Commit e3a255f3 authored by Paul Cammish

Merge branch 'buster-testing' into 'buster'

Buster testing -> Buster

Closes #265 and #261

See merge request !134
parents de08711f 9879e754
......@@ -16,7 +16,7 @@ SRCLIST=(/etc /root /srv /home /usr/local /var/mail /var/lib /var/spool/cron /va
# Exclude mysql binary dirs, as these are dumped to /var/backups/mysql before
# the backup. Also exclude php5 session files.
#
SKIPCOND=(-path "*.nobackup*" -o -name "*.o" -o '(' -path '/var/lib/mysql' -o -path '/var/lib/php5' ')' -prune )
SKIPCOND=(-path "*.nobackup*" -o -name "*.o" -o '(' -path '/var/lib/mysql' -o -path '/var/lib/php' -o -path '/var/lib/docker' ')' -prune )
##################################################
# Destination
......
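Review bot: The comment above SKIPCOND still reads "Also exclude php5 session files" and says nothing about docker, while the new prune list is `/var/lib/php` and `/var/lib/docker`, so the rationale no longer matches the patterns. Replace it with `# Also exclude PHP session files and the docker data root (/var/lib/docker), which holds image layers, container filesystems and named volumes.` The docker exclusion is right for image layers, but it also drops named volumes under /var/lib/docker/volumes, so anything persistent that lives in a volume needs its own backup path; that caveat belongs next to the pattern, e.g. `# NOTE: docker volumes are not backed up by this list.`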
# Modified/updated driver from default backup2l.conf file, which doesn't
# raise warnings from tar. Note that this also don't update the access
# time, which is useful.
# The following driver is equivalent to the built-in DRIVER_TAR_GZ driver, but
# does not change the access times of the original files during backup
# (Adrian Bunk, Gundolf Kiefer)
DRIVER_TAR_GZ ()
{
case $1 in
-test)
require_tools tar
echo "ok"
;;
-suffix)
echo "tar.gz"
;;
-create) # Arguments: $2 = BID, $3 = archive file name, $4 = file list file
tar czf $3 --no-recursion -T $4 --atime-preserve 2>&1 \
| grep -v 'tar: Removing leading .* from .* names'
;;
-toc) # Arguments: $2 = BID, $3 = archive file name
tar tzf $3 | sed 's#^#/#'
;;
esac
}
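Review bot: In the `-create` branch the exit status of the pipeline is grep's, not tar's, so a tar failure is reported as success unless the sourcing shell runs with pipefail, and `grep -v` exits 1 in the normal case where it filters out every line; the archive and list names `$3`/`$4` are also unquoted. If backup2l inspects the driver's status (not visible from here), keep tar's code and quote the paths: `tar czf "$3" --no-recursion -T "$4" --atime-preserve 2>&1 \`, `| { grep -v 'tar: Removing leading .* from .* names' || true; }`, then `return "${PIPESTATUS[0]}"`. The two header comments above the function say the same thing twice; keep the second, which credits the origin, and drop the first.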
#!/bin/bash
if [ $EUID != 0 ]; then
echo "Sorry, backups must be run as root. Run \`sudo backup2l -b\` to take a backup."
exit 1
fi
sympl-backup (10.0.190908.0) stable; urgency=medium
* Added backup2l driver to prevent warnings from tar.
-- Paul Cammish <sympl@kelduum.net> Sun, 08 Sep 2019 16:24:00 +0100
sympl-backup (10.0.190731.0) stable; urgency=medium
* Force backups to be run as root.
* Update backup paths.
* Don't back up /var/lib/docker.
-- Paul Cammish <sympl@kelduum.net> Wed, 31 Jul 2019 19:38:00 +0100
sympl-backup (10.0.190621.0) stable; urgency=medium
* Created Sympl v10.0 (Debian Buster)
......
sympl-core (10.0.190908.0) stable; urgency=medium
* Set default threshold for LE cert renewal to 30 days.
-- Paul Cammish <sympl@kelduum.net> Sun, 08 Sep 2019 12:03:00 +0100
sympl-core (10.0.190816.0) stable; urgency=medium
* Adds detection of NAT64 environments for sympl-ssl wrapper.
-- Paul Cammish <sympl@kelduum.net> Fri, 16 Aug 2019 18:11:00 +0100
sympl-core (10.0.190729.0) stable; urgency=medium
* Copy root users authorized_keys to Sympl user on first install.
......
......@@ -14,7 +14,7 @@ Depends: lsb-base (>= 3.0-6),
ruby | ruby-interpreter, ruby-json-jwt, ruby-password, ruby-diffy,
ruby-erubis, ruby-mocha, ruby-webmock, ruby-test-unit, ruby-faraday,
python, python-apt, gnutls-bin, gcc, libpam-tmpdir, wbritish | wordlist,
libpam-cracklib, dnsutils, ${misc:Depends}
libpam-cracklib, dnsutils, libc-bin, ${misc:Depends}
Recommends: sympl-backup, sympl-cron, sympl-mail, sympl-firewall,
sympl-ftp, sympl-web, sympl-monit, sympl-mysql, sympl-phpmyadmin,
sympl-dns, sympl-webmail, sympl-updater,
......
#!/bin/bash -e
# Workaround rapper script for sympl-ssl to fix a bug in IPv6 only resolution of the LE API DNS.
# Workaround wrapper script for sympl-ssl to fix a bug in IPv6 only resolution of the LE API DNS.
# If theres no IPv4 address assigned...
if [ $( sympl-ip -a | grep -c '\.' ) == 0 ]; then
if [ $( sympl-ip -a | grep -c '\.' ) == 0 ] || [ $( getent hosts ipv4only.arpa | grep -c ':' ) != 0 ] ; then
if [[ $@ == *'--verbose'* ]]; then echo 'Applying IPv6 only workaround...'; fi
# Do a DNS lookup for acme-v01.api.letsencrypt.org...
......
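Review bot: The new `getent hosts ipv4only.arpa | grep -c ':'` test on the changed `if` line has no comment saying what it detects, and the mechanism is not obvious from the code: ipv4only.arpa is published with A records only, so an AAAA answer means a DNS64 resolver is synthesising addresses, i.e. the host is behind NAT64 (RFC 7050). Add `# Treat the host as IPv6-only if it has no IPv4 address, or if the resolver returns a synthesised AAAA for ipv4only.arpa (RFC 7050 NAT64 detection).` Since `getent hosts` returns whatever the configured resolver answers, the decision trusts the local resolver; that is acceptable for choosing a workaround but worth stating. The `if` body continues past the hunk.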
......@@ -12,7 +12,7 @@
# --force Re-generate certificates, and roll over to the new set even
# if they're not due to be renewed. Implies --verbose.
#
# --threshold days Number of days before expiry that certificates should be renewed. Defaults to 21.
# --threshold days Number of days before expiry that certificates should be renewed. Defaults to 30.
#
# --select set Select a specific set for a single domain. A domain must be specified.
#
......@@ -99,7 +99,7 @@ $DEBUG = false
prefix = '/srv'
do_list = do_generate = do_rollover = nil
rollover_to = nil
threshold = 21
threshold = 30
etc_dir = '/etc'
opts.each do |opt,arg|
......
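Review bot: The default renewal threshold now has to be kept in step in two places, the usage comment (`Defaults to 30.`) and `threshold = 30` in the option setup, and this commit had to touch both. Define it once, e.g. `DEFAULT_THRESHOLD = 30` next to `$DEBUG = false`, use `threshold = DEFAULT_THRESHOLD`, and interpolate it into the usage text if that text is emitted from a string rather than only kept as a header comment. Both hunks sit inside a larger block whose start and end are outside this view.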
sympl-firewall (10.0.190816.0) stable; urgency=medium
* Removed incrond, re-instated old triggers.
-- Paul Cammish <sympl@kelduum.net> Sun, 08 Sep 2019 17:51:00 +0100
sympl-firewall (10.0.190816.0) stable; urgency=medium
* Fixed warning from nftables.
-- Paul Cammish <sympl@kelduum.net> Fri, 16 Aug 2019 12:29:00 +0100
sympl-firewall (10.0.190718.0) stable; urgency=medium
* Updated sympl-firewall-whitelist to more sane defaults.
......
......@@ -9,7 +9,7 @@ XS-Ruby-Versions: all
Package: sympl-firewall
Architecture: any
Depends: iptables, ruby, sympl-core (>= 9.0.190611.0), libruby, ruby-sqlite3, incron, ${shlibs:Depends}, ${misc:Depends}
Depends: iptables, ruby, sympl-core (>= 9.0.190611.0), libruby, ruby-sqlite3, ${shlibs:Depends}, ${misc:Depends}
Replaces: symbiosis-firewall
Provides: symbiosis-firewall
Conflicts: symbiosis-firewall
......@@ -17,7 +17,3 @@ Description: Sympl firewall generator
This package contains a firewall generator which makes it simple to restrict
the incoming and outgoing connections a machine is permitted to accept or
initiate.
.
The firewall also allows the user to restrict the abilities of the
www-data user which will ensure that any PHP, or website, compromises
do not propagate.
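Review bot: The sympl-firewall changelog in this same merge reuses version 10.0.190816.0 for the entry dated 08 Sep 2019 that records the incron removal, so the package built from this control file carries the same version as the 16 Aug upload and apt will not see it as an upgrade; give that entry a fresh version (the other packages use a 10.0.190908.0-style stamp for that day). Dropping incron from Depends is consistent with the postinst and .install changes in the merge.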
......@@ -3,8 +3,6 @@ patterns.d etc/sympl/firewall
rule.d usr/share/sympl/firewall
action.d usr/share/sympl/firewall
test.d etc/sympl
incron.d etc/
monit.d/* usr/share/sympl/monit/checks/
incoming.d etc/sympl/firewall
outgoing.d etc/sympl/firewall
local.d etc/sympl/firewall
......
......@@ -16,23 +16,21 @@ PREFIX=/etc/sympl/firewall
chown -R sympl:sympl $PREFIX
# Temp compatibility fix for nftables changes.
update-alternatives --set iptables /usr/sbin/iptables-legacy
update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
#DEBHELPER#
#
# Add symlinks for the monit script
monit_dir="/etc/sympl/monit.d"
mkdir -p "$monit_dir"
for i in incrond; do
monit_script="/usr/share/sympl/monit/checks/$i"
link_target="$monit_dir/$i"
if [ -x "$monit_script" ] && [ ! -e "$link_target" ]; then
echo "I: Adding symlink for Sympl Monit script for $i"
ln -s "$monit_script" "$link_target" || true
fi
done
# Remove old incrond support
if [ -f /etc/incron.d/sympl-firewall ]; then
rm /etc/incron.d/sympl-firewall
fi
if [ -L /etc/sympl/monit.d/incrond ]; then
rm /etc/sympl/monit.d/incrond
fi
if [ -f /usr/share/sympl/monit/checks/incrond ]; then
rm /etc/incron.d/sympl-firewall
fi
exit 0
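Review bot: The last cleanup block tests `/usr/share/sympl/monit/checks/incrond` but then removes `/etc/incron.d/sympl-firewall` again, a copy of the first block, so the monit check script is never deleted; the line should be `rm /usr/share/sympl/monit/checks/incrond`. As that file was shipped by this package via `monit.d/*` in the .install file, dpkg should remove it on upgrade anyway, so the block is likely redundant, but as written it is wrong. The two `update-alternatives --set` calls above are unchecked and no `set -e` is visible in this hunk, so a failure to switch to the legacy backends would be silent; check their status or mark the best-effort intent with an explicit `|| true`.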
/etc/sympl/firewall/incoming.d IN_NO_LOOP,IN_CREATE,IN_DELETE,IN_MOVE,IN_CLOSE_WRITE,IN_ONLYDIR /usr/sbin/sympl-firewall -s 5 load
/etc/sympl/firewall/outgoing.d IN_NO_LOOP,IN_CREATE,IN_DELETE,IN_MOVE,IN_CLOSE_WRITE,IN_ONLYDIR /usr/sbin/sympl-firewall -s 5 load
/etc/sympl/firewall/whitelist.d IN_NO_LOOP,IN_CREATE,IN_DELETE,IN_MOVE,IN_CLOSE_WRITE,IN_ONLYDIR /usr/sbin/sympl-firewall -s 5 reload-whitelist
/etc/sympl/firewall/blacklist.d IN_NO_LOOP,IN_CREATE,IN_DELETE,IN_MOVE,IN_CLOSE_WRITE,IN_ONLYDIR /usr/sbin/sympl-firewall -s 5 reload-blacklist
/etc/sympl/firewall/local.d IN_NO_LOOP,IN_CREATE,IN_DELETE,IN_MOVE,IN_CLOSE_WRITE,IN_ONLYDIR,IN_ATTRIB /usr/sbin/sympl-firewall -s 5 load
#!/usr/bin/ruby
#
require 'symbiosis/monitor/check'
# ensure that Incrond is running
class IncrondCheck < Symbiosis::Monitor::Check
def initialize
super pid_file: '/var/run/incrond.pid',
init_script: '/etc/init.d/incron',
unit_name: 'incron',
process_name: 'incrond'
end
end
exit IncrondCheck.new.do_check if $PROGRAM_NAME == __FILE__
......@@ -320,5 +320,15 @@ end
puts "Expiring done - removed #{expired} file(s)" if ( $VERBOSELOCAL )
#
# Updating the firewall is now done by the inotify cronjob
#
# Re-generate the blacklist chain
#
if ( updated || expired > 0 || force )
cmd = %w(/usr/sbin/sympl-firewall)
cmd << "--verbose" if $VERBOSELOCAL
cmd << "--no-execute" unless execute
cmd << "--no-delete" unless delete
cmd += ["--prefix", base_dir]
cmd << "reload-blacklist"
puts "Running #{cmd.join(" ")}" if $VERBOSELOCAL
exec(*cmd)
end
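Review bot: The comment kept just above the new block, `# Updating the firewall is now done by the inotify cronjob`, is now false, because the block execs `/usr/sbin/sympl-firewall ... reload-blacklist` directly; delete it or replace it with `# Reload the blacklist chain directly (inotify/incron triggering has been removed).` The same stale comment survives in the sympl-firewall-whitelist hunk in this merge. `exec(*cmd)` replaces the process, so nothing after the block runs when the condition holds; that looks intended for a script tail, but the file continues past the hunk so please confirm. The two scripts also log differently (`Running` vs `Executing`); pick one wording. Passing the command as an array keeps `base_dir` out of a shell, which is the right call.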
......@@ -335,6 +335,15 @@ end
puts "Expiring done - removed #{expired} file(s)" if ( $VERBOSELOCAL )
#
# Updating the firewall is now done by the inotify cronjob.
#
# Re-generate the whitelist chain
#
if ( updated || expired > 0 || force )
cmd = %w(/usr/sbin/sympl-firewall)
cmd << "--verbose" if $VERBOSELOCAL
cmd << "--no-execute" unless execute
cmd << "--no-delete" unless delete
cmd += ["--prefix", base_dir]
cmd << "reload-whitelist"
puts "Executing #{cmd.join(" ")}" if $VERBOSELOCAL
exec(*cmd)
end
sympl-mail (10.0.190917.0) stable; urgency=medium
* Adds full chain to Dovecot SNI, needed by some clients.
-- Paul Cammish <sympl@kelduum.net> Tue, 17 Sep 2019 12:57:15 +0100
sympl-mail (10.0.190708.0) stable; urgency=medium
* Re-enable Dovecot SNI
......
......@@ -24,7 +24,7 @@ fi
for certificate in $( find -L /srv -mindepth 5 -maxdepth 5 -name 'ssl.crt' -path '*/config/ssl/current/*' -print ); do
certpath="$( echo $certificate | sed 's|/config/ssl/current/.*$|/config/ssl/current|' )"
# Ensure there is a matching key file, and the path doesnt include an underscore
if [ -f "${certpath}/ssl.key" ] && [ -f "${certpath}/ssl.bundle" ] && [ "$certpath" != "*_*" ] ; then
if [ -f "${certpath}/ssl.key" ] && [ -f "${certpath}/ssl.combined" ] && [ "$certpath" != "*_*" ] ; then
# Go through the certs, listing all the domains, and filter them, one cert per domain.
openssl x509 -noout -text -in "$certificate" \
| grep 'Subject: CN\|DNS:' \
......@@ -40,8 +40,7 @@ echo "# Auto generated SNI configuration by sympl-mail-dovecot-sni." > /dev/shm/
cat /dev/shm/sympl-mail-dovecot-sni.data | while read certpath certificate domain; do
echo "# Enable SNI for $domain"
echo "local_name $domain {"
echo " ssl_ca = <$certpath/ssl.bundle"
echo " ssl_cert = <$certificate"
echo " ssl_cert = <$certpath/ssl.combined"
echo " ssl_key = <$certpath/ssl.key"
echo "}"
echo
......@@ -68,4 +67,4 @@ fi
if [ -f /dev/shm/sympl-mail-dovecot-sni.data ]; then rm /dev/shm/sympl-mail-dovecot-sni.data; fi
exit 0
exit 0
\ No newline at end of file
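Review bot: `[ "$certpath" != "*_*" ]` on the changed `if` line compares against the literal three-character string `*_*`, not a glob, so the underscore exclusion the comment describes never fires (`[` does no pattern matching). Use `case "$certpath" in *_*) continue ;; esac` ahead of the test, or `[[ "$certpath" != *_* ]]` if the script is bash. Separately, the intermediate data goes through the fixed, world-writable path `/dev/shm/sympl-mail-dovecot-sni.data`, written with `>` and later read back to generate the Dovecot configuration; a local user who pre-creates that name can influence what is written to or read from it, so a `mktemp` file with a trap-based cleanup would be safer. Pointing `ssl_cert` at ssl.combined and dropping `ssl_ca` is correct for Dovecot, which expects the leaf plus chain in ssl_cert.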
......@@ -123,7 +123,7 @@ CONFIG_FILE=/etc/sympl-sqldump.config
MYSQL=$( which mysql 2> /dev/null )
MYSQLDUMP=$( which mysqldump 2> /dev/null )
MYSQL_DEFAULTS="$HOME/.my.cnf"
MYSQL_DEFAULTS="/home/sympl/.my.cnf"
MYSQL_SKIP_DB='information_schema performance_schema'
MYSQLDUMP_OPTIONS='--create-options --no-create-db --events --triggers --routines --dump-date --tz-utc'
......@@ -249,7 +249,7 @@ if [ "${#PARAMETERS}" -gt "0" ]; then
Common
--dir, -d <path> Override path to dump directory.
Will be created/chown'd/chmod'd to root user.
Will be created/chown'd/chmod'd to sympl user.
Defaults to $DUMP_DIR
--keep, -k <number> Number of dumps to keep before removing old copies.
Defaults to $KEEP_MAX_COPIES
......@@ -263,17 +263,17 @@ Executable paths
Authentication
--mysql-defaults Optional 'defaults-file' to use in debian.cnf
format. Defaults to ~/.my.cnf,
format. Defaults to $MYSQL_DEFAULTS,
/etc/mysqldump/sympl-sqldump.cnf and
/etc/mysqldump/debian.cnf in that order.
Must be secured to root user only.
Must be secured to root or sympl user only.
Other
--force Force a run even if currently locked.
--config <file> Specify a config file to override defaults.
Defaults to /etc/sympl-sqldump.conf if exists
and must be secured to root.
and must be secured to root user only.
--help This text.
"
......@@ -285,8 +285,8 @@ fi
#############################################################################
if [ $( id -u ) -ne 0 ]; then
_error This must be run as root.
_exit 256
echo "Error: This must be run as root"
exit 256
fi
......@@ -345,15 +345,15 @@ fi
## MariaDB can simply be used with 'mysql', others will need
## $HOME/.my.cnf, /etc/mysql/sympl-sqldump.cnf or /etc/mysql/debian.cnf
## Use credentials from (in order) $HOME/.my.cnf, /etc/mysql/sympl-sqldump.cnf,
## Use credentials from (in order) $HOME/.my.cnf, /etc/mysql/sympl-sqldump.cnf,
## /etc/mysql/debian.cnf or the normal MySQL methods available to root.
# look for /etc/mysql directory (won't exist on centos)
if [ -d /etc/mysql ]; then
if [ -f "$MYSQL_DEFAULTS" ]; then
if [ "$( find "$MYSQL_DEFAULTS" -user $(whoami) -perm 0600 | wc -l )" == "1" ]; then
_debug Secure $HOME/.my.cnf found.
AUTH="--defaults-file=$HOME/.my.cnf"
if [ "$( find "$MYSQL_DEFAULTS" -user sympl -perm 0600 | wc -l )" == "1" ]; then
_debug Secure $MYSQL_DEFAULTS found.
AUTH="--defaults-file=$MYSQL_DEFAULTS"
fi
elif [ -f /etc/mysql/sympl-sqldump.cnf ]; then
if [ "$( find /etc/mysql/sympl-sqldump.cnf -user root -perm 0600 | wc -l )" == "1" ]; then
......@@ -418,9 +418,9 @@ if [ ! -d "$DUMP_DIR/." ]; then
mkdir -p $DUMP_DIR
_verbose "Created dump target directory $DUMP_DIR"
fi
if [ $( find $DUMP_DIR -maxdepth 0 -user root -perm 700 | wc -l ) -ne 1 ]; then
chown 0:0 "$DUMP_DIR/."
chmod 700 "$DUMP_DIR/."
if [ $( find $DUMP_DIR -maxdepth 0 -user sympl -group sympl -perm 770 | wc -l ) -ne 1 ]; then
chown sympl:sympl "$DUMP_DIR/."
chmod 770 "$DUMP_DIR/."
_verbose "Adjusted permissions for $DUMP_DIR"
fi
......@@ -444,8 +444,8 @@ for DATABASE in ${MYSQL_TO_DUMP}; do
else
_debug 'Creating dummy file and setting permissions'
touch $DUMP_FILENAME
chown 0:0 $DUMP_FILENAME
chmod 600 $DUMP_FILENAME
chown sympl:sympl $DUMP_FILENAME
chmod 660 $DUMP_FILENAME
## determine dump type
### MyISAM tables need to be locked, InnoDB tables don't, and use different dump types
......
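Review bot: `exit 256` in the new non-root branch yields exit status 0 (the shell reports the status modulo 256), so cron or a wrapper running sympl-sqldump as the wrong user sees success even though nothing was dumped; use `exit 1`. The dump directory and files are now `sympl:sympl` with 770/660, which makes every dump readable and writable by all members of the sympl group rather than just the sympl user; if group write is not needed, 750/640 keeps group read while preventing a group member from altering the dumps. Note also that `-perm 770` is an exact-mode match, so a directory that is already stricter (say 750) fails the test and is loosened to 770 on every run; if the exact mode is intended, say so in a comment, otherwise test for the minimum bits with `-perm -770`.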
sympl-mysql (10.0.190731.0) stable; urgency=medium
* Updated sympl-sqldump to use sympl user fully
-- Paul Cammish <sympl@kelduum.net> Wed, 31 Jul 2019 20:25:00 +0100
sympl-mysql (10.0.190621.0) stable; urgency=medium
* Created Sympl v10.0 (Debian Buster)
......