147 lines
4.5 KiB
Bash
147 lines
4.5 KiB
Bash
#!/usr/bin/env bash
|
|
|
|
# The purpose of this script is to setup our print-scan server on a blank Armbian.
|
|
# This script is to be run as root.
|
|
|
|
# (Keep in mind that default root password is 1234)
|
|
# Flash SBC's SD with Armbian and clone this repository in /root
|
|
|
|
# YOU SHOULD REMOVE THIS SCRIPT AFTER SETUP
|
|
|
|
# Functions
|
|
init() {
|
|
echo "Starting initialization"
|
|
echo $fqdn > /etc/hostname
|
|
sed -i -e "s/$default_hostname/$fqdn $hostname/g" /etc/hosts
|
|
localectl set-keymap $keymap
|
|
timedatectl set-timezone $timezone
|
|
systemctl disable apt-daily-upgrade.timer
|
|
}
|
|
|
|
install_packages() {
|
|
echo "Starting packages installation"
|
|
sed -i -e "s/$deb_apt_default_repo/$deb_apt_repo/g" /etc/apt/sources.list
|
|
apt update
|
|
apt upgrade -y
|
|
apt install -y vim tree tmux neofetch sane sane-utils hplip apache2
|
|
}
|
|
|
|
add_users() {
|
|
echo "Adding users"
|
|
useradd -U -G sudo,lpadmin -m -s /bin/bash $user
|
|
chmod 700 /home/$user
|
|
usermod -a -G lp saned
|
|
}
|
|
|
|
get_sync() { # TODO when new conf-sync will be available
|
|
echo "Getting and deploying sync configuration"
|
|
sudo -H -u $user mkdir $sync_directory_path
|
|
sudo -H -u $user git clone https://gitea.kto.black/adminconf/rcs-general.git $sync_directory_path/rcs-general
|
|
sudo -H -u $user $sync_directoyy_path/rcs-general/install.sh
|
|
sudo -H -u $user git clone https://gitea.kto.black/adminconf/conf-sync.git $sync_directory_path/conf-sync
|
|
sudo -H -u $user cp $sync_directory_path/conf-sync/variables.conf.template \
|
|
$sync_directory_path/conf-sync/variables.conf
|
|
sudo -H -u $user $sync_directoyy_path/conf-sync/install.sh
|
|
}
|
|
|
|
set_cups_conf() {
|
|
echo "Setting CUPS configuration"
|
|
mv $cups_conf_path/cupsd.conf $cups_conf_path/cupsd.conf.orig
|
|
cp $run_directory_path/cupsd.conf $cups_conf_path/cupsd.conf
|
|
}
|
|
|
|
set_sane_conf() {
|
|
systemctl enable saned.socket # FIXME that really needed?
|
|
}
|
|
|
|
ssh_pubkey() {
|
|
echo "Getting SSH public key"
|
|
sudo -H -u $user mkdir /home/$user/.ssh
|
|
sudo -H -u $user wget -P /home/$user/.ssh $remote_pubkey_location/$remote_pubkey
|
|
sudo -H -u $user mv /home/$user/.ssh/$remote_pubkey /home/$user/.ssh/authorized_keys
|
|
}
|
|
|
|
# based on https://github.com/sbs20/scanservjs/blob/master/docs/install.md
|
|
install_scanservjs() {
|
|
wget -O $run_directory_path/scanservjs.tar.gz $(curl -s \
|
|
https://api.github.com/repos/sbs20/scanservjs/releases/latest | grep browser_download_url | cut -d '"' -f 4)
|
|
mkdir $run_directory_path/scanservjs
|
|
tar -xf scanservjs.tar.gz -C $run_directory_path/scanservjs/
|
|
sudo $run_directory_path/scanservjs/installer.sh -i
|
|
rm $run_directory_path/scanservjs.tar.gz
|
|
rm -r $run_directory_path/scanservjs
|
|
}
|
|
|
|
tls_cert() {
|
|
echo "Generating TLS certificate"
|
|
openssl req -newkey rsa:4096 -x509 -sha256 -days 999 -nodes -out $tls_directory/$cert -keyout $tls_directory/$cert_key -subj "/C=/ST=/L=/O=/OU=/CN="
|
|
chmod o+r $tls_directory/$cert_key
|
|
}
|
|
|
|
set_apache() {
|
|
echo "Setting up Apache HTTP Server"
|
|
cp $run_directory_path/apache-sites/scanservjs.conf $apache_sites_directory_path/
|
|
a2dissite *
|
|
a2ensite scanservjs
|
|
a2enmod ssl proxy proxy_http proxy_http2
|
|
}
|
|
|
|
# TODO add a firewall rule to prevent access to http:8080 from other than local
|
|
|
|
# Only run if the user is root
|
|
if [[ $USER != 'root' ]] ; then
|
|
echo "You must run this script as root!"
|
|
exit 1
|
|
fi
|
|
|
|
run_directory_path=$(pwd)
|
|
|
|
# Set parameters
|
|
default_hostname='pine64'
|
|
hostname='pn1'
|
|
fqdn='pn1.hr.kto.black'
|
|
keymap='fr'
|
|
timezone='Europe/Paris'
|
|
deb_apt_default_repo='deb.debian.org'
|
|
deb_apt_repo='ftp.fr.debian.org'
|
|
user='alex'
|
|
sync_directory_path="/home/$user/.sync"
|
|
systemd_units_path='/etc/systemd/system'
|
|
cups_conf_path='/etc/cups'
|
|
remote_pubkey_location='https://keys.kto.black'
|
|
remote_pubkey='home.pub'
|
|
scanservjs_dest='/srv/scanservjs'
|
|
tls_directory='/etc/ssl/'
|
|
cert='cert.crt'
|
|
cert_key='cert.key'
|
|
apache_sites_directory_path='/etc/apache2/sites-available'
|
|
|
|
# Main process
|
|
# You should comment below what you do not want to happen
|
|
init
|
|
install_packages
|
|
add_users
|
|
get_conf
|
|
set_cups_conf
|
|
set_sane_conf
|
|
ssh_pubkey
|
|
install_scanservjs
|
|
tls_cert
|
|
set_apache
|
|
|
|
echo ""
|
|
echo "We're all good here!"
|
|
echo "You should now:"
|
|
echo "* set $user's password"
|
|
echo "* lock root account"
|
|
echo "* reboot the SBC"
|
|
echo "And perhaps:"
|
|
echo "* connect to http://$hostname:631/ and add a printer"
|
|
echo "* set htop at your convenience"
|
|
echo "* remove password for sudo" # TODO we should automate that, with a flag
|
|
echo "* use below commands to edit SSH config:"
|
|
echo " sed -i 's/PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config"
|
|
echo " sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config"
|
|
echo "* MIND THAT CONF-SYNC IS NOT SET"
|
|
exit 0
|