Compare commits
4 Commits
385e60aee5
...
be80681485
| Author | SHA1 | Date | |
|---|---|---|---|
be80681485
|
|||
|
a2e60972c7
|
|||
|
598359854f
|
|||
|
ef812c1877
|
@ -1,7 +1,24 @@
|
||||
#!/bin/bash
|
||||
|
||||
# Finds the SSH private key under ./.vagrant and connects to
|
||||
# the Vagrant box, port forwarding localhost ports: 8443, 80, 443
|
||||
# the Vagrant box, port forwarding localhost ports: 8443, 443, 80, 22
|
||||
#
|
||||
# Download the latest script:
|
||||
# https://git.krislamo.org/kris/homelab/raw/branch/main/forward-ssh.sh
|
||||
#
|
||||
# Copyright (C) 2023 Kris Lamoureux
|
||||
#
|
||||
# This program is free software: you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
# the Free Software Foundation, version 3 of the License.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program. If not, see <https://www.gnu.org/licenses/>.
|
||||
|
||||
# Root check
|
||||
if [ "$EUID" -ne 0 ]; then
|
||||
@ -41,21 +58,38 @@ function ssh_connect {
|
||||
}
|
||||
|
||||
# Check for valid PRIVATE_KEY location
|
||||
PRIVATE_KEY="$(find .vagrant -name "private_key" 2>/dev/null)"
|
||||
if ! ssh-keygen -l -f "$PRIVATE_KEY" &>/dev/null; then
|
||||
echo "[ERROR]: The SSH key '$PRIVATE_KEY' is not valid. Is your virtual machine running?"
|
||||
PRIVATE_KEY="$(find .vagrant -name "private_key" 2>/dev/null | sort)"
|
||||
|
||||
# Single vagrant machine or multiple
|
||||
if [ "$(echo "$PRIVATE_KEY" | wc -l)" -gt 1 ]; then
|
||||
while IFS= read -r KEYFILE; do
|
||||
if ! ssh-keygen -l -f "$KEYFILE" &>/dev/null; then
|
||||
echo "[ERROR]: The SSH key '$KEYFILE' is not valid. Is your virtual machines running?"
|
||||
exit 1
|
||||
fi
|
||||
echo "[CHECK]: Valid key at $KEYFILE"
|
||||
done < <(echo "$PRIVATE_KEY")
|
||||
PRIVATE_KEY="$(echo "$PRIVATE_KEY" | grep -m1 "${1:-default}")"
|
||||
elif ! ssh-keygen -l -f "$PRIVATE_KEY" &>/dev/null; then
|
||||
echo "[ERROR]: The SSH key '$PRIVATE_KEY' is not valid. Is your virtual machine running?"
|
||||
exit 1
|
||||
else
|
||||
echo "[CHECK]: Valid key at $PRIVATE_KEY"
|
||||
fi
|
||||
|
||||
# Grab first IP or use whatever HOST_IP_FIELD is set to and check that the guest is up
|
||||
HOST_IP="$(vagrant ssh -c "hostname -I | cut -d' ' -f${HOST_IP_FIELD:-1}" 2>/dev/null)"
|
||||
HOST_IP="$(vagrant ssh -c "hostname -I | cut -d' ' -f${HOST_IP_FIELD:-1}" "${1:-default}" 2>/dev/null)"
|
||||
if [ -z "$HOST_IP" ]; then
|
||||
echo "[ERROR]: Failed to find ${1:-default}'s IP"
|
||||
exit 1
|
||||
fi
|
||||
HOST_IP="${HOST_IP::-1}" # trim
|
||||
|
||||
if ! ping -c 1 "$HOST_IP" &>/dev/null; then
|
||||
echo "[ERROR]: Cannot ping the host IP '$HOST_IP'"
|
||||
exit 1
|
||||
fi
|
||||
echo "[CHECK]: Host at $HOST_IP is up"
|
||||
echo "[CHECK]: Host at $HOST_IP (${1:-default}) is up"
|
||||
|
||||
# Pattern for matching processes running
|
||||
MATCH_PATTERN="ssh -fNT -i ${PRIVATE_KEY}.*vagrant@"
|
||||
|
||||
@ -5,7 +5,12 @@
|
||||
listen: rebuild_bitwarden
|
||||
|
||||
- name: Rebuild Bitwarden
|
||||
ansible.builtin.shell: "{{ bitwarden_root }}/bitwarden.sh rebuild"
|
||||
ansible.builtin.command: "{{ bitwarden_root }}/bitwarden.sh rebuild"
|
||||
listen: rebuild_bitwarden
|
||||
|
||||
- name: Reload systemd manager configuration
|
||||
ansible.builtin.systemd:
|
||||
daemon_reload: true
|
||||
listen: rebuild_bitwarden
|
||||
|
||||
- name: Start Bitwarden after rebuild
|
||||
@ -14,3 +19,10 @@
|
||||
state: started
|
||||
enabled: true
|
||||
listen: rebuild_bitwarden
|
||||
|
||||
- name: Create Bitwarden's initial log file
|
||||
ansible.builtin.file:
|
||||
path: "{{ bitwarden_logs_identity }}/{{ bitwarden_logs_identity_date }}.txt"
|
||||
state: touch
|
||||
mode: "644"
|
||||
listen: touch_bitwarden
|
||||
|
||||
@ -7,6 +7,7 @@
|
||||
ansible.builtin.file:
|
||||
path: "{{ bitwarden_root }}"
|
||||
state: directory
|
||||
mode: "755"
|
||||
|
||||
- name: Download Bitwarden script
|
||||
ansible.builtin.get_url:
|
||||
@ -22,7 +23,7 @@
|
||||
mode: u+x
|
||||
|
||||
- name: Run Bitwarden installation script
|
||||
ansible.builtin.shell: "{{ bitwarden_root }}/bw_wrapper"
|
||||
ansible.builtin.command: "{{ bitwarden_root }}/bw_wrapper"
|
||||
args:
|
||||
creates: "{{ bitwarden_root }}/bwdata/config.yml"
|
||||
|
||||
@ -30,6 +31,7 @@
|
||||
ansible.builtin.template:
|
||||
src: compose.override.yml.j2
|
||||
dest: "{{ bitwarden_root }}/bwdata/docker/docker-compose.override.yml"
|
||||
mode: "644"
|
||||
when: bitwarden_override | default(true)
|
||||
notify: rebuild_bitwarden
|
||||
|
||||
@ -76,6 +78,7 @@
|
||||
ansible.builtin.template:
|
||||
src: bitwarden.service.j2
|
||||
dest: "/etc/systemd/system/{{ bitwarden_name }}.service"
|
||||
mode: "644"
|
||||
register: bitwarden_systemd
|
||||
notify: rebuild_bitwarden
|
||||
|
||||
@ -83,22 +86,12 @@
|
||||
ansible.builtin.file:
|
||||
path: "{{ bitwarden_logs_identity }}"
|
||||
state: directory
|
||||
register: bitwarden_logs
|
||||
|
||||
- name: Create Bitwarden's initial log file
|
||||
ansible.builtin.file:
|
||||
path: "{{ bitwarden_logs_identity }}/{{ bitwarden_logs_identity_date }}.txt"
|
||||
state: touch
|
||||
when: bitwarden_logs.changed
|
||||
mode: "755"
|
||||
notify: touch_bitwarden
|
||||
|
||||
- name: Install Bitwarden's Fail2ban jail
|
||||
ansible.builtin.template:
|
||||
src: fail2ban-jail.conf.j2
|
||||
dest: /etc/fail2ban/jail.d/bitwarden.conf
|
||||
mode: "640"
|
||||
notify: restart_fail2ban
|
||||
|
||||
- name: Reload systemd manager configuration
|
||||
ansible.builtin.systemd:
|
||||
daemon_reload: true
|
||||
when: bitwarden_systemd.changed
|
||||
notify: rebuild_bitwarden
|
||||
|
||||
@ -21,6 +21,7 @@
|
||||
- name: Create git's .ssh directory
|
||||
ansible.builtin.file:
|
||||
path: /home/git/.ssh
|
||||
mode: "700"
|
||||
state: directory
|
||||
|
||||
- name: Generate git's SSH keys
|
||||
@ -40,6 +41,7 @@
|
||||
- name: Create git's authorized_keys file
|
||||
ansible.builtin.file:
|
||||
path: /home/git/.ssh/authorized_keys
|
||||
mode: "600"
|
||||
state: touch
|
||||
when: not git_authkeys.stat.exists
|
||||
|
||||
@ -53,21 +55,24 @@
|
||||
ansible.builtin.template:
|
||||
src: gitea.sh.j2
|
||||
dest: /usr/local/bin/gitea
|
||||
mode: 0755
|
||||
mode: "755"
|
||||
|
||||
- name: Create Gitea's logging directory
|
||||
ansible.builtin.file:
|
||||
name: /var/log/gitea
|
||||
state: directory
|
||||
mode: "755"
|
||||
|
||||
- name: Install Gitea's Fail2ban filter
|
||||
ansible.builtin.template:
|
||||
src: fail2ban-filter.conf.j2
|
||||
dest: /etc/fail2ban/filter.d/gitea.conf
|
||||
mode: "644"
|
||||
notify: restart_fail2ban
|
||||
|
||||
- name: Install Gitea's Fail2ban jail
|
||||
ansible.builtin.template:
|
||||
src: fail2ban-jail.conf.j2
|
||||
dest: /etc/fail2ban/jail.d/gitea.conf
|
||||
mode: "640"
|
||||
notify: restart_fail2ban
|
||||
|
||||
@ -6,7 +6,7 @@
|
||||
listen: restart_mariadb
|
||||
|
||||
- name: Set MariaDB as restarted
|
||||
set_fact:
|
||||
ansible.builtin.set_fact:
|
||||
mariadb_restarted: true
|
||||
when: not mariadb_restarted
|
||||
listen: restart_mariadb
|
||||
|
||||
@ -4,7 +4,7 @@
|
||||
state: present
|
||||
|
||||
- name: Set MariaDB restarted fact
|
||||
set_fact:
|
||||
ansible.builtin.set_fact:
|
||||
mariadb_restarted: false
|
||||
|
||||
- name: Regather facts for the potentially new docker0 interface
|
||||
|
||||
@ -1,3 +1,13 @@
|
||||
- name: Enable nginx sites configuration
|
||||
ansible.builtin.file:
|
||||
src: "/etc/nginx/sites-available/{{ item.item.domain }}.conf"
|
||||
dest: "/etc/nginx/sites-enabled/{{ item.item.domain }}.conf"
|
||||
state: link
|
||||
mode: "400"
|
||||
loop: "{{ nginx_sites.results }}"
|
||||
when: item.changed
|
||||
listen: reload_nginx
|
||||
|
||||
- name: Reload nginx
|
||||
ansible.builtin.service:
|
||||
name: nginx
|
||||
|
||||
@ -19,28 +19,18 @@
|
||||
ansible.builtin.template:
|
||||
src: nginx.conf.j2
|
||||
dest: /etc/nginx/nginx.conf
|
||||
mode: 0644
|
||||
mode: "644"
|
||||
notify: reload_nginx
|
||||
|
||||
- name: Install nginx sites configuration
|
||||
ansible.builtin.template:
|
||||
src: server-nginx.conf.j2
|
||||
dest: "/etc/nginx/sites-available/{{ item.domain }}.conf"
|
||||
mode: 0400
|
||||
mode: "400"
|
||||
loop: "{{ proxy.servers }}"
|
||||
notify: reload_nginx
|
||||
register: nginx_sites
|
||||
|
||||
- name: Enable nginx sites configuration
|
||||
ansible.builtin.file:
|
||||
src: "/etc/nginx/sites-available/{{ item.item.domain }}.conf"
|
||||
dest: "/etc/nginx/sites-enabled/{{ item.item.domain }}.conf"
|
||||
state: link
|
||||
mode: 0400
|
||||
loop: "{{ nginx_sites.results }}"
|
||||
when: item.changed
|
||||
notify: reload_nginx
|
||||
|
||||
- name: Generate self-signed certificate
|
||||
ansible.builtin.command: 'openssl req -newkey rsa:4096 -x509 -sha256 -days 3650 -nodes \
|
||||
-subj "/C=US/ST=Local/L=Local/O=Org/OU=IT/CN=example.com" \
|
||||
@ -61,14 +51,14 @@
|
||||
ansible.builtin.template:
|
||||
src: cloudflare.ini.j2
|
||||
dest: /root/.cloudflare.ini
|
||||
mode: 0400
|
||||
mode: "400"
|
||||
when: proxy.production is defined and proxy.production and proxy.dns_cloudflare is defined
|
||||
|
||||
- name: Create nginx post renewal hook directory
|
||||
ansible.builtin.file:
|
||||
path: /etc/letsencrypt/renewal-hooks/post
|
||||
state: directory
|
||||
mode: 0500
|
||||
mode: "500"
|
||||
when: proxy.production is defined and proxy.production
|
||||
|
||||
- name: Install nginx post renewal hook
|
||||
|
||||
Loading…
Reference in New Issue
Block a user