Update services. Update configuration.
@@ -1,5 +1,5 @@
|
||||
#!/usr/bin/env nix-shell
|
||||
#!nix-shell -i bash -p bash coreutils gnused gum fastfetch xkcdpass sops ssh-to-age age sshpass envsubst pciutils usbutils mosquitto
|
||||
#!nix-shell -i bash -p bash coreutils gnused gum fastfetch xkcdpass sops ssh-to-age age sshpass envsubst pciutils usbutils mosquitto curl jq
|
||||
|
||||
### --> Default settings
|
||||
export GUM_SPIN_SPINNER="minidot"
|
||||
@@ -728,6 +728,60 @@ export_configuration() {
|
||||
echo "export TRAEFIK_REF_NETWORKS=\"${TRAEFIK_REF_NETWORKS}\"" >> $CONFIG_EXPORT_FILE
|
||||
}
|
||||
|
||||
cloudflare_dns_setup() {
|
||||
echo -e "\n\n☁️ Configuring Cloudflare DNS records..."
|
||||
|
||||
# 1. Get Zone ID
|
||||
local ZONE_ID
|
||||
ZONE_ID=$(curl -s -X GET "https://api.cloudflare.com/client/v4/zones?name=${DOMAIN_NAME}" \
|
||||
-H "Authorization: Bearer ${CF_DNS_API_TOKEN}" \
|
||||
-H "Content-Type: application/json" | jq -r '.result[0].id')
|
||||
|
||||
if [[ "${ZONE_ID}" == "null" || -z "${ZONE_ID}" ]]; then
|
||||
echo -e "\n\n⚠️ Could not fetch Zone ID for ${DOMAIN_NAME}. Please check your Cloudflare \"DNS ZONE\" API token"
|
||||
echo "Check out the Numbus-Server documentation to see out to get one."
|
||||
fi
|
||||
|
||||
# 2. Iterate services
|
||||
for service in "${SELECTED_SERVICES[@]}"; do
|
||||
if [[ "${service}" == "virtualization" ]]; then continue; fi
|
||||
|
||||
local SUBDOMAIN="${service}.${DOMAIN_NAME}"
|
||||
echo -n " - Checking for existing record : ${SUBDOMAIN}..."
|
||||
|
||||
# Check existence
|
||||
local RECORD_ID
|
||||
RECORD_ID=$(curl -s -X GET "https://api.cloudflare.com/client/v4/zones/${ZONE_ID}/dns_records?name=${SUBDOMAIN}&type=A" \
|
||||
-H "Authorization: Bearer ${CF_DNS_API_TOKEN}" \
|
||||
-H "Content-Type: application/json" | jq -r '.result[0].id')
|
||||
|
||||
if [[ "${RECORD_ID}" != "null" && -n "${RECORD_ID}" ]]; then
|
||||
RECORD_ID_CONTENT=$(curl -s -X GET "https://api.cloudflare.com/client/v4/zones/${ZONE_ID}/dns_records?name=${SUBDOMAIN}&type=A" \
|
||||
-H "Authorization: Bearer ${CF_DNS_API_TOKEN}" \
|
||||
-H "Content-Type: application/json" | jq -r '.result[0].content')
|
||||
if [[ "${RECORD_ID_CONTENT}" == "${HOME_SERVER_IP}" ]]; then
|
||||
echo " ✅ Already configured"
|
||||
else
|
||||
echo " ⚠️ A DNS record is configured but does not point to the correct IP"
|
||||
echo "Do you want to update it? It could break past DNS record you defined"
|
||||
fi
|
||||
else
|
||||
echo -n " ⏳ Creating..."
|
||||
local CREATE_RES
|
||||
CREATE_RES=$(curl -s -X POST "https://api.cloudflare.com/client/v4/zones/${ZONE_ID}/dns_records" \
|
||||
-H "Authorization: Bearer ${CF_DNS_API_TOKEN}" \
|
||||
-H "Content-Type: application/json" \
|
||||
--data "{\"type\":\"A\",\"name\":\"${SUBDOMAIN}\",\"content\":\"${HOME_SERVER_IP}\",\"ttl\":1,\"proxied\":false}" | jq -r '.success')
|
||||
|
||||
if [[ "${CREATE_RES}" == "true" ]]; then
|
||||
echo " ✅ Created."
|
||||
else
|
||||
echo " ❌ Failed."
|
||||
fi
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
deploy() {
|
||||
git -C "/home/nixosd/numbus-server" add -f "final-nix-config"
|
||||
|
||||
@@ -772,10 +826,10 @@ postrun_action() {
|
||||
ssh_to_host 'bash -s' << EOF
|
||||
echo "Enrolling boot disk key to TPM..."
|
||||
if [[ ${#BOOT_DISKS_ID[@]} -eq 1 ]]; then
|
||||
echo $REMOTE_PASS | sudo -S systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 --unlock-key-file=/etc/secrets/disks/boot-1 /dev/${BOOT_DISKS_1_NAME}
|
||||
echo $REMOTE_PASS | sudo -S systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 --unlock-key-file=/etc/secrets/disks/boot-1 /dev/${BOOT_DISK_1_NAME}
|
||||
elif [[ ${#BOOT_DISKS_ID[@]} -eq 2 ]]; then
|
||||
echo $REMOTE_PASS | sudo -S systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 --unlock-key-file=/etc/secrets/disks/boot-1 /dev/${BOOT_DISKS_1_NAME}
|
||||
echo $REMOTE_PASS | sudo -S systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 --unlock-key-file=/etc/secrets/disks/boot-2 /dev/${BOOT_DISKS_2_NAME}
|
||||
echo $REMOTE_PASS | sudo -S systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 --unlock-key-file=/etc/secrets/disks/boot-1 /dev/${BOOT_DISK_1_NAME}
|
||||
echo $REMOTE_PASS | sudo -S systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 --unlock-key-file=/etc/secrets/disks/boot-2 /dev/${BOOT_DISK_2_NAME}
|
||||
fi
|
||||
|
||||
echo "Getting PCRS 15 hash..."
|
||||
@@ -786,6 +840,8 @@ sed -i "s|# systemIdentity.pcr15 = "PCR_HASH";| systemIdentity.pcr15 = "PCR_HA
|
||||
sed -i "s|PCR_HASH|\${PCR_HASH}|" /etc/nixos/configuration.nix
|
||||
EOF
|
||||
|
||||
|
||||
|
||||
gum style --border normal --margin "1" --padding "1 2" --border-foreground 212 "
|
||||
⚠️ $(gum style --foreground 212 'WARNING:') You will now set the password of the numbus-admin user. \
|
||||
You will almost never user it. Consider using a very strong password : you can write it down \
|
||||
@@ -864,6 +920,7 @@ if [[ "$ACTION_ANSWER" == "[1] 🌐 Deploy NixOS on a remote machine" ]]; then
|
||||
disks_generation
|
||||
keys_generation
|
||||
nix_generation
|
||||
cloudflare_dns_setup
|
||||
sum_up
|
||||
export_configuration
|
||||
deploy
|
||||
@@ -885,6 +942,7 @@ elif [[ "$ACTION_ANSWER" == "[2] 💽 Deploy NixOS on a remote machine with a fi
|
||||
disks_generation
|
||||
keys_generation
|
||||
nix_generation
|
||||
cloudflare_dns_setup
|
||||
sum_up
|
||||
export_configuration
|
||||
deploy
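Review bot: In cloudflare_dns_setup the Zone ID failure branch only prints a warning and then falls through into the service loop, so every later request goes to `zones//dns_records` with an empty zone while `curl -s` hides the errors; add `return 1` after the second echo in that `if`, and consider `curl -sf` (or `--fail`) throughout so an HTTP error is not reported as `null`. The POST body is assembled by string-interpolating `${SUBDOMAIN}` and `${HOME_SERVER_IP}` into a JSON literal, so a value containing a quote or backslash produces a malformed or unintended payload; since jq is now in the shebang's package list, build the body with `jq -n --arg` as below. The "Do you want to update it?" line in the existing-record branch prints a question but never reads an answer, so a mismatching record is silently left alone; either read a confirmation there or reword it as a plain warning. The same string-built query parameter `name=${DOMAIN_NAME}` is sent un-encoded to the zones and dns_records lookups, which is worth a `--data-urlencode`/`-G` form if DOMAIN_NAME is user-supplied.
```shell
  if [[ "${ZONE_ID}" == "null" || -z "${ZONE_ID}" ]]; then
    # … unchanged: the two warning echos …
    return 1
  fi
  # … unchanged: service loop, existence check …
      local payload
      payload=$(jq -n --arg name "${SUBDOMAIN}" --arg ip "${HOME_SERVER_IP}" \
        '{type: "A", name: $name, content: $ip, ttl: 1, proxied: false}')
      CREATE_RES=$(curl -sf -X POST "https://api.cloudflare.com/client/v4/zones/${ZONE_ID}/dns_records" \
        -H "Authorization: Bearer ${CF_DNS_API_TOKEN}" \
        -H "Content-Type: application/json" \
        --data "${payload}" | jq -r '.success')
```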
|
||||
|
||||