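#!/bin/bash
# Emit zone-file records for every hosted domain. This file is a Jinja/Ansible
# template: hosted_domains, external_domain, external_subdomains and
# sslidentity are substituted before the script runs.
set -u -o pipefail

# Default TTL, in seconds, for every record this script prints.
readonly ttl=86400

# Public IPv4 address of this host, written verbatim into the apex A record.
# Fetched over HTTPS and forced to IPv4 (ident.me echoes whichever address
# the client connected from, and an IPv6 reply would land in an A record),
# then checked to be a dotted quad before it can reach the zone. A failed or
# malformed lookup aborts instead of emitting an empty/garbage A record.
externalip="$(curl -4fsS --max-time 10 https://ident.me)" || {
  printf 'error: could not determine external IP from ident.me\n' >&2
  exit 1
}
ipv4_re='^([0-9]{1,3}\.){3}[0-9]{1,3}$'
if [[ ! "$externalip" =~ $ipv4_re ]]; then
  printf 'error: unexpected external IP response: %s\n' "$externalip" >&2
  exit 1
fi
readonly externalip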
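#######################################
# Print the hex SHA-256 of the SubjectPublicKeyInfo of the first certificate
# in a PEM file -- the value a "TLSA <usage> 1 1" record carries.
# `openssl pkey` replaces `openssl rsa` so ECDSA keys are handled instead of
# being silently dropped by the RSA-only command.
# Arguments: $1 - path to a PEM certificate (for chain.pem only the first
#                 certificate, i.e. the issuing intermediate, is read)
# Outputs:   the digest on stdout
# Returns:   0 on success, 1 if the file could not be read or parsed
#######################################
spki_sha256() {
  local pem=$1 digest
  digest=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null \
    | openssl pkey -pubin -outform DER 2>/dev/null \
    | openssl dgst -sha256 -hex 2>/dev/null \
    | awk '{print $NF}')
  [[ -n "$digest" ]] || return 1
  printf '%s\n' "$digest"
}

for domain in {{ hosted_domains }} {{ external_domain }}; do
  echo

  # NS/MX/A -- basic orientation to the world for names, mail, and address
  # NOTE: the SOA serial is a fixed literal; it must be bumped whenever the
  # zone content changes or secondaries will keep serving the old copy.
  cat <<EOM
\$ORIGIN ${domain}.
@ $ttl IN SOA ns51.cloudns.net. support.cloudns.net. 2024040128 7200 1800 1209600 86400
@ $ttl IN NS ns51.cloudns.net.
@ $ttl IN NS ns52.cloudns.net.
@ $ttl IN NS ns53.cloudns.net.
@ $ttl IN NS ns54.cloudns.net.
@ $ttl IN MX 10 mailforward51.cloudns.net.
@ $ttl IN MX 10 mailforward52.cloudns.net.
@ $ttl IN A ${externalip}
EOM

  # CAA -- who can issue certs for this domain
  # https://letsencrypt.org/docs/caa/
  # Owner, TTL and class are spelled out like every other record; without
  # them the line would be parsed with "CAA" as the owner name. Flag 128
  # marks the property critical.
  printf '@ %s IN CAA 128 issue "letsencrypt.org"\n' "$ttl"

  # TLSA -- TLS fingerprints for certs & chain
  # usage 2 (trust anchor) pins the intermediate from chain.pem, usage 3
  # (end entity) pins the leaf in cert.pem; both use SPKI / SHA-256 (1 1).
  # When a digest cannot be computed the record is skipped with a warning on
  # stderr rather than emitted as a half-written line.
  for i in _443._tcp _6697._tcp; do
    for spec in "2 chain.pem" "3 cert.pem"; do
      usage=${spec%% *}
      file=${spec#* }
      if digest=$(spki_sha256 "/etc/letsencrypt/live/{{ sslidentity }}/$file"); then
        printf '%s %s IN TLSA %s 1 1 %s\n' "$i" "$ttl" "$usage" "$digest"
      else
        printf 'warning: %s: skipping TLSA %s 1 1 for %s (cannot read %s)\n' \
          "$domain" "$usage" "$i" "$file" >&2
      fi
    done
  done

  # SSHFP -- SFTP/SSH fingerprints
  # ssh-keygen -r prints "<name> IN SSHFP <alg> <type> <hex>" per host key,
  # so "@ $ttl" as the name yields a complete record. Double quotes matter:
  # the single-quoted form emitted a literal "$ttl" into the zone.
  # Only take RSA (1) & Ed25519 (4) keys with SHA-256 (2) fingerprints.
  ssh-keygen -r "@ $ttl" | grep -E ' IN SSHFP [14] 2 '
done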
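# CNAME -- Add CNAMES for various subdomains
# Each rendered external_subdomains entry becomes
# "<sub> <ttl> IN CNAME <external_domain>." in padded columns. The target is
# quoted so the rendered value is never word-split or glob-expanded.
for sub in {{ external_subdomains }}; do
  printf '%-20s %-10s %-10s %-10s %s\n' "$sub" "$ttl" IN CNAME "{{ external_domain }}."
done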