From 68ef34c3c6a3065f26f8da52973e04e689a519fb Mon Sep 17 00:00:00 2001
From: DarkFeather
Date: Fri, 1 Jan 2021 12:45:34 -0600
Subject: [PATCH] Adding some SSL support scripts

---
 roles/SSL/files/manual-ssl-renew | 24 ++++++++++++++++++++++++
 roles/SSL/files/tlsa-generation.bash | 4 ++++
 2 files changed, 28 insertions(+)
 create mode 100755 roles/SSL/files/manual-ssl-renew
 create mode 100644 roles/SSL/files/tlsa-generation.bash

diff --git a/roles/SSL/files/manual-ssl-renew b/roles/SSL/files/manual-ssl-renew
new file mode 100755
index 0000000..a4dff94
--- /dev/null
+++ b/roles/SSL/files/manual-ssl-renew
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+if [ `whoami` != 'root' ]; then
+ sudo $0 $@
+ exit
+fi
+
+domain="$1"
+
+certbot certonly -d ${domain} -d "*.${domain}" --manual --force-interactive --reuse-key
+cat /etc/letsencrypt/live/${domain}/cert.pem /etc/letsencrypt/live/${domain}/privkey.pem > /etc/letsencrypt/live/${domain}/certkey.pem
+
+# PKCS12 for Emby
+echo | openssl pkcs12 -password stdin -export -out /etc/letsencrypt/live/${domain}/ssl.pfx -inkey /etc/letsencrypt/live/${domain}/privkey.pem -in /etc/letsencrypt/live/${domain}/cert.pem -certfile /etc/letsencrypt/live/${domain}/fullchain.pem
+cat /etc/letsencrypt/live/${domain}/ssl.pfx > /var/lib/emby/ssl/yggdrasil.pfx
+
+systemctl restart webserver
+systemctl restart yggdrasil
+
+echo
+echo "Don't forget to send \`/raw reloadmodule m_ssl_openssl.so\` to a NetAdmin session on AniNIX/IRC"
+echo Add these to the TLSA records for the domain
+
+bash ./tlsa-generation.bash
diff --git a/roles/SSL/files/tlsa-generation.bash b/roles/SSL/files/tlsa-generation.bash
new file mode 100644
index 0000000..3bed2ee
--- /dev/null
+++ b/roles/SSL/files/tlsa-generation.bash
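Review bot: The private key is written to new files under the process's default umask: the `cat ... privkey.pem > .../certkey.pem` line and both `.pfx` redirections create files at whatever the umask allows (commonly 0644), and the PKCS12 is exported with an empty password via `echo | openssl pkcs12 -password stdin`, so unless the target directories already restrict access the key material becomes readable by any local user. Put `umask 077` before those redirections (or copy with `install -m 600`) and add `set -euo pipefail` at the top so a failed or aborted `certbot` run does not fall through to the concatenation, the export and the two `systemctl restart` calls. `domain="$1"` is never validated and is expanded unquoted into every `/etc/letsencrypt/live/${domain}/...` path while running as root, so a value containing spaces or `..` segments changes which files are read and overwritten; check it against a hostname pattern and quote it. The re-exec should be `exec sudo -- "$0" "$@"` rather than `sudo $0 $@` followed by a bare `exit`, which word-splits the arguments and discards the child's exit status. `bash ./tlsa-generation.bash` is resolved against the caller's current directory, not the script's own directory.
```bash
#!/bin/bash
set -euo pipefail

if [[ "$(id -u)" -ne 0 ]]; then
  exec sudo -- "$0" "$@"
fi

domain="${1:?usage: ${0##*/} DOMAIN}"
# The value is spliced into root-owned paths below; accept only a plain hostname.
if [[ ! "$domain" =~ ^[A-Za-z0-9.-]+$ || "$domain" == *..* ]]; then
  printf 'invalid domain: %s\n' "$domain" >&2
  exit 2
fi
live="/etc/letsencrypt/live/${domain}"

# Files created below contain the private key; keep them owner-only.
umask 077

certbot certonly -d "${domain}" -d "*.${domain}" --manual --force-interactive --reuse-key
cat "${live}/cert.pem" "${live}/privkey.pem" > "${live}/certkey.pem"

# … unchanged: PKCS12 export and Emby copy, with "${live}" in place of the literal path …
# … unchanged: service restarts and operator reminders …

bash "$(dirname -- "$0")/tlsa-generation.bash"
```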
@@ -0,0 +1,4 @@
+#!/bin/bash
+openssl x509 -in /etc/letsencrypt/live/aninix.net/chain.pem -noout -pubkey | openssl rsa -pubin -outform DER | openssl dgst -sha256 -hex | awk '{print "le-ca TLSA 2 1 1", $NF}'
+openssl x509 -in /etc/letsencrypt/live/aninix.net/cert.pem -noout -pubkey | openssl rsa -pubin -outform DER | openssl dgst -sha256 -hex | awk '{print "cert TLSA 3 1 1", $NF}'
+
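Review bot: Both pipelines emit a plausible-looking record even when the certificate cannot be read: without `set -o pipefail` a failing `openssl x509` leaves `openssl dgst` hashing empty input, so the script prints `le-ca TLSA 2 1 1 <sha256 of nothing>` and exits 0, and that digest could be copied straight into DNS. Add `set -euo pipefail` at the top of the file. The domain is hard-coded as `aninix.net` although the renew script that invokes this one takes the domain as `$1` and passes nothing on, so renewing any other domain prints hashes for the wrong certificate; take it from `${1:?}` and have the caller pass `"$domain"`. `openssl rsa -pubin` only accepts RSA keys; `openssl pkey -pubin -outform DER` yields the same SubjectPublicKeyInfo DER and also works for ECDSA certificates, which matters because selector 1 in these records hashes the SPKI.
```bash
#!/bin/bash
set -euo pipefail

domain="${1:?usage: ${0##*/} DOMAIN}"
live="/etc/letsencrypt/live/${domain}"

# SHA-256 hex of the SubjectPublicKeyInfo of the first certificate in a PEM file.
spki_sha256() {
  openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -hex \
    | awk '{print $NF}'
}

printf 'le-ca TLSA 2 1 1 %s\n' "$(spki_sha256 "${live}/chain.pem")"
printf 'cert TLSA 3 1 1 %s\n' "$(spki_sha256 "${live}/cert.pem")"
```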