aboutsummaryrefslogtreecommitdiffstats
path: root/system/services/taskserver
diff options
context:
space:
mode:
Diffstat (limited to '')
-rwxr-xr-xsystem/services/taskserver/certs/check_expire8
-rwxr-xr-xsystem/services/taskserver/certs/generate52
-rwxr-xr-xsystem/services/taskserver/certs/generate.ca40
3 files changed, 64 insertions, 36 deletions
diff --git a/system/services/taskserver/certs/check_expire b/system/services/taskserver/certs/check_expire
index 89969cc..39f3291 100755
--- a/system/services/taskserver/certs/check_expire
+++ b/system/services/taskserver/certs/check_expire
@@ -1,4 +1,10 @@
-#!/bin/sh
+#!/usr/bin/env nix
+#! nix shell nixpkgs#openssl nixpkgs#dash --command dash
+
+cd "$(dirname "$0")" || {
+ echo "No dir name?!"
+ exit 1
+}
for cert in *.cert.pem; do
echo "$cert"
diff --git a/system/services/taskserver/certs/generate b/system/services/taskserver/certs/generate
index 283697f..3d0ebe3 100755
--- a/system/services/taskserver/certs/generate
+++ b/system/services/taskserver/certs/generate
@@ -1,4 +1,5 @@
-#!/bin/sh
+#!/usr/bin/env nix
+#! nix shell nixpkgs#openssl nixpkgs#gnutls nixpkgs#dash --command dash
# For a public or production server, purchase a cert from a known CA, and skip
# the next step.
@@ -10,25 +11,49 @@
# server.key.pem
# server.cert.pem
-GENERATION_LOCATION="/run/user/$(id -u)/taskserver/certs";
+GENERATION_LOCATION="/run/user/$(id -u)/taskserver/certs"
BASEDIR="$(dirname "$0")"
-cd "$BASEDIR" || echo "(BUG?) No basedir ('$BASEDIR')" 1>&2
+cd "$BASEDIR" || {
+ echo "(BUG?) No basedir ('$BASEDIR')" 1>&2
+ exit 1
+}
+ca=false
+crl=false
+clients=false
+
+for arg in "$@"; do
+ case "$arg" in
+ "--ca")
+ ca=true
+ ;;
+ "--crl")
+ crl=true
+ ;;
+ "--clients")
+ clients=true
+ ;;
+ esac
+done
+
+# `ca.cert.pem` is not on this list, as it would otherwise get deleted in the `rm` on the
+# second-to last line
set -- ./vars ./generate.ca ./generate.crl ./generate.client ./ca.key.pem.gpg ./isrgrootx1.pem
-mkdir -p "$GENERATION_LOCATION"
-cp "$@" "./ca.cert.pem" "$GENERATION_LOCATION"
+mkdir --parents "$GENERATION_LOCATION"
+cp "$@" ./ca.cert.pem "$GENERATION_LOCATION"
cd "$GENERATION_LOCATION" || echo "(BUG?) No possible location fould!" 1>&2
-gpg --decrypt ca.key.pem.gpg > ca.key.pem
-cat ./isrgrootx1.pem >> ./ca.cert.pem
-[ -f ./ca.key.pem ] || ./generate.ca
+gpg --decrypt ca.key.pem.gpg >ca.key.pem
+
+[ "$ca" = true ] && ./generate.ca
+cat ./isrgrootx1.pem >>./ca.cert.pem
# Generate a certificate revocation list (CRL). The initial CRL is empty, but
# can grow over time. Creates:
# server.crl.pem
-./generate.crl
+[ "$crl" = true ] && ./generate.crl
# The above is sufficient to operate a server. You now need to run a client cert creation
# process per client; Add the required client names and uncomment
@@ -39,10 +64,11 @@ cat ./isrgrootx1.pem >> ./ca.cert.pem
# <client_name>.key.pem
# <client_name>.cert.pem
#
-./generate.client soispha
-./generate.client android-mobile
-./generate.client android-tab
-
+[ "$clients" = true ] && ./generate.client soispha
+[ "$clients" = true ] && ./generate.client android-mobile
+[ "$clients" = true ] && ./generate.client android-tab
rm "$@" "./ca.key.pem"
echo "(INFO) Look for the keys at: $GENERATION_LOCATION"
+
+# vim: ft=sh
diff --git a/system/services/taskserver/certs/generate.ca b/system/services/taskserver/certs/generate.ca
index a9fbc0c..eb0dd5c 100755
--- a/system/services/taskserver/certs/generate.ca
+++ b/system/services/taskserver/certs/generate.ca
@@ -2,29 +2,26 @@
# Take the correct binary to create the certificates
CERTTOOL=$(command -v gnutls-certtool 2>/dev/null || command -v certtool 2>/dev/null)
-if [ -z "$CERTTOOL" ]
-then
- echo "ERROR: No certtool found" >&2
- exit 1
+if [ -z "$CERTTOOL" ]; then
+ echo "ERROR: No certtool found" >&2
+ exit 1
fi
. ./vars
-if ! [ -f ca.key.pem ]
-then
- # Create a CA key.
- $CERTTOOL \
- --generate-privkey \
- --sec-param $SEC_PARAM \
- --outfile ca.key.pem
+if ! [ -f ca.key.pem ]; then
+ # Create a CA key.
+ $CERTTOOL \
+ --generate-privkey \
+ --sec-param $SEC_PARAM \
+ --outfile ca.key.pem
fi
chmod 600 ca.key.pem
-if ! [ -f ca.template ]
-then
- # Sign a CA cert.
- cat <<EOF >ca.template
+if ! [ -f ca.template ]; then
+ # Sign a CA cert.
+ cat <<EOF >ca.template
organization = $ORGANIZATION
cn = $CN CA
country = $COUNTRY
@@ -35,13 +32,12 @@ EOF
#locality = $LOCALITY
fi
-if ! [ -f ca.cert.pem ]
-then
- $CERTTOOL \
- --generate-self-signed \
- --load-privkey ca.key.pem \
- --template ca.template \
- --outfile ca.cert.pem
+if ! [ -f ca.cert.pem ]; then
+ $CERTTOOL \
+ --generate-self-signed \
+ --load-privkey ca.key.pem \
+ --template ca.template \
+ --outfile ca.cert.pem
fi
chmod 600 ca.cert.pem
generated by cgit v1.3.1 (git 2.54.0) at 2026-05-30 23:53:01 +0000