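#!/usr/bin/env bash
# Install and harden a smallstep step-ca server on Debian/Ubuntu.
#
# Usage: run as root on a fresh host. Several steps are interactive:
# `step ca init` prompts for the CA name, DNS names, listen address and
# password, and the editor (${EDITOR:-nano}) is opened on the password file
# and on the two config files so they can be reviewed by hand.
#
# Layout produced:
#   /etc/step-ca                        STEPPATH (config/, secrets/, db/, password.txt)
#   /etc/systemd/system/step-ca.service hardened systemd unit running as user "step"
set -euo pipefail

# NOTE: the systemd unit below is a quoted heredoc, so these paths are also
# spelled out literally there; keep the two in sync if you change them.
readonly STEP_HOME=/etc/step-ca
readonly STEP_USER=step
readonly APT_KEYRING=/etc/apt/keyrings/smallstep.asc
readonly APT_LIST=/etc/apt/sources.list.d/smallstep.list
readonly UNIT_FILE=/etc/systemd/system/step-ca.service
readonly EDIT=${EDITOR:-nano}

echo '----------Install StepCA!----------'
apt-get update
apt-get install -y --no-install-recommends curl vim gpg ca-certificates jq

# Keep the repository signing key out of /etc/apt/trusted.gpg.d: keys placed
# there are trusted for *every* apt source, which defeats the signed-by=
# scoping in the sources entry below. /etc/apt/keyrings is the documented
# location for per-repository keys.
install -d -m 0755 -- "$(dirname -- "$APT_KEYRING")"
curl -fsSL https://packages.smallstep.com/keys/apt/repo-signing-key.gpg -o "$APT_KEYRING"
chmod 0644 -- "$APT_KEYRING"
printf 'deb [signed-by=%s] https://packages.smallstep.com/stable/debian debs main\n' "$APT_KEYRING" \
  > "$APT_LIST"

apt-get update
apt-get install -y step-cli step-ca

# Interactive: prompts for CA name, DNS names, listen address and password.
step ca init
step ca provisioner add acme --type ACME

# Relocate the freshly initialised STEPPATH to its permanent home.
mkdir -p -- "$STEP_HOME"
step_src=$(step path)
mv -- "$step_src"/* "$STEP_HOME"

# The CA password is read from this file at every service start; create it
# with a restrictive umask before the editor touches it so it is never
# world-readable, even briefly. Permissions are fixed again after chown.
( umask 077 && touch -- "$STEP_HOME/password.txt" )
"$EDIT" "$STEP_HOME/password.txt"

# Point the CA database at its new location. Write through a temp file in the
# same directory and rename, so a jq failure cannot leave ca.json truncated
# (the in-place `cat <<< $(jq …) > file` form would, and <<< is not POSIX sh).
ca_json="$STEP_HOME/config/ca.json"
tmp_json=$(mktemp "$ca_json.XXXXXX")
if ! jq '.db.dataSource = "/etc/step-ca/db"' "$ca_json" > "$tmp_json"; then
  rm -f -- "$tmp_json"
  exit 1
fi
chmod --reference="$ca_json" -- "$tmp_json"
mv -- "$tmp_json" "$ca_json"

"$EDIT" "$STEP_HOME/config/defaults.json"
"$EDIT" "$ca_json"

# Dedicated unprivileged service account. The unit grants CAP_NET_BIND_SERVICE
# through AmbientCapabilities, so the service does not need root to bind :443.
useradd --user-group --system --home "$STEP_HOME" --shell /bin/false "$STEP_USER"
# File capability on the binary, kept from the original setup. Be aware that
# it is redundant with the unit's AmbientCapabilities and additionally lets
# any local user who runs step-ca directly bind privileged ports.
setcap CAP_NET_BIND_SERVICE=+eip "$(command -v step-ca)"
chown -R "$STEP_USER:$STEP_USER" "$STEP_HOME"
chmod 0600 -- "$STEP_HOME/password.txt"

# Quoted heredoc: $MAINPID must reach systemd literally (with an unquoted EOF
# the shell expands it to an empty string and ExecReload breaks). Overwrite
# rather than append so re-running the script does not duplicate the unit.
# The legacy StartLimitInterval=/StartLimitBurst= keys in [Service] were
# dropped: [Unit] already carries StartLimitIntervalSec=/StartLimitBurst=.
cat <<'EOF' > "$UNIT_FILE"
[Unit]
Description=step-ca service
Documentation=https://smallstep.com/docs/step-ca
Documentation=https://smallstep.com/docs/step-ca/certificate-authority-server-production
After=network-online.target
Wants=network-online.target
StartLimitIntervalSec=30
StartLimitBurst=3
ConditionFileNotEmpty=/etc/step-ca/config/ca.json
ConditionFileNotEmpty=/etc/step-ca/password.txt

[Service]
Type=simple
User=step
Group=step
Environment=STEPPATH=/etc/step-ca
WorkingDirectory=/etc/step-ca
ExecStart=/usr/bin/step-ca /etc/step-ca/config/ca.json --password-file password.txt
ExecReload=/bin/kill --signal HUP $MAINPID
Restart=on-failure
RestartSec=5
TimeoutStopSec=30

; Process capabilities & privileges
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
SecureBits=keep-caps
NoNewPrivileges=yes

; Sandboxing
ProtectSystem=full
ProtectHome=true
RestrictNamespaces=true
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
PrivateTmp=true
PrivateDevices=true
ProtectClock=true
ProtectControlGroups=true
ProtectKernelTunables=true
ProtectKernelLogs=true
ProtectKernelModules=true
LockPersonality=true
RestrictSUIDSGID=true
RemoveIPC=true
RestrictRealtime=true
SystemCallFilter=@system-service
SystemCallArchitectures=native
MemoryDenyWriteExecute=true
; ProtectSystem=full makes /etc read-only; the CA database must stay writable.
ReadWriteDirectories=/etc/step-ca/db

[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload
systemctl enable --now step-ca.service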