new type: __snakeoil_cert
This commit is contained in:
parent
c308a28969
commit
30ba796d06
8 changed files with 172 additions and 0 deletions
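--- a/cdist/conf/type/__snakeoil_cert/explorer/ssl-cert-group
+++ b/cdist/conf/type/__snakeoil_cert/explorer/ssl-cert-group
@@ -0,0 +1,8 @@
+#!/bin/sh -e
+
+if grep -Eq '^ssl-cert:' /etc/group
+then
+echo 'present'
+else
+echo 'absent'
+fi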
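Review bot: The explorer reads `/etc/group` directly, so an `ssl-cert` group that is provided through NSS (LDAP, sssd, systemd's `/usr/lib/group` merge) is reported `absent`, and gencode-remote then silently falls back to group `root` for the private key. `if getent group ssl-cert >/dev/null 2>&1` consults the configured name service and keeps the same present/absent output. `getent` ships with glibc and musl; if the type must also run on targets without it, the current `grep` could stay as a fallback when `getent` is not found.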
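--- a/cdist/conf/type/__snakeoil_cert/explorer/state
+++ b/cdist/conf/type/__snakeoil_cert/explorer/state
@@ -0,0 +1,24 @@
+#!/bin/sh -e
+
+key_path="$( cat "$__object/parameter/key-path" )"
+
+if echo "$key_path" | grep -Fq '%s'
+then
+# shellcheck disable=SC2059
+key_path="$( printf "$key_path" "$__object_id" )"
+fi
+
+cert_path="$( cat "$__object/parameter/cert-path" )"
+
+if echo "$cert_path" | grep -Fq '%s'
+then
+# shellcheck disable=SC2059
+cert_path="$( printf "$cert_path" "$__object_id" )"
+fi
+
+if [ ! -f "$key_path" ] || [ ! -f "$cert_path" ]
+then
+echo 'absent'
+else
+echo 'present'
+fi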
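Review bot: `printf "$key_path" "$__object_id"` uses the user-supplied path as the format string, so any `%` sequence other than `%s` (or a backslash escape) in `--key-path` / `--cert-path` is interpreted by printf instead of being taken literally; silencing SC2059 hides this rather than addressing it. A parameter expansion performs the same substitution without a format string: `key_path="${key_path%%'%s'*}${__object_id}${key_path#*'%s'}"` (and likewise for `cert_path`), replacing the first `%s` only. If the format-string behaviour is intended, the man page should at least state that a literal `%` must be written as `%%`. The same expansion is duplicated in gencode-remote, so whichever form is chosen should be mirrored there.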
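--- a/cdist/conf/type/__snakeoil_cert/gencode-remote
+++ b/cdist/conf/type/__snakeoil_cert/gencode-remote
@@ -0,0 +1,73 @@
+#!/bin/sh -e
+
+state="$( cat "$__object/explorer/state" )"
+
+if [ "$state" = 'present' ]
+then
+exit 0
+fi
+
+if [ -f "$__object/parameter/common-name" ]
+then
+common_name="$( cat "$__object/parameter/common-name" )"
+else
+common_name="$__object_id"
+fi
+
+key_path="$( cat "$__object/parameter/key-path" )"
+
+if echo "$key_path" | grep -Fq '%s'
+then
+# shellcheck disable=SC2059
+key_path="$( printf "$key_path" "$__object_id" )"
+fi
+
+cert_path="$( cat "$__object/parameter/cert-path" )"
+
+if echo "$cert_path" | grep -Fq '%s'
+then
+# shellcheck disable=SC2059
+cert_path="$( printf "$cert_path" "$__object_id" )"
+fi
+
+key_type="$( cat "$__object/parameter/key-type" )"
+
+key_type_arg="$( echo "$key_type" | cut -d : -f 2 )"
+
+case "$key_type" in
+rsa:*)
+echo "openssl genrsa -out '$key_path' $key_type_arg"
+;;
+ec:*)
+echo "openssl ecparam -name $key_type_arg -genkey -noout -out '$key_path'"
+;;
+esac
+
+# shellcheck disable=SC2016
+echo 'csr_path="$( mktemp )"'
+
+echo "openssl req -new -subj '/CN=$common_name' -key '$key_path' -out \"\$csr_path\""
+
+echo "openssl x509 -req -sha256 -days 3650 -in \"\$csr_path\" -signkey '$key_path' -out '$cert_path'"
+
+# shellcheck disable=SC2016
+echo 'rm -f "$csr_path"'
+
+if [ "$( cat "$__object/explorer/ssl-cert-group" )" = 'present' ]
+then
+key_group='ssl-cert'
+else
+key_group='root'
+fi
+
+echo "chmod 640 '$key_path'"
+
+echo "chown root '$key_path'"
+
+echo "chgrp $key_group '$key_path'"
+
+echo "chmod 644 '$cert_path'"
+
+echo "chown root '$cert_path'"
+
+echo "chgrp root '$cert_path'"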
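Review bot: The private key is written by the emitted `openssl genrsa -out` / `openssl ecparam ... -out` command under the remote shell's default umask and is only tightened by `chmod 640` several commands later, after the CSR and x509 steps; depending on the OpenSSL version (`ecparam` in particular has not always created the output with owner-only mode), the key can be world-readable during that window. Emitting `echo 'umask 077'` as the first line of the generated script closes it, and the later absolute `chmod 644` on the certificate still yields the intended bits. Separately, the `case "$key_type"` has no default arm, so an unsupported value such as `dsa:1024` emits no key-generation command and the run fails only when `openssl req` cannot open the missing key; adding `*) printf 'unsupported key-type: %s\n' "$key_type" >&2; exit 1 ;;` fails at gencode time with a clear message. Note also that `$key_type_arg` and `$common_name` are spliced unquoted/single-quoted into the generated script, so values containing shell metacharacters or a `'` break it — acceptable if parameters are considered trusted, but worth a sentence in the man page.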
60
cdist/conf/type/__snakeoil_cert/man.rst
Normal file
60
cdist/conf/type/__snakeoil_cert/man.rst
Normal file
|
@ -0,0 +1,60 @@
|
|||
cdist-type__snakeoil_cert(7)
|
||||
============================
|
||||
|
||||
NAME
|
||||
----
|
||||
cdist-type__snakeoil_cert - Generate self-signed certificate
|
||||
|
||||
|
||||
DESCRIPTION
|
||||
-----------
|
||||
The purpose of this type is to generate **self-signed** certificate and private key
|
||||
for **testing purposes**. Certificate will expire in 3650 days.
|
||||
|
||||
Certificate's and key's access bits will be ``644`` and ``640`` respectively.
|
||||
If target system has ``ssl-cert`` group, then it will be used as key's group.
|
||||
Use ``require='__snakeoil_cert/...' __file ...`` to override.
|
||||
|
||||
|
||||
OPTIONAL PARAMETERS
|
||||
-------------------
|
||||
common-name
|
||||
Defaults to ``$__object_id``.
|
||||
|
||||
key-path
|
||||
``%s`` in path will be replaced with ``$__object_id``.
|
||||
Defaults to ``/etc/ssl/private/%s.pem``.
|
||||
|
||||
key-type
|
||||
Possible values are ``rsa:$bits`` and ``ec:$name``.
|
||||
For possible EC names see ``openssl ecparam -list_curves``.
|
||||
Defaults to ``rsa:2048``.
|
||||
|
||||
cert-path
|
||||
``%s`` in path will be replaced with ``$__object_id``.
|
||||
Defaults to ``/etc/ssl/certs/%s.pem``.
|
||||
|
||||
|
||||
EXAMPLES
|
||||
--------
|
||||
.. code-block:: sh
|
||||
__snakeoil_cert localhost-rsa \
|
||||
--common-name localhost \
|
||||
--key-type rsa:4096
|
||||
|
||||
__snakeoil_cert localhost-ec \
|
||||
--common-name localhost \
|
||||
--key-type ec:prime256v1
|
||||
|
||||
|
||||
AUTHORS
|
||||
-------
|
||||
Ander Punnar <ander-at-kvlt-dot-ee>
|
||||
|
||||
|
||||
COPYING
|
||||
-------
|
||||
Copyright \(C) 2021 Ander Punnar. You can redistribute it and/or modify it
|
||||
under the terms of the GNU General Public License as published by the Free
|
||||
Software Foundation, either version 3 of the License, or (at your option)
|
||||
any later version.
|
|
@ -0,0 +1 @@
|
|||
/etc/ssl/certs/%s.pem
|
|
@ -0,0 +1 @@
|
|||
/etc/ssl/private/%s.pem
|
|
@ -0,0 +1 @@
|
|||
rsa:2048
|
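--- a/cdist/conf/type/__snakeoil_cert/parameter/optional
+++ b/cdist/conf/type/__snakeoil_cert/parameter/optional
@@ -0,0 +1,4 @@
+common-name
+key-path
+key-type
+cert-path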