Updated some of the post-install instruction text; reworked gencerts.sh entirely to use OpenSSL configuration files and V3 extensions for the certs.

2026-03-09 14:12:31 +01:00
parent 3da6a5f3f8
commit e6fc0aec2a
3 changed files with 110 additions and 28 deletions


@@ -1058,6 +1058,8 @@ TP-LINK ROUTERS:
use $publicip if you are forwarding port 53, or $localip if not. use $publicip if you are forwarding port 53, or $localip if not.
if you use $localip, the device will not have DNS outside of your local network. if you use $localip, the device will not have DNS outside of your local network.
based on your configuration, you should probably use $dns_ip
you only need to do this for devices that have a static ip address, devices that get their ip assigned via DHCP (which is default for most devices, especially wireless ones) get their DNS address from the router. you only need to do this for devices that have a static ip address, devices that get their ip assigned via DHCP (which is default for most devices, especially wireless ones) get their DNS address from the router.
WINDOWS: WINDOWS:
@@ -1065,7 +1067,7 @@ WINDOWS:
1. Open Network Settings (Win+I > Network & Internet) 1. Open Network Settings (Win+I > Network & Internet)
2. Select your connection (Wi-Fi/Ethernet) 2. Select your connection (Wi-Fi/Ethernet)
3. Click "Hardware properties" > "Edit" next to DNS 3. Click "Hardware properties" > "Edit" next to DNS
4. Set manual DNS to $localip or $publicip 4. Set manual DNS to $dns_ip
5. Save changes 5. Save changes
MACOS: MACOS:
@@ -1073,7 +1075,7 @@ MACOS:
1. Open System Preferences > Network 1. Open System Preferences > Network
2. Select your connection 2. Select your connection
3. Click "Advanced" > DNS tab 3. Click "Advanced" > DNS tab
4. Add $localip or $publicip to DNS servers 4. Add $dns_ip to DNS servers
5. Click "OK" > "Apply" 5. Click "OK" > "Apply"
LINUX (NETWORK MANAGER): LINUX (NETWORK MANAGER):
@@ -1082,7 +1084,7 @@ LINUX (NETWORK MANAGER):
nm-connection-editor nm-connection-editor
2. Select your connection 2. Select your connection
3. Go to IPv4/IPv6 settings 3. Go to IPv4/IPv6 settings
4. Set DNS to $localip or $publicip 4. Set DNS to $dns_ip
5. Save and restart connection 5. Save and restart connection
ANDROID: ANDROID:
@@ -1091,14 +1093,14 @@ ANDROID:
2. Long-press your network > Modify network 2. Long-press your network > Modify network
3. Enable "Advanced options" 3. Enable "Advanced options"
4. Set IP to static 4. Set IP to static
5. Enter DNS as $localip or $publicip 5. Enter DNS as $dns_ip
IOS: IOS:
---- ----
1. Open Wi-Fi settings 1. Open Wi-Fi settings
2. Tap (i) next to your network 2. Tap (i) next to your network
3. Configure DNS > Manual 3. Configure DNS > Manual
4. Add $localip or $publicip 4. Add $dns_ip
5. Save changes 5. Save changes
EOF EOF
@@ -1219,6 +1221,15 @@ for the certificate key, use the wildcard.key file
for the certificate, use the wildcard.crt file for the certificate, use the wildcard.crt file
for the intermediate certificate, use the intermediate.crt file for the intermediate certificate, use the intermediate.crt file
after this, go to the Hosts > proxy hosts tab and go through each of the hosts
repeat for each host:
>go to the SSL tab
>select your certificate
>enable force SSL
in the case of owncloud you may also want to enable HTTP/2
then hit save.
because this certificate is not backed by a public certificate authority like letsencrypt, you have to manually trust the root cert on each device you want to use the cloud on, or deal with "certificate untrusted" warnings. because this certificate is not backed by a public certificate authority like letsencrypt, you have to manually trust the root cert on each device you want to use the cloud on, or deal with "certificate untrusted" warnings.
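Review bot: The new Nginx Proxy Manager instructions end by telling the reader to "manually trust the root cert on each device" without naming the file; gencerts.sh in this same commit writes rootCA.crt next to rootCA.pfx and rootCA.p12, and those two bundles carry the CA private key with an empty export password, so the text should steer users to the certificate only. I would add one line after the proxy-host steps: `>to trust the CA on a device, import only rootCA.crt (never rootCA.pfx or rootCA.p12, which contain the CA private key)`. The heredoc this text lives in opens outside the hunk, so whether `$dns_ip` in the first hunk is actually expanded, and where it is set, cannot be confirmed from here.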


@@ -1,64 +1,134 @@
#!/bin/bash #!/bin/bash
# Script to generate modern self-signed certificates for Nginx Proxy Manager with OpenSSL v3 extensions
# Script to generate self-signed certificates for Nginx Proxy Manager
# Prompt for domain # Prompt for domain
read -p "Enter the domain for the certificates (e.g., example.com): " DOMAIN read -p "Enter the domain for the certificates (e.g., example.com): " DOMAIN
if [ -z "$DOMAIN" ]; then if [ -z "$DOMAIN" ]; then
echo "Error: Domain not provided." echo "Error: Domain not provided."
exit 1 exit 1
fi fi
CERTS_DIR="/opt/files/certs/" CERTS_DIR="/opt/files/certs/"
# Create certs directory if it doesn't exist
mkdir -p "$CERTS_DIR" mkdir -p "$CERTS_DIR"
# Create OpenSSL configuration files
cat > "$CERTS_DIR/openssl_root_ca.cnf" <<EOF
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = v3_ca
[ req_distinguished_name ]
CN = $DOMAIN Root CA
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, keyCertSign, cRLSign
EOF
cat > "$CERTS_DIR/openssl_intermediate_ca.cnf" <<EOF
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
[ req_distinguished_name ]
CN = $DOMAIN Intermediate CA
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, keyCertSign, cRLSign
EOF
cat > "$CERTS_DIR/openssl_wildcard.cnf" <<EOF
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
req_extensions = v3_req
[ req_distinguished_name ]
CN = *.$DOMAIN
[ v3_req ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = $DOMAIN
DNS.2 = *.$DOMAIN
EOF
# Function to generate root CA # Function to generate root CA
generate_root_ca() { generate_root_ca() {
echo "Generating Root CA..." echo "Generating Root CA..."
openssl genrsa -out "$CERTS_DIR/rootCA.key" 4096 openssl genrsa -out "$CERTS_DIR/rootCA.key" 4096
openssl req -x509 -new -nodes -key "$CERTS_DIR/rootCA.key" -sha256 -days 3650 -out "$CERTS_DIR/rootCA.crt" -subj "/CN=$DOMAIN Root CA" openssl req -x509 -new -nodes -key "$CERTS_DIR/rootCA.key" \
-sha256 -days 3650 -out "$CERTS_DIR/rootCA.crt" \
-config "$CERTS_DIR/openssl_root_ca.cnf" -extensions v3_ca
} }
# Function to generate intermediate CA # Function to generate intermediate CA
generate_intermediate_ca() { generate_intermediate_ca() {
echo "Generating Intermediate CA..." echo "Generating Intermediate CA..."
openssl genrsa -out "$CERTS_DIR/intermediateCA.key" 4096 openssl genrsa -out "$CERTS_DIR/intermediateCA.key" 4096
openssl req -new -key "$CERTS_DIR/intermediateCA.key" -out "$CERTS_DIR/intermediateCA.csr" -subj "/CN=$DOMAIN Intermediate CA" openssl req -new -key "$CERTS_DIR/intermediateCA.key" \
openssl x509 -req -in "$CERTS_DIR/intermediateCA.csr" -CA "$CERTS_DIR/rootCA.crt" -CAkey "$CERTS_DIR/rootCA.key" -CAcreateserial -out "$CERTS_DIR/intermediateCA.crt" -days 3650 -sha256 -out "$CERTS_DIR/intermediateCA.csr" \
-config "$CERTS_DIR/openssl_intermediate_ca.cnf"
openssl x509 -req -in "$CERTS_DIR/intermediateCA.csr" \
-CA "$CERTS_DIR/rootCA.crt" -CAkey "$CERTS_DIR/rootCA.key" \
-CAcreateserial -out "$CERTS_DIR/intermediateCA.crt" \
-days 3650 -sha256 -extfile "$CERTS_DIR/openssl_intermediate_ca.cnf" \
-extensions v3_ca
} }
# Function to generate wildcard certificate # Function to generate wildcard certificate
generate_wildcard_cert() { generate_wildcard_cert() {
echo "Generating Wildcard Certificate..." echo "Generating Wildcard Certificate..."
openssl genrsa -out "$CERTS_DIR/wildcard.key" 4096 openssl genrsa -out "$CERTS_DIR/wildcard.key" 4096
openssl req -new -key "$CERTS_DIR/wildcard.key" -out "$CERTS_DIR/wildcard.csr" -subj "/CN=*.$DOMAIN" -addext "subjectAltName = DNS:$DOMAIN,DNS:*.$DOMAIN" openssl req -new -key "$CERTS_DIR/wildcard.key" \
openssl x509 -req -in "$CERTS_DIR/wildcard.csr" -CA "$CERTS_DIR/intermediateCA.crt" -CAkey "$CERTS_DIR/intermediateCA.key" -CAcreateserial -out "$CERTS_DIR/wildcard.crt" -days 3650 -sha256 -out "$CERTS_DIR/wildcard.csr" \
-config "$CERTS_DIR/openssl_wildcard.cnf"
openssl x509 -req -in "$CERTS_DIR/wildcard.csr" \
-CA "$CERTS_DIR/intermediateCA.crt" -CAkey "$CERTS_DIR/intermediateCA.key" \
-CAcreateserial -out "$CERTS_DIR/wildcard.crt" \
-days 3650 -sha256 -extfile "$CERTS_DIR/openssl_wildcard.cnf" \
-extensions v3_req
} }
# Function to export certificates for cross-platform compatibility # Function to export certificates for cross-platform compatibility
export_certs() { export_certs() {
echo "Exporting certificates for cross-platform compatibility..." echo "Exporting certificates for cross-platform compatibility..."
# Export root CA to .pfx (Windows) # Export root CA to .pfx (Windows)
openssl pkcs12 -export -out "$CERTS_DIR/rootCA.pfx" -inkey "$CERTS_DIR/rootCA.key" -in "$CERTS_DIR/rootCA.crt" -passout pass: openssl pkcs12 -export -out "$CERTS_DIR/rootCA.pfx" \
-inkey "$CERTS_DIR/rootCA.key" -in "$CERTS_DIR/rootCA.crt" -passout pass:
# Export intermediate CA to .pfx (Windows) # Export intermediate CA to .pfx (Windows)
openssl pkcs12 -export -out "$CERTS_DIR/intermediateCA.pfx" -inkey "$CERTS_DIR/intermediateCA.key" -in "$CERTS_DIR/intermediateCA.crt" -passout pass: openssl pkcs12 -export -out "$CERTS_DIR/intermediateCA.pfx" \
-inkey "$CERTS_DIR/intermediateCA.key" -in "$CERTS_DIR/intermediateCA.crt" -passout pass:
# Export wildcard cert to .pfx (Windows) # Export wildcard cert to .pfx (Windows)
openssl pkcs12 -export -out "$CERTS_DIR/wildcard.pfx" -inkey "$CERTS_DIR/wildcard.key" -in "$CERTS_DIR/wildcard.crt" -passout pass: openssl pkcs12 -export -out "$CERTS_DIR/wildcard.pfx" \
-inkey "$CERTS_DIR/wildcard.key" -in "$CERTS_DIR/wildcard.crt" -passout pass:
# Export root CA to .p12 (Cross-platform) # Export root CA to .p12 (Cross-platform)
openssl pkcs12 -export -out "$CERTS_DIR/rootCA.p12" -inkey "$CERTS_DIR/rootCA.key" -in "$CERTS_DIR/rootCA.crt" -passout pass: openssl pkcs12 -export -out "$CERTS_DIR/rootCA.p12" \
-inkey "$CERTS_DIR/rootCA.key" -in "$CERTS_DIR/rootCA.crt" -passout pass:
# Export intermediate CA to .p12 (Cross-platform) # Export intermediate CA to .p12 (Cross-platform)
openssl pkcs12 -export -out "$CERTS_DIR/intermediateCA.p12" -inkey "$CERTS_DIR/intermediateCA.key" -in "$CERTS_DIR/intermediateCA.crt" -passout pass: openssl pkcs12 -export -out "$CERTS_DIR/intermediateCA.p12" \
-inkey "$CERTS_DIR/intermediateCA.key" -in "$CERTS_DIR/intermediateCA.crt" -passout pass:
# Export wildcard cert to .p12 (Cross-platform) # Export wildcard cert to .p12 (Cross-platform)
openssl pkcs12 -export -out "$CERTS_DIR/wildcard.p12" -inkey "$CERTS_DIR/wildcard.key" -in "$CERTS_DIR/wildcard.crt" -passout pass: openssl pkcs12 -export -out "$CERTS_DIR/wildcard.p12" \
-inkey "$CERTS_DIR/wildcard.key" -in "$CERTS_DIR/wildcard.crt" -passout pass:
} }
# Main script execution # Main script execution
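Review bot: export_certs still wraps the root and intermediate CA private keys into .pfx/.p12 bundles with an empty password (`-passout pass:`); trusting the chain on a device needs only rootCA.crt, and Nginx Proxy Manager takes wildcard.key and wildcard.crt directly, so the CA-key bundles are an unnecessary second copy of the signing keys that anyone able to read $CERTS_DIR can import. I would drop the rootCA and intermediateCA pkcs12 exports, and in any case tighten the directory before any key is written, e.g. `umask 077` near the top and `mkdir -p "$CERTS_DIR" && chmod 700 "$CERTS_DIR"`, since the current `mkdir -p` inherits the default umask. The wildcard leaf is issued with `-days 3650`; Apple platforms reject TLS server certificates valid for more than 825 days even when they chain to a manually trusted private root, and the post-install text explicitly targets iOS and macOS, so `-days 825` on the wildcard `openssl x509 -req` call is the safer value. The script has no `set -e`, so a failing `openssl genrsa` is not caught and the following `openssl req`/`x509` calls run against a missing key; the main execution section begins after this hunk.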


@@ -9,7 +9,8 @@ services:
volumes: volumes:
- /opt/stacks:/srv/stacks - /opt/stacks:/srv/stacks
- /opt/stacks/jellyfin/media:/srv/media - /opt/stacks/jellyfin/media:/srv/media
- /opt/stacks/setup:/srv/setup - /opt/stacks/setup/npmcertlist.txt:/srv/npm_cert_list.txt
- /opt/files:/srv/files
- ./filebrowser.db:/database.db - ./filebrowser.db:/database.db
restart: unless-stopped restart: unless-stopped
networks: networks:
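Review bot: The new `- /opt/files:/srv/files` volume exposes all of /opt/files to this container, while gencerts.sh in this same commit writes the CA private keys, the OpenSSL config files and the passwordless .pfx/.p12 bundles to /opt/files/certs/; if this service is the file browser, as the `./filebrowser.db:/database.db` line suggests, those keys become browsable and downloadable through its web UI. Either keep $CERTS_DIR outside /opt/files or mount only the subdirectories the browser should serve instead of the parent, e.g. `- /opt/files/<shared-subdir>:/srv/files` (constructed placeholder path). A read-only mount would not help here, since the concern is disclosure rather than modification. The service name and image are outside the hunk, so the filebrowser identification is inferred.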