v0.2.2

codeowners: Add CODEOWNERS file

.github/CODEOWNERS

@@ -0,0 +1,2 @@
+# Main repo owners:
+*       @dfunckt @richbayliss

.gitignore

@@ -3,3 +3,4 @@
 .vagrant/
 config/
 src/
+package-lock.json

.openbalenarc

@@ -0,0 +1,50 @@
+#!/bin/bash
+
+alias dc="/home/vagrant/openbalena/scripts/compose"
+
+function enter () {
+	if [[ $# -lt 1 ]]; then			
+		echo "Usage: enter <service name> [command]"
+		echo "  "
+		echo "  Runs a [command] in the service specified."
+		echo "  "
+		echo "  command:"
+		echo "    (default) /bin/bash"
+		echo "  "
+		echo "  example:"
+		echo "    enter api          # this will run the command '/bin/bash' in the API service, providing a shell prompt"
+		echo "    enter api uptime   # this will run the command 'uptime' in the API service, and return"
+		return 1
+	fi
+
+
+	service="$1"
+	shift
+	COMMAND=/bin/bash
+	if [[ $# -gt 0 ]]; then
+		COMMAND="$@"
+	fi
+	dc exec ${service} /bin/bash -c "${COMMAND}"
+}
+
+function logs () {
+	if [[ $# -lt 1 ]]; then			
+		echo "Usage: logs <service name> [options]"
+		echo "  "
+		echo "  Shows the logs from journalctl in the service specified."
+		echo "  "
+		echo "  options:"
+		echo "    -f  tail the log stream"
+		echo "    -n  number of lines to take"
+		echo "  "
+		echo "  example:"
+		echo "    logs api -fn100 # this will tail the API log, starting with the last 100 lines"
+		return 1
+	fi
+
+	service="$1"
+	shift
+	enter ${service} journalctl "$@"
+}
+
+cd /home/vagrant/openbalena

CHANGELOG.md

@@ -4,18 +4,80 @@ All notable changes to this project will be documented in this file
 automatically by Versionist. DO NOT EDIT THIS FILE MANUALLY!
 This project adheres to [Semantic Versioning](http://semver.org/).
 
-## v0.0.4 - 2018-11-02
+# v0.2.2
+## (2019-03-08)
+
+* codeowners: Add CODEOWNERS file [Rich Bayliss]
+
+# v0.2.1
+## (2019-03-08)
+
+* certs: Add support for an ACME certificate provider [Rich Bayliss]
+
+# v0.2.0
+## (2019-01-25)
+
+* Do not publish DB and Redis ports to the host [Akis Kesoglou]
+
+# v0.1.4
+## (2019-01-10)
+
+* vagrant: Add missing Node dependency [Rich Bayliss]
+
+# v0.1.3
+## (2019-01-10)
+
+* vagrant: Improve the Vagrant file to make development easier [Rich Bayliss]
+
+# v0.1.2
+## (2018-12-20)
+
+* init: Make scripts macOS compatible [Rich Bayliss]
+
+# v0.1.1
+## (2018-12-17)
+
+* Ignore package-lock.json [Akis Kesoglou]
+* Print the proper path to root CA cert [Akis Kesoglou]
+
+# v0.1.0
+## (2018-11-20)
+
+* vagrant: Change into open-balena directory automatically [Will Boyce]
+* api: Pass full VPN CA chain to `os-config` [Will Boyce]
+* haproxy: Proxy port 3128 to vpn service [Will Boyce]
+
+# v0.0.7
+## (2018-11-14)
+
+* Update README [Akis Kesoglou]
+
+# v0.0.6
+## (2018-11-10)
+
+* fix changelog.md [Giovanni Garufi]
+
+# v0.0.5
+## (2018-11-07)
+
+* env: Pass superuser credentials in the environment [Rich Bayliss]
+
+# v0.0.4
+## (2018-11-02)
 
 * Automatically detect the correct NodeJS binary [Akis Kesoglou]
 
-## v0.0.3 - 2018-11-02
+# v0.0.3
+## (2018-11-02)
 
 * Forward VPN config to the API container [Akis Kesoglou]
 
-## v0.0.2 - 2018-11-01
+# v0.0.2
+## (2018-11-01)
 
 * Add support for automatic versioning [Akis Kesoglou]
 
-## v0.0.1 - 2018-02-20
+# v0.0.1
+## (2018-02-20)
 
 * Initial commit

README.md

@@ -1,64 +1,113 @@
+<img alt="openBalena" src="docs/assets/openbalena-logo.svg" height="82">
 
-## Host requirements
+---
 
-- Docker >= 18.05.0
-- Docker Compose >= 1.11
-- OpenSSL >= 1.0.0
-- Python >= 2.7 or >=3.4
-- NodeJS >= 4.0
+OpenBalena is a platform to deploy and manage connected devices. Devices run
+[balenaOS][balena-os-website], a host operating system designed for running
+containers on IoT devices, and are managed via the [balena CLI][balena-cli],
+which you can use to configure your application containers, push updates, check
+status, view logs, and so forth. OpenBalena’s backend services, composed of
+battle-tested components that we’ve run in production on [balenaCloud][balena-cloud-website]
+for years, can store device information securely and reliably, allow remote
+management via a built-in VPN service, and efficiently distribute container
+images to your devices.
 
-## Installation
+To learn more about openBalena, visit [balena.io/open][open-balena-website].
 
-Make sure you have the software listed above installed.
 
-In a terminal, clone the project with:
+## Features
 
-    $ git clone https://github.com/balena-io/open-balena.git
+- **Simple provisioning**: Adding devices to your fleet is a breeze
+- **Easy updates**: Remotely update the software on your devices with a single command
+- **Container-based**: Benefit from the power of virtualization, optimized for the edge
+- **Scalable**: Deploy and manage one device, or one million
+- **Powerful API & SDK**: Extend openBalena to fit your needs
+- **Built-in VPN**: Access your devices regardless of their network environment
 
-Change into the `open-balena` directory and run the configuration script.
-This will create a new directory, `config`, and generate appropriate SSL
-certificates and configuration for the instance.
 
-    $ ./scripts/quickstart
+## Roadmap
 
-You may optionally configure the instance to run under a custom domain name.
-The default is `openbalena.local`. For example:
+OpenBalena is currently in beta. While fully functional, it lacks features we
+consider important before we can comfortably call it production-ready. During
+this phase, don’t be alarmed if things don’t work as expected just yet (and
+please let us know about any bugs or errors you encounter!). The following
+improvements and new functionality is planned:
 
-    $ ./scripts/quickstart -d mydomain.com
+- Full documentation
+- Full test suite
+- Simplified deployment
+- Remote host OS updates
+- Support for custom device types
 
-For more available options, see the script's help:
 
-    $ ./scripts/quickstart -h
+## Contributing
 
-Start the instance with:
+Everyone is welcome to contribute to openBalena. There are many different ways
+to get involved apart from submitting pull requests, including helping other
+users on the [forums][forums], reporting or triaging [issues][issue-tracker],
+reviewing and discussing [pull requests][pulls], or just spreading the word.
 
-    $ ./scripts/compose up -d
+All of openBalena is hosted on GitHub. Apart from its constituent components,
+which are the [API][open-balena-api], [VPN][open-balena-vpn], [Registry][open-balena-registry],
+[S3 storage service][open-balena-s3], and [Database][open-balena-db], contributions
+are also welcome to its client-side software such as the [balena CLI][balena-cli],
+the [balena SDK][balena-sdk], [balenaOS][balena-os] and [balenaEngine][balena-engine].
 
-Stop the instance with:
 
-    $ ./scripts/compose stop
+## Getting Started
 
-To remove all traces of the instance, run the following commands and finally
-delete the configuration folder.
+Our [Getting Started][getting-started] guide is the most direct path to getting
+an openBalena installation up and running and successfully deploying your
+application to your device(s).
 
-**WARNING**: This will remove *all* data.
 
-    $ ./scripts/compose kill
-    $ ./scripts/compose down
-    $ docker volume rm openbalena_s3 openbalena_redis openbalena_db openbalena_registry
+## Documentation
 
-### macOS & Windows
+While we're still working on the project documentation, please refer to the
+[balenaCloud documentation][documentation]. BalenaCloud is built on top of
+openBalena, so the core concepts and functionality is identical. The following
+sections are of particular interest:
 
-On macOS and Windows you need Vagrant. `open-balena` is not being tested with
-docker-machine. `open-balena` comes with an appropriate `Vagrantfile` for
-setting up the VM, installing dependencies and starting the platform.
+- [Overview / A balena primer](https://balena.io/docs/learn/welcome/primer)
+- [Overview / Core Concepts](https://balena.io/docs/learn/welcome/concepts)
+- [Overview / Going to production](https://balena.io/docs/learn/welcome/production-plan)
+- [Develop / Define a container](https://balena.io/docs/learn/develop/dockerfile)
+- [Develop / Multiple containers](https://balena.io/docs/learn/develop/multicontainer)
+- [Develop / Runtime](https://balena.io/docs/learn/develop/runtime)
+- [Develop / Interact with hardware](https://balena.io/docs/learn/develop/hardware)
+- [Deploy / Optimize your builds](https://balena.io/docs/learn/deploy/build-optimization)
+- [Reference](https://balena.io/docs/reference)
+- [FAQ](https://balena.io/docs/faq/troubleshooting/faq)
 
-- Install Vagrant >= 2.0
-- `$ vagrant plugin install vagrant-docker-compose`
-- `$ vagrant up`
 
-When provisioning completes and the VM has started, `open-balena` services
-should be running inside the VM. You will need to expose these services to
-the outside in order for them to be reachable by devices. To do so, you must
-setup DNS for the domain name you've deployed the instance as to point to the
-VM's IP address.
+## Getting Help
+
+You are welcome to submit any questions, participate in discussions and request
+help with any issue in [openBalena forums][forums]. The balena team frequents
+these forums and will be happy to help. You can also ask other community members
+for help, or contribute by answering questions posted by fellow openBalena users.
+Please do not use the issue tracker for support-related questions.
+
+
+## License
+
+OpenBalena is licensed under the terms of AGPL v3. See [LICENSE](LICENSE) for details.
+
+
+[balena-cli]: https://github.com/balena-io/balena-cli
+[balena-cloud-website]: https://balena.io/cloud
+[balena-engine]: https://github.com/balena-os/balena-engine
+[balena-os-website]: https://balena.io/os
+[balena-os]: https://github.com/balena-os/meta-balena
+[balena-sdk]: https://github.com/balena-io/balena-sdk
+[documentation]: https://balena.io/docs/learn/welcome/introduction/
+[forums]: https://forums.balena.io/c/open-balena
+[getting-started]: https://balena.io/open/docs/getting-started
+[issue-tracker]: https://github.com/balena-io/open-balena/issues
+[open-balena-api]: https://github.com/balena-io/open-balena-api
+[open-balena-db]: https://github.com/balena-io/open-balena-db
+[open-balena-registry]: https://github.com/balena-io/open-balena-registry
+[open-balena-s3]: https://github.com/balena-io/open-balena-s3
+[open-balena-vpn]: https://github.com/balena-io/open-balena-vpn
+[open-balena-website]: https://balena.io/open
+[pulls]: https://github.com/balena-io/open-balena/pulls

VERSION

@@ -1 +1 @@
-0.0.4
+0.2.2

Vagrantfile

@@ -7,22 +7,30 @@ Vagrant.require_version '>= 2.0.0'
 end
 
 Vagrant.configure('2') do |config|
-  config.vm.define 'openbalenavm'
-  config.vm.box = 'bento/ubuntu-16.04'
-  config.vm.box_url = 'https://vagrantcloud.com/bento/boxes/ubuntu-16.04/versions/201808.24.0/providers/virtualbox.box'
+  config.vm.define 'openbalena'
+  config.vm.hostname = 'openbalena-vagrant'
+  config.vm.box = 'bento/ubuntu-18.04'
+
+  config.vm.network "public_network",
+    use_dhcp_assigned_default_route: true
 
   config.vm.synced_folder '.', '/vagrant', disabled: true
-  config.vm.synced_folder '.', '/home/vagrant/open-balena'
-  config.vm.network 'public_network', bridge: ENV.fetch('OPENBALENA_BRIDGE', '')
+  config.vm.synced_folder '.', '/home/vagrant/openbalena'
 
   config.ssh.forward_agent = true
 
   config.vm.provision :docker
   config.vm.provision :docker_compose
 
-  # FIXME: remove node
-  config.vm.provision :shell, inline: 'apt-get update && apt-get install -y nodejs && rm -rf /var/lib/apt/lists/*'
+  $provision = <<-SCRIPT
+    touch /home/vagrant/.bashrc
+    grep -Fxq 'source /home/vagrant/openbalena/.openbalenarc' /home/vagrant/.bashrc || echo 'source /home/vagrant/openbalena/.openbalenarc' >> /home/vagrant/.bashrc
+
+    curl -o- https://raw.githubusercontent.com/creationix/nvm/v0.34.0/install.sh | bash
+    source "/home/vagrant/.nvm/nvm.sh" # This loads nvm
+    nvm install 10.15.0 && nvm use 10.15.0
+  SCRIPT
+
+  config.vm.provision :shell, privileged: false, inline: $provision
 
-  config.vm.provision :shell, privileged: false,
-    inline: "cd /home/vagrant/open-balena && ./scripts/quickstart -p -d #{ENV.fetch('OPENBALENA_DOMAIN', 'openbalena.local')}"
 end

cert-provider/Dockerfile

@@ -0,0 +1,20 @@
+FROM alpine
+
+EXPOSE 80
+WORKDIR /usr/src/app
+VOLUME [ "/usr/src/app/certs" ]
+
+RUN apk add --update bash curl git openssl ncurses socat
+
+RUN git clone https://github.com/Neilpang/acme.sh.git && \
+    cd acme.sh && \
+    git checkout 08357e3cb0d80c84bdaf3e42ce0e439665387f57 . && \
+    ./acme.sh --install  \
+    --cert-home /usr/src/app/certs
+
+COPY entry.sh /entry.sh
+COPY cert-provider.sh ./cert-provider.sh
+COPY fake-le-bundle.pem ./
+
+ENTRYPOINT [ "/entry.sh" ]
+CMD [ "/usr/src/app/cert-provider.sh" ]

cert-provider/cert-provider.sh

@@ -0,0 +1,181 @@
+#!/bin/bash
+
+# the acme.sh client script, installed via Git in the Dockerfile...
+ACME_BIN="$(realpath ~/.acme.sh/acme.sh)"
+
+# the path to a bundle of certs to verify a LetsEncrypt staging certificate until Apr 2036...
+ACME_STAGING_CA="/usr/src/app/fake-le-bundle.pem"
+
+# the path to a file which stores the last successful mode of certificate we acquired...
+ACME_MODE_FILE="/usr/src/app/certs/last_run_mode"
+
+# colour output helpers...
+reset=$(tput -T xterm sgr0)
+red=$(tput -T xterm setaf 1)
+green=$(tput -T xterm setaf 2)
+yellow=$(tput -T xterm setaf 3)
+blue=$(tput -T xterm setaf 4)
+
+logError() {
+    echo "${red}[Error]${reset} $1"
+}
+
+logWarn() {
+    echo "${yellow}[Warn]${reset} $1"
+}
+
+logInfo() {
+    echo "${blue}[Info]${reset} $1"
+}
+
+logSuccess() {
+    echo "${green}[Success]${reset} $1"
+}
+
+logErrorAndStop() {
+    logError "$1 [Stopping]"
+    while true; do
+        # do nothing forever...
+        sleep 60
+    done
+}
+
+retryWithDelay() {
+    RETRIES=${2:-3}
+    DELAY=${3:-5}
+
+    local ATTEMPT=0
+    while [ $RETRIES -gt $ATTEMPT ]; do
+        let "ATTEMPT++"
+        if $1; then
+            return $?
+        fi
+
+        echo "($ATTEMPT/$RETRIES) Retrying in ${DELAY} seconds..."
+        sleep $DELAY
+    done
+
+    return 1
+}
+
+waitForOnline() {
+    ADDRESS="${1,,}"
+
+    logInfo "Waiting for ${ADDRESS} to be available via HTTP..."
+    retryWithDelay "curl --output /dev/null --silent --head --fail http://${ADDRESS}" 6 5
+}
+
+isUsingStagingCert() {
+    HOST="${1,,}"
+    echo "" | openssl s_client -host "$HOST" -port 443 -showcerts 2>/dev/null | awk '/BEGIN CERT/ {p=1} ; p==1; /END CERT/ {p=0}' | openssl verify -CAfile "$ACME_STAGING_CA" > /dev/null 2>&1
+}
+
+pre-flight() {
+    case "$ACTIVE" in
+        "true"|"yes")
+            ;;
+        *)
+            logError "ACTIVE variable is not enabled. Value should be \"true\" or \"yes\" to continue."
+            return 1
+            ;;
+    esac
+
+    if [ -z "$DOMAINS" ]; then
+        logError "DOMAINS must be set. Value should be a comma-delimited string of domains."
+        return 1
+    else
+        IFS=, read -r -a ACME_DOMAINS <<< "$DOMAINS"
+        IFS=' ' read -r -a ACME_DOMAIN_ARGS <<< "${ACME_DOMAINS[@]/#/-d }"
+    fi
+
+    if [ -z "$VALIDATION" ]; then
+        logInfo "VALIDATION not set. Using default: http-01"
+        VALIDATION="http-01"
+    else
+        case "$VALIDATION" in
+            "http-01")
+                logInfo "Using validation method: $VALIDATION"
+                ;;
+            *)
+                logError "VALIDATION is invalid. Use a valid value: http-01"
+                return 1
+                ;;
+        esac
+    fi
+
+    if [ -z "$OUTPUT_PEM" ]; then
+        logError "OUTPUT_PEM must be set. Value should be the path to install your certificate to."
+        return 1
+    fi
+}
+
+waitToSeeStagingCert() {
+    logInfo "Waiting for ${ACME_DOMAINS[0]} to use a staging certificate..."
+    retryWithDelay "isUsingStagingCert ${ACME_DOMAINS[0]}" 3 5
+}
+
+lastAcquiredCertFor() {
+    ACME_MODE="${1:-none}"
+    ACME_LAST_MODE="$(cat $ACME_MODE_FILE || echo '')"
+    logInfo "Last acquired certificate for ${ACME_LAST_MODE^^}"
+    [ "${ACME_LAST_MODE,,}" == "${ACME_MODE,,}" ]
+}
+
+acquireCertificate() {
+    ACME_MODE="${1:-staging}"
+    ACME_FORCE="${2:-false}"
+    ACME_OPTS=()
+
+    if [ "${ACME_FORCE,,}" == "true" ];then ACME_OPTS+=("--force"); fi
+    case "$ACME_MODE" in
+        "production")
+            logInfo "Using PRODUCTION mode"
+            ;;
+        *)
+            logInfo "Using STAGING mode"
+            ACME_OPTS+=("--staging")
+            ;;
+    esac
+
+    case "$VALIDATION" in
+        "http-01")
+            ACME_OPTS+=("--standalone")
+            ;;
+        *)
+            logError "VALIDATION is invalid. Use a valid value: http-01"
+            return 1
+            ;;
+    esac
+
+    if ! waitForOnline "${ACME_DOMAINS[0]}"; then
+        logError "Unable to access site over HTTP"
+        return 1
+    fi
+
+    logInfo "Issuing certificates..."
+    "$ACME_BIN" --issue "${ACME_OPTS[@]}" "${ACME_DOMAIN_ARGS[@]}"
+
+    logInfo "Installing certificates..." && \
+    "$ACME_BIN" --install-cert "${ACME_DOMAIN_ARGS[@]}" \
+    --cert-file      /tmp/cert.pem  \
+    --key-file       /tmp/key.pem  \
+    --fullchain-file /tmp/fullchain.pem \
+    --reloadcmd     "cat /tmp/fullchain.pem /tmp/key.pem > $OUTPUT_PEM" && \
+
+    echo "${ACME_MODE}" > "${ACME_MODE_FILE}"
+}
+
+pre-flight || logErrorAndStop "Unable to continue due to misconfiguration. See errors above."
+
+waitForOnline "${ACME_DOMAINS[0]}" || logErrorAndStop "Unable to access ${ACME_DOMAINS[0]} on port 80. This is needed for certificate validation."
+
+if ! lastAcquiredCertFor "production"; then
+    acquireCertificate "staging" || logErrorAndStop "Unable to acquire a staging certificate."
+    waitToSeeStagingCert || logErrorAndStop "Unable to detect certificate change over. Cannot issue a production certificate."
+    acquireCertificate "production" "true" || logErrorAndStop "Unable to acquire a production certificate."
+fi
+
+logSuccess "Done!"
+
+logInfo "Running cron..."
+crond -f -d 7

cert-provider/entry.sh

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+exec "$@"

cert-provider/fake-le-bundle.pem

@@ -0,0 +1,56 @@
+-----BEGIN CERTIFICATE-----
+MIIFATCCAumgAwIBAgIRAKc9ZKBASymy5TLOEp57N98wDQYJKoZIhvcNAQELBQAw
+GjEYMBYGA1UEAwwPRmFrZSBMRSBSb290IFgxMB4XDTE2MDMyMzIyNTM0NloXDTM2
+MDMyMzIyNTM0NlowGjEYMBYGA1UEAwwPRmFrZSBMRSBSb290IFgxMIICIjANBgkq
+hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA+pYHvQw5iU3v2b3iNuYNKYgsWD6KU7aJ
+diddtZQxSWYzUI3U0I1UsRPTxnhTifs/M9NW4ZlV13ZfB7APwC8oqKOIiwo7IwlP
+xg0VKgyz+kT8RJfYr66PPIYP0fpTeu42LpMJ+CKo9sbpgVNDZN2z/qiXrRNX/VtG
+TkPV7a44fZ5bHHVruAxvDnylpQxJobtCBWlJSsbIRGFHMc2z88eUz9NmIOWUKGGj
+EmP76x8OfRHpIpuxRSCjn0+i9+hR2siIOpcMOGd+40uVJxbRRP5ZXnUFa2fF5FWd
+O0u0RPI8HON0ovhrwPJY+4eWKkQzyC611oLPYGQ4EbifRsTsCxUZqyUuStGyp8oa
+aoSKfF6X0+KzGgwwnrjRTUpIl19A92KR0Noo6h622OX+4sZiO/JQdkuX5w/HupK0
+A0M0WSMCvU6GOhjGotmh2VTEJwHHY4+TUk0iQYRtv1crONklyZoAQPD76hCrC8Cr
+IbgsZLfTMC8TWUoMbyUDgvgYkHKMoPm0VGVVuwpRKJxv7+2wXO+pivrrUl2Q9fPe
+Kk055nJLMV9yPUdig8othUKrRfSxli946AEV1eEOhxddfEwBE3Lt2xn0hhiIedbb
+Ftf/5kEWFZkXyUmMJK8Ra76Kus2ABueUVEcZ48hrRr1Hf1N9n59VbTUaXgeiZA50
+qXf2bymE6F8CAwEAAaNCMEAwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMB
+Af8wHQYDVR0OBBYEFMEmdKSKRKDm+iAo2FwjmkWIGHngMA0GCSqGSIb3DQEBCwUA
+A4ICAQBCPw74M9X/Xx04K1VAES3ypgQYH5bf9FXVDrwhRFSVckria/7dMzoF5wln
+uq9NGsjkkkDg17AohcQdr8alH4LvPdxpKr3BjpvEcmbqF8xH+MbbeUEnmbSfLI8H
+sefuhXF9AF/9iYvpVNC8FmJ0OhiVv13VgMQw0CRKkbtjZBf8xaEhq/YqxWVsgOjm
+dm5CAQ2X0aX7502x8wYRgMnZhA5goC1zVWBVAi8yhhmlhhoDUfg17cXkmaJC5pDd
+oenZ9NVhW8eDb03MFCrWNvIh89DDeCGWuWfDltDq0n3owyL0IeSn7RfpSclpxVmV
+/53jkYjwIgxIG7Gsv0LKMbsf6QdBcTjhvfZyMIpBRkTe3zuHd2feKzY9lEkbRvRQ
+zbh4Ps5YBnG6CKJPTbe2hfi3nhnw/MyEmF3zb0hzvLWNrR9XW3ibb2oL3424XOwc
+VjrTSCLzO9Rv6s5wi03qoWvKAQQAElqTYRHhynJ3w6wuvKYF5zcZF3MDnrVGLbh1
+Q9ePRFBCiXOQ6wPLoUhrrbZ8LpFUFYDXHMtYM7P9sc9IAWoONXREJaO08zgFtMp4
+8iyIYUyQAbsvx8oD2M8kRvrIRSrRJSl6L957b4AFiLIQ/GgV2curs0jje7Edx34c
+idWw1VrejtwclobqNMVtG3EiPUIpJGpbMcJgbiLSmKkrvQtGng==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIEqzCCApOgAwIBAgIRAIvhKg5ZRO08VGQx8JdhT+UwDQYJKoZIhvcNAQELBQAw
+GjEYMBYGA1UEAwwPRmFrZSBMRSBSb290IFgxMB4XDTE2MDUyMzIyMDc1OVoXDTM2
+MDUyMzIyMDc1OVowIjEgMB4GA1UEAwwXRmFrZSBMRSBJbnRlcm1lZGlhdGUgWDEw
+ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDtWKySDn7rWZc5ggjz3ZB0
+8jO4xti3uzINfD5sQ7Lj7hzetUT+wQob+iXSZkhnvx+IvdbXF5/yt8aWPpUKnPym
+oLxsYiI5gQBLxNDzIec0OIaflWqAr29m7J8+NNtApEN8nZFnf3bhehZW7AxmS1m0
+ZnSsdHw0Fw+bgixPg2MQ9k9oefFeqa+7Kqdlz5bbrUYV2volxhDFtnI4Mh8BiWCN
+xDH1Hizq+GKCcHsinDZWurCqder/afJBnQs+SBSL6MVApHt+d35zjBD92fO2Je56
+dhMfzCgOKXeJ340WhW3TjD1zqLZXeaCyUNRnfOmWZV8nEhtHOFbUCU7r/KkjMZO9
+AgMBAAGjgeMwgeAwDgYDVR0PAQH/BAQDAgGGMBIGA1UdEwEB/wQIMAYBAf8CAQAw
+HQYDVR0OBBYEFMDMA0a5WCDMXHJw8+EuyyCm9Wg6MHoGCCsGAQUFBwEBBG4wbDA0
+BggrBgEFBQcwAYYoaHR0cDovL29jc3Auc3RnLXJvb3QteDEubGV0c2VuY3J5cHQu
+b3JnLzA0BggrBgEFBQcwAoYoaHR0cDovL2NlcnQuc3RnLXJvb3QteDEubGV0c2Vu
+Y3J5cHQub3JnLzAfBgNVHSMEGDAWgBTBJnSkikSg5vogKNhcI5pFiBh54DANBgkq
+hkiG9w0BAQsFAAOCAgEABYSu4Il+fI0MYU42OTmEj+1HqQ5DvyAeyCA6sGuZdwjF
+UGeVOv3NnLyfofuUOjEbY5irFCDtnv+0ckukUZN9lz4Q2YjWGUpW4TTu3ieTsaC9
+AFvCSgNHJyWSVtWvB5XDxsqawl1KzHzzwr132bF2rtGtazSqVqK9E07sGHMCf+zp
+DQVDVVGtqZPHwX3KqUtefE621b8RI6VCl4oD30Olf8pjuzG4JKBFRFclzLRjo/h7
+IkkfjZ8wDa7faOjVXx6n+eUQ29cIMCzr8/rNWHS9pYGGQKJiY2xmVC9h12H99Xyf
+zWE9vb5zKP3MVG6neX1hSdo7PEAb9fqRhHkqVsqUvJlIRmvXvVKTwNCP3eCjRCCI
+PTAvjV+4ni786iXwwFYNz8l3PmPLCyQXWGohnJ8iBm+5nk7O2ynaPVW0U2W+pt2w
+SVuvdDM5zGv2f9ltNWUiYZHJ1mmO97jSY/6YfdOUH66iRtQtDkHBRdkNBsMbD+Em
+2TgBldtHNSJBfB3pm9FblgOcJ0FSWcUDWJ7vO0+NTXlgrRofRT6pVywzxVo6dND0
+WzYlTWeUVsO40xJqhgUQRER9YLOLxJ0O6C8i0xFxAMKOtSdodMB3RIwt7RFQ0uyt
+n5Z5MqkYhlMI3J1tPRTp1nEt9fyGspBOO05gi148Qasp+3N+svqKomoQglNoAxU=
+-----END CERTIFICATE-----

compose/services.yml

@@ -1,10 +1,12 @@
-version: '2.1'
+version: "2.1"
 
 volumes:
-  db:
-  registry:
-  s3:
-  redis:
+  certs: {}
+  cert-provider: {}
+  db: {}
+  redis: {}
+  registry: {}
+  s3: {}
 
 services:
   api:
@@ -20,13 +22,13 @@ services:
       API_VPN_SERVICE_API_KEY: ${OPENBALENA_API_VPN_SERVICE_API_KEY}
       BALENA_ROOT_CA: ${OPENBALENA_ROOT_CA}
       COOKIE_SESSION_SECRET: ${OPENBALENA_COOKIE_SESSION_SECRET}
-      DB_HOST: db.${OPENBALENA_HOST_NAME}
+      DB_HOST: db
       DB_PASSWORD: docker
       DB_PORT: 5432
       DB_USER: docker
       DELTA_HOST: delta.${OPENBALENA_HOST_NAME}
       DEVICE_CONFIG_OPENVPN_CONFIG: ${OPENBALENA_VPN_CONFIG}
-      DEVICE_CONFIG_OPENVPN_CA: ${OPENBALENA_VPN_CA}
+      DEVICE_CONFIG_OPENVPN_CA: ${OPENBALENA_VPN_CA_CHAIN}
       DEVICE_CONFIG_SSH_AUTHORIZED_KEYS: ${OPENBALENA_SSH_AUTHORIZED_KEYS}
       HOST: api.${OPENBALENA_HOST_NAME}
       IMAGE_MAKER_URL: img.${OPENBALENA_HOST_NAME}
@@ -36,10 +38,10 @@ services:
       JSON_WEB_TOKEN_EXPIRY_MINUTES: 10080
       JSON_WEB_TOKEN_SECRET: ${OPENBALENA_JWT_SECRET}
       MIXPANEL_TOKEN: __unused__
-      PRODUCTION_MODE: '${OPENBALENA_PRODUCTION_MODE}'
+      PRODUCTION_MODE: "${OPENBALENA_PRODUCTION_MODE}"
       PUBNUB_PUBLISH_KEY: __unused__
       PUBNUB_SUBSCRIBE_KEY: __unused__
-      REDIS_HOST: redis.${OPENBALENA_HOST_NAME}
+      REDIS_HOST: redis
       REDIS_PORT: 6379
       REGISTRY2_HOST: registry.${OPENBALENA_HOST_NAME}
       REGISTRY_HOST: registry.${OPENBALENA_HOST_NAME}
@@ -49,10 +51,12 @@ services:
       TOKEN_AUTH_CERT_KEY: ${OPENBALENA_TOKEN_AUTH_KEY}
       TOKEN_AUTH_CERT_KID: ${OPENBALENA_TOKEN_AUTH_KID}
       TOKEN_AUTH_CERT_PUB: ${OPENBALENA_TOKEN_AUTH_PUB}
-      TOKEN_AUTH_JWT_ALGO: 'ES256'
+      TOKEN_AUTH_JWT_ALGO: "ES256"
       VPN_HOST: vpn.${OPENBALENA_HOST_NAME}
       VPN_PORT: 443
       VPN_SERVICE_API_KEY: ${OPENBALENA_VPN_SERVICE_API_KEY}
+      SUPERUSER_EMAIL: ${OPENBALENA_SUPERUSER_EMAIL}
+      SUPERUSER_PASSWORD: ${OPENBALENA_SUPERUSER_PASSWORD}
 
   registry:
     extends:
@@ -71,10 +75,10 @@ services:
       BALENA_ROOT_CA: ${OPENBALENA_ROOT_CA}
       BALENA_TOKEN_AUTH_ISSUER: api.${OPENBALENA_HOST_NAME}
       BALENA_TOKEN_AUTH_REALM: https://api.${OPENBALENA_HOST_NAME}/auth/v1/token
-      COMMON_REGION: 
-      REGISTRY2_S3_BUCKET: 
-      REGISTRY2_S3_KEY: 
-      REGISTRY2_S3_SECRET: 
+      COMMON_REGION:
+      REGISTRY2_S3_BUCKET:
+      REGISTRY2_S3_KEY:
+      REGISTRY2_S3_SECRET:
       REGISTRY2_SECRETKEY: ${OPENBALENA_REGISTRY_SECRET_KEY}
       REGISTRY2_STORAGEPATH: /data
 
@@ -92,10 +96,10 @@ services:
       BALENA_API_HOST: api.${OPENBALENA_HOST_NAME}
       BALENA_ROOT_CA: ${OPENBALENA_ROOT_CA}
       BALENA_VPN_PORT: 443
-      PRODUCTION_MODE: '${OPENBALENA_PRODUCTION_MODE}'
+      PRODUCTION_MODE: "${OPENBALENA_PRODUCTION_MODE}"
       RESIN_VPN_GATEWAY: 10.2.0.1
-      SENTRY_DSN: 
-      VPN_HAPROXY_USEPROXYPROTOCOL: 'true'
+      SENTRY_DSN:
+      VPN_HAPROXY_USEPROXYPROTOCOL: "true"
       VPN_OPENVPN_CA_CRT: ${OPENBALENA_VPN_CA}
       VPN_OPENVPN_SERVER_CRT: ${OPENBALENA_VPN_SERVER_CRT}
       VPN_OPENVPN_SERVER_DH: ${OPENBALENA_VPN_SERVER_DH}
@@ -133,17 +137,20 @@ services:
     build: ../haproxy
     depends_on:
       - api
-      - registry
-      - vpn
+      - cert-provider
       - db
       - s3
       - redis
+      - registry
+      - vpn
     ports:
       - "80:80"
-      - "222:222"
       - "443:443"
-      - "5432:5432"
-      - "6379:6379"
+      - "3128:3128"
+    expose:
+      - "222"
+      - "5432"
+      - "6379"
     networks:
       default:
         aliases:
@@ -158,3 +165,15 @@ services:
       BALENA_HAPROXY_KEY: ${OPENBALENA_ROOT_KEY}
       BALENA_ROOT_CA: ${OPENBALENA_ROOT_CA}
       HAPROXY_HOSTNAME: ${OPENBALENA_HOST_NAME}
+    volumes:
+      - certs:/certs:ro
+
+  cert-provider:
+    build: ../cert-provider
+    volumes:
+      - certs:/certs
+      - cert-provider:/usr/src/app/certs
+    environment:
+      ACTIVE: ${OPENBALENA_ACME_CERT_ENABLED}
+      DOMAINS: "api.${OPENBALENA_HOST_NAME},registry.${OPENBALENA_HOST_NAME},s3.${OPENBALENA_HOST_NAME},vpn.${OPENBALENA_HOST_NAME}"
+      OUTPUT_PEM: /certs/open-balena.pem

docs/assets/openbalena-logo.svg

@@ -0,0 +1,8 @@
+<svg xmlns="http://www.w3.org/2000/svg" width="228" height="42" viewBox="0 0 228 42">
+    <g fill="none" fill-rule="evenodd">
+        <path fill="#00D2EA" d="M57.231 23.086c0 2.186 1.667 3.8 3.635 3.8 1.968 0 3.635-1.614 3.635-3.828 0-2.213-1.667-3.826-3.635-3.826-1.968 0-3.635 1.613-3.635 3.826v.028zm-4.537-.055c0-3.69 2.651-8.035 8.172-8.035 5.521 0 8.172 4.346 8.172 8.062 0 3.718-2.65 8.063-8.172 8.063-5.52 0-8.172-4.345-8.172-8.063v-.027zM83.55 23.059c0-1.776-1.312-3.854-3.8-3.854-1.093 0-2.05.437-2.732 1.148-.657.684-1.067 1.667-1.067 2.76 0 1.067.41 2.023 1.094 2.706a3.82 3.82 0 0 0 2.706 1.12c2.378 0 3.799-1.94 3.799-3.853v-.027zm-11.944-7.57h4.264v1.666c.984-1.147 2.487-2.186 4.81-2.186 5.384 0 7.407 4.728 7.407 8.253 0 4.374-3.061 7.954-7.38 7.954-2.733 0-4.018-1.312-4.564-1.886v6.424h-4.537V15.488zM101.204 21.2c-.11-.71-1.038-2.405-3.389-2.405-2.35 0-3.28 1.695-3.389 2.405h6.778zm-6.833 3.444c.191 1.612 1.722 2.678 3.499 2.678 1.448 0 2.214-.628 2.76-1.42h4.647c-.738 1.694-1.804 3.006-3.088 3.88a7.373 7.373 0 0 1-4.32 1.367c-4.344 0-8.035-3.526-8.035-8.036 0-4.236 3.335-8.144 7.954-8.144 2.323 0 4.318.902 5.74 2.405 1.913 2.05 2.487 4.482 2.131 7.27H94.371zM108.31 15.488h4.235v1.613c.52-.738 1.476-2.132 4.182-2.132 5.111 0 5.63 4.154 5.63 6.204v9.484h-4.537v-8.282c0-1.667-.355-3.143-2.377-3.143-2.241 0-2.597 1.613-2.597 3.17v8.255h-4.537V15.488zM33.85 15.174v11.583c0 1.704-.918 3.29-2.395 4.139l-10.1 5.807c-.27.155-.55.277-.839.372v4.636c.49-.128.96-.312 1.396-.564l13.117-7.542a5.92 5.92 0 0 0 2.962-5.118V13.444c0-.512-.077-1.017-.213-1.513l-4.015 2.382c.054.281.087.568.087.86M2.955 8.323c-.515.297-.98.682-1.385 1.128l3.986 2.365c.29-.298.605-.57.974-.783L16.59 5.23a4.79 4.79 0 0 1 4.766-.003l10.1 5.808c.303.174.573.388.823.621l3.967-2.353c-.368-.377-.764-.717-1.216-.978L21.913.783a5.927 5.927 0 0 0-5.895.004L2.955 8.323zM16.588 36.7L6.53 30.898a4.787 4.787 0 0 1-2.39-4.136V15.17c0-.21.027-.417.056-.623L.163 12.154A5.72 5.72 0 0 0 0 13.437v15.056a5.918 5.918 0 0 0 2.955 5.114l13.063 7.537c.454.262.943.452 1.456.582v-4.643a4.517 4.517 0 0 1-.886-.382"/>
+        <g fill="#2A506F">
+            <path d="M132.219 20.286c-.995.804-1.492 1.83-1.492 3.077 0 1.32.458 2.426 1.372 3.321.915.895 2.118 1.342 3.609 1.342 1.411 0 2.554-.426 3.43-1.279.874-.85 1.311-1.912 1.311-3.181 0-1.25-.437-2.315-1.312-3.194-.875-.88-2.018-1.32-3.43-1.32-1.332.019-2.495.43-3.488 1.234zM127 11h3.966v6.588h.06c.437-.578 1.018-1.025 1.745-1.342a8.611 8.611 0 0 1 2.251-.637c.199-.018.387-.031.567-.04.178-.01.358-.014.536-.014 2.426 0 4.414.805 5.965 2.413 1.55 1.609 2.326 3.47 2.326 5.584 0 .308-.02.629-.06.963a5.71 5.71 0 0 1-.209.99 8.547 8.547 0 0 1-.716 1.898 7.322 7.322 0 0 1-1.132 1.626 7.133 7.133 0 0 1-2.714 1.857 9 9 0 0 1-3.34.638c-1.134 0-2.182-.196-3.147-.584-.965-.388-1.764-1.025-2.4-1.911l-.06-.027v2.033H127V11zM159.655 23.499c0-1.247-.443-2.3-1.328-3.16-.885-.858-2.033-1.278-3.444-1.26-1.452-.018-2.64.416-3.564 1.302-.924.886-1.386 1.988-1.386 3.307 0 1.23.481 2.264 1.446 3.104.964.84 2.112 1.253 3.444 1.234 1.432.019 2.595-.407 3.49-1.274.894-.868 1.342-1.943 1.342-3.226v-.027zm3.757 7.536h-3.638v-2.033h-.06c-.497.65-1.154 1.184-1.969 1.6a8.656 8.656 0 0 1-2.534.84l-.551.054c-.19.018-.374.027-.552.027-1.273 0-2.427-.222-3.46-.664a7.556 7.556 0 0 1-2.624-1.83 7.805 7.805 0 0 1-1.52-2.494 8.312 8.312 0 0 1-.538-2.983c0-1.048.164-2.014.492-2.9.329-.885.87-1.717 1.625-2.494.836-.886 1.764-1.541 2.789-1.966 1.024-.424 2.141-.637 3.355-.637 1.133 0 2.177.222 3.13.664a6.44 6.44 0 0 1 2.417 1.939v-2.142h3.638v15.019zM166.364 31.035h3.966V11h-3.966zM186.046 21.926c-.319-.886-.895-1.582-1.73-2.087a5.247 5.247 0 0 0-2.773-.76h-.24a5.695 5.695 0 0 0-2.683.847c-.835.51-1.391 1.176-1.67 2h9.096zm-9.036 3.2c.298.885.85 1.59 1.655 2.113a4.842 4.842 0 0 0 2.699.787c.755 0 1.465-.118 2.131-.352.666-.236 1.189-.552 1.567-.95l4.384-.027c-.498 1.356-1.506 2.5-3.027 3.43-1.521.93-3.157 1.396-4.906 1.396-2.406 0-4.458-.763-6.158-2.29-1.7-1.527-2.55-3.385-2.55-5.572 0-2.223.845-4.13 2.535-5.72 1.69-1.59 3.767-2.386 6.232-2.386 2.366 0 4.37.789 6.01 2.366 1.64 1.576 2.46 3.41 2.46 5.5 0 .235-.015.465-.045.69-.03.225-.065.446-.105.662-.02.073-.035.136-.044.19a.888.888 0 0 0-.015.162H177.01zM192.607 16.016h3.668V17.4h.06c.456-.56 1.058-.994 1.804-1.302a7.395 7.395 0 0 1 2.34-.542h.597c.079 0 .16.01.239.027a6.924 6.924 0 0 1 2.31.57c.747.325 1.388.75 1.924 1.273l.224.204c.07.063.134.14.194.23.635.814 1.014 1.682 1.133 2.603.12.922.18 1.862.18 2.82v7.753h-3.967v-7.781c0-.253-.01-.505-.03-.759a7.26 7.26 0 0 0-.21-1.152c-.099-.37-.248-.709-.446-1.017a2.753 2.753 0 0 0-1.06-.868 3.827 3.827 0 0 0-1.385-.379h-.373c-.07 0-.144.01-.224.027a3.904 3.904 0 0 0-1.342.421 2.63 2.63 0 0 0-1.014.88c-.198.29-.348.629-.447 1.018-.1.388-.16.781-.18 1.179-.02.235-.029.47-.029.705v7.726h-3.966V16.016zM223.472 23.499c0-1.247-.443-2.3-1.327-3.16-.885-.858-2.034-1.278-3.444-1.26-1.453-.018-2.64.416-3.564 1.302-.924.886-1.388 1.988-1.388 3.307 0 1.23.483 2.264 1.447 3.104.964.84 2.113 1.253 3.445 1.234 1.431.019 2.594-.407 3.489-1.274.894-.868 1.342-1.943 1.342-3.226v-.027zm3.758 7.536h-3.64v-2.033h-.058c-.498.65-1.154 1.184-1.969 1.6a8.666 8.666 0 0 1-2.535.84l-.551.054c-.19.018-.373.027-.552.027-1.272 0-2.426-.222-3.46-.664a7.548 7.548 0 0 1-2.623-1.83 7.796 7.796 0 0 1-1.521-2.494 8.312 8.312 0 0 1-.538-2.983c0-1.048.165-2.014.492-2.9.33-.885.87-1.717 1.626-2.494.835-.886 1.764-1.541 2.788-1.966 1.024-.424 2.142-.637 3.355-.637 1.133 0 2.177.222 3.131.664a6.44 6.44 0 0 1 2.416 1.939v-2.142h3.639v15.019z"/>
+        </g>
+    </g>
+</svg>

haproxy/Dockerfile

@@ -1,6 +1,10 @@
-FROM haproxy:1.8-alpine
+FROM haproxy:1.9-alpine
+
+VOLUME [ "/certs" ]
+
+RUN apk add --update inotify-tools
 
 COPY haproxy.cfg /usr/local/etc/haproxy/haproxy.cfg
-COPY entry.sh /open-balena-entry
+COPY start-haproxy.sh /start-haproxy
 
-CMD /open-balena-entry
+CMD /start-haproxy

haproxy/entry.sh

@@ -1,11 +0,0 @@
-#!/bin/sh
-set -e
-
-HAPROXY_CHAIN=/etc/ssl/private/open-balena.pem
-mkdir -p "$(dirname "${HAPROXY_CHAIN}")"
-(
-    echo "${BALENA_HAPROXY_CRT}" | base64 -d
-    echo "${BALENA_HAPROXY_KEY}" | base64 -d
-    echo "${BALENA_ROOT_CA}" | base64 -d
-) > "${HAPROXY_CHAIN}"
-exec haproxy -f /usr/local/etc/haproxy/haproxy.cfg

haproxy/haproxy.cfg

@@ -12,6 +12,9 @@ frontend http-in
   bind *:80
   reqadd X-Forwarded-Proto:\ http
 
+  acl is_cert_validation path -i -m beg "/.well-known/acme-challenge/"
+  use_backend cert-provider if is_cert_validation
+
   acl host_api hdr_dom(host) -i "api.${HAPROXY_HOSTNAME}"
   use_backend backend_api if host_api
 
@@ -80,6 +83,12 @@ backend backend_s3
   option forwardfor
   balance roundrobin
 
+backend cert-provider
+  mode http
+  option forwardfor
+  balance roundrobin
+  server resin_cert-provider_1 cert-provider:80 no-check
+
 backend vpn-devices
   mode tcp
   server resin_vpn_1 vpn:443 send-proxy-v2 check-send-proxy port 443
@@ -103,3 +112,8 @@ frontend redis
 backend backend_redis
   mode tcp
   server resin_redis_1 redis:6379 check port 6379
+
+listen vpn-tunnel
+  mode tcp
+  bind *:3128
+  server balena_vpn vpn:3128 check port 3128

haproxy/start-haproxy.sh

@@ -0,0 +1,32 @@
+#!/bin/sh
+
+OPENBALENA_CERT=/etc/ssl/private/open-balena.pem
+mkdir -p "$(dirname "${OPENBALENA_CERT}")"
+
+if [ -f "/certs/open-balena.pem" ]; then
+    echo "Using certificate from cert-provider..."
+    cp /certs/open-balena.pem "${OPENBALENA_CERT}"
+else
+    echo "Building certificate from environment variables..."
+    (
+        echo "${BALENA_HAPROXY_CRT}" | base64 -d
+        echo "${BALENA_HAPROXY_KEY}" | base64 -d
+        echo "${BALENA_ROOT_CA}" | base64 -d
+    ) > "${OPENBALENA_CERT}"
+fi
+
+haproxy -f /usr/local/etc/haproxy/haproxy.cfg -W &
+HAPROXY_PID=$!
+
+while true; do
+    inotifywait -r -e create -e modify -e delete /certs
+    
+    if [ -f "/certs/open-balena.pem" ]; then
+        echo "Updating certificate from cert-provider..."
+        cp /certs/open-balena.pem "${OPENBALENA_CERT}"
+    fi
+    
+    echo "Certificate change detected. Reloading..."
+    kill -SIGUSR2 $HAPROXY_PID
+    sleep 1;
+done

package-lock.json

@@ -1,3 +0,0 @@
-{
-  "lockfileVersion": 1
-}

scripts/_realpath

@@ -0,0 +1,24 @@
+#!/bin/bash -e
+
+REALPATH=
+REALPATHS=(
+    'realpath'
+    'grealpath'
+    'greadlink -f'
+)
+for cmd in "${REALPATHS[@]}"; do
+if command -v "${cmd%% *}" &>/dev/null; then
+    REALPATH="${cmd}"
+    break
+fi
+done
+
+if [ -z "${REALPATH}" ]; then
+    local RED=`tput setaf 1`
+    echo "${RED}ERROR: Unable to find suitable command for realpath."
+    exit 1
+fi
+
+realpath() {
+  echo $(command ${REALPATH} "$@")
+}

scripts/compose

@@ -1,5 +1,7 @@
 #!/bin/bash -e
 
+source "${BASH_SOURCE%/*}/_realpath"
+
 CMD="$(realpath "$0")"
 DIR="$(dirname "${CMD}")"
 BASE_DIR="$(dirname "${DIR}")"

scripts/create-superuser

@@ -18,6 +18,8 @@ echo_bold() {
   printf "\\033[1m%s\\033[0m\\n" "${@}"
 }
 
+source "${BASH_SOURCE%/*}/_realpath"
+
 CMD="$(realpath "$0")"
 DIR="$(dirname "${CMD}")"
 FIG="${DIR}/compose"

scripts/gen-root-ca

@@ -22,12 +22,14 @@ OUT="$(realpath "${2:-.}")"
 # shellcheck source=scripts/ssl-common.sh
 source "${DIR}/ssl-common.sh"
 
-# Create a secret key and CA file for the self-signed CA
-"$easyrsa_bin" --pki-dir="${ROOT_PKI}" init-pki 2>/dev/null
-"$easyrsa_bin" --pki-dir="${ROOT_PKI}" --days="${CA_EXPIRY_DAYS}" --req-cn="ca.${CN}" build-ca nopass 2>/dev/null
 ROOT_CA="${ROOT_PKI}/ca.crt"
-echo "ROOT_CA=${ROOT_CA//$OUT/\$OUT}"
 
-# update indexes and generate CRLs
-"$easyrsa_bin" --pki-dir="${ROOT_PKI}" update-db 2>/dev/null
-"$easyrsa_bin" --pki-dir="${ROOT_PKI}" gen-crl 2>/dev/null
+if [ ! -f $ROOT_CA ]; then
+  # Create a secret key and CA file for the self-signed CA
+  "$easyrsa_bin" --pki-dir="${ROOT_PKI}" init-pki 2>/dev/null
+  "$easyrsa_bin" --pki-dir="${ROOT_PKI}" --days="${CA_EXPIRY_DAYS}" --req-cn="ca.${CN}" build-ca nopass 2>/dev/null
+
+  # update indexes and generate CRLs
+  "$easyrsa_bin" --pki-dir="${ROOT_PKI}" update-db 2>/dev/null
+  "$easyrsa_bin" --pki-dir="${ROOT_PKI}" gen-crl 2>/dev/null
+fi

scripts/gen-root-cert

@@ -22,13 +22,15 @@ OUT="$(realpath "${2:-.}")"
 # shellcheck source=scripts/ssl-common.sh
 source "${DIR}/ssl-common.sh"
 
-# generate default CSR and sign (root + wildcard)
-"$easyrsa_bin" --pki-dir="${ROOT_PKI}" --days="${CRT_EXPIRY_DAYS}" --subject-alt-name="DNS:*.${CN}" build-server-full "*.${CN}" nopass 2>/dev/null
 ROOT_CRT="${ROOT_PKI}"'/issued/*.'"${CN}"'.crt'
 ROOT_KEY="${ROOT_PKI}"'/private/*.'"${CN}"'.key'
-echo "ROOT_CRT=${ROOT_CRT//$OUT/\$OUT}"
-echo "ROOT_KEY=${ROOT_KEY//$OUT/\$OUT}"
 
-# update indexes and generate CRLs
-"$easyrsa_bin" --pki-dir="${ROOT_PKI}" update-db 2>/dev/null
-"$easyrsa_bin" --pki-dir="${ROOT_PKI}" gen-crl 2>/dev/null
+if [ ! -f $ROOT_CRT ] || [ ! -f $ROOT_KEY ]; then
+  rm -f $ROOT_CRT $ROOT_KEY
+  # generate default CSR and sign (root + wildcard)
+  "$easyrsa_bin" --pki-dir="${ROOT_PKI}" --days="${CRT_EXPIRY_DAYS}" --subject-alt-name="DNS:*.${CN}" build-server-full "*.${CN}" nopass 2>/dev/null
+
+  # update indexes and generate CRLs
+  "$easyrsa_bin" --pki-dir="${ROOT_PKI}" update-db 2>/dev/null
+  "$easyrsa_bin" --pki-dir="${ROOT_PKI}" gen-crl 2>/dev/null
+fi;

scripts/gen-token-auth-cert

@@ -42,13 +42,12 @@ JWT_CRT="${CERT_FILE}.crt"
 JWT_KEY="${CERT_FILE}.pem"
 JWT_KID="${CERT_FILE}.kid"
 
-mkdir -p "${CERT_DIR}"
-openssl ecparam -name prime256v1 -genkey -noout -out "${JWT_KEY}" 2>/dev/null
-openssl req -x509 -new -nodes -days "${CRT_EXPIRY_DAYS}" -key "${JWT_KEY}" -subj "/CN=api.${CN}" -out "${JWT_CRT}" 2>/dev/null
-openssl ec -in "${JWT_KEY}" -pubout -outform DER -out "${CERT_FILE}.der" 2>/dev/null
-keyid "${CERT_FILE}.der" >"${JWT_KID}"
-rm "${CERT_FILE}.der"
-
-echo "JWT_CRT=${JWT_CRT//$OUT/\$OUT}"
-echo "JWT_KEY=${JWT_KEY//$OUT/\$OUT}"
-echo "JWT_KID=${JWT_KID//$OUT/\$OUT}"
+if [ ! -f $JWT_CRT ] || [ ! -f $JWT_KEY ] || [ ! -f $JWT_KID ]; then
+  rm -f $JWT_CRT $JWT_KEY $JWT_KID
+  mkdir -p "${CERT_DIR}"
+  openssl ecparam -name prime256v1 -genkey -noout -out "${JWT_KEY}" 2>/dev/null
+  openssl req -x509 -new -nodes -days "${CRT_EXPIRY_DAYS}" -key "${JWT_KEY}" -subj "/CN=api.${CN}" -out "${JWT_CRT}" 2>/dev/null
+  openssl ec -in "${JWT_KEY}" -pubout -outform DER -out "${CERT_FILE}.der" 2>/dev/null
+  keyid "${CERT_FILE}.der" >"${JWT_KID}"
+  rm "${CERT_FILE}.der"
+fi

scripts/gen-vpn-certs

@@ -21,33 +21,35 @@ OUT="$(realpath "${2:-.}")"
 
 # shellcheck source=scripts/ssl-common.sh
 source "${DIR}/ssl-common.sh"
+
 VPN_PKI="$(realpath "${OUT}/vpn")"
-
-# generate VPN sub-CA
-"$easyrsa_bin" --pki-dir="${VPN_PKI}" init-pki 2>/dev/null
-"$easyrsa_bin" --pki-dir="${VPN_PKI}" --days="${CA_EXPIRY_DAYS}" --req-cn="vpn-ca.${CN}" build-ca nopass subca 2>/dev/null
-
-# import sub-CA CSR into root PKI, sign, and copy back to vpn PKI
-"$easyrsa_bin" --pki-dir="${ROOT_PKI}" import-req "${VPN_PKI}/reqs/ca.req" "vpn-ca" 2>/dev/null
-"$easyrsa_bin" --pki-dir="${ROOT_PKI}" sign-req ca "vpn-ca" 2>/dev/null
-cp "${ROOT_PKI}/issued/vpn-ca.crt" "${VPN_PKI}/ca.crt"
 VPN_CA="${VPN_PKI}/ca.crt"
-echo "VPN_CA=${VPN_CA//$OUT/\$OUT}"
-
-# generate and sign vpn server certificate
-"$easyrsa_bin" --pki-dir="${VPN_PKI}" --days="${CRT_EXPIRY_DAYS}" build-server-full "vpn.${CN}" nopass 2>/dev/null
 VPN_CRT="${VPN_PKI}/issued/vpn.${CN}.crt"
 VPN_KEY="${VPN_PKI}/private/vpn.${CN}.key"
-echo "VPN_CRT=${VPN_CRT//$OUT/\$OUT}"
-echo "VPN_KEY=${VPN_KEY//$OUT/\$OUT}"
-
-# generate vpn dhparams (keysize of 2048 will do, 4096 can wind up taking hours to generate)
-"$easyrsa_bin" --pki-dir="${VPN_PKI}" --keysize=2048 gen-dh 2>/dev/null
 VPN_DH="${VPN_PKI}/dh.pem"
-echo "VPN_DH=${VPN_DH//$OUT/\$OUT}"
 
-# update indexes and generate CRLs
-"$easyrsa_bin" --pki-dir="${ROOT_PKI}" update-db 2>/dev/null
-"$easyrsa_bin" --pki-dir="${VPN_PKI}" update-db 2>/dev/null
-"$easyrsa_bin" --pki-dir="${ROOT_PKI}" gen-crl 2>/dev/null
-"$easyrsa_bin" --pki-dir="${VPN_PKI}" gen-crl 2>/dev/null
+if [ ! -f $VPN_CA ] || [ ! -f $VPN_CRT ] || [ ! -f $VPN_KEY ] || [ ! -f $VPN_DH ]; then
+
+  rm -f $VPN_CA $VPN_CRT $VPN_DH $VPN_KEY
+
+  # generate VPN sub-CA
+  "$easyrsa_bin" --pki-dir="${VPN_PKI}" init-pki &>/dev/null
+  "$easyrsa_bin" --pki-dir="${VPN_PKI}" --days="${CA_EXPIRY_DAYS}" --req-cn="vpn-ca.${CN}" build-ca nopass subca 2>/dev/null
+
+  # import sub-CA CSR into root PKI, sign, and copy back to vpn PKI
+  "$easyrsa_bin" --pki-dir="${ROOT_PKI}" import-req "${VPN_PKI}/reqs/ca.req" "vpn-ca" 2>/dev/null
+  "$easyrsa_bin" --pki-dir="${ROOT_PKI}" sign-req ca "vpn-ca" 2>/dev/null
+  cp "${ROOT_PKI}/issued/vpn-ca.crt" "${VPN_PKI}/ca.crt"
+
+  # generate and sign vpn server certificate
+  "$easyrsa_bin" --pki-dir="${VPN_PKI}" --days="${CRT_EXPIRY_DAYS}" build-server-full "vpn.${CN}" nopass 2>/dev/null
+
+  # generate vpn dhparams (keysize of 2048 will do, 4096 can wind up taking hours to generate)
+  "$easyrsa_bin" --pki-dir="${VPN_PKI}" --keysize=2048 gen-dh 2>/dev/null
+
+  # update indexes and generate CRLs
+  "$easyrsa_bin" --pki-dir="${ROOT_PKI}" update-db 2>/dev/null
+  "$easyrsa_bin" --pki-dir="${VPN_PKI}" update-db 2>/dev/null
+  "$easyrsa_bin" --pki-dir="${ROOT_PKI}" gen-crl 2>/dev/null
+  "$easyrsa_bin" --pki-dir="${VPN_PKI}" gen-crl 2>/dev/null
+fi

scripts/make-env

@@ -16,10 +16,12 @@ usage() {
   echo "  VPN_CRT    Path to the VPN server certificate"
   echo "  VPN_KEY    Path to the VPN server private key"
   echo "  VPN_DH     Path to the VPN server Diffie Hellman parameters"
+  echo "  SUPERUSER_EMAIL     Email address of the superuser"
+  echo "  SUPERUSER_PASSWORD  Password of the superuser"
   echo
 }
 
-for var in DOMAIN ROOT_CA ROOT_CRT ROOT_KEY JWT_CRT JWT_KEY JWT_KID VPN_CA VPN_CRT VPN_KEY VPN_DH; do
+for var in DOMAIN ROOT_CA ROOT_CRT ROOT_KEY JWT_CRT JWT_KEY JWT_KID VPN_CA VPN_CRT VPN_KEY VPN_DH SUPERUSER_EMAIL SUPERUSER_PASSWORD; do
   if [ -z "${!var-}" ]; then
     usage
     exit 1
@@ -31,10 +33,14 @@ randstr() {
 }
 
 b64encode() {
-  cat "$@" | base64 --wrap=0 2>/dev/null || cat "$@" | base64 --break=0
+    echo "$@" | base64 --wrap=0 2>/dev/null || echo "$@" | base64 --break=0 2>/dev/null
 }
 
-VPN_CONFIG=$(b64encode <<STR
+b64file() {
+  b64encode "$(cat "$@")"
+}
+
+VPN_CONFIG=$(cat <<STR
 client
 remote vpn.$DOMAIN 443
 resolv-retry infinite
@@ -59,6 +65,7 @@ persist-tun
 verb 3
 user openvpn
 group openvpn
+
 STR
 )
 
@@ -68,21 +75,24 @@ export OPENBALENA_COOKIE_SESSION_SECRET=$(randstr 32)
 export OPENBALENA_HOST_NAME=$DOMAIN
 export OPENBALENA_JWT_SECRET=$(randstr 32)
 export OPENBALENA_RESINOS_REGISTRY_CODE=$(randstr 32)
-export OPENBALENA_ROOT_CA=$(b64encode "$ROOT_CA")
-export OPENBALENA_ROOT_CRT=$(b64encode "${ROOT_CRT}")
-export OPENBALENA_ROOT_KEY=$(b64encode "${ROOT_KEY}")
+export OPENBALENA_ROOT_CA=$(b64file "${ROOT_CA}")
+export OPENBALENA_ROOT_CRT=$(b64file "${ROOT_CRT}")
+export OPENBALENA_ROOT_KEY=$(b64file "${ROOT_KEY}")
 export OPENBALENA_TOKEN_AUTH_BUILDER_TOKEN=$(randstr 64)
-export OPENBALENA_TOKEN_AUTH_PUB=$(b64encode "$JWT_CRT")
-export OPENBALENA_TOKEN_AUTH_KEY=$(b64encode "$JWT_KEY")
-export OPENBALENA_TOKEN_AUTH_KID=$(b64encode "$JWT_KID")
-export OPENBALENA_VPN_CA=$(b64encode "$VPN_CA")
-export OPENBALENA_VPN_CONFIG=$VPN_CONFIG
-export OPENBALENA_VPN_SERVER_CRT=$(b64encode "$VPN_CRT")
-export OPENBALENA_VPN_SERVER_KEY=$(b64encode "$VPN_KEY")
-export OPENBALENA_VPN_SERVER_DH=$(b64encode "$VPN_DH")
+export OPENBALENA_TOKEN_AUTH_PUB=$(b64file "$JWT_CRT")
+export OPENBALENA_TOKEN_AUTH_KEY=$(b64file "$JWT_KEY")
+export OPENBALENA_TOKEN_AUTH_KID=$(b64file "$JWT_KID")
+export OPENBALENA_VPN_CA=$(b64file "$VPN_CA")
+export OPENBALENA_VPN_CA_CHAIN=$(b64file "$ROOT_CA" "$VPN_CA")
+export OPENBALENA_VPN_CONFIG=$(b64encode "$VPN_CONFIG")
+export OPENBALENA_VPN_SERVER_CRT=$(b64file "$VPN_CRT")
+export OPENBALENA_VPN_SERVER_KEY=$(b64file "$VPN_KEY")
+export OPENBALENA_VPN_SERVER_DH=$(b64file "$VPN_DH")
 export OPENBALENA_VPN_SERVICE_API_KEY=$(randstr 32)
 export OPENBALENA_API_VPN_SERVICE_API_KEY=$(randstr 32)
 export OPENBALENA_REGISTRY_SECRET_KEY=$(randstr 32)
 export OPENBALENA_SSH_AUTHORIZED_KEYS=
-export NODE_EXTRA_CA_CERTS="$ROOT_CA"
+export OPENBALENA_SUPERUSER_EMAIL=$SUPERUSER_EMAIL
+export OPENBALENA_SUPERUSER_PASSWORD=$(printf "%q" "${SUPERUSER_PASSWORD}")
+export OPENBALENA_ACME_CERT_ENABLED=${ACME_CERT_ENABLED:-false}
 STR

scripts/quickstart

@@ -1,5 +1,30 @@
 #!/bin/bash -e
 
+BLACK=`tput setaf 0`
+RED=`tput setaf 1`
+GREEN=`tput setaf 2`
+YELLOW=`tput setaf 3`
+BLUE=`tput setaf 4`
+MAGENTA=`tput setaf 5`
+CYAN=`tput setaf 6`
+WHITE=`tput setaf 7`
+
+BOLD=`tput bold`
+RESET=`tput sgr0`
+
+# for macos machines, we need proper OpenSSL...
+OPENSSL_VERSION=$(openssl version -v)
+if [[ "${OPENSSL_VERSION}" =~ ^LibreSSL.*$ ]]; then
+  echo -e "${RED}ERROR: You may not have a compatible OpenSSL version (${OPENSSL_VERSION}). Please install OpenSSL version 1.0.2q or above.${RESET}"
+  exit 1
+fi
+
+source "${BASH_SOURCE%/*}/_realpath"
+
+domainResolves() {
+  getent hosts "$1" > /dev/null 2>&1
+}
+
 CMD="$(realpath "$0")"
 DIR="$(dirname "${CMD}")"
 BASE_DIR="$(dirname "${DIR}")"
@@ -9,20 +34,27 @@ CERTS_DIR="${CONFIG_DIR}/certs"
 DOMAIN=openbalena.local
 
 usage() {
-  echo "usage: $0 [-h] [-p] [-d DOMAIN]"
+  echo "usage: $0 [-c] [-h] [-p] [-d DOMAIN] -U EMAIL -P PASSWORD"
   echo
-  echo "  -p         patch hosts - patch the host /etc/hosts file"
-  echo "  -d DOMAIN  the domain name this deployment will run as, eg. example.com. Default is 'openbalena.local'"
+  echo "  -c           enable the ACME certificate service in staging or production mode."
+  echo "  -p           patch hosts - patch the host /etc/hosts file"
+  echo "  -d DOMAIN    the domain name this deployment will run as, eg. example.com. Default is 'openbalena.local'"
+  echo "  -U EMAIL     the email address of the superuser account, used to login to your install from the Balena CLI"
+  echo "  -P PASSWORD  the password to use for the superuser account."
   echo
 }
 
 show_help=false
 patch_hosts=false
-while getopts ":hpd:" opt; do
+while getopts ":chpxd:U:P:" opt; do
   case "${opt}" in
     h) show_help=true;;
     p) patch_hosts=true;;
+    x) set -x;;
     d) DOMAIN="${OPTARG}";;
+    U) SUPERUSER_EMAIL="${OPTARG}";;
+    P) SUPERUSER_PASSWORD="${OPTARG}";;
+    c) ACME_CERT_ENABLED="true";;
     *)
       echo "Invalid argument: -${OPTARG}"
       usage
@@ -32,23 +64,35 @@ while getopts ":hpd:" opt; do
 done
 shift $((OPTIND-1))
 
+if [ -z "${SUPERUSER_EMAIL}" ] || [ -z "${SUPERUSER_PASSWORD}" ]; then
+  usage
+  exit 1
+fi
+
 if [ "$show_help" = "true" ]; then
   usage
   exit 1
 fi
 
-echo_bold() {
-  printf "\\033[1m%s\\033[0m\\n" "${@}"
-}
-
-if [ -d "$CONFIG_DIR" ]; then
-  echo 'Configuration directory already exists; please remove it first.'
-  exit 1
+if [ ! -z "$ACME_CERT_ENABLED" ]; then
+  echo "${BLUE}[INFO]${RESET} ACME Certificate request is ${BOLD}ENABLED${RESET}."
+  
+  if ! domainResolves "api.${DOMAIN}"; then
+    echo "${YELLOW}[WARN]${RESET} Unable to resolve \"api.${DOMAIN}\"!"
+    echo "${YELLOW}[WARN]${RESET} This might mean that you cannot use an ACME issued certificate."
+  fi
 fi
 
+echo_bold() {
+  echo "${BOLD}${@}${RESET}"
+}
+
 echo_bold "==> Creating new configuration at: $CONFIG_DIR"
 mkdir -p "$CONFIG_DIR" "$CERTS_DIR"
 
+echo_bold "==> Bootstrapping easy-rsa..."
+source "${DIR}/ssl-common.sh"
+
 echo_bold "==> Generating root CA cert..."
 # shellcheck source=scripts/gen-root-ca
 source "${DIR}/gen-root-ca" "${DOMAIN}" "${CERTS_DIR}"
@@ -81,5 +125,7 @@ fi
 echo_bold "==> Success!"
 echo '  - Start the instance with: ./scripts/compose up -d'
 echo '  - Stop the instance with: ./scripts/compose stop'
-echo '  - To create the superuser, see: ./scripts/create-superuser -h'
-echo "  - Use the following certificate with Balena CLI: ${CONFIG_DIR}/root/ca.crt"
+
+if [ -z "${ACME_CERT_ENABLED}" ]; then
+  echo "  - Use the following certificate with Balena CLI: ${CERTS_DIR}/root/ca.crt"
+fi

scripts/ssl-common.sh

@@ -7,6 +7,7 @@ if [ -z "${easyrsa_bin-}" ] || [ ! -x "${easyrsa_bin}" ]; then
     if [ -z "${easyrsa_bin}" ]; then
         easyrsa_dir="$(mktemp -dt easyrsa.XXXXXXXX)"
         easyrsa_url="https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.5/EasyRSA-nix-3.0.5.tgz"
+        echo "  - Downloading easy-rsa..."
         (cd "${easyrsa_dir}"; curl -sL "${easyrsa_url}" | tar xz --strip-components=1)
         easyrsa_bin="${easyrsa_dir}/easyrsa"
         # shellcheck disable=SC2064