initial commit
f99e053b41
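--- a/42git.sh
+++ b/42git.sh
@@ -0,0 +1,61 @@
+#!/bin/sh
+set -e
+
+# ssh options for fortigate scp
+ssh_identity="/root/.ssh/id_ed25519"
+ssh_user="admin"
+ssh_host="192.168.2.1"
+ssh_port=11422
+enc_key="/root/.secrets/backup-enc.key"
+
+git_repo="git@git.dafu.dev:3022/dafu/fg_backup"
+
+# temp dir
+temp_dir=$(mktemp -d)
+cd "$temp_dir"
+
+# git
+echo "cloning from $git_repo"
+git clone --quiet --depth=1 \
+"ssh://${git_repo}" .
+
+# -O disables sftp which is not enabled on FG
+echo "grabbing config from ${ssh_user}@${ssh_host}:sys_config"
+scp -q -i ${ssh_identity} -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -O -P ${ssh_port} \
+${ssh_user}@${ssh_host}:sys_config .
+
+# get file version and firmware
+config_version=$(grep -o -P '(?<=^#conf_file_ver=).*$' sys_config)
+firmware_version=$(grep -o -P '(?<=#config-version=).*(?=-FW.*)' sys_config)
+
+echo "found version: ${firmware_version} - ${config_version}"
+
+# copy full config to temp file
+cp sys_config temp_"${config_version}"
+
+# apply regexes to config file
+perl -0777 -pi -e 's/ENC .*/_ENC_REMOVED_/g' sys_config
+perl -0777 -pi -e 's/(?ms)(set.*?)"-----.*?"/$1 _REMOVED_/g' sys_config
+perl -0777 -pi -e 's/(?ms)(set.*?key) ".*?"/$1 _PUB_KEY_REMOVED_/g' sys_config
+perl -0777 -pi -e 's/.*(#private-encryption-key=).*/$1 _PRIV_KEY_REMOVED_/g' sys_config
+perl -0777 -pi -e 's/conf_file_ver=(.*)/conf_file_ver=_REMOVED_/g' sys_config
+
+echo "checking for changes"
+git diff --stat
+
+# check for changes with git diff or if sys_config exists in root dir with git ls
+if ! (git ls | grep "^sys_config$" && git diff-index --exit-code --quiet HEAD); then
+echo "found changes: committing"
+echo "temp folder: $(pwd)"
+mv temp_"$config_version" sys_config_full
+rm -f sys_config_full.gpg
+gpg -e --recipient-file "$enc_key" sys_config_full
+git add sys_config sys_config_full.gpg
+git commit -m "Backup Version: ${firmware_version} - ${config_version}"
+git push
+else
+echo "no changes found. aborting"
+fi
+
+# cleanup
+rm -r "$temp_dir"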
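Review bot: The scp line beginning `scp -q -i ${ssh_identity}` disables host-key verification (`StrictHostKeyChecking=no` together with `UserKnownHostsFile=/dev/null`), so the unscrubbed configuration — which still holds the `ENC` secrets the later perl passes strip — is fetched from whatever answers at 192.168.2.1:11422 with no warning; pin the FortiGate's key instead, e.g. `-o StrictHostKeyChecking=yes -o UserKnownHostsFile=/path/to/fortigate_known_hosts` (placeholder path), and quote the `${ssh_identity}`, `${ssh_port}` and `${ssh_user}@${ssh_host}` expansions. The final `rm -r "$temp_dir"` only runs on the success path: under `set -e` any earlier failure leaves the plaintext full config (`temp_<version>` / `sys_config_full`) behind in the temp directory, so register the cleanup once, right after `mktemp -d`, with `trap 'rm -rf -- "${temp_dir:?}"' EXIT`. The change test `if ! (git ls | grep "^sys_config$" && ...` uses `git ls`, which is not a git subcommand; without pipefail the pipeline's status is just grep's, so the commit branch is taken on every run — `git ls-files` is presumably what was meant.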
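--- a/cert2-40_api.sh
+++ b/cert2-40_api.sh
@@ -0,0 +1,48 @@
+#!/bin/sh
+set -e
+
+api_host="https://192.168.2.1:11443"
+api_endpoint="api/v2/monitor/vpn-certificate/local/import"
+api_token=
+ssh_host="fg"
+certname=fg.dafu.dev
+
+key=$(cat /mnt/docker/volumes/caddy_caddy_data/_data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${certname}/${certname}.key | base64 | tr -d "\n" )
+crt=$(cat /mnt/docker/volumes/caddy_caddy_data/_data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${certname}/${certname}.crt | base64 | tr -d "\n" )
+
+run_ssh_script() { printf "%s" "${1}" | ssh $ssh_host; }
+run_upload_cert() {
+printf "%s" "${1}"
+printf "%s" "${api_host}/${api_endpoint}"
+curl -q -k -H "Authorization: Bearer ${api_token}" -d "${1}" \
+-H "Content-Type: application/json" \
+-X POST "${api_host}/${api_endpoint}"
+}
+
+api_data="{
+'type': 'regular',
+'certname': '${certname}',
+'file_content': '${crt}',
+'key_file_content': '${key}'
+}"
+
+fg_delete_cert_script="
+execute batch start
+config sys global
+unset admin-server-cert
+end
+config vpn certificate local
+delete ${certname}
+end
+execute batch end"
+
+fg_set_cert_script="
+execute batch start
+config sys global
+set admin-server-cert ${certname}
+end
+execute batch end"
+
+run_ssh_script "${fg_delete_cert_script}"
+run_upload_cert "${api_data}"
+run_ssh_script "${fg_set_cert_script}"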
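Review bot: `curl -q -k` in run_upload_cert switches off TLS certificate verification for a request that carries both the API bearer token and the base64 private key in its body, so anyone able to answer for 192.168.2.1:11443 can collect both; replace `-k` with `--cacert /path/to/fortigate-ca.pem` (placeholder) so the appliance's certificate is actually checked. The `printf "%s" "${1}"` at the top of the same function writes the whole JSON payload, private key included, to stdout, which from cron ends up in mail or a log file — remove it, or print only the endpoint. `-d "${1}"` and `-H "Authorization: Bearer ${api_token}"` also place the key and the token on the process command line, where they are visible to other local users via `ps`; `printf '%s' "${1}" | curl ... -d @- ...` keeps the body off argv, and the token can be read from a file with `-H @/path/to/headerfile` (placeholder). The payload uses single-quoted keys and values, which is not valid JSON; I cannot tell from the hunk whether the FortiGate API tolerates that, so it is worth confirming, and `ssh $ssh_host` in run_ssh_script should be quoted.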
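--- a/certs2-40.sh
+++ b/certs2-40.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+set -e
+
+ssh_host="fg"
+certname=fg.dafu.dev
+
+key=$(cat /mnt/docker/volumes/caddy_caddy_data/_data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${certname}/${certname}.key)
+crt=$(cat /mnt/docker/volumes/caddy_caddy_data/_data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${certname}/${certname}.crt)
+
+run_ssh_script() { printf "%s" "${1}" | ssh $ssh_host; }
+
+fg_set_cert_script="
+execute batch start
+config vpn certificate local
+edit ${certname}
+set private-key \"${key}\"
+set certificate \"${crt}\"
+end
+execute batch end
+execute batch lastlog
+"
+
+run_ssh_script "${fg_set_cert_script}"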
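Review bot: `run_ssh_script` is defined inline here and again in cert2-40_api.sh, while sshkey_2-40.sh sources the same function from `util.sh`; keeping a single copy in util.sh and sourcing it from all three scripts would stop the definitions drifting apart. In this copy `ssh $ssh_host` is unquoted, so `run_ssh_script() { printf '%s' "${1}" | ssh -- "$ssh_host"; }` is the minimal fix. The batch ends with `execute batch lastlog`, and the batch text contains the private key from `set private-key \"${key}\"`; if lastlog echoes the executed lines, the key comes back on the script's stdout and into any cron log — I cannot tell from the hunk what lastlog prints, so check that and redirect or drop the lastlog if it does.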
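--- a/sshkey_2-40.sh
+++ b/sshkey_2-40.sh
@@ -0,0 +1,29 @@
+#!/bin/sh
+#
+# DOCS:
+# https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/813125/public-key-ssh-access
+#
+set -e
+
+ssh_pubkey="/root/.ssh/id_ed25519.pub"
+ssh_keytype="ed25519"
+ssh_user="admin"
+ssh_host="${ssh_user}@192.168.2.1"
+ssh_opts="-p 11422"
+
+. util.sh # import ssh function after options are set
+
+ssh_pubkey_data=$(cut -f2 -d' ' < "$ssh_pubkey") # cut: only keydata is needed
+
+fg_updatekey_script="
+execute batch start
+config system admin
+edit ${ssh_user}
+set ssh-public-key1 \"${ssh_keytype} ${ssh_pubkey_data}\"
+next
+end
+execute batch end
+execute batch lastlog
+"
+
+run_ssh_script "${fg_updatekey_script}"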
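Review bot: `. util.sh` sources the helper by a path relative to the current working directory, not to the script; util.sh is not part of this commit, and when the script is started from cron or another directory the source either aborts under `set -e` or, worse, executes whichever `util.sh` happens to sit in that directory. Resolve it from the script's own location instead: `script_dir=$(dirname -- "$0")` followed by `. "${script_dir}/util.sh"`. The trailing comment says the ssh function reads the options set above; since `ssh_opts="-p 11422"` is a single string, util.sh presumably relies on unquoted word-splitting to turn it into two arguments, which deserves a note there so nobody "fixes" the quoting and breaks the port.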