From 47eb000b2b5065cdd1cc5a9c3a4c6e7498fbcc96 Mon Sep 17 00:00:00 2001
From: James Ketrenos
Date: Wed, 24 Apr 2024 13:51:35 -0700
Subject: [PATCH] Deployed services seem to be working

Signed-off-by: James Ketrenos
---
 README.md | 16 ++-
 cron/etc/letsencrypt/options-ssl-apache.conf | 14 +--
 docker-compose.yml | 108 ++++++++++---------
 mail/entrypoint.sh | 6 +-
 sync-cert | 37 +++++++
 web/entrypoint.sh | 7 +-
 web/etc/nginx/sites-available/default | 57 ++++++++++
 7 files changed, 177 insertions(+), 68 deletions(-)
 create mode 100755 sync-cert

diff --git a/README.md b/README.md
index 38ab0b3..77d5ecb 100644
--- a/README.md
+++ b/README.md
@@ -1,5 +1,19 @@
 # ketreweb containers
 
+The cron job to update certificates isn't quite working yet.
+
+To update certificates:
+
+```bash
+docker exec -it ketrenet-cron /bin/bash
+/usr/bin/certbot renew --no-self-upgrade --webroot -w /var/www/ketrenos.com
+/usr/bin/scp -q -i /keys/opnsense-letsencrypt /etc/letsencrypt/live/ketrenos.com/{fullchain,privkey}.pem letsencrypt@opnsense.ketrenos.com:.
+/usr/bin/ssh -i /keys/opnsense-letsencrypt letsencrypt@opnsense.ketrenos.com sudo ./update-cert.sh fullchain.pem privkey.pem
+```
+
+After that completes (without errors) outside the container use `./sync-certs` to push
+the updated certificates to all the service containers and servers.
+
 ## ketreweb
 
 nginx and apache2
@@ -36,4 +50,4 @@ DNSStubListenerExtra=1053
 ```bash
 sudo systemctl restart systemd-resolved
-```
\ No newline at end of file
+```
diff --git a/cron/etc/letsencrypt/options-ssl-apache.conf b/cron/etc/letsencrypt/options-ssl-apache.conf
index 8113ee8..1a37996 100644
--- a/cron/etc/letsencrypt/options-ssl-apache.conf
+++ b/cron/etc/letsencrypt/options-ssl-apache.conf
@@ -7,20 +7,12 @@
 SSLEngine on
 
 # Intermediate configuration, tweak to your needs
-SSLProtocol all -SSLv2 -SSLv3
-SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
-SSLHonorCipherOrder on
-SSLCompression off
+SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
+SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+SSLHonorCipherOrder off
 
 SSLOptions +StrictRequire
 
 # Add vhost name to log entries:
 LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
 LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common
-
-#CustomLog /var/log/apache2/access.log vhost_combined
-#LogLevel warn
-#ErrorLog /var/log/apache2/error.log
-
-# Always ensure Cookies have "Secure" set (JAH 2012/1)
-#Header edit Set-Cookie (?i)^(.*)(;\s*secure)??((\s*;)?(.*)) "$1; Secure$3$4"
diff --git a/docker-compose.yml b/docker-compose.yml
index 1856729..cb4c96d 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
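Review bot: `SSLCompression off` is removed without a replacement, so the block now leans on Apache's built-in default for that setting instead of stating it; keeping the line explicit costs nothing and records the intent next to the protocol and cipher choices. The new cipher list together with `SSLHonorCipherOrder off` looks like the certbot/Mozilla "intermediate" profile, and that profile also sets `SSLSessionTickets off`, which is absent here — adding it after `SSLHonorCipherOrder off` would complete the profile (confirm the Apache in the image accepts the directive; it needs 2.4.11 or newer). The head of the file, including the certbot warning about manual edits, is outside the hunk.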
@@ -9,17 +9,17 @@ services:
 dockerfile: Dockerfile.web
 restart: always
 volumes:
- - ./web/etc/nginx/sites-enabled:/etc/nginx/sites-enabled:ro
- - ./web/etc/nginx/sites-available:/etc/nginx/sites-available:ro
- - ./web/etc/apache2/envvars:/etc/apache2/envvars:ro
- - ./web/etc/apache2/ports.conf:/etc/apache2/ports.conf:ro
- - ./web/etc/apache2/sites-enabled:/etc/apache2/sites-enabled:ro
- - ./web/etc/apache2/sites-available:/etc/apache2/sites-available:ro
- - ./keys/cron/etc/letsencrypt/live:/etc/letsencrypt/live:ro
- - ./keys/cron/etc/letsencrypt/archive:/etc/letsencrypt/archive:ro
- - ./web/entrypoint.sh:/entrypoint.sh:ro
- - ./data/log:/var/log:rw
- - ./www:/var/www:ro
+ - /home/jketreno/docker/webserver/web/etc/nginx/sites-enabled:/etc/nginx/sites-enabled:ro
+ - /home/jketreno/docker/webserver/web/etc/nginx/sites-available:/etc/nginx/sites-available:ro
+ - /home/jketreno/docker/webserver/web/etc/apache2/envvars:/etc/apache2/envvars:ro
+ - /home/jketreno/docker/webserver/web/etc/apache2/ports.conf:/etc/apache2/ports.conf:ro
+ - /home/jketreno/docker/webserver/web/etc/apache2/sites-enabled:/etc/apache2/sites-enabled:ro
+ - /home/jketreno/docker/webserver/web/etc/apache2/sites-available:/etc/apache2/sites-available:ro
+ - /home/jketreno/docker/webserver/keys/cron/etc/letsencrypt/live:/etc/letsencrypt/live:ro
+ - /home/jketreno/docker/webserver/keys/cron/etc/letsencrypt/archive:/etc/letsencrypt/archive:ro
+ - /home/jketreno/docker/webserver/web/entrypoint.sh:/entrypoint.sh:ro
+ - /home/jketreno/docker/webserver/data/log:/var/log:rw
+ - /home/jketreno/docker/webserver/www:/var/www:ro
 ports:
 - 80:80
 - 443:443
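Review bot: Every bind mount is rewritten from `./…` to the absolute prefix `/home/jketreno/docker/webserver/…`, which ties the compose file to one user's home directory and repeats the same prefix on every line; the mail, roundcube, cron and dns hunks below make the identical change and the same remark applies there. Compose resolves relative host paths against the directory that holds the compose file rather than the caller's working directory, so if the motive was running compose from elsewhere (e.g. from a cron job) the relative form likely already worked; if an absolute root really is required, factoring it into one variable such as `- ${WEBSERVER_ROOT}/web/etc/nginx/sites-enabled:/etc/nginx/sites-enabled:ro` with `WEBSERVER_ROOT` defined in a `.env` file leaves a single place to change. The `services:` mapping begins before and continues after this hunk.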
@@ -38,33 +38,34 @@ services:
 - 465:465 # postfix smtps
 - 587:587 # postfix submission
 volumes:
- - ./keys/cron/etc/letsencrypt/live:/etc/letsencrypt/live:ro
- - ./keys/cron/etc/letsencrypt/archive:/etc/letsencrypt/archive:ro
- - ./mail/etc/mailname:/etc/mailname:ro
- - ./mail/etc/aliases.db:/etc/aliases.db:rw
- - ./mail/etc/aliases:/etc/aliases:rw
- - ./mail/etc/dovecot:/etc/dovecot:ro
- - ./mail/etc/amavis:/etc/amavis:ro
- - ./mail/etc/clamav:/etc/clamav:ro
- - ./mail/etc/hostname:/etc/hostname:ro
- - ./mail/etc/opendkim.conf:/etc/opendkim.conf:ro
- - ./mail/etc/opendkim:/etc/opendkim:ro
- - ./mail/etc/postfix:/etc/postfix:rw
- - ./mail/etc/milter-greylist:/etc/milter-greylist:ro
- - ./mail/entrypoint.sh:/entrypoint.sh:ro
- - ./data/log:/var/log:rw
- - ./data/mail/var/mail:/var/mail:rw
- - ./data/mail/var/spool/mail:/var/spool/mail:rw
+ - /home/jketreno/docker/webserver/keys/cron/etc/letsencrypt/live:/etc/letsencrypt/live:ro
+ - /home/jketreno/docker/webserver/keys/cron/etc/letsencrypt/archive:/etc/letsencrypt/archive:ro
+ - /home/jketreno/docker/webserver/mail/etc/mailname:/etc/mailname:ro
+ - /home/jketreno/docker/webserver/mail/etc/aliases.db:/etc/aliases.db:rw
+ - /home/jketreno/docker/webserver/mail/etc/aliases:/etc/aliases:rw
+ - /home/jketreno/docker/webserver/mail/etc/dovecot:/etc/dovecot:ro
+ - /home/jketreno/docker/webserver/mail/etc/amavis:/etc/amavis:ro
+ - /home/jketreno/docker/webserver/mail/etc/clamav:/etc/clamav:ro
+ - /home/jketreno/docker/webserver/mail/etc/hostname:/etc/hostname:ro
+ - /home/jketreno/docker/webserver/mail/etc/opendkim.conf:/etc/opendkim.conf:ro
+ - /home/jketreno/docker/webserver/mail/etc/opendkim:/etc/opendkim:ro
+ - /home/jketreno/docker/webserver/mail/etc/postfix:/etc/postfix:rw
+ - /home/jketreno/docker/webserver/mail/etc/milter-greylist:/etc/milter-greylist:ro
+ - /home/jketreno/docker/webserver/mail/entrypoint.sh:/entrypoint.sh:ro
+ - /home/jketreno/docker/webserver/data/log:/var/log:rw
+ - /home/jketreno/docker/webserver/data/mail/var/mail:/var/mail:rw
+ - /home/jketreno/docker/webserver/data/mail/var/spool/mail:/var/spool/mail:rw
+ - /home/jketreno/docker/webserver/data/mail/var/lib/milter-greylist:/var/lib/milter-greylist:rw
 - /home:/home:rw
- - ./www:/var/www:ro
- - ./data/mail/var/lib/clamav:/var/lib/clamav:rw
- - ./mail/etc/rsyslog.conf:/etc/rsyslog.conf:ro
- - ./mail/etc/default/milter-greylist:/etc/default/milter-greylist:ro
+ - /home/jketreno/docker/webserver/www:/var/www:ro
+ - /home/jketreno/docker/webserver/data/mail/var/lib/clamav:/var/lib/clamav:rw
+ - /home/jketreno/docker/webserver/mail/etc/rsyslog.conf:/etc/rsyslog.conf:ro
+ - /home/jketreno/docker/webserver/mail/etc/default/milter-greylist:/etc/default/milter-greylist:ro
 # Keys
- - ./keys/mail/etc/dkimkeys:/etc/dkimkeys:ro
- - ./keys/mail/etc/spamassassin/sa-update-keys/:/etc/spamassassin/sa-update-keys:rw
- - ./keys/mail/etc/dovecot/private:/etc/dovecot-private:ro
- - ./keys/mail/etc/opendkim:/etc/opendkim-private:rw
+ - /home/jketreno/docker/webserver/keys/mail/etc/dkimkeys:/etc/dkimkeys:ro
+ - /home/jketreno/docker/webserver/keys/mail/etc/spamassassin/sa-update-keys/:/etc/spamassassin/sa-update-keys:rw
+ - /home/jketreno/docker/webserver/keys/mail/etc/dovecot/private:/etc/dovecot-private:ro
+ - /home/jketreno/docker/webserver/keys/mail/etc/opendkim:/etc/opendkim-private:rw
 # Authentication of dovecot users via pam
 #
@@ -89,9 +90,9 @@ services:
 ports:
 - 8124:80
 volumes:
- - ./roundcube/var/roundcube:/var/roundcube/config:ro
- - ./data/roundcube/db:/var/roundcube/db:rw
- - ./data/roundcube/html:/var/www/html:rw
+ - /home/jketreno/docker/webserver/roundcube/var/roundcube:/var/roundcube/config:ro
+ - /home/jketreno/docker/webserver/data/roundcube/db:/var/roundcube/db:rw
+ - /home/jketreno/docker/webserver/data/roundcube/html:/var/www/html:rw
 
 ketrenet-cron:
 image: ketrenet-cron
@@ -101,16 +102,17 @@ services:
 dockerfile: Dockerfile.cron
 restart: always
 volumes:
- - ./cron/etc/letsencrypt:/etc/letsencrypt:rw
- - ./keys/cron/etc/letsencrypt/live:/etc/letsencrypt/live:rw
- - ./keys/cron/etc/letsencrypt/archive:/etc/letsencrypt/archive:rw
- - ./cron/etc/cron.d:/etc/cron.d:ro
- - ./data/log:/var/log:rw
- - ./keys/letsencrypt/:/keys:ro
- - ./www:/var/www:rw
- - ./cron/entrypoint.sh:/entrypoint.sh:ro
+ - /home/jketreno/docker/webserver/cron/etc/letsencrypt:/etc/letsencrypt:rw
+ - /home/jketreno/docker/webserver/keys/cron/etc/letsencrypt/live:/etc/letsencrypt/live:rw
+ - /home/jketreno/docker/webserver/keys/cron/etc/letsencrypt/archive:/etc/letsencrypt/archive:rw
+ - /home/jketreno/docker/webserver/cron/etc/cron.d:/etc/cron.d:ro
+ - /home/jketreno/docker/webserver/data/log:/var/log:rw
+ - /home/jketreno/docker/webserver/keys/letsencrypt/:/keys:ro
+ - /home/jketreno/docker/webserver/www:/var/www:rw
+ - /home/jketreno/docker/webserver/cron/entrypoint.sh:/entrypoint.sh:ro
 
 ketrenet-dns:
+ profiles: [ "dev" ]
 image: ketrenet-dns
 container_name: ketrenet-dns
 hostname: dns
@@ -124,9 +126,9 @@ services:
 - 67:67/udp # dhcp
 - 68:68/udp # dhcp
 volumes:
- - ./keys/dns/ddns.key:/etc/ddns.key:ro
- - ./dns/etc/dhcp:/etc/dhcp:ro
- - ./dns/etc/bind:/etc/bind:ro
- - ./dns/entrypoint.sh:/entrypoint.sh:ro
- - ./data/log:/var/log:rw
- - ./data/dns/var/lib/:/var/lib:rw
+ - /home/jketreno/docker/webserver/keys/dns/ddns.key:/etc/ddns.key:ro
+ - /home/jketreno/docker/webserver/dns/etc/dhcp:/etc/dhcp:ro
+ - /home/jketreno/docker/webserver/dns/etc/bind:/etc/bind:ro
+ - /home/jketreno/docker/webserver/dns/entrypoint.sh:/entrypoint.sh:ro
+ - /home/jketreno/docker/webserver/data/log:/var/log:rw
+ - /home/jketreno/docker/webserver/data/dns/var/lib/:/var/lib:rw
diff --git a/mail/entrypoint.sh b/mail/entrypoint.sh
index 2877536..47be864 100755
--- a/mail/entrypoint.sh
+++ b/mail/entrypoint.sh
@@ -9,7 +9,11 @@ usermod -a -G opendkim postfix
 chmod g+rx /var/lib/amavis/tmp
 
 # directory is not being created by /etc/init.d/opendkim
-mkdir /var/spool/postfix/{opendkim,milter-greylist}
+for dir in opendkim ilter-greylist; do
+ if [[ ! -d "/var/spool/${dir}" ]]; then
+ mkdir -p "/var/spool/postfix/${dir}"
+ fi
+done
 chown opendkim:opendkim /var/spool/postfix/opendkim
 
 # opendkim needs to read its private data
diff --git a/sync-cert b/sync-cert
new file mode 100755
index 0000000..6e85b38
--- /dev/null
+++ b/sync-cert
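Review bot: The loop header `for dir in opendkim ilter-greylist; do` drops the leading `m` of `milter-greylist`, so the second directory the old `mkdir` created is now created under the wrong name, and the guard tests `/var/spool/${dir}` while `mkdir -p` creates `/var/spool/postfix/${dir}`, so the existence check never looks at the directory it protects (harmless only because of `-p`). Change the two lines to `for dir in opendkim milter-greylist; do` and `if [[ ! -d "/var/spool/postfix/${dir}" ]]; then`. The following `chown` still only sets ownership for the opendkim directory; whether milter-greylist needs its own owner is not visible from this hunk. The rest of the entrypoint lies outside the hunk.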
@@ -0,0 +1,37 @@
+#!/bin/bash
+
+#
+# Update /home/jketreno/letsencrypt
+#
+/usr/bin/rsync -aprl --delete /home/jketreno/docker/webserver/cron/etc/letsencrypt/ /home/jketreno/letsencrypt/
+mapfile -t paths < <(find /home/jketreno/docker/webserver/keys/cron/etc/letsencrypt -maxdepth 1 -type d | tail -n +2)
+for path in "${paths[@]}"; do
+ dir=$(basename "${path}")
+ /usr/bin/rsync -aprl "${path}/" "/home/jketreno/letsencrypt/${dir}/"
+done
+
+#
+# Change ownership so files can be read
+#
+chown -R jketreno: /home/jketreno/letsencrypt
+
+#
+# Update cert on media.ketrenos.com
+#
+/usr/bin/rsync -e "/usr/bin/ssh -i /home/jketreno/.ssh/media" -aprl --delete /home/jketreno/letsencrypt/ root@media.ketrenos.com:/etc/letsencrypt/
+/usr/bin/ssh -i /home/jketreno/.ssh/media root@media.ketrenos.com "chown -R root:root /etc/letsencrypt"
+/usr/bin/ssh -i /home/jketreno/.ssh/media root@media.ketrenos.com "systemctl restart nginx"
+
+#
+# Update mail VM
+#
+echo "update mail /etc/letsencrypt"
+/usr/bin/rsync -e "/usr/bin/ssh -i /home/jketreno/.ssh/email" -aprl --delete /home/jketreno/letsencrypt/ root@email.ketrenos.com:/etc/letsencrypt/
+/usr/bin/ssh -i /home/jketreno/.ssh/email root@email.ketrenos.com "chown -R root:root /etc/letsencrypt"
+/usr/bin/ssh -i /home/jketreno/.ssh/email root@email.ketrenos.com "/usr/sbin/service postfix restart ; /usr/bin/doveadm reload"
+
+#
+# Update cert on opnsense.ketrenos.com
+#
+/usr/bin/scp -q -i keys/letsencrypt/opnsense-letsencrypt /home/jketreno/letsencrypt/live/ketrenos.com/{fullchain,privkey}.pem letsencrypt@opnsense.ketrenos.com:.
+/usr/bin/ssh -i keys/letsencrypt/opnsense-letsencrypt letsencrypt@opnsense.ketrenos.com sudo ./update-cert.sh fullchain.pem privkey.pem
diff --git a/web/entrypoint.sh b/web/entrypoint.sh
index caf05db..9bb76b9 100755
--- a/web/entrypoint.sh
+++ b/web/entrypoint.sh
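Review bot: The two opnsense lines at the end pass the key as `keys/letsencrypt/opnsense-letsencrypt`, relative to the caller's working directory, while every other path in the script is absolute, so the final step only works when the script is started from the repository root; use `-i /home/jketreno/docker/webserver/keys/letsencrypt/opnsense-letsencrypt` on both lines. Nothing after the shebang sets `set -euo pipefail`, so a failed `rsync` to a host is followed anyway by the remote `chown -R root:root /etc/letsencrypt` and a service restart against whatever that host already holds, and a failure on one host does not stop the push to the next. The staging copy in `/home/jketreno/letsencrypt` is `chown -R jketreno:`-ed, which makes an unprivileged account the owner of the private key; the `-p` in the rsync flags preserves the file modes, so those modes are what keeps `privkey.pem` from being world-readable. Separately, the README added in this commit calls the script `./sync-certs` while the file is `sync-cert`.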
@@ -22,6 +22,9 @@ done &
 #
 # Watch for letsencrypt changes and if they occur, restart nginx and apache2
 #
-while inotifywait -e modify /etc/letsencrypt/archive; do
- kill -9 "$(cat /var/run/nginx.pid)" "$(cat /var/run/apache2.pid)"
+while inotifywait -r -e modify /etc/letsencrypt/archive; do
+ killall nginx
+ rm -f /var/run/nginx.pid
+ killall apache2
+ rm -f /var/run/apache2/apache2.pid
 done
diff --git a/web/etc/nginx/sites-available/default b/web/etc/nginx/sites-available/default
index 59f521b..fc3d49c 100644
--- a/web/etc/nginx/sites-available/default
+++ b/web/etc/nginx/sites-available/default
@@ -495,6 +495,39 @@ server {
 }
 }
 
+server {
+ server_name files.ketrenos.com;
+ listen 443 ssl;
+ ssl_certificate /etc/letsencrypt/live/ketrenos.com/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/ketrenos.com/privkey.pem;
+
+ location ~* ^(/.well-known) {
+ root /var/www/ketrenos.com;
+ }
+}
+
+server {
+ server_name email.ketrenos.com;
+ listen 443 ssl;
+ ssl_certificate /etc/letsencrypt/live/ketrenos.com/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/ketrenos.com/privkey.pem;
+
+ location ~* ^(/.well-known) {
+ root /var/www/ketrenos.com;
+ }
+}
+
+server {
+ server_name smtp.ketrenos.com;
+ listen 443 ssl;
+ ssl_certificate /etc/letsencrypt/live/ketrenos.com/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/ketrenos.com/privkey.pem;
+
+ location ~* ^(/.well-known) {
+ root /var/www/ketrenos.com;
+ }
+}
+
 server {
 server_name mail.ketrenos.com;
 listen 443 ssl;
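Review bot: The new loop body only stops the daemons — `killall nginx`, `killall apache2` and removal of the pid files — and nothing in the hunk starts them again; if a respawn loop is what the `done &` above the hunk belongs to, that closes the gap, otherwise a certificate change takes the site down until the container restarts. `killall` comes from psmisc, which the web image must ship, and the `kill -9` it replaces at least failed loudly when the pid file was missing, whereas `killall` silently does nothing if the process name does not match. The trigger `-e modify` on `/etc/letsencrypt/archive` is also worth a second look: a certbot renewal writes new numbered files into `archive` and repoints the symlinks in `live`, which is a create/move rather than a modify, so `-e modify,create,moved_to` (or watching `live` as well) is the more reliable event set — confirm against the certbot version in the cron image. The rest of the entrypoint is outside the hunk.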
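Review bot: The three new `server` blocks for files., email. and smtp.ketrenos.com define only `location ~* ^(/.well-known)` on `listen 443 ssl`, so every other request path on those hosts falls through to nginx's implicit defaults for the block (no `root`, no `return`), which is better made explicit with `location / { return 404; }` in each block. ACME HTTP-01 validation is fetched over port 80, so a 443-only `.well-known` location only serves challenges if a port-80 block elsewhere in the file redirects those hostnames to https; the port-80 side is not in this hunk. The regex `^(/.well-known)` uses an unescaped `.` and so also matches paths such as `/xwell-known`; `location ~* ^/\.well-known` is the intended pattern. The preceding and following `server` blocks start and end outside the hunk.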
@@ -637,6 +670,30 @@ server {
 }
 }
 
+server {
+ server_name nutshellforestfarm.ketrenos.com;
+ listen 443 ssl;
+ ssl_certificate /etc/letsencrypt/live/ketrenos.com/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/ketrenos.com/privkey.pem;
+ location ~* ^(/.well-known) {
+ root /var/www/ketrenos.com;
+ }
+
+ location / {
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Host $http_host;
+ proxy_set_header X-NginX-Proxy true;
+ proxy_pass_header Set-Cookie;
+ proxy_pass_header P3P;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_pass http://192.168.1.78:8932;
+ }
+}
+
 server {
 server_name opnsense.ketrenos.com;