From 6592577cb808823a816821840136a650f7dfa972 Mon Sep 17 00:00:00 2001
From: Joerg Deckert
Date: Tue, 7 Jan 2025 15:13:24 +0100
Subject: [PATCH] first release

---
 Makefile | 24 +++++++++++++++
 README.md | 2 +-
 apache/default_vhost.include | 17 +++++++++++
 appliance/02firstboot.start | 57 ++++++++++++++++++++++++++++++++++++
 appliance/cert-renew.service | 8 +++++
 appliance/cert-renew.sh | 52 ++++++++++++++++++++++++++++++++
 appliance/cert-renew.timer | 12 ++++++++
 package.accept_keywords | 5 ++++
 package.use | 2 ++
 va-oxidized.cfg | 2 ++
 world | 5 ++++
 11 files changed, 185 insertions(+), 1 deletion(-)
 create mode 100644 Makefile
 create mode 100644 apache/default_vhost.include
 create mode 100755 appliance/02firstboot.start
 create mode 100644 appliance/cert-renew.service
 create mode 100755 appliance/cert-renew.sh
 create mode 100644 appliance/cert-renew.timer
 create mode 100644 package.accept_keywords
 create mode 100644 package.use
 create mode 100644 va-oxidized.cfg
 create mode 100644 world

diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..0997d37
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,24 @@
+02firstboot = $(CHROOT)/usr/local/bin/02firstboot.start
+cert-renew.sh = $(CHROOT)/etc/ssl/cert-renew.sh
+apache_conf = $(CHROOT)/etc/apache2/vhosts.d/default_vhost.include.applorig
+
+systemd-units: appliance/cert-renew.service appliance/cert-renew.timer
+ cp appliance/cert-renew.service appliance/cert-renew.timer $(CHROOT)/etc/systemd/system/
+
+$(02firstboot): appliance/02firstboot.start
+ mkdir -p $(CHROOT)/etc/local.d
+ cp $< $@
+ touch $(CHROOT)/02firstboot
+
+$(cert-renew.sh): appliance/cert-renew.sh
+ mkdir -p $(CHROOT)/etc/ssl
+ cp $< $@
+
+$(apache_conf): apache/default_vhost.include
+ sed -i 's/-D LANGUAGE/-D LANGUAGE -D PROXY/' $(CHROOT)/etc/conf.d/apache2
+ mv $(CHROOT)/etc/apache2/vhosts.d/default_vhost.include $@
+ cp $< $(CHROOT)/etc/apache2/vhosts.d/default_vhost.include
+
+preinstall:
+
+postinstall: systemd-units $(apache_conf) $(02firstboot) $(cert-renew.sh)
diff --git a/README.md b/README.md
index e0d808a..1584a39 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,3 @@
 # va-oxidized
 
-Oxidized Gentoo Virtual Appliance
\ No newline at end of file
+Oxidized @ the Gentoo Virtual Appliance
\ No newline at end of file
diff --git a/apache/default_vhost.include b/apache/default_vhost.include
new file mode 100644
index 0000000..38963d0
--- /dev/null
+++ b/apache/default_vhost.include
@@ -0,0 +1,17 @@
+ServerName oxidized.example.com
+ServerAlias oxidized
+
+ServerAdmin admin@example.com
+
+DocumentRoot "/var/www/localhost/htdocs"
+
+ Options Indexes FollowSymLinks
+ AllowOverride All
+ Require all granted
+
+
+ProxyPreserveHost On
+ProxyRequests off
+AllowEncodedSlashes NoDecode
+ProxyPass / http://localhost:8888/ nocanon
+ProxyPassReverse / http://localhost:8888/
diff --git a/appliance/02firstboot.start b/appliance/02firstboot.start
new file mode 100755
index 0000000..42245f6
--- /dev/null
+++ b/appliance/02firstboot.start
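Review bot: The `cp $< $@` recipes under `$(cert-renew.sh)` and `$(02firstboot)` install scripts that cert-renew.service and the first-boot hook later execute as root, yet they leave ownership to whoever runs the build and get the 0755 bit only because the source files happen to be mode 100755 in git. Use `install -o root -g root -m 0755 $< $@` in both recipes so the installed scripts are root-owned and never group/world-writable regardless of how the checkout was made. The `sed -i 's/-D LANGUAGE/-D LANGUAGE -D PROXY/'` line is not idempotent — a second run of the `$(apache_conf)` recipe (e.g. after the `.applorig` file is removed) appends a second `-D PROXY` — so guard it with `grep -q -- '-D PROXY' $(CHROOT)/etc/conf.d/apache2 ||` in front of the sed. `systemd-units`, `preinstall` and `postinstall` are command targets rather than files and belong under a `.PHONY:` line.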
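Review bot: Everything under `/` is proxied to oxidized-web on `localhost:8888` with no authentication directive in front of it, and the Makefile in this commit puts this include in place of the stock `default_vhost.include`, which is shared by the plain-HTTP vhost, so the device configurations Oxidized stores — which typically contain credentials — would be readable by anyone who can reach port 80. The `Require all granted` in the Directory block covers only the DocumentRoot and does not apply to proxied requests; nothing in this vhost authenticates the proxied application, so add a `<Location />` with an auth requirement (sketched below; the htpasswd file has to be provisioned separately, this commit adds none) and, where the TLS vhost is in use, have the non-TLS side redirect rather than serve. Note also that `nocanon` together with `AllowEncodedSlashes NoDecode` hands the raw, un-normalised request path straight to the backend, which is presumably what oxidized-web's node URLs need, but it means Apache performs no path canonicalisation on this vhost at all, so the backend is the only line of defence against traversal-style paths.
```apache
# … unchanged: ServerName / ServerAlias / ServerAdmin / DocumentRoot and Directory block …

# Every request is proxied to oxidized-web below; nothing else in this vhost
# authenticates it, so require a login here.  The htpasswd file must exist
# before Apache starts.
<Location />
    AuthType Basic
    AuthName "Oxidized"
    AuthUserFile /etc/apache2/oxidized.htpasswd
    Require valid-user
</Location>

# … unchanged: ProxyPreserveHost / ProxyRequests / AllowEncodedSlashes / ProxyPass lines …
```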
@@ -0,0 +1,57 @@
+#!/bin/bash
+
+# variables
+LABEL="DATA"
+DATABASE_PASS=$(head -c 300 /dev/urandom | tr -cd 'a-zA-Z0-9' | head -c 16)
+TLD="example.com"
+HOST="git"
+ORGNAME="git example"
+
+# start
+set -e
+
+[ -e /01firstboot ] && exit 0
+[ -e /02firstboot ] || exit 0
+
+# Certificate
+if [ -x "/$LABEL/etc/ssl/cert-renew.sh" ]; then
+ # angepaßtes Zertifikat vorhanden (kein example)
+ if [ ! -L /etc/ssl/cert-renew.sh ]; then
+ rm -f "/$LABEL/etc/ssl/cert-renew.sh.orig"
+ mv "/etc/ssl/cert-renew.sh" "/$LABEL/etc/ssl/cert-renew.sh.orig"
+ else
+ rm -f "/etc/ssl/cert-renew.sh"
+ fi
+ ln -s "/$LABEL/etc/ssl/cert-renew.sh" "/etc/ssl/cert-renew.sh"
+else
+ echo 'Create example certificate...'
+ mkdir -p "/$LABEL/CERTS/KEYS/"
+ mkdir -p "/$LABEL/CERTS/$HOST.$TLD"
+ echo "FQDN = $HOST.$TLD" > "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
+ echo "ORGNAME = $ORGNAME" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
+ echo "ALTNAMES = DNS:$HOST.$TLD , DNS:$TLD" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
+ echo -e "\n[ req ]\ndefault_bits = 4096\ndefault_md = sha256\nprompt = no\nencrypt_key = no\ndistinguished_name = dn\nreq_extensions = req_ext\ndefault_keyfile = ../KEYS/\$FQDN-key.pem\n" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
+ echo -e "\n[ dn ]\nC = DE\nO = \$ORGNAME\nCN = \$FQDN\n" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
+ echo -e "\n[ req_ext ]\nsubjectAltName = \$ALTNAMES" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
+ openssl req -x509 -new -config "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf" -out "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-cert.pem" -keyout "/$LABEL/CERTS/KEYS/$HOST.$TLD-key.pem"
+ cp "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-cert.pem" "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-fullchain.pem"
+ touch "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-chain.pem"
+fi
+
+rm -rf /etc/ssl/apache2
+mkdir -p /etc/ssl
+ln -sf "/$LABEL/etc/ssl/apache2" "/etc/ssl/apache2"
+
+/etc/ssl/cert-renew.sh
+
+echo
+echo "Success!"
+echo
+
+systemctl enable apache2
+systemctl enable oxidized
+
+systemctl restart oxidized
+systemctl restart apache2
+
+rm /02firstboot
diff --git a/appliance/cert-renew.service b/appliance/cert-renew.service
new file mode 100644
index 0000000..59ec86d
--- /dev/null
+++ b/appliance/cert-renew.service
@@ -0,0 +1,8 @@
+[Unit]
+Description=renew certificates from git store
+RefuseManualStart=no
+RefuseManualStop=yes
+
+[Service]
+Type=oneshot
+ExecStart=/etc/ssl/cert-renew.sh
diff --git a/appliance/cert-renew.sh b/appliance/cert-renew.sh
new file mode 100755
index 0000000..0923aad
--- /dev/null
+++ b/appliance/cert-renew.sh
@@ -0,0 +1,52 @@
+#!/bin/bash
+
+HOST="oxidized"
+TLD="example.com"
+FQDN="$HOST.$TLD"
+LABEL="DATA"
+
+CERT_DIR=/$LABEL/CERTS
+CERT_APACHE=/$LABEL/etc/ssl/apache2
+GETREPO=""
+GETUSER=""
+GETPASS=""
+
+function getCurrentVersion() {
+# Get hash from latest revision
+ git log --format=format:%H -1
+}
+
+cd $CERT_DIR
+
+if [ -z "$GETREPO" ]; then
+ GIT_REVISION=0
+ GIT_NEW_REVISION=1
+ cd $FQDN
+elif [ ! -d "$FQDN" ]; then
+ GIT_REVISION=0
+ git clone "https://$GETUSER:$GETPASS@$GETREPO"
+ cd $FQDN
+ GIT_NEW_REVISION=$(getCurrentVersion)
+else
+ cd $FQDN
+ GIT_REVISION=$(getCurrentVersion)
+ git commit -m "CRON: auto commit"
+ git fetch
+ git merge origin/master -m "Auto Merge"
+ GIT_NEW_REVISION=$(getCurrentVersion)
+fi
+
+echo "old: $GIT_REVISION"
+echo "new: $GIT_NEW_REVISION"
+
+if [ $GIT_REVISION != $GIT_NEW_REVISION ]
+then
+ echo "Update Apache certificate..."
+ mkdir -p $CERT_APACHE
+ cp $CERT_DIR/$FQDN/$FQDN-fullchain.pem $CERT_APACHE/server.crt
+ cp $CERT_DIR/KEYS/$FQDN-key.pem $CERT_APACHE/server.key
+ echo "Restarting Apache..."
+ systemctl is-active --quiet apache2 && systemctl restart apache2
+fi
+
+exit 0
diff --git a/appliance/cert-renew.timer b/appliance/cert-renew.timer
new file mode 100644
index 0000000..340fe5d
--- /dev/null
+++ b/appliance/cert-renew.timer
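Review bot: The example certificate is generated with `HOST="git"`, i.e. for `git.example.com` under `/DATA/CERTS/git.example.com/` and `KEYS/git.example.com-key.pem`, but `cert-renew.sh` in this same commit copies `oxidized.example.com-fullchain.pem` and `KEYS/oxidized.example.com-key.pem` and the vhost's ServerName is `oxidized.example.com`, so on a fresh appliance the `cp` into `/DATA/etc/ssl/apache2/` finds nothing and Apache is left without `server.crt`/`server.key`; `set -e` does not catch this because cert-renew.sh always exits 0. Change to `HOST="oxidized"` (and `ORGNAME` to match) so both scripts agree on one FQDN. Give the self-signed certificate a usable lifetime as well: `openssl req -x509` without `-days` defaults to 30 days and the weekly timer only re-copies, never regenerates, so use `openssl req -x509 -new -days 365 -config ...`. `DATABASE_PASS` is drawn from /dev/urandom and never used, so drop it, and since the key lands on the separate `/$LABEL` volume whose permissions this script does not control, pin its mode right after generation with `chmod 600 "/$LABEL/CERTS/KEYS/$HOST.$TLD-key.pem"`.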
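Review bot: `git clone "https://$GETUSER:$GETPASS@$GETREPO"` embeds the password in the remote URL, so it is written in clear to `.git/config` of the clone and is visible in the process list for the duration of the clone; use a credential helper with a root-only credentials file (`git -c credential.helper=store clone "https://$GETREPO"`) or a read-only deploy key over SSH, and keep `GETPASS` out of this script, which is meant to live on the `/DATA` volume. `cd $CERT_DIR` and `cd $FQDN` are unchecked and there is no `set -e`, so when the directory is missing the later `git commit`, `git merge` and `cp` run in whatever directory the shell is left in; write `cd "$CERT_DIR/$FQDN" || exit 1`, and pass the target name to the clone (`git clone ... "$FQDN"`) because the clone's directory is otherwise named after the repository, not `$FQDN`. Quote the comparison, `[ "$GIT_REVISION" != "$GIT_NEW_REVISION" ]`, since an empty `getCurrentVersion` result currently makes `[` fail with a syntax error, and install the key with a fixed mode, `install -m 0600 "$CERT_DIR/KEYS/$FQDN-key.pem" "$CERT_APACHE/server.key"`, instead of `cp`, which keeps whatever mode the file carries in git. Finally, whatever `origin/master` merges in is installed as Apache's private key with no integrity check; if the repository uses signed commits, a `git verify-commit origin/master` before the merge bounds what a compromised or mis-pushed repository can put on the appliance.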
@@ -0,0 +1,12 @@
+[Unit]
+Description=renew certificates from git store
+RefuseManualStart=no
+RefuseManualStop=no
+
+[Timer]
+Persistent=false
+OnCalendar=Sun *-*-* 04:03:00
+Unit=cert-renew.service
+
+[Install]
+WantedBy=timers.target
diff --git a/package.accept_keywords b/package.accept_keywords
new file mode 100644
index 0000000..36907ca
--- /dev/null
+++ b/package.accept_keywords
@@ -0,0 +1,5 @@
+# Oxidized
+dev-ruby/slop
+
+# Oxidized-Web
+dev-ruby/charlock_holmes
diff --git a/package.use b/package.use
new file mode 100644
index 0000000..630b4e5
--- /dev/null
+++ b/package.use
@@ -0,0 +1,2 @@
+# Apache
+www-servers/apache apache2_modules_proxy apache2_modules_proxy_connect apache2_modules_proxy_http
diff --git a/va-oxidized.cfg b/va-oxidized.cfg
new file mode 100644
index 0000000..7eb800d
--- /dev/null
+++ b/va-oxidized.cfg
@@ -0,0 +1,2 @@
+REPO_NAMES += unitas-oxidized
+REPO_URI_unitas-oxidized = https://git.unitas-network.de/Gentoo/unitas-oxidized.git
diff --git a/world b/world
new file mode 100644
index 0000000..7e461c4
--- /dev/null
+++ b/world
@@ -0,0 +1,5 @@
+app-crypt/certbot-apache
+net-misc/oxidized
+net-misc/oxidized-script
+www-apps/oxidized-web
+www-servers/apache
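Review bot: `Persistent=false` means a Sunday 04:03 run that is missed because the appliance was powered off is silently skipped until the following week, so a certificate that was updated in git can stay unapplied for up to seven more days. For a renewal job `Persistent=true` is the safer setting; the service is a `Type=oneshot` that only copies files when the revision changed, so catching up at the next boot is harmless. `RefuseManualStart=no` and `RefuseManualStop=no` are the systemd defaults and can simply be dropped.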
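Review bot: `apache2_modules_proxy_connect` builds the CONNECT-method forward-proxy module, which nothing in this commit uses: the vhost sets `ProxyRequests off` and only `ProxyPass`es to `http://localhost:8888/`, which needs `proxy` and `proxy_http` alone. Leaving mod_proxy_connect out of the image keeps an unused module off the attack surface, so unless something outside this commit relies on it, trim the line to `www-servers/apache apache2_modules_proxy apache2_modules_proxy_http`.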