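#!/bin/bash
# Installs the simplex Lapis application together with its runtime:
# OpenResty, LuaRocks, PostgreSQL and (outside dev mode) an nginx TLS proxy
# with a Let's Encrypt certificate obtained via certbot-auto.
#
# Usage:  ./install.sh        # production: prompts for email, domain and port
#         ./install.sh dev    # local dev: skips nginx/certbot, uses defaults
#
# Run from the application directory; uses sudo for privileged steps.
set -o errexit
set -o pipefail

INSTALL_DIR=$(pwd)
OPENRESTY_VERSION=1.13.6.1
LUAROCKS_VERSION=2.4.1

# 18 random bytes -> 24 base64 chars ([A-Za-z0-9+/]). The alphabet contains no
# quote characters, so the value can be embedded in the single-quoted SQL and
# MoonScript literals written later. `head` reads /dev/urandom directly: a
# `cat | head` pipeline would kill cat with SIGPIPE and trip pipefail.
POSTGRES_PASSWORD=$(head -c 18 /dev/urandom | base64)

if [ "${1:-}" != "dev" ]
then
  read -r -p "Enter email address for use with certbot-auto: " EMAIL_ADDRESS
  read -r -p "Enter the domain name this will be running on: " DOMAIN_NAME
  read -r -p "Enter the port this will be running on: " PORT
fi
EMAIL_ADDRESS=${EMAIL_ADDRESS:-noone@example.com}
DOMAIN_NAME=${DOMAIN_NAME:-localhost}
PORT=${PORT:-9872}

# Both values are spliced verbatim into nginx and MoonScript config files
# below; reject anything that could break out of those files.
case "$DOMAIN_NAME" in
  *[!A-Za-z0-9.-]*|'') echo "invalid domain name: $DOMAIN_NAME" >&2; exit 1 ;;
esac
case "$PORT" in
  *[!0-9]*|'') echo "invalid port: $PORT" >&2; exit 1 ;;
esac

### PREREQUISITES ###
sudo apt-get update

# Scratch directory for source builds. It lives next to the install dir (where
# the original build happened) rather than in /tmp, which may be noexec and
# would break ./configure; it is removed on every exit path.
BUILD_DIR=$(mktemp -d "$INSTALL_DIR/../simplex-build.XXXXXX")
cleanup() { rm -rf -- "${BUILD_DIR:?}"; }
trap cleanup EXIT

# Packages needed to build OpenResty and LuaRocks from source.
BUILD_DEPS=(wget curl lua5.1 liblua5.1-0-dev zip unzip libreadline-dev
  libncurses5-dev libpcre3-dev openssl libssl-dev perl make build-essential)

if ! command -v nginx >/dev/null 2>&1 && [ "${1:-}" != "dev" ]
then
  sudo apt-get install nginx -y
fi

if ! command -v certbot-auto >/dev/null 2>&1 && [ "${1:-}" != "dev" ]
then
  # certbot-auto is a script that will later run as root, so check the EFF
  # detached signature before installing it. Fingerprint taken from the
  # Certbot install docs (https://certbot.eff.org/docs/install.html) -- confirm
  # it there before trusting this value; override with CERTBOT_KEY_FPR if the
  # key has rotated. Adjust the keyserver if the key is not found there.
  CERTBOT_KEY_FPR=${CERTBOT_KEY_FPR:-A2CFB51FA275A7286234E7B24D17C995CD9775F2}
  sudo apt-get install -y gnupg wget
  (
    cd "$BUILD_DIR"
    wget https://dl.eff.org/certbot-auto
    wget https://dl.eff.org/certbot-auto.asc
    gpg --keyserver hkps://keys.openpgp.org --recv-key "$CERTBOT_KEY_FPR"
    # --trusted-key wants the 16-hex-digit long key ID (tail of the fingerprint).
    gpg --trusted-key "${CERTBOT_KEY_FPR:24}" --verify certbot-auto.asc certbot-auto
    chmod a+x ./certbot-auto
    sudo mv ./certbot-auto /bin/certbot-auto
  )
fi

if ! command -v psql >/dev/null 2>&1
then
  sudo apt-get install postgresql -y
fi

if ! command -v openresty >/dev/null 2>&1 || [ ! -d '/usr/local/openresty' ]
then
  sudo apt-get install -y "${BUILD_DEPS[@]}"
  # Subshell: the cd is scoped, so no need to cd back to $INSTALL_DIR.
  (
    cd "$BUILD_DIR"
    wget "https://openresty.org/download/openresty-$OPENRESTY_VERSION.tar.gz"
    # TODO(review): verify the release signature (openresty.org publishes .asc
    # files) before building an unverified tarball as root.
    tar xf "openresty-$OPENRESTY_VERSION.tar.gz"
    cd "openresty-$OPENRESTY_VERSION"
    ./configure
    make
    sudo make install
  )
fi

if ! command -v luarocks >/dev/null 2>&1
then
  sudo apt-get install -y "${BUILD_DEPS[@]}"
  (
    cd "$BUILD_DIR"
    wget "https://keplerproject.github.io/luarocks/releases/luarocks-$LUAROCKS_VERSION.tar.gz"
    # TODO(review): same as above -- no integrity check on the download.
    tar xf "luarocks-$LUAROCKS_VERSION.tar.gz"
    cd "luarocks-$LUAROCKS_VERSION"
    ./configure
    make build
    sudo make install
  )
fi

sudo luarocks install luacrypto # needed for pgmoon, but not installed automatically ?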
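sudo luarocks install lapis
sudo luarocks install moonscript
sudo luarocks install bcrypt
sudo luarocks install lapis-console # not used yet, but I totally will
# NOTE(review): none of the rocks above are version-pinned, so each run may
# pull a different (unreviewed) release; pin them for reproducible installs.

# Certificate / TLS Security
if [ "${1:-}" != "dev" ]
then
  # certbot's standalone authenticator binds port 80 itself, so nginx is
  # stopped for the challenge and restarted afterwards. Renewals will need the
  # same dance (certbot-auto renew --pre-hook/--post-hook); nothing here
  # schedules them.
  sudo nginx -s stop
  sudo certbot-auto certonly --standalone --agree-tos --no-eff-email -n \
    -m "$EMAIL_ADDRESS" -d "$DOMAIN_NAME"
  sudo nginx
  openssl dhparam -out ./dhparams.pem 2048
fi

# Database access
sudo -u postgres createuser simplex
# Make the app role the owner of its database so it can create tables in the
# public schema regardless of server defaults (PostgreSQL 15+ no longer grants
# CREATE on public to everyone); the explicit GRANT below is kept as before.
sudo -u postgres createdb -O simplex simplex
# The SQL is fed on stdin instead of being placed in a `bash -c` argument: the
# password then never appears in a command line that other local users can
# read via `ps`, and no nested quoting is needed. The server may still record
# the ALTER USER statement if log_statement is enabled. POSTGRES_PASSWORD is
# base64 text, so it cannot contain a quote that would end the SQL literal.
sudo -u postgres psql -v ON_ERROR_STOP=1 <<SQL
ALTER USER simplex WITH ENCRYPTED PASSWORD '$POSTGRES_PASSWORD';
GRANT ALL PRIVILEGES ON DATABASE simplex TO simplex;
SQL

# Secrets setup. umask 077 makes the file owner-only from creation; with the
# default umask the DB password and session secret would sit world-readable
# (0644) until the chown below, and stay readable by every local user after it.
(
  umask 077
  cat > ./secret.moon <<MOON
{
  sql_password: '$POSTGRES_PASSWORD'
  session_secret: '$(head -c 18 /dev/urandom | base64)'
  _domain: '$DOMAIN_NAME'
  _port: $PORT
}
MOON
)

# Compile, run migrations, then hand the tree to the service user.
moonc .
# moonc writes secret.lua with the default umask; lock it down alongside the
# source before anything else runs.
chmod 600 ./secret.moon ./secret.lua
# Migrate before the chown so the invoking user (the one who can still read
# the 0600 secrets) runs it; the chown afterwards fixes up ownership of
# anything the migration created.
lapis migrate production
# NOTE(review): the service user ends up owning its own code tree, so a
# compromised app process can rewrite it. Kept because lapis writes its
# generated nginx config and logs here; a separate writable logs/ dir would be
# the least-privilege alternative.
sudo chown -R www-data:www-data ./

# As-a-Service
if [ "${1:-}" != "dev" ]
then
  # `sudo echo ... > /etc/...` redirects as the unprivileged caller and fails
  # with "permission denied"; tee runs under sudo so the write is privileged.
  sudo tee /etc/systemd/system/simplex.service >/dev/null <<UNIT
[Unit]
Description=simplex server

[Service]
User=www-data
Type=forking
WorkingDirectory=$INSTALL_DIR
ExecStart=$(command -v lapis) server production
ExecReload=$(command -v lapis) build production
ExecStop=$(command -v lapis) term
# Cheap hardening: the service never needs to gain privileges or share /tmp.
NoNewPrivileges=true
PrivateTmp=true

[Install]
WantedBy=multi-user.target
UNIT
  sudo systemctl daemon-reload
  sudo systemctl enable simplex.service
  sudo systemctl start simplex.service

  # Proxy: TLS terminates here and the app is reached over loopback plaintext.
  # NOTE(review): make sure the app itself binds 127.0.0.1 only -- the
  # config above only sets the port; if lapis listens on all interfaces the
  # backend is reachable directly over HTTP, bypassing this proxy.
  # nginx's own $variables are escaped so the shell leaves them alone.
  sudo tee /etc/nginx/sites-enabled/simplex-proxy.conf >/dev/null <<NGINX
# Plain-HTTP listener only redirects; HSTS cannot protect the very first visit.
server {
    listen 80;
    server_name $DOMAIN_NAME;
    return 301 https://$DOMAIN_NAME\$request_uri;
}

server {
    listen 443 ssl;
    server_name $DOMAIN_NAME;

    # DO NOT includeSubDomains; (some subdomains intentionally served over HTTP for now)
    # Note: the HSTS preload list requires includeSubDomains, so 'preload' is
    # inert here until that changes.
    add_header Strict-Transport-Security "max-age=63072000; preload";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;

    ssl_certificate /etc/letsencrypt/live/$DOMAIN_NAME/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$DOMAIN_NAME/privkey.pem;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and were enabled before; only
    # 1.2 now. Add TLSv1.3 once the distro nginx/OpenSSL pair supports it.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_ecdh_curve secp384r1;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    # chain.pem gives nginx the issuer needed to verify the stapled OCSP
    # response; stapling also needs a 'resolver' directive (not configured
    # here) to reach the OCSP responder -- check the error log after reload.
    ssl_trusted_certificate /etc/letsencrypt/live/$DOMAIN_NAME/chain.pem;
    ssl_dhparam $INSTALL_DIR/dhparams.pem;

    location / {
        proxy_pass http://127.0.0.1:$PORT;
        # Tell the app who the client is and that the request came in over TLS.
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
    }
}
NGINX
  # Validate first: `nginx -s reload` returns 0 even when the running master
  # rejects the new config and silently keeps the old one.
  sudo nginx -t
  sudo nginx -s reload
fi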