RedXen/Containers
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add DANE automated cert records

Browse Source
This commit is contained in:
Alex D. 2025-02-08 16:28:49 +00:00
parent f6d42dc437
commit 02a6ad7165
Signed by: caskd
GPG Key ID: F92BA85F61F4C173
6 changed files with 90 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
redxen.eu/config.mk
View File

@ -34,8 +34,14 @@ redxen.eu/daemons/nsd/${BUILD_ID_OUT}: %/${BUILD_ID_OUT} : \
redxen.eu/data/dns/zone/${BUILD_ID_OUT}: %/${BUILD_ID_OUT} : \ redxen.eu/data/dns/zone/${BUILD_ID_OUT}: %/${BUILD_ID_OUT} : \
%/redxen.eu \ %/redxen.eu \
%/internal \ %/internal \
redxen.eu/data/dns/dnssec/${BUILD_ID_OUT} \ redxen.eu/data/opendkim/${BUILD_ID_OUT} \
redxen.eu/data/opendkim/${BUILD_ID_OUT} redxen.eu/data/dns/dane/${BUILD_ID_OUT} \
redxen.eu/data/dns/dnssec/${BUILD_ID_OUT}
redxen.eu/data/dns/dane/${BUILD_ID_OUT}: %/${BUILD_ID_OUT} : \
%/recordlist \
%/gen-record.sh \
redxen.eu/data/pki/letsencrypt/${BUILD_ID_OUT}
# Certificates # Certificates
redxen.eu/data/pki/self/client/dovecot/${BUILD_ID_OUT}: %/${BUILD_ID_OUT} : \ redxen.eu/data/pki/self/client/dovecot/${BUILD_ID_OUT}: %/${BUILD_ID_OUT} : \

16
redxen.eu/data/dns/dane/Containerfile Normal file
View File

@ -0,0 +1,16 @@
FROM alpine AS preparer
RUN --network=host apk add cmd:xxd cmd:openssl
WORKDIR /root
ADD recordlist recordlist
ADD gen-record.sh gen-record.sh
RUN chmod +x ./gen-record.sh
RUN \
--mount=type=bind,from=redxen.eu/data/pki/letsencrypt:latest,src=/,dst=/letsencrypt \
< ./recordlist ./gen-record.sh /letsencrypt/cert.cer | tee ./records
FROM scratch
COPY --from=preparer /root/records /redxen.eu

15
redxen.eu/data/dns/dane/gen-record.sh Normal file
View File

@ -0,0 +1,15 @@
#!/bin/sh
set -e
CERT="$1"
grep -v '^#' | \
grep -v '^\s*$' | \
while read -r RECORD; do
SHA256="$(openssl x509 -in "$1" -pubkey -noout | \
openssl pkey -pubin -outform der | \
openssl dgst -sha256 -binary | \
xxd -p -u -c 32)"
echo "$RECORD TLSA 3 1 1 $SHA256"
done

42
redxen.eu/data/dns/dane/recordlist Normal file
View File

@ -0,0 +1,42 @@
#
# HAProxy
#
_443._tcp
_443._tcp.stats
_443._tcp.git
_443._tcp.sd
_443._tcp.seed
_443._tcp.packages
_443._tcp.cal
_443._tcp.wssproxy
##
## SMTP (legacy/well-known with StartTLS)
##
#_25._tcp.mail
#_25._tcp.smtp
#
##
## SMTP (TLS only)
##
#_465._tcp.mail
#_465._tcp.smtp
#
##
## SMTP (StartTLS, non-legacy)
##
#_587._tcp.mail
#_587._tcp.smtp
#
##
## IMAP (legacy)
##
#_143._tcp.mail
#_143._tcp.imap
#
##
## IMAP (TLS)
##
#_993._tcp.mail
#_993._tcp.imap

5
redxen.eu/data/dns/zone/Containerfile
View File

@ -24,6 +24,11 @@ RUN \
--mount=type=bind,from=redxen.eu/data/opendkim:latest,src=/redxen.eu,dst=/tmp/opendkim/redxen.eu \ --mount=type=bind,from=redxen.eu/data/opendkim:latest,src=/redxen.eu,dst=/tmp/opendkim/redxen.eu \
cat /tmp/opendkim/redxen.eu/*.txt | tee -a /tmp/zones/redxen.eu cat /tmp/opendkim/redxen.eu/*.txt | tee -a /tmp/zones/redxen.eu
# Add DANE records to zone
RUN \
--mount=type=bind,from=redxen.eu/data/dns/dane:latest,src=/,dst=/tmp/dane/ \
cat /tmp/dane/redxen.eu | tee -a /tmp/zones/redxen.eu
# Sign zone # Sign zone
RUN \ RUN \
--mount=type=bind,from=redxen.eu/data/dns/dnssec:latest,src=/redxen.eu,dst=/tmp/keys/redxen.eu \ --mount=type=bind,from=redxen.eu/data/dns/dnssec:latest,src=/redxen.eu,dst=/tmp/keys/redxen.eu \

5
redxen.eu/data/pki/letsencrypt/Containerfile
View File

@ -21,13 +21,16 @@ RUN --network=host acme.sh \
--stateless \ --stateless \
-d 'redxen.eu' \ -d 'redxen.eu' \
-d 'stats.redxen.eu' \ -d 'stats.redxen.eu' \
-d 'social.redxen.eu' \
-d 'git.redxen.eu' \ -d 'git.redxen.eu' \
-d 'sd.redxen.eu' \ -d 'sd.redxen.eu' \
-d 'seed.redxen.eu' \ -d 'seed.redxen.eu' \
-d 'packages.redxen.eu' \ -d 'packages.redxen.eu' \
-d 'cal.redxen.eu' \ -d 'cal.redxen.eu' \
-d 'wssproxy.redxen.eu' -d 'wssproxy.redxen.eu'
# TODO: Route these via HAProxy to allow easy cert gen
# -d 'mail.redxen.eu' \
# -d 'smtp.redxen.eu' \
# -d 'imap.redxen.eu' \
FROM scratch FROM scratch