diff options
author | Benedikt Peetz <benedikt.peetz@b-peetz.de> | 2024-10-05 21:14:23 +0200 |
---|---|---|
committer | Benedikt Peetz <benedikt.peetz@b-peetz.de> | 2024-10-05 21:14:23 +0200 |
commit | e160aae0d52b7e7d7403105e110f2e73ebedc5b7 (patch) | |
tree | 43c2085907b693fecc00628aafb2c47421e91086 /system/services | |
parent | chore(taskserver/certs/ca.key.pem.gpg): reencrypt with new keys as recipients (diff) | |
download | nixos-server-e160aae0d52b7e7d7403105e110f2e73ebedc5b7.tar.gz nixos-server-e160aae0d52b7e7d7403105e110f2e73ebedc5b7.zip |
refactor(taskserver/certs): Format scripts and allow selecting which certs to generate
Diffstat (limited to 'system/services')
-rwxr-xr-x | system/services/taskserver/certs/check_expire | 8 | ||||
-rwxr-xr-x | system/services/taskserver/certs/generate | 52 | ||||
-rwxr-xr-x | system/services/taskserver/certs/generate.ca | 40 |
3 files changed, 64 insertions, 36 deletions
diff --git a/system/services/taskserver/certs/check_expire b/system/services/taskserver/certs/check_expire index 89969cc..39f3291 100755 --- a/system/services/taskserver/certs/check_expire +++ b/system/services/taskserver/certs/check_expire @@ -1,4 +1,10 @@ -#!/bin/sh +#!/usr/bin/env nix +#! nix shell nixpkgs#openssl nixpkgs#dash --command dash + +cd "$(dirname "$0")" || { + echo "No dir name?!" + exit 1 +} for cert in *.cert.pem; do echo "$cert" diff --git a/system/services/taskserver/certs/generate b/system/services/taskserver/certs/generate index 283697f..3d0ebe3 100755 --- a/system/services/taskserver/certs/generate +++ b/system/services/taskserver/certs/generate @@ -1,4 +1,5 @@ -#!/bin/sh +#!/usr/bin/env nix +#! nix shell nixpkgs#openssl nixpkgs#gnutls nixpkgs#dash --command dash # For a public or production server, purchase a cert from a known CA, and skip # the next step. @@ -10,25 +11,49 @@ # server.key.pem # server.cert.pem -GENERATION_LOCATION="/run/user/$(id -u)/taskserver/certs"; +GENERATION_LOCATION="/run/user/$(id -u)/taskserver/certs" BASEDIR="$(dirname "$0")" -cd "$BASEDIR" || echo "(BUG?) No basedir ('$BASEDIR')" 1>&2 +cd "$BASEDIR" || { + echo "(BUG?) No basedir ('$BASEDIR')" 1>&2 + exit 1 +} +ca=false +crl=false +clients=false + +for arg in "$@"; do + case "$arg" in + "--ca") + ca=true + ;; + "--crl") + crl=true + ;; + "--clients") + clients=true + ;; + esac +done + +# `ca.cert.pem` is not on this list, as it would otherwise get deleted in the `rm` on the +# second-to last line set -- ./vars ./generate.ca ./generate.crl ./generate.client ./ca.key.pem.gpg ./isrgrootx1.pem -mkdir -p "$GENERATION_LOCATION" -cp "$@" "./ca.cert.pem" "$GENERATION_LOCATION" +mkdir --parents "$GENERATION_LOCATION" +cp "$@" ./ca.cert.pem "$GENERATION_LOCATION" cd "$GENERATION_LOCATION" || echo "(BUG?) No possible location fould!" 1>&2 -gpg --decrypt ca.key.pem.gpg > ca.key.pem -cat ./isrgrootx1.pem >> ./ca.cert.pem -[ -f ./ca.key.pem ] || ./generate.ca +gpg --decrypt ca.key.pem.gpg >ca.key.pem + +[ "$ca" = true ] && ./generate.ca +cat ./isrgrootx1.pem >>./ca.cert.pem # Generate a certificate revocation list (CRL). The initial CRL is empty, but # can grow over time. Creates: # server.crl.pem -./generate.crl +[ "$crl" = true ] && ./generate.crl # The above is sufficient to operate a server. You now need to run a client cert creation # process per client; Add the required client names and uncomment @@ -39,10 +64,11 @@ cat ./isrgrootx1.pem >> ./ca.cert.pem # <client_name>.key.pem # <client_name>.cert.pem # -./generate.client soispha -./generate.client android-mobile -./generate.client android-tab - +[ "$clients" = true ] && ./generate.client soispha +[ "$clients" = true ] && ./generate.client android-mobile +[ "$clients" = true ] && ./generate.client android-tab rm "$@" "./ca.key.pem" echo "(INFO) Look for the keys at: $GENERATION_LOCATION" + +# vim: ft=sh diff --git a/system/services/taskserver/certs/generate.ca b/system/services/taskserver/certs/generate.ca index a9fbc0c..eb0dd5c 100755 --- a/system/services/taskserver/certs/generate.ca +++ b/system/services/taskserver/certs/generate.ca @@ -2,29 +2,26 @@ # Take the correct binary to create the certificates CERTTOOL=$(command -v gnutls-certtool 2>/dev/null || command -v certtool 2>/dev/null) -if [ -z "$CERTTOOL" ] -then - echo "ERROR: No certtool found" >&2 - exit 1 +if [ -z "$CERTTOOL" ]; then + echo "ERROR: No certtool found" >&2 + exit 1 fi . ./vars -if ! [ -f ca.key.pem ] -then - # Create a CA key. - $CERTTOOL \ - --generate-privkey \ - --sec-param $SEC_PARAM \ - --outfile ca.key.pem +if ! [ -f ca.key.pem ]; then + # Create a CA key. + $CERTTOOL \ + --generate-privkey \ + --sec-param $SEC_PARAM \ + --outfile ca.key.pem fi chmod 600 ca.key.pem -if ! [ -f ca.template ] -then - # Sign a CA cert. - cat <<EOF >ca.template +if ! [ -f ca.template ]; then + # Sign a CA cert. + cat <<EOF >ca.template organization = $ORGANIZATION cn = $CN CA country = $COUNTRY @@ -35,13 +32,12 @@ EOF #locality = $LOCALITY fi -if ! [ -f ca.cert.pem ] -then - $CERTTOOL \ - --generate-self-signed \ - --load-privkey ca.key.pem \ - --template ca.template \ - --outfile ca.cert.pem +if ! [ -f ca.cert.pem ]; then + $CERTTOOL \ + --generate-self-signed \ + --load-privkey ca.key.pem \ + --template ca.template \ + --outfile ca.cert.pem fi chmod 600 ca.cert.pem |