simplex/install.sh

#!/bin/bash

set -o errexit

INSTALL_DIR=$(pwd)
OPENRESTY_VERSION=1.13.6.1
LUAROCKS_VERSION=2.4.1
POSTGRES_PASSWORD=$(cat /dev/urandom | head -c 12 | base64)

if [ "$1" != "dev" ]
then
  read -p "Enter email address for use with certbot-auto: " EMAIL_ADDRESS
  read -p "Enter the domain name this will be running on: " DOMAIN_NAME
  read -p "Enter the port this will be running on: " PORT
fi

EMAIL_ADDRESS=${EMAIL_ADDRESS:-noone@example.com}
DOMAIN_NAME=${DOMAIN_NAME:-localhost}
PORT=${PORT:-9872}

### PREREQUISITES ###
sudo apt-get update

if ! command -v nginx >/dev/null 2>&1 && [ "$1" != "dev" ]
then
  sudo apt-get install nginx -y
fi

if ! command -v certbot-auto >/dev/null 2>&1 && [ "$1" != "dev" ]
then
  wget https://dl.eff.org/certbot-auto
  chmod a+x ./certbot-auto
  sudo mv ./certbot-auto /bin/certbot-auto
fi

if ! command -v psql >/dev/null 2>&1
then
  sudo apt-get install postgresql -y
fi

if ! command -v openresty >/dev/null 2>&1 || [ ! -d '/usr/local/openresty' ]
then
  sudo apt-get install wget curl lua5.1 liblua5.1-0-dev zip unzip libreadline-dev libncurses5-dev libpcre3-dev openssl libssl-dev perl make build-essential -y
  cd ..
  wget https://openresty.org/download/openresty-$OPENRESTY_VERSION.tar.gz
  tar xvf openresty-$OPENRESTY_VERSION.tar.gz
  cd openresty-$OPENRESTY_VERSION
  ./configure
  make
  sudo make install
  cd ..
  rm -rf openresty-$OPENRESTY_VERSION*
  cd $INSTALL_DIR
fi

if ! command -v luarocks >/dev/null 2>&1
then
  sudo apt-get install wget curl lua5.1 liblua5.1-0-dev zip unzip libreadline-dev libncurses5-dev libpcre3-dev openssl libssl-dev perl make build-essential -y
  cd ..
  wget https://keplerproject.github.io/luarocks/releases/luarocks-$LUAROCKS_VERSION.tar.gz
  tar xvf luarocks-$LUAROCKS_VERSION.tar.gz
  cd luarocks-$LUAROCKS_VERSION
  ./configure
  make build
  sudo make install
  cd ..
  rm -rf luarocks-$LUAROCKS_VERSION*
  cd $INSTALL_DIR
fi

sudo luarocks install luacrypto # needed for pgmoon, but not installed automatically ?
sudo luarocks install lapis
sudo luarocks install moonscript
sudo luarocks install bcrypt
sudo luarocks install lapis-console # not used yet, but I totally will

# Certificate / TLS Security
if [ "$1" != "dev" ]
then
  sudo nginx -s stop
  sudo certbot-auto certonly --standalone --agree-tos --no-eff-email -n -m $EMAIL_ADDRESS -d $DOMAIN_NAME
  sudo nginx
  openssl dhparam -out ./dhparams.pem 2048
fi

# Database access
sudo -u postgres createuser simplex
sudo -u postgres createdb simplex
sudo -u postgres bash -c 'psql -c "ALTER USER simplex WITH ENCRYPTED PASSWORD '\'$POSTGRES_PASSWORD\''; GRANT ALL PRIVILEGES ON DATABASE simplex TO simplex;"'

# Secrets setup
echo "{
  sql_password: '$POSTGRES_PASSWORD'
  session_secret: '$(cat /dev/urandom | head -c 12 | base64)'
  _domain: '$DOMAIN_NAME'
  _port: $PORT
}" > ./secret.moon

# Compile, Change owner, Run migrations
moonc .
sudo chown -R www-data:www-data ./
lapis migrate production

# As-a-Service
if [ "$1" != "dev" ]
then
  sudo echo "[Unit]
Description=simplex server

[Service]
User=www-data
Type=forking
WorkingDirectory=$INSTALL_DIR
ExecStart=$(which lapis) server production
ExecReload=$(which lapis) build production
ExecStop=$(which lapis) term

[Install]
WantedBy=multi-user.target" > /etc/systemd/system/simplex.service
  sudo systemctl daemon-reload
  sudo systemctl enable simplex.service
  sudo service simplex start

  # Proxy
  sudo echo "server {
  listen 443 ssl;
  server_name $DOMAIN_NAME;

  add_header Strict-Transport-Security \"max-age=63072000; preload\"; # DO NOT includeSubDomains; (some subdomains intentionally served over HTTP for now)
  add_header X-Frame-Options DENY;
  add_header X-Content-Type-Options nosniff;

  ssl_certificate /etc/letsencrypt/live/$DOMAIN_NAME/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/$DOMAIN_NAME/privkey.pem;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_prefer_server_ciphers on;
  ssl_ciphers \"EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH\";
  ssl_ecdh_curve secp384r1;
  ssl_session_cache shared:SSL:10m;
  ssl_session_tickets off;
  ssl_stapling on;
  ssl_stapling_verify on;
  ssl_dhparam $INSTALL_DIR/dhparams.pem;

  location / {
    proxy_pass http://127.0.0.1:$PORT;
  }
}" > /etc/nginx/sites-enabled/simplex-proxy.conf
  sudo nginx -s reload
fi
init 2018-04-23 12:00:42 +00:00			`#!/bin/bash`

			`set -o errexit`

			`INSTALL_DIR=$(pwd)`
			`OPENRESTY_VERSION=1.13.6.1`
			`LUAROCKS_VERSION=2.4.1`
			`POSTGRES_PASSWORD=$(cat /dev/urandom \| head -c 12 \| base64)`

corrected logic error in install.sh 2018-04-24 13:04:57 +00:00			`if [ "$1" != "dev" ]`
corrected typo in api, install script fixed/supports dev option 2018-04-24 13:00:58 +00:00			`then`
			`read -p "Enter email address for use with certbot-auto: " EMAIL_ADDRESS`
			`read -p "Enter the domain name this will be running on: " DOMAIN_NAME`
			`read -p "Enter the port this will be running on: " PORT`
			`fi`
init 2018-04-23 12:00:42 +00:00
corrected install.sh, completed API key giving / new task adding / task checking 2018-04-24 05:42:56 +00:00			`EMAIL_ADDRESS=${EMAIL_ADDRESS:-noone@example.com}`
corrected typo in api, install script fixed/supports dev option 2018-04-24 13:00:58 +00:00			`DOMAIN_NAME=${DOMAIN_NAME:-localhost}`
corrected install.sh, completed API key giving / new task adding / task checking 2018-04-24 05:42:56 +00:00			`PORT=${PORT:-9872}`
init 2018-04-23 12:00:42 +00:00
			`### PREREQUISITES ###`
fix #7 apt-get update before prerequisite check 2018-04-24 16:38:09 +00:00			`sudo apt-get update`
init 2018-04-23 12:00:42 +00:00
fix #7 apt-get update before prerequisite check 2018-04-24 16:38:09 +00:00			`if ! command -v nginx >/dev/null 2>&1 && [ "$1" != "dev" ]`
init 2018-04-23 12:00:42 +00:00			`then`
			`sudo apt-get install nginx -y`
			`fi`

corrected logic error in install.sh 2018-04-24 13:04:57 +00:00			`if ! command -v certbot-auto >/dev/null 2>&1 && [ "$1" != "dev" ]`
init 2018-04-23 12:00:42 +00:00			`then`
			`wget https://dl.eff.org/certbot-auto`
			`chmod a+x ./certbot-auto`
			`sudo mv ./certbot-auto /bin/certbot-auto`
			`fi`

			`if ! command -v psql >/dev/null 2>&1`
			`then`
			`sudo apt-get install postgresql -y`
			`fi`

corrected typo in api, install script fixed/supports dev option 2018-04-24 13:00:58 +00:00			`if ! command -v openresty >/dev/null 2>&1 \|\| [ ! -d '/usr/local/openresty' ]`
init 2018-04-23 12:00:42 +00:00			`then`
			`sudo apt-get install wget curl lua5.1 liblua5.1-0-dev zip unzip libreadline-dev libncurses5-dev libpcre3-dev openssl libssl-dev perl make build-essential -y`
			`cd ..`
			`wget https://openresty.org/download/openresty-$OPENRESTY_VERSION.tar.gz`
			`tar xvf openresty-$OPENRESTY_VERSION.tar.gz`
			`cd openresty-$OPENRESTY_VERSION`
			`./configure`
			`make`
			`sudo make install`
			`cd ..`
			`rm -rf openresty-$OPENRESTY_VERSION*`
			`cd $INSTALL_DIR`
			`fi`

			`if ! command -v luarocks >/dev/null 2>&1`
			`then`
			`sudo apt-get install wget curl lua5.1 liblua5.1-0-dev zip unzip libreadline-dev libncurses5-dev libpcre3-dev openssl libssl-dev perl make build-essential -y`
			`cd ..`
			`wget https://keplerproject.github.io/luarocks/releases/luarocks-$LUAROCKS_VERSION.tar.gz`
			`tar xvf luarocks-$LUAROCKS_VERSION.tar.gz`
			`cd luarocks-$LUAROCKS_VERSION`
			`./configure`
			`make build`
			`sudo make install`
			`cd ..`
			`rm -rf luarocks-$LUAROCKS_VERSION*`
			`cd $INSTALL_DIR`
			`fi`

corrected typo in api, install script fixed/supports dev option 2018-04-24 13:00:58 +00:00			`sudo luarocks install luacrypto # needed for pgmoon, but not installed automatically ?`
init 2018-04-23 12:00:42 +00:00			`sudo luarocks install lapis`
			`sudo luarocks install moonscript`
			`sudo luarocks install bcrypt`
			`sudo luarocks install lapis-console # not used yet, but I totally will`

finishing up security pieces of install.sh 2018-04-24 04:59:50 +00:00			`# Certificate / TLS Security`
corrected logic error in install.sh 2018-04-24 13:04:57 +00:00			`if [ "$1" != "dev" ]`
corrected typo in api, install script fixed/supports dev option 2018-04-24 13:00:58 +00:00			`then`
			`sudo nginx -s stop`
finish install script automation 2018-04-24 13:36:32 +00:00			`sudo certbot-auto certonly --standalone --agree-tos --no-eff-email -n -m $EMAIL_ADDRESS -d $DOMAIN_NAME`
corrected typo in api, install script fixed/supports dev option 2018-04-24 13:00:58 +00:00			`sudo nginx`
			`openssl dhparam -out ./dhparams.pem 2048`
			`fi`
init 2018-04-23 12:00:42 +00:00
			`# Database access`
			`sudo -u postgres createuser simplex`
			`sudo -u postgres createdb simplex`
			`sudo -u postgres bash -c 'psql -c "ALTER USER simplex WITH ENCRYPTED PASSWORD '\'$POSTGRES_PASSWORD\''; GRANT ALL PRIVILEGES ON DATABASE simplex TO simplex;"'`

			`# Secrets setup`
			`echo "{`
			`sql_password: '$POSTGRES_PASSWORD'`
			`session_secret: '$(cat /dev/urandom \| head -c 12 \| base64)'`
			`_domain: '$DOMAIN_NAME'`
corrected install.sh, completed API key giving / new task adding / task checking 2018-04-24 05:42:56 +00:00			`_port: $PORT`
init 2018-04-23 12:00:42 +00:00			`}" > ./secret.moon`

corrected typo in api, install script fixed/supports dev option 2018-04-24 13:00:58 +00:00			`# Compile, Change owner, Run migrations`
init 2018-04-23 12:00:42 +00:00			`moonc .`
corrected typo in api, install script fixed/supports dev option 2018-04-24 13:00:58 +00:00			`sudo chown -R www-data:www-data ./`
init 2018-04-23 12:00:42 +00:00			`lapis migrate production`

			`# As-a-Service`
corrected logic error in install.sh 2018-04-24 13:04:57 +00:00			`if [ "$1" != "dev" ]`
corrected typo in api, install script fixed/supports dev option 2018-04-24 13:00:58 +00:00			`then`
			`sudo echo "[Unit]`
init 2018-04-23 12:00:42 +00:00			`Description=simplex server`

			`[Service]`
			`User=www-data`
			`Type=forking`
			`WorkingDirectory=$INSTALL_DIR`
			`ExecStart=$(which lapis) server production`
			`ExecReload=$(which lapis) build production`
			`ExecStop=$(which lapis) term`

			`[Install]`
the most insecure commit I could make! 2018-04-23 13:06:56 +00:00			`WantedBy=multi-user.target" > /etc/systemd/system/simplex.service`
corrected typo in api, install script fixed/supports dev option 2018-04-24 13:00:58 +00:00			`sudo systemctl daemon-reload`
			`sudo systemctl enable simplex.service`
			`sudo service simplex start`
init 2018-04-23 12:00:42 +00:00
corrected typo in api, install script fixed/supports dev option 2018-04-24 13:00:58 +00:00			`# Proxy`
			`sudo echo "server {`
init 2018-04-23 12:00:42 +00:00			`listen 443 ssl;`
			`server_name $DOMAIN_NAME;`

finishing up security pieces of install.sh 2018-04-24 04:59:50 +00:00			`add_header Strict-Transport-Security \"max-age=63072000; preload\"; # DO NOT includeSubDomains; (some subdomains intentionally served over HTTP for now)`
			`add_header X-Frame-Options DENY;`
			`add_header X-Content-Type-Options nosniff;`

init 2018-04-23 12:00:42 +00:00			`ssl_certificate /etc/letsencrypt/live/$DOMAIN_NAME/fullchain.pem;`
			`ssl_certificate_key /etc/letsencrypt/live/$DOMAIN_NAME/privkey.pem;`
			`ssl_protocols TLSv1 TLSv1.1 TLSv1.2;`
			`ssl_prefer_server_ciphers on;`
			`ssl_ciphers \"EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH\";`
			`ssl_ecdh_curve secp384r1;`
			`ssl_session_cache shared:SSL:10m;`
			`ssl_session_tickets off;`
			`ssl_stapling on;`
			`ssl_stapling_verify on;`
			`ssl_dhparam $INSTALL_DIR/dhparams.pem;`

			`location / {`
corrected install.sh, completed API key giving / new task adding / task checking 2018-04-24 05:42:56 +00:00			`proxy_pass http://127.0.0.1:$PORT;`
init 2018-04-23 12:00:42 +00:00			`}`
			`}" > /etc/nginx/sites-enabled/simplex-proxy.conf`
corrected typo in api, install script fixed/supports dev option 2018-04-24 13:00:58 +00:00			`sudo nginx -s reload`
			`fi`