Vault Agent PKI on a Synology NAS
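#!/bin/bash
# Proof of Concept Bash Script to connect to NAS and configure everything
#
# Runs on the operator's machine. It mints an AppRole secret-id from Vault,
# stages role-id / secret-id / setup.sh on the NAS over ssh, then runs
# setup.sh there as root via sudo. Assumes the local `vault` CLI is already
# authenticated (no login is performed here).
#
# Env overrides: REMOTE_PORT, REMOTE_HOST, REMOTE_USER (defaults below).
set -euo pipefail

REMOTE_PORT=${REMOTE_PORT:-1337}
REMOTE_HOST=${REMOTE_HOST:-codex.davnet.lmhd.me}
REMOTE_USER=${REMOTE_USER:-shenanigans}
export VAULT_ADDR=https://vault.fancycorp.io

# Same target for every ssh/scp hop below.
ssh_opts=(-p "${REMOTE_PORT}")
remote="${REMOTE_USER}@${REMOTE_HOST}"

echo
echo ========================================
echo Generating AppRole Credentials
echo ========================================
# Read Role ID and create Secret ID
role_id=$(vault read --field=role_id auth/approle/role/pki-davnet/role-id)
secret_id=$(vault write -f --field=secret_id auth/approle/role/pki-davnet/secret-id)

echo
echo ========================================
echo "Running Setup on ${REMOTE_HOST}"
echo ========================================
# Private staging directory (0700): other local users on the NAS cannot read
# the secret-id, nor replace setup.sh between the scp and the sudo run below.
ssh "${ssh_opts[@]}" "${remote}" 'mkdir -p -m 700 /tmp/lmhd/'
# Feed the credentials through ssh's stdin instead of embedding them in the
# remote command line, so they never appear in `ps` output or shell history
# on the NAS. umask 077 keeps the files owner-readable only.
printf '%s\n' "${role_id}" | ssh "${ssh_opts[@]}" "${remote}" 'umask 077; cat > /tmp/lmhd/role-id'
printf '%s\n' "${secret_id}" | ssh "${ssh_opts[@]}" "${remote}" 'umask 077; cat > /tmp/lmhd/secret-id'
scp -P "${REMOTE_PORT}" setup.sh "${remote}:/tmp/lmhd/setup.sh"

# Need the admin password, so we can sudo to root
# because Synology decided running NGINX as root was a GREAT idea!
echo Enter Admin Password:
read -rs admin_pass
# sudo -S consumes the first line of stdin as the password; anything
# setup.sh runs must therefore not read from stdin.
printf '%s\n' "${admin_pass}" | ssh "${ssh_opts[@]}" "${remote}" sudo -S /tmp/lmhd/setup.sh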
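#!/bin/bash
# setup.sh — executed on the NAS as root (sudo from the local PoC script).
# Installs the Vault binary if missing, writes the Vault Agent config plus the
# template command that copies the issued cert into Synology's nginx paths,
# moves the staged AppRole credentials alongside, and starts the agent.
#
# Env overrides: VAULT_VERSION (default 1.7.2), VAULT_SHA256 (optional pin).
set -euo pipefail

# TODO: Put these files elsewhere
# they are currently running in the Admin user's home directory
# which... okay, kinda works as a PoC... but not what I really want
mkdir -p vault
cd vault || exit 1

if [[ ! -f vault ]]; then
  echo
  echo ========================================
  echo Installing Vault
  echo ========================================
  VAULT_VERSION=${VAULT_VERSION:-1.7.2}
  # Optional: export VAULT_SHA256=<sha256 of vault_${VAULT_VERSION}_linux_arm64.zip
  # taken from the SHA256SUMS file on releases.hashicorp.com> to pin the
  # download. When unset the zip is fetched over TLS but not otherwise verified.
  VAULT_SHA256=${VAULT_SHA256:-}
  # -f: fail on an HTTP error instead of saving the error page as vault.zip
  # (which the original redirect form would happily do, and gunzip would then
  # choke on). -L follows the release redirect if one appears.
  curl -fL -o vault.zip "https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_arm64.zip"
  if [[ -n "${VAULT_SHA256}" ]]; then
    printf '%s  vault.zip\n' "${VAULT_SHA256}" | sha256sum -c -
  fi
  # gunzip can unpack a single-member zip; -S .zip makes the output file "vault".
  gunzip -S .zip vault.zip
  # The extracted binary is not guaranteed to carry an exec bit.
  chmod 0755 vault
  ./vault version
fi

echo
echo ========================================
echo Setting up Vault Agent
echo ========================================
# Quoted delimiter: the HCL contains no shell expansions and must be written
# verbatim (the {{ }} template syntax is for Vault Agent, not bash).
cat > vault_agent.hcl << 'EOF'
vault {
  address = "https://vault.fancycorp.io"
}
auto_auth {
  method "approle" {
    config = {
      role_id_file_path = "role-id"
      secret_id_file_path = "secret-id"
    }
  }
}
template {
  contents = <<EOT
{{ with secret "pki/inter/issue/davnet.lmhd.me" "common_name=codex.davnet.lmhd.me" }}
{{ toJSONPretty .Data }}
{{ end }}
EOT
  destination = "codex.json"
  command = "./split-cert.sh"
}
EOF

# Credentials staged by the local script; they now sit next to the agent
# config, so make sure only root can read them from here on.
mv /tmp/lmhd/role-id .
mv /tmp/lmhd/secret-id .
chmod 0600 role-id secret-id

# Template command run by Vault Agent after each render of codex.json.
cat > split-cert.sh << 'EOF'
#!/bin/bash
# Split the issued cert bundle (codex.json) into the files Synology's nginx
# expects under both the "default" and "FQDN" certificate directories, then
# reload nginx so it picks the new cert up.
set -ex
cert_root=/usr/syno/etc/certificate/system
# NOTE(review): privkey.pem inherits the default umask if it does not already
# exist in a target directory; check its mode on the NAS after the first run.
for target in default FQDN; do
  jq -r '.certificate'              codex.json > "${cert_root}/${target}/cert.pem"
  jq -r '.issuing_ca'               codex.json > "${cert_root}/${target}/chain.pem"
  jq -r '.certificate, .issuing_ca' codex.json > "${cert_root}/${target}/fullchain.pem"
  jq -r '.private_key'              codex.json > "${cert_root}/${target}/privkey.pem"
done
nginx -s reload
EOF
# Vault Agent executes this script directly, so it needs the exec bit.
chmod 0755 split-cert.sh

# TODO: get this running automatically as some kind of service, so it
# survives a reboot
# TODO: This nohup bit doesn't actually work yet
# Works when I run it manually, which is good enough for now
echo
echo ========================================
echo Running Vault Agent
echo ========================================
# Detach from the ssh session explicitly: when stdout is not a terminal nohup
# does not redirect it, so the agent would keep the remote `sudo -S setup.sh`
# pipe open and the local script would hang. This is presumably why the
# nohup form above "doesn't work" when run over ssh.
nohup ./vault agent -config vault_agent.hcl > vault-agent.log 2>&1 < /dev/null &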