docker-compose/authentik
0
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
authentik/scripts/init.sh

99 lines
3.3 KiB
Bash
Executable file
Raw Blame History

#!/usr/bin/env bash
set -euf -o pipefail
# Function to securely query user for a password, verify it, and return it for further use
prompt_password() {
local purpose="$1"
local password password_confirm
while true; do
printf "Enter password for %s: " "$purpose"
read -rs password
printf "\nConfirm password for %s: " "$purpose"
read -rs password_confirm
printf "\n"
# Check if passwords match
if [[ "$password" == "$password_confirm" ]]; then
RETURNED_PASSWORD="$password"
printf "Password verified for %s.\n" "$purpose"
return 0
else
printf "Error: Passwords do not match. Please try again.\n" >&2
fi
done
}
# Trap SIGINT to exit gracefully if the user aborts with CTRL+C
trap 'printf "\nOperation aborted by user.\n" >&2; exit 1' SIGINT
cd "$(dirname "$(realpath "$0")")/../"
# Check if .env exists and exit if it is
[[ -f ./.env ]] && echo ".env already exists. Exiting!" && exit 1 || true
cat ./env.template >> ./.env
echo "# SECRETS" >> ./.env
echo "PG_PASS=$(openssl rand -base64 36 | tr -d '\n')" >> ./.env
echo "AUTHENTIK_SECRET_KEY=$(openssl rand -base64 60 | tr -d '\n')" >> ./.env
prompt_password "AUTHENTIK_EMAIL__PASSWORD"; echo "AUTHENTIK_EMAIL__PASSWORD=${RETURNED_PASSWORD}" >> ./.env; unset RETURNED_PASSWORD
prompt_password "GEOIPUPDATE_LICENSE_KEY"; echo "GEOIPUPDATE_LICENSE_KEY=${RETURNED_PASSWORD}" >> ./.env; unset RETURNED_PASSWORD
echo "" >> ./.env
# Generate dhparam, if not existing
[[ ! -d ./data/nginx/certs ]] && mkdir -p ./data/nginx/certs && chmod 700 ./data/nginx/certs || true
[[ ! -f ./data/nginx/certs/dhparams.pem ]] && echo "" && openssl dhparam -out ./data/nginx/certs/dhparams.pem 4096 \
&& echo "" && echo "Checking generated dhparams" && openssl dhparam -check -in ./data/nginx/certs/dhparams.pem || true
# Create certificate
if [[ ! -d ./data/.lego ]]; then
echo ""
echo "Create certificate"
lego \
--path ./data/.lego \
--accept-tos \
--email="acme@base23.de" \
--domains="sso.base23.de" \
--http run
# Link certificates to correct directory
ln -s ../../.lego/certificates/sso.base23.de.crt ./data/nginx/certs/sso.base23.de.crt
ln -s ../../.lego/certificates/sso.base23.de.issuer.crt ./data/nginx/certs/sso.base23.de.issuer.crt
ln -s ../../.lego/certificates/sso.base23.de.key ./data/nginx/certs/sso.base23.de.key
fi
# Setup cronjob to automatically renew certificates
[[ ! -f /etc/systemd/system/lego-renew-sso-base23-de.service ]] && cat <<EOF > /etc/systemd/system/lego-renew-sso-base23-de.service && systemctl daemon-reload
[Unit]
Description=SSL Certificate renewal for sso.base23.de with LEGO
Documentation=https://go-acme.github.io/lego/
Wants=network-online.target
After=network-online.target
[Service]
Type=oneshot
ExecStart=/var/lib/apps/sso.base23.de/scripts/cert_renew.sh
WorkingDirectory=/var/lib/apps/sso.base23.de/
User=root
Group=root
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
EOF
[[ ! -f /etc/systemd/system/lego-renew-sso-base23-de.timer ]] && cat <<EOF > /etc/systemd/system/lego-renew-sso-base23-de.timer && systemctl daemon-reload && systemctl enable --now lego-renew-sso-base23-de.timer
[Unit]
Description=SSL Certificate renewal for sso.base23.de with LEGO Timer
[Timer]
OnCalendar=*-*-* 01:32:00
# add extra delay, here up to 1 hour:
RandomizedDelaySec=1h
Persistent=true
[Install]
WantedBy=timers.target
EOF
Reference in a new issue View git blame Copy permalink