numbus/Numbus
1
0
Fork 0
Code Issues Pull Requests 1 Packages Projects Releases Wiki Activity
Files
92e0f077a48281ef191dcfe496d5d7c7032fb210
Numbus/script/deploy.sh
T
Raphaël Numbus 92e0f077a4 Changed known_hosts file location.
2026-05-29 16:04:04 +02:00

843 lines
30 KiB
Bash
Executable File
Raw Blame History

#!/usr/bin/env nix-shell
#!nix-shell -i bash -p bash coreutils gnused gum xkcdpass sops ssh-to-age age sshpass envsubst pciutils usbutils mosquitto curl jq yq python3
# --- UTILITY FUNCTIONS --->
echod() {
MESSAGE=${1}
if [[ ${DEBUG} -eq 1 ]]; then
echo -e ${MESSAGE}
fi
}
ssh_to_host() {
local COMMAND="${1}"
ssh -i "${TMP_EXTRA_PATH}/home/numbus-admin/.ssh/id_ed25519" "${TARGET_USER}@${LIVE_TARGET_IP}" "${COMMAND}"
}
get_valid_input() {
local VAR_NAME="${1}"
local HEADER="${2}"
local PLACEHOLDER="${3}"
local REGEX="${4}"
local MANDATORY="${5:-true}"
local SENSITIVE="${6:-false}"
if [[ "${MANDATORY}" == "true" ]]; then
local PROMPT="(Required) > "
elif [[ "${MANDATORY}" == "false" ]]; then
local PROMPT="(Optional) > "
fi
while true; do
local INPUT=$(gum input --header "${HEADER}" --prompt "${PROMPT}" --placeholder "${PLACEHOLDER}")
# Handle empty input
if [[ -z "${INPUT}" ]]; then
if [[ "${MANDATORY}" == true ]]; then
gum style --foreground "#ff0000" -- " ❌ This field is mandatory."
continue
else
INPUT=""
break
fi
fi
# Handle Regex Validation
if [[ -n "${REGEX}" ]]; then
if [[ "${INPUT}" =~ ${REGEX} ]]; then
export "${VAR_NAME}"="${INPUT}"
break
else
gum style --foreground "#ff0000" -- " ❌ Invalid format. Please try again."
fi
else
export "${VAR_NAME}"="${INPUT}"
break
fi
done
}
# --- UTILITY FUNCTIONS ---<
# --- GLOBAL FUNCTIONS --->
cleanup() {
if [[ "${DEBUG}" -eq 1 ]]; then
echo -e "\n ✅ Exiting..."
echo -e "\n ✅ Debug mode is enabled. Clean up manually files located at ${INSTALL_DIR} or reboot."
else
echo -e "\n ✅ Cleaning up..."
rm -${DIR_RM_FLAGS} "${INSTALL_DIR}"
fi
if [[ -n "${BRIDGE_PID:-}" ]] && ps -p ${BRIDGE_PID} >> "${STDOUT}" 2>> "${STDERR}"; then
kill ${BRIDGE_PID}
fi
echo -e "\n 🌟 Thanks for using Numbus, consider supporting the project !"
}
launch_gui() {
echo -e "\n 🚀 Launching Numbus Configurator..."
echo -e " ➡️ You will now proceed to the configuration of your device through your browser"
python3 "${BRIDGE_SCRIPT}" >> "${STDOUT}" 2>> "${STDERR}" &
export BRIDGE_PID=$!
local START_URL="http://localhost:${WEBSERVER_PORT}/pages/index.html"
xdg-open "${START_URL}" >> "${STDOUT}" 2>> "${STDERR}" || open "${START_URL}" >> "${STDOUT}" 2>> "${STDERR}" || true
sleep 5
echo -e "\n ⚠️ If it doesn't automatically, open your browser at: $(gum style "${START_URL}")"
}
hierarchy_preparation() {
echod "\n 🔄 Preparing the folder hierarchy for the final configuration..."
# Extra files folders
mkdir -${MKDIR_FLAGS} ${TMP_EXTRA_PATH}/home/numbus-admin/.ssh/
mkdir -${MKDIR_FLAGS} ${TMP_EXTRA_PATH}/var/lib/sops-nix/
mkdir -${MKDIR_FLAGS} ${TMP_EXTRA_PATH}/etc/nixos/secrets/disks
mkdir -${MKDIR_FLAGS} ${TMP_EXTRA_PATH}/etc/nixos/secrets/system
mkdir -${MKDIR_FLAGS} ${TMP_EXTRA_PATH}/etc/nixos/secrets/podman
echod "\n ✅ Folder hierarchy ready"
}
setup_ssh() {
echod "\n ➡️ Generating new SSH key for numbus-admin..."
chmod 700 "${TMP_EXTRA_PATH}/home/numbus-admin/.ssh/"
ssh-keygen -t "ed25519" -C "numbus-admin@numbus-${DEVICE_TYPE}" -f "${TMP_EXTRA_PATH}/home/numbus-admin/.ssh/id_ed25519" -N "" -q
echod "\n ➡️ Copying SSH key to target host '${TARGET_USER}@${LIVE_TARGET_IP}'..."
if cat "/home/${USER}/.ssh/known_hosts" | grep "${LIVE_TARGET_IP}" >> "${STDOUT}" 2>> "${STDERR}"; then
echo -e "\n ⚠️ The SSH fingerprint for the selected IP address $(gum style --italic "\"${LIVE_TARGET_IP}\"") is not the same as the one in $(gum style --italic "\".ssh/known_hosts\"").
This could occur for multiple reasons :
- You ran the script multiple times and rebooted your live machine
- Your live machine uses an IP address that was used by another devices you SSHed in
- You are under a Man-In-The-Middle attack
- Other
The script $(gum style --bold "cannot continue") without the correct fingerprint installed.
If you are unsure, it is always better to check manually.\n"
gum confirm "Remove the old fingerprint and accept the new one ?" || { echo -e "\n\n ❌ SSH fingerprints don't match."; exit 22; }
sed -i '/${LIVE_TARGET_IP}/d' "/home/${USER}/.ssh/known_hosts"
fi
if sshpass -p "${LIVE_TARGET_PASSWORD}" ssh-copy-id -o StrictHostKeyChecking=no -i "${TMP_EXTRA_PATH}/home/numbus-admin/.ssh/id_ed25519" "${TARGET_USER}@${LIVE_TARGET_IP}" >> "${STDOUT}" 2>> "${STDERR}"; then
echod "\n ✅ SSH key copied successfully"
else
echo -e "\n ❌ Failed to copy SSH key. Please check the host IP and password."
exit 1
fi
}
hardware_detection() {
local TMPFILE="/run/user/1000/numbus-installer/hw_detection.json"
ssh_to_host "nix-shell -p jq pciutils usbutils smartmontools iproute2 --run 'bash -s'" << SSHEND >> "${STDOUT}" 2>> "${STDERR}"
set -euo pipefail
HW_REPORT=\$(jq -n '{}')
append_to_report() {
local key="\${1}"
local json_array="\${2}"
HW_REPORT=\$(echo "\${HW_REPORT}" | jq --argjson arr "\${json_array}" --arg k "\${key}" '.[\${k}] = \${arr}')
}
detect_graphics() {
local gpus="[]"
while read -r line; do
[[ -z "\${line}" ]] && continue
local brand="unknown"
local renderer="none"
local product="unknown"
local integrated="false"
local pci_addr="none"
# Extract PCI address
pci_addr="\$(echo "\${line}" | cut -d' ' -f1)"
# Brand
for b in Intel AMD NVIDIA; do
if echo "\${line}" | grep -iq "\${b}"; then
brand="\${b}"
break
fi
done
# Renderer
if [[ -d "/dev/dri/by-path" ]]; then
local render_node=\$(ls /dev/dri/by-path | grep "\${pci_addr}" | grep "render" | head -n1 || true)
if [[ -n "\${render_node}" ]]; then
renderer=\$(basename "\$(readlink -f "/dev/dri/by-path/\${render_node}")")
fi
fi
# Product name
product="\${line#*:}"
product="\${product#*: }"
# Form factor
if [[ "\${brand}" == "NVIDIA" ]]; then
integrated="false"
fi
if [[ "\${brand}" == "Intel" ]]; then
if echo "\${line}" | grep -Ei "HD Graphics|Xe"; then
integrated="true"
else
integrated="false"
fi
fi
if [[ "\${brand}" == "AMD" ]]; then
if echo "\$line" | grep -i "Mobile"; then
integrated="true"
else
integrated="false"
fi
fi
local obj=\$(jq -n \
--arg b "\${brand}" \
--arg r "\${renderer}" \
--arg p "\${product}" \
--argjson i "\${integrated}" \
'{brand: \$b, renderer: \$r, product: \$p, integrated: \$i}')
gpus=\$(echo "\$gpus" | jq --argjson obj "\$obj" '. += [\$obj]')
done < <(lspci | grep -Ei "VGA|3D")
append_to_report "graphics" "\$gpus"
}
# --- 2. Detect Coral TPUs ---
detect_corals() {
local corals="[]"
# Check PCIe Coral (Google ID 1ac1:089a)
if lspci -nn | grep -iq "1ac1:089a"; then
local pcie_count
pcie_count=\$(lspci -nn | grep -ic "1ac1:089a")
for ((i=1; i<=pcie_count; i++)); do
local obj=\$(jq -n --arg i "PCIe" '{interface: \$i, type: "Edge TPU"}')
corals=\$(echo "\$corals" | jq --argjson obj "\$obj" '. += [\$obj]')
done
fi
# Check USB Coral (Google ID 18d1:9302)
if lsusb | grep -iq "18d1:9302"; then
local usb_count
usb_count=\$(lsusb | grep -ic "18d1:9302")
for ((i=1; i<=usb_count; i++)); do
local obj=\$(jq -n --arg i "USB" '{interface: \$i, type: "Edge TPU"}')
corals=\$(echo "\$corals" | jq --argjson obj "\$obj" '. += [\$obj]')
done
fi
append_to_report "coral_devices" "\$corals"
}
# --- 3. Detect Zigbee Coordinators ---
detect_zigbee() {
local zigbees="[]"
local serial_dir="/dev/serial/by-id"
if [[ -d "\$serial_dir" ]]; then
for dev in "\$serial_dir"/*; do
[[ -e "\$dev" ]] || continue # skip if empty directory pattern matched
# Match common Zigbee adapter names (Sonoff, ConBee, ITead, CC2531, etc.)
if echo "\$dev" | grep -iE 'zigbee|conbee|sonoff|cc2531|efr32|itead'; then
local obj=\$(jq -n --arg p "\$dev" '{device_path: \$p}')
zigbees=\$(echo "\$zigbees" | jq --argjson obj "\$obj" '. += [\$obj]')
fi
done
fi
append_to_report "zigbee_devices" "\$zigbees"
}
# --- 4. Detect Network Interfaces ---
detect_network() {
local networks="[]"
local default_iface
default_iface=\$(ip -4 route show default | awk '{print \$5}' | head -n1)
for iface_path in /sys/class/net/*; do
[[ -e "\$iface_path" ]] || continue
local iface
iface=\$(basename "\$iface_path")
# Skip loopback and virtual interfaces
[[ "\$iface" == "lo" ]] && continue
[[ -L "\$iface_path" && \$(readlink "\$iface_path") == *"virtual"* ]] && continue
local type="wired"
[[ -d "\$iface_path/wireless" ]] && type="wireless"
local is_default="false"
[[ "\$iface" == "\$default_iface" ]] && is_default="true"
local obj=\$(jq -n --arg n "\$iface" --arg t "\$type" --argjson d "\$is_default" \
'{name: \$n, type: \$t, default: \$d}')
networks=\$(echo "\$networks" | jq --argjson obj "\$obj" '. += [\$obj]')
done
append_to_report "network_interfaces" "\$networks"
}
# --- 5. Detect TPM ---
detect_tpm() {
local tpms="[]"
for tpm_dir in /sys/class/tpm/tpm*; do
[[ -e "\$tpm_dir" ]] || continue
local name
name=\$(basename "\$tpm_dir")
local version="Unknown"
if [[ -f "\$tpm_dir/tpm_version_major" ]]; then
version=\$(cat "\$tpm_dir/tpm_version_major")
fi
local obj=\$(jq -n --arg n "\$name" --arg v "\$version" '{name: \$n, version: \$v}')
tpms=\$(echo "\$tpms" | jq --argjson obj "\$obj" '. += [\$obj]')
done
append_to_report "tpm" "\$tpms"
}
# --- 6. Detect Disks ---
detect_disks() {
local disks="[]"
while read -r disk_name; do
# Disk Type Mapping
local disk_type="unknown"
local disk_transport=\$(lsblk -d -n -o TRAN "/dev/\$disk_name" || echo "unknown")
local rotational=\$(lsblk -d -n -o ROTA "/dev/\$disk_name" || echo "1")
if [[ "\$disk_name" == nvme* ]]; then
disk_type="NVMe"
elif [[ "\$rotational" == "1" ]]; then
disk_type="HDD"
elif [[ "\$rotational" == "0" ]]; then
disk_type="SSD"
fi
# Size in GB
local disk_size=\$(lsblk -d -n -o SIZE "/dev/\$disk_name" || echo "unknown")
# ID via by-id
local disk_id="unknown"
if [[ -d "/dev/disk/by-id" ]]; then
local id_match=\$(find /dev/disk/by-id/ -type l -not -name "wwn-*" -not -name "nvme-eui*" -printf "%p %l\n" | grep -m1 "/\$disk_name\$" | awk '{print \$1}')
[[ -n "\$id_match" ]] && disk_id="\$id_match"
fi
# Health
local health="unknown"
if echo "${LIVE_TARGET_PASSWORD}" | sudo -S smartctl -H /dev/\$disk_name 2>/dev/null | grep -i "PASSED"; then
disk_health="Passed"
elif echo "${LIVE_TARGET_PASSWORD}" | sudo -S smartctl -H /dev/\$disk_name 2>/dev/null | grep -i "FAILED"; then
disk_health="Failed"
fi
local obj=\$(jq -n \
--arg n "\${disk_name}" \
--arg t "\${disk_type}" \
--arg tr "\${disk_transport}" \
--arg h "\${disk_health}" \
--arg s "\${disk_size}" \
--arg i "\${disk_id}" \
'{name: \$n, type: \$t, transport: \$tr, health: \$h, size: \$s, id: \$i}')
disks=\$(echo "\$disks" | jq --argjson obj "\$obj" '. += [\$obj]')
done < <(lsblk -d -n -o NAME -e 7,11,252)
append_to_report "disks" "\$disks"
}
# --- Execution ---
detect_graphics
detect_corals
detect_zigbee
detect_network
detect_tpm
detect_disks
# --- Output ---
echo "\$HW_REPORT" | jq '.' > "$TMPFILE"
SSHEND
scp -i "${TMP_EXTRA_PATH}/home/numbus-admin/.ssh/id_ed25519" "${TARGET_USER}@${LIVE_TARGET_IP}":"${TMPFILE}" "${HW_DATA_FILE}" >> "${STDOUT}" 2>> "${STDERR}"
[[ ${DEBUG} -eq 1 ]] && scp -i "${TMP_EXTRA_PATH}/home/numbus-admin/.ssh/id_ed25519" "${TARGET_USER}@${LIVE_TARGET_IP}":"${REMOTE_STDOUT}" "${INSTALL_DIR}/web/logs/hw_std.log" >> "${STDOUT}" 2>> "${STDERR}"
[[ ${DEBUG} -eq 1 ]] && scp -i "${TMP_EXTRA_PATH}/home/numbus-admin/.ssh/id_ed25519" "${TARGET_USER}@${LIVE_TARGET_IP}":"${REMOTE_STDERR}" "${INSTALL_DIR}/web/logs/hw_err.log" >> "${STDOUT}" 2>> "${STDERR}"
if ssh_to_host "echo \"${LIVE_TARGET_PASSWORD}\" | sudo -S nixos-generate-config --no-filesystems --show-hardware-config &> /dev/null" > ${TMP_EXTRA_PATH}/etc/nixos/hardware-configuration.nix; then
echo -e "\n ✅ Hardware configuration generated"
else
echo -e "\n ❌ Failed to generate hardware configuration"
exit 1
fi
}
# --- GLOBAL FUNCTIONS ---<
# --- MAIN SCRIPT FUNCTIONS --->
server_config_generation() {
echod "\n 📝 Generating structured settings.json..."
# Create a temporary JSON file with all the collected variables
# This file will be read by the Nix configuration using builtins.fromJSON
jq -n \
--arg tz "$INTERNATIONALIZATION_TIMEZONE" \
--arg lang "$INTERNATIONALIZATION_LANGUAGE" \
--arg owner "$SERVER_OWNER_NAME" \
--arg ip "$HOME_SERVER_IP" \
--arg iface "$TARGET_INTERFACE" \
--arg router "$NETWORK_ROUTER_IP" \
--arg domain "$DOMAIN_NAME" \
--argjson cockpit_enabled "true" \
--arg dns "${SELECTED_DNS_SERVICE[0]}" \
--argjson apps "$(printf '%s\n' "${SELECTED_WEB_APPLICATIONS[@]}" | jq -R . | jq -s .)" \
'{
system: {
timeZone: $tz,
language: $lang,
owner: $owner
},
network: {
ipAddress: $ip,
interface: $iface,
routerIp: $router
},
services: {
domain: $domain,
dnsProvider: $dns,
enabledApps: $apps,
managementConsole: $cockpit_enabled
}
}' > "${TMP_EXTRA_PATH}/etc/nixos/settings.json"
echo -e "{\n numbus.settings = builtins.fromJSON (builtins.readFile ./settings.json);\n}" > "${CONFIGURATION_PATH}"
# Ensure the settings file is writable by the management service
# and that the directory is prepared for local git tracking
chmod 664 "${TMP_EXTRA_PATH}/etc/nixos/settings.json"
}
# The existing network_config_generation and services_config_generation functions
# are now redundant as the logic is centralized in the JSON export.
mail_config_generation() {
echo -e "\n # Mail settings" >> ${CONFIGURATION_PATH}
echo -e " numbus.mail.enable = true;" >> ${CONFIGURATION_PATH}
echo -e " numbus.mail.userAddress = \"${SERVER_USER_EMAIL}\";" >> ${CONFIGURATION_PATH}
echo -e " numbus.mail.adminAddress = \"${SERVER_ADMIN_EMAIL}\";" >> ${CONFIGURATION_PATH}
echo -e " numbus.mail.smtpUsername = \"${SMTP_SERVER_USERNAME}\";" >> ${CONFIGURATION_PATH}
echo -e " numbus.mail.smtpPasswordPath = config.sops.secrets.smtpPassword.path;" >> ${CONFIGURATION_PATH}
if [[ "${SMTP_SERVER_HOST}" != "smtp.gmail.com" ]]; then
echo -e " numbus.mail.smtpServer = \"${SMTP_SERVER_HOST}\";" >> ${CONFIGURATION_PATH}
fi
if [[ "${SMTP_SERVER_PORT}" != "587" ]]; then
echo -e " numbus.mail.smtpPort = ${SMTP_SERVER_PORT};" >> ${CONFIGURATION_PATH}
fi
}
disk_config_generation() {
echo -e "\n # Hardware settings" >> ${CONFIGURATION_PATH}
if [[ "${TARGET_PCIE_CORAL}" == "true" ]]; then
echo " numbus.hardware.pcie-coral.enable = true;" >> ${CONFIGURATION_PATH}
fi
echo -e " numbus.hardware.bootDisksList = [ ${BOOT_DISKS_ID_LIST[@]} ];" >> ${CONFIGURATION_PATH}
echo -e " numbus.hardware.dataDisksList = [ ${CONTENT_DISK_LIST[@]} ];" >> ${CONFIGURATION_PATH}
echo -e " numbus.hardware.parityDisksList = [ ${PARITY_DISK_LIST[@]} ];" >> ${CONFIGURATION_PATH}
echo -e " numbus.hardware.spindownDisksList = [ ${SPINDOWN_DISKS_LIST[@]} ];" >> ${CONFIGURATION_PATH}
echo "}" >> ${CONFIGURATION_PATH}
}
keys_generation() {
for i in $(seq 1 "${#BOOT_DISKS_ID_LIST[@]}"); do
PASS="$(xkcdpass)"
echo -n "$PASS" > "${TMP_EXTRA_PATH}/etc/secrets/disks/boot-${i}"
chmod 600 "${TMP_EXTRA_PATH}/etc/secrets/disks/boot-${i}"
ssh_to_host 'bash -s' << EOF
echo "$LIVE_TARGET_PASSWORD" | sudo -S mkdir -p /etc/secrets/disks/
echo "$LIVE_TARGET_PASSWORD" | sudo -S bash -c "printf '%s' '$PASS' > /etc/secrets/disks/boot-${i}"
echo "$LIVE_TARGET_PASSWORD" | sudo -S chmod 600 /etc/secrets/disks/boot-${i}
EOF
done
for i in $(seq 1 "$CONTENT_DISK_NUMBER"); do
PASS="$(xkcdpass)"
echo -n "$PASS" > "${TMP_EXTRA_PATH}/etc/secrets/disks/content-${i}"
chmod 600 "${TMP_EXTRA_PATH}/etc/secrets/disks/content-${i}"
ssh_to_host 'bash -s' << EOF
echo "$LIVE_TARGET_PASSWORD" | sudo -S bash -c "printf '%s' '$PASS' > /etc/secrets/disks/content-${i}"
echo "$LIVE_TARGET_PASSWORD" | sudo -S chmod 600 /etc/secrets/disks/content-${i}
EOF
done
for i in $(seq 1 "$PARITY_DISK_NUMBER"); do
PASS="$(xkcdpass)"
echo -n "$PASS" > "${TMP_EXTRA_PATH}/etc/secrets/disks/parity-${i}"
chmod 600 "${TMP_EXTRA_PATH}/etc/secrets/disks/parity-${i}"
ssh_to_host 'bash -s' << EOF
echo "$LIVE_TARGET_PASSWORD" | sudo -S bash -c "printf '%s' '$PASS' > /etc/secrets/disks/parity-${i}"
echo "$LIVE_TARGET_PASSWORD" | sudo -S chmod 600 /etc/secrets/disks/parity-${i}
EOF
done
local SSH_KEYS_FORMATTED=""
if [[ "$(declare -p AUTHORIZED_SSH_PUBLIC_KEY)" =~ "declare -a" ]]; then
for key in "${AUTHORIZED_SSH_PUBLIC_KEY[@]}"; do
SSH_KEYS_FORMATTED+=" $key"$'\n'
done
else
SSH_KEYS_FORMATTED=" $AUTHORIZED_SSH_PUBLIC_KEY"$'\n'
fi
export SSH_KEYS_FORMATTED
echo -e "\n ✅ Generating sops-nix keys..."
ssh-to-age -private-key -i ${TMP_EXTRA_PATH}/home/numbus-admin/.ssh/id_ed25519 > ${TMP_EXTRA_PATH}/var/lib/sops-nix/key.txt
export SOPS_PUBLIC_KEY=$(age-keygen -y ${TMP_EXTRA_PATH}/var/lib/sops-nix/key.txt)
echo -e "\n ✅ Generating sops-nix configuration files..."
envsubst < templates/nix-config/sops-nix/.sops.yaml > ${TMP_EXTRA_PATH}/etc/nixos/.sops.yaml
echo -e "\n ✅ Encrypting secrets in the correct file..."
envsubst < "templates/nix-config/sops-nix/secrets.yaml" \
| sops encrypt --filename-override secrets.yaml \
--input-type yaml --output-type yaml \
--age $SOPS_PUBLIC_KEY \
--output ${TMP_EXTRA_PATH}/etc/nixos/secrets/secrets.yaml
}
cloudflare_dns_setup() {
gum confirm "➡️ This script can automatically create DNS records for your services. Proceed? (recommended)" || { echo -e "\n\n ⚠️ skipping the DNS records creation step..."; return 0; }
local ZONE_ID
local RECORD_COUNT
local IS_MATCHING
local DNS_RECORDS
create_records() {
local SUBDOMAIN="${1}"
local CREATION_STATUS
CREATION_STATUS=$(curl -s -X POST "https://api.cloudflare.com/client/v4/zones/${ZONE_ID}/dns_records" \
-H "Authorization: Bearer ${CLOUDFLARE_DNS_API_TOKEN}" \
-H "Content-Type: application/json" \
--data "{\"type\":\"A\",\"name\":\"${SUBDOMAIN}\",\"content\":\"${HOME_SERVER_IP}\",\"ttl\":1,\"proxied\":false}" | jq -r '.success')
if [[ "${CREATION_STATUS}" == "true" ]]; then
echo " ✅ Successfully created a DNS record for ${SUBDOMAIN}"
else
echo -e "❌ Failed to create a DNS record for ${SUBDOMAIN}. Check documentation to \n
learn how you can create them manually."
fi
}
erase_records() {
local SUBDOMAIN="${1}"
gum style --border normal --margin "1" --padding "1 2" --border-foreground 212 "
⚠️ $(gum style 'WARNING:') One or more existing type A DNS records found for \`${SUBDOMAIN}\`.
This script can clear those DNS records for you and create the correct ones needed for the server.
If you are unsure that these records are actually in use, please select \"no\"."
gum confirm "Select \"yes\" to clear ALL EXISTING type A DNS records for this subdomain and automatically create the correct ones." \
|| { echo -e "\n ⚠️ DNS records for ${SUBDOMAIN} will not be updated"; return 0; }
RECORD_IDS=$(curl -s -X GET "https://api.cloudflare.com/client/v4/zones/${ZONE_ID}/dns_records?name=${SUBDOMAIN}&type=A" \
-H "Authorization: Bearer ${CLOUDFLARE_DNS_API_TOKEN}" \
-H "Content-Type: application/json" | jq -r '.result[].id')
for id in ${RECORD_IDS}; do
curl -s -X DELETE "https://api.cloudflare.com/client/v4/zones/${ZONE_ID}/dns_records/${id}" \
-H "Authorization: Bearer ${CLOUDFLARE_DNS_API_TOKEN}" \
-H "Content-Type: application/json" >> "${STDOUT}" 2>> "${STDERR}"
done
create_records "${SUBDOMAIN}"
}
echo -e "\n\n ☁️ Configuring Cloudflare DNS records..."
i=0
for service in "${SELECTED_WEB_APPLICATIONS[@]}"; do
if [[ -n "${SELECTED_WEB_APPLICATIONS_SUBDOMAIN[${i}]:-}" ]]; then
SELECTED_SERVICES_DNS+=( "${SELECTED_WEB_APPLICATIONS_SUBDOMAIN[${i}]}.${DOMAIN_NAME}" )
else
SELECTED_SERVICES_DNS+=( "${service}.${DOMAIN_NAME}" )
fi
i=$((i + 1))
[[ "${service}" == "nextcloud" ]] && SELECTED_SERVICES_DNS+=( "onlyoffice.${DOMAIN_NAME}" "whiteboard.${DOMAIN_NAME}" )
done
if [[ -n "${SELECTED_DNS_SERVICE_SUBDOMAIN[0]:-}" ]]; then
SELECTED_SERVICES_DNS+=( "${SELECTED_DNS_SERVICE_SUBDOMAIN[0]}.${DOMAIN_NAME}" )
else
SELECTED_SERVICES_DNS+=( "${SELECTED_DNS_SERVICE}.${DOMAIN_NAME}" )
fi
# Get Zone ID
ZONE_ID=$(curl -s -X GET "https://api.cloudflare.com/client/v4/zones?name=${DOMAIN_NAME}" \
-H "Authorization: Bearer ${CLOUDFLARE_DNS_API_TOKEN}" \
-H "Content-Type: application/json" | jq -r '.result[0].id')
if [[ "${ZONE_ID}" == "null" || -z "${ZONE_ID}" ]]; then
echo -e "\n\n ⚠️ Could not fetch Zone ID for ${DOMAIN_NAME}. Please check your Cloudflare \"DNS ZONE\" API token"
echo "Check the Numbus-Server documentation to learn how to get one."
fi
# Check for existing records and create them if non-existent
for service_domain in "${SELECTED_SERVICES_DNS[@]}"; do
DNS_RECORDS=$(curl -s -X GET "https://api.cloudflare.com/client/v4/zones/${ZONE_ID}/dns_records?name=${service_domain}&type=A" \
-H "Authorization: Bearer ${CLOUDFLARE_DNS_API_TOKEN}" \
-H "Content-Type: application/json")
RECORD_COUNT=$(echo "${DNS_RECORDS}" | jq '.result | length')
if [[ "${RECORD_COUNT}" -eq 0 ]]; then
echo -e "\n ⚠️ No DNS record found for ${service_domain}"
create_records "${service_domain}"
elif [[ "${RECORD_COUNT}" -eq 1 ]]; then
if [[ $(echo "${DNS_RECORDS}" | jq ".result[0].content == \"${HOME_SERVER_IP}\"") == "true" ]]; then
echo -e "\n ✅ DNS record already configured for ${service_domain}"
else
echo -e "\n ⚠️ No DNS record found for ${service_domain}"
erase_records "${service_domain}"
fi
elif [[ "${RECORD_COUNT}" -gt 1 ]]; then
erase_records "${service_domain}"
fi
done
}
deploy() {
git -C . add -f "${TMP_EXTRA_PATH}/"
git -C . add -f "templates/"
git -C . add -f "deploy.conf"
# Initialize a git repo in the configuration to be deployed
# This allows the Management UI on the appliance to commit changes
# and provide a local history/rollback UI to the user.
if [ ! -d "${TMP_EXTRA_PATH}/etc/nixos/.git" ]; then
git -C "${TMP_EXTRA_PATH}/etc/nixos" init -q
git -C "${TMP_EXTRA_PATH}/etc/nixos" add .
git -C "${TMP_EXTRA_PATH}/etc/nixos" commit -m "Initial bootstrap via Numbus Deploy" -q
fi
echo -e "\n\n🔄 Deploying to the remote server..."
nix flake update --flake ./${TMP_EXTRA_PATH}/etc/nixos
nix run github:nix-community/nixos-anywhere -- \
--flake ${TMP_EXTRA_PATH}/etc/nixos#numbus-server \
--extra-files ${TMP_EXTRA_PATH} \
--chown "/home/numbus-admin/" 1000:1000 \
--target-host ${TARGET_USER}@${LIVE_TARGET_IP}
echo -e "\n\n✅ Installation successfull !"
sleep 1
}
postrun_action() {
TARGET_USER="numbus-admin"
LIVE_TARGET_IP="${HOME_SERVER_IP}"
LIVE_TARGET_PASSWORD="changeMe!"
echo -e "\n\n Now the remote machine will reboot. You will need to input the boot disk(s) passphrase.
This will be the only time you will have to do so, it will be automatic in the future."
gum spin --title "Rebooting the remote..." -- sleep 120
gum confirm "➡️ Select \"yes\" once the machine rebooted and you unlocked the disks." || { echo -e "\n\n❌ Aborting as requested."; exit 1; }
FOUND="false"
i="0"
while [[ "${FOUND}" == "false" ]]; do
if ping -c1 -W1 $HOME_SERVER_IP >> "${STDOUT}" 2>> "${STDERR}"; then
FOUND="true"
echo -e "\n✅ Ping ${HOME_SERVER_IP} successful ! Continuing..."
else
i=$((i + 1))
if [[ "${i}" -gt 150 ]]; then
echo -e "\n\n❌ Could not connect to the server after 150 retries. \
This is most likely due to a networking issue. Please double check your network settings. Aborting."
exit 1
fi
fi
done
if [[ "${TARGET_TPM}" == "true" && ${TARGET_TPM_VERSION} -eq 2 ]]; then
gum style --border normal --margin "1" --padding "1 2" --border-foreground 212 "
A TPM version 2 has been detected on the system. You can choose to enable automatic disk decryption on boot.
Enabling automatic disk decryption on boot means that you won't have to enter your disk password everytime you start your server.
This comes in very handy if you don't plan to leave your server accessible with a keyboard or if you don't have an IP KVM.
Note : This feature is currently vulnerable to on-site attacks. This means that an attacker with physical access to your machine
could steal the password from the TPM, and therefore have access to all your date.
Do you want to enable automatic disk decryption on boot ?"
if gum confirm "➡️ I understand, 'yes' to proceed."; then
sshpass -p "${LIVE_TARGET_PASSWORD}" ssh -i "${TMP_EXTRA_PATH}/home/numbus-admin/.ssh/id_ed25519" "${TARGET_USER}@${LIVE_TARGET_IP}" 'bash -s' << EOF
echo "Enrolling boot disk key to TPM..."
BOOT_DISKS_NAME=(${BOOT_DISKS_NAME[@]})
DEBUG=${DEBUG}
DISK_PATH=""
j=1
for i in \${!BOOT_DISKS_NAME[@]}; do
if echo "\${BOOT_DISKS_NAME[\${i}]}" | grep -iq "nvme"; then
[[ "\${DEBUG}" == "true" ]] && echo "NVMe detected..."
DISK_PATH="/dev/\${BOOT_DISKS_NAME[\${i}]}p2"
else
[[ "\${DEBUG}" == "true" ]] && echo "Non-NVMe drive detected..."
DISK_PATH="/dev/\${BOOT_DISKS_NAME[\${i}]}2"
fi
[[ "\${DEBUG}" == "true" ]] && echo "Issuing enroll command for disk \${DISK_PATH}..."
echo ${LIVE_TARGET_PASSWORD} | sudo -S systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 --unlock-key-file=/etc/secrets/disks/boot-\${j} \${DISK_PATH}
j=\$((j + 1))
done
echo "Getting PCRS 15 hash..."
PCR_HASH=\$(echo ${LIVE_TARGET_PASSWORD} | sudo -S systemd-analyze pcrs 15 --json=short)
echo ${LIVE_TARGET_PASSWORD} | sudo -S sed -i "s|PCR_HASH|\${PCR_HASH}|" /etc/nixos/configuration.nix
EOF
else
echo "Skipping TPM configuration."
fi
else
echo "No supported TPM detected (TPM version 2 required). Skipping TPM configuration."
fi
gum style --border normal --margin "1" --padding "1 2" --border-foreground 212 "
⚠️ $(gum style 'WARNING:') You will now set the password of the numbus-admin user.
You will almost never user it. Consider using a very strong password : you can write it down
securely on a hidden sheet of paper or add it to your password manager (locally with Passbolt
with any other online password manager provider)."
gum confirm "➡️ I understand, 'yes' to proceed." || { echo -e "\n\n❌ Aborting as requested."; exit 1; }
echo $LIVE_TARGET_PASSWORD | sudo -S passwd numbus-admin
}
# --- MAIN SCRIPT FUNCTIONS ---<
# --- DEFAULT VARIABLES --->
INSTALL_DIR="/run/user/$(id -u)/numbus-installer"
WEBSERVER_PORT=${WEBSERVER_PORT:-8088}
LIVE_DATA_FILE="web/config/live.yaml"
HW_DATA_FILE="web/config/hardware.yaml"
CONFIG_FILE="web/config/numbus.yaml"
BRIDGE_SCRIPT="web/logic/interactive.py"
# default is nixos
TARGET_USER="numbus-admin"
TMP_EXTRA_PATH="extra"
if [[ ${DEBUG-0} -eq 1 ]]; then
FILES_CP_FLAGS="vau"
FILES_RM_FLAGS="vf"
DIR_RM_FLAGS="rvf"
MKDIR_FLAGS="pv"
MV_FLAGS="vu"
STDOUT="${INSTALL_DIR}/web/logs/std.log"
STDERR="${INSTALL_DIR}/web/logs/err.log"
REMOTE_STDOUT="/run/user/1000/numbus-installer/std.log"
REMOTE_STDERR="/run/user/1000/numbus-installer/err.log"
else
DEBUG=0
FILES_CP_FLAGS="au"
FILES_RM_FLAGS="f"
DIR_RM_FLAGS="rf"
MKDIR_FLAGS="p"
MV_FLAGS="u"
STDOUT="/dev/null"
STDERR="/dev/null"
fi
IP_REGEX='^([0-9]{1,3}\.){3}[0-9]{1,3}$'
SUBNET_REGEX='^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$'
DOMAIN_REGEX='^([a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,}$'
EMAIL_REGEX='^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$'
PORT_REGEX='^[0-9]{1,5}$'
SSH_KEY_REGEX='^ssh-[a-z0-9]+ [A-Za-z0-9+/]+.*'
PHONE_REGEX='^\+[1-9][0-9]{7,14}$'
export FOREGROUND="212"
export GUM_INPUT_PADDING="1 1"
export GUM_INPUT_HEADER_FOREGROUND="212"
export GUM_INPUT_CURSOR_FOREGROUND="212"
export GUM_INPUT_TIMEOUT="3600s"
# --- DEFAULTS VARIABLES ---<
# --- PRE MAIN LOGIC --->
set -euo pipefail
clear
trap cleanup EXIT
# --- PRE MAIN LOGIC ---<
# --- MAIN LOGIC --->
echo """
_ ____ ____ ______ __ ______
/ |/ / / / / |/ / _ )/ / / / __/
/ / /_/ / /|_/ / _ / /_/ /\ \
/_/|_/\____/_/ /_/____/\____/___/
"""
launch_gui
until [[ -e "${LIVE_DATA_FILE}" ]]; do
sleep 5
done
INTERNATIONALIZATION_LANGUAGE="$(yq -r '.internationalization.language' ${LIVE_DATA_FILE})"
INTERNATIONALIZATION_COUNTRY="$(yq -r '.internationalization.country' ${LIVE_DATA_FILE})"
INTERNATIONALIZATION_TIMEZONE="$(yq -r '.internationalization.timeZone' ${LIVE_DATA_FILE})"
DEVICE_TYPE="$(yq -r '.device.type' ${LIVE_DATA_FILE})"
DEPLOYMENT_MODE="$(yq -r '.deployment.mode' ${LIVE_DATA_FILE})"
DEPLOYMENT_GIT_URL="$(yq -r '.deployment.git_url' ${LIVE_DATA_FILE})"
DEPLOYMENT_GIT_USERNAME="$(yq -r '.deployment.git_username' ${LIVE_DATA_FILE})"
DEPLOYMENT_GIT_PASSWORD="$(yq -r '.deployment.git_password' ${LIVE_DATA_FILE})"
LIVE_TARGET_IP="$(yq -r '.live_target.ip' ${LIVE_DATA_FILE})"
LIVE_TARGET_PASSWORD="$(yq -r '.live_target.password' ${LIVE_DATA_FILE})"
hierarchy_preparation
setup_ssh
hardware_detection
until [[ -e web/signals/configuration_ready ]]; do
sleep 5
done
until [[ -e web/signals/deployment_ready ]]; do
sleep 5
done
# --- MAIN LOGIC ---<
Reference in New Issue View Git Blame Copy Permalink