Rework nss-agl-driver-db to be a systemd unit at runtime

This avoids the issues seen with access rights changes on /home/agl-driver
and will replace https://gerrit.automotivelinux.org/gerrit/c/AGL/meta-agl-demo/+/28587

Bug-AGL: SPEC-4599
Change-Id: If01ffc9623208edd7a7705739465fa8fca764b74
Signed-off-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org>

2 files changed, 31 insertions, 0 deletions

diff --git a/recipes-core/nss/nss-agl-driver-db/nss-agl-driver-db.service b/recipes-core/nss/nss-agl-driver-db/nss-agl-driver-db.service
new file mode 100644
index 000000000..48eca3921
--- /dev/null
+++ b/recipes-core/nss/nss-agl-driver-db/nss-agl-driver-db.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Deploy Kuksa certificates to /home/agl-driver/.pki/
+After=local-fs.target
+Before=agl-session@agl-driver.service
+ConditionPathExists=!/home/agl-driver/.pki
+
+[Service]
+User=agl-driver
+ExecStart=/usr/sbin/nss-agl-driver-db.sh
+
+[Install]
+WantedBy=multi-user.target
diff --git a/recipes-core/nss/nss-agl-driver-db/nss-agl-driver-db.sh b/recipes-core/nss/nss-agl-driver-db/nss-agl-driver-db.sh
new file mode 100755
index 000000000..1a8351bf9
--- /dev/null
+++ b/recipes-core/nss/nss-agl-driver-db/nss-agl-driver-db.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+set -e
+
+# TLDR we need this file for chromium to connect back to kuksa.
+
+# check if directory already exists and bail out
+if test -d /home/agl-driver/.pki/nssdb ; then
+    echo "Directory already exists! Doing nothing."
+    exit 127
+fi
+
+# setup empty db in subfolder
+mkdir -p /home/agl-driver/.pki/nssdb
+certutil -N -d /home/agl-driver/.pki/nssdb --empty-password
+
+# deploy cert into local db
+certutil -A -d /home/agl-driver/.pki/nssdb -n "KuksaRootCA" -t "pC,," -i /etc/kuksa-val/CA.pem
+
+#chown -R agl-driver:agl-driver /home/agl-driver/.pki/nssdb