
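#!/bin/sh
# Copyright 2022 Felix Freeman <libsys@hacktivista.org>
#
# This script is licensed under the 'MIT No Attribution' license terms. I don't
# want attribution nor exclusive rights over it, but I'd love that you free your
# software too.
#
# Automated setup of the HAWESE services on a Debian 11 machine. Run as root on
# a fresh host: it installs packages, creates the database and its user, the
# service account, the PHP-FPM pool, the nginx sites (with certificates) and,
# when 'userland' is selected, a systemd unit for it.
#
# Environment variables
#
# - HAWESE_ENV: 'development' or 'production' (default)
# - PROJECTS: space-separated list of projects to install, defaults to
#   'hawese-core hawese-wallet hawese-payment hawese-seeds userland'
# - ENDPOINT: API endpoint, defaults to 'dev.api.hackware.cl'
# - CORS_ENDPOINT: endpoint from which API will be called, usually userland,
#   defaults to 'dev.userland.hackware.cl'
# - WALLET_ADD_FUNDS_URL: Wallet add funds url, defaults to
#   "https://$CORS_ENDPOINT/add-funds"
# - PAYMENT_RETURN_URL: Page to return after a successful payment, defaults to
#   "https://$CORS_ENDPOINT/add-funds/verify"
# - CERTBOT_EMAIL: Email to use for certbot certificates on production. When
#   unset the ACME account is registered without an email (no expiry notices);
#   set it to an address you control rather than a throw-away mailbox.
# - XDEBUG_CLIENT_HOST: Host from which XDebug will connect. Defaults to
#   '_gateway.lxd' when using LXD, 'localhost' otherwise.
# - PHP_VERSION: PHP major.minor used for the FPM pool, socket and php.ini
#   paths, defaults to the version of the installed php (7.4 on Debian 11).
#
# This script uses tabs for indentation of script and spaces for indentation of
# generated config files.

# Stop at the first failing step (and on typos in variable names) instead of
# continuing to write configs for a half-done setup.
set -eu

export HAWESE_ENV=${HAWESE_ENV:-production}
export PROJECTS=${PROJECTS:-hawese-core hawese-wallet hawese-payment hawese-seeds userland}
export ENDPOINT=${ENDPOINT:-dev.api.hackware.cl}
export CORS_ENDPOINT=${CORS_ENDPOINT:-dev.userland.hackware.cl}
export WALLET_ADD_FUNDS_URL
export PAYMENT_RETURN_URL

# True when HAWESE_ENV selects the development flavour.
is_dev() {
	test "$HAWESE_ENV" = 'development'
}

#
# Packages
#
apt install -y mariadb-server php-fpm php-curl php-mysql php-xml php-bcmath composer nginx pwgen
if is_dev; then
	apt install -y php-xdebug git
else
	apt install -y python3-certbot-nginx
fi
case "$PROJECTS" in *userland*) apt install -y npm ;; esac

# Derive the PHP version from what apt actually installed, so the pool,
# socket and php.ini paths below stay consistent with each other.
PHP_VERSION=${PHP_VERSION:-$(php -r 'echo PHP_MAJOR_VERSION.".".PHP_MINOR_VERSION;')}

#
# Database
#
export DB_NAME=hawese
export DB_USER=hawese
# pwgen -y may emit any printable symbol. Strip the two that would break or
# silently alter the quoted SQL literal below: ' terminates the literal and \
# is an escape character in MariaDB strings (a trailing \ would even swallow
# the closing quote).
export DB_PASS="$(pwgen -syc -r "'\\" 32)"
# Grant to 'localhost' only: the app runs on this host (socket or loopback,
# which MariaDB reports as localhost unless skip-name-resolve is set), so the
# implicit '%' wildcard host of the bare user name is needless exposure.
mysql -sf << EOF
CREATE DATABASE $DB_NAME;
GRANT ALL PRIVILEGES ON $DB_NAME.* TO '$DB_USER'@'localhost' IDENTIFIED BY '$DB_PASS';
FLUSH PRIVILEGES;
EOF
if is_dev; then
	# Fixed, well-known credentials: acceptable only because this is the
	# development test database, and still bound to localhost.
	mysql -sf <<- EOF
	CREATE DATABASE hawese_test;
	GRANT ALL PRIVILEGES ON hawese_test.* TO 'hawese_test'@'localhost' IDENTIFIED BY 'hawese_test';
	EOF
fi

#
# Service account and per-user setup
#
useradd -m -d /opt/hawese -k /dev/null -s /bin/sh -g www-data hawese
cd /opt/hawese
# DB_PASS and the other exported values reach setup_user.sh through the
# environment (-E); what it does with them is outside this script.
USER=hawese HOME=/opt/hawese sudo -E -u hawese setup/setup_user.sh

#
# PHP-FPM
#
# Dedicated pool so the app runs as its own user. The socket is owned by
# www-data (nginx) and FPM's default listen.mode of 0660 keeps it private.
cat << EOF > "/etc/php/$PHP_VERSION/fpm/pool.d/$ENDPOINT.conf"
[hawese]
user = hawese
group = www-data
listen = /run/php/php$PHP_VERSION-fpm-hawese.sock
listen.owner = www-data
listen.group = www-data
pm = ondemand
pm.max_children = 5
pm.process_idle_timeout = 60s
EOF
if is_dev; then
	# Written before the restart below so FPM actually loads it; appended
	# after the restart it would only take effect on some later restart.
	cat <<- EOF | tee -a "/etc/php/$PHP_VERSION/fpm/php.ini" >> "/etc/php/$PHP_VERSION/cli/php.ini"
	[XDebug]
	xdebug.mode = develop,debug
	xdebug.client_host = ${XDEBUG_CLIENT_HOST:-localhost}
	EOF
fi
service "php$PHP_VERSION-fpm" restart

#
# nginx sites
#

# Print the certificate path for host $1 according to HAWESE_ENV.
cert_file() {
	if is_dev; then
		echo "/etc/ssl/certs/$1.crt"
	else
		echo "/etc/letsencrypt/live/$1/fullchain.pem"
	fi
}

# Print the private key path for host $1 according to HAWESE_ENV.
key_file() {
	if is_dev; then
		echo "/etc/ssl/private/$1.key"
	else
		echo "/etc/letsencrypt/live/$1/privkey.pem"
	fi
}

# Write the plain-HTTP server block for host $1 (everything redirects to
# https) and make it live. This happens before the certificate is requested:
# certbot's nginx plugin looks for a live server block with this name and
# reloads nginx itself, which fails if a conf.d file is only half written.
begin_site() {
	cat <<- EOF > "/etc/nginx/conf.d/$1.conf"
	server {
	    listen 80;
	    listen [::]:80;
	    server_name $1;
	    location / { return 301 https://\$host\$request_uri; }
	}
	EOF
	service nginx reload
}

# Obtain the certificate for host $1: self-signed for ten years in
# development, Let's Encrypt via certbot in production.
issue_certificate() {
	if is_dev; then
		openssl req -x509 -nodes -newkey rsa:4096 -sha256 -days 3650 \
			-subj "/CN=$1" \
			-keyout "/etc/ssl/private/$1.key" -out "/etc/ssl/certs/$1.crt"
	elif [ -n "${CERTBOT_EMAIL:-}" ]; then
		certbot certonly --nginx --agree-tos --no-eff-email --email "$CERTBOT_EMAIL" -d "$1"
	else
		# No mailbox for expiry notices, but better than registering a random
		# address at a third-party domain that nobody here controls.
		certbot certonly --nginx --agree-tos --no-eff-email --register-unsafely-without-email -d "$1"
	fi
}

# Append the head of the TLS server block for host $1, serving root $2 with
# index $3. The caller appends its locations and closes the block with '}'.
begin_tls_server() {
	cat <<- EOF >> "/etc/nginx/conf.d/$1.conf"
	server {
	    listen 443 ssl http2;
	    listen [::]:443 ssl http2;
	    server_name $1;
	    access_log /var/log/nginx/$1.access.log;
	    error_log /var/log/nginx/$1.error.log;
	    ssl_certificate $(cert_file "$1");
	    ssl_certificate_key $(key_file "$1");
	    root $2;
	    index $3;
	EOF
}

# API endpoint: PHP front controller behind PHP-FPM.
begin_site "$ENDPOINT"
issue_certificate "$ENDPOINT"
begin_tls_server "$ENDPOINT" /opt/hawese/public index.php
cat << EOF >> "/etc/nginx/conf.d/$ENDPOINT.conf"
    location / {
        try_files \$uri \$uri/ /index.php?\$query_string;
    }
    location ~ \.php$ {
        # Only hand existing files to FPM. Without this a request such as
        # /some/upload.jpg/x.php reaches PHP, which with cgi.fix_pathinfo=1
        # may execute the upload as PHP.
        try_files \$uri =404;
        fastcgi_pass unix:/run/php/php$PHP_VERSION-fpm-hawese.sock;
        fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
        include fastcgi.conf;
    }
}
EOF

# userland: static site in production, proxied to the npm dev server in
# development, plus a systemd unit running that server as the service user.
case "$PROJECTS" in *userland*)
	begin_site "$CORS_ENDPOINT"
	issue_certificate "$CORS_ENDPOINT"
	begin_tls_server "$CORS_ENDPOINT" /opt/hawese/userland/public index.html
	if is_dev; then
		cat <<- EOF >> "/etc/nginx/conf.d/$CORS_ENDPOINT.conf"
		    location / {
		        proxy_pass http://localhost:8080;
		    }
		EOF
	fi
	echo '}' >> "/etc/nginx/conf.d/$CORS_ENDPOINT.conf"
	cat <<- EOF > /etc/systemd/system/userland.service
	[Unit]
	Description=HAWESE userland
	After=syslog.target network.target
	[Service]
	Type=simple
	User=hawese
	Group=www-data
	WorkingDirectory=/opt/hawese/userland
	ExecStart=/usr/bin/npm run serve -- --public https://$CORS_ENDPOINT
	SyslogIdentifier=userland
	# Basic sandboxing: a Node dev server has no business gaining privileges,
	# sharing /tmp or writing to system directories.
	NoNewPrivileges=yes
	PrivateTmp=yes
	ProtectSystem=full
	[Install]
	WantedBy=default.target
	EOF
	systemctl enable --now userland
	;;
esac

# Load the TLS server blocks written above.
service nginx reload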