nixos/scripts/generate-server-certificate.sh

#!/usr/bin/env bash
set -o errexit
set -o nounset
set -o pipefail

function print_help_and_exit() {
  printf "Usage: generate-server-certificate DOMAIN.. \n"
  printf "\n"
  printf "Arguments:\n"
  printf "  DOMAIN..\n"
  printf "          The domains to generate a certificate for"
  printf "Options:\n"
  printf "  -H, --host\n"
  printf "          Host where the service will run, required for sops operations\n"
  printf "  -p, --password-path\n"
  printf "          Path inside pass to find the ca.crt and ca.key files in\n"
  printf "  -r, --root\n"
  printf "          Repository root\n"
  exit 1
}

function mk_safe() {
  echo "${1//./-}"
}

domain_names=()
host=
password_path=
root="$(git rev-parse --show-toplevel)"

while [[ $# -gt 0 ]]; do
  case $1 in
  -h | --help)
    print_help_and_exit
    ;;
  -H | --host)
    shift # past argument
    host=$1
    shift # past value
    ;;
  -p | --password-path)
    shift # past argument
    password_path=$1
    shift # past value
    ;;
  -r | --root)
    shift # past argument
    root=$1
    shift # past value
    ;;
  -*)
    echo "Unknown option $1"
    print_help_and_exit
    ;;
  *)
    domain_names+=("$1") # save domain name
    shift                # past argument
    ;;
  esac
done

if [[ -z $host ]]; then
  printf -- "--host required\n"
  print_help_and_exit
elif [[ -z $password_path ]]; then
  printf -- "--password_path required\n"
  print_help_and_exit
fi

if [[ ${#domain_names[@]} -eq 0 ]]; then
  print_help_and_exit
fi

first_safe=$(mk_safe "${domain_names[0]}")

pushd "$(mktemp -d)"

cat <<EOF >openssl.cnf
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name

[req_distinguished_name]

[v3_req]
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
EOF

for key in "${!domain_names[@]}"; do
  echo "DNS.$((key + 1)) = ${domain_names[$key]}" >>openssl.cnf
done

# Get ca.key and ca.crt from pass
pass "$password_path/ca.key" >ca.key
pass "$password_path/ca.crt" >ca.crt

# Generate private key for certificate
openssl ecparam -name prime256v1 -genkey -out server.key
# Generate certificate signing request (CSR) for server certificate
openssl req -new -sha256 -key server.key -out server.csr -subj "/CN=*.home"
# Generate server certificate using CA
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 365 -sha256 -extfile openssl.cnf -extensions v3_req

# Copy server.crt to final destination
mkdir -p "$root/secrets/pub"
cp server.crt "$root/secrets/pub/${first_safe}.crt"

# Safe the server key to sops
server_key=$(awk -v ORS='\\n' '1' server.key)
key="[\"certificate-key-${first_safe}\"] \"$server_key\""
sops --set "$key" "$root/secrets/hosts/$host/secrets.yaml"

# Clean Up
shred -u openssl.cnf server.key ca.crt ca.key server.crt server.csr ca.srl

popd
style: format 2023-11-30 18:23:43 +01:00			`#!/usr/bin/env bash`
feat: rework nginx certificates 2023-09-21 16:05:17 +02:00			`set -o errexit`
			`set -o nounset`
			`set -o pipefail`

			`function print_help_and_exit() {`
			`printf "Usage: generate-server-certificate DOMAIN.. \n"`
			`printf "\n"`
			`printf "Arguments:\n"`
			`printf " DOMAIN..\n"`
			`printf " The domains to generate a certificate for"`
			`printf "Options:\n"`
			`printf " -H, --host\n"`
			`printf " Host where the service will run, required for sops operations\n"`
			`printf " -p, --password-path\n"`
			`printf " Path inside pass to find the ca.crt and ca.key files in\n"`
			`printf " -r, --root\n"`
			`printf " Repository root\n"`
			`exit 1`
			`}`

			`function mk_safe() {`
			`echo "${1//./-}"`
			`}`

			`domain_names=()`
			`host=`
			`password_path=`
			`root="$(git rev-parse --show-toplevel)"`

			`while [[ $# -gt 0 ]]; do`
			`case $1 in`
style: format 2023-11-30 18:23:43 +01:00			`-h \| --help)`
			`print_help_and_exit`
			`;;`
			`-H \| --host)`
			`shift # past argument`
			`host=$1`
			`shift # past value`
			`;;`
			`-p \| --password-path)`
			`shift # past argument`
			`password_path=$1`
			`shift # past value`
			`;;`
			`-r \| --root)`
			`shift # past argument`
			`root=$1`
			`shift # past value`
			`;;`
			`-*)`
			`echo "Unknown option $1"`
			`print_help_and_exit`
			`;;`
			`*)`
			`domain_names+=("$1") # save domain name`
			`shift # past argument`
			`;;`
feat: rework nginx certificates 2023-09-21 16:05:17 +02:00			`esac`
			`done`

style: format 2023-11-30 18:23:43 +01:00			`if [[ -z $host ]]; then`
feat: rework nginx certificates 2023-09-21 16:05:17 +02:00			`printf -- "--host required\n"`
			`print_help_and_exit`
style: format 2023-11-30 18:23:43 +01:00			`elif [[ -z $password_path ]]; then`
feat: rework nginx certificates 2023-09-21 16:05:17 +02:00			`printf -- "--password_path required\n"`
			`print_help_and_exit`
			`fi`

style: format 2023-11-30 18:23:43 +01:00			`if [[ ${#domain_names[@]} -eq 0 ]]; then`
feat: rework nginx certificates 2023-09-21 16:05:17 +02:00			`print_help_and_exit`
			`fi`

			`first_safe=$(mk_safe "${domain_names[0]}")`

			`pushd "$(mktemp -d)"`

style: format 2023-11-30 18:23:43 +01:00			`cat <<EOF >openssl.cnf`
feat: rework nginx certificates 2023-09-21 16:05:17 +02:00			`[req]`
			`req_extensions = v3_req`
			`distinguished_name = req_distinguished_name`

			`[req_distinguished_name]`

			`[v3_req]`
			`keyUsage = nonRepudiation, digitalSignature, keyEncipherment`
			`extendedKeyUsage = serverAuth`
			`subjectAltName = @alt_names`

			`[alt_names]`
			`EOF`

			`for key in "${!domain_names[@]}"; do`
style: format 2023-11-30 18:23:43 +01:00			`echo "DNS.$((key + 1)) = ${domain_names[$key]}" >>openssl.cnf`
feat: rework nginx certificates 2023-09-21 16:05:17 +02:00			`done`

			`# Get ca.key and ca.crt from pass`
style: format 2023-11-30 18:23:43 +01:00			`pass "$password_path/ca.key" >ca.key`
			`pass "$password_path/ca.crt" >ca.crt`
feat: rework nginx certificates 2023-09-21 16:05:17 +02:00
			`# Generate private key for certificate`
			`openssl ecparam -name prime256v1 -genkey -out server.key`
			`# Generate certificate signing request (CSR) for server certificate`
			`openssl req -new -sha256 -key server.key -out server.csr -subj "/CN=*.home"`
			`# Generate server certificate using CA`
			`openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 365 -sha256 -extfile openssl.cnf -extensions v3_req`

			`# Copy server.crt to final destination`
			`mkdir -p "$root/secrets/pub"`
			`cp server.crt "$root/secrets/pub/${first_safe}.crt"`

			`# Safe the server key to sops`
			`server_key=$(awk -v ORS='\\n' '1' server.key)`
			`key="[\"certificate-key-${first_safe}\"] \"$server_key\""`
			`sops --set "$key" "$root/secrets/hosts/$host/secrets.yaml"`

			`# Clean Up`
			`shred -u openssl.cnf server.key ca.crt ca.key server.crt server.csr ca.srl`

			`popd`