authorEuAndreh <eu@euandre.org>2019-06-10 22:21:38 -0300
committerEuAndreh <eu@euandre.org>2019-06-10 23:26:02 -0300
commit217d2863709ebbe1ed766a360edb228e8899fc68 (patch)
tree098d505648c380bd3af6430d9e222c621f776f5f /scripts
parentTODOs.org (diff)
downloadserver-217d2863709ebbe1ed766a360edb228e8899fc68.tar.gz
server-217d2863709ebbe1ed766a360edb228e8899fc68.tar.xz
Output all generated files on ./generated/, refactor .envrc variables
Diffstat (limited to 'scripts')
-rwxr-xr-xscripts/box/user-data.env.sh11
-rwxr-xr-xscripts/ci/deploy.sh (renamed from scripts/ci/provision.sh)44
-rwxr-xr-xscripts/ci/mail.sh9
-rwxr-xr-xscripts/ci/setup.sh24
-rwxr-xr-xscripts/local/rotate-ssh-keys.sh11
5 files changed, 47 insertions, 52 deletions
diff --git a/scripts/box/user-data.env.sh b/scripts/box/user-data.env.sh
new file mode 100755
index 0000000..f9da5d7
--- /dev/null
+++ b/scripts/box/user-data.env.sh
@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+# shellcheck disable=SC2016
+
+echo '$SSH_SERVER_PRIVATE_KEY' > /etc/ssh/vps-box-server
+chmod 400 /etc/ssh/vps-box-server
+echo '$SSH_SERVER_PUBLIC_KEY' > /etc/ssh/vps-box-server.pub
+echo 'HostKey /etc/ssh/vps-box-server' >> /etc/ssh/sshd_config
+echo 'Port $SSH_PORT' >> /etc/ssh/sshd_config
+systemctl restart sshd
+
+# SSH logs on /var/log/auth.log
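Review bot: The private host key is written by `echo '$SSH_SERVER_PRIVATE_KEY' > /etc/ssh/vps-box-server` under the default umask and only tightened by the `chmod 400` on the following line, so the file is readable by other users for a moment and stays that way if the script is interrupted in between. Adding `umask 077` right after the shebang makes both key files restrictive from creation, and the later `chmod 400` then only narrows further. Unlike the other scripts in this commit, this one has no `set -euo pipefail`, so a failed write still lets `systemctl restart sshd` run against a half-configured sshd_config. Since this is an envsubst template (the SC2016 disable and setup.sh's `envsubst < ./scripts/box/user-data.env.sh` show that), the single-quoted `$SSH_PORT` and key placeholders must stay as they are.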
diff --git a/scripts/ci/provision.sh b/scripts/ci/deploy.sh
index d96d854..7fcfda7 100755
--- a/scripts/ci/provision.sh
+++ b/scripts/ci/deploy.sh
@@ -5,14 +5,10 @@ set -Eeuo pipefail
cd "$(dirname "${BASH_SOURCE[0]}")"
cd ../../
-VPS_COMMIT_SHA="$(git rev-parse HEAD)"
-export VPS_COMMIT_SHA
-gpg --import "${GPG_TO}.gpg"
-
mail_debug_log() {
local -r ec="${?}"
echo "Sending logs via email..."
- ./scripts/ci/mail.sh "${VPS_COMMIT_SHA}" "${ec}"
+ ./scripts/ci/mail.sh "${ec}"
echo "Done."
echo "Storing file changes to '.tfstate' files..."
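Review bot: `VPS_COMMIT_SHA` is no longer assigned or exported here, yet it is still expanded in the third hunk of this file (`${VPS_COMMIT_SHA}.tfplan` and both `git commit -m` messages), so under the `set -Eeuo pipefail` shown in the hunk header the script now aborts with a bare "unbound variable" error whenever the caller's environment does not provide it — presumably it is meant to come from `.envrc` now, which this diff cannot confirm. A one-line guard after `cd ../../` documents the dependency and fails early with a readable message: `: "${VPS_COMMIT_SHA:?must be set (expected from .envrc)}"`. The `gpg --import "${GPG_TO}.gpg"` removed here reappears in setup.sh, so deploy.sh now implicitly relies on setup.sh having run in the same job; a comment stating that ordering would help the next reader. `mail_debug_log` continues past the end of this hunk.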
@@ -26,26 +22,18 @@ mail_debug_log() {
trap mail_debug_log EXIT
create_known_hosts_file() {
- echo "${TLD},$(terraform output public_floating_ip) ssh-rsa $(awk '{print $2}' < ./secrets/ssh/vps-box-server.pub)" > ./generated-known-hosts.txt
-}
-
-setup_borg_files() {
- local -r template_file="${1}"
- local -r destination_name="${2}"
- scp ./secrets/borg/borg-remote.pub "$TLD":/root/.ssh/id_rsa.pub
- scp ./secrets/borg/borg-remote "$TLD":/root/.ssh/id_rsa
- scp ./secrets/borg/known-hosts.txt "$TLD":/root/.ssh/known_hosts
- ssh "$TLD" 'chmod 400 /root/.ssh/id_rsa'
- # shellcheck disable=SC2029
- envsubst < "${template_file}" | ssh "$TLD" "cat > /home/vps/${destination_name} && chmod +x /home/vps/${destination_name}"
- # shellcheck disable=SC2029
- ssh "$TLD" "chmod +x /home/vps/${destination_name}"
+ echo "${TLD},$(terraform output public_floating_ip) ssh-rsa $(awk '{print $2}' < ./secrets/ssh/vps-box-server.pub)" > ./generated/generated-known-hosts.txt
}
echo "Shutting down running containers and backing up data..."
create_known_hosts_file
ssh "$TLD" "cd /home/vps/ && docker-compose down"
-setup_borg_files ./scripts/box/create-backup.env.sh create-backup.sh
+scp ./secrets/borg/borg-remote.pub "$TLD":/root/.ssh/id_rsa.pub
+scp ./secrets/borg/borg-remote "$TLD":/root/.ssh/id_rsa
+scp ./secrets/borg/known-hosts.txt "$TLD":/root/.ssh/known_hosts
+scp ./generated/create-backup.sh "$TLD":/home/vps/create-backup.sh
+ssh "$TLD" 'chmod 400 /root/.ssh/id_rsa'
+ssh "$TLD" "chmod +x /home/vps/create-backup.sh"
ssh "$TLD" /home/vps/create-backup.sh > ./logs/borg-create.txt 2>&1
echo "Done."
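Review bot: `create_known_hosts_file` now redirects into `./generated/generated-known-hosts.txt`, but nothing in this hunk (nor in the setup.sh hunk that writes the other `./generated/` files) creates that directory, so the redirection fails with "No such file or directory" unless `./generated/` already exists in the checkout; a `mkdir -p ./generated` before the first write makes the script self-sufficient. The inlined `scp ./secrets/borg/borg-remote "$TLD":/root/.ssh/id_rsa` reproduces the local file mode on the remote side, and setup.sh notes that git-crypt smudging clears local permissions, so unless the checkout keeps that key at 0400 the remote `id_rsa` is readable until the `chmod 400` two commands later; running the `chmod` immediately after that `scp` (or `chmod 400` the local file first) closes the gap. The top-level sequence this hunk belongs to starts before the hunk.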
@@ -64,31 +52,31 @@ echo "Done."
echo "Running 'terraform plan' and storing the planfile..."
mkdir -p "../vps-state/secrets/plan-files/"
-PLAN_FILE_NAME="$(date -Iseconds)-$VPS_COMMIT_SHA.tfplan"
-PLAN_FILE_PATH="../vps-state/secrets/plan-files/$PLAN_FILE_NAME"
-terraform plan -input=false -out="$PLAN_FILE_PATH" > ./logs/terraform-plan.txt 2>&1
+PLAN_FILE_NAME="$(date -Iseconds)-${VPS_COMMIT_SHA}.tfplan"
+PLAN_FILE_PATH="../vps-state/secrets/plan-files/${PLAN_FILE_NAME}"
+terraform plan -input=false -out="${PLAN_FILE_PATH}" > ./logs/terraform-plan.txt 2>&1
pushd ../vps-state/
-git add "secrets/plan-files/$PLAN_FILE_NAME"
-git commit -m "CI: add .tfplan plan file for CI run $VPS_COMMIT_SHA"
+git add "secrets/plan-files/${PLAN_FILE_NAME}"
+git commit -m "CI: add .tfplan plan file for CI run ${VPS_COMMIT_SHA}"
git push origin master
popd
echo "Done."
echo "Running 'terraform apply'..."
-terraform apply -input=false -auto-approve "$PLAN_FILE_PATH" > ./logs/terraform-apply.txt 2>&1
+terraform apply -input=false -auto-approve "${PLAN_FILE_PATH}" > ./logs/terraform-apply.txt 2>&1
echo "Done."
echo "Storing .tfstate file..."
pushd ../vps-state/
git add secrets/terraform.tfstate secrets/terraform.tfstate.backup
-git commit -m "CI: update Terraform .tfstate files for CI run $VPS_COMMIT_SHA"
+git commit -m "CI: update Terraform .tfstate files for CI run ${VPS_COMMIT_SHA}"
git push origin master
popd
echo "Done."
echo "Running the Ansible playbook..."
create_known_hosts_file
-ansible-playbook -vvv provision.yaml > ./logs/ansible.txt
+ansible-playbook -v provision.yaml > ./logs/ansible.txt 2>&1
echo "Done."
echo "Locking git-crypt repositories back..."
diff --git a/scripts/ci/mail.sh b/scripts/ci/mail.sh
index 7058233..29420fa 100755
--- a/scripts/ci/mail.sh
+++ b/scripts/ci/mail.sh
@@ -3,14 +3,7 @@ set -Eeuo pipefail
cd "$(dirname "${BASH_SOURCE[0]}")"
cd ../../
-VPS_COMMIT_SHA="${1:-}"
-EXIT_CODE="${2:-}"
-
-[[ -z "${VPS_COMMIT_SHA}" ]] && {
- # shellcheck disable=SC2016
- echo 'Error: missing $VPS_COMMIT_SHA positional argument.'
- exit 2
-}
+EXIT_CODE="${1:-}"
[[ -z "${EXIT_CODE}" ]] && {
# shellcheck disable=SC2016
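Review bot: `EXIT_CODE="${1:-}"` followed by the `[[ -z "${EXIT_CODE}" ]] && { ... }` block (which continues past the end of the hunk) is the long form of a parameter-expansion check; `EXIT_CODE="${1:?missing EXIT_CODE positional argument}"` performs the same validation in one line, prints to stderr and drops the need for the SC2016 disable — note it exits with status 1 where the block presumably exits 2, so keep the block if a caller depends on that code. If the rest of mail.sh still references `VPS_COMMIT_SHA` (it was the first positional argument before this change), it now depends on the caller exporting it; under `set -Eeuo pipefail` an unset reference would abort the EXIT trap in deploy.sh before any mail is sent, which is worth confirming.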
diff --git a/scripts/ci/setup.sh b/scripts/ci/setup.sh
index d9ac70c..84958d0 100755
--- a/scripts/ci/setup.sh
+++ b/scripts/ci/setup.sh
@@ -6,7 +6,7 @@ cd "$(dirname "${BASH_SOURCE[0]}")"
cd ../../
echo "Unlocking git-crypt repos and configuring git..."
-git config --global user.email "ci@euandre.org"
+git config --global user.email "${GIT_CI_USER}"
git config --global user.name "sr.ht CI"
git crypt unlock
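Review bot: `git config --global user.email "${GIT_CI_USER}"` reads a new environment variable with no guard, and the name suggests a login name rather than the email address it is used as; if the variable is unset, the script either aborts with a terse unbound-variable error (if this file uses `set -u` like the other scripts in the commit — its `set` line is outside the hunk) or records an empty email. A guard before the call, `: "${GIT_CI_USER:?must be set (expected from .envrc)}"`, makes the failure explicit, and either renaming to `GIT_CI_EMAIL` or adding `# GIT_CI_USER holds the committer email address` avoids the naming confusion.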
@@ -17,25 +17,17 @@ git remote set-url origin git@git.sr.ht:~euandreh/vps-state
popd
echo "Done."
+gpg --import "${GPG_TO}.gpg"
+
# git smudge after git-crypt clears file permissions
chmod 400 ./secrets/ssh/vps-box-client
cat .envrc >> ~/.buildenv
source .envrc
-SSH_SERVER_PRIVATE_KEY="$(cat ./secrets/ssh/vps-box-server)"
-export SSH_SERVER_PRIVATE_KEY
-SSH_SERVER_PUBLIC_KEY="$(cat ./secrets/ssh/vps-box-server.pub)"
-export SSH_SERVER_PUBLIC_KEY
-
-# Used for keeping bash variables for run-time substituion instead of execution time substitution.
-# Taken from:
-# https://stackoverflow.com/questions/24963705/is-there-an-escape-character-for-envsubst
-export DOLLAR='$'
-
envsubst < ./ssh.env.conf >> ~/.ssh/config
-envsubst < ./hosts.env > ./hosts
-envsubst < ./docker-compose.env.yaml > ./docker-compose.yaml
-envsubst < ./user-data.env.sh > ./user-data.sh
-envsubst < ./scripts/box/create-backup.env.sh > ./scripts/box/create-backup.sh
-envsubst < ./scripts/box/restore-backup.env.sh > ./scripts/box/restore-backup.sh
+envsubst < ./hosts.env > ./generated/hosts
+envsubst < ./docker-compose.env.yaml > ./generated/docker-compose.yaml
+envsubst < ./scripts/box/user-data.env.sh > ./generated/user-data.sh
+envsubst < ./scripts/box/create-backup.env.sh > ./generated/create-backup.sh
+envsubst < ./scripts/box/restore-backup.env.sh > ./generated/restore-backup.sh
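Review bot: `envsubst < ./scripts/box/user-data.env.sh > ./generated/user-data.sh` renders the SSH server private key into a plain file under `./generated/` (the template echoes `$SSH_SERVER_PRIVATE_KEY`), created with the default umask, and nothing in the hunk creates that directory or shows it is excluded from version control. Prefix the envsubst block with `mkdir -p ./generated` and `umask 077` (or `chmod 600` the rendered files afterwards), and confirm `./generated/` is listed in `.gitignore`. Removing `export DOLLAR='$'` also drops the documented escape for envsubst: if any of the six templates still contains `${DOLLAR}`, it now renders as an empty string, so the templates are worth grepping. The `SSH_SERVER_PRIVATE_KEY`/`SSH_SERVER_PUBLIC_KEY` exports are gone as well, so the user-data template now relies on the `source .envrc` just above to supply them — a comment stating that would save the next reader a search.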
diff --git a/scripts/local/rotate-ssh-keys.sh b/scripts/local/rotate-ssh-keys.sh
new file mode 100755
index 0000000..337f351
--- /dev/null
+++ b/scripts/local/rotate-ssh-keys.sh
@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+cd "$(dirname "${BASH_SOURCE[0]}")"
+cd ../../
+
+rm -f ./secrets/ssh/*
+ssh-keygen -t rsa -b 4096 -q -N '' -f ./secrets/ssh/vps-box-client
+ssh-keygen -t rsa -b 4096 -q -N '' -f ./secrets/ssh/vps-box-server
+
+git add ./secrets/ssh/
+git commit -m "Script: rotate SSH keys"
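Review bot: `rm -f ./secrets/ssh/*` deletes every file in the directory before the new keys exist, without `--` and without checking that the directory is present, so a filename beginning with `-` or a missing directory gives surprising results; `[[ -d ./secrets/ssh ]] || exit 1` followed by `rm -f -- ./secrets/ssh/*` is safer, and moving the old pair aside instead of deleting it lets the previous host key be restored if the next deploy fails. Rotating `vps-box-server` changes the host key that deploy.sh bakes into `generated-known-hosts.txt` and that `user-data.env.sh` installs, while any other known_hosts file pinning the old key is not regenerated here; a header comment listing those consumers, e.g. `# Consumers: scripts/box/user-data.env.sh (host key), scripts/ci/deploy.sh (known_hosts)`, would make the blast radius visible. Both keys are generated with `-N ''` and `-t rsa -b 4096`; for the client key `-t ed25519` is the current default recommendation and needs no `-b`.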