wip

2021-06-20 01:49:25 +02:00 · 2021-06-20 01:49:25 +02:00 · 0a9f3493b9
commit 0a9f3493b9
parent a19ce59c51
9 changed files with 86 additions and 4 deletions
--- a/bundles/archive/files/get_file
+++ b/bundles/archive/files/get_file
@ -0,0 +1,10 @@
+#!/bin/bash
+
+FILENAME=$1
+TMPFILE=$(mktemp /tmp/archive_file.XXXXXXXXXX)
+BUCKET=$(cat /etc/gcloud/gcloud.json | jq -r .bucket)
+NODE=$(cat /etc/archive/archive.json | jq -r .node_name)
+MASTERKEY=$(cat /etc/gocryptfs/masterkey)
+
+gsutil cat "gs://$BUCKET/$NODE$FILENAME" > "$TMPFILE"
+/opt/gocryptfs-inspect/gocryptfs.py --aessiv --config=/etc/gocryptfs/gocryptfs.conf --masterkey="$MASTERKEY" "$TMPFILE"
--- a/bundles/archive/files/validate_file
+++ b/bundles/archive/files/validate_file
@ -0,0 +1,15 @@
+#!/bin/bash
+
+FILENAME=$1
+
+ARCHIVE=$(/opt/archive/get_file "$FILENAME" | sha256sum)
+ORIGINAL=$(cat "$FILENAME" | sha256sum)
+
+if [[ "$ARCHIVE" == "$ORIGINAL" ]]
+then
+  echo "OK"
+  exit 0
+else
+  echo "ERROR"
+  exit 1
+fi
--- a/bundles/archive/items.py
+++ b/bundles/archive/items.py
@ -1,8 +1,25 @@
 assert node.has_bundle('gcloud')
 assert node.has_bundle('gocryptfs')
+assert node.has_bundle('gocryptfs-inspect')
 assert node.has_bundle('systemd')

-files['/opt/archive'] = {
+from json import dumps
+
+directories['/opt/archive'] = {}
+directories['/etc/archive'] = {}
+
+files['/etc/archive/archive.json'] = {
+    'content': dumps(
+        {
+            'node_name': node.name,
+            **node.metadata.get('archive'),
+        },
+        indent=4,
+        sort_keys=True
+    ),
+}
+
+files['/opt/archive/archive'] = {
    'content_type': 'mako',
    'mode': '700',
    'context': {
@ -16,3 +33,10 @@ files['/opt/archive'] = {
    ],
 }
    
+files['/opt/archive/get_file'] = {
+    'mode': '700',
+}
+
+files['/opt/archive/validate_file'] = {
+    'mode': '700',
+}
--- a/bundles/archive/metadata.py
+++ b/bundles/archive/metadata.py
@ -1,4 +1,9 @@
 defaults = {
+    'apt': {
+        'packages': {
+            'jq': {},
+        },
+    },
    'archive': {
        'paths': {},
    },
--- a/bundles/gcloud/README.md
+++ b/bundles/gcloud/README.md
@ -1,6 +1,7 @@
 ```
 gcloud projects add-iam-policy-binding sublimity-182017 --member 'serviceAccount:backup@sublimity-182017.iam.gserviceaccount.com' --role 'roles/storage.objectViewer'
 gcloud projects add-iam-policy-binding sublimity-182017 --member 'serviceAccount:backup@sublimity-182017.iam.gserviceaccount.com' --role 'roles/storage.objectCreator'
+gcloud projects add-iam-policy-binding sublimity-182017 --member 'serviceAccount:backup@sublimity-182017.iam.gserviceaccount.com' --role 'roles/storage.objectAdmin'
 gsutil -o "GSUtil:parallel_process_count=3" -o GSUtil:parallel_thread_count=4 -m rsync -r -d -e /var/vmail gs://sublimity-backup/mailserver
 gsutil config
 gsutil versioning set on gs://sublimity-backup
--- a/bundles/gcloud/items.py
+++ b/bundles/gcloud/items.py
@ -1,9 +1,22 @@
 from os.path import join
+from json import dumps

 service_account = node.metadata.get('gcloud/service_account')
 project = node.metadata.get('gcloud/project')

-files[f'/root/.config/gcloud/service_account.json'] = {
+directories[f'/etc/gcloud'] = {
+    'purge': True,
+}
+
+files['/etc/gcloud/gcloud.json'] = {
+    'content': dumps(
+        node.metadata.get('gcloud'),
+        indent=4,
+        sort_keys=True
+    ),
+}
+
+files['/etc/gcloud/service_account.json'] = {
    'content': repo.vault.decrypt_file(
        join(repo.path, 'data', 'gcloud', 'service_accounts', f'{service_account}@{project}.json.enc')
    ),
@ -14,10 +27,10 @@ files[f'/root/.config/gcloud/service_account.json'] = {
 }

 actions['gcloud_activate_service_account'] = {
-    'command': 'gcloud auth activate-service-account --key-file /root/.config/gcloud/service_account.json',
+    'command': 'gcloud auth activate-service-account --key-file /etc/gcloud/service_account.json',
    'unless': f"gcloud auth list | grep -q '^\*[[:space:]]*{service_account}@{project}.iam.gserviceaccount.com'",
    'needs': [
-        f'file:/root/.config/gcloud/service_account.json'
+        f'file:/etc/gcloud/service_account.json'
    ],
 }

--- a/bundles/gocryptfs-inspect/items.py
+++ b/bundles/gocryptfs-inspect/items.py
@ -0,0 +1,6 @@
+directories['/opt/gocryptfs-inspect'] = {}
+
+git_deploy['/opt/gocryptfs-inspect'] = {
+    'repo': 'https://github.com/slackner/gocryptfs-inspect.git',
+    'rev': 'ecd296c8f014bf18f5889e3cb9cb64807ff6b9c4',
+}
--- a/bundles/gocryptfs-inspect/metadata.py
+++ b/bundles/gocryptfs-inspect/metadata.py
@ -0,0 +1,7 @@
+defaults = {
+    'apt': {
+        'packages': {
+            'python3-pycryptodome': {},
+        },
+    },
+}
--- a/groups/applications/archive.py
+++ b/groups/applications/archive.py
@ -5,5 +5,6 @@
    'bundles': [
        'archive',
        'gocryptfs',
+        'gocryptfs-inspect',
    ],
 }