forked from iudx/iudx-auth-server
-
Notifications
You must be signed in to change notification settings - Fork 0
/
setup
executable file
·150 lines (105 loc) · 4.42 KB
/
setup
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
#!/bin/sh
id=`id | cut -f1 -d'('`
if [ $id != "uid=0" ]
then
echo
echo "You must be root to run this script"
echo
exit
fi
syspatch
if [ $1 = "test" ]
then
openssl req -x509 -nodes -days 365 -subj "/CN=localhost/emailAddress=ca@iudx.org.in" -newkey rsa:2048 -keyout ca.key -out ca.iudx.org.in.crt
openssl req -new -newkey rsa:2048 -nodes -out consumer.csr -keyout consumer.key.pem -subj "/emailAddress=barun@iisc.ac.in/id-qt-unotice=class:2"
openssl req -new -newkey rsa:2048 -nodes -out provider.csr -keyout provider.key.pem -subj "/emailAddress=arun.babu@rbccps.org/id-qt-unotice=class:3"
openssl req -new -newkey rsa:2048 -nodes -out r-server.csr -keyout r-server.key.pem -subj "/CN=iisc.iudx.org.in/id-qt-unotice=class:1/emailAddress=arun.babu@rbccps.org"
openssl req -new -newkey rsa:2048 -nodes -out f-server.csr -keyout f-server.key.pem -subj "/CN=google.com/id-qt-unotice=class:1/emailAddress=arun.babu@rbccps.org"
openssl req -new -newkey rsa:2048 -nodes -out l-server.csr -keyout l-server.key.pem -subj "/CN=localhost/id-qt-unotice=class:1/emailAddress=arun.babu@rbccps.org"
openssl x509 -CA ca.iudx.org.in.crt -CAkey ca.key -CAcreateserial -in consumer.csr -req -days 365 -sha256 -out consumer.pem
openssl x509 -CA ca.iudx.org.in.crt -CAkey ca.key -CAcreateserial -in provider.csr -req -days 365 -sha256 -out provider.pem
openssl x509 -CA ca.iudx.org.in.crt -CAkey ca.key -CAcreateserial -in r-server.csr -req -days 365 -sha256 -out r-server.pem
openssl x509 -CA ca.iudx.org.in.crt -CAkey ca.key -CAcreateserial -in f-server.csr -req -days 365 -sha256 -out f-server.pem
openssl x509 -CA ca.iudx.org.in.crt -CAkey ca.key -CAcreateserial -in l-server.csr -req -days 365 -sha256 -out l-server.pem
cp *.pem /home/build/
fi
useradd -s /sbin/nologin -d /nonexistent _aaa
pkg_add postgresql-server postgresql-client node
rcctl enable postgresql
rm -rf passwords
mkdir passwords
touch passwords/auth.db.password
touch passwords/admin.db.password
#------- Passwords for various operations -----------
touch passwords/select_crl.db.password
touch passwords/update_crl.db.password
touch passwords/select_token.db.password
touch passwords/insert_token.db.password
touch passwords/update_token.db.password
touch passwords/select_policy.db.password
touch passwords/insert_policy.db.password
touch passwords/update_policy.db.password
touch passwords/select_groups.db.password
touch passwords/insert_groups.db.password
touch passwords/update_groups.db.password
#----------------------------------------------------
chmod 400 passwords/*
for f in `ls passwords`
do
head /dev/urandom | sha256 > passwords/$f
password=`cat passwords/$f`
label=`echo $f | cut -f1 -d'.'`
sed -i "s/XXX$label/$password/" schema.sql
done
echo your-telegram-api-key > telegram.apikey
echo your-telegram-chat-id > telegram.chatid
chmod 400 telegram.*
chmod 400 *.sql
# setup postgresql
mv passwords/admin.db.password /var/postgresql/
chown _postgresql:_postgresql /var/postgresql/admin.db.password
mv schema.sql /var/postgresql/
chown _postgresql:_postgresql /var/postgresql/schema.sql
cp setup.postgresql.openbsd /var/postgresql/
chown _postgresql:_postgresql /var/postgresql/setup.postgresql.openbsd
chmod u+x /var/postgresql/setup.postgresql.openbsd
su _postgresql -c /var/postgresql/setup.postgresql.openbsd
until su _postgresql -c pg_isready
do
sleep 1
done
rm -rf /var/postgresql/setup.postgresql.openbsd
cp rc.local /etc/
cp pf.conf /etc/
touch https-key.pem
chmod 400 https-key.pem
openssl req -x509 -nodes -days 365 -subj "/CN=localhost" -newkey rsa:2048 -keyout https-key.pem -out https-certificate.pem
git clone --depth=1 https://github.com/rbccps-iisc/node-aperture
cd node-aperture
npm install
npm audit fix --force
cd ..
npm install
npm audit fix --force
echo /sbin/pfctl -t bruteforce -T expire 86400 > /etc/daily.local
echo syspatch >> /etc/daily.local
rcctl disable sndiod slaacd smtpd xenodm
echo boot > /etc/boot.conf
echo kern.seminfo.semmsl=250 >> /etc/sysctl.conf
echo kern.seminfo.semmns=5000 >> /etc/sysctl.conf
echo kern.seminfo.semopm=100 >> /etc/sysctl.conf
echo kern.seminfo.semmni=128 >> /etc/sysctl.conf
echo /usr/bin/pkill tmux >> /etc/rc.shutdown
echo /usr/sbin/rcctl stop postgresql >> /etc/rc.shutdown
if [ $1 = "noreboot" ] || [ $2 = "noreboot" ]
then
sysctl kern.seminfo.semmsl=250
sysctl kern.seminfo.semmns=5000
sysctl kern.seminfo.semopm=100
sysctl kern.seminfo.semmni=128
rcctl start postgresql
./run.tmux
./run.crl.tmux
else
reboot
fi