I have this so far but I'm missing a couple of things like getting the cron job scripted. Don't want to do this as root. So I'm assuming some more could be done to set up the first user at the same time. The script would need to be idempotent (can be run over and over again without risking changing anything if it was run with the same arguments before).
singledomaincertnginx.sh:
#!/bin/bash
if [ -z "$3" ]; then
echo use is "singledomaincertnginx.sh <server-ssh-address> <ssl-admin-email> <ssl-domain>"
echo example: "singledomaincertnginx.sh user#mydomain.com admin#mydomain.com some-sub-domain.mydomain.com"
exit
fi
ssh $1 "cat > ~/wks" << 'EOF'
#!/bin/bash
echo email: $1
echo domain: $2
sudo add-apt-repository -y ppa:certbot/certbot
sudo apt-get update
sudo apt-get upgrade -y
sudo apt-get install -y software-properties-common
sudo apt-get install -y python-certbot-nginx
sudo apt-get install -y nginx
sudo sed -i "s/server_name .*;/server_name $2;/" /etc/nginx/sites-available/default
sudo systemctl restart nginx.service
if [[ -e /etc/letsencrypt/live/$2/fullchain.pem ]]; then
sudo certbot -n --nginx --agree-tos -m "$1" -d "$2"
fi
if [[ ! sudo crontab -l | grep certbot ]]; then
# todo: add cron job to renew: 15 3 * * * /usr/bin/certbot renew --quiet
EOF
ssh $1 "chmod +x ~/wks"
ssh -t $1 "bash -x -e ~/wks $2 $3"
I have this so far but I'm missing a couple of things like getting the cron job scripted.
Here's one way to complete (and correct) what you started:
if ! sudo crontab -l | grep certbot; then
echo "15 3 * * * /usr/bin/certbot renew --quiet" | sudo tee -a /var/spool/cron/crontabs/root >/dev/null
fi
Here's another way I prefer because it doesn't need to know the path of the crontabs:
if ! sudo crontab -l | grep certbot; then
sudo crontab -l | { cat; echo "15 3 * * * /usr/bin/certbot renew --quiet"; } | sudo crontab -
fi
Something I see missing is how the certificate file /etc/letsencrypt/live/$domain/fullchain.pem gets created.
Do you provide that by other means,
or do you need help with that part?
Don't want to do this as root.
Most of the steps involve running apt-get,
and for that you already require root.
Perhaps you meant that you don't want to do the renewals using root.
Some services operate as a dedicated user instead of root,
but looking through the documentation of certbot I haven't seen anything like that.
So it seems a common practice to do the renewals with root,
so adding the renewal command to root's crontab seems fine to me.
I would improve a couple of things in the script to make it more robust:
The positional parameters $1, $2 and so on scattered around are easy to lose track of, which could lead to errors. I would give them proper names.
The command line argument validation if [ -z "$3" ] is weak, I would make that more strict as if [ $# != 3 ].
Once the remote script is generated, you call it with bash -e, which is good for safeguarding. But if the script is called by something else without -e, the safeguard won't be there. It would be better to build that safeguard into the script itself with set -e. I would go further and use set -euo pipefail which is even more strict. And I would put that in the outer script too.
Most of the commands in the remote script require sudo. For one thing that's tedious to write. For another, if one command ends up taking a long time such that the sudo session expires, you may have to reenter the root password a second time, which will be annoying, especially if you stepped out for a coffee break. It would be better to require to always run as root, by adding a check on the uid of the executing user.
Since you run the remote script with bash -x ~/wks ... instead of just ~/wks, there's no need to make it executable with chmod, so that step can be dropped.
Putting the above together (and then some), I would write like this:
#!/bin/bash
set -euo pipefail
if [ $# != 3 ]; then
echo "Usage: $0 <server-ssh-address> <ssl-admin-email> <ssl-domain>"
echo "Example: singledomaincertnginx.sh user#mydomain.com admin#mydomain.com some-sub-domain.mydomain.com"
exit 1
fi
remote=$1
email=$2
domain=$3
remote_script_path=./wks
ssh $remote "cat > $remote_script_path" << 'EOF'
#!/bin/bash
set -euo pipefail
if [[ "$(id -u)" != 0 ]]; then
echo "This script must be run as root. (sudo $0)"
exit 1
fi
email=$1
domain=$2
echo email: $email
echo domain: $domain
add-apt-repository -y ppa:certbot/certbot
apt-get update
apt-get upgrade -y
apt-get install -y software-properties-common
apt-get install -y python-certbot-nginx
apt-get install -y nginx
sed -i "s/server_name .*;/server_name $domain;/" /etc/nginx/sites-available/default
systemctl restart nginx.service
#service nginx restart
if [[ -e /etc/letsencrypt/live/$domain/fullchain.pem ]]; then
certbot -n --nginx --agree-tos -m $email -d $domain
fi
if ! crontab -l | grep -q certbot; then
crontab -l | {
cat
echo
echo "15 3 * * * /usr/bin/certbot renew --quiet"
echo
} | crontab -
fi
EOF
ssh -t $remote "sudo bash -x $remote_script_path $email $domain"
Are you looking for something like this:
if [[ "$(grep '/usr/bin/certbot' /var/spool/cron/crontabs/$(whoami))" = "" ]]
then
echo "15 3 * * * /usr/bin/certbot renew --quiet" >> /var/spool/cron/crontabs/$(whoami)
fi
and the fi at the end
you can also avoid doing that much sudo by concatenating them like in:
sudo bash -c 'add-apt-repository -y ppa:certbot/certbot;apt-get update;apt-get upgrade -y;apt-get install -y software-properties-common python-certbot-nginx nginx;sed -i "s/server_name .*;/server_name $2;/" /etc/nginx/sites-available/default;systemctl restart nginx.service'
If you are doing this with sudo you are doing this as root
this is a simple thing to do in ansible, best do it there
to do the cron job do this:
CRON_FILE="/etc/cron.d/certbot"
if [ ! -f $CRON_FILE ] ; then
echo '15 3 * * * /usr/bin/certbot renew --quiet' > $CRON_FILE
fi
There are multiple ways to do this and they could be considered "proper" depending on the scenario.
One way to do it on boot time could be using cloud-init, For testing in the case of using AWS when creating the instance you could add your custom script:
This will allow running commands on launch of your instance, In case you would like to automate this process (infrastructure like code) you could use for example terraform
If for some reason you already have the instance up and running and just want to update on demand but not using ssh, you could use saltstack.
Talking about "Idempotency" Ansible could be also a very good tool for doing this, from the ansible glossary:
An operation is idempotent if the result of performing it once is exactly the same as the result of performing it repeatedly without any intervening actions.
There are many tools that can help you achieve this, only thing is to find the tool that adapts better to your needs/scenario.
Copy-paste solution for nginx + Ubuntu
Install dependencies
sudo apt-get install nginx -y
sudo apt-get install software-properties-common -y
sudo add-apt-repository universe -y
sudo add-apt-repository ppa:certbot/certbot -y
sudo apt-get update
sudo apt-get install certbot python-certbot-nginx -y
Get SSL certificate and redirect all traffic from http to https
certbot --nginx --agree-tos --redirect --noninteractive \
--email YOUR#EMAIL.COM \
--domain YOUR.DOMAIN.COM
Test renewal
certbot renew --dry-run
Docs
https://certbot.eff.org/lets-encrypt/ubuntuxenial-nginx
Related
The following is my bash script setting up ssh tunneling. However, it always stops when it get to the echo part. does anyone know why? My distro is ubuntu 20.
apt update && apt install -y wget && DEBIAN_FRONTEND=noninteractive apt-get install
openssh-server -y &&
mkdir -p ~/.ssh && cd $_ &&
echo "ssh-ed25519
AAAAC3NzaC1lZDI1NTE5AAAAII2AOiMJXSWr/yYuAkSur/QSfdwBbmK3hs4qzlMvOQxT dmml#Dmms-MBP"
>> authorized_keys
&& service ssh start
thanks.
My response would be better placed in a comment, but I can't get the formatting right, so I'll post it here. The problem is likely due to a formatting issue. Splitting the string that's passed to the echo command over multiple lines is especially problematic. Try re-formatting as shown below, noting the backslash (\) at the end of each line. There's likely a better way to accomplish the goal than stringing a large number of commands together. Also, resist the temptation to use "set -e" here. See comments for additional details.
apt update && \
apt install -y wget && \
DEBIAN_FRONTEND=noninteractive apt-get installopenssh-server -y && \
mkdir -p ~/.ssh && \
cd $_ && \
echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII2AOiMJXSWr/yYuAkSur/QSfdwBbmK3hs4qzlMvOQxT dmml#Dmms-MBP" >> authorized_keys && \
service ssh start
The Xenial (Ubuntu 16.04) image on Travis-CI comes with Elasticsearch-5.5 preinstalled. What should I put in my .travis.yml to run my builds against Elasticsearch-7.0?
Add these commands to your before_install step:
- curl -s -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.0.1-amd64.deb
- sudo dpkg -i --force-confnew elasticsearch-7.0.1-amd64.deb
- sudo sed -i.old 's/-Xms1g/-Xms128m/' /etc/elasticsearch/jvm.options
- sudo sed -i.old 's/-Xmx1g/-Xmx128m/' /etc/elasticsearch/jvm.options
- echo -e '-XX:+DisableExplicitGC\n-Djdk.io.permissionsUseCanonicalPath=true\n-Dlog4j.skipJansi=true\n-server\n' | sudo tee -a /etc/elasticsearch/jvm.options
- sudo chown -R elasticsearch:elasticsearch /etc/default/elasticsearch
- sudo systemctl start elasticsearch
The changes to jvm.options are done in an attempt to emulate the existing config for Elasticsearch-5.5, which I assume the Travis peeps have actually thought about.
According to the Travis docs, you should also add this line to your before_script step:
- sleep 10
This is to ensure Elasticsearch is up and running, but I haven't checked if it's actually necessary.
One small addition to #kthy answer that had me stumbling for a bit. You need to remove - elasticsearch from your services: definition in the .travis.yml otherwise no matter what you put in before_install, the default service will override it!
services:
- elasticsearch
Remove ^^ and then you can proceed with the steps he outlined and it should all work smoothly.
if you want to wait for the elastic search to start (which may be longer or shorter than 10 seconds) replace the sleep 10 with this:
host="localhost:9200"
response=""
attempt=0
until [ "$response" = "200" ]; do
if [ $attempt -ge 25 ]; then
echo "FAILED. Elasticsearch not responding after $attempt tries."
exit 1
fi
echo "Contacting Elasticsearch on ${host}. Try number ${attempt}"
response=$(curl --write-out %{http_code} --silent --output /dev/null "$host")
sleep 1
attempt=$[$attempt+1]
done
I am trying to run a custom egg through the Pterodactyl panel however, I get the error "/entrypoint.sh: line 30: syntax error: unexpected end of file"
My Docker image is as followed;
FROM ubuntu:18.04
MAINTAINER Amelia, <me#amelia.fun>
RUN apt-get update -y
RUN DEBIAN_FRONTEND=noninteractive apt-get install -y dos2unix curl gnupg2 git-core zlib1g-dev libssl-dev libreadline-dev libyaml-dev libsqlite3-dev sqlite3 libxml2-dev libxslt1-dev libcurl4-openssl-dev libffi-dev yarn build-essential gpg-agent zip unzip software-properties-common git default-jre python3-pip python-minimal python-pip ffmpeg libopus-dev libsodium-dev libpython2.7 libpython2.7-dev wget php7.2 php7.2-common php7.2-cli php7.2-fpm
RUN curl -sL https://deb.nodesource.com/setup_10.x -o nodesource_setup.sh
RUN bash nodesource_setup.sh
RUN apt-get install -y nodejs
RUN rm -rf nodesource_setup.sh
RUN adduser -D -h /home/container container
USER container
ENV USER=container HOME=/home/container
WORKDIR /home/container
COPY ./entrypoint.sh /entrypoint.sh
CMD ["/bin/bash", "/entrypoint.sh"]
and my entrypoint.sh is as followed;
#!/bin/bash
cd /home/container
MODIFIED_STARTUP=`eval echo $(echo ${STARTUP_PARAMETERS} | sed -e 's/{{/${/g' -e 's/}}/}/g')`
rm -rf *
git clone ${REPO_PARAMETERS}
cd */
if grep -q 'Java' AppType
then
${STARTUP_PARAMETERS}
if grep -q 'PHP' AppType
then
${STARTUP_PARAMETERS}
elif grep -q 'Python2' AppType
then
[ -f "requirements.txt" ] && pip2 install -r requirements.txt ${STARTUP_PARAMETERS} || ${STARTUP_PARAMETERS}
elif grep -q 'Python3' AppType
then
[ -f "requirements.txt" ] && pip3 install -r requirements.txt ${STARTUP_PARAMETERS} || ${STARTUP_PARAMETERS}
elif grep -q 'NodeJS' AppType
then
npm install
${STARTUP_PARAMETERS}
else
echo "Application not supported"
fi
echo "${MODIFIED_STARTUP}"
the Bash file is nowhere near 30 lines long so I'm not really sure.
The guide I used can also be found here
The immediate problem is that you have two if statements, but only one of them is closed with fi; it looks to me like the second one should be elif. But there are a number of other things that look like bad ideas to me:
cd commands in scripts should (almost) always have error tests -- for example, if cd /home/container fails for some reason, the rest of the script (including rm -rf *) will run in an unexpected location. Now, a self-destroying Docker environment may not be as big a deal as a self-destroying real system, but it's still not a good thing. I'd use something like this instead:
cd /home/container || {
echo "Error -- can't move to /home/container, something rotten in Denmark." >&2
exit 1
}
A similar comment applies to cd */.
The next line, that sets MODIFIED_STARTUP, is a mishmash of bad ideas. I'm not familiar with what's going to be in $STARTUP_PARAMETERS, but in general: Use $( ) instead of backticks (and not a weird mix of both). echo $(somecommand) is pretty much a no-op, just run the command directly. Also, variable references (and similar expansions like $( )) should almost always be in double-quotes (exception: on the right side of an assignment). And eval is generally dangerous, and should be avoided if possible. I you give me an example of what $STARTUP_PARAMETERS looks like, I could probably give a cleaned-up version of this.
The big if ... elif... etc has several conditions that do the same thing, e.g.
elif grep -q 'Python2' AppType
then
[ -f "requirements.txt" ] && pip2 install -r requirements.txt ${STARTUP_PARAMETERS} || ${STARTUP_PARAMETERS}
elif grep -q 'Python3' AppType
then
[ -f "requirements.txt" ] && pip3 install -r requirements.txt ${STARTUP_PARAMETERS} || ${STARTUP_PARAMETERS}
On the DRY principle (Don't Repeat Yourself), it'd be better to have a single test for all equivalent situations, like this:
elif grep -q 'Python2' AppType || grep -q 'Python3' AppType
then
[ -f "requirements.txt" ] && pip2 install -r requirements.txt ${STARTUP_PARAMETERS} || ${STARTUP_PARAMETERS}
or even:
elif grep -q 'Python[23]' AppType
then
[ -f "requirements.txt" ] && pip2 install -r requirements.txt ${STARTUP_PARAMETERS} || ${STARTUP_PARAMETERS}
BTW, the use of ${STARTUP_PARAMETERS} without quotes is setting off warning bells for me here, but may be inevitable -- again, I don't know its format. And the && ... || construction isn't always a safe replacement for if then else fi, since it can run both branches. In this script, if requirements.txt exists but the pip2 install command fails, it'll go ahead and run ${STARTUP_PARAMETERS} as well. Is that intentional? If not, I'd use a proper if statement instead.
These commands, when run as a script, fails with error:
/etc/nginx/.htpasswd: No such file or directory
sudo touch /etc/nginx/.htpasswd
hash="$(echo -n "$MD5Password" | md5sum )"
echo "${ApplicationUserName}:$hash" >> /etc/nginx/.htpasswd
However, when I execute them one at a time manually they work just fine.
Complete code:
#!/bin/bash -x
yum -y update
yum install -y aws-cfn-bootstrap
yum install httpd-tools -y
echo
/opt/aws/bin/cfn-init --verbose --stack ${AWS::StackName} --resource EC2Instance --region ${AWS::Region}
/opt/aws/bin/cfn-signal -e $? --stack ${AWS::StackName} --resource EC2Instance --region ${AWS::Region}
sudo touch /etc/nginx/.htpasswd
hash="$(echo -n "$MD5Password" | md5sum )"
echo "${ApplicationUserName}:$hash" >> /etc/nginx/.htpasswd
This is part of user data I am passing in an AWS Cloudformation template.
What am I missing here?
The error message occurs because the /etc/nginx directory doesn't exist. Change it to:
mkdir -p /etc/nginx
touch /etc/nginx/.htpasswd
And it should be fine.
As noted in comments, the sudo isn't required or recommended there, so I removed it.
However, when I execute them one at a time manually they work just fine.
That's not possible. Something else must be creating the /etc/nginx directory later in your script or build process, but prior to you trying those commands manually. Maybe you install the nginx rpm later perhaps?
I added another condition to my if, elseif condition for my bash shell script. I am new to shell scripting, can you guys review my code if my syntax for if conditions are right especially the "fi" implementation. Much appreciated.
if [ -f /etc/system-release ] && grep Amazon /etc/system-release > /dev/null; then
cd /tmp
sudo yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm
else
# we're either RedHat or Ubuntu
DISTRIBUTOR=`lsb_release -is`
DISTRIBUTOR2=`lsb_release -cs`
if [ "trusty" == $DISTRIBUTOR2 ]; then
cd /tmp
wget https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/debian_amd64/amazon-ssm-agent.deb
sudo dpkg -i amazon-ssm-agent.deb
sudo start amazon-ssm-agent
elif [ "RedHatEnterpriseServer" == $DISTRIBUTOR ]; then
cd /tmp
sudo yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm
elif [ "xenial" == $DISTRIBUTOR2 ]; then
cd /tmp
wget https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/debian_amd64/amazon-ssm-agent.deb
sudo dpkg -i amazon-ssm-agent.deb
sudo systemctl enable amazon-ssm-agent
fi
fi
sleep 10
Looks basically ok, but https://www.shellcheck.net/ has a couple of comments that you should probably address.