mirror of
https://github.com/vxcontrol/pentagi.git
synced 2026-05-04 05:50:49 +00:00
Dmitry Ng
57 lines
1.8 KiB
Bash
Executable File
57 lines
1.8 KiB
Bash
Executable File
#!/bin/sh
|
|
|
|
export SERVER_SSL_KEY=${SERVER_SSL_KEY:-ssl/server.key}
|
|
export SERVER_SSL_CRT=${SERVER_SSL_CRT:-ssl/server.crt}
|
|
SERVER_SSL_CSR=ssl/service.csr
|
|
SERVER_SSL_CA_KEY=ssl/service_ca.key
|
|
SERVER_SSL_CA_CRT=ssl/service_ca.crt
|
|
OLLAMA_KEY=/root/.ollama/id_ed25519
|
|
|
|
if [ ! -f "$OLLAMA_KEY" ]; then
|
|
ssh-keygen -t ed25519 -N "" -f $OLLAMA_KEY
|
|
chmod 600 $OLLAMA_KEY
|
|
echo "Ollama signing key generated and saved to $OLLAMA_KEY"
|
|
fi
|
|
|
|
if [ -f "$SERVER_SSL_KEY" ] && [ -f "$SERVER_SSL_CRT" ]; then
|
|
echo "service ssl crt and key already exist"
|
|
elif [ "$SERVER_USE_SSL" = "true" ]; then
|
|
echo "Gen service ssl key and crt"
|
|
openssl genrsa -out ${SERVER_SSL_CA_KEY} 4096
|
|
openssl req \
|
|
-new -x509 -days 3650 \
|
|
-key ${SERVER_SSL_CA_KEY} \
|
|
-subj "/C=US/ST=NY/L=NY/O=PentAGI/OU=Project/CN=PentAGI CA" \
|
|
-out ${SERVER_SSL_CA_CRT}
|
|
openssl req \
|
|
-newkey rsa:4096 \
|
|
-sha256 \
|
|
-nodes \
|
|
-keyout ${SERVER_SSL_KEY} \
|
|
-subj "/C=US/ST=NY/L=NY/O=PentAGI/OU=Project/CN=localhost" \
|
|
-out ${SERVER_SSL_CSR}
|
|
|
|
echo "subjectAltName=DNS:pentagi.local" > extfile.tmp
|
|
echo "keyUsage=critical,digitalSignature,keyAgreement" >> extfile.tmp
|
|
|
|
openssl x509 -req \
|
|
-days 730 \
|
|
-extfile extfile.tmp \
|
|
-in ${SERVER_SSL_CSR} \
|
|
-CA ${SERVER_SSL_CA_CRT} -CAkey ${SERVER_SSL_CA_KEY} -CAcreateserial \
|
|
-out ${SERVER_SSL_CRT}
|
|
|
|
rm extfile.tmp
|
|
|
|
cat ${SERVER_SSL_CA_CRT} >> ${SERVER_SSL_CRT}
|
|
|
|
chmod g+r ${SERVER_SSL_KEY}
|
|
|
|
# Remove CA private key and CSR after signing -- they are no longer
|
|
# needed at runtime and leaving them on disk increases the attack
|
|
# surface if the container filesystem is compromised.
|
|
rm -f ${SERVER_SSL_CA_KEY} ${SERVER_SSL_CSR} ssl/service_ca.srl
|
|
fi
|
|
|
|
exec "$@"
|