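#!/bin/bash

# Container entrypoint: provisions the web-session secret and the OpenVPN PKI
# under /app/data (persistent) and the admin token under /run (ephemeral),
# patches openvpn.conf from the environment, installs the NAT rule and then
# hands off to supervisord.
#
# Required environment: CLOUDRON_APP_DOMAIN (set -u aborts if it is missing);
# VPN_TCP_PORT is read with an empty default by the config step.

# -e: abort on the first failing command, -u: unset variables are errors,
# -o pipefail: a failing producer in a pipeline (e.g. `dd | base64`) is not
# masked by a succeeding consumer, so a secret cannot be written out empty
# while the script carries on as if generation had succeeded.
set -eu -o pipefail

export NODE_ENV=production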

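# Creating a secret for web sessions.
# Persisted in /app/data so sessions survive restarts; it is only (re)generated
# when the file is missing or empty. An empty file would be the leftover of an
# interrupted earlier run and must not be accepted as a secret, hence -s not -f.
if [ ! -s /app/data/session.secret ]; then
    echo "==> Generating session secret"
    # 256 random bytes, base64 encoded (same on-disk format as before).
    # Going through a variable lets the value be checked for emptiness before
    # anything is written, instead of trusting a `dd | base64 > file` redirect
    # that leaves a zero-length file behind when the producer fails.
    session_secret=$(head -c 256 /dev/urandom | base64)
    if [ -z "${session_secret}" ]; then
        echo "==> ERROR: could not read random bytes for the session secret" >&2
        exit 1
    fi
    # Create the file with mode 0600: a session-signing secret must not be
    # world-readable inside the container. Ownership is handed to the app user
    # by the later "Fixing permissions" chown -R step.
    # NOTE(review): assumes only that user (or root) reads this file - confirm.
    ( umask 077; printf '%s\n' "${session_secret}" > /app/data/session.secret )
    chmod 600 /app/data/session.secret
fi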

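# Generate random management token for admin api.
# /run is not persisted, so a fresh token is issued on every start. The value
# is checked for emptiness before it is written so a failed read of
# /dev/urandom cannot leave a zero-length (i.e. trivially guessable) token.
admin_token=$(head -c 256 /dev/urandom | base64)
if [ -z "${admin_token}" ]; then
    echo "==> ERROR: could not read random bytes for the admin token" >&2
    exit 1
fi
# Mode 0600: the token authenticates the admin API, so no other user in the
# container may read it. The later chown -R hands /run to the cloudron user.
# NOTE(review): assumes the API's reader runs as cloudron or root - confirm.
( umask 077; printf '%s\n' "${admin_token}" > /run/admin-token )
chmod 600 /run/admin-token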

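# The first time this is run, initialize OpenVPN keys (persisted under
# /app/data/keys). On later starts, migrate any device key files still stored
# in the old flat "<user>:<device>" layout to /app/data/keys/<user>/<device>.
if [ ! -d /app/data/keys ]; then
    echo "==> Init OpenVPN CA"
    # shellcheck disable=SC1091 -- provides the KEY_* settings pkitool expects
    source /app/code/easyrsa/easyrsa-vars.sh
    /app/code/easyrsa/clean-all
    /app/code/easyrsa/pkitool --initca              # ca.key and ca.crt
    openvpn --genkey --secret /app/data/keys/ta.key # OpenVPN static key
    /app/code/easyrsa/build-dh
    /app/code/easyrsa/pkitool --server cloudron     # server key
else
    echo "==> Migrate keys to new layout"
    # Iterate with a shell glob instead of word-splitting `find` output, so a
    # name containing whitespace is handled as one path. nullglob makes an
    # unmatched pattern expand to nothing, which is the normal case once the
    # migration has already happened.
    shopt -s nullglob
    for path in /app/data/keys/*:*; do
        # Same selection as `find -maxdepth 0 -type f`: regular files only.
        if [ ! -f "${path}" ] || [ -L "${path}" ]; then
            continue
        fi
        file=${path##*/}
        username=${file%%:*}
        devicename=${file#*:} # with the file extension; keeps any further ':'
        # A name starting with ':' has no user part; leave it where it is
        # rather than dumping it directly into /app/data/keys/.
        if [ -z "${username}" ]; then
            echo "==> WARNING: skipping ${file}: no username part" >&2
            continue
        fi
        echo "==> moving ${file} (username: ${username} devicename: ${devicename})"
        # ${username} is a basename fragment without '/', and cannot be '.'
        # or '..' because it precedes a ':', so the target stays under keys/.
        mkdir -p "/app/data/keys/${username}"
        mv -- "${path}" "/app/data/keys/${username}/${devicename}"
    done
    shopt -u nullglob
fi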

# Initializing / regenerating the CRL file on every start, so certificates
# revoked while the server was down are rejected from the first connection.
# Must run after the PKI above exists.
printf '%s\n' "==> Creating CRL"
/app/code/regen-crl.sh

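# Writing OpenVPN config: seed /app/data/openvpn.conf from the template once,
# then patch the environment-dependent lines on every start.
echo "==> Generating OpenVPN config"
if [[ ! -f /app/data/openvpn.conf ]]; then
    cp /app/code/openvpn.conf.template /app/data/openvpn.conf
fi

# Validate the port before splicing it into the config: a non-numeric value
# would leave OpenVPN with an unparsable `port` line. An empty value is still
# passed through (the previous default behaviour) but is reported, because
# the resulting `port ` line cannot start OpenVPN either.
vpn_port=${VPN_TCP_PORT:-}
if [[ -n "${vpn_port}" && ! "${vpn_port}" =~ ^[0-9]{1,5}$ ]]; then
    echo "==> ERROR: VPN_TCP_PORT must be a port number, got '${vpn_port}'" >&2
    exit 1
fi
if [[ -z "${vpn_port}" ]]; then
    echo "==> WARNING: VPN_TCP_PORT is unset or empty; openvpn.conf will get an empty port line" >&2
fi

# CLOUDRON_APP_DOMAIN is required (set -u aborts if it is missing). Escape the
# characters that are special in a sed replacement (\ / &) so the value can
# only ever land in the config as literal text.
domain_sed=$(printf '%s' "${CLOUDRON_APP_DOMAIN}" | sed -e 's/[\/&\\]/\\&/g')

sed -e "s/^port .*/port ${vpn_port}/" \
    -e "s/^push \"dhcp-option DOMAIN .*\"/push \"dhcp-option DOMAIN ${domain_sed}\"/" \
    -i /app/data/openvpn.conf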

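# Add iptables rules for NATing VPN traffic.
# The VPN subnet comes from the `server <network> <netmask>` line of the
# config, which the user may have edited. Both fields are used so the rule
# follows the configured mask instead of a hard-coded /24; iptables accepts a
# dotted netmask after the slash.
network=$(sed -ne 's/^server \([^ ]*\) .*$/\1/p' /app/data/openvpn.conf | head -n 1)
netmask=$(sed -ne 's/^server [^ ]* \([^ ]*\).*$/\1/p' /app/data/openvpn.conf | head -n 1)
ipv4_re='^([0-9]{1,3}\.){3}[0-9]{1,3}$'
# Fail loudly on a missing or malformed server line: the previous code would
# have handed `-s /24` (or worse, an unquoted edited value) to iptables.
if [[ ! "${network}" =~ ${ipv4_re} || ! "${netmask}" =~ ${ipv4_re} ]]; then
    echo "==> ERROR: could not parse 'server <network> <netmask>' from /app/data/openvpn.conf (got '${network}' '${netmask}')" >&2
    exit 1
fi
echo "==> Configuring nat rules for ${network}"
# Check for an identical existing rule first so that a restart in a network
# namespace that survived does not append a duplicate on every start.
nat_rule=(POSTROUTING -s "${network}/${netmask}" -o eth0 -j MASQUERADE)
if ! iptables -t nat -C "${nat_rule[@]}" 2>/dev/null; then
    iptables -t nat -A "${nat_rule[@]}"
fi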

# Clear all hosts on startup.
# Only the directory is ensured to exist here; nothing is deleted. /run is
# expected to start empty for a new container, which is what "clear" relies on.
# NOTE(review): if /run ever persists across starts, old entries would remain.
mkdir -p -- /run/dnsmasq/hosts

# Fix permissions.
# Everything the app touches at runtime - persistent data including the PKI
# under /app/data/keys, plus the ephemeral /tmp and /run (admin token, dnsmasq
# hosts) - is handed to the cloudron user, presumably the user the
# supervisord-managed programs run as (supervisord.conf is not visible here).
printf '%s\n' "==> Fixing permissions"
chown -R cloudron:cloudron /app/data /tmp /run

printf '%s\n' "Starting OpenVPN"
# Replace this shell with supervisord so it becomes the container's main
# process and receives signals directly; it never returns on success.
exec /usr/bin/supervisord --configuration /etc/supervisor/supervisord.conf --nodaemon -i OpenVPN