Init Git

scripts/setup_tunnel.sh

@@ -0,0 +1,56 @@
+#!/bin/bash
+set -euo pipefail
+
+AWS_REGION="ap-southeast-7"
+SSM_PREFIX="/amrez/eop"
+
+need() {
+  aws ssm get-parameter --with-decryption --region "$AWS_REGION" --name "${SSM_PREFIX}/$1" \
+    --query "Parameter.Value" --output text
+}
+
+# autossh
+if ! command -v autossh >/dev/null 2>&1; then
+  dnf install -y autossh >/dev/null
+fi
+
+SSH_USER=$(need "tunnel/ssh_user")
+BASTION_HOST=$(need "tunnel/bastion_host")
+DB_HOST=$(need "tunnel/db_host")
+DB_PORT=$(need "tunnel/db_port")
+LOCAL_PORT=$(need "tunnel/local_port")
+
+install -d -m 700 -o root -g root /opt/eop-tunnel
+aws ssm get-parameter --with-decryption --region "$AWS_REGION" \
+  --name "${SSM_PREFIX}/tunnel/private_key" --query "Parameter.Value" --output text > /opt/eop-tunnel/id_rsa
+chmod 600 /opt/eop-tunnel/id_rsa
+
+cat >/etc/systemd/system/eop-db-tunnel.service <<EOF
+[Unit]
+Description=EOP DB SSH tunnel (LOCAL:${LOCAL_PORT} -> ${DB_HOST}:${DB_PORT} via ${BASTION_HOST})
+After=network-online.target
+Wants=network-online.target
+[Service]
+Type=simple
+User=root
+Restart=always
+RestartSec=5
+ExecStartPre=/usr/bin/bash -lc 'ss -lnt | grep -q ":${LOCAL_PORT} " && killall -q -w ssh || true'
+ExecStart=/usr/bin/autossh -M 0 -N \
+  -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -o ExitOnFailure=yes -o ExitOnForwardFailure=yes \
+  -o StrictHostKeyChecking=no -i /opt/eop-tunnel/id_rsa \
+  -L 127.0.0.1:${LOCAL_PORT}:${DB_HOST}:${DB_PORT} ${SSH_USER}@${BASTION_HOST}
+[Install]
+WantedBy=multi-user.target
+EOF
+
+systemctl daemon-reload
+systemctl enable --now eop-db-tunnel.service
+
+# wait ready
+for i in {1..30}; do
+  ss -lnt | grep -q ":${LOCAL_PORT} " && exit 0
+  sleep 1
+done
+echo "Tunnel not ready on 127.0.0.1:${LOCAL_PORT}" >&2
+exit 1