refactor(taskserver/certs): Format scripts and allow selecting which certs to generate

author: Benedikt Peetz <benedikt.peetz@b-peetz.de> 2024-10-05 21:14:23 +0200
committer: Benedikt Peetz <benedikt.peetz@b-peetz.de> 2024-10-05 21:14:23 +0200
commit: e160aae0d52b7e7d7403105e110f2e73ebedc5b7 (patch)
tree: 43c2085907b693fecc00628aafb2c47421e91086 /system
parent: chore(taskserver/certs/ca.key.pem.gpg): reencrypt with new keys as recipients (diff)
download: nixos-server-e160aae0d52b7e7d7403105e110f2e73ebedc5b7.tar.gz
nixos-server-e160aae0d52b7e7d7403105e110f2e73ebedc5b7.zip
3 files changed, 64 insertions, 36 deletions
diff --git a/system/services/taskserver/certs/check_expire b/system/services/taskserver/certs/check_expire
index 89969cc..39f3291 100755
--- a/system/services/taskserver/certs/check_expire
+++ b/system/services/taskserver/certs/check_expire
@@ -1,4 +1,10 @@
-#!/bin/sh
+#!/usr/bin/env nix
+#! nix shell nixpkgs#openssl nixpkgs#dash --command dash
+
+cd "$(dirname "$0")" || {
+    echo "No dir name?!"
+    exit 1
+}
 
 for cert in *.cert.pem; do
     echo "$cert"
diff --git a/system/services/taskserver/certs/generate b/system/services/taskserver/certs/generate
index 283697f..3d0ebe3 100755
--- a/system/services/taskserver/certs/generate
+++ b/system/services/taskserver/certs/generate
@@ -1,4 +1,5 @@
-#!/bin/sh
+#!/usr/bin/env nix
+#! nix shell nixpkgs#openssl nixpkgs#gnutls nixpkgs#dash --command dash
 
 # For a public or production server, purchase a cert from a known CA, and skip
 # the next step.
@@ -10,25 +11,49 @@
 #   server.key.pem
 #   server.cert.pem
 
-GENERATION_LOCATION="/run/user/$(id -u)/taskserver/certs";
+GENERATION_LOCATION="/run/user/$(id -u)/taskserver/certs"
 BASEDIR="$(dirname "$0")"
-cd "$BASEDIR" || echo "(BUG?) No basedir ('$BASEDIR')" 1>&2
+cd "$BASEDIR" || {
+    echo "(BUG?) No basedir ('$BASEDIR')" 1>&2
+    exit 1
+}
 
+ca=false
+crl=false
+clients=false
+
+for arg in "$@"; do
+    case "$arg" in
+    "--ca")
+        ca=true
+        ;;
+    "--crl")
+        crl=true
+        ;;
+    "--clients")
+        clients=true
+        ;;
+    esac
+done
+
+# `ca.cert.pem` is not on this list, as it would otherwise get deleted in the `rm` on the
+# second-to last line
 set -- ./vars ./generate.ca ./generate.crl ./generate.client ./ca.key.pem.gpg ./isrgrootx1.pem
 
-mkdir -p "$GENERATION_LOCATION"
-cp "$@" "./ca.cert.pem" "$GENERATION_LOCATION"
+mkdir --parents "$GENERATION_LOCATION"
+cp "$@" ./ca.cert.pem "$GENERATION_LOCATION"
 cd "$GENERATION_LOCATION" || echo "(BUG?) No possible location fould!" 1>&2
 
-gpg --decrypt ca.key.pem.gpg > ca.key.pem
-cat ./isrgrootx1.pem >> ./ca.cert.pem
-[ -f ./ca.key.pem ] || ./generate.ca
+gpg --decrypt ca.key.pem.gpg >ca.key.pem
+
+[ "$ca" = true ] && ./generate.ca
+cat ./isrgrootx1.pem >>./ca.cert.pem
 
 # Generate a certificate revocation list (CRL).  The initial CRL is empty, but
 # can grow over time.  Creates:
 #   server.crl.pem
 
-./generate.crl
+[ "$crl" = true ] && ./generate.crl
 
 # The above is sufficient to operate a server. You now need to run a client cert creation
 # process per client; Add the required client names and uncomment
@@ -39,10 +64,11 @@ cat ./isrgrootx1.pem >> ./ca.cert.pem
 #   <client_name>.key.pem
 #   <client_name>.cert.pem
 #
-./generate.client soispha
-./generate.client android-mobile
-./generate.client android-tab
-
+[ "$clients" = true ] && ./generate.client soispha
+[ "$clients" = true ] && ./generate.client android-mobile
+[ "$clients" = true ] && ./generate.client android-tab
 
 rm "$@" "./ca.key.pem"
 echo "(INFO) Look for the keys at: $GENERATION_LOCATION"
+
+# vim: ft=sh
diff --git a/system/services/taskserver/certs/generate.ca b/system/services/taskserver/certs/generate.ca
index a9fbc0c..eb0dd5c 100755
--- a/system/services/taskserver/certs/generate.ca
+++ b/system/services/taskserver/certs/generate.ca
@@ -2,29 +2,26 @@
 
 # Take the correct binary to create the certificates
 CERTTOOL=$(command -v gnutls-certtool 2>/dev/null || command -v certtool 2>/dev/null)
-if [ -z "$CERTTOOL" ]
-then
-  echo "ERROR: No certtool found" >&2
-  exit 1
+if [ -z "$CERTTOOL" ]; then
+    echo "ERROR: No certtool found" >&2
+    exit 1
 fi
 
 . ./vars
 
-if ! [ -f ca.key.pem ]
-then
-  # Create a CA key.
-  $CERTTOOL \
-    --generate-privkey \
-    --sec-param $SEC_PARAM \
-    --outfile ca.key.pem
+if ! [ -f ca.key.pem ]; then
+    # Create a CA key.
+    $CERTTOOL \
+        --generate-privkey \
+        --sec-param $SEC_PARAM \
+        --outfile ca.key.pem
 fi
 
 chmod 600 ca.key.pem
 
-if ! [ -f ca.template ]
-then
-  # Sign a CA cert.
-  cat <<EOF >ca.template
+if ! [ -f ca.template ]; then
+    # Sign a CA cert.
+    cat <<EOF >ca.template
 organization = $ORGANIZATION
 cn = $CN CA
 country = $COUNTRY
@@ -35,13 +32,12 @@ EOF
 #locality = $LOCALITY
 fi
 
-if ! [ -f ca.cert.pem ]
-then
-  $CERTTOOL \
-    --generate-self-signed \
-    --load-privkey ca.key.pem \
-    --template ca.template \
-    --outfile ca.cert.pem
+if ! [ -f ca.cert.pem ]; then
+    $CERTTOOL \
+        --generate-self-signed \
+        --load-privkey ca.key.pem \
+        --template ca.template \
+        --outfile ca.cert.pem
 fi
 
 chmod 600 ca.cert.pem
author	Benedikt Peetz <benedikt.peetz@b-peetz.de>	2024-10-05 21:14:23 +0200
committer	Benedikt Peetz <benedikt.peetz@b-peetz.de>	2024-10-05 21:14:23 +0200
commit	e160aae0d52b7e7d7403105e110f2e73ebedc5b7 (patch)
tree	43c2085907b693fecc00628aafb2c47421e91086 /system
parent	chore(taskserver/certs/ca.key.pem.gpg): reencrypt with new keys as recipients (diff)
download	nixos-server-e160aae0d52b7e7d7403105e110f2e73ebedc5b7.tar.gz nixos-server-e160aae0d52b7e7d7403105e110f2e73ebedc5b7.zip