From af049e743192e0489a3ffeb4ed9fca6f88734a6e Mon Sep 17 00:00:00 2001 From: Soubinan Date: Thu, 16 Jan 2025 20:42:56 -0500 Subject: [PATCH 01/12] update omada.yml: use inline content for data.json --- assets/omada-post-data.json | 23 ----------------------- templates/omada.yml | 27 +++++++++++++++++++++++++-- 2 files changed, 25 insertions(+), 25 deletions(-) delete mode 100644 assets/omada-post-data.json diff --git a/assets/omada-post-data.json b/assets/omada-post-data.json deleted file mode 100644 index 1223b57..0000000 --- a/assets/omada-post-data.json +++ /dev/null @@ -1,23 +0,0 @@ -{ - "pageIndex": 0, - "pageSize": 1, - "sortField": "", - "sortOrder": "DESC", - "keyword": ".deb", - "siteId": 1, - "siteCode": "en", - "resourceType": "download", - "typeIdList": [], - "documentResourceTypeIdList": [], - "downloadsResourceTypeIdList": [], - "bulletinsResourceTypeIdList": [], - "documentTagIdList": [], - "downloadTagIdList": [], - "bulletinsTagIdList": [], - "communityCategories": [], - "communityTagNames": [], - "suitableModelList": [ - "Omada Software Controller", - "Omada Software Controller V5" - ] -} \ No newline at end of file diff --git a/templates/omada.yml b/templates/omada.yml index 735782d..0188220 100644 --- a/templates/omada.yml +++ b/templates/omada.yml 
@@ -11,8 +11,31 @@ metadata: instructions: files: - path: /var/omada/data.json - generator: copy - source: assets/omada-post-data.json + generator: dump + content: |- + { + "pageIndex": 0, + "pageSize": 1, + "sortField": "", + "sortOrder": "DESC", + "keyword": ".deb", + "siteId": 1, + "siteCode": "en", + "resourceType": "download", + "typeIdList": [], + "documentResourceTypeIdList": [], + "downloadsResourceTypeIdList": [], + "bulletinsResourceTypeIdList": [], + "documentTagIdList": [], + "downloadTagIdList": [], + "bulletinsTagIdList": [], + "communityCategories": [], + "communityTagNames": [], + "suitableModelList": [ + "Omada Software Controller", + "Omada Software Controller V5" + ] + } packages: - jq From d83f371f7338716c573959f3d51166066d4f189e Mon Sep 17 00:00:00 2001 From: Soubinan Date: Thu, 16 Jan 2025 22:03:55 -0500 Subject: [PATCH 02/12] improve self-signed cert creation method --- templates/keycloak.yml | 30 +++++++++++++++--------------- templates/matomo.yml | 19 ++++++++++++++----- templates/nextcloud.yml | 11 ++++++++--- 3 files changed, 37 insertions(+), 23 deletions(-) diff --git a/templates/keycloak.yml b/templates/keycloak.yml index 633850d..10e976e 100644 --- a/templates/keycloak.yml +++ b/templates/keycloak.yml @@ -62,17 +62,13 @@ instructions: [Install] WantedBy=multi-user.target - - path: /opt/certs/rootCA.config + - path: /opt/certs/ca.cnf generator: copy - source: assets/rootCA.config + source: assets/certificates/ca.cnf - - path: /opt/certs/csr.config + - path: /opt/certs/server.cnf generator: copy - source: assets/csr.config - - - path: /opt/certs/crt.config - generator: copy - source: assets/crt.config + source: assets/certificates/server.cnf packages: - openjdk-17-jre 
@@ -85,20 +81,24 @@ instructions: #!/bin/bash set -eux - mkdir -p /opt/keycloak + touch /opt/certs/index.txt + echo '01' > /opt/certs/serial.txt + cd /opt/certs + openssl req -x509 -config ca.cnf -newkey rsa:4096 -sha256 -nodes -out cacert.pem -outform PEM + openssl req -config server.cnf -newkey rsa:2048 -sha256 -nodes -out Keycloak.csr -outform PEM + openssl ca -batch -config ca.cnf -policy signing_policy -extensions signing_req -out Keycloak.crt -infiles Keycloak.csr - openssl req -x509 -newkey rsa:4096 -keyout /opt/certs/rootCA.key -out /opt/certs/rootCA.crt -sha256 -days 3650 -nodes -config /opt/certs/rootCA.config - openssl genrsa -out /etc/ssl/private/keycloak.key 2048 - openssl req -new -key /etc/ssl/private/keycloak.key -out /etc/ssl/private/keycloak.csr -config /opt/certs/csr.config - openssl x509 -req -in /etc/ssl/private/keycloak.csr -CA /opt/certs/rootCA.crt -CAkey /opt/certs/rootCA.key -CAcreateserial -out /etc/ssl/private/keycloak.crt -days 1825 -sha256 -extfile /opt/certs/crt.config + + mkdir -p /opt/keycloak + cd /opt/keycloak wget -O /tmp/keycloak.tar.gz https://github.com/keycloak/keycloak/releases/download/{{image.serial}}/keycloak-{{image.serial}}.tar.gz tar -xvf /tmp/keycloak.tar.gz -C /tmp && cp -r /tmp/keycloak-{{image.serial}}/* /opt/keycloak/ cat < /opt/keycloak/conf/keycloak.conf hostname=0.0.0.0 - https-certificate-file=/etc/ssl/private/keycloak.crt - https-certificate-key-file=/etc/ssl/private/keycloak.key + https-certificate-file=/opt/certs/keycloak.crt + https-certificate-key-file=/opt/certs/server.key EOF export JAVA_HOME=/usr/lib/jvm/java-17-openjdk-amd64 diff --git a/templates/matomo.yml b/templates/matomo.yml index 4ade34a..44d1cc7 100644 --- a/templates/matomo.yml +++ b/templates/matomo.yml 
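Review bot: The new `openssl req -x509 -config ca.cnf …` line no longer carries the `-days 3650` that the removed command had, and `default_days` in ca.cnf is only consulted by `openssl ca`, so the self-signed CA certificate is issued for OpenSSL's 30-day default while the server certificate it signs is valid for ten years; add `-days 3650` to that line. The same sequence is introduced in matomo.yml, nextcloud.yml, vault.yml, vault-unsealed.yml and zitadel.yml in this series. The CA signing key is also left in the image as `/opt/certs/cakey.pem` (ca.cnf's `default_keyfile`, relative to the `cd /opt/certs`) although nothing needs it once `openssl ca` has run; removing it right after the signing step, `rm -f /opt/certs/cakey.pem`, keeps a leaked image from minting further certificates trusted by anyone who imports cacert.pem. The enclosing `action:` script continues past the end of this hunk.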
@@ -10,9 +10,13 @@ metadata: - amd64 instructions: files: - - path: /opt/certs/rootCA.config + - path: /opt/certs/ca.cnf generator: copy - source: assets/rootCA.config + source: assets/certificates/ca.cnf + + - path: /opt/certs/server.cnf + generator: copy + source: assets/certificates/server.cnf - path: /opt/ssl.conf generator: dump @@ -23,8 +27,8 @@ instructions: ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined SSLEngine on - SSLCertificateFile /etc/ssl/certs/rootCA.crt - SSLCertificateKeyFile /etc/ssl/private/rootCA.key + SSLCertificateFile /opt/certs/matomo.crt + SSLCertificateKeyFile /opt/certs/server.key SSLOptions +StdEnvVars @@ -107,7 +111,12 @@ instructions: #!/bin/bash set -eux - openssl req -x509 -newkey rsa:4096 -keyout /etc/ssl/private/rootCA.key -out /etc/ssl/certs/rootCA.crt -sha256 -days 3650 -nodes -config /opt/certs/rootCA.config + touch /opt/certs/index.txt + echo '01' > /opt/certs/serial.txt + cd /opt/certs + openssl req -x509 -config ca.cnf -newkey rsa:4096 -sha256 -nodes -out cacert.pem -outform PEM + openssl req -config server.cnf -newkey rsa:2048 -sha256 -nodes -out matomo.csr -outform PEM + openssl ca -batch -config ca.cnf -policy signing_policy -extensions signing_req -out matomo.crt -infiles matomo.csr wget -O /tmp/matomo.zip https://builds.matomo.org/matomo-{{image.serial}}.zip unzip /tmp/matomo.zip -d /tmp diff --git a/templates/nextcloud.yml b/templates/nextcloud.yml index bbf83ff..066ae12 100644 --- a/templates/nextcloud.yml +++ b/templates/nextcloud.yml @@ -26,8 +26,8 @@ instructions: CustomLog ${APACHE_LOG_DIR}/access.log combined SSLEngine on - SSLCertificateFile /etc/ssl/certs/rootCA.crt - SSLCertificateKeyFile /etc/ssl/private/rootCA.key + SSLCertificateFile /opt/certs/nextcould.crt + SSLCertificateKeyFile /opt/certs/server.key SSLOptions +StdEnvVars 
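Review bot: `SSLCertificateFile /opt/certs/nextcould.crt` in nextcloud.yml's ssl.conf misspells the file that the post-files script in the next hunk writes as `nextcloud.crt`, so Apache will not find the certificate once the new paths are in use; the line should read `SSLCertificateFile /opt/certs/nextcloud.crt`. Patch 10 edits nextcloud.yml again without touching this line, so the typo survives the series. The matomo hunks on this line make the equivalent change with consistent names.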
@@ -131,7 +131,12 @@ instructions: #!/bin/bash set -eux - openssl req -x509 -newkey rsa:4096 -keyout /etc/ssl/private/rootCA.key -out /etc/ssl/certs/rootCA.crt -sha256 -days 3650 -nodes -config /opt/certs/rootCA.config + touch /opt/certs/index.txt + echo '01' > /opt/certs/serial.txt + cd /opt/certs + openssl req -x509 -config ca.cnf -newkey rsa:4096 -sha256 -nodes -out cacert.pem -outform PEM + openssl req -config server.cnf -newkey rsa:2048 -sha256 -nodes -out nextcloud.csr -outform PEM + openssl ca -batch -config ca.cnf -policy signing_policy -extensions signing_req -out nextcloud.crt -infiles nextcloud.csr wget -O /tmp/nextcloud.zip https://download.nextcloud.com/server/releases/nextcloud-{{image.serial}}.zip unzip /tmp/nextcloud.zip -d /tmp From 741c51cac965dab187453e97027a52331759e85d Mon Sep 17 00:00:00 2001 From: Soubinan Date: Thu, 16 Jan 2025 22:04:33 -0500 Subject: [PATCH 03/12] improve vault template: configuration fixes --- templates/vault.yml | 89 +++++++++++++++++++++++++++++++++------------ 1 file changed, 65 insertions(+), 24 deletions(-) diff --git a/templates/vault.yml b/templates/vault.yml index 4198b4e..667ac27 100644 --- a/templates/vault.yml +++ b/templates/vault.yml 
@@ -10,35 +10,41 @@ metadata: - amd64 instructions: files: - - path: /opt/certs/rootCA.config + - path: /opt/certs/ca.cnf generator: copy - source: assets/rootCA.config + source: assets/certificates/ca.cnf - - path: /opt/certs/csr.config + - path: /opt/certs/server.cnf generator: copy - source: assets/csr.config + source: assets/certificates/server.cnf - - path: /opt/certs/crt.config - generator: copy - source: assets/crt.config + - path: /etc/vault.d/vault.env + generator: dump + content: |- + VAULT_ADDR=https://127.0.0.1:8200 + VAULT_SKIP_VERIFY=true + VAULT_CAPATH=/opt/certs/ca/cacert.pem + + - path: /etc/environment + generator: dump + content: |- + VAULT_CAPATH=/opt/certs/ca/cacert.pem - - path: /opt/vault/.config + - path: /etc/vault.d/vault.hcl generator: dump content: |- ui = true - cluster_addr = "https://127.0.0.1:8201" api_addr = "https://127.0.0.1:8200" disable_mlock = true - storage "raft" { + storage "file" { path = "/opt/vault/data" - node_id = "vault01" } listener "tcp" { address = "0.0.0.0:8200" - tls_cert_file = "/etc/ssl/private/vault.crt" - tls_key_file = "/etc/ssl/private/vault.key" + tls_cert_file = "/opt/certs/vault.crt" + tls_key_file = "/opt/certs/server.key" } - path: /etc/systemd/system/vault.service 
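Review bot: `VAULT_CAPATH=/opt/certs/ca/cacert.pem` names a file, but Vault's `VAULT_CAPATH` expects a directory of CA certificates; a single PEM file belongs in `VAULT_CACERT`. That mismatch is presumably why `VAULT_SKIP_VERIFY=true` sits next to it, and the skip turns off certificate verification for every CLI call that loads this file, so the fix should be `VAULT_CACERT=/opt/certs/cacert.pem` together with dropping the skip line (patch 07 corrects the path but keeps `VAULT_CAPATH` and the skip). In vault.hcl, `disable_mlock = true` combined with the new `storage "file"` backend lets Vault's memory be swapped out, while the unit in the next hunk grants `CAP_IPC_LOCK` and `LimitMEMLOCK=infinity` precisely so that mlock can stay enabled; HashiCorp only recommends disabling mlock for integrated (raft) storage, which this hunk removes, so `disable_mlock = false` is the consistent setting here.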
@@ -46,14 +52,39 @@ instructions: mode: "0440" content: |- [Unit] - Description=Vault - Secret management - After=network.target + Description="HashiCorp Vault - A tool for managing secrets" + Documentation=https://developer.hashicorp.com/vault/docs + Requires=network-online.target + After=network-online.target + ConditionFileNotEmpty=/etc/vault.d/vault.hcl [Service] - Type=simple + Type=notify + EnvironmentFile=/etc/vault.d/vault.env + User=vault + Group=vault + ProtectSystem=full + ProtectHome=read-only + PrivateTmp=yes + PrivateDevices=yes + SecureBits=keep-caps + AmbientCapabilities=CAP_IPC_LOCK + CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK + NoNewPrivileges=yes PIDFile=/opt/vault/vault.pid - ExecStart=/usr/bin/vault server -config /opt/vault/.config - Restart=always + ExecStart=/usr/bin/vault server -config /etc/vault.d/vault.hcl + ExecReload=/bin/kill --signal HUP $MAINPID + KillMode=process + KillSignal=SIGINT + Restart=on-failure + RestartSec=5 + TimeoutStopSec=30 + StartLimitInterval=60 + StartLimitIntervalSec=60 + StartLimitBurst=3 + LimitNOFILE=65536 + LimitMEMLOCK=infinity + LimitCORE=0 [Install] WantedBy=multi-user.target 
@@ -65,15 +96,25 @@ instructions: #!/bin/bash set -eux + echo "vm.swappiness = 0" >> /etc/sysctl.conf + sysctl -p + + useradd vault + usermod -aG vault vault + wget -O- https://apt.releases.hashicorp.com/gpg | gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com {{image.release}} main" | tee /etc/apt/sources.list.d/hashicorp.list - apt-get update && apt-get install vault + apt-get update + echo N|apt-get install -y vault - mkdir -p /opt/vault/data + mkdir /var/vault + chown vault:vault -R /opt/vault /var/vault - openssl req -x509 -newkey rsa:4096 -keyout /opt/certs/rootCA.key -out /opt/certs/rootCA.crt -sha256 -days 3650 -nodes -config /opt/certs/rootCA.config - openssl genrsa -out /etc/ssl/private/vault.key 2048 - openssl req -new -key /etc/ssl/private/vault.key -out /etc/ssl/private/vault.csr -config /opt/certs/csr.config - openssl x509 -req -in /etc/ssl/private/vault.csr -CA /opt/certs/rootCA.crt -CAkey /opt/certs/rootCA.key -CAcreateserial -out /etc/ssl/private/vault.crt -days 1825 -sha256 -extfile /opt/certs/crt.config + touch /opt/certs/index.txt + echo '01' > /opt/certs/serial.txt + cd /opt/certs + openssl req -x509 -config ca.cnf -newkey rsa:4096 -sha256 -nodes -out cacert.pem -outform PEM + openssl req -config server.cnf -newkey rsa:2048 -sha256 -nodes -out vault.csr -outform PEM + openssl ca -batch -config ca.cnf -policy signing_policy -extensions signing_req -out vault.crt -infiles vault.csr systemctl enable vault.service From 669be585166122fdb6b0c184532a754a65e7d066 Mon Sep 17 00:00:00 2001 From: Soubinan Date: Thu, 16 Jan 2025 22:07:04 -0500 Subject: [PATCH 04/12] Add Vault unsealed version --- templates/vault-unsealed.yml | 211 +++++++++++++++++++++++++++++++++++ 1 file changed, 211 insertions(+) create mode 100644 templates/vault-unsealed.yml 
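Review bot: `useradd vault` creates a regular login account, with a home directory under /home and an interactive shell, for what is a service user; `useradd --system --home-dir /opt/vault --shell /usr/sbin/nologin vault` is the least-privilege form, and the following `usermod -aG vault vault` is a no-op because `vault` is already that account's primary group. The HashiCorp package may create the `vault` user in its own postinst — worth confirming, since a pre-existing account with different attributes is then kept as is. The `wget … | gpg --dearmor` step trusts whatever key the download delivers; comparing the keyring's fingerprint with the value HashiCorp publishes (`gpg --no-default-keyring --keyring /usr/share/keyrings/hashicorp-archive-keyring.gpg --fingerprint`, checked against `<published fingerprint>`) would pin the repository's trust root instead. The remainder of the script runs past this hunk.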
diff --git a/templates/vault-unsealed.yml b/templates/vault-unsealed.yml
new file mode 100644
index 0000000..3cdb992
--- /dev/null
+++ b/templates/vault-unsealed.yml
@@ -0,0 +1,211 @@
+metadata:
+ name: Vault-Unsealed
+ get_version_command: curl -s https://api.github.com/repos/hashicorp/vault/releases/latest | jq -r '.tag_name'
+ description: Vault is a free and source-available secrets management tool / secrets store.
+ categories: Secrets management, Security
+ project_source: https://github.com/hashicorp/vault
+ distribution: debian
+ release: bookworm
+ architectures:
+ - amd64
+instructions:
+ files:
+ - path: /opt/certs/ca.cnf
+ generator: copy
+ source: assets/certificates/ca.cnf
+
+ - path: /opt/certs/server.cnf
+ generator: copy
+ source: assets/certificates/server.cnf
+
+ - path: /opt/vault/init.sh
+ generator: dump
+ mode: "0755"
+ content: |-
+ #!/bin/bash
+
+ vault operator init > /var/vault/init.output
+ cat /var/vault/init.output | grep -E 'Initial Root Token:' | awk '{print $4}' > /var/vault/keys
+ cat /var/vault/init.output | grep -E 'Unseal Key' | awk '{print $4}' > /var/vault/token
+
+ - path: /opt/vault/unseal.sh
+ generator: dump
+ mode: "0755"
+ content: |-
+ #!/bin/bash
+
+ i=0
+ required_keys_nb=3
+ path=${1:-'/var/vault/keys'}
+ numbers=(1 2 3 4 5)
+ selected_numbers=(0)
+ selected_keys=()
+
+ select_key() {
+ while [[ "$i" -lt "$required_keys_nb" ]]; do
+ local random_number=0
+
+ while [[ "${selected_numbers[*]}" =~ "$random_number" ]]; do
+ index=$((RANDOM % ${#numbers[@]}))
+ random_number=${numbers[$index]}
+ done
+
+ selected_numbers+=($random_number)
+ numbers=(${numbers[@]/$random_number/})
+ selected_keys+=($(sed -n "${random_number}p" $path))
+
+ ((i++))
+ done
+
+ echo ${selected_keys[@]}
+ }
+
+ keys=$(select_key)
+
+ vault operator unseal "$(echo $keys| awk '{print $1}')"
+ vault operator unseal "$(echo $keys| awk '{print $2}')"
+ vault operator unseal "$(echo $keys| awk '{print $3}')"
+
+ - path: /etc/vault.d/vault.env
+ generator: dump
+ content: |-
+ VAULT_ADDR=https://127.0.0.1:8200
+ VAULT_SKIP_VERIFY=true
+ VAULT_CAPATH=/opt/certs/ca/cacert.pem
+
+ - path: /etc/environment
+ generator: dump
+ content: |-
+ VAULT_CAPATH=/opt/certs/ca/cacert.pem
+
+ - path: /etc/vault.d/vault.hcl
+ generator: dump
+ content: |-
+ ui = true
+ api_addr = "https://127.0.0.1:8200"
+ disable_mlock = true
+
+ storage "file" {
+ path = "/opt/vault/data"
+ }
+
+ listener "tcp" {
+ address = "0.0.0.0:8200"
+ tls_cert_file = "/opt/certs/vault.crt"
+ tls_key_file = "/opt/certs/server.key"
+ }
+
+ - path: /etc/systemd/system/vault-init.service
+ generator: dump
+ mode: "0440"
+ content: |-
+ [Unit]
+ Description="HashiCorp Vault - Init daemon"
+ Requires=network-online.target
+ After=network-online.target
+ ConditionPathExists=!/var/vault/.initialized__
+
+ [Service]
+ Type=oneshot
+ EnvironmentFile=/etc/vault.d/vault.env
+ RemainAfterExit=yes
+ WorkingDirectory=/opt/vault
+ User=vault
+ ExecStart=/opt/vault/init.sh
+ ExecStart=/usr/bin/touch /var/vault/.initialized__
+
+ [Install]
+ WantedBy=multi-user.target
+
+ - path: /etc/systemd/system/vault-unseal.service
+ generator: dump
+ mode: "0440"
+ content: |-
+ [Unit]
+ Description="HashiCorp Vault - Unseal daemon"
+ Requires=network-online.target
+ After=network-online.target
+ ConditionPathExists=/var/vault/.initialized__
+
+ [Service]
+ Type=oneshot
+ EnvironmentFile=/etc/vault.d/vault.env
+ RemainAfterExit=yes
+ WorkingDirectory=/opt/vault
+ User=vault
+ ExecStart=/opt/vault/unseal.sh
+
+ [Install]
+ WantedBy=multi-user.target
+
+ - path: /etc/systemd/system/vault.service
+ generator: dump
+ mode: "0440"
+ content: |-
+ [Unit]
+ Description="HashiCorp Vault - A tool for managing secrets"
+ Documentation=https://developer.hashicorp.com/vault/docs
+ Requires=network-online.target vault-unseal.service
+ After=network-online.target
+ ConditionFileNotEmpty=/etc/vault.d/vault.hcl
+
+ [Service]
+ Type=notify
+ EnvironmentFile=/etc/vault.d/vault.env
+ User=vault
+ Group=vault
+ ProtectSystem=full
+ ProtectHome=read-only
+ PrivateTmp=yes
+ PrivateDevices=yes
+ SecureBits=keep-caps
+ AmbientCapabilities=CAP_IPC_LOCK
+ CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
+ NoNewPrivileges=yes
+ PIDFile=/opt/vault/vault.pid
+ ExecStart=/usr/bin/vault server -config /etc/vault.d/vault.hcl
+ ExecReload=/bin/kill --signal HUP $MAINPID
+ KillMode=process
+ KillSignal=SIGINT
+ Restart=on-failure
+ RestartSec=5
+ TimeoutStopSec=30
+ StartLimitInterval=60
+ StartLimitIntervalSec=60
+ StartLimitBurst=3
+ LimitNOFILE=65536
+ LimitMEMLOCK=infinity
+ LimitCORE=0
+
+ [Install]
+ WantedBy=multi-user.target
+
+ actions:
+ - trigger: post-files
+ pongo: true
+ action: |-
+ #!/bin/bash
+ set -eux
+
+ echo "vm.swappiness = 0" >> /etc/sysctl.conf
+ sysctl -p
+
+ useradd vault
+ usermod -aG vault vault
+
+ wget -O- https://apt.releases.hashicorp.com/gpg | gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
+ echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com {{image.release}} main" | tee /etc/apt/sources.list.d/hashicorp.list
+ apt-get update
+ echo N|apt-get install -y vault
+
+ mkdir /var/vault
+ chown vault:vault -R /opt/vault /var/vault
+
+ touch /opt/certs/index.txt
+ echo '01' > /opt/certs/serial.txt
+ cd /opt/certs
+ openssl req -x509 -config ca.cnf -newkey rsa:4096 -sha256 -nodes -out cacert.pem -outform PEM
+ openssl req -config server.cnf -newkey rsa:2048 -sha256 -nodes -out vault.csr -outform PEM
+ openssl ca -batch -config ca.cnf -policy signing_policy -extensions signing_req -out vault.crt -infiles vault.csr
+
+ systemctl enable vault.service
From 2c6c62eab6259862f4cbba14a182ed7968a4dcfa Mon Sep 17 00:00:00 2001
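Review bot: The unseal design stores everything the seal protects next to the data it protects: `init.sh` writes the full `vault operator init` output, the root token and all five unseal keys to plaintext files under /var/vault on the same host as `/opt/vault/data`, and `unseal.sh` feeds three of them back at boot, so the seal gives no protection against anyone who can read the filesystem and the random 3-of-5 selection adds nothing. If unattended unsealing is required, Vault's auto-unseal (a `seal` stanza backed by an external KMS or a transit Vault) keeps the key material off the host; short of that, the script should at least create the files closed (`umask 077` before the redirections, owner vault), delete `init.output`, and not persist the root token, which is only needed for initial bootstrap and should be revoked afterwards. Note that in this version the redirections are swapped — the root token goes to `/var/vault/keys` and the unseal keys to `/var/vault/token` (patch 08 corrects this). A header comment in the template stating this threat model, that the image is only as confidential as its filesystem, would at least make the trade-off explicit to users.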
From: Soubinan Date: Thu, 16 Jan 2025 22:07:44 -0500 Subject: [PATCH 05/12] Add new assets (certificates configs) --- assets/certificates/ca.cnf | 60 ++++++++++++++++++++++++++++++++++ assets/certificates/server.cnf | 27 +++++++++++++++ assets/crt.config | 3 -- assets/csr.config | 18 ---------- assets/rootCA.config | 15 --------- 5 files changed, 87 insertions(+), 36 deletions(-) create mode 100644 assets/certificates/ca.cnf create mode 100644 assets/certificates/server.cnf delete mode 100644 assets/crt.config delete mode 100644 assets/csr.config delete mode 100644 assets/rootCA.config diff --git a/assets/certificates/ca.cnf b/assets/certificates/ca.cnf new file mode 100644 index 0000000..23d26ec --- /dev/null +++ b/assets/certificates/ca.cnf 
@@ -0,0 +1,60 @@
+[ ca ]
+default_ca = CA_default
+
+[ CA_default ]
+default_days = 3650
+default_crl_days = 90
+default_md = sha256
+preserve = no
+x509_extensions = ca_extensions
+email_in_dn = no
+copy_extensions = copy
+base_dir = /opt/certs
+certificate = $base_dir/cacert.pem
+private_key = $base_dir/cakey.pem
+certs = $base_dir
+new_certs_dir = $base_dir
+database = $base_dir/index.txt
+serial = $base_dir/serial.txt
+RANDFILE = $base_dir/.rand
+policy = signing_policy
+unique_subject = no
+
+[ req ]
+default_bits = 4096
+default_keyfile = cakey.pem
+distinguished_name = ca_distinguished_name
+x509_extensions = ca_extensions
+string_mask = utf8only
+prompt = no
+req_extensions = signing_req
+
+[ ca_distinguished_name ]
+countryName = CA
+stateOrProvinceName = Quebec
+localityName = Montreal
+organizationName = SoubiLabs
+organizationalUnitName = LXC BUILDER
+commonName = lxc-images.soubilabs.xyz
+emailAddress = lxc-images@soubiLabs.xyz
+
+[ ca_extensions ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always, issuer
+basicConstraints = critical, CA:true
+keyUsage = keyCertSign, cRLSign
+
+[ signing_policy ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ signing_req ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+basicConstraints = CA:FALSE
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
diff --git a/assets/certificates/server.cnf b/assets/certificates/server.cnf
new file mode 100644
index 0000000..fec7fcf
--- /dev/null
+++ b/assets/certificates/server.cnf
@@ -0,0 +1,27 @@
+RANDFILE = /opt/certs/.rand
+
+[ req ]
+default_bits = 2048
+default_keyfile = /opt/certs/server.key
+distinguished_name = server_distinguished_name
+req_extensions = server_req_extensions
+string_mask = utf8only
+prompt = no
+
+[ server_distinguished_name ]
+countryName = CA
+stateOrProvinceName = Quebec
+localityName = Montreal
+organizationName = SoubiLabs
+organizationalUnitName = LXC-Images
+commonName = localhost
+
+[ server_req_extensions ]
+subjectKeyIdentifier = hash
+basicConstraints = CA:FALSE
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
+subjectAltName = @alternate_names
+nsComment = "OpenSSL Generated Certificate"
+
+[ alternate_names ]
+IP.1 = 127.0.0.1
\ No newline at end of file
diff --git a/assets/crt.config b/assets/crt.config
deleted file mode 100644
index b396026..0000000
--- a/assets/crt.config
+++ /dev/null
@@ -1,3 +0,0 @@
-authorityKeyIdentifier = keyid,issuer
-basicConstraints = CA:FALSE
-keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
diff --git a/assets/csr.config b/assets/csr.config
deleted file mode 100644
index 2955d00..0000000
--- a/assets/csr.config
+++ /dev/null
@@ -1,18 +0,0 @@
-[ req ]
-default_bits = 2048
-prompt = no
-default_md = sha256
-req_extensions = req_ext
-distinguished_name = dn
-
-[ dn ]
-C = CA
-ST = Quebec
-L = Montreal
-O = SoubiLabs
-OU = LXC-Images
-CN = localhost
-
-[ req_ext ]
-
-[ alt_names ]
diff --git a/assets/rootCA.config b/assets/rootCA.config
deleted file mode 100644
index 2a2f77f..0000000
--- a/assets/rootCA.config
+++ /dev/null
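Review bot: `default_keyfile = cakey.pem` in `[ req ]` is relative to the working directory while `[ CA_default ]` reads `private_key = $base_dir/cakey.pem`, so the key `openssl req -x509` writes and the key `openssl ca` reads only coincide because every caller does `cd /opt/certs` first; defining `base_dir = /opt/certs` in the unnamed default section at the top of the file lets `[ req ]` use `default_keyfile = $base_dir/cakey.pem` as well and removes that dependency. `default_days = 3650` applies to `openssl ca` only, so the CA certificate produced by `openssl req -x509` still needs an explicit `-days` on the command line — a comment next to `default_days` saying so would stop the next reader from relying on it. `[ signing_req ]` could also carry `extendedKeyUsage = serverAuth`, the conventional EKU for TLS server certificates, since that is what every template uses these certificates for.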
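Review bot: `[ alternate_names ]` lists only `IP.1 = 127.0.0.1`; once a SAN extension is present, clients ignore `commonName = localhost`, so connecting to `https://localhost:<port>` fails hostname verification even with `cacert.pem` trusted — add `DNS.1 = localhost`. Because every template copies this one file, an image whose clients connect by the container's name would need its own entry or a per-template override; a short comment at the top of the file documenting that the SAN list is the only thing validators check would make that clear. The shared `default_keyfile = /opt/certs/server.key` places the server key in the same directory as the CA key, which matters for the later `chown -R` in the vault templates.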
@@ -1,15 +0,0 @@ -[ req ] -default_md = sha256 -prompt = no -req_extensions = req_ext -distinguished_name = req_distinguished_name - -[ req_distinguished_name ] -countryName = CA -stateOrProvinceName = Quebec -localityName = Montreal -organizationName = SoubiLabs - -[ req_ext ] -keyUsage=critical,digitalSignature,keyEncipherment -extendedKeyUsage=critical,serverAuth,clientAuth \ No newline at end of file From 6d4d003d929615a27157eceebbc733f58c68b927 Mon Sep 17 00:00:00 2001 From: Soubinan Date: Thu, 16 Jan 2025 22:18:15 -0500 Subject: [PATCH 06/12] Use artifacts on PRs --- .github/workflows/builder.yml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/.github/workflows/builder.yml b/.github/workflows/builder.yml index 3a71af1..fb727a7 100644 --- a/.github/workflows/builder.yml +++ b/.github/workflows/builder.yml @@ -108,6 +108,17 @@ jobs: echo "ARTIFACT_SIZE=$(du -sh ./${{needs.init.outputs.app_name}}-${{needs.init.outputs.app_version}}-${{matrix.architectures}}-root.tar.xz | cut -f 1)" >> $GITHUB_ENV pwd && ls -lash + - name: Archive Image files + if: ${{steps.validity-checks.outputs.IS_BUILDABLE == 'true' && steps.validity-checks.outputs.IS_PUBLISHABLE == 'false'}} + uses: actions/upload-artifact@v4 + with: + name: "${{needs.init.outputs.app_name}}-${{needs.init.outputs.app_version}}-${{matrix.architectures}}" + path: | + ./${{needs.init.outputs.app_name}}-${{needs.init.outputs.app_version}}-${{matrix.architectures}}-root.tar.xz + ./${{needs.init.outputs.app_name}}-${{needs.init.outputs.app_version}}-${{matrix.architectures}}-meta.tar.xz + compression-level: 0 + retention-days: 1 + - name: Publish Image files if: ${{steps.validity-checks.outputs.IS_BUILDABLE == 'true' && steps.validity-checks.outputs.IS_PUBLISHABLE == 'true'}} run: | From 0fc4632e0bc8a96fd63179b310541a9a0d1a1cf7 Mon Sep 17 00:00:00 2001 
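Review bot: `uses: actions/upload-artifact@v4` follows a mutable tag; pinning the step to the full commit SHA of the release (`uses: actions/upload-artifact@<full commit sha> # v4`) is the usual supply-chain hardening for third-party actions and keeps the PR artifact path from silently changing behaviour when the tag moves. The `if:` guard correctly restricts the upload to non-publishable builds, and `retention-days: 1` limits how long the unsigned tarballs linger.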
From: Soubinan Date: Thu, 16 Jan 2025 23:58:33 -0500 Subject: [PATCH 07/12] fix small issues in vault templates --- templates/vault-unsealed.yml | 6 ++++-- templates/vault.yml | 9 +++++---- 2 files changed, 9 insertions(+), 6 deletions(-) diff --git a/templates/vault-unsealed.yml b/templates/vault-unsealed.yml index 3cdb992..90f6579 100644 --- a/templates/vault-unsealed.yml +++ b/templates/vault-unsealed.yml @@ -71,12 +71,12 @@ instructions: content: |- VAULT_ADDR=https://127.0.0.1:8200 VAULT_SKIP_VERIFY=true - VAULT_CAPATH=/opt/certs/ca/cacert.pem + VAULT_CAPATH=/opt/certs/cacert.pem - path: /etc/environment generator: dump content: |- - VAULT_CAPATH=/opt/certs/ca/cacert.pem + VAULT_CAPATH=/opt/certs/cacert.pem - path: /etc/vault.d/vault.hcl generator: dump @@ -208,4 +208,6 @@ instructions: openssl req -config server.cnf -newkey rsa:2048 -sha256 -nodes -out vault.csr -outform PEM openssl ca -batch -config ca.cnf -policy signing_policy -extensions signing_req -out vault.crt -infiles vault.csr + systemctl enable vault-init.service + systemctl enable vault-unseal.service systemctl enable vault.service diff --git a/templates/vault.yml b/templates/vault.yml index 667ac27..bf13259 100644 --- a/templates/vault.yml +++ b/templates/vault.yml @@ -23,12 +23,12 @@ instructions: content: |- VAULT_ADDR=https://127.0.0.1:8200 VAULT_SKIP_VERIFY=true - VAULT_CAPATH=/opt/certs/ca/cacert.pem + VAULT_CAPATH=/opt/certs/cacert.pem - path: /etc/environment generator: dump content: |- - VAULT_CAPATH=/opt/certs/ca/cacert.pem + VAULT_CAPATH=/opt/certs/cacert.pem - path: /etc/vault.d/vault.hcl generator: dump 
@@ -105,10 +105,9 @@ instructions: wget -O- https://apt.releases.hashicorp.com/gpg | gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com {{image.release}} main" | tee /etc/apt/sources.list.d/hashicorp.list apt-get update - echo N|apt-get install -y vault + echo -e 'N\nN\n'|apt-get install -y vault mkdir /var/vault - chown vault:vault -R /opt/vault /var/vault touch /opt/certs/index.txt echo '01' > /opt/certs/serial.txt @@ -117,4 +116,6 @@ instructions: openssl req -config server.cnf -newkey rsa:2048 -sha256 -nodes -out vault.csr -outform PEM openssl ca -batch -config ca.cnf -policy signing_policy -extensions signing_req -out vault.crt -infiles vault.csr + chown vault:vault -R /opt /var/vault + systemctl enable vault.service From 6b60dc57980e1a15462e4a7a2e1ba64f873ec2e7 Mon Sep 17 00:00:00 2001 From: Soubinan Date: Sat, 18 Jan 2025 15:53:31 -0500 Subject: [PATCH 08/12] update vault-unsealed.yml: improve units orchestration --- templates/vault-unsealed.yml | 28 +++++++++++++++++----------- 1 file changed, 17 insertions(+), 11 deletions(-) diff --git a/templates/vault-unsealed.yml b/templates/vault-unsealed.yml index 90f6579..b245be2 100644 --- a/templates/vault-unsealed.yml +++ b/templates/vault-unsealed.yml @@ -25,8 +25,8 @@ instructions: #!/bin/bash vault operator init > /var/vault/init.output - cat /var/vault/init.output | grep -E 'Initial Root Token:' | awk '{print $4}' > /var/vault/keys - cat /var/vault/init.output | grep -E 'Unseal Key' | awk '{print $4}' > /var/vault/token + cat /var/vault/init.output | grep -E 'Initial Root Token:' | awk '{print $4}' > /var/vault/token + cat /var/vault/init.output | grep -E 'Unseal Key' | awk '{print $4}' > /var/vault/keys - path: /opt/vault/unseal.sh generator: dump 
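Review bot: `chown vault:vault -R /opt /var/vault` hands the service user ownership of everything under /opt, including the CA signing key `cakey.pem`, the CA database and the OpenSSL configs in /opt/certs and whatever else the base layout installs there; the previous `/opt/vault /var/vault` scope was the right one, and the service additionally needs only `chown vault:vault /opt/certs/vault.crt /opt/certs/server.key`. The same widened line is added to vault-unsealed.yml in patch 08. `echo -e 'N\nN\n'|apt-get install -y vault` answers two interactive prompts blindly and the prompt text is not visible here; if these are debconf questions, `DEBIAN_FRONTEND=noninteractive apt-get install -y vault` is the predictable form — worth confirming what is being declined.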
@@ -101,9 +101,11 @@ instructions: content: |- [Unit] Description="HashiCorp Vault - Init daemon" - Requires=network-online.target - After=network-online.target - ConditionPathExists=!/var/vault/.initialized__ + Requires=network-online.target vault.service + After=network-online.target vault.service + BindsTo=vault.service + ConditionFileNotEmpty=!/var/vault/keys + ConditionFileNotEmpty=!/var/vault/token [Service] Type=oneshot @@ -123,9 +125,9 @@ instructions: content: |- [Unit] Description="HashiCorp Vault - Unseal daemon" - Requires=network-online.target - After=network-online.target - ConditionPathExists=/var/vault/.initialized__ + Requires=network-online.target vault.service + After=network-online.target vault.service + BindsTo=vault.service [Service] Type=oneshot @@ -133,7 +135,9 @@ instructions: RemainAfterExit=yes WorkingDirectory=/opt/vault User=vault + ExecStart=/usr/bin/cat /var/vault/.initialized__ ExecStart=/opt/vault/unseal.sh + Restart=on-failure [Install] WantedBy=multi-user.target @@ -145,7 +149,7 @@ instructions: [Unit] Description="HashiCorp Vault - A tool for managing secrets" Documentation=https://developer.hashicorp.com/vault/docs - Requires=network-online.target vault-unseal.service + Requires=network-online.target After=network-online.target ConditionFileNotEmpty=/etc/vault.d/vault.hcl @@ -196,11 +200,11 @@ instructions: wget -O- https://apt.releases.hashicorp.com/gpg | gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com {{image.release}} main" | tee /etc/apt/sources.list.d/hashicorp.list apt-get update - echo N|apt-get install -y vault + echo -e 'N\nN\n'|apt-get install -y vault mkdir /var/vault - chown vault:vault -R /opt/vault /var/vault + touch /var/vault/{keys,token} touch /opt/certs/index.txt echo '01' > /opt/certs/serial.txt cd /opt/certs 
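Review bot: `touch /var/vault/{keys,token}` creates the files that will hold the unseal keys and the root token with the build's default umask, typically 0644, and the later `chown -R` changes ownership only, so the secrets remain readable by every user in the container; create them closed instead, `install -m 0600 -o vault -g vault /dev/null /var/vault/keys` and likewise for `token`. In vault-unseal.service, `Restart=on-failure` is combined with `Type=oneshot`; older systemd releases refuse that combination when loading the unit and bookworm ships 252, so the unit would likely fail to load — check with `systemd-analyze verify` before relying on the retry. The gate `ExecStart=/usr/bin/cat /var/vault/.initialized__` depends on vault-init.service still touching that marker; a comment on that line naming the dependency would help the next editor.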
@@ -208,6 +212,8 @@ instructions: openssl req -config server.cnf -newkey rsa:2048 -sha256 -nodes -out vault.csr -outform PEM openssl ca -batch -config ca.cnf -policy signing_policy -extensions signing_req -out vault.crt -infiles vault.csr + chown vault:vault -R /opt /var/vault + systemctl enable vault-init.service systemctl enable vault-unseal.service systemctl enable vault.service From 4b23f71f450cd5895ed6fd87f877c76df74a64aa Mon Sep 17 00:00:00 2001 From: Soubinan Date: Sat, 18 Jan 2025 15:54:24 -0500 Subject: [PATCH 09/12] update zitadel.yml: improve tls configs --- templates/zitadel.yml | 28 +++++++++++++--------------- 1 file changed, 13 insertions(+), 15 deletions(-) diff --git a/templates/zitadel.yml b/templates/zitadel.yml index 73edb11..6e17278 100644 --- a/templates/zitadel.yml +++ b/templates/zitadel.yml @@ -2,7 +2,7 @@ metadata: name: Zitadel get_version_command: curl -s https://api.github.com/repos/zitadel/zitadel/releases/latest | jq -r '.tag_name' description: Zitadel is a free and open-source secure authentication management tool. - categories: IAM, Authentication + categories: Identity, IAM, IDP, Security project_source: https://github.com/zitadel/zitadel distribution: debian release: bookworm @@ -10,17 +10,13 @@ metadata: - amd64 instructions: files: - - path: /opt/certs/rootCA.config + - path: /opt/certs/ca.cnf generator: copy - source: assets/rootCA.config + source: assets/certificates/ca.cnf - - path: /opt/certs/csr.config + - path: /opt/certs/server.cnf generator: copy - source: assets/csr.config - - - path: /opt/certs/crt.config - generator: copy - source: assets/crt.config + source: assets/certificates/server.cnf - path: /opt/zitadel/.config generator: dump @@ -29,8 +25,8 @@ instructions: ExternalSecure: true TLS: Enabled: true - KeyPath: /etc/ssl/private/zitadel.key - CertPath: /etc/ssl/private/zitadel.crt + KeyPath: /opt/certs/server.key + CertPath: /opt/certs/zitadel.crt - path: /opt/zitadel/.env generator: dump 
@@ -93,10 +89,12 @@ instructions: host replication all ::1/128 scram-sha-256 EOF - openssl req -x509 -newkey rsa:4096 -keyout /opt/certs/rootCA.key -out /opt/certs/rootCA.crt -sha256 -days 3650 -nodes -config /opt/certs/rootCA.config - openssl genrsa -out /etc/ssl/private/zitadel.key 2048 - openssl req -new -key /etc/ssl/private/zitadel.key -out /etc/ssl/private/zitadel.csr -config /opt/certs/csr.config - openssl x509 -req -in /etc/ssl/private/zitadel.csr -CA /opt/certs/rootCA.crt -CAkey /opt/certs/rootCA.key -CAcreateserial -out /etc/ssl/private/zitadel.crt -days 1825 -sha256 -extfile /opt/certs/crt.config + touch /opt/certs/index.txt + echo '01' > /opt/certs/serial.txt + cd /opt/certs + openssl req -x509 -config ca.cnf -newkey rsa:4096 -sha256 -nodes -out cacert.pem -outform PEM + openssl req -config server.cnf -newkey rsa:2048 -sha256 -nodes -out zitadel.csr -outform PEM + openssl ca -batch -config ca.cnf -policy signing_policy -extensions signing_req -out zitadel.crt -infiles zitadel.csr systemctl enable postgresql.service systemctl enable zitadel.service From 9e2bb613602b773fef59ee75af42037bb6b3fa1a Mon Sep 17 00:00:00 2001 From: Soubinan Date: Sat, 18 Jan 2025 22:57:29 -0500 Subject: [PATCH 10/12] Update matomo and keycloak --- templates/keycloak.yml | 4 ++-- templates/nextcloud.yml | 8 ++++++-- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/templates/keycloak.yml b/templates/keycloak.yml index 10e976e..7d3e266 100644 --- a/templates/keycloak.yml +++ b/templates/keycloak.yml 
@@ -85,8 +85,8 @@ instructions: echo '01' > /opt/certs/serial.txt cd /opt/certs openssl req -x509 -config ca.cnf -newkey rsa:4096 -sha256 -nodes -out cacert.pem -outform PEM - openssl req -config server.cnf -newkey rsa:2048 -sha256 -nodes -out Keycloak.csr -outform PEM - openssl ca -batch -config ca.cnf -policy signing_policy -extensions signing_req -out Keycloak.crt -infiles Keycloak.csr + openssl req -config server.cnf -newkey rsa:2048 -sha256 -nodes -out keycloak.csr -outform PEM + openssl ca -batch -config ca.cnf -policy signing_policy -extensions signing_req -out keycloak.crt -infiles keycloak.csr mkdir -p /opt/keycloak diff --git a/templates/nextcloud.yml b/templates/nextcloud.yml index 066ae12..6705565 100644 --- a/templates/nextcloud.yml +++ b/templates/nextcloud.yml @@ -10,9 +10,13 @@ metadata: - amd64 instructions: files: - - path: /opt/certs/rootCA.config + - path: /opt/certs/ca.cnf generator: copy - source: assets/rootCA.config + source: assets/certificates/ca.cnf + + - path: /opt/certs/server.cnf + generator: copy + source: assets/certificates/server.cnf - path: /opt/ssl.conf generator: dump From ffe668d7cab655d57577d5b013f8b96372dac91c Mon Sep 17 00:00:00 2001 From: Soubinan Date: Sat, 18 Jan 2025 22:57:55 -0500 Subject: [PATCH 11/12] revert omada json data removal --- assets/omada-post-data.json | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 assets/omada-post-data.json diff --git a/assets/omada-post-data.json b/assets/omada-post-data.json new file mode 100644 index 0000000..1223b57 --- /dev/null +++ b/assets/omada-post-data.json 
@@ -0,0 +1,23 @@ +{ + "pageIndex": 0, + "pageSize": 1, + "sortField": "", + "sortOrder": "DESC", + "keyword": ".deb", + "siteId": 1, + "siteCode": "en", + "resourceType": "download", + "typeIdList": [], + "documentResourceTypeIdList": [], + "downloadsResourceTypeIdList": [], + "bulletinsResourceTypeIdList": [], + "documentTagIdList": [], + "downloadTagIdList": [], + "bulletinsTagIdList": [], + "communityCategories": [], + "communityTagNames": [], + "suitableModelList": [ + "Omada Software Controller", + "Omada Software Controller V5" + ] +} \ No newline at end of file From f7e2f02c4993450916afb760e99942dc0e18f6ba Mon Sep 17 00:00:00 2001 From: Soubinan Date: Sat, 18 Jan 2025 22:58:07 -0500 Subject: [PATCH 12/12] add help message --- __layout.k | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/__layout.k b/__layout.k index 5529d7a..5016e08 100644 --- a/__layout.k +++ b/__layout.k @@ -27,6 +27,8 @@ schema Metadata: distribution: str release: str architectures: [str] + help_message: str = """\ + """ check: distribution != Undefined, "Distribution should be explicitely set" @@ -1283,6 +1285,12 @@ files = [ mode = "0655" content = _welcome_msg_script } + { + path = "/etc/issue.d/61-help.issue" + generator = "dump" + mode = "0655" + content = _metadata.help_message + } *_files_add ] packages = {
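Review bot: Restoring `assets/omada-post-data.json` leaves two copies of the same request body, since patch 01 switched templates/omada.yml to an inline `dump` of identical content and nothing in this series points `source:` back at the asset; unless a later change reverts the template, this file is unreferenced and the two copies will drift. Keep one source of truth — either restore `generator: copy` with `source: assets/omada-post-data.json` in omada.yml or leave this file out.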
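Review bot: The new `/etc/issue.d/61-help.issue` entry is written with `mode = "0655"`, which sets execute bits on a text file that getty only reads; `mode = "0644"` is the conventional value. The existing entry above uses the same mode, so this keeps the pattern, but it also propagates it. `help_message` defaults to an empty string, so every template that does not set it ships an empty issue file; a doc-comment on the new schema field stating that the file is always generated, or guarding the entry on `len(_metadata.help_message) > 0`, would make that behaviour explicit.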