va-privacyidea/appliance/02firstboot.start

#!/bin/bash

# variables
LABEL="DATA"
DATABASE_PASS=$(head -c 300 /dev/urandom | tr -cd 'a-zA-Z0-9' | head -c 16)
PI_SECRET_KEY=$(head -c 300 /dev/urandom | tr -cd 'a-zA-Z0-9' | head -c 16)
PI_PEPPER=$(head -c 300 /dev/urandom | tr -cd 'a-zA-Z0-9' | head -c 16)
ADMIN_PASS="privacyidea"
TLD="example.com"
HOST="privacyidea"
ORGNAME="privacyIDEA example"

# start
set -e

[ -e /01firstboot ] && exit 0
[ -e /02firstboot ] || exit 0

# privacyIDEA configuration
if [ ! -d "/$LABEL/etc/privacyidea" ]; then
    echo 'Create privacyIDEA configfile...'
    mkdir -p /$LABEL/etc/privacyidea
    chown privacyidea /$LABEL/etc/privacyidea
    cp /etc/privacyidea/pi.cfg /$LABEL/etc/privacyidea/pi.cfg.orig
    mv /etc/privacyidea/pi.cfg /$LABEL/etc/privacyidea/pi.cfg
    ln -s /$LABEL/etc/privacyidea/pi.cfg /etc/privacyidea/pi.cfg
    sed -i "s/^SUPERUSER_REALM = .*/SUPERUSER_REALM = ['admin']/" /$LABEL/etc/privacyidea/pi.cfg
    sed -i "s/^SQLALCHEMY_DATABASE_URI = .*/SQLALCHEMY_DATABASE_URI = 'mysql:\/\/pi:$DATABASE_PASS@localhost\/pi'/" /$LABEL/etc/privacyidea/pi.cfg
    sed -i "s/^SECRET_KEY = .*/SECRET_KEY = '$PI_SECRET_KEY'/" /$LABEL/etc/privacyidea/pi.cfg
    sed -i "s/^PI_PEPPER = .*/PI_PEPPER = \"$PI_PEPPER\"/" /$LABEL/etc/privacyidea/pi.cfg
    sed -i "s/^PI_ENCFILE = .*/PI_ENCFILE = '\/etc\/privacyidea\/enckey'/" /$LABEL/etc/privacyidea/pi.cfg
    sed -i "s/^PI_AUDIT_KEY_PRIVATE = .*/PI_AUDIT_KEY_PRIVATE = '\/etc\/privacyidea\/private.pem'/" /$LABEL/etc/privacyidea/pi.cfg
    sed -i "s/^PI_AUDIT_KEY_PUBLIC = .*/PI_AUDIT_KEY_PUBLIC = '\/etc\/privacyidea\/public.pem'/" /$LABEL/etc/privacyidea/pi.cfg
    echo "SQLALCHEMY_TRACK_MODIFICATIONS = False" >> /$LABEL/etc/privacyidea/pi.cfg

    echo 'Create privacyIDEA encryption and audit keys...'
    rm -rf /etc/privacyidea/enckey
    pi-manage create_enckey
    mv /etc/privacyidea/enckey /$LABEL/etc/privacyidea/enckey
    chown privacyidea /$LABEL/etc/privacyidea/enckey
    ln -s /$LABEL/etc/privacyidea/enckey /etc/privacyidea/enckey

    rm -rf /etc/privacyidea/public.pem /etc/privacyidea/private.pem
    pi-manage create_audit_keys
    mv /etc/privacyidea/private.pem /$LABEL/etc/privacyidea/private.pem
    mv /etc/privacyidea/public.pem /$LABEL/etc/privacyidea/public.pem
    chown privacyidea /$LABEL/etc/privacyidea/*.pem
    ln -s /$LABEL/etc/privacyidea/private.pem /etc/privacyidea/private.pem
    ln -s /$LABEL/etc/privacyidea/public.pem /etc/privacyidea/public.pem
else
    if [ ! -L /etc/privacyidea/pi.cfg ]; then
        rm -rf /$LABEL/etc/privacyidea/pi.cfg.orig
        mv /etc/privacyidea/pi.cfg /$LABEL/etc/privacyidea/pi.cfg.orig
    else
        rm -rf /etc/privacyidea/pi.cfg
    fi
    ln -s /$LABEL/etc/privacyidea/pi.cfg /etc/privacyidea/pi.cfg

    rm -rf /etc/privacyidea/enckey
    ln -s /$LABEL/etc/privacyidea/enckey /etc/privacyidea/enckey

    rm -rf /etc/privacyidea/public.pem /etc/privacyidea/private.pem
    ln -s /$LABEL/etc/privacyidea/private.pem /etc/privacyidea/private.pem
    ln -s /$LABEL/etc/privacyidea/public.pem /etc/privacyidea/public.pem
fi


# Database
systemctl stop mariadb
if [ ! -d "/$LABEL/var/lib/mysql/pi" ]; then
    echo 'Initialize MariaDB...'
    mkdir -p "/$LABEL/var/lib"
    rm -rf "/$LABEL/var/lib/mysql"
    if [ ! -L /var/lib/mysql ]; then
        rm -rf "/$LABEL/var/lib/mysql.orig"
        cp -a "/var/lib/mysql" "/$LABEL/var/lib/mysql.orig"
        mv "/var/lib/mysql" "/$LABEL/var/lib/mysql"
        ln -s "/$LABEL/var/lib/mysql" "/var/lib/mysql"
    elif [ -d "/$LABEL/var/lib/mysql.orig" ]; then
        cp -a "/$LABEL/var/lib/mysql.orig" "/$LABEL/var/lib/mysql"
        rm -rf "/var/lib/mysql"
        ln -s "/$LABEL/var/lib/mysql" "/var/lib/mysql"
    else
        echo '### ERROR initialize database !!! ###'
        exit 1
    fi
    systemctl start mariadb
    sleep 5

    echo 'Create privacyIDEA database...'
    mysql -u root -e "CREATE USER 'pi'@'localhost' IDENTIFIED BY '$DATABASE_PASS'"
    mysql -u root -e "CREATE DATABASE pi DEFAULT CHARACTER SET latin1 COLLATE latin1_swedish_ci;"
    mysql -u root -e "GRANT ALL PRIVILEGES ON pi.* TO 'pi'@'localhost' IDENTIFIED by '$DATABASE_PASS';"
    mysql -u root -e "FLUSH PRIVILEGES;"

    pi-manage createdb
    pi-manage admin add -p "$ADMIN_PASS" admin

else
    echo 'Start MariaDB...'
    if [ ! -L /var/lib/mysql ]; then
        rm -rf "/$LABEL/var/lib/mysql.orig"
        mv "/var/lib/mysql" "/$LABEL/var/lib/mysql.orig"
    else
        rm -f "/var/lib/mysql"
    fi
    ln -s "/$LABEL/var/lib/mysql" "/var/lib/mysql"
    systemctl start mariadb
fi

if [ -x "/$LABEL/etc/ssl/cert-renew.sh" ]; then
    # angepaßtes Zertifikat vorhanden (kein example)
    if [ ! -L /etc/ssl/cert-renew.sh ]; then
        rm -f "/$LABEL/etc/ssl/cert-renew.sh.orig"
        mv "/etc/ssl/cert-renew.sh" "/$LABEL/etc/ssl/cert-renew.sh.orig"
    else
        rm -f "/etc/ssl/cert-renew.sh"
    fi
    ln -s "/$LABEL/etc/ssl/cert-renew.sh" "/etc/ssl/cert-renew.sh"
else
    echo 'Create example certificate...'
    mkdir -p "/$LABEL/CERTS/KEYS/"
    mkdir -p "/$LABEL/CERTS/$HOST.$TLD"
    echo "FQDN = $HOST.$TLD" > "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
    echo "ORGNAME = $ORGNAME" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
    echo "ALTNAMES = DNS:$HOST.$TLD , DNS:$TLD" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
    echo -e "\n[ req ]\ndefault_bits = 4096\ndefault_md = sha256\nprompt = no\nencrypt_key = no\ndistinguished_name = dn\nreq_extensions = req_ext\ndefault_keyfile = ../KEYS/\$FQDN-key.pem\n" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
    echo -e "\n[ dn ]\nC = DE\nO = \$ORGNAME\nCN = \$FQDN\n" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
    echo -e "\n[ req_ext ]\nsubjectAltName = \$ALTNAMES" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
    openssl req -x509 -new -config "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf" -out "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-cert.pem" -keyout "/$LABEL/CERTS/KEYS/$HOST.$TLD-key.pem"
    cp "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-cert.pem" "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-fullchain.pem"
    touch "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-chain.pem"
fi

rm -rf /etc/ssl/apache2
mkdir -p /etc/ssl
ln -sf "/$LABEL/etc/ssl/apache2" "/etc/ssl/apache2"

/etc/ssl/cert-renew.sh

systemctl enable mariadb
systemctl enable freeradius
systemctl enable apache2

systemctl restart freeradius
systemctl restart apache2

echo
echo "Success!"
echo "Do not forget to upgrade the MySQL database and the privacyIDEA Schema:"
echo "   # mysql_upgrade"
echo "   # privacyidea-schema-upgrade /usr/lib/privacyidea/migrations"
echo

rm /02firstboot
first release 2023-02-24 18:58:36 +01:00			`#!/bin/bash`

			`# variables`
			`LABEL="DATA"`
			`DATABASE_PASS=$(head -c 300 /dev/urandom \| tr -cd 'a-zA-Z0-9' \| head -c 16)`
			`PI_SECRET_KEY=$(head -c 300 /dev/urandom \| tr -cd 'a-zA-Z0-9' \| head -c 16)`
			`PI_PEPPER=$(head -c 300 /dev/urandom \| tr -cd 'a-zA-Z0-9' \| head -c 16)`
			`ADMIN_PASS="privacyidea"`
			`TLD="example.com"`
			`HOST="privacyidea"`
			`ORGNAME="privacyIDEA example"`

			`# start`
			`set -e`

			`[ -e /01firstboot ] && exit 0`
			`[ -e /02firstboot ] \|\| exit 0`

			`# privacyIDEA configuration`
			`if [ ! -d "/$LABEL/etc/privacyidea" ]; then`
			`echo 'Create privacyIDEA configfile...'`
			`mkdir -p /$LABEL/etc/privacyidea`
			`chown privacyidea /$LABEL/etc/privacyidea`
			`cp /etc/privacyidea/pi.cfg /$LABEL/etc/privacyidea/pi.cfg.orig`
			`mv /etc/privacyidea/pi.cfg /$LABEL/etc/privacyidea/pi.cfg`
			`ln -s /$LABEL/etc/privacyidea/pi.cfg /etc/privacyidea/pi.cfg`
			`sed -i "s/^SUPERUSER_REALM = .*/SUPERUSER_REALM = ['admin']/" /$LABEL/etc/privacyidea/pi.cfg`
			`sed -i "s/^SQLALCHEMY_DATABASE_URI = .*/SQLALCHEMY_DATABASE_URI = 'mysql:\/\/pi:$DATABASE_PASS@localhost\/pi'/" /$LABEL/etc/privacyidea/pi.cfg`
			`sed -i "s/^SECRET_KEY = .*/SECRET_KEY = '$PI_SECRET_KEY'/" /$LABEL/etc/privacyidea/pi.cfg`
			`sed -i "s/^PI_PEPPER = .*/PI_PEPPER = \"$PI_PEPPER\"/" /$LABEL/etc/privacyidea/pi.cfg`
			`sed -i "s/^PI_ENCFILE = .*/PI_ENCFILE = '\/etc\/privacyidea\/enckey'/" /$LABEL/etc/privacyidea/pi.cfg`
			`sed -i "s/^PI_AUDIT_KEY_PRIVATE = .*/PI_AUDIT_KEY_PRIVATE = '\/etc\/privacyidea\/private.pem'/" /$LABEL/etc/privacyidea/pi.cfg`
			`sed -i "s/^PI_AUDIT_KEY_PUBLIC = .*/PI_AUDIT_KEY_PUBLIC = '\/etc\/privacyidea\/public.pem'/" /$LABEL/etc/privacyidea/pi.cfg`
			`echo "SQLALCHEMY_TRACK_MODIFICATIONS = False" >> /$LABEL/etc/privacyidea/pi.cfg`

			`echo 'Create privacyIDEA encryption and audit keys...'`
			`rm -rf /etc/privacyidea/enckey`
			`pi-manage create_enckey`
			`mv /etc/privacyidea/enckey /$LABEL/etc/privacyidea/enckey`
			`chown privacyidea /$LABEL/etc/privacyidea/enckey`
			`ln -s /$LABEL/etc/privacyidea/enckey /etc/privacyidea/enckey`

			`rm -rf /etc/privacyidea/public.pem /etc/privacyidea/private.pem`
			`pi-manage create_audit_keys`
			`mv /etc/privacyidea/private.pem /$LABEL/etc/privacyidea/private.pem`
			`mv /etc/privacyidea/public.pem /$LABEL/etc/privacyidea/public.pem`
			`chown privacyidea /$LABEL/etc/privacyidea/*.pem`
			`ln -s /$LABEL/etc/privacyidea/private.pem /etc/privacyidea/private.pem`
			`ln -s /$LABEL/etc/privacyidea/public.pem /etc/privacyidea/public.pem`
			`else`
			`if [ ! -L /etc/privacyidea/pi.cfg ]; then`
			`rm -rf /$LABEL/etc/privacyidea/pi.cfg.orig`
			`mv /etc/privacyidea/pi.cfg /$LABEL/etc/privacyidea/pi.cfg.orig`
			`else`
			`rm -rf /etc/privacyidea/pi.cfg`
			`fi`
			`ln -s /$LABEL/etc/privacyidea/pi.cfg /etc/privacyidea/pi.cfg`

			`rm -rf /etc/privacyidea/enckey`
			`ln -s /$LABEL/etc/privacyidea/enckey /etc/privacyidea/enckey`

			`rm -rf /etc/privacyidea/public.pem /etc/privacyidea/private.pem`
			`ln -s /$LABEL/etc/privacyidea/private.pem /etc/privacyidea/private.pem`
			`ln -s /$LABEL/etc/privacyidea/public.pem /etc/privacyidea/public.pem`
			`fi`


			`# Database`
			`systemctl stop mariadb`
			`if [ ! -d "/$LABEL/var/lib/mysql/pi" ]; then`
			`echo 'Initialize MariaDB...'`
			`mkdir -p "/$LABEL/var/lib"`
			`rm -rf "/$LABEL/var/lib/mysql"`
			`if [ ! -L /var/lib/mysql ]; then`
			`rm -rf "/$LABEL/var/lib/mysql.orig"`
			`cp -a "/var/lib/mysql" "/$LABEL/var/lib/mysql.orig"`
			`mv "/var/lib/mysql" "/$LABEL/var/lib/mysql"`
			`ln -s "/$LABEL/var/lib/mysql" "/var/lib/mysql"`
			`elif [ -d "/$LABEL/var/lib/mysql.orig" ]; then`
			`cp -a "/$LABEL/var/lib/mysql.orig" "/$LABEL/var/lib/mysql"`
			`rm -rf "/var/lib/mysql"`
			`ln -s "/$LABEL/var/lib/mysql" "/var/lib/mysql"`
			`else`
			`echo '### ERROR initialize database !!! ###'`
			`exit 1`
			`fi`
			`systemctl start mariadb`
			`sleep 5`

			`echo 'Create privacyIDEA database...'`
			`mysql -u root -e "CREATE USER 'pi'@'localhost' IDENTIFIED BY '$DATABASE_PASS'"`
			`mysql -u root -e "CREATE DATABASE pi DEFAULT CHARACTER SET latin1 COLLATE latin1_swedish_ci;"`
			`mysql -u root -e "GRANT ALL PRIVILEGES ON pi.* TO 'pi'@'localhost' IDENTIFIED by '$DATABASE_PASS';"`
			`mysql -u root -e "FLUSH PRIVILEGES;"`

			`pi-manage createdb`
			`pi-manage admin add -p "$ADMIN_PASS" admin`

			`else`
			`echo 'Start MariaDB...'`
			`if [ ! -L /var/lib/mysql ]; then`
			`rm -rf "/$LABEL/var/lib/mysql.orig"`
			`mv "/var/lib/mysql" "/$LABEL/var/lib/mysql.orig"`
			`else`
			`rm -f "/var/lib/mysql"`
			`fi`
			`ln -s "/$LABEL/var/lib/mysql" "/var/lib/mysql"`
			`systemctl start mariadb`
			`fi`

			`if [ -x "/$LABEL/etc/ssl/cert-renew.sh" ]; then`
			`# angepaßtes Zertifikat vorhanden (kein example)`
			`if [ ! -L /etc/ssl/cert-renew.sh ]; then`
			`rm -f "/$LABEL/etc/ssl/cert-renew.sh.orig"`
			`mv "/etc/ssl/cert-renew.sh" "/$LABEL/etc/ssl/cert-renew.sh.orig"`
			`else`
			`rm -f "/etc/ssl/cert-renew.sh"`
			`fi`
			`ln -s "/$LABEL/etc/ssl/cert-renew.sh" "/etc/ssl/cert-renew.sh"`
			`else`
			`echo 'Create example certificate...'`
			`mkdir -p "/$LABEL/CERTS/KEYS/"`
			`mkdir -p "/$LABEL/CERTS/$HOST.$TLD"`
			`echo "FQDN = $HOST.$TLD" > "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"`
			`echo "ORGNAME = $ORGNAME" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"`
			`echo "ALTNAMES = DNS:$HOST.$TLD , DNS:$TLD" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"`
			`echo -e "\n[ req ]\ndefault_bits = 4096\ndefault_md = sha256\nprompt = no\nencrypt_key = no\ndistinguished_name = dn\nreq_extensions = req_ext\ndefault_keyfile = ../KEYS/\$FQDN-key.pem\n" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"`
			`echo -e "\n[ dn ]\nC = DE\nO = \$ORGNAME\nCN = \$FQDN\n" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"`
			`echo -e "\n[ req_ext ]\nsubjectAltName = \$ALTNAMES" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"`
			`openssl req -x509 -new -config "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf" -out "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-cert.pem" -keyout "/$LABEL/CERTS/KEYS/$HOST.$TLD-key.pem"`
			`cp "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-cert.pem" "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-fullchain.pem"`
			`touch "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-chain.pem"`
			`fi`

			`rm -rf /etc/ssl/apache2`
			`mkdir -p /etc/ssl`
			`ln -sf "/$LABEL/etc/ssl/apache2" "/etc/ssl/apache2"`

			`/etc/ssl/cert-renew.sh`

			`systemctl enable mariadb`
			`systemctl enable freeradius`
			`systemctl enable apache2`

			`systemctl restart freeradius`
			`systemctl restart apache2`

			`echo`
			`echo "Success!"`
			`echo "Do not forget to upgrade the MySQL database and the privacyIDEA Schema:"`
			`echo " # mysql_upgrade"`
			`echo " # privacyidea-schema-upgrade /usr/lib/privacyidea/migrations"`
			`echo`

			`rm /02firstboot`