A previous `git pull --rebase origin main` dropped 177 local commits,
losing 3400+ files across admin-v2, backend, studio-v2, website,
klausur-service, and many other services. The partial restore attempt
(660295e2) only recovered some files.
This commit restores all missing files from pre-rebase ref 98933f5e
while preserving post-rebase additions (night-scheduler, night-mode UI,
NightModeWidget dashboard integration).
Restored features include:
- AI Module Sidebar (FAB), OCR Labeling, OCR Compare
- GPU Dashboard, RAG Pipeline, Magic Help
- Klausur-Korrektur (8 files), Abitur-Archiv (5+ files)
- Companion, Zeugnisse-Crawler, Screen Flow
- Full backend, studio-v2, website, klausur-service
- All compliance SDKs, agent-core, voice-service
- CI/CD configs, documentation, scripts
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
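#!/bin/sh
# Vault PKI Initialization Script for BreakPilot SSL Certificates
#
# This script sets up a PKI secrets engine with:
# - Root CA (private key generated and kept inside Vault, never exported)
# - Intermediate CA (signed by the Root CA, key also kept inside Vault)
# - Certificate issuance role for the macmini hostname
# - AppRole for vault-agent authentication
#
# Usage: Run this after Vault is initialized AND unsealed, with a token that
# may manage secrets engines, policies and auth methods (e.g. the root token
# via VAULT_TOKEN). Re-running is safe: existing engines, CAs and roles are
# reused, but a NEW AppRole secret-id is minted on every run (see Step 5).
#
# Optional environment:
#   PKI_BASE_URL     Base URL embedded in issued certs for fetching the CA
#                    cert and CRL (default: http://vault:8200). It must be
#                    reachable by whoever VALIDATES the certs, not just by
#                    this script; the default only resolves inside the
#                    compose network.
#   VAULT_WAIT_SECS  How long to wait for Vault to be unsealed (default 120).
#
# Deliberately POSIX sh (BusyBox/dash compatible): no pipefail, [[ ]],
# arrays or `local`.

set -eu

PKI_BASE_URL="${PKI_BASE_URL:-http://vault:8200}"
VAULT_WAIT_SECS="${VAULT_WAIT_SECS:-120}"
AGENT_DATA_DIR=/vault/agent/data
CERTS_DIR=/vault/certs

# Print an error to stderr and abort.
die() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

# Enable a secrets engine at $1 of type $2 unless it is already mounted.
# The previous `enable 2>/dev/null || echo already enabled` pattern hid every
# other failure (permission denied, sealed Vault, network error); checking
# the mount table first lets a real `enable` error abort the script.
# -format=table is forced so a VAULT_FORMAT=json in the environment cannot
# break the grep.
ensure_secrets_engine() {
  _mount_path=$1
  _mount_type=$2
  if vault secrets list -format=table | grep -q -- "^${_mount_path}/ "; then
    echo "Secrets engine '${_mount_path}' already enabled"
  else
    vault secrets enable -path="${_mount_path}" "${_mount_type}"
  fi
}

# Enable an auth method at $1 unless it is already mounted (same reasoning).
ensure_auth_method() {
  _auth_path=$1
  if vault auth list -format=table | grep -q -- "^${_auth_path}/ "; then
    echo "Auth method '${_auth_path}' already enabled"
  else
    vault auth enable "${_auth_path}"
  fi
}

echo "=== Vault PKI Initialization ==="
echo "Waiting for Vault to be ready..."

# `vault status` exits 0 only when Vault is initialized AND unsealed
# (2 = sealed, 1 = error), so this also waits out the unseal step.
# Bounded so a mis-configured VAULT_ADDR fails loudly instead of hanging.
waited=0
until vault status > /dev/null 2>&1; do
  [ "$waited" -lt "$VAULT_WAIT_SECS" ] \
    || die "Vault not ready (unsealed) after ${VAULT_WAIT_SECS}s"
  sleep 1
  waited=$((waited + 1))
done

# Fail early with a clear message rather than on the first privileged call.
vault token lookup > /dev/null || die "No valid Vault token (set VAULT_TOKEN)"

echo "Vault is ready. Setting up PKI..."

# Create directories
mkdir -p "$AGENT_DATA_DIR" "$CERTS_DIR"

# Scratch space for the intermediate CSR/cert. mktemp replaces the fixed
# /tmp/pki_intermediate.csr names, which another local user could pre-create
# or symlink elsewhere; the trap removes it on every exit path.
WORK_DIR=$(mktemp -d) || die "mktemp failed"
trap 'rm -rf -- "${WORK_DIR:?}"' EXIT

# ================================================
# Step 1: Enable PKI Secrets Engine (Root CA)
# ================================================
echo "Enabling Root CA PKI engine..."
ensure_secrets_engine pki pki

# Set max lease TTL to 10 years for root CA; the root cert below is issued
# at exactly this TTL.
vault secrets tune -max-lease-ttl=87600h pki

if vault read pki/cert/ca > /dev/null 2>&1; then
  echo "Root CA already exists, skipping generation"
else
  echo "Generating Root CA certificate..."
  # generate/internal keeps the private key inside Vault; only the public
  # certificate is returned. issuer_name requires Vault >= 1.11 (multi-issuer).
  vault write -field=certificate pki/root/generate/internal \
    common_name="BreakPilot Root CA" \
    issuer_name="root-2024" \
    ttl=87600h > /dev/null
fi

# Always (re)export the current root cert so the file is present even when
# the CA was created by an earlier, partially completed run.
vault read -field=certificate pki/cert/ca > "$CERTS_DIR/root_ca.crt"

# Configure URLs embedded in certs issued by the ROOT mount. CRLs are signed,
# so plain HTTP is acceptable here; reachability of the host is the concern
# (see PKI_BASE_URL above).
vault write pki/config/urls \
  issuing_certificates="${PKI_BASE_URL}/v1/pki/ca" \
  crl_distribution_points="${PKI_BASE_URL}/v1/pki/crl"

# ================================================
# Step 2: Enable PKI Secrets Engine (Intermediate CA)
# ================================================
echo "Enabling Intermediate CA PKI engine..."
ensure_secrets_engine pki_int pki

# Set max lease TTL to 5 years for intermediate
vault secrets tune -max-lease-ttl=43800h pki_int

if vault read pki_int/cert/ca > /dev/null 2>&1; then
  echo "Intermediate CA already exists, skipping generation"
else
  echo "Generating Intermediate CA..."
  csr_file="$WORK_DIR/pki_intermediate.csr"
  int_cert_file="$WORK_DIR/intermediate.cert.pem"

  # The intermediate key also stays inside Vault; only the CSR comes out
  # (-field gives the raw PEM without the CLI's table formatting).
  vault write -field=csr pki_int/intermediate/generate/internal \
    common_name="BreakPilot Intermediate CA" \
    issuer_name="breakpilot-intermediate" > "$csr_file"

  echo "CSR generated, signing with Root CA..."
  vault write -field=certificate pki/root/sign-intermediate \
    issuer_ref="root-2024" \
    csr=@"$csr_file" \
    format=pem_bundle \
    ttl="43800h" > "$int_cert_file"

  echo "Importing signed intermediate certificate..."
  vault write pki_int/intermediate/set-signed certificate=@"$int_cert_file"
fi

# config/urls is per mount: leaf certs are issued by pki_int, so without this
# block they carried NO AIA/CRL distribution point at all and revocation could
# never be checked by clients.
vault write pki_int/config/urls \
  issuing_certificates="${PKI_BASE_URL}/v1/pki_int/ca" \
  crl_distribution_points="${PKI_BASE_URL}/v1/pki_int/crl"

# Full chain (intermediate + root) for clients that must trust leaf certs.
vault read -field=certificate pki_int/cert/ca_chain > "$CERTS_DIR/ca_chain.crt"

# ================================================
# Step 3: Create Role for Certificate Issuance
# ================================================
echo "Creating certificate issuance role..."

# Role for macmini certificates (internal use). Issuance is confined to the
# listed internal names; allow_subdomains admits e.g. api.breakpilot.local,
# allow_ip_sans is kept (presumably so certs can carry the host's address).
# There is deliberately no allow_any_name / allow_glob_domains. Leaf certs
# default to 7 days and may not exceed 30 days.
vault write pki_int/roles/breakpilot-internal \
  allowed_domains="macmini,macmini.local,localhost,breakpilot.local" \
  allow_bare_domains=true \
  allow_subdomains=true \
  allow_localhost=true \
  allow_ip_sans=true \
  max_ttl="720h" \
  ttl="168h"

# ================================================
# Step 4: Create Policy for Certificate Access
# ================================================
echo "Creating certificate policy..."

# Least privilege for vault-agent: it can issue certs under the one role and
# read the CA certs, but cannot revoke, list, manage roles or touch the root
# mount's signing endpoints.
vault policy write breakpilot-pki - <<EOF
# BreakPilot PKI Policy
# Allows issuing and reading certificates

# Issue certificates
path "pki_int/issue/breakpilot-internal" {
  capabilities = ["create", "update"]
}

# Read CA certificates
path "pki/cert/ca" {
  capabilities = ["read"]
}

path "pki_int/cert/ca" {
  capabilities = ["read"]
}

# Renew own token
path "auth/token/renew-self" {
  capabilities = ["update"]
}
EOF

# ================================================
# Step 5: Create AppRole for nginx/vault-agent
# ================================================
echo "Creating AppRole for certificate management..."

ensure_auth_method approle

# Create role for nginx certificate management.
# secret_id_ttl=0 means secret-ids never expire, and secret_id_num_uses is
# left at its default (unlimited) so vault-agent can log in again after the
# 168h token max TTL. Consequence: every secret-id this script has ever
# minted stays valid until destroyed — when re-running, destroy the old one
# via auth/approle/role/breakpilot-nginx/secret-id/destroy. No
# secret_id_bound_cidrs / token_bound_cidrs are set; consider adding them
# once the agent's network location is fixed.
vault write auth/approle/role/breakpilot-nginx \
  token_policies="breakpilot-pki" \
  token_ttl=24h \
  token_max_ttl=168h \
  secret_id_ttl=0

# Get role-id
ROLE_ID=$(vault read -field=role_id auth/approle/role/breakpilot-nginx/role-id)

# Generate secret-id
SECRET_ID=$(vault write -field=secret_id -f auth/approle/role/breakpilot-nginx/secret-id)

# Only the role-id is printed. The secret-id is the AppRole's password and
# must not land in container/CI logs; it is available in the file below.
echo ""
echo "=== AppRole Credentials ==="
echo "Role ID: $ROLE_ID"
echo "Secret ID: (written to ${AGENT_DATA_DIR}/secret-id, not displayed)"
echo ""

# Save credentials to file for vault-agent. Remove any previous file first so
# the write always creates a fresh one, and create it 0600 from the start
# (umask in a subshell) instead of writing it world-readable and chmod-ing
# afterwards, which left a window where the secret was readable.
rm -f -- "$AGENT_DATA_DIR/role-id" "$AGENT_DATA_DIR/secret-id"
(
  umask 077
  printf '%s\n' "$ROLE_ID" > "$AGENT_DATA_DIR/role-id"
  printf '%s\n' "$SECRET_ID" > "$AGENT_DATA_DIR/secret-id"
)

# ================================================
# Step 6: Verify PKI setup is working
# ================================================
echo "Verifying PKI setup..."

# Exercise exactly the path vault-agent will use: log in with the AppRole and
# issue a short-lived throwaway cert under THAT token, so a policy or role
# mistake shows up here instead of in the agent's logs later. The secret-id
# is fed on stdin (`secret_id=-`) rather than argv, keeping it out of `ps`.
AGENT_TOKEN=$(printf '%s' "$SECRET_ID" | vault write -field=token \
  auth/approle/login role_id="$ROLE_ID" secret_id=-) \
  || die "AppRole login failed"

if VAULT_TOKEN="$AGENT_TOKEN" vault write -format=json \
    pki_int/issue/breakpilot-internal \
    common_name="test.macmini" \
    ttl="1h" > /dev/null; then
  echo "✓ Certificate issuance working (via AppRole)"
  # Do not leave the test token lying around.
  VAULT_TOKEN="$AGENT_TOKEN" vault token revoke -self > /dev/null 2>&1 || true
else
  VAULT_TOKEN="$AGENT_TOKEN" vault token revoke -self > /dev/null 2>&1 || true
  die "✗ Certificate issuance failed!"
fi

echo ""
echo "=== PKI Initialization Complete ==="
echo ""
echo "AppRole credentials saved to ${AGENT_DATA_DIR}/"
ls -la "$AGENT_DATA_DIR/"
echo ""
echo "Vault-agent will generate and manage certificates automatically."
echo "Start vault-agent to begin certificate management."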