shell script improvement

bin/gen-syncthing-cert

@@ -1,5 +1,5 @@
 #!/bin/sh
-set -euo pipefail
+set -eu
 
 tmp=$(mktemp -d)
 trap 'rm -rf -- "$tmp"' EXIT

bin/gen-tls-cert

@@ -4,27 +4,35 @@ trap 'rm -rf -- "$tmp"' EXIT
 
 # ref https://stackoverflow.com/questions/59738140/why-is-firefox-not-trusting-my-self-signed-certificate
 openssl req -x509 -nodes \
-  -newkey RSA:2048 \
+    -newkey RSA:2048 \
-  -keyout "$tmp/ca.key" \
+    -keyout "$tmp/ca.key" \
-  -days 365 \
+    -days 365 \
-  -out "$tmp/ca.cert" \
+    -out "$tmp/ca.cert" \
-  -subj '/CN=hd_root'
+    -subj '/CN=hd_root'
 
 rm secrets/tlskey.age
 openssl req -nodes \
-  -newkey rsa:2048 \
+    -newkey rsa:2048 \
-  -keyout - \
+    -keyout - \
-  -out "$tmp/server.csr" \
+    -out "$tmp/server.csr" \
-  -subj '/CN=lan' \
+    -subj '/CN=lan' \
-  | agenix -e secrets/tlskey.age
+    | agenix -e secrets/tlskey.age
+
+cat > "$tmp/extfile" << EOF
+subjectAltName=DNS:roam.lan,DNS:*.roam.lan
+authorityKeyIdentifier=keyid,issuer
+basicConstraints=CA:FALSE
+keyUsage=digitalSignature,keyEncipherment
+extendedKeyUsage=serverAuth
+EOF
 
 openssl x509 -req \
-  -CA "$tmp/ca.cert" \
+    -CA "$tmp/ca.cert" \
-  -CAkey "$tmp/ca.key" \
+    -CAkey "$tmp/ca.key" \
-  -in "$tmp/server.csr" \
+    -in "$tmp/server.csr" \
-  -out pki/server.cert \
+    -out pki/server.cert \
-  -days 365 \
+    -days 365 \
-  -CAcreateserial \
+    -CAcreateserial \
-  -extfile <(printf "subjectAltName=DNS:roam.lan,DNS:*.roam.lan\nauthorityKeyIdentifier=keyid,issuer\nbasicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth")
+    -extfile "$tmp/extfile"
 
 mv "$tmp/ca.cert" pki/ca.cert