[people/pmueller/ipfire-2.x.git] / src / initscripts / helper / azure-setup

#!/bin/bash
###############################################################################
#                                                                             #
# IPFire.org - A linux based firewall                                         #
# Copyright (C) 2007-2022  IPFire Team  <info@ipfire.org>                     #
#                                                                             #
# This program is free software: you can redistribute it and/or modify        #
# it under the terms of the GNU General Public License as published by        #
# the Free Software Foundation, either version 3 of the License, or           #
# (at your option) any later version.                                         #
#                                                                             #
# This program is distributed in the hope that it will be useful,             #
# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
# GNU General Public License for more details.                                #
#                                                                             #
# You should have received a copy of the GNU General Public License           #
# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
#                                                                             #
###############################################################################

. /etc/sysconfig/rc
. ${rc_functions}

# Set PATH to find our own executables
export PATH=/usr/local/sbin:/usr/local/bin:${PATH}

get() {
	local file="${1}"

	wget --timeout=3 --tries=3 -qO - --header="Metadata:true" "http://169.254.169.254/metadata/instance/${file}?api-version=2019-06-01&format=text"
}

format_mac() {
	local mac="${1,,}"

	echo "${mac:0:2}:${mac:2:2}:${mac:4:2}:${mac:6:2}:${mac:8:2}:${mac:10:2}"
}

to_address() {
	local n="${1}"

	local o1=$(( (n & 0xff000000) >> 24 ))
	local o2=$(( (n & 0xff0000) >> 16 ))
	local o3=$(( (n & 0xff00) >> 8 ))
	local o4=$(( (n & 0xff) ))

	printf "%d.%d.%d.%d\n" "${o1}" "${o2}" "${o3}" "${o4}"
}

to_integer() {
	local address="${1}"

	local integer=0

	local i
	for i in ${address//\./ }; do
		integer=$(( (integer << 8) + i ))
	done

	printf "%d\n" "${integer}"
}

prefix2netmask() {
	local prefix=${1}

	local zeros=$(( 32 - prefix ))
	local netmask=0

	local i
	for (( i=0; i<${zeros}; i++ )); do
		netmask=$(( (netmask << 1) ^ 1 ))
	done

	to_address "$(( netmask ^ 0xffffffff ))"
}

import_azure_configuration() {
	local instance_id="$(get compute/vmId)"
	if [ -z "${instance_id}" ]; then
		return 0
	fi

	boot_mesg "Importing Microsoft Azure configuration for instance ${instance_id}..."

	# Store instance ID
	echo "${instance_id}" > /var/run/azure-instance-id

	# Initialise system settings
	local hostname=$(get compute/name)

	# Set hostname
	if ! grep -q "^HOSTNAME=" /var/ipfire/main/settings; then
		echo "HOSTNAME=${hostname%%.*}" >> /var/ipfire/main/settings
	fi

	# Set domainname
	if ! grep -q "^DOMAINNAME=" /var/ipfire/main/settings; then
		echo "DOMAINNAME=${hostname#*.}" >> /var/ipfire/main/settings
	fi

	# Import SSH keys for setup user
	local line
	for line in $(get "compute/publicKeys/"); do
		# Remove trailing slash
		local key_no="${line//\//}"

		# Get the path where this key should be installed
		local path="$(get "compute/publicKeys/${key_no}/path")"
		local key="$(get "compute/publicKeys/${key_no}/keyData")"

		local user
		if [[ "${path}" =~ ^/home ]]; then
			user="${path:6}"
			user="${user%%/*}"
		else
			# Cannot process this user
			continue
		fi

		# Create user if it does not exist
		if ! getent passwd "${user}" &>/dev/null; then
			useradd "${user}" -s /usr/bin/run-setup -g nobody -m

			# Unlock the account
			usermod -p "x" "${user}"
		fi

		if [ -n "${key}" ] && ! grep -q "^${key}$" "${path}" 2>/dev/null; then
			local dir="$(dirname "${path}")"

			# Install directory
			mkdir -p "${dir}"
			chmod 700 "${dir}"
			chown "${user}.nobody" "${dir}"

			# Install the key
			echo "${key}" >> "${path}"
			chmod 600 "${path}"
			chown "${user}.nobody" "${path}"
		fi
	done

	# Download the user-data script only on the first boot
	if [ ! -e "/var/ipfire/main/firstsetup_ok" ]; then
		# Download user-data
		local user_data="$(get customData)"

		# Save user-data script to be executed later
		if [ "${user_data:0:2}" = "#!" ]; then
			echo "${user_data}" > /tmp/azure-user-data.script
			chmod 700 /tmp/azure-user-data.script

			# Run the user-data script
			local now="$(date -u +"%s")"
			/tmp/azure-user-data.script &>/var/log/user-data.log.${now}

			# Delete the script right away
			rm /tmp/azure-user-data.script
		fi
	fi

	# Import network configuration
	# After this, no network connectivity will be available from this script due to the
	# renaming of the network interfaces for which they have to be shut down
	local config_type=1
	: > /var/ipfire/ethernet/settings

	local device_number
	for device_number in $(get network/interface); do
		# Remove trailing slash
		device_number="${device_number//\//}"

		local mac="$(get "network/interface/${device_number}/macAddress")"
		mac="$(format_mac "${mac}")"

		# First IPv4 address
		local ipv4_address="$(get "network/interface/${device_number}/ipv4/ipAddress/0/privateIpAddress")"
		local ipv4_address_num="$(to_integer "${ipv4_address}")"
		local prefix="$(get "network/interface/${device_number}/ipv4/subnet/0/prefix")"
		local netmask="$(prefix2netmask "${prefix}")"

		# Get the network address
		local netaddress="$(get "network/interface/${device_number}/ipv4/subnet/0/address")"
		local netaddress_num="$(to_integer "${netaddress}")"

		case "${device_number}" in
			# RED
			0)
				local interface_name="red0"

				# The gateway is always the first IP address in the subnet
				local gateway="$(to_address $(( netaddress_num + 1 )))"

				(
					echo "RED_TYPE=STATIC"
					echo "RED_DEV=${interface_name}"
					echo "RED_MACADDR=${mac}"
					echo "RED_DESCRIPTION='${interface_id}'"
					echo "RED_ADDRESS=${ipv4_address}"
					echo "RED_NETMASK=${netmask}"
					echo "RED_NETADDRESS=${netaddress}"
					echo "DEFAULT_GATEWAY=${gateway}"
				) >> /var/ipfire/ethernet/settings

				# Import aliases for RED
				local address_no
				for address_no in $(get "network/interface/0/ipv4/ipAddress"); do
					# Remove trailing slash
					address_no="${address_no//\//}"

					# Skip the first address
					[ "${address_no}" = "0" ] && continue

					# Fetch the IP address
					local alias="$(get "network/interface/0/ipv4/ipAddress/${address_no}/privateIpAddress")"
					echo "${alias},on,"
				done > /var/ipfire/ethernet/aliases
				;;

			# GREEN
			1)
				local interface_name="green0"

				(
					echo "GREEN_DEV=${interface_name}"
					echo "GREEN_MACADDR=${mac}"
					echo "GREEN_DESCRIPTION='${interface_id}'"
					echo "GREEN_ADDRESS=${ipv4_address}"
					echo "GREEN_NETMASK=${netmask}"
					echo "GREEN_NETADDRESS=${netaddress}"
				) >> /var/ipfire/ethernet/settings
				;;

			# ORANGE
			2)
				local interface_name="orange0"
				config_type=2

				(
					echo "ORANGE_DEV=${interface_name}"
					echo "ORANGE_MACADDR=${mac}"
					echo "ORANGE_DESCRIPTION='${interface_id}'"
					echo "ORANGE_ADDRESS=${ipv4_address}"
					echo "ORANGE_NETMASK=${netmask}"
					echo "ORANGE_NETADDRESS=${netaddress}"
				) >> /var/ipfire/ethernet/settings
				;;
		esac
	done

	# Save CONFIG_TYPE
	echo "CONFIG_TYPE=${config_type}" >> /var/ipfire/ethernet/settings

	# Actions performed only on the very first start
	if [ ! -e "/var/ipfire/main/firstsetup_ok" ]; then
		# Disable using ISP nameservers
		sed -e "s/^USE_ISP_NAMESERVERS=.*/USE_ISP_NAMESERVERS=off/" -i /var/ipfire/dns/settings

		# Enable SSH
		sed -e "s/ENABLE_SSH=.*/ENABLE_SSH=on/g" -i /var/ipfire/remote/settings

		# Disable SSH password authentication
		sed -e "s/^ENABLE_SSH_PASSWORDS=.*/ENABLE_SSH_PASSWORDS=off/" -i /var/ipfire/remote/settings

		# Enable SSH key authentication
		sed -e "s/^ENABLE_SSH_KEYS=.*/ENABLE_SSH_KEYS=on/" -i /var/ipfire/remote/settings

		# Apply SSH settings
		/usr/local/bin/sshctrl

		# Mark SSH to start immediately (but not right now)
		touch /var/ipfire/remote/enablessh
		chown nobody:nobody /var/ipfire/remote/enablessh

		# Firewall rules for SSH and WEBIF
		(
			echo "1,ACCEPT,INPUTFW,ON,std_net_src,ALL,ipfire,RED1,,TCP,,,ON,,,cust_srv,SSH,,,,,,,,,,,00:00,00:00,,AUTO,,dnat,,,,,second"
			echo "2,ACCEPT,INPUTFW,ON,std_net_src,ALL,ipfire,RED1,,TCP,,,ON,,,TGT_PORT,444,,,,,,,,,,,00:00,00:00,,AUTO,,dnat,,,,,second"
		) >> /var/ipfire/firewall/input

		# This script has now completed the first steps of setup
		touch /var/ipfire/main/firstsetup_ok
	fi

	# All done
	echo_ok
}

case "${reason}" in
	PREINIT)
		# Bring up the interface
		ip link set "${interface}" up
		;;

	BOUND|RENEW|REBIND|REBOOT)
		# Remove any previous IP addresses
		ip addr flush dev "${interface}"

		# Add (or re-add) the new IP address
		ip addr add "${new_ip_address}/${new_subnet_mask}" dev "${interface}"

		# Add the default route
		ip route add default via "${new_routers}"

		# Setup DNS
		for domain_name_server in ${new_domain_name_servers}; do
			echo "nameserver ${domain_name_server}"
		done > /etc/resolv.conf

		# The system is online now
		touch /var/ipfire/red/active

		# Import Azure configuration
		import_azure_configuration
		;;

	EXPIRE|FAIL|RELEASE|STOP)
		# The system is no longer online
		rm -f /var/ipfire/red/active

		# Remove all IP addresses
		ip addr flush dev "${interface}"

		# Shut down the interface
		ip link set "${interface}" down
		;;

	*)
		echo "Unhandled reason: ${reason}" >&2
		exit 2
		;;
esac

# Terminate
exit 0
Commit	Line	Data
acf47bfa	1	#!/bin/bash
66c36198 PM	2	###############################################################################
	3	# #
	4	# IPFire.org - A linux based firewall #
	5	# Copyright (C) 2007-2022 IPFire Team <info@ipfire.org> #
	6	# #
	7	# This program is free software: you can redistribute it and/or modify #
	8	# it under the terms of the GNU General Public License as published by #
	9	# the Free Software Foundation, either version 3 of the License, or #
	10	# (at your option) any later version. #
	11	# #
	12	# This program is distributed in the hope that it will be useful, #
	13	# but WITHOUT ANY WARRANTY; without even the implied warranty of #
	14	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
	15	# GNU General Public License for more details. #
	16	# #
	17	# You should have received a copy of the GNU General Public License #
	18	# along with this program. If not, see <http://www.gnu.org/licenses/>. #
	19	# #
	20	###############################################################################
acf47bfa MT	21
	22	. /etc/sysconfig/rc
	23	. ${rc_functions}
	24
	25	# Set PATH to find our own executables
	26	export PATH=/usr/local/sbin:/usr/local/bin:${PATH}
	27
	28	get() {
	29	local file="${1}"
	30
5b17fea8	31	wget --timeout=3 --tries=3 -qO - --header="Metadata:true" "http://169.254.169.254/metadata/instance/${file}?api-version=2019-06-01&format=text"
acf47bfa MT	32	}
	33
	34	format_mac() {
	35	local mac="${1,,}"
	36
abccd997	37	echo "${mac:0:2}:${mac:2:2}:${mac:4:2}:${mac:6:2}:${mac:8:2}:${mac:10:2}"
acf47bfa MT	38	}
	39
	40	to_address() {
	41	local n="${1}"
	42
	43	local o1=$(( (n & 0xff000000) >> 24 ))
	44	local o2=$(( (n & 0xff0000) >> 16 ))
	45	local o3=$(( (n & 0xff00) >> 8 ))
	46	local o4=$(( (n & 0xff) ))
	47
	48	printf "%d.%d.%d.%d\n" "${o1}" "${o2}" "${o3}" "${o4}"
	49	}
	50
	51	to_integer() {
	52	local address="${1}"
	53
	54	local integer=0
	55
	56	local i
	57	for i in ${address//\./ }; do
	58	integer=$(( (integer << 8) + i ))
	59	done
	60
	61	printf "%d\n" "${integer}"
	62	}
	63
	64	prefix2netmask() {
	65	local prefix=${1}
	66
	67	local zeros=$(( 32 - prefix ))
	68	local netmask=0
	69
	70	local i
	71	for (( i=0; i<${zeros}; i++ )); do
	72	netmask=$(( (netmask << 1) ^ 1 ))
	73	done
	74
	75	to_address "$(( netmask ^ 0xffffffff ))"
	76	}
	77
	78	import_azure_configuration() {
	79	local instance_id="$(get compute/vmId)"
26eab1fe MT	80	if [ -z "${instance_id}" ]; then
	81	return 0
	82	fi
acf47bfa MT	83
	84	boot_mesg "Importing Microsoft Azure configuration for instance ${instance_id}..."
	85
	86	# Store instance ID
	87	echo "${instance_id}" > /var/run/azure-instance-id
	88
	89	# Initialise system settings
	90	local hostname=$(get compute/name)
	91
	92	# Set hostname
	93	if ! grep -q "^HOSTNAME=" /var/ipfire/main/settings; then
	94	echo "HOSTNAME=${hostname%%.*}" >> /var/ipfire/main/settings
	95	fi
	96
	97	# Set domainname
	98	if ! grep -q "^DOMAINNAME=" /var/ipfire/main/settings; then
	99	echo "DOMAINNAME=${hostname#*.}" >> /var/ipfire/main/settings
	100	fi
	101
	102	# Import SSH keys for setup user
	103	local line
	104	for line in $(get "compute/publicKeys/"); do
	105	# Remove trailing slash
	106	local key_no="${line//\//}"
	107
	108	# Get the path where this key should be installed
	109	local path="$(get "compute/publicKeys/${key_no}/path")"
	110	local key="$(get "compute/publicKeys/${key_no}/keyData")"
	111
	112	local user
	113	if [[ "${path}" =~ ^/home ]]; then
	114	user="${path:6}"
	115	user="${user%%/*}"
	116	else
	117	# Cannot process this user
	118	continue
	119	fi
	120
	121	# Create user if it does not exist
	122	if ! getent passwd "${user}" &>/dev/null; then
	123	useradd "${user}" -s /usr/bin/run-setup -g nobody -m
	124
	125	# Unlock the account
	126	usermod -p "x" "${user}"
	127	fi
	128
	129	if [ -n "${key}" ] && ! grep -q "^${key}$" "${path}" 2>/dev/null; then
	130	local dir="$(dirname "${path}")"
	131
	132	# Install directory
	133	mkdir -p "${dir}"
	134	chmod 700 "${dir}"
	135	chown "${user}.nobody" "${dir}"
	136
	137	# Install the key
	138	echo "${key}" >> "${path}"
	139	chmod 600 "${path}"
	140	chown "${user}.nobody" "${path}"
	141	fi
	142	done
	143
	144	# Download the user-data script only on the first boot
	145	if [ ! -e "/var/ipfire/main/firstsetup_ok" ]; then
	146	# Download user-data
147	local user_data="$(get customData)"
148
149	# Save user-data script to be executed later
150	if [ "${user_data:0:2}" = "#!" ]; then
151	echo "${user_data}" > /tmp/azure-user-data.script
152	chmod 700 /tmp/azure-user-data.script
153
154	# Run the user-data script
155	local now="$(date -u +"%s")"
156	/tmp/azure-user-data.script &>/var/log/user-data.log.${now}
157
158	# Delete the script right away
159	rm /tmp/azure-user-data.script
160	fi
161	fi
162
acf47bfa MT	163	# Import network configuration
	164	# After this, no network connectivity will be available from this script due to the
	165	# renaming of the network interfaces for which they have to be shut down
	166	local config_type=1
	167	: > /var/ipfire/ethernet/settings
	168
	169	local device_number
	170	for device_number in $(get network/interface); do
	171	# Remove trailing slash
	172	device_number="${device_number//\//}"
	173
	174	local mac="$(get "network/interface/${device_number}/macAddress")"
	175	mac="$(format_mac "${mac}")"
	176
	177	# First IPv4 address
	178	local ipv4_address="$(get "network/interface/${device_number}/ipv4/ipAddress/0/privateIpAddress")"
	179	local ipv4_address_num="$(to_integer "${ipv4_address}")"
	180	local prefix="$(get "network/interface/${device_number}/ipv4/subnet/0/prefix")"
	181	local netmask="$(prefix2netmask "${prefix}")"
acf47bfa	182
b67f02d5	183	# Get the network address
acf47bfa MT	184	local netaddress="$(get "network/interface/${device_number}/ipv4/subnet/0/address")"
acf47bfa MT	185	local netaddress_num="$(to_integer "${netaddress}")"
acf47bfa MT	186
	187	case "${device_number}" in
	188	# RED
	189	0)
	190	local interface_name="red0"
	191
	192	# The gateway is always the first IP address in the subnet
	193	local gateway="$(to_address $(( netaddress_num + 1 )))"
	194
acf47bfa MT	195	(
	196	echo "RED_TYPE=STATIC"
	197	echo "RED_DEV=${interface_name}"
	198	echo "RED_MACADDR=${mac}"
	199	echo "RED_DESCRIPTION='${interface_id}'"
	200	echo "RED_ADDRESS=${ipv4_address}"
	201	echo "RED_NETMASK=${netmask}"
	202	echo "RED_NETADDRESS=${netaddress}"
acf47bfa	203	echo "DEFAULT_GATEWAY=${gateway}"
acf47bfa MT	204	) >> /var/ipfire/ethernet/settings
	205
	206	# Import aliases for RED
	207	local address_no
	208	for address_no in $(get "network/interface/0/ipv4/ipAddress"); do
	209	# Remove trailing slash
	210	address_no="${address_no//\//}"
	211
	212	# Skip the first address
	213	[ "${address_no}" = "0" ] && continue
	214
	215	# Fetch the IP address
	216	local alias="$(get "network/interface/0/ipv4/ipAddress/${address_no}/privateIpAddress")"
	217	echo "${alias},on,"
	218	done > /var/ipfire/ethernet/aliases
	219	;;
	220
	221	# GREEN
	222	1)
	223	local interface_name="green0"
	224
	225	(
	226	echo "GREEN_DEV=${interface_name}"
	227	echo "GREEN_MACADDR=${mac}"
	228	echo "GREEN_DESCRIPTION='${interface_id}'"
	229	echo "GREEN_ADDRESS=${ipv4_address}"
	230	echo "GREEN_NETMASK=${netmask}"
	231	echo "GREEN_NETADDRESS=${netaddress}"
acf47bfa MT	232	) >> /var/ipfire/ethernet/settings
	233	;;
	234
	235	# ORANGE
	236	2)
	237	local interface_name="orange0"
	238	config_type=2
	239
	240	(
	241	echo "ORANGE_DEV=${interface_name}"
	242	echo "ORANGE_MACADDR=${mac}"
	243	echo "ORANGE_DESCRIPTION='${interface_id}'"
	244	echo "ORANGE_ADDRESS=${ipv4_address}"
	245	echo "ORANGE_NETMASK=${netmask}"
	246	echo "ORANGE_NETADDRESS=${netaddress}"
acf47bfa MT	247	) >> /var/ipfire/ethernet/settings
	248	;;
	249	esac
	250	done
	251
	252	# Save CONFIG_TYPE
	253	echo "CONFIG_TYPE=${config_type}" >> /var/ipfire/ethernet/settings
	254
	255	# Actions performed only on the very first start
	256	if [ ! -e "/var/ipfire/main/firstsetup_ok" ]; then
88cb5eb1 MT	257	# Disable using ISP nameservers
	258	sed -e "s/^USE_ISP_NAMESERVERS=.*/USE_ISP_NAMESERVERS=off/" -i /var/ipfire/dns/settings
	259
acf47bfa MT	260	# Enable SSH
	261	sed -e "s/ENABLE_SSH=.*/ENABLE_SSH=on/g" -i /var/ipfire/remote/settings
	262
	263	# Disable SSH password authentication
	264	sed -e "s/^ENABLE_SSH_PASSWORDS=.*/ENABLE_SSH_PASSWORDS=off/" -i /var/ipfire/remote/settings
	265
	266	# Enable SSH key authentication
	267	sed -e "s/^ENABLE_SSH_KEYS=.*/ENABLE_SSH_KEYS=on/" -i /var/ipfire/remote/settings
	268
	269	# Apply SSH settings
	270	/usr/local/bin/sshctrl
	271
	272	# Mark SSH to start immediately (but not right now)
	273	touch /var/ipfire/remote/enablessh
	274	chown nobody:nobody /var/ipfire/remote/enablessh
	275
	276	# Firewall rules for SSH and WEBIF
	277	(
	278	echo "1,ACCEPT,INPUTFW,ON,std_net_src,ALL,ipfire,RED1,,TCP,,,ON,,,cust_srv,SSH,,,,,,,,,,,00:00,00:00,,AUTO,,dnat,,,,,second"
	279	echo "2,ACCEPT,INPUTFW,ON,std_net_src,ALL,ipfire,RED1,,TCP,,,ON,,,TGT_PORT,444,,,,,,,,,,,00:00,00:00,,AUTO,,dnat,,,,,second"
	280	) >> /var/ipfire/firewall/input
	281
	282	# This script has now completed the first steps of setup
	283	touch /var/ipfire/main/firstsetup_ok
	284	fi
	285
	286	# All done
	287	echo_ok
	288	}
	289
	290	case "${reason}" in
	291	PREINIT)
	292	# Bring up the interface
	293	ip link set "${interface}" up
	294	;;
	295
	296	BOUND\|RENEW\|REBIND\|REBOOT)
	297	# Remove any previous IP addresses
	298	ip addr flush dev "${interface}"
	299
	300	# Add (or re-add) the new IP address
	301	ip addr add "${new_ip_address}/${new_subnet_mask}" dev "${interface}"
	302
	303	# Add the default route
	304	ip route add default via "${new_routers}"
	305
	306	# Setup DNS
	307	for domain_name_server in ${new_domain_name_servers}; do
	308	echo "nameserver ${domain_name_server}"
	309	done > /etc/resolv.conf
	310
	311	# The system is online now
	312	touch /var/ipfire/red/active
	313
	314	# Import Azure configuration
	315	import_azure_configuration
	316	;;
	317
	318	EXPIRE\|FAIL\|RELEASE\|STOP)
	319	# The system is no longer online
	320	rm -f /var/ipfire/red/active
	321
	322	# Remove all IP addresses
	323	ip addr flush dev "${interface}"
324
325	# Shut down the interface
326	ip link set "${interface}" down
327	;;
328
329	*)
330	echo "Unhandled reason: ${reason}" >&2
331	exit 2
332	;;
333	esac
334
335	# Terminate
336	exit 0