fatalerrors/init.sh
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Compare commits

base: fatalerrors:9144f48000340989824cba31ba73de5e490b916c
Branches Tags
fatalerrors:master
...
compare: fatalerrors:34c917d2d210d121c4c29ab9d73a01f1d4f7d681
Branches Tags
fatalerrors:master

5 Commits
9144f48000 ... 34c917d2d2

Author SHA1 Message Date
fatalerrors
34c917d2d2 use fetch_secret for ceph secret 2025-09-22 18:37:42 +02:00
fatalerrors
1a23968a9d updated gl.conf to new checkmk module 2025-09-22 18:35:37 +02:00
fatalerrors
dab7132d31 reworked the checkmk module 2025-09-22 18:34:48 +02:00
fatalerrors
d292e0e486 added secret management lib 2025-09-22 18:33:55 +02:00
fatalerrors
10e2150353 updated ntp.conf to modern ntpsec serveur 2025-09-19 15:31:29 +02:00
7 changed files with 247 additions and 128 deletions
Expand all files Collapse all files

9
conf/includes/gl.conf.sh
View File

@@ -24,16 +24,19 @@ export CEPHIP_mayon="192.168.1.254"
export CEPHIP_pinatubo="192.168.1.253" export CEPHIP_pinatubo="192.168.1.253"
export CEPHIP_ragang="192.168.1.252" export CEPHIP_ragang="192.168.1.252"
export CEPHIP_taal="192.168.1.251" export CEPHIP_taal="192.168.1.251"
export CEPH_SECRET="AQAxSf5c2A/CMxAAnOu1RrSf7Yr2h60CLttq4g==" export CEPH_SECRET="file:/share/services/gestparc/ceph_secret"
export SHARED_HOME="false" export SHARED_HOME="false"
# SSH # SSH
export SSHD_PERMITROOT_RANGE="192.168.1.0/24" export SSHD_PERMITROOT_RANGE="192.168.1.0/24"
# Check MK # Check MK
export MK_VERSION="2.3.0p27-1" #export MK_VERSION="2.3.0p27-1" No longer needed
export MK_URL="http://10.250.42.20/check_mk/check_mk/agents/check-mk-agent_${MK_VERSION}_all.deb"
export MK_SERVER_IP="10.250.42.20" export MK_SERVER_IP="10.250.42.20"
export MK_SITE="check_mk"
export MK_URL="http://$MK_SERVER_IP/$MK_SITE/check_mk/agents/check-mk-agent_latest_all.deb"
export MK_SECRET="file:/share/services/gestparc/mk_secret"
# Samba # Samba
export SMBSRV="silay.$REALM" export SMBSRV="silay.$REALM"

4
init.sh
View File

@@ -1,7 +1,7 @@
#!/usr/bin/env bash #!/usr/bin/env bash
# ------------------------------------------------------------------------------ # ------------------------------------------------------------------------------
# Init.sh: initialise a computer and conform it # Init.sh: initialise a computer and conform it
# Copyright (c) 2019-2023 Geoffray Levasseur <fatalerrors@geoffray-levasseur.org> # Copyright (c) 2019-2025 Geoffray Levasseur <fatalerrors@geoffray-levasseur.org>
# ------------------------------------------------------------------------------ # ------------------------------------------------------------------------------
# This file is distributed under 3-clause BSD license. # This file is distributed under 3-clause BSD license.
# The complete license agreement can be obtained at: # The complete license agreement can be obtained at:
@@ -36,7 +36,7 @@ export LC_ALL=C
export LANG=C export LANG=C
# Version of init # Version of init
export VERSION="0.99.22" export VERSION="0.99.23"
# Store script's path (realpath -s resolve symlinks if init.sh is a symlink) # Store script's path (realpath -s resolve symlinks if init.sh is a symlink)
export MYPATH=$(dirname "$(realpath -s "$0")") export MYPATH=$(dirname "$(realpath -s "$0")")

114
lib/secret.sh Normal file
View File

@@ -0,0 +1,114 @@
#!/bin/bash
# ------------------------------------------------------------------------------
# Secret management functions
# This file is part of the init.sh project
# Copyright (c) 2025 Geoffray Levasseur <fatalerrors@geoffray-levasseur.org>
# ------------------------------------------------------------------------------
# This file is distributed under 3-clause BSD license.
# The complete license agreement can be obtained at:
# https://opensource.org/licenses/BSD-3-Clause
# ------------------------------------------------------------------------------
# ------------------------------------------------------------------------------
# Passbolt
get_passbolt_secret() {
local name="$1" secret
if ! command -v passbolt >/dev/null 2>&1; then
prnt E "Passbolt CLI not found (required to fetch passbolt:$name)."
return 3
fi
# Exemple basé sur CLI Passbolt + jq
secret=$(passbolt secret list --json 2>/dev/null | jq -r --arg NAME "$name" \
'.[] | select(.name == $NAME) | .secrets[0].data' 2>/dev/null)
if [[ -z "$secret" || "$secret" == "null" ]]; then
prnt E "Secret '$name' not found in Passbolt."
return 4
fi
printf '%s' "$secret"
}
# ------------------------------------------------------------------------------
# ------------------------------------------------------------------------------
# File
get_file_secret() {
local path="$1" secret
if [[ -z "$path" ]]; then
prnt E "get_file_secret: missing path"
return 5
fi
if [[ ! -r "$path" ]]; then
prnt E "get_file_secret: '$path' not readable"
return 6
fi
secret=$(<"$path")
secret="${secret%$'\r'}"
secret="${secret%$'\n'}"
printf '%s' "$secret"
}
# ------------------------------------------------------------------------------
# ------------------------------------------------------------------------------
# Environment variable
get_var_secret() {
local var="$1" secret
if [[ -z "$var" ]]; then
prnt E "get_var_secret: missing variable name"
return 7
fi
if ! printenv "$var" >/dev/null 2>&1; then
prnt E "get_var_secret: variable '$var' not set"
return 8
fi
secret="$(printenv "$var")"
secret="${secret%$'\r'}"
secret="${secret%$'\n'}"
printf '%s' "$secret"
}
# ------------------------------------------------------------------------------
# ------------------------------------------------------------------------------
# Main dispatcher
# Usage: fetch_secret "scheme:identifier"
fetch_secret() {
local ref="$1"
local scheme identifier func
if [[ -z "$ref" ]]; then
prnt E "fetch_secret: no reference provided"
return 1
fi
# par défaut, si pas de scheme -> "file"
if [[ "$ref" != *:* ]]; then
scheme="file"
identifier="$ref"
else
scheme="${ref%%:*}"
identifier="${ref#*:}"
fi
func="get_${scheme}_secret"
if ! declare -f "$func" >/dev/null 2>&1; then
prnt E "fetch_secret: unsupported scheme '$scheme' (no function $func)"
return 2
fi
"$func" "$identifier"
}
export -f fetch_secret
# ------------------------------------------------------------------------------
# EOF

3
modules/conf_ceph.sh
View File

@@ -68,11 +68,12 @@ conf_ceph()
tag_file /etc/fstab tag_file /etc/fstab
echo >> /etc/fstab echo >> /etc/fstab
local srvlist=$(echo $CEPH_SRV_NAMES | sed "s/ /,/g") local srvlist=$(echo $CEPH_SRV_NAMES | sed "s/ /,/g")
local secret=$(fetch_secret "$CEPH_SECRET")
if [[ -z $(grep $srvlist /etc/fstab) ]]; then if [[ -z $(grep $srvlist /etc/fstab) ]]; then
echo "# Ceph :" >> /etc/fstab echo "# Ceph :" >> /etc/fstab
for mnt in $CEPH_MOUNTS; do for mnt in $CEPH_MOUNTS; do
mkdir -pv $mnt mkdir -pv $mnt
echo "$srvlist:/ $(eval echo \$CEPH_MP_$mnt) ceph defaults,_netdev,name=admin,secret=$CEPH_SECRET,id=$mnt 0 0" >> /etc/fstab echo "$srvlist:/ $(eval echo \$CEPH_MP_$mnt) ceph defaults,_netdev,name=admin,secret=$secret,id=$mnt 0 0" >> /etc/fstab
done done
else else
prnt W "Ceph entry already in /etc/fstab, nothing to do" prnt W "Ceph entry already in /etc/fstab, nothing to do"

89
modules/install_mkagent.sh
View File

@@ -9,54 +9,87 @@
# ------------------------------------------------------------------------------ # ------------------------------------------------------------------------------
# Variable: # Variable:
# * MK_SERVER: Server IP address # * MK_SERVER: Server IP address
# * MK_PORT: Port check_mk agent will use to communicate with server # * MK_SITE: The check_mk site (or instance) to use
# * MK_URL: The URL to use to download the agent
# * MK_SECRET: The secret to use to register the agent
# * MK_USER: The user to use to register
# ------------------------------------------------------------------------------ # ------------------------------------------------------------------------------
export VER_install_mkagent="0.0.7" export VER_install_mkagent="0.1.0"
export DEP_install_mkagent="" export DEP_install_mkagent=""
install_mkagent() install_mkagent()
{ {
wget $MK_URL -O /tmp/check-mk-agent_${MK_VERSION}_all.deb # Download and install agent
pkginst xinetd /tmp/check-mk-agent_${MK_VERSION}_all.deb wget "$MK_URL" -O /tmp/check-mk-agent_latest_all.deb
rm /tmp/check-mk-agent_${MK_VERSION}_all.deb pkginst /tmp/check-mk-agent_latest_all.deb
rm /tmp/check-mk-agent_latest_all.deb
backup_dist /etc/xinetd.d/check_mk # Activate correct service depending on system configuration
install_file cmk/check_mk /etc/xinetd.d/check_mk if pidof systemd >/dev/null; then
tag_file /etc/xinetd.d/check_mk systemctl enable --now check-mk-agent.socket
sed -i -e "s/@MK_SERVER_IP@/$MK_SERVER_IP/" /etc/xinetd.d/check_mk else
pkginst xinetd
backup_dist /etc/xinetd.d/check-mk-agent
install_file cmk/check_mk /etc/xinetd.d/check-mk-agent
tag_file /etc/xinetd.d/check-mk-agent
sed -i -e "s/@MK_SERVER_IP@/$MK_SERVER_IP/" /etc/xinetd.d/check-mk-agent
svc_restart xinetd
fi
mkdir -pv /usr/lib/check_mk_agent/plugins/7200 # Install apt plugin (for Debian)
install_file cmk/mk_apt /usr/lib/check_mk_agent/plugins/7200/mk_apt if [[ $PKG_MAN == "apt-get" ]]; then
mkdir -pv /usr/lib/check_mk_agent/plugins/3600
install_file cmk/mk_apt /usr/lib/check_mk_agent/plugins/3600/mk_apt
fi
# Cmk > 2.1, configure agent # Cmk > 2.1, configure agent
if [[ -e /var/lib/cmk-agent/cmk-agent-ctl.gz ]]; then if [[ -n $MK_SECRET ]]; then
gunzip /var/lib/cmk-agent/cmk-agent-ctl.gz local secret
chmod +x /var/lib/cmk-agent/cmk-agent-ctl secret=$(fetch_secret "$MK_SECRET")
scp -O $MK_SERVER_IP:/etc/check_mk/agentpwd /tmp/mk-pwd
sleep 1 # Some execution of cmk-agent-ctl have failed with file not found without that line if [[ -e /var/lib/cmk-agent/cmk-agent-ctl.gz ]]; then
/var/lib/cmk-agent/cmk-agent-ctl register --hostname $HOSTNAME \ gunzip -f /var/lib/cmk-agent/cmk-agent-ctl.gz
--server $MK_SERVER_IP --site check_mk --user check_mk --password \ chmod +x /var/lib/cmk-agent/cmk-agent-ctl
"$(read /tmp/mk-pwd)" fi
if [[ -e /var/lib/cmk-agent/cmk-agent-ctl ]]; then
/var/lib/cmk-agent/cmk-agent-ctl register \
--hostname "$HOSTNAME" \
--server "$MK_SERVER_IP" \
--site "$MK_SITE" \
--user "$MK_USER" \
--password "$secret"
fi
unset secret
else
prnt W "No secret configured, agent cannot be registered."
fi fi
svc_restart xinetd
} }
precheck_install_mkagent() precheck_install_mkagent()
{ {
if [[ -z $MK_VERSION ]]; then if [[ -z $MK_SITE ]]; then
prnt E "Undeclared check_mk version of the agent to install." prnt E "Undeclared check_mk site to use."
die 162 die 162
fi fi
if [[ -z $MK_URL ]]; then if [[ -z $MK_URL ]]; then
prnt E "Undeclared check_mk download URL." prnt E "Undeclared check_mk download URL."
die 162 die 162
fi fi
if [[ -z $MK_SERVER_IP ]]; then if [[ -z $MK_SERVER_IP ]]; then
prnt E "Undeclared check_mk server." prnt E "Undeclared check_mk server."
die 162 die 162
fi
if [[ $PKG_MAN == "apt-get" ]]; then
file_must_exists cmk/check_mk cmk/mk_apt
fi
if [[ -z $MK_SECRET ]]; then
prnt W "No secret set for CheckMK, registration won't be possible."
if [[ -z $MK_USER ]]; then
prnt E "A CheckMK user is required to register."
die 162
fi
fi fi
file_must_exists cmk/check_mk cmk/mk_apt
} }
export -f install_mkagent export -f install_mkagent

78
repo/hosts/cagua/ntp.conf
View File

@@ -1,64 +1,48 @@
*# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help # /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
# State files
driftfile /var/lib/ntp/ntp.drift driftfile /var/lib/ntp/ntp.drift
leapfile /usr/share/zoneinfo/leap-seconds.list
# Enable this if you want statistics to be logged. # Statistics
#statsdir /var/log/ntpstats/
statistics loopstats peerstats clockstats statistics loopstats peerstats clockstats sysstats
filegen loopstats file loopstats type day enable filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable filegen clockstats file clockstats type day enable
filegen sysstats file sysstats type day enable
# Interfaces to listen on:
interface listen 192.168.1.0/24
interface listen 10.250.42.0/24
interface listen 10.42.250.0/16
interface ignore wildcard
# You do need to talk to an NTP server or two (or three). # NTP sources
#server ntp.your-provider.example # Our other NTP server, to have consistant REFID
server didicas prefer iburst
# pool.ntp.org maps to about 1000 low-stratum NTP servers. Your server will server ntp.laas.fr iburst
# pick a different set every time it starts up. Please consider joining the server ntp.sophia.cnrs.fr iburst
# pool: <http://www.pool.ntp.org/join.html> server ntp2.emn.fr iburst
server ntp.laas.fr iburst server delphi.phys.univ-tours.fr iburst
server ntp.sophia.cnrs.fr iburst server ntp.crashdump.fr iburst
server ntp2.emn.fr iburst server ntp.ilianum.com iburst
server delphi.phys.univ-tours.fr iburst server ntp.unice.fr iburst
server ntp.crashdump.fr iburst server ntp.accelance.net iburst
server ntp.ilianum.com iburst server ntp.deuza.net iburst
server ntp.unice.fr iburst server ntp1.jussieu.fr iburst
server ntp.accelance.net iburst server time.resolvlab.com iburst
server ntp.deuza.net iburst
server ntp1.jussieu.fr iburst
server time.resolvlab.com iburst
# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for # Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
# details. The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions> # details. The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
# might also be helpful. # might also be helpful.
# #
# Note that "restrict" applies to both servers and clients, so a configuration restrict default limited nomodify notrap nopeer noquery
# that might be intended to block requests from certain clients could also end
# up blocking replies from your own upstream servers.
# By default, exchange time with everybody, but don't allow configuration.
restrict -4 default kod notrap nomodify nopeer noquery limited
restrict -6 default kod notrap nomodify nopeer noquery limited
# Local users may interrogate the ntp server more closely.
restrict 192.168.1.0/24
restrict 127.0.0.1
restrict ::1
# Needed for adding pool entries
restrict source notrap nomodify noquery restrict source notrap nomodify noquery
# Clients from this (example!) subnet have unlimited access, but only if restrict 192.168.1.0/24
# cryptographically authenticated. restrict 10.250.42.0/24
restrict 192.168.0.0 mask 255.255.0.0 trust restrict 10.42.250.0/16
restrict 127.0.0.1
restrict ::1
# If you want to provide time to your local subnet, change the next line.
# (Again, the address is an example only.)
broadcast 192.168.1.255
# If you want to listen to time broadcasts on your local subnet, de-comment the
# next lines. Please do this only if you trust everybody on the network!
#disable auth
#broadcastclient

78
repo/hosts/didicas/ntp.conf
View File

@@ -1,64 +1,48 @@
*# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help # /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
# State files
driftfile /var/lib/ntp/ntp.drift driftfile /var/lib/ntp/ntp.drift
leapfile /usr/share/zoneinfo/leap-seconds.list
# Enable this if you want statistics to be logged. # Statistics
#statsdir /var/log/ntpstats/
statistics loopstats peerstats clockstats statistics loopstats peerstats clockstats sysstats
filegen loopstats file loopstats type day enable filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable filegen clockstats file clockstats type day enable
filegen sysstats file sysstats type day enable
# Interfaces to listen on:
interface listen 192.168.1.0/24
interface listen 10.250.42.0/24
interface listen 10.42.250.0/16
interface ignore wildcard
# You do need to talk to an NTP server or two (or three). # NTP sources
#server ntp.your-provider.example # Our other NTP server, to have consistant REFID
server cagua prefer iburst
# pool.ntp.org maps to about 1000 low-stratum NTP servers. Your server will server ntp.laas.fr iburst
# pick a different set every time it starts up. Please consider joining the server ntp.sophia.cnrs.fr iburst
# pool: <http://www.pool.ntp.org/join.html> server ntp2.emn.fr iburst
server ntp.laas.fr iburst server delphi.phys.univ-tours.fr iburst
server ntp.sophia.cnrs.fr iburst server ntp.crashdump.fr iburst
server ntp2.emn.fr iburst server ntp.ilianum.com iburst
server delphi.phys.univ-tours.fr iburst server ntp.unice.fr iburst
server ntp.crashdump.fr iburst server ntp.accelance.net iburst
server ntp.ilianum.com iburst server ntp.deuza.net iburst
server ntp.unice.fr iburst server ntp1.jussieu.fr iburst
server ntp.accelance.net iburst server time.resolvlab.com iburst
server ntp.deuza.net iburst
server ntp1.jussieu.fr iburst
server time.resolvlab.com iburst
# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for # Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
# details. The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions> # details. The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
# might also be helpful. # might also be helpful.
# #
# Note that "restrict" applies to both servers and clients, so a configuration restrict default limited nomodify notrap nopeer noquery
# that might be intended to block requests from certain clients could also end
# up blocking replies from your own upstream servers.
# By default, exchange time with everybody, but don't allow configuration.
restrict -4 default kod notrap nomodify nopeer noquery limited
restrict -6 default kod notrap nomodify nopeer noquery limited
# Local users may interrogate the ntp server more closely.
restrict 192.168.1.0/24
restrict 127.0.0.1
restrict ::1
# Needed for adding pool entries
restrict source notrap nomodify noquery restrict source notrap nomodify noquery
# Clients from this (example!) subnet have unlimited access, but only if restrict 192.168.1.0/24
# cryptographically authenticated. restrict 10.250.42.0/24
restrict 192.168.0.0 mask 255.255.0.0 trust restrict 10.42.250.0/16
restrict 127.0.0.1
restrict ::1
# If you want to provide time to your local subnet, change the next line.
# (Again, the address is an example only.)
broadcast 192.168.1.255
# If you want to listen to time broadcasts on your local subnet, de-comment the
# next lines. Please do this only if you trust everybody on the network!
#disable auth
#broadcastclient