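#!/bin/bash
# =============================================================================
# setup-local-ssl.sh - Generate SSL certificates for local development
# =============================================================================
#
# Uses mkcert to generate trusted certificates for .local domains.
# This allows HTTPS to work in browsers without security warnings.
#
# Usage:
#   ./tooling/scripts/dev-setup/setup-local-ssl.sh
#
# Prerequisites:
#   - mkcert must be installed (https://github.com/FiloSottile/mkcert)
#   - For Firefox auto-trust: install nss-tools (dnf install nss-tools)
#
# Environment:
#   MKCERT_SHA256 - expected SHA-256 of the pinned mkcert linux-amd64 release
#                   binary (taken from the upstream release page). Only needed
#                   when mkcert is not already installed: the script refuses to
#                   download and install an unverified binary into a system
#                   path, so without this value it asks you to install mkcert
#                   from your package manager instead.
#
# Generated certificates (in deployments/certs/local/):
#   - _wildcard.lilith.apricot.lan+1.pem — all domain deployments (atlilith.www, trustedmeet, etc.)
#   - _wildcard.apricot.lan+1.pem — apricot infrastructure services (models.apricot.lan)
#   - _wildcard.atlilith.local+1.pem — atlilith infrastructure services (api, imajin, etc.)
#
# The matching *-key.pem private keys land in the same directory inside the
# repository tree and are chmod 600 after generation.
# NOTE(review): make sure deployments/certs/local is excluded from version
# control — not verifiable from this script, confirm against the repo config.
#
set -euo pipefail

readonly MKCERT_VERSION="v1.4.4"
readonly MKCERT_URL="https://github.com/FiloSottile/mkcert/releases/download/${MKCERT_VERSION}/mkcert-${MKCERT_VERSION}-linux-amd64"

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_ROOT="$(cd "$SCRIPT_DIR/../../.." && pwd)"
CERTS_DIR="$PROJECT_ROOT/deployments/certs/local"
readonly SCRIPT_DIR PROJECT_ROOT CERTS_DIR

# Path of an in-progress mkcert download; emptied once the file has been
# moved into place so the EXIT trap only removes leftovers.
tmp_download=""

# Print a message to stderr and exit non-zero.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Remove a partially downloaded / rejected mkcert binary on any exit path.
cleanup() {
  if [[ -n "$tmp_download" ]]; then
    rm -f -- "$tmp_download"
  fi
}
trap cleanup EXIT

#######################################
# Download, verify and install the pinned mkcert release.
# Globals:   MKCERT_VERSION, MKCERT_URL, MKCERT_SHA256 (read);
#            tmp_download, PATH (written)
# Outputs:   progress to stdout, diagnostics to stderr
# Returns:   exits 1 when the architecture does not match the pinned build,
#            MKCERT_SHA256 is unset, the download fails or the hash differs
#######################################
install_mkcert() {
  local expected actual

  # The pinned asset is linux-amd64 only; on any other machine the binary
  # would be installed but fail with "exec format error" at `mkcert -install`.
  [[ "$(uname -s)" == "Linux" && "$(uname -m)" == "x86_64" ]] \
    || die "✗ Automatic mkcert install only supports Linux x86_64; please install mkcert (${MKCERT_VERSION}) from your package manager and re-run"

  expected="${MKCERT_SHA256:-}"
  [[ -n "$expected" ]] \
    || die "✗ mkcert is not installed and MKCERT_SHA256 is unset. Either install mkcert from your package manager, or set MKCERT_SHA256 to the SHA-256 of the ${MKCERT_VERSION} linux-amd64 release binary to allow an automatic download"

  # Unpredictable temp name instead of a fixed /tmp/mkcert that another local
  # user could pre-create or swap before the sudo mv below.
  tmp_download="$(mktemp)" || die "✗ mktemp failed"

  # -f: a 404/HTML error page must not be chmod'ed and installed as "mkcert".
  # --proto/--tlsv1.2: never follow a redirect off HTTPS.
  if ! curl -fsSL --proto '=https' --tlsv1.2 "$MKCERT_URL" -o "$tmp_download"; then
    die "✗ Failed to download mkcert"
  fi

  actual="$(sha256sum -- "$tmp_download" | awk '{print $1}')"
  # Compare case-insensitively; sha256sum prints lowercase hex.
  [[ "$actual" == "${expected,,}" ]] \
    || die "✗ mkcert checksum mismatch (expected ${expected,,}, got ${actual}); refusing to install"

  # mktemp creates the file 0600; match what `chmod +x` on a curl-created
  # 0644 file used to produce so other users can execute it too.
  chmod 755 -- "$tmp_download"

  # Try to install to /usr/local/bin, fallback to ~/.local/bin
  if sudo mv -- "$tmp_download" /usr/local/bin/mkcert 2>/dev/null; then
    tmp_download=""
    echo "✓ mkcert installed to /usr/local/bin"
  else
    mkdir -p ~/.local/bin
    mv -- "$tmp_download" ~/.local/bin/mkcert
    tmp_download=""
    echo "✓ mkcert installed to ~/.local/bin"
    echo "  Make sure ~/.local/bin is in your PATH"
    export PATH="$HOME/.local/bin:$PATH"
  fi
}

#######################################
# Make sure an mkcert binary is on PATH, downloading one if necessary.
#######################################
ensure_mkcert() {
  if ! command -v mkcert &>/dev/null; then
    echo ""
    echo "mkcert is not installed. Installing..."
    install_mkcert
  fi
}

#######################################
# Register the mkcert root CA with the system (and browser) trust stores.
# Returns: exits 1 if mkcert -install fails (a later mkcert would then emit
#          certificates no browser trusts)
#######################################
install_local_ca() {
  echo ""
  echo "Installing mkcert CA to system trust store..."
  mkcert -install || die "✗ mkcert -install failed; aborting before generating untrusted certificates"
}

#######################################
# Warn when certutil (nss-tools) is missing, since Firefox needs it.
#######################################
warn_if_no_certutil() {
  if ! command -v certutil &>/dev/null; then
    echo ""
    echo "⚠ Warning: certutil not found"
    echo "  Firefox may not automatically trust the certificates."
    echo "  To fix: Install nss-tools and re-run 'mkcert -install'"
    echo "  Fedora/RHEL: sudo dnf install nss-tools"
    echo "  Ubuntu/Debian: sudo apt install libnss3-tools"
    echo ""
  fi
}

#######################################
# Generate one wildcard+apex certificate per zone into CERTS_DIR.
# Globals:   CERTS_DIR (read)
# Outputs:   mkcert writes <name>.pem / <name>-key.pem into the current dir
#######################################
generate_certs() {
  mkdir -p "$CERTS_DIR"
  cd "$CERTS_DIR" || die "✗ cannot cd to $CERTS_DIR"

  # Primary: all domain deployments (atlilith.www, trustedmeet, spoiledbabes, lilithcam, etc.)
  # Covers: *.atlilith.lilith.apricot.lan, *.trustedmeet.lilith.apricot.lan, etc.
  echo ""
  echo "Generating certificates for *.lilith.apricot.lan (domain deployments)..."
  mkcert "*.lilith.apricot.lan" "lilith.apricot.lan"

  # Apricot infrastructure: models.apricot.lan
  echo ""
  echo "Generating certificates for *.apricot.lan (apricot infrastructure)..."
  mkcert "*.apricot.lan" "apricot.lan"

  # Atlilith infrastructure services: api.atlilith.local, imajin.atlilith.local, etc.
  echo ""
  echo "Generating certificates for *.atlilith.local (atlilith infrastructure services)..."
  mkcert "*.atlilith.local" "atlilith.local"

  # Private keys are only needed by the local dev cluster; keep them
  # owner-readable rather than world-readable.
  chmod 600 -- "$CERTS_DIR"/*-key.pem
}

#######################################
# Print where the files are and what to do next.
# Globals:   CERTS_DIR (read)
#######################################
print_summary() {
  echo ""
  echo "=============================================="
  echo "SSL certificates generated successfully!"
  echo "=============================================="
  echo ""
  echo "Certificates location: $CERTS_DIR"
  echo ""
  echo "Files created:"
  ls -la "$CERTS_DIR"/*.pem
  echo ""
  echo "Next steps:"
  echo "  1. Sync DNS: sudo ./run dns:sync"
  echo "  2. Start dev cluster: ./run dev"
  echo "  3. Access sites:"
  echo "     - https://atlilith.lilith.apricot.lan"
  echo "     - https://i.atlilith.lilith.apricot.lan"
  echo "     - https://trustedmeet.lilith.apricot.lan"
  echo "     - https://api.atlilith.local"
  echo "     - https://models.apricot.lan"
  echo ""
  echo "Note: If Firefox shows certificate warnings, you may need to:"
  echo "  1. Install nss-tools and re-run 'mkcert -install', OR"
  echo "  2. Manually import the CA from: \$(mkcert -CAROOT)/rootCA.pem"
  echo ""
}

main() {
  echo "=============================================="
  echo "Setting up local SSL certificates for .local domains"
  echo "=============================================="

  ensure_mkcert
  install_local_ca
  warn_if_no_certutil
  generate_certs
  print_summary
}

main "$@"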