Add cert scripts; update readme; update gitignore; add nginx

2024-11-19 10:54:05 +01:00 · 2024-11-19 10:54:05 +01:00 · ae3d5e4df7
commit ae3d5e4df7
parent 91c5eb1d9d
9 changed files with 301 additions and 30 deletions
--- a/scripts/cert_renew.sh
+++ b/scripts/cert_renew.sh
@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+set -euf -o pipefail
+
+cd "$(dirname "$(realpath "$0")")../"
+
+lego \
+--path ./data/.lego \
+	--http.port 8080 \
+	--tls.port 8443 \
+	--email="acme@base23.de" \
+	--domains="sso.base23.de" \
+	--http renew \
+	--renew-hook="./scripts/cert_renew_hook.sh"
--- a/scripts/cert_renew_hook.sh
+++ b/scripts/cert_renew_hook.sh
@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+set -euf -o pipefail
+
+cd "$(dirname "$(realpath "$0")")../"
+
+docker compose restart nginx
--- a/scripts/init.sh
+++ b/scripts/init.sh
@ -0,0 +1,62 @@
+#!/usr/bin/env bash
+set -euf -o pipefail
+
+# Function to securely query user for a password, verify it, and return it for further use
+prompt_password() {
+	local purpose="$1"
+	local password password_confirm
+
+	while true; do
+		printf "Enter password for %s: " "$purpose"
+		read -rs password
+		printf "\nConfirm password for %s: " "$purpose"
+		read -rs password_confirm
+		printf "\n"
+
+		# Check if passwords match
+		if [[ "$password" == "$password_confirm" ]]; then
+			RETURNED_PASSWORD="$password"
+			printf "Password verified for %s.\n" "$purpose"
+			return 0
+		else
+			printf "Error: Passwords do not match. Please try again.\n" >&2
+		fi
+	done
+}
+
+# Trap SIGINT to exit gracefully if the user aborts with CTRL+C
+trap 'printf "\nOperation aborted by user.\n" >&2; rm .env; exit 1' SIGINT
+
+
+cd "$(dirname "$(realpath "$0")")../"
+
+# Check if .env exists and exit if it is
+[[ -f ./.env ]] && echo ".env already exists. Exiting!" && exit 1 || true
+
+cat ./env.template >> .env
+echo "# SECRETS" >> .env
+echo "PG_PASS=$(openssl rand -base64 36 | tr -d '\n')" >> .env
+echo "AUTHENTIK_SECRET_KEY=$(openssl rand -base64 60 | tr -d '\n')" >> .env
+prompt_password "AUTHENTIK_EMAIL__PASSWORD"; echo "AUTHENTIK_EMAIL__PASSWORD=${RETURNED_PASSWORD}" >> .env; unset RETURNED_PASSWORD
+prompt_password "GEOIPUPDATE_LICENSE_KEY"; echo "GEOIPUPDATE_LICENSE_KEY=${RETURNED_PASSWORD}" >> .env; unset RETURNED_PASSWORD
+echo "" >> .env
+
+# Generate dhparam, if not existing
+[[ ! -d ./data/nginx/certs ]] && mkdir -p ./data/nginx/certs && chmod 700 ./data/nginx/certs || true
+[[ ! -f ./data/nginx/certs/dhparam.pem ]] && echo "" && echo "Generating Diffie-Hellman parameters (dhparams)" && openssl dhparam -out ./data/nginx/certs/dhparams.pem 4096 \
+	&& echo "" && echo "Checking generated dhparams" openssl dhparam -check -in ./data/nginx/certs/dhparams.pem || true
+
+# Create certificate
+echo ""
+echo "Create certificate"
+lego \
+	--path ./data/.lego \
+	--http.port 8080 \
+	--tls.port 8443 \
+	--email="acme@base23.de" \
+	--domains="sso.base23.de" \
+	--http run
+
+# Link certificates to correct directory
+
+# Setup cronjob to automatically renew certificates