Compare commits

47 commits

Author SHA1 Message Date
7fe80d7fb4 Merge branch 'issue-47' into 'antifascista'
fix: do not use sysctl without root #47

See merge request sutty/haini.sh!52
2023-01-18 16:50:05 +00:00
f
02efc493aa fix: do not use sysctl without root #47 2023-01-16 14:54:50 -03:00
f
c23ce4b2cc fix: $HOME 2022-12-01 14:15:01 -03:00
f
01a1eca869 fix: expand the path 2022-12-01 14:12:11 -03:00
f
4149df450a fix: detect the presence of Xauthority 2022-12-01 14:10:05 -03:00
ac4bd0a57a Merge branch 'issue-34' into 'antifascista'
fix: read stdin only if it is a real terminal #34

See merge request sutty/haini.sh!46
2022-12-01 16:41:32 +00:00
1127d5ab61 Merge branch 'soportar-x' into 'antifascista'
support X

See merge request sutty/haini.sh!42
2022-12-01 16:40:50 +00:00
f
def36cf183 fix: mount xauthority ro 2022-11-28 12:05:37 -03:00
f
79f72a80f0 fix: install npm 2022-11-16 16:47:22 -03:00
f
5729880a37 fix: do not update in cronjobs 2022-11-10 13:32:30 -03:00
f
306ec0efc0 fix: read stdin only if it is a real terminal #34 2022-11-09 20:04:51 -03:00
Nulo
834d485b18 Merge branch 'issue-36' into 'antifascista'
fix: check for hainish update

See merge request sutty/haini.sh!45
2022-10-30 14:30:01 +00:00
f
8698a22f0a fix: do not show the ping output
related to #28
2022-10-29 18:25:22 -03:00
f
9bd12bc8fd fix: typo in the check #36 2022-10-29 18:25:04 -03:00
f
6de964e649 support X
in case we are testing in browsers, for example
2022-08-27 22:40:00 -03:00
Nulo
6a465a1fa4 Merge branch 'unprivileged_userns_clone' into 'antifascista'
do not fail if /proc/sys/kernel/unprivileged_userns_clone does not exist

See merge request sutty/haini.sh!37
2022-03-30 17:47:20 +00:00
ba1a7c75fe Merge branch 'optimizar-imagenes' into 'antifascista'
install image optimizers

See merge request sutty/haini.sh!40
2022-03-30 17:46:34 +00:00
77e8f140f3 Merge branch 'auto-update' into 'antifascista'
do auto-update

See merge request sutty/haini.sh!39
2022-03-17 16:14:53 +00:00
09e732bdc4 Notify when it updates or fails 2022-03-17 15:25:49 +00:00
f
6010347b8c install image optimizers 2022-03-15 13:55:35 -03:00
f
9095a54a97 do auto-update 2022-03-15 13:52:10 -03:00
0229fa5fbc Merge branch 'localized-pack' into 'antifascista'
make the js work in other languages

See merge request sutty/haini.sh!38
2022-02-16 18:37:10 +00:00
f
6b00075d63 make the js work in other languages 2022-02-10 19:23:39 -03:00
f
2f7d16626b do not fail if /proc/sys/kernel/unprivileged_userns_clone does not exist 2022-01-07 12:02:27 -03:00
69e0d7f9c4 Merge branch 'custom-nginx' into 'antifascista'
nginx.conf: allow the site's own configuration

Closes #27

See merge request sutty/haini.sh!35
2021-11-25 22:57:16 +00:00
034924f69e Merge branch 'env-file' into 'antifascista'
Accept an ENV_FILE parameter

Closes #11

See merge request sutty/haini.sh!33
2021-11-25 22:56:40 +00:00
c6287ab8ff nginx.conf: use the sites' _nginx.conf 2021-11-25 22:49:17 +00:00
c4efdd0334 Merge branch 'certificados-tienda' into 'antifascista'
domains.ext: generate certificates for the store

Closes #13

See merge request sutty/haini.sh!36
2021-11-25 21:38:13 +00:00
ec471e1d4e domains.ext: generate certificates for the store 2021-11-25 21:28:58 +00:00
8e1a834e47 nginx.conf: allow the site's own configuration 2021-11-25 21:27:03 +00:00
Nulo
018a2a443e Merge branch 'pem' into 'antifascista'
the .pem was unnecessary

See merge request sutty/haini.sh!34
2021-11-18 15:26:27 +00:00
f
6762ee5394 the .pem was unnecessary 2021-11-18 12:19:44 -03:00
b3c9e18fac Accept an ENV_FILE parameter 2021-10-28 15:29:56 -03:00
Nulo
4ea037359b Merge branch 'exit-0' into 'antifascista'
return hainish's exit status

See merge request sutty/haini.sh!31
2021-10-07 22:35:28 +00:00
f
5e52834eae return hainish's exit status
since the last command was ssh-agent, we were exiting with the wrong status
2021-10-05 21:05:23 -03:00
Nulo
25d1977b37 Merge branch 'ssh' into 'antifascista'
Support the user's SSH keys

See merge request sutty/haini.sh!24
2021-09-28 18:29:46 +00:00
f
b372a54e1f There was no need to bind the socket 2021-09-28 15:21:54 -03:00
f
5b3516d0f8 Remove the configuration 2021-09-28 15:16:28 -03:00
f
347b7eab2c No need to recommend the installation if we do not leave agents open 2021-09-28 15:11:36 -03:00
f
62cb0883cc Do not fail if there is no ssh-agent 2021-09-28 15:11:19 -03:00
f
74a4985ea2 Install files inside /home/suttier 2021-09-28 14:27:06 -03:00
f
19aac59bdc Warn when there is no ssh-agent 2021-09-28 14:27:06 -03:00
f
1af786a9e1 Do not leave ssh-agents floating around 2021-09-28 14:27:06 -03:00
f
c1525d9e0f Use SSH Agent
It is necessary to use ssh-agent to be able to make SSH connections inside
Hainish sharing the same keys.  If we mounted ~/.ssh, the
SSH client insists on expanding ~ to the external home instead of the internal one and
we found no documentation about it.
2021-09-28 14:27:06 -03:00
f
d088b5115e Support the user's SSH keys 2021-09-28 14:27:06 -03:00
84444bba04 Merge branch 'usuarix-real' into 'antifascista'
Create user inside haini.sh

See merge request sutty/haini.sh!30
2021-09-28 17:26:29 +00:00
50b3d04792 Create user inside haini.sh
..instead of lying in $HOME.

/Sutty$ id
uid=1000(suttier) gid=1000(suttier) groups=65534(nobody),65534(nobody),65534(nobody),65534(nobody),65534(nobody),65534(nobody),65534(nobody),65534(nobody),65534(nobody),1000(suttier)

/Sutty$ ssh -vvv 0xacab.org
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/home/suttier/.ssh/known_hosts'
2021-09-28 13:32:02 -03:00
5 changed files with 94 additions and 7 deletions

View file

@ -5,3 +5,4 @@ subjectAltName = @alt_names
[alt_names] [alt_names]
DNS.1 = sutty.local DNS.1 = sutty.local
DNS.2 = *.sutty.local DNS.2 = *.sutty.local
DNS.3 = *.tienda.sutty.local
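
Review bot: the new `DNS.3 = *.tienda.sutty.local` entry only reaches certificates issued after this change, because `crear_entorno` runs `generar_certificado` only when `sutty.local.crt` is missing. Environments created earlier keep a certificate without this SAN, so store hosts will fail TLS validation there. Suggest regenerating when `domains.ext` is newer than the certificate, or documenting that the existing certificate must be deleted once.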

View file

@ -8,6 +8,7 @@ uname -m | grep -q x86_64 || exit 1
DIR="$(dirname "$(realpath "$0")")" DIR="$(dirname "$(realpath "$0")")"
ROOT="$(dirname "$DIR")" ROOT="$(dirname "$DIR")"
SELF="$(basename "$0")" SELF="$(basename "$0")"
SSH_ADHOC=false
# Sólo se puede correr desde el directorio de Sutty # Sólo se puede correr desde el directorio de Sutty
if test "$ROOT" != "$(dirname "$PWD")" && test "$ROOT" != "$PWD"; then if test "$ROOT" != "$(dirname "$PWD")" && test "$ROOT" != "$PWD"; then
@ -20,7 +21,7 @@ if ! test "$HAIN_ENV" && ! type bwrap >/dev/null 2>&1 ; then
exit 1 exit 1
fi fi
if test "$(sysctl -n kernel.unprivileged_userns_clone)" -ne 1 ; then if test -f /proc/sys/kernel/unprivileged_userns_clone && test "$(cat /proc/sys/kernel/unprivileged_userns_clone)" -ne 1 ; then
echo "Necesitamos configurar tu sistema, ingresa tu contraseña para correr el comando" >&2 echo "Necesitamos configurar tu sistema, ingresa tu contraseña para correr el comando" >&2
echo "sudo sysctl -a kernel.unprivileged_userns_clone=1" >&2 echo "sudo sysctl -a kernel.unprivileged_userns_clone=1" >&2
sudo sysctl -a kernel.unprivileged_userns_clone=1 sudo sysctl -a kernel.unprivileged_userns_clone=1
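
Review bot: the remediation in the context lines still runs `sudo sysctl -a kernel.unprivileged_userns_clone=1`, and `-a` is sysctl's list-all flag rather than the write flag, so the value is likely never set even after the user types their password. Suggest `sudo sysctl -w kernel.unprivileged_userns_clone=1` in both the echoed text and the command, so that what is shown is exactly what runs under sudo. The `test -f` guard on the changed line is a sound way to skip kernels that lack this knob; the setting is also not persisted, so the prompt will return after every reboot unless that is documented or handled.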
@ -40,26 +41,38 @@ ENTORNO=${ENTORNO:-${ROOT}/hain}
correr() { correr() {
echo "> $1" >&2 echo "> $1" >&2
if test "$AS_ROOT"; then
SET_UID=0
SET_GID=0
else
SET_UID="$(id -u)"
SET_GID="$(id -g)"
fi
env -i \ env -i \
DISPLAY="$DISPLAY" \
TERM="$TERM" \ TERM="$TERM" \
USER="$USER" \ USER="suttier" \
HOME="/home/suttier" \ HOME="/home/suttier" \
HAIN_ENV=true \ HAIN_ENV=true \
RAILS_ENV="${RAILS_ENV:-development}" \ RAILS_ENV="${RAILS_ENV:-development}" \
JEKYLL_ENV="${JEKYLL_ENV:-development}" \ JEKYLL_ENV="${JEKYLL_ENV:-development}" \
$(test -f "$ENV_FILE" && (grep -v '^#' "$ENV_FILE" | xargs -0) || true) \
EDITOR="nano" \ EDITOR="nano" \
PAGER="less -niSFX" \ PAGER="less -niSFX" \
SSH_AUTH_SOCK="${SSH_AUTH_SOCK}" \
bwrap \ bwrap \
--die-with-parent \ --die-with-parent \
--unshare-user-try \ --unshare-user \
--uid "$SET_UID" \
--gid "$SET_GID" \
--unshare-ipc \ --unshare-ipc \
--unshare-uts \ --unshare-uts \
--unshare-cgroup-try \ --unshare-cgroup-try \
--bind "$ENTORNO" / \ --bind "$ENTORNO" / \
--bind "$ROOT" /Sutty \ --bind "$ROOT" /Sutty \
$(test -f ~/.Xauthority && echo "--ro-bind $HOME/.Xauthority /home/suttier/.Xauthority") \
--ro-bind /etc/hosts /etc/hosts \ --ro-bind /etc/hosts /etc/hosts \
--ro-bind /etc/passwd /etc/passwd \
--ro-bind /etc/group /etc/group \
--ro-bind /etc/resolv.conf /etc/resolv.conf \ --ro-bind /etc/resolv.conf /etc/resolv.conf \
--ro-bind /etc/localtime /etc/localtime \ --ro-bind /etc/localtime /etc/localtime \
--dev-bind /dev /dev \ --dev-bind /dev /dev \
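
Review bot: the unquoted `$(test -f "$ENV_FILE" && (grep -v '^#' "$ENV_FILE" | xargs -0) || true)` expands into the argument list of `env -i`, where the shell word-splits and globs it. A value containing a space, such as `FOO=a b`, leaves `b` as the first non-assignment argument, and `env` then treats it as the command to run, with `bwrap` and its flags demoted to that command's arguments. The contents of `ENV_FILE` can therefore replace the sandbox invocation. Suggest reading the file line by line, accepting only lines that match `NAME=value`, and passing each one as a single quoted argument. Separately, forwarding `DISPLAY` together with the `.Xauthority` bind lets every process in the environment talk to the host X session; consider making it opt-in. The `--ro-bind $HOME/.Xauthority` string also splits if `$HOME` contains a space.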
@ -106,7 +119,7 @@ generar_certificado() {
-keyout $domain_key -out $domain_csr \ -keyout $domain_key -out $domain_csr \
-subj '/C=AR/ST=Ninguno/L=Interdimension/O=Sutty-Local/CN=sutty.local'" -subj '/C=AR/ST=Ninguno/L=Interdimension/O=Sutty-Local/CN=sutty.local'"
correr "openssl x509 -req -sha256 -days 3650 \ correr "openssl x509 -req -sha256 -days 3650 \
-in $domain_csr -CA $ca_crt.pem -CAkey $ca_key \ -in $domain_csr -CA $ca_crt -CAkey $ca_key \
-CAcreateserial -extfile /Sutty/haini.sh/domains.ext -out $domain_crt" -CAcreateserial -extfile /Sutty/haini.sh/domains.ext -out $domain_crt"
rm "$ENTORNO$ca_crt.pem" rm "$ENTORNO$ca_crt.pem"
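
Review bot: the trailing `rm "$ENTORNO$ca_crt.pem"` still names the `.pem` path that the `-CA` argument no longer uses. If nothing else creates that file the `rm` fails, and if the line was meant to clean up CA material it now points at the wrong file. Please make the two agree, and confirm what happens to `$ca_key` afterwards, since this CA certificate is moved into `/usr/local/share/ca-certificates` by `crear_entorno`.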
@ -169,6 +182,22 @@ crear_entorno() {
&& mv "$ENTORNO$HOME" "$ENTORNO/home/suttier" && mv "$ENTORNO$HOME" "$ENTORNO/home/suttier"
mkdir -p "$ENTORNO/home/suttier" mkdir -p "$ENTORNO/home/suttier"
if ! grep ^suttier: "$ENTORNO/etc/group" >/dev/null 2>&1 ; then
AS_ROOT=true correr "addgroup \
-g $(id -g) \
suttier"
fi
if ! correr "id suttier" >/dev/null 2>&1 ; then
AS_ROOT=true correr "adduser \
--disabled-password \
--gecos '' \
--home /home/suttier \
--no-create-home \
--uid $(id -u) \
--ingroup suttier \
suttier"
fi
# Configurar rubygems para que descargue las gemas desde Sutty # Configurar rubygems para que descargue las gemas desde Sutty
install -m 640 "$DIR/.gemrc" "$ENTORNO/home/suttier/.gemrc" install -m 640 "$DIR/.gemrc" "$ENTORNO/home/suttier/.gemrc"
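
Review bot: both guards are keyed on the name `suttier` only, while the ids come from the host's `id -g` and `id -u` at creation time. An environment that already has a `suttier` entry, for example one created by another host user or copied between machines, keeps the old uid and gid, and `correr` then enters with `--uid "$SET_UID"` from the current host user, which no longer matches the passwd entry or the ownership of `/home/suttier`. `adduser --uid $(id -u)` will also fail if that uid is already taken by another account inside the environment. Suggest comparing the existing uid and gid with the host values and fixing or reporting a mismatch.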
@ -180,10 +209,37 @@ crear_entorno() {
install -m 755 "$script" "$ENTORNO/usr/local/bin/${script##*/}" install -m 755 "$script" "$ENTORNO/usr/local/bin/${script##*/}"
done done
# Configurar SSH
install -m 700 -d "$ENTORNO/home/suttier/.ssh"
install -m 644 "$DIR/ssh/known_hosts" "$ENTORNO/home/suttier/.ssh/known_hosts"
test -f "$ENTORNO/etc/ssl/certs/sutty.local.crt" || generar_certificado test -f "$ENTORNO/etc/ssl/certs/sutty.local.crt" || generar_certificado
test -f "$ENTORNO/usr/local/share/ca-certificates/ca-sutty.crt" || mv "$ENTORNO/etc/ssl/certs/ca-sutty.crt" "$ENTORNO/usr/local/share/ca-certificates/ca-sutty.crt" test -f "$ENTORNO/usr/local/share/ca-certificates/ca-sutty.crt" || mv "$ENTORNO/etc/ssl/certs/ca-sutty.crt" "$ENTORNO/usr/local/share/ca-certificates/ca-sutty.crt"
} }
# Auto-actualizar una vez por hora
actualizar() {
test ! "$TERM" = "dumb" || return
last_update="$(find "$DIR/.git/FETCH_HEAD" -mmin +60 | wc -l)"
if test ! $last_update -ne 0; then
return
fi
echo -n "Actualizando haini.sh... " >&2
if ping -q -c 1 0xacab.org >/dev/null 2>&1; then
git -C "$DIR" pull --ff-only
if test "$DIR/.git/FETCH_HEAD" -ot "$DIR/.git/ORIG_HEAD"; then
echo "haini.sh se actualizó, por favor volvé a ejecutar el comando" >&2
exit 0
fi
else
echo "no se pudo conectar 0xacab.org, intentando la próxima vez." >&2
fi
}
DEFAULT="sh" DEFAULT="sh"
case $1 in case $1 in
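
Review bot: `actualizar` runs `git -C "$DIR" pull --ff-only` and the updated script is what the user executes next, including the `sudo sysctl` path and access to their SSH agent, yet nothing checks who authored the fetched commits. Suggest `git pull --ff-only --verify-signatures` against a known set of maintainer keys, or at least printing the incoming commit range before asking the user to re-run. Two logic points in the same function: a clone that has never fetched has no `.git/FETCH_HEAD`, so `find` reports 0 lines and the function returns without ever updating; and `exit 0` after an update reports success to a calling script even though the requested command did not run, so a distinct non-zero status would be safer. Using `ping` as the reachability test also skips updates on networks that drop ICMP.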
@ -203,6 +259,23 @@ esac
if test "$HAIN_ENV"; then if test "$HAIN_ENV"; then
${*:-$DEFAULT} ${*:-$DEFAULT}
else else
crear_entorno if test -z "${SSH_AUTH_SOCK}"; then
stdin=/dev/stdin correr "${*:-$DEFAULT}" if ! type ssh-agent >/dev/null 2>&1 ; then
echo "Instala ssh-agent para poder trabajar con git remoto dentro de haini.sh" >&2
else
SSH_ADHOC=true
echo "Iniciando un ssh-agent temporal." >&2
eval "$(ssh-agent)"
ssh-add
fi
fi
actualizar
crear_entorno
stdin="$(test "$TERM" = "dumb" || echo "/dev/stdin")" correr "${*:-$DEFAULT}" ; salida=$?
${SSH_ADHOC} && ssh-agent -k
exit $salida
fi fi
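
Review bot: the temporary agent is started before `actualizar`, and `actualizar` can `exit 0` after an update, which skips `${SSH_ADHOC} && ssh-agent -k`; the same happens when the script is interrupted by a signal. In both cases an agent with the user's keys loaded keeps running. Suggest registering the cleanup right after `eval "$(ssh-agent)"`, for example `trap 'ssh-agent -k >/dev/null' EXIT INT TERM`, and keeping `salida=$?` for the exit status. Since `SSH_AUTH_SOCK` is handed to everything that runs inside the environment, consider `ssh-add -t` with a lifetime, or `ssh-add -c` for confirmation, on the ad hoc agent.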

View file

@ -9,6 +9,10 @@ server {
add_header Cache-Control "no-store; max-age=0"; add_header Cache-Control "no-store; max-age=0";
location ~ /../assets/js/pack.js {
rewrite ^ /assets/js/pack.js last;
}
location /assets/js/pack.js { location /assets/js/pack.js {
proxy_pass http://127.0.0.1:65001; proxy_pass http://127.0.0.1:65001;
} }
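
Review bot: in `location ~ /../assets/js/pack.js` the pattern is an unanchored regex and every `.` is a wildcard, so `/../` matches any two characters and the block also catches paths such as `/x/yz/assets/js/packXjs/extra`. If the prefix is meant to be a two-letter language code, suggest `location ~ ^/[a-z][a-z]/assets/js/pack\.js$` so that only the localized pack path is rewritten.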
@ -23,3 +27,5 @@ server {
proxy_pass http://127.0.0.1:65001; proxy_pass http://127.0.0.1:65001;
} }
} }
include /Sutty/*-jekyll-theme/_nginx.conf;
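
Review bot: `include /Sutty/*-jekyll-theme/_nginx.conf;` sits after the closing brace of the `server` block and loads a file from every theme checkout under `/Sutty`, so content pulled from any theme repository becomes nginx configuration at that outer level, and a syntax error in one of them stops nginx for all sites. Suggest including it inside the `server` block if only `location` rules are intended, and running `nginx -t` before starting so that a broken theme file is reported by name.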

View file

@ -4,6 +4,7 @@ ffmpeg
file file
git git
git-lfs git-lfs
jpegoptim
less less
libssh2 libssh2
libxml2 libxml2
@ -14,7 +15,10 @@ nano-syntax
ncurses-terminfo ncurses-terminfo
nginx nginx
nodejs nodejs
npm
openssh-client
openssl openssl
oxipng
postgresql postgresql
postgresql-contrib postgresql-contrib
postgresql-libs postgresql-libs

3
ssh/known_hosts Normal file
View file

@ -0,0 +1,3 @@
0xacab.org,198.252.153.239 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKdh69MJNIA4hZNdplalK1BOD4QZEKn8msMwsEzA7nrr
athshe.sutty.nl,172.96.172.58 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIDqJl9IW6WXAxrtZXMzvMnIpTjIZB+Tp+dDUpSaOrqdjqdMVjHVQSFnVh0MLHbvdjKKtxaKDAuT3JXGrSp8wyA=
anarres.sutty.nl,54.39.161.205 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGw9aXovdiR44WzGfaitjlGiAO7I5OP/XgxFEc+t6HWeS0oqIVaEo17y7j29hLZbTRpN8vWoGSMa+UtquQZ6JG8=
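
Review bot: `crear_entorno` copies this file over `/home/suttier/.ssh/known_hosts` with `install -m 644` on every run, so any host key a user accepts inside the environment is discarded on the next invocation and they are prompted again each session, which trains people to accept prompts without checking. Suggest installing these pinned entries as the system-wide `/etc/ssh/ssh_known_hosts` inside the environment and leaving the per-user file alone. The entries also pin literal IP addresses next to the hostnames, so a server move produces host-key warnings until this file is updated; a comment stating where the fingerprints were verified would help whoever has to rotate them.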