From bb7c89c01f88ffb70f9e24b65ddd21518211ad2d Mon Sep 17 00:00:00 2001 
From: =?utf8?q?Zolt=C3=A1n=20Felleg?= Date: Mon, 21 Feb 2022 16:04:49 +0100 Subject: [PATCH] Added pki.in. --- scripts/c3.sh | 11 +++- .../firstboot/scripts/01_setupnetworking.sh | 59 +++++++++++++++++++ .../c3d/firstboot/scripts/02_settimezone.sh | 21 +++++++ .../firstboot/scripts/10_setupletsencrypt.sh | 4 ++ sources/pki.in/c3d/mode.txt | 9 +++ sources/pki.in/c3d/owner.txt | 2 + .../install-data/etc/ssh/ssh_host_ed25519_key | 7 +++ .../etc/ssh/ssh_host_ed25519_key-cert.pub | 1 + .../etc/ssh/ssh_host_ed25519_key.pub | 1 + .../etc/ssh/sshd_config.d/99-host-cert.conf | 1 + .../etc/ssh/sshd_config.d/99-user-CA.conf | 1 + .../install-data/etc/ssh/trusted-user-ca.keys | 1 + .../postinstall/install-data/root/certbot.sh | 35 +++++++++++ .../postinstall/install-data/root/rfc2136.ini | 10 ++++ .../usr/local/bin/backupletsencrypt.sh | 14 +++++ .../usr/local/bin/restoreletsencrypt.sh | 26 ++++++++ sources/pki.in/c3d/postinstall/scp/copy.list | 2 + sources/pki.in/c3d/postinstall/ssh/run.list | 2 + sources/pki.in/config | 21 +++++++ sources/pki.in/envvars | 3 + 20 files changed, 229 insertions(+), 2 deletions(-) create mode 100755 sources/pki.in/c3d/firstboot/scripts/01_setupnetworking.sh create mode 100755 sources/pki.in/c3d/firstboot/scripts/02_settimezone.sh create mode 100755 sources/pki.in/c3d/firstboot/scripts/10_setupletsencrypt.sh create mode 100644 sources/pki.in/c3d/mode.txt create mode 100644 sources/pki.in/c3d/owner.txt create mode 100644 sources/pki.in/c3d/postinstall/install-data/etc/ssh/ssh_host_ed25519_key create mode 100644 sources/pki.in/c3d/postinstall/install-data/etc/ssh/ssh_host_ed25519_key-cert.pub create mode 100644 sources/pki.in/c3d/postinstall/install-data/etc/ssh/ssh_host_ed25519_key.pub create mode 100644 sources/pki.in/c3d/postinstall/install-data/etc/ssh/sshd_config.d/99-host-cert.conf create mode 100644 sources/pki.in/c3d/postinstall/install-data/etc/ssh/sshd_config.d/99-user-CA.conf create mode 100644 
sources/pki.in/c3d/postinstall/install-data/etc/ssh/trusted-user-ca.keys create mode 100755 sources/pki.in/c3d/postinstall/install-data/root/certbot.sh create mode 100644 sources/pki.in/c3d/postinstall/install-data/root/rfc2136.ini create mode 100755 sources/pki.in/c3d/postinstall/install-data/usr/local/bin/backupletsencrypt.sh create mode 100755 sources/pki.in/c3d/postinstall/install-data/usr/local/bin/restoreletsencrypt.sh create mode 100644 sources/pki.in/c3d/postinstall/scp/copy.list create mode 100644 sources/pki.in/c3d/postinstall/ssh/run.list create mode 100644 sources/pki.in/config create mode 100644 sources/pki.in/envvars
diff --git a/scripts/c3.sh b/scripts/c3.sh
index 2b382fd..c9d547a 100755
--- a/scripts/c3.sh
+++ b/scripts/c3.sh
@@ -214,14 +214,19 @@ populate_c3d() MODE_LIST=$CONTAINER_BUILDROOT/c3d/mode.txt if [ -f $MODE_LIST ] then + shopt -s nullglob grep --invert-match \ --regexp='^#' \ --regexp='^$' $MODE_LIST | while read LINE do TGT_MODE=$(echo "$LINE" | cut -f 1 -d ' ') - TGT_PATH=$(echo "$LINE" | cut -f 2 -d ' ') - chmod $TGT_MODE $CONTAINER_BUILDROOT/c3d/$TGT_PATH + GLOB_TGT_PATH=$(echo "$LINE" | cut -f 2 -d ' ') + for TGT_PATH in $CONTAINER_BUILDROOT/c3d/$GLOB_TGT_PATH + do + chmod $TGT_MODE $TGT_PATH + done done + shopt -u nullglob fi echo "Created and populated the container creation and configuration directory."
@@ -234,6 +239,7 @@ set_c3d_ownership() OWNER_LIST=$CONTAINER_BUILDROOT/c3d/owner.txt if [ -f $OWNER_LIST ] then + shopt -s nullglob grep --invert-match \ --regexp='^#' \ --regexp='^$' $OWNER_LIST | while read LINE
@@ -246,6 +252,7 @@ set_c3d_ownership() chroot $CONTAINER_BUILDROOT chown $TGT_OWNER $TGT_PATH done done + shopt -u nullglob fi echo "Set ownership of the container creation and configuration directory files."
diff --git a/sources/pki.in/c3d/firstboot/scripts/01_setupnetworking.sh b/sources/pki.in/c3d/firstboot/scripts/01_setupnetworking.sh
new file mode 100755
index 0000000..0c12c44
--- /dev/null
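Review bot: With `shopt -s nullglob` in effect, a pattern in mode.txt that matches nothing makes the new `for TGT_PATH in $CONTAINER_BUILDROOT/c3d/$GLOB_TGT_PATH` loop run zero times and the entry is silently ignored, so a typo in mode.txt leaves the file at its checked-out mode — for the `440 ... ssh_host_*_key` entry this commit adds, that would be a private key left at the 0644 git gives it. Expanding the glob into an array first makes the empty case visible: `MATCHES=( $CONTAINER_BUILDROOT/c3d/$GLOB_TGT_PATH )`, `[ "${#MATCHES[@]}" -gt 0 ] || echo "mode.txt: no match for $GLOB_TGT_PATH" >&2`, `for TGT_PATH in "${MATCHES[@]}"`. The new `chmod $TGT_MODE $TGT_PATH` should also quote its operands and stop option parsing, `chmod -- "$TGT_MODE" "$TGT_PATH"`, since by then the variable holds a real path rather than a pattern. The same `shopt -s nullglob` / `shopt -u nullglob` pair appears in the two set_c3d_ownership hunks below; the unconditional `-u` clears the option even if the caller already had it on, which matters if c3.sh is ever sourced instead of executed.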
+++ b/sources/pki.in/c3d/firstboot/scripts/01_setupnetworking.sh
@@ -0,0 +1,59 @@
+#!/bin/sh
+
+
+sleep 1
+systemctl --quiet is-active NetworkManager.service
+NM_RC=$?
+WAITED=0
+while [ $NM_RC -ne 0 ]
+do
+ echo -n .
+ sleep 1
+ WAITED=1
+ systemctl --quiet is-active NetworkManager.service
+ NM_RC=$?
+done
+[ $WAITED -eq 1 ] && echo
+
+CONNECTIONS=$(nmcli --terse connection show | wc -l)
+while [ $CONNECTIONS -ne 1 ]
+do
+ echo "Number of connections: $CONNECTIONS" >&2
+ sleep 1
+ CONNECTIONS=$(nmcli --terse connection show | wc -l)
+done
+
+nmcli --terse connection show | grep ':$' >/dev/null
+ALL_CONNECTION_DEVICES_KNOWN=$?
+while [ $ALL_CONNECTION_DEVICES_KNOWN -eq 0 ]
+do
+ echo "Not all connection devices are known yet" >&2
+ sleep 1
+ nmcli --terse connection show | grep ':$' >/dev/null
+ ALL_CONNECTION_DEVICES_KNOWN=$?
+done
+
+CONNECTION_LINE=$(nmcli --terse connection show)
+CONNECTION_UUID=$(echo $CONNECTION_LINE | cut -f 2 -d ':')
+CONNECTION_DEVICE=$(echo $CONNECTION_LINE | cut -f 4 -d ':')
+
+nmcli connection delete uuid "$CONNECTION_UUID"
+
+nmcli connection add \
+ connection.autoconnect yes \
+ connection.id internal \
+ connection.interface-name $CONNECTION_DEVICE \
+ connection.type 802-3-ethernet \
+ ipv4.addresses "10.228.109.171/16" \
+ ipv4.dns "10.228.109.159, 10.228.92.159" \
+ ipv4.dns-search "in.useribm.hu" \
+ ipv4.gateway "10.228.109.254" \
+ ipv4.method "manual" \
+ ipv6.addresses "2a02:d400:0000:f268:000c:18ff:fe03:6dab/64" \
+ ipv6.dns "2a02:d400:0000:f268:000c:18ff:fe03:5c9f, 2a02:d400:0000:f268:000c:18ff:fe03:6d9f" \
+ ipv6.dns-search "in.useribm.hu" \
+ ipv6.gateway "2a02:d400:0000:f268:000c:18ff:fe03:6dfe" \
+ ipv6.method "manual" \
+ save yes
+
+nmcli connection show
diff --git a/sources/pki.in/c3d/firstboot/scripts/02_settimezone.sh b/sources/pki.in/c3d/firstboot/scripts/02_settimezone.sh
new file mode 100755
index 0000000..20b2a71
--- /dev/null
+++ b/sources/pki.in/c3d/firstboot/scripts/02_settimezone.sh
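Review bot: The only existing profile is removed with `nmcli connection delete uuid "$CONNECTION_UUID"` before its replacement exists, and the exit status of the following `nmcli connection add` is never checked, so a rejected property value or a NetworkManager hiccup at that moment leaves the container with no connection and no remote way to repair it. Rewriting the profile in place, `nmcli connection modify "$CONNECTION_UUID" connection.id internal ...` with the same property/value pairs, avoids the window entirely; if the delete is kept, run it only after the add has returned 0. The three polling loops (`while [ $NM_RC -ne 0 ]`, `while [ $CONNECTIONS -ne 1 ]`, `while [ $ALL_CONNECTION_DEVICES_KNOWN -eq 0 ]`) have no upper bound, so a rootfs that already carries two profiles makes first boot hang silently; a retry counter ending in `exit 1` would surface that. `echo -n .` under `#!/bin/sh` is implementation-defined; `printf '.'` is the portable spelling.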
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+
+sleep 1
+systemctl --quiet is-active dbus.service
+DBUS_RC=$?
+WAITED=0
+while [ $DBUS_RC -ne 0 ]
+do
+ if [ $WAITED -eq 0 ]
+ then
+ echo -n "Waiting for dbus.service"
+ fi
+ echo -n .
+ sleep 1
+ WAITED=1
+ systemctl --quiet is-active dbus.service
+ DBUS_RC=$?
+done
+[ $WAITED -ne 0 ] && echo
+timedatectl set-timezone Europe/Budapest
diff --git a/sources/pki.in/c3d/firstboot/scripts/10_setupletsencrypt.sh b/sources/pki.in/c3d/firstboot/scripts/10_setupletsencrypt.sh
new file mode 100755
index 0000000..a8da842
--- /dev/null
+++ b/sources/pki.in/c3d/firstboot/scripts/10_setupletsencrypt.sh
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+
+/usr/local/bin/restoreletsencrypt.sh
diff --git a/sources/pki.in/c3d/mode.txt b/sources/pki.in/c3d/mode.txt
new file mode 100644
index 0000000..dd70881
--- /dev/null
+++ b/sources/pki.in/c3d/mode.txt
@@ -0,0 +1,9 @@
+# mode file (relative to /c3d)
+755 firstboot/scripts/*.sh
+440 postinstall/install-data/etc/ssh/ssh_host_*_key
+444 postinstall/install-data/etc/ssh/ssh_host_*_key.pub
+600 postinstall/install-data/etc/ssh/sshd_config.d/*.conf
+755 postinstall/install-data/root/certbot.sh
+600 postinstall/install-data/root/rfc2136.ini
+755 postinstall/install-data/usr/local/bin/*.sh
+755 postinstall/scripts/*.sh
diff --git a/sources/pki.in/c3d/owner.txt b/sources/pki.in/c3d/owner.txt
new file mode 100644
index 0000000..ea1bd74
--- /dev/null
+++ b/sources/pki.in/c3d/owner.txt
@@ -0,0 +1,2 @@
+# owner file (relative to /c3d)
+root.ssh_keys postinstall/install-data/etc/ssh/ssh_host_*_key
diff --git a/sources/pki.in/c3d/postinstall/install-data/etc/ssh/ssh_host_ed25519_key b/sources/pki.in/c3d/postinstall/install-data/etc/ssh/ssh_host_ed25519_key
new file mode 100644
index 0000000..dcd4287
--- /dev/null
+++ b/sources/pki.in/c3d/postinstall/install-data/etc/ssh/ssh_host_ed25519_key
@@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACBTtfM0pi5Ju5iCb5s1OiVVzRDfjNAUmJgSdhV1lye7HwAAAIj/h81+/4fN
+fgAAAAtzc2gtZWQyNTUxOQAAACBTtfM0pi5Ju5iCb5s1OiVVzRDfjNAUmJgSdhV1lye7Hw
+AAAEAzOkl9MPG6s0UBMYJAjp/5NHWoDydFO1DRGK+UCZpQyFO18zSmLkm7mIJvmzU6JVXN
+EN+M0BSYmBJ2FXWXJ7sfAAAAAAECAwQF
+-----END OPENSSH PRIVATE KEY-----
diff --git a/sources/pki.in/c3d/postinstall/install-data/etc/ssh/ssh_host_ed25519_key-cert.pub b/sources/pki.in/c3d/postinstall/install-data/etc/ssh/ssh_host_ed25519_key-cert.pub
new file mode 100644
index 0000000..8c7d565
--- /dev/null
+++ b/sources/pki.in/c3d/postinstall/install-data/etc/ssh/ssh_host_ed25519_key-cert.pub
@@ -0,0 +1 @@
+ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIAMeQaRoJvvx9n4zx+YB8mIJSYr84KitKGNJRQRHLLkFAAAAIFO18zSmLkm7mIJvmzU6JVXNEN+M0BSYmBJ2FXWXJ7sfAAAAAAAAAAAAAAACAAAAEXBraS5pbi51c2VyaWJtLmh1AAAAFQAAABFwa2kuaW4udXNlcmlibS5odQAAAAAAAAAA//////////8AAAAAAAAAAAAAAAAAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIEXYIIzrUSx8/BQ6/ttkSr5oEyB5F5Yg4bp1DOkqDON9AAAAUwAAAAtzc2gtZWQyNTUxOQAAAEC7EmyytSsRsBxqatA+Rm0LF/P+bM72BQ3QnHs+JCeXdDYA0F+TQ61m/bnVvWKJeJxRu+TKyGnCr0lerUDZ7REN ssh_host_ed25519_key.pub
diff --git a/sources/pki.in/c3d/postinstall/install-data/etc/ssh/ssh_host_ed25519_key.pub b/sources/pki.in/c3d/postinstall/install-data/etc/ssh/ssh_host_ed25519_key.pub
new file mode 100644
index 0000000..de1140a
--- /dev/null
+++ b/sources/pki.in/c3d/postinstall/install-data/etc/ssh/ssh_host_ed25519_key.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFO18zSmLkm7mIJvmzU6JVXNEN+M0BSYmBJ2FXWXJ7sf
diff --git a/sources/pki.in/c3d/postinstall/install-data/etc/ssh/sshd_config.d/99-host-cert.conf b/sources/pki.in/c3d/postinstall/install-data/etc/ssh/sshd_config.d/99-host-cert.conf
new file mode 100644
index 0000000..173b545
--- /dev/null
+++ b/sources/pki.in/c3d/postinstall/install-data/etc/ssh/sshd_config.d/99-host-cert.conf
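Review bot: This hunk commits an OpenSSH private host key in cleartext, so every reader of the repository or its history holds the key that `HostCertificate` in 99-host-cert.conf vouches for, and the `440` entry in mode.txt only takes effect inside the build root after checkout (the blob itself is added as mode 100644). The key has to be treated as disclosed: generate a replacement, have the CA re-issue the certificate for it, list the old key in a client-side `RevokedKeys` file or KRL, and rewrite history so this blob is gone rather than merely deleted in a later commit. For the build flow, letting the container create its own host keys at first boot (`ssh-keygen -A`, or the distribution's sshd-keygen units where present) and delivering only the signed certificate through the postinstall step keeps private key material out of sources/ altogether.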
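Review bot: The certificate body appears to carry a zero serial and a validity window of 0 to 2^64-1 (the `AAAAAAAAAAAAAAAA//////////8` run after the principal list), i.e. a certificate that never expires and cannot be revoked by serial; confirm with `ssh-keygen -L -f ssh_host_ed25519_key-cert.pub`. Since the matching private key is in the same commit, a bounded lifetime matters here: re-sign with an explicit `-V` window and a non-zero `-z` serial so routine rotation and KRL revocation both work without touching every client's `RevokedKeys` by key. The principal list decodes to the single name `pki.in.useribm.hu`, which matches `lxc.uts.name` in the config file, so no change is needed there.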
@@ -0,0 +1 @@
+HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
diff --git a/sources/pki.in/c3d/postinstall/install-data/etc/ssh/sshd_config.d/99-user-CA.conf b/sources/pki.in/c3d/postinstall/install-data/etc/ssh/sshd_config.d/99-user-CA.conf
new file mode 100644
index 0000000..115882b
--- /dev/null
+++ b/sources/pki.in/c3d/postinstall/install-data/etc/ssh/sshd_config.d/99-user-CA.conf
@@ -0,0 +1 @@
+TrustedUserCAKeys /etc/ssh/trusted-user-ca.keys
diff --git a/sources/pki.in/c3d/postinstall/install-data/etc/ssh/trusted-user-ca.keys b/sources/pki.in/c3d/postinstall/install-data/etc/ssh/trusted-user-ca.keys
new file mode 100644
index 0000000..84d19e3
--- /dev/null
+++ b/sources/pki.in/c3d/postinstall/install-data/etc/ssh/trusted-user-ca.keys
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICcf/XXU8dNVtbveGmwbdnRJfYIItzxKmgRkzlp0k6r5 user-CA
diff --git a/sources/pki.in/c3d/postinstall/install-data/root/certbot.sh b/sources/pki.in/c3d/postinstall/install-data/root/certbot.sh
new file mode 100755
index 0000000..aa728e0
--- /dev/null
+++ b/sources/pki.in/c3d/postinstall/install-data/root/certbot.sh
@@ -0,0 +1,35 @@
+#!/bin/sh
+
+
+if [ -d /etc/letsencrypt ]
+then
+ rm --force --recursive /etc/letsencrypt.old
+ mv /etc/letsencrypt /etc/letsencrypt.old
+fi
+echo "Trying to generate certificates"
+# testing/temporary/staging
+# --staging \
+certbot certonly \
+ --agree-tos \
+ --cert-name useribm \
+ --dns-rfc2136 \
+ --dns-rfc2136-credentials /root/rfc2136.ini \
+ --dns-rfc2136-propagation-seconds 120 \
+ --domains *.useribm.hu \
+ --domains useribm.hu \
+ --preferred-challenges dns \
+ -m siteadmin@useribm.hu
+RC=$?
+echo "RC: $RC"
+certbot certonly \
+ --agree-tos \
+ --cert-name userrendszerhaz \
+ --dns-rfc2136 \
+ --dns-rfc2136-credentials /root/rfc2136.ini \
+ --dns-rfc2136-propagation-seconds 120 \
+ --domains *.userrendszerhaz.hu \
+ --domains userrendszerhaz.hu \
+ --preferred-challenges dns \
+ -m siteadmin@userrendszerhaz.hu
+RC=$?
+echo "RC: $RC"
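Review bot: `TrustedUserCAKeys /etc/ssh/trusted-user-ca.keys` without an `AuthorizedPrincipalsFile` means sshd accepts any certificate signed by `user-CA` whose principal list contains the target account name, for every account on the box including root (which run.list already uses), and such logins never pass through authorized_keys. Adding `AuthorizedPrincipalsFile /etc/ssh/auth_principals/%u` next to it, with a per-account file listing the principals allowed to log in, makes the CA-to-account mapping explicit and reviewable, and lets root be limited to a dedicated principal rather than the literal name. If `RevokedKeys` is not set elsewhere in sshd_config, a KRL path is worth adding in the same drop-in so user certificates issued by this CA can actually be withdrawn.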
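Review bot: `--domains *.useribm.hu` and `--domains *.userrendszerhaz.hu` are unquoted, so the shell tries to expand them as globs against the current directory and certbot receives whatever file names happen to match; write `--domains '*.useribm.hu'` and `--domains '*.userrendszerhaz.hu'` so the literal wildcard name reaches certbot. Separately, `/etc/letsencrypt` is moved to `/etc/letsencrypt.old` before the first `certbot certonly` runs and the script ends with `echo "RC: $RC"`, so it exits 0 whether issuance succeeded or not and a failed run leaves no live certificates behind with nothing telling the caller. certbot renews into an existing `/etc/letsencrypt` on its own, so the move is not needed for re-issuance; if it is kept, restore the directory when `RC` is non-zero, and finish with `exit $RC` after tracking the worse of the two statuses, e.g. `[ $RC -eq 0 ] || FAILED=1` after each echo and `exit ${FAILED:-0}` at the end.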
diff --git a/sources/pki.in/c3d/postinstall/install-data/root/rfc2136.ini b/sources/pki.in/c3d/postinstall/install-data/root/rfc2136.ini
new file mode 100644
index 0000000..6d0ad5a
--- /dev/null
+++ b/sources/pki.in/c3d/postinstall/install-data/root/rfc2136.ini
@@ -0,0 +1,10 @@
+# Target DNS server
+dns_rfc2136_server = 10.228.109.204
+# Target DNS port
+dns_rfc2136_port = 53
+# TSIG key name
+dns_rfc2136_name = certbot
+# TSIG key secret
+dns_rfc2136_secret = bscfztEn7MihBX6haJj1kNeKLpKo0aVs82LYfqpIpkk=
+# TSIG key algorithm
+dns_rfc2136_algorithm = HMAC-SHA256
diff --git a/sources/pki.in/c3d/postinstall/install-data/usr/local/bin/backupletsencrypt.sh b/sources/pki.in/c3d/postinstall/install-data/usr/local/bin/backupletsencrypt.sh
new file mode 100755
index 0000000..9314373
--- /dev/null
+++ b/sources/pki.in/c3d/postinstall/install-data/usr/local/bin/backupletsencrypt.sh
@@ -0,0 +1,14 @@
+#!/bin/sh
+set -x
+
+
+BACKUP_BASE=$(mktemp --directory)
+TMP_PATH=$(dirname $BACKUP_BASE)
+
+
+tar --create \
+ --directory=/etc \
+ --file $TMP_PATH/letsencrypt.tar \
+ letsencrypt
+
+rm --force --recursive $BACKUP_BASE
diff --git a/sources/pki.in/c3d/postinstall/install-data/usr/local/bin/restoreletsencrypt.sh b/sources/pki.in/c3d/postinstall/install-data/usr/local/bin/restoreletsencrypt.sh
new file mode 100755
index 0000000..2852397
--- /dev/null
+++ b/sources/pki.in/c3d/postinstall/install-data/usr/local/bin/restoreletsencrypt.sh
@@ -0,0 +1,26 @@
+#!/bin/sh
+set -x
+
+
+POSTINSTALL_SCP_PATH=/c3d/postinstall/scp
+RESTORE_BASE=$(mktemp --directory)
+TMP_PATH=$(dirname $RESTORE_BASE)
+
+
+if [ ! -f $POSTINSTALL_SCP_PATH/letsencrypt.tar ]
+then
+ echo "No restore file found, exiting" >&2
+ exit 1
+fi
+
+if [ -d /etc/letsencrypt ]
+then
+ rm --force --recursive /etc/letsencrypt.old
+ mv /etc/letsencrypt /etc/letsencrypt.old
+fi
+
+tar --extract \
+ --directory=/etc \
+ --file $POSTINSTALL_SCP_PATH/letsencrypt.tar
+
+rm --force --recursive $RESTORE_BASE
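Review bot: The `dns_rfc2136_secret` line commits a live TSIG key in cleartext, which gives every reader of the repository the right to send dynamic updates to the zone served by `10.228.109.204` — the same right certbot uses to answer DNS-01 challenges, so it is also the ability to obtain certificates for these domains from the same issuer. Rotate the key on the DNS server, and on the server side restrict what the `certbot` key may update (for BIND, an `update-policy` grant limited to the `_acme-challenge` TXT names) so a future leak is bounded to challenge records. The file is best produced at deploy time from a secret store or an untracked local file rather than living under sources/; the `600` entry in mode.txt protects it on the container but not in repository history.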
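Review bot: `TMP_PATH=$(dirname $BACKUP_BASE)` throws away the private directory `mktemp --directory` just created and writes `letsencrypt.tar` — an archive of `/etc/letsencrypt`, i.e. the ACME account key and every certificate private key — to a fixed, predictable name in the shared temp directory with whatever the default umask allows, and nothing removes it afterwards. If copy.list needs the fixed `/tmp/letsencrypt.tar` name, put `umask 077` before the `tar --create` line so the archive is created 0600, and delete it once the copy step has run; otherwise write it into `$BACKUP_BASE` itself and point copy.list there. The same create-then-only-remove `mktemp` pattern appears in restoreletsencrypt.sh, where `RESTORE_BASE` and `TMP_PATH` are never used and can simply be dropped. `set -x` also echoes every command line to stderr; that is harmless here but worth keeping in mind if secrets ever appear on a command line in these scripts.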
diff --git a/sources/pki.in/c3d/postinstall/scp/copy.list b/sources/pki.in/c3d/postinstall/scp/copy.list
new file mode 100644
index 0000000..32c9ec6
--- /dev/null
+++ b/sources/pki.in/c3d/postinstall/scp/copy.list
@@ -0,0 +1,2 @@
+# source_host source_path
+pki.in.useribm.hu /tmp/letsencrypt.tar
diff --git a/sources/pki.in/c3d/postinstall/ssh/run.list b/sources/pki.in/c3d/postinstall/ssh/run.list
new file mode 100644
index 0000000..6b284ae
--- /dev/null
+++ b/sources/pki.in/c3d/postinstall/ssh/run.list
@@ -0,0 +1,2 @@
+# target_host target_user target_executable
+pki.in.useribm.hu root /usr/local/bin/backupletsencrypt.sh
diff --git a/sources/pki.in/config b/sources/pki.in/config
new file mode 100644
index 0000000..89545dc
--- /dev/null
+++ b/sources/pki.in/config
@@ -0,0 +1,21 @@
+lxc.include = /usr/share/lxc/config/common.conf
+
+lxc.arch = x86_64
+lxc.uts.name = pki.in.useribm.hu
+lxc.rootfs.path = __CONTAINER_PATH__/rootfs
+lxc.mount.auto = proc:rw sys:ro
+
+lxc.net.0.type = veth
+lxc.net.0.flags = up
+lxc.net.0.link = brci-dev
+lxc.net.0.hwaddr = 02:0c:18:03:6d:ab
+
+lxc.autodev = 1
+
+lxc.cgroup2.devices.allow = a
+
+lxc.signal.halt = SIGRTMIN+4
+
+lxc.start.auto = 1
+lxc.start.order = __CONTAINER_START_ORDER__
+lxc.start.delay = 5
diff --git a/sources/pki.in/envvars b/sources/pki.in/envvars
new file mode 100644
index 0000000..59fee95
--- /dev/null
+++ b/sources/pki.in/envvars
@@ -0,0 +1,3 @@
+DISTRIBUTION=Fedora
+DISTRIBUTION_VERSION=35
+SPEC_PACKAGES="certbot python3-certbot-dns-rfc2136 openssh-clients openssh-server vim-enhanced"
-- 2.54.0
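Review bot: `lxc.cgroup2.devices.allow = a` grants the container access to every device node, which — if the included `common.conf` still installs its default device deny list — undoes that restriction for a container whose workload is sshd and certbot. Dropping the line, or allowing only the specific device nodes the workload needs, keeps a compromise of this container (whose host key and TSIG secret are both in this commit) from reaching host block and character devices. `lxc.mount.auto = proc:rw` likewise leaves /proc/sys writable from inside; `proc:mixed` is the documented variant that keeps /proc/sys and sysrq-trigger read-only while the rest of /proc stays writable.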