With this commit, it is advised to `rm ./data/root_ca.crt ./data/*.pem`, as new certificates and a root CA will be generated while utilizing the step volume. Closes #367 Signed-off-by: Kevin Morris <kevr@0cost.org>
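#!/bin/bash
#
# Initialize step-ca and request certificates from it.
#
# Certificates created by this service are meant to be used in
# aurweb Docker's nginx service.
#
# If the step configuration directory (/root/.step/config) already
# exists, CA and certificate generation are skipped and the container
# command ("$@") is exec'd directly. Otherwise the existing
# /data/root_ca.crt and /data/${host}.{cert,key}.pem files are removed
# and a fresh CA plus host certificates are generated before the
# container command is exec'd.
#
set -euo pipefail

# /data-based variables (the volume shared with the nginx service).
DATA_DIR="/data"
DATA_ROOT_CA="$DATA_DIR/root_ca.crt"
DATA_CERT="$DATA_DIR/localhost.cert.pem"
DATA_CERT_KEY="$DATA_DIR/localhost.key.pem"

# Host certificates requested from the CA (separated by spaces).
DATA_CERT_HOSTS='localhost'

# Local step paths and CA configuration values.
# Under set -e this line aborts the script if step-cli is not in PATH.
STEP_DIR="$(step-cli path)"
STEP_CA_CONFIG="$STEP_DIR/config/ca.json"
STEP_CA_ADDR='127.0.0.1:8443'
STEP_CA_URL='https://localhost:8443'
STEP_CA_PROVISIONER='admin@localhost'

# Password file used for both --password-file and --provisioner-password-file.
# It protects the CA signing keys and the provisioner and therefore stays
# inside $STEP_DIR rather than on the shared /data volume.
STEP_PASSWD_FILE="$STEP_DIR/password.txt"

# Hostnames supported by the CA.
STEP_CA_NAME='aurweb'
STEP_CA_DNS='localhost'
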
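make_password() {
  # Write a random password (20 random bytes, i.e. 40 hex characters)
  # to the file named by $1.
  #
  # The file is created with mode 0600 first so the CA/provisioner
  # password is never readable by other users for even a moment;
  # openssl then fills it in place (the redirection keeps the mode).
  #
  # Arguments: $1 - destination path
  # Returns:   openssl's exit status
  local dest=$1
  install -m 0600 -- /dev/null "$dest"
  openssl rand -hex 20 > "$dest"
}
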
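setup_step_ca() {
  # Remove any previous step state and initialize a fresh CA.
  #
  # Globals:   STEP_DIR, STEP_PASSWD_FILE, STEP_CA_NAME, STEP_CA_DNS,
  #            STEP_CA_ADDR, STEP_CA_PROVISIONER, STEP_CA_URL,
  #            STEP_CA_CONFIG, DATA_ROOT_CA (all read)
  # Outputs:   a new CA under $STEP_DIR; root_ca.crt copied to $DATA_ROOT_CA
  #
  # "${STEP_DIR:?}" aborts instead of expanding to a bare "/*" should the
  # variable ever be empty; "--" stops option parsing on odd path names.
  rm -rf -- "${STEP_DIR:?}"/*

  # Initialize `step`; one password file protects both the CA keys and
  # the provisioner.
  make_password "$STEP_PASSWD_FILE"
  step-cli ca init \
    --name="$STEP_CA_NAME" \
    --dns="$STEP_CA_DNS" \
    --address="$STEP_CA_ADDR" \
    --password-file="$STEP_PASSWD_FILE" \
    --provisioner="$STEP_CA_PROVISIONER" \
    --provisioner-password-file="$STEP_PASSWD_FILE" \
    --with-ca-url="$STEP_CA_URL"

  # Update ca.json max TLS certificate duration to a year.
  update-step-config "$STEP_CA_CONFIG"

  # Publish root_ca.crt read/writable by everybody on the shared volume.
  # The root certificate is public data, so 0666 only matters for who may
  # replace it; presumably other volume users need that - confirm.
  install -m666 "$STEP_DIR/certs/root_ca.crt" "$DATA_ROOT_CA"
}
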
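start_step_ca() {
  # Start the step-ca web server in the background and block until it
  # accepts TCP connections on $STEP_CA_ADDR.
  #
  # Globals:   STEP_CA_CONFIG, STEP_PASSWD_FILE, STEP_CA_ADDR (read)
  #            STEP_CA_PID (written: pid of the background step-ca)
  # Returns:   0 once the port is reachable; 1 if step-ca exits first
  local host=${STEP_CA_ADDR%:*}
  local port=${STEP_CA_ADDR##*:}

  step-ca "$STEP_CA_CONFIG" \
    --password-file="$STEP_PASSWD_FILE" &
  STEP_CA_PID=$!

  # Poll with bash's /dev/tcp pseudo-device. Bail out instead of spinning
  # forever when the server has already died (bad config, port in use).
  until printf "" 2>/dev/null >"/dev/tcp/$host/$port"; do
    if ! kill -0 "$STEP_CA_PID" 2>/dev/null; then
      printf 'ERROR: step-ca exited before %s became reachable\n' \
        "$STEP_CA_ADDR" >&2
      return 1
    fi
    sleep 1
  done
}
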
kill_step_ca() {
  # Stop the background step-ca web server.
  #
  # killall's status is ignored on purpose: an already-gone process (or
  # a missing killall) must not abort the script under set -e.
  killall step-ca &>/dev/null || true
}

install_step_ca() {
  # Install the step-ca root certificate into the system trust store.
  #
  # Globals: STEP_DIR (read)
  local root_crt="$STEP_DIR/certs/root_ca.crt"
  step-cli certificate install "$root_crt"
}

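step_cert_request() {
  # Request a host certificate from the running step CA.
  #
  # Globals:   STEP_CA_PROVISIONER, STEP_PASSWD_FILE, DATA_DIR (read)
  # Arguments: $1 - hostname (certificate subject)
  #            $2 - output certificate path
  #            $3 - output private key path
  # Outputs:   writes $2 and $3, then chmods $DATA_DIR/$1.*.pem to 0666
  local subject=$1
  local crt_file=$2
  local key_file=$3

  # 8800h is roughly one year; presumably chosen to match the max TLS
  # duration update-step-config writes to ca.json - confirm.
  step-cli ca certificate \
    --not-after=8800h \
    --provisioner="$STEP_CA_PROVISIONER" \
    --provisioner-password-file="$STEP_PASSWD_FILE" \
    "$subject" "$crt_file" "$key_file"

  # NOTE(review): 0666 leaves the private key world-readable and
  # -writable on the shared volume; 0644 (or narrower) would still let
  # the nginx service read it - confirm before tightening.
  chmod 666 -- "$DATA_DIR/${subject}".*.pem
}
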
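# Regenerate everything when step has no configuration yet (first run, or
# the step volume was wiped); otherwise hand over to the container command.
# /root/.step/config is presumably the same as $STEP_DIR/config - confirm.
if [ ! -d /root/.step/config ]; then
  # Remove existing certs so stale files never outlive the CA that
  # signed them.
  rm -vf -- "$DATA_CERT" "$DATA_CERT_KEY" "$DATA_ROOT_CA"

  setup_step_ca
  install_step_ca

  start_step_ca
  # Deliberately unquoted: DATA_CERT_HOSTS is a space-separated list.
  for host in $DATA_CERT_HOSTS; do
    step_cert_request "$host" \
      "$DATA_DIR/${host}.cert.pem" "$DATA_DIR/${host}.key.pem"
  done
  kill_step_ca

  printf '%s%s%s\n' \
    "WARN: Your certificates are being regenerated to resolve " \
    "an inconsistent step-ca state. You will need to re-import " \
    "the root CA certificate into your browser."
else
  exec "$@"
fi

# Only reached on the regeneration path (the else branch exec's directly).
# Set permissions to /data to rwx for everybody.
chmod 777 /data

exec "$@"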