KNEL/KNELConfigMgmt-FetchApply
1
0
Fork 0
Code Pull Requests Actions Packages Releases Activity
Files
1e506fed1d5e559c113c52f2544c413687d78402
KNELConfigMgmt-FetchApply/initializers/ssl-stack/apply
Charles N Wyble 1e506fed1d feat: Complete port of all KNELServerBuild components to FetchApply 
- Add secharden-audit-agents functionality to security-hardening
- Create unattended-upgrades initializer for automatic security updates
- Port Dell-specific scripts (fixcpuperf, fixeth, omsa) to dell-config
- Port sslStackFromSource.sh to ssl-stack initializer (dev systems only)
- Create ldap-auth placeholder for future Cloudron integration
- Update server class to include all initializers
- Update security role to include unattended-upgrades
- Add build dependencies to packages for SSL stack compilation
- Update README with comprehensive documentation of all initializers

Now all components from KNELServerBuild are successfully ported to FetchApply,
including previously missed security modules, Dell server scripts, and RandD components.

Future migration path clear: Salt for ongoing management, Ansible for ComplianceAsCode.

💘 Generated with Crush

Assisted-by: GLM-4.6 via Crush <crush@charm.land>
2026-01-21 12:48:32 -05:00

149 lines
4.4 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
# KNEL SSL Stack Compilation Initializer
# Compiles OpenSSL, nghttp2, curl, APR, and Apache HTTPd from source
# Made from instructions at https://www.tunetheweb.com/performance/http2/
set -euo pipefail
echo "Running SSL stack compilation initializer..."
# Only run on specific systems or if explicitly requested
# This is a resource-intensive operation
if [[ $DEV_WORKSTATION_CHECK -gt 0 ]] || [[ "${COMPILE_SSL_STACK:-}" == "true" ]]; then
echo "Compiling SSL stack from source..."
# Base URLs and files (using original versions from KNELServerBuild)
OPENSSL_URL_BASE="https://www.openssl.org/source/"
OPENSSL_FILE="openssl-1.1.0h.tar.gz"
NGHTTP_URL_BASE="https://github.com/nghttp2/nghttp2/releases/download/v1.31.0/"
NGHTTP_FILE="nghttp2-1.31.0.tar.gz"
APR_URL_BASE="https://archive.apache.org/dist/apr/"
APR_FILE="apr-1.6.3.tar.gz"
APR_UTIL_URL_BASE="https://archive.apache.org/dist/apr/"
APR_UTIL_FILE="apr-util-1.6.1.tar.gz"
APACHE_URL_BASE="https://archive.apache.org/dist/httpd/"
APACHE_FILE="httpd-2.4.33.tar.gz"
CURL_URL_BASE="https://curl.haxx.se/download/"
CURL_FILE="curl-7.60.0.tar.gz"
# Create build directory
BUILD_DIR="/tmp/ssl-stack-build"
mkdir -p "$BUILD_DIR"
cd "$BUILD_DIR"
# Install build dependencies
DEBIAN_FRONTEND="noninteractive" apt-get -y install \
build-essential \
wget \
gcc \
make \
perl \
libpcre3 \
libpcre3-dev \
zlib1g \
zlib1g-dev \
|| true
# Download and compile OpenSSL
echo "Compiling OpenSSL..."
wget $OPENSSL_URL_BASE/$OPENSSL_FILE
tar xzf $OPENSSL_FILE
cd openssl-1.1.0h
./config enable-weak-ssl-ciphers shared zlib-dynamic -DOPENSSL_TLS_SECURITY_LEVEL=0 --prefix=/usr/local/custom-ssl/openssl-1.1.0h
make
make install
ln -sf /usr/local/custom-ssl/openssl-1.1.0h /usr/local/openssl
cd -
# Download and compile nghttp2
echo "Compiling nghttp2..."
wget $NGHTTP_URL_BASE/$NGHTTP_FILE
tar xzf $NGHTTP_FILE
cd nghttp2-1.31.0
./configure --prefix=/usr/local/custom-ssl/nghttp
make
make install
cd -
# Update ldconfig for custom SSL
cat <<EOF > /etc/ld.so.conf.d/custom-ssl.conf
/usr/local/custom-ssl/openssl-1.1.0h/lib
/usr/local/custom-ssl/nghttp/lib
EOF
ldconfig
# Download and compile curl
echo "Compiling curl..."
wget $CURL_URL_BASE/$CURL_FILE
tar xzf $CURL_FILE
cd curl-7.60.0
./configure --prefix=/usr/local/custom-ssl/curl --with-nghttp2=/usr/local/custom-ssl/nghttp/ --with-ssl=/usr/local/custom-ssl/openssl-1.1.0h/
make
make install
cd -
# Download and compile APR
echo "Compiling APR..."
wget $APR_URL_BASE/$APR_FILE
tar xzf $APR_FILE
cd apr-1.6.3
./configure --prefix=/usr/local/custom-ssl/apr
make
make install
cd -
# Download and compile APR-util
echo "Compiling APR-util..."
wget $APR_UTIL_URL_BASE/$APR_UTIL_FILE
tar xzf $APR_UTIL_FILE
tar xzf $APR_UTIL_FILE
cd apr-util-1.6.1
./configure --prefix=/usr/local/custom-ssl/apr-util --with-apr=/usr/local/custom-ssl/apr
make
make install
cd -
# Download and compile Apache HTTPd
echo "Compiling Apache HTTPd..."
wget $APACHE_URL_BASE/$APACHE_FILE
tar xzf $APACHE_FILE
cd httpd-2.4.33
cp -r ../apr-1.6.3 srclib/apr
cp -r ../apr-util-1.6.1 srclib/apr-util
./configure --prefix=/usr/local/custom-ssl/apache \
--with-ssl=/usr/local/custom-ssl/openssl-1.1.0h/ \
--with-pcre=/usr/bin/pcre-config \
--enable-unique-id \
--enable-ssl \
--enable-so \
--with-included-apr \
--enable-http2 \
--with-nghttp2=/usr/local/custom-ssl/nghttp/
make
make install
ln -sf /usr/local/custom-ssl/apache /usr/local/apache
cd -
# Cleanup
cd /
rm -rf "$BUILD_DIR"
echo "SSL stack compilation completed"
echo "Custom installations available at:"
echo " OpenSSL: /usr/local/custom-ssl/openssl-1.1.0h"
echo " nghttp2: /usr/local/custom-ssl/nghttp"
echo " curl: /usr/local/custom-ssl/curl"
echo " APR: /usr/local/custom-ssl/apr"
echo " Apache: /usr/local/custom-ssl/apache"
else
echo "Skipping SSL stack compilation (only runs on dev workstations or when COMPILE_SSL_STACK=true)"
fi
echo "SSL stack compilation initializer completed"
View Git Blame Copy Permalink