From 5ace027f97d77ff163b3256baf82875b544091c6 Mon Sep 17 00:00:00 2001
From: Nicolas Meienberger
Date: Tue, 6 Jun 2023 21:19:26 +0200
Subject: [PATCH] feat: generate self signed ssl cert on app start

---
 .env.example | 2 +-
 .gitignore | 1 +
 scripts/common.sh | 34 ++++++++++++++++++++++++++++++++--
 scripts/start-dev.sh | 3 ++-
 scripts/start-e2e.sh | 3 ++-
 scripts/start.sh | 3 ++-
 templates/env-sample | 1 +
 traefik/dynamic/dynamic.yml | 12 +++++++++++-
 8 files changed, 52 insertions(+), 7 deletions(-)

diff --git a/.env.example b/.env.example
index c01245cd..64f6da6e 100644
--- a/.env.example
+++ b/.env.example
@@ -13,7 +13,7 @@ ROOT_FOLDER_HOST=/Users/nicolas/Projects/runtipi
 NGINX_PORT=3000
 NGINX_PORT_SSL=443
 POSTGRES_PASSWORD=postgres
-DOMAIN=tipi.localhost
+DOMAIN=example.com
 STORAGE_PATH=/Users/nicolas/Projects/runtipi
 REDIS_HOST=tipi-redis
diff --git a/.gitignore b/.gitignore
index 647345af..1737a1ae 100644
--- a/.gitignore
+++ b/.gitignore
@@ -54,6 +54,7 @@ node_modules/
 /repos/
 /apps/
 traefik/shared
+traefik/tls
 
 # media folder
 media
diff --git a/scripts/common.sh b/scripts/common.sh
index fc53be63..40831983 100644
--- a/scripts/common.sh
+++ b/scripts/common.sh
@@ -98,6 +98,27 @@ function kill_watcher() {
   # pkill -f "watcher.sh"
 }
 
+function generateTLSCert() {
+  local domain="$1"
+
+  # If the certificate already exists for this domain, don't generate it again
+  if [[ -f "traefik/tls/$domain.txt" ]] && [[ -f "traefik/tls/cert.pem" ]] && [[ -f "traefik/tls/key.pem" ]]; then
+    return
+  fi
+
+  rm -rf "traefik/tls/$domain.txt"
+  rm -rf "traefik/tls/cert.pem"
+  rm -rf "traefik/tls/key.pem"
+
+  echo "Generating TLS certificate..."
+
+  if ! openssl req -x509 -newkey rsa:4096 -keyout traefik/tls/key.pem -out traefik/tls/cert.pem -days 365 -subj "/O=runtipi.io/OU=IT/CN=*.${domain}/emailAddress=webmaster@${domain}" -addext "subjectAltName = DNS:*.${domain},DNS:${domain}" -nodes; then
+    echo "Failed to generate TLS certificate"
+  fi
+  # Create a file to indicate that the certificate has been generated for this domain
+  touch "traefik/tls/$domain.txt"
+}
+
 function generate_env_file() {
   echo "Generating .env file..."
 
@@ -142,6 +163,7 @@ function generate_env_file() {
   local redis_host=$(get_json_field "$json_file" redis_host)
   local demo_mode=$(get_json_field "$json_file" demo_mode)
   local docker_tag=$(get_json_field "$json_file" docker_tag)
+  local local_domain=$(get_json_field "$json_file" local_domain)
   local root_folder=$(get_json_field "$json_file" root_folder | sed 's/\//\\\//g')
   local apps_repository=$(get_json_field "$json_file" apps_repository | sed 's/\//\\\//g')
   local storage_path=$(get_json_field "$json_file" storage_path | sed 's/\//\\\//g')
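Review bot: On the openssl failure path the function only echoes and then still runs `touch "traefik/tls/$domain.txt"` and returns 0, so a failed generation leaves the marker behind and the caller in generate_env_file (outside this hunk) cannot tell that Traefik will start without cert.pem/key.pem. The early-return checks only that the three files exist, never that the certificate is still valid, so once the `-days 365` window has passed the same expired cert keeps being served on every start; `openssl x509 -checkend` is the cheap fix. `$domain` arrives from the env/settings JSON and is spliced unvalidated both into a path (`rm -rf "traefik/tls/$domain.txt"`) and into the `-subj` DN, where `/` is the field separator, so it should be restricted to hostname characters before use. Two smaller gaps: nothing in this hunk creates `traefik/tls` (the new .gitignore entry implies it is untracked) unless another script does, and the private key is left at whatever mode openssl chose, where an explicit `chmod 600` costs nothing. The rewrite below folds these in and keeps the marker-file contract.
```shell
function generateTLSCert() {
  local domain="$1"
  local tls_dir="traefik/tls"

  # The value ends up in a file name and in the X.509 subject: accept hostnames only.
  if [[ ! "$domain" =~ ^[A-Za-z0-9.-]+$ ]]; then
    echo "Refusing to generate a TLS certificate for invalid domain '${domain}'" >&2
    return 1
  fi

  mkdir -p "$tls_dir"

  # Reuse the existing certificate only if it was issued for this domain and is not about to expire
  if [[ -f "$tls_dir/$domain.txt" ]] && [[ -f "$tls_dir/cert.pem" ]] && [[ -f "$tls_dir/key.pem" ]] &&
    openssl x509 -checkend 86400 -noout -in "$tls_dir/cert.pem" >/dev/null 2>&1; then
    return 0
  fi

  rm -f "$tls_dir/$domain.txt" "$tls_dir/cert.pem" "$tls_dir/key.pem"

  echo "Generating TLS certificate..."

  if ! openssl req -x509 -newkey rsa:4096 -keyout "$tls_dir/key.pem" -out "$tls_dir/cert.pem" -days 365 -subj "/O=runtipi.io/OU=IT/CN=*.${domain}/emailAddress=webmaster@${domain}" -addext "subjectAltName = DNS:*.${domain},DNS:${domain}" -nodes; then
    echo "Failed to generate TLS certificate" >&2
    # Do not leave a half-written key pair behind for the next run to pick up
    rm -f "$tls_dir/cert.pem" "$tls_dir/key.pem"
    return 1
  fi

  chmod 600 "$tls_dir/key.pem"
  # The marker is written only after a successful generation
  touch "$tls_dir/$domain.txt"
}
```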
@@ -195,10 +217,15 @@ function generate_env_file() {
     storage_path_temp="${storage_path_settings}"
     storage_path="$(echo "${storage_path_temp}" | sed 's/\//\\\//g')"
   fi
+
+  if [[ "$(get_json_field "${STATE_FOLDER}/settings.json" localDomain)" != "null" ]]; then
+    local_domain=$(get_json_field "${STATE_FOLDER}/settings.json" localDomain)
+  fi
   fi
 
-  # If port is not 80 and domain is not tipi.localhost, we exit
-  if [[ "${nginx_port}" != "80" ]] && [[ "${domain}" != "tipi.localhost" ]]; then
+  echo "Using domain ${domain} and port ${nginx_port}"
+  # If port is not 80 and domain is not example.com or tipi.localhost, we exit
+  if [[ "${nginx_port}" != "80" ]] && [[ "${domain}" != "example.com" ]] && [[ "${domain}" != "tipi.localhost" ]]; then
     echo "Using a custom domain with a custom port is not supported"
     exit 1
   fi
@@ -236,8 +263,11 @@ function generate_env_file() {
     sed "${sed_args[@]}" "s//${redis_host}/g" "${template}"
     sed "${sed_args[@]}" "s//${demo_mode}/g" "${template}"
     sed "${sed_args[@]}" "s//${docker_tag}/g" "${template}"
+    sed "${sed_args[@]}" "s//${local_domain}/g" "${template}"
   done
 
+  generateTLSCert "$local_domain"
+
   mv -f "$env_file" "$ROOT_FOLDER/.env"
   chmod a+rwx "$ROOT_FOLDER/.env"
 }
diff --git a/scripts/start-dev.sh b/scripts/start-dev.sh
index 1796f4ba..5d44ff42 100755
--- a/scripts/start-dev.sh
+++ b/scripts/start-dev.sh
@@ -24,7 +24,7 @@ apps_repository="https://github.com/meienberger/runtipi-appstore"
 env_variables_json=$(cat < POSTGRES_PORT= REDIS_HOST= DEMO_MODE= +LOCAL_DOMAIN= DOCKER_TAG=
diff --git a/traefik/dynamic/dynamic.yml b/traefik/dynamic/dynamic.yml
index e2c19680..f0f6dcdc 100644
--- a/traefik/dynamic/dynamic.yml
+++ b/traefik/dynamic/dynamic.yml
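Review bot: The widened condition `[[ "${domain}" != "example.com" ]]` treats `example.com` as a "no custom domain" sentinel (it is the new placeholder in .env.example), but unlike `tipi.localhost` it is a real public name, so a user who literally configures it gets the unsupported domain+port combination without the exit, and nothing in the comment says it is a placeholder; rewording to `# example.com is the .env.example placeholder and means "no custom domain"` makes the intent explicit. The new localDomain override compares against the literal string "null" — presumably what get_json_field returns for a missing key — but only for settings.json, so a missing `local_domain` in the env JSON read higher up in this function can still leave local_domain as "null" or empty by the time it is used; `[[ -n "$local_domain" && "$local_domain" != "null" ]]` at the point of use would close that. generate_env_file starts and ends outside this hunk.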
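Review bot: `generateTLSCert "$local_domain"` is called without checking its argument or its exit status, so an empty or "null" local_domain produces a certificate for `*.null` (or a failing openssl run) and any failure inside the function is swallowed while the script goes on to install .env as if TLS were ready. Wrapping it as `if [[ -n "$local_domain" && "$local_domain" != "null" ]]; then generateTLSCert "$local_domain" || echo "TLS certificate generation failed" >&2; fi` keeps both conditions visible at the call site. The new sed line also differs from root_folder/storage_path above in that `${local_domain}` is spliced into the replacement without escaping `/`, `&` or `\`; a hostname should contain none of these, which is a further reason to validate local_domain once against a hostname pattern before either use. generate_env_file starts outside this hunk.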
@@ -1,4 +1,14 @@
 http:
   serversTransports:
     insecuretransport:
-      insecureSkipVerify: true
\ No newline at end of file
+      insecureSkipVerify: true
+
+tls:
+  stores:
+    default:
+      defaultCertificate:
+        certFile: /root/.config/tls/cert.pem
+        keyFile: /root/.config/tls/key.pem
+  certificates:
+    - certFile: /root/.config/tls/cert.pem
+      keyFile: /root/.config/tls/key.pem
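Review bot: The certificate is registered twice — as the default store's `defaultCertificate` and again under `certificates:` — and since both entries point at the same files the second list appears to add nothing Traefik would not already serve from the default store, while leaving two places to update when the path changes; keeping only `defaultCertificate` is enough for a single self-signed wildcard. The paths `/root/.config/tls/*.pem` assume a bind mount from `traefik/tls` that is not part of this patch, so a comment above `tls:` such as `# cert.pem/key.pem are generated by scripts/common.sh (generateTLSCert) and mounted from traefik/tls` would help whoever next edits the compose file. It is also worth stating in that comment that the default certificate is self-signed, so clients will warn unless they trust it, and that Traefik falls back to its own generated cert if these files are missing at start.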