From 0a9f3493b9532c317a0d183c98588f1c885b9d03 Mon Sep 17 00:00:00 2001
From: mwiegand
Date: Sun, 20 Jun 2021 01:49:25 +0200
Subject: [PATCH] wip

---
 bundles/archive/files/get_file | 10 ++++++++++
 bundles/archive/files/validate_file | 15 +++++++++++++++
 bundles/archive/items.py | 26 +++++++++++++++++++++++++-
 bundles/archive/metadata.py | 5 +++++
 bundles/gcloud/README.md | 1 +
 bundles/gcloud/items.py | 19 ++++++++++++++++---
 bundles/gocryptfs-inspect/items.py | 6 ++++++
 bundles/gocryptfs-inspect/metadata.py | 7 +++++++
 groups/applications/archive.py | 1 +
 9 files changed, 86 insertions(+), 4 deletions(-)
 create mode 100644 bundles/archive/files/get_file
 create mode 100644 bundles/archive/files/validate_file
 create mode 100644 bundles/gocryptfs-inspect/items.py
 create mode 100644 bundles/gocryptfs-inspect/metadata.py

diff --git a/bundles/archive/files/get_file b/bundles/archive/files/get_file
new file mode 100644
index 0000000..88a60c5
--- /dev/null
+++ b/bundles/archive/files/get_file
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+FILENAME=$1
+TMPFILE=$(mktemp /tmp/archive_file.XXXXXXXXXX)
+BUCKET=$(cat /etc/gcloud/gcloud.json | jq -r .bucket)
+NODE=$(cat /etc/archive/archive.json | jq -r .node_name)
+MASTERKEY=$(cat /etc/gocryptfs/masterkey)
+
+gsutil cat "gs://$BUCKET/$NODE$FILENAME" > "$TMPFILE"
+/opt/gocryptfs-inspect/gocryptfs.py --aessiv --config=/etc/gocryptfs/gocryptfs.conf --masterkey="$MASTERKEY" "$TMPFILE"
diff --git a/bundles/archive/files/validate_file b/bundles/archive/files/validate_file
new file mode 100644
index 0000000..57da963
--- /dev/null
+++ b/bundles/archive/files/validate_file
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+FILENAME=$1
+
+ARCHIVE=$(/opt/archive/get_file "$FILENAME" | sha256sum)
+ORIGINAL=$(cat "$FILENAME" | sha256sum)
+
+if [[ "$ARCHIVE" == "$ORIGINAL" ]]
+then
+ echo "OK"
+ exit 0
+else
+ echo "ERROR"
+ exit 1
+fi
diff --git a/bundles/archive/items.py b/bundles/archive/items.py
index 306ab38..fb42c07 100644
--- a/bundles/archive/items.py
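Review bot: `--masterkey="$MASTERKEY"` on the last line of get_file places the gocryptfs master key in the argument list of gocryptfs.py, where it is readable from the process table by other local users for as long as the decryption runs; the script already reads the key from `/etc/gocryptfs/masterkey`, so if gocryptfs-inspect can take it from a file or from stdin that form should be preferred (its option set is not visible here). The downloaded ciphertext in `$TMPFILE` is never removed, and without `set -euo pipefail` a failed `gsutil cat` leaves an empty temp file that is then handed to the decryptor, with the script's exit status reflecting the decryptor rather than the download. Suggested: `set -euo pipefail` after the shebang and `trap 'rm -f "$TMPFILE"' EXIT` right after the `mktemp` line. A one-line comment on the argument, `# $1: absolute local path; appended to the node prefix to form the object name`, would also help, since `gs://$BUCKET/$NODE$FILENAME` presumably only yields the intended object name when FILENAME starts with a slash.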
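Review bot: validate_file prints `OK` when both inputs are empty, because a missing or unreadable `$FILENAME` makes `cat` produce nothing and a failed `get_file` (download or decrypt error) likewise yields an empty stream, so both `sha256sum` calls hash empty input and the digests match. A guard on the input, `[[ -r "$FILENAME" ]] || { echo "ERROR"; exit 1; }`, plus `set -eo pipefail` so that a failing `get_file` inside the `$(...)` substitution aborts the script instead of being discarded, would close that gap. Reading the local file as `sha256sum < "$FILENAME"` also removes the extra `cat`.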
+++ b/bundles/archive/items.py
@@ -1,8 +1,25 @@
 assert node.has_bundle('gcloud')
 assert node.has_bundle('gocryptfs')
+assert node.has_bundle('gocryptfs-inspect')
 assert node.has_bundle('systemd')
 
-files['/opt/archive'] = {
+from json import dumps
+
+directories['/opt/archive'] = {}
+directories['/etc/archive'] = {}
+
+files['/etc/archive/archive.json'] = {
+ 'content': dumps(
+ {
+ 'node_name': node.name,
+ **node.metadata.get('archive'),
+ },
+ indent=4,
+ sort_keys=True
+ ),
+}
+
+files['/opt/archive/archive'] = {
 'content_type': 'mako',
 'mode': '700',
 'context': {
@@ -16,3 +33,10 @@ files['/opt/archive'] = {
 ],
 }
 
+files['/opt/archive/get_file'] = {
+ 'mode': '700',
+}
+
+files['/opt/archive/validate_file'] = {
+ 'mode': '700',
+}
diff --git a/bundles/archive/metadata.py b/bundles/archive/metadata.py
index 9447382..39b9282 100644
--- a/bundles/archive/metadata.py
+++ b/bundles/archive/metadata.py
@@ -1,4 +1,9 @@
 defaults = {
+ 'apt': {
+ 'packages': {
+ 'jq': {},
+ },
+ },
 'archive': {
 'paths': {},
 },
diff --git a/bundles/gcloud/README.md b/bundles/gcloud/README.md
index c3faf72..7da56af 100644
--- a/bundles/gcloud/README.md
+++ b/bundles/gcloud/README.md
@@ -1,6 +1,7 @@
 ```
 gcloud projects add-iam-policy-binding sublimity-182017 --member 'serviceAccount:backup@sublimity-182017.iam.gserviceaccount.com' --role 'roles/storage.objectViewer'
 gcloud projects add-iam-policy-binding sublimity-182017 --member 'serviceAccount:backup@sublimity-182017.iam.gserviceaccount.com' --role 'roles/storage.objectCreator'
+gcloud projects add-iam-policy-binding sublimity-182017 --member 'serviceAccount:backup@sublimity-182017.iam.gserviceaccount.com' --role 'roles/storage.objectAdmin'
 gsutil -o "GSUtil:parallel_process_count=3" -o GSUtil:parallel_thread_count=4 -m rsync -r -d -e /var/vmail gs://sublimity-backup/mailserver
 gsutil config
 gsutil versioning set on gs://sublimity-backup
diff --git a/bundles/gcloud/items.py b/bundles/gcloud/items.py
index c329b3f..b619fc8 100644
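Review bot: `from json import dumps` in the first hunk of bundles/archive/items.py sits after the `assert node.has_bundle(...)` lines rather than at the top of the file; moving it above the asserts keeps imports where a reader looks for them and matches the placement bundles/gcloud/items.py uses in this same commit. The `archive.json` file item has no `mode`, so it is written with the default permissions; its content is only `node_name` plus the `archive` metadata subtree (the `paths` mapping declared in metadata.py), which looks non-sensitive, but a comment such as `# read by /opt/archive/get_file (.node_name); holds no secrets, default mode is intentional` would record that the choice is deliberate rather than an omission.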
--- a/bundles/gcloud/items.py
+++ b/bundles/gcloud/items.py
@@ -1,9 +1,22 @@
 from os.path import join
+from json import dumps
 
 service_account = node.metadata.get('gcloud/service_account')
 project = node.metadata.get('gcloud/project')
 
-files[f'/root/.config/gcloud/service_account.json'] = {
+directories[f'/etc/gcloud'] = {
+ 'purge': True,
+}
+
+files['/etc/gcloud/gcloud.json'] = {
+ 'content': dumps(
+ node.metadata.get('gcloud'),
+ indent=4,
+ sort_keys=True
+ ),
+}
+
+files['/etc/gcloud/service_account.json'] = {
 'content': repo.vault.decrypt_file(
 join(repo.path, 'data', 'gcloud', 'service_accounts', f'{service_account}@{project}.json.enc')
 ),
@@ -14,10 +27,10 @@ files[f'/root/.config/gcloud/service_account.json'] = {
 }
 
 actions['gcloud_activate_service_account'] = {
- 'command': 'gcloud auth activate-service-account --key-file /root/.config/gcloud/service_account.json',
+ 'command': 'gcloud auth activate-service-account --key-file /etc/gcloud/service_account.json',
 'unless': f"gcloud auth list | grep -q '^\*[[:space:]]*{service_account}@{project}.iam.gserviceaccount.com'",
 'needs': [
- f'file:/root/.config/gcloud/service_account.json'
+ f'file:/etc/gcloud/service_account.json'
 ],
 }
 
diff --git a/bundles/gocryptfs-inspect/items.py b/bundles/gocryptfs-inspect/items.py
new file mode 100644
index 0000000..4466343
--- /dev/null
+++ b/bundles/gocryptfs-inspect/items.py
@@ -0,0 +1,6 @@
+directories['/opt/gocryptfs-inspect'] = {}
+
+git_deploy['/opt/gocryptfs-inspect'] = {
+ 'repo': 'https://github.com/slackner/gocryptfs-inspect.git',
+ 'rev': 'ecd296c8f014bf18f5889e3cb9cb64807ff6b9c4',
+}
diff --git a/bundles/gocryptfs-inspect/metadata.py b/bundles/gocryptfs-inspect/metadata.py
new file mode 100644
index 0000000..b12c65d
--- /dev/null
+++ b/bundles/gocryptfs-inspect/metadata.py
@@ -0,0 +1,7 @@
+defaults = {
+ 'apt': {
+ 'packages': {
+ 'python3-pycryptodome': {},
+ },
+ },
+}
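Review bot: `/etc/gcloud/gcloud.json` is filled with `dumps(node.metadata.get('gcloud'))`, the whole `gcloud` metadata subtree, while the only consumer added in this commit (`bundles/archive/files/get_file`) reads `.bucket`; any key later added under `gcloud` in metadata will land in this file at the default file mode, so either restrict the content to the keys a consumer needs or give the item an explicit `mode`. Moving the service-account key from `/root/.config/gcloud/` to `/etc/gcloud/` also drops the protection that `/root`'s own directory permissions (typically 0700) gave it, so the `mode`/`owner` of `files['/etc/gcloud/service_account.json']`, which lie between the two hunks and are not visible here, now carry that alone and are worth re-checking; nothing in the commit removes the old copy at `/root/.config/gcloud/service_account.json` on nodes already deployed, which a `files['/root/.config/gcloud/service_account.json'] = {'delete': True}` item would do. The `directories[f'/etc/gcloud']` key is an f-string without placeholders, as is `f'file:/etc/gcloud/service_account.json'` in the second hunk; plain strings read cleaner.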
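Review bot: The `git_deploy` item in bundles/gocryptfs-inspect/items.py pins a third-party script that is later handed the gocryptfs master key (see `bundles/archive/files/get_file`) to `ecd296c8f014bf18f5889e3cb9cb64807ff6b9c4`, which is the right thing to do, but nothing records why that commit was chosen or whether it was reviewed; a comment above the `rev` line, `# pinned after review; this code receives the gocryptfs master key, bump deliberately and re-review the upstream diff`, turns the pin into a conscious supply-chain control rather than an arbitrary snapshot. The `python3-pycryptodome` package in the accompanying metadata.py is presumably the runtime dependency of gocryptfs.py; a comment tying it to the tool would help the next maintainer too.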
diff --git a/groups/applications/archive.py b/groups/applications/archive.py
index 5ce7e4a..237d004 100644
--- a/groups/applications/archive.py
+++ b/groups/applications/archive.py
@@ -5,5 +5,6 @@
 'bundles': [
 'archive',
 'gocryptfs',
+ 'gocryptfs-inspect',
 ],
 }