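#!/bin/bash
#
# Installer for the "simplex" Lapis/OpenResty application on a Debian or
# Ubuntu host (apt-get, systemd, /etc/nginx/sites-enabled layout). It
# installs build prerequisites, obtains a Let's Encrypt certificate,
# creates the PostgreSQL role and database, writes the generated secrets
# file, registers a systemd unit and configures an nginx TLS reverse proxy
# in front of the application.
#
# Usage:
#   ./install.sh        production: prompts for email, domain and port
#   ./install.sh dev    development: no certificate, service or proxy;
#                       defaults are used for email, domain and port
#
# Run it from the application's root directory: the current directory is
# taken as the install location.
#
# Only errexit is enabled: "$1" is tested unguarded further down and is
# unset in production mode, so nounset would abort those runs.
set -o errexit

INSTALL_DIR=$(pwd)
OPENRESTY_VERSION=1.13.6.1
LUAROCKS_VERSION=2.4.1

# Password for the application's PostgreSQL role: 18 random bytes, base64
# encoded (24 characters). The base64 alphabet contains no quotes, spaces
# or shell metacharacters, which the SQL and secret.moon writers later in
# this script rely on.
POSTGRES_PASSWORD=$(head -c 18 /dev/urandom | base64)

# Abort with a message on stderr.
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

if [ "$1" != "dev" ]
then
  # -r: keep backslashes literal instead of treating them as escapes.
  read -r -p "Enter email address for use with certbot-auto: " EMAIL_ADDRESS
  read -r -p "Enter the domain name this will be running on: " DOMAIN_NAME
  read -r -p "Enter the port this will be running on: " PORT
fi

EMAIL_ADDRESS=${EMAIL_ADDRESS:-noone@example.com}
DOMAIN_NAME=${DOMAIN_NAME:-localhost}
PORT=${PORT:-9872}

# These values are interpolated into the certbot command line, the nginx
# server block and secret.moon later in this script -- files written with
# root privileges -- so only a conservative character set is accepted. A
# stray quote, ';' or '{' would otherwise land verbatim in configuration
# that nginx parses as root.
email_re='^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+$'
domain_re='^[A-Za-z0-9.-]+$'
port_re='^[0-9]{1,5}$'
[[ $EMAIL_ADDRESS =~ $email_re ]] || die "invalid email address: '$EMAIL_ADDRESS'"
[[ $DOMAIN_NAME =~ $domain_re ]] || die "invalid domain name: '$DOMAIN_NAME'"
# 10# forces decimal so a leading zero is not read as octal.
if ! [[ $PORT =~ $port_re ]] || (( 10#$PORT < 1 || 10#$PORT > 65535 )); then
  die "invalid port: '$PORT'"
fi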
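### PREREQUISITES ###

# Packages needed to build OpenResty and LuaRocks from source (shared by
# both builds below).
install_build_deps() {
  sudo apt-get install wget curl lua5.1 liblua5.1-0-dev zip unzip libreadline-dev libncurses5-dev libpcre3-dev openssl libssl-dev perl make build-essential -y
}

# Download a release tarball, build it and `sudo make install` it.
#   $1   tarball URL
#   $2   name of the directory the tarball unpacks to
#   $3.. extra make targets to run before `make install` (none = plain make)
# The work happens in a fresh mktemp directory that is removed afterwards,
# rather than in the parent of INSTALL_DIR followed by `rm -rf <name>*`,
# a glob that could also sweep up unrelated entries there. On failure
# errexit stops the script and the scratch directory is left in place for
# inspection. Set TMPDIR if /tmp is mounted noexec (the configure scripts
# are executed directly).
# NOTE(review): only transport security (HTTPS) protects these downloads;
# no checksum or signature is verified against the tarballs.
build_from_source() {
  local url=$1 name=$2
  shift 2
  local scratch
  scratch=$(mktemp -d)
  (
    cd "$scratch"
    wget "$url"
    tar xf "${url##*/}"
    cd "$name"
    ./configure
    make "$@"
    sudo make install
  )
  rm -rf -- "$scratch"
}

if ! command -v nginx >/dev/null 2>&1
then
  sudo apt-get install nginx -y
fi

if ! command -v certbot-auto >/dev/null 2>&1 && [ "$1" != "dev" ]
then
  # NOTE(review): the script is fetched without any integrity check (no
  # checksum or signature verification) and is later executed via sudo,
  # so a tampered download runs as root. Verify it against EFF's published
  # signature before trusting it, or prefer the distribution's certbot
  # package -- EFF has since deprecated certbot-auto.
  wget https://dl.eff.org/certbot-auto
  # install(1) copies with root ownership and 0755; the original
  # chmod + mv left a root-executed script owned by the invoking user,
  # who could then edit what sudo runs.
  sudo install -m 0755 -o root -g root ./certbot-auto /bin/certbot-auto
  rm -f ./certbot-auto
fi

if ! command -v psql >/dev/null 2>&1
then
  sudo apt-get install postgresql -y
fi

if ! command -v openresty >/dev/null 2>&1 || [ ! -d '/usr/local/openresty' ]
then
  install_build_deps
  build_from_source "https://openresty.org/download/openresty-$OPENRESTY_VERSION.tar.gz" "openresty-$OPENRESTY_VERSION"
fi

if ! command -v luarocks >/dev/null 2>&1
then
  install_build_deps
  build_from_source "https://keplerproject.github.io/luarocks/releases/luarocks-$LUAROCKS_VERSION.tar.gz" "luarocks-$LUAROCKS_VERSION" build
fi

# NOTE(review): these rocks are unpinned, so every run installs whatever
# the rocks server currently serves as latest; pin versions for
# reproducible (and reviewable) installs.
sudo luarocks install luacrypto # needed for pgmoon, but not installed automatically ?
sudo luarocks install lapis
sudo luarocks install moonscript
sudo luarocks install bcrypt
sudo luarocks install lapis-console # not used yet, but I totally will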
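# Certificate / TLS Security
if [ "$1" != "dev" ]
then
  # certbot's standalone authenticator binds port 80 itself, so the
  # distro nginx must be out of the way while it runs. systemctl is used
  # instead of `nginx -s stop` / `nginx` so that the instance running
  # afterwards is the one systemd tracks (apt's nginx is a systemd unit,
  # and the rest of this script relies on systemd too).
  sudo systemctl stop nginx
  # Values are quoted: they come from interactive input.
  if ! sudo certbot-auto certonly --standalone --agree-tos --no-eff-email -n -m "$EMAIL_ADDRESS" -d "$DOMAIN_NAME"
  then
    # Do not leave the host without its web server on failure.
    sudo systemctl start nginx
    printf 'error: certbot-auto failed for %s\n' "$DOMAIN_NAME" >&2
    exit 1
  fi
  sudo systemctl start nginx
  # NOTE(review): nothing schedules renewal of this certificate; with the
  # standalone authenticator a renewal again needs port 80 free.
  #
  # DH group for the DHE suites enabled in the proxy config (referenced
  # there via ssl_dhparam). This takes a while.
  openssl dhparam -out ./dhparams.pem 2048
fi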
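# Database access
#
# Role and database are created only when missing, so the script can be
# re-run; unconditional createuser/createdb abort the whole install
# (errexit) on a second run.
if ! sudo -u postgres psql -tAc "SELECT 1 FROM pg_roles WHERE rolname = 'simplex'" | grep -q 1
then
  sudo -u postgres createuser simplex
fi
if ! sudo -u postgres psql -tAc "SELECT 1 FROM pg_database WHERE datname = 'simplex'" | grep -q 1
then
  sudo -u postgres createdb simplex
fi

# The password is handed to psql on stdin. The original
# `bash -c 'psql -c "... '\'$PASSWORD\'' ..."'` put it into the argv of
# two processes (readable in `ps`) and expanded it unquoted inside a
# double-quoted string. Single quotes are doubled so the value is a
# well-formed SQL literal whatever it contains; ON_ERROR_STOP makes psql
# exit non-zero (and errexit stop the script) if a statement fails.
sql_password=${POSTGRES_PASSWORD//"'"/"''"}
sudo -u postgres psql -v ON_ERROR_STOP=1 --quiet <<SQL
ALTER USER simplex WITH ENCRYPTED PASSWORD '${sql_password}';
GRANT ALL PRIVILEGES ON DATABASE simplex TO simplex;
SQL

# Secrets setup
#
# secret.moon carries the DB password and the session-signing key, so it
# is created with mode 0600 (umask 077 in a subshell) instead of the
# default 0644. A copy left by a previous run would be www-data-owned and
# unwritable, hence the removal first.
sudo rm -f ./secret.moon ./secret.lua
(
  umask 077
  cat > ./secret.moon <<MOON
{
  sql_password: '$POSTGRES_PASSWORD'
  session_secret: '$(head -c 32 /dev/urandom | base64)'
  _domain: '$DOMAIN_NAME'
  _port: $PORT
}
MOON
)

# Compile, Change owner, Run migrations
#
# Migrations run as the invoking user *before* ownership moves to
# www-data, so the now-0600 secrets file is still readable to them.
# moonc writes the compiled secret.lua next to secret.moon with default
# permissions, so both files are tightened once they belong to www-data.
moonc .
lapis migrate production
# NOTE(review): chown -R hands the whole application tree, code included,
# to the service user; a compromised worker can then rewrite its own
# code. Prefer root-owned code with only the writable directories the
# app needs owned by www-data.
sudo chown -R www-data:www-data ./
sudo chmod 600 ./secret.moon
if [ -f ./secret.lua ]; then
  sudo chmod 600 ./secret.lua
fi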
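# As-a-Service
if [ "$1" != "dev" ]
then
  # Resolve once; an empty ExecStart= would make the unit unloadable.
  lapis_bin=$(command -v lapis) || { printf 'error: lapis not found in PATH\n' >&2; exit 1; }

  # Written through `sudo tee`: with `sudo echo ... > /etc/...` the
  # redirection is performed by the unprivileged shell and fails with
  # "Permission denied" unless the whole script already runs as root.
  sudo tee /etc/systemd/system/simplex.service >/dev/null <<UNIT
[Unit]
Description=simplex server
After=network.target postgresql.service

[Service]
User=www-data
Type=forking
WorkingDirectory=$INSTALL_DIR
ExecStart=$lapis_bin server production
ExecReload=$lapis_bin build production
ExecStop=$lapis_bin term
Restart=on-failure
# Runs unprivileged on a high port and never needs to gain privileges.
NoNewPrivileges=true
PrivateTmp=true

[Install]
WantedBy=multi-user.target
UNIT
  sudo systemctl daemon-reload
  sudo systemctl enable simplex.service
  sudo systemctl start simplex.service

  # Proxy
  #
  # nginx variables are escaped (\$host) because the heredoc expands
  # shell variables; $DOMAIN_NAME, $PORT and $INSTALL_DIR are meant to
  # be expanded.
  sudo tee /etc/nginx/sites-enabled/simplex-proxy.conf >/dev/null <<NGINX
server {
  listen 80;
  server_name $DOMAIN_NAME;
  # Plain HTTP only redirects to HTTPS; HSTS below is never seen by a
  # client that cannot reach the TLS listener first.
  return 301 https://$DOMAIN_NAME\$request_uri;
}

server {
  listen 443 ssl;
  server_name $DOMAIN_NAME;

  # No includeSubDomains (some subdomains intentionally served over HTTP
  # for now). The 'preload' token was dropped with it: the HSTS preload
  # list requires includeSubDomains, so on its own it did nothing.
  add_header Strict-Transport-Security "max-age=63072000";
  add_header X-Frame-Options DENY;
  add_header X-Content-Type-Options nosniff;

  ssl_certificate /etc/letsencrypt/live/$DOMAIN_NAME/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/$DOMAIN_NAME/privkey.pem;
  # TLS 1.0/1.1 removed (deprecated, RFC 8996); add TLSv1.3 once the
  # distro nginx/OpenSSL accept it.
  ssl_protocols TLSv1.2;
  ssl_prefer_server_ciphers on;
  ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
  ssl_ecdh_curve secp384r1;
  ssl_session_cache shared:SSL:10m;
  ssl_session_tickets off;
  # NOTE(review): OCSP stapling needs a 'resolver' directive to look up
  # the responder; none is configured here, so stapling may silently not
  # work.
  ssl_stapling on;
  ssl_stapling_verify on;
  ssl_dhparam $INSTALL_DIR/dhparams.pem;

  location / {
    proxy_pass http://127.0.0.1:$PORT;
    # Tell the backend who the client is and that it sits behind TLS.
    proxy_set_header Host \$host;
    proxy_set_header X-Real-IP \$remote_addr;
    proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
  }
}
NGINX
  # Validate first: `nginx -s reload` keeps the old configuration
  # silently when the new one fails to parse.
  sudo nginx -t
  sudo nginx -s reload
fi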