From: Christian Heller Date: Mon, 26 Nov 2018 19:22:01 +0000 (+0100) Subject: WIP. X-Git-Url: https://plomlompom.com/repos/%7B%7B%20web_path%20%7D%7D/decks/%7B%7Bdb.prefix%7D%7D/static/blog?a=commitdiff_plain;h=db8166ccd4711d311a845d009e859c9c415ea657;p=config WIP. --- diff --git a/all_new_2018/apt-mark/server b/all_new_2018/apt-mark/server index 8421675..c7db7a4 100644 --- a/all_new_2018/apt-mark/server +++ b/all_new_2018/apt-mark/server @@ -4,5 +4,7 @@ openssh-server readline-common # provides letsencrypt certbot +# for letsencrypt renewal +cron # provides systemd scripts that configure iptables via /etc/iptables/* -iptables-persistent +iptables-persistent \ No newline at end of file diff --git a/all_new_2018/letsencrypt.sh b/all_new_2018/letsencrypt.sh index 01f8a81..c89e37f 100755 --- a/all_new_2018/letsencrypt.sh +++ b/all_new_2018/letsencrypt.sh @@ -1,9 +1,23 @@ #!/bin/sh +# Install or copy LetsEncrypt certificates on/from server. +# +# First argument: server +# Second argument: either "set" or "get" or "put" +# +# "set" install certbot on remote server and requests a new certificate +# for it. This needs two more arguments: an e-mail address for future +# communication with LetsEncrypt, and the domain for which to request +# the certificate (might plausibly be equivalent to the first argument +# though). This needs port 80 open on the server. +# +# "get" copies the server's /etc/letsencrypt to a local letsencrypt.tar. +# +# "set" copies a local letsencrypt.tar to the server's /etc/letsencrypt. set -e # Ensure we have a server name as argument. -if [ ! $# -eq 2 ]; then - echo "Need server and action as argument." +if [ $# -lt 2 ]; then + echo "Need server and action as arguments." false fi server="$1" 
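Review bot: The `-iptables-persistent` / `+iptables-persistent` pair at the end of the apt-mark/server hunk changes no text and only drops the file's trailing newline (`\ No newline at end of file`), which looks accidental; if this list is consumed with a `while read` loop, POSIX `read` returns non-zero on an unterminated last line and `iptables-persistent` would silently be skipped. Restore the newline after the last entry. The `# for letsencrypt renewal` comment also deserves a word on mechanism: the Debian certbot package, as far as I recall, ships its own renewal cron job and a systemd timer, so it is worth saying here whether `cron` is installed only to serve that packaged job or for a hand-written crontab entry.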
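Review bot: The new header comment in letsencrypt.sh documents "set" twice and "put" not at all: the last line, `# "set" copies a local letsencrypt.tar to the server's /etc/letsencrypt.`, describes the put action and should read `# "put" copies a local letsencrypt.tar to the server's /etc/letsencrypt.`. The same block would read more clearly with a one-line synopsis such as `# Usage: letsencrypt.sh SERVER set MAIL DOMAIN | SERVER get | SERVER put` above the per-action prose, and "set" install certbot should be "installs". The argument check aborts via `false` and relies on `set -e` having been enabled on the preceding line; `exit 1` states the intent directly and keeps working if someone later moves or drops `set -e`. The script's remaining branches lie outside this hunk.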
@@ -14,8 +28,14 @@ eval $(ssh-agent) ssh-add ~/.ssh/id_rsa if [ "${action}" = "set" ]; then - # Install certificate. - ssh -t plom@${server} "su -c 'apt -y install certbot && certbot certonly --standalone -d ${server}$'" + # Install certificate. This needs port 80 open (443 does not work here). + if [ $# -lt 4 ]; then + echo "Need mail address and domain as arguments." + false + fi + mail="$3" + domain="$4" + ssh -t plom@${server} "su -c 'apt -y install certbot && certbot certonly --standalone --agree-tos -m ${mail} -d ${server}'" elif [ "${action}" = "get" ]; then # Get /etc/letsencrypt/ as tar file. ssh -t plom@${server} 'su -c "cd /etc/ && tar cf letsencrypt.tar letsencrypt && chown plom:plom letsencrypt.tar && mv letsencrypt.tar /home/plom/"' @@ -28,4 +48,3 @@ else echo "Action must be 'set', 'get', or 'put'." false fi - diff --git a/all_new_2018/linkable_etc_files/server/etc/iptables/rules.v4 b/all_new_2018/linkable_etc_files/server/etc/iptables/rules.v4 index faf35c1..fa4882d 100644 --- a/all_new_2018/linkable_etc_files/server/etc/iptables/rules.v4 +++ b/all_new_2018/linkable_etc_files/server/etc/iptables/rules.v4 
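Review bot: `domain="$4"` is assigned but never used — the certbot command still passes `-d ${server}`, so the fourth argument the new check insists on has no effect and the certificate is always requested for the SSH host name; the option should be `-d ${domain}`. `${mail}` and `${domain}` are also expanded unquoted inside the single-quoted `su -c '...'` string, so a value containing a quote, space or `$` breaks out of the remote command; these come from the operator's own argv, so the exposure is low, but a guard before the ssh call such as `case "${mail}${domain}" in *[\'\"\$\ ]*) echo "unsafe characters in arguments"; exit 1;; esac` turns a typo into a clean failure. Note too that `certbot certonly --standalone` binds port 80 on the remote host, while the rules.v4 in this same commit has INPUT policy DROP and no port-80 rule, so this step and every later renewal will fail unless the port is opened for the duration. The surrounding if/elif chain continues beyond the hunk.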
@@ -2,13 +2,21 @@
 :INPUT DROP [0:0]
 :FORWARD DROP [0:0]
 :OUTPUT ACCEPT [0:0]
+# otherwise self-referential connections to local host will fail
 -A INPUT -i lo -j ACCEPT
+# this enables ping etc.
 -A INPUT -p icmp -j ACCEPT
+# SSH
 -A INPUT -p tcp --dport 22 -j ACCEPT
+# HTTPS in theory, in practice my second SSH port, see sshd_config
 -A INPUT -p tcp --dport 443 -j ACCEPT
+# SMTP (allowing for STARTTLS); necessary for mail server to mail server banter
 -A INPUT -p tcp --dport 25 -j ACCEPT
+# SMTPS, for mail server to mail user agent communication
 -A INPUT -p tcp --dport 465 -j ACCEPT
+# IMAPS
 -A INPUT -p tcp --dport 993 -j ACCEPT
+# tolerate any inbound connections requested by our server, no matter the port
 -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 COMMIT
-# iptables-restore seems to ignore COMMIT if no newline follows it
\ No newline at end of file
+# this last line is here because iptables-restore ignores the final command if no newline follows it
\ No newline at end of file
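Review bot: There is no ACCEPT for TCP port 80, yet letsencrypt.sh in this same commit says `certbot --standalone` "needs port 80 open on the server" and the server package list adds cron for renewals; with `:INPUT DROP` as policy and 443 reserved for SSH by the new comment, both the initial issuance and every automated renewal will be dropped at the firewall unless someone opens the port by hand each time. Either add `# HTTP, needed by certbot --standalone for issuance and renewal` followed by `-A INPUT -p tcp --dport 80 -j ACCEPT`, or record in this file's comments that port 80 is opened temporarily around each certbot run. Two smaller points: `-m state --state RELATED,ESTABLISHED` is the legacy match and `-m conntrack --ctstate RELATED,ESTABLISHED` is the current form, and that rule is conventionally placed first so established traffic is not evaluated against every port rule. No rules.v6 appears in the diff; if the host has IPv6 addresses, the absence of a matching DROP policy there would leave the same ports — and everything else — reachable over v6, which deserves a look.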