Make ACM optional and allow X509 policies
This commit is contained in:
parent
a81592d9c0
commit
07d1d22917
@ -16,7 +16,8 @@ var_version="3.20"
|
||||
var_unprivileged="0"
|
||||
|
||||
# CA default values
|
||||
DEFAULT_CA_NAME="HomeLab"
|
||||
DEFAULT_CA_NAME="HomeLab CA"
|
||||
|
||||
|
||||
|
||||
# App Output & Base Settings
|
||||
@ -54,7 +55,10 @@ function update_script() {
|
||||
|
||||
function ca_settings() {
|
||||
|
||||
# Step 0: Announce
|
||||
whiptail --backtitle "Proxmox VE Helper Scripts" --msgbox --title "Configure Certificate Authority" "Now that we defined the container we need to configure the certificate authority." 8 58
|
||||
|
||||
# Basic - Step 1: Name of CA
|
||||
if CA_NAME=$(whiptail --backtitle "Proxmox VE Helper Scripts" --inputbox "Name of certificate authority" 8 58 "$DEFAULT_CA_NAME" --title "Configure Certificate Authority" 3>&1 1>&2 2>&3); then
|
||||
if [ -z "$CA_NAME" ]; then
|
||||
CA_NAME="$DEFAULT_CA_NAME"
|
||||
@ -63,36 +67,97 @@ function ca_settings() {
|
||||
exit
|
||||
fi
|
||||
|
||||
# Basic - Step 2: DNS entries of CA
|
||||
CA_DNS_ENTRIES=()
|
||||
DEFAULT_CA_DNS_ENTRY="${HN}.local"
|
||||
if CA_DNS_ENTRY=$(whiptail --backtitle "Proxmox VE Helper Scripts" --inputbox "DNS entry of Certificate Authority" 8 58 "$DEFAULT_CA_DNS_ENTRY" --title "Configure Certificate Authority" 3>&1 1>&2 2>&3); then
|
||||
if [ -z "$CA_DNS_ENTRY" ]; then
|
||||
CA_DNS_ENTRIES+=("--dns=$DEFAULT_CA_DNS_ENTRY")
|
||||
else
|
||||
CA_DNS_ENTRIES+=("--dns=$CA_DNS_ENTRY")
|
||||
|
||||
if CA_PRIMARY_DNS=$(whiptail --backtitle "Proxmox VE Helper Scripts" --inputbox "DNS entry of Certificate Authority" 8 58 "$DEFAULT_CA_DNS_ENTRY" --title "Configure Certificate Authority" 3>&1 1>&2 2>&3); then
|
||||
if [ -z "$CA_PRIMARY_DNS" ]; then
|
||||
CA_PRIMARY_DNS=$DEFAULT_CA_DNS_ENTRY
|
||||
fi
|
||||
CA_DNS_ENTRIES+=("--dns=$CA_PRIMARY_DNS")
|
||||
else
|
||||
exit
|
||||
fi
|
||||
|
||||
while whiptail --backtitle "Proxmox VE Helper Scripts" --defaultno --title "Configure Certificate Authority" --yesno "Do you want to add another DNS entry?" 10 72 ; do
|
||||
if CA_DNS_ENTRY=$(whiptail --backtitle "Proxmox VE Helper Scripts" --inputbox "DNS entry of Certificate Authority" 8 58 "" --title "Configure Certificate Authority" 3>&1 1>&2 2>&3); then
|
||||
if [ -n "$CA_DNS_ENTRY" ]; then
|
||||
CA_DNS_ENTRIES+=(" --dns=$CA_DNS_ENTRY")
|
||||
if dns_entry=$(whiptail --backtitle "Proxmox VE Helper Scripts" --inputbox "DNS entry of Certificate Authority" 8 58 "" --title "Configure Certificate Authority" 3>&1 1>&2 2>&3); then
|
||||
if [ -n "$dns_entry" ]; then
|
||||
CA_DNS_ENTRIES+=(" --dns=$dns_entry")
|
||||
fi
|
||||
fi
|
||||
done
|
||||
|
||||
# Basic - Step 3: X509 policy allow by DNS name
|
||||
x509_policy_dns=()
|
||||
while true; do
|
||||
if dns_entry=$(whiptail --backtitle "Proxmox VE Helper Scripts" --inputbox "[X509 Policy] Allowed by DNS. Use full ('domain.local') or wildcard ('*.local') DNS:" 8 58 "" --title "Configure Certificate Authority" 3>&1 1>&2 2>&3); then
|
||||
if [ -n "$dns_entry" ]; then
|
||||
x509_policy_dns+=("$(dns_entry)")
|
||||
else
|
||||
break
|
||||
fi
|
||||
else
|
||||
exit
|
||||
fi
|
||||
done
|
||||
|
||||
# Basic - Step 4: X509 policy allow by IP address/range
|
||||
x509_policy_ips=()
|
||||
while true; do
|
||||
if ip_entry=$(whiptail --backtitle "Proxmox VE Helper Scripts" --inputbox "[X509 Policy] Allowed by IP addresses. Use single address ('192.168.1.169' or '::1') or CIDR address ranges ('192.168.1.0/24' or '2001:0db8::/120'):" 8 58 "" --title "Configure Certificate Authority" 3>&1 1>&2 2>&3); then
|
||||
if [ -n "$ip_entry" ]; then
|
||||
x509_policy_ips+=("$(ip_entry)")
|
||||
else
|
||||
break
|
||||
fi
|
||||
else
|
||||
exit
|
||||
fi
|
||||
done
|
||||
|
||||
# ACME - Step 1: Should ACME be enabled?
|
||||
if (whiptail --backtitle "Proxmox VE Helper Scripts" --defaultno --title "Configure Certificate Authority" --yesno "Enable ACME?" 10 58); then
|
||||
CA_ACME="yes"
|
||||
|
||||
# ACME - Step 2: Name of ACME provider
|
||||
default_ca_acme_name="acme"
|
||||
if CA_ACME_NAME=$(whiptail --backtitle "Proxmox VE Helper Scripts" --inputbox "Name of ACME provider" 8 58 "$default_ca_acme_name" --title "Configure Certificate Authority" 3>&1 1>&2 2>&3); then
|
||||
if [ -z "$CA_ACME_NAME" ]; then
|
||||
CA_ACME_NAME="$default_ca_acme_name"
|
||||
fi
|
||||
else
|
||||
exit
|
||||
fi
|
||||
|
||||
else
|
||||
CA_ACME="no"
|
||||
fi
|
||||
|
||||
if [ "$VERBOSE" = "yes" ]; then
|
||||
echo -e "${DEFAULT}${BOLD}${DGN}Name of CA: ${BGN}$CA_NAME${CL}"
|
||||
echo -e "${DEFAULT}${BOLD}${DGN}DNS entries of CA:${CL}"
|
||||
for DNS_ENTRY in ${CA_DNS_ENTRIES[*]}; do
|
||||
echo -e "- $DNS_ENTRY"
|
||||
echo -e " - $DNS_ENTRY"
|
||||
done
|
||||
echo -e "${DEFAULT}${BOLD}${DGN}X509 Policy - allow:{CL}"
|
||||
echo -e " - DNS entries: ${x509_policy_dns[*]}"
|
||||
echo -e " - IP addresses: ${x509_policy_ips[*]}"
|
||||
|
||||
echo -e "${DEFAULT}${BOLD}${DGN}Enable ACME: ${BGN}$CA_ACME${CL}"
|
||||
if [ "${CA_ACME}" = "yes" ]; then
|
||||
echo -e " - Name of provider: ${CA_ACME_NAME}"
|
||||
echo -e " - Allowed domains: "
|
||||
fi
|
||||
fi
|
||||
|
||||
export CA_NAME
|
||||
export CA_DNS=${CA_DNS_ENTRIES[*]};
|
||||
export CA_PRIMARY_DNS
|
||||
export CA_DNS=${CA_DNS_ENTRIES[*]}
|
||||
export CA_X509_POLICY_DNS=${x509_policy_dns[*]}
|
||||
export CA_X509_POLICY_IPS=${x509_policy_ips[*]}
|
||||
export CA_ACME
|
||||
export CA_ACME_NAME
|
||||
}
|
||||
|
||||
start
|
||||
@ -102,3 +167,6 @@ description
|
||||
|
||||
msg_ok "Completed Successfully!\n"
|
||||
echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
|
||||
if [ "${CA_ACME}" = "yes" ]; then
|
||||
echo -e " ACME should be reachable at URL: https://${CA_PRIMARY_DNS}/acme/{$CA_ACME_NAME}/directory"
|
||||
fi
|
||||
|
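Review bot: The X509 policy prompts never store what the user typed: `x509_policy_dns+=("$(dns_entry)")` and `x509_policy_ips+=("$(ip_entry)")` are command substitutions that run a command named after the variable rather than expanding it, so (assuming no such command exists) each appended element is empty and the policy loops in the install script become a no-op. They should read `x509_policy_dns+=("$dns_entry")` and `x509_policy_ips+=("$ip_entry")`. Two smaller slips in the same file: the verbose summary prints a literal `{CL}` where `${CL}` is meant, and the final ACME URL in the last hunk has `{$CA_ACME_NAME}` where `${CA_ACME_NAME}` is meant, so the printed URL would contain braces. Since the entries are exported joined with `${x509_policy_dns[*]}` and re-split by the install script, an entry containing whitespace would be split into two policy rules; a comment on the export lines such as `# entries are space-joined for export; they must not contain whitespace` would make that constraint visible.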
@ -27,6 +27,10 @@ $STD export STEPPATH=/etc/step-ca
|
||||
if [ "$VERBOSE" = "yes" ]; then
|
||||
env #Display environment details
|
||||
fi
|
||||
|
||||
x509_policy_dns=($(echo "${CA_X509_POLICY_DNS}" | tr ' ' '\n'))
|
||||
x509_policy_ips=($(echo "${CA_X509_POLICY_IPS}" | tr ' ' '\n'))
|
||||
|
||||
msg_ok "Environment prepared"
|
||||
|
||||
msg_info "Installing Alpine Step-CA"
|
||||
@ -45,9 +49,24 @@ EOF
|
||||
msg_ok "Generated CA secret stored in ${passwd_file}"
|
||||
|
||||
|
||||
msg_info "Initialize CA"
|
||||
$STD step ca init --name="$CA_NAME" $CA_DNS --password-file=/etc/step-ca/password.txt --acme --deployment-type=standalone --address=0.0.0.0:443 --provisioner=acme
|
||||
$STD step ca provisioner update acme --x509-min-dur=20m --x509-max-dur=32h --x509-default-dur=24h
|
||||
msg_info "Initialize base CA"
|
||||
$STD step ca init --name "${CA_NAME}" $CA_DNS --password-file /etc/step-ca/password.txt --deployment-type=standalone --address ":443" --provisioner=admin
|
||||
|
||||
for dns_entry in "${x509_policy_dns[@]}"; do
|
||||
$STD step ca policy authority x509 allow dns "${dns_entry}"
|
||||
done
|
||||
for ip_entry in "${x509_policy_ips[@]}"; do
|
||||
$STD step ca policy authority x509 allow ip ${ip_entry}
|
||||
done
|
||||
|
||||
if [ "${CA_ACME}" = "yes" ]; then
|
||||
msg_info "Initialize ACME for CA"
|
||||
$STD step ca provisioner add ${CA_ACME_NAME} --type ACME
|
||||
$STD step ca provisioner update ${CA_ACME_NAME} --x509-min-dur=20m --x509-max-dur=32h --x509-default-dur=24h
|
||||
fi
|
||||
if [ "${CA_SSH}" = "yes" ]; then
|
||||
msg_info "Inititialize CA for SSH"
|
||||
fi
|
||||
msg_ok "Finished initialization of CA"
|
||||
|
||||
# Start application
|
||||
|
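Review bot: `x509_policy_dns=($(echo "${CA_X509_POLICY_DNS}" | tr ' ' '\n'))` leaves the command substitution unquoted, so every entry goes through pathname expansion before it reaches the policy loop; the ct script explicitly invites wildcard entries such as `*.local`, and such an entry would be replaced by any matching file names in the current directory, silently changing the CA's allow list. Reading the exported string with `read -r -a x509_policy_dns <<< "${CA_X509_POLICY_DNS}"` (and likewise for `x509_policy_ips`) splits on whitespace without globbing and makes the `tr` unnecessary. In the next hunk `${ip_entry}` and both uses of `${CA_ACME_NAME}` should be double-quoted like `"${dns_entry}"` on the line above them. `CA_SSH` is tested there but, as far as this page shows, is never set or exported by the ct script, so that branch is either dead or an unset-variable error depending on the shell options in force. If both policy arrays are empty no `allow` rule is installed at all; a comment such as `# no allow rules means the authority is presumably unrestricted` above the loops would help whoever reads the install log.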