-rw-r--r--CHANGELOG.txt185
-rw-r--r--LICENSE.txt8
-rw-r--r--Makefile102
-rw-r--r--VERSION.txt2
-rw-r--r--apache/Makefile2
-rw-r--r--apt/Makefile80
-rwxr-xr-xapt/bin/apt-install68
-rwxr-xr-xapt/bin/apt-remove67
-rw-r--r--apt/share/man/Makefile59
-rw-r--r--apt/share/man/apt-install.1.rst123
-rw-r--r--apt/share/man/man.in19
-rw-r--r--dehydrated/Makefile3
-rw-r--r--dehydrated/TODO7
-rwxr-xr-xdehydrated/bin/dehydrated-get212
-rwxr-xr-xdehydrated/bin/dehydrated-nsupdate103
-rwxr-xr-xdehydrated/share/hooks/deploy_cert.chrony35
-rwxr-xr-xdehydrated/share/hooks/deploy_cert.extra88
-rwxr-xr-xdehydrated/share/hooks/deploy_ocsp.extra37
-rwxr-xr-xdehydrated/share/hooks/exit_hook.extra-cleanup77
-rwxr-xr-xdehydrated/share/hooks/exit_hook.fix-permissions15
-rwxr-xr-xdehydrated/share/hooks/exit_hook.service-reload92
-rw-r--r--dehydrated/share/man/dehydrated-cron.1.rst36
-rw-r--r--dehydrated/share/man/dehydrated-hook.1.rst49
-rw-r--r--dehydrated/share/man/dehydrated-nsupdate.1.rst126
-rw-r--r--dnsdist/Makefile80
-rwxr-xr-xdnsdist/bin/dnsdist-console61
-rwxr-xr-xgit/bin/git-checkout-branches2
-rwxr-xr-xgit/bin/git-pull-branches54
-rwxr-xr-xgit/bin/git-whoami24
-rwxr-xr-xgit/share/hooks/post-update.d/irker-notification4
-rwxr-xr-xirker/bin/irk.py43
-rwxr-xr-xirker/bin/irkerhook-debian1
-rwxr-xr-xirker/bin/test-0.sh7
-rwxr-xr-xirker/bin/test-evil.sh10
-rwxr-xr-xirker/bin/test.sh10
-rw-r--r--kea/Makefile80
-rwxr-xr-xkea/bin/kea-leases-reset58
-rwxr-xr-xknot-resolver/bin/kresd-cache-clear35
-rwxr-xr-xknot-resolver/bin/kresd-restart51
-rwxr-xr-xknot-resolver/bin/kresd-stats-list (renamed from knot/bin/knot-reset-zones)29
-rwxr-xr-xknot/bin/knot-zones-reset55
-rwxr-xr-xknot/share/cron/knot-reset-zones3
-rwxr-xr-xknot/share/cron/knot-zones-reset3
-rw-r--r--linux/Makefile97
-rwxr-xr-xlinux/bin/linux-i40e156
-rwxr-xr-xlinux/bin/linux-ice156
-rwxr-xr-xlinux/bin/linux-leds156
-rw-r--r--linux/share/kmod/linux-leds.conf4
-rw-r--r--linux/share/man/Makefile59
-rw-r--r--linux/share/man/linux-i40e.1.rst86
-rw-r--r--linux/share/man/linux-ice.1.rst86
-rw-r--r--linux/share/man/man.in19
-rw-r--r--linux/share/systemd/linux-i40e.service17
-rw-r--r--linux/share/systemd/linux-ice.service17
-rw-r--r--openldap/Makefile138
-rwxr-xr-xopenldap/bin/slapd-cron-backup33
-rwxr-xr-xopenldap/bin/slapd-cron-clean (renamed from dehydrated/share/hooks/deploy_ocsp.fullchain-privkey)8
-rwxr-xr-xopenldap/share/cron/dehydrated4
-rw-r--r--openssh/Makefile2
-rwxr-xr-xopenssh/bin/ssh-keycheck6
-rw-r--r--postgresql/Makefile12
-rwxr-xr-xpostgresql/bin/pg_hba.conf169
-rwxr-xr-xpostgresql/bin/postgresql-backup23
-rw-r--r--postgresql/share/bash-completion/pg_hba.conf48
-rw-r--r--postgresql/share/man/Makefile59
-rw-r--r--postgresql/share/man/container.1.rst145
-rw-r--r--postgresql/share/man/man.in19
-rw-r--r--znuny/Makefile80
-rwxr-xr-xznuny/bin/otrs.Console.pl (renamed from dehydrated/share/hooks/deploy_cert.fullchain-privkey)6
-rwxr-xr-xznuny/bin/otrs.Daemon.pl24
-rwxr-xr-xznuny/bin/znuny-setup66
71 files changed, 3718 insertions, 182 deletions
diff --git a/CHANGELOG.txt b/CHANGELOG.txt
index 954d841..859b599 100644
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -1,3 +1,188 @@
+2022-12-26 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+
+ * Releasing version 20221226.
+
+ [ Daniel Baumann ]
+ * Adding root_intermediate_cert to exit_hook.extra-cleanup dehydrated hook.
+ * Creating relative links for extra certificates in deploy_cert.extra dehydrated hook.
+
+2022-12-25 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+
+ * Releasing version 20221225.
+
+ [ Daniel Baumann ]
+ * Updating chain coments in deploy_cert.extra dehydrated hook.
+ * Stripping empty lines from partial files when using short chain in deploy_cert.extra dehydrated hook.
+ * Generalizing extra file generation for any number of components as needed by redis in deploy_cert.extra dehydrated hook.
+
+2022-12-24 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+
+ * Releasing version 20221224.
+
+ [ Daniel Baumann ]
+ * Correcting wrong date for previous release in changelog.
+ * Also calling pull the current branch in git-pull-branches.
+ * Excluding onboard i40e cards in linux-i40e script, as they are not configurable.
+ * Adding linux-ice script.
+ * Updating dehydrated todo.
+ * Removing superfluous dot in output-message of dehydrated-nsupdate.
+ * Adding freeradius to dehydrated service-reload hook.
+ * Adding preferred chain compatibility in deploy_cert.extra dehydrated hook.
+
+2022-12-23 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+
+ * Releasing version 20221223.
+
+ [ Daniel Baumann ]
+ * Adding znuny-tools.
+ * Adding git-pull-branches in git-tools.
+ * Completely stop and start apache in dehydrated hook to ensure OCSP renewals.
+ * Adding apt tools.
+
+2022-11-22 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+
+ * Releasing version 20221122.
+
+ [ Daniel Baumann ]
+ * Using certdir variable in dehydrated hook instead of hardcoded path.
+ * Using shortnames for extra certificates in dehydrated extra hooks.
+ * Adding dehydrated hook to cleanup extra files.
+
+2022-11-08 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+
+ * Releasing version 20221108.
+
+ [ Daniel Baumann ]
+ * Only restarting knot if it was running before in knot-zones-reset.
+ * Correcting cosmetic typo in dehydrated extra-cert hook output.
+ * Removing ssh remote part from knot related commands.
+
+2022-11-01 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+
+ * Releasing version 20221101.
+
+ [ Daniel Baumann ]
+ * Correcting file handling errors in dehydrated deploy_cert.extra hook.
+ * Improving comment in dehydrated deploy_cert.chrony hook.
+ * Improving CA filename prefix in dehydrated deploy_cert.extra hook.
+
+2022-10-30 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+
+ * Releasing version 20221030.
+
+ [ Daniel Baumann ]
+ * Merging the different extra certificate files into one dehydrated hook handling all extra copies.
+ * Reworking chrony workaround (#1013882) now that we know it's going to be permanent.
+ * Adding postfix to service-reload dehydrated hook.
+ * Reworking service-reload dehydrated hook.
+ * Reworking fix-permission dehydrated hook.
+ * Improving wording of TSIG lookup hierarchy in dehydrated-nsupdate.1.
+ * Temporarily passing tsig string to bind in dehydrated-nsupdate to unbreak bind support, bind requires a different keyfile format as knot.
+ * Updating dig alternative handling similar to nsupdate for consistency.
+ * Updating dehydrated TODO file.
+ * Updating license with newer GPL-3 version containing https instead of http links.
+ * Using variable for service-tools in makefile.
+ * Providing individual root and intermediate certificate files in dehydrated extra hook.
+ * Reworking knot-zones-reset script.
+ * Adding kea tools.
+
+2022-07-04 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+
+ * Releasing version 20220704.
+
+ [ Daniel Baumann ]
+ * Adding privkey-fullchain hooks as used by postfix for dehydrated.
+
+2022-06-26 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+
+ * Releasing version 20220626.
+
+ [ Daniel Baumann ]
+ * Updating dehydrated-tools TODO file.
+ * Adding dehydrated hook to workaround certificate handling in chrony (#1013882).
+ * Updating upload url in makefile.
+
+2022-06-24 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+
+ * Releasing version 20220624.
+
+ [ Daniel Baumann ]
+ * Correcting loop over subdirectories to exclude all dot-directories, not just the one for git.
+
+2022-06-15 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+
+ * Releasing version 20220615.
+
+ [ Daniel Baumann ]
+ * Correcting breaking extra-quotes in dnsdist-console.
+ * Adding git commands to release target in top-level Makefile.
+
+2022-06-14 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+
+ * Releasing version 20220614.
+
+ [ Daniel Baumann ]
+ * Only restarting kresd in dehydrated exit_hook.service-reload if tls is configured.
+ * Adding test target in apache-tools makefile.
+ * Adding top-level makefile.
+ * Adding quotes arround some variables in dehydrated-tools to prevent globbing and word splitting.
+ * Adding quotes arround some variables in dnsdist-tools to prevent globbing and word splitting.
+ * Adding quotes arround some variables in linux-tools to prevent globbing and word splitting.
+ * Removing unused color definitions in linux-tools.
+ * Adding shellcheck exception in irker-tools for variable sourced from configuration file.
+ * Using read -r to not mangle backslashes in git-tools.
+ * Adding quotes arround some variables in git-tools to prevent globbing and word splitting.
+ * Changing default value handling for variables in git-whoami to more portable format.
+ * Consistently using curly braces for variables in git-whoami.
+ * Adding support for individual TSIG files per record, zone, and nameserver rather than having one global key for all updates in dehydrated-nsupdate.
+ * Handling comments in TSIG keyfiles in dehydrated-nsupdate to support disabling TSIG for individual records.
+ * Completing existing dehydrated-tools manpages.
+ * Updating dehydrated-tools TODO file.
+
+2022-06-09 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+
+ * Releasing version 20220609.
+
+ [ Daniel Baumann ]
+ * Handling ipv4-only/ipv6-only nameservers on ipv4-only/ipv6-only systems.
+ * Adding dnsdist tools.
+
+2022-05-25 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+
+ * Releasing version 20220525.
+
+ [ Daniel Baumann ]
+ * Renaming ethtools to linux since it's about kernel module options for now.
+ * Adding link-down-on-close=on in linux-i40e.
+ * Refactoring linux-i40e for start/stop/status actions.
+ * Adding linux-i40e manpage.
+
+2022-05-24 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+
+ * Releasing version 20220524.
+
+ [ Daniel Baumann ]
+ * Updating dehydrated todo file.
+ * Adding ethtool-i40e.
+
+2022-04-30 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+
+ * Releasing version 20220430.
+
+ [ Daniel Baumann ]
+ * Using localhost as fallback in kresd-cache-clear.
+ * Avoid failing if /var/lib/dehydrated/certs doesn't exist in dehydrated fix-permissions hook.
+ * Restarting kresd threads only if at least one exists to support building chroots in dehydrated service-reload hook.
+
+2022-04-14 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+
+ * Releasing version 20220414.
+
+ [ Daniel Baumann ]
+ * Adding knot to list of services to restart in dehydrated hook.
+ * Adding knot-resolver handling in dehydrated service-reload hook.
+ * Using a variable to keep the list of services to restart in dehydrated hook for easier readability.
+
2022-01-05 Daniel Baumann <daniel.baumann@open-infrastructure.net>
* Releasing version 20220105.
diff --git a/LICENSE.txt b/LICENSE.txt
index 94a9ed0..f288702 100644
--- a/LICENSE.txt
+++ b/LICENSE.txt
@@ -1,7 +1,7 @@
GNU GENERAL PUBLIC LICENSE
Version 3, 29 June 2007
- Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/>
+ Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
@@ -645,7 +645,7 @@ the "copyright" line and a pointer to where the full notice is found.
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
- along with this program. If not, see <http://www.gnu.org/licenses/>.
+ along with this program. If not, see <https://www.gnu.org/licenses/>.
Also add information on how to contact you by electronic and paper mail.
@@ -664,11 +664,11 @@ might be different; for a GUI interface, you would use an "about box".
You should also get your employer (if you work as a programmer) or school,
if any, to sign a "copyright disclaimer" for the program, if necessary.
For more information on this, and how to apply and follow the GNU GPL, see
-<http://www.gnu.org/licenses/>.
+<https://www.gnu.org/licenses/>.
The GNU General Public License does not permit incorporating your program
into proprietary programs. If your program is a subroutine library, you
may consider it more useful to permit linking proprietary applications with
the library. If this is what you want to do, use the GNU Lesser General
Public License instead of this License. But first, please read
-<http://www.gnu.org/philosophy/why-not-lgpl.html>.
+<https://www.gnu.org/licenses/why-not-lgpl.html>.
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..9ad53ec
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,102 @@
+# Open Infrastructure: service-tools
+
+# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+#
+# SPDX-License-Identifier: GPL-3.0+
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+SHELL := sh -e
+
+PROJECT = open-infrastructure
+SOFTWARE = service-tools
+
+VERSION := $(shell cat VERSION.txt)
+
+TOOLS := $(shell find . -mindepth 1 -maxdepth 1 -type d -and -not -name ".*" -and -not -name debian)
+
+all: build
+
+test:
+ @for TOOL in $(TOOLS); \
+ do \
+ echo "Processing $${TOOL}..."; \
+ make -C $${TOOL} test; \
+ echo; \
+ done
+
+build:
+ @for TOOL in $(TOOLS); \
+ do \
+ echo "Processing $${TOOL}..."; \
+ make -C $${TOOL} build; \
+ echo; \
+ done
+
+install: build
+ @for TOOL in $(TOOLS); \
+ do \
+ echo "Processing $${TOOL}..."; \
+ make -C $${TOOL} install; \
+ echo; \
+ done
+
+uninstall:
+ @for TOOL in $(TOOLS); \
+ do \
+ echo "Processing $${TOOL}..."; \
+ make -C $${TOOL} uninstall; \
+ echo; \
+ done
+
+clean:
+ @for TOOL in $(TOOLS); \
+ do \
+ echo "Processing $${TOOL}..."; \
+ make -C $${TOOL} clean; \
+ echo; \
+ done
+
+distclean:
+ rm -rf $(SOFTWARE)-$(VERSION)
+
+ @for TOOL in $(TOOLS); \
+ do \
+ echo "Processing $${TOOL}..."; \
+ make -C $${TOOL} distclean; \
+ echo; \
+ done
+
+reinstall: uninstall install
+
+release: distclean
+ git commit -a -s -S -m 'Releasing version $(VERSION).' || true
+ git tag -s -m 'Tagging version $(VERSION).' v$(VERSION) || true
+
+ mkdir $(SOFTWARE)-$(VERSION)
+ find . -mindepth 1 -maxdepth 1 -and -not -name ".git*" -and -not -name debian -and -not -name $(SOFTWARE)-$(VERSION) -exec cp \-a {} $(SOFTWARE)-$(VERSION) \;
+
+ for FORMAT in xz lzip; \
+ do \
+ EXTENSION=$$(echo $${FORMAT} | cut -b-2); \
+ tar --$${FORMAT} -cf ../$(SOFTWARE)-$(VERSION).tar.$${EXTENSION} $(SOFTWARE)-$(VERSION); \
+ sha512sum ../$(SOFTWARE)-$(VERSION).tar.$${EXTENSION} > ../$(SOFTWARE)-$(VERSION).tar.$${EXTENSION}.sha512; \
+ gpg --default-key 0xB62C61A10B93195F --armor -b ../$(SOFTWARE)-$(VERSION).tar.$${EXTENSION}; \
+ mv ../$(SOFTWARE)-$(VERSION).tar.$${EXTENSION}.asc ../$(SOFTWARE)-$(VERSION).tar.$${EXTENSION}.sig; \
+ done
+
+ rm -rf $(SOFTWARE)-$(VERSION)
+
+upload:
+ scp ../$(SOFTWARE)-$(VERSION).* get.open-infrastructure.net:/srv/get.open-infrastructure.net/software/$(SOFTWARE)/upstream
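Review bot: The checksum written by `sha512sum ../$(SOFTWARE)-$(VERSION).tar.$${EXTENSION} > ../$(SOFTWARE)-$(VERSION).tar.$${EXTENSION}.sha512` records the file name with its `../` prefix, so anyone who downloads the tarball and its .sha512 side by side and runs `sha512sum -c` gets "No such file or directory" instead of a verification result. Producing it from the parent directory keeps the name bare: `(cd .. && sha512sum $(SOFTWARE)-$(VERSION).tar.$${EXTENSION} > $(SOFTWARE)-$(VERSION).tar.$${EXTENSION}.sha512); \`. Separately, `git tag -s -m 'Tagging version $(VERSION).' v$(VERSION) || true` lets the release proceed when tag signing fails, which is presumably meant for re-runs but also hides a missing or expired signing key; checking for an existing tag with `git rev-parse -q --verify v$(VERSION)` before tagging would preserve the re-run case without swallowing signing errors.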
diff --git a/VERSION.txt b/VERSION.txt
index 430a704..6c91a60 100644
--- a/VERSION.txt
+++ b/VERSION.txt
@@ -1 +1 @@
-20220105
+20221226
diff --git a/apache/Makefile b/apache/Makefile
index c31a4cb..70b9a35 100644
--- a/apache/Makefile
+++ b/apache/Makefile
@@ -25,6 +25,8 @@ PROGRAM = apache-icons
all: build
+test:
+
build: share/man/*.rst
$(MAKE) -C share/man
diff --git a/apt/Makefile b/apt/Makefile
new file mode 100644
index 0000000..6b3744b
--- /dev/null
+++ b/apt/Makefile
@@ -0,0 +1,80 @@
+# Open Infrastructure: service-tools
+
+# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+#
+# SPDX-License-Identifier: GPL-3.0+
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+SHELL := sh -e
+
+SCRIPTS = bin/*
+
+all: build
+
+test:
+ @echo -n "Checking for syntax errors with sh... "
+ @for SCRIPT in $(SCRIPTS); \
+ do \
+ sh -n $${SCRIPT}; \
+ echo -n "."; \
+ done
+ @echo " done."
+
+ @echo -n "Checking for bashisms... "
+ @if [ -x /usr/bin/checkbashisms ]; \
+ then \
+ for SCRIPT in $(SCRIPTS); \
+ do \
+ checkbashisms -f -x $${SCRIPT}; \
+ echo -n "."; \
+ done; \
+ else \
+ echo "Note: devscripts not installed, skipping checkbashisms."; \
+ fi
+ @echo " done."
+
+ @echo -n "Checking with shellcheck... "
+ @if [ -x /usr/bin/shellcheck ]; \
+ then \
+ for SCRIPT in $(SCRIPTS); \
+ do \
+ shellcheck -e SC2039 $${SCRIPT}; \
+ echo -n "."; \
+ done; \
+ else \
+ echo "Note: shellcheck not installed, skipping shellcheck."; \
+ fi
+ @echo " done."
+
+build:
+
+install: build
+ mkdir -p $(DESTDIR)/usr/bin
+ cp -r bin/* $(DESTDIR)/usr/bin
+
+uninstall:
+ for FILE in bin/*; \
+ do \
+ rm -f $(DESTDIR)/usr/bin/$$(basename $${FILE}); \
+ done
+ rmdir --ignore-fail-on-non-empty --parents $(DESTDIR)/usr/bin || true
+
+ rmdir --ignore-fail-on-non-empty --parents $(DESTDIR) || true
+
+clean:
+
+distclean:
+
+reinstall: uninstall install
diff --git a/apt/bin/apt-install b/apt/bin/apt-install
new file mode 100755
index 0000000..2427361
--- /dev/null
+++ b/apt/bin/apt-install
@@ -0,0 +1,68 @@
+#!/bin/sh
+
+# Open Infrastructure: service-tools
+
+# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+#
+# SPDX-License-Identifier: GPL-3.0+
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+set -e
+
+PROGRAM="$(basename "${0}")"
+OPTIONS="${*}"
+
+Usage ()
+{
+ echo "Usage: ${PROGRAM} PACKAGE" >&2
+ echo "Usage: ${PROGRAM} PACKAGE1 PACKAGE2 ..." >&2
+ echo
+ echo "See ${PROGRAM}(1) for more information."
+
+ exit 1
+}
+
+if [ -z "${OPTIONS}" ]
+then
+ Usage
+fi
+
+for OPTION in ${OPTIONS}
+do
+ case "${OPTION}" in
+ -*)
+ # abort if options are trying to be used
+ Usage
+ ;;
+
+ /*)
+ # abort if local deb files are trying to be installed
+ Usage
+ ;;
+
+ .*)
+ # abort if local deb files are trying to be installed
+ echo "Debug: ."
+ Usage
+ ;;
+ esac
+done
+
+# ignore local apt configuration files
+APT_CONFIG=""
+export APT_CONFIG
+
+apt update
+apt install "${OPTIONS}"
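Review bot: The final `apt install "${OPTIONS}"` hands apt all package names joined into one argument, so the documented `apt-install PACKAGE1 PACKAGE2 ...` form fails with apt unable to locate a package named "PACKAGE1 PACKAGE2", while the loop above validates whitespace-split, glob-expanded words that are not what apt receives; iterating `"$@"` in the loop and passing `"$@"` to apt fixes both and makes the checked words identical to the ones apt sees. The case arms are a first-character denylist (`-*`, `/*`, `.*`), so any argument form apt accepts that starts differently — a relative path with a directory component, if apt treats those as local files — passes through, and an allowlist of Debian package-name characters is the safer check (it also drops the `pkg=version` and `pkg/suite` forms, which fits a wrapper that already refuses options); adding `--` before the list stops apt option parsing regardless of what got through. The stray `echo "Debug: ."` in the `.*` arm should be removed. apt-remove repeats the same lines, including the "abort if local deb files are trying to be installed" comments, and needs the same fix.
```shell
for OPTION in "$@"
do
	case "${OPTION}" in
		[!a-z0-9]*|*[!a-z0-9+.-]*)
			# only plain Debian package names: no options, no paths, no version/suite suffixes
			Usage
			;;
	esac
done

# … unchanged: APT_CONFIG handling …

apt update
apt install -- "$@"
```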
diff --git a/apt/bin/apt-remove b/apt/bin/apt-remove
new file mode 100755
index 0000000..655246e
--- /dev/null
+++ b/apt/bin/apt-remove
@@ -0,0 +1,67 @@
+#!/bin/sh
+
+# Open Infrastructure: service-tools
+
+# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+#
+# SPDX-License-Identifier: GPL-3.0+
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+set -e
+
+PROGRAM="$(basename "${0}")"
+OPTIONS="${*}"
+
+Usage ()
+{
+ echo "Usage: ${PROGRAM} PACKAGE" >&2
+ echo "Usage: ${PROGRAM} PACKAGE1 PACKAGE2 ..." >&2
+ echo
+ echo "See ${PROGRAM}(1) for more information."
+
+ exit 1
+}
+
+if [ -z "${OPTIONS}" ]
+then
+ Usage
+fi
+
+for OPTION in ${OPTIONS}
+do
+ case "${OPTION}" in
+ -*)
+ # abort if options are trying to be used
+ Usage
+ ;;
+
+ /*)
+ # abort if local deb files are trying to be installed
+ Usage
+ ;;
+
+ .*)
+ # abort if local deb files are trying to be installed
+ echo "Debug: ."
+ Usage
+ ;;
+ esac
+done
+
+# ignore local apt configuration files
+APT_CONFIG=""
+export APT_CONFIG
+
+apt remove --purge "${OPTIONS}"
diff --git a/apt/share/man/Makefile b/apt/share/man/Makefile
new file mode 100644
index 0000000..a6d6bf2
--- /dev/null
+++ b/apt/share/man/Makefile
@@ -0,0 +1,59 @@
+# Open Infrastructure: service-tools
+
+# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+#
+# SPDX-License-Identifier: GPL-3.0+
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+# Depends: python3-docutils
+
+RST2MAN = rst2man \
+ --no-datestamp \
+ --no-generator \
+ --strict \
+ --strip-comments \
+ --tab-width=4 \
+ --verbose
+
+VERSION := $(shell cat ../../../VERSION.txt)
+
+SHELL := sh -e
+
+all: build
+
+build: man
+
+man: man.in *.rst
+ @echo -n "Creating manpages... "
+
+ @for FILE in *.rst; \
+ do \
+ cp man.in $$(basename $${FILE} .rst); \
+ $(RST2MAN) $${FILE} | \
+ sed -e '/^.\\" Man page generated/d' \
+ -e '/^.\\" Generated by/d' \
+ -e "s|^\(.TH .*\) \(\"\" \"\"\) |\1 $${VERSION} service-tools |" \
+ >> $$(basename $${FILE} .rst); \
+ echo -n "."; \
+ done
+
+ @echo " done."
+
+clean:
+ rm -f *.[0-9]
+
+distclean: clean
+
+rebuild: clean build
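Review bot: The substitution `-e "s|^\(.TH .*\) \(\"\" \"\"\) |\1 $${VERSION} service-tools |"` expands `${VERSION}` in the recipe's shell, but VERSION is only defined as a make variable (`VERSION := $(shell cat ../../../VERSION.txt)`) and is never exported, so unless the caller's environment happens to carry VERSION the .TH line gets an empty field and the generated manpages lose their version. Using the make variable directly, `-e "s|^\(.TH .*\) \(\"\" \"\"\) |\1 $(VERSION) service-tools |" \`, fixes this. The man Makefiles added under linux/ and postgresql/ in this commit appear to be copies of this one and likely carry the same line.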
diff --git a/apt/share/man/apt-install.1.rst b/apt/share/man/apt-install.1.rst
new file mode 100644
index 0000000..f446ea9
--- /dev/null
+++ b/apt/share/man/apt-install.1.rst
@@ -0,0 +1,123 @@
+.. Open Infrastructure: service-tools
+
+.. Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+..
+.. SPDX-License-Identifier: GPL-3.0+
+..
+.. This program is free software: you can redistribute it and/or modify
+.. it under the terms of the GNU General Public License as published by
+.. the Free Software Foundation, either version 3 of the License, or
+.. (at your option) any later version.
+..
+.. This program is distributed in the hope that it will be useful,
+.. but WITHOUT ANY WARRANTY; without even the implied warranty of
+.. MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.. GNU General Public License for more details.
+..
+.. You should have received a copy of the GNU General Public License
+.. along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+===========
+apt-install
+===========
+
+------------------------------------------------------------------------
+securely allow unprivileged users to install packages via apt using sudo
+------------------------------------------------------------------------
+
+:manual section: 1
+:manual group: Open Infrastructure
+
+Synopsis
+========
+
+| **sudo apt-install** PACKAGE
+| **sudo apt-install** PACKAGE1 PACKAGE2 ...
+
+Description
+===========
+
+**apt-install** securely allows unprivileged users to install packages via apt using sudo.
+
+Some background information
+===========================
+
+| **Use case**
+| On managed systems by a group of system administrators, it would be nice to allow
+| unprivileged users to install the packages they like from the pre-configured
+| Debian repositories.
+|
+| **Unsecure via sudo**
+| Traditionally this has been done by granting the unprivileged users to run
+| sudo with e.g.:
+| "user ALL=NOPASSWD: /usr/bin/apt, /usr/bin/apt-get"
+| (see sudoers(5) for information about sudoers, the configuration file for sudo).
+|
+| **Using local apt configuration**
+| Using sudo as above allows for custom apt options to be passed as arguments, e.g.:
+| sudo apt update -o APT::Update::Pre-Invoke::="/bin/sh"
+|
+| Or refering to local apt configuration file:
+| sudo APT_CONFIG=~/apt.conf apt update
+|
+| **Installing local debian packages**
+| Unfortunatly this allows to not just install packages from the repositories,
+| but also to install local packages:
+| sudo apt install ./root-shell.deb
+|
+| Creating a Debian package that contains a wrapper for a root shell or invokes
+| a shell as root during within the maintainer scripts is left to the reader,
+| however, there's a example available here:
+| https://git.open-infrastructure.net/software/root-shell/
+
+| **Using wrapper scripts for apt install and apt remove**
+| The apt-install and apt-remove wrapper drop parameters as well as file and path
+| arguments to ensure only packages from the configured Debian repositories can be
+| installed.
+
+sudo configuration
+==================
+
+| Users can be granted sudo rights for apt-install and apt-remove via sudoers(5):
+| "user ALL=NOPASSWD: /usr/bin/apt-install, /usr/bin/apt-remove"
+
+| It might make sense to also allow unprivileged users to allow updating the system:
+| "user ALL=NOPASSWD: /usr/bin/apt update, /usr/bin/apt upgrade, /usr/bin/apt dist-upgrade"
+
+Warning
+=======
+
+| Granting users local access to a system is always a security risk.
+| Giving local users the ability to install packages even more so.
+
+| While the apt-install and apt-remove wrappers do prevent installing malicious packages,
+| bugs in any of the packages within the configured Debian repositories can be exploited.
+
+See also
+========
+
+| apt(8),
+| sudo(8),
+| sudoers(5)
+
+Homepage
+========
+
+More information about service-tools and the Open Infrastructure project can be
+found on the homepage (https://open-infrastructure.net).
+
+Contact
+=======
+
+Bug reports, feature requests, help, patches, support and everything else are
+welcome on the Open Infrastructure Software Mailing List
+<software@lists.open-infrastructure.net>.
+
+Debian specific bugs can also be reported in the Debian Bug Tracking System
+(https://bugs.debian.org).
+
+Authors
+=======
+
+service-tools were written by Daniel Baumann
+<daniel.baumann@open-infrastructure.net> and others.
diff --git a/apt/share/man/man.in b/apt/share/man/man.in
new file mode 100644
index 0000000..f95ca67
--- /dev/null
+++ b/apt/share/man/man.in
@@ -0,0 +1,19 @@
+.\" Open Infrastructure: service-tools
+.\"
+.\" Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+.\"
+.\" SPDX-License-Identifier: GPL-3.0+
+.\"
+.\" This program is free software: you can redistribute it and/or modify
+.\" it under the terms of the GNU General Public License as published by
+.\" the Free Software Foundation, either version 3 of the License, or
+.\" (at your option) any later version.
+.\"
+.\" This program is distributed in the hope that it will be useful,
+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.\" GNU General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public License
+.\" along with this program. If not, see <https://www.gnu.org/licenses/>.
+.\"
diff --git a/dehydrated/Makefile b/dehydrated/Makefile
index 2b6da9f..80f2e30 100644
--- a/dehydrated/Makefile
+++ b/dehydrated/Makefile
@@ -82,6 +82,9 @@ install: build
ln -sf /usr/bin/dehydrated-nsupdate $(DESTDIR)/usr/share/dehydrated/hooks/clean_challenge.nsupdate
ln -sf /usr/bin/dehydrated-nsupdate $(DESTDIR)/usr/share/dehydrated/hooks/deploy_challenge.nsupdate
+ ln -sf /usr/bin/dehydrated-get $(DESTDIR)/usr/share/dehydrated/hooks/clean_challenge.get
+ ln -sf /usr/bin/dehydrated-get $(DESTDIR)/usr/share/dehydrated/hooks/deploy_challenge.get
+
for SECTION in $$(seq 1 8); \
do \
if ls share/man/*.$${SECTION} > /dev/null 2>&1; \
diff --git a/dehydrated/TODO b/dehydrated/TODO
index 9295784..b6cc845 100644
--- a/dehydrated/TODO
+++ b/dehydrated/TODO
@@ -1,8 +1,9 @@
TODO
====
+ * add cleanup hook for extra certificates
+ * add manpages for individual dehydrated hooks
* use /etc/default for dehydrated-cron
* use /etc/default for dehydrated-hook
- * maybe handling multiple different CNAMEs
- (not sure if letsencrypt allows that, however, dehydrated-nsupdate only
- processes one CNAME)
+ * use settings from _dehydrated.$domain.$tld for automatic configuration
+ * allow to configure 'use NS records' or 'use mname in SOA' per zone/tsig
diff --git a/dehydrated/bin/dehydrated-get b/dehydrated/bin/dehydrated-get
new file mode 100755
index 0000000..4368bab
--- /dev/null
+++ b/dehydrated/bin/dehydrated-get
@@ -0,0 +1,212 @@
+#!/bin/sh
+
+# Open Infrastructure: service-tools
+
+# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+#
+# SPDX-License-Identifier: GPL-3.0+
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+set -e
+
+HOOK="$(basename "${0}")"
+HOOK_ACTION="$(echo "${HOOK}" | awk -F. '{ print $1 }')"
+
+# set nsupdate action
+case "${HOOK}" in
+ clean_challenge.*)
+ HOOK_ACTION="delete"
+ ;;
+
+ deploy_challenge.*)
+ HOOK_ACTION="add"
+ ;;
+
+ *)
+ echo "'${HOOK}': no such hook action '${HOOK_ACTION}'" >&2
+ echo "'${HOOK}': use 'clean_challenge.' or 'deploy_challenge.' as prefix in your symlink" >&2
+ exit 1
+ ;;
+esac
+
+# alternatives handling for dig
+if command -v wget > /dev/null 2>&1
+then
+ # wget
+ GET_VARIANT="wget"
+elif command -v curl > /dev/null 2>&1
+then
+ # curl
+ GET_VARIANT="curl"
+else
+ echo "'${HOOK}': need wget or curl" >&2
+ exit 1
+fi
+
+case "${DIG_VARIANT}" in
+ knot)
+ DIG="kdig +noidn"
+ ;;
+
+ bind)
+ DIG="dig +noidnout"
+ ;;
+esac
+
+# alternatives handling for nsupdate
+if command -v knsupdate > /dev/null 2>&1
+then
+ # knot-dnsutils
+ NSUPDATE_VARIANT="knot"
+elif command -v nsupdate > /dev/null 2>&1
+then
+ # bind-dnsutils
+ NSUPDATE_VARIANT="bind"
+else
+ echo "'${HOOK}': need nsupdate from bind-dnsutils or knot-dnsutils" >&2
+ exit 1
+fi
+
+case "${NSUPDATE_VARIANT}" in
+ knot)
+ NSUPDATE="knsupdate"
+ ;;
+
+ bind)
+ NSUPDATE="nsupdate"
+ ;;
+esac
+
+# config
+for FILE in /etc/default/dehydrated-nsupdate /etc/default/dehydrated-nsupdate.d/*
+do
+ if [ -e "${FILE}" ]
+ then
+ . "${FILE}"
+ fi
+done
+
+# find txt record to update
+CNAME="$(${DIG} +nocomments +noquestion "_acme-challenge.${DOMAIN}" 2>&1 | grep -v '^;' | awk '/CNAME/ { print $5 }' | tail -n1)"
+
+if [ -n "${CNAME}" ]
+then
+ TXT_RECORD="${CNAME}"
+else
+ TXT_RECORD="_acme-challenge.${DOMAIN}"
+fi
+
+ZONE="${TXT_RECORD}"
+
+# find all nameservers to update
+while true
+do
+ NAMESERVERS="$(${DIG} +nocomments +noquestion NS "${ZONE}" 2>&1 | grep -v '^;' | awk '/NS/ { print $5 }')"
+
+ if [ -n "${NAMESERVERS}" ]
+ then
+ ZONE="$(${DIG} +nocomments +noquestion NS "${ZONE}" 2>&1 | grep -v '^;' | awk '/NS/ { print $1 }' | tail -n1)"
+ break
+ else
+ ZONE="$(echo "${ZONE}" | cut -d '.' -f 2-)"
+ fi
+done
+
+NAMESERVERS_IPV6=""
+NAMESERVERS_IPV4=""
+
+for NAMESERVER in ${NAMESERVERS}
+do
+ if [ -n "$(${DIG} +nocomments +noquestion +short AAAA "${NAMESERVER}")" ]
+ then
+ NAMESERVERS_IPV6="${NAMESERVERS_IPV6} ${NAMESERVER}"
+ fi
+
+ if [ -n "$(${DIG} +nocomments +noquestion +short A "${NAMESERVER}")" ]
+ then
+ NAMESERVERS_IPV4="${NAMESERVERS_IPV4} ${NAMESERVER}"
+ fi
+done
+
+# filter nameservers by available IP protocol
+NAMESERVERS=""
+
+if hostname -I | grep -qs ':'
+then
+ NAMESERVERS="${NAMESERVERS} ${NAMESERVERS_IPV6}"
+fi
+
+if hostname -I | grep -qs '\.'
+then
+ NAMESERVERS="${NAMESERVERS} ${NAMESERVERS_IPV4}"
+fi
+
+NAMESERVERS="$(echo "${NAMESERVERS}" | sed -e 's| |\n|g' | sort -u -V)"
+
+# update nameservers
+for NAMESERVER in ${NAMESERVERS}
+do
+ if [ -e "/etc/dehydrated/tsig/$(basename "${TXT_RECORD}" .).key" ]
+ then
+ # specific key per record
+ KEY="/etc/dehydrated/tsig/$(basename "${TXT_RECORD}" .).key"
+ elif [ -e "/etc/dehydrated/tsig/$(basename "${ZONE}" .).key" ]
+ then
+ # specific key per zone
+ KEY="/etc/dehydrated/tsig/$(basename "${ZONE}" .).key"
+ elif [ -e "/etc/dehydrated/tsig/$(basename "${NAMESERVER}" .).key" ]
+ then
+ # specific key per nameserver
+ KEY="/etc/dehydrated/tsig/$(basename "${NAMESERVER}" .).key"
+ elif [ -e "/etc/dehydrated/tsig.key" ]
+ then
+ # global key (filesystem)
+ KEY="/etc/dehydrated/tsig.key"
+ elif [ -n "${TSIG_KEYFILE}" ] && [ -e "${TSIG_KEYFILE}" ]
+ then
+ # global key (conffile)
+ KEY="${TSIG_KEYFILE}"
+ else
+ # no key
+ KEY=""
+ fi
+
+ # ignoring comments to allow empty keyfiles to disable TSIG individually
+ TSIG="$(grep -sv '^#' "${KEY}" || true)"
+
+ if [ -n "${KEY}" ] && [ -n "${TSIG}" ]
+ then
+ case "${NSUPDATE_VARIANT}" in
+ knot)
+ NSUPDATE_OPTIONS="-k ${KEY}"
+ ;;
+
+ bind)
+ NSUPDATE_OPTIONS="-y $(cat "${KEY}")"
+ ;;
+ esac
+ fi
+
+ echo -n " + sending '${HOOK_ACTION}' for ${TXT_RECORD} to ${NAMESERVER}.."
+
+# shellcheck disable=SC2086
+echo "server ${NAMESERVER}
+zone ${ZONE}
+ttl 0
+update ${HOOK_ACTION} ${TXT_RECORD} 0 TXT ${TOKEN_VALUE}
+send" | "${NSUPDATE}" ${NSUPDATE_OPTIONS}
+
+ echo " done."
+done
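Review bot: `DIG_VARIANT` is read at line 969 but never assigned anywhere in this file (the dig detection that dehydrated-nsupdate has was replaced by a wget/curl probe whose result, `GET_VARIANT`, is then never used), so `DIG` is empty when the lookups at lines 1013, 1027 and 1031 run and `${DIG} +nocomments ...` tries to execute `+nocomments` as a command. Either restore the `command -v kdig`/`command -v dig` block that sets `DIG_VARIANT`, or drop the unused `GET_VARIANT` probe if this script is meant to be something other than a copy of dehydrated-nsupdate. Independently, the zone walk at lines 1025-1036 has no exit condition: once `ZONE` has no dot left, `cut -d '.' -f 2-` returns it unchanged and the loop runs forever whenever no NS answer is obtained (resolver down, empty `DIG`), which hangs the whole dehydrated run; the same loop exists in dehydrated-nsupdate. Replace the `else` branch with `case "${ZONE}" in *.*) ZONE="${ZONE#*.}" ;; *) echo "'${HOOK}': no nameservers found for ${TXT_RECORD}" >&2; exit 1 ;; esac`.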
diff --git a/dehydrated/bin/dehydrated-nsupdate b/dehydrated/bin/dehydrated-nsupdate
index fa421ea..657cc48 100755
--- a/dehydrated/bin/dehydrated-nsupdate
+++ b/dehydrated/bin/dehydrated-nsupdate
@@ -45,30 +45,50 @@ esac
if command -v kdig > /dev/null 2>&1
then
# knot-dnsutils
- DIG="kdig +noidn"
+ DIG_VARIANT="knot"
elif command -v dig > /dev/null 2>&1
then
# bind-dnsutils
- DIG="dig +noidnout"
+ DIG_VARIANT="bind"
else
echo "'${HOOK}': need dig from bind-dnsutils or knot-dnsutils" >&2
exit 1
fi
+case "${DIG_VARIANT}" in
+ knot)
+ DIG="kdig +noidn"
+ ;;
+
+ bind)
+ DIG="dig +noidnout"
+ ;;
+esac
+
# alternatives handling for nsupdate
if command -v knsupdate > /dev/null 2>&1
then
# knot-dnsutils
- NSUPDATE="knsupdate"
+ NSUPDATE_VARIANT="knot"
elif command -v nsupdate > /dev/null 2>&1
then
# bind-dnsutils
- NSUPDATE="nsupdate"
+ NSUPDATE_VARIANT="bind"
else
echo "'${HOOK}': need nsupdate from bind-dnsutils or knot-dnsutils" >&2
exit 1
fi
+case "${NSUPDATE_VARIANT}" in
+ knot)
+ NSUPDATE="knsupdate"
+ ;;
+
+ bind)
+ NSUPDATE="nsupdate"
+ ;;
+esac
+
# config
for FILE in /etc/default/dehydrated-nsupdate /etc/default/dehydrated-nsupdate.d/*
do
@@ -88,9 +108,9 @@ else
TXT_RECORD="_acme-challenge.${DOMAIN}"
fi
-# find nameservers to update
ZONE="${TXT_RECORD}"
+# find all nameservers to update
while true
do
NAMESERVERS="$(${DIG} +nocomments +noquestion NS "${ZONE}" 2>&1 | grep -v '^;' | awk '/NS/ { print $5 }')"
@@ -104,15 +124,82 @@ do
fi
done
-if [ -n "${TSIG_KEYFILE}" ] && [ -e "${TSIG_KEYFILE}" ]
+NAMESERVERS_IPV6=""
+NAMESERVERS_IPV4=""
+
+for NAMESERVER in ${NAMESERVERS}
+do
+ if [ -n "$(${DIG} +nocomments +noquestion +short AAAA "${NAMESERVER}")" ]
+ then
+ NAMESERVERS_IPV6="${NAMESERVERS_IPV6} ${NAMESERVER}"
+ fi
+
+ if [ -n "$(${DIG} +nocomments +noquestion +short A "${NAMESERVER}")" ]
+ then
+ NAMESERVERS_IPV4="${NAMESERVERS_IPV4} ${NAMESERVER}"
+ fi
+done
+
+# filter nameservers by available IP protocol
+NAMESERVERS=""
+
+if hostname -I | grep -qs ':'
+then
+ NAMESERVERS="${NAMESERVERS} ${NAMESERVERS_IPV6}"
+fi
+
+if hostname -I | grep -qs '\.'
then
- NSUPDATE_OPTIONS="-k ${TSIG_KEYFILE}"
+ NAMESERVERS="${NAMESERVERS} ${NAMESERVERS_IPV4}"
fi
+NAMESERVERS="$(echo "${NAMESERVERS}" | sed -e 's| |\n|g' | sort -u -V)"
+
# update nameservers
for NAMESERVER in ${NAMESERVERS}
do
- echo -n " + sending '${HOOK_ACTION}' for ${TXT_RECORD} to ${NAMESERVER}..."
+ if [ -e "/etc/dehydrated/tsig/$(basename "${TXT_RECORD}" .).key" ]
+ then
+ # specific key per record
+ KEY="/etc/dehydrated/tsig/$(basename "${TXT_RECORD}" .).key"
+ elif [ -e "/etc/dehydrated/tsig/$(basename "${ZONE}" .).key" ]
+ then
+ # specific key per zone
+ KEY="/etc/dehydrated/tsig/$(basename "${ZONE}" .).key"
+ elif [ -e "/etc/dehydrated/tsig/$(basename "${NAMESERVER}" .).key" ]
+ then
+ # specific key per nameserver
+ KEY="/etc/dehydrated/tsig/$(basename "${NAMESERVER}" .).key"
+ elif [ -e "/etc/dehydrated/tsig.key" ]
+ then
+ # global key (filesystem)
+ KEY="/etc/dehydrated/tsig.key"
+ elif [ -n "${TSIG_KEYFILE}" ] && [ -e "${TSIG_KEYFILE}" ]
+ then
+ # global key (conffile)
+ KEY="${TSIG_KEYFILE}"
+ else
+ # no key
+ KEY=""
+ fi
+
+ # ignoring comments to allow empty keyfiles to disable TSIG individually
+ TSIG="$(grep -sv '^#' "${KEY}" || true)"
+
+ if [ -n "${KEY}" ] && [ -n "${TSIG}" ]
+ then
+ case "${NSUPDATE_VARIANT}" in
+ knot)
+ NSUPDATE_OPTIONS="-k ${KEY}"
+ ;;
+
+ bind)
+ NSUPDATE_OPTIONS="-y $(cat "${KEY}")"
+ ;;
+ esac
+ fi
+
+ echo -n " + sending '${HOOK_ACTION}' for ${TXT_RECORD} to ${NAMESERVER}.."
# shellcheck disable=SC2086
echo "server ${NAMESERVER}
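Review bot: `NSUPDATE_OPTIONS` is only ever set (lines 1257-1268), never cleared, so once one nameserver has a TSIG key every following nameserver without one (or with an intentionally empty "disabled" keyfile, as documented) is still sent the previous nameserver's key; add `NSUPDATE_OPTIONS=""` before the `if [ -n "${KEY}" ]` test, and the same applies to the identical block in dehydrated-get. For the bind variant, `-y $(cat "${KEY}")` puts the full TSIG secret on the nsupdate command line, where it is visible in the process list and in `set -x`/audit output; nsupdate also accepts `-k` with a key file (check the key file format it expects), which keeps the secret off argv. The enclosing `for NAMESERVER` loop continues past the end of this hunk.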
diff --git a/dehydrated/share/hooks/deploy_cert.chrony b/dehydrated/share/hooks/deploy_cert.chrony
new file mode 100755
index 0000000..b6744ff
--- /dev/null
+++ b/dehydrated/share/hooks/deploy_cert.chrony
@@ -0,0 +1,35 @@
+#!/bin/sh
+
+# Open Infrastructure: service-tools
+
+# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+#
+# SPDX-License-Identifier: GPL-3.0+
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+set -e
+
+if grep -Eqrs '^ *ntsservercert' /etc/chrony
+then
+ echo -n " + Copying certificate for chrony..."
+
+ # https://bugs.debian.org/1013882
+ cp -fL "${FULLCHAINFILE}" /etc/chrony/cert.pem
+ cp -fL "${KEYFILE}" /etc/chrony/key.pem
+
+ chown _chrony:_chrony /etc/chrony/cert.pem /etc/chrony/key.pem
+
+ echo " done."
+fi
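Review bot: The private key is copied to `/etc/chrony/key.pem` with whatever mode `cp -fL` inherits from the source or from an already existing target, so nothing here guarantees it is not group/world readable; add `chmod 0600 /etc/chrony/key.pem` after the `chown` on line 1310. The config detection also differs from the one in exit_hook.service-reload (`grep -Eqrs '^ *ntsservercert' /etc/chrony` here versus `chrony.conf` plus `conf.d/*` there), so a certificate could be deployed but the service not restarted, or vice versa; using the same path list in both hooks would avoid that.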
diff --git a/dehydrated/share/hooks/deploy_cert.extra b/dehydrated/share/hooks/deploy_cert.extra
new file mode 100755
index 0000000..391f767
--- /dev/null
+++ b/dehydrated/share/hooks/deploy_cert.extra
@@ -0,0 +1,88 @@
+#!/bin/sh
+
+# Open Infrastructure: service-tools
+
+# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+#
+# SPDX-License-Identifier: GPL-3.0+
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+set -e
+
+echo -n " + Creating extra certificate files..."
+
+DIRECTORY="$(dirname "${CERTFILE}")"
+
+if [ "$(grep -c 'BEGIN CERTIFICATE' ${FULLCHAINFILE})" -ge 3 ]
+then
+ # long chain:
+ # * chain.pem: (R3 | ISRG Root X1)
+ # * fullchain.pem: (Certificate | R3 | ISRG Root X1)
+ CHAIN="long"
+else
+ # short chain:
+ # * chain.pem: (R3)
+ # * fullchain.pem (Certificate | R3)
+ CHAIN="short"
+fi
+
+case "${CHAIN}" in
+ long)
+ # split chain.pem
+ TMPFILE="$(mktemp -p "${DIRECTORY}" -u ca.XXXXXXXXXX)"
+ grep -Ev '^$' "${CHAINFILE}" | csplit -f "${TMPFILE}" -s -z - '/-----BEGIN CERTIFICATE-----/' '{*}'
+
+ # intermediate (R3)
+ mv "${TMPFILE}00" "${DIRECTORY}/intermediate-${TIMESTAMP}.pem"
+ ln -sf "intermediate-${TIMESTAMP}.pem" "${DIRECTORY}/intermediate.pem"
+
+ # root (ISRG Root X1)
+ mv "${TMPFILE}01" "${DIRECTORY}/root-${TIMESTAMP}.pem"
+ ln -sf "root-${TIMESTAMP}.pem" "${DIRECTORY}/root.pem"
+ ;;
+
+ short)
+ # intermediate (R3)
+ grep -Ev '^$' "${DIRECTORY}/chain-${TIMESTAMP}.pem" > "${DIRECTORY}/intermediate-${TIMESTAMP}.pem"
+ ln -sf "intermediate-${TIMESTAMP}.pem" "${DIRECTORY}/intermediate.pem"
+
+ # root (ISRG Root X1)
+ ISSUER_URI="$(openssl x509 -in "${DIRECTORY}/chain-${TIMESTAMP}.pem" -text -noout | grep 'Authority Information Access:' -A1 | awk -FURI: '/http/ { print $2 }')"
+
+ if [ -n "${ISSUER_URI}" ]
+ then
+ wget -q "${ISSUER_URI}" -O - | openssl x509 -outform PEM > "${DIRECTORY}/root-${TIMESTAMP}.pem"
+ ln -sf "root-${TIMESTAMP}.pem" "${DIRECTORY}/root.pem"
+ fi
+ ;;
+esac
+
+# extra certificate permutations:
+# * privkey_fullchain.pem: postfix
+# * root_intermediate_cert.pem: redis
+
+for EXTRA in fullchain_privkey privkey_fullchain root_intermediate_cert
+do
+ rm -f "${DIRECTORY}/${EXTRA}-${TIMESTAMP}.pem"
+
+ for FILE in $(echo ${EXTRA} | sed -e 's|_| |g')
+ do
+ cat "${DIRECTORY}/${FILE}-${TIMESTAMP}.pem" >> "${DIRECTORY}/${EXTRA}-${TIMESTAMP}.pem"
+ done
+
+ ln -sf "${EXTRA}-${TIMESTAMP}.pem" "${DIRECTORY}/${EXTRA}.pem"
+done
+
+echo " done."
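Review bot: `privkey_fullchain-${TIMESTAMP}.pem` and `fullchain_privkey-${TIMESTAMP}.pem` are created by `>>` on line 1401 with the ambient umask, so the private key may be group/world readable until exit_hook.fix-permissions runs at the end; put `umask 077` before the loop on line 1395 (or `chmod 0600` each file right after creation). In the `short` branch the root certificate is fetched from the AIA URI and written as `root-${TIMESTAMP}.pem` without any check, and because the exit status of that pipeline is openssl's, a failed download leaves an empty file; when `ISSUER_URI` is empty no root file exists at all and the `cat` on line 1401 then fails, aborting the hook under `set -e` before the remaining permutations and symlinks are made. Also `${FULLCHAINFILE}` on line 1347 is unquoted, and the comments on lines 1350-1356 hard-code the names R3 / ISRG Root X1, which are just the current Let's Encrypt issuers; a generic "intermediate / root" wording would not go stale.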
diff --git a/dehydrated/share/hooks/deploy_ocsp.extra b/dehydrated/share/hooks/deploy_ocsp.extra
new file mode 100755
index 0000000..35a13f6
--- /dev/null
+++ b/dehydrated/share/hooks/deploy_ocsp.extra
@@ -0,0 +1,37 @@
+#!/bin/sh
+
+# Open Infrastructure: service-tools
+
+# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+#
+# SPDX-License-Identifier: GPL-3.0+
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+set -e
+
+echo " + Creating extra ocsp links..."
+
+DIRECTORY="$(dirname "${OCSPFILE}")"
+OCSP="$(readlink "${OCSPFILE}")"
+
+for EXTRA in fullchain_privkey privkey_fullchain
+do
+ EXTRA1="$(echo ${EXTRA} | awk -F_ '{ print $1 }')"
+ EXTRA2="$(echo ${EXTRA} | awk -F_ '{ print $2 }')"
+
+ ln -sf "${OCSP}" "${DIRECTORY}/${EXTRA1}_${EXTRA2}.pem.ocsp"
+done
+
+echo " done."
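Review bot: The split into `EXTRA1`/`EXTRA2` on lines 1444-1445 is a no-op, since `${EXTRA1}_${EXTRA2}` reassembles exactly `${EXTRA}` (and `echo ${EXTRA}` is unquoted); the loop body can simply be `ln -sf "${OCSP}" "${DIRECTORY}/${EXTRA}.pem.ocsp"`. Note also that `OCSP="$(readlink "${OCSPFILE}")"` on line 1440 fails under `set -e` if `OCSPFILE` is a regular file rather than a symlink, which as far as I can tell would abort the hook; a `[ -L "${OCSPFILE}" ] || exit 0` guard would make that explicit.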
diff --git a/dehydrated/share/hooks/exit_hook.extra-cleanup b/dehydrated/share/hooks/exit_hook.extra-cleanup
new file mode 100755
index 0000000..fc09f7b
--- /dev/null
+++ b/dehydrated/share/hooks/exit_hook.extra-cleanup
@@ -0,0 +1,77 @@
+#!/bin/sh
+
+# Open Infrastructure: service-tools
+
+# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+#
+# SPDX-License-Identifier: GPL-3.0+
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+set -e
+
+echo -n " + Cleanup extra certificate files..."
+
+for EXTRA in root intermediate fullchain_privkey privkey_fullchain root_intermediate_cert
+do
+ for CERTIFICATE in "${CERTDIR}"/*/
+ do
+ if ! ls "${CERTIFICATE}"/${EXTRA}*.pem > /dev/null 2>&1
+ then
+ continue
+ fi
+
+ SYMLINK="${CERTIFICATE}/${EXTRA}.pem"
+ ORIGINAL="$(readlink -f "${SYMLINK}")"
+
+ if [ -e "${SYMLINK}" ] && [ ! -e "${ORIGINAL}" ]
+ then
+ # remove dangling symlink
+ rm -f "${SYMLINK}"
+ fi
+
+ if [ -e "${SYMLINK}.ocsp" ] && [ ! -e "${ORIGINAL}.ocsp" ]
+ then
+ # remove dangling symlink
+ rm -f "${SYMLINK}.ocsp"
+ fi
+
+ if [ -e "${SYMLINK}" ]
+ then
+ for FILE in "${CERTIFICATE}/${EXTRA}"-[0-9]*.pem
+ do
+ case "$(basename "${FILE}")" in
+ "$(basename "${ORIGINAL}")")
+ continue
+ ;;
+
+ *)
+ # archive unused files
+ ARCHIVE="${BASEDIR}/archive/$(basename "${CERTIFICATE}")"
+ mkdir -p "${ARCHIVE}"
+
+ mv "${FILE}" "${ARCHIVE}"
+
+ if [ -e "${FILE}.ocsp" ]
+ then
+ mv "${FILE}.ocsp" "${ARCHIVE}"
+ fi
+ ;;
+ esac
+ done
+ fi
+ done
+done
+
+echo " done."
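Review bot: The inner loop on line 1508 iterates over the unquoted-pattern glob `"${CERTIFICATE}/${EXTRA}"-[0-9]*.pem`; `/bin/sh` has no nullglob, so with no match `FILE` holds the literal pattern and the `mv` on line 1520 fails, terminating the hook under `set -e`. Add `[ -e "${FILE}" ] || continue` as the first statement of that loop. The pre-check on line 1486 is also looser than it looks: for `EXTRA=root`, `root*.pem` matches `root_intermediate_cert*.pem` too, so it does not really test for the `root` files; the `[ -e "${SYMLINK}" ]` tests below already cover the case and the `ls` check could be dropped.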
diff --git a/dehydrated/share/hooks/exit_hook.fix-permissions b/dehydrated/share/hooks/exit_hook.fix-permissions
index 1e089f7..aa15553 100755
--- a/dehydrated/share/hooks/exit_hook.fix-permissions
+++ b/dehydrated/share/hooks/exit_hook.fix-permissions
@@ -21,17 +21,20 @@
set -e
-echo " + Fixing permissions..."
+if [ ! -e "${CERTDIR}" ]
+then
+ exit 0
+fi
if getent group ssl-cert > /dev/null 2>&1
then
- echo -n " + /var/lib/dehydrated/certs:"
-
- find /var/lib/dehydrated/certs -type d -exec chmod 0750 {} \;
- find /var/lib/dehydrated/certs -type f -exec chmod 0640 {} \;
+ echo -n " + Fixing file owner and permissions..."
# https://bugs.debian.org/854431
- chown -R root:ssl-cert /var/lib/dehydrated/certs
+ chown -R root:ssl-cert "${CERTDIR}"
+
+ find "${CERTDIR}" -type d -exec chmod 0750 {} \;
+ find "${CERTDIR}" -type f -exec chmod 0640 {} \;
echo " done."
fi
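Review bot: The `find ... -exec chmod ... {} \;` calls on lines 1556-1557 spawn one chmod per file; `-exec chmod 0750 {} +` and `-exec chmod 0640 {} +` do the same in a handful of processes. The new `[ ! -e "${CERTDIR}" ]` guard on line 1541 also makes an unset `CERTDIR` exit silently with status 0; a short comment such as `# nothing to do when dehydrated has not created any certificates yet` would make that intent clear to the next reader.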
diff --git a/dehydrated/share/hooks/exit_hook.service-reload b/dehydrated/share/hooks/exit_hook.service-reload
index daba7dd..6d20eb9 100755
--- a/dehydrated/share/hooks/exit_hook.service-reload
+++ b/dehydrated/share/hooks/exit_hook.service-reload
@@ -21,15 +21,99 @@
set -e
-echo " + Reloading services..."
+Run_apache2 ()
+{
+ if grep -Eqrs '^ *SSLCertificateFile' /etc/apache2/sites-enabled
+ then
+ service apache2 stop
+ service apache2 start
+ fi
+}
+
+Run_chrony ()
+{
+ if grep -Eqrs '^ *ntsservercert' /etc/chrony/chrony.conf /etc/chrony/conf.d/*
+ then
+ service chrony restart
+ fi
+}
+
+Run_freeradius ()
+{
+ if grep -Eqrs 'certificate_file = /var/lib/dehydrated' /etc/freeradius/*/*
+ then
+ service freeradius reload
+ fi
+}
+
+Run_haproxy ()
+{
+ if grep 'ssl crt' /etc/haproxy/haproxy.cfg | grep -qsv '^#'
+ then
+ service haproxy reload
+ fi
+}
+
+Run_knot_resolver ()
+{
+ if grep -Eqrs '^ *net.tls' /etc/knot-resolver/*
+ then
+ INSTANCES="$(systemctl | grep -c 'kresd@*.service')"
+
+ if [ "${INSTANCES}" -gt 0 ]
+ then
+ for INSTANCE in $(seq 1 "${INSTANCES}")
+ do
+ service kresd@"${INSTANCE}" restart
+ done
+ fi
+ fi
+}
+
+Run_postfix ()
+{
+ if grep -Eqrs '^ *smtpd_tls' /etc/postfix/main.cf
+ then
+ service postfix restart
+ fi
+}
+
+Run_postgresql ()
+{
+ if grep -Eqrs '^ *ssl_cert_file' /etc/postgresql/*
+ then
+ service postgresql reload
+ fi
+}
+
+Run_redis_sentinel ()
+{
+ if grep -Eqrs '^ *tls-cert-file' /etc/redis/sentinel.conf
+ then
+ service redis-sentinel restart
+ fi
+}
+
+Run_redis_server ()
+{
+ if grep -Eqrs '^ *tls-cert-file' /etc/redis/redis.conf
+ then
+ service redis-server restart
+ fi
+}
+
+echo " + Reloading services:"
+
+SERVICES="apache2 chrony freeradius haproxy knot-resolver postfix postgresql redis-sentinel redis-server"
-for SERVICE in apache2 haproxy postgresql redis-server
+for SERVICE in ${SERVICES}
do
- if service ${SERVICE} status > /dev/null 2>&1
+ if service "${SERVICE}" status > /dev/null 2>&1
then
echo -n " + ${SERVICE}:"
- service ${SERVICE} reload || service ${SERVICE} restart
+ RELOAD="Run_$(echo "${SERVICE}" | sed -e 's|-|_|g')"
+ ${RELOAD}
echo " done."
fi
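Review bot: `Run_knot_resolver` counts `kresd@*.service` units and then restarts `kresd@1` .. `kresd@N`, which assumes instances are numbered contiguously from 1; with instances such as `kresd@1` and `kresd@3` it would restart a non-existent `kresd@2` and, because `set -e` is in effect, abort the hook. Enumerating the actual unit names avoids the assumption, see below. The same `set -e` interaction affects the whole dispatch loop on lines 1652-1662: the old code had `reload || restart` as a fallback, while now any non-zero status from `${RELOAD}` ends the script and the services after it in `SERVICES` are never reloaded; wrapping the call as `${RELOAD} || echo " failed." >&2` (or collecting a failure flag and exiting non-zero at the end) keeps one broken service from blocking the others.
```shell
Run_knot_resolver ()
{
	if grep -Eqrs '^ *net.tls' /etc/knot-resolver/*
	then
		# restart the instances that actually exist instead of assuming 1..N
		for UNIT in $(systemctl list-units --plain --no-legend 'kresd@*.service' | awk '{ print $1 }')
		do
			systemctl restart "${UNIT}"
		done
	fi
}
```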
diff --git a/dehydrated/share/man/dehydrated-cron.1.rst b/dehydrated/share/man/dehydrated-cron.1.rst
index c060127..cd93a30 100644
--- a/dehydrated/share/man/dehydrated-cron.1.rst
+++ b/dehydrated/share/man/dehydrated-cron.1.rst
@@ -36,12 +36,25 @@ Synopsis
Description
===========
-**dehydrated** is a client for ACME-based Certificate Authorities, such as
-LetsEncrypt. It can be used to request and obtain TLS certificates from an
-ACME-based certificate authority.
+**dehydrated** is a client for ACME-based Certificate Authorities, such as LetsEncrypt. It can be used to request and obtain TLS certificates from an ACME-based certificate authority.
+
+The **dehydrated-cron** script runs dehydrated once per day and on system reboot for an automatic certificate renewal.
+
+It uses the dehydrated '--keep-going' option to keep going after encountering an error while creating/renewing multiple certificates. Afterwards it also removes all unused certificates by using the dehydrated '--cleanup-delete' option.
+
+Usage
+=====
+
+Installation
+------------
+
+| sudo ln -s /usr/bin/dehydrated-cron /etc/cron.d/dehydrated
+
+Removal
+-------
+
+| sudo rm -f /etc/cron.d/dehydrated
-The **dehydrated-cron** script runs dehydrated once per day and on system
-reboot for an automatic certificate renewal.
Files
=====
@@ -67,21 +80,16 @@ See also
Homepage
========
-More information about service-tools and the Open Infrastructure project can be
-found on the homepage (https://open-infrastructure.net).
+More information about service-tools and the Open Infrastructure project can be found on the homepage (https://open-infrastructure.net).
Contact
=======
-Bug reports, feature requests, help, patches, support and everything else are
-welcome on the Open Infrastructure Software Mailing List
-<software@lists.open-infrastructure.net>.
+Bug reports, feature requests, help, patches, support and everything else are welcome on the Open Infrastructure Software Mailing List <software@lists.open-infrastructure.net>.
-Debian specific bugs can also be reported in the Debian Bug Tracking System
-(https://bugs.debian.org).
+Debian specific bugs can also be reported in the Debian Bug Tracking System (https://bugs.debian.org).
Authors
=======
-service-tools were written by Daniel Baumann
-<daniel.baumann@open-infrastructure.net> and others.
+service-tools were written by Daniel Baumann <daniel.baumann@open-infrastructure.net> and others.
diff --git a/dehydrated/share/man/dehydrated-hook.1.rst b/dehydrated/share/man/dehydrated-hook.1.rst
index 607be92..de63127 100644
--- a/dehydrated/share/man/dehydrated-hook.1.rst
+++ b/dehydrated/share/man/dehydrated-hook.1.rst
@@ -36,43 +36,45 @@ Synopsis
Description
===========
-**dehydrated** is a client for ACME-based Certificate Authorities, such as
-LetsEncrypt. It can be used to request and obtain TLS certificates from an
-ACME-based certificate authority.
+**dehydrated** is a client for ACME-based Certificate Authorities, such as LetsEncrypt. It can be used to request and obtain TLS certificates from an ACME-based certificate authority.
-The **dehydrated-hook** makes it possible to run multiple scripts in every
-stage within the process of creating, signing and deploying a certificate.
+The **dehydrated-hook** makes it possible to run multiple scripts in every stage within the process of creating, signing and deploying a certificate.
-Scripts need to be placed in /etc/dehydrated/hook.d and need to be prefixed
-with the name of the handler, e.g. exit_hook.example1 or exit_hook.example2.sh
+Scripts need to be placed in /etc/dehydrated/hook.d and need to be prefixed with the name of the handler, e.g. exit_hook.example1 or exit_hook.example2.sh
Handlers
========
The following **dehydrated** handlers are available:
+|
| deploy_challenge
-
| clean_challenge
-
| sync_cert
-
| deploy_cert
-
| deploy_ocsp
-
| unchanged_cert
-
| invalid_challenge
-
| request_failure
-
| generate_csr
-
| startup_hook
-
| exit_hook
+Usage
+=====
+
+Installation
+------------
+
+| sudo echo HOOK="/usr/bin/dehydrated-hook" > /etc/dehydrated/conf.d/zz-hook.sh
+| sudo mkdir -p /etc/dehydrated/hook.d
+
+Removal
+-------
+
+| sudo rm -f /etc/dehydrated/conf.d/zz-hook.sh
+| sudo rmdir /etc/dehydrated/hook.d
+
Files
=====
@@ -91,21 +93,16 @@ See also
Homepage
========
-More information about service-tools and the Open Infrastructure project can be
-found on the homepage (https://open-infrastructure.net).
+More information about service-tools and the Open Infrastructure project can be found on the homepage (https://open-infrastructure.net).
Contact
=======
-Bug reports, feature requests, help, patches, support and everything else are
-welcome on the Open Infrastructure Software Mailing List
-<software@lists.open-infrastructure.net>.
+Bug reports, feature requests, help, patches, support and everything else are welcome on the Open Infrastructure Software Mailing List <software@lists.open-infrastructure.net>.
-Debian specific bugs can also be reported in the Debian Bug Tracking System
-(https://bugs.debian.org).
+Debian specific bugs can also be reported in the Debian Bug Tracking System (https://bugs.debian.org).
Authors
=======
-service-tools were written by Daniel Baumann
-<daniel.baumann@open-infrastructure.net> and others.
+service-tools were written by Daniel Baumann <daniel.baumann@open-infrastructure.net> and others.
diff --git a/dehydrated/share/man/dehydrated-nsupdate.1.rst b/dehydrated/share/man/dehydrated-nsupdate.1.rst
index 058785f..d4b097b 100644
--- a/dehydrated/share/man/dehydrated-nsupdate.1.rst
+++ b/dehydrated/share/man/dehydrated-nsupdate.1.rst
@@ -36,15 +36,12 @@ Synopsis
Description
===========
-**dehydrated** is a client for ACME-based Certificate Authorities, such as
-LetsEncrypt. It can be used to request and obtain TLS certificates from an
-ACME-based certificate authority.
+**dehydrated** is a client for ACME-based Certificate Authorities, such as LetsEncrypt. It can be used to request and obtain TLS certificates from an ACME-based certificate authority.
-The **dehydrated-nsupdate** hook implements the dns-01 verification. It is
-typically run together with **dehydrated-hook** as:
+The **dehydrated-nsupdate** hook implements the dns-01 verification. It is typically run together with **dehydrated-hook** as:
+|
| /etc/dehydrated/hook.d/deploy_challenge.nsupdate
-
| /etc/dehydrated/hook.d/clean_challenge.nsupdate
Features
@@ -52,31 +49,87 @@ Features
**dehydrated-nsupdate** has the following features:
-| **automatic nameserver detection**
-| **dehydrated-nsupdate** automatically finds and updates all authoritative
-| nameservers for a given record by looking up the records in the DNS by itself.
+Automatic nameserver detection (IPv4 and IPv6)
+----------------------------------------------
+
+dehydrated-nsupdate automatically finds and updates all authoritative nameservers for a given record by looking up the records in the DNS by itself, supporting IPv6-only, IPv4-only, and dual-stacked environments.
+
+Proper CNAME support
+--------------------
+
+dehydrated-nsupdate follows CNAMEs delegating the TXT record update to another zone.
+
+Handling nameserver subzone shortcuts
+-------------------------------------
+
+dehydrated-nsupdate correctly handles authoritative nameserver answers that (wrongly) give shortcut answers for their own zones when using multiple authoritative subzones on the same nameservers.
+
+TSIG support
+------------
-| **proper CNAME support**
-| **dehydrated-nsupdate** follows CNAMEs delegating the TXT record creation to
-| another zone.
+dehydrated-nsupdate uses TSIG, if provided, to authenticate itself to the nameserver. Additionally to a global TSIG to be used for all record updates, separate TSIGs can individually be specified per record, per zone, and per nameserver.
-| **handling nameserver subzone shortcuts**
-| **dehydrated-nsupdate** correctly handles authoritative nameserver
-| answers that give shortcut answers for their own zones when using
-| multiple subzones.
+Proper removal of TXT records
+-----------------------------
-| **TSIG support**
-| **dehydrated-nsupdate** uses TSIG, if provided, to authenticate
-| itself to the nameserver.
+dehydrated-nsupdate removes records after succesfull verification.
+
+bind9-dnsutils and knot-dnsutils support
+----------------------------------------
+
+dehydrated-nsupdate works with both nsupdate (bind9) and knsupdate (knot).
+
+IDN handling
+------------
+
+dehydrated-nsupdate works with IDN domains by not expanding the punycode to update the correct records.
+
+Usage
+=====
-| **proper removal of TXT records**
-| **dehydrated-nsupdate** removes records after succesfull verification.
+dehydrated-hook(1) is a prerequisite for dehydrated-nsupdate.
-| **bind9-dnsutils and knot-dnsutils support*
-| **dehydrated-nsupdate** works with both nsupdate (bind9) and knsupdate (knot).
+Installation
+------------
-| **IDN handling**
-| **dehydrated-nsupdate** works with IDN domains by not expanding the punycode.
+| sudo echo CHALLENGETYPE="dns-01" > /etc/dehydrated/conf.d/zz-challengetype.sh
+| sudo ln -s /usr/bin/dehydrated-nsupdate /etc/dehydrated/hook.d/deploy_challenge.nsupdate
+| sudo ln -s /usr/bin/dehydrated-nsupdate /etc/dehydrated/hook.d/clean_challenge.nsupdate
+
+Removal
+-------
+
+| sudo rm -f /etc/dehydrated/conf.d/zz-challengetype.sh
+| sudo rm -f /etc/dehydrated/hook.d/deploy_challenge.nsupdate
+| sudo rm -f /etc/dehydrated/hook.d/clean_challenge.nsupdate
+
+Configuration
+=============
+
+Depending on the nameserver requirements, dehydrated-nsupdate can send record updates either unauthenticated or using a TSIG (recommended).
+
+A TSIG file consists of one single line containing the key (nsupdate/knsupdate do not allow comments), e.g.:
+
+|
+| hmac-sha512:example:/LXPy6U8HAWA+QmvulZWm0owsQgNf8qJ5MNLTvirzvVtDb+PzLKoBmVHjnL6TUffkvRYa7Do448dSIrAuJ1G/A==
+
+Instead of using a global TSIG for all record update, specific TSIGs can be used individually per record, zone, and nameserver.
+
+The lookup hierarchy is the following (first match wins):
+
+|
+| /etc/dehydrated/tsig/${record}.key
+| /etc/dehydrated/tsig/${zone}.key
+| /etc/dehydrated/tsig/${nameserver}.key
+| /etc/dehydrated/tsig.key
+|
+| TSIG_KEYFILE variable in /etc/default/dehydrated-nsupdate/*
+| TSIG_KEYFILE variable in /etc/default/dehydrated-nsupdate
+
+In order to explicitly not use a TSIG for a specific record, zone, or nameserver, an empty keyfile or a keyfile with only comments can be used, e.g.:
+
+|
+| echo "# disabled" > /etc/dehydrated/tsig/ns1.example.org.key
Files
=====
@@ -84,11 +137,13 @@ Files
The following files are used:
/etc/dehydrated/tsig.key:
- default location for the TSIG key to be used.
+ default location for global TSIG key to be used.
+
+/etc/dehydrated/tsig/${record}.key, /etc/dehydrated/tsig/${zone}.key, /etc/dehydrated/tsig/${nameserver}.key:
+ default locations for specific TSIG keys to be used individually per record, zone, or nameserver.
-/etc/default/dehydrated-nsupdate, /etc/default/dehydrated-nsupdate.d/*:
- configuration file, currently only used for TSIG_KEYFILE variable pointing
- to the tsig.key file to be used (default: /etc/dehydrated/tsig.key).
+/etc/default/dehydrated-nsupdate, /etc/default/dehydrated-nsupdate.d/\*:
+ configuration file, currently only used for TSIG_KEYFILE variable pointing to the location of the global TSIG key to be used (default: /etc/dehydrated/tsig.key).
See also
========
@@ -100,21 +155,16 @@ See also
Homepage
========
-More information about service-tools and the Open Infrastructure project can be
-found on the homepage (https://open-infrastructure.net).
+More information about service-tools and the Open Infrastructure project can be found on the homepage (https://open-infrastructure.net).
Contact
=======
-Bug reports, feature requests, help, patches, support and everything else are
-welcome on the Open Infrastructure Software Mailing List
-<software@lists.open-infrastructure.net>.
+Bug reports, feature requests, help, patches, support and everything else are welcome on the Open Infrastructure Software Mailing List <software@lists.open-infrastructure.net>.
-Debian specific bugs can also be reported in the Debian Bug Tracking System
-(https://bugs.debian.org).
+Debian specific bugs can also be reported in the Debian Bug Tracking System (https://bugs.debian.org).
Authors
=======
-service-tools were written by Daniel Baumann
-<daniel.baumann@open-infrastructure.net> and others.
+service-tools were written by Daniel Baumann <daniel.baumann@open-infrastructure.net> and others.
diff --git a/dnsdist/Makefile b/dnsdist/Makefile
new file mode 100644
index 0000000..6b3744b
--- /dev/null
+++ b/dnsdist/Makefile
@@ -0,0 +1,80 @@
+# Open Infrastructure: service-tools
+
+# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+#
+# SPDX-License-Identifier: GPL-3.0+
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+SHELL := sh -e
+
+SCRIPTS = bin/*
+
+all: build
+
+test:
+ @echo -n "Checking for syntax errors with sh... "
+ @for SCRIPT in $(SCRIPTS); \
+ do \
+ sh -n $${SCRIPT}; \
+ echo -n "."; \
+ done
+ @echo " done."
+
+ @echo -n "Checking for bashisms... "
+ @if [ -x /usr/bin/checkbashisms ]; \
+ then \
+ for SCRIPT in $(SCRIPTS); \
+ do \
+ checkbashisms -f -x $${SCRIPT}; \
+ echo -n "."; \
+ done; \
+ else \
+ echo "Note: devscripts not installed, skipping checkbashisms."; \
+ fi
+ @echo " done."
+
+ @echo -n "Checking with shellcheck... "
+ @if [ -x /usr/bin/shellcheck ]; \
+ then \
+ for SCRIPT in $(SCRIPTS); \
+ do \
+ shellcheck -e SC2039 $${SCRIPT}; \
+ echo -n "."; \
+ done; \
+ else \
+ echo "Note: shellcheck not installed, skipping shellcheck."; \
+ fi
+ @echo " done."
+
+build:
+
+install: build
+ mkdir -p $(DESTDIR)/usr/bin
+ cp -r bin/* $(DESTDIR)/usr/bin
+
+uninstall:
+ for FILE in bin/*; \
+ do \
+ rm -f $(DESTDIR)/usr/bin/$$(basename $${FILE}); \
+ done
+ rmdir --ignore-fail-on-non-empty --parents $(DESTDIR)/usr/bin || true
+
+ rmdir --ignore-fail-on-non-empty --parents $(DESTDIR) || true
+
+clean:
+
+distclean:
+
+reinstall: uninstall install
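Review bot: The `test` recipe relies on `echo -n` (in the `Checking ...` banners and the `echo -n "."` progress dots) even though it runs under `SHELL := sh -e`, and `-n` is not guaranteed by POSIX echo, so on a strict sh the literal `-n` is printed; `printf '%s' "Checking for syntax errors with sh... "` is the portable form. `sh -n $${SCRIPT}` and the `checkbashisms`/`shellcheck` invocations are also unquoted, so a path with spaces under `bin/` would split. The identical recipe is duplicated verbatim in kea/Makefile and linux/Makefile in this commit, so whichever fix is chosen needs applying to all three (or the shared part moved into one included makefile).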
diff --git a/dnsdist/bin/dnsdist-console b/dnsdist/bin/dnsdist-console
new file mode 100755
index 0000000..ea26d63
--- /dev/null
+++ b/dnsdist/bin/dnsdist-console
@@ -0,0 +1,61 @@
+#!/bin/sh
+
+# Open Infrastructure: service-tools
+
+# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+#
+# SPDX-License-Identifier: GPL-3.0+
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+set -e
+
+PROGRAM="$(basename "${0}")"
+
+Usage ()
+{
+ if [ -z "${OPTIONS}" ]
+ then
+ echo "'${PROGRAM}': incomplete or invalid configuration in /etc/default/dnsdist" >&2
+ exit 1
+ fi
+}
+
+if [ ! -r /etc/dnsdist/dnsdist.conf ]
+then
+ Usage
+fi
+
+CONTROL_SOCKET="$(awk -F\' '/^controlSocket\(/ { print $2 }' /etc/dnsdist/dnsdist.conf)"
+KEY="$(awk -F\' '/^setKey\(/ { print $2 }' /etc/dnsdist/dnsdist.conf)"
+
+OPTIONS=""
+
+if [ -n "${CONTROL_SOCKET}" ]
+then
+ OPTIONS="${OPTIONS} -c ${CONTROL_SOCKET}"
+fi
+
+if [ -n "${KEY}" ]
+then
+ OPTIONS="${OPTIONS} -k ${KEY}"
+fi
+
+if [ -z "${OPTIONS}" ]
+then
+ Usage
+fi
+
+# shellcheck disable=SC2086
+dnsdist ${OPTIONS}
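Review bot: The error printed by `Usage` names `/etc/default/dnsdist`, but the only file the script reads is `/etc/dnsdist/dnsdist.conf` (the `-r` test and both `awk` calls), so a user hitting the error is sent to the wrong file; `echo "'${PROGRAM}': controlSocket/setKey not found in /etc/dnsdist/dnsdist.conf" >&2` states what is actually checked. Passing the console key as `-k ${KEY}` puts the shared secret into the argv of the dnsdist client process, where any local user can read it via `ps` or /proc; if dnsdist's client mode can take the key from the configuration file (as far as I recall it reads `setKey` from the file given with `-C`), preferring that keeps the secret out of the process list. The `awk -F\'` extraction also only recognises single-quoted values, so a config written with double quotes yields empty OPTIONS and the same misleading message.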
diff --git a/git/bin/git-checkout-branches b/git/bin/git-checkout-branches
index c0c586c..220386f 100755
--- a/git/bin/git-checkout-branches
+++ b/git/bin/git-checkout-branches
@@ -29,7 +29,7 @@ do
BRANCH="$(echo "${REMOTE_BRANCH}" | cut -d/ -f 2-)"
case "${BRANCH}" in
- HEAD|${CURRENT_BRANCH})
+ HEAD|"${CURRENT_BRANCH}")
continue
;;
esac
diff --git a/git/bin/git-pull-branches b/git/bin/git-pull-branches
new file mode 100755
index 0000000..afa2e63
--- /dev/null
+++ b/git/bin/git-pull-branches
@@ -0,0 +1,54 @@
+#!/bin/sh
+
+# Open Infrastructure: service-tools
+
+# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+#
+# SPDX-License-Identifier: GPL-3.0+
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+set -e
+
+CURRENT_BRANCH="$(git branch --show-current)"
+REMOTE_BRANCHES="$(git branch -r | awk '{ print $1 }')"
+
+# pull current branch
+git pull
+
+# pull remote branches
+for REMOTE_BRANCH in ${REMOTE_BRANCHES}
+do
+ BRANCH="$(echo "${REMOTE_BRANCH}" | cut -d/ -f 2-)"
+
+ case "${BRANCH}" in
+ HEAD|"${CURRENT_BRANCH}")
+ continue
+ ;;
+ esac
+
+ if git branch | sed -e 's|\*||' | grep -qs " ${BRANCH}$"
+ then
+ git checkout "${BRANCH}"
+ git pull
+ else
+ git checkout -b "${BRANCH}" "${REMOTE_BRANCH}"
+ fi
+done
+
+# checkout current branch
+if [ "$(git branch --show-current)" != "${CURRENT_BRANCH}" ]
+then
+ git checkout "${CURRENT_BRANCH}"
+fi
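Review bot: The local-branch test `git branch | sed -e 's|\*||' | grep -qs " ${BRANCH}$"` treats the branch name as a regular expression, so a name containing `.` or `+` can match a different branch (`release/1.0` also matches `release/1x0`) and the script then pulls the wrong one; `git show-ref --verify --quiet "refs/heads/${BRANCH}"` is the exact check. `git branch --show-current` prints nothing on a detached HEAD, so CURRENT_BRANCH is empty, the `case` skips nothing, and the final `git checkout "${CURRENT_BRANCH}"` fails; guarding with `[ -n "${CURRENT_BRANCH}" ] || exit 1` before the loop avoids that. Because `set -e` is active, a failing `git pull` mid-loop also exits with the working tree left on that branch rather than the original one, which the trailing checkout cannot repair.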
diff --git a/git/bin/git-whoami b/git/bin/git-whoami
index 9cab9bc..50f432a 100755
--- a/git/bin/git-whoami
+++ b/git/bin/git-whoami
@@ -10,24 +10,24 @@
set -e
get_email() {
- git config user.email || ( [ -n "$EMAIL" ] && echo "$EMAIL" ) || echo "$(id -nu)@$(hostname --fqdn)"
+ git config user.email || ( [ -n "${EMAIL}" ] && echo "${EMAIL}" ) || echo "$(id -nu)@$(hostname --fqdn)"
}
get_name() {
- git config user.name || getent passwd $(id -un) | cut -d : -f 5 | cut -d , -f 1
+ git config user.name || getent passwd "$(id -un)" | cut -d : -f 5 | cut -d , -f 1
}
-: ${GIT_AUTHOR_NAME=$(get_name)}
-: ${GIT_COMMITTER_NAME=$(get_name)}
-: ${GIT_AUTHOR_EMAIL=$(get_email)}
-: ${GIT_COMMITTER_EMAIL=$(get_email)}
+GIT_AUTHOR_NAME="${GIT_AUTHOR_NAME:-$(get_name)}"
+GIT_AUTHOR_EMAIL="${GIT_AUTHOR_EMAIL:-$(get_email)}"
+GIT_COMMITTER_NAME="${GIT_COMMITER_NAME:-$(get_name)}"
+GIT_COMMITTER_EMAIL="${GIT_COMMITER_EMAIL:-$(get_email)}"
-author="$GIT_AUTHOR_NAME <$GIT_AUTHOR_EMAIL>"
-commit="$GIT_COMMITTER_NAME <$GIT_COMMITTER_EMAIL>"
+author="$GIT_AUTHOR_NAME <${GIT_AUTHOR_EMAIL}>"
+commit="$GIT_COMMITTER_NAME <${GIT_COMMITTER_EMAIL}>"
-if [ "$author" = "$commit" ]; then
- echo "$author"
+if [ "${author}" = "${commit}" ]; then
+ echo "${author}"
else
- echo "Author: $author"
- echo "Commit: $commit"
+ echo "Author: ${author}"
+ echo "Commit: ${commit}"
fi
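Review bot: The new committer defaults read `GIT_COMMITER_NAME` and `GIT_COMMITER_EMAIL` (one T), so an exported `GIT_COMMITTER_NAME`/`GIT_COMMITTER_EMAIL` is ignored and the committer is always derived from `get_name`/`get_email`, which the removed `: ${GIT_COMMITTER_NAME=...}` lines did honour. The lines should read `GIT_COMMITTER_NAME="${GIT_COMMITTER_NAME:-$(get_name)}"` and `GIT_COMMITTER_EMAIL="${GIT_COMMITTER_EMAIL:-$(get_email)}"`. Note also that `:-` now replaces a variable that is set but empty, where the old `=` form kept it, and the `author=`/`commit=` lines mix `$GIT_AUTHOR_NAME` with `${GIT_AUTHOR_EMAIL}`, which the brace-style cleanup in the rest of the hunk presumably meant to normalise.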
diff --git a/git/share/hooks/post-update.d/irker-notification b/git/share/hooks/post-update.d/irker-notification
index 1ad6f54..7c712db 100755
--- a/git/share/hooks/post-update.d/irker-notification
+++ b/git/share/hooks/post-update.d/irker-notification
@@ -28,7 +28,7 @@ fi
echo "sending IRC notification"
-while read OLD NEW REFNAME
+while read -r OLD NEW REFNAME
do
- irkerhook --refname=${REFNAME} $(git rev-list --reverse ${OLD}..${NEW})
+ irkerhook --refname="${REFNAME}" "$(git rev-list --reverse "${OLD}".."${NEW}")"
done
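Review bot: Quoting `"$(git rev-list --reverse "${OLD}".."${NEW}")"` turns the whole revision list into a single argument containing newlines, whereas the removed line relied on word splitting to hand irkerhook one revision per argument; unless irkerhook splits that argument itself (not visible here), pushes of more than one commit now behave differently. If the intent is only to satisfy shellcheck, keep the substitution unquoted and mark it with `# shellcheck disable=SC2046` on the line above, matching the SC2153 suppression this commit adds in irkerhook-debian. The `read -r` change itself is correct for the three whitespace-separated fields.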
diff --git a/irker/bin/irk.py b/irker/bin/irk.py
new file mode 100755
index 0000000..01045af
--- /dev/null
+++ b/irker/bin/irk.py
@@ -0,0 +1,43 @@
+#!/usr/bin/python3
+
+# Copyright (C) 2013-2021 Daniel Baumann <daniel@debian.org>
+#
+# SPDX-License-Identifier: GPL-3.0+
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+from cgi import FieldStorage
+from datetime import datetime
+from os import getenv
+from subprocess import Popen, PIPE
+from sys import exit
+
+def main():
+ form = FieldStorage()
+
+ if form.getvalue("target") and form.getvalue("message"):
+ Target = form.getvalue("target").split()[0]
+ Message = form.getvalue("message").split()[0]
+
+ print('Content-Type: text/html\n')
+
+ Date = datetime.now().strftime("%Y-%m-%d %H:%M:%S")
+
+ print('Target: ' + Target)
+ print('Message: ' + Message)
+
+ exit(0)
+
+if __name__ == '__main__':
+ main()
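Review bot: `main` echoes the request's `target` and `message` values back unescaped under `Content-Type: text/html`, so a crafted value is rendered as markup in the response (reflected XSS); either answer as `text/plain` or wrap the values with `html.escape()` from the standard library. `cgi.FieldStorage` decodes form-encoded and multipart bodies, and the `cgi` module is deprecated since Python 3.11 and removed in 3.13, so the JSON bodies the companion test scripts POST are probably not parsed into fields at all — worth confirming against the `test.sh` request. `.split()[0]` also truncates `message` to its first whitespace-separated token (`"xyz xyz"` becomes `xyz`), which reads like an accidental sanitiser rather than intended behaviour, and `Date`, `getenv`, `Popen` and `PIPE` are assigned or imported but never used.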
diff --git a/irker/bin/irkerhook-debian b/irker/bin/irkerhook-debian
index a0f6d52..ce8dfb4 100755
--- a/irker/bin/irkerhook-debian
+++ b/irker/bin/irkerhook-debian
@@ -40,6 +40,7 @@ fi
echo "sending IRC notification"
+# shellcheck disable=SC2153
for IRC_CHANNEL in ${IRC_CHANNELS}
do
irk "${IRC_CHANNEL}" "${MESSAGE}"
diff --git a/irker/bin/test-0.sh b/irker/bin/test-0.sh
new file mode 100755
index 0000000..cf67db8
--- /dev/null
+++ b/irker/bin/test-0.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+curl -i \
+ --header "Content-Type: application/json" \
+ --request POST \
+ --data '' \
+ https://irker.open-infrastructure.net/test.py
diff --git a/irker/bin/test-evil.sh b/irker/bin/test-evil.sh
new file mode 100755
index 0000000..9120238
--- /dev/null
+++ b/irker/bin/test-evil.sh
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+curl -i \
+ --header "Content-Type: application/json" \
+ --request POST \
+ --data '{
+ "target":"foo; touch /bar",
+ "message":"xyz xyz"
+ }' \
+ https://irker.open-infrastructure.net/test.py
diff --git a/irker/bin/test.sh b/irker/bin/test.sh
new file mode 100755
index 0000000..faeb8fe
--- /dev/null
+++ b/irker/bin/test.sh
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+curl -i \
+ --header "Content-Type: application/json" \
+ --request POST \
+ --data '{
+ "target":"abc",
+ "message":"xyz xyz"
+ }' \
+ https://irker.open-infrastructure.net/test.py
diff --git a/kea/Makefile b/kea/Makefile
new file mode 100644
index 0000000..6b3744b
--- /dev/null
+++ b/kea/Makefile
@@ -0,0 +1,80 @@
+# Open Infrastructure: service-tools
+
+# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+#
+# SPDX-License-Identifier: GPL-3.0+
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+SHELL := sh -e
+
+SCRIPTS = bin/*
+
+all: build
+
+test:
+ @echo -n "Checking for syntax errors with sh... "
+ @for SCRIPT in $(SCRIPTS); \
+ do \
+ sh -n $${SCRIPT}; \
+ echo -n "."; \
+ done
+ @echo " done."
+
+ @echo -n "Checking for bashisms... "
+ @if [ -x /usr/bin/checkbashisms ]; \
+ then \
+ for SCRIPT in $(SCRIPTS); \
+ do \
+ checkbashisms -f -x $${SCRIPT}; \
+ echo -n "."; \
+ done; \
+ else \
+ echo "Note: devscripts not installed, skipping checkbashisms."; \
+ fi
+ @echo " done."
+
+ @echo -n "Checking with shellcheck... "
+ @if [ -x /usr/bin/shellcheck ]; \
+ then \
+ for SCRIPT in $(SCRIPTS); \
+ do \
+ shellcheck -e SC2039 $${SCRIPT}; \
+ echo -n "."; \
+ done; \
+ else \
+ echo "Note: shellcheck not installed, skipping shellcheck."; \
+ fi
+ @echo " done."
+
+build:
+
+install: build
+ mkdir -p $(DESTDIR)/usr/bin
+ cp -r bin/* $(DESTDIR)/usr/bin
+
+uninstall:
+ for FILE in bin/*; \
+ do \
+ rm -f $(DESTDIR)/usr/bin/$$(basename $${FILE}); \
+ done
+ rmdir --ignore-fail-on-non-empty --parents $(DESTDIR)/usr/bin || true
+
+ rmdir --ignore-fail-on-non-empty --parents $(DESTDIR) || true
+
+clean:
+
+distclean:
+
+reinstall: uninstall install
diff --git a/kea/bin/kea-leases-reset b/kea/bin/kea-leases-reset
new file mode 100755
index 0000000..92265f4
--- /dev/null
+++ b/kea/bin/kea-leases-reset
@@ -0,0 +1,58 @@
+#!/bin/sh
+
+# Open Infrastructure: service-tools
+
+# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+#
+# SPDX-License-Identifier: GPL-3.0+
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+set -e
+
+HOSTS="${*:-localhost}"
+
+for HOST in ${HOSTS}
+do
+ case "${HOST}" in
+ localhost)
+ echo "Removing all leases..."
+
+ sudo service kea-dhcp6-server stop
+ sudo service kea-dhcp4-server stop
+
+ sudo rm -f /var/lib/kea/*.csv*
+
+ sudo service kea-dhcp6-server start
+ sudo service kea-dhcp4-server start
+
+ echo
+ echo "done."
+ ;;
+
+ *)
+ echo "'${HOST}': Removing all leases..."
+
+ ssh "${HOST}" \
+ "sudo service kea-dhcp6-server stop; \
+ sudo service kea-dhcp4-server stop; \
+ sudo rm -f /var/lib/kea/*.csv*; \
+ sudo service kea-dhcp6-server start; \
+ sudo service kea-dhcp4-server start"
+
+ echo
+ echo "done."
+ ;;
+ esac
+done
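Review bot: In the remote branch the commands are chained with `;`, so if `service kea-dhcp6-server stop` or the dhcp4 stop fails the lease files are still deleted underneath a running server and both servers are started regardless; chaining with `&&` (the form the removed knot-reset-zones script used) makes a failed stop abort before the `rm`. In the `localhost` branch `sudo rm -f /var/lib/kea/*.csv*` is globbed by the invoking user's shell before sudo runs, so if that user cannot list `/var/lib/kea` the literal pattern is passed and `rm -f` silently removes nothing while the script still prints `done.`; `sudo sh -c 'rm -f /var/lib/kea/*.csv*'` expands the glob as root. The same applies to the quoted remote string, which the remote login shell expands before its own sudo.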
diff --git a/knot-resolver/bin/kresd-cache-clear b/knot-resolver/bin/kresd-cache-clear
index 79e62a8..5b9a0e1 100755
--- a/knot-resolver/bin/kresd-cache-clear
+++ b/knot-resolver/bin/kresd-cache-clear
@@ -21,37 +21,10 @@
set -e
-HOSTS="${*}"
+NUMBER="$(systemctl | grep -c 'kresd@[0-9].service')"
-if [ -z "${HOSTS}" ]
-then
- echo "Usage: ${0} localhost|[HOST1 HOST2 ...]" >&2
- exit 1
-fi
-
-for HOST in ${HOSTS}
+for NUMBER in $(seq 1 "${NUMBER}")
do
- case "${HOST}" in
- localhost)
- NUMBER="$(systemctl | grep -c 'kresd@[0-9].service')"
-
- for NUMBER in $(seq 1 "${NUMBER}")
- do
- echo "Flushing localhost, resolver ${NUMBER}"
- echo "cache.clear()" | sudo socat - UNIX-CONNECT:/run/knot-resolver/control/"${NUMBER}"
- done
- ;;
-
- *)
- NUMBER="$(ssh "${HOST}" sudo systemctl | grep -c 'kresd@[0-9].service')"
-
- for NUMBER in $(seq 1 "${NUMBER}")
- do
- echo "Flushing ${HOST}, resolver ${NUMBER}"
- echo "cache.clear()" | ssh "${HOST}" sudo socat - UNIX-CONNECT:/run/knot-resolver/control/"${NUMBER}"
- done
- ;;
- esac
+ echo "Flushing localhost, resolver ${NUMBER}"
+ echo "cache.clear()" | sudo socat - UNIX-CONNECT:/run/knot-resolver/control/"${NUMBER}"
done
-
-echo
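Review bot: The instance count `grep -c 'kresd@[0-9].service'` matches only single-digit instance numbers and, because `.` is unescaped, any character before `service`; with ten or more kresd instances `kresd@10.service` is not counted and those instances are never flushed. `grep -c 'kresd@[0-9][0-9]*\.service'` counts every instance; the same pattern appears in kresd-restart and kresd-stats-list in this commit. Reusing `NUMBER` both for the count and as the loop variable (`for NUMBER in $(seq 1 "${NUMBER}")`) works but is easy to misread; a separate `COUNT` name would be clearer.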
diff --git a/knot-resolver/bin/kresd-restart b/knot-resolver/bin/kresd-restart
new file mode 100755
index 0000000..49c2462
--- /dev/null
+++ b/knot-resolver/bin/kresd-restart
@@ -0,0 +1,51 @@
+#!/bin/sh
+
+# Open Infrastructure: service-tools
+
+# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+#
+# SPDX-License-Identifier: GPL-3.0+
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+set -e
+
+HOSTS="${*:-localhost}"
+
+for HOST in ${HOSTS}
+do
+ case "${HOST}" in
+ localhost)
+ NUMBER="$(systemctl | grep -c 'kresd@[0-9].service')"
+
+ for NUMBER in $(seq 1 "${NUMBER}")
+ do
+ echo "Flushing localhost, resolver ${NUMBER}"
+ echo "cache.clear()" | sudo socat - UNIX-CONNECT:/run/knot-resolver/control/"${NUMBER}"
+ done
+ ;;
+
+ *)
+ NUMBER="$(ssh "${HOST}" sudo systemctl | grep -c 'kresd@[0-9].service')"
+
+ for NUMBER in $(seq 1 "${NUMBER}")
+ do
+ echo "Flushing ${HOST}, resolver ${NUMBER}"
+ echo "cache.clear()" | ssh "${HOST}" sudo socat - UNIX-CONNECT:/run/knot-resolver/control/"${NUMBER}"
+ done
+ ;;
+ esac
+done
+
+echo
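Review bot: Despite its name, the body of kresd-restart only sends `cache.clear()` over each control socket and prints `Flushing ...`, which is exactly what kresd-cache-clear does; nothing is restarted. If a restart was intended, the per-instance step would presumably be `sudo systemctl restart "kresd@${NUMBER}.service"` (and the `ssh "${HOST}" sudo systemctl restart ...` equivalent in the remote branch), with the echo text changed to match. A one-line header comment stating the script's purpose would also make the difference from kresd-cache-clear obvious to the next reader.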
diff --git a/knot/bin/knot-reset-zones b/knot-resolver/bin/kresd-stats-list
index 40779cf..01aceb5 100755
--- a/knot/bin/knot-reset-zones
+++ b/knot-resolver/bin/kresd-stats-list
@@ -33,26 +33,25 @@ for HOST in ${HOSTS}
do
case "${HOST}" in
localhost)
- echo -n "Resetting in-memory data for all zones..."
+ NUMBER="$(systemctl | grep -c 'kresd@[0-9].service')"
- service knot stop
- rm -rf /var/lib/knot/journal/*.mdb
- rm -rf /var/lib/knot/timers/*.mdb
- service knot start
-
- echo " done."
+ for NUMBER in $(seq 1 "${NUMBER}")
+ do
+ echo "Stats localhost, resolver ${NUMBER}"
+ echo "stats.list()" | sudo socat - UNIX-CONNECT:/run/knot-resolver/control/"${NUMBER}"
+ done
;;
*)
- echo -n "'${HOST}': Resetting in-memory data for all zones..."
-
- ssh "${HOST}" \
- "sudo service knot stop && \
- rm -rf /var/lib/knot/journal/*.mdb && \
- rm -rf /var/lib/knot/timers/*.mdb && \
- sudo service knot start"
+ NUMBER="$(ssh "${HOST}" sudo systemctl | grep -c 'kresd@[0-9].service')"
- echo " done."
+ for NUMBER in $(seq 1 "${NUMBER}")
+ do
+ echo "Stats ${HOST}, resolver ${NUMBER}"
+ echo "stats.list()" | ssh "${HOST}" sudo socat - UNIX-CONNECT:/run/knot-resolver/control/"${NUMBER}"
+ done
;;
esac
done
+
+echo
diff --git a/knot/bin/knot-zones-reset b/knot/bin/knot-zones-reset
new file mode 100755
index 0000000..8ab2dca
--- /dev/null
+++ b/knot/bin/knot-zones-reset
@@ -0,0 +1,55 @@
+#!/bin/sh
+
+# Open Infrastructure: service-tools
+
+# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+#
+# SPDX-License-Identifier: GPL-3.0+
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+set -e
+
+echo "Resetting in-memory data for all zones..."
+
+if systemctl status knot | grep -qs 'Active: active'
+then
+ START="true"
+ sudo service knot stop
+else
+ START="false"
+fi
+
+sudo rm -rf /var/lib/knot/journal/*.mdb
+sudo rm -rf /var/lib/knot/timers/*.mdb
+
+if [ -e /var/lib/knot/zones/.git ]
+then
+ sudo chown -R root:root /var/lib/knot/zones/
+
+ cd /var/lib/knot/zones
+ sudo git clean -dxf
+ sudo git checkout -f
+
+ sudo chown -R knot:knot /var/lib/knot/zones/
+fi
+
+case "${START}" in
+ true)
+ sudo service knot start
+ ;;
+esac
+
+echo
+echo "done."
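Review bot: `sudo rm -rf /var/lib/knot/journal/*.mdb` and the `timers` line are globbed by the invoking user's shell before sudo runs; if that user cannot list those directories the literal pattern is passed and `rm -f` deletes nothing, so the reset reports `done.` with the journal intact — `sudo sh -c 'rm -f /var/lib/knot/journal/*.mdb /var/lib/knot/timers/*.mdb'` expands as root. Because `set -e` is active, any failure after `sudo chown -R root:root` (a failing `cd`, `git clean` or `git checkout`) exits with knot stopped and the zones directory owned by root, and the cron entry added in this commit discards all output, so that state would go unnoticed; a `trap` on EXIT that restores `knot:knot` ownership and starts knot when START is true would bound the damage. `systemctl status knot | grep -qs 'Active: active'` can be replaced by `systemctl is-active --quiet knot`, which does not depend on the human-readable status text.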
diff --git a/knot/share/cron/knot-reset-zones b/knot/share/cron/knot-reset-zones
deleted file mode 100755
index 9762da4..0000000
--- a/knot/share/cron/knot-reset-zones
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/cron.d/knot-reset-zone
-
-0 0 * * * root /usr/bin/knot-reset-zones localhost > /dev/null 2>&1
diff --git a/knot/share/cron/knot-zones-reset b/knot/share/cron/knot-zones-reset
new file mode 100755
index 0000000..13dfd44
--- /dev/null
+++ b/knot/share/cron/knot-zones-reset
@@ -0,0 +1,3 @@
+# /etc/cron.d/knot-zones-reset
+
+0 0 * * * root /usr/bin/knot-zones-reset > /dev/null 2>&1
diff --git a/linux/Makefile b/linux/Makefile
new file mode 100644
index 0000000..09978b9
--- /dev/null
+++ b/linux/Makefile
@@ -0,0 +1,97 @@
+# Open Infrastructure: service-tools
+
+# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+#
+# SPDX-License-Identifier: GPL-3.0+
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+SHELL := sh -e
+
+SCRIPTS = bin/*
+
+all: build
+
+test:
+ @echo -n "Checking for syntax errors with sh... "
+ @for SCRIPT in $(SCRIPTS); \
+ do \
+ sh -n $${SCRIPT}; \
+ echo -n "."; \
+ done
+ @echo " done."
+
+ @echo -n "Checking for bashisms... "
+ @if [ -x /usr/bin/checkbashisms ]; \
+ then \
+ for SCRIPT in $(SCRIPTS); \
+ do \
+ checkbashisms -f -x $${SCRIPT}; \
+ echo -n "."; \
+ done; \
+ else \
+ echo "Note: devscripts not installed, skipping checkbashisms."; \
+ fi
+ @echo " done."
+
+ @echo -n "Checking with shellcheck... "
+ @if [ -x /usr/bin/shellcheck ]; \
+ then \
+ for SCRIPT in $(SCRIPTS); \
+ do \
+ shellcheck -e SC2039 $${SCRIPT}; \
+ echo -n "."; \
+ done; \
+ else \
+ echo "Note: shellcheck not installed, skipping shellcheck."; \
+ fi
+ @echo " done."
+
+build:
+
+install: build
+ mkdir -p $(DESTDIR)/usr/bin
+ cp -r bin/* $(DESTDIR)/usr/bin
+
+ mkdir -p $(DESTDIR)/etc/modprobe.d
+ cp share/kmod/* $(DESTDIR)/etc/modprobe.d
+
+ mkdir -p $(DESTDIR)/lib/systemd/system
+ cp -r share/systemd/* $(DESTDIR)/lib/systemd/system
+
+uninstall:
+ for FILE in share/systemd/*; \
+ do \
+ rm -f $(DESTDIR)/lib/systemd/system/$$(basename $${FILE}); \
+ done
+
+ for FILE in share/kmod/*; \
+ do \
+ rm -f $(DESTDIR)/etc/modprobe.d/$$(basename $${FILE}); \
+ done
+ rmdir --ignore-fail-on-non-empty --parents $(DESTDIR)/etc/modprobe.d || true
+
+ for FILE in bin/*; \
+ do \
+ rm -f $(DESTDIR)/usr/bin/$$(basename $${FILE}); \
+ done
+ rmdir --ignore-fail-on-non-empty --parents $(DESTDIR)/usr/bin || true
+
+ rmdir --ignore-fail-on-non-empty --parents $(DESTDIR) || true
+
+clean:
+
+distclean:
+
+reinstall: uninstall install
diff --git a/linux/bin/linux-i40e b/linux/bin/linux-i40e
new file mode 100755
index 0000000..3b46d5b
--- /dev/null
+++ b/linux/bin/linux-i40e
@@ -0,0 +1,156 @@
+#!/bin/sh
+
+# Open Infrastructure: service-tools
+
+# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+#
+# SPDX-License-Identifier: GPL-3.0+
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+set -e
+
+PROGRAM="$(basename "${0}")"
+
+RED="\033[1;33;31m"
+GREEN="\033[1;33;32m"
+NORMAL="\033[0m"
+
+Ethtool_get ()
+{
+ DEVICE="${1}"
+ FLAG="${2}"
+ TARGET_VALUE="${3}"
+
+ if ethtool --show-priv-flags "${DEVICE}" | awk '{ print $1 }' | grep -qs "^${FLAG}$"
+ then
+ CURRENT_VALUE="$(ethtool --show-priv-flags "${DEVICE}" | awk "/^${FLAG} / { print \$3 }")"
+
+ if [ "${CURRENT_VALUE}" = "${TARGET_VALUE}" ]
+ then
+ echo -n " ${FLAG}=${GREEN}${CURRENT_VALUE}${NORMAL}"
+ else
+ echo -n " ${FLAG}=${RED}${CURRENT_VALUE}${NORMAL}"
+ fi
+ fi
+}
+
+Ethtool_set ()
+{
+ DEVICE="${1}"
+ FLAG="${2}"
+ VALUE="${3}"
+
+ if ethtool --show-priv-flags "${DEVICE}" | awk '{ print $1 }' | grep -qs "^${FLAG}$"
+ then
+ echo -n " ${FLAG}"
+ ethtool --set-priv-flags "${DEVICE}" "${FLAG}" "${VALUE}"
+ echo -n "=${VALUE}"
+ fi
+}
+
+Test_root ()
+{
+ case "$(id -u)" in
+ 0)
+ ;;
+
+ *)
+ echo "'${PROGRAM}': must be run as root (or use sudo)" >&2
+ exit 1
+ ;;
+ esac
+}
+
+Start ()
+{
+ Test_root
+
+ for DEVICE in ${DEVICES}
+ do
+ echo -n "Configuring ${DEVICE}:"
+ Ethtool_set "${DEVICE}" disable-fw-lldp on
+ Ethtool_set "${DEVICE}" link-down-on-close on
+ echo
+ done
+}
+
+Stop ()
+{
+ Test_root
+
+ for DEVICE in ${DEVICES}
+ do
+ echo -n "Deconfiguring ${DEVICE}:"
+ Ethtool_set "${DEVICE}" disable-fw-lldp off
+ Ethtool_set "${DEVICE}" link-down-on-close off
+ echo
+ done
+}
+
+Status ()
+{
+ for DEVICE in ${DEVICES}
+ do
+ echo -n "${DEVICE}:"
+ Ethtool_get "${DEVICE}" disable-fw-lldp on
+ Ethtool_get "${DEVICE}" link-down-on-close on
+ echo
+ done
+}
+
+Usage ()
+{
+ echo "Usage: ${PROGRAM} {start|stop|status}" >&2
+ echo >&2
+ echo "See ${PROGRAM}(1) for more information." >&2
+
+ exit 1
+}
+
+if [ -z "${1}" ]
+then
+ Usage
+fi
+
+if [ ! -x /usr/sbin/ethtool ]
+then
+ echo "'${PROGRAM}': /usr/sbin/ethtool - no such file." >&2
+ exit 1
+fi
+
+DEVICES="$(grep -s '^DRIVER=i40e' /sys/class/net/*/device/uevent | awk -F/ '{ print $5 }' | grep -v eno | sort -V)"
+
+if [ -z "${DEVICES}" ]
+then
+ echo "'${PROGRAM}': no network devices available with i40e driver" >&2
+fi
+
+case "${1}" in
+ start)
+ Start
+ ;;
+
+ stop)
+ Stop
+ ;;
+
+ status)
+ Status
+ ;;
+
+ *)
+ Usage
+ ;;
+esac
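Review bot: When no i40e device is found the script prints the `no network devices available` message but falls through to the `case` and exits 0, so `start` and `stop` silently do nothing; adding `exit 1` after that echo lets callers such as the systemd units installed from share/systemd see the failure. The coloured output relies on `echo -n` and on `echo` interpreting the `\033` escapes in RED/GREEN/NORMAL, which differs between dash and bash under `#!/bin/sh`; `printf ' %s=%b%s%b' "${FLAG}" "${GREEN}" "${CURRENT_VALUE}" "${NORMAL}"` is the portable form. linux-ice and linux-leds in this commit carry the identical code and the same two points.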
diff --git a/linux/bin/linux-ice b/linux/bin/linux-ice
new file mode 100755
index 0000000..6a25aa8
--- /dev/null
+++ b/linux/bin/linux-ice
@@ -0,0 +1,156 @@
+#!/bin/sh
+
+# Open Infrastructure: service-tools
+
+# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+#
+# SPDX-License-Identifier: GPL-3.0+
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+set -e
+
+PROGRAM="$(basename "${0}")"
+
+RED="\033[1;33;31m"
+GREEN="\033[1;33;32m"
+NORMAL="\033[0m"
+
+Ethtool_get ()
+{
+ DEVICE="${1}"
+ FLAG="${2}"
+ TARGET_VALUE="${3}"
+
+ if ethtool --show-priv-flags "${DEVICE}" | awk '{ print $1 }' | grep -qs "^${FLAG}$"
+ then
+ CURRENT_VALUE="$(ethtool --show-priv-flags "${DEVICE}" | awk "/^${FLAG} / { print \$3 }")"
+
+ if [ "${CURRENT_VALUE}" = "${TARGET_VALUE}" ]
+ then
+ echo -n " ${FLAG}=${GREEN}${CURRENT_VALUE}${NORMAL}"
+ else
+ echo -n " ${FLAG}=${RED}${CURRENT_VALUE}${NORMAL}"
+ fi
+ fi
+}
+
+Ethtool_set ()
+{
+ DEVICE="${1}"
+ FLAG="${2}"
+ VALUE="${3}"
+
+ if ethtool --show-priv-flags "${DEVICE}" | awk '{ print $1 }' | grep -qs "^${FLAG}$"
+ then
+ echo -n " ${FLAG}"
+ ethtool --set-priv-flags "${DEVICE}" "${FLAG}" "${VALUE}"
+ echo -n "=${VALUE}"
+ fi
+}
+
+Test_root ()
+{
+ case "$(id -u)" in
+ 0)
+ ;;
+
+ *)
+ echo "'${PROGRAM}': must be run as root (or use sudo)" >&2
+ exit 1
+ ;;
+ esac
+}
+
+Start ()
+{
+ Test_root
+
+ for DEVICE in ${DEVICES}
+ do
+ echo -n "Configuring ${DEVICE}:"
+ Ethtool_set "${DEVICE}" disable-fw-lldp on
+ Ethtool_set "${DEVICE}" link-down-on-close on
+ echo
+ done
+}
+
+Stop ()
+{
+ Test_root
+
+ for DEVICE in ${DEVICES}
+ do
+ echo -n "Deconfiguring ${DEVICE}:"
+ Ethtool_set "${DEVICE}" disable-fw-lldp off
+ Ethtool_set "${DEVICE}" link-down-on-close off
+ echo
+ done
+}
+
+Status ()
+{
+ for DEVICE in ${DEVICES}
+ do
+ echo -n "${DEVICE}:"
+ Ethtool_get "${DEVICE}" disable-fw-lldp on
+ Ethtool_get "${DEVICE}" link-down-on-close on
+ echo
+ done
+}
+
+Usage ()
+{
+ echo "Usage: ${PROGRAM} {start|stop|status}" >&2
+ echo >&2
+ echo "See ${PROGRAM}(1) for more information." >&2
+
+ exit 1
+}
+
+if [ -z "${1}" ]
+then
+ Usage
+fi
+
+if [ ! -x /usr/sbin/ethtool ]
+then
+ echo "'${PROGRAM}': /usr/sbin/ethtool - no such file." >&2
+ exit 1
+fi
+
+DEVICES="$(grep -s '^DRIVER=ice' /sys/class/net/*/device/uevent | awk -F/ '{ print $5 }' | grep -v eno | sort -V)"
+
+if [ -z "${DEVICES}" ]
+then
+ echo "'${PROGRAM}': no network devices available with ice driver" >&2
+fi
+
+case "${1}" in
+ start)
+ Start
+ ;;
+
+ stop)
+ Stop
+ ;;
+
+ status)
+ Status
+ ;;
+
+ *)
+ Usage
+ ;;
+esac
diff --git a/linux/bin/linux-leds b/linux/bin/linux-leds
new file mode 100755
index 0000000..ffe17b3
--- /dev/null
+++ b/linux/bin/linux-leds
@@ -0,0 +1,156 @@
+#!/bin/sh
+
+# Open Infrastructure: service-tools
+
+# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+#
+# SPDX-License-Identifier: GPL-3.0+
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+set -e
+
+PROGRAM="$(basename "${0}")"
+
+RED="\033[1;33;31m"
+GREEN="\033[1;33;32m"
+NORMAL="\033[0m"
+
+Ethtool_get ()
+{
+ DEVICE="${1}"
+ FLAG="${2}"
+ TARGET_VALUE="${3}"
+
+ if ethtool --show-priv-flags "${DEVICE}" | awk '{ print $1 }' | grep -qs "^${FLAG}$"
+ then
+ CURRENT_VALUE="$(ethtool --show-priv-flags "${DEVICE}" | awk "/^${FLAG} / { print \$3 }")"
+
+ if [ "${CURRENT_VALUE}" = "${TARGET_VALUE}" ]
+ then
+ echo -n " ${FLAG}=${GREEN}${CURRENT_VALUE}${NORMAL}"
+ else
+ echo -n " ${FLAG}=${RED}${CURRENT_VALUE}${NORMAL}"
+ fi
+ fi
+}
+
+Ethtool_set ()
+{
+ DEVICE="${1}"
+ FLAG="${2}"
+ VALUE="${3}"
+
+ if ethtool --show-priv-flags "${DEVICE}" | awk '{ print $1 }' | grep -qs "^${FLAG}$"
+ then
+ echo -n " ${FLAG}"
+ ethtool --set-priv-flags "${DEVICE}" "${FLAG}" "${VALUE}"
+ echo -n "=${VALUE}"
+ fi
+}
+
+Test_root ()
+{
+ case "$(id -u)" in
+ 0)
+ ;;
+
+ *)
+ echo "'${PROGRAM}': must be run as root (or use sudo)" >&2
+ exit 1
+ ;;
+ esac
+}
+
+Start ()
+{
+ Test_root
+
+ for DEVICE in ${DEVICES}
+ do
+ echo -n "Configuring ${DEVICE}:"
+ Ethtool_set "${DEVICE}" disable-fw-lldp on
+ Ethtool_set "${DEVICE}" link-down-on-close on
+ echo
+ done
+}
+
+Stop ()
+{
+ Test_root
+
+ for DEVICE in ${DEVICES}
+ do
+ echo -n "Deconfiguring ${DEVICE}:"
+ Ethtool_set "${DEVICE}" disable-fw-lldp off
+ Ethtool_set "${DEVICE}" link-down-on-close off
+ echo
+ done
+}
+
+Status ()
+{
+ for DEVICE in ${DEVICES}
+ do
+ echo -n "${DEVICE}:"
+ Ethtool_get "${DEVICE}" disable-fw-lldp on
+ Ethtool_get "${DEVICE}" link-down-on-close on
+ echo
+ done
+}
+
+Usage ()
+{
+ echo "Usage: ${PROGRAM} {start|stop|status}" >&2
+ echo >&2
+ echo "See ${PROGRAM}(1) for more information." >&2
+
+ exit 1
+}
+
+if [ -z "${1}" ]
+then
+ Usage
+fi
+
+if [ ! -x /usr/sbin/ethtool ]
+then
+ echo "'${PROGRAM}': /usr/sbin/ethtool - no such file." >&2
+ exit 1
+fi
+
+DEVICES="$(grep -s '^DRIVER=i40e' /sys/class/net/*/device/uevent | awk -F/ '{ print $5 }' | sort -V)"
+
+if [ -z "${DEVICES}" ]
+then
+ echo "'${PROGRAM}': no network devices available with i40e driver" >&2
+fi
+
+case "${1}" in
+ start)
+ Start
+ ;;
+
+ stop)
+ Stop
+ ;;
+
+ status)
+ Status
+ ;;
+
+ *)
+ Usage
+ ;;
+esac
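Review bot: linux-leds appears to be a verbatim copy of linux-i40e: it matches `DRIVER=i40e`, toggles the same `disable-fw-lldp`/`link-down-on-close` flags and reports `no network devices available with i40e driver`, with only the `grep -v eno` filter dropped — nothing in it touches LEDs, although linux-leds.conf in the same commit concerns `ledtrig_netdev`. Presumably a placeholder; if so, a `# TODO: placeholder copied from linux-i40e, LED handling not implemented` at the top would stop it being installed into /usr/bin as if it were functional.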
diff --git a/linux/share/kmod/linux-leds.conf b/linux/share/kmod/linux-leds.conf
new file mode 100644
index 0000000..8e00229
--- /dev/null
+++ b/linux/share/kmod/linux-leds.conf
@@ -0,0 +1,4 @@
+# /etc/modprobe.d/linux-leds.conf
+
+blacklist pcengines-apuv2
+ledtrig_netdev
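Review bot: The bare `ledtrig_netdev` on the last line is not a valid modprobe.d directive, so with the header comment pointing at `/etc/modprobe.d/linux-leds.conf` modprobe will warn about and skip it rather than load the module. modprobe.d lines take a keyword (`alias`, `options`, `install`, `remove`, `blacklist`, `softdep`); a module that should be loaded at boot belongs in `/etc/modules-load.d/linux-leds.conf` instead, and if the intent is to pull the trigger in together with another module, `softdep MODULE post: ledtrig_netdev` (MODULE being a placeholder) is the form to use here. The `blacklist pcengines-apuv2` line is fine as is.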
diff --git a/linux/share/man/Makefile b/linux/share/man/Makefile
new file mode 100644
index 0000000..a6d6bf2
--- /dev/null
+++ b/linux/share/man/Makefile
@@ -0,0 +1,59 @@
+# Open Infrastructure: service-tools
+
+# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+#
+# SPDX-License-Identifier: GPL-3.0+
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+# Depends: python3-docutils
+
+RST2MAN = rst2man \
+ --no-datestamp \
+ --no-generator \
+ --strict \
+ --strip-comments \
+ --tab-width=4 \
+ --verbose
+
+VERSION := $(shell cat ../../../VERSION.txt)
+
+SHELL := sh -e
+
+all: build
+
+build: man
+
+man: man.in *.rst
+ @echo -n "Creating manpages... "
+
+ @for FILE in *.rst; \
+ do \
+ cp man.in $$(basename $${FILE} .rst); \
+ $(RST2MAN) $${FILE} | \
+ sed -e '/^.\\" Man page generated/d' \
+ -e '/^.\\" Generated by/d' \
+ -e "s|^\(.TH .*\) \(\"\" \"\"\) |\1 $${VERSION} service-tools |" \
+ >> $$(basename $${FILE} .rst); \
+ echo -n "."; \
+ done
+
+ @echo " done."
+
+clean:
+ rm -f *.[0-9]
+
+distclean: clean
+
+rebuild: clean build
diff --git a/linux/share/man/linux-i40e.1.rst b/linux/share/man/linux-i40e.1.rst
new file mode 100644
index 0000000..b1f8c30
--- /dev/null
+++ b/linux/share/man/linux-i40e.1.rst
@@ -0,0 +1,86 @@
+.. Open Infrastructure: service-tools
+
+.. Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+..
+.. SPDX-License-Identifier: GPL-3.0+
+..
+.. This program is free software: you can redistribute it and/or modify
+.. it under the terms of the GNU General Public License as published by
+.. the Free Software Foundation, either version 3 of the License, or
+.. (at your option) any later version.
+..
+.. This program is distributed in the hope that it will be useful,
+.. but WITHOUT ANY WARRANTY; without even the implied warranty of
+.. MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.. GNU General Public License for more details.
+..
+.. You should have received a copy of the GNU General Public License
+.. along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+==========
+linux-i40e
+==========
+
+------------------------------------------------------------
+setting recommended options for the Linux i40e device driver
+------------------------------------------------------------
+
+:manual section: 1
+:manual group: Open Infrastructure
+
+Synopsis
+========
+
+| **linux-i40e** start|stop|status
+
+Description
+===========
+
+**linux-i40e** sets all recommended options for the Linux i40e device driver.
+
+Recommended options
+===================
+
+| **Enabling disable-fw-lldp**
+| Many Intel network cards such as the X700 Series drop LLDP pakets by default.
+| When using LACP (802.1ad) this has the effect that after a reboot of one switch,
+| the bond interfaces do not recover. Disabling the firewalling of LLDP pakets on
+| the network card allows the operating system (= Linux kernel) to actually recieve
+| the pakets and re-establish the bonded connection.
+
+| **Enabling link-down-on-close**
+| Many Intel network cards such as the X700 Series do not take down the link
+| when the corresponding interface is deconfigured. This is in contrast to the
+| consumer (Intel) network cards that usually do this. Therefore, without enabling
+| the link-down-on-close, most assumptions of HA stacks (e.g. pacemaker/corosync)
+| are not met and can lead to various unwanted effects. Enabling this options
+| restores the usual behaviour.
+
+See also
+========
+
+| linux-ice(1),
+| ethtool(8),
+| https://www.kernel.org/doc/Documentation/networking/i40e.txt
+
+Homepage
+========
+
+More information about service-tools and the Open Infrastructure project can be
+found on the homepage (https://open-infrastructure.net).
+
+Contact
+=======
+
+Bug reports, feature requests, help, patches, support and everything else are
+welcome on the Open Infrastructure Software Mailing List
+<software@lists.open-infrastructure.net>.
+
+Debian specific bugs can also be reported in the Debian Bug Tracking System
+(https://bugs.debian.org).
+
+Authors
+=======
+
+service-tools were written by Daniel Baumann
+<daniel.baumann@open-infrastructure.net> and others.
diff --git a/linux/share/man/linux-ice.1.rst b/linux/share/man/linux-ice.1.rst
new file mode 100644
index 0000000..60b718e
--- /dev/null
+++ b/linux/share/man/linux-ice.1.rst
@@ -0,0 +1,86 @@
+.. Open Infrastructure: service-tools
+
+.. Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+..
+.. SPDX-License-Identifier: GPL-3.0+
+..
+.. This program is free software: you can redistribute it and/or modify
+.. it under the terms of the GNU General Public License as published by
+.. the Free Software Foundation, either version 3 of the License, or
+.. (at your option) any later version.
+..
+.. This program is distributed in the hope that it will be useful,
+.. but WITHOUT ANY WARRANTY; without even the implied warranty of
+.. MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.. GNU General Public License for more details.
+..
+.. You should have received a copy of the GNU General Public License
+.. along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+=========
+linux-ice
+=========
+
+------------------------------------------------------------
+setting recommended options for the Linux ice device driver
+------------------------------------------------------------
+
+:manual section: 1
+:manual group: Open Infrastructure
+
+Synopsis
+========
+
+| **linux-ice** start|stop|status
+
+Description
+===========
+
+**linux-ice** sets all recommended options for the Linux ice device driver.
+
+Recommended options
+===================
+
+| **Enabling disable-fw-lldp**
+| Many Intel network cards such as the X700 Series drop LLDP pakets by default.
+| When using LACP (802.1ad) this has the effect that after a reboot of one switch,
+| the bond interfaces do not recover. Disabling the firewalling of LLDP pakets on
+| the network card allows the operating system (= Linux kernel) to actually recieve
+| the pakets and re-establish the bonded connection.
+
+| **Enabling link-down-on-close**
+| Many Intel network cards such as the X700 Series do not take down the link
+| when the corresponding interface is deconfigured. This is in contrast to the
+| consumer (Intel) network cards that usually do this. Therefore, without enabling
+| the link-down-on-close, most assumptions of HA stacks (e.g. pacemaker/corosync)
+| are not met and can lead to various unwanted effects. Enabling this options
+| restores the usual behaviour.
+
+See also
+========
+
+| linux-i40e(1),
+| ethtool(8),
+| https://www.kernel.org/doc/Documentation/networking/ice.txt
+
+Homepage
+========
+
+More information about service-tools and the Open Infrastructure project can be
+found on the homepage (https://open-infrastructure.net).
+
+Contact
+=======
+
+Bug reports, feature requests, help, patches, support and everything else are
+welcome on the Open Infrastructure Software Mailing List
+<software@lists.open-infrastructure.net>.
+
+Debian specific bugs can also be reported in the Debian Bug Tracking System
+(https://bugs.debian.org).
+
+Authors
+=======
+
+service-tools were written by Daniel Baumann
+<daniel.baumann@open-infrastructure.net> and others.
diff --git a/linux/share/man/man.in b/linux/share/man/man.in
new file mode 100644
index 0000000..f95ca67
--- /dev/null
+++ b/linux/share/man/man.in
@@ -0,0 +1,19 @@
+.\" Open Infrastructure: service-tools
+.\"
+.\" Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+.\"
+.\" SPDX-License-Identifier: GPL-3.0+
+.\"
+.\" This program is free software: you can redistribute it and/or modify
+.\" it under the terms of the GNU General Public License as published by
+.\" the Free Software Foundation, either version 3 of the License, or
+.\" (at your option) any later version.
+.\"
+.\" This program is distributed in the hope that it will be useful,
+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.\" GNU General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public License
+.\" along with this program. If not, see <https://www.gnu.org/licenses/>.
+.\"
diff --git a/linux/share/systemd/linux-i40e.service b/linux/share/systemd/linux-i40e.service
new file mode 100644
index 0000000..5d7f99f
--- /dev/null
+++ b/linux/share/systemd/linux-i40e.service
@@ -0,0 +1,17 @@
+# Open Infrastructure: service-tools
+
+[Unit]
+Description=setting recommended options for the Linux i40e device driver
+Documentation=man:linux-i40e
+Before=network.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/bin/linux-i40e start
+ExecStop=/usr/bin/linux-i40e stop
+StandardOutput=journal
+StandardError=journal
+
+[Install]
+WantedBy=multi-user.target
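Review bot: `Before=network.target` in the [Unit] section does not order this oneshot ahead of the network configuration services that bring the bonds up, because network.target is a passive target reached once the network is already configured; the priv-flags the script sets (disable-fw-lldp, link-down-on-close) only help if applied before the interfaces come up. The conventional hook for "run before any interface is configured" is network-pre.target, which no service pulls in by itself, so the unit needs both `Wants=network-pre.target` and `Before=network-pre.target`. The same applies to linux-ice.service below.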
diff --git a/linux/share/systemd/linux-ice.service b/linux/share/systemd/linux-ice.service
new file mode 100644
index 0000000..ee8a727
--- /dev/null
+++ b/linux/share/systemd/linux-ice.service
@@ -0,0 +1,17 @@
+# Open Infrastructure: service-tools
+
+[Unit]
+Description=setting recommended options for the Linux ice device driver
+Documentation=man:linux-ice
+Before=network.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/bin/linux-ice start
+ExecStop=/usr/bin/linux-ice stop
+StandardOutput=journal
+StandardError=journal
+
+[Install]
+WantedBy=multi-user.target
diff --git a/openldap/Makefile b/openldap/Makefile
new file mode 100644
index 0000000..e68219e
--- /dev/null
+++ b/openldap/Makefile
@@ -0,0 +1,138 @@
+# Open Infrastructure: service-tools
+
+# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+#
+# SPDX-License-Identifier: GPL-3.0+
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+SHELL := sh -e
+
+SCRIPTS = bin/*
+
+all: build
+
+test:
+ @echo -n "Checking for syntax errors with sh... "
+ @for SCRIPT in $(SCRIPTS); \
+ do \
+ sh -n $${SCRIPT}; \
+ echo -n "."; \
+ done
+ @echo " done."
+
+ @echo -n "Checking for bashisms... "
+ @if [ -x /usr/bin/checkbashisms ]; \
+ then \
+ for SCRIPT in $(SCRIPTS); \
+ do \
+ checkbashisms -f -x $${SCRIPT}; \
+ echo -n "."; \
+ done; \
+ else \
+ echo "Note: devscripts not installed, skipping checkbashisms."; \
+ fi
+ @echo " done."
+
+ @echo -n "Checking with shellcheck... "
+ @if [ -x /usr/bin/shellcheck ]; \
+ then \
+ for SCRIPT in $(SCRIPTS); \
+ do \
+ shellcheck -e SC1090 -e SC2039 $${SCRIPT}; \
+ echo -n "."; \
+ done; \
+ else \
+ echo "Note: shellcheck not installed, skipping shellcheck."; \
+ fi
+ @echo " done."
+
+build: share/man/*.rst
+ $(MAKE) -C share/man
+
+install: build
+ mkdir -p $(DESTDIR)/etc/dehydrated/hook.d
+
+ mkdir -p $(DESTDIR)/etc/cron.d
+ cp -r share/cron/* $(DESTDIR)/etc/cron.d
+
+ mkdir -p $(DESTDIR)/etc/cron.daily
+ ln -s /usr/bin/dehydrated-cron $(DESTDIR)/etc/cron.daily/dehydrated
+
+ mkdir -p $(DESTDIR)/etc/logrotate.d
+ cp -r share/logrotate/* $(DESTDIR)/etc/logrotate.d
+
+ mkdir -p $(DESTDIR)/usr/bin
+ cp -r bin/* $(DESTDIR)/usr/bin
+
+ mkdir -p $(DESTDIR)/usr/share/dehydrated/hooks
+ cp -r share/hooks/* $(DESTDIR)/usr/share/dehydrated/hooks
+
+ ln -sf /usr/bin/dehydrated-nsupdate $(DESTDIR)/usr/share/dehydrated/hooks/clean_challenge.nsupdate
+ ln -sf /usr/bin/dehydrated-nsupdate $(DESTDIR)/usr/share/dehydrated/hooks/deploy_challenge.nsupdate
+
+ for SECTION in $$(seq 1 8); \
+ do \
+ if ls share/man/*.$${SECTION} > /dev/null 2>&1; \
+ then \
+ mkdir -p $(DESTDIR)/usr/share/man/man$${SECTION}; \
+ cp share/man/*.$${SECTION} $(DESTDIR)/usr/share/man/man$${SECTION}; \
+ fi; \
+ done
+
+uninstall:
+ for SECTION in $$(seq 1 8); \
+ do \
+ for FILE in share/man/*.$${SECTION}; \
+ do \
+ rm -f $(DESTDIR)/usr/share/man/man$${SECTION}/$$(basename $${FILE}); \
+ done; \
+ rmdir --ignore-fail-on-non-empty --parents $(DESTDIR)/usr/share/man/man$${SECTION} || true; \
+ done
+
+ rm -rf $(DESTDIR)/usr/share/dehydrated/hooks
+ rmdir --ignore-fail-on-non-empty --parents $(DESTDIR)/usr/share/dehydrated || true
+
+ for FILE in bin/*; \
+ do \
+ rm -f $(DESTDIR)/usr/bin/$$(basename $${FILE}); \
+ done
+ rmdir --ignore-fail-on-non-empty --parents $(DESTDIR)/usr/bin || true
+
+ for FILE in share/logrotate/*; \
+ do \
+ rm -f $(DESTDIR)/etc/logrotate.d/$$(basename $${FILE}); \
+ done
+ rmdir --ignore-fail-on-non-empty --parents $(DESTDIR)/etc/logrotate.d || true
+
+ rm -f $(DESTDIR)/etc/cron.daily/dehydrated
+ rmdir --ignore-fail-on-non-empty --parents $(DESTDIR)/etc/cron.daily || true
+
+ for FILE in share/cron/*; \
+ do \
+ rm -f $(DESTDIR)/etc/cron.d/$$(basename $${FILE}); \
+ done
+ rmdir --ignore-fail-on-non-empty --parents $(DESTDIR)/etc/cron.d || true
+
+ rm -rf $(DESTDIR)/etc/dehydrated/hook.d
+ rmdir --ignore-fail-on-non-empty --parents $(DESTDIR)/etc/dehydrated || true
+
+ rmdir --ignore-fail-on-non-empty --parents $(DESTDIR) || true
+
+clean:
+ $(MAKE) -C share/man clean
+
+distclean: clean
+
+reinstall: uninstall install
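Review bot: The install and uninstall targets were copied from the dehydrated module and reference assets that do not exist in openldap: `share/logrotate/*`, `share/hooks/*`, the `/usr/bin/dehydrated-cron` cron.daily symlink, the two `dehydrated-nsupdate` hook symlinks and `/etc/dehydrated/hook.d`; with `SHELL := sh -e` the first failing `cp -r share/logrotate/*` aborts `make install`. `build: share/man/*.rst` with `$(MAKE) -C share/man` fails the same way, as no share/man directory is part of this module, and the `test` target excludes SC1090 where the other new Makefiles in this commit do not. The install target should reduce to the cron.d copy and the bin copy (mirroring the znuny Makefile's install/uninstall pair), with `build:` left empty until manpages are added.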
diff --git a/openldap/bin/slapd-cron-backup b/openldap/bin/slapd-cron-backup
new file mode 100755
index 0000000..814590e
--- /dev/null
+++ b/openldap/bin/slapd-cron-backup
@@ -0,0 +1,33 @@
+#!/bin/sh
+
+# Open Infrastructure: service-tools
+
+# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+#
+# SPDX-License-Identifier: GPL-3.0+
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+set -e
+
+BFHBCK=bfh-$( date +%y%m%d-%H%M ).ldif
+ACCESSBCK=access-$( date +%y%m%d-%H%M ).ldif
+BACKUPDIR=/srv/ldap-master.bfh.ch/slapcat
+
+/usr/sbin/slapcat -v -b "dc=bfh,dc=ch" -l $BACKUPDIR/$BFHBCK
+gzip -9 $BACKUPDIR/$BFHBCK
+/usr/sbin/slapcat -v -b "cn=accesslog" -l $BACKUPDIR/$ACCESSBCK
+gzip -9 $BACKUPDIR/$ACCESSBCK
+
+find $BACKUPDIR -mtime +14 -exec rm {} +
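Review bot: The LDIF dumps written by slapcat carry userPassword hashes and the full directory content, yet the script relies on the inherited umask and on the target directory pre-existing, so the files are created with whatever mode cron's umask yields and slapcat aborts if `/srv/ldap-master.bfh.ch/slapcat` is missing. `$BACKUPDIR`, `$BFHBCK` and `$ACCESSBCK` are unquoted throughout, `date` is called twice so the two file names can straddle a minute boundary, and the final `find` removes anything older than 14 days in that tree regardless of type or name. The base DN, hostname and backup path are site-specific constants in what is otherwise a generic tool; they probably belong in a configuration file or environment variables, which the rewrite below does not yet do.

```sh
set -e

# slapcat output contains userPassword hashes: keep directory and dumps private.
umask 077

STAMP="$(date +%y%m%d-%H%M)"
BACKUPDIR="/srv/ldap-master.bfh.ch/slapcat"

mkdir -p -m 0700 "${BACKUPDIR}"

/usr/sbin/slapcat -v -b "dc=bfh,dc=ch" -l "${BACKUPDIR}/bfh-${STAMP}.ldif"
gzip -9 "${BACKUPDIR}/bfh-${STAMP}.ldif"
/usr/sbin/slapcat -v -b "cn=accesslog" -l "${BACKUPDIR}/access-${STAMP}.ldif"
gzip -9 "${BACKUPDIR}/access-${STAMP}.ldif"

# prune only our own rotated dumps, never other files that may end up here
find "${BACKUPDIR}" -type f -name '*.ldif.gz' -mtime +14 -exec rm -f -- {} +
```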
diff --git a/dehydrated/share/hooks/deploy_ocsp.fullchain-privkey b/openldap/bin/slapd-cron-clean
index b408f03..9e915bb 100755
--- a/dehydrated/share/hooks/deploy_ocsp.fullchain-privkey
+++ b/openldap/bin/slapd-cron-clean
@@ -21,7 +21,9 @@
set -e
-FILE="$(readlink "${OCSPFILE}")"
-DIRECTORY="$(dirname "${OCSPFILE}")"
+for FILE in $(find /var/lib/ldap -type f -name DB_CONFIG)
+do
+ DATABASE="$(dirname "${FILE}")"
-ln -sf "${FILE}" "${DIRECTORY}/cert.fullchain-privkey.pem.ocsp"
+ db_archive -d -h "${DATABASE}"
+done
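Review bot: `for FILE in $(find /var/lib/ldap -type f -name DB_CONFIG)` word-splits the find output, so a path containing whitespace breaks into several bogus `db_archive` invocations; letting find run the command avoids the split entirely: `find /var/lib/ldap -type f -name DB_CONFIG -exec sh -c 'db_archive -d -h "$(dirname "$1")"' sh {} \;`. DB_CONFIG is only present for the bdb/hdb backends, so on an mdb-only host this loop presumably does nothing, which is fine but worth a one-line comment such as `# prune Berkeley DB log files of bdb/hdb backends; no-op for mdb`. The file header (shebang and `set -e`) lies outside this hunk.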
diff --git a/openldap/share/cron/dehydrated b/openldap/share/cron/dehydrated
new file mode 100755
index 0000000..a560985
--- /dev/null
+++ b/openldap/share/cron/dehydrated
@@ -0,0 +1,4 @@
+# /etc/cron.d/dehydrated
+
+@daily root /usr/bin/slapd-cron-db
+@daily root /usr/bin/slapd-cron-backup
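Review bot: The first job runs `/usr/bin/slapd-cron-db`, but the scripts this commit adds under openldap/bin are `slapd-cron-backup` and `slapd-cron-clean`, so that entry will fail every day until it reads `@daily root /usr/bin/slapd-cron-clean`. The file itself is named `dehydrated` with the header `# /etc/cron.d/dehydrated`, and the openldap Makefile copies share/cron/* straight into /etc/cron.d, so it would land under a name that describes a different module and overwrite a same-named cron file installed by it; renaming it to `share/cron/openldap` with `# /etc/cron.d/openldap` avoids that.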
diff --git a/openssh/Makefile b/openssh/Makefile
index 3a2e4b9..6b3744b 100644
--- a/openssh/Makefile
+++ b/openssh/Makefile
@@ -1,6 +1,6 @@
# Open Infrastructure: service-tools
-# Copyright (C) 2014-2021 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net>
#
# SPDX-License-Identifier: GPL-3.0+
#
diff --git a/openssh/bin/ssh-keycheck b/openssh/bin/ssh-keycheck
index 737b8cd..67046f1 100755
--- a/openssh/bin/ssh-keycheck
+++ b/openssh/bin/ssh-keycheck
@@ -2,7 +2,7 @@
# Open Infrastructure: service-tools
-# Copyright (C) 2014-2021 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net>
#
# SPDX-License-Identifier: GPL-3.0+
#
@@ -136,7 +136,7 @@ do
;;
*)
- echo "'${FILE}': wrong type" >&2
+ echo "'${FILE}': wrong type ('${KEY_TYPE}' instead of '${TYPES}')" >&2
EXIT="1"
;;
esac
@@ -149,7 +149,7 @@ do
;;
*)
- echo "'${FILE}': wrong bits" >&2
+ echo "'${FILE}': wrong bits ('${KEY_BITS}' instead of '${BITS}')" >&2
EXIT="1"
;;
esac
diff --git a/postgresql/Makefile b/postgresql/Makefile
index 3a2e4b9..9bc75b3 100644
--- a/postgresql/Makefile
+++ b/postgresql/Makefile
@@ -1,6 +1,6 @@
# Open Infrastructure: service-tools
-# Copyright (C) 2014-2021 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net>
#
# SPDX-License-Identifier: GPL-3.0+
#
@@ -63,8 +63,18 @@ build:
install: build
mkdir -p $(DESTDIR)/usr/bin
cp -r bin/* $(DESTDIR)/usr/bin
+ ln -sf pg_hba.conf $(DESTDIR)/usr/bin/update-pg_hba.conf
+
+ mkdir -p $(DESTDIR)/usr/share/bash-completion/completions
+ cp -r share/bash-completion/* $(DESTDIR)/usr/share/bash-completion/completions
uninstall:
+ for FILE in share/bash-completion/*; \
+ do \
+ rm -f $(DESTDIR)/usr/share/bash-completion/completions/$$(basename $${FILE}); \
+ done
+
+ rm -f $(DESTDIR)/usr/bin/update-pg_hba.conf
for FILE in bin/*; \
do \
rm -f $(DESTDIR)/usr/bin/$$(basename $${FILE}); \
diff --git a/postgresql/bin/pg_hba.conf b/postgresql/bin/pg_hba.conf
new file mode 100755
index 0000000..2b6c7cb
--- /dev/null
+++ b/postgresql/bin/pg_hba.conf
@@ -0,0 +1,169 @@
+#!/bin/sh
+
+# Open Infrastructure: service-tools
+
+# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+#
+# SPDX-License-Identifier: GPL-3.0+
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+set -e
+
+PROGRAM="$(basename "${0}")"
+
+Parameters ()
+{
+ GETOPT_LONGOPTIONS="add,init,remove,update"
+ GETOPT_OPTIONS="a,i,r,u,"
+
+ PARAMETERS="$(getopt --longoptions ${GETOPT_LONGOPTIONS} --name=${COMMAND} --options ${GETOPT_OPTIONS} --shell sh -- ${@})"
+
+ if [ "${?}" != "0" ]
+ then
+ echo "'${COMMAND}': getopt exit" >&2
+ exit 1
+ fi
+
+ eval set -- "${PARAMETERS}"
+
+ while true
+ do
+ case "${1}" in
+ -a|--add)
+ ACTION="add"
+ shift 1
+ ;;
+
+ -i|--init)
+ ACTION="init"
+ shift 1
+ ;;
+
+ -r|--remove)
+ ACTION="remove"
+ shift 1
+ ;;
+
+ -u|--update)
+ ACTION="update"
+ shift 1
+ ;;
+
+ --)
+ shift 1
+ break
+ ;;
+
+ *)
+ echo "'${COMMAND}': getopt error" >&2
+ exit 1
+ ;;
+ esac
+ done
+}
+
+Usage ()
+{
+ echo "Usage: ${PROGRAM} [-i|--init] [-a|--add LINE] [-r|--remove LINE] [-u|--update]" >&2
+ echo
+ echo "See ${PROGRAM}(1) for more information."
+
+ exit 1
+}
+
+Parameters "${@}"
+
+Run_add()
+{
+ echo "'add' not implemented yet"
+ exit 0
+}
+
+Run_init()
+{
+ echo "'init' not implemented yet"
+ exit 0
+}
+
+Run_remove()
+{
+ echo "'remove' not implemented yet"
+ exit 0
+}
+
+Run_update()
+{
+ # Check for pg_hba.conf
+ if ! ls /etc/postgresql/*/*/pg_hba.conf > /dev/null 2>&1
+ then
+ echo "W: no pg_hba.conf in /etc/postgresql found." >&2
+ exit 1
+ fi
+
+ # Check for managed pg_hba.conf
+ if ! ls /etc/postgresql/*/*/pg_hba.conf.g > /dev/null 2>&1
+ then
+ echo "W: no managed pg_hba.conf in /etc/postgresql found, maybe use '${PROGRAM} --init' first." >&2
+ exit 1
+ fi
+
+ # Update pg_hba.conf from pg_hba.conf.g directories
+ for DIRECTORY in /etc/postgresql/*/*/pg_hba.conf.g
+ do
+ if ls "${DIRECTORY}"/*.conf > /dev/null 2>&1
+ then
+ CONFIG="$(basename "${DIRECTORY}" .g)"
+
+ echo -n "Updating ${CONFIG}..."
+
+ rm -f "${CONFIG}"
+
+ for FILE in "${DIRECTORY}"/*.conf
+ do
+ cat "${FILE}" >> "${CONFIG}"
+ done
+
+ echo " done."
+ fi
+ done
+}
+
+case "${PROGRAM}" in
+ update-pg_hba.conf)
+ ACTION="update"
+ ;;
+esac
+
+case "${ACTION}" in
+ add)
+ Run_add
+ ;;
+
+ init)
+ Run_init
+ ;;
+
+ remove)
+ Run_remove
+ ;;
+
+ update)
+ Run_update
+ ;;
+
+ *)
+ Usage
+ ;;
+esac
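Review bot: `CONFIG="$(basename "${DIRECTORY}" .g)"` in Run_update strips the directory part, so `rm -f "${CONFIG}"` and the appends operate on `./pg_hba.conf` in the caller's working directory, not on `/etc/postgresql/*/*/pg_hba.conf`; `CONFIG="${DIRECTORY%.g}"` keeps the full path. Since pg_hba.conf is the cluster's authentication policy, regenerating it by deleting and re-appending is also non-atomic and creates the file with the caller's umask and ownership; assembling it in a temporary sibling and renaming it into place, preserving the old file's mode and owner, closes both gaps. Separately, Parameters passes `--options a,i,r,u,` (getopt short options are a plain string such as `airu`) and `--name=${COMMAND}` where only PROGRAM is ever set, and the getopt arguments `${@}` are unquoted; these should be fixed in the same pass.

```sh
Run_update()
{
	# … unchanged: checks for pg_hba.conf and pg_hba.conf.g …

	for DIRECTORY in /etc/postgresql/*/*/pg_hba.conf.g
	do
		if ls "${DIRECTORY}"/*.conf > /dev/null 2>&1
		then
			# strip only the .g suffix; basename would point at ./pg_hba.conf
			CONFIG="${DIRECTORY%.g}"

			echo -n "Updating ${CONFIG}..."

			# assemble in a sibling temporary file and rename it into place so an
			# interrupted run never leaves the cluster without an access policy
			TMP="$(mktemp "${CONFIG}.XXXXXX")"

			for FILE in "${DIRECTORY}"/*.conf
			do
				cat "${FILE}" >> "${TMP}"
			done

			if [ -e "${CONFIG}" ]
			then
				chown --reference="${CONFIG}" "${TMP}"
				chmod --reference="${CONFIG}" "${TMP}"
			fi

			mv -f "${TMP}" "${CONFIG}"

			echo " done."
		fi
	done
}
```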
diff --git a/postgresql/bin/postgresql-backup b/postgresql/bin/postgresql-backup
index ca2df8d..beaf2d8 100755
--- a/postgresql/bin/postgresql-backup
+++ b/postgresql/bin/postgresql-backup
@@ -2,7 +2,7 @@
# Open Infrastructure: service-tools
-# Copyright (C) 2014-2021 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net>
#
# SPDX-License-Identifier: GPL-3.0+
#
@@ -21,6 +21,27 @@
set -e
+
+#!/bin/sh
+
+set -e
+
+DIRECTORY="/srv/$(cat /etc/hostname)/postgresql-backup/$(date +%Y-%m-%d)"
+DATABASES="fbm_test"
+
+mkdir -p "${DIRECTORY}"
+chown -R postgres:postgres "${DIRECTORY}"
+
+for DATABASE in ${DATABASES}
+do
+ su - postgres -c "pg_dump -f ${DIRECTORY} -F d -j $(nproc) -C -d ${DATABASE}"
+done
+
+chown -R root:root "${DIRECTORY}"
+
+
+
+
# FIXME
#postgres pg_dump ${DATABASE} | plzip > postgresql-backup/${DATABASE}-"$(date +\%Y\%m\%d)".sql.lz
#find postgresql-backup/ -mtime +90 -name "${DATABASE}-*lz" | xargs -r rm
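Review bot: `pg_dump -f ${DIRECTORY} -F d` points every database at the same output directory, and directory-format dumps require a target that does not yet exist or is empty, so with more than one entry in DATABASES the second dump fails; giving each database its own subdirectory, `su - postgres -c "pg_dump -f ${DIRECTORY}/${DATABASE} -F d -j $(nproc) -d ${DATABASE}"`, fixes that (`-C` only affects plain-text output and is better passed to pg_restore for archive formats). The added block also re-introduces a second `#!/bin/sh` and `set -e` in the middle of the file and hard-codes `DATABASES="fbm_test"`, a site-specific value in a generic tool. The old FIXME block after the insertion is left in place; presumably it should be dropped now that the script does something.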
diff --git a/postgresql/share/bash-completion/pg_hba.conf b/postgresql/share/bash-completion/pg_hba.conf
new file mode 100644
index 0000000..c69b07b
--- /dev/null
+++ b/postgresql/share/bash-completion/pg_hba.conf
@@ -0,0 +1,48 @@
+# Open Infrastructure: service-tools
+
+# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+#
+# SPDX-License-Identifier: GPL-3.0+
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+_pg_hba_conf()
+{
+ local cur prev pg_type
+ COMPREPLY=()
+ cur="${COMP_WORDS[COMP_CWORD]}"
+ prev="${COMP_WORDS[COMP_CWORD-1]}"
+
+ if [ ${COMP_CWORD} -gt 0 ]
+ then
+ pg_type="${COMP_WORDS[1]}"
+ fi
+
+ if [ "${prev}" = "--" ]
+ then
+ compopt -o bashdefault
+ COMPREPLY=( $(compgen -c -- $cur) )
+ return 0
+ fi
+
+ case "${pg_type}" in
+ *)
+ local pg_types="local host hostssl hostnossl hostgssenc hostnogssenc"
+ COMPREPLY=( $(compgen -W "${pg_types}" -- ${cur}) )
+ return 0
+ ;;
+ esac
+}
+
+complete -F _pg_hba_conf pg_hba.conf
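Review bot: The completion offers pg_hba connection types (`local host hostssl …`) while the pg_hba.conf script added in this commit accepts only `-a/--add`, `-i/--init`, `-r/--remove` and `-u/--update`, so what it completes is never a valid argument; the `case "${pg_type}"` with a lone `*)` arm also means pg_type is never used. Completing the script's real options would read `COMPREPLY=( $(compgen -W "-a --add -i --init -r --remove -u --update" -- "${cur}") )`. `$cur` on the `compgen -c` line should be quoted as well.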
diff --git a/postgresql/share/man/Makefile b/postgresql/share/man/Makefile
new file mode 100644
index 0000000..a8af58d
--- /dev/null
+++ b/postgresql/share/man/Makefile
@@ -0,0 +1,59 @@
+# Open Infrastructure: compute-tools
+
+# Copyright (C) 2014-2021 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+#
+# SPDX-License-Identifier: GPL-3.0+
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+# Depends: python3-docutils
+
+RST2MAN = rst2man \
+ --no-datestamp \
+ --no-generator \
+ --strict \
+ --strip-comments \
+ --tab-width=4 \
+ --verbose
+
+VERSION := $(shell cat ../../VERSION.txt)
+
+SHELL := sh -e
+
+all: build
+
+build: man
+
+rebuild: clean build
+
+man: man.in *.rst
+ @echo -n "Creating manpages... "
+
+ @for FILE in *.rst; \
+ do \
+ cp man.in $$(basename $${FILE} .rst); \
+ $(RST2MAN) $${FILE} | \
+ sed -e '/^.\\" Man page generated/d' \
+ -e '/^.\\" Generated by/d' \
+ -e "s|^\(.TH .*\) \(\"\" \"\"\) |\1 $${VERSION} compute-tools |" \
+ >> $$(basename $${FILE} .rst); \
+ echo -n "."; \
+ done
+
+ @echo " done."
+
+clean:
+ rm -f *.[0-9]
+
+.PHONY: all clean build rebuild man
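Review bot: `VERSION := $(shell cat ../../VERSION.txt)` is one level short for a file living in postgresql/share/man; the linux/share/man Makefile in this same commit reads `../../../VERSION.txt`, and with the wrong path VERSION is empty and the `.TH` line gets no version. The sed expression stamps `compute-tools` into the manpage and the header says "Open Infrastructure: compute-tools", so this looks copied unchanged from that project; both should say service-tools. The only .rst next to it is container.1.rst, the compute-tools container-list page, and the postgresql/Makefile install target does not build or install share/man at all, so this directory is currently dead weight.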
diff --git a/postgresql/share/man/container.1.rst b/postgresql/share/man/container.1.rst
new file mode 100644
index 0000000..6cd516f
--- /dev/null
+++ b/postgresql/share/man/container.1.rst
@@ -0,0 +1,145 @@
+.. Open Infrastructure: compute-tools
+
+.. Copyright (C) 2014-2021 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+..
+.. SPDX-License-Identifier: GPL-3.0+
+..
+.. This program is free software: you can redistribute it and/or modify
+.. it under the terms of the GNU General Public License as published by
+.. the Free Software Foundation, either version 3 of the License, or
+.. (at your option) any later version.
+..
+.. This program is distributed in the hope that it will be useful,
+.. but WITHOUT ANY WARRANTY; without even the implied warranty of
+.. MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.. GNU General Public License for more details.
+..
+.. You should have received a copy of the GNU General Public License
+.. along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+==============
+container-list
+==============
+
+----------------------------
+List container on the system
+----------------------------
+
+:manual section: 1
+:manual group: Open Infrastructure
+
+Synopsis
+========
+
+| **container list** ['OPTIONS']
+| **cnt ls** ['OPTIONS']
+
+Description
+===========
+
+The **container list** command lists container on the system.
+
+Options
+=======
+
+The following **container list** options are available, defaults to '--started
+--stopped':
+
+-a, --all:
+ List all available container (started, stopped, and other).
+
+--csv-separator='SEPARATOR':
+ Specify custom CSV separator, defaults to ','.
+
+-f, --format='FORMAT':
+ Use format to list container. Currently available formats are 'cli' (default),
+ 'csv', 'json', 'nwdiag', 'shell', 'sh', 'yaml', or 'xml'.
+
+-h, --host='HOSTNAME':
+ List only container that are enabled for automatic start on the specified
+ hostname. Defaults to list containers of the local system only. Using 'all'
+ shows all container regardless of any automatic start configuration.
+
+--nwdiag-color='COLOR':
+ Specify custom nwdiag color for the host box, defaults to '#3465a4'.
+
+--nwdiag-label='LABEL':
+ Specify custom nwdiag label for the diagram, defaults to empty.
+
+-o, --other:
+ List only container that are not enable for automatic start on the current
+ system.
+
+-s, --started:
+ List only started container.
+
+-t, --stopped:
+ List only stopped container.
+
+Examples
+========
+
+List all started and stopped containers of the local system:
+
+ sudo container list
+
+List all started and other containers:
+
+ sudo container list -s -o
+
+Create a CSV export of all started and stopped containers:
+
+ sudo container list -f csv
+
+Create a JSON export of all started and stopped containers:
+
+ sudo container list -f json
+
+Create a nwdiag export of all started and stopped containers:
+
+ sudo container list -f nwdiag
+
+Create a SVG image via nwdiag of all started and stopped containers:
+
+ sudo container list -f nwdiag | nwdiag -T svg -o cnt-list.svg -
+
+Create a shell export of all started and stopped containers:
+
+ sudo container list -f shell
+ sudo container list -f sh
+
+Create a YAML export of all started and stopped containers:
+
+ sudo container list -f yaml
+
+Create a XML export of all started and stopped containers:
+
+ sudo container list -f xml
+
+See also
+========
+
+| compute-tools(7),
+| container(1).
+
+Homepage
+========
+
+More information about compute-tools and the Open Infrastructure project can be
+found on the homepage (https://open-infrastructure.net).
+
+Contact
+=======
+
+Bug reports, feature requests, help, patches, support and everything else are
+welcome on the Open Infrastructure Software Mailing List
+<software@lists.open-infrastructure.net>.
+
+Debian specific bugs can also be reported in the Debian Bug Tracking System
+(https://bugs.debian.org).
+
+Authors
+=======
+
+compute-tools were written by Daniel Baumann
+<daniel.baumann@open-infrastructure.net> and others.
diff --git a/postgresql/share/man/man.in b/postgresql/share/man/man.in
new file mode 100644
index 0000000..f95ca67
--- /dev/null
+++ b/postgresql/share/man/man.in
@@ -0,0 +1,19 @@
+.\" Open Infrastructure: service-tools
+.\"
+.\" Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+.\"
+.\" SPDX-License-Identifier: GPL-3.0+
+.\"
+.\" This program is free software: you can redistribute it and/or modify
+.\" it under the terms of the GNU General Public License as published by
+.\" the Free Software Foundation, either version 3 of the License, or
+.\" (at your option) any later version.
+.\"
+.\" This program is distributed in the hope that it will be useful,
+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.\" GNU General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public License
+.\" along with this program. If not, see <https://www.gnu.org/licenses/>.
+.\"
diff --git a/znuny/Makefile b/znuny/Makefile
new file mode 100644
index 0000000..6b3744b
--- /dev/null
+++ b/znuny/Makefile
@@ -0,0 +1,80 @@
+# Open Infrastructure: service-tools
+
+# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+#
+# SPDX-License-Identifier: GPL-3.0+
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+SHELL := sh -e
+
+SCRIPTS = bin/*
+
+all: build
+
+test:
+ @echo -n "Checking for syntax errors with sh... "
+ @for SCRIPT in $(SCRIPTS); \
+ do \
+ sh -n $${SCRIPT}; \
+ echo -n "."; \
+ done
+ @echo " done."
+
+ @echo -n "Checking for bashisms... "
+ @if [ -x /usr/bin/checkbashisms ]; \
+ then \
+ for SCRIPT in $(SCRIPTS); \
+ do \
+ checkbashisms -f -x $${SCRIPT}; \
+ echo -n "."; \
+ done; \
+ else \
+ echo "Note: devscripts not installed, skipping checkbashisms."; \
+ fi
+ @echo " done."
+
+ @echo -n "Checking with shellcheck... "
+ @if [ -x /usr/bin/shellcheck ]; \
+ then \
+ for SCRIPT in $(SCRIPTS); \
+ do \
+ shellcheck -e SC2039 $${SCRIPT}; \
+ echo -n "."; \
+ done; \
+ else \
+ echo "Note: shellcheck not installed, skipping shellcheck."; \
+ fi
+ @echo " done."
+
+build:
+
+install: build
+ mkdir -p $(DESTDIR)/usr/bin
+ cp -r bin/* $(DESTDIR)/usr/bin
+
+uninstall:
+ for FILE in bin/*; \
+ do \
+ rm -f $(DESTDIR)/usr/bin/$$(basename $${FILE}); \
+ done
+ rmdir --ignore-fail-on-non-empty --parents $(DESTDIR)/usr/bin || true
+
+ rmdir --ignore-fail-on-non-empty --parents $(DESTDIR) || true
+
+clean:
+
+distclean:
+
+reinstall: uninstall install
diff --git a/dehydrated/share/hooks/deploy_cert.fullchain-privkey b/znuny/bin/otrs.Console.pl
index 57d735b..0e72b93 100755
--- a/dehydrated/share/hooks/deploy_cert.fullchain-privkey
+++ b/znuny/bin/otrs.Console.pl
@@ -21,8 +21,4 @@
set -e
-DIRECTORY="$(dirname "${FULLCHAINFILE}")"
-FILE="cert.fullchain-privkey-${TIMESTAMP}.pem"
-
-cat "${FULLCHAINFILE}" "${KEYFILE}" > "${DIRECTORY}/${FILE}"
-ln -sf "${FILE}" "${DIRECTORY}/cert.fullchain-privkey.pem"
+sudo -u otrs /usr/share/otrs/bin/otrs.Console.pl ${@}
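Review bot: The new wrapper passes `${@}` unquoted, so any argument containing whitespace or glob characters is re-split and expanded by this shell before sudo runs, which changes what otrs.Console.pl actually receives; the line should read `sudo -u otrs /usr/share/otrs/bin/otrs.Console.pl "${@}"`. The same unquoted `${@}` is in the new znuny/bin/otrs.Daemon.pl and should be fixed the same way. The script's head (shebang and the `set -e` context line) is above this hunk. Git appears to have paired this file with the removed dehydrated hook on the similarity of the license header alone; a one-line comment above the sudo line, `# Run the OTRS console as the otrs service user, passing all arguments through unchanged`, would make the wrapper's purpose explicit without relying on that history.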
diff --git a/znuny/bin/otrs.Daemon.pl b/znuny/bin/otrs.Daemon.pl
new file mode 100755
index 0000000..7882d1d
--- /dev/null
+++ b/znuny/bin/otrs.Daemon.pl
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+# Open Infrastructure: service-tools
+
+# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+#
+# SPDX-License-Identifier: GPL-3.0+
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+set -e
+
+sudo -u otrs /usr/share/otrs/bin/otrs.Daemon.pl ${@}
diff --git a/znuny/bin/znuny-setup b/znuny/bin/znuny-setup
new file mode 100755
index 0000000..5345c42
--- /dev/null
+++ b/znuny/bin/znuny-setup
@@ -0,0 +1,66 @@
+#!/bin/sh
+
+# Open Infrastructure: service-tools
+
+# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+#
+# SPDX-License-Identifier: GPL-3.0+
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+set -e
+
+ARGUMENTS="${@}"
+
+if [ -z "${ARGUMENTS}" ]
+then
+ echo "Usage: ${0} fix-permissions"
+ exit 1
+fi
+
+case "${ARGUMENTS}" in
+ fix-permissions)
+ echo "# this will set owner and permissions on article"
+ echo "# this can take a long time.. waiting 5s before beginning..."
+ sleep 5
+
+ echo "# setting permissions for local extensions"
+
+ echo "chmod g+w -R /usr/share/otrs/"
+ chmod g+w -R /usr/share/otrs/
+
+ echo "chmod g+w -R /var/lib/otrs/"
+ chmod g+w -R /var/lib/otrs/
+
+ echo "chgrp www-data -R /var/lib/otrs/"
+ chgrp www-data -R /var/lib/otrs/
+
+ echo "chgrp www-data -R /usr/share/otrs/"
+ chgrp www-data -R /usr/share/otrs/
+
+ echo "# setting permissions on articles"
+
+ echo "chown -R otrs:www-data /var/lib/otrs/article/"
+ chown -R otrs:www-data /var/lib/otrs/article/
+
+ echo "chmod -R 0775 /var/lib/otrs/article/"
+ chmod -R 0775 /var/lib/otrs/article/
+
+ echo "find /var/lib/otrs/article/ -type f -exec chmod 0664 {} +"
+ find /var/lib/otrs/article/ -type f -exec chmod 0664 {} +
+
+ echo "chmod g+s -R /var/lib/otrs/article/"
+ chmod g+s -R /var/lib/otrs/article/
+ ;;
+esac
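Review bot: The `case` at the end has no `*)` arm, so an unknown command, or `fix-permissions` followed by any extra word (because `ARGUMENTS="${@}"` joins every argument into one string), falls through `esac` and the script exits 0 having done nothing; add `*) echo "E: unknown command '${ARGUMENTS}'" >&2; exit 1 ;;` before `esac`, and consider matching on `"${1}"` rather than the joined string. Separately, `chmod g+w -R /usr/share/otrs/` together with `chgrp www-data -R /usr/share/otrs/` leaves the whole application code tree writable by the web-server group, which is wider than the article-directory permissions applied in the section below; if only local extensions need that, a comment naming the directories that require it, or narrowing the chmod to them, would keep the web process from being able to modify the application itself. The `sleep 5` has no explicit abort path; a comment such as `# grace period: interrupt here to abort before permissions are rewritten` would tell the operator what the pause is for.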