├── LICENSE
├── README.md
├── backup
    ├── apache
    ├── configs
    └── configs-custom
    │   ├── .gitignore
    │   └── README.md
├── config
    ├── jail-create
    ├── jail-ezjail
    ├── jail-syncthing
    ├── jail-turnserver
    └── jail-unifi
├── lib
    ├── shell.common
    ├── shell.io
    └── shell.pkg
├── portsfetch
└── update-host


/LICENSE:
--------------------------------------------------------------------------------
 1 | BSD 3-Clause License
 2 | 
 3 | Copyright (c) 2018, Chris Wells
 4 | All rights reserved.
 5 | 
 6 | Redistribution and use in source and binary forms, with or without
 7 | modification, are permitted provided that the following conditions are met:
 8 | 
 9 | * Redistributions of source code must retain the above copyright notice, this
10 |   list of conditions and the following disclaimer.
11 | 
12 | * Redistributions in binary form must reproduce the above copyright notice,
13 |   this list of conditions and the following disclaimer in the documentation
14 |   and/or other materials provided with the distribution.
15 | 
16 | * Neither the name of the copyright holder nor the names of its
17 |   contributors may be used to endorse or promote products derived from
18 |   this software without specific prior written permission.
19 | 
20 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
21 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
23 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
24 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
26 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
27 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
28 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
29 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
30 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | # freebsd-scripts
  2 | 
  3 | A collection of shell scripts to perform common actions (mostly related to system administration) on FreeBSD.
  4 | 
  5 | Feedback and contributions are welcome!
  6 | 
  7 | ## Scripts
  8 | 
  9 | [backup/apache](backup/apache) backs up Let's Encrypt certs (if present), Apache includes, and the www directory. If Apache is installed in a jail, you can provide the path to the jail to back up from there.
 10 | 
 11 | ---
 12 | 
 13 | [backup/configs](backup/configs) backs up common config files that may have been modified on the system. Includes /etc and /usr/local/etc from the host as well as from inside all jails.
 14 | 
 15 | ---
 16 | 
 17 | [portsfetch](portsfetch) can be used to switch to the current quarterly branch for FreeBSD ports and to update your local ports tree after switching. See [Using Quarterly Ports on FreeBSD](https://chriswells.io/blog/using-quarterly-ports-on-freebsd) for background information and usage instructions.
 18 | 
 19 | ---
 20 | 
 21 | [update-host](update-host) performs a basic update sequence including `freebsd-update` on the host plus a vulnerability audit and upgrade of packages on the host and inside each jail.
 22 | 
 23 | ## Libraries
 24 | 
 25 | Currently, the bulk of this project consists of the scripts in the [lib](lib) directory that provide functions for other scripts to use. I've made changes to make those libraries more flexible before sharing them, and I'll release additional scripts over time as I update them to incorporate those changes.
 26 | 
 27 | ---
 28 | 
 29 | ### shell.common
 30 | 
 31 | [lib/shell.common](lib/shell.common) defines functions frequently used in shell scripts.
 32 | 
 33 | #### General
 34 | 
 35 | * getScriptPath: Returns full path to the current script.
 36 | * importScript: Imports another script.
 37 | * pressEnterTo: Asks the user to press enter to perform an action.
 38 | * requireRootOrExit: Exits the script with an error message if the user is not root or using sudo.
 39 | 
 40 | #### Hashes (Associative Arrays / Dictionaries)
 41 | 
 42 | It includes functions for managing hashes (associative arrays / dictionaries), which are used by other functions in the file:
 43 | 
 44 | * hashContainsKey: Returns result code indicating whether the specified key exists in the hash.
 45 | * hashContainsValue: Returns result code indicating whether the specified value exists in the hash.
 46 | * hashGet: Returns value found for the specified key.
 47 | * hashPut: Adds an item to the hash.
 48 | 
 49 | #### Script Options
 50 | 
 51 | There are limited functions for reading script options such as `-p` and `-param value`, but not `-abc` where all 3 are different options:
 52 | 
 53 | * getOption: Returns the value provided for the specified option.
 54 | * optionIsEnabled: Returns result code indicating whether the specified option was passed to the script.
 55 | * parseScriptOptions: Parses the command line options for the other option functions.
 56 | * setOption: Sets an option. Used by parseScriptOptions, but available to scripts as well.
 57 | 
 58 | #### Note Management
 59 | 
 60 | Finally, a couple of functions that allow scripts to accumulate a list of notes to be shown to the user after the script completes:
 61 | 
 62 | * addNote: Adds a note such as a status message to a file.
 63 | * showNotes: Displays the contents of the notes file and its location to the user.
 64 | 
 65 | ---
 66 | 
 67 | ### shell.io
 68 | 
 69 | [lib/shell.io](lib/shell.io) defines functions commonly used for file input/output.
 70 | 
 71 | #### Utility Functions
 72 | 
 73 | * generateHexString: Returns a random hex string of the requested length (default 8).
 74 | * getTempFileName: Provides a string that can be used as the name of a temp file.
 75 | * runAsScriptInJail: Executes commands as a shell script inside the specified jail.
 76 | 
 77 | #### Text Manipulation
 78 | 
 79 | * escapeAwkSearchText: Returns input string with special characters escaped for awk.
 80 | * escapeForSed: Returns input string with special characters escaped for sed.
 81 | * escapeNewlines: Returns input string with newlines escaped.
 82 | 
 83 | #### File Manipulation
 84 | 
 85 | * appendToFile: Appends text to the end of the specified file.
 86 | * createOrReplaceFile: Creates or replaces the specified file with the provided contents.
 87 | * deleteLine: Deletes the provided line of text from the specified file.
 88 | * insertAfterLine: Inserts the provided text after the specified text.
 89 | * insertBeforeLine: Inserts the provided text before the specified text.
 90 | * replaceLine: Replaces the specified line of text with the provided text.
 91 | * replacePattern: Replaces the specified regular expression with the provided text.
 92 | * replaceText: Replaces the specified text with the provided text.
 93 | * commentLine: Comments a line by prefixing with # or a provided value.
 94 | * uncommentLine: Uncomments a line by removing # or a provided value.
 95 | 
 96 | ---
 97 | 
 98 | ### shell.pkg
 99 | 
100 | [lib/shell.pkg](lib/shell.pkg) defines functions to assist with package management.
101 | 
102 | #### Package Management Functions
103 | 
104 | * hasPackage: Checks to see whether a given package is installed on the host.
105 | * installPackages: Installs one or more packages on the host.
106 | * jailHasPackage: Checks to see whether a given package is installed in a jail.
107 | * jailPackages: Installs one or more packages in a jail.
108 | 


--------------------------------------------------------------------------------
/backup/apache:
--------------------------------------------------------------------------------
 1 | #!/bin/sh
 2 | 
 3 | :<<DOCUMENTATION
 4 | 
 5 | 	Description:	Backs up Let's Encrypt certs, Apache includes, and the www directory.
 6 | 	Parameters:
 7 | 		-d destination (optional): directory to save the backup to
 8 | 			Default: /var/backups/apache/yyyy-mm-ddThh:mm:ss
 9 | 		-j jail_path (optional): path to a jail where Apache is installed
10 | 			Default: no value - backs up Apache from the local host
11 | 	Author:			Chris Wells (https://chriswells.io)
12 | 
13 | DOCUMENTATION
14 | 
15 | 
16 | # shellcheck source=/dev/null
17 | . "$(dirname "$(readlink -f "$0")")/../lib/shell.common"
18 | 
19 | 
20 | # Require root to be sure all files are accessible. -- cwells
21 | requireRootOrExit
22 | 
23 | parseScriptOptions "$@"
24 | 
25 | JAIL_PATH=$(getOption '-j')
26 | if [ -z "$JAIL_PATH" ]; then
27 | 	JAIL_PATH=''
28 | fi
29 | 
30 | BACKUP_DIR=$(getOption '-d')
31 | if [ -z "$BACKUP_DIR" ]; then
32 | 	if [ -n "$JAIL_PATH" ]; then # Include the jail name in the backup. -- cwells
33 | 		BACKUP_DIR="/var/backups/apache/$(basename "$JAIL_PATH")-$(date +%Y-%m-%dT%H:%M:%S)"
34 | 	else
35 | 		BACKUP_DIR="/var/backups/apache/$(date '+%Y-%m-%dT%H:%M:%S')"
36 | 	fi
37 | fi
38 | 
39 | 
40 | # Create backup directory if it does not exist. -- cwells
41 | if [ ! -d "$BACKUP_DIR" ]; then
42 | 	# shellcheck disable=SC2174
43 | 	mkdir -m 750 -p "$BACKUP_DIR"
44 | fi
45 | 
46 | # Ensure the backup does not already exist. -- cwells
47 | if [ -f "$BACKUP_DIR/Includes.tar.gz" ]; then
48 | 	echo 'Error: Includes.tar.gz already exists.'
49 | 	exit 1
50 | elif [ -f "$BACKUP_DIR/letsencrypt.tar.gz" ]; then
51 | 	echo 'Error: letsencrypt.tar.gz already exists.'
52 | 	exit 1
53 | elif [ -f "$BACKUP_DIR/www.tar.gz" ]; then
54 | 	echo 'Error: www.tar.gz already exists.'
55 | 	exit 1
56 | fi
57 | 
58 | echo '
59 | Creating backup:
60 | '
61 | 
62 | if [ -d "$JAIL_PATH/usr/local/etc/letsencrypt" ]; then
63 | 	echo 'TLS certs...'
64 | 	tar -czf "$BACKUP_DIR/letsencrypt.tar.gz" -C "$JAIL_PATH/usr/local/etc/" "letsencrypt/"
65 | fi
66 | if [ -d "$JAIL_PATH/usr/local/etc/apache24/Includes" ]; then
67 | 	echo 'Config files...'
68 | 	tar -czf "$BACKUP_DIR/Includes.tar.gz" -C "$JAIL_PATH/usr/local/etc/apache24/Includes/" "."
69 | fi
70 | if [ -d "$JAIL_PATH/usr/local/www" ]; then
71 | 	echo 'Hosted files...'
72 | 	tar -czf "$BACKUP_DIR/www.tar.gz" -C "$JAIL_PATH/usr/local/www/" "."
73 | fi
74 | 
75 | echo "
76 | Saved backup to: $BACKUP_DIR"
77 | 
78 | exit 0
79 | 


--------------------------------------------------------------------------------
/backup/configs:
--------------------------------------------------------------------------------
  1 | #!/bin/sh
  2 | 
  3 | :<<DOCUMENTATION
  4 | 
  5 | 	Description:	Backs up common config files that may have been modified on the system.
  6 | 	Parameters:
  7 | 		-d destination (optional): directory to save the backup to
  8 | 			Default: /var/backups/configs
  9 | 		-f file_name (optional): name to use for the backup file
 10 | 			Default: hostname-yyyy-mm-ddThh:mm:ss.tar.gz
 11 | 		-j jail_root (optional): path where jails are located
 12 | 			Default: /usr/jails
 13 | 		-s subdirectory (optional): subdirectory to use for the backup
 14 | 			Default: no value
 15 | 			Useful for naming a backup snapshot while using the default destination and name.
 16 | 		-t type (optional): type of system being backed up (e.g., desktop, server, or any value)
 17 | 			Default: no value
 18 | 			Useful for backing up a default set of files based on the system type.
 19 | 		-x (optional): exclude the default set of files defined in this script
 20 | 			Use with files in configs-custom to have full control over the backup list.
 21 | 	Author:			Chris Wells (https://chriswells.io)
 22 | 
 23 | DOCUMENTATION
 24 | 
 25 | 
 26 | # shellcheck source=/dev/null
 27 | . "$(dirname "$(readlink -f "$0")")/../lib/shell.common"
 28 | 
 29 | 
 30 | # Require root to be sure all files are accessible. -- cwells
 31 | requireRootOrExit
 32 | 
 33 | parseScriptOptions "$@"
 34 | 
 35 | BACKUP_DIR=$(getOption '-d')
 36 | if [ -z "$BACKUP_DIR" ]; then
 37 | 	BACKUP_DIR=/var/backups/configs
 38 | fi
 39 | 
 40 | BACKUP_FILE=$(getOption '-f')
 41 | if [ -z "$BACKUP_FILE" ]; then
 42 | 	BACKUP_FILE="$(hostname)-$(date +%Y-%m-%dT%H:%M:%S).tar.gz"
 43 | fi
 44 | 
 45 | JAIL_ROOT=$(getOption '-j')
 46 | if [ -z "$JAIL_ROOT" ]; then
 47 | 	JAIL_ROOT=/usr/jails
 48 | fi
 49 | 
 50 | if optionIsEnabled '-x'; then
 51 | 	CONFIGS=''
 52 | else
 53 | 	# Any paths in this list that don't exist on the current system will be omitted. -- cwells
 54 | 	CONFIGS="/boot/*.eli
 55 | /boot/device.hints
 56 | /boot/encryption.key
 57 | /boot/loader.conf
 58 | /etc/
 59 | /root/.cshrc
 60 | /root/.login
 61 | /root/.profile
 62 | /usr/home/*/.bashrc
 63 | /usr/home/*/.cshrc
 64 | /usr/home/*/.inputrc
 65 | /usr/home/*/.login
 66 | /usr/home/*/.profile
 67 | /usr/local/etc/
 68 | $JAIL_ROOT/*/etc/
 69 | $JAIL_ROOT/*/usr/local/etc/
 70 | $JAIL_ROOT/*/var/db/dkim/
 71 | $(getScriptPath)/configs-custom/*.txt"
 72 | fi
 73 | 
 74 | # Back up files for this type of system. -- cwells
 75 | TYPE=$(getOption '-t')
 76 | if [ -n "$TYPE" ] && [ -s "$(getScriptPath)/configs-custom/type-$TYPE.txt" ]; then
 77 | 	CONFIGS="$CONFIGS
 78 | $(cat "$(getScriptPath)/configs-custom/type-$TYPE.txt")"
 79 | fi
 80 | 
 81 | # Include custom files that are common to all hosts. -- cwells
 82 | if [ -s "$(getScriptPath)/configs-custom/host-all.txt" ]; then
 83 | 	CONFIGS="$CONFIGS
 84 | $(cat "$(getScriptPath)/configs-custom/host-all.txt")"
 85 | fi
 86 | 
 87 | # Back up files that are specific to this host. -- cwells
 88 | HOST=$(hostname)
 89 | if [ -n "$HOST" ] && [ -s "$(getScriptPath)/configs-custom/host-$HOST.txt" ]; then
 90 | 	CONFIGS="$CONFIGS
 91 | $(cat "$(getScriptPath)/configs-custom/host-$HOST.txt")"
 92 | fi
 93 | 
 94 | # Create backup directory if it does not exist. -- cwells
 95 | if [ ! -d "$BACKUP_DIR" ]; then
 96 | 	# shellcheck disable=SC2174
 97 | 	mkdir -m 750 -p "$BACKUP_DIR"
 98 | fi
 99 | 
100 | # If a subdirectory was provided, append it to the backup directory. -- cwells
101 | SUBDIRECTORY=$(getOption '-s')
102 | if [ -n "$SUBDIRECTORY" ]; then
103 | 	BACKUP_DIR="$BACKUP_DIR/$SUBDIRECTORY"
104 | 	if [ ! -d "$BACKUP_DIR" ]; then
105 | 		# shellcheck disable=SC2174
106 | 		mkdir -m 750 -p "$BACKUP_DIR"
107 | 	fi
108 | fi
109 | 
110 | 
111 | # Expand wildcards and remove invalid (non-existent) paths from the list. -- cwells
112 | VALID_CONFIGS=''
113 | OLD_IFS=$IFS
114 | IFS=$'\n'
115 | for CONFIG_PATH in $CONFIGS; do
116 | 	if [ -e "$CONFIG_PATH" ]; then
117 | 		VALID_CONFIGS="$VALID_CONFIGS$CONFIG_PATH
118 | "
119 | 	fi
120 | done
121 | IFS=$OLD_IFS
122 | 
123 | 
124 | echo '
125 | Backing up config files...'
126 | 
127 | # shellcheck disable=SC2039
128 | echo -n "$VALID_CONFIGS" | tar -czf "$BACKUP_DIR/$BACKUP_FILE" -T -
129 | 
130 | if [ -e "$BACKUP_DIR/$BACKUP_FILE" ] && [ -s "$BACKUP_DIR/$BACKUP_FILE" ]; then
131 | 	chmod 640 "$BACKUP_DIR/$BACKUP_FILE"
132 | 	echo "Saved configs to: $BACKUP_DIR/$BACKUP_FILE"
133 | else
134 | 	echo 'Error creating backup!'
135 | fi
136 | 
137 | 
138 | exit 0
139 | 


--------------------------------------------------------------------------------
/backup/configs-custom/.gitignore:
--------------------------------------------------------------------------------
1 | *.txt


--------------------------------------------------------------------------------
/backup/configs-custom/README.md:
--------------------------------------------------------------------------------
 1 | # Custom Configs
 2 | 
 3 | This directory provides a simple way to customize your config backups without modifying the shell script. Using this approach, you can pull the latest code without having to merge your custom file/directory lists. Additionally, you can have different config lists based on the type of system or the specific host being backed up.
 4 | 
 5 | Create a `host-all.txt` file to provide a list of files/directories that should be backed up on all hosts. An example `hosts-all.txt` file might contain this:
 6 | 
 7 | ```
 8 | /root/bin/
 9 | /usr/home/*/bin/
10 | /usr/local/ossec-hids/etc/
11 | /usr/local/ossec-hids/rules/
12 | ```
13 | 
14 | To provide a list of files/directories to back up for a specific host, create a file named `host-<hostname>.txt`.  For example, the custom list for a system named **Beastie** would be named `host-Beastie.txt` (case sensitive, so execute `hostname` to check the proper case).
15 | 
16 | To include a list of files/directories across a type or class of system, create a file named `type-<type>.txt` and provide the type on the command line when backing up. You can create any types that you want. For example, to back up a consistent set of config files on all desktop systems, create the list in `type-desktop.txt` and use `sudo backup/configs -t desktop` to perform the backup.
17 | 
18 | The lists that are included in a given backup are:
19 | 
20 | * The default config files defined in the [backup/configs](../configs) script.
21 | * If `-t <mytype>` is specified, the files listed in `type-<mytype>.txt`.
22 | * The files listed in `host-all.txt`.
23 | * The files listed in `host-<hostname>.txt`.
24 | 
25 | The `configs-custom/*.txt` files are excluded from git to prevent conflicts, but they are included in all backups to preserve your custom lists.
26 | 


--------------------------------------------------------------------------------
/config/jail-create:
--------------------------------------------------------------------------------
  1 | #!/bin/sh
  2 | 
  3 | :<<DOCUMENTATION
  4 | 
  5 | 	Description:	Creates a jail and performs the base configuration.
  6 | 	Parameters:
  7 | 		--name jail_root (required): the name to use for the new jail
  8 | 		--interface ifname (optional): interface to assign to the jail
  9 | 			Default: lo1
 10 | 		--ip x.x.x.x (optional): IP address to assign to the jail
 11 | 			Default: 127.1.1.1
 12 | 		--root-email email_address (optional): email address to use for root inside the jail
 13 | 			Default: no value
 14 | 	Author:			Chris Wells (https://chriswells.io)
 15 | 
 16 | DOCUMENTATION
 17 | 
 18 | 
 19 | # shellcheck source=/dev/null
 20 | . "$(dirname "$(readlink -f "$0")")/../lib/shell.common"
 21 | importScript 'shell.io'
 22 | importScript 'shell.pkg'
 23 | 
 24 | # Require root in order to write to the config files. -- cwells
 25 | requireRootOrExit
 26 | 
 27 | SCRIPT_PATH="$(getScriptPath)"
 28 | 
 29 | parseScriptOptions "$@"
 30 | 
 31 | INTERFACE=$(getOption '--interface')
 32 | JAIL_IP=$(getOption '--ip')
 33 | JAIL_NAME=$(getOption '--name')
 34 | ROOT_EMAIL=$(getOption '--root-email')
 35 | 
 36 | if [ -z "$JAIL_NAME" ]; then
 37 | 	echo 'You must specify the jail name using --name.'
 38 | 	exit 1
 39 | fi
 40 | 
 41 | if [ -z "$INTERFACE" ]; then
 42 | 	INTERFACE='lo1'
 43 | fi
 44 | 
 45 | if [ -z "$JAIL_IP" ]; then
 46 | 	JAIL_IP='127.1.1.1'
 47 | fi
 48 | 
 49 | ################################################################################
 50 | 
 51 | if ! hasPackage 'ezjail'; then
 52 | 	echo 'You must run jail-ezjail before running this script.'
 53 | 	exit 1
 54 | fi
 55 | 
 56 | ezjail-admin create "$JAIL_NAME" "$INTERFACE|$JAIL_IP"
 57 | ezjail-admin start "$JAIL_NAME"
 58 | 
 59 | # Back up the fresh jail config files. -- cwells
 60 | "$SCRIPT_PATH/../backup/configs" -s "jail-create-${JAIL_NAME}-fresh"
 61 | addNote "Created backup: jail-create-${JAIL_NAME}-fresh"
 62 | 
 63 | echo 'Done.'
 64 | 
 65 | ################################################################################
 66 | 
 67 | # Configure the jail. -- cwells
 68 | mkdir "/usr/jails/$JAIL_NAME/root/bin/"
 69 | cp /etc/resolv.conf "/usr/jails/$JAIL_NAME/etc/"
 70 | commentLine "/usr/jails/$JAIL_NAME/etc/hosts" '127.0.0.1		localhost localhost.my.domain'
 71 | appendToFile "/usr/jails/$JAIL_NAME/etc/hosts" "
 72 | # Must use the jail loopback IP for some services to work. -- cwells
 73 | $JAIL_IP		localhost localhost.my.domain $JAIL_NAME
 74 | "
 75 | # shellcheck disable=SC2016
 76 | appendToFile "/usr/jails/$JAIL_NAME/etc/rc.conf" '
 77 | kern_securelevel_enable="YES"
 78 | kern_securelevel="3"
 79 | rpcbind_enable="NO"
 80 | sendmail_enable="NO"
 81 | cron_flags="$cron_flags -J 15"
 82 | syslogd_flags="-ss"
 83 | clear_tmp_enable="YES"
 84 | '
 85 | 
 86 | # This cron job should be disabled inside jails. -- cwells
 87 | commentLine "/usr/jails/$JAIL_NAME/etc/crontab" '1,31	0-5	*	*	*	root	adjkerntz -a'
 88 | 
 89 | if [ -n "$ROOT_EMAIL" ]; then
 90 | 	insertAfterLine "/usr/jails/$JAIL_NAME/etc/mail/aliases" '# root:	me@my.domain' "root: $ROOT_EMAIL"
 91 | fi
 92 | 
 93 | runAsScriptInJail "$JAIL_NAME" '
 94 | passwd
 95 | tzsetup
 96 | cd /etc/mail
 97 | make aliases
 98 | make # Generates <jailname>.mc
 99 | cd /etc/mail/certs
100 | openssl dhparam -out dh.param 2048
101 | '
102 | 
103 | ################################################################################
104 | 
105 | # shellcheck disable=SC2039
106 | echo -n '
107 | Creating hosts entry...'
108 | appendToFile /etc/hosts "
109 | # Jail:
110 | $JAIL_IP	$JAIL_NAME"
111 | echo ' Done.'
112 | 
113 | service ezjail restart
114 | ezjail-admin update -u
115 | 
116 | ################################################################################
117 | 
118 | # Back up the fresh jail config files. -- cwells
119 | "$SCRIPT_PATH/../backup/configs" -s "jail-create-${JAIL_NAME}-base"
120 | addNote "Created backup: jail-create-${JAIL_NAME}-base"
121 | 
122 | echo 'Done.'
123 | 
124 | exit 0
125 | 


--------------------------------------------------------------------------------
/config/jail-ezjail:
--------------------------------------------------------------------------------
  1 | #!/bin/sh
  2 | 
  3 | :<<DOCUMENTATION
  4 | 
  5 | 	Description:	Installs and configures ezjail.
  6 | 	Author:			Chris Wells (https://chriswells.io)
  7 | 
  8 | DOCUMENTATION
  9 | 
 10 | 
 11 | # shellcheck source=/dev/null
 12 | . "$(dirname "$(readlink -f "$0")")/../lib/shell.common"
 13 | importScript 'shell.io'
 14 | importScript 'shell.pkg'
 15 | 
 16 | # Require root in order to write to the config files. -- cwells
 17 | requireRootOrExit
 18 | 
 19 | SCRIPT_PATH="$(getScriptPath)"
 20 | 
 21 | parseScriptOptions "$@"
 22 | 
 23 | ################################################################################
 24 | 
 25 | if ! installPackages 'ezjail'; then
 26 | 	echo 'Failed to install ezjail.'
 27 | 	exit 1
 28 | fi
 29 | 
 30 | # Back up the config files. -- cwells
 31 | "$SCRIPT_PATH/../backup/configs" -s jail-ezjail-fresh
 32 | addNote 'Created backup: jail-ezjail-fresh'
 33 | 
 34 | # Enable ZFS for jails. -- cwells
 35 | # shellcheck disable=SC2039
 36 | echo -n '
 37 | Updating ezjail.conf...'
 38 | uncommentLine /usr/local/etc/ezjail.conf 'ezjail_use_zfs="YES"'
 39 | uncommentLine /usr/local/etc/ezjail.conf 'ezjail_use_zfs_for_jails="YES"'
 40 | replaceLine /usr/local/etc/ezjail.conf '# ezjail_jailzfs="tank/ezjail"' 'ezjail_jailzfs="zroot/usr/jails"'
 41 | echo ' Done.'
 42 | 
 43 | # Configure a cloned loopback interface for the jail and enable ezjail. -- cwells
 44 | # shellcheck disable=SC2039
 45 | echo -n '
 46 | Updating rc.conf...'
 47 | # shellcheck disable=SC2016
 48 | appendToFile /etc/rc.conf '
 49 | # Enable jails on a cloned loopback interface:
 50 | ezjail_enable="YES"
 51 | cloned_interfaces="${cloned_interfaces} lo1"
 52 | ifconfig_lo1="inet 127.1.0.0/16"
 53 | '
 54 | echo ' Done.'
 55 | 
 56 | echo -n '
 57 | Updating periodic.conf.local...'
 58 | appendToFile /etc/periodic.conf.local '
 59 | # Enable security audits for all jails:
 60 | pkg_jails="*"
 61 | '
 62 | 
 63 | # Configure pf for jails. -- cwells
 64 | # shellcheck disable=SC2039
 65 | echo -n '
 66 | Updating pf.conf...'
 67 | # shellcheck disable=SC2016
 68 | insertAfterLine /etc/pf.conf 'loop_if="lo0"' '# Interface and network for jails:
 69 | jail_if="lo1"
 70 | jail_net=$jail_if:network'
 71 | # shellcheck disable=SC2016
 72 | insertAfterLine /etc/pf.conf 'scrub in all' '
 73 | # Enable NAT for jails:
 74 | nat on $ext_if from $jail_net to any -> ($ext_if)
 75 | '
 76 | echo ' Done.'
 77 | 
 78 | # Enable the cloned loopback interface, start ezjail, and install the ports tree. -- cwells
 79 | service netif cloneup
 80 | service ezjail start
 81 | if optionIsEnabled '-q'; then
 82 | 	ezjail-admin install -p
 83 | 	"$SCRIPT_PATH/../portsfetch" /usr/jails/basejail/usr/ports
 84 | elif optionIsEnabled '-p'; then
 85 | 	ezjail-admin install -p
 86 | else
 87 | 	ezjail-admin install
 88 | fi
 89 | 
 90 | # Back up the config files. -- cwells
 91 | "$SCRIPT_PATH/../backup/configs" -s jail-ezjail-configured
 92 | addNote 'Created backup: jail-ezjail-configured'
 93 | 
 94 | addNote 'Installed and configured ezjail, but no jails were created.'
 95 | showNotes
 96 | 
 97 | # Saved until the end because it disconnects the SSH session. -- cwells
 98 | pressEnterTo 'enable NAT for jails (disconnects SSH session)'
 99 | pfctl -F all -f /etc/pf.conf
100 | # Can I use this instead without losing the connection?
101 | # pfctl -s nat
102 | 
103 | exit 0
104 | 


--------------------------------------------------------------------------------
/config/jail-syncthing:
--------------------------------------------------------------------------------
 1 | #!/bin/sh
 2 | 
 3 | :<<DOCUMENTATION
 4 | 
 5 | 	Description:	Installs and configures Syncthing inside a jail.
 6 | 	Parameters:
 7 | 		--name jail_name (required): the name of an existing jail to configure
 8 | 	Author:			Chris Wells (https://chriswells.io)
 9 | 
10 | DOCUMENTATION
11 | 
12 | 
13 | # shellcheck source=/dev/null
14 | . "$(dirname "$(readlink -f "$0")")/../lib/shell.common"
15 | importScript 'shell.io'
16 | importScript 'shell.pkg'
17 | 
18 | # Require root in order to write to the config files. -- cwells
19 | requireRootOrExit
20 | 
21 | SCRIPT_PATH="$(getScriptPath)"
22 | 
23 | if ! hasPackage 'ezjail'; then
24 | 	echo 'You must run jail-ezjail before running this script.'
25 | 	exit 1
26 | fi
27 | 
28 | parseScriptOptions "$@"
29 | 
30 | JAIL_NAME=$(getOption '--name')
31 | JAIL_IP="$(jls -N -j "$JAIL_NAME" ip4.addr)"
32 | 
33 | if [ -z "$JAIL_NAME" ]; then
34 | 	echo 'You must specify the jail name using --name.'
35 | 	exit 1
36 | elif [ -z "$JAIL_IP" ]; then
37 | 	echo "Failed to get IP for $JAIL_NAME jail. Do you need to create it using jail-create?"
38 | 	exit 1
39 | fi
40 | 
41 | ################################################################################
42 | 
43 | # Back up the config files. -- cwells
44 | "$SCRIPT_PATH/../backup/configs" -s "jail-$JAIL_NAME-before-config"
45 | addNote "Created backup: jail-$JAIL_NAME-before-config"
46 | 
47 | jailPackages "$JAIL_NAME" 'syncthing'
48 | 
49 | appendToFile "/usr/jails/$JAIL_NAME/etc/rc.conf" '
50 | # Enable Syncthing:
51 | syncthing_enable="YES"
52 | '
53 | 
54 | runAsScriptInJail "$JAIL_NAME" 'mkdir /usr/local/syncthing
55 | chown syncthing:syncthing /usr/local/syncthing
56 | service syncthing start'
57 | 
58 | if hasPackage 'ossec-hids-local'; then
59 | 	insertBeforeLine /usr/local/ossec-hids/etc/ossec.conf '</ossec_config>' "
60 | 
61 |   <!-- Syncthing Jail: $JAIL_NAME -->
62 | 
63 |   <localfile>
64 |     <log_format>syslog</log_format>
65 |     <location>/usr/jails/$JAIL_NAME/var/log/syncthing.log</location>
66 |   </localfile>
67 | 
68 | "
69 | fi
70 | 
71 | ################################################################################
72 | 
73 | # shellcheck disable=SC2039
74 | echo -n '
75 | Updating pf.conf...'
76 | # shellcheck disable=SC2016
77 | # shellcheck disable=SC2140
78 | insertAfterLine /etc/pf.conf 'jail_net=$jail_if:network' "${JAIL_NAME}_jail="\""$JAIL_IP"\""
79 | ${JAIL_NAME}_tcp_ports="\""{ 22000 }"\""
80 | ${JAIL_NAME}_udp_ports="\""{ 21027 }"\"
81 | # shellcheck disable=SC2016
82 | insertAfterLine /etc/pf.conf 'nat on $ext_if from $jail_net to any -> ($ext_if)' "rdr pass on \$ext_if inet proto tcp to port \$${JAIL_NAME}_tcp_ports -> \$${JAIL_NAME}_jail
83 | rdr pass on \$ext_if inet proto udp to port \$${JAIL_NAME}_udp_ports -> \$${JAIL_NAME}_jail"
84 | echo ' Done.'
85 | 
86 | ################################################################################
87 | 
88 | # Back up the final config files. -- cwells
89 | "$SCRIPT_PATH/../backup/configs" -s "jail-$JAIL_NAME-done"
90 | addNote "Created backup: jail-$JAIL_NAME-done"
91 | 
92 | showNotes
93 | 
94 | # Saved until the end because it disconnects the SSH session. -- cwells
95 | pressEnterTo 'reload pf config (disconnects SSH session)'
96 | pfctl -F all -f /etc/pf.conf
97 | 
98 | exit 0
99 | 


--------------------------------------------------------------------------------
/config/jail-turnserver:
--------------------------------------------------------------------------------
  1 | #!/bin/sh
  2 | 
  3 | :<<DOCUMENTATION
  4 | 
  5 | 	Description:	Installs and configures the Coturn TURN Server inside a jail.
  6 | 					Uses a config optimized for use with Nextcloud Talk / Spreed.ME.
  7 | 					References:
  8 | 					https://hub.docker.com/r/spreed/turnserver
  9 | 					https://github.com/coturn/coturn/blob/master/examples/etc/turnserver.conf
 10 | 					https://github.com/strukturag/docker-webrtc-turnserver/blob/master/coturn.sh
 11 | 					https://help.nextcloud.com/t/howto-setup-nextcloud-talk-with-turn-server/30794
 12 | 	Parameters:
 13 | 		--name jail_name (required): the name of an existing jail to configure
 14 | 		--realm domain_name (required): the domain name to use as the TURN realm
 15 | 		--static-auth-secret password (required): password to use for static auth
 16 | 		--cert tls_cert (required): path to a valid TLS public certificate
 17 | 		--pkey private_key (required): path to the TLS private key
 18 | 	Author:			Chris Wells (https://chriswells.io)
 19 | 
 20 | DOCUMENTATION
 21 | 
 22 | 
 23 | # shellcheck source=/dev/null
 24 | . "$(dirname "$(readlink -f "$0")")/../lib/shell.common"
 25 | importScript 'shell.io'
 26 | importScript 'shell.pkg'
 27 | 
 28 | # Require root in order to write to the config files. -- cwells
 29 | requireRootOrExit
 30 | 
 31 | SCRIPT_PATH="$(getScriptPath)"
 32 | 
 33 | if ! hasPackage 'ezjail'; then
 34 | 	echo 'You must run jail-ezjail before running this script.'
 35 | 	exit 1
 36 | fi
 37 | 
 38 | parseScriptOptions "$@"
 39 | 
 40 | JAIL_NAME=$(getOption '--name')
 41 | JAIL_IP="$(jls -N -j "$JAIL_NAME" ip4.addr)"
 42 | REALM=$(getOption '--realm')
 43 | STATIC_AUTH_SECRET=$(getOption '--static-auth-secret')
 44 | PRIVATE_KEY=$(getOption '--pkey')
 45 | TLS_CERT=$(getOption '--cert')
 46 | 
 47 | if [ -z "$JAIL_NAME" ]; then
 48 | 	echo 'You must specify the jail name using --name.'
 49 | 	exit 1
 50 | elif [ -z "$REALM" ]; then
 51 | 	echo 'You must specify a realm name using --realm.'
 52 | 	exit 1
 53 | elif [ -z "$STATIC_AUTH_SECRET" ]; then
 54 | 	echo 'You must specify a password using --static-auth-secret.'
 55 | 	exit 1
 56 | elif [ -z "$PRIVATE_KEY" ]; then
 57 | 	echo 'You must provide the path to a TLS private key using --pkey.'
 58 | 	exit 1
 59 | elif [ -z "$TLS_CERT" ]; then
 60 | 	echo 'You must provide the path to a TLS public certificate using --cert.'
 61 | 	exit 1
 62 | elif [ -z "$JAIL_IP" ]; then
 63 | 	echo "Failed to get IP for $JAIL_NAME jail. Do you need to create it using jail-create?"
 64 | 	exit 1
 65 | fi
 66 | 
 67 | ################################################################################
 68 | 
 69 | # Back up the config files. -- cwells
 70 | "$SCRIPT_PATH/../backup/configs" -s "jail-$JAIL_NAME-before-config"
 71 | addNote "Created backup: jail-$JAIL_NAME-before-config"
 72 | 
 73 | jailPackages "$JAIL_NAME" 'turnserver'
 74 | 
 75 | appendToFile "/usr/jails/$JAIL_NAME/etc/rc.conf" '
 76 | # Enable TURN server:
 77 | turnserver_enable="YES"
 78 | '
 79 | 
 80 | # Create the turnserver config file. -- cwells
 81 | createOrReplaceFile "/usr/jails/${JAIL_NAME}/usr/local/etc/turnserver.conf" "
 82 | # Listen on the jail IP (local interface).
 83 | listening-ip=$JAIL_IP
 84 | 
 85 | # Specify external IP since it will differ from the jail IP.
 86 | external-ip=$(curl ifconfig.me/ip)
 87 | 
 88 | # Use fingerprints in the TURN messages.
 89 | fingerprint
 90 | 
 91 | # Enable using a static password:
 92 | use-auth-secret
 93 | 
 94 | # 'Static' authentication secret value.
 95 | static-auth-secret=$STATIC_AUTH_SECRET
 96 | 
 97 | # The default realm to be used for the users.
 98 | realm=$REALM
 99 | 
100 | # Across the session, all requests must have the same
101 | # main ORIGIN attribute value (if the ORIGIN was
102 | # initially used by the session).
103 | check-origin-consistency
104 | 
105 | # Limit the nonce lifetime to 600 seconds (10 minutes).
106 | stale-nonce=600
107 | 
108 | # Certificate file (public key).
109 | cert=$TLS_CERT
110 | 
111 | # Private key file.
112 | pkey=$PRIVATE_KEY
113 | 
114 | # Use a secure cipher list:
115 | cipher-list="\""ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5"\""
116 | 
117 | # Reuse the sendmail DH param file:
118 | dh-file=/etc/mail/certs/dh.param
119 | 
120 | # Flag to prevent stdout log messages.
121 | no-stdout-log
122 | 
123 | # This flag means that no log file rollover will be used, and the log file
124 | # name will be constructed as-is, without PID and date appendage.
125 | simple-log
126 | 
127 | # Disallow peers on well-known broadcast addresses (224.0.0.0 and above, and FFXX:*).
128 | no-multicast-peers
129 | 
130 | # Require authentication of the STUN Binding request.
131 | secure-stun
132 | 
133 | # User name to run the process.
134 | #proc-user=nobody
135 | 
136 | # Group name to run the process.
137 | #proc-group=nogroup
138 | 
139 | # Turn OFF the CLI support.
140 | no-cli
141 | 
142 | # Do not allow old versions of TLS.
143 | no-tlsv1
144 | no-tlsv1_1
145 | "
146 | 
147 | runAsScriptInJail "$JAIL_NAME" 'service turnserver start'
148 | 
149 | if hasPackage 'ossec-hids-local'; then
150 | 	insertBeforeLine /usr/local/ossec-hids/etc/ossec.conf '</ossec_config>' "
151 | 
152 |   <!-- TURN Jail: $JAIL_NAME -->
153 | 
154 |   <localfile>
155 |     <log_format>syslog</log_format>
156 |     <location>/usr/jails/$JAIL_NAME/var/log/turn_*</location>
157 |   </localfile>
158 | 
159 | "
160 | fi
161 | 
162 | ################################################################################
163 | 
164 | # shellcheck disable=SC2039
165 | echo -n '
166 | Updating pf.conf...'
167 | # shellcheck disable=SC2016
168 | # shellcheck disable=SC2140
169 | insertAfterLine /etc/pf.conf 'jail_net=$jail_if:network' "${JAIL_NAME}_jail="\""$JAIL_IP"\""
170 | ${JAIL_NAME}_tcp_ports="\""{ 3478, 5349 }"\""
171 | ${JAIL_NAME}_udp_ports="\""{ 3478, 5349, 49152:65535 }"\"
172 | # shellcheck disable=SC2016
173 | insertAfterLine /etc/pf.conf 'nat on $ext_if from $jail_net to any -> ($ext_if)' "rdr pass on \$ext_if inet proto tcp to port \$${JAIL_NAME}_tcp_ports -> \$${JAIL_NAME}_jail
174 | rdr pass on \$ext_if inet proto udp to port \$${JAIL_NAME}_udp_ports -> \$${JAIL_NAME}_jail"
175 | echo ' Done.'
176 | 
177 | ################################################################################
178 | 
179 | # Back up the final config files. -- cwells
180 | "$SCRIPT_PATH/../backup/configs" -s "jail-$JAIL_NAME-done"
181 | addNote "Created backup: jail-$JAIL_NAME-done"
182 | 
183 | showNotes
184 | 
185 | # Saved until the end because it disconnects the SSH session. -- cwells
186 | pressEnterTo 'reload pf config (disconnects SSH session)'
187 | pfctl -F all -f /etc/pf.conf
188 | 
189 | exit 0
190 | 


--------------------------------------------------------------------------------
/config/jail-unifi:
--------------------------------------------------------------------------------
 1 | #!/bin/sh
 2 | 
 3 | :<<DOCUMENTATION
 4 | 
 5 | 	Description:	Installs and configures UniFi Controller inside a jail.
 6 | 	Parameters:
 7 | 		--name jail_name (required): the name of the existing jail to configure
 8 | 	Author:			Chris Wells (https://chriswells.io)
 9 | 
10 | DOCUMENTATION
11 | 
12 | 
13 | # shellcheck source=/dev/null
14 | . "$(dirname "$(readlink -f "$0")")/../lib/shell.common"
15 | importScript 'shell.io'
16 | importScript 'shell.pkg'
17 | 
18 | # Require root in order to write to the config files. -- cwells
19 | requireRootOrExit
20 | 
21 | SCRIPT_PATH="$(getScriptPath)"
22 | 
23 | if ! hasPackage 'ezjail'; then
24 | 	echo 'You must run jail-ezjail before running this script.'
25 | 	exit 1
26 | fi
27 | 
28 | parseScriptOptions "$@"
29 | 
30 | JAIL_NAME=$(getOption '--name')
31 | if [ -z "$JAIL_NAME" ]; then
32 | 	echo 'You must specify the jail name using --name.'
33 | 	exit 1
34 | fi
35 | 
36 | JAIL_IP="$(jls -N -j "$JAIL_NAME" ip4.addr)"
37 | if [ -z "$JAIL_IP" ]; then
38 | 	echo "Failed to get IP for $JAIL_NAME jail. Do you need to create it using jail-create?"
39 | 	exit 1
40 | fi
41 | 
42 | ################################################################################
43 | 
44 | # Back up the config files. -- cwells
45 | "$SCRIPT_PATH/../backup/configs" -s "jail-$JAIL_NAME-before-config"
46 | addNote "Created backup: jail-$JAIL_NAME-before-config"
47 | 
48 | jailPackages "$JAIL_NAME" 'unifi5'
49 | 
50 | appendToFile "/usr/jails/$JAIL_NAME/etc/rc.conf" '
51 | # Enable UniFi Controller:
52 | unifi_enable="YES"
53 | '
54 | 
55 | # If custom settings are needed for UniFi, the file is here:
56 | # /usr/jails/$JAIL_NAME/usr/local/share/java/unifi/data/system.properties
57 | 
58 | runAsScriptInJail "$JAIL_NAME" 'service unifi start'
59 | 
60 | ################################################################################
61 | 
62 | # shellcheck disable=SC2039
63 | echo -n '
64 | Updating pf.conf...'
65 | # shellcheck disable=SC2016
66 | # shellcheck disable=SC2140
67 | insertAfterLine /etc/pf.conf 'jail_net=$jail_if:network' "${JAIL_NAME}_jail="\""$JAIL_IP"\""
68 | ${JAIL_NAME}_tcp_ports="\""{ 8080, 8443 }"\""
69 | ${JAIL_NAME}_udp_ports="\""{ 3478 }"\"
70 | # shellcheck disable=SC2016
71 | insertAfterLine /etc/pf.conf 'nat on $ext_if from $jail_net to any -> ($ext_if)' "rdr pass on \$ext_if inet proto tcp to port \$${JAIL_NAME}_tcp_ports -> \$${JAIL_NAME}_jail
72 | rdr pass on \$ext_if inet proto udp to port \$${JAIL_NAME}_udp_ports -> \$${JAIL_NAME}_jail"
73 | echo ' Done.'
74 | 
75 | ################################################################################
76 | 
77 | # Back up the final config files. -- cwells
78 | "$SCRIPT_PATH/../backup/configs" -s "jail-$JAIL_NAME-done"
79 | addNote "Created backup: jail-$JAIL_NAME-done"
80 | 
81 | showNotes
82 | 
83 | # Saved until the end because it disconnects the SSH session. -- cwells
84 | pressEnterTo 'reload pf config (disconnects SSH session)'
85 | pfctl -F all -f /etc/pf.conf
86 | 
87 | exit 0
88 | 


--------------------------------------------------------------------------------
/lib/shell.common:
--------------------------------------------------------------------------------
  1 | #!/bin/sh
  2 | 
  3 | :<<DOCUMENTATION
  4 | 
  5 | 	Description:	Defines functions frequently used in shell scripts.
  6 | 	Author:			Chris Wells (https://chriswells.io)
  7 | 
  8 | DOCUMENTATION
  9 | 
 10 | 
 11 | # Returns:
 12 | #	full path to the current script
 13 | getScriptPath() {
 14 | 	dirname "$(readlink -f "$0")"
 15 | }
 16 | 
 17 | # Parameters:
 18 | #	$1 = relative or full path to the script to import
 19 | importScript() {
 20 | 	SCRIPT_PATH=$(getScriptPath)
 21 | 	if [ -f "$SCRIPT_PATH/lib/$1" ]; then
 22 | 		# shellcheck source=/dev/null
 23 | 		. "$SCRIPT_PATH/lib/$1"
 24 | 	elif [ -f "$SCRIPT_PATH/../lib/$1" ]; then
 25 | 		# shellcheck source=/dev/null
 26 | 		. "$SCRIPT_PATH/../lib/$1"
 27 | 	elif [ -f "$SCRIPT_PATH/$1" ]; then
 28 | 		# shellcheck source=/dev/null
 29 | 		. "$SCRIPT_PATH/$1"
 30 | 	elif [ -f "$1" ]; then
 31 | 		# shellcheck source=/dev/null
 32 | 		. "$1"
 33 | 	else
 34 | 		echo "Error: '$1' was not found."
 35 | 		exit 1
 36 | 	fi
 37 | }
 38 | 
 39 | # Parameters:
 40 | #	$1 (optional) = action that occurs after pressing Enter
 41 | #		Default is 'continue' when not provided.
 42 | pressEnterTo() {
 43 | 	if [ -n "$1" ]; then
 44 | 		ACTION="$1"
 45 | 	else
 46 | 		ACTION='continue'
 47 | 	fi
 48 | 	# shellcheck disable=SC2039
 49 | 	read -r -p "
 50 | Press \"Enter\" to $ACTION..." _
 51 | }
 52 | 
 53 | # Parameters:
 54 | #	$1 (optional) = custom error message to display if the user is not root
 55 | requireRootOrExit() {
 56 | 	if [ "$(id -u)" != "0" ]; then
 57 | 		if [ -n "$1" ]; then
 58 | 			MESSAGE="$1"
 59 | 		else
 60 | 			MESSAGE='This script must be executed as root or using sudo.'
 61 | 		fi
 62 | 		echo "$MESSAGE" 1>&2
 63 | 		exit 1
 64 | 	fi
 65 | }
 66 | 
 67 | 
 68 | ################################################################################
 69 | # Hashes (Associative Arrays / Dictionaries)
 70 | ################################################################################
 71 | 
 72 | # Parameters:
 73 | #	$1 = name of the hash variable
 74 | #	$2 = key to search for
 75 | # Returns:
 76 | #	result code indicating whether the specified key exists in the hash
 77 | hashContainsKey() {
 78 | 	alias "HASH_$1_$2" > /dev/null 2>&1
 79 | }
 80 | 
 81 | # Parameters:
 82 | #	$1 = name of the hash variable
 83 | #	$2 = value to search for
 84 | # Returns:
 85 | #	result code indicating whether the specified value exists in the hash
 86 | hashContainsValue() {
 87 | 	alias | grep -Eq "^HASH_$1_.+='?$2'?\$"
 88 | }
 89 | 
 90 | # Parameters:
 91 | #	$1 = name of the hash variable
 92 | #	$2 = key for the value that should be retrieved
 93 | # Returns:
 94 | #	value found for the specified key
 95 | hashGet() {
 96 | 	alias "HASH_$1_$2" 2> /dev/null | awk -F"=" '{ gsub(/^'\''|'\''$/, "", $2); print $2; }'
 97 | }
 98 | 
 99 | # Parameters:
100 | #	$1 = name of the hash variable
101 | #	$2 = key to use
102 | #	$3 (optional) = the value to store
103 | #		Default is an empty string when not provided.
104 | hashPut() {
105 | 	# shellcheck disable=SC2139
106 | 	alias "HASH_$1_$2=$3"
107 | }
108 | 
109 | 
110 | ################################################################################
111 | # Script Options
112 | ################################################################################
113 | 
114 | # Parameters:
115 | #	$1 = name of the option whose value should be returned
116 | # Returns:
117 | #	value provided for the specified option
118 | getOption() {
119 | 	hashGet 'SCRIPT_OPTS' "$1"
120 | }
121 | 
122 | # Parameters:
123 | #	$1 = name of the option to check
124 | # Returns:
125 | #	result code indicating whether the specified option was passed to the script
126 | optionIsEnabled() {
127 | 	hashContainsKey 'SCRIPT_OPTS' "$1"
128 | }
129 | 
130 | # Parameters:
131 | #	$@ = full list of options passed to the script
132 | parseScriptOptions() {
133 | 	for SCRIPT_ARG in "$@"; do
134 | 		case $SCRIPT_ARG in
135 | 			-* )
136 | 				setOption "$SCRIPT_ARG"
137 | 				LAST_SWITCH=$SCRIPT_ARG ;;
138 | 			* )
139 | 				if [ -n "$LAST_SWITCH" ]; then
140 | 					setOption "$LAST_SWITCH" "$SCRIPT_ARG"
141 | 				else
142 | 					setOption "$SCRIPT_ARG"
143 | 				fi
144 | 				LAST_SWITCH='' ;;
145 | 		esac
146 | 	done
147 | }
148 | 
149 | # Parameters:
150 | #	$1 = name of the option to set
151 | #	$2 = value to set for the specified option
152 | setOption() {
153 | 	hashPut 'SCRIPT_OPTS' "$1" "$2"
154 | }
155 | 
156 | 
157 | ################################################################################
158 | # Note Management
159 | ################################################################################
160 | 
161 | # Parameters:
162 | #	$1 = message to append to the notes for the currently running script
163 | addNote() {
164 | 	# Not using appendToFile here to ensure this file has no dependencies. -- cwells
165 | 	#appendToFile "$0.notes" "$1"
166 | 	echo "$1" >> "$(getScriptPath)/$(basename $0).notes"
167 | }
168 | 
169 | # Parameters:
170 | #	$1 (optional) = message to display above the notes for this script
171 | showNotes() {
172 | 	if [ -n "$1" ]; then
173 | 		MESSAGE="$1"
174 | 	else
175 | 		MESSAGE='The following notes were saved in'
176 | 	fi
177 | 	echo "$MESSAGE $0.notes:
178 | 
179 | $(cat "$(getScriptPath)/$(basename $0).notes")"
180 | }
181 | 


--------------------------------------------------------------------------------
/lib/shell.io:
--------------------------------------------------------------------------------
  1 | #!/bin/sh
  2 | 
  3 | :<<DOCUMENTATION
  4 | 
  5 | 	Description:	Defines functions commonly used for file input/output.
  6 | 	Author:			Chris Wells (https://chriswells.io)
  7 | 
  8 | DOCUMENTATION
  9 | 
 10 | 
 11 | ################################################################################
 12 | # Utility Functions
 13 | ################################################################################
 14 | 
 15 | # Parameters:
 16 | #	$1 (optional) = number of hex characters to return
 17 | #		Default is 8 when not provided.
 18 | # Returns:
 19 | #	random hex string of the requested length
 20 | # shellcheck disable=SC2120
 21 | generateHexString() {
 22 | 	if [ $# -eq 0 ]; then
 23 | 		LENGTH=4
 24 | 	else
 25 | 		LENGTH=$(($1 / 2))
 26 | 	fi
 27 | 	hexdump -n $LENGTH -v -e '/1 "%02X"' /dev/urandom
 28 | }
 29 | 
 30 | # Parameters:
 31 | #	$1 (optional) = file for which a temp file needs to be created
 32 | # Returns:
 33 | #	string that can be used as the name of a temp file
 34 | # shellcheck disable=SC2119
 35 | getTempFileName() {
 36 | 	echo "$1.$(generateHexString).tmp"
 37 | }
 38 | 
 39 | # Parameters:
 40 | #	$1 = the name of the jail to run the script inside
 41 | #	$2 = the code to execute inside the jail
 42 | runAsScriptInJail() {
 43 | 	TEMP_SCRIPT="$(getTempFileName 'temp').sh"
 44 | 	createOrReplaceFile "/usr/jails/$1/tmp/$TEMP_SCRIPT" "#!/bin/sh
 45 | $2
 46 | exit 0
 47 | "
 48 | 	chmod +x "/usr/jails/$1/tmp/$TEMP_SCRIPT"
 49 | 	jexec "$1" "/tmp/$TEMP_SCRIPT"
 50 | 	# Delete the script since it's no longer needed. Done here instead of
 51 | 	# inside the script because the script could exit early. -- cwells
 52 | 	rm "/usr/jails/$1/tmp/$TEMP_SCRIPT"
 53 | }
 54 | 
 55 | ################################################################################
 56 | # Text Manipulation
 57 | ################################################################################
 58 | 
 59 | # Parameters:
 60 | #	$1 = text containing special characters
 61 | # Returns:
 62 | #	input string with special characters escaped
 63 | escapeAwkSearchText() {
 64 | 	echo "$1" | sed -e 's/[()]/\\\\&/g'
 65 | }
 66 | 
 67 | # Parameters:
 68 | #	$1 = sed expression
 69 | # Returns:
 70 | #	input string with special characters escaped
 71 | escapeForSed() {
 72 | 	echo "$1" | sed -e 's/[\/&]/\\&/g'
 73 | }
 74 | 
 75 | # Parameters:
 76 | #	$1 = text containing newline characters
 77 | # Returns:
 78 | #	input string with newlines escaped
 79 | escapeNewlines() {
 80 | 	echo "$1" | awk 1 ORS='\\n'
 81 | }
 82 | 
 83 | ################################################################################
 84 | # File Manipulation
 85 | ################################################################################
 86 | 
 87 | # Parameters:
 88 | #	$1 = file path
 89 | #	$2 = text to append to file
 90 | appendToFile() {
 91 | 	echo "$2" >> "$1"
 92 | }
 93 | 
 94 | # Parameters:
 95 | #	$1 = file path
 96 | #	$2 = text to save as file
 97 | createOrReplaceFile() {
 98 | 	echo "$2" > "$1"
 99 | }
100 | 
101 | # Parameters:
102 | #	$1 = file path
103 | #	$2 = line to delete
104 | deleteLine() {
105 | 	TEMP_FILE=$(getTempFileName "$1")
106 | 	if awk -v line="$2" '$0 != line' "$1" > "$TEMP_FILE"; then
107 | 		cat "$TEMP_FILE" > "$1"
108 | 	fi
109 | 	if [ -f "$TEMP_FILE" ]; then
110 | 		rm "$TEMP_FILE"
111 | 	fi
112 | }
113 | 
114 | # Parameters:
115 | #	$1 = file path
116 | #	$2 = line to insert after
117 | #	$3 = text to insert into file
118 | insertAfterLine() {
119 | 	TEMP_FILE=$(getTempFileName "$1")
120 | 	if awk -v line="$2" -v insert="$(escapeNewlines "$3")" '
121 | 		BEGIN {
122 | 			gsub(/\n$/, "", insert);
123 | 		}
124 | 		$0 == line {
125 | 			$0 = sprintf("%s\n%s", $0, insert);
126 | 		}
127 | 		1
128 | 	' "$1" > "$TEMP_FILE"; then
129 | 		cat "$TEMP_FILE" > "$1"
130 | 	fi
131 | 	if [ -f "$TEMP_FILE" ]; then
132 | 		rm "$TEMP_FILE"
133 | 	fi
134 | }
135 | 
136 | # Parameters:
137 | #	$1 = file path
138 | #	$2 = line to insert before
139 | #	$3 = text to insert into file
140 | insertBeforeLine() {
141 | 	TEMP_FILE=$(getTempFileName "$1")
142 | 	if awk -v line="$2" -v insert="$(escapeNewlines "$3")" '
143 | 		BEGIN {
144 | 			gsub(/\n$/, "", insert);
145 | 		}
146 | 		$0 == line {
147 | 			$0 = sprintf("%s\n%s", insert, $0);
148 | 		}
149 | 		1
150 | 	' "$1" > "$TEMP_FILE"; then
151 | 		cat "$TEMP_FILE" > "$1"
152 | 	fi
153 | 	if [ -f "$TEMP_FILE" ]; then
154 | 		rm "$TEMP_FILE"
155 | 	fi
156 | }
157 | 
158 | # Parameters:
159 | #	$1 = file path
160 | #	$2 = old line
161 | #	$3 = new line
162 | replaceLine() {
163 | 	TEMP_FILE=$(getTempFileName "$1")
164 | 	if awk -v line="$2" -v replace="$(escapeNewlines "$3")" '
165 | 		BEGIN {
166 | 			gsub(/\n$/, "", replace);
167 | 		}
168 | 		$0 == line {
169 | 			$0 = replace;
170 | 		}
171 | 		1
172 | 	' "$1" > "$TEMP_FILE"; then
173 | 		cat "$TEMP_FILE" > "$1"
174 | 	fi
175 | 	if [ -f "$TEMP_FILE" ]; then
176 | 		rm "$TEMP_FILE"
177 | 	fi
178 | }
179 | 
180 | # Parameters:
181 | #	$1 = file path
182 | #	$2 = pattern to match
183 | #	$3 = replacement text
184 | replacePattern() {
185 | 	TEMP_FILE=$(getTempFileName "$1")
186 | 	if awk -v search="$2" -v replace="$(escapeNewlines "$3")" '
187 | 		BEGIN {
188 | 			gsub(/\n$/, "", replace);
189 | 		}
190 | 		1 {
191 | 			gsub(search, replace);
192 | 			print $0;
193 | 		}
194 | 	' "$1" > "$TEMP_FILE"; then
195 | 		cat "$TEMP_FILE" > "$1"
196 | 	fi
197 | 	if [ -f "$TEMP_FILE" ]; then
198 | 		rm "$TEMP_FILE"
199 | 	fi
200 | }
201 | 
202 | # Parameters:
203 | #	$1 = file path
204 | #	$2 = old text
205 | #	$3 = new text
206 | replaceText() {
207 | 	TEMP_FILE=$(getTempFileName "$1")
208 | 	if awk -v search="$(escapeAwkSearchText "$2")" -v replace="$(escapeNewlines "$3")" '
209 | 		BEGIN {
210 | 			gsub(/\n$/, "", replace);
211 | 		}
212 | 		1 {
213 | 			gsub(search, replace);
214 | 			print $0;
215 | 		}
216 | 	' "$1" > "$TEMP_FILE"; then
217 | 		cat "$TEMP_FILE" > "$1"
218 | 	fi
219 | 	if [ -f "$TEMP_FILE" ]; then
220 | 		rm "$TEMP_FILE"
221 | 	fi
222 | }
223 | 
224 | # Parameters:
225 | #	$1 = file path
226 | #	$2 = line to comment
227 | #	$3 (optional) = string used to comment lines
228 | commentLine() {
229 | 	if echo "$2" | grep -Eq '^\s*<.+>$'; then # This line is markup. -- cwells
230 | 		COMMENT=$(echo "$2" | sed -e 's/^\( *\)<\(.*\)>$/\1<!-- \2 -->/')
231 | 		replaceText "$1" "$2" "$COMMENT"
232 | 	else
233 | 		if [ -n "$3" ]; then
234 | 			COMMENT_MARKER="$3"
235 | 		else
236 | 			COMMENT_MARKER="#"
237 | 		fi
238 | 		replaceLine "$1" "$2" "$COMMENT_MARKER$2"
239 | 	fi
240 | }
241 | 
242 | # Parameters:
243 | #	$1 = file path
244 | #	$2 = line to uncomment
245 | #	$3 (optional) = string used to comment lines
246 | uncommentLine() {
247 | 	if echo "$2" | grep -Eq '^\s*<.+>$'; then # This line is markup. -- cwells
248 | 		MARKUP=$(echo "$2" | sed -e 's/^\( *\)<!-- *\(.*\) -->$/\1<\2>/')
249 | 		replaceText "$1" "$2" "$MARKUP"
250 | 	else
251 | 		if [ -n "$3" ]; then
252 | 			COMMENT_MARKER="$3"
253 | 		else
254 | 			COMMENT_MARKER="#"
255 | 		fi
256 | 		SEARCH="$(echo "$2" | sed -e 's/[().*^$?&[]/\\\\&/g')"
257 | 		REPLACE="$(echo "$2" | sed -e 's/&/\\\\&/g')"
258 | 		replacePattern "$1" "^$COMMENT_MARKER+ *$SEARCH$" "$REPLACE"
259 | 	fi
260 | }
261 | 


--------------------------------------------------------------------------------
/lib/shell.pkg:
--------------------------------------------------------------------------------
 1 | #!/bin/sh
 2 | 
 3 | :<<DOCUMENTATION
 4 | 
 5 | 	Description:	Defines very basic functions for package management.
 6 | 	Author:			Chris Wells (https://chriswells.io)
 7 | 
 8 | DOCUMENTATION
 9 | 
10 | 
11 | ################################################################################
12 | # Package Management for Hosts
13 | ################################################################################
14 | 
15 | # Parameters:
16 | #	$1 = name of the package to check for
17 | # Returns:
18 | #	result code indicating whether the specified package is installed on the host
19 | hasPackage() {
20 | 	pkg info "$1" > /dev/null 2>&1
21 | }
22 | 
23 | # Parameters:
24 | #	$1 = name of the package(s) to install
25 | # Returns:
26 | #	result code indicating whether the specified package was installed on the host
27 | installPackages() {
28 | 	# shellcheck disable=SC2086
29 | 	pkg install -y $1
30 | }
31 | 
32 | 
33 | ################################################################################
34 | # Package Management for Jails
35 | ################################################################################
36 | 
37 | # Parameters:
38 | #	$1 = name of the jail
39 | #	$2 = name of the package to check for
40 | # Returns:
41 | #	result code indicating whether the specified package is installed in the jail
42 | jailHasPackage() {
43 | 	pkg -j "$1" info "$2" > /dev/null 2>&1
44 | }
45 | 
46 | # Parameters:
47 | #	$1 = name of the jail
48 | #	$2 = name of the package(s) to install
49 | # Returns:
50 | #	result code indicating whether the specified package was installed in the jail
51 | jailPackages() {
52 | 	# shellcheck disable=SC2086
53 | 	pkg -j "$1" install -y $2
54 | }
55 | 


--------------------------------------------------------------------------------
/portsfetch:
--------------------------------------------------------------------------------
 1 | #!/bin/sh
 2 | 
 3 | :<<DOCUMENTATION
 4 | 
 5 | 	Description:	Updates the local ports tree from the current quarterly Git branch.
 6 | 	Author:			Chris Wells (https://chriswells.io)
 7 | 
 8 | DOCUMENTATION
 9 | 
10 | 
11 | REPO_URL="https://git.freebsd.org/ports.git"
12 | 
13 | # Require root in order to write to the ports dir. -- cwells
14 | if [ "$(id -u)" != "0" ]; then
15 | 	echo 'This script must be run as root or using sudo.' 1>&2
16 | 	exit 1
17 | fi
18 | 
19 | if ! which git > /dev/null; then
20 | 	pkg install git
21 | fi
22 | 
23 | # If a parameter was passed, use it as the destination directory.  For example,
24 | # to update the ezjail ports tree: portsfetch /usr/jails/basejail/usr/ports
25 | if [ -n "$1" ]; then
26 | 	DESTDIR="$1"
27 | else
28 | 	DESTDIR=/usr/ports
29 | fi
30 | 
31 | if [ ! -d "${DESTDIR}" ]; then
32 | 	mkdir "${DESTDIR}"
33 | fi
34 | 
35 | # Clear the contents of the destination directory if it's not being managed by Git. -- cwells
36 | if [ ! -z "$(ls -qAL -- "${DESTDIR}")" ] && [ ! -d "${DESTDIR}/.git" ]; then
37 | 	echo 'Destination directory contains files but is not a Git repo.'
38 | 	echo 'You must delete the existing files to switch to a quarterly branch.'
39 | 	# shellcheck disable=SC2039
40 | 	read -r -p "Do you want to delete the contents of \"${DESTDIR}\"? [y/N]: " DELETE_FILES
41 | 	echo ''
42 | 	case $DELETE_FILES in
43 | 		[Yy]* ) find "${DESTDIR}" -mindepth 1 -delete ;; # Delete all files in the dir. -- cwells
44 | 		* )
45 | 			if [ -d "${DESTDIR}/.svn" ]; then
46 | 				echo 'The destination directory is an SVN repo, so no update was performed.'
47 | 				echo 'Your ports tree is still out of date. You should switch to Git.'
48 | 			elif [ -f "${DESTDIR}/.portsnap.INDEX" ]; then
49 | 				portsnap fetch update # Use portsnap to update from HEAD. -- cwells
50 | 				echo ''
51 | 				echo 'The destination directory is managed by portsnap, so an update was performed.'
52 | 				echo 'This means you are still using the latest branch instead of quarterly.'
53 | 			fi
54 | 			echo 'Run portsfetch again and choose to delete your files to switch.'
55 | 			exit 0 ;;
56 | 	esac
57 | 	echo ''
58 | fi
59 | 
60 | if [ ! -d "${DESTDIR}/.git" ]; then # Initial clone of the repo. -- cwells
61 | 	git clone "${REPO_URL}" "${DESTDIR}"
62 | else # Update the existing repo. -- cwells
63 | 	git -C "${DESTDIR}" pull --ff-only
64 | fi
65 | 
66 | BRANCH=$(git -C "${DESTDIR}" branch --list -r | grep -E '^[[:space:]]*origin/20[0-9]{2}Q[1-4]$' | sort | tail -1 | sed 's/ *origin\///')
67 | if [ "${#BRANCH}" != "6" ]; then
68 | 	echo 'Failed to determine the correct branch to use.'
69 | 	exit 1
70 | fi
71 | 
72 | if [ "$(git -C "${DESTDIR}" branch --show-current)" != "${BRANCH}" ]; then
73 | 	git -C "${DESTDIR}" checkout "${BRANCH}"
74 | fi
75 | 
76 | exit 0
77 | 


--------------------------------------------------------------------------------
/update-host:
--------------------------------------------------------------------------------
 1 | #!/bin/sh
 2 | 
 3 | :<<DOCUMENTATION
 4 | 
 5 | 	Description:	Updates the base system plus performs package upgrades on the host and jails.
 6 | 	Author:			Chris Wells (https://chriswells.io)
 7 | 
 8 | DOCUMENTATION
 9 | 
10 | # shellcheck source=/dev/null
11 | . "$(dirname "$(readlink -f "$0")")/lib/shell.common"
12 | 
13 | 
14 | # Require root to perform updates. -- cwells
15 | requireRootOrExit
16 | 
17 | # Create a boot environment in case there are issues. -- cwells
18 | if which bectl > /dev/null; then
19 | 	bectl create $(date +%Y-%m-%d.%H%M%S)
20 | fi
21 | 
22 | freebsd-update fetch install
23 | 
24 | printf "\nChecking for vulnerable packages on the host...\n"
25 | pkg audit -F
26 | printf "\nUpgrading packages on the host...\n"
27 | pkg upgrade
28 | 
29 | for JAIL in $(jls -N host.hostname); do
30 | 	printf "\nChecking for vulnerable packages in the %s jail...\n" "$JAIL"
31 | 	pkg -j "$JAIL" audit -F
32 | 	printf "\nUpgrading packages in the %s jail...\n" "$JAIL"
33 | 	pkg -j "$JAIL" upgrade
34 | done
35 | 
36 | exit 0
37 | 


--------------------------------------------------------------------------------