transition to seperate templates for prod and test; update script to add ssh-key deployment
This commit is contained in:
parent
fe3da3dc3a
commit
259cb76cc1
3 changed files with 105 additions and 29 deletions
|
@ -1,6 +1,33 @@
|
|||
#!/usr/bin/env bash
|
||||
set -euf -o pipefail
|
||||
|
||||
# Ask if initialized for production or test
|
||||
while true; do
|
||||
read -p "Do you want to init a [P]roduction or [T]est environment? (P/T): " DEPLOYMENT_ENVIRONMENT
|
||||
case "$DEPLOYMENT_ENVIRONMENT" in
|
||||
[Pp]* )
|
||||
DEPLOYMENT_ENVIRONMENT="PRODUCTION"
|
||||
ENV_TEMPLATE="env.prod.template"
|
||||
break
|
||||
;;
|
||||
[Tt]* )
|
||||
DEPLOYMENT_ENVIRONMENT="TEST"
|
||||
ENV_TEMPLATE="env.test.template"
|
||||
break
|
||||
;;
|
||||
* )
|
||||
echo "Please answer with P or T."
|
||||
;;
|
||||
esac
|
||||
done
|
||||
|
||||
source $(dirname "$(readlink -f "$0")")/../${ENV_TEMPLATE}
|
||||
|
||||
SERVICE_DOMAIN="${RESTIC_TAG:?Restic backup tag is missing -- RESTIC_TAG}"
|
||||
BACKUP_TARGET_DOMAIN="${RESTIC_REPO_ADDRESS:?Restic backup target domain is missing -- RESTIC_REPO_ADDRESS}"
|
||||
BACKUP_TARGET_USER="${RESTIC_REPO_USER:?Restic backup target user is missing -- RESTIC_REPO_USER}"
|
||||
HOSTNAME=$(hostname -f)
|
||||
|
||||
# Function to securely query user for a password, verify it, and return it for further use
|
||||
prompt_password() {
|
||||
local purpose="$1"
|
||||
|
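Review bot: The `source` line after the prompt loop leaves its command substitution unquoted, so a checkout path containing whitespace is split into several words and `source` is handed the wrong file; it should read `source "$(dirname "$(readlink -f "$0")")/../${ENV_TEMPLATE}"`. The `read -p` in the loop should also take `-r` so a backslash in the answer is not interpreted, and `HOSTNAME=$(hostname -f)` overwrites bash's own `HOSTNAME` variable, which a name such as `FQDN` would avoid. Because the selected template is executed as shell here and appended to `.env` further down, a short comment above the `source` line saying that `env.prod.template`/`env.test.template` must stay plain `KEY=value` assignments would help the next editor. `prompt_password` starts at the end of the hunk and its body continues outside it.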
@ -30,26 +57,6 @@ trap 'printf "\nOperation aborted by user.\n" >&2; exit 1' SIGINT
|
|||
cd "$(dirname "$(realpath "$0")")/../"
|
||||
AUTHENTIK_DOCKER_COMPOSE_PATH="$(realpath "$(pwd)")"
|
||||
|
||||
# Ask if initialized for production or test
|
||||
while true; do
|
||||
read -p "Do you want to init a [P]roduction or [T]est environment? (P/T): " DEPLOYMENT_ENVIRONMENT
|
||||
case "$DEPLOYMENT_ENVIRONMENT" in
|
||||
[Pp]* )
|
||||
DEPLOYMENT_ENVIRONMENT="PRODUCTION"
|
||||
PUBLIC_DOMAIN="sso.base23.de"
|
||||
break
|
||||
;;
|
||||
[Tt]* )
|
||||
DEPLOYMENT_ENVIRONMENT="TEST"
|
||||
PUBLIC_DOMAIN="sso.test.base23.de"
|
||||
break
|
||||
;;
|
||||
* )
|
||||
echo "Please answer with P or T."
|
||||
;;
|
||||
esac
|
||||
done
|
||||
|
||||
if [[ ! -f ./docker-compose.yml ]]; then
|
||||
[[ "${DEPLOYMENT_ENVIRONMENT}" == "PRODUCTION" ]] && ln -s ./docker-compose.prod.yml ./docker-compose.yml
|
||||
[[ "${DEPLOYMENT_ENVIRONMENT}" == "TEST" ]] && ln -s ./docker-compose.test.yml ./docker-compose.yml
|
||||
|
@ -57,8 +64,7 @@ fi
|
|||
|
||||
# Check if .env exists and exit if it is
|
||||
if [[ ! -f ./.env ]]; then
|
||||
cat ./env.template >> ./.env
|
||||
sed -i "s/\(PUBLIC_DOMAIN=\).*/\1${PUBLIC_DOMAIN}/" ./.env
|
||||
cat ./${ENV_TEMPLATE} >> ./.env
|
||||
echo "# SECRETS" >> ./.env
|
||||
prompt_password "PG_PASS (leave empty to generate a password)"; echo "PG_PASS=$([[ -n ${RETURNED_PASSWORD} ]] && echo -n "${RETURNED_PASSWORD}" || openssl rand -base64 36 | tr -d '\n')" >> ./.env; unset RETURNED_PASSWORD
|
||||
prompt_password "AUTHENTIK_SECRET_KEY (leave empty to generate a password)"; echo "AUTHENTIK_SECRET_KEY=$([[ -n ${RETURNED_PASSWORD} ]] && echo -n "${RETURNED_PASSWORD}" || openssl rand -base64 60 | tr -d '\n')" >> ./.env; unset RETURNED_PASSWORD
|
||||
|
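Review bot: `cat ./${ENV_TEMPLATE} >> ./.env` is the first write that creates `.env`, so the file gets the default umask even though the following lines append `PG_PASS` and `AUTHENTIK_SECRET_KEY` to it; create it with restricted permissions first, e.g. `install -m 0600 /dev/null ./.env` followed by `cat -- "./${ENV_TEMPLATE}" >> ./.env`. The comment above the `if` (`# Check if .env exists and exit if it is`) no longer describes the branch, which populates a missing `.env`; `# Populate .env from the selected template and prompted secrets if it does not exist yet` would match. The `if` block continues past the end of the hunk.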
@ -75,9 +81,30 @@ if [[ ! -f ./lego.env && "${DEPLOYMENT_ENVIRONMENT}" == "PRODUCTION" ]]; then
|
|||
echo "" >> ./.env
|
||||
fi
|
||||
|
||||
BACKUP_TARGET_KEY_TYPES="ed25519,rsa"
|
||||
BACKUP_TARGET_IPV4=$(dig +short "${BACKUP_TARGET_DOMAIN}" A | grep -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$')
|
||||
BACKUP_TARGET_IPV6=$(dig +short "${BACKUP_TARGET_DOMAIN}" AAAA | grep -E '^(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))$')
|
||||
|
||||
# Check if ssh key already exists, otherwise generate one
|
||||
[[ ! -d ./data/restic/ssh/ ]] && mkdir -p ./data/restic/ssh/
|
||||
[[ ! -f ./data/restic/ssh/id_ed25519 ]] && ssh-keygen -t ed25519 -C "sso.base23.de" -f ./data/restic/ssh/id_ed25519
|
||||
[[ ! -d ./data/restic/ssh/ ]] && mkdir -p ./data/restic/ssh/ && chmod 700 ./data/restic/ssh/
|
||||
if [[ ! -f ./data/restic/ssh/id_ed25519 ]]; then
|
||||
ssh-keygen -t ed25519 -C "${SERVICE_DOMAIN}" -f ./data/restic/ssh/id_ed25519 && chmod 600 ./data/restic/ssh/id_ed25519
|
||||
|
||||
# Copy SSH key to backup target
|
||||
cat ./data/restic/ssh/id_ed25519.pub | ssh -p23 ${BACKUP_TARGET_USER}@${BACKUP_TARGET_DOMAIN} install-ssh-key
|
||||
fi
|
||||
|
||||
# Setup known_hosts for backup container
|
||||
if [[ ! -f ./data/restic/ssh/known_hosts ]]; then
|
||||
ssh-keyscan -p 23 -t ${BACKUP_TARGET_KEY_TYPES} ${BACKUP_TARGET_DOMAIN} > ./data/restic/ssh/known_hosts
|
||||
ssh-keyscan -p 23 -t ${BACKUP_TARGET_KEY_TYPES} ${BACKUP_TARGET_IPV4} >> ./data/restic/ssh/known_hosts
|
||||
ssh-keyscan -p 23 -t ${BACKUP_TARGET_KEY_TYPES} ${BACKUP_TARGET_IPV6} >> ./data/restic/ssh/known_hosts
|
||||
ssh-keyscan -p 22 -t ${BACKUP_TARGET_KEY_TYPES} ${BACKUP_TARGET_DOMAIN} >> ./data/restic/ssh/known_hosts
|
||||
ssh-keyscan -p 22 -t ${BACKUP_TARGET_KEY_TYPES} ${BACKUP_TARGET_IPV4} >> ./data/restic/ssh/known_hosts
|
||||
ssh-keyscan -p 22 -t ${BACKUP_TARGET_KEY_TYPES} ${BACKUP_TARGET_IPV6} >> ./data/restic/ssh/known_hosts
|
||||
chmod 600 ./data/restic/ssh/known_hosts
|
||||
fi
|
||||
|
||||
|
||||
if [[ "${DEPLOYMENT_ENVIRONMENT}" == "PRODUCTION" ]]; then
|
||||
# Generate dhparam, if not existing
|
||||
|
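Review bot: The two address lookups pipe `dig +short` into `grep -E`, and under `set -e -o pipefail` a target that publishes no AAAA (or no A) record makes `grep` exit 1 and aborts the script at the assignment; even if it survived, the empty `${BACKUP_TARGET_IPV6}` hands `ssh-keyscan` no host and, as far as I can tell, it then reads hosts from standard input and hangs. Append `|| true` to both lookups and skip empty addresses in the known_hosts block as sketched below; the loop also quotes the expansions the original leaves bare and copes with `dig` returning more than one record per family. The `ssh -p23 ${BACKUP_TARGET_USER}@${BACKUP_TARGET_DOMAIN}` on the key-deployment line should be quoted the same way. The host keys gathered by `ssh-keyscan` are trusted as delivered, so a comment such as `# Compare ssh-keygen -lf ./data/restic/ssh/known_hosts with the provider's published fingerprints before the first backup` would document the one manual check this bootstrap still needs.
```shell
BACKUP_TARGET_IPV4=$(dig +short "${BACKUP_TARGET_DOMAIN}" A | grep -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' || true)
BACKUP_TARGET_IPV6=$(dig +short "${BACKUP_TARGET_DOMAIN}" AAAA | grep -E '^(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))$' || true)
# … unchanged: ssh key directory, key generation and key deployment …
if [[ ! -f ./data/restic/ssh/known_hosts ]]; then
  # One host per line; dig may return several records per address family,
  # and a family with no record yields an empty line that is skipped.
  while IFS= read -r target; do
    [[ -n "${target}" ]] || continue
    for port in 23 22; do
      ssh-keyscan -p "${port}" -t "${BACKUP_TARGET_KEY_TYPES}" "${target}" >> ./data/restic/ssh/known_hosts
    done
  done < <(printf '%s\n' "${BACKUP_TARGET_DOMAIN}" "${BACKUP_TARGET_IPV4}" "${BACKUP_TARGET_IPV6}")
  chmod 600 ./data/restic/ssh/known_hosts
fi
```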