File: install.sh

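#!/bin/sh
#
# Installs the CrowdSec firewall bouncer from the current directory:
# copies ./crowdsec-firewall-bouncer into place, renders the config and
# systemd unit from ./config, registers the bouncer with the local LAPI
# through cscli when it is available, and enables the service.
# Writes under /usr/local, /etc and /etc/systemd, so it must run as root.

# Refuse to continue as an unprivileged user.  The message goes to stderr
# so it is not mixed into anything a caller may capture from stdout.
#shellcheck disable=SC2312
if [ "$(id -u)" -ne 0 ]; then
    echo "Please run $0 as root or with sudo" >&2
    exit 1
fi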

# Install locations.  BIN_PATH is the only relative path: it is resolved
# against the directory the script is run from (presumably the unpacked
# release directory, alongside ./config).
BIN_PATH="./crowdsec-firewall-bouncer"
BIN_PATH_INSTALLED="/usr/local/bin/crowdsec-firewall-bouncer"
# Trailing slash is intentional: file names are appended directly below.
CONFIG_DIR="/etc/crowdsec/bouncers/"
SYSTEMD_PATH_FILE="/etc/systemd/system/crowdsec-firewall-bouncer.service"

# Runtime defaults, each overwritten later by the function named.
PKG="apt"                # check_pkg_manager
FW_BACKEND="nftables"    # check_firewall
API_KEY=""               # gen_apikey


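check_pkg_manager(){
    # Pick the package manager used to install nftables/ipset on demand.
    # Sets: PKG -- "yum" on RHEL-family and Amazon Linux 2, "apt" on
    # Debian-family.
    # Exits non-zero on anything else.  The old bare "exit" returned 0, so a
    # caller could take an unsupported distribution for a successful install.
    if [ -f /etc/redhat-release ]; then
        PKG="yum"
    # Only read /etc/system-release when it exists: redirecting from a missing
    # file printed a spurious "No such file" error on every host without it.
    elif [ -f /etc/system-release ] && grep -q "Amazon Linux release 2 (Karoo)" /etc/system-release; then
        PKG="yum"
    elif [ -f /etc/debian_version ]; then
        PKG="apt"
    else
        echo "Distribution is not supported, exiting." >&2
        exit 1
    fi
}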


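check_firewall() {
    # Decide which firewall backend the bouncer will drive and make sure its
    # tooling is installed.
    # Sets: FW_BACKEND ("nftables" or "iptables").  Reads: PKG.
    # Prompts on stdin when a choice or an install is needed; an empty answer
    # (including EOF on a non-interactive run) takes the default.
    # Exits non-zero if no firewall is available and the user declines, or if
    # installing nftables fails.
    FW_BACKEND=""

    have_iptables="false"
    if command -v iptables >/dev/null; then
        have_iptables="true"
        FW_BACKEND="iptables"
        echo "iptables found"
    else
        echo "iptables is not present"
    fi

    # nftables is checked second so that it wins as the default when both
    # tools are present.
    have_nftables="false"
    if command -v nft >/dev/null; then
        have_nftables="true"
        FW_BACKEND="nftables"
        echo "nftables found"
    else
        echo "nftables is not present"
    fi

    if [ "$have_nftables" = "false" ] && [ "$have_iptables" = "false" ]; then
        echo "No firewall found, do you want to install nftables (Y/n) ?"
        read -r answer
        if [ "$answer" = "" ]; then
            answer="y"
        fi
        if [ "$answer" != "${answer#[Yy]}" ]; then
            # Stop on a failed install rather than going on to write a config
            # for a backend that is not there.
            if ! "$PKG" install -y -qq nftables >/dev/null; then
                echo "Failed to install nftables, exiting." >&2
                exit 1
            fi
            echo "nftables successfully installed"
            # The backend we just installed must also be selected; without
            # this the generated config ended up with an empty backend.
            FW_BACKEND="nftables"
        else
            echo "unable to continue without nftables. Please install nftables or iptables to use this bouncer."
            exit 1
        fi
    fi

    if [ "$have_nftables" = "true" ] && [ "$have_iptables" = "true" ]; then
        echo "Found nftables(default) and iptables, which firewall do you want to use (nftables/iptables)?"
        read -r answer
        if [ "$answer" = "iptables" ]; then
            FW_BACKEND="iptables"
        fi
    fi

    # iptables mode additionally needs ipset.
    if [ "$FW_BACKEND" = "iptables" ]; then
        check_ipset
    fi
}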


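gen_apikey() {
    # Register this bouncer with the local CrowdSec LAPI and obtain its API key.
    # Sets: API_KEY (the key, or empty) and READY -- "yes" only when a
    # non-empty key was obtained, "no" otherwise, so the caller does not
    # start the service with an unusable config.
    if ! command -v cscli >/dev/null; then
        echo "cscli not found, you will need to generate api key."
        READY="no"
        return
    fi
    echo "cscli found, generating bouncer api key."
    # Random suffix, presumably so repeated installs do not collide on the
    # bouncer name.
    SUFFIX=$(tr -dc A-Za-z0-9 </dev/urandom | head -c 8)
    # cscli can fail (LAPI unreachable, name already taken, ...).  The old
    # code ignored that and marked the bouncer ready with an empty key.
    if API_KEY=$(cscli bouncers add "cs-firewall-bouncer-${SUFFIX}" -o raw) && [ -n "$API_KEY" ]; then
        READY="yes"
    else
        echo "cscli could not generate an api key, you will need to generate one manually." >&2
        API_KEY=""
        READY="no"
    fi
}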


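gen_config_file() {
    # Render ./config/crowdsec-firewall-bouncer.yaml into CONFIG_DIR with the
    # API key and backend filled in.  Reads: API_KEY, FW_BACKEND, CONFIG_DIR.
    # The rendered file carries the LAPI key, so it is written under umask 077
    # inside a subshell (the umask change does not leak out of the function).
    (
        umask 077
        # Substitute only $API_KEY and $BACKEND; an unrestricted envsubst would
        # also blank any other "$NAME" that happens to appear in the template.
        API_KEY="${API_KEY}" BACKEND="${FW_BACKEND}" \
            envsubst '$API_KEY $BACKEND' \
            <./config/crowdsec-firewall-bouncer.yaml \
            >"${CONFIG_DIR}crowdsec-firewall-bouncer.yaml"
    )
}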


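check_ipset() {
    # iptables mode needs ipset; offer to install it when it is missing.
    # Reads: PKG.  Prompts on stdin; an empty answer (or EOF) means yes.
    # Exits non-zero if the user declines or the install fails.
    if command -v ipset >/dev/null; then
        return
    fi
    echo "ipset not found, do you want to install it (Y/n)? "
    read -r answer
    if [ "$answer" = "" ]; then
        answer="y"
    fi
    # Anything not starting with Y/y is a refusal.
    if [ "$answer" = "${answer#[Yy]}" ]; then
        echo "unable to continue without ipset. Exiting"
        exit 1
    fi
    # A failed install used to be ignored, and the script went on to enable
    # a service that could not run.
    if ! "$PKG" install -y -qq ipset >/dev/null; then
        echo "Failed to install ipset, exiting." >&2
        exit 1
    fi
    echo "ipset successfully installed"
}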


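install_firewall_bouncer() {
    # Copy the binary into place, seed the bouncer config and render the
    # systemd unit.  Reads: BIN_PATH, BIN_PATH_INSTALLED, CONFIG_DIR,
    # SYSTEMD_PATH_FILE.
    # Exits non-zero on the first failed step: the old code ignored errors
    # (a missing binary, an unwritable target) and still went on to enable a
    # service that could not start.
    install -v -m 0755 -D "$BIN_PATH" "$BIN_PATH_INSTALLED" || exit 1
    mkdir -p "$CONFIG_DIR" || exit 1
    # 0600 from the start: gen_config_file later writes the LAPI key into it.
    install -m 0600 "./config/crowdsec-firewall-bouncer.yaml" "${CONFIG_DIR}crowdsec-firewall-bouncer.yaml" || exit 1
    # Substitute only $CFG and $BIN.  An unrestricted envsubst would also
    # blank any other "$NAME" the unit template may contain (systemd's own
    # $MAINPID in an ExecReload line, for instance).
    CFG=${CONFIG_DIR} BIN=${BIN_PATH_INSTALLED} envsubst '$CFG $BIN' <./config/crowdsec-firewall-bouncer.service >"$SYSTEMD_PATH_FILE" || exit 1
    systemctl daemon-reload
}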


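check_pkg_manager
check_firewall
echo "Installing firewall-bouncer"
install_firewall_bouncer
gen_apikey
gen_config_file

# Point the bouncer at the LAPI port cscli reports (ListenURI is presumably
# "host:port").  Only an all-digit port is accepted, so nothing unexpected
# (an IPv6 literal, a scheme prefix, an empty value) is spliced into the
# sed expression or into the config.
if command -v cscli >/dev/null; then
    PORT=$(cscli config show --key "Config.API.Server.ListenURI" | cut -d ":" -f2)
    case "$PORT" in
        ""|*[!0-9]*)
            echo "Could not determine the LAPI port from cscli; leaving the default api_url in ${CONFIG_DIR}crowdsec-firewall-bouncer.yaml" >&2
            ;;
        *)
            sed -i "s/localhost:8080/127.0.0.1:${PORT}/g" "${CONFIG_DIR}crowdsec-firewall-bouncer.yaml"
            sed -i "s/127.0.0.1:8080/127.0.0.1:${PORT}/g" "${CONFIG_DIR}crowdsec-firewall-bouncer.yaml"
            ;;
    esac
fi

systemctl enable crowdsec-firewall-bouncer.service
# Only start when gen_apikey actually obtained a key; otherwise the service
# would come up with an unusable config.
if [ "$READY" = "yes" ]; then
    systemctl start crowdsec-firewall-bouncer.service
else
    echo "service not started. You need to get an API key and configure it in ${CONFIG_DIR}crowdsec-firewall-bouncer.yaml"
fi

echo "The firewall-bouncer service has been installed!"
exit 0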