first release

Makefile

@@ -0,0 +1,24 @@
+02firstboot = $(CHROOT)/usr/local/bin/02firstboot.start
+cert-renew.sh = $(CHROOT)/etc/ssl/cert-renew.sh
+apache_conf = $(CHROOT)/etc/apache2/vhosts.d/default_vhost.include.applorig
+
+systemd-units: appliance/cert-renew.service appliance/cert-renew.timer
+	cp appliance/cert-renew.service appliance/cert-renew.timer $(CHROOT)/etc/systemd/system/
+
+$(02firstboot): appliance/02firstboot.start
+	mkdir -p $(CHROOT)/etc/local.d
+	cp $< $@
+	touch $(CHROOT)/02firstboot
+
+$(cert-renew.sh): appliance/cert-renew.sh
+	mkdir -p $(CHROOT)/etc/ssl
+	cp $< $@
+
+$(apache_conf): apache/default_vhost.include
+	sed -i 's/-D LANGUAGE/-D LANGUAGE -D PROXY/' $(CHROOT)/etc/conf.d/apache2
+	mv $(CHROOT)/etc/apache2/vhosts.d/default_vhost.include $@
+	cp $< $(CHROOT)/etc/apache2/vhosts.d/default_vhost.include
+
+preinstall:
+
+postinstall: systemd-units $(apache_conf) $(02firstboot) $(cert-renew.sh)

README.md

@@ -1,3 +1,3 @@
 # va-oxidized
 
-Oxidized Gentoo Virtual Appliance
+Oxidized @ the Gentoo Virtual Appliance

apache/default_vhost.include

@@ -0,0 +1,17 @@
+ServerName oxidized.example.com
+ServerAlias oxidized
+
+ServerAdmin admin@example.com
+
+DocumentRoot "/var/www/localhost/htdocs"
+<Directory "/var/www/localhost/htdocs">
+	Options Indexes FollowSymLinks
+	AllowOverride All
+	Require all granted
+</Directory>
+
+ProxyPreserveHost On
+ProxyRequests off
+AllowEncodedSlashes NoDecode
+ProxyPass / http://localhost:8888/ nocanon
+ProxyPassReverse / http://localhost:8888/

appliance/02firstboot.start

@@ -0,0 +1,57 @@
+#!/bin/bash
+
+# variables
+LABEL="DATA"
+DATABASE_PASS=$(head -c 300 /dev/urandom | tr -cd 'a-zA-Z0-9' | head -c 16)
+TLD="example.com"
+HOST="git"
+ORGNAME="git example"
+
+# start
+set -e
+
+[ -e /01firstboot ] && exit 0
+[ -e /02firstboot ] || exit 0
+
+# Certificate
+if [ -x "/$LABEL/etc/ssl/cert-renew.sh" ]; then
+    # angepaßtes Zertifikat vorhanden (kein example)
+    if [ ! -L /etc/ssl/cert-renew.sh ]; then
+        rm -f "/$LABEL/etc/ssl/cert-renew.sh.orig"
+        mv "/etc/ssl/cert-renew.sh" "/$LABEL/etc/ssl/cert-renew.sh.orig"
+    else
+        rm -f "/etc/ssl/cert-renew.sh"
+    fi
+    ln -s "/$LABEL/etc/ssl/cert-renew.sh" "/etc/ssl/cert-renew.sh"
+else
+    echo 'Create example certificate...'
+    mkdir -p "/$LABEL/CERTS/KEYS/"
+    mkdir -p "/$LABEL/CERTS/$HOST.$TLD"
+    echo "FQDN = $HOST.$TLD" > "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
+    echo "ORGNAME = $ORGNAME" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
+    echo "ALTNAMES = DNS:$HOST.$TLD , DNS:$TLD" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
+    echo -e "\n[ req ]\ndefault_bits = 4096\ndefault_md = sha256\nprompt = no\nencrypt_key = no\ndistinguished_name = dn\nreq_extensions = req_ext\ndefault_keyfile = ../KEYS/\$FQDN-key.pem\n" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
+    echo -e "\n[ dn ]\nC = DE\nO = \$ORGNAME\nCN = \$FQDN\n" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
+    echo -e "\n[ req_ext ]\nsubjectAltName = \$ALTNAMES" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
+    openssl req -x509 -new -config "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf" -out "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-cert.pem" -keyout "/$LABEL/CERTS/KEYS/$HOST.$TLD-key.pem"
+    cp "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-cert.pem" "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-fullchain.pem"
+    touch "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-chain.pem"
+fi
+
+rm -rf /etc/ssl/apache2
+mkdir -p /etc/ssl
+ln -sf "/$LABEL/etc/ssl/apache2" "/etc/ssl/apache2"
+
+/etc/ssl/cert-renew.sh
+
+echo
+echo "Success!"
+echo
+
+systemctl enable apache2
+systemctl enable oxidized
+
+systemctl restart oxidized
+systemctl restart apache2
+
+rm /02firstboot

appliance/cert-renew.service

@@ -0,0 +1,8 @@
+[Unit]
+Description=renew certificates from git store
+RefuseManualStart=no
+RefuseManualStop=yes
+ 
+[Service]
+Type=oneshot
+ExecStart=/etc/ssl/cert-renew.sh

appliance/cert-renew.sh

@@ -0,0 +1,52 @@
+#!/bin/bash
+
+HOST="oxidized"
+TLD="example.com"
+FQDN="$HOST.$TLD"
+LABEL="DATA"
+
+CERT_DIR=/$LABEL/CERTS
+CERT_APACHE=/$LABEL/etc/ssl/apache2
+GETREPO=""
+GETUSER=""
+GETPASS=""
+
+function getCurrentVersion() {
+# Get hash from latest revision
+  git log --format=format:%H -1
+}
+
+cd $CERT_DIR
+
+if [ -z "$GETREPO" ]; then
+  GIT_REVISION=0
+  GIT_NEW_REVISION=1
+  cd $FQDN
+elif [ ! -d "$FQDN" ]; then
+  GIT_REVISION=0
+  git clone "https://$GETUSER:$GETPASS@$GETREPO"
+  cd $FQDN
+  GIT_NEW_REVISION=$(getCurrentVersion)
+else
+  cd $FQDN
+  GIT_REVISION=$(getCurrentVersion)
+  git commit -m "CRON: auto commit"
+  git fetch
+  git merge origin/master -m "Auto Merge"
+  GIT_NEW_REVISION=$(getCurrentVersion)
+fi
+
+echo "old: $GIT_REVISION"
+echo "new: $GIT_NEW_REVISION"
+
+if [ $GIT_REVISION != $GIT_NEW_REVISION ]
+then
+  echo "Update Apache certificate..."
+  mkdir -p $CERT_APACHE
+  cp $CERT_DIR/$FQDN/$FQDN-fullchain.pem $CERT_APACHE/server.crt
+  cp $CERT_DIR/KEYS/$FQDN-key.pem $CERT_APACHE/server.key
+  echo "Restarting Apache..."
+  systemctl is-active --quiet apache2 && systemctl restart apache2
+fi
+
+exit 0

appliance/cert-renew.timer

@@ -0,0 +1,12 @@
+[Unit]
+Description=renew certificates from git store
+RefuseManualStart=no
+RefuseManualStop=no
+ 
+[Timer]
+Persistent=false
+OnCalendar=Sun *-*-* 04:03:00
+Unit=cert-renew.service
+ 
+[Install]
+WantedBy=timers.target

package.accept_keywords

@@ -0,0 +1,5 @@
+# Oxidized
+dev-ruby/slop
+
+# Oxidized-Web
+dev-ruby/charlock_holmes

package.use

@@ -0,0 +1,2 @@
+# Apache
+www-servers/apache apache2_modules_proxy apache2_modules_proxy_connect apache2_modules_proxy_http

va-oxidized.cfg

@@ -0,0 +1,2 @@
+REPO_NAMES += unitas-oxidized
+REPO_URI_unitas-oxidized = https://git.unitas-network.de/Gentoo/unitas-oxidized.git

world

@@ -0,0 +1,5 @@
+app-crypt/certbot-apache
+net-misc/oxidized
+net-misc/oxidized-script
+www-apps/oxidized-web
+www-servers/apache