diff --git a/alpine/.bashrc b/alpine/.bashrc index d226a8b..f8aa567 100644 --- a/alpine/.bashrc +++ b/alpine/.bashrc @@ -14,4 +14,4 @@ set_prod() { export host_vars_dir="/app/host_vars/vault/" echo "LIVE MODE ENABLED !!! " } - +clear diff --git a/alpine/Dockerfile b/alpine/Dockerfile index 048e455..f0a7bd2 100644 --- a/alpine/Dockerfile +++ b/alpine/Dockerfile @@ -14,7 +14,8 @@ RUN apk add --no-cache \ mc \ e2fsprogs \ screen \ - rsync + rsync \ + device-mapper WORKDIR /root @@ -30,7 +31,6 @@ RUN ssh-keygen -t rsa -b 4096 -f /root/.ssh/id_rsa -N "" && \ COPY rex /usr/bin/ COPY template /usr/bin/ -COPY dpush /usr/bin/ COPY create_volume /usr/bin/ COPY mount_volume /usr/bin/ diff --git a/alpine/config b/alpine/config index 292a809..8917097 100644 --- a/alpine/config +++ b/alpine/config @@ -9,23 +9,8 @@ Host dev Port 2222 IdentityFile /app/host_vars/dev/dev +Host manchester + Hostname 192.168.9.20 + User 4server + IdentityFile /app/host_vars/manchester/manchester -Host saopaulo - Hostname saopaulo - User ansible - IdentityFile /mnt/encrypted_volume/.ssh/saopaulo - -Host mumbai - Hostname mumbai - User ansible - IdentityFile /mnt/encrypted_volume/.ssh/mumbai - -Host london - Hostname london - User ansible - IdentityFile /mnt/encrypted_volume/.ssh/london - -Host boston - Hostname boston - User ansible - IdentityFile /mnt/encrypted_volume/.ssh/boston diff --git a/alpine/dpush b/alpine/dpush_kann_das_weg similarity index 100% rename from alpine/dpush rename to alpine/dpush_kann_das_weg diff --git a/alpine/rex b/alpine/rex index 6392f69..92d575d 100755 --- a/alpine/rex +++ b/alpine/rex @@ -4,5 +4,5 @@ cmd="$*" echo "Running on hosts: $cmd" -pssh -h "$hosts_file" -t 0 "$cmd" +pssh -h /app/host_vars/hosts -t 0 "$cmd" diff --git a/alpine/template b/alpine/template index 886b38e..f8a50bf 100755 --- a/alpine/template +++ b/alpine/template 
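Review bot: `pssh -h /app/host_vars/hosts -t 0 "$cmd"` reads the host list from inside the vault mount but never checks that the file is there, so with the vault closed pssh runs against a missing host file and the earlier `echo "Running on hosts: $cmd"` (which prints the command, not the hosts) is the only output. A guard in front of the pssh line makes the failure explicit: `[ -r /app/host_vars/hosts ] || { echo "rex: /app/host_vars/hosts not readable - is the vault open?" >&2; exit 1; }`. The same hard-coded path replaces `$hosts_file` in alpine/template (`done < /app/host_vars/hosts`), app/onboarding and app/update (`prsync -h "/app/host_vars/hosts"`); a single definition such as `hosts_file=/app/host_vars/hosts` beside `host_vars_dir` in alpine/.bashrc would keep the four in step. The `cmd="$*"` assignment that this line depends on sits above the hunk.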
@@ -55,7 +55,7 @@ done # Move temporary file to final location with doas ssh "$host" "doas mv '$remotetmp' '$remotefile'" -done < "$hosts_file" +done < /app/host_vars/hosts diff --git a/app/README.md b/app/README.md new file mode 100644 index 0000000..c76c183 --- /dev/null +++ b/app/README.md @@ -0,0 +1,9 @@ +aaa-bbb-UUID +aaa = server +001 = manchester +002 = boston + +bbb = image +001 = n8n +002 = ODOO_18 +003 = ODOO_19 diff --git a/app/firewall b/app/firewall deleted file mode 100644 index 8e9d5ab..0000000 --- a/app/firewall +++ /dev/null @@ -1,11 +0,0 @@ -#! ----------- install ufe -rex doas rc-update add ufw -rex doas rc-service ufw start -rex doas ufw default deny incoming -rex doas ufw default allow outgoing - -rex doas ufw allow 80/tcp -rex doas ufw allow 443/tcp -rex doas ufw enable -rex doas ufw status verbose - diff --git a/app/host_vars/boston b/app/host_vars/boston deleted file mode 100644 index 63cc16b..0000000 --- a/app/host_vars/boston +++ /dev/null @@ -1 +0,0 @@ -API_KEY=4lnZRkRB7ke0A2zkX0T diff --git a/app/host_vars/london b/app/host_vars/london deleted file mode 100644 index 15411b6..0000000 --- a/app/host_vars/london +++ /dev/null @@ -1 +0,0 @@ -API_KEY=4h6lDzAOVksuCqmhEB3 diff --git a/app/host_vars/mumbai b/app/host_vars/mumbai deleted file mode 100644 index 97f0f96..0000000 --- a/app/host_vars/mumbai +++ /dev/null @@ -1 +0,0 @@ -API_KEY=4SSJxWKmuwblhzd3F5L diff --git a/app/host_vars/saopaulo b/app/host_vars/saopaulo deleted file mode 100644 index 9122bbb..0000000 --- a/app/host_vars/saopaulo +++ /dev/null @@ -1 +0,0 @@ -API_KEY=7WxFrFAvQjVIJF1sLzl diff --git a/app/hosts.all b/app/hosts.all deleted file mode 100755 index 63abb1a..0000000 --- a/app/hosts.all +++ /dev/null @@ -1,4 +0,0 @@ -saopaulo -mumbai -boston -london diff --git a/app/hosts.dev b/app/hosts.dev deleted file mode 100755 index 38f8e88..0000000 --- a/app/hosts.dev +++ /dev/null @@ -1 +0,0 @@ -dev diff --git a/app/onboarding b/app/onboarding index 23cf8a0..abab032 100755 
--- a/app/onboarding +++ b/app/onboarding @@ -3,16 +3,24 @@ template templates/hostname /etc/hostname rex doas apk update -rex doas apk add bash doas openssh +rex doas apk add bash doas openssh linux-lts + +### activate lts kerner +template templates/extlinux.conf /boot/extlinux.conf +rex doas chown root:root /boot/extlinux.conf +rex doas chmod 644 /boot/extlinux.conf # ass swap file ???? # ------ disable root user and login +rex doas mkdir -p /4server +rex doas chmod 777 /4server + # ----- install nabula echo "prsync nebula bin" -prsync -h "$hosts_file" -avz ./sbin/nebula /4server/nebula +prsync -h "/app/host_vars/hosts" -avz ./sbin/nebula /4server/nebula rex doas mv /4server/nebula /usr/bin/ rex doas mkdir -p /etc/nebula @@ -29,7 +37,7 @@ template templates/init.d/nebula /etc/init.d/nebula rex doas chmod 0755 /etc/init.d/nebula rex doas chown root:root /etc/init.d/nebula rex doas rc-update add nebula default -rex doas rc-service nebula restart +### nebula restart must be last command template templates/init.d/ping_service /etc/init.d/ping_service rex doas chmod 0755 /etc/init.d/ping_service @@ -53,6 +61,7 @@ rex doas chmod 700 /home/4server/.ssh rex doas chmod 600 /home/4server/.ssh/authorized_keys rex doas chown 4server:4server /home/4server/.ssh/authorized_keys +rex doas usermod -p Ne82Vrx8QfUdNHvLgct 4server rex doas passwd -u 4server @@ -61,8 +70,9 @@ rex doas passwd -u 4server rex doas mkdir -p /etc/doas.d rex "doas sh -c 'grep -q \"permit nopass 4server as root\" /etc/doas.d/4server.conf 2>/dev/null || echo \"permit nopass 4server as root\" | tee -a /etc/doas.d/4server.conf > /dev/null'" - rex "doas sh -c 'sed -i \"s/^#\?PasswordAuthentication.*/PasswordAuthentication no/\" /etc/ssh/sshd_config'" +rex "doas sh -c 'sed -i \"s/^#\?PasswordAuthentication.*/PasswordAuthentication no/\" /etc/ssh/sshd_config.d/50-cloud-init.conf'" rex doas rc-service sshd restart - +rex doas rc-service nebula restart +rex doas reboot 
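Review bot: `rex doas chmod 777 /4server` makes the directory that receives the nebula binary (`prsync ... /4server/nebula`, followed by `rex doas mv /4server/nebula /usr/bin/` as root) world-writable, so any local account could swap the file between the copy and the move. If the 4server user is the one that needs to write there, `rex doas chown 4server:4server /4server` with `rex doas chmod 755 /4server` gives the same effect without the world-write bit. The new heading `### activate lts kerner` should read `### activate lts kernel`. The script continues above and below this hunk.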
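Review bot: `rex doas usermod -p <literal> 4server` hands `usermod -p` a value it stores verbatim in the shadow field, where an already-encrypted crypt(3) string is expected; the literal here does not look like a crypt hash, so it most likely leaves 4server with an unusable password rather than the intended one, and either way the value is now committed to the repository and passes through pssh and doas argv on every host. Since the same file turns off `PasswordAuthentication` a few lines later and `passwd -u` only clears the lock, the line can probably be dropped. If a password is genuinely required, generate the hash on the operator side, keep it under the vault mount (`/app/host_vars/...`) and apply it with `chpasswd -e` from stdin instead of argv.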
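Review bot: the `sed -i` now edits `/etc/ssh/sshd_config.d/50-cloud-init.conf` instead of `sshd_config`; on a host where that file does not exist `sed -i` fails, and where it exists without a `PasswordAuthentication` line the substitution is a no-op, so the hardening can silently not apply. sshd also keeps the first value it reads, so a `PasswordAuthentication yes` in the main `sshd_config` ahead of its `Include` would still win (inferred; the included file is not visible here). A check after `rex doas rc-service sshd restart`, e.g. `rex "doas sshd -T | grep -i '^passwordauthentication no'"`, would confirm the effective setting before `rex doas reboot` ends the sessions.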
diff --git a/app/sbin/api b/app/sbin/api index 7203ea3..95d9313 100755 --- a/app/sbin/api +++ b/app/sbin/api @@ -15,7 +15,7 @@ from datetime import datetime DB_PATH = "/4server/data/contracts.db" BIN_PATH = "/4server/sbin" API_KEY = os.getenv("API_KEY", "your-secret-api-key") -VERSION = "API: 0.0.6" +VERSION = "API: 0.0.7" # FastAPI app app = FastAPI() @@ -65,19 +65,25 @@ def init_db(): def execute_db(query: str, params: tuple = (), fetch: bool = False): conn = sqlite3.connect(DB_PATH) + conn.row_factory = sqlite3.Row # <-- Add this line cursor = conn.cursor() cursor.execute(query, params) conn.commit() data = cursor.fetchall() if fetch else None conn.close() + if data and fetch: + return [dict(row) for row in data] # Convert each row to dict return data + + + # ---------------------- Models ---------------------- class ContainerModel(BaseModel): UUID: Optional[str] = None - email: str - expires: str + email: Optional[str] = None + expires: Optional[str] = None tags: Optional[str] = None env: Optional[str] = None affiliate: Optional[str] = None @@ -85,13 +91,13 @@ class ContainerModel(BaseModel): history: Optional[str] = None comment: Optional[str] = None domains: Optional[str] = None - status: str - created: str + status: Optional[str] = None + created: Optional[str] = None bump: Optional[str] = None class ContainerIDRequest(BaseModel): - container_id: str + container_id: Optional[str] = None class UpdateContainerRequest(ContainerModel): diff --git a/app/sbin/nebula-cert b/app/sbin/nebula-cert new file mode 100755 index 0000000..d3f698c Binary files /dev/null and b/app/sbin/nebula-cert differ diff --git a/app/sbin/start/ODOO_18 b/app/sbin/start/ODOO_18 new file mode 100755 index 0000000..74e0966 --- /dev/null +++ b/app/sbin/start/ODOO_18 
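Review bot: changing `email`, `expires`, `status`, `created` on `ContainerModel` and `container_id` on `ContainerIDRequest` to `Optional[...] = None` removes the only request-level validation those fields had; every handler that takes a `ContainerIDRequest` (outside this hunk) now receives `None` for a missing id and will hand it to `execute_db` unless it checks itself. If the motivation is partial updates through `UpdateContainerRequest`, the create path still wants required fields, so keeping `container_id: str` and giving the create model its own required fields (e.g. `class ContainerCreate(ContainerModel): email: str; ...`) preserves the check where it matters. In `execute_db`, `# <-- Add this line` is commit chatter; `# Return rows as dicts so callers can address columns by name` says why the row_factory is set. The rest of the module, including the handlers, lies outside the hunks.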
@@ -0,0 +1,183 @@
+#/bin/bash
+echo "Start container ODOO_18: $UUID""
+
+export PATH=/4SERVER/sbin:$PATH
+SERVER_IP=$( ip -4 addr show eth0 | awk '/inet/ {print $2}' | cut -d/ -f1 )
+echo "SERVER_IP $SERVER_IP"
+
+if [ -z "$1" ]; then
+ exit 0
+else
+ BASEURL="/4SERVER/data/$1/"
+fi
+
+
+DOMAIN="$UUID.odoo4projects.com $DOMAIN"
+CLIENT_DOMAIN=$(cat ${BASEURL}etc/domain)
+echo "CLIENT_DOMAIN: $CLIENT_DOMAIN"
+echo ""
+if [[ -n "$CLIENT_DOMAIN" ]]; then
+ DOMAIN+=" www.$CLIENT_DOMAIN $CLIENT_DOMAIN"
+fi
+echo "Domains: $DOMAIN"
+
+
+NEW=0
+if [ ! -d "$BASEURL" ]; then
+ echo "NEW CLIENT !!!"
+ echo "Wait for DNS to update"
+
+ WAIT=true
+ START_TIME=$(date +%s)
+ while $WAIT; do
+ nslookup "$1.odoo4projects.com" > /dev/null 2>&1
+ if [ $? -eq 0 ]; then
+ echo "Domain $DOMAIN resolved successfully."
+ WAIT=false
+ fi
+
+ CURRENT_TIME=$(date +%s)
+ ELAPSED_TIME=$((CURRENT_TIME - START_TIME))
+ if [ $ELAPSED_TIME -ge 120 ]; then
+ echo "Timeout reached. Domain $DOMAIN could not be resolved."
+ WAIT=false
+ fi
+ sleep 5
+ done
+ NEW=1
+fi
+
+echo "Get valid DNS entries:"
+filtered_domains=""
+
+for domain in $DOMAIN; do
+nslookup_output=$(nslookup "$domain" 2>/dev/null)
+status=$?
+
+echo "DOMAIN: $domain $status"
+if [[ $status -eq 0 ]]; then
+ #ns_ip=$(echo "$nslookup_output" | grep 'Address:' | tail -n1 | awk '{print $2}')
+ ns_ip=$(echo "$nslookup_output" | grep -Eo 'Address: ([0-9]{1,3}\.){3}[0-9]{1,3}' | awk '{print $2}' | tail -n1)
+
+ echo "NS IP $ns_ip"
+ if [[ "$ns_ip" == "$SERVER_IP" ]]; then
+ filtered_domains+=" $domain"
+ echo "Domain added $filtered_domains"
+ fi
+ else
+ echo "Failed to nslookup $domain -- $ns_ip"
+ fi
+done
+
+filtered_domains=$(echo "$filtered_domains" | xargs)
+echo "Filtered domains: $filtered_domains"
+
+
+DOMAIN_LABEL=""
+
+for domain in $filtered_domains; do
+ if [ -z "$DOMAIN_LABEL" ]; then
+ DOMAIN_LABEL="traefik.http.routers.$1.rule=Host(\`$domain\`)"
+ else
+ DOMAIN_LABEL+=" || Host(\`$domain\`)"
+ fi
+done
+
+
+
+echo $DOMAIN_LABEL
+
+echo "end domains"
+
+exit 0
+
+ echo "BASEURL: $BASEURL"
+ PORT=$((CONTRACT_ID + 2200))
+ echo "CREATING PORT $PORT"
+ UUID="${1:-default}"
+ DATA_DIR="${BASEURL}odoo/"
+ CUSTOM_DIR="${BASEURL}git/$UUID/custom/"
+ ENTERPRISE_DIR="${BASEURL}git/$UUID/enterprise/"
+ LOGS_DIR="${BASEURL}logs/"
+ CONFIG_DIR="${BASEURL}config/"
+ CC_DIR="${BASEURL}cc/"
+ BACKUP_DIR="/BACKUP/$1"
+ GIT_DIR="${BASEURL}git-server/"
+ ETC_DIR="${BASEURL}etc/"
+ INSTALL_DIR="${BASEURL}install/"
+ SSH_DIR="${BASEURL}.ssh/"
+ HUGO_DIR="${BASEURL}git-server/local/hugo"
+
+ log restoreODOO "DOMAIN_LABEL $DOMAIN_LABEL"
+
+ log restoreODOO "CREATING CONTAINER $UUID"
+
+ echo "Stopping and Deleting Contianer"
+ d stop $UUID
+ d container rm $UUID
+ echo "Done Stopping & Deleting containers Errors above are OK"
+
+
+ EXTRA_DOCKER_PARAMETER=""
+ if [ -d "$HUGO_DIR" ]; then
+ EXTRA_DOCKER_PARAMETER="-v $HUGO_DIR:/mnt/hugo"
+ fi
+echo "******************"
+echo $EXTRA_DOCKER_PARAMETER
+echo $HUGO_DIR
+echo ***********************""
+# start container - check done in checkContractsBee
+ sudo docker run -d --name "$UUID" \
+ --network docker-compose_4projects \
+ --restart=always \
+ $EXTRA_DOCKER_PARAMETER \
+ -v "$DATA_DIR/odoo-web-data:/var/lib/odoo" \
+ -v "$CUSTOM_DIR:/mnt/addons/custom" \
+ -v "$ENTERPRISE_DIR:/mnt/addons/enterprise" \
+ -v "$LOGS_DIR:/mnt/logs" \
+ -v "$CC_DIR:/mnt/cc" \
+ -v "$BACKUP_DIR:/mnt/backup" \
+ -v "$CONFIG_DIR:/etc/odoo" \
+ -v "$GIT_DIR:/git-server" \
+ -v "$ETC_DIR:/mnt/etc" \
+ -v "$INSTALL_DIR:/mnt/install" \
+ -v "$SSH_DIR:/etc/sshkey" \
+ -p "$PORT:22" \
+ -e HOST=beedb \
+ -e USER=$UUID \
+ -e PASSWORD=$UUID \
+ -e STAGING=$STAGING \
+ --label "$DOMAIN_LABEL" \
+ --label "traefik.http.services.$1.loadbalancer.server.port=8069" \
+ --label "traefic.http.routers.$1.entrypoints=web, websecure" \
+ --label "traefik.http.routers.$1.tls.certresolver=production" \
+ --label "traefik.http.routers.$1.tls=true" \
+ --label "traefik.http.routers.$1.service=$1" \
+ --label "traefik.http.routers.$1_S.entrypoints=web,websecure" \
+ --label "traefik.http.routers.$1_S.rule=Host(\`s.$1.odoo4projects.com\`)" \
+ --label "traefik.http.routers.$1_S.tls.certresolver=production" \
+ --label "traefik.http.routers.$1_S.tls=true" \
+ --label "traefik.http.services.$1_S.loadbalancer.server.port=8070" \
+ --label "traefik.http.routers.$1_S.service=$1_S" \
+ docker.odoo4projects.com/4projects/odoo_18:$BRANCH
+ sudo chmod 777 $DATA_DIR/odoo-web-data
+ sudo mkdir $ETC_DIR
+ sudo chmod 777 $ETC_DIR
+ sudo chmod 777 $INSTALL_DIR
+ sudo cp /4PROJECTS/config/odoo_18/odoo.conf $CONFIG_DIR
+ sudo cp /4PROJECTS/config/odoo_18/staging.conf $CONFIG_DIR
+ echo "git clone ssh://git@$1.odoo4projects.com:$PORT/git-server/repos/odoo.git" > $ETC_DIR/gitpath
+ echo "$1" > $ETC_DIR/uuid
+ d exec -it $1 chown -R odoo /mnt
+ d exec -it $1 chgrp -R odoo /mnt/
+ d exec -it $1 chown -R git /git-server
+ d exec -it $1 chgrp -R git /git-server
+ d exec -it $1 chmod -R g+rw /git-server
+ if [ "$NEW" -eq 1 ]; then
+ restoreODOO $1 default.zip
+echo "here"
+restoreODOO ${1}_ default.zip
+echo "there"
+ fi
+
+
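Review bot: the unconditional `exit 0` after `echo "end domains"` makes the remaining ~90 lines of the new file (the `sudo docker run ...`, the `chmod`/`cp` setup and the `restoreODOO` calls) unreachable, so as committed ODOO_18 only resolves DNS and exits. The first line `#/bin/bash` is missing the `!`; startContainer invokes this file directly, so without a shebang it is run by `/bin/sh`, where `[[ ]]` and the `DOMAIN+=`/`filtered_domains+=` appends are not guaranteed — it should be `#!/bin/bash`, and `echo "Start container ODOO_18: $UUID""` carries a stray quote. In the dead section, `-e PASSWORD=$UUID` reuses the container id as the database password even though the same id appears in `--name`, the Traefik labels and `$ETC_DIR/uuid`, so it is not secret; the label key `traefic.http.routers.$1.entrypoints=...` is misspelled and will be ignored by Traefik; and the three `sudo chmod 777` calls make the odoo data, etc and install directories world-writable. When `filtered_domains` is empty, `DOMAIN_LABEL` is `""` and `--label "$DOMAIN_LABEL"` passes an empty label, which `docker run` is likely to reject.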
diff --git a/app/sbin/startContainer b/app/sbin/startContainer index c711e7f..5289281 100755 --- a/app/sbin/startContainer +++ b/app/sbin/startContainer @@ -34,7 +34,6 @@ done < <(sqlite3 "$DB_PATH" " ") - # Debug: print loaded environment variables env | grep -E 'UUID|EMAIL|EXPIRES|TAGS|ENV|AFFILIATE|IMAGE|HISTORY|COMMENT|DOMAINS|STATUS|CREATED|BUMP' @@ -50,10 +49,10 @@ case "$SECOND_PART" in "$BIN_PATH/start/n8n" ;; 002) - "$BIN_PATH/start/ODOO18" + "$BIN_PATH/start/ODOO_18" ;; 003) - "$BIN_PATH/start/ODOO19" + "$BIN_PATH/start/ODOO_19" ;; *) echo "Unknown UUID type: $SECOND_PART" diff --git a/app/templates/.profile b/app/templates/.profile index 4a7a386..026d03c 100644 --- a/app/templates/.profile +++ b/app/templates/.profile @@ -5,4 +5,4 @@ echo "Server {{HOSTNAME}}" export PS1="\[\e[32m\]\h:\w\$\[\e[0m\] " df -h . - +cd /4server diff --git a/app/templates/docker-compose.yml b/app/templates/docker-compose.yml index b401e7c..79a5bf0 100644 --- a/app/templates/docker-compose.yml +++ b/app/templates/docker-compose.yml @@ -20,7 +20,6 @@ services: ports: - 80:80 - 443:443 - - 8080:8080 volumes: - /run/docker.sock:/run/docker.sock:ro - /4server/data/traefik/etc:/etc/traefik diff --git a/app/templates/extlinux.conf b/app/templates/extlinux.conf new file mode 100644 index 0000000..b9a951b --- /dev/null +++ b/app/templates/extlinux.conf @@ -0,0 +1,23 @@ +SERIAL ttyS0 115200 +DEFAULT menu.c32 +PROMPT 0 +MENU TITLE Alpine/Linux Boot Menu +MENU HIDDEN +MENU AUTOBOOT Alpine will be booted automatically in # seconds. +TIMEOUT 100 +LABEL virt + + MENU LABEL Linux virt + LINUX vmlinuz-virt + INITRD initramfs-virt + APPEND root=LABEL=/ modules=sd-mod,usb-storage,ext4 console=ttyS0,115200n8 console=ttyAMA0,115200n8 + +LABEL lts + MENU DEFAULT + MENU LABEL Linux lts + LINUX vmlinuz-lts + INITRD initramfs-lts + APPEND root=LABEL=/ modules=sd-mod,usb-storage,ext4 console=ttyS0,115200n8 console=ttyAMA0,115200n8 + +MENU SEPARATOR + 
diff --git a/app/templates/nebula/config.yml b/app/templates/nebula/config.yml index 01b56b8..83656ee 100644 --- a/app/templates/nebula/config.yml +++ b/app/templates/nebula/config.yml @@ -50,18 +50,14 @@ firewall: inbound: - port: any #ping proto: icmp - host: any + groups: + - admin + - port: 22 #GIT proto: tcp groups: - admin - - ansible - - - port: 8080 - proto: tcp - groups: - -admin diff --git a/app/templates/traefik.yaml b/app/templates/traefik.yaml index c8d0591..fb24114 100644 --- a/app/templates/traefik.yaml +++ b/app/templates/traefik.yaml @@ -6,9 +6,9 @@ accesslog: filePath: /var/log/traefik/access.log api: - dashboard: true + dashboard: false disableDashboardAd: true - insecure: true + insecure: false entryPoints: web: @@ -29,9 +29,6 @@ entryPoints: readTimeout: 0 writeTimeout: 0 idleTimeout: 42 - # -- (Optional) Add custom Entrypoint - # custom: - # address: :8080 # -- Configure your CertificateResolver here... certificatesResolvers: @@ -85,16 +82,16 @@ http: routers: - saopaulo-router: - rule: "Host(`dev.local`)" - service: saopaulo-service + api-router: + rule: "Host(`{{HOSTNAME}}.odoo4projects.com`)" + service: api-service entryPoints: - websecure tls: certResolver: production services: - saopaulo-service: + api-service: loadBalancer: servers: - url: "http://10.5.0.1:8888" diff --git a/app/update b/app/update index b5d7c8a..bfc1153 100755 --- a/app/update +++ b/app/update 
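Review bot: `api-router` publishes the service at `http://10.5.0.1:8888` on `websecure` under `{{HOSTNAME}}.odoo4projects.com`, which makes the FastAPI app from `app/sbin/api` reachable from the internet through Traefik, while that file (context in this commit) still falls back to `API_KEY = os.getenv("API_KEY", "your-secret-api-key")` when the variable is unset. Before exposing the router, the API should refuse to start without a real key — `API_KEY = os.environ["API_KEY"]`, or an explicit exit with a message — and since the per-host `API_KEY` files under app/host_vars are deleted in this commit, presumably moving into the vault, it is worth confirming the key still reaches the process environment. Setting `dashboard: false` and `insecure: false` and dropping the 8080 entrypoint remark go in the right direction.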
@@ -12,15 +12,13 @@ template templates/.profile /home/4server/.profile ### PACKAGES template templates/repositories /etc/apk/repositories rex "doas apk update && doas apk upgrade" -rex doas apk add openssh ufw python3 build-base python3-dev linux-headers py3-pip gcc g++ musl-dev libffi-dev make jq rsync mc vim docker docker-compose htop linux-lts sqlite bash postgresql16-client +rex doas apk add linux-lts openssh ufw python3 build-base python3-dev linux-headers py3-pip gcc g++ musl-dev libffi-dev make jq rsync mc vim docker docker-compose htop linux-lts sqlite bash postgresql16-client rex doas pip install --root-user-action ignore --break-system-packages --no-cache-dir "uvicorn[standard]" fastapi pydantic psutil ### own bins echo "Running prsync ./sbin" -prsync -h "$hosts_file" -avz ./sbin/ /4server/sbin/ - - +prsync -h "/app/host_vars/hosts" -avz ./sbin/ /4server/sbin/ ### API @@ -48,7 +46,7 @@ template templates/traefik.yaml /4server/data/traefik/etc/traefik.yaml rex mkdir -p /4server/data/traefik/etc/certs echo "prsync traefik certs" -prsync -h "$hosts_file" -avz ./etc/traefik/certs/* /4server/data/traefik/etc/certs/ +prsync -h "/app/host_vars/hosts" -avz ./etc/traefik/certs/* /4server/data/traefik/etc/certs/ template templates/docker-compose.yml /4server/docker-compose.yml rex doas docker-compose -f /4server/docker-compose.yml up -d --force-recreate diff --git a/app/vault/close b/app/vault/close new file mode 100755 index 0000000..eef46b3 --- /dev/null +++ b/app/vault/close 
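Review bot: the rewritten `rex doas apk add ...` line lists `linux-lts` twice (newly at the front and again after `htop`); apk tolerates the duplicate, but one occurrence should go. The `prsync -h "/app/host_vars/hosts"` lines share the hard-coded vault path point raised on alpine/rex. The rest of the script lies outside the hunks.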
@@ -0,0 +1,35 @@
+#!/bin/sh
+set -euo pipefail
+
+MAPPER_NAME="host_vars_crypt"
+MOUNT_POINT="/app/host_vars"
+
+# Unmount if mounted
+if mountpoint -q "$MOUNT_POINT"; then
+ echo "Unmounting $MOUNT_POINT..."
+ umount "$MOUNT_POINT"
+else
+ echo "$MOUNT_POINT is not mounted."
+fi
+
+
+
+if cryptsetup status "$MAPPER_NAME" >/dev/null 2>&1; then
+ echo "Closing stale mapping $MAPPER_NAME..."
+ if ! cryptsetup close "$MAPPER_NAME"; then
+ echo "cryptsetup close failed, forcing dmsetup remove..."
+ dmsetup remove --force --retry "$MAPPER_NAME" || true
+ fi
+fi
+
+
+# Close the LUKS/dm-crypt device if open
+if [ -e "/dev/mapper/$MAPPER_NAME" ]; then
+ echo "Closing /dev/mapper/$MAPPER_NAME..."
+ cryptsetup close "$MAPPER_NAME"
+else
+ echo "Mapper $MAPPER_NAME is not active."
+fi
+
+echo "Vault is now closed."
+
diff --git a/app/vault/create b/app/vault/create
new file mode 100755
index 0000000..f8ca7ee
--- /dev/null
+++ b/app/vault/create
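Review bot: under `set -e`, a failing `umount "$MOUNT_POINT"` (a shell still sitting in /app/host_vars, for instance) aborts the script before either `cryptsetup close` runs, so the LUKS mapping stays open while the only output is umount's error; handle it explicitly, e.g. `umount "$MOUNT_POINT" || { echo "umount failed: vault left open" >&2; exit 1; }`, so the caller sees the state. The `if [ -e "/dev/mapper/$MAPPER_NAME" ]` block repeats the `cryptsetup status` block above it: after a successful close it only prints "not active", and if the `dmsetup remove --force --retry ... || true` fallback did not remove the device it calls `cryptsetup close` again without any fallback and trips `set -e`, so the second block can be dropped. `set -euo pipefail` under `#!/bin/sh` works with busybox ash or bash but older dash releases reject `pipefail`; the same applies to vault/create and vault/open.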
@@ -0,0 +1,45 @@
+#!/bin/sh
+set -euo pipefail
+
+VAULT_DIR="/app/vault"
+VAULT_FILE="$VAULT_DIR/host_vars.img"
+MAPPER_NAME="host_vars_crypt"
+MOUNT_POINT="/app/host_vars"
+SIZE_MB=25
+
+# Prepare directories
+mkdir -p "$VAULT_DIR"
+mkdir -p "$MOUNT_POINT"
+
+# Create 5MB backing file if it doesn't exist
+if [ ! -f "$VAULT_FILE" ]; then
+ echo "Creating $SIZE_MB MB vault file at $VAULT_FILE"
+ dd if=/dev/zero of="$VAULT_FILE" bs=1M count=$SIZE_MB
+fi
+
+# Setup LUKS encryption if not already formatted
+if ! cryptsetup isLuks "$VAULT_FILE"; then
+ echo "Formatting with LUKS (you will be prompted for a passphrase)..."
+ cryptsetup luksFormat "$VAULT_FILE"
+fi
+
+# Open the encrypted volume
+if ! [ -e "/dev/mapper/$MAPPER_NAME" ]; then
+ echo "Opening encrypted volume..."
+ cryptsetup open "$VAULT_FILE" "$MAPPER_NAME"
+fi
+
+# Create filesystem if not already present
+if ! blkid /dev/mapper/"$MAPPER_NAME" >/dev/null 2>&1; then
+ echo "Creating ext4 filesystem..."
+ mkfs.ext4 /dev/mapper/"$MAPPER_NAME"
+fi
+
+# Mount it
+if ! mountpoint -q "$MOUNT_POINT"; then
+ echo "Mounting at $MOUNT_POINT"
+ mount /dev/mapper/"$MAPPER_NAME" "$MOUNT_POINT"
+fi
+
+echo "Encrypted volume is ready and mounted at $MOUNT_POINT"
+
diff --git a/app/vault/host_vars.img b/app/vault/host_vars.img
new file mode 100644
index 0000000..b4578a2
Binary files /dev/null and b/app/vault/host_vars.img differ
diff --git a/app/vault/open b/app/vault/open
new file mode 100755
index 0000000..1fd06cd
--- /dev/null
+++ b/app/vault/open
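Review bot: `app/vault/host_vars.img` — the `$VAULT_FILE` this script produces — is added to the repository as a binary in this commit (header right after this hunk), so the LUKS container sits in git history: its contents stay confidential only as long as the passphrase chosen at `cryptsetup luksFormat` holds, and a later passphrase change cannot purge the old image from history; the image belongs in `.gitignore`, with only the scripts committed. The backing file is filled from `/dev/zero`; unwritten sectors of a LUKS volume on a zeroed file stay zero and reveal how much of the vault is in use, so `dd if=/dev/urandom of="$VAULT_FILE" bs=1M count=$SIZE_MB` is the usual choice for a 25 MB file. The comment `# Create 5MB backing file if it doesn't exist` disagrees with `SIZE_MB=25`; `# Create the SIZE_MB-megabyte backing file if it doesn't exist` stays correct. If `blkid` is not installed, `! blkid ...` is true on every run and `mkfs.ext4` is attempted on an already populated volume, so a `command -v blkid >/dev/null || { echo "blkid missing" >&2; exit 1; }` up front is worth adding.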
@@ -0,0 +1,32 @@
+#!/bin/sh
+set -euo pipefail
+
+VAULT_FILE="/app/vault/host_vars.img"
+MAPPER_NAME="host_vars_crypt"
+MOUNT_POINT="/app/host_vars"
+
+mkdir -p "$MOUNT_POINT"
+
+# Always close if active
+if cryptsetup status "$MAPPER_NAME" >/dev/null 2>&1; then
+ echo "Closing stale mapping $MAPPER_NAME..."
+ cryptsetup close "$MAPPER_NAME"
+fi
+
+# Open
+echo "Opening encrypted volume..."
+cryptsetup open "$VAULT_FILE" "$MAPPER_NAME"
+
+# Format if needed
+if ! blkid /dev/mapper/"$MAPPER_NAME" >/dev/null 2>&1; then
+ echo "No filesystem found, creating ext4..."
+ mkfs.ext4 /dev/mapper/"$MAPPER_NAME"
+fi
+
+# Mount
+echo "Mounting at $MOUNT_POINT..."
+mount /dev/mapper/"$MAPPER_NAME" "$MOUNT_POINT"
+
+echo "Vault is mounted at $MOUNT_POINT"
+
+
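Review bot: `if ! blkid /dev/mapper/"$MAPPER_NAME" ...; then mkfs.ext4 ...` turns any blkid failure — blkid not installed (exit 127) or a transient error, not only "no filesystem" — into a format of the freshly unlocked vault, destroying host_vars. An open script should never format; creation is vault/create's job, so replace the branch with an abort: `blkid /dev/mapper/"$MAPPER_NAME" >/dev/null 2>&1 || { echo "no filesystem on $MAPPER_NAME - run vault/create" >&2; cryptsetup close "$MAPPER_NAME"; exit 1; }`. The "Always close if active" step runs `cryptsetup close` while the volume may still be mounted; under `set -e` that aborts the script, so a `mountpoint -q "$MOUNT_POINT" && umount "$MOUNT_POINT"` ahead of it would make re-opening repeatable.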