Commit Diff


commit - 9ebfb5e615e046e105b4a994818b4a6896d3fcd9
commit + 01821ff87709982ced29ae14421aa20462469797
blob - /dev/null
blob + 7dea3fead9e73b828bf13255998d7a8fd0a65644 (mode 644)
--- /dev/null
+++ wiki.d/Acme-client.AutoRenew
@@ -0,0 +1,25 @@
+version=pmwiki-2.2.130 ordered=1 urlencoded=1
+agent=Mozilla/5.0 (Windows NT 10.0; WOW64; x64; rv:109.0) Gecko/20000101 Firefox/109.0/SyFVX0YNsjDfti0
+author=rahl
+charset=UTF-8
+csum=mini disclaimer
+ctime=1656190137
+host=102.114.210.144
+name=Acme-client.AutoRenew
+rev=3
+targets=
+text=(:title Automating acme-client Renewal:)%0a%0a@@$ man acme-client@@ provides a nice simple crontab entry for common usage.%0a%0aThe following is for a mail server running @@dovecot@@ and no @@httpd@@. Though it's somewhat specific, it should be trivial to alter the script for one's own needs.%0a%0a%0a!! Shell script%0a%0aAs the use-case is not entirely trivial, we opted for a shell script. The output as it stands is fairly verbose, but again, this would be easy to tweak.%0aThis script is perhaps a little over-engineered and is open to improvement. It attempts to only do the necessary work and exit cleanly upon any error.%0a%0aCreate and edit @@/usr/local/bin/renew_cert@@ (or a filename of your choice - just remember to edit any later commands/files as necessary).%0aThe only essential change is to set @@%3cyour.domain>@@ appropriately.%0a%0a[@%0a#!/bin/ksh%0a%0a# Renew LetsEncrypt certificate(s) for the mail server domain(s)%0a# Returns%0a#   0: Success%0a#   1: Certificate up to date%0a#   2: Error%0a%0a# Print message to stdout or stderr%0a# Messages for stdout are marked [INFO], stderr are marked [ERROR]%0a# Expects%0a#   $1: 1|2 (stdout|stderr)%0a#   $2: Message text%0a# Silently fails if called badly%0aprint_msg() {%0a        if [ $# -ne 2 ]; then%0a                return%0a        fi%0a        if [ $1 == "stdout" ]; then%0a                outfd=1%0a                tag="[INFO]"%0a        elif [ $1 == "stderr" ]; then%0a                outfd=2%0a                tag="[ERROR]"%0a        else%0a                return%0a        fi%0a        msg=$2%0a        echo "${tag} ${msg}" >&$outfd%0a}%0a%0a# We need http server for acme-client to communicate with LetsEncrypt%0arcctl check httpd%0ahttpd_check=$?%0a%0a# Only start httpd if it's not already running%0aif [ $httpd_check -eq 1 ]; then%0a        print_msg stdout "Starting httpd"%0a        rcctl -f start httpd%0a        if [ $? 
-ne 0 ]; then%0a                print_msg stderr "Failed to start httpd"%0a                exit 2%0a        fi%0afi%0a%0a# Attempt to renew certificate%0aprint_msg "Renewing mail server certificate"%0aacme-client %3cyour.domain>%0aacme_check=$?%0a%0a# Only stop httpd if it was not already running%0aif [ $httpd_check -eq 1 ]; then%0a        print_msg stdout "Stopping httpd"%0a        rcctl stop httpd%0afi%0a%0aif [ $acme_check -eq 2 ]; then%0a        print_msg stdout "Certificate up to date"%0a        exit 1%0aelif [ $acme_check -eq 1 ]; then%0a        print_msg stderr "Failed to renew certificate"%0a        exit 2%0afi%0a%0aprint_msg stdout "Successfully renewed certificate"%0a%0a# Serve the new certificate%0aprint_msg stdout "Reloading dovecot"%0arcctl reload dovecot%0aif [ $? -gt 0 ]; then%0a        print_msg stderr "Failed to reload dovecot"%0a        exit 2%0afi%0a@]%0a%0a!!! Permissions%0a%0a@@#chmod 700 /usr/local/bin/renew_cert@@%0a%0a%0a!! cronjob%0a%0aLetsEncrypt will allow certificate renewal if the expiry is within 30 days. We us a simple cronjob to run our script fortnightly.%0a%0aOutput is piped to @@logger@@ to be written to the system log.%0a%0aWith your favourite text-editor (@@vim@@), create or append to @@/etc/weekly.local@@:%0a%0a[@%0atest 1 -eq $(($(date +\%25g) & 1)) && renew_cert | logger -t "[acme renewal]"%0a@]%0a%0aThe use of @@test@@ is because running this once every two weeks should be more than enough. The technique was found [[https://unix.stackexchange.com/a/197411 | here]] and seems reasonable.%0a%0aBy default @@logger@@ will likely output to @@/var/log/messages@@, but this can be confirmed by checking your @@/etc/syslog.conf@@.%0aYou may also direct @@logger@@ to output elsewhere; see @@-p@@ in @@$man logger@@.
+time=1656190620
+title=Automating acme-client Renewal
+author:1656190620=rahl
+csum:1656190620=mini disclaimer
+diff:1656190620:1656190237:minor=11d10%0a%3c This script is perhaps a little over-engineered and is open to improvement. It attempts to only do the necessary work and exit cleanly upon any error.%0a
+host:1656190620=102.114.210.144
+author:1656190237=rahl
+csum:1656190237=Fix formatting
+diff:1656190237:1656190137:minor=5c5%0a%3c The following is for a mail server running @@dovecot@@ and no @@httpd@@. Though it's somewhat specific, it should be trivial to alter the script for one's own needs.%0a---%0a> The following is for a mail server running `dovecot` and no @@httpd@@. Though it's somewhat specific, it should be trivial to alter the script for one's own needs.%0a
+host:1656190237=102.114.210.144
+author:1656190137=rahl
+csum:1656190137=Initial writeup
+diff:1656190137:1656190137:=1,111d0%0a%3c (:title Automating acme-client Renewal:)%0a%3c %0a%3c @@$ man acme-client@@ provides a nice simple crontab entry for common usage.%0a%3c %0a%3c The following is for a mail server running `dovecot` and no @@httpd@@. Though it's somewhat specific, it should be trivial to alter the script for one's own needs.%0a%3c %0a%3c %0a%3c !! Shell script%0a%3c %0a%3c As the use-case is not entirely trivial, we opted for a shell script. The output as it stands is fairly verbose, but again, this would be easy to tweak.%0a%3c %0a%3c Create and edit @@/usr/local/bin/renew_cert@@ (or a filename of your choice - just remember to edit any later commands/files as necessary).%0a%3c The only essential change is to set @@%3cyour.domain>@@ appropriately.%0a%3c %0a%3c [@%0a%3c #!/bin/ksh%0a%3c %0a%3c # Renew LetsEncrypt certificate(s) for the mail server domain(s)%0a%3c # Returns%0a%3c #   0: Success%0a%3c #   1: Certificate up to date%0a%3c #   2: Error%0a%3c %0a%3c # Print message to stdout or stderr%0a%3c # Messages for stdout are marked [INFO], stderr are marked [ERROR]%0a%3c # Expects%0a%3c #   $1: 1|2 (stdout|stderr)%0a%3c #   $2: Message text%0a%3c # Silently fails if called badly%0a%3c print_msg() {%0a%3c         if [ $# -ne 2 ]; then%0a%3c                 return%0a%3c         fi%0a%3c         if [ $1 == "stdout" ]; then%0a%3c                 outfd=1%0a%3c                 tag="[INFO]"%0a%3c         elif [ $1 == "stderr" ]; then%0a%3c                 outfd=2%0a%3c                 tag="[ERROR]"%0a%3c         else%0a%3c                 return%0a%3c         fi%0a%3c         msg=$2%0a%3c         echo "${tag} ${msg}" >&$outfd%0a%3c }%0a%3c %0a%3c # We need http server for acme-client to communicate with LetsEncrypt%0a%3c rcctl check httpd%0a%3c httpd_check=$?%0a%3c %0a%3c # Only start httpd if it's not already running%0a%3c if [ $httpd_check -eq 1 ]; then%0a%3c         print_msg stdout "Starting httpd"%0a%3c         rcctl -f start httpd%0a%3c     
    if [ $? -ne 0 ]; then%0a%3c                 print_msg stderr "Failed to start httpd"%0a%3c                 exit 2%0a%3c         fi%0a%3c fi%0a%3c %0a%3c # Attempt to renew certificate%0a%3c print_msg "Renewing mail server certificate"%0a%3c acme-client %3cyour.domain>%0a%3c acme_check=$?%0a%3c %0a%3c # Only stop httpd if it was not already running%0a%3c if [ $httpd_check -eq 1 ]; then%0a%3c         print_msg stdout "Stopping httpd"%0a%3c         rcctl stop httpd%0a%3c fi%0a%3c %0a%3c if [ $acme_check -eq 2 ]; then%0a%3c         print_msg stdout "Certificate up to date"%0a%3c         exit 1%0a%3c elif [ $acme_check -eq 1 ]; then%0a%3c         print_msg stderr "Failed to renew certificate"%0a%3c         exit 2%0a%3c fi%0a%3c %0a%3c print_msg stdout "Successfully renewed certificate"%0a%3c %0a%3c # Serve the new certificate%0a%3c print_msg stdout "Reloading dovecot"%0a%3c rcctl reload dovecot%0a%3c if [ $? -gt 0 ]; then%0a%3c         print_msg stderr "Failed to reload dovecot"%0a%3c         exit 2%0a%3c fi%0a%3c @]%0a%3c %0a%3c !!! Permissions%0a%3c %0a%3c @@#chmod 700 /usr/local/bin/renew_cert@@%0a%3c %0a%3c %0a%3c !! cronjob%0a%3c %0a%3c LetsEncrypt will allow certificate renewal if the expiry is within 30 days. We us a simple cronjob to run our script fortnightly.%0a%3c %0a%3c Output is piped to @@logger@@ to be written to the system log.%0a%3c %0a%3c With your favourite text-editor (@@vim@@), create or append to @@/etc/weekly.local@@:%0a%3c %0a%3c [@%0a%3c test 1 -eq $(($(date +\%25g) & 1)) && renew_cert | logger -t "[acme renewal]"%0a%3c @]%0a%3c %0a%3c The use of @@test@@ is because running this once every two weeks should be more than enough. 
The technique was found [[https://unix.stackexchange.com/a/197411 | here]] and seems reasonable.%0a%3c %0a%3c By default @@logger@@ will likely output to @@/var/log/messages@@, but this can be confirmed by checking your @@/etc/syslog.conf@@.%0a%3c You may also direct @@logger@@ to output elsewhere; see @@-p@@ in @@$man logger@@.%0a\ No newline at end of file%0a
+host:1656190137=102.114.210.144
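Review bot: the fortnightly gate in the cronjob section, `test 1 -eq $(($(date +\%g) & 1))`, keys off `%g`, which strftime(3) defines as the two-digit ISO 8601 week-based year, not the week number, so the job fires every week in odd-numbered years and never in even-numbered ones (2022, when this page was written, included). Use `%V` (ISO week number) for the intended cadence, e.g. `test 1 -eq $(($(date +\%V) & 1)) && renew_cert | logger -t "[acme renewal]"`; `%V` is zero-padded, so if the shell running /etc/weekly.local treats a leading 0 as octal, write `10#$(date +\%V)` inside the arithmetic. Two problems in the script itself: `print_msg "Renewing mail server certificate"` passes a single argument, and `print_msg` silently returns unless `$# -ne 2` is false, so that line logs nothing (prefix `stdout`, and fix the header comment `$1: 1|2 (stdout|stderr)`, which documents a numeric form the function does not accept). And because `renew_cert | logger` captures only stdout, every `[ERROR]` message written with `>&2` bypasses syslog and ends up in the weekly(8) report mail instead; add `2>&1` before the pipe if, as the text says, the output is meant to reach the system log. Also `rcctl check httpd` prints `httpd(ok)` or `httpd(failed)` to stdout, which becomes the first line of every logger entry; send it to /dev/null if that is not wanted. Typo in the cronjob paragraph: "We us" should be "We use".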
blob - fc1803d378688d4cc84ecc30c9b356dfb65c3650
blob + 5cadab5b03291e18ec0c8c8c701b5098389bafb3
--- wiki.d/SiteAdmin.Blocklist-MoinMaster
+++ wiki.d/SiteAdmin.Blocklist-MoinMaster
@@ -1,10 +1,10 @@
 version=pmwiki-2.2.130 ordered=1 urlencoded=1
-agent=w3m/0.5.3+git20210102
+agent=Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
 charset=UTF-8
 ctime=1596101899
-host=38.87.162.154
+host=2607:fb91:223:4864:efe0:f2cb:f281:853
 name=SiteAdmin.Blocklist-MoinMaster
 passwdread=@lock
-rev=492
+rev=493
 text=%0a  [@%0a## blocklist-note:   NOTE: This page is automatically generated by blocklist.php%0a## blocklist-note:   NOTE: Any edits to this page may be lost!%0a## blocklist-url:    http://moinmo.in/BadContent?action=raw%0a## blocklist-when:   2020-07-30T09:38:19%0a#  blocklist-format: regex%0a#### Unable to download blocklist (allow_url_fopen=)%0a  @]%0a
-time=1656135781
+time=1656259889
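Review bot: this hunk changes only metadata (agent, host, rev 492 to 493, time) while `text=` is byte-identical and still reads `blocklist-when: 2020-07-30` followed by `#### Unable to download blocklist (allow_url_fopen=)`, so blocklist.php has been regenerating an empty blocklist and bumping the revision on every run for about two years, and the MoinMaster anti-spam list has not been in effect for any of that time. Either enable allow_url_fopen (or switch the fetch to a method that works without it) so the list actually refreshes, or disable this blocklist source so the repository stops accumulating no-op commits. Separately, `blocklist-url: http://moinmo.in/BadContent?action=raw` fetches a regex list over cleartext and applies it to every edit, which is a tampering vector; use https. Note also that each auto-generated revision records the triggering visitor's address in `host=` (here a full IPv6 address) and commits it to history.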
blob - /dev/null
blob + 60645ecdd67c25a1d3fbc95a68e4c4e31a9a6681 (mode 644)
--- /dev/null
+++ wiki.d/Unbound.Blacklists
@@ -0,0 +1,19 @@
+version=pmwiki-2.2.130 ordered=1 urlencoded=1
+agent=w3m/0.5.3+git20210102
+author=jrmu
+charset=UTF-8
+csum=
+ctime=1656136903
+host=38.87.162.154
+name=Unbound.Blacklists
+rev=2
+targets=
+text=(:title DNS Blacklists:)%0a%0aTo block unwanted traffic, unbound can be configured to blacklist domains.%0a%0aInside /var/unbound/etc/unbound.conf, insert these directives:%0a%0a[@%0alocal-zone: "www.domain.com" static%0a@]%0a%0aYou can obtain a list of domains to block using [[https://github.com/StevenBlack/hosts|StevenBlack's hosts]] files. I used the [[https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/gambling-porn/hosts|unified hosts + porn + gambling]] filter to block unwanted content.%0a%0a[@%0a$ ftp https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/gambling-porn/hosts%0a@]%0a%0aWe need to reformat this hosts file:%0a%0a[@%0a$ awk '!/^ *#/ && NF' hosts > newhosts # taken from stevenblack's list%0a$ sed 's/0\.0\.0\.0 \([^#]*\).*$/local-zone: "\1" static/' newhosts > newhosts2%0a$ sed 's/  "/"/' newhosts2 > newhosts3%0a@]%0a%0aManually check for malformed entries, then put this into /var/unbound/etc/unbound.conf.%0a%0aNote: You may consider using blacklists from here:%0a%0ahttps://dsi.ut-capitole.fr/blacklists/index_en.php%0ahttps://github.com/4skinSkywalker/anti-porn-hosts-file/blob/master/HOSTS.txt%0ahttps://mirror1.malwaredomains.com/files/justdomains https://blocklist.site/app/dl/piracy https://blocklist.site/app/dl/torrent https://mirror1.malwaredomains.com/files/justdomains https://github.com/mmotti/pihole-regex/blob/master/regex.list https://blocklist.site/app/dl/porn%0a%0aThe following networks should be banned for copyright infringement:%0a%0airc.p2p-network.net%0airc.gazellegames.net%0airc.nzbs.in%0a
+time=1656136928
+title=DNS Blacklists
+author:1656136928=jrmu
+diff:1656136928:1656136903:=28d27%0a%3c %0a
+host:1656136928=38.87.162.154
+author:1656136903=jrmu
+diff:1656136903:1656136903:=1,36d0%0a%3c (:title DNS Blacklists:)%0a%3c %0a%3c To block unwanted traffic, unbound can be configured to blacklist domains.%0a%3c %0a%3c Inside /var/unbound/etc/unbound.conf, insert these directives:%0a%3c %0a%3c [@%0a%3c local-zone: "www.domain.com" static%0a%3c @]%0a%3c %0a%3c You can obtain a list of domains to block using [[https://github.com/StevenBlack/hosts|StevenBlack's hosts]] files. I used the [[https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/gambling-porn/hosts|unified hosts + porn + gambling]] filter to block unwanted content.%0a%3c %0a%3c [@%0a%3c $ ftp https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/gambling-porn/hosts%0a%3c @]%0a%3c %0a%3c We need to reformat this hosts file:%0a%3c %0a%3c [@%0a%3c $ awk '!/^ *#/ && NF' hosts > newhosts # taken from stevenblack's list%0a%3c $ sed 's/0\.0\.0\.0 \([^#]*\).*$/local-zone: "\1" static/' newhosts > newhosts2%0a%3c $ sed 's/  "/"/' newhosts2 > newhosts3%0a%3c @]%0a%3c %0a%3c Manually check for malformed entries, then put this into /var/unbound/etc/unbound.conf.%0a%3c %0a%3c Note: You may consider using blacklists from here:%0a%3c https://dsi.ut-capitole.fr/blacklists/index_en.php%0a%3c https://github.com/4skinSkywalker/anti-porn-hosts-file/blob/master/HOSTS.txt%0a%3c https://mirror1.malwaredomains.com/files/justdomains https://blocklist.site/app/dl/piracy https://blocklist.site/app/dl/torrent https://mirror1.malwaredomains.com/files/justdomains https://github.com/mmotti/pihole-regex/blob/master/regex.list https://blocklist.site/app/dl/porn%0a%3c %0a%3c The following networks should be banned for copyright infringement:%0a%3c %0a%3c irc.p2p-network.net%0a%3c irc.gazellegames.net%0a%3c irc.nzbs.in%0a
+host:1656136903=38.87.162.154
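Review bot: the conversion pipeline in the text (`awk '!/^ *#/ && NF' hosts`, then `sed 's/0\.0\.0\.0 \([^#]*\).*$/local-zone: "\1" static/'`, then `sed 's/  "/"/'`) leaves every non-`0.0.0.0` line from the hosts header (`127.0.0.1 localhost`, `::1 localhost`, `255.255.255.255 broadcasthost` and similar) untouched, so they are copied verbatim into unbound.conf and unbound will refuse to load the file; if the list carries the usual `0.0.0.0 0.0.0.0` self-entry it also emits `local-zone: "0.0.0.0" static`, and the final sed repairs only a two-space gap before the closing quote, not a single trailing space. One awk pass avoids all three: `awk '$1 == "0.0.0.0" && $2 != "0.0.0.0" { printf "local-zone: \"%s\" static\n", $2 }' hosts > blocklist.conf`. Rather than pasting tens of thousands of lines into /var/unbound/etc/unbound.conf, keep them in that separate file, pull it in from the `server:` clause with `include: "/var/unbound/etc/blocklist.conf"`, and run `unbound-checkconf` before `rcctl reload unbound`, since a single malformed line takes the resolver down. The list is fetched with `ftp https://...` and installed with no check beyond "manually check for malformed entries", which turns a third-party hosts file straight into resolver policy; pin the upstream commit or diff each download against the previous one before installing it. Minor: `https://mirror1.malwaredomains.com/files/justdomains` appears twice in the alternatives paragraph, and the github.com `/blob/` links point at HTML pages rather than raw files.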