ExternalVendorCode/open-balena
1
0
Fork 0
mirror of https://github.com/balena-io/open-balena.git synced 2024-12-19 05:37:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
1721728794
open-balena/scripts/make-env
Rich Bayliss 99dd615e55
certs: Add support for an ACME certificate provider 
Add a service which will acquire certificates from an ACME cert
provider, such as LetsEncrypt (), to allow an openBalena instance
to use a publicly trusted certificate instead of the self-signed
one it wil generate on setup.

Change-type: patch
Signed-off-by: Rich Bayliss <rich@balena.io>
2019-03-08 12:23:46 +00:00

99 lines
2.9 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash -e
usage() {
echo "usage: $0"
echo
echo "Required Variables:"
echo
echo " DOMAIN"
echo " ROOT_CA Path to root CA certificate"
echo " ROOT_CRT Path to root/wildcard certificate"
echo " ROOT_KEY Path to root/wildcard private key"
echo " JWT_CRT Path to Token Auth certificate"
echo " JWT_KEY Path to Token Auth private key"
echo " JWT_KID Path to KeyID for the Token Auth certificate"
echo " VPN_CA Path to the VPN sub-CA certificate"
echo " VPN_CRT Path to the VPN server certificate"
echo " VPN_KEY Path to the VPN server private key"
echo " VPN_DH Path to the VPN server Diffie Hellman parameters"
echo " SUPERUSER_EMAIL Email address of the superuser"
echo " SUPERUSER_PASSWORD Password of the superuser"
echo
}
for var in DOMAIN ROOT_CA ROOT_CRT ROOT_KEY JWT_CRT JWT_KEY JWT_KID VPN_CA VPN_CRT VPN_KEY VPN_DH SUPERUSER_EMAIL SUPERUSER_PASSWORD; do
if [ -z "${!var-}" ]; then
usage
exit 1
fi
done
randstr() {
LC_CTYPE=C tr -dc A-Za-z0-9 < /dev/urandom | fold -w "${1:-32}" | head -n 1
}
b64encode() {
echo "$@" | base64 --wrap=0 2>/dev/null || echo "$@" | base64 --break=0 2>/dev/null
}
b64file() {
b64encode "$(cat "$@")"
}
VPN_CONFIG=$(cat <<STR
client
remote vpn.$DOMAIN 443
resolv-retry infinite
remote-cert-tls server
ca /etc/openvpn/ca.crt
auth-user-pass /var/volatile/vpn-auth
auth-retry none
script-security 2
up /etc/openvpn-misc/upscript.sh
up-restart
down /etc/openvpn-misc/downscript.sh
comp-lzo
dev resin-vpn
dev-type tun
proto tcp
nobind
persist-key
persist-tun
verb 3
user openvpn
group openvpn
STR
)
cat <<STR
export OPENBALENA_PRODUCTION_MODE=false
export OPENBALENA_COOKIE_SESSION_SECRET=$(randstr 32)
export OPENBALENA_HOST_NAME=$DOMAIN
export OPENBALENA_JWT_SECRET=$(randstr 32)
export OPENBALENA_RESINOS_REGISTRY_CODE=$(randstr 32)
export OPENBALENA_ROOT_CA=$(b64file "${ROOT_CA}")
export OPENBALENA_ROOT_CRT=$(b64file "${ROOT_CRT}")
export OPENBALENA_ROOT_KEY=$(b64file "${ROOT_KEY}")
export OPENBALENA_TOKEN_AUTH_BUILDER_TOKEN=$(randstr 64)
export OPENBALENA_TOKEN_AUTH_PUB=$(b64file "$JWT_CRT")
export OPENBALENA_TOKEN_AUTH_KEY=$(b64file "$JWT_KEY")
export OPENBALENA_TOKEN_AUTH_KID=$(b64file "$JWT_KID")
export OPENBALENA_VPN_CA=$(b64file "$VPN_CA")
export OPENBALENA_VPN_CA_CHAIN=$(b64file "$ROOT_CA" "$VPN_CA")
export OPENBALENA_VPN_CONFIG=$(b64encode "$VPN_CONFIG")
export OPENBALENA_VPN_SERVER_CRT=$(b64file "$VPN_CRT")
export OPENBALENA_VPN_SERVER_KEY=$(b64file "$VPN_KEY")
export OPENBALENA_VPN_SERVER_DH=$(b64file "$VPN_DH")
export OPENBALENA_VPN_SERVICE_API_KEY=$(randstr 32)
export OPENBALENA_API_VPN_SERVICE_API_KEY=$(randstr 32)
export OPENBALENA_REGISTRY_SECRET_KEY=$(randstr 32)
export OPENBALENA_SSH_AUTHORIZED_KEYS=
export OPENBALENA_SUPERUSER_EMAIL=$SUPERUSER_EMAIL
export OPENBALENA_SUPERUSER_PASSWORD=$(printf "%q" "${SUPERUSER_PASSWORD}")
export OPENBALENA_ACME_CERT_ENABLED=${ACME_CERT_ENABLED:-false}
STR
Reference in New Issue View Git Blame Copy Permalink