| author | Thomas Vanbesien <tvanbesi@proton.me> | 2026-06-04 17:25:34 +0200 |
|---|---|---|
| committer | Thomas Vanbesien <tvanbesi@proton.me> | 2026-06-04 17:25:34 +0200 |
| commit | f87b35613f82e66b3854747ef6952dedc0674213 (patch) | |
| tree | 0ae4244105e89a47d967a0ca1cab24c6f01e3819 /tools | |
| parent | 8511f9d5c5d37f66239b571cf2a2b19c97705edf (diff) | |
| download | net_services-f87b35613f82e66b3854747ef6952dedc0674213.tar.gz net_services-f87b35613f82e66b3854747ef6952dedc0674213.zip | |
misc: add git user setup, move TLS folder, nginx don't use cmd.bash
Diffstat (limited to 'tools')
| -rwxr-xr-x | tools/net_services | 105 |
1 files changed, 79 insertions, 26 deletions
diff --git a/tools/net_services b/tools/net_services
index 64a4fb5..9652948 100755
--- a/tools/net_services
+++ b/tools/net_services
@@ -4,13 +4,68 @@ set -euo pipefail script_dir="$(dirname "$(realpath "$0")")" root_dir="$(realpath "$script_dir/..")" -env_file="$script_dir/../.env" -if ! [[ -r "$env_file" ]]; then - echo "$env_file is missing" >&2 - exit 1 -fi -# shellcheck disable=1090 -source "$env_file" +# generate_self_signed_cert <domain> <crt_dst> <key_dst> [<subdomains>...] +_generate_self_signed_cert() { + local crt_dst=${1:?missing crt_dst argument} + local key_dst=${2:?missing key_dst argument} + local domain=${3:?missing domain argument} + shift 3 + local -a subdomains=("$@") + mkcert -install + mkcert -cert-file "$crt_dst" -key-file "$key_dst" "${subdomains[@]/%/.$domain}" "$domain" +} + +# _generate_ovh_cert ovh_api_creds.ini example.com www dav sftp +_generate_ovh_cert() { + ini="${1:?missing ini argument}" + domain="${2:?missing domain argument}" + shift 2 + subdomains=("$@") + + shopt -s patsub_replacement + # Certificates are stored in `/etc/letsencrypt` by default + # shellcheck disable=SC2068 + sudo certbot certonly \ + --non-interactive \ + --expand \ + --dns-ovh \ + --dns-ovh-credentials "$ini" \ + --dns-ovh-propagation-seconds 60 \ + --domain "$domain" \ + ${subdomains[@]/*/--domain &."$domain"} +} + +setup_ssh_git_user() { + repo_folder="${1:-/home/git/git}" + + if ! id git &>/dev/null; then + sudo useradd --create-home git + fi + sudo usermod --shell "$(command -v git-shell)" git + + sudo mkdir --parent --mode 0755 /home/git/{git-shell-commands,.ssh} + sudo chown --recursive git /home/git + sudo mkdir --parent --mode 0755 "$repo_folder" + sudo chown --recursive git "$repo_folder" + + echo " +Match User git + PasswordAuthentication no + PubkeyAuthentication yes +" | sudo tee /etc/ssh/sshd_config.d/50-git-user.conf >/dev/null + + sudo systemctl restart sshd +} + +source_env() { + env_file="$script_dir/../.env" + if ! 
[[ -r "$env_file" ]]; then + echo "$env_file is missing" >&2 + exit 1 + fi + # shellcheck disable=1090 + source "$env_file" +} init() { for service in nginx radicale; do @@ -31,26 +86,22 @@ init() { mkdir --parents "$dir" done - # generate_self_signed_cert <domain> <crt_dst> <key_dst> [<subdomains>...] - generate_self_signed_cert() { - local crt_dst=${1:?missing crt_dst argument} - local key_dst=${2:?missing key_dst argument} - local domain=${3:?missing domain argument} - shift 3 - local -a subdomains=("$@") - mkcert -install - mkcert -cert-file "$crt_dst" -key-file "$key_dst" "${subdomains[@]/%/.$domain}" "$domain" - } local crt_file="$HOST__SECRET_DIR/server.crt" local key_file="$HOST__SECRET_DIR/server.key" - if ! [[ -e "$crt_file" && -e "$key_file" ]]; then - echo "$crt_file or $key_file missing" - read -rn 1 -p "Create? (y/n)" input - echo - if [[ $input == y ]]; then - generate_self_signed_cert "$crt_file" "$key_file" "$NGINX__HOST" www git sync dav - fi - fi + local -a subdomains=(www dav git sync) + echo "Generate/renew TLS certificate?" + select choice in OVH self-signed no; do + case $choice in + OVH) + read -rep "Enter path (relative or absolute) to your OVH API credentials:" ovh_api_creds_file + _generate_ovh_cert "$ovh_api_creds_file" "$NGINX__HOST" "${subdomains[@]}" + sudo ln --symbolic --relative --force "/etc/letsencrypt/live/$NGINX__HOST/fullchain.pem" /etc/letsencrypt/server.crt + sudo ln --symbolic --relative --force "/etc/letsencrypt/live/$NGINX__HOST/privkey.pem" /etc/letsencrypt/server.key + ;; + self-signed) _generate_self_signed_cert "$crt_file" "$key_file" "$NGINX__HOST" "${subdomains[@]}" ;; + esac + break + done if ! [[ -e "$HOST__RADICALE_USERS_DIR/.htpasswd" ]]; then read -rp "Initial Radicale username: " username 
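Review bot: In `setup_ssh_git_user`, `sudo usermod --shell "$(command -v git-shell)" git` passes an empty string when git-shell is not installed, because a failing command substitution inside an argument does not trip `set -e`, and an empty shell field in passwd falls back to `/bin/sh`, so the account meant to be restricted to git-shell would silently get a full shell. Resolve the shell first and abort when it is missing, as in the fence below, and validate the new drop-in with `sudo sshd -t` before `systemctl restart sshd` so a typo cannot leave sshd unable to start. Since the account is git-only, the `Match User git` block could also set `AllowTcpForwarding no`, `AllowAgentForwarding no` and `X11Forwarding no`. Separately, `ini`, `domain` and `subdomains` in `_generate_ovh_cert`, `repo_folder` here and `env_file` in `source_env` are assigned without `local`, and `shopt -s patsub_replacement` stays enabled for the rest of the script; the header comment on `_generate_self_signed_cert` also lists `<domain>` first while the function reads it as `$3`.
```shell
setup_ssh_git_user() {
  local repo_folder="${1:-/home/git/git}"
  local git_shell
  git_shell=$(command -v git-shell) || { echo "git-shell is not installed" >&2; return 1; }
  # … unchanged: useradd when the account is absent …
  sudo usermod --shell "$git_shell" git
  # … unchanged: directory creation and ownership …
  printf '%s\n' \
    'Match User git' \
    '    PasswordAuthentication no' \
    '    PubkeyAuthentication yes' \
    '    AllowTcpForwarding no' \
    '    AllowAgentForwarding no' \
    '    X11Forwarding no' \
    | sudo tee /etc/ssh/sshd_config.d/50-git-user.conf >/dev/null

  sudo sshd -t
  sudo systemctl restart sshd
}
```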
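Review bot: The two `select` branches leave the certificate in different places: `self-signed` writes `$crt_file`/`$key_file` under `$HOST__SECRET_DIR`, while `OVH` links the Let's Encrypt files to `/etc/letsencrypt/server.crt` and `server.key`, so unless `HOST__SECRET_DIR` is `/etc/letsencrypt` (set in `.env`, outside this diff) the OVH certificate never lands where the self-signed one does; pointing the two `ln` calls at `"$crt_file"` and `"$key_file"` would keep both paths consistent. The removed existence check is gone as well and `--force` overwrites any previous links, so an accidental OVH run replaces a working certificate; prompting only when the files are absent, or confirming before `ln --force`, would restore that guard. An answer other than 1–3 leaves `$choice` empty, matches no arm and `break`s silently; an explicit `no) ;;` arm followed by `*) continue ;;` re-prompts instead. The path read into `ovh_api_creds_file` is handed to root via `sudo certbot`, and certbot expects DNS-plugin credential files to be readable only by their owner, which the prompt could say; `ovh_api_creds_file` is also assigned without `local`. `init` starts and ends outside this hunk.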
@@ -67,10 +118,12 @@ init() { cp_if_absent "$root_dir/services/cgit/examples/commit-filter.sh" "$HOST__CGIT_FILTER_DIR/commit-filter.sh" } +source_env case ${1:-} in init) init ;; +git) setup_ssh_git_user ;; *) - echo "usage: net_services init" + echo "usage: net_services init|git" exit 1 ;; esac |
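Review bot: The usage message in the `*)` arm goes to stdout while the script exits 1; send it to stderr, `echo "usage: net_services init|git" >&2`, so callers do not capture it as output. `git) setup_ssh_git_user ;;` drops any further argument, so the `${1:-/home/git/git}` default in `setup_ssh_git_user` can never be overridden from the command line; `git) setup_ssh_git_user "${2:-}" ;;` would expose it, and the usage line could then mention the optional path. `source_env` now runs before the dispatch, so a missing `.env` also blocks `git`, although `setup_ssh_git_user` does not appear to read any `.env` variable.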
