lyadmin/perl-script/provision.pl

#!/usr/bin/perl

use warnings;
use strict;

# provision.pl
# script to provision a tilde instance
# 
# This script is intended to be run on a fresh
# OpenBSD install
#
# gashapwn
# Nov 2020

my $GIT_REPO = 'https://git.lain.church/gashapwn/lyadmin.git';
my ($REPO_DIR) = $GIT_REPO =~ /\/([^\/]*)\.git$/;
my $INST_DIR = "/tilde";

my $SVC_ACCT = "_lingyind";

my $pwuid;

my $admin_un;
my $admin_home_dir;

# Given a username... prompts and creates that user
sub create(){
    my $id;
    
    my $username;
    my $user_email;
    my $pub_key;

    my $p0;

    # Prompts...
    $p0 = [
	"Enter username: ",
	"Enter pubkey: "
	];

    # read in username and validate
    printf($p0->[0]);
    $username = <STDIN>;
    chomp $username;

    if(length($username) > 31 || !($username =~ /^[A-Za-z][A-Za-z0-9]+$/)){
	printf("%s is an INVALID username\n", $id);
	die ("oh no");
    }

    # read in pub key
    printf($p0->[1]);
    $pub_key = <STDIN>;
    chomp $pub_key;
    
    {
	# Prompt to make sure the username looks OK
	my $cmd;
	$cmd = "useradd -m " . $username; 
	printf("Y/N is this command OK?: %s\n", $cmd);
	
	if(!(<STDIN> =~ /^y/i)){
	    die "provision cancelled...";
	}

	# create the user
	system($cmd);
	system("echo '".$pub_key."' > /home/$username/.ssh/authorized_keys");
	system("chmod 711 /home/$username");
    }
}

# Make sure we're running as root
$pwuid = getpwuid( $< );

if($pwuid ne "root"){
    die "script must be run as root";
}

# Make sure script is provisioning a fresh instance
# and doesn't clobber users existing configs
printf("This script is meant to be run on a fresh install\n");
printf("Y/N OK to proceed?");

if(!(<STDIN> =~ /^y/i)){
    die "provision cancelled...";
}

unless( ($admin_un) = `tail /etc/passwd | grep -v "nobody:"` =~ /([^:\n]+):[^:]+:[0-9]{4,}/){
    printf("to provision the instance there must be a non root user with an authorized_keys file");
    printf("creating user...\n");
    create();
}

# install git
system("pkg_add git");

# Setup install dir
system("mkdir $INST_DIR");
system("useradd -d $INST_DIR -r 100..900 $SVC_ACCT");
system("chown $SVC_ACCT:$SVC_ACCT $INST_DIR");
chdir $INST_DIR;

# clone repo
system("su $SVC_ACCT -c 'git clone $GIT_REPO'");
chdir $REPO_DIR;

# Copy the skel directory
system("mkdir ./skel/public_html/cgi");
system("cp -r ./skel/* /etc/skel/");

# Check /etc/passwd for the username created during
# installation
if( ($admin_un) = `tail /etc/passwd | grep -v "nobody:"` =~ /([^:\n]+):[^:]+:[0-9]{4,}/){
    # grant doas access to admin user
    system("echo 'permit nopass $admin_un' > /etc/doas.conf");
    
    # setup admin user
    system("cp -r ./skel/* /home/$admin_un/");
    system("chown -R $admin_un:$admin_un /home/$admin_un");
    system("echo $admin_un >> ./user_list.txt");
}

# Setup the virtual environment
system("pkg_add python3 openssl rust");
printf("generating virtual enviornment...\n");
system("su $SVC_ACCT -c 'python3 -m venv venv'");
printf("running pip. can take up to 3 minutes due to slow compilation.\n");
system("su $SVC_ACCT -c '. ./venv/bin/activate && python3 -m pip install --upgrade pip'");
system("su $SVC_ACCT -c '. ./venv/bin/activate && pip3 install -r requirements.txt'");

system("cp ./perl-script/conf/lingyin.rc /etc/rc.d/lingyind");
system("chmod 755 /etc/rc.d/lingyind");
system("rcctl enable lingyind");
system("rcctl start lingyind");

system("pkg_add p5-JSON");

# Install apache
system("pkg_add apache-httpd");
printf("configuring apache\n");
# enable the userdir module
system("sed -i -e 's/^\\(.\\)*#\\(LoadModule userdir_module\\)/\\1\\2/' /etc/apache2/httpd2.conf");
system("sed -i -e 's/^\\(.\\)*#\\(Include \\/etc\\/apache2\\/extra\\/httpd-userdir.conf\\)/\\1\\2/' /etc/apache2/httpd2.conf");
# Enable the CGI directory
system("echo '<Directory \"/home/*/public_html/cgi/\">
    Require all granted
    Options +ExecCGI
    AddHandler cgi-script .cgi
</Directory>' >> /etc/apache2/extra/httpd-userdir.conf");
# Enable the CGI modules
system("sed -i -e 's/^\\(.\\)*#\\(LoadModule cgi_module\\)/\\1\\2/' /etc/apache2/httpd2.conf");
system("sed -i -e 's/^\\(.\\)*#\\(LoadModule cgid_module\\)/\\1\\2/' /etc/apache2/httpd2.conf");
# Disable directory listing
system("sed -i -e 's/\\(<\\/Directory>\\)/    Options -Indexes\\
       \\1/g' /etc/apache2/extra/httpd-userdir.conf");

# Change the port to 5001
system("sed -i -e 's/^\\(.\\)*Listen *80/\\1Listen 5001/' /etc/apache2/httpd2.conf");
# rev up those apache processes!
system("rcctl enable apache2");
system("rcctl start apache2");

# Install and config haproxy
system("pkg_add haproxy");

printf("configuring haproxy\n");
system("cp ./perl-script/conf/haproxy.cfg /etc/haproxy/haproxy.cfg");
system("rcctl enable haproxy");
system("rcctl start haproxy");

# Disable root login
system("sed -i -e 's/^[^#]*PermitRootLogin.*\$/PermitRootLogin no/' /etc/ssh/sshd_config");
system("sed -i -e 's/^PasswordAuthentication.*$//' /etc/ssh/sshd_config");
system("echo 'PasswordAuthentication no' >> /etc/ssh/sshd_config");
system("rcctl restart sshd");

printf("\n\nInstall complete\n");
printf("==================================================\n");

printf("Protip: use doas instead of sudo\n");

printf("root login and password login is now disabled, so dont forget\nto set a password\n");
printf("and test your pub key\n");