diff --git a/config/helper.sh b/config/helper.sh deleted file mode 100755 index 131c323f..00000000 --- a/config/helper.sh +++ /dev/null @@ -1,88 +0,0 @@ -#!/bin/sh - -set -eu - -need_api_key() { - before=$(cat "$CONFIG") - # shellcheck disable=SC2016 - after=$(envsubst '$API_KEY' < "$CONFIG") - - if [ "$before" = "$after" ]; then - exit 1 - fi - exit 0 -} - -set_api_key() { - # if we can't set the key, the user will take care of it - API_KEY="" - ret=0 - - if command -v cscli >/dev/null; then - echo "cscli/crowdsec is present, generating API key" >&2 - unique=$(date +%s) - bouncer_id="$BOUNCER_PREFIX-$unique" - API_KEY=$(cscli -oraw bouncers add "$bouncer_id") - if [ $? -eq 1 ]; then - echo "failed to create API key" >&2 - ret=1 - else - echo "API Key successfully created" >&2 - echo "$bouncer_id" > "$CONFIG.id" - fi - else - echo "cscli/crowdsec is not present, please set the API key manually" >&2 - ret=1 - fi - - ( - umask 077 - # can't use redirection while overwriting a file - before=$(cat "$CONFIG") - # shellcheck disable=SC2016 - echo "$before" | API_KEY="$API_KEY" envsubst '$API_KEY' > "$CONFIG" - ) - - exit "$ret" -} - -set_local_port() { - command -v cscli >/dev/null || return 0 - PORT=$(cscli config show --key "Config.API.Server.ListenURI" | cut -d ":" -f2) - if [ "$PORT" != "" ]; then - sed -i "s/localhost:8080/127.0.0.1:$PORT/g" "$CONFIG" - sed -i "s/127.0.0.1:8080/127.0.0.1:$PORT/g" "$CONFIG" - fi -} - -cmd=$1 -shift -CONFIG=$1 -if [ "$CONFIG" = "" ]; then - echo "missing config file" >&2 - exit 1 -fi -shift - -case "$cmd" in - need-api-key) - need_api_key - ;; - set-api-key) - BOUNCER_PREFIX=$1 - shift - if [ "$BOUNCER_PREFIX" = "" ]; then - echo "missing bouncer prefix" >&2 - exit 1 - fi - set_api_key - ;; - set-local-port) - set_local_port - ;; - *) - echo "This script is not meant to be called directly." >&2 - exit 1 ;; -esac - -exit 0 diff --git a/debian/control b/debian/control index 8ef551a0..a6616eac 100644 --- a/debian/control 
+++ b/debian/control @@ -8,6 +8,8 @@ Description: Firewall bouncer for Crowdsec (iptables+ipset) Depends: iptables, ipset, gettext-base Replaces: crowdsec-firewall-bouncer Conflicts: crowdsec-firewall-bouncer-nftables +Section: admin +Priority: optional Package: crowdsec-firewall-bouncer-nftables Architecture: any @@ -15,3 +17,5 @@ Description: Firewall bouncer for Crowdsec (nftables) Depends: nftables, gettext-base Replaces: crowdsec-firewall-bouncer Conflicts: crowdsec-firewall-bouncer-iptables +Section: admin +Priority: optional diff --git a/debian/crowdsec-firewall-bouncer-iptables.postinst b/debian/crowdsec-firewall-bouncer-iptables.postinst index cafe1efc..55548d64 100755 --- a/debian/crowdsec-firewall-bouncer-iptables.postinst +++ b/debian/crowdsec-firewall-bouncer-iptables.postinst @@ -3,15 +3,15 @@ systemctl daemon-reload BOUNCER="crowdsec-firewall-bouncer" -CONFIG="/etc/crowdsec/bouncers/$BOUNCER.yaml" -SERVICE="$BOUNCER.service" +BOUNCER_PREFIX="FirewallBouncer" -helper="/usr/lib/$DPKG_MAINTSCRIPT_PACKAGE/helper.sh" +#shellcheck source=./scripts/_bouncer.sh +. "/usr/lib/$DPKG_MAINTSCRIPT_PACKAGE/_bouncer.sh" START=1 if [ "$1" = "configure" ]; then - if $helper need-api-key "$CONFIG"; then - if ! $helper set-api-key "$CONFIG" "FirewallBouncer"; then + if need_api_key; then + if ! set_api_key; then START=0 fi fi @@ -19,7 +19,7 @@ fi systemctl --quiet is-enabled "$SERVICE" || systemctl unmask "$SERVICE" && systemctl enable "$SERVICE" -$helper set-local-port "$CONFIG" +set_local_port if [ "$START" -eq 0 ]; then echo "no api key was generated, you can generate one on your LAPI server by running 'cscli bouncers add ' and add it to '$CONFIG'" >&2 diff --git a/debian/crowdsec-firewall-bouncer-iptables.postrm b/debian/crowdsec-firewall-bouncer-iptables.postrm deleted file mode 100644 index 277c170c..00000000 --- a/debian/crowdsec-firewall-bouncer-iptables.postrm +++ /dev/null 
@@ -1,14 +0,0 @@ -#!/bin/sh - -set -e - -BOUNCER="crowdsec-firewall-bouncer" -CONFIG="/etc/crowdsec/bouncers/$BOUNCER.yaml" - -if [ "$1" = "purge" ]; then - if [ -f "$CONFIG.id" ]; then - bouncer_id=$(cat "$CONFIG.id") - cscli -oraw bouncers delete "$bouncer_id" 2>/dev/null || true - rm -f "$CONFIG.id" - fi -fi diff --git a/debian/crowdsec-firewall-bouncer-iptables.prerm b/debian/crowdsec-firewall-bouncer-iptables.prerm index 798f7092..0284a709 100644 --- a/debian/crowdsec-firewall-bouncer-iptables.prerm +++ b/debian/crowdsec-firewall-bouncer-iptables.prerm @@ -1,4 +1,15 @@ #!/bin/sh -systemctl stop crowdsec-firewall-bouncer || echo "cannot stop service" -systemctl disable crowdsec-firewall-bouncer || echo "cannot disable service" +set -eu + +BOUNCER="crowdsec-firewall-bouncer" + +#shellcheck source=./scripts/_bouncer.sh +. "/usr/lib/$DPKG_MAINTSCRIPT_PACKAGE/_bouncer.sh" + +systemctl stop "$SERVICE" || echo "cannot stop service" +systemctl disable "$SERVICE" || echo "cannot disable service" + +if [ "$1" = "purge" ]; then + delete_bouncer +fi diff --git a/debian/crowdsec-firewall-bouncer-nftables.postinst b/debian/crowdsec-firewall-bouncer-nftables.postinst index cafe1efc..55548d64 100755 --- a/debian/crowdsec-firewall-bouncer-nftables.postinst +++ b/debian/crowdsec-firewall-bouncer-nftables.postinst @@ -3,15 +3,15 @@ systemctl daemon-reload BOUNCER="crowdsec-firewall-bouncer" -CONFIG="/etc/crowdsec/bouncers/$BOUNCER.yaml" -SERVICE="$BOUNCER.service" +BOUNCER_PREFIX="FirewallBouncer" -helper="/usr/lib/$DPKG_MAINTSCRIPT_PACKAGE/helper.sh" +#shellcheck source=./scripts/_bouncer.sh +. "/usr/lib/$DPKG_MAINTSCRIPT_PACKAGE/_bouncer.sh" START=1 if [ "$1" = "configure" ]; then - if $helper need-api-key "$CONFIG"; then - if ! $helper set-api-key "$CONFIG" "FirewallBouncer"; then + if need_api_key; then + if ! set_api_key; then START=0 fi fi 
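Review bot: The new `delete_bouncer` call in the iptables prerm is guarded by `[ "$1" = "purge" ]`, but dpkg never passes `purge` to a prerm (it receives `remove`, `upgrade`, `deconfigure` or `failed-upgrade`); `purge` is a postrm argument, and this commit deletes the postrm that used to handle it. As written, the LAPI bouncer registration and `$CONFIG.id` are left behind on `apt purge`, so the deregistration this refactor was meant to keep is silently lost. Since the package's `/usr/lib/$DPKG_MAINTSCRIPT_PACKAGE/_bouncer.sh` is, if I read the dpkg sequence right, already gone by the time postrm runs for purge, the practical fix is `if [ "$1" = "remove" ]; then` here, or a standalone postrm that does not depend on the library. The nftables prerm in the next hunk has the same guard and needs the same change.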
@@ -19,7 +19,7 @@ fi systemctl --quiet is-enabled "$SERVICE" || systemctl unmask "$SERVICE" && systemctl enable "$SERVICE" -$helper set-local-port "$CONFIG" +set_local_port if [ "$START" -eq 0 ]; then echo "no api key was generated, you can generate one on your LAPI server by running 'cscli bouncers add ' and add it to '$CONFIG'" >&2 diff --git a/debian/crowdsec-firewall-bouncer-nftables.postrm b/debian/crowdsec-firewall-bouncer-nftables.postrm deleted file mode 100644 index 277c170c..00000000 --- a/debian/crowdsec-firewall-bouncer-nftables.postrm +++ /dev/null @@ -1,14 +0,0 @@ -#!/bin/sh - -set -e - -BOUNCER="crowdsec-firewall-bouncer" -CONFIG="/etc/crowdsec/bouncers/$BOUNCER.yaml" - -if [ "$1" = "purge" ]; then - if [ -f "$CONFIG.id" ]; then - bouncer_id=$(cat "$CONFIG.id") - cscli -oraw bouncers delete "$bouncer_id" 2>/dev/null || true - rm -f "$CONFIG.id" - fi -fi diff --git a/debian/crowdsec-firewall-bouncer-nftables.prerm b/debian/crowdsec-firewall-bouncer-nftables.prerm index 798f7092..0284a709 100644 --- a/debian/crowdsec-firewall-bouncer-nftables.prerm +++ b/debian/crowdsec-firewall-bouncer-nftables.prerm @@ -1,4 +1,15 @@ #!/bin/sh -systemctl stop crowdsec-firewall-bouncer || echo "cannot stop service" -systemctl disable crowdsec-firewall-bouncer || echo "cannot disable service" +set -eu + +BOUNCER="crowdsec-firewall-bouncer" + +#shellcheck source=./scripts/_bouncer.sh +. "/usr/lib/$DPKG_MAINTSCRIPT_PACKAGE/_bouncer.sh" + +systemctl stop "$SERVICE" || echo "cannot stop service" +systemctl disable "$SERVICE" || echo "cannot disable service" + +if [ "$1" = "purge" ]; then + delete_bouncer +fi diff --git a/debian/rules b/debian/rules index 1eebbd4c..369ce652 100755 --- a/debian/rules +++ b/debian/rules 
@@ -18,7 +18,7 @@ override_dh_auto_install: for BACKEND in iptables nftables; do \ PKG="$$BOUNCER-$$BACKEND"; \ install -D -m 0755 $$BOUNCER -t "debian/$$PKG/usr/bin/"; \ - install -D -m 0700 config/helper.sh -t "debian/$$PKG/usr/lib/$$PKG/"; \ + install -D -m 0600 scripts/_bouncer.sh -t "debian/$$PKG/usr/lib/$$PKG/"; \ BACKEND=$$BACKEND envsubst '$$BACKEND' < config/$$BOUNCER.yaml | install -D -m 0600 /dev/stdin "debian/$$PKG/etc/crowdsec/bouncers/$$BOUNCER.yaml"; \ BIN="/usr/bin/$$BOUNCER" CFG="/etc/crowdsec/bouncers" envsubst '$$BIN $$CFG' < "config/$$BOUNCER.service" | install -D -m 0644 /dev/stdin "debian/$$PKG/etc/systemd/system/$$BOUNCER.service"; \ done diff --git a/rpm/SPECS/crowdsec-firewall-bouncer.spec b/rpm/SPECS/crowdsec-firewall-bouncer.spec index 9a6309de..362fe15a 100644 --- a/rpm/SPECS/crowdsec-firewall-bouncer.spec +++ b/rpm/SPECS/crowdsec-firewall-bouncer.spec @@ -38,7 +38,7 @@ mkdir -p %{buildroot}/etc/crowdsec/bouncers/ install -m 600 config/%{name}.yaml %{buildroot}/etc/crowdsec/bouncers/%{name}.yaml mkdir -p %{buildroot}/usr/lib/%{name}/ -install -m 700 config/helper.sh %{buildroot}/usr/lib/%{name}/helper.sh +install -m 600 scripts/_bouncer.sh %{buildroot}/usr/lib/%{name}/_bouncer.sh mkdir -p %{buildroot}%{_unitdir}/ BIN=%{_bindir}/%{name} CFG=/etc/crowdsec/bouncers/ envsubst '$BIN $CFG' < config/%{name}.service | install -m 0644 /dev/stdin %{buildroot}%{_unitdir}/%{name}.service @@ -62,7 +62,7 @@ rm -rf %{buildroot} %files -n crowdsec-firewall-bouncer-iptables %defattr(-,root,root,-) /usr/bin/%{name} -/usr/lib/%{name}/helper.sh +/usr/lib/%{name}/_bouncer.sh %{_unitdir}/%{name}.service %config(noreplace) /etc/crowdsec/bouncers/%{name}.yaml %config(noreplace) %{_presetdir}/80-crowdsec-firewall-bouncer.preset 
@@ -71,10 +71,9 @@ rm -rf %{buildroot} systemctl daemon-reload BOUNCER="crowdsec-firewall-bouncer" -CONFIG="/etc/crowdsec/bouncers/$BOUNCER.yaml" -SERVICE="$BOUNCER.service" +BOUNCER_PREFIX="FirewallBouncer" -helper="/usr/lib/%{name}/helper.sh" +. /usr/lib/%{name}/_bouncer.sh START=1 if grep -q '${BACKEND}' "$CONFIG"; then @@ -83,8 +82,8 @@ if grep -q '${BACKEND}' "$CONFIG"; then fi if [ "$1" = "1" ]; then - if $helper need-api-key "$CONFIG"; then - if ! $helper set-api-key "$CONFIG" "FirewallBouncer"; then + if need_api_key; then + if ! set_api_key; then START=0 fi fi @@ -92,7 +91,7 @@ fi %systemd_post crowdsec-firewall-bouncer.service -$helper set-local-port "$CONFIG" +set_local_port if [ "$START" -eq 0 ]; then echo "no api key was generated, won't start the service" >&2 @@ -104,26 +103,20 @@ else fi %preun -p /usr/bin/sh -n crowdsec-firewall-bouncer-iptables +BOUNCER="crowdsec-firewall-bouncer" +. /usr/lib/%{name}/_bouncer.sh + if [ "$1" = "0" ]; then - systemctl stop crowdsec-firewall-bouncer || echo "cannot stop service" - systemctl disable crowdsec-firewall-bouncer || echo "cannot disable service" + systemctl stop "$SERVICE" || echo "cannot stop service" + systemctl disable "$SERVICE" || echo "cannot disable service" + delete_bouncer fi %postun -p /usr/bin/sh -n crowdsec-firewall-bouncer-iptables -BOUNCER="crowdsec-firewall-bouncer" -CONFIG="/etc/crowdsec/bouncers/$BOUNCER.yaml" - -if [ "$1" == "0" ]; then - if [ -f "$CONFIG.id" ]; then - bouncer_id=$(cat "$CONFIG.id") - cscli -oraw bouncers delete "$bouncer_id" 2>/dev/null || true - rm -f "$CONFIG.id" - fi -else +if [ "$1" = "1" ]; then systemctl restart crowdsec-firewall-bouncer || echo "cannot restart service" fi - # ------------------------------------ # nftables # ------------------------------------ 
@@ -137,7 +130,7 @@ Requires: nftables,gettext %files -n crowdsec-firewall-bouncer-nftables %defattr(-,root,root,-) /usr/bin/%{name} -/usr/lib/%{name}/helper.sh +/usr/lib/%{name}/_bouncer.sh %{_unitdir}/%{name}.service %config(noreplace) /etc/crowdsec/bouncers/%{name}.yaml %config(noreplace) %{_presetdir}/80-crowdsec-firewall-bouncer.preset @@ -146,10 +139,9 @@ Requires: nftables,gettext systemctl daemon-reload BOUNCER="crowdsec-firewall-bouncer" -CONFIG="/etc/crowdsec/bouncers/$BOUNCER.yaml" -SERVICE="$BOUNCER.service" +BOUNCER_PREFIX="FirewallBouncer" -helper="/usr/lib/%{name}/helper.sh" +. /usr/lib/%{name}/_bouncer.sh START=1 if grep -q '${BACKEND}' "$CONFIG"; then @@ -158,8 +150,8 @@ if grep -q '${BACKEND}' "$CONFIG"; then fi if [ "$1" = "1" ]; then - if $helper need-api-key "$CONFIG"; then - if ! $helper set-api-key "$CONFIG" "FirewallBouncer"; then + if need_api_key; then + if ! set_api_key; then START=0 fi fi @@ -167,10 +159,10 @@ fi %systemd_post crowdsec-firewall-bouncer.service -$helper set-local-port "$CONFIG" +set_local_port if [ "$START" -eq 0 ]; then - echo "no api key was generated, won't start the service" >&2 + echo "no api key was generated, you can generate one on your LAPI Server by running 'cscli bouncers add ' and add it to '/etc/crowdsec/bouncers/$BOUNCER.yaml'" >&2 else %if 0%{?fc35} systemctl enable "$SERVICE" 
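Review bot: The rewritten "no api key was generated" message in the nftables %post hard-codes `/etc/crowdsec/bouncers/$BOUNCER.yaml` even though the scriptlet now sources `_bouncer.sh`, which defines `$CONFIG` for exactly this path, and the iptables %post in the earlier hunk keeps the shorter "won't start the service" wording for the same situation. Using `'$CONFIG'` in the message, as the Debian postinst already does, and giving both %post scriptlets the same text keeps the two packages consistent and avoids the path drifting from the library's definition.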
@@ -178,23 +170,19 @@ else systemctl start "$SERVICE" fi +echo "$BOUNCER has been successfully installed" + %preun -p /usr/bin/sh -n crowdsec-firewall-bouncer-nftables +BOUNCER="crowdsec-firewall-bouncer" +. /usr/lib/%{name}/_bouncer.sh + if [ "$1" = "0" ]; then - systemctl stop crowdsec-firewall-bouncer || echo "cannot stop service" - systemctl disable crowdsec-firewall-bouncer || echo "cannot disable service" + systemctl stop "$SERVICE" || echo "cannot stop service" + systemctl disable "$SERVICE" || echo "cannot disable service" + delete_bouncer fi %postun -p /usr/bin/sh -n crowdsec-firewall-bouncer-nftables -BOUNCER="crowdsec-firewall-bouncer" -CONFIG="/etc/crowdsec/bouncers/$BOUNCER.yaml" - -if [ "$1" == "0" ]; then - if [ -f "$CONFIG.id" ]; then - bouncer_id=$(cat "$CONFIG.id") - cscli -oraw bouncers delete "$bouncer_id" 2>/dev/null || true - rm -f "$CONFIG.id" - fi -else +if [ "$1" = "1" ]; then systemctl restart crowdsec-firewall-bouncer || echo "cannot restart service" fi - diff --git a/scripts/_bouncer.sh b/scripts/_bouncer.sh new file mode 100644 index 00000000..534d4c7a --- /dev/null +++ b/scripts/_bouncer.sh 
@@ -0,0 +1,176 @@ +#!/bin/sh +#shellcheck disable=SC3043 + +# This is a library of functions that can be sourced by other scripts +# to install and configure bouncers. +# +# While not requiring bash, it is not strictly POSIX-compliant because +# it uses local variables, but it should woth with every modern shell. +# +# Since passing/parsing arguments in posix sh is tricky, we share +# some environment variables with the functions. It's a matter of +# readability balance between shorter vs cleaner code. + +set -eu + +set_colors() { + if [ ! -t 0 ]; then + # terminal is not interactive; no colors + FG_RED="" + FG_GREEN="" + FG_YELLOW="" + FG_CYAN="" + RESET="" + elif tput sgr0 >/dev/null; then + # terminfo + FG_RED=$(tput setaf 1) + FG_GREEN=$(tput setaf 2) + FG_YELLOW=$(tput setaf 3) + FG_CYAN=$(tput setaf 6) + RESET=$(tput sgr0) + else + FG_RED=$(printf '%b' '\033[31m') + FG_GREEN=$(printf '%b' '\033[32m') + FG_YELLOW=$(printf '%b' '\033[33m') + FG_CYAN=$(printf '%b' '\033[36m') + RESET=$(printf '%b' '\033[0m') + fi +} + +msg() { + set_colors + case "$1" in + info) echo "${FG_CYAN}$2${RESET}" >&2 ;; + warn) echo "${FG_YELLOW}WARN:${RESET} $2" >&2 ;; + err) echo "${FG_RED}ERR:${RESET} $2" >&2 ;; + succ) echo "${FG_GREEN}$2${RESET}" >&2 ;; + *) echo "$1" >&2 ;; + esac +} + +require() { + set | grep -q "^$1=" || { msg err "missing required variable \$$1"; exit 1; } + shift + [ "$#" -eq 0 ] || require "$@" +} + +# shellcheck disable=SC2034 +{ +require 'BOUNCER' +SERVICE="$BOUNCER.service" +BIN_PATH_INSTALLED="/usr/local/bin/$BOUNCER" +BIN_PATH="./$BOUNCER" +CONFIG_DIR="/etc/crowdsec/bouncers" +CONFIG_FILE="$BOUNCER.yaml" +CONFIG="$CONFIG_DIR/$CONFIG_FILE" +SYSTEMD_PATH_FILE="/etc/systemd/system/$SERVICE" +} + +assert_root() { + #shellcheck disable=SC2312 + if [ "$(id -u)" -ne 0 ]; then + msg warn "Please run $0 as root or with sudo" + exit 1 + fi +} + +# check if the configuration file contains the string +# "$API_KEY" and returns true if it does. 
+need_api_key() { + require 'CONFIG' + local before after + before=$(cat "$CONFIG") + # shellcheck disable=SC2016 + after=$(envsubst '$API_KEY' < "$CONFIG") + + if [ "$before" = "$after" ]; then + return 1 + fi + return 0 +} + +set_api_key() { + require 'CONFIG' 'BOUNCER_PREFIX' + local api_key ret unique bouncer_id before + # if we can't set the key, the user will take care of it + api_key="" + ret=0 + + if command -v cscli >/dev/null; then + echo "cscli/crowdsec is present, generating API key" >&2 + unique=$(date +%s) + bouncer_id="$BOUNCER_PREFIX-$unique" + api_key=$(cscli -oraw bouncers add "$bouncer_id") + if [ $? -eq 1 ]; then + echo "failed to create API key" >&2 + ret=1 + else + echo "API Key successfully created" >&2 + echo "$bouncer_id" > "$CONFIG.id" + fi + else + echo "cscli/crowdsec is not present, please set the API key manually" >&2 + ret=1 + fi + + # can't use redirection while overwriting a file + before=$(cat "$CONFIG") + # shellcheck disable=SC2016 + echo "$before" | \ + API_KEY="$api_key" envsubst '$API_KEY' | \ + install -m 0600 /dev/stdin "$CONFIG" + + return "$ret" +} + +set_local_port() { + require 'CONFIG' + local port + command -v cscli >/dev/null || return 0 + port=$(cscli config show --key "Config.API.Server.ListenURI" | cut -d ":" -f2) + if [ "$port" != "" ]; then + sed -i "s/localhost:8080/127.0.0.1:$port/g" "$CONFIG" + sed -i "s/127.0.0.1:8080/127.0.0.1:$port/g" "$CONFIG" + fi +} + +set_local_lapi_url() { + require 'CONFIG' + local port before varname + # $varname is the name of the variable to interpolate + # in the config file with the URL of the LAPI server, + # assuming it is running on the same host as the + # bouncer. 
+ varname=$1 + if [ "$varname" = "" ]; then + msg err "missing required variable VARNAME" + exit 1 + fi + command -v cscli >/dev/null || return 0 + + port=$(cscli config show --key "Config.API.Server.ListenURI" | cut -d ":" -f2 || true) + if [ "$port" = "" ]; then + port=8080 + fi + + before=$(cat "$CONFIG") + echo "$before" | \ + env "$varname=http://127.0.0.1:$port" envsubst "\$$varname" | \ + install -m 0600 /dev/stdin "$CONFIG" +} + +delete_bouncer() { + require 'CONFIG' + local bouncer_id + if [ -f "$CONFIG.id" ]; then + bouncer_id=$(cat "$CONFIG.id") + cscli -oraw bouncers delete "$bouncer_id" 2>/dev/null || true + rm -f "$CONFIG.id" + fi +} + +upgrade_bin() { + require 'BIN_PATH' 'BIN_PATH_INSTALLED' + rm "$BIN_PATH_INSTALLED" + install -v -m 0755 -D "$BIN_PATH" "$BIN_PATH_INSTALLED" +} diff --git a/scripts/install.sh b/scripts/install.sh index a1461f26..d8b4ca25 100755 --- a/scripts/install.sh +++ b/scripts/install.sh 
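Review bot: In `set_api_key` and `set_local_lapi_url` the config is re-emitted with `echo "$before"`, and under `#!/bin/sh` on Debian (dash) echo interprets backslash escapes, so any `\` sequence in the YAML is rewritten when the key or URL is substituted; `printf '%s\n' "$before" | \` preserves the file bytes. In `set_api_key` the check `if [ $? -eq 1 ]` only catches exit status 1, and because the library runs under `set -e` a failing `cscli` in the `api_key=$(...)` assignment aborts the calling script before the check is reached unless the function is invoked from an `if` list as the postinst does; `if [ $? -ne 0 ]; then` at least covers the other non-zero statuses. `upgrade_bin` also dropped the `[ -f "$BIN_PATH" ]` and `[ -e "$BIN_PATH_INSTALLED" ]` guards the old upgrade.sh ran before `rm "$BIN_PATH_INSTALLED"`, so a missing installed binary now surfaces as an rm error (and, called from `if ! upgrade_bin`, still proceeds to install) instead of the previous clear message; restoring the two guards keeps that behaviour. The header comment's "should woth with every modern shell" is a typo for "work".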
@@ -1,61 +1,16 @@ #!/bin/sh -set -e - -set_colors() { - if [ ! -t 0 ]; then - # terminal is not interactive; no colors - FG_RED="" - FG_GREEN="" - FG_YELLOW="" - FG_CYAN="" - RESET="" - elif tput sgr0 >/dev/null; then - # terminfo - FG_RED=$(tput setaf 1) - FG_GREEN=$(tput setaf 2) - FG_YELLOW=$(tput setaf 3) - FG_CYAN=$(tput setaf 6) - RESET=$(tput sgr0) - else - FG_RED=$(printf '%b' '\033[31m') - FG_GREEN=$(printf '%b' '\033[32m') - FG_YELLOW=$(printf '%b' '\033[33m') - FG_CYAN=$(printf '%b' '\033[36m') - RESET=$(printf '%b' '\033[0m') - fi -} +set -eu -set_colors +BOUNCER="crowdsec-firewall-bouncer" +BOUNCER_PREFIX="cs-firewall-bouncer" -msg() { - case "$1" in - info) echo "${FG_CYAN}$2${RESET}" >&2 ;; - warn) echo "${FG_YELLOW}$2${RESET}" >&2 ;; - err) echo "${FG_RED}$2${RESET}" >&2 ;; - succ) echo "${FG_GREEN}$2${RESET}" >&2 ;; - *) echo "$1" >&2 ;; - esac -} +. ./scripts/_bouncer.sh -#shellcheck disable=SC2312 -if [ "$(id -u)" -ne 0 ]; then - msg warn "Please run $0 as root or with sudo" - exit 1 -fi +assert_root # --------------------------------- # -BOUNCER="crowdsec-firewall-bouncer" -BOUNCER_PREFIX="cs-firewall-bouncer" -SERVICE="$BOUNCER.service" -BIN_PATH_INSTALLED="/usr/local/bin/$BOUNCER" -BIN_PATH="./$BOUNCER" -CONFIG_DIR="/etc/crowdsec/bouncers" -CONFIG_FILE="$BOUNCER.yaml" -CONFIG="$CONFIG_DIR/$CONFIG_FILE" -SYSTEMD_PATH_FILE="/etc/systemd/system/$SERVICE" - API_KEY="" install_pkg() { 
@@ -151,21 +106,9 @@ gen_apikey() { } gen_config_file() { - ( - umask 077 - # shellcheck disable=SC2016 - API_KEY=${API_KEY} BACKEND=${FW_BACKEND} envsubst '$API_KEY $BACKEND' <"./config/$CONFIG_FILE" >"$CONFIG" - ) -} - -set_local_port() { - if command -v cscli >/dev/null; then - PORT=$(cscli config show --key "Config.API.Server.ListenURI" | cut -d ":" -f2) - if [ "$PORT" != "" ]; then - sed -i "s/localhost:8080/127.0.0.1:${PORT}/g" "$CONFIG" - sed -i "s/127.0.0.1:8080/127.0.0.1:${PORT}/g" "$CONFIG" - fi - fi + # shellcheck disable=SC2016 + API_KEY=${API_KEY} BACKEND=${FW_BACKEND} envsubst '$API_KEY $BACKEND' <"./config/$CONFIG_FILE" | \ + install -D -m 0600 /dev/stdin "$CONFIG" } install_bouncer() { @@ -191,7 +134,6 @@ install_bouncer() { # --------------------------------- # -set_colors install_bouncer systemctl enable "$SERVICE" diff --git a/scripts/uninstall.sh b/scripts/uninstall.sh index a0344547..f8c7e551 100755 --- a/scripts/uninstall.sh +++ b/scripts/uninstall.sh 
@@ -1,74 +1,24 @@ #!/bin/sh -set -e +set -eu -set_colors() { - if [ ! -t 0 ]; then - # terminal is not interactive; no colors - FG_RED="" - FG_GREEN="" - FG_YELLOW="" - FG_CYAN="" - RESET="" - elif tput sgr0 >/dev/null; then - # terminfo - FG_RED=$(tput setaf 1) - FG_GREEN=$(tput setaf 2) - FG_YELLOW=$(tput setaf 3) - FG_CYAN=$(tput setaf 6) - RESET=$(tput sgr0) - else - FG_RED=$(printf '%b' '\033[31m') - FG_GREEN=$(printf '%b' '\033[32m') - FG_YELLOW=$(printf '%b' '\033[33m') - FG_CYAN=$(printf '%b' '\033[36m') - RESET=$(printf '%b' '\033[0m') - fi -} - -set_colors +BOUNCER="crowdsec-firewall-bouncer" -msg() { - case "$1" in - info) echo "${FG_CYAN}$2${RESET}" >&2 ;; - warn) echo "${FG_YELLOW}$2${RESET}" >&2 ;; - err) echo "${FG_RED}$2${RESET}" >&2 ;; - succ) echo "${FG_GREEN}$2${RESET}" >&2 ;; - *) echo "$1" >&2 ;; - esac -} +. ./scripts/_bouncer.sh -#shellcheck disable=SC2312 -if [ "$(id -u)" -ne 0 ]; then - msg warn "Please run $0 as root or with sudo" - exit 1 -fi +assert_root # --------------------------------- # -BOUNCER="crowdsec-firewall-bouncer" -SERVICE="$BOUNCER.service" -BIN_PATH_INSTALLED="/usr/local/bin/$BOUNCER" -CONFIG_DIR="/etc/crowdsec/bouncers" -CONFIG_FILE="$BOUNCER.yaml" -CONFIG="$CONFIG_DIR/$CONFIG_FILE" -LOG_FILE="/var/log/$BOUNCER.log" -SYSTEMD_PATH_FILE="/etc/systemd/system/$SERVICE" - uninstall() { systemctl stop "$SERVICE" - if [ -f "$CONFIG.id" ]; then - bouncer_id=$(cat "$CONFIG.id") - cscli -oraw bouncers delete "$bouncer_id" || true - rm -f "$CONFIG.id" - fi + delete_bouncer rm -f "$CONFIG" rm -f "$SYSTEMD_PATH_FILE" rm -f "$BIN_PATH_INSTALLED" - rm -f "$LOG_FILE" + rm -f "/var/log/$BOUNCER.log" } uninstall - msg succ "$BOUNCER has been successfully uninstalled" exit 0 diff --git a/scripts/upgrade.sh b/scripts/upgrade.sh index b99f0127..a481745b 100755 --- a/scripts/upgrade.sh +++ b/scripts/upgrade.sh 
@@ -1,73 +1,22 @@ #!/bin/sh -set -e +set -eu -set_colors() { - #shellcheck disable=SC2034 - if [ ! -t 0 ]; then - # terminal is not interactive; no colors - FG_RED="" - FG_GREEN="" - FG_YELLOW="" - FG_CYAN="" - RESET="" - elif tput sgr0 >/dev/null; then - # terminfo - FG_RED=$(tput setaf 1) - FG_GREEN=$(tput setaf 2) - FG_YELLOW=$(tput setaf 3) - FG_CYAN=$(tput setaf 6) - RESET=$(tput sgr0) - else - FG_RED=$(printf '%b' '\033[31m') - FG_GREEN=$(printf '%b' '\033[32m') - FG_YELLOW=$(printf '%b' '\033[33m') - FG_CYAN=$(printf '%b' '\033[36m') - RESET=$(printf '%b' '\033[0m') - fi -} - -set_colors - -msg() { - case "$1" in - info) echo "${FG_CYAN}$2${RESET}" >&2 ;; - warn) echo "${FG_YELLOW}$2${RESET}" >&2 ;; - err) echo "${FG_RED}$2${RESET}" >&2 ;; - succ) echo "${FG_GREEN}$2${RESET}" >&2 ;; - *) echo "$1" >&2 ;; - esac -} +BOUNCER="crowdsec-firewall-bouncer" +. ./scripts/_bouncer.sh -#shellcheck disable=SC2312 -if [ "$(id -u)" -ne 0 ]; then - msg warn "Please run $0 as root or with sudo" - exit 1 -fi +assert_root # --------------------------------- # -BOUNCER="crowdsec-firewall-bouncer" -SERVICE="$BOUNCER.service" -BIN_PATH_INSTALLED="/usr/local/bin/$BOUNCER" -BIN_PATH="./$BOUNCER" +systemctl stop "$SERVICE" -upgrade_bin() { - if [ ! -f "$BIN_PATH" ]; then - msg err "$BIN_PATH not found, exiting." - exit 1 - fi - if [ ! -e "$BIN_PATH_INSTALLED" ]; then - msg err "$BIN_PATH_INSTALLED is not installed, exiting." - exit 1 - fi - rm "$BIN_PATH_INSTALLED" - install -v -m 0755 -D "$BIN_PATH" "$BIN_PATH_INSTALLED" -} +if ! upgrade_bin; then + msg err "failed to upgrade $BOUNCER" + exit 1 +fi -systemctl stop "$SERVICE" -upgrade_bin systemctl start "$SERVICE" || msg warn "$SERVICE failed to start, please check the systemd logs" msg succ "$BOUNCER upgraded successfully."