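#!/usr/bin/env bash
#
# Build a TLS chain file (issuing/intermediate CA + root CA) from a CA JSON
# document, install it atomically at CHAIN_FILE, and optionally hot-reload
# nginx in every podman container carrying a given label.
#
# Env inputs:
#   CA_JSON_PATH      JSON holding the issuing CA as PEM text in .issuing_ca
#                     (or .ca_chain[0]); default $PWD/.ca.json
#   ROOT_FILE         root CA PEM; default $HOME/vault/ca/ca.pem
#   CHAIN_FILE        required; destination path of the chain file
#   RELOAD_TLS_LABEL  optional; podman label selecting containers to reload
#
# Exit status: 0 on success, 1 on any validation or write failure.
set -Eeuo pipefail

# absolute binaries (no PATH surprises)
JQ=/usr/bin/jq
OPENSSL=/usr/bin/openssl
INSTALL=/usr/bin/install
PODMAN=/usr/bin/podman
CAT=/usr/bin/cat
PRINTF=/usr/bin/printf
MV=/usr/bin/mv
readonly JQ OPENSSL INSTALL PODMAN CAT PRINTF MV

# Inputs
CA_JSON_PATH="${CA_JSON_PATH:-$PWD/.ca.json}" # written by the template in AGENT_DIR
ROOT_FILE="${ROOT_FILE:-$HOME/vault/ca/ca.pem}" # copied by setup script
: "${CHAIN_FILE:?missing CHAIN_FILE}" # passed from setup script (apps.yaml → chain_path)
RELOAD_TLS_LABEL="${RELOAD_TLS_LABEL:-}"

# Print a message to stderr and exit non-zero.
die() { "$PRINTF" '%s\n' "$*" >&2; exit 1; }

[[ -r "$CA_JSON_PATH" ]] || die "ERR: no CA_JSON_PATH: $CA_JSON_PATH"
[[ -r "$ROOT_FILE" ]] || die "ERR: no ROOT_FILE: $ROOT_FILE"

# Scratch files. $tmp holds the assembled chain; $staged is the copy placed
# next to CHAIN_FILE before the rename. Both are removed on every exit path
# (set -E keeps the trap effective inside functions).
tmp="$(mktemp)"
staged=""
cleanup() {
  rm -f -- "$tmp"
  if [[ -n "$staged" ]]; then
    rm -f -- "$staged"
  fi
}
trap cleanup EXIT

# 1) read issuing CA (intermediate) from JSON
ISS_CA="$("$JQ" -r '.issuing_ca // (.ca_chain[0] // "")' "$CA_JSON_PATH")"
if [[ -z "${ISS_CA// }" ]]; then
  die "ERR: issuing_ca/ca_chain missing in $CA_JSON_PATH"
fi

# 1b) refuse to overwrite a working chain with something that is not a
# certificate (an error body, an empty or garbled field, ...). This is a
# parse check only: it does NOT verify that ISS_CA was signed by ROOT_FILE,
# since .ca_chain may hold further intermediates that are not assembled here.
"$PRINTF" '%s\n' "$ISS_CA" | "$OPENSSL" x509 -noout \
  || die "ERR: issuing_ca in $CA_JSON_PATH is not a parseable PEM certificate"
"$OPENSSL" x509 -noout -in "$ROOT_FILE" \
  || die "ERR: ROOT_FILE is not a parseable PEM certificate: $ROOT_FILE"

# 2) build chain: Intermediate + Root
{
  "$PRINTF" '%s\n' "$ISS_CA"
  "$CAT" "$ROOT_FILE"
} > "$tmp"

# 3) atomic write to CHAIN_FILE
# install(1) alone truncates and rewrites the destination in place, so a
# concurrent reader (nginx reloading) can observe a partial file. Stage a copy
# in the destination directory (same filesystem) and rename it over
# CHAIN_FILE instead; the rename is atomic, install sets the 0644 mode.
chain_dir="${CHAIN_FILE%/*}"
if [[ "$chain_dir" == "$CHAIN_FILE" ]]; then
  chain_dir="." # CHAIN_FILE has no directory component
fi
"$INSTALL" -d -- "$chain_dir"
staged="$(mktemp -- "$chain_dir/.chain.XXXXXX")"
"$INSTALL" -m 0644 -- "$tmp" "$staged"
"$MV" -f -- "$staged" "$CHAIN_FILE"
staged="" # renamed away; nothing left for cleanup to remove
echo "🟩 [OK] chain → $CHAIN_FILE"

# 4) optional reload all containers with label
if [[ -n "$RELOAD_TLS_LABEL" ]]; then
  echo "🟦 [INFO] reload label: $RELOAD_TLS_LABEL"
  # best effort: a podman listing failure must not undo the chain install
  ids="$("$PODMAN" ps -q --filter "label=$RELOAD_TLS_LABEL" || true)"
  if [[ -n "${ids// }" ]]; then
    while read -r id; do
      [[ -z "$id" ]] && continue
      # hot reload first, fall back to a restart; report (not abort) if both fail
      if ! "$PODMAN" exec "$id" nginx -s reload; then
        "$PODMAN" restart "$id" \
          || echo "🟨 [WARN] reload and restart failed for container $id" >&2
      fi
    done <<< "$ids"
  else
    echo "🟨 [WARN] no containers with label $RELOAD_TLS_LABEL → skip reload"
  fi
fi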