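#!/bin/bash
#
# Second-stage first-boot setup for the privacyIDEA appliance.
#
# Moves all mutable state -- the privacyIDEA config and key material, the
# MariaDB data directory and the TLS certificate handling -- onto the
# persistent volume mounted at /$LABEL, leaves symlinks at the original
# locations, initialises the database and the privacyIDEA 'admin' account on
# a fresh volume, and enables the services.
#
# Runs only while /02firstboot exists and /01firstboot (stage one) is gone;
# removes /02firstboot at the end so it runs exactly once.  Must run as root.

set -e

# --- settings ---------------------------------------------------------------
LABEL="DATA"                 # mount point of the persistent data volume: /DATA
SECRET_LEN=16                # length of generated passwords/keys (alphanumeric)
ADMIN_PASS="privacyidea"     # initial password of the privacyIDEA 'admin'
                             # account; a public default, change it after login
TLD="example.com"            # used for the self-signed example certificate only
HOST="privacyidea"
ORGNAME="privacyIDEA example"

PI_ETC="/etc/privacyidea"
PI_DATA="/$LABEL/etc/privacyidea"
MYSQL_DIR="/var/lib/mysql"
MYSQL_DATA="/$LABEL/var/lib/mysql"
CERT_SCRIPT="/etc/ssl/cert-renew.sh"
CERT_SCRIPT_DATA="/$LABEL/etc/ssl/cert-renew.sh"
CERT_DIR="/$LABEL/CERTS"

# --- helpers ----------------------------------------------------------------

# Print a message to stderr and abort the script.
die() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

# Print SECRET_LEN random alphanumeric characters read from /dev/urandom.
# Fails (returns 1) when fewer characters could be produced, so a broken RNG
# can never silently turn into an empty database password or SECRET_KEY.
# Alphanumeric output also means the value is safe to splice into the sed
# expressions and SQL statements below without further escaping.
gen_secret() {
  local secret
  secret=$(head -c 300 /dev/urandom | tr -cd 'a-zA-Z0-9' | head -c "$SECRET_LEN")
  [ "${#secret}" -eq "$SECRET_LEN" ] || return 1
  printf '%s' "$secret"
}

# Set "KEY = VALUE" in a privacyIDEA config file.  Replaces an existing
# assignment in place; appends one when the packaged template has no such
# line (a bare sed would silently leave the shipped default, e.g. SECRET_KEY,
# untouched).
#   $1 - config file   $2 - key   $3 - value as a Python literal, quotes included
set_cfg() {
  local cfg=$1 key=$2 value=$3
  if grep -q "^$key = " "$cfg"; then
    # '|' delimiter: the values contain '/' but never '|', '&' or '\'.
    sed -i "s|^$key = .*|$key = $value|" "$cfg"
  else
    printf '%s = %s\n' "$key" "$value" >>"$cfg"
  fi
}

# Replace LINK (a path under /etc or /var) by a symlink to TARGET on the data
# volume.  A real file or directory still at LINK is kept as TARGET.orig;
# a stale symlink is simply removed.
#   $1 - target on the data volume   $2 - path that becomes the symlink
adopt_link() {
  local target=$1 link=$2
  if [ ! -L "$link" ]; then
    rm -rf -- "$target.orig"
    mv -- "$link" "$target.orig"
  else
    rm -f -- "$link"
  fi
  ln -s -- "$target" "$link"
}

# Wait (bounded, ~30 s) until the MariaDB server answers on the root socket.
# Replaces a fixed 'sleep 5': under 'set -e' a too-early mysql call would
# abort the script with the data directory half migrated.
wait_for_mariadb() {
  local attempt
  for ((attempt = 0; attempt < 30; attempt++)); do
    if mysql -u root -e 'SELECT 1' >/dev/null 2>&1; then
      return 0
    fi
    sleep 1
  done
  return 1
}

# --- start ------------------------------------------------------------------
[ -e /01firstboot ] && exit 0    # stage one has not run yet
[ -e /02firstboot ] || exit 0    # stage two already done

DATABASE_PASS=$(gen_secret) || die 'cannot generate random secrets'
PI_SECRET_KEY=$(gen_secret) || die 'cannot generate random secrets'
PI_PEPPER=$(gen_secret) || die 'cannot generate random secrets'
admin_created=0

# --- privacyIDEA configuration ---------------------------------------------
if [ ! -d "$PI_DATA" ]; then
  echo 'Create privacyIDEA configfile...'
  mkdir -p "$PI_DATA"
  chown privacyidea "$PI_DATA"
  cp "$PI_ETC/pi.cfg" "$PI_DATA/pi.cfg.orig"
  mv "$PI_ETC/pi.cfg" "$PI_DATA/pi.cfg"
  ln -s "$PI_DATA/pi.cfg" "$PI_ETC/pi.cfg"
  set_cfg "$PI_DATA/pi.cfg" SUPERUSER_REALM "['admin']"
  set_cfg "$PI_DATA/pi.cfg" SQLALCHEMY_DATABASE_URI "'mysql://pi:$DATABASE_PASS@localhost/pi'"
  set_cfg "$PI_DATA/pi.cfg" SECRET_KEY "'$PI_SECRET_KEY'"
  set_cfg "$PI_DATA/pi.cfg" PI_PEPPER "\"$PI_PEPPER\""
  set_cfg "$PI_DATA/pi.cfg" PI_ENCFILE "'$PI_ETC/enckey'"
  set_cfg "$PI_DATA/pi.cfg" PI_AUDIT_KEY_PRIVATE "'$PI_ETC/private.pem'"
  set_cfg "$PI_DATA/pi.cfg" PI_AUDIT_KEY_PUBLIC "'$PI_ETC/public.pem'"
  set_cfg "$PI_DATA/pi.cfg" SQLALCHEMY_TRACK_MODIFICATIONS False
  # NOTE(review): pi.cfg now holds the DB password, SECRET_KEY and pepper but
  # keeps the owner/mode of the packaged file -- confirm it is not
  # world-readable on the target system.

  echo 'Create privacyIDEA encryption and audit keys...'
  rm -rf "$PI_ETC/enckey"
  pi-manage create_enckey
  mv "$PI_ETC/enckey" "$PI_DATA/enckey"
  chown privacyidea "$PI_DATA/enckey"
  ln -s "$PI_DATA/enckey" "$PI_ETC/enckey"
  rm -rf "$PI_ETC/public.pem" "$PI_ETC/private.pem"
  pi-manage create_audit_keys
  mv "$PI_ETC/private.pem" "$PI_DATA/private.pem"
  mv "$PI_ETC/public.pem" "$PI_DATA/public.pem"
  chown privacyidea "$PI_DATA"/*.pem
  ln -s "$PI_DATA/private.pem" "$PI_ETC/private.pem"
  ln -s "$PI_DATA/public.pem" "$PI_ETC/public.pem"
else
  # Data volume already populated (rebuilt system): point the packaged
  # locations at the existing config and keys.
  adopt_link "$PI_DATA/pi.cfg" "$PI_ETC/pi.cfg"
  rm -rf "$PI_ETC/enckey"
  ln -s "$PI_DATA/enckey" "$PI_ETC/enckey"
  rm -rf "$PI_ETC/public.pem" "$PI_ETC/private.pem"
  ln -s "$PI_DATA/private.pem" "$PI_ETC/private.pem"
  ln -s "$PI_DATA/public.pem" "$PI_ETC/public.pem"
fi

# --- database ---------------------------------------------------------------
systemctl stop mariadb
if [ ! -d "$MYSQL_DATA/pi" ]; then
  echo 'Initialize MariaDB...'
  mkdir -p "/$LABEL/var/lib"
  rm -rf "$MYSQL_DATA"
  if [ ! -L "$MYSQL_DIR" ]; then
    # First run: keep a pristine copy as mysql.orig and move the live
    # directory onto the data volume.
    rm -rf "$MYSQL_DATA.orig"
    cp -a "$MYSQL_DIR" "$MYSQL_DATA.orig"
    mv "$MYSQL_DIR" "$MYSQL_DATA"
    ln -s "$MYSQL_DATA" "$MYSQL_DIR"
  elif [ -d "$MYSQL_DATA.orig" ]; then
    # Link already exists but the data dir is gone: rebuild from the copy.
    cp -a "$MYSQL_DATA.orig" "$MYSQL_DATA"
    rm -f "$MYSQL_DIR"          # removes only the symlink
    ln -s "$MYSQL_DATA" "$MYSQL_DIR"
  else
    die "cannot initialize the database: $MYSQL_DIR is a symlink and $MYSQL_DATA.orig is missing"
  fi
  systemctl start mariadb
  wait_for_mariadb || die 'MariaDB did not become ready'

  echo 'Create privacyIDEA database...'
  # Statements go in via stdin so the password never appears on a command
  # line (visible in ps / process accounting).  DATABASE_PASS is alphanumeric,
  # so it cannot break out of the quoted SQL literal.
  mysql -u root <<EOF
CREATE USER 'pi'@'localhost' IDENTIFIED BY '$DATABASE_PASS';
CREATE DATABASE pi DEFAULT CHARACTER SET latin1 COLLATE latin1_swedish_ci;
GRANT ALL PRIVILEGES ON pi.* TO 'pi'@'localhost' IDENTIFIED BY '$DATABASE_PASS';
FLUSH PRIVILEGES;
EOF
  pi-manage createdb
  pi-manage admin add -p "$ADMIN_PASS" admin
  admin_created=1
else
  echo 'Start MariaDB...'
  adopt_link "$MYSQL_DATA" "$MYSQL_DIR"
  systemctl start mariadb
fi

# --- TLS certificate --------------------------------------------------------
if [ -x "$CERT_SCRIPT_DATA" ]; then
  # A customised certificate script is on the data volume (not the example):
  # keep the packaged one as .orig and use the custom one.
  adopt_link "$CERT_SCRIPT_DATA" "$CERT_SCRIPT"
else
  echo 'Create example certificate...'
  fqdn="$HOST.$TLD"
  cert_dir="$CERT_DIR/$fqdn"
  mkdir -p "$CERT_DIR/KEYS" "$cert_dir"
  # \$FQDN, \$ORGNAME and \$ALTNAMES are OpenSSL config variables expanded
  # by openssl itself, not by the shell.
  cat >"$cert_dir/$fqdn.cnf" <<EOF
FQDN = $fqdn
ORGNAME = $ORGNAME
ALTNAMES = DNS:$fqdn , DNS:$TLD

[ req ]
default_bits = 4096
default_md = sha256
prompt = no
encrypt_key = no
distinguished_name = dn
req_extensions = req_ext
default_keyfile = ../KEYS/\$FQDN-key.pem

[ dn ]
C = DE
O = \$ORGNAME
CN = \$FQDN

[ req_ext ]
subjectAltName = \$ALTNAMES
EOF
  # Self-signed placeholder; openssl's default validity applies (no -days).
  # NOTE(review): the unencrypted key lands in $CERT_DIR/KEYS with umask
  # permissions -- confirm that directory is not readable by other users.
  openssl req -x509 -new -config "$cert_dir/$fqdn.cnf" \
    -out "$cert_dir/$fqdn-cert.pem" -keyout "$CERT_DIR/KEYS/$fqdn-key.pem"
  # Self-signed: the "full chain" is the certificate itself, the chain is empty.
  cp "$cert_dir/$fqdn-cert.pem" "$cert_dir/$fqdn-fullchain.pem"
  touch "$cert_dir/$fqdn-chain.pem"
fi
rm -rf /etc/ssl/apache2
mkdir -p /etc/ssl
ln -sf "/$LABEL/etc/ssl/apache2" /etc/ssl/apache2
"$CERT_SCRIPT"

# --- services ---------------------------------------------------------------
systemctl enable mariadb freeradius apache2
systemctl restart freeradius apache2

echo
echo "Success!"
echo "Do not forget to upgrade the MySQL database and the privacyIDEA Schema:"
echo " # mysql_upgrade"
echo " # privacyidea-schema-upgrade /usr/lib/privacyidea/migrations"
if [ "$admin_created" -eq 1 ]; then
  echo "The privacyIDEA 'admin' account was created with the default password; change it."
fi
echo
rm /02firstboot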