authorKarel Kočí <cynerd@email.cz>2017-09-20 21:19:05 +0200
committerKarel Kočí <cynerd@email.cz>2017-09-20 21:22:36 +0200
commitf287ecedc78c0cc8fb485c5995b8d1cfae9f0fe8 (patch)
tree5025b33a8c3d4c69ad2b62e1169b669c56f712f9
parent65f52ead41dc6df73671ddd3a8c6a2edecb6dfb3 (diff)
downloadmulticonfig-f287ecedc78c0cc8fb485c5995b8d1cfae9f0fe8.tar.gz
multiconfig-f287ecedc78c0cc8fb485c5995b8d1cfae9f0fe8.tar.bz2
multiconfig-f287ecedc78c0cc8fb485c5995b8d1cfae9f0fe8.zip
Commit current statecomplicated
-rw-r--r--.gitmodules3
m---------files0
-rw-r--r--files/openssl_test_file1
-rw-r--r--hosts/cynerd-laptop7
-rw-r--r--hosts/cynerd-pc7
-rw-r--r--hosts/virt-public9
-rw-r--r--ops/bridge_net72
-rw-r--r--ops/cynerd_account65
-rw-r--r--ops/firewall65
-rw-r--r--ops/multiconfig41
-rw-r--r--ops/openvpn0
-rw-r--r--ops/wireguard0
-rwxr-xr-xrun.sh32
-rwxr-xr-xscripts/encrypt_file.sh12
-rw-r--r--scripts/multiconfig-cron.sh2
-rwxr-xr-xscripts/multiconfig.sh73
-rwxr-xr-xscripts/setup.sh38
-rw-r--r--tools/git0
-rw-r--r--tools/grusr0
-rw-r--r--tools/package0
-rw-r--r--utils/cleaner23
-rw-r--r--utils/diff28
-rw-r--r--utils/echo13
-rw-r--r--utils/encrypt42
-rw-r--r--utils/fdata36
-rw-r--r--utils/install7
-rw-r--r--utils/lock5
-rw-r--r--utils/ops30
-rw-r--r--utils/syscheck28
29 files changed, 606 insertions, 33 deletions
diff --git a/.gitmodules b/.gitmodules
new file mode 100644
index 0000000..b9b5024
--- /dev/null
+++ b/.gitmodules
@@ -0,0 +1,3 @@
+[submodule "files"]
+ path = files
+ url = git@cynerd.cz:multiconfig-private
diff --git a/files b/files
new file mode 160000
+Subproject 64daf404c238d0169acfebb1938c01def0144e1
diff --git a/files/openssl_test_file b/files/openssl_test_file
deleted file mode 100644
index 4de8759..0000000
--- a/files/openssl_test_file
+++ /dev/null
@@ -1 +0,0 @@
-U2FsdGVkX1/PZaRNKDDLHnuGz2rsTJZY/CdJVs90ktI=
diff --git a/hosts/cynerd-laptop b/hosts/cynerd-laptop
new file mode 100644
index 0000000..6f4cd29
--- /dev/null
+++ b/hosts/cynerd-laptop
@@ -0,0 +1,7 @@
+# vim:ft=sh:noexpandtab
+
+#OPERATIONS="cynerd_account sshd openvpn firewall"
+OPERATIONS="firewall"
+
+VPN_TYPE="client"
+VPN_NAME="laptop"
diff --git a/hosts/cynerd-pc b/hosts/cynerd-pc
new file mode 100644
index 0000000..1336402
--- /dev/null
+++ b/hosts/cynerd-pc
@@ -0,0 +1,7 @@
+# vim:ft=sh:noexpandtab
+
+#OPERATIONS="cynerd_account sshd openvpn firewall"
+OPERATIONS="firewall bridge_net"
+
+VPN_TYPE="client"
+VPN_NAME="desktop"
diff --git a/hosts/virt-public b/hosts/virt-public
new file mode 100644
index 0000000..d28e465
--- /dev/null
+++ b/hosts/virt-public
@@ -0,0 +1,9 @@
+# vim:ft=sh:noexpandtab
+
+OPERATIONS="cynerd_account sshd openvpn firewall git_server"
+
+VPN_TYPE="server"
+VPN_NAME="server"
+VPN_NO_RESOLV=true
+
+GIT_SERVER_PREFIX="git"
diff --git a/ops/bridge_net b/ops/bridge_net
new file mode 100644
index 0000000..bab94ad
--- /dev/null
+++ b/ops/bridge_net
@@ -0,0 +1,72 @@
+# vim:ft=sh:noexpandtab
+# Bridge with dhcpd
+# TODO FreeBSD
+
+BRIDGE_NET_BRIDGE="./files/bridge_net/bridge.service"
+BRIDGE_NET_SYSCTL="./files/bridge_net/sysctl.conf"
+BRIDGE_NET_DHCPD="./files/bridge_net/dhcpd.conf"
+BRIDGE_NET_BRIDGE_DHCP="./files/bridge_net/bridge-dhcp.service"
+
+bridge_net_check() {
+ ops_set_current bridge_net
+ if ! ( which dhcpd ) >/dev/null; then
+ echo_error "Bridge_net expects dhcpd to be installed"
+ return 0
+ fi
+ # TODO check that we are using openrc otherwise this doesn't work
+
+ # Setup bridge service
+ if do_diff "$BRIDGE_NET_BRIDGE" "/etc/init.d/bridge" \
+ "Bridge service changes"; then
+ ops_require bridge_service
+ fi
+ # Setup ipv4 forward
+ if do_diff "$BRIDGE_NET_SYSCTL" "/etc/sysctl.d/bridge_net.conf" \
+ "Sysctl changes"; then
+ ops_require sysctl
+ fi
+ # DHCPd service
+ if do_diff "$BRIDGE_NET_BRIDGE_DHCP" "/etc/init.d/bridge-dhcp" \
+ "Bridge dhcp service changes"; then
+ ops_require bridge_dhcp_service
+ fi
+ # DHCPd configuration
+ if do_diff "$BRIDGE_NET_DHCPD" "/etc/dhcp/bridge_dhcpd.conf" \
+ "DHCPD configuration changes"; then
+ ops_require dhcpd_conf
+ fi
+
+ # TODO enable bridge_dhcp and bridge service
+
+ ops_required_any "Bridge_net" # return 1 fall trough
+}
+
+bridge_net_prepare() {
+ local BRIDGE_RESTART=false
+
+ if ops_is_required bridge_service; then
+ echo_trace "Updating bridge service"
+ cp "$BRIDGE_NET_BRIDGE" "/etc/init.d/bridge"
+ BRIDGE_RESTART=true
+ fi
+ if ops_is_required sysctl; then
+ echo_trace "Updating sysctl configuration for bridge"
+ cp "$BRIDGE_NET_SYSCTL" "/etc/sysctl.d/bridge"
+ fi
+
+ if $BRIDGE_RESTART; then
+ service bridge restart
+ fi
+}
+
+bridge_net_apply() {
+ # We have nothing to do for apply
+ # TODO
+ true
+}
+
+bridge_net_clean() {
+ # We have nothing to do for clean
+ # TODO
+ true
+}
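Review bot: `bridge_net_prepare` installs the sysctl file to `/etc/sysctl.d/bridge` while `bridge_net_check` compares against `/etc/sysctl.d/bridge_net.conf`, so the `sysctl` component is reported as changed on every run and never converges; pick one path, e.g. `cp "$BRIDGE_NET_SYSCTL" "/etc/sysctl.d/bridge_net.conf"`. The check also registers `bridge_dhcp_service` and `dhcpd_conf` requirements that prepare does not act on, which the TODO about enabling the services only partly covers. A bare `cp` into `/etc/init.d` leaves the init script's mode to the source file and umask; a `chmod 755 /etc/init.d/bridge` after the copy (or a comment saying the source is already executable) would make that explicit.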
diff --git a/ops/cynerd_account b/ops/cynerd_account
new file mode 100644
index 0000000..941ff66
--- /dev/null
+++ b/ops/cynerd_account
@@ -0,0 +1,65 @@
+# vim:ft=sh:noexpandtab
+# My personal account
+
+# Configuration options:
+# CYNERD_ACCOUNT_GROUPS - Additional groups to default cynerd,wheel
+# CYNERD_ACCOUNT_SSH_KEY - ssh public key to be added as authorized_keys
+# CYNERD_ACCOUNT_CONFIGS - myconfigs branch (currently accepting only server)
+
+. tools/grusr
+. tools/package
+. tools/git
+
+CYNERD_ACCOUNT_ARGS=""
+CYNERD_ACCOUNT_MYCNF_GIT=""
+
+cynerd_account_check() {
+ package_check zsh || CYNERD_ACCOUNT_NEED="zsh"
+ user_check $CYNERD_ACCOUNT_ARGS || CYNERD_ACCOUNT_NEED="$CYNERD_ACCOUNT_NEED user"
+ # TODO check that we have correct ssh key
+ package_check rsync || CYNERD_ACCOUNT_NEED="$CYNERD_ACCOUNT_NEED rsync"
+ git_check $CYNERD_ACCOUNT_MYCNF_GIT || CYNERD_ACCOUNT_NEED="$CYNERD_ACCOUNT_NEED myconfigs"
+ if [ -n "$CYNERD_ACCOUNT_NEED" ]; then
+ echo_info "Cynerd account requires update of these components: $CYNERD_ACCOUNT_NEED"
+ return 1
+ fi
+}
+
+cynerd_account_prepare() {
+ for N in $CYNERD_ACCOUNT_NEED; do
+ case "$N" in
+ zsh|rsync)
+ package_prepare "$N" || return 1
+ ;;
+ user)
+ user_prepare $CYNERD_ACCOUNT_ARGS || return 1
+ ;;
+ myconfigs)
+ git_prepare $CYNERD_ACCOUNT_MYCNF_GIT || return 1
+ ;;
+ esac
+ done
+}
+
+cynerd_account_apply() {
+ for N in $CYNERD_ACCOUNT_NEED; do
+ case "$N" in
+ zsh|rsync)
+ package_apply "$N" || return 1
+ ;;
+ user)
+ user_apply $CYNERD_ACCOUNT_ARGS || return 1
+ ;;
+ myconfigs)
+ git_apply $CYNERD_ACCOUNT_MYCNF_GIT || return 1
+ ;;
+ esac
+ done
+}
+
+cynerd_account_clean() {
+ local FAIL=0
+ package_clean zsh rsync || FAIL=1
+ git_clean $CYNERD_ACCOUNT_MYCNF_GIT || FAIL=1
+ return $FAIL
+}
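Review bot: `CYNERD_ACCOUNT_NEED` is never initialised, unlike `CYNERD_ACCOUNT_ARGS` and `CYNERD_ACCOUNT_MYCNF_GIT`, so a value inherited from the environment is treated as a list of components to update; add `CYNERD_ACCOUNT_NEED=""` next to the other two and reset it at the top of `cynerd_account_check`. `user_check $CYNERD_ACCOUNT_ARGS` and the `git_*` calls pass the variables unquoted; if that word-splitting is intended, a comment saying so would help, since the `tools/*` files defining those functions are empty in this commit. Unlike the other ops, this check does not call `ops_set_current`, so `ops_is_required`/`ops_required_list` would report the previous op's state if ever used here.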
diff --git a/ops/firewall b/ops/firewall
new file mode 100644
index 0000000..e20b730
--- /dev/null
+++ b/ops/firewall
@@ -0,0 +1,65 @@
+# vim:ft=sh:noexpandtab
+# Firewall configuration (iptables on linux)
+# TODO FreeBSD
+
+FIREWALL_PREFIX="./files/firewall/$(hostname)"
+
+firewall_check_common() {
+ if do_diff "./files/firewall/$2.conf" "/etc/conf.d/$2" \
+ "Firewall IPv$1 service config changes"; then
+ ops_require "ipv$1_config"
+ fi
+ if do_diff "$FIREWALL_PREFIX.ipv$1" "/etc/iptables/ipv$1" \
+ "Firewall IPv$1 changes"; then
+ ops_require "ipv$1"
+ fi
+}
+
+firewall_check() {
+ ops_set_current firewall
+ if ! ( which iptables && which ip6tables ) >/dev/null; then
+ echo_error "Firewall operation requires iptables and ip6tables."
+ return 0
+ fi
+
+ firewall_check_common 4 iptables
+ [ -n "$FIREWALL_NO_IPV6" ] && [ "$FIREWALL_NO_IPV6" = "true" ] || \
+ firewall_check_common 6 ip6tables
+
+ ops_required_any "Firewall" # return 1 fall trough
+}
+
+firewall_prepare() {
+ # We have nothing to do for prepare
+ true
+}
+
+firewall_apply_common() {
+ local RELOAD=false
+ if ops_is_required "ipv$1_config"; then
+ echo_trace "Updating $2 service config"
+ cp "./files/firewall/$2.conf" "/etc/conf.d/$2"
+ RELOAD=true
+ fi
+ if ops_is_required "ipv$1"; then
+ echo_trace "Updating ipv$1 tables"
+ mkdir -p /etc/iptables
+ cp "$FIREWALL_PREFIX.ipv$1" "/etc/iptables/ipv$1"
+ RELOAD=true
+ fi
+ if $RELOAD; then
+ echo_trace "Reloading service $2"
+ service "$2" reload
+ fi
+}
+
+firewall_apply() {
+ ops_set_current firewall
+ firewall_apply_common 4 iptables
+ firewall_apply_common 6 ip6tables
+}
+
+firewall_clean() {
+ # We have nothing to do for clean
+ true
+}
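Review bot: `firewall_check` honours `FIREWALL_NO_IPV6` but `firewall_apply` calls `firewall_apply_common 6 ip6tables` unconditionally; it is harmless today only because nothing registers `ipv6` requirements in that case, so the same guard belongs in apply or a comment should state the dependency. `[ -n "$FIREWALL_NO_IPV6" ] && [ "$FIREWALL_NO_IPV6" = "true" ]` reduces to `[ "$FIREWALL_NO_IPV6" = "true" ]`. Copying rule files into `/etc/iptables` with a bare `cp` leaves their mode to the source and umask; rules are normally kept root-only, so a `chmod 600 "/etc/iptables/ipv$1"` after the copy is worth adding.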
diff --git a/ops/multiconfig b/ops/multiconfig
new file mode 100644
index 0000000..cee4d78
--- /dev/null
+++ b/ops/multiconfig
@@ -0,0 +1,41 @@
+# vim:ft=sh:noexpandtab
+# Multiconfig system configuration
+
+# TODO setup cron
+# TODO configure sending email account
+# TODO configure keys
+# TODO setup root ssh key to access git repo
+
+MULTICONFIG_SCRIPT="./scripts/multiconfig.sh"
+MULTICONFIG_CRON_SCRIPT="./scripts/multiconfig-cron.sh"
+
+multiconfig_check() {
+ ops_set_current multiconfig
+
+ if do_diff "$MULTICONFIG_SCRIPT" "/usr/local/bin/multiconfig.sh" \
+ "Multiconfig script changes"; then
+ ops_require script
+ fi
+
+ if do_diff "$MULTICONFIG_CRON_SCRIPT" "/etc/cron.daily/multiconfig" \
+ "Multiconfig cron script changes"; then
+ ops_require cron
+ fi
+
+ ops_required_any "Multiconfig" # return 1 fall trough
+}
+
+multiconfig_prepare() {
+ # We have nothing to do for prepare
+ true
+}
+
+multiconfig_apply() {
+ ops_set_current multiconfig
+
+}
+
+multiconfig_clean() {
+ # We have nothing to do for clean
+ true
+}
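Review bot: `multiconfig_apply` only calls `ops_set_current` and then ends, while `multiconfig_check` registers `script` and `cron` requirements for it, so the operation is reported as needing an update on every run and nothing is ever installed (the `firewall` op, by contrast, acts on what its check registers). The TODOs at the top suggest this is known, but since run.sh now forces `multiconfig` into `OPERATIONS`, every host hits it. A minimal apply mirroring `firewall_apply_common` is below; the `chmod 755` matters for the cron script, which this commit adds with mode 100644.
```shell
multiconfig_apply() {
	ops_set_current multiconfig
	if ops_is_required script; then
		echo_trace "Updating multiconfig script"
		cp "$MULTICONFIG_SCRIPT" "/usr/local/bin/multiconfig.sh"
		chmod 755 "/usr/local/bin/multiconfig.sh"
	fi
	if ops_is_required cron; then
		echo_trace "Updating multiconfig cron script"
		cp "$MULTICONFIG_CRON_SCRIPT" "/etc/cron.daily/multiconfig"
		chmod 755 "/etc/cron.daily/multiconfig"
	fi
}
```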
diff --git a/ops/openvpn b/ops/openvpn
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/ops/openvpn
diff --git a/ops/wireguard b/ops/wireguard
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/ops/wireguard
diff --git a/run.sh b/run.sh
index 7a0ae4c..d0e7c71 100755
--- a/run.sh
+++ b/run.sh
@@ -3,16 +3,13 @@ set -e
# Go to root directory
cd "$(dirname $0)"
-# Include utilities
+# Include basic utilities
. utils/echo
REQ_OPS=
while [ $# -gt 0 ]; do
case "$1" in
- -h|--help)
- # TODO
- ;;
--verbose|-v)
echo_verbose + 1
;;
@@ -24,7 +21,11 @@ while [ $# -gt 0 ]; do
REQ_OPS="$REQ_OPS $1"
;;
--key)
- KEY_FILE=""
+ shift
+ KEY_FILE="$1"
+ ;;
+ *)
+ echo_die "Unknown argument: $1"
;;
esac
shift
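Review bot: `--key` given as the last argument leaves `$1` empty after the added `shift`, so `KEY_FILE` becomes the empty string and the `shift` at the bottom of the loop then fails on an empty argument list, aborting through `set -e` with no diagnostic; guard the arm with `[ $# -ge 2 ] || echo_die "--key requires a file argument"` before the `shift`. The arm just above that appends `$1` to `REQ_OPS` looks like it has the same shape and would need the same check. The `while` loop this hunk belongs to starts outside the hunk.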
@@ -34,10 +35,21 @@ done
[ -f hosts/"$(hostname)" ] || echo_die "No configuration for host $(hostname) found."
. hosts/"$(hostname)"
-# Run system sanity checks
-. utils/syscheck
-# Identify some variables from system
+# Update git submodules
+git submodule update --init --recursive || echo_die "Git submodule update failed!"
+
+# Include rest of the utilities
+. utils/ops
+. utils/encrypt
. utils/identify
+. utils/syscheck # This performs system check
+. utils/cleaner
+. utils/lock # This also creates lock
+. utils/fdata
+. utils/diff
+
+# Always add multiconfig operation
+OPERATIONS="multiconfig $OPERATIONS"
# Include enabled operations
for OPT in $OPERATIONS; do
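Review bot: `. utils/encrypt` runs `gpg2`/`openssl` at source time to recover `SECRET_KEY`, yet it is sourced before `. utils/syscheck`, which is where the presence of those tools is verified, so a missing tool surfaces as a raw command error instead of `echo_die`. Moving the include after syscheck is not possible as-is because syscheck's new `catdecrypt` test needs it, so either split the tool checks out of syscheck or have utils/encrypt verify `command -v openssl` itself. `git submodule update --init --recursive` likewise runs before any sanity check and fetches over ssh per `.gitmodules`; on an unattended run a prompting or failing fetch stops here. The comment `# This also creates lock` overstates utils/lock, which in this commit contains only TODOs. The `for OPT` loop this hunk ends on continues outside the hunk.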
@@ -48,13 +60,11 @@ for OPT in $OPERATIONS; do
fi
done
-# TODO do we want to have some explicit sorting?
-
# Check if operations need some update
if [ -z "$REQ_OPS" ]; then
for OPT in $OPERATIONS; do
if ! "$OPT"_check; then
- echo_info "Scheduled: $OPT"
+ echo_info "$OPT scheduled"
REQ_OPS="$REQ_OPS $OPT"
fi
done
diff --git a/scripts/encrypt_file.sh b/scripts/encrypt_file.sh
new file mode 100755
index 0000000..cee8c86
--- /dev/null
+++ b/scripts/encrypt_file.sh
@@ -0,0 +1,12 @@
+#!/bin/sh
+set -e
+
+F="$(readlink -f "$1")"
+
+cd "$(dirname "$0")/.."
+
+TMP="$(mktemp)"
+KEY="$(gpg2 --decrypt files/keys/primary.gpg)"
+
+PASS_ENC="$KEY" openssl aes-192-cbc -e -a -pass env:PASS_ENC -in "$F" -out "$TMP"
+mv "$TMP" "$F"
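Review bot: Nothing removes `$TMP` if `openssl` fails between `mktemp` and `mv`; with `set -e` the script exits right there and leaves the file behind, so add `trap 'rm -f "$TMP"' EXIT` after the `mktemp` line. The `mv` also replaces the original with a file carrying mktemp's mode (0600) and the invoking user's ownership rather than the original's, which may or may not be intended for repository files. Passing the key through `PASS_ENC` in the environment rather than argv is the right choice; note the plaintext original is unlinked, not overwritten, which is normal for a git checkout but worth knowing when encrypting in place.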
diff --git a/scripts/multiconfig-cron.sh b/scripts/multiconfig-cron.sh
new file mode 100644
index 0000000..97bd82d
--- /dev/null
+++ b/scripts/multiconfig-cron.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+/usr/local/bin/multiconfig.sh --syslog -v -v
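Review bot: This file is added with mode 100644 while the other scripts are 100755; if it is installed into `/etc/cron.daily` with a plain `cp` (the path `multiconfig_check` compares against), run-parts skips a non-executable file and the daily run never happens. Either commit it executable or `chmod 755` it on install. Running with `-v -v` also sends trace-level output to syslog every day, which may be louder than wanted once things work.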
diff --git a/scripts/multiconfig.sh b/scripts/multiconfig.sh
new file mode 100755
index 0000000..1519e48
--- /dev/null
+++ b/scripts/multiconfig.sh
@@ -0,0 +1,73 @@
+#!/bin/sh
+set -e
+
+ARGS=""
+LOCAL=false
+SYSLOG=false
+
+# TODO email notifications
+
+while [ $# -gt 0 ]; do
+ case "$1" in
+ -h|--help)
+ echo "Multiconfig system call script"
+ echo "Usage: multiconfig.sh [OPTION]..."
+ echo
+ echo "Options:"
+ echo "--local - Use current working directory as multiconfig source."
+ echo "--syslog - pipe output to syslog"
+ echo "Passed options:"
+ echo "--verbose - Make output more verbose"
+ echo "--quiet - Make output more quiet"
+ echo "--operation OPT - run only given operation"
+ exit 0
+ ;;
+ --verbose|-v|--quiet|-q)
+ ARGS="$ARGS $1"
+ ;;
+ --operation|-o)
+ ARGS="$ARGS $1 $2"
+ shift
+ ;;
+ --local)
+ LOCAL=true
+ ;;
+ --syslog)
+ SYSLOG=true
+ ;;
+ esac
+ shift
+done
+
+[ "$(id -u)" == 0 ] || {
+ echo "Please run this script only as root."
+ exit 1
+}
+
+PREFIX="/root/.multiconfig"
+
+# Check if we have key
+if [ ! -f "$PREFIX/key" ]; then
+ echo "Key is not in expected path. Please setup this host for multiconfig."
+ exit 1
+fi
+
+# TODO check key access rights
+
+if ! $LOCAL; then
+ if [ -d "$PREFIX/repo" ]; then
+ true
+ # TODO git clone
+ fi
+ cd "$PREFIX/repo"
+ # Pull git repository
+ git fetch
+ git reset --hard origin/master
+ git clean -xdf
+fi
+
+# TODO check repository signature
+
+CMD="./run.sh --key $PREFIX/key $ARGS"
+# Run command
+$CMD
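Review bot: `[ "$(id -u)" == 0 ]` uses `==`, which is not a POSIX `test` operator; under `#!/bin/sh` on dash this is "unexpected operator" and `set -e` aborts before the root check is ever evaluated, so use `[ "$(id -u)" = 0 ]`. The clone guard `if [ -d "$PREFIX/repo" ]` is inverted for what its TODO describes (`if [ ! -d "$PREFIX/repo" ]`), and on a first run `cd "$PREFIX/repo"` fails. `git fetch` and `git reset --hard origin/master` followed by `./run.sh` execute whatever the remote serves, as root, with no verification; the signature TODO should gate the reset, e.g. `git verify-commit origin/master || exit 1` before `git reset --hard`. `$CMD` relies on word splitting, so an operation name or `$PREFIX` with spaces would break the call.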
diff --git a/scripts/setup.sh b/scripts/setup.sh
new file mode 100755
index 0000000..5ca4211
--- /dev/null
+++ b/scripts/setup.sh
@@ -0,0 +1,38 @@
+#!/bin/sh
+set -e
+
+while [ $# -gt 0 ]; do
+ case "$1" in
+ -h|--help)
+ echo "Multiconfig system setup script"
+ echo "Usage: setup.sh"
+ exit 0
+ ;;
+ esac
+ shift
+done
+
+# Move to multiconfig root
+cd "$(dirname "$(dirname "$(readlink -f "$1")")")"
+
+PREFIX="/root/.multiconfig"
+
+echo "Creating directory $PREFIX"
+sudo mkdir -p "$PREFIX"
+
+# Manage new key
+echo "Generating new key for this host"
+KEY="$(tr -dc A-Za-z0-9_ < /dev/urandom | head -c 128 | xargs)"
+sudo -- sh -c "echo -n '$KEY' > '$PREFIX/key'"
+# TODO setup access rights
+
+echo -n "$KEY" > wkey
+FKEY="files/keys/$(hostname)"
+echo "Writing key to repository"
+gpg2 --decrypt files/keys/primary.gpg | \
+ openssl aes-192-cbc -e -a -kfile wkey -out "$FKEY"
+rm -f wkey
+echo "Don't forget to add key to git!"
+
+# Deploy multiconfig script
+sudo cp scripts/multiconfig.sh /usr/local/bin/multiconfig.sh
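Review bot: `cd "$(dirname "$(dirname "$(readlink -f "$1")")")"` runs after the `while` loop has shifted every argument away, so `$1` is empty, `readlink -f ""` fails and `set -e` aborts; it should be `$0`. The host key is embedded in the command string of `sudo -- sh -c "echo -n '$KEY' > ..."`, which exposes it in process listings and in sudo's logged command; `printf '%s' "$KEY" | sudo tee "$PREFIX/key" >/dev/null` keeps it off argv and is also portable (`echo -n` is not under `/bin/sh`). `wkey` is written into the repository root with the default umask before `openssl -kfile` reads it; `umask 077` at the top, or a `mktemp` file, avoids a world-readable copy during the run. `mkdir -p "$PREFIX"` without a mode leaves `/root/.multiconfig` to the umask too, so `chmod 700 "$PREFIX"` belongs with the access-rights TODO.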
diff --git a/tools/git b/tools/git
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tools/git
diff --git a/tools/grusr b/tools/grusr
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tools/grusr
diff --git a/tools/package b/tools/package
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tools/package
diff --git a/utils/cleaner b/utils/cleaner
new file mode 100644
index 0000000..4919085
--- /dev/null
+++ b/utils/cleaner
@@ -0,0 +1,23 @@
+# vim:ft=sh:noexpandtab
+# Functions for cleanups
+
+EXIT_CODE=0
+
+do_cleanup() {
+ echo "$CLEANUP_ACTIONS" | while read CMD; do
+ eval "$CMD"
+ done
+ exit $EXIT_CODE
+}
+
+trap do_cleanup EXIT INT QUIT TERM ABRT
+
+cleaner_add() {
+ CLEANUP_ACTIONS="$CLEANUP_ACTIONS
+$@"
+}
+
+cleaner_rm() {
+ # TODO this might be problematic with special characters
+ CLEANUP_ACTIONS="$(echo "$CLEANUP_ACTIONS" | sed "/^$@$/d")"
+}
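Review bot: `trap do_cleanup EXIT INT QUIT TERM ABRT` makes `do_cleanup` run twice on a signal: the signal trap calls `exit $EXIT_CODE`, which then fires the EXIT trap, so every queued command is `eval`ed a second time; add `trap - EXIT` as the first line of `do_cleanup`. `read CMD` without `-r` mangles backslashes in stored commands, and `$@` inside a double-quoted assignment behaves like `$*`, so `"$*"` says what is meant. Since the entries are later `eval`ed with the tool's privileges, `cleaner_add` callers must only pass fixed strings they composed themselves (as utils/fdata does); a comment stating that contract on `cleaner_add` would help the next op author.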
diff --git a/utils/diff b/utils/diff
new file mode 100644
index 0000000..0d093c7
--- /dev/null
+++ b/utils/diff
@@ -0,0 +1,28 @@
+# vim:ft=sh:noexpandtab
+# Clever diff function
+
+# TODO directory diff
+
+# This function does diff and reports changes on debug level
+# First and second arguments have to be paths to compared files and third argument
+# have to be a debug message prepended string.
+# It exits with nonzero exit code if there is no difference.
+do_diff() {
+ if [ ! -f "$1" ]; then
+ echo_error "No reference file to compare to: $1"
+ return 1 # We pretend that there is no change as reference file is missing
+ fi
+ if [ ! -f "$2" ]; then
+ echo_dbg "$3: No target file"
+ return 0
+ fi
+
+ # Do real diff if both files exists
+ local DIFF="$(diff --suppress-common-lines -ay "$1" "$2")"
+ if [ -n "$DIFF" ]; then
+ echo_dbg "$3:
+$DIFF"
+ else
+ return 1
+ fi
+}
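Review bot: The header comment says the function "exits with nonzero exit code if there is no difference" — it returns rather than exits, and `return 1` is also used for the missing-reference case, so callers cannot distinguish "identical" from "reference missing" except by the logged error; the comment should say so. `diff -y` truncates each side to half the output width (130 columns by default), so the debug dump can hide the tail of long lines even though the non-empty test stays correct; `diff -u` would be complete and easier to read in logs. The comparison is content-only: a mode or ownership change on the target is not detected, which matters for the init scripts and key material the ops copy on the strength of this check.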
diff --git a/utils/echo b/utils/echo
index c936f63..eeb8fa9 100644
--- a/utils/echo
+++ b/utils/echo
@@ -5,21 +5,21 @@ ECHO_VERBOSE=0
echo_info() {
set +x
- [ $ECHO_VERBOSE -ge 0 ] || return
+ [ $ECHO_VERBOSE -ge 0 ] || return 0
echo -e "\e[1;34m$@\e[0m" >&2
[ $ECHO_VERBOSE -lt 3 ] || set -x
}
echo_warn() {
set +x
- [ $ECHO_VERBOSE -ge -1 ] || return
+ [ $ECHO_VERBOSE -ge -1 ] || return 0
echo -e "\e[1;33m$@\e[0m" >&2
[ $ECHO_VERBOSE -lt 3 ] || set -x
}
echo_error() {
set +x
- [ $ECHO_VERBOSE -ge -2 ] || return
+ [ $ECHO_VERBOSE -ge -2 ] || return 0
echo -e "\e[1;31m$@\e[0m" >&2
[ $ECHO_VERBOSE -lt 3 ] || set -x
}
@@ -31,20 +31,21 @@ echo_die() {
fi
[ $ECHO_VERBOSE -lt 3 ] || set -x
# Suicide
+ EXIT_CODE=2
kill $$
}
echo_dbg() {
set +x
- [ $ECHO_VERBOSE -ge 1 ] || return
+ [ $ECHO_VERBOSE -ge 1 ] || return 0
echo -e "\e[1;90m$@\e[0m" >&2
[ $ECHO_VERBOSE -lt 3 ] || set -x
}
echo_trace() {
set +x
- [ $ECHO_VERBOSE -ge 2 ] || return
- echo -e "\e[1;90m$@\e[0m" >&2
+ [ $ECHO_VERBOSE -ge 2 ] || return 0
+ echo -e "\e[0;90m$@\e[0m" >&2
[ $ECHO_VERBOSE -lt 3 ] || set -x
}
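Review bot: `EXIT_CODE=2` only reaches the process exit status if the `do_cleanup` trap from utils/cleaner is already installed when `echo_die` runs; run.sh calls `echo_die` during argument parsing and the host lookup before `. utils/cleaner`, so there the process dies from an uncaught SIGTERM with no cleanup. When `echo_die` runs inside a `$(...)` substitution the assignment happens in a subshell and is lost, although `kill $$` still reaches the main shell. A comment on the new line, e.g. `# Picked up by the EXIT trap in utils/cleaner; no effect before it is sourced`, would make the coupling explicit, or utils/echo could install the trap itself.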
diff --git a/utils/encrypt b/utils/encrypt
new file mode 100644
index 0000000..d1cb938
--- /dev/null
+++ b/utils/encrypt
@@ -0,0 +1,42 @@
+# vim:ft=sh:noexpandtab
+# Allows work with encrypted files using their temporally copy.
+
+if [ -n "$KEY_FILE" ] && [ -f "files/keys/$(hostname)" ]; then
+ SECRET_KEY="$(openssl aes-192-cbc -d -a -kfile "$KEY_FILE" -in files/keys/"$(hostname)")"
+else
+ SECRET_KEY="$(gpg2 --decrypt files/keys/primary.gpg)"
+fi
+
+# Decrypt to temporally file in /tmp
+# First argument should be the path to file to be decrypted and second argument
+# output file.
+fdecrypt() {
+ PASS_ENC="$SECRET_KEY" openssl aes-192-cbc -d -a -pass env:PASS_ENC -in "$1" -out "$2"
+}
+
+# Encrypt given file to target path
+# First argument have to be a path to file to be encrypted and second argument
+# output file.
+fencprypt() {
+ PASS_ENC="$SECRET_KEY" openssl aes-192-cbc -e -a -pass env:PASS_ENC -in "$1" -out "$2"
+}
+
+# Decrypt file to temporally one
+# First argument have to be path to file to be extracted.
+tfdecrypt() {
+ local TEMPF="$(mktemp /tmp/multiconfig_XXXXXXXX)"
+ fdecrypt "$1" "$TEMPF"
+ echo "$TEMPF"
+}
+
+# Cat decrypted file
+# First argument have to be a path to file to be catted.
+catdecrypt() {
+ PASS_ENC="$SECRET_KEY" openssl aes-192-cbc -d -a -pass env:PASS_ENC -in "$1"
+}
+
+# Encrypt stdin to file
+# First argument have to be a path to output file.
+outencrypt() {
+ PASS_ENC="$SECRET_KEY" openssl aes-192-cbc -e -a -pass env:PASS_ENC -out "$2"
+}
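Review bot: `outencrypt` writes to `"$2"` although its comment says the output file is the first argument and the other helpers here use `$1`; called with one argument it runs `-out ""` and fails, so this should be `-out "$1"`. `fencprypt` looks like a typo for `fencrypt`; renaming now avoids callers depending on the misspelling. `tfdecrypt` leaves a plaintext copy of the decrypted file in /tmp and never registers its removal — `cleaner_add "rm -f '$TEMPF'"` after the `mktemp` line would tie it to the cleanup utils/fdata already uses. The `openssl aes-192-cbc` calls rely on OpenSSL's default key derivation, whose digest changed between 1.0 and 1.1, so files encrypted on one host may not decrypt on another unless `-md` (or `-pbkdf2` where available) is pinned; CBC without a MAC also provides no integrity, so a corrupted or tampered file decrypts to garbage silently.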
diff --git a/utils/fdata b/utils/fdata
new file mode 100644
index 0000000..4d36242
--- /dev/null
+++ b/utils/fdata
@@ -0,0 +1,36 @@
+# vim:ft=sh:noexpandtab
+# Datasets on filesystem
+
+FDATA_PATH="/tmp/multiconfig-fdata"
+mkdir -p "$FDATA_PATH"
+cleaner_add "rm -rf '$FDATA_PATH'"
+
+dict_set() {
+ local DPATH="$FDATA_PATH/$1"; shift
+ mkdir -p "$DPATH"
+ local FPATH="$DPATH/$1"; shift
+ echo "$@" > "$FPATH"
+}
+
+dict_get() {
+ local P="$FDATA_PATH/$1/$2"
+ [ -f "$P" ] || return
+ cat "$P"
+}
+
+dict_keys() {
+ local P="$FDATA_PATH/$1"
+ if [ -d "$P" ]; then
+ ls -A "$P" | tr '\n' ' '
+ fi
+}
+
+dict_contains() {
+ local P="$FDATA_PATH/$1/$2"
+ [ -f "$P" ]
+}
+
+dict_empty() {
+ local P="$FDATA_PATH/$1"
+ [ ! -d "$P" ] || [ -z "$(ls -A "$P")" ]
+}
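Review bot: `FDATA_PATH="/tmp/multiconfig-fdata"` is a fixed, predictable path and `mkdir -p` reuses a pre-existing directory (or follows a symlink) owned by anyone, after which `dict_set` writes through it with the tool's privileges and cleanup runs `rm -rf` on it; use `FDATA_PATH="$(mktemp -d /tmp/multiconfig-fdata.XXXXXX)"` and drop the `mkdir -p`. A fixed path also means two concurrent runs share state, which utils/lock is meant to prevent but does not yet. `dict_keys` parses `ls -A` output, which is fine for the fixed component names utils/ops writes but would break on names with whitespace; a comment noting that assumption would suffice.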
diff --git a/utils/install b/utils/install
new file mode 100644
index 0000000..852163e
--- /dev/null
+++ b/utils/install
@@ -0,0 +1,7 @@
+# vim:ft=sh:noexpandtab
+# Various install functions
+
+# Install directory of file
+install() {
+ true
+}
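Review bot: Defining a shell function named `install` shadows the coreutils `install` command for the rest of the run, so any op that later calls `install -m 644 ...` hits this stub and succeeds without doing anything; give it a prefixed name such as `install_file`, in line with the `do_diff`/`dict_*` naming elsewhere. The header comment `# Install directory of file` does not yet describe what the function will do; a `# TODO` marker like the other stubs would be clearer.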
diff --git a/utils/lock b/utils/lock
new file mode 100644
index 0000000..9d02dae
--- /dev/null
+++ b/utils/lock
@@ -0,0 +1,5 @@
+# vim:ft=sh:noexpandtab
+# This implements lock to check to run tool just once
+
+# TODO create lock and fail if no lock is present
+# TODO remove lock at the exit using cleaner
diff --git a/utils/ops b/utils/ops
new file mode 100644
index 0000000..1365ec8
--- /dev/null
+++ b/utils/ops
@@ -0,0 +1,30 @@
+# vim:ft=sh:noexpandtab
+# Utility functions for operations
+
+# Set operation we are working on
+ops_set_current() {
+ OPERATION_CURRENT="$1"
+}
+
+ops_require() {
+ while [ $# -gt 0 ]; do
+ dict_set "ops/$OPERATION_CURRENT" "$1" true
+ shift
+ done
+}
+
+ops_required_any() {
+ if ! dict_empty "ops/$OPERATION_CURRENT"; then
+ echo_warn "$1 requires update for following components: $(ops_required_list)"
+ else
+ return 1
+ fi
+}
+
+ops_is_required() {
+ dict_contains "ops/$OPERATION_CURRENT" "$1"
+}
+
+ops_required_list() {
+ dict_keys "ops/$OPERATION_CURRENT"
+}
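Review bot: `ops_required_any` returns 0 when components are required (the status of `echo_warn`) and 1 when none are, but run.sh schedules an op when `"$OPT"_check` returns nonzero, and `cynerd_account_check` follows that convention by returning 1 when work is needed; the `_check` functions that end in `ops_required_any ... # return 1 fall trough` therefore look inverted — ops with pending changes are not scheduled and idle ones are. If I read run.sh correctly, swap the branches: `return 1` after the `echo_warn`, `return 0` when `dict_empty` holds. `OPERATION_CURRENT` is a plain global set by `ops_set_current`; `cynerd_account_check` never calls it, so a stale value from the previous op would be used there.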
diff --git a/utils/syscheck b/utils/syscheck
index a0c29a0..fcddae4 100644
--- a/utils/syscheck
+++ b/utils/syscheck
@@ -3,19 +3,19 @@
# Check that we are root (this tool can be run only as root)
# TODO uncomment
-# [ "$(id -u)" = "0" ] || echo_die "Distconfig have to be run as root."
+# [ "$(id -u)" = "0" ] || echo_die "Multiconfig have to be run as root."
-# We have sudo or su
-which sudo >/dev/null || which su >/dev/null || echo_die "There is no sudo or su command."
+# We have su
+which su >/dev/null || echo_die "There is no su command."
# Check that we are not using csh or tcsh
# Note: variable shell should be defined only on csh or tcsh (note lowercase)
-[ -z "$shell" ] || echo_die "Distconfig doesn't support csh nor tcsh."
+[ -z "$shell" ] || echo_die "Multiconfig doesn't support csh nor tcsh."
# Check that we have gpg
which gpg >/dev/null || echo_die "There is no gpg command."
-# Check that trunk is signed using correct key
+# Check that git trunk is signed using trusted key
# TODO
# Check root owner (should be root)
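Review bot: The check verifies `which gpg`, but utils/encrypt, scripts/encrypt_file.sh and scripts/setup.sh all invoke `gpg2`; on a host with only one of the two binaries the check and the actual call disagree, so test the command that is used, `which gpg2 >/dev/null || echo_die "There is no gpg2 command."`, or switch the callers to `gpg`. `which` is not guaranteed on every target the TODOs mention (FreeBSD, openrc); `command -v` is the portable form. The root check stays commented out while the tool now writes under /etc and /root; if leaving it off is deliberate for development, a note saying so would stop it being read as an oversight.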
@@ -31,18 +31,16 @@ which openssl >/dev/null || echo_die "There is no openssl command."
# Check that we can decrypt using openssl and aes-192-cbc
OPENSSL_TEST_PASSWORD="XduF2T_opDknbzN0EyJJCBFyS1i6yaBU5Beb6IZkFVHWZGWOIZCF1Cc0zrupjEaV"
-[ "$(openssl aes-192-cbc -d -a -k "$OPENSSL_TEST_PASSWORD" < files/openssl_test_file)" = "It works!" ] || \
+[ "$(openssl aes-192-cbc -d -a -k "$OPENSSL_TEST_PASSWORD" -in files/openssl_test_file)" = "It works!" ] || \
echo_die "Test message couldn't been decrypted."
-# Check that we have key file
-[ -n "$KEY_FILE" ] || echo_die "No key specified. Please pass --key."
-
# Check that given key works with our machinery
-# TODO
+[ "$(catdecrypt files/encrypted_test)" = "It works!" ] || \
+ echo_die "Encryption machinery failed to decrypt test file"
# Check that we have internet connection
-DC_INTERNET=true
-if ! ping -c 5 -w 30 cynerd.cz >/dev/null; then
- echo_warn "No internet connection detected. All operations requiring internet connection will be skipped"
- DC_INTERNET=false
-fi
+#DC_INTERNET=true
+#if ! ping -c 5 -w 30 cynerd.cz >/dev/null; then
+# echo_warn "No internet connection detected. All operations requiring internet connection will be skipped"
+# DC_INTERNET=false
+#fi
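Review bot: This commit deletes `files/openssl_test_file` (see the earlier hunk), yet the modified line still decrypts `-in files/openssl_test_file`, so unless the new `files` submodule ships a file of that name this check fails on every run with "Test message couldn't been decrypted". Removing the `KEY_FILE` requirement means utils/encrypt silently falls back to `gpg2 --decrypt files/keys/primary.gpg` when `--key` is omitted, which is fine interactively but on the cron path will hang or fail at the gpg prompt before this check can explain why; a dedicated message when neither `KEY_FILE` nor a usable gpg key is present would help. `files/encrypted_test` is likewise not added by this commit (presumably also expected from the submodule), and `couldn't been decrypted` should read `could not be decrypted`.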