156 lines
6.4 KiB
Bash
Executable File
156 lines
6.4 KiB
Bash
Executable File
#!/bin/bash
|
|
|
|
# variables
|
|
LABEL="DATA"
|
|
DATABASE_PASS=$(head -c 300 /dev/urandom | tr -cd 'a-zA-Z0-9' | head -c 16)
|
|
PI_SECRET_KEY=$(head -c 300 /dev/urandom | tr -cd 'a-zA-Z0-9' | head -c 16)
|
|
PI_PEPPER=$(head -c 300 /dev/urandom | tr -cd 'a-zA-Z0-9' | head -c 16)
|
|
ADMIN_PASS="privacyidea"
|
|
TLD="example.com"
|
|
HOST="privacyidea"
|
|
ORGNAME="privacyIDEA example"
|
|
|
|
# start
|
|
set -e
|
|
|
|
[ -e /01firstboot ] && exit 0
|
|
[ -e /02firstboot ] || exit 0
|
|
|
|
# privacyIDEA configuration
|
|
if [ ! -d "/$LABEL/etc/privacyidea" ]; then
|
|
echo 'Create privacyIDEA configfile...'
|
|
mkdir -p /$LABEL/etc/privacyidea
|
|
chown privacyidea /$LABEL/etc/privacyidea
|
|
cp /etc/privacyidea/pi.cfg /$LABEL/etc/privacyidea/pi.cfg.orig
|
|
mv /etc/privacyidea/pi.cfg /$LABEL/etc/privacyidea/pi.cfg
|
|
ln -s /$LABEL/etc/privacyidea/pi.cfg /etc/privacyidea/pi.cfg
|
|
sed -i "s/^SUPERUSER_REALM = .*/SUPERUSER_REALM = ['admin']/" /$LABEL/etc/privacyidea/pi.cfg
|
|
sed -i "s/^SQLALCHEMY_DATABASE_URI = .*/SQLALCHEMY_DATABASE_URI = 'mysql:\/\/pi:$DATABASE_PASS@localhost\/pi'/" /$LABEL/etc/privacyidea/pi.cfg
|
|
sed -i "s/^SECRET_KEY = .*/SECRET_KEY = '$PI_SECRET_KEY'/" /$LABEL/etc/privacyidea/pi.cfg
|
|
sed -i "s/^PI_PEPPER = .*/PI_PEPPER = \"$PI_PEPPER\"/" /$LABEL/etc/privacyidea/pi.cfg
|
|
sed -i "s/^PI_ENCFILE = .*/PI_ENCFILE = '\/etc\/privacyidea\/enckey'/" /$LABEL/etc/privacyidea/pi.cfg
|
|
sed -i "s/^PI_AUDIT_KEY_PRIVATE = .*/PI_AUDIT_KEY_PRIVATE = '\/etc\/privacyidea\/private.pem'/" /$LABEL/etc/privacyidea/pi.cfg
|
|
sed -i "s/^PI_AUDIT_KEY_PUBLIC = .*/PI_AUDIT_KEY_PUBLIC = '\/etc\/privacyidea\/public.pem'/" /$LABEL/etc/privacyidea/pi.cfg
|
|
echo "SQLALCHEMY_TRACK_MODIFICATIONS = False" >> /$LABEL/etc/privacyidea/pi.cfg
|
|
|
|
echo 'Create privacyIDEA encryption and audit keys...'
|
|
rm -rf /etc/privacyidea/enckey
|
|
pi-manage create_enckey
|
|
mv /etc/privacyidea/enckey /$LABEL/etc/privacyidea/enckey
|
|
chown privacyidea /$LABEL/etc/privacyidea/enckey
|
|
ln -s /$LABEL/etc/privacyidea/enckey /etc/privacyidea/enckey
|
|
|
|
rm -rf /etc/privacyidea/public.pem /etc/privacyidea/private.pem
|
|
pi-manage create_audit_keys
|
|
mv /etc/privacyidea/private.pem /$LABEL/etc/privacyidea/private.pem
|
|
mv /etc/privacyidea/public.pem /$LABEL/etc/privacyidea/public.pem
|
|
chown privacyidea /$LABEL/etc/privacyidea/*.pem
|
|
ln -s /$LABEL/etc/privacyidea/private.pem /etc/privacyidea/private.pem
|
|
ln -s /$LABEL/etc/privacyidea/public.pem /etc/privacyidea/public.pem
|
|
else
|
|
if [ ! -L /etc/privacyidea/pi.cfg ]; then
|
|
rm -rf /$LABEL/etc/privacyidea/pi.cfg.orig
|
|
mv /etc/privacyidea/pi.cfg /$LABEL/etc/privacyidea/pi.cfg.orig
|
|
else
|
|
rm -rf /etc/privacyidea/pi.cfg
|
|
fi
|
|
ln -s /$LABEL/etc/privacyidea/pi.cfg /etc/privacyidea/pi.cfg
|
|
|
|
rm -rf /etc/privacyidea/enckey
|
|
ln -s /$LABEL/etc/privacyidea/enckey /etc/privacyidea/enckey
|
|
|
|
rm -rf /etc/privacyidea/public.pem /etc/privacyidea/private.pem
|
|
ln -s /$LABEL/etc/privacyidea/private.pem /etc/privacyidea/private.pem
|
|
ln -s /$LABEL/etc/privacyidea/public.pem /etc/privacyidea/public.pem
|
|
fi
|
|
|
|
|
|
# Database
|
|
systemctl stop mariadb
|
|
if [ ! -d "/$LABEL/var/lib/mysql/pi" ]; then
|
|
echo 'Initialize MariaDB...'
|
|
mkdir -p "/$LABEL/var/lib"
|
|
rm -rf "/$LABEL/var/lib/mysql"
|
|
if [ ! -L /var/lib/mysql ]; then
|
|
rm -rf "/$LABEL/var/lib/mysql.orig"
|
|
cp -a "/var/lib/mysql" "/$LABEL/var/lib/mysql.orig"
|
|
mv "/var/lib/mysql" "/$LABEL/var/lib/mysql"
|
|
ln -s "/$LABEL/var/lib/mysql" "/var/lib/mysql"
|
|
elif [ -d "/$LABEL/var/lib/mysql.orig" ]; then
|
|
cp -a "/$LABEL/var/lib/mysql.orig" "/$LABEL/var/lib/mysql"
|
|
rm -rf "/var/lib/mysql"
|
|
ln -s "/$LABEL/var/lib/mysql" "/var/lib/mysql"
|
|
else
|
|
echo '### ERROR initialize database !!! ###'
|
|
exit 1
|
|
fi
|
|
systemctl start mariadb
|
|
sleep 5
|
|
|
|
echo 'Create privacyIDEA database...'
|
|
mysql -u root -e "CREATE USER 'pi'@'localhost' IDENTIFIED BY '$DATABASE_PASS'"
|
|
mysql -u root -e "CREATE DATABASE pi DEFAULT CHARACTER SET latin1 COLLATE latin1_swedish_ci;"
|
|
mysql -u root -e "GRANT ALL PRIVILEGES ON pi.* TO 'pi'@'localhost' IDENTIFIED by '$DATABASE_PASS';"
|
|
mysql -u root -e "FLUSH PRIVILEGES;"
|
|
|
|
pi-manage createdb
|
|
pi-manage admin add -p "$ADMIN_PASS" admin
|
|
|
|
else
|
|
echo 'Start MariaDB...'
|
|
if [ ! -L /var/lib/mysql ]; then
|
|
rm -rf "/$LABEL/var/lib/mysql.orig"
|
|
mv "/var/lib/mysql" "/$LABEL/var/lib/mysql.orig"
|
|
else
|
|
rm -f "/var/lib/mysql"
|
|
fi
|
|
ln -s "/$LABEL/var/lib/mysql" "/var/lib/mysql"
|
|
systemctl start mariadb
|
|
fi
|
|
|
|
if [ -x "/$LABEL/etc/ssl/cert-renew.sh" ]; then
|
|
# angepaßtes Zertifikat vorhanden (kein example)
|
|
if [ ! -L /etc/ssl/cert-renew.sh ]; then
|
|
rm -f "/$LABEL/etc/ssl/cert-renew.sh.orig"
|
|
mv "/etc/ssl/cert-renew.sh" "/$LABEL/etc/ssl/cert-renew.sh.orig"
|
|
else
|
|
rm -f "/etc/ssl/cert-renew.sh"
|
|
fi
|
|
ln -s "/$LABEL/etc/ssl/cert-renew.sh" "/etc/ssl/cert-renew.sh"
|
|
else
|
|
echo 'Create example certificate...'
|
|
mkdir -p "/$LABEL/CERTS/KEYS/"
|
|
mkdir -p "/$LABEL/CERTS/$HOST.$TLD"
|
|
echo "FQDN = $HOST.$TLD" > "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
|
|
echo "ORGNAME = $ORGNAME" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
|
|
echo "ALTNAMES = DNS:$HOST.$TLD , DNS:$TLD" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
|
|
echo -e "\n[ req ]\ndefault_bits = 4096\ndefault_md = sha256\nprompt = no\nencrypt_key = no\ndistinguished_name = dn\nreq_extensions = req_ext\ndefault_keyfile = ../KEYS/\$FQDN-key.pem\n" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
|
|
echo -e "\n[ dn ]\nC = DE\nO = \$ORGNAME\nCN = \$FQDN\n" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
|
|
echo -e "\n[ req_ext ]\nsubjectAltName = \$ALTNAMES" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
|
|
openssl req -x509 -new -config "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf" -out "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-cert.pem" -keyout "/$LABEL/CERTS/KEYS/$HOST.$TLD-key.pem"
|
|
cp "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-cert.pem" "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-fullchain.pem"
|
|
touch "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-chain.pem"
|
|
fi
|
|
|
|
rm -rf /etc/ssl/apache2
|
|
mkdir -p /etc/ssl
|
|
ln -sf "/$LABEL/etc/ssl/apache2" "/etc/ssl/apache2"
|
|
|
|
/etc/ssl/cert-renew.sh
|
|
|
|
systemctl enable mariadb
|
|
systemctl enable freeradius
|
|
systemctl enable apache2
|
|
|
|
systemctl restart freeradius
|
|
systemctl restart apache2
|
|
|
|
echo
|
|
echo "Success!"
|
|
echo "Do not forget to upgrade the MySQL database and the privacyIDEA Schema:"
|
|
echo " # mysql_upgrade"
|
|
echo " # privacyidea-schema-upgrade /usr/lib/privacyidea/migrations"
|
|
echo
|
|
|
|
rm /02firstboot
|