WiP on install scripts

This commit is contained in:
Tomas Bures 2018-12-24 15:41:10 +00:00
parent dcc5b18058
commit a6c7e6327b
3 changed files with 467 additions and 0 deletions

377
setup/functions.sh Normal file
View file

@ -0,0 +1,377 @@
# This is not a standalone script. It provides common functions to server-*.sh scripts
function installBase {
local urlBaseTrusted="$1"
local urlBaseSandbox="$2"
local urlBasePublic="$3"
yum -y install epel-release
curl --silent --location https://rpm.nodesource.com/setup_11.x | bash -
cat > /etc/yum.repos.d/mongodb-org.repo <<EOT
[mongodb-org-4.0]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/\$releasever/mongodb-org/4.0/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-4.0.asc
EOT
yum -y install mariadb-server nodejs ImageMagick git python redis pwgen bind-utils gcc-c++ make mongodb-org
systemctl start mariadb
systemctl enable mariadb
systemctl start redis
systemctl enable redis
systemctl start mongod
systemctl enable mongod
mysqlPassword=`pwgen 12 -1`
mysqlRoPassword=`pwgen 12 -1`
# Setup MySQL user for Mailtrain
mysql -u root -e "CREATE USER 'mailtrain'@'localhost' IDENTIFIED BY '$mysqlPassword';"
mysql -u root -e "GRANT ALL PRIVILEGES ON mailtrain.* TO 'mailtrain'@'localhost';"
mysql -u root -e "CREATE USER 'mailtrain_ro'@'localhost' IDENTIFIED BY '$mysqlRoPassword';"
mysql -u root -e "GRANT SELECT ON mailtrain.* TO 'mailtrain_ro'@'localhost';"
mysql -u mailtrain --password="$mysqlPassword" -e "CREATE database mailtrain;"
# Add new user for the mailtrain daemon to run as
useradd mailtrain || true
# Setup installation configuration
cat > server/config/production.yaml <<EOT
user: mailtrain
group: mailtrain
roUser: nobody
roGroup: nobody
www:
secret: "`pwgen -1`"
trustedUrlBase: $urlBaseTrusted
sandboxUrlBase: $urlBaseSandbox
publicUrlBase: $urlBasePublic
mysql:
password: "$mysqlPassword"
redis:
enabled: true
log:
level: warn
builtinZoneMTA:
log:
level: info
queue:
processes: 5
EOT
cat >> server/services/workers/reports/config/production.yaml <<EOT
log:
level: warn
mysql:
user: mailtrain_ro
password: "$mysqlRoPassword"
EOT
# Install required node packages
for idx in client shared server zone-mta; do
(cd $idx && npm install)
done
(cd client && npm run build)
chown -R mailtrain:mailtrain .
chmod o-rwx server/config
# Setup log rotation to not spend up entire storage on logs
cat <<EOM > /etc/logrotate.d/mailtrain
/var/log/mailtrain.log {
daily
rotate 12
compress
delaycompress
missingok
notifempty
copytruncate
nomail
}
EOM
# Set up systemd service script
cp setup/mailtrain-centos7.service /etc/systemd/system/mailtrain.service
systemctl enable mailtrain.service
# Start the service
systemctl daemon-reload
systemctl start mailtrain.service
echo "Success! Open http://$urlBaseTrusted/"
echo "If this is a fresh installation, log in as admin:test". If this is an upgrade over existing Mailtrain DB, use the original admin password."
}
function installHttps {
local hostTrusted="$1"
local portTrusted="$2"
local hostSandbox="$3"
local portSandbox="$4"
local hostPublic="$5"
local portPublic="$6"
local certificateFile="$7"
local certificateKey="$8"
local caChainFile="$9"
local skipHttpRedirect="$10"
echo > /etc/httpd/conf.d/mailtrain.conf
if [ "$skipHttpRedirect" = "--skip-http-redirect" ]; then
cat >> /etc/httpd/conf.d/mailtrain.conf <<EOT
<VirtualHost ${hostTrusted}:80>
ServerName ${hostTrusted}
ServerSignature Off
RewriteEngine On
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
ErrorLog logs/${hostTrusted}_redirect_error.log
LogLevel warn
</VirtualHost>
<VirtualHost ${hostSandbox}:80>
ServerName ${hostSandbox}
ServerSignature Off
RewriteEngine On
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
ErrorLog logs/${hostSandbox}_redirect_error.log
LogLevel warn
</VirtualHost>
<VirtualHost ${hostPublic}:80>
ServerName ${hostPublic}
ServerSignature Off
RewriteEngine On
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
ErrorLog logs/${hostPublic}_redirect_error.log
LogLevel warn
</VirtualHost>
EOT
fi
cat >> /etc/httpd/conf.d/mailtrain.conf <<EOT
<VirtualHost ${hostTrusted}:${portTrusted}>
ServerName ${hostTrusted}:${portTrusted}
ErrorLog logs/${hostTrusted}_ssl_error.log
TransferLog logs/${hostTrusted}_ssl_access.log
LogLevel warn
SSLEngine on
SSLCertificateFile ${certificateFile}
SSLCertificateKeyFile ${certificateKey}
SSLCertificateChainFile ${caChainFile}
ProxyPreserveHost On
ProxyPass "/" "http://127.0.0.1:3000/"
ProxyPassReverse "/" "http://127.0.0.1:3000/"
</VirtualHost>
<VirtualHost ${hostSandbox}:${portSandbox}>
ServerName ${hostSandbox}:${portSandbox}
ErrorLog logs/${hostSandbox}_ssl_error.log
TransferLog logs/${hostSandbox}_ssl_access.log
LogLevel warn
SSLEngine on
SSLCertificateFile ${certificateFile}
SSLCertificateKeyFile ${certificateKey}
SSLCertificateChainFile ${caChainFile}
ProxyPreserveHost On
ProxyPass "/" "http://127.0.0.1:3003/"
ProxyPassReverse "/" "http://127.0.0.1:3003/"
</VirtualHost>
<VirtualHost ${hostPublic}:${portPublic}>
ServerName ${hostPublic}:${portPublic}
ErrorLog logs/${hostPublic}_ssl_error.log
TransferLog logs/${hostPublic}_ssl_access.log
LogLevel warn
SSLEngine on
SSLCertificateFile ${certificateFile}
SSLCertificateKeyFile ${certificateKey}
SSLCertificateChainFile ${caChainFile}
ProxyPreserveHost On
ProxyPass "/" "http://127.0.0.1:3004/"
ProxyPassReverse "/" "http://127.0.0.1:3004/"
</VirtualHost>
EOT
}
function installHttps {
local hostTrusted="$1"
local portTrusted="$2"
local hostSandbox="$3"
local portSandbox="$4"
local hostPublic="$5"
local portPublic="$6"
local certificateFile="$7"
local certificateKey="$8"
local caChainFile="$9"
local installHttpRedirect="$10"
yum -y install httpd mod_ssl
echo > /etc/httpd/conf.d/mailtrain.conf
if [ "$installHttpRedirect" != "yes" ]; then
cat >> /etc/httpd/conf.d/mailtrain.conf <<EOT
<VirtualHost ${hostTrusted}:80>
ServerName ${hostTrusted}
ServerSignature Off
RewriteEngine On
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
ErrorLog logs/${hostTrusted}_redirect_error.log
LogLevel warn
</VirtualHost>
<VirtualHost ${hostSandbox}:80>
ServerName ${hostSandbox}
ServerSignature Off
RewriteEngine On
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
ErrorLog logs/${hostSandbox}_redirect_error.log
LogLevel warn
</VirtualHost>
<VirtualHost ${hostPublic}:80>
ServerName ${hostPublic}
ServerSignature Off
RewriteEngine On
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
ErrorLog logs/${hostPublic}_redirect_error.log
LogLevel warn
</VirtualHost>
EOT
# Enable port 80 on the firewall
firewall-cmd --add-port=80/tcp --permanent
fi
cat >> /etc/httpd/conf.d/mailtrain.conf <<EOT
<VirtualHost ${hostTrusted}:${portTrusted}>
ServerName ${hostTrusted}:${portTrusted}
ErrorLog logs/${hostTrusted}_ssl_error.log
TransferLog logs/${hostTrusted}_ssl_access.log
LogLevel warn
SSLEngine on
SSLCertificateFile ${certificateFile}
SSLCertificateKeyFile ${certificateKey}
SSLCertificateChainFile ${caChainFile}
ProxyPreserveHost On
ProxyPass "/" "http://127.0.0.1:3000/"
ProxyPassReverse "/" "http://127.0.0.1:3000/"
</VirtualHost>
<VirtualHost ${hostSandbox}:${portSandbox}>
ServerName ${hostSandbox}:${portSandbox}
ErrorLog logs/${hostSandbox}_ssl_error.log
TransferLog logs/${hostSandbox}_ssl_access.log
LogLevel warn
SSLEngine on
SSLCertificateFile ${certificateFile}
SSLCertificateKeyFile ${certificateKey}
SSLCertificateChainFile ${caChainFile}
ProxyPreserveHost On
ProxyPass "/" "http://127.0.0.1:3003/"
ProxyPassReverse "/" "http://127.0.0.1:3003/"
</VirtualHost>
<VirtualHost ${hostPublic}:${portPublic}>
ServerName ${hostPublic}:${portPublic}
ErrorLog logs/${hostPublic}_ssl_error.log
TransferLog logs/${hostPublic}_ssl_access.log
LogLevel warn
SSLEngine on
SSLCertificateFile ${certificateFile}
SSLCertificateKeyFile ${certificateKey}
SSLCertificateChainFile ${caChainFile}
ProxyPreserveHost On
ProxyPass "/" "http://127.0.0.1:3004/"
ProxyPassReverse "/" "http://127.0.0.1:3004/"
</VirtualHost>
EOT
# Enable and start httpd
systemctl start httpd
systemctl enable httpd
# Enable SSL ports on the firewall
for port in "${portTrusted}/tcp" "${portSandbox}/tcp" "${portPublic}/tcp"; do
firewall-cmd --add-port=$port --permanent
done
# Activate the firefall settings
firewall-cmd --reload
}
function createCertificates {
local hostTrusted="$1"
local hostSandbox="$2"
local hostPublic="$3"
local email="$4"
yum install -y certbot
# Temporarily enable port 80 on the firewall
firewall-cmd --add-port=80/tcp
certbot certonly --agree-tos --email "${email}" --standalone -n -d "${hostPublic}" -d "${hostTrusted}" -d "${hostSandbox}"
# Revert firewall to original state
firewall-cmd --reload
}

View file

@ -0,0 +1,52 @@
#!/bin/bash
# This installation script works on CentOS 7
# Run as root!
if [[ $EUID -ne 0 ]]; then
echo "This script must be run as root" 1>&2
exit 1
fi
set -e
SCRIPT_PATH=$(dirname $(realpath -s $0))
. $SCRIPT_PATH/functions
cd $SCRIPT_PATH/..
# Help function
function HELP {
cat << EOF
Basic usage: install-centos7-https.sh <trusted host> <sandbox host> <public host> <email>
Installs Mailtrain 2 on CentOS 7. This performs installation for external use. It installs Mailtrain, sets up
a reverse HTTPS proxy using Apache HTTPD, sets up firewall rules, and obtains a certificate from Letsencrypt.
You have to allocate three endpoints for Mailtrain - trusted (admin UI), sandbox (editors for templates), public (subscription forms and archive).
These endpoints have to differ in hostname. It's fine to host them all from one IP address.
The email is needed by certbot. Please note that by running the script, you agree with Letsencrypt's conditions.
Example: install-centos7-https.sh mailtrain.example.com sbox.mailtrain.example.com mail.example.com admin@example.com
EOF
exit 1
}
if [ $# -lt 4 ]; then
echo "Error: incorrect number of parameters."
HELP
fi
hostTrusted="$1"
hostSandbox="$2"
hostPublic="$3"
email="$4"
createCertificates "${hostTrusted}" "${hostSandbox}" "${hostPublic}" "${email}"
installHttps "${hostTrusted}" 443 "${hostSandbox}" 443 "${hostPublic}" 443 "/etc/letsencrypt/live/${hostPublic}/cert.pem" "/etc/letsencrypt/live/${hostPublic}/privkey.pem" "/etc/letsencrypt/live/${hostPublic}/chain.pem" ""
installBase "https://${hostTrusted}" "https://${hostSandbox}" "https://${hostPublic}" "${email}"

View file

@ -0,0 +1,38 @@
#!/bin/bash
# This installation script works on CentOS 7
# Run as root!
if [[ $EUID -ne 0 ]]; then
echo "This script must be run as root" 1>&2
exit 1
fi
set -e
SCRIPT_PATH=$(dirname $(realpath -s $0))
. $SCRIPT_PATH/functions
cd $SCRIPT_PATH/..
# Help function
function HELP {
cat << EOF
Basic usage: install-centos7-local.sh
Installs Mailtrain 2 on CentOS 7. This performs installation for local use on HTTP ports 3000, 3003, 3004. If you want
to make these ports available from outside, setup an HTTPS proxy yourself or use install-centos7-https.sh instead.
Example: install-centos7-local.sh
EOF
exit 1
}
if [ $# -lt 0 ]; then
echo "Error: incorrect number of parameters."
HELP
fi
installBase http://localhost:3000 http://localhost:3003 http://localhost:3004