From 88e8e2fc7611bbd7ce4b87009066616cb8a6d868 Mon Sep 17 00:00:00 2001 From: Adrian Amaglio Date: Sat, 16 Sep 2023 20:17:34 +0200 Subject: [PATCH] update --- provisioning/group_vars/servers.yml | 34 ------------------ provisioning/playbook.yml | 36 ++++++++++++++----- .../deploy_all/files/bin/deploy_service.sh | 1 + .../deploy_all/files/bin/driglibash-base | 5 ++- .../files/{certs.priv.pub => certs.pub} | 0 .../roles/jean-cloud-common/tasks/main.yml | 11 +----- .../acme-dns.sh | 2 +- .../deploy.sh | 0 .../deploy_bind.sh | 0 .../run.sh | 0 .../run_bind.sh | 16 +++++++-- services/ns.jean-cloud.org/deploy.sh | 6 ++-- services/ns1.jean-cloud.org/deploy.sh | 13 +++---- .../ns1.jean-cloud.org/helper_functions.sh | 9 ++--- 14 files changed, 64 insertions(+), 69 deletions(-) rename provisioning/roles/jean-cloud-common/files/{certs.priv.pub => certs.pub} (100%) rename services/{letsencrypt.jean-cloud.org => dnscerts.jean-cloud.org}/acme-dns.sh (80%) rename services/{letsencrypt.jean-cloud.org => dnscerts.jean-cloud.org}/deploy.sh (100%) rename services/{letsencrypt.jean-cloud.org => dnscerts.jean-cloud.org}/deploy_bind.sh (100%) rename services/{letsencrypt.jean-cloud.org => dnscerts.jean-cloud.org}/run.sh (100%) rename services/{letsencrypt.jean-cloud.org => dnscerts.jean-cloud.org}/run_bind.sh (59%) diff --git a/provisioning/group_vars/servers.yml b/provisioning/group_vars/servers.yml index 8ba7965..492d4f0 100755 --- a/provisioning/group_vars/servers.yml +++ b/provisioning/group_vars/servers.yml @@ -2,13 +2,6 @@ # bootstrap_user: root -# For jean-cloud docker services -new_nginx_conf_path: '/data/proxy/new-sites-enabled' -new_blackbox_hosts_path: '/data/prometheus/new-blackbox-targets.yml' -blackbox_hosts_path: '/data/prometheus/blackbox-targets.yml' - -remote_docker_login_registry: registry.jean-cloud.net - # sudo configuration # using geerlingguy security # https://galaxy.ansible.com/grog/sudo 
@@ -21,31 +14,7 @@ remote_docker_login_registry: registry.jean-cloud.net # commands: ALL # nopasswd: yes -# Security geerlingguy -security_ssh_port: 45985 -# IMPORTANT following values should be quoted. You can lock yourself out. -security_ssh_password_authentication: "no" -security_ssh_permit_root_login: "yes" -security_ssh_usedns: "no" -security_ssh_permit_empty_password: "no" -security_ssh_challenge_response_auth: "no" -security_ssh_gss_api_authentication: "no" -security_ssh_x11_forwarding: "no" -# Auto upgrades -security_autoupdate_enabled: true - -# f2b -security_fail2ban_enabled: false - -#locales -locales_default: - lang: en_US.UTF-8 - lc_all: en_US.UTF-8 - - -# For unattended upgrade configuration -unattended_upgrades_mail: contact@jean-cloud.org # For ssh security # https://galaxy.ansible.com/dev-sec/ssh-hardening @@ -102,9 +71,6 @@ shelldetector_cron_hour: '4' shelldetector_cron_minute: '00' -# Timezone -# https://galaxy.ansible.com/oefenweb/timezone -timezone_zone: Europe/Paris # NTP # https://galaxy.ansible.com/geerlingguy/ntp diff --git a/provisioning/playbook.yml b/provisioning/playbook.yml index 5c5eb22..a62d3bf 100755 --- a/provisioning/playbook.yml +++ b/provisioning/playbook.yml @@ -28,7 +28,12 @@ # Locales # TODO set locales date and currency #- alvistack.locales - - oefenweb.locales + - role: oefenweb.locales + vars: + locales_default: + lang: en_US.UTF-8 + lc_all: en_US.UTF-8 + # Sys update. Playbook bien fait. - robertdebock.update 
@@ -36,15 +41,23 @@ # Manage sudoers #- GROG.sudo - # Unattended upgrades - #- jnv.unattended-upgrades - #- thorian93.unattended_upgrade - #- racqspace.unattended_upgrades - + # ssh security # using geerlingguy security #- dev-sec.ssh-hardening - - geerlingguy.security + - role: geerlingguy.security + vars: + security_ssh_port: 45985 + security_ssh_password_authentication: "no" + security_ssh_permit_root_login: "yes" + security_ssh_usedns: "no" + security_ssh_permit_empty_password: "no" + security_ssh_challenge_response_auth: "no" + security_ssh_gss_api_authentication: "no" + security_ssh_x11_forwarding: "no" + security_autoupdate_enabled: true + security_fail2ban_enabled: false + # fail2ban #- oefenweb.fail2ban @@ -62,13 +75,18 @@ #- geerlingguy.clamav # docker - - geerlingguy.docker + - role: geerlingguy.docker + vars: + docker_service_enabled: false # timezone - - oefenweb.timezone + - role: oefenweb.timezone + vars: + timezone_zone: Europe/Paris # ntp #- geerlingguy.ntp + #TODO # docker metrics proxy #- docker-metrics-proxy diff --git a/provisioning/roles/deploy_all/files/bin/deploy_service.sh b/provisioning/roles/deploy_all/files/bin/deploy_service.sh index 639773d..3d52a81 100755 --- a/provisioning/roles/deploy_all/files/bin/deploy_service.sh +++ b/provisioning/roles/deploy_all/files/bin/deploy_service.sh @@ -8,6 +8,7 @@ set -euo pipefail noreload=false deploy=true +service= if [ "$#" -ge 2 ] && [ "$2" = noreload ] ; then noreload=true elif [ "$#" -ge 3 ] && [ "$3" = undeploy ] ; then diff --git a/provisioning/roles/deploy_all/files/bin/driglibash-base b/provisioning/roles/deploy_all/files/bin/driglibash-base index d17115d..8b615d7 100755 --- a/provisioning/roles/deploy_all/files/bin/driglibash-base +++ b/provisioning/roles/deploy_all/files/bin/driglibash-base 
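Review bot: `security_ssh_permit_root_login: "yes"` still allows interactive root login over SSH; with password authentication already set to `"no"` in the same var block, `security_ssh_permit_root_login: "prohibit-password"` states the actual intent (key-only root) and fails closed if password auth is ever switched back on. These settings were group_vars before this commit; as role `vars:` in the play they now take precedence over inventory host/group vars, so a per-host override of the port or root-login policy would silently stop applying — confirm that is intended. `security_fail2ban_enabled: false` on a host that exposes root over SSH deserves a comment saying why it is off and what covers brute-force attempts instead, e.g. `# fail2ban disabled on purpose: <reason>`.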
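Review bot: `docker_service_enabled: false` only keeps the unit from starting at boot; the task it replaces (removed from jean-cloud-common in this same commit) also stopped the running service and stopped/disabled `docker.socket`. If geerlingguy.docker keeps its default `docker_service_state: started`, the role will start dockerd during the run, and a still-enabled `docker.socket` re-activates it on the first client connection, so the host ends up with Docker running despite the var. Set both, `docker_service_state: stopped` next to `docker_service_enabled: false`, and keep an explicit task for `docker.socket` unless the role version in use is known to manage the socket unit too.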
@@ -10,6 +10,9 @@ driglibash_step_by_step=false # Set to watever you want to have a prefix driglibash_section_prefix="" +# set to retry failed commands +driglibash_run_retry= + trap 'die "Received sigint"' INT @@ -88,7 +91,7 @@ run() { if [ "$answer" = "y" ] || [ "$answer" = "Y" ] || [ -z "$answer" ] ; then continue elif [ "$answer" = "s" ] || [ "$answer" = "S" ] ; then - return "$code" + exit "$code" fi fi die "Aborting" diff --git a/provisioning/roles/jean-cloud-common/files/certs.priv.pub b/provisioning/roles/jean-cloud-common/files/certs.pub similarity index 100% rename from provisioning/roles/jean-cloud-common/files/certs.priv.pub rename to provisioning/roles/jean-cloud-common/files/certs.pub diff --git a/provisioning/roles/jean-cloud-common/tasks/main.yml b/provisioning/roles/jean-cloud-common/tasks/main.yml index c290aa8..2bd3a87 100644 --- a/provisioning/roles/jean-cloud-common/tasks/main.yml +++ b/provisioning/roles/jean-cloud-common/tasks/main.yml @@ -29,7 +29,7 @@ ansible.builtin.user: name: certs shell: /bin/bash - home: /data/letsencrypt.jean-cloud.org + home: /data/dnscerts.jean-cloud.org - name: Set authorized key, removing all the authorized keys already set ansible.posix.authorized_key: @@ -108,12 +108,3 @@ HISTTIMEFORMAT="%Y%m%d-%T " export HISTSIZE HISTFILESIZE HISTTIMEFORMAT - -- name : Disable docker service - service: - name: "{{ item }}" - state: stopped - enabled: false - with_items: - - docker - - docker.socket diff --git a/services/letsencrypt.jean-cloud.org/acme-dns.sh b/services/dnscerts.jean-cloud.org/acme-dns.sh similarity index 80% rename from services/letsencrypt.jean-cloud.org/acme-dns.sh rename to services/dnscerts.jean-cloud.org/acme-dns.sh index 1c6a903..1a3dae1 100755 --- a/services/letsencrypt.jean-cloud.org/acme-dns.sh +++ b/services/dnscerts.jean-cloud.org/acme-dns.sh 
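Review bot: `exit "$code"` inside `run()` now terminates whichever shell sourced driglibash-base, not just the failed step; helper_functions.sh starts sourcing this file in the same commit and is itself sourced by ns.jean-cloud.org/deploy.sh, so answering `s` at the prompt ends the whole deploy (and, if the library is ever sourced from an interactive shell, the session). If the intent is "stop here" that is fine but should be written down, e.g. `# 's' aborts the whole script (exit, not return): the sourcing shell's EXIT trap runs`; if `s` means "skip this step", `return "$code"` was the right call and the caller should decide. The body of `run()` starts outside the hunk, so the prompt text is not visible here.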
@@ -10,7 +10,7 @@ service="$1" nginxfile="/docker/$service/nginx_server.conf" if [ -f "$nginxfile" ] ; then nginxdomains="$(extract_domain_nginx_conf.sh "$nginxfile" | template.sh "/docker/$service/.env")" - domains="$(echo "$service $nginxdomains" | tr ' ' '\n' | sort -u | resolvable.sh ns.jean-cloud.org | sed -z -e 's/\n$//' -e 's/\n/ -d /g' )" + domains="$(echo "$nginxdomains" | tr ' ' '\n' | sort -u | resolvable.sh ns.jean-cloud.org | sed -z -e 's/\n$//' -e 's/\n/ -d /g' )" [ -z "$domains" ] && exit 0 echo "--------------- -d $domains" certbot certonly --config-dir "$DATA_DIR/certs" --work-dir "$tmp/work" --logs-dir "$tmp/logs" --agree-tos -m contact@jean-cloud.org -n --cert-name "$service" --dns-rfc2136 --dns-rfc2136-credentials "$DATA_DIR/rfc2136.ini" -d $domains diff --git a/services/letsencrypt.jean-cloud.org/deploy.sh b/services/dnscerts.jean-cloud.org/deploy.sh similarity index 100% rename from services/letsencrypt.jean-cloud.org/deploy.sh rename to services/dnscerts.jean-cloud.org/deploy.sh diff --git a/services/letsencrypt.jean-cloud.org/deploy_bind.sh b/services/dnscerts.jean-cloud.org/deploy_bind.sh similarity index 100% rename from services/letsencrypt.jean-cloud.org/deploy_bind.sh rename to services/dnscerts.jean-cloud.org/deploy_bind.sh diff --git a/services/letsencrypt.jean-cloud.org/run.sh b/services/dnscerts.jean-cloud.org/run.sh similarity index 100% rename from services/letsencrypt.jean-cloud.org/run.sh rename to services/dnscerts.jean-cloud.org/run.sh diff --git a/services/letsencrypt.jean-cloud.org/run_bind.sh b/services/dnscerts.jean-cloud.org/run_bind.sh similarity index 59% rename from services/letsencrypt.jean-cloud.org/run_bind.sh rename to services/dnscerts.jean-cloud.org/run_bind.sh index a3ee486..2c8d645 100755 --- a/services/letsencrypt.jean-cloud.org/run_bind.sh +++ b/services/dnscerts.jean-cloud.org/run_bind.sh 
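Review bot: The rewritten `domains=` line still flattens the resolved names into one string that only works because `-d $domains` on the certbot line is deliberately left unquoted, and the `sed -z` pass exists purely to emit ` -d ` separators. Since the line is being touched anyway, read the names into an array and build the certbot arguments from it (assuming the file runs under bash, the shebang is not visible); the empty-list check and the debug echo then work on the array too, and a name containing whitespace or glob characters can no longer be split or expanded. The enclosing `if [ -f "$nginxfile" ]` block continues outside the hunk.
```shell
mapfile -t domains < <(printf '%s\n' "$nginxdomains" | tr ' ' '\n' | sort -u | resolvable.sh ns.jean-cloud.org)
[ "${#domains[@]}" -eq 0 ] && exit 0
dargs=()
for d in "${domains[@]}"; do dargs+=(-d "$d"); done
echo "--------------- ${dargs[*]}"
certbot certonly --config-dir "$DATA_DIR/certs" --work-dir "$tmp/work" --logs-dir "$tmp/logs" --agree-tos -m contact@jean-cloud.org -n --cert-name "$service" --dns-rfc2136 --dns-rfc2136-credentials "$DATA_DIR/rfc2136.ini" "${dargs[@]}"
```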
@@ -7,7 +7,9 @@ here="$(where)" # For some variables . /etc/jeancloud.env +set -a . "$here/.env" +set +a # Test secret presence [ ! -f "$DATA_DIR/rfc2136.ini" ] && echo "$0 Missing file '$DATA_DIR/rfc2136.ini'" && exit 1 @@ -23,10 +25,13 @@ if [ "$#" -ge 1 ] && [ -n "$1" ] ; then done fi -# For each service, read all possible domains +echo "For each service, read all possible domains" while read line ; do read -r service target < <(echo "$line") + # TODO remove + ( [ "$service" = collectif-arthadie.fr ] || [[ "$service" == *oma-radio.fr ]] ) && continue + # removo dummy cert dummy_cert.sh "$service" remove @@ -36,5 +41,12 @@ while read line ; do "$here/acme-dns.sh" "$service" # Replace dummy cert if letsencrypt failed - [ "$?" -ne 0 ] && dummy_cert.sh "$servic" remove + [ "$?" -ne 0 ] && dummy_cert.sh "$service" add done < "$servicefile" + +echo "Push certs to other servers" +for srv in $(host -t TXT shlago.jean-cloud.org ns.jean-cloud.org | grep -Po 'descriptive text "\K[^"]+' | tr ',' ' ' | tr ' ' '\n') ; do + server="$srv.jean-cloud.org" + echo "-- $server" + rsync -avz -e "ssh -i '$DATA_DIR/certs.priv' -p 45985" "$DATA_DIR/certs" "certs@$server:$DATA_DIR/certs" +done diff --git a/services/ns.jean-cloud.org/deploy.sh b/services/ns.jean-cloud.org/deploy.sh index e03bb54..331504a 100755 --- a/services/ns.jean-cloud.org/deploy.sh +++ b/services/ns.jean-cloud.org/deploy.sh @@ -3,11 +3,13 @@ set -euo pipefail cd ../ns1.jean-cloud.org -. deploy.sh +set -a . .env +. deploy.sh +set +a # Do not run if primary exists [ -d "$DATA_DIR/keys" ] && echo 'ns1 found on this host. Aborting.' && exit 0 export keydir="" -run secondary +runthis secondary diff --git a/services/ns1.jean-cloud.org/deploy.sh b/services/ns1.jean-cloud.org/deploy.sh index fe45540..d0706e4 100755 --- a/services/ns1.jean-cloud.org/deploy.sh +++ b/services/ns1.jean-cloud.org/deploy.sh 
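Review bot: The skip line hardcodes two customer domains in the renewal loop with nothing but `# TODO remove`; every run will silently skip them and nothing records why or until when. Move the names into a file or variable next to `$servicefile` (e.g. `$DATA_DIR/skip_services`) and log the skip, `echo "skipping $service (in skip list)"`, so the exclusion shows up in the run output instead of being buried in the script. The `while read line` loop this sits in continues past the hunk.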
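Review bot: The new push loop copies `$DATA_DIR/certs` — the Let's Encrypt private keys — to every host named in a TXT record fetched with a plain `host` query; that lookup is not authenticated, so whoever can answer for `shlago.jean-cloud.org` (or edit the zone) chooses where the keys go, and SSH host-key verification is the only remaining defence. Make it explicit and non-interactive: `-e "ssh -i '$DATA_DIR/certs.priv' -p 45985 -o BatchMode=yes -o StrictHostKeyChecking=yes"` with the receivers' host keys pre-seeded in the certs user's known_hosts, otherwise first contact with a new host hangs on the prompt. Two smaller points: rsync without a trailing slash on the source places the tree at `$DATA_DIR/certs/certs` on the receiver, so use `"$DATA_DIR/certs/"` unless consumers expect the nesting, and `$DATA_DIR` is expanded locally while the certs user's home on the receivers is `/data/dnscerts.jean-cloud.org` — confirm both sides agree. Also, if this script runs under `set -e` (not visible here), a failing `acme-dns.sh` aborts before the `[ "$?" -ne 0 ]` fallback is reached; `if ! "$here/acme-dns.sh" "$service"; then dummy_cert.sh "$service" add; fi` keeps the fallback reachable.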
@@ -21,24 +21,25 @@ server_zone_file="template.db.jean-cloud.org" keydir="$DATA_DIR/keys" # IP of primary servers +# MUST end with ; if non-empty primary_ips="" # IP of secondary servers (for zone transfer) -secondary_ips="37.65.119.74" +secondary_ips="37.65.119.74;" # NS name default_dns_name="shlago.jean-cloud.org." CAA_RR='CAA 0 issue "letsencrypt.org;validationmethods=dns-01"' -run () { +runthis () { if [ "$#" -ne 1 ] ; then - die "Usage: run " + die "Usage: runthis " fi prepare - primary_ips="$primary_ips;$(fakeresolve_ip_list raku)" - secondary_ips="$secondary_ips;$(fakeresolve_ip_list shlago)" + primary_ips="$primary_ips$(fakeresolve_ip_list raku)" + secondary_ips="$secondary_ips$(fakeresolve_ip_list shlago)" line_in_file "primary_ips=\"$primary_ips\"" "$DOCKER_DIR/.env" line_in_file "secondary_ips=\"$secondary_ips\"" "$DOCKER_DIR/.env" @@ -53,7 +54,7 @@ run () { } main () { - run primary + runthis primary } # Do not execute main if script is sourced diff --git a/services/ns1.jean-cloud.org/helper_functions.sh b/services/ns1.jean-cloud.org/helper_functions.sh index f9287cc..60ba95f 100644 --- a/services/ns1.jean-cloud.org/helper_functions.sh +++ b/services/ns1.jean-cloud.org/helper_functions.sh @@ -1,5 +1,7 @@ set -euo pipefail +. driglibash-base + fakeresolve_ip_list () { if [ "$#" -ne 1 ] ; then die "Usage: fakeresolve_ip_list " @@ -19,7 +21,7 @@ prepare () { fi # Sync the git repo - sudo -u bind git_update.sh -N -b main -i "$DATA_DIR/gitkey" -d "$debian_bind_confdir" 'ssh://git@git.jean-cloud.net:22529/adrian/dnszones.git' + run sudo -u bind git_update.sh -N -b main -i "$DATA_DIR/gitkey" -d "$debian_bind_confdir" 'ssh://git@git.jean-cloud.net:22529/adrian/dnszones.git' cd /etc/bind 
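Review bot: The `# MUST end with ; if non-empty` contract is now enforced only by concatenation: `primary_ips="$primary_ips$(fakeresolve_ip_list raku)"` yields a valid BIND address list only if `fakeresolve_ip_list` itself emits a trailing `;` after every address, which the hunk does not show. Either normalise once in `runthis` before writing the `.env`, e.g. `[ -n "$primary_ips" ] && primary_ips="${primary_ips%;};"` (same for `secondary_ips`), or state the requirement in fakeresolve_ip_list's usage text so both ends of the contract are documented. Note that `create_secondary_files` in helper_functions.sh still strips a leading `;` from `primary_ips`, a leftover of the old `"$primary_ips;…"` form that is now dead. `runthis` continues past the hunk.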
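Review bot: `. driglibash-base` is added to a file that is itself a sourced library (ns1/deploy.sh sources it, and ns/deploy.sh sources that under `set -a`), so the INT trap driglibash-base installs and every variable it defines now land in the caller's shell and, under that `set -a`, in the environment of every child process; `run()` in the same library also exits the shell on a skipped step after this commit. That may be intended, but the line deserves a comment such as `# pulls in run/die; installs an INT trap in the sourcing shell`, and the bare name means the file is found via `$PATH` — use an explicit path if the library is always installed in a known location.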
@@ -106,7 +108,7 @@ create_primary_files () { # Compact the default SOA SOA="$(grep -o '^[^;]*' SOA | sed -z -e 's/[[:space:]]\{2,\}/ /g' -e 's/\n/\\n/')" - cat "$debian_bind_confdir/template.named.conf" | template.sh "$DOCKER_DIR/.env" > "$debian_bind_confdir/named.conf" + line_in_file "include \"$DATA_DIR/letsencrypt.key\";" "$debian_bind_confdir/named.conf" for file in $(list_template_db_files) ; do domain="$(basename "$file" | sed 's/template.db.//')" @@ -170,7 +172,7 @@ create_primary_files () { create_secondary_files () { primary_ips="$(echo "$primary_ips" | sed 's/^;//')" for file in "$debian_bind_confdir"/template.db.* ; do - file="$(echo "$file" | sed 's/template.db.//')" + file="$(echo "$file" | sed -e 's/template.db.//' -e "s#$debian_bind_confdir#/var/lib/bind/#")" domain="$(basename "$file")" echo -n " @@ -180,5 +182,4 @@ zone \"$domain\" { file \"$file\"; };" >> "$debian_bind_confdir/named.conf.local" done - }
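Review bot: `create_primary_files` no longer renders `template.named.conf` into `named.conf`; the hunk replaces that step with a `line_in_file` that appends `include "$DATA_DIR/letsencrypt.key";` to whatever named.conf already exists. If the template render did not move elsewhere (nothing in the diff shows it), the primary now runs on a stale or package-default named.conf plus one include line; if it did move, the include belongs in the template rather than being patched in afterwards. The included file is presumably the TSIG key used by the rfc2136 plugin, so the line is also worth a comment on what `line_in_file` does not check, e.g. `# $DATA_DIR/letsencrypt.key must be readable by the bind user and by nobody else`. The function starts before the hunk.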
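Review bot: The new `sed -e "s#$debian_bind_confdir#/var/lib/bind/#"` interpolates a directory path into a regex with `#` as delimiter, so a path containing `#`, `*` or `&` changes the substitution, and because the path has no trailing slash while the replacement does, the result is `/var/lib/bind//name`. Parameter expansion does the same job without either issue: `domain="${file##*/}"; domain="${domain#template.db.}"; file="/var/lib/bind/$domain"`, after which the `basename` call is redundant. The glob `"$debian_bind_confdir"/template.db.*` still yields the literal pattern when nothing matches (pre-existing), so a `[ -e "$file" ] || continue` guard before the rewrite keeps a bogus zone stanza out of named.conf.local.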