#!/bin/bash
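# Expanded configuration file. MIAOU_CONFIGDIR is read here, before
# lib/init.sh is sourced, so it has to come from the caller's environment.
readonly EXPANDED_CONF="$MIAOU_CONFIGDIR/miaou.expanded.yaml"

# Deployment target taken from the expanded configuration. The value ends up
# in file names on the host and inside the container (banner_$TARGET.conf),
# so anything outside a conservative character set (path separators, quotes,
# whitespace, an empty result from a failed yq call) is refused up front.
TARGET=$(yq '.target' "$EXPANDED_CONF")
if [[ ! "$TARGET" =~ ^[A-Za-z0-9_-]+$ ]]; then
    printf 'invalid .target value <%s> in %s\n' "$TARGET" "$EXPANDED_CONF" >&2
    exit 1
fi
readonly TARGET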
# Run every acceptance probe for the DMZ container, stopping at the first one
# that fails.
# Globals:  CONTAINER (read)
# Outputs:  a confirmation line on stdout when every probe passes
# Returns:  0 all probes passed, 1 container missing, 2 container not running,
#           4 reverse proxy probe failed, 5 banner probe failed,
#           6 certbot probe failed
check() {
    if ! container_exists "$CONTAINER"; then
        return 1
    fi
    if ! container_running "$CONTAINER"; then
        return 2
    fi
    if ! check_reverseproxy; then
        return 4
    fi
    if ! check_banner; then
        return 5
    fi
    if ! check_certbot; then
        return 6
    fi

    # PREFIX is set for this single command only.
    PREFIX="recipe:dmz:check" echo "container <$CONTAINER> approved successfully!"
    return 0
}
# Probe nginx inside the container: package installed, service active,
# configuration test passing.
# Globals:  CONTAINER (read)
# Returns:  the exit status of the `lxc exec` call
check_reverseproxy() {
    # Quoted delimiter: the script below is sent to the container verbatim,
    # nothing in it is expanded by the host shell.
    lxc exec "$CONTAINER" -- bash <<'EOF'
set -Eeuo pipefail
dpkg -l nginx | grep -q ^ii
systemctl is-active --quiet nginx
nginx -tq
EOF
}
# Probe the container for the certbot package and its nginx plugin.
# Globals:  CONTAINER (read)
# Returns:  the exit status of the `lxc exec` call
check_certbot() {
    # Quoted delimiter: the script below is sent to the container verbatim,
    # nothing in it is expanded by the host shell.
    lxc exec "$CONTAINER" -- bash <<'EOF'
set -Eeuo pipefail
dpkg -l certbot | grep -q ^ii
dpkg -l python3-certbot-nginx | grep -q ^ii
EOF
}
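# Probe the container for the per-target nginx banner snippet. Nothing is
# probed when TARGET is "prod".
# Globals:  TARGET, CONTAINER (read)
# Returns:  0 when TARGET is "prod"; otherwise the exit status of `lxc exec`
check_banner() {
    if [[ "$TARGET" == "prod" ]]; then
        return 0
    fi

    # TARGET comes from the configuration file. It is handed to the container
    # shell as a positional argument and the here-document delimiter is quoted,
    # so the value is only ever treated as data: it is never spliced into the
    # text of the script that runs as root inside the container.
    lxc exec "$CONTAINER" -- bash -s -- "$TARGET" <<'EOF'
set -Eeuo pipefail
test -f "/etc/nginx/snippets/banner_$1.conf"
EOF
}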
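# Create and start the DMZ container when needed, provision nginx and certbot
# inside it, push the per-target banner, record the WAN interface and DMZ
# address in the expanded configuration, then install or remove the host NAT
# table.
# Globals:  CONTAINER, TARGET, EXPANDED_CONF, MIAOU_BASEDIR, MIAOU_CONFIGDIR (read)
#           PREFIX (written)
# Returns:  1 when, for a non-"dev" target, the detected WAN interface or DMZ
#           address does not look valid or the NAT template fails to render
install() {
    PREFIX="recipe:dmz:install"
    # No-op reference to PREFIX (presumably keeps linters from reporting it as
    # unused; the helpers that read it are not defined in this file).
    : "$PREFIX"

    echowarn "about to deploy new container <$CONTAINER> ..."

    if ! container_exists "$CONTAINER"; then
        echowarn "about to create new container <$CONTAINER> ..."
        lxc-miaou-create "$CONTAINER"
        echo OK
    fi

    if ! container_running "$CONTAINER"; then
        echowarn "about to start asleep container <$CONTAINER> ..."
        lxc start "$CONTAINER"
        echo OK
    fi

    # The e-mail address comes from the configuration file. It is passed to
    # the container shell as a positional argument and the here-document
    # delimiter is quoted, so the value is never spliced into the text of the
    # script that runs as root inside the container.
    local credential_email
    credential_email=$(load_yaml_from_expanded credential.email)
    lxc exec "$CONTAINER" -- bash -s -- "$credential_email" <<'EOF'
set -Eeuo pipefail
credential_email=$1
apt-get update && apt-get dist-upgrade -y
apt-get install -y nftables nginx ssl-cert libnginx-mod-http-subs-filter certbot python3-certbot-nginx

echo "registering with your default credential email <$credential_email>"
# NOTE(review): every certbot failure is reported as "already registered",
# including a rejected address or a network error.
certbot register --agree-tos --email "$credential_email" --no-eff-email || echo "already resgistered!"

rm /etc/nginx/sites-{enabled,available}/default -f
systemctl enable nginx

# When the configuration test fails, the hosts site is dropped before start.
nginx -tq || rm /etc/nginx/sites-enabled/hosts
systemctl start nginx
EOF

    if [[ "$TARGET" != "prod" ]]; then
        echo "copying Nginx banner to container <$CONTAINER> ... "
        lxc file push --uid 0 --gid 0 "$MIAOU_BASEDIR/templates/nginx/snippets/banner_$TARGET.conf" "$CONTAINER/etc/nginx/snippets/banner_$TARGET.conf"
        echo "copying files over container <$CONTAINER> ... OK"
    else
        echo "no Nginx banner on PROD!"
    fi

    echo "populate nftables entries into yaml"
    local wan_interface dmz_ip
    # Both values are cut out of human-readable tool output by field position;
    # assumes the "default via GW dev IFACE ..." and "NAME has address IP"
    # layouts (TODO confirm for hosts with several default routes or AAAA
    # records).
    wan_interface=$(ip route show default | cut -d ' ' -f5)
    dmz_ip=$(host "$CONTAINER.lxd" | cut -d ' ' -f4)
    # NOTE(review): the values are interpolated into the yq expressions as-is.
    yq ".nftables.wan_interface=\"$wan_interface\"" "$EXPANDED_CONF" -i
    yq ".nftables.dmz_ip=\"$dmz_ip\"" "$EXPANDED_CONF" -i

    local nftables_reloading=false
    if [[ "$TARGET" != "dev" ]]; then
        # The rendered table is copied into /etc and loaded with root
        # privileges, so refuse values that are empty, multi-line or not
        # shaped like an interface name / IPv4 address (for example the word
        # left behind by a failed `host` lookup).
        local -r iface_re='^[A-Za-z0-9_.:-]+$'
        local -r ipv4_re='^[0-9]{1,3}(\.[0-9]{1,3}){3}$'
        if [[ ! "$wan_interface" =~ $iface_re ]]; then
            echo "unexpected WAN interface <$wan_interface>, NAT table not installed" >&2
            return 1
        fi
        if [[ ! "$dmz_ip" =~ $ipv4_re ]]; then
            echo "unexpected DMZ address <$dmz_ip>, NAT table not installed" >&2
            return 1
        fi

        mkdir -p "$MIAOU_CONFIGDIR/nftables.rules.d"
        echo "nat http/s port to dmz"
        # Output is discarded, so the exit status is the only failure signal:
        # stop here rather than copy a stale or partial table into /etc.
        if ! tera -t "$MIAOU_BASEDIR/templates/nftables/nat.table.j2" "$EXPANDED_CONF" -o "$MIAOU_CONFIGDIR/nftables.rules.d/nat.table" &>/dev/null; then
            echo "rendering nat.table failed, NAT table not installed" >&2
            return 1
        fi
        sudo cp "$MIAOU_CONFIGDIR/nftables.rules.d/nat.table" /etc/nftables.rules.d/nat.table
        nftables_reloading=true
    else
        # "dev" gets no NAT: remove a table left over from another target.
        if [[ -f /etc/nftables.rules.d/nat.table ]]; then
            sudo_required "remove previous nat.table"
            sudo rm -f /etc/nftables.rules.d/nat.table
            nftables_reloading=true
        fi
    fi

    # Reload only when the rule set on disk actually changed.
    if [[ "$nftables_reloading" == true ]]; then
        sudo_required "reload nftables"
        sudo systemctl reload nftables.service
    fi
}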
# MAIN
# Shared library; presumably provides the helpers the functions above call
# (container_exists, echowarn, arg1_required, ...), none of which are defined
# in this file.
source "$MIAOU_BASEDIR/lib/init.sh"

# The first positional argument is the container name.
arg1_required "$@"
readonly CONTAINER="$1"

# Deploy only when the current state does not pass the probes, then probe
# again; the subshell keeps the install/check pair isolated from this shell.
if ! check; then
    (
        install
        check
    )
fi