#!/bin/sh
# Installer for acme-proxy (a step-ca build): fetches the latest release
# binary, writes a starter ca.json, creates a service account and installs a
# hardened systemd unit.  Every path and account name below may be overridden
# from the environment before running the script.
set -e

# GitHub repository the release binary is downloaded from.
REPO="esnet/acme-proxy"

# Installation layout; DB_DIR and CONFIG_FILE default to paths under INSTALL_DIR.
: "${INSTALL_DIR:=/opt/acme-proxy}"
: "${DB_DIR:=${INSTALL_DIR}/db}"
: "${CONFIG_FILE:=${INSTALL_DIR}/ca.json}"

# Unprivileged account and group the service runs as.
: "${SERVICE_USER:=acme-proxy}"
: "${SERVICE_GROUP:=acme-proxy}"

# Map uname output onto the naming used by the release assets
# ("linux"/"darwin", "amd64"/"arm64"); other architectures pass through as-is.
OS=$(uname -s | tr '[:upper:]' '[:lower:]')
ARCH=$(uname -m)
case "$ARCH" in
  x86_64)
    ARCH="amd64"
    ;;
  aarch64 | arm64)
    ARCH="arm64"
    ;;
esac
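# Everything from here on needs root: package installation, account creation
# and writing a unit file under /etc/systemd/system.  Fail early and clearly
# rather than part-way through with a half-installed service.
if [ "$(id -u)" -ne 0 ]; then
  echo "Error: this installer must be run as root (e.g. via sudo)" >&2
  exit 1
fi

# Check and install the pcsc-lite dependency (smart-card access library).
# NOTE(review): the -dev packages are what the installer has always asked for;
# the runtime library they pull in is presumably what the binary links against.
# The macOS branch only skips this check - the remaining steps (useradd,
# systemd) assume a Linux host.
echo "Checking for libpcsclite dependency..."
OS_NAME=$(uname -s)
if [ "$OS_NAME" = "Darwin" ]; then
  echo "Found macOS - skipping dependency check"
elif [ -f /etc/os-release ]; then
  # shellcheck disable=SC1091 -- system file, present on every modern distro
  . /etc/os-release
  # Match on ID_LIKE as well so derivatives (Mint, Alma, Rocky, ...) are
  # recognised; either variable may be absent from a minimal os-release.
  DISTRO_IDS=$(echo "${ID:-} ${ID_LIKE:-}" | tr '[:upper:]' '[:lower:]')
  case " ${DISTRO_IDS} " in
    *ubuntu*|*debian*)
      if dpkg -s libpcsclite-dev >/dev/null 2>&1; then
        echo "libpcsclite-dev already installed"
      else
        echo "Installing libpcsclite-dev on Debian/Ubuntu..."
        # Two statements rather than "update && install": under set -e a
        # failing "update" inside an AND-list is ignored, so the install was
        # silently skipped and the script carried on without the dependency.
        apt-get update
        apt-get install -y libpcsclite-dev
      fi
      ;;
    *rhel*|*rocky*|*centos*)
      if rpm -q pcsc-lite-devel >/dev/null 2>&1; then
        echo "pcsc-lite-devel already installed"
      else
        echo "Installing pcsc-lite-devel on RHEL/Rocky/CentOS..."
        dnf install -y pcsc-lite-devel
      fi
      ;;
    *)
      echo "Warning: Unknown Linux distribution: ${ID:-}" >&2
      echo "You may need to install pcsc-lite development libraries manually" >&2
      ;;
  esac
else
  echo "Warning: Cannot detect OS (/etc/os-release not found)" >&2
  echo "You may need to install pcsc-lite development libraries manually" >&2
fi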
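echo "Creating installation directory..."
mkdir -p "$INSTALL_DIR"
mkdir -p "$DB_DIR"

# Write a starter ca.json.  Once configured this file holds the upstream EAB
# HMAC key, so it is created with mode 0600 and is never overwritten: re-running
# the installer (e.g. to pick up a newer binary) must not wipe live credentials.
if [ -e "$CONFIG_FILE" ]; then
  echo "Existing ${CONFIG_FILE} found - leaving it untouched"
else
  echo "Creating ca.json configuration file..."
  # umask inside a subshell so only this file is affected.
  (
    umask 077
    cat > "$CONFIG_FILE" << EOF
{
  "address": ":443",
  "dnsNames": ["acmeproxy.example.com"],
  "logger": {
    "format": "json"
  },
  "db": {
    "type": "bbolt",
    "dataSource": "${DB_DIR}/bbolt"
  },
  "authority": {
    "type": "externalcas",
    "config": {
      "ca_url": "",
      "account_email": "",
      "eab_kid": "",
      "eab_hmac_key": "",
      "metrics": {
        "enabled": true,
        "port": 9234,
        "dataSource": "${DB_DIR}/metrics"
      }
    },
    "provisioners": [
      {
        "type": "ACME",
        "name": "acme",
        "claims": {
          "enableSSHCA": false,
          "disableRenewal": false,
          "allowRenewalAfterExpiry": false,
          "disableSmallstepExtensions": true
        },
        "options": {
          "x509": {},
          "ssh": {}
        }
      }
    ],
    "template": {},
    "backdate": "1m0s"
  },
  "tls": {
    "minVersion": 1.2,
    "maxVersion": 1.3,
    "renegotiation": false
  },
  "commonName": "acmeproxy.example.com"
}
EOF
  )
  # Notes on the values above:
  # - metrics.dataSource used to be the relative path "db/metrics", which only
  #   matched DB_DIR because WorkingDirectory defaults to INSTALL_DIR; it is
  #   now anchored under DB_DIR so an overridden DB_DIR stays consistent.
  #   NOTE(review): assumes it is a filesystem path like db.dataSource -
  #   confirm against acme-proxy's metrics config.
  # - tls.minVersion was 1.1, which is deprecated (RFC 8996) and below what
  #   every current ACME client negotiates; maxVersion 1.2 shut out TLS 1.3.
  #   1.2/1.3 matches the defaults step-ca itself generates.
fi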
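echo "Downloading latest release..."
# Resolve the latest release tag.  --fail makes curl exit non-zero on an HTTP
# error (rate limit, outage) instead of handing an error page to grep, and the
# empty-tag check stops us from later fetching ".../download//step-ca_...".
LATEST_RELEASE=$(curl -fsSL "https://api.github.com/repos/${REPO}/releases/latest" \
  | grep '"tag_name":' | sed -E 's/.*"([^"]+)".*/\1/')
if [ -z "$LATEST_RELEASE" ]; then
  echo "Error: could not determine the latest release of ${REPO}" >&2
  exit 1
fi
BINARY_NAME="step-ca_${OS}_${ARCH}"
DOWNLOAD_URL="https://github.com/${REPO}/releases/download/${LATEST_RELEASE}/${BINARY_NAME}"
echo "Fetching ${DOWNLOAD_URL}"

# Download into a private temp dir rather than the caller's cwd (which may be
# a shared, world-writable directory), and fail on a 404 instead of installing
# the HTML error body as the executable, which the old "curl -L -o" did.
TMP_DIR=$(mktemp -d)
trap 'rm -rf -- "$TMP_DIR"' EXIT
curl -fsSL -o "${TMP_DIR}/step-ca" "$DOWNLOAD_URL"

# NOTE(review): nothing here verifies the download beyond TLS to github.com.
# If the project publishes checksums or signatures for its release assets,
# verify them at this point before installing; the release layout is not
# visible from this script, so no asset name is assumed.

echo "Installing binary to ${INSTALL_DIR}..."
install -m 0755 "${TMP_DIR}/step-ca" "${INSTALL_DIR}/step-ca"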
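echo "Creating ${SERVICE_USER} service user..."
if ! id "${SERVICE_USER}" >/dev/null 2>&1; then
  # System account: no home directory, no login shell.
  useradd --system --no-create-home --shell /usr/sbin/nologin "${SERVICE_USER}"
fi

# Create the group if it doesn't exist and differs from the user name
# (useradd already created a same-named primary group above).
if [ "${SERVICE_USER}" != "${SERVICE_GROUP}" ] && ! getent group "${SERVICE_GROUP}" >/dev/null 2>&1; then
  groupadd --system "${SERVICE_GROUP}"
  usermod -a -G "${SERVICE_GROUP}" "${SERVICE_USER}"
fi

echo "Setting ownership of installation directory..."
# Least privilege: the service account owns only what it must write - the
# database directory and its config file.  The install root and the binary
# stay root-owned so a compromised service cannot replace its own executable
# or plant files beside it (the previous "chown -R" over INSTALL_DIR handed the
# service account ownership of the binary and its directory).
chown root:root "$INSTALL_DIR"
chmod 0755 "$INSTALL_DIR"
chown root:root "${INSTALL_DIR}/step-ca"
chmod 0755 "${INSTALL_DIR}/step-ca"
chown -R "${SERVICE_USER}:${SERVICE_GROUP}" "$DB_DIR"
# The config holds the EAB HMAC key once filled in: owner-only access.
chown "${SERVICE_USER}:${SERVICE_GROUP}" "$CONFIG_FILE"
chmod 0600 "$CONFIG_FILE"
# NOTE(review): if DB_DIR is moved outside INSTALL_DIR, check that every path
# in ca.json (including the metrics dataSource) still resolves to a location
# the service account can write.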
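echo "Installing systemd service..."
# The unit runs step-ca as the unprivileged service account with a read-only
# view of the system; only the database directory and the config file are
# writable, so the binary cannot be tampered with from inside the service.
# CAP_NET_BIND_SERVICE is the single capability retained, for port 443.
cat > /etc/systemd/system/acme-proxy.service << EOF
[Unit]
Description=ACME Proxy Server (step-ca)
Documentation=https://github.com/esnet/acme-proxy
After=network-online.target
Wants=network-online.target
StartLimitIntervalSec=60
StartLimitBurst=3

[Service]
Type=simple
User=${SERVICE_USER}
Group=${SERVICE_GROUP}

# Paths
ExecStart=${INSTALL_DIR}/step-ca ${CONFIG_FILE}
WorkingDirectory=${INSTALL_DIR}

# Restart behavior
Restart=on-failure
RestartSec=5

# Security hardening
NoNewPrivileges=yes
ProtectSystem=strict
# The service needs nothing under /home; set back to "no" only if INSTALL_DIR
# or DB_DIR is deliberately placed there.
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectClock=yes
ProtectHostname=yes
RestrictSUIDSGID=yes
RestrictNamespaces=yes
RestrictRealtime=yes
LockPersonality=yes
SystemCallArchitectures=native
# TCP listeners, plus the UNIX socket used to reach pcscd if smart cards are in use
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6

# Allow binding to privileged ports (443)
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE

# Write access only where the service keeps state: the database directory and
# its configuration file.  The install root - and the binary in it - stays
# read-only.  Widen this list if step-ca turns out to write elsewhere.
ReadWritePaths=${DB_DIR} ${CONFIG_FILE}

# Logging
StandardOutput=journal
StandardError=journal
SyslogIdentifier=acme-proxy

[Install]
WantedBy=multi-user.target
EOF

echo "Reloading systemd daemon..."
systemctl daemon-reload

# Enabled but not started: ca.json still needs the upstream CA details.
echo "Enabling acme-proxy service..."
systemctl enable acme-proxy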
# Post-install guidance.  The service is enabled but deliberately not started:
# ca.json still needs the upstream CA and EAB details filled in.
cat << EOF

Installation complete!

Next steps:
 1. Edit ${CONFIG_FILE} and configure:
 - dnsNames: Your ACME proxy hostname
 - ca_url: Your upstream ACME CA URL
 - account_email: Your account email
 - eab_kid: External Account Binding Key ID
 - eab_hmac_key: External Account Binding HMAC key

 2. Start the service:
 sudo systemctl start acme-proxy

 3. Check status:
 sudo systemctl status acme-proxy
 sudo journalctl -u acme-proxy -f

EOF