Commit 87f4e597 authored by Aral Balkan's avatar Aral Balkan

Initial add.

#!/bin/bash
################################################################################
#
# Sets up the Better Archive Site.
#
# For Ubuntu 14.04. Not designed for/tested on any other operating system.
#
# Prerequisites:
#
# Requires a server with git. You will need git
# to clone this repo so this should not be an unexpected requirement:
#
# sudo apt-get update
# sudo apt-get install git
#
# Usage:
#
# git clone git@source.ind.ie:blockdown/site-server-setup.git
# cd site-server-setup
#
# ./install
#
################################################################################
# Abort on errors.
set -e
# ANSI character codes
ansiBoldStart='\033[1m'
ansiBoldEnd='\033[22m'
ansiForegroundBlack='\033[30m'
ansiForegroundDefault='\033[39m'
ansiBackgroundBlue='\033[44m'
ansiBackgroundYellow='\033[43m'
ansiBackgroundDefault='\033[49m'
echo -e "\n───────────────────────────────────────────────────────────────────────"
echo -e "${ansiBackgroundBlue}${ansiForegroundBlack} Better Archive Server Setup ${ansiBackgroundDefault}${ansiForegroundDefault}"
echo -e "───────────────────────────────────────────────────────────────────────\n"
# Check for commandline arguments.
# -s: Use Let’s Encrypt *staging server*. Useful when testing the
# deployment script so that we don’t hit the rate limits.
letsEncryptServer='default'
letsEncryptServerURL='https:\/\/acme-v01.api.letsencrypt.org\/directory' # default: live
curlSecurity=''
while getopts ":s" opt; do
case $opt in
s)
# Set the server URL to use the staging server.
letsEncryptServer='staging'
letsEncryptServerURL='https:\/\/acme-staging.api.letsencrypt.org\/directory'
curlSecurity='--insecure'
;;
\?)
echo "Invalid option: -$OPTARG" >&2
;;
esac
done
echo -e " ┌────────────────────────────────────────┐"
echo -e " │ Using Let’s Encrypt ${ansiBoldStart}${letsEncryptServer}${ansiBoldEnd} server. │"
echo -e " └────────────────────────────────────────┘\n"
#
# Configuration options.
#
echo -e "1. Configuration options (all defaults are for better.fyi).\n"
#
# Prompt for configuration (With defaults set for better.fyi.)
# Note: defaults are Bash 3-compatible on purpose.
#
# The server names to use in /etc/nginx/sites-available/(http.conf|https.conf)
#
# In your DNS configuration, create an alias (A record; IP address) to point to archive.better.fyi.
#
read -e -p " ▸ Server name (archive.better.fyi): " serverName
serverName=${serverName:-archive.better.fyi}
echo -e "Thank you, I have all the information I need to set up the Better web site.\n"
echo -e "Checking for previously-installed components…"
#
# If an installation already exists, remove it.
# (This is to aid in testing the script and should not be relied on for actual server commissioning.)
#
if [ -d /etc/nginx ]; then
# Remove nginx if it exists
echo " * [Cleanup] Removing existing nginx installation…\n"
sudo apt-get purge -y nginx
sudo apt-get autoremove -y --purge nginx
sudo rm -rf /etc/nginx
fi
if hash /etc/letsencrypt/letsencrypt.sh 2>/dev/null; then
# Remove letsencrypt.sh script if it exists.
echo " * [Cleanup] Removing existing letencrypt.sh script.\n"
sudo rm -rf /etc/letsencrypt
fi
if [ -d /var/www ]; then
# Remove the www folder we created earlier.
echo " * [Cleanup] Removing the /var/www folder…\n"
sudo rm -rf /var/www
fi
if [ -f /etc/cron.weekly/letsencrypt-auto-renew-certificate.sh ]; then
# Remove the cron task.
echo " * [Cleanup] Removing the cron task…\n"
sudo rm /etc/cron.weekly/letsencrypt-auto-renew-certificate.sh
fi
echo " * Done."
#
# Start the installation.
#
echo -e "Configuring the Better Archive site…\n"
#
# Set up nginx
#
echo -e "Setting up nginx…\n"
# Install nginx
sudo apt-get update
sudo apt-get -y install nginx
echo -e " * Creating the http & https site settings templates…"
# Copy over the setting templates.
sudo cp ./nginx/http.conf.template /etc/nginx/sites-available/http.conf
sudo cp ./nginx/https.conf.template /etc/nginx/sites-available/https.conf
echo -e " * Carrying out site settings template substitutions…"
# Carry out template substitutions.
sudo sed -i "s/{SERVER_NAMES}/${serverName}/g" /etc/nginx/sites-available/http.conf
sudo sed -i "s/{SERVER_NAMES}/${serverName}/g" /etc/nginx/sites-available/https.conf
#
# Configure TLS using Let’s Encrypt
#
# Based on instructions at:
# http://blog.thesparktree.com/post/138452017979/automating-ssl-certificates-using-nginx
#
echo -e "Configuring TLS using Let’s Encrypt"
echo " * Installing letsencrypt.sh dependencies (if necessary)…"
sudo apt-get install -y openssl curl sed grep mktemp git
echo " * Installing letsencrypt.sh…"
sudo git clone https://github.com/lukas2511/letsencrypt.sh.git /etc/letsencrypt
sudo chmod +x /etc/letsencrypt/letsencrypt.sh
echo " * Creating ACME challenges folder and symlinking it for nginx’s use…"
sudo mkdir -p /etc/letsencrypt/.acme-challenges
sudo mkdir -p /var/www/
sudo ln -s /etc/letsencrypt/.acme-challenges /var/www/letsencrypt
echo " * Writing out the server domains for the letsencrypt script…"
sudo bash -c "echo \"${serverName}\" > /etc/letsencrypt/domains.txt"
echo " * Copying the letsencrypt.sh configuration file template…"
sudo cp ./letsencrypt/config.sh.template /etc/letsencrypt/config.sh
sudo chmod +x /etc/letsencrypt/config.sh
echo " * Carrying out template substituions in letsencrypt.sh configuration file…"
sudo sed -i "s/{URL}/${letsEncryptServerURL}/g" /etc/letsencrypt/config.sh
sudo sed -i "s/{EMAIL}/${gitAccountEmail}/g" /etc/letsencrypt/config.sh
echo " * Stopping nginx service…"
sudo service nginx stop
echo " * Disabling the default nginx configuration…"
sudo rm /etc/nginx/sites-enabled/default
echo " * Enabling the HTTP endpoint…"
sudo ln -s /etc/nginx/sites-available/http.conf /etc/nginx/sites-enabled/http.conf
echo " * Starting nginx service…"
sudo service nginx start
echo " * Generating the Let’s Encrypt certificates…"
sudo /etc/letsencrypt/letsencrypt.sh --cron
echo " * Enabling the HTTPS endpoint…"
sudo ln -s /etc/nginx/sites-available/https.conf /etc/nginx/sites-enabled/https.conf
echo " * Reloading the nginx service…"
sudo service nginx reload
echo " * Setting up automatic Let‘s Encrypt certificate renewals with weekly expiration checks…"
sudo cp ./letsencrypt/letsencrypt-auto-renew-certificate.sh /etc/cron.weekly/
echo -e "\n ┌───────────────────────────────────────────────────────┐"
echo -e " │ Done! The Better Archive site is now ready for use. │"
echo -e " └───────────────────────────────────────────────────────┘\n"
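Review bot: `sudo sed -i "s/{EMAIL}/${gitAccountEmail}/g" /etc/letsencrypt/config.sh` substitutes a variable this script never assigns — the only prompt is for `serverName` — so with `set -e` but no `-u` the generated config ends up with an empty `CONTACT_EMAIL=` (the `{EMAIL}` placeholder in letsencrypt/config.sh.template). Add a prompt beside the server-name one, `read -e -p " ▸ Contact email for Let’s Encrypt registration: " gitAccountEmail` followed by `: "${gitAccountEmail:?A contact email is required}"`, so the run stops instead of registering with a blank address. The four `sed -i "s/.../${serverName}/g"` lines also splice the operator's input into the pattern unescaped, so a `/` or `&` in the server name silently corrupts the written config, and `sudo bash -c "echo \"${serverName}\" > /etc/letsencrypt/domains.txt"` evaluates that same input as part of a shell command; `printf '%s\n' "$serverName" | sudo tee /etc/letsencrypt/domains.txt >/dev/null` writes the file without passing the value through a command string. `curlSecurity='--insecure'` is set in the `-s` branch but never read anywhere in this file.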
#!/bin/bash
######################################
# letsencrypt.sh configuration file. #
######################################
#
# Live or Staging URL
# (Injected at runtime.)
#
# Live: https://acme-v01.api.letsencrypt.org/directory
# Staging: https://acme-staging.api.letsencrypt.org/directory
#
CA={URL}
#
# The contact email to use during registration.
# (Injected at runtime.)
#
CONTACT_EMAIL={EMAIL}
#!/bin/bash
# Attempt to renew the certificate and reload nginx
sudo /etc/letsencrypt/letsencrypt.sh --cron && service nginx reload
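Review bot: The installer copies this file into /etc/cron.weekly/ with its `.sh` suffix intact, and on Debian/Ubuntu run-parts skips entries whose names contain a dot unless it is invoked with `--lsbsysinit`, so as far as I can tell the renewal job never executes and the certificate lapses after its 90-day lifetime. Install it as `/etc/cron.weekly/letsencrypt-auto-renew-certificate` (no extension) and update the cleanup check at the top of install to the same path. The `sudo` prefix is redundant in a cron.weekly job, which already runs as root, and turns into a failure mode if sudo is absent or requires a tty; `/etc/letsencrypt/letsencrypt.sh --cron && service nginx reload` is sufficient.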
#
# HTTP server
#
# Handles the Let’s Encrypt verification challenge.
server {
listen 80;
server_name {SERVER_NAMES};
location '/.well-known/acme-challenge' {
default_type "text/plain";
alias /var/www/letsencrypt;
}
location / {
return 301 https://$server_name$request_uri;
}
}
#
# Better.fyi Web Site. (HTTPS server.)
#
server {
listen 443;
server_name {SERVER_NAMES};
ssl on;
ssl_certificate /etc/letsencrypt/certs/better.fyi/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/certs/better.fyi/privkey.pem;
# Serve the site from the git repository.
root /home/git/site/;
index index.html index.htm;
# Make site accessible from http://localhost/
server_name localhost;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
# Uncomment to enable naxsi on this location
# include /etc/nginx/naxsi.rules
}
location = /apple-app-site-association {
# The Apple App Site Association file must be served with the
# application/pkcs7-mime type.
# (See http://blog.tapstream.com/ios9-search-universal-links/ and
# validate via https://limitless-sierra-4673.herokuapp.com)
default_type application/pkcs7-mime;
}
# Deny access to hidden files (including the .git folder)
location ~ /\. {
access_log off;
log_not_found off;
deny all;
}
#error_page 404 /404.html;
}
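Review bot: `ssl_certificate /etc/letsencrypt/certs/better.fyi/fullchain.pem;` and the key line under it hard-code better.fyi while `server_name {SERVER_NAMES};` is templated, so any other name entered at the install prompt points nginx at a certificate directory that presumably does not exist (letsencrypt.sh appears to write under certs/<domain>/ — confirm against its docs), and the `service nginx reload` at the end of install fails. Since install substitutes `{SERVER_NAMES}` globally in this file, `ssl_certificate /etc/letsencrypt/certs/{SERVER_NAMES}/fullchain.pem;` and `ssl_certificate_key /etc/letsencrypt/certs/{SERVER_NAMES}/privkey.pem;` keep the two in step for a single-name deployment. The block otherwise relies on nginx's default TLS settings; pinning `ssl_protocols TLSv1.2;` and `ssl_prefer_server_ciphers on;` avoids inheriting whatever the 14.04 package enables by default. The second `server_name localhost;` looks like a leftover from the stock default site and is worth dropping, since the comment above it no longer matches a TLS-only block.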