Make daemon work!
Signed-off-by: Manevolent <manevolent@team.lixo>
parent
20b1290066
commit
929f22d0d3
10
Dockerfile
10
Dockerfile
@ -1,14 +1,16 @@
|
||||
FROM docker/compose:alpine-1.25.5
|
||||
MAINTAINER Team Lixo <lixonet@team.lixo>
|
||||
|
||||
RUN apk add gnupg curl git py-pip openssh && pip install netcalc
|
||||
RUN apk add gnupg curl git py-pip openssh bash && pip install netcalc
|
||||
RUN curl -L "https://github.com/gliderlabs/sigil/releases/download/v0.5.0/sigil_0.5.0_$(uname -sm|tr \ _).tgz" | tar -zxC /usr/local/bin
|
||||
RUN adduser -u 431 -g docker -s /sbin/nologin -D lixonet
|
||||
|
||||
VOLUME /etc/lixonet
|
||||
|
||||
WORKDIR /run
|
||||
WORKDIR /app
|
||||
ADD . .
|
||||
RUN chmod +x run.sh
|
||||
|
||||
RUN chown -R lixonet:lixonet /app && chmod -R 700 /app && chmod +x /app/run.sh
|
||||
|
||||
USER lixonet
|
||||
CMD ["./run.sh"]
|
||||
CMD ["/app/run.sh"]
|
||||
|
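Review bot: The new `RUN chown -R lixonet:lixonet /app && chmod -R 700 /app && chmod +x /app/run.sh` rewrites every file that `ADD . .` just placed, so the whole application tree is stored twice in the image, and the trailing `chmod +x` is redundant because mode 700 already carries the execute bit. `COPY --chown=lixonet:lixonet --chmod=700 . .` sets owner and mode inside the copy layer itself (on builders whose Dockerfile frontend supports `--chmod`; otherwise `COPY --chown=lixonet:lixonet . .` followed by the single `chmod -R 700 /app`), and `COPY` is the right instruction here since no archive extraction or URL fetch is involved. The modified `apk add gnupg curl git py-pip openssh bash` still runs without `--no-cache` and without version pins, and `pip install netcalc` is unpinned too, so the apk index lands in the layer and two builds of the same commit can yield different images; `apk add --no-cache` with pinned package versions addresses both.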
18
build.sh
18
build.sh
@ -1,9 +1,15 @@
|
||||
#!/bin/ash
|
||||
|
||||
# https://stackoverflow.com/questions/3474526/stop-on-first-error
|
||||
# http://web.archive.org/web/20110314180918/http://www.davidpashley.com/articles/writing-robust-shell-scripts.html
|
||||
set +e
|
||||
|
||||
process_template ( ) {
|
||||
processed_filename=$(dirname $1)/$(basename $1 .tmpl)
|
||||
echo "Processing template $1 -> $processed_filename"
|
||||
set -e
|
||||
sh -c "sigil -f $1 -p $2 > $processed_filename"
|
||||
set +e
|
||||
rm $1
|
||||
}
|
||||
|
||||
@ -41,7 +47,7 @@ do
|
||||
|
||||
# Clone and copy the repository
|
||||
rm -rf "$(basename "$git" .git)"
|
||||
git clone $git || { echo "clone $git failed, quitting" ; exit 1; }
|
||||
GIT_SSH_COMMAND="ssh -i /etc/lixonet/${netname}/id_rsa -o IdentitiesOnly=yes" git clone $git || { echo "clone $git failed, quitting" ; exit 1; }
|
||||
echo "Creating work directory..."
|
||||
rm -rf work
|
||||
mkdir --verbose work
|
||||
@ -60,6 +66,7 @@ do
|
||||
# Tinc
|
||||
# Remove existing configuration
|
||||
rm -v -rf /etc/tinc/$netname/*
|
||||
|
||||
# Copy all tinc default files to /etc/(tinc)
|
||||
find tinc -type d | sed -e "s@tinc@tinc/${netname}@g" | xargs -I '{}' mkdir --verbose -p /etc/{}
|
||||
find tinc -type f | sed -e "s@tinc/@@g" | xargs -I '{}' cp --verbose tinc/{} /etc/tinc/$netname/{}
|
||||
@ -71,10 +78,7 @@ do
|
||||
# Copy private key
|
||||
cp /etc/lixonet/$netname/tinc.key /etc/tinc/$netname/rsa_key.priv
|
||||
# Set permissions for tinc scripts
|
||||
chmod +x /etc/tinc/$netname/tinc-up
|
||||
chmod +x /etc/tinc/$netname/tinc-down
|
||||
chmod +x /etc/tinc/$netname/subnet-up
|
||||
chmod +x /etc/tinc/$netname/subnet-down
|
||||
chmod +x /etc/tinc/$netname/tinc-up /etc/tinc/$netname/tinc-down /etc/tinc/$netname/subnet-up /etc/tinc/$netname/subnet-down
|
||||
|
||||
# Bird
|
||||
# Remove existing configuration
|
||||
@ -105,8 +109,12 @@ do
|
||||
|
||||
echo $sigil_vars | tr ' ' '\n' > .env
|
||||
cat docker-compose.yml
|
||||
|
||||
set -e
|
||||
docker-compose -p $netname down
|
||||
docker-compose -p $netname up -d --build --remove-orphans
|
||||
set +e
|
||||
|
||||
rm .env
|
||||
|
||||
# Pop directory
|
||||
|
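Review bot: In `process_template`, `sh -c "sigil -f $1 -p $2 > $processed_filename"` expands the template path and the variable list into a command string that a second shell parses again, so any quote, `$`, `;` or space inside a value is interpreted by that shell instead of being passed to sigil; where `$2` is built is not visible here, so treat this as a robustness gap until the call site is checked. Running the command directly, `sigil -f "$1" -p $2 > "$processed_filename"`, keeps the word splitting of `$2` that the original relies on while dropping the extra parse, and `rm "$1"` on the following line should be quoted for the same reason; the function is complete within the first hunk. In the `@ -105` hunk, `set -e` ahead of `docker-compose -p $netname down` means a failing compose command exits the script before `rm .env` runs, leaving the generated `.env` in the work directory until the next run cleans it; a `trap 'rm -f .env' EXIT` before the `set -e`, or an explicit `|| { rm -f .env; exit 1; }` on the compose lines, closes that gap.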
44
install.sh
44
install.sh
@ -1,3 +1,45 @@
|
||||
#!/bin/ash
|
||||
|
||||
docker build -t lixonet-ee . && docker run --restart always -d -e GIT_URL=git@github.com:Manevolent/lixonet-ee.git -v /var/run/docker.sock:/var/run/docker.sock -v /etc/bird:/etc/bird/ -v /etc/tinc:/etc/tinc -v /etc/bind:/etc/bind -v /etc/lixonet:/etc/lixonet -v /root/.ssh/id_rsa:/home/lixonet/.ssh/id_rsa lixonet-ee
|
||||
# See: Dockerfile
|
||||
UID=431
|
||||
GID=431
|
||||
|
||||
# Grab origin
|
||||
ORIGIN=`git remote get-url origin`
|
||||
|
||||
echo "Setting access to /var/run/docker.sock."
|
||||
chown -v $UID:$GID /var/run/docker.sock
|
||||
|
||||
echo "Setting read access to /etc/lixonet/."
|
||||
chown -R $UID:$GID /etc/lixonet/
|
||||
chmod -R 440 /etc/lixonet/
|
||||
chmod -R a+X /etc/lixonet/
|
||||
|
||||
echo "Setting write access to service directories."
|
||||
mkdir /etc/bind
|
||||
chown -R $UID:$GID /etc/bind/
|
||||
chmod -R 660 /etc/bind/
|
||||
chmod -R a+X /etc/bind/
|
||||
|
||||
mkdir /etc/bird
|
||||
chown -R $UID:$GID /etc/bird/
|
||||
chmod -R 660 /etc/bird/
|
||||
chmod -R a+X /etc/bird/
|
||||
|
||||
mkdir /etc/tinc
|
||||
chown -R $UID:$GID /etc/tinc/
|
||||
chmod -R 660 /etc/tinc/
|
||||
chmod -R a+X /etc/tinc/
|
||||
|
||||
echo "Setting exclusive read access to SSH keys."
|
||||
chmod -v 400 /etc/lixonet/id_rsa
|
||||
chmod -v 400 /etc/lixonet/*/id_rsa
|
||||
stat /etc/lixonet/id_rsa
|
||||
stat /etc/lixonet/*/id_rsa
|
||||
|
||||
echo "Enabling write access to /etc/lixonet/version."
|
||||
touch /etc/lixonet/version
|
||||
chmod 660 /etc/lixonet/version
|
||||
stat /etc/lixonet/version
|
||||
|
||||
docker build -t lixonet-ee . && docker run --restart always -d -e DOCKER_HOST=unix:///var/run/docker.sock -e GIT_URL=$ORIGIN -v /var/run/docker.sock:/var/run/docker.sock -v /etc/bird:/etc/bird/ -v /etc/tinc:/etc/tinc -v /etc/bind:/etc/bind -v /etc/lixonet:/etc/lixonet -v /etc/lixonet/known_hosts:/home/lixonet/.ssh/known_hosts -v /etc/lixonet/id_rsa:/home/lixonet/.ssh/id_rsa lixonet-ee
|
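Review bot: `UID=431` and `GID=431` reuse a variable name that bash marks read-only, so if this script is ever run under bash instead of the `#!/bin/ash` it declares (a host without busybox, or `bash install.sh`), the assignment fails and every following `chown`/`chmod` applies the invoking user's `$UID`; naming them `LIXO_UID=431` / `LIXO_GID=431` avoids the collision. `chown -v $UID:$GID /var/run/docker.sock` hands the host's Docker socket to uid 431, which is root-equivalent access to the host for anything running as that uid, and the socket is typically recreated with its default owner when dockerd restarts, so a comment stating that this is intended and that it does not survive a daemon restart would help the next operator. `mkdir /etc/bind`, `mkdir /etc/bird` and `mkdir /etc/tinc` fail on a re-run because the directories already exist, and since the script has no `set -e` it silently carries on; `mkdir -p` makes the script idempotent.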
54
run.sh
54
run.sh
@ -1,29 +1,55 @@
|
||||
#!/bin/ash
|
||||
#!/bin/bash
|
||||
delay=900
|
||||
version_file=/etc/lixonet/version
|
||||
log=/app/log/lixonet.log
|
||||
|
||||
mkdir /app/log
|
||||
|
||||
while true
|
||||
do
|
||||
(
|
||||
set -e
|
||||
set +e
|
||||
current_version=`cat $version_file || echo 0`
|
||||
|
||||
gpg --import <trusted_signers > /dev/null
|
||||
(echo 5; echo y; echo save) | gpg --command-fd 0 --no-tty --no-greeting -q --edit-key "$(gpg --list-packets <trusted_signers | awk '$1=="keyid:"{print$2;exit}')" trust > /dev/null
|
||||
|
||||
git fetch $GIT_URL
|
||||
latest_commit=`git log "--format=%G? %H" | grep ^G | head -n 1 | cut -d' ' -f2`
|
||||
if test -z $latest_commit; then
|
||||
echo "No trusted commits found! Re-checking in 60 seconds..."
|
||||
sleep 60
|
||||
gpg --import <trusted_signers >> $log 2>&1
|
||||
(echo 5; echo y; echo save) | gpg --command-fd 0 --no-tty --no-greeting -q --edit-key "$(gpg --list-packets <trusted_signers | awk '$1=="keyid:"{print$2;exit}')" trust >> $log 2>&1
|
||||
if [ $? -ne 0 ]; then
|
||||
echo "GPG import from trusted_signers failed. For more details, see $log"
|
||||
sleep $delay
|
||||
continue
|
||||
fi
|
||||
git checkout $latest_commit
|
||||
|
||||
git fetch $GIT_URL >> $log 2>&1
|
||||
if [ $? -ne 0 ]; then
|
||||
echo "Git fetch from $GIT_URL failed. For more details, see $log"
|
||||
sleep $delay
|
||||
continue
|
||||
fi
|
||||
|
||||
latest_commit=`git log "--format=%G? %H" | grep ^G | head -n 1 | cut -d' ' -f2`
|
||||
if test -z $latest_commit; then
|
||||
sleep $delay
|
||||
continue
|
||||
fi
|
||||
|
||||
git checkout $latest_commit >> $log 2>&1
|
||||
if [ $? -ne 0 ]; then
|
||||
echo "Git checkout failed. For more details, see $log"
|
||||
sleep $delay
|
||||
continue
|
||||
fi
|
||||
|
||||
checkout_version=`cat version`
|
||||
if [ "$checkout_version" -gt "$current_version" ]; then
|
||||
echo "Updating to version $checkout_version..."
|
||||
chmod +x build.sh && ./build.sh
|
||||
echo "Updated to version $checkout_version."
|
||||
echo $checkout_version > $version_file
|
||||
chmod +x build.sh && ./build.sh >> $log 2>&1
|
||||
if [ $? -eq 0 ]; then
|
||||
echo "Update completed successfully."
|
||||
echo $checkout_version > $version_file
|
||||
else
|
||||
echo "Update failed; version was not updated. Trying again in $delay seconds. For more details, see $log"
|
||||
continue
|
||||
fi
|
||||
fi
|
||||
)
|
||||
sleep $delay
|
||||
|
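Review bot: Each new failure branch runs `sleep $delay` and then `continue` inside the `( … )` subshell that the loop body opens, but `continue` there cannot reach the parent loop (in bash it ends only the subshell; other shells may report it as an error), and the parent's own `sleep $delay` after `)` runs in every case, so a failed gpg import, fetch or checkout waits `2*$delay` before the next attempt rather than `$delay`. Replacing each `sleep $delay` / `continue` pair, and the `continue` in the `else` branch of the update, with `exit 1` ends the subshell cleanly and lets the single outer sleep pace the retries. Separately, `git fetch $GIT_URL` only updates `FETCH_HEAD`, while `git log "--format=%G? %H"` walks from the current `HEAD`, so unless something outside this hunk advances `HEAD` the freshly fetched commits are never examined; `git log "--format=%G? %H" FETCH_HEAD` would make the trusted-commit search cover what was just fetched. The `while` loop's closing `done` lies outside the hunk.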