Deployed services seem to be working

Signed-off-by: James Ketrenos <james_git@ketrenos.com>
2024-04-24 13:51:35 -07:00 · 2024-04-24 13:51:35 -07:00 · 47eb000b2b
commit 47eb000b2b
parent c30d731bd0
7 changed files with 177 additions and 68 deletions
--- a/README.md
+++ b/README.md
@ -1,5 +1,19 @@
 # ketreweb containers
 The cron job to update certificates isn't quite working yet.
 To update certificates:
 ```bash
 docker exec -it ketrenet-cron /bin/bash
 /usr/bin/certbot renew --no-self-upgrade --webroot -w /var/www/ketrenos.com
 /usr/bin/scp -q -i /keys/opnsense-letsencrypt /etc/letsencrypt/live/ketrenos.com/{fullchain,privkey}.pem letsencrypt@opnsense.ketrenos.com:.
 /usr/bin/ssh -i /keys/opnsense-letsencrypt letsencrypt@opnsense.ketrenos.com sudo ./update-cert.sh fullchain.pem privkey.pem
 ```
 After that completes (without errors) outside the container use `./sync-certs` to push
 the updated certificates to all the service containers and servers.
 ## ketreweb
 nginx and apache2
@ -36,4 +50,4 @@ DNSStubListenerExtra=1053
 ```bash
 sudo systemctl restart systemd-resolved
-```
+```
--- a/cron/etc/letsencrypt/options-ssl-apache.conf
+++ b/cron/etc/letsencrypt/options-ssl-apache.conf
@ -7,20 +7,12 @@
 SSLEngine on
 # Intermediate configuration, tweak to your needs
-SSLProtocol             all -SSLv2 -SSLv3
+SSLProtocol             all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
-SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
+SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
-SSLHonorCipherOrder     on
+SSLHonorCipherOrder     off
 SSLCompression          off
 SSLOptions +StrictRequire
 # Add vhost name to log entries:
 LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
 LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common
 #CustomLog /var/log/apache2/access.log vhost_combined
 #LogLevel warn
 #ErrorLog /var/log/apache2/error.log
 # Always ensure Cookies have "Secure" set (JAH 2012/1)
 #Header edit Set-Cookie (?i)^(.*)(;\s*secure)??((\s*;)?(.*)) "$1; Secure$3$4"
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -9,17 +9,17 @@ services:
      dockerfile: Dockerfile.web
    restart: always
    volumes:
-      - ./web/etc/nginx/sites-enabled:/etc/nginx/sites-enabled:ro
+      - /home/jketreno/docker/webserver/web/etc/nginx/sites-enabled:/etc/nginx/sites-enabled:ro
-      - ./web/etc/nginx/sites-available:/etc/nginx/sites-available:ro
+      - /home/jketreno/docker/webserver/web/etc/nginx/sites-available:/etc/nginx/sites-available:ro
-      - ./web/etc/apache2/envvars:/etc/apache2/envvars:ro
+      - /home/jketreno/docker/webserver/web/etc/apache2/envvars:/etc/apache2/envvars:ro
-      - ./web/etc/apache2/ports.conf:/etc/apache2/ports.conf:ro
+      - /home/jketreno/docker/webserver/web/etc/apache2/ports.conf:/etc/apache2/ports.conf:ro
-      - ./web/etc/apache2/sites-enabled:/etc/apache2/sites-enabled:ro
+      - /home/jketreno/docker/webserver/web/etc/apache2/sites-enabled:/etc/apache2/sites-enabled:ro
-      - ./web/etc/apache2/sites-available:/etc/apache2/sites-available:ro
+      - /home/jketreno/docker/webserver/web/etc/apache2/sites-available:/etc/apache2/sites-available:ro
-      - ./keys/cron/etc/letsencrypt/live:/etc/letsencrypt/live:ro
+      - /home/jketreno/docker/webserver/keys/cron/etc/letsencrypt/live:/etc/letsencrypt/live:ro
-      - ./keys/cron/etc/letsencrypt/archive:/etc/letsencrypt/archive:ro
+      - /home/jketreno/docker/webserver/keys/cron/etc/letsencrypt/archive:/etc/letsencrypt/archive:ro
-      - ./web/entrypoint.sh:/entrypoint.sh:ro
+      - /home/jketreno/docker/webserver/web/entrypoint.sh:/entrypoint.sh:ro
-      - ./data/log:/var/log:rw
+      - /home/jketreno/docker/webserver/data/log:/var/log:rw
-      - ./www:/var/www:ro
+      - /home/jketreno/docker/webserver/www:/var/www:ro
    ports:
      - 80:80
      - 443:443
@ -38,33 +38,34 @@ services:
      - 465:465  # postfix smtps
      - 587:587  # postfix submission
    volumes:
-      - ./keys/cron/etc/letsencrypt/live:/etc/letsencrypt/live:ro
+      - /home/jketreno/docker/webserver/keys/cron/etc/letsencrypt/live:/etc/letsencrypt/live:ro
-      - ./keys/cron/etc/letsencrypt/archive:/etc/letsencrypt/archive:ro
+      - /home/jketreno/docker/webserver/keys/cron/etc/letsencrypt/archive:/etc/letsencrypt/archive:ro
-      - ./mail/etc/mailname:/etc/mailname:ro
+      - /home/jketreno/docker/webserver/mail/etc/mailname:/etc/mailname:ro
-      - ./mail/etc/aliases.db:/etc/aliases.db:rw
+      - /home/jketreno/docker/webserver/mail/etc/aliases.db:/etc/aliases.db:rw
-      - ./mail/etc/aliases:/etc/aliases:rw
+      - /home/jketreno/docker/webserver/mail/etc/aliases:/etc/aliases:rw
-      - ./mail/etc/dovecot:/etc/dovecot:ro
+      - /home/jketreno/docker/webserver/mail/etc/dovecot:/etc/dovecot:ro
-      - ./mail/etc/amavis:/etc/amavis:ro
+      - /home/jketreno/docker/webserver/mail/etc/amavis:/etc/amavis:ro
-      - ./mail/etc/clamav:/etc/clamav:ro
+      - /home/jketreno/docker/webserver/mail/etc/clamav:/etc/clamav:ro
-      - ./mail/etc/hostname:/etc/hostname:ro
+      - /home/jketreno/docker/webserver/mail/etc/hostname:/etc/hostname:ro
-      - ./mail/etc/opendkim.conf:/etc/opendkim.conf:ro
+      - /home/jketreno/docker/webserver/mail/etc/opendkim.conf:/etc/opendkim.conf:ro
-      - ./mail/etc/opendkim:/etc/opendkim:ro
+      - /home/jketreno/docker/webserver/mail/etc/opendkim:/etc/opendkim:ro
-      - ./mail/etc/postfix:/etc/postfix:rw
+      - /home/jketreno/docker/webserver/mail/etc/postfix:/etc/postfix:rw
-      - ./mail/etc/milter-greylist:/etc/milter-greylist:ro
+      - /home/jketreno/docker/webserver/mail/etc/milter-greylist:/etc/milter-greylist:ro
-      - ./mail/entrypoint.sh:/entrypoint.sh:ro
+      - /home/jketreno/docker/webserver/mail/entrypoint.sh:/entrypoint.sh:ro
-      - ./data/log:/var/log:rw
+      - /home/jketreno/docker/webserver/data/log:/var/log:rw
-      - ./data/mail/var/mail:/var/mail:rw
+      - /home/jketreno/docker/webserver/data/mail/var/mail:/var/mail:rw
-      - ./data/mail/var/spool/mail:/var/spool/mail:rw
+      - /home/jketreno/docker/webserver/data/mail/var/spool/mail:/var/spool/mail:rw
      - /home/jketreno/docker/webserver/data/mail/var/lib/milter-greylist:/var/lib/milter-greylist:rw
      - /home:/home:rw
-      - ./www:/var/www:ro
+      - /home/jketreno/docker/webserver/www:/var/www:ro
-      - ./data/mail/var/lib/clamav:/var/lib/clamav:rw
+      - /home/jketreno/docker/webserver/data/mail/var/lib/clamav:/var/lib/clamav:rw
-      - ./mail/etc/rsyslog.conf:/etc/rsyslog.conf:ro
+      - /home/jketreno/docker/webserver/mail/etc/rsyslog.conf:/etc/rsyslog.conf:ro
-      - ./mail/etc/default/milter-greylist:/etc/default/milter-greylist:ro
+      - /home/jketreno/docker/webserver/mail/etc/default/milter-greylist:/etc/default/milter-greylist:ro
      # Keys
-      - ./keys/mail/etc/dkimkeys:/etc/dkimkeys:ro
+      - /home/jketreno/docker/webserver/keys/mail/etc/dkimkeys:/etc/dkimkeys:ro
-      - ./keys/mail/etc/spamassassin/sa-update-keys/:/etc/spamassassin/sa-update-keys:rw
+      - /home/jketreno/docker/webserver/keys/mail/etc/spamassassin/sa-update-keys/:/etc/spamassassin/sa-update-keys:rw
-      - ./keys/mail/etc/dovecot/private:/etc/dovecot-private:ro
+      - /home/jketreno/docker/webserver/keys/mail/etc/dovecot/private:/etc/dovecot-private:ro
-      - ./keys/mail/etc/opendkim:/etc/opendkim-private:rw
+      - /home/jketreno/docker/webserver/keys/mail/etc/opendkim:/etc/opendkim-private:rw
      # Authentication of dovecot users via pam
      #
@ -89,9 +90,9 @@ services:
    ports:
      - 8124:80
    volumes:
-      - ./roundcube/var/roundcube:/var/roundcube/config:ro
+      - /home/jketreno/docker/webserver/roundcube/var/roundcube:/var/roundcube/config:ro
-      - ./data/roundcube/db:/var/roundcube/db:rw
+      - /home/jketreno/docker/webserver/data/roundcube/db:/var/roundcube/db:rw
-      - ./data/roundcube/html:/var/www/html:rw
+      - /home/jketreno/docker/webserver/data/roundcube/html:/var/www/html:rw
  ketrenet-cron:
    image: ketrenet-cron
@ -101,16 +102,17 @@ services:
      dockerfile: Dockerfile.cron
    restart: always
    volumes:
-      - ./cron/etc/letsencrypt:/etc/letsencrypt:rw
+      - /home/jketreno/docker/webserver/cron/etc/letsencrypt:/etc/letsencrypt:rw
-      - ./keys/cron/etc/letsencrypt/live:/etc/letsencrypt/live:rw
+      - /home/jketreno/docker/webserver/keys/cron/etc/letsencrypt/live:/etc/letsencrypt/live:rw
-      - ./keys/cron/etc/letsencrypt/archive:/etc/letsencrypt/archive:rw
+      - /home/jketreno/docker/webserver/keys/cron/etc/letsencrypt/archive:/etc/letsencrypt/archive:rw
-      - ./cron/etc/cron.d:/etc/cron.d:ro
+      - /home/jketreno/docker/webserver/cron/etc/cron.d:/etc/cron.d:ro
-      - ./data/log:/var/log:rw
+      - /home/jketreno/docker/webserver/data/log:/var/log:rw
-      - ./keys/letsencrypt/:/keys:ro
+      - /home/jketreno/docker/webserver/keys/letsencrypt/:/keys:ro
-      - ./www:/var/www:rw
+      - /home/jketreno/docker/webserver/www:/var/www:rw
-      - ./cron/entrypoint.sh:/entrypoint.sh:ro
+      - /home/jketreno/docker/webserver/cron/entrypoint.sh:/entrypoint.sh:ro
  ketrenet-dns:
    profiles: [ "dev" ]
    image: ketrenet-dns
    container_name: ketrenet-dns
    hostname: dns
@ -124,9 +126,9 @@ services:
      - 67:67/udp # dhcp
      - 68:68/udp # dhcp
    volumes:
-      - ./keys/dns/ddns.key:/etc/ddns.key:ro
+      - /home/jketreno/docker/webserver/keys/dns/ddns.key:/etc/ddns.key:ro
-      - ./dns/etc/dhcp:/etc/dhcp:ro
+      - /home/jketreno/docker/webserver/dns/etc/dhcp:/etc/dhcp:ro
-      - ./dns/etc/bind:/etc/bind:ro
+      - /home/jketreno/docker/webserver/dns/etc/bind:/etc/bind:ro
-      - ./dns/entrypoint.sh:/entrypoint.sh:ro
+      - /home/jketreno/docker/webserver/dns/entrypoint.sh:/entrypoint.sh:ro
-      - ./data/log:/var/log:rw
+      - /home/jketreno/docker/webserver/data/log:/var/log:rw
-      - ./data/dns/var/lib/:/var/lib:rw
+      - /home/jketreno/docker/webserver/data/dns/var/lib/:/var/lib:rw
--- a/mail/entrypoint.sh
+++ b/mail/entrypoint.sh
@ -9,7 +9,11 @@ usermod -a -G opendkim postfix
 chmod g+rx /var/lib/amavis/tmp
 # directory is not being created by /etc/init.d/opendkim
-mkdir /var/spool/postfix/{opendkim,milter-greylist}
+for dir in opendkim ilter-greylist; do
  if [[ ! -d "/var/spool/${dir}" ]]; then
    mkdir -p "/var/spool/postfix/${dir}"
  fi
 done
 chown opendkim:opendkim /var/spool/postfix/opendkim
 # opendkim needs to read its private data
--- a/37
+++ b/37
@ -0,0 +1,37 @@
 #!/bin/bash
 #
 # Update /home/jketreno/letsencrypt
 #
 /usr/bin/rsync -aprl --delete /home/jketreno/docker/webserver/cron/etc/letsencrypt/ /home/jketreno/letsencrypt/
 mapfile -t paths < <(find /home/jketreno/docker/webserver/keys/cron/etc/letsencrypt -maxdepth 1 -type d | tail -n +2)
 for path in "${paths[@]}"; do
  dir=$(basename "${path}")
  /usr/bin/rsync -aprl "${path}/" "/home/jketreno/letsencrypt/${dir}/"
 done
 #
 # Change ownership so files can be read
 #
 chown -R jketreno: /home/jketreno/letsencrypt
 #
 # Update cert on media.ketrenos.com
 #
 /usr/bin/rsync -e "/usr/bin/ssh -i /home/jketreno/.ssh/media" -aprl --delete /home/jketreno/letsencrypt/ root@media.ketrenos.com:/etc/letsencrypt/
 /usr/bin/ssh -i /home/jketreno/.ssh/media root@media.ketrenos.com "chown -R root:root /etc/letsencrypt"
 /usr/bin/ssh -i /home/jketreno/.ssh/media root@media.ketrenos.com "systemctl restart nginx"
 #
 # Update mail VM
 #
 echo "update mail /etc/letsencrypt"
 /usr/bin/rsync -e "/usr/bin/ssh -i /home/jketreno/.ssh/email" -aprl --delete /home/jketreno/letsencrypt/ root@email.ketrenos.com:/etc/letsencrypt/
 /usr/bin/ssh -i /home/jketreno/.ssh/email root@email.ketrenos.com "chown -R root:root /etc/letsencrypt"
 /usr/bin/ssh -i /home/jketreno/.ssh/email root@email.ketrenos.com "/usr/sbin/service postfix restart ; /usr/bin/doveadm reload"
 #
 # Update cert on opnsense.ketrenos.com
 #
 /usr/bin/scp -q -i keys/letsencrypt/opnsense-letsencrypt /home/jketreno/letsencrypt/live/ketrenos.com/{fullchain,privkey}.pem letsencrypt@opnsense.ketrenos.com:.
 /usr/bin/ssh -i keys/letsencrypt/opnsense-letsencrypt letsencrypt@opnsense.ketrenos.com sudo ./update-cert.sh fullchain.pem privkey.pem
--- a/web/entrypoint.sh
+++ b/web/entrypoint.sh
@ -22,6 +22,9 @@ done &
 #
 # Watch for letsencrypt changes and if they occur, restart nginx and apache2
 #
-while inotifywait -e modify /etc/letsencrypt/archive; do 
+while inotifywait -r -e modify /etc/letsencrypt/archive; do
-  kill -9 "$(cat /var/run/nginx.pid)" "$(cat /var/run/apache2.pid)"
+  killall nginx
  rm -f /var/run/nginx.pid
  killall apache2
  rm -f /var/run/apache2/apache2.pid
 done
--- a/web/etc/nginx/sites-available/default
+++ b/web/etc/nginx/sites-available/default
@ -495,6 +495,39 @@ server {
 	}
 }
 server {
 	server_name files.ketrenos.com;
 	listen 443 ssl;
        ssl_certificate /etc/letsencrypt/live/ketrenos.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/ketrenos.com/privkey.pem;
        location ~* ^(/.well-known) {
 	    root /var/www/ketrenos.com;
 	}
 }
 server {
 	server_name email.ketrenos.com;
 	listen 443 ssl;
        ssl_certificate /etc/letsencrypt/live/ketrenos.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/ketrenos.com/privkey.pem;
        location ~* ^(/.well-known) {
 	    root /var/www/ketrenos.com;
 	}
 }
 server {
 	server_name smtp.ketrenos.com;
 	listen 443 ssl;
        ssl_certificate /etc/letsencrypt/live/ketrenos.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/ketrenos.com/privkey.pem;
        location ~* ^(/.well-known) {
 	    root /var/www/ketrenos.com;
 	}
 }
 server {
 	server_name mail.ketrenos.com;
 	listen 443 ssl;
@ -637,6 +670,30 @@ server {
        }
 }
 server {
        server_name nutshellforestfarm.ketrenos.com;
        listen 443 ssl;
        ssl_certificate /etc/letsencrypt/live/ketrenos.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/ketrenos.com/privkey.pem;
        location ~* ^(/.well-known) {
            root /var/www/ketrenos.com;
        }
        location / {
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header Host $http_host;
            proxy_set_header X-NginX-Proxy true;
            proxy_pass_header Set-Cookie;
            proxy_pass_header P3P;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_pass http://192.168.1.78:8932;
        }
 }
 server {
        server_name opnsense.ketrenos.com;