community-scripts/ProxmoxVED
5
0
Fork 0
Code Issues Pull Requests Actions 6 Packages Projects Releases Wiki Activity

Update install/step-ca-install.sh

Browse Source 
Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
This commit is contained in:
Joerg Heinemann 2026-02-03 18:37:51 +01:00 committed by GitHub
parent afd10e2516
commit 96b786d647
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 56 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

58
install/step-ca-install.sh
View File

@ -100,8 +100,62 @@ $STD step ca provisioner update "$AcmeProvisioner" \
msg_ok "Updated provisioner configurations"
msg_info "Start step-ca as a Daemon"
ServiceFileGitHUB="https://raw.githubusercontent.com/smallstep/certificates/refs/heads/master/systemd/step-ca.service"
$STD curl -fsSL $ServiceFileGitHUB >/etc/systemd/system/step-ca.service
msg_info "Start step-ca as a Daemon"
cat <<'EOF' >/etc/systemd/system/step-ca.service
[Unit]
Description=step-ca service
Documentation=https://smallstep.com/docs/step-ca
Documentation=https://smallstep.com/docs/step-ca/certificate-authority-server-production
After=network-online.target
Wants=network-online.target
StartLimitIntervalSec=30
StartLimitBurst=3
ConditionFileNotEmpty=/etc/step-ca/config/ca.json
ConditionFileNotEmpty=/etc/step-ca/password.txt
[Service]
Type=simple
User=step
Group=step
Environment=STEPPATH=/etc/step-ca
WorkingDirectory=/etc/step-ca
ExecStart=/usr/bin/step-ca config/ca.json --password-file password.txt
ExecReload=/bin/kill -USR1 $MAINPID
Restart=on-failure
RestartSec=5
TimeoutStopSec=30
StartLimitAction=reboot
; Process capabilities & privileges
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
SecureBits=keep-caps
NoNewPrivileges=yes
; Sandboxing
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@resources @privileged
RestrictNamespaces=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
PrivateMounts=yes
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectSystem=strict
ProtectHome=yes
ReadWritePaths=/etc/step-ca/db
; Read only paths
ReadOnlyPaths=/etc/step-ca
[Install]
WantedBy=multi-user.target
EOF
systemctl enable -q --now step-ca
$STD systemctl enable -q --now step-ca
msg_ok "Started step-ca as a Daemon"