REPOSITORY_NAME='LegacyPlayersV3' REPOSITORY='https://github.com/Geigerkind/LegacyPlayersV3' DOMAIN='legacyplayers.com' HOST_USER='root' BACKEND_USER='rpll' HOST_IP='78.46.41.90' DB_PASSWORD=$(cat /root/Keys/db_password) function fixCertificates { if [ ! -f "/etc/ssl/certs/ca-certificates.crt" ]; then cd /etc/ssl/certs cat *.pem >> ca-certificates.crt cd ~ fi } function initCertificates { pacman -S --noconfirm certbot python certbot-dns-ovh # See: https://certbot-dns-ovh.readthedocs.io/en/stable/ chmod -R 600 ~/Keys/ovh.ini # Requires user input certbot certonly --dns-ovh --dns-ovh-credentials ~/Keys/ovh.ini -d ${DOMAIN} -d smtp.${DOMAIN} } function installZopfli { git clone https://github.com/google/zopfli cd zopfli make zopflipng cp zopflipng /usr/bin/ cd .. rm -rf zopfli } function initNginx { pacman -S --noconfirm nginx nginx-mod-brotli cp ~/${REPOSITORY_NAME}/Deploy/conf/nginx.conf /etc/nginx/ mkdir -p /var/www/html systemctl enable nginx systemctl start nginx } function initMariaDb { pacman -S --noconfirm mariadb mysql_install_db --user=mysql --basedir=/usr --datadir=/var/lib/mysql cp ~/${REPOSITORY_NAME}/Deploy/conf/my.cnf /etc/ systemctl enable mysqld systemctl start mysqld mysql -u root mysql -e "CREATE USER 'rpll' IDENTIFIED BY '${DB_PASSWORD}'" mysql -u root mysql -e "GRANT USAGE ON *.* TO 'rpll'@localhost IDENTIFIED BY '${DB_PASSWORD}'" mysql -u root mysql -e "ALTER USER 'root'@'localhost' IDENTIFIED BY '${DB_PASSWORD}'" systemctl restart mysqld cd ~/${REPOSITORY_NAME}/Database bash merger.sh mysql -uroot -p${DB_PASSWORD} < merge.sql rm merge.sql cd ~ mysql -u root -p${DB_PASSWORD} mysql -e "GRANT ALL PRIVILEGES ON main.* TO 'rpll'@localhost" systemctl restart mysqld } function initPostfix { pacman -S --noconfirm postfix cp ~/${REPOSITORY_NAME}/Deploy/conf/virtual /etc/postfix/ cp ~/${REPOSITORY_NAME}/Deploy/conf/main.cf /etc/postfix/ postmap /etc/postfix/virtual systemctl enable postfix systemctl start postfix } function initSSH { mkdir /home/${BACKEND_USER}/.ssh touch /home/${BACKEND_USER}/.ssh/authorized_keys for filename in /root/${REPOSITORY_NAME}/Deploy/ssh/*.pub; do if [ ! -f "${filename}" ]; then continue fi cat ${filename} >> /home/${BACKEND_USER}/.ssh/authorized_keys done # Adjusting Configuration sed -i "s/#MaxAuthTries 6/MaxAuthTries 4/g" /etc/ssh/sshd_config sed -i "s/#Port 22/Port 2222/g" /etc/ssh/sshd_config sed -i "s/#PasswordAuthentication yes/PasswordAuthentication no/g" /etc/ssh/sshd_config sed -i "s/#PermitRootLogin prohibit-password/PermitRootLogin no/g" /etc/ssh/sshd_config echo "AllowUsers ${BACKEND_USER}" >> /etc/ssh/sshd_config systemctl restart sshd } function installRust { pacman -S --noconfirm rustup rustup toolchain install nightly rustup default nightly } function initPrometheus { pacman -S --noconfirm prometheus prometheus-node-exporter go cd /root git clone https://github.com/nginxinc/nginx-prometheus-exporter cd nginx-prometheus-exporter make cd ../ cp ./LegacyPlayersV3/Deploy/conf/prometheus_nginx.service /etc/systemd/system/ systemctl daemon-reload cp /root/${REPOSITORY_NAME}/Deploy/conf/prometheus.yml /etc/prometheus/ systemctl enable prometheus.service systemctl enable prometheus-node-exporter.service systemctl enable prometheus_nginx.service systemctl start prometheus-node-exporter.service systemctl start prometheus_nginx.service systemctl start prometheus.service } function initGrafana { pacman -S --noconfirm grafana mkdir /var/lib/grafana/provisioning mkdir /var/lib/grafana/dashboards cp -r /root/${REPOSITORY_NAME}/Deploy/conf/Grafana/provisioning/* /var/lib/grafana/provisioning/ # Replacing discord webhook WEBHOOK_URL=$(cat /root/Keys/discord_webhook | sed -e 's/[\/&\:\.\_-]/\\&/g') sed -i -r "s/\{\{DISCORD_WEBHOOK\}\}/${WEBHOOK_URL}/g" /var/lib/grafana/provisioning/notifiers/discord.yml cp /root/${REPOSITORY_NAME}/Deploy/conf/Grafana/dashboards/* /var/lib/grafana/dashboards/ sed -i "s/;provisioning = conf\/provisioning/provisioning = \/var\/lib\/grafana\/provisioning/g" /etc/grafana.ini sed -i "s/;domain = localhost/domain = ${DOMAIN}/g" /etc/grafana.ini sed -i "s/;reporting_enabled = true/reporting_enabled = false/g" /etc/grafana.ini sed -i "s/;check_for_updates = true/check_for_updates = false/g" /etc/grafana.ini sed -i "s/#enable anonymous access\n;enabled = false/enabled = true/g" /etc/grafana.ini sed -i "s/[auth.basic]\n;enabled = true/[auth.basic]\nenabled = false/g" /etc/grafana.ini sed -i "s/;disable_login_form = false/disable_login_form = true/g" /etc/grafana.ini sed -i "s/;root_url = \%\(protocol\)s:\/\/\%\(domain\)s:\%\(http_port\)s\//root_url = https:\/\/${DOMAIN}\/grafana\//g" /etc/grafana.ini systemctl enable grafana systemctl start grafana } function initUfw { pacman -S --noconfirm ufw ufw default deny incoming ufw allow 2222 ufw allow 443 ufw allow 5000 ufw allow 80 systemctl enable ufw #yes | ufw enable } function initModelGenerator { pacman -S --noconfirm python python-pip make git fakeroot binutils alsa-lib gtk3 libcups libxss libxtst nss xdg-utils git clone https://aur.archlinux.org/chromedriver.git git clone https://aur.archlinux.org/google-chrome.git # TODO: Makepkg cant be done as root cd chromedriver && makepkg && pacman -U --noconfirm chromedriver-*.pkg.tar.xz && cd ../ cd google-chrome && makepkg && pacman -U --noconfirm google-chrome-*.pkg.tar.xz && cd ../ pip install selenium pip install flask cp -r /root/${REPOSITORY_NAME}/ModelViewer /home/rpll/ chown -R rpll /home/rpll/ModelViewer } function initServer { # Requires user input useradd -m -G wheel ${BACKEND_USER} passwd ${BACKEND_USER} passwd -l root pacman -S archlinux-keyring --noconfirm pacman -Syu --noconfirm pacman -S --noconfirm git npm guetzli zopfli libwebp htop clang openssl pkg-config python python-werkzeug make fail2ban unzip vim zip sudo sed -i "s/# %wheel ALL=(ALL) ALL/%wheel ALL=(ALL) ALL/g" /etc/sudoers # Fail2Ban configuration sed -i "s/maxretry = 5/maxretry = 3/g" /etc/sudoers mkdir /root/DB_BACKUPS mount -o remount,rw,nosuid,nodev,noexec,relatime,hidepid=2 /proc echo "proc /proc proc defaults,nosuid,nodev,noexec,relatime,hidepid=2 0 0" >> /etc/fstab fixCertificates installRust installZopfli npm install -g html-minifier # Requires user input npm i -g @angular/cli # See: https://git-scm.com/book/de/v2/Git-Tools-Credential-Storage git config --global credential.helper cp ~/Keys/.git-credentials ~/ git clone ${REPOSITORY} cd /root/${REPOSITORY_NAME}/Webclient # Requires user input npm install cd /root cp /root/${REPOSITORY_NAME}/Deploy/conf/backend.service /etc/systemd/system/ cp /root/${REPOSITORY_NAME}/Deploy/conf/model_generator.service /etc/systemd/system/ cp /root/${REPOSITORY_NAME}/Deploy/conf/deploy.service /etc/systemd/system/ cp /root/${REPOSITORY_NAME}/Deploy/conf/backup_db.service /etc/systemd/system/ cp /root/${REPOSITORY_NAME}/Deploy/conf/backup_db.timer /etc/systemd/system/ cp /root/${REPOSITORY_NAME}/Deploy/conf/certbot_renew.service /etc/systemd/system/ cp /root/${REPOSITORY_NAME}/Deploy/conf/certbot_renew.timer /etc/systemd/system/ cp /root/${REPOSITORY_NAME}/Deploy/conf/restart_backend.service /etc/systemd/system/ cp /root/${REPOSITORY_NAME}/Deploy/conf/restart_backend.timer /etc/systemd/system/ systemctl daemon-reload systemctl enable backend.service systemctl enable model_generator.service systemctl enable deploy.service systemctl enable backup_db.timer systemctl enable restart_backend.timer systemctl enable certbot_renew.timer systemctl enable fail2ban systemctl start fail2ban systemctl start deploy timedatectl set-timezone Europe/Berlin initSSH initCertificates initNginx initMariaDb initPostfix initPrometheus initGrafana initUfw #initModelGenerator echo "initModelGenerator must currently done manually!" } initServer bash /root/${REPOSITORY_NAME}/Deploy/deploy.sh 1 echo "DONE! The server will restart now. Please enable ufw using: 'ufw enable', when it is back up!" sleep 5s reboot