Wednesday, 13 November 2024

An analogue of ipconfig /registerdns for Linux

# short host name, DNS domain and the first IPv4 address of this host
COMP=$(hostname -s)
DOM=$(hostname -d)
IP=$(hostname -i | cut -f1 -d' ')
# address of the DC that will take the update (m48.dzm in the author's setup)
DC=$(dig +short m48.dzm | head -n 1)

# nsupdate script: add (or refresh) this host's own A record in the domain zone
cat > /var/tmp/nsupdate.txt << EOF
server $DC
zone $DOM
update add ${COMP}.${DOM} 86400 A ${IP}
show
send
EOF
cat /var/tmp/nsupdate.txt

# get a ticket for the machine account (HOSTNAME$) from the system keytab
kdestroy
kinit -k ${COMP^^}\$
klist

# -g: sign the update with GSS-TSIG using that ticket, as Windows clients do
nsupdate -g -v /var/tmp/nsupdate.txt
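An added example (not the post's script): the same registration as reusable functions. It differs from the one-shot script above in three places: stale A records for the host are deleted before the current one is added (Windows replaces the record rather than appending), the DC is located through the domain's SRV record, and the record is read back from the DC afterwards. Assumptions, all hypothetical: the host is domain-joined with its machine account in the system keytab, dig/nsupdate/kinit are installed, and every name and address in the usage comments is a constructed placeholder.

```sh
#!/bin/sh
# Added example, not from the original post. See the lead-in for assumptions.

# Text of the nsupdate script. $1 short host name, $2 DNS domain,
# $3 IPv4 address, $4 DNS server, $5 TTL (default 86400, as in the post).
build_nsupdate_script() {
    host=$1; dom=$2; ip=$3; server=$4; ttl=${5:-86400}
    printf 'server %s\n' "$server"
    printf 'zone %s\n' "$dom"
    # remove every existing A record for this name first, so an address the
    # host no longer has is not left behind after a DHCP change
    printf 'update delete %s.%s A\n' "$host" "$dom"
    printf 'update add %s.%s %s A %s\n' "$host" "$dom" "$ttl" "$ip"
    printf 'send\n'
}

# Machine-account principal for "kinit -k": upper-cased short name plus '$'
machine_principal() {
    printf '%s$' "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')"
}

# Writable DC for domain $1 from the _ldap._tcp.dc._msdcs SRV record; falls
# back to the domain's own A record, which in AD points at the DCs.
find_dc() {
    dc=$(dig +short SRV "_ldap._tcp.dc._msdcs.$1" | awk 'NR==1 { sub(/\.$/, "", $4); print $4 }')
    if [ -n "$dc" ]; then printf '%s\n' "$dc"; else dig +short "$1" | head -n 1; fi
}

# 0 if server $3 answers name $1 with address $2
verify_a_record() {
    [ "$(dig +short @"$3" "$1" A | head -n 1)" = "$2" ]
}

# Register this host the way the post does (GSS-TSIG via nsupdate -g),
# then verify the record at the DC. Non-zero on any failure.
register_self() {
    host=$(hostname -s); dom=$(hostname -d)
    ip=$(hostname -i | cut -f1 -d' ')
    dc=$(find_dc "$dom")
    [ -n "$dc" ] || { echo "no DC found for $dom" >&2; return 1; }
    tmp=$(mktemp) || return 1
    build_nsupdate_script "$host" "$dom" "$ip" "$dc" > "$tmp"
    kdestroy 2>/dev/null
    kinit -k "$(machine_principal "$host")" || { rm -f "$tmp"; return 1; }
    nsupdate -g "$tmp"; rc=$?
    rm -f "$tmp"
    [ "$rc" -eq 0 ] && verify_a_record "$host.$dom" "$ip" "$dc"
}

# usage (placeholder): sh registerdns.sh --register
if [ "${1:-}" = "--register" ]; then register_self; fi
```

The delete-then-add pair goes to the server in one signed transaction, so a record for the old address never survives a move to a new subnet, which is the case the plain "update add" in the post does not cover.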


Sunday, 24 March 2024

pxe boot grub efi legacy bios

# legacy BIOS loader (PXE) and UEFI x86_64 loader; both look for the rest of GRUB under (tftp)/grub
grub-mkimage -d /usr/lib/grub/i386-pc/ -O i386-pc-pxe -o ./booti386 -p '(tftp)/grub' pxe tftp
grub-mkimage -d /usr/lib/grub/x86_64-efi/ -O x86_64-efi -o ./bootx64.efi -p '(tftp)/grub' efinet tftp
# the module directories go into the grub directory that the prefix above points at
cp -r /usr/lib/grub/x86_64-efi ./
cp -r /usr/lib/grub/i386-pc ./
# the menu is read from (tftp)/grub/grub.cfg
grub/grub.cfg
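An added example (not from the post): lays out a TFTP root for the two loaders built above, writes one grub.cfg that both of them read, and emits a dnsmasq fragment that hands BIOS clients booti386 and UEFI x86_64 clients bootx64.efi based on the PXE client-architecture option (DHCP option 93). Assumptions: dnsmasq is the DHCP and TFTP server (its dhcp-range is configured elsewhere), the GRUB module directories are installed as in the post, and the kernel/initrd paths, TFTP root and address are placeholders. On UEFI the menu uses the plain `linux` command, which is wrong for GRUB builds that only accept `linuxefi` (RHEL-family packages).

```sh
#!/bin/sh
# Added example, not from the original post. See the lead-in for assumptions.

TFTP_ROOT=${TFTP_ROOT:-/srv/tftp}   # placeholder

# One grub.cfg for both loaders: both were built with prefix (tftp)/grub.
# $grub_platform is set by GRUB itself ("pc" or "efi") and is shown so a
# booting client tells you which image it came through.
grub_cfg() {
    cat <<'EOF'
set timeout=10
set default=0
menuentry "Installer over TFTP (placeholder kernel and initrd)" {
    echo "firmware platform: $grub_platform"
    linux (tftp)/images/vmlinuz ip=dhcp
    initrd (tftp)/images/initrd.img
}
EOF
}

# dnsmasq fragment; $1 is this server's address (next-server for the clients).
# option 93 client-arch: 0 = BIOS PC, 7 = UEFI x86_64 (9 on some firmware).
dnsmasq_pxe_conf() {
    cat <<EOF
enable-tftp
tftp-root=$TFTP_ROOT
dhcp-match=set:efi-x86_64,option:client-arch,7
dhcp-match=set:efi-x86_64,option:client-arch,9
dhcp-match=set:bios,option:client-arch,0
dhcp-boot=tag:efi-x86_64,bootx64.efi,,$1
dhcp-boot=tag:bios,booti386,,$1
EOF
}

# Directory layout plus the shared config under $1 (no build step here).
make_pxe_tree() {
    mkdir -p "$1/grub" "$1/images"
    grub_cfg > "$1/grub/grub.cfg"
}

# Build both loaders into $1 and copy the modules next to grub.cfg, exactly
# as the post does; modules beyond pxe/tftp (normal, linux, ...) are fetched
# from (tftp)/grub/<platform>/ at boot.
build_loaders() {
    grub-mkimage -d /usr/lib/grub/i386-pc -O i386-pc-pxe -o "$1/booti386" -p '(tftp)/grub' pxe tftp
    grub-mkimage -d /usr/lib/grub/x86_64-efi -O x86_64-efi -o "$1/bootx64.efi" -p '(tftp)/grub' efinet tftp
    cp -r /usr/lib/grub/i386-pc "$1/grub/"
    cp -r /usr/lib/grub/x86_64-efi "$1/grub/"
}

# 0 only when both loaders and the shared menu are present
pxe_tree_ok() {
    [ -f "$1/booti386" ] && [ -f "$1/bootx64.efi" ] && [ -f "$1/grub/grub.cfg" ]
}

# usage (placeholders):
#   make_pxe_tree /srv/tftp && build_loaders /srv/tftp
#   dnsmasq_pxe_conf 10.0.0.1 > /etc/dnsmasq.d/pxe.conf
```

Keying the boot file on option 93 is what lets one DHCP scope serve both firmware types; a client that announces architecture 7 or 9 receives the EFI image, everything announcing 0 receives the BIOS image.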

Ратнер Арсений, arsenyratner@gmail.com, 7 985 273 2090

Kickstart for a minimal RedOS install used as a Proxmox template

lang en_US
keyboard --xlayouts='us'
timezone Europe/Moscow

zerombr
clearpart --all --initlabel
bootloader --location=mbr --append="net.ifnames=0"
autopart --type=plain

network --bootproto=dhcp --device=link --activate --onboot=on

firstboot --disable

#selinux
#selinux --enforcing
selinux --permissive
#selinux --disabled

#firewall
#firewall --enabled
#firewall --enabled --ssh
firewall --disabled

authconfig --enableshadow --passalgo=sha512
#rootpw --plaintext redos --lock
rootpw --lock
#user --name=redos --groups=wheel --password=redos --gecos="defaultuser"
#sshkey --username=appc "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEA7YUTXCKAMavLy98/Kep6eDKK2NyVEc/kUklZUbBubg4DfFHDO2KDXtFN7uq8HPcYR7uqFLqkRijhBwJbnPGLpp2mA+iOHLpJvD/tGpDyNt/ImM0hQG3+dzPLtvzc9Ln5mY2RUfOUTFEx7dqGVuwPQXMhZLCEkpIcGicPTpdG0CIu/GdELUtwgrZZ+reNXMG82VnFBVDZObL7H1YsmrgyyWBUMAzwf+EeUFk9Q4k8qsV8utONo3AvscaESxyt5UDvVuV7PrPxp28a03k9ybMMrXjPzuEaM2P0pxGT0VsIoR/fG78MwkSPTveX0QgDU4gBihOAcH2/2WHGBE+1pr9saw== appc@appc-pc"
#sshkey --username=root "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEA7YUTXCKAMavLy98/Kep6eDKK2NyVEc/kUklZUbBubg4DfFHDO2KDXtFN7uq8HPcYR7uqFLqkRijhBwJbnPGLpp2mA+iOHLpJvD/tGpDyNt/ImM0hQG3+dzPLtvzc9Ln5mY2RUfOUTFEx7dqGVuwPQXMhZLCEkpIcGicPTpdG0CIu/GdELUtwgrZZ+reNXMG82VnFBVDZObL7H1YsmrgyyWBUMAzwf+EeUFk9Q4k8qsV8utONo3AvscaESxyt5UDvVuV7PrPxp28a03k9ybMMrXjPzuEaM2P0pxGT0VsIoR/fG78MwkSPTveX0QgDU4gBihOAcH2/2WHGBE+1pr9saw== appc@appc-pc"

%packages --multilib --ignoremissing
@Core
cloud-init
qemu-guest-agent
# keep eth0-style interface names (net.ifnames=0 is on the kernel line above)
-biosdevname
%end

#%post --nochroot --erroronfail --log=/tmp/ks-post.log
%post --erroronfail --log=/tmp/ks-post.log
echo post $(pwd)
#rootdir="/mnt/sysimage"
rootdir=""
echo issue
echo "\4" >> $rootdir/etc/issue
echo "\6" >> $rootdir/etc/issue
echo "" >> $rootdir/etc/issue

echo sudo
#echo "redos ALL:(ALL) NOPASSWD:ALL" > /etc/sudoers.d/redos

cat > $rootdir/etc/cloud/cloud.cfg.d/90-redos.cfg << EOF
datasource_list: [ NoCloud, ConfigDrive, None ]
runcmd:
  - rm -f /etc/machine-id
  - systemd-machine-id-setup
# System and/or distro specific settings
# (not accessible to handlers/transforms)
system_info:
   # This will affect which distro class gets used
   distro: redos
   # Default user name + that default users groups (if added/used)
   default_user:
     name: redos
     lock_passwd: True
     gecos: RedOS Cloud User
     groups: [wheel]
     sudo: ["ALL=(ALL) NOPASSWD:ALL"]
     shell: /bin/bash
   # Other config here will be given to the distro class and/or path classes
   paths:
      cloud_dir: /var/lib/cloud/
      templates_dir: /etc/cloud/templates/
   network:
      renderers: ['netplan', 'networkd', 'etcnet']
   ssh_svcname: sshd

EOF
%end

services --enabled=cloud-init,cloud-config,cloud-final,cloud-init-local
#how to finish the installation
#reboot
shutdown
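An added example, not part of the kickstart or of RedOS: a NoCloud seed for a VM cloned from the template. The 90-redos.cfg above lists NoCloud first and creates a "redos" default user with a locked password and sudo; the seed supplies the hostname and an SSH public key for that user, and turns password authentication off, so a clone is reachable by key only. Assumptions: genisoimage or mkisofs is installed for the ISO step; the host name, domain and the key material in the test are constructed placeholders.

```sh
#!/bin/sh
# Added example, not from the original post. See the lead-in for assumptions.

# Write meta-data and user-data into $1. $2 hostname, $3 SSH public-key line.
write_nocloud_seed() {
    dir=$1; host=$2; pubkey=$3
    mkdir -p "$dir"
    # instance-id must differ between clones; with an unchanged id cloud-init
    # treats the boot as a repeat and skips per-instance modules (keys, runcmd)
    cat > "$dir/meta-data" <<EOF
instance-id: iid-$host-$(date +%s)
local-hostname: $host
EOF
    cat > "$dir/user-data" <<EOF
#cloud-config
hostname: $host
fqdn: $host.example.test
# keep the template's policy: no passwords, key-only access for the default user
ssh_pwauth: false
disable_root: true
users:
  - default
ssh_authorized_keys:
  - $pubkey
EOF
}

# Pack the seed as an ISO labelled "cidata", which the NoCloud datasource
# looks for on attached media. Returns 1 when no ISO tool is installed.
make_seed_iso() {
    if command -v genisoimage >/dev/null 2>&1; then tool=genisoimage
    elif command -v mkisofs >/dev/null 2>&1; then tool=mkisofs
    else return 1; fi
    "$tool" -quiet -output "$2" -volid cidata -joliet -rock "$1/user-data" "$1/meta-data"
}

# usage (placeholders):
#   write_nocloud_seed ./seed vm01 "$(cat ~/.ssh/id_ed25519.pub)"
#   make_seed_iso ./seed ./seed.iso   # attach seed.iso to the clone as a CD-ROM
```

The runcmd in 90-redos.cfg regenerates /etc/machine-id on each clone; the changing instance-id here is the cloud-init side of the same concern, without it a second clone would boot with the first one's key and host name untouched.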


List IP addresses as a table in PowerShell

Get-NetIPAddress -AddressFamily IPv4 | Format-Table InterfaceIndex,InterfaceAlias,IPAddress


VYOS 1.5 qcow2

Built on a Debian 12 VM

https://codingpackets.com/blog/vyos-qemu-image-build/

https://github.com/vyos/vyos-rolling-nightly-builds/releases/download/1.5-rolling-202312191154/vyos-1.5-rolling-202312191154-amd64.iso

sudo ansible-playbook qemu.yml \
   -e disk_size=10 \
   -e cloud_init=true \
   -e cloud_init_ds=NoCloud,ConfigDrive,None \
   -e guest_agent=qemu \
   -e keep_user=false \
   -e enable_ssh=true \
   -e iso_local=/home/appc/vyos-1.5-rolling-202312191154-amd64.iso


Tuesday, 30 January 2024

SSTP + DST NAT NGINX APACHE share tcp 443

Taken from here:
https://forum.mikrotik.com/viewtopic.php?f=9&t=134358#

/interface sstp-server server set certificate=vpn.company.com.crt_0 enabled=yes port=10443
# put the source address of TCP/443 packets whose TLS SNI is vpn.company.com into the sstp-conn list
# (the list is keyed by source address and an entry lives 5 s, so any other connection to 443
#  from that same source within the window is steered to SSTP as well)
/ip firewall mangle add \
action=add-src-to-address-list \
address-list=sstp-conn \
address-list-timeout=5s \
chain=prerouting \
dst-address-type=local \
dst-port=443 \
protocol=tcp \
tls-host=vpn.company.com

# for packets from addresses in the sstp-conn list, rewrite destination port 443 to 10443 (the SSTP server)
/ip firewall nat add \
action=dst-nat \
chain=dstnat \
dst-address-type=local \
dst-port=443 \
protocol=tcp \
src-address-list=sstp-conn \
to-ports=10443

# rule publishing the web server (everything else on 80/443 goes to 192.168.88.2)
/ip firewall nat add \
action=dst-nat \
chain=dstnat \
dst-address-type=local \
dst-port=80,443 \
protocol=tcp \
to-addresses=192.168.88.2

# the mangle rule sits in prerouting, which fasttracked packets bypass, so fasttrack has to be adjusted
# option 1: accept forwarded TCP/443 before fasttrack (this rule must be above the fasttrack rule in the list);
# a port match needs protocol=tcp, and the action is accept
/ip firewall filter add action=accept chain=forward protocol=tcp dst-port=443 connection-state=established,related
# option 2: fasttrack only connections that have already carried at least 10 KB; this replaces the existing fasttrack rule
/ip firewall filter add action=fasttrack-connection chain=forward connection-bytes=10240-0 connection-state=established,related


Monday, 15 January 2024

Add a user's SSH public key on a MikroTik

#add ssh pub key to user
:local username "aratner";
:local userpubkey "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8z/rBphuDpGKHpcDtWDISCZFWybdH3fSKzVxWouLG0JuEhqZSpJT9Hd+16teA8daRPb1gY+l9+mRnCqTVDKxpnMq7jkjlfNKQPunDHhr3u7JDjeBel2JrgXs/GANMSbxyC5aRNP7XYs4TooRDUFr0XXvdglcYyP+34I0M+p9m94taK1q5FtL+JrpRXXGnhYzQn/GaV0rM9Qj21GFVWPfuqqG8wWwhaYPkeibJNhMcBy+qKRK0fIiklv68fWmIwd0Os9qEAJ4XTuVP8yfKR/Cu1hXPm/4+9JfXaw3Lh9e/J54NkRcyeT3wb0BgOpXMXnexl6HTUK59EcMaLGEaU+4F aratner@croc.ru";
#file name on the router: <username>_sshpubkey(.txt); strings are joined with ".",
#a literal "$username_sshpubkey" would be read as one (undefined) variable
:local keyfile ($username . "_sshpubkey");
:local keyfilename ($keyfile . ".txt");
#create the file (RouterOS appends .txt to the name given here)
/file print file=$keyfile;
#put the key into it
/file set [find name=$keyfilename] contents=$userpubkey;
#import the key for the user
/user ssh-keys import user=$username public-key-file=$keyfilename;

#mikrotik #ssh
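An added example, not from the post: the same key import driven from a Linux host over scp and ssh, so the public key never has to be pasted into a router script. The key line is checked first, because the usual failure is pasting a private key, a truncated line, or a key type RouterOS will not import (RSA is accepted everywhere, ed25519 from RouterOS 7.x). Assumptions: ssh access to the router as an administrative user; router name, user names and the key strings in the test are constructed placeholders.

```sh
#!/bin/sh
# Added example, not from the original post. See the lead-in for assumptions.

# 0 if $1 is exactly one OpenSSH public-key line of a type RouterOS imports,
# with an optional comment and nothing else on the line.
valid_pubkey_line() {
    printf '%s\n' "$1" | grep -Eq '^(ssh-rsa|ssh-ed25519) [A-Za-z0-9+/]+=*( [^[:space:]]+)?$'
}

# File name used on the router, the same <user>_sshpubkey.txt as the post
router_keyfile() { printf '%s_sshpubkey.txt' "$1"; }

# $1 admin@router, $2 local public-key file, $3 RouterOS user to attach it to.
# Copies the file, imports it for the user, then removes the file again.
push_router_key() {
    line=$(head -n 1 "$2") || return 1
    valid_pubkey_line "$line" || { echo "not a usable public-key line: $2" >&2; return 1; }
    remote=$(router_keyfile "$3")
    scp -q "$2" "$1:$remote" || return 1
    ssh "$1" "/user ssh-keys import user=$3 public-key-file=$remote" || return 1
    ssh "$1" "/file remove [find name=\"$remote\"]"
}

# usage (placeholders): push_router_key admin@router.example.test ~/.ssh/id_rsa.pub aratner
```

After a successful import, `/user ssh-keys print` on the router lists the key under the user; log in with the key once before disabling password authentication for that user.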


gnome chrome dock

Create a launcher (.desktop file) for each profile
# shell variable names cannot contain "-", so the profile name is kept in $profile
profile=gmail-chrome
cat > $HOME/Desktop/$profile.desktop << EOF
[Desktop Entry]
Version=1.0
Name=$profile
GenericName=$profile
Exec=/usr/bin/google-chrome --user-data-dir=$HOME/$profile --class="$profile"
Icon=$HOME/$profile/icon.png
StartupWMClass=$profile
Comment=Chromium Alternate
Terminal=false
X-MultipleArgs=false
Type=Application
Categories=Network;WebBrowser;
MimeType=text/html;text/xml;application/xhtml_xml;x-scheme-handler/http;x-scheme-handler/https;
StartupNotify=true
Actions=NewWindow;Incognito;TempProfile;
X-AppInstall-Package=chromium-browser
EOF

This is needed so that Chrome instances started with different profiles (separate --user-data-dir and window class) show up as separate applications in the dock.


netboot.xyz podman

storage="/rpool/containers"
newpodname="netbootxyz"
newpodlocalpath="$storage/$newpodname"

mkdir -p $newpodlocalpath/{config,assets}

podman run -d \
  --name=$newpodname-app \
  -p 3000:3000                       `# sets webapp port` \
  -p 69:69/udp                       `# sets tftp port` \
  -p 8069:80                         `# optional` \
  -v $newpodlocalpath/config:/config   `# optional` \
  -v $newpodlocalpath/assets:/assets   `# optional` \
  --restart unless-stopped \
  docker.io/netbootxyz/netbootxyz

cd /etc/systemd/system
podman generate systemd --files --name ${newpodname}-app
systemctl daemon-reload
systemctl enable container-${newpodname}-app
systemctl stop  container-${newpodname}-app
systemctl start  container-${newpodname}-app

#    -e MENU_VERSION=2.0.59             `# optional` \
#  --pod=$newpodname \


nexus podman

storage="/rpool/containers"
newpodname="nexus"
newpodlocalpath="$storage/$newpodname"

podman pod create \
  --name $newpodname \
  -p 8081:8081

mkdir -p "$newpodlocalpath/data"
chown -R 200:200 "$newpodlocalpath/data"
podman run -d \
  --pod $newpodname \
  --name $newpodname-app \
  -v $newpodlocalpath/data:/nexus-data \
  docker.io/sonatype/nexus3

cd /etc/systemd/system
podman generate systemd --files --name ${newpodname}
systemctl daemon-reload
systemctl enable pod-${newpodname}
systemctl stop pod-${newpodname}
systemctl start pod-${newpodname}


Nginx Proxy Manager podman

storage="/rpool/containers"
newpodname="npm"
newpodlocalpath="$storage/$newpodname"
newpodmysqldb="npmdb"
newpodmysqluser="npmuser"
newpodmysqlpass="FdGawCetmok4"

podman pod create \
  --name $newpodname \
  -p 80:80 \
  -p 443:443 \
  -p 81:81

mkdir -p "$newpodlocalpath/data"
mkdir -p "$newpodlocalpath/letsencrypt"
podman run -d \
  --name=${newpodname}-npm \
  --pod=${newpodname} \
  -e DB_SQLITE_FILE=/data/database.sqlite \
  -e DISABLE_IPV6='true' \
  -v $newpodlocalpath/data:/data \
  -v $newpodlocalpath/letsencrypt:/etc/letsencrypt \
  docker.io/jc21/nginx-proxy-manager:latest

cd /etc/systemd/system
podman generate systemd --files --name ${newpodname}
systemctl daemon-reload
systemctl enable pod-${newpodname}
systemctl stop pod-${newpodname}
systemctl start pod-${newpodname}

version: '3.8'
services:
  app:
    image: 'jc21/nginx-proxy-manager:latest'
    restart: unless-stopped
    ports:
      # These ports are in format <host-port>:<container-port>
      - '80:80' # Public HTTP Port
      - '443:443' # Public HTTPS Port
      - '81:81' # Admin Web Port
      # Add any other Stream port you want to expose
      # - '21:21' # FTP

    # Uncomment the next line if you uncomment anything in the section
    # environment:
      # Uncomment this if you want to change the location of
      # the SQLite DB file within the container
      # DB_SQLITE_FILE: "/data/database.sqlite"

      # Uncomment this if IPv6 is not enabled on your host
      # DISABLE_IPV6: 'true'

    volumes:
      - ./data:/data
      - ./letsencrypt:/etc/letsencrypt
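An added example, not from any of the three podman posts above: the same netboot.xyz, Nexus and Nginx Proxy Manager services written as Quadlet `.container` units, which Podman 4.4 and later turns into systemd services at daemon-reload, replacing the `podman generate systemd` step that the Podman documentation now marks as deprecated. It also binds the NPM admin port (81) to loopback only, as the hardened counterpart of the `-p 81:81` in the post. Images, volumes and the other ports follow the posts; the unit directory and everything else here are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the original posts. See the lead-in for assumptions.

UNIT_DIR=${UNIT_DIR:-/etc/containers/systemd}   # root Quadlet directory
storage=${storage:-/rpool/containers}           # same layout as the posts

# Emit a Quadlet .container unit. $1 name, $2 image, $3 space-separated
# host:container port pairs, $4 space-separated host:container volume pairs,
# $5 optional space-separated KEY=VALUE environment entries.
quadlet_unit() {
    name=$1; image=$2; ports=$3; volumes=$4; env=${5:-}
    printf '[Unit]\nDescription=%s container\n\n[Container]\n' "$name"
    printf 'ContainerName=%s\nImage=%s\n' "$name" "$image"
    for p in $ports;   do printf 'PublishPort=%s\n' "$p"; done
    for v in $volumes; do printf 'Volume=%s\n' "$v"; done
    for e in $env;     do printf 'Environment=%s\n' "$e"; done
    printf '\n[Service]\nRestart=always\n\n[Install]\nWantedBy=multi-user.target default.target\n'
}

# Write unit $1 (remaining arguments as for quadlet_unit) to $UNIT_DIR/$1.container
install_unit() {
    name=$1; shift
    mkdir -p "$UNIT_DIR"
    quadlet_unit "$name" "$@" > "$UNIT_DIR/$name.container"
}

install_all() {
    install_unit netbootxyz docker.io/netbootxyz/netbootxyz \
        "3000:3000 69:69/udp 8069:80" \
        "$storage/netbootxyz/config:/config $storage/netbootxyz/assets:/assets"
    install_unit nexus docker.io/sonatype/nexus3 \
        "8081:8081" "$storage/nexus/data:/nexus-data"
    # admin UI reachable only on the host itself (ssh port-forward or a
    # proxy host entry in NPM), the public 80/443 stay as in the post
    install_unit npm docker.io/jc21/nginx-proxy-manager:latest \
        "80:80 443:443 127.0.0.1:81:81" \
        "$storage/npm/data:/data $storage/npm/letsencrypt:/etc/letsencrypt" \
        "DB_SQLITE_FILE=/data/database.sqlite DISABLE_IPV6=true"
    # Quadlet generates <name>.service on reload; the [Install] section makes
    # them enabled, so only a start is needed
    systemctl daemon-reload
    for n in netbootxyz nexus npm; do systemctl start "$n.service"; done
}

# usage: install_all   (as root; mkdir/chown of the data directories as in the posts first)
```

The Nexus volume still needs the `chown -R 200:200` from its post before the first start; Quadlet only describes the container, not the host directories it mounts.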


Why "gamer" keyboards don't work with a KVM switch

The answer was found here:

The USB keyboard protocol is limited to 6 keys pressed simultaneously + 3 modifier keys. To bypass this limitation, some keyboards report to the computer as a USB hub with multiple keyboards connected to it.

If your KVM switch was just directly passing through its USB port to the active computer, it would work fine, but this approach has two disadvantages:

You can't switch computers using keyboard shortcuts because the KVM doesn't interact with the keyboard, or whatever else is connected to USB.
Switching between computers disconnects the USB device from one computer and connects it to the other. This will trigger USB (dis)connection sounds and may cause a short delay until devices start working after the switch.
To solve these problems, switches take over keyboard communication and pretend to be a permanently connected keyboard for each computer. Keystrokes are passed through to the active computer or intercepted if they're recognized by the KVM as a special command.

For this feature to work, the connected device must actually be a keyboard - the KVM doesn't implement the complete USB protocol including hub support. So if the keyboard reports as a hub, the KVM may not know what to do with it.


samba-tool delegation

Delegate full rights on an OU to a group
OUDN="OU=_OU3,DC=alt,DC=aratner,DC=ru"
# SID of the group (S-1-5-21-...), for example from: wbinfo -n 'DOMAIN\group'
GROUPSID=""
# OA ACE with CI (inherit to child objects); the rights string is full control spelled out
samba-tool dsacl set --objectdn=$OUDN --sddl="(OA;CI;RPWPCRCCDCLCLORCWOWDSDDTSW;;;$GROUPSID)"


AD delegation

https://blog.stevecoinc.com/2017/04/delegating-domain-join-privileges-in.html?m=1

Delegating domain join privileges in Samba 4 from the command line (or not)

I'm trying to solve a bit of a mystery. I'd like to set up Samba 4 without using Windows. Most things seem to be possible, but I can't figure out how to delegate domain join privileges. Unfortunately, even the official documentation specifically references ADUC.

So I did some digging into what it would take to delegate domain join privileges without a Windows system. After several dead ends, I ran across this page: https://www.sevecek.com/EnglishPages/Lists/Posts/Post.aspx?ID=48

The important bit of that page is this script that uses the Windows command-line tool dsacls:

$user = 'gps\SCCM Client Computer Joiners'
$ou = 'OU=SCCM Test Clients,OU=SCCM,OU=Service,OU=Company,DC=gopas,DC=virtual'

DSACLS $ou /R $user

DSACLS $ou /I:S /G "$($user):GR;;computer"
DSACLS $ou /I:S /G "$($user):CA;Reset Password;computer"
DSACLS $ou /I:S /G "$($user):WP;pwdLastSet;computer"
DSACLS $ou /I:S /G "$($user):WP;Logon Information;computer"
DSACLS $ou /I:S /G "$($user):WP;description;computer"
DSACLS $ou /I:S /G "$($user):WP;displayName;computer"
DSACLS $ou /I:S /G "$($user):WP;sAMAccountName;computer"
DSACLS $ou /I:S /G "$($user):WP;DNS Host Name Attributes;computer"
DSACLS $ou /I:S /G "$($user):WP;Account Restrictions;computer"
DSACLS $ou /I:S /G "$($user):WP;servicePrincipalName;computer"
DSACLS $ou /I:S /G "$($user):CC;computer;organizationalUnit"

samba-tool has a subcommand dsacl set that I thought might be able to accomplish the same task. After a lot of work trying to get the arguments correct, I got to this point:
[root@dc1 ~]# samba-tool dsacl set --action=allow --objectdn='cn=Computers,dc=samba4,dc=local' --trusteedn='cn=Domain Join,cn=Users,dc=samba4,dc=local' --sddl='GR;;computer' --realm=SAMBA4.LOCAL -U administrator --password="$( cat /root/.password )"
new descriptor for cn=Computers,dc=samba4,dc=local:
O:DAG:DAD:AI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPWPCRCCDCLCLORCWOWDSW;;;DA)(OA;;CCDC;bf967a86-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967aba-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967a9c-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967aa8-0de6-11d0-a285-00aa003049e2;;PO)(A;;RPLCLORC;;;AU)(OA;;CCDC;4828cc14-1437-45bc-9b07-ad6f015e5f28;;AO)(OA;CIIOID;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIOID;RPLCLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RPLCLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RPLCLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIID;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;CIID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)(A;CIID;LC;;;RU)(A;CIID;RPWPCRCCLCLORCWOWDSDSW;;;BA)S:AI(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
ERROR(<type 'exceptions.TypeError'>): uncaught exception - Unable to parse SDDL
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/dsacl.py", line 174, in run
    self.add_ace(samdb, objectdn, new_ace)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/dsacl.py", line 129, in add_ace
    desc = security.descriptor.from_sddl(desc_sddl, self.get_domain_sid(samdb))
So... I think the arguments to dsacls are some kind of "friendly" names that resolve to UUIDs or SIDs or something on the back end, but I can't figure out how to do the mapping.

Appreciating you putting your thoughts out there. This helped me get started on the problem and I think I figured it out. I ended up using the Windows GUI to make the delegation per Samba's instructions and compared the changes before/after to get this:

SID="GroupSIDHere"
samba-tool dsacl set --action=allow --objectdn='cn=Computers,dc=directory,dc=example,dc=com' --sddl="(OA;CI;CCDC;BF967A86-0DE6-11D0-A285-00AA003049E2;;$SID)(OA;CIIO;SWWP;F3A64788-5306-11D1-A9C5-0000F80367C1;BF967A86-0DE6-11D0-A285-00AA003049E2;$SID)(OA;CIIO;SWRPWP;72E39547-7B18-11D1-ADEF-00C04FD8D5CD;BF967A86-0DE6-11D0-A285-00AA003049E2;$SID)(OA;CIIO;RPWP;4C164200-20C0-11D0-A768-00AA006E0529;BF967A86-0DE6-11D0-A285-00AA003049E2;$SID)(OA;CIIO;CR;00299570-246D-11D0-A768-00AA006E0529;BF967A86-0DE6-11D0-A285-00AA003049E2;$SID)"
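An added example, not from the two samba-tool posts or the quoted blog: it builds the join-delegation SDDL from named GUIDs so each ACE says what it grants, resolves the group SID instead of leaving it to be pasted, and parses `samba-tool dsacl get` output to confirm the ACEs are present. The GUIDs are the well-known, forest-independent ids for the computer class, the validated writes to servicePrincipalName and dNSHostName, the Account Restrictions property set and the Reset Password control right, the same five that appear in the comment above. Group and OU names, and the SID used in the test, are constructed placeholders; winbind on the DC is assumed for the SID lookup.

```sh
#!/bin/sh
# Added example, not from the original posts. See the lead-in for assumptions.

# Schema / rights GUIDs (identical in every AD forest)
COMPUTER_CLASS=bf967a86-0de6-11d0-a285-00aa003049e2       # class: computer
VALIDATED_SPN=f3a64788-5306-11d1-a9c5-0000f80367c1        # validated write: servicePrincipalName
VALIDATED_DNSHOST=72e39547-7b18-11d1-adef-00c04fd8d5cd    # validated write: dNSHostName
ACCOUNT_RESTRICTIONS=4c164200-20c0-11d0-a768-00aa006e0529 # property set: account restrictions
RESET_PASSWORD=00299570-246d-11d0-a768-00aa006e0529       # control right: reset password

# SDDL granting SID $1 what a joiner needs on an OU: create computer objects
# there, and on the child computers the validated writes, account
# restrictions and password reset. CI = inherit to children, IO = inherit
# only (the OU object itself is not touched by the IO ACEs).
join_delegation_sddl() {
    sid=$1
    printf '(OA;CI;CCDC;%s;;%s)' "$COMPUTER_CLASS" "$sid"
    printf '(OA;CIIO;SWWP;%s;%s;%s)' "$VALIDATED_SPN" "$COMPUTER_CLASS" "$sid"
    printf '(OA;CIIO;SWRPWP;%s;%s;%s)' "$VALIDATED_DNSHOST" "$COMPUTER_CLASS" "$sid"
    printf '(OA;CIIO;RPWP;%s;%s;%s)' "$ACCOUNT_RESTRICTIONS" "$COMPUTER_CLASS" "$sid"
    printf '(OA;CIIO;CR;%s;%s;%s)\n' "$RESET_PASSWORD" "$COMPUTER_CLASS" "$sid"
}

# Split an SDDL string into one ACE per line; the O:/G:/D:/S: headers and
# the "S:AI" that follows the last DACL ACE are dropped.
sddl_aces() {
    printf '%s' "$1" | awk -v RS='(' 'NR>1 { sub(/\).*/, ")"); print "(" $0 }'
}

# Number of ACEs in SDDL $1 whose trustee field is $2 (SID or SDDL alias)
aces_for_trustee() {
    sddl_aces "$1" | grep -c ";$2)\$" || true
}

# SID of group $1 (DOMAIN\group form) via winbind
group_sid() { wbinfo -n "$1" | awk '{ print $1 }'; }

# Apply the delegation to OU $1 for group $2 and verify it landed.
delegate_join() {
    sid=$(group_sid "$2") || return 1
    [ -n "$sid" ] || return 1
    samba-tool dsacl set --objectdn="$1" --sddl="$(join_delegation_sddl "$sid")" || return 1
    current=$(samba-tool dsacl get --objectdn="$1" | tail -n 1)
    [ "$(aces_for_trustee "$current" "$sid")" -ge 5 ]
}

# usage (placeholders): delegate_join 'OU=Workstations,DC=example,DC=test' 'EXAMPLE\Domain Join'
```

`aces_for_trustee` is also the quick audit for the opposite question, which SIDs have been granted anything on an OU, by running it over the descriptor with each trustee of interest.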



letsencrypt mikrotik

:local dnsName "vpn.dom.ru"
:local certName "$dnsName.cer"
:local certFullChain "$certName,1_.cer,0_.cer"
:local ipsecIdentityComment $dnsName
:local fwComment "letsencrypt"

# the www service and the filter rule tagged "letsencrypt" (assumed to accept TCP/80 for the
# HTTP-01 challenge) are enabled only for the duration of the renewal
:log info "[LE] enable www"
/ip/service/enable www
/ip/firewall/filter/enable [ find where comment=$fwComment ]

:log info "[LE] updating cert for $dnsName"
/certificate enable-ssl-certificate dns-name=$dnsName

:log info "[LE] disable www"
/ip/service/disable www
/ip/firewall/filter/disable [ find where comment=$fwComment ]

:log info "[LE] rename cert to $certName "
/certificate/set numbers=[/certificate/find where common-name=$dnsName] name="$certName"
:log info "[LE] setup cert for sstp server"
/interface/sstp-server/server/set certificate="$certName"
:log info "[LE] setup cert for ipsec identity"
/ip/ipsec/identity/set numbers=[find where comment=$ipsecIdentityComment] certificate=$certFullChain
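An added example, not from the MikroTik posts: a check run from a Linux host that reports which certificate a TLS endpoint presents for a given SNI and whether it is close to expiry. It serves two of the posts above: for the SSTP and web server sharing of port 443, the router should answer the SNI vpn.company.com with the SSTP certificate and any other name with the published web server's certificate; for the Let's Encrypt script, the SSTP server should present the freshly renewed certificate once the script has run. Host names in the usage comments and the self-signed certificate generated in the test are constructed placeholders; only openssl is required.

```sh
#!/bin/sh
# Added example, not from the original posts. See the lead-in for assumptions.

# Leaf certificate (PEM) that $1:$2 presents when SNI $3 is sent
fetch_cert() {
    openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null \
        | openssl x509 2>/dev/null
}

# Subject CN of the PEM certificate on stdin (old "/CN=" and new "CN = " forms)
cert_cn() {
    openssl x509 -noout -subject | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p' | sed 's/ *$//'
}

# Issuer organisation of the PEM certificate on stdin ("Let's Encrypt" for LE)
cert_issuer_o() {
    openssl x509 -noout -issuer | sed -n 's|.*O *= *\([^,/]*\).*|\1|p' | sed 's/ *$//'
}

# 0 if PEM file $1 is still valid $2 days from now
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Report what $1:$2 answers for SNI $3 and compare the CN with $4.
# Returns 0 on a match, 1 on a mismatch, 2 when no certificate came back.
check_endpoint() {
    pem=$(fetch_cert "$1" "$2" "$3")
    [ -n "$pem" ] || { echo "$1:$2 sni=$3: no certificate (handshake failed)"; return 2; }
    cn=$(printf '%s\n' "$pem" | cert_cn)
    issuer=$(printf '%s\n' "$pem" | cert_issuer_o)
    tmp=$(mktemp); printf '%s\n' "$pem" > "$tmp"
    if cert_valid_for_days "$tmp" 14; then exp="valid for more than 14 days"
    else exp="EXPIRES WITHIN 14 DAYS"; fi
    rm -f "$tmp"
    echo "$1:$2 sni=$3: CN=$cn issuer=$issuer ($exp)"
    [ "$cn" = "$4" ]
}

# usage (placeholders):
#   check_endpoint router.example.test 443 vpn.company.com vpn.company.com   # SSTP certificate
#   check_endpoint router.example.test 443 www.example.test www.example.test # web server's
```

Run the pair of checks from outside the LAN, because the SNI steering in the mangle rule only applies to traffic that actually arrives on the router's public address.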
