diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
new file mode 100644
index 0000000000000000000000000000000000000000..ab65b9abd8a6b3cdc903129ac631fceb61c11fa3
--- /dev/null
+++ b/.gitlab-ci.yml
@@ -0,0 +1,4 @@
+---
+include:
+ - project: shore/ci-templates
+ file: templates/bats.yml
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 1850801b354fca69941bf4e1a2257b3976aed9bf..afa71939afc4b25a1bf41b2df970ebdfe639fdde 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,13 +1,42 @@
-- repo: git://github.com/pre-commit/pre-commit-hooks
- sha: v0.9.1
- hooks:
- - id: check-added-large-files
- - id: check-yaml
- - id: check-merge-conflict
-- repo: https://www.shore.co.il/git/shell-pre-commit/
- sha: v0.5.4
- hooks:
- - id: shell-lint
- files: &shellscripts ^ssl-ca$
- - id: shellcheck
- files: *shellscripts
+---
+repos:
+ - repo: https://github.com/pre-commit/pre-commit-hooks.git
+ rev: v3.4.0
+ hooks:
+ - id: check-added-large-files
+ - id: check-executables-have-shebangs
+ - id: check-merge-conflict
+ - id: check-symlinks
+ - id: trailing-whitespace
+
+ - repo: https://github.com/Yelp/detect-secrets
+ rev: v0.14.3
+ hooks:
+ - id: detect-secrets
+
+ - repo: https://github.com/adrienverge/yamllint
+ rev: v1.25.0
+ hooks:
+ - id: yamllint
+
+ - repo: https://github.com/amperser/proselint/
+ rev: 0.10.2
+ hooks:
+ - id: proselint
+ types: [plain-text]
+ exclude: LICENSE
+
+ - repo: https://github.com/executablebooks/mdformat.git
+ rev: 0.5.3
+ hooks:
+ - id: mdformat
+
+ - repo: https://git.shore.co.il/nimrod/shell-pre-commit.git
+ rev: v0.6.0
+ hooks:
+ - id: shell-lint
+
+ - repo: https://github.com/shellcheck-py/shellcheck-py.git
+ rev: v0.7.1.1
+ hooks:
+ - id: shellcheck
diff --git a/.travis.yml b/.travis.yml
deleted file mode 100644
index 0ce32bf57299f9607f396a4f3c3cce1180516ccc..0000000000000000000000000000000000000000
--- a/.travis.yml
+++ /dev/null
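Review bot: The `project: shore/ci-templates` include in the new `.gitlab-ci.yml` carries no `ref:`, so every pipeline resolves `templates/bats.yml` from that project's default branch at run time, and a change there rewrites this repository's CI jobs without any commit here. Pinning the include, `ref: <tag-or-commit placeholder>`, keeps the pipeline definition reproducible and reviewable alongside the code it tests. If the template is meant to track a moving branch on purpose, a one-line comment saying so would spare the next reader the same question.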
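Review bot: The `shell-lint` and `shellcheck` hooks lose the `files: &shellscripts ^ssl-ca$` filter that the removed config had, so they now depend entirely on the hooks' own file-type detection; `ssl-ca` has no extension, so whether it is still linted presumably depends on its shebang being recognised, which is worth confirming with `pre-commit run --all-files --verbose` before merging. If it is not picked up, restoring `files: ^ssl-ca$` on both hooks is the one-line fix. The dropped `check-yaml` hook appears to be covered by the new `yamllint` entry, so that change looks intentional.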
@@ -1,37 +0,0 @@
----
-language: python
-python: "2.7"
-dist: trusty
-sudo: false
-group: beta
-cache:
- - pip
- - directories:
- - $HOME/.pre-commit
- - $HOME/.cabal
- - $HOME/.ghc
-
-addons:
- apt:
- packages:
- - mawk
- - openssl
- - curl
- - build-essential
- - cabal-install
- - ghc
-
-env:
- PATH: $PATH:$HOME/.cabal/bin
-
-install:
- - cabal update && cabal install shellcheck
- - pip install pre_commit | cat
-
-script:
- - make pre-commit
- - make test
-
-notifications:
- on_failure: never
- email: false
diff --git a/Makefile b/Makefile
index 45f83c41493ae18c69aa7166b294ced13589281e..c9cb4eec24cb6b9ab36a0c4b34d0fab3bbf8f4e4 100644
--- a/Makefile
+++ b/Makefile
@@ -1,15 +1,8 @@
 .PHONY: install test clean pre-commit
 install:
- cp ssl-ca /usr/local/bin/ssl-ca
- chmod 755 /usr/local/bin/ssl-ca
-
-test: clean
- bats --tap tests/
-
-pre-commit:
- pre-commit run --all-files
+ install -m 755 ssl-ca /usr/local/bin/ssl-ca
 clean:
- [ ! -f .server.pid ] || kill "$$(cat .server.pid)"
+ - kill "$$(cat .server.pid)"
 git clean -Xdf
diff --git a/README.md b/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..c4c3debef47d305ec5ab5e5c3b96cb5c0d602829
--- /dev/null
+++ b/README.md
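Review bot: `.PHONY: install test clean pre-commit` on the Makefile hunk's first line still declares `test` and `pre-commit`, but the hunk deletes both targets, so `make test` now fails with "no rule to make target" while the README.md added in this same commit still tells contributors that the `clean`, `test` and `pre-commit` Make targets are provided. Either trim the declaration to `.PHONY: install clean` and fix that README sentence, or keep thin `test`/`pre-commit` targets that delegate to whatever the CI template runs. Separately, the new `clean` recipe `- kill "$$(cat .server.pid)"` invokes `kill` with an empty argument whenever `.server.pid` is absent; the `-` prefix keeps make going but prints `cat` and `kill` errors on every clean of a fresh checkout, which the removed `[ ! -f .server.pid ] || kill ...` form avoided.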
@@ -0,0 +1,102 @@
+# SSL-CA
+
+[](https://git.shore.co.il/nimrod/ssl-ca/-/commits/master)
+
+This utility automates generating an SSL certificate authority, keys and
+signed certificates. The only dependency is OpenSSL (and base utils).
+Make and Git are needed for installation (although one can just download
+and copy `ssl-ca`{.sourceCode}). The use case in mind is testing and
+internal environments, therefore some security measures (like
+revocation) are not available in the current implementation.
+
+## Installation
+
+```shell
+git clone https://www.shore.co.il/cgit/ssl-ca
+cd ssl-ca
+sudo make install
+```
+
+## Usage
+
+This will generate, inside the new directory, the directory structure, a
+starting configuration for starting work and a new CA key and
+certificate. :
+
+```
+$ mkdir domain.tld
+$ cd domain.tld
+$ ssl-ca init
+Generating RSA private key, 512 bit long modulus
+.++++++++++++
+......++++++++++++
+e is 65537 (0x10001)
+```
+
+To generate a new key and certificate for the www host, the key will at
+`keys/www` and the certificate at `certs/www` :
+
+```
+$ ssl-ca gen www
+Generating RSA private key, 512 bit long modulus
+................................++++++++++++
+..++++++++++++
+e is 65537 (0x10001)
+Signature ok
+subject=/CN=*.*.www.domain.tld
+Getting CA Private Key
+```
+
+To sign existing keys, copy them to the `keys/` folder. All keys that
+don't have a matching certificate under `certs/` will be signed when
+running :
+
+```
+$ openssl genrsa -out keys/smtp #Generate a key for smtp.domain.tld
+$ ssl-ca sign
+Signature ok
+subject=/CN=*.*.smtp.domain.tld
+Getting CA Private Key
+```
+
+To resign **ALL** existing keys (regardless of existing certificates) :
+
+```
+$ ssl-ca resign
+Signature ok
+subject=/CN=*.*.smtp.domain.tld
+Getting CA Private Key
+Signature ok
+subject=/CN=*.*.www.smtp.domain.tld
+Getting CA Private Key
+```
+
+The certs by themselves are the same as self-signed certs, but once you
+add `CA.crt`{.sourceCode} to your browser (or OS), then the certs will
+be valid as any other cert on the internet.
+
+## Development
+
+Requirements are:
+
+- Python (2.7 or 3.5 or later).
+- Make.
+- Git.
+- Bats.
+
+Tests are written using [Bats](https://github.com/sstephenson/bats) and
+some linters are used with [pre-commit](http://pre-commit.com/). The
+`clean`{.sourceCode}, `test`{.sourceCode} and `pre-commit`{.sourceCode}
+Make targets are provided. Installing the pre-commit Git hooks is
+recommended.
+
+## License
+
+This software is licensed under the MIT license (see `LICENSE.txt`).
+
+## Author Information
+
+Nimrod Adar, [contact me](mailto:nimrod@shore.co.il) or visit my
+[website](https://www.shore.co.il/). Patches are welcome via
+[`git send-email`](http://git-scm.com/book/en/v2/Git-Commands-Email). The repository
+is located at: <https://git.shore.co.il/expore/>.
diff --git a/README.rst b/README.rst
deleted file mode 100644
index 1040aea7d426187a47d6348f864b1457f6253185..0000000000000000000000000000000000000000
--- a/README.rst
+++ /dev/null
@@ -1,99 +0,0 @@
-SSL-CA
-######
-
-.. image:: https://travis-ci.org/adarnimrod/ssl-ca.svg?branch=master
- :target: https://travis-ci.org/adarnimrod/ssl-ca
-
-This utility automates generating an SSL certificate authority, keys and
-signed certificates. The only dependency is OpenSSL (and base utils). Make
-and Git are needed for installation (although one can just download and copy
-:code:`ssl-ca`). The use case in mind is testing and internal environments,
-therefore some security measures (like revocation) are not available in the
-current implementation.
-
-Installation
------------
-.. code:: shell
-
- git clone https://www.shore.co.il/cgit/ssl-ca
- cd ssl-ca
- sudo make install
-
-Usage
-----
-
-This will generate, inside the new directory, the directory structure, a starting
-configuration for starting work and a new CA key and certificate. ::
-
- $ mkdir domain.tld
- $ cd domain.tld
- $ ssl-ca init
- Generating RSA private key, 512 bit long modulus
- .++++++++++++
- ......++++++++++++
- e is 65537 (0x10001)
-
-To generate a new key and certificate for the www host, the key will at
-``keys/www`` and the certificate at ``certs/www`` ::
-
- $ ssl-ca gen www
- Generating RSA private key, 512 bit long modulus
- ................................++++++++++++
- ..++++++++++++
- e is 65537 (0x10001)
- Signature ok
- subject=/CN=*.*.www.domain.tld
- Getting CA Private Key
-
-To sign existing keys, copy them to the ``keys/`` folder. All keys that don't
-have a matching certificate under ``certs/`` will be signed when running ::
-
- $ openssl genrsa -out keys/smtp #Generate a key for smtp.domain.tld
- $ ssl-ca sign
- Signature ok
- subject=/CN=*.*.smtp.domain.tld
- Getting CA Private Key
-
-To resign **ALL** existing keys (regardless of existing certificates) ::
-
- $ ssl-ca resign
- Signature ok
- subject=/CN=*.*.smtp.domain.tld
- Getting CA Private Key
- Signature ok
- subject=/CN=*.*.www.smtp.domain.tld
- Getting CA Private Key
-
-
-The certs by themselves are the same as self-signed certs, but once you add
-:code:`CA.crt` to your browser (or OS), then the certs will be valid as any
-other cert on the internet.
-
-Development
----------
-
-Requirements are:
-
-- Python (2.7 or 3.5 or later).
-- Make.
-- Git.
-- Bats.
-
-Tests are written using `Bats <https://github.com/sstephenson/bats>`_ and some
-linters are used with `pre-commit <http://pre-commit.com/>`_. The :code:`clean`,
-:code:`test` and :code:`pre-commit` Make targets are provided. Installing the
-pre-commit Git hooks is recommended.
-
-License
-------
-
-This software is licensed under the MIT license (see the :code:`LICENSE.txt`
-file).
-
-Author
-----
-
-Nimrod Adar, `contact me <nimrod@shore.co.il>`_ or visit my `website
-<https://www.shore.co.il/>`_. Patches are welcome via `git send-email
-<http://git-scm.com/book/en/v2/Git-Commands-Email>`_. The repository is located
-at: https://www.shore.co.il/cgit/.
diff --git a/ssl-ca b/ssl-ca
index 3e41fd324fbaccc3ebf689a9cbc5fa03a7a6dce6..2305c99999731ef3609c3fad3dfde1af64ef7fe0 100755
--- a/ssl-ca
+++ b/ssl-ca
@@ -16,7 +16,7 @@ default_ca = CA_default
 dir = $PWD
 certs = \$dir/certs
 certificate = \$dir/CA.crt
-private_key = \$dir/CA.key
+private_key = \$dir/CA.key # pragma: allowlist secret
 default_md = sha256
 email_in_dn = no
 RANDFILE = /dev/urandom
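Review bot: The `# pragma: allowlist secret` appended to `private_key = \$dir/CA.key` lands inside the text that `ssl-ca` writes out as its OpenSSL configuration — the `\$dir` escaping alongside an unescaped `$PWD` indicates an unquoted heredoc, whose enclosing command starts and ends outside the hunk — so the detect-secrets annotation is now emitted verbatim into every generated config file. Whether OpenSSL's config parser treats the trailing `#` as a comment and trims the space before it, rather than reading the path as `CA.key # pragma: allowlist secret`, is worth confirming with the bats `init`/`sign` tests before relying on it. Since the flagged value is a file path and not key material, the cleaner way to silence the false positive is to record it in a detect-secrets baseline passed via the hook's `args: ['--baseline', '<baseline-file placeholder>']`, leaving the generated configuration untouched.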
diff --git a/tests/ssl-ca.bats b/tests/ssl-ca.bats
index 0a9a2493ba432985f0f6783178666f5a08de6ed7..c1c5ffe63a75e860f58004d81ae8bf1c3943a9b3 100644
--- a/tests/ssl-ca.bats
+++ b/tests/ssl-ca.bats
@@ -1,5 +1,3 @@
-#!/usr/bin/env bats
-
 export PATH="$BATS_TEST_DIRNAME/../:$PATH"
 setup () {