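#!/usr/bin/env bash
#
# First-time setup for the sso.base23.de deployment:
#   1. create ./.env from ./env.template plus generated and prompted secrets
#   2. generate nginx DH parameters (once)
#   3. obtain the initial certificate with lego (once) and link it for nginx
#   4. install a systemd service + timer that runs the renewal script
#
# Usage:    run from anywhere; the script changes into its parent directory.
#           Must run as root (writes units under /etc/systemd/system).
#           Re-running is safe: existing artefacts are left untouched, an
#           existing .env aborts the run before anything is written.
# Requires: bash 4+, openssl, lego, realpath, systemctl
set -euf -o pipefail

readonly domain="sso.base23.de"
readonly acme_email="acme@base23.de"
readonly env_file="./.env"
readonly env_template="./env.template"
readonly certs_dir="./data/nginx/certs"
readonly lego_dir="./data/.lego"
readonly acme_dir="./data/nginx/acme"
# Unit name derived from the domain with dots replaced by dashes
# (matches the unit file names used so far: lego-renew-sso-base23-de).
readonly unit_name="lego-renew-${domain//./-}"
readonly service_unit="/etc/systemd/system/${unit_name}.service"
readonly timer_unit="/etc/systemd/system/${unit_name}.timer"

# Print a message to stderr and exit with status 1.
die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Prompt twice for a secret (input hidden) until both entries match.
# Arguments: $1 - label shown in the prompt
# Globals:   RETURNED_PASSWORD (written) - the verified value
# Outputs:   prompts on stdout; mismatch/empty warnings on stderr
# Returns:   0 once a verified value is stored; exits via die() when no
#            input is available (EOF on stdin)
#######################################
prompt_password() {
  local purpose=$1
  local password password_confirm
  while true; do
    printf 'Enter password for %s: ' "$purpose"
    read -rs password || die "no input available for ${purpose}"
    printf '\nConfirm password for %s: ' "$purpose"
    read -rs password_confirm || die "no input available for ${purpose}"
    printf '\n'
    if [[ "$password" != "$password_confirm" ]]; then
      printf 'Error: Passwords do not match. Please try again.\n' >&2
      continue
    fi
    if [[ -z "$password" ]]; then
      # Still accepted (as before), but an empty secret is rarely intended.
      printf 'Warning: empty value accepted for %s.\n' "$purpose" >&2
    fi
    RETURNED_PASSWORD=$password
    printf 'Password verified for %s.\n' "$purpose"
    return 0
  done
}

#######################################
# Append one KEY=VALUE line to the env file.
# Arguments: $1 - key, $2 - value
# Globals:   env_file (read)
# NOTE(review): the value is written unquoted, exactly as before; whether the
# consumer of .env needs quoting for values containing spaces, '#' or '$' is
# not visible here — confirm against the tooling that reads the file.
#######################################
append_env() {
  printf '%s=%s\n' "$1" "$2" >> "$env_file"
}

#######################################
# Print $1 random bytes as a single base64 line.
# Arguments: $1 - number of random bytes
# Outputs:   the base64 string on stdout (line breaks openssl may insert
#            when wrapping long output are removed)
#######################################
random_secret() {
  openssl rand -base64 "$1" | tr -d '\n'
}

# Exit gracefully if the user aborts with CTRL+C
trap 'printf "\nOperation aborted by user.\n" >&2; exit 1' INT

# Fail early, before any state is written, if a prerequisite is missing.
for tool in openssl lego realpath systemctl; do
  command -v "$tool" >/dev/null 2>&1 || die "required tool not found: ${tool}"
done
(( EUID == 0 )) || die "this script must run as root (it writes systemd units under /etc)"

cd "$(dirname "$(realpath "$0")")/../" || die "cannot change to the project directory"

if [[ -f "$env_file" ]]; then
  die "${env_file} already exists. Exiting!"
fi
[[ -f "$env_template" ]] || die "${env_template} not found in ${PWD}"

# Create .env owner-readable only *before* any secret lands in it. The umask
# is scoped to the subshell so the files created later keep the default mode.
( umask 077 && : > "$env_file" )
cat "$env_template" >> "$env_file"
printf '# SECRETS\n' >> "$env_file"
append_env PG_PASS "$(random_secret 36)"
append_env AUTHENTIK_SECRET_KEY "$(random_secret 60)"
prompt_password AUTHENTIK_EMAIL__PASSWORD
append_env AUTHENTIK_EMAIL__PASSWORD "$RETURNED_PASSWORD"
unset RETURNED_PASSWORD
prompt_password GEOIPUPDATE_LICENSE_KEY
append_env GEOIPUPDATE_LICENSE_KEY "$RETURNED_PASSWORD"
unset RETURNED_PASSWORD
printf '\n' >> "$env_file"

# Generate DH parameters once, inside a directory private to the owner.
if [[ ! -d "$certs_dir" ]]; then
  mkdir -p "$certs_dir"
  chmod 700 "$certs_dir"
fi
if [[ ! -f "${certs_dir}/dhparams.pem" ]]; then
  printf '\n'
  # A failure here aborts the run (previously it was masked by '|| true').
  openssl dhparam -out "${certs_dir}/dhparams.pem" 4096
  printf '\nChecking generated dhparams\n'
  openssl dhparam -check -in "${certs_dir}/dhparams.pem"
fi

# Obtain the initial certificate. NOTE(review): the directory test is kept
# from the original; a run that fails after lego created ${lego_dir} will be
# skipped on the next invocation — remove the directory to retry.
if [[ ! -d "$lego_dir" ]]; then
  printf '\nCreate certificate\n'
  lego \
    --path "$lego_dir" \
    --accept-tos \
    --email="$acme_email" \
    --domains="$domain" \
    --http run
  # Link certificates into the nginx directory; the relative target is
  # resolved from ${certs_dir} and points at ${lego_dir}/certificates.
  for suffix in crt issuer.crt key; do
    ln -s "../../.lego/certificates/${domain}.${suffix}" "${certs_dir}/${domain}.${suffix}"
  done
fi

# Directory for ACME challenges
mkdir -p "$acme_dir"

# Install the renewal service and timer unless they already exist. Using
# 'if' (instead of '[[ ! -f ]] && ...') keeps the script's exit status 0
# when the units are already present.
# NOTE(review): the unit paths are fixed to /var/lib/apps/sso.base23.de; if
# the checkout lives elsewhere, ${PWD} at this point is the right base — confirm.
if [[ ! -f "$service_unit" ]]; then
  cat > "$service_unit" <<EOF
[Unit]
Description=SSL Certificate renewal for ${domain} with LEGO
Documentation=https://go-acme.github.io/lego/
Wants=network-online.target
After=network-online.target

[Service]
Type=oneshot
ExecStart=/var/lib/apps/sso.base23.de/scripts/cert_renew.sh
WorkingDirectory=/var/lib/apps/sso.base23.de/
User=root
Group=root
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
EOF
  systemctl daemon-reload
fi

if [[ ! -f "$timer_unit" ]]; then
  cat > "$timer_unit" <<EOF
[Unit]
Description=SSL Certificate renewal for ${domain} with LEGO Timer

[Timer]
OnCalendar=*-*-* 01:32:00
# add extra delay, here up to 1 hour:
RandomizedDelaySec=1h
Persistent=true

[Install]
WantedBy=timers.target
EOF
  systemctl daemon-reload
  systemctl enable --now "${unit_name}.timer"
fi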