zabbix appliance

privacyidea/Makefile

@@ -0,0 +1,91 @@
+PIUSER = $(CHROOT)/var/tmp/piuser
+02firstboot = $(CHROOT)/etc/local.d/02firstboot.start
+cert-renew.sh = $(CHROOT)/etc/ssl/cert-renew.sh
+apache_conf = $(CHROOT)/etc/apache2/vhosts.d/00_default_ssl_vhost.conf.orig
+pi_log = $(CHROOT)/var/log/privacyidea/privacyidea.log
+radius_dict = $(CHROOT)/etc/raddb/dictionary.orig
+radius_module = $(CHROOT)/etc/raddb/mods-enabled/perl-privacyidea
+radius_site = $(CHROOT)/etc/raddb/sites-enabled/privacyidea
+
+systemd-units: appliance/MySQL-Backup.sh appliance/backup.service appliance/backup.timer appliance/cert-renew.service appliance/cert-renew.timer
+	cp appliance/MySQL-Backup.sh $(CHROOT)/usr/local/bin/
+	cp appliance/backup.service appliance/backup.timer appliance/cert-renew.service appliance/cert-renew.timer $(CHROOT)/etc/systemd/system/
+
+$(PIUSER):
+	-RUN useradd --system --comment="created from appliance building - privacyidea user" --home-dir="/var/lib/privacyidea/home" --shell="/sbin/nologin" --no-create-home --uid 605 --user-group privacyidea
+	touch $(PIUSER)
+
+$(02firstboot): appliance/02firstboot.start
+	mkdir -p $(CHROOT)/etc/local.d
+	cp $< $@
+	touch $(CHROOT)/02firstboot
+
+$(cert-renew.sh): appliance/cert-renew.sh
+	mkdir -p $(CHROOT)/etc/ssl
+	cp $< $@
+
+$(apache_conf): $(CHROOT)/etc/apache2/vhosts.d/00_default_ssl_vhost.conf
+	sed -i 's:APACHE2_OPTS=\":APACHE2_OPTS=\"-D WSGI :' $(CHROOT)/etc/conf.d/apache2
+
+	mv $(CHROOT)/etc/apache2/vhosts.d/00_default_ssl_vhost.conf $(apache_conf)
+	# vor </VirtualHost> Zeilen einfügen:
+	sed '/<\/VirtualHost>/Q' $(apache_conf) >$(CHROOT)/etc/apache2/vhosts.d/00_default_ssl_vhost.conf
+	echo "    <Directory />" >>$(CHROOT)/etc/apache2/vhosts.d/00_default_ssl_vhost.conf
+	echo "        Require all granted" >>$(CHROOT)/etc/apache2/vhosts.d/00_default_ssl_vhost.conf
+	echo "        Options FollowSymLinks" >>$(CHROOT)/etc/apache2/vhosts.d/00_default_ssl_vhost.conf
+	echo "        AllowOverride None" >>$(CHROOT)/etc/apache2/vhosts.d/00_default_ssl_vhost.conf
+	echo "    </Directory>" >>$(CHROOT)/etc/apache2/vhosts.d/00_default_ssl_vhost.conf
+	echo "" >>$(CHROOT)/etc/apache2/vhosts.d/00_default_ssl_vhost.conf
+	echo "    WSGIScriptAlias / /etc/privacyidea/privacyideaapp.wsgi" >>$(CHROOT)/etc/apache2/vhosts.d/00_default_ssl_vhost.conf
+	echo "    WSGIDaemonProcess privacyidea processes=1 threads=15 display-name=%{GROUP} user=privacyidea" >>$(CHROOT)/etc/apache2/vhosts.d/00_default_ssl_vhost.conf
+	echo "    WSGIProcessGroup privacyidea" >>$(CHROOT)/etc/apache2/vhosts.d/00_default_ssl_vhost.conf
+	echo "    WSGIPassAuthorization On" >>$(CHROOT)/etc/apache2/vhosts.d/00_default_ssl_vhost.conf
+	echo "" >>$(CHROOT)/etc/apache2/vhosts.d/00_default_ssl_vhost.conf
+	grep -A 9999 '<\/VirtualHost>' $(apache_conf) >>$(CHROOT)/etc/apache2/vhosts.d/00_default_ssl_vhost.conf
+
+	touch $(apache_conf)
+
+$(pi_log):
+	touch $(CHROOT)/var/log/privacyidea/privacyidea.log
+	RUN chown privacyidea:root /var/log/privacyidea/privacyidea.log
+
+$(radius_dict): $(CHROOT)/etc/privacyidea/dictionary
+	if ! test -e $(radius_dict); \
+		then mv $(CHROOT)/etc/raddb/dictionary $(radius_dict); \
+	fi
+	cp -f $(CHROOT)/etc/privacyidea/dictionary $(CHROOT)/etc/raddb/dictionary
+	RUN chown root:radius /etc/raddb/dictionary
+	chmod 640 $(CHROOT)/etc/raddb/dictionary
+	touch $(radius_dict)
+
+$(radius_module): $(CHROOT)/etc/privacyidea/freeradius3/mods-perl-privacyidea
+	cp $(CHROOT)/etc/privacyidea/freeradius3/mods-perl-privacyidea $(CHROOT)/etc/raddb/mods-available/perl-privacyidea
+	rm $(CHROOT)/etc/raddb/mods-enabled/eap
+	ln -s ../mods-available/perl-privacyidea $(radius_module)
+
+$(radius_site): $(CHROOT)/etc/privacyidea/freeradius3/privacyidea
+	cp $(CHROOT)/etc/privacyidea/freeradius3/privacyidea $(CHROOT)/etc/raddb/sites-available/privacyidea
+	RUN chown root:radius /etc/raddb/sites-available/privacyidea
+	chmod 640 $(CHROOT)/etc/raddb/sites-available/privacyidea
+	rm $(CHROOT)/etc/raddb/sites-enabled/*
+	ln -s ../sites-available/privacyidea $(radius_site)
+
+$(CHROOT)/var/lib/mysql: mariadb/my.cnf.root
+	# MariaDB-Konfiguration ($$, weil make ein $ entfernt)
+	sed -i "s/^character-set-server.*$$/character-set-server = utf8mb4/" $(CHROOT)/etc/mysql/mariadb.d/50-distro-server.cnf
+	echo >> $(CHROOT)/etc/mysql/mariadb.d/50-distro-server.cnf
+	echo "collation-server = utf8mb4_general_ci" >> $(CHROOT)/etc/mysql/mariadb.d/50-distro-server.cnf
+	echo "transaction_isolation = READ-COMMITTED" >> $(CHROOT)/etc/mysql/mariadb.d/50-distro-server.cnf
+	echo "binlog_format = ROW" >> $(CHROOT)/etc/mysql/mariadb.d/50-distro-server.cnf
+	echo "expire_logs_days = 3" >> $(CHROOT)/etc/mysql/mariadb.d/50-distro-server.cnf
+	echo "innodb_file_per_table = 1" >> $(CHROOT)/etc/mysql/mariadb.d/50-distro-server.cnf
+	echo "innodb_large_prefix = on" >> $(CHROOT)/etc/mysql/mariadb.d/50-distro-server.cnf
+	cp mariadb/my.cnf.root $(CHROOT)/root/.my.cnf
+	chmod 0600 $(CHROOT)/root/.my.cnf
+	rm -rf $(CHROOT)/var/lib/mysql/*
+	RUN bash -c 'yes gentoo | emerge --config dev-db/mariadb'
+
+
+preinstall: $(PIUSER)
+
+postinstall: systemd-units $(apache_conf) $(02firstboot) $(cert-renew.sh) $(pi_log) $(radius_dict) $(radius_module) $(radius_site) $(CHROOT)/var/lib/mysql

privacyidea/appliance/02firstboot.start

@@ -0,0 +1,148 @@
+#!/bin/bash
+
+# variables
+LABEL="DATA"
+DATABASE_PASS=$(head -c 300 /dev/urandom | tr -cd 'a-zA-Z0-9' | head -c 16)
+PI_SECRET_KEY=$(head -c 300 /dev/urandom | tr -cd 'a-zA-Z0-9' | head -c 16)
+PI_PEPPER=$(head -c 300 /dev/urandom | tr -cd 'a-zA-Z0-9' | head -c 16)
+ADMIN_PASS="privacyidea"
+TLD="example.com"
+HOST="privacyidea"
+ORGNAME="privacyIDEA example"
+
+# start
+set -e
+
+[ -e /01firstboot ] && exit 0
+[ -e /02firstboot ] || exit 0
+
+# privacyIDEA configuration
+if [ ! -d "/$LABEL/etc/privacyidea" ]; then
+    echo 'Create privacyIDEA configfile...'
+    mkdir -p /$LABEL/etc/privacyidea
+    chown privacyidea /$LABEL/etc/privacyidea
+    cp /etc/privacyidea/pi.cfg /$LABEL/etc/privacyidea/pi.cfg.orig
+    mv /etc/privacyidea/pi.cfg /$LABEL/etc/privacyidea/pi.cfg
+    ln -s /$LABEL/etc/privacyidea/pi.cfg /etc/privacyidea/pi.cfg
+    sed -i "s/^SUPERUSER_REALM = .*/SUPERUSER_REALM = ['admin']/" /$LABEL/etc/privacyidea/pi.cfg
+    sed -i "s/^SQLALCHEMY_DATABASE_URI = .*/SQLALCHEMY_DATABASE_URI = 'mysql:\/\/pi:$DATABASE_PASS@localhost\/pi'/" /$LABEL/etc/privacyidea/pi.cfg
+    sed -i "s/^SECRET_KEY = .*/SECRET_KEY = '$PI_SECRET_KEY'/" /$LABEL/etc/privacyidea/pi.cfg
+    sed -i "s/^PI_PEPPER = .*/PI_PEPPER = \"$PI_PEPPER\"/" /$LABEL/etc/privacyidea/pi.cfg
+    sed -i "s/^PI_ENCFILE = .*/PI_ENCFILE = '\/etc\/privacyidea\/enckey'/" /$LABEL/etc/privacyidea/pi.cfg
+    sed -i "s/^PI_AUDIT_KEY_PRIVATE = .*/PI_AUDIT_KEY_PRIVATE = '\/etc\/privacyidea\/private.pem'/" /$LABEL/etc/privacyidea/pi.cfg
+    sed -i "s/^PI_AUDIT_KEY_PUBLIC = .*/PI_AUDIT_KEY_PUBLIC = '\/etc\/privacyidea\/public.pem'/" /$LABEL/etc/privacyidea/pi.cfg
+    echo "SQLALCHEMY_TRACK_MODIFICATIONS = False" >> /$LABEL/etc/privacyidea/pi.cfg
+
+    echo 'Create privacyIDEA encryption and audit keys...'
+    rm -rf /etc/privacyidea/enckey
+    pi-manage create_enckey
+    mv /etc/privacyidea/enckey /$LABEL/etc/privacyidea/enckey
+    chown privacyidea /$LABEL/etc/privacyidea/enckey
+    ln -s /$LABEL/etc/privacyidea/enckey /etc/privacyidea/enckey
+
+    rm -rf /etc/privacyidea/public.pem /etc/privacyidea/private.pem
+    pi-manage create_audit_keys
+    mv /etc/privacyidea/private.pem /$LABEL/etc/privacyidea/private.pem
+    mv /etc/privacyidea/public.pem /$LABEL/etc/privacyidea/public.pem
+    chown privacyidea /$LABEL/etc/privacyidea/*.pem
+    ln -s /$LABEL/etc/privacyidea/private.pem /etc/privacyidea/private.pem
+    ln -s /$LABEL/etc/privacyidea/public.pem /etc/privacyidea/public.pem
+else
+    if [ ! -L /etc/privacyidea/pi.cfg ]; then
+        rm -rf /$LABEL/etc/privacyidea/pi.cfg.orig
+        mv /etc/privacyidea/pi.cfg /$LABEL/etc/privacyidea/pi.cfg.orig
+    else
+        rm -rf /etc/privacyidea/pi.cfg
+    fi
+    ln -s /$LABEL/etc/privacyidea/pi.cfg /etc/privacyidea/pi.cfg
+
+    rm -rf /etc/privacyidea/enckey
+    ln -s /$LABEL/etc/privacyidea/enckey /etc/privacyidea/enckey
+
+    rm -rf /etc/privacyidea/public.pem /etc/privacyidea/private.pem
+    ln -s /$LABEL/etc/privacyidea/private.pem /etc/privacyidea/private.pem
+    ln -s /$LABEL/etc/privacyidea/public.pem /etc/privacyidea/public.pem
+fi
+
+
+# Database
+systemctl stop mariadb
+if [ ! -d "/$LABEL/var/lib/mysql/pi" ]; then
+    echo 'Initialize MariaDB...'
+    mkdir -p "/$LABEL/var/lib"
+    rm -rf "/$LABEL/var/lib/mysql"
+    if [ ! -L /var/lib/mysql ]; then
+        rm -rf "/$LABEL/var/lib/mysql.orig"
+        cp -a "/var/lib/mysql" "/$LABEL/var/lib/mysql.orig"
+        mv "/var/lib/mysql" "/$LABEL/var/lib/mysql"
+        ln -s "/$LABEL/var/lib/mysql" "/var/lib/mysql"
+    elif [ -d "/$LABEL/var/lib/mysql.orig" ]; then
+        cp -a "/$LABEL/var/lib/mysql.orig" "/$LABEL/var/lib/mysql"
+        rm -rf "/var/lib/mysql"
+        ln -s "/$LABEL/var/lib/mysql" "/var/lib/mysql"
+    else
+        echo '### ERROR initialize database !!! ###'
+        exit 1
+    fi
+    systemctl start mariadb
+    sleep 5
+
+    echo 'Create privacyIDEA database...'
+    mysql -u root -e "CREATE USER 'pi'@'localhost' IDENTIFIED BY '$DATABASE_PASS'"
+    mysql -u root -e "CREATE DATABASE pi DEFAULT CHARACTER SET latin1 COLLATE latin1_swedish_ci;"
+    mysql -u root -e "GRANT ALL PRIVILEGES ON pi.* TO 'pi'@'localhost' IDENTIFIED by '$DATABASE_PASS';"
+    mysql -u root -e "FLUSH PRIVILEGES;"
+
+    pi-manage createdb
+    pi-manage admin add -p "$ADMIN_PASS" admin
+
+else
+    echo 'Start MariaDB...'
+    if [ ! -L /var/lib/mysql ]; then
+        rm -rf "/$LABEL/var/lib/mysql.orig"
+        mv "/var/lib/mysql" "/$LABEL/var/lib/mysql.orig"
+    else
+        rm -f "/var/lib/mysql"
+    fi
+    ln -s "/$LABEL/var/lib/mysql" "/var/lib/mysql"
+    systemctl start mariadb
+fi
+
+if [ -x "/$LABEL/etc/ssl/cert-renew.sh" ]; then
+    # angepaßtes Zertifikat vorhanden (kein example)
+    if [ ! -L /etc/ssl/cert-renew.sh ]; then
+        rm -f "/$LABEL/etc/ssl/cert-renew.sh.orig"
+        mv "/etc/ssl/cert-renew.sh" "/$LABEL/etc/ssl/cert-renew.sh.orig"
+    else
+        rm -f "/etc/ssl/cert-renew.sh"
+    fi
+    ln -s "/$LABEL/etc/ssl/cert-renew.sh" "/etc/ssl/cert-renew.sh"
+else
+    echo 'Create example certificate...'
+    mkdir -p "/$LABEL/CERTS/KEYS/"
+    mkdir -p "/$LABEL/CERTS/$HOST.$TLD"
+    echo "FQDN = $HOST.$TLD" > "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
+    echo "ORGNAME = $ORGNAME" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
+    echo "ALTNAMES = DNS:$HOST.$TLD , DNS:$TLD" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
+    echo -e "\n[ req ]\ndefault_bits = 4096\ndefault_md = sha256\nprompt = no\nencrypt_key = no\ndistinguished_name = dn\nreq_extensions = req_ext\ndefault_keyfile = ../KEYS/\$FQDN-key.pem\n" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
+    echo -e "\n[ dn ]\nC = DE\nO = \$ORGNAME\nCN = \$FQDN\n" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
+    echo -e "\n[ req_ext ]\nsubjectAltName = \$ALTNAMES" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
+    openssl req -x509 -new -config "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf" -out "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-cert.pem" -keyout "/$LABEL/CERTS/KEYS/$HOST.$TLD-key.pem"
+    cp "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-cert.pem" "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-fullchain.pem"
+    touch "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-chain.pem"
+fi
+
+rm -rf /etc/ssl/apache2
+mkdir -p /etc/ssl
+ln -sf "/$LABEL/etc/ssl/apache2" "/etc/ssl/apache2"
+
+/etc/ssl/cert-renew.sh
+
+systemctl enable mariadb
+systemctl enable freeradius
+systemctl enable apache2
+
+systemctl restart freeradius
+systemctl restart apache2
+
+rm /02firstboot

privacyidea/appliance/MySQL-Backup.sh

@@ -0,0 +1,32 @@
+#!/bin/bash
+PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"
+
+DIR="/DATA/Backup/MySQL"
+
+if [ -z $1 ]; then
+ echo "database name missing! use --all for all db's"
+ exit 1;
+elif [ $1 = '--all' ]; then
+ echo "full backup"
+ for i in `mysqlshow --defaults-file=/root/.my.cnf | awk '{print $2}' | grep -v Databases`; do
+  if [ "$i" != "information_schema" ] && [ "$i" != "performance_schema" ]; then
+   if test -f ${DIR}/${i}.sql; then
+    echo "Move ${DIR}/${i}.sql to ${DIR}/${i}.sql.1"
+    mv ${DIR}/${i}.sql ${DIR}/${i}.sql.1
+   fi
+   echo "dump ${i} to ${DIR}/${i}.sgl"
+   mysqldump --defaults-file=/root/.my.cnf --single-transaction --events --opt -QF -r${DIR}/${i}.sql $i
+   chmod 600 ${DIR}/${i}.sql
+  fi
+ done;
+elif [ -n $1 ]; then
+ echo "Starting backup of $1"
+ if test -f $DIR/$1.sql; then
+  echo "Move $DIR/$1.sql to $DIR/$1.sql.1"
+  mv ${DIR}/${1}.sql ${DIR}/${1}.sql.1
+ fi
+ mysqldump --defaults-file=/root/.my.cnf --single-transaction --opt -QF -r${DIR}/${1}.sql $1
+ chmod 600 ${DIR}/${1}.sql
+fi
+echo "Done"
+exit 0;

privacyidea/appliance/backup.service

@@ -0,0 +1,8 @@
+[Unit]
+Description=execute backup tasks
+RefuseManualStart=no
+RefuseManualStop=yes
+ 
+[Service]
+Type=oneshot
+ExecStart=/usr/local/bin/MySQL-Backup.sh --all

privacyidea/appliance/backup.timer

@@ -0,0 +1,12 @@
+[Unit]
+Description=execute backup tasks
+RefuseManualStart=no
+RefuseManualStop=no
+ 
+[Timer]
+Persistent=false
+OnCalendar=Sun *-*-* 02:19:00
+Unit=backup.service
+ 
+[Install]
+WantedBy=default.target

privacyidea/appliance/cert-renew.service

@@ -0,0 +1,8 @@
+[Unit]
+Description=renew certificates from git store
+RefuseManualStart=no
+RefuseManualStop=yes
+ 
+[Service]
+Type=oneshot
+ExecStart=/etc/ssl/cert-renew.sh

privacyidea/appliance/cert-renew.sh

@@ -0,0 +1,52 @@
+#!/bin/bash
+
+HOST="privacyidea"
+TLD="example.com"
+FQDN="$HOST.$TLD"
+LABEL="DATA"
+
+CERT_DIR=/$LABEL/CERTS
+CERT_APACHE=/$LABEL/etc/ssl/apache2
+GETREPO=""
+GETUSER=""
+GETPASS=""
+
+function getCurrentVersion() {
+# Get hash from latest revision
+  git log --format=format:%H -1
+}
+
+cd $CERT_DIR
+
+if [ -z "$GETREPO" ]; then
+  GIT_REVISION=0
+  GIT_NEW_REVISION=1
+  cd $FQDN
+elif [ ! -d "$FQDN" ]; then
+  GIT_REVISION=0
+  git clone "https://$GETUSER:$GETPASS@$GETREPO"
+  cd $FQDN
+  GIT_NEW_REVISION=$(getCurrentVersion)
+else
+  cd $FQDN
+  GIT_REVISION=$(getCurrentVersion)
+  git commit -m "CRON: auto commit"
+  git fetch
+  git merge origin/master -m "Auto Merge"
+  GIT_NEW_REVISION=$(getCurrentVersion)
+fi
+
+echo "old: $GIT_REVISION"
+echo "new: $GIT_NEW_REVISION"
+
+if [ $GIT_REVISION != $GIT_NEW_REVISION ]
+then
+  echo "Update Apache certificate..."
+  mkdir -p $CERT_APACHE
+  cp $CERT_DIR/$FQDN/$FQDN-fullchain.pem $CERT_APACHE/server.crt
+  cp $CERT_DIR/KEYS/$FQDN-key.pem $CERT_APACHE/server.key
+  echo "Restarting Apache..."
+  systemctl is-active --quiet apache2 && systemctl restart apache2
+fi
+
+exit 0

privacyidea/appliance/cert-renew.timer

@@ -0,0 +1,12 @@
+[Unit]
+Description=renew certificates from git store
+RefuseManualStart=no
+RefuseManualStop=no
+ 
+[Timer]
+Persistent=false
+OnCalendar=Sun *-*-* 04:03:00
+Unit=cert-renew.service
+ 
+[Install]
+WantedBy=default.target

privacyidea/mariadb/my.cnf.root

@@ -0,0 +1,11 @@
+[mysqladmin]
+user        = root
+password    = gentoo
+
+[mysql]
+user        = root
+password    = gentoo
+
+[client]
+user        = root
+password    = gentoo

privacyidea/package.accept_keywords

@@ -0,0 +1,29 @@
+# privacyIDEA
+dev-python/responses
+dev-python/pyusb
+dev-python/imagesize
+dev-python/cookies
+dev-python/python-gnupg
+dev-python/ldap3
+dev-python/yubiotp
+dev-python/pycrypto
+dev-python/mysql-connector-python
+dev-python/pytest-cov
+dev-python/sphinx
+dev-python/sphinxcontrib-applehelp
+dev-python/sphinxcontrib-devhelp
+dev-python/sphinxcontrib-jsmath
+dev-python/sphinxcontrib-htmlhelp
+dev-python/sphinxcontrib-serializinghtml
+dev-python/sphinxcontrib-qthelp
+dev-python/smpplib
+
+# grunt, wird nur zur privacyIDEA-Translation benötigt
+dev-nodejs/*
+
+# stable kann kein python3
+net-fs/samba
+sys-libs/ldb
+sys-libs/talloc
+sys-libs/tdb
+sys-libs/tevent

privacyidea/package.use

@@ -0,0 +1,15 @@
+# privacyIDEA
+www-apps/privacyidea hightokencount -translation
+dev-python/sqlalchemy -sqlite
+dev-python/netaddr -cli
+dev-python/numpy lapack
+dev-libs/c-blosc hdf5
+sys-devel/gcc fortran
+sci-libs/hdf5 -cxx -fortran -hl
+
+# RADIUS (ohne Samba kein rlm_mschap.so)
+net-dialup/freeradius kerberos ldap mysql -python samba
+net-fs/samba ads gnutls ldap winbind
+
+# LDAP
+net-nds/openldap overlays perl sasl

privacyidea/privacyidea.cfg

@@ -0,0 +1,2 @@
+REPO_NAMES += unitas-privacyidea
+REPO_URI_unitas-privacyidea = https://git.unitas-network.de/Gentoo/unitas-privacyidea.git

privacyidea/world

@@ -0,0 +1,5 @@
+app-crypt/certbot-apache
+dev-db/mariadb
+www-apps/privacyidea
+www-apps/privacyideaadm
+net-dialup/freeradius

zabbix/Makefile

@@ -1,9 +1,22 @@
-preinstall:
-	# hardcoded users and groups
-	$(inroot) useradd --system --comment="created from appliance building - zabbix user" --home-dir="/var/lib/zabbix/home" --shell="/sbin/nologin" --no-create-home --uid 600 --user-group zabbix
+02firstboot = $(CHROOT)/etc/local.d/02firstboot.start
+cert-renew.sh = $(CHROOT)/etc/ssl/cert-renew.sh
+zabbix-userparameter = $(CHROOT)/var/lib/zabbix/userparameter_mysql.conf
 
-postinstall:
-	# MariaDB-Konfiguration
+systemd-units: appliance/MySQL-Backup.sh appliance/backup.service appliance/backup.timer appliance/cert-renew.service appliance/cert-renew.timer
+	cp appliance/MySQL-Backup.sh $(CHROOT)/usr/local/bin/
+	cp appliance/backup.service appliance/backup.timer appliance/cert-renew.service appliance/cert-renew.timer $(CHROOT)/etc/systemd/system/
+
+$(02firstboot): appliance/02firstboot.start
+	mkdir -p $(CHROOT)/etc/local.d
+	cp $< $@
+	touch $(CHROOT)/02firstboot
+
+$(cert-renew.sh): appliance/cert-renew.sh
+	mkdir -p $(CHROOT)/etc/ssl
+	cp $< $@
+
+$(CHROOT)/var/lib/mysql: mariadb/my.cnf.root
+	# MariaDB-Konfiguration ($$, weil make ein $ entfernt)
 	sed -i "s/^character-set-server.*$$/character-set-server = utf8mb4/" $(CHROOT)/etc/mysql/mariadb.d/50-distro-server.cnf
 	sed -iE 's/^\(log-bin\)/#\1/' $(CHROOT)/etc/mysql/mariadb.d/50-distro-server.cnf
 	echo >> $(CHROOT)/etc/mysql/mariadb.d/50-distro-server.cnf
@@ -13,31 +26,31 @@ postinstall:
 	cp mariadb/my.cnf.root $(CHROOT)/root/.my.cnf
 	chmod 0600 $(CHROOT)/root/.my.cnf
 	rm -rf $(CHROOT)/var/lib/mysql/*
-	$(inroot) bash -c 'yes gentoo | emerge --config dev-db/mariadb'
+	RUN bash -c 'yes gentoo | emerge --config dev-db/mariadb'
 
-	# Apache-/PHP-Konfiguration
+apache-php:
 	sed -i 's:APACHE2_OPTS=\":APACHE2_OPTS=\"-D PHP :' $(CHROOT)/etc/conf.d/apache2
 	find $(CHROOT)/etc/php/apache2-*/ -iname php.ini -print | xargs \sed -i \
 		-e 's:.*date.timezone =.*:date.timezone = Europe/Berlin:' \
+		-e 's:.*pcre.jit=.*:pcre.jit=0:' \
 		-e 's:.*max_execution_time =.*:max_execution_time = 300:' \
 		-e 's:.*max_input_time =.*:max_input_time = 300:' \
 		-e 's:.*post_max_size =.*:post_max_size = 16M:' \
 		-e 's:.*always_populate_raw_post_data =.*:always_populate_raw_post_data = -1:'
-	$(inroot) systemctl enable apache2
 
-	# Add zabbix service definitions
+zabbix-services:
 	echo "zabbix-agent 10050/tcp Zabbix Agent" >> $(CHROOT)/etc/services
 	echo "zabbix-agent 10050/udp Zabbix Agent" >> $(CHROOT)/etc/services
 	echo "zabbix-trapper 10051/tcp Zabbix Trapper" >> $(CHROOT)/etc/services
 	echo "zabbix-trapper 10051/udp Zabbix Trapper" >> $(CHROOT)/etc/services
 
-	# Install Zabbix webapp
-	$(inroot) webapp-config -h localhost -d zabbix -I zabbix `ls $(CHROOT)/usr/share/webapps/zabbix`
+zabbix-webapp:
+	RUN webapp-config -h localhost -d zabbix -I zabbix `ls $(CHROOT)/usr/share/webapps/zabbix`
 	cp $(CHROOT)/var/www/localhost/htdocs/zabbix/conf/zabbix.conf.php.example $(CHROOT)/var/www/localhost/htdocs/zabbix/conf/zabbix.conf.php
 	# enable any language
 	sed -i "s:'display' => false]:'display' => true]:" $(CHROOT)/var/www/localhost/htdocs/zabbix/include/locales.inc.php
 	# im Zabbix-Ebuild wird fowners und fperms vor webapp_src_install aufgerufen und deswegen wieder überschrieben
-	$(inroot) chown -R zabbix:zabbix \
+	RUN chown -R zabbix:zabbix \
 		/etc/zabbix \
 		/var/lib/zabbix \
 		/var/lib/zabbix/home \
@@ -54,9 +67,11 @@ postinstall:
 		$(CHROOT)/var/lib/zabbix/externalscripts \
 		$(CHROOT)/var/log/zabbix
 
-	# Zabbix Agent
-	cp zabbix/userparameter_mysql.conf $(CHROOT)/var/lib/zabbix/userparameter_mysql.conf
+$(zabbix-userparameter): zabbix/userparameter_mysql.conf
+	mkdir -p $(CHROOT)/var/lib/zabbix
+	cp $< $@
 
+zabbix-syslog:
 	# Zabbix Syslog (https://github.com/v-zhuravlev/zabbix-syslog)
 	mkdir -p $(CHROOT)/etc/zabbix/scripts/lib
 	cp zabbix/zabbix-syslog/zabbix_syslog_create_urls.pl $(CHROOT)/etc/zabbix/scripts/zabbix_syslog_create_urls.pl
@@ -64,15 +79,15 @@ postinstall:
 	cp zabbix/zabbix-syslog/zabbix_syslog.cfg $(CHROOT)/etc/zabbix/zabbix_syslog.cfg
 	cp zabbix/zabbix-syslog/lib/ZabbixAPI.pm $(CHROOT)/etc/zabbix/scripts/lib/ZabbixAPI.pm
 	cp zabbix/zabbix-syslog/70-zabbix_rsyslog.conf $(CHROOT)/etc/rsyslog.d/70-zabbix_rsyslog.conf
-	$(inroot)chown -R zabbix:zabbix /etc/zabbix/scripts
+	RUN chown -R zabbix:zabbix /etc/zabbix/scripts
 	chmod +x $(CHROOT)/etc/zabbix/scripts/zabbix_syslog_create_urls.pl
 	chmod +x $(CHROOT)/etc/zabbix/scripts/zabbix_syslog_lkp_host.pl
 
-	# FPing
-	$(inroot)chmod u=rwsx,g=rx,o=rx /usr/sbin/fping
-	$(inroot)chmod u=rwsx,g=rx,o=rx /usr/sbin/fping6
+fping:
+	chmod u=rwsx,g=rx,o=rx $(CHROOT)/usr/sbin/fping
+	chmod u=rwsx,g=rx,o=rx $(CHROOT)/usr/sbin/fping6
 
-	# SNMP
+snmp:
 	cp snmp/snmpd.conf $(CHROOT)/etc/snmp/snmpd.conf
 	cp snmp/snmptrapd.conf $(CHROOT)/etc/snmp/snmptrapd.conf
 	cp snmp/snmptt.conf $(CHROOT)/etc/snmp/snmptt.conf
@@ -86,5 +101,9 @@ postinstall:
 		-e 's:unknown_trap_log_enable = 0:unknown_trap_log_enable = 1:' \
 		$(CHROOT)/etc/snmp/snmptt.ini
 	mkdir -p $(CHROOT)/var/log/snmptt
-	$(inroot)chmod 0775 /var/log/snmptt
-	$(inroot)chown zabbix:zabbix /var/log/snmptt
+	chmod 0775 $(CHROOT)/var/log/snmptt
+	RUN chown zabbix:zabbix /var/log/snmptt
+
+preinstall:
+
+postinstall: systemd-units $(02firstboot) $(cert-renew.sh) $(CHROOT)/var/lib/mysql apache-php zabbix-services zabbix-webapp $(zabbix-userparameter) zabbix-syslog fping snmp

zabbix/appliance/02firstboot.start

@@ -2,7 +2,7 @@
 
 # variables
 LABEL="DATA"
-DATABASE_PASS="Di1sgMySQLPwd."
+DATABASE_PASS=$(head -c 300 /dev/urandom | tr -cd 'a-zA-Z0-9' | head -c 16)
 TLD="example.com"
 HOST="zabbix"
 ORGNAME="Zabbix example"
@@ -13,16 +13,59 @@ set -e
 [ -e /01firstboot ] && exit 0
 [ -e /02firstboot ] || exit 0
 
+# Zabbix configuration
+if [ ! -d "/$LABEL/etc/zabbix" ]; then
+    echo 'Create Zabbix Server config...'
+    mkdir -p /$LABEL/etc/zabbix
+    chown zabbix:zabbix /$LABEL/etc/zabbix
+    cp /etc/zabbix/zabbix_server.conf /$LABEL/etc/zabbix/zabbix_server.conf.orig
+    mv /etc/zabbix/zabbix_server.conf /$LABEL/etc/zabbix/zabbix_server.conf
+    ln -s /$LABEL/etc/zabbix/zabbix_server.conf /etc/zabbix/zabbix_server.conf
+    sed -i "s:# DBPassword=:DBPassword=${DATABASE_PASS}:" /$LABEL/etc/zabbix/zabbix_server.conf
+
+    echo 'Create Zabbix Frontend config...'
+    mkdir -p /$LABEL/var/www/localhost/htdocs/zabbix/conf
+    cp /var/www/localhost/htdocs/zabbix/conf/zabbix.conf.php /$LABEL/var/www/localhost/htdocs/zabbix/conf/zabbix.conf.php.orig
+    mv /var/www/localhost/htdocs/zabbix/conf/zabbix.conf.php /$LABEL/var/www/localhost/htdocs/zabbix/conf/zabbix.conf.php
+    ln -s /$LABEL/var/www/localhost/htdocs/zabbix/conf/zabbix.conf.php /var/www/localhost/htdocs/zabbix/conf/zabbix.conf.php
+    sed -i "s:\$DB\['PASSWORD'\].*:\$DB\['PASSWORD'\] = '${DATABASE_PASS}';:" /$LABEL/var/www/localhost/htdocs/zabbix/conf/zabbix.conf.php
+else
+    if [ ! -L /etc/zabbix/zabbix_server.conf ]; then
+        rm -rf /$LABEL/etc/zabbix/zabbix_server.conf.orig
+        mv /etc/zabbix/zabbix_server.conf /$LABEL/etc/zabbix/zabbix_server.conf.orig
+    else
+        rm -rf /etc/zabbix/zabbix_server.conf
+    fi
+    ln -s /$LABEL/etc/zabbix/zabbix_server.conf /etc/zabbix/zabbix_server.conf
+
+    if [ ! -L /var/www/localhost/htdocs/zabbix/conf ]; then
+        rm -rf /$LABEL/var/www/localhost/htdocs/zabbix/conf.orig
+        mv /var/www/localhost/htdocs/zabbix/conf /$LABEL/var/www/localhost/htdocs/zabbix/conf.orig
+    else
+        rm -rf /var/www/localhost/htdocs/zabbix/conf
+    fi
+    ln -s /$LABEL/var/www/localhost/htdocs/zabbix/conf /var/www/localhost/htdocs/zabbix/conf
+fi
+
 # Database
 systemctl stop mariadb
 if [ ! -d "/$LABEL/var/lib/mysql/zabbix" ]; then
     echo 'Initialize MariaDB...'
     mkdir -p "/$LABEL/var/lib"
     rm -rf "/$LABEL/var/lib/mysql"
-    rm -rf "/$LABEL/var/lib/mysql.orig"
-    cp -a "/var/lib/mysql" "/$LABEL/var/lib/mysql.orig"
-    mv "/var/lib/mysql" "/$LABEL/var/lib/mysql"
-    ln -s "/$LABEL/var/lib/mysql" "/var/lib/mysql"
+    if [ ! -L /var/lib/mysql ]; then
+        rm -rf "/$LABEL/var/lib/mysql.orig"
+        cp -a "/var/lib/mysql" "/$LABEL/var/lib/mysql.orig"
+        mv "/var/lib/mysql" "/$LABEL/var/lib/mysql"
+        ln -s "/$LABEL/var/lib/mysql" "/var/lib/mysql"
+    elif [ -d "/$LABEL/var/lib/mysql.orig" ]; then
+        cp -a "/$LABEL/var/lib/mysql.orig" "/$LABEL/var/lib/mysql"
+        rm -rf "/var/lib/mysql"
+        ln -s "/$LABEL/var/lib/mysql" "/var/lib/mysql"
+    else
+        echo '### ERROR initialize database !!! ###'
+        exit 1
+    fi
     systemctl start mariadb
     sleep 5
 
@@ -41,50 +84,51 @@ else
     if [ ! -L /var/lib/mysql ]; then
         rm -rf "/$LABEL/var/lib/mysql.orig"
         mv "/var/lib/mysql" "/$LABEL/var/lib/mysql.orig"
-        ln -s "/$LABEL/var/lib/mysql" "/var/lib/mysql"
+    else
+        rm -f "/var/lib/mysql"
     fi
+    ln -s "/$LABEL/var/lib/mysql" "/var/lib/mysql"
     systemctl start mariadb
 fi
-echo 'Enable database...'
-systemctl enable mariadb
 
-# Certificates
-if [ ! -f "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-cert.pem" ]; then
-	echo 'Create certificates...'
-	mkdir -p "/$LABEL/CERTS/KEYS/"
-	mkdir -p "/$LABEL/CERTS/$HOST.$TLD"
-	echo "FQDN = $HOST.$TLD" > "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
-	echo "ORGNAME = $ORGNAME" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
-	echo "ALTNAMES = DNS:$HOST.$TLD , DNS:$TLD" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
-	echo -e "\n[ req ]\ndefault_bits = 4096\ndefault_md = sha256\nprompt = no\nencrypt_key = no\ndistinguished_name = dn\nreq_extensions = req_ext\ndefault_keyfile = ../KEYS/\$FQDN-key.pem\n" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
-	echo -e "\n[ dn ]\nC = DE\nO = \$ORGNAME\nCN = \$FQDN\n" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
-	echo -e "\n[ req_ext ]\nsubjectAltName = \$ALTNAMES" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
-	openssl req -x509 -new -config "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf" -out "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-cert.pem" -keyout "/$LABEL/CERTS/KEYS/$HOST.$TLD-key.pem"
-	cp "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-cert.pem" "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-fullchain.pem"
-	touch "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-chain.pem"
-fi
-
-# Zabbix
-echo 'Start Zabbix...'
-if [ ! -f "/$LABEL/etc/zabbix/zabbix_server.conf" ]; then
-    mkdir -p "/$LABEL/etc/zabbix"
-    chown zabbix:zabbix "/$LABEL/etc/zabbix"
-    cp /etc/zabbix/zabbix_server.conf "/$LABEL/etc/zabbix/zabbix_server.conf.orig"
-    mv /etc/zabbix/zabbix_server.conf "/$LABEL/etc/zabbix/zabbix_server.conf"
-    sed -i "s:# DBPassword=:DBPassword=${DATABASE_PASS}:" "/$LABEL/etc/zabbix/zabbix_server.conf"
-    ln -s "/$LABEL/etc/zabbix/zabbix_server.conf" "/etc/zabbix/zabbix_server.conf"
-
-    mkdir -p "/$LABEL/etc/zabbix"
-    chown zabbix:zabbix "/$LABEL/etc/zabbix"
-    cp /etc/zabbix/zabbix_server.conf "/$LABEL/etc/zabbix/zabbix_server.conf.orig"
-    mv /etc/zabbix/zabbix_server.conf "/$LABEL/etc/zabbix/zabbix_server.conf"
-    sed -i "s:\$DB\['PASSWORD'\].*:\$DB\['PASSWORD'\] = '${DATABASE_PASS}';:" /var/www/localhost/htdocs/zabbix/conf/zabbix.conf.php
+if [ -x "/$LABEL/etc/ssl/cert-renew.sh" ]; then
+    # angepaßtes Zertifikat vorhanden (kein example)
+    if [ ! -L /etc/ssl/cert-renew.sh ]; then
+        rm -f "/$LABEL/etc/ssl/cert-renew.sh.orig"
+        mv "/etc/ssl/cert-renew.sh" "/$LABEL/etc/ssl/cert-renew.sh.orig"
+    else
+        rm -f "/etc/ssl/cert-renew.sh"
+    fi
+    ln -s "/$LABEL/etc/ssl/cert-renew.sh" "/etc/ssl/cert-renew.sh"
 else
-
+    echo 'Create example certificate...'
+    mkdir -p "/$LABEL/CERTS/KEYS/"
+    mkdir -p "/$LABEL/CERTS/$HOST.$TLD"
+    echo "FQDN = $HOST.$TLD" > "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
+    echo "ORGNAME = $ORGNAME" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
+    echo "ALTNAMES = DNS:$HOST.$TLD , DNS:$TLD" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
+    echo -e "\n[ req ]\ndefault_bits = 4096\ndefault_md = sha256\nprompt = no\nencrypt_key = no\ndistinguished_name = dn\nreq_extensions = req_ext\ndefault_keyfile = ../KEYS/\$FQDN-key.pem\n" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
+    echo -e "\n[ dn ]\nC = DE\nO = \$ORGNAME\nCN = \$FQDN\n" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
+    echo -e "\n[ req_ext ]\nsubjectAltName = \$ALTNAMES" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
+    openssl req -x509 -new -config "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf" -out "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-cert.pem" -keyout "/$LABEL/CERTS/KEYS/$HOST.$TLD-key.pem"
+    cp "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-cert.pem" "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-fullchain.pem"
+    touch "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-chain.pem"
 fi
-systemctl start zabbix-server
-systemctl enable zabbix-server
-systemctl start zabbix-agentd
-systemctl enable zabbix-agentd
 
-rm /firstboot
+rm -rf /etc/ssl/apache2
+mkdir -p /etc/ssl
+ln -sf "/$LABEL/etc/ssl/apache2" "/etc/ssl/apache2"
+
+/etc/ssl/cert-renew.sh
+
+systemctl enable mariadb
+systemctl enable zabbix-server
+systemctl enable zabbix-agentd
+systemctl enable apache2
+
+systemctl restart zabbix-server
+systemctl restart zabbix-agentd
+systemctl restart apache2
+
+rm /02firstboot
+

zabbix/appliance/MySQL-Backup.sh

@@ -0,0 +1,32 @@
+#!/bin/bash
+PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"
+
+DIR="/DATA/Backup/MySQL"
+
+if [ -z $1 ]; then
+ echo "database name missing! use --all for all db's"
+ exit 1;
+elif [ $1 = '--all' ]; then
+ echo "full backup"
+ for i in `mysqlshow --defaults-file=/root/.my.cnf | awk '{print $2}' | grep -v Databases`; do
+  if [ "$i" != "information_schema" ] && [ "$i" != "performance_schema" ]; then
+   if test -f ${DIR}/${i}.sql; then
+    echo "Move ${DIR}/${i}.sql to ${DIR}/${i}.sql.1"
+    mv ${DIR}/${i}.sql ${DIR}/${i}.sql.1
+   fi
+   echo "dump ${i} to ${DIR}/${i}.sgl"
+   mysqldump --defaults-file=/root/.my.cnf --single-transaction --events --opt -QF -r${DIR}/${i}.sql $i
+   chmod 600 ${DIR}/${i}.sql
+  fi
+ done;
+elif [ -n $1 ]; then
+ echo "Starting backup of $1"
+ if test -f $DIR/$1.sql; then
+  echo "Move $DIR/$1.sql to $DIR/$1.sql.1"
+  mv ${DIR}/${1}.sql ${DIR}/${1}.sql.1
+ fi
+ mysqldump --defaults-file=/root/.my.cnf --single-transaction --opt -QF -r${DIR}/${1}.sql $1
+ chmod 600 ${DIR}/${1}.sql
+fi
+echo "Done"
+exit 0;

zabbix/appliance/backup.service

@@ -0,0 +1,8 @@
+[Unit]
+Description=execute backup tasks
+RefuseManualStart=no
+RefuseManualStop=yes
+ 
+[Service]
+Type=oneshot
+ExecStart=/usr/local/bin/MySQL-Backup.sh --all

zabbix/appliance/backup.timer

@@ -0,0 +1,12 @@
+[Unit]
+Description=execute backup tasks
+RefuseManualStart=no
+RefuseManualStop=no
+ 
+[Timer]
+Persistent=false
+OnCalendar=Sun *-*-* 02:19:00
+Unit=backup.service
+ 
+[Install]
+WantedBy=default.target

zabbix/appliance/cert-renew.service

@@ -0,0 +1,8 @@
+[Unit]
+Description=renew certificates from git store
+RefuseManualStart=no
+RefuseManualStop=yes
+ 
+[Service]
+Type=oneshot
+ExecStart=/etc/ssl/cert-renew.sh

zabbix/appliance/cert-renew.sh

@@ -1,13 +1,12 @@
 #!/bin/bash
 
-HOST="ejabberd"
+HOST="zabbix"
 TLD="example.com"
 FQDN="$HOST.$TLD"
 LABEL="DATA"
 
 CERT_DIR=/$LABEL/CERTS
-CERT_EJABBERD=/$LABEL/etc/ssl/ejabberd
-CERT_NGINX=/$LABEL/etc/ssl/nginx
+CERT_APACHE=/$LABEL/etc/ssl/apache2
 GETREPO=""
 GETUSER=""
 GETPASS=""
@@ -42,25 +41,12 @@ echo "new: $GIT_NEW_REVISION"
 
 if [ $GIT_REVISION != $GIT_NEW_REVISION ]
 then
-  echo "Update Ejabberd certificate..."
-  mkdir -p $CERT_EJABBERD
-  cp $CERT_DIR/$FQDN/$FQDN-fullchain.pem $CERT_EJABBERD/server.pem
-  cp $CERT_DIR/KEYS/$FQDN-key.pem $CERT_EJABBERD/server.key
-  chown root:jabber $CERT_EJABBERD/server.*
-  chmod 444 $CERT_EJABBERD/server.pem
-  chmod 440 $CERT_EJABBERD/server.key
-  echo "Restart Ejabberd..."
-  systemctl restart ejabberd
-
-  echo "Update Nginx certificate..."
-  mkdir -p $CERT_NGINX
-  cp $CERT_DIR/$FQDN/$FQDN-fullchain.pem $CERT_NGINX/nginx.pem
-  cp $CERT_DIR/KEYS/$FQDN-key.pem $CERT_NGINX/nginx.key
-  chown nginx:nginx $CERT_NGINX/nginx.*
-  chmod 444 $CERT_NGINX/nginx.pem
-  chmod 400 $CERT_NGINX/nginx.key
-  echo "Restart Nginx..."
-  systemctl restart nginx
+  echo "Update Apache certificate..."
+  mkdir -p $CERT_APACHE
+  cp $CERT_DIR/$FQDN/$FQDN-fullchain.pem $CERT_APACHE/server.crt
+  cp $CERT_DIR/KEYS/$FQDN-key.pem $CERT_APACHE/server.key
+  echo "Restarting Apache..."
+  systemctl is-active --quiet apache2 && systemctl restart apache2
 fi
 
 exit 0

zabbix/appliance/cert-renew.timer

@@ -0,0 +1,12 @@
+[Unit]
+Description=renew certificates from git store
+RefuseManualStart=no
+RefuseManualStop=no
+ 
+[Timer]
+Persistent=false
+OnCalendar=Sun *-*-* 04:03:00
+Unit=cert-renew.service
+ 
+[Install]
+WantedBy=default.target

zabbix/mariadb/my.cnf.root

@@ -5,3 +5,7 @@ password    = gentoo
 [mysql]
 user        = root
 password    = gentoo
+
+[client]
+user        = root
+password    = gentoo