martin/ProxmoxVE
1
0
Fork 0
mirror of https://github.com/community-scripts/ProxmoxVE synced 2025-02-06 15:59:17 +00:00
Code Issues Actions 7 Packages Projects Releases Wiki Activity

- Remove comments

Browse Source 
- replace motd with .profile
This commit is contained in:
fwiegerinck 2025-01-21 23:12:34 +01:00
parent a6a212b63e
commit ad390cedef
2 changed files with 4 additions and 45 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
ct/alpine-step-ca.sh
View File

@ -5,7 +5,6 @@ source <(curl -s https://raw.githubusercontent.com/community-scripts/ProxmoxVE/m
# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE # License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
# Source: https://github.com/smallstep/certificates # Source: https://github.com/smallstep/certificates
# App Default Values
APP="Alpine-Step-CA" APP="Alpine-Step-CA"
var_tags="alpine;step-ca" var_tags="alpine;step-ca"
var_cpu="1" var_cpu="1"
@ -15,16 +14,10 @@ var_os="alpine"
var_version="3.20" var_version="3.20"
var_unprivileged="0" var_unprivileged="0"
# CA default values
DEFAULT_CA_NAME="HomeLab CA" DEFAULT_CA_NAME="HomeLab CA"
# App Output & Base Settings
header_info "$APP" header_info "$APP"
base_settings base_settings
# Core
variables variables
color color
catch_errors catch_errors
@ -55,10 +48,8 @@ function update_script() {
function ca_settings() { function ca_settings() {
# Step 0: Announce
whiptail --backtitle "Proxmox VE Helper Scripts" --msgbox --title "Configure Certificate Authority" "Now that we defined the container we need to configure the certificate authority." 8 58 whiptail --backtitle "Proxmox VE Helper Scripts" --msgbox --title "Configure Certificate Authority" "Now that we defined the container we need to configure the certificate authority." 8 58
# Basic - Step 1: Name of CA
if CA_NAME=$(whiptail --backtitle "Proxmox VE Helper Scripts" --inputbox "Name of certificate authority" 8 58 "$DEFAULT_CA_NAME" --title "Configure Certificate Authority" 3>&1 1>&2 2>&3); then if CA_NAME=$(whiptail --backtitle "Proxmox VE Helper Scripts" --inputbox "Name of certificate authority" 8 58 "$DEFAULT_CA_NAME" --title "Configure Certificate Authority" 3>&1 1>&2 2>&3); then
if [ -z "$CA_NAME" ]; then if [ -z "$CA_NAME" ]; then
CA_NAME="$DEFAULT_CA_NAME" CA_NAME="$DEFAULT_CA_NAME"
@ -67,10 +58,8 @@ function ca_settings() {
exit exit
fi fi
# Basic - Step 2: DNS entries of CA
CA_DNS_ENTRIES=() CA_DNS_ENTRIES=()
DEFAULT_CA_DNS_ENTRY="${HN}.local" DEFAULT_CA_DNS_ENTRY="${HN}.local"
if CA_PRIMARY_DNS=$(whiptail --backtitle "Proxmox VE Helper Scripts" --inputbox "DNS entry of Certificate Authority" 8 58 "$DEFAULT_CA_DNS_ENTRY" --title "Configure Certificate Authority" 3>&1 1>&2 2>&3); then if CA_PRIMARY_DNS=$(whiptail --backtitle "Proxmox VE Helper Scripts" --inputbox "DNS entry of Certificate Authority" 8 58 "$DEFAULT_CA_DNS_ENTRY" --title "Configure Certificate Authority" 3>&1 1>&2 2>&3); then
if [ -z "$CA_PRIMARY_DNS" ]; then if [ -z "$CA_PRIMARY_DNS" ]; then
CA_PRIMARY_DNS=$DEFAULT_CA_DNS_ENTRY CA_PRIMARY_DNS=$DEFAULT_CA_DNS_ENTRY
@ -88,7 +77,6 @@ function ca_settings() {
fi fi
done done
# Basic - Step 3: X509 policy allow by DNS name
x509_policy_dns=() x509_policy_dns=()
while true; do while true; do
if dns_entry=$(whiptail --backtitle "Proxmox VE Helper Scripts" --inputbox "[X509 Policy] Allowed by DNS. Use full ('domain.local') or wildcard ('*.local') DNS:" 8 58 "" --title "Configure Certificate Authority" 3>&1 1>&2 2>&3); then if dns_entry=$(whiptail --backtitle "Proxmox VE Helper Scripts" --inputbox "[X509 Policy] Allowed by DNS. Use full ('domain.local') or wildcard ('*.local') DNS:" 8 58 "" --title "Configure Certificate Authority" 3>&1 1>&2 2>&3); then
@ -102,7 +90,6 @@ function ca_settings() {
fi fi
done done
# Basic - Step 4: X509 policy allow by IP address/range
x509_policy_ips=() x509_policy_ips=()
while true; do while true; do
if ip_entry=$(whiptail --backtitle "Proxmox VE Helper Scripts" --inputbox "[X509 Policy] Allowed by IP addresses. Use single address ('192.168.1.169' or '::1') or CIDR address ranges ('192.168.1.0/24' or '2001:0db8::/120'):" 8 58 "" --title "Configure Certificate Authority" 3>&1 1>&2 2>&3); then if ip_entry=$(whiptail --backtitle "Proxmox VE Helper Scripts" --inputbox "[X509 Policy] Allowed by IP addresses. Use single address ('192.168.1.169' or '::1') or CIDR address ranges ('192.168.1.0/24' or '2001:0db8::/120'):" 8 58 "" --title "Configure Certificate Authority" 3>&1 1>&2 2>&3); then
@ -116,11 +103,9 @@ function ca_settings() {
fi fi
done done
# ACME - Step 1: Should ACME be enabled?
if (whiptail --backtitle "Proxmox VE Helper Scripts" --defaultno --title "Configure Certificate Authority" --yesno "Enable ACME?" 10 58); then if (whiptail --backtitle "Proxmox VE Helper Scripts" --defaultno --title "Configure Certificate Authority" --yesno "Enable ACME?" 10 58); then
CA_ACME="yes" CA_ACME="yes"
# ACME - Step 2: Name of ACME provider
default_ca_acme_name="acme" default_ca_acme_name="acme"
if CA_ACME_NAME=$(whiptail --backtitle "Proxmox VE Helper Scripts" --inputbox "Name of ACME provider" 8 58 "$default_ca_acme_name" --title "Configure Certificate Authority" 3>&1 1>&2 2>&3); then if CA_ACME_NAME=$(whiptail --backtitle "Proxmox VE Helper Scripts" --inputbox "Name of ACME provider" 8 58 "$default_ca_acme_name" --title "Configure Certificate Authority" 3>&1 1>&2 2>&3); then
if [ -z "$CA_ACME_NAME" ]; then if [ -z "$CA_ACME_NAME" ]; then

34
install/alpine-step-ca-install.sh
View File

@ -17,44 +17,31 @@ update_os
motd_ssh motd_ssh
customize customize
# Finished base install.... now install and setup Step-CA
# Step 0: Set internal values
config_dir="/etc/step-ca" config_dir="/etc/step-ca"
passwd_file="${config_dir}/password.txt" passwd_file="${config_dir}/password.txt"
ca_admin_provisioner="Admin JWK" ca_admin_provisioner="Admin JWK"
ca_admin_subject="admin-localhost" ca_admin_subject="admin-localhost"
ca_admin_provisioner_passwd_file="${config_dir}/admin-jwk-password.txt" ca_admin_provisioner_passwd_file="${config_dir}/admin-jwk-password.txt"
# Step 1: Installing Dependencies
msg_info "Installing dependencies" msg_info "Installing dependencies"
$STD apk add newt $STD apk add newt
$STD apk add openssl $STD apk add openssl
msg_ok "Installed dependencies" msg_ok "Installed dependencies"
# Step 2: Prepare environment
msg_info "Preparing environment" msg_info "Preparing environment"
$STD echo "export STEPPATH=/etc/step-ca" > ~/.profile $STD echo "export STEPPATH=/etc/step-ca" >> ~/.profile
$STD export STEPPATH=/etc/step-ca $STD export STEPPATH=/etc/step-ca
msg_ok "Environment prepared" msg_ok "Environment prepared"
# Step 3: Do actual install of step-ca
msg_info "Installing Alpine Step-CA" msg_info "Installing Alpine Step-CA"
$STD apk add step-cli step-certificates $STD apk add step-cli step-certificates
msg_ok "Installed Alpine Step-CA" msg_ok "Installed Alpine Step-CA"
# Step 4: Setup step-ca
# Step 4a: Prepare secrets
msg_info "Generate CA secrets" msg_info "Generate CA secrets"
function generatePasswordFile(){ # argument: path of file function generatePasswordFile(){
$STD echo "$(openssl rand -base64 18 | tr -dc 'a-zA-Z0-9' | cut -c1-13)" > "$1" $STD echo "$(openssl rand -base64 18 | tr -dc 'a-zA-Z0-9' | cut -c1-13)" > "$1"
chmod 600 "$1" chmod 600 "$1"
} }
generatePasswordFile "${passwd_file}" generatePasswordFile "${passwd_file}"
@ -62,14 +49,11 @@ generatePasswordFile "${ca_admin_provisioner_passwd_file}"
msg_ok "Generated CA secrets" msg_ok "Generated CA secrets"
# Step 4b: Configure base CA
msg_info "Initialize base CA" msg_info "Initialize base CA"
# Do initialize and immediately start it for further configuration
$STD step ca init --name "${CA_NAME}" --dns localhost $CA_DNS --password-file ${passwd_file} --deployment-type standalone --address ":443" --provisioner "${ca_admin_provisioner}" --admin-subject "${ca_admin_subject}" --provisioner-password-file ${ca_admin_provisioner_passwd_file} --remote-management $STD step ca init --name "${CA_NAME}" --dns localhost $CA_DNS --password-file ${passwd_file} --deployment-type standalone --address ":443" --provisioner "${ca_admin_provisioner}" --admin-subject "${ca_admin_subject}" --provisioner-password-file ${ca_admin_provisioner_passwd_file} --remote-management
$STD rc-service step-ca start $STD rc-service step-ca start
# Wait till service has started and port is available
timeout_counter=0 timeout_counter=0
while ! nc -z localhost 443; do while ! nc -z localhost 443; do
sleep 0.5 sleep 0.5
@ -83,11 +67,9 @@ done
msg_ok "Initialized base CA" msg_ok "Initialized base CA"
# Step 4c: Configure CA policy if necessary
if [ -n "${CA_X509_POLICY_DNS}" ] || [ -n "${CA_X509_POLICY_IPS}" ]; then if [ -n "${CA_X509_POLICY_DNS}" ] || [ -n "${CA_X509_POLICY_IPS}" ]; then
msg_info "Configure CA policy" msg_info "Configure CA policy"
# Ensure admin subject is added to the allow list
$STD step ca policy authority x509 allow dns "${ca_admin_subject}" --admin-provisioner "${ca_admin_provisioner}" --admin-subject "${ca_admin_subject}" --password-file ${ca_admin_provisioner_passwd_file} $STD step ca policy authority x509 allow dns "${ca_admin_subject}" --admin-provisioner "${ca_admin_provisioner}" --admin-subject "${ca_admin_subject}" --password-file ${ca_admin_provisioner_passwd_file}
if [ -n "${CA_X509_POLICY_DNS}" ]; then if [ -n "${CA_X509_POLICY_DNS}" ]; then
@ -100,26 +82,18 @@ if [ -n "${CA_X509_POLICY_DNS}" ] || [ -n "${CA_X509_POLICY_IPS}" ]; then
msg_ok "Configured CA policy" msg_ok "Configured CA policy"
fi fi
# Step 4d: Configure ACME if desired
if [ "${CA_ACME}" = "yes" ]; then if [ "${CA_ACME}" = "yes" ]; then
msg_info "Initialize ACME for CA" msg_info "Initialize ACME for CA"
$STD step ca provisioner add "${CA_ACME_NAME}" --type ACME --x509-min-dur=20m --x509-max-dur=32h --x509-default-dur=24h --admin-provisioner "${ca_admin_provisioner}" --admin-subject "${ca_admin_subject}" --password-file ${ca_admin_provisioner_passwd_file} $STD step ca provisioner add "${CA_ACME_NAME}" --type ACME --x509-min-dur=20m --x509-max-dur=32h --x509-default-dur=24h --admin-provisioner "${ca_admin_provisioner}" --admin-subject "${ca_admin_subject}" --password-file ${ca_admin_provisioner_passwd_file}
msg_ok "Initialized ACME for CA" msg_ok "Initialized ACME for CA"
fi fi
# Step 4e: Restart service and enable auto-start
msg_info "Starting Alpine Step-CA" msg_info "Starting Alpine Step-CA"
$STD rc-service step-ca restart $STD rc-service step-ca restart
$STD rc-update add step-ca default $STD rc-update add step-ca default
msg_ok "Started Alpine Step-CA" msg_ok "Started Alpine Step-CA"
# Step 4f: Report back completion as it works from here!
msg_ok "Completed setup of CA" msg_ok "Completed setup of CA"
# Step 4g: Extend motd with step-ca fingerprint of root CA ca_root_fingerprint=$(step certificate fingerprint ${STEPPATH}/certs/root_ca.crt)
MOTD_FILE="/etc/motd" $STD echo "echo \"Fingerprint CA Root Certificate: ${ca_root_fingerprint}\" " >> ~/.profile
if [ -f "$MOTD_FILE" ]; then
ca_root_fingerprint=$(step certificate fingerprint ${STEPPATH}/certs/root_ca.crt)
echo -e "\n${TAB}${DEFAULT}${YW} Fingerprint CA Root Certificate: ${GN}${ca_root_fingerprint}${CL}" >> "$MOTD_FILE"
fi