100 lines
3.1 KiB
Bash
Executable File
100 lines
3.1 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
|
|
set -euo pipefail
|
|
|
|
passbolt_config="/etc/passbolt"
|
|
passbolt_base="/usr/share/php/passbolt"
|
|
gpg_private_key="${PASSBOLT_GPG_SERVER_KEY_PRIVATE:-$passbolt_config/gpg/serverkey_private.asc}"
|
|
gpg_public_key="${PASSBOLT_GPG_SERVER_KEY_PUBLIC:-$passbolt_config/gpg/serverkey.asc}"
|
|
|
|
ssl_key="$passbolt_config/certs/certificate.key"
|
|
ssl_cert="$passbolt_config/certs/certificate.crt"
|
|
|
|
export GNUPGHOME="/var/lib/passbolt/.gnupg"
|
|
|
|
entropy_check() {
|
|
local entropy_avail
|
|
|
|
entropy_avail=$(cat /proc/sys/kernel/random/entropy_avail)
|
|
|
|
if [ "$entropy_avail" -lt 2000 ]; then
|
|
|
|
cat <<EOF
|
|
==================================================================================
|
|
Your entropy pool is low. This situation could lead GnuPG to not
|
|
be able to create the gpg serverkey so the container start process will hang
|
|
until enough entropy is obtained.
|
|
Please consider installing rng-tools and/or virtio-rng on your host as the
|
|
preferred method to generate random numbers using a TRNG.
|
|
If rngd (rng-tools) does not provide enough or fast enough randomness you could
|
|
consider installing haveged as a helper to speed up this process.
|
|
Using haveged as a replacement for rngd is not recommended. You can read more
|
|
about this topic here: https://lwn.net/Articles/525459/
|
|
==================================================================================
|
|
EOF
|
|
fi
|
|
}
|
|
|
|
gpg_gen_key() {
|
|
key_email="${PASSBOLT_KEY_EMAIL:-passbolt@yourdomain.com}"
|
|
key_name="${PASSBOLT_KEY_NAME:-Passbolt default user}"
|
|
key_length="${PASSBOLT_KEY_LENGTH:-2048}"
|
|
subkey_length="${PASSBOLT_SUBKEY_LENGTH:-2048}"
|
|
expiration="${PASSBOLT_KEY_EXPIRATION:-0}"
|
|
|
|
entropy_check
|
|
|
|
gpg --batch --no-tty --gen-key <<EOF
|
|
Key-Type: default
|
|
Key-Length: $key_length
|
|
Subkey-Type: default
|
|
Subkey-Length: $subkey_length
|
|
Name-Real: $key_name
|
|
Name-Email: $key_email
|
|
Expire-Date: $expiration
|
|
%no-protection
|
|
%commit
|
|
EOF
|
|
|
|
gpg --armor --export-secret-keys "$key_email" > "$gpg_private_key"
|
|
gpg --armor --export "$key_email" > "$gpg_public_key"
|
|
}
|
|
|
|
gpg_import_key() {
|
|
gpg --batch --import "$gpg_public_key"
|
|
gpg --batch --import "$gpg_private_key"
|
|
}
|
|
|
|
gen_ssl_cert() {
|
|
openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 \
|
|
-subj '/C=FR/ST=Denial/L=Springfield/O=Dis/CN=www.passbolt.local' \
|
|
-keyout "$ssl_key" -out "$ssl_cert"
|
|
}
|
|
|
|
install() {
|
|
if [ -z "${PASSBOLT_GPG_SERVER_KEY_FINGERPRINT+xxx}" ] && [ ! -f "$passbolt_config/passbolt.php" ]; then
|
|
gpg_auto_fingerprint="$(gpg --homedir $GNUPGHOME --list-keys --with-colons ${PASSBOLT_KEY_EMAIL:-passbolt@yourdomain.com} |grep fpr |head -1| cut -f10 -d:)"
|
|
export PASSBOLT_GPG_SERVER_KEY_FINGERPRINT=$gpg_auto_fingerprint
|
|
fi
|
|
|
|
$passbolt_base/bin/cake passbolt install --no-admin || $passbolt_base/bin/cake passbolt migrate && echo "Enjoy! ☮"
|
|
}
|
|
|
|
|
|
if [ ! -f "$gpg_private_key" ] && [ ! -L "$gpg_private_key" ] || \
|
|
[ ! -f "$gpg_public_key" ] && [ ! -L "$gpg_public_key" ]; then
|
|
gpg_gen_key
|
|
gpg_import_key
|
|
else
|
|
gpg_import_key
|
|
fi
|
|
|
|
if [ ! -f "$ssl_key" ] && [ ! -L "$ssl_key" ] && \
|
|
[ ! -f "$ssl_cert" ] && [ ! -L "$ssl_cert" ]; then
|
|
gen_ssl_cert
|
|
fi
|
|
|
|
install
|
|
|
|
exec /usr/bin/supervisord -n
|