authorMitchell Riedstra <mitch@riedstra.dev>2023-01-09 23:01:36 -0500
committerMitchell Riedstra <mitch@riedstra.dev>2023-01-09 23:01:36 -0500
commit7e8d29755135a4384d8c2aa8cfd24c5ddfeb7c97 (patch)
tree951be2c46639267f229c3fd4496c0049e0ca7127 /setup.sh
Initial (HEAD, master)
Diffstat (limited to 'setup.sh')
-rwxr-xr-xsetup.sh88
1 files changed, 88 insertions, 0 deletions
diff --git a/setup.sh b/setup.sh
new file mode 100755
index 0000000..1bb9b03
--- /dev/null
+++ b/setup.sh
@@ -0,0 +1,88 @@
+#!/bin/sh
+# acme user's setup script
+set -ex
+cd "$HOME"
+
+if ! [ -e "sign.sec" ] ; then
+ rm -f sign.pub || echo ""
+ signify -G -n -p sign.pub -s sign.sec
+fi
+cat sign.pub
+
+if ! [ -e "age.key" ] ; then
+ age-keygen -o age.key
+fi
+
+if [ -n "$AGE_RECIPIENTS" ] ; then
+ echo "$AGE_RECIPIENTS" > recipients.txt
+fi
+
+awk '/public key/{print $4}' age.key >> recipients.txt
+
+if [ -z "$ACME_EMAIL" ] ; then
+ echo "ACME_EMAIL must be set"
+ exit 1
+fi
+
+if [ -z "$ACME_DELEGATION_DOMAIN" ] ; then
+ echo "ACME_DELEGATION_DOMAIN must be set"
+ exit 1
+fi
+
+if [ -z "$DOMAINS" ] ; then
+ echo "DOMAINS must be set"
+ exit 1
+fi
+
+cp /usr/bin/acme.sh ./
+
+sh ./acme.sh --install \
+ --home "$HOME/acme_home" \
+ --config-home "$HOME/acme_conf" \
+ --cert-home "$HOME/certs" \
+ --accountemail "$ACME_EMAIL" \
+ --accountkey "$HOME/acme_account.key" \
+ --accountconf "$HOME/acme_account.conf" \
+ --no-cron
+
+
+#shellcheck disable=SC1091
+. "$HOME/acme_home/acme.sh.env"
+
+acme.sh --upgrade
+
+for domain in $DOMAINS ; do
+ #shellcheck disable=SC2086
+ if ! [ -f "certs/$domain/$domain.cer" ] ; then
+ acme.sh $ACMESH_FLAGS \
+ --issue \
+ --dns dns_aws \
+ --challenge-alias "$ACME_DELEGATION_DOMAIN" \
+ -d "$domain" -d "*.${domain}"
+ fi
+
+ cd "certs/$domain"
+ sha256sum "${domain}.cer" "${domain}.key" \
+ > "/var/www/acme/${domain}.sha256sum"
+
+ age -e -a -R "$HOME"/recipients.txt "${domain}.key" \
+ > "/var/www/acme/${domain}.key.enc"
+
+ cp "${domain}.cer" /var/www/acme/
+ cp "fullchain.cer" /var/www/acme/"${domain}".fullchain
+
+ cd /var/www/acme
+
+ sha256sum "${domain}.fullchain" >> "${domain}.sha256sum"
+
+ sha256sum "${domain}.key.enc" >> "${domain}.sha256sum"
+
+ rm -f "${domain}.sha256sum.sig" || echo ""
+
+ signify -S -m "${domain}.sha256sum" -s "$HOME/sign.sec" \
+ -x "${domain}.sha256sum.sig"
+
+ cd "$HOME"
+done
+
+cp sign.pub /var/www/acme/
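Review bot: The recipient handling after `age-keygen` can only ever add recipients: `recipients.txt` is truncated only when `AGE_RECIPIENTS` is set, and the host's own age public key is appended unconditionally on every run, so a recipient dropped from `AGE_RECIPIENTS` (or the variable being unset on a later run) keeps receiving every encrypted private key, and the file accumulates duplicate entries. Rebuild the list from scratch each run: `: > recipients.txt`, then `if [ -n "$AGE_RECIPIENTS" ] ; then printf '%s\n' "$AGE_RECIPIENTS" >> recipients.txt ; fi`, followed by the existing `awk '/public key/{print $4}' age.key >> recipients.txt`. Separately, copying `sign.pub` into the same `/var/www/acme` directory as the signed checksums gives a consumer that fetches the key from there no protection against tampering on that host; a comment such as `# sign.pub is published for convenience only; consumers must pin it out-of-band` would make that explicit. Note also that `set -x` at the top traces every command line, so anything sensitive placed in `ACMESH_FLAGS` would be echoed to the log.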