Updated pki.in (to get/provide letsencrypt data over rsync instead of scp).
authorZoltán Felleg <zoltan.felleg@userrendszerhaz.hu>
Tue, 8 Mar 2022 09:56:23 +0000 (10:56 +0100)
committerZoltán Felleg <zoltan.felleg@userrendszerhaz.hu>
Tue, 8 Mar 2022 09:56:23 +0000 (10:56 +0100)
18 files changed:
sources/pki.in/c3d/firstboot/scripts/10_setupletsencrypt.sh [deleted file]
sources/pki.in/c3d/firstboot/scripts/90_setupservices.sh [new file with mode: 0755]
sources/pki.in/c3d/mode.txt
sources/pki.in/c3d/owner.txt [deleted file]
sources/pki.in/c3d/postinstall/install-data/etc/rsyncd.conf [new file with mode: 0644]
sources/pki.in/c3d/postinstall/install-data/etc/ssh/ssh_host_ed25519_key [deleted file]
sources/pki.in/c3d/postinstall/install-data/etc/ssh/ssh_host_ed25519_key-cert.pub [deleted file]
sources/pki.in/c3d/postinstall/install-data/etc/ssh/ssh_host_ed25519_key.pub [deleted file]
sources/pki.in/c3d/postinstall/install-data/etc/ssh/sshd_config.d/99-host-cert.conf [deleted file]
sources/pki.in/c3d/postinstall/install-data/etc/ssh/sshd_config.d/99-user-CA.conf [deleted file]
sources/pki.in/c3d/postinstall/install-data/etc/ssh/trusted-user-ca.keys [deleted file]
sources/pki.in/c3d/postinstall/install-data/usr/local/bin/backupletsencrypt.sh [deleted file]
sources/pki.in/c3d/postinstall/install-data/usr/local/bin/restoreletsencrypt.sh [deleted file]
sources/pki.in/c3d/postinstall/scp/copy.list [deleted file]
sources/pki.in/c3d/postinstall/scripts/10_setupservices.sh [new file with mode: 0755]
sources/pki.in/c3d/postinstall/ssh/run.list [deleted file]
sources/pki.in/c3d/preinstall/scripts/01_rsyncletsencrypt.sh [new file with mode: 0755]
sources/pki.in/envvars

diff --git a/sources/pki.in/c3d/firstboot/scripts/10_setupletsencrypt.sh b/sources/pki.in/c3d/firstboot/scripts/10_setupletsencrypt.sh
deleted file mode 100755 (executable)
index a8da842..0000000
+++ /dev/null
@@ -1,4 +0,0 @@
-#!/bin/sh
-
-
-/usr/local/bin/restoreletsencrypt.sh
diff --git a/sources/pki.in/c3d/firstboot/scripts/90_setupservices.sh b/sources/pki.in/c3d/firstboot/scripts/90_setupservices.sh
new file mode 100755 (executable)
index 0000000..7293e8d
--- /dev/null
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+
+systemctl enable rsyncd.service
+systemctl start rsyncd.service
+systemctl enable NetworkManager-wait-online.service
+systemctl start NetworkManager-wait-online.service
+
+systemctl enable logrotate.timer
+systemctl start logrotate.timer
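Review bot: None of the `systemctl enable` / `systemctl start` pairs on L43-L49 is error-checked and the script has no `set -e`, so a unit that fails to enable or start is silently skipped and first-boot setup still reports success. Add `set -e` directly after the shebang so the first failing command aborts visibly, and collapse each pair into one call such as `systemctl enable --now rsyncd.service`. The same missing `set -e` applies to the new postinstall/scripts/10_setupservices.sh in this commit.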
index dd708814d91f96c68cea894bfd40a0d801876e2c..a7e935779dd651d7a8567a415d0012b3b403a681 100644 (file)
@@ -1,9 +1,6 @@
 # mode file (relative to /c3d)
 755 firstboot/scripts/*.sh
-440 postinstall/install-data/etc/ssh/ssh_host_*_key
-444 postinstall/install-data/etc/ssh/ssh_host_*_key.pub
-600 postinstall/install-data/etc/ssh/sshd_config.d/*.conf
 755 postinstall/install-data/root/certbot.sh
 600 postinstall/install-data/root/rfc2136.ini
-755 postinstall/install-data/usr/local/bin/*.sh
 755 postinstall/scripts/*.sh
+755 preinstall/scripts/*.sh
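Review bot: The new `755 preinstall/scripts/*.sh` entry covers the script that now copies /etc/letsencrypt from the live host into postinstall/install-data, but no entry is added for that copied tree, so the private keys inside it keep whatever modes rsync --archive preserved from the source. If this file is what the install step uses to re-apply modes, consider adding a rule such as `600 postinstall/install-data/etc/letsencrypt/archive/*/privkey*.pem` (adjust to the actual certbot layout) so a loosened mode on the source host is not carried into the image; the existing `600` entry for rfc2136.ini on L58 shows this is where such restrictions live.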
diff --git a/sources/pki.in/c3d/owner.txt b/sources/pki.in/c3d/owner.txt
deleted file mode 100644 (file)
index ea1bd74..0000000
+++ /dev/null
@@ -1,2 +0,0 @@
-# owner file (relative to /c3d)
-root.ssh_keys postinstall/install-data/etc/ssh/ssh_host_*_key
diff --git a/sources/pki.in/c3d/postinstall/install-data/etc/rsyncd.conf b/sources/pki.in/c3d/postinstall/install-data/etc/rsyncd.conf
new file mode 100644 (file)
index 0000000..06abb99
--- /dev/null
@@ -0,0 +1,9 @@
+transfer logging = yes
+use chroot = no
+uid = root
+gid = root
+
+[letsencrypt]
+    path = /etc/letsencrypt
+    read only = true
+    hosts allow = 10.228.0.0/16, 10.162.173.0/24, 2a02:d400:0:f268::/64, 2a02:d400:0:f2ad::/64
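Review bot: The `[letsencrypt]` module exports /etc/letsencrypt, which for a certbot install holds the account and certificate private keys, with `hosts allow` as the only access control and no `auth users` / `secrets file`, so every host in the four listed ranges can read the keys and the rsync daemon protocol carries them unencrypted. Add `auth users = <build-user>` and `secrets file = /etc/rsyncd.secrets` (mode 0600) to the module and have the client pass `--password-file`, or serve the tree over rsync-via-ssh instead of the daemon; `list = no` additionally keeps the module out of listings. With `use chroot = no` and `uid = root` the transfer runs as root; if that is required because certbot's archive directory is root-only, record that in a comment, otherwise drop the uid/gid lines. Separately, the ssh_host_ed25519_key this commit deletes remains recoverable from repository history, so it should be treated as disclosed and not reused.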
diff --git a/sources/pki.in/c3d/postinstall/install-data/etc/ssh/ssh_host_ed25519_key b/sources/pki.in/c3d/postinstall/install-data/etc/ssh/ssh_host_ed25519_key
deleted file mode 100644 (file)
index dcd4287..0000000
+++ /dev/null
@@ -1,7 +0,0 @@
------BEGIN OPENSSH PRIVATE KEY-----
-b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
-QyNTUxOQAAACBTtfM0pi5Ju5iCb5s1OiVVzRDfjNAUmJgSdhV1lye7HwAAAIj/h81+/4fN
-fgAAAAtzc2gtZWQyNTUxOQAAACBTtfM0pi5Ju5iCb5s1OiVVzRDfjNAUmJgSdhV1lye7Hw
-AAAEAzOkl9MPG6s0UBMYJAjp/5NHWoDydFO1DRGK+UCZpQyFO18zSmLkm7mIJvmzU6JVXN
-EN+M0BSYmBJ2FXWXJ7sfAAAAAAECAwQF
------END OPENSSH PRIVATE KEY-----
diff --git a/sources/pki.in/c3d/postinstall/install-data/etc/ssh/ssh_host_ed25519_key-cert.pub b/sources/pki.in/c3d/postinstall/install-data/etc/ssh/ssh_host_ed25519_key-cert.pub
deleted file mode 100644 (file)
index 8c7d565..0000000
+++ /dev/null
@@ -1 +0,0 @@
-ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIAMeQaRoJvvx9n4zx+YB8mIJSYr84KitKGNJRQRHLLkFAAAAIFO18zSmLkm7mIJvmzU6JVXNEN+M0BSYmBJ2FXWXJ7sfAAAAAAAAAAAAAAACAAAAEXBraS5pbi51c2VyaWJtLmh1AAAAFQAAABFwa2kuaW4udXNlcmlibS5odQAAAAAAAAAA//////////8AAAAAAAAAAAAAAAAAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIEXYIIzrUSx8/BQ6/ttkSr5oEyB5F5Yg4bp1DOkqDON9AAAAUwAAAAtzc2gtZWQyNTUxOQAAAEC7EmyytSsRsBxqatA+Rm0LF/P+bM72BQ3QnHs+JCeXdDYA0F+TQ61m/bnVvWKJeJxRu+TKyGnCr0lerUDZ7REN ssh_host_ed25519_key.pub
diff --git a/sources/pki.in/c3d/postinstall/install-data/etc/ssh/ssh_host_ed25519_key.pub b/sources/pki.in/c3d/postinstall/install-data/etc/ssh/ssh_host_ed25519_key.pub
deleted file mode 100644 (file)
index de1140a..0000000
+++ /dev/null
@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFO18zSmLkm7mIJvmzU6JVXNEN+M0BSYmBJ2FXWXJ7sf 
diff --git a/sources/pki.in/c3d/postinstall/install-data/etc/ssh/sshd_config.d/99-host-cert.conf b/sources/pki.in/c3d/postinstall/install-data/etc/ssh/sshd_config.d/99-host-cert.conf
deleted file mode 100644 (file)
index 173b545..0000000
+++ /dev/null
@@ -1 +0,0 @@
-HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
diff --git a/sources/pki.in/c3d/postinstall/install-data/etc/ssh/sshd_config.d/99-user-CA.conf b/sources/pki.in/c3d/postinstall/install-data/etc/ssh/sshd_config.d/99-user-CA.conf
deleted file mode 100644 (file)
index 115882b..0000000
+++ /dev/null
@@ -1 +0,0 @@
-TrustedUserCAKeys /etc/ssh/trusted-user-ca.keys
diff --git a/sources/pki.in/c3d/postinstall/install-data/etc/ssh/trusted-user-ca.keys b/sources/pki.in/c3d/postinstall/install-data/etc/ssh/trusted-user-ca.keys
deleted file mode 100644 (file)
index 84d19e3..0000000
+++ /dev/null
@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICcf/XXU8dNVtbveGmwbdnRJfYIItzxKmgRkzlp0k6r5 user-CA
diff --git a/sources/pki.in/c3d/postinstall/install-data/usr/local/bin/backupletsencrypt.sh b/sources/pki.in/c3d/postinstall/install-data/usr/local/bin/backupletsencrypt.sh
deleted file mode 100755 (executable)
index 9314373..0000000
+++ /dev/null
@@ -1,14 +0,0 @@
-#!/bin/sh
-set -x
-
-
-BACKUP_BASE=$(mktemp --directory)
-TMP_PATH=$(dirname $BACKUP_BASE)
-
-
-tar --create \
-    --directory=/etc \
-    --file $TMP_PATH/letsencrypt.tar \
-    letsencrypt
-
-rm --force --recursive $BACKUP_BASE
diff --git a/sources/pki.in/c3d/postinstall/install-data/usr/local/bin/restoreletsencrypt.sh b/sources/pki.in/c3d/postinstall/install-data/usr/local/bin/restoreletsencrypt.sh
deleted file mode 100755 (executable)
index 2852397..0000000
+++ /dev/null
@@ -1,26 +0,0 @@
-#!/bin/sh
-set -x
-
-
-POSTINSTALL_SCP_PATH=/c3d/postinstall/scp
-RESTORE_BASE=$(mktemp --directory)
-TMP_PATH=$(dirname $RESTORE_BASE)
-
-
-if [ ! -f $POSTINSTALL_SCP_PATH/letsencrypt.tar ]
-then
-    echo "No restore file found, exiting" >&2
-    exit 1
-fi
-
-if [ -d /etc/letsencrypt ]
-then
-    rm --force --recursive /etc/letsencrypt.old
-    mv /etc/letsencrypt /etc/letsencrypt.old
-fi
-
-tar --extract \
-    --directory=/etc \
-    --file $POSTINSTALL_SCP_PATH/letsencrypt.tar
-
-rm --force --recursive $RESTORE_BASE
diff --git a/sources/pki.in/c3d/postinstall/scp/copy.list b/sources/pki.in/c3d/postinstall/scp/copy.list
deleted file mode 100644 (file)
index 32c9ec6..0000000
+++ /dev/null
@@ -1,2 +0,0 @@
-# source_host source_path
-pki.in.useribm.hu /tmp/letsencrypt.tar
diff --git a/sources/pki.in/c3d/postinstall/scripts/10_setupservices.sh b/sources/pki.in/c3d/postinstall/scripts/10_setupservices.sh
new file mode 100755 (executable)
index 0000000..95a72bf
--- /dev/null
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+
+systemctl disable rsyncd.service
+systemctl disable NetworkManager-wait-online.service
+
+systemctl disable logrotate.timer
diff --git a/sources/pki.in/c3d/postinstall/ssh/run.list b/sources/pki.in/c3d/postinstall/ssh/run.list
deleted file mode 100644 (file)
index 6b284ae..0000000
+++ /dev/null
@@ -1,2 +0,0 @@
-# target_host target_user target_executable
-pki.in.useribm.hu root /usr/local/bin/backupletsencrypt.sh
diff --git a/sources/pki.in/c3d/preinstall/scripts/01_rsyncletsencrypt.sh b/sources/pki.in/c3d/preinstall/scripts/01_rsyncletsencrypt.sh
new file mode 100755 (executable)
index 0000000..3c5ffb4
--- /dev/null
@@ -0,0 +1,14 @@
+#!/bin/sh
+
+
+. $1
+
+
+/usr/bin/rsync \
+    --archive \
+    --delete-after \
+    --exclude='cli.ini' \
+    --info=STATS \
+    --mkpath \
+    pki.in.useribm.hu::letsencrypt \
+    $CONTAINER_BUILDROOT/c3d/postinstall/install-data/etc/letsencrypt
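Review bot: `$CONTAINER_BUILDROOT` on L219 is used unchecked and unquoted under `#!/bin/sh` with no `set -u`, so if the file sourced on L209 does not define it the destination collapses to `/c3d/postinstall/install-data/etc/letsencrypt` on the build host, which `--mkpath` creates and `--delete-after` then prunes. Guard it with `: "${CONTAINER_BUILDROOT:?must be set}"` right after sourcing, add `set -eu`, and quote both `$1` and the destination path. The pull uses the plain rsync daemon protocol (`host::module`), so the certificate private keys cross the network unencrypted; unless the source module gains `auth users` and the build network is trusted end to end, fetch over ssh (`host:/etc/letsencrypt` with `-e ssh`) instead.
```shell
#!/bin/sh
set -eu

. "$1"
: "${CONTAINER_BUILDROOT:?must be set by the sourced file}"

# … unchanged: /usr/bin/rsync invocation and its options …
    "$CONTAINER_BUILDROOT/c3d/postinstall/install-data/etc/letsencrypt"
```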
index 59fee950f6051a9a5a10389aded66fe46e9528c8..0747293875ae04e47626def5dd27814ce57b3ae6 100644 (file)
@@ -1,3 +1,3 @@
 DISTRIBUTION=Fedora
 DISTRIBUTION_VERSION=35
-SPEC_PACKAGES="certbot python3-certbot-dns-rfc2136 openssh-clients openssh-server vim-enhanced"
+SPEC_PACKAGES="certbot python3-certbot-dns-rfc2136 rsync-daemon vim-enhanced"