mailtrain/setup/functions

# This is not a standalone script. It provides common functions to server-*.sh scripts

if hash firewall-cmd 2>/dev/null; then
    firewallCmdExists=yes
fi

function installPrerequisities {
    yum -y install epel-release

    curl --silent --location https://rpm.nodesource.com/setup_10.x | bash -
    cat > /etc/yum.repos.d/mongodb-org.repo <<EOT
[mongodb-org-4.0]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/\$releasever/mongodb-org/4.0/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-4.0.asc
EOT

    yum -y install mariadb-server nodejs ImageMagick git python redis pwgen bind-utils gcc-c++ make mongodb-org bzip2

    systemctl start mariadb
    systemctl enable mariadb

    systemctl start redis
    systemctl enable redis

    systemctl start mongod
    systemctl enable mongod
}


function installMailtrain {
    local urlBaseTrusted="$1"
    local urlBaseSandbox="$2"
    local urlBasePublic="$3"
    local wwwHost="$4"

    mysqlPassword=`pwgen 12 -1`
    mysqlRoPassword=`pwgen 12 -1`
    
    # Setup MySQL user for Mailtrain
    mysql -u root -e "CREATE USER 'mailtrain'@'localhost' IDENTIFIED BY '$mysqlPassword';"
    mysql -u root -e "GRANT ALL PRIVILEGES ON mailtrain.* TO 'mailtrain'@'localhost';"
    mysql -u root -e "CREATE USER 'mailtrain_ro'@'localhost' IDENTIFIED BY '$mysqlRoPassword';"
    mysql -u root -e "GRANT SELECT ON mailtrain.* TO 'mailtrain_ro'@'localhost';"
    mysql -u mailtrain --password="$mysqlPassword" -e "CREATE database mailtrain;"
    
    # Add new user for the mailtrain daemon to run as
    useradd mailtrain || true
    
    # Setup installation configuration
    cat > server/config/production.yaml <<EOT
user: mailtrain
group: mailtrain
roUser: nobody
roGroup: nobody

www:
  host: $wwwHost
  secret: "`pwgen -1`"
  trustedUrlBase: $urlBaseTrusted
  sandboxUrlBase: $urlBaseSandbox
  publicUrlBase: $urlBasePublic


mysql:
  password: "$mysqlPassword"

redis:
  enabled: true

log:
  level: info

builtinZoneMTA:
  log:
    level: warn

queue:
  processes: 5
EOT
    
    cat >> server/services/workers/reports/config/production.yaml <<EOT
log:
  level: warn

mysql:
  user: mailtrain_ro
  password: "$mysqlRoPassword"
EOT
    
    # Install required node packages
    for idx in client shared server zone-mta; do
        (cd $idx && npm install)
    done
    
    (cd client && npm run build)
    
    chown -R mailtrain:mailtrain .
    chmod o-rwx server/config
    
    # Setup log rotation to not spend up entire storage on logs
    cat <<EOT > /etc/logrotate.d/mailtrain
/var/log/mailtrain.log {
    daily
    rotate 12
    compress
    delaycompress
    missingok
    notifempty
    copytruncate
    nomail
}
EOT
    
    # Set up systemd service script
    cp setup/mailtrain-centos7.service /etc/systemd/system/mailtrain.service
    systemctl enable mailtrain.service
    
    # Start the service
    systemctl daemon-reload
    
    systemctl start mailtrain.service

    echo
    echo
    echo "Success! Open http://$urlBaseTrusted/ and login as admin:test"

    if [ -z "$firewallCmdExists" ]; then
        echo "Note that firewall was not setup because firewall-cmd is missing on your system. Please make sure your firewall is correctly setup. If you are on AWS, this means to enable HTTPS and HTTP in your security group."
    fi
}



function installHttps {
    local hostTrusted="$1"
    local portTrusted="$2"
    local hostSandbox="$3"
    local portSandbox="$4"
    local hostPublic="$5"
    local portPublic="$6"
    local certificateFile="$7"
    local certificateKey="$8"
    local caChainFile="$9"

    yum -y install httpd mod_ssl

    echo > /etc/httpd/conf.d/mailtrain.conf

    cat >> /etc/httpd/conf.d/mailtrain.conf <<EOT
<VirtualHost *:80>
    ServerName ${hostTrusted}

    ServerSignature Off

    RewriteEngine On
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]

    ErrorLog logs/${hostTrusted}_redirect_error.log
    LogLevel warn
</VirtualHost>

<VirtualHost *:80>
    ServerName ${hostSandbox}

    ServerSignature Off

    RewriteEngine On
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]

    ErrorLog logs/${hostSandbox}_redirect_error.log
    LogLevel warn
</VirtualHost>

<VirtualHost *:80>
    ServerName ${hostPublic}

    ServerSignature Off

    RewriteEngine On
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]

    ErrorLog logs/${hostPublic}_redirect_error.log
    LogLevel warn
</VirtualHost>

EOT

    if [ -n "$firewallCmdExists" ]; then
        # Enable port 80 on the firewall
        firewall-cmd --add-port=80/tcp --permanent
    fi

    cat >> /etc/httpd/conf.d/mailtrain.conf <<EOT
<VirtualHost *:${portTrusted}>
    ServerName ${hostTrusted}:${portTrusted}

    ErrorLog logs/${hostTrusted}_ssl_error.log
    TransferLog logs/${hostTrusted}_ssl_access.log
    LogLevel warn

    SSLEngine on
    SSLCertificateFile ${certificateFile}
    SSLCertificateKeyFile ${certificateKey}
    SSLCertificateChainFile ${caChainFile}

    ProxyPreserveHost On
    ProxyPass "/" "http://127.0.0.1:3000/"
    ProxyPassReverse "/" "http://127.0.0.1:3000/"
</VirtualHost>

<VirtualHost *:${portSandbox}>
    ServerName ${hostSandbox}:${portSandbox}

    ErrorLog logs/${hostSandbox}_ssl_error.log
    TransferLog logs/${hostSandbox}_ssl_access.log
    LogLevel warn

    SSLEngine on
    SSLCertificateFile ${certificateFile}
    SSLCertificateKeyFile ${certificateKey}
    SSLCertificateChainFile ${caChainFile}

    ProxyPreserveHost On
    ProxyPass "/" "http://127.0.0.1:3003/"
    ProxyPassReverse "/" "http://127.0.0.1:3003/"
</VirtualHost>

<VirtualHost *:${portPublic}>
    ServerName ${hostPublic}:${portPublic}

    ErrorLog logs/${hostPublic}_ssl_error.log
    TransferLog logs/${hostPublic}_ssl_access.log
    LogLevel warn

    SSLEngine on
    SSLCertificateFile ${certificateFile}
    SSLCertificateKeyFile ${certificateKey}
    SSLCertificateChainFile ${caChainFile}

    ProxyPreserveHost On
    ProxyPass "/" "http://127.0.0.1:3004/"
    ProxyPassReverse "/" "http://127.0.0.1:3004/"
</VirtualHost>
EOT


    # Enable and start httpd
    systemctl start httpd
    systemctl enable httpd

    if [ -n "$firewallCmdExists" ]; then
        # Enable SSL ports on the firewall
        for port in "${portTrusted}/tcp" "${portSandbox}/tcp" "${portPublic}/tcp"; do
            firewall-cmd --add-port=$port --permanent
        done

        # Activate the firefall settings
        firewall-cmd --reload
    fi
}


function createCertificates {
    # This assumes that HTTPD is not yet running

    local hostTrusted="$1"
    local hostSandbox="$2"
    local hostPublic="$3"
    local email="$4"

    yum install -y certbot

    if [ -n "$firewallCmdExists" ]; then
        # Temporarily enable port 80 on the firewall
        firewall-cmd --add-port=80/tcp
    fi

    certbot certonly --agree-tos --email "${email}" --standalone -n -d "${hostPublic}" -d "${hostTrusted}" -d "${hostSandbox}"

    # Install cron
    echo "0 3 * * * /usr/bin/certbot certonly --apache -n -d \"${hostPublic}\" -d \"${hostTrusted}\" -d \"${hostSandbox}\"" > crontab
    crontab crontab
    rm -rf crontab

    if [ -n "$firewallCmdExists" ]; then
        # Revert firewall to original state
        firewall-cmd --reload
    fi
}


function installService {
    cat > /etc/systemd/system/mailtrain.service <<EOT
[Unit]
Description=Mailtrain server
After=syslog.target network.target mariadb.service redis.service mongod.service

[Service]
Environment="NODE_ENV=production"
WorkingDirectory=/opt/mailtrain/server
ExecStart=/usr/bin/node index.js
Type=simple
Restart=always
RestartSec=10

[Install]
WantedBy=multi-user.target
EOT

    systemctl daemon-reload
}