Files
peach-workspace/install.sh
2025-06-20 17:53:56 -04:00

220 lines
6.6 KiB
Bash

#!/bin/bash
set -e
#=============================
# BASIC CONFIGURATION
#=============================
# change the following with your configs
PASSWORD="changeme" # You should override this
DOMAIN=zpub.commoninternet.net
PORT=8000
PORT_SSB=8008
# these configs are probably fine as they are
APP="peach"
INSTALL_DIR="/opt/$APP"
TILDE_DIR="$INSTALL_DIR/.ssb-tilde"
PEACH_WEB_SERVICE="${APP}-peach-web"
TILDE_SBOT_SERVICE="${APP}-tilde-sbot"
GITHUB_BASE_URL="https://raw.githubusercontent.com/YunoHost-Apps/peachpub_ynh/refs/heads/master/conf/"
# Create app user if not exists
if ! id "$APP" &>/dev/null; then
useradd --system --create-home --shell /bin/bash "$APP"
fi
#=============================
# MAKE DIRECTORIES
#=============================
mkdir -p $INSTALL_DIR "$INSTALL_DIR/config" "$TILDE_DIR"
#=============================
# DOWNLOAD AND VERIFY SOURCE
#=============================
echo "Detecting architecture..."
ARCH=$(dpkg --print-architecture)
case "$ARCH" in
amd64)
ARCH_URL="https://files.commoninternet.net/assets/releases/peachpub-0.7.0~ynh1-amd64.tar.gz"
ARCH_SHA256="178750af87ba2ec2fc2778ad9031870224b85e6aaf85716aab0375c1077af80a"
;;
arm64)
ARCH_URL="https://files.commoninternet.net/assets/releases/peachpub-0.7.0~ynh1-arm64.tar.gz"
ARCH_SHA256="e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
;;
*)
echo "Unsupported architecture: $ARCH"
exit 1
;;
esac
TMP_TAR="/tmp/${APP}.tar.gz"
echo "Downloading from $ARCH_URL..."
curl -fsSL "$ARCH_URL" -o "$TMP_TAR"
echo "Verifying checksum..."
DOWNLOADED_HASH=$(sha256sum "$TMP_TAR" | awk '{print $1}')
if [ "$DOWNLOADED_HASH" != "$ARCH_SHA256" ]; then
echo "Checksum mismatch!"
echo "Expected: $ARCH_SHA256"
echo "Got: $DOWNLOADED_HASH"
exit 1
fi
echo "Checksum verified. Extracting to $INSTALL_DIR..."
mkdir -p "$INSTALL_DIR"
tar -xzf "$TMP_TAR" -C "$INSTALL_DIR"
rm "$TMP_TAR"
#=============================
# DOWNLOAD CONF FILES
#=============================
download_and_template() {
local template_name="$1"
local destination="$2"
echo "Downloading and templating $template_name -> $destination"
curl -fsSL "$GITHUB_BASE_URL/$template_name" -o "$destination"
sed -i "s|__APP__|$APP|g" "$destination"
sed -i "s|__DOMAIN__|$DOMAIN|g" "$destination"
sed -i "s|__PORT__|$PORT|g" "$destination"
sed -i "s|__SSB_PORT__|$SSB_PORT|g" "$destination"
sed -i "s|__INSTALL_DIR__|$INSTALL_DIR|g" "$destination"
sed -i "s|__PEACH_WEB_SERVICE__|$PEACH_WEB_SERVICE|g" "$destination"
sed -i "s|__TILDE_SBOT_SERVICE__|$TILDE_SBOT_SERVICE|g" "$destination"
sed -i "s|__TILDE_DIR__|$TILDE_DIR|g" "$destination"
sed -i "s|__PASSWORD__|$PASSWORD|g" "$destination"
}
# download config files
download_and_template "tilde-sbot.toml" "$TILDE_DIR/tilde-sbot.toml"
download_and_template "peach.yml" "$INSTALL_DIR/config/config.yml"
# permissions
chmod -R u+rwX,g+rwX $INSTALL_DIR
chown -R "$APP:$APP" $INSTALL_DIR
# download sudoers file that allows peach-web to stop and restart tilde-sbot
mkdir -p /etc/sudoers.d/
download_and_template "sudoers" "/etc/sudoers.d/$APP"
chmod 440 "/etc/sudoers.d/$APP"
chown root:root "/etc/sudoers.d/$APP"
# #=============================
# # LOGGING
# #=============================
mkdir -p "/var/log/$APP"
touch "/var/log/$APP/$PEACH_WEB_SERVICE.log"
touch "/var/log/$APP/$TILDE_SBOT_SERVICE.log"
chown -R "$APP:$APP" "/var/log/$APP"
#=============================
# SYSTEMD SETUP
#=============================
download_and_template "peach-web.service" "/etc/systemd/system/$PEACH_WEB_SERVICE.service"
download_and_template "tilde-sbot.service" "/etc/systemd/system/$TILDE_SBOT_SERVICE.service"
systemctl daemon-reexec
systemctl daemon-reload
systemctl enable --now "$TILDE_SBOT_SERVICE"
systemctl enable --now "$PEACH_WEB_SERVICE"
#=============================
# PASSWORD SETUP
#=============================
chmod 770 "$INSTALL_DIR/peach-web"
PEACH_CONFIGDIR="$INSTALL_DIR/config" PEACH_CONFIG_PATH="$INSTALL_DIR/config/config.yml" \
"$INSTALL_DIR/peach-web" change-password "$PASSWORD"
chown -R "$APP:$APP" "$INSTALL_DIR"
chmod -R u+rwX,g+rwX "$INSTALL_DIR"
#=============================
# INSTALL AND CONFIGURE NGINX
#=============================
apt-get update
apt-get install -y nginx
NGINX_CONF="/etc/nginx/sites-available/${APP}"
mkdir -p /var/www/html
#-------------------------------
# Write HTTP-only config
#-------------------------------
cat > "$NGINX_CONF" <<EOF
server {
listen 80;
server_name $DOMAIN;
access_log /var/log/nginx/${APP}_access.log;
error_log /var/log/nginx/${APP}_error.log;
location /.well-known/acme-challenge/ {
root /var/www/html;
}
location / {
proxy_set_header Accept-Encoding "";
try_files \$uri @proxy;
}
location @proxy {
proxy_pass http://localhost:$PORT;
proxy_set_header Host \$host;
proxy_set_header X-Forwarded-Host \$host;
proxy_set_header X-Forwarded-For \$remote_addr:\$remote_port;
proxy_set_header X-Forwarded-Proto \$scheme;
proxy_http_version 1.1;
}
}
EOF
ln -sf "$NGINX_CONF" "/etc/nginx/sites-enabled/${APP}"
echo "Testing and reloading HTTP nginx config..."
nginx -t && systemctl reload nginx
#-------------------------------
# RUN CERTBOT, WHICH WILL AUTOMATICALLY ADD HTTPS TO NGINX CONF IF IT SUCCEEDS
#-------------------------------
echo "installing certbot"
apt-get install -y certbot python3-certbot-nginx
# NOTE: if your domain was not properly configured before running install script,
# then you will need to re-run this certbot command after configuring your domain
echo "Attempting to request TLS certificate for $DOMAIN..."
if certbot --nginx --non-interactive --agree-tos --email "admin@$DOMAIN" -d "$DOMAIN"; then
echo "✔️ Certbot succeeded. linking HTTPS config..."
nginx -t && systemctl reload nginx
else
echo "⚠warning: Certbot failed. Skipping HTTPS. App will be available on HTTP only."
fi
#-------------------------------
# Auto-renew Cron
#-------------------------------
echo "Setting up certbot auto-renewal..."
echo "0 0 * * * root /usr/bin/certbot renew --quiet && /bin/systemctl reload nginx" > /etc/cron.d/certbot-renew
chmod 644 /etc/cron.d/certbot-renew
#=============================
# FINALIZE
#=============================
# NOTE ABOUT FAIL2BAN:
# logrotate and fail2ban not configured in this script
# example fail2ban regex is here if you want to configure manually
# https://github.com/YunoHost-Apps/peachpub_ynh/blob/a628312dc99425b158875fc1a5fe7ffc6da1be1a/scripts/install#L83
echo "☀ installation of $APP completed successfully ☀"