
Feature Request: Add deSEC Flexibility. #1988

Closed
RJ-Make opened this issue May 22, 2021 · 20 comments

Comments

RJ-Make commented May 22, 2021

Integrated deSEC is just plain awesome, and now that it's working I loved how easy it was. After literally running through the latest GEN 2 Script over 10 times I have made some observations in regards to the deSEC implementation.

And if any of these are incorrect please correct me.

  1. The function seems extremely limited, starting with how it's presented to the user. You shouldn't have to delete a domain or an existing account to run through the function. On first run, I believe the first question the user should be asked is if they have an existing deSEC account and domain. This is where the first "fork" should be created.

     Perhaps this was not implemented in such a way for simplicity reasons for people like me, but trust me, I'm an idiot when it comes to this stuff and even I can understand. :-)

  2. Add a mechanism in the function to change the port number. This IS the sole reason I love the deSEC implementation. Having port 80 open has always bothered me. However, it doesn't seem possible to change the port after the function has been run?

  3. Add a mechanism in the function to change the domain. I don't believe asking deSEC admins to merge accounts, etc. is a fair solution IMO.

Anyway, thanks for reading and thanks for continuing to improve the product.

enoch85 (Member) commented May 23, 2021

@RJ-Make Thanks for your feedback and pointers!

> You shouldn't have to delete a domain or an existing account to run through the function.

Well, you can't register someone else's domain or email. :) But sure, I agree that it would be cool if you could add domains to an existing email account so that you don't need to enter a brand new email account every time the script is run. I'm not sure about how the API looks here, but that would open up for adding Collabora, Talk, and other domains as well on the same account.

The manual way of doing it would be to enter the domain in your admin panel before you run the scripts in question.

> Add a mechanism in the function to change the port number.

There already is such a function actually. I think it was implemented after you ran the script for the first time. Now you can choose whichever port you want between 1024 - 49151. Port 80 is only used for HTTP, and it's redirected to a secure port in any case. Have a look here:

https://github.com/nextcloud/vm/blob/master/lets-encrypt/activate-tls.sh#L240
https://github.com/nextcloud/vm/blob/master/lets-encrypt/activate-tls.sh#L255

If you want to change port yourself afterwards it can also be done manually in the Apache2 configs.

> Add a mechanism in the function to change the domain

The script is designed to setup one domain, once done you can go to the deSEC admin portal yourself and change it.

I don't know if it's possible from the API to change your domain on an already existing account.

@peterthomassen Any thoughts on above?

peterthomassen (Collaborator) commented

It's currently not possible to rename a domain in our API, and I don't think we'll implement that, as it comes with a lot of ill-defined edge cases. If you want to change the domain name, you need to log into your account, create a new domain and then configure fresh records for that domain. I agree though that the preferred solution should be one that does not require users to interact with our support. :-)

As for the ill-defined edge cases: If your domain is example.com and your MX record points to mail.example.com, and you rename the domain to example.net -- do you touch the MX record? It may seem obvious that the answer is yes, but it could be that the example.com domain is now hosted at another DNS operator, including the mail.example.com server, and that that's the mailserver that is responsible for example.net -- so perhaps it's better not to touch it?

Things become more complicated if you use DANE (TLS certificate or PGP key pinning via DNS): Should you transfer pinned keys to the new domain? -- My impression is that it's impossible to do this correctly in a generic way, and the consequence is that it can only be done manually. (fyi @nils-wisiol)

RJ-Make (Author) commented May 23, 2021

> @RJ-Make Thanks for your feedback and pointers!
>
> You shouldn't have to delete a domain or an existing account to run through the function.
>
> Well, you can't register someone else's domain or email. :) But sure, I agree that it would be cool if you could add domains to an existing email account so that you don't need to enter a brand new email account every time the script is run. I'm not sure about how the API looks here, but that would open up for adding Collabora, Talk, and other domains as well on the same account.

Not sure if it's possible, but say the function asks for the user's token and existing domain (after the first "fork" question). I have to assume there is a method to return authentication. So if authenticated = true then the domain must be owned by the script user?

I would think this would prevent the need to delete/merge a domain/account to get it set up?

> The manual way of doing it would be to enter the domain in your admin panel before you run the scripts in question.

Could you elaborate on this? I had to delete my deSEC account (and domain) if I wanted to use the same domain again when I re-ran the script, which I kept doing while running into bugs in getting the certificate created correctly.

> Add a mechanism in the function to change the port number.
>
> There already is such a function actually. I think it was implemented after you ran the script for the first time. Now you can choose whichever port you want between 1024 - 49151. Port 80 is only used for HTTP, and it's redirected to a secure port in any case. Have a look here:

Yep, that was the version I ran when the bugs finally got sorted out, which was great. I was referring to subsequently changing the port.

> https://github.com/nextcloud/vm/blob/master/lets-encrypt/activate-tls.sh#L240
> https://github.com/nextcloud/vm/blob/master/lets-encrypt/activate-tls.sh#L255
>
> If you want to change port yourself afterwards it can also be done manually in the Apache2 configs.

I will assume that, like me, other customers of the product don't have the working knowledge to safely make such changes, and that is the sole reason we purchase the product in the first place.

I rely on the experts, such as yourself, to help us make those changes without messing everything up. :-) I wouldn't even know where to find that file, much less know how and what to change.

Just thinking about how to make the user experience better running through the product's functions. Which I have got to say has improved greatly from the GEN 1 product I purchased last year.

Thank You!

RJ-Make (Author) commented May 23, 2021

Oh, I missed the last part... I'm not asking for a function to rename an existing domain, but to simply choose another domain name without having to delete/merge my deSEC account. deSEC allows its users to create multiple domains.

Example: I originally chose xyz.dedyn.io as my domain, but later wanted to use abc.dedyn.io (one I created in my deSEC control panel). I would think if my #1 enhancement in my first post was achieved, it would solve this one also?

@peterthomassen
@enoch85

enoch85 (Member) commented May 23, 2021

@peterthomassen Would it be possible to add more domains to an account if you have the DEDYNAUTHTOKEN? If yes, where do you get the token once logged in to your account?

I think the main question here is: Is it possible to register more domains to the same email-address (account) with the API?

Right now you need a unique email-address to be able to run the deSEC script, each time.

enoch85 (Member) commented May 23, 2021

Just found out it is possible.

Testing with this:

```bash
# Load the VM's helper library (provides input_box_flow and $SCRIPTS)
source /var/scripts/fetch_lib.sh

# Token and zone name written by the deSEC setup script; -f2- keeps the whole
# value even if it ever contained an '=' character
DEDYN_TOKEN=$(grep DEDYN_TOKEN "$SCRIPTS"/deSEC/.dedynauth | cut -d '=' -f2-)
DEDYN_NAME=$(grep DEDYN_NAME "$SCRIPTS"/deSEC/.dedynauth | cut -d '=' -f2-)

# Only the label is asked for; it is appended to $DEDYN_NAME by deSEC
SUBDOMAIN=$(input_box_flow "Please enter the subdomain you are using for Collabora, e.g: collabora")

# Create an A RRset for the subdomain in the existing zone (placeholder
# address; ddclient replaces it with the real public IP afterwards)
curl -X POST https://desec.io/api/v1/domains/"$DEDYN_NAME"/rrsets/ \
    --header "Authorization: Token $DEDYN_TOKEN" \
    --header "Content-Type: application/json" --data @- <<EOF
    {
      "subname": "$SUBDOMAIN",
      "type": "A",
      "ttl": 3600,
      "records": ["127.0.0.1"]
    }
EOF

# Add domain to ddclient, but only if ddclient already tracks the parent zone
if grep -q "$DEDYN_NAME" /etc/ddclient.conf
then
    echo "$SUBDOMAIN.$DEDYN_NAME" >> /etc/ddclient.conf
    systemctl restart ddclient
fi
```

enoch85 (Member) commented May 23, 2021

PR is here: #1991

enoch85 (Member) commented May 23, 2021

@RJ-Make Please download and run the script in the PR to test if it's working.

  1. wget https://raw.githubusercontent.com/nextcloud/vm/desec_subdomain/addons/desec_subdomain.sh
  2. sudo bash desec_subdomain.sh
  3. Enjoy!

TODO: add TLS

RJ-Make (Author) commented May 24, 2021

enoch85 (Member) commented May 25, 2021

@RJ-Make Sorry, it was merged before you tried.

Use this link: https://raw.githubusercontent.com/nextcloud/vm/master/addons/desec_subdomain.sh

RJ-Make (Author) commented May 25, 2021

I entered talk.xxx.dedyn.io (which appears to have been incorrect).

The created result in the session was
talk.xxx.dedyn.io.xxx.dedyn.io

  1. This created domain does not show up in my deSEC account.
  2. The talk.xxx.dedyn.io.xxx.dedyn.io URL returns Bad Certificate.
  3. The talk.xxx.dedyn.io domain, which is already created in my deSEC account, does not forward.

enoch85 (Member) commented May 25, 2021

@RJ-Make You should only enter the subdomain name, so talk would be the one in your case.

When done you currently need to add TLS manually by running the Activate TLS script on that domain.
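The two points just made in this thread, the curl call in enoch85's test snippet and the rule that only the subdomain label is entered, can be combined into one script. The following is an added example of mine, not code from nextcloud/vm or deSEC: it normalises the user's input so that a full name such as talk.xxx.dedyn.io becomes the label talk instead of producing talk.xxx.dedyn.io.xxx.dedyn.io, checks whether the RRset already exists before creating it, and warns when the token file is readable by other users. It assumes the `.dedynauth` file layout from the snippet above (`DEDYN_TOKEN=` and `DEDYN_NAME=` lines under `$SCRIPTS/deSEC/`), and that the deSEC endpoints `/domains/{name}/rrsets/` (POST) and `/domains/{name}/rrsets/{subname}/{type}/` (GET and PATCH) answer 404 for an absent RRset as the API documentation describes; the function names `normalize_subname`, `rrset_json` and `upsert_a_record` are my own.

```shell
#!/usr/bin/env bash
# Added example (not nextcloud/vm or deSEC code): create or update a deSEC A record
# for a subdomain label, with input validation. Assumptions: $SCRIPTS/deSEC/.dedynauth
# holds DEDYN_TOKEN=... and DEDYN_NAME=...; deSEC returns 404 on GET for an RRset that
# does not exist and accepts PATCH on an existing one.

DESEC_API="https://desec.io/api/v1"

# Reduce whatever the user typed to a bare label. With zone=xxx.dedyn.io,
# "talk.xxx.dedyn.io" becomes "talk"; the apex, a still-dotted name, or a
# string that is not a hostname label is rejected (non-zero return).
normalize_subname() {
    local input="$1" zone="$2"
    input="${input%.}"           # tolerate a trailing dot
    input="${input%.$zone}"      # strip ".<zone>" if the whole FQDN was entered
    case "$input" in
        ""|"$zone")      return 1 ;;  # nothing left, or the apex itself
        *.*)             return 1 ;;  # would create a.b.<zone>
        *[!a-zA-Z0-9-]*) return 1 ;;  # not a valid hostname label
    esac
    printf '%s\n' "$input"
}

# JSON body for the RRset collection endpoint (same shape as the snippet above).
rrset_json() {
    local subname="$1" ip="$2" ttl="${3:-3600}"
    printf '{"subname":"%s","type":"A","ttl":%s,"records":["%s"]}\n' "$subname" "$ttl" "$ip"
}

# Create the A RRset if absent, otherwise update its records in place; a second
# POST for the same name would be rejected by the API, which is what a re-run of
# the setup script runs into.
upsert_a_record() {
    local zone="$1" subname="$2" ip="$3" token="$4" status
    local url="$DESEC_API/domains/$zone/rrsets/$subname/A/"
    status=$(curl -sS -o /dev/null -w '%{http_code}' \
        --header "Authorization: Token $token" "$url")
    case "$status" in
        404) curl -sS -X POST "$DESEC_API/domains/$zone/rrsets/" \
                 --header "Authorization: Token $token" \
                 --header "Content-Type: application/json" \
                 --data "$(rrset_json "$subname" "$ip")" ;;
        200) curl -sS -X PATCH "$url" \
                 --header "Authorization: Token $token" \
                 --header "Content-Type: application/json" \
                 --data "{\"records\":[\"$ip\"]}" ;;
        *)   echo "unexpected HTTP $status from $url" >&2; return 1 ;;
    esac
}

main() {
    local authfile="${SCRIPTS:-/var/scripts}/deSEC/.dedynauth"
    local ip="${2:-127.0.0.1}"   # placeholder, as in the thread; ddclient sets the real IP
    local token zone sub
    # The token grants full control of the zone: it should not be world-readable.
    if find "$authfile" -perm -o=r 2>/dev/null | grep -q .; then
        echo "warning: $authfile is readable by other users (consider chmod 600)" >&2
    fi
    token=$(grep '^DEDYN_TOKEN=' "$authfile" | cut -d '=' -f2-)
    zone=$(grep '^DEDYN_NAME=' "$authfile" | cut -d '=' -f2-)
    if [ -z "$token" ] || [ -z "$zone" ]; then
        echo "no DEDYN_TOKEN/DEDYN_NAME found in $authfile" >&2; return 1
    fi
    if ! sub=$(normalize_subname "$1" "$zone"); then
        echo "enter only the subdomain label, e.g. 'talk', not '$1'" >&2; return 1
    fi
    upsert_a_record "$zone" "$sub" "$ip" "$token"
}

if [ "$#" -eq 0 ]; then
    echo "usage: $0 <subdomain-label> [ip]" >&2
else
    main "$@"
fi
```

Run it as `sudo bash desec_add_subdomain.sh talk` (hypothetical file name). One caveat worth knowing on a shared host: the token appears on curl's command line and is therefore visible in the process list; on a single-admin VM that is normally acceptable, otherwise pass the header via a curl config file (`-K`) instead.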

enoch85 (Member) commented May 25, 2021

@RJ-Make It's now possible to add TLS to the domain as well.

Please run the script again to test if it works:

  1. Run wget https://raw.githubusercontent.com/nextcloud/vm/master/addons/desec_subdomain.sh
  2. sudo bash desec_subdomain.sh
  3. Run Collabora, Talk or whatever with the new domain you just created in step 2.

Please report back.

RJ-Make (Author) commented May 25, 2021

[screenshot: 2021-05-25_16-32-03]

RJ-Make (Author) commented May 25, 2021

I will add, the script thought the process completed without errors.

EDIT: This is a domain already created in my deSEC account.

RJ-Make (Author) commented May 25, 2021

I just so happen to look at my deSEC record for the main domain, and I see this. So perhaps the talk sub I created is screwing things up?

[screenshot: 2021-05-25_17-31-24]

RJ-Make (Author) commented May 25, 2021

I have a feeling this is screwing things up. I'll delete my talk entry and re-test tomorrow.

enoch85 (Member) commented May 26, 2021

Please remove both talk records and try again.

Thanks!

RJ-Make (Author) commented May 26, 2021

Everything looked like it succeeded, however Talk (installed after I ran the subdomain script) fails with the following error.

[screenshot: 2021-05-26_5-45-47]

[screenshot: 2021-05-26_5-52-48]

enoch85 (Member) commented May 26, 2021

OK, great! The deSEC script is working in the current state! 🚀

Please open another issue for the issue with Talk and I'll ping the right people.

enoch85 closed this as completed May 26, 2021