initial import

2024-03-17 12:53:54 -05:00 · 2024-03-17 12:53:54 -05:00 · 4b70c0023c
commit 4b70c0023c
parent 3ed58b0021
48 changed files with 1540 additions and 0 deletions
--- a/bin/jailstat.sh
+++ b/bin/jailstat.sh
@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+#
+# Get list of fail2ban jails and print status of each
+#
+# SPDX-License-Identifier: MIT
+
+# fail2ban-client requires root
+if [[ $(id -u) -ne 0 ]]; then
+  echo "Must run as root user"
+  exit 1
+fi
+
+## there's a tab after "list:"
+## fail2ban-client status ->
+# Status
+# |- Number of jail:	3
+# `- Jail list:	nginx-4xx, nginx-limit-req, sshd
+
+JAILS=$(fail2ban-client status | \
+  awk -F: '/list/{gsub(/, /," ",$2);gsub(/^[ \t]+/,"",$2);print $2}'
+)
+
+for jail in ${JAILS}; do
+  fail2ban-client status "${jail}"
+done
+
--- a/bin/teabak.sh
+++ b/bin/teabak.sh
@ -0,0 +1,67 @@
+#!/usr/bin/env bash
+#
+# Create Gitea backups
+#
+# Prep
+#  groupadd --system bkp
+#  mkdir /var/xyzzy/backup
+#  chmod 0750 /var/xyzzy/backup
+#  chown git:bkp /var/xyzzy/backup
+#
+# SPDX-License-Identifier: MIT
+
+_VERSION="0.0.2"
+
+BDTS=$(date +"%Y%m%d%H%M")
+BDIR="/var/xyzzy/backup"
+BFILE="${BDIR}/gitea-${BDTS}"
+
+# gitea dump adds ".tar.xz" to the name dynamically
+BDMP="${BDIR}/gitea-${BDTS}.tar.xz"
+BGRP="bkp"
+
+GCNF="/var/xyzzy/etc/gitea/app.ini"
+GBIN="/var/xyzzy/bin/gitea"
+GDATA="/var/xyzzy/gitea"
+
+# healthchecks.io ping URL upon success, uses curl - "none" to disable
+HCPING="none"
+
+# delete backups older than
+#  see 'man find'; "+3" = 3*24h ago
+BDEL="-mtime +3"
+
+# we need to chgrp/chmod to a foreign group
+if [[ $(id -u) -ne 0 ]]; then
+  echo "Must run as root user"
+  exit 1
+fi
+
+# just to be sure
+cd "${BDIR}" || (echo "Cannot cd to ${BDIR}"; exit 1)
+
+# runuser exits with the error code of the command
+_EC=1
+runuser -u git -- "${GBIN}" dump --config "${GCNF}" --tempdir "${BDIR}" \
+  --work-path "${GDATA}" --skip-log --type tar.xz --file "${BFILE}"
+_EC=$?
+
+# post processing
+if [[ $_EC -eq 0 ]]; then
+  # gitea dump writes git:git 0600
+  if [[ -f "${BDMP}" ]]; then
+    chgrp "${BGRP}" "${BDMP}"
+    chmod 0640 "${BDMP}"
+  fi
+  # delete older than BDEL backups
+  # shellcheck disable=SC2086
+  find "${BDIR}" -type f ${BDEL} \
+    -regextype egrep \
+    -regex '.*/gitea-[0-9]{12}\.tar\.xz' \
+    -delete
+  # ping healthchecks.io
+  if [[ "${HCPING}" != "none" ]]; then
+    curl -fsS -m 10 --retry 5 -o /dev/null "${HCPING}"
+  fi
+fi
+
--- a/bin/teaup.sh
+++ b/bin/teaup.sh
@ -0,0 +1,144 @@
+#!/usr/bin/env bash
+# shellcheck disable=SC2164,SC2181
+#
+# Upgrade gitea binary
+# - run this under sudo as it replaces and restarts gitea
+# - "gitea" is a symlink to the numbered github download binary
+# - allows for quick rollback if needed
+# - e.g.: 'ln -s gitea-1.16.3-linux-amd64 gitea'
+#
+# Exit codes
+#  0 = Success (already newest or upgrade worked)
+#  1 = curl failed to download new version
+#  2 = sha256sum check failed on download
+#  3 = "gitea" wasn't a symlink
+#  4 = upgrade version check failed, gitea not restarted
+#  5 = could not change directory to run sha256sum
+#  6 = cannot determine Gitea version info
+#  20 = not running under sudo (see TEA_SUDO)
+#  21 = gitea upgraded but not restarted (see TEA_HUP)
+#  22 = gitea upgrade downloaded only (see TEA_LINK)
+#
+# Requires: curl, awk, grep, sha256sum
+# Debug: bash -x /path/to/script.sh
+#
+# SPDX-License-Identifier: MIT
+
+_VERSION="0.0.1"
+
+# symlink name used to run gitea (e.g. "gitea")
+TEA_SYM="gitea"
+# where the binary is located (e.g. "/usr/local/bin")
+TEA_DIR="/var/xyzzy/bin"
+# 0 = verbose status, 1 = silent and rely on exit codes
+TEA_QUIET=0
+
+# require running this script under sudo, 0 to disable
+TEA_SUDO=1
+# restart gitea using TEA_CMD, 0 to disable
+TEA_HUP=0
+# replace symlink, 0 to disable (download only, implies TEA_HUP=0)
+TEA_LINK=1
+# command to restart gitea (e.g. "systemctl restart gitea")
+TEA_CMD="systemctl restart gitea"
+
+# github API endpoint to get latest version
+TEA_API="https://api.github.com/repos/go-gitea/gitea/releases/latest"
+# github download base URL to prepend with version info
+TEA_DLB="https://github.com/go-gitea/gitea/releases/download"
+# architecture being used, matches download name
+TEA_ARCH="linux-amd64"
+
+function noise() {
+  if [[ ${TEA_QUIET} -eq 0 ]]; then
+    echo "$*"
+  fi
+}
+
+if [[ ${TEA_SUDO} -eq 1 ]]; then
+  if [[ $(id -u) -ne 0 ]]; then
+    noise "Run this script as root (sudo)"
+    exit 20
+  fi
+fi
+
+# disable curl download progress if in quiet mode
+_COPT=""
+if [[ ${TEA_QUIET} -eq 1 ]]; then
+  _COPT="-s"
+fi
+
+noise "Checking gitea..."
+
+# get installed version
+_LOCAL=$("${TEA_DIR}/${TEA_SYM}" -version | awk '{print $3}')
+# get latest version, strip leading "v" (v1.55.1 -> 1.55.1)
+_REMOTE=$(curl -s "${TEA_API}" | grep -Po '"tag_name": "\K.*?(?=")')
+_REMOTE=${_REMOTE#v}
+
+# API failed, can't run local binary, etc. - something went wrong
+if [[ -z "${_LOCAL}" || -z "${_REMOTE}" ]]; then
+  noise "Cannot determine Gitea version information"
+  exit 6
+fi
+
+# bash doesn't see versions as numbers, but as strings
+if [[ "${_LOCAL}" != "${_REMOTE}" ]]; then
+  _TEA_NAME="gitea-${_REMOTE}-${TEA_ARCH}"
+  noise "Upgrading gitea - installed ${_LOCAL}, latest ${_REMOTE}"
+  # curl will handle a failure being able to write to output dir, etc.
+  curl ${_COPT} -L --output-dir "${TEA_DIR}" --remote-name-all \
+    "${TEA_DLB}/v${_REMOTE}/${_TEA_NAME}" \
+    "${TEA_DLB}/v${_REMOTE}/${_TEA_NAME}.sha256"
+  if [[ $? -eq 0 ]]; then
+    # downloads were successful and written to disk
+    pushd "$(pwd)" >/dev/null
+    cd "${TEA_DIR}" || (noise "Cannot cd to ${TEA_DIR}"; exit 5)
+    noise "Checking sha256sum..."
+    sha256sum --status -c "${_TEA_NAME}.sha256"
+    if [[ $? -eq 0 ]]; then
+      # sha256sum check passed
+      chmod +x "${_TEA_NAME}"
+      if [[ ${TEA_LINK} -eq 1 ]]; then
+        # user requested replacing symlink
+        if [[ -h "${TEA_SYM}" ]]; then
+          noise "Replacing symlink..."
+          rm -f "${TEA_SYM}"
+          ln -s "${_TEA_NAME}" "${TEA_SYM}"
+          # trust, but verify
+          _TEA_NEW=$("${TEA_DIR}/${TEA_SYM}" -version | awk '{print $3}')
+          if [[ "${_TEA_NEW}" == "${_REMOTE}" ]]; then
+            noise "Gitea binary/symlink upgraded to ${_TEA_NEW}"
+            if [[ ${TEA_HUP} -eq 1 ]]; then
+              # user requested restart
+              noise "Restarting gitea..."
+              ${TEA_CMD}
+            else
+              noise "Gitea needs restarted"
+              exit 21
+            fi
+          else
+            noise "Upgrade failed, not restarting gitea"
+            exit 4
+          fi
+        else
+          noise "${TEA_SYM} is not a symlink, not overwriting"
+          exit 3
+        fi
+      else
+        noise "Gitea ${_TEA_NAME} downloaded, ready to upgrade"
+        exit 22
+      fi
+    else
+      noise "Download of ${_TEA_NAME} failed sha256sum, not upgrading"
+      exit 2
+    fi
+    popd >/dev/null
+  else
+    noise "Download of ${_TEA_NAME} and sha256 failed, not upgrading"
+    exit 1
+  fi
+else
+  noise "Installed gitea is the latest - ${_LOCAL}"
+fi
+