#!/bin/bash
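# -e: stop on the first unhandled failure; pipefail: a failing producer in a
# pipeline (e.g. a download feeding sh or base64) is no longer masked by the
# last stage succeeding.
set -e -o pipefail

# Required positional arguments:
#   $1  public hostname nginx serves and the certificate is issued for
#   $2  contact e-mail registered with acme.sh
# Both default to "" so the check below can give a usage message instead of the
# later heredocs silently producing half-filled nginx/acme/config files.
DOMAIN=${1:-}
ACME_EMAIL=${2:-}

if [[ "$EUID" -ne 0 ]]; then
  echo -e "\e[31m[FATAL]\e[39m Currently this script requires being ran as root user - please try again as root."
  exit 1
fi

if [[ -z "$DOMAIN" || -z "$ACME_EMAIL" ]]; then
  echo -e "\e[31m[FATAL]\e[39m Usage: $0 <domain> <acme-email>" >&2
  exit 1
fi

# Each run appends a dated banner so successive installs stay separable in the log.
echo -e "\n\nINSTALL LOG FOR Uberbringer: $(date --rfc-3339=seconds)\n" >> /var/log/uberbringer-install.log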
#######################################
# Print a blue [INFO] line to the terminal and append a plain copy to the
# install log.
# Arguments: $1 - message text
# Outputs:   coloured line on stdout; "[INFO] <msg>" appended to
#            /var/log/uberbringer-install.log
#######################################
info() {
  local message=$1
  # %b expands backslash escapes the same way "echo -e" does.
  printf '%b\n' "\e[34m[INFO]\e[39m ${message}"
  printf '%s\n' "[INFO] ${message}" >> /var/log/uberbringer-install.log
}
#######################################
# Debug lines always go to the install log; they are shown on the terminal
# only when the DEBUG environment variable is non-empty.
# Globals:   DEBUG (read)
# Arguments: $1 - message text
#######################################
debug() {
  local message=$1
  if [[ -n "${DEBUG:-}" ]]; then
    printf '%b\n' "\e[96m[DEBUG]\e[39m ${message}"
  fi
  printf '%s\n' "[DEBUG] ${message}" >> /var/log/uberbringer-install.log
}
#######################################
# Print a yellow [WARNING] line and append a plain copy to the install log.
# Arguments: $1 - message text
#######################################
warn() {
  local message=$1
  printf '%b\n' "\e[33m[WARNING]\e[39m ${message}"
  printf '%s\n' "[WARNING] ${message}" >> /var/log/uberbringer-install.log
}
#######################################
# Report an unrecoverable error in red, log it, and terminate the script.
# Arguments: $1 - message text
# Returns:   never; exits with status 1
#######################################
fatal() {
  local message=$1
  printf '%b\n' "\e[31m[FATAL]\e[39m ${message}"
  printf '%s\n' "[FATAL] ${message}" >> /var/log/uberbringer-install.log
  exit 1
}
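#######################################
# Generate a random HMAC key and an HS256 JWT for the "uberbringer" user.
# Globals:   secret (written; the base64 key text, later written to
#            config.toml by install_uberbringer)
#            JWT_TOKEN (written; printed by main)
# Requires:  openssl, base64 and od (coreutils)
#######################################
create_jwt(){
  # Intermediates are local so only secret and JWT_TOKEN leak into the script.
  local jwt_header payload hexsecret hmac_signature

  # base64url: standard base64 with "+/" mapped to "-_" and the "=" padding
  # dropped ("=" only ever appears as trailing padding). -w0 disables line
  # wrapping so a longer input cannot split the token across lines.
  _b64url() { base64 -w0 | tr '+/' '-_' | tr -d '='; }

  jwt_header=$(printf '%s' '{"alg":"HS256","typ":"JWT"}' | _b64url)
  payload=$(printf '%s' '{"user_id":"uberbringer"}' | _b64url)

  # 32 random bytes, base64-encoded. The base64 *text* is what the service is
  # configured with, so the token must be signed with exactly those bytes.
  secret=$(openssl rand -base64 32)
  # Hex-encode the key text for hexkey:. od is in coreutils, so this no longer
  # needs xxd.
  hexsecret=$(printf '%s' "$secret" | od -An -tx1 | tr -d ' \n')

  hmac_signature=$(printf '%s' "${jwt_header}.${payload}" \
    | openssl dgst -sha256 -mac HMAC -macopt "hexkey:${hexsecret}" -binary \
    | _b64url)

  JWT_TOKEN="${jwt_header}.${payload}.${hmac_signature}"
}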
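#######################################
# Install the plain-HTTP nginx vhost that serves the ACME webroot for $DOMAIN.
# Globals:   DOMAIN (read)
# Outputs:   writes under /etc/nginx and /var/www; enables and restarts nginx
#######################################
install_nginx(){
  info "Installing nginx..."

  mkdir -p /etc/nginx/includes
  # The alias below points at this directory and acme.sh later uses it as the
  # webroot (-w); nothing else in the script creates it, so do it here.
  mkdir -p "/var/www/${DOMAIN}"

  cat <<EOT > /etc/nginx/includes/letsencrypt-webroot
location / {
  alias /var/www/${DOMAIN}/;
}
EOT

  # -f: an absent file is not an error (replaces "rm ... || true").
  rm -f /etc/nginx/sites-enabled/default /etc/nginx/sites-available/default

  cat <<EOT > /etc/nginx/sites-available/default.conf
server {
  listen 80;
  listen [::]:80;
  server_name ${DOMAIN};

  include includes/letsencrypt-webroot;
}
EOT

  # -sfn: replace a stale link from a previous run instead of ignoring the failure.
  ln -sfn /etc/nginx/sites-available/default.conf /etc/nginx/sites-enabled/default.conf

  systemctl enable nginx

  debug "Starting Nginx..."
  systemctl restart nginx
}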
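#######################################
# Install acme.sh, issue the certificate for $DOMAIN via the webroot vhost and
# write the HTTPS reverse-proxy vhost in front of the service on 127.0.0.1:8080.
# Globals:   DOMAIN, ACME_EMAIL (read)
# Outputs:   writes under /etc/letsencrypt, /root/.acme.sh and /etc/nginx;
#            restarts nginx
#######################################
install_acmesh() {
  local installer

  mkdir -p "/etc/letsencrypt/live/${DOMAIN}"

  info "Installing Acme.sh..."
  # Fetch the installer to a file and fail loudly instead of "curl | sh": with
  # the pipe a failed download goes unnoticed and the script only dies later on
  # the missing /root/.acme.sh/acme.sh. This still executes remotely fetched
  # code; no checksum or signature for get.acme.sh is available in this script.
  installer=$(mktemp) || fatal "Could not create a temporary file."
  curl -fsSL https://get.acme.sh -o "$installer" || fatal "Could not download the acme.sh installer."
  sh "$installer" "email=${ACME_EMAIL}"
  rm -f -- "$installer"

  info "Issuing SSL Certificate..."
  # --force re-issues even when a valid certificate already exists; handy for
  # reruns, but every issuance counts against the CA's rate limits.
  /root/.acme.sh/acme.sh --issue \
    -w "/var/www/${DOMAIN}" \
    --keypath "/etc/letsencrypt/live/${DOMAIN}/privkey.pem" \
    --fullchainpath "/etc/letsencrypt/live/${DOMAIN}/fullchain.pem" \
    -d "$DOMAIN" \
    --reloadcmd "systemctl restart nginx" \
    --force

  info "Enabling Acme.sh Automatic Upgrade..."
  /root/.acme.sh/acme.sh --upgrade --auto-upgrade || true

  # "ssl on;" is deprecated in nginx in favour of "listen ... ssl". TLS 1.0/1.1
  # and 3DES are dropped from the original protocol/cipher lists: both are
  # deprecated, and TLSv1.2 is supported by all current clients. TLSv1.3 is
  # listed for nginx/OpenSSL builds that support it.
  cat <<EOT > /etc/nginx/sites-available/reverse-proxy.conf
server {
  listen 443 ssl;
  listen [::]:443 ssl;
  server_name ${DOMAIN};

  ssl_certificate /etc/letsencrypt/live/${DOMAIN}/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/${DOMAIN}/privkey.pem;
  ssl_session_cache builtin:1000 shared:SSL:10m;
  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_ciphers 'EECDH+AES128:EECDH+AES256:+SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:!DSS';
  ssl_prefer_server_ciphers on;

  # Set the access log location
  error_log /var/log/nginx/default_error.log;
  access_log /var/log/nginx/default_access.log;

  location / {

    # Set the proxy headers
    proxy_redirect off;
    proxy_pass_request_headers on;
    proxy_set_header Upgrade \$http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host \$http_host;
    proxy_set_header Referer \$http_referer;
    proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto \$scheme;

    # Configure which address the request is proxied to
    proxy_pass http://127.0.0.1:8080/;
    proxy_read_timeout 90;

    # Security headers
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header Referrer-Policy "origin";

  }
}
EOT

  # -sfn: replace a stale link from a previous run instead of ignoring the failure.
  ln -sfn /etc/nginx/sites-available/reverse-proxy.conf /etc/nginx/sites-enabled/reverse-proxy.conf

  debug "Restarting Nginx..."
  # Output is left visible: under set -e a failed restart ends the script, and
  # nginx's own diagnostic is the only hint why.
  systemctl restart nginx
}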
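#######################################
# Write /etc/uberbringer/config.toml and the systemd unit, fetch the release
# tarball into /usr/local/bin and start the service.
# Globals:   secret (read; the API key generated by create_jwt)
# Outputs:   writes under /etc/uberbringer, /usr/local/bin and
#            /etc/systemd/system; enables and starts uberbringer.service
#######################################
install_uberbringer(){
  local workdir

  info "Installing Uberbringer web service..."
  mkdir -p /etc/uberbringer

  info "Creating Uberbringer config..."
  # The config carries the API secret, so create it root-only (0600) before
  # filling it instead of leaving it world-readable under the default umask.
  install -m 600 /dev/null /etc/uberbringer/config.toml
  cat <<EOT > /etc/uberbringer/config.toml
[webserver]
bind_ip = "127.0.0.1"
port = 8080

[api]
secret = "$secret"
EOT

  info "Downloading uberbringer_linux_amd64..."
  workdir=$(mktemp -d) || fatal "Could not create a temporary directory."
  # curl is a checked prerequisite of main() while wget is never installed by
  # this script, so fetch with curl. -f turns an HTTP error into a failure
  # instead of saving the error page as the tarball, and the failure is
  # reported rather than swallowed with "|| true".
  # NOTE(review): the "latest" tarball is unpacked into /usr/local/bin without
  # any checksum or signature check; none is referenced in this script.
  curl -fL -o "${workdir}/uberbringer_linux_amd64.tar" \
    https://git.anomalous.dev/57_Wolve/uberbringer/releases/download/latest/uberbringer_linux_amd64.tar \
    || fatal "Could not download uberbringer_linux_amd64.tar."

  tar xvf "${workdir}/uberbringer_linux_amd64.tar" -C /usr/local/bin/
  # The original removed "...tar.gz", a name that never matched the ".tar" it
  # downloaded, so the archive was left behind in the working directory.
  rm -rf -- "${workdir:?}"

  chmod u+x /usr/local/bin/uberbringer

  info "Creating uberbringer.service..."
  # NOTE(review): the unit runs as root; a dedicated service user would be
  # preferable once the binary's file and port needs are known. PIDFile points
  # into /var/run/uberbringer/, which nothing here creates - confirm the binary
  # writes it, or drop the line.
  cat <<EOT > /etc/systemd/system/uberbringer.service
[Unit]
Description=Uberbringer Daemon
Wants=network-online.target
After=network.target network-online.target

[Service]
User=root
WorkingDirectory=/etc/uberbringer
LimitNOFILE=4096
PIDFile=/var/run/uberbringer/daemon.pid
ExecStart=/usr/local/bin/uberbringer
Restart=on-failure
StartLimitInterval=600

[Install]
WantedBy=multi-user.target
EOT

  # Best-effort as before, but say so instead of hiding the failure with "|| true".
  systemctl daemon-reload || warn "systemctl daemon-reload failed."
  systemctl enable uberbringer || warn "Could not enable uberbringer.service."

  debug "Starting Uberbringer Web Service..."
  systemctl start uberbringer || warn "uberbringer.service did not start - check 'journalctl -u uberbringer'."
}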
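#######################################
# Entry point: install prerequisites, verify they are usable, then run the
# install steps in dependency order (JWT -> nginx -> certificate -> service).
# Globals:   JWT_TOKEN (read, set by create_jwt)
# Outputs:   progress lines; the API token is printed once on stdout at the end
#######################################
main() {
  local tool

  info "Script loaded, starting the install process..."

  info "Installing curl, socat, xxd, and nginx..."
  # apt-get is the stable scripting interface; report the failure instead of
  # letting set -e abort with the output hidden.
  DEBIAN_FRONTEND=noninteractive apt-get install -y nginx curl openssl xxd socat > /dev/null 2>&1 \
    || fatal "Package installation failed - run 'apt-get install -y nginx curl openssl xxd socat' manually and rerun the script."

  # One loop instead of four copies; each message names the tool actually
  # checked (the original reported "curl" for a missing nginx).
  for tool in nginx openssl curl socat; do
    if [[ ! -x "$(command -v "$tool")" ]]; then
      fatal "Couldn't find ${tool} installed on the system - please install it first and rerun the script."
    fi
  done

  create_jwt
  install_nginx
  install_acmesh
  install_uberbringer

  info "Uberbringer Service is now installed, install script finished."
  # Printed directly rather than via info() so the token is shown once and is
  # not appended to the install log.
  echo -e "\e[34m[INFO]\e[39m API Token: $JWT_TOKEN"
}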
# Run the installer; main ignores its arguments (DOMAIN/ACME_EMAIL are read at
# file scope), so forwarding them is harmless and keeps the usual idiom.
main "$@"