-rw-r--r-- | PKGBUILD | 10 | ||||
-rw-r--r-- | configs/nginx/certbot.ctx-server.conf | 5 | ||||
-rw-r--r-- | configs/nginx/nginx.conf | 11 | ||||
-rw-r--r-- | configs/os/services/kvmd-certbot.service | 8 | ||||
-rw-r--r-- | configs/os/services/kvmd-certbot.timer | 10 | ||||
-rw-r--r-- | configs/os/sysusers.conf | 5 | ||||
-rw-r--r-- | configs/os/tmpfiles.conf | 8 | ||||
-rwxr-xr-x | scripts/kvmd-certbot | 105 |
8 files changed, 153 insertions, 9 deletions
@@ -74,6 +74,7 @@ depends=( dnsmasq ipmitool "janus-gateway-pikvm>=0.11.2-7" + certbot platform-io-access "ustreamer>=5.8" @@ -112,7 +113,10 @@ md5sums=(SKIP) backup=( etc/kvmd/{override,logging,auth,meta}.yaml etc/kvmd/{ht,ipmi,vnc}passwd - etc/kvmd/nginx/{kvmd.ctx-{http,server},listen-http{,s},loc-{login,nocache,proxy,websocket},mime-types,ssl,redirect-to-https,nginx}.conf + etc/kvmd/nginx/{kvmd.ctx-{http,server},certbot.ctx-server}.conf + etc/kvmd/nginx/listen-http{,s}.conf + etc/kvmd/nginx/loc-{login,nocache,proxy,websocket}.conf + etc/kvmd/nginx/{mime-types,ssl,redirect-to-https,nginx}.conf etc/kvmd/janus/janus{,.plugin.ustreamer,.transport.websockets}.jcfg etc/kvmd/web.css ) @@ -133,9 +137,9 @@ package_kvmd() { cd "$srcdir/$pkgname-build" python setup.py install --root="$pkgdir" - install -Dm755 -t "$pkgdir/usr/bin" scripts/kvmd-{bootconfig,gencert} + install -Dm755 -t "$pkgdir/usr/bin" scripts/kvmd-{bootconfig,gencert,certbot} - install -Dm644 -t "$pkgdir/usr/lib/systemd/system" configs/os/services/*.service + install -Dm644 -t "$pkgdir/usr/lib/systemd/system" configs/os/services/* install -DTm644 configs/os/sysusers.conf "$pkgdir/usr/lib/sysusers.d/kvmd.conf" install -DTm644 configs/os/tmpfiles.conf "$pkgdir/usr/lib/tmpfiles.d/kvmd.conf" diff --git a/configs/nginx/certbot.ctx-server.conf b/configs/nginx/certbot.ctx-server.conf new file mode 100644 index 00000000..6c8ea525 --- /dev/null +++ b/configs/nginx/certbot.ctx-server.conf @@ -0,0 +1,5 @@ +location /.well-known/acme-challenge { + root /run/kvmd-certbot/webroot; + include /etc/kvmd/nginx/loc-nocache.conf; + auth_request off; +} diff --git a/configs/nginx/nginx.conf b/configs/nginx/nginx.conf index 81b8265d..6b08c68e 100644 --- a/configs/nginx/nginx.conf +++ b/configs/nginx/nginx.conf 
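Review bot: certbot.ctx-server.conf is only included in the https server block (the `include /etc/kvmd/nginx/certbot.ctx-server.conf;` added after ssl.conf in nginx.conf), but an ACME HTTP-01 challenge is fetched over port 80, so issuance relies on the port-80 server redirecting `/.well-known/acme-challenge/...` to https unchanged; that redirect (redirect-to-https.conf, listed in backup=) is not part of this commit, so this is inferred. A comment in the new file recording the dependency, e.g. `# Served via the port-80 redirect to https; the ACME HTTP-01 challenge must keep working through that redirect`, would stop a later change to the redirect from silently breaking issuance, or the location can additionally be included in the plain-http server so the challenge does not depend on the redirect at all.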
@@ -27,11 +27,11 @@ http { keepalive_timeout 10; client_max_body_size 4k; - client_body_temp_path /tmp/kvmd-nginx.client_body_temp; - fastcgi_temp_path /tmp/kvmd-nginx.fastcgi_temp; - proxy_temp_path /tmp/kvmd-nginx.proxy_temp; - scgi_temp_path /tmp/kvmd-nginx.scgi_temp; - uwsgi_temp_path /tmp/kvmd-nginx.uwsgi_temp; + client_body_temp_path /tmp/kvmd-nginx/client_body_temp; + fastcgi_temp_path /tmp/kvmd-nginx/fastcgi_temp; + proxy_temp_path /tmp/kvmd-nginx/proxy_temp; + scgi_temp_path /tmp/kvmd-nginx/scgi_temp; + uwsgi_temp_path /tmp/kvmd-nginx/uwsgi_temp; include /etc/kvmd/nginx/kvmd.ctx-http.conf; include /usr/share/kvmd/extras/*/nginx.ctx-http.conf; @@ -47,6 +47,7 @@ http { include /etc/kvmd/nginx/listen-https.conf; include /etc/kvmd/nginx/ssl.conf; include /etc/kvmd/nginx/kvmd.ctx-server.conf; + include /etc/kvmd/nginx/certbot.ctx-server.conf; include /usr/share/kvmd/extras/*/nginx.ctx-server.conf; } } diff --git a/configs/os/services/kvmd-certbot.service b/configs/os/services/kvmd-certbot.service new file mode 100644 index 00000000..bf505aea --- /dev/null +++ b/configs/os/services/kvmd-certbot.service @@ -0,0 +1,8 @@ +[Unit] +Description=PiKVM - Certbot-Renew for KVMD-Nginx + +[Service] +Type=oneshot +ExecStart=/usr/bin/kvmd-certbot renew --quiet +# Should we?.. +# PrivateTmp=true diff --git a/configs/os/services/kvmd-certbot.timer b/configs/os/services/kvmd-certbot.timer new file mode 100644 index 00000000..84fc9fcd --- /dev/null +++ b/configs/os/services/kvmd-certbot.timer @@ -0,0 +1,10 @@ +[Unit] +Description=Run KVMD-Certbot twice daily + +[Timer] +OnCalendar=*-*-* 00/12:00:00 +RandomizedDelaySec=12h +Persistent=true + +[Install] +WantedBy=timers.target diff --git a/configs/os/sysusers.conf b/configs/os/sysusers.conf index a24fbef9..b25179b8 100644 --- a/configs/os/sysusers.conf +++ b/configs/os/sysusers.conf 
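Review bot: The `# Should we?.. # PrivateTmp=true` question in kvmd-certbot.service can be answered from this commit: the kvmd-certbot script uses `/tmp/kvmd-certbot/runroot` as its lock and work directory, and the parent `/tmp/kvmd-certbot` is created by the new tmpfiles entry in the host /tmp, so with PrivateTmp=true the unit would see an empty private /tmp and `mkdir "$tmp"` in the script would fail on the missing parent. Either replace the comment with a documented decision, `# PrivateTmp is off on purpose: kvmd-certbot locks on /tmp/kvmd-certbot/runroot, which tmpfiles creates in the host /tmp`, or, if PrivateTmp is wanted, have the script create its own parent directory before taking the lock. The script and the tmpfiles change are in later hunks of this commit.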
@@ -4,6 +4,7 @@ g kvmd-ipmi - - g kvmd-vnc - - g kvmd-nginx - - g kvmd-janus - - +g kvmd-certbot - - u kvmd - "PiKVM - The main daemon" - u kvmd-pst - "PiKVM - Persistent storage" - @@ -11,6 +12,7 @@ u kvmd-ipmi - "PiKVM - IPMI to KVMD proxy" - u kvmd-vnc - "PiKVM - VNC to KVMD/Streamer proxy" - u kvmd-nginx - "PiKVM - HTTP entrypoint" - u kvmd-janus - "PiKVM - Janus WebRTC Gateway" - +u kvmd-certbot - "PiKVM - Certbot-Renew for KVMD-Nginx" m kvmd video m kvmd gpio @@ -26,3 +28,6 @@ m kvmd-janus audio m kvmd-nginx kvmd m kvmd-nginx kvmd-janus +m kvmd-nginx kvmd-certbot + +m kvmd-certbot kvmd-pst diff --git a/configs/os/tmpfiles.conf b/configs/os/tmpfiles.conf index 8e1734d2..973c5d43 100644 --- a/configs/os/tmpfiles.conf +++ b/configs/os/tmpfiles.conf @@ -1 +1,7 @@ -D /run/kvmd 0775 kvmd kvmd - +D /run/kvmd 0775 kvmd kvmd - +D /run/kvmd-certbot 0755 root root - +D /run/kvmd-certbot/webroot 0755 kvmd-certbot kvmd-certbot - + +D /tmp/kvmd 0775 kvmd kvmd - +D /tmp/kvmd-nginx 0700 kvmd-nginx root - +D /tmp/kvmd-certbot 0755 kvmd-certbot kvmd-certbot - diff --git a/scripts/kvmd-certbot b/scripts/kvmd-certbot new file mode 100755 index 00000000..937a6fb0 --- /dev/null +++ b/scripts/kvmd-certbot 
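Review bot: `D /tmp/kvmd-certbot 0755 kvmd-certbot kvmd-certbot -` in tmpfiles.conf makes the renewal work area world-traversable, while the neighbouring `D /tmp/kvmd-nginx 0700 kvmd-nginx root -` keeps the nginx temp area private. The kvmd-certbot script copies the whole certbot config tree, including `archive/*/privkey*.pem`, into `/tmp/kvmd-certbot/runroot` with `cp -a`, so whatever other local users can reach there depends entirely on the modes certbot itself put on those files and directories, which nothing on this page shows. Only root and the kvmd-certbot user need this directory (nginx serves the challenge from the webroot under /run, not from here), so `D /tmp/kvmd-certbot 0700 kvmd-certbot kvmd-certbot -` removes that dependence at no cost.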
@@ -0,0 +1,105 @@
+#!/bin/bash
+# ========================================================================== #
+# #
+# KVMD - The main PiKVM daemon. #
+# #
+# Copyright (C) 2018-2022 Maxim Devaev <[email protected]> #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see <https://www.gnu.org/licenses/>. #
+# #
+# ========================================================================== #
+
+
+set -e
+export LC_ALL=C
+
+if [ "$(whoami)" != root ]; then
+ echo "Only root can do that"
+ exit 1
+fi
+
+user=kvmd-certbot
+web=/run/kvmd-certbot/webroot
+pstbase=/var/lib/kvmd/pst/data/certbot
+cur="$pstbase/runroot"
+new="$pstbase/runroot.new"
+tmp=/tmp/kvmd-certbot/runroot
+
+function cleanup() {
+ rm -rf "$tmp"
+}
+
+function create_tmp() {
+ mkdir "$tmp" # Acts as a lock
+ chown "$user:" "$tmp"
+ trap cleanup EXIT
+}
+
+if [ "$1" == "renew" ]; then
+ create_tmp
+ cp -a "$cur"/{config,work,logs} "$tmp"
+ sed -s -i -e "s| = $cur/| = $tmp/|g" "$tmp/config/renewal/"*
+ shift
+ sudo -u "$user" certbot renew "$@" \
+ --config-dir="$tmp/config" \
+ --work-dir="$tmp/work" \
+ --logs-dir="$tmp/logs" \
+ --deploy-hook="/usr/bin/touch '$tmp/updated'"
+ if [ -f "$tmp/updated" ]; then
+ sudo -u "$user" kvmd-pstrun -- bash -c "
+ set -ex
+ rm -rf '$new'
+ cp -a '$tmp' '$new'
+ rm '$new/updated'
+ chmod 640 '$new'/config/archive/*/privkey*.pem
+ sed -s -i -e 's| = $tmp/| = $cur/|g' '$new/config/renewal/'*
+ sync
+ kvmd-helper-swapfiles '$new' '$cur'
+ rm -rf '$new'
+ "
+ echo "Reloading KVMD-Nginx ..."
+ systemctl reload kvmd-nginx || true
+ fi
+
+else
+ create_tmp
+ if [ ! -d "$cur" ]; then
+ kvmd-pstrun -- bash -c "
+ set -ex
+ mkdir -p '$cur'
+ chown '$user:' '$cur'
+ "
+ fi
+ if [ "$1" == "certonly-webroot" ]; then
+ shift
+ sudo -u "$user" kvmd-pstrun -- certbot certonly "$@" \
+ --config-dir="$cur/config" \
+ --work-dir="$cur/work" \
+ --logs-dir="$cur/logs" \
+ --webroot \
+ --webroot-path="$web" \
+ --deploy-hook="/usr/bin/bash -c '
+ set -ex
+ cd \"\$RENEWED_LINEAGE\"
+ chmod 640 privkey.pem
+ ln -s fullchain.pem server.crt
+ ln -s privkey.pem server.key
+ '"
+ else
+ sudo -u "$user" kvmd-pstrun -- certbot "$@" \
+ --config-dir="$cur/config" \
+ --work-dir="$cur/work" \
+ --logs-dir="$cur/logs"
+ fi
+fi |
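Review bot: The certonly-webroot deploy hook's `ln -s fullchain.pem server.crt` and `ln -s privkey.pem server.key` fail with "File exists" whenever the lineage directory already holds those links (re-running certonly-webroot for an existing certificate, e.g. to add a name), and since the hook runs under `set -ex` that aborts the hook; `ln -sf` on both lines makes it idempotent. In create_tmp the `trap cleanup EXIT` is registered only after `chown "$user:" "$tmp"`, so a failed chown leaves the lock directory behind and every later run dies at `mkdir "$tmp"`; moving the trap line directly after the mkdir keeps the lock self-cleaning. `systemctl reload kvmd-nginx || true` also hides the one failure the operator most needs to see, a renewed certificate that nginx never loads; at least report it, e.g. `systemctl reload kvmd-nginx || echo "Failed to reload kvmd-nginx" >&2`. The whole script is within this hunk.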