AniNIX/Wiki#21 -- effecting renames for policy

2024-04-01 00:44:23 -05:00
parent 323b4dd306
commit 6f36d515e3
46 changed files with 509 additions and 368 deletions
--- a/roles/SSL/tasks/main.yml
+++ b/roles/SSL/tasks/main.yml
@@ -37,30 +37,20 @@
     group: http
     mode: 2755

- - name: Copy TLSA script
+ - name: Remove old TLSA script
+   become: yes
+   file:
+     path: /usr/local/sbin/tlsa-generation.bash
+     state: absent
+
+ - name: Copy record generator script
   become: yes
   template:
-     src: tlsa-generation.bash.j2
-     dest: /usr/local/sbin/tlsa-generation.bash
+     src: record-generation.bash.j2
+     dest: /usr/local/sbin/record-generation.bash
     owner: root
     group: root
     mode: 0700

- - name: Get proposed TLSA records
-   become: yes
-   command: /usr/local/sbin/tlsa-generation.bash
-   register: tlsa_records
-
- - name: Show proposed TLSA records
-   debug:
-     msg: "{{ tlsa_records.stdout_lines }}"
-
- - name: Get TLSA records
-   delegate_to: localhost
-   run_once: yes
-   command: "/bin/bash -c 'printf _443._tcp\\ ; dig _443._tcp.{{ external_domain }} TLSA +short; printf _6697._tcp\\ ; dig _6697._tcp.{{ external_domain }} TLSA +short'"
-   register: ext_tlsa_records
-
- - name: Show TLSA records
-   debug:
-     msg: "{{ ext_tlsa_records.stdout_lines }}"
+ - debug:
+     msg: 'Run `sudo /usr/local/sbin/record-generation.bash` to generate a zonefile for import into a DNS provider.'
--- a/roles/SSL/templates/record-generation.bash.j2
+++ b/roles/SSL/templates/record-generation.bash.j2
@@ -0,0 +1,44 @@
+#!/bin/bash
+
+ttl=86400
+
+externalip="$(curl -s ident.me)"
+
+for domain in {{ hosted_domains }} {{ external_domain }}; do
+
+    echo
+
+     # NS/MX/A -- basic orientation to the world for names, mail, and address
+     cat <<EOM
+\$ORIGIN ${domain}.
+@       $ttl   IN      SOA     ns51.cloudns.net. support.cloudns.net. 2024040128 7200 1800 1209600 86400
+@       $ttl   IN      NS      ns51.cloudns.net.
+@       $ttl   IN      NS      ns52.cloudns.net.
+@       $ttl   IN      NS      ns53.cloudns.net.
+@       $ttl   IN      NS      ns54.cloudns.net.
+@       $ttl   IN      MX      10 mailforward51.cloudns.net.
+@       $ttl   IN      MX      10 mailforward52.cloudns.net.
+@       $ttl   IN      A       ${externalip}
+EOM
+
+     # CAA -- who can issue certs for this domain
+     # https://letsencrypt.org/docs/caa/
+     echo 'CAA 128 issue "letsencrypt.org"'
+
+     # TLSA -- TLS fingerprints for certs & chain
+     for i in _443._tcp _6697._tcp; do
+         printf "$i   $ttl IN ";
+     openssl x509 -in /etc/letsencrypt/live/{{ sslidentity }}/chain.pem -noout -pubkey  2>/dev/null | openssl rsa -pubin -outform DER  2>/dev/null | openssl dgst -sha256 -hex 2>/dev/null | awk '{print "TLSA 2 1 1", $NF}'
+         printf "$i   $ttl IN ";
+     openssl x509 -in /etc/letsencrypt/live/{{ sslidentity }}/cert.pem -noout -pubkey 2>/dev/null | openssl rsa -pubin -outform DER 2>/dev/null  | openssl dgst -sha256 -hex 2>/dev/null | awk '{print "TLSA 3 1 1", $NF}'
+     done
+
+     # SSHFP -- SFTP/SSH fingerprints
+     ssh-keygen -r '@ $ttl' | grep -E '4 2|1 2' # Only take RSA & Ed25519 keys
+
+done
+
+# CNAME -- Add CNAMES for various subdomains
+for i in {{ external_subdomains }}; do
+     printf "%-20s %-10s %-10s %-10s %s\n" "$i" "$ttl" IN CNAME {{ external_domain }}.
+done
--- a/roles/SSL/templates/tlsa-generation.bash.j2
+++ b/roles/SSL/templates/tlsa-generation.bash.j2
@@ -1,4 +0,0 @@
-#!/bin/bash
-openssl x509 -in /etc/letsencrypt/live/{{ sslidentity }}/chain.pem -noout -pubkey | openssl rsa -pubin -outform DER | openssl dgst -sha256 -hex | awk '{print "le-ca TLSA 2 1 1", $NF}'
-openssl x509 -in /etc/letsencrypt/live/{{ sslidentity}}/cert.pem -noout -pubkey | openssl rsa -pubin -outform DER | openssl dgst -sha256 -hex | awk '{print "cert TLSA 3 1 1", $NF}'
-