author | EuAndreh <eu@euandre.org> | 2019-06-10 22:21:38 -0300 |
---|---|---|
committer | EuAndreh <eu@euandre.org> | 2019-06-10 23:26:02 -0300 |
commit | 217d2863709ebbe1ed766a360edb228e8899fc68 (patch) | |
tree | 098d505648c380bd3af6430d9e222c621f776f5f /scripts | |
parent | TODOs.org (diff) | |
Output all generated files on ./generated/, refactor .envrc variables
Diffstat (limited to 'scripts')
-rwxr-xr-x | scripts/box/user-data.env.sh | 11 | ||||
-rwxr-xr-x | scripts/ci/deploy.sh (renamed from scripts/ci/provision.sh) | 44 | ||||
-rwxr-xr-x | scripts/ci/mail.sh | 9 | ||||
-rwxr-xr-x | scripts/ci/setup.sh | 24 | ||||
-rwxr-xr-x | scripts/local/rotate-ssh-keys.sh | 11 |
5 files changed, 47 insertions, 52 deletions
diff --git a/scripts/box/user-data.env.sh b/scripts/box/user-data.env.sh
new file mode 100755
index 0000000..f9da5d7
--- /dev/null
+++ b/scripts/box/user-data.env.sh
@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+# shellcheck disable=SC2016
+
+echo '$SSH_SERVER_PRIVATE_KEY' > /etc/ssh/vps-box-server
+chmod 400 /etc/ssh/vps-box-server
+echo '$SSH_SERVER_PUBLIC_KEY' > /etc/ssh/vps-box-server.pub
+echo 'HostKey /etc/ssh/vps-box-server' >> /etc/ssh/sshd_config
+echo 'Port $SSH_PORT' >> /etc/ssh/sshd_config
+systemctl restart sshd
+
+# SSH logs on /var/log/auth.log
diff --git a/scripts/ci/provision.sh b/scripts/ci/deploy.sh
index d96d854..7fcfda7 100755
--- a/scripts/ci/provision.sh
+++ b/scripts/ci/deploy.sh
@@ -5,14 +5,10 @@ set -Eeuo pipefail
cd "$(dirname "${BASH_SOURCE[0]}")"
cd ../../
-VPS_COMMIT_SHA="$(git rev-parse HEAD)"
-export VPS_COMMIT_SHA
-gpg --import "${GPG_TO}.gpg"
-
mail_debug_log() {
local -r ec="${?}"
echo "Sending logs via email..."
- ./scripts/ci/mail.sh "${VPS_COMMIT_SHA}" "${ec}"
+ ./scripts/ci/mail.sh "${ec}"
echo "Done."
echo "Storing file changes to '.tfstate' files..."
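Review bot: The host private key is written by `echo '$SSH_SERVER_PRIVATE_KEY' > /etc/ssh/vps-box-server` under the default umask and only tightened by the `chmod 400` on the following line, so the file exists world-readable for a moment; putting `umask 077` right after the shebang removes that window for both key files. Unlike the sibling scripts this one has no `set -Eeuo pipefail`, so a failed write still reaches `systemctl restart sshd` with a dangling `HostKey` entry. If the rendered `./generated/user-data.sh` is handed to the instance as cloud-init user-data, as the name suggests, the plaintext key also stays retrievable from the provider's metadata service by any local process afterwards, which deserves a comment in the template. The two `>> /etc/ssh/sshd_config` appends are not idempotent either: a second run adds duplicate `HostKey`/`Port` lines.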
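Review bot: `VPS_COMMIT_SHA` is no longer computed in this script, but the third hunk of deploy.sh still expands `${VPS_COMMIT_SHA}` in the plan-file name and both commit messages, so under `set -Eeuo pipefail` the run now aborts with bash's unset-variable error unless the value arrives from the environment — presumably via the `.envrc` that setup.sh appends to `~/.buildenv`. An explicit guard after `cd ../../` makes that dependency visible and fails with a readable message: `: "${VPS_COMMIT_SHA:?must be exported by .envrc}"`. `mail_debug_log` continues past the end of this hunk.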
@@ -26,26 +22,18 @@ mail_debug_log() {
trap mail_debug_log EXIT
create_known_hosts_file() {
- echo "${TLD},$(terraform output public_floating_ip) ssh-rsa $(awk '{print $2}' < ./secrets/ssh/vps-box-server.pub)" > ./generated-known-hosts.txt
-}
-
-setup_borg_files() {
- local -r template_file="${1}"
- local -r destination_name="${2}"
- scp ./secrets/borg/borg-remote.pub "$TLD":/root/.ssh/id_rsa.pub
- scp ./secrets/borg/borg-remote "$TLD":/root/.ssh/id_rsa
- scp ./secrets/borg/known-hosts.txt "$TLD":/root/.ssh/known_hosts
- ssh "$TLD" 'chmod 400 /root/.ssh/id_rsa'
- # shellcheck disable=SC2029
- envsubst < "${template_file}" | ssh "$TLD" "cat > /home/vps/${destination_name} && chmod +x /home/vps/${destination_name}"
- # shellcheck disable=SC2029
- ssh "$TLD" "chmod +x /home/vps/${destination_name}"
+ echo "${TLD},$(terraform output public_floating_ip) ssh-rsa $(awk '{print $2}' < ./secrets/ssh/vps-box-server.pub)" > ./generated/generated-known-hosts.txt
}
echo "Shutting down running containers and backing up data..."
create_known_hosts_file
ssh "$TLD" "cd /home/vps/ && docker-compose down"
-setup_borg_files ./scripts/box/create-backup.env.sh create-backup.sh
+scp ./secrets/borg/borg-remote.pub "$TLD":/root/.ssh/id_rsa.pub
+scp ./secrets/borg/borg-remote "$TLD":/root/.ssh/id_rsa
+scp ./secrets/borg/known-hosts.txt "$TLD":/root/.ssh/known_hosts
+scp ./generated/create-backup.sh "$TLD":/home/vps/create-backup.sh
+ssh "$TLD" 'chmod 400 /root/.ssh/id_rsa'
+ssh "$TLD" "chmod +x /home/vps/create-backup.sh"
ssh "$TLD" /home/vps/create-backup.sh > ./logs/borg-create.txt 2>&1
echo "Done."
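Review bot: The borg private key is copied with `scp ./secrets/borg/borg-remote "$TLD":/root/.ssh/id_rsa` two commands before the separate `ssh "$TLD" 'chmod 400 /root/.ssh/id_rsa'`, so the remote file typically carries the source's mode bits — which, judging by the `chmod 400` workaround in setup.sh for git-crypt's smudge, may be wide open — until that second round trip; writing it through one session with a restrictive umask closes the window, `ssh "$TLD" 'umask 077 && cat > /root/.ssh/id_rsa' < ./secrets/borg/borg-remote`. `create_known_hosts_file` now writes to `./generated/generated-known-hosts.txt`, yet nothing in this diff creates `./generated/`; unless the directory is tracked in the repository, a `mkdir -p ./generated` is needed before the first write. The known-hosts line also hard-codes `ssh-rsa`, which has to stay in step with the key type produced by rotate-ssh-keys.sh.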
@@ -64,31 +52,31 @@ echo "Done."
echo "Running 'terraform plan' and storing the planfile..."
mkdir -p "../vps-state/secrets/plan-files/"
-PLAN_FILE_NAME="$(date -Iseconds)-$VPS_COMMIT_SHA.tfplan"
-PLAN_FILE_PATH="../vps-state/secrets/plan-files/$PLAN_FILE_NAME"
-terraform plan -input=false -out="$PLAN_FILE_PATH" > ./logs/terraform-plan.txt 2>&1
+PLAN_FILE_NAME="$(date -Iseconds)-${VPS_COMMIT_SHA}.tfplan"
+PLAN_FILE_PATH="../vps-state/secrets/plan-files/${PLAN_FILE_NAME}"
+terraform plan -input=false -out="${PLAN_FILE_PATH}" > ./logs/terraform-plan.txt 2>&1
pushd ../vps-state/
-git add "secrets/plan-files/$PLAN_FILE_NAME"
-git commit -m "CI: add .tfplan plan file for CI run $VPS_COMMIT_SHA"
+git add "secrets/plan-files/${PLAN_FILE_NAME}"
+git commit -m "CI: add .tfplan plan file for CI run ${VPS_COMMIT_SHA}"
git push origin master
popd
echo "Done."
echo "Running 'terraform apply'..."
-terraform apply -input=false -auto-approve "$PLAN_FILE_PATH" > ./logs/terraform-apply.txt 2>&1
+terraform apply -input=false -auto-approve "${PLAN_FILE_PATH}" > ./logs/terraform-apply.txt 2>&1
echo "Done."
echo "Storing .tfstate file..."
pushd ../vps-state/
git add secrets/terraform.tfstate secrets/terraform.tfstate.backup
-git commit -m "CI: update Terraform .tfstate files for CI run $VPS_COMMIT_SHA"
+git commit -m "CI: update Terraform .tfstate files for CI run ${VPS_COMMIT_SHA}"
git push origin master
popd
echo "Done."
echo "Running the Ansible playbook..."
create_known_hosts_file
-ansible-playbook -vvv provision.yaml > ./logs/ansible.txt
+ansible-playbook -v provision.yaml > ./logs/ansible.txt 2>&1
echo "Done."
echo "Locking git-crypt repositories back..."
diff --git a/scripts/ci/mail.sh b/scripts/ci/mail.sh
index 7058233..29420fa 100755
--- a/scripts/ci/mail.sh
+++ b/scripts/ci/mail.sh
@@ -3,14 +3,7 @@ set -Eeuo pipefail
cd "$(dirname "${BASH_SOURCE[0]}")"
cd ../../
-VPS_COMMIT_SHA="${1:-}"
-EXIT_CODE="${2:-}"
-
-[[ -z "${VPS_COMMIT_SHA}" ]] && {
- # shellcheck disable=SC2016
- echo 'Error: missing $VPS_COMMIT_SHA positional argument.'
- exit 2
-}
+EXIT_CODE="${1:-}"
[[ -z "${EXIT_CODE}" ]] && {
# shellcheck disable=SC2016
diff --git a/scripts/ci/setup.sh b/scripts/ci/setup.sh
index d9ac70c..84958d0 100755
--- a/scripts/ci/setup.sh
+++ b/scripts/ci/setup.sh
@@ -6,7 +6,7 @@ cd "$(dirname "${BASH_SOURCE[0]}")"
cd ../../
echo "Unlocking git-crypt repos and configuring git..."
-git config --global user.email "ci@euandre.org"
+git config --global user.email "${GIT_CI_USER}"
git config --global user.name "sr.ht CI"
git crypt unlock
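Review bot: `EXIT_CODE="${1:-}"` is only checked for emptiness, although the caller hands it the trap's `${?}`; a numeric check right after the assignment rejects a misplaced argument before it reaches the mail body: `[[ "${EXIT_CODE}" =~ ^[0-9]+$ ]] || { echo 'Error: $EXIT_CODE must be an integer.'; exit 2; }`. The dropped `VPS_COMMIT_SHA` positional is the second concern: if the rest of mail.sh, beyond this hunk, still references it, the value now has to come from the environment, and a `: "${VPS_COMMIT_SHA:?}"` guard would keep the old failure mode explicit instead of bash's generic unset-variable error. The `[[ -z "${EXIT_CODE}" ]] && { ... }` block that begins on the last hunk line continues outside the hunk.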
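Review bot: `git config --global user.email "${GIT_CI_USER}"` runs before `.envrc` is sourced further down in this same file, so the value must already be present in the CI environment when the script starts; assuming setup.sh uses the `set -Eeuo pipefail` of its siblings, an absent variable aborts here with a generic unset-variable message rather than naming what is missing. A guard on the line before makes the requirement explicit: `: "${GIT_CI_USER:?must be set in the build manifest}"`.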
@@ -17,25 +17,17 @@ git remote set-url origin git@git.sr.ht:~euandreh/vps-state
popd
echo "Done."
+gpg --import "${GPG_TO}.gpg"
+
# git smudge after git-crypt clears file permissions
chmod 400 ./secrets/ssh/vps-box-client
cat .envrc >> ~/.buildenv
source .envrc
-SSH_SERVER_PRIVATE_KEY="$(cat ./secrets/ssh/vps-box-server)"
-export SSH_SERVER_PRIVATE_KEY
-SSH_SERVER_PUBLIC_KEY="$(cat ./secrets/ssh/vps-box-server.pub)"
-export SSH_SERVER_PUBLIC_KEY
-
-# Used for keeping bash variables for run-time substituion instead of execution time substitution.
-# Taken from:
-# https://stackoverflow.com/questions/24963705/is-there-an-escape-character-for-envsubst
-export DOLLAR='$'
-
envsubst < ./ssh.env.conf >> ~/.ssh/config
-envsubst < ./hosts.env > ./hosts
-envsubst < ./docker-compose.env.yaml > ./docker-compose.yaml
-envsubst < ./user-data.env.sh > ./user-data.sh
-envsubst < ./scripts/box/create-backup.env.sh > ./scripts/box/create-backup.sh
-envsubst < ./scripts/box/restore-backup.env.sh > ./scripts/box/restore-backup.sh
+envsubst < ./hosts.env > ./generated/hosts
+envsubst < ./docker-compose.env.yaml > ./generated/docker-compose.yaml
+envsubst < ./scripts/box/user-data.env.sh > ./generated/user-data.sh
+envsubst < ./scripts/box/create-backup.env.sh > ./generated/create-backup.sh
+envsubst < ./scripts/box/restore-backup.env.sh > ./generated/restore-backup.sh
diff --git a/scripts/local/rotate-ssh-keys.sh b/scripts/local/rotate-ssh-keys.sh
new file mode 100755
index 0000000..337f351
--- /dev/null
+++ b/scripts/local/rotate-ssh-keys.sh
@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+cd "$(dirname "${BASH_SOURCE[0]}")"
+cd ../../
+
+rm -f ./secrets/ssh/*
+ssh-keygen -t rsa -b 4096 -q -N '' -f ./secrets/ssh/vps-box-client
+ssh-keygen -t rsa -b 4096 -q -N '' -f ./secrets/ssh/vps-box-server
+
+git add ./secrets/ssh/
+git commit -m "Script: rotate SSH keys" |
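Review bot: The rendered `./generated/user-data.sh` now holds the SSH host private key in plaintext (user-data.env.sh substitutes `$SSH_SERVER_PRIVATE_KEY`), yet nothing in this hunk creates `./generated/` or restricts it; add `mkdir -p ./generated && chmod 700 ./generated` before the first `envsubst`, and make sure the directory is git-ignored and not uploaded as a build artifact. With the `export SSH_SERVER_PRIVATE_KEY`/`SSH_SERVER_PUBLIC_KEY` lines removed, those variables presumably now come from the sourced `.envrc`; if they do not, `envsubst` silently renders them as empty strings and the box boots with an empty host key file, so a `: "${SSH_SERVER_PRIVATE_KEY:?}"` guard after `source .envrc` is worth adding. Passing an explicit variable list, `envsubst '$SSH_SERVER_PRIVATE_KEY $SSH_SERVER_PUBLIC_KEY $SSH_PORT'`, would also leave every other `$NAME` in the shell templates intact instead of relying on the `shellcheck disable=SC2016` placeholders never colliding with a CI environment variable.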
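Review bot: `rm -f ./secrets/ssh/*` deletes everything in the directory, not just the two key pairs this script regenerates, so any other file kept there is silently lost on rotation; name the four files explicitly, `rm -f -- ./secrets/ssh/vps-box-client ./secrets/ssh/vps-box-client.pub ./secrets/ssh/vps-box-server ./secrets/ssh/vps-box-server.pub`. The `ssh-rsa` literal in deploy.sh's `create_known_hosts_file` is tied to the `-t rsa` here, so a comment above the `ssh-keygen` lines such as `# key type must match the 'ssh-rsa' literal in scripts/ci/deploy.sh create_known_hosts_file` (or a move to `-t ed25519` in both places) keeps the known-hosts file from going stale after a future key-type change.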