provisioning tool for building opinionated architecture
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 

125 lines
3.9 KiB

#!/bin/bash
readonly EXPANDED_CONF="$MIAOU_CONFIGDIR/miaou.expanded.yaml"
TARGET=$(yq '.target' "$EXPANDED_CONF")
readonly TARGET
function check() {
container_exists "$CONTAINER" || return 1
container_running "$CONTAINER" || return 2
check_reverseproxy || return 4
check_banner || return 5
check_certbot || return 6
PREFIX="recipe:dmz:check" echo "container <$CONTAINER> approved successfully!"
return 0
}
function check_reverseproxy() {
lxc exec "$CONTAINER" -- bash <<EOF
set -Eeuo pipefail
dpkg -l nginx | grep -q ^ii
systemctl is-active --quiet nginx
nginx -tq
EOF
}
function check_certbot() {
lxc exec "$CONTAINER" -- bash <<EOF
set -Eeuo pipefail
dpkg -l certbot | grep -q ^ii
dpkg -l python3-certbot-nginx | grep -q ^ii
EOF
}
function check_banner() {
if [[ $TARGET != "prod" ]]; then
lxc exec "$CONTAINER" -- bash <<EOF
set -Eeuo pipefail
test -f /etc/nginx/snippets/banner_$TARGET.conf
EOF
fi
}
function install() {
PREFIX="recipe:dmz:install"
: $PREFIX
echowarn "about to deploy new container <$CONTAINER> ..."
if ! container_exists "$CONTAINER"; then
echowarn "about to create new container <$CONTAINER> ..."
lxc-miaou-create "$CONTAINER"
echo OK
fi
if ! container_running "$CONTAINER"; then
echowarn "about to start asleep container <$CONTAINER> ..."
lxc start "$CONTAINER"
echo OK
fi
credential_email=$(load_yaml_from_expanded credential.email)
lxc exec "$CONTAINER" -- bash <<EOF
set -Eeuo pipefail
apt-get update && apt-get dist-upgrade -y
apt-get install -y nftables nginx ssl-cert libnginx-mod-http-subs-filter certbot python3-certbot-nginx
echo "registering with your default credential email <$credential_email>"
certbot register --agree-tos --email $credential_email --no-eff-email || echo "already resgistered!"
rm /etc/nginx/sites-{enabled,available}/default -f
systemctl enable nginx
nginx -tq || rm /etc/nginx/sites-enabled/hosts
systemctl start nginx
EOF
if [[ "$TARGET" != "prod" ]]; then
echo "copying Nginx banner to container <$CONTAINER> ... "
lxc file push --uid 0 --gid 0 "$MIAOU_BASEDIR/templates/nginx/snippets/banner_$TARGET.conf" "$CONTAINER/etc/nginx/snippets/banner_$TARGET.conf"
lxc file push --uid 0 --gid 0 "$MIAOU_BASEDIR/templates/nginx/snippets/banner_exp.conf" "$CONTAINER/etc/nginx/snippets/banner_exp.conf"
echo "copying files over container <$CONTAINER> ... OK"
else
echo "no Nginx banner on PROD!"
fi
echo "populate nftables entries into yaml"
local wan_interface dmz_ip
wan_interface=$(ip route show default | cut -d ' ' -f5)
dmz_ip=$(host "$CONTAINER.lxd" | cut -d ' ' -f4)
yq ".nftables.wan_interface=\"$wan_interface\"" "$EXPANDED_CONF" -i
yq ".nftables.dmz_ip=\"$dmz_ip\"" "$EXPANDED_CONF" -i
local nftables_reloading=false
if [[ "$TARGET" != "dev" ]]; then
mkdir -p "$MIAOU_CONFIGDIR/nftables.rules.d"
echo "nat http/s port to dmz"
tera -t "$MIAOU_BASEDIR/templates/nftables/nat.table.j2" "$EXPANDED_CONF" -o "$MIAOU_CONFIGDIR/nftables.rules.d/nat.table" &>/dev/null
sudo cp "$MIAOU_CONFIGDIR/nftables.rules.d/nat.table" /etc/nftables.rules.d/nat.table
nftables_reloading=true
else
if [[ -f /etc/nftables.rules.d/nat.table ]]; then
sudo_required "remove previous nat.table"
sudo rm -f /etc/nftables.rules.d/nat.table
nftables_reloading=true
fi
fi
if [[ "$nftables_reloading" == true ]]; then
sudo_required "reload nftables"
sudo systemctl reload nftables.service
fi
}
# MAIN
. "$MIAOU_BASEDIR/lib/init.sh"
arg1_required "$@"
readonly CONTAINER="$1"
check || (
install
check
)