From: Christian Heller <c.heller@plomlompom.de>
Date: Mon, 26 Nov 2018 19:22:01 +0000 (+0100)
Subject: WIP.
X-Git-Url: https://plomlompom.com/repos/%7B%7Bprefix%7D%7D/static/%7B%7Bdb.prefix%7D%7D/pick_tasks?a=commitdiff_plain;h=db8166ccd4711d311a845d009e859c9c415ea657;p=config

WIP.
---

diff --git a/all_new_2018/apt-mark/server b/all_new_2018/apt-mark/server
index 8421675..c7db7a4 100644
--- a/all_new_2018/apt-mark/server
+++ b/all_new_2018/apt-mark/server
@@ -4,5 +4,7 @@ openssh-server
 readline-common
 # provides letsencrypt
 certbot
+# for letsencrypt renewal
+cron
 # provides systemd scripts that configure iptables via /etc/iptables/*
-iptables-persistent
+iptables-persistent
\ No newline at end of file
diff --git a/all_new_2018/letsencrypt.sh b/all_new_2018/letsencrypt.sh
index 01f8a81..c89e37f 100755
--- a/all_new_2018/letsencrypt.sh
+++ b/all_new_2018/letsencrypt.sh
@@ -1,9 +1,23 @@
 #!/bin/sh
+# Install or copy LetsEncrypt certificates on/from server.
+#
+# First argument: server
+# Second argument: either "set" or "get" or "put"
+#
+# "set" install certbot on remote server and requests a new certificate
+# for it. This needs two more arguments: an e-mail address for future
+# communication with LetsEncrypt, and the domain for which to request
+# the certificate (might plausibly be equivalent to the first argument
+# though). This needs port 80 open on the server.
+#
+# "get" copies the server's /etc/letsencrypt to a local letsencrypt.tar.
+#
+# "set" copies a local letsencrypt.tar to the server's /etc/letsencrypt.
 set -e
 
 # Ensure we have a server name as argument.
-if [ ! $# -eq 2 ]; then
-    echo "Need server and action as argument."
+if [ $# -lt 2 ]; then
+    echo "Need server and action as arguments."
     false
 fi
 server="$1"
@@ -14,8 +28,14 @@ eval $(ssh-agent)
 ssh-add ~/.ssh/id_rsa
 
 if [ "${action}" = "set" ]; then
-    # Install certificate.
-    ssh -t plom@${server} "su -c 'apt -y install certbot && certbot certonly --standalone -d ${server}$'"
+    # Install certificate. This needs port 80 open (443 does not work here).
+    if [ $# -lt 4 ]; then
+        echo "Need mail address and domain as arguments."
+        false
+    fi
+    mail="$3"
+    domain="$4"
+    ssh -t plom@${server} "su -c 'apt -y install certbot && certbot certonly --standalone --agree-tos -m ${mail} -d ${server}'"
 elif [ "${action}" = "get" ]; then
     # Get /etc/letsencrypt/ as tar file.
     ssh -t plom@${server} 'su -c "cd /etc/ && tar cf letsencrypt.tar letsencrypt && chown plom:plom letsencrypt.tar && mv letsencrypt.tar /home/plom/"'
@@ -28,4 +48,3 @@ else
     echo "Action must be 'set', 'get', or 'put'."
     false
 fi
-
diff --git a/all_new_2018/linkable_etc_files/server/etc/iptables/rules.v4 b/all_new_2018/linkable_etc_files/server/etc/iptables/rules.v4
index faf35c1..fa4882d 100644
--- a/all_new_2018/linkable_etc_files/server/etc/iptables/rules.v4
+++ b/all_new_2018/linkable_etc_files/server/etc/iptables/rules.v4
@@ -2,13 +2,21 @@
 :INPUT DROP [0:0]
 :FORWARD DROP [0:0]
 :OUTPUT ACCEPT [0:0]
+# otherwise self-referential connections to local host will fail
 -A INPUT -i lo -j ACCEPT
+# this enables ping etc.
 -A INPUT -p icmp -j ACCEPT
+# SSH
 -A INPUT -p tcp --dport 22 -j ACCEPT
+# HTTPS in theory, in practice my second SSH port, see sshd_config
 -A INPUT -p tcp --dport 443 -j ACCEPT
+# SMTP (allowing for STARTTLS); necessary for mail server to mail server banter
 -A INPUT -p tcp --dport 25 -j ACCEPT
+# SMTPS, for mail server to mail user agent communication
 -A INPUT -p tcp --dport 465 -j ACCEPT
+# IMAPS
 -A INPUT -p tcp --dport 993 -j ACCEPT
+# tolerate any inbound connections requested by our server, no matter the port
 -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 COMMIT
-# iptables-restore seems to ignore COMMIT if no newline follows it
\ No newline at end of file
+# this last line is here because iptables-restore ignores the final command if no newline follows it
\ No newline at end of file