Initial import to GitHub

Signed-off-by: Samuli Seppänen <[email protected]>
Signed-off-by: Samuli Seppänen <[email protected]>

Author: mattock

LICENSE.BSD

@@ -0,0 +1,27 @@
+Copyright 2015 Samuli Seppänen and OpenVPN Technologies, Inc. (from this point 
+onward "developers") and contributors. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without modification, 
+are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice, this 
+list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright notice, 
+this list of conditions and the following disclaimer in the documentation and/or 
+other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY THE DEVELOPERS ''AS IS'' AND ANY EXPRESS OR IMPLIED 
+WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF 
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT 
+SHALL THE DEVELOPERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 
+INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT 
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 
+PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 
+LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE 
+OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF 
+ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+The views and conclusions contained in the software and documentation are those 
+of the authors and should not be interpreted as representing official policies, 
+either expressed or implied, of the developers.

LICENSE.MIT

@@ -0,0 +1,20 @@
+The MIT License (MIT)
+
+Copyright (c) 2013-2014 Joe Fitzgerald
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+the Software, and to permit persons to whom the Software is furnished to do so,
+subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

README.md

@@ -1,2 +1,47 @@
-# scripts
-Various scripts for bootstrapping systems
+# Puppet-Finland scripts
+
+A collection of useful scripts (shell and Powershell) used for bootstrapping 
+systems. In this context bootstrapping means getting the node to a state where a 
+real configuration management system (e.g. Puppet) can take over it's 
+configuration.
+
+These scripts are particularly useful with tools such as Vagrant for 
+provisioning virtual machines.
+
+These scripts can be run standalone for the most part. One strategy is to 
+distribute a single site-specific initialization script that fetches and runs 
+other bootstrapping scripts to do things like setup OpenVPN and then run Puppet.
+
+# Project structure
+
+Currently the project structure is simple:
+
+    .
+    ├── bootstrap
+    │   ├── linux
+    │   │   └── setup_puppet.ps1
+    │   └── windows
+    │       ├── config.ps1
+    │       ├── create_user.ps1
+    │       ├── init.bat
+    │       ├── setup_openvpn.ps1
+    │       ├── setup_puppet.ps1
+    │       ├── setup_ssh_rsync.ps1
+    │       ├── transcript_example.ps1
+    │       └── utils.ps1
+    └── README.md
+
+The "bootstrap" directory contains all bootstrapping scripts. Scripts aimed at 
+bootstrapping Linux (or *NIX) nodes are under "linux" and are typically (but not 
+necessarily) written with sh shell in mind.
+
+Powershell scripts and batch files used for bootstrapping Windows nodes are 
+under the "windows" subdirectory. There are two special files: utils.ps1 and 
+config.ps1. The former contains general purpose Powershell functions which are 
+included in other Powershell scripts. The latter, config.ps1, contains common 
+configuration for other Powershell scripts.
+
+# License and copyrights
+
+Unless otherwise stated the scripts use the BSD license (see LICENSE.BSD). Files 
+taken from the packer-windows project use the MIT license (see LICENSE.MIT).

bootstrap/linux/setup_puppet.ps1

@@ -0,0 +1,35 @@
+#!/bin/bash
+#
+# Setup Puppet on the node and do the first run
+
+PATH=/bin:/usr/bin/
+
+# Arguments from Vagrant
+LSBDISTCODENAME=$1
+FQDN=$2
+HOST=`echo $FQDN|cut -d "." -f 1`
+
+# Install Puppet
+cd ~
+wget https://apt.puppetlabs.com/puppetlabs-release-$LSBDISTCODENAME.deb
+sudo dpkg -i puppetlabs-release-$LSBDISTCODENAME.deb
+sudo apt-get update
+sudo apt-get -y install puppet facter
+
+# Set hostname/fqdn. Simply doing a "sudo echo" does not seem to work, hence the 
+# trickery.
+sudo hostname $FQDN
+echo $FQDN|sudo tee /etc/hostname > /dev/null
+echo "127.0.1.1 $FQDN $HOST"|sudo tee -a /etc/hosts > /dev/null
+
+# Setup puppet.conf
+if [ -r "/vagrant/puppet.conf" ]; then
+    sudo cp /etc/puppet/puppet.conf /etc/puppet/puppet.conf.dist
+    sudo cp /vagrant/puppet.conf /etc/puppet/puppet.conf
+fi
+
+# Run Puppet
+puppet agent --test --waitforcert 60
+
+# Install security updates
+apt-get update && apt-get dist-upgrade -y

bootstrap/windows/config.ps1

@@ -0,0 +1,7 @@
+### Parameters for scripts are stored in this file
+
+# BASIC AUTH settings. These are used to securely fetch resources from 
+# remote webservers.
+$filesBaseUrl = 'https://server.domain.com/protected/bootstrap'
+$filesHTTPUser = 'bootstrap'
+$filesHTTPPassword = 'somepassword'

bootstrap/windows/create_user.ps1

@@ -0,0 +1,2 @@
+### Create the "vagrant" user
+net user vagrant "password" /ADD

bootstrap/windows/init.bat

@@ -0,0 +1,3 @@
+rem Set Powershell ExecutionPolicy and run a Powershell initialization script
+@powershell -Command Set-ExecutionPolicy unrestricted
+powershell .\init.ps1

bootstrap/windows/setup_openvpn.ps1

@@ -0,0 +1,47 @@
+### Install OpenVPN and connect to a VPN server to get access to intranet 
+### resources
+
+# Include other scripts to reduce repetition
+. ".\utils.ps1"
+. ".\config.ps1"
+
+# (More or less) static variables
+$location = 'C:\Users\Administrator\bootstrap'
+$openvpnVersion = '2.3.6'
+$openvpnBuild = 'I603'
+$openvpnArch = 'x86_64'
+$openvpnBaseUrl = 'http://swupdate.openvpn.org/community/releases'
+$openvpnInstallerBaseName = "openvpn-install-$openvpnVersion-$openvpnBuild-$openvpnArch.exe"
+$openvpnUrl = "$openvpnBaseUrl/$openvpnInstallerBaseName"
+
+$ovpnCertBaseName = 'openvpn.cer'
+$ovpnCertUrl = "$filesBaseUrl/windows/$ovpnCertBaseName"
+$ovpnConfBasename = 'client.ovpn'
+$ovpnConfUrl = "$filesBaseUrl/common/$ovpnConfBaseName"
+$ovpnPassBaseName = 'client.pass'
+$ovpnPassUrl = "$filesBaseUrl/common/$ovpnPassBaseName"
+
+### Script begin
+New-Item -ItemType directory -Path $location -Force
+Set-Location $location
+
+### Download files
+
+Invoke-WebRequest -Uri $openvpnUrl -OutFile "$openvpnInstallerBaseName"
+Invoke-WebRequest -Uri $puppetUrl -OutFile $puppetInstallerBaseName
+download_file $ovpnCertUrl "$location\$ovpnCertBaseName"
+download_file $ovpnConfUrl "$location\$ovpnConfBaseName"
+download_file $ovpnPassUrl "$location\$ovpnPassBaseName"
+
+### Setup OpenVPN
+
+# Import OpenVPN publisher certificate so that tap-windows6 driver installation does not give a warning
+Import-Certificate -FilePath $ovpnCertBaseName -CertStoreLocation cert:\LocalMachine\TrustedPublisher
+
+& $location\$openvpnInstallerBaseName /S | Out-Null
+
+Copy-Item $ovpnConfBaseName "${Env:ProgramFiles}\openvpn\config\$ovpnConfBaseName"
+Copy-Item $ovpnPassBaseName "${Env:ProgramFiles}\openvpn\config\$ovpnPassBaseName"
+
+Start-Service OpenVPNService
+Set-Service OpenVPNService -StartupType Automatic

bootstrap/windows/setup_puppet.ps1

@@ -0,0 +1,34 @@
+### Setup Puppet and run Puppet Agent
+
+# Include other scripts to reduce repetition
+. ".\utils.ps1"
+. ".\config.ps1"
+
+# (More or less) static variables
+$location = 'C:\Users\Administrator\bootstrap'
+$puppetVersion = '3.7.4'
+$puppetArch = '-x64'
+$puppetBaseUrl = 'https://downloads.puppetlabs.com/windows'
+$puppetInstallerBaseName = "puppet-$puppetVersion$puppetArch.msi"
+$puppetUrl = "$puppetBaseUrl/$puppetInstallerBaseName"
+$puppetConfBasename = 'puppet.conf'
+$puppetConfUrl = "$filesBaseUrl/common/$puppetConfBaseName"
+$puppetBat = 'C:\Program Files\Puppet Labs\Puppet\bin\puppet.bat'
+
+### Script begin
+
+New-Item -ItemType directory -Path $location -Force
+Set-Location $location
+
+### Download files
+
+Invoke-WebRequest -Uri $puppetUrl -OutFile $puppetInstallerBaseName
+download_file $puppetConfUrl "$location\$puppetConfBaseName"
+
+### Setup Puppet
+
+& msiexec.exe /qn /i $location\$puppetInstallerBaseName | Out-Null
+
+Copy-Item $puppetConfBaseName "${Env:ProgramData}\PuppetLabs\puppet\etc\$puppetConfBaseName"
+
+& $puppetBat agent --test --waitforcert 10 --certname test.example.com | Out-Null

bootstrap/windows/setup_ssh_rsync.ps1

@@ -0,0 +1,100 @@
+### Setup SSH and Rsync
+#
+# The script has been adapted from
+#
+# <https://github.com/joefitzgerald/packer-windows>
+
+# This section is based on openssh.ps1 in https://github.com/joefitzgerald/packer-windows
+
+$is_64bit = [IntPtr]::size -eq 8
+
+# setup openssh
+$ssh_download_url = "http://www.mls-software.com/files/setupssh-6.6p1-1.exe"
+if ($is_64bit) {
+    Write-Host "64 bit OS found"
+    $ssh_download_url = "http://www.mls-software.com/files/setupssh-6.6p1-1(x64).exe"
+}
+
+if (!(Test-Path "C:\Program Files\OpenSSH\bin\ssh.exe")) {
+    Write-Host "Downloading $ssh_download_url"
+    (New-Object System.Net.WebClient).DownloadFile($ssh_download_url, "C:\Windows\Temp\openssh.exe")
+    Start-Process "C:\Windows\Temp\openssh.exe" "/S /port=22 /privsep=1 /password=D@rj33l1ng" -NoNewWindow -Wait
+}
+
+Stop-Service "OpenSSHd" -Force
+
+# ensure vagrant can log in
+Write-Host "Setting vagrant user file permissions"
+New-Item -ItemType Directory -Force -Path "C:\Users\vagrant\.ssh"
+C:\Windows\System32\icacls.exe "C:\Users\vagrant" /grant "vagrant:(OI)(CI)F"
+C:\Windows\System32\icacls.exe "C:\Program Files\OpenSSH\bin" /grant "vagrant:(OI)RX"
+C:\Windows\System32\icacls.exe "C:\Program Files\OpenSSH\usr\sbin" /grant "vagrant:(OI)RX"
+
+Write-Host "Setting SSH home directories" 
+    (Get-Content "C:\Program Files\OpenSSH\etc\passwd") |
+    Foreach-Object { $_ -replace '/home/(\w+)', '/cygdrive/c/Users/$1' } |
+    Set-Content 'C:\Program Files\OpenSSH\etc\passwd'
+
+# Set shell to /bin/sh to return exit status
+$passwd_file = Get-Content 'C:\Program Files\OpenSSH\etc\passwd'
+$passwd_file = $passwd_file -replace '/bin/bash', '/bin/sh'
+Set-Content 'C:\Program Files\OpenSSH\etc\passwd' $passwd_file
+
+# fix opensshd to not be strict
+Write-Host "Setting OpenSSH to be non-strict"
+$sshd_config = Get-Content "C:\Program Files\OpenSSH\etc\sshd_config"
+$sshd_config = $sshd_config -replace 'StrictModes yes', 'StrictModes no'
+$sshd_config = $sshd_config -replace '#PubkeyAuthentication yes', 'PubkeyAuthentication yes'
+$sshd_config = $sshd_config -replace '#PermitUserEnvironment no', 'PermitUserEnvironment yes'
+# disable the use of DNS to speed up the time it takes to establish a connection
+$sshd_config = $sshd_config -replace '#UseDNS yes', 'UseDNS no'
+# disable the login banner
+$sshd_config = $sshd_config -replace 'Banner /etc/banner.txt', '#Banner /etc/banner.txt'
+Set-Content "C:\Program Files\OpenSSH\etc\sshd_config" $sshd_config
+
+# use c:\Windows\Temp as /tmp location
+Write-Host "Setting temp directory location"
+Remove-Item -Recurse -Force -ErrorAction SilentlyContinue "C:\Program Files\OpenSSH\tmp"
+C:\Program` Files\OpenSSH\bin\junction.exe /accepteula "C:\Program Files\OpenSSH\tmp" "C:\Windows\Temp"
+C:\Windows\System32\icacls.exe "C:\Windows\Temp" /grant "vagrant:(OI)(CI)F"
+
+# add 64 bit environment variables missing from SSH
+Write-Host "Setting SSH environment"
+$sshenv = "TEMP=C:\Windows\Temp"
+if ($is_64bit) {
+    $env_vars = "ProgramFiles(x86)=C:\Program Files (x86)", `
+        "ProgramW6432=C:\Program Files", `
+        "CommonProgramFiles(x86)=C:\Program Files (x86)\Common Files", `
+        "CommonProgramW6432=C:\Program Files\Common Files"
+    $sshenv = $sshenv + "`r`n" + ($env_vars -join "`r`n")
+}
+Set-Content C:\Users\vagrant\.ssh\environment $sshenv
+
+# record the path for provisioners (without the newline)
+Write-Host "Recording PATH for provisioners"
+Set-Content C:\Windows\Temp\PATH ([byte[]][char[]] $env:PATH) -Encoding Byte
+
+# configure firewall
+Write-Host "Configuring firewall"
+netsh advfirewall firewall add rule name="SSHD" dir=in action=allow service=OpenSSHd enable=yes
+netsh advfirewall firewall add rule name="SSHD" dir=in action=allow program="C:\Program Files\OpenSSH\usr\sbin\sshd.exe" enable=yes
+netsh advfirewall firewall add rule name="ssh" dir=in action=allow protocol=TCP localport=22
+
+Start-Service "OpenSSHd"
+
+
+# This section is adapted from rsync.bat in https://github.com/joefitzgerald/packer-windows
+
+Set-Location C:\Windows\Temp
+
+(New-Object System.Net.WebClient).DownloadFile('http://downloads.sourceforge.net/sevenzip/7z920-x64.msi', 'C:\Windows\Temp\7z920-x64.msi')
+msiexec /q /i C:\Windows\Temp\7z920-x64.msi
+
+(New-Object System.Net.WebClient).DownloadFile('http://mirrors.kernel.org/sourceware/cygwin/x86_64/release/rsync/rsync-3.1.0-1.tar.xz', 'C:\Windows\Temp\rsync-3.1.0-1.tar.xz')
+C:\Program` Files\7-Zip\7z.exe x rsync-3.1.0-1.tar.xz
+C:\Program` Files\7-Zip\7z.exe x rsync-3.1.0-1.tar
+Copy-Item usr\bin\rsync.exe C:\Program` Files\OpenSSH\bin\rsync.exe
+
+Remove-Item -Recurse -Path usr
+Remove-Item rsync-3.1.0-1.tar
+msiexec /q /x C:\Windows\Temp\7z920-x64.msi

bootstrap/windows/transcript_example.ps1

@@ -0,0 +1,12 @@
+### Example of Powershell script transcript and log
+
+$logBaseName = "bootstrap-log.txt"
+$transcriptBaseName = "bootstrap-transcript.txt"
+
+Start-Transcript -Path $transcriptBaseName -Force
+
+Add-Content $logBaseName -value "Initializing"
+Add-Content $logBaseName -value "Downloading files"
+Add-Content $logBaseName -value "Setting up an application"
+
+Stop-Transcript

bootstrap/windows/utils.ps1

@@ -0,0 +1,17 @@
+# Invoke-WebRequest will fail with self-signed certificates:
+#
+# <https://connect.microsoft.com/PowerShell/feedback/details/419466/new-webserviceproxy-needs-force-parameter-to-ignore-ssl-errors>
+#
+# This solution is combined from a few of sources:
+#
+# <http://stackoverflow.com/questions/11696944/powershell-v3-invoke-webrequest-https-error/15841856>
+# <http://powershell.org/wp/forums/topic/trouble-with-invoke-webrequest>
+# <https://msdn.microsoft.com/en-us/library/system.net.webclient%28v=vs.110%29.aspx>
+#
+function download_file($url, $targetfile) {
+    # In this case fully-qualified paths are necessary.
+    $wc = New-Object System.Net.WebClient
+    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
+    $wc.Credentials = New-Object System.Net.NetworkCredential($filesHTTPUser, $filesHTTPPassword)
+    $wc.DownloadFile($url, $targetfile)
+}