Add CA hash sidecar for onboarding

This commit is contained in:
Aaron
2026-01-02 22:43:43 -05:00
parent 40b1b43449
commit 32a9f42361
4 changed files with 61 additions and 4 deletions


@@ -235,6 +235,7 @@ prep_image() {
clean_file /etc/pikit/certs/pikit.local.key
clean_file /etc/pikit/certs/pikit.local.csr
clean_file /var/www/pikit-web/assets/pikit-ca.crt
clean_file /var/www/pikit-web/assets/pikit-ca.sha256
# --- Backup/editor cruft ---
clean_backups /var/www/pikit-web
@@ -515,6 +516,7 @@ check_image() {
check_file_missing /etc/pikit/certs/pikit.local.crt
check_file_missing /etc/pikit/certs/pikit.local.key
check_file_missing /var/www/pikit-web/assets/pikit-ca.crt
check_file_missing /var/www/pikit-web/assets/pikit-ca.sha256
section "Logs"
if [ -d /var/log ]; then


@@ -108,13 +108,45 @@
if (el) el.textContent = cmd;
});
async function loadCaHash() {
async function fetchText(url) {
const res = await fetch(url, { cache: "no-store" });
if (!res.ok) return "";
return (await res.text()).trim();
}
async function fetchCaHashFromApi() {
const res = await fetch("/api/firstboot", { cache: "no-store" });
if (!res.ok) return "";
const data = await res.json();
return data?.ca_hash || "";
}
async function loadCaHash(retries = 10) {
if (!caHash) return;
try {
const res = await fetch("/api/firstboot");
const data = await res.json();
caHash.textContent = data?.ca_hash || "Unavailable";
const assetHash = await fetchText("/assets/pikit-ca.sha256");
if (assetHash) {
caHash.textContent = assetHash.split(/\s+/)[0];
return;
}
} catch (err) {
// ignore and try API
}
try {
const apiHash = await fetchCaHashFromApi();
if (apiHash) {
caHash.textContent = apiHash;
return;
}
} catch (err) {
// fall through
}
if (retries > 0) {
caHash.textContent = "Generating...";
setTimeout(() => loadCaHash(retries - 1), 2000);
} else {
caHash.textContent = "Unavailable";
}
}
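Review bot: `loadCaHash` displays whatever the first whitespace-separated token of `/assets/pikit-ca.sha256` happens to be (`caHash.textContent = assetHash.split(/\s+/)[0];`) without checking that it is a SHA-256 digest, so a 200 response with the wrong body (an HTML fallback page, or an empty/partial sidecar while the certgen script is rewriting it) is shown to the user as the CA hash and also ends the API fallback and retry loop. Validating the format before accepting it keeps the fallbacks in play — `const token = assetHash.split(/\s+/)[0];` then `if (/^[0-9a-f]{64}$/i.test(token)) { caHash.textContent = token; return; }` — and the same check suits `data?.ca_hash` in `fetchCaHashFromApi`. Since the sidecar is served from the same origin as the certificate it describes, it helps the user copy and compare the fingerprint against what their browser shows but does not by itself authenticate the CA; a one-line comment above `fetchText` saying so would stop a later reader from treating it as a trust anchor. Whether the closing brace at the end of the hunk belongs to `loadCaHash` cannot be confirmed from this view, and `caHash` is defined outside it.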


@@ -17,6 +17,19 @@ log() {
printf '[pikit-certgen] %s\n' "$*"
}
write_ca_hash() {
if [ -s "$WEB_ASSETS/pikit-ca.crt" ]; then
if command -v sha256sum >/dev/null 2>&1; then
sha256sum "$WEB_ASSETS/pikit-ca.crt" | awk '{print $1}' > "$WEB_ASSETS/pikit-ca.sha256"
elif command -v openssl >/dev/null 2>&1; then
openssl dgst -sha256 "$WEB_ASSETS/pikit-ca.crt" | awk '{print $2}' > "$WEB_ASSETS/pikit-ca.sha256"
fi
if [ -s "$WEB_ASSETS/pikit-ca.sha256" ]; then
chmod 644 "$WEB_ASSETS/pikit-ca.sha256"
fi
fi
}
ensure_group() {
if ! getent group "$CERT_GROUP" >/dev/null 2>&1; then
groupadd "$CERT_GROUP" || true
@@ -52,6 +65,7 @@ if [ -s "$CA_CRT" ] && [ -s "$CA_KEY" ] && [ -s "$SRV_KEY" ] && [ -s "$SRV_CRT"
chmod 644 "$WEB_ASSETS/pikit-ca.crt"
log "Copied CA to web assets."
fi
write_ca_hash
fix_perms
log "TLS certs already present; skipping generation."
exit 0
@@ -97,5 +111,6 @@ fix_perms
cp "$CA_CRT" "$WEB_ASSETS/pikit-ca.crt"
chmod 644 "$WEB_ASSETS/pikit-ca.crt"
write_ca_hash
log "TLS certs generated."
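Review bot: `write_ca_hash` truncates `$WEB_ASSETS/pikit-ca.sha256` with `>` before the pipeline has produced any output, so a page load that fetches the sidecar in that window — or after a failed `sha256sum`/`awk`, since the pipeline has no `pipefail` — gets a 200 with an empty or partial body instead of the previous good value, and when neither `sha256sum` nor `openssl` is present nothing is logged to explain why the onboarding page later reports the hash as unavailable. Writing to a temporary file in the same directory and renaming it into place makes the published sidecar either the old complete hash or the new one, and the `chmod 644` can be applied before the rename so the served file never exists with default-umask permissions. The inline copy of this logic in the install script hunk (`@@ -192,6 +192,14 @@ finish_step 1`) has the same truncation window. The surrounding `if` at `@@ -52,6 +65,7 @@` starts outside its hunk, so whether `write_ca_hash` runs on every early-exit path cannot be confirmed here.
```shell
write_ca_hash() {
  [ -s "$WEB_ASSETS/pikit-ca.crt" ] || return 0
  tmp="$WEB_ASSETS/.pikit-ca.sha256.tmp"
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$WEB_ASSETS/pikit-ca.crt" | awk '{print $1}' > "$tmp"
  elif command -v openssl >/dev/null 2>&1; then
    openssl dgst -sha256 "$WEB_ASSETS/pikit-ca.crt" | awk '{print $2}' > "$tmp"
  else
    log "Neither sha256sum nor openssl found; CA hash sidecar not written."
    return 0
  fi
  # Publish atomically: readers see either the previous complete hash or the new one.
  if [ -s "$tmp" ]; then
    chmod 644 "$tmp" && mv -f "$tmp" "$WEB_ASSETS/pikit-ca.sha256"
  else
    rm -f "$tmp"
    log "Failed to compute CA hash; sidecar left unchanged."
  fi
}
```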


@@ -192,6 +192,14 @@ finish_step 1
begin_step 2
cp "$CERT_DIR/pikit-ca.crt" "$WEB_ASSETS/pikit-ca.crt"
chmod 644 "$WEB_ASSETS/pikit-ca.crt"
if command -v sha256sum >/dev/null 2>&1; then
sha256sum "$WEB_ASSETS/pikit-ca.crt" | awk '{print $1}' > "$WEB_ASSETS/pikit-ca.sha256"
elif command -v openssl >/dev/null 2>&1; then
openssl dgst -sha256 "$WEB_ASSETS/pikit-ca.crt" | awk '{print $2}' > "$WEB_ASSETS/pikit-ca.sha256"
fi
if [ -s "$WEB_ASSETS/pikit-ca.sha256" ]; then
chmod 644 "$WEB_ASSETS/pikit-ca.sha256"
fi
if command -v systemctl >/dev/null 2>&1; then
systemctl reload nginx || systemctl restart nginx
fi
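Review bot: The eight lines computing and chmod-ing `pikit-ca.sha256` after `cp "$CERT_DIR/pikit-ca.crt"` duplicate `write_ca_hash` from the certgen script (the one logging as `[pikit-certgen]`), so the two copies can drift — for example if one later changes the `awk` field index or the digest tool — and the onboarding page would then show different values depending on which script wrote the sidecar last. If the install script can source or invoke that script's helper, calling `write_ca_hash` here instead of the inline block is the safer form; if it cannot, a comment such as `# keep in sync with write_ca_hash in the certgen script` above `if command -v sha256sum` at least ties the two implementations together. The step this block belongs to (`begin_step 2`) continues outside the hunk.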