move to own repository, update everything

This commit is contained in:
Jörg Deckert 2023-06-08 16:33:13 +02:00
parent c3b6e318a3
commit 4d1b2a5292
11 changed files with 4336 additions and 1 deletions


@ -1,6 +1,6 @@
MIT License
Copyright (c) <year> <copyright holders>
Copyright (c) 2023 Freifunk Gera-Greiz
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

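--- a/Makefile
+++ b/Makefile
@@ -0,0 +1,19 @@
+02firstboot = $(CHROOT)/usr/local/bin/02firstboot.start
+cert-renew.sh = $(CHROOT)/etc/ssl/cert-renew.sh
+systemd-units: appliance/cert-renew.service appliance/cert-renew.timer
+cp appliance/cert-renew.service appliance/cert-renew.timer $(CHROOT)/etc/systemd/system/
+$(02firstboot): appliance/02firstboot.start
+mkdir -p $(CHROOT)/usr/local/bin
+cp $< $@
+touch $(CHROOT)/02firstboot
+$(cert-renew.sh): appliance/cert-renew.sh
+mkdir -p $(CHROOT)/etc/ssl
+cp $< $@
+preinstall:
+postinstall: systemd-units $(02firstboot) $(cert-renew.sh)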
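Review bot: The `$(cert-renew.sh)` rule installs appliance/cert-renew.sh into the image with a bare `cp`, so its mode in the chroot is whatever the source file and umask give, yet that script carries `GETUSER`/`GETPASS` in plain text and is later run as root by the timer; it should land root-only, e.g. `install -m 0700 $< $@` in place of `cp $< $@` (and `install -m 0755 $< $@` for the firstboot script, which needs no secrecy but does need its exec bit). `systemd-units`, `preinstall` and `postinstall` are commands rather than files, so add `.PHONY: systemd-units preinstall postinstall` to keep a stray file of that name from silently skipping them. The `systemd-units` target copies the timer unit but nothing in this Makefile enables it (a `systemctl --root=$(CHROOT) enable cert-renew.timer` or a symlink under `timers.target.wants`); if that happens elsewhere in the appliance build, a one-line comment saying so would help.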

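--- a/appliance/02firstboot.start
+++ b/appliance/02firstboot.start
@@ -0,0 +1,46 @@
+#!/bin/bash
+# variables
+LABEL="DATA"
+TLD="freifunk-gera-greiz.de"
+HOST="gwx"
+ORGNAME="Freifunk example gateway"
+# start
+set -e
+[ -e /01firstboot ] && exit 0
+[ -e /02firstboot ] || exit 0
+# Certificate
+if [ -x "/$LABEL/etc/ssl/cert-renew.sh" ]; then
+# angepaßtes Zertifikat vorhanden (kein example)
+if [ ! -L /etc/ssl/cert-renew.sh ]; then
+rm -f "/$LABEL/etc/ssl/cert-renew.sh.orig"
+mv "/etc/ssl/cert-renew.sh" "/$LABEL/etc/ssl/cert-renew.sh.orig"
+else
+rm -f "/etc/ssl/cert-renew.sh"
+fi
+ln -s "/$LABEL/etc/ssl/cert-renew.sh" "/etc/ssl/cert-renew.sh"
+else
+echo 'Create example certificate...'
+mkdir -p "/$LABEL/CERTS/KEYS/"
+mkdir -p "/$LABEL/CERTS/$HOST.$TLD"
+echo "FQDN = $HOST.$TLD" > "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
+echo "ORGNAME = $ORGNAME" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
+echo "ALTNAMES = DNS:$HOST.$TLD , DNS:$TLD" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
+echo -e "\n[ req ]\ndefault_bits = 4096\ndefault_md = sha256\nprompt = no\nencrypt_key = no\ndistinguished_name = dn\nreq_extensions = req_ext\ndefault_keyfile = ../KEYS/\$FQDN-key.pem\n" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
+echo -e "\n[ dn ]\nC = DE\nO = \$ORGNAME\nCN = \$FQDN\n" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
+echo -e "\n[ req_ext ]\nsubjectAltName = \$ALTNAMES" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
+openssl req -x509 -new -config "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf" -out "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-cert.pem" -keyout "/$LABEL/CERTS/KEYS/$HOST.$TLD-key.pem"
+cp "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-cert.pem" "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-fullchain.pem"
+touch "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-chain.pem"
+fi
+rm -rf /etc/ssl/nginx
+mkdir -p /etc/ssl
+ln -sf "/$LABEL/etc/ssl/nginx" "/etc/ssl/nginx"
+/etc/ssl/cert-renew.sh
+rm /02firstboot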
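Review bot: The private key written by the `openssl req ... -keyout` line lands in `/$LABEL/CERTS/KEYS/`, a directory that `mkdir -p` creates with the default (normally 0755) mode, and the script sets no umask, so whether the key file itself is readable by other local users depends on the openssl build's default for `-keyout`; put `umask 077` before the `openssl` call, or create the directory with `install -d -m 0700 "/$LABEL/CERTS/KEYS/"`, so the key is root-only regardless of that default. The same `openssl req -x509` call passes no `-days`, so the example certificate is valid for OpenSSL's default of 30 days, and with `GETREPO` empty nothing later regenerates it; either `-days 3650` or a comment such as `# example cert deliberately short-lived; replace via the git store` would make the intent explicit. Note also that when `/$LABEL/etc/ssl/cert-renew.sh` exists it is symlinked over the shipped script and then executed as root on the penultimate line, so whoever can write the DATA volume runs code as root at first boot; that looks intentional for a configuration volume but deserves a comment at the `if [ -x ...` branch.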


@ -0,0 +1,8 @@
[Unit]
Description=renew certificates from git store
RefuseManualStart=no
RefuseManualStop=yes
[Service]
Type=oneshot
ExecStart=/etc/ssl/cert-renew.sh

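--- a/appliance/cert-renew.sh
+++ b/appliance/cert-renew.sh
@@ -0,0 +1,55 @@
+#!/bin/bash
+HOST="gwx"
+TLD="freifunk-gera-greiz.de"
+FQDN="$HOST.$TLD"
+LABEL="DATA"
+CERT_DIR=/$LABEL/CERTS
+CERT_NGINX=/$LABEL/etc/ssl/nginx
+GETREPO=""
+GETUSER=""
+GETPASS=""
+function getCurrentVersion() {
+# Get hash from latest revision
+git log --format=format:%H -1
+}
+cd $CERT_DIR
+if [ -z "$GETREPO" ]; then
+GIT_REVISION=0
+GIT_NEW_REVISION=1
+cd $FQDN
+elif [ ! -d "$FQDN" ]; then
+GIT_REVISION=0
+git clone "https://$GETUSER:$GETPASS@$GETREPO"
+cd $FQDN
+GIT_NEW_REVISION=$(getCurrentVersion)
+else
+cd $FQDN
+GIT_REVISION=$(getCurrentVersion)
+git commit -m "CRON: auto commit"
+git fetch
+git merge origin/master -m "Auto Merge"
+GIT_NEW_REVISION=$(getCurrentVersion)
+fi
+echo "old: $GIT_REVISION"
+echo "new: $GIT_NEW_REVISION"
+if [ $GIT_REVISION != $GIT_NEW_REVISION ]
+then
+echo "Update Nginx certificate..."
+mkdir -p $CERT_NGINX
+cp $CERT_DIR/$FQDN/$FQDN-fullchain.pem $CERT_NGINX/nginx.pem
+cp $CERT_DIR/KEYS/$FQDN-key.pem $CERT_NGINX/nginx.key
+chown nginx:nginx $CERT_NGINX/nginx.*
+chmod 444 $CERT_NGINX/nginx.pem
+chmod 400 $CERT_NGINX/nginx.key
+echo "Restarting Nginx..."
+systemctl is-active --quiet nginx && systemctl restart nginx
+fi
+exit 0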
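Review bot: The `git clone "https://$GETUSER:$GETPASS@$GETREPO"` line embeds the password in the remote URL, which git persists in `.git/config` of the cloned repository under `$CERT_DIR` and exposes in the process list for the duration of the clone; the later `git fetch` then reuses that stored URL every week. Feed the credentials through a credential helper instead, so the URL on disk stays clean, and keep this script (which still holds `GETUSER`/`GETPASS` in plain text) root-only. The script also runs without `set -e` and never checks its `cd` calls, so a failed `cd $CERT_DIR` or `cd $FQDN` leaves the `git` commands working in the wrong directory and the unquoted `[ $GIT_REVISION != $GIT_NEW_REVISION ]` comparing against an empty value; `set -euo pipefail` plus `cd "$CERT_DIR" || exit 1` would make those failures loud. Finally the two `cp` lines can half-update the nginx pair when the key file is missing; test that both source files exist before copying so a restart never sees a certificate without its key.
```bash
# Feed the credentials through a helper so the password never lands in the
# remote URL (and thus .git/config) or in the process list; the helper reads
# the exported variables from the environment git hands to it.
export GETUSER GETPASS
git_auth=(-c 'credential.helper=!f() { printf "username=%s\npassword=%s\n" "$GETUSER" "$GETPASS"; }; f')
# … unchanged: getCurrentVersion, cd $CERT_DIR, empty-GETREPO branch …
git "${git_auth[@]}" clone "https://$GETREPO"
# … unchanged: cd $FQDN, GIT_NEW_REVISION, else branch up to the fetch …
git "${git_auth[@]}" fetch
# … unchanged: merge, revision compare, nginx copy and restart …
```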


@ -0,0 +1,12 @@
[Unit]
Description=renew certificates from git store
RefuseManualStart=no
RefuseManualStop=no
[Timer]
Persistent=false
OnCalendar=Sun *-*-* 03:33:00
Unit=cert-renew.service
[Install]
WantedBy=default.target
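Review bot: `WantedBy=default.target` on a system-level timer is unusual; the convention is `WantedBy=timers.target`, which is what `systemctl enable cert-renew.timer` is expected to hook into and keeps this timer grouped with the others on the host. `Persistent=false` means a run missed because the gateway was down at Sunday 03:33 is skipped until the following week, so a renewed certificate pushed to the git store can lag a week or more behind; for a renewal job `Persistent=true` is the safer setting. If the install step elsewhere enables this timer, a one-line comment here saying so would help the next maintainer.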

kernel.config Normal file


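--- a/package.accept_keywords
+++ b/package.accept_keywords
@@ -0,0 +1,14 @@
+## Freifunk
+#
+net-misc/bird
+net-vpn/tinc
+#
+# eigene Ebuilds
+dev-libs/libuecc
+net-misc/batctl
+net-misc/batman-adv
+net-misc/ecdsautils
+net-misc/ext-respondd
+net-misc/fastd
+net-misc/mesh-announce
+net-misc/tunneldigger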

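--- a/package.use
+++ b/package.use
@@ -0,0 +1,6 @@
+app-misc/mime-types nginx
+media-libs/gd png fontconfig truetype
+net-analyzer/vnstat gd
+net-dns/dnsmasq auth-dns dhcp-tools
+net-misc/batman-adv bla dat mcast nc
+net-vpn/openvpn iproute2 passwordsave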

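--- a/va-ffgw.cfg
+++ b/va-ffgw.cfg
@@ -0,0 +1,3 @@
+REPO_NAMES += ff-overlay
+REPO_URI_ff-overlay = https://github.com/ffggrz/ff-overlay.git
+KERNEL_CONFIG = appliances/$(APPLIANCE)/kernel.config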

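--- a/world
+++ b/world
@@ -0,0 +1,26 @@
+net-analyzer/iptstate
+net-analyzer/nmap
+net-analyzer/tcpdump
+net-analyzer/traceroute
+net-analyzer/vnstat
+net-dns/bind-tools
+net-dns/dnsmasq
+net-firewall/ebtables
+net-firewall/ipt_netflow
+net-misc/batctl
+net-misc/batman-adv
+net-misc/bird
+net-misc/bridge-utils
+net-misc/ecdsautils
+net-misc/ext-respondd
+net-misc/fastd
+net-misc/iperf:3
+net-misc/mesh-announce
+net-misc/ntp
+net-misc/telnet-bsd
+net-misc/tunneldigger
+net-vpn/openvpn
+net-vpn/tinc
+sys-apps/texinfo
+sys-process/lsof
+www-servers/nginx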