#!/bin/bash
#
# Router Enrollment Script Configuration
#
# Edit the values in this file to customise the enrollment process. It is
# presumably sourced by the enrollment script (it defines variables, hooks
# and exports, and never sets -e itself), so keep it free of side effects
# beyond assignments and the optional override loading near the bottom.

# =============================================================================
# API Configuration
# =============================================================================

# ZitiNexus Portal API endpoint -- replace with the real portal URL.
# Keep this on https: whatever the enrollment script posts to this endpoint
# would otherwise travel in the clear.
DEFAULT_API_ENDPOINT='https://your-zitinexus-portal.com/api'

# API timeouts, in seconds (presumably handed to curl as --connect-timeout
# and --max-time; curl is in REQUIRED_COMMANDS below).
API_CONNECT_TIMEOUT=30   # time allowed to establish the connection
API_MAX_TIME=60          # time allowed for the whole request

# Retry configuration: failed API calls are retried up to MAX_API_RETRIES
# times; RETRY_DELAY_BASE is the base of the exponential backoff, in seconds.
MAX_API_RETRIES=3
RETRY_DELAY_BASE=2
# =============================================================================
# Directory and File Paths
# =============================================================================

# Root of the router's configuration tree; the paths below derive from it.
# NOTE: the derived paths are expanded right here, so overriding CONFIG_DIR
# in an override file later does not move them unless the override file sets
# them as well.
CONFIG_DIR='/etc/zitirouter'

# Certificates get their own subdirectory so they can carry a tighter mode
# than the rest of the tree (see CERTS_DIR_PERMS).
CERTS_DIR="${CONFIG_DIR}/certs"

# Router configuration file
ROUTER_CONFIG="${CONFIG_DIR}/router.yaml"

# Enrollment JWT. This is a bearer credential; JWT_FILE_PERMS governs who
# can read it.
JWT_FILE="${CONFIG_DIR}/enrollment.jwt"

# Log file location
LOG_FILE='/var/log/ziti-router-enrollment.log'

# Systemd service unit file
SYSTEMD_SERVICE_FILE='/etc/systemd/system/ziti-router.service'
# =============================================================================
# OpenZiti Configuration
# =============================================================================

# Where the OpenZiti CLI installer is fetched from. Whatever this URL serves
# is presumably executed with root privileges by the enrollment script, so
# keep it on https and on the official host.
ZITI_INSTALL_URL='https://get.openziti.io/install.bash'

# Expected location of the ziti CLI binary once installed
ZITI_CLI_PATH='/usr/local/bin/ziti'
# =============================================================================
# Service Configuration
# =============================================================================

SERVICE_NAME='ziti-router'
SERVICE_USER='root'       # must be root for router operations
SERVICE_RESTART_DELAY=5   # restart delay, in seconds
# =============================================================================
# Security Settings
# =============================================================================

# Octal modes (three digits, validated by validate_config) for the paths
# above. The certificate directory and the enrollment JWT are owner-only;
# the config directory and router.yaml are world-readable.
CONFIG_DIR_PERMS=755    # CONFIG_DIR
CERTS_DIR_PERMS=700     # CERTS_DIR
CONFIG_FILE_PERMS=644   # ROUTER_CONFIG
JWT_FILE_PERMS=600      # JWT_FILE
# =============================================================================
# Validation Settings
# =============================================================================

# Hash key validation pattern: exactly 32 hexadecimal characters, any case.
HASH_KEY_PATTERN='^[a-fA-F0-9]{32}$'

# Commands that must be available before enrollment starts
REQUIRED_COMMANDS=(curl jq systemctl)

# Directories the enrollment needs write access to
REQUIRED_WRITE_DIRS=(/etc /var/log /etc/systemd/system)
# =============================================================================
# Network Configuration
# =============================================================================

# URLs used to confirm outbound connectivity
CONNECTIVITY_TEST_URLS=(
  'https://get.openziti.io'
  'https://github.com'
)

# DNS resolvers to test (optional)
DNS_TEST_SERVERS=(
  '8.8.8.8'
  '1.1.1.1'
)
# =============================================================================
# Logging Configuration
# =============================================================================

LOG_LEVEL='INFO'      # one of DEBUG, INFO, WARNING, ERROR
MAX_LOG_SIZE=10       # maximum log file size, in MB
LOG_ROTATE_COUNT=5    # number of rotated log files to keep
# =============================================================================
# Advanced Settings
# =============================================================================
# These are the literal strings "true" / "false"; presumably the enrollment
# script compares them as such.

DEBUG_MODE=false                   # verbose output
DRY_RUN=false                      # simulate without making changes
SKIP_REQUIREMENTS_CHECK=false      # skip the system requirements check (not recommended)
SKIP_ZITI_INSTALL_IF_PRESENT=true  # do not reinstall the OpenZiti CLI if already present
AUTO_CLEANUP_ON_FAILURE=true       # clean up automatically when enrollment fails
#######################################
# Custom pre-enrollment hook.
# Called before the enrollment process starts (the caller lives outside this
# file). Replace the body with site-specific logic such as extra requirement
# checks or notifications.
# Returns:   0 (no-op by default)
#######################################
pre_enrollment_hook() {
  # Intentionally empty: nothing to do by default.
  :
}
#######################################
# Custom post-enrollment hook.
# Called after a successful enrollment (the caller lives outside this file).
# Replace the body with site-specific logic such as firewall configuration
# or notifications.
# Returns:   0 (no-op by default)
#######################################
post_enrollment_hook() {
  # Intentionally empty: nothing to do by default.
  :
}
#######################################
# Custom error handler.
# Called when an error occurs (the caller lives outside this file). Replace
# the body with site-specific logic such as alerting or resource cleanup.
# Arguments: $1 - error message
#            $2 - exit code associated with the error
# Returns:   0 (no-op by default)
#######################################
error_handler() {
  # shellcheck disable=SC2034  # template parameters, unused until customised
  local -r error_message="$1"
  # shellcheck disable=SC2034
  local -r exit_code="$2"

  # Intentionally empty: nothing to do by default.
  return 0
}
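# =============================================================================
# Environment-Specific Overrides
# =============================================================================

#######################################
# Source an optional override file, but only when it can be trusted.
# The override is executed as shell code in this process -- which, given
# SERVICE_USER=root and the /etc paths above, is normally a root shell -- so
# a file another account could write would be an arbitrary-code path. A file
# is loaded only if it is a regular file, owned by the current effective
# user, and not writable by group or others.
# Arguments: $1 - path of the override file
# Outputs:   a WARNING line on stderr when an existing file is skipped
# Returns:   0 if the file was loaded or does not exist, 1 if it was skipped
#######################################
_load_override_config() {
  local -r file="$1"
  local mode

  [[ -f "$file" ]] || return 0

  if [[ ! -O "$file" ]]; then
    printf 'WARNING: ignoring %s: not owned by the current user\n' "$file" >&2
    return 1
  fi

  # -L follows symlinks so a link's own 777 mode is not what gets checked.
  # GNU stat first, BSD/macOS stat as fallback; refuse if neither works.
  if ! mode=$(stat -L -c '%a' -- "$file" 2>/dev/null) \
    && ! mode=$(stat -L -f '%Lp' -- "$file" 2>/dev/null); then
    printf 'WARNING: ignoring %s: cannot determine its mode\n' "$file" >&2
    return 1
  fi

  if (( (8#$mode & 8#022) != 0 )); then
    printf 'WARNING: ignoring %s: writable by group or others (mode %s)\n' \
      "$file" "$mode" >&2
    return 1
  fi

  # shellcheck disable=SC1090  # path is only known at runtime
  source "$file"
}

# Load environment-specific configuration if it exists
_load_override_config "${CONFIG_DIR}/local.conf"

# Load user-specific configuration if it exists. HOME may be inherited from
# the invoking user (e.g. under sudo), which is why the ownership check in
# _load_override_config matters here.
_load_override_config "${HOME}/.ziti-router-enrollment.conf"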
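# =============================================================================
# Validation
# =============================================================================

#######################################
# Sanity-check the configuration values (after any overrides were loaded).
# Every failed check is reported on stderr and counted; the count is the
# return status, so 0 means the configuration is usable. Advisory conditions
# are reported as WARNING lines and do not affect the return status.
# Globals:   reads DEFAULT_API_ENDPOINT, API_CONNECT_TIMEOUT, API_MAX_TIME,
#            MAX_API_RETRIES, RETRY_DELAY_BASE, SERVICE_RESTART_DELAY,
#            CONFIG_DIR, LOG_FILE, CONFIG_DIR_PERMS, CERTS_DIR_PERMS,
#            CONFIG_FILE_PERMS, JWT_FILE_PERMS
# Outputs:   "ERROR: ..." / "WARNING: ..." lines on stderr
# Returns:   number of failed checks (0 = valid)
#######################################
validate_config() {
  local errors=0
  local var

  # errors is bumped with $((...)) rather than ((errors++)): the latter
  # returns 1 while errors is 0 and would trip a caller running under set -e.

  # API endpoint must be an http(s) URL. Plain http is accepted for
  # compatibility but flagged, since it leaves the enrollment traffic unencrypted.
  if [[ ! "${DEFAULT_API_ENDPOINT-}" =~ ^https?:// ]]; then
    printf 'ERROR: DEFAULT_API_ENDPOINT must start with http:// or https://\n' >&2
    errors=$((errors + 1))
  elif [[ "$DEFAULT_API_ENDPOINT" == http://* ]]; then
    printf 'WARNING: DEFAULT_API_ENDPOINT uses plain http; enrollment traffic will not be encrypted\n' >&2
  fi

  # Timeouts must be positive integers. ${!var} is indirect expansion, so one
  # loop covers every knob with the same rule; 10# forces decimal so values
  # such as "08" are not parsed as octal.
  for var in API_CONNECT_TIMEOUT API_MAX_TIME; do
    if [[ ! "${!var-}" =~ ^[0-9]+$ ]] || (( 10#${!var} < 1 )); then
      printf 'ERROR: %s must be a positive integer\n' "$var" >&2
      errors=$((errors + 1))
    fi
  done

  # Retry count and delays may legitimately be zero, but must be integers.
  for var in MAX_API_RETRIES RETRY_DELAY_BASE SERVICE_RESTART_DELAY; do
    if [[ ! "${!var-}" =~ ^[0-9]+$ ]]; then
      printf 'ERROR: %s must be a non-negative integer\n' "$var" >&2
      errors=$((errors + 1))
    fi
  done

  # Paths must be absolute.
  for var in CONFIG_DIR LOG_FILE; do
    if [[ "${!var-}" != /* ]]; then
      printf 'ERROR: %s must be an absolute path\n' "$var" >&2
      errors=$((errors + 1))
    fi
  done

  # Every mode variable, not just CONFIG_DIR_PERMS, must be three octal digits.
  for var in CONFIG_DIR_PERMS CERTS_DIR_PERMS CONFIG_FILE_PERMS JWT_FILE_PERMS; do
    if [[ ! "${!var-}" =~ ^[0-7]{3}$ ]]; then
      printf 'ERROR: %s must be a valid octal permission (e.g., 755)\n' "$var" >&2
      errors=$((errors + 1))
    fi
  done

  # The JWT is a credential: flag (without failing) a mode that lets group or
  # others access it.
  if [[ "${JWT_FILE_PERMS-}" =~ ^[0-7]{3}$ ]] && (( (8#$JWT_FILE_PERMS & 8#077) != 0 )); then
    printf 'WARNING: JWT_FILE_PERMS=%s grants group/other access to the enrollment token\n' \
      "$JWT_FILE_PERMS" >&2
  fi

  return "$errors"
}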
# Export all configuration variables
|
|
export DEFAULT_API_ENDPOINT
|
|
export API_CONNECT_TIMEOUT
|
|
export API_MAX_TIME
|
|
export MAX_API_RETRIES
|
|
export RETRY_DELAY_BASE
|
|
export CONFIG_DIR
|
|
export CERTS_DIR
|
|
export ROUTER_CONFIG
|
|
export JWT_FILE
|
|
export LOG_FILE
|
|
export SYSTEMD_SERVICE_FILE
|
|
export ZITI_INSTALL_URL
|
|
export ZITI_CLI_PATH
|
|
export SERVICE_NAME
|
|
export SERVICE_USER
|
|
export SERVICE_RESTART_DELAY
|
|
export CONFIG_DIR_PERMS
|
|
export CERTS_DIR_PERMS
|
|
export CONFIG_FILE_PERMS
|
|
export JWT_FILE_PERMS
|
|
export HASH_KEY_PATTERN
|
|
export LOG_LEVEL
|
|
export MAX_LOG_SIZE
|
|
export LOG_ROTATE_COUNT
|
|
export DEBUG_MODE
|
|
export DRY_RUN
|
|
export SKIP_REQUIREMENTS_CHECK
|
|
export SKIP_ZITI_INSTALL_IF_PRESENT
|
|
export AUTO_CLEANUP_ON_FAILURE
|