#!/bin/ash
# Alpine provisioning script: points apk at a release, installs packages,
# installs a crontab, loads a default-deny iptables ruleset, configures a
# Salt master and reboots. Expected to run as root (it writes under /etc).
#
# -e: abort on the first failing command.
# -x: trace every expanded command line to stderr. Keep in mind that the
#     trace shows argument values, so do not pass secrets on command lines
#     if this script is extended.
set -e
set -x
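#Usage: repos <release>      e.g. "repos edge" or "repos v3.18"
#
# Rewrites /etc/apk/repositories for the given Alpine release (main and
# community enabled, testing left commented out), then refreshes the index
# and upgrades every installed package.
# Arguments: $1 - release branch name; required
# Outputs:   overwrites /etc/apk/repositories
# Returns:   non-zero if $1 is empty (the shell exits) or if apk fails
repos() {
  # Refuse an empty release instead of writing ".../alpine//main".
  local release
  release=${1:?"repos: release name required (e.g. edge)"}
  # Plain http as in the original: apk verifies package and index
  # signatures itself, but https would still hide what is being fetched.
  cat > /etc/apk/repositories <<EOF
http://dl-cdn.alpinelinux.org/alpine/${release}/main
http://dl-cdn.alpinelinux.org/alpine/${release}/community
##http://dl-cdn.alpinelinux.org/alpine/${release}/testing
EOF
  # -U refreshes the package index before upgrading.
  apk -U upgrade
}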
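#Usage: pkgs 'htop tmux emacs' [update]
#
# Installs a space-separated list of packages with apk, optionally
# refreshing the package index first.
# Arguments: $1 - space-separated package names; empty means nothing to add
#            $2 - the literal word "update" to run "apk update" first
# Returns:   0 when there is nothing to do, otherwise apk's exit status
pkgs() {
  # POSIX test compares with "=", not "=="; the "${2-}" form keeps the
  # function usable if "set -u" is ever enabled.
  if [ "${2-}" = "update" ]; then
    apk update
  fi
  if [ -n "${1-}" ]; then
    # $1 is deliberately unquoted: it is a whitespace-separated list that
    # must split into one argument per package.
    # shellcheck disable=SC2086
    apk add $1
  fi
}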
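#Usage: crontab_base [blank]
#
# Starts a fresh crontab draft in /tmp/new.cron: empty when "blank" is
# given, otherwise seeded with Alpine's standard run-parts periodic entries.
# crontab_append and apply_crontab build on this file afterwards.
# Arguments: $1 - the literal word "blank" for an empty draft (optional).
#                 The usage line always documented this as the first
#                 argument; the previous code tested $2 by mistake.
# Outputs:   overwrites /tmp/new.cron
crontab_base() {
  # NOTE(review): /tmp/new.cron is a fixed, predictable path shared with
  # crontab_append/apply_crontab. A pre-existing symlink there would be
  # followed, so this is only safe while /tmp is not writable by untrusted
  # users at provisioning time.
  local draft=/tmp/new.cron
  if [ "${1-}" = "blank" ]; then
    # Truncate to an empty file. The previous version used ">>EOF", which
    # redirects into a file literally named "EOF" instead of opening a
    # here-document, and then tried to execute "EOF" as a command.
    : > "$draft"
    return 0
  fi
  cat > "$draft" <<EOF
# do daily/weekly/monthly maintenance
# min hour day month weekday command
*/15 * * * * run-parts /etc/periodic/15min
0 * * * * run-parts /etc/periodic/hourly
0 2 * * * run-parts /etc/periodic/daily
0 3 * * 6 run-parts /etc/periodic/weekly
0 5 1 * * run-parts /etc/periodic/monthly
EOF
}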
|
#Usage: crontab_append '*/15 * * * * /usr/local/bin/atentu -m > /etc/motd'
|
|
crontab_append() {
|
|
printf "$1\n" | tee -a /tmp/new.cron
|
|
}
|
|
|
|
#Usage: apply_crontab
#
# Installs the /tmp/new.cron draft as the calling user's crontab (root when
# run from this script), replacing whatever crontab was installed before.
apply_crontab() {
  local draft=/tmp/new.cron
  crontab "$draft"
}
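#Usage: iptables_conf
#
# Writes a default-deny IPv4 ruleset for a Salt master to
# /etc/iptables/salt.rules, loads it with iptables-restore and asks the
# Alpine iptables init script to persist it across reboots.
# Globals:   none
# Outputs:   overwrites /etc/iptables/salt.rules; changes the live ruleset
# Returns:   non-zero (set -e aborts) if restore or save fails
iptables_conf() {
  local rules=/etc/iptables/salt.rules
  # "cat >" creates or truncates the file, so the earlier
  # "touch if missing / rm if present" sequence was redundant; only make
  # sure the directory exists.
  mkdir -p "${rules%/*}"
  # Policy: INPUT and FORWARD drop by default, OUTPUT open. Loopback is
  # accepted, packets claiming a 127/8 source on any other interface are
  # rejected (anti-spoofing), and ICMP plus the Salt master ports
  # (4505 publish, 4506 request) are accepted on eth0 only.
  # NOTE(review): the interface name eth0 is hard-coded, and no rule admits
  # TCP/22 even though sshd is enabled in the default runlevel at the bottom
  # of this script, so remote SSH is blocked once this loads -- confirm that
  # is intended (console or Salt-only administration).
  cat > "$rules" <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable
# Allow ICMP
-A INPUT -i eth0 -p icmp -j ACCEPT
# Allow Salt
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 4505 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 4506 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -j DROP
-A OUTPUT -j ACCEPT
COMMIT
EOF
  # Feed the file on stdin: older iptables-restore builds do not accept a
  # filename argument, and the tables are replaced in one transaction.
  iptables-restore < "$rules"
  # Persist through the init script so the service restores it at boot
  # (NOTE(review): the save location is whatever the Alpine iptables
  # service is configured with -- confirm it matches expectations).
  /etc/init.d/iptables save
}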
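#Usage: salt_config [high/low]
#
# Provisions a Salt master: creates the salt account and directory layout,
# generates a GPG key under /etc/salt/gpgkeys, writes the
# /etc/salt/master.d/*.conf fragments and, for the "high" profile, starts
# the master and creates its message-signing key.
# Arguments: $1 - security profile, "high" or "low" (default: low)
# Globals:   none written (the profile is now a local; the previous version
#            left a global "security" variable behind)
# Outputs:   files under /etc/salt; runs adduser/groupadd/gpg/rc-service
# Returns:   non-zero via set -e on the first failing step
salt_config() {
  local security dir
  # Quoted default: the old "[ -z $security ]" only worked by accident
  # (an empty expansion left a one-argument test that happened to be true).
  security=${1:-low}

  _salt_ensure_account
  _salt_ensure_dirs
  _salt_ensure_gpg_key
  _salt_write_master_conf "$security"

  for dir in /etc/salt /var/cache/salt /var/log/salt /var/run/salt /srv/salt; do
    chown -R salt:salt "$dir"
  done

  if [ "$security" = "high" ]; then
    rc-service salt-master start
    # Give the master time to come up before asking it to create keys.
    sleep 30
    # Creates the master signing key pair that master_sign_pubkey /
    # sign_pub_messages in security.conf rely on.
    salt-key --gen-signature --auto-create
  fi
}

# Creates the "salt" user and group when they do not exist yet.
# The previous check grepped for the substring "salt" anywhere in
# /etc/shadow and /etc/group: with more than one match "grep -o" prints
# several lines, the comparison fails, and adduser/groupadd then abort the
# whole script under set -e. Match a whole account name at line start.
_salt_ensure_account() {
  if ! grep -q '^salt:' /etc/passwd; then
    #Create user with disabled login and no home, but with access to a shell (for salt-run)
    adduser -D -H -s /bin/ash salt
  fi
  if ! grep -q '^salt:' /etc/group; then
    # groupadd comes from the shadow package installed earlier; busybox
    # adduser normally creates a same-named group, so this is a fallback.
    groupadd salt
  fi
}

# Creates the Salt directory layout, owned by salt:salt, where missing.
_salt_ensure_dirs() {
  local dir
  for dir in /etc/salt /var/cache/salt /var/log/salt /var/run/salt /srv/salt /srv/pillar; do
    if [ ! -d "$dir" ]; then
      mkdir -p "$dir"
      # 0774 (rwxrwxr--): the salt group may write; others may only list.
      chmod 0774 "$dir"
      chown salt:salt "$dir"
    fi
  done
  mkdir -p /etc/salt/master.d
}

# Generates an RSA-4096 GPG key for Salt under /etc/salt/gpgkeys and imports
# its public half into root's keyring. Skipped entirely when the directory
# already exists, so re-running the script does not mint a second key.
_salt_ensure_gpg_key() {
  local home=/etc/salt/gpgkeys
  if [ -d "$home" ]; then
    return 0
  fi
  mkdir -p "$home"
  # The private key is created without a passphrase (%no-protection), so
  # the directory itself is the only thing protecting it: owner-only.
  chmod 0700 "$home"
  if [ ! -f "$home/genscript" ]; then
    cat > "$home/genscript" <<EOF
Key-Type: RSA
Key-Length: 4096
Name-Real: Salt
Name-Email: no-reply@invalid.address
Expire-Date: 0
%no-ask-passphrase
%no-protection
EOF
  fi
  gpg --gen-key --homedir "$home" --batch "$home/genscript"
  gpg --homedir "$home" --armor --export > "$home/salt_pub.gpg"
  gpg --import "$home/salt_pub.gpg"
}

# Writes the master.d configuration fragments, moving any existing fragment
# to <name>.bak first. security.conf is only written for the "high" profile.
# Indentation inside the here-documents is significant (YAML).
# Arguments: $1 - security profile ("high" enables security.conf)
_salt_write_master_conf() {
  local profile=$1
  local conf
  for conf in file.conf pillar.conf primary.conf security.conf state.conf reactor.conf; do
    if [ -f "/etc/salt/master.d/$conf" ]; then
      mv "/etc/salt/master.d/$conf" "/etc/salt/master.d/$conf.bak"
    fi
  done

  cat > /etc/salt/master.d/file.conf <<EOF
file_roots:
  base:
    - /srv/salt/base
  dev:
    - /srv/salt/dev
  prod:
    - /srv/salt/prod

top_file_merging_strategy: same
default_top: dev
hash_type: sha512
EOF

  cat > /etc/salt/master.d/pillar.conf <<EOF
pillar_roots:
  base:
    - /srv/pillar/base
  dev:
    - /srv/pillar/dev
  prod:
    - /srv/pillar/prod

pillar_safe_render_error: True
pillar_source_merging_strategy: none
pillarenv_from_saltenv: True
pillar_raise_on_missing: True
EOF

  cat > /etc/salt/master.d/primary.conf <<EOF
user: salt
verify_env: True
enable_gpu_grains: True
ping_on_rotate: True
allow_minion_key_revoke: False
timeout: 30
EOF

  if [ "$profile" = "high" ]; then
    # certfile previously pointed at /etc/sale/... (typo); both files now
    # live under /etc/salt/pki/certs.
    # NOTE(review): nothing in this script creates salt.key/salt.crt, so the
    # master cannot start until they are provisioned elsewhere -- confirm.
    # NOTE(review): drop_messages_signature_fail stays False as before;
    # whether a "high" profile should drop unverifiable messages is worth
    # deciding explicitly.
    cat > /etc/salt/master.d/security.conf <<EOF
keysize: 4096
autosign_timeout: 0
master_sign_pubkey: True
master_use_pubkey_signature: True
sign_pub_messages: True
require_minion_sign_messages: True
drop_messages_signature_fail: False
ssl:
  keyfile: /etc/salt/pki/certs/salt.key
  certfile: /etc/salt/pki/certs/salt.crt
  ssl_version: PROTOCOL_TLSv1_2
EOF
  fi

  cat > /etc/salt/master.d/state.conf <<EOF
failhard: True
EOF

  cat > /etc/salt/master.d/reactor.conf <<EOF
reactor:
  #- 'salt/minion/*/start':
  #  - /srv/salt/reactor/start.sls
  #- 'salt/beacon/*/beacon_name':
  #  - /srv/salt/reactor/beacon.sls

reactor_refresh_interval: 60
reactor_worker_threads: 10
reactor_worker_hwm: 10000
EOF
}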
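#Usage: enable_services default 'lighttpd rsyslog samba iptables'
#
# Adds each named OpenRC service to a runlevel.
# Arguments: $1 - runlevel (e.g. boot, default); required
#            $2 - space-separated service names; empty means nothing to do
# Returns:   non-zero if $1 is empty (the shell exits) or rc-update fails
enable_services() {
  local runlevel service
  runlevel=${1:?"enable_services: runlevel required"}
  # $2 is deliberately unquoted so it splits into one service per iteration.
  # shellcheck disable=SC2086
  for service in ${2-}; do
    rc-update add "$service" "$runlevel"
  done
}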
#Usage: reboot_system
#
# Final step: reboots the host so the new runlevels, crontab and firewall
# come up together. Nothing after this call is expected to run.
reboot_system() { reboot; }
# Provisioning sequence. Everything runs as root under set -e, so the first
# failing step aborts before the final reboot.
main() {
  repos edge
  pkgs "procps htop iftop net-tools tmux iptables mg syslog-ng haveged iproute2 coreutils logrotate shadow openssh salt salt-master salt-minion salt-api salt-syndic gpg gnupg-utils gpg-agent py3-tornado"
  crontab_base
  crontab_append "0 2 * * 5 /sbin/apk -U -a upgrade"
  apply_crontab
  iptables_conf
  salt_config high
  enable_services boot "syslog-ng"
  enable_services default "crond iptables salt-master sshd"
  reboot_system
}
main "$@"