From: Zoltán Felleg
Date: Tue, 8 Mar 2022 09:56:23 +0000 (+0100)
Subject: Updated pki.in (to get/provide letsencrypt data over rsync instead of scp).
X-Git-Url: http://git.useribm.hu/?a=commitdiff_plain;h=d57960339438e89d0b1f196e1b7f3c4ec880ac03;p=user-lxc.git
Updated pki.in (to get/provide letsencrypt data over rsync instead of scp).
---
diff --git a/sources/pki.in/c3d/firstboot/scripts/10_setupletsencrypt.sh b/sources/pki.in/c3d/firstboot/scripts/10_setupletsencrypt.sh
deleted file mode 100755
index a8da842..0000000
--- a/sources/pki.in/c3d/firstboot/scripts/10_setupletsencrypt.sh
+++ /dev/null
@@ -1,4 +0,0 @@
-#!/bin/sh
-
-
-/usr/local/bin/restoreletsencrypt.sh
diff --git a/sources/pki.in/c3d/firstboot/scripts/90_setupservices.sh b/sources/pki.in/c3d/firstboot/scripts/90_setupservices.sh
new file mode 100755
index 0000000..7293e8d
--- /dev/null
+++ b/sources/pki.in/c3d/firstboot/scripts/90_setupservices.sh
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+
+systemctl enable rsyncd.service
+systemctl start rsyncd.service
+systemctl enable NetworkManager-wait-online.service
+systemctl start NetworkManager-wait-online.service
+
+systemctl enable logrotate.timer
+systemctl start logrotate.timer
diff --git a/sources/pki.in/c3d/mode.txt b/sources/pki.in/c3d/mode.txt
index dd70881..a7e9357 100644
--- a/sources/pki.in/c3d/mode.txt
+++ b/sources/pki.in/c3d/mode.txt
@@ -1,9 +1,6 @@
 # mode file (relative to /c3d)
 755 firstboot/scripts/*.sh
-440 postinstall/install-data/etc/ssh/ssh_host_*_key
-444 postinstall/install-data/etc/ssh/ssh_host_*_key.pub
-600 postinstall/install-data/etc/ssh/sshd_config.d/*.conf
 755 postinstall/install-data/root/certbot.sh
 600 postinstall/install-data/root/rfc2136.ini
-755 postinstall/install-data/usr/local/bin/*.sh
 755 postinstall/scripts/*.sh
+755 preinstall/scripts/*.sh
diff --git a/sources/pki.in/c3d/owner.txt b/sources/pki.in/c3d/owner.txt
deleted file mode 100644
index ea1bd74..0000000
--- a/sources/pki.in/c3d/owner.txt
+++ /dev/null
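Review bot: The `systemctl enable`/`systemctl start` calls in 90_setupservices.sh run under `#!/bin/sh` with no `set -e`, so a failed enable or start of rsyncd.service is ignored and the first-boot script still exits 0; add `set -eu` after the shebang, or collapse each pair into `systemctl enable --now rsyncd.service` so there is a single status to check. The same missing error handling applies to postinstall/scripts/10_setupservices.sh later in this commit. Since this unit is what makes the `[letsencrypt]` export in the new rsyncd.conf reachable, a one-line comment above it would help the next maintainer, e.g. `# rsyncd serves /etc/letsencrypt to the hosts allowed in /etc/rsyncd.conf`.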
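Review bot: The `440 postinstall/install-data/etc/ssh/ssh_host_*_key` entry dropped here pointed at a private key that was tracked in the repository, and deleting that file in this commit leaves it recoverable from history (its blob dcd4287 is on this page, next to the host certificate 8c7d565 and trusted-user-ca.keys 84d19e3); the ed25519 host key should be treated as disclosed and rotated, with the host certificate re-issued, independently of the file removal. Nothing in the mode list covers the material that now replaces it: the letsencrypt tree pulled into `postinstall/install-data/etc/letsencrypt` by the preinstall script carries the certificate private keys, and its permissions are only as tight as what `rsync --archive` copies from the source, so consider stating that assumption in the header comment or adding an explicit `600` entry for `postinstall/install-data/etc/letsencrypt/archive/*/privkey*.pem`.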
@@ -1,2 +0,0 @@
-# owner file (relative to /c3d)
-root.ssh_keys postinstall/install-data/etc/ssh/ssh_host_*_key
diff --git a/sources/pki.in/c3d/postinstall/install-data/etc/rsyncd.conf b/sources/pki.in/c3d/postinstall/install-data/etc/rsyncd.conf
new file mode 100644
index 0000000..06abb99
--- /dev/null
+++ b/sources/pki.in/c3d/postinstall/install-data/etc/rsyncd.conf
@@ -0,0 +1,9 @@
+transfer logging = yes
+use chroot = no
+uid = root
+gid = root
+
+[letsencrypt]
+ path = /etc/letsencrypt
+ read only = true
+ hosts allow = 10.228.0.0/16, 10.162.173.0/24, 2a02:d400:0:f268::/64, 2a02:d400:0:f2ad::/64
diff --git a/sources/pki.in/c3d/postinstall/install-data/etc/ssh/ssh_host_ed25519_key b/sources/pki.in/c3d/postinstall/install-data/etc/ssh/ssh_host_ed25519_key
deleted file mode 100644
index dcd4287..0000000
--- a/sources/pki.in/c3d/postinstall/install-data/etc/ssh/ssh_host_ed25519_key
+++ /dev/null
@@ -1,7 +0,0 @@
------BEGIN OPENSSH PRIVATE KEY-----
-b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
-QyNTUxOQAAACBTtfM0pi5Ju5iCb5s1OiVVzRDfjNAUmJgSdhV1lye7HwAAAIj/h81+/4fN
-fgAAAAtzc2gtZWQyNTUxOQAAACBTtfM0pi5Ju5iCb5s1OiVVzRDfjNAUmJgSdhV1lye7Hw
-AAAEAzOkl9MPG6s0UBMYJAjp/5NHWoDydFO1DRGK+UCZpQyFO18zSmLkm7mIJvmzU6JVXN
-EN+M0BSYmBJ2FXWXJ7sfAAAAAAECAwQF
------END OPENSSH PRIVATE KEY-----
diff --git a/sources/pki.in/c3d/postinstall/install-data/etc/ssh/ssh_host_ed25519_key-cert.pub b/sources/pki.in/c3d/postinstall/install-data/etc/ssh/ssh_host_ed25519_key-cert.pub
deleted file mode 100644
index 8c7d565..0000000
--- a/sources/pki.in/c3d/postinstall/install-data/etc/ssh/ssh_host_ed25519_key-cert.pub
+++ /dev/null
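Review bot: The `[letsencrypt]` module exports /etc/letsencrypt — which in certbot's layout holds the ACME account key under `accounts/` and the certificate private keys under `archive/` and `live/` — over the rsync daemon protocol with `hosts allow` as the only access control, so a matching source address is sufficient to read every private key and the data crosses the network unencrypted. At minimum require a module login with `auth users = <user>` and `secrets file = <path to a mode-600 file>`, and prefer carrying the transfer over ssh (which would mean keeping openssh-server in SPEC_PACKAGES, dropped elsewhere in this commit) rather than the bare daemon port. With `uid = root` the daemon also serves as root without a chroot; `use chroot = yes` costs nothing for a read-only module and limits the blast radius of a path-handling bug. The allow list admits a whole /16 and several /64s; if only a few build hosts need this, list them individually and say so in a comment above the module.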
@@ -1 +0,0 @@
-ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIAMeQaRoJvvx9n4zx+YB8mIJSYr84KitKGNJRQRHLLkFAAAAIFO18zSmLkm7mIJvmzU6JVXNEN+M0BSYmBJ2FXWXJ7sfAAAAAAAAAAAAAAACAAAAEXBraS5pbi51c2VyaWJtLmh1AAAAFQAAABFwa2kuaW4udXNlcmlibS5odQAAAAAAAAAA//////////8AAAAAAAAAAAAAAAAAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIEXYIIzrUSx8/BQ6/ttkSr5oEyB5F5Yg4bp1DOkqDON9AAAAUwAAAAtzc2gtZWQyNTUxOQAAAEC7EmyytSsRsBxqatA+Rm0LF/P+bM72BQ3QnHs+JCeXdDYA0F+TQ61m/bnVvWKJeJxRu+TKyGnCr0lerUDZ7REN ssh_host_ed25519_key.pub
diff --git a/sources/pki.in/c3d/postinstall/install-data/etc/ssh/ssh_host_ed25519_key.pub b/sources/pki.in/c3d/postinstall/install-data/etc/ssh/ssh_host_ed25519_key.pub
deleted file mode 100644
index de1140a..0000000
--- a/sources/pki.in/c3d/postinstall/install-data/etc/ssh/ssh_host_ed25519_key.pub
+++ /dev/null
@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFO18zSmLkm7mIJvmzU6JVXNEN+M0BSYmBJ2FXWXJ7sf
diff --git a/sources/pki.in/c3d/postinstall/install-data/etc/ssh/sshd_config.d/99-host-cert.conf b/sources/pki.in/c3d/postinstall/install-data/etc/ssh/sshd_config.d/99-host-cert.conf
deleted file mode 100644
index 173b545..0000000
--- a/sources/pki.in/c3d/postinstall/install-data/etc/ssh/sshd_config.d/99-host-cert.conf
+++ /dev/null
@@ -1 +0,0 @@
-HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
diff --git a/sources/pki.in/c3d/postinstall/install-data/etc/ssh/sshd_config.d/99-user-CA.conf b/sources/pki.in/c3d/postinstall/install-data/etc/ssh/sshd_config.d/99-user-CA.conf
deleted file mode 100644
index 115882b..0000000
--- a/sources/pki.in/c3d/postinstall/install-data/etc/ssh/sshd_config.d/99-user-CA.conf
+++ /dev/null
@@ -1 +0,0 @@
-TrustedUserCAKeys /etc/ssh/trusted-user-ca.keys
diff --git a/sources/pki.in/c3d/postinstall/install-data/etc/ssh/trusted-user-ca.keys b/sources/pki.in/c3d/postinstall/install-data/etc/ssh/trusted-user-ca.keys
deleted file mode 100644
index 84d19e3..0000000
--- a/sources/pki.in/c3d/postinstall/install-data/etc/ssh/trusted-user-ca.keys
+++ /dev/null
@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICcf/XXU8dNVtbveGmwbdnRJfYIItzxKmgRkzlp0k6r5 user-CA
diff --git a/sources/pki.in/c3d/postinstall/install-data/usr/local/bin/backupletsencrypt.sh b/sources/pki.in/c3d/postinstall/install-data/usr/local/bin/backupletsencrypt.sh
deleted file mode 100755
index 9314373..0000000
--- a/sources/pki.in/c3d/postinstall/install-data/usr/local/bin/backupletsencrypt.sh
+++ /dev/null
@@ -1,14 +0,0 @@
-#!/bin/sh
-set -x
-
-
-BACKUP_BASE=$(mktemp --directory)
-TMP_PATH=$(dirname $BACKUP_BASE)
-
-
-tar --create \
- --directory=/etc \
- --file $TMP_PATH/letsencrypt.tar \
- letsencrypt
-
-rm --force --recursive $BACKUP_BASE
diff --git a/sources/pki.in/c3d/postinstall/install-data/usr/local/bin/restoreletsencrypt.sh b/sources/pki.in/c3d/postinstall/install-data/usr/local/bin/restoreletsencrypt.sh
deleted file mode 100755
index 2852397..0000000
--- a/sources/pki.in/c3d/postinstall/install-data/usr/local/bin/restoreletsencrypt.sh
+++ /dev/null
@@ -1,26 +0,0 @@
-#!/bin/sh
-set -x
-
-
-POSTINSTALL_SCP_PATH=/c3d/postinstall/scp
-RESTORE_BASE=$(mktemp --directory)
-TMP_PATH=$(dirname $RESTORE_BASE)
-
-
-if [ ! -f $POSTINSTALL_SCP_PATH/letsencrypt.tar ]
-then
- echo "No restore file found, exiting" >&2
- exit 1
-fi
-
-if [ -d /etc/letsencrypt ]
-then
- rm --force --recursive /etc/letsencrypt.old
- mv /etc/letsencrypt /etc/letsencrypt.old
-fi
-
-tar --extract \
- --directory=/etc \
- --file $POSTINSTALL_SCP_PATH/letsencrypt.tar
-
-rm --force --recursive $RESTORE_BASE
diff --git a/sources/pki.in/c3d/postinstall/scp/copy.list b/sources/pki.in/c3d/postinstall/scp/copy.list
deleted file mode 100644
index 32c9ec6..0000000
--- a/sources/pki.in/c3d/postinstall/scp/copy.list
+++ /dev/null
@@ -1,2 +0,0 @@
-# source_host source_path
-pki.in.useribm.hu /tmp/letsencrypt.tar
diff --git a/sources/pki.in/c3d/postinstall/scripts/10_setupservices.sh b/sources/pki.in/c3d/postinstall/scripts/10_setupservices.sh
new file mode 100755
index 0000000..95a72bf
--- /dev/null
+++ b/sources/pki.in/c3d/postinstall/scripts/10_setupservices.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+
+systemctl disable rsyncd.service
+systemctl disable NetworkManager-wait-online.service
+
+systemctl disable logrotate.timer
diff --git a/sources/pki.in/c3d/postinstall/ssh/run.list b/sources/pki.in/c3d/postinstall/ssh/run.list
deleted file mode 100644
index 6b284ae..0000000
--- a/sources/pki.in/c3d/postinstall/ssh/run.list
+++ /dev/null
@@ -1,2 +0,0 @@
-# target_host target_user target_executable
-pki.in.useribm.hu root /usr/local/bin/backupletsencrypt.sh
diff --git a/sources/pki.in/c3d/preinstall/scripts/01_rsyncletsencrypt.sh b/sources/pki.in/c3d/preinstall/scripts/01_rsyncletsencrypt.sh
new file mode 100755
index 0000000..3c5ffb4
--- /dev/null
+++ b/sources/pki.in/c3d/preinstall/scripts/01_rsyncletsencrypt.sh
@@ -0,0 +1,14 @@
+#!/bin/sh
+
+
+. $1
+
+
+/usr/bin/rsync \
+ --archive \
+ --delete-after \
+ --exclude='cli.ini' \
+ --info=STATS \
+ --mkpath \
+ pki.in.useribm.hu::letsencrypt \
+ $CONTAINER_BUILDROOT/c3d/postinstall/install-data/etc/letsencrypt
diff --git a/sources/pki.in/envvars b/sources/pki.in/envvars
index 59fee95..0747293 100644
--- a/sources/pki.in/envvars
+++ b/sources/pki.in/envvars
@@ -1,3 +1,3 @@
 DISTRIBUTION=Fedora
 DISTRIBUTION_VERSION=35
-SPEC_PACKAGES="certbot python3-certbot-dns-rfc2136 openssh-clients openssh-server vim-enhanced"
+SPEC_PACKAGES="certbot python3-certbot-dns-rfc2136 rsync-daemon vim-enhanced"
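Review bot: In 01_rsyncletsencrypt.sh the destination `$CONTAINER_BUILDROOT/c3d/postinstall/install-data/etc/letsencrypt` is passed to rsync with `--delete-after` and is never checked; if the file sourced by `. $1` does not set `CONTAINER_BUILDROOT`, the target silently becomes `/c3d/postinstall/install-data/etc/letsencrypt` on the host running the script and rsync deletes whatever is there that the module does not contain. Add `set -eu` after the shebang, quote the source as `. "$1"`, and assert the variable before the rsync call with `: "${CONTAINER_BUILDROOT:?CONTAINER_BUILDROOT not set}"`, quoting the destination as well. Note also that this pulls the certificate private keys from `pki.in.useribm.hu::letsencrypt` over the plain rsync daemon protocol, with no authentication of the peer and no encryption in transit; a comment at the top of the script should state that the exported tree contains private keys and that the transport is trusted only as far as the network between the two hosts.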