Updates in install scripts

2018-12-25 08:32:14 +00:00 · 2018-12-25 08:32:14 +00:00 · 9204954691
commit 9204954691
parent a6c7e6327b
5 changed files with 285 additions and 543 deletions
--- a/setup/functions
+++ b/setup/functions
@ -0,0 +1,279 @@
+# This is not a standalone script. It provides common functions to server-*.sh scripts
+
+if hash firewall-cmd 2>/dev/null; then
+    firewallCmdExists=yes
+fi
+
+function installBase {
+    local urlBaseTrusted="$1"
+    local urlBaseSandbox="$2"
+    local urlBasePublic="$3"
+    
+    yum -y install epel-release
+    
+    curl --silent --location https://rpm.nodesource.com/setup_10.x | bash -
+    cat > /etc/yum.repos.d/mongodb-org.repo <<EOT
+[mongodb-org-4.0]
+name=MongoDB Repository
+baseurl=https://repo.mongodb.org/yum/redhat/\$releasever/mongodb-org/4.0/x86_64/
+gpgcheck=1
+enabled=1
+gpgkey=https://www.mongodb.org/static/pgp/server-4.0.asc
+EOT
+    
+    yum -y install mariadb-server nodejs ImageMagick git python redis pwgen bind-utils gcc-c++ make mongodb-org
+    
+    systemctl start mariadb
+    systemctl enable mariadb
+    
+    systemctl start redis
+    systemctl enable redis
+    
+    systemctl start mongod
+    systemctl enable mongod
+    
+    
+    mysqlPassword=`pwgen 12 -1`
+    mysqlRoPassword=`pwgen 12 -1`
+    
+    # Setup MySQL user for Mailtrain
+    mysql -u root -e "CREATE USER 'mailtrain'@'localhost' IDENTIFIED BY '$mysqlPassword';"
+    mysql -u root -e "GRANT ALL PRIVILEGES ON mailtrain.* TO 'mailtrain'@'localhost';"
+    mysql -u root -e "CREATE USER 'mailtrain_ro'@'localhost' IDENTIFIED BY '$mysqlRoPassword';"
+    mysql -u root -e "GRANT SELECT ON mailtrain.* TO 'mailtrain_ro'@'localhost';"
+    mysql -u mailtrain --password="$mysqlPassword" -e "CREATE database mailtrain;"
+    
+    # Add new user for the mailtrain daemon to run as
+    useradd mailtrain || true
+    
+    # Setup installation configuration
+    cat > server/config/production.yaml <<EOT
+user: mailtrain
+group: mailtrain
+roUser: nobody
+roGroup: nobody
+
+www:
+  secret: "`pwgen -1`"
+  trustedUrlBase: $urlBaseTrusted
+  sandboxUrlBase: $urlBaseSandbox
+  publicUrlBase: $urlBasePublic
+
+
+mysql:
+  password: "$mysqlPassword"
+
+redis:
+  enabled: true
+
+log:
+  level: warn
+
+builtinZoneMTA:
+  log:
+    level: info
+
+queue:
+  processes: 5
+EOT
+    
+    cat >> server/services/workers/reports/config/production.yaml <<EOT
+log:
+  level: warn
+
+mysql:
+  user: mailtrain_ro
+  password: "$mysqlRoPassword"
+EOT
+    
+    # Install required node packages
+    for idx in client shared server zone-mta; do
+        (cd $idx && npm install)
+    done
+    
+    (cd client && npm run build)
+    
+    chown -R mailtrain:mailtrain .
+    chmod o-rwx server/config
+    
+    # Setup log rotation to not spend up entire storage on logs
+    cat <<EOT > /etc/logrotate.d/mailtrain
+/var/log/mailtrain.log {
+    daily
+    rotate 12
+    compress
+    delaycompress
+    missingok
+    notifempty
+    copytruncate
+    nomail
+}
+EOT
+    
+    # Set up systemd service script
+    cp setup/mailtrain-centos7.service /etc/systemd/system/mailtrain.service
+    systemctl enable mailtrain.service
+    
+    # Start the service
+    systemctl daemon-reload
+    
+    systemctl start mailtrain.service
+    
+    echo "Success! Open http://$urlBaseTrusted/ and login as admin:test"
+
+    if [ -n "$firewallCmdExists" ]; then
+        echo "Note that firewall was not setup because firewall-cmd is missing on your system. Please make sure your firewall is correctly setup. If you are on AWS, this means to enable HTTPS and HTTP in your security group."
+    fi
+}
+
+
+
+function installHttps {
+    local hostTrusted="$1"
+    local portTrusted="$2"
+    local hostSandbox="$3"
+    local portSandbox="$4"
+    local hostPublic="$5"
+    local portPublic="$6"
+    local certificateFile="$7"
+    local certificateKey="$8"
+    local caChainFile="$9"
+
+    yum -y install httpd mod_ssl
+
+    echo > /etc/httpd/conf.d/mailtrain.conf
+
+    cat >> /etc/httpd/conf.d/mailtrain.conf <<EOT
+<VirtualHost ${hostTrusted}:80>
+    ServerName ${hostTrusted}
+
+    ServerSignature Off
+
+    RewriteEngine On
+    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
+
+    ErrorLog logs/${hostTrusted}_redirect_error.log
+    LogLevel warn
+</VirtualHost>
+
+<VirtualHost ${hostSandbox}:80>
+    ServerName ${hostSandbox}
+
+    ServerSignature Off
+
+    RewriteEngine On
+    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
+
+    ErrorLog logs/${hostSandbox}_redirect_error.log
+    LogLevel warn
+</VirtualHost>
+
+<VirtualHost ${hostPublic}:80>
+    ServerName ${hostPublic}
+
+    ServerSignature Off
+
+    RewriteEngine On
+    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
+
+    ErrorLog logs/${hostPublic}_redirect_error.log
+    LogLevel warn
+</VirtualHost>
+EOT
+
+    if [ -n "$firewallCmdExists" ]; then
+        # Enable port 80 on the firewall
+        firewall-cmd --add-port=80/tcp --permanent
+    fi
+
+    cat >> /etc/httpd/conf.d/mailtrain.conf <<EOT
+<VirtualHost ${hostTrusted}:${portTrusted}>
+    ServerName ${hostTrusted}:${portTrusted}
+
+    ErrorLog logs/${hostTrusted}_ssl_error.log
+    TransferLog logs/${hostTrusted}_ssl_access.log
+    LogLevel warn
+
+    SSLEngine on
+    SSLCertificateFile ${certificateFile}
+    SSLCertificateKeyFile ${certificateKey}
+    SSLCertificateChainFile ${caChainFile}
+
+    ProxyPreserveHost On
+    ProxyPass "/" "http://127.0.0.1:3000/"
+    ProxyPassReverse "/" "http://127.0.0.1:3000/"
+</VirtualHost>
+
+<VirtualHost ${hostSandbox}:${portSandbox}>
+    ServerName ${hostSandbox}:${portSandbox}
+
+    ErrorLog logs/${hostSandbox}_ssl_error.log
+    TransferLog logs/${hostSandbox}_ssl_access.log
+    LogLevel warn
+
+    SSLEngine on
+    SSLCertificateFile ${certificateFile}
+    SSLCertificateKeyFile ${certificateKey}
+    SSLCertificateChainFile ${caChainFile}
+
+    ProxyPreserveHost On
+    ProxyPass "/" "http://127.0.0.1:3003/"
+    ProxyPassReverse "/" "http://127.0.0.1:3003/"
+</VirtualHost>
+
+<VirtualHost ${hostPublic}:${portPublic}>
+    ServerName ${hostPublic}:${portPublic}
+
+    ErrorLog logs/${hostPublic}_ssl_error.log
+    TransferLog logs/${hostPublic}_ssl_access.log
+    LogLevel warn
+
+    SSLEngine on
+    SSLCertificateFile ${certificateFile}
+    SSLCertificateKeyFile ${certificateKey}
+    SSLCertificateChainFile ${caChainFile}
+
+    ProxyPreserveHost On
+    ProxyPass "/" "http://127.0.0.1:3004/"
+    ProxyPassReverse "/" "http://127.0.0.1:3004/"
+</VirtualHost>
+EOT
+
+
+    # Enable and start httpd
+    systemctl start httpd
+    systemctl enable httpd
+
+    if [ -n "$firewallCmdExists" ]; then
+        # Enable SSL ports on the firewall
+        for port in "${portTrusted}/tcp" "${portSandbox}/tcp" "${portPublic}/tcp"; do
+            firewall-cmd --add-port=$port --permanent
+        done
+
+        # Activate the firefall settings
+        firewall-cmd --reload
+    fi
+}
+
+
+function createCertificates {
+    local hostTrusted="$1"
+    local hostSandbox="$2"
+    local hostPublic="$3"
+    local email="$4"
+
+    yum install -y certbot
+
+    if [ -n "$firewallCmdExists" ]; then
+        # Temporarily enable port 80 on the firewall
+        firewall-cmd --add-port=80/tcp
+    fi
+
+    certbot certonly --agree-tos --email "${email}" --standalone -n -d "${hostPublic}" -d "${hostTrusted}" -d "${hostSandbox}"
+
+    if [ -n "$firewallCmdExists" ]; then
+        # Revert firewall to original state
+        firewall-cmd --reload
+    fi
+}
+