#!/bin/bash

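#######################################
# Print an error message and abort the script.
# Arguments: $1 - message to print
# Outputs:   the message followed by "Aborting." on stderr
# Returns:   never; exits the script with status 1
#######################################
panic() {
    # printf rather than echo: a message beginning with '-' is not
    # misread as an option, and both lines go to stderr so that stdout
    # stays clean for callers that capture it
    printf '%s\n' "$1" >&2
    printf 'Aborting.\n' >&2
    exit 1
}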

# Refuse to run unless explicitly forced and running as root: the steps
# below rewrite system configuration in place.
if [[ "$1" != "--force" ]]; then
    panic "Must be run with --force"
fi
if [[ "$(id -u)" -ne 0 ]]; then
    panic "This script must be run as root."
fi

#######################################
# Write a progress message, prefixed with "provision: ", to stderr.
# Arguments: $1 - message
# Outputs:   one line on stderr
#######################################
log() {
    local line="provision: $1"
    printf '%s\n' "$line" >&2
}

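# Provisioning steps. Each critical command is checked explicitly (the
# script does not use `set -e`) so that a failed package installation or
# configuration copy aborts instead of leaving a half-configured host.
# The steps are written to be safe to re-run on an already provisioned
# machine.

log "install and configure most essential packages"
apt-get update --quiet=2 || panic "apt-get update failed"
apt-get install --yes --quiet=2 ufw || panic "failed to install ufw"
# allow ssh before flipping the default policy to deny, so that a run
# over an ssh session cannot lock itself out
ufw allow 22/tcp
ufw default deny
ufw --force enable

log "install service packages"
apt-get install --yes --quiet=2 \
	adduser \
	apt-listchanges \
	ca-certificates \
	cgit \
	curl \
	fcgiwrap \
	git-core \
	jq \
	nginx \
	openssl \
	python3-markdown \
	python3-pygments \
	rsync \
	ssl-cert \
	sudo \
	ufw \
	unattended-upgrades \
	wget \
	|| panic "failed to install service packages"

log "copy package configurations"
# NOTE(review): -r copies file contents only; ownership, modes and
# timestamps of the files under rootfs/ are not preserved (new files get
# the current umask) -- confirm this is intended for the shipped configs
rsync -r /usr/local/share/provision/rootfs/ / \
    || panic "failed to copy package configurations"

log "ensure certificate bundle exists"
# the certificate bundle should be provisioned by terraform, however
# for testing purposes (such as in a vm) this copies the default
# "snakeoil" test certificates to the appropriate locations if they do
# not already exist; -f replaces a dangling link left by an earlier run
if [[ ! -r /etc/ssl/private/server.key.pem ]] \
       || [[ ! -r /etc/ssl/server.cert.pem ]] \
       || [[ ! -r /etc/ssl/issuer.cert.pem ]]; then
    ln -f -s /etc/ssl/private/ssl-cert-snakeoil.key /etc/ssl/private/server.key.pem
    ln -f -s /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/server.cert.pem
    ln -f -s /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/issuer.cert.pem
    log "WARNING: no certificates found, falling back to snakeoil certificates!"
fi

log "configure nginx"
# -f keeps this idempotent: the stock site is already gone on a re-run
rm -r -f -- /etc/nginx/sites-enabled/default
# presumably so nginx (www-data) can read the private key through the
# ssl-cert group -- verify against the key's group on provisioned hosts
usermod --append --groups ssl-cert www-data
ufw allow 80/tcp
ufw allow 443/tcp

log "configure git"
# adduser refuses to re-create an existing account; skip it on re-runs
id git >/dev/null 2>&1 \
    || adduser --group --system --home /var/lib/git git \
    || panic "failed to create git user"
mkdir -p /srv/git
chown -R git:git /srv/git
mkdir -p /var/lib/git/www/
# -f so an existing link from a previous run does not abort the step
ln -f -s /usr/share/cgit/cgit.css /var/lib/git/www/cgit.css
ln -f -s /usr/share/cgit/robots.txt /var/lib/git/www/robots.txt

log "configure shell accounts"
id jodersky >/dev/null 2>&1 \
    || adduser --uid 1000 --disabled-password --gecos "" jodersky \
    || panic "failed to create shell account jodersky"

log "restart services"
systemctl restart nginx || panic "failed to restart nginx"

log "configuration complete!"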