From ad390cedef8bd4c66c4d999cf3ce02f542617c41 Mon Sep 17 00:00:00 2001
From: fwiegerinck
Date: Tue, 21 Jan 2025 23:12:34 +0100
Subject: [PATCH] - Remove comments - replace motd with .profile
---
 ct/alpine-step-ca.sh | 15 --------------
 install/alpine-step-ca-install.sh | 34 ++++---------------------
 2 files changed, 4 insertions(+), 45 deletions(-)
diff --git a/ct/alpine-step-ca.sh b/ct/alpine-step-ca.sh
index b5e95b30..5de62fb6 100644
--- a/ct/alpine-step-ca.sh
+++ b/ct/alpine-step-ca.sh
@@ -5,7 +5,6 @@ source <(curl -s https://raw.githubusercontent.com/community-scripts/ProxmoxVE/m # License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE # Source: https://github.com/smallstep/certificates -# App Default Values APP="Alpine-Step-CA" var_tags="alpine;step-ca" var_cpu="1"
@@ -15,16 +14,10 @@ var_os="alpine" var_version="3.20" var_unprivileged="0" -# CA default values DEFAULT_CA_NAME="HomeLab CA" - - -# App Output & Base Settings header_info "$APP" base_settings - -# Core variables color catch_errors
@@ -55,10 +48,8 @@ function update_script() { function ca_settings() { - # Step 0: Announce whiptail --backtitle "Proxmox VE Helper Scripts" --msgbox --title "Configure Certificate Authority" "Now that we defined the container we need to configure the certificate authority." 8 58 - # Basic - Step 1: Name of CA if CA_NAME=$(whiptail --backtitle "Proxmox VE Helper Scripts" --inputbox "Name of certificate authority" 8 58 "$DEFAULT_CA_NAME" --title "Configure Certificate Authority" 3>&1 1>&2 2>&3); then if [ -z "$CA_NAME" ]; then CA_NAME="$DEFAULT_CA_NAME"
@@ -67,10 +58,8 @@ function ca_settings() { exit fi - # Basic - Step 2: DNS entries of CA CA_DNS_ENTRIES=() DEFAULT_CA_DNS_ENTRY="${HN}.local" - if CA_PRIMARY_DNS=$(whiptail --backtitle "Proxmox VE Helper Scripts" --inputbox "DNS entry of Certificate Authority" 8 58 "$DEFAULT_CA_DNS_ENTRY" --title "Configure Certificate Authority" 3>&1 1>&2 2>&3); then if [ -z "$CA_PRIMARY_DNS" ]; then CA_PRIMARY_DNS=$DEFAULT_CA_DNS_ENTRY
@@ -88,7 +77,6 @@ function ca_settings() { fi done - # Basic - Step 3: X509 policy allow by DNS name x509_policy_dns=() while true; do if dns_entry=$(whiptail --backtitle "Proxmox VE Helper Scripts" --inputbox "[X509 Policy] Allowed by DNS. Use full ('domain.local') or wildcard ('*.local') DNS:" 8 58 "" --title "Configure Certificate Authority" 3>&1 1>&2 2>&3); then
@@ -102,7 +90,6 @@ function ca_settings() { fi done - # Basic - Step 4: X509 policy allow by IP address/range x509_policy_ips=() while true; do if ip_entry=$(whiptail --backtitle "Proxmox VE Helper Scripts" --inputbox "[X509 Policy] Allowed by IP addresses. Use single address ('192.168.1.169' or '::1') or CIDR address ranges ('192.168.1.0/24' or '2001:0db8::/120'):" 8 58 "" --title "Configure Certificate Authority" 3>&1 1>&2 2>&3); then
@@ -116,11 +103,9 @@ function ca_settings() { fi done - # ACME - Step 1: Should ACME be enabled? if (whiptail --backtitle "Proxmox VE Helper Scripts" --defaultno --title "Configure Certificate Authority" --yesno "Enable ACME?" 10 58); then CA_ACME="yes" - # ACME - Step 2: Name of ACME provider default_ca_acme_name="acme" if CA_ACME_NAME=$(whiptail --backtitle "Proxmox VE Helper Scripts" --inputbox "Name of ACME provider" 8 58 "$default_ca_acme_name" --title "Configure Certificate Authority" 3>&1 1>&2 2>&3); then if [ -z "$CA_ACME_NAME" ]; then
diff --git a/install/alpine-step-ca-install.sh b/install/alpine-step-ca-install.sh
index a0a14166..aeb5fbb5 100644
--- a/install/alpine-step-ca-install.sh
+++ b/install/alpine-step-ca-install.sh
@@ -17,44 +17,31 @@ update_os motd_ssh customize -# Finished base install.... now install and setup Step-CA - -# Step 0: Set internal values config_dir="/etc/step-ca" passwd_file="${config_dir}/password.txt" ca_admin_provisioner="Admin JWK" ca_admin_subject="admin-localhost" ca_admin_provisioner_passwd_file="${config_dir}/admin-jwk-password.txt" - -# Step 1: Installing Dependencies msg_info "Installing dependencies" $STD apk add newt $STD apk add openssl msg_ok "Installed dependencies" - -# Step 2: Prepare environment msg_info "Preparing environment" -$STD echo "export STEPPATH=/etc/step-ca" > ~/.profile +$STD echo "export STEPPATH=/etc/step-ca" >> ~/.profile $STD export STEPPATH=/etc/step-ca msg_ok "Environment prepared" -# Step 3: Do actual install of step-ca msg_info "Installing Alpine Step-CA" $STD apk add step-cli step-certificates msg_ok "Installed Alpine Step-CA" -# Step 4: Setup step-ca - -# Step 4a: Prepare secrets msg_info "Generate CA secrets" -function generatePasswordFile(){ # argument: path of file - +function generatePasswordFile(){ $STD echo "$(openssl rand -base64 18 | tr -dc 'a-zA-Z0-9' | cut -c1-13)" > "$1" chmod 600 "$1" - } generatePasswordFile "${passwd_file}"
@@ -62,14 +49,11 @@ generatePasswordFile "${ca_admin_provisioner_passwd_file}" msg_ok "Generated CA secrets" -# Step 4b: Configure base CA msg_info "Initialize base CA" -# Do initialize and immediately start it for further configuration $STD step ca init --name "${CA_NAME}" --dns localhost $CA_DNS --password-file ${passwd_file} --deployment-type standalone --address ":443" --provisioner "${ca_admin_provisioner}" --admin-subject "${ca_admin_subject}" --provisioner-password-file ${ca_admin_provisioner_passwd_file} --remote-management $STD rc-service step-ca start -# Wait till service has started and port is available timeout_counter=0 while ! nc -z localhost 443; do sleep 0.5
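Review bot: On the new line `$STD echo "export STEPPATH=/etc/step-ca" >> ~/.profile`, and on `$STD echo "$(openssl rand -base64 18 | tr -dc 'a-zA-Z0-9' | cut -c1-13)" > "$1"` inside generatePasswordFile, the redirection is attached to whatever `$STD` expands to rather than to echo, so if `$STD` is a wrapper that discards stdout both the profile line and the CA password files come out empty; I cannot see the definition of `$STD` here, so please confirm, and the same pattern recurs in the last hunk of this file. Writing them without the wrapper, `echo "export STEPPATH=/etc/step-ca" >> ~/.profile` and `printf '%s\n' "$(openssl rand -base64 18 | tr -dc 'a-zA-Z0-9' | cut -c1-13)" > "$1"`, makes the outcome independent of how `$STD` is defined. Switching from `>` to `>>` stops the installer clobbering an existing `~/.profile`, but a re-run now appends a duplicate export; a guard such as `grep -qxF 'export STEPPATH=/etc/step-ca' ~/.profile 2>/dev/null || echo "export STEPPATH=/etc/step-ca" >> ~/.profile` keeps it idempotent. The password file also exists with the default umask until `chmod 600 "$1"` runs; wrapping the write as `(umask 077; printf … > "$1")` creates it restricted from the start.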
@@ -83,11 +67,9 @@ done msg_ok "Initialized base CA" -# Step 4c: Configure CA policy if necessary if [ -n "${CA_X509_POLICY_DNS}" ] || [ -n "${CA_X509_POLICY_IPS}" ]; then msg_info "Configure CA policy" - # Ensure admin subject is added to the allow list $STD step ca policy authority x509 allow dns "${ca_admin_subject}" --admin-provisioner "${ca_admin_provisioner}" --admin-subject "${ca_admin_subject}" --password-file ${ca_admin_provisioner_passwd_file} if [ -n "${CA_X509_POLICY_DNS}" ]; then
@@ -100,26 +82,18 @@ if [ -n "${CA_X509_POLICY_DNS}" ] || [ -n "${CA_X509_POLICY_IPS}" ]; then msg_ok "Configured CA policy" fi -# Step 4d: Configure ACME if desired if [ "${CA_ACME}" = "yes" ]; then msg_info "Initialize ACME for CA" $STD step ca provisioner add "${CA_ACME_NAME}" --type ACME --x509-min-dur=20m --x509-max-dur=32h --x509-default-dur=24h --admin-provisioner "${ca_admin_provisioner}" --admin-subject "${ca_admin_subject}" --password-file ${ca_admin_provisioner_passwd_file} msg_ok "Initialized ACME for CA" fi - -# Step 4e: Restart service and enable auto-start msg_info "Starting Alpine Step-CA" $STD rc-service step-ca restart $STD rc-update add step-ca default msg_ok "Started Alpine Step-CA" -# Step 4f: Report back completion as it works from here! msg_ok "Completed setup of CA" -# Step 4g: Extend motd with step-ca fingerprint of root CA -MOTD_FILE="/etc/motd" -if [ -f "$MOTD_FILE" ]; then - ca_root_fingerprint=$(step certificate fingerprint ${STEPPATH}/certs/root_ca.crt) - echo -e "\n${TAB}${DEFAULT}${YW} Fingerprint CA Root Certificate: ${GN}${ca_root_fingerprint}${CL}" >> "$MOTD_FILE" -fi +ca_root_fingerprint=$(step certificate fingerprint ${STEPPATH}/certs/root_ca.crt) +$STD echo "echo \"Fingerprint CA Root Certificate: ${ca_root_fingerprint}\" " >> ~/.profile
\ No newline at end of file
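Review bot: The fingerprint appended to `~/.profile` is expanded at install time, so if the CA is later re-initialised or `root_ca.crt` is replaced the login banner keeps showing the old value, which is the value an operator is likely to compare against when verifying the root certificate on clients. Deferring the lookup to login time with a single-quoted line, `echo 'echo "Fingerprint CA Root Certificate: $(step certificate fingerprint "$STEPPATH/certs/root_ca.crt")"' >> ~/.profile`, keeps the banner truthful at the cost of one `step` call per login and also quotes the path that `${STEPPATH}/certs/root_ca.crt` leaves unquoted on the new side; it relies on the `export STEPPATH` line appended earlier in the same file being read first, which holds if `.profile` is sourced top to bottom. The `$STD` prefix on this redirect has the same effect I raised at the first hunk of this file: whether anything reaches `~/.profile` depends on what `$STD` does with stdout. The `\ No newline at end of file` marker shows the script's new last line lost its trailing newline; worth restoring before merge.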