Packaging fixes

doc/builder/ap.sh

@@ -1,118 +0,0 @@
-#!/bin/bash
-
-source common.sh
-
-sed -e 's/trigger wan/trigger lan/' -i $OVERLAY/etc/config/certidude
-
-cat << \EOF > $OVERLAY/etc/uci-defaults/40-hostname
-
-MODEL=$(cat /etc/board.json | jsonfilter -e '@["model"]["id"]')
-
-# Hostname prefix
-case $MODEL in
-    tl-*|archer-*)  VENDOR=tplink ;;
-    cf-*) VENDOR=comfast ;;
-    *) VENDOR=ap ;;
-esac
-
-# Network interface with relevant MAC address
-case $MODEL in
-    tl-wdr*) NIC=wlan1 ;;
-    archer-*)  NIC=eth1 ;;
-    cf-e380ac-v2) NIC=eth0 ;;
-    *) NIC=wlan0 ;;
-esac
-
-HOSTNAME=$VENDOR-$(cat /sys/class/net/$NIC/address | cut -d : -f 4- | sed -e 's/://g')
-uci set system.@system[0].hostname=$HOSTNAME
-uci set network.lan.hostname=$HOSTNAME
-
-EOF
-
-cat << \EOF > $OVERLAY/etc/uci-defaults/50-access-point
-
-# Remove firewall rules since AP bridges ethernet to wireless anyway
-uci delete firewall.@zone[1]
-uci delete firewall.@zone[0]
-uci delete firewall.@forwarding[0]
-for j in $(seq 0 10); do uci delete firewall.@rule[0]; done
-
-# Remove WAN interface
-uci delete network.wan
-uci delete network.wan6
-
-# Reconfigure DHCP client for bridge over LAN and WAN ports
-uci delete network.lan.ipaddr
-uci delete network.lan.netmask
-uci delete network.lan.ip6assign
-uci delete network.globals.ula_prefix
-uci delete network.@switch_vlan[1]
-uci delete dhcp.@dnsmasq[0].domain
-uci set network.lan.proto=dhcp
-uci set network.lan.ipv6=0
-uci set network.lan.ifname='eth0'
-uci set network.lan.stp=1
-
-# Radio ordering differs among models
-case $(uci get wireless.radio0.hwmode) in
-    11a) uci rename wireless.radio0=radio5ghz;;
-    11g) uci rename wireless.radio0=radio2ghz;;
-esac
-case $(uci get wireless.radio1.hwmode) in
-    11a) uci rename wireless.radio1=radio5ghz;;
-    11g) uci rename wireless.radio1=radio2ghz;;
-esac
-
-# Reset virtual SSID-s
-uci delete wireless.@wifi-iface[1]
-uci delete wireless.@wifi-iface[0]
-
-# Pseudorandomize channel selection, should work with 80MHz on 5GHz band
-case $(uci get system.@system[0].hostname | md5sum) in
-   1*|2*|3*|4*) uci set wireless.radio2ghz.channel=1; uci set wireless.radio5ghz.channel=36 ;;
-   5*|6*|7*|8*) uci set wireless.radio2ghz.channel=5; uci set wireless.radio5ghz.channel=52 ;;
-   9*|0*|a*|b*) uci set wireless.radio2ghz.channel=9; uci set wireless.radio5ghz.channel=100 ;;
-   c*|d*|e*|f*) uci set wireless.radio2ghz.channel=13; uci set wireless.radio5ghz.channel=132 ;;
-esac
-
-# Create bridge for guests
-uci set network.guest=interface
-uci set network.guest.proto='static'
-uci set network.guest.address='0.0.0.0'
-uci set network.guest.type='bridge'
-uci set network.guest.ifname='eth0.156' # tag id 156 for guest network
-uci set network.guest.ipaddr='0.0.0.0'
-uci set network.guest.ipv6=0
-uci set network.guest.stp=1
-
-# Add VPN interface for IPSec
-uci set network.vpn=interface
-uci set network.vpn.ifname='ipsec0'
-uci set network.vpn.proto='none'
-
-uci set firewall.vpn=zone
-uci set firewall.vpn.name="vpn"
-uci set firewall.vpn.input="ACCEPT"
-uci set firewall.vpn.forward="ACCEPT"
-uci set firewall.vpn.output="ACCEPT"
-uci set firewall.vpn.network="vpn"
-
-# Disable switch tagging and bridge all ports on TP-Link WDR3600/WDR4300
-case $(cat /etc/board.json | jsonfilter -e '@["model"]["id"]') in
-    tl-wdr*|archer*)
-        uci set network.@switch[0].enable_vlan=0
-        uci set network.@switch_vlan[0].ports='0 1 2 3 4 5 6'
-    ;;
-    *) ;;
-esac
-
-EOF
-
-make -C $BUILD/$BASENAME image FILES=$OVERLAY PROFILE=$PROFILE PACKAGES="luci \
-    openssl-util curl ca-certificates dropbear \
-    strongswan-mod-kernel-libipsec kmod-tun strongswan-default strongswan-mod-openssl strongswan-mod-curl strongswan-mod-ccm strongswan-mod-gcm \
-    htop iftop netdata -odhcp6c -odhcpd -dnsmasq \
-    -luci-app-firewall \
-    -pppd -luci-proto-ppp -kmod-ppp -ppp -ppp-mod-pppoe \
-    -kmod-ip6tables -ip6tables -luci-proto-ipv6 -kmod-iptunnel6 -kmod-ipsec6"
-

doc/builder/common.sh

@@ -1,109 +0,0 @@
-#!/bin/bash
-
-set -e
-set -x
-umask 022
-
-VERSION=17.01.4
-BASENAME=lede-imagebuilder-$VERSION-ar71xx-generic.Linux-x86_64
-FILENAME=$BASENAME.tar.xz
-URL=http://downloads.lede-project.org/releases/$VERSION/targets/ar71xx/generic/$FILENAME
-
-# curl of vanilla LEDE doesn't support ECDSA at the moment
-BASENAME=lede-imagebuilder-ar71xx-generic.Linux-x86_64
-FILENAME=$BASENAME.tar.xz
-URL=https://www.koodur.com/$FILENAME
-
-
-if [ ! -e $BUILD/$FILENAME ]; then
-    wget -q $URL -O $BUILD/$FILENAME
-fi
-
-if [ ! -e $BUILD/$BASENAME ]; then
-    tar xf $BUILD/$FILENAME -C $BUILD
-fi
-
-# Copy CA certificate
-AUTHORITY=$(hostname -f)
-
-mkdir -p $OVERLAY/etc/config
-mkdir -p $OVERLAY/etc/uci-defaults
-mkdir -p $OVERLAY/etc/certidude/authority/$AUTHORITY/
-cp /var/lib/certidude/ca_cert.pem $OVERLAY/etc/certidude/authority/$AUTHORITY/
-
-cat <<EOF > $OVERLAY/etc/config/certidude
-
-config authority
-    option gateway "$ROUTER"
-    option hostname "$AUTHORITY"
-    option trigger wan
-    option key_type $AUTHORITY_CERTIFICATE_ALGORITHM
-    option key_length 2048
-    option key_curve secp384r1
-
-EOF
-
-case $AUTHORITY_CERTIFICATE_ALGORITHM in
-    rsa)
-        echo ": RSA /etc/certidude/authority/$AUTHORITY/host_key.pem" >> $OVERLAY/etc/ipsec.secrets
-        ;;
-    ec)
-        echo ": ECDSA /etc/certidude/authority/$AUTHORITY/host_key.pem" >> $OVERLAY/etc/ipsec.secrets
-        ;;
-    *)
-        echo "Unknown algorithm $AUTHORITY_CERTIFICATE_ALGORITHM"
-        exit 1
-        ;;
-esac
-
-cat << EOF > $OVERLAY/etc/certidude/authority/$AUTHORITY/updown
-#!/bin/sh
-
-CURL="curl -m 3 -f --key /etc/certidude/authority/$AUTHORITY/host_key.pem --cert /etc/certidude/authority/$AUTHORITY/host_cert.pem --cacert /etc/certidude/authority/$AUTHORITY/ca_cert.pem"
-URL="https://$AUTHORITY:8443/api/signed/\$(uci get system.@system[0].hostname)/script/"
-
-case \$PLUTO_VERB in
-  up-client)
-    logger -t certidude -s "Downloading and executing \$URL"
-    \$CURL \$URL -o /tmp/script.sh && sh /tmp/script.sh
-  ;;
-  *) ;;
-esac
-EOF
-
-chmod +x  $OVERLAY/etc/certidude/authority/$AUTHORITY/updown
-
-cat << EOF > $OVERLAY/etc/ipsec.conf
-
-config setup
-    strictcrlpolicy=yes
-
-ca $AUTHORITY
-    auto=add
-    cacert=/etc/certidude/authority/$AUTHORITY/ca_cert.pem
-    ocspuri = http://$AUTHORITY/api/ocsp/
-
-conn %default
-    keyingtries=%forever
-    dpdaction=restart
-    closeaction=restart
-    ike=$IKE
-    esp=$ESP
-    left=%defaultroute
-    leftcert=/etc/certidude/authority/$AUTHORITY/host_cert.pem
-    leftca="$AUTHORITY_CERTIFICATE_DISTINGUISHED_NAME"
-    rightca="$AUTHORITY_CERTIFICATE_DISTINGUISHED_NAME"
-
-conn client-to-site
-    auto=start
-    right="$ROUTER"
-    rightsubnet="$SUBNETS"
-    leftsourceip=%config
-    leftupdown=/etc/certidude/authority/$AUTHORITY/updown
-
-EOF
-
-cat << EOF > $OVERLAY/etc/uci-defaults/99-uhttpd-disable-https
-uci delete uhttpd.main.listen_https
-uci delete uhttpd.main.redirect_https
-EOF

doc/builder/ipcam.sh

@@ -1,46 +0,0 @@
-#!/bin/bash
-
-. common.sh
-
-cat << \EOF > $OVERLAY/etc/uci-defaults/40-hostname
-
-HOSTNAME=cam-$(cat /sys/class/net/eth0/address | cut -d : -f 4- | sed -e 's/://g')
-uci set system.@system[0].hostname=$HOSTNAME
-uci set network.wan.hostname=$HOSTNAME
-
-EOF
-
-touch $OVERLAY/etc/config/wireless
-
-cat << EOF > $OVERLAY/etc/uci-defaults/50-ipcam
-
-uci delete network.lan
-uci delete network.wan6
-
-uci set network.vpn=interface
-uci set network.vpn.ifname='ipsec0'
-uci set network.vpn.proto='none'
-uci set firewall.@zone[0].network=vpn
-uci delete firewall.@forwarding[0]
-
-uci set mjpg-streamer.core.enabled=1
-uci set mjpg-streamer.core.quality=''
-uci set mjpg-streamer.core.resolution='1280x720'
-uci delete mjpg-streamer.core.username
-uci delete mjpg-streamer.core.password
-
-uci certidude.@authority[0].red_led='gl-connect:red:wlan'
-uci certidude.@authority[0].green_led='gl-connect:green:lan'
-
-/etc/init.d/dropbear disable
-/etc/init.d/ipsec disable
-
-EOF
-
-
-make -C $BUILD/$BASENAME image FILES=$OVERLAY PROFILE=$PROFILE PACKAGES="openssl-util curl ca-certificates \
-    strongswan-default strongswan-mod-openssl strongswan-mod-curl strongswan-mod-ccm strongswan-mod-gcm htop \
-    iftop tcpdump nmap nano usbutils luci luci-app-mjpg-streamer kmod-video-uvc dropbear \
-    -pppd -luci-proto-ppp -kmod-ppp -ppp -ppp-mod-pppoe \
-    -dnsmasq -odhcpd -odhcp6c -kmod-ath9k picocom strongswan-mod-kernel-libipsec kmod-tun \
-    netdata"

doc/builder/mfp.sh

@@ -1,112 +0,0 @@
-#!/bin/bash
-
-. common.sh
-
-cat << \EOF > $OVERLAY/etc/uci-defaults/40-hostname
-
-HOSTNAME=mfp-$(cat /sys/class/net/eth0/address | cut -d : -f 4- | sed -e 's/://g')
-uci set system.@system[0].hostname=$HOSTNAME
-uci set network.wan.hostname=$HOSTNAME
-
-EOF
-
-mkdir -p $OVERLAY/etc/config/
-touch $OVERLAY/etc/config/wireless
-
-cat << EOF > $OVERLAY/etc/uci-defaults/50-mfp
-
-# Disable rebind protection for DNS
-uci set dhcp.@dnsmasq[0].rebind_protection=0
-uci set dhcp.@dnsmasq[0].domain='mfp.lan'
-uci delete dhcp.@dnsmasq[0].local
-
-# Disable bridge for LAN since WiFi is disabled
-uci delete network.lan.type
-uci set dhcp.lan.limit=1
-
-uci set network.vpn=interface
-uci set network.vpn.ifname='ipsec0'
-uci set network.vpn.proto='none'
-
-uci set firewall.vpn=zone
-uci set firewall.vpn.name="vpn"
-uci set firewall.vpn.input="ACCEPT"
-uci set firewall.vpn.forward="ACCEPT"
-uci set firewall.vpn.output="ACCEPT"
-uci set firewall.vpn.network="vpn"
-uci set firewall.vpn.masq='1'
-
-uci set firewall.lan2vpn=forwarding
-uci set firewall.lan2vpn.src='lan'
-uci set firewall.lan2vpn.dest='vpn'
-
-uci set firewall.allow_ipp=redirect
-uci set firewall.allow_ipp.name="Allow-IPP-on-MFP"
-uci set firewall.allow_ipp.src=vpn
-uci set firewall.allow_ipp.src_dport=631
-uci set firewall.allow_ipp.dest=lan
-uci set firewall.allow_ipp.dest_ip=192.168.1.100
-uci set firewall.allow_ipp.target=DNAT
-uci set firewall.allow_ipp.proto=tcp
-
-uci set firewall.allow_http=redirect
-uci set firewall.allow_http.name="Allow-HTTP-on-MFP"
-uci set firewall.allow_http.src=vpn
-uci set firewall.allow_http.src_dport=80
-uci set firewall.allow_http.dest=lan
-uci set firewall.allow_http.dest_ip=192.168.1.100
-uci set firewall.allow_http.target=DNAT
-uci set firewall.allow_http.proto=tcp
-
-uci set firewall.allow_https=redirect
-uci set firewall.allow_https.name="Allow-HTTPS-on-MFP"
-uci set firewall.allow_https.src=vpn
-uci set firewall.allow_https.src_dport=443
-uci set firewall.allow_https.dest=lan
-uci set firewall.allow_https.dest_ip=192.168.1.100
-uci set firewall.allow_https.target=DNAT
-uci set firewall.allow_https.proto=tcp
-
-uci set firewall.allow_jetdirect=redirect
-uci set firewall.allow_jetdirect.name="Allow-JetDirect-on-MFP"
-uci set firewall.allow_jetdirect.src=vpn
-uci set firewall.allow_jetdirect.src_dport=9100
-uci set firewall.allow_jetdirect.dest=lan
-uci set firewall.allow_jetdirect.dest_ip=192.168.1.100
-uci set firewall.allow_jetdirect.target=DNAT
-uci set firewall.allow_jetdirect.proto=tcp
-uci set firewall.allow_jetdirect.enabled=0
-
-uci set firewall.allow_snmp=redirect
-uci set firewall.allow_snmp.name="Allow-SNMP-on-MFP"
-uci set firewall.allow_snmp.src=vpn
-uci set firewall.allow_snmp.src_dport=161
-uci set firewall.allow_snmp.dest=lan
-uci set firewall.allow_snmp.dest_ip=192.168.1.100
-uci set firewall.allow_snmp.target=DNAT
-uci set firewall.allow_snmp.proto=udp
-uci set firewall.allow_snmp.enabled=0
-
-uci set firewall.allow_lpd=redirect
-uci set firewall.allow_lpd.name="Allow-LPD-on-MFP"
-uci set firewall.allow_lpd.src=vpn
-uci set firewall.allow_lpd.src_dport=515
-uci set firewall.allow_lpd.dest=lan
-uci set firewall.allow_lpd.dest_ip=192.168.1.100
-uci set firewall.allow_lpd.target=DNAT
-uci set firewall.allow_lpd.proto=tcp
-uci set firewall.allow_lpd.enabled=0
-
-/etc/init.d/dropbear disable
-
-uci set uhttpd.main.listen_http=0.0.0.0:8080
-
-EOF
-
-make -C $BUILD/$BASENAME image FILES=$OVERLAY PROFILE=$PROFILE PACKAGES="openssl-util curl ca-certificates htop \
-    iftop tcpdump nmap nano mtr patch diffutils ipset usbutils luci dropbear kmod-tun netdata \
-    strongswan-default strongswan-mod-kernel-libipsec strongswan-mod-openssl strongswan-mod-curl strongswan-mod-ccm strongswan-mod-gcm \
-    -odhcpd -odhcp6c -kmod-ath9k picocom libustream-openssl kmod-crypto-gcm \
-    -pppd -luci-proto-ppp -kmod-ppp -ppp -ppp-mod-pppoe \
-    -kmod-ip6tables -ip6tables -luci-proto-ipv6 -kmod-iptunnel6 -kmod-ipsec6"
-

doc/overlay/etc/hotplug.d/iface/50-certidude

@@ -1,10 +0,0 @@
-#!/bin/sh
-
-# To test: ACTION=ifup INTERFACE=wan sh /etc/hotplug.d/iface/50-certidude
-
-AUTHORITY=certidude.@authority[0]
-
-[ $ACTION == "ifup" ] || exit 0
-[ $INTERFACE == "$(uci get $AUTHORITY.trigger)" ] || exit 0
-
-/usr/bin/certidude-enroll > /var/log/certidude.log 2>&1

doc/overlay/etc/profile

@@ -1,25 +0,0 @@
-#!/bin/sh
-[ -f /etc/banner ] && cat /etc/banner
-[ -e /tmp/.failsafe ] && cat /etc/banner.failsafe
-
-export PATH=/usr/bin:/usr/sbin:/bin:/sbin
-export HOME=$(grep -e "^${USER:-root}:" /etc/passwd | cut -d ":" -f 6)
-export HOME=${HOME:-/root}
-export PS1='\u@\h:\w\$ '
-
-[ -z "$KSH_VERSION" -o \! -s /etc/mkshrc ] || . /etc/mkshrc
-[ -x /bin/more ] || alias more=less
-[ -x /usr/bin/vim ] && alias vi=vim || alias vim=vi
-[ -x /usr/bin/arp ] || arp() { cat /proc/net/arp; }
-[ -x /usr/bin/ldd ] || ldd() { LD_TRACE_LOADED_OBJECTS=1 $*; }
-
-HOSTNAME=$(uci get system.@system[0].hostname)
-
-export PS1='\[\033[01;31m\]$HOSTNAME\[\033[01;34m\] \W #\[\033[00m\] '
-case "$TERM" in
-    xterm*|rxvt*)
-        echo -ne "\033]0;${USER}@${HOSTNAME}:${PWD}\007"
-    ;;
-    *)
-    ;;
-esac

doc/overlay/etc/uci-defaults/40-hostname

@@ -1,23 +0,0 @@
-#!/bin/sh
-
-MODEL=$(cat /etc/board.json | jsonfilter -e '@["model"]["id"]')
-
-# Hostname prefix
-case $MODEL in
-    tl-*|archer-*)  VENDOR=tplink ;;
-    cf-*) VENDOR=comfast ;;
-    *) VENDOR=ap ;;
-esac
-
-# Network interface with relevant MAC address
-case $MODEL in
-    tl-wdr*) NIC=wlan1 ;;
-    archer-*)  NIC=eth1 ;;
-    cf-e380ac-v2) NIC=eth0 ;;
-    *) NIC=wlan0 ;;
-esac
-
-HOSTNAME=$VENDOR-$(cat /sys/class/net/$NIC/address | cut -d : -f 4- | sed -e 's/://g')
-uci set system.@system[0].hostname=$HOSTNAME
-uci set network.lan.hostname=$HOSTNAME
-

doc/overlay/etc/uci-defaults/60-cron

@@ -1,16 +0,0 @@
-#!/bin/sh
-
-# Randomize restart time
-OFFSET=$(awk -v min=1 -v max=59 'BEGIN{srand(); print int(min+rand()*(max-min+1))}')
-
-# wtf?! https://wiki.strongswan.org/issues/1501#note-7
-cat << EOF > /etc/crontabs/root
-#$OFFSET 2 * * * sleep 70 && touch /etc/banner && reboot
-$OFFSET 2 * * * ipsec restart
-5 1 1 */2 * /usr/bin/certidude-enroll-renew
-EOF
-
-chmod 0600 /etc/crontabs/root
-
-/etc/init.d/cron enable
-

doc/overlay/etc/uci-defaults/90-certidude-sysupgrade

@@ -1,6 +0,0 @@
-#!/bin/sh
-echo $AUTHORITY_PATH >> /etc/sysupgrade.conf
-echo $CERTIFICATE_PATH >> /etc/sysupgrade.conf
-echo $KEY_PATH >> /etc/sysupgrade.conf
-echo $REQUEST_PATH >> /etc/sysupgrade.conf
-

doc/overlay/usr/bin/certidude-enroll

@@ -1,130 +0,0 @@
-#!/bin/sh
-
-set -e
-set -x
-
-AUTHORITY=certidude.@authority[0]
-
-# TODO: iterate over all authorities
-
-GATEWAY=$(uci get $AUTHORITY.gateway)
-COMMON_NAME=$(uci get system.@system[0].hostname)
-
-DIR=/etc/certidude/authority/$(uci get $AUTHORITY.hostname)
-mkdir -p $DIR
-
-AUTHORITY_PATH=$DIR/ca_cert.pem
-CERTIFICATE_PATH=$DIR/host_cert.pem
-REQUEST_PATH=$DIR/host_req.pem
-KEY_PATH=$DIR/host_key.pem
-KEY_TYPE=$(uci get $AUTHORITY.key_type)
-KEY_LENGTH=$(uci get $AUTHORITY.key_length)
-KEY_CURVE=$(uci get $AUTHORITY.key_curve)
-
-NTP_SERVERS=$(uci get system.ntp.server)
-
-logger -t certidude -s "Fetching time from NTP servers: $NTP_SERVERS"
-ntpd -q -n -d -p $NTP_SERVERS
-
-logger -t certidude -s "Time is now: $(date)"
-
-# If certificate file is there assume everything's set up
-if [ -f $CERTIFICATE_PATH ]; then
-    SERIAL=$(openssl x509 -in $CERTIFICATE_PATH -noout -serial | cut -d "=" -f 2 | tr [A-F] [a-f])
-    logger -t certidude -s "Certificate with serial $SERIAL already exists in $CERTIFICATE_PATH, attempting to bring up VPN tunnel..."
-    exit 0
-fi
-
-
-#########################################
-### Generate private key if necessary ###
-#########################################
-
-if [ ! -f $KEY_PATH ]; then
-    case $KEY_TYPE in
-        rsa)
-            logger -t certidude -s "Generating $KEY_LENGTH-bit RSA key..."
-            openssl genrsa -out $KEY_PATH.part $KEY_LENGTH
-            openssl rsa -in $KEY_PATH.part -noout
-            ;;
-        ec)
-            logger -t certidude -s "Generating $KEY_CURVE ECDSA key..."
-            openssl ecparam -name $KEY_CURVE -genkey -noout -out $KEY_PATH.part
-            ;;
-        *)
-            logger -t certidude -s "Unsupported key type $KEY_TYPE"
-            exit 255
-            ;;
-    esac
-    mv $KEY_PATH.part $KEY_PATH
-fi
-
-
-############################
-### Fetch CA certificate ###
-############################
-
-if [ ! -f $AUTHORITY_PATH ]; then
-
-    logger -t certidude -s "Fetching CA certificate from $URL/api/certificate/"
-    curl -f -s http://$(uci get $AUTHORITY.hostname)/api/certificate/ -o $AUTHORITY_PATH.part
-    if [ $? -ne 0 ]; then
-        logger -t certidude -s "Failed to receive CA certificate, server responded: $(cat $AUTHORITY_PATH.part)"
-        exit 10
-    fi
-
-    openssl x509 -in $AUTHORITY_PATH.part -noout
-    if [ $? -ne 0 ]; then
-        logger -t certidude -s "Received invalid CA certificate"
-        exit 11
-    fi
-
-    mv $AUTHORITY_PATH.part $AUTHORITY_PATH
-fi
-
-logger -t certidude -s "CA certificate md5sum: $(md5sum -b $AUTHORITY_PATH)"
-
-
-#####################################
-### Generate request if necessary ###
-#####################################
-
-if [ ! -f $REQUEST_PATH ]; then
-    openssl req -new -sha256 -key $KEY_PATH -out $REQUEST_PATH.part -subj "/CN=$COMMON_NAME"
-    mv $REQUEST_PATH.part $REQUEST_PATH
-fi
-
-logger -t certidude -s "Request md5sum is $(md5sum -b $REQUEST_PATH)"
-
-curl -f -L \
-    -H "Content-Type: application/pkcs10" \
-    --cacert $AUTHORITY_PATH \
-    --data-binary @$REQUEST_PATH \
-    https://$(uci get $AUTHORITY.hostname):8443/api/request/?autosign=true\&wait=yes -o $CERTIFICATE_PATH.part
-
-# TODO: Loop until we get exitcode 0
-# TODO: Use backoff time $((2\*X))
-
-if [ $? -ne 0 ]; then
-    echo "Failed to fetch certificate"
-    exit 21
-fi
-
-# Verify certificate
-openssl verify -CAfile $AUTHORITY_PATH $CERTIFICATE_PATH.part
-
-if [ $? -ne 0 ]; then
-    logger -t certidude -s "Received bogus certificate!"
-    exit 22
-fi
-
-logger -t certidude -s "Certificate md5sum: $(md5sum -b $CERTIFICATE_PATH.part)"
-
-uci commit
-
-mv $CERTIFICATE_PATH.part $CERTIFICATE_PATH
-
-# Start services
-logger -t certidude -s "Starting IPSec IKEv2 daemon..."
-/etc/init.d/ipsec enable
-/etc/init.d/ipsec restart

doc/overlay/usr/bin/certidude-enroll-renew

@@ -1,27 +0,0 @@
-#!/bin/sh
-
-AUTHORITY=certidude.@authority[0]
-URL=https://$(uci get $AUTHORITY.hostname):8443
-DIR=/etc/certidude/authority/$(uci get $AUTHORITY.hostname)
-AUTHORITY_PATH=$DIR/ca_cert.pem
-CERTIFICATE_PATH=$DIR/host_cert.pem
-REQUEST_PATH=$DIR/host_req.pem
-KEY_PATH=$DIR/host_key.pem
-
-# TODO: fix Accepted 202 here
-
-curl -f -L \
-    -H "Content-Type: application/pkcs10" \
-    --data-binary @$REQUEST_PATH \
-    --cacert $AUTHORITY_PATH \
-    --key $KEY_PATH \
-    --cert $CERTIFICATE_PATH \
-    $URL/api/request/ -o $CERTIFICATE_PATH.part
-
-if [ $? -eq 0 ]; then
-    logger -t certidude -s "Certificate renewal successful"
-    mv $CERTIFICATE_PATH.part $CERTIFICATE_PATH
-    ipsec reload
-else
-    logger -t certidude -s "Failed to renew certificate"
-fi