- #!/usr/bin/perl
-
- use warnings;
- use strict;
-
- # provision.pl
- # script to provision a tilde instance
- #
- # This script is intended to be run on a fresh
- # OpenBSD install
- #
- # gashapwn
- # Nov 2020
-
- my $DEV_FLAG = shift || "";
-
- my $GIT_REPO = 'https://git.lain.church/gashapwn/lyadmin.git';
- my $GIT_BRANCH = length($DEV_FLAG) > 0 ? "-b gasha-branch " : "";
- my ($REPO_DIR) = $GIT_REPO =~ /\/([^\/]*)\.git$/;
- my $INST_DIR = "/tilde";
-
- my $SVC_ACCT = "_lingyind";
-
- my $pwuid;
-
- my $admin_un;
- my $admin_home_dir;
-
- # Given a username... prompts and creates that user
- sub create(){
- my $id;
-
- my $username;
- my $user_email;
- my $pub_key;
-
- my $p0;
-
- # Prompts...
- $p0 = [
- "Enter username: ",
- "Enter pubkey: "
- ];
-
- # read in username and validate
- printf($p0->[0]);
- $username = <STDIN>;
- chomp $username;
-
- if(length($username) > 31 || !($username =~ /^[A-Za-z][A-Za-z0-9]+$/)){
- printf("%s is an INVALID username\n", $id);
- die ("oh no");
- }
-
- # read in pub key
- printf($p0->[1]);
- $pub_key = <STDIN>;
- chomp $pub_key;
-
- {
- # Prompt to make sure the username looks OK
- my $cmd;
- $cmd = "useradd -m " . $username;
- printf("Y/N is this command OK?: %s\n", $cmd);
-
- if(!(<STDIN> =~ /^y/i)){
- die "provision cancelled...";
- }
-
- # create the user
- system($cmd);
- system("echo '".$pub_key."' > /home/$username/.ssh/authorized_keys");
- system("chmod 711 /home/$username");
- }
- }
-
- # Make sure we're running as root
- $pwuid = getpwuid( $< );
-
- if($pwuid ne "root"){
- die "script must be run as root";
- }
-
- # Make sure script is provisioning a fresh instance
- # and doesn't clobber users existing configs
- printf("This script is meant to be run on a fresh install\n");
- printf("Y/N OK to proceed?");
-
- if(!(<STDIN> =~ /^y/i)){
- die "provision cancelled...";
- }
-
- unless( ($admin_un) = `tail /etc/passwd | grep -v "nobody:"` =~ /([^:\n]+):[^:]+:[0-9]{4,}/){
- printf("to provision the instance there must be a non root user with an authorized_keys file");
- printf("creating user...\n");
- create();
- }
-
- # install git
- system("pkg_add git");
-
- # Setup install dir
- system("mkdir $INST_DIR");
- system("useradd -d $INST_DIR -r 100..900 $SVC_ACCT");
- system("chown $SVC_ACCT:$SVC_ACCT $INST_DIR");
- chdir $INST_DIR;
-
- # clone repo
- system("su $SVC_ACCT -c 'git clone $GIT_BRANCH$GIT_REPO'");
- chdir $REPO_DIR;
-
- # Copy the skel directory
- system("mkdir ./skel/public_html/cgi");
- system("cp -r ./skel/* /etc/skel/");
-
- # Check /etc/passwd for the username created during
- # installation
- if( ($admin_un) = `tail /etc/passwd | grep -v "nobody:"` =~ /([^:\n]+):[^:]+:[0-9]{4,}/){
- # grant doas access to admin user
- system("echo 'permit nopass $admin_un' > /etc/doas.conf");
-
- # setup admin user
- system("cp -r ./skel/* /home/$admin_un/");
- system("chown -R $admin_un:$admin_un /home/$admin_un");
- system("echo $admin_un >> ./user_list.txt");
- }
-
- # Setup the virtual environment
- system("pkg_add python3 openssl rust bash");
- printf("generating virtual enviornment...\n");
- system("su $SVC_ACCT -c 'python3 -m venv venv'");
- printf("running pip. can take up to 3 minutes due to slow compilation.\n");
- system("su $SVC_ACCT -c '. ./venv/bin/activate && python3 -m pip install --upgrade pip'");
- system("su $SVC_ACCT -c '. ./venv/bin/activate && pip3 install -r requirements.txt'");
-
- system("cp ./perl-script/conf/lingyin.rc /etc/rc.d/lingyind");
- system("chmod 755 /etc/rc.d/lingyind");
- system("rcctl enable lingyind");
- system("rcctl start lingyind");
-
- system("pkg_add p5-JSON");
-
- # Install apache
- system("pkg_add apache-httpd");
- printf("configuring apache\n");
- # enable the userdir module
- system("sed -i -e 's/^\\(.\\)*#\\(LoadModule userdir_module\\)/\\1\\2/' /etc/apache2/httpd2.conf");
- system("sed -i -e 's/^\\(.\\)*#\\(Include \\/etc\\/apache2\\/extra\\/httpd-userdir.conf\\)/\\1\\2/' /etc/apache2/httpd2.conf");
- # Enable the CGI directory
- system("echo '<Directory \"/home/*/public_html/cgi/\">
- Require all granted
- Options +ExecCGI
- AddHandler cgi-script .cgi
- </Directory>' >> /etc/apache2/extra/httpd-userdir.conf");
- # Enable the CGI modules
- system("sed -i -e 's/^\\(.\\)*#\\(LoadModule cgi_module\\)/\\1\\2/' /etc/apache2/httpd2.conf");
- system("sed -i -e 's/^\\(.\\)*#\\(LoadModule cgid_module\\)/\\1\\2/' /etc/apache2/httpd2.conf");
- # Disable directory listing
- system("sed -i -e 's/\\(<\\/Directory>\\)/ Options -Indexes\\
- \\1/g' /etc/apache2/extra/httpd-userdir.conf");
-
- # Change the port to 5001
- system("sed -i -e 's/^\\(.\\)*Listen *80/\\1Listen 5001/' /etc/apache2/httpd2.conf");
- # rev up those apache processes!
- system("rcctl enable apache2");
- system("rcctl start apache2");
-
- # Install and config haproxy
- system("pkg_add haproxy");
-
- printf("configuring haproxy\n");
- system("cp ./perl-script/conf/haproxy.cfg /etc/haproxy/haproxy.cfg");
- system("rcctl enable haproxy");
- system("rcctl start haproxy");
-
- # Install and configure ngircd and delegation
- system("pkg_add ngircd");
-
- # irc group is used for granting permissions
- # to irc admins
- system("groupadd irc");
- system("usermod -G irc _ngircd");
- # allow doas for irc admins
- system("echo 'permit nopass :irc as _ngircd' >> /etc/doas.conf");
-
- # Copy over our conf file to /etc
- # and set permissions
- chdir "$INST_DIR/$REPO_DIR";
- system("chmod 750 /etc/ngircd");
- system("cp ./perl-script/conf/ngircd.conf /etc/ngircd/ngircd.conf");
- system("chmod -R 660 /etc/ngircd/*");
- system("chown -R _ngircd:irc /etc/ngircd/");
-
- # copy over our admin script and set permissions
- system("cp ./perl-script/ngircd-ctl.pl /usr/local/sbin/ngircd-ctl");
- system("chown _ngircd:irc /usr/local/sbin/ngircd-ctl");
- system("chmod 770 /usr/local/sbin/ngircd-ctl");
-
- # Disable root login
- system("sed -i -e 's/^[^#]*PermitRootLogin.*\$/PermitRootLogin no/' /etc/ssh/sshd_config");
- system("sed -i -e 's/^PasswordAuthentication.*\$//' /etc/ssh/sshd_config");
- system("echo 'PasswordAuthentication no' >> /etc/ssh/sshd_config");
- system("rcctl restart sshd");
-
- printf("\n\nInstall complete\n");
- printf("==================================================\n");
-
- printf("Protip: use doas instead of sudo\n");
-
- printf("root login and password login is now disabled, so dont forget\nto set a password\n");
- printf("and test your pub key\n");