From 2ee6e8bf7cda5fbc32a00c2a9d2a4a307ff72d01 Mon Sep 17 00:00:00 2001
From: leo <426742@gmail.com>
Date: Mon, 5 Aug 2024 04:21:06 +0500
Subject: [PATCH] changes
---
 README.md | 30 +++++++++++++++++++++++++++++-
 install.sh | 28 +++++++++++++++++++--------
 remote.sh | 46 ++++++++++++++++++++++++++++++++++++++++------
 secrets-decrypt.sh | 34 ++++++++++++++++++++++++++++++++++
 secrets-encrypt.sh | 43 +++++++++++++++++++++++++++++++++++++++++++
 secrets-le-save.sh | 27 +++++++++++++++++++++++++++
 secrets-push.sh | 33 +++++++++++++++++++++++++++++++++
 7 files changed, 225 insertions(+), 16 deletions(-)
 create mode 100644 secrets-decrypt.sh
 create mode 100644 secrets-encrypt.sh
 create mode 100644 secrets-le-save.sh
 create mode 100644 secrets-push.sh
diff --git a/README.md b/README.md
index b13c56a..315baf2 100644
--- a/README.md
+++ b/README.md
@@ -4,4 +4,32 @@ Install: `sudo bash remote.sh SERVER_HOST`
 Install server-backup
-`sudo bash remote.sh 5.252.21.50`
\ No newline at end of file
+`sudo bash remote.sh 5.252.21.50`
+
+
+## Основной алгоритм:
+
+Установка предполагает полностью автоматизированное развертывание из репозиториев всей структуры сервера.
+На текущий момент это Alpha версия, которая может содержать в себе значительные недостатки.
+
+1. С сервера разработчика dev.dd запускается скрипт `remote.sh `
+ * плдключает .env `secrets/`
+ * считывает SAFE_PASSWORD из `$SECRETS_SAFE/keys.env`
+
+ * Установите открытый ключ SSH с хоста разработчика на целевой хост
+ * Скопируйте сценарий установки с хоста разработчика на целевой хост в каталоге tmp
+ * Скопируйте скрипт secrets-decrypt с хоста разработчика на целевой хост в каталоге tmp
+ * Создать каталог секретов на целевом хосте
+ * Копирование секретного архива с исходного хоста на целевой хост
+ * Запустите скрипт secrets-decrypt для расшифровки архива секретов на целевом хосте
+ * Запустите сценарий установки на целевом хосте
+
+2. Далее запускается `install.sh` на удаленном сервере:
+ * ...
+
+3. Далее запускается `init-server.sh` на удаленном сервере:
+ * ...
+
+4. Далее запускается `$SERVER_NAME/install.sh` на удаленном сервере:
+Он устанавливает и настраивает уже непосредственно программы, котрые выполняются на сервере
+ * ...
diff --git a/install.sh b/install.sh
index bc72255..afc22a8 100644
--- a/install.sh
+++ b/install.sh
@@ -10,18 +10,18 @@ if [ -z "$1" ]; then
 exit 1
 fi
-#SSH_PORT=2525
 REMOTE_USER="root"
 SERVER_HOST=$1
 SECRETS_PATH=/data/secrets/$SERVER_HOST/$SERVER_HOST.env
-source $SECRETS_PATH
-
 trap 'echo -e "\033[31minstall.sh: Something went wrong\033[0m"; exit 1' ERR
 set -e
 export DEBIAN_FRONTEND=noninteractive
+source $SECRETS_PATH
+
+
 #mkdir -p /data
 #chown usradmin:usradmin /data
 #chmod 770 /data
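Review bot: `source $SECRETS_PATH` now runs with `set -e` and the ERR trap armed, but a missing or unreadable env file still surfaces only as the generic "Something went wrong" message, and the path is expanded unquoted. A pre-check gives an actionable error and keeps the quoting consistent: `[ -r "$SECRETS_PATH" ] || { echo "secrets file not found: $SECRETS_PATH" >&2; exit 1; }` followed by `source "$SECRETS_PATH"`. The `if [ -z "$1" ]` block that the hunk's context lines close starts outside the hunk.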
@@ -38,8 +38,13 @@ else
 ssh-keygen -t ed25519 -C "$SERVER_NAME" -f ~/.ssh/id_ed25519 -N ""
 fi
+apt install -y sshpass
+
+# Install public SSH key from HOST to ORIGIN:
+echo "Add public key to origin server..."
 sshpass -p $SERVER_ORIGIN_PASSWORD ssh-copy-id -i ~/.ssh/id_ed25519.pub $REMOTE_USER@$SERVER_ORIGIN_DOMAIN
+echo "Add public key to gitea app..."
 SSH_PUBLIC_KEY=$(cat ~/.ssh/id_ed25519.pub)
 curl -X POST \
@@ -51,20 +56,25 @@ curl -X POST \
 \"key\": \"$SSH_PUBLIC_KEY\"
 }"
-#echo -e "\033[31mCopy this public key to Gitea:\033[0m"
-#cat ~/.ssh/id_ed25519.pub
-#echo "Press Enter to continue..."
-#read
-#read -n 1 -s -r -p "Press any key to continue..."
-
+# Install utils from gitea origin:
 cd /data
 echo "Connect to git repository on host: $GIT_SSH_DOMAIN"
 echo "On username: $GIT_USER"
 git clone git@"$GIT_SSH_DOMAIN":"$GIT_USER"/utils.git
 cd /data/utils
+# Run init-server:
+echo "Run init-server.sh..."
 bash init-server.sh
+
+# Install $SERVER_NAME from gitea origin:
+cd /data
+echo "Connect to git repository on host: $GIT_SSH_DOMAIN"
+echo "On username: $GIT_USER"
+git clone git@"$GIT_SSH_DOMAIN":"$GIT_USER"/$SERVER_NAME.git
+cd /data/$SERVER_NAME
+
 bash /data/$SERVER_NAME/install.sh $SERVER_HOST
 # SSH config:
diff --git a/remote.sh b/remote.sh
index ba660f4..32e7e0b 100644
--- a/remote.sh
+++ b/remote.sh
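Review bot: The context line `sshpass -p $SERVER_ORIGIN_PASSWORD ssh-copy-id ...` that the new `echo` lines now bracket puts the origin password on the command line, where any local user on the freshly provisioned host can read it from the process list, and `set -x` or shell history would record it. sshpass can take the password from the environment instead: `SSHPASS="$SERVER_ORIGIN_PASSWORD" sshpass -e ssh-copy-id -i ~/.ssh/id_ed25519.pub "$REMOTE_USER@$SERVER_ORIGIN_DOMAIN"`. The same `-p $SERVER_PASSWORD` form is introduced in the remote.sh hunk of this patch and should change in the same way. `apt install -y sshpass` runs without a preceding `apt update` in this hunk, which is fine only if the package lists were refreshed earlier in the script — that part is not visible here.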
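Review bot: `git clone git@"$GIT_SSH_DOMAIN":"$GIT_USER"/$SERVER_NAME.git` and the following `cd /data/$SERVER_NAME` leave `$SERVER_NAME` unquoted while the neighbouring `"$GIT_USER"` is quoted; a value containing spaces or glob characters from the sourced env file would split the argument. Quote both: `git clone git@"$GIT_SSH_DOMAIN":"$GIT_USER"/"$SERVER_NAME".git` and `cd "/data/$SERVER_NAME"`. The clone also checks out whatever the default branch currently points at, so each provisioned host runs an unpinned HEAD; `--branch <tag-or-release>` (or checking out a recorded commit after the clone) makes the deployment reproducible and reviewable. The block repeats the utils clone above it almost line for line, so a small `clone_repo <name>` helper would keep the two in step.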
@@ -10,21 +10,55 @@ if [ -z "$1" ]; then
 exit 1
 fi
+SSH_PORT=22
 REMOTE_USER="root"
 SERVER_HOST=$1
-SECRETS_PATH=/data/secrets/$SERVER_HOST/$SERVER_HOST.env
+SECRETS_DIR=/data/secrets
+SECRETS_ENV=$SECRETS_DIR/$SERVER_HOST/$SERVER_HOST.env
-source $SECRETS_PATH
+source $SECRETS_ENV
+
+SECRETS_SAFE=$SECRETS_DIR/safe
+SECRETS_PATH=$SECRETS_SAFE/$SERVER_HOST.tar.gz
+
+KEYS_FILE="$SECRETS_SAFE/keys.env"
 trap 'echo -e "\033[31mremote.sh: Something went wrong\033[0m"; exit 1' ERR
 set -e
 export DEBIAN_FRONTEND=noninteractive
-sshpass -p $SERVER_PASSWORD ssh-copy-id -i ~/.ssh/id_ed25519.pub $REMOTE_USER@$SERVER_HOST
-scp install.sh $REMOTE_USER@$SERVER_HOST:/tmp/install.sh
-ssh $REMOTE_USER@$SERVER_HOST 'mkdir -p /data/secrets'
-scp $SECRETS_PATH $REMOTE_USER@$SERVER_HOST:$SECRETS_PATH
+# Get SAFE_PASSWORD for decrypt secrets archive on target host:
+KEY_VAR=$(echo "$SERVER_HOST" | tr '.' '_')
+
+if grep -q "^$KEY_VAR=" "$KEYS_FILE"; then
+ SAFE_PASSWORD=$(grep "^$KEY_VAR=" "$KEYS_FILE" | cut -d '=' -f2)
+else
+ echo "SAFE_PASSWORD for $SERVER_HOST not found"
+fi
+
+# Reset known_hosts:
+ssh-keygen -f '/root/.ssh/known_hosts' -R $SERVER_HOST
+
+# Install public SSH key from dev host to target host:
+sshpass -p $SERVER_PASSWORD ssh-copy-id -i ~/.ssh/id_ed25519.pub -p $SSH_PORT -o StrictHostKeyChecking=no $REMOTE_USER@$SERVER_HOST
+
+# Copy install script from dev host to target host in tmp dir:
+scp -P $SSH_PORT install.sh $REMOTE_USER@$SERVER_HOST:/tmp/install.sh
+
+# Copy secrets-decrypt script from dev host to target host in tmp dir:
+scp -P $SSH_PORT secrets-decrypt.sh $REMOTE_USER@$SERVER_HOST:/tmp/secrets-decrypt.sh
+
+# Create secrets directory on target host:
+ssh -p $SSH_PORT $REMOTE_USER@$SERVER_HOST "mkdir -p $SECRETS_SAFE"
+
+# Copy secret archive from origin host to target host:
+ssh $REMOTE_USER@$SERVER_ORIGIN_DOMAIN "cat $SECRETS_PATH" | ssh $REMOTE_USER@$SERVER_HOST -p $SSH_PORT "cat > $SECRETS_PATH"
+
+# Run secrets-decrypt script for decrypt secrets archive on target host:
+ssh $REMOTE_USER@$SERVER_HOST "bash /tmp/secrets-decrypt.sh $SAFE_PASSWORD $SECRETS_PATH $SECRETS_DIR"
+
+# Run install script on target host:
 ssh $REMOTE_USER@$SERVER_HOST "bash /tmp/install.sh $SERVER_HOST"
 trap - ERR
diff --git a/secrets-decrypt.sh b/secrets-decrypt.sh
new file mode 100644
index 0000000..cc6d38f
--- /dev/null
+++ b/secrets-decrypt.sh
@@ -0,0 +1,34 @@
+#!/bin/bash
+
+# Проверка наличия аргументов
+if [ "$#" -ne 3 ]; then
+ echo "Usage: $0 PASSWORD ARCHIVE_FILE DESTINATION_DIR"
+ exit 1
+fi
+
+# Присваиваем аргументы переменным
+PASSWORD=$1
+ARCHIVE_FILE=$2
+DESTINATION_DIR=$3
+
+# Проверка наличия существующего файла архива
+if [ ! -f "$ARCHIVE_FILE" ]; then
+ echo "Error: Archive file '$ARCHIVE_FILE' not found!"
+ exit 2
+fi
+
+# Создание директории назначения, если она не существует
+if [ ! -d "$DESTINATION_DIR" ]; then
+ mkdir -p "$DESTINATION_DIR"
+fi
+
+# Расшифровываем и извлекаем архив
+openssl enc -aes-256-cbc -d -in "$ARCHIVE_FILE" -out - -pass pass:"$PASSWORD" -pbkdf2 -iter 100000 | tar -xzf - -C "$DESTINATION_DIR"
+
+# Проверка успешности выполнения команд
+if [ $? -eq 0 ]; then
+ echo "Archive successfully decrypted and extracted to '$DESTINATION_DIR'"
+else
+ echo "Error during decryption or extraction"
+ exit 3
+fi
\ No newline at end of file
diff --git a/secrets-encrypt.sh b/secrets-encrypt.sh
new file mode 100644
index 0000000..5bffa19
--- /dev/null
+++ b/secrets-encrypt.sh
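Review bot: `ssh $REMOTE_USER@$SERVER_HOST "bash /tmp/secrets-decrypt.sh $SAFE_PASSWORD $SECRETS_PATH $SECRETS_DIR"` hands the archive password over as a remote command-line argument, so it sits in the target's process list for the whole decrypt and in any sshd command logging; passing it on stdin instead (`printf '%s\n' "$SAFE_PASSWORD" | ssh -p "$SSH_PORT" "$REMOTE_USER@$SERVER_HOST" "bash /tmp/secrets-decrypt.sh ..."`, with the decrypt script reading it via openssl's `-pass stdin`) keeps it out of argv on both hosts. The `else` branch after the keys.env lookup only prints "SAFE_PASSWORD for ... not found" and carries on, so the run fails late, inside the decrypt step, after the SSH key has already been installed — add `exit 1` there. The two final `ssh` calls (decrypt and install) omit `-p $SSH_PORT` while every other connection in the hunk passes it, so a non-default `SSH_PORT` breaks exactly at the last step. `ssh-keygen -R` followed by `-o StrictHostKeyChecking=no` means the target's host key is never verified on this path; if the fingerprint is known from provisioning, pinning it in known_hosts is safer than wiping the entry. The `ssh origin "cat ..." | ssh target "cat > ..."` pipeline runs without `pipefail`, so a failed read on the origin still leaves an empty archive on the target and the script continues.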
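Review bot: `if [ $? -eq 0 ]` after the `openssl ... | tar ...` pipeline tests only tar's exit status, so an openssl failure (wrong password, truncated archive) is reported as success whenever tar still exits 0 on the partial stream; `set -o pipefail` at the top, or additionally testing `"${PIPESTATUS[0]}"`, makes the check cover both stages. The password arrives as `$1`, which other local users can read from the process list; since the archive is read from `-in`, stdin is free and `-pass stdin` lets the caller pipe the password in instead. `mkdir -p "$DESTINATION_DIR"` and the extracted files inherit the caller's umask, so the decrypted secrets tree may end up group- or world-readable — `umask 077` before the extraction, or `chmod 700 "$DESTINATION_DIR"` afterwards, is the usual guard. `-aes-256-cbc` here is unauthenticated, so a modified archive is caught only if gzip/tar happen to reject it; a one-line header comment stating that the archive carries no integrity check would keep that from being assumed.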
@@ -0,0 +1,43 @@
+#!/bin/bash
+
+# Проверим, что серверный домен передан как параметр
+if [ -z "$1" ]; then
+ echo "Usage: $0 "
+ exit 1
+fi
+
+SERVER_DOMAIN=$1
+SAFE_DIR="/data/secrets/safe"
+DOMAIN_DIR="/data/secrets/$SERVER_DOMAIN"
+KEYS_FILE="$SAFE_DIR/keys.env"
+ARCHIVE_FILE="$SAFE_DIR/$SERVER_DOMAIN.tar.gz"
+
+trap 'echo -e "\033[31mSomething went wrong\033[0m"; exit 1' ERR
+set -e
+
+export DEBIAN_FRONTEND=noninteractive
+
+# Функция генерации пароля
+generate_password() {
+ tr -dc 'a-z0-9' < /dev/urandom | head -c20
+}
+
+# Проверяем наличие ключа в keys.env и получаем его
+KEY_VAR=$(echo "$SERVER_DOMAIN" | tr '.' '_')
+
+if grep -q "^$KEY_VAR=" "$KEYS_FILE"; then
+ PASSWORD=$(grep "^$KEY_VAR=" "$KEYS_FILE" | cut -d '=' -f2)
+ echo "Password for $SERVER_DOMAIN already exists."
+else
+ PASSWORD=$(generate_password)
+ echo "$KEY_VAR=$PASSWORD" >> "$KEYS_FILE"
+ echo "Generated new password for $SERVER_DOMAIN."
+fi
+
+# Упаковываем и шифруем архив
+#tar -czf - -C "$DOMAIN_DIR" . | openssl enc -aes-256-cbc -e -out "$ARCHIVE_FILE" -pass pass:"$PASSWORD"
+
+tar -czf - -C "$DOMAIN_DIR" . | openssl enc -aes-256-cbc -e -out "$ARCHIVE_FILE" -pass pass:"$PASSWORD" -pbkdf2 -iter 100000
+
+trap - ERR
+echo "Encrypted archive created at $ARCHIVE_FILE"
\ No newline at end of file
diff --git a/secrets-le-save.sh b/secrets-le-save.sh
new file mode 100644
index 0000000..884351a
--- /dev/null
+++ b/secrets-le-save.sh
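Review bot: `echo "$KEY_VAR=$PASSWORD" >> "$KEYS_FILE"` creates keys.env — the plaintext password store for every archive — with the caller's default umask, and nothing in the script restricts it afterwards; `umask 077` right after `set -e`, or `touch "$KEYS_FILE" && chmod 600 "$KEYS_FILE"` before the append, keeps both keys.env and the new `$ARCHIVE_FILE` owner-only. The usage message `echo "Usage: $0 "` prints nothing after the script name, so if an argument placeholder was lost it should be restored; the same string appears in secrets-le-save.sh and secrets-push.sh in this patch. `-aes-256-cbc` with a PBKDF2-derived key gives confidentiality only — there is no MAC, so a tampered archive is noticed only if gzip/tar happen to reject it — which is worth stating in the header comment for whoever relies on this transport. The commented-out `#tar ... | openssl ...` line above the live command is a leftover of the previous invocation and can be dropped.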
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+# Copy $SERVER_HOST.acme.json from remote server to dev server
+
+if [ "$(id -u)" != "0" ]; then
+ echo -e "\033[31mThis script requires superuser rights.\033[0m"
+ exit 0
+fi
+
+if [ -z "$1" ]; then
+ echo "Usage: $0 "
+ exit 1
+fi
+
+SERVER_HOST=$1
+REMOTE_USER="root"
+ACME_FILE="/data/secrets/$SERVER_HOST/letsencrypt/$SERVER_HOST.acme.json"
+
+trap 'echo -e "\033[31mSomething went wrong\033[0m"; exit 1' ERR
+set -e
+
+export DEBIAN_FRONTEND=noninteractive
+
+scp $REMOTE_USER@$SERVER_HOST:$ACME_FILE $ACME_FILE
+
+trap - ERR
+echo "remote $SERVER_HOST.acme.json copied to local folder"
\ No newline at end of file
diff --git a/secrets-push.sh b/secrets-push.sh
new file mode 100644
index 0000000..fb57c36
--- /dev/null
+++ b/secrets-push.sh
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+# Push secrets to storage of secrets on $SERVER_ORIGIN_DOMAIN
+
+if [ "$(id -u)" != "0" ]; then
+ echo -e "\033[31mThis script requires superuser rights.\033[0m"
+ exit 0
+fi
+
+if [ -z "$1" ]; then
+ echo "Usage: $0 "
+ exit 1
+fi
+
+SERVER_HOST=$1
+SAFE_DIR="/data/secrets/safe"
+ARCHIVE_FILE="$SAFE_DIR/$SERVER_HOST.tar.gz"
+REMOTE_USER="root"
+SECRETS_PATH=/data/secrets/$SERVER_HOST/$SERVER_HOST.env
+
+source $SECRETS_PATH
+
+trap 'echo -e "\033[31mSomething went wrong\033[0m"; exit 1' ERR
+set -e
+
+export DEBIAN_FRONTEND=noninteractive
+
+bash secrets-encrypt.sh $SERVER_HOST
+ssh $REMOTE_USER@$SERVER_ORIGIN_DOMAIN "mkdir -p $SAFE_DIR"
+scp $ARCHIVE_FILE $REMOTE_USER@$SERVER_ORIGIN_DOMAIN:$SAFE_DIR
+
+trap - ERR
+echo "Secrets for $SERVER_HOST pushed complete"
\ No newline at end of file
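Review bot: The non-root guard ends with `exit 0`, so a run without privileges prints the error and still reports success to whatever invoked it; this should be `exit 1`, with the message sent to stderr (`echo -e "\033[31mThis script requires superuser rights.\033[0m" >&2`). secrets-push.sh in this patch has the identical guard and needs the same change. `scp $REMOTE_USER@$SERVER_HOST:$ACME_FILE $ACME_FILE` writes the local copy of acme.json — which presumably holds private key material — with the local umask rather than the remote mode bits; `scp -p`, or `umask 077` before the copy, keeps it owner-only, and quoting both operands (`"$REMOTE_USER@$SERVER_HOST:$ACME_FILE" "$ACME_FILE"`) matches the quoting used for `ACME_FILE` itself.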
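Review bot: `source $SECRETS_PATH` runs before `set -e` and the ERR trap are armed, so a missing env file is not fatal and the script goes on with `$SERVER_ORIGIN_DOMAIN` empty, reaching `ssh root@ ...` with a malformed host; move the `source` below `set -e` — this patch makes exactly that move in install.sh — or write `source "$SECRETS_PATH" || exit 1`. `bash secrets-encrypt.sh $SERVER_HOST` is resolved against the caller's working directory, so running the script from anywhere else fails; `bash "$(dirname "$0")/secrets-encrypt.sh" "$SERVER_HOST"` removes that dependency. Only `$ARCHIVE_FILE` is copied to the origin while the companion keys.env appears to stay on the dev host; if that split is intentional, the header comment should say so, since it is what keeps the origin from holding both the archive and its password.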