fix(system/services/taskserver/certs): Move cert generation to script

This fully removes the human-factor and allows it to just run `./generate` to generate all required certificates and keys (with the needed extra keys and certificates)
author: Soispha <soispha@vhack.eu> 2023-11-07 16:44:08 +0100
committer: Soispha <soispha@vhack.eu> 2023-11-07 16:44:08 +0100
commit: 961729eed1540a7633f5200c63dcf8650d35c56f (patch)
tree: 71e84be3ddd87068c45698c0c43dd3227e20c7b3 /system/services/taskserver/certs/generate
parent: chore(version): v0.17.0 (diff)
download: nixos-server-961729eed1540a7633f5200c63dcf8650d35c56f.zip
4 files changed, 26 insertions, 19 deletions
diff --git a/system/services/taskserver/certs/generate b/system/services/taskserver/certs/generate
index 253e4bb..283697f 100755
--- a/system/services/taskserver/certs/generate
+++ b/system/services/taskserver/certs/generate
@@ -10,13 +10,19 @@
 #   server.key.pem
 #   server.cert.pem
 
-GENERATION_LOCATION="/run/user/$(id -u)/taskserver/keys";
+GENERATION_LOCATION="/run/user/$(id -u)/taskserver/certs";
+BASEDIR="$(dirname "$0")"
+cd "$BASEDIR" || echo "(BUG?) No basedir ('$BASEDIR')" 1>&2
+
+set -- ./vars ./generate.ca ./generate.crl ./generate.client ./ca.key.pem.gpg ./isrgrootx1.pem
 
 mkdir -p "$GENERATION_LOCATION"
-cp ./vars ./generate.ca ./generate.crl ./generate.client "$GENERATION_LOCATION"
+cp "$@" "./ca.cert.pem" "$GENERATION_LOCATION"
 cd "$GENERATION_LOCATION" || echo "(BUG?) No possible location fould!" 1>&2
 
-./generate.ca
+gpg --decrypt ca.key.pem.gpg > ca.key.pem
+cat ./isrgrootx1.pem >> ./ca.cert.pem
+[ -f ./ca.key.pem ] || ./generate.ca
 
 # Generate a certificate revocation list (CRL).  The initial CRL is empty, but
 # can grow over time.  Creates:
@@ -28,14 +34,15 @@ cd "$GENERATION_LOCATION" || echo "(BUG?) No possible location fould!" 1>&2
 # process per client; Add the required client names and uncomment
 # ./generate.client <client_name>
 #
-./generate.client soispha
-./generate.client android-mobile
-./generate.client android-tab
 #
 # Creates:
 #   <client_name>.key.pem
 #   <client_name>.cert.pem
+#
+./generate.client soispha
+./generate.client android-mobile
+./generate.client android-tab
 
 
-rm ./vars ./generate.ca ./generate.crl ./generate.client
+rm "$@" "./ca.key.pem"
 echo "(INFO) Look for the keys at: $GENERATION_LOCATION"
diff --git a/system/services/taskserver/certs/generate.ca b/system/services/taskserver/certs/generate.ca
index 4ffc6e9..a9fbc0c 100755
--- a/system/services/taskserver/certs/generate.ca
+++ b/system/services/taskserver/certs/generate.ca
@@ -35,7 +35,7 @@ EOF
 #locality = $LOCALITY
 fi
 
-if ! [ -f ca.cert.pem ] || [ ca.template -nt ca.cert.pem ]
+if ! [ -f ca.cert.pem ]
 then
   $CERTTOOL \
     --generate-self-signed \
diff --git a/system/services/taskserver/certs/generate.client b/system/services/taskserver/certs/generate.client
index 976cb82..4f0e503 100755
--- a/system/services/taskserver/certs/generate.client
+++ b/system/services/taskserver/certs/generate.client
@@ -16,21 +16,21 @@ then
   NAME=$1
 fi
 
-if ! [ -f ${NAME}.key.pem ]
+if ! [ -f "$NAME".key.pem ]
 then
   # Create a client key.
   $CERTTOOL \
     --generate-privkey \
     --sec-param $SEC_PARAM \
-    --outfile ${NAME}.key.pem
+    --outfile "$NAME".key.pem
 fi
 
-chmod 600 ${NAME}.key.pem
+chmod 600 "$NAME".key.pem
 
-if ! [ -f ${NAME}.template ]
+if ! [ -f "$NAME".template ]
 then
   # Sign a client cert with the key.
-  cat <<EOF >${NAME}.template
+  cat <<EOF >"$NAME".template
 organization = $ORGANIZATION
 cn = $CN
 expiration_days = $EXPIRATION_DAYS
@@ -40,15 +40,15 @@ signing_key
 EOF
 fi
 
-if ! [ -f ${NAME}.cert.pem ] || [ ${NAME}.template -nt ${NAME}.cert.pem ]
+if ! [ -f "$NAME".cert.pem ]
 then
   $CERTTOOL \
     --generate-certificate \
-    --load-privkey ${NAME}.key.pem \
+    --load-privkey "$NAME".key.pem \
     --load-ca-certificate ca.cert.pem \
     --load-ca-privkey ca.key.pem \
-    --template ${NAME}.template \
-    --outfile ${NAME}.cert.pem
+    --template "$NAME".template \
+    --outfile "$NAME".cert.pem
 fi
 
-chmod 600 ${NAME}.cert.pem
+chmod 600 "$NAME".cert.pem
diff --git a/system/services/taskserver/certs/generate.crl b/system/services/taskserver/certs/generate.crl
index 6a9daa8..e9f6715 100755
--- a/system/services/taskserver/certs/generate.crl
+++ b/system/services/taskserver/certs/generate.crl
@@ -18,7 +18,7 @@ expiration_days = $EXPIRATION_DAYS
 EOF
 fi
 
-if ! [ -f server.crl.pem ] || [ crl.template -nt server.crl.pem ]
+if ! [ -f server.crl.pem ]
 then
   $CERTTOOL \
     --generate-crl \
author	Soispha <soispha@vhack.eu>	2023-11-07 16:44:08 +0100
committer	Soispha <soispha@vhack.eu>	2023-11-07 16:44:08 +0100
commit	961729eed1540a7633f5200c63dcf8650d35c56f (patch)
tree	71e84be3ddd87068c45698c0c43dd3227e20c7b3 /system/services/taskserver/certs/generate
parent	chore(version): v0.17.0 (diff)
download	nixos-server-961729eed1540a7633f5200c63dcf8650d35c56f.zip