From f99e053b41849b805f33e29876ced270998213b9 Mon Sep 17 00:00:00 2001
From: daniel fusser
Date: Sat, 11 Mar 2023 21:07:32 +0100
Subject: [PATCH] initial commit
---
 42git.sh | 61 +++++++++++++++++++++++++++++++++++++++++++++++++
 cert2-40_api.sh | 48 ++++++++++++++++++++++++++++++++++++++
 certs2-40.sh | 23 +++++++++++++++++++
 sshkey_2-40.sh | 29 +++++++++++++++++++++++
 util.sh | 4 ++++
 5 files changed, 165 insertions(+)
 create mode 100644 42git.sh
 create mode 100644 cert2-40_api.sh
 create mode 100644 certs2-40.sh
 create mode 100644 sshkey_2-40.sh
 create mode 100644 util.sh
diff --git a/42git.sh b/42git.sh
new file mode 100644
index 0000000..41895da
--- /dev/null
+++ b/42git.sh
@@ -0,0 +1,61 @@
+#!/bin/sh
+set -e
+
+# ssh options for fortigate scp
+ssh_identity="/root/.ssh/id_ed25519"
+ssh_user="admin"
+ssh_host="192.168.2.1"
+ssh_port=11422
+enc_key="/root/.secrets/backup-enc.key"
+
+git_repo="git@git.dafu.dev:3022/dafu/fg_backup"
+
+# temp dir
+temp_dir=$(mktemp -d)
+cd "$temp_dir"
+
+# git
+echo "cloning from $git_repo"
+git clone --quiet --depth=1 \
+ "ssh://${git_repo}" .
+
+# -O disables sftp which is not enabled on FG
+echo "grabbing config from ${ssh_user}@${ssh_host}:sys_config"
+scp -q -i ${ssh_identity} -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -O -P ${ssh_port} \
+ ${ssh_user}@${ssh_host}:sys_config .
+
+# get file version and firmware
+config_version=$(grep -o -P '(?<=^#conf_file_ver=).*$' sys_config)
+firmware_version=$(grep -o -P '(?<=#config-version=).*(?=-FW.*)' sys_config)
+
+echo "found version: ${firmware_version} - ${config_version}"
+
+# copy full config to temp file
+cp sys_config temp_"${config_version}"
+
+# apply regexes to config file
+perl -0777 -pi -e 's/ENC .*/_ENC_REMOVED_/g' sys_config
+perl -0777 -pi -e 's/(?ms)(set.*?)"-----.*?"/$1 _REMOVED_/g' sys_config
+perl -0777 -pi -e 's/(?ms)(set.*?key) ".*?"/$1 _PUB_KEY_REMOVED_/g' sys_config
+perl -0777 -pi -e 's/.*(#private-encryption-key=).*/$1 _PRIV_KEY_REMOVED_/g' sys_config
+perl -0777 -pi -e 's/conf_file_ver=(.*)/conf_file_ver=_REMOVED_/g' sys_config
+
+echo "checking for changes"
+git diff --stat
+
+# check for changes with git diff or if sys_config exists in root dir with git ls
+if ! (git ls | grep "^sys_config$" && git diff-index --exit-code --quiet HEAD); then
+ echo "found changes: committing"
+ echo "temp folder: $(pwd)"
+ mv temp_"$config_version" sys_config_full
+ rm -f sys_config_full.gpg
+ gpg -e --recipient-file "$enc_key" sys_config_full
+ git add sys_config sys_config_full.gpg
+ git commit -m "Backup Version: ${firmware_version} - ${config_version}"
+ git push
+else
+ echo "no changes found. aborting"
+fi
+
+# cleanup
+rm -r "$temp_dir"
diff --git a/cert2-40_api.sh b/cert2-40_api.sh
new file mode 100644
index 0000000..12a4ece
--- /dev/null
+++ b/cert2-40_api.sh
@@ -0,0 +1,48 @@
+#!/bin/sh
+set -e
+
+api_host="https://192.168.2.1:11443"
+api_endpoint="api/v2/monitor/vpn-certificate/local/import"
+api_token=
+ssh_host="fg"
+certname=fg.dafu.dev
+
+key=$(cat /mnt/docker/volumes/caddy_caddy_data/_data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${certname}/${certname}.key | base64 | tr -d "\n" )
+crt=$(cat /mnt/docker/volumes/caddy_caddy_data/_data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${certname}/${certname}.crt | base64 | tr -d "\n" )
+
+run_ssh_script() { printf "%s" "${1}" | ssh $ssh_host; }
+run_upload_cert() {
+ printf "%s" "${1}"
+ printf "%s" "${api_host}/${api_endpoint}"
+ curl -q -k -H "Authorization: Bearer ${api_token}" -d "${1}" \
+ -H "Content-Type: application/json" \
+ -X POST "${api_host}/${api_endpoint}"
+}
+
+api_data="{
+ 'type': 'regular',
+ 'certname': '${certname}',
+ 'file_content': '${crt}',
+ 'key_file_content': '${key}'
+}"
+
+fg_delete_cert_script="
+execute batch start
+config sys global
+unset admin-server-cert
+end
+config vpn certificate local
+delete ${certname}
+end
+execute batch end"
+
+fg_set_cert_script="
+execute batch start
+config sys global
+set admin-server-cert ${certname}
+end
+execute batch end"
+
+run_ssh_script "${fg_delete_cert_script}"
+run_upload_cert "${api_data}"
+run_ssh_script "${fg_set_cert_script}"
diff --git a/certs2-40.sh b/certs2-40.sh
new file mode 100644
index 0000000..d3b8c9d
--- /dev/null
+++ b/certs2-40.sh
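Review bot: The `scp -q -i ${ssh_identity} -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null ...` line fetches the full firewall configuration, including the material the later perl passes redact, over a session whose host identity is never verified, so a host answering as ${ssh_host} could read the config or hand back an altered one that is then committed as the backup. The identity file is already deployed, so pinning is cheap: record the device key once and use `-o StrictHostKeyChecking=yes -o UserKnownHostsFile=<pinned-known-hosts-file>` (labelled placeholder) with the expansions quoted. Separately, `rm -r "$temp_dir"` only runs when every preceding command succeeds, so under `set -e` any failure (grep finding no version, gpg, git push) leaves the unredacted `temp_<version>`/`sys_config_full` on disk; register `trap 'rm -rf -- "${temp_dir:?}"' EXIT` right after `temp_dir=$(mktemp -d)`. `git ls` is not a built-in git command, so unless an alias supplies it the `if ! (...)` condition is always true and every run commits; `git ls-files --error-unmatch sys_config` is the portable form.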
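Review bot: The first two lines of `run_upload_cert` print the request body, which carries the base64 private key in `key_file_content`, to stdout, so the key lands wherever the script's output is captured (cron mail, journal); drop `printf "%s" "${1}"` or limit the debug output to the URL. `curl -q -k ... -d "${1}"` then sends the same key and the bearer token without validating the FortiGate's certificate, and the body is also visible in the process list; prefer `--cacert <ca-bundle-file>` (labelled placeholder) and feed the body via stdin, e.g. `printf '%s' "${1}" | curl -q --cacert <ca-bundle-file> -H "Authorization: Bearer ${api_token}" -H "Content-Type: application/json" -d @- -X POST "${api_host}/${api_endpoint}"`. `api_data` uses single quotes around keys and values, which is not valid JSON; unless the endpoint is known to accept that, build it with escaped double quotes. `api_token=` is left empty in the committed file, which keeps the secret out of the repo, but the script should fail early with `: "${api_token:?}"` rather than send an empty bearer header.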
@@ -0,0 +1,23 @@
+#!/bin/sh
+set -e
+
+ssh_host="fg"
+certname=fg.dafu.dev
+
+key=$(cat /mnt/docker/volumes/caddy_caddy_data/_data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${certname}/${certname}.key)
+crt=$(cat /mnt/docker/volumes/caddy_caddy_data/_data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${certname}/${certname}.crt)
+
+run_ssh_script() { printf "%s" "${1}" | ssh $ssh_host; }
+
+fg_set_cert_script="
+execute batch start
+config vpn certificate local
+edit ${certname}
+set private-key \"${key}\"
+set certificate \"${crt}\"
+end
+execute batch end
+execute batch lastlog
+"
+
+run_ssh_script "${fg_set_cert_script}"
diff --git a/sshkey_2-40.sh b/sshkey_2-40.sh
new file mode 100644
index 0000000..7b88a42
--- /dev/null
+++ b/sshkey_2-40.sh
@@ -0,0 +1,29 @@
+#!/bin/sh
+#
+# DOCS:
+# https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/813125/public-key-ssh-access
+#
+set -e
+
+ssh_pubkey="/root/.ssh/id_ed25519.pub"
+ssh_keytype="ed25519"
+ssh_user="admin"
+ssh_host="${ssh_user}@192.168.2.1"
+ssh_opts="-p 11422"
+
+. util.sh # import ssh function after options are set
+
+ssh_pubkey_data=$(cut -f2 -d' ' < "$ssh_pubkey") # cut: only keydata is needed
+
+fg_updatekey_script="
+execute batch start
+config system admin
+ edit ${ssh_user}
+ set ssh-public-key1 \"${ssh_keytype} ${ssh_pubkey_data}\"
+ next
+end
+execute batch end
+execute batch lastlog
+"
+
+run_ssh_script "${fg_updatekey_script}"
diff --git a/util.sh b/util.sh
new file mode 100644
index 0000000..5472aa0
--- /dev/null
+++ b/util.sh
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+# -o StrictHostKeyChecking=no
+run_ssh_script() { printf "%s" "${1}" | ssh $ssh_opts $ssh_host; }
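Review bot: `run_ssh_script "${fg_set_cert_script}"` treats a successful ssh session as a successful import: a rejected key or certificate is only reported in the `execute batch lastlog` output, which goes to stdout and is never examined, so `set -e` cannot catch it and the previous certificate silently stays active. Capture the output, e.g. `out=$(run_ssh_script "${fg_set_cert_script}")`, and exit non-zero when lastlog reports a failed command (the exact marker depends on the FortiOS release and should be confirmed against the device). The same gap exists in sshkey_2-40.sh, where a rejected `ssh-public-key1` leaves the old key in place. This file also redefines `run_ssh_script` instead of sourcing util.sh as sshkey_2-40.sh does, so the two scripts will drift in ssh options; `. "$(dirname -- "$0")/util.sh"` keeps a single definition.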
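Review bot: `. util.sh` is resolved against the current working directory rather than the script's location, so running the script from any other directory fails (it aborts under `set -e`), and a writable cwd means a different `util.sh` would be sourced and executed with the script's privileges. Source it relative to the script instead: `. "$(dirname -- "$0")/util.sh"`. The key type is also hard-coded as `ssh_keytype="ed25519"` while the type is field 1 of the same `.pub` file that `ssh_pubkey_data` is cut from; `ssh_keytype=$(cut -f1 -d' ' < "$ssh_pubkey")` keeps the installed line consistent with the key actually read.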
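Review bot: `run_ssh_script` silently depends on `ssh_opts` and `ssh_host` being set by the caller before this file is sourced; if either is missing, `ssh` runs without a host and the failure is hard to trace back. Document that contract in a header comment and guard it, e.g. `: "${ssh_host:?ssh_host must be set before sourcing util.sh}"` above the function. The commented `# -o StrictHostKeyChecking=no` reads as an option kept ready to re-enable; the device key belongs in a pinned known_hosts entry, so the comment should be removed rather than left as a hint.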