Index: branches/releng-9.0/nanobsd/files/tools/openvpn-easy-rsa
===================================================================
--- branches/releng-9.0/nanobsd/files/tools/openvpn-easy-rsa	(revision 10458)
+++ branches/releng-9.0/nanobsd/files/tools/openvpn-easy-rsa	(revision 10458)
@@ -0,0 +1,102 @@
+#!/bin/sh
+#
+# Initialize the OpenVPN Easy-RSA 2.0 scripts
+#
+# Rick van der Zwet <rick@wirelessleiden.nl>
+#
+
+# This variable should point to
+# the top level of the easy-rsa
+# tree.
+export EASY_RSA=${EASY_RSA:-"/usr/local/share/easy-rsa"}
+
+if [ ! -d "$EASY_RSA" ]; then
+  echo "# Installing easy-rsa at $EASY_RSA"
+  trap "mount -ur /; exit 1" 1 2 15 
+  mount -uwo noatime / || exit 1
+  make  -C /usr/local/share/doc/openvpn/easy-rsa/2.0 install DESTDIR=$EASY_RSA || exit 1
+  # Avoid disasters and move the vars template holder
+  mv $EASY_RSA/vars $EASY_RSA/vars.old || exit 1
+  mount -ur /
+  trap - 1 2 15
+fi 
+
+#
+# This variable should point to
+# the requested executables
+#
+export OPENSSL="openssl"
+export PKCS11TOOL="pkcs11-tool"
+export GREP="grep"
+
+
+# This variable should point to
+# the openssl.cnf file included
+# with easy-rsa.
+export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
+
+# Edit this variable to point to
+# your soon-to-be-created key
+# directory.
+#
+# WARNING: clean-all will do
+# a rm -rf on this directory
+# so make sure you define
+# it correctly!
+export KEY_DIR="${KEY_DIR:-/etc/easy-rsa-keys}"
+
+# Issue rm -rf warning
+echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
+
+# PKCS11 fixes
+export PKCS11_MODULE_PATH="dummy"
+export PKCS11_PIN="dummy"
+
+# Increase this to 2048 if you
+# are paranoid.  This will slow
+# down TLS negotiation performance
+# as well as the one-time DH parms
+# generation process.
+export KEY_SIZE=1024
+
+# In how many days should the root CA key expire?
+export CA_EXPIRE=3650
+
+# In how many days should certificates expire?
+export KEY_EXPIRE=3650
+
+# These are the default values for fields
+# which will be placed in the certificate.
+# Don't leave any of these fields blank.
+export KEY_COUNTRY="US"
+export KEY_PROVINCE="CA"
+export KEY_CITY="SanFrancisco"
+export KEY_ORG="Fort-Funston"
+export KEY_EMAIL="me@myhost.mydomain"
+export KEY_EMAIL=mail@host.domain
+export KEY_CN=changeme
+export KEY_NAME=changeme
+export KEY_OU=changeme
+export PKCS11_MODULE_PATH=changeme
+export PKCS11_PIN=1234
+
+# Start the local shell
+cd $EASY_RSA
+echo "#"
+echo "# Type exit when done to write changes to persistent disk"
+echo "#"
+# Primer to remember what we are doing 
+sed -n -e '/Typical/,$p'  README | sed -e 's/^/## /g' | grep -v '. ./vars'
+echo "#"
+bash || sh
+
+echo "# Writing changes to persistent storage (/cfg)"
+trap "umount /cfg; exit 1" 1 2 15 EXIT
+
+mount -ro noatime /cfg || exit 1
+CFG_KEY_DIR=/cfg/`basename $KEY_DIR`
+diff -b -B -q -r $KEY_DIR $CFG_KEY_DIR || {
+ mount -uwo noatime /cfg || exit 1
+ rm -fR $CFG_KEY_DIR || exit 1
+ cp -R $KEY_DIR $CFG_KEY_DIR || exit 1
+}
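Review bot: The write-back block at the end (`diff … || { … }`) deletes the persistent copy before a replacement exists: `diff` also exits non-zero when `$KEY_DIR` is missing or unreadable, so `rm -fR $CFG_KEY_DIR` runs, the following `cp -R` fails, and /cfg is left without the previously saved key directory. The expansions are unquoted and `KEY_DIR` comes from the environment, so a value containing whitespace or glob characters is word-split before `rm -fR` sees it. I would check that `$KEY_DIR` is a directory first, quote every expansion, and copy to a temporary name on /cfg before swapping it in, as sketched below. Separately, `export KEY_SIZE=1024` is a weak default for a CA whose certificates are valid for 3650 days; `export KEY_SIZE=2048` is the value the comment above it already mentions.

```shell
# … unchanged: trap and `mount -ro noatime /cfg || exit 1` …
CFG_KEY_DIR="/cfg/$(basename -- "$KEY_DIR")"
# Refuse to touch the persistent copy when there is nothing to replace it with
[ -d "$KEY_DIR" ] || exit 1
diff -b -B -q -r "$KEY_DIR" "$CFG_KEY_DIR" || {
  mount -uwo noatime /cfg || exit 1
  # Copy first and swap afterwards, so an interrupted run keeps the old keys;
  # -p keeps the restrictive modes on the private key files
  rm -fR "${CFG_KEY_DIR:?}.new" || exit 1
  cp -Rp "$KEY_DIR" "${CFG_KEY_DIR}.new" || exit 1
  rm -fR "${CFG_KEY_DIR:?}" || exit 1
  mv "${CFG_KEY_DIR}.new" "$CFG_KEY_DIR" || exit 1
}
```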
