#!/usr/bin/env bash set -euf -o pipefail # Function to securely query user for a password, verify it, and return it for further use prompt_password() { local purpose="$1" local password password_confirm while true; do printf "Enter password for %s: " "$purpose" read -rs password printf "\nConfirm password for %s: " "$purpose" read -rs password_confirm printf "\n" # Check if passwords match if [[ "$password" == "$password_confirm" ]]; then RETURNED_PASSWORD="$password" printf "Password verified for %s.\n" "$purpose" return 0 else printf "Error: Passwords do not match. Please try again.\n" >&2 fi done } # Trap SIGINT to exit gracefully if the user aborts with CTRL+C trap 'printf "\nOperation aborted by user.\n" >&2; exit 1' SIGINT cd "$(dirname "$(realpath "$0")")/../" AUTHENTIK_DOCKER_COMPOSE_PATH="$(realpath "$(pwd)")" # Check if .env exists and exit if it is if [[ ! -f ./.env ]]; then cat ./env.template >> ./.env echo "# SECRETS" >> ./.env echo "PG_PASS=$(openssl rand -base64 36 | tr -d '\n')" >> ./.env echo "AUTHENTIK_SECRET_KEY=$(openssl rand -base64 60 | tr -d '\n')" >> ./.env prompt_password "AUTHENTIK_EMAIL__PASSWORD"; echo "AUTHENTIK_EMAIL__PASSWORD=${RETURNED_PASSWORD}" >> ./.env; unset RETURNED_PASSWORD prompt_password "GEOIPUPDATE_LICENSE_KEY"; echo "GEOIPUPDATE_LICENSE_KEY=${RETURNED_PASSWORD}" >> ./.env; unset RETURNED_PASSWORD prompt_password "RESTIC_REPO_PASSWORD (leave empty to generate a password)"; echo "RESTIC_REPO_PASSWORD=$([[ -n ${RETURNED_PASSWORD} ]] && echo -n "${RETURNED_PASSWORD}" || openssl rand -base64 60 | tr -d '\n')" >> ./.env; unset RETURNED_PASSWORD echo "" >> ./.env fi # Check if ssh key already exists, otherwise generate one [[ ! -d ./data/restic/ssh/ ]] && mkdir -p ./data/restic/ssh/ [[ ! -f ./data/restic/ssh/id_ed25519 ]] && ssh-keygen -t ed25519 -C "sso.base23.de" -f ./data/restic/ssh/id_ed25519 # Generate dhparam, if not existing [[ ! -d ./data/nginx/certs ]] && mkdir -p ./data/nginx/certs && chmod 700 ./data/nginx/certs && chown 101:101 ./data/nginx/certs || true [[ ! -f ./data/nginx/dhparams.pem ]] && echo "" && openssl dhparam -out ./data/nginx/dhparams.pem 4096 && chown 101:101 ./data/nginx/dhparams.pem \ && echo "" && echo "Checking generated dhparams" && openssl dhparam -check -in ./data/nginx/dhparams.pem || true # Create certificate if [[ ! -d ./data/.lego ]]; then echo "" echo "Create certificate" lego \ --path ./data/.lego \ --accept-tos \ --email="acme@base23.de" \ --domains="sso.base23.de" \ --http run \ && install -m 400 -o 101 -g 101 "./data/.lego/certificates"/{sso.base23.de.crt,sso.base23.de.issuer.crt,sso.base23.de.key} "./data/nginx/certs" fi # Setup directory for acme cheallenges [[ ! -d ./data/nginx/acme ]] && mkdir -p ./data/nginx/acme # Setup cronjob to automatically renew certificates [[ ! -f /etc/systemd/system/lego-renew-sso-base23-de.service ]] && cat < /etc/systemd/system/lego-renew-sso-base23-de.service && systemctl daemon-reload [Unit] Description=SSL Certificate renewal for sso.base23.de with LEGO Documentation=https://go-acme.github.io/lego/ Wants=network-online.target After=network-online.target [Service] Type=oneshot ExecStart=${AUTHENTIK_DOCKER_COMPOSE_PATH}/scripts/cert_renew.sh WorkingDirectory=${AUTHENTIK_DOCKER_COMPOSE_PATH}/ User=root Group=root RemainAfterExit=yes [Install] WantedBy=multi-user.target EOF [[ ! -f /etc/systemd/system/lego-renew-sso-base23-de.timer ]] && cat < /etc/systemd/system/lego-renew-sso-base23-de.timer && systemctl daemon-reload && systemctl enable --now lego-renew-sso-base23-de.timer [Unit] Description=SSL Certificate renewal for sso.base23.de with LEGO Timer [Timer] OnCalendar=*-*-* 01:32:00 # add extra delay, here up to 1 hour: RandomizedDelaySec=1h Persistent=true [Install] WantedBy=timers.target EOF