From e8dc250a5b4b243ee91652ed730062cb1cd1c161 Mon Sep 17 00:00:00 2001 
From: Christian Heller
Date: Tue, 1 Apr 2025 00:40:40 +0200
Subject: [PATCH] Fixes.
---
 bookworm/scripts/init_server_access.sh | 4 +-
 bookworm/scripts/lib/constants_server | 2 -
 bookworm/scripts/lib/constants_ssh | 3 ++
 bookworm/scripts/setup_server.sh | 5 +-
 testing/home/all/.local/bin/lib | 1 +
 testing/home/desktop/.local/bin/borgplom | 17 +++---
 testing/home/desktop/.local/bin/make_secrets | 28 +++++++++++
 testing/home/desktop/.plomlib.sh/abort | 1 +
 .../home/desktop/.plomlib.sh/abort_if_exists | 1 +
 .../home/desktop/.plomlib.sh/constants_borg | 1 +
 .../desktop/.plomlib.sh/constants_secrets | 1 +
 .../home/desktop/.plomlib.sh/constants_ssh | 1 +
 .../home/desktop/.plomlib.sh/constants_user | 1 +
 .../desktop/.plomlib.sh/expect_min_n_args | 1 +
 .../home/desktop/.plomlib.sh/mount_secrets | 1 +
 testing/scripts/_setup_secrets_user.sh | 48 +++++++------------
 testing/scripts/lib/abort_if_exists | 3 +-
 testing/scripts/lib/constants_borg | 2 +
 testing/scripts/lib/constants_secrets | 5 ++
 testing/scripts/lib/constants_ssh | 1 +
 testing/scripts/lib/mount_secrets | 45 +++++++++++++++++
 testing/scripts/setup_desktop.sh | 1 +
 testing/scripts/setup_secrets.sh | 48 ++----------------
 23 files changed, 130 insertions(+), 91 deletions(-)
 delete mode 100644 bookworm/scripts/lib/constants_server
 create mode 100644 bookworm/scripts/lib/constants_ssh
 create mode 120000 testing/home/all/.local/bin/lib
 create mode 100755 testing/home/desktop/.local/bin/make_secrets
 create mode 120000 testing/home/desktop/.plomlib.sh/abort
 create mode 120000 testing/home/desktop/.plomlib.sh/abort_if_exists
 create mode 120000 testing/home/desktop/.plomlib.sh/constants_borg
 create mode 120000 testing/home/desktop/.plomlib.sh/constants_secrets
 create mode 120000 testing/home/desktop/.plomlib.sh/constants_ssh
 create mode 120000 testing/home/desktop/.plomlib.sh/constants_user
 create mode 120000 testing/home/desktop/.plomlib.sh/expect_min_n_args
 create mode 120000
testing/home/desktop/.plomlib.sh/mount_secrets
 create mode 100644 testing/scripts/lib/constants_borg
 create mode 100644 testing/scripts/lib/constants_secrets
 create mode 120000 testing/scripts/lib/constants_ssh
 create mode 100644 testing/scripts/lib/mount_secrets
diff --git a/bookworm/scripts/init_server_access.sh b/bookworm/scripts/init_server_access.sh
index 4ec9b18..385b3b3 100755
--- a/bookworm/scripts/init_server_access.sh
+++ b/bookworm/scripts/init_server_access.sh
@@ -1,10 +1,10 @@
 #!/bin/sh
 set -e
 cd $(dirname "$0")
-. lib/constants_server
+. lib/constants_ssh # PATH_USER_SSH
 . lib/expect_min_n_args
-PATH_KNOWN_HOSTS="${PATH_SSH}/known_hosts"
+PATH_KNOWN_HOSTS="${PATH_USER_SSH}/known_hosts"
 expect_min_n_args 1 '(server)' "$@"
 SERVER="$1"
diff --git a/bookworm/scripts/lib/constants_server b/bookworm/scripts/lib/constants_server
deleted file mode 100644
index 9a10aaa..0000000
--- a/bookworm/scripts/lib/constants_server
+++ /dev/null
@@ -1,2 +0,0 @@
-PATH_REL_SSH=.ssh
-PATH_SSH="${HOME}/${PATH_REL_SSH}"
diff --git a/bookworm/scripts/lib/constants_ssh b/bookworm/scripts/lib/constants_ssh
new file mode 100644
index 0000000..43e6ee5
--- /dev/null
+++ b/bookworm/scripts/lib/constants_ssh
@@ -0,0 +1,3 @@
+. lib/constants_user
+PATH_REL_SSH=.ssh
+PATH_USER_SSH="${PATH_USER_HOME}/${PATH_REL_SSH}"
diff --git a/bookworm/scripts/setup_server.sh b/bookworm/scripts/setup_server.sh
index 79086ef..b79920e 100755
--- a/bookworm/scripts/setup_server.sh
+++ b/bookworm/scripts/setup_server.sh
@@ -2,7 +2,7 @@
 set -e
 cd $(dirname "$0")
 . lib/constants_repopaths # PATH_CONF
-. lib/constants_server # PATH_REL_SSH, PATH_SSH
+. lib/constants_ssh # PATH_REL_SSH, PATH_USER_SSH
 . lib/constants_user # USERNAME
 . lib/copy_dirtree
 . lib/determine_ip
@@ -18,7 +18,6 @@ FQDN="$2"
 PATH_REL_ETC=etc
 PATH_CONF_ETC="${PATH_CONF}/${PATH_REL_ETC}"
-PATH_USER_SSH="${PATH_USER_HOME}/${PATH_REL_SSH}"
 PATH_ETC="/${PATH_REL_ETC}"
 PATH_HOSTS="${PATH_ETC}/hosts"
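Review bot: `PATH_KNOWN_HOSTS` now resolves through `PATH_USER_SSH`, which the new `constants_ssh` builds from `PATH_USER_HOME` instead of the `${HOME}` the deleted `constants_server` used, so if this script is ever run as root (the sibling `setup_server.sh` evidently is, since it moves `authorized_keys` out of `/root`) the server's host key is now pinned into the unprivileged user's `known_hosts` rather than root's. If that is the intent, say so where the path is defined, e.g. `PATH_KNOWN_HOSTS="${PATH_USER_SSH}/known_hosts" # pin into ${USERNAME}'s known_hosts, not the caller's`; if not, `"${PATH_USER_HOME}"` should be `"${HOME}"` here. The remainder of the script, including whatever writes to that file, lies outside the hunk.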
@@ -40,7 +39,7 @@ ntpdate-debian
 setup_users "${MIN_TAGS}" ""
 mkdir -p "${PATH_USER_SSH}"
-mv "${PATH_SSH}/authorized_keys" "${PATH_USER_SSH}/"
+mv "/root/${PATH_REL_SSH}/authorized_keys" "${PATH_USER_SSH}/"
 chown -R "${USERNAME}:${USERNAME}" "${PATH_USER_SSH}"
 #
 # Enable firewall.
diff --git a/testing/home/all/.local/bin/lib b/testing/home/all/.local/bin/lib
new file mode 120000
index 0000000..78bf2ef
--- /dev/null
+++ b/testing/home/all/.local/bin/lib
@@ -0,0 +1 @@
+../../.plomlib.sh
\ No newline at end of file
diff --git a/testing/home/desktop/.local/bin/borgplom b/testing/home/desktop/.local/bin/borgplom
index ecbcaf8..1ecefe7 100755
--- a/testing/home/desktop/.local/bin/borgplom
+++ b/testing/home/desktop/.local/bin/borgplom
@@ -1,19 +1,20 @@
 #!/bin/sh
 set -e
+cd $(dirname "$0")
+. lib/constants_borg
+. lib/get_passphrase
+. lib/path_tmp_timestamped
-. "${HOME}/.plomlib.sh/get_passphrase"
-. "${HOME}/.plomlib.sh/path_tmp_timestamped"
-
-PATH_BORGKEYS="${HOME}/.config/borg/keys"
+PATH_CONF_SECURITY="${PATH_BORG_CONF}/security"
 NAME_REPO=borg
 NAME_ARCHIVE=orgdir
 if [ "$1" = "orgpull" ]; then
 PATH_PIPE="$(path_tmp_timestamped 'pipe')"
 mkfifo "${PATH_PIPE}"
- ls -1 "${PATH_BORGKEYS}/" > "${PATH_PIPE}" &
+ ls -1 "${PATH_CONF_SECURITY}/" > "${PATH_PIPE}" &
 while read FILENAME; do
- NAME_SERVER=$(echo "${FILENAME}" | sed 's/.*@//')
+ NAME_SERVER="$(echo ${FILENAME} | cut -d'/' -f3 | cut -d'@' -f2)"
 if ping -c1 -W2 "${NAME_SERVER}" > /dev/null 2>&1; then
 break
 else
@@ -22,9 +23,10 @@ if [ "$1" = "orgpull" ]; then
 done < "${PATH_PIPE}"
 rm "${PATH_PIPE}"
 REPO="${NAME_SERVER}:${NAME_REPO}"
+ echo "Checking out ${REPO} …"
 while true; do
 if [ -z "${BORG_PASSPHRASE}" ]; then
- printf 'Passhrapse:'
+ printf 'Passhrase:'
 export BORG_PASSPHRASE="$(get_passphrase)"
 echo ''
 fi
@@ -44,5 +46,4 @@ if [ "$1" = "orgpull" ]; then
 echo "Pulling archive: ${ARCHIVE}"
 cd /
 borg extract --verbose "${REPO}::${ARCHIVE}"
- break
 fi
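Review bot: The replacement `mv` hard-codes `/root/${PATH_REL_SSH}` while every other location in this script is derived from a `PATH_*` constant; since moving a file out of root's home only makes sense when the script runs as root, `"${HOME}/${PATH_REL_SSH}/authorized_keys"` says the same thing without the literal, or give it a name next to the other constants. The surrounding `mkdir -p`/`chown -R` leave the new user's `.ssh` directory at whatever mode the umask yields; sshd's StrictModes only rejects group- or world-writable directories, so this works under the usual 022, but a `chmod 700 "${PATH_USER_SSH}"` after the `chown` would remove that dependency.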
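Review bot: The new server lookup feeds `ls -1 "${PATH_CONF_SECURITY}/"` into `cut -d'/' -f3 | cut -d'@' -f2`, but `ls -1` prints bare entry names, which contain no `/` and normally no `@`, so unless the entries of `security/` are themselves named like URLs `NAME_SERVER` comes out empty and no `ping` can succeed; the `cut` chain is exactly what extracts `host` from a `ssh://user@host/…` string, which is what borg, as far as I recall, records in each `security/<repo-id>/location` file, so the intended input is probably those file contents, e.g. `cat "${PATH_CONF_SECURITY}"/*/location > "${PATH_PIPE}" &` in place of the `ls`. The rewritten line also drops the quoting the removed line had; `printf '%s\n' "${FILENAME}"` keeps the value intact through the pipe. Because the loop leaves `NAME_SERVER` holding the last candidate when nothing answers, a `[ -n "${NAME_SERVER}" ] || exit 1` after `rm "${PATH_PIPE}"` would turn that silent failure into an explicit one.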
diff --git a/testing/home/desktop/.local/bin/make_secrets b/testing/home/desktop/.local/bin/make_secrets
new file mode 100755
index 0000000..2114199
--- /dev/null
+++ b/testing/home/desktop/.local/bin/make_secrets
@@ -0,0 +1,28 @@
+#!/bin/sh
+set -e
+
+cd $(dirname "$0")
+. lib/abort_if_exists
+. lib/constants_borg # PATH_BORG_CONF
+. lib/constants_secrets # PATH_REL_SECRETS, PATH_SECRETS
+. lib/constants_ssh # PATH_USER_SSH
+. lib/constants_user # USERNAME
+. lib/mount_secrets # mount_secrets, copy_and_unmount_secrets
+
+abort_if_exists "${PATH_SECRETS}"
+echo "Collecting new ${PATH_REL_SECRETS}."
+mkdir "${PATH_SECRETS}"
+cp -a "${PATH_BORG_CONF}" "${PATH_SECRETS}/"
+cp -a "${PATH_USER_SSH}" "${PATH_SECRETS_SSH}"
+echo "secrets file, last update: $(whoami)/$(hostname) at $(date)" > "${PATH_SECRETS}/info"
+
+mount_secrets # sets PATH_MOUNTED_SECRETS
+SUFFIX_OLD=.old
+PATH_REL_SECRETS_OLD="${PATH_REL_SECRETS}${SUFFIX_OLD}"
+PATH_MOUNTED_SECRETS_OLD="${PATH_MOUNTED_SECRETS}${SUFFIX_OLD}"
+if [ -d "${PATH_MOUNTED_SECRETS}" ]; then
+ echo "Drive already has ${PATH_REL_SECRETS}, moving to ${PATH_REL_SECRETS_OLD}."
+ rm -rf "${PATH_MOUNTED_SECRETS_OLD}"
+ mv "${PATH_MOUNTED_SECRETS}" "${PATH_MOUNTED_SECRETS_OLD}"
+fi
+copy_and_unmount_secrets 'out'
diff --git a/testing/home/desktop/.plomlib.sh/abort b/testing/home/desktop/.plomlib.sh/abort
new file mode 120000
index 0000000..3afad55
--- /dev/null
+++ b/testing/home/desktop/.plomlib.sh/abort
@@ -0,0 +1 @@
+../../../scripts/lib/abort
\ No newline at end of file
diff --git a/testing/home/desktop/.plomlib.sh/abort_if_exists b/testing/home/desktop/.plomlib.sh/abort_if_exists
new file mode 120000
index 0000000..8ea409a
--- /dev/null
+++ b/testing/home/desktop/.plomlib.sh/abort_if_exists
@@ -0,0 +1 @@
+../../../scripts/lib/abort_if_exists
\ No newline at end of file
diff --git a/testing/home/desktop/.plomlib.sh/constants_borg b/testing/home/desktop/.plomlib.sh/constants_borg
new file mode 120000
index 0000000..1cc05f7
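Review bot: `mkdir "${PATH_SECRETS}"` takes its mode from the umask (commonly 755) and is then filled with `cp -a` copies of the whole ssh directory and the borg configuration, and nothing after `copy_and_unmount_secrets 'out'` removes `${PATH_SECRETS}`, so a plaintext staging copy of every private key remains on the desktop's disk once the drive has been written; `mkdir -m 0700 "${PATH_SECRETS}"` closes the window during collection and an `rm -rf "${PATH_SECRETS}"` as the final line (or via `trap … EXIT`) removes the copy afterwards — if keeping it is deliberate, note that `abort_if_exists` at the top will refuse the next run until it is deleted by hand. `mount_secrets` is invoked here with no argument, yet the function guards itself with `expect_min_n_args 1 "(device name, e.g. 'sda')" "$@"` on its own, empty, parameter list, so unless that helper behaves differently from its use in `init_server_access.sh` the script aborts right after creating the staging copy. The `rm -rf "${PATH_MOUNTED_SECRETS_OLD}"` rotation keeps exactly one previous generation on the drive and silently discards anything older, which deserves a comment on that line.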
--- /dev/null
+++ b/testing/home/desktop/.plomlib.sh/constants_borg
@@ -0,0 +1 @@
+../../../scripts/lib/constants_borg
\ No newline at end of file
diff --git a/testing/home/desktop/.plomlib.sh/constants_secrets b/testing/home/desktop/.plomlib.sh/constants_secrets
new file mode 120000
index 0000000..85c9977
--- /dev/null
+++ b/testing/home/desktop/.plomlib.sh/constants_secrets
@@ -0,0 +1 @@
+../../../scripts/lib/constants_secrets
\ No newline at end of file
diff --git a/testing/home/desktop/.plomlib.sh/constants_ssh b/testing/home/desktop/.plomlib.sh/constants_ssh
new file mode 120000
index 0000000..7b0ccb4
--- /dev/null
+++ b/testing/home/desktop/.plomlib.sh/constants_ssh
@@ -0,0 +1 @@
+../../../scripts/lib/constants_ssh
\ No newline at end of file
diff --git a/testing/home/desktop/.plomlib.sh/constants_user b/testing/home/desktop/.plomlib.sh/constants_user
new file mode 120000
index 0000000..79ec36f
--- /dev/null
+++ b/testing/home/desktop/.plomlib.sh/constants_user
@@ -0,0 +1 @@
+../../../scripts/lib/constants_user
\ No newline at end of file
diff --git a/testing/home/desktop/.plomlib.sh/expect_min_n_args b/testing/home/desktop/.plomlib.sh/expect_min_n_args
new file mode 120000
index 0000000..2966623
--- /dev/null
+++ b/testing/home/desktop/.plomlib.sh/expect_min_n_args
@@ -0,0 +1 @@
+../../../scripts/lib/expect_min_n_args
\ No newline at end of file
diff --git a/testing/home/desktop/.plomlib.sh/mount_secrets b/testing/home/desktop/.plomlib.sh/mount_secrets
new file mode 120000
index 0000000..86f3878
--- /dev/null
+++ b/testing/home/desktop/.plomlib.sh/mount_secrets
@@ -0,0 +1 @@
+../../../scripts/lib/mount_secrets
\ No newline at end of file
diff --git a/testing/scripts/_setup_secrets_user.sh b/testing/scripts/_setup_secrets_user.sh
index f190d5d..9947ab8 100644
--- a/testing/scripts/_setup_secrets_user.sh
+++ b/testing/scripts/_setup_secrets_user.sh
@@ -1,40 +1,34 @@
 #!/bin/sh
 set -e
 cd $(dirname "$0")
-
-. lib/constants_user # USERNAME
 . lib/abort
 . lib/abort_if_exists
 . lib/abort_if_not_user
 . lib/abort_if_offline
+. lib/constants_borg # PATH_BORG_CONF, PATH_REL_BORG_CONF
+. lib/constants_secrets # PATH_SECRETS
+. lib/constants_ssh # PATH_USER_SSH
+. lib/constants_user # USERNAME
+. lib/mount_secrets # mount_secrets, copy_and_unmount_secrets
 PATH_REPOS="${HOME}/repos"
-PATH_BORGKEYS="${HOME}/.config/borg/keys"
-PATH_USER_SSH="${HOME}/.ssh"
-FILENAME_KEY=id_rsa
-PATH_PRIVATE_KEY="${PATH_USER_SSH}/${FILENAME_KEY}"
-PATH_KNOWN_HOSTS="${PATH_USER_SSH}/known_hosts"
 REPOS_SITE_DOMAIN=plomlompom.com
 REMOTE_PATH_REPOS=/var/repos
 NAME_BORGAPP=borgplom
-abort_if_not_user "${USERNAME}"
 abort_if_offline
+abort_if_not_user "${USERNAME}"
+abort_if_exists "${PATH_SECRETS}"
 abort_if_exists "${PATH_USER_SSH}"
 abort_if_exists "${PATH_REPOS}"
-abort_if_exists "${PATH_BORGKEYS}"
+abort_if_exists "${PATH_BORG_CONF}"
+
+mount_secrets # sets PASSPHRASE
+copy_and_unmount_secrets 'in'
+export BORG_PASSPHRASE="${PASSPHRASE}"
 echo "\nSetting up ~/.ssh"
-PATH_PUBLIC_KEY="${PATH_PRIVATE_KEY}.pub"
-mkdir -p "${PATH_USER_SSH}"
-cp "${PATH_SECRETS}/${FILENAME_KEY}" "${PATH_PRIVATE_KEY}"
-while [ ! -s "${PATH_PUBLIC_KEY}" ]; do
- stty -echo
- set +e
- ssh-keygen -y -f "${PATH_PRIVATE_KEY}" > "${PATH_PUBLIC_KEY}"
- set -e
- stty echo
-done
+cp -a "${PATH_SECRETS_SSH}" "${PATH_USER_SSH}"
 eval $(ssh-agent)
 while true; do
 echo ''
@@ -53,7 +47,6 @@ done
 echo "\n\nSetting up ~/repos"
 REPOS_SITE_LOGIN="${USERNAME}@${REPOS_SITE_DOMAIN}"
-ssh-keyscan "${REPOS_SITE_DOMAIN}" >> "${PATH_KNOWN_HOSTS}"
 mkdir "${PATH_REPOS}"
 cd "${PATH_REPOS}"
 ssh ${REPOS_SITE_LOGIN} "cd ${REMOTE_PATH_REPOS} && ls -1" | while read REPO_NAME; do
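Review bot: `export BORG_PASSPHRASE="${PASSPHRASE}"` is placed before `eval $(ssh-agent)`, the `ssh` calls and everything else this script spawns, so the drive passphrase — which now doubles as the borg passphrase — sits in the environment of every child process, although only the `"${NAME_BORGAPP}" orgpull` call further down needs it; keeping it unexported until that point, or scoping it as `BORG_PASSPHRASE="${PASSPHRASE}" "${NAME_BORGAPP}" orgpull`, narrows the exposure. Reusing the pmount passphrase as the borg repository passphrase means one secret unlocks both, which may be intended but deserves a comment at the export such as `# borg repo key is protected by the same passphrase as the secrets drive`. Note also that `mount_secrets` is called with no argument while the function's own `expect_min_n_args 1 … "$@"` check inspects its (empty) parameter list, so as written this path likely aborts before the export is reached. The script continues well beyond this hunk.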
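Review bot: With the `ssh-keyscan … >> "${PATH_KNOWN_HOSTS}"` line gone, host-key verification for `${REPOS_SITE_LOGIN}` now rests entirely on the `known_hosts` restored from `${PATH_SECRETS_SSH}` — an improvement over trusting whatever key the network returns, but an unstated precondition: if the drive's copy lacks the entry, the `ssh` on the last line either prompts interactively from inside a pipeline or fails, depending on the client configuration. Make the expectation explicit before the `mkdir`, e.g. `[ -s "${PATH_USER_SSH}/known_hosts" ] || abort "no known_hosts restored from secrets drive"` (`lib/abort` is already sourced). The `while read REPO_NAME` loop body lies outside the hunk.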
@@ -62,18 +55,9 @@ done
 cd -
 echo "\nSetting up borg and pull in ~/org"
-PATH_TARED_KEYS=borg_keyfiles
-mkdir -p "${PATH_BORGKEYS}"
-tar xf "${PATH_SECRETS}/${PATH_TARED_KEYS}.tar"
-mv "${PATH_TARED_KEYS}"/* "${PATH_BORGKEYS}/"
-rmdir "${PATH_TARED_KEYS}"
-ls -1 "${PATH_BORGKEYS}/" | while read FILENAME; do
- SERVER_NAME=$(echo "${FILENAME}" | sed 's/.*@//')
- set +e
- ssh-keyscan "${SERVER_NAME}" >> "${PATH_KNOWN_HOSTS}"
- set -e
- echo ''
-done
+PATH_PARENT_BORG_CONF="$(dirname ${PATH_BORG_CONF})"
+mkdir -p "${PATH_BORG_CONF}"
+cp -a "${PATH_SECRETS}/${PATH_REL_BORG_CONF}" "${PATH_PARENT_BORG_CONF}/"
 while true; do
 set +e
 "${NAME_BORGAPP}" orgpull
diff --git a/testing/scripts/lib/abort_if_exists b/testing/scripts/lib/abort_if_exists
index a459a38..7c4d62d 100644
--- a/testing/scripts/lib/abort_if_exists
+++ b/testing/scripts/lib/abort_if_exists
@@ -1,6 +1,7 @@
+. lib/abort
+
 abort_if_exists() {
 if [ -e "$1" ]; then
 abort "$1 already exists."
 fi
 }
-
diff --git a/testing/scripts/lib/constants_borg b/testing/scripts/lib/constants_borg
new file mode 100644
index 0000000..e345750
--- /dev/null
+++ b/testing/scripts/lib/constants_borg
@@ -0,0 +1,2 @@
+PATH_REL_BORG_CONF=borg
+PATH_BORG_CONF="${HOME}/.config/${PATH_REL_BORG_CONF}"
diff --git a/testing/scripts/lib/constants_secrets b/testing/scripts/lib/constants_secrets
new file mode 100644
index 0000000..8e11fe7
--- /dev/null
+++ b/testing/scripts/lib/constants_secrets
@@ -0,0 +1,5 @@
+. lib/constants_user
+PATH_MEDIA=/media
+PATH_REL_SECRETS=.secrets
+PATH_SECRETS="${PATH_USER_HOME}/${PATH_REL_SECRETS}"
+PATH_SECRETS_SSH="${PATH_SECRETS}/ssh"
diff --git a/testing/scripts/lib/constants_ssh b/testing/scripts/lib/constants_ssh
new file mode 120000
index 0000000..b711025
--- /dev/null
+++ b/testing/scripts/lib/constants_ssh
@@ -0,0 +1 @@
+../../../bookworm/scripts/lib/constants_ssh
\ No newline at end of file
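Review bot: `PATH_PARENT_BORG_CONF="$(dirname ${PATH_BORG_CONF})"` leaves the expansion unquoted inside the substitution, unlike every neighbouring line; `"$(dirname "${PATH_BORG_CONF}")"` is the consistent form. The following `mkdir -p "${PATH_BORG_CONF}"` creates the very directory that `cp -a … "${PATH_PARENT_BORG_CONF}/"` then merges into — which works, because `abort_if_exists "${PATH_BORG_CONF}"` earlier in the script guarantees it was absent, but it reads as if the `mkdir` were meant for the parent; `mkdir -p "${PATH_PARENT_BORG_CONF}"` states the actual intent. Removing the per-server `ssh-keyscan` loop shifts host-key trust for every backup server onto the restored `known_hosts`, just as for the repos host, and a one-line comment at the `cp` saying so would spare the next reader the archaeology. The `while true` loop around `orgpull` continues past the hunk.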
diff --git a/testing/scripts/lib/mount_secrets b/testing/scripts/lib/mount_secrets
new file mode 100644
index 0000000..3b98f3d
--- /dev/null
+++ b/testing/scripts/lib/mount_secrets
@@ -0,0 +1,45 @@
+. lib/constants_secrets # PATH_MEDIA, PATH_REL_SECRETS
+. lib/expect_min_n_args
+. lib/get_passphrase
+. lib/path_tmp_timestamped
+
+mount_secrets() {
+ expect_min_n_args 1 "(device name, e.g. 'sda')" "$@"
+ SECRETS_DEV=$1
+ PATH_MOUNTED_SECRETS="${PATH_MEDIA}/${SECRETS_DEV}/${PATH_REL_SECRETS}"
+ PATH_DEV="/dev/${SECRETS_DEV}"
+ PATH_PMOUNT_ERR="$(path_tmp_timestamped 'err_mount')"
+ echo "Put secrets drive into slot for ${PATH_DEV}."
+ while [ ! -e "${PATH_DEV}" ]; do
+ sleep 0.1
+ done
+ while true; do
+ printf 'Passphrase: '
+ PASSPHRASE=$(get_passphrase)
+ echo ''
+ set +e
+ echo "${PASSPHRASE}" | pmount "${PATH_DEV}" 2> "${PATH_PMOUNT_ERR}"
+ RESULT=$?
+ set -e
+ if [ "${RESULT}" = "0" ]; then
+ break
+ elif [ "${RESULT}" != "100" ]; then
+ PMOUNT_ERR="$(cat ${PATH_PMOUNT_ERR})"
+ rm "${PATH_PMOUNT_ERR}"
+ abort "Aborting due to pmount error: ${PMOUNT_ERR}"
+ fi
+ done
+}
+
+copy_and_unmount_secrets() {
+ echo "Copying over ${PATH_REL_SECRETS}."
+ if [ "$1" = "out" ]; then
+ cp -a "${PATH_SECRETS}" "${PATH_MOUNTED_SECRETS}"
+ elif [ "$1" = "in" ]; then
+ cp -a "${PATH_MOUNTED_SECRETS}" "${PATH_SECRETS}"
+ else
+ echo abort "Illegal argument to unmount_secrets."
+ fi
+ pumount "${SECRETS_DEV}"
+ echo "You can remove device ${SECRETS_DEV} now."
+}
diff --git a/testing/scripts/setup_desktop.sh b/testing/scripts/setup_desktop.sh
index 9284b23..1fb5ff0 100755
--- a/testing/scripts/setup_desktop.sh
+++ b/testing/scripts/setup_desktop.sh
@@ -112,4 +112,5 @@ ln -sf /usr/share/zoneinfo/Europe/Berlin /etc/localtime
 ntpdate-debian
 setup_users "${MIN_TAGS}" "${TAGS_USER}"
+adduser plom plugdev # so user may use pmount
 passwd "${USERNAME}"
diff --git a/testing/scripts/setup_secrets.sh b/testing/scripts/setup_secrets.sh
index 573ced9..7f0bf47 100755
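Review bot: Both callers this patch adds (`make_secrets` and `_setup_secrets_user.sh`) invoke `mount_secrets` with no arguments, yet inside the function `"$@"` and `$1` are the function's own parameters, so `expect_min_n_args 1 "(device name, e.g. 'sda')" "$@"` should abort on every call — and were it to pass, `SECRETS_DEV` would be empty, `/dev/` trivially exists, and `pmount "/dev/"` would run; either have the callers pass the device name (`mount_secrets "$1"`, with the argument threaded back through `setup_secrets.sh`) or prompt for it inside the function. In `copy_and_unmount_secrets` the `else` branch runs `echo abort "Illegal argument to unmount_secrets."`, which prints the word `abort` and falls through to `pumount`, so an unknown mode neither copies nor stops; it should be `abort "Illegal argument to copy_and_unmount_secrets."` (and `lib/abort` is not sourced at the top of this file, so add `. lib/abort` there). `echo "${PASSPHRASE}" | pmount …` lets a `#!/bin/sh` echo interpret backslash sequences in the passphrase; `printf '%s\n' "${PASSPHRASE}" | pmount …` passes it verbatim. `PATH_PMOUNT_ERR` is only removed on the fatal-error branch, so a successful or retried mount leaves the capture file behind in the temp directory.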
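Review bot: `adduser plom plugdev` hard-codes a user name while the very next line uses `"${USERNAME}"`, so on a host where `USERNAME` differs the group goes to the wrong, or a nonexistent, account and under `set -e` the script stops right there; write it `adduser "${USERNAME}" plugdev # so user may use pmount`. Since plugdev membership is what grants this user the ability to mount removable media through pmount, the comment might name that privilege rather than just the tool.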
--- a/testing/scripts/setup_secrets.sh
+++ b/testing/scripts/setup_secrets.sh
@@ -1,56 +1,18 @@
 #!/bin/sh
 set -e
 cd $(dirname "$0")
-. lib/abort
-. lib/abort_if_exists
 . lib/abort_if_not_user
-. lib/abort_if_offline
-. lib/constants_user # PATH_USER_HOME, USERNAME
 . lib/constants_repopaths # PATH_CONF, PATH_SCRIPTS
-. lib/expect_min_n_args
-. lib/get_passphrase
+. lib/constants_user # USERNAME
 . lib/path_tmp_timestamped
+abort_if_not_user root
 PATH_REL_SETUP_SECRETS_USER="$(basename ${PATH_CONF})/$(basename ${PATH_SCRIPTS})/_setup_secrets_user.sh"
 PATH_REPO="$(dirname ${PATH_CONF})"
-PATH_REL_SECRETS=.secrets
-export PATH_SECRETS="${PATH_USER_HOME}/${PATH_REL_SECRETS}"
-
-# Mount secrets device and copy over its content.
-abort_if_exists "${PATH_SECRETS}"
-expect_min_n_args 1 "(device name, e.g. 'sda')" "$@"
-SECRETS_DEV=$1
-PATH_SOURCE=/media/${SECRETS_DEV}/${PATH_REL_SECRETS}
-PATH_DEV=/dev/${SECRETS_DEV}
-PATH_PMOUNT_ERR="$(path_tmp_timestamped 'err_mount')"
-echo "Put secrets drive into slot for ${PATH_DEV}."
-while [ ! -e "${PATH_DEV}" ]; do
- sleep 0.1
-done
-while true; do
- printf 'Passphrase: '
- PASSPHRASE=$(get_passphrase)
- echo ''
- set +e
- echo "${PASSPHRASE}" | pmount "${PATH_DEV}" 2> "${PATH_PMOUNT_ERR}"
- RESULT=$?
- set -e
- if [ "${RESULT}" = "0" ]; then
- break
- elif [ "${RESULT}" != "100" ]; then
- PMOUNT_ERR="$(cat ${PATH_PMOUNT_ERR})"
- rm "${PATH_PMOUNT_ERR}"
- abort "Aborting due to pmount error: ${PMOUNT_ERR}"
- fi
-done
-cp -a "${PATH_SOURCE}" "${PATH_SECRETS}"
-pumount "${SECRETS_DEV}"
-echo "You can remove ${PATH_DEV} now."
-chown -R "${USERNAME}:${USERNAME}" "${PATH_SECRETS}"
-
-export BORG_PASSPHRASE="${PASSPHRASE}"
 PATH_TMP_REPO="$(path_tmp_timestamped configrepo)"
+
+echo "Setting up config repo copy for user at ${PATH_TMP_REPO} …"
 cp -a "${PATH_REPO}" "${PATH_TMP_REPO}"
 chown -R "${USERNAME}:${USERNAME}" "${PATH_TMP_REPO}"
-su -l "${USERNAME}" --whitelist-environment=PATH_SECRETS,BORG_PASSPHRASE -c "/bin/sh ${PATH_TMP_REPO}/${PATH_REL_SETUP_SECRETS_USER}"
+su -l "${USERNAME}" --whitelist-environment=BORG_PASSPHRASE -c "/bin/sh ${PATH_TMP_REPO}/${PATH_REL_SETUP_SECRETS_USER}"
 rm -rf "${PATH_TMP_REPO}"
-- 
2.30.2
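Review bot: `--whitelist-environment=BORG_PASSPHRASE` survives on the `su` line even though the `export BORG_PASSPHRASE="${PASSPHRASE}"` that used to populate it is removed in this same hunk and `_setup_secrets_user.sh` now derives the passphrase itself from the mounted drive, so the option no longer forwards anything this script set — only whatever `BORG_PASSPHRASE` happens to be in root's login environment; drop it: `su -l "${USERNAME}" -c "/bin/sh ${PATH_TMP_REPO}/${PATH_REL_SETUP_SECRETS_USER}"`. With the `expect_min_n_args 1 … "$@"`/`SECRETS_DEV=$1` lines gone and the user script started without arguments, there is also no longer any path by which the device name this script used to take from `$1` reaches `mount_secrets`, which still demands one. The added `abort_if_not_user root` is a good guard; a comment beside it noting that the rest of the secrets handling is deliberately delegated to the unprivileged user via `su` would explain why the script is now so short.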