Merge pull request #74 from soubinan/features

Improve templates
soubinan · Jan 19, 2025 · 532846c · 532846c
2 parents 845fa8d + 7655488
commit 532846c
Show file tree

Hide file tree

Showing 14 changed files with 472 additions and 102 deletions.
diff --git a/.github/workflows/builder.yml b/.github/workflows/builder.yml
@@ -108,6 +108,17 @@ jobs:
           echo "ARTIFACT_SIZE=$(du -sh ./${{needs.init.outputs.app_name}}-${{needs.init.outputs.app_version}}-${{matrix.architectures}}-root.tar.xz | cut -f 1)" >> $GITHUB_ENV
           pwd && ls -lash
 
+      - name: Archive Image files
+        if: ${{steps.validity-checks.outputs.IS_BUILDABLE == 'true' && steps.validity-checks.outputs.IS_PUBLISHABLE == 'false'}}
+        uses: actions/upload-artifact@v4
+        with:
+          name: "${{needs.init.outputs.app_name}}-${{needs.init.outputs.app_version}}-${{matrix.architectures}}"
+          path: |
+            ./${{needs.init.outputs.app_name}}-${{needs.init.outputs.app_version}}-${{matrix.architectures}}-root.tar.xz
+            ./${{needs.init.outputs.app_name}}-${{needs.init.outputs.app_version}}-${{matrix.architectures}}-meta.tar.xz
+          compression-level: 0
+          retention-days: 1
+
       - name: Publish Image files
         if: ${{steps.validity-checks.outputs.IS_BUILDABLE == 'true' && steps.validity-checks.outputs.IS_PUBLISHABLE == 'true'}}
         run: |

diff --git a/__layout.k b/__layout.k
@@ -27,6 +27,8 @@ schema Metadata:
     distribution: str
     release: str
     architectures: [str]
+    help_message: str = """\
+    """
 
     check:
         distribution != Undefined, "Distribution should be explicitely set"
@@ -1283,6 +1285,12 @@ files = [
         mode = "0655"
         content = _welcome_msg_script
     }
+    {
+        path = "/etc/issue.d/61-help.issue"
+        generator = "dump"
+        mode = "0655"
+        content = _metadata.help_message
+    }
     *_files_add
 ]
 packages = {

diff --git a/assets/certificates/ca.cnf b/assets/certificates/ca.cnf
@@ -0,0 +1,60 @@
+[ ca ]
+default_ca = CA_default
+
+[ CA_default ]
+default_days     = 3650
+default_crl_days = 90
+default_md       = sha256
+preserve         = no
+x509_extensions  = ca_extensions
+email_in_dn      = no
+copy_extensions  = copy
+base_dir         = /opt/certs
+certificate      = $base_dir/cacert.pem
+private_key      = $base_dir/cakey.pem
+certs            = $base_dir
+new_certs_dir    = $base_dir
+database         = $base_dir/index.txt
+serial           = $base_dir/serial.txt
+RANDFILE         = $base_dir/.rand
+policy           = signing_policy
+unique_subject   = no
+
+[ req ]
+default_bits       = 4096
+default_keyfile    = cakey.pem
+distinguished_name = ca_distinguished_name
+x509_extensions    = ca_extensions
+string_mask        = utf8only
+prompt             = no
+req_extensions     = signing_req
+
+[ ca_distinguished_name ]
+countryName            = CA
+stateOrProvinceName    = Quebec
+localityName           = Montreal
+organizationName       = SoubiLabs
+organizationalUnitName = LXC BUILDER
+commonName             = lxc-images.soubilabs.xyz
+emailAddress           = [email protected]
+
+[ ca_extensions ]
+subjectKeyIdentifier   = hash
+authorityKeyIdentifier = keyid:always, issuer
+basicConstraints       = critical, CA:true
+keyUsage               = keyCertSign, cRLSign
+
+[ signing_policy ]
+countryName            = optional
+stateOrProvinceName    = optional
+localityName           = optional
+organizationName       = optional
+organizationalUnitName = optional
+commonName             = supplied
+emailAddress           = optional
+
+[ signing_req ]
+subjectKeyIdentifier   = hash
+authorityKeyIdentifier = keyid,issuer
+basicConstraints       = CA:FALSE
+keyUsage               = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
diff --git a/assets/certificates/server.cnf b/assets/certificates/server.cnf
@@ -0,0 +1,27 @@
+RANDFILE = /opt/certs/.rand
+
+[ req ]
+default_bits       = 2048
+default_keyfile    = /opt/certs/server.key
+distinguished_name = server_distinguished_name
+req_extensions     = server_req_extensions
+string_mask        = utf8only
+prompt             = no
+
+[ server_distinguished_name ]
+countryName            = CA
+stateOrProvinceName    = Quebec
+localityName           = Montreal
+organizationName       = SoubiLabs
+organizationalUnitName = LXC-Images
+commonName             = localhost
+
+[ server_req_extensions ]
+subjectKeyIdentifier = hash
+basicConstraints     = CA:FALSE
+keyUsage             = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
+subjectAltName       = @alternate_names
+nsComment            = "OpenSSL Generated Certificate"
+
+[ alternate_names ]
+IP.1 = 127.0.0.1
diff --git a/assets/crt.config b/assets/crt.config
diff --git a/assets/csr.config b/assets/csr.config
diff --git a/assets/rootCA.config b/assets/rootCA.config
diff --git a/templates/keycloak.yml b/templates/keycloak.yml
@@ -62,17 +62,13 @@ instructions:
         [Install]
         WantedBy=multi-user.target
 
-    - path: /opt/certs/rootCA.config
+    - path: /opt/certs/ca.cnf
       generator: copy
-      source: assets/rootCA.config
+      source: assets/certificates/ca.cnf
 
-    - path: /opt/certs/csr.config
+    - path: /opt/certs/server.cnf
       generator: copy
-      source: assets/csr.config
-
-    - path: /opt/certs/crt.config
-      generator: copy
-      source: assets/crt.config
+      source: assets/certificates/server.cnf
 
   packages:
     - openjdk-17-jre
@@ -85,20 +81,24 @@ instructions:
         #!/bin/bash
         set -eux
 
-        mkdir -p /opt/keycloak
+        touch /opt/certs/index.txt
+        echo '01' > /opt/certs/serial.txt
+        cd /opt/certs
+        openssl req -x509 -config ca.cnf -newkey rsa:4096 -sha256 -nodes -out cacert.pem -outform PEM
+        openssl req -config server.cnf -newkey rsa:2048 -sha256 -nodes -out keycloak.csr -outform PEM
+        openssl ca -batch -config ca.cnf -policy signing_policy -extensions signing_req -out keycloak.crt -infiles keycloak.csr
 
-        openssl req -x509 -newkey rsa:4096 -keyout /opt/certs/rootCA.key -out /opt/certs/rootCA.crt -sha256 -days 3650 -nodes -config /opt/certs/rootCA.config
-        openssl genrsa -out /etc/ssl/private/keycloak.key 2048
-        openssl req -new -key /etc/ssl/private/keycloak.key -out /etc/ssl/private/keycloak.csr -config /opt/certs/csr.config
-        openssl x509 -req -in /etc/ssl/private/keycloak.csr -CA /opt/certs/rootCA.crt -CAkey /opt/certs/rootCA.key -CAcreateserial -out /etc/ssl/private/keycloak.crt -days 1825 -sha256 -extfile /opt/certs/crt.config
+
+        mkdir -p /opt/keycloak
+        cd /opt/keycloak
 
         wget -O /tmp/keycloak.tar.gz https://github.com/keycloak/keycloak/releases/download/{{image.serial}}/keycloak-{{image.serial}}.tar.gz
         tar -xvf /tmp/keycloak.tar.gz -C /tmp && cp -r /tmp/keycloak-{{image.serial}}/* /opt/keycloak/
 
         cat <<EOF > /opt/keycloak/conf/keycloak.conf
         hostname=0.0.0.0
-        https-certificate-file=/etc/ssl/private/keycloak.crt
-        https-certificate-key-file=/etc/ssl/private/keycloak.key
+        https-certificate-file=/opt/certs/keycloak.crt
+        https-certificate-key-file=/opt/certs/server.key
         EOF
 
         export JAVA_HOME=/usr/lib/jvm/java-17-openjdk-amd64

diff --git a/templates/matomo.yml b/templates/matomo.yml
@@ -10,9 +10,13 @@ metadata:
     - amd64
 instructions:
   files:
-    - path: /opt/certs/rootCA.config
+    - path: /opt/certs/ca.cnf
       generator: copy
-      source: assets/rootCA.config
+      source: assets/certificates/ca.cnf
+
+    - path: /opt/certs/server.cnf
+      generator: copy
+      source: assets/certificates/server.cnf
 
     - path: /opt/ssl.conf
       generator: dump
@@ -23,8 +27,8 @@ instructions:
                 ErrorLog ${APACHE_LOG_DIR}/error.log
                 CustomLog ${APACHE_LOG_DIR}/access.log combined
                 SSLEngine on
-                SSLCertificateFile      /etc/ssl/certs/rootCA.crt
-                SSLCertificateKeyFile   /etc/ssl/private/rootCA.key
+                SSLCertificateFile      /opt/certs/matomo.crt
+                SSLCertificateKeyFile   /opt/certs/server.key
                 <FilesMatch "\.(?:cgi|shtml|phtml|php)$">
                         SSLOptions +StdEnvVars
                 </FilesMatch>
@@ -107,7 +111,12 @@ instructions:
         #!/bin/bash
         set -eux
 
-        openssl req -x509 -newkey rsa:4096 -keyout /etc/ssl/private/rootCA.key -out /etc/ssl/certs/rootCA.crt -sha256 -days 3650 -nodes -config /opt/certs/rootCA.config
+        touch /opt/certs/index.txt
+        echo '01' > /opt/certs/serial.txt
+        cd /opt/certs
+        openssl req -x509 -config ca.cnf -newkey rsa:4096 -sha256 -nodes -out cacert.pem -outform PEM
+        openssl req -config server.cnf -newkey rsa:2048 -sha256 -nodes -out matomo.csr -outform PEM
+        openssl ca -batch -config ca.cnf -policy signing_policy -extensions signing_req -out matomo.crt -infiles matomo.csr
 
         wget -O /tmp/matomo.zip https://builds.matomo.org/matomo-{{image.serial}}.zip
         unzip /tmp/matomo.zip -d /tmp

diff --git a/templates/nextcloud.yml b/templates/nextcloud.yml
@@ -10,9 +10,13 @@ metadata:
     - amd64
 instructions:
   files:
-    - path: /opt/certs/rootCA.config
+    - path: /opt/certs/ca.cnf
       generator: copy
-      source: assets/rootCA.config
+      source: assets/certificates/ca.cnf
+
+    - path: /opt/certs/server.cnf
+      generator: copy
+      source: assets/certificates/server.cnf
 
     - path: /opt/ssl.conf
       generator: dump
@@ -26,8 +30,8 @@ instructions:
                 CustomLog ${APACHE_LOG_DIR}/access.log combined
                 SSLEngine on
 
-                SSLCertificateFile      /etc/ssl/certs/rootCA.crt
-                SSLCertificateKeyFile   /etc/ssl/private/rootCA.key
+                SSLCertificateFile      /opt/certs/nextcould.crt
+                SSLCertificateKeyFile   /opt/certs/server.key
 
                 <FilesMatch "\.(?:cgi|shtml|phtml|php)$">
                         SSLOptions +StdEnvVars
@@ -131,7 +135,12 @@ instructions:
         #!/bin/bash
         set -eux
 
-        openssl req -x509 -newkey rsa:4096 -keyout /etc/ssl/private/rootCA.key -out /etc/ssl/certs/rootCA.crt -sha256 -days 3650 -nodes -config /opt/certs/rootCA.config
+        touch /opt/certs/index.txt
+        echo '01' > /opt/certs/serial.txt
+        cd /opt/certs
+        openssl req -x509 -config ca.cnf -newkey rsa:4096 -sha256 -nodes -out cacert.pem -outform PEM
+        openssl req -config server.cnf -newkey rsa:2048 -sha256 -nodes -out nextcloud.csr -outform PEM
+        openssl ca -batch -config ca.cnf -policy signing_policy -extensions signing_req -out nextcloud.crt -infiles nextcloud.csr
 
         wget -O /tmp/nextcloud.zip https://download.nextcloud.com/server/releases/nextcloud-{{image.serial}}.zip
         unzip /tmp/nextcloud.zip -d /tmp

diff --git a/templates/omada.yml b/templates/omada.yml
@@ -11,8 +11,31 @@ metadata:
 instructions:
   files:
     - path: /var/omada/data.json
-      generator: copy
-      source: assets/omada-post-data.json
+      generator: dump
+      content: |-
+        {
+            "pageIndex": 0,
+            "pageSize": 1,
+            "sortField": "",
+            "sortOrder": "DESC",
+            "keyword": ".deb",
+            "siteId": 1,
+            "siteCode": "en",
+            "resourceType": "download",
+            "typeIdList": [],
+            "documentResourceTypeIdList": [],
+            "downloadsResourceTypeIdList": [],
+            "bulletinsResourceTypeIdList": [],
+            "documentTagIdList": [],
+            "downloadTagIdList": [],
+            "bulletinsTagIdList": [],
+            "communityCategories": [],
+            "communityTagNames": [],
+            "suitableModelList": [
+                "Omada Software Controller",
+                "Omada Software Controller V5"
+            ]
+        }
 
   packages:
     - jq