provisioning tool for building opinionated architecture
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 

652 lines
20 KiB

#!/bin/bash
RED='\e[0;41m\e[1;37m'
GREEN='\033[0;32m'
YELLOW='\033[0;33m'
PURPLE='\033[0;35m'
DARK='\e[100m'
NC='\033[0m' # No Color
TO_BE_DEFINED="TO BE DEFINED"
# BOLD='\033[1m'
# DIM='\e[2m\e[0;90m'
function echo() {
[[ -n ${PREFIX:-} ]] && printf "${DARK}%25.25s${NC} " "${PREFIX}"
builtin echo "$@"
}
function check_normal_user() {
[[ $(id -u) -lt 1000 ]] && echoerr "normal user (>1000) expected, please connect as a normal user then call again!" && exit 100
return 0
}
function sudo_required() {
check_normal_user
command -v sudo &>/dev/null &&
id -G | grep -q sudo && echoerr "command <sudo> not found, please install as so: \`apt install -y sudo\`" && exit 1
if ! sudo -n true &>/dev/null; then
if [[ -n "${1:-}" ]]; then
echowarnn "[sudo] requiring authorized access for: [ $1 ]"
else
echowarnn "[sudo] requiring authorized access for further processing"
fi
fi
sudo -vp ' : '
}
# idempotent cargo install <package1 package2 ...>
function idem_cargo_install() {
for i in "$@"; do
if [ ! -f ~/.cargo/bin/"$i" ]; then
cargo install "$i"
fi
done
}
# display error in red
function echoerr() {
echo -e "${RED}$*${NC}" >&2
}
function echoerrn() {
echo -en "${RED}$*${NC}" >&2
}
# display warn in yellow
function echowarn() {
echo -e "${YELLOW}$*${NC}" >&2
}
function echowarnn() {
echo -en "${YELLOW}$*${NC}" >&2
}
# display error in green
function echoinfo() {
echo -e "${GREEN}$*${NC}" >&2
}
function echoinfon() {
echo -en "${GREEN}$*${NC}" >&2
}
# test whether <ip> is a valid ipv4 address?
function valid_ipv4() {
local ip="$1"
if [[ $ip =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
IFS='.' read -ra ADDR <<<"$ip"
[[ ${ADDR[0]} -le 255 && ${ADDR[1]} -le 255 && ${ADDR[2]} -le 255 && ${ADDR[3]} -le 255 ]]
return $?
fi
return 1
}
function enable_trace() {
trap 'trap_error $? ${LINENO:-0} ${BASH_LINENO:-0} ${BASH_COMMAND:-empty} $(printf "::%s" ${FUNCNAME[@]})' ERR
}
function disable_trace() {
trap - ERR
}
function prepare_nftables() {
local PREFIX="miaou:nftables"
if [[ ! -f /etc/nftables.rules.d/firewall.table ]]; then
echo "installing nftables ..."
sudo apt install -y nftables
sudo cp -f "$MIAOU_BASEDIR/templates/hardened/nftables.conf" /etc/
sudo mkdir -p /etc/nftables.rules.d
sudo cp -f "$MIAOU_BASEDIR/templates/hardened/firewall.table" /etc/nftables.rules.d/
sudo systemctl restart nftables
sudo systemctl enable nftables
echo "OK"
else
echo "nftables already installed!"
fi
}
function miaou_init() {
# shellcheck source=/dev/null
[[ -f /opt/debian-bash/lib/functions.sh ]] && source /opt/debian-bash/lib/functions.sh
# shellcheck source=/dev/null
. "$MIAOU_BASEDIR/lib/functions.sh"
export MIAOU_CONFIGDIR="$HOME/.config/miaou"
set -Eeuo pipefail
enable_trace
trap 'ctrl_c $? ${LINENO:-0} ${BASH_LINENO:-0} ${BASH_COMMAND:-empty} $(printf "::%s" ${FUNCNAME[@]})' INT
}
function ctrl_c() {
PREFIX="miaou:trap" echoerr "Ctrl + C happened, exiting!!! $*"
exit 125
}
# extract source code error triggered on trap error <error_code> <error_line>
function trap_error() {
ERRORS_COUNT=0
if [[ -f "$MIAOU_CONFIGDIR"/error_count ]]; then
ERRORS_COUNT=$(cat "$MIAOU_CONFIGDIR"/error_count)
else
mkdir -p "$MIAOU_CONFIGDIR"
printf 0 >"$MIAOU_CONFIGDIR"/error_count
fi
ERRORS_COUNT=$((ERRORS_COUNT + 1))
printf '%s' $ERRORS_COUNT >"$MIAOU_CONFIGDIR"/error_count
local PREFIX=""
# local file="${0:-}"
local err=$1 # error status
local line=$2 # LINENO
local linecallfunc=${3:-}
local command="${4:-}"
local funcstack="${5:-}"
local caller
caller=$(caller | cut -d' ' -f2)
# echo >&2
# if [ "$funcstack" != "::" ]; then
# echo -e "${RED}ERROR <$err>, due to command <$command> at line $line from <$caller>, stack=${funcstack}${NC}" >&2
# else
# echo >&2 "ERROR DETECTED"
# fi
# echo
# echo -e "${PURPLE}$caller:$line ${NC}EXIT ${RED}<$err>${NC}" >&2
# echo -e "${PURPLE}------------------------------------------ ${NC}" >&2
if [[ $ERRORS_COUNT == 1 ]]; then
echo
echo -e "${RED}ERROR <$err>, due to command <$command $funcstack>${NC}" >&2
fi
echo -e "${PURPLE}$ERRORS_COUNT: $caller:$line ${RED}$command $funcstack${NC}" >&2
# echo -e "${PURPLE}----------------------------- ${PURPLE}EXIT CODE ${PURPLE}--------------${PURPLE} $err ${NC}" >&2
# if [[ $line -gt 2 ]]; then
# sed "$((line - 2))q;d" "$caller" >&2
# sed "$((line - 1))q;d" "$caller" >&2
# fi
# echo -ne "${BOLD}" >&2
# sed "${line}q;d" "$caller" >&2
# echo -e "${PURPLE}------------------------------------------ ${NC}" >&2
}
# exist_command(cmd1, ...)
# test all commands exist, else fail
function exist_command() {
for i in "$@"; do
command -v "$i" &>/dev/null || return 50
done
}
# test whether container <ct> is up and running?
function container_running() {
arg1_required "$@"
container_exists "$1" && lxc list "$1" -c ns -f csv | head -n1 | grep -q "$1,RUNNING"
lxc exec "$1" -- bash <<EOF
set -Eeuo pipefail
if [[ ! -f /root/cloud-status.json ]]; then
cloud-init status --wait >/dev/null
fi
EOF
}
# test arg1 required
function arg1_required() {
[[ -z "${1:-}" ]] && echoerr "ERROR: arg#1 expected!" && return 125
return 0
}
# test arg2 required
function arg2_required() {
[[ -z "${2:-}" ]] && echoerr "ERROR: arg#2 expected!" && return 125
return 0
}
# test whether container <ct> exists yet?
function container_exists() {
arg1_required "$@"
lxc list "$1" -c n -f csv | grep -q "^$1\$"
}
# build debian image with prebuild debian-bash and various useful settings
# ARG1=release [bullseye, buster]
function build_miaou_image() {
local RELEASE="$1"
local IMAGE_LABEL="$RELEASE-miaou"
local PREFIX="miaou:image"
local DEB_REPOSITORY
DEB_REPOSITORY=$(grep ^deb /etc/apt/sources.list | head -n1 | cut -d ' ' -f2 | cut -d '/' -f3)
if ! lxc image -cl list -f csv | grep -q "$IMAGE_LABEL"; then
echo "building lxc image <$IMAGE_LABEL> ... "
echo "image will reuse same local repository <$DEB_REPOSITORY>"
creation_date=$(date +%s)
sudo /opt/debian-bash/tools/idem_apt_install debootstrap
cat <<EOF1 | sudo bash
set -euo pipefail
rm -rf /tmp/$IMAGE_LABEL{,-image}
mkdir -p /tmp/$IMAGE_LABEL{,-image}
debootstrap $RELEASE /tmp/$IMAGE_LABEL http://$DEB_REPOSITORY/debian
echo
echo "DEBOOTSTRAP ... OK"
echo
cat <<EOF2 | chroot /tmp/$IMAGE_LABEL
set -euo pipefail
echo "image prepare source.list from $DEB_REPOSITORY"
if [[ "$RELEASE" == "buster" ]]; then
cat <<EOF3 >/etc/apt/sources.list
deb http://$DEB_REPOSITORY/debian $RELEASE main contrib
deb http://$DEB_REPOSITORY/debian $RELEASE-updates main contrib
deb http://$DEB_REPOSITORY/debian-security/ $RELEASE/updates main contrib
EOF3
else
cat <<EOF3 >/etc/apt/sources.list
deb http://$DEB_REPOSITORY/debian $RELEASE main contrib
deb http://$DEB_REPOSITORY/debian $RELEASE-updates main contrib
deb http://$DEB_REPOSITORY/debian-security/ $RELEASE-security main contrib
EOF3
fi
echo APT UPDATE
apt update && apt dist-upgrade -y
apt install -y curl wget file git sudo bash-completion
curl https://git.artcode.re/pvincent/debian-bash/raw/branch/master/install.sh | sudo bash -s -- --host
ln -sf /usr/share/zoneinfo/Indian/Reunion /etc/localtime
cat <<EOF3 >/etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet dhcp
source /etc/network/interfaces.d/*
EOF3
echo "deboostrap ready!"
EOF2
cd /tmp/$IMAGE_LABEL-image
tar -czf rootfs.tar.gz -C /tmp/$IMAGE_LABEL .
cat <<EOF2 >metadata.yaml
architecture: "x86_64"
creation_date: $creation_date
properties:
architecture: "x86_64"
description: "Debian $RELEASE for miaou instances"
os: "debian"
release: "$RELEASE"
EOF2
tar -czf metadata.tar.gz metadata.yaml
EOF1
lxc image import "/tmp/$IMAGE_LABEL-image/metadata.tar.gz" "/tmp/$IMAGE_LABEL-image/rootfs.tar.gz" --alias "$IMAGE_LABEL"
echo "image <$IMAGE_LABEL> successfully built!"
echo DONE
else
echo "image <$IMAGE_LABEL> already built!"
fi
}
# execute remote scripting onto one LXC container <CONTAINER> [COMMANDS, ...]
# may use one command like: `lxc_exec ct1 uname -a`
# or pipe like so: `
# cat <<EOF | lxc_exec ct1
# ls -l
# uname -a
# echo [\$0] [\$1] [\$2] # toto titi tata
# EOF
# `
function lxc_exec() {
arg1_required "$@"
container="$1"
shift
declare -a ARGUMENTS
ARGUMENTS=(toto titi tata) # might be overriden with interesting stuff!
if ((${#} == 0)); then
multiline=""
while read -r line; do
if [[ ! "$line" =~ ^\# ]] && [[ ! "$line" =~ ^[[:space:]]*$ ]]; then
if [[ "$line" =~ .*\;$ ]] || [[ "$line" =~ do$ ]] || [[ "$line" =~ then$ ]] || [[ "$line" =~ else$ ]]; then
multiline+="${line} " # append space in case of ending with either '; do then else'
else
multiline+="${line};" # append ; for multiple commands
fi
fi
done
# echo "DEBUG: multiline = [$multiline]"
# echo DEBUG: lxc exec "$container" -- bash -lc "$multiline" "${ARGUMENTS[@]}"
lxc exec "$container" -- bash -lc "$multiline" "${ARGUMENTS[@]}"
else
lxc exec "$container" -- bash -lc "$*" "${ARGUMENTS[@]}"
fi
}
# check container exist and running
function check_container() {
arg1_required "$@"
local CT="$1"
container_exists "$CT"
container_running "$CT"
}
function launch_container() {
arg1_required "$@"
local ct="$1"
if ! container_exists "$ct"; then
echo "container <$ct> about to be created ..."
local extra_release="${2:-}"
if [[ -n "$extra_release" ]] && ! lxc image info "${extra_release}-miaou" >/dev/null; then
echoerrn "unknown extra_release <${extra_release}-miaou>!\nHINT : please add it into /etc/miaou/defaults.yaml, then re-install miaou!"
exit 128
fi
if [[ -n "$extra_release" ]]; then
echoerrn "FIXME: lxc-miaou-create -o release=bookworm should be implemented ...."
lxc-miaou-create "$ct" "$extra_release"
else
lxc-miaou-create "$ct"
fi
echo "DONE"
fi
if ! container_running "$ct"; then
echowarn "container <$ct> seems to be asleep, starting ..."
lxc start "$ct"
echowarn DONE
fi
}
function load_yaml_from_expanded {
arg1_required "$@"
yaml_key="$1"
yaml_file="$MIAOU_CONFIGDIR/miaou.expanded.yaml"
yaml_value=$(yq ".$yaml_key" "$yaml_file")
if [[ -n "$yaml_value" ]] && [[ "$yaml_value" != "null" ]] && [[ "$yaml_value" != "$TO_BE_DEFINED" ]]; then
PREFIX="" echo "$yaml_value"
else
echoerr "undefined value for key: <$yaml_key> from file: <$yaml_file>"
return 98
fi
}
function check_yaml_defined_value {
yaml_file="$1"
yaml_key="$2"
yaml_value=$(yq ".$yaml_key" "$yaml_file")
if [[ -n "$yaml_value" ]] && [[ "$yaml_value" != "null" ]] && [[ "$yaml_value" != "$TO_BE_DEFINED" ]]; then
return 0
else
echoerr "undefined value for key: <$yaml_key> from file: <$yaml_file>"
return 99
fi
}
# halt unless current user is root
function root_required() {
[[ $(id -u) == 0 ]] || (echoerr "root required" && return 1)
}
# arg#1: environment variable
# read from environment or ask entry before exporting new variable
function env_or_ask {
if [[ -n ${1+x} ]]; then
if printenv "$1" >/dev/null; then
echo "value defined as $(printenv "$1")"
else
printf "Please define %20s: " "$1"
read -r
export "$1=\"$REPLY\"" >/dev/null
fi
else
echoerr "env_or_ask requires one argument: <VARIABLE_NAME>" && exit 5
fi
}
# install_debian_bash()
# grab and install related project
function install_debian_bash() {
local PREFIX="debian-bash:install"
if [[ ! -d /opt/debian-bash ]]; then
echo "installing curl wget commands ..."
apt install -y curl wget
echo "installing debian-bash..."
curl https://git.artcode.re/pvincent/debian-bash/raw/branch/master/install.sh | sudo bash -s -- --host
export PATH=$PATH:/opt/debian-bash/tools/
echo "OK"
else
# /opt/debian-bash/tools/debian_bash_upgrade
echo "addon <debian-bash> already installed!"
fi
# shellcheck source=/dev/null
source /etc/bash.bashrc
sudo /opt/debian-bash/tools/idem_apt_install bash-completion
}
function add_toolbox_sudoers {
local PREFIX="toolbox:sudoers"
echo -n "creating sudoers file to allow sudo as command from /TOOLBOX... "
sudo mkdir -p /etc/sudoers.d
if [[ ! -f /etc/sudoers.d/add_TOOLBOX_to_PATH ]]; then
sudo tee /etc/sudoers.d/add_TOOLBOX_to_PATH &>/dev/null <<EOF
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/TOOLBOX"
EOF
PREFIX="" echo "updated!"
else
PREFIX="" echo "already done!"
fi
}
function prepare_toolbox() {
local PREFIX="toolbox:prepare"
sudo mkdir -p /TOOLBOX
if ! command -v cargo &>/dev/null; then
echo -n "installing <cargo> ... "
curl -sSf https://sh.rustup.rs | sh -s -- -y
# shellcheck source=/dev/null
source "$HOME/.cargo/env"
/opt/debian-bash/tools/append_or_replace "^PATH=\$PATH:\$HOME/\\.cargo/bin" "PATH=\$PATH:\$HOME/.cargo/bin" ~/.bashrc
PREFIX="" echo "OK"
else
echo "command <cargo> already installed!"
fi
echo -n "installing <fd> ... "
if [ ! -f "/TOOLBOX/fd" ]; then
idem_cargo_install fd-find
sudo cp "$HOME"/.cargo/bin/fd /TOOLBOX/fd
PREFIX="" echo "successfully installed!"
else
PREFIX="" echo "already done!"
fi
echo -n "installing <viu> ... "
if [ ! -f "/TOOLBOX/viu" ]; then
idem_cargo_install viu
sudo cp "$HOME"/.cargo/bin/viu /TOOLBOX/
PREFIX="" echo "successfully installed!"
else
PREFIX="" echo "already done!"
fi
echo -n "installing <rg> alias <ripgrep> ... "
if [ ! -f "/TOOLBOX/rg" ]; then
sudo /opt/debian-bash/tools/idem_apt_install ripgrep
sudo ln /usr/bin/rg /TOOLBOX/
PREFIX="" echo "successfully installed"
else
PREFIX="" echo "already done!"
fi
echo -n "installing <ag> alias <silversearcher-ag> ... "
if [ ! -f "/TOOLBOX/ag" ]; then
sudo /opt/debian-bash/tools/idem_apt_install silversearcher-ag
sudo ln /usr/bin/ag /TOOLBOX/
PREFIX="" echo "successfully installed"
else
PREFIX="" echo "already done!"
fi
echo -n "installing <bandwhich> ... "
if [ ! -f "/TOOLBOX/bandwhich" ]; then
idem_cargo_install bandwhich
sudo cp "$HOME"/.cargo/bin/bandwhich /TOOLBOX/bandwhich
PREFIX="" echo "successfully installed"
else
PREFIX="" echo "already done!"
fi
echo -n "installing <btm> alias <bottom> ... "
if [ ! -f "/TOOLBOX/btm" ]; then
VERSION=$(wget_semver github ClementTsang/bottom)
cd /tmp
wget "https://github.com/ClementTsang/bottom/releases/download/$VERSION/bottom_x86_64-unknown-linux-musl.tar.gz"
tar -xzvf bottom_x86_64-unknown-linux-musl.tar.gz
sudo cp btm /usr/local/bin/
sudo ln /usr/local/bin/btm /TOOLBOX/
PREFIX="" echo "successfully installed"
else
PREFIX="" echo "already done!"
fi
echo -n "installing <micro> ... "
if [ ! -f "/TOOLBOX/micro" ]; then
cd /tmp || (echoerr "/tmp wrong permission" && exit 101)
curl -q https://getmic.ro | GETMICRO_REGISTER=n sh
sudo mv micro /TOOLBOX/micro
sudo chown root:root /TOOLBOX/micro
PREFIX="" echo "successfully installed"
else
PREFIX="" echo "already done!"
fi
echo -n "installing <ncdu> ... "
if [ ! -f "/TOOLBOX/ncdu" ]; then
sudo /opt/debian-bash/tools/idem_apt_install ncdu
sudo cp /usr/bin/ncdu /TOOLBOX/ncdu
PREFIX="" echo "successfully installed"
else
PREFIX="" echo "already done!"
fi
echo -n "installing <unzip> ... "
if [ ! -f "/TOOLBOX/unzip" ]; then
sudo /opt/debian-bash/tools/idem_apt_install unzip
sudo cp /usr/bin/unzip /TOOLBOX/unzip
PREFIX="" echo "successfully installed"
else
PREFIX="" echo "already done!"
fi
echo -n "installing <tree> ... "
if [ ! -f "/TOOLBOX/tree" ]; then
sudo /opt/debian-bash/tools/idem_apt_install tree
sudo cp /bin/tree /TOOLBOX/tree
PREFIX="" echo "successfully installed"
else
PREFIX="" echo "already done!"
fi
echo -n "installing <duf> ... "
if [ ! -f "/TOOLBOX/duf" ]; then
VERSION=$(/opt/debian-bash/tools/wget_semver github muesli/duf)
VERSION_WITHOUT_V=${VERSION#v}
wget -O /tmp/duf.deb "https://github.com/muesli/duf/releases/download/${VERSION}/duf_${VERSION_WITHOUT_V}_linux_amd64.deb"
sudo dpkg -i /tmp/duf.deb
sudo cp /bin/duf /TOOLBOX/duf
PREFIX="" echo "successfully installed"
else
PREFIX="" echo "already done!"
fi
echo -n "installing <curl> ... "
if [ ! -f "/TOOLBOX/curl" ]; then
sudo wget -O /TOOLBOX/curl "https://github.com/moparisthebest/static-curl/releases/latest/download/curl-amd64"
sudo chmod +x /TOOLBOX/curl
PREFIX="" echo "successfully installed"
else
PREFIX="" echo "already done!"
fi
echo -n "installing <wget> ... "
if [ ! -f "/TOOLBOX/wget" ]; then
sudo ln -f /usr/bin/wget /TOOLBOX/wget
PREFIX="" echo "successfully installed"
else
PREFIX="" echo "already done!"
fi
}
# install_mandatory_commands
function install_mandatory_commands() {
local PREFIX="mandatory:commands"
sudo /opt/debian-bash/tools/idem_apt_install dnsutils build-essential curl mariadb-client postgresql-client
if ! exist_command tera; then
echo "installing <tera> ..."
local version=v0.2.4
wget -q "https://github.com/chevdor/tera-cli/releases/download/${version}/tera-cli_linux_amd64.deb" -O /tmp/tera-cli_linux_amd64.deb
sudo dpkg -i /tmp/tera-cli_linux_amd64.deb
else
echo "command <tera> already installed!"
fi
if ! exist_command yq; then
local version binary
version='v4.35.2'
binary='yq_linux_amd64'
sudo sh -c "wget https://github.com/mikefarah/yq/releases/download/${version}/${binary}.tar.gz -O - |\
tar -xz ./${binary} && sudo mv ${binary} /usr/bin/yq"
else
echo "command <yq> already installed!"
fi
}
# flatten array, aka remove duplicated elements in array
# return: `mapfile -t OUTPUT_ARRAY < <(sort_array "${INPUT_ARRAY[@]}")`
function flatten_array {
declare -a array=("$@")
IFS=" " read -r -a array <<<"$(tr ' ' '\n' <<<"${array[@]}" | sort -u | tr '\n' ' ')"
printf '%s\n' "${array[@]}"
}
function prepare_nftables() {
local PREFIX="miaou:firewall"
if [[ ! -f /etc/nftables.rules.d/firewall.table ]]; then
echo "installing nftables ..."
sudo apt install -y nftables
sudo cp -f "$MIAOU_BASEDIR/templates/hardened/nftables.conf" /etc/
sudo mkdir -p /etc/nftables.rules.d
sudo cp -f "$MIAOU_BASEDIR/templates/hardened/firewall.table" /etc/nftables.rules.d/
sudo systemctl restart nftables
sudo systemctl enable nftables
echo "OK"
else
echo "nftables already installed!"
fi
}