164 lines
6.1 KiB
Bash
Executable File
164 lines
6.1 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
|
|
# AUTHOR: Clemens Schwaighofer
|
|
# DATE: 2025/7/4
|
|
# DESC: Initial setup of the webhook clone folder structure
|
|
|
|
BASE_FOLDER=$(dirname "$(readlink -f "$0")")"/";
|
|
CONFIG_BASE="${BASE_FOLDER}../config/";
|
|
if [ -f "${CONFIG_BASE}webhook.cfg" ]; then
|
|
# shellcheck source=../config/webhook.cfg"
|
|
# shellcheck disable=SC1091
|
|
source <(grep "=" "${CONFIG_BASE}webhook.cfg" | sed 's/ *= */=/g')
|
|
fi;
|
|
|
|
# abort on not set
|
|
|
|
error=0;
|
|
if [ -z "${GIT_WEBHOOK_BASE_FOLDER}" ]; then
|
|
echo "[!] Missing GIT_WEBHOOK_BASE_FOLDER entry";
|
|
error=1;
|
|
fi;
|
|
if [ -z "${WWW_GROUP}" ]; then
|
|
echo "[!] Missing WWW_GROUP entry";
|
|
error=1;
|
|
elif ! getent group "${WWW_GROUP}" > /dev/null 2>&1; then
|
|
echo "[!] Group ${WWW_GROUP} does not exist. Is it the Apache web group?";
|
|
error=1;
|
|
fi;
|
|
if [ -z "${SUDO_USER}" ]; then
|
|
echo "[!] Missing SUDO_USER entry";
|
|
error=1;
|
|
elif [ "${USE_SUDO}" = "0" ] && ! id "${SUDO_USER}" &>/dev/null; then
|
|
echo "[!] SUDO is off, user must exist in system";
|
|
error=1;
|
|
fi;
|
|
# this script has to be run as root
|
|
if [ "$(whoami)" != "root" ]; then
|
|
echo "[!] Script must be run as root user";
|
|
error=1;
|
|
fi;
|
|
|
|
if [ $error -eq 1 ]; then
|
|
exit;
|
|
fi;
|
|
|
|
# Define base folders
|
|
CLONE_BASE="clone-base/"
|
|
LOG_FOLDER="log/"
|
|
SCRIPT_FOLDER="scripts/"
|
|
SECRETS_FOLDER="secrets/"
|
|
CONFIG_FOLDER="config/"
|
|
WWW_BASE="www/"
|
|
WWW_WEBHOOK_INCOMING="${WWW_BASE}webhook-incoming";
|
|
WWW_ADMIN="${WWW_BASE}admin";
|
|
|
|
# jump host PEM file
|
|
PEM_BASE="${BASE_FOLDER}../pem/";
|
|
JUMP_PEM_FILE="somen-jump.tequila.jp#scripts#webhook-git#ed25519.pem";
|
|
|
|
# add trailing slash if missing
|
|
GIT_WEBHOOK_BASE_FOLDER="${GIT_WEBHOOK_BASE_FOLDER%/}/"
|
|
|
|
if [ -d "${GIT_WEBHOOK_BASE_FOLDER}" ]; then
|
|
echo "Base folder already exists, update check";
|
|
# check folders
|
|
# check folder ACL
|
|
echo "[TODO] -> Not implemented: check folder, check ACL";
|
|
# copy scripts & default config
|
|
echo "~ Copy basic script and config files";
|
|
# git_sync.sh, init.sh, new_clone.sh, webhook.default.cfg
|
|
cp "${BASE_FOLDER}new_clone.sh" "${BASE_FOLDER}init.sh" "${BASE_FOLDER}git_sync.sh" "${GIT_WEBHOOK_BASE_FOLDER}${SCRIPT_FOLDER}";
|
|
cp "${CONFIG_BASE}/webhook.default.cfg" "${GIT_WEBHOOK_BASE_FOLDER}${CONFIG_FOLDER}";
|
|
# and make sure they are all owned by the correct user
|
|
chown "${SUDO_USER}" \
|
|
"${BASE_FOLDER}new_clone.sh" \
|
|
"${BASE_FOLDER}init.sh" \
|
|
"${BASE_FOLDER}git_sync.sh" \
|
|
"${CONFIG_BASE}/webhook.default.cfg";
|
|
# check config entries missing
|
|
exit;
|
|
else
|
|
echo "=> Create new folder structure";
|
|
# User for sudo, but only if SUDO is enabled
|
|
if [ "${USE_SUDO}" != "0" ]; then
|
|
echo "+ Add user ${SUDO_USER}:${WWW_GROUP} with base folder ${GIT_WEBHOOK_BASE_FOLDER}";
|
|
# Note: we need to set bin bash or we cannot use Jump Host
|
|
useradd -d "${GIT_WEBHOOK_BASE_FOLDER}" -m -s /bin/bash "${SUDO_USER}"
|
|
fi;
|
|
if [ ! -d "${GIT_WEBHOOK_BASE_FOLDER}" ]; then
|
|
echo "+ Create Folder: ${GIT_WEBHOOK_BASE_FOLDER}";
|
|
mkdir "${GIT_WEBHOOK_BASE_FOLDER}";
|
|
fi;
|
|
echo "+ Set folder user/group to ${SUDO_USER}/${WWW_GROUP}";
|
|
# user is not mandatory, but we need to set the group
|
|
setfacl -m u:"${SUDO_USER}":rwx -R "${GIT_WEBHOOK_BASE_FOLDER}"
|
|
setfacl -d -m u:"${SUDO_USER}":rwx -R "${GIT_WEBHOOK_BASE_FOLDER}"
|
|
setfacl -m g:"${WWW_GROUP}":rx -R "${GIT_WEBHOOK_BASE_FOLDER}"
|
|
# SSH
|
|
if [ "${USE_SUDO}" != "0" ]; then
|
|
echo "+ Add .ssh folder"
|
|
sudo -u "${SUDO_USER}" mkdir "${GIT_WEBHOOK_BASE_FOLDER}"/.ssh/
|
|
sudo -u "${SUDO_USER}" touch "${GIT_WEBHOOK_BASE_FOLDER}"/.ssh/config
|
|
sudo -u "${SUDO_USER}" chmod 700 "${GIT_WEBHOOK_BASE_FOLDER}"/.ssh/
|
|
sudo -u "${SUDO_USER}" chmod 600 "${GIT_WEBHOOK_BASE_FOLDER}"/.ssh/config
|
|
# add master jump host
|
|
cat >> "${GIT_WEBHOOK_BASE_FOLDER}"/.ssh/config << 'EOF'
|
|
Host UdonGitJump
|
|
Hostname somen-jump.tequila.jp
|
|
User webhook-git
|
|
IdentityFile ~/.ssh/somen-jump.tequila.jp#scripts#webhook-git#ed25519.pem
|
|
Port 37337
|
|
EOF
|
|
if [ -f "${PEM_BASE}${JUMP_PEM_FILE}" ]; then
|
|
cp "${PEM_BASE}${JUMP_PEM_FILE}" "${GIT_WEBHOOK_BASE_FOLDER}"/.ssh/;
|
|
chown "${SUDO_USER}:" "${GIT_WEBHOOK_BASE_FOLDER}/.ssh/${JUMP_PEM_FILE}"
|
|
sudo -u "${SUDO_USER}" chmod 600 "${GIT_WEBHOOK_BASE_FOLDER}/.ssh/${JUMP_PEM_FILE}"
|
|
else
|
|
echo "PEM FILE ${JUMP_PEM_FILE} must be added manually"
|
|
fi;
|
|
fi;
|
|
# All other FOLDER
|
|
echo "+ Other folders for clone base: ${CLONE_BASE}, ${LOG_FOLDER}, ${SCRIPT_FOLDER}, ${CONFIG_FOLDER}, ${WWW_WEBHOOK_INCOMING}, ${WWW_ADMIN}"
|
|
sudo -u "${SUDO_USER}" \
|
|
mkdir -p \
|
|
"${GIT_WEBHOOK_BASE_FOLDER}${CLONE_BASE}" \
|
|
"${GIT_WEBHOOK_BASE_FOLDER}${LOG_FOLDER}" \
|
|
"${GIT_WEBHOOK_BASE_FOLDER}${SCRIPT_FOLDER}" \
|
|
"${GIT_WEBHOOK_BASE_FOLDER}${CONFIG_FOLDER}" \
|
|
"${GIT_WEBHOOK_BASE_FOLDER}${SECRETS_FOLDER}" \
|
|
"${GIT_WEBHOOK_BASE_FOLDER}${WWW_WEBHOOK_INCOMING}" \
|
|
"${GIT_WEBHOOK_BASE_FOLDER}${WWW_ADMIN}";
|
|
# set basic folder rights, clone folder is excluded
|
|
sudo -u "${SUDO_USER}" chmod 700 \
|
|
"${GIT_WEBHOOK_BASE_FOLDER}${LOG_FOLDER}" \
|
|
"${GIT_WEBHOOK_BASE_FOLDER}${SCRIPT_FOLDER}" \
|
|
"${GIT_WEBHOOK_BASE_FOLDER}${CONFIG_FOLDER}" \
|
|
"${GIT_WEBHOOK_BASE_FOLDER}${SECRETS_FOLDER}" \
|
|
"${GIT_WEBHOOK_BASE_FOLDER}${WWW_WEBHOOK_INCOMING}" \
|
|
"${GIT_WEBHOOK_BASE_FOLDER}${WWW_ADMIN}";
|
|
# setfacl -m u:"${SUDO_USER}":rwx -R "${GIT_WEBHOOK_BASE_FOLDER}${CLONE_BASE}"
|
|
# setfacl -d -m u:"${SUDO_USER}":rwx -R "${GIT_WEBHOOK_BASE_FOLDER}${CLONE_BASE}"
|
|
# web user must have access to the clone folder, RWX
|
|
setfacl -m g:"${WWW_GROUP}":rwx -R \
|
|
"${GIT_WEBHOOK_BASE_FOLDER}${CLONE_BASE}" \
|
|
"${GIT_WEBHOOK_BASE_FOLDER}${WWW_BASE}";
|
|
setfacl -d -m g:"${WWW_GROUP}":rwx -R \
|
|
"${GIT_WEBHOOK_BASE_FOLDER}${CLONE_BASE}" \
|
|
"${GIT_WEBHOOK_BASE_FOLDER}${WWW_BASE}";
|
|
# Copy files
|
|
echo "+ Copy basic script and config files";
|
|
# git_sync.sh, init.sh, new_clone.sh, webhook.default.cfg
|
|
cp "${BASE_FOLDER}new_clone.sh" "${BASE_FOLDER}init.sh" "${BASE_FOLDER}git_sync.sh" "${GIT_WEBHOOK_BASE_FOLDER}${SCRIPT_FOLDER}";
|
|
cp "${CONFIG_BASE}/webhook.cfg" "${CONFIG_BASE}/webhook.default.cfg" "${GIT_WEBHOOK_BASE_FOLDER}${CONFIG_FOLDER}";
|
|
# and make sure they are all owned by the correct user
|
|
chown "${SUDO_USER}" \
|
|
"${BASE_FOLDER}new_clone.sh" \
|
|
"${BASE_FOLDER}init.sh" \
|
|
"${BASE_FOLDER}git_sync.sh" \
|
|
"${CONFIG_BASE}/webhook.cfg" \
|
|
"${CONFIG_BASE}/webhook.default.cfg";
|
|
fi;
|
|
|
|
# __END__
|