You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
98 lines
2.8 KiB
98 lines
2.8 KiB
#!/bin/bash
|
|
|
|
readonly EXPANDED_CONF="$MIAOU_CONFIGDIR/miaou.expanded.yaml"
|
|
|
|
TARGET=$(yq '.target' "$EXPANDED_CONF")
|
|
readonly TARGET
|
|
|
|
function check() {
|
|
container_exists "$CONTAINER" || return 1
|
|
container_running "$CONTAINER" || return 2
|
|
check_reverseproxy || return 4
|
|
check_banner || return 5
|
|
check_certbot || return 6
|
|
|
|
PREFIX="recipe:dmz:check" echo "container <$CONTAINER> approved successfully!"
|
|
return 0
|
|
}
|
|
|
|
function check_reverseproxy() {
|
|
lxc exec "$CONTAINER" -- bash <<EOF
|
|
set -Eeuo pipefail
|
|
dpkg -l nginx | grep -q ^ii
|
|
systemctl is-active --quiet nginx
|
|
nginx -tq
|
|
EOF
|
|
}
|
|
|
|
function check_certbot() {
|
|
lxc exec "$CONTAINER" -- bash <<EOF
|
|
set -Eeuo pipefail
|
|
dpkg -l certbot | grep -q ^ii
|
|
dpkg -l python3-certbot-nginx | grep -q ^ii
|
|
EOF
|
|
}
|
|
|
|
function check_banner() {
|
|
if [[ $TARGET != "prod" ]]; then
|
|
lxc exec "$CONTAINER" -- bash <<EOF
|
|
set -Eeuo pipefail
|
|
test -f /etc/nginx/snippets/banner_$TARGET.conf
|
|
EOF
|
|
fi
|
|
}
|
|
|
|
function install() {
|
|
PREFIX="recipe:dmz:install"
|
|
: $PREFIX
|
|
|
|
echowarn "about to deploy new container <$CONTAINER> ..."
|
|
|
|
if ! container_exists "$CONTAINER"; then
|
|
echowarn "about to create new container <$CONTAINER> ..."
|
|
lxc-miaou-create "$CONTAINER"
|
|
echo OK
|
|
fi
|
|
|
|
if ! container_running "$CONTAINER"; then
|
|
echowarn "about to start asleep container <$CONTAINER> ..."
|
|
lxc start "$CONTAINER"
|
|
echo OK
|
|
fi
|
|
|
|
credential_email=$(load_yaml_from_expanded credential.email)
|
|
lxc exec "$CONTAINER" -- bash <<EOF
|
|
set -Eeuo pipefail
|
|
apt-get update && apt-get dist-upgrade -y
|
|
apt-get install -y nginx ssl-cert libnginx-mod-http-subs-filter certbot python3-certbot-nginx
|
|
|
|
echo "registering with your default credential email <$credential_email>"
|
|
certbot register --agree-tos --email $credential_email --no-eff-email || echo "already resgistered!"
|
|
|
|
rm /etc/nginx/sites-{enabled,available}/default -f
|
|
systemctl enable nginx
|
|
|
|
nginx -tq || rm /etc/nginx/sites-enabled/hosts
|
|
systemctl start nginx
|
|
EOF
|
|
|
|
if [[ "$TARGET" != "prod" ]]; then
|
|
echo "copying Nginx banner to container <$CONTAINER> ... "
|
|
lxc file push --uid 0 --gid 0 "$MIAOU_BASEDIR/templates/nginx/snippets/banner_$TARGET.conf" "$CONTAINER/etc/nginx/snippets/banner_$TARGET.conf"
|
|
lxc file push --uid 0 --gid 0 "$MIAOU_BASEDIR/templates/nginx/snippets/banner_exp.conf" "$CONTAINER/etc/nginx/snippets/banner_exp.conf"
|
|
echo "copying files to container <$CONTAINER> ... OK"
|
|
else
|
|
echo "no Nginx banner on PROD!"
|
|
fi
|
|
}
|
|
|
|
# MAIN
|
|
. "$MIAOU_BASEDIR/lib/init.sh"
|
|
|
|
arg1_required "$@"
|
|
readonly CONTAINER="$1"
|
|
|
|
check || (
|
|
install
|
|
check
|
|
)
|