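#!/bin/sh
# infra/step-ca/init.sh
#
# Idempotent first-boot initialiser for the Mosaic Federation CA.
#
# On the first run (no /home/step/config/ca.json present) this script:
#   1. Initialises Step-CA with a JWK provisioner named "mosaic-fed".
#   2. Writes the CA configuration to the persistent volume at /home/step.
#
# On subsequent runs (config already exists) this script skips init and
# starts the CA directly.
#
# The provisioner name "mosaic-fed" is consumed by:
#   apps/gateway/src/federation/ca.service.ts (added in M2-04)
#
# Password source:
#   Dev:  mounted from ./infra/step-ca/dev-password via bind mount.
#   Prod: mounted from a Docker secret at /run/secrets/ca_password.
#
# The password file is needed on EVERY boot, not only the first one:
# `step-ca` reads it at start to unlock the CA key. It is therefore
# checked before either branch runs, so a missing or unreadable mount
# fails with a clear message instead of a bare step-ca error.
#
# OID template:
#   infra/step-ca/templates/federation.tpl is copied into the CA home
#   (/home/step/templates) so the JWK provisioner can reference it. The
#   template skeleton is wired in M2-04 when the CA service lands the
#   SAN-bearing CSR work. The copy is attempted on every boot when the
#   destination is missing, so a copy that failed after a successful
#   `step ca init` is not lost forever.
#
# Exit status: 1 if the password file is missing/unreadable/empty or a
# step is not satisfied; otherwise the script execs into `step-ca` and
# its status is step-ca's.

# -e: stop at the first failing command (e.g. a failed `step ca init`,
#     which must not be followed by an attempt to start the CA).
# -u: an unset variable is an error. Both flags are POSIX sh.
set -eu

readonly CA_HOME="/home/step"
readonly CA_CONFIG="${CA_HOME}/config/ca.json"
readonly PASSWORD_FILE="/run/secrets/ca_password"
readonly TEMPLATE_SRC="/etc/step-ca-templates/federation.tpl"
readonly TEMPLATE_DST="${CA_HOME}/templates/federation.tpl"

#######################################
# Print one tagged status line to stdout.
# Arguments: $* - message text
#######################################
log() {
  printf '[step-ca init] %s\n' "$*"
}

#######################################
# Print a tagged error to stderr and exit with status 1.
# Arguments: $* - message text
#######################################
die() {
  printf '[step-ca init] ERROR: %s\n' "$*" >&2
  exit 1
}

#######################################
# Verify the CA password file is mounted, readable by this user and
# non-empty. Both `step ca init` and `step-ca` consume it, so this runs
# before either branch.
# Globals:   PASSWORD_FILE (read)
# Returns:   0, or exits 1 via die
#######################################
require_password_file() {
  [ -f "${PASSWORD_FILE}" ] \
    || die "password file ${PASSWORD_FILE} not found (dev: bind-mount infra/step-ca/dev-password; prod: Docker secret ca_password)"
  # A secret mounted root:0400 while the CA runs as an unprivileged user
  # is the usual way this check trips.
  [ -r "${PASSWORD_FILE}" ] \
    || die "password file ${PASSWORD_FILE} is not readable by the current user"
  [ -s "${PASSWORD_FILE}" ] \
    || die "password file ${PASSWORD_FILE} is empty"
}

#######################################
# One-time bootstrap: creates the CA keys, the "mosaic-fed" JWK
# provisioner and ${CA_CONFIG} under ${CA_HOME}.
# Globals:   CA_CONFIG, PASSWORD_FILE (read)
# Returns:   0 on success; a failing `step ca init` aborts via set -e
#######################################
init_ca() {
  log "First boot detected — initialising Mosaic Federation CA..."
  # The same password file protects both the CA key and the provisioner
  # key (--password-file and --provisioner-password-file).
  # --address ":9000" listens on every interface inside the container;
  #   what reaches it is decided by the compose network / port mapping.
  # --no-db skips the CA database configuration.
  #   NOTE(review): without a database the CA keeps no persistent record
  #   of issued or revoked certificates — confirm this is acceptable
  #   outside dev before the prod secret path is used.
  step ca init \
    --name "Mosaic Federation CA" \
    --dns "localhost" \
    --dns "step-ca" \
    --address ":9000" \
    --provisioner "mosaic-fed" \
    --password-file "${PASSWORD_FILE}" \
    --provisioner-password-file "${PASSWORD_FILE}" \
    --no-db
  log "CA initialised."
}

#######################################
# Copy the federation X.509 template into the CA home if the image
# ships one and the copy is not already there. Never overwrites an
# existing copy on the persistent volume.
# Globals:   TEMPLATE_SRC, TEMPLATE_DST, CA_HOME (read)
# Returns:   0 (also when there is nothing to do)
#######################################
install_template() {
  # No template baked into the image: nothing to do.
  [ -f "${TEMPLATE_SRC}" ] || return 0
  # Already present on the volume: keep it, do not clobber.
  [ -f "${TEMPLATE_DST}" ] && return 0
  mkdir -p "${CA_HOME}/templates"
  cp "${TEMPLATE_SRC}" "${TEMPLATE_DST}"
  log "Federation X.509 template copied to ${CA_HOME}/templates/."
}

#######################################
# Entry point: validate the secret, initialise on first boot, ensure the
# template is in place, then replace this shell with step-ca.
# Arguments: ignored (kept for a conventional `main "$@"`)
#######################################
main() {
  require_password_file

  if [ -f "${CA_CONFIG}" ]; then
    log "Config already exists — skipping init."
  else
    init_ca
    log "Startup complete."
  fi

  install_template

  log "Starting Step-CA on :9000..."
  # exec: step-ca replaces this shell, so container signals reach it
  # directly (it becomes PID 1 when this script is the entrypoint).
  exec step-ca "${CA_CONFIG}" --password-file "${PASSWORD_FILE}"
}

main "$@"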