diff options
Diffstat (limited to 'system/services/taskserver/certs/generate')
| -rwxr-xr-x | system/services/taskserver/certs/generate | 52 |
1 files changed, 39 insertions, 13 deletions
diff --git a/system/services/taskserver/certs/generate b/system/services/taskserver/certs/generate index 283697f..3d0ebe3 100755 --- a/system/services/taskserver/certs/generate +++ b/system/services/taskserver/certs/generate @@ -1,4 +1,5 @@ -#!/bin/sh +#!/usr/bin/env nix +#! nix shell nixpkgs#openssl nixpkgs#gnutls nixpkgs#dash --command dash # For a public or production server, purchase a cert from a known CA, and skip # the next step. @@ -10,25 +11,49 @@ # server.key.pem # server.cert.pem -GENERATION_LOCATION="/run/user/$(id -u)/taskserver/certs"; +GENERATION_LOCATION="/run/user/$(id -u)/taskserver/certs" BASEDIR="$(dirname "$0")" -cd "$BASEDIR" || echo "(BUG?) No basedir ('$BASEDIR')" 1>&2 +cd "$BASEDIR" || { + echo "(BUG?) No basedir ('$BASEDIR')" 1>&2 + exit 1 +} +ca=false +crl=false +clients=false + +for arg in "$@"; do + case "$arg" in + "--ca") + ca=true + ;; + "--crl") + crl=true + ;; + "--clients") + clients=true + ;; + esac +done + +# `ca.cert.pem` is not on this list, as it would otherwise get deleted in the `rm` on the +# second-to last line set -- ./vars ./generate.ca ./generate.crl ./generate.client ./ca.key.pem.gpg ./isrgrootx1.pem -mkdir -p "$GENERATION_LOCATION" -cp "$@" "./ca.cert.pem" "$GENERATION_LOCATION" +mkdir --parents "$GENERATION_LOCATION" +cp "$@" ./ca.cert.pem "$GENERATION_LOCATION" cd "$GENERATION_LOCATION" || echo "(BUG?) No possible location fould!" 1>&2 -gpg --decrypt ca.key.pem.gpg > ca.key.pem -cat ./isrgrootx1.pem >> ./ca.cert.pem -[ -f ./ca.key.pem ] || ./generate.ca +gpg --decrypt ca.key.pem.gpg >ca.key.pem + +[ "$ca" = true ] && ./generate.ca +cat ./isrgrootx1.pem >>./ca.cert.pem # Generate a certificate revocation list (CRL). The initial CRL is empty, but # can grow over time. Creates: # server.crl.pem -./generate.crl +[ "$crl" = true ] && ./generate.crl # The above is sufficient to operate a server. You now need to run a client cert creation # process per client; Add the required client names and uncomment @@ -39,10 +64,11 @@ cat ./isrgrootx1.pem >> ./ca.cert.pem # <client_name>.key.pem # <client_name>.cert.pem # -./generate.client soispha -./generate.client android-mobile -./generate.client android-tab - +[ "$clients" = true ] && ./generate.client soispha +[ "$clients" = true ] && ./generate.client android-mobile +[ "$clients" = true ] && ./generate.client android-tab rm "$@" "./ca.key.pem" echo "(INFO) Look for the keys at: $GENERATION_LOCATION" + +# vim: ft=sh |