authorPaul Buetow <paul@buetow.org>2022-07-13 13:09:16 +0100
committerPaul Buetow <paul@buetow.org>2022-07-13 13:09:16 +0100
commit0f841977cfa1f2b934f433ac4239e612b44e5dcf (patch)
tree9d2abd0b69275e3fd368da6b3a84049921541caa
parent251e0cb9f2b5442405a87a71e018f50b73a09995 (diff)
Use ACME
-rw-r--r--frontends/Rexfile83
-rw-r--r--frontends/etc/acme-client.conf.tpl37
-rw-r--r--frontends/etc/httpd.conf.tpl (renamed from frontends/etc/httpd.conf)158
-rw-r--r--frontends/etc/relayd.conf.tpl11
-rw-r--r--frontends/scripts/acme.sh.tpl22
-rw-r--r--frontends/var/nsd/zones/master/buetow.org.zone.tpl1
-rw-r--r--frontends/var/nsd/zones/master/dtail.dev.zone.tpl1
7 files changed, 182 insertions, 131 deletions
diff --git a/frontends/Rexfile b/frontends/Rexfile
index 6ffd55a..5eeda02 100644
--- a/frontends/Rexfile
+++ b/frontends/Rexfile
@@ -40,12 +40,18 @@ our $ipv6address = sub {
# facts aren't set yet due to the myname file in the first place.
our $fqdns = sub {
my $ipv4 = shift;
- return 'blowfish.buetow.org' if $ipv4 eq '23.88.35.144';
+ return 'blowfish.buetow.org' if $ipv4 eq '23.88.35.144';
return 'twofish.buetow.org' if $ipv4 eq '108.160.134.135';
Rex::Logger::info("Unable to determine hostname for $ipv4", 'error');
return 'HOSTNAME-UNKNOWN.buetow.org';
};
+# To determine whether te server is te primary or the secondary.
+our $is_primary = sub {
+ my $ipv4 = shift;
+ $fqdns->($ipv4) eq 'blowfish.buetow.org';
+};
+
our $filewalk;
our $filewalk = sub {
my $dir = shift;
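Review bot: The comment added above `$is_primary` is misspelled (`te server is te primary`) and the closure relies on an implicit return value; I would write `# Whether this host is the primary (blowfish) or the secondary.` and `return $fqdns->($ipv4) eq 'blowfish.buetow.org';`. Note that `$fqdns` only logs an error for an unrecognised address and returns `HOSTNAME-UNKNOWN.buetow.org`, so such a host is silently rendered as the secondary (every template then uses the `www.` prefix) rather than aborting the run; if that is not intended, `die` in `$fqdns` or check the result here before rendering configs.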
@@ -71,6 +77,7 @@ our $filewalk = sub {
our $secrets = sub { read_file './secrets/' . shift };
our @dns_zones = qw/buetow.org dtail.dev foo.surf foo.zone irregular.ninja sidewalk.ninja snonux.de snonux.me snonux.land/;
+our @acme_hosts = qw/paul.buetow.org buetow.org dtail.dev foo.zone irregular.ninja snonux.land/;
# UTILITY TASKS
@@ -79,35 +86,6 @@ task 'dump_info', group => 'frontends', sub { dump_system_information };
# OPENBSD TASKS SECTION
-desc 'Install certificates from the secret store';
-task 'certs', group => 'frontends',
- sub {
- my $restart_services = FALSE;
-
- for my $source ($filewalk->('./secrets/etc/ssl')) {
- my $dest = $source;
- $dest =~ s/.*secrets//;
- my $mode = $dest =~ /private/ ? '440' : '644';
-
- Rex::Logger::info("Dealing with $dest");
- file $dest,
- source => $source,
- owner => 'root',
- group => 'www',
- mode => $mode,
- on_change => sub {
- Rex::Logger::info("$dest changed, scheduling services restart");
- $restart_services = TRUE;
- };
- }
-
- if ($restart_services) {
- service 'httpd' => 'restart';
- service 'relayd' => 'restart';
- service 'smtpd' => 'restart';
- }
- };
-
desc 'Install base stuff';
task 'base', group => 'frontends',
sub {
@@ -132,6 +110,40 @@ task 'uptimed', group => 'frontends',
service 'uptimed', ensure => 'started';
};
+desc 'Configure ACME client';
+task 'acme', group => 'frontends',
+ sub {
+ file '/etc/acme-client.conf',
+ content => template('./etc/acme-client.conf.tpl',
+ acme_hosts => \@acme_hosts,
+ is_primary => $is_primary),
+ owner => 'root',
+ group => 'wheel',
+ mode => '644';
+
+ file '/usr/local/bin/acme.sh',
+ content => template('./scripts/acme.sh.tpl',
+ acme_hosts => \@acme_hosts,
+ is_primary => $is_primary),
+ owner => 'root',
+ group => 'wheel',
+ mode => '744';
+
+ file '/etc/daily.local',
+ ensure => 'present',
+ owner => 'root',
+ group => 'wheel',
+ mode => '744';
+
+ append_if_no_such_line '/etc/daily.local', '/usr/local/bin/acme.sh';
+ };
+
+desc 'Invoke ACME client';
+task 'acme_invoke', group => 'frontends',
+ sub {
+ say run '/usr/local/bin/acme.sh';
+ };
+
desc 'Setup httpd';
task 'httpd', group => 'frontends',
sub {
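Review bot: `say run '/usr/local/bin/acme.sh'` in `acme_invoke` prints the output but never looks at the exit status, so a failed certificate request still leaves `commons` reporting success. Rex sets `$?` after `run`, so `my $out = run '/usr/local/bin/acme.sh'; say $out; die "acme.sh failed with status $?" if $?;` would surface it (provided acme.sh itself exits non-zero on failure, which as templated in this commit it does not). Since `commons` invokes this task on every run, acme-client is contacted on each deployment; it only renews certificates close to expiry, but `acme.sh` reloads httpd and relayd unconditionally, which is worth a sentence in the task's `desc`.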
@@ -139,7 +151,9 @@ task 'httpd', group => 'frontends',
#delete_lines_according_to qr{httpd_flags}, '/etc/rc.conf.local';
file '/etc/httpd.conf',
- source => './etc/httpd.conf',
+ content => template('./etc/httpd.conf.tpl',
+ acme_hosts => \@acme_hosts,
+ is_primary => $is_primary),
owner => 'root',
group => 'wheel',
mode => '644',
@@ -169,7 +183,9 @@ task 'relayd', group => 'frontends',
append_if_no_such_line '/etc/rc.conf.local', 'relayd_flags=';
file '/etc/relayd.conf',
- content => template('./etc/relayd.conf.tpl', ipv6address => $ipv6address),
+ content => template('./etc/relayd.conf.tpl',
+ ipv6address => $ipv6address,
+ is_primary => $is_primary),
owner => 'root',
group => 'wheel',
mode => '600',
@@ -297,10 +313,11 @@ task 'failunderd', group => 'frontends',
desc 'Common configs of all hosts';
task 'commons', group => 'frontends',
sub {
- certs();
base();
uptimed();
httpd();
+ acme();
+ acme_invoke();
inetd();
relayd();
smtpd();
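Review bot: Ordering in `commons`: `httpd()` now installs a configuration whose TLS server blocks reference `/etc/ssl/<host>.fullchain.pem` and the matching keys, but those files are only produced by `acme_invoke()`, which runs afterwards, and `certs()` (which previously copied certificates from the secret store) is removed. On a freshly provisioned host httpd will presumably refuse to load a config pointing at missing key/certificate files, and without httpd answering on port 80 the HTTP-01 challenge cannot complete either, so the first run looks like a chicken-and-egg situation. A bootstrap step that serves only the port-80 ACME blocks until the first certificates exist, or a comment documenting the manual bootstrap, would help. The body of `commons` continues past the hunk.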
diff --git a/frontends/etc/acme-client.conf.tpl b/frontends/etc/acme-client.conf.tpl
new file mode 100644
index 0000000..681f357
--- /dev/null
+++ b/frontends/etc/acme-client.conf.tpl
@@ -0,0 +1,37 @@
+#
+# $OpenBSD: acme-client.conf,v 1.4 2020/09/17 09:13:06 florian Exp $
+#
+authority letsencrypt {
+ api url "https://acme-v02.api.letsencrypt.org/directory"
+ account key "/etc/acme/letsencrypt-privkey.pem"
+}
+
+authority letsencrypt-staging {
+ api url "https://acme-staging-v02.api.letsencrypt.org/directory"
+ account key "/etc/acme/letsencrypt-staging-privkey.pem"
+}
+
+authority buypass {
+ api url "https://api.buypass.com/acme/directory"
+ account key "/etc/acme/buypass-privkey.pem"
+ contact "mailto:me@example.com"
+}
+
+authority buypass-test {
+ api url "https://api.test4.buypass.no/acme/directory"
+ account key "/etc/acme/buypass-test-privkey.pem"
+ contact "mailto:me@example.com"
+}
+
+<%
+ our $primary = $is_primary->($vio0_ip);
+ our $prefix = $primary ? '' : 'www.';
+%>
+
+<% for my $host (@$acme_hosts) { %>
+domain <%= $prefix.$host %> {
+ domain key "/etc/ssl/private/<%= $prefix.$host %>.key"
+ domain full chain certificate "/etc/ssl/<%= $prefix.$host %>.fullchain.pem"
+ sign with letsencrypt
+}
+<% } %>
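Review bot: The `buypass` and `buypass-test` authorities are never referenced (every domain block signs with `letsencrypt`) and still carry the upstream sample's placeholder `contact "mailto:me@example.com"`; I would drop them, or at least the placeholder contact, so a later copy-paste does not register an account with a fake address. `$vio0_ip` is not among the variables passed to `template()` in the Rexfile and presumably comes from Rex's host facts; a comment such as `# $vio0_ip is a Rex network fact; $is_primary and $acme_hosts are passed in from the Rexfile` above the `<% %>` block would spare the next reader the search. `our $primary`/`our $prefix` declare package globals; `my` would do unless the template engine needs them visible across separate `<% %>` blocks.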
diff --git a/frontends/etc/httpd.conf b/frontends/etc/httpd.conf.tpl
index 044849e..c536766 100644
--- a/frontends/etc/httpd.conf
+++ b/frontends/etc/httpd.conf.tpl
@@ -1,76 +1,94 @@
-server "foo.zone" {
+<%
+ our $primary = $is_primary->($vio0_ip);
+ our $prefix = $primary ? '' : 'www.';
+%>
+
+# Plain HTTP for ACME and HTTPS redirect
+<% for my $host (@$acme_hosts) { %>
+server "<%= $prefix.$host %>" {
listen on * port 80
- block return 302 "https://foo.zone"
-}
-
-server "www.foo.zone" {
- listen on * port 80
- block return 302 "https://www.foo.zone"
+ location "/.well-known/acme-challenge/*" {
+ root "/acme"
+ request strip 2
+ }
+ location * {
+ block return 302 "https://$HTTP_HOST$REQUEST_URI"
+ }
}
+<% } %>
-server "foo.zone" {
- alias "www.foo.zone"
+# Gemtexter hosts
+<% for my $host (qw/foo.zone snonux.land/) { %>
+server "<%= $prefix.$host %>" {
listen on * tls port 443
tls {
- certificate "/etc/ssl/foo.zone.fullchain.pem"
- key "/etc/ssl/private/foo.zone.key"
+ certificate "/etc/ssl/<%= $prefix.$host %>.fullchain.pem"
+ key "/etc/ssl/private/<%= $prefix.$host %>.key"
}
- location "/*" {
- root "/htdocs/gemtexter/foo.zone"
+ location * {
+ root "/htdocs/gemtexter/<%= $host %>"
directory auto index
}
}
+<% } %>
-server "snonux.land" {
- listen on * port 80
- block return 302 "https://snonux.land"
-}
-
-server "www.snonux.land" {
- listen on * port 80
- block return 302 "https://www.snonux.land"
+# DTail special host
+server "<%= $prefix %>dtail.dev" {
+ listen on * tls port 443
+ tls {
+ certificate "/etc/ssl/<%= $prefix %>dtail.dev.fullchain.pem"
+ key "/etc/ssl/private/<%= $prefix %>dtail.dev.key"
+ }
+ location * {
+ block return 302 "https://github.dtail.dev$REQUEST_URI"
+ }
}
-server "snonux.land" {
- alias "www.snonux.land"
+# Irregular Ninja special host
+server "<%= $prefix %>irregular.ninja" {
listen on * tls port 443
tls {
- certificate "/etc/ssl/foo.zone.fullchain.pem"
- key "/etc/ssl/private/foo.zone.key"
+ certificate "/etc/ssl/<%= $prefix %>irregular.ninja.fullchain.pem"
+ key "/etc/ssl/private/<%= $prefix %>irregular.ninja.key"
}
- location "/*" {
- root "/htdocs/gemtexter/foo.zone/notes"
+ location * {
+ root "/htdocs/irregular.ninja"
directory auto index
}
}
-server "irregular.ninja" {
- listen on * port 80
- block return 302 "https://irregular.ninja"
-}
-
-server "www.irregular.ninja" {
- listen on * port 80
- block return 302 "https://www.irregular.ninja"
-}
-
-server "irregular.ninja" {
- alias "www.irregular.ninja"
+# buetow.org special host.
+server "<%= $prefix %>buetow.org" {
listen on * tls port 443
tls {
- certificate "/etc/ssl/irregular.ninja.fullchain.pem"
- key "/etc/ssl/private/irregular.ninja.key"
+ certificate "/etc/ssl/<%= $prefix %>buetow.org.fullchain.pem"
+ key "/etc/ssl/private/<%= $prefix %>buetow.org.key"
}
- location "/*" {
- root "/htdocs/irregular.ninja"
+ root "/htdocs/buetow.org"
+ location match "/tmp/.*" {
directory auto index
}
+ location match "/.*" {
+ block return 302 "https://paul.buetow.org"
+ }
+}
+
+<% if ($primary) { %>
+server "paul.buetow.org" {
+ listen on * tls port 443
+ tls {
+ certificate "/etc/ssl/paul.buetow.org.fullchain.pem"
+ key "/etc/ssl/private/paul.buetow.org.key"
+ }
+ block return 302 "https://foo.zone/contact-information.html"
}
+<% } %>
+# Legacy hosts
server "snonux.de" {
alias "www.snonux.de"
listen on * port 80
- block return 302 "https://foo.zone$REQUEST_URI"
+ block return 302 "https://foo.zone$REQUEST_URI"
}
server "snonux.de" {
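Review bot: The port-80 redirect in the ACME loop uses `block return 302 "https://$HTTP_HOST$REQUEST_URI"`, i.e. it echoes the client-supplied Host header into the Location. Inside a named `server` block httpd only dispatches here when Host matched the name, but if I recall httpd.conf(5) correctly an unmatched Host falls back to the first server listening on that port (`server "default"` at the end of the file is just a name, not a catch-all), and the first block rendered is now `<prefix>paul.buetow.org`, which would turn this redirect into an open one. The target name is known at render time, so `block return 302 "https://<%= $prefix.$host %>$REQUEST_URI"` keeps the behaviour and drops the dependency on the header. The `# Legacy hosts` section (`snonux.de`, `sidewalk.ninja`, …) continues past the hunk.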
@@ -115,57 +133,7 @@ server "sidewalk.ninja" {
block return 302 "https://irregular.ninja$REQUEST_URI"
}
-server "buetow.org" {
- alias "www.buetow.org"
- listen on * port 80
- block return 302 "https://foo.zone$REQUEST_URI"
-}
-
-server "paul.buetow.org" {
- alias "contact.buetow.org"
- listen on * port 80
- block return 302 "https://foo.zone/contact-information.html"
-}
-
-server "tmp.buetow.org" {
- listen on * port 80
- block return 302 "https://buetow.org/tmp/"
-}
-
-server "buetow.org" {
- alias "www.buetow.org"
- listen on * tls port 443
- tls {
- certificate "/etc/ssl/buetow.org.fullchain.pem"
- key "/etc/ssl/private/buetow.org.key"
- }
- root "/htdocs/buetow.org"
- location match "/tmp/.*" {
- directory auto index
- }
- location match "/.*" {
- block return 302 "https://foo.zone$REQUEST_URI"
- }
-}
-
-server "dtail.dev" {
- alias "www.dtail.dev"
- listen on * port 80
- block return 302 "https://dail.dev"
-}
-
-server "dtail.dev" {
- alias "www.dtail.dev"
- listen on * tls port 443
- tls {
- certificate "/etc/ssl/dtail.dev.fullchain.pem"
- key "/etc/ssl/private/dtail.dev.key"
- }
- location * {
- block return 302 "https://github.dtail.dev"
- }
-}
-
+# Defaults
server "default" {
listen on * port 80
block return 302 "https://foo.zone$REQUEST_URI"
diff --git a/frontends/etc/relayd.conf.tpl b/frontends/etc/relayd.conf.tpl
index d8553b2..4d702be 100644
--- a/frontends/etc/relayd.conf.tpl
+++ b/frontends/etc/relayd.conf.tpl
@@ -1,10 +1,15 @@
+<%
+ our $primary = $is_primary->($vio0_ip);
+ our $prefix = $primary ? '' : 'www.';
+%>
+
log connection
tcp protocol "gemini" {
- tls keypair buetow.org
+ tls keypair <%= $prefix %>foo.zone
+ tls keypair <%= $prefix %>buetow.org
+ tls keypair <%= $prefix %>snonux.land
tls keypair snonux.de
- tls keypair foo.zone
- tls keypair irregular.ninja
}
relay "gemini4" {
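Review bot: `tls keypair snonux.de` is kept while the `certs` task that installed certificates from the secret store is removed in this commit and `snonux.de` is not in `@acme_hosts`, so nothing in the Rexfile now provisions `/etc/ssl/snonux.de.crt` and its key (the same applies to the `# Legacy hosts` TLS blocks in httpd.conf.tpl). Unless those files are already present on the hosts and maintained by hand, relayd will fail its config check on a rebuilt host; either add `snonux.de` to `@acme_hosts` or document where that keypair comes from with a comment next to the line. The `irregular.ninja` keypair is dropped here although httpd still serves that host over TLS; presumably intentional for the gemini relay, but a comment would avoid the question. The `relay "gemini4"` block continues past the hunk.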
diff --git a/frontends/scripts/acme.sh.tpl b/frontends/scripts/acme.sh.tpl
new file mode 100644
index 0000000..8039168
--- /dev/null
+++ b/frontends/scripts/acme.sh.tpl
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+<%
+ our $primary = $is_primary->($vio0_ip);
+ our $prefix = $primary ? '' : 'www.';
+-%>
+
+<% for my $host (@$acme_hosts) { -%>
+# Requesting and renewing certificate.
+/usr/sbin/acme-client -v <%= $prefix.$host %>
+# Create symlink, so that relayd also can read it.
+crt_path=/etc/ssl/<%= $prefix.$host %>
+if [ -e $crt_path.crt ]; then
+ rm $crt_path.crt
+fi
+ln -s $crt_path.fullchain.pem $crt_path.crt
+
+<% } -%>
+
+# Pick up the new certs.
+/usr/sbin/rcctl reload httpd
+/usr/sbin/rcctl reload relayd
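Review bot: The script never propagates a failure: `acme-client` exits 1 on error and 2 when the certificate is still valid, but neither status is inspected, the reloads run unconditionally and the last `rcctl` decides the exit code, so `daily(8)` and the `acme_invoke` task both see success even when every request failed. I would track the status per host, replace the `rm`/`ln -s` pair with `ln -sf`, reload only when something was actually issued, and exit non-zero on any failure. The template prologue is unchanged; the loop and the tail become:
```shell
changed=0
failed=0
<% for my $host (@$acme_hosts) { -%>
# Requesting and renewing certificate.
/usr/sbin/acme-client -v <%= $prefix.$host %>
case $? in
    0) changed=1 ;;   # certificate issued or renewed
    2) ;;             # still valid, nothing to do
    *) failed=1 ;;
esac
# Create symlink, so that relayd also can read it.
crt_path=/etc/ssl/<%= $prefix.$host %>
ln -sf "$crt_path.fullchain.pem" "$crt_path.crt"

<% } -%>

# Pick up the new certs.
if [ "$changed" -eq 1 ]; then
    /usr/sbin/rcctl reload httpd
    /usr/sbin/rcctl reload relayd
fi
exit "$failed"
```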
diff --git a/frontends/var/nsd/zones/master/buetow.org.zone.tpl b/frontends/var/nsd/zones/master/buetow.org.zone.tpl
index 42bff2d..df35a53 100644
--- a/frontends/var/nsd/zones/master/buetow.org.zone.tpl
+++ b/frontends/var/nsd/zones/master/buetow.org.zone.tpl
@@ -27,6 +27,7 @@ twofish 86400 IN A 108.160.134.135
twofish 86400 IN AAAA 2401:c080:1000:45af:5400:3ff:fec6:ca1d
git2 3600 IN CNAME twofish
www 3600 IN CNAME twofish
+www.paul 3600 IN CNAME twofish
vulcan 86400 IN A 95.216.174.192
vulcan 86400 IN AAAA 2a01:4f9:c010:250e::1
diff --git a/frontends/var/nsd/zones/master/dtail.dev.zone.tpl b/frontends/var/nsd/zones/master/dtail.dev.zone.tpl
index 0d67272..72e531b 100644
--- a/frontends/var/nsd/zones/master/dtail.dev.zone.tpl
+++ b/frontends/var/nsd/zones/master/dtail.dev.zone.tpl
@@ -12,5 +12,6 @@ $TTL 4h
86400 IN A 23.88.35.144
86400 IN AAAA 2a01:4f8:c17:20f1::4
* 86400 IN CNAME blowfish.buetow.org.
+www 86400 IN CNAME twofish.buetow.org.
github 86400 IN CNAME mimecast.github.io.