Several updates #4

* Improved offline install docs
* Migrated token mechanism backend to SQL
* Preliminary token mechanism frontend integration
* Add clock skew tolerance for OCSP
* Add 'ldap computer filter' support for Kerberized machine enroll
* Include OCSP and CRL URL-s in certificates, controlled by profile.conf
* Better certificate extension handling
* Place DH parameters file in /etc/ssl/dhparam.pem
* Always talk to CA over port 8443 for 'certidude enroll'
* Hardened frontend nginx config
* Separate log files for frontend nginx
* Better provisioning heuristics
* Add sample site.sh config for LEDE image builder
* Add more device profiles for LEDE image builder
* Various bugfixes and improvements

doc/builder/ap.sh

@@ -111,7 +111,7 @@ EOF
 make -C $BUILD/$BASENAME image FILES=$OVERLAY PROFILE=$PROFILE PACKAGES="luci \
     openssl-util curl ca-certificates dropbear \
     strongswan-mod-kernel-libipsec kmod-tun strongswan-default strongswan-mod-openssl strongswan-mod-curl strongswan-mod-ccm strongswan-mod-gcm \
-    htop iftop tcpdump nmap nano -odhcp6c -odhcpd -dnsmasq \
+    htop iftop netdata -odhcp6c -odhcpd -dnsmasq \
     -luci-app-firewall \
     -pppd -luci-proto-ppp -kmod-ppp -ppp -ppp-mod-pppoe \
     -kmod-ip6tables -ip6tables -luci-proto-ipv6 -kmod-iptunnel6 -kmod-ipsec6"

doc/builder/common.sh

@@ -29,9 +29,7 @@ AUTHORITY=$(hostname -f)
 mkdir -p $OVERLAY/etc/config
 mkdir -p $OVERLAY/etc/uci-defaults
 mkdir -p $OVERLAY/etc/certidude/authority/$AUTHORITY/
-cp /var/lib/certidude/$AUTHORITY/ca_cert.pem $OVERLAY/etc/certidude/authority/$AUTHORITY/
-
-echo /etc/certidude >> $OVERLAY/etc/sysupgrade.conf
+cp /var/lib/certidude/ca_cert.pem $OVERLAY/etc/certidude/authority/$AUTHORITY/
 
 cat <<EOF > $OVERLAY/etc/config/certidude
 

doc/builder/ipcam.sh

@@ -40,5 +40,7 @@ EOF
 
 make -C $BUILD/$BASENAME image FILES=$OVERLAY PROFILE=$PROFILE PACKAGES="openssl-util curl ca-certificates \
     strongswan-default strongswan-mod-openssl strongswan-mod-curl strongswan-mod-ccm strongswan-mod-gcm htop \
-    iftop tcpdump nmap nano mtr patch diffutils ipset usbutils luci luci-app-mjpg-streamer kmod-video-uvc dropbear \
-    pciutils -dnsmasq -odhcpd -odhcp6c -kmod-ath9k picocom strongswan-mod-kernel-libipsec kmod-tun"
+    iftop tcpdump nmap nano usbutils luci luci-app-mjpg-streamer kmod-video-uvc dropbear \
+    -pppd -luci-proto-ppp -kmod-ppp -ppp -ppp-mod-pppoe \
+    -dnsmasq -odhcpd -odhcp6c -kmod-ath9k picocom strongswan-mod-kernel-libipsec kmod-tun \
+    netdata"

doc/builder/mfp.sh

@@ -103,8 +103,9 @@ uci set uhttpd.main.listen_http=0.0.0.0:8080
 EOF
 
 make -C $BUILD/$BASENAME image FILES=$OVERLAY PROFILE=$PROFILE PACKAGES="openssl-util curl ca-certificates htop \
-    iftop tcpdump nmap nano mtr patch diffutils ipset usbutils luci dropbear kmod-tun \
+    iftop tcpdump nmap nano mtr patch diffutils ipset usbutils luci dropbear kmod-tun netdata \
     strongswan-default strongswan-mod-kernel-libipsec strongswan-mod-openssl strongswan-mod-curl strongswan-mod-ccm strongswan-mod-gcm \
-    pciutils -odhcpd -odhcp6c -kmod-ath9k picocom libustream-openssl kmod-crypto-gcm bc"
-
+    -odhcpd -odhcp6c -kmod-ath9k picocom libustream-openssl kmod-crypto-gcm \
+    -pppd -luci-proto-ppp -kmod-ppp -ppp -ppp-mod-pppoe \
+    -kmod-ip6tables -ip6tables -luci-proto-ipv6 -kmod-iptunnel6 -kmod-ipsec6"
 

doc/overlay/etc/uci-defaults/60-cron

@@ -1,6 +1,11 @@
+# Randomize restart time
+OFFSET=$(awk -v min=1 -v max=59 'BEGIN{srand(); print int(min+rand()*(max-min+1))}')
+
+# wtf?! https://wiki.strongswan.org/issues/1501#note-7
 cat << EOF > /etc/crontabs/root
-15 1 * * * sleep 70 && touch /etc/banner && reboot
-10 1 1 */2 * /usr/bin/certidude-enroll-renew
+#$OFFSET 2 * * * sleep 70 && touch /etc/banner && reboot
+$OFFSET 2 * * * ipsec restart
+5 1 1 */2 * /usr/bin/certidude-enroll-renew
 EOF
 
 chmod 0600 /etc/crontabs/root

doc/overlay/usr/bin/certidude-enroll

@@ -122,6 +122,11 @@ logger -t certidude -s "Certificate md5sum: $(md5sum -b $CERTIFICATE_PATH.part)"
 
 uci commit
 
+echo $AUTHORITY_PATH >> /etc/sysupgrade.conf
+echo $CERTIFICATE_PATH >> /etc/sysupgrade.conf
+echo $KEY_PATH >> /etc/sysupgrade.conf
+echo $REQUEST_PATH >> /etc/sysupgrade.conf
+
 mv $CERTIFICATE_PATH.part $CERTIFICATE_PATH
 
 # Start services

doc/overlay/usr/bin/certidude-enroll-renew

@@ -8,6 +8,8 @@ CERTIFICATE_PATH=$DIR/host_cert.pem
 REQUEST_PATH=$DIR/host_req.pem
 KEY_PATH=$DIR/host_key.pem
 
+# TODO: fix Accepted 202 here
+
 curl -f -L \
     -H "Content-Type: application/pkcs10" \
     --data-binary @$REQUEST_PATH \