Kapisi/roles/SSL/templates/record-generation.bash.j2

#!/bin/bash

ttl=86400

externalip="$(curl -s ident.me)"

for domain in {{ hosted_domains }} {{ external_domain }}; do

    echo

     # NS/MX/A -- basic orientation to the world for names, mail, and address
     cat <<EOM
\$ORIGIN ${domain}.
@       $ttl   IN      SOA     ns51.cloudns.net. support.cloudns.net. 2024040128 7200 1800 1209600 86400
@       $ttl   IN      NS      ns51.cloudns.net.
@       $ttl   IN      NS      ns52.cloudns.net.
@       $ttl   IN      NS      ns53.cloudns.net.
@       $ttl   IN      NS      ns54.cloudns.net.
@       $ttl   IN      MX      10 mailforward51.cloudns.net.
@       $ttl   IN      MX      10 mailforward52.cloudns.net.
@       $ttl   IN      A       ${externalip}
EOM

     # CAA -- who can issue certs for this domain
     # https://letsencrypt.org/docs/caa/
     echo 'CAA 128 issue "letsencrypt.org"'

     # TLSA -- TLS fingerprints for certs & chain
     for i in _443._tcp _6697._tcp; do
         printf "$i   $ttl IN ";
     openssl x509 -in /etc/letsencrypt/live/{{ sslidentity }}/chain.pem -noout -pubkey  2>/dev/null | openssl rsa -pubin -outform DER  2>/dev/null | openssl dgst -sha256 -hex 2>/dev/null | awk '{print "TLSA 2 1 1", $NF}'
         printf "$i   $ttl IN ";
     openssl x509 -in /etc/letsencrypt/live/{{ sslidentity }}/cert.pem -noout -pubkey 2>/dev/null | openssl rsa -pubin -outform DER 2>/dev/null  | openssl dgst -sha256 -hex 2>/dev/null | awk '{print "TLSA 3 1 1", $NF}'
     done

     # SSHFP -- SFTP/SSH fingerprints
     ssh-keygen -r '@ $ttl' | grep -E '4 2|1 2' # Only take RSA & Ed25519 keys

done

# CNAME -- Add CNAMES for various subdomains
for i in {{ external_subdomains }}; do
     printf "%-20s %-10s %-10s %-10s %s\n" "$i" "$ttl" IN CNAME {{ external_domain }}.
done
AniNIX/Wiki#21 -- effecting renames for policy 2024-04-01 00:44:23 -05:00			`#!/bin/bash`

			`ttl=86400`

			`externalip="$(curl -s ident.me)"`

			`for domain in {{ hosted_domains }} {{ external_domain }}; do`

			`echo`

			`# NS/MX/A -- basic orientation to the world for names, mail, and address`
			`cat <<EOM`
			`\$ORIGIN ${domain}.`
			`@ $ttl IN SOA ns51.cloudns.net. support.cloudns.net. 2024040128 7200 1800 1209600 86400`
			`@ $ttl IN NS ns51.cloudns.net.`
			`@ $ttl IN NS ns52.cloudns.net.`
			`@ $ttl IN NS ns53.cloudns.net.`
			`@ $ttl IN NS ns54.cloudns.net.`
			`@ $ttl IN MX 10 mailforward51.cloudns.net.`
			`@ $ttl IN MX 10 mailforward52.cloudns.net.`
			`@ $ttl IN A ${externalip}`
			`EOM`

			`# CAA -- who can issue certs for this domain`
			`# https://letsencrypt.org/docs/caa/`
			`echo 'CAA 128 issue "letsencrypt.org"'`

			`# TLSA -- TLS fingerprints for certs & chain`
			`for i in _443._tcp _6697._tcp; do`
			`printf "$i $ttl IN ";`
			`openssl x509 -in /etc/letsencrypt/live/{{ sslidentity }}/chain.pem -noout -pubkey 2>/dev/null \| openssl rsa -pubin -outform DER 2>/dev/null \| openssl dgst -sha256 -hex 2>/dev/null \| awk '{print "TLSA 2 1 1", $NF}'`
			`printf "$i $ttl IN ";`
			`openssl x509 -in /etc/letsencrypt/live/{{ sslidentity }}/cert.pem -noout -pubkey 2>/dev/null \| openssl rsa -pubin -outform DER 2>/dev/null \| openssl dgst -sha256 -hex 2>/dev/null \| awk '{print "TLSA 3 1 1", $NF}'`
			`done`

			`# SSHFP -- SFTP/SSH fingerprints`
			`ssh-keygen -r '@ $ttl' \| grep -E '4 2\|1 2' # Only take RSA & Ed25519 keys`

			`done`

			`# CNAME -- Add CNAMES for various subdomains`
			`for i in {{ external_subdomains }}; do`
			`printf "%-20s %-10s %-10s %-10s %s\n" "$i" "$ttl" IN CNAME {{ external_domain }}.`
			`done`