Add firstboot onboarding and prep/check tooling

systemd/pikit-certgen.sh

@@ -0,0 +1,101 @@
+#!/usr/bin/env bash
+# Generate Pi-Kit TLS CA + server cert if missing (idempotent).
+
+set -euo pipefail
+
+CERT_DIR="/etc/pikit/certs"
+WEB_ASSETS="/var/www/pikit-web/assets"
+CA_CRT="$CERT_DIR/pikit-ca.crt"
+CA_KEY="$CERT_DIR/pikit-ca.key"
+CA_SRL="$CERT_DIR/pikit-ca.srl"
+SRV_KEY="$CERT_DIR/pikit.local.key"
+SRV_CRT="$CERT_DIR/pikit.local.crt"
+SRV_CSR="$CERT_DIR/pikit.local.csr"
+CERT_GROUP="pikit-cert"
+
+log() {
+  printf '[pikit-certgen] %s\n' "$*"
+}
+
+ensure_group() {
+  if ! getent group "$CERT_GROUP" >/dev/null 2>&1; then
+    groupadd "$CERT_GROUP" || true
+  fi
+  for u in www-data dietpi-dashboard-frontend; do
+    if id -u "$u" >/dev/null 2>&1; then
+      usermod -a -G "$CERT_GROUP" "$u" || true
+    fi
+  done
+}
+
+fix_perms() {
+  ensure_group
+  if [ -d "$CERT_DIR" ]; then
+    chgrp "$CERT_GROUP" "$CERT_DIR" || true
+    chmod 750 "$CERT_DIR" || true
+  fi
+  for f in "$CA_CRT" "$CA_KEY" "$SRV_CRT" "$SRV_KEY"; do
+    if [ -e "$f" ]; then
+      chgrp "$CERT_GROUP" "$f" || true
+    fi
+  done
+  [ -e "$CA_KEY" ] && chmod 640 "$CA_KEY"
+  [ -e "$SRV_KEY" ] && chmod 640 "$SRV_KEY"
+  [ -e "$CA_CRT" ] && chmod 644 "$CA_CRT"
+  [ -e "$SRV_CRT" ] && chmod 644 "$SRV_CRT"
+}
+
+if [ -s "$CA_CRT" ] && [ -s "$CA_KEY" ] && [ -s "$SRV_KEY" ] && [ -s "$SRV_CRT" ]; then
+  mkdir -p "$WEB_ASSETS"
+  if [ ! -s "$WEB_ASSETS/pikit-ca.crt" ]; then
+    cp "$CA_CRT" "$WEB_ASSETS/pikit-ca.crt"
+    chmod 644 "$WEB_ASSETS/pikit-ca.crt"
+    log "Copied CA to web assets."
+  fi
+  fix_perms
+  log "TLS certs already present; skipping generation."
+  exit 0
+fi
+
+if ! command -v openssl >/dev/null 2>&1; then
+  log "openssl not installed; cannot generate certs."
+  exit 1
+fi
+
+log "Generating TLS certs..."
+mkdir -p "$CERT_DIR" "$WEB_ASSETS"
+ensure_group
+chgrp "$CERT_GROUP" "$CERT_DIR" || true
+chmod 750 "$CERT_DIR"
+
+rm -f "$CA_KEY" "$CA_CRT" "$CA_SRL" "$SRV_KEY" "$SRV_CRT" "$SRV_CSR" || true
+
+openssl genrsa -out "$CA_KEY" 2048
+openssl req -x509 -new -nodes -key "$CA_KEY" -sha256 -days 3650 \
+  -out "$CA_CRT" -subj "/CN=Pi-Kit CA"
+
+openssl genrsa -out "$SRV_KEY" 2048
+openssl req -new -key "$SRV_KEY" -out "$SRV_CSR" -subj "/CN=pikit.local"
+
+SAN_CFG=$(mktemp)
+cat > "$SAN_CFG" <<'CFG'
+authorityKeyIdentifier=keyid,issuer
+basicConstraints=CA:FALSE
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = pikit.local
+DNS.2 = pikit
+CFG
+
+openssl x509 -req -in "$SRV_CSR" -CA "$CA_CRT" -CAkey "$CA_KEY" \
+  -CAcreateserial -out "$SRV_CRT" -days 825 -sha256 -extfile "$SAN_CFG"
+
+rm -f "$SAN_CFG" "$SRV_CSR"
+fix_perms
+
+cp "$CA_CRT" "$WEB_ASSETS/pikit-ca.crt"
+chmod 644 "$WEB_ASSETS/pikit-ca.crt"
+
+log "TLS certs generated."