-
Notifications
You must be signed in to change notification settings - Fork 0
/
user_data.tpl
executable file
·183 lines (145 loc) · 4.65 KB
/
user_data.tpl
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
#!/bin/bash
set -ue
# Functions
mount_home_drive() {
echo '/dev/disk/by-id/scsi-0DO_Volume_${GITHUB_USER}-code-server-home /home ext4 defaults,nofail,discard 0 0' \
| sudo tee -a /etc/fstab
mount /home
}
add_user() {
useradd -m -G sudo -s /bin/bash ${USERNAME}
echo -e "${USERPASS}\n${USERPASS}" | passwd ${USERNAME}
echo ${USERPASS} > /home/${USERNAME}/sudo.txt
mkdir /home/${USERNAME}/.ssh && \
curl https://github.com/${GITHUB_USER}.keys >> /home/${USERNAME}/.ssh/authorized_keys
chown -R ${USERNAME}:${USERNAME} /home/${USERNAME}/
}
update_system() {
echo "deb [trusted=yes] https://apt.fury.io/caddy/ /" \
| sudo tee -a /etc/apt/sources.list.d/caddy-fury.list
apt update
apt install -y jq systemd-container caddy
apt -y autoclean
apt -y autoremove
}
install_code_server() {
CODE_SERVER_RELEASE=$(curl -s https://api.github.com/repos/cdr/code-server/releases/latest \
| jq -r ".assets[] | select(.name | test(\"amd64.deb\")) | .browser_download_url")
DEB=$(echo "$CODE_SERVER_RELEASE" | awk -F'/' '{print $9}')
wget "$CODE_SERVER_RELEASE"
yes | dpkg -i "$DEB"
rm "$DEB"
}
code_server_config() {
mkdir -p /home/${USERNAME}/.config/code-server && \
chown -R ${USERNAME}:${USERNAME} /home/${USERNAME}/.config
cat <<EOF > "/home/${USERNAME}/.config/code-server/config.yaml"
bind-addr: 127.0.0.1:8080
auth: none
password:
cert: false
EOF
}
enable_code_server() {
loginctl enable-linger ${USERNAME}
machinectl shell --uid=${USERNAME} .host /usr/bin/systemctl --user enable --now code-server.service
}
install_oauth2_proxy() {
OAUTH2_PROXY_RELEASE=$(curl -s https://api.github.com/repos/oauth2-proxy/oauth2-proxy/releases/latest \
| jq -r ".assets[] | select(.name | test(\"linux-amd64.go\")) | .browser_download_url")
TARBALL=$(echo "$OAUTH2_PROXY_RELEASE" | awk -F'/' '{print $9}')
wget "$OAUTH2_PROXY_RELEASE"
tar -xzf "$TARBALL" -C /usr/local/bin --strip-components=1
rm "$TARBALL"
}
oauth2_proxy_config() {
mkdir /etc/oauth2_proxy
if [ -z ${EMAIL} ]; then
EMAIL_CONFIG='email_domains = ["*"]'
else
EMAIL_CONFIG='authenticated_emails_file = "/etc/oauth2_proxy/email_list.cfg"'
echo ${EMAIL} > /etc/oauth2_proxy/email_list.cfg
fi
cat <<EOF > "/etc/oauth2_proxy/oauth2_proxy.cfg"
## OAuth provider
provider = "${OAUTH2_PROVIDER}"
## <addr>:<port> to listen on for HTTP/HTTPS clients
http_address = "127.0.0.1:4180"
https_address = ":443"
## Are we running behind a reverse proxy? Will not accept headers like X-Real-Ip unless this is set.
reverse_proxy = true
## the http url(s) of the upstream endpoint. If multiple, routing is based on path
upstreams = [
"http://127.0.0.1:8080/"
]
## Logging configuration
logging_filename = "/var/log/oauth2_proxy.log"
logging_max_size = 100
logging_max_age = 7
logging_local_time = true
logging_compress = false
standard_logging = true
standard_logging_format = "[{{.Timestamp}}] [{{.File}}] {{.Message}}"
request_logging = true
request_logging_format = "{{.Client}} - {{.Username}} [{{.Timestamp}}] {{.Host}} {{.RequestMethod}} {{.Upstream}} {{.RequestURI}} {{.Protocol}} {{.UserAgent}} {{.StatusCode}} {{.ResponseSize}} {{.RequestDuration}}"
auth_logging = true
auth_logging_format = "{{.Client}} - {{.Username}} [{{.Timestamp}}] [{{.Status}}] {{.Message}}"
## pass HTTP Basic Auth, X-Forwarded-User and X-Forwarded-Email information to upstream
pass_basic_auth = true
pass_user_headers = true
## pass the request Host Header to upstream
pass_host_header = true
## Authenticated Email Addresses
$EMAIL_CONFIG
## The OAuth Client ID, Secret
client_id = "${OAUTH2_CLIENT_ID}"
client_secret = "${OAUTH2_CLIENT_SECRET}"
## Cookie Settings
cookie_name = "_oauth2_proxy"
cookie_secret = "${COOKIE}"
cookie_expire = "168h"
cookie_refresh = "1h"
cookie_secure = true
cookie_httponly = true
## Skip Provider Screen
skip_provider_button = true
EOF
}
enable_oauth2_proxy() {
cat <<EOF > "/etc/systemd/system/oauth2_proxy.service"
[Unit]
Description=Oauth2 Proxy
After=network.target
[Service]
ExecStart=oauth2-proxy --config=/etc/oauth2_proxy/oauth2_proxy.cfg
Restart=on-failure
RestartSec=5
User=root
[Install]
WantedBy=multi-user.target
EOF
chmod 0755 /etc/systemd/system/oauth2_proxy.service
systemctl enable --now oauth2_proxy.service
}
caddy_config() {
cat <<EOF > "/etc/caddy/Caddyfile"
${DOMAIN}
reverse_proxy 127.0.0.1:4180
EOF
systemctl restart caddy.service
}
main () {
mount_home_drive
add_user
update_system
install_code_server
code_server_config
enable_code_server
install_oauth2_proxy
oauth2_proxy_config
enable_oauth2_proxy
caddy_config
}
# Exectution
main
exit 0