diff --git a/scripts/local/setup-hosts.sh b/scripts/local/setup-hosts.sh
index d15ccf0..4fd48f0 100644
--- a/scripts/local/setup-hosts.sh
+++ b/scripts/local/setup-hosts.sh
@@ -1,5 +1,5 @@
 #!/bin/sh
-# Add /etc/hosts entries for VM service domains. Requires root.
+# Add /etc/hosts entries for VM service domains.
 set -eu
 
 # Domains on vm-proxy (WG: 10.0.0.1)
@@ -21,12 +21,12 @@ accounts.tiararodney.com
 
 for domain in $PROXY_DOMAINS; do
 grep -q "$domain" /etc/hosts 2>/dev/null && continue
- echo "10.0.0.1 $domain" >> /etc/hosts
+ echo "10.0.0.1 $domain" | sudo tee -a /etc/hosts > /dev/null
 echo " added $domain -> 10.0.0.1"
 done
 
 for domain in $IDP_DOMAINS; do
 grep -q "$domain" /etc/hosts 2>/dev/null && continue
- echo "10.0.0.2 $domain" >> /etc/hosts
+ echo "10.0.0.2 $domain" | sudo tee -a /etc/hosts > /dev/null
 echo " added $domain -> 10.0.0.2"
 done
diff --git a/scripts/local/setup-wireguard.sh b/scripts/local/setup-wireguard.sh
index a467bb7..910fe79 100644
--- a/scripts/local/setup-wireguard.sh
+++ b/scripts/local/setup-wireguard.sh
@@ -1,9 +1,9 @@
 #!/bin/sh
-# Configure local WireGuard interface to peer with the VMs. Requires root.
+# Configure local WireGuard interface to peer with the VMs.
 #
 # Expects /etc/wireguard/private.key and /etc/wireguard/public.key to exist.
 # Generate with:
-# wg genkey | tee /etc/wireguard/private.key | wg pubkey > /etc/wireguard/public.key
+# sudo sh -c 'wg genkey | tee /etc/wireguard/private.key | wg pubkey > /etc/wireguard/public.key'
 set -eu
 
 SSH_USER=debian
@@ -15,8 +15,10 @@ WG_IFACE=wg-dev
 LOCAL_WG_IP=10.0.0.3/24
 WG_PORT=51820
 
-# Get the VM public keys
+# Get the VM public keys (runs as calling user, not root)
+# shellcheck disable=SC2086
 PROXY_PUBKEY=$(ssh $SSH_OPTS "${SSH_USER}@${PROXY_HOST}" 'sudo cat /etc/wireguard/public.key' 2>/dev/null)
+# shellcheck disable=SC2086
 IDP_PUBKEY=$(ssh $SSH_OPTS "${SSH_USER}@${IDP_HOST}" 'sudo cat /etc/wireguard/public.key' 2>/dev/null)
 
 if [ -z "$PROXY_PUBKEY" ] || [ -z "$IDP_PUBKEY" ]; then
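Review bot: In the second setup-hosts.sh hunk, the `grep -q "$domain" /etc/hosts` guard in front of each new `sudo tee -a` line is an unanchored regex match, so a stale entry mapping the same domain to a different address, a commented-out line, or any line that merely contains the domain text (the dots match any character) makes the loop skip the domain and print nothing. Anchor the match to a hostname field, which is also the pattern teardown-hosts.sh uses to delete entries: `grep -q "[[:space:]]${domain}\$" /etc/hosts 2>/dev/null && continue` (same change in the IDP loop). That still treats an entry with a different IP as "already configured"; if the address must match too, compare the whole expected line, e.g. `grep -qxF -- "10.0.0.1 $domain" /etc/hosts`. The `tee -a` pipelines themselves are fine under `set -eu`: the pipeline status is `sudo tee`'s, so a refused sudo aborts the script.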
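Review bot: The replacement key-generation command in the setup-wireguard.sh header comment, `sudo sh -c 'wg genkey | tee /etc/wireguard/private.key | wg pubkey > /etc/wireguard/public.key'`, creates private.key with the root shell's default umask, which on most systems leaves the private key readable by every local user. Suggest `#   sudo sh -c 'umask 077; wg genkey | tee /etc/wireguard/private.key | wg pubkey > /etc/wireguard/public.key'` so the key file is created mode 0600 from the start. This comment is the only place the command is documented, so anyone following it verbatim inherits the permissions problem.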
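Review bot: Both key fetches in the second setup-wireguard.sh hunk still discard stderr with `2>/dev/null`, and under `set -eu` a failing `ssh` inside the command substitution aborts the script at the assignment, so an authentication error, a host-key mismatch or an unreachable VM exits silently and the `-z` check at the end of the hunk never runs for that case. Drop the redirection or fail with a message, e.g. `PROXY_PUBKEY=$(ssh $SSH_OPTS "${SSH_USER}@${PROXY_HOST}" 'sudo cat /etc/wireguard/public.key') || { echo "failed to read proxy public key" >&2; exit 1; }`, and likewise for IDP_PUBKEY. SSH_OPTS is defined above the hunk, so whether it relaxes host-key checking cannot be seen here; the new `shellcheck disable=SC2086` lines are appropriate for the intentional word-splitting of that variable. The body of the `if` continues in the next hunk.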
@@ -25,10 +27,10 @@ if [ -z "$PROXY_PUBKEY" ] || [ -z "$IDP_PUBKEY" ]; then exit 1 fi -cat > /etc/wireguard/${WG_IFACE}.conf < /dev/null </dev/null || true -wg-quick up ${WG_IFACE} +sudo wg-quick down ${WG_IFACE} 2>/dev/null || true +sudo wg-quick up ${WG_IFACE} echo "==> WireGuard ${WG_IFACE} up (${LOCAL_WG_IP})"
diff --git a/scripts/local/teardown-hosts.sh b/scripts/local/teardown-hosts.sh
index 87a0917..38fb19a 100644
--- a/scripts/local/teardown-hosts.sh
+++ b/scripts/local/teardown-hosts.sh
@@ -1,5 +1,5 @@
 #!/bin/sh
-# Remove VM service domain entries from /etc/hosts. Requires root.
+# Remove VM service domain entries from /etc/hosts.
 set -eu
 
 DOMAINS="
@@ -15,7 +15,7 @@ accounts.tiararodney.com
 "
 
 for domain in $DOMAINS; do
- sed -i "/[[:space:]]${domain}$/d" /etc/hosts
+ sudo sed -i "/[[:space:]]${domain}$/d" /etc/hosts
 done
 
 echo "==> /etc/hosts entries removed"
diff --git a/scripts/local/teardown-wireguard.sh b/scripts/local/teardown-wireguard.sh
index 1749c05..d4cf22b 100644
--- a/scripts/local/teardown-wireguard.sh
+++ b/scripts/local/teardown-wireguard.sh
@@ -1,10 +1,10 @@
 #!/bin/sh
-# Remove local WireGuard interface. Requires root.
+# Remove local WireGuard interface.
 set -eu
 
 WG_IFACE=wg-dev
 
-wg-quick down ${WG_IFACE} 2>/dev/null || true
-rm -f /etc/wireguard/${WG_IFACE}.conf
+sudo wg-quick down ${WG_IFACE} 2>/dev/null || true
+sudo rm -f /etc/wireguard/${WG_IFACE}.conf
 
 echo "==> WireGuard ${WG_IFACE} removed"
diff --git a/scripts/prod-deploy.sh b/scripts/prod-deploy.sh
index a78c7e2..194bbe4 100755
--- a/scripts/prod-deploy.sh
+++ b/scripts/prod-deploy.sh
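Review bot: The config write that precedes the new `sudo wg-quick down` / `sudo wg-quick up` lines in the third setup-wireguard.sh hunk is garbled in this view, so this is inferred: if `/etc/wireguard/${WG_IFACE}.conf` is now produced through `sudo tee` or a root-shell redirect, it is created under the default umask (typically 0644) even though it presumably embeds the local private key, and wg-quick only warns about a world-accessible config before bringing the interface up. Create the file with restrictive permissions before filling it, e.g. `sudo install -m 600 /dev/null "/etc/wireguard/${WG_IFACE}.conf"`, or run the write under `umask 077`. The `2>/dev/null || true` on `wg-quick down` also swallows a sudo refusal, which then surfaces only at the `up` line with no hint of the cause.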
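Review bot: In the second teardown-hosts.sh hunk every loop iteration now runs its own `sudo sed -i`, so /etc/hosts is rewritten once per domain and each pass is a separate privileged invocation; one sed script applied in a single pass is cheaper and cannot leave the file half-edited if an iteration fails. The pattern also leaves the dots in `${domain}` unescaped, so `accounts.tiararodney.com` would delete any line ending in `accountsXtiararodneyXcom` as well, and `sed -i` is a GNU/BSD extension (BSD needs `-i ''`) in a script declared `#!/bin/sh`. A single-pass form with the dots escaped is below; DOMAINS is defined above the hunk.
```sh
expr=""
for domain in $DOMAINS; do
  # escape the dots so the pattern matches only this exact domain
  esc=$(printf '%s\n' "$domain" | sed 's/\./\\./g')
  expr="${expr}/[[:space:]]${esc}\$/d;"
done
sudo sed -i "${expr%;}" /etc/hosts
# … unchanged: final echo …
```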
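Review bot: In the teardown-wireguard.sh hunk, `sudo wg-quick down ${WG_IFACE} 2>/dev/null || true` treats every failure as "the interface was not up", and the next line then deletes the config; if `down` failed for another reason (sudo refused, wg-quick missing, interface busy) the interface is left up with no config file for a later `wg-quick down` to use. Skip the `down` only when the interface really is absent, e.g. `if sudo wg show ${WG_IFACE} >/dev/null 2>&1; then sudo wg-quick down ${WG_IFACE}; fi`, and let a genuine failure abort under `set -eu` before the `rm -f`.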
@@ -33,13 +33,13 @@ done
 if [ -n "$service" ]; then
 echo "==> Deploying to production: $service"
 if [ -n "$skip_tags" ]; then
- exec ansible-playbook -i "$INVENTORY" "$PLAYBOOK" \
+ exec ansible-playbook -i "$INVENTORY" "$PLAYBOOK" --vault-password-file .vault-pass \
 --tags "$service" --skip-tags "$skip_tags"
 else
- exec ansible-playbook -i "$INVENTORY" "$PLAYBOOK" \
+ exec ansible-playbook -i "$INVENTORY" "$PLAYBOOK" --vault-password-file .vault-pass \
 --tags "$service"
 fi
 else
 echo "==> Full production deployment"
- exec ansible-playbook -i "$INVENTORY" "$PLAYBOOK"
+ exec ansible-playbook -i "$INVENTORY" "$PLAYBOOK" --vault-password-file .vault-pass
 fi
diff --git a/scripts/provision.sh b/scripts/provision.sh
index 70ce093..06dff30 100755
--- a/scripts/provision.sh
+++ b/scripts/provision.sh
@@ -18,10 +18,10 @@ echo "==> Running full playbook"
 ansible-playbook -i "$INVENTORY" "$PLAYBOOK" --vault-password-file "$VAULT_PASS"
 
 echo "==> Setting up local WireGuard"
-sudo "$SCRIPT_DIR/local/setup-wireguard.sh"
+"$SCRIPT_DIR/local/setup-wireguard.sh"
 
 echo "==> Setting up local /etc/hosts"
-sudo "$SCRIPT_DIR/local/setup-hosts.sh"
+"$SCRIPT_DIR/local/setup-hosts.sh"
 
 echo "==> Snapshotting 'provisioned'"
 "$SCRIPT_DIR/vm/snapshot.sh" provisioned
diff --git a/scripts/teardown.sh b/scripts/teardown.sh
index 7761d45..cb5b128 100644
--- a/scripts/teardown.sh
+++ b/scripts/teardown.sh
@@ -7,9 +7,9 @@ echo "==> Destroying VMs"
 "$SCRIPT_DIR/vm/destroy.sh"
 
 echo "==> Tearing down local WireGuard"
-sudo "$SCRIPT_DIR/local/teardown-wireguard.sh"
+"$SCRIPT_DIR/local/teardown-wireguard.sh"
 
 echo "==> Removing local /etc/hosts entries"
-sudo "$SCRIPT_DIR/local/teardown-hosts.sh"
+"$SCRIPT_DIR/local/teardown-hosts.sh"
 
 echo "==> Done. Run scripts/provision.sh to start over."
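Review bot: In the prod-deploy.sh hunk, `--vault-password-file .vault-pass` is spelled out on all three exec lines, and as a relative path it resolves against whatever directory the operator runs the script from rather than the repository, so a deploy started from elsewhere fails or, worse, picks up a different `.vault-pass`. provision.sh already passes `--vault-password-file "$VAULT_PASS"`; define the same variable once next to INVENTORY and PLAYBOOK (both set above the hunk), e.g. `VAULT_PASS=${VAULT_PASS:-"$(dirname "$0")/../.vault-pass"}`, and use `--vault-password-file "$VAULT_PASS"` on the three lines. Whether `.vault-pass` is excluded from version control and readable only by the deploying user cannot be seen from this hunk.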
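Review bot: With the `sudo` wrappers removed in the provision.sh hunk, the privilege prompts now come from inside setup-wireguard.sh and setup-hosts.sh, i.e. only after the full `ansible-playbook` run on the line above has finished; if the operator has stepped away the run stalls at a password prompt, and if sudo's cached credential expires between the two scripts the prompt repeats. Consider `sudo -v` before `echo "==> Running full playbook"` so the credential is obtained up front and the remainder runs unattended; the teardown.sh hunk has the same shape and would benefit the same way. Whether provision.sh itself runs under `set -e`, so that a failing child script stops the run before the snapshot, is outside the hunk.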