Include acme-stuff and sshd_config-stuff

2024-01-21 00:32:16 +01:00 · 2024-01-21 00:32:16 +01:00 · 35242e8a94
parent 026f416f58
commit 35242e8a94
9 changed files with 133 additions and 28 deletions
--- a/README.md
+++ b/README.md
@ -0,0 +1,19 @@
 # Misc tools
 ## Install
 - Clone to /opt/srcs/misctool
 - Define global ENV $SYS_SRCS pointing to /opt/srcs, use this in wrappers
 ## Stuff in "snippet" dirs
 Stuff could be included in existing configs
 ## Use of scripts:
 Usually place a wrapper sourceing directly the contents of the file.
 ```
 ACONF="Bla"
 . /SYS_SRCS/misc-tools/acme/rec-cert.sh $@
 ```
--- a/acme/newcert-dns.sh
+++ b/acme/newcert-dns.sh
@ -0,0 +1,20 @@
 #!/bin/sh
 # For clouddns
 # On new installs use
 #export CLOUDNS_AUTH_ID=XXXXX
 #export CLOUDNS_AUTH_PASSWORD="YYYYYYYYY"
 # after first use these are saved withing acme.sh 
 mkdir -p /etc/ssl/mycerts/$1
 ./acme.sh  --home "/opt/acme" --config-home '/var/lib/acme'  --issue --dns dns_cloudns -d $1 
 cp /var/lib/acme/$1/*cer /etc/ssl/mycerts/$1
 cp /var/lib/acme/$1/*key /etc/ssl/mycerts/$1
 chmod go-rwx `find /etc/ssl/mycerts/$1 -name "key.pem"`
 chmod go-rwx `find /etc/ssl/mycerts/$1 -name "*key"`
--- a/acme/newcert-http.sh
+++ b/acme/newcert-http.sh
@ -0,0 +1,18 @@
 #!/bin/sh
 read -p "Server reload command on (default apache-reload): " rcmd
 rcmd=${rcmd:-"/etc/init.d/apache2 reload"}
 mkdir -p /etc/ssl/mycerts/$1
 ./acme.sh --force  --home "/opt/acme" --config-home '/var/lib/acme'  --issue --standalone  --httpport 9432 -d $1 \
 --ca-file      /etc/ssl/mycerts/$1/ca.cer  \
 --cert-file      /etc/ssl/mycerts/$1/$1.cer  \
 --key-file       /etc/ssl/mycerts/$1/$1.key  \
 --fullchain-file /etc/ssl/mycerts/$1/fullchain.cer \
 --reloadcmd "${rcmd}"
 chmod go-rwx /etc/ssl/mycerts/$1/*.key
--- a/acme/rec-cert.sh
+++ b/acme/rec-cert.sh
@ -0,0 +1,47 @@
 # Return 0 on cert-udpate, 1 on fail, on no changes
 SRC=${SRC:-192.168.61.1}
 SRC_USER=${SRC_USER:-cert_send}
 #
 #
 #
 if [ "$1" == "" ]; then
        echo "dir-name for target missing"
        exit 1
 fi
 if [ "$2" == "" ]; then
        echo "owning user missing"
        exit 1
 fi
 TMP=$(mktemp -d)
 echo $TMP
 cd $TMP
 ssh $SRC_USER@$SRC 2> /dev/null > in.txt
 cat in.txt | head -n 1 
 echo Got:
 #cat in.txt | grep -B 99999 '\.\.\.\.\.' | grep -v '\.\.\.\.\.' | base64 -d > in.tgz
 cat in.txt | tr -d '\r' | base64 -d > in.tgz
 echo Install:
 tar xzf in.tgz || exit 1
 mkdir -p /etc/ssl/server/$1
 chg=0
 for i in $(ls *cer *key); do 
        echo "...$i"
        diff "$i" "/etc/ssl/server/$1/$i" || chg=1
        if [ "$chg" == "1" ]; then
                cp "$i" "/etc/ssl/server/$1" || exit 1
        fi
 done
 chmod go-rwx /etc/ssl/server/${1}/*.key || exit 1
 chown ${2} /etc/ssl/server/${1}
 # return 0 if new cert was retrieved, 2 if no changes, 1 on error
 if [ "$chg" == 0 ]; then
        exit 2
 fi
 exit 0
--- a/acme/send-cert.sh
+++ b/acme/send-cert.sh
@ -1,11 +1,12 @@
 #!/bin/bash
 # Add to authorized_keys
-# command="/opt/acme/send-cert.sh gitea.mh3000.net 192.168.61.15" s
+# command="/opt/acme/send-cert.sh test.mh3000.net 192.168.61.150" ssh-key
 if [ "$(echo $SSH_CLIENT | cut -d ' ' -f 1)" != "$2" ]; then
  echo Invalid IP
  exit 1 
 fi
 echo ""
--- a/apache/README.md
+++ b/apache/README.md
@ -1,25 +0,0 @@
 ### acme.include
 Include which redirects requests which are actually for the _ACME/Let's encrypt_ .
 This way you can have apache running on port 80, but still process request from the _Let's encrypt_ service 
 which also come to port 80.
 Example apache definition for a typical HTTP/80-virtual server would look like this now:
 ```
 <VirtualHost cdn.mh3000.net:80>
        Include /etc/apache2/vhosts.d/acme.include        
        RedirectMatch permanent ^(.*)$ https://cdn.mh3000.net/
        TransferLog "/var/log/apache2/access_cdnmh3000-nonssl.log"
 </VirtualHost>
 ```
 This works like this:
 - the include redirects request to the /.well-known/acme-challenge path to localhost:9432 where your
  ACME-worker shoud listen for requests
 - All other requests will be redirect to the SSL-version of your site.
 E.g. with `acme.sh` you must specify then parameters `[OTHER STUFF] --issue --standalone  --httpport 9432 -d [DOMAIN]`
 at initial certificate request. Renews will automatically the also use the alternate httpport.
--- a/apache/acme.include
+++ b/apache/acme.include
@ -1,2 +0,0 @@
 ProxyPass "/.well-known/acme-challenge" "http://127.0.0.1:9432/.well-known/acme-challenge" timeout=10 retry=3
 ProxyPassReverse "/.well-known/acme-challenge" "http://127.0.0.1:9432/.well-known/acme-challenge"
--- a/profile.d/sys_srcs.sh
+++ b/profile.d/sys_srcs.sh
@ -0,0 +1,5 @@
 #!/bin/bash
 export SYS_SRCS=/opt/srcs
--- a/ssh/snippets/sshd_config.samples
+++ b/ssh/snippets/sshd_config.samples
@ -0,0 +1,22 @@
 # For local SSH forwarding
 PermitRootLogin false
 Matcm LocalAddress 127.0.0.1,::1
        PermitRootLogin prohibit-password
 # Sample for SFTP-Only users
 # Every dir include /root must be owned by root with o=rx or o=r
 # 
 # Example tree
 # /srv/someuser/root/data # owned by someuser
 # /srv/soomeuser/root     # owned by root
 # /srv/someuser/.ssh      # owned by somueuser
 # /srv/someuser           # owned by root
 #
 Match User bu_*
        X11Forwarding no
        AllowTcpForwarding no
        ForceCommand internal-sftp -l info -u 022
        ChrootDirectory %h/root
		`@ -1,2 +0,0 @@`
			`ProxyPass "/.well-known/acme-challenge" "http://127.0.0.1:9432/.well-known/acme-challenge" timeout=10 retry=3`
			`ProxyPassReverse "/.well-known/acme-challenge" "http://127.0.0.1:9432/.well-known/acme-challenge"`