diff --git a/scripts/install_services.sh b/scripts/install_services.sh
new file mode 100755
index 0000000..e13aa80
--- /dev/null
+++ b/scripts/install_services.sh
@@ -0,0 +1,90 @@
+#!/bin/bash
+
+set -e
+
+# Colors
+GREEN='\033[0;32m'
+RED='\033[0;31m'
+YELLOW='\033[1;33m'
+NC='\033[0m' # No Color
+
+log_info() {
+ echo -e "${YELLOW}[INFO]${NC} $1"
+}
+
+log_success() {
+ echo -e "${GREEN}[SUCCESS]${NC} $1"
+}
+
+log_error() {
+ echo -e "${RED}[ERROR]${NC} $1"
+}
+
+# Check for sudo/root
+if [ "$EUID" -ne 0 ]; then
+ log_error "Please run as root or with sudo"
+ exit 1
+fi
+
+# Determine paths
+SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
+PROJECT_ROOT="$(dirname "$SCRIPT_DIR")"
+SYSTEMD_DIR="$PROJECT_ROOT/systemd"
+DEST_DIR="/etc/systemd/system"
+
+SERVICE_FILE="cert-renewer.service"
+TIMER_FILE="cert-renewer.timer"
+
+install_unit() {
+ local unit_file=$1
+ local src_path="$SYSTEMD_DIR/$unit_file"
+ local dest_path="$DEST_DIR/$unit_file"
+
+ if [ ! -f "$src_path" ]; then
+ log_error "Source file not found: $src_path"
+ exit 1
+ fi
+
+ log_info "Installing $unit_file..."
+
+ # Remove existing link or file if it exists to ensure clean install
+ if [ -L "$dest_path" ] || [ -f "$dest_path" ]; then
+ log_info "Removing existing $dest_path"
+ rm -f "$dest_path"
+ fi
+
+ # Create symlink
+ ln -s "$src_path" "$dest_path"
+
+ if [ -L "$dest_path" ]; then
+ log_success "Linked $src_path to $dest_path"
+ else
+ log_error "Failed to link $unit_file"
+ exit 1
+ fi
+}
+
+# Main execution
+log_info "Starting installation of systemd services..."
+
+install_unit "$SERVICE_FILE"
+install_unit "$TIMER_FILE"
+
+log_info "Reloading systemd daemon..."
+systemctl daemon-reload
+log_success "Systemd daemon reloaded"
+
+log_info "Enabling and starting $TIMER_FILE..."
+systemctl enable --now "$TIMER_FILE"
+log_success "$TIMER_FILE enabled and started"
+
+log_info "Checking status of $TIMER_FILE..."
+if systemctl is-active --quiet "$TIMER_FILE"; then
+ systemctl status "$TIMER_FILE" --no-pager
+ echo ""
+ log_success "Installation complete!"
+else
+ log_error "$TIMER_FILE is not active"
+ systemctl status "$TIMER_FILE" --no-pager
+ exit 1
+fi
diff --git a/scripts/setup_client.sh b/scripts/setup_client.sh
new file mode 100755
index 0000000..5fc8c78
--- /dev/null
+++ b/scripts/setup_client.sh
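Review bot: `install_unit` symlinks `/etc/systemd/system/$unit_file` to a file under `$PROJECT_ROOT/systemd`, so what systemd loads as root is whatever the checkout contains at the next `daemon-reload`; if that directory is writable by a non-root user (the script never checks), editing the unit there is enough to run commands as root. Copying with fixed ownership removes that dependency: replace the `ln -s` line with `install -o root -g root -m 0644 "$src_path" "$dest_path"` and change the following `[ -L "$dest_path" ]` check to `[ -f "$dest_path" ]`. If the link is intentional, a comment saying so, plus a check that `$src_path` and its parent directories are root-owned, would document the trust assumption. `log_error` also prints to stdout; adding `>&2` to its `echo` keeps failures out of captured output.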
@@ -0,0 +1,139 @@
+#!/bin/bash
+
+set -e
+
+# Colors
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+RED='\033[0;31m'
+NC='\033[0m' # No Color
+
+log_info() { echo -e "${YELLOW}[INFO]${NC} $1"; }
+log_success() { echo -e "${GREEN}[SUCCESS]${NC} $1"; }
+log_error() { echo -e "${RED}[ERROR]${NC} $1"; }
+
+# Check for required tools
+check_command() {
+ if ! command -v "$1" &> /dev/null; then
+ log_error "$1 is required but not installed."
+ exit 1
+ fi
+}
+
+check_command step
+check_command curl
+check_command wget
+check_command bunzip2
+
+# 1. Setup Step Certificates
+log_info "Setting up Step Certificates..."
+
+STEP_PATH="$(step path)"
+CERTS_DIR="$STEP_PATH/certs"
+
+if [ ! -d "$CERTS_DIR" ]; then
+ log_info "Creating directory $CERTS_DIR"
+ mkdir -p "$CERTS_DIR"
+fi
+
+# Prompt for secret securely (reading from /dev/tty to support pipe execution)
+echo -e "${YELLOW}Please enter the provisioner password for 'admin':${NC}"
+read -s secret < /dev/tty
+echo ""
+
+if [ -z "$secret" ]; then
+ log_error "Password cannot be empty."
+ exit 1
+fi
+
+# Prompt for Repo Name
+DEFAULT_REPO_NAME=$(hostnamectl hostname 2>/dev/null || hostname)
+echo -e "${YELLOW}Please enter the Restic Repository Name (default: $DEFAULT_REPO_NAME):${NC}"
+read repo_name < /dev/tty
+
+if [ -z "$repo_name" ]; then
+ repo_name="$DEFAULT_REPO_NAME"
+fi
+
+# Save secret temporarily
+SECRET_FILE="$CERTS_DIR/secret.txt"
+(umask 077; echo "$secret" > "$SECRET_FILE")
+log_success "Secret saved to $SECRET_FILE"
+
+# Generate Certificates
+log_info "Generating certificates for repo/client: $repo_name"
+
+cd "$CERTS_DIR"
+
+if step ca certificate \
+ --provisioner admin --password-file secret.txt \
+ "$repo_name" restic.crt restic.key; then
+
+ # Combine into PEM
+ (umask 077; cat restic.crt restic.key > restic.pem)
+ log_success "Certificates generated and combined into restic.pem"
+
+ # Clean up secret? The README keeps it, but usually it's good to ask.
+ # The README implies keeping it for renewal maybe?
+ # But for client certs, renewal might need the password again if using the same provisioner.
+ # I'll leave it as per README instructions.
+else
+ log_error "Failed to generate certificates. Check your password and connection to the CA."
+ rm -f "$SECRET_FILE"
+ exit 1
+fi
+
+# 2. Install Restic
+log_info "Checking for Restic..."
+
+if ! command -v restic &> /dev/null; then
+ log_info "Restic not found. Installing latest version..."
+
+ RESTIC_VERSION="0.18.1"
+ DOWNLOAD_URL="https://github.com/restic/restic/releases/download/v${RESTIC_VERSION}/restic_${RESTIC_VERSION}_linux_amd64.bz2"
+
+ TMP_DIR=$(mktemp -d)
+ pushd "$TMP_DIR" > /dev/null
+
+ wget -q -O restic.bz2 "$DOWNLOAD_URL"
+ bunzip2 restic.bz2
+ chmod +x restic
+
+ log_info "Installing restic to /usr/local/bin (requires sudo)..."
+ if sudo mv restic /usr/local/bin/; then
+ log_success "Restic installed successfully."
+ else
+ log_error "Failed to move restic to /usr/local/bin"
+ popd > /dev/null
+ rm -rf "$TMP_DIR"
+ exit 1
+ fi
+
+ popd > /dev/null
+ rm -rf "$TMP_DIR"
+else
+ CURRENT_VERSION=$(restic version | awk '{print $2}')
+ log_success "Restic is already installed (version $CURRENT_VERSION)"
+fi
+
+# 3. Final Instructions
+ROOT_CA="$CERTS_DIR/root_ca.crt"
+CLIENT_PEM="$CERTS_DIR/restic.pem"
+
+# Ensure root_ca exists (it should if step is bootstrapped)
+if [ ! -f "$ROOT_CA" ]; then
+ log_info "Downloading Root CA..."
+ step ca root "$ROOT_CA"
+fi
+
+log_success "Setup complete!"
+echo ""
+echo -e "${GREEN}=== Environment Configuration ===${NC}"
+echo "Add the following lines to your shell configuration (.bashrc, .zshrc, etc) or script:"
+echo ""
+echo "export RESTIC_CACERT=$ROOT_CA"
+echo "export RESTIC_TLS_CLIENT_CERT=$CLIENT_PEM"
+echo "export RESTIC_REPOSITORY=rest:https://soteria.john-stream.com/$repo_name"
+echo "export RESTIC_PASSWORD_FILE=~/.config/resticprofile/password.txt"
+echo ""
+echo -e "${YELLOW}Note: Adjust RESTIC_REPOSITORY and RESTIC_PASSWORD_FILE as needed.${NC}"
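Review bot: The provisioner password is written under the comment `# Save secret temporarily`, but `secret.txt` is removed only on the failure branch, so after a successful run the 'admin' provisioner password stays in plaintext in `$CERTS_DIR`; anyone who can read that file can presumably request certificates for other names from the CA. Unless renewal is confirmed to need it, add `trap 'rm -f "$SECRET_FILE"' EXIT` right after the file is written, which also covers early exits under `set -e`. `umask 077` only takes effect when the file is created, so a pre-existing `secret.txt` keeps its old mode; running `rm -f "$SECRET_FILE"` before the write closes that gap. Separately, the restic archive is unpacked and moved into `/usr/local/bin` with no integrity check; pinning a digest next to `RESTIC_VERSION` and running `echo "$RESTIC_SHA256  restic.bz2" | sha256sum -c -` before `bunzip2` would catch a tampered or truncated download (`RESTIC_SHA256` here is a placeholder for the value taken from that release's published checksums).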