From b8527ea38c4107c67f87e6a7b856333f09b4f907 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Tue, 7 Sep 2021 06:20:28 +0200 Subject: Merging upstream version 20210907. Signed-off-by: Daniel Baumann --- CHANGELOG.txt | 13 +++ VERSION.txt | 2 +- dehydrated/Makefile | 21 ++++- dehydrated/TODO | 3 +- dehydrated/share/man/Makefile | 59 +++++++++++++ dehydrated/share/man/dehydrated-cron.1.rst | 84 ++++++++++++++++++ dehydrated/share/man/dehydrated-hook.1.rst | 111 +++++++++++++++++++++++ dehydrated/share/man/dehydrated-nsupdate.1.rst | 117 +++++++++++++++++++++++++ dehydrated/share/man/man.in | 19 ++++ knot/bin/knot-reset-zones | 58 ++++++++++++ knot/bin/knot-zone-reset | 53 ----------- knot/share/cron/knot-reset-zones | 3 + knot/share/cron/knot-zone-reset | 3 - 13 files changed, 487 insertions(+), 59 deletions(-) create mode 100644 dehydrated/share/man/Makefile create mode 100644 dehydrated/share/man/dehydrated-cron.1.rst create mode 100644 dehydrated/share/man/dehydrated-hook.1.rst create mode 100644 dehydrated/share/man/dehydrated-nsupdate.1.rst create mode 100644 dehydrated/share/man/man.in create mode 100755 knot/bin/knot-reset-zones delete mode 100755 knot/bin/knot-zone-reset create mode 100755 knot/share/cron/knot-reset-zones delete mode 100755 knot/share/cron/knot-zone-reset diff --git a/CHANGELOG.txt b/CHANGELOG.txt index 9b39627..b5632a6 100644 --- a/CHANGELOG.txt +++ b/CHANGELOG.txt @@ -1,3 +1,16 @@ +2021-09-07 Daniel Baumann + + * Releasing version 20210907. + + [ Daniel Baumann ] + * Updating knot-zone-reset to really remove all in-memory data completely. + * Renaming knot-zone-reset to knot-reset-zones for consistency. + * Adding manpage tooling for dehydrated-tools. + * Adding initial dehydrated-hook manpage. + * Adding initial dehydrated-nsupdate manpage. + * Adding initial dehydrated-cron manpage. + * Updating dehydrated todo file. + 2021-09-06 Daniel Baumann * Releasing version 20210906. 
diff --git a/VERSION.txt b/VERSION.txt index 7ef5329..c6c7886 100644 --- a/VERSION.txt +++ b/VERSION.txt @@ -1 +1 @@ -20210906 +20210907 diff --git a/dehydrated/Makefile b/dehydrated/Makefile index 5a6239d..534adf8 100644 --- a/dehydrated/Makefile +++ b/dehydrated/Makefile @@ -58,7 +58,8 @@ test: fi @echo " done." -build: +build: share/man/*.rst + $(MAKE) -C share/man install: build mkdir -p $(DESTDIR)/etc/dehydrated/hook.d @@ -81,7 +82,25 @@ install: build ln -sf /usr/bin/dehydrated-nsupdate $(DESTDIR)/usr/share/dehydrated/hooks/clean_challenge.nsupdate ln -sf /usr/bin/dehydrated-nsupdate $(DESTDIR)/usr/share/dehydrated/hooks/deploy_challenge.nsupdate + for SECTION in $$(seq 1 8); \ + do \ + if ls share/man/*.$${SECTION} > /dev/null 2>&1; \ + then \ + mkdir -p $(DESTDIR)/usr/share/man/man$${SECTION}; \ + cp share/man/*.$${SECTION} $(DESTDIR)/usr/share/man/man$${SECTION}; \ + fi; \ + done + uninstall: + for SECTION in $$(seq 1 8); \ + do \ + for FILE in share/man/*.$${SECTION}; \ + do \ + rm -f $(DESTDIR)/usr/share/man/man$${SECTION}/$$(basename $${FILE}); \ + done; \ + rmdir --ignore-fail-on-non-empty --parents $(DESTDIR)/usr/share/man/man$${SECTION} || true; \ + done + rm -rf $(DESTDIR)/usr/share/dehydrated/hooks rmdir --ignore-fail-on-non-empty --parents $(DESTDIR)/usr/share/dehydrated || true diff --git a/dehydrated/TODO b/dehydrated/TODO index bd980cc..2bce240 100644 --- a/dehydrated/TODO +++ b/dehydrated/TODO @@ -1,4 +1,5 @@ TODO ==== - * write manpages + * use /etc/default for dehydrated-cron + * use /etc/default for dehydrated-hook diff --git a/dehydrated/share/man/Makefile b/dehydrated/share/man/Makefile new file mode 100644 index 0000000..ff27677 --- /dev/null +++ b/dehydrated/share/man/Makefile 
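Review bot: In the new `uninstall` recipe, `for FILE in share/man/*.$${SECTION}` has no guard equivalent to the `ls` test used in the `install` loop, so for any section without a built page (fresh checkout, or after `make clean` in share/man) the glob stays literal, `basename` yields `*.N`, and the unquoted `rm -f $(DESTDIR)/usr/share/man/manN/*.N` is glob-expanded by the shell and deletes every installed page in that section, not just this package's. Skip non-matches and quote the expansion: `[ -e "$${FILE}" ] || continue; \` before the `rm`, and `rm -f "$(DESTDIR)/usr/share/man/man$${SECTION}/$$(basename "$${FILE}")"; \`. The `cp` in the `install` hunk is safe only because of its `ls` guard; keep the two loops symmetric if either is touched. In the first hunk, `build: share/man/*.rst` makes a tree without any `.rst` file fail with "No rule to make target" instead of building nothing — fine if the sources are always shipped, otherwise `$(wildcard share/man/*.rst)` is the safer prerequisite.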
@@ -0,0 +1,59 @@ +# Open Infrastructure: service-tools + +# Copyright (C) 2014-2021 Daniel Baumann +# +# SPDX-License-Identifier: GPL-3.0+ +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +# Depends: python3-docutils + +RST2MAN = rst2man \ + --no-datestamp \ + --no-generator \ + --strict \ + --strip-comments \ + --tab-width=4 \ + --verbose + +VERSION := $(shell cat ../../../VERSION.txt) + +SHELL := sh -e + +all: build + +build: man + +rebuild: clean build + +man: man.in *.rst + @echo -n "Creating manpages... " + + @for FILE in *.rst; \ + do \ + cp man.in $$(basename $${FILE} .rst); \ + $(RST2MAN) $${FILE} | \ + sed -e '/^.\\" Man page generated/d' \ + -e '/^.\\" Generated by/d' \ + -e "s|^\(.TH .*\) \(\"\" \"\"\) |\1 $${VERSION} service-tools |" \ + >> $$(basename $${FILE} .rst); \ + echo -n "."; \ + done + + @echo " done." + +clean: + rm -f *.[0-9] + +.PHONY: all clean build rebuild man diff --git a/dehydrated/share/man/dehydrated-cron.1.rst b/dehydrated/share/man/dehydrated-cron.1.rst new file mode 100644 index 0000000..d927f78 --- /dev/null +++ b/dehydrated/share/man/dehydrated-cron.1.rst 
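Review bot: The `sed` expression in the `man` recipe uses `$${VERSION}`, which is the shell environment variable, not the make variable set by `VERSION := $(shell cat ../../../VERSION.txt)`; GNU make does not export a `:=` variable to recipes unless it is `export`ed or came from the environment, so unless the parent Makefile exports it (not visible in this diff) the `.TH` line is stamped with an empty version — `$(VERSION)` is what was meant. Separately, because the pipeline `$(RST2MAN) $${FILE} | sed … >> FILE` runs under `sh -e` without pipefail, only `sed`'s status is checked, so a failure of `rst2man --strict` leaves a truncated `.1` file that is never rebuilt (the `man` target is phony and the generated pages are not targets of any rule). Building each page as its own target through a temp file makes a failed conversion visible and keeps `make -j` correct; the rewrite below replaces the `man` and `clean` rules and leaves the header, `RST2MAN`, `VERSION`, `SHELL`, `all`, `build`, `rebuild` and `.PHONY` as they are.
```make
MANPAGES := $(patsubst %.rst,%,$(wildcard *.rst))

man: $(MANPAGES)

# One page per .rst; the target is the page name (dehydrated-cron.1 from
# dehydrated-cron.1.rst), assembled in a temp file and moved into place only
# when every step succeeded.
$(MANPAGES): %: %.rst man.in
	@echo -n "Creating $@... "
	@cp man.in $@.tmp
	@$(RST2MAN) $< > $@.body.tmp
	@sed -e '/^.\\" Man page generated/d' \
	    -e '/^.\\" Generated by/d' \
	    -e "s|^\(.TH .*\) \(\"\" \"\"\) |\1 $(VERSION) service-tools |" \
	    $@.body.tmp >> $@.tmp
	@rm -f $@.body.tmp
	@mv -f $@.tmp $@
	@echo " done."

clean:
	rm -f *.[0-9] *.tmp
```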
@@ -0,0 +1,84 @@ +.. Open Infrastructure: service-tools + +.. Copyright (C) 2014-2021 Daniel Baumann +.. +.. SPDX-License-Identifier: GPL-3.0+ +.. +.. This program is free software: you can redistribute it and/or modify +.. it under the terms of the GNU General Public License as published by +.. the Free Software Foundation, either version 3 of the License, or +.. (at your option) any later version. +.. +.. This program is distributed in the hope that it will be useful, +.. but WITHOUT ANY WARRANTY; without even the implied warranty of +.. MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +.. GNU General Public License for more details. +.. +.. You should have received a copy of the GNU General Public License +.. along with this program. If not, see . + +=============== +dehydrated-cron +=============== + +---------------------------------------------------- +dehydrated cronjob for automatic certificate renewal +---------------------------------------------------- + +:manual section: 1 +:manual group: Open Infrastructure + +Synopsis +======== + +| **dehydrated-cron** + +Description +=========== + +**dehydrated** is a client for ACME-based Certificate Authorities, such as +LetsEncrypt. It can be used to request and obtain TLS certificates from an +ACME-based certificate authority. + +The **dehydrated-cron** script runs dehydrated once per day and on system +reboot for an automatic certificate renewal. + +Files +===== + +The following files are used: + +/etc/cron.d/dehydrated: + cronjob file. + +/usr/bin/dehydrated-cron: + script that gets executed by cron. + +See also +======== + +| dehydrated(1), +| dehydrated-hook(1), +| dehydrated-nsupdate(1). + +Homepage +======== + +More information about service-tools and the Open Infrastructure project can be +found on the homepage (https://open-infrastructure.net). 
+ +Contact +======= + +Bug reports, feature requests, help, patches, support and everything else are +welcome on the Open Infrastructure Software Mailing List +. + +Debian specific bugs can also be reported in the Debian Bug Tracking System +(https://bugs.debian.org). + +Authors +======= + +service-tools were written by Daniel Baumann + and others. diff --git a/dehydrated/share/man/dehydrated-hook.1.rst b/dehydrated/share/man/dehydrated-hook.1.rst new file mode 100644 index 0000000..7dc8f49 --- /dev/null +++ b/dehydrated/share/man/dehydrated-hook.1.rst 
@@ -0,0 +1,111 @@ +.. Open Infrastructure: service-tools + +.. Copyright (C) 2014-2021 Daniel Baumann +.. +.. SPDX-License-Identifier: GPL-3.0+ +.. +.. This program is free software: you can redistribute it and/or modify +.. it under the terms of the GNU General Public License as published by +.. the Free Software Foundation, either version 3 of the License, or +.. (at your option) any later version. +.. +.. This program is distributed in the hope that it will be useful, +.. but WITHOUT ANY WARRANTY; without even the implied warranty of +.. MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +.. GNU General Public License for more details. +.. +.. You should have received a copy of the GNU General Public License +.. along with this program. If not, see . + +=============== +dehydrated-hook +=============== + +------------------------- +dehydrated run-parts hook +------------------------- + +:manual section: 1 +:manual group: Open Infrastructure + +Synopsis +======== + +| **dehydrated-hook** 'HANDLER' + +Description +=========== + +**dehydrated** is a client for ACME-based Certificate Authorities, such as +LetsEncrypt. It can be used to request and obtain TLS certificates from an +ACME-based certificate authority. + +The **dehydrated-hook** makes it possible to run multiple scripts in every +stage within the process of creating, signing and deploying a certificate. + +Scripts need to be placed in /etc/dehydrated/hook.d and need to be prefixed +with the name of the handler, e.g. exit_hook.example1 or exit_hook.example2.sh + +Handlers +======== + +The following **dehydrated** handlers are available: + +| deploy_challenge + +| clean_challenge + +| sync_cert + +| deploy_cert + +| deploy_ocsp + +| unchanged_cert + +| invalid_challenge + +| request_failure + +| generate_csr + +| startup_hook + +| exit_hook + +Files +===== + +The following files are used: + +/etc/dehydrated/hook.d: + directory to place individual hooks. 
+ +See also +======== + +| dehydrated(1), +| dehydrated-cron(1), +| dehydrated-nsupdate(1). + +Homepage +======== + +More information about service-tools and the Open Infrastructure project can be +found on the homepage (https://open-infrastructure.net). + +Contact +======= + +Bug reports, feature requests, help, patches, support and everything else are +welcome on the Open Infrastructure Software Mailing List +. + +Debian specific bugs can also be reported in the Debian Bug Tracking System +(https://bugs.debian.org). + +Authors +======= + +service-tools were written by Daniel Baumann + and others. diff --git a/dehydrated/share/man/dehydrated-nsupdate.1.rst b/dehydrated/share/man/dehydrated-nsupdate.1.rst new file mode 100644 index 0000000..db88f5e --- /dev/null +++ b/dehydrated/share/man/dehydrated-nsupdate.1.rst 
@@ -0,0 +1,117 @@ +.. Open Infrastructure: service-tools + +.. Copyright (C) 2014-2021 Daniel Baumann +.. +.. SPDX-License-Identifier: GPL-3.0+ +.. +.. This program is free software: you can redistribute it and/or modify +.. it under the terms of the GNU General Public License as published by +.. the Free Software Foundation, either version 3 of the License, or +.. (at your option) any later version. +.. +.. This program is distributed in the hope that it will be useful, +.. but WITHOUT ANY WARRANTY; without even the implied warranty of +.. MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +.. GNU General Public License for more details. +.. +.. You should have received a copy of the GNU General Public License +.. along with this program. If not, see . + +=================== +dehydrated-nsupdate +=================== + +--------------------------------------- +dehydrated hook for dns-01 verification +--------------------------------------- + +:manual section: 1 +:manual group: Open Infrastructure + +Synopsis +======== + +| **dehydrated-nsupdate** + +Description +=========== + +**dehydrated** is a client for ACME-based Certificate Authorities, such as +LetsEncrypt. It can be used to request and obtain TLS certificates from an +ACME-based certificate authority. + +The **dehydrated-nsupdate** hook implements the dns-01 verification. It is +typically run together with **dehydrated-hook** as: + +| /etc/dehydrated/hook.d/deploy_challenge.nsupdate + +| /etc/dehydrated/hook.d/clean_challenge.nsupdate + +Features +======== + +**dehydrated-nsupdate** has the following features: + +| **automatic nameserver detection** +| **dehydrated-nsupdate** automatically finds and updates all authoritative +| nameservers for a given record by looking up the records in the DNS by itself. + +| **proper CNAME support** +| **dehydrated-nsupdate** follows CNAMEs delegating the TXT record creation to +| another zone. 
+ +| **handling nameserver subzone shortcuts** +| **dehydrated-nsupdate** correctly handles authoritative nameserver +| answers that give shortcut answers for their own zones when using +| multiple subzones. + +| **TSIG support** +| **dehydrated-nsupdate** uses TSIG, if provided, to authenticate +| itself to the nameserver. + +| **proper removal of TXT records** +| **dehydrated-nsupdate** removes records after succesfull verification. + +| **bind9-dnsutils and knot-dnsutils support* +| **dehydrated-nsupdate** works with both nsupdate (bind9) and knsupdate (knot). + +Files +===== + +The following files are used: + +/etc/dehydrated/tsig.key: + default location for the TSIG key to be used. + +/etc/default/dehydrated-nsupdate, /etc/default/dehydrated-nsupdate.d/*: + configuration file, currently only used for TSIG_KEYFILE variable pointing + to the tsig.key file to be used (default: /etc/dehydrated/tsig.key). + +See also +======== + +| dehydrated(1), +| dehydrated-cron(1), +| dehydrated-hook(1). + +Homepage +======== + +More information about service-tools and the Open Infrastructure project can be +found on the homepage (https://open-infrastructure.net). + +Contact +======= + +Bug reports, feature requests, help, patches, support and everything else are +welcome on the Open Infrastructure Software Mailing List +. + +Debian specific bugs can also be reported in the Debian Bug Tracking System +(https://bugs.debian.org). + +Authors +======= + +service-tools were written by Daniel Baumann + and others. diff --git a/dehydrated/share/man/man.in b/dehydrated/share/man/man.in new file mode 100644 index 0000000..b7acdb7 --- /dev/null +++ b/dehydrated/share/man/man.in 
@@ -0,0 +1,19 @@ +.\" Open Infrastructure: service-tools +.\" +.\" Copyright (C) 2014-2021 Daniel Baumann +.\" +.\" SPDX-License-Identifier: GPL-3.0+ +.\" +.\" This program is free software: you can redistribute it and/or modify +.\" it under the terms of the GNU General Public License as published by +.\" the Free Software Foundation, either version 3 of the License, or +.\" (at your option) any later version. +.\" +.\" This program is distributed in the hope that it will be useful, +.\" but WITHOUT ANY WARRANTY; without even the implied warranty of +.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +.\" GNU General Public License for more details. +.\" +.\" You should have received a copy of the GNU General Public License +.\" along with this program. If not, see . +.\" diff --git a/knot/bin/knot-reset-zones b/knot/bin/knot-reset-zones new file mode 100755 index 0000000..aae5ec1 --- /dev/null +++ b/knot/bin/knot-reset-zones 
@@ -0,0 +1,58 @@ +#!/bin/sh + +# Open Infrastructure: service-tools + +# Copyright (C) 2014-2021 Daniel Baumann +# +# SPDX-License-Identifier: GPL-3.0+ +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +set -e + +HOSTS="${*}" + +if [ -z "${HOSTS}" ] +then + echo "Usage: ${0} localhost|[HOST1 HOST2 ...]" >&2 + exit 1 +fi + +for HOST in ${HOSTS} +do + case "${HOST}" in + localhost) + echo -n "Resetting in-memory data for all zones..." + + service knot stop + rm -rf /var/lib/knot/journal/*.mdb + rm -rf /var/lib/knot/timers/*.mdb + service knot start + + echo " done." + ;; + + *) + echo -n "'${HOST}': Resetting in-memory data for all zones..." + + ssh "${HOST}" \ + "sudo service knot stop && \ + rm -rf /var/lib/knot/journal/*.mdb && \ + rm -rf /var/lib/knot/timers/*.mdb && \ + sudo service knot start" + + echo " done." + ;; + esac +done diff --git a/knot/bin/knot-zone-reset b/knot/bin/knot-zone-reset deleted file mode 100755 index cc310b0..0000000 --- a/knot/bin/knot-zone-reset +++ /dev/null 
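Review bot: In the `localhost` branch, `set -e` means that if the newly added `rm -rf /var/lib/knot/journal/*.mdb` (or the timers removal) fails, the script aborts between `service knot stop` and `service knot start` and leaves the nameserver down without any message; the remote branch has the same shape through its `&&` chain, and there the two `rm` commands run without `sudo` while both `service` calls use it, so if the ssh user cannot write under `/var/lib/knot` the remote knot stays stopped. For the remote command use `sudo rm -rf …` on both paths, and locally record the removal status and restart before exiting, as below. Since `journal/` by its name holds knot's persisted zone journal rather than purely in-memory state, a one-line comment stating why discarding it is safe here (e.g. `# journal and timer DBs are rebuilt from the zone files on start`) would help the next maintainer, assuming that is indeed the case.
```sh
		localhost)
			echo -n "Resetting in-memory data for all zones..."

			service knot stop
			# always bring knot back, even if the cleanup failed
			rm -rf /var/lib/knot/journal/*.mdb /var/lib/knot/timers/*.mdb || RET="${?}"
			service knot start

			[ -z "${RET:-}" ] || exit "${RET}"

			echo " done."
			;;
		# … unchanged: remote branch (add sudo to its rm calls) …
```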
@@ -1,53 +0,0 @@ -#!/bin/sh - -# Open Infrastructure: service-tools - -# Copyright (C) 2014-2021 Daniel Baumann -# -# SPDX-License-Identifier: GPL-3.0+ -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -set -e - -HOSTS="${*}" - -if [ -z "${HOSTS}" ] -then - echo "Usage: ${0} localhost|[HOST1 HOST2 ...]" >&2 - exit 1 -fi - -for HOST in ${HOSTS} -do - case "${HOST}" in - localhost) - echo -n "Flushing zone memory..." - - service knot stop - rm -rf /var/lib/knot/timers/*.mdb - service knot start - - echo " done." - ;; - - *) - echo -n "Flushing ${HOST} zone memory..." - - ssh "${HOST}" "sudo service knot stop && rm -rf /var/lib/knot/timers/*.mdb && sudo service knot start" - - echo " done." - ;; - esac -done diff --git a/knot/share/cron/knot-reset-zones b/knot/share/cron/knot-reset-zones new file mode 100755 index 0000000..9762da4 --- /dev/null +++ b/knot/share/cron/knot-reset-zones @@ -0,0 +1,3 @@ +# /etc/cron.d/knot-reset-zone + +0 0 * * * root /usr/bin/knot-reset-zones localhost > /dev/null 2>&1 diff --git a/knot/share/cron/knot-zone-reset b/knot/share/cron/knot-zone-reset deleted file mode 100755 index b6ec7a7..0000000 --- a/knot/share/cron/knot-zone-reset +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/cron.d/knot-reset-zone - -0 0 * * * root /usr/bin/knot-reset-zone localhost > /dev/null 2>&1 -- cgit v1.2.3
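Review bot: The header comment in the new `knot/share/cron/knot-reset-zones` still reads `# /etc/cron.d/knot-reset-zone` although the file and the binary were renamed to `knot-reset-zones`; it should be `# /etc/cron.d/knot-reset-zones`. The job also discards both stdout and stderr (`> /dev/null 2>&1`, carried over from the old file), so a knot that fails to come back after the nightly stop is reported nowhere — dropping the `2>&1` so cron mails stderr, or redirecting to a log file, would surface that, which matters because the script exits early under `set -e` with the service stopped.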