diff --git a/scripts/disable_admin.sh b/scripts/disable_admin.sh
new file mode 100755
index 0000000..baa5042
--- /dev/null
+++ b/scripts/disable_admin.sh
@@ -0,0 +1,5 @@
+#!/usr/bin/env -S /bin/bash
+set -e
+# There does not seem to be any sensible flag for this so delete and re-add is the way
+/opt/scripts/delete_user.sh
+/opt/scripts/enable_user.sh
diff --git a/scripts/enable_admin.sh b/scripts/enable_admin.sh
index 8cd1ee3..6851bce 100755
--- a/scripts/enable_admin.sh
+++ b/scripts/enable_admin.sh
@@ -2,14 +2,11 @@
 set -e
 TR=/opt/tak
 CONFIG=${TR}/data/CoreConfig.xml
+cd ${TR}
+. ./setenv.sh
-# Wait for server start
-echo "enable_admin: Waiting for db"
-WAITFORIT_TIMEOUT=30 /usr/bin/wait-for-it.sh ${POSTGRES_ADDRESS}:5432 -- true
 echo "enable_admin: Waiting for TAK server"
-WAITFORIT_TIMEOUT=60 /usr/bin/wait-for-it.sh localhost:8089 -- true
+WAITFORIT_TIMEOUT=2 /usr/bin/wait-for-it.sh localhost:8089 -- true
 echo "enable_admin: Making sure ${ADMIN_CERT_NAME} user is in place"
-cd ${TR}
-. ./setenv.sh
 TAKCL_CORECONFIG_PATH="${CONFIG}" java -jar /opt/tak/utils/UserManager.jar certmod -A "/opt/tak/data/certs/files/${ADMIN_CERT_NAME}.pem"
diff --git a/scripts/firstrun_rm.sh b/scripts/firstrun_rm.sh
index c6734d6..55a6c10 100755
--- a/scripts/firstrun_rm.sh
+++ b/scripts/firstrun_rm.sh
@@ -1,10 +1,4 @@
 #!/usr/bin/env -S /bin/bash
-if [ -f /opt/tak/data/firstrun.done ]
-then
- echo "First run already done"
- exit 0
-fi
-
 TR=/opt/tak
 CR=${TR}/certs
@@ -35,8 +29,6 @@ if [[ ! -L "${TR}/certs" ]];then
 ln -f -s "${TR}/data/certs/" "${TR}/certs"
 fi
-set -x
-
 TAK_SERVER_HOSTNAME="$(cat /pvarki/kraftwerk-init.json | jq -r .product.dns)"
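Review bot: disable_admin.sh runs `/opt/scripts/delete_user.sh` and then `/opt/scripts/enable_user.sh` without forwarding any arguments, so if those helpers (not on this page) take the user or certificate name from argv the caller's arguments are silently dropped; if that is the case, call them as `/opt/scripts/delete_user.sh "$@"` and `/opt/scripts/enable_user.sh "$@"`. Because `set -e` stops the script as soon as the second step fails, a failed re-add leaves the account deleted rather than demoted, which the comment above the two calls does not say; a line such as `# NOTE: if enable_user.sh fails the user stays deleted; re-run this script to restore it` makes the recovery path explicit to whoever hits it.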
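Review bot: With `WAITFORIT_TIMEOUT=2` and the trailing `-- true`, the wait on `localhost:8089` in enable_admin.sh no longer gates anything: wait-for-it still runs the command after `--` when the timeout expires unless `--strict` is given, and `true` always exits 0, so `set -e` never sees the timeout and `UserManager.jar certmod` runs after two seconds whether or not the server is listening. If the intent is merely a short delay, say so in a comment; if the server really must be up, use the strict form, e.g. `WAITFORIT_TIMEOUT=2 /usr/bin/wait-for-it.sh --strict localhost:8089 || exit 1`. The "Waiting for db" step was removed as well; if `certmod` still depends on the database being reachable, that should be stated next to the remaining wait or the check restored.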
@@ -49,9 +41,8 @@ if [ $? -ne 0 ] ; then
 LEGACY_PROVIDER="-legacy"
 fi
-# FIXME: We need to update these when the LE cert gets updated so these can't be inside of the firstrun.done
-check
-# But they also seem get hissy if you try to add the same cert multiple times
+echo "(re)Add TLS keys to keystore"
 # We have to do this pkcs12 song and dance because keytool can't import private keys directly
 # Create takserver.p12 using certificates from RM
 openssl pkcs12 ${LEGACY_PROVIDER} -export -out takserver.p12 \
@@ -60,6 +51,11 @@ openssl pkcs12 ${LEGACY_PROVIDER} -export -out takserver.p12 \
 -name "${TAK_SERVER_HOSTNAME}" \
 -passout pass:${TAKSERVER_KEYSTORE_PASS}
+# Remove the old key (if exists)
+keytool -delete \
+ -alias "${TAK_SERVER_HOSTNAME}" \
+ -keystore takserver.jks \
+ -storepass "${TAKSERVER_KEYSTORE_PASS}"
 # Create the Java keystore and import takserver.p12
 keytool -importkeystore -srcstoretype PKCS12 \
 -destkeystore takserver.jks \
@@ -70,12 +66,24 @@ keytool -importkeystore -srcstoretype PKCS12 \
 -destkeypass "${TAKSERVER_KEYSTORE_PASS}"
 # Put the CA certs one-by-one (can't import full chains in one go) to the truststore
+# Remove the old root key (if exists)
+keytool -delete \
+ -alias "RM_Root" \
+ -keystore takserver-truststore.jks \
+ -storepass ${KEYSTORE_PASS}
+# Add root key
 keytool -noprompt -import -trustcacerts \
 -file "/ca_public/root_ca.pem" \
 -alias "RM_Root" \
 -keystore takserver-truststore.jks \
 -storepass ${KEYSTORE_PASS}
+# Remove the old intermediate key (if exists)
+keytool -delete \
+ -alias "RM_Intermediate" \
+ -keystore takserver-truststore.jks \
+ -storepass ${KEYSTORE_PASS}
+# Add intermediate key
 keytool -noprompt -import -trustcacerts \
 -file "/ca_public/intermediate_ca.pem" \
 -alias "RM_Intermediate" \
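Review bot: `keytool -delete` exits non-zero when the alias is not yet in the keystore, which is exactly the first-run case the "(if exists)" comment describes, and the new delete in the `@@ -60,6 +51,11 @@` hunk only survives that because `set -e` is not yet active at this point of firstrun_rm.sh (it is enabled further down, after the `firstrun.done` check); the same holds for the `RM_Root`/`RM_Intermediate` deletes in the next hunk and the `MW_Root` delete in the `@@ -83,7 +91,11 @@` hunk. Make the best-effort intent explicit so a later move of `set -e` cannot break first runs, e.g. `keytool -delete -alias "${TAK_SERVER_HOSTNAME}" -keystore takserver.jks -storepass "${TAKSERVER_KEYSTORE_PASS}" 2>/dev/null || true  # alias is absent on first run`. The truststore deletes pass `-storepass ${KEYSTORE_PASS}` unquoted while the keystore delete quotes `"${TAKSERVER_KEYSTORE_PASS}"`; quote all of them. Every keytool call here also exposes the store password on the command line, where it is visible to `ps`; keytool's `-storepass:env KEYSTORE_PASS` form keeps it out of argv without changing the flow.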
@@ -83,7 +91,11 @@ keytool -noprompt -import -trustcacerts \
 -storepass ${KEYSTORE_PASS}
 if [[ -f "/ca_public/miniwerk_ca.pem" ]];then
- ALIAS=$(openssl x509 -noout -subject -in "/ca_public/miniwerk_ca.pem" |md5sum | cut -d" " -f1)
+ # Remove the old key (if exists)
+ keytool -delete \
+ -alias "MW_Root" \
+ -keystore takserver-truststore.jks \
+ -storepass ${KEYSTORE_PASS}
 keytool -noprompt -import -trustcacerts \
 -file /ca_public/miniwerk_ca.pem \
 -alias "MW_Root" \
@@ -98,7 +110,11 @@ cp -v /opt/tak/data/certs/files/takserver-truststore.jks /opt/tak/data/certs/fil
 popd >> /dev/null
-
+if [ -f /opt/tak/data/firstrun.done ]
+then
+ echo "First run already done, not importing database"
+ exit 0
+fi
 set -e
diff --git a/scripts/start-tak.sh b/scripts/start-tak.sh
index 83f9e96..f8a60c0 100755
--- a/scripts/start-tak.sh
+++ b/scripts/start-tak.sh
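Review bot: Moving the `firstrun.done` check below the keystore section means the keytool rewrite above now runs on every start, but `set -e` is still only enabled after this check, so a failed `keytool -importkeystore` or truststore `-import` on a re-run goes unnoticed: the previous entry was already removed by the new `keytool -delete` lines, the script prints "First run already done" and exits 0 with an empty slot in the store. Check the import results explicitly in that section, e.g. `keytool -importkeystore -srcstoretype PKCS12 ... || { echo "firstrun_rm: keystore import failed" >&2; exit 1; }`, and the same for the three truststore imports, or enable `set -e` before the keystore work once the deletes are made best-effort. The early part of the section (openssl, keytool -importkeystore) lies outside this hunk.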
@@ -2,21 +2,29 @@
 set -e
 TR=/opt/tak
-CONFIG=${TR}/data/CoreConfig.xml
+export TAKCL_CORECONFIG_PATH=${TR}/data/CoreConfig_${1}.xml # use process specific copy
+COMMON_CONFIG_PATH=${TR}/data/CoreConfig.xml # common path used by various scripts
+sleep 2
 # (re-)Create config
 echo "(Re-)Creating config"
-cat /opt/templates/CoreConfig.tpl | gomplate >${CONFIG}
+set -x
+export TAK_OCSP_UPSTREAM_IP=$(getent hosts ${TAK_OCSP_UPSTREAM} | awk '{ print $1 }')
+gomplate -f /opt/templates/CoreConfig.tpl -o ${COMMON_CONFIG_PATH} # used by various scripts
+# Process specific config
+gomplate -f /opt/templates/CoreConfig.tpl -o ${TAKCL_CORECONFIG_PATH}
 # make sure it's in tak root too
-cp ${CONFIG} ${TR}
+ln -sf ${TAKCL_CORECONFIG_PATH} ${TR}/CoreConfig.xml
+ls -lah ${TR}/CoreConfig.xml
+cat ${TR}/CoreConfig.xml
+set +x
-# Symlink the certs coming from Volumes
+# Ensure anything not having the correct config loads certs and saves logs to the volume
+# (yes, we do need to re-check at every start)
 if [[ ! -L "${TR}/certs" ]];then
 mv ${TR}/certs ${TR}/certs.orig
 ln -s "${TR}/data/certs/" "${TR}/certs"
 fi
-
-# Symlink the log directory coming from Volumes
 if [[ ! -L "${TR}/logs" ]];then
 mv ${TR}/logs ${TR}/logs.orig
 ln -s "${TR}/data/logs/" "${TR}/logs"
@@ -31,7 +39,7 @@ cd ${TR}
 # Start the right process
 if [ $1 = "messaging" ]; then
 echo "Starting TAK Messaging"
- java -jar -Xmx${MESSAGING_MAX_HEAP}m -Dspring.profiles.active=messaging,consolelog takserver.war
+ java -jar -Xmx${MESSAGING_MAX_HEAP}m -Dspring.profiles.active=messaging,consolelog -Dkeystore.pkcs12.legacy takserver.war
 elif [ $1 = "api" ]; then
 echo "Starting TAK API"
 java -jar -Xmx${API_MAX_HEAP}m -Dspring.profiles.active=api,consolelog -Dkeystore.pkcs12.legacy takserver.war
diff --git a/templates/CoreConfig.tpl b/templates/CoreConfig.tpl
index fd1132d..6cff3dc 100644
--- a/templates/CoreConfig.tpl
+++ b/templates/CoreConfig.tpl
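Review bot: `export TAK_OCSP_UPSTREAM_IP=$(getent hosts ${TAK_OCSP_UPSTREAM} | awk '{ print $1 }')` in start-tak.sh masks a failed lookup: `export` returns 0 regardless of the substitution's status and the pipeline's status is awk's, so under `set -e` an unresolvable `TAK_OCSP_UPSTREAM` silently renders both CoreConfig copies with an empty OCSP address instead of stopping the start. Split the assignment and check the value, e.g. `TAK_OCSP_UPSTREAM_IP=$(getent hosts "${TAK_OCSP_UPSTREAM}" | awk '{ print $1 }')`, then `[[ -n "${TAK_OCSP_UPSTREAM_IP}" ]] || { echo "start-tak: cannot resolve TAK_OCSP_UPSTREAM=${TAK_OCSP_UPSTREAM}" >&2; exit 1; }`, then `export TAK_OCSP_UPSTREAM_IP`. The `set -x` … `cat ${TR}/CoreConfig.xml` … `set +x` block also writes the full rendered config to the container log on every start; if that config carries the keystore or truststore passwords that the sibling scripts pass to keytool, they land in the logs, so gate the `cat` behind a debug variable or drop it and keep only the `ls -lah`. The `sleep 2` has no comment saying what it waits for; `# wait for <dependency> before rendering config` (with the real reason) would help the next reader.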
@@ -1,74 +1,21 @@ + xsi:schemaLocation="/opt/tak/CoreConfig.xsd"> - - - - - - - - - - - - - - - - - - - - - - - - - - - + - - @@ -88,12 +35,6 @@ - @@ -102,68 +43,41 @@ + - - - - - - - - + + - - - - + +