diff --git a/core/default/etc/sudoers.d/allow-jenkins-updateRepositories b/core/default/etc/sudoers.d/allow-jenkins-updateRepositories
new file mode 100644
index 0000000..804dba5
--- /dev/null
+++ b/core/default/etc/sudoers.d/allow-jenkins-updateRepositories
@@ -0,0 +1,6 @@
+Cmnd_Alias C_JENKINS = \
+ /cis/updateRepositories.sh --core, \
+ /cis/updateRepositories.sh --scripts, \
+ /cis/updateRepositories.sh --definitions, \
+ /cis/updateRepositories.sh --states
+jenkins ALL = (root) NOPASSWD: C_JENKINS
diff --git a/core/ensureUsageOfDefinitions.sh b/core/ensureUsageOfDefinitions.sh
index a67e872..3a4c6db 100755
--- a/core/ensureUsageOfDefinitions.sh
+++ b/core/ensureUsageOfDefinitions.sh
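Review bot: The new sudoers fragment enters git with mode 100644, and nothing in this diff shows the install step setting the owner and mode sudo expects for /etc/sudoers.d entries (root:root, 0440); depending on the sudo version a fragment with other permissions is rejected or skipped, so the NOPASSWD rule would silently not apply on the host. Because a syntax error in any sudoers.d file makes sudo refuse every rule on that host, the definition should be validated before it is installed, e.g. `visudo -cf core/default/etc/sudoers.d/allow-jenkins-updateRepositories` in CI or in the install path. The argument-restricted alias only limits what jenkins can do if /cis/updateRepositories.sh is itself root-owned and not writable by the jenkins user; that ownership is not visible here, so it is worth recording in the file as `# /cis/updateRepositories.sh must be owned by root and not writable by jenkins; install this file as root:root 0440`.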
@@ -47,33 +47,41 @@ function filterInvalidAuthorizedKeysFilesOfRoot() { } function printSelectedDefinition() { - local _CORE_FILE_DEFINED_ALL_HOSTS _CORE_FILE_DEFINED_THIS_HOST _FILE_DEFINED_ALL_HOSTS _FILE_DEFINED_THIS_HOST - _CORE_FILE_DEFINED_ALL_HOSTS="${1:?"Missing DEFINITIONS"}/core/all${2:?"Missing CURRENT_FULLFILE"}" - _CORE_FILE_DEFINED_THIS_HOST="${1:?"Missing DEFINITIONS"}/core/$(hostname -s)${2:?"Missing CURRENT_FULLFILE"}" - _FILE_DEFINED_ALL_HOSTS="${1:?"Missing DEFINITIONS"}/hosts/all${2:?"Missing CURRENT_FULLFILE"}" - _FILE_DEFINED_THIS_HOST="${1:?"Missing DEFINITIONS"}/hosts/$(hostname -s)${2:?"Missing CURRENT_FULLFILE"}" - readonly _CORE_FILE_DEFINED_ALL_HOSTS _CORE_FILE_DEFINED_THIS_HOST _FILE_DEFINED_ALL_HOSTS _FILE_DEFINED_THIS_HOST + local _DEFINITIONS _CORE_FILE_DEFINED_ALL_HOSTS _CORE_FILE_DEFINED_THIS_HOST _FILE_DEFINED_ALL_HOSTS _FILE_DEFINED_THIS_HOST + _DEFINITIONS="${1:?"Missing CIS_ROOT"}definitions/${2:?"Missing DOMAIN"}/" + _CORE_DEFAULT_ALL_HOSTS="${1:?"Missing CIS_ROOT"}core/default${3:?"Missing CURRENT_FULLFILE"}" + _CORE_FILE_DEFINED_ALL_HOSTS="${_DEFINITIONS:?"Missing DEFINITIONS"}core/all${3:?"Missing CURRENT_FULLFILE"}" + _CORE_FILE_DEFINED_THIS_HOST="${_DEFINITIONS:?"Missing DEFINITIONS"}core/$(hostname -s)${3:?"Missing CURRENT_FULLFILE"}" + _FILE_DEFINED_ALL_HOSTS="${_DEFINITIONS:?"Missing DEFINITIONS"}hosts/all${3:?"Missing CURRENT_FULLFILE"}" + _FILE_DEFINED_THIS_HOST="${_DEFINITIONS:?"Missing DEFINITIONS"}hosts/$(hostname -s)${3:?"Missing CURRENT_FULLFILE"}" + readonly _DEFINITIONS _CORE_FILE_DEFINED_ALL_HOSTS _CORE_FILE_DEFINED_THIS_HOST _FILE_DEFINED_ALL_HOSTS _FILE_DEFINED_THIS_HOST #The following are special definitions that affect the core functionality. #Try this host first because it should be priorized. 
- isCoreDefinition "${2:?"Missing CURRENT_FULLFILE"}" \ + isCoreDefinition "${3:?"Missing CURRENT_FULLFILE"}" \ && [ -s "${_CORE_FILE_DEFINED_THIS_HOST}" ] \ && filterInvalidAuthorizedKeysFilesOfRoot "${_CORE_FILE_DEFINED_THIS_HOST}" \ && return 0 #The following are special definitions that affect the core functionality. - isCoreDefinition "${2:?"Missing CURRENT_FULLFILE"}" \ + isCoreDefinition "${3:?"Missing CURRENT_FULLFILE"}" \ && [ -s "${_CORE_FILE_DEFINED_ALL_HOSTS}" ] \ && filterInvalidAuthorizedKeysFilesOfRoot "${_CORE_FILE_DEFINED_ALL_HOSTS}" \ && return 0 + #The following are special definitions that affect the core functionality. + isCoreDefinition "${3:?"Missing CURRENT_FULLFILE"}" \ + && [ -s "${_CORE_DEFAULT_ALL_HOSTS}" ] \ + && filterInvalidAuthorizedKeysFilesOfRoot "${_CORE_DEFAULT_ALL_HOSTS}" \ + && return 0 + #Try this host first because it should be priorized. - ! isCoreDefinition "${2:?"Missing CURRENT_FULLFILE"}" \ + ! isCoreDefinition "${3:?"Missing CURRENT_FULLFILE"}" \ && [ -s "${_FILE_DEFINED_THIS_HOST}" ] \ && echo "${_FILE_DEFINED_THIS_HOST}" \ && return 0 - ! isCoreDefinition "${2:?"Missing CURRENT_FULLFILE"}" \ + ! isCoreDefinition "${3:?"Missing CURRENT_FULLFILE"}" \ && [ -s "${_FILE_DEFINED_ALL_HOSTS}" ] \ && echo "${_FILE_DEFINED_ALL_HOSTS}" \ && return 0 
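Review bot: `_CORE_DEFAULT_ALL_HOSTS` is assigned in the new variable block but is missing from both the new `local` line and the new `readonly` line, unlike the four sibling `_*_DEFINED_*` variables, so it is a plain global that can leak into the caller's scope when the function is called outside a command substitution and, unlike its siblings, is not protected against later reassignment. The fix is to add it to both lines: `local _DEFINITIONS _CORE_DEFAULT_ALL_HOSTS _CORE_FILE_DEFINED_ALL_HOSTS …` and `readonly _DEFINITIONS _CORE_DEFAULT_ALL_HOSTS _CORE_FILE_DEFINED_ALL_HOSTS …`. The comment above the added third lookup repeats the one above the `_CORE_FILE_DEFINED_ALL_HOSTS` lookup and does not say that this is the lowest-priority fallback shipped with the core itself; `#Fall back to the default shipped in core/default when neither this host nor 'all' defines the core file.` would document the lookup order. printSelectedDefinition continues past the end of this hunk.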
@@ -110,12 +118,12 @@ function createSymlinkToDefinition() { function ensureUsageOfDefinitions() { local _CIS_ROOT _CURRENT_FILE _CURRENT_FOLDER _CURRENT_FULLFILE _DEFINITIONS _DOMAIN _DEFINED_FULLFILE _NOW _SAVED_FULLFILE - _DEFINITIONS="$(realpath -s "${1:?"Missing first parameter DEFINITIONS: 'ROOT/definitions/DOMAIN'"}")" + _DEFINITIONS="$(realpath -s "${1:?"Missing first parameter DEFINITIONS: 'ROOT/definitions/DOMAIN'"}")/" _CIS_ROOT="${_DEFINITIONS%%/definitions/*}/" #Removes longest matching pattern '/definitions/*' from the end _DOMAIN="${_DEFINITIONS##*/definitions/}" #Removes longest matching pattern '*/definitions/' from the begin _DOMAIN="${_DOMAIN%/}" #Removes shortest matching pattern '/' from the end #Build from components for safety - _DEFINITIONS="$(printIfEqual "${_DEFINITIONS}" "${_CIS_ROOT:?"Missing ROOT"}definitions/${_DOMAIN:?"Missing DOMAIN"}")" + _DEFINITIONS="$(printIfEqual "${_DEFINITIONS}" "${_CIS_ROOT:?"Missing ROOT"}definitions/${_DOMAIN:?"Missing DOMAIN"}/")" _CURRENT_FOLDER="$(dirname "${2:?"Missing second parameter CURRENT_FULLFILE"}")" @@ -135,7 +143,7 @@ function ensureUsageOfDefinitions() { _CURRENT_FULLFILE="${_CURRENT_FOLDER:?"Missing CURRENT_FOLDER"}${_CURRENT_FILE:?"Missing CURRENT_FILE"}" - _DEFINED_FULLFILE="$(printSelectedDefinition "${_DEFINITIONS}" "${_CURRENT_FULLFILE}")" + _DEFINED_FULLFILE="$(printSelectedDefinition "${_CIS_ROOT}" "${_DOMAIN}" "${_CURRENT_FULLFILE}")" _NOW="$(date +%Y%m%d_%H%M)" _SAVED_FULLFILE="${_CURRENT_FULLFILE}-backup@${_NOW:?"Missing NOW"}" readonly _CIS_ROOT _CURRENT_FILE _CURRENT_FOLDER _CURRENT_FULLFILE _DEFINITIONS _DOMAIN _DEFINED_FULLFILE _NOW _SAVED_FULLFILE @@ -198,5 +206,5 @@ ensureUsageOfDefinitions \ "$(echo ${1} | sed -E 's|[^a-zA-Z0-9/:@._-]*||g')" \ "$(echo ${2} | sed -E 's|[^a-zA-Z0-9/:@._-]*||g')" \ && exit 0 - + exit 1 diff --git a/prepareDefinitionsRepository.sh b/prepareDefinitionsRepository.sh index f0c6a94..81c84d3 100755 --- a/prepareDefinitionsRepository.sh 
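Review bot: In the `@@ -135,7 +143,7 @@` hunk the call now passes `_CIS_ROOT` and `_DOMAIN` instead of `_DEFINITIONS`, so the 'Build from components for safety' check in the `@@ -110,12 +118,12 @@` hunk no longer guards this call: assuming printIfEqual prints nothing on a mismatch, as its name suggests, the old call aborted on `${1:?"Missing DEFINITIONS"}` when the rebuilt path did not match, while the new call proceeds with the raw `_CIS_ROOT`/`_DOMAIN` components. Unless `_DEFINITIONS` is checked elsewhere in ensureUsageOfDefinitions (most of its body lies outside these hunks), the check result should be consumed before the call, e.g. `: "${_DEFINITIONS:?"DEFINITIONS does not match ROOT/definitions/DOMAIN"}"` on the line before `_DEFINED_FULLFILE=…`.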
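Review bot: The `@@ -198,5 +206,5 @@` hunk replaces the trailing blank line with `exit 1`, which gives the caller the right status but leaves the failure silent: when ensureUsageOfDefinitions returns non-zero the script now exits without saying so, and there is no `set -e` at top level that would surface it. A one-line diagnostic on stderr before it, `printf '%s\n' "${0##*/}: ensureUsageOfDefinitions failed" >&2`, keeps the exit status and gives the operator something to find in the log.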
+++ b/prepareDefinitionsRepository.sh @@ -1,15 +1,12 @@ #!/bin/bash -[ "$(id -u)" == "0" ] \ - && echo "This script prepares the content of the repository for the definitions." \ - && echo "You have run it as root, please run it with a user who has write access to the Git server." \ - && echo \ - && echo "Do not use the SSH key of root for this." \ - && echo \ +[ "$(id -u)" != "0" ] \ + && echo "This script prepares the user 'root' of this host and the host itself," \ + && echo "so this script is allowed to be executed if you are root only." \ && exit 1 -_BOOT_HOSTNAME="$(hostname -b)" -_BOOT_DOMAIN="${_BOOT_HOSTNAME#*.}" #Removes shortest matching pattern '*.' from the begin to get the domain +# There has to be one dot at least. +_BOOT_DOMAIN="$(hostname -b | grep -F '.' | cut -d. -f2-)" [ -z "${_BOOT_DOMAIN}" ] \ && echo "It was impossible to find out the domain of this host, please prepare this host first." \ @@ -29,16 +26,9 @@ EOF -#Generate sudoers file 'allow-jenkins-updateRepositories' -mkdir -p /tmp/skeleton/definition/core/all/etc/sudoers.d -cat << EOF > /tmp/skeleton/definition/core/all/etc/sudoers.d/allow-jenkins-updateRepositories -Cmnd_Alias C_JENKINS = \\ - /cis/updateRepositories.sh --core, \\ - /cis/updateRepositories.sh --scripts, \\ - /cis/updateRepositories.sh --definitions, \\ - /cis/updateRepositories.sh --states -jenkins ALL = (root) NOPASSWD: C_JENKINS -EOF +#Use current file 'authorized_keys' of root as definition +mkdir -p /tmp/skeleton/definition/core/all/root/.ssh +cp /root/.ssh/authorized_keys /tmp/skeleton/definition/core/all/root/.ssh/authorized_keys @@ -52,12 +42,6 @@ EOF -#Use current file 'authorized_keys' of root as definition -mkdir -p /tmp/skeleton/definition/core/all/root/.ssh -cp /root/.ssh/authorized_keys /tmp/skeleton/definition/core/all/root/.ssh/authorized_keys - - - cat << EOF The first content for your repository for the definitions of the '$_BOOT_DOMAIN' domain has been created. 
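Review bot: The rewritten root check in the `@@ -1,15 +1,12 @@` hunk prints its refusal with plain `echo`, so the message goes to stdout rather than stderr, and the wording 'so this script is allowed to be executed if you are root only' reads awkwardly; the same two lines appear in the `@@ -1,15 +1,12 @@` hunk of prepareStatesRepository.sh. Consider `[ "$(id -u)" != "0" ] && printf '%s\n' "This script prepares this host and its 'root' user, so it must be run as root." >&2 && exit 1` in both files. The new `_BOOT_DOMAIN` line relies on `grep -F '.'` producing no output when the boot hostname has no dot, which the existing `[ -z "${_BOOT_DOMAIN}" ]` check then catches; a comment such as `# Empty when the boot hostname has no dot; checked below.` would state that intent more precisely than `# There has to be one dot at least.`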
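Review bot: In the `@@ -29,16 +26,9 @@` hunk the moved `cp /root/.ssh/authorized_keys …` has no check that the source exists and is non-empty, and the script has no `set -e`, so on a host without that file the copy fails, the script carries on, and the skeleton is committed without a root authorized_keys definition; if the definitions are later enforced on hosts, that is the file that keeps root SSH access, so the failure should stop the script: `[ -s /root/.ssh/authorized_keys ] || { printf '%s\n' "No /root/.ssh/authorized_keys to use as definition" >&2; exit 1; }` before the copy, and `cp -- /root/.ssh/authorized_keys /tmp/skeleton/definition/core/all/root/.ssh/authorized_keys || exit 1`. The skeleton is also built by root at the fixed path /tmp/skeleton with `mkdir -p`, which silently reuses a directory that already exists there whatever its owner; since the content becomes root's authorized_keys and the sudoers definition for every host, building it under a directory from `mktemp -d`, or refusing to continue when /tmp/skeleton already exists, removes that dependency on the state of /tmp. The `/tmp/skeleton/definition` path is repeated in the instructions printed by the later heredoc hunks, so those would need the same change.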
@@ -65,6 +49,9 @@ The first content for your repository for the definitions of the '$_BOOT_DOMAIN' Please create a definition repository. To follow the naming convention name it '$_REOPSITORY_NAME' +Please DO NOT use the SSH key of root for this. +Maybe you can use https and user password for pushing the first commit. + Go to folder '/tmp/skeleton/definition' and check the content of all 'authorized_keys' files, correct them if required to prevent losing access to your hosts. @@ -73,11 +60,12 @@ The public ssh key of your jenkins server has to be added. Only now follow the instructions as our git server shows. For example: + cd /tmp/skeleton/definition git init git checkout -b main git add . git commit -m "first core definitions" - git remote add origin ssh://git@git.example.dev:22448/$_REOPSITORY_NAME.git + git remote add origin https://git.example.dev/[SOME_PATH/]$_REOPSITORY_NAME.git git push -u origin main EOF diff --git a/prepareStatesRepository.sh b/prepareStatesRepository.sh index 622b0fd..6cef868 100755 --- a/prepareStatesRepository.sh +++ b/prepareStatesRepository.sh @@ -1,15 +1,12 @@ #!/bin/bash -[ "$(id -u)" == "0" ] \ - && echo "This script prepares the content of the repository for the definitions." \ - && echo "You have run it as root, please run it with a user who has write access to the Git server." \ - && echo \ - && echo "Do not use the SSH key of root for this." \ - && echo \ +[ "$(id -u)" != "0" ] \ + && echo "This script prepares the user 'root' of this host and the host itself," \ + && echo "so this script is allowed to be executed if you are root only." \ && exit 1 -_BOOT_HOSTNAME="$(hostname -b)" -_BOOT_DOMAIN="${_BOOT_HOSTNAME#*.}" #Removes shortest matching pattern '*.' from the begin to get the domain +# There has to be one dot at least. +_BOOT_DOMAIN="$(hostname -b | grep -F '.' | cut -d. -f2-)" [ -z "${_BOOT_DOMAIN}" ] \ && echo "It was impossible to find out the domain of this host, please prepare this host first." \ 
@@ -36,14 +33,18 @@ The first content for your repository for the state of the '$_BOOT_DOMAIN' domai Please create a states repository. To follow the naming convention name it '$_REOPSITORY_NAME' +Please DO NOT use the SSH key of root for this. +Maybe you can use https and user password for pushing the first commit. + Then go to folder '/tmp/skeleton/state' and follow the instructions as your git server shows. For example: + cd /tmp/skeleton/state git init git checkout -b main git add . git commit -m "first state" - git remote add origin ssh://git@git.example.dev:22448/$_REOPSITORY_NAME.git + git remote add origin https://git.example.dev/[SOME_PATH/]$_REOPSITORY_NAME.git git push -u origin main EOF