Frogg
/
Linux_frogg-profile.d
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

- ajout du script de renew auto du server CA

This commit is contained in:
Frogg 2026-05-17 10:12:55 +02:00
parent b0cdbb8a3e
commit f496539203
3 changed files with 35 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
config/config_install.sh
View File

@ -11,7 +11,7 @@ CONFIG_DEB_INSTALL_SERVER_SMTP_LOGIN="admin@frogg.fr"
# ZABBIX CLIENT INSTALLATION # ZABBIX CLIENT INSTALLATION
CONFIG_DEB_INSTALL_ZABBIX_SERVER_IP="zabbix.server.home" CONFIG_DEB_INSTALL_ZABBIX_SERVER_IP="zabbix.server.home"
# CA INSTALLATION # CA INSTALLATION
CONFIG_DEB_INSTALL_DEFAULT_CA_SERVER="192.168.0.110" CONFIG_DEB_INSTALL_DEFAULT_CA_SERVER="ca.server.home"
CONFIG_DEB_INSTALL_DEFAULT_CA_WILDCARD="*.server.home" CONFIG_DEB_INSTALL_DEFAULT_CA_WILDCARD="*.server.home"
CONFIG_DEB_INSTALL_DEFAULT_CA_SERVICES="gitea nginx apache2 mysql postgresql jellyfin" CONFIG_DEB_INSTALL_DEFAULT_CA_SERVICES="gitea nginx apache2 mysql postgresql jellyfin"
CONFIG_DEB_INSTALL_DEFAULT_CA_STEP="step-cli_0.24.4_amd64.deb" CONFIG_DEB_INSTALL_DEFAULT_CA_STEP="step-cli_0.24.4_amd64.deb"
@ -20,6 +20,7 @@ CONFIG_DEB_INSTALL_DEFAULT_CA_FILE_PFX="server.pfx"
CONFIG_DEB_INSTALL_DEFAULT_CA_FILE_CRT="server.crt" CONFIG_DEB_INSTALL_DEFAULT_CA_FILE_CRT="server.crt"
CONFIG_DEB_INSTALL_DEFAULT_CA_FILE_KEY="server.key" CONFIG_DEB_INSTALL_DEFAULT_CA_FILE_KEY="server.key"
CONFIG_DEB_INSTALL_DEFAULT_CA_CRON="STEP-CA-RENEWAL" CONFIG_DEB_INSTALL_DEFAULT_CA_CRON="STEP-CA-RENEWAL"
CONFIG_DEB_INSTALL_DEFAULT_CA_FINGERPRINT="4873b9eaeb8a7643475939b4035221bd1bc3acd0db00e94df5a76d771459f439"
# SCRIPT UPDATE INSTALLATION # SCRIPT UPDATE INSTALLATION
CONFIG_DEB_INSTALL_CRON_UPDATE="CONFIG_DEB_INSTALL_CRON_UPDATE" CONFIG_DEB_INSTALL_CRON_UPDATE="CONFIG_DEB_INSTALL_CRON_UPDATE"

32
func/deb_sys.sh
View File

@ -52,7 +52,7 @@ check_deb_sys_ipv6(){
check_deb_sys_locale_install() { check_deb_sys_locale_install() {
# On cherche spécifiquement les lignes décommentées pour fr_FR ET en_US # On cherche spécifiquement les lignes dé commentées pour fr_FR ET en_US
if grep -q "^fr_FR.UTF-8" /etc/locale.gen && grep -q "^en_US.UTF-8" /etc/locale.gen; then if grep -q "^fr_FR.UTF-8" /etc/locale.gen && grep -q "^en_US.UTF-8" /etc/locale.gen; then
return 0 return 0
else else
@ -331,7 +331,14 @@ do_deb_sys_ufw() {
fi fi
msg_info "Liste des ports tcp sortant ouvert" msg_info "Liste des ports tcp sortant ouvert"
ss -tlnw | grep -v -E '(127\.0\.0\.1|::1)' | column -t sudo ss -tlnwp | grep -v -E '(127\.0\.0\.1|::1)' | awk '
BEGIN {print "State", "Local_Address:Port", "Process"}
NR==1 {next}
{
split($4, a, ":");
port=a[length(a)]
}
!seen[port]++ {print $1, $2, $5}' | column -t
# 2. Boucle de saisie (on remplit uniquement le tableau en mémoire) # 2. Boucle de saisie (on remplit uniquement le tableau en mémoire)
while true; do while true; do
@ -356,7 +363,7 @@ do_deb_sys_ufw() {
current_ssh_port=${current_ssh_port:-22} current_ssh_port=${current_ssh_port:-22}
if [[ ! " ${ports_to_allow[@]} " =~ " ${current_ssh_port} " ]]; then if [[ ! " ${ports_to_allow[@]} " =~ " ${current_ssh_port} " ]]; then
msg_warning "ATTENTION : Votre port SSH ($current_ssh_port) n'est pas inclus !" msg_warning "ATTENTION : Votre port SSH ($current_ssh_port) n'est pas inclus !"
read -p "L'ajouter ? (O/n) : " add_ssh read -rp "L'ajouter ? (O/n) : " add_ssh
[[ "$add_ssh" != "n" ]] && ports_to_allow+=("$current_ssh_port") [[ "$add_ssh" != "n" ]] && ports_to_allow+=("$current_ssh_port")
fi fi
@ -634,8 +641,27 @@ EOF"
msg_success "MSMTP configuré. Test d'envoi recommandé : echo 'Test' | mail -s 'Test sujet' ton@mail.com" msg_success "MSMTP configuré. Test d'envoi recommandé : echo 'Test' | mail -s 'Test sujet' ton@mail.com"
} }
do_deb_sys_cert_install_ca_server(){
local full_command="${WELCOME_SCRIPT_PATH}/ca_server_renew.sh"
msg_info "Renouvellement du certificat"
eval "$full_command"
msg_info "Ajout du renouvellement automatique du certificat"
update_cron_marker "$CONFIG_DEB_INSTALL_DEFAULT_CA_CRON" "0 0 1 * * $full_command >> /var/log/cert-renew.log 2>&1"
msg_success "Opération terminée"
}
do_deb_sys_cert_install(){ do_deb_sys_cert_install(){
# cas du server CA
if [ "$(hostname)" = "$CONFIG_DEB_INSTALL_DEFAULT_CA_SERVER" ] || [ "$(hostname -f)" = "$CONFIG_DEB_INSTALL_DEFAULT_CA_SERVER" ]; then
msg_warning "server CA détecté, mise en place d'un renew spécifique..."
do_deb_sys_cert_install_ca_server
return 0
fi
local ca_ip wildcard_domain ca_url ca_fingerprint base_domain marker root_crt input_ip step_path \ local ca_ip wildcard_domain ca_url ca_fingerprint base_domain marker root_crt input_ip step_path \
system_target inter_target cert_group load_state unit svc_user current_group \ system_target inter_target cert_group load_state unit svc_user current_group \
cert_dir cert_crt cert_key cert_key cert_pfx pfx_cmd pfx_input step_bin renew_cmd restart_cmd="" \ cert_dir cert_crt cert_key cert_key cert_pfx pfx_cmd pfx_input step_bin renew_cmd restart_cmd="" \

4
script/ca_server_renew.sh Normal file
View File

@ -0,0 +1,4 @@
systemctl stop step-ca
step certificate create "Frogg.home CA Intermediate CA" /var/lib/step-ca/.step/certs/intermediate_ca.crt /var/lib/step-ca/.step/secrets/intermediate_ca_key --profile intermediate-ca --ca /var/lib/step-ca/.step/certs/root_ca.crt --ca-key /var/lib/step-ca/.step/secrets/root_ca_key --not-after 87600h --ca-password-file /var/lib/step-ca/.step/password.txt --password-file /var/lib/step-ca/.step/password.txt --force
chown -R step:step /var/lib/step-ca/
systemctl start step-ca