diff --git a/setup/functions b/setup/functions
index 821b315d..8cd47ee1 100644
--- a/setup/functions
+++ b/setup/functions
@@ -1,14 +1,110 @@ # This is not a standalone script. It provides common functions to server-*.sh scripts -if hash firewall-cmd 2>/dev/null; then - firewallCmdExists=yes -fi +local hostType="$1" + +case "$hostType" in + centos7) + hostTypeLabel="CentOS 7" + redisService=redis + apacheConf="/etc/httpd/conf.d/mailtrain.conf" + + if hash firewall-cmd 2>/dev/null; then + firewallCmdExists=yes + fi + ;; + + ubuntu1804) + hostTypeLabel="Ubuntu 18.04 LTS" + redisService=redis-server + apacheConf="/etc/apache2/conf-available/mailtrain.conf" + + if hash ufw 2>/dev/null; then + firewallCmdExists=yes + fi + ;; +esac + + + + +function performInstallLocal { + local paramCount="$1" + + if [ $paramCount -ne 0 ]; then + echo "Error: incorrect number of parameters." + + cat < + +Installs Mailtrain 2 on ${hostTypeLabel}. This performs installation for external use. It installs Mailtrain, sets up +a reverse HTTPS proxy using Apache HTTPD, sets up firewall rules, and obtains a certificate from Letsencrypt. + +You have to allocate three endpoints for Mailtrain - trusted (admin UI), sandbox (editors for templates), public (subscription forms and archive). +These endpoints have to differ in hostname. It's fine to host them all from one IP address. The email parameters is needed by certbot. + +Note, that this will automatically accept the Let's Encrypt's Terms of Service. +Thus, by running this script below, you agree with the Let's Encrypt's Terms of Service (https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf). 
+ +Example: install-${hostType}-https.sh mailtrain.example.com sbox.mailtrain.example.com lists.example.com admin@example.com +EOF + + exit 1 + fi + + installPrerequisities + installHttpd + createCertificates "${hostTrusted}" "${hostSandbox}" "${hostPublic}" "${email}" + installHttpsProxy "${hostTrusted}" 443 "${hostSandbox}" 443 "${hostPublic}" 443 "/etc/letsencrypt/live/${hostPublic}/cert.pem" "/etc/letsencrypt/live/${hostPublic}/privkey.pem" "/etc/letsencrypt/live/${hostPublic}/chain.pem" + installMailtrain "https://${hostTrusted}" "https://${hostSandbox}" "https://${hostPublic}" 127.0.0.1 true + installService +} + + function installPrerequisities { - yum -y install epel-release + # Run as root! + if [[ $EUID -ne 0 ]]; then + echo "This script must be run as root" 1>&2 + exit 1 + fi - curl --silent --location https://rpm.nodesource.com/setup_10.x | bash - - cat > /etc/yum.repos.d/mongodb-org.repo < /etc/yum.repos.d/mongodb-org.repo < /etc/logrotate.d/mailtrain -/var/log/mailtrain.log { - daily - rotate 12 - compress - delaycompress - missingok - notifempty - copytruncate - nomail -} -EOT - - # Set up systemd service script - cp setup/mailtrain-centos7.service /etc/systemd/system/mailtrain.service - systemctl enable mailtrain.service - - # Start the service - systemctl daemon-reload - - systemctl start mailtrain.service - - echo - echo - echo "Success! Open http://$urlBaseTrusted/ and login as admin:test" - - if [ -z "$firewallCmdExists" ]; then - echo "Note that firewall was not setup because firewall-cmd is missing on your system. Please make sure your firewall is correctly setup. If you are on AWS, this means to enable HTTPS and HTTP in your security group." 
- fi } +function installHttpd { + case "$hostType" in + centos7) + yum -y install httpd mod_ssl + systemctl start httpd + systemctl enable httpd -function installHttps { + setsebool -P httpd_can_network_connect 1 + + if [ -n "$firewallCmdExists" ]; then + # Enable SSL ports on the firewall + for port in "80/tcp" "${portTrusted}/tcp" "${portSandbox}/tcp" "${portPublic}/tcp"; do + firewall-cmd --add-port=$port --permanent + done + + # Activate the firefall settings + firewall-cmd --reload + fi + ;; + + ubuntu1804) + apt-get install -y apache2 + a2enmod ssl + systemctl restart apache2 + + if [ -n "$firewallCmdExists" ]; then + # Enable SSL ports on the firewall + for port in "80/tcp" "${portTrusted}/tcp" "${portSandbox}/tcp" "${portPublic}/tcp"; do + ufw allow $port + done + + ufw --force enable + fi + ;; + esac +} + + +function installHttpsProxy { local hostTrusted="$1" local portTrusted="$2" local hostSandbox="$3" @@ -145,11 +261,10 @@ function installHttps { local certificateKey="$8" local caChainFile="$9" - yum -y install httpd mod_ssl - echo > /etc/httpd/conf.d/mailtrain.conf + > $apacheConf - cat >> /etc/httpd/conf.d/mailtrain.conf <> $apacheConf < ServerName ${hostTrusted} @@ -186,14 +301,6 @@ function installHttps { LogLevel warn -EOT - - if [ -n "$firewallCmdExists" ]; then - # Enable port 80 on the firewall - firewall-cmd --add-port=80/tcp --permanent - fi - - cat >> /etc/httpd/conf.d/mailtrain.conf < ServerName ${hostTrusted}:${portTrusted} 
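Review bot: `local hostType="$1"` at the top of this sourced file is outside any function, and bash rejects `local` there (`local: can only be used in a function`); since `install-*.sh` sources the file from script scope after `set -e`, the installer aborts before the `case` runs, so it should read `hostType="$1"`, and the `case` wants a `*) echo "Unsupported host type: $hostType" >&2; exit 1 ;;` arm so an unknown value does not silently leave `apacheConf`/`redisService` empty. Separately, the `ubuntu1804` branch of `installHttpd` runs `ufw --force enable` after allowing only the web ports; ufw's default inbound policy is deny, so on a remote host this drops the operator's SSH session unless `ufw allow OpenSSH` is issued before the enable. `installHttpd` also expands `${portTrusted}`, `${portSandbox}` and `${portPublic}`, which in the removed `installHttps` were locals of that function; I do not see them assigned before `installHttpd` is called in the visible part of `performInstallHttps`, so the firewall loop would expand to `/tcp` and fail under `set -e` — confirm against the full file. Several here-docs in this hunk (the `performInstall*` usage text, the mongodb repo file) appear truncated in this rendering, so I could not review their contents.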
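Review bot: `> $apacheConf` and `cat >> $apacheConf <<EOT` rely on the unquoted variable set by the top-of-file `case`; if `hostType` matched no arm the expansion is empty and bash fails here with `ambiguous redirect`, after packages have been installed and firewall rules changed. Quote the redirects as `> "$apacheConf"` and `cat >> "$apacheConf" <<EOT`, and guard once before the first write with `: "${apacheConf:?unsupported host type}"` so the failure is explicit and early. `installHttpsProxy` begins and ends outside this hunk.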
@@ -247,56 +354,53 @@ EOT EOT - # Enable and start httpd - systemctl start httpd - systemctl enable httpd + case "$hostType" in + centos7) + systemctl restart httpd + ;; - if [ -n "$firewallCmdExists" ]; then - # Enable SSL ports on the firewall - for port in "${portTrusted}/tcp" "${portSandbox}/tcp" "${portPublic}/tcp"; do - firewall-cmd --add-port=$port --permanent - done + ubuntu1804) + a2enconf mailtrain + systemctl restart apache2 + ;; + esac - # Activate the firefall settings - firewall-cmd --reload - fi } function createCertificates { - # This assumes that HTTPD is not yet running + # This assumes that HTTPD is already running local hostTrusted="$1" local hostSandbox="$2" local hostPublic="$3" local email="$4" - yum install -y certbot + case "$hostType" in + centos7) + yum install -y certbot + ;; - if [ -n "$firewallCmdExists" ]; then - # Temporarily enable port 80 on the firewall - firewall-cmd --add-port=80/tcp - fi + ubuntu1804) + apt-get install -y certbot + ;; + esac - certbot certonly --agree-tos --email "${email}" --standalone -n -d "${hostPublic}" -d "${hostTrusted}" -d "${hostSandbox}" + certbot certonly --agree-tos --email "${email}" --apache -n -d "${hostPublic}" -d "${hostTrusted}" -d "${hostSandbox}" # Install cron echo "0 3 * * * /usr/bin/certbot certonly --apache -n -d \"${hostPublic}\" -d \"${hostTrusted}\" -d \"${hostSandbox}\"" > crontab crontab crontab rm -rf crontab - - if [ -n "$firewallCmdExists" ]; then - # Revert firewall to original state - firewall-cmd --reload - fi } + function installService { cat > /etc/systemd/system/mailtrain.service <&2 - exit 1 -fi - set -e SCRIPT_PATH=$(dirname $(realpath -s $0)) -. $SCRIPT_PATH/functions +. $SCRIPT_PATH/functions centos7 cd $SCRIPT_PATH/.. - -# Help function -function HELP { -cat < - -Installs Mailtrain 2 on CentOS 7. This performs installation for external use. 
It installs Mailtrain, sets up -a reverse HTTPS proxy using Apache HTTPD, sets up firewall rules, and obtains a certificate from Letsencrypt. - -You have to allocate three endpoints for Mailtrain - trusted (admin UI), sandbox (editors for templates), public (subscription forms and archive). -These endpoints have to differ in hostname. It's fine to host them all from one IP address. The email parameters is needed by certbot. - -Note, that this will automatically accept the Let's Encrypt's Terms of Service. -Thus, by running this script below, you agree with the Let's Encrypt's Terms of Service (https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf). - -Example: install-centos7-https.sh mailtrain.example.com sbox.mailtrain.example.com lists.example.com admin@example.com -EOF - - exit 1 -} - -if [ $# -lt 4 ]; then - echo "Error: incorrect number of parameters." - HELP -fi - -hostTrusted="$1" -hostSandbox="$2" -hostPublic="$3" -email="$4" - -installPrerequisities - -createCertificates "${hostTrusted}" "${hostSandbox}" "${hostPublic}" "${email}" - -installHttps "${hostTrusted}" 443 "${hostSandbox}" 443 "${hostPublic}" 443 "/etc/letsencrypt/live/${hostPublic}/cert.pem" "/etc/letsencrypt/live/${hostPublic}/privkey.pem" "/etc/letsencrypt/live/${hostPublic}/chain.pem" - -installMailtrain "https://${hostTrusted}" "https://${hostSandbox}" "https://${hostPublic}" 127.0.0.1 - -installService +performInstallHttps "$#" "$1" "$2" "$3" "$4" \ No newline at end of file diff --git a/setup/install-centos7-local.sh b/setup/install-centos7-local.sh index 55b072dc..71ebabcb 100644 --- a/setup/install-centos7-local.sh +++ b/setup/install-centos7-local.sh 
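Review bot: The renewal cron written right after the new `certbot certonly --apache` call uses `echo "..." > crontab; crontab crontab; rm -rf crontab`, and `crontab <file>` replaces root's entire crontab, so any existing root jobs on the host are silently discarded and a temporary file with a fixed name is created in the repository checkout (the script has done `cd $SCRIPT_PATH/..`). Since this function is being reworked anyway, prefer a drop-in entry that does not touch root's crontab and lets certbot decide when the stored certificate is due: `echo "0 3 * * * root /usr/bin/certbot renew -q" > /etc/cron.d/mailtrain-certbot`; `certbot renew` reuses the three names recorded by the `certonly` call, so the `-d` list need not be duplicated. I would also add `--deploy-hook` reloading `httpd`/`apache2` to make it explicit that the proxy picks up renewed files, although certbot's apache plugin already reloads the server around the challenge. The `installService` here-doc and the `install-centos7-https.sh` file header appear to be truncated in this rendering, so the hunk boundary between the two files is not visible.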
@@ -1,42 +1,9 @@ #!/bin/bash -# This installation script works on CentOS 7 -# Run as root! - -if [[ $EUID -ne 0 ]]; then - echo "This script must be run as root" 1>&2 - exit 1 -fi - set -e SCRIPT_PATH=$(dirname $(realpath -s $0)) -. $SCRIPT_PATH/functions +. $SCRIPT_PATH/functions centos7 cd $SCRIPT_PATH/.. - -# Help function -function HELP { -cat <