mirror.MikroTik/nymurbd.MikroTik-scripts
1
0
Fork 0
mirror of https://github.com/nymurbd/MikroTik-scripts.git synced 2025-08-02 01:04:28 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions
nymurbd.MikroTik-scripts/global-config.rsc
Christian Hesse d1693a241b certs: E1 / E5 -> ISRG Root X2 
In the beginning of Let's Encrypt their root certificate ISRG Root X1
was not widely trusted, at least some older and/or mobile platforms were
missing that certificate in their root certificate store.
At that time Let's Encrypt was using an alternative chain of trust,
where a certificate was cross-signed with DST Root CA X3.

To make sure a valid chain of trust is available under all circumstances
a set of all certificates had to be supplied: both root vertificates
ISRG Root X1 & DST Root CA X3, and an intermediate certificate.
This was still true after DST Root CA X3 expired, as it could still be
used as a root anchor and was shipped by Let's Encrypt when requested. 🤪

This time is finally over, and we have a clean chain for trust ending in
ISRG Root X1 (or ISRG Root X2).
Well, actually it is the other way round... Let's Encrypt signs with
different tantamount intermediate certificates. There is not only E5, but
also E6 - and we can not know beforehand which one is used on renew.

So let's jetzt drop the intermediate certificates now, and rely on root
certificates only. We are perfectly fine with this these days.

Follow-up commits will do the same for *all* certificates.

The certificate is downloaded with:

    curl -d '["ISRG Root X2"]' https://mkcert.org/generate/ | grep -v '^$' > certs/ISRG-Root-X2.pem
2024-06-21 15:55:45 +02:00

266 lines
10 KiB
Text
Raw Blame History

#!rsc by RouterOS
# RouterOS script: global-config
# Copyright (c) 2013-2024 Christian Hesse <mail@eworm.de>
# https://git.eworm.de/cgit/routeros-scripts/about/COPYING.md
#
# global configuration
# https://git.eworm.de/cgit/routeros-scripts/about/
# Set this to 'true' to disable news and change notifications.
:global NoNewsAndChangesNotification false;
# Add extra text (or emojis) in notification tags.
:global IdentityExtra "";
# This is used in DNS scripts ('ipsec-to-dns' and fallback in 'dhcp-to-dns')
# and backup scripts for file names.
:global Domain "example.com";
# You can send e-mail notifications. Configure the system's mail settings
# (/tool/e-mail), then install the module:
# $ScriptInstallUpdate mod/notification-email
# The to-address needs to be filled; cc-address can be empty, one address
# or a comma separated list of addresses.
:global EmailGeneralTo "";
:global EmailGeneralCc "";
#:global EmailGeneralTo "mail@example.com";
#:global EmailGeneralCc "another@example.com,third@example.com";
# You can send Telegram notifications. Register a bot
# and add the token and chat ids here, then install the module:
# $ScriptInstallUpdate mod/notification-telegram
:global TelegramTokenId "";
:global TelegramChatId "";
#:global TelegramTokenId "123456:ABCDEF-GHI";
#:global TelegramChatId "12345678";
# Using telegram-chat you have to define trusted chat ids (not group ids!)
# or user names. Groups allow to chat with devices simultaneously.
#:global TelegramChatIdsTrusted {
# "12345678";
# "example_user";
#};
:global TelegramChatGroups "(all)";
#:global TelegramChatGroups "(all|home|office)";
# You can send Matrix notifications. Configure these settings and
# install the module:
# $ScriptInstallUpdate mod/notification-matrix
:global MatrixHomeServer "";
:global MatrixAccessToken "";
:global MatrixRoom "";
#:global MatrixHomeServer "matrix.org";
#:global MatrixAccessToken "123456ABCDEFGHI...";
#:global MatrixRoom "!example:matrix.org";
# You can send Ntfy notifications. Configure these settings and
# install the module:
# $ScriptInstallUpdate mod/notification-ntfy
:global NtfyServer "ntfy.sh";
:global NtfyServerUser [];
:global NtfyServerPass [];
:global NtfyTopic "";
# It is possible to override e-mail, Telegram, Matrix and Ntfy setting
# for every script. This is done in arrays, where 'Override' is appended
# to the variable name, like this:
#:global EmailGeneralToOverride {
# "check-certificates"="override@example.com";
# "backup-email"="backup@example.com";
#}
# Toggle this to disable symbols in notifications.
:global NotificationsWithSymbols true;
# Toggle this to disable color output in terminal/cli.
:global TerminalColorOutput true;
# This defines what backups to generate and what password to use.
:global BackupSendBinary false;
:global BackupSendExport true;
:global BackupSendGlobalConfig true;
:global BackupPassword "v3ry-s3cr3t";
:global BackupRandomDelay 0;
# These credentials are used to upload backup and config export files.
# SFTP authentication is tricky, you may have to limit authentication
# methods for your SSH server.
:global BackupUploadUrl "sftp://example.com/backup/";
:global BackupUploadUser "mikrotik";
:global BackupUploadPass "v3ry-s3cr3t";
# Copy the RouterOS installation to backup partition before feature update.
:global BackupPartitionCopyBeforeFeatureUpdate false;
# This defines the settings for firewall address-lists (fw-addr-lists).
:global FwAddrLists {
# "allow"={
# { url="https://git.eworm.de/cgit/routeros-scripts/plain/fw-addr-lists.d/allow";
# cert="ISRG Root X2"; timeout=1w };
# };
"block"={
# { url="https://git.eworm.de/cgit/routeros-scripts/plain/fw-addr-lists.d/block";
# cert="ISRG Root X2" };
{ url="https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.txt";
cert="GlobalSign Atlas R3 DV TLS CA 2022 Q3" };
{ url="https://sslbl.abuse.ch/blacklist/sslipblacklist.txt";
cert="GlobalSign Atlas R3 DV TLS CA 2022 Q3" };
{ url="https://www.dshield.org/block.txt"; cidr="/24";
cert="R3" };
{ url="https://lists.blocklist.de/lists/strongips.txt";
cert="Certum Domain Validation CA SHA2" };
# { url="https://www.spamhaus.org/drop/drop.txt";
# cert="Cloudflare Inc ECC CA-3" };
# { url="https://www.spamhaus.org/drop/edrop.txt";
# cert="Cloudflare Inc ECC CA-3" };
};
# "mikrotik"={
# { url="https://git.eworm.de/cgit/routeros-scripts/plain/fw-addr-lists.d/mikrotik";
# cert="ISRG Root X2"; timeout=1w };
# };
};
:global FwAddrListTimeOut 1d;
# This defines what log messages to filter or include by topic or message
# text. Regular expressions are supported. Do *NOT* set an empty string,
# that will filter or include everything!
# These are filters, so excluding messages from forwarding.
:global LogForwardFilter "(debug|info|packet|raw)";
:global LogForwardFilterMessage [];
#:global LogForwardFilterMessage "message text";
#:global LogForwardFilterMessage "(message text|another text|...)";
# ... and another setting with reverse logic. This includes messages even
# if filtered above.
:global LogForwardInclude [];
:global LogForwardIncludeMessage [];
#:global LogForwardInclude "account";
#:global LogForwardIncludeMessage "message text";
# Specify an address to enable auto update to version assumed safe.
# The configured channel (bugfix, current, release-candidate) is appended.
:global SafeUpdateUrl "";
#:global SafeUpdateUrl "https://example.com/ros/safe-update/";
# Allow to install patch updates automatically.
:global SafeUpdatePatch false;
# Allow to install updates automatically if seen in neighbor list.
:global SafeUpdateNeighbor false;
:global SafeUpdateNeighborIdentity "";
# Install *ALL* updates automatically!
# Set to all upper-case "Yes, please!" to enable.
:global SafeUpdateAll "no";
# Defer the reboot for night on automatic (non-interactive) update
:global PackagesUpdateDeferReboot false;
# These thresholds control when to send health notification
# on temperature and voltage.
:global CheckHealthTemperature {
temperature=50;
cpu-temperature=70;
board-temperature1=50;
board-temperature2=50;
};
# This is deviation on recovery threshold against notification flooding.
:global CheckHealthTemperatureDeviation 3;
:global CheckHealthVoltageLow 115;
:global CheckHealthVoltagePercent 10;
# Access-list entries matching this comment are updated
# with daily pseudo-random PSK.
:global DailyPskMatchComment "Daily PSK";
:global DailyPskQrCodeUrl "https://www.eworm.de/cgi-bin/cqrlogo-wifi.cgi";
:global DailyPskSecrets {
{ "Abusive"; "Aggressive"; "Bored"; "Chemical"; "Cold";
"Cruel"; "Curved"; "Delightful"; "Discreet"; "Elite";
"Evasive"; "Faded"; "Flat"; "Future"; "Grandiose";
"Hanging"; "Humorous"; "Interesting"; "Magenta";
"Magnificent"; "Numerous"; "Optimal"; "Pathetic";
"Possessive"; "Remarkable"; "Rightful"; "Ruthless";
"Stale"; "Unusual"; "Useless"; "Various" };
{ "Adhesive"; "Amusing"; "Astonishing"; "Frantic";
"Kindhearted"; "Limping"; "Roasted"; "Robust";
"Staking"; "Thundering"; "Ultra"; "Unreal" };
{ "Belief"; "Button"; "Curtain"; "Edge"; "Jewel";
"String"; "Whistle" }
};
# Specify how to assemble DNS names in ipsec-to-dns.
:global HostNameInZone true;
:global PrefixInZone true;
# Run different commands with multiple mode-button presses.
:global ModeButton {
1="/system/script/run leds-toggle-mode;";
2=":global Identity; :global SendNotification; :global SymbolForNotification; \$SendNotification ([ \$SymbolForNotification \"earth\" ] . \"Hello...\") (\"Hello world, \" . \$Identity . \" calling!\");";
3="/system/shutdown;";
4="/system/reboot;";
5=":global BridgePortVlan; \$BridgePortVlan alt;";
# add more here...
};
# This led gives visual feedback if type is 'on' or 'off'.
:global ModeButtonLED "user-led";
# Run commands on SMS action.
:global SmsAction {
bridge-port-vlan-alt=":global BridgePortVlan; \$BridgePortVlan alt;";
reboot="/system/reboot;";
shutdown="/system/shutdown;";
# add more here...
};
# Run commands by hooking into SMS forward.
:global SmsForwardHooks {
{ match="magic string";
allowed-number="12345678";
command="/system/script/run ..." };
# add more here...
};
# This is the address used to send gps data to.
:global GpsTrackUrl "https://example.com/index.php";
# This is the base url to fetch scripts from.
:global ScriptUpdatesBaseUrl "https://git.eworm.de/cgit/routeros-scripts/plain/";
# alternative urls - main: stable code - next: currently in development
#:global ScriptUpdatesBaseUrl "https://raw.githubusercontent.com/eworm-de/routeros-scripts/main/";
#:global ScriptUpdatesBaseUrl "https://raw.githubusercontent.com/eworm-de/routeros-scripts/next/";
#:global ScriptUpdatesBaseUrl "https://gitlab.com/eworm-de/routeros-scripts/raw/main/";
#:global ScriptUpdatesBaseUrl "https://gitlab.com/eworm-de/routeros-scripts/raw/next/";
:global ScriptUpdatesUrlSuffix "";
# use next branch with default url (git.eworm.de)
#:global ScriptUpdatesUrlSuffix "?h=next";
# Use this for defaults with $ScriptRunOnce
# Install module with:
# $ScriptInstallUpdate mod/scriptrunonce
:global ScriptRunOnceBaseUrl "";
:global ScriptRunOnceUrlSuffix "";
# This project is developed in private spare time and usage is free of charge
# for you. If you like the scripts and think this is of value for you or your
# business please consider a donation:
# https://git.eworm.de/cgit/routeros-scripts/about/#donate
# Enable this to silence donation hint.
:global IDonate false;
# Use this for certificate auto-renew
:global CertRenewUrl "";
#:global CertRenewUrl "https://example.com/certificates/";
:global CertRenewTime 3w;
:global CertRenewPass {
"v3ry-s3cr3t";
"4n0th3r-s3cr3t";
};
:global CertWarnTime 2w;
:global CertIssuedExportPass {
"cert1-cn"="v3ry-s3cr3t";
"cert2-cn"="4n0th3r-s3cr3t";
};
# load custom settings from overlay and snippets
# Warning: Do *NOT* copy this code to overlay!
:foreach Script in=([ /system/script/find where name="global-config-overlay" ], \
[ /system/script/find where name~"^global-config-overlay.d/" ]) do={
:do {
/system/script/run $Script;
} on-error={
:log error ("Loading configuration from overlay or snippet " . \
[ /system/script/get $Script name ] . " failed!");
}
}
Reference in a new issue View git blame Copy permalink