From 3f9904d6a73d7795b102553cc94ec9ecce9d0b1c Mon Sep 17 00:00:00 2001
From: Simon Rettberg
Date: Fri, 7 Jun 2024 16:20:59 +0200
Subject: [shib_secondary] Tool to deploy a secondary masterserver as fallback

---
 shib_secondary/deploy.sh                         | 75 +++++++++++++++++++
 shib_secondary/remote/000-bwlp-default.conf      | 11 +++
 shib_secondary/remote/110-bwlp-active.conf       | 59 +++++++++++++++
 shib_secondary/remote/110-bwlp-passthrough.conf  | 58 +++++++++++++++
 shib_secondary/remote/alt-servers                |  4 +
 shib_secondary/remote/bwlp-check-master.service  |  6 ++
 shib_secondary/remote/bwlp-check-master.timer    | 10 +++
 shib_secondary/remote/bwlp-copy-config.service   |  6 ++
 shib_secondary/remote/bwlp-copy-config.timer     | 10 +++
 shib_secondary/remote/bwlp-master-socat@.service | 10 +++
 shib_secondary/remote/bwlp-master.service        | 11 +++
 shib_secondary/remote/check-and-toggle-mode.sh   | 92 +++++++++++++++++++++++
 shib_secondary/remote/config.php                 | 36 +++++++++
 shib_secondary/remote/copy-current-config.sh     | 86 ++++++++++++++++++++++
 shib_secondary/remote/dnbd3-server.service       | 18 +++++
 shib_secondary/remote/dnbd3-ssl-in.service       | 10 +++
 shib_secondary/remote/dnbd3-ssl-out.service      | 11 +++
 shib_secondary/remote/global.properties          | 45 ++++++++++++
 shib_secondary/remote/install.sh                 | 94 ++++++++++++++++++++++++
 shib_secondary/remote/mysql.properties           |  4 +
 shib_secondary/remote/server.conf                | 25 +++++++
 21 files changed, 681 insertions(+)
 create mode 100755 shib_secondary/deploy.sh
 create mode 100644 shib_secondary/remote/000-bwlp-default.conf
 create mode 100644 shib_secondary/remote/110-bwlp-active.conf
 create mode 100644 shib_secondary/remote/110-bwlp-passthrough.conf
 create mode 100644 shib_secondary/remote/alt-servers
 create mode 100644 shib_secondary/remote/bwlp-check-master.service
 create mode 100644 shib_secondary/remote/bwlp-check-master.timer
 create mode 100644 shib_secondary/remote/bwlp-copy-config.service
 create mode 100644 shib_secondary/remote/bwlp-copy-config.timer
 create mode 100644 shib_secondary/remote/bwlp-master-socat@.service
 create mode 100644 shib_secondary/remote/bwlp-master.service
 create mode 100755 shib_secondary/remote/check-and-toggle-mode.sh
 create mode 100644 shib_secondary/remote/config.php
 create mode 100755 shib_secondary/remote/copy-current-config.sh
 create mode 100644 shib_secondary/remote/dnbd3-server.service
 create mode 100644 shib_secondary/remote/dnbd3-ssl-in.service
 create mode 100644 shib_secondary/remote/dnbd3-ssl-out.service
 create mode 100644 shib_secondary/remote/global.properties
 create mode 100755 shib_secondary/remote/install.sh
 create mode 100644 shib_secondary/remote/mysql.properties
 create mode 100644 shib_secondary/remote/server.conf

diff --git a/shib_secondary/deploy.sh b/shib_secondary/deploy.sh
new file mode 100755
index 0000000..536f221
--- /dev/null
+++ b/shib_secondary/deploy.sh
@@ -0,0 +1,75 @@
+#!/bin/bash
+
+destination=
+domain=
+master=
+secret=
+
+while (( $# > 0 )); do
+	case "$1" in
+	--dest*)
+		destination="$2"
+		shift
+		;;
+	--domain)
+		domain="$2"
+		shift
+		;;
+	--master)
+		master="$2"
+		shift
+		;;
+	--secret)
+		secret="$2"
+		shift
+		;;
+	*)
+		echo "WAAAAT? NO MAHNEEY?"
+		exit 1
+	esac
+	shift
+done
+
+if ! [[ $destination =~ ^[a-z0-9_]+@[a-z0-9_.-]+$ ]] \
+		|| [ -z "$domain" ] \
+		|| [ -z "$secret" ] \
+		|| ! [[ "$master" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+	echo "Usage: $0 --dest user@4.5.6.7 --domain foo.bar.example.com --master 1.2.3.4 --secret your_master_secret"
+	exit 1
+fi
+
+if [[ $destination == root@* ]]; then
+	sudo=
+else
+	echo "+++++++++++++++++++++++++++++++++++++++++++++++++++++"
+	echo "Using sudo on the remote server to gain root privs..."
+	sudo="sudo "
+fi
+
+echo
+
+if ! ssh "$destination" "$sudo rm -rf -- /tmp/shib_deploy"; then
+	echo "Remote access for preparation failed :-("
+	exit 1
+fi
+
+if ! scp -r "$( dirname -- "${BASH_SOURCE[0]}" )/remote" "${destination}:/tmp/shib_deploy"; then
+	echo "Copying data to $destination failed"
+	exit 1
+fi
+
+if ! ssh "$destination" "$sudo /tmp/shib_deploy/install.sh --domain '$domain' --master '$master' --secret '$secret'"; then
+	echo "Remote install failed :-("
+	exit 1
+fi
+
+echo "------------------------------------------------------"
+echo
+echo "Success"
+echo
+echo
+echo "Remember to make sure the new R/O instance's IP address"
+echo "is allowed to pull the data from $master, and added to"
+echo "the trusted proxy IP addresses."
+echo "(RemoteIPInternalProxy)"
+echo
diff --git a/shib_secondary/remote/000-bwlp-default.conf b/shib_secondary/remote/000-bwlp-default.conf
new file mode 100644
index 0000000..4c7b955
--- /dev/null
+++ b/shib_secondary/remote/000-bwlp-default.conf
@@ -0,0 +1,11 @@
+<VirtualHost *:80>
+	ServerName foobar
+	ServerAdmin webmaster@localhost
+	Redirect permanent / https://%DOMAIN%/
+
+	# Possible values include: debug, info, notice, warn, error, crit,
+	# alert, emerg.
+	LogLevel warn
+	CustomLog ${APACHE_LOG_DIR}/access.log combined
+	ErrorLog ${APACHE_LOG_DIR}/error.log
+</VirtualHost>
diff --git a/shib_secondary/remote/110-bwlp-active.conf b/shib_secondary/remote/110-bwlp-active.conf
new file mode 100644
index 0000000..590fc4f
--- /dev/null
+++ b/shib_secondary/remote/110-bwlp-active.conf
@@ -0,0 +1,59 @@
+<VirtualHost *:443>
+	ServerName %DOMAIN%
+
+	UseCanonicalName On
+
+	DocumentRoot /var/www/masterserver
+
+	<Directory />
+		Options FollowSymLinks
+		AllowOverride None
+	</Directory>
+
+	<Location /shibboleth-ds>
+		Require all granted
+		AuthType shibboleth
+		ShibRequestSetting requireSession false
+		require shibboleth
+	</Location>
+
+	<Location /Shibboleth.sso>
+		AuthType None
+		Require all granted
+	</Location>
+	<Location /shibboleth-sp>
+		AuthType None
+		Require all granted
+	</Location>
+
+	Alias /shibboleth-sp/main.css /usr/share/shibboleth/main.css
+	Alias /shibboleth-sp/logo.jpg /usr/share/shibboleth/logo.jpg
+
+	<Location /webif/shib>
+		AuthType shibboleth
+		ShibRequestSetting requireSession true
+		require valid-user
+	</Location>
+
+	# optional (Metadata-Access at entityID-URL)
+	Redirect seeother /shibboleth /Shibboleth.sso/Metadata
+	RedirectMatch /start-session$ /Shibboleth.sso/Login
+
+	LogLevel warn
+	ErrorLog ${APACHE_LOG_DIR}/masterserver/error.log
+	CustomLog ${APACHE_LOG_DIR}/masterserver/access.log combined
+
+	SSLEngine on
+	SSLOptions +StrictRequire
+	# HSTS (mod_headers is required) (15768000 seconds = 6 months)
+	Header always set Strict-Transport-Security "max-age=15768000"
+
+	SSLCertificateFile      /opt/bwlp/ssl/live/ssl-cert/cert.pem
+	SSLCertificateKeyFile   /opt/bwlp/ssl/live/ssl-cert/privkey.pem
+	SSLCertificateChainFile /opt/bwlp/ssl/live/ssl-cert/chain.pem
+
+	<FilesMatch "\.(cgi|shtml|phtml|php)$">
+		SSLOptions +StdEnvVars
+	</FilesMatch>
+
+</VirtualHost>
diff --git a/shib_secondary/remote/110-bwlp-passthrough.conf b/shib_secondary/remote/110-bwlp-passthrough.conf
new file mode 100644
index 0000000..807d8f8
--- /dev/null
+++ b/shib_secondary/remote/110-bwlp-passthrough.conf
@@ -0,0 +1,58 @@
+<VirtualHost *:443>
+	ServerName %DOMAIN%
+
+	UseCanonicalName On
+
+	DocumentRoot /var/www/masterserver
+
+	<Directory />
+		Options FollowSymLinks
+		AllowOverride None
+	</Directory>
+
+	<Location /shibboleth-ds>
+		Require all granted
+		AuthType shibboleth
+		ShibRequestSetting requireSession false
+		require shibboleth
+	</Location>
+
+	<Location /Shibboleth.sso>
+		AuthType None
+		Require all granted
+	</Location>
+	<Location /shibboleth-sp>
+		AuthType None
+		Require all granted
+	</Location>
+
+	Alias /shibboleth-sp/main.css /usr/share/shibboleth/main.css
+	Alias /shibboleth-sp/logo.jpg /usr/share/shibboleth/logo.jpg
+
+	SSLProxyEngine on
+	<LocationMatch ^/(webif/|netboot/|minilinux/|rpc/|/Shibboleth\.sso/|error_report.php)(.*)$>
+		ProxyPassMatch "https://%DOMAIN%/$1$2" connectiontimeout=5 timeout=30 max=10
+	</LocationMatch>
+
+	# optional (Metadata-Access at entityID-URL)
+	Redirect seeother /shibboleth /Shibboleth.sso/Metadata
+	RedirectMatch /start-session$ /Shibboleth.sso/Login
+
+	LogLevel warn
+	ErrorLog ${APACHE_LOG_DIR}/masterserver/error.log
+	CustomLog ${APACHE_LOG_DIR}/masterserver/access.log combined
+
+	SSLEngine on
+	SSLOptions +StrictRequire
+	# HSTS (mod_headers is required) (15768000 seconds = 6 months)
+	Header always set Strict-Transport-Security "max-age=15768000"
+
+	SSLCertificateFile      /opt/bwlp/ssl/live/ssl-cert/cert.pem
+	SSLCertificateKeyFile   /opt/bwlp/ssl/live/ssl-cert/privkey.pem
+	SSLCertificateChainFile /opt/bwlp/ssl/live/ssl-cert/chain.pem
+
+	<FilesMatch "\.(cgi|shtml|phtml|php)$">
+		SSLOptions +StdEnvVars
+	</FilesMatch>
+
+</VirtualHost>
diff --git a/shib_secondary/remote/alt-servers b/shib_secondary/remote/alt-servers
new file mode 100644
index 0000000..5c8bebc
--- /dev/null
+++ b/shib_secondary/remote/alt-servers
@@ -0,0 +1,4 @@
+[127.0.0.1:5005]
+comment=SSL tunnel to %DOMAIN%:5006 for MaxiLinux
+for=replication
+namespace=stage4/bwlp/
diff --git a/shib_secondary/remote/bwlp-check-master.service b/shib_secondary/remote/bwlp-check-master.service
new file mode 100644
index 0000000..f8528db
--- /dev/null
+++ b/shib_secondary/remote/bwlp-check-master.service
@@ -0,0 +1,6 @@
+[Unit]
+Description=Check availability of master server and enable/disable fallback mode
+
+[Service]
+Type=oneshot
+ExecStart=/opt/bwlp/check-and-toggle-mode.sh
diff --git a/shib_secondary/remote/bwlp-check-master.timer b/shib_secondary/remote/bwlp-check-master.timer
new file mode 100644
index 0000000..e2b83e5
--- /dev/null
+++ b/shib_secondary/remote/bwlp-check-master.timer
@@ -0,0 +1,10 @@
+[Unit]
+Description=Trigger availability check of masterserver
+
+[Timer]
+OnBootSec=10
+OnUnitActiveSec=120
+AccuracySec=10
+
+[Install]
+WantedBy=timers.target
diff --git a/shib_secondary/remote/bwlp-copy-config.service b/shib_secondary/remote/bwlp-copy-config.service
new file mode 100644
index 0000000..a4ad6c5
--- /dev/null
+++ b/shib_secondary/remote/bwlp-copy-config.service
@@ -0,0 +1,6 @@
+[Unit]
+Description=Download current config from masterserver
+
+[Service]
+Type=oneshot
+ExecStart=/opt/bwlp/copy-current-config.sh
diff --git a/shib_secondary/remote/bwlp-copy-config.timer b/shib_secondary/remote/bwlp-copy-config.timer
new file mode 100644
index 0000000..96cea94
--- /dev/null
+++ b/shib_secondary/remote/bwlp-copy-config.timer
@@ -0,0 +1,10 @@
+[Unit]
+Description=Trigger download of current config
+
+[Timer]
+OnBootSec=2m
+OnUnitActiveSec=12h
+AccuracySec=10m
+
+[Install]
+WantedBy=timers.target
diff --git a/shib_secondary/remote/bwlp-master-socat@.service b/shib_secondary/remote/bwlp-master-socat@.service
new file mode 100644
index 0000000..4e82880
--- /dev/null
+++ b/shib_secondary/remote/bwlp-master-socat@.service
@@ -0,0 +1,10 @@
+[Unit]
+Description=Tunnel TCP:%i connections to actual masterserver
+
+[Service]
+Type=simple
+Restart=always
+ExecStart=/usr/bin/socat tcp-listen:%i,reuseaddr,su=nobody,fork tcp:%DOMAIN%:%i
+
+[Install]
+WantedBy=multi-user.target
diff --git a/shib_secondary/remote/bwlp-master.service b/shib_secondary/remote/bwlp-master.service
new file mode 100644
index 0000000..d0e1d20
--- /dev/null
+++ b/shib_secondary/remote/bwlp-master.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=bwLehrpool Masterserver
+
+[Service]
+User=bwlp
+WorkingDirectory=/home/bwlp/server
+ExecStart=/usr/bin/java -Dlog4j2.formatMsgNoLookups=true -Xmx2G -jar /home/bwlp/server/server.jar
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
diff --git a/shib_secondary/remote/check-and-toggle-mode.sh b/shib_secondary/remote/check-and-toggle-mode.sh
new file mode 100755
index 0000000..bd35adc
--- /dev/null
+++ b/shib_secondary/remote/check-and-toggle-mode.sh
@@ -0,0 +1,92 @@
+#!/bin/bash
+
+use_dnbd3() {
+	mountpoint -q /mnt/store && [ -x "/opt/dnbd3/dnbd3-server" ]
+}
+
+is_dnbd3() {
+	systemctl -q is-active dnbd3-server.service || return 1
+	systemctl -q is-active dnbd3-ssl-in.service || return 1
+	systemctl -q is-active dnbd3-ssl-out.service || return 1
+	return 0
+}
+
+enable_dnbd3() {
+	echo "Enabling dnbd3 proxy"
+	systemctl disable --now bwlp-master-socat@5006.service
+	systemctl enable --now dnbd3-server.service
+	systemctl enable --now dnbd3-ssl-in.service
+	systemctl enable --now dnbd3-ssl-out.service
+}
+
+disable_dnbd3() {
+	echo "Disabling dnbd3 proxy"
+	systemctl disable --now dnbd3-server.service
+	systemctl disable --now dnbd3-ssl-in.service
+	systemctl disable --now dnbd3-ssl-out.service
+}
+
+is_passthrough() {
+	systemctl -q is-active apache2.service || return 1
+	systemctl -q is-active bwlp-master-socat@9090.service || return 1
+	systemctl -q is-active bwlp-master-socat@9091.service || return 1
+	local lnk=$( readlink -f /etc/apache2/sites-enabled/110-bwlp.conf )
+	[ "$lnk" = "/etc/apache2/sites-available/110-bwlp-passthrough.conf" ] || return 1
+	return 0
+}
+
+is_active() {
+	systemctl -q is-active apache2.service || return 1
+	systemctl -q is-active bwlp-master.service || return 1
+	local lnk=$( readlink -f /etc/apache2/sites-enabled/110-bwlp.conf )
+	[ "$lnk" = "/etc/apache2/sites-available/110-bwlp-active.conf" ] || return 1
+	return 0
+}
+
+passthrough() {
+	is_passthrough && return 0
+	echo "Enabling passthrough"
+	systemctl disable --now bwlp-master.service
+	ln -nfs ../sites-available/110-bwlp-passthrough.conf /etc/apache2/sites-enabled/110-bwlp.conf
+	systemctl restart apache2.service
+	systemctl enable --now bwlp-master-socat@9090.service
+	systemctl enable --now bwlp-master-socat@9091.service
+	systemctl enable --now bwlp-master-socat@9050.service
+	systemctl enable --now bwlp-master-socat@9051.service
+	if ! use_dnbd3; then
+		systemctl enable --now bwlp-master-socat@5006.service
+	fi
+}
+
+activate() {
+	is_active && return 0
+	echo "Enabling active mode"
+	systemctl disable --now bwlp-master-socat@9090.service
+	systemctl disable --now bwlp-master-socat@9091.service
+	systemctl disable --now bwlp-master-socat@9050.service
+	systemctl disable --now bwlp-master-socat@9051.service
+	systemctl disable --now bwlp-master-socat@5006.service
+	ln -nfs ../sites-available/110-bwlp-active.conf /etc/apache2/sites-enabled/110-bwlp.conf
+	systemctl restart apache2.service
+	systemctl enable --now bwlp-master.service
+}
+
+# Check connectivity
+
+if curl -L -m 10 -o /dev/null -sS \
+		--retry-max-time 40 --retry 4 --retry-all-errors \
+		https://%DOMAIN%/webif/; then
+	# OK
+	passthrough
+else
+	# Take over
+	activate
+fi
+
+if use_dnbd3; then
+	is_dnbd3 || enable_dnbd3
+else
+	is_dnbd3 && disable_dnbd3
+fi
+
+exit 0
diff --git a/shib_secondary/remote/config.php b/shib_secondary/remote/config.php
new file mode 100644
index 0000000..52f6460
--- /dev/null
+++ b/shib_secondary/remote/config.php
@@ -0,0 +1,36 @@
+<?php
+
+// This might leak sensitive information. Never enable in production!
+define('CONFIG_DEBUG', (bool)preg_match('/^(132\.230\.8|10\.8\.8)\./', $_SERVER['REMOTE_ADDR']));
+define('CONFIG_PREFIX', '/webif/');
+define('CONFIG_SESSION_TIMEOUT', 86400 * 7);
+define('CONFIG_FORCE_DOMAIN', '%DOMAIN%');
+define('CONFIG_ENTITLEMENT', ';http://bwidm.de/entitlement/bwLehrpool;');
+define('CONFIG_SUITE', 'bwLehrpool');
+define('CONFIG_HELPURL', 'www.bwlehrpool.de');
+define('CONFIG_HELPMAIL', 'info@bwlehrpool.de');
+define('CONFIG_FOOTER_SUPPORT', '//www.bwlehrpool.de/');
+define('CONFIG_MASTERWEBIF', 'https://%DOMAIN%/webif/');
+define('CONFIG_IDM', 'bwIDM');
+define('CONFIG_PROVIDER', 'Universität Freiburg');
+
+define('CONFIG_ADMINS', serialize(array('5fb22037697816a70a847d15245c9f88',
+	'94e48d34587ab9963a2013ddc97e1e45', 'fb91f270a95a5b006be916f2b2da305c', '4abe094e4e0c89e5cc2e9106270b4aed')));
+
+define('CONFIG_IDM_LINK_SN', 'https://www.bwidm.de/attribute.php#Nachname');
+define('CONFIG_IDM_LINK_GIVENNAME', 'https://www.bwidm.de/attribute.php#Vorname');
+define('CONFIG_IDM_LINK_MAIL', 'https://www.bwidm.de/attribute.php#E-Mail-Adresse');
+define('CONFIG_IDM_LINK_PID', 'https://www.bwidm.de/attribute.php#Persistant%20ID');
+define('CONFIG_IDM_LINK_EPSA', 'https://www.bwidm.de/attribute.php#Zugeh%C3%B6rigkeit');
+
+define('CONFIG_SURNAME', 'sn');
+define('CONFIG_EPPN', 'eppn');
+define('CONFIG_SCOPED_AFFILIATION', 'affiliation');
+define('CONFIG_ALLOW_SHIB_MERGE', true);
+
+define('CONFIG_SQL_DSN', "mysql:dbname=bwlp;host=localhost");
+define('CONFIG_SQL_USER', 'bwlp');
+define('CONFIG_SQL_PASS', 'geheim');
+define('CONFIG_SQL_FORCE_UTF8', true);
+
+define('CONFIG_READ_ONLY', true);
diff --git a/shib_secondary/remote/copy-current-config.sh b/shib_secondary/remote/copy-current-config.sh
new file mode 100755
index 0000000..4b2a17c
--- /dev/null
+++ b/shib_secondary/remote/copy-current-config.sh
@@ -0,0 +1,86 @@
+#!/bin/bash
+
+set -e
+
+mkdir -p /opt/bwlp/tmp/files
+chmod 0700 /opt/bwlp/tmp
+
+aestgz="/opt/bwlp/tmp/tgz.aes"
+tgz="/opt/bwlp/tmp/archive.tgz"
+
+# Get
+
+if ! curl -sS -L -m 60 --connect-timeout 20 --retry-max-time 300 -o "$aestgz" \
+		"https://%DOMAIN%/slave-config.aes"; then
+	echo "Cannot download masterserver config"
+	exit 1
+fi
+
+. /opt/bwlp/config
+
+ENCPW="$SHARED_SECRET" openssl enc -d -aes-256-cbc -pbkdf2 -pass "env:ENCPW" \
+		-in "$aestgz" -out "$tgz"
+
+# Extract
+tar -C /opt/bwlp/tmp/files -x -z -f "$tgz"
+cd /opt/bwlp/tmp/files
+
+# Check/update
+
+changed() {
+	local i
+	for i in "$@"; do
+		[ -f "/${i#/}" ] || return 0
+		cmp "${i#/}" "/${i#/}" || return 0
+	done
+	return 1
+}
+
+schema_changed=
+data_changed=
+restart_apache=
+restart_master=
+restart_shibd=
+if changed "opt/bwlp/db-schema.sql"; then
+	schema_changed=1
+fi
+if changed "opt/bwlp/db-data.sql"; then
+	data_changed=1
+fi
+
+if changed "opt/bwlp/ssl/live/ssl-cert/cert.pem" "opt/bwlp/ssl/live/ssl-cert/privkey.pem"; then
+	restart_apache=1
+fi
+
+if changed "home/bwlp/server/server.jar" "home/bwlp/server/config/masterserver.jks"; then
+	restart_master=1
+fi
+
+if changed "etc/shibboleth/shibboleth2.xml" "etc/shibboleth/dfn-aai.pem" "etc/shibboleth/attribute-map.xml"; then
+	restart_shibd=1
+fi
+
+# Copy to FS - *AFTER* checking for changes
+
+rsync -av . /
+
+# Now restart services - *AFTER* copying files
+
+if [ -n "$schema_changed" ]; then
+	mysql bwlp < /opt/bwlp/db-schema.sql
+fi
+if [ -n "$schema_changed" ] || [ -n "$data_changed" ]; then
+	mysql bwlp < /opt/bwlp/db-data.sql
+fi
+
+if [ -n "$restart_apache" ]; then
+	systemctl --no-block restart apache2.service
+fi
+if [ -n "$restart_master" ]; then
+	systemctl --no-block try-restart bwlp-master.service
+fi
+if [ -n "$restart_shibd" ]; then
+	systemctl --no-block restart shibd.service
+fi
+
+:
diff --git a/shib_secondary/remote/dnbd3-server.service b/shib_secondary/remote/dnbd3-server.service
new file mode 100644
index 0000000..43bb43e
--- /dev/null
+++ b/shib_secondary/remote/dnbd3-server.service
@@ -0,0 +1,18 @@
+[Unit]
+Description=DNBD3 Server
+ConditionPathIsMountPoint=/mnt/store
+ConditionPathExists=/mnt/store/dnbd3
+After=remote-fs.target local-fs.target
+After=mnt-store.mount
+Requires=mnt-store.mount
+
+[Service]
+User=dnbd3
+ExecStart=/opt/dnbd3/dnbd3-server -n
+Restart=always
+RestartSec=5
+TimeoutStopSec=10
+LimitNOFILE=16384
+
+[Install]
+WantedBy=multi-user.target
diff --git a/shib_secondary/remote/dnbd3-ssl-in.service b/shib_secondary/remote/dnbd3-ssl-in.service
new file mode 100644
index 0000000..8719f20
--- /dev/null
+++ b/shib_secondary/remote/dnbd3-ssl-in.service
@@ -0,0 +1,10 @@
+[Unit]
+Description=bwLehrpool DNBD3 SSL proxy [IN]
+Wants=dnbd3-server.service
+
+[Service]
+ExecStart=/usr/bin/socat openssl-listen:5006,reuseaddr,cert=/opt/bwlp/ssl/live/ssl-cert/full-privkey.pem,verify=0,su=nobody,fork tcp:127.0.0.1:5003
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
diff --git a/shib_secondary/remote/dnbd3-ssl-out.service b/shib_secondary/remote/dnbd3-ssl-out.service
new file mode 100644
index 0000000..4db4c22
--- /dev/null
+++ b/shib_secondary/remote/dnbd3-ssl-out.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=SSL Proxy for DNBD3 [OUT]
+Wants=dnbd3-server.service
+
+[Service]
+DynamicUser=true
+ExecStart=/usr/bin/socat tcp-listen:5005,bind=127.0.0.1,fork,reuseaddr openssl-connect:%DOMAIN%:5006,capath=/etc/ssl/certs/
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
diff --git a/shib_secondary/remote/global.properties b/shib_secondary/remote/global.properties
new file mode 100644
index 0000000..b4b81bd
--- /dev/null
+++ b/shib_secondary/remote/global.properties
@@ -0,0 +1,45 @@
+#####################
+#       Main        #
+#####################
+
+# no storage dir = no up/download
+storage.dir=
+
+#####################
+#      Session      #
+#####################
+
+# session timeout for users (in seconds)
+session.user.timeout=7200
+
+# session timeout for servers (in seconds)
+session.server.timeout=86400
+
+#####################
+#     Ssl Socket    #
+#####################
+
+# Make sure this matches master, otherwise key is useless
+
+# keystore (.jks format)
+ssl.keystore.file=./config/masterserver.jks
+
+# keystore alias
+ssl.keystore.alias=alias
+
+# keystore password
+ssl.keystore.password=password
+
+############ File transfer
+
+filetransfer.port.ssl=0
+filetransfer.port.plain=0
+
+# timeout for kicking idling clients (in seconds)
+filetransfer.timeout=60
+filetransfer.retries=4
+
+################## Thrift
+
+thrift.port.plain = 9090
+thrift.port.ssl = 9091
diff --git a/shib_secondary/remote/install.sh b/shib_secondary/remote/install.sh
new file mode 100755
index 0000000..dbd89ee
--- /dev/null
+++ b/shib_secondary/remote/install.sh
@@ -0,0 +1,94 @@
+#!/bin/bash
+
+set -e
+
+domain=
+master=
+secret=
+
+while (( $# > 0 )); do
+	case "$1" in
+	--domain)
+		domain="$2"
+		shift
+		;;
+	--master)
+		master="$2"
+		shift
+		;;
+	--secret)
+		secret="$2"
+		shift
+		;;
+	*)
+		echo "WAAT? NO MAHNEEY?"
+		exit 1
+	esac
+	shift
+done
+
+cd "$(dirname "$( readlink -f "$0" )" )" || cd /tmp/shib_deploy || exit 1
+
+# Replace domain in everything
+find . -type f -exec sed -i "s/%DOMAIN%/$domain/g" {} \;
+
+dest="/opt/bwlp"
+mkdir -p "$dest"
+mkdir -p "/etc/dnbd3-server"
+cp check-and-toggle-mode.sh "$dest/"
+cp copy-current-config.sh "$dest/"
+cp bwlp-*.{service,timer} "/etc/systemd/system/"
+cp dnbd3-*.service "/etc/systemd/system/"
+cp ??0-bwlp-*.conf "/etc/apache2/sites-available/"
+cp server.conf alt-servers "/etc/dnbd3-server/"
+
+sed -i "/$domain/d" "/etc/hosts"
+echo "$master	$domain" >> "/etc/hosts"
+
+apt install -y apache2 socat libjansson4 \
+	libapache2-mod-php php-curl php-json php-mbstring php-mysql \
+	libapache2-mod-shib mariadb-server default-jre-headless
+
+a2enmod proxy proxy_http ssl headers
+mkdir -p /var/log/apache2/masterserver
+rm -f -- /etc/apache2/sites-enabled/*.conf
+ln -nfs ../sites-available/000-bwlp-default.conf /etc/apache2/sites-enabled/000-bwlp-default.conf
+
+if ! id bwlp; then
+	adduser --disabled-password --comment 'bwlp-user' bwlp
+fi
+
+echo "SHARED_SECRET='$secret'" > /opt/bwlp/config
+
+mariadb <<EOF
+CREATE DATABASE IF NOT EXISTS bwlp;
+CREATE USER IF NOT EXISTS 'bwlp'@'localhost';
+SET PASSWORD FOR 'bwlp'@'localhost' = PASSWORD('geheim');
+GRANT ALL PRIVILEGES ON bwlp.* TO 'bwlp'@'localhost';
+EOF
+
+mkdir -p "/home/bwlp/server/config/"
+cp global.properties mysql.properties "/home/bwlp/server/config/"
+chown -R bwlp:bwlp "/home/bwlp/server/"
+chmod -R o-rwx "/home/bwlp/server/config/"
+
+mkdir -p "/var/www/masterserver/webif/"
+cp config.php "/var/www/masterserver/webif/"
+chgrp www-data "/var/www/masterserver/webif/config.php"
+chmod o-rwx "/var/www/masterserver/webif/config.php"
+
+if ! id dnbd3; then
+	adduser --disabled-password --comment 'dnbd3-user' dnbd3
+fi
+if mountpoint /mnt/store; then
+	mkdir -p /mnt/store/dnbd3
+	chown -R dnbd3:dnbd3 /mnt/store/dnbd3
+fi
+
+systemctl daemon-reload
+systemctl enable --now bwlp-check-master.timer bwlp-copy-config.timer
+
+systemctl start bwlp-copy-config.service
+systemctl start bwlp-check-master.service
+
+:
diff --git a/shib_secondary/remote/mysql.properties b/shib_secondary/remote/mysql.properties
new file mode 100644
index 0000000..f6395cd
--- /dev/null
+++ b/shib_secondary/remote/mysql.properties
@@ -0,0 +1,4 @@
+host=localhost
+db=bwlp
+user=bwlp
+password=geheim
diff --git a/shib_secondary/remote/server.conf b/shib_secondary/remote/server.conf
new file mode 100644
index 0000000..5f4ef72
--- /dev/null
+++ b/shib_secondary/remote/server.conf
@@ -0,0 +1,25 @@
+[dnbd3]
+listenPort=5003
+basePath=/mnt/store/dnbd3
+serverPenalty=0
+clientPenalty=5000
+isProxy=true
+removeMissingImages=true
+uplinkTimeout=5000
+clientTimeout=15000
+vmdkLegacyMode=false
+closeUnusedFd=true
+autoFreeDiskSpaceDelay=10h
+ignoreAllocErrors=true
+bgrWindowSize=8
+
+[limits]
+maxPrefetch=512k
+
+; Log related config
+[logging]
+; protip: use SIGUSR2 to reopen log file
+; DEACTIVATED
+;;file=./dnbd3.log
+fileMask=ERROR WARNING MINOR INFO DEBUG1
+consoleMask=ERROR WARNING MINOR INFO
-- 
cgit v1.2.3-55-g7522