From 71d6a5fff3e4c0234b0fdf01cd306d1c607a3b78 Mon Sep 17 00:00:00 2001 From: Adrian Date: Sat, 22 Feb 2020 14:20:30 +0100 Subject: [PATCH 1/5] Add NetworkManager configuration --- network-manager/99-no-wifi-on-ethernet | 11 +++++++++++ network-manager/README.md | 13 +++++++++++++ 2 files changed, 24 insertions(+) create mode 100755 network-manager/99-no-wifi-on-ethernet create mode 100644 network-manager/README.md diff --git a/network-manager/99-no-wifi-on-ethernet b/network-manager/99-no-wifi-on-ethernet new file mode 100755 index 0000000..fa44a2f --- /dev/null +++ b/network-manager/99-no-wifi-on-ethernet @@ -0,0 +1,11 @@ +#!/bin/sh + +logger -t no-wifi-on-ethernet "Device $1 is $2" + +if [ "dev:$1:$2" = "dev:eth0:up" ]; then + nmcli r wifi off +fi + +if [ "dev:$1:$2" = "dev:eth0:down" ]; then + nmcli r wifi on +fi diff --git a/network-manager/README.md b/network-manager/README.md new file mode 100644 index 0000000..6e60a35 --- /dev/null +++ b/network-manager/README.md @@ -0,0 +1,13 @@ +# NetworkManager + +## Manage ethernet devices with NetworkManager + +```sh +touch /etc/NetworkManager/conf.d/10-globally-managed-devices.conf +``` + +## Automatically switch off wifi when ethernet is connected + +```sh +sudo cp 99-no-wifi-on-ethernet /etc/NetworkManager/dispatcher.d +``` From 4c004acda81255146c86399143973412ea9b8fbe Mon Sep 17 00:00:00 2001 From: Adrian Date: Wed, 15 Apr 2020 23:22:14 +0200 Subject: [PATCH 2/5] Fix unprocessed index directives --- nextcloud/nginx.conf | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/nextcloud/nginx.conf b/nextcloud/nginx.conf index 15307c4..8030b02 100644 --- a/nextcloud/nginx.conf +++ b/nextcloud/nginx.conf @@ -9,7 +9,6 @@ server { client_max_body_size 0; location / { - index index.php; try_files $uri /index.php$request_uri; } 
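Review bot: The interface name `eth0` is hardcoded in both comparisons, so on hosts that use predictable interface names (`enp…`/`eno…`) the script logs every event but never toggles wifi; hoist it into one constant, `ETH_DEV=eth0`, and compare against `"dev:$1:$2" = "dev:$ETH_DEV:up"` and `"dev:$ETH_DEV:down"` so there is a single place to adapt. NetworkManager invokes dispatcher scripts for other actions too (`connectivity-change`, `vpn-up`, …), which the exact-match comparisons already ignore; a header comment saying so would spare the next reader a check. As far as I know nm-dispatcher refuses scripts that are not owned by root or are group/world-writable, so the README's plain `sudo cp` should be followed by a `chown root:` and a mode check — worth confirming against the installed NetworkManager version.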
@@ -26,6 +25,10 @@ server { include fastcgi.conf; } + location /updater { index index.php; } + location /ocm-provider { index index.php; } + location /ocs-provider { index index.php; } + location = /.well-known/carddav { return 301 $scheme://$host:$server_port/remote.php/dav; } From 8b0615f9de0b9178f01d33e4e2953c9dcff0b5d2 Mon Sep 17 00:00:00 2001 From: Adrian Date: Mon, 13 Apr 2020 21:10:11 +0200 Subject: [PATCH 3/5] Add postfix SNI support --- mail/README.md | 12 ++++++++++-- mail/postfix/main.cf | 1 + mail/postfix/sni.cf | 1 + 3 files changed, 12 insertions(+), 2 deletions(-) create mode 100644 mail/postfix/sni.cf diff --git a/mail/README.md b/mail/README.md index 1119549..7945019 100644 --- a/mail/README.md +++ b/mail/README.md @@ -11,6 +11,7 @@ sudo mkdir -p /data/mail/config sudo chown vmail: /data/mail/* cat schema.sql | sudo -u vmail sqlite3 /data/mail/config/vmail.db +sudo chown vmail:postfix /data/mail/config/vmail.db sudo chmod 640 /data/mail/config/vmail.db ``` @@ -26,12 +27,13 @@ sudo apt install sqlite3 postfix postfix-sqlite dovecot-imapd dovecot-sqlite ope DOMAIN=example.com sudo cp -r postfix dovecot /etc +sudo chmod 600 /etc/postfix/sni.cf + sudo sed -i '$ r opendkim/local.conf' /etc/opendkim.conf -sudo sed -i s/example.com/$DOMAIN/ /etc/postfix/main.cf /etc/dovecot/local.conf +sudo sed -i s/example.com/$DOMAIN/ /etc/postfix/{main,sni}.cf /etc/dovecot/local.conf sudo sed -i '/include auth-system/ s/.*/#&/' /etc/dovecot/conf.d/10-auth.conf sudo ln -s /data/mail/config/vmail.db /.opendkim-bug-241.db -sudo chown vmail:postfix /data/mail/config/vmail.db opendkim-genkey -d $DOMAIN -s s chmod +r s.private @@ -40,6 +42,12 @@ cat s.txt rm s.private s.txt ``` +## Certificate Reload + +```sh +postmap -F /etc/postfix/sni.cf +``` + ## Notes * The `vmail.db` parent directory needs to be writeable by the user modifying the database diff --git a/mail/postfix/main.cf b/mail/postfix/main.cf index 4b2e97f..66b0ba0 100644 --- a/mail/postfix/main.cf 
+++ b/mail/postfix/main.cf @@ -14,6 +14,7 @@ smtp_tls_security_level = may smtpd_tls_security_level = may smtpd_tls_key_file = /data/ssl/certs/mail.example.com/privkey.pem smtpd_tls_cert_file = /data/ssl/certs/mail.example.com/fullchain.pem +tls_server_sni_maps = hash:/etc/postfix/sni.cf # Custom diff --git a/mail/postfix/sni.cf b/mail/postfix/sni.cf new file mode 100644 index 0000000..e9ae8a0 --- /dev/null +++ b/mail/postfix/sni.cf @@ -0,0 +1 @@ +mail.example.com /data/ssl/certs/mail.example.com/privkey.pem /data/ssl/certs/mail.example.com/fullchain.pem From f0dc028f270b3f374594f80b2985b321134b1918 Mon Sep 17 00:00:00 2001 From: Adrian Date: Thu, 16 Apr 2020 22:51:36 +0200 Subject: [PATCH 4/5] fixup-nginx --- nginx/README.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/nginx/README.md b/nginx/README.md index fee1b7c..d87501e 100644 --- a/nginx/README.md +++ b/nginx/README.md @@ -1,9 +1,19 @@ # Nginx ```sh +DOMAIN=example.com + sudo cp -r sites-available snippets conf.d /etc/nginx sudo rm /etc/nginx/sites-*/default sudo ln -s ../sites-available/0nohost /etc/nginx/sites-enabled sudo ln -s ../sites-available/redirect-ssl-all /etc/nginx/sites-enabled + +sudo sed -i s/example.com/$DOMAIN/ /etc/nginx/conf.d/ssl.conf +``` + +## Certificate Reload + +```sh +nginx -s reload ``` From 0ba0c06653ead4827731bc77ab9b1b48310e80c9 Mon Sep 17 00:00:00 2001 
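Review bot: `tls_server_sni_maps = hash:/etc/postfix/sni.cf` points at a table that, once built with `postmap -F`, stores the PEM contents of the private key inside `sni.cf.db`, so the mode-600 protection the README gives to `sni.cf` must also hold for the `.db` file. To my knowledge postmap copies the source file's permissions when it creates the database, but that is worth verifying on the host after the first run, and every later certificate renewal needs the `postmap -F` step again or the old key/certificate pair keeps being served. I would add a comment above the directive: `# sni.cf.db holds the PEM key after postmap -F: keep both files root-only and rebuild after every renewal`.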
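Review bot: The single map line carries `example.com` three times (the SNI name and both PEM paths), but the README's setup step substitutes with `sed -i s/example.com/$DOMAIN/`, which without the `g` flag replaces only the first occurrence per line and leaves both certificate paths pointing at `/data/ssl/certs/mail.example.com/…`. Either add `g` to that substitution, `sudo sed -i s/example.com/$DOMAIN/g /etc/postfix/{main,sni}.cf /etc/dovecot/local.conf`, or state in the README that the paths in `sni.cf` must be edited by hand. main.cf's own key and certificate lines carry one occurrence each, so they are unaffected.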
From: Adrian Date: Thu, 16 Apr 2020 23:45:18 +0200 Subject: [PATCH 5/5] Add dyndns and letsencrypt helpers --- dyndns/README.md | 16 +++++++++++++++ dyndns/dyndns-nsupdate | 10 +++++++++ dyndns/dyndns-update | 19 +++++++++++++++++ dyndns/example.com.nsupdate.txt | 12 +++++++++++ dyndns/tsig.example.com.conf | 4 ++++ dyndns/update-example.com.sh | 7 +++++++ letsencrypt/README.md | 36 +++++++++++++++++++++++++++++++++ letsencrypt/config | 5 +++++ letsencrypt/dehydrated-manual | 11 ++++++++++ letsencrypt/dehydrated-nsupdate | 24 ++++++++++++++++++++++ letsencrypt/example-hook | 7 +++++++ 11 files changed, 151 insertions(+) create mode 100644 dyndns/README.md create mode 100755 dyndns/dyndns-nsupdate create mode 100755 dyndns/dyndns-update create mode 100644 dyndns/example.com.nsupdate.txt create mode 100644 dyndns/tsig.example.com.conf create mode 100755 dyndns/update-example.com.sh create mode 100644 letsencrypt/README.md create mode 100644 letsencrypt/config create mode 100755 letsencrypt/dehydrated-manual create mode 100755 letsencrypt/dehydrated-nsupdate create mode 100644 letsencrypt/example-hook diff --git a/dyndns/README.md b/dyndns/README.md new file mode 100644 index 0000000..21e1264 --- /dev/null +++ b/dyndns/README.md @@ -0,0 +1,16 @@ +# Dynamic DNS + +Edit example files to match your needs. + +```sh +sudo mkdir /data/dns +cp *example* dyndns* /data/dns + +chmod 600 /data/dns/tsig* +``` + +## Cronjob + +```sh +/data/dns/update-example.com.sh +``` diff --git a/dyndns/dyndns-nsupdate b/dyndns/dyndns-nsupdate new file mode 100755 index 0000000..1876f7c --- /dev/null +++ b/dyndns/dyndns-nsupdate @@ -0,0 +1,10 @@ +#!/bin/sh + +DYN_DIR=/data/dns + +if test "x$DYN_TSIGKEY" = x; then DYN_TSIGKEY="$DYN_DIR/tsig.$DYN_DOMAIN.conf"; fi +if test "x$DYN_NSUPDATE" = x; then DYN_NSUPDATE="$DYN_DIR/$DYN_DOMAIN.nsupdate.txt"; fi + +if test "x$1" != x; then + cat "$DYN_NSUPDATE" | sed s/%IP%/$1/g | nsupdate -v -k "$DYN_TSIGKEY" +fi 
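Review bot: `sed s/%IP%/$1/g` splices the first argument into the sed expression unquoted and unvalidated, and since dyndns-update obtains that value from the body of an HTTP response, anything other than a plain address — a slash, an `&`, a newline — either breaks the sed program or lands verbatim in the nsupdate script that is then signed with the TSIG key and sent to the zone. Reject anything that is not a dotted quad before it reaches sed: replace the `if test "x$1" != x` guard with `case "$1" in ''|*[!0-9.]*) exit 1 ;; esac` and run `sed "s/%IP%/$1/g" "$DYN_NSUPDATE" | nsupdate -v -k "$DYN_TSIGKEY"` (the `cat` is redundant). dyndns-update should apply the same check on its side as well. `DYN_DOMAIN` is used to build the default key and template paths but is never checked, unlike the variables in dyndns-update; a `test "x$DYN_DOMAIN" = x` guard with the same `exit 1` would make a missing export fail loudly instead of looking up `tsig..conf`.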
diff --git a/dyndns/dyndns-update b/dyndns/dyndns-update new file mode 100755 index 0000000..2eb07c8 --- /dev/null +++ b/dyndns/dyndns-update @@ -0,0 +1,19 @@ +#!/bin/sh + +if test "x$DYN_SERVER" = x; then echo export DYN_SERVER=ns.example.com; exit=1; fi +if test "x$DYN_DOMAIN" = x; then echo export DYN_DOMAIN=example.com; exit=1; fi +if test "x$DYN_SCRIPT" = x; then echo export DYN_SCRIPT=/path/to/script; exit=1; fi +if test "x$exit" = x1; then exit 1; fi + +if test "x$DYN_IPAPI" = x; then DYN_IPAPI=ifconfig.co; fi + +IPACTUAL=$(wget -qO - "$DYN_IPAPI") +IPSERVER=$(dig +short $DYN_DOMAIN @$DYN_SERVER) + +if test "x$IPSERVER" = x -o "x$IPACTUAL" = x; then + : # ERROR: IP unknown +elif test "x$IPSERVER" = "x$IPACTUAL"; then + : # INFO: IP not changed +else + "$DYN_SCRIPT" $IPACTUAL +fi diff --git a/dyndns/example.com.nsupdate.txt b/dyndns/example.com.nsupdate.txt new file mode 100644 index 0000000..8153944 --- /dev/null +++ b/dyndns/example.com.nsupdate.txt @@ -0,0 +1,12 @@ +server ns01.example.com +zone example.com + +update del example.com. TXT +update del example.com. A +update del *.example.com. A + +update add example.com. 86400 TXT "v=spf1 ip4:%IP%/32 -all" +update add example.com. 86400 A %IP% +update add *.example.com. 86400 A %IP% + +send diff --git a/dyndns/tsig.example.com.conf b/dyndns/tsig.example.com.conf new file mode 100644 index 0000000..1cea1d4 --- /dev/null +++ b/dyndns/tsig.example.com.conf @@ -0,0 +1,4 @@ +key "tsig.example.com." { + algorithm hmac-sha256; + secret "YWRyaXVtLmFkcml1bS4uCg=="; +}; diff --git a/dyndns/update-example.com.sh b/dyndns/update-example.com.sh new file mode 100755 index 0000000..e30dd4e --- /dev/null +++ b/dyndns/update-example.com.sh @@ -0,0 +1,7 @@ +#!/bin/sh + +export DYN_DOMAIN=example.com +export DYN_SERVER=ns01.example.com +export DYN_SCRIPT=/data/dns/dyndns-nsupdate + +/data/dns/dyndns-update diff --git a/letsencrypt/README.md b/letsencrypt/README.md new file mode 100644 index 0000000..c1f3f51 --- /dev/null 
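Review bot: The default `DYN_IPAPI=ifconfig.co` has no scheme, so `wget -qO -` fetches it over plain HTTP and the address that ends up in the zone (and in the SPF record) comes from an unauthenticated response body; default to `DYN_IPAPI=https://ifconfig.co`, treat a response that is not a dotted quad as unknown with `case "$IPACTUAL" in ''|*[!0-9.]*) IPACTUAL= ;; esac` before the comparison, and call `"$DYN_SCRIPT" "$IPACTUAL"` quoted so the value cannot split into several arguments. `exit=1` as a flag variable reads like the builtin; `missing=1` is clearer, and `test ... -o ...` is the deprecated form — two tests joined with `||` are unambiguous. The `echo export DYN_SERVER=...` hints go to stdout; redirect them with `>&2` so a cron job's mail shows them as errors rather than output.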
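Review bot: `update del example.com. TXT` removes every TXT record at the apex, not just the SPF one, so any other apex TXT (domain-verification tokens, for example) is silently dropped on every run and only the `v=spf1` record comes back; `update del *.example.com. A` does the same for the wildcard. That is acceptable for a template, but it should be stated where users are told to edit the example files, e.g. in the dyndns README: `The template deletes all apex TXT and wildcard A records before re-adding them; put any other TXT records into the template or they are lost on each update.` Bundling the deletes and adds before a single `send` keeps the change atomic, which is good.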
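Review bot: The `secret` in the committed example is a short base64-encoded text string rather than generated key material; even as a placeholder it invites being left in place, and an HMAC-SHA256 TSIG key should be produced with `tsig-keygen -a hmac-sha256 tsig.example.com` (or `dnssec-keygen -a HMAC-SHA256 -b 256 -n HOST` on older BIND) and never committed. I would replace the value with an obvious placeholder such as `secret "REPLACE_WITH_TSIG_KEYGEN_OUTPUT";` and say so in the dyndns README next to the `chmod 600 /data/dns/tsig*` step. Since the same key file is also exported as `LE_TSIGKEY` by letsencrypt/example-hook, the BIND `update-policy` granted to this key ends up covering both the apex/wildcard records and the `_acme-challenge` names; two keys with narrower grants would limit what either automation can change.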
+++ b/letsencrypt/README.md @@ -0,0 +1,36 @@ +# Let's Encrypt + +Download Let's Encrypt client (only `dehydrated` needed): +https://github.com/dehydrated-io/dehydrated/releases/latest + +```sh +sudo mkdir -p /data/ssl/{configs,challenge} +sudo chown -R admin: /data/ssl + +cp config dehydrated-* /data/ssl + +# List all domains for automatic renewal +editor /data/ssl/domains.txt + +/data/ssl/dehydrated -r +``` + +To enable certificate renewal, +`include snippets/letsencrypt` or put `redirect-ssl-all` in sites-enabled. + +## Cronjob + +```sh +/data/ssl/dehydrated -c +``` + +## Wildcard Certificates + +```sh +echo "service.example.com *.service.example.com" >> /data/ssl/domains.txt +echo "CHALLENGETYPE=dns-01" >> /data/ssl/configs/service.example.com +echo "HOOK=/data/ssl/dehydrated-hook" >> /data/ssl/configs/service.example.com +``` + +There are manual and nsupdate hooks. +See [example-hook](example-hook) for an example nsupdate hook. diff --git a/letsencrypt/config b/letsencrypt/config new file mode 100644 index 0000000..8ddd42e --- /dev/null +++ b/letsencrypt/config @@ -0,0 +1,5 @@ +DOMAINS_D=/data/ssl/configs +WELLKNOWN=/data/ssl/challenge +PRIVATE_KEY_RENEW=no +KEYSIZE=2048 +# CONTACT_EMAIL=hostmaster@example.com diff --git a/letsencrypt/dehydrated-manual b/letsencrypt/dehydrated-manual new file mode 100755 index 0000000..0436362 --- /dev/null +++ b/letsencrypt/dehydrated-manual @@ -0,0 +1,11 @@ +#!/bin/sh + +if test "x$1" = xdeploy_challenge; then + echo "Add the following record and press enter to continue:" + echo "_acme-challenge.$2. TXT $4" + read dummy +elif test "x$1" = xclean_challenge; then + echo "Remove the record and press enter to continue:" + echo "_acme-challenge.$2. TXT $4" + read dummy +fi diff --git a/letsencrypt/dehydrated-nsupdate b/letsencrypt/dehydrated-nsupdate new file mode 100755 index 0000000..52fd241 --- /dev/null +++ b/letsencrypt/dehydrated-nsupdate 
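Review bot: `PRIVATE_KEY_RENEW=no` keeps the same private key across every renewal, which is only wanted when the key is pinned somewhere (TLSA/DANE records, for instance); nothing here says why, so a reader cannot tell whether it is deliberate. Add a comment with the reason or switch to `yes`, e.g. `# PRIVATE_KEY_RENEW=no: key is pinned in TLSA records, rotate manually` (adapted to the actual reason). `CONTACT_EMAIL` is commented out, so the account receives no expiry notices from the CA; a `# set to receive expiry warnings` remark would keep that from being overlooked.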
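Review bot: `read dummy` lets the shell interpret backslashes in whatever the operator types, and the variable is never used; `read -r _` is the idiomatic form for a pause, in both branches. A one-line header comment describing the arguments would help the next reader: `# dehydrated hook: $1 = action, $2 = domain, $4 = DNS-01 token value (TXT data for _acme-challenge.$2)`. Since `$3` (the challenge token filename) is skipped on purpose, saying so avoids the question of why the numbering has a gap.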
@@ -0,0 +1,24 @@ +#!/bin/sh + +SCRIPT_TTL=30 + +if test "x$LE_SERVER" = x; then echo export LE_SERVER=ns.example.com; exit=1; fi +if test "x$LE_ZONE" = x; then echo export LE_ZONE=example.com; exit=1; fi +if test "x$LE_TSIGKEY" = x; then echo export LE_TSIGKEY=/path/to/key; exit=1; fi +if test "x$exit" = x1; then exit 1; fi + +if test "x$1" = xdeploy_challenge; then + nsupdate -v -k "$LE_TSIGKEY" <<- NSUPDATE + server $LE_SERVER + zone $LE_ZONE + update add _acme-challenge.$2. $SCRIPT_TTL TXT $4 + send + NSUPDATE +elif test "x$1" = xclean_challenge; then + nsupdate -v -k "$LE_TSIGKEY" <<- NSUPDATE + server $LE_SERVER + zone $LE_ZONE + update del _acme-challenge.$2. TXT + send + NSUPDATE +fi diff --git a/letsencrypt/example-hook b/letsencrypt/example-hook new file mode 100644 index 0000000..80a49ad --- /dev/null +++ b/letsencrypt/example-hook @@ -0,0 +1,7 @@ +#!/bin/sh + +export LE_TSIGKEY=/data/dns/tsig.example.com.conf +export LE_SERVER=ns01.example.com +export LE_ZONE=example.com + +/data/ssl/dehydrated-nsupdate "$@"
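Review bot: deploy_challenge returns as soon as nsupdate has sent the update to `$LE_SERVER`, with no check that the record is resolvable, so when the zone is also served by secondaries the validation that follows can run before the TXT record is visible; a short poll with `dig +short TXT _acme-challenge.$2 @$LE_SERVER` until it returns `$4`, or at least a `sleep`, would make the hook robust — I cannot tell from here how the zone is served. The TXT data `$4` in the heredoc is unquoted; nsupdate accepts that for a base64url token, but `TXT "$4"` is the safer form. As in dyndns-update, `exit=1` as a flag name reads like the builtin and the `echo export ...` hints go to stdout rather than stderr.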
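Review bot: example-hook is committed with mode 100644 while every other script in the series is 100755, and the letsencrypt README points `HOOK=` at `/data/ssl/dehydrated-hook`, a path nothing in the patch creates; the README's `cp config dehydrated-* /data/ssl` step does not copy it either, because the name lacks the `dehydrated-` prefix. Either rename it to `dehydrated-hook`, set the executable bit and keep the README path, or add a README step `cp example-hook /data/ssl/dehydrated-hook && chmod +x /data/ssl/dehydrated-hook`. Writing the last line as `exec /data/ssl/dehydrated-nsupdate "$@"` saves a shell process and hands the exit status straight back to dehydrated.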