provisioning tool for building opinionated architecture
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
|
|
#!/bin/bash
readonly EXPANDED_CONF="$MIAOU_CONFIGDIR/miaou.expanded.yaml"
TARGET=$(yq '.target' "$EXPANDED_CONF") readonly TARGET
function check() { container_exists "$CONTAINER" || return 1 container_running "$CONTAINER" || return 2 check_reverseproxy || return 4 check_banner || return 5 check_certbot || return 6
PREFIX="recipe:dmz:check" echo "container <$CONTAINER> approved successfully!" return 0 }
function check_reverseproxy() { lxc exec "$CONTAINER" -- bash <<EOF set -Eeuo pipefail dpkg -l nginx | grep -q ^ii systemctl is-active --quiet nginx nginx -tq EOF }
function check_certbot() { lxc exec "$CONTAINER" -- bash <<EOF set -Eeuo pipefail dpkg -l certbot | grep -q ^ii dpkg -l python3-certbot-nginx | grep -q ^ii EOF }
function check_banner() { if [[ $TARGET != "prod" ]]; then lxc exec "$CONTAINER" -- bash <<EOF set -Eeuo pipefail test -f /etc/nginx/snippets/banner_$TARGET.conf EOF fi }
function install() { PREFIX="recipe:dmz:install" : $PREFIX
echowarn "about to deploy new container <$CONTAINER> ..."
if ! container_exists "$CONTAINER"; then echowarn "about to create new container <$CONTAINER> ..." lxc-miaou-create "$CONTAINER" echo OK fi
if ! container_running "$CONTAINER"; then echowarn "about to start asleep container <$CONTAINER> ..." lxc start "$CONTAINER" echo OK fi
credential_email=$(load_yaml_from_expanded credential.email) lxc exec "$CONTAINER" -- bash <<EOF set -Eeuo pipefail apt-get update && apt-get dist-upgrade -y apt-get install -y nftables nginx ssl-cert libnginx-mod-http-subs-filter certbot python3-certbot-nginx
echo "registering with your default credential email <$credential_email>" certbot register --agree-tos --email $credential_email --no-eff-email || echo "already resgistered!"
rm /etc/nginx/sites-{enabled,available}/default -f systemctl enable nginx
nginx -tq || rm /etc/nginx/sites-enabled/hosts systemctl start nginx EOF
if [[ "$TARGET" != "prod" ]]; then echo "copying Nginx banner to container <$CONTAINER> ... " lxc file push --uid 0 --gid 0 "$MIAOU_BASEDIR/templates/nginx/snippets/banner_$TARGET.conf" "$CONTAINER/etc/nginx/snippets/banner_$TARGET.conf" lxc file push --uid 0 --gid 0 "$MIAOU_BASEDIR/templates/nginx/snippets/banner_exp.conf" "$CONTAINER/etc/nginx/snippets/banner_exp.conf" echo "copying files over container <$CONTAINER> ... OK" else echo "no Nginx banner on PROD!" fi
echo "populate nftables entries into yaml" local wan_interface dmz_ip wan_interface=$(ip route show default | cut -d ' ' -f5) dmz_ip=$(host "$CONTAINER.lxd" | cut -d ' ' -f4) yq ".nftables.wan_interface=\"$wan_interface\"" "$EXPANDED_CONF" -i yq ".nftables.dmz_ip=\"$dmz_ip\"" "$EXPANDED_CONF" -i
local nftables_reloading=false if [[ "$TARGET" != "dev" ]]; then mkdir -p "$MIAOU_CONFIGDIR/nftables.rules.d" echo "nat http/s port to dmz" tera -t "$MIAOU_BASEDIR/templates/nftables/nat.table.j2" "$EXPANDED_CONF" -o "$MIAOU_CONFIGDIR/nftables.rules.d/nat.table" &>/dev/null sudo cp "$MIAOU_CONFIGDIR/nftables.rules.d/nat.table" /etc/nftables.rules.d/nat.table nftables_reloading=true else if [[ -f /etc/nftables.rules.d/nat.table ]]; then sudo_required "remove previous nat.table" sudo rm -f /etc/nftables.rules.d/nat.table nftables_reloading=true fi fi if [[ "$nftables_reloading" == true ]]; then sudo_required "reload nftables" sudo systemctl reload nftables.service fi
}
# MAIN . "$MIAOU_BASEDIR/lib/init.sh"
arg1_required "$@" readonly CONTAINER="$1"
check || ( install check )
|