github-personal/labca
1
0
Fork 0
mirror of https://github.com/outbackdingo/labca.git synced 2026-01-27 10:19:34 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
273b2b83ff426ef63b2ca2b28e27fca7584a857b
labca/control.sh

104 lines
3.4 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
set -e
get_fqdn() {
local file_fqdn=""
if [ -e /opt/labca/data/config.json ]; then
file_fqdn=$(grep fqdn /opt/labca/data/config.json 2>/dev/null | cut -d ":" -f 2- | tr -d " \",")
fi
if [ "$file_fqdn" == "" ]; then
if [ "$LABCA_FQDN" == "notset" ]; then
echo "ERROR: environment variable LABCA_FQDN is not set!"
exit 1
else
echo -e "{\n \"config\": {\n \"complete\": false\n },\n \"labca\": {\n \"fqdn\": \"$LABCA_FQDN\"\n },\n \"version\": \"\"\n}" > /opt/labca/data/config.json
fi
elif [ "$LABCA_FQDN" != "notset" ] && [ "$LABCA_FQDN" != "$file_fqdn" ]; then
echo "WARNING: environment variable LABCA_FQDN ('$LABCA_FQDN') does not match config file. Using '$file_fqdn'..."
export LABCA_FQDN=$file_fqdn
fi
}
# TODO: install docker should be done in pre-baked image
install_docker() {
export DEBIAN_FRONTEND=noninteractive
apt update
apt install -y apt-transport-https ca-certificates curl software-properties-common
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add -
add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu focal stable"
apt-cache policy docker-ce
apt update
apt install -y docker-ce
}
selfsigned_cert() {
pushd /etc/nginx/ssl >/dev/null
openssl req -x509 -nodes -sha256 -newkey rsa:2048 -keyout labca_key.pem -out labca_cert.pem -days 7 \
-subj "/O=LabCA/CN=$LABCA_FQDN" -reqexts SAN -extensions SAN \
-config <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nbasicConstraints=CA:FALSE\nnsCertType=server\nsubjectAltName=DNS:$LABCA_FQDN"))
popd >/dev/null
}
renew_near_expiry() {
pushd /etc/nginx/ssl >/dev/null
if ! expires=$(openssl x509 -checkend 86400 -noout -in /etc/nginx/ssl/labca_cert.pem); then
hash=$(openssl x509 -hash -noout -in /etc/nginx/ssl/labca_cert.pem)
issuer_hash=$(openssl x509 -issuer_hash -noout -in /etc/nginx/ssl/labca_cert.pem)
if [ "$hash" == "$issuer_hash" ]; then
selfsigned_cert
else
echo "acme-request" | /opt/labca/commander
fi
fi
popd >/dev/null
}
# TODO: install cron should be done in pre-baked image
start_cron() {
apt update
apt install -y cron
[ -e /opt/boulder/labca/setup_complete ] && [ ! -e /etc/cron.d/labca ] && ln -sf /opt/labca/cron_d /etc/cron.d/labca || true
chmod g-w /opt/labca/cron_d
[ -e /opt/logs/cron.log ] || touch /opt/logs/cron.log
tail -f -n0 /opt/logs/cron.log &
service cron start
}
# TODO: install ucspi-tcp should be done in pre-baked image
serve_commander() {
apt update
apt install -y ucspi-tcp
cd /opt/boulder/labca
/opt/labca/gui/apply-boulder
cd -
echo "Start serving commander script..."
tcpserver 0.0.0.0 3030 /opt/labca/commander
}
main() {
mkdir -p /opt/logs
get_fqdn
docker ps &>/dev/null || install_docker
# Use python 3.10 to prevent warnings from certbot
add-apt-repository -y ppa:deadsnakes/ppa
apt update
apt install -y python3.10-venv
python3.10 -m venv /opt/certbot
/opt/certbot/bin/pip install --upgrade pip
/opt/certbot/bin/pip install certbot
ln -sf /opt/certbot/bin/certbot /usr/bin/certbot
[ -e /etc/nginx/ssl/labca_cert.pem ] || selfsigned_cert
renew_near_expiry
start_cron
serve_commander
}
main "$@"
Reference in New Issue View Git Blame Copy Permalink