openvpn, sudo, telegraf

2024-09-06 16:54:50 +02:00 · 2024-09-06 16:54:50 +02:00 · 455173bca9
commit 455173bca9
parent d692bd63e6
6 changed files with 369 additions and 0 deletions
--- a/hamstercage.yaml
+++ b/hamstercage.yaml
@ -50,3 +50,28 @@ tags:
        mode: 0o755
        owner: root
        type: file
+      /usr/local/etc/openvpn/openvpn_zs64.conf:
+        group: wheel
+        mode: 0o644
+        owner: root
+        type: file
+      /usr/local/etc/openvpn/vvmau.gruenkohl.org.cert:
+        group: wheel
+        mode: 0o644
+        owner: root
+        type: file
+      /usr/local/etc/openvpn/vvmau.gruenkohl.org.key:
+        group: wheel
+        mode: 0o644
+        owner: root
+        type: file
+      /usr/local/etc/sudoers:
+        group: wheel
+        mode: 0o440
+        owner: root
+        type: file
+      /usr/local/etc/telegraf.conf:
+        group: wheel
+        mode: 0o644
+        owner: root
+        type: file
--- a/tags/router.au/usr/local/etc/openvpn/openvpn_zs64.conf
+++ b/tags/router.au/usr/local/etc/openvpn/openvpn_zs64.conf
@ -0,0 +1,35 @@
+#
+# Verbindung zu zs64
+#
+
+client
+verify-x509-name CN=openvpn.zs64.net
+
+dev tun1
+
+remote openvpn.zs64.net 1194
+nobind
+
+ca	cryptonomicore-ca-cert.pem
+dh	dh1024.pem
+
+cert	/usr/local/etc/openvpn/vvmau.gruenkohl.org.cert
+key		/usr/local/etc/openvpn/vvmau.gruenkohl.org.key
+
+comp-lzo no
+
+log-append /var/log/openvpn_zs64.log
+#script-security 3
+#ifconfig-noexec
+#up /usr/local/etc/openvpn/openvpn_zs64.up
+
+
+verb	3
+status	/var/run/openvpn_zs64.status
+management /var/run/openvpn_zs64.sock unix
+management-client-user root
+management-client-group wheel
+
+#fragment    1400
+#mssfix 
+#comp-lzo yes
--- a/tags/router.au/usr/local/etc/openvpn/vvmau.gruenkohl.org.cert
+++ b/tags/router.au/usr/local/etc/openvpn/vvmau.gruenkohl.org.cert
@ -0,0 +1,84 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 192 (0xc0)
+    Signature Algorithm: sha1WithRSAEncryption
+        Issuer: C=DE, L=Hamburg, O=cryptonomicore.net, CN=Cryptonomicore CA/emailAddress=ca@cryptonomicore.net
+        Validity
+            Not Before: Mar 23 20:42:21 2021 GMT
+            Not After : Apr 16 20:42:21 2026 GMT
+        Subject: CN=vvmau.gruenkohl.org
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:c3:38:69:4f:9d:22:f5:2d:e5:f9:41:35:d3:93:
+                    90:08:d7:4d:ab:67:95:19:12:87:af:b7:fd:16:d7:
+                    99:34:ad:c6:44:ec:ad:09:86:e5:2b:a3:76:38:f3:
+                    93:c3:ca:32:ef:c4:64:f5:32:a5:3f:5a:b0:7d:66:
+                    da:ff:d2:95:f5:37:a2:9e:b9:33:16:0c:48:fa:85:
+                    4d:89:be:cc:0f:e1:86:38:b2:42:34:37:34:0e:18:
+                    10:f2:dd:e0:0e:b9:55:b4:50:95:cb:13:ad:58:fb:
+                    c0:0b:7f:82:f6:4e:f3:c9:ac:83:48:00:e2:6e:9a:
+                    db:b4:b5:4d:30:15:5e:22:9b:16:e3:e4:36:e1:5b:
+                    08:0d:3a:d9:6b:03:0d:0d:03:e2:20:5f:c8:19:eb:
+                    97:47:95:ea:e9:6f:83:6f:71:ba:21:2c:2f:11:b4:
+                    fc:a2:93:c4:b3:0f:f5:24:57:b5:56:4b:e6:2b:19:
+                    ed:47:bd:f0:43:bd:75:09:f2:ee:4a:24:ac:22:cb:
+                    f1:3d:08:e8:52:46:76:53:2d:ea:e0:9a:51:c4:d0:
+                    21:c1:3e:fd:b8:ac:2c:f6:44:6d:6c:c6:c8:71:1b:
+                    05:96:f5:c9:9b:6b:a3:1d:86:4c:b6:1a:e1:1b:25:
+                    5b:08:0e:23:d5:61:f3:ba:70:56:9f:27:7a:a4:a4:
+                    6d:73
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            X509v3 Subject Key Identifier: 
+                29:F1:E5:BD:A4:2A:67:57:02:3F:2E:90:65:34:44:38:D4:11:D0:23
+            X509v3 Authority Key Identifier: 
+                DirName:/C=DE/L=Hamburg/O=cryptonomicore.net/CN=Cryptonomicore CA/emailAddress=ca@cryptonomicore.net
+                serial:56
+
+            Netscape CA Revocation Url: 
+                https://www.cryptonomicore.net/ca-crl.pem
+    Signature Algorithm: sha1WithRSAEncryption
+         46:2f:47:fa:24:ad:17:8f:c8:fd:b1:09:91:ef:95:2a:e7:58:
+         d0:c3:93:72:ea:11:25:66:b3:da:49:25:3a:0d:99:96:fd:9c:
+         eb:ea:13:b3:c7:03:ff:05:c3:45:0c:64:a6:9a:e5:7a:89:9d:
+         d7:54:58:0a:9a:f8:c1:43:37:1f:9b:a6:58:fb:32:7d:f6:8b:
+         68:ee:99:6c:78:a1:31:b3:cb:b9:3b:11:37:92:5f:86:ff:49:
+         89:75:ce:51:07:24:66:64:d7:b9:d8:4b:72:fa:32:a8:62:67:
+         69:b5:94:54:b7:c1:b3:91:e1:54:0a:79:26:01:0a:a6:2b:a8:
+         13:f9:95:6a:24:f8:94:07:ad:8d:93:c7:2b:33:ba:69:fe:d6:
+         0c:13:da:a8:4b:bc:60:f3:32:cb:73:14:cd:4c:12:71:04:e4:
+         c1:30:d0:1c:e2:e5:df:07:a8:eb:66:39:d5:c3:a6:b5:ff:7d:
+         93:a5:a2:81:bb:74:5b:f4:0e:e6:97:39:51:b3:1e:f2:9b:ba:
+         5b:3e:a4:df:3e:17:c6:ad:12:c6:b4:3b:4b:a0:47:41:5b:ba:
+         4c:0c:65:1e:04:d8:d3:34:14:86:9f:f4:e8:cf:dd:bf:23:a5:
+         10:ab:3e:e4:ae:81:f7:e3:ca:71:de:d2:47:2c:d4:4f:b6:e3:
+         4f:c6:8f:f9
+-----BEGIN CERTIFICATE-----
+MIIEFzCCAv+gAwIBAgICAMAwDQYJKoZIhvcNAQEFBQAwfjELMAkGA1UEBhMCREUx
+EDAOBgNVBAcMB0hhbWJ1cmcxGzAZBgNVBAoMEmNyeXB0b25vbWljb3JlLm5ldDEa
+MBgGA1UEAwwRQ3J5cHRvbm9taWNvcmUgQ0ExJDAiBgkqhkiG9w0BCQEWFWNhQGNy
+eXB0b25vbWljb3JlLm5ldDAeFw0yMTAzMjMyMDQyMjFaFw0yNjA0MTYyMDQyMjFa
+MB4xHDAaBgNVBAMTE3Z2bWF1LmdydWVua29obC5vcmcwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQDDOGlPnSL1LeX5QTXTk5AI102rZ5UZEoevt/0W15k0
+rcZE7K0JhuUro3Y485PDyjLvxGT1MqU/WrB9Ztr/0pX1N6KeuTMWDEj6hU2JvswP
+4YY4skI0NzQOGBDy3eAOuVW0UJXLE61Y+8ALf4L2TvPJrINIAOJumtu0tU0wFV4i
+mxbj5DbhWwgNOtlrAw0NA+IgX8gZ65dHlerpb4NvcbohLC8RtPyik8SzD/UkV7VW
+S+YrGe1HvfBDvXUJ8u5KJKwiy/E9COhSRnZTLergmlHE0CHBPv24rCz2RG1sxshx
+GwWW9cmba6Mdhky2GuEbJVsIDiPVYfO6cFafJ3qkpG1zAgMBAAGjgf4wgfswCQYD
+VR0TBAIwADAdBgNVHQ4EFgQUKfHlvaQqZ1cCPy6QZTREONQR0CMwgZQGA1UdIwSB
+jDCBiaGBg6SBgDB+MQswCQYDVQQGEwJERTEQMA4GA1UEBwwHSGFtYnVyZzEbMBkG
+A1UECgwSY3J5cHRvbm9taWNvcmUubmV0MRowGAYDVQQDDBFDcnlwdG9ub21pY29y
+ZSBDQTEkMCIGCSqGSIb3DQEJARYVY2FAY3J5cHRvbm9taWNvcmUubmV0ggFWMDgG
+CWCGSAGG+EIBBAQrFilodHRwczovL3d3dy5jcnlwdG9ub21pY29yZS5uZXQvY2Et
+Y3JsLnBlbTANBgkqhkiG9w0BAQUFAAOCAQEARi9H+iStF4/I/bEJke+VKudY0MOT
+cuoRJWaz2kklOg2Zlv2c6+oTs8cD/wXDRQxkpprleomd11RYCpr4wUM3H5umWPsy
+ffaLaO6ZbHihMbPLuTsRN5Jfhv9JiXXOUQckZmTXudhLcvoyqGJnabWUVLfBs5Hh
+VAp5JgEKpiuoE/mVaiT4lAetjZPHKzO6af7WDBPaqEu8YPMyy3MUzUwScQTkwTDQ
+HOLl3weo62Y51cOmtf99k6Wigbt0W/QO5pc5UbMe8pu6Wz6k3z4Xxq0SxrQ7S6BH
+QVu6TAxlHgTY0zQUhp/06M/dvyOlEKs+5K6B9+PKcd7SRyzUT7bjT8aP+Q==
+-----END CERTIFICATE-----
--- a/tags/router.au/usr/local/etc/openvpn/vvmau.gruenkohl.org.key
+++ b/tags/router.au/usr/local/etc/openvpn/vvmau.gruenkohl.org.key
@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDDOGlPnSL1LeX5
+QTXTk5AI102rZ5UZEoevt/0W15k0rcZE7K0JhuUro3Y485PDyjLvxGT1MqU/WrB9
+Ztr/0pX1N6KeuTMWDEj6hU2JvswP4YY4skI0NzQOGBDy3eAOuVW0UJXLE61Y+8AL
+f4L2TvPJrINIAOJumtu0tU0wFV4imxbj5DbhWwgNOtlrAw0NA+IgX8gZ65dHlerp
+b4NvcbohLC8RtPyik8SzD/UkV7VWS+YrGe1HvfBDvXUJ8u5KJKwiy/E9COhSRnZT
+LergmlHE0CHBPv24rCz2RG1sxshxGwWW9cmba6Mdhky2GuEbJVsIDiPVYfO6cFaf
+J3qkpG1zAgMBAAECggEBAJ5vdeiLGwfozC/SYKDprYe/VOW7FyJWC5DsvZaAO3Kp
+ZbQicPy+YddcvmHSLSZFP7mfpl/pTntwWrQreakNe26cTHqMy40lQ0UuUpNsKajp
+20jAQ0KlWrXlijvRHjpU592DWU6LFbCWAHJUdjD4Opp+S71wGlSxkYXDbnWLoe5q
+ijx0X9QOamo8sfphiVbbb+EYOGYA9bk+fr7WaVSl9ZYKAxKkNUOUYVC83JKBBXCp
+TjwREd7Vk/UCBvTOxiaj10kTCsmONpFyVowasfhFFvljPy+g7UJLB7WX3maBsbC2
+XPvnKUrDXxYumDV/4k+7rDE49oXQ9I2Fffwwt/8FDWECgYEA/LcJL+JJ6jQ5JD84
+tEqejhE5l56RJBdomoHKG5sbg2YPyhsX5nIgabCp5cD9OUi5oYA2lHAjH1TriEeP
+ITNa4tocM+dtrbFAkoQghDxITOKh2kK4LHZAg0zRvVl4etaJcljhjFOC1/mBM0we
+dw/EAU1f4EdRULZOyjpq9NP4bUUCgYEAxcIMsoO0nalhX0VhGEftWmQDeFJDFCqr
+dM4LXaY/8nseHyuF2XLiCJp7jw3iVInyxFLyOElooXt8+6+DnHhA/P3cNqQrvMb8
+CFuDKITnpyGgTxDdMu5TDGegOEteW9bKQ/gdasPkW0bDNLG9Tjn7HssKLSakrUQK
+FQA5vWXzT1cCgYBMPfxrkd2y5uaGZPx6iDilq9SwRYqMVPOeCaIsCfOXBOemld30
+DGJzAHWBd2PuMF6wtrnAtsQh48DbcJth7NhysFLp5dxVFrDggzQ8MOOvLoCeFJrz
+7wkvk7GDasbKaIc3FFGXwGotNn0gOMrIKN19dxaB14JU02uZ3139VyYP8QKBgQC8
+G6g+Sh+M9OglWnZQRWLV31qZog4iabAr7C5Nh20+drQhTCIGxEuTiXbMjZVjetCM
+xKWYuuMm77LkKYCUXqLaw5Mr+p+L8u8b+Ahbi4hapxa4/r6Zyq7+lreFtNNtonNF
+kgZRX0KhPD9EqWj7txVSpino5uAv3A+HCG7j5M07AwKBgDG2z+3yok5S8dSb1nc2
+/n8ik0Bvs/lXG160B2HeCDrXF/InnN3AwMzYSSjjXkGVJYn4ThREoT7mflciA78s
+ywvWMPFskBolxtCU6nZgO1UmmsX6q6XTmT/z9DbXxjPFIv4Pb0GJ6OryCGb71Vjv
+ii7C7PD75gE0UMBjTxDq5BhU
+-----END PRIVATE KEY-----
--- a/tags/router.au/usr/local/etc/sudoers
+++ b/tags/router.au/usr/local/etc/sudoers
@ -0,0 +1,110 @@
+## sudoers file.
+##
+## This file MUST be edited with the 'visudo' command as root.
+## Failure to use 'visudo' may result in syntax or file permission errors
+## that prevent sudo from running.
+##
+## See the sudoers man page for the details on how to write a sudoers file.
+##
+
+##
+## Host alias specification
+##
+## Groups of machines. These may include host names (optionally with wildcards),
+## IP addresses, network numbers or netgroups.
+# Host_Alias	WEBSERVERS = www1, www2, www3
+
+##
+## User alias specification
+##
+## Groups of users.  These may consist of user names, uids, Unix groups,
+## or netgroups.
+# User_Alias	ADMINS = millert, dowdy, mikef
+
+##
+## Cmnd alias specification
+##
+## Groups of commands.  Often used to group related commands together.
+# Cmnd_Alias	PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \
+# 			    /usr/bin/pkill, /usr/bin/top
+# Cmnd_Alias	REBOOT = /sbin/halt, /sbin/reboot, /sbin/poweroff
+
+##
+## Defaults specification
+##
+## Uncomment if needed to preserve environmental variables related to the
+## FreeBSD pkg utility and fetch.
+# Defaults     env_keep += "PKG_CACHEDIR PKG_DBDIR FTP_PASSIVE_MODE"
+##
+## Additionally uncomment if needed to preserve environmental variables
+## related to portupgrade
+# Defaults     env_keep += "PORTSDIR PORTS_INDEX PORTS_DBDIR PACKAGES PKGTOOLS_CONF"
+##
+## You may wish to keep some of the following environment variables
+## when running commands via sudo.
+##
+## Locale settings
+# Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET"
+##
+## Run X applications through sudo; HOME is used to find the
+## .Xauthority file.  Note that other programs use HOME to find   
+## configuration files and this may lead to privilege escalation!
+# Defaults env_keep += "HOME"
+##
+## X11 resource path settings
+# Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH"
+##
+## Desktop path settings
+# Defaults env_keep += "QTDIR KDEDIR"
+##
+## Allow sudo-run commands to inherit the callers' ConsoleKit session
+# Defaults env_keep += "XDG_SESSION_COOKIE"
+##
+## Uncomment to enable special input methods.  Care should be taken as
+## this may allow users to subvert the command being run via sudo.
+# Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER"
+##
+## Uncomment to use a hard-coded PATH instead of the user's to find commands
+# Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+##
+## Uncomment to send mail if the user does not enter the correct password.
+# Defaults mail_badpass
+##
+## Uncomment to enable logging of a command's output, except for
+## sudoreplay and reboot.  Use sudoreplay to play back logged sessions.
+# Defaults log_output
+# Defaults!/usr/bin/sudoreplay !log_output
+# Defaults!/usr/local/bin/sudoreplay !log_output
+# Defaults!REBOOT !log_output
+
+##
+## Runas alias specification
+##
+
+##
+## User privilege specification
+##
+root ALL=(ALL) ALL
+
+## Uncomment to allow members of group wheel to execute any command
+# %wheel ALL=(ALL) ALL
+
+## Same thing without a password
+%wheel ALL=(ALL) NOPASSWD: ALL
+
+## Uncomment to allow members of group sudo to execute any command
+# %sudo	ALL=(ALL) ALL
+%sudo ALL=(ALL) NOPASSWD: ALL
+
+## Uncomment to allow any user to run sudo if they know the password
+## of the user they are running the command as (root by default).
+# Defaults targetpw  # Ask for the password of the target user
+# ALL ALL=(ALL) ALL  # WARNING: only use this together with 'Defaults targetpw'
+
+## Uncomment to show on password prompt which users' password is being expected
+# Defaults passprompt="%p's password:"
+
+## Read drop-in files from /usr/local/etc/sudoers.d
+## (the '#' here does not indicate a comment)
+#includedir /usr/local/etc/sudoers.d
+Defaults    env_keep += "SSH_AUTH_SOCK"
--- a/tags/router.au/usr/local/etc/telegraf.conf
+++ b/tags/router.au/usr/local/etc/telegraf.conf
@ -0,0 +1,87 @@
+[global_tags]
+  location = "Aumuehle"
+
+[agent]
+  hostname = "router.lokschuppen-aumuehle.de"
+  interval = "10s"
+  round_interval = true
+  metric_batch_size = 1000
+  metric_buffer_limit = 10000
+  collection_jitter = "0s"
+  flush_interval = "10s"
+  flush_jitter = "0s"
+  precision = ""
+  # debug = false
+  # quiet = false
+  logtarget = "file"
+  logfile_rotation_interval = "0d"
+  logfile_rotation_max_size = "100MB"
+  logfile_rotation_max_archives = 5
+
+
+[[outputs.influxdb]]
+  urls = ["https://influxdb.vvm-museumsbahn.de"]
+  database = "telegraf"
+  username = "telegraf"
+  password = "ub74odVuK9QiiLHk7rhA"
+
+
+[[inputs.cpu]]
+  percpu = true
+  totalcpu = true
+  collect_cpu_time = false
+  report_active = false
+
+
+[[inputs.disk]]
+  mount_points = ["/"]
+  ignore_fs = ["tmpfs", "devfs", "fdescfs", "procfs"]
+
+
+# Read metrics about memory usage
+[[inputs.mem]]
+  # no configuration
+
+
+# Get the number of processes and group them by status
+[[inputs.processes]]
+  # no configuration
+
+
+# Read metrics about swap memory usage
+[[inputs.swap]]
+  # no configuration
+
+
+# Read metrics about system load & uptime
+[[inputs.system]]
+  ## Uncomment to remove deprecated metrics.
+  # fielddrop = ["uptime_format"]
+
+
+[[inputs.dns_query]]
+  servers = ["127.0.0.1", "8.8.8.8"]
+  domains = ["www.vvm-museumsbahn.de"]
+
+
+[[inputs.net]]
+  interfaces = ["ng0", "tun1", "igb0"]
+
+
+[[inputs.snmp]]
+  agents = [ "udp://192.168.1.1:161" ]
+  version = 2
+  community = "public"
+
+  [[inputs.snmp.field]]
+  oid = "RFC1213-MIB::sysName.0"
+  name = "source"
+  is_tag = true
+
+[[inputs.snmp.field]]
+  oid = "ADSL-LINE-MIB::adslAtucChanCurrTxRate.4"
+  name = "rx"
+
+[[inputs.snmp.field]]
+  oid = "ADSL-LINE-MIB::adslAturChanCurrTxRate.4"
+  name = "tx"