authorErich Eckner <git@eckner.net>2019-08-26 14:02:07 +0200
committerErich Eckner <git@eckner.net>2019-08-26 14:02:07 +0200
commita0aa5fc70aebd2549565d137250d625d574d718b (patch)
tree9bc6ac544858aef027b72638617a7dae36e4d80b
initial commit
-rwxr-xr-xgenerate-and-upload-self-signed-key110
-rw-r--r--generate-and-upload-self-signed-key.service6
-rw-r--r--generate-and-upload-self-signed-key.timer11
3 files changed, 127 insertions, 0 deletions
diff --git a/generate-and-upload-self-signed-key b/generate-and-upload-self-signed-key
new file mode 100755
index 0000000..c4f9869
--- /dev/null
+++ b/generate-and-upload-self-signed-key
@@ -0,0 +1,110 @@
+#!/bin/bash
+
+hosts=$(
+ find /etc/nginx/ -name sites-available -prune , \
+ \( -type f -o -type l \) \
+ -exec sed -n '
+ s/^\s*//
+ /^server_name\s.*;/ p
+ /^server_name[^;]*$/,/;/ p
+ ' {} \; 2>/dev/null \
+ | tr '\n' ' ' \
+ | sed '
+ s/\s\+/ /g
+ s/;\s*/;\n/g
+ s/\slocalhost\(;\|\s\)//
+ ' \
+ | sed -n '
+ s/^server_name //
+ T
+ s/;$//
+ T
+ p
+ ' \
+ | sort -u
+)
+
+host_key_files=$(
+ printf '%s\n' "${hosts}" \
+ | cut -d' ' -f1
+)
+
+host_key_files=$(
+ printf '/etc/nginx/keys/%s\n' ${host_key_files}
+)
+
+if [ "$(whoami)" = 'root' ]; then
+ updated_something=false
+ for host_key_file in ${host_key_files}; do
+ if [ -f "${host_key_file}.key.pem.new" ] \
+ && [ -f "${host_key_file}.cert.pem.new" ]; then
+ mv "${host_key_file}.key.pem"{.new,}
+ mv "${host_key_file}.cert.pem"{.new,}
+ updated_something=true
+ fi
+ done
+ if ${updated_something}; then
+ systemctl try-restart nginx
+ fi
+
+ su http -s /bin/bash -c "$0"
+fi
+
+if [ "$(whoami)" != 'http' ]; then
+ exit
+fi
+
+printf '%s\n' "${hosts}" \
+| while read -r host other_hosts; do
+ openssl req -x509 -newkey rsa:4096 \
+ -keyout "/etc/nginx/keys/${host}.key.pem.new" \
+ -out "/etc/nginx/keys/${host}.cert.pem.new" \
+ -days 365 -nodes -subj '/C=DE/ST=Thuringia/L=Jena/O=Eckner/OU=Net/CN='"${host}" -sha256 \
+ -config <(
+ cat /etc/ssl/openssl.cnf
+ if [ -n "${other_hosts}" ]; then
+ printf '\n[SAN]\nsubjectAltName'
+ printf ',DNS:%s' \
+ "${host}" \
+ ${other_hosts} \
+ | sed 's/^,/=/'
+ fi
+ )
+done
+
+rsync --ignore-missing-args \
+ $(
+ printf '/etc/nginx/keys/%s.cert.pem\n' ${host_key_files}
+ printf '/etc/nginx/keys/%s.cert.pem.new\n' ${host_key_files}
+ ) \
+ ecknernet@eckner.net:httpdocs/certs/
+
+(
+ cd /etc/nginx/keys
+ {
+ printf '%s.cert.pem\n' ${host_key_files}
+ printf '%s.cert.pem.new\n' ${host_key_files}
+ } \
+ | while read -r key; do
+ [ -f "${key}" ] || continue
+ printf '%s %s\n' "$(
+ date -u --iso-8601=seconds -d@$(stat -c%Y "${key}") \
+ | cut -d+ -f1
+ )" "$(
+ sha512sum "${key}" \
+ | sed 's/\s\+/ /'
+ )"
+ done
+) \
+| ssh ecknernet@eckner.net '
+ cd httpdocs/certs
+ while read -r time sum file; do
+ rm -f ????-??-??T??\:??\:??".${file}"
+ mv "${file}" "${time}.${file}"
+ sed -i '"'"'
+ / [^.]\+\.'"'"'"${file//./\.}"'"'"'$/d
+ '"'"' sha512sums
+ printf '"'"'%s %s\n'"'"' "${sum}" "${time}.${file}" \
+ >> sha512sums
+ done
+'
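Review bot: The root branch at lines 59–66 installs whichever `${host_key_file}.key.pem.new`/`.cert.pem.new` pair it finds and then restarts nginx, but those files are produced by the `http` user (the account the web server itself runs as), so anything running as `http` can drop in its own key/cert pair and have root activate it. Generating under a dedicated account that owns only the staging files, and having root at least confirm the pair belongs together (`[ "$(openssl x509 -noout -modulus -in "${host_key_file}.cert.pem.new")" = "$(openssl rsa -noout -modulus -in "${host_key_file}.key.pem.new")" ]`) and that the certificate's CN equals `${host_key_file##*/}` before the `mv`, would narrow that exposure. Separately, the `[SAN]` section appended by the process substitution at lines 84–93 is, as far as I can tell, never selected — `openssl req -x509` uses the `x509_extensions` named in the base config unless `-extensions SAN` is passed — so `other_hosts` will not end up in the certificate; writing the section unconditionally (drop the `if` at line 86) and adding `-extensions SAN` to the `openssl req` invocation at line 80 fixes both that and the CN-only certificate that current clients reject. The script also lacks `set -e`, so a failed `mv` at line 62 still lets line 63 run and the restart at line 68 proceed with a half-installed pair.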
diff --git a/generate-and-upload-self-signed-key.service b/generate-and-upload-self-signed-key.service
new file mode 100644
index 0000000..59c2570
--- /dev/null
+++ b/generate-and-upload-self-signed-key.service
@@ -0,0 +1,6 @@
+[Unit]
+Description=generate and manage a self-signed key
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/generate-and-manage-self-signed-key
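Review bot: `ExecStart=` at line 143 points at `/usr/bin/generate-and-manage-self-signed-key`, while the script added in this commit is named `generate-and-upload-self-signed-key`, so unless an install step renames it the unit will fail to start; `ExecStart=/usr/bin/generate-and-upload-self-signed-key` matches the file. The script re-executes itself via `su http` and moves key material into place, which is why the unit has to run as root with no `User=`, and that dependency is worth stating in the unit, e.g. `# must run as root: installs new key material, then re-runs itself as the http user`.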
diff --git a/generate-and-upload-self-signed-key.timer b/generate-and-upload-self-signed-key.timer
new file mode 100644
index 0000000..8af0dd9
--- /dev/null
+++ b/generate-and-upload-self-signed-key.timer
@@ -0,0 +1,11 @@
+[Unit]
+Description=generate and manage a self-signed key twice a year
+
+[Timer]
+OnCalendar=*-01,05,09-01 00:00:00
+AccuracySec=1us
+RandomizeDelaySec=10000000
+Persistent=true
+
+[Install]
+WantedBy=timers.target
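Review bot: `Description=` at line 151 says twice a year, but `OnCalendar=*-01,05,09-01 00:00:00` at line 154 fires in January, May and September, three times a year; one of the two should change. `RandomizeDelaySec=10000000` at line 156 is roughly 116 days, nearly the whole four-month gap between firings, so a run can be pushed almost onto the next scheduled one; if that spread is intended it deserves a comment such as `# spread each run over up to ~116 days; the certificates are valid for 365 days`, otherwise a much smaller value would be expected. With a delay of that size `AccuracySec=1us` at line 155 seems to buy nothing.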