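#!/bin/sh
# Abort on the first failing command.
set -e

# Only x86_64 is supported for now (the Alpine rootfs URL used later is
# hard-wired to that architecture). Say so instead of exiting silently.
if ! uname -m | grep -q x86_64; then
  echo "haini.sh sólo soporta x86_64 por ahora" >&2
  exit 1
fi

# DIR is the directory holding this script, ROOT its parent (the Sutty
# checkout), SELF the script's own basename.
DIR="$(dirname "$(realpath "$0")")"
ROOT="$(dirname "$DIR")"
SELF="$(basename "$0")"

# Set to true when this script starts its own ssh-agent so that it can
# be stopped again before exiting.
SSH_ADHOC=false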
# Intended to be run from the Sutty checkout root or one of its direct
# subdirectories; anywhere else only prints a warning and carries on.
if test "$PWD" != "$ROOT" && test "$(dirname "$PWD")" != "$ROOT"; then
  echo "¡No estás corriendo dentro de una carpeta de Sutty!" >&2
fi
# bubblewrap (bwrap) provides the sandbox. Inside the sandbox HAIN_ENV is
# set by correr(), so the check only applies on the host.
if test -z "$HAIN_ENV"; then
  if ! command -v bwrap >/dev/null 2>&1; then
    echo "Por favor, instala el paquete bubblewrap" >&2
    exit 1
  fi
fi
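# bwrap --unshare-user needs unprivileged user namespaces. Kernels that
# expose the kernel.unprivileged_userns_clone knob may ship with them
# disabled; only touch the setting when the knob exists and is off.
if test -f /proc/sys/kernel/unprivileged_userns_clone \
  && test "$(sysctl -n kernel.unprivileged_userns_clone)" -ne 1; then
  echo "Necesitamos configurar tu sistema, ingresa tu contraseña para correr el comando" >&2
  # -w writes the value. With -a sysctl only lists every setting and
  # ignores the assignment, so the knob was never actually changed.
  echo "sudo sysctl -w kernel.unprivileged_userns_clone=1" >&2
  sudo sysctl -w kernel.unprivileged_userns_clone=1
fi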
# Inside the sandbox the checkout is mounted at /Sutty. When invoked from
# the checkout root no subdirectory has to be appended; otherwise the
# sandboxed command starts in the matching subdirectory.
case "$PWD" in
  "$ROOT") WORKDIR="/Sutty" ;;
  *) WORKDIR="/Sutty/${PWD##*/}/" ;;
esac
# The sandbox root filesystem defaults to $ROOT/hain (next to the
# haini.sh checkout); export ENTORNO beforehand to use another one.
if test -z "$ENTORNO"; then
  ENTORNO="${ROOT}/hain"
fi
# Runs a command line inside the bubblewrap sandbox.
#   $1        command line, passed verbatim to `/bin/sh -l -c` inside the
#             sandbox, so it is re-parsed by that shell (quoting included)
#   AS_ROOT   when non-empty, run as uid/gid 0 inside the user namespace
#             (crear_entorno uses this for addgroup/adduser)
#   ENV_FILE  optional KEY=value file; its non-comment lines are added to
#             the sandbox environment
#   stdin     optional path connected to the command's stdin; defaults to
#             /dev/null
# Reads ENTORNO, ROOT, WORKDIR, DISPLAY, TERM, RAILS_ENV, JEKYLL_ENV and
# SSH_AUTH_SOCK; writes the globals SET_UID and SET_GID (no `local` in
# /bin/sh). Echoes the command line to stderr first and returns bwrap's
# exit status (normally that of the sandboxed command).
#
# What the sandbox does and does not isolate (see the bwrap flags below):
# - $ENTORNO is mounted read-write as / and $ROOT as /Sutty.
# - user, ipc, uts and (if possible) cgroup namespaces are unshared, but
#   neither net nor pid: the sandbox shares the host network and sees host
#   processes through the bound /proc; /dev, /sys, /proc and /tmp are
#   bound read-write. This is a filesystem view, not a hardened sandbox.
# - env -i clears the environment; only the variables listed below (plus
#   $ENV_FILE) reach the sandbox. The $ENV_FILE expansion is unquoted and
#   split on whitespace, so values containing spaces would break apart
#   (NOTE(review): looks like a latent bug — confirm before relying on it).
# - The ~/.Xauthority substitution is unquoted on purpose so that it
#   expands to three words or to nothing; a $HOME containing spaces would
#   break it.
# - SSH_AUTH_SOCK is forwarded by name only; the socket has to live on a
#   path that is bound into the sandbox (e.g. under /tmp) — not checked.
# - --die-with-parent makes bwrap tear the sandbox down if this script
#   dies.
correr() {
  echo "> $1" >&2

  # AS_ROOT=true maps the caller to uid/gid 0 inside the user namespace;
  # otherwise the sandboxed process keeps the caller's own uid/gid.
  if test "$AS_ROOT"; then
    SET_UID=0
    SET_GID=0
  else
    SET_UID="$(id -u)"
    SET_GID="$(id -g)"
  fi

  env -i \
    DISPLAY="$DISPLAY" \
    TERM="$TERM" \
    USER="suttier" \
    HOME="/home/suttier" \
    HAIN_ENV=true \
    RAILS_ENV="${RAILS_ENV:-development}" \
    JEKYLL_ENV="${JEKYLL_ENV:-development}" \
    $(test -f "$ENV_FILE" && (grep -v '^#' "$ENV_FILE" | xargs -0) || true) \
    EDITOR="nano" \
    PAGER="less -niSFX" \
    SSH_AUTH_SOCK="${SSH_AUTH_SOCK}" \
    bwrap \
    --die-with-parent \
    --unshare-user \
    --uid "$SET_UID" \
    --gid "$SET_GID" \
    --unshare-ipc \
    --unshare-uts \
    --unshare-cgroup-try \
    --bind "$ENTORNO" / \
    --bind "$ROOT" /Sutty \
    $(test -f ~/.Xauthority && echo "--ro-bind $HOME/.Xauthority /home/suttier/.Xauthority") \
    --ro-bind /etc/hosts /etc/hosts \
    --ro-bind /etc/resolv.conf /etc/resolv.conf \
    --ro-bind /etc/localtime /etc/localtime \
    --dev-bind /dev /dev \
    --dev-bind /sys /sys \
    --dev-bind /proc /proc \
    --dev-bind /tmp /tmp \
    --chdir "$WORKDIR" \
    /bin/sh -l -c "$1" < "${stdin:-/dev/null}"
}
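# Creates (or migrates from an older sutty.local checkout) the local CA
# and the sutty.local certificate used inside the sandbox, then installs
# the CA on the host.
# Reads ENTORNO and ROOT; writes the globals SUTTY_LOCAL, ca_key, ca_crt,
# domain_key, domain_csr and domain_crt (paths relative to the sandbox
# root). Prints progress on stderr; aborts via set -e if a step fails.
# Note: once the CA is trusted by the host, whoever can read ca-sutty.key
# under $ENTORNO can issue certificates the host accepts — the private
# directory is made owner-only for that reason.
generar_certificado() {
  chmod 700 "$ENTORNO/etc/ssl/private"
  ca_key="/etc/ssl/private/ca-sutty.key"
  ca_crt="/usr/local/share/ca-certificates/ca-sutty.crt"
  domain_key="/etc/ssl/private/sutty.local.key"
  domain_csr="/etc/ssl/private/sutty.local.csr"
  domain_crt="/etc/ssl/certs/sutty.local.crt"

  # Reuse the certificates an older sutty.local checkout already has.
  if test -f "$ROOT/sutty.local/domain/sutty.local.crt"; then
    SUTTY_LOCAL="$ROOT/sutty.local"
    echo "Migrando certificados de sutty.local..." >&2
    cp "$SUTTY_LOCAL/ca/key.key" "$ENTORNO$ca_key"
    cp "$SUTTY_LOCAL/ca/crt.crt" "$ENTORNO$ca_crt"
    cp "$SUTTY_LOCAL/domain/sutty.local.key" "$ENTORNO$domain_key"
    cp "$SUTTY_LOCAL/domain/sutty.local.csr" "$ENTORNO$domain_csr"
    cp "$SUTTY_LOCAL/domain/sutty.local.crt" "$ENTORNO$domain_crt"
    return
  fi

  echo "Generando certificados..." >&2

  # Self-signed CA (10 years), written as .pem first and converted below.
  correr "openssl req -x509 -nodes -new -sha256 -days 3650 -newkey rsa:2048 \
    -keyout $ca_key -out $ca_crt.pem -subj '/C=AR/CN=Sutty-Local-CA'"
  correr "openssl x509 -outform pem -in $ca_crt.pem -out $ca_crt"
  # Make the sandbox itself trust the CA.
  correr "update-ca-certificates"
  # Key and CSR for sutty.local, signed with the CA; the extensions come
  # from domains.ext in the haini.sh checkout (mounted under /Sutty).
  correr "openssl req -new -nodes -newkey rsa:2048 \
    -keyout $domain_key -out $domain_csr \
    -subj '/C=AR/ST=Ninguno/L=Interdimension/O=Sutty-Local/CN=sutty.local'"
  correr "openssl x509 -req -sha256 -days 3650 \
    -in $domain_csr -CA $ca_crt -CAkey $ca_key \
    -CAcreateserial -extfile /Sutty/haini.sh/domains.ext -out $domain_crt"
  rm "$ENTORNO$ca_crt.pem"

  echo "Instalando certificados..." >&2
  # Host side: Debian-style update-ca-certificates when available, else
  # p11-kit's trust. `command -v` replaces `which`, which is not portable
  # and printed the resolved path to stdout.
  if command -v update-ca-certificates >/dev/null 2>&1; then
    sudo install -Dm 644 "$ENTORNO$ca_crt" /usr/share/ca-certificates/extra/sutty.crt
    sudo dpkg-reconfigure ca-certificates
    sudo update-ca-certificates
  else
    sudo trust anchor "$ENTORNO$ca_crt"
  fi
}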
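# Builds (or refreshes) the Alpine-based sandbox rootfs in $ENTORNO:
# downloads the mini rootfs, adds Sutty's apk repository and key, installs
# the packages listed in $DIR/packages, creates the suttier user and drops
# in configuration, helper scripts, SSH known_hosts and the local
# certificates. Every step is idempotent so the function runs on each
# invocation.
# Reads ENTORNO, DIR and HOME; writes the globals ALPINE, ALPINE_URL,
# download, sutty_key, packages and script. Prints progress on stderr;
# exits non-zero when no downloader is found or a download fails, and
# aborts via set -e on any other failing step.
crear_entorno() {
  ALPINE="3.13.5"
  ALPINE_URL="https://dl-cdn.alpinelinux.org/alpine/v${ALPINE%.*}/releases/x86_64/alpine-minirootfs-${ALPINE}-x86_64.tar.gz"

  # Pick a downloader that writes the fetched file to stdout; the last
  # one found wins (curl over busybox over wget). -f makes curl fail on
  # HTTP errors instead of saving the error page.
  type wget >/dev/null 2>&1 && download="wget -O -"
  type busybox >/dev/null 2>&1 && download="busybox wget -O -"
  type curl >/dev/null 2>&1 && download="curl -f"

  if test -z "${download}"; then
    echo "Necesitamos wget, busybox o curl para descargar Alpine" >&2
    exit 1
  fi

  # Give read permission to others too.
  umask 022

  # Create the working directory.
  mkdir -p "$ENTORNO"

  # Download and unpack Alpine only once (os-release marks an unpacked
  # rootfs). NOTE(review): the tarball is fetched over HTTPS but no
  # checksum or signature is verified; pinning its sha256 would make the
  # rootfs reproducible and tamper-evident.
  test -f "$ENTORNO/etc/os-release" || ${download} "${ALPINE_URL}" | tar xz --directory "$ENTORNO"

  # Sutty's package repository and its signing key. The key is fetched
  # from the same host as the packages (no out-of-band pinning). It is
  # downloaded with ${download} so curl-only systems work, into a temp
  # name first so a failed download is not mistaken for the key later.
  grep -q sutty "$ENTORNO/etc/apk/repositories" || echo "https://alpine.sutty.nl/alpine/v${ALPINE%\.*}/sutty" >> "$ENTORNO/etc/apk/repositories"
  sutty_key="$ENTORNO/etc/apk/keys/alpine@sutty.nl-5ea884cd.rsa.pub"
  if ! test -f "$sutty_key"; then
    if ${download} https://alpine.sutty.nl/alpine/sutty.pub > "$sutty_key.tmp"; then
      mv "$sutty_key.tmp" "$sutty_key"
    else
      rm -f "$sutty_key.tmp"
      echo "No se pudo descargar la clave de alpine.sutty.nl" >&2
      exit 1
    fi
  fi

  # Install the dependencies only when the package list changed.
  if test "$ENTORNO/etc/apk/world" -ot "$DIR/packages"; then
    echo "Instalando paquetes..." >&2
    packages="$(tr "\n" " " < "$DIR/packages")"
    correr "apk add --no-cache $packages"
  fi

  # Enable binary gems in rubygems. The ruby 2.7.0 path is hard-coded;
  # sed -i on a missing file exits non-zero, so set -e aborts here if the
  # rootfs ships another ruby.
  sed -re "s/#(@platforms = )/\1/" -i "$ENTORNO/usr/lib/ruby/2.7.0/rubygems.rb"
  # nginx runs as the sandbox user, not as nginx.
  sed -re "/user nginx/d" -i "$ENTORNO/etc/nginx/nginx.conf"
  # PID directory and site configuration.
  install -dm 755 "$ENTORNO/run/nginx"
  install -m 640 "$DIR/nginx.conf" "$ENTORNO/etc/nginx/http.d/default.conf"

  mkdir -p "$ENTORNO/home"
  # Migrate from older hainish versions, which used the host's $HOME path.
  test -d "$ENTORNO$HOME" && test ! -d "$ENTORNO/home/suttier" \
    && mv "$ENTORNO$HOME" "$ENTORNO/home/suttier"
  mkdir -p "$ENTORNO/home/suttier"

  # The suttier group/user mirror the caller's gid/uid so files under
  # /Sutty keep their host ownership; both are created as uid 0 inside the
  # user namespace. NOTE(review): whether the AS_ROOT=true prefix persists
  # after a function call is implementation-defined in POSIX sh; if it
  # does, every later correr call also runs as uid 0 in the namespace —
  # confirm under the target /bin/sh.
  if ! grep ^suttier: "$ENTORNO/etc/group" >/dev/null 2>&1; then
    AS_ROOT=true correr "addgroup \
      -g $(id -g) \
      suttier"
  fi
  if ! correr "id suttier" >/dev/null 2>&1; then
    AS_ROOT=true correr "adduser \
      --disabled-password \
      --gecos '' \
      --home /home/suttier \
      --no-create-home \
      --uid $(id -u) \
      --ingroup suttier \
      suttier"
  fi

  # Configure rubygems to fetch gems from Sutty.
  install -m 640 "$DIR/.gemrc" "$ENTORNO/home/suttier/.gemrc"

  # Syntax highlighting in nano.
  grep -q "^include " "$ENTORNO/etc/nanorc" || echo "include \"/usr/share/nano/*.nanorc\"" >> "$ENTORNO/etc/nanorc"

  # Install the helper scripts shipped with haini.sh.
  for script in "$DIR/bin/"*; do
    install -m 755 "$script" "$ENTORNO/usr/local/bin/${script##*/}"
  done

  # SSH: install the known_hosts shipped with haini.sh (it pins the host
  # keys listed there for the sandbox user).
  install -m 700 -d "$ENTORNO/home/suttier/.ssh"
  install -m 644 "$DIR/ssh/known_hosts" "$ENTORNO/home/suttier/.ssh/known_hosts"

  # Local TLS certificates, generated once; then move the CA certificate
  # from the location older versions used.
  test -f "$ENTORNO/etc/ssl/certs/sutty.local.crt" || generar_certificado
  test -f "$ENTORNO/usr/local/share/ca-certificates/ca-sutty.crt" || mv "$ENTORNO/etc/ssl/certs/ca-sutty.crt" "$ENTORNO/usr/local/share/ca-certificates/ca-sutty.crt"
}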
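# Self-update at most once an hour: fast-forward the haini.sh checkout
# and ask the user to re-run when something changed. Skipped for
# TERM=dumb (non-interactive callers).
# Reads DIR and TERM; writes the global last_update. Prints status on
# stderr (git's own output goes wherever git sends it). Returns 0, or
# exits 0 right after a successful update so the new version is used on
# the next run.
actualizar() {
  test "$TERM" != "dumb" || return

  # find prints FETCH_HEAD only when it is older than 60 minutes, and
  # prints nothing (plus an error on stderr) when the file is missing, so
  # a count of 0 means "checked recently". NOTE(review): a checkout that
  # has never pulled has no FETCH_HEAD and therefore also returns here —
  # confirm whether that is intended.
  last_update="$(find "$DIR/.git/FETCH_HEAD" -mmin +60 | wc -l)"
  if test "$last_update" -eq 0; then
    return
  fi

  # printf instead of `echo -n`: -n is not portable under /bin/sh.
  printf '%s' "Actualizando haini.sh... " >&2
  # Cheap reachability probe; ping may be blocked or unavailable, in which
  # case the update is simply retried next time.
  if ping -q -c 1 0xacab.org >/dev/null 2>&1; then
    git -C "$DIR" pull --ff-only
    # ORIG_HEAD newer than FETCH_HEAD signals the pull actually moved HEAD.
    if test "$DIR/.git/FETCH_HEAD" -ot "$DIR/.git/ORIG_HEAD"; then
      echo "haini.sh se actualizó, por favor volvé a ejecutar el comando" >&2
      exit 0
    fi
  else
    echo "no se pudo conectar 0xacab.org, intentando la próxima vez." >&2
  fi
}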
# Command run inside the sandbox when none is given; `serve` swaps it for
# nginx, `init` is only kept for backwards compatibility.
DEFAULT="sh"

case "$1" in
  init)
    echo "Advertencia: haini.sh init está deprecado, usá \`export PATH=$DIR:\$PATH\`." >&2
    echo "export PATH=$DIR:\$PATH"
    exit
    ;;
  serve)
    shift
    DEFAULT=nginx
    ;;
  *)
    # On the host, hint about PATH while haini.sh is not on it yet.
    if test -z "$HAIN_ENV" && ! type "$SELF" >/dev/null 2>&1; then
      echo "Tip: Usá \`export PATH=$DIR:\$PATH\` para poder correr comandos de haini.sh con solo 'haini.sh'" >&2
    fi
    ;;
esac
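# Entry point. Inside the sandbox (HAIN_ENV is set by correr) the requested
# command runs directly; on the host an ssh-agent is made available, the
# checkout self-updates, the environment is built and the command runs in
# the sandbox. The arguments are joined into one string and re-parsed by
# /bin/sh inside the sandbox, so shell quoting in them is not preserved.
if test "$HAIN_ENV"; then
  ${*:-$DEFAULT}
else
  if test -z "${SSH_AUTH_SOCK}"; then
    if ! type ssh-agent >/dev/null 2>&1; then
      echo "Instala ssh-agent para poder trabajar con git remoto dentro de haini.sh" >&2
    else
      SSH_ADHOC=true
      echo "Iniciando un ssh-agent temporal." >&2
      # ssh-agent prints the SSH_AUTH_SOCK/SSH_AGENT_PID exports it needs.
      eval "$(ssh-agent)"
      # ssh-add exits non-zero when no default key is found; that must not
      # abort the script under set -e (the agent would be left running).
      ssh-add || echo "No se pudo agregar una llave SSH al agente" >&2
    fi
  fi

  actualizar
  crear_entorno

  # Hand the terminal's stdin to the sandboxed command unless TERM is dumb.
  # The status is captured with `|| salida=$?` because under set -e a
  # failing command would otherwise terminate the script right here, and
  # the ad hoc ssh-agent started above would never be stopped.
  salida=0
  stdin="$(test "$TERM" = "dumb" || echo "/dev/stdin")" correr "${*:-$DEFAULT}" || salida=$?

  if test "$SSH_ADHOC" = true; then
    ssh-agent -k
  fi

  exit $salida
fi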