06-install-local-files.sh
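# Jail names, cert names, ${jailroot} and ${datazpool} all come from this
# host-local config.  Without it the "${jailroot}/${jail}/..." paths used
# below collapse to the host's own filesystem, so refuse to run rather than
# create files and change ownership outside the jails.
jail_vars=/usr/local/etc/host-init/jail-vars.sh
if [ ! -r "$jail_vars" ]; then
  printf 'cannot read %s\n' "$jail_vars" >&2
  exit 1
fi
. "$jail_vars"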
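# install the fstab files for the jails (well, just nginx jail so far...)
# fstab/fstab.nginx is resolved relative to the current directory, so this
# script expects to be run from the directory holding the templates.
if [ -n "${WEB_JAIL}" ] ; then
  web_fstab="/etc/fstab.${WEB_JAIL}"
  cp fstab/fstab.nginx "$web_fstab"
  # '#' is the s/// delimiter here, so ${jailroot} and the jail names must not
  # contain '#'; they come from jail-vars.sh, not from untrusted input.
  sed -i '' \
    -e "s#%%JAIL_ROOT%%#${jailroot}#g" \
    -e "s#%%JAIL_NAME_INGRESS%%#${INGRESS_JAIL}#g" \
    -e "s#%%JAIL_NAME_NGINX%%#${WEB_JAIL}#g" \
    "$web_fstab"
fi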
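# anvil configuration
# which jails have certs and need cert-puller configured
# (CERT_JAILS is a whitespace-separated list, hence the unquoted expansion)
for jail in ${CERT_JAILS}
do
  anvil_dir="${jailroot}/${jail}/usr/local/etc/anvil"
  mkdir -p "$anvil_dir"
  cp cert-puller.conf.template "$anvil_dir/cert-puller.conf"
done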
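# this is harder to put into a for loop because the jail name and the cert name
# don't correspond
# Yeah, where are the variables for the cert names?
# anvil configuration
# The *_CERT values land on the right-hand side of s///, so they must not
# contain '/', '&' or '\' (they are taken from jail-vars.sh).
if [ -n "${WEB_JAIL}" ] ; then
  web_conf="${jailroot}/${WEB_JAIL}/usr/local/etc/anvil/cert-puller.conf"
  sed -i '' \
    -e "s/%%MYCERTS%%/${WEB_JAIL_CERT}/g" \
    -e "s/%%SERVICES_RESTART%%//g" \
    -e "s/%%SERVICES_RELOAD%%/SERVICES_RELOAD=\"nginx\"/g" \
    "$web_conf"
fi
if [ -n "${PG_JAIL}" ] ; then
  pg_conf="${jailroot}/${PG_JAIL}/usr/local/etc/anvil/cert-puller.conf"
  # NOTE(review): unlike the nginx case above, the reload directive is written
  # into the RESTART placeholder here; looks intentional (reload rather than
  # restart postgres) but confirm against the template.
  sed -i '' \
    -e "s/%%MYCERTS%%/${PG_JAIL_CERT}/g" \
    -e "s/%%SERVICES_RESTART%%/SERVICES_RELOAD=\"postgresql\"/g" \
    -e "s/%%SERVICES_RELOAD%%//g" \
    "$pg_conf"
fi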
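# now set the sudo permissions for each jail
for jail in ${CERT_JAILS}
do
  sudoers_dir="${jailroot}/${jail}/usr/local/etc/sudoers.d"
  sudoers_file="$sudoers_dir/anvil"
  # we have to create it because sudo has not yet been installed
  mkdir -p "$sudoers_dir"
  # set sudo permissions for anvil re cert-puller.  Generate into a temporary
  # name first: sudo ignores sudoers.d entries whose name contains '.', so an
  # empty or half-written file is never honoured if jexec/cert-puller fails
  # part way through.  0440 is the mode sudo expects for sudoers.d files.
  if jexec "$jail" /usr/local/bin/cert-puller -s > "$sudoers_file.tmp"; then
    chmod 0440 "$sudoers_file.tmp"
    mv -f "$sudoers_file.tmp" "$sudoers_file"
  else
    rm -f "$sudoers_file.tmp"
    printf 'cert-puller -s failed in jail %s; sudoers.d/anvil not installed\n' "$jail" >&2
  fi
  # pull down the certs (still attempted, as before, even if the step above failed)
  jexec -U anvil "$jail" sh /usr/local/bin/cert-puller
done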
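# ZFS datasets for the ingress jail: the two parent datasets stay unmounted
# (canmount=off) and their mountpoints are pointed into the jail's filesystem
ingress_root="${jailroot}/${INGRESS_JAIL}"
ingress_ds="${datazpool}/freshports/${INGRESS_JAIL}"
zfs set canmount=off "${ingress_ds}/freshports"
zfs set "mountpoint=${ingress_root}/var/db/freshports" "${ingress_ds}/freshports"
#zfs inherit mountpoint ${datazpool}/freshports/${INGRESS_JAIL}/var/db/freshports/cache/html
#zfs inherit mountpoint ${datazpool}/freshports/${INGRESS_JAIL}/var/db/freshports/cache/spooling
#zfs inherit mountpoint ${datazpool}/freshports/${INGRESS_JAIL}/var/db/freshports/message-queues
#zfs inherit mountpoint ${datazpool}/freshports/${INGRESS_JAIL}/var/db/freshports/repos
zfs set canmount=off "${ingress_ds}/ingress"
zfs set "mountpoint=${ingress_root}/var/db/ingress" "${ingress_ds}/ingress"
#zfs inherit mountpoint ${datazpool}/freshports/${INGRESS_JAIL}/ingress/message-queues
#zfs inherit mountpoint ${datazpool}/freshports/${INGRESS_JAIL}/ingress/repos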
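# aliases for dma - make sure mail for root gets out
# (JAILS is a whitespace-separated list, hence the unquoted expansion)
for jail in $JAILS
do
  aliases="${jailroot}/${jail}/etc/mail/aliases"
  if [ ! -f "$aliases" ]; then
    printf 'no %s, skipping root alias\n' "$aliases" >&2
    continue
  fi
  sed -i '' -e "s/# root: [email protected]/root: [email protected]/g" "$aliases"
done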
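# fix broken logcheck installs
# Each jail is handled in a subshell: the shell itself never changes
# directory, so nothing has to be restored afterwards.  (The old
# PWD=$(pwd) ... cd ${PWD} dance did not work: the shell updates PWD on every
# cd, so the final cd was a no-op and the script ended inside the last
# jail's logcheck directory.)
for jail in $JAILS
do
  logcheck_dir="${jailroot}/${jail}/usr/local/etc/logcheck"
  # the jails are not running at this point, we can't use jexec
  # NOTE(review): the cert-puller loop above does use jexec, so one of the two
  # assumptions is stale - confirm which.
  if [ ! -d "$logcheck_dir" ]; then
    printf 'no %s, skipping logcheck fix\n' "$logcheck_dir" >&2
    continue
  fi
  # cd must succeed before chgrp runs, otherwise the group change would be
  # applied to whatever directory we happen to be in.
  (
    cd "$logcheck_dir" || exit 1
    chgrp logcheck . cracking.d ignore.d.paranoid ignore.d.server ignore.d.workstation violations.d violations.ignore.d
  )
done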