From 2b0289307e4ead6cc46c7dc7d97bfc754e073ded Mon Sep 17 00:00:00 2001 From: Christoph Date: Thu, 23 Apr 2020 19:45:32 +0200 Subject: [PATCH] Update installation documentation. --- README.install | 165 ++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 164 insertions(+), 1 deletion(-) diff --git a/README.install b/README.install index 56cd9d6..e66fb1d 100644 --- a/README.install +++ b/README.install @@ -175,7 +175,7 @@ echo "$FQND_HOSTNAME" > /var/lib/dehydrated/domains.txt # 10. Install cronjob to adjust certificates at directory '/etc/ssl' #--- -# Prepare cnfiguration file +# Prepare configuration file for check coTURN service # cp /root/bin/monitoring/conf/check_cert_for_service.conf.sample \ /root/bin/monitoring/conf/check_cert_for_service.conf 
@@ -265,6 +265,101 @@ crontab "$_crontab_tmp_file" rm -f "$_crontab_tmp_file" +# Prepare configuration file for check certificates for prosody service +# +cp /root/bin/monitoring/conf/check_cert_for_prosody.conf.sample \ + /root/bin/monitoring/conf/check_cert_for_prosody.conf + +# Prepare configuration file for 'service_name' +# +if ! $(grep -q -E "^\s*service_domain=\"${FQND_HOSTNAME}\"" /root/bin/monitoring/conf/check_cert_for_prosody.conf 2> /dev/null) ; then + perl -i -n -p -e "s/^(#service_domain.*)/#\1\nservice_domain=\"${FQND_HOSTNAME}\"/" \ + /root/bin/monitoring/conf/check_cert_for_prosody.conf +fi + +if ! $(grep -q -E "^\s*service_name=\"Prosody\"" /root/bin/monitoring/conf/check_cert_for_prosody.conf 2> /dev/null) ; then + perl -i -n -p -e "s/^(#service_name.*)/#\1\nservice_name=\"Prosody\"/" \ + /root/bin/monitoring/conf/check_cert_for_prosody.conf +fi + +# Prepare configuration file for 'check_string_ps' +# +if ! $(grep -q -E "^\s*check_string_ps=\"[[:digit:]]\\ lua[[:digit:]].[[:digit:]] /usr/bin/prosody\"" \ + /root/bin/monitoring/conf/check_cert_for_prosody.conf 2> /dev/null) ; then + perl -i -n -p -e "s/^(#check_string_ps.*)/#\1\ncheck_string_ps=\"[[:digit:]]\\\ lua[[:digit:]].[[:digit:]] \/usr\/bin\/prosody\"/" \ + /root/bin/monitoring/conf/check_cert_for_prosody.conf +fi + +# Prepare configuration file for 'service_user' +# +if ! $(grep -q -E "^\s*service_user=\"prosody\"" \ + /root/bin/monitoring/conf/check_cert_for_prosody.conf 2> /dev/null) ; then + perl -i -n -p -e "s/^(#service_user.*)/#\1\nservice_user=\"prosody\"/" \ + /root/bin/monitoring/conf/check_cert_for_prosody.conf +fi + +# Prepare configuration file for 'service_group' +# +if ! 
$(grep -q -E "^\s*service_group=\"prosody\"" \ + /root/bin/monitoring/conf/check_cert_for_prosody.conf 2> /dev/null) ; then + perl -i -n -p -e "s/^(#service_group.*)/#\1\nservice_group=\"prosody\"/" \ + /root/bin/monitoring/conf/check_cert_for_prosody.conf +fi + +# Prepare configuration file for 'cert_installed' +# +if ! $(grep -q -E "^\s*cert_installed=\"/etc/prosody/certs/${FQND_HOSTNAME}.crt\"" \ + /root/bin/monitoring/conf/check_cert_for_prosody.conf 2> /dev/null) ; then + perl -i -n -p -e "s/^(#cert_installed.*)/#\1\ncert_installed=\"\/etc\/prosody\/certs\/${FQND_HOSTNAME}.crt\"/" \ + /root/bin/monitoring/conf/check_cert_for_prosody.conf +fi + +# Prepare configuration file for 'key_installed' +# +if ! $(grep -q -E "^\s*key_installed=\"/etc/prosody/certs/${FQND_HOSTNAME}.key\"" \ + /root/bin/monitoring/conf/check_cert_for_prosody.conf 2> /dev/null) ; then + perl -i -n -p -e "s/^(#key_installed.*)/#\1\nkey_installed=\"\/etc\/prosody\/certs\/${FQND_HOSTNAME}.key\"/" \ + /root/bin/monitoring/conf/check_cert_for_prosody.conf +fi + +# Prepare configuration file for 'cert_newest' +# +if ! $(grep -q -E "^\s*cert_newest=\"/var/lib/dehydrated/certs/${FQND_HOSTNAME}/fullchain.pem\"" \ + /root/bin/monitoring/conf/check_cert_for_prosody.conf 2> /dev/null) ; then + perl -i -n -p -e \ + "s/^(#cert_newest.*)/#\1\ncert_newest=\"\\/var\/lib\/dehydrated\/certs\/${FQND_HOSTNAME}\/fullchain.pem\"/" \ + /root/bin/monitoring/conf/check_cert_for_prosody.conf +fi + +# Prepare configuration file for 'key_newest' +# +if ! 
$(grep -q -E "^\s*key_newest=\"/var/lib/dehydrated/certs/${FQND_HOSTNAME}/privkey.pem\"" \ + /root/bin/monitoring/conf/check_cert_for_prosody.conf 2> /dev/null) ; then + perl -i -n -p -e \ + "s/^(#key_newest.*)/#\1\nkey_newest=\"\\/var\/lib\/dehydrated\/certs\/${FQND_HOSTNAME}\/privkey.pem\"/" \ + /root/bin/monitoring/conf/check_cert_for_prosody.conf +fi + +# Initial +/root/bin/monitoring//check_cert_for_prosody.sh + +# Add Cronjob for checcking if certificate/key is up to date +# +_crontab_tmp_file=/tmp/crontab_root.$$ +crontab -l > "$_crontab_tmp_file" 2> /dev/null + +if ! $(grep -q "/root/bin/monitoring/check_cert_for_prosody.sh" "$_crontab_tmp_file" 2>/dev/null) ; then + cat <> "$_crontab_tmp_file" + +# - Check if cert(s) for prosody service are up-to-date +# - +13 05 * * * /root/bin/monitoring/check_cert_for_prosody.sh +EOF +fi +crontab "$_crontab_tmp_file" +rm -f "$_crontab_tmp_file" + + # --- # 11.) Configure Jitsi Meet # --- 
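Review bot: The root crontab is round-tripped through a predictable path, `_crontab_tmp_file=/tmp/crontab_root.$$`, in world-writable /tmp and then loaded back with `crontab "$_crontab_tmp_file"`, so a local user who guesses the PID can pre-create that name (or a symlink) and, depending on the kernel's protected_symlinks/protected_regular settings, influence what root's crontab becomes. Use an unpredictable file instead: `_crontab_tmp_file=$(mktemp /tmp/crontab_root.XXXXXX) || exit 1`. The same pattern already appears in this hunk's leading context for the coTURN cron job, so the fix belongs in both places. As a point of style, every `if ! $(grep -q …)` in the new monitoring section only works because a command line with no command name takes the exit status of its last command substitution (ShellCheck SC2091 flags this); `if ! grep -q …` expresses the same check directly and does not depend on that rule.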
@@ -323,6 +418,74 @@ EOF vim /etc/jitsi/meet/${FQND_HOSTNAME}-config.js +# --- +# 12.) Configure Prosody (avoid error message "portmanager error Error binding encrypted port for https.." +# --- + +# Edit file /etc/prosody/conf.d/${FQND_HOSTNAME}.cfg.lua +# +# after line (the location this is important) +# consider_bosh_secure = true; +# +# add the following lines: +# bosh_ports = { +# { +# port = 5280; +# path = "http-bind"; +# }, +# { +# port = 5281; +# path = "http-bind"; +# ssl = { +# certificate = "/etc/prosody/certs/${FQND_HOSTNAME}.crt"; +# key = "/etc/prosody/certs/${FQND_HOSTNAME}.key"; +# } +# } +# } +# +# http_ports = { 5280 } +# http_interfaces = { "localhost" } +# +# https_ports = { 5281 } +# https_interfaces = { "localhost" } +# +# https_ssl = { +# certificate = "/etc/prosody/certs/${FQND_HOSTNAME}.crt"; +# key = "/etc/prosody/certs/${FQND_HOSTNAME}.key"; +# } +# +cat <> /etc/prosody/conf.d/${FQND_HOSTNAME}.cfg.lua + +bosh_ports = { + { + port = 5280; + path = "http-bind"; + }, + { + port = 5281; + path = "http-bind"; + ssl = { + certificate = "/etc/prosody/certs/${FQND_HOSTNAME}.crt"; + key = "/etc/prosody/certs/${FQND_HOSTNAME}.key"; + } + } +} + +http_ports = { 5280 } +http_interfaces = { "localhost" } + +https_ports = { 5281 } +https_interfaces = { "localhost" } + +https_ssl = { + certificate = "/etc/prosody/certs/${FQND_HOSTNAME}.crt"; + key = "/etc/prosody/certs/${FQND_HOSTNAME}.key"; +} +EOF + +# +vim /etc/prosody/conf.d/${FQND_HOSTNAME}.cfg.lua + # =============================== # ssh-keygen -f "/home/chris/.ssh/known_hosts" -R "meet.oopen.de" # ssh-keygen -f "/home/chris/.ssh/known_hosts" -R ""159.69.74.155
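Review bot: The comment block states that the `bosh_ports`/`http_ports`/`https_*` settings must go directly after `consider_bosh_secure = true;` ("the location this is important"), yet the `cat … >> /etc/prosody/conf.d/${FQND_HOSTNAME}.cfg.lua` that follows appends them to the end of the file, where in Prosody's configuration they fall under whichever `VirtualHost`/`Component` section happens to be last rather than in the global section. The `vim` step afterwards is presumably meant to move them by hand, but the document should say so, e.g. `# NOTE: the block is appended at the end of the file; in the vim step below move it directly after 'consider_bosh_secure = true;'`. The append is also unguarded, unlike the grep-guarded edits in the monitoring section, so following the instructions twice duplicates the whole block; a guard such as `grep -q '^https_ports' /etc/prosody/conf.d/${FQND_HOSTNAME}.cfg.lua || cat <<EOF >> …` keeps it idempotent. Running `prosodyctl check config` after the edit (if the installed Prosody version provides it) would catch a misplaced block before the service is restarted.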