mirror of https://github.com/status-im/cabot.git
170 lines
4.5 KiB
Bash
170 lines
4.5 KiB
Bash
#!/usr/bin/env bash
|
|
|
|
set -e
|
|
set -o pipefail
|
|
|
|
cd "$(dirname "$0")"
|
|
|
|
# Add the 'ubuntu' user if it does not already exist
|
|
if [ -z "$(cat /etc/passwd | grep '^ubuntu:')" ]; then
|
|
useradd -m --shell /bin/bash ubuntu
|
|
fi
|
|
|
|
# Give the ubuntu user sudo privileges without a password
|
|
if [ ! -e /etc/sudoers.d/ubuntu ]; then
|
|
echo 'ubuntu ALL=(ALL) NOPASSWD:ALL' > /etc/sudoers.d/ubuntu
|
|
chmod 440 /etc/sudoers.d/ubuntu
|
|
fi
|
|
|
|
# Generate a keypair the ubuntu user
|
|
if [ ! -f /home/ubuntu/.ssh/id_rsa ]; then
|
|
su ubuntu -c 'mkdir -p ~/.ssh && ssh-keygen -t rsa -N "" -f ~/.ssh/id_rsa'
|
|
fi
|
|
|
|
if [ ! -z "$LOCAL_SSH_KEY" ]; then
|
|
if grep -Fxq "$LOCAL_SSH_KEY" /home/ubuntu/.ssh/authorized_keys; then
|
|
echo 'Local SSH public key already in remote authorized_keys'
|
|
else
|
|
echo 'Adding local SSH public key to authorized_keys'
|
|
echo "$LOCAL_SSH_KEY" >> /home/ubuntu/.ssh/authorized_keys
|
|
echo 'Key successfully added. You should now be able to SSH to this host as ubuntu@host'
|
|
fi
|
|
fi
|
|
|
|
# SSH permissions
|
|
chown -R ubuntu:ubuntu /home/ubuntu/.ssh
|
|
chmod -R 600 /home/ubuntu/.ssh
|
|
chmod +x /home/ubuntu/.ssh
|
|
|
|
# Disable root access
|
|
passwd -l root
|
|
echo 'SSH access for root disabled. You will need to connect as ubuntu.'
|
|
|
|
packages=(
|
|
'gcc'
|
|
'g++'
|
|
'make'
|
|
'git'
|
|
'python-pip'
|
|
'python-dev'
|
|
'python-virtualenv'
|
|
'build-essential'
|
|
'redis-server'
|
|
'libpq-dev'
|
|
'rubygems'
|
|
'libxml2-dev'
|
|
'libxslt-dev'
|
|
'nodejs'
|
|
'npm'
|
|
'postgresql-9.1'
|
|
'nginx'
|
|
'htop'
|
|
)
|
|
|
|
sudo apt-get update
|
|
sudo apt-get install --quiet --assume-yes ${packages[*]}
|
|
set +e
|
|
sudo pip install -U pip # upgrade pip
|
|
set -e
|
|
sudo pip install -U pip --no-use-wheel # Don't ask
|
|
|
|
# install coffee and less
|
|
sudo npm install -g coffee-script less@1.3 --registry http://registry.npmjs.org/
|
|
|
|
sudo gem install foreman
|
|
|
|
# Set redis pass
|
|
set +e
|
|
grep -q '^requirepass' /etc/redis/redis.conf
|
|
DID_FAIL=$?
|
|
set -e
|
|
if [[ DID_FAIL -eq 1 ]] ; then # if line not found
|
|
echo 'requirepass yourredispassword' | sudo tee -a /etc/redis/redis.conf
|
|
fi
|
|
|
|
# Install nginx
|
|
set -o pipefail
|
|
|
|
sudo apt-get install --quiet --assume-yes nginx
|
|
|
|
# Remove default ubuntu nginx configuration
|
|
sudo rm -f /etc/nginx/sites-enabled/default
|
|
|
|
# Generate self-signed ssl certs
|
|
# http://wiki.nginx.org/HttpSslModule
|
|
sudo mkdir -p /usr/local/nginx
|
|
if [ ! -e /usr/local/nginx/testing.crt ]; then
|
|
echo 'Generating self-signed certificate'
|
|
cd /usr/local/nginx
|
|
sudo openssl genrsa -des3 -passout pass:pass -out testing.key 1024
|
|
(
|
|
echo '.' # Country 2-letter code
|
|
echo '.' # State/province name
|
|
echo '.' # Locality name
|
|
echo 'Arachnys' # Company name
|
|
echo '.' # Organizational unit name
|
|
echo '.' # Common name
|
|
echo '.' # Email address
|
|
echo '' # Challenge password
|
|
echo '' # Optional company name
|
|
) |
|
|
sudo openssl req -new -key testing.key -passin pass:pass -out testing.csr
|
|
sudo cp testing.key testing.key.orig
|
|
sudo openssl rsa -in testing.key.orig -passin pass:pass -out testing.key
|
|
sudo openssl x509 -req -days 1825 -in testing.csr -signkey testing.key -out testing.crt
|
|
sudo rm testing.key.orig testing.csr
|
|
cd -
|
|
fi
|
|
|
|
# Configure nginx proxy
|
|
echo 'Writing nginx proxy configuration'
|
|
if [ -e /etc/nginx/sites-available/cabot ]; then
|
|
echo 'WARNING: overwriting existing nginx configuration. Any local changes will be lost'
|
|
fi
|
|
sudo tee /etc/nginx/sites-available/cabot << EOF
|
|
server {
|
|
listen 80;
|
|
|
|
location / {
|
|
proxy_pass http://localhost:5000/;
|
|
proxy_set_header Host \$http_host;
|
|
proxy_set_header X-Real-IP \$remote_addr;
|
|
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
|
|
}
|
|
|
|
location /static/ {
|
|
alias /home/ubuntu/cabot/static/;
|
|
}
|
|
|
|
# Uncomment line below to force https
|
|
#return 301 https://\$host\$request_uri;
|
|
}
|
|
|
|
# Proxy secure traffic to cabot
|
|
# server {
|
|
# listen 443 ssl;
|
|
# ssl_certificate /usr/local/nginx/testing.crt;
|
|
# ssl_certificate_key /usr/local/nginx/testing.pem;
|
|
|
|
# location / {
|
|
# proxy_pass http://localhost:5000/;
|
|
# proxy_set_header Host \$http_host;
|
|
# proxy_set_header X-Real-IP \$remote_addr;
|
|
# proxy_set_header X-Forwarded-Proto https;
|
|
# proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
|
|
# proxy_redirect http:// https://;
|
|
# }
|
|
|
|
# location /static/ {
|
|
# alias $DEPLOY_PATH/static/;
|
|
# }
|
|
# }
|
|
EOF
|
|
|
|
# Enable cabot configuration and restart nginx
|
|
if [ ! -e /etc/nginx/sites-enabled/cabot ]; then
|
|
echo 'Enabling proxy in nginx configuration'
|
|
sudo ln -s /etc/nginx/sites-available/cabot /etc/nginx/sites-enabled/cabot
|
|
fi
|
|
|
|
sudo service nginx restart |