#!/bin/bash
set -euo pipefail

# Repository root = parent of the directory that holds this script. Derived
# from $0, so it is a relative path whenever the script was started through
# a relative path.
SKATO_ANSIBLE_ROOT=$(dirname "$(dirname "$0")")
export SKATO_ANSIBLE_ROOT

# Persist the root for the `set-root` sub-command. Note the file lands in the
# *current working directory*, not in the repository, and is overwritten on
# every run.
printf "root=%s\n" "$SKATO_ANSIBLE_ROOT" > "./config" # INI format

export SKATO_BOOTSTRAP_ROLE="${SKATO_ANSIBLE_ROOT}/roles/bootstrap"
export SKANSIBLE_SECRETS="${SKATO_ANSIBLE_ROOT}/.secrets"

# Optional local overrides. This executes whatever ./ansible_aliases contains,
# taken from the current working directory, so run the script only from a
# directory you control.
if [[ -f "./ansible_aliases" ]]; then
  source ./ansible_aliases
fi

# Relative directory paths for role templates/files
export SKANSIBLE_ARIA="aria2"

export SKANSIBLE_PROFTPD="proftpd"
export SKANSIBLE_PROFTPD_CONFS="${SKANSIBLE_PROFTPD}/conf.d"
# @NOTE below 4 filepaths have filenames that must correspond to
# the filenames in role ProFTPd templates'/files' Display settings
export SKANSIBLE_PROFTPD_CONFS_WELCOME="${SKANSIBLE_PROFTPD_CONFS}/WELCOME.txt"
export SKANSIBLE_PROFTPD_CONFS_BANNER="${SKANSIBLE_PROFTPD_CONFS}/BANNER.txt"
export SKANSIBLE_PROFTPD_CONFS_SUCCESS="${SKANSIBLE_PROFTPD_CONFS}/SUCCESS.txt"
export SKANSIBLE_PROFTPD_CONFS_EXIT="${SKANSIBLE_PROFTPD_CONFS}/BYE.txt"

export SKANSIBLE_SSHD_CONFS="sshd_config.d"

export SKANSIBLE_SYSTEMD="systemd"
export SKANSIBLE_SYSTEMD_USER_UNITS="${SKANSIBLE_SYSTEMD}/user"

export SKANSIBLE_FAIL2BAN="fail2ban"
export SKANSIBLE_FAIL2BAN_JAILS="${SKANSIBLE_FAIL2BAN}/jail.d"
export SKANSIBLE_FAIL2BAN_FILTERS="${SKANSIBLE_FAIL2BAN}/filter.d"

export SKANSIBLE_GITCONFIG_CONFS="gitconfig.d"

# @NOTE files in here must have extension "key" with IDs in
# "gpg_keys" inventory variable list as basenames.
export SKANSIBLE_GPG="gnupg"

# @NOTE files in path below must have extensions "key" (private),
# "crt" (signed), or "pem" (public) with inventory host FQDN as basename
export SKANSIBLE_SSL="ca-certificates"
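#######################################
# Read or update the repository root persisted in ./config.
# Globals:   SKATO_ANSIBLE_ROOT (written and exported)
# Arguments: none -> load the root from the "root=" line of ./config
#            $1   -> new root; ./config is rewritten so that exactly one
#                    "root=" line exists (as the first line); other lines
#                    are kept. An empty $1 is ignored.
# Returns:   0 on success, 1 if ./config cannot be read or written
#######################################
set-root () {
  local new_root others
  if [[ $# -eq 0 ]]; then
    # Match only the key and strip just the "root=" prefix, so a value that
    # itself contains "=" is not truncated (the old -F "=" split was).
    new_root=$(awk '/^root=/ { sub(/^root=/, ""); print; exit }' "./config") || return 1
    SKATO_ANSIBLE_ROOT="$new_root"
    export SKATO_ANSIBLE_ROOT
  elif [[ -n "$1" ]]; then
    # Was "-z": only an *empty* argument used to reach this branch.
    new_root="$1"
    others=""
    if [[ -f "./config" ]]; then
      # Drop every existing root= line. The previous sed pattern used an
      # unescaped "(" in a basic regex, so nothing was ever removed and the
      # file gained one more root= line per call.
      others=$(awk '!/^root=/' "./config") || return 1
    fi
    {
      printf 'root=%s\n' "$new_root"
      if [[ -n "$others" ]]; then
        printf '%s\n' "$others"
      fi
    } > "./config" || return 1
    SKATO_ANSIBLE_ROOT="$new_root"
    export SKATO_ANSIBLE_ROOT
  fi
}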
gxy () {
|
|
ansible-galaxy "$@"
|
|
}
vult () {
|
|
ansible-vault "$@"
|
|
}
play () {
|
|
ansible-playbook "$@"
|
|
}
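#######################################
# Export one GPG secret key per key ID into the bootstrap role's files tree.
# Globals:   SKATO_BOOTSTRAP_ROLE, SKANSIBLE_GPG (read)
# Arguments: key IDs, one per argument; each is written as <ID>.key
# Outputs:   diagnostics on stderr
# Returns:   0 when every key was written, 1 on the first failure
# Note:      the exported material is an unarmored *secret* key stored in
#            clear inside the role tree; the file is kept at mode 0600.
#######################################
import-gpg () {
  local id out_dir target tmp
  out_dir="${SKATO_BOOTSTRAP_ROLE}/files/${SKANSIBLE_GPG}"
  if [[ ! -d "$out_dir" ]]; then
    printf 'import-gpg: missing directory %s\n' "$out_dir" >&2
    return 1
  fi
  for id in "$@"; do
    target="${out_dir}/${id}.key"
    # Write to a temp file first: a plain ">" redirect truncates the target
    # before gpg runs, so a failed export used to leave an empty or partial
    # key file behind. mktemp creates the file 0600 and mv keeps that mode.
    tmp=$(mktemp "${out_dir}/.${id}.XXXXXX") || return 1
    if ! gpg --export-secret-keys "$id" > "$tmp"; then
      rm -f -- "$tmp"
      printf 'import-gpg: export of %s failed\n' "$id" >&2
      return 1
    fi
    if ! mv -f -- "$tmp" "$target"; then
      rm -f -- "$tmp"
      return 1
    fi
  done
}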
# Copy a host's key/pem/crt triple from /usr/local/share/ca-certificates into
# the bootstrap role's files tree (same basename, same extension).
# The ".key" file is the private key; it is copied into the role tree as-is.
# Under `set -e` the first missing source file aborts the script.
import-ssl () {
  local domain ext
  local -r src_dir="/usr/local/share/ca-certificates"
  local -r dst_dir="${SKATO_BOOTSTRAP_ROLE}/files/${SKANSIBLE_SSL}"
  for domain in "$@"; do
    # Same order as before: key, pem, crt.
    for ext in key pem crt; do
      cp "${src_dir}/${domain}.${ext}" "${dst_dir}/${domain}.${ext}"
    done
  done
}
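#######################################
# Dispatch "import <kind> [args...]" to import-ssl or import-gpg.
# Arguments: $1 = ssl | gpg; the remaining arguments are passed through
# Outputs:   usage line on stderr for a missing or unknown kind
# Returns:   exits 1 for a missing or unknown kind (same contract as before,
#            but now with a diagnostic)
#######################################
import () {
  # "${1-}" keeps `set -u` from aborting with "unbound variable" when no
  # kind was supplied; the default arm reports it instead.
  case "${1-}" in
    ssl) shift; import-ssl "$@";;
    gpg) shift; import-gpg "$@";;
    *)
      printf 'usage: import {ssl|gpg} NAME...\n' >&2
      exit 1
      ;;
  esac
}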
# Placeholder: not implemented yet. Always succeeds and prints nothing.
mksecret () {
  :
}
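#######################################
# Decrypt an ansible-vault file into the secrets directory.
# Options:   -m prompt|file   how the vault password is obtained
#            -v VAULT_ID      vault id, either "id" or a full "id@source"
#            -i FILE          input file (see NOTE below)
#            -d SUBDIR        optional subdirectory of SKANSIBLE_SECRETS
# Globals:   SKANSIBLE_SECRETS (read)
# Outputs:   diagnostics on stderr; the decrypted content is written in
#            clear text to ${SKANSIBLE_SECRETS}[/SUBDIR]/<id>.txt
# Returns:   exits 1 on a bad option, a missing -i for -m file, or an
#            unsupported -m value
# NOTE(review): with -m file the -i value becomes both the vault password
#            source ("id@FILE") and the file handed to `ansible-vault decrypt`;
#            kept as-is — confirm with the author which was intended.
#######################################
decrypt () {
  local OPTIND=1 flag
  # Every option gets a default so `set -u` cannot abort on a flag that was
  # not given (the original read unset globals here).
  local method="" vault_id="" input_file="" output_path="" id_tag output_file
  # "m:" — -m takes a value; without the colon "-m prompt" stopped option
  # parsing at "prompt" and left the vault id unset.
  while getopts "m:v:i:d:" flag; do
    case "$flag" in
      m) method=$OPTARG;;
      v) vault_id=$OPTARG;;
      i) input_file=$OPTARG;;
      d) output_path=$OPTARG;;
      *) printf 'usage: decrypt -m prompt|file -v ID -i FILE [-d SUBDIR]\n' >&2; exit 1;;
    esac
  done

  # The bare id names the output file, also when a full "id@source" was
  # given (the original left ID_TAG unset in that case).
  id_tag="${vault_id%%@*}"
  if [[ "$vault_id" != *"@"* ]]; then
    case "$method" in
      prompt) vault_id="${vault_id}@prompt";;
      file)
        if [[ -z "$input_file" ]]; then
          printf 'decrypt: -m file requires -i FILE\n' >&2
          exit 1
        fi
        vault_id="${vault_id}@${input_file}"
        ;;
      *) printf 'decrypt: -m must be "prompt" or "file"\n' >&2; exit 1;;
    esac
  fi

  if [[ -z "$output_path" ]]; then
    output_file="${SKANSIBLE_SECRETS}/${id_tag}.txt"
  else
    mkdir -p "${SKANSIBLE_SECRETS}/${output_path}"
    output_file="${SKANSIBLE_SECRETS}/${output_path}/${id_tag}.txt"
  fi

  # NOTE(review): the output file is created with the caller's umask; a
  # stricter mode (0600) may be wanted for decrypted secrets.
  ansible-vault decrypt --vault-id "$vault_id" --output "$output_file" "$input_file"
}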
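#######################################
# Encrypt a value with ansible-vault and print the YAML snippet to stdout.
# Options:   -m prompt|file   how the vault password is obtained
#            -v VAULT_ID      vault id, either "id" or a full "id@source"
#            -d SUBDIR        (with -m file) subdirectory of SKANSIBLE_SECRETS
#                             that receives the generated password file
#            -p               prompt for the value right away
#            -n NAME          variable name used in the YAML output
#                             (defaults to the bare vault id)
# Globals:   SKANSIBLE_SECRETS (read)
# Outputs:   YAML snippet on stdout; prompts/diagnostics on stderr
# Returns:   exits 1 on a bad option
# NOTE(review): with -m file the same value is written to the vault password
#            file *and* encrypted — kept as-is, confirm that is intended.
#######################################
encrypt () {
  local OPTIND=1 flag
  # Defaults so `set -u` cannot abort on a flag that was not given.
  local method="" vault_id="" pass_path="" password="" var_name=""
  local id_tag pass_file stdin_name
  # "m:" — -m takes a value (the colon was missing, see decrypt).
  while getopts "m:v:d:pn:" flag; do
    case "$flag" in
      m) method="$OPTARG";;
      v) vault_id="$OPTARG";;
      d) pass_path="$OPTARG";;
      p) read -rp "Provide intended password: " password;;
      n) var_name="$OPTARG";;
      *) printf 'usage: encrypt -m prompt|file -v ID [-d SUBDIR] [-p] [-n NAME]\n' >&2; exit 1;;
    esac
  done

  while [[ -z "$password" ]]; do
    printf "Password missing. \nPlease specify a password. \n"
    read -rp "Provide intended password: " password
  done

  # Bare id, also when a full "id@source" was given (ID_TAG used to stay
  # unset in that case).
  id_tag="${vault_id%%@*}"
  if [[ "$vault_id" != *"@"* ]]; then
    if [[ "$method" == "prompt" ]]; then
      vault_id="${vault_id}@prompt"
    elif [[ "$method" == "file" ]]; then
      if [[ -z "$pass_path" ]]; then
        pass_file="${SKANSIBLE_SECRETS}/${vault_id}.txt"
      else
        mkdir -p "${SKANSIBLE_SECRETS}/${pass_path}"
        pass_file="${SKANSIBLE_SECRETS}/${pass_path}/${vault_id}.txt"
      fi
      # NOTE(review): written with the caller's umask; 0600 may be wanted
      # for a vault password file.
      printf "%s\n" "$password" > "$pass_file"
      vault_id="${vault_id}@${pass_file}"
    fi
  fi

  # The original test was inverted ("-z"): an *empty* -n selected the
  # --name path and a given -n was ignored.
  if [[ -n "$var_name" ]]; then
    stdin_name="$var_name"
  else
    stdin_name="$id_tag"
  fi

  printf "Make sure to copy following output to appropriate YAML location.\n"
  # The value is fed on stdin instead of as a command-line argument: argv is
  # readable by every local user via ps, and --stdin-name already tells
  # ansible-vault to take the plaintext from stdin.
  printf '%s' "$password" | ansible-vault encrypt_string --stdin-name "$stdin_name" --vault-id "$vault_id" --output -
}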
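# source ./extensions.d/edit.sh

# Sub-command dispatch. "${1-}" keeps `set -u` from aborting when the script
# is run with no arguments; the default arm prints usage instead.
case "${1-}" in
  # Pass the whole remaining list so that a bare "set-root" (read the stored
  # root) works; "$1" used to be an unbound variable there under `set -u`.
  set-root) shift; set-root "$@";;
  gxy) shift; gxy "$@";;
  vult) shift; vult "$@";;
  play) shift; play "$@";;
  import) shift; import "$@";;
  decrypt) shift; decrypt "$@";;
  encrypt) shift; encrypt "$@";;
  *)
    printf 'usage: %s {set-root|gxy|vult|play|import|decrypt|encrypt} [args...]\n' "${0##*/}" >&2
    exit 1
    ;;
esac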