summary refs log tree commit diff stats
path: root/system/services/taskserver/certs/generate
diff options
context:
space:
mode:
authorBenedikt Peetz <benedikt.peetz@b-peetz.de>2024-10-05 21:14:23 +0200
committerBenedikt Peetz <benedikt.peetz@b-peetz.de>2024-10-05 21:14:23 +0200
commite160aae0d52b7e7d7403105e110f2e73ebedc5b7 (patch)
tree43c2085907b693fecc00628aafb2c47421e91086 /system/services/taskserver/certs/generate
parentchore(taskserver/certs/ca.key.pem.gpg): reencrypt with new keys as recipients (diff)
downloadnixos-server-e160aae0d52b7e7d7403105e110f2e73ebedc5b7.tar.gz
nixos-server-e160aae0d52b7e7d7403105e110f2e73ebedc5b7.zip
refactor(taskserver/certs): Format scripts and allow selecting which certs to generate
Diffstat (limited to 'system/services/taskserver/certs/generate')
-rwxr-xr-xsystem/services/taskserver/certs/generate52
1 files changed, 39 insertions, 13 deletions
diff --git a/system/services/taskserver/certs/generate b/system/services/taskserver/certs/generate
index 283697f..3d0ebe3 100755
--- a/system/services/taskserver/certs/generate
+++ b/system/services/taskserver/certs/generate
@@ -1,4 +1,5 @@
-#!/bin/sh
+#!/usr/bin/env nix
+#! nix shell nixpkgs#openssl nixpkgs#gnutls nixpkgs#dash --command dash
 
 # For a public or production server, purchase a cert from a known CA, and skip
 # the next step.
@@ -10,25 +11,49 @@
 #   server.key.pem
 #   server.cert.pem
 
-GENERATION_LOCATION="/run/user/$(id -u)/taskserver/certs";
+GENERATION_LOCATION="/run/user/$(id -u)/taskserver/certs"
 BASEDIR="$(dirname "$0")"
-cd "$BASEDIR" || echo "(BUG?) No basedir ('$BASEDIR')" 1>&2
+cd "$BASEDIR" || {
+    echo "(BUG?) No basedir ('$BASEDIR')" 1>&2
+    exit 1
+}
 
+ca=false
+crl=false
+clients=false
+
+for arg in "$@"; do
+    case "$arg" in
+    "--ca")
+        ca=true
+        ;;
+    "--crl")
+        crl=true
+        ;;
+    "--clients")
+        clients=true
+        ;;
+    esac
+done
+
+# `ca.cert.pem` is not on this list, as it would otherwise get deleted in the `rm` on the
+# second-to last line
 set -- ./vars ./generate.ca ./generate.crl ./generate.client ./ca.key.pem.gpg ./isrgrootx1.pem
 
-mkdir -p "$GENERATION_LOCATION"
-cp "$@" "./ca.cert.pem" "$GENERATION_LOCATION"
+mkdir --parents "$GENERATION_LOCATION"
+cp "$@" ./ca.cert.pem "$GENERATION_LOCATION"
 cd "$GENERATION_LOCATION" || echo "(BUG?) No possible location fould!" 1>&2
 
-gpg --decrypt ca.key.pem.gpg > ca.key.pem
-cat ./isrgrootx1.pem >> ./ca.cert.pem
-[ -f ./ca.key.pem ] || ./generate.ca
+gpg --decrypt ca.key.pem.gpg >ca.key.pem
+
+[ "$ca" = true ] && ./generate.ca
+cat ./isrgrootx1.pem >>./ca.cert.pem
 
 # Generate a certificate revocation list (CRL).  The initial CRL is empty, but
 # can grow over time.  Creates:
 #   server.crl.pem
 
-./generate.crl
+[ "$crl" = true ] && ./generate.crl
 
 # The above is sufficient to operate a server. You now need to run a client cert creation
 # process per client; Add the required client names and uncomment
@@ -39,10 +64,11 @@ cat ./isrgrootx1.pem >> ./ca.cert.pem
 #   <client_name>.key.pem
 #   <client_name>.cert.pem
 #
-./generate.client soispha
-./generate.client android-mobile
-./generate.client android-tab
-
+[ "$clients" = true ] && ./generate.client soispha
+[ "$clients" = true ] && ./generate.client android-mobile
+[ "$clients" = true ] && ./generate.client android-tab
 
 rm "$@" "./ca.key.pem"
 echo "(INFO) Look for the keys at: $GENERATION_LOCATION"
+
+# vim: ft=sh