provisioning tool for building opinionated architecture
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 

484 lines
16 KiB

#!/bin/bash
usage() {
PREFIX="miaou:usage" echo '<init>'
exit 0
}
yqm() {
#read only
yq "$1" "$EXPANDED_CONF"
}
yqmi() {
# for update
yq "$1" "$EXPANDED_CONF" -i
}
yqmt() {
# tabular
yq "$1" "$EXPANDED_CONF" -o t
}
compute_fqdn_middlepart() {
case "$1" in
prod)
local fqdn_middlepart="."
;;
beta)
local fqdn_middlepart=".beta."
;;
dev)
local fqdn_middlepart=".dev."
;;
*)
echowarn "unknown target <${target}>, please fix with correct value from {prod, beta, dev} and try again..."
exit 1
;;
esac
builtin echo "$fqdn_middlepart"
}
# archive_conf(FILE)
# save patch in archived folder of current file
function archive_conf() {
PREFIX="miaou:conf:archive"
file="$1"
filename=$(basename "$file")
mkdir -p "$MIAOU_CONFIGDIR/archived/$filename"
previous="$MIAOU_CONFIGDIR/archived/$filename/previous"
# shellcheck disable=SC2012
latest_patch=$(ls -1tr "$MIAOU_CONFIGDIR/archived/$filename/" | tail -n1)
if [[ -z "$latest_patch" ]]; then
echo -n "archiving first file <$file> ..."
cp "$file" "$previous"
PREFIX="" echoinfo OK
elif [[ "$file" -nt "$latest_patch" ]]; then
patchname="$MIAOU_CONFIGDIR/archived/$filename/$(date +%F_%T)"
if ! diff "$previous" "$file" >"$patchname"; then
echo -n "archiving patch <$patchname> ..."
cp "$file" "$previous"
PREFIX="" echoinfo OK
else
rm "$patchname"
fi
fi
}
function archive_allconf() {
mkdir -p "$MIAOU_CONFIGDIR"
archive_conf "$CONF"
archive_conf "$DEFAULTS"
}
function check_expand_conf() {
PREFIX="miaou:conf:check"
if ! "$FORCE" && [ -f "$EXPANDED_CONF" ] && [ "$EXPANDED_CONF" -nt "$CONF" ] && [ "$EXPANDED_CONF" -nt "$DEFAULTS" ]; then
echo "already expanded!"
return 1
fi
}
function expand_conf() {
PREFIX="miaou:conf"
if [[ -f "$EXPANDED_CONF" ]]; then
current_target=$(grep -Es "^target:" /etc/miaou/defaults.yaml | cut -d ' ' -f2)
previous_target=$(grep -Es "^target:" "$EXPANDED_CONF" | cut -d ' ' -f2)
[[ "$current_target" != "$previous_target" ]] && echoerr "TARGET <$previous_target> mismatched <$current_target>" && exit 101
fi
# initialize expanded conf by merging default
# shellcheck disable=SC2016
yq eval-all '. as $item ireduce ({}; . * $item )' "$CONF" "$DEFAULTS" >"$EXPANDED_CONF"
# append unique container unless overridden
mapfile -t services_app_only < <(yqmt '.services.[].[] | has("container") | select ( . == false) | [(parent|key)+" " +key]')
for i in "${services_app_only[@]}"; do
read -r -a item <<<"$i"
domain=${item[0]}
subdomain=${item[1]}
app=$(yqm ".services.\"$domain\".\"$subdomain\".app")
container=$(get_container_for_domain_subdomain_app "$domain" "$subdomain" "$app")
yqmi ".services.\"$domain\".\"$subdomain\".container=\"$container\""
done
# append enabled=true unless overridden
mapfile -t services_app_only < <(yqmt '.services.[].[] | has("enabled") | select ( . == false) | [(parent|key)+" " +key] | unique ')
# echo "found <${#services_app_only[@]}> enabled services"
for i in "${services_app_only[@]}"; do
read -r -a item <<<"$i"
domain=${item[0]}
subdomain=${item[1]}
yqmi ".services.\"$domain\".\"$subdomain\".enabled=true"
done
# compute fqdn
target=$(yqm '.target')
fqdn_middlepart=$(compute_fqdn_middlepart "$target")
# write fqdn_middlepart
yqmi ".expanded.fqdn_middlepart = \"$fqdn_middlepart\""
# add monitored.containers section
yqmi '.expanded.monitored.containers = ([ .services[] | to_entries | .[] | .value | select (.enabled == true ) | .container ] | unique)'
# add monitored.hosts section
yqmi '.expanded.monitored.hosts = [( .services[][] | select (.enabled == true ) | {"domain": ( parent | key ), "subdomain": key, "fqdn": key + (parent | parent | parent | .expanded.fqdn_middlepart) + ( parent | key ), "container":.container, "port":.port, "app":.app })]'
# add services section
if [[ ${#services_app_only[@]} -gt 0 ]]; then
yqmi '.expanded.services = [( .services[][] | select (.enabled == true ) | {"domain": ( parent | key ), "subdomain": key, "fqdn": key + (parent | parent | parent | .expanded.fqdn_middlepart) + ( parent | key ), "container":.container, "port":.port, "app":.app, "name": .name // ""})]'
else
yqmi '.expanded.services = []'
fi
# add firewall section, bridge_subnet + mail_passthrough if any
bridge_subnet=$(lxc network get lxdbr0 ipv4.address)
yqmi ".firewall.bridge_subnet = \"$bridge_subnet\""
container_mail_passthrough=$(yqm ".firewall.container_mail_passthrough")
}
function build_routes() {
PREFIX="miaou:routes"
mapfile -t fqdns < <(yqm '.expanded.services[].fqdn')
echo "found <${#fqdns[@]}> fqdn"
raw_dnsmasq=''
for i in "${fqdns[@]}"; do
raw_dnsmasq+="address=/$i/$DMZ_IP\\n"
# append domains to conf
echo "re-routing any connection from <$i> to internal container <$DMZ_CONTAINER.lxd>"
done
builtin echo -e "$raw_dnsmasq" | lxc network set $BRIDGE raw.dnsmasq -
}
function build_dmz_reverseproxy() {
PREFIX="miaou:build:dmz"
echo -n "building configuration for nginx ... "
mkdir -p "$MIAOU_CONFIGDIR/nginx"
tera -t "$MIAOU_BASEDIR/templates/nginx/_default.j2" "$EXPANDED_CONF" -o "$MIAOU_CONFIGDIR/nginx/_default" &>/dev/null
tera -t "$MIAOU_BASEDIR/templates/nginx/hosts.j2" "$EXPANDED_CONF" -o "$MIAOU_CONFIGDIR/nginx/hosts" &>/dev/null
PREFIX="" echo OK
echo -n "pushing configuration to <$DMZ_CONTAINER> ... "
for f in "$MIAOU_CONFIGDIR"/nginx/*; do
lxc file push --uid=0 --gid=0 "$f" "$DMZ_CONTAINER/etc/nginx/sites-available/" &>/dev/null
done
PREFIX="" echo OK
cat <<EOF | PREFIX="miaou:build:dmz" lxc_exec "$DMZ_CONTAINER"
cd /etc/nginx/sites-enabled/
for i in ../sites-available/*; do
# echo dmz: enabling... \$i
ln -sf \$i
done
nginx -tq
systemctl restart nginx
EOF
echo "nginx reloaded successfully!"
}
function monit_show() {
PREFIX="monit:show"
: $PREFIX
readarray -t hosts < <(yqmt '.expanded.monitored.hosts[] | [ .container, .port, .fqdn, .app ]')
echo "================="
echo "${#hosts[@]} available hosts"
echo "================="
for host in "${hosts[@]}"; do
read -r -a item <<<"$host"
container=${item[0]}
port=${item[1]}
fqdn=${item[2]}
app=${item[3]}
[[ -n ${PREFIX:-} ]] && printf "${DARK}%25.25s${NC} " "${PREFIX}"
if curl -m $MAX_WAIT -I -4so /dev/null "http://$container:$port"; then
builtin echo -ne "${GREEN}${NC}"
else
builtin echo -ne "${RED}${NC}"
fi
printf "\t%10.10s\thttps://%-40s\thttp://%s\n" "$app" "$fqdn" "$container:$port"
done
}
function build_monit() {
# test whether monitored items actually run safely
PREFIX="monit:build"
echo -n "testing monitored hosts ..."
readarray -t hosts < <(yqmt '.expanded.monitored.hosts[] | [ .container, .port, .fqdn ]')
for host in "${hosts[@]}"; do
read -r -a item <<<"$host"
container=${item[0]}
port=${item[1]}
fqdn=${item[2]}
if ! (lxc exec "$container" -- ss -tln | grep -q "\(0.0.0.0\|*\):$port"); then
echoerr
echoerr "no HTTP server responds on <$container.lxd:$port>"
echoerr "please review configuration <miaou.yaml> for fqdn: $fqdn"
exit 2
fi
if ! curl_check_unsecure "https://$fqdn"; then
echoerr
echoerr "DMZ does not seem to dispatch <https://$fqdn> please review DMZ Nginx proxy"
exit 3
elif [[ "$target" != 'dev' ]] && ! curl_check "https://$fqdn"; then
PREFIX="" echo
echowarn "T=$target missing valid certificate for fqdn <https://$fqdn> please review DMZ certbot"
fi
done
PREFIX="" echo OK
# templates for monit
echo -n "copying templates for monit ..."
mkdir -p "$MIAOU_CONFIGDIR/monit"
tera -t "$MIAOU_BASEDIR/templates/monit/containers.j2" "$EXPANDED_CONF" -o "$MIAOU_CONFIGDIR/monit/containers" >/dev/null
tera -t "$MIAOU_BASEDIR/templates/monit/hosts.j2" "$EXPANDED_CONF" -o "$MIAOU_CONFIGDIR/monit/hosts" >/dev/null
PREFIX="" echo OK
}
# count_service_for_container(container: string)
# returns how many services run inside container according to expanded conf
function count_service_for_container() {
container_mail_passthrough="$1"
count=$(yqm ".expanded.services.[] | select(.container == \"$container_mail_passthrough\") | .fqdn" | wc -l)
builtin echo "$count"
}
function build_nftables() {
PREFIX="miaou:nftables:build"
mkdir -p "$MIAOU_CONFIGDIR/nftables.rules.d"
container_mail_passthrough=$(yqm '.firewall.container_mail_passthrough')
if [[ "$container_mail_passthrough" != null ]]; then
ip_mail_passthrough=$(lxc list "$container_mail_passthrough" -c4 -f csv | grep eth0 | cut -d ' ' -f1)
[[ -z "$ip_mail_passthrough" ]] && echoerr "container <$container_mail_passthrough> passthrough unknown ip!" && exit 55
echo "passthrough=$container_mail_passthrough/$ip_mail_passthrough"
count=$(count_service_for_container "$container_mail_passthrough")
[[ $count == 0 ]] && echowarn "no service detected => no passthrough, no change!"
[[ $count -gt 1 ]] && echoerr "count <$count> services detected on container <$container_mail_passthrough>, please disable some and leave only one service for safety!!!" && exit 56
ip_mail_passthrough=$ip_mail_passthrough tera -e --env-key env -t "$MIAOU_BASEDIR/templates/nftables/lxd.table.j2" "$EXPANDED_CONF" -o "$MIAOU_CONFIGDIR/nftables.rules.d/lxd.table" &>/dev/null
else
echo "no container passthrough"
tera -t "$MIAOU_BASEDIR/templates/nftables/lxd.table.j2" "$EXPANDED_CONF" -o "$MIAOU_CONFIGDIR/nftables.rules.d/lxd.table" &>/dev/null
fi
if ! diff -q "$MIAOU_CONFIGDIR/nftables.rules.d/lxd.table" /etc/nftables.rules.d/lxd.table; then
sudo_required "reloading nftables"
echo -n "reloading nftables..."
sudo cp "$MIAOU_CONFIGDIR/nftables.rules.d/lxd.table" /etc/nftables.rules.d/lxd.table
sudo systemctl reload nftables
PREFIX="" echo OK
fi
}
# check whether http server responds 200 OK, required <url>, ie: http://example.com:8001, https://example.com
function curl_check() {
arg1_required "$@"
# echo "curl $1"
curl -m $MAX_WAIT -sLI4 "$1" | grep -q "^HTTP.* 200"
}
# check whether https server responds 200 OK, even unsecured certificate (auto-signed in mode DEV)
function curl_check_unsecure() {
arg1_required "$@"
curl -m $MAX_WAIT -skLI4 "$1" | grep -q "^HTTP.* 200"
}
function get_dmz_ip() {
if ! container_running "$DMZ_CONTAINER"; then
echowarn "Container running dmz <$DMZ_CONTAINER> seems down"
echoerr "please \`lxc start $DMZ_CONTAINER\` or initialize first!"
exit 1
fi
dmz_ip=$(host "$DMZ_CONTAINER.lxd" | cut -d ' ' -f4)
if ! valid_ipv4 "$dmz_ip"; then
echowarn "dmz seems up but no valid ip <$dmz_ip> found!"
echoerr "please fix this networking issue, then retry..."
exit 1
else
builtin echo "$dmz_ip"
fi
}
function fetch_container_of_type() {
local type="$1"
readarray -t dmzs < <(yqm ".containers.[].[] | select(.==\"$type\") | parent | key")
case ${#dmzs[@]} in
0) : ;;
1) builtin echo "${dmzs[0]}" ;;
*) for d in "${dmzs[@]}"; do
builtin echo "$d"
done ;;
esac
}
function get_container_for_domain_subdomain_app() {
local domain="$1"
local subdomain="$2"
local app="$3"
readarray -t containers < <(fetch_container_of_type "$app")
case ${#containers[@]} in
0) echoerr "no container of type <$app> found amongst containers for $subdomain.$domain\nHINT : Please, either :\n1. define at least one container for recipe <$app>\n2. remove all services related to recipe <$app>" && exit 1 ;;
1) builtin echo "${containers[0]}" ;;
*)
for d in "${containers[@]}"; do
echowarn "container of type $app found in <$d>"
done
echoerr "multiple containers (${#containers[@]}) provided same app <$app>, therefore container is mandatory alongside $subdomain.$domain" && exit 2
;;
esac
}
function get_unique_container_dmz() {
readarray -t containers < <(fetch_container_of_type "dmz")
case ${#containers[@]} in
0) echoerr "no container of type <dmz> found amongst containers" && exit 1 ;;
1) builtin echo "${containers[0]}" ;;
*)
for d in "${containers[@]}"; do
echowarn "container of type dmz found in <$d>"
done
echoerr "multiple dmz (${#containers[@]}) are not allowed, please select only one " && exit 2
;;
esac
}
function prepare_dmz_container() {
"$MIAOU_BASEDIR"/recipes/dmz/install.sh "$DMZ_CONTAINER"
}
function check_resolv_conf() {
local bridge_gw resolver
bridge_gw=$(lxc network get lxdbr0 ipv4.address | cut -d'/' -f1)
resolver=$(grep nameserver /etc/resolv.conf | head -n1 | cut -d ' ' -f2)
PREFIX="resolver:check" echo "container resolver is <$resolver>"
PREFIX="resolver:check" echo "container bridge is <$bridge_gw>"
[[ "$bridge_gw" != "$resolver" ]] && return 21
return 0
}
function prepare_containers() {
PREFIX="miaou:prepare"
readarray -t containers < <(yqmt ".containers.[] | [ key, .[] ] ")
for i in "${containers[@]}"; do
read -r -a item <<<"$i"
container=${item[0]}
for ((j = 1; j < ${#item[@]}; j++)); do
service="${item[$j]}"
recipe_install="$MIAOU_BASEDIR/recipes/$service/install.sh"
if [[ -f "$recipe_install" ]]; then
echo "install [$service] onto container <$container>"
"$recipe_install" "$container"
else
echoerr "FAILURE, for container <$container>, install recipe [$service] not found!"
echoerr "please review configuration, mismatch recipe name maybe?"
exit 50
fi
done
done
}
function build_services() {
PREFIX="miaou:build:services"
echo "building services..."
readarray -t services < <(yqmt '.expanded.services[] | [ .[] ]')
for i in "${services[@]}"; do
read -r -a item <<<"$i"
fqdn=${item[2]}
container=${item[3]}
port=${item[4]}
app=${item[5]}
name=${item[6]:-}
domain=${item[0]}
subdomain=${item[1]}
data=$(yqm ".services.\"$domain\".\"$subdomain\".data")
echo "domain=$domain, subdomain=$subdomain, data=$data"
recipe="$MIAOU_BASEDIR/recipes/$app/crud.sh"
if [[ -f "$recipe" ]]; then
echo "read [$app:$name] onto container <$container>"
if ! "$recipe" -r --port "$port" --container "$container" --name "$name" --fqdn "$fqdn"; then
echoinfo "CREATE RECIPE"
"$recipe" -c --port "$port" --container "$container" --name "$name" --fqdn "$fqdn"
echoinfo "CREATE RECIPE: OK"
fi
else
echowarn "for container <$container>, crud recipe [$app] not found!"
fi
done
}
### MAIN
. "$MIAOU_BASEDIR/lib/init.sh"
readonly CONF="/etc/miaou/miaou.yaml"
readonly DEFAULTS="/etc/miaou/defaults.yaml"
readonly EXPANDED_CONF="$MIAOU_CONFIGDIR/miaou.expanded.yaml"
readonly BRIDGE="lxdbr0"
readonly MAX_WAIT=3 # timeout in seconds
# shellcheck disable=SC2034
declare -a options=("$@")
FORCE=false
if containsElement options "-f" || containsElement options "--force"; then
FORCE=true
fi
if containsElement options "history"; then
echo "TODO: HISTORY"
exit 0
fi
if containsElement options "config"; then
editor /etc/miaou/miaou.yaml
if diff -q /etc/miaou/miaou.yaml $HOME/.config/miaou/archived/miaou.yaml/previous; then
exit 0
fi
fi
if check_expand_conf; then
archive_allconf
expand_conf
check_resolv_conf
build_nftables
prepare_containers
DMZ_CONTAINER=$(get_unique_container_dmz)
readonly DMZ_CONTAINER
build_services
DMZ_IP=$(get_dmz_ip)
readonly DMZ_IP
build_dmz_reverseproxy
build_routes
build_monit
fi
monit_show