#!/usr/bin/env bash
# Generate Pi-Kit TLS CA + server cert if missing (idempotent).
#
# Creates a local CA and a server certificate for pikit.local under CERT_DIR,
# publishes the CA certificate (plus its SHA-256) into WEB_ASSETS, and gives
# CERT_GROUP read access to the key material. Needs root: it calls
# groupadd/usermod/chgrp.
set -euo pipefail

# Private location of the CA and server key material (directory ends up 750).
CERT_DIR="/etc/pikit/certs"
# Public web directory that receives a copy of the CA cert and its hash file.
WEB_ASSETS="/var/www/pikit-web/assets"

CA_CRT="${CERT_DIR}/pikit-ca.crt"
CA_KEY="${CERT_DIR}/pikit-ca.key"
CA_SRL="${CERT_DIR}/pikit-ca.srl"      # serial file produced by -CAcreateserial
SRV_KEY="${CERT_DIR}/pikit.local.key"
SRV_CRT="${CERT_DIR}/pikit.local.crt"
SRV_CSR="${CERT_DIR}/pikit.local.csr"  # transient; removed once the cert is signed

# Group applied to the cert files; members can read the private keys (mode 640).
CERT_GROUP="pikit-cert"
#######################################
# Print a tagged status line to stdout.
# Arguments: all arguments are joined with spaces into one message
# Outputs:   "[pikit-certgen] <message>" followed by a newline
#######################################
log() {
  local message="$*"
  printf '[pikit-certgen] %s\n' "$message"
}
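#######################################
# Publish the SHA-256 of the web copy of the CA cert next to it, so clients
# can verify the download. No-op when the web copy is absent/empty or when
# neither sha256sum nor openssl is available.
# Globals:   WEB_ASSETS (read)
# Outputs:   writes $WEB_ASSETS/pikit-ca.sha256 (mode 644, hex digest + newline)
# Returns:   0; a failing hash command aborts the script under 'set -e'
#######################################
write_ca_hash() {
  local ca_pub="$WEB_ASSETS/pikit-ca.crt"
  local hash_file="$WEB_ASSETS/pikit-ca.sha256"
  local digest="" tmp

  # Nothing to hash if the published CA is missing or empty.
  [ -s "$ca_pub" ] || return 0

  if command -v sha256sum >/dev/null 2>&1; then
    digest=$(sha256sum "$ca_pub" | awk '{print $1}')
  elif command -v openssl >/dev/null 2>&1; then
    # 'openssl dgst' prints "<label>(path)= <hex>"; the digest is the last field.
    digest=$(openssl dgst -sha256 "$ca_pub" | awk '{print $NF}')
  else
    log "Neither sha256sum nor openssl found; CA hash not written."
    return 0
  fi

  # Never publish anything that is not a 64-character hex SHA-256.
  if ! [[ "$digest" =~ ^[0-9a-f]{64}$ ]]; then
    log "Unexpected digest output; leaving $hash_file untouched."
    return 0
  fi

  # Write to a temp file in the same directory and rename it into place, so the
  # published hash is never empty/half-written (the old code truncated the
  # target with '>' before the hash command had succeeded).
  tmp=$(mktemp "$WEB_ASSETS/.pikit-ca.sha256.XXXXXX")
  printf '%s\n' "$digest" > "$tmp"
  chmod 644 "$tmp"
  mv -f "$tmp" "$hash_file"
}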
#######################################
# Make sure the cert group exists and that the web/dashboard service accounts
# are members of it. Every step is best-effort: a missing user is skipped and
# groupadd/usermod failures are ignored.
# Globals:   CERT_GROUP (read)
# Returns:   always 0
#######################################
ensure_group() {
  local account

  # Create the group only if getent cannot find it.
  getent group "$CERT_GROUP" >/dev/null 2>&1 || groupadd "$CERT_GROUP" || true

  # Add each known service account that exists on this host to the group.
  for account in www-data dietpi-dashboard-frontend; do
    id -u "$account" >/dev/null 2>&1 || continue
    usermod -a -G "$CERT_GROUP" "$account" || true
  done
}
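#######################################
# Apply ownership and modes to the cert directory and files:
#   directory 750, private keys 640, certificates 644, all chgrp'd to CERT_GROUP.
# Group changes are best-effort; a failing chmod on an existing file aborts
# the script under 'set -e' (a key left too open must not go unnoticed).
# Globals:   CERT_DIR, CERT_GROUP, CA_CRT, CA_KEY, SRV_CRT, SRV_KEY (read)
# Returns:   0 (the old '[ -e ] && chmod' form returned 1 when the last file
#            was absent, which would trip 'set -e' in the caller)
#######################################
fix_perms() {
  local f
  ensure_group

  if [ -d "$CERT_DIR" ]; then
    chgrp "$CERT_GROUP" "$CERT_DIR" || true
    chmod 750 "$CERT_DIR" || true
  fi

  for f in "$CA_CRT" "$CA_KEY" "$SRV_CRT" "$SRV_KEY"; do
    if [ -e "$f" ]; then
      chgrp "$CERT_GROUP" "$f" || true
    fi
  done

  # Private keys: owner rw, group r (service accounts read them via the group).
  for f in "$CA_KEY" "$SRV_KEY"; do
    if [ -e "$f" ]; then
      chmod 640 "$f"
    fi
  done

  # Certificates are public material.
  for f in "$CA_CRT" "$SRV_CRT"; do
    if [ -e "$f" ]; then
      chmod 644 "$f"
    fi
  done

  return 0
}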
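# Fast path: all key material already exists. Re-publish the CA for clients,
# re-apply permissions, and exit without touching the keys.
# NOTE(review): '-s' only checks that the files are non-empty; an expired
# certificate is not detected here — confirm whether rotation is expected
# to be handled by deleting the files and re-running.
if [ -s "$CA_CRT" ] && [ -s "$CA_KEY" ] && [ -s "$SRV_KEY" ] && [ -s "$SRV_CRT" ]; then
  mkdir -p "$WEB_ASSETS"
  # Copy when the web copy is missing OR differs from the CA on disk, so
  # clients never fetch a stale CA that did not sign the current server cert
  # (the old check only looked at whether the web copy was non-empty).
  if ! cmp -s "$CA_CRT" "$WEB_ASSETS/pikit-ca.crt"; then
    cp "$CA_CRT" "$WEB_ASSETS/pikit-ca.crt"
    chmod 644 "$WEB_ASSETS/pikit-ca.crt"
    log "Copied CA to web assets."
  fi
  write_ca_hash
  fix_perms
  log "TLS certs already present; skipping generation."
  exit 0
fi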
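if ! command -v openssl >/dev/null 2>&1; then
  log "openssl not installed; cannot generate certs."
  exit 1
fi

log "Generating TLS certs..."
mkdir -p "$CERT_DIR" "$WEB_ASSETS"
ensure_group
chgrp "$CERT_GROUP" "$CERT_DIR" || true
chmod 750 "$CERT_DIR"

# Start from a clean slate so leftovers of a half-finished earlier run cannot
# be mixed with fresh material.
rm -f "$CA_KEY" "$CA_CRT" "$CA_SRL" "$SRV_KEY" "$SRV_CRT" "$SRV_CSR" || true

# Create new files (the private keys in particular) owner-only. fix_perms
# widens them to their final 640/644 modes once everything is written, so a
# freshly generated key is never readable by other users in the meantime.
umask 077

SAN_CFG=$(mktemp)
# Remove scratch files on every exit path — including an openssl failure that
# aborts the script under 'set -e', which previously leaked the mktemp file.
trap 'rm -f -- "$SAN_CFG" "$SRV_CSR"' EXIT

# Local CA: 10-year self-signed root.
openssl genrsa -out "$CA_KEY" 2048
openssl req -x509 -new -nodes -key "$CA_KEY" -sha256 -days 3650 \
  -out "$CA_CRT" -subj "/CN=Pi-Kit CA"

# Server key + CSR for pikit.local.
openssl genrsa -out "$SRV_KEY" 2048
openssl req -new -key "$SRV_KEY" -out "$SRV_CSR" -subj "/CN=pikit.local"

# Leaf-certificate extensions. extendedKeyUsage=serverAuth is required by
# Apple platforms for TLS server certs (alongside the 825-day lifetime used
# below); without it Safari/iOS reject the cert even with the CA trusted.
cat > "$SAN_CFG" <<'CFG'
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = pikit.local
DNS.2 = pikit
CFG

# Sign the server cert with the CA; 825 days is the maximum Apple accepts.
openssl x509 -req -in "$SRV_CSR" -CA "$CA_CRT" -CAkey "$CA_KEY" \
  -CAcreateserial -out "$SRV_CRT" -days 825 -sha256 -extfile "$SAN_CFG"

fix_perms
cp "$CA_CRT" "$WEB_ASSETS/pikit-ca.crt"
chmod 644 "$WEB_ASSETS/pikit-ca.crt"
write_ca_hash
log "TLS certs generated."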