turn-stack/90_lib.sh at main · yboujraf/turn-stack · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
#!/usr/bin/env bash
set -euo pipefail

load_env(){ local dir; dir="$(cd "$(dirname "$0")" && pwd)"; [[ -f "$dir/.env" ]] && { set -a; source "$dir/.env"; set +a; }; }

log(){ printf "\n[+] %s\n" "$*"; }
warn(){ printf "\n[!] %s\n" "$*"; }
info(){ printf "[*] %s\n" "$*"; }

ensure_pkg(){ DEBIAN_FRONTEND=noninteractive apt-get update -y; DEBIAN_FRONTEND=noninteractive apt-get install -y "$@"; }

ensure_nginx_base(){ ensure_pkg nginx
  sed -E -i 's/^[[:space:]]*gzip[[:space:]]+on;/# gzip on; (disabled by generator)/' /etc/nginx/nginx.conf || true
  sed -E -i 's/^[[:space:]]*gzip_types[[:space:]]+.*/# & (disabled by generator)/' /etc/nginx/nginx.conf || true
  rm -f /etc/nginx/conf.d/*gzip*.conf /etc/nginx/snippets/*gzip*.conf 2>/dev/null || true
  cat > /etc/nginx/conf.d/10-gzip.conf <<'GZ'
# gzip baseline
gzip on;
gzip_types text/plain text/css application/javascript application/json image/svg+xml;
GZ
  cat > /etc/nginx/sites-available/00-status.conf <<'NGX'
server {
    listen 127.0.0.1:8080;
    server_name localhost;
    location /stub_status {
        stub_status;
        allow 127.0.0.1;
        deny all;
    }
}
NGX
  ln -sf /etc/nginx/sites-available/00-status.conf /etc/nginx/sites-enabled/00-status.conf
  if nginx -t; then systemctl enable --now nginx; systemctl reload nginx || true; else warn "nginx -t failed; not reloading"; fi
}

ensure_snap_certbot_cf(){ ensure_pkg snapd
  snap install core || true; snap refresh core || true
  apt-get remove -y certbot || true
  snap install --classic certbot
  ln -sf /snap/bin/certbot /usr/bin/certbot
  snap set certbot trust-plugin-with-root=ok || true
  snap install certbot-dns-cloudflare || true
  mkdir -p /root/.secrets/certbot
  local cf_ini=/root/.secrets/certbot/cloudflare.ini
  printf "dns_cloudflare_api_token = %s\n" "${CF_API_TOKEN:-}" > "$cf_ini"
  chmod 600 "$cf_ini"
}

issue_cert(){ local domain="$1"; local wait="${2:-${CF_PROPAGATION_SECONDS:-30}}"; [[ -z "$domain" ]] && { warn "issue_cert: domain empty"; return 1; }
  info "Issuing/renewing certificate for $domain (prop ${wait}s)"
  certbot certonly \
    --agree-tos -m "${SYS_ADMIN_EMAIL}" --non-interactive \
    --dns-cloudflare --dns-cloudflare-credentials /root/.secrets/certbot/cloudflare.ini \
    --dns-cloudflare-propagation-seconds "$wait" \
    -d "$domain" || true
}

nginx_enable_site(){ local name="$1";
  find /etc/nginx/sites-enabled -maxdepth 1 -type l -name "*${name}*.conf" -not -path "/etc/nginx/sites-enabled/${name}.conf" -delete 2>/dev/null || true
  ln -sf "/etc/nginx/sites-available/${name}.conf" "/etc/nginx/sites-enabled/${name}.conf"
  if nginx -t; then systemctl reload nginx; else warn "nginx config invalid; site ${name} not reloaded"; fi
}

build_htpasswd(){ local users_str="$1"; local out="$2"; : > "$out"; chmod 640 "$out"; chown root:www-data "$out" || true; : > "${out}.plain"; chmod 600 "${out}.plain"; local entry u p; for entry in $users_str; do u="${entry%%:*}"; p="${entry#*:}"; [[ -z "$u" ]] && continue; [[ -z "$p" ]] && p="$(openssl rand -base64 16)"; htpasswd -bB "$out" "$u" "$p" >/dev/null; echo "$u:$p" >> "${out}.plain"; done }

report_cert(){ local domain="$1"; certbot certificates 2>/dev/null | awk -v d="$domain" 'found&&/^\s*\*/{exit} $0~d{found=1} found{print}'; }

curl_head(){ local url="$1"; curl -skI "$url" | head -n1 || true; }