#!/usr/bin/env bash set -euo pipefail BASE_URL="${WRITEGUARD_BOOTSTRAP_BASE_URL:-https://writeguard.athena-noesis.com/assets}" MANIFEST_URL="${WRITEGUARD_BOOTSTRAP_MANIFEST_URL:-${BASE_URL}/writeguard-bootstrap-manifest.json}" WORKDIR="${WRITEGUARD_BOOTSTRAP_WORKDIR:-${PWD}/writeguard-bootstrap-work}" INSTALL_TARGET="${WRITEGUARD_BOOTSTRAP_INSTALL_TARGET:-${PWD}/writeguard-commercial-install}" NON_INTERACTIVE="${WRITEGUARD_BOOTSTRAP_NON_INTERACTIVE:-0}" ADMIN_USERNAME="${WRITEGUARD_BOOTSTRAP_ADMIN_USERNAME:-admin}" ADMIN_PASSWORD="${WRITEGUARD_BOOTSTRAP_ADMIN_PASSWORD:-}" SKIP_MODEL="${WRITEGUARD_BOOTSTRAP_SKIP_MODEL:-0}" log() { printf '[writeguard-bootstrap] %s\n' "$*"; } warn() { printf '[writeguard-bootstrap][warn] %s\n' "$*" >&2; } fail() { printf '[writeguard-bootstrap][fail] %s\n' "$*" >&2; exit 1; } require_cmd() { command -v "$1" >/dev/null 2>&1 || fail "missing required command: $1" } prompt_secret() { local prompt="$1" local value="" if [[ -n "$ADMIN_PASSWORD" ]]; then return 0 fi if [[ "$NON_INTERACTIVE" -eq 1 ]]; then fail "missing WRITEGUARD_BOOTSTRAP_ADMIN_PASSWORD in non-interactive mode" fi read -r -p "$prompt" -s value printf '\n' ADMIN_PASSWORD="$value" } download() { local url="$1" local out="$2" curl -fsSL "$url" -o "$out" } python_manifest_dump() { python3 - "$1" <<'PY' from __future__ import annotations import json import sys from pathlib import Path manifest = json.loads(Path(sys.argv[1]).read_text(encoding="utf-8")) print(manifest.get("base_url") or "") print(manifest.get("generated_at") or "") print(manifest.get("version") or "") for section in ("payloads", "optional_payloads"): for item in manifest.get(section) or []: if not isinstance(item, dict): continue print(json.dumps(item, sort_keys=True, separators=(",", ":"))) PY } extract_zip() { local zip_file="$1" local target_dir="$2" mkdir -p "$target_dir" unzip -q "$zip_file" -d "$target_dir" } verify_sha256() { local file="$1" local expected="$2" local actual actual="$(sha256sum "$file" | awk '{print tolower($1)}')" [[ "$actual" == "$expected" ]] || fail "sha256 mismatch for $file" } decrypt_if_needed() { local encrypted_file="$1" local out_file="$2" local passphrase_env="${3:-}" if [[ -z "$passphrase_env" ]]; then fail "encrypted payload requested without passphrase env" fi local passphrase="${!passphrase_env:-}" [[ -n "$passphrase" ]] || fail "missing passphrase environment variable: $passphrase_env" require_cmd openssl openssl enc -d -aes-256-cbc -pbkdf2 -salt -pass "env:${passphrase_env}" -in "$encrypted_file" -out "$out_file" } prompt_secret "Admin password (WriteGuard bootstrap): " mkdir -p "$WORKDIR" "$INSTALL_TARGET" manifest_file="$WORKDIR/manifest.json" download "$MANIFEST_URL" "$manifest_file" mapfile -t manifest_lines < <(python_manifest_dump "$manifest_file") base_url="${manifest_lines[0]}" generated_at="${manifest_lines[1]}" version="${manifest_lines[2]}" log "Loaded manifest version ${version:-unknown} generated ${generated_at:-unknown}" payloads=() for line in "${manifest_lines[@]:3}"; do payloads+=("$line") done if [[ -z "$base_url" ]]; then base_url="$BASE_URL" fi for raw in "${payloads[@]}"; do name="$(python3 - <<'PY' "$raw" import json,sys print(json.loads(sys.argv[1]).get("name") or "") PY )" url="$(python3 - <<'PY' "$raw" import json,sys print(json.loads(sys.argv[1]).get("url") or "") PY )" sha256="$(python3 - <<'PY' "$raw" import json,sys print(json.loads(sys.argv[1]).get("sha256") or "") PY )" encrypted="$(python3 - <<'PY' "$raw" import json,sys print("1" if json.loads(sys.argv[1]).get("encrypted") else "0") PY )" passphrase_env="$(python3 - <<'PY' "$raw" import json,sys print(json.loads(sys.argv[1]).get("passphrase_env") or "") PY )" required="$(python3 - <<'PY' "$raw" import json,sys print("1" if json.loads(sys.argv[1]).get("required", True) else "0") PY )" extract_to="$(python3 - <<'PY' "$raw" import json,sys print(json.loads(sys.argv[1]).get("extract_to") or "") PY )" kind="$(python3 - <<'PY' "$raw" import json,sys print(json.loads(sys.argv[1]).get("kind") or "zip") PY )" if [[ -z "$url" ]]; then [[ "$required" -eq 0 ]] && continue fail "manifest item $name has no url" fi resolved_url="$url" [[ "$resolved_url" =~ ^https?:// ]] || resolved_url="${base_url%/}/${resolved_url#./}" tmp_file="$WORKDIR/${name}.download" log "Downloading ${name} from ${resolved_url}" download "$resolved_url" "$tmp_file" if [[ -n "$sha256" ]]; then verify_sha256 "$tmp_file" "$sha256" fi payload_file="$tmp_file" if [[ "$encrypted" -eq 1 ]]; then decrypted_file="$WORKDIR/${name}.decrypted" decrypt_if_needed "$tmp_file" "$decrypted_file" "$passphrase_env" payload_file="$decrypted_file" fi if [[ "$kind" == "zip" ]]; then target_dir="$INSTALL_TARGET/${extract_to:-$name}" log "Extracting ${name} to ${target_dir}" extract_zip "$payload_file" "$target_dir" else warn "Skipping unsupported payload type '${kind}' for ${name}" fi done if [[ -d "${INSTALL_TARGET}/writeguard-commercial" ]]; then core_root="${INSTALL_TARGET}/writeguard-commercial/writeguard" if [[ -x "${core_root}/install_writeguard.sh" ]]; then log "Core bundle extracted. You can run the installer from: ${core_root}" if [[ "$NON_INTERACTIVE" -eq 1 ]]; then log "Non-interactive mode: skipping installer launch." exit 0 fi read -r -p "Launch installer now? [Y/n] " launch_now launch_now="${launch_now:-Y}" if [[ "$launch_now" =~ ^[Yy]$ ]]; then export WRITEGUARD_BOOTSTRAP_ADMIN_USERNAME="$ADMIN_USERNAME" export WRITEGUARD_BOOTSTRAP_ADMIN_PASSWORD="$ADMIN_PASSWORD" if [[ "$SKIP_MODEL" == "1" ]]; then export WRITEGUARD_CAPPY_PULL_MODEL=0 fi log "Launching installer..." ( cd "$core_root" exec ./install_writeguard.sh --up ) fi fi fi log "Bootstrap complete."