mailtrain/setup/functions

# This is not a standalone script. It provides common functions to server-*.sh scripts

if hash firewall-cmd 2>/dev/null; then
    firewallCmdExists=yes
fi

function installBase {
    local urlBaseTrusted="$1"
    local urlBaseSandbox="$2"
    local urlBasePublic="$3"
    
    yum -y install epel-release
    
    curl --silent --location https://rpm.nodesource.com/setup_10.x | bash -
    cat > /etc/yum.repos.d/mongodb-org.repo <<EOT
[mongodb-org-4.0]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/\$releasever/mongodb-org/4.0/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-4.0.asc
EOT
    
    yum -y install mariadb-server nodejs ImageMagick git python redis pwgen bind-utils gcc-c++ make mongodb-org
    
    systemctl start mariadb
    systemctl enable mariadb
    
    systemctl start redis
    systemctl enable redis
    
    systemctl start mongod
    systemctl enable mongod
    
    
    mysqlPassword=`pwgen 12 -1`
    mysqlRoPassword=`pwgen 12 -1`
    
    # Setup MySQL user for Mailtrain
    mysql -u root -e "CREATE USER 'mailtrain'@'localhost' IDENTIFIED BY '$mysqlPassword';"
    mysql -u root -e "GRANT ALL PRIVILEGES ON mailtrain.* TO 'mailtrain'@'localhost';"
    mysql -u root -e "CREATE USER 'mailtrain_ro'@'localhost' IDENTIFIED BY '$mysqlRoPassword';"
    mysql -u root -e "GRANT SELECT ON mailtrain.* TO 'mailtrain_ro'@'localhost';"
    mysql -u mailtrain --password="$mysqlPassword" -e "CREATE database mailtrain;"
    
    # Add new user for the mailtrain daemon to run as
    useradd mailtrain || true
    
    # Setup installation configuration
    cat > server/config/production.yaml <<EOT
user: mailtrain
group: mailtrain
roUser: nobody
roGroup: nobody

www:
  secret: "`pwgen -1`"
  trustedUrlBase: $urlBaseTrusted
  sandboxUrlBase: $urlBaseSandbox
  publicUrlBase: $urlBasePublic


mysql:
  password: "$mysqlPassword"

redis:
  enabled: true

log:
  level: warn

builtinZoneMTA:
  log:
    level: info

queue:
  processes: 5
EOT
    
    cat >> server/services/workers/reports/config/production.yaml <<EOT
log:
  level: warn

mysql:
  user: mailtrain_ro
  password: "$mysqlRoPassword"
EOT
    
    # Install required node packages
    for idx in client shared server zone-mta; do
        (cd $idx && npm install)
    done
    
    (cd client && npm run build)
    
    chown -R mailtrain:mailtrain .
    chmod o-rwx server/config
    
    # Setup log rotation to not spend up entire storage on logs
    cat <<EOT > /etc/logrotate.d/mailtrain
/var/log/mailtrain.log {
    daily
    rotate 12
    compress
    delaycompress
    missingok
    notifempty
    copytruncate
    nomail
}
EOT
    
    # Set up systemd service script
    cp setup/mailtrain-centos7.service /etc/systemd/system/mailtrain.service
    systemctl enable mailtrain.service
    
    # Start the service
    systemctl daemon-reload
    
    systemctl start mailtrain.service
    
    echo "Success! Open http://$urlBaseTrusted/ and login as admin:test"

    if [ -n "$firewallCmdExists" ]; then
        echo "Note that firewall was not setup because firewall-cmd is missing on your system. Please make sure your firewall is correctly setup. If you are on AWS, this means to enable HTTPS and HTTP in your security group."
    fi
}


function installHttps {
    local hostTrusted="$1"
    local portTrusted="$2"
    local hostSandbox="$3"
    local portSandbox="$4"
    local hostPublic="$5"
    local portPublic="$6"
    local certificateFile="$7"
    local certificateKey="$8"
    local caChainFile="$9"

    yum -y install httpd mod_ssl

    echo > /etc/httpd/conf.d/mailtrain.conf

    cat >> /etc/httpd/conf.d/mailtrain.conf <<EOT
<VirtualHost ${hostTrusted}:80>
    ServerName ${hostTrusted}

    ServerSignature Off

    RewriteEngine On
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]

    ErrorLog logs/${hostTrusted}_redirect_error.log
    LogLevel warn
</VirtualHost>

<VirtualHost ${hostSandbox}:80>
    ServerName ${hostSandbox}

    ServerSignature Off

    RewriteEngine On
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]

    ErrorLog logs/${hostSandbox}_redirect_error.log
    LogLevel warn
</VirtualHost>

<VirtualHost ${hostPublic}:80>
    ServerName ${hostPublic}

    ServerSignature Off

    RewriteEngine On
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]

    ErrorLog logs/${hostPublic}_redirect_error.log
    LogLevel warn
</VirtualHost>
EOT

    if [ -n "$firewallCmdExists" ]; then
        # Enable port 80 on the firewall
        firewall-cmd --add-port=80/tcp --permanent
    fi

    cat >> /etc/httpd/conf.d/mailtrain.conf <<EOT
<VirtualHost ${hostTrusted}:${portTrusted}>
    ServerName ${hostTrusted}:${portTrusted}

    ErrorLog logs/${hostTrusted}_ssl_error.log
    TransferLog logs/${hostTrusted}_ssl_access.log
    LogLevel warn

    SSLEngine on
    SSLCertificateFile ${certificateFile}
    SSLCertificateKeyFile ${certificateKey}
    SSLCertificateChainFile ${caChainFile}

    ProxyPreserveHost On
    ProxyPass "/" "http://127.0.0.1:3000/"
    ProxyPassReverse "/" "http://127.0.0.1:3000/"
</VirtualHost>

<VirtualHost ${hostSandbox}:${portSandbox}>
    ServerName ${hostSandbox}:${portSandbox}

    ErrorLog logs/${hostSandbox}_ssl_error.log
    TransferLog logs/${hostSandbox}_ssl_access.log
    LogLevel warn

    SSLEngine on
    SSLCertificateFile ${certificateFile}
    SSLCertificateKeyFile ${certificateKey}
    SSLCertificateChainFile ${caChainFile}

    ProxyPreserveHost On
    ProxyPass "/" "http://127.0.0.1:3003/"
    ProxyPassReverse "/" "http://127.0.0.1:3003/"
</VirtualHost>

<VirtualHost ${hostPublic}:${portPublic}>
    ServerName ${hostPublic}:${portPublic}

    ErrorLog logs/${hostPublic}_ssl_error.log
    TransferLog logs/${hostPublic}_ssl_access.log
    LogLevel warn

    SSLEngine on
    SSLCertificateFile ${certificateFile}
    SSLCertificateKeyFile ${certificateKey}
    SSLCertificateChainFile ${caChainFile}

    ProxyPreserveHost On
    ProxyPass "/" "http://127.0.0.1:3004/"
    ProxyPassReverse "/" "http://127.0.0.1:3004/"
</VirtualHost>
EOT


    # Enable and start httpd
    systemctl start httpd
    systemctl enable httpd

    if [ -n "$firewallCmdExists" ]; then
        # Enable SSL ports on the firewall
        for port in "${portTrusted}/tcp" "${portSandbox}/tcp" "${portPublic}/tcp"; do
            firewall-cmd --add-port=$port --permanent
        done

        # Activate the firefall settings
        firewall-cmd --reload
    fi
}


function createCertificates {
    local hostTrusted="$1"
    local hostSandbox="$2"
    local hostPublic="$3"
    local email="$4"

    yum install -y certbot

    if [ -n "$firewallCmdExists" ]; then
        # Temporarily enable port 80 on the firewall
        firewall-cmd --add-port=80/tcp
    fi

    certbot certonly --agree-tos --email "${email}" --standalone -n -d "${hostPublic}" -d "${hostTrusted}" -d "${hostSandbox}"

    if [ -n "$firewallCmdExists" ]; then
        # Revert firewall to original state
        firewall-cmd --reload
    fi
}
Updates in install scripts 2018-12-25 08:32:14 +00:00			`# This is not a standalone script. It provides common functions to server-*.sh scripts`

			`if hash firewall-cmd 2>/dev/null; then`
			`firewallCmdExists=yes`
			`fi`

			`function installBase {`
			`local urlBaseTrusted="$1"`
			`local urlBaseSandbox="$2"`
			`local urlBasePublic="$3"`

			`yum -y install epel-release`

			`curl --silent --location https://rpm.nodesource.com/setup_10.x \| bash -`
			`cat > /etc/yum.repos.d/mongodb-org.repo <<EOT`
			`[mongodb-org-4.0]`
			`name=MongoDB Repository`
			`baseurl=https://repo.mongodb.org/yum/redhat/\$releasever/mongodb-org/4.0/x86_64/`
			`gpgcheck=1`
			`enabled=1`
			`gpgkey=https://www.mongodb.org/static/pgp/server-4.0.asc`
			`EOT`

			`yum -y install mariadb-server nodejs ImageMagick git python redis pwgen bind-utils gcc-c++ make mongodb-org`

			`systemctl start mariadb`
			`systemctl enable mariadb`

			`systemctl start redis`
			`systemctl enable redis`

			`systemctl start mongod`
			`systemctl enable mongod`


			mysqlPassword=`pwgen 12 -1`
			mysqlRoPassword=`pwgen 12 -1`

			`# Setup MySQL user for Mailtrain`
			`mysql -u root -e "CREATE USER 'mailtrain'@'localhost' IDENTIFIED BY '$mysqlPassword';"`
			`mysql -u root -e "GRANT ALL PRIVILEGES ON mailtrain.* TO 'mailtrain'@'localhost';"`
			`mysql -u root -e "CREATE USER 'mailtrain_ro'@'localhost' IDENTIFIED BY '$mysqlRoPassword';"`
			`mysql -u root -e "GRANT SELECT ON mailtrain.* TO 'mailtrain_ro'@'localhost';"`
			`mysql -u mailtrain --password="$mysqlPassword" -e "CREATE database mailtrain;"`

			`# Add new user for the mailtrain daemon to run as`
			`useradd mailtrain \|\| true`

			`# Setup installation configuration`
			`cat > server/config/production.yaml <<EOT`
			`user: mailtrain`
			`group: mailtrain`
			`roUser: nobody`
			`roGroup: nobody`

			`www:`
			secret: "`pwgen -1`"
			`trustedUrlBase: $urlBaseTrusted`
			`sandboxUrlBase: $urlBaseSandbox`
			`publicUrlBase: $urlBasePublic`


			`mysql:`
			`password: "$mysqlPassword"`

			`redis:`
			`enabled: true`

			`log:`
			`level: warn`

			`builtinZoneMTA:`
			`log:`
			`level: info`

			`queue:`
			`processes: 5`
			`EOT`

			`cat >> server/services/workers/reports/config/production.yaml <<EOT`
			`log:`
			`level: warn`

			`mysql:`
			`user: mailtrain_ro`
			`password: "$mysqlRoPassword"`
			`EOT`

			`# Install required node packages`
			`for idx in client shared server zone-mta; do`
			`(cd $idx && npm install)`
			`done`

			`(cd client && npm run build)`

			`chown -R mailtrain:mailtrain .`
			`chmod o-rwx server/config`

			`# Setup log rotation to not spend up entire storage on logs`
			`cat <<EOT > /etc/logrotate.d/mailtrain`
			`/var/log/mailtrain.log {`
			`daily`
			`rotate 12`
			`compress`
			`delaycompress`
			`missingok`
			`notifempty`
			`copytruncate`
			`nomail`
			`}`
			`EOT`

			`# Set up systemd service script`
			`cp setup/mailtrain-centos7.service /etc/systemd/system/mailtrain.service`
			`systemctl enable mailtrain.service`

			`# Start the service`
			`systemctl daemon-reload`

			`systemctl start mailtrain.service`

			`echo "Success! Open http://$urlBaseTrusted/ and login as admin:test"`

			`if [ -n "$firewallCmdExists" ]; then`
			`echo "Note that firewall was not setup because firewall-cmd is missing on your system. Please make sure your firewall is correctly setup. If you are on AWS, this means to enable HTTPS and HTTP in your security group."`
			`fi`
			`}`



			`function installHttps {`
			`local hostTrusted="$1"`
			`local portTrusted="$2"`
			`local hostSandbox="$3"`
			`local portSandbox="$4"`
			`local hostPublic="$5"`
			`local portPublic="$6"`
			`local certificateFile="$7"`
			`local certificateKey="$8"`
			`local caChainFile="$9"`

			`yum -y install httpd mod_ssl`

			`echo > /etc/httpd/conf.d/mailtrain.conf`

			`cat >> /etc/httpd/conf.d/mailtrain.conf <<EOT`
			`<VirtualHost ${hostTrusted}:80>`
			`ServerName ${hostTrusted}`

			`ServerSignature Off`

			`RewriteEngine On`
			`RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]`

			`ErrorLog logs/${hostTrusted}_redirect_error.log`
			`LogLevel warn`
			`</VirtualHost>`

			`<VirtualHost ${hostSandbox}:80>`
			`ServerName ${hostSandbox}`

			`ServerSignature Off`

			`RewriteEngine On`
			`RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]`

			`ErrorLog logs/${hostSandbox}_redirect_error.log`
			`LogLevel warn`
			`</VirtualHost>`

			`<VirtualHost ${hostPublic}:80>`
			`ServerName ${hostPublic}`

			`ServerSignature Off`

			`RewriteEngine On`
			`RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]`

			`ErrorLog logs/${hostPublic}_redirect_error.log`
			`LogLevel warn`
			`</VirtualHost>`
			`EOT`

			`if [ -n "$firewallCmdExists" ]; then`
			`# Enable port 80 on the firewall`
			`firewall-cmd --add-port=80/tcp --permanent`
			`fi`

			`cat >> /etc/httpd/conf.d/mailtrain.conf <<EOT`
			`<VirtualHost ${hostTrusted}:${portTrusted}>`
			`ServerName ${hostTrusted}:${portTrusted}`

			`ErrorLog logs/${hostTrusted}_ssl_error.log`
			`TransferLog logs/${hostTrusted}_ssl_access.log`
			`LogLevel warn`

			`SSLEngine on`
			`SSLCertificateFile ${certificateFile}`
			`SSLCertificateKeyFile ${certificateKey}`
			`SSLCertificateChainFile ${caChainFile}`

			`ProxyPreserveHost On`
			`ProxyPass "/" "http://127.0.0.1:3000/"`
			`ProxyPassReverse "/" "http://127.0.0.1:3000/"`
			`</VirtualHost>`

			`<VirtualHost ${hostSandbox}:${portSandbox}>`
			`ServerName ${hostSandbox}:${portSandbox}`

			`ErrorLog logs/${hostSandbox}_ssl_error.log`
			`TransferLog logs/${hostSandbox}_ssl_access.log`
			`LogLevel warn`

			`SSLEngine on`
			`SSLCertificateFile ${certificateFile}`
			`SSLCertificateKeyFile ${certificateKey}`
			`SSLCertificateChainFile ${caChainFile}`

			`ProxyPreserveHost On`
			`ProxyPass "/" "http://127.0.0.1:3003/"`
			`ProxyPassReverse "/" "http://127.0.0.1:3003/"`
			`</VirtualHost>`

			`<VirtualHost ${hostPublic}:${portPublic}>`
			`ServerName ${hostPublic}:${portPublic}`

			`ErrorLog logs/${hostPublic}_ssl_error.log`
			`TransferLog logs/${hostPublic}_ssl_access.log`
			`LogLevel warn`

			`SSLEngine on`
			`SSLCertificateFile ${certificateFile}`
			`SSLCertificateKeyFile ${certificateKey}`
			`SSLCertificateChainFile ${caChainFile}`

			`ProxyPreserveHost On`
			`ProxyPass "/" "http://127.0.0.1:3004/"`
			`ProxyPassReverse "/" "http://127.0.0.1:3004/"`
			`</VirtualHost>`
			`EOT`


			`# Enable and start httpd`
			`systemctl start httpd`
			`systemctl enable httpd`

			`if [ -n "$firewallCmdExists" ]; then`
			`# Enable SSL ports on the firewall`
			`for port in "${portTrusted}/tcp" "${portSandbox}/tcp" "${portPublic}/tcp"; do`
			`firewall-cmd --add-port=$port --permanent`
			`done`

			`# Activate the firefall settings`
			`firewall-cmd --reload`
			`fi`
			`}`


			`function createCertificates {`
			`local hostTrusted="$1"`
			`local hostSandbox="$2"`
			`local hostPublic="$3"`
			`local email="$4"`

			`yum install -y certbot`

			`if [ -n "$firewallCmdExists" ]; then`
			`# Temporarily enable port 80 on the firewall`
			`firewall-cmd --add-port=80/tcp`
			`fi`

			`certbot certonly --agree-tos --email "${email}" --standalone -n -d "${hostPublic}" -d "${hostTrusted}" -d "${hostSandbox}"`

			`if [ -n "$firewallCmdExists" ]; then`
			`# Revert firewall to original state`
			`firewall-cmd --reload`
			`fi`
			`}`