gashapwn
/
lyadmin
1
1
Fork 0
Code Issues 15 Pull Requests 0 Releases 2 Wiki Activity
scripts and tools to administer the lingy.in public unix / tilde
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
134 Commits
2 Branches
1.6MB
Tree: 821e0ab9d4
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '821e0ab9d4'
${ noResults }
lyadmin/perl-script/provision.pl

212 lines
6.0KB
Raw Blame History 

  1. #!/usr/bin/perl

  2. 

  3. use warnings;

  4. use strict;

  5. 

  6. # provision.pl

  7. # script to provision a tilde instance

  8. # 

  9. # This script is intended to be run on a fresh

  10. # OpenBSD install

  11. #

  12. # gashapwn

  13. # Nov 2020

  14. 

  15. my $DEV_FLAG = shift || "";

  16. 

  17. my $GIT_REPO = 'https://git.lain.church/gashapwn/lyadmin.git';

  18. my $GIT_BRANCH = length($DEV_FLAG) > 0 ? "-b gasha-branch " : "";

  19. my ($REPO_DIR) = $GIT_REPO =~ /\/([^\/]*)\.git$/;

  20. my $INST_DIR = "/tilde";

  21. 

  22. my $SVC_ACCT = "_lingyind";

  23. 

  24. my $pwuid;

  25. 

  26. my $admin_un;

  27. my $admin_home_dir;

  28. 

  29. # Given a username... prompts and creates that user

  30. sub create(){

  31.     my $id;

  32.     

  33.     my $username;

  34.     my $user_email;

  35.     my $pub_key;

  36. 

  37.     my $p0;

  38. 

  39.     # Prompts...

  40.     $p0 = [

  41. 	"Enter username: ",

  42. 	"Enter pubkey: "

  43. 	];

  44. 

  45.     # read in username and validate

  46.     printf($p0->[0]);

  47.     $username = <STDIN>;

  48.     chomp $username;

  49. 

  50.     if(length($username) > 31 || !($username =~ /^[A-Za-z][A-Za-z0-9]+$/)){

  51. 	printf("%s is an INVALID username\n", $id);

  52. 	die ("oh no");

  53.     }

  54. 

  55.     # read in pub key

  56.     printf($p0->[1]);

  57.     $pub_key = <STDIN>;

  58.     chomp $pub_key;

  59.     

  60.     {

  61. 	# Prompt to make sure the username looks OK

  62. 	my $cmd;

  63. 	$cmd = "useradd -m " . $username; 

  64. 	printf("Y/N is this command OK?: %s\n", $cmd);

  65. 	

  66. 	if(!(<STDIN> =~ /^y/i)){

  67. 	    die "provision cancelled...";

  68. 	}

  69. 

  70. 	# create the user

  71. 	system($cmd);

  72. 	system("echo '".$pub_key."' > /home/$username/.ssh/authorized_keys");

  73. 	system("chmod 711 /home/$username");

  74.     }

  75. }

  76. 

  77. # Make sure we're running as root

  78. $pwuid = getpwuid( $< );

  79. 

  80. if($pwuid ne "root"){

  81.     die "script must be run as root";

  82. }

  83. 

  84. # Make sure script is provisioning a fresh instance

  85. # and doesn't clobber users existing configs

  86. printf("This script is meant to be run on a fresh install\n");

  87. printf("Y/N OK to proceed?");

  88. 

  89. if(!(<STDIN> =~ /^y/i)){

  90.     die "provision cancelled...";

  91. }

  92. 

  93. unless( ($admin_un) = `tail /etc/passwd | grep -v "nobody:"` =~ /([^:\n]+):[^:]+:[0-9]{4,}/){

  94.     printf("to provision the instance there must be a non root user with an authorized_keys file");

  95.     printf("creating user...\n");

  96.     create();

  97. }

  98. 

  99. # install git

  100. system("pkg_add git");

  101. 

  102. # Setup install dir

  103. system("mkdir $INST_DIR");

  104. system("useradd -d $INST_DIR -r 100..900 $SVC_ACCT");

  105. system("chown $SVC_ACCT:$SVC_ACCT $INST_DIR");

  106. chdir $INST_DIR;

  107. 

  108. # clone repo

  109. system("su $SVC_ACCT -c 'git clone $GIT_BRANCH$GIT_REPO'");

  110. chdir $REPO_DIR;

  111. 

  112. # Copy the skel directory

  113. system("mkdir ./skel/public_html/cgi");

  114. system("cp -r ./skel/* /etc/skel/");

  115. 

  116. # Check /etc/passwd for the username created during

  117. # installation

  118. if( ($admin_un) = `tail /etc/passwd | grep -v "nobody:"` =~ /([^:\n]+):[^:]+:[0-9]{4,}/){

  119.     # grant doas access to admin user

  120.     system("echo 'permit nopass $admin_un' > /etc/doas.conf");

  121.     

  122.     # setup admin user

  123.     system("cp -r ./skel/* /home/$admin_un/");

  124.     system("chown -R $admin_un:$admin_un /home/$admin_un");

  125.     system("echo $admin_un >> ./user_list.txt");

  126. }

  127. 

  128. # Setup the virtual environment

  129. system("pkg_add python3 openssl rust bash");

  130. printf("generating virtual enviornment...\n");

  131. system("su $SVC_ACCT -c 'python3 -m venv venv'");

  132. printf("running pip. can take up to 3 minutes due to slow compilation.\n");

  133. system("su $SVC_ACCT -c '. ./venv/bin/activate && python3 -m pip install --upgrade pip'");

  134. system("su $SVC_ACCT -c '. ./venv/bin/activate && pip3 install -r requirements.txt'");

  135. 

  136. system("cp ./perl-script/conf/lingyin.rc /etc/rc.d/lingyind");

  137. system("chmod 755 /etc/rc.d/lingyind");

  138. system("rcctl enable lingyind");

  139. system("rcctl start lingyind");

  140. 

  141. system("pkg_add p5-JSON");

  142. 

  143. # Install apache

  144. system("pkg_add apache-httpd");

  145. printf("configuring apache\n");

  146. # enable the userdir module

  147. system("sed -i -e 's/^\\(.\\)*#\\(LoadModule userdir_module\\)/\\1\\2/' /etc/apache2/httpd2.conf");

  148. system("sed -i -e 's/^\\(.\\)*#\\(Include \\/etc\\/apache2\\/extra\\/httpd-userdir.conf\\)/\\1\\2/' /etc/apache2/httpd2.conf");

  149. # Enable the CGI directory

  150. system("echo '<Directory \"/home/*/public_html/cgi/\">

  151.     Require all granted

  152.     Options +ExecCGI

  153.     AddHandler cgi-script .cgi

  154. </Directory>' >> /etc/apache2/extra/httpd-userdir.conf");

  155. # Enable the CGI modules

  156. system("sed -i -e 's/^\\(.\\)*#\\(LoadModule cgi_module\\)/\\1\\2/' /etc/apache2/httpd2.conf");

  157. system("sed -i -e 's/^\\(.\\)*#\\(LoadModule cgid_module\\)/\\1\\2/' /etc/apache2/httpd2.conf");

  158. # Disable directory listing

  159. system("sed -i -e 's/\\(<\\/Directory>\\)/    Options -Indexes\\

  160.        \\1/g' /etc/apache2/extra/httpd-userdir.conf");

  161. 

  162. # Change the port to 5001

  163. system("sed -i -e 's/^\\(.\\)*Listen *80/\\1Listen 5001/' /etc/apache2/httpd2.conf");

  164. # rev up those apache processes!

  165. system("rcctl enable apache2");

  166. system("rcctl start apache2");

  167. 

  168. # Install and config haproxy

  169. system("pkg_add haproxy");

  170. 

  171. printf("configuring haproxy\n");

  172. system("cp ./perl-script/conf/haproxy.cfg /etc/haproxy/haproxy.cfg");

  173. system("rcctl enable haproxy");

  174. system("rcctl start haproxy");

  175. 

  176. # Install and configure ngircd and delegation

  177. system("pkg_add ngircd");

  178. 

  179. # irc group is used for granting permissions

  180. # to irc admins

  181. system("groupadd irc");

  182. system("usermod -G irc _ngircd");

  183. # allow doas for irc admins

  184. system("echo 'permit nopass :irc as _ngircd' >> /etc/doas.conf");

  185. 

  186. # Copy over our conf file to /etc

  187. # and set permissions

  188. system("chmod 750 /etc/ngircd");

  189. system("cp ./perl-script/conf/ngircd.conf /etc/ngircd/ngircd.conf");

  190. system("chmod -R 660 /etc/ngircd/*");

  191. system("chown -R _ngircd:irc /etc/ngircd/");

  192. 

  193. # copy over our admin script and set permissions

  194. system("cp ./perl-script/ngircd-ctl /usr/local/sbin/ngircd-ctl");

  195. system("chown _ngircd:irc /usr/local/sbin/ngircd-ctl");

  196. system("chmod 770 /usr/local/sbin/ngircd-ctl");

  197. 

  198. # Disable root login

  199. system("sed -i -e 's/^[^#]*PermitRootLogin.*\$/PermitRootLogin no/' /etc/ssh/sshd_config");

  200. system("sed -i -e 's/^PasswordAuthentication.*$//' /etc/ssh/sshd_config");

  201. system("echo 'PasswordAuthentication no' >> /etc/ssh/sshd_config");

  202. system("rcctl restart sshd");

  203. 

  204. printf("\n\nInstall complete\n");

  205. printf("==================================================\n");

  206. 

  207. printf("Protip: use doas instead of sudo\n");

  208. 

  209. printf("root login and password login is now disabled, so dont forget\nto set a password\n");

  210. printf("and test your pub key\n");