WiP on install scripts

2018-12-24 15:41:10 +00:00 · 2018-12-24 15:41:10 +00:00 · a6c7e6327b
commit a6c7e6327b
parent dcc5b18058
3 changed files with 467 additions and 0 deletions
--- a/setup/functions.sh
+++ b/setup/functions.sh
@ -0,0 +1,377 @@
+# This is not a standalone script. It provides common functions to server-*.sh scripts
+
+function installBase {
+    local urlBaseTrusted="$1"
+    local urlBaseSandbox="$2"
+    local urlBasePublic="$3"
+    
+    yum -y install epel-release
+    
+    curl --silent --location https://rpm.nodesource.com/setup_11.x | bash -
+    cat > /etc/yum.repos.d/mongodb-org.repo <<EOT
+    [mongodb-org-4.0]
+    name=MongoDB Repository
+    baseurl=https://repo.mongodb.org/yum/redhat/\$releasever/mongodb-org/4.0/x86_64/
+    gpgcheck=1
+    enabled=1
+    gpgkey=https://www.mongodb.org/static/pgp/server-4.0.asc
+    EOT
+    
+    yum -y install mariadb-server nodejs ImageMagick git python redis pwgen bind-utils gcc-c++ make mongodb-org
+    
+    systemctl start mariadb
+    systemctl enable mariadb
+    
+    systemctl start redis
+    systemctl enable redis
+    
+    systemctl start mongod
+    systemctl enable mongod
+    
+    
+    mysqlPassword=`pwgen 12 -1`
+    mysqlRoPassword=`pwgen 12 -1`
+    
+    # Setup MySQL user for Mailtrain
+    mysql -u root -e "CREATE USER 'mailtrain'@'localhost' IDENTIFIED BY '$mysqlPassword';"
+    mysql -u root -e "GRANT ALL PRIVILEGES ON mailtrain.* TO 'mailtrain'@'localhost';"
+    mysql -u root -e "CREATE USER 'mailtrain_ro'@'localhost' IDENTIFIED BY '$mysqlRoPassword';"
+    mysql -u root -e "GRANT SELECT ON mailtrain.* TO 'mailtrain_ro'@'localhost';"
+    mysql -u mailtrain --password="$mysqlPassword" -e "CREATE database mailtrain;"
+    
+    # Add new user for the mailtrain daemon to run as
+    useradd mailtrain || true
+    
+    # Setup installation configuration
+    cat > server/config/production.yaml <<EOT
+    user: mailtrain
+    group: mailtrain
+    roUser: nobody
+    roGroup: nobody
+    
+    www:
+      secret: "`pwgen -1`"
+      trustedUrlBase: $urlBaseTrusted
+      sandboxUrlBase: $urlBaseSandbox
+      publicUrlBase: $urlBasePublic
+    
+    
+    mysql:
+      password: "$mysqlPassword"
+    
+    redis:
+      enabled: true
+    
+    log:
+      level: warn
+    
+    builtinZoneMTA:
+      log:
+        level: info
+    
+    queue:
+      processes: 5
+    EOT
+    
+    cat >> server/services/workers/reports/config/production.yaml <<EOT
+    log:
+      level: warn
+    
+    mysql:
+      user: mailtrain_ro
+      password: "$mysqlRoPassword"
+    EOT
+    
+    # Install required node packages
+    for idx in client shared server zone-mta; do
+        (cd $idx && npm install)
+    done
+    
+    (cd client && npm run build)
+    
+    chown -R mailtrain:mailtrain .
+    chmod o-rwx server/config
+    
+    # Setup log rotation to not spend up entire storage on logs
+    cat <<EOM > /etc/logrotate.d/mailtrain
+    /var/log/mailtrain.log {
+        daily
+        rotate 12
+        compress
+        delaycompress
+        missingok
+        notifempty
+        copytruncate
+        nomail
+    }
+    EOM
+    
+    # Set up systemd service script
+    cp setup/mailtrain-centos7.service /etc/systemd/system/mailtrain.service
+    systemctl enable mailtrain.service
+    
+    # Start the service
+    systemctl daemon-reload
+    
+    systemctl start mailtrain.service
+    
+    echo "Success! Open http://$urlBaseTrusted/"
+    echo "If this is a fresh installation, log in as admin:test". If this is an upgrade over existing Mailtrain DB, use the original admin password."
+}
+
+
+
+function installHttps {
+    local hostTrusted="$1"
+    local portTrusted="$2"
+    local hostSandbox="$3"
+    local portSandbox="$4"
+    local hostPublic="$5"
+    local portPublic="$6"
+    local certificateFile="$7"
+    local certificateKey="$8"
+    local caChainFile="$9"
+    local skipHttpRedirect="$10"
+
+    echo > /etc/httpd/conf.d/mailtrain.conf
+
+    if [ "$skipHttpRedirect" = "--skip-http-redirect" ]; then
+        cat >> /etc/httpd/conf.d/mailtrain.conf <<EOT
+    <VirtualHost ${hostTrusted}:80>
+        ServerName ${hostTrusted}
+
+        ServerSignature Off
+
+        RewriteEngine On
+        RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
+
+        ErrorLog logs/${hostTrusted}_redirect_error.log
+        LogLevel warn
+    </VirtualHost>
+
+    <VirtualHost ${hostSandbox}:80>
+        ServerName ${hostSandbox}
+
+        ServerSignature Off
+
+        RewriteEngine On
+        RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
+
+        ErrorLog logs/${hostSandbox}_redirect_error.log
+        LogLevel warn
+    </VirtualHost>
+
+    <VirtualHost ${hostPublic}:80>
+        ServerName ${hostPublic}
+
+        ServerSignature Off
+
+        RewriteEngine On
+        RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
+
+        ErrorLog logs/${hostPublic}_redirect_error.log
+        LogLevel warn
+    </VirtualHost>
+EOT
+    fi    
+
+    cat >> /etc/httpd/conf.d/mailtrain.conf <<EOT
+    <VirtualHost ${hostTrusted}:${portTrusted}>
+        ServerName ${hostTrusted}:${portTrusted}
+
+        ErrorLog logs/${hostTrusted}_ssl_error.log
+        TransferLog logs/${hostTrusted}_ssl_access.log
+        LogLevel warn
+
+        SSLEngine on
+        SSLCertificateFile ${certificateFile}
+        SSLCertificateKeyFile ${certificateKey}
+        SSLCertificateChainFile ${caChainFile}
+
+        ProxyPreserveHost On
+        ProxyPass "/" "http://127.0.0.1:3000/"
+        ProxyPassReverse "/" "http://127.0.0.1:3000/"
+    </VirtualHost>
+
+    <VirtualHost ${hostSandbox}:${portSandbox}>
+        ServerName ${hostSandbox}:${portSandbox}
+
+        ErrorLog logs/${hostSandbox}_ssl_error.log
+        TransferLog logs/${hostSandbox}_ssl_access.log
+        LogLevel warn
+
+        SSLEngine on
+        SSLCertificateFile ${certificateFile}
+        SSLCertificateKeyFile ${certificateKey}
+        SSLCertificateChainFile ${caChainFile}
+
+        ProxyPreserveHost On
+        ProxyPass "/" "http://127.0.0.1:3003/"
+        ProxyPassReverse "/" "http://127.0.0.1:3003/"
+    </VirtualHost>
+
+    <VirtualHost ${hostPublic}:${portPublic}>
+        ServerName ${hostPublic}:${portPublic}
+
+        ErrorLog logs/${hostPublic}_ssl_error.log
+        TransferLog logs/${hostPublic}_ssl_access.log
+        LogLevel warn
+
+        SSLEngine on
+        SSLCertificateFile ${certificateFile}
+        SSLCertificateKeyFile ${certificateKey}
+        SSLCertificateChainFile ${caChainFile}
+
+        ProxyPreserveHost On
+        ProxyPass "/" "http://127.0.0.1:3004/"
+        ProxyPassReverse "/" "http://127.0.0.1:3004/"
+    </VirtualHost>
+EOT
+}
+
+
+
+function installHttps {
+    local hostTrusted="$1"
+    local portTrusted="$2"
+    local hostSandbox="$3"
+    local portSandbox="$4"
+    local hostPublic="$5"
+    local portPublic="$6"
+    local certificateFile="$7"
+    local certificateKey="$8"
+    local caChainFile="$9"
+    local installHttpRedirect="$10"
+
+    yum -y install httpd mod_ssl
+
+    echo > /etc/httpd/conf.d/mailtrain.conf
+
+    if [ "$installHttpRedirect" != "yes" ]; then
+        cat >> /etc/httpd/conf.d/mailtrain.conf <<EOT
+    <VirtualHost ${hostTrusted}:80>
+        ServerName ${hostTrusted}
+
+        ServerSignature Off
+
+        RewriteEngine On
+        RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
+
+        ErrorLog logs/${hostTrusted}_redirect_error.log
+        LogLevel warn
+    </VirtualHost>
+
+    <VirtualHost ${hostSandbox}:80>
+        ServerName ${hostSandbox}
+
+        ServerSignature Off
+
+        RewriteEngine On
+        RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
+
+        ErrorLog logs/${hostSandbox}_redirect_error.log
+        LogLevel warn
+    </VirtualHost>
+
+    <VirtualHost ${hostPublic}:80>
+        ServerName ${hostPublic}
+
+        ServerSignature Off
+
+        RewriteEngine On
+        RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
+
+        ErrorLog logs/${hostPublic}_redirect_error.log
+        LogLevel warn
+    </VirtualHost>
+EOT
+
+        # Enable port 80 on the firewall
+        firewall-cmd --add-port=80/tcp --permanent
+    fi
+
+    cat >> /etc/httpd/conf.d/mailtrain.conf <<EOT
+    <VirtualHost ${hostTrusted}:${portTrusted}>
+        ServerName ${hostTrusted}:${portTrusted}
+
+        ErrorLog logs/${hostTrusted}_ssl_error.log
+        TransferLog logs/${hostTrusted}_ssl_access.log
+        LogLevel warn
+
+        SSLEngine on
+        SSLCertificateFile ${certificateFile}
+        SSLCertificateKeyFile ${certificateKey}
+        SSLCertificateChainFile ${caChainFile}
+
+        ProxyPreserveHost On
+        ProxyPass "/" "http://127.0.0.1:3000/"
+        ProxyPassReverse "/" "http://127.0.0.1:3000/"
+    </VirtualHost>
+
+    <VirtualHost ${hostSandbox}:${portSandbox}>
+        ServerName ${hostSandbox}:${portSandbox}
+
+        ErrorLog logs/${hostSandbox}_ssl_error.log
+        TransferLog logs/${hostSandbox}_ssl_access.log
+        LogLevel warn
+
+        SSLEngine on
+        SSLCertificateFile ${certificateFile}
+        SSLCertificateKeyFile ${certificateKey}
+        SSLCertificateChainFile ${caChainFile}
+
+        ProxyPreserveHost On
+        ProxyPass "/" "http://127.0.0.1:3003/"
+        ProxyPassReverse "/" "http://127.0.0.1:3003/"
+    </VirtualHost>
+
+    <VirtualHost ${hostPublic}:${portPublic}>
+        ServerName ${hostPublic}:${portPublic}
+
+        ErrorLog logs/${hostPublic}_ssl_error.log
+        TransferLog logs/${hostPublic}_ssl_access.log
+        LogLevel warn
+
+        SSLEngine on
+        SSLCertificateFile ${certificateFile}
+        SSLCertificateKeyFile ${certificateKey}
+        SSLCertificateChainFile ${caChainFile}
+
+        ProxyPreserveHost On
+        ProxyPass "/" "http://127.0.0.1:3004/"
+        ProxyPassReverse "/" "http://127.0.0.1:3004/"
+    </VirtualHost>
+EOT
+
+
+    # Enable and start httpd
+    systemctl start httpd
+    systemctl enable httpd
+
+    # Enable SSL ports on the firewall
+    for port in "${portTrusted}/tcp" "${portSandbox}/tcp" "${portPublic}/tcp"; do
+        firewall-cmd --add-port=$port --permanent
+    done
+
+    # Activate the firefall settings
+    firewall-cmd --reload
+}
+
+
+function createCertificates {
+    local hostTrusted="$1"
+    local hostSandbox="$2"
+    local hostPublic="$3"
+    local email="$4"
+
+    yum install -y certbot
+
+    # Temporarily enable port 80 on the firewall
+    firewall-cmd --add-port=80/tcp
+
+    certbot certonly --agree-tos --email "${email}" --standalone -n -d "${hostPublic}" -d "${hostTrusted}" -d "${hostSandbox}"
+
+    # Revert firewall to original state
+    firewall-cmd --reload
+}
+
--- a/setup/install-centos7-https.sh
+++ b/setup/install-centos7-https.sh
@ -0,0 +1,52 @@
+#!/bin/bash
+
+# This installation script works on CentOS 7
+# Run as root!
+
+if [[ $EUID -ne 0 ]]; then
+   echo "This script must be run as root" 1>&2
+   exit 1
+fi
+
+set -e
+
+SCRIPT_PATH=$(dirname $(realpath -s $0))
+. $SCRIPT_PATH/functions
+cd $SCRIPT_PATH/..
+
+
+# Help function
+function HELP {
+cat << EOF
+
+Basic usage: install-centos7-https.sh <trusted host> <sandbox host> <public host> <email>
+
+Installs Mailtrain 2 on CentOS 7. This performs installation for external use. It installs Mailtrain, sets up
+a reverse HTTPS proxy using Apache HTTPD, sets up firewall rules, and obtains a certificate from Letsencrypt.
+
+You have to allocate three endpoints for Mailtrain - trusted (admin UI), sandbox (editors for templates), public (subscription forms and archive).
+These endpoints have to differ in hostname. It's fine to host them all from one IP address.
+
+The email is needed by certbot. Please note that by running the script, you agree with Letsencrypt's conditions.
+
+Example: install-centos7-https.sh mailtrain.example.com sbox.mailtrain.example.com mail.example.com admin@example.com
+EOF
+
+  exit 1
+}
+
+if [ $# -lt 4 ]; then
+        echo "Error: incorrect number of parameters."
+        HELP
+fi
+
+hostTrusted="$1"
+hostSandbox="$2"
+hostPublic="$3"
+email="$4"
+
+createCertificates "${hostTrusted}" "${hostSandbox}" "${hostPublic}" "${email}"
+
+installHttps "${hostTrusted}" 443 "${hostSandbox}" 443 "${hostPublic}" 443 "/etc/letsencrypt/live/${hostPublic}/cert.pem" "/etc/letsencrypt/live/${hostPublic}/privkey.pem" "/etc/letsencrypt/live/${hostPublic}/chain.pem" ""
+
+installBase "https://${hostTrusted}" "https://${hostSandbox}" "https://${hostPublic}" "${email}"
--- a/setup/install-centos7-local.sh
+++ b/setup/install-centos7-local.sh
@ -0,0 +1,38 @@
+#!/bin/bash
+
+# This installation script works on CentOS 7
+# Run as root!
+
+if [[ $EUID -ne 0 ]]; then
+   echo "This script must be run as root" 1>&2
+   exit 1
+fi
+
+set -e
+
+SCRIPT_PATH=$(dirname $(realpath -s $0))
+. $SCRIPT_PATH/functions
+cd $SCRIPT_PATH/..
+
+
+# Help function
+function HELP {
+cat << EOF
+
+Basic usage: install-centos7-local.sh
+
+Installs Mailtrain 2 on CentOS 7. This performs installation for local use on HTTP ports 3000, 3003, 3004. If you want
+to make these ports available from outside, setup an HTTPS proxy yourself or use install-centos7-https.sh instead.
+
+Example: install-centos7-local.sh
+EOF
+
+  exit 1
+}
+
+if [ $# -lt 0 ]; then
+        echo "Error: incorrect number of parameters."
+        HELP
+fi
+
+installBase http://localhost:3000 http://localhost:3003 http://localhost:3004