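#!/bin/bash
# Unattended installer for the peach web front-end and tilde-sbot on a
# Debian-style host. It expects to run as root: it calls useradd, apt-get and
# systemctl and writes under /opt, /etc/sudoers.d, /etc/systemd/system,
# /etc/nginx and /etc/cron.d. Edit the BASIC CONFIGURATION section before
# running it.
#
# -e aborts on the first failing command. -o pipefail makes a pipeline report
# the failure of any stage, so the sha256sum|awk step below cannot hand back an
# empty digest with status 0 when sha256sum itself fails. -u is not enabled
# because the script does not declare every variable it expands.
set -eo pipefail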
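#=============================
# BASIC CONFIGURATION
#=============================

# change the following with your configs
# PASSWORD may also be supplied from the environment (PASSWORD=... ./install)
# so the secret does not have to be written into this file; the literal below
# is only the fallback.
PASSWORD="${PASSWORD:-changeme}" # You should override this
DOMAIN=zpub.commoninternet.net
PORT=8000
PORT_SSB=8008

# The shipped placeholder is public (it is in this script), so an install that
# keeps it is open to anyone who has read the script. Warn loudly; the value
# is still used so existing invocations keep working.
if [ "$PASSWORD" = "changeme" ]; then
  echo "WARNING: PASSWORD is still the default 'changeme'; set a real one before exposing $DOMAIN" >&2
fi

# these configs are probably fine as they are
APP="peach"
INSTALL_DIR="/opt/$APP"
TILDE_DIR="$INSTALL_DIR/.ssb-tilde"
PEACH_WEB_SERVICE="${APP}-peach-web"
TILDE_SBOT_SERVICE="${APP}-tilde-sbot"
# Templates (configs, systemd units, a sudoers fragment) are fetched from the
# tip of the master branch, so their content is not pinned: whatever that
# branch holds at install time lands on this host. Pointing this at a specific
# commit instead of refs/heads/master makes installs reproducible and lets the
# fetched files be audited against a known revision.
GITHUB_BASE_URL="https://raw.githubusercontent.com/YunoHost-Apps/peachpub_ynh/refs/heads/master/conf/"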
# Create app user if not exists
# The daemons are expected to run under this dedicated system account rather
# than root. NOTE(review): --shell /bin/bash gives the account an interactive
# login shell; a service account would normally get /usr/sbin/nologin unless
# something relies on `su - peach` — left as-is, confirm before tightening.
id "$APP" >/dev/null 2>&1 || useradd --system --create-home --shell /bin/bash "$APP"
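#=============================
# MAKE DIRECTORIES
#=============================
# Every path is quoted: an unquoted $INSTALL_DIR would be word-split and
# glob-expanded, which for mkdir -p means creating the wrong directories.
mkdir -p "$INSTALL_DIR" "$INSTALL_DIR/config" "$TILDE_DIR"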
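#=============================
# DOWNLOAD AND VERIFY SOURCE
#=============================

echo "Detecting architecture..."
ARCH=$(dpkg --print-architecture)
case "$ARCH" in
  amd64)
    ARCH_URL="https://files.commoninternet.net/assets/releases/peachpub-0.7.0~ynh1-amd64.tar.gz"
    ARCH_SHA256="178750af87ba2ec2fc2778ad9031870224b85e6aaf85716aab0375c1077af80a"
    ;;
  arm64)
    ARCH_URL="https://files.commoninternet.net/assets/releases/peachpub-0.7.0~ynh1-arm64.tar.gz"
    # NOTE(review): e3b0c442...b855 is the SHA-256 of empty input, not of any
    # tarball, so the arm64 path can never pass verification as written.
    # Replace it with the real digest of the arm64 archive
    # (<ARM64_TARBALL_SHA256>, to be taken from the release); failing closed
    # until then is the right default, do not relax the check to a warning.
    ARCH_SHA256="e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
    ;;
  *)
    echo "Unsupported architecture: $ARCH" >&2
    exit 1
    ;;
esac

# mktemp instead of a fixed /tmp/peach.tar.gz: a predictable name in a
# world-writable directory can be pre-created or symlinked by another local
# user before root writes to it.
TMP_TAR=$(mktemp) || { echo "mktemp failed" >&2; exit 1; }
# Remove the archive on every exit path (success, curl error, checksum mismatch).
trap 'rm -f -- "$TMP_TAR"' EXIT

echo "Downloading from $ARCH_URL..."
curl -fsSL "$ARCH_URL" -o "$TMP_TAR"

echo "Verifying checksum..."
DOWNLOADED_HASH=$(sha256sum "$TMP_TAR" | awk '{print $1}')
if [ "$DOWNLOADED_HASH" != "$ARCH_SHA256" ]; then
  echo "Checksum mismatch!" >&2
  echo "Expected: $ARCH_SHA256" >&2
  echo "Got: $DOWNLOADED_HASH" >&2
  exit 1
fi

# The archive is unpacked as root into $INSTALL_DIR; the digest check above is
# the only thing standing between the download server and this host.
echo "Checksum verified. Extracting to $INSTALL_DIR..."
mkdir -p "$INSTALL_DIR"
tar -xzf "$TMP_TAR" -C "$INSTALL_DIR"

rm -f -- "$TMP_TAR"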
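#=============================
# DOWNLOAD CONF FILES
#=============================

#######################################
# Escape a value for use as the replacement text of a '|'-delimited sed s///.
# Backslash, '&' (sed: the matched text) and '|' (the delimiter) are prefixed
# with a backslash so they end up literally in the output file.
# Arguments: $1 - raw value
# Outputs:   escaped value on stdout, no trailing newline
#######################################
_sed_escape() {
  printf '%s' "$1" | sed -e 's/[\\&|]/\\&/g'
}

#######################################
# Fetch a template from $GITHUB_BASE_URL and replace its __TOKEN__ placeholders
# in place.
# Globals (read): GITHUB_BASE_URL APP DOMAIN PORT PORT_SSB INSTALL_DIR
#                 PEACH_WEB_SERVICE TILDE_SBOT_SERVICE TILDE_DIR PASSWORD
# Arguments: $1 - template file name under GITHUB_BASE_URL
#            $2 - destination path (overwritten)
# Outputs:   one progress line on stdout; errors on stderr
# Returns:   0 on success, 1 on bad arguments or a failed download
#######################################
download_and_template() {
  if [ $# -ne 2 ] || [ -z "$1" ] || [ -z "$2" ]; then
    echo "usage: download_and_template <template_name> <destination>" >&2
    return 1
  fi
  local template_name="$1"
  local destination="$2"
  echo "Downloading and templating $template_name -> $destination"

  # ${GITHUB_BASE_URL%/} drops a trailing slash so a base URL written with one
  # does not turn into ".../conf//name".
  curl -fsSL "${GITHUB_BASE_URL%/}/$template_name" -o "$destination" || {
    echo "download of $template_name failed" >&2
    return 1
  }

  # Every value goes through _sed_escape: unescaped, a PASSWORD such as 'a&b'
  # would be written as 'a__PASSWORD__b' and one containing '|' would abort
  # sed with an "unknown option" error. Expressions run in the original order;
  # __SSB_PORT__ is filled from PORT_SSB, the variable the configuration
  # section actually defines (the previous $SSB_PORT was never set and
  # expanded to an empty string).
  sed -i \
    -e "s|__APP__|$(_sed_escape "$APP")|g" \
    -e "s|__DOMAIN__|$(_sed_escape "$DOMAIN")|g" \
    -e "s|__PORT__|$(_sed_escape "$PORT")|g" \
    -e "s|__SSB_PORT__|$(_sed_escape "$PORT_SSB")|g" \
    -e "s|__INSTALL_DIR__|$(_sed_escape "$INSTALL_DIR")|g" \
    -e "s|__PEACH_WEB_SERVICE__|$(_sed_escape "$PEACH_WEB_SERVICE")|g" \
    -e "s|__TILDE_SBOT_SERVICE__|$(_sed_escape "$TILDE_SBOT_SERVICE")|g" \
    -e "s|__TILDE_DIR__|$(_sed_escape "$TILDE_DIR")|g" \
    -e "s|__PASSWORD__|$(_sed_escape "$PASSWORD")|g" \
    "$destination"
}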
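# download config files
download_and_template "tilde-sbot.toml" "$TILDE_DIR/tilde-sbot.toml"
download_and_template "peach.yml" "$INSTALL_DIR/config/config.yml"

# permissions
# Quoted: an unquoted $INSTALL_DIR would be word-split and glob-expanded, and
# with -R a mangled path means a recursive chmod/chown of the wrong tree.
# NOTE(review): the templates may carry __PASSWORD__ into these files, and
# g+rwX opens the whole tree to group "$APP"; which accounts are in that group
# is not visible from this script — keep its membership minimal.
chmod -R u+rwX,g+rwX "$INSTALL_DIR"
chown -R "$APP:$APP" "$INSTALL_DIR"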
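# download sudoers file that allows peach-web to stop and restart tilde-sbot
mkdir -p /etc/sudoers.d/
# Render into a private temp file, syntax-check it, and only then install it
# with its final owner and mode in one step. A sudoers fragment with a parse
# error breaks sudo for every user on the host, and downloading straight into
# /etc/sudoers.d would typically leave the file world-readable (curl creates
# it under the umask) until the chmod that used to follow.
SUDOERS_TMP=$(mktemp) || { echo "mktemp failed" >&2; exit 1; }
download_and_template "sudoers" "$SUDOERS_TMP"
if ! visudo -cf "$SUDOERS_TMP"; then
  echo "Rendered sudoers fragment failed the visudo check; not installing it" >&2
  rm -f -- "$SUDOERS_TMP"
  exit 1
fi
install -o root -g root -m 440 "$SUDOERS_TMP" "/etc/sudoers.d/$APP"
rm -f -- "$SUDOERS_TMP"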
# #=============================
# # LOGGING
# #=============================
# One log file per service under /var/log/<app>, handed to the service
# account so the daemons (presumably running as $APP) can append to them.
mkdir -p "/var/log/$APP"
for service_name in "$PEACH_WEB_SERVICE" "$TILDE_SBOT_SERVICE"; do
  touch "/var/log/$APP/$service_name.log"
done
chown -R "$APP:$APP" "/var/log/$APP"
#=============================
# SYSTEMD SETUP
#=============================
# The unit files come from the same unpinned template source as the configs;
# they decide which user the daemons run as and with what environment, so
# review them (or pin the source revision) before trusting this host.
download_and_template "peach-web.service" "/etc/systemd/system/$PEACH_WEB_SERVICE.service"
download_and_template "tilde-sbot.service" "/etc/systemd/system/$TILDE_SBOT_SERVICE.service"

# daemon-reexec restarts the systemd manager itself; daemon-reload is the step
# that picks up the new unit files. Both kept as in the original.
systemctl daemon-reexec
systemctl daemon-reload
# Start order kept as in the original: sbot first, then the web front-end.
for service_unit in "$TILDE_SBOT_SERVICE" "$PEACH_WEB_SERVICE"; do
  systemctl enable --now "$service_unit"
done
#=============================
# PASSWORD SETUP
#=============================
# Make the binary runnable for owner and group, then set the admin password
# through peach-web's own CLI against the freshly rendered config.
# NOTE(review): the password travels on the command line, so it is visible in
# the process list (ps) for the duration of the call; if peach-web can take it
# from stdin or an environment variable, prefer that.
chmod 770 "$INSTALL_DIR/peach-web"
env PEACH_CONFIGDIR="$INSTALL_DIR/config" \
    PEACH_CONFIG_PATH="$INSTALL_DIR/config/config.yml" \
    "$INSTALL_DIR/peach-web" change-password "$PASSWORD"

# Re-apply ownership and modes: change-password ran as root and may have
# written into the tree (presumably why the original repeated both commands).
chown -R "$APP:$APP" "$INSTALL_DIR"
chmod -R u+rwX,g+rwX "$INSTALL_DIR"
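#=============================
# INSTALL AND CONFIGURE NGINX
#=============================
apt-get update
# Non-interactive frontend so a debconf prompt cannot stall an unattended run.
DEBIAN_FRONTEND=noninteractive apt-get install -y nginx

NGINX_CONF="/etc/nginx/sites-available/${APP}"

# Webroot the nginx config below uses for ACME http-01 challenge files.
mkdir -p /var/www/html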
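#-------------------------------
# Write HTTP-only config
#-------------------------------
# Unquoted heredoc on purpose: $DOMAIN, $APP and $PORT are filled in by the
# shell, while nginx's own variables are written as \$uri, \$host, ... so they
# reach the file literally.
# NOTE(review): `try_files \$uri @proxy` under `location /` sets no root, so
# nginx's compiled-in default root is what \$uri is checked against — a file
# that happens to exist there is served instead of proxied; confirm intended.
# NOTE(review): X-Forwarded-For is written as addr:port, which is not the form
# most consumers of that header parse; left as-is in case the app expects it.
cat > "$NGINX_CONF" <<EOF
server {
    listen 80;
    server_name $DOMAIN;

    access_log /var/log/nginx/${APP}_access.log;
    error_log /var/log/nginx/${APP}_error.log;

    location /.well-known/acme-challenge/ {
        root /var/www/html;
    }

    location / {
        proxy_set_header Accept-Encoding "";
        try_files \$uri @proxy;
    }

    location @proxy {
        proxy_pass http://localhost:$PORT;
        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-Host \$host;
        proxy_set_header X-Forwarded-For \$remote_addr:\$remote_port;
        proxy_set_header X-Forwarded-Proto \$scheme;
        proxy_http_version 1.1;
    }
}
EOF

ln -sf "$NGINX_CONF" "/etc/nginx/sites-enabled/${APP}"

echo "Testing and reloading HTTP nginx config..."
# `nginx -t && systemctl reload nginx` did not stop the script when the test
# failed: set -e ignores the left-hand side of &&, so a broken config was
# skipped silently and certbot then ran against it. Fail explicitly instead.
if ! nginx -t; then
  echo "nginx configuration test failed; not reloading" >&2
  exit 1
fi
systemctl reload nginx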
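#-------------------------------
# RUN CERTBOT, WHICH WILL AUTOMATICALLY ADD HTTPS TO NGINX CONF IF IT SUCCEEDS
#-------------------------------
echo "installing certbot"
# Non-interactive frontend so a debconf prompt cannot stall an unattended run.
DEBIAN_FRONTEND=noninteractive apt-get install -y certbot python3-certbot-nginx

# NOTE: if your domain was not properly configured before running the install
# script, then you will need to re-run this certbot command after configuring
# your domain.
# The ACME account is registered with admin@$DOMAIN; expiry and policy notices
# go there, so make sure that mailbox exists or change the address.
echo "Attempting to request TLS certificate for $DOMAIN..."
if certbot --nginx --non-interactive --agree-tos --email "admin@$DOMAIN" -d "$DOMAIN"; then
  echo "✔️ Certbot succeeded. linking HTTPS config..."
  # `nginx -t && systemctl reload nginx` is ignored by set -e when the test
  # fails; check the config certbot just edited explicitly before reloading.
  if ! nginx -t; then
    echo "nginx configuration test failed after certbot; not reloading" >&2
    exit 1
  fi
  systemctl reload nginx
else
  # Without a certificate the admin password set above is submitted over plain
  # HTTP; re-run the certbot command once DNS points at this host.
  echo "⚠warning: Certbot failed. Skipping HTTPS. App will be available on HTTP only."
fi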
#-------------------------------
# Auto-renew Cron
#-------------------------------
# NOTE(review): the Debian certbot package ships its own renewal schedule
# (systemd timer / cron.d entry), so this adds a second daily renew attempt;
# harmless but redundant — confirm before keeping both.
echo "Setting up certbot auto-renewal..."
printf '%s\n' "0 0 * * * root /usr/bin/certbot renew --quiet && /bin/systemctl reload nginx" > /etc/cron.d/certbot-renew
# cron requires cron.d files to be root-owned and not writable by group/other.
chmod 644 /etc/cron.d/certbot-renew
#=============================
# FINALIZE
#=============================

# NOTE ABOUT FAIL2BAN:
# logrotate and fail2ban are not configured in this script; an example
# fail2ban regex is here if you want to configure it manually:
# https://github.com/YunoHost-Apps/peachpub_ynh/blob/a628312dc99425b158875fc1a5fe7ffc6da1be1a/scripts/install#L83

printf '%s\n' "☀ installation of $APP completed successfully ☀"