zamba-lxc-toolbox/src/ansible-semaphore/install-service.sh

#!/bin/bash

# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>

source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf

wget -q -O - https://nginx.org/keys/nginx_signing.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/nginx.key >/dev/null
echo "deb [signed-by=/etc/apt/trusted.gpg.d/nginx.key] http://nginx.org/packages/debian $(lsb_release -cs) nginx" | tee /etc/apt/sources.list.d/nginx.list

wget -q -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc  | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/postgresql.key >/dev/null
echo "deb [signed-by=/etc/apt/trusted.gpg.d/postgresql.key] http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" | tee /etc/apt/sources.list.d/pgdg.list

apt update

DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install --no-install-recommends -y -qq postgresql nginx git ssl-cert unzip zip ansible ansible-lint

systemctl enable --now postgresql

su - postgres <<EOF
psql -c "CREATE USER semaphore WITH PASSWORD '${SEMAPHORE_DB_PWD}';"
psql -c "CREATE DATABASE ${SEMAPHORE_DB_NAME} ENCODING UTF8 TEMPLATE template0 OWNER ${SEMAPHORE_DB_USR};"
echo "Postgres User ${SEMAPHORE_DB_USR} and database ${SEMAPHORE_DB_NAME} created."
EOF

curl -s https://api.github.com/repos/ansible-semaphore/semaphore/releases/latest | grep browser_download_url | cut -d '"' -f 4 | grep 'linux_amd64.deb$' | wget -i - -O /opt/semaphore_linux_amd64.deb

DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install /opt/semaphore_linux_amd64.deb

cat << EOF > /usr/local/bin/update-semaphore
PATH="/bin:/usr/bin:/usr/local/bin"
echo "Checking github for new semaphore version"
current_version=\$(curl -s https://api.github.com/repos/ansible-semaphore/semaphore/releases/latest | grep "tag_name" | cut -d '"' -f4)
installed_version=\$(semaphore version)
echo "Installed semaphore version is \$installed_version"
if [ \$installed_version != \$current_version ]; then
  echo "New semaphore version \$current_version available. Stopping semaphore.service"
  systemctl stop semaphore.service
  echo "Downloading semaphore version \$current_version..."
  curl -s https://api.github.com/repos/ansible-semaphore/semaphore/releases/latest | grep browser_download_url | cut -d '"' -f 4 | grep 'linux_amd64.deb$' | wget -i - -O /opt/semaphore_linux_amd64.deb
  DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install /opt/semaphore_linux_amd64.deb
  echo "Starting semaphore.service..."
  systemctl start semaphore.service
  echo "semaphore update finished!"
else
  echo "semaphore version is up-to-date!"
fi
EOF
chmod +x /usr/local/bin/update-semaphore

useradd -m -r -s /bin/bash semaphore
sudo -s -u semaphore bash -c 'ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519 -q -N ""'

cat << EOF > /etc/apt/apt.conf.d/80-semaphore-apt-hook
DPkg::Post-Invoke {"/usr/local/bin/update-semaphore";};
EOF
chmod +x /etc/apt/apt.conf.d/80-semaphore-apt-hook

cat << EOF > /etc/systemd/system/semaphore.service
[Unit]
Description=Semaphore Ansible
Documentation=https://github.com/ansible-semaphore/semaphore
Wants=network-online.target
After=network-online.target

[Service]
Type=simple
ExecReload=/bin/kill -HUP \$MAINPID
ExecStart=/usr/bin/semaphore service --config=/etc/semaphore/config.json
SyslogIdentifier=semaphore
Restart=always
User=semaphore
Group=semaphore

[Install]
WantedBy=multi-user.target
EOF

mkdir -p /etc/semaphore

cat << EOF > /etc/semaphore/config.json
{
 	"mysql": {
 		"host": "",
 		"user": "",
 		"pass": "",
 		"name": "",
 		"options": null
 	},
 	"bolt": {
 		"host": "",
 		"user": "",
 		"pass": "",
 		"name": "",
 		"options": null
 	},
 	"postgres": {
 		"host": "127.0.0.1:5432",
 		"user": "${SEMAPHORE_DB_USR}",
 		"pass": "${SEMAPHORE_DB_PWD}",
 		"name": "${SEMAPHORE_DB_NAME}",
 		"options": {
 			"sslmode": "disable"
 		}
 	},
 	"dialect": "postgres",
 	"port": "",
 	"interface": "",
 	"tmp_path": "/tmp/semaphore",
 	"cookie_hash": "$(head -c32 /dev/urandom | base64)",
 	"cookie_encryption": "$(head -c32 /dev/urandom | base64)",
 	"access_key_encryption": "$(head -c32 /dev/urandom | base64)",
 	"email_sender": "",
 	"email_host": "",
 	"email_port": "",
 	"email_username": "",
 	"email_password": "",
 	"web_host": "",
 	"ldap_binddn": "",
 	"ldap_bindpassword": "",
 	"ldap_server": "",
 	"ldap_searchdn": "",
 	"ldap_searchfilter": "",
 	"ldap_mappings": {
 		"dn": "",
 		"mail": "",
 		"uid": "",
 		"cn": ""
 	},
 	"telegram_chat": "",
 	"telegram_token": "",
 	"slack_url": "",
 	"max_parallel_tasks": 0,
 	"email_alert": false,
 	"email_secure": false,
 	"telegram_alert": false,
 	"slack_alert": false,
 	"ldap_enable": false,
 	"ldap_needtls": false,
 	"ssh_config_path": "~/.ssh/",
 	"demo_mode": false,
 	"git_client": ""
 }
EOF

if [ -f /etc/nginx/sites-enabled/default ]; then
  unlink /etc/nginx/sites-enabled/default
fi

cat << EOF > /etc/nginx/conf.d/default.conf
server {
    listen 80;
    listen [::]:80;
    server_name _;
    
    server_tokens off;

    access_log /var/log/nginx/semaphore.access.log;
    error_log /var/log/nginx/semaphore.error.log;

    location /.well-known/ {
        root /var/www/html;
    }

    return 301 https://${LXC_HOSTNAME}.${LXC_DOMAIN}\$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name ${LXC_HOSTNAME}.${LXC_DOMAIN};
    
    server_tokens off;
    ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
    ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;

    ssl_protocols TLSv1.3 TLSv1.2;
    ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:EECDH+AESGCM:EDH+AESGCM;
    ssl_dhparam /etc/nginx/dhparam.pem;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 180m;

    ssl_stapling on;
    ssl_stapling_verify on;

    resolver 1.1.1.1 1.0.0.1;

    add_header Strict-Transport-Security "max-age=31536000" always;

    access_log /var/log/nginx/semaphore.access.log;
    error_log  /var/log/nginx/semaphore.error.log;

    client_max_body_size 50M;

    location / {
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_pass http://127.0.0.1:3000;
        proxy_read_timeout 90;
    }
}
EOF

echo "source <(semaphore completion bash)" >> /root/.bashrc
semaphore user add --admin --login ${SEMAPHORE_ADMIN} --name ${SEMAPHORE_ADMIN_DISPLAY_NAME} --email ${SEMAPHORE_ADMIN_EMAIL} --password ${SEMAPHORE_ADMIN_PASSWORD} --config /etc/semaphore/config.json


generate_dhparam

systemctl daemon-reload
systemctl enable --now semaphore.service
systemctl restart nginx.service


echo -e "\n######################################################################\n\n    Please note this user and password for the semaphore login:\n        '$SEMAPHORE_ADMIN' / '$SEMAPHORE_ADMIN_PASSWORD'\n                Enjoy your semaphore intallation.\n\n######################################################################"
Add ansible semaphore container 2023-07-08 18:20:52 +02:00			`#!/bin/bash`

			`# Authors:`
			`# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>`
			`# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>`
			`# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>`

			`source /root/functions.sh`
			`source /root/zamba.conf`
			`source /root/constants-service.conf`

			`wget -q -O - https://nginx.org/keys/nginx_signing.key \| gpg --dearmor \| sudo tee /etc/apt/trusted.gpg.d/nginx.key >/dev/null`
			`echo "deb [signed-by=/etc/apt/trusted.gpg.d/nginx.key] http://nginx.org/packages/debian $(lsb_release -cs) nginx" \| tee /etc/apt/sources.list.d/nginx.list`

			`wget -q -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc \| gpg --dearmor \| sudo tee /etc/apt/trusted.gpg.d/postgresql.key >/dev/null`
			`echo "deb [signed-by=/etc/apt/trusted.gpg.d/postgresql.key] http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" \| tee /etc/apt/sources.list.d/pgdg.list`

			`apt update`

			`DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install --no-install-recommends -y -qq postgresql nginx git ssl-cert unzip zip ansible ansible-lint`

			`systemctl enable --now postgresql`

			`su - postgres <<EOF`
			`psql -c "CREATE USER semaphore WITH PASSWORD '${SEMAPHORE_DB_PWD}';"`
			`psql -c "CREATE DATABASE ${SEMAPHORE_DB_NAME} ENCODING UTF8 TEMPLATE template0 OWNER ${SEMAPHORE_DB_USR};"`
			`echo "Postgres User ${SEMAPHORE_DB_USR} and database ${SEMAPHORE_DB_NAME} created."`
			`EOF`

			`curl -s https://api.github.com/repos/ansible-semaphore/semaphore/releases/latest \| grep browser_download_url \| cut -d '"' -f 4 \| grep 'linux_amd64.deb$' \| wget -i - -O /opt/semaphore_linux_amd64.deb`

			`DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install /opt/semaphore_linux_amd64.deb`

			`cat << EOF > /usr/local/bin/update-semaphore`
			`PATH="/bin:/usr/bin:/usr/local/bin"`
			`echo "Checking github for new semaphore version"`
			`current_version=\$(curl -s https://api.github.com/repos/ansible-semaphore/semaphore/releases/latest \| grep "tag_name" \| cut -d '"' -f4)`
			`installed_version=\$(semaphore version)`
			`echo "Installed semaphore version is \$installed_version"`
			`if [ \$installed_version != \$current_version ]; then`
			`echo "New semaphore version \$current_version available. Stopping semaphore.service"`
			`systemctl stop semaphore.service`
			`echo "Downloading semaphore version \$current_version..."`
			`curl -s https://api.github.com/repos/ansible-semaphore/semaphore/releases/latest \| grep browser_download_url \| cut -d '"' -f 4 \| grep 'linux_amd64.deb$' \| wget -i - -O /opt/semaphore_linux_amd64.deb`
			`DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install /opt/semaphore_linux_amd64.deb`
			`echo "Starting semaphore.service..."`
			`systemctl start semaphore.service`
			`echo "semaphore update finished!"`
			`else`
			`echo "semaphore version is up-to-date!"`
			`fi`
			`EOF`
			`chmod +x /usr/local/bin/update-semaphore`

run semaphore as unpriv user 2023-08-24 21:36:04 +02:00			`useradd -m -r -s /bin/bash semaphore`
			`sudo -s -u semaphore bash -c 'ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519 -q -N ""'`

Add ansible semaphore container 2023-07-08 18:20:52 +02:00			`cat << EOF > /etc/apt/apt.conf.d/80-semaphore-apt-hook`
			`DPkg::Post-Invoke {"/usr/local/bin/update-semaphore";};`
			`EOF`
			`chmod +x /etc/apt/apt.conf.d/80-semaphore-apt-hook`

			`cat << EOF > /etc/systemd/system/semaphore.service`
			`[Unit]`
			`Description=Semaphore Ansible`
			`Documentation=https://github.com/ansible-semaphore/semaphore`
			`Wants=network-online.target`
			`After=network-online.target`

			`[Service]`
			`Type=simple`
			`ExecReload=/bin/kill -HUP \$MAINPID`
			`ExecStart=/usr/bin/semaphore service --config=/etc/semaphore/config.json`
			`SyslogIdentifier=semaphore`
			`Restart=always`
run semaphore as unpriv user 2023-08-24 21:36:04 +02:00			`User=semaphore`
			`Group=semaphore`
Add ansible semaphore container 2023-07-08 18:20:52 +02:00
			`[Install]`
			`WantedBy=multi-user.target`
			`EOF`

			`mkdir -p /etc/semaphore`

			`cat << EOF > /etc/semaphore/config.json`
			`{`
			`"mysql": {`
			`"host": "",`
			`"user": "",`
			`"pass": "",`
			`"name": "",`
			`"options": null`
			`},`
			`"bolt": {`
			`"host": "",`
			`"user": "",`
			`"pass": "",`
			`"name": "",`
			`"options": null`
			`},`
			`"postgres": {`
			`"host": "127.0.0.1:5432",`
			`"user": "${SEMAPHORE_DB_USR}",`
			`"pass": "${SEMAPHORE_DB_PWD}",`
			`"name": "${SEMAPHORE_DB_NAME}",`
			`"options": {`
			`"sslmode": "disable"`
			`}`
			`},`
			`"dialect": "postgres",`
			`"port": "",`
			`"interface": "",`
			`"tmp_path": "/tmp/semaphore",`
			`"cookie_hash": "$(head -c32 /dev/urandom \| base64)",`
			`"cookie_encryption": "$(head -c32 /dev/urandom \| base64)",`
			`"access_key_encryption": "$(head -c32 /dev/urandom \| base64)",`
			`"email_sender": "",`
			`"email_host": "",`
			`"email_port": "",`
			`"email_username": "",`
			`"email_password": "",`
			`"web_host": "",`
			`"ldap_binddn": "",`
			`"ldap_bindpassword": "",`
			`"ldap_server": "",`
			`"ldap_searchdn": "",`
			`"ldap_searchfilter": "",`
			`"ldap_mappings": {`
			`"dn": "",`
			`"mail": "",`
			`"uid": "",`
			`"cn": ""`
			`},`
			`"telegram_chat": "",`
			`"telegram_token": "",`
			`"slack_url": "",`
			`"max_parallel_tasks": 0,`
			`"email_alert": false,`
			`"email_secure": false,`
			`"telegram_alert": false,`
			`"slack_alert": false,`
			`"ldap_enable": false,`
			`"ldap_needtls": false,`
			`"ssh_config_path": "~/.ssh/",`
			`"demo_mode": false,`
			`"git_client": ""`
			`}`
			`EOF`

			`if [ -f /etc/nginx/sites-enabled/default ]; then`
			`unlink /etc/nginx/sites-enabled/default`
			`fi`

			`cat << EOF > /etc/nginx/conf.d/default.conf`
			`server {`
			`listen 80;`
			`listen [::]:80;`
			`server_name _;`

			`server_tokens off;`

			`access_log /var/log/nginx/semaphore.access.log;`
			`error_log /var/log/nginx/semaphore.error.log;`

			`location /.well-known/ {`
			`root /var/www/html;`
			`}`

			`return 301 https://${LXC_HOSTNAME}.${LXC_DOMAIN}\$request_uri;`
			`}`

			`server {`
			`listen 443 ssl http2;`
			`listen [::]:443 ssl http2;`

			`server_name ${LXC_HOSTNAME}.${LXC_DOMAIN};`

			`server_tokens off;`
			`ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;`
			`ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;`

			`ssl_protocols TLSv1.3 TLSv1.2;`
			`ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:EECDH+AESGCM:EDH+AESGCM;`
			`ssl_dhparam /etc/nginx/dhparam.pem;`
			`ssl_prefer_server_ciphers on;`
			`ssl_session_cache shared:SSL:10m;`
			`ssl_session_timeout 180m;`

			`ssl_stapling on;`
			`ssl_stapling_verify on;`

			`resolver 1.1.1.1 1.0.0.1;`

			`add_header Strict-Transport-Security "max-age=31536000" always;`

			`access_log /var/log/nginx/semaphore.access.log;`
			`error_log /var/log/nginx/semaphore.error.log;`

			`client_max_body_size 50M;`

			`location / {`
			`proxy_set_header X-Real-IP \$remote_addr;`
			`proxy_set_header Host \$host;`
			`proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;`
			`proxy_pass http://127.0.0.1:3000;`
			`proxy_read_timeout 90;`
			`}`
			`}`
			`EOF`

			`echo "source <(semaphore completion bash)" >> /root/.bashrc`
			`semaphore user add --admin --login ${SEMAPHORE_ADMIN} --name ${SEMAPHORE_ADMIN_DISPLAY_NAME} --email ${SEMAPHORE_ADMIN_EMAIL} --password ${SEMAPHORE_ADMIN_PASSWORD} --config /etc/semaphore/config.json`


Change dh param gen to function 2023-09-10 11:25:55 +02:00			`generate_dhparam`
Add ansible semaphore container 2023-07-08 18:20:52 +02:00
			`systemctl daemon-reload`
			`systemctl enable --now semaphore.service`
			`systemctl restart nginx.service`
print credentials 2023-08-24 21:37:45 +02:00

			`echo -e "\n######################################################################\n\n Please note this user and password for the semaphore login:\n '$SEMAPHORE_ADMIN' / '$SEMAPHORE_ADMIN_PASSWORD'\n Enjoy your semaphore intallation.\n\n######################################################################"`