Sync DNS2 production changes - removed obsolete test suite and refactored structure

dashcaddy-api/ca/install.sh

@@ -0,0 +1,220 @@
+#!/bin/bash
+#
+# DashCA Installer - Sami Home Network Root CA
+# Installs the root CA certificate system-wide on Linux and macOS
+#
+# Usage: curl -fsSL https://ca.sami/install.sh | sudo bash
+#
+set -e
+
+# Configuration
+CERT_URL="https://ca.sami/root.crt"
+EXPECTED_FP="08:98:A5:63:F5:A1:A2:58:5F:02:D7:A8:A2:54:87:E6:BC:33:96:9F:9B:5D:B0:53:62:20:7F:AF:96:21:29:0E"
+CERT_NAME="Sami_Home_Network_Root_CA"
+
+# Colors
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+CYAN='\033[0;36m'
+YELLOW='\033[1;33m'
+NC='\033[0m' # No Color
+
+echo ""
+echo -e "${CYAN}========================================${NC}"
+echo -e "${CYAN} DashCA Installer${NC}"
+echo -e "${CYAN} Sami Home Network Root CA${NC}"
+echo -e "${CYAN}========================================${NC}"
+echo ""
+
+# Check for root/sudo
+if [[ $EUID -ne 0 ]]; then
+   echo -e "${RED}✗ This script requires root privileges${NC}"
+   echo ""
+   echo "Please run with sudo:"
+   echo -e "  ${YELLOW}curl -fsSL https://ca.sami/install.sh | sudo bash${NC}"
+   echo ""
+   echo "Or download first, then run:"
+   echo -e "  ${YELLOW}curl -o install.sh https://ca.sami/install.sh${NC}"
+   echo -e "  ${YELLOW}sudo bash install.sh${NC}"
+   echo ""
+   exit 1
+fi
+
+# Detect OS
+echo -e "${CYAN}[1/6] Detecting operating system...${NC}"
+if [[ "$OSTYPE" == "darwin"* ]]; then
+    OS="macos"
+    OS_NAME="macOS"
+elif [[ -f /etc/os-release ]]; then
+    . /etc/os-release
+    if [[ "$ID" == "debian" ]] || [[ "$ID" == "ubuntu" ]] || [[ "$ID_LIKE" == *"debian"* ]]; then
+        OS="debian"
+        OS_NAME="Debian/Ubuntu"
+    elif [[ "$ID" == "fedora" ]] || [[ "$ID" == "rhel" ]] || [[ "$ID" == "centos" ]] || [[ "$ID_LIKE" == *"fedora"* ]] || [[ "$ID_LIKE" == *"rhel"* ]]; then
+        OS="redhat"
+        OS_NAME="RedHat/CentOS/Fedora"
+    elif [[ "$ID" == "arch" ]] || [[ "$ID_LIKE" == *"arch"* ]]; then
+        OS="arch"
+        OS_NAME="Arch Linux"
+    else
+        OS="unknown"
+        OS_NAME="Unknown Linux"
+    fi
+elif [[ -f /etc/redhat-release ]]; then
+    OS="redhat"
+    OS_NAME="RedHat/CentOS"
+elif [[ -f /etc/arch-release ]]; then
+    OS="arch"
+    OS_NAME="Arch Linux"
+else
+    OS="unknown"
+    OS_NAME="Unknown"
+fi
+
+if [[ "$OS" == "unknown" ]]; then
+    echo -e "${RED}      ✗ Unsupported operating system${NC}"
+    echo ""
+    echo "This script supports:"
+    echo "  - Debian/Ubuntu"
+    echo "  - RedHat/CentOS/Fedora"
+    echo "  - Arch Linux"
+    echo "  - macOS"
+    echo ""
+    echo "For manual installation, download the certificate:"
+    echo -e "  ${YELLOW}curl -O $CERT_URL${NC}"
+    echo ""
+    exit 1
+fi
+
+echo -e "${GREEN}      ✓ Detected: $OS_NAME${NC}"
+
+# Download certificate
+echo -e "${CYAN}[2/6] Downloading certificate from $CERT_URL...${NC}"
+TEMP_CERT=$(mktemp)
+if ! curl -fsSL "$CERT_URL" -o "$TEMP_CERT"; then
+    echo -e "${RED}      ✗ Failed to download certificate${NC}"
+    echo ""
+    echo -e "${YELLOW}Troubleshooting:${NC}"
+    echo "  - Ensure you are on the Tailnet/network where ca.sami is accessible"
+    echo "  - Try accessing https://ca.sami in your browser first"
+    echo "  - Check your network connection"
+    rm -f "$TEMP_CERT"
+    exit 1
+fi
+echo -e "${GREEN}      ✓ Certificate downloaded${NC}"
+
+# Verify fingerprint
+echo -e "${CYAN}[3/6] Verifying certificate fingerprint...${NC}"
+if ! command -v openssl &> /dev/null; then
+    echo -e "${RED}      ✗ OpenSSL not found${NC}"
+    echo "Please install OpenSSL to verify certificate fingerprint"
+    rm -f "$TEMP_CERT"
+    exit 1
+fi
+
+ACTUAL_FP=$(openssl x509 -in "$TEMP_CERT" -noout -fingerprint -sha256 | cut -d= -f2)
+
+if [[ "$ACTUAL_FP" != "$EXPECTED_FP" ]]; then
+    echo -e "${RED}      ✗ Fingerprint mismatch!${NC}"
+    echo -e "${YELLOW}        Expected: $EXPECTED_FP${NC}"
+    echo -e "${RED}        Got:      $ACTUAL_FP${NC}"
+    rm -f "$TEMP_CERT"
+    echo ""
+    echo -e "${RED}SECURITY WARNING: The downloaded certificate does not match the expected fingerprint.${NC}"
+    echo -e "${RED}This could indicate a man-in-the-middle attack or certificate renewal.${NC}"
+    echo -e "${RED}Please verify with your network administrator before proceeding.${NC}"
+    echo ""
+    exit 1
+fi
+
+echo -e "${GREEN}      ✓ Fingerprint verified${NC}"
+
+# Extract certificate details
+echo -e "${CYAN}[4/6] Extracting certificate information...${NC}"
+CERT_SUBJECT=$(openssl x509 -in "$TEMP_CERT" -noout -subject | sed 's/subject=//')
+CERT_NOT_AFTER=$(openssl x509 -in "$TEMP_CERT" -noout -enddate | sed 's/notAfter=//')
+echo -e "${GREEN}      ✓ Subject: $CERT_SUBJECT${NC}"
+echo -e "${GREEN}      ✓ Valid until: $CERT_NOT_AFTER${NC}"
+
+# Check if already installed
+echo -e "${CYAN}[5/6] Checking for existing installation...${NC}"
+ALREADY_INSTALLED=false
+
+case "$OS" in
+    debian)
+        if [[ -f "/usr/local/share/ca-certificates/${CERT_NAME}.crt" ]]; then
+            ALREADY_INSTALLED=true
+        fi
+        ;;
+    redhat)
+        if [[ -f "/etc/pki/ca-trust/source/anchors/${CERT_NAME}.crt" ]]; then
+            ALREADY_INSTALLED=true
+        fi
+        ;;
+    arch)
+        if [[ -f "/etc/ca-certificates/trust-source/anchors/${CERT_NAME}.crt" ]]; then
+            ALREADY_INSTALLED=true
+        fi
+        ;;
+    macos)
+        if security find-certificate -a -c "$CERT_SUBJECT" /Library/Keychains/System.keychain &>/dev/null; then
+            ALREADY_INSTALLED=true
+        fi
+        ;;
+esac
+
+if [[ "$ALREADY_INSTALLED" == "true" ]]; then
+    echo -e "${YELLOW}      ℹ Certificate already installed${NC}"
+    rm -f "$TEMP_CERT"
+    echo ""
+    echo -e "${GREEN}The Sami Home Network Root CA is already trusted on this system.${NC}"
+    echo -e "${GREEN}No further action needed!${NC}"
+    echo ""
+    exit 0
+fi
+
+echo -e "${GREEN}      ✓ Certificate not yet installed, proceeding...${NC}"
+
+# Install based on OS
+echo -e "${CYAN}[6/6] Installing certificate...${NC}"
+case "$OS" in
+    debian)
+        cp "$TEMP_CERT" "/usr/local/share/ca-certificates/${CERT_NAME}.crt"
+        update-ca-certificates
+        echo -e "${GREEN}      ✓ Certificate installed via update-ca-certificates${NC}"
+        ;;
+    redhat)
+        cp "$TEMP_CERT" "/etc/pki/ca-trust/source/anchors/${CERT_NAME}.crt"
+        update-ca-trust
+        echo -e "${GREEN}      ✓ Certificate installed via update-ca-trust${NC}"
+        ;;
+    arch)
+        cp "$TEMP_CERT" "/etc/ca-certificates/trust-source/anchors/${CERT_NAME}.crt"
+        trust extract-compat
+        echo -e "${GREEN}      ✓ Certificate installed via trust extract-compat${NC}"
+        ;;
+    macos)
+        security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "$TEMP_CERT"
+        echo -e "${GREEN}      ✓ Certificate installed to System Keychain${NC}"
+        ;;
+esac
+
+# Cleanup
+rm -f "$TEMP_CERT"
+
+echo ""
+echo -e "${GREEN}========================================${NC}"
+echo -e "${GREEN} SUCCESS!${NC}"
+echo -e "${GREEN}========================================${NC}"
+echo ""
+echo -e "${GREEN}The Sami Home Network Root CA has been installed system-wide.${NC}"
+echo ""
+echo -e "${CYAN}What's next:${NC}"
+echo -e "  ${GREEN}✓${NC} All *.sami domains will now be trusted"
+echo -e "  ${GREEN}✓${NC} Browsers will no longer show security warnings"
+echo -e "  ${GREEN}✓${NC} Applications will trust HTTPS connections to your local services"
+echo ""
+echo -e "${CYAN}Test it out:${NC}"
+echo -e "  ${YELLOW}Visit https://status.sami or any other *.sami service${NC}"
+echo -e "  ${YELLOW}The connection should show as secure with no warnings${NC}"
+echo ""