Diffstat (limited to 'meta-unit-core/dynamic-layers/virtualization-layer/recipes-core')
3 files changed, 76 insertions, 0 deletions
diff --git a/meta-unit-core/dynamic-layers/virtualization-layer/recipes-core/systemd/systemd-regkeygen.bb b/meta-unit-core/dynamic-layers/virtualization-layer/recipes-core/systemd/systemd-regkeygen.bb
new file mode 100644
index 0000000..5acae19
--- /dev/null
+++ b/meta-unit-core/dynamic-layers/virtualization-layer/recipes-core/systemd/systemd-regkeygen.bb
@@ -0,0 +1,30 @@
+SUMMARY = "Systemd service for generating TLS key and cert for local registry"
+SECTION = "core"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
+
+SYSTEMD_SERVICE:${PN} = "regkeygen.service"
+
+SRC_URI = "\
+ file://regkeygen.service \
+ file://regkeygen.sh \
+"
+
+S = "${UNPACKDIR}"
+
+do_install() {
+ install -D -p -m0644 ${UNPACKDIR}/regkeygen.service ${D}${systemd_system_unitdir}/regkeygen.service
+ install -D -p -m0755 ${UNPACKDIR}/regkeygen.sh ${D}${bindir}/regkeygen.sh
+}
+
+inherit systemd
+
+FILES:${PN} = "\
+ ${systemd_system_unitdir} \
+ ${bindir} \
+"
+
+RDEPENDS:${PN} = "\
+ openssl \
+ ca-certificates \
+"
diff --git a/meta-unit-core/dynamic-layers/virtualization-layer/recipes-core/systemd/systemd-regkeygen/regkeygen.service b/meta-unit-core/dynamic-layers/virtualization-layer/recipes-core/systemd/systemd-regkeygen/regkeygen.service
new file mode 100644
index 0000000..07c2b87
--- /dev/null
+++ b/meta-unit-core/dynamic-layers/virtualization-layer/recipes-core/systemd/systemd-regkeygen/regkeygen.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=Generate registry TLS keys for device
+ConditionPathExists=!/etc/registry/domain.crt
+ConditionPathExists=!/etc/registry/domain.key
+After=time-sync.target
+Wants=time-sync.target systemd-time-wait-sync.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/regkeygen.sh
+
+[Install]
+WantedBy=multi-user.target
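Review bot: `RDEPENDS:${PN}` lists `openssl`, but regkeygen.sh invokes the `openssl` command-line tool, which OE-core normally ships in the separate `openssl-bin` package (worth confirming against the openssl recipe this layer builds with). If the binary is missing from the image, the script exits under `set -e` on first boot and the registry is left without a key or certificate. I would name the tool package explicitly, adding `openssl-bin \` alongside `openssl \`.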
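Review bot: The two `ConditionPathExists=!…` lines are ANDed by systemd, so the unit is skipped as soon as either file exists. A run that fails after `domain.key` is written but before `domain.crt` is complete leaves a half-provisioned device that never retries. Marking both as triggering conditions, `ConditionPathExists=|!/etc/registry/domain.crt` and `ConditionPathExists=|!/etc/registry/domain.key`, runs the generator whenever either file is missing. Separately, regkeygen.sh issues the certificate with `-days 365` and nothing visible here re-runs generation after expiry, so a comment stating the intended renewal path would help.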
diff --git a/meta-unit-core/dynamic-layers/virtualization-layer/recipes-core/systemd/systemd-regkeygen/regkeygen.sh b/meta-unit-core/dynamic-layers/virtualization-layer/recipes-core/systemd/systemd-regkeygen/regkeygen.sh
new file mode 100644
index 0000000..5edf519
--- /dev/null
+++ b/meta-unit-core/dynamic-layers/virtualization-layer/recipes-core/systemd/systemd-regkeygen/regkeygen.sh
@@ -0,0 +1,33 @@
+#!/bin/sh
+
+set -e
+
+echo "Generating TLS certificate and key for local registry..."
+
+mkdir -p /etc/registry
+openssl req -x509 -newkey ec \
+ -pkeyopt ec_paramgen_curve:P-256 \
+ -keyout /etc/registry/domain.key \
+ -out /etc/registry/domain.crt \
+ -days 365 \
+ -nodes \
+ -subj '/C=US/ST=Minnesota/L=St. Paul/O=Closed Circuit Consulting/OU=/CN=localhost/emailAddress=unitexe70@gmail.com' \
+ -addext 'subjectAltName=DNS:localhost,IP:127.0.0.1,IP:::1'
+
+echo "Setting permissions on generated artifacts..."
+
+chmod 640 /etc/registry/domain.key
+chmod 644 /etc/registry/domain.crt
+
+echo "Adding CA to system trust store..."
+
+mkdir -p /usr/local/share/ca-certificates
+cp /etc/registry/domain.crt /usr/local/share/ca-certificates/registry.crt
+update-ca-certificates
+
+echo "Adding CA to containers trust store..."
+
+mkdir -p /etc/containers/certs.d/localhost:5000/
+cp /etc/registry/domain.crt /etc/containers/certs.d/localhost:5000/ca.crt
+
+echo "Registry TLS configuration created and ready for use" |
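Review bot: The self-signed certificate whose unencrypted key (`-nodes`) sits in `/etc/registry/domain.key` is also copied into `/usr/local/share/ca-certificates` and trusted system-wide, and the `openssl req -x509` call sets no `basicConstraints`, so depending on the device's openssl.cnf it may be issued with CA:TRUE. In that case anyone who can read the key can sign certificates for arbitrary hostnames that every TLS client on the device will accept. The `certs.d/localhost:5000/ca.crt` copy already scopes trust to the registry, so consider dropping the `update-ca-certificates` step unless another client needs it. I would also pin the certificate to a leaf with `-addext 'basicConstraints=critical,CA:FALSE'` and `-addext 'extendedKeyUsage=serverAuth'`. `chmod 640` additionally leaves the key group-readable; `chmod 600` is enough if the registry reads it as root, which this hunk does not show.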
