Diffstat (limited to '')
-rw-r--r-- | CHANGELOG.txt | 13 | ||||
-rw-r--r-- | VERSION.txt | 2 | ||||
-rw-r--r-- | dehydrated/Makefile | 21 | ||||
-rw-r--r-- | dehydrated/TODO | 3 | ||||
-rw-r--r-- | dehydrated/share/man/Makefile | 59 | ||||
-rw-r--r-- | dehydrated/share/man/dehydrated-cron.1.rst | 84 | ||||
-rw-r--r-- | dehydrated/share/man/dehydrated-hook.1.rst | 111 | ||||
-rw-r--r-- | dehydrated/share/man/dehydrated-nsupdate.1.rst | 117 | ||||
-rw-r--r-- | dehydrated/share/man/man.in | 19 | ||||
-rwxr-xr-x | knot/bin/knot-reset-zones (renamed from knot/bin/knot-zone-reset) | 11 | ||||
-rwxr-xr-x | knot/share/cron/knot-reset-zones | 3 | ||||
-rwxr-xr-x | knot/share/cron/knot-zone-reset | 3 |
12 files changed, 437 insertions, 9 deletions
diff --git a/CHANGELOG.txt b/CHANGELOG.txt
index 9b39627..b5632a6 100644
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -1,3 +1,16 @@
+2021-09-07 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+
+ * Releasing version 20210907.
+
+ [ Daniel Baumann ]
+ * Updating knot-zone-reset to really remove all in-memory data completely.
+ * Renaming knot-zone-reset to knot-reset-zones for consistency.
+ * Adding manpage tooling for dehydrated-tools.
+ * Adding initial dehydrated-hook manpage.
+ * Adding initial dehydrated-nsupdate manpage.
+ * Adding initial dehydrated-cron manpage.
+ * Updating dehydrated todo file.
+
 2021-09-06 Daniel Baumann <daniel.baumann@open-infrastructure.net>
 * Releasing version 20210906.
diff --git a/VERSION.txt b/VERSION.txt
index 7ef5329..c6c7886 100644
--- a/VERSION.txt
+++ b/VERSION.txt
@@ -1 +1 @@
-20210906
+20210907
diff --git a/dehydrated/Makefile b/dehydrated/Makefile
index 5a6239d..534adf8 100644
--- a/dehydrated/Makefile
+++ b/dehydrated/Makefile
@@ -58,7 +58,8 @@ test:
 fi
 @echo " done."
-build:
+build: share/man/*.rst
+ $(MAKE) -C share/man
 install: build
 mkdir -p $(DESTDIR)/etc/dehydrated/hook.d
@@ -81,7 +82,25 @@ install: build
 ln -sf /usr/bin/dehydrated-nsupdate $(DESTDIR)/usr/share/dehydrated/hooks/clean_challenge.nsupdate
 ln -sf /usr/bin/dehydrated-nsupdate $(DESTDIR)/usr/share/dehydrated/hooks/deploy_challenge.nsupdate
+ for SECTION in $$(seq 1 8); \
+ do \
+ if ls share/man/*.$${SECTION} > /dev/null 2>&1; \
+ then \
+ mkdir -p $(DESTDIR)/usr/share/man/man$${SECTION}; \
+ cp share/man/*.$${SECTION} $(DESTDIR)/usr/share/man/man$${SECTION}; \
+ fi; \
+ done
+
 uninstall:
+ for SECTION in $$(seq 1 8); \
+ do \
+ for FILE in share/man/*.$${SECTION}; \
+ do \
+ rm -f $(DESTDIR)/usr/share/man/man$${SECTION}/$$(basename $${FILE}); \
+ done; \
+ rmdir --ignore-fail-on-non-empty --parents $(DESTDIR)/usr/share/man/man$${SECTION} || true; \
+ done
+
 rm -rf $(DESTDIR)/usr/share/dehydrated/hooks
 rmdir --ignore-fail-on-non-empty --parents $(DESTDIR)/usr/share/dehydrated || true
diff --git a/dehydrated/TODO b/dehydrated/TODO
index bd980cc..2bce240 100644
--- a/dehydrated/TODO
+++ b/dehydrated/TODO
@@ -1,4 +1,5 @@
 TODO
 ====
- * write manpages
+ * use /etc/default for dehydrated-cron
+ * use /etc/default for dehydrated-hook
diff --git a/dehydrated/share/man/Makefile b/dehydrated/share/man/Makefile
new file mode 100644
index 0000000..ff27677
--- /dev/null
+++ b/dehydrated/share/man/Makefile
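Review bot: The new `uninstall` loop derives the installed page names from `share/man/*.$${SECTION}`, i.e. from the generated pages in the build tree, so after `make clean` (or on a tree that was never built) the glob stays literal and nothing under `$(DESTDIR)/usr/share/man` is removed. Deriving the names from the sources instead makes uninstall independent of build state: `for FILE in share/man/*.$${SECTION}.rst; \` and `rm -f $(DESTDIR)/usr/share/man/man$${SECTION}/$$(basename $${FILE} .rst); \`. The `ls`-guarded glob in the `install` loop above is fine because `install` depends on `build`. Note that `rmdir --parents` also walks up through `$(DESTDIR)` itself when it ends up empty, mirroring the existing `rmdir` line below it; a one-line comment saying that is intended would save the next reader a surprise. The `install` and `uninstall` rules extend beyond this hunk.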
@@ -0,0 +1,59 @@
+# Open Infrastructure: service-tools
+
+# Copyright (C) 2014-2021 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+#
+# SPDX-License-Identifier: GPL-3.0+
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+# Depends: python3-docutils
+
+RST2MAN = rst2man \
+ --no-datestamp \
+ --no-generator \
+ --strict \
+ --strip-comments \
+ --tab-width=4 \
+ --verbose
+
+VERSION := $(shell cat ../../../VERSION.txt)
+
+SHELL := sh -e
+
+all: build
+
+build: man
+
+rebuild: clean build
+
+man: man.in *.rst
+ @echo -n "Creating manpages... "
+
+ @for FILE in *.rst; \
+ do \
+ cp man.in $$(basename $${FILE} .rst); \
+ $(RST2MAN) $${FILE} | \
+ sed -e '/^.\\" Man page generated/d' \
+ -e '/^.\\" Generated by/d' \
+ -e "s|^\(.TH .*\) \(\"\" \"\"\) |\1 $${VERSION} service-tools |" \
+ >> $$(basename $${FILE} .rst); \
+ echo -n "."; \
+ done
+
+ @echo " done."
+
+clean:
+ rm -f *.[0-9]
+
+.PHONY: all clean build rebuild man
diff --git a/dehydrated/share/man/dehydrated-cron.1.rst b/dehydrated/share/man/dehydrated-cron.1.rst
new file mode 100644
index 0000000..d927f78
--- /dev/null
+++ b/dehydrated/share/man/dehydrated-cron.1.rst
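Review bot: In the `sed` expression of the `man` recipe, `$${VERSION}` reaches the shell as `${VERSION}`, but `VERSION` is a Make variable (`VERSION := $(shell cat ../../../VERSION.txt)`) that is never exported, so unless `VERSION` happens to be set in the environment the version field inserted into the `.TH` line is empty. Using Make's own expansion fixes it: `-e "s|^\(.TH .*\) \(\"\" \"\"\) |\1 $(VERSION) service-tools |" \`. Separately, `SHELL := sh -e` does not catch a failing `rst2man` inside the `$(RST2MAN) ... | sed ...` pipeline (only sed's exit status counts), and since the output file is already created by `cp man.in ...` before the pipeline runs, a page consisting of just the man.in header is left behind while `build` reports success; rendering to a temporary file and moving it into place only on success would close that gap. A short comment next to `VERSION` stating that it is consumed by the `.TH` rewrite would also help.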
@@ -0,0 +1,84 @@
+.. Open Infrastructure: service-tools
+
+.. Copyright (C) 2014-2021 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+..
+.. SPDX-License-Identifier: GPL-3.0+
+..
+.. This program is free software: you can redistribute it and/or modify
+.. it under the terms of the GNU General Public License as published by
+.. the Free Software Foundation, either version 3 of the License, or
+.. (at your option) any later version.
+..
+.. This program is distributed in the hope that it will be useful,
+.. but WITHOUT ANY WARRANTY; without even the implied warranty of
+.. MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.. GNU General Public License for more details.
+..
+.. You should have received a copy of the GNU General Public License
+.. along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+===============
+dehydrated-cron
+===============
+
+----------------------------------------------------
+dehydrated cronjob for automatic certificate renewal
+----------------------------------------------------
+
+:manual section: 1
+:manual group: Open Infrastructure
+
+Synopsis
+========
+
+| **dehydrated-cron**
+
+Description
+===========
+
+**dehydrated** is a client for ACME-based Certificate Authorities, such as
+LetsEncrypt. It can be used to request and obtain TLS certificates from an
+ACME-based certificate authority.
+
+The **dehydrated-cron** script runs dehydrated once per day and on system
+reboot for an automatic certificate renewal.
+
+Files
+=====
+
+The following files are used:
+
+/etc/cron.d/dehydrated:
+ cronjob file.
+
+/usr/bin/dehydrated-cron:
+ script that gets executed by cron.
+
+See also
+========
+
+| dehydrated(1),
+| dehydrated-hook(1),
+| dehydrated-nsupdate(1).
+
+Homepage
+========
+
+More information about service-tools and the Open Infrastructure project can be
+found on the homepage (https://open-infrastructure.net).
+
+Contact
+=======
+
+Bug reports, feature requests, help, patches, support and everything else are
+welcome on the Open Infrastructure Software Mailing List
+<software@lists.open-infrastructure.net>.
+
+Debian specific bugs can also be reported in the Debian Bug Tracking System
+(https://bugs.debian.org).
+
+Authors
+=======
+
+service-tools were written by Daniel Baumann
+<daniel.baumann@open-infrastructure.net> and others.
diff --git a/dehydrated/share/man/dehydrated-hook.1.rst b/dehydrated/share/man/dehydrated-hook.1.rst
new file mode 100644
index 0000000..7dc8f49
--- /dev/null
+++ b/dehydrated/share/man/dehydrated-hook.1.rst
@@ -0,0 +1,111 @@
+.. Open Infrastructure: service-tools
+
+.. Copyright (C) 2014-2021 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+..
+.. SPDX-License-Identifier: GPL-3.0+
+..
+.. This program is free software: you can redistribute it and/or modify
+.. it under the terms of the GNU General Public License as published by
+.. the Free Software Foundation, either version 3 of the License, or
+.. (at your option) any later version.
+..
+.. This program is distributed in the hope that it will be useful,
+.. but WITHOUT ANY WARRANTY; without even the implied warranty of
+.. MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.. GNU General Public License for more details.
+..
+.. You should have received a copy of the GNU General Public License
+.. along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+===============
+dehydrated-hook
+===============
+
+-------------------------
+dehydrated run-parts hook
+-------------------------
+
+:manual section: 1
+:manual group: Open Infrastructure
+
+Synopsis
+========
+
+| **dehydrated-hook** 'HANDLER'
+
+Description
+===========
+
+**dehydrated** is a client for ACME-based Certificate Authorities, such as
+LetsEncrypt. It can be used to request and obtain TLS certificates from an
+ACME-based certificate authority.
+
+The **dehydrated-hook** makes it possible to run multiple scripts in every
+stage within the process of creating, signing and deploying a certificate.
+
+Scripts need to be placed in /etc/dehydrated/hook.d and need to be prefixed
+with the name of the handler, e.g. exit_hook.example1 or exit_hook.example2.sh
+
+Handlers
+========
+
+The following **dehydrated** handlers are available:
+
+| deploy_challenge
+
+| clean_challenge
+
+| sync_cert
+
+| deploy_cert
+
+| deploy_ocsp
+
+| unchanged_cert
+
+| invalid_challenge
+
+| request_failure
+
+| generate_csr
+
+| startup_hook
+
+| exit_hook
+
+Files
+=====
+
+The following files are used:
+
+/etc/dehydrated/hook.d:
+ directory to place individual hooks.
+
+See also
+========
+
+| dehydrated(1),
+| dehydrated-cron(1),
+| dehydrated-nsupdate(1).
+
+Homepage
+========
+
+More information about service-tools and the Open Infrastructure project can be
+found on the homepage (https://open-infrastructure.net).
+
+Contact
+=======
+
+Bug reports, feature requests, help, patches, support and everything else are
+welcome on the Open Infrastructure Software Mailing List
+<software@lists.open-infrastructure.net>.
+
+Debian specific bugs can also be reported in the Debian Bug Tracking System
+(https://bugs.debian.org).
+
+Authors
+=======
+
+service-tools were written by Daniel Baumann
+<daniel.baumann@open-infrastructure.net> and others.
diff --git a/dehydrated/share/man/dehydrated-nsupdate.1.rst b/dehydrated/share/man/dehydrated-nsupdate.1.rst
new file mode 100644
index 0000000..db88f5e
--- /dev/null
+++ b/dehydrated/share/man/dehydrated-nsupdate.1.rst
@@ -0,0 +1,117 @@
+.. Open Infrastructure: service-tools
+
+.. Copyright (C) 2014-2021 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+..
+.. SPDX-License-Identifier: GPL-3.0+
+..
+.. This program is free software: you can redistribute it and/or modify
+.. it under the terms of the GNU General Public License as published by
+.. the Free Software Foundation, either version 3 of the License, or
+.. (at your option) any later version.
+..
+.. This program is distributed in the hope that it will be useful,
+.. but WITHOUT ANY WARRANTY; without even the implied warranty of
+.. MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.. GNU General Public License for more details.
+..
+.. You should have received a copy of the GNU General Public License
+.. along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+===================
+dehydrated-nsupdate
+===================
+
+---------------------------------------
+dehydrated hook for dns-01 verification
+---------------------------------------
+
+:manual section: 1
+:manual group: Open Infrastructure
+
+Synopsis
+========
+
+| **dehydrated-nsupdate**
+
+Description
+===========
+
+**dehydrated** is a client for ACME-based Certificate Authorities, such as
+LetsEncrypt. It can be used to request and obtain TLS certificates from an
+ACME-based certificate authority.
+
+The **dehydrated-nsupdate** hook implements the dns-01 verification. It is
+typically run together with **dehydrated-hook** as:
+
+| /etc/dehydrated/hook.d/deploy_challenge.nsupdate
+
+| /etc/dehydrated/hook.d/clean_challenge.nsupdate
+
+Features
+========
+
+**dehydrated-nsupdate** has the following features:
+
+| **automatic nameserver detection**
+| **dehydrated-nsupdate** automatically finds and updates all authoritative
+| nameservers for a given record by looking up the records in the DNS by itself.
+
+| **proper CNAME support**
+| **dehydrated-nsupdate** follows CNAMEs delegating the TXT record creation to
+| another zone.
+
+| **handling nameserver subzone shortcuts**
+| **dehydrated-nsupdate** correctly handles authoritative nameserver
+| answers that give shortcut answers for their own zones when using
+| multiple subzones.
+
+| **TSIG support**
+| **dehydrated-nsupdate** uses TSIG, if provided, to authenticate
+| itself to the nameserver.
+
+| **proper removal of TXT records**
+| **dehydrated-nsupdate** removes records after succesfull verification.
+
+| **bind9-dnsutils and knot-dnsutils support*
+| **dehydrated-nsupdate** works with both nsupdate (bind9) and knsupdate (knot).
+
+Files
+=====
+
+The following files are used:
+
+/etc/dehydrated/tsig.key:
+ default location for the TSIG key to be used.
+
+/etc/default/dehydrated-nsupdate, /etc/default/dehydrated-nsupdate.d/*:
+ configuration file, currently only used for TSIG_KEYFILE variable pointing
+ to the tsig.key file to be used (default: /etc/dehydrated/tsig.key).
+
+See also
+========
+
+| dehydrated(1),
+| dehydrated-cron(1),
+| dehydrated-hook(1).
+
+Homepage
+========
+
+More information about service-tools and the Open Infrastructure project can be
+found on the homepage (https://open-infrastructure.net).
+
+Contact
+=======
+
+Bug reports, feature requests, help, patches, support and everything else are
+welcome on the Open Infrastructure Software Mailing List
+<software@lists.open-infrastructure.net>.
+
+Debian specific bugs can also be reported in the Debian Bug Tracking System
+(https://bugs.debian.org).
+
+Authors
+=======
+
+service-tools were written by Daniel Baumann
+<daniel.baumann@open-infrastructure.net> and others.
diff --git a/dehydrated/share/man/man.in b/dehydrated/share/man/man.in
new file mode 100644
index 0000000..b7acdb7
--- /dev/null
+++ b/dehydrated/share/man/man.in
@@ -0,0 +1,19 @@
+.\" Open Infrastructure: service-tools
+.\"
+.\" Copyright (C) 2014-2021 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+.\"
+.\" SPDX-License-Identifier: GPL-3.0+
+.\"
+.\" This program is free software: you can redistribute it and/or modify
+.\" it under the terms of the GNU General Public License as published by
+.\" the Free Software Foundation, either version 3 of the License, or
+.\" (at your option) any later version.
+.\"
+.\" This program is distributed in the hope that it will be useful,
+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.\" GNU General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public License
+.\" along with this program. If not, see <https://www.gnu.org/licenses/>.
+.\"
diff --git a/knot/bin/knot-zone-reset b/knot/bin/knot-reset-zones
index cc310b0..aae5ec1 100755
--- a/knot/bin/knot-zone-reset
+++ b/knot/bin/knot-reset-zones
@@ -33,9 +33,10 @@ for HOST in ${HOSTS}
 do
 case "${HOST}" in
 localhost)
- echo -n "Flushing zone memory..."
+ echo -n "Resetting in-memory data for all zones..."
 service knot stop
+ rm -rf /var/lib/knot/journal/*.mdb
 rm -rf /var/lib/knot/timers/*.mdb
 service knot start
@@ -43,9 +44,13 @@ do
 ;;
 *)
- echo -n "Flushing ${HOST} zone memory..."
+ echo -n "'${HOST}': Resetting in-memory data for all zones..."
- ssh "${HOST}" "sudo service knot stop && rm -rf /var/lib/knot/timers/*.mdb && sudo service knot start"
+ ssh "${HOST}" \
+ "sudo service knot stop && \
+ rm -rf /var/lib/knot/journal/*.mdb && \
+ rm -rf /var/lib/knot/timers/*.mdb && \
+ sudo service knot start"
 echo " done."
 ;;
diff --git a/knot/share/cron/knot-reset-zones b/knot/share/cron/knot-reset-zones
new file mode 100755
index 0000000..9762da4
--- /dev/null
+++ b/knot/share/cron/knot-reset-zones
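Review bot: In the remote branch of knot-reset-zones, the new `rm -rf /var/lib/knot/journal/*.mdb` (like the existing timers removal) runs as the plain ssh user while `service knot stop` and `service knot start` run under `sudo`; if that user cannot remove the files, the `&&` chain aborts after knot has already been stopped and the remote nameserver stays down until someone notices. Running the removals with the same privilege keeps the chain consistent: `sudo rm -rf /var/lib/knot/journal/*.mdb && \` and `sudo rm -rf /var/lib/knot/timers/*.mdb && \`, and it is worth making `sudo service knot start` run regardless of the removal result so the outage is bounded. The `localhost` branch in the first hunk has the same stop/rm/rm/start shape with nothing guaranteeing the `service knot start` line is reached when a removal fails; whether the script runs under `set -e` is not visible in the hunks. Both hunks are inside the `for HOST` / `case` block, which begins before the first hunk and ends after the second.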
@@ -0,0 +1,3 @@
+# /etc/cron.d/knot-reset-zone
+
+0 0 * * * root /usr/bin/knot-reset-zones localhost > /dev/null 2>&1
diff --git a/knot/share/cron/knot-zone-reset b/knot/share/cron/knot-zone-reset
deleted file mode 100755
index b6ec7a7..0000000
--- a/knot/share/cron/knot-zone-reset
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/cron.d/knot-reset-zone
-
-0 0 * * * root /usr/bin/knot-reset-zone localhost > /dev/null 2>&1 |
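Review bot: The header comment of the new cron file still carries the old name, `# /etc/cron.d/knot-reset-zone`, while the file itself and the command it runs are now `knot-reset-zones`; it should read `# /etc/cron.d/knot-reset-zones` so that the installed path, the comment and the binary agree. Apart from the command name, the new file is identical to the deleted `knot-zone-reset`, so this is the only line that needs touching.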