summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--CHANGELOG.txt13
-rw-r--r--VERSION.txt2
-rw-r--r--dehydrated/Makefile21
-rw-r--r--dehydrated/TODO3
-rw-r--r--dehydrated/share/man/Makefile59
-rw-r--r--dehydrated/share/man/dehydrated-cron.1.rst84
-rw-r--r--dehydrated/share/man/dehydrated-hook.1.rst111
-rw-r--r--dehydrated/share/man/dehydrated-nsupdate.1.rst117
-rw-r--r--dehydrated/share/man/man.in19
-rwxr-xr-xknot/bin/knot-reset-zones (renamed from knot/bin/knot-zone-reset)11
-rwxr-xr-xknot/share/cron/knot-reset-zones3
-rwxr-xr-xknot/share/cron/knot-zone-reset3
12 files changed, 437 insertions, 9 deletions
diff --git a/CHANGELOG.txt b/CHANGELOG.txt
index 9b39627..b5632a6 100644
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -1,3 +1,16 @@
+2021-09-07 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+
+ * Releasing version 20210907.
+
+ [ Daniel Baumann ]
+ * Updating knot-zone-reset to really remove all in-memory data completely.
+ * Renaming knot-zone-reset to knot-reset-zones for consistency.
+ * Adding manpage tooling for dehydrated-tools.
+ * Adding initial dehydrated-hook manpage.
+ * Adding initial dehydrated-nsupdate manpage.
+ * Adding initial dehydrated-cron manpage.
+ * Updating dehydrated todo file.
+
2021-09-06 Daniel Baumann <daniel.baumann@open-infrastructure.net>
* Releasing version 20210906.
diff --git a/VERSION.txt b/VERSION.txt
index 7ef5329..c6c7886 100644
--- a/VERSION.txt
+++ b/VERSION.txt
@@ -1 +1 @@
-20210906
+20210907
diff --git a/dehydrated/Makefile b/dehydrated/Makefile
index 5a6239d..534adf8 100644
--- a/dehydrated/Makefile
+++ b/dehydrated/Makefile
@@ -58,7 +58,8 @@ test:
fi
@echo " done."
-build:
+build: share/man/*.rst
+ $(MAKE) -C share/man
install: build
mkdir -p $(DESTDIR)/etc/dehydrated/hook.d
@@ -81,7 +82,25 @@ install: build
ln -sf /usr/bin/dehydrated-nsupdate $(DESTDIR)/usr/share/dehydrated/hooks/clean_challenge.nsupdate
ln -sf /usr/bin/dehydrated-nsupdate $(DESTDIR)/usr/share/dehydrated/hooks/deploy_challenge.nsupdate
+ for SECTION in $$(seq 1 8); \
+ do \
+ if ls share/man/*.$${SECTION} > /dev/null 2>&1; \
+ then \
+ mkdir -p $(DESTDIR)/usr/share/man/man$${SECTION}; \
+ cp share/man/*.$${SECTION} $(DESTDIR)/usr/share/man/man$${SECTION}; \
+ fi; \
+ done
+
uninstall:
+ for SECTION in $$(seq 1 8); \
+ do \
+ for FILE in share/man/*.$${SECTION}; \
+ do \
+ rm -f $(DESTDIR)/usr/share/man/man$${SECTION}/$$(basename $${FILE}); \
+ done; \
+ rmdir --ignore-fail-on-non-empty --parents $(DESTDIR)/usr/share/man/man$${SECTION} || true; \
+ done
+
rm -rf $(DESTDIR)/usr/share/dehydrated/hooks
rmdir --ignore-fail-on-non-empty --parents $(DESTDIR)/usr/share/dehydrated || true
diff --git a/dehydrated/TODO b/dehydrated/TODO
index bd980cc..2bce240 100644
--- a/dehydrated/TODO
+++ b/dehydrated/TODO
@@ -1,4 +1,5 @@
TODO
====
- * write manpages
+ * use /etc/default for dehydrated-cron
+ * use /etc/default for dehydrated-hook
diff --git a/dehydrated/share/man/Makefile b/dehydrated/share/man/Makefile
new file mode 100644
index 0000000..ff27677
--- /dev/null
+++ b/dehydrated/share/man/Makefile
@@ -0,0 +1,59 @@
+# Open Infrastructure: service-tools
+
+# Copyright (C) 2014-2021 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+#
+# SPDX-License-Identifier: GPL-3.0+
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+# Depends: python3-docutils
+
+RST2MAN = rst2man \
+ --no-datestamp \
+ --no-generator \
+ --strict \
+ --strip-comments \
+ --tab-width=4 \
+ --verbose
+
+VERSION := $(shell cat ../../../VERSION.txt)
+
+SHELL := sh -e
+
+all: build
+
+build: man
+
+rebuild: clean build
+
+man: man.in *.rst
+ @echo -n "Creating manpages... "
+
+ @for FILE in *.rst; \
+ do \
+ cp man.in $$(basename $${FILE} .rst); \
+ $(RST2MAN) $${FILE} | \
+ sed -e '/^.\\" Man page generated/d' \
+ -e '/^.\\" Generated by/d' \
+ -e "s|^\(.TH .*\) \(\"\" \"\"\) |\1 $${VERSION} service-tools |" \
+ >> $$(basename $${FILE} .rst); \
+ echo -n "."; \
+ done
+
+ @echo " done."
+
+clean:
+ rm -f *.[0-9]
+
+.PHONY: all clean build rebuild man
diff --git a/dehydrated/share/man/dehydrated-cron.1.rst b/dehydrated/share/man/dehydrated-cron.1.rst
new file mode 100644
index 0000000..d927f78
--- /dev/null
+++ b/dehydrated/share/man/dehydrated-cron.1.rst
@@ -0,0 +1,84 @@
+.. Open Infrastructure: service-tools
+
+.. Copyright (C) 2014-2021 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+..
+.. SPDX-License-Identifier: GPL-3.0+
+..
+.. This program is free software: you can redistribute it and/or modify
+.. it under the terms of the GNU General Public License as published by
+.. the Free Software Foundation, either version 3 of the License, or
+.. (at your option) any later version.
+..
+.. This program is distributed in the hope that it will be useful,
+.. but WITHOUT ANY WARRANTY; without even the implied warranty of
+.. MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.. GNU General Public License for more details.
+..
+.. You should have received a copy of the GNU General Public License
+.. along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+===============
+dehydrated-cron
+===============
+
+----------------------------------------------------
+dehydrated cronjob for automatic certificate renewal
+----------------------------------------------------
+
+:manual section: 1
+:manual group: Open Infrastructure
+
+Synopsis
+========
+
+| **dehydrated-cron**
+
+Description
+===========
+
+**dehydrated** is a client for ACME-based Certificate Authorities, such as
+LetsEncrypt. It can be used to request and obtain TLS certificates from an
+ACME-based certificate authority.
+
+The **dehydrated-cron** script runs dehydrated once per day and on system
+reboot for an automatic certificate renewal.
+
+Files
+=====
+
+The following files are used:
+
+/etc/cron.d/dehydrated:
+ cronjob file.
+
+/usr/bin/dehydrated-cron:
+ script that gets executed by cron.
+
+See also
+========
+
+| dehydrated(1),
+| dehydrated-hook(1),
+| dehydrated-nsupdate(1).
+
+Homepage
+========
+
+More information about service-tools and the Open Infrastructure project can be
+found on the homepage (https://open-infrastructure.net).
+
+Contact
+=======
+
+Bug reports, feature requests, help, patches, support and everything else are
+welcome on the Open Infrastructure Software Mailing List
+<software@lists.open-infrastructure.net>.
+
+Debian specific bugs can also be reported in the Debian Bug Tracking System
+(https://bugs.debian.org).
+
+Authors
+=======
+
+service-tools were written by Daniel Baumann
+<daniel.baumann@open-infrastructure.net> and others.
diff --git a/dehydrated/share/man/dehydrated-hook.1.rst b/dehydrated/share/man/dehydrated-hook.1.rst
new file mode 100644
index 0000000..7dc8f49
--- /dev/null
+++ b/dehydrated/share/man/dehydrated-hook.1.rst
@@ -0,0 +1,111 @@
+.. Open Infrastructure: service-tools
+
+.. Copyright (C) 2014-2021 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+..
+.. SPDX-License-Identifier: GPL-3.0+
+..
+.. This program is free software: you can redistribute it and/or modify
+.. it under the terms of the GNU General Public License as published by
+.. the Free Software Foundation, either version 3 of the License, or
+.. (at your option) any later version.
+..
+.. This program is distributed in the hope that it will be useful,
+.. but WITHOUT ANY WARRANTY; without even the implied warranty of
+.. MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.. GNU General Public License for more details.
+..
+.. You should have received a copy of the GNU General Public License
+.. along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+===============
+dehydrated-hook
+===============
+
+-------------------------
+dehydrated run-parts hook
+-------------------------
+
+:manual section: 1
+:manual group: Open Infrastructure
+
+Synopsis
+========
+
+| **dehydrated-hook** 'HANDLER'
+
+Description
+===========
+
+**dehydrated** is a client for ACME-based Certificate Authorities, such as
+LetsEncrypt. It can be used to request and obtain TLS certificates from an
+ACME-based certificate authority.
+
+The **dehydrated-hook** makes it possible to run multiple scripts in every
+stage within the process of creating, signing and deploying a certificate.
+
+Scripts need to be placed in /etc/dehydrated/hook.d and need to be prefixed
+with the name of the handler, e.g. exit_hook.example1 or exit_hook.example2.sh
+
+Handlers
+========
+
+The following **dehydrated** handlers are available:
+
+| deploy_challenge
+
+| clean_challenge
+
+| sync_cert
+
+| deploy_cert
+
+| deploy_ocsp
+
+| unchanged_cert
+
+| invalid_challenge
+
+| request_failure
+
+| generate_csr
+
+| startup_hook
+
+| exit_hook
+
+Files
+=====
+
+The following files are used:
+
+/etc/dehydrated/hook.d:
+ directory to place individual hooks.
+
+See also
+========
+
+| dehydrated(1),
+| dehydrated-cron(1),
+| dehydrated-nsupdate(1).
+
+Homepage
+========
+
+More information about service-tools and the Open Infrastructure project can be
+found on the homepage (https://open-infrastructure.net).
+
+Contact
+=======
+
+Bug reports, feature requests, help, patches, support and everything else are
+welcome on the Open Infrastructure Software Mailing List
+<software@lists.open-infrastructure.net>.
+
+Debian specific bugs can also be reported in the Debian Bug Tracking System
+(https://bugs.debian.org).
+
+Authors
+=======
+
+service-tools were written by Daniel Baumann
+<daniel.baumann@open-infrastructure.net> and others.
diff --git a/dehydrated/share/man/dehydrated-nsupdate.1.rst b/dehydrated/share/man/dehydrated-nsupdate.1.rst
new file mode 100644
index 0000000..db88f5e
--- /dev/null
+++ b/dehydrated/share/man/dehydrated-nsupdate.1.rst
@@ -0,0 +1,117 @@
+.. Open Infrastructure: service-tools
+
+.. Copyright (C) 2014-2021 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+..
+.. SPDX-License-Identifier: GPL-3.0+
+..
+.. This program is free software: you can redistribute it and/or modify
+.. it under the terms of the GNU General Public License as published by
+.. the Free Software Foundation, either version 3 of the License, or
+.. (at your option) any later version.
+..
+.. This program is distributed in the hope that it will be useful,
+.. but WITHOUT ANY WARRANTY; without even the implied warranty of
+.. MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.. GNU General Public License for more details.
+..
+.. You should have received a copy of the GNU General Public License
+.. along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+===================
+dehydrated-nsupdate
+===================
+
+---------------------------------------
+dehydrated hook for dns-01 verification
+---------------------------------------
+
+:manual section: 1
+:manual group: Open Infrastructure
+
+Synopsis
+========
+
+| **dehydrated-nsupdate**
+
+Description
+===========
+
+**dehydrated** is a client for ACME-based Certificate Authorities, such as
+LetsEncrypt. It can be used to request and obtain TLS certificates from an
+ACME-based certificate authority.
+
+The **dehydrated-nsupdate** hook implements the dns-01 verification. It is
+typically run together with **dehydrated-hook** as:
+
+| /etc/dehydrated/hook.d/deploy_challenge.nsupdate
+
+| /etc/dehydrated/hook.d/clean_challenge.nsupdate
+
+Features
+========
+
+**dehydrated-nsupdate** has the following features:
+
+| **automatic nameserver detection**
+| **dehydrated-nsupdate** automatically finds and updates all authoritative
+| nameservers for a given record by looking up the records in the DNS by itself.
+
+| **proper CNAME support**
+| **dehydrated-nsupdate** follows CNAMEs delegating the TXT record creation to
+| another zone.
+
+| **handling nameserver subzone shortcuts**
+| **dehydrated-nsupdate** correctly handles authoritative nameserver
+| answers that give shortcut answers for their own zones when using
+| multiple subzones.
+
+| **TSIG support**
+| **dehydrated-nsupdate** uses TSIG, if provided, to authenticate
+| itself to the nameserver.
+
+| **proper removal of TXT records**
+| **dehydrated-nsupdate** removes records after succesfull verification.
+
+| **bind9-dnsutils and knot-dnsutils support*
+| **dehydrated-nsupdate** works with both nsupdate (bind9) and knsupdate (knot).
+
+Files
+=====
+
+The following files are used:
+
+/etc/dehydrated/tsig.key:
+ default location for the TSIG key to be used.
+
+/etc/default/dehydrated-nsupdate, /etc/default/dehydrated-nsupdate.d/*:
+ configuration file, currently only used for TSIG_KEYFILE variable pointing
+ to the tsig.key file to be used (default: /etc/dehydrated/tsig.key).
+
+See also
+========
+
+| dehydrated(1),
+| dehydrated-cron(1),
+| dehydrated-hook(1).
+
+Homepage
+========
+
+More information about service-tools and the Open Infrastructure project can be
+found on the homepage (https://open-infrastructure.net).
+
+Contact
+=======
+
+Bug reports, feature requests, help, patches, support and everything else are
+welcome on the Open Infrastructure Software Mailing List
+<software@lists.open-infrastructure.net>.
+
+Debian specific bugs can also be reported in the Debian Bug Tracking System
+(https://bugs.debian.org).
+
+Authors
+=======
+
+service-tools were written by Daniel Baumann
+<daniel.baumann@open-infrastructure.net> and others.
diff --git a/dehydrated/share/man/man.in b/dehydrated/share/man/man.in
new file mode 100644
index 0000000..b7acdb7
--- /dev/null
+++ b/dehydrated/share/man/man.in
@@ -0,0 +1,19 @@
+.\" Open Infrastructure: service-tools
+.\"
+.\" Copyright (C) 2014-2021 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+.\"
+.\" SPDX-License-Identifier: GPL-3.0+
+.\"
+.\" This program is free software: you can redistribute it and/or modify
+.\" it under the terms of the GNU General Public License as published by
+.\" the Free Software Foundation, either version 3 of the License, or
+.\" (at your option) any later version.
+.\"
+.\" This program is distributed in the hope that it will be useful,
+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.\" GNU General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public License
+.\" along with this program. If not, see <https://www.gnu.org/licenses/>.
+.\"
diff --git a/knot/bin/knot-zone-reset b/knot/bin/knot-reset-zones
index cc310b0..aae5ec1 100755
--- a/knot/bin/knot-zone-reset
+++ b/knot/bin/knot-reset-zones
@@ -33,9 +33,10 @@ for HOST in ${HOSTS}
do
case "${HOST}" in
localhost)
- echo -n "Flushing zone memory..."
+ echo -n "Resetting in-memory data for all zones..."
service knot stop
+ rm -rf /var/lib/knot/journal/*.mdb
rm -rf /var/lib/knot/timers/*.mdb
service knot start
@@ -43,9 +44,13 @@ do
;;
*)
- echo -n "Flushing ${HOST} zone memory..."
+ echo -n "'${HOST}': Resetting in-memory data for all zones..."
- ssh "${HOST}" "sudo service knot stop && rm -rf /var/lib/knot/timers/*.mdb && sudo service knot start"
+ ssh "${HOST}" \
+ "sudo service knot stop && \
+ rm -rf /var/lib/knot/journal/*.mdb && \
+ rm -rf /var/lib/knot/timers/*.mdb && \
+ sudo service knot start"
echo " done."
;;
diff --git a/knot/share/cron/knot-reset-zones b/knot/share/cron/knot-reset-zones
new file mode 100755
index 0000000..9762da4
--- /dev/null
+++ b/knot/share/cron/knot-reset-zones
@@ -0,0 +1,3 @@
+# /etc/cron.d/knot-reset-zone
+
+0 0 * * * root /usr/bin/knot-reset-zones localhost > /dev/null 2>&1
diff --git a/knot/share/cron/knot-zone-reset b/knot/share/cron/knot-zone-reset
deleted file mode 100755
index b6ec7a7..0000000
--- a/knot/share/cron/knot-zone-reset
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/cron.d/knot-reset-zone
-
-0 0 * * * root /usr/bin/knot-reset-zone localhost > /dev/null 2>&1