commit ddc12fe92eb52a3809b947c68f53587d8e569906
Author: Christer Warén
Date: Sun Aug 27 07:01:54 2023 +0300
Initial Commit
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..1e65e46
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2023 Warén Group
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/init.sh b/init.sh
new file mode 100755
index 0000000..85fde78
--- /dev/null
+++ b/init.sh
@@ -0,0 +1,165 @@
+#!/bin/bash
+
+if [ ! "$BASH_VERSION" ] ; then
+ exit 1
+fi
+
+echo "
+==============================
+
+Warén Group
+Init Script
+
+------------------------------
+"
+
+stop () {
+unset HVT
+
+echo "
+==============================
+"
+
+exit 1
+
+}
+
+mkdir -p ~/.ssh &> /dev/null
+
+apt-get install -y python3-pip python3-venv jq git curl &> /dev/null
+python3 -m venv /opt/ansible &> /dev/null
+/opt/ansible/bin/pip3 install ansible hvac netaddr &> /dev/null
+
+HOSTNAME=$1
+if [[ -z "$HOSTNAME" || ${#HOSTNAME} -lt 5 ]]; then
+ stop
+fi
+
+if [[ -z $USER || $USER == "root" ]]; then
+ if [[ -z $SUDO_USER ]]; then
+ if [[ -z LOGNAME ]]; then
+ echo -n ""
+ else
+ USER=$LOGNAME
+ fi
+ else
+ USER=$SUDO_USER
+ fi
+fi
+
+ORG=$2
+case $ORG in
+ warengroup)
+ DOMAIN="waren.io"
+ FOLDER="warengroup"
+ ;;
+ cwinfo)
+ DOMAIN="cwinfo.net"
+ FOLDER="cwinfo"
+ ;;
+ cwchristerw)
+ DOMAIN="christerwaren.fi"
+ FOLDER="cwchristerw"
+ ;;
+ *)
+ echo "Organization is required."
+ stop
+ ;;
+esac
+
+DEVICE_DOMAIN="devices.$DOMAIN"
+IDM_DOMAIN="idm.$DOMAIN"
+VAULT_DOMAIN="vault.cwinfo.net"
+GIT_DOMAIN="git.cwinfo.net"
+GIT_PORT=2222
+GIT_REPOSITORY="warengroup-private/ansible-pull"
+
+HOSTNAME="$HOSTNAME.$DEVICE_DOMAIN"
+
+VAULT_STATUS=$(curl -s -o /dev/null -w "%{http_code}" https://$VAULT_DOMAIN/v1/sys/health)
+if [[ $VAULT_STATUS -eq 200 ]]; then
+ IDM_STATUS=$(curl -s -o /dev/null -w "%{http_code}" https://$IDM_DOMAIN)
+ if [[ $IDM_STATUS -eq 301 ]]; then
+ echo "$VAULT_DOMAIN - Login"
+ echo "Method: LDAP"
+
+ if [[ -z $USER || $USER == "root" ]]; then
+ echo -n "Username: "
+ read USERNAME
+ else
+ echo "Username: $USER"
+ USERNAME=$USER
+ fi
+
+ echo -n "Password: "
+ read -s PASSWORD
+ echo "****************"
+ echo ""
+ VAULT_LOGIN=$(curl https://$VAULT_DOMAIN/v1/auth/ldap/login/$USERNAME -X POST -d '{ "password": "'$PASSWORD'" }' -s | jq -r '.auth.client_token')
+ if [[ -z $VAULT_LOGIN || ${#VAULT_LOGIN} -lt 95 || ${#VAULT_LOGIN} -gt 95 ]]; then
+ stop
+ fi
+
+ VAULT_TOKEN=$VAULT_LOGIN
+ export HVT="$VAULT_TOKEN"
+ echo -e "\n"
+ else
+ echo "$VAULT_DOMAIN - Login"
+ echo -n "Token: "
+ read -s VAULT_TOKEN
+ echo "***********************************************************************************************"
+ echo ""
+ if [[ -z $VAULT_TOKEN || ${#VAULT_TOKEN} -lt 95 || ${#VAULT_TOKEN} -gt 95 ]]; then
+ stop
+ fi
+
+ VAULT_LOGIN=$(curl https://$VAULT_DOMAIN/v1/auth/token/lookup-self -X GET -H "X-Vault-Token: $VAULT_TOKEN" -s | jq -r '.data.id')
+ if [[ -z $VAULT_LOGIN ]]; then
+ stop
+ fi
+ VAULT_TOKEN=$VAULT_LOGIN
+ export HVT="$VAULT_TOKEN"
+ echo -e "\n"
+ fi
+fi
+
+
+curl \
+ -H "X-Vault-Token: $VAULT_TOKEN" \
+ -X GET \
+ https://$VAULT_DOMAIN/v1/init.sh/data/ssh -s | jq -r '.data.data.privkey' > ~/.ssh/init
+
+chmod 700 ~/.ssh/init
+
+mkdir -p ~/.ansible > /dev/null
+
+if [ ! -f ~/.ansible/vars.yml ]; then
+
+ openssl rand -base64 64 | tr -d '\n' | head -c 64 > ~/.ansible/vault.yml
+
+ ANSIBLE_VAULT_SECRET=$(<~/.ansible/vault.yml)
+ HASHICORP_VAULT_SECRET=$(openssl rand -base64 64 | tr -d '\n' | head -c 64)
+
+ echo "---" > ~/.ansible/vars.yml
+ echo "hostname: $HOSTNAME" >> ~/.ansible/vars.yml
+ echo "folder: /$FOLDER/" >> ~/.ansible/vars.yml
+ echo "vault:" >> ~/.ansible/vars.yml
+ echo " ansible:" >> ~/.ansible/vars.yml
+ echo " secret: $ANSIBLE_VAULT_SECRET" >> ~/.ansible/vars.yml
+ echo " hashicorp:" >> ~/.ansible/vars.yml
+ echo " domain: $VAULT_DOMAIN" >> ~/.ansible/vars.yml
+ echo " password: $HASHICORP_VAULT_SECRET" >> ~/.ansible/vars.yml
+
+ /opt/ansible/bin/ansible-vault encrypt --vault-password-file ~/.ansible/vault.yml ~/.ansible/vars.yml > /dev/null
+fi
+
+ssh-keyscan -p $GIT_PORT $GIT_DOMAIN &> ~/.ssh/known_hosts
+
+/opt/ansible/bin/ansible-pull -U ssh://git@$GIT_DOMAIN:$GIT_PORT/$GIT_REPOSITORY --vault-password-file ~/.ansible/vault.yml --private-key ~/.ssh/init playbooks/init.yml -t init
+
+
+unset HVT
+
+echo "
+==============================
+"
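Review bot: In the LDAP branch the password is spliced into the JSON body as `'{ "password": "'$PASSWORD'" }'`, which puts it on the curl command line (visible to other local users via `ps` / `/proc/*/cmdline` on most systems while the request runs), word-splits it because `$PASSWORD` is unquoted, and yields invalid JSON for any password containing `"` or `\`; build the body with jq and feed it on stdin instead: `jq -n --arg p "$PASSWORD" '{password: $p}' | curl -s -X POST --data-binary @- "https://$VAULT_DOMAIN/v1/auth/ldap/login/$USERNAME" | jq -r '.auth.client_token'` (and use `read -rs`). Two smaller points in the same hunk: `if [[ -z LOGNAME ]]` tests a literal string and is always false, so `USER=$LOGNAME` is assigned even when LOGNAME is unset, and `chmod 700 ~/.ssh/init` runs only after the private key has been written under the default umask — set `umask 077` before the curl (or create the file with `install -m 600 /dev/null ~/.ssh/init` first) and use `600`, since a key file needs no execute bit. The same umask concern applies to `~/.ansible/vault.yml` and to `vars.yml`, which holds both secrets in plaintext until `ansible-vault encrypt` runs. Finally, when the Vault health check is not 200 the script falls through with an empty `VAULT_TOKEN` and still writes whatever the unauthenticated call returns into `~/.ssh/init`; a `[[ -n "$VAULT_TOKEN" ]] || stop` guard before the key fetch would stop that, and `ssh-keyscan ... &> ~/.ssh/known_hosts` both clobbers any existing known_hosts and trusts whatever key is presented on first use, so pinning the known host key in the script is preferable.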