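#!/usr/bin/perl
use warnings;
use strict;

# provision.pl
# script to provision a tilde instance
#
# This script is intended to be run on a fresh
# OpenBSD install
#
# gashapwn
# Nov 2020

my $GIT_REPO = 'https://git.lain.church/gashapwn/lyadmin.git';
my ($REPO_DIR) = $GIT_REPO =~ /\/([^\/]*)\.git$/;
my $INST_DIR = "/tilde";
my $SVC_ACCT = "_lingyind";

my $pwuid;
my $admin_un;

# Read one line from STDIN with the trailing newline removed.
# Returns '' on EOF so callers always get a defined string.
sub _read_line {
    my $line = <STDIN>;
    return '' unless defined $line;
    chomp $line;
    return $line;
}

# Run a command and warn (but continue) when it exits non-zero. This keeps
# the original best-effort flow while making failures visible in the log.
# A single string argument is passed through the shell exactly as system()
# does, so only constant strings are run that way; anything carrying
# operator input is passed as a list, which bypasses the shell entirely.
sub _run {
    my @cmd = @_;
    my $rc = system(@cmd);
    if ($rc != 0) {
        my $why = ($rc == -1) ? "exec failed: $!" : "exit " . ($rc >> 8);
        warn sprintf("command failed (%s): %s\n", $why, join(' ', @cmd));
    }
    return $rc;
}

# Look for a non-system user (uid of four or more digits) among the last
# entries of /etc/passwd, skipping "nobody". Only the last 10 entries are
# examined because of tail's default, which matches the original lookup.
# Returns the username, or undef when none is found.
sub _find_admin_user {
    my $passwd_tail = `tail /etc/passwd | grep -v "nobody:"`;
    return undef unless defined $passwd_tail;
    my ($name) = $passwd_tail =~ /([^:\n]+):[^:]+:[0-9]{4,}/;
    return $name;
}

# Prompts for a username and an SSH public key, then creates that user and
# installs the key as its authorized_keys.
# Dies when the username is invalid, the key is not a single clean line,
# the operator declines the useradd command, or useradd fails.
sub create() {
    my $username;
    my $pub_key;

    # read in username and validate. OpenBSD caps login names at 31
    # characters; the strict charset keeps the name safe to use in paths.
    print "Enter username: ";
    $username = _read_line();
    if (length($username) > 31 || $username !~ /^[A-Za-z][A-Za-z0-9]+$/) {
        printf("%s is an INVALID username\n", $username);
        die("oh no");
    }

    # read in pub key. An OpenSSH public key is a single line; control
    # characters would let the input split or corrupt authorized_keys.
    print "Enter pubkey: ";
    $pub_key = _read_line();
    if ($pub_key eq '' || $pub_key =~ /[\x00-\x1f\x7f]/) {
        die "pubkey must be a single non-empty line";
    }

    # Prompt to make sure the username looks OK
    my @useradd = ('useradd', '-m', $username);
    printf("Y/N is this command OK?: %s\n", join(' ', @useradd));
    if (_read_line() !~ /^y/i) {
        die "provision cancelled...";
    }

    # create the user (list form: no shell involved)
    system(@useradd) == 0 or die "useradd $username failed: $?";

    # Write the key with Perl file I/O rather than echo through sh, so the
    # key text is never interpreted by a shell. useradd -m is not
    # guaranteed to create ~/.ssh, so create it here.
    my $home    = "/home/$username";
    my $ssh_dir = "$home/.ssh";
    my $ak_file = "$ssh_dir/authorized_keys";
    unless (-d $ssh_dir) {
        mkdir $ssh_dir, 0700 or die "mkdir $ssh_dir: $!";
    }
    open my $ak, '>', $ak_file or die "open $ak_file: $!";
    print {$ak} $pub_key, "\n";
    close $ak or die "close $ak_file: $!";
    chmod 0600, $ak_file;

    # hand the key files to the new user instead of leaving them root-owned
    my ($uid, $gid) = (getpwnam($username))[2, 3];
    if (defined $uid) {
        chown $uid, $gid, $ssh_dir, $ak_file;
    }
    chmod 0711, $home or die "chmod $home: $!";
    return;
}

# Make sure we're running as root
$pwuid = getpwuid($<);
if (!defined($pwuid) || $pwuid ne "root") {
    die "script must be run as root";
}

# Make sure script is provisioning a fresh instance
# and doesn't clobber users existing configs
printf("This script is meant to be run on a fresh install\n");
printf("Y/N OK to proceed?");
if (_read_line() !~ /^y/i) {
    die "provision cancelled...";
}

$admin_un = _find_admin_user();
unless (defined $admin_un) {
    printf("to provision the instance there must be a non root user with an authorized_keys file");
    printf("creating user...\n");
    create();
}

# install git
_run("pkg_add git");

# Setup install dir
unless (-d $INST_DIR) {
    mkdir $INST_DIR or die "mkdir $INST_DIR: $!";
}
_run('useradd', '-d', $INST_DIR, '-r', '100..900', $SVC_ACCT);
_run('chown', "$SVC_ACCT:$SVC_ACCT", $INST_DIR);
chdir $INST_DIR or die "chdir $INST_DIR: $!";

# clone repo
_run('su', $SVC_ACCT, '-c', "git clone $GIT_REPO");
die "could not derive a checkout directory from $GIT_REPO" unless defined $REPO_DIR;
chdir $REPO_DIR or die "chdir $REPO_DIR: $!";

# Copy the skel directory
_run('mkdir', './skel/public_html/cgi');
_run('cp', '-r', glob('./skel/*'), '/etc/skel/');

# Check /etc/passwd for the username created during
# installation
$admin_un = _find_admin_user();
if (defined $admin_un) {
    # grant doas access to admin user (this replaces any existing doas.conf)
    open my $doas, '>', '/etc/doas.conf' or die "open /etc/doas.conf: $!";
    print {$doas} "permit nopass $admin_un\n";
    close $doas or die "close /etc/doas.conf: $!";

    # setup admin user; the glob is expanded by Perl so no shell sees the name
    _run('cp', '-r', glob('./skel/*'), "/home/$admin_un/");
    _run('chown', '-R', "$admin_un:$admin_un", "/home/$admin_un");
    open my $ul, '>>', './user_list.txt' or die "open ./user_list.txt: $!";
    print {$ul} "$admin_un\n";
    close $ul or die "close ./user_list.txt: $!";
}

# Setup the virtual environment
_run("pkg_add python3 openssl rust bash");
printf("generating virtual enviornment...\n");
_run('su', $SVC_ACCT, '-c', 'python3 -m venv venv');
printf("running pip. can take up to 3 minutes due to slow compilation.\n");
_run('su', $SVC_ACCT, '-c', '. ./venv/bin/activate && python3 -m pip install --upgrade pip');
_run('su', $SVC_ACCT, '-c', '. ./venv/bin/activate && pip3 install -r requirements.txt');
_run('cp', './perl-script/conf/lingyin.rc', '/etc/rc.d/lingyind');
chmod 0755, '/etc/rc.d/lingyind';
_run('rcctl', 'enable', 'lingyind');
_run('rcctl', 'start', 'lingyind');
_run("pkg_add p5-JSON");

# Install apache
_run("pkg_add apache-httpd");
printf("configuring apache\n");

# The sed programs are written as q{} strings so that neither Perl
# interpolation nor double-quote backslash processing can alter them.
# enable the userdir module
_run(q{sed -i -e 's/^\(.\)*#\(LoadModule userdir_module\)/\1\2/' /etc/apache2/httpd2.conf});
_run(q{sed -i -e 's/^\(.\)*#\(Include \/etc\/apache2\/extra\/httpd-userdir.conf\)/\1\2/' /etc/apache2/httpd2.conf});

# Enable the CGI directory
# NOTE(review): the Directory block that should wrap these directives is
# not visible in this copy of the script (it may have been lost when the
# page was extracted); confirm against the repository before relying on it.
{
    my $userdir_conf = '/etc/apache2/extra/httpd-userdir.conf';
    open my $uc, '>>', $userdir_conf or die "open $userdir_conf: $!";
    print {$uc} "\n",
        "Require all granted\n",
        "Options +ExecCGI\n",
        "AddHandler cgi-script .cgi\n";
    close $uc or die "close $userdir_conf: $!";
}

# Enable the CGI modules
_run(q{sed -i -e 's/^\(.\)*#\(LoadModule cgi_module\)/\1\2/' /etc/apache2/httpd2.conf});
_run(q{sed -i -e 's/^\(.\)*#\(LoadModule cgid_module\)/\1\2/' /etc/apache2/httpd2.conf});

# Disable directory listing: insert an "Options -Indexes" line before each
# closing Directory tag (the backslash-newline is sed's replacement newline)
_run("sed -i -e 's/\\(<\\/Directory>\\)/ Options -Indexes\\\n\\1/g' /etc/apache2/extra/httpd-userdir.conf");

# Change the port to 5001
_run(q{sed -i -e 's/^\(.\)*Listen *80/\1Listen 5001/' /etc/apache2/httpd2.conf});

# rev up those apache processes!
_run('rcctl', 'enable', 'apache2');
_run('rcctl', 'start', 'apache2');

# Install and config haproxy
_run("pkg_add haproxy");
printf("configuring haproxy\n");
_run('cp', './perl-script/conf/haproxy.cfg', '/etc/haproxy/haproxy.cfg');
_run('rcctl', 'enable', 'haproxy');
_run('rcctl', 'start', 'haproxy');

# Disable root login and password login. The password sed previously sat
# in a double-quoted string, where "$/" interpolated as a newline and left
# sed with an unterminated pattern; q{} keeps the "$" anchor intact.
_run(q{sed -i -e 's/^[^#]*PermitRootLogin.*$/PermitRootLogin no/' /etc/ssh/sshd_config});
_run(q{sed -i -e 's/^PasswordAuthentication.*$//' /etc/ssh/sshd_config});
{
    open my $sc, '>>', '/etc/ssh/sshd_config' or die "open /etc/ssh/sshd_config: $!";
    print {$sc} "PasswordAuthentication no\n";
    close $sc or die "close /etc/ssh/sshd_config: $!";
}
_run('rcctl', 'restart', 'sshd');

printf("\n\nInstall complete\n");
printf("==================================================\n");
printf("Protip: use doas instead of sudo\n");
printf("root login and password login is now disabled, so dont forget\nto set a password\n");
printf("and test your pub key\n");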