dafu/40scripts
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

initial commit

Browse Source
This commit is contained in:
daniel fusser 2023-03-11 21:07:32 +01:00
commit f99e053b41
5 changed files with 165 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

61
42git.sh Normal file
View File

@ -0,0 +1,61 @@
#!/bin/sh
set -e
# ssh options for fortigate scp
ssh_identity="/root/.ssh/id_ed25519"
ssh_user="admin"
ssh_host="192.168.2.1"
ssh_port=11422
enc_key="/root/.secrets/backup-enc.key"
git_repo="git@git.dafu.dev:3022/dafu/fg_backup"
# temp dir
temp_dir=$(mktemp -d)
cd "$temp_dir"
# git
echo "cloning from $git_repo"
git clone --quiet --depth=1 \
"ssh://${git_repo}" .
# -O disables sftp which is not enabled on FG
echo "grabbing config from ${ssh_user}@${ssh_host}:sys_config"
scp -q -i ${ssh_identity} -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -O -P ${ssh_port} \
${ssh_user}@${ssh_host}:sys_config .
# get file version and firmware
config_version=$(grep -o -P '(?<=^#conf_file_ver=).*$' sys_config)
firmware_version=$(grep -o -P '(?<=#config-version=).*(?=-FW.*)' sys_config)
echo "found version: ${firmware_version} - ${config_version}"
# copy full config to temp file
cp sys_config temp_"${config_version}"
# apply regexes to config file
perl -0777 -pi -e 's/ENC .*/_ENC_REMOVED_/g' sys_config
perl -0777 -pi -e 's/(?ms)(set.*?)"-----.*?"/$1 _REMOVED_/g' sys_config
perl -0777 -pi -e 's/(?ms)(set.*?key) ".*?"/$1 _PUB_KEY_REMOVED_/g' sys_config
perl -0777 -pi -e 's/.*(#private-encryption-key=).*/$1 _PRIV_KEY_REMOVED_/g' sys_config
perl -0777 -pi -e 's/conf_file_ver=(.*)/conf_file_ver=_REMOVED_/g' sys_config
echo "checking for changes"
git diff --stat
# check for changes with git diff or if sys_config exists in root dir with git ls
if ! (git ls | grep "^sys_config$" && git diff-index --exit-code --quiet HEAD); then
echo "found changes: committing"
echo "temp folder: $(pwd)"
mv temp_"$config_version" sys_config_full
rm -f sys_config_full.gpg
gpg -e --recipient-file "$enc_key" sys_config_full
git add sys_config sys_config_full.gpg
git commit -m "Backup Version: ${firmware_version} - ${config_version}"
git push
else
echo "no changes found. aborting"
fi
# cleanup
rm -r "$temp_dir"

48
cert2-40_api.sh Normal file
View File

@ -0,0 +1,48 @@
#!/bin/sh
set -e
api_host="https://192.168.2.1:11443"
api_endpoint="api/v2/monitor/vpn-certificate/local/import"
api_token=
ssh_host="fg"
certname=fg.dafu.dev
key=$(cat /mnt/docker/volumes/caddy_caddy_data/_data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${certname}/${certname}.key | base64 | tr -d "\n" )
crt=$(cat /mnt/docker/volumes/caddy_caddy_data/_data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${certname}/${certname}.crt | base64 | tr -d "\n" )
run_ssh_script() { printf "%s" "${1}" | ssh $ssh_host; }
run_upload_cert() {
printf "%s" "${1}"
printf "%s" "${api_host}/${api_endpoint}"
curl -q -k -H "Authorization: Bearer ${api_token}" -d "${1}" \
-H "Content-Type: application/json" \
-X POST "${api_host}/${api_endpoint}"
}
api_data="{
'type': 'regular',
'certname': '${certname}',
'file_content': '${crt}',
'key_file_content': '${key}'
}"
fg_delete_cert_script="
execute batch start
config sys global
unset admin-server-cert
end
config vpn certificate local
delete ${certname}
end
execute batch end"
fg_set_cert_script="
execute batch start
config sys global
set admin-server-cert ${certname}
end
execute batch end"
run_ssh_script "${fg_delete_cert_script}"
run_upload_cert "${api_data}"
run_ssh_script "${fg_set_cert_script}"

23
certs2-40.sh Normal file
View File

@ -0,0 +1,23 @@
#!/bin/sh
set -e
ssh_host="fg"
certname=fg.dafu.dev
key=$(cat /mnt/docker/volumes/caddy_caddy_data/_data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${certname}/${certname}.key)
crt=$(cat /mnt/docker/volumes/caddy_caddy_data/_data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${certname}/${certname}.crt)
run_ssh_script() { printf "%s" "${1}" | ssh $ssh_host; }
fg_set_cert_script="
execute batch start
config vpn certificate local
edit ${certname}
set private-key \"${key}\"
set certificate \"${crt}\"
end
execute batch end
execute batch lastlog
"
run_ssh_script "${fg_set_cert_script}"

29
sshkey_2-40.sh Normal file
View File

@ -0,0 +1,29 @@
#!/bin/sh
#
# DOCS:
# https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/813125/public-key-ssh-access
#
set -e
ssh_pubkey="/root/.ssh/id_ed25519.pub"
ssh_keytype="ed25519"
ssh_user="admin"
ssh_host="${ssh_user}@192.168.2.1"
ssh_opts="-p 11422"
. util.sh # import ssh function after options are set
ssh_pubkey_data=$(cut -f2 -d' ' < "$ssh_pubkey") # cut: only keydata is needed
fg_updatekey_script="
execute batch start
config system admin
edit ${ssh_user}
set ssh-public-key1 \"${ssh_keytype} ${ssh_pubkey_data}\"
next
end
execute batch end
execute batch lastlog
"
run_ssh_script "${fg_updatekey_script}"

4
util.sh Normal file
View File

@ -0,0 +1,4 @@
#!/bin/sh
# -o StrictHostKeyChecking=no
run_ssh_script() { printf "%s" "${1}" | ssh $ssh_opts $ssh_host; }