phg/packer
0
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Add Crowdsec configuration and repository setup scripts

Browse source 
- Introduced `crowdsec-configuration.sh` to enable write-ahead logging in SQLite for improved performance.
- Added `crowdsec-repo-setup.sh` for automated installation of Crowdsec repositories, handling various Linux distributions and package managers.
- Included `tailscale.sh` for detecting the OS and installing Tailscale according to its conventions, supporting multiple package management systems.
This commit is contained in:
Philip Henning 2026-02-08 16:19:57 +01:00
parent b05a45f6eb
commit f6785b69ac
3 changed files with 1104 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

370
debian/13-trixie-luks/scripts/crowdsec-repo-setup.sh vendored Normal file
View file

@ -0,0 +1,370 @@
#!/bin/sh
#
# Inspired from packagecloud installation scripts
#
# #MIT License
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
# The above copyright notice and this permission notice shall be included in all
# copies or substantial portions of the Software.
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
#
# Crowdsec repositories installation script
#
# This script:
# - Requires `root` or `sudo` privileges to run
# - Attempts to detect your Linux distribution and version and configure your
# package management system for you.
# - Installs dependencies and recommendations without asking for confirmation.
# - Is POSIX compliant and can be run using bash or any POSIX-compliant shell
unknown_os() {
echo "Unfortunately, your operating system distribution and version are not supported by this script."
echo
echo "You can override the OS detection by setting os= and dist= prior to running this script."
echo "You can find a list of supported OSes and distributions on our website: https://packagecloud.io/docs#os_distro_version"
echo
echo "For example, to force Ubuntu Trusty: os=ubuntu dist=trusty ./script.sh"
echo
echo "Please file an issue at https://github.com/crowdsecurity/crowdsec"
exit 1
}
detect_os() {
if [ -z "$os" ] && [ -z "$dist" ]; then
if [ -e /etc/os-release ]; then
. /etc/os-release
os=$ID
if [ "$os" = "poky" ]; then
dist="$VERSION_ID"
elif [ "$os" = "sles" ]; then
dist="$VERSION_ID"
os=opensuse
elif [ "$os" = "opensuse" ]; then
dist="$VERSION_ID"
elif [ "$os" = "opensuse-leap" ]; then
os=opensuse
dist="$VERSION_ID"
elif [ "$os" = "amzn" ]; then
dist="$VERSION_ID"
else
dist=$(echo "$VERSION_ID" | awk -F '.' '{ print $1 }')
fi
elif command -v lsb_release >/dev/null; then
# get major version (e.g. '5' or '6')
dist=$(lsb_release -r | cut -f2 | awk -F '.' '{ print $1 }')
# get os (e.g. 'centos', 'redhatenterpriseserver', etc)
os=$(lsb_release -i | cut -f2 | awk '{ print tolower($1) }')
elif [ -e /etc/oracle-release ]; then
dist=$(cut -f5 --delimiter=' ' /etc/oracle-release | awk -F '.' '{ print $1 }')
os='ol'
elif [ -e /etc/fedora-release ]; then
dist=$(cut -f3 --delimiter=' ' /etc/fedora-release)
os='fedora'
elif [ -e /etc/redhat-release ]; then
os_hint=$(awk '{ print tolower($1) }' /etc/redhat-release)
if [ "$os_hint" = "centos" ]; then
dist=$(awk '{ print $3 }' /etc/redhat-release | awk -F '.' '{ print $1 }')
os='centos'
elif [ "$os_hint" = "scientific" ]; then
dist=$(awk '{ print $4 }' /etc/redhat-release | awk -F '.' '{ print $1 }')
os='scientific'
else
dist=$(awk '{ print tolower($7) }' /etc/redhat-release | cut -f1 --delimiter='.')
os='redhatenterpriseserver'
fi
elif grep -q Amazon /etc/issue; then
dist='6'
os='aws'
else
unknown_os
fi
fi
# remove whitespace from OS and dist name and transform to lowercase
os=$(echo "$os" | tr -d ' ' | tr '[:upper:]' '[:lower:]')
dist=$(echo "$dist" | tr -d ' ' | tr '[:upper:]' '[:lower:]')
if [ -z "$dist" ]; then
echo "Detected operating system as $os."
else
echo "Detected operating system as $os/$dist."
fi
if [ "$os" = "ol" ] || [ "$os" = "el" ] && [ "$dist" -gt 7 ]; then
_skip_pygpgme=1
else
_skip_pygpgme=0
fi
}
gpg_check_deb() {
echo "Checking for gpg..."
if command -v gpg >/dev/null; then
echo "Detected gpg..."
else
echo "Installing gnupg for GPG verification..."
if ! apt-get install -y gnupg; then
echo "Unable to install GPG! Your base system has a problem; please check your default OS's package repositories because GPG should work."
echo "Repository installation aborted."
echo
echo "Please file an issue at https://github.com/crowdsecurity/crowdsec"
exit 1
fi
fi
}
curl_check_deb() {
echo "Checking for curl..."
if command -v curl >/dev/null; then
echo "Detected curl..."
else
echo "Installing curl..."
if apt-get install -q -y curl; then
echo "Unable to install curl! Your base system has a problem; please check your default OS's package repositories because curl should work."
echo "Repository installation aborted."
echo
echo "Please file an issue at https://github.com/crowdsecurity/crowdsec"
exit 1
fi
fi
}
curl_check_rpm() {
echo "Checking for curl..."
if command -v curl >/dev/null; then
echo "Detected curl..."
else
echo "Installing curl..."
yum install -d0 -e0 -y curl
fi
}
curl_check_zypper() {
echo "Checking for curl..."
if command -v curl >/dev/null; then
echo "Detected curl..."
else
echo "Installing curl..."
zypper install curl
fi
}
finalize_yum_repo() {
if [ "$_skip_pygpgme" = 0 ]; then
echo "Installing pygpgme to verify GPG signatures..."
yum install -y pygpgme --disablerepo="crowdsec_${repo}"
if ! rpm -qa | grep -qw pygpgme; then
echo
echo "WARNING: "
echo "The pygpgme package could not be installed. This means GPG verification is not possible for any RPM installed on your system. "
echo "To fix this, add a repository with pygpgme. Usually, the EPEL repository for your system will have this. "
echo "More information: https://fedoraproject.org/wiki/EPEL#How_can_I_use_these_extra_packages.3F"
echo
# set the repo_gpgcheck option to 0
sed -i'' 's/repo_gpgcheck=1/repo_gpgcheck=0/' "/etc/yum.repos.d/crowdsec_${repo}.repo"
fi
fi
echo "Installing yum-utils..."
yum install -y yum-utils --disablerepo="crowdsec_${repo}"
if ! rpm -qa | grep -qw yum-utils; then
echo
echo "WARNING: "
echo "The yum-utils package could not be installed. This means you may not be able to install source RPMs or use other yum features."
echo
fi
echo "Generating yum cache for crowdsec..."
yum -q makecache -y --disablerepo='*' --enablerepo="crowdsec_${repo}"
}
install_debian_keyring() {
if [ "$os" = "debian" ]; then
echo "Installing debian-archive-keyring which is needed for installing "
echo "apt-transport-https on many Debian systems."
apt-get install -y debian-archive-keyring >/dev/null 2>&1
fi
}
detect_apt_version() {
apt_version_full=$(apt-get -v | head -1 | awk '{ print $2 }')
apt_version_major=$(echo "$apt_version_full" | cut -d. -f1)
apt_version_minor=$(echo "$apt_version_full" | cut -d. -f2)
apt_version_modified="${apt_version_major}${apt_version_minor}0"
echo "Detected apt version as $apt_version_full"
}
main() {
if [ -z "$repo" ]; then
repo="crowdsec"
fi
detect_os
case $os in
ubuntu | debian | raspbian | linuxmint)
detect_apt_version
gpg_check_deb
curl_check_deb
apt_source_path="/etc/apt/sources.list.d/crowdsec_${repo}.list"
pre_reqs="apt-transport-https ca-certificates curl"
if [ -f "$apt_source_path" ]; then
echo
echo "The file $apt_source_path already exists: overwriting it."
echo
fi
# needed dependencies
apt-get update -qq >/dev/null
#shellcheck disable=SC2086
DEBIAN_FRONTEND=noninteractive apt-get install -y -qq $pre_reqs >/dev/null
# gpg keys
gpg_key_url="https://packagecloud.io/crowdsec/${repo}/gpgkey"
apt_keyrings_dir="/etc/apt/keyrings"
gpg_keyring_path="$apt_keyrings_dir/crowdsec_${repo}-archive-keyring.gpg"
gpg_key_path_old="/etc/apt/trusted.gpg.d/crowdsec_${repo}.gpg"
echo
echo "Importing packagecloud gpg key... "
echo
# move gpg key to old path if apt version is older than 1.1
if [ "$apt_version_modified" -lt 110 ]; then
curl -fsSL "$gpg_key_url" | gpg --dearmor >"$gpg_key_path_old"
# grant 644 permisions to gpg key path old
chmod 0644 "$gpg_key_path_old"
# deletes the keyrings directory if it is empty
echo "Packagecloud gpg key imported to $gpg_key_path_old"
else
if [ ! -d "$apt_keyrings_dir" ]; then
install -d -m 0755 "$apt_keyrings_dir"
fi
# import the gpg key
curl -fsSL "$gpg_key_url" | gpg --dearmor >"$gpg_keyring_path"
# grant 644 permisions to gpg keyring path
chmod 0644 "$gpg_keyring_path"
echo "Packagecloud gpg key imported to $gpg_keyring_path"
fi
echo
echo "Installing ${apt_source_path}..."
echo
echo "deb [signed-by=/etc/apt/keyrings/crowdsec_${repo}-archive-keyring.gpg] https://packagecloud.io/crowdsec/${repo}/any/ any main" >"$apt_source_path"
echo "deb-src [signed-by=/etc/apt/keyrings/crowdsec_${repo}-archive-keyring.gpg] https://packagecloud.io/crowdsec/${repo}/any/ any main" >>"$apt_source_path"
apt-get update -qq >/dev/null
;;
centos | rhel | fedora | redhatentrepriseserver | amzn | cloudlinux | almalinux | rocky | opensuse | ol)
if [ "$os" = "ol" ] && [ "$dist" = "7" ] || [ "$os" = "amzn" ] && [ "$dist" = "2" ]; then
rpm_repo_config_url="https://packagecloud.io/install/repositories/crowdsec/${repo}/config_file.repo?os=${os}&dist=${dist}&source=script"
else
rpm_repo_config_url="https://packagecloud.io/install/repositories/crowdsec/${repo}/config_file.repo?os=rpm_any&dist=rpm_any&source=script"
fi
if [ "$os" = "opensuse" ]; then
curl_check_zypper
rpm_repo_path=/etc/zypp/repos.d/crowdsec_${repo}.repo
else
curl_check_rpm
rpm_repo_path=/etc/yum.repos.d/crowdsec_${repo}.repo
fi
echo "Downloading repository file: $rpm_repo_config_url"
curl -sSf "$rpm_repo_config_url" >"$rpm_repo_path"
curl_exit_code=$?
if [ "$curl_exit_code" = "22" ]; then
echo
echo
echo "Unable to download repo config from: "
echo "$rpm_repo_config_url"
echo
echo "This usually happens if your operating system is not supported by "
echo "packagecloud.io, or this script's OS detection failed."
echo
echo "You can override the OS detection by setting os= and dist= prior to running this script."
echo "You can find a list of supported OSes and distributions on our website: https://packagecloud.io/docs#os_distro_version"
echo
echo "For example, to force CentOS 6: os=el dist=6 ./script.sh"
echo
echo "If you are running a supported OS, please file an issue at https://github.com/crowdsecurity/crowdsec."
[ -e "$rpm_repo_path" ] && rm "$rpm_repo_path"
exit 1
elif [ "$curl_exit_code" = "35" ] || [ "$curl_exit_code" = "60" ]; then
echo
echo "curl is unable to connect to packagecloud.io over TLS when running: "
echo " curl $rpm_repo_config_url"
echo
echo "This is usually due to one of two things:"
echo
echo " 1.) Missing CA root certificates (make sure the ca-certificates package is installed)"
echo " 2.) An old version of libssl. Try upgrading libssl on your system to a more recent version"
echo
echo "Contact support@crowdsec.net with information about your system for help."
[ -e "$rpm_repo_path" ] && rm "$rpm_repo_path"
exit 1
elif [ "$curl_exit_code" -gt "0" ]; then
echo
echo "Unable to run: "
echo " curl $rpm_repo_config_url"
echo
echo "Double check your curl installation and try again."
echo
echo "Please file an issue at https://github.com/crowdsecurity/crowdsec if you think the behavior is not intended"
[ -e "$rpm_repo_path" ] && rm "$rpm_repo_path"
exit 1
else
echo "done."
fi
if [ "$os" = "opensuse" ]; then
zypper --gpg-auto-import-keys refresh "crowdsec_${repo}"
zypper --gpg-auto-import-keys refresh "crowdsec_${repo}-source"
else
echo "$os"
finalize_yum_repo
fi
;;
*)
echo "Error This system is not supported (yet) by this script."
echo "Please have a look at documentation https://docs.crowdsec.net/ or"
echo "file an issue at https://github.com/crowdsecurity/crowdsec if you think"
echo "the behavior is not intended"
exit 1
;;
esac
echo
}
if [ "$(id -u)" -ne 0 ]; then
echo "This script must be run as root"
echo
echo "file an issue at https://github.com/crowdsecurity/crowdsec if you think"
echo "the behavior is not intended"
exit 1
fi
main