From f287ecedc78c0cc8fb485c5995b8d1cfae9f0fe8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Karel=20Ko=C4=8D=C3=AD?=
Date: Wed, 20 Sep 2017 21:19:05 +0200
Subject: Commit current state
---
ops/bridge_net | 72 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
ops/cynerd_account | 65 ++++++++++++++++++++++++++++++++++++++++++++++++
ops/firewall | 65 ++++++++++++++++++++++++++++++++++++++++++++++++
ops/multiconfig | 41 +++++++++++++++++++++++++++++++
ops/openvpn | 0
ops/wireguard | 0
6 files changed, 243 insertions(+)
create mode 100644 ops/bridge_net
create mode 100644 ops/cynerd_account
create mode 100644 ops/firewall
create mode 100644 ops/multiconfig
create mode 100644 ops/openvpn
create mode 100644 ops/wireguard
(limited to 'ops')
diff --git a/ops/bridge_net b/ops/bridge_net
new file mode 100644
index 0000000..bab94ad
--- /dev/null
+++ b/ops/bridge_net
@@ -0,0 +1,72 @@
+# vim:ft=sh:noexpandtab
+# Bridge with dhcpd
+# TODO FreeBSD
+
+BRIDGE_NET_BRIDGE="./files/bridge_net/bridge.service"
+BRIDGE_NET_SYSCTL="./files/bridge_net/sysctl.conf"
+BRIDGE_NET_DHCPD="./files/bridge_net/dhcpd.conf"
+BRIDGE_NET_BRIDGE_DHCP="./files/bridge_net/bridge-dhcp.service"
+
+bridge_net_check() {
+ ops_set_current bridge_net
+ if ! ( which dhcpd ) >/dev/null; then
+ echo_error "Bridge_net expects dhcpd to be installed"
+ return 0
+ fi
+ # TODO check that we are using openrc otherwise this doesn't work
+
+ # Setup bridge service
+ if do_diff "$BRIDGE_NET_BRIDGE" "/etc/init.d/bridge" \
+ "Bridge service changes"; then
+ ops_require bridge_service
+ fi
+ # Setup ipv4 forward
+ if do_diff "$BRIDGE_NET_SYSCTL" "/etc/sysctl.d/bridge_net.conf" \
+ "Sysctl changes"; then
+ ops_require sysctl
+ fi
+ # DHCPd service
+ if do_diff "$BRIDGE_NET_BRIDGE_DHCP" "/etc/init.d/bridge-dhcp" \
+ "Bridge dhcp service changes"; then
+ ops_require bridge_dhcp_service
+ fi
+ # DHCPd configuration
+ if do_diff "$BRIDGE_NET_DHCPD" "/etc/dhcp/bridge_dhcpd.conf" \
+ "DHCPD configuration changes"; then
+ ops_require dhcpd_conf
+ fi
+
+ # TODO enable bridge_dhcp and bridge service
+
+ ops_required_any "Bridge_net" # return 1 fall trough
+}
+
+bridge_net_prepare() {
+ local BRIDGE_RESTART=false
+
+ if ops_is_required bridge_service; then
+ echo_trace "Updating bridge service"
+ cp "$BRIDGE_NET_BRIDGE" "/etc/init.d/bridge"
+ BRIDGE_RESTART=true
+ fi
+ if ops_is_required sysctl; then
+ echo_trace "Updating sysctl configuration for bridge"
+ cp "$BRIDGE_NET_SYSCTL" "/etc/sysctl.d/bridge"
+ fi
+
+ if $BRIDGE_RESTART; then
+ service bridge restart
+ fi
+}
+
+bridge_net_apply() {
+ # We have nothing to do for apply
+ # TODO
+ true
+}
+
+bridge_net_clean() {
+ # We have nothing to do for clean
+ # TODO
+ true
+}
diff --git a/ops/cynerd_account b/ops/cynerd_account
new file mode 100644
index 0000000..941ff66
--- /dev/null
+++ b/ops/cynerd_account
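Review bot: `bridge_net_prepare` installs the sysctl fragment as `/etc/sysctl.d/bridge`, while `bridge_net_check` diffs the same source against `/etc/sysctl.d/bridge_net.conf`, so the check reports "Sysctl changes" on every run and the file the check looks for is never written; most sysctl.d loaders only read `*.conf`, so the forwarding setting is presumably never applied either. The copy line should be `cp "$BRIDGE_NET_SYSCTL" "/etc/sysctl.d/bridge_net.conf"`. The `bridge_dhcp_service` and `dhcpd_conf` requirements raised in the check have no counterpart in prepare or apply, so `/etc/init.d/bridge-dhcp` and `/etc/dhcp/bridge_dhcpd.conf` are never installed; either handle them in prepare or extend the `# TODO` to say so. Both `cp` calls are unchecked and `service bridge restart` runs regardless, so a failed copy is followed by a restart on whatever init script is already in place; `cp "$BRIDGE_NET_BRIDGE" "/etc/init.d/bridge" || return 1` before setting `BRIDGE_RESTART=true` avoids that.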
@@ -0,0 +1,65 @@
+# vim:ft=sh:noexpandtab
+# My personal account
+
+# Configuration options:
+# CYNERD_ACCOUNT_GROUPS - Additional groups to default cynerd,wheel
+# CYNERD_ACCOUNT_SSH_KEY - ssh public key to be added as authorized_keys
+# CYNERD_ACCOUNT_CONFIGS - myconfigs branch (currently accepting only server)
+
+. tools/grusr
+. tools/package
+. tools/git
+
+CYNERD_ACCOUNT_ARGS=""
+CYNERD_ACCOUNT_MYCNF_GIT=""
+
+cynerd_account_check() {
+ package_check zsh || CYNERD_ACCOUNT_NEED="zsh"
+ user_check $CYNERD_ACCOUNT_ARGS || CYNERD_ACCOUNT_NEED="$CYNERD_ACCOUNT_NEED user"
+ # TODO check that we have correct ssh key
+ package_check rsync || CYNERD_ACCOUNT_NEED="$CYNERD_ACCOUNT_NEED rsync"
+ git_check $CYNERD_ACCOUNT_MYCNF_GIT || CYNERD_ACCOUNT_NEED="$CYNERD_ACCOUNT_NEED myconfigs"
+ if [ -n "$CYNERD_ACCOUNT_NEED" ]; then
+ echo_info "Cynerd account requires update of these components: $CYNERD_ACCOUNT_NEED"
+ return 1
+ fi
+}
+
+cynerd_account_prepare() {
+ for N in $CYNERD_ACCOUNT_NEED; do
+ case "$N" in
+ zsh|rsync)
+ package_prepare "$N" || return 1
+ ;;
+ user)
+ user_prepare $CYNERD_ACCOUNT_ARGS || return 1
+ ;;
+ myconfigs)
+ git_prepare $CYNERD_ACCOUNT_MYCNF_GIT || return 1
+ ;;
+ esac
+ done
+}
+
+cynerd_account_apply() {
+ for N in $CYNERD_ACCOUNT_NEED; do
+ case "$N" in
+ zsh|rsync)
+ package_apply "$N" || return 1
+ ;;
+ user)
+ user_apply $CYNERD_ACCOUNT_ARGS || return 1
+ ;;
+ myconfigs)
+ git_apply $CYNERD_ACCOUNT_MYCNF_GIT || return 1
+ ;;
+ esac
+ done
+}
+
+cynerd_account_clean() {
+ local FAIL=0
+ package_clean zsh rsync || FAIL=1
+ git_clean $CYNERD_ACCOUNT_MYCNF_GIT || FAIL=1
+ return $FAIL
+}
diff --git a/ops/firewall b/ops/firewall
new file mode 100644
index 0000000..e20b730
--- /dev/null
+++ b/ops/firewall
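Review bot: `cynerd_account_check` never resets `CYNERD_ACCOUNT_NEED`, and its first line assigns (`CYNERD_ACCOUNT_NEED="zsh"`) while the following lines append, so a second check in the same shell either keeps stale components or drops them depending on whether zsh happens to be installed; start the function with `CYNERD_ACCOUNT_NEED=""` and make the zsh line `package_check zsh || CYNERD_ACCOUNT_NEED="$CYNERD_ACCOUNT_NEED zsh"` for consistency. The header documents `CYNERD_ACCOUNT_GROUPS`, `CYNERD_ACCOUNT_SSH_KEY` and `CYNERD_ACCOUNT_CONFIGS`, but the code only reads `CYNERD_ACCOUNT_ARGS` and `CYNERD_ACCOUNT_MYCNF_GIT`, both set to the empty string, so the documented options have no effect and `user_check`/`git_check` are invoked with no arguments. With `# TODO check that we have correct ssh key` still open, an authorized_keys entry added or replaced on the host is not detected by this check, which is exactly the drift an account operation is there to catch; it is worth saying so in the header comment until the check exists. The unquoted `$CYNERD_ACCOUNT_ARGS` and `$CYNERD_ACCOUNT_MYCNF_GIT` are presumably deliberate word-splitting of argument lists; a one-line comment stating that would keep a later reader from "fixing" them with quotes.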
@@ -0,0 +1,65 @@
+# vim:ft=sh:noexpandtab
+# Firewall configuration (iptables on linux)
+# TODO FreeBSD
+
+FIREWALL_PREFIX="./files/firewall/$(hostname)"
+
+firewall_check_common() {
+ if do_diff "./files/firewall/$2.conf" "/etc/conf.d/$2" \
+ "Firewall IPv$1 service config changes"; then
+ ops_require "ipv$1_config"
+ fi
+ if do_diff "$FIREWALL_PREFIX.ipv$1" "/etc/iptables/ipv$1" \
+ "Firewall IPv$1 changes"; then
+ ops_require "ipv$1"
+ fi
+}
+
+firewall_check() {
+ ops_set_current firewall
+ if ! ( which iptables && which ip6tables ) >/dev/null; then
+ echo_error "Firewall operation requires iptables and ip6tables."
+ return 0
+ fi
+
+ firewall_check_common 4 iptables
+ [ -n "$FIREWALL_NO_IPV6" ] && [ "$FIREWALL_NO_IPV6" = "true" ] || \
+ firewall_check_common 6 ip6tables
+
+ ops_required_any "Firewall" # return 1 fall trough
+}
+
+firewall_prepare() {
+ # We have nothing to do for prepare
+ true
+}
+
+firewall_apply_common() {
+ local RELOAD=false
+ if ops_is_required "ipv$1_config"; then
+ echo_trace "Updating $2 service config"
+ cp "./files/firewall/$2.conf" "/etc/conf.d/$2"
+ RELOAD=true
+ fi
+ if ops_is_required "ipv$1"; then
+ echo_trace "Updating ipv$1 tables"
+ mkdir -p /etc/iptables
+ cp "$FIREWALL_PREFIX.ipv$1" "/etc/iptables/ipv$1"
+ RELOAD=true
+ fi
+ if $RELOAD; then
+ echo_trace "Reloading service $2"
+ service "$2" reload
+ fi
+}
+
+firewall_apply() {
+ ops_set_current firewall
+ firewall_apply_common 4 iptables
+ firewall_apply_common 6 ip6tables
+}
+
+firewall_clean() {
+ # We have nothing to do for clean
+ true
+}
diff --git a/ops/multiconfig b/ops/multiconfig
new file mode 100644
index 0000000..cee4d78
--- /dev/null
+++ b/ops/multiconfig
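Review bot: In `firewall_apply_common` both `cp` calls are unchecked and `RELOAD=true` is set regardless, so when the host-specific `$FIREWALL_PREFIX.ipv$1` file is missing or unreadable the service is still reloaded from whatever currently sits in `/etc/iptables/`, with the failure visible only in cp's stderr; guard each copy, e.g. `cp "$FIREWALL_PREFIX.ipv$1" "/etc/iptables/ipv$1" || return 1`, and do the same for the `/etc/conf.d/$2` copy. `firewall_check` skips IPv6 when `FIREWALL_NO_IPV6` is `true`, but `firewall_apply` calls `firewall_apply_common 6 ip6tables` unconditionally; this is harmless today because nothing gets required for ipv6 in that case, but the two should share the same condition so the intent survives later edits. The `return 0` in `firewall_check` when iptables is absent makes the check report nothing to do rather than fail, which means a host whose firewall is silently unmanaged looks healthy; if skipping unsupported hosts is deliberate, a comment on that line saying so would help.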
@@ -0,0 +1,41 @@
+# vim:ft=sh:noexpandtab
+# Multiconfig system configuration
+
+# TODO setup cron
+# TODO configure sending email account
+# TODO configure keys
+# TODO setup root ssh key to access git repo
+
+MULTICONFIG_SCRIPT="./scripts/multiconfig.sh"
+MULTICONFIG_CRON_SCRIPT="./scripts/multiconfig-cron.sh"
+
+multiconfig_check() {
+ ops_set_current multiconfig
+
+ if do_diff "$MULTICONFIG_SCRIPT" "/usr/local/bin/multiconfig.sh" \
+ "Multiconfig script changes"; then
+ ops_require script
+ fi
+
+ if do_diff "$MULTICONFIG_CRON_SCRIPT" "/etc/cron.daily/multiconfig" \
+ "Multiconfig cron script changes"; then
+ ops_require cron
+ fi
+
+ ops_required_any "Multiconfig" # return 1 fall trough
+}
+
+multiconfig_prepare() {
+ # We have nothing to do for prepare
+ true
+}
+
+multiconfig_apply() {
+ ops_set_current multiconfig
+
+}
+
+multiconfig_clean() {
+ # We have nothing to do for clean
+ true
+}
diff --git a/ops/openvpn b/ops/openvpn
new file mode 100644
index 0000000..e69de29
diff --git a/ops/wireguard b/ops/wireguard
new file mode 100644
index 0000000..e69de29
--
cgit v1.2.3
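Review bot: `multiconfig_apply` is empty after `ops_set_current multiconfig`, so the `script` and `cron` requirements raised by `multiconfig_check` are never acted on and every run will keep reporting the same diff; this looks like the work-in-progress the commit title describes, but as committed the operation cannot converge. Because `/etc/cron.daily/multiconfig` is executed by root, the install step should also guarantee the executable bit and ownership by the installing user rather than inheriting whatever mode the checkout has, which `install -m 0755` does in one step where `cp` does not. A sketch of the missing body follows; the check, prepare and clean functions are unchanged.

```shell
multiconfig_apply() {
	ops_set_current multiconfig
	if ops_is_required script; then
		echo_trace "Updating multiconfig script"
		install -m 0755 "$MULTICONFIG_SCRIPT" "/usr/local/bin/multiconfig.sh" || return 1
	fi
	if ops_is_required cron; then
		echo_trace "Updating multiconfig cron script"
		install -m 0755 "$MULTICONFIG_CRON_SCRIPT" "/etc/cron.daily/multiconfig" || return 1
	fi
}
```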