Kapisi/roles/SSL/templates/record-generation.bash.j2

45 lines
1.7 KiB
Plaintext
Raw Normal View History

#!/bin/bash
ttl=86400
externalip="$(curl -s ident.me)"
for domain in {{ hosted_domains }} {{ external_domain }}; do
echo
# NS/MX/A -- basic orientation to the world for names, mail, and address
cat <<EOM
\$ORIGIN ${domain}.
@ $ttl IN SOA ns51.cloudns.net. support.cloudns.net. 2024040128 7200 1800 1209600 86400
@ $ttl IN NS ns51.cloudns.net.
@ $ttl IN NS ns52.cloudns.net.
@ $ttl IN NS ns53.cloudns.net.
@ $ttl IN NS ns54.cloudns.net.
@ $ttl IN MX 10 mailforward51.cloudns.net.
@ $ttl IN MX 10 mailforward52.cloudns.net.
@ $ttl IN A ${externalip}
EOM
# CAA -- who can issue certs for this domain
# https://letsencrypt.org/docs/caa/
echo 'CAA 128 issue "letsencrypt.org"'
# TLSA -- TLS fingerprints for certs & chain
for i in _443._tcp _6697._tcp; do
printf "$i $ttl IN ";
openssl x509 -in /etc/letsencrypt/live/{{ sslidentity }}/chain.pem -noout -pubkey 2>/dev/null | openssl rsa -pubin -outform DER 2>/dev/null | openssl dgst -sha256 -hex 2>/dev/null | awk '{print "TLSA 2 1 1", $NF}'
printf "$i $ttl IN ";
openssl x509 -in /etc/letsencrypt/live/{{ sslidentity }}/cert.pem -noout -pubkey 2>/dev/null | openssl rsa -pubin -outform DER 2>/dev/null | openssl dgst -sha256 -hex 2>/dev/null | awk '{print "TLSA 3 1 1", $NF}'
done
# SSHFP -- SFTP/SSH fingerprints
ssh-keygen -r '@ $ttl' | grep -E '4 2|1 2' # Only take RSA & Ed25519 keys
done
# CNAME -- Add CNAMES for various subdomains
for i in {{ external_subdomains }}; do
printf "%-20s %-10s %-10s %-10s %s\n" "$i" "$ttl" IN CNAME {{ external_domain }}.
done