From 929f22d0d341996de091e80bc56770234e42a759 Mon Sep 17 00:00:00 2001
From: Manevolent
Date: Tue, 21 Sep 2021 12:37:42 -0600
Subject: [PATCH] Make daemon work!
Signed-off-by: Manevolent
---
 Dockerfile | 10 ++++++----
 build.sh | 18 +++++++++++++-----
 install.sh | 44 +++++++++++++++++++++++++++++++++++++++++++-
 run.sh | 54 ++++++++++++++++++++++++++++++++++++++++-------------
 4 files changed, 102 insertions(+), 24 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index de76e06..1612535 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,14 +1,16 @@
 FROM docker/compose:alpine-1.25.5
 MAINTAINER Team Lixo
-RUN apk add gnupg curl git py-pip openssh && pip install netcalc
+RUN apk add gnupg curl git py-pip openssh bash && pip install netcalc
 RUN curl -L "https://github.com/gliderlabs/sigil/releases/download/v0.5.0/sigil_0.5.0_$(uname -sm|tr \ _).tgz" | tar -zxC /usr/local/bin
+RUN adduser -u 431 -g docker -s /sbin/nologin -D lixonet
 VOLUME /etc/lixonet
-WORKDIR /run
+WORKDIR /app
 ADD . .
-RUN chmod +x run.sh
+
+RUN chown -R lixonet:lixonet /app && chmod -R 700 /app && chmod +x /app/run.sh
 USER lixonet
-CMD ["./run.sh"]
+CMD ["/app/run.sh"]
diff --git a/build.sh b/build.sh
index 3fafe42..b0c65dd 100644
--- a/build.sh
+++ b/build.sh
@@ -1,9 +1,15 @@
 #!/bin/ash
+# https://stackoverflow.com/questions/3474526/stop-on-first-error
+# http://web.archive.org/web/20110314180918/http://www.davidpashley.com/articles/writing-robust-shell-scripts.html
+set +e
+
 process_template ( ) {
 processed_filename=$(dirname $1)/$(basename $1 .tmpl)
 echo "Processing template $1 -> $processed_filename"
+ set -e
 sh -c "sigil -f $1 -p $2 > $processed_filename"
+ set +e
 rm $1
 }
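Review bot: In BusyBox `adduser`, which is what this Alpine-based image provides, `-g` sets the GECOS field rather than the group, so `RUN adduser -u 431 -g docker -s /sbin/nologin -D lixonet` does not put `lixonet` in a `docker` group; if membership was the intent, the option is `-G docker` (and that group must exist in the image). As written, the user's only access to the daemon comes from the host-side `chown` of `/var/run/docker.sock` in install.sh, so a comment on this line such as `# UID 431 must match install.sh; it is handed the Docker socket, i.e. it is root-equivalent on the host` would keep the two files and the trust boundary in step.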
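Review bot: The `set -e` / `set +e` pair around `sh -c "sigil -f $1 -p $2 > $processed_filename"` turns a sigil failure into a silent exit of the whole script, with no message and with the template left in place, which is inconsistent with the explicit `|| { echo ...; exit 1; }` used for the clone failure later in this file. Checking the command directly says the same thing without toggling shell modes: `sh -c "sigil -f $1 -p $2 > $processed_filename" || { echo "sigil failed for $1" >&2; exit 1; }`. The unquoted `$1`/`$2` inside the `sh -c` string are re-parsed by the inner shell; if that is not relied on to split `$2`, `sigil -f "$1" -p "$2" > "$processed_filename"` in the calling shell avoids the second parse entirely. The leading `set +e` only restates the shell default; a one-line comment saying errors are deliberately checked per command would explain the intent better than the two links.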
@@ -41,7 +47,7 @@ do
 # Clone and copy the repository
 rm -rf "$(basename "$git" .git)"
- git clone $git || { echo "clone $git failed, quitting" ; exit 1; }
+ GIT_SSH_COMMAND="ssh -i /etc/lixonet/${netname}/id_rsa -o IdentitiesOnly=yes" git clone $git || { echo "clone $git failed, quitting" ; exit 1; }
 echo "Creating work directory..."
 rm -rf work
 mkdir --verbose work
@@ -60,6 +66,7 @@ do
 # Tinc
 # Remove existing configuration
 rm -v -rf /etc/tinc/$netname/*
+ # Copy all tinc default files to /etc/(tinc)
 find tinc -type d | sed -e "s@tinc@tinc/${netname}@g" | xargs -I '{}' mkdir --verbose -p /etc/{}
 find tinc -type f | sed -e "s@tinc/@@g" | xargs -I '{}' cp --verbose tinc/{} /etc/tinc/$netname/{}
@@ -71,10 +78,7 @@ do
 # Copy private key
 cp /etc/lixonet/$netname/tinc.key /etc/tinc/$netname/rsa_key.priv
 # Set permissions for tinc scripts
- chmod +x /etc/tinc/$netname/tinc-up
- chmod +x /etc/tinc/$netname/tinc-down
- chmod +x /etc/tinc/$netname/subnet-up
- chmod +x /etc/tinc/$netname/subnet-down
+ chmod +x /etc/tinc/$netname/tinc-up /etc/tinc/$netname/tinc-down /etc/tinc/$netname/subnet-up /etc/tinc/$netname/subnet-down
 # Bird
 # Remove existing configuration
@@ -105,8 +109,12 @@ do
 echo $sigil_vars | tr ' ' '\n' > .env
 cat docker-compose.yml
+
+ set -e
 docker-compose -p $netname down
 docker-compose -p $netname up -d --build --remove-orphans
+ set +e
+
 rm .env
 # Pop directory
diff --git a/install.sh b/install.sh
index f356dc0..19bb802 100644
--- a/install.sh
+++ b/install.sh
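Review bot: The `GIT_SSH_COMMAND` added to the `git clone` line selects the per-network identity but leaves host-key verification implicit: it depends on whatever `known_hosts` the container user's `HOME` resolves to (install.sh bind-mounts one at `/home/lixonet/.ssh/known_hosts`), and `$git` is still passed unquoted. Pinning both in the command removes that dependency: `GIT_SSH_COMMAND="ssh -i /etc/lixonet/${netname}/id_rsa -o IdentitiesOnly=yes -o UserKnownHostsFile=/etc/lixonet/known_hosts -o StrictHostKeyChecking=yes" git clone "$git" || { echo "clone $git failed, quitting" ; exit 1; }` — install.sh mounts `/etc/lixonet` into the container, so the file is reachable at that path. The enclosing `do` loop starts outside this hunk.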
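Review bot: With `set -e` in force, a failing `docker-compose -p $netname down` or `up` exits the script before `rm .env` and the directory pop run, so the `.env` just generated from `$sigil_vars` is left behind in the clone and any remaining networks in the loop are skipped without a message; previously the script fell through to the cleanup. An explicit failure branch keeps the cleanup on the error path and names the failure: `docker-compose -p "$netname" down && docker-compose -p "$netname" up -d --build --remove-orphans || { rm -f .env; echo "docker-compose failed for $netname" >&2; exit 1; }`. Whether one compose failure should stop the whole run or move on to the next network is a policy choice that deserves a comment here. The enclosing `do` loop starts outside this hunk.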
@@ -1,3 +1,45 @@
 #!/bin/ash
-docker build -t lixonet-ee . && docker run --restart always -d -e GIT_URL=git@github.com:Manevolent/lixonet-ee.git -v /var/run/docker.sock:/var/run/docker.sock -v /etc/bird:/etc/bird/ -v /etc/tinc:/etc/tinc -v /etc/bind:/etc/bind -v /etc/lixonet:/etc/lixonet -v /root/.ssh/id_rsa:/home/lixonet/.ssh/id_rsa lixonet-ee
\ No newline at end of file
+# See: Dockerfile
+UID=431
+GID=431
+
+# Grab origin
+ORIGIN=`git remote get-url origin`
+
+echo "Setting access to /var/run/docker.sock."
+chown -v $UID:$GID /var/run/docker.sock
+
+echo "Setting read access to /etc/lixonet/."
+chown -R $UID:$GID /etc/lixonet/
+chmod -R 440 /etc/lixonet/
+chmod -R a+X /etc/lixonet/
+
+echo "Setting write access to service directories."
+mkdir /etc/bind
+chown -R $UID:$GID /etc/bind/
+chmod -R 660 /etc/bind/
+chmod -R a+X /etc/bind/
+
+mkdir /etc/bird
+chown -R $UID:$GID /etc/bird/
+chmod -R 660 /etc/bird/
+chmod -R a+X /etc/bird/
+
+mkdir /etc/tinc
+chown -R $UID:$GID /etc/tinc/
+chmod -R 660 /etc/tinc/
+chmod -R a+X /etc/tinc/
+
+echo "Setting exclusive read access to SSH keys."
+chmod -v 400 /etc/lixonet/id_rsa
+chmod -v 400 /etc/lixonet/*/id_rsa
+stat /etc/lixonet/id_rsa
+stat /etc/lixonet/*/id_rsa
+
+echo "Enabling write access to /etc/lixonet/version."
+touch /etc/lixonet/version
+chmod 660 /etc/lixonet/version
+stat /etc/lixonet/version
+
+docker build -t lixonet-ee . && docker run --restart always -d -e DOCKER_HOST=unix:///var/run/docker.sock -e GIT_URL=$ORIGIN -v /var/run/docker.sock:/var/run/docker.sock -v /etc/bird:/etc/bird/ -v /etc/tinc:/etc/tinc -v /etc/bind:/etc/bind -v /etc/lixonet:/etc/lixonet -v /etc/lixonet/known_hosts:/home/lixonet/.ssh/known_hosts -v /etc/lixonet/id_rsa:/home/lixonet/.ssh/id_rsa lixonet-ee
\ No newline at end of file
diff --git a/run.sh b/run.sh
index 1ef475b..c26dbe3 100644
--- a/run.sh
+++ b/run.sh
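Review bot: `chown -v $UID:$GID /var/run/docker.sock` hands the daemon socket to the container user, and control of that socket is equivalent to root on the host, so the line should say so: `# Owning docker.sock makes UID 431 root-equivalent on this host; the updater is trusted with it deliberately.` The chown is also presumably not durable, since dockerd recreates the socket with its own ownership (root and the `docker` group by default) when it restarts, at which point the container loses access silently. Separately, `UID` is a read-only variable in bash, so `UID=431` fails if this script is ever run with bash instead of the `#!/bin/ash` shebang; a name such as `LIXONET_UID` (and `LIXONET_GID`) avoids the clash. `-e GIT_URL=$ORIGIN` in the final `docker run` should be quoted, `-e GIT_URL="$ORIGIN"`.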
@@ -1,29 +1,55 @@
-#!/bin/ash
+#!/bin/bash
 delay=900
 version_file=/etc/lixonet/version
+log=/app/log/lixonet.log
+
+mkdir /app/log
+
 while true
 do
 (
- set -e
+ set +e
 current_version=`cat $version_file || echo 0`
- gpg --import /dev/null
- (echo 5; echo y; echo save) | gpg --command-fd 0 --no-tty --no-greeting -q --edit-key "$(gpg --list-packets /dev/null
-
- git fetch $GIT_URL
- latest_commit=`git log "--format=%G? %H" | grep ^G | head -n 1 | cut -d' ' -f2`
- if test -z $latest_commit; then
- echo "No trusted commits found! Re-checking in 60 seconds..."
- sleep 60
+ gpg --import > $log 2>&1
+ (echo 5; echo y; echo save) | gpg --command-fd 0 --no-tty --no-greeting -q --edit-key "$(gpg --list-packets > $log 2>&1
+ if [ $? -ne 0 ]; then
+ echo "GPG import from trusted_signers failed. For more details, see $log"
+ sleep $delay
 continue
 fi
- git checkout $latest_commit
+
+ git fetch $GIT_URL >> $log 2>&1
+ if [ $? -ne 0 ]; then
+ echo "Git fetch from $GIT_URL failed. For more details, see $log"
+ sleep $delay
+ continue
+ fi
+
+ latest_commit=`git log "--format=%G? %H" | grep ^G | head -n 1 | cut -d' ' -f2`
+ if test -z $latest_commit; then
+ sleep $delay
+ continue
+ fi
+
+ git checkout $latest_commit >> $log 2>&1
+ if [ $? -ne 0 ]; then
+ echo "Git checkout failed. For more details, see $log"
+ sleep $delay
+ continue
+ fi
+
 checkout_version=`cat version`
 if [ "$checkout_version" -gt "$current_version" ]; then
 echo "Updating to version $checkout_version..."
- chmod +x build.sh && ./build.sh
- echo "Updated to version $checkout_version."
- echo $checkout_version > $version_file
+ chmod +x build.sh && ./build.sh >> $log 2>&1
+ if [ $? -eq 0 ]; then
+ echo "Update completed successfully."
+ echo $checkout_version > $version_file
+ else
+ echo "Update failed; version was not updated. Trying again in $delay seconds. For more details, see $log"
+ continue
+ fi
 fi
 )
 sleep $delay
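Review bot: The `latest_commit=` line runs `git log "--format=%G? %H"` with no revision, so it walks the current `HEAD`, while the preceding `git fetch $GIT_URL` (a URL, not a remote name) only updates `FETCH_HEAD`; unless `HEAD` is advanced somewhere else, the daemon keeps selecting a signed commit it already has and never sees a newer one. `git log FETCH_HEAD "--format=%G? %H" | grep ^G | head -n 1 | cut -d' ' -f2` examines the fetched history instead. The three `sleep $delay` + `continue` failure branches run inside the `( ... )` subshell, and `continue` cannot reach the outer `while` from there, so the `sleep $delay` after `)` still runs and each such failure waits twice `$delay`; dropping the inner sleeps, as the build-failure branch already does, gives one delay per iteration. `$latest_commit`, `$log` and `$version_file` remain unquoted, and `mkdir /app/log` without `-p` will print an error on every restart of the same container once the directory exists. The loop's closing `done` lies outside this hunk.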