95 lines
4.1 KiB
Bash
95 lines
4.1 KiB
Bash
#!/bin/bash
|
|
# ansipa-smb-setup.sh — configure the Samba scan-results share on the IPA container.
|
|
#
|
|
# Runs on every container start via ansipa-smb.service so that smb.conf and
|
|
# the Samba user are always in place after container restarts (ephemeral rootfs).
|
|
#
|
|
# Password source (first match wins):
|
|
# 1. SMB_SCAN_PASSWORD environment variable (first boot / explicit override)
|
|
# 2. /data/samba/ansipa-smb.env (persisted from first boot)
|
|
|
|
set -euo pipefail
|
|
|
|
LOG_TAG="ansipa-smb-setup"
|
|
SCAN_BASE="/data/scan-results"
|
|
SMB_CONF="/etc/samba/smb.conf"
|
|
SMB_USER="scanupload"
|
|
ENV_FILE="/data/samba/ansipa-smb.env"
|
|
|
|
log() { echo "[$LOG_TAG] $*"; }
|
|
die() { echo "[$LOG_TAG][ERROR] $*" >&2; exit 1; }
|
|
|
|
# ── Resolve password ──────────────────────────────────────────────────────────
|
|
SMB_PASS="${SMB_SCAN_PASSWORD:-}"
|
|
|
|
if [[ -z "$SMB_PASS" ]] && [[ -f "$ENV_FILE" ]]; then
|
|
# shellcheck source=/dev/null
|
|
source "$ENV_FILE"
|
|
SMB_PASS="${SMB_SCAN_PASSWORD:-}"
|
|
fi
|
|
|
|
[[ -z "$SMB_PASS" ]] && die "SMB_SCAN_PASSWORD not set and $ENV_FILE not present. Set it in .env."
|
|
|
|
# ── Persist for subsequent restarts ──────────────────────────────────────────
|
|
# %q shell-quotes the value so passwords with spaces or special chars are safe.
|
|
mkdir -p "$(dirname "$ENV_FILE")"
|
|
printf 'SMB_SCAN_PASSWORD=%q\n' "$SMB_PASS" > "$ENV_FILE"
|
|
chmod 600 "$ENV_FILE"
|
|
|
|
# ── Directory structure (idempotent) ──────────────────────────────────────────
|
|
mkdir -p "$SCAN_BASE/archive" "$SCAN_BASE/alerts"
|
|
|
|
# ── System user ───────────────────────────────────────────────────────────────
|
|
if ! id "$SMB_USER" &>/dev/null; then
|
|
useradd -r -s /sbin/nologin -d "$SCAN_BASE" -M "$SMB_USER"
|
|
log "Created system user: $SMB_USER"
|
|
fi
|
|
chown -R "$SMB_USER:$SMB_USER" "$SCAN_BASE"
|
|
|
|
# ── smb.conf ──────────────────────────────────────────────────────────────────
|
|
log "Writing $SMB_CONF"
|
|
cat > "$SMB_CONF" <<CONF
|
|
[global]
|
|
workgroup = WORKGROUP
|
|
server string = Ansipa Security Server
|
|
security = user
|
|
map to guest = never
|
|
# Store passdb on the persistent volume so passwords survive container restarts.
|
|
passdb backend = tdbsam:/data/samba/passdb.tdb
|
|
log file = /var/log/samba/log.%m
|
|
max log size = 50
|
|
# Disable printing subsystem entirely.
|
|
load printers = no
|
|
printing = bsd
|
|
printcap name = /dev/null
|
|
disable spoolss = yes
|
|
|
|
[ansipa-scans]
|
|
comment = Ansipa scan results — managed by ansipa-enforce-policies
|
|
path = $SCAN_BASE
|
|
valid users = $SMB_USER
|
|
read only = no
|
|
browseable = no
|
|
create mask = 0644
|
|
directory mask = 0755
|
|
force user = $SMB_USER
|
|
CONF
|
|
|
|
# ── Samba password (idempotent — smbpasswd -a adds or updates) ────────────────
|
|
log "Setting Samba password for $SMB_USER"
|
|
printf '%s\n%s\n' "$SMB_PASS" "$SMB_PASS" | smbpasswd -a -s "$SMB_USER" 2>/dev/null || \
|
|
printf '%s\n%s\n' "$SMB_PASS" "$SMB_PASS" | smbpasswd -s "$SMB_USER" 2>/dev/null || \
|
|
log "WARN: smbpasswd returned non-zero (user may already exist with correct password)"
|
|
|
|
# ── Server-side scan checker cron (hourly, analysed on the IPA server itself) ─
|
|
# Always (re-)write: /etc/cron.d is on the ephemeral container layer and is
|
|
# lost on container recreation, so we must restore it on every start.
|
|
cat > /etc/cron.d/ansipa-check-scans <<'CRON'
|
|
# ansipa: analyze client scan logs and write alerts — managed, do not edit.
|
|
0 * * * * root /usr/local/sbin/ansipa-check-scans.sh 2>&1 | logger -t ansipa-check-scans
|
|
CRON
|
|
chmod 644 /etc/cron.d/ansipa-check-scans
|
|
log "Installed hourly scan-checker cron"
|
|
|
|
log "Samba setup complete. Share: //localhost/ansipa-scans user: $SMB_USER"
|