chore: setup hosting environment

script/setup.sh

@@ -0,0 +1,92 @@
+#!/usr/bin/env bash
+
+ui_host=oolon.kosherinata.internal
+ws_host=frootmig.kosherinata.internal
+app_fqdn=blekin.kosherinata.internal
+
+fedora_trusted_root_path=/etc/pki/ca-trust/source/anchors/root-internal.pem
+fedora_intermediate_path=/etc/pki/ca-trust/source/anchors/intermediate-internal.pem
+
+
+#ssh ${ui_host} sudo mkdir -p /etc/nginx/tls/${app_fqdn}
+app_cert_is_valid=false
+app_cert_remote_path=/etc/nginx/tls/cert/${app_fqdn}.pem
+app_key_remote_path=/etc/nginx/tls/key/${app_fqdn}.pem
+app_cert_local_path=/tmp/${app_fqdn}.pem
+
+if rsync \
+    --archive \
+    --compress \
+    --rsync-path 'sudo rsync' \
+    ${ui_host}:${app_cert_remote_path} \
+    ${app_cert_local_path} 2> /dev/null; then
+    if openssl verify \
+        -trusted ${fedora_trusted_root_path} \
+        -untrusted ${fedora_intermediate_path} \
+        ${app_cert_local_path}; then
+        echo "verified ${app_fqdn} cert from ${ui_host}"
+        app_cert_is_valid=true
+    else
+        echo "failed to verify ${app_fqdn} cert from ${ui_host}"
+        exit 1
+    fi
+else
+    echo "observed missing ${app_fqdn} cert on ${ui_host}"
+fi
+if [ "${app_cert_is_valid}" = "true" ]; then
+    echo "observed valid cert for ${app_fqdn} on ${ui_host}"
+else
+    if rsync \
+        --archive \
+        --compress \
+        --rsync-path 'sudo rsync' \
+        --chmod 600 \
+        --chown root:root \
+        ~/.step/secrets/provisioner \
+        ${ui_host}:/tmp/provisioner; then
+        echo "provisioner secret synced to ${ui_host}"
+    else
+        echo "failed to sync provisioner secret to ${ui_host}"
+        exit 1
+    fi
+    if ssh ${ui_host} sudo step ca certificate \
+        --force \
+        --provisioner lair \
+        --provisioner-password-file /tmp/provisioner \
+        --ca-url https://ca.internal \
+        --root /etc/pki/ca-trust/source/anchors/root-internal.pem \
+        --san ${app_fqdn} \
+        ${app_fqdn} \
+        ${app_cert_remote_path} \
+        ${app_key_remote_path}; then
+        echo "acquired ${app_fqdn} cert on ${ui_host}"
+    else
+        echo "failed to acquire ${app_fqdn} cert on ${ui_host}"
+    fi
+    ssh ${ui_host} sudo rm -f /tmp/provisioner
+fi
+
+if rsync \
+    --archive \
+    --compress \
+    --rsync-path 'sudo rsync' \
+    --chown root:root \
+    ~/git/grenade/blekin/asset/nginx/${app_fqdn}.conf \
+    ${ui_host}:/etc/nginx/sites-available/${app_fqdn}.conf; then
+    echo "${app_fqdn}.conf synced to ${ui_host}"
+else
+    echo "failed to sync ${app_fqdn}.conf to ${ui_host}"
+fi
+if ssh ${ui_host} sudo ln -sf /etc/nginx/sites-available/${app_fqdn}.conf /etc/nginx/sites-enabled/${app_fqdn}.conf; then
+    echo "${app_fqdn} enabled on ${ui_host}"
+else
+    echo "failed to enable ${app_fqdn} on ${ui_host}"
+fi
+if ssh ${ui_host} 'sudo nginx -t && sudo systemctl reload nginx.service'; then
+    echo "nginx reloaded on ${ui_host}"
+else
+    echo "failed to reload nginx on ${ui_host}"
+fi
+
+
+# sudo useradd --system --create-home --home-dir /var/lib/blekin --user-group blekin