From 9fb72a3fcefd91dcb01ce9a2a7389492a943722d Mon Sep 17 00:00:00 2001 From: Keith Irwin Date: Sat, 10 Sep 2022 10:54:30 -0600 Subject: [PATCH] Prepared loggin on ssl_peer_add --- back/lib/ssl_peer_add | 33 ++++++++++++++++++++++----------- back/srv/dashboard/Dockerfile | 15 ++++++++++++++- 2 files changed, 36 insertions(+), 12 deletions(-) diff --git a/back/lib/ssl_peer_add b/back/lib/ssl_peer_add index 67cd00e..cbecd3b 100755 --- a/back/lib/ssl_peer_add +++ b/back/lib/ssl_peer_add @@ -12,11 +12,22 @@ CONFIG_FILE='/etc/wgapi/config' -[ ${#} -eq 0 ] || exit 3 -(( EUID == 0 )) || exit 6 -[ -f "${CONFIG_FILE}" ] || exit 4 -[ -x '/usr/bin/openssl' ] || exit 5 -[ -f '/etc/ssl/openssl.cnf' ] || exit 5 +[ ${#} -eq 0 ] || ( + printf 'ERROR! Invalid number of arguments to %s: %s\n' "${0}" "${*}" >>"${LOGFILE}" + exit 3 +) +[ -f "${CONFIG_FILE}" ] || ( + printf 'ERROR! %s couldnt find %s\n' "${0}" "${*}" >>"${LOGFILE}" + exit 4 +) +[ -x '/usr/bin/openssl' ] || ( + printf 'ERROR! /usr/bin/openssl not found!\n' >>"${LOGFILE}" + exit 5 +) +[ -f '/etc/ssl/openssl.cnf' ] || ( + printf 'ERROR! /etc/ssl/openssl.cnf not found!\n' >>"${LOGFILE}" + exit 5 +) source "${CONFIG_FILE}" hostname="${1}" @@ -26,7 +37,7 @@ ipstring="${3}" printf 'Signing SSL certs for %s.%s.%s...\n' "${hostname}" "${username}" "${TLD}" >>"${LOGFILE}" # Generate key -/usr/bin/openssl genrsa -out "${SSL_CONFIG_DIR:?}/${username:?}/${hostname:?}/server.key" >/dev/null 2>&1 || ( +sudo /usr/bin/openssl genrsa -out "${SSL_CONFIG_DIR:?}/${username:?}/${hostname:?}/server.key" >/dev/null 2>&1 || ( printf 'Failed to generate SSL key %s/%s/server.key\n' "${username}" "${hostname}" >>"${LOGFILE}" exit 7 ) 
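Review bot: The four new guards no longer stop the script, because `exit` inside a `( … )` subshell only ends that subshell; after logging a missing config file or openssl binary the script carries on, whereas the removed `|| exit N` forms did abort. Use a brace group so the exit applies to the script itself, e.g. `[ -f "${CONFIG_FILE}" ] || { printf 'ERROR! %s couldnt find %s\n' "${0}" "${CONFIG_FILE}" >>"${LOGFILE}"; exit 4; }`, which also fixes that message printing the positional arguments `${*}` instead of the file it failed to find. Once the guards really exit, `[ ${#} -eq 0 ]` will reject every call that passes hostname/username/ipstring, so it looks as if `-ne 0` (or the expected count) was intended. These log writes also run before `source "${CONFIG_FILE}"`; if LOGFILE is only defined in that config (lines above 12 are outside the hunk), the redirect target is empty and bash reports an ambiguous redirect. Dropping `(( EUID == 0 )) || exit 6` with no replacement means the later non-sudo steps, such as the `cat '/etc/ssl/openssl.cnf' <(printf '%s' "${san}")` write seen in the following hunk headers, now run as the invoking user and need that directory writable by it.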
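Review bot: `sudo` is invoked without `-n` here and in the later sudo lines (the chmod 400, req, x509, chmod 644 and rm hunks); when the sudoers rule does not match, sudo tries to prompt for a password, and from a CGI process with no tty that failure shows up only as the generic exit-7 message because `>/dev/null 2>&1` also discards openssl's own stderr. Prefer `sudo -n /usr/bin/openssl genrsa -out "…/server.key" 2>>"${LOGFILE}" >/dev/null || (` so a denied elevation or a key-generation error lands in the log this commit is preparing. Ownership changes too: server.key is now created by root rather than the invoking user, which the following `sudo chmod 400` accommodates, but any non-sudo step that reads the key later in the script would fail.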
@@ -34,7 +45,7 @@ printf 'Signing SSL certs for %s.%s.%s...\n' "${hostname}" "${username}" "${TLD} printf 'SSL key %s/%s/server.key was not generated!\n' "${username}" "${hostname}" >>"${LOGFILE}" exit 7 ) -chmod 400 "${SSL_CONFIG_DIR}/${username}/${hostname}/server.key" || ( +sudo chmod 400 "${SSL_CONFIG_DIR}/${username}/${hostname}/server.key" || ( printf 'Failed to chmod SSL key %s/%s/server.key\n' "${username}" "${hostname}" >>"${LOGFILE}" exit 7 ) @@ -49,7 +60,7 @@ cat '/etc/ssl/openssl.cnf' <(printf '%s' "${san}") \ ) # Generate CSR -/usr/bin/openssl req -new -sha256 -reqexts SAN \ +sudo /usr/bin/openssl req -new -sha256 -reqexts SAN \ -key "${SSL_CONFIG_DIR}/${username}/${hostname}/server.key" \ -out "${SSL_CONFIG_DIR}/${username}/${hostname}.csr" \ -config "${SSL_CONFIG_DIR}/${username}/${hostname}.cnf" \ @@ -60,7 +71,7 @@ cat '/etc/ssl/openssl.cnf' <(printf '%s' "${san}") \ ) # Generate cert -/usr/bin/openssl x509 -req -sha256 -extensions SAN -CAcreateserial \ +sudo /usr/bin/openssl x509 -req -sha256 -extensions SAN -CAcreateserial \ -extfile "${SSL_CONFIG_DIR}/${username}/${hostname}.cnf" \ -in "${SSL_CONFIG_DIR}/${username}/${hostname}.csr" \ -CA "${SSL_CA_CERT}" -CAkey "${SSL_CA_KEY}" \ 
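Review bot: The `-config "${SSL_CONFIG_DIR}/${username}/${hostname}.cnf"` file that this now root-level `openssl req` reads is assembled by the unprivileged `cat '/etc/ssl/openssl.cnf' <(printf '%s' "${san}")` step shown in the hunk header, so its contents cross a privilege boundary. If `hostname`, `username` or `ipstring` come from the HTTP request (the script's callers are outside this diff), validate them against a strict allow-list before they reach `san` or a path, e.g. `[[ "${hostname}" =~ ^[A-Za-z0-9-]+$ && "${username}" =~ ^[A-Za-z0-9_-]+$ ]] || exit 3`, since an OpenSSL config is a directive file rather than inert data. The same consideration applies to the `-extfile` argument in the x509 hunk below, which is the same file.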
@@ -74,12 +85,12 @@ cat '/etc/ssl/openssl.cnf' <(printf '%s' "${san}") \ printf 'SSL key %s/%s/server.crt was not generated!\n' "${username}" "${hostname}" >>"${LOGFILE}" exit 7 ) -chmod 644 "${SSL_CONFIG_DIR}/${username}/${hostname}/server.crt" || ( +sudo chmod 644 "${SSL_CONFIG_DIR}/${username}/${hostname}/server.crt" || ( printf 'Failed to chmod SSL cert %s/%s/server.crt\n' "${username}" "${hostname}" >>"${LOGFILE}" exit 7 ) # Remove old files -rm "${SSL_CONFIG_DIR}/${username}/${hostname}.cnf" "${SSL_CONFIG_DIR}/${username}/${hostname}.csr" 2>/dev/null +sudo rm "${SSL_CONFIG_DIR}/${username}/${hostname}.cnf" "${SSL_CONFIG_DIR}/${username}/${hostname}.csr" 2>/dev/null printf 'SSL certs for %s.%s.%s are ready\n' "${hostname}" "${username}" "${TLD}" >>"${LOGFILE}" \ No newline at end of file diff --git a/back/srv/dashboard/Dockerfile b/back/srv/dashboard/Dockerfile index 805ed0c..f672e47 100644 --- a/back/srv/dashboard/Dockerfile +++ b/back/srv/dashboard/Dockerfile @@ -1,9 +1,15 @@ FROM debian:latest + +# Change these ENV LISTEN_PORT=8080 ENV ADMIN_EMAIL='me@example.com' + +# Install deps RUN apt-get update && apt-get install --yes \ sudo curl apache2 openssl wireguard-tools dnsutils ipv6calc jq \ && rm -rf /var/lib/apt/lists/* + +# Configure apache RUN a2enmod cgi rewrite RUN sed -i "s/^Listen 80$/Listen ${LISTEN_PORT}/" \ /etc/apache2/ports.conf 
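Review bot: `sudo rm "${SSL_CONFIG_DIR}/${username}/${hostname}.cnf" …` deletes paths built from script inputs with root privileges, and its `2>/dev/null` plus unchecked exit status make a failure or a sudo denial silent while the script still logs that the certs are ready. Reject path separators and `..` in the components before any of the sudo lines, e.g. `[[ "${username}" == */* || "${username}" == *..* || "${hostname}" == */* || "${hostname}" == *..* ]] && exit 3`, and log the cleanup result: `… 2>>"${LOGFILE}" || printf 'Failed to remove temp files for %s/%s\n' "${username}" "${hostname}" >>"${LOGFILE}"`. The 'are ready' line that follows is then only reached on a clean run.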
@@ -13,8 +19,15 @@ RUN sed -i "s/ServerAdmin .*$/ServerAdmin ${ADMIN_EMAIL}/" \
 /etc/apache2/sites-available/000-default.conf
 RUN sed -i "s|DocumentRoot .*$|DocumentRoot /var/www/cgi-bin\n\tScriptAlias / /var/www/cgi-bin/index.cgi|" \
 /etc/apache2/sites-available/000-default.conf
-RUN echo "www-data ALL=(ALL:ALL) NOPASSWD: /usr/bin/wg, /usr/bin/openssl" | sudo EDITOR='tee -a' visudo
+
+# Allow http to run these binaries as root with sudo
+RUN echo "www-data ALL=(ALL:ALL) NOPASSWD: /usr/bin/wg, /usr/bin/openssl, /usr/bin/rm, /usr/bin/chmod" \
+| sudo EDITOR='tee -a' visudo
+
+# Prepare filesystem
 RUN touch /var/local/wgapi_tokens
 RUN chown www-data:www-data /var/local/wgapi_tokens
+
+# Run time!
 EXPOSE ${LISTEN_PORT}
 CMD ["apachectl", "-D", "FOREGROUND"]
\ No newline at end of file
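Review bot: The extended sudoers entry `www-data ALL=(ALL:ALL) NOPASSWD: … /usr/bin/rm, /usr/bin/chmod` puts no restriction on arguments, so the web-server user can remove or change the mode of any file as root, and unrestricted `openssl` can read or write any file, including the CA key ssl_peer_add passes via `-CAkey`; a bug in any CGI handler thus becomes root inside the container. Constrain each rule to the exact invocations the script needs, e.g. `www-data ALL=(root) NOPASSWD: /usr/bin/chmod 400 <SSL_CONFIG_DIR>/*/*/server.key, /usr/bin/chmod 644 <SSL_CONFIG_DIR>/*/*/server.crt` (substitute the real directory), bearing in mind that sudoers argument wildcards match across spaces, so a single root-owned wrapper script that validates its inputs and is the only command listed in sudoers is the more robust option. The inner `sudo` in the `visudo` pipeline is redundant since the build step already runs as root, and the comment would be more precise as `# Let the www-data CGI user run these binaries as root via sudo`.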