author | Simon Rettberg | 2024-06-07 16:20:59 +0200 |
---|---|---|
committer | Simon Rettberg | 2024-06-07 16:20:59 +0200 |
commit | 3f9904d6a73d7795b102553cc94ec9ecce9d0b1c (patch) | |
tree | 599bc828970e567d53e1a0813c3f8177299cb230 /shib_secondary | |
parent | [SSPS] Add safety-fallback to dpkg hook (diff) | |
[shib_secondary] Tool to deploy a secondary masterserver as fallback
Diffstat (limited to 'shib_secondary')
21 files changed, 681 insertions, 0 deletions
diff --git a/shib_secondary/deploy.sh b/shib_secondary/deploy.sh
new file mode 100755
index 0000000..536f221
--- /dev/null
+++ b/shib_secondary/deploy.sh
@@ -0,0 +1,75 @@
+#!/bin/bash
+
+destination=
+domain=
+master=
+secret=
+
+while (( $# > 0 )); do
+ case "$1" in
+ --dest*)
+ destination="$2"
+ shift
+ ;;
+ --domain)
+ domain="$2"
+ shift
+ ;;
+ --master)
+ master="$2"
+ shift
+ ;;
+ --secret)
+ secret="$2"
+ shift
+ ;;
+ *)
+ echo "WAAAAT? NO MAHNEEY?"
+ exit 1
+ esac
+ shift
+done
+
+if ! [[ $destination =~ ^[a-z0-9_]+@[a-z0-9_.-]+$ ]] \
+ || [ -z "$domain" ] \
+ || [ -z "$secret" ] \
+ || ! [[ "$master" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+ echo "Usage: $0 --dest user@4.5.6.7 --domain foo.bar.example.com --master 1.2.3.4 --secret your_master_secret"
+ exit 1
+fi
+
+if [[ $destination == root@* ]]; then
+ sudo=
+else
+ echo "+++++++++++++++++++++++++++++++++++++++++++++++++++++"
+ echo "Using sudo on the remote server to gain root privs..."
+ sudo="sudo "
+fi
+
+echo
+
+if ! ssh "$destination" "$sudo rm -rf -- /tmp/shib_deploy"; then
+ echo "Remote access for preparation failed :-("
+ exit 1
+fi
+
+if ! scp -r "$( dirname -- "${BASH_SOURCE[0]}" )/remote" "${destination}:/tmp/shib_deploy"; then
+ echo "Copying data to $destination failed"
+ exit 1
+fi
+
+if ! ssh "$destination" "$sudo /tmp/shib_deploy/install.sh --domain '$domain' --master '$master' --secret '$secret'"; then
+ echo "Remote install failed :-("
+ exit 1
+fi
+
+echo "------------------------------------------------------"
+echo
+echo "Success"
+echo
+echo
+echo "Remember to make sure the new R/O instance's IP address"
+echo "is allowed to pull the data from $master, and added to"
+echo "the trusted proxy IP addresses."
+echo "(RemoteIPInternalProxy)"
+echo
diff --git a/shib_secondary/remote/000-bwlp-default.conf b/shib_secondary/remote/000-bwlp-default.conf
new file mode 100644
index 0000000..4c7b955
--- /dev/null
+++ b/shib_secondary/remote/000-bwlp-default.conf
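Review bot: The shared secret is spliced into the remote command string on the final ssh call (`--secret '$secret'`), so it is visible in `ps` and in shell/audit history on both ends, and a `'` inside the secret or the domain breaks out of the single quotes and becomes remote shell code — `domain` is only checked for non-emptiness, unlike `destination` and `master`. Validating it with `[[ $domain =~ ^[a-z0-9.-]+$ ]]` and feeding the secret on stdin, e.g. `printf '%s\n' "$secret" | ssh "$destination" "$sudo /tmp/shib_deploy/install.sh --domain '$domain' --master '$master' --secret-stdin"` with install.sh (a later hunk) reading it via `IFS= read -r secret`, keeps it out of argv. The preparation sequence `rm -rf -- /tmp/shib_deploy`, scp into that fixed path under the world-writable /tmp, then executing `/tmp/shib_deploy/install.sh` as root is also a race on a multi-user host: another local account can create the directory between the rm and the scp and plant its own install.sh; creating the staging directory with `mktemp -d` on the remote side and using that path avoids it.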
@@ -0,0 +1,11 @@
+<VirtualHost *:80>
+ ServerName foobar
+ ServerAdmin webmaster@localhost
+ Redirect permanent / https://%DOMAIN%/
+
+ # Possible values include: debug, info, notice, warn, error, crit,
+ # alert, emerg.
+ LogLevel warn
+ CustomLog ${APACHE_LOG_DIR}/access.log combined
+ ErrorLog ${APACHE_LOG_DIR}/error.log
+</VirtualHost>
diff --git a/shib_secondary/remote/110-bwlp-active.conf b/shib_secondary/remote/110-bwlp-active.conf
new file mode 100644
index 0000000..590fc4f
--- /dev/null
+++ b/shib_secondary/remote/110-bwlp-active.conf
@@ -0,0 +1,59 @@
+<VirtualHost *:443>
+ ServerName %DOMAIN%
+
+ UseCanonicalName On
+
+ DocumentRoot /var/www/masterserver
+
+ <Directory />
+ Options FollowSymLinks
+ AllowOverride None
+ </Directory>
+
+ <Location /shibboleth-ds>
+ Require all granted
+ AuthType shibboleth
+ ShibRequestSetting requireSession false
+ require shibboleth
+ </Location>
+
+ <Location /Shibboleth.sso>
+ AuthType None
+ Require all granted
+ </Location>
+ <Location /shibboleth-sp>
+ AuthType None
+ Require all granted
+ </Location>
+
+ Alias /shibboleth-sp/main.css /usr/share/shibboleth/main.css
+ Alias /shibboleth-sp/logo.jpg /usr/share/shibboleth/logo.jpg
+
+ <Location /webif/shib>
+ AuthType shibboleth
+ ShibRequestSetting requireSession true
+ require valid-user
+ </Location>
+
+ # optional (Metadata-Access at entityID-URL)
+ Redirect seeother /shibboleth /Shibboleth.sso/Metadata
+ RedirectMatch /start-session$ /Shibboleth.sso/Login
+
+ LogLevel warn
+ ErrorLog ${APACHE_LOG_DIR}/masterserver/error.log
+ CustomLog ${APACHE_LOG_DIR}/masterserver/access.log combined
+
+ SSLEngine on
+ SSLOptions +StrictRequire
+ # HSTS (mod_headers is required) (15768000 seconds = 6 months)
+ Header always set Strict-Transport-Security "max-age=15768000"
+
+ SSLCertificateFile /opt/bwlp/ssl/live/ssl-cert/cert.pem
+ SSLCertificateKeyFile /opt/bwlp/ssl/live/ssl-cert/privkey.pem
+ SSLCertificateChainFile /opt/bwlp/ssl/live/ssl-cert/chain.pem
+
+ <FilesMatch "\.(cgi|shtml|phtml|php)$">
+ SSLOptions +StdEnvVars
+ </FilesMatch>
+
+</VirtualHost>
diff --git a/shib_secondary/remote/110-bwlp-passthrough.conf b/shib_secondary/remote/110-bwlp-passthrough.conf
new file mode 100644
index 0000000..807d8f8
--- /dev/null
+++ b/shib_secondary/remote/110-bwlp-passthrough.conf
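Review bot: The TLS vhost configures certificates and HSTS but no `SSLProtocol`, `SSLCipherSuite` or `SSLHonorCipherOrder`, so protocol and cipher policy is whatever `mods-available/ssl.conf` of the target release provides; since this host also gets listed as a trusted proxy on the master, pinning it with `SSLProtocol -all +TLSv1.2 +TLSv1.3` next to `SSLEngine on` removes that dependency. `SSLCertificateChainFile` has been deprecated since Apache 2.4.8 and, as far as the later copy-current-config.sh hunk shows, `chain.pem` is not among the files whose change triggers an Apache restart, so a chain-only rotation would not be picked up; appending the chain to `cert.pem` and dropping the directive would avoid both issues.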
@@ -0,0 +1,58 @@
+<VirtualHost *:443>
+ ServerName %DOMAIN%
+
+ UseCanonicalName On
+
+ DocumentRoot /var/www/masterserver
+
+ <Directory />
+ Options FollowSymLinks
+ AllowOverride None
+ </Directory>
+
+ <Location /shibboleth-ds>
+ Require all granted
+ AuthType shibboleth
+ ShibRequestSetting requireSession false
+ require shibboleth
+ </Location>
+
+ <Location /Shibboleth.sso>
+ AuthType None
+ Require all granted
+ </Location>
+ <Location /shibboleth-sp>
+ AuthType None
+ Require all granted
+ </Location>
+
+ Alias /shibboleth-sp/main.css /usr/share/shibboleth/main.css
+ Alias /shibboleth-sp/logo.jpg /usr/share/shibboleth/logo.jpg
+
+ SSLProxyEngine on
+ <LocationMatch ^/(webif/|netboot/|minilinux/|rpc/|/Shibboleth\.sso/|error_report.php)(.*)$>
+ ProxyPassMatch "https://%DOMAIN%/$1$2" connectiontimeout=5 timeout=30 max=10
+ </LocationMatch>
+
+ # optional (Metadata-Access at entityID-URL)
+ Redirect seeother /shibboleth /Shibboleth.sso/Metadata
+ RedirectMatch /start-session$ /Shibboleth.sso/Login
+
+ LogLevel warn
+ ErrorLog ${APACHE_LOG_DIR}/masterserver/error.log
+ CustomLog ${APACHE_LOG_DIR}/masterserver/access.log combined
+
+ SSLEngine on
+ SSLOptions +StrictRequire
+ # HSTS (mod_headers is required) (15768000 seconds = 6 months)
+ Header always set Strict-Transport-Security "max-age=15768000"
+
+ SSLCertificateFile /opt/bwlp/ssl/live/ssl-cert/cert.pem
+ SSLCertificateKeyFile /opt/bwlp/ssl/live/ssl-cert/privkey.pem
+ SSLCertificateChainFile /opt/bwlp/ssl/live/ssl-cert/chain.pem
+
+ <FilesMatch "\.(cgi|shtml|phtml|php)$">
+ SSLOptions +StdEnvVars
+ </FilesMatch>
+
+</VirtualHost>
diff --git a/shib_secondary/remote/alt-servers b/shib_secondary/remote/alt-servers
new file mode 100644
index 0000000..5c8bebc
--- /dev/null
+++ b/shib_secondary/remote/alt-servers
@@ -0,0 +1,4 @@
+[127.0.0.1:5005]
+comment=SSL tunnel to %DOMAIN%:5006 for MaxiLinux
+for=replication
+namespace=stage4/bwlp/
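Review bot: The `LocationMatch` pattern `^/(webif/|netboot/|minilinux/|rpc/|/Shibboleth\.sso/|error_report.php)(.*)$` can never match its `/Shibboleth.sso/` alternative: after the anchored `^/` it would need a request path beginning with `//Shibboleth.sso/`, so in passthrough mode SP requests are handled by this host's own shibd through the `<Location /Shibboleth.sso>` block above instead of being relayed to the master — please confirm which behaviour is intended. If relaying was meant, drop the extra slash (`Shibboleth\.sso/`), and escape the dot in `error_report\.php` while at it. Since `$1$2` is client-controlled, keeping the literal `https://%DOMAIN%/` prefix in the `ProxyPassMatch` target is what prevents this vhost from becoming an open proxy; a comment saying so would stop a future edit from loosening it.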
diff --git a/shib_secondary/remote/bwlp-check-master.service b/shib_secondary/remote/bwlp-check-master.service
new file mode 100644
index 0000000..f8528db
--- /dev/null
+++ b/shib_secondary/remote/bwlp-check-master.service
@@ -0,0 +1,6 @@
+[Unit]
+Description=Check availability of master server and enable/disable fallback mode
+
+[Service]
+Type=oneshot
+ExecStart=/opt/bwlp/check-and-toggle-mode.sh
diff --git a/shib_secondary/remote/bwlp-check-master.timer b/shib_secondary/remote/bwlp-check-master.timer
new file mode 100644
index 0000000..e2b83e5
--- /dev/null
+++ b/shib_secondary/remote/bwlp-check-master.timer
@@ -0,0 +1,10 @@
+[Unit]
+Description=Trigger availability check of masterserver
+
+[Timer]
+OnBootSec=10
+OnUnitActiveSec=120
+AccuracySec=10
+
+[Install]
+WantedBy=timers.target
diff --git a/shib_secondary/remote/bwlp-copy-config.service b/shib_secondary/remote/bwlp-copy-config.service
new file mode 100644
index 0000000..a4ad6c5
--- /dev/null
+++ b/shib_secondary/remote/bwlp-copy-config.service
@@ -0,0 +1,6 @@
+[Unit]
+Description=Download current config from masterserver
+
+[Service]
+Type=oneshot
+ExecStart=/opt/bwlp/copy-current-config.sh
diff --git a/shib_secondary/remote/bwlp-copy-config.timer b/shib_secondary/remote/bwlp-copy-config.timer
new file mode 100644
index 0000000..96cea94
--- /dev/null
+++ b/shib_secondary/remote/bwlp-copy-config.timer
@@ -0,0 +1,10 @@
+[Unit]
+Description=Trigger download of current config
+
+[Timer]
+OnBootSec=2m
+OnUnitActiveSec=12h
+AccuracySec=10m
+
+[Install]
+WantedBy=timers.target
diff --git a/shib_secondary/remote/bwlp-master-socat@.service b/shib_secondary/remote/bwlp-master-socat@.service
new file mode 100644
index 0000000..4e82880
--- /dev/null
+++ b/shib_secondary/remote/bwlp-master-socat@.service
@@ -0,0 +1,10 @@
+[Unit]
+Description=Tunnel TCP:%i connections to actual masterserver
+
+[Service]
+Type=simple
+Restart=always
+ExecStart=/usr/bin/socat tcp-listen:%i,reuseaddr,su=nobody,fork tcp:%DOMAIN%:%i
+
+[Install]
+WantedBy=multi-user.target
diff --git a/shib_secondary/remote/bwlp-master.service b/shib_secondary/remote/bwlp-master.service
new file mode 100644
index 0000000..d0e1d20
--- /dev/null
+++ b/shib_secondary/remote/bwlp-master.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=bwLehrpool Masterserver
+
+[Service]
+User=bwlp
+WorkingDirectory=/home/bwlp/server
+ExecStart=/usr/bin/java -Dlog4j2.formatMsgNoLookups=true -Xmx2G -jar /home/bwlp/server/server.jar
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
diff --git a/shib_secondary/remote/check-and-toggle-mode.sh b/shib_secondary/remote/check-and-toggle-mode.sh
new file mode 100755
index 0000000..bd35adc
--- /dev/null
+++ b/shib_secondary/remote/check-and-toggle-mode.sh
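Review bot: `-Dlog4j2.formatMsgNoLookups=true` in bwlp-master.service disables message lookups only; if the log4j2 bundled in server.jar is older than 2.16 this is a partial mitigation (CVE-2021-45046 bypasses it through context lookups in non-default patterns), so the effective control is the library version inside the jar pulled from the master, which this unit cannot check — a comment stating the minimum log4j version the jar is expected to carry would make that dependency explicit. Neither unit applies systemd sandboxing: `NoNewPrivileges=true`, `PrivateTmp=true` and `ProtectSystem=full` fit bwlp-master, which only needs /home/bwlp/server, and the socat relay binds unprivileged ports (9090/9091/9050/9051 per the later check-and-toggle hunk), so it could run under `DynamicUser=true` like dnbd3-ssl-out.service instead of starting as root and relying on `su=nobody` for the forked handlers.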
@@ -0,0 +1,92 @@
+#!/bin/bash
+
+use_dnbd3() {
+ mountpoint -q /mnt/store && [ -x "/opt/dnbd3/dnbd3-server" ]
+}
+
+is_dnbd3() {
+ systemctl -q is-active dnbd3-server.service || return 1
+ systemctl -q is-active dnbd3-ssl-in.service || return 1
+ systemctl -q is-active dnbd3-ssl-out.service || return 1
+ return 0
+}
+
+enable_dnbd3() {
+ echo "Enabling dnbd3 proxy"
+ systemctl disable --now bwlp-master-socat@5006.service
+ systemctl enable --now dnbd3-server.service
+ systemctl enable --now dnbd3-ssl-in.service
+ systemctl enable --now dnbd3-ssl-out.service
+}
+
+disable_dnbd3() {
+ echo "Disabling dnbd3 proxy"
+ systemctl disable --now dnbd3-server.service
+ systemctl disable --now dnbd3-ssl-in.service
+ systemctl disable --now dnbd3-ssl-out.service
+}
+
+is_passthrough() {
+ systemctl -q is-active apache2.service || return 1
+ systemctl -q is-active bwlp-master-socat@9090.service || return 1
+ systemctl -q is-active bwlp-master-socat@9091.service || return 1
+ local lnk=$( readlink -f /etc/apache2/sites-enabled/110-bwlp.conf )
+ [ "$lnk" = "/etc/apache2/sites-available/110-bwlp-passthrough.conf" ] || return 1
+ return 0
+}
+
+is_active() {
+ systemctl -q is-active apache2.service || return 1
+ systemctl -q is-active bwlp-master.service || return 1
+ local lnk=$( readlink -f /etc/apache2/sites-enabled/110-bwlp.conf )
+ [ "$lnk" = "/etc/apache2/sites-available/110-bwlp-active.conf" ] || return 1
+ return 0
+}
+
+passthrough() {
+ is_passthrough && return 0
+ echo "Enabling passthrough"
+ systemctl disable --now bwlp-master.service
+ ln -nfs ../sites-available/110-bwlp-passthrough.conf /etc/apache2/sites-enabled/110-bwlp.conf
+ systemctl restart apache2.service
+ systemctl enable --now bwlp-master-socat@9090.service
+ systemctl enable --now bwlp-master-socat@9091.service
+ systemctl enable --now bwlp-master-socat@9050.service
+ systemctl enable --now bwlp-master-socat@9051.service
+ if ! 
use_dnbd3; then
+ systemctl enable --now bwlp-master-socat@5006.service
+ fi
+}
+
+activate() {
+ is_active && return 0
+ echo "Enabling active mode"
+ systemctl disable --now bwlp-master-socat@9090.service
+ systemctl disable --now bwlp-master-socat@9091.service
+ systemctl disable --now bwlp-master-socat@9050.service
+ systemctl disable --now bwlp-master-socat@9051.service
+ systemctl disable --now bwlp-master-socat@5006.service
+ ln -nfs ../sites-available/110-bwlp-active.conf /etc/apache2/sites-enabled/110-bwlp.conf
+ systemctl restart apache2.service
+ systemctl enable --now bwlp-master.service
+}
+
+# Check connectivity
+
+if curl -L -m 10 -o /dev/null -sS \
+ --retry-max-time 40 --retry 4 --retry-all-errors \
+ https://%DOMAIN%/webif/; then
+ # OK
+ passthrough
+else
+ # Take over
+ activate
+fi
+
+if use_dnbd3; then
+ is_dnbd3 || enable_dnbd3
+else
+ is_dnbd3 && disable_dnbd3
+fi
+
+exit 0
diff --git a/shib_secondary/remote/config.php b/shib_secondary/remote/config.php
new file mode 100644
index 0000000..52f6460
--- /dev/null
+++ b/shib_secondary/remote/config.php
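Review bot: The health probe `curl -L -m 10 -o /dev/null -sS --retry-max-time 40 --retry 4 --retry-all-errors https://%DOMAIN%/webif/` has no `-f`, so a master whose Apache answers 500/503 still counts as reachable and the takeover never happens, while any loss of this host's own uplink or name resolution does trigger `activate`; decide which failures should flip modes, write that down in the `# Check connectivity` comment, and add `-f` if HTTP errors are meant to count. Both `passthrough` and `activate` relink the site with `ln -nfs` and then `systemctl restart apache2.service` unconditionally, so a config that fails to parse takes the front-end down rather than leaving the previous mode running; an `apache2ctl configtest` before the restart would keep the old instance up on error. Because install.sh (a later hunk) pins `%DOMAIN%` to the master's IP in /etc/hosts, the probe validates the master's certificate for that name, which is the right thing — a comment noting that would discourage anyone from "fixing" a certificate hiccup with `-k`.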
@@ -0,0 +1,36 @@
+<?php
+
+// This might leak sensitive information. Never enable in production!
+define('CONFIG_DEBUG', (bool)preg_match('/^(132\.230\.8|10\.8\.8)\./', $_SERVER['REMOTE_ADDR']));
+define('CONFIG_PREFIX', '/webif/');
+define('CONFIG_SESSION_TIMEOUT', 86400 * 7);
+define('CONFIG_FORCE_DOMAIN', '%DOMAIN%');
+define('CONFIG_ENTITLEMENT', ';http://bwidm.de/entitlement/bwLehrpool;');
+define('CONFIG_SUITE', 'bwLehrpool');
+define('CONFIG_HELPURL', 'www.bwlehrpool.de');
+define('CONFIG_HELPMAIL', 'info@bwlehrpool.de');
+define('CONFIG_FOOTER_SUPPORT', '//www.bwlehrpool.de/');
+define('CONFIG_MASTERWEBIF', 'https://%DOMAIN%/webif/');
+define('CONFIG_IDM', 'bwIDM');
+define('CONFIG_PROVIDER', 'Universität Freiburg');
+
+define('CONFIG_ADMINS', serialize(array('5fb22037697816a70a847d15245c9f88',
+ '94e48d34587ab9963a2013ddc97e1e45', 'fb91f270a95a5b006be916f2b2da305c', '4abe094e4e0c89e5cc2e9106270b4aed')));
+
+define('CONFIG_IDM_LINK_SN', 'https://www.bwidm.de/attribute.php#Nachname');
+define('CONFIG_IDM_LINK_GIVENNAME', 'https://www.bwidm.de/attribute.php#Vorname');
+define('CONFIG_IDM_LINK_MAIL', 'https://www.bwidm.de/attribute.php#E-Mail-Adresse');
+define('CONFIG_IDM_LINK_PID', 'https://www.bwidm.de/attribute.php#Persistant%20ID');
+define('CONFIG_IDM_LINK_EPSA', 'https://www.bwidm.de/attribute.php#Zugeh%C3%B6rigkeit');
+
+define('CONFIG_SURNAME', 'sn');
+define('CONFIG_EPPN', 'eppn');
+define('CONFIG_SCOPED_AFFILIATION', 'affiliation');
+define('CONFIG_ALLOW_SHIB_MERGE', true);
+
+define('CONFIG_SQL_DSN', "mysql:dbname=bwlp;host=localhost");
+define('CONFIG_SQL_USER', 'bwlp');
+define('CONFIG_SQL_PASS', 'geheim');
+define('CONFIG_SQL_FORCE_UTF8', true);
+
+define('CONFIG_READ_ONLY', true);
diff --git a/shib_secondary/remote/copy-current-config.sh b/shib_secondary/remote/copy-current-config.sh
new file mode 100755
index 0000000..4b2a17c
--- /dev/null
+++ b/shib_secondary/remote/copy-current-config.sh
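Review bot: `CONFIG_DEBUG` is turned on for every client whose `REMOTE_ADDR` falls in 132.230.8.0/24 or 10.8.8.0/24, directly under the comment warning that it leaks sensitive information and must never be enabled in production; this file is deployed to an internet-facing fallback instance, so either hard-code `define('CONFIG_DEBUG', false);` or document why those ranges are trusted. install.sh (a later hunk) does not enable mod_remoteip, so `REMOTE_ADDR` cannot currently be spoofed through X-Forwarded-For, but the check becomes a footgun the day someone enables it to honour the master's proxy headers. `CONFIG_SQL_PASS` is the literal `geheim`, the same value install.sh assigns to the MariaDB user; the account is localhost-only so impact is limited, but generating the password at install time and templating it in like `%DOMAIN%` would keep a credential out of the repository.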
@@ -0,0 +1,86 @@
+#!/bin/bash
+
+set -e
+
+mkdir -p /opt/bwlp/tmp/files
+chmod 0700 /opt/bwlp/tmp
+
+aestgz="/opt/bwlp/tmp/tgz.aes"
+tgz="/opt/bwlp/tmp/archive.tgz"
+
+# Get
+
+if ! curl -sS -L -m 60 --connect-timeout 20 --retry-max-time 300 -o "$aestgz" \
+ "https://%DOMAIN%/slave-config.aes"; then
+ echo "Cannot download masterserver config"
+ exit 1
+fi
+
+. /opt/bwlp/config
+
+ENCPW="$SHARED_SECRET" openssl enc -d -aes-256-cbc -pbkdf2 -pass "env:ENCPW" \
+ -in "$aestgz" -out "$tgz"
+
+# Extract
+tar -C /opt/bwlp/tmp/files -x -z -f "$tgz"
+cd /opt/bwlp/tmp/files
+
+# Check/update
+
+changed() {
+ local i
+ for i in "$@"; do
+ [ -f "/${i#/}" ] || return 0
+ cmp "${i#/}" "/${i#/}" || return 0
+ done
+ return 1
+}
+
+schema_changed=
+data_changed=
+restart_apache=
+restart_master=
+restart_shibd=
+if changed "opt/bwlp/db-schema.sql"; then
+ schema_changed=1
+fi
+if changed "opt/bwlp/db-data.sql"; then
+ data_changed=1
+fi
+
+if changed "opt/bwlp/ssl/live/ssl-cert/cert.pem" "opt/bwlp/ssl/live/ssl-cert/privkey.pem"; then
+ restart_apache=1
+fi
+
+if changed "home/bwlp/server/server.jar" "home/bwlp/server/config/masterserver.jks"; then
+ restart_master=1
+fi
+
+if changed "etc/shibboleth/shibboleth2.xml" "etc/shibboleth/dfn-aai.pem" "etc/shibboleth/attribute-map.xml"; then
+ restart_shibd=1
+fi
+
+# Copy to FS - *AFTER* checking for changes
+
+rsync -av . /
+
+# Now restart services - *AFTER* copying files
+
+if [ -n "$schema_changed" ]; then
+ mysql bwlp < /opt/bwlp/db-schema.sql
+fi
+if [ -n "$schema_changed" ] || [ -n "$data_changed" ]; then
+ mysql bwlp < /opt/bwlp/db-data.sql
+fi
+
+if [ -n "$restart_apache" ]; then
+ systemctl --no-block restart apache2.service
+fi
+if [ -n "$restart_master" ]; then
+ systemctl --no-block try-restart bwlp-master.service
+fi
+if [ -n "$restart_shibd" ]; then
+ systemctl --no-block restart shibd.service
+fi
+
+:
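Review bot: `--retry-max-time 300` on the curl call does nothing without a `--retry N`, so a single failed download of slave-config.aes aborts the run until the timer fires again 12 hours later; add `--retry 5`, and `-f` so that an HTML error page is not handed to `openssl enc` as ciphertext. The archive is decrypted with AES-256-CBC and nothing else, which provides confidentiality but no integrity, so the content that `rsync -av . /` then writes into the root filesystem as root is authenticated only by TLS and curl's default certificate check — worth a comment next to the `openssl enc -d` line, including that the URL must never be downgraded to http or `-k`. `/opt/bwlp/tmp/files` is also never emptied, so entries removed from the master's archive keep being rsynced from the stale copy and plaintext `privkey.pem`/`masterserver.jks` copies stay on disk between runs; `rm -rf -- /opt/bwlp/tmp/files/*` before the `tar` plus a `trap 'rm -f -- "$aestgz" "$tgz"' EXIT` would cover both.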
diff --git a/shib_secondary/remote/dnbd3-server.service b/shib_secondary/remote/dnbd3-server.service
new file mode 100644
index 0000000..43bb43e
--- /dev/null
+++ b/shib_secondary/remote/dnbd3-server.service
@@ -0,0 +1,18 @@
+[Unit]
+Description=DNBD3 Server
+ConditionPathIsMountPoint=/mnt/store
+ConditionPathExists=/mnt/store/dnbd3
+After=remote-fs.target local-fs.target
+After=mnt-store.mount
+Requires=mnt-store.mount
+
+[Service]
+User=dnbd3
+ExecStart=/opt/dnbd3/dnbd3-server -n
+Restart=always
+RestartSec=5
+TimeoutStopSec=10
+LimitNOFILE=16384
+
+[Install]
+WantedBy=multi-user.target
diff --git a/shib_secondary/remote/dnbd3-ssl-in.service b/shib_secondary/remote/dnbd3-ssl-in.service
new file mode 100644
index 0000000..8719f20
--- /dev/null
+++ b/shib_secondary/remote/dnbd3-ssl-in.service
@@ -0,0 +1,10 @@
+[Unit]
+Description=bwLehrpool DNBD3 SSL proxy [IN]
+Wants=dnbd3-server.service
+
+[Service]
+ExecStart=/usr/bin/socat openssl-listen:5006,reuseaddr,cert=/opt/bwlp/ssl/live/ssl-cert/full-privkey.pem,verify=0,su=nobody,fork tcp:127.0.0.1:5003
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
diff --git a/shib_secondary/remote/dnbd3-ssl-out.service b/shib_secondary/remote/dnbd3-ssl-out.service
new file mode 100644
index 0000000..4db4c22
--- /dev/null
+++ b/shib_secondary/remote/dnbd3-ssl-out.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=SSL Proxy for DNBD3 [OUT]
+Wants=dnbd3-server.service
+
+[Service]
+DynamicUser=true
+ExecStart=/usr/bin/socat tcp-listen:5005,bind=127.0.0.1,fork,reuseaddr openssl-connect:%DOMAIN%:5006,capath=/etc/ssl/certs/
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
diff --git a/shib_secondary/remote/global.properties b/shib_secondary/remote/global.properties
new file mode 100644
index 0000000..b4b81bd
--- /dev/null
+++ b/shib_secondary/remote/global.properties
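Review bot: dnbd3-ssl-in.service terminates TLS on 5006 with `cert=/opt/bwlp/ssl/live/ssl-cert/full-privkey.pem`, but copy-current-config.sh in the previous hunk only restarts apache2 when `cert.pem`/`privkey.pem` change and never checks or restarts this unit, so after a certificate rotation the DNBD3 listener keeps presenting the old certificate until the next reboot; a `systemctl --no-block try-restart dnbd3-ssl-in.service` in that branch, and confirmation that `full-privkey.pem` is part of the archive at all, would close the gap. On the outbound side `openssl-connect:%DOMAIN%:5006,capath=/etc/ssl/certs/` relies on socat's defaults for chain verification and, on 1.7.3 and later, hostname matching; adding an explicit `commonname=%DOMAIN%` makes the hostname check independent of the installed socat version. The inbound unit also has to start as root to read the key and only drops to `su=nobody` in the forked handlers, unlike dnbd3-ssl-out with `DynamicUser=true`; `NoNewPrivileges=true` and `ProtectSystem=strict` would at least contain the listener process.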
@@ -0,0 +1,45 @@
+#####################
+# Main #
+#####################
+
+# no storage dir = no up/download
+storage.dir=
+
+#####################
+# Session #
+#####################
+
+# session timeout for users (in seconds)
+session.user.timeout=7200
+
+# session timeout for servers (in seconds)
+session.server.timeout=86400
+
+#####################
+# Ssl Socket #
+#####################
+
+# Make sure this matches master, otherwise key is useless
+
+# keystore (.jks format)
+ssl.keystore.file=./config/masterserver.jks
+
+# keystore alias
+ssl.keystore.alias=alias
+
+# keystore password
+ssl.keystore.password=password
+
+############ File transfer
+
+filetransfer.port.ssl=0
+filetransfer.port.plain=0
+
+# timeout for kicking idling clients (in seconds)
+filetransfer.timeout=60
+filetransfer.retries=4
+
+################## Thrift
+
+thrift.port.plain = 9090
+thrift.port.ssl = 9091
diff --git a/shib_secondary/remote/install.sh b/shib_secondary/remote/install.sh
new file mode 100755
index 0000000..dbd89ee
--- /dev/null
+++ b/shib_secondary/remote/install.sh
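Review bot: `ssl.keystore.password=password` under the comment `# Make sure this matches master, otherwise key is useless` reads as the real passphrase of the `masterserver.jks` that copy-current-config.sh pulls from the master, which would mean the keystore password is committed to this repository in clear. If it is a placeholder, say so (`# placeholder, replaced at install time`) and have install.sh substitute it the way `%DOMAIN%` is substituted; if it is the real value, ship `global.properties` inside the encrypted archive next to the jks instead of keeping it in git. Either way the file lands in /home/bwlp/server/config with `o-rwx`, so the only exposure is the repository itself.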
@@ -0,0 +1,94 @@
+#!/bin/bash
+
+set -e
+
+domain=
+master=
+secret=
+
+while (( $# > 0 )); do
+ case "$1" in
+ --domain)
+ domain="$2"
+ shift
+ ;;
+ --master)
+ master="$2"
+ shift
+ ;;
+ --secret)
+ secret="$2"
+ shift
+ ;;
+ *)
+ echo "WAAT? NO MAHNEEY?"
+ exit 1
+ esac
+ shift
+done
+
+cd "$(dirname "$( readlink -f "$0" )" )" || cd /tmp/shib_deploy || exit 1
+
+# Replace domain in everything
+find . -type f -exec sed -i "s/%DOMAIN%/$domain/g" {} \;
+
+dest="/opt/bwlp"
+mkdir -p "$dest"
+mkdir -p "/etc/dnbd3-server"
+cp check-and-toggle-mode.sh "$dest/"
+cp copy-current-config.sh "$dest/"
+cp bwlp-*.{service,timer} "/etc/systemd/system/"
+cp dnbd3-*.service "/etc/systemd/system/"
+cp ??0-bwlp-*.conf "/etc/apache2/sites-available/"
+cp server.conf alt-servers "/etc/dnbd3-server/"
+
+sed -i "/$domain/d" "/etc/hosts"
+echo "$master $domain" >> "/etc/hosts"
+
+apt install -y apache2 socat libjansson4 \
+ libapache2-mod-php php-curl php-json php-mbstring php-mysql \
+ libapache2-mod-shib mariadb-server default-jre-headless
+
+a2enmod proxy proxy_http ssl headers
+mkdir -p /var/log/apache2/masterserver
+rm -f -- /etc/apache2/sites-enabled/*.conf
+ln -nfs ../sites-available/000-bwlp-default.conf /etc/apache2/sites-enabled/000-bwlp-default.conf
+
+if ! 
id bwlp; then
+ adduser --disabled-password --comment 'bwlp-user' bwlp
+fi
+
+echo "SHARED_SECRET='$secret'" > /opt/bwlp/config
+
+mariadb <<EOF
+CREATE DATABASE IF NOT EXISTS bwlp;
+CREATE USER IF NOT EXISTS 'bwlp'@'localhost';
+SET PASSWORD FOR 'bwlp'@'localhost' = PASSWORD('geheim');
+GRANT ALL PRIVILEGES ON bwlp.* TO 'bwlp'@'localhost';
+EOF
+
+mkdir -p "/home/bwlp/server/config/"
+cp global.properties mysql.properties "/home/bwlp/server/config/"
+chown -R bwlp:bwlp "/home/bwlp/server/"
+chmod -R o-rwx "/home/bwlp/server/config/"
+
+mkdir -p "/var/www/masterserver/webif/"
+cp config.php "/var/www/masterserver/webif/"
+chgrp www-data "/var/www/masterserver/webif/config.php"
+chmod o-rwx "/var/www/masterserver/webif/config.php"
+
+if ! id dnbd3; then
+ adduser --disabled-password --comment 'dnbd3-user' dnbd3
+fi
+if mountpoint /mnt/store; then
+ mkdir -p /mnt/store/dnbd3
+ chown -R dnbd3:dnbd3 /mnt/store/dnbd3
+fi
+
+systemctl daemon-reload
+systemctl enable --now bwlp-check-master.timer bwlp-copy-config.timer
+
+systemctl start bwlp-copy-config.service
+systemctl start bwlp-check-master.service
+
+:
diff --git a/shib_secondary/remote/mysql.properties b/shib_secondary/remote/mysql.properties
new file mode 100644
index 0000000..f6395cd
--- /dev/null
+++ b/shib_secondary/remote/mysql.properties
@@ -0,0 +1,4 @@
+host=localhost
+db=bwlp
+user=bwlp
+password=geheim
diff --git a/shib_secondary/remote/server.conf b/shib_secondary/remote/server.conf
new file mode 100644
index 0000000..5f4ef72
--- /dev/null
+++ b/shib_secondary/remote/server.conf
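Review bot: `echo "SHARED_SECRET='$secret'" > /opt/bwlp/config` creates the file under the caller's umask — 0644 with the usual root default — so the secret that decrypts the master's config archive is readable by every local account, including www-data and bwlp; write it with `( umask 077; printf 'SHARED_SECRET=%q\n' "$secret" > /opt/bwlp/config )`, which also survives a `'` in the secret since the file is sourced by bash in copy-current-config.sh. `$domain` is not validated on this side and is interpolated as a regex into `sed -i "s/%DOMAIN%/$domain/g"` and `sed -i "/$domain/d" "/etc/hosts"`: a `/` or `&` breaks the substitution, and the unescaped dots make the delete pattern remove unrelated /etc/hosts entries, so add `[[ $domain =~ ^[a-z0-9.-]+$ ]] || exit 1` after option parsing and escape the dots (`${domain//./\\.}`) in the delete. `apt install -y` without a preceding `apt update` can fail on a fresh image, and the secret still arrives via argv — see the deploy.sh note in the first hunk for the stdin variant.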
@@ -0,0 +1,25 @@
+[dnbd3]
+listenPort=5003
+basePath=/mnt/store/dnbd3
+serverPenalty=0
+clientPenalty=5000
+isProxy=true
+removeMissingImages=true
+uplinkTimeout=5000
+clientTimeout=15000
+vmdkLegacyMode=false
+closeUnusedFd=true
+autoFreeDiskSpaceDelay=10h
+ignoreAllocErrors=true
+bgrWindowSize=8
+
+[limits]
+maxPrefetch=512k
+
+; Log related config
+[logging]
+; protip: use SIGUSR2 to reopen log file
+; DEACTIVATED
+;;file=./dnbd3.log
+fileMask=ERROR WARNING MINOR INFO DEBUG1
+consoleMask=ERROR WARNING MINOR INFO |