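#!/bin/bash
# Set up a restic client against a step-ca protected REST server:
#   1. issue an mTLS client certificate from the 'admin' provisioner,
#   2. install a pinned restic release if restic is not already present,
#   3. print the environment variables restic needs.
#
# Usage: bash setup.sh   (also works as `curl ... | bash`; prompts read /dev/tty)
#
# Environment (all optional):
#   RESTIC_VERSION    restic release to install when restic is missing (default 0.18.1)
#   KEEP_SECRET_FILE  set to 1 to leave the provisioner password file in
#                     $(step path)/certs after a successful run (README workflow).
#                     By default it is deleted: that password can mint a
#                     certificate for any name, so it should not live next to
#                     the client key longer than necessary.
set -euo pipefail

# Colors
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
RED='\033[0;31m'
NC='\033[0m' # No Color

# Log helpers. Errors go to stderr so `script > log` still shows them.
log_info()    { echo -e "${YELLOW}[INFO]${NC} $1"; }
log_success() { echo -e "${GREEN}[SUCCESS]${NC} $1"; }
log_error()   { echo -e "${RED}[ERROR]${NC} $1" >&2; }

# check_command NAME — exit 1 with a message if NAME is not on PATH.
check_command() {
  if ! command -v "$1" &> /dev/null; then
    log_error "$1 is required but not installed."
    exit 1
  fi
}

# Paths removed on every exit path (success, error, Ctrl-C). Filled in by the
# steps below; empty means "nothing to clean up".
SECRET_FILE=""
TMP_DIR=""
cleanup() {
  if [[ -n "$SECRET_FILE" && "${KEEP_SECRET_FILE:-0}" != "1" ]]; then
    rm -f -- "$SECRET_FILE"
  fi
  if [[ -n "$TMP_DIR" ]]; then
    rm -rf -- "$TMP_DIR"
  fi
}
trap cleanup EXIT

# install_restic — download the pinned restic release for this CPU, verify it
# against the SHA256SUMS file published with the same release, and install it
# to /usr/local/bin via sudo. Exits 1 on an unsupported CPU, a failed
# checksum, or a failed install.
install_restic() {
  local version="${RESTIC_VERSION:-0.18.1}"
  local machine arch
  machine="$(uname -m)"
  case "$machine" in
    x86_64)        arch=amd64 ;;
    aarch64|arm64) arch=arm64 ;;
    *)
      log_error "Unsupported architecture '$machine'; install restic manually."
      exit 1
      ;;
  esac
  local asset="restic_${version}_linux_${arch}.bz2"
  local base_url="https://github.com/restic/restic/releases/download/v${version}"

  log_info "Restic not found. Installing version ${version} (${arch})..."
  TMP_DIR=$(mktemp -d)
  pushd "$TMP_DIR" > /dev/null
  # The asset keeps its release filename so the SHA256SUMS line matches it.
  wget -q -O "$asset" "${base_url}/${asset}"
  wget -q -O SHA256SUMS "${base_url}/SHA256SUMS"
  # Supply-chain check: the download must match the digest the release
  # publishes ("<sha256>  <asset>" lines). This catches a corrupted or swapped
  # artifact but not a compromised release; verifying SHA256SUMS.asc with the
  # restic signing key would close that gap.
  if ! grep -F -- "  ${asset}" SHA256SUMS | sha256sum -c --status -; then
    log_error "Checksum verification failed for ${asset}; not installing."
    popd > /dev/null
    exit 1
  fi
  bunzip2 "$asset"                 # produces ${asset%.bz2}
  mv -- "${asset%.bz2}" restic
  log_info "Installing restic to /usr/local/bin (requires sudo)..."
  if sudo install -m 0755 restic /usr/local/bin/restic; then
    log_success "Restic installed successfully."
  else
    log_error "Failed to move restic to /usr/local/bin"
    popd > /dev/null
    exit 1
  fi
  popd > /dev/null
}

main() {
  # curl is not used by this script, so it is not required.
  check_command step
  check_command wget
  check_command bunzip2
  check_command sha256sum

  # 1. Setup Step Certificates
  log_info "Setting up Step Certificates..."
  local step_path certs_dir
  step_path="$(step path)"
  certs_dir="$step_path/certs"
  if [[ ! -d "$certs_dir" ]]; then
    log_info "Creating directory $certs_dir"
    mkdir -p "$certs_dir"
  fi

  # Prompt for secret securely (reading from /dev/tty to support pipe
  # execution). -s suppresses echo; -r keeps backslashes literal.
  local secret
  echo -e "${YELLOW}Please enter the provisioner password for 'admin':${NC}"
  read -rs secret < /dev/tty
  echo ""
  if [[ -z "$secret" ]]; then
    log_error "Password cannot be empty."
    exit 1
  fi

  # Prompt for Repo Name
  local default_repo_name repo_name
  default_repo_name=$(hostnamectl hostname 2>/dev/null || hostname)
  echo -e "${YELLOW}Please enter the Restic Repository Name (default: $default_repo_name):${NC}"
  read -r repo_name < /dev/tty
  if [[ -z "$repo_name" ]]; then
    repo_name="$default_repo_name"
  fi
  # The name becomes the certificate subject and a path segment of the
  # RESTIC_REPOSITORY URL, so restrict it to hostname-like characters.
  if [[ ! "$repo_name" =~ ^[A-Za-z0-9._-]+$ ]]; then
    log_error "Repository name may only contain letters, digits, '.', '_' or '-': '$repo_name'"
    exit 1
  fi

  # Save secret temporarily (mode 0600 via umask). printf, not echo, so a
  # password starting with '-' or containing backslashes is written verbatim.
  SECRET_FILE="$certs_dir/secret.txt"
  (umask 077; printf '%s\n' "$secret" > "$SECRET_FILE")
  unset secret
  log_success "Secret saved to $SECRET_FILE"

  # Generate Certificates. The password travels by file, not argv, so it is
  # not visible in `ps`.
  log_info "Generating certificates for repo/client: $repo_name"
  cd "$certs_dir"
  if step ca certificate \
      --provisioner admin --password-file secret.txt \
      "$repo_name" restic.crt restic.key; then
    # Combine into PEM; the bundle contains the private key, hence 0600.
    (umask 077; cat restic.crt restic.key > restic.pem)
    log_success "Certificates generated and combined into restic.pem"
    # Renewal (`step ca renew`) uses the issued certificate, not the
    # provisioner password, so the password file is only kept on request.
    if [[ "${KEEP_SECRET_FILE:-0}" == "1" ]]; then
      log_info "Keeping $SECRET_FILE (KEEP_SECRET_FILE=1)"
    else
      rm -f -- "$SECRET_FILE"
      SECRET_FILE=""
      log_info "Removed provisioner password file $certs_dir/secret.txt"
    fi
  else
    log_error "Failed to generate certificates. Check your password and connection to the CA."
    rm -f -- "$SECRET_FILE"
    exit 1
  fi

  # 2. Install Restic
  log_info "Checking for Restic..."
  if ! command -v restic &> /dev/null; then
    install_restic
  else
    local current_version
    current_version=$(restic version | awk '{print $2}')
    log_success "Restic is already installed (version $current_version)"
  fi

  # 3. Final Instructions
  local root_ca="$certs_dir/root_ca.crt"
  local client_pem="$certs_dir/restic.pem"
  # Ensure root_ca exists (it should if step is bootstrapped).
  # NOTE(review): without a prior `step ca bootstrap --fingerprint ...` this
  # download presumably has nothing to verify against; bootstrap first on a
  # fresh machine rather than trusting whatever the URL returns.
  if [[ ! -f "$root_ca" ]]; then
    log_info "Downloading Root CA..."
    step ca root "$root_ca"
  fi

  log_success "Setup complete!"
  echo ""
  echo -e "${GREEN}=== Environment Configuration ===${NC}"
  echo "Add the following lines to your shell configuration (.bashrc, .zshrc, etc) or script:"
  echo ""
  echo "export RESTIC_CACERT=$root_ca"
  echo "export RESTIC_TLS_CLIENT_CERT=$client_pem"
  echo "export RESTIC_REPOSITORY=rest:https://soteria.john-stream.com/$repo_name"
  echo "export RESTIC_PASSWORD_FILE=~/.config/resticprofile/password.txt"
  echo ""
  echo -e "${YELLOW}Note: Adjust RESTIC_REPOSITORY and RESTIC_PASSWORD_FILE as needed.${NC}"
}

main "$@"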