chore(ci): enforce shellscript formatting and style (#3679)

Noticed that we all have different styles of writing scripts :-).

This PR adds linting to our shell scripts to standardize on formatting,
catch common issues and/or possible security bugs.

For editor setup:
- Ensure [`shellcheck`](https://github.com/koalaman/shellcheck) and
[`shfmt`](https://github.com/mvdan/sh) are in your `PATH`
- Configure `shfmt` with indentation of `4`, otherwise it uses tabs by
default.
[Here](https://github.com/jamilbk/nvim/blob/master/init.vim#L159) is how
you can do that with Vim and
[here](https://marketplace.visualstudio.com/items?itemName=mkhl.shfmt)
is how for VScode.

---------

Signed-off-by: Jamil <jamilbk@users.noreply.github.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Reactor Scram <ReactorScram@users.noreply.github.com>
Co-authored-by: Thomas Eizinger <thomas@eizinger.io>
Co-authored-by: Brian Manifold <bmanifold@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Andrew Dryga <andrew@dryga.com>
Co-authored-by: Gabi <gabrielalejandro7@gmail.com>

scripts/README.md

@@ -0,0 +1,40 @@
+# Firezone shell scripts
+
+This directory contains various shell scripts used for development, testing, and
+deployment of the Firezone product.
+
+## Developer Setup
+
+We lint shell scripts in CI. To get your PR to pass, you'll want to ensure your
+local development environment is set up to lint shell scripts:
+
+1. Install [`shfmt`](https://github.com/mvdan/sh):
+   - `brew install shfmt` on macOS
+   - Install shfmt from https://github.com/mvdan/sh/releases for other platforms
+1. Install [`shellcheck`](https://github.com/koalaman/shellcheck/tree/master):
+   - `brew install shellcheck` on macOS
+   - `sudo apt-get install shellcheck` on Ubuntu
+
+Then just lint and format your shell scripts before you commit:
+
+```
+shfmt -i 4 **/*.sh
+shellcheck --severity=warning **/*.sh
+```
+
+You can achieve this more easily by using `pre-commit`. See
+[CONTRIBUTING](../CONTRIBUTING.md#pre-commit).
+
+### Editor setup
+
+- [Vim](https://github.com/dense-analysis/ale/blob/master/autoload/ale/fixers/shfmt.vim)
+  ([here's an example](https://github.com/jamilbk/nvim/blob/master/init.vim#L159)
+  using ALE)
+- [VSCode](https://marketplace.visualstudio.com/items?itemName=mkhl.shfmt)
+
+## Scripting tips
+
+- Use `#!/usr/bin/env bash` along with `set -euo pipefail` in general for dev
+  and test scripts.
+- In Docker images and other minimal envs, stick to `#!/bin/sh` and simply
+  `set -eu`.

scripts/gateway-docker-upgrade.sh

@@ -1,20 +1,19 @@
 #!/usr/bin/env bash
 
-set -e
+set -euo pipefail
 
 TARGET_IMAGE="ghcr.io/firezone/gateway:1"
 
 CURRENTLY_RUNNING=$(docker ps --format "{{.Names}} {{.Image}}" | grep -e "$TARGET_IMAGE" | awk '{print $1}')
 if [ "$CURRENTLY_RUNNING" == "" ]; then
     echo "No Firezone gateway found running on this system. Exiting."
-    exit -1
+    exit 1
 fi
 
 echo "Pulling latest image..."
-docker pull "$TARGET_IMAGE" > /dev/null
+docker pull "$TARGET_IMAGE" >/dev/null
 echo "Checking for containers to upgrade..."
-for RUNNING_CONTAINER in $CURRENTLY_RUNNING
-do
+for RUNNING_CONTAINER in $CURRENTLY_RUNNING; do
     LATEST=$(docker inspect --format "{{.Id}}" "$TARGET_IMAGE")
     RUNNING=$(docker inspect --format "{{.Image}}" "$RUNNING_CONTAINER")
     RUNNING_NAME=$(docker inspect --format "{{.Name}}" "$RUNNING_CONTAINER" | sed 's~/~~g')
@@ -22,28 +21,28 @@ do
     # Upgrade if necessary
     if [ "$RUNNING" != "$LATEST" ]; then
         echo -n "Upgrading gateway..."
-        docker container inspect "$RUNNING_CONTAINER" --format '{{join .Config.Env "\n"}}' | grep -v "PATH" > variables.env
-        docker stop "$RUNNING_CONTAINER" > /dev/null
-        docker rm -f "$RUNNING_CONTAINER" > /dev/null
+        docker container inspect "$RUNNING_CONTAINER" --format '{{join .Config.Env "\n"}}' | grep -v "PATH" >variables.env
+        docker stop "$RUNNING_CONTAINER" >/dev/null
+        docker rm -f "$RUNNING_CONTAINER" >/dev/null
         docker run -d \
-          --restart=unless-stopped \
-          --pull=always \
-          --health-cmd="ip link | grep tun-firezone" \
-          --name="$RUNNING_NAME" \
-          --cap-add=NET_ADMIN \
-          --volume /var/lib/firezone \
-          --env-file variables.env \
-          --sysctl net.ipv4.ip_forward=1 \
-          --sysctl net.ipv4.conf.all.src_valid_mark=1 \
-          --sysctl net.ipv6.conf.all.disable_ipv6=0 \
-          --sysctl net.ipv6.conf.all.forwarding=1 \
-          --sysctl net.ipv6.conf.default.forwarding=1 \
-          --device="/dev/net/tun:/dev/net/tun" \
-          "$TARGET_IMAGE"
+            --restart=unless-stopped \
+            --pull=always \
+            --health-cmd="ip link | grep tun-firezone" \
+            --name="$RUNNING_NAME" \
+            --cap-add=NET_ADMIN \
+            --volume /var/lib/firezone \
+            --env-file variables.env \
+            --sysctl net.ipv4.ip_forward=1 \
+            --sysctl net.ipv4.conf.all.src_valid_mark=1 \
+            --sysctl net.ipv6.conf.all.disable_ipv6=0 \
+            --sysctl net.ipv6.conf.all.forwarding=1 \
+            --sysctl net.ipv6.conf.default.forwarding=1 \
+            --device="/dev/net/tun:/dev/net/tun" \
+            "$TARGET_IMAGE"
         rm variables.env
         echo "Container upgraded"
     else
-      echo "Gateway is already up to date"
+        echo "Gateway is already up to date"
     fi
 done
 

scripts/tests/direct-curl-portal-down.sh

@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 
-set -e
+set -euo pipefail
 
 source "./scripts/tests/lib.sh"
 

scripts/tests/direct-curl-portal-relay-down.sh

@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 
-set -e
+set -euo pipefail
 
 source "./scripts/tests/lib.sh"
 

scripts/tests/direct-curl-portal-restart.sh

@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 
-set -e
+set -euo pipefail
 
 source "./scripts/tests/lib.sh"
 

scripts/tests/lib.sh

@@ -1,5 +1,7 @@
 #!/usr/bin/env bash
 
+set -euo pipefail
+
 function install_iptables_drop_rules() {
     sudo iptables -I FORWARD 1 -s 172.28.0.100 -d 172.28.0.105 -j DROP
     sudo iptables -I FORWARD 1 -s 172.28.0.105 -d 172.28.0.100 -j DROP

scripts/tests/relayed-curl-portal-down.sh

@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 
-set -e
+set -euo pipefail
 
 source "./scripts/tests/lib.sh"
 

scripts/tests/relayed-curl-portal-restart.sh

@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 
-set -e
+set -euo pipefail
 
 source "./scripts/tests/lib.sh"