#!/bin/bash if [ ! "$BASH_VERSION" ] ; then bash $0 $1 $2 $3 $4 $5 $6 $7 $8 $9 exit 1 fi wiRed=$(tput setaf 196) wiGreen=$(tput setaf 46) wiYellow=$(tput setaf 226) wiBlue=$(tput setaf 21) wiPurple=$(tput setaf 165) wiTurquoise=$(tput setaf 14) wiPink=$(tput setaf 198) wiOrange=$(tput setaf 202) wiBold=$(tput bold) wiNormal=$(tput sgr0) wi-header(){ wx-header "$1" "$2" } wi-repeat(){ wx-repeat "$1" "$2" } wi-login(){ wx-login "$1" "$2" } wx-start(){ wi-start } wx-stop(){ wi-stop } wxBold=$wiBold wxNormal=$wiNormal wx-header(){ if [[ $2 == "h1" ]] then echo "" echo "" echo "" echo "==============================" wx-repeat " " $((30/2-${#1}/2)) echo -n "$wxBold" echo -n "$1" echo -n "$wxNormal" echo "" echo "==============================" fi if [[ $2 == "h2" || -z $2 ]] then wx-start wx-repeat " " $((30/2-6/2-${#1}/2)) echo -n ">> $1 <<" echo "" echo "------------------------------" fi } wi-init(){ wi-login $1 $2 wi-header "Init" mkdir -p ~/.ssh/keys &> /dev/null apt-get install -y python3-pip python3-venv jq git curl &> /dev/null python3 -m venv /opt/ansible &> /dev/null /opt/ansible/bin/pip3 install ansible &> /dev/null /opt/ansible/bin/pip3 install cryptography dnspython hvac jmespath netaddr pexpect &> /dev/null curl \ -H "X-Vault-Token: ${config["login",$ORG]}" \ -X GET \ https://$VAULT_DOMAIN/v1/init.sh/data/ssh -s | jq -r '.data.data.privkey' > ~/.ssh/keys/init chmod 700 ~/.ssh/keys/init &> /dev/null mkdir -p ~/.ansible &> /dev/null if [ ! -f ~/.ansible/vars.yml ] then openssl rand -base64 64 | tr -d '\n' | head -c 64 > ~/.ansible/vault.yml ANSIBLE_VAULT_SECRET=$(<~/.ansible/vault.yml) echo "---" > ~/.ansible/vars.yml echo "hostname: $HOSTNAME" >> ~/.ansible/vars.yml echo "folder: /$FOLDER/" >> ~/.ansible/vars.yml echo "vault:" >> ~/.ansible/vars.yml echo " ansible:" >> ~/.ansible/vars.yml echo " secret: $ANSIBLE_VAULT_SECRET" >> ~/.ansible/vars.yml echo " hashicorp:" >> ~/.ansible/vars.yml echo " domain: $VAULT_DOMAIN" >> ~/.ansible/vars.yml /opt/ansible/bin/ansible-vault encrypt --vault-password-file ~/.ansible/vault.yml ~/.ansible/vars.yml > /dev/null fi GIT_DOMAIN="git.cwinfo.net" GIT_PORT="2222" GIT_REPOSITORY="warengroup-private/infra-plus" export HVT=${config["login",$ORG]} /opt/ansible/bin/ansible-galaxy collection install ansible.posix ansible.utils community.crypto community.dns community.docker community.general community.hashi_vault community.libvirt community.mongodb community.mysql community.postgresql containers.podman --upgrade &> /dev/null /opt/ansible/bin/ansible-pull -U ssh://git@$GIT_DOMAIN:$GIT_PORT/$GIT_REPOSITORY --accept-host-key --vault-password-file ~/.ansible/vault.yml --private-key ~/.ssh/keys/init playbooks/init.yml -t init unset HVT } wx-login(){ if [[ -z "$HOSTNAME" || ${#HOSTNAME} -lt 5 ]] then wx-header "Login" echo "Status: Hostname Required" wx-stop fi if [[ ! -z $1 ]] then ORG=$1 elif [[ $(hostname -d) = *"devices.waren.io" ]] then ORG=warengroup elif [[ $(hostname -d) = *"devices.cwinfo.net" ]] then ORG=cwinfo elif [[ $(hostname -d) = *"devices.christerwaren.fi" ]] then ORG=cwchristerw else wx-header "Login" echo "Status: Organization Required" wx-stop fi if [[ $ORG == "warengroup" ]] then DOMAIN=waren.io elif [[ $ORG == "cwinfo" ]] then DOMAIN=cwinfo.net elif [[ $ORG == "cwchristerw" ]] then DOMAIN=christerwaren.fi else wx-header "Login" echo "Status: Organization Unsupported" wx-stop fi FOLDER=$ORG DEVICE_DOMAIN="devices.$DOMAIN" IDM_DOMAIN="idm.cwinfo.net" VAULT_DOMAIN="vault.cwinfo.net" if [[ ! -z $2 ]] then HOSTNAME="$2.$DEVICE_DOMAIN" elif [[ $(hostname -d) ]] then HOSTNAME=$(hostname --fqdn) else wx-header "Login" echo "Status: Hostname Required" wx-stop fi if [[ -z $USER || $USER == "root" || $USER == "local" ]] then if [[ -z $SUDO_USER ]] then if [[ -z LOGNAME ]] then wx-header "Login" echo "Status: Username Required" wx-stop else USERNAME=$LOGNAME fi else USERNAME=$SUDO_USER fi else USERNAME=$USER fi VAULT_STATUS=$(curl -s -o /dev/null -w "%{http_code}" https://$VAULT_DOMAIN/v1/sys/health) if [[ $VAULT_STATUS -eq 200 ]] then if [[ $USER != "root" && $USER != "local" && -f "$HOME/.config/warengroup/config.json" ]] then TOKEN="$(cat $HOME/.config/warengroup/config.json | jq -r .login.$ORG)" fi VAULT_LOGIN=$(curl https://$VAULT_DOMAIN/v1/auth/token/renew -X POST --header "X-Vault-Token: $TOKEN" -d '{ "token": "'$TOKEN'" }' -s | jq -r '.auth.client_token') if [[ ! -z $VAULT_LOGIN && ${#VAULT_LOGIN} == 95 ]] then config["login",${ORG}]=$VAULT_LOGIN if [[ $USER != "root" && $USER != "local" ]] then jq '.login.'$ORG' = "'$VAULT_LOGIN'"' $HOME/.config/warengroup/config.json 1> $HOME/.config/warengroup/config.json.tmp mv $HOME/.config/warengroup/config.json.tmp $HOME/.config/warengroup/config.json &> /dev/null fi else IDM_STATUS=$(curl -s -o /dev/null -w "%{http_code}" https://$IDM_DOMAIN) if [[ $IDM_STATUS -eq 301 ]] then wx-header "Login" echo $wxBold$ORG$wxNormal if [[ -z $USERNAME || $USERNAME == "root" || $USERNAME == "local" ]] then echo -n "Username: " read USERNAME else echo "Username: $USERNAME" fi echo -n "Password: " read -s PASSWORD echo "****************" if [[ -z $USERNAME || -z $PASSWORD ]] then echo "Status: Username & Password Required" wx-stop else VAULT_LOGIN=$(curl https://$VAULT_DOMAIN/v1/auth/ldap/login/$USERNAME -X POST -d '{ "password": "'$PASSWORD'" }' -s | jq -r '.auth.client_token') if [[ -z $VAULT_LOGIN || ${#VAULT_LOGIN} -lt 95 || ${#VAULT_LOGIN} -gt 95 ]] then echo "Status: Login Failed" wx-stop fi config["login",${ORG}]=$VAULT_LOGIN if [[ $USER != "root" && $USER != "local" ]] then jq '.login.'$ORG' = "'$VAULT_LOGIN'"' $HOME/.config/warengroup/config.json &> $HOME/.config/warengroup/config.json.tmp mv $HOME/.config/warengroup/config.json.tmp $HOME/.config/warengroup/config.json &> /dev/null fi fi else wx-header "Login" echo $wxBold$ORG$wxNormal echo -n "Token: " read -s TOKEN echo "****************" if [[ -z $TOKEN || ${#TOKEN} -lt 95 || ${#TOKEN} -gt 95 ]] then echo "Status: Vault Token Required" wx-stop fi VAULT_LOGIN=$(curl https://$VAULT_DOMAIN/v1/auth/token/renew -X POST --header "X-Vault-Token: $TOKEN" -d '{ "token": "'$TOKEN'" }' -s | jq -r '.auth.client_token') if [[ -z $VAULT_LOGIN || ${#VAULT_LOGIN} -lt 95 || ${#VAULT_LOGIN} -gt 95 ]] then echo "Status: Login Failed" wx-stop fi config["login",${ORG}]=$VAULT_LOGIN if [[ $USER != "root" && $USER != "local" ]] then jq '.login.'$ORG' = "'$VAULT_LOGIN'"' $HOME/.config/warengroup/config.json &> $HOME/.config/warengroup/config.json.tmp mv $HOME/.config/warengroup/config.json.tmp $HOME/.config/warengroup/config.json &> /dev/null fi fi fi else wx-header "Login" echo $wxBold$ORG$wxNormal echo "Status: Vault Offline" wx-stop fi } wx-repeat() { local str=$1 n=$2 spaces printf -v spaces "%*s" $n " " printf "%s" "${spaces// /$str}" } wi-restricted(){ if [[ $USER != "root" && $USER != "local" ]] then sudo $1 exit 1 fi } wi-start(){ wi-header "Warén Init" h1 } wi-stop (){ echo " " echo " " echo " " rm -rf /.ssh/keys/init &> /dev/null exit 1 } wi-restricted "$0 $1 $2" if [[ ! -f /bin/jq ]] then apt update &> /dev/null apt install -y jq &> /dev/null fi wi-init $1 $2 wi-stop