From 35242e8a94a6a1093dd0c32180db6ce08b5e169d Mon Sep 17 00:00:00 2001
From: Michael Hoess
Date: Sun, 21 Jan 2024 00:32:16 +0100
Subject: [PATCH] Include acme-stuff and sshd_config-stuff
---
README.md | 19 +++++++++++++
acme/newcert-dns.sh | 20 ++++++++++++++
acme/newcert-http.sh | 18 ++++++++++++
acme/rec-cert.sh | 47 ++++++++++++++++++++++++++++++++
acme/send-cert.sh | 3 +-
apache/README.md | 25 -----------------
apache/acme.include | 2 --
profile.d/sys_srcs.sh | 5 ++++
ssh/snippets/sshd_config.samples | 22 +++++++++++++
9 files changed, 133 insertions(+), 28 deletions(-)
create mode 100644 README.md
create mode 100644 acme/newcert-dns.sh
create mode 100644 acme/newcert-http.sh
create mode 100755 acme/rec-cert.sh
delete mode 100644 apache/README.md
delete mode 100644 apache/acme.include
create mode 100755 profile.d/sys_srcs.sh
create mode 100644 ssh/snippets/sshd_config.samples
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..6062229
--- /dev/null
+++ b/README.md
@@ -0,0 +1,19 @@
+# Misc tools
+
+## Install
+
+- Clone to /opt/srcs/misctool
+- Define global ENV $SYS_SRCS pointing to /opt/srcs, use this in wrappers
+
+## Stuff in "snippet" dirs
+
+Stuff could be included in existing configs
+
+## Use of scripts:
+Usually place a wrapper sourceing directly the contents of the file.
+```
+ACONF="Bla"
+. /SYS_SRCS/misc-tools/acme/rec-cert.sh $@
+
+```
+
diff --git a/acme/newcert-dns.sh b/acme/newcert-dns.sh
new file mode 100644
index 0000000..9091a4a
--- /dev/null
+++ b/acme/newcert-dns.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+
+# For clouddns
+# On new installs use
+#export CLOUDNS_AUTH_ID=XXXXX
+#export CLOUDNS_AUTH_PASSWORD="YYYYYYYYY"
+# after first use these are saved withing acme.sh
+
+mkdir -p /etc/ssl/mycerts/$1
+
+./acme.sh --home "/opt/acme" --config-home '/var/lib/acme' --issue --dns dns_cloudns -d $1
+
+
+cp /var/lib/acme/$1/*cer /etc/ssl/mycerts/$1
+cp /var/lib/acme/$1/*key /etc/ssl/mycerts/$1
+
+
+chmod go-rwx `find /etc/ssl/mycerts/$1 -name "key.pem"`
+chmod go-rwx `find /etc/ssl/mycerts/$1 -name "*key"`
+
diff --git a/acme/newcert-http.sh b/acme/newcert-http.sh
new file mode 100644
index 0000000..b49c934
--- /dev/null
+++ b/acme/newcert-http.sh
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+
+read -p "Server reload command on (default apache-reload): " rcmd
+rcmd=${rcmd:-"/etc/init.d/apache2 reload"}
+
+
+mkdir -p /etc/ssl/mycerts/$1
+
+./acme.sh --force --home "/opt/acme" --config-home '/var/lib/acme' --issue --standalone --httpport 9432 -d $1 \
+--ca-file /etc/ssl/mycerts/$1/ca.cer \
+--cert-file /etc/ssl/mycerts/$1/$1.cer \
+--key-file /etc/ssl/mycerts/$1/$1.key \
+--fullchain-file /etc/ssl/mycerts/$1/fullchain.cer \
+--reloadcmd "${rcmd}"
+
+chmod go-rwx /etc/ssl/mycerts/$1/*.key
+
diff --git a/acme/rec-cert.sh b/acme/rec-cert.sh
new file mode 100755
index 0000000..8ef6911
--- /dev/null
+++ b/acme/rec-cert.sh
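Review bot: `$1` is used unquoted and never checked in every path of newcert-dns.sh (`mkdir -p /etc/ssl/mycerts/$1`, both `cp` lines, both `find` calls), so running the script without an argument silently works on `/etc/ssl/mycerts/` itself and the `chmod` lines then act on whatever `find` happens to return; a guard at the top, `[ -n "$1" ] || { echo "domain name missing" >&2; exit 1; }`, plus `"$1"` throughout, closes that. The same unchecked, unquoted `$1` appears in newcert-http.sh and, quoting aside, in rec-cert.sh. The two `chmod go-rwx` lines also fail on a missing operand when `find` matches nothing, and until they run the key copied by `cp` carries umask permissions (typically world-readable); `set -e` at the top plus `chmod go-rwx /etc/ssl/mycerts/"$1"/*key` is simpler and stops before a key is left exposed. `./acme.sh` is resolved relative to the caller's cwd while `--home` is absolute, so the script presumably only works when started from /opt/acme — worth a comment, unless the wrapper described in README.md changes directory first.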
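Review bot: `--force` on the `./acme.sh` line of newcert-http.sh re-issues a certificate on every invocation regardless of the existing one's age, so repeated runs (or a cron wrapper) will run into the CA's duplicate-certificate rate limit; if a one-off first issue is intended, a comment saying so would help, otherwise drop `--force` and let acme.sh's own renewal logic decide. The prompt says `(default apache-reload)` but the fallback on the next line is `/etc/init.d/apache2 reload`; `printf '%s' "Server reload command (default: /etc/init.d/apache2 reload): "` followed by `read -r rcmd` states the real default and also avoids `read -p`, which bash and dash accept but which is not part of POSIX `sh` despite the `#!/bin/sh` shebang. Whatever is typed here becomes `--reloadcmd`, which acme.sh stores and runs as root on every renewal, so echoing the final `${rcmd}` back before issuing would make a typo visible at the point it is entered rather than months later.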
@@ -0,0 +1,47 @@
+# Return 0 on cert-udpate, 1 on fail, on no changes
+
+SRC=${SRC:-192.168.61.1}
+SRC_USER=${SRC_USER:-cert_send}
+
+#
+#
+#
+
+if [ "$1" == "" ]; then
+ echo "dir-name for target missing"
+ exit 1
+fi
+if [ "$2" == "" ]; then
+ echo "owning user missing"
+ exit 1
+fi
+
+TMP=$(mktemp -d)
+echo $TMP
+cd $TMP
+ssh $SRC_USER@$SRC 2> /dev/null > in.txt
+cat in.txt | head -n 1
+echo Got:
+#cat in.txt | grep -B 99999 '\.\.\.\.\.' | grep -v '\.\.\.\.\.' | base64 -d > in.tgz
+cat in.txt | tr -d '\r' | base64 -d > in.tgz
+echo Install:
+tar xzf in.tgz || exit 1
+mkdir -p /etc/ssl/server/$1
+chg=0
+for i in $(ls *cer *key); do
+ echo "...$i"
+ diff "$i" "/etc/ssl/server/$1/$i" || chg=1
+ if [ "$chg" == "1" ]; then
+ cp "$i" "/etc/ssl/server/$1" || exit 1
+ fi
+done
+
+chmod go-rwx /etc/ssl/server/${1}/*.key || exit 1
+chown ${2} /etc/ssl/server/${1}
+
+# return 0 if new cert was retrieved, 2 if no changes, 1 on error
+if [ "$chg" == 0 ]; then
+ exit 2
+fi
+exit 0
+
diff --git a/acme/send-cert.sh b/acme/send-cert.sh
index a0eb9c6..a0554a6 100755
--- a/acme/send-cert.sh
+++ b/acme/send-cert.sh
@@ -1,11 +1,12 @@ #!/bin/bash # Add to authorized_keys -# command="/opt/acme/send-cert.sh gitea.mh3000.net 192.168.61.15" s +# command="/opt/acme/send-cert.sh test.mh3000.net 192.168.61.150" ssh-key if [ "$(echo $SSH_CLIENT | cut -d ' ' -f 1)" != "$2" ]; then echo Invalid IP + exit 1 fi echo ""
diff --git a/apache/README.md b/apache/README.md
deleted file mode 100644
index c230c57..0000000
--- a/apache/README.md
+++ /dev/null
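Review bot: `cd $TMP` in rec-cert.sh is unchecked and `$TMP` is never removed, so if `mktemp -d` fails the decoded archive, private key included, is unpacked into whatever the caller's cwd happens to be, and on success a copy of the key stays behind under the temp directory; `TMP=$(mktemp -d) || exit 1`, `trap 'rm -rf -- "$TMP"' EXIT` and `cd "$TMP" || exit 1` cover both. The `ssh $SRC_USER@$SRC 2> /dev/null > in.txt` line discards both the exit status and stderr, so a refused connection or the sender's `Invalid IP` reply becomes an empty or garbage `in.tgz` that only surfaces as an opaque `tar` failure; `|| exit 1` on the `ssh` and `base64 -d` steps would make that diagnosable. `chown ${2}` is applied to the directory only, so key files freshly created by `cp` keep root ownership with `go-rwx` and the owning user presumably cannot read them on a first install — hedged, since an existing file's owner survives `cp`; `chown -- "$2" "/etc/ssl/server/$1"/*` after the loop, or per copied file, would fix it. As the file has no shebang and README.md says it is sourced from a wrapper, the `==` inside `[ ]` also assumes that wrapper runs under bash, which deserves a comment at the top.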
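Review bot: `echo Invalid IP` in send-cert.sh goes to stdout, which is the channel the receiver decodes as base64 (rec-cert.sh captures `ssh ... > in.txt` and runs `base64 -d` over it), so the rejection belongs on stderr, `echo Invalid IP >&2`, next to the new `exit 1`. The `$SSH_CLIENT` comparison is a reasonable second check, but the same restriction can be enforced by sshd before the command ever runs by adding `from="192.168.61.150"` beside `command=` in the authorized_keys line quoted in the comment. `"$(echo $SSH_CLIENT | cut -d ' ' -f 1)"` can also be written `"${SSH_CLIENT%% *}"`, which avoids the unquoted expansion and two forks. The rest of send-cert.sh lies outside this hunk.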
@@ -1,25 +0,0 @@
-### acme.include
-
-Include which redirects requests which are actually for the _ACME/Let's encrypt_ .
-This way you can have apache running on port 80, but still process request from the _Let's encrypt_ service
-which also come to port 80.
-
-Example apache definition for a typical HTTP/80-virtual server would look like this now:
-```
-
- Include /etc/apache2/vhosts.d/acme.include
- RedirectMatch permanent ^(.*)$ https://cdn.mh3000.net/
- TransferLog "/var/log/apache2/access_cdnmh3000-nonssl.log"
-
-```
-
-This works like this:
-- the include redirects request to the /.well-known/acme-challenge path to localhost:9432 where your
- ACME-worker shoud listen for requests
-- All other requests will be redirect to the SSL-version of your site.
-
-E.g. with `acme.sh` you must specify then parameters `[OTHER STUFF] --issue --standalone --httpport 9432 -d [DOMAIN]`
-at initial certificate request. Renews will automatically the also use the alternate httpport.
-
-
-
diff --git a/apache/acme.include b/apache/acme.include
deleted file mode 100644
index 2a68347..0000000
--- a/apache/acme.include
+++ /dev/null
@@ -1,2 +0,0 @@
-ProxyPass "/.well-known/acme-challenge" "http://127.0.0.1:9432/.well-known/acme-challenge" timeout=10 retry=3
-ProxyPassReverse "/.well-known/acme-challenge" "http://127.0.0.1:9432/.well-known/acme-challenge"
diff --git a/profile.d/sys_srcs.sh b/profile.d/sys_srcs.sh
new file mode 100755
index 0000000..e978741
--- /dev/null
+++ b/profile.d/sys_srcs.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+export SYS_SRCS=/opt/srcs
+
+
diff --git a/ssh/snippets/sshd_config.samples b/ssh/snippets/sshd_config.samples
new file mode 100644
index 0000000..c26284f
--- /dev/null
+++ b/ssh/snippets/sshd_config.samples
@@ -0,0 +1,22 @@
+
+# For local SSH forwarding
+PermitRootLogin false
+Matcm LocalAddress 127.0.0.1,::1
+ PermitRootLogin prohibit-password
+
+# Sample for SFTP-Only users
+# Every dir include /root must be owned by root with o=rx or o=r
+#
+# Example tree
+# /srv/someuser/root/data # owned by someuser
+# /srv/soomeuser/root # owned by root
+# /srv/someuser/.ssh # owned by somueuser
+# /srv/someuser # owned by root
+#
+Match User bu_*
+ X11Forwarding no
+ AllowTcpForwarding no
+ ForceCommand internal-sftp -l info -u 022
+ ChrootDirectory %h/root
+
+
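Review bot: `Matcm LocalAddress 127.0.0.1,::1` is a typo for `Match`; sshd rejects unknown keywords at parse time, so a host that includes this snippet as-is would refuse to start until it reads `Match LocalAddress 127.0.0.1,::1`. The global `PermitRootLogin false` on the line above deserves a `sshd -t` check too: the documented values are `yes`, `prohibit-password`, `forced-commands-only` and `no`, and I do not believe `false` is among them, so `PermitRootLogin no` is the safe spelling. The ChrootDirectory comment could state the documented rule rather than `o=rx or o=r`: every component of the chroot path must be owned by root and not writable by group or other, which is what sshd actually verifies before allowing the session. Since everything after a `Match` line belongs to that block, a comment noting that the two samples are meant to be appended at the end of sshd_config would also save someone from pasting them above global settings.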