mirror of
https://github.com/community-scripts/ProxmoxVE
synced 2025-02-06 07:49:17 +00:00
- Remove comments
- replace motd with .profile
This commit is contained in:
fwiegerinck
parent
a6a212b63e
commit
ad390cedef
@ -5,7 +5,6 @@ source <(curl -s https://raw.githubusercontent.com/community-scripts/ProxmoxVE/m
|
||||
# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
|
||||
# Source: https://github.com/smallstep/certificates
|
||||
|
||||
# App Default Values
|
||||
APP="Alpine-Step-CA"
|
||||
var_tags="alpine;step-ca"
|
||||
var_cpu="1"
|
||||
@ -15,16 +14,10 @@ var_os="alpine"
|
||||
var_version="3.20"
|
||||
var_unprivileged="0"
|
||||
|
||||
# CA default values
|
||||
DEFAULT_CA_NAME="HomeLab CA"
|
||||
|
||||
|
||||
|
||||
# App Output & Base Settings
|
||||
header_info "$APP"
|
||||
base_settings
|
||||
|
||||
# Core
|
||||
variables
|
||||
color
|
||||
catch_errors
|
||||
@ -55,10 +48,8 @@ function update_script() {
|
||||
|
||||
function ca_settings() {
|
||||
|
||||
# Step 0: Announce
|
||||
whiptail --backtitle "Proxmox VE Helper Scripts" --msgbox --title "Configure Certificate Authority" "Now that we defined the container we need to configure the certificate authority." 8 58
|
||||
|
||||
# Basic - Step 1: Name of CA
|
||||
if CA_NAME=$(whiptail --backtitle "Proxmox VE Helper Scripts" --inputbox "Name of certificate authority" 8 58 "$DEFAULT_CA_NAME" --title "Configure Certificate Authority" 3>&1 1>&2 2>&3); then
|
||||
if [ -z "$CA_NAME" ]; then
|
||||
CA_NAME="$DEFAULT_CA_NAME"
|
||||
@ -67,10 +58,8 @@ function ca_settings() {
|
||||
exit
|
||||
fi
|
||||
|
||||
# Basic - Step 2: DNS entries of CA
|
||||
CA_DNS_ENTRIES=()
|
||||
DEFAULT_CA_DNS_ENTRY="${HN}.local"
|
||||
|
||||
if CA_PRIMARY_DNS=$(whiptail --backtitle "Proxmox VE Helper Scripts" --inputbox "DNS entry of Certificate Authority" 8 58 "$DEFAULT_CA_DNS_ENTRY" --title "Configure Certificate Authority" 3>&1 1>&2 2>&3); then
|
||||
if [ -z "$CA_PRIMARY_DNS" ]; then
|
||||
CA_PRIMARY_DNS=$DEFAULT_CA_DNS_ENTRY
|
||||
@ -88,7 +77,6 @@ function ca_settings() {
|
||||
fi
|
||||
done
|
||||
|
||||
# Basic - Step 3: X509 policy allow by DNS name
|
||||
x509_policy_dns=()
|
||||
while true; do
|
||||
if dns_entry=$(whiptail --backtitle "Proxmox VE Helper Scripts" --inputbox "[X509 Policy] Allowed by DNS. Use full ('domain.local') or wildcard ('*.local') DNS:" 8 58 "" --title "Configure Certificate Authority" 3>&1 1>&2 2>&3); then
|
||||
@ -102,7 +90,6 @@ function ca_settings() {
|
||||
fi
|
||||
done
|
||||
|
||||
# Basic - Step 4: X509 policy allow by IP address/range
|
||||
x509_policy_ips=()
|
||||
while true; do
|
||||
if ip_entry=$(whiptail --backtitle "Proxmox VE Helper Scripts" --inputbox "[X509 Policy] Allowed by IP addresses. Use single address ('192.168.1.169' or '::1') or CIDR address ranges ('192.168.1.0/24' or '2001:0db8::/120'):" 8 58 "" --title "Configure Certificate Authority" 3>&1 1>&2 2>&3); then
|
||||
@ -116,11 +103,9 @@ function ca_settings() {
|
||||
fi
|
||||
done
|
||||
|
||||
# ACME - Step 1: Should ACME be enabled?
|
||||
if (whiptail --backtitle "Proxmox VE Helper Scripts" --defaultno --title "Configure Certificate Authority" --yesno "Enable ACME?" 10 58); then
|
||||
CA_ACME="yes"
|
||||
|
||||
# ACME - Step 2: Name of ACME provider
|
||||
default_ca_acme_name="acme"
|
||||
if CA_ACME_NAME=$(whiptail --backtitle "Proxmox VE Helper Scripts" --inputbox "Name of ACME provider" 8 58 "$default_ca_acme_name" --title "Configure Certificate Authority" 3>&1 1>&2 2>&3); then
|
||||
if [ -z "$CA_ACME_NAME" ]; then
|
||||
|
||||
@ -17,44 +17,31 @@ update_os
|
||||
motd_ssh
|
||||
customize
|
||||
|
||||
# Finished base install.... now install and setup Step-CA
|
||||
|
||||
# Step 0: Set internal values
|
||||
config_dir="/etc/step-ca"
|
||||
passwd_file="${config_dir}/password.txt"
|
||||
ca_admin_provisioner="Admin JWK"
|
||||
ca_admin_subject="admin-localhost"
|
||||
ca_admin_provisioner_passwd_file="${config_dir}/admin-jwk-password.txt"
|
||||
|
||||
|
||||
# Step 1: Installing Dependencies
|
||||
msg_info "Installing dependencies"
|
||||
$STD apk add newt
|
||||
$STD apk add openssl
|
||||
msg_ok "Installed dependencies"
|
||||
|
||||
|
||||
# Step 2: Prepare environment
|
||||
msg_info "Preparing environment"
|
||||
$STD echo "export STEPPATH=/etc/step-ca" > ~/.profile
|
||||
$STD echo "export STEPPATH=/etc/step-ca" >> ~/.profile
|
||||
$STD export STEPPATH=/etc/step-ca
|
||||
msg_ok "Environment prepared"
|
||||
|
||||
# Step 3: Do actual install of step-ca
|
||||
msg_info "Installing Alpine Step-CA"
|
||||
$STD apk add step-cli step-certificates
|
||||
msg_ok "Installed Alpine Step-CA"
|
||||
|
||||
# Step 4: Setup step-ca
|
||||
|
||||
# Step 4a: Prepare secrets
|
||||
msg_info "Generate CA secrets"
|
||||
|
||||
function generatePasswordFile(){ # argument: path of file
|
||||
|
||||
function generatePasswordFile(){
|
||||
$STD echo "$(openssl rand -base64 18 | tr -dc 'a-zA-Z0-9' | cut -c1-13)" > "$1"
|
||||
chmod 600 "$1"
|
||||
|
||||
}
|
||||
|
||||
generatePasswordFile "${passwd_file}"
|
||||
@ -62,14 +49,11 @@ generatePasswordFile "${ca_admin_provisioner_passwd_file}"
|
||||
|
||||
msg_ok "Generated CA secrets"
|
||||
|
||||
# Step 4b: Configure base CA
|
||||
msg_info "Initialize base CA"
|
||||
|
||||
# Do initialize and immediately start it for further configuration
|
||||
$STD step ca init --name "${CA_NAME}" --dns localhost $CA_DNS --password-file ${passwd_file} --deployment-type standalone --address ":443" --provisioner "${ca_admin_provisioner}" --admin-subject "${ca_admin_subject}" --provisioner-password-file ${ca_admin_provisioner_passwd_file} --remote-management
|
||||
$STD rc-service step-ca start
|
||||
|
||||
# Wait till service has started and port is available
|
||||
timeout_counter=0
|
||||
while ! nc -z localhost 443; do
|
||||
sleep 0.5
|
||||
@ -83,11 +67,9 @@ done
|
||||
|
||||
msg_ok "Initialized base CA"
|
||||
|
||||
# Step 4c: Configure CA policy if necessary
|
||||
if [ -n "${CA_X509_POLICY_DNS}" ] || [ -n "${CA_X509_POLICY_IPS}" ]; then
|
||||
msg_info "Configure CA policy"
|
||||
|
||||
# Ensure admin subject is added to the allow list
|
||||
$STD step ca policy authority x509 allow dns "${ca_admin_subject}" --admin-provisioner "${ca_admin_provisioner}" --admin-subject "${ca_admin_subject}" --password-file ${ca_admin_provisioner_passwd_file}
|
||||
|
||||
if [ -n "${CA_X509_POLICY_DNS}" ]; then
|
||||
@ -100,26 +82,18 @@ if [ -n "${CA_X509_POLICY_DNS}" ] || [ -n "${CA_X509_POLICY_IPS}" ]; then
|
||||
msg_ok "Configured CA policy"
|
||||
fi
|
||||
|
||||
# Step 4d: Configure ACME if desired
|
||||
if [ "${CA_ACME}" = "yes" ]; then
|
||||
msg_info "Initialize ACME for CA"
|
||||
$STD step ca provisioner add "${CA_ACME_NAME}" --type ACME --x509-min-dur=20m --x509-max-dur=32h --x509-default-dur=24h --admin-provisioner "${ca_admin_provisioner}" --admin-subject "${ca_admin_subject}" --password-file ${ca_admin_provisioner_passwd_file}
|
||||
msg_ok "Initialized ACME for CA"
|
||||
fi
|
||||
|
||||
|
||||
# Step 4e: Restart service and enable auto-start
|
||||
msg_info "Starting Alpine Step-CA"
|
||||
$STD rc-service step-ca restart
|
||||
$STD rc-update add step-ca default
|
||||
msg_ok "Started Alpine Step-CA"
|
||||
|
||||
# Step 4f: Report back completion as it works from here!
|
||||
msg_ok "Completed setup of CA"
|
||||
|
||||
# Step 4g: Extend motd with step-ca fingerprint of root CA
|
||||
MOTD_FILE="/etc/motd"
|
||||
if [ -f "$MOTD_FILE" ]; then
|
||||
ca_root_fingerprint=$(step certificate fingerprint ${STEPPATH}/certs/root_ca.crt)
|
||||
echo -e "\n${TAB}${DEFAULT}${YW} Fingerprint CA Root Certificate: ${GN}${ca_root_fingerprint}${CL}" >> "$MOTD_FILE"
|
||||
fi
|
||||
ca_root_fingerprint=$(step certificate fingerprint ${STEPPATH}/certs/root_ca.crt)
|
||||
$STD echo "echo \"Fingerprint CA Root Certificate: ${ca_root_fingerprint}\" " >> ~/.profile
|
||||
Loading…
Reference in New Issue
Block a user