started some setup scripts
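--- a/scripts/install_services.sh
+++ b/scripts/install_services.sh
@@ -0,0 +1,90 @@
+#!/bin/bash
+
+set -e
+
+# Colors
+GREEN='\033[0;32m'
+RED='\033[0;31m'
+YELLOW='\033[1;33m'
+NC='\033[0m' # No Color
+
+log_info() {
+echo -e "${YELLOW}[INFO]${NC} $1"
+}
+
+log_success() {
+echo -e "${GREEN}[SUCCESS]${NC} $1"
+}
+
+log_error() {
+echo -e "${RED}[ERROR]${NC} $1"
+}
+
+# Check for sudo/root
+if [ "$EUID" -ne 0 ]; then
+log_error "Please run as root or with sudo"
+exit 1
+fi
+
+# Determine paths
+SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
+PROJECT_ROOT="$(dirname "$SCRIPT_DIR")"
+SYSTEMD_DIR="$PROJECT_ROOT/systemd"
+DEST_DIR="/etc/systemd/system"
+
+SERVICE_FILE="cert-renewer.service"
+TIMER_FILE="cert-renewer.timer"
+
+install_unit() {
+local unit_file=$1
+local src_path="$SYSTEMD_DIR/$unit_file"
+local dest_path="$DEST_DIR/$unit_file"
+
+if [ ! -f "$src_path" ]; then
+log_error "Source file not found: $src_path"
+exit 1
+fi
+
+log_info "Installing $unit_file..."
+
+# Remove existing link or file if it exists to ensure clean install
+if [ -L "$dest_path" ] || [ -f "$dest_path" ]; then
+log_info "Removing existing $dest_path"
+rm -f "$dest_path"
+fi
+
+# Create symlink
+ln -s "$src_path" "$dest_path"
+
+if [ -L "$dest_path" ]; then
+log_success "Linked $src_path to $dest_path"
+else
+log_error "Failed to link $unit_file"
+exit 1
+fi
+}
+
+# Main execution
+log_info "Starting installation of systemd services..."
+
+install_unit "$SERVICE_FILE"
+install_unit "$TIMER_FILE"
+
+log_info "Reloading systemd daemon..."
+systemctl daemon-reload
+log_success "Systemd daemon reloaded"
+
+log_info "Enabling and starting $TIMER_FILE..."
+systemctl enable --now "$TIMER_FILE"
+log_success "$TIMER_FILE enabled and started"
+
+log_info "Checking status of $TIMER_FILE..."
+if systemctl is-active --quiet "$TIMER_FILE"; then
+systemctl status "$TIMER_FILE" --no-pager
+echo ""
+log_success "Installation complete!"
+else
+log_error "$TIMER_FILE is not active"
+systemctl status "$TIMER_FILE" --no-pager
+exit 1
+fi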
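Review bot: `ln -s "$src_path" "$dest_path"` in install_unit makes systemd run, as root, whatever is currently in `$PROJECT_ROOT/systemd/`, but nothing checks who owns or can write that file (or the directory above it, since a rename there swaps the link target), so any user with write access to the checkout controls a root-run unit after installation. Before the `ln -s`, refuse units that are not root-owned or are group/world-writable, e.g. `if [ "$(stat -c %u "$src_path")" != 0 ] || [ -n "$(find "$src_path" -maxdepth 0 -perm /022)" ]; then log_error "$src_path must be root-owned and not group/world-writable"; exit 1; fi`, or copy the files into /etc/systemd/system instead of linking them. Separately, `systemctl status` returns non-zero for an inactive unit, so under `set -e` the else branch at the end of the script exits with systemctl's code before reaching the explicit `exit 1`; harmless, but worth a one-line comment. The rendered page shows every line at column 0, so the script's indentation cannot be reviewed from here.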
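--- a/scripts/setup_client.sh
+++ b/scripts/setup_client.sh
@@ -0,0 +1,139 @@
+#!/bin/bash
+
+set -e
+
+# Colors
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+RED='\033[0;31m'
+NC='\033[0m' # No Color
+
+log_info() { echo -e "${YELLOW}[INFO]${NC} $1"; }
+log_success() { echo -e "${GREEN}[SUCCESS]${NC} $1"; }
+log_error() { echo -e "${RED}[ERROR]${NC} $1"; }
+
+# Check for required tools
+check_command() {
+if ! command -v "$1" &> /dev/null; then
+log_error "$1 is required but not installed."
+exit 1
+fi
+}
+
+check_command step
+check_command curl
+check_command wget
+check_command bunzip2
+
+# 1. Setup Step Certificates
+log_info "Setting up Step Certificates..."
+
+STEP_PATH="$(step path)"
+CERTS_DIR="$STEP_PATH/certs"
+
+if [ ! -d "$CERTS_DIR" ]; then
+log_info "Creating directory $CERTS_DIR"
+mkdir -p "$CERTS_DIR"
+fi
+
+# Prompt for secret securely (reading from /dev/tty to support pipe execution)
+echo -e "${YELLOW}Please enter the provisioner password for 'admin':${NC}"
+read -s secret < /dev/tty
+echo ""
+
+if [ -z "$secret" ]; then
+log_error "Password cannot be empty."
+exit 1
+fi
+
+# Prompt for Repo Name
+DEFAULT_REPO_NAME=$(hostnamectl hostname 2>/dev/null || hostname)
+echo -e "${YELLOW}Please enter the Restic Repository Name (default: $DEFAULT_REPO_NAME):${NC}"
+read repo_name < /dev/tty
+
+if [ -z "$repo_name" ]; then
+repo_name="$DEFAULT_REPO_NAME"
+fi
+
+# Save secret temporarily
+SECRET_FILE="$CERTS_DIR/secret.txt"
+(umask 077; echo "$secret" > "$SECRET_FILE")
+log_success "Secret saved to $SECRET_FILE"
+
+# Generate Certificates
+log_info "Generating certificates for repo/client: $repo_name"
+
+cd "$CERTS_DIR"
+
+if step ca certificate \
+--provisioner admin --password-file secret.txt \
+"$repo_name" restic.crt restic.key; then
+
+# Combine into PEM
+(umask 077; cat restic.crt restic.key > restic.pem)
+log_success "Certificates generated and combined into restic.pem"
+
+# Clean up secret? The README keeps it, but usually it's good to ask.
+# The README implies keeping it for renewal maybe?
+# But for client certs, renewal might need the password again if using the same provisioner.
+# I'll leave it as per README instructions.
+else
+log_error "Failed to generate certificates. Check your password and connection to the CA."
+rm -f "$SECRET_FILE"
+exit 1
+fi
+
+# 2. Install Restic
+log_info "Checking for Restic..."
+
+if ! command -v restic &> /dev/null; then
+log_info "Restic not found. Installing latest version..."
+
+RESTIC_VERSION="0.18.1"
+DOWNLOAD_URL="https://github.com/restic/restic/releases/download/v${RESTIC_VERSION}/restic_${RESTIC_VERSION}_linux_amd64.bz2"
+
+TMP_DIR=$(mktemp -d)
+pushd "$TMP_DIR" > /dev/null
+
+wget -q -O restic.bz2 "$DOWNLOAD_URL"
+bunzip2 restic.bz2
+chmod +x restic
+
+log_info "Installing restic to /usr/local/bin (requires sudo)..."
+if sudo mv restic /usr/local/bin/; then
+log_success "Restic installed successfully."
+else
+log_error "Failed to move restic to /usr/local/bin"
+popd > /dev/null
+rm -rf "$TMP_DIR"
+exit 1
+fi
+
+popd > /dev/null
+rm -rf "$TMP_DIR"
+else
+CURRENT_VERSION=$(restic version | awk '{print $2}')
+log_success "Restic is already installed (version $CURRENT_VERSION)"
+fi
+
+# 3. Final Instructions
+ROOT_CA="$CERTS_DIR/root_ca.crt"
+CLIENT_PEM="$CERTS_DIR/restic.pem"
+
+# Ensure root_ca exists (it should if step is bootstrapped)
+if [ ! -f "$ROOT_CA" ]; then
+log_info "Downloading Root CA..."
+step ca root "$ROOT_CA"
+fi
+
+log_success "Setup complete!"
+echo ""
+echo -e "${GREEN}=== Environment Configuration ===${NC}"
+echo "Add the following lines to your shell configuration (.bashrc, .zshrc, etc) or script:"
+echo ""
+echo "export RESTIC_CACERT=$ROOT_CA"
+echo "export RESTIC_TLS_CLIENT_CERT=$CLIENT_PEM"
+echo "export RESTIC_REPOSITORY=rest:https://soteria.john-stream.com/$repo_name"
+echo "export RESTIC_PASSWORD_FILE=~/.config/resticprofile/password.txt"
+echo ""
+echo -e "${YELLOW}Note: Adjust RESTIC_REPOSITORY and RESTIC_PASSWORD_FILE as needed.${NC}"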
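Review bot: The restic binary fetched at `wget -q -O restic.bz2 "$DOWNLOAD_URL"` is unpacked and placed in /usr/local/bin with `sudo mv` without any integrity check, so a tampered or truncated download is installed as a root-owned binary that later runs with the user's backup credentials; the restic release carries a `SHA256SUMS` file that can be verified before `bunzip2`. The same branch pins `RESTIC_VERSION="0.18.1"` while logging "Installing latest version..." and hard-codes `linux_amd64`, so on a non-amd64 host the installed file will not run; either derive the architecture from `uname -m` or state the restriction in the message. Because `set -e` is active, a failing `wget` or `bunzip2` exits before the `popd`/`rm -rf "$TMP_DIR"` cleanup runs, which a `trap 'rm -rf "$TMP_DIR"' EXIT` right after `mktemp -d` fixes without the duplicated cleanup in the `else` arm. The lines below replace the stretch from `RESTIC_VERSION=` through `chmod +x restic` inside the `if ! command -v restic` branch; the `sudo mv` and what follows are unchanged.
```shell
  RESTIC_VERSION="0.18.1"
  ARCHIVE="restic_${RESTIC_VERSION}_linux_amd64.bz2"
  RELEASE_URL="https://github.com/restic/restic/releases/download/v${RESTIC_VERSION}"

  TMP_DIR=$(mktemp -d)
  # Cleanup on every exit path, including set -e aborts below.
  trap 'rm -rf "$TMP_DIR"' EXIT
  pushd "$TMP_DIR" > /dev/null

  # Keep the upstream filename so the published checksum list matches it.
  wget -q -O "$ARCHIVE" "$RELEASE_URL/$ARCHIVE"
  wget -q -O SHA256SUMS "$RELEASE_URL/SHA256SUMS"
  if ! grep -F " $ARCHIVE" SHA256SUMS | sha256sum -c - > /dev/null; then
    log_error "Checksum verification failed for $ARCHIVE"
    exit 1
  fi

  bunzip2 "$ARCHIVE"
  mv "${ARCHIVE%.bz2}" restic
  chmod +x restic
  # … unchanged: log_info, sudo mv restic /usr/local/bin/, popd …
```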