simplex/install.sh
2018-04-24 06:36:32 -07:00

150 lines
4.2 KiB
Bash
Executable File

#!/bin/bash
set -o errexit
INSTALL_DIR=$(pwd)
OPENRESTY_VERSION=1.13.6.1
LUAROCKS_VERSION=2.4.1
POSTGRES_PASSWORD=$(cat /dev/urandom | head -c 12 | base64)
if [ "$1" != "dev" ]
then
read -p "Enter email address for use with certbot-auto: " EMAIL_ADDRESS
read -p "Enter the domain name this will be running on: " DOMAIN_NAME
read -p "Enter the port this will be running on: " PORT
fi
EMAIL_ADDRESS=${EMAIL_ADDRESS:-noone@example.com}
DOMAIN_NAME=${DOMAIN_NAME:-localhost}
PORT=${PORT:-9872}
### PREREQUISITES ###
if ! command -v nginx >/dev/null 2>&1
then
sudo apt-get install nginx -y
fi
if ! command -v certbot-auto >/dev/null 2>&1 && [ "$1" != "dev" ]
then
wget https://dl.eff.org/certbot-auto
chmod a+x ./certbot-auto
sudo mv ./certbot-auto /bin/certbot-auto
fi
if ! command -v psql >/dev/null 2>&1
then
sudo apt-get install postgresql -y
fi
if ! command -v openresty >/dev/null 2>&1 || [ ! -d '/usr/local/openresty' ]
then
sudo apt-get install wget curl lua5.1 liblua5.1-0-dev zip unzip libreadline-dev libncurses5-dev libpcre3-dev openssl libssl-dev perl make build-essential -y
cd ..
wget https://openresty.org/download/openresty-$OPENRESTY_VERSION.tar.gz
tar xvf openresty-$OPENRESTY_VERSION.tar.gz
cd openresty-$OPENRESTY_VERSION
./configure
make
sudo make install
cd ..
rm -rf openresty-$OPENRESTY_VERSION*
cd $INSTALL_DIR
fi
if ! command -v luarocks >/dev/null 2>&1
then
sudo apt-get install wget curl lua5.1 liblua5.1-0-dev zip unzip libreadline-dev libncurses5-dev libpcre3-dev openssl libssl-dev perl make build-essential -y
cd ..
wget https://keplerproject.github.io/luarocks/releases/luarocks-$LUAROCKS_VERSION.tar.gz
tar xvf luarocks-$LUAROCKS_VERSION.tar.gz
cd luarocks-$LUAROCKS_VERSION
./configure
make build
sudo make install
cd ..
rm -rf luarocks-$LUAROCKS_VERSION*
cd $INSTALL_DIR
fi
sudo luarocks install luacrypto # needed for pgmoon, but not installed automatically ?
sudo luarocks install lapis
sudo luarocks install moonscript
sudo luarocks install bcrypt
sudo luarocks install lapis-console # not used yet, but I totally will
# Certificate / TLS Security
if [ "$1" != "dev" ]
then
sudo nginx -s stop
sudo certbot-auto certonly --standalone --agree-tos --no-eff-email -n -m $EMAIL_ADDRESS -d $DOMAIN_NAME
sudo nginx
openssl dhparam -out ./dhparams.pem 2048
fi
# Database access
sudo -u postgres createuser simplex
sudo -u postgres createdb simplex
sudo -u postgres bash -c 'psql -c "ALTER USER simplex WITH ENCRYPTED PASSWORD '\'$POSTGRES_PASSWORD\''; GRANT ALL PRIVILEGES ON DATABASE simplex TO simplex;"'
# Secrets setup
echo "{
sql_password: '$POSTGRES_PASSWORD'
session_secret: '$(cat /dev/urandom | head -c 12 | base64)'
_domain: '$DOMAIN_NAME'
_port: $PORT
}" > ./secret.moon
# Compile, Change owner, Run migrations
moonc .
sudo chown -R www-data:www-data ./
lapis migrate production
# As-a-Service
if [ "$1" != "dev" ]
then
sudo echo "[Unit]
Description=simplex server
[Service]
User=www-data
Type=forking
WorkingDirectory=$INSTALL_DIR
ExecStart=$(which lapis) server production
ExecReload=$(which lapis) build production
ExecStop=$(which lapis) term
[Install]
WantedBy=multi-user.target" > /etc/systemd/system/simplex.service
sudo systemctl daemon-reload
sudo systemctl enable simplex.service
sudo service simplex start
# Proxy
sudo echo "server {
listen 443 ssl;
server_name $DOMAIN_NAME;
add_header Strict-Transport-Security \"max-age=63072000; preload\"; # DO NOT includeSubDomains; (some subdomains intentionally served over HTTP for now)
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
ssl_certificate /etc/letsencrypt/live/$DOMAIN_NAME/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/$DOMAIN_NAME/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers \"EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH\";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
ssl_dhparam $INSTALL_DIR/dhparams.pem;
location / {
proxy_pass http://127.0.0.1:$PORT;
}
}" > /etc/nginx/sites-enabled/simplex-proxy.conf
sudo nginx -s reload
fi