initial commit

daniel fusser 2023-03-11 21:07:32 +01:00
commit f99e053b41
5 changed files with 165 additions and 0 deletions

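--- a/git.sh
+++ b/git.sh
@@ -0,0 +1,61 @@
+#!/bin/sh
+set -e
+# ssh options for fortigate scp
+ssh_identity="/root/.ssh/id_ed25519"
+ssh_user="admin"
+ssh_host="192.168.2.1"
+ssh_port=11422
+enc_key="/root/.secrets/backup-enc.key"
+git_repo="git@git.dafu.dev:3022/dafu/fg_backup"
+# temp dir
+temp_dir=$(mktemp -d)
+cd "$temp_dir"
+# git
+echo "cloning from $git_repo"
+git clone --quiet --depth=1 \
+"ssh://${git_repo}" .
+# -O disables sftp which is not enabled on FG
+echo "grabbing config from ${ssh_user}@${ssh_host}:sys_config"
+scp -q -i ${ssh_identity} -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -O -P ${ssh_port} \
+${ssh_user}@${ssh_host}:sys_config .
+# get file version and firmware
+config_version=$(grep -o -P '(?<=^#conf_file_ver=).*$' sys_config)
+firmware_version=$(grep -o -P '(?<=#config-version=).*(?=-FW.*)' sys_config)
+echo "found version: ${firmware_version} - ${config_version}"
+# copy full config to temp file
+cp sys_config temp_"${config_version}"
+# apply regexes to config file
+perl -0777 -pi -e 's/ENC .*/_ENC_REMOVED_/g' sys_config
+perl -0777 -pi -e 's/(?ms)(set.*?)"-----.*?"/$1 _REMOVED_/g' sys_config
+perl -0777 -pi -e 's/(?ms)(set.*?key) ".*?"/$1 _PUB_KEY_REMOVED_/g' sys_config
+perl -0777 -pi -e 's/.*(#private-encryption-key=).*/$1 _PRIV_KEY_REMOVED_/g' sys_config
+perl -0777 -pi -e 's/conf_file_ver=(.*)/conf_file_ver=_REMOVED_/g' sys_config
+echo "checking for changes"
+git diff --stat
+# check for changes with git diff or if sys_config exists in root dir with git ls
+if ! (git ls | grep "^sys_config$" && git diff-index --exit-code --quiet HEAD); then
+echo "found changes: committing"
+echo "temp folder: $(pwd)"
+mv temp_"$config_version" sys_config_full
+rm -f sys_config_full.gpg
+gpg -e --recipient-file "$enc_key" sys_config_full
+git add sys_config sys_config_full.gpg
+git commit -m "Backup Version: ${firmware_version} - ${config_version}"
+git push
+else
+echo "no changes found. aborting"
+fi
+# cleanup
+rm -r "$temp_dir"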
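Review bot: The `scp -q -i ${ssh_identity} ...` line turns host-key verification off with `-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null`, so the pull of a file that carries the credential material the later perl lines redact does not authenticate the peer at all; pin the firewall's key in a dedicated file instead, e.g. `-o UserKnownHostsFile=/root/.ssh/known_hosts_fortigate -o StrictHostKeyChecking=yes`. The unredacted copies (`temp_${config_version}`, `sys_config_full`) are only deleted by the final `rm -r "$temp_dir"`, which under `set -e` never runs if anything earlier fails, leaving the plaintext config in the temp directory; register the cleanup right after `temp_dir=$(mktemp -d)` with `trap 'rm -rf -- "$temp_dir"' EXIT`. `git ls` in the `if ! (...)` condition is not a built-in git subcommand; unless it is a configured alias that pipeline fails, the condition is always true and every run commits — `git ls-files` appears to be what is meant. `${ssh_identity}`, `${ssh_port}` and `${ssh_user}@${ssh_host}:sys_config` are the only unquoted expansions in the file and quoting them costs nothing.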

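--- a/cert2-40_api.sh
+++ b/cert2-40_api.sh
@@ -0,0 +1,48 @@
+#!/bin/sh
+set -e
+api_host="https://192.168.2.1:11443"
+api_endpoint="api/v2/monitor/vpn-certificate/local/import"
+api_token=
+ssh_host="fg"
+certname=fg.dafu.dev
+key=$(cat /mnt/docker/volumes/caddy_caddy_data/_data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${certname}/${certname}.key | base64 | tr -d "\n" )
+crt=$(cat /mnt/docker/volumes/caddy_caddy_data/_data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${certname}/${certname}.crt | base64 | tr -d "\n" )
+run_ssh_script() { printf "%s" "${1}" | ssh $ssh_host; }
+run_upload_cert() {
+printf "%s" "${1}"
+printf "%s" "${api_host}/${api_endpoint}"
+curl -q -k -H "Authorization: Bearer ${api_token}" -d "${1}" \
+-H "Content-Type: application/json" \
+-X POST "${api_host}/${api_endpoint}"
+}
+api_data="{
+'type': 'regular',
+'certname': '${certname}',
+'file_content': '${crt}',
+'key_file_content': '${key}'
+}"
+fg_delete_cert_script="
+execute batch start
+config sys global
+unset admin-server-cert
+end
+config vpn certificate local
+delete ${certname}
+end
+execute batch end"
+fg_set_cert_script="
+execute batch start
+config sys global
+set admin-server-cert ${certname}
+end
+execute batch end"
+run_ssh_script "${fg_delete_cert_script}"
+run_upload_cert "${api_data}"
+run_ssh_script "${fg_set_cert_script}"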
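Review bot: `run_upload_cert` hands the payload — which embeds the base64 private key — to curl as `-d "${1}"` and the API token as `-H "Authorization: Bearer ${api_token}"`, both on the command line, and the first `printf "%s" "${1}"` additionally writes the key to stdout, so key and token are visible to `ps`, to `set -x` and to whatever captures the script's output; `-k` on the same call also disables certificate verification for the very connection that carries them. Pass payload and header through temporary files (`--data-binary @file`, `-H @file`) and verify the peer, either by calling the API via the certificate's hostname with the system trust store or by pinning the FortiGate's CA with `--cacert` (placeholder path below). curl without `--fail` exits 0 on an HTTP error, so under `set -e` a rejected import is still followed by `set admin-server-cert ${certname}` in the next ssh step; `--fail` stops the script there. `api_token=` is committed empty and read from nowhere else; taking it from the environment, e.g. `api_token="${FG_API_TOKEN:?set FG_API_TOKEN}"` (variable name constructed), makes the requirement explicit without placing the value in the repo. The rewritten function is below; the rest of the file is unchanged.
```shell
run_upload_cert() {
  # payload (contains the private key) and token travel via files, not argv,
  # so they do not appear in `ps` or `set -x` output; mktemp creates them 0600
  payload=$(mktemp)
  auth_hdr=$(mktemp)
  trap 'rm -f -- "$payload" "$auth_hdr"' EXIT
  printf '%s' "${1}" > "$payload"
  printf 'Authorization: Bearer %s\n' "${api_token}" > "$auth_hdr"
  printf '%s\n' "${api_host}/${api_endpoint}"
  # --cacert replaces -k; PLACEHOLDER: CA that signs the FortiGate admin certificate
  curl -q --fail --cacert "/path/to/fortigate-ca.pem" \
    -H @"$auth_hdr" --data-binary @"$payload" \
    -H "Content-Type: application/json" \
    -X POST "${api_host}/${api_endpoint}"
}
```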

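--- a/certs2-40.sh
+++ b/certs2-40.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+set -e
+ssh_host="fg"
+certname=fg.dafu.dev
+key=$(cat /mnt/docker/volumes/caddy_caddy_data/_data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${certname}/${certname}.key)
+crt=$(cat /mnt/docker/volumes/caddy_caddy_data/_data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${certname}/${certname}.crt)
+run_ssh_script() { printf "%s" "${1}" | ssh $ssh_host; }
+fg_set_cert_script="
+execute batch start
+config vpn certificate local
+edit ${certname}
+set private-key \"${key}\"
+set certificate \"${crt}\"
+end
+execute batch end
+execute batch lastlog
+"
+run_ssh_script "${fg_set_cert_script}"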
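Review bot: The exit status of `ssh $ssh_host` in `run_ssh_script` most likely reflects only the SSH session, not whether the batched `set private-key`/`set certificate` commands were accepted, so `set -e` cannot catch a rejected certificate; the script requests `execute batch lastlog` but never inspects it — capture the session output (`out=$(printf '%s' "$1" | ssh "$ssh_host")`) and fail on an error line before treating the rotation as done (the exact lastlog format should be confirmed against the device). `${key}` is interpolated into `fg_set_cert_script` and so into the argument of `printf`; being a shell builtin it does not reach `ps`, but any `set -x`, logging or echoing of this variable discloses the private key, and a comment on the `set private-key` line stating that constraint would help the next editor. `ssh $ssh_host` is unquoted; it works with `ssh_host="fg"` but `"$ssh_host"` is the safe form. This file and cert2-40_api.sh each carry their own `run_ssh_script` while util.sh provides one that honours `ssh_opts`; sourcing util.sh as sshkey_2-40.sh does would leave a single definition to maintain.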

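--- a/sshkey_2-40.sh
+++ b/sshkey_2-40.sh
@@ -0,0 +1,29 @@
+#!/bin/sh
+#
+# DOCS:
+# https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/813125/public-key-ssh-access
+#
+set -e
+ssh_pubkey="/root/.ssh/id_ed25519.pub"
+ssh_keytype="ed25519"
+ssh_user="admin"
+ssh_host="${ssh_user}@192.168.2.1"
+ssh_opts="-p 11422"
+. util.sh # import ssh function after options are set
+ssh_pubkey_data=$(cut -f2 -d' ' < "$ssh_pubkey") # cut: only keydata is needed
+fg_updatekey_script="
+execute batch start
+config system admin
+edit ${ssh_user}
+set ssh-public-key1 \"${ssh_keytype} ${ssh_pubkey_data}\"
+next
+end
+execute batch end
+execute batch lastlog
+"
+run_ssh_script "${fg_updatekey_script}"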
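Review bot: `. util.sh` on the `. util.sh # import ssh function after options are set` line resolves the file against the current working directory, so when the script runs from cron or any other directory it either aborts or sources whichever `util.sh` is present there, as root; `. "$(dirname -- "$0")/util.sh"` ties it to the script's own location. `ssh_pubkey_data=$(cut -f2 -d' ' < "$ssh_pubkey")` is empty when the key file does not have the expected `type data [comment]` layout, and the batch would then push `set ssh-public-key1 "ed25519 "` to the admin account; add `[ -n "$ssh_pubkey_data" ] || { echo "no key data in $ssh_pubkey" >&2; exit 1; }` before building the script. The sourced `run_ssh_script` depends on `ssh_opts="-p 11422"` being word-split into two ssh arguments, which the comment on that line should state, because a later `"$ssh_opts"` quoting fix would silently break the port.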

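--- a/util.sh
+++ b/util.sh
@@ -0,0 +1,4 @@
+#!/bin/sh
+# -o StrictHostKeyChecking=no
+run_ssh_script() { printf "%s" "${1}" | ssh $ssh_opts $ssh_host; }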
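Review bot: `run_ssh_script` depends on the caller having set `ssh_opts` and `ssh_host` before sourcing, and the deliberate word splitting of `$ssh_opts` is indistinguishable from a quoting bug without a note; a header such as `# Usage: set ssh_host and ssh_opts (e.g. "-p 11422") before sourcing; $ssh_opts is intentionally unquoted so it splits into separate ssh arguments` together with `# shellcheck disable=SC2086` on the function line would make the contract explicit. The `# -o StrictHostKeyChecking=no` line above it reads as a commented-out option rather than documentation; either drop it or state that host-key checking is intentionally left enabled so nobody re-adds it when a first connection prompts. `$ssh_host` itself can be quoted as `"$ssh_host"` without affecting the split of `$ssh_opts`.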