feat: Initial commit

2025-11-08 18:21:46 +01:00 · 2025-11-08 18:21:46 +01:00 · 17973e866b
commit 17973e866b
44 changed files with 1444 additions and 0 deletions
--- a/scripts/EXAMPLE-CERT-CREATION.md
+++ b/scripts/EXAMPLE-CERT-CREATION.md
@ -0,0 +1,21 @@
+# Example of the cert creation for the Nginx setup
+
+## Creation
+
+Please execute the following script `bash create-tls-certs.sh` to create all necessary certificates for the complete setup of all related components.
+
+## Adaptation
+
+Please adjust the configuration files inside the [config](./config) folder and adapt the corresponding values for the req_distinguished_names and subjectAltNames based on your organisation and configuration. You can find [here](https://support.dnsimple.com/articles/what-is-common-name/) and [here](https://learn.microsoft.com/en-us/azure/application-gateway/self-signed-certificates) more information about the corresponding values and CA certificates in general.
+
+## Ca Certificates
+
+### Nginx
+
+Describes the Certificate Authority (certificate & key) for the Nginx server.
+
+## Server Certificates
+
+### Nginx
+
+Describes the server certificate and key for the Nginx server, and it's signed by the Nginx CA.
--- a/scripts/certs/.placeholder
+++ b/scripts/certs/.placeholder
--- a/scripts/config/ca_nginx.conf
+++ b/scripts/config/ca_nginx.conf
@ -0,0 +1,20 @@
+[req]
+distinguished_name = req_distinguished_name
+default_bits = 4096
+prompt = no
+default_md = sha256
+
+[req_distinguished_name]
+C = DE
+ST = Baden-Wuerttemberg
+L = Mannheim
+O = TheIOTStudio
+CN = Pretix Nginx CA
+emailAddress = info@theiotstudio.com
+
+[ext]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer
+basicConstraints = critical, CA:TRUE, pathlen:3
+keyUsage = critical, cRLSign, keyCertSign
+nsCertType = sslCA, emailCA
--- a/scripts/config/server_nginx.conf
+++ b/scripts/config/server_nginx.conf
@ -0,0 +1,19 @@
+[req]
+distinguished_name = req_distinguished_name
+req_extensions = v3_req
+default_bits = 4096
+prompt = no
+default_md = sha256
+
+[req_distinguished_name]
+C = DE
+ST = Baden-Wuerttemberg
+L = Mannheim
+O = TheIOTStudio
+CN = Pretix Nginx Server
+emailAddress = info@theiotstudio.com
+
+[v3_req]
+keyUsage = keyEncipherment, dataEncipherment, digitalSignature
+extendedKeyUsage = serverAuth, clientAuth
+subjectAltName=IP:<IP address of the Nginx server> or DNS:<DNS address of the Nginx server>
--- a/scripts/create-tls-certs.sh
+++ b/scripts/create-tls-certs.sh
@ -0,0 +1,18 @@
+#!/bin/sh
+
+# Switch the directory
+echo "Switch the directory"
+path=$(pwd)/config
+cd certs
+
+# Create the Nginx ca
+echo "Create the Nginx ca"
+openssl req -new -x509 -sha256 -newkey rsa:4096 -nodes -keyout ca_nginx.key -out ca_nginx.crt -days 3650 \
+-extensions ext \
+-config $path/ca_nginx.conf
+
+# Create the server certificates
+echo "Create the Nginx server certificates"
+openssl genrsa -out nginx.key 4096
+openssl req -new -key nginx.key -out nginx.csr -extensions v3_req -config $path/server_nginx.conf
+openssl x509 -inform pem -req -days 1825 -in nginx.csr -CA ca_nginx.crt -CAkey ca_nginx.key -CAcreateserial -out nginx.crt -extensions v3_req -extfile $path/server_nginx.conf