# Cheese

A Certificate Transparency log configuration and deployment tool for Google's [[TesseraCT](github.com/transparency-dev/tesseract)] implementation. It tries to look and feel a little like the one provided by [[Sunlight](https://github.com/FiloSottile/sunlight)].

## Configuration Generator

The `tesseract/genconf` tool generates CT log configuration files and keys from a YAML specification in a very similar way to Sunlight.

### Usage

1. **Build the tool:**

   ```bash
   go build -o tesseract-genconf ./tesseract/genconf/
   ```

2. **Create YAML configuration file:**

   ```yaml
   listen:
     - "[::]:8080"
   roots: /etc/tesseract/roots.pem
   logs:
     - shortname: example2025h1
       listen: "[::]:16900"
       inception: 2025-01-01
       submissionprefix: https://example2025h1.log.ct.example.com
       monitoringprefix: https://example2025h1.mon.ct.example.com
       extraroots: /etc/tesseract/extra-roots.pem
       secret: /etc/tesseract/keys/example2025h1.pem
       localdirectory: /var/lib/tesseract/example2025h1/data
       notafterstart: 2025-01-01T00:00:00Z
       notafterlimit: 2025-07-01T00:00:00Z
   ```

3. **Generate private keys:**

   ```bash
   mkdir -p /etc/tesseract/keys
   ./tesseract-genconf -c config.yaml --write gen-key
   ```

4. **Create directories and generate environment files:**

   ```bash
   mkdir -p /var/lib/tesseract/example2025h1/data
   ./tesseract-genconf -c config.yaml --write gen-env
   ```

5. **Generate HTML and JSON files:**

   ```bash
   ./tesseract-genconf -c config.yaml --write gen-html
   ```

6. **Generate nginx configuration files:**

   ```bash
   ./tesseract-genconf -c config.yaml --write gen-nginx
   ```

   The port from the main `listen:` field will be used in the NGINX server blocks (in our case `:8080`). You can symlink the generated `$monitoringprefix.conf` files from `/etc/nginx/sites-enabled/`.

7. **Generate root certificates (optional):**

   ```bash
   # For testing/staging environment, take the ccadb 'testing' roots
   ./tesseract-genconf gen-roots --source https://rennet2027h2.log.ct.ipng.ch/ --output roots-staging.pem

   # For production environment, take the ccadb 'production' roots
   ./tesseract-genconf gen-roots --source https://gouda2027h2.log.ct.ipng.ch/ --output roots-production.pem
   ```

### Safe File Operations with `--diff` and `--write`

The `tesseract-genconf` tool includes safety features to prevent accidental file modifications:

- **`--diff`**: Shows colored unified diffs of what would change without writing files
- **`--write`**: Required flag to actually write files to disk
- **`--no-color`**: Disables colored diff output (useful for redirecting to files)

**Recommended workflow:**

```bash
# 1. First, preview changes with --diff
./tesseract-genconf -c config.yaml --diff gen-html

# 2. Review the colored diff output, then apply changes
./tesseract-genconf -c config.yaml --write gen-html

# 3. Or combine both to see diffs and write files
./tesseract-genconf -c config.yaml --diff --write gen-html
```

**Note:** Flags must come before the command name (e.g., `--diff gen-html`, not `gen-html --diff`).
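As an added example (not part of Cheese or TesseraCT), a small Go check for a `logs:` entry like the one in the usage section: it derives the NotAfter window that a shard name such as `example2025h1` implies and compares it with `notafterstart`/`notafterlimit`, treating the limit as exclusive. The half-year naming convention (h1 = Jan 1 to Jul 1, h2 = Jul 1 to next Jan 1), the inclusive/exclusive bounds, and the inline struct standing in for YAML parsing are assumptions.

```go
package main

import (
	"fmt"
	"strconv"
	"time"
)

// LogShard holds the fields of one `logs:` entry that the check needs.
type LogShard struct {
	Shortname     string
	NotAfterStart time.Time // assumed inclusive lower bound on certificate NotAfter
	NotAfterLimit time.Time // assumed exclusive upper bound on certificate NotAfter
}

// expectedWindow derives the [start, limit) window implied by a shortname ending in
// YYYYh1 (Jan 1 to Jul 1) or YYYYh2 (Jul 1 to next Jan 1); that naming convention is assumed.
func expectedWindow(shortname string) (start, limit time.Time, err error) {
	n := len(shortname)
	if n < 6 || shortname[n-2] != 'h' || (shortname[n-1] != '1' && shortname[n-1] != '2') {
		return start, limit, fmt.Errorf("shortname %q does not end in YYYYh1 or YYYYh2", shortname)
	}
	year, err := strconv.Atoi(shortname[n-6 : n-2]) // the four characters before "hN"
	if err != nil {
		return start, limit, fmt.Errorf("shortname %q: %w", shortname, err)
	}
	start = time.Date(year, time.Month(1+6*int(shortname[n-1]-'1')), 1, 0, 0, 0, 0, time.UTC)
	return start, start.AddDate(0, 6, 0), nil // Jan 1 -> Jul 1, or Jul 1 -> next Jan 1
}

func CheckShard(s LogShard) error {
	start, limit, err := expectedWindow(s.Shortname)
	if err != nil {
		return err
	}
	if !s.NotAfterStart.Equal(start) || !s.NotAfterLimit.Equal(limit) {
		return fmt.Errorf("%s: configured window [%s, %s) but the name implies [%s, %s)", s.Shortname,
			s.NotAfterStart.Format(time.RFC3339), s.NotAfterLimit.Format(time.RFC3339), start.Format(time.RFC3339), limit.Format(time.RFC3339))
	}
	return nil
}

// Accepts reports whether a certificate with this NotAfter belongs in the shard.
func (s LogShard) Accepts(notAfter time.Time) bool {
	return !notAfter.Before(s.NotAfterStart) && notAfter.Before(s.NotAfterLimit)
}
func main() { // constructed from the README's example2025h1 entry
	s := LogShard{"example2025h1", time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC), time.Date(2025, 7, 1, 0, 0, 0, 0, time.UTC)}
	fmt.Println("config check:", CheckShard(s), "| accepts 2025-03-15:", s.Accepts(time.Date(2025, 3, 15, 0, 0, 0, 0, time.UTC)))
}
```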