Add dyndns and letsencrypt helpers

dyndns/README.md

@@ -0,0 +1,16 @@
+# Dynamic DNS
+
+Edit example files to match your needs.
+
+```sh
+sudo mkdir /data/dns
+cp *example* dyndns* /data/dns
+
+chmod 600 /data/dns/tsig*
+```
+
+## Cronjob
+
+```sh
+/data/dns/update-example.com.sh
+```

dyndns/dyndns-nsupdate

@@ -0,0 +1,10 @@
+#!/bin/sh
+
+DYN_DIR=/data/dns
+
+if test "x$DYN_TSIGKEY" = x; then DYN_TSIGKEY="$DYN_DIR/tsig.$DYN_DOMAIN.conf"; fi
+if test "x$DYN_NSUPDATE" = x; then DYN_NSUPDATE="$DYN_DIR/$DYN_DOMAIN.nsupdate.txt"; fi
+
+if test "x$1" != x; then
+	cat "$DYN_NSUPDATE" | sed s/%IP%/$1/g | nsupdate -v -k "$DYN_TSIGKEY"
+fi

dyndns/dyndns-update

@@ -0,0 +1,19 @@
+#!/bin/sh
+
+if test "x$DYN_SERVER" = x; then echo export DYN_SERVER=ns.example.com; exit=1; fi
+if test "x$DYN_DOMAIN" = x; then echo export DYN_DOMAIN=example.com; exit=1; fi
+if test "x$DYN_SCRIPT" = x; then echo export DYN_SCRIPT=/path/to/script; exit=1; fi
+if test "x$exit" = x1; then exit 1; fi
+
+if test "x$DYN_IPAPI" = x; then DYN_IPAPI=ifconfig.co; fi
+
+IPACTUAL=$(wget -qO - "$DYN_IPAPI")
+IPSERVER=$(dig +short $DYN_DOMAIN @$DYN_SERVER)
+
+if test "x$IPSERVER" = x -o "x$IPACTUAL" = x; then
+	: # ERROR: IP unknown
+elif test "x$IPSERVER" = "x$IPACTUAL"; then
+	: # INFO: IP not changed
+else
+	"$DYN_SCRIPT" $IPACTUAL
+fi

dyndns/example.com.nsupdate.txt

@@ -0,0 +1,12 @@
+server ns01.example.com
+zone example.com
+
+update del   example.com. TXT
+update del   example.com. A
+update del *.example.com. A
+
+update add   example.com. 86400 TXT "v=spf1 ip4:%IP%/32 -all"
+update add   example.com. 86400 A %IP%
+update add *.example.com. 86400 A %IP%
+
+send

dyndns/tsig.example.com.conf

@@ -0,0 +1,4 @@
+key "tsig.example.com." {
+	algorithm hmac-sha256;
+	secret "YWRyaXVtLmFkcml1bS4uCg==";
+};

dyndns/update-example.com.sh

@@ -0,0 +1,7 @@
+#!/bin/sh
+
+export DYN_DOMAIN=example.com
+export DYN_SERVER=ns01.example.com
+export DYN_SCRIPT=/data/dns/dyndns-nsupdate
+
+/data/dns/dyndns-update

letsencrypt/README.md

@@ -0,0 +1,36 @@
+# Let's Encrypt
+
+Download Let's Encrypt client (only `dehydrated` needed):
+https://github.com/dehydrated-io/dehydrated/releases/latest
+
+```sh
+sudo mkdir -p /data/ssl/{configs,challenge}
+sudo chown -R admin: /data/ssl
+
+cp config dehydrated-* /data/ssl
+
+# List all domains for automatic renewal
+editor /data/ssl/domains.txt
+
+/data/ssl/dehydrated -r
+```
+
+To enable certificate renewal,
+`include snippets/letsencrypt` or put `redirect-ssl-all` in sites-enabled.
+
+## Cronjob
+
+```sh
+/data/ssl/dehydrated -c
+```
+
+## Wildcard Certificates
+
+```sh
+echo "service.example.com *.service.example.com" >> /data/ssl/domains.txt
+echo "CHALLENGETYPE=dns-01" >> /data/ssl/configs/service.example.com
+echo "HOOK=/data/ssl/dehydrated-hook" >> /data/ssl/configs/service.example.com
+```
+
+There are manual and nsupdate hooks.
+See [example-hook](example-hook) for an example nsupdate hook.

letsencrypt/config

@@ -0,0 +1,5 @@
+DOMAINS_D=/data/ssl/configs
+WELLKNOWN=/data/ssl/challenge
+PRIVATE_KEY_RENEW=no
+KEYSIZE=2048
+# CONTACT_EMAIL=hostmaster@example.com

letsencrypt/dehydrated-manual

@@ -0,0 +1,11 @@
+#!/bin/sh
+
+if test "x$1" = xdeploy_challenge; then
+	echo "Add the following record and press enter to continue:"
+	echo "_acme-challenge.$2. TXT $4"
+	read dummy
+elif test "x$1" = xclean_challenge; then
+	echo "Remove the record and press enter to continue:"
+	echo "_acme-challenge.$2. TXT $4"
+	read dummy
+fi

letsencrypt/dehydrated-nsupdate

@@ -0,0 +1,24 @@
+#!/bin/sh
+
+SCRIPT_TTL=30
+
+if test "x$LE_SERVER" = x; then echo export LE_SERVER=ns.example.com; exit=1; fi
+if test "x$LE_ZONE" = x; then echo export LE_ZONE=example.com; exit=1; fi
+if test "x$LE_TSIGKEY" = x; then echo export LE_TSIGKEY=/path/to/key; exit=1; fi
+if test "x$exit" = x1; then exit 1; fi
+
+if test "x$1" = xdeploy_challenge; then
+	nsupdate -v -k "$LE_TSIGKEY" <<- NSUPDATE
+		server $LE_SERVER
+		zone $LE_ZONE
+		update add _acme-challenge.$2. $SCRIPT_TTL TXT $4
+		send
+	NSUPDATE
+elif test "x$1" = xclean_challenge; then
+	nsupdate -v -k "$LE_TSIGKEY" <<- NSUPDATE
+		server $LE_SERVER
+		zone $LE_ZONE
+		update del _acme-challenge.$2. TXT
+		send
+	NSUPDATE
+fi

letsencrypt/example-hook

@@ -0,0 +1,7 @@
+#!/bin/sh
+
+export LE_TSIGKEY=/data/dns/tsig.example.com.conf
+export LE_SERVER=ns01.example.com
+export LE_ZONE=example.com
+
+/data/ssl/dehydrated-nsupdate "$@"

mail/README.md

@@ -11,6 +11,7 @@ sudo mkdir -p /data/mail/config
 sudo chown vmail: /data/mail/*
 
 cat schema.sql | sudo -u vmail sqlite3 /data/mail/config/vmail.db
+sudo chown vmail:postfix /data/mail/config/vmail.db
 sudo chmod 640 /data/mail/config/vmail.db
 ```
 
@@ -26,12 +27,13 @@ sudo apt install sqlite3 postfix postfix-sqlite dovecot-imapd dovecot-sqlite ope
 DOMAIN=example.com
 
 sudo cp -r postfix dovecot /etc
+sudo chmod 600 /etc/postfix/sni.cf
+
 sudo sed -i '$ r opendkim/local.conf' /etc/opendkim.conf
-sudo sed -i s/example.com/$DOMAIN/ /etc/postfix/main.cf /etc/dovecot/local.conf
+sudo sed -i s/example.com/$DOMAIN/ /etc/postfix/{main,sni}.cf /etc/dovecot/local.conf
 sudo sed -i '/include auth-system/ s/.*/#&/' /etc/dovecot/conf.d/10-auth.conf
 
 sudo ln -s /data/mail/config/vmail.db /.opendkim-bug-241.db
-sudo chown vmail:postfix /data/mail/config/vmail.db
 
 opendkim-genkey -d $DOMAIN -s s
 chmod +r s.private
@@ -40,6 +42,12 @@ cat s.txt
 rm s.private s.txt
 ```
 
+## Certificate Reload
+
+```sh
+postmap -F /etc/postfix/sni.cf
+```
+
 ## Notes
 
 * The `vmail.db` parent directory needs to be writeable by the user modifying the database

mail/postfix/main.cf

@@ -14,6 +14,7 @@ smtp_tls_security_level = may
 smtpd_tls_security_level = may
 smtpd_tls_key_file =  /data/ssl/certs/mail.example.com/privkey.pem
 smtpd_tls_cert_file = /data/ssl/certs/mail.example.com/fullchain.pem
+tls_server_sni_maps = hash:/etc/postfix/sni.cf
 
 # Custom
 

mail/postfix/sni.cf

@@ -0,0 +1 @@
+mail.example.com /data/ssl/certs/mail.example.com/privkey.pem /data/ssl/certs/mail.example.com/fullchain.pem

network-manager/99-no-wifi-on-ethernet

@@ -0,0 +1,11 @@
+#!/bin/sh
+
+logger -t no-wifi-on-ethernet "Device $1 is $2"
+
+if [ "dev:$1:$2" = "dev:eth0:up" ]; then
+	nmcli r wifi off
+fi
+
+if [ "dev:$1:$2" = "dev:eth0:down" ]; then
+	nmcli r wifi on
+fi

network-manager/README.md

@@ -0,0 +1,13 @@
+# NetworkManager
+
+## Manage ethernet devices with NetworkManager
+
+```sh
+touch /etc/NetworkManager/conf.d/10-globally-managed-devices.conf
+```
+
+## Automatically switch off wifi when ethernet is connected
+
+```sh
+sudo cp 99-no-wifi-on-ethernet /etc/NetworkManager/dispatcher.d
+```

nextcloud/nginx.conf

@@ -9,7 +9,6 @@ server {
 	client_max_body_size 0;
 
 	location / {
-		index index.php;
 		try_files $uri /index.php$request_uri;
 	}
 
@@ -26,6 +25,10 @@ server {
 		include fastcgi.conf;
 	}
 
+	location /updater { index index.php; }
+	location /ocm-provider { index index.php; }
+	location /ocs-provider { index index.php; }
+
 	location = /.well-known/carddav {
 		return 301 $scheme://$host:$server_port/remote.php/dav;
 	}

nginx/README.md

@@ -1,9 +1,19 @@
 # Nginx
 
 ```sh
+DOMAIN=example.com
+
 sudo cp -r sites-available snippets conf.d /etc/nginx
 
 sudo rm /etc/nginx/sites-*/default
 sudo ln -s ../sites-available/0nohost /etc/nginx/sites-enabled
 sudo ln -s ../sites-available/redirect-ssl-all /etc/nginx/sites-enabled
+
+sudo sed -i s/example.com/$DOMAIN/ /etc/nginx/conf.d/ssl.conf
+```
+
+## Certificate Reload
+
+```sh
+nginx -s reload
 ```