-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathinit.sh
executable file
·164 lines (135 loc) · 6.03 KB
/
init.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
#!/bin/bash
# shellcheck disable=SC2154
set -exuo pipefail
# Determine the region
AWS_DEFAULT_REGION="$(/opt/aws/bin/ec2-metadata -z | sed 's/placement: \(.*\).$/\1/')"
export AWS_DEFAULT_REGION
function retry {
local retries=$1
shift
local count=0
until "$@"; do
exit=$?
wait=$((2 ** count))
count=$((count + 1))
if [ "$count" -lt "$retries" ]; then
echo "Retry $count/$retries exited $exit, retrying in $wait seconds..."
sleep $wait
else
echo "Retry $count/$retries exited $exit, no more retries left."
return $exit
fi
done
return 0
}
# Allocate 1G disk space to be used as memory with a swap file to prevent errors like:
# Error downloading packages:
# gobject-introspection-1.56.1-1.amzn2.x86_64: [Errno 5] [Errno 12] Cannot allocate memory
dd if=/dev/zero of=/swapfile count=1024 bs=1MiB
chmod 600 /swapfile
mkswap /swapfile
swapon /swapfile
cat >> /etc/fstab << 'EOF'
/swapfile none swap sw 0 0
EOF
# Attach the ENI
instance_id="$(/opt/aws/bin/ec2-metadata -i | cut -d' ' -f2)"
retry 10 aws ec2 attach-network-interface \
--instance-id "$instance_id" \
--device-index 1 \
--network-interface-id "${eni_id}"
# Wait for network initialization
sleep 10
# Waiting for network connection
curl --retry 10 http://www.example.com
# Attach the EBS volume
retry 10 aws ec2 attach-volume \
--volume-id "${volume_id}" \
--instance-id "$instance_id" \
--device /dev/xvdf
# Wait for the EBS volume to be attached
sleep 10
# Mount the EBS volume
mkdir -p /home/ec2-user/bitwarden
chown ec2-user:ec2-user /home/ec2-user/bitwarden
retry 10 lsblk -f /dev/xvdf
if ! lsblk -f /dev/xvdf | grep -E "xvdf|nvme1n1" | grep -q ext4; then
echo "The EBS volume is not formatted. Formatting it..."
mkfs.ext4 /dev/xvdf
fi
mount /dev/xvdf /home/ec2-user/bitwarden
# Upgrade python
yum remove -y python3
amazon-linux-extras install -y python3.8
ln -s /usr/bin/python3.8 /usr/bin/python3
ln -s /usr/bin/pip3.8 /usr/bin/pip3
# Install docker
yum update -y
yum install -y docker
usermod -a -G docker ec2-user
systemctl start docker.service
# Create the directories where the configuration files will be stored
mkdir -p /home/ec2-user/conf/{compose,traefik,scripts}
# Install docker-compose
# renovate: datasource=github-releases depName=docker/compose versioning=semver
export ENV_DOCKER_COMPOSE_VERSION="v2.33.0"
curl -L "https://github.com/docker/compose/releases/download/$ENV_DOCKER_COMPOSE_VERSION/docker-compose-linux-x86_64" -o /usr/local/bin/docker-compose
chmod a+x /usr/local/bin/docker-compose
# Install mozilla sops
# renovate: datasource=github-releases depName=mozilla/sops versioning=semver
export ENV_SOPS_VERSION="v3.9.4"
curl -L "https://github.com/mozilla/sops/releases/download/$ENV_SOPS_VERSION/sops-$(echo $ENV_SOPS_VERSION | cut -c2-).x86_64.rpm" -o "/tmp/sops-$(echo $ENV_SOPS_VERSION | cut -c2-).x86_64.rpm"
rpm -i "/tmp/sops-$(echo $ENV_SOPS_VERSION | cut -c2-).x86_64.rpm"
rm -f "/tmp/sops-$(echo $ENV_SOPS_VERSION | cut -c2-).x86_64.rpm"
# Get the secrets
aws s3 cp "s3://${resources_bucket}/${bitwarden_env_key}" /home/ec2-user/conf/compose/env.enc
/usr/bin/sops -d /home/ec2-user/conf/compose/env.enc > /home/ec2-user/conf/compose/.env
rm -f /home/ec2-user/conf/compose/env.enc
# Configure docker-compose
yum install -y jq
mkdir -p /home/ec2-user/bitwarden/{bitwarden-data,mysql}
mkdir -p /home/ec2-user/bitwarden/traefik/{letsencrypt,log}
touch -f /home/ec2-user/bitwarden/traefik/log/access.log
touch -f /home/ec2-user/bitwarden/bitwarden-data/bitwarden.log
aws s3 cp "s3://${resources_bucket}/${bitwarden_compose_key}" /home/ec2-user/conf/compose/docker-compose.yml
aws s3 cp "s3://${resources_bucket}/${traefik-dynamic_key}" /home/ec2-user/conf/traefik/dynamic.yaml
# The backup script
aws s3 cp "s3://${resources_bucket}/${backup_script_key}" /home/ec2-user/conf/scripts/backup.sh
chmod a+x /home/ec2-user/conf/scripts/backup.sh
cat >> /etc/cron.d/bitwarden-backup << 'EOF'
${backup_schedule} root /home/ec2-user/conf/scripts/backup.sh > /dev/null 2>&1
EOF
# The restore script
aws s3 cp "s3://${resources_bucket}/${restore_script_key}" /home/ec2-user/conf/scripts/restore.sh
chmod a+x /home/ec2-user/conf/scripts/restore.sh
# Install fail2ban
amazon-linux-extras install epel -y
yum -y install fail2ban
systemctl restart fail2ban
aws s3 cp "s3://${resources_bucket}/${fail2ban_filter_key}" /etc/fail2ban/filter.d/bitwarden.local
aws s3 cp "s3://${resources_bucket}/${fail2ban_jail_key}" /etc/fail2ban/jail.d/bitwarden.local
aws s3 cp "s3://${resources_bucket}/${admin_fail2ban_filter_key}" /etc/fail2ban/filter.d/bitwarden-admin.local
aws s3 cp "s3://${resources_bucket}/${admin_fail2ban_jail_key}" /etc/fail2ban/jail.d/bitwarden-admin.local
systemctl reload fail2ban
# Logrotate
aws s3 cp "s3://${resources_bucket}/${bitwarden-logrotate_key}" /etc/logrotate.d/bitwarden
aws s3 cp "s3://${resources_bucket}/${traefik-logrotate_key}" /etc/logrotate.d/traefik
# Gracefully shutdown the app if the instance is scheduled for termination
aws s3 cp "s3://${resources_bucket}/${AWS_SpotTerminationNotifier_script_key}" /home/ec2-user/conf/scripts/AWS_SpotTerminationNotifier.sh
chmod a+x /home/ec2-user/conf/scripts/AWS_SpotTerminationNotifier.sh
screen -dm -S AWS_SpotTerminationNotifier /home/ec2-user/conf/scripts/AWS_SpotTerminationNotifier.sh
# Add AWS EC2 Spot Instance Pricing Script
aws s3 cp "s3://${resources_bucket}/${AWS_SpotInstancePricing_script_key}" /home/ec2-user/conf/scripts/AWS_SpotInstancePricing.py
chmod a+x /home/ec2-user/conf/scripts/AWS_SpotInstancePricing.py
pip3 install boto3 --no-color
# Pull all the docker images
docker-compose -f /home/ec2-user/conf/compose/docker-compose.yml pull -q
# Fix permissions
chown ec2-user:ec2-user -R /home/ec2-user/conf
chown ec2-user:ec2-user -R /home/ec2-user/bitwarden/{bitwarden-data,mysql,traefik}
# Start bitwarden
echo "Starting bitwarden in 2 minutes"
sleep 120 # wait 2 minutes for other resources to come up
docker-compose -f /home/ec2-user/conf/compose/docker-compose.yml --env-file /home/ec2-user/conf/compose/.env up -d
# Switch the default route to eth1
ip route del default dev eth0