
fix(configure): separate deploy keys & logic

pull/2582/head
Harry 4 months ago committed by GitHub
parent
commit
86656ea442
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
  1. 503
      sh/debian/configure.sh

503
sh/debian/configure.sh diff.vendored

@ -14,31 +14,31 @@ export DEBIAN_PRIORITY=critical
PATH=/sbin:/usr/sbin:$PATH PATH=/sbin:/usr/sbin:$PATH
function sysConfig() { function sysConfig() {
echo "Enter the server FQDN $(tput setaf 2)[System: $(hostname)]$(tput sgr0):" echo "Enter the server FQDN $(tput setaf 2)[System: $(hostname)]$(tput sgr0):"
read serverFQDN read -r serverFQDN
hostnamectl set-hostname $serverFQDN hostnamectl set-hostname "$serverFQDN"
echo "Enter the server Time Zone $(tput setaf 2)[System: $(cat /etc/timezone)]$(tput sgr0): " echo "Enter the server Time Zone $(tput setaf 2)[System: $(cat /etc/timezone)]$(tput sgr0): "
read serverTZ read -r serverTZ
timedatectl set-timezone $serverTZ timedatectl set-timezone "$serverTZ"
# Navigate to tmp # Navigate to tmp
cd /tmp cd /tmp
# Debian stable OS # Debian stable OS
apt-get update apt-get update
apt-get -y -o "Dpkg::Options::=--force-confdef" -o "Dpkg::Options::=--force-confold" upgrade apt-get -y -o "Dpkg::Options::=--force-confdef" -o "Dpkg::Options::=--force-confold" upgrade
apt-get -y dist-upgrade apt-get -y dist-upgrade
# Disable OpenStack SSH malware # Disable OpenStack SSH malware
mv /home/debian/.ssh/authorized_keys /root/.ssh/authorized_keys || : mv /home/debian/.ssh/authorized_keys /root/.ssh/authorized_keys || :
sed -i '/Generated-by-Nova/d' /root/.ssh/authorized_keys || : sed -i '/Generated-by-Nova/d' /root/.ssh/authorized_keys || :
chown root:root /root/.ssh/authorized_keys || : chown root:root /root/.ssh/authorized_keys || :
# Terminal goodies # Terminal goodies
touch .hushlogin touch .hushlogin
cat <<'EOF' >>/root/.bashrc cat <<'EOF' >>/root/.bashrc
export LS_OPTIONS="--color=auto" export LS_OPTIONS="--color=auto"
eval "`dircolors`" eval "`dircolors`"
@ -58,13 +58,13 @@ export HISTTIMEFORMAT="%F %T "
export DOCKER_BUILDKIT=1 COMPOSE_DOCKER_CLI_BUILD=1 export DOCKER_BUILDKIT=1 COMPOSE_DOCKER_CLI_BUILD=1
EOF EOF
cat <<'EOF' >>/etc/inputrc cat <<'EOF' >>/etc/inputrc
set completion-ignore-case set completion-ignore-case
set show-all-if-ambiguous On set show-all-if-ambiguous On
set show-all-if-unmodified On set show-all-if-unmodified On
EOF EOF
cat <<'EOF' >>/etc/bash.bashrc cat <<'EOF' >>/etc/bash.bashrc
if ! shopt -oq posix; then if ! shopt -oq posix; then
if [ -f /usr/share/bash-completion/bash_completion ]; then if [ -f /usr/share/bash-completion/bash_completion ]; then
. /usr/share/bash-completion/bash_completion . /usr/share/bash-completion/bash_completion
@ -74,258 +74,287 @@ if ! shopt -oq posix; then
fi fi
EOF EOF
# Basic packages # Basic packages
apt-get -y install man bash-completion git ufw jq curl build-essential wget psmisc lz4 file net-tools brotli unzip zip moreutils dnsutils fail2ban xauth sysfsutils rsync iperf pv tree mc screen ssh iotop htop awscli whois sudo apt-get -y install man bash-completion git ufw jq curl build-essential wget psmisc lz4 file net-tools brotli unzip zip moreutils dnsutils fail2ban xauth sysfsutils rsync iperf pv tree mc screen ssh iotop htop awscli whois sudo
# Enable time synchronization # Enable time synchronization
timedatectl set-ntp true timedatectl set-ntp true
# Configure screen # Configure screen
cat <<'EOF' >>/etc/screenrc cat <<'EOF' >>/etc/screenrc
startup_message off startup_message off
shell -$SHELL shell -$SHELL
defscrollback 100000 defscrollback 100000
bind l eval clear "scrollback 0" "scrollback 100000" bind l eval clear "scrollback 0" "scrollback 100000"
EOF EOF
# Configure SSH # Configure SSH
cat <<'EOF' >>/etc/ssh/sshd_config cat <<'EOF' >>/etc/ssh/sshd_config
Port 521 Port 521
PasswordAuthentication no PasswordAuthentication no
AllowUsers root AllowUsers root
X11UseLocalhost no X11UseLocalhost no
EOF EOF
systemctl restart ssh systemctl restart ssh
touch /root/.Xauthority touch /root/.Xauthority
# Firewall # Firewall
ufw allow in 80/tcp ufw allow in 80/tcp
ufw allow in 443/tcp ufw allow in 443/tcp
ufw allow in 521/tcp ufw allow in 521/tcp
ufw allow in 8080/tcp ufw allow in 8080/tcp
ufw allow in 8082/tcp ufw allow in 8082/tcp
ufw logging off ufw logging off
ufw --force enable ufw --force enable
ufw --force delete 6 ufw --force delete 6
ufw --force delete 6 ufw --force delete 6
ufw --force delete 6 ufw --force delete 6
ufw --force delete 6 ufw --force delete 6
ufw --force delete 6 ufw --force delete 6
# Optimize # Optimize
systemctl disable apt-daily.timer apt-daily-upgrade.timer remote-fs.target man-db.timer systemctl disable apt-daily.timer apt-daily-upgrade.timer remote-fs.target man-db.timer
sed -i 's/MODULES=most/MODULES=dep/g' /etc/initramfs-tools/initramfs.conf sed -i 's/MODULES=most/MODULES=dep/g' /etc/initramfs-tools/initramfs.conf
sed -i 's/COMPRESS=gzip/COMPRESS=lz4/g' /etc/initramfs-tools/initramfs.conf sed -i 's/COMPRESS=gzip/COMPRESS=lz4/g' /etc/initramfs-tools/initramfs.conf
echo 'RESUME=none' >>/etc/initramfs-tools/conf.d/resume echo 'RESUME=none' >>/etc/initramfs-tools/conf.d/resume
update-initramfs -u update-initramfs -u
echo 'GRUB_TIMEOUT=0' >>/etc/default/grub echo 'GRUB_TIMEOUT=0' >>/etc/default/grub
update-grub update-grub
apt-get -y purge apparmor exim\* apt-get -y purge apparmor exim\*
for i in $(seq 0 "$(nproc --ignore 1)"); do for i in $(seq 0 "$(nproc --ignore 1)"); do
echo "devices/system/cpu/cpu${i}/cpufreq/scaling_governor = performance" >>/etc/sysfs.conf echo "devices/system/cpu/cpu${i}/cpufreq/scaling_governor = performance" >>/etc/sysfs.conf
done done
# Disable sleep when closing laptop screen # Disable sleep when closing laptop screen
echo HandleLidSwitch=ignore >>/etc/systemd/logind.conf echo HandleLidSwitch=ignore >>/etc/systemd/logind.conf
# noatime # noatime
sed -i 's| / ext4 | / ext4 noatime,|g' /etc/fstab sed -i 's| / ext4 | / ext4 noatime,|g' /etc/fstab
# Disable swap # Disable swap
swapoff -a swapoff -a
sed -i '/swap/d' /etc/fstab sed -i '/swap/d' /etc/fstab
# Docker # Docker
curl -fsSL https://get.docker.com -o get-docker.sh && sh get-docker.sh curl -fsSL https://get.docker.com -o get-docker.sh && sh get-docker.sh
# NodeJS # NodeJS
curl -fsSL https://deb.nodesource.com/setup_20.x | bash && apt-get install -y nodejs curl -fsSL https://deb.nodesource.com/setup_20.x | bash && apt-get install -y nodejs
# Git # Git
apt-get update && apt-get -y install git apt-get update && apt-get -y install git
# Generate SSH key #!/bin/bash
ssh-keygen -ted25519 -f ~/.ssh/id_ed25519 -N ''
# Generate SSH key
# Use Cloudflare DNS server for key_type in all https runner; do
echo 'supersede domain-name-servers 1.1.1.1;' >>/etc/dhcp/dhclient.conf ssh-keygen -t ed25519 -f ~/.ssh/ed25519_01edu_$key_type -N ''
# Cleanup # Create SSH config for each key
sed -i '/^deb-src/d' /etc/apt/sources.list echo "Host github.com-01-edu-$key_type
apt-get update HostName github.com
apt-get -y purge unattended-upgrades User git
apt-get -y autoremove --purge IdentityFile ~/.ssh/ed25519_01edu_$key_type" >~/.ssh/config.d/01-edu-$key_type.conf
apt-get clean done
# SSH Keys Infra Team # Include custom SSH configurations from the config directory
curl https://github.com/{harryvasanth,frenchris,kigiri}.keys >>~/.ssh/authorized_keys echo "Include ~/.ssh/config.d/*.conf" >>~/.ssh/config
# Create Core directories # Use Cloudflare DNS server
mkdir -p /root/core/scripts/misc echo 'supersede domain-name-servers 1.1.1.1;' >>/etc/dhcp/dhclient.conf
# Cleanup
sed -i '/^deb-src/d' /etc/apt/sources.list
apt-get update
apt-get -y purge unattended-upgrades
apt-get -y autoremove --purge
apt-get clean
# SSH Keys Infra Team
curl https://github.com/{harryvasanth,frenchris,kigiri}.keys >>~/.ssh/authorized_keys
# Create Core directories
mkdir -p /root/core/scripts/misc
} }
# Check Config # Check Config
function checkConfig() { function checkConfig() {
test "$(command -v "${1:-}")" && echo -n ✅ || echo -n ❌ test "$(command -v "${1:-}")" && echo -n ✅ || echo -n ❌
echo " $@" echo " $*"
}
function checkKeys() {
# Check if SSH key pairs are generated
if [ -f ~/.ssh/ed25519_01edu_all ] && [ -f ~/.ssh/ed25519_01edu_all.pub ] &&
[ -f ~/.ssh/ed25519_01edu_https ] && [ -f ~/.ssh/ed25519_01edu_https.pub ] &&
[ -f ~/.ssh/ed25519_01edu_runner ] && [ -f ~/.ssh/ed25519_01edu_runner.pub ]; then
echo "âś… SSH private/public key pairs generated"
# Echo public keys
echo "Public keys:"
cat ~/.ssh/ed25519_01edu_all.pub
cat ~/.ssh/ed25519_01edu_https.pub
cat ~/.ssh/ed25519_01edu_runner.pub
else
echo "❌ SSH private/public key pairs not found"
fi
} }
# Check configs in the List # Check configs in the List
function checkList() { function checkList() {
checkConfig docker checkConfig docker
checkConfig node checkConfig node
checkConfig git checkConfig git
checkConfig man checkConfig man
checkConfig ufw checkConfig ufw
checkConfig jq checkConfig jq
checkConfig curl checkConfig curl
checkConfig netcat checkConfig netcat
checkConfig wget checkConfig wget
checkConfig lz4 checkConfig lz4
checkConfig file checkConfig file
checkConfig brotli checkConfig brotli
checkConfig unzip checkConfig unzip
checkConfig zip checkConfig zip
checkConfig fail2ban-server checkConfig fail2ban-server
checkConfig xauth checkConfig xauth
checkConfig rsync checkConfig rsync
checkConfig iperf checkConfig iperf
checkConfig pv checkConfig pv
checkConfig tree checkConfig tree
checkConfig mc checkConfig mc
checkConfig screen checkConfig screen
checkConfig ssh checkConfig ssh
checkConfig iotop checkConfig iotop
checkConfig htop checkConfig htop
checkConfig aws checkConfig aws
checkConfig whois checkConfig whois
checkConfig sudo checkConfig sudo
test "$(ls ~/.ssh/*.pub 2>/dev/null)" && echo -n ✅ || echo -n ❌ checkKeys
echo " SSH private/public key pair generated"
} }
function runHTTPS() { function runHTTPS() {
echo -e "Deploying HTTPS service: \n" echo -e "Deploying HTTPS service: \n"
echo "Enter the server FQDN $(tput setaf 2)[System: $(hostname)]$(tput sgr0):" echo "Enter the server FQDN $(tput setaf 2)[System: $(hostname)]$(tput sgr0):"
read httpsFQDN read -r httpsFQDN
# Check if the FQDN is valid # Check if the FQDN is valid
if dig +short $httpsFQDN >/dev/null 2>&1; then if dig +short "$httpsFQDN" >/dev/null 2>&1; then
cd /root/core/https cd /root/core/https
DOMAIN=$httpsFQDN ./run.sh DOMAIN=$httpsFQDN ./run.sh
echo -e "HTTPS service is up! \n" echo -e "HTTPS service is up! \n"
else else
echo "$(tput setaf 1)$(tput bold)The FQDN: $httpsFQDN is not reachable$(tput sgr0)" echo "$(tput setaf 1)$(tput bold)The FQDN: $httpsFQDN is not reachable$(tput sgr0)"
echo "$(tput setaf 1)Please check your DNS configuration$(tput sgr0)" echo "$(tput setaf 1)Please check your DNS configuration$(tput sgr0)"
runHTTPS runHTTPS
fi fi
} }
# Deploy core repositories # Deploy core repositories
function deployCore() { function deployCore() {
# Check for the presence of configurations # Check for the presence of configurations
test "$(ls ~/.ssh/*.pub 2>/dev/null)" && echo -n "$(tput setaf 2)$(tput bold)Config check passed!$(tput sgr0)" || exit 1 test "$(ls ~/.ssh/*.pub 2>/dev/null)" && echo -n "$(tput setaf 2)$(tput bold)Config check passed!$(tput sgr0)" || exit 1
echo -e "$(tput setaf 6)$(tput bold)\nThe core components will be deployed to the server: $(tput sgr0)\n" echo -e "$(tput setaf 6)$(tput bold)\nThe core components will be deployed to the server: $(tput sgr0)\n"
# Clone core repositories # Clone core repositories
git clone git@github.com:01-edu/runner.git /root/core/runner git clone git@github.com-01-edu-runner:01-edu/runner.git /root/core/runner
git clone git@github.com:01-edu/https.git /root/core/https git clone git@github.com-01-edu-https:01-edu/https.git /root/core/https
# Docker login # Docker login
echo -e "Enter the docker username: " echo -e "Enter the docker username: "
read dockerUsername read -r dockerUsername
echo -e "Enter the docker password: " echo -e "Enter the docker password: "
read dockerPassword read -r dockerPassword
docker login docker.01-edu.org -u $dockerUsername -p $dockerPassword docker login docker.01-edu.org -u "$dockerUsername" -p "$dockerPassword"
# Deploy HTTPS # Deploy HTTPS
runHTTPS runHTTPS
# Deploy Runner # Deploy Runner
echo -e "Deploying Runner service: \n " echo -e "Deploying Runner service: \n "
cd /root/core/runner cd /root/core/runner
# Get the latest release version tag and create latest branch # Get the latest release version tag and create latest branch
tag=$(git describe --tags $(git rev-list --tags --max-count=1)) tag=$(git describe --tags "$(git rev-list --tags --max-count=1)")
git checkout $tag git checkout "$tag"
# Get user auth infor for the runner # Get user auth infor for the runner
echo -e "Enter the runner Registry password: " echo -e "Enter the runner Registry password: "
read registryPassword read -r registryPassword
echo -e "Enter the runner GitHub username: " echo -e "Enter the runner GitHub username: "
read githubUsername read -r githubUsername
echo -e "Enter the runner GitHub token: " echo -e "Enter the runner GitHub token: "
read githubToken read -r githubToken
REGISTRY_PASSWORD=$registryPassword GITHUB_USERNAME=$githubUsername GITHUB_TOKEN=$githubToken ./run.sh REGISTRY_PASSWORD=$registryPassword GITHUB_USERNAME=$githubUsername GITHUB_TOKEN=$githubToken ./run.sh
echo -e "Runner service is up! \n" echo -e "Runner service is up! \n"
} }
function deployPlatform() { function deployPlatform() {
# Check for the presence of configurations # Check for the presence of configurations
test "$(ls ~/.ssh/*.pub 2>/dev/null)" && echo -n "$(tput setaf 2)$(tput bold)Config check passed!$(tput sgr0)" || exit 1 test "$(ls ~/.ssh/*.pub 2>/dev/null)" && echo -n "$(tput setaf 2)$(tput bold)Config check passed!$(tput sgr0)" || exit 1
echo -e "$(tput setaf 6)$(tput bold)\nThe platform components will be deployed to the server: $(tput sgr0)\n" echo -e "$(tput setaf 6)$(tput bold)\nThe platform components will be deployed to the server: $(tput sgr0)\n"
# Clone platform repository # Clone platform repository
echo "Enter the server FQDN $(tput setaf 2)[System: $(hostname)]$(tput sgr0):" echo "Enter the server FQDN $(tput setaf 2)[System: $(hostname)]$(tput sgr0):"
read serverFQDN read -r serverFQDN
git clone git@github.com:01-edu/all.git /root/$serverFQDN git clone git@github.com-01-edu-all:01-edu/all.git /root/"$serverFQDN"
cd /root/$serverFQDN cd /root/"$serverFQDN"
# Generate platform environment file automatically # Generate platform environment file automatically
./generate_env.sh --auto ./generate_env.sh --auto
./redeploy.sh --hard ./redeploy.sh --hard
} }
function clonePlatform() { function clonePlatform() {
# Check for the presence of configurations # Check for the presence of configurations
test "$(ls ~/.ssh/*.pub 2>/dev/null)" && echo -n "$(tput setaf 2)$(tput bold)Config check passed!$(tput sgr0)" || exit 1 test "$(ls ~/.ssh/*.pub 2>/dev/null)" && echo -n "$(tput setaf 2)$(tput bold)Config check passed!$(tput sgr0)" || exit 1
echo -e "$(tput setaf 6)$(tput bold)\nThe platform components will be deployed to the server: $(tput sgr0)\n" echo -e "$(tput setaf 6)$(tput bold)\nThe platform components will be deployed to the server: $(tput sgr0)\n"
# Clone platform repository # Clone platform repository
echo "Enter the target directory for the platform $(tput setaf 2)[System: $(pwd)/$(hostname)]$(tput sgr0):" echo "Enter the target directory for the platform $(tput setaf 2)[System: $(pwd)/$(hostname)]$(tput sgr0):"
read serverDir read -r serverDir
git clone git@github.com:01-edu/all.git $serverDir git clone git@github.com:01-edu/all.git "$serverDir"
cd $serverDir cd "$serverDir"
# Generate platform environment file automatically # Generate platform environment file automatically
./generate_env.sh --gen ./generate_env.sh --gen
} }
if [[ ! -n ${1:-} ]] || [[ "--check" = $1 ]]; then if [[ -z ${1:-} ]] || [[ "--check" = "$1" ]]; then
echo -e "$(tput setaf 2)$(tput bold)Commencing configuration check: $(tput sgr0)" echo -e "$(tput setaf 2)$(tput bold)Commencing configuration check: $(tput sgr0)"
checkList checkList
echo -e "$(tput setaf 2)\nSystem configuration check complete! $(tput sgr0)\n" echo -e "$(tput setaf 2)\nSystem configuration check complete! $(tput sgr0)\n"
exit 0 exit 0
elif [[ "--help" = $1 ]]; then elif [[ "--help" = "$1" ]]; then
echo "$(tput setaf 2) --check : to check the current configuration. $(tput sgr0)" echo "$(tput setaf 2) --check : to check the current configuration. $(tput sgr0)"
echo "$(tput setaf 3) --run : to configure the system. $(tput sgr0)" echo "$(tput setaf 3) --run : to configure the system. $(tput sgr0)"
echo "$(tput setaf 1) --reboot : to configure the system and reboot. $(tput sgr0)" echo "$(tput setaf 1) --reboot : to configure the system and reboot. $(tput sgr0)"
echo "$(tput setaf 6) --deploy : to deploy and spin-up platform components. $(tput sgr0)" echo "$(tput setaf 6) --deploy : to deploy and spin-up platform components. $(tput sgr0)"
echo "$(tput setaf 5) --platform : to clone platform. $(tput sgr0)" echo "$(tput setaf 5) --platform : to clone platform. $(tput sgr0)"
echo "$(tput setaf 7) --help : to display this message. $(tput sgr0)" echo "$(tput setaf 7) --help : to display this message. $(tput sgr0)"
elif [[ "--reboot" = $1 ]]; then elif [[ "--reboot" = "$1" ]]; then
echo -e "$(tput setaf 1)$(tput bold)\nSystem will be configured and rebooted. $(tput sgr0)" echo -e "$(tput setaf 1)$(tput bold)\nSystem will be configured and rebooted. $(tput sgr0)"
sysConfig sysConfig
echo -e "$(tput setaf 1)\nSystem configuration complete. Rebooting now... $(tput sgr0)" echo -e "$(tput setaf 1)\nSystem configuration complete. Rebooting now... $(tput sgr0)"
reboot reboot
elif [[ "--run" = $1 ]]; then elif [[ "--run" = "$1" ]]; then
echo -e "$(tput setaf 3)$(tput bold)\nSystem will be configured without rebooting. $(tput sgr0)" echo -e "$(tput setaf 3)$(tput bold)\nSystem will be configured without rebooting. $(tput sgr0)"
sysConfig sysConfig
echo -e "$(tput setaf 3)\nSystem configuration complete! $(tput sgr0)" echo -e "$(tput setaf 3)\nSystem configuration complete! $(tput sgr0)"
exit 0 exit 0
elif [[ "--deploy" = $1 ]]; then elif [[ "--deploy" = "$1" ]]; then
deployCore deployCore
deployPlatform deployPlatform
echo -e "$(tput setaf 6)\nRepositories cloned and platform has been deployed successfully! $(tput sgr0)" echo -e "$(tput setaf 6)\nRepositories cloned and platform has been deployed successfully! $(tput sgr0)"
exit 0 exit 0
elif [[ "--platform" = $1 ]]; then elif [[ "--platform" = "$1" ]]; then
clonePlatform clonePlatform
echo -e "$(tput setaf 5)\nPlatform has been cloned successfully! $(tput sgr0)" echo -e "$(tput setaf 5)\nPlatform has been cloned successfully! $(tput sgr0)"
exit 0 exit 0
else else
echo "$(tput setaf 1)$(tput bold) Unknown configuration option: $1 $(tput sgr0)" echo "$(tput setaf 1)$(tput bold) Unknown configuration option: $1 $(tput sgr0)"
echo "$(tput setaf 1)Please use --help for all available options. $(tput sgr0)" echo "$(tput setaf 1)Please use --help for all available options. $(tput sgr0)"
echo "$(tput setaf 1)No changes are made $(tput sgr0)" echo "$(tput setaf 1)No changes are made $(tput sgr0)"
exit 0 exit 0
fi fi
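Review bot: The per-key config files are written with `>~/.ssh/config.d/01-edu-$key_type.conf` inside the new `for key_type in all https runner` loop in sysConfig, but nothing in the hunk creates `~/.ssh/config.d`, so on a fresh host the redirection fails and the `Include ~/.ssh/config.d/*.conf` appended to `~/.ssh/config` points at an empty glob; add `mkdir -p ~/.ssh/config.d` before the loop. Each `Host github.com-01-edu-$key_type` block should also carry `IdentitiesOnly yes`, otherwise ssh offers any agent-held identity (for example a forwarded admin key) before the named IdentityFile, and GitHub will authenticate with whichever key it accepts first rather than the deploy key intended for that repository. clonePlatform still clones `git@github.com:01-edu/all.git` while deployPlatform now uses the `github.com-01-edu-all` alias; if both are meant to use the generated deploy key the former should be updated too, and if the difference is deliberate a one-line comment saying so would help. The success message in checkKeys is rendered here as `âś…` instead of `✅`; if that mojibake is in the file rather than a display artifact it should be corrected to match the other markers.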
