path: root/global-config.rsc
Age | Commit message | Author | Files | Lines
2024-06-21 | certs: GlobalSign Atlas R3 DV TLS CA 2022 Q3 -> GlobalSign | Christian Hesse | 1 | -2/+2
2024-06-21 | certs: R3 / R10 -> ISRG Root X1 | Christian Hesse | 1 | -1/+1
2024-06-21 | certs: E1 / E5 -> ISRG Root X2 | Christian Hesse | 1 | -3/+3
    In the beginning of Let's Encrypt their root certificate ISRG Root X1 was not widely trusted, at least some older and/or mobile platforms were missing that certificate in their root certificate store. At that time Let's Encrypt was using an alternative chain of trust, where a certificate was cross-signed with DST Root CA X3.

    To make sure a valid chain of trust is available under all circumstances a set of all certificates had to be supplied: both root certificates ISRG Root X1 & DST Root CA X3, and an intermediate certificate.

    This was still true after DST Root CA X3 expired, as it could still be used as a root anchor and was shipped by Let's Encrypt when requested. 🤪

    This time is finally over, and we have a clean chain for trust ending in ISRG Root X1 (or ISRG Root X2).

    Well, actually it is the other way round... Let's Encrypt signs with different tantamount intermediate certificates. There is not only E5, but also E6 - and we can not know beforehand which one is used on renew. So let's drop the intermediate certificates now, and rely on root certificates only. We are perfectly fine with this these days.

    Follow-up commits will do the same for *all* certificates.

    The certificate is downloaded with:

        curl -d '["ISRG Root X2"]' https://mkcert.org/generate/ | grep -v '^$' > certs/ISRG-Root-X2.pem

2024-06-19 | Let's Encrypt changed their intermediate certificates | Christian Hesse | 1 | -3/+3
    https://letsencrypt.org/2024/03/19/new-intermediate-certificates
    https://letsencrypt.org/certificates/

    But let's keep the old ones around for now, as some sites are still using the old intermediate.

2024-05-23 | backup-partition: support copy before feature update | Christian Hesse | 1 | -0/+2
2024-05-14 | fw-addr-lists: add 'strongips' list from blocklist.de [change-128] | Christian Hesse | 1 | -0/+2
2024-04-15 | mod/notification-ntfy: support basic auth [change-127] | Christian Hesse | 1 | -0/+2
    Closes #59

2024-03-20 | global-config: put example fw-addr-lists into repository | Christian Hesse | 1 | -3/+3
2024-03-18 | global-config: prepare a (commented) address-list for Mikrotik | Christian Hesse | 1 | -0/+4
    This is AS51894: https://bgp.he.net/AS51894

2024-03-12 | global-config: merge loading overlay and snippets | Christian Hesse | 1 | -10/+4
2024-03-12 | global-config: support loading snippets [change-122] | Christian Hesse | 1 | -0/+10
    This adds support for loading snippets, which need a name starting with "global-config-overlay.d/". This allows splitting off configuration if desired.

2024-01-30 | packages-update: support deferred reboot on auto-update [change-117] | Christian Hesse | 1 | -0/+3
    Closes #56

2024-01-01 | update copyright for 2024 | Christian Hesse | 1 | -1/+1
2023-11-30 | fw-addr-lists: support timeout per list | Christian Hesse | 1 | -1/+1
    This works with something like this:

        :global FwAddrLists {
          "allow"={
            { url="https://eworm.de/ros/fw-addr-lists/allow";
              cert="E1"; timeout=1w };
          };
          ...
        }

    All urls for one named list should have the same timeout! With different timeout values and identical addresses the behavior is basically undefined, depending on order.

2023-10-26 | global: switch eworm.de to new certificate chain (E1 / ISRG Root X2) | Christian Hesse | 1 | -2/+2
    old chain: R3 / ISRG Root X1
    new chain: E1 / ISRG Root X2

    No user interaction or migration is required for existing installations as we install 'E1' and 'ISRG Root X2' for some time already.

2023-10-17 | global-functions: $ScriptInstallUpdate: drop support for scripts from storage [change-110] | Christian Hesse | 1 | -2/+1
    Nobody ever used that, no? (Well, except me - just before I implemented fetching. 😜)

2023-10-17 | introduce mod/notification-ntfy... [change-109] | Christian Hesse | 1 | -3/+9
    ... for sending notifications via Ntfy (https://ntfy.sh/).

    TODO: use proper formatting once supported in Android app: https://github.com/binwiederhier/ntfy/issues/889

2023-10-17 | log-forward: add 'packet' in default filter... | Christian Hesse | 1 | -1/+1
    ... which is used when logging raw packets from dns and ssh, and possibly others.

2023-10-16 | mod/notification-telegram: drop support for non-fixed width font [change-107] | Christian Hesse | 1 | -2/+0
2023-10-05 | log-forward: add 'raw' in default filter... | Christian Hesse | 1 | -1/+1
    ... which is used when logging raw packets or commands.

2023-08-31 | check-routeros-update: support update from specific neighbor(s) [change-105] | Christian Hesse | 1 | -0/+1
    ... by matching the identity property.

2023-06-27 | global-config: escaping question mark is no longer required | Christian Hesse | 1 | -1/+1
2023-06-13 | fw-addr-lists: prepare lists from spamhaus.org in config | Christian Hesse | 1 | -0/+4
2023-06-13 | fw-addr-lists: add lists from abuse.ch in config | Christian Hesse | 1 | -0/+4
2023-06-13 | introduce fw-addr-lists [change-101] | Christian Hesse | 1 | -0/+15
2023-05-31 | global-config: end all (array) variables with a semicolon | Christian Hesse | 1 | -4/+4
2023-04-26 | global-config: restore variables still used in ipsec-to-dns (for now) | Christian Hesse | 1 | -0/+4
2023-04-26 | global-config: be more verbose about domain | Christian Hesse | 1 | -1/+2
2023-04-24 | dhcp-to-dns: get domain from dhcp server's network definition [change-99] | Christian Hesse | 1 | -3/+0
2023-03-07 | rename scripts and add file extension ".rsc" [change-95] | Christian Hesse | 1 | -0/+220
    No functional change for the user... The migration is done automatically.