miaou-server/recipes/dmz/install.sh

#!/bin/bash

readonly EXPANDED_CONF="$MIAOU_CONFIGDIR/miaou.expanded.yaml"

TARGET=$(yq '.target' "$EXPANDED_CONF")
readonly TARGET

function check() {
    container_exists "$CONTAINER" || return 1
    container_running "$CONTAINER" || return 2
    check_reverseproxy || return 4
    check_banner || return 5
    check_certbot || return 6

    PREFIX="recipe:dmz:check" echo "container <$CONTAINER> approved successfully!"
    return 0
}

function check_reverseproxy() {
    lxc exec "$CONTAINER" -- bash <<EOF
        set -Eeuo pipefail
        dpkg -l nginx | grep -q ^ii
        systemctl is-active --quiet nginx
        nginx -tq
EOF
}

function check_certbot() {
    lxc exec "$CONTAINER" -- bash <<EOF
        set -Eeuo pipefail
        dpkg -l certbot  | grep -q ^ii
        dpkg -l python3-certbot-nginx  | grep -q ^ii
EOF
}

function check_banner() {
    if [[ $TARGET != "prod" ]]; then
        lxc exec "$CONTAINER" -- bash <<EOF
            set -Eeuo pipefail
            test -f /etc/nginx/snippets/banner_$TARGET.conf
EOF
    fi
}

function install() {
    PREFIX="recipe:dmz:install"
    : $PREFIX

    echowarn "about to deploy new container <$CONTAINER> ..."

    if ! container_exists "$CONTAINER"; then
        echowarn "about to create new container <$CONTAINER> ..."
        lxc-miaou-create "$CONTAINER"
        echo OK
    fi

    if ! container_running "$CONTAINER"; then
        echowarn "about to start asleep container <$CONTAINER> ..."
        lxc start "$CONTAINER"
        echo OK
    fi

    credential_email=$(load_yaml_from_expanded credential.email)
    lxc exec "$CONTAINER" -- bash <<EOF
        set -Eeuo pipefail
        apt-get update && apt-get dist-upgrade -y
        apt-get install -y nginx ssl-cert libnginx-mod-http-subs-filter certbot python3-certbot-nginx

        echo "registering with your default credential email <$credential_email>"
        certbot register --agree-tos --email $credential_email --no-eff-email || echo "already resgistered!"

        rm /etc/nginx/sites-{enabled,available}/default -f
        systemctl enable nginx

        nginx -tq || rm /etc/nginx/sites-enabled/hosts
        systemctl start nginx
EOF

    if [[ "$TARGET" != "prod" ]]; then
        echo "copying Nginx banner to container <$CONTAINER> ... "
        lxc file push --uid 0 --gid 0 "$MIAOU_BASEDIR/templates/nginx/snippets/banner_$TARGET.conf" "$CONTAINER/etc/nginx/snippets/banner_$TARGET.conf"
        lxc file push --uid 0 --gid 0 "$MIAOU_BASEDIR/templates/nginx/snippets/banner_exp.conf" "$CONTAINER/etc/nginx/snippets/banner_exp.conf"
        echo "copying files to container <$CONTAINER> ... OK"
    else
        echo "no Nginx banner on PROD!"
    fi
}

# MAIN
. "$MIAOU_BASEDIR/lib/init.sh"

arg1_required "$@"
readonly CONTAINER="$1"

check || (
    install
    check
)