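#!/bin/bash
# MICA infra — provision this host as the lab DNS resolver (unbound) and
# the smallstep CA / ACME server.
#
# Usage: run as root from the repository checkout. The script refuses to
# do anything unless SNSTERGUARD is set, as a guard against running it on
# a machine that is not a throw-away lab host.
#
# Environment:
#   SNSTERGUARD        must be non-empty, otherwise the script exits 1
#   CA_PASSWORD        password protecting the CA keys (default: "password",
#                      kept for compatibility with existing lab images —
#                      override it on anything that is not disposable)
#   STEP_CLI_SHA256    optional sha256 of the step-cli .deb; verified when set
#   STEP_CA_SHA256     optional sha256 of the step-ca .deb; verified when set

set -euo pipefail

# Safety guard: refuse to modify a machine that is not flagged as a lab host.
if [ -z "${SNSTERGUARD:-}" ]; then exit 1; fi

# Absolute path of the directory holding this script. A relative
# `dirname $0` would silently break --root/--key below after `cd /tmp`.
DIR=$(cd "$(dirname "$0")" && pwd)
readonly DIR
cd "$DIR"

# disable systemd-resolved which conflicts with nsd
# (append the directive only once so re-running the script stays idempotent)
if ! grep -qxF 'DNSStubListener=no' /etc/systemd/resolved.conf 2>/dev/null; then
  echo "DNSStubListener=no" >> /etc/systemd/resolved.conf
fi
systemctl stop systemd-resolved

# manage mica.sns zone
apt-get update
DEBIAN_FRONTEND=noninteractive apt-get install -y unbound
cp dns.conf /etc/unbound/unbound.conf.d/

# Install the lab root CA into the system trust store (when it is shipped
# with the repository).
if [ -f tls/root_ca.crt ]; then
  cp -ar tls/root_ca.crt /usr/local/share/ca-certificates/
  /usr/sbin/update-ca-certificates --fresh
fi

# Install smallstep CA / ACME server
cd /tmp

#######################################
# Download a .deb and install it with dpkg.
# Arguments: $1 - URL of the package
#            $2 - expected sha256 hex digest ("" skips verification)
# Returns:   non-zero (and aborts the script via set -e) on download,
#            checksum or dpkg failure
#######################################
install_deb() {
  local url=$1
  local expected=$2
  local deb
  deb=${url##*/}
  # -O overwrites a previous download instead of creating "<name>.1",
  # which would otherwise leave dpkg installing a stale file on re-runs.
  wget -O "$deb" -- "$url"
  # NOTE(review): without a pinned digest the package is trusted on the
  # strength of TLS and the download host alone; set STEP_*_SHA256 to pin
  # the exact release that was reviewed.
  if [ -n "$expected" ]; then
    printf '%s  %s\n' "$expected" "$deb" | sha256sum -c -
  fi
  dpkg -i "$deb"
}

install_deb "https://dl.smallstep.com/gh-release/cli/gh-release-header/v0.24.4/step-cli_0.24.4_amd64.deb" "${STEP_CLI_SHA256:-}"
install_deb "https://dl.smallstep.com/gh-release/certificates/gh-release-header/v0.24.2/step-ca_0.24.2_amd64.deb" "${STEP_CA_SHA256:-}"

# CA key password, kept in a root-only file so it is never passed on a
# command line (argv is visible in `ps`). The default value is a known
# weak secret retained for compatibility — see CA_PASSWORD above.
(umask 077; printf '%s\n' "${CA_PASSWORD:-password}" > /root/ca-passwordfile)
chmod 600 /root/ca-passwordfile

step ca init --deployment-type=standalone --name="Kaz CA" --dns="ca.mica.sns" --acme --address=":443" --provisioner="contact@kaz.sns" --password-file="/root/ca-passwordfile" --root="${DIR}/tls/root_ca.crt" --key "${DIR}/tls/root_ca_key"

# Start step-ca at boot through rc.local; append the launcher only if it
# is not already there so re-runs do not stack duplicate entries.
if ! grep -qF -- 'step-ca --password-file /root/ca-passwordfile' /etc/rc.local 2>/dev/null; then
  printf '#!/bin/sh\nstep-ca --password-file /root/ca-passwordfile\n' >> /etc/rc.local
fi
chmod +x /etc/rc.local

# Reference commands (manual equivalents of the steps above):
# step ca init
# step ca root root.crt
# step ca provisioner add acme --type ACME
# certbot certonly -n --standalone -d www.target.sns --server https://www.mica.sns/acme/acme/directory --agree-tos --email "fr@fr.fr"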