From cf84a91849c3bcdb4c429fb16b65d8d92de2ef37 Mon Sep 17 00:00:00 2001
From: kload
Date: Thu, 1 Oct 2015 14:36:29 -0400
Subject: [PATCH] [enh] Add SSL, nsswitch and udisks-glue regen conf scripts
---
 data/hooks/conf_regen/02-ssl | 50 ++++
 data/hooks/conf_regen/46-nsswitch | 20 ++
 data/hooks/conf_regen/49-udisks-glue | 20 ++
 data/templates/nsswitch/nsswitch.conf | 21 ++
 data/templates/ssl/openssl.cnf | 293 ++++++++++++++++++++
 data/templates/udisks-glue/udisks-glue.conf | 9 +
 6 files changed, 413 insertions(+)
 create mode 100644 data/hooks/conf_regen/02-ssl
 create mode 100644 data/hooks/conf_regen/46-nsswitch
 create mode 100644 data/hooks/conf_regen/49-udisks-glue
 create mode 100644 data/templates/nsswitch/nsswitch.conf
 create mode 100644 data/templates/ssl/openssl.cnf
 create mode 100644 data/templates/udisks-glue/udisks-glue.conf
diff --git a/data/hooks/conf_regen/02-ssl b/data/hooks/conf_regen/02-ssl
new file mode 100644
index 000000000..2087978d9
--- /dev/null
+++ b/data/hooks/conf_regen/02-ssl
@@ -0,0 +1,50 @@
+#!/bin/bash
+set -e
+
+force=$1
+
+function safe_copy () {
+ if [ $force ]; then
+ sudo yunohost service safecopy \
+ -s ssl $1 $2 --force
+ else
+ sudo yunohost service safecopy \
+ -s ssl $1 $2
+ fi
+}
+
+cd /usr/share/yunohost/templates/ssl
+ssl_dir=/usr/share/yunohost/yunohost-config/ssl/yunoCA
+
+sudo mkdir -p /etc/yunohost/certs/yunohost.org
+sudo mkdir -p $ssl_dir/{ca,certs,crl,newcerts}
+
+if [ ! -f $ssl_dir/serial ]; then
+ echo "01" | sudo tee $ssl_dir/serial
+fi
+
+if [ ! -f /etc/yunohost/current_host ]; then
+ echo "yunohost.org" | sudo tee /etc/yunohost/current_host
+fi
+
+if [ ! -f /etc/yunohost/certs/yunohost.org/crt.pem ]; then
+ sudo openssl req -new -config $ssl_dir/openssl.cnf \
+ -days 730 -out $ssl_dir/certs/yunohost_csr.pem \
+ -keyout $ssl_dir/certs/yunohost_key.pem -nodes -batch
+ sudo openssl ca -config $ssl_dir/openssl.cnf \
+ -days 730 -in $ssl_dir/certs/yunohost_csr.pem \
+ -out $ssl_dir/certs/yunohost_crt.pem -batch
+ sudo cp $ssl_dir/ca/cacert.pem \
+ /etc/yunohost/certs/yunohost.org/ca.pem
+ sudo cp $ssl_dir/certs/yunohost_key.pem \
+ /etc/yunohost/certs/yunohost.org/key.pem
+ sudo cp $ssl_dir/yunoCA/newcerts/01.pem \
+ /etc/yunohost/certs/yunohost.org/crt.pem
+ sudo ln -s /etc/yunohost/certs/yunohost.org/crt.pem \
+ /etc/ssl/certs/yunohost_crt.pem
+ sudo ln -s /etc/yunohost/certs/yunohost.org/key.pem \
+ /etc/ssl/private/yunohost_key.pem
+ sudo ln -s /etc/yunohost/certs/yunohost.org/ca.pem \
+ /etc/ssl/certs/ca-yunohost_crt.pem
+ sudo update-ca-certificates
+fi
diff --git a/data/hooks/conf_regen/46-nsswitch b/data/hooks/conf_regen/46-nsswitch
new file mode 100644
index 000000000..73535eeda
--- /dev/null
+++ b/data/hooks/conf_regen/46-nsswitch
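Review bot: `sudo cp $ssl_dir/yunoCA/newcerts/01.pem` repeats the `yunoCA` component that `ssl_dir` already ends with, so unless that nested directory happens to exist the copy fails and `set -e` stops the hook after the certificate has been signed but before `crt.pem`, the symlinks and `update-ca-certificates` are done; `openssl ca` already wrote the same certificate to `$ssl_dir/certs/yunohost_crt.pem`, so `sudo cp $ssl_dir/certs/yunohost_crt.pem /etc/yunohost/certs/yunohost.org/crt.pem` fixes the path and drops the assumption that the serial is still `01`. The key generated with `-nodes` is copied and then linked into `/etc/ssl/private` without an explicit mode, so add `sudo chmod 600 /etc/yunohost/certs/yunohost.org/key.pem` after the copy rather than relying on whatever mode `cp` inherits. `openssl ca` also expects `$ssl_dir/index.txt` and the CA pair under `$ssl_dir/ca`, which this hook never creates (presumably another step provides them); a comment above the `openssl` calls naming that dependency would help. `[ $force ]` treats any non-empty first argument, including `False`, as forcing, while 46-nsswitch and 49-udisks-glue use `[[ "$force" == "True" ]]`, and `safe_copy` is never called here, so either align the test with the other two hooks or drop the unused function.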
@@ -0,0 +1,20 @@
+#!/bin/bash
+set -e
+
+force=$1
+
+function safe_copy () {
+ if [[ "$force" == "True" ]]; then
+ sudo yunohost service safecopy \
+ -s nsswitch $1 $2 --force
+ else
+ sudo yunohost service safecopy \
+ -s nsswitch $1 $2
+ fi
+}
+
+cd /usr/share/yunohost/templates/nsswitch
+
+if [[ "$(safe_copy nsswitch.conf /etc/nsswitch.conf)" == "True" ]]; then
+ sudo service nscd restart
+fi
diff --git a/data/hooks/conf_regen/49-udisks-glue b/data/hooks/conf_regen/49-udisks-glue
new file mode 100644
index 000000000..85de9182d
--- /dev/null
+++ b/data/hooks/conf_regen/49-udisks-glue
@@ -0,0 +1,20 @@
+#!/bin/bash
+set -e
+
+force=$1
+
+function safe_copy () {
+ if [[ "$force" == "True" ]]; then
+ sudo yunohost service safecopy \
+ -s udisks-glue $1 $2 --force
+ else
+ sudo yunohost service safecopy \
+ -s udisks-glue $1 $2
+ fi
+}
+
+cd /usr/share/yunohost/templates/udisks-glue
+
+if [[ "$(safe_copy udisks-glue.conf /etc/udisks-glue.conf)" == "True" ]]; then
+ sudo service udisks-glue restart
+fi
diff --git a/data/templates/nsswitch/nsswitch.conf b/data/templates/nsswitch/nsswitch.conf
new file mode 100644
index 000000000..cf5b45256
--- /dev/null
+++ b/data/templates/nsswitch/nsswitch.conf
@@ -0,0 +1,21 @@
+# /etc/nsswitch.conf
+#
+# Example configuration of GNU Name Service Switch functionality.
+# If you have the `glibc-doc-reference' and `info' packages installed, try:
+# `info libc "Name Service Switch"' for information about this file.
+
+passwd: compat ldap
+group: compat ldap
+shadow: compat ldap
+gshadow: files
+
+hosts: files mdns4_minimal [NOTFOUND=return] dns
+networks: files
+
+protocols: db files
+services: db files
+ethers: db files
+rpc: db files
+
+netgroup: nis
+sudoers: files ldap
diff --git a/data/templates/ssl/openssl.cnf b/data/templates/ssl/openssl.cnf
new file mode 100644
index 000000000..fa5d19fa3
--- /dev/null
+++ b/data/templates/ssl/openssl.cnf
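Review bot: The header still says `Example configuration of GNU Name Service Switch functionality`, but the content is a YunoHost template that sends `passwd`, `group`, `shadow` and `sudoers` lookups to LDAP, so replace that header with a comment stating that the file is installed by `46-nsswitch` and requires the local directory to be reachable. Because `shadow: compat ldap` and `sudoers: files ldap` make the directory the source of password hashes and of sudo rules, a line such as `# shadow and sudoers are served from LDAP: the directory ACLs on those entries gate local root` records what must stay restricted. `netgroup: nis` looks inherited from the stock example rather than used here; confirm and either remove it or note why it stays.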
@@ -0,0 +1,293 @@
+#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME = /usr/share/yunohost/yunohost-config/ssl
+RANDFILE = $ENV::HOME/.rnd
+
+# Extra OBJECT IDENTIFIER info:
+#oid_file = $ENV::HOME/.oid
+oid_section = new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions =
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca' and 'req'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+####################################################################
+[ ca ]
+default_ca = Yunohost # The default ca section
+
+####################################################################
+[ Yunohost ]
+
+dir = /usr/share/yunohost/yunohost-config/ssl/yunoCA # Where everything is kept
+certs = $dir/certs # Where the issued certs are kept
+crl_dir = $dir/crl # Where the issued crl are kept
+database = $dir/index.txt # database index file.
+unique_subject = no # Set to 'no' to allow creation of
+ # several ctificates with same subject.
+new_certs_dir = $dir/newcerts # default place for new certs.
+
+certificate = $dir/ca/cacert.pem # The CA certificate
+serial = $dir/serial # The current serial number
+#crlnumber = $dir/crlnumber # the current crl number
+ # must be commented out to leave a V1 CRL
+crl = $dir/crl.pem # The current CRL
+private_key = $dir/ca/cakey.pem # The private key
+RANDFILE = $dir/ca/.rand # private random number file
+
+x509_extensions = usr_cert # The extentions to add to the cert
+
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt = ca_default # Subject Name options
+cert_opt = ca_default # Certificate field options
+
+# Extension copying option: use with caution.
+copy_extensions = copy
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+# crl_extensions = crl_ext
+
+default_days = 3650 # how long to certify for
+default_crl_days= 30 # how long before next CRL
+default_md = sha256 # which md to use.
+preserve = no # keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy = policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName = optional
+stateOrProvinceName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+####################################################################
+[ req ]
+default_bits = 2048
+default_keyfile = privkey.pem
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+x509_extensions = v3_ca # The extentions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix : PrintableString, BMPString.
+# utf8only: only UTF8Strings.
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
+# so use this option with caution!
+string_mask = nombstr
+
+req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+commonName = Common Name (eg, YOUR name)
+commonName_max = 64
+commonName_default = yunohost.org
+
+# SET-ex3 = SET extension number 3
+
+[ req_attributes ]
+challengePassword = A challenge password
+challengePassword_min = 4
+challengePassword_max = 20
+
+unstructuredName = An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType = server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment = "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+subjectAltName=DNS:yunohost.org,DNS:www.yunohost.org,DNS:ns.yunohost.org
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer:always
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always,issuer:always
+
+[ proxy_cert_ext ]
+# These extensions should be added when creating a proxy certificate
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType = server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment = "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This really needs to be in place for it to be a proxy certificate.
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
diff --git a/data/templates/udisks-glue/udisks-glue.conf b/data/templates/udisks-glue/udisks-glue.conf
new file mode 100644
index 000000000..f97de948f
--- /dev/null
+++ b/data/templates/udisks-glue/udisks-glue.conf
@@ -0,0 +1,9 @@
+filter disks {
+ optical = false
+ partition_table = false
+ usage = filesystem
+}
+match disks {
+ automount=true
+ automount_options= { sync, noatime, "dmask=0", "fmask=0" }
+}
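Review bot: `copy_extensions = copy` in `[ Yunohost ]` carries every extension from a CSR into the issued certificate unless `[ usr_cert ]` sets it itself, and `usr_cert` sets neither `subjectAltName` nor `keyUsage`, so both are controlled by the request being signed. That is how the `subjectAltName=DNS:yunohost.org,...` in `[ v3_req ]` reaches the hook's own certificate, but it applies equally to any other CSR signed with this profile; extend the existing `# Extension copying option: use with caution.` comment to say that SAN and keyUsage come from the request and that only locally generated CSRs should be signed with it. `default_days = 3650` here differs from the `-days 730` the hook passes, and `string_mask = nombstr` is the legacy mask (current OpenSSL defaults to `utf8only`); a one-line comment saying each is intentional would spare the next reader a check. `[ proxy_cert_ext ]`, ending in the sample `policy:foo`, is unreferenced and can be removed.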
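Review bot: `match disks` auto-mounts every non-optical filesystem on an inserted disk with `dmask=0` / `fmask=0`, which makes FAT/NTFS content world-writable, and without `nosuid`, `nodev` or `noexec`, so setuid binaries or device nodes on removable media are honoured on the host the moment it is plugged in; change the line to `automount_options = { sync, noatime, nosuid, nodev, noexec, "dmask=0", "fmask=0" }` unless executing from removable media is required. A comment above `filter disks` stating which devices the template is meant to catch and why `sync` is chosen would document the intent.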