Rename certs to include domain. Better handling of certs in bootstrap.

2022-08-20 19:56:55 +01:00 · 2022-08-20 19:56:55 +01:00 · 2015269573
commit 2015269573
parent 3ef1e08a32
9 changed files with 53 additions and 12 deletions
--- a/base-files/certificates/_msmtp_-afterdark.lan-cert.pem
+++ b/base-files/certificates/_msmtp_-afterdark.lan-cert.pem
@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB/zCCAaagAwIBAgIIYTsef/0JU9MwCgYIKoZIzj0EAwQwVzESMBAGA1UEChMJ
+QWZ0ZXJkYXJrMRcwFQYDVQQDEw5BZnRlcmRhcmsgUm9vdDEoMCYGCSqGSIb3DQEJ
+ARYZc3lzYWRtaW5AYWZ0ZXJkYXJrLm9yZy51azAeFw0yMDAxMDEwMDAwMDBaFw0z
+OTEyMzEyMzU5NTlaMFgxEjAQBgNVBAoTCUFmdGVyZGFyazEYMBYGA1UEAwwPKi5h
+ZnRlcmRhcmsubGFuMSgwJgYJKoZIhvcNAQkBFhlzeXNhZG1pbkBhZnRlcmRhcmsu
+b3JnLnVrMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEpY03l2dNsMetws9bpYCA
+rF2u3LuWan17jFkA3WyTqRY9OCqV0eIug78OLlEOD6PDxxp7CWY5MufXzJ0u6Wxf
+16NbMFkwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUwsGf/l3uDE4UOGjaUU7n0vZu
+pbUwDgYDVR0PAQH/BAQDAgWgMBoGA1UdEQQTMBGCDyouYWZ0ZXJkYXJrLmxhbjAK
+BggqhkjOPQQDBANHADBEAiB4/awdPUg1yjWun0eWXducsCaO0D5l69nqqwK2O+k0
+sgIgUUxC0biEYaMLbdLunQkm8ZoZOitjB4lmMyhxR8zebto=
+-----END CERTIFICATE-----
--- a/base-files/certificates/_msmtp_-afterdark.lan-key.pem.gpg
+++ b/base-files/certificates/_msmtp_-afterdark.lan-key.pem.gpg
--- a/base-files/certificates/_msmtp_-hosts.slackware.network-cert.pem
+++ b/base-files/certificates/_msmtp_-hosts.slackware.network-cert.pem
--- a/base-files/certificates/_msmtp_-hosts.slackware.network-key.pem.gpg
+++ b/base-files/certificates/_msmtp_-hosts.slackware.network-key.pem.gpg
--- a/base-files/certificates/_netdata_-afterdark.lan-cert.pem
+++ b/base-files/certificates/_netdata_-afterdark.lan-cert.pem
@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIICADCCAaagAwIBAgIId9GITZ+52oQwCgYIKoZIzj0EAwQwVzESMBAGA1UEChMJ
+QWZ0ZXJkYXJrMRcwFQYDVQQDEw5BZnRlcmRhcmsgUm9vdDEoMCYGCSqGSIb3DQEJ
+ARYZc3lzYWRtaW5AYWZ0ZXJkYXJrLm9yZy51azAeFw0yMDAxMDEwMDAwMDBaFw0z
+OTEyMzEyMzU5NTlaMFgxEjAQBgNVBAoTCUFmdGVyZGFyazEYMBYGA1UEAwwPKi5h
+ZnRlcmRhcmsubGFuMSgwJgYJKoZIhvcNAQkBFhlzeXNhZG1pbkBhZnRlcmRhcmsu
+b3JnLnVrMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEChiQmrGe4NrTg2/aOkBx
+XT3vlDWLwCqAiuEgL3KwB5sqBB7nrZT55cvtmeSS9UeGWPZxKKA5be15UuFAsfIH
+AaNbMFkwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUX5EtNswUZnSLdqiXXCaw0piI
+fdEwDgYDVR0PAQH/BAQDAgWgMBoGA1UdEQQTMBGCDyouYWZ0ZXJkYXJrLmxhbjAK
+BggqhkjOPQQDBANIADBFAiEAoqyGs1XbEv4Y/nDY9aiFvi/ncAHKCAtkU71GS1+O
+XZkCIFd+ESp+sw2hwPkLa9gGcuvl/kglOgAYzo8tjNg5Kh/d
+-----END CERTIFICATE-----
--- a/base-files/certificates/_netdata_-afterdark.lan-key.gpg
+++ b/base-files/certificates/_netdata_-afterdark.lan-key.gpg
@ -0,0 +1,2 @@
+Ś
	!}ź#P{WÖßŇŔC±ÂńiçÉa?śĺ‘áu¤Śúż(Ąí‡©.PčŞľ’¸=¬Űţ(v ß<11>Ţ_öżĚÝ„`HkĚ}Ë
“
+ŤLmÂ	QÓä°s‡÷yM‰ĆŢ'ŞšC´Užżł*%zŁŽ<C581>V ‹8€ńRZ¬ţĆjżŮIŹŽFţŔ¨Čy×‘*Ű%IŃę1úëîoÜęŢgůęMµł=`Wđ\‚'¤ˇ<>ĘpŮűĘŢĚŘ:älüQ]qŹ5«Ů˛7,Ňgüp‰b.ˇˇ©kíRgyKŞŻÁxFć·äOř,<2C>°?,ĆěšáŘaDV‚/“!™|R.ŢWš ÁÁý<3W©¶
--- a/base-files/certificates/_netdata_-hosts.slackware.network-cert.pem
+++ b/base-files/certificates/_netdata_-hosts.slackware.network-cert.pem
--- a/base-files/certificates/_netdata_-hosts.slackware.network-key.pem.gpg
+++ b/base-files/certificates/_netdata_-hosts.slackware.network-key.pem.gpg
--- a/37
+++ b/37
@ -57,23 +57,36 @@ read -r -p "----> Enter GPG decryption passphraise (appears in clear text): " PA

 # Decrypt the pushover-config.
 echo "-> Decrypting /etc/pushover/*.gpg..."
-gpg -d --passphrase "$PASS" -o /etc/pushover/backups /etc/pushover/backups.gpg
-gpg -d --passphrase "$PASS" -o /etc/pushover/mirroring /etc/pushover/mirroring.gpg
-gpg -d --passphrase "$PASS" -o /etc/pushover/server /etc/pushover/server.gpg
-chmod 640 /etc/pushover/*
+for FILE in /etc/pushover/*.gpg; do
+  gpg -d --passphrase "$PASS" -o "/etc/pushover/${FILE%.gpg}" "$FILE"
+  chmod 640 "$FILE"
+done
+unset FILE
+
+# Get the current domain name.
+DOMAIN="$(hostname -d)"

 # Decrypt the netdata SSL key.
-echo "-> Decrypting netdata SSL key..."
-gpg -d --passphrase "$PASS" -o /etc/certificates/_netdata_-key.pem /etc/certificates/_netdata_-key.pem.gpg
-chmod 600 /etc/certificates/_netdata_-key.pem
-setfacl -m u:36:r /etc/certificates/_netdata_-key.pem
+echo "-> Decrypting netdata SSL key for $DOMAIN..."
+if [[ -e /etc/certificates/_netdata_-$DOMAIN-key.pem.gpg ]]; then
+  gpg -d --passphrase "$PASS" -o /etc/certificates/_netdata_-$DOMAIN-key.pem /etc/certificates/_netdata_-$DOMAIN-key.pem.gpg
+  chmod 600 /etc/certificates/_netdata_-$DOMAIN-key.pem
+  setfacl -m u:36:r /etc/certificates/_netdata_-$DOMAIN-key.pem
+else
+  echo "----> No netdata SSL key found for $DOMAIN!"
+fi

 # Decrypt the msmtp SSL key.
-echo "-> Decrypting msmtp SSL key..."
-gpg -d --passphrase "$PASS" -o /etc/certificates/_msmtp_-key.pem /etc/certificates/_msmtp_-key.pem.gpg
-chmod 600 /etc/certificates/_msmtp_-key.pem
-setfacl -m g:mail:r /etc/certificates/_msmtp_-key.pem
+echo "-> Decrypting msmtp SSL key for $DOMAIN..."
+if [[ -e /etc/certificates/_msmtp_-$DOMAIN-key.pem.gpg ]]; then
+  gpg -d --passphrase "$PASS" -o /etc/certificates/_msmtp_-$DOMAIN-key.pem /etc/certificates/_msmtp_-$DOMAIN-key.pem.gpg
+  chmod 600 /etc/certificates/_msmtp_-$DOMAIN-key.pem
+  setfacl -m g:mail:r /etc/certificates/_msmtp_-$DOMAIN-key.pem
+else
+  echo "----> No msmtp SSL key found for $DOMAIN!"
+fi

+# Remove the decryption password from the environment now it's finished with.
 unset PASS

 # Re-generate root's password for longer hash.