admin revised this gist . Go to revision
1 file changed, 86 insertions
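--- a/StepCA.sh
+++ b/StepCA.sh
@@ -0,0 +1,86 @@
+#!/bin/sh
+
+set -e
+
+echo '----------Install StepCA!----------'
+apt-get update && apt-get install -y --no-install-recommends curl vim gpg ca-certificates jq
+
+curl -fsSL https://packages.smallstep.com/keys/apt/repo-signing-key.gpg -o /etc/apt/trusted.gpg.d/smallstep.asc && \
+echo 'deb [signed-by=/etc/apt/trusted.gpg.d/smallstep.asc] https://packages.smallstep.com/stable/debian debs main' \
+| tee /etc/apt/sources.list.d/smallstep.list
+
+apt-get update && apt-get -y install step-cli step-ca
+
+step ca init
+step ca provisioner add acme --type ACME
+mkdir /etc/step-ca
+mv $(step path)/* /etc/step-ca
+nano /etc/step-ca/password.txt
+cat <<< $(jq '.db.dataSource = "/etc/step-ca/db"' /etc/step-ca/config/ca.json) > /etc/step-ca/config/ca.json
+nano /etc/step-ca/config/defaults.json
+nano /etc/step-ca/config/ca.json
+
+useradd --user-group --system --home /etc/step-ca --shell /bin/false step
+setcap CAP_NET_BIND_SERVICE=+eip $(which step-ca)
+chown -R step:step /etc/step-ca
+
+
+cat <<EOF >>/etc/systemd/system/step-ca.service
+[Unit]
+Description=step-ca service
+Documentation=https://smallstep.com/docs/step-ca
+Documentation=https://smallstep.com/docs/step-ca/certificate-authority-server-production
+After=network-online.target
+Wants=network-online.target
+StartLimitIntervalSec=30
+StartLimitBurst=3
+ConditionFileNotEmpty=/etc/step-ca/config/ca.json
+ConditionFileNotEmpty=/etc/step-ca/password.txt
+
+[Service]
+Type=simple
+User=step
+Group=step
+Environment=STEPPATH=/etc/step-ca
+WorkingDirectory=/etc/step-ca
+ExecStart=/usr/bin/step-ca /etc/step-ca/config/ca.json --password-file password.txt
+ExecReload=/bin/kill --signal HUP $MAINPID
+Restart=on-failure
+RestartSec=5
+TimeoutStopSec=30
+StartLimitInterval=30
+StartLimitBurst=3
+
+; Process capabilities & privileges
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+SecureBits=keep-caps
+NoNewPrivileges=yes
+
+; Sandboxing
+ProtectSystem=full
+ProtectHome=true
+RestrictNamespaces=true
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+PrivateTmp=true
+PrivateDevices=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectKernelTunables=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+LockPersonality=true
+RestrictSUIDSGID=true
+RemoveIPC=true
+RestrictRealtime=true
+SystemCallFilter=@system-service
+SystemCallArchitectures=native
+MemoryDenyWriteExecute=true
+ReadWriteDirectories=/etc/step-ca/db
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+systemctl daemon-reload
+systemctl enable --now step-ca.service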
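Review bot: The unit-file heredoc at line 28 uses an unquoted `EOF` delimiter, so the shell expands `$MAINPID` on line 47 while writing the file (presumably to empty, since nothing in the script sets it) and the installed unit ends up with `ExecReload=/bin/kill --signal HUP ` — change the opener to `cat <<'EOF' >/etc/systemd/system/step-ca.service`, which also replaces the `>>` append that would duplicate the unit on a re-run. The `cat <<< $(jq …)` rewrite on line 19 is a bash here-string under a `#!/bin/sh` shebang and will fail on dash-based Debian; write it as `jq '.db.dataSource = "/etc/step-ca/db"' /etc/step-ca/config/ca.json > /etc/step-ca/config/ca.json.tmp && mv /etc/step-ca/config/ca.json.tmp /etc/step-ca/config/ca.json`. Nothing restricts the mode of `/etc/step-ca/password.txt` after the `nano` edit on line 18, so the CA key password is likely world-readable under a default umask; add `chmod 600 /etc/step-ca/password.txt` before the `chown -R` on line 25. The unquoted `$(step path)/*` and `$(which step-ca)` on lines 17 and 24 should be quoted, e.g. `"$(command -v step-ca)"`.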