#!/bin/sh
# selfpublish.sh: installs an Apache vhost for a cryptonomic.net dyndns name
# obtained over SSH, enables mod_md-managed TLS, publishes this script and a
# cgit scan path, then prints the resulting URL.
#
# Environment read by the code below:
#   FORCE   non-empty: reinstall the vhost even if it exists / TLS already works
#   NO_APT  non-empty: skip building and installing the dependency package
# Argument: $1 - optional SSH key type or path fragment (default: ed25519).
#
# NOTE(review): the page this listing came from lost its line breaks and
# everything between '<' and '>' characters. Line breaks are restored here;
# the three here-documents (control_file, site_conf_template,
# install_header_to_site) are kept exactly as they survive and are NOT valid
# shell until restored from the original file.
# NOTE(review): `local`, `test -ef` and `echo -n` are used under #!/bin/sh;
# they are not POSIX, so this presumably targets Debian's dash - confirm.
set -e
DEFAULT_AUTH_TYPE=ed25519

# Succeeds when $FORCE is set to a non-empty value.
force()
{
    [ "$FORCE" ]
}

# Succeeds when the current user is a member of the group named in $1.
# A bare `return` passes on the status of the successful test (0).
in_group()
{
    local g
    for g in $(groups)
    do
        [ "$g" = "$1" ] && return
    done
    false
}

# Runs the given command as root: directly when already uid 0, through sudo
# when the user is in group `sudo`, otherwise through su.
# NOTE(review): the su branch passes "$*", which flattens the argument list
# into one string that su's shell parses again. Arguments containing
# whitespace or shell metacharacters are therefore not passed through intact,
# unlike the two "$@" branches.
as_root()
{
    if [ "$(id -u)" = 0 ]
    then
        "$@"
    elif in_group sudo
    then
        sudo "$@"
    else
        su -c "$*"
    fi
}

# Installs the named packages with apt-get, as root.
apt_install()
{
    as_root apt-get install "$@"
}

# Installs the .deb files given as arguments with dpkg, then lets apt-get
# resolve their dependencies.
# NOTE(review): points to check on this function:
#  - `tee -a` appends the backports line on every run on buster, so the list
#    file accumulates duplicate entries.
#  - the backports source is plain http; package authenticity then rests on
#    apt's repository signature verification rather than on the transport.
#  - "$*" is expanded into the -c string before the root shell parses it, so
#    arguments must be trusted and free of shell metacharacters (the only
#    caller visible here passes a fixed file name).
#  - `-t buster-backports` is used even when lsb_release reported another
#    codename.
#  - `set -$- +e` hands the current shell flags to the child with errexit
#    off; presumably so that a dpkg failure on unmet dependencies still
#    reaches `apt-get -f install` - confirm.
dpkg_install()
{
    case "$(lsb_release -cs)" in
        buster)
            echo 'deb http://httpredir.debian.org/debian buster-backports main' |
                as_root tee -a /etc/apt/sources.list.d/buster-backports.list >/dev/null
            ;;
    esac
    as_root $SHELL -c "set -$- +e; dpkg -i $*; apt-get -t buster-backports -f install"
}

# Prints the equivs control file for the selfpublish-dot-sh-deps package.
# NOTE(review): the here-document operator and the leading control fields
# appear to have been lost in extraction (text from '<' up to the '>' of the
# first version constraint). Only the tail of the Depends field, the
# Description and the EOF terminator survive; restore from the original.
control_file()
{
    cat <= 2.4.46), libssl1.1 (>= 1.1.1d), fortune-mod, fortunes-min, curl, cgit
Description: selfpublish.sh dependency package
This package depends on the dependencies of the selfpublish.sh script, and is installed by that script to self-satisfy those dependencies.
EOF
}

# Rebuilds and installs the dependency meta-package: removes an installed
# copy, installs equivs when equivs-build is missing, builds the .deb in a
# fresh temporary directory and installs it through dpkg_install.
# NOTE(review): the mktemp -d directory is never removed, and the output of
# equivs-build (errors included) is discarded. `which` could be replaced by
# `command -v`.
equivocate()
{
    if dpkg-query -s selfpublish-dot-sh-deps | grep -q '^Status: install ok installed'
    then
        as_root dpkg -r selfpublish-dot-sh-deps
    fi
    which equivs-build >/dev/null 2>&1 || apt_install equivs
    (
        # Subshell: the cd does not affect the rest of the script.
        destdir=$(mktemp -d)
        cd "$destdir"
        control_file > ./control
        equivs-build ./control >/dev/null 2>&1
        dpkg_install selfpublish-dot-sh-deps_1.0_all.deb
    )
}

# Maps an SSH public-key type tag ($1) to the fragment used in key file
# names (dsa, ecdsa, rsa, ed25519). Returns 1 for an unknown tag.
ssh_keytag_to_path_fragment()
{
    case "$1" in
        ssh-dss) echo dsa ;;
        ecdsa-sha2-nistp256) echo ecdsa ;;
        ssh-rsa|ssh-ed25519) echo ${1#ssh-} ;;
        *) return 1 ;;
    esac
}

# Inverse mapping: accepts either a key type tag or a file-name fragment in
# $1 and prints the key type tag. Returns 1 for anything else.
path_fragment_to_ssh_keytag()
{
    case "$1" in
        ssh-dss|ecdsa-sha2-nistp256|ssh-rsa|ssh-ed25519) echo $1;;
        dss|rsa|ed25519) echo ssh-$1 ;;
        dsa) echo ssh-dss ;;
        ecdsa) echo ecdsa-sha2-nistp256 ;;
        *) return 1 ;;
    esac
}

# Connects to dyndns@cryptonomic.net over SSH and passes its output through;
# the caller treats the first word of that output as the domain name.
# Identity selection, in order: the machine's SSH host private key when
# readable, the same key through sudo, the user's own key, else ssh defaults.
# NOTE(review): the host's private SSH key doubles as the client identity
# for an external service, and the remote reply later drives file paths and
# Apache configuration, so it must be validated by the caller. Only -q and -i
# are passed to ssh, so its normal server host-key checking applies.
# fragment, host_keyfile and user_keyfile are assigned as globals.
get_dyndns_domain()
{
    fragment=$(ssh_keytag_to_path_fragment "$1") || return
    host_keyfile=/etc/ssh/ssh_host_${fragment}_key
    user_keyfile=$HOME/.ssh/id_${fragment}
    # Build the command line in the positional parameters, innermost first.
    set -- -q dyndns@cryptonomic.net
    if [ -r "$host_keyfile" ]
    then
        set -- ssh -i "$host_keyfile" "$@"
    elif in_group sudo
    then
        set -- sudo ssh -i "$host_keyfile" "$@"
    elif [ -r "$user_keyfile" ]
    then
        set -- ssh -i "$user_keyfile" "$@"
    else
        set -- ssh "$@"
    fi
    "$@"
}

# Enables every module listed in $APACHE_MODULES that has no .load file in
# mods-enabled, and restarts Apache if anything was enabled. `cgi` counts as
# already enabled when cgid.load exists.
# NOTE(review): a2enmod and systemctl are called without as_root, unlike the
# apt/dpkg steps, so this part presumably expects to run as root - confirm.
# MODULE is a global; `-a` inside [ ] is obsolescent.
enable_apache_modules()
{
    local restart=
    for MODULE in $APACHE_MODULES
    do
        if ! [ -e /etc/apache2/mods-enabled/$MODULE.load ] &&
           ! [ "$MODULE" = cgi -a -e /etc/apache2/mods-enabled/cgid.load ]
        then
            a2enmod $MODULE >/dev/null
            restart=y
        fi
    done
    if [ "$restart" ]
    then
        systemctl restart apache2
    fi
}

# Prints the Apache site configuration for $DOMAIN.
# NOTE(review): the here-document operator and every <...> container line
# were lost in extraction, so the nesting of the directives below cannot be
# read from this copy. Points to check against the original:
#  - `SetHandler server-status`: confirm the enclosing block restricts who
#    may read the status page.
#  - `Options ... Includes` together with `XBitHack on` makes Apache parse
#    any text/html file with the execute bit set for server-side includes,
#    and plain `Includes` also permits the exec element; IncludesNOEXEC is
#    the narrower option if exec is not needed everywhere under the
#    DocumentRoot.
#  - `MDCertificateAgreement accepted` accepts the CA terms of service
#    without prompting.
site_conf_template()
{
    cat < MDContactEmail webmaster@$DOMAIN
MDCertificateAgreement accepted
MDRequireHttps temporary
ServerName $DOMAIN
ServerAlias ${DOMAIN}.
Redirect / https://$DOMAIN
ServerName $DOMAIN
ServerAdmin webmaster@$DOMAIN
SSLEngine on
ErrorLog /srv/$DOMAIN/logs/error.log
CustomLog /srv/$DOMAIN/logs/access.log combined
SetHandler server-status
DocumentRoot /srv/$DOMAIN/public_html/
Options Indexes FollowSymLinks MultiViews Includes
IndexOrderDefault Descending Date
IndexOptions +IgnoreCase FancyIndexing
IndexOptions +HTMLTable SuppressDescription
IndexStyleSheet /css/autoindex.css
IndexIgnore /unindexed /HEADER.html /css /images
# Using an absolute url for header
HeaderName /HEADER.html
XBitHack on
AllowOverride None
Require all granted
END
}

# Blocks until /etc/apache2/md/domains/$1/md.json reports "state": 2, which
# this script treats as "certificate issued". Prints progress dots to stderr.
# Tracing (set -x) is switched off during the loop and the saved shell flags
# are restored before returning.
# NOTE(review): there is no timeout; if issuance never completes the script
# waits forever.
wait_for_certificate_issuance()
{
    local f state
    f=/etc/apache2/md/domains/"$1"/md.json
    local set=$-
    set +x
    echo -n Waiting for certificate... >&2
    while true
    do
        if [ -e "$f" ] &&
            state=$(sed -ne 's/^ *"state": *\([0-9]\+\),/\1/p' "$f") &&
            [ "$state" = 2 ]
        then
            set -$set
            return
        fi
        sleep 1
        echo -n . >&2
    done
}

# Creates the site directories and writes $SITE_CONF, then enables the site.
# Does nothing when the config already exists, unless FORCE is set.
# The config is written to a mktemp file next to the target and renamed into
# place, so a partially written file never appears under the final name.
install_apache_vhost()
{
    if [ -e "$SITE_CONF" ] && ! force
    then
        return
    fi
    for DIR in $APACHE_SITE_DIRS
    do
        mkdir -p "$SITE_DIR"/"$DIR"
    done
    local tmp
    tmp=$(mktemp "$SITE_CONF".XXXXXX)
    site_conf_template > "$tmp"
    # On a failed rename, remove the temp file and still report failure.
    mv -T "$tmp" "$SITE_CONF" || { rm -f "$tmp"; false; }
    a2ensite "$DOMAIN" >/dev/null
}

# Copies the running script ($0) into the site's public_html, once under its
# own name and once with a .txt suffix, unless source and destination are
# already the same file. The script therefore becomes publicly downloadable.
# NOTE(review): the first `|| return` passes on the failed test's non-zero
# status; under `set -e` that aborts the script when public_html is missing.
install_self_to_site()
{
    SOURCE_BASENAME=${0##*/}
    [ -d "$SITE_DIR"/public_html ] || return
    dst=$SITE_DIR/public_html/$SOURCE_BASENAME
    src=$0
    [ -e "$src" ] || return 0
    if [ ! "$src" -ef "$dst" ]
    then
        cp -Tuv "$src" "$dst" >&2
        cp -Tuv "$src" "$dst".txt >&2
    fi
}

# Creates $SITE_DIR/public_git/ and adds it as a scan-path to /etc/cgitrc
# unless that exact line is already present.
# NOTE(review): every repository placed under public_git is handed to cgit
# for scanning. grep has no -q, so a matching line is echoed to stdout.
write_cgit_config()
{
    cgit_scan_dir=$SITE_DIR/public_git/
    mkdir -p "$cgit_scan_dir"
    line="scan-path=$cgit_scan_dir"
    grep -xF "$line" /etc/cgitrc || printf '%s\n' "$line" >> /etc/cgitrc
}

# Runs the post-install configuration steps in order.
configure_apache_vhost()
{
    enable_apache_modules
    install_self_to_site
    install_header_to_site
    write_cgit_config
}

# Writes public_html/HEADER.html and sets its execute bit; with `XBitHack on`
# in the site config that bit is what makes Apache parse the file for
# server-side includes.
# NOTE(review): the here-document operator and all markup were lost in
# extraction; only the visible text of the page survives below. The text
# after "Fortunately," presumably came from an include that runs fortune
# (fortune-mod is a declared dependency) - confirm against the original.
install_header_to_site()
{
    cat > "$SITE_DIR"/public_html/HEADER.html <
source code for selfpublish.sh available:
git repository:
git clone ssh://d@cryptonomic.net:public_html/selfpublish.sh/
git repository browser:
this web server:
Fortunately,


EOF
    chmod +x "$SITE_DIR"/public_html/HEADER.html
}

# Succeeds when an HTTPS HEAD request to host $1 completes. No -k is passed,
# so curl's default certificate verification is part of the check.
check_tls()
{
    curl -s -S -I https://"$1" >/dev/null
}

# --- main -------------------------------------------------------------------

[ "$NO_APT" ] || equivocate

APACHE_MODULES='status md rewrite ssl include cgi'
APACHE_SITE_DIRS='logs public_html'

# Under `set -e` an unknown key type or a failed SSH call ends the script
# here without a message.
AUTH_TYPE=$(path_fragment_to_ssh_keytag "${1:-$DEFAULT_AUTH_TYPE}")
DYNDNS=$(get_dyndns_domain "$AUTH_TYPE")
# First space-separated word of the server's reply.
DOMAIN=${DYNDNS%% *}
SITE_DIR=/srv/$DOMAIN
SITE_CONF=/etc/apache2/sites-available/$DOMAIN.conf

# Reject a reply that is not under <AUTH_TYPE>.cryptonomic.net.
# NOTE(review): only the suffix is checked. The leading `*` also matches
# characters that are not valid in a host name, while DOMAIN goes on to
# build SITE_DIR, SITE_CONF and the Apache directives. Consider additionally
# requiring the leading part to consist of host-name characters only. The
# error message goes to stdout rather than stderr.
case "$DOMAIN" in
    *."$AUTH_TYPE".cryptonomic.net) ;;
    *)
        printf 'Error: %s\n' "Unexpected domain returned by server: $DOMAIN"
        exit 1
        ;;
esac

if ! check_tls "$DOMAIN" || force
then
    # No working TLS yet (or FORCE): install, restart so mod_md starts the
    # certificate order, wait for it, then load the new certificate.
    install_apache_vhost
    configure_apache_vhost
    systemctl restart apache2
    wait_for_certificate_issuance "$DOMAIN"
    systemctl reload apache2 || systemctl restart apache2
else
    # TLS already works: refresh the configuration only.
    install_apache_vhost
    configure_apache_vhost
    systemctl reload apache2 || systemctl restart apache2
fi
# Final verification; under `set -e` a failure here ends the script before
# the URL is printed.
check_tls "$DOMAIN"
printf '%s\n' "https://$DOMAIN/selfpublish.sh"