simplex/install.sh

#!/bin/bash

set -o errexit

INSTALL_DIR=$(pwd)
OPENRESTY_VERSION=1.13.6.1
LUAROCKS_VERSION=2.4.1
POSTGRES_PASSWORD=$(cat /dev/urandom | head -c 12 | base64)

if [ "$1" != "dev" ]
then
  read -p "Enter email address for use with certbot-auto: " EMAIL_ADDRESS
  read -p "Enter the domain name this will be running on: " DOMAIN_NAME
  read -p "Enter the port this will be running on: " PORT
fi

EMAIL_ADDRESS=${EMAIL_ADDRESS:-noone@example.com}
DOMAIN_NAME=${DOMAIN_NAME:-localhost}
PORT=${PORT:-9872}

### PREREQUISITES ###
sudo apt-get update

if ! command -v nginx >/dev/null 2>&1 && [ "$1" != "dev" ]
then
  sudo apt-get install nginx -y
fi

if ! command -v certbot-auto >/dev/null 2>&1 && [ "$1" != "dev" ]
then
  wget https://dl.eff.org/certbot-auto
  chmod a+x ./certbot-auto
  sudo mv ./certbot-auto /bin/certbot-auto
fi

if ! command -v psql >/dev/null 2>&1
then
  sudo apt-get install postgresql -y
fi

if ! command -v openresty >/dev/null 2>&1 || [ ! -d '/usr/local/openresty' ]
then
  sudo apt-get install wget curl lua5.1 liblua5.1-0-dev zip unzip libreadline-dev libncurses5-dev libpcre3-dev openssl libssl-dev perl make build-essential -y
  cd ..
  wget https://openresty.org/download/openresty-$OPENRESTY_VERSION.tar.gz
  tar xvf openresty-$OPENRESTY_VERSION.tar.gz
  cd openresty-$OPENRESTY_VERSION
  ./configure
  make
  sudo make install
  cd ..
  rm -rf openresty-$OPENRESTY_VERSION*
  cd $INSTALL_DIR
fi

if ! command -v luarocks >/dev/null 2>&1
then
  sudo apt-get install wget curl lua5.1 liblua5.1-0-dev zip unzip libreadline-dev libncurses5-dev libpcre3-dev openssl libssl-dev perl make build-essential -y
  cd ..
  wget https://keplerproject.github.io/luarocks/releases/luarocks-$LUAROCKS_VERSION.tar.gz
  tar xvf luarocks-$LUAROCKS_VERSION.tar.gz
  cd luarocks-$LUAROCKS_VERSION
  ./configure
  make build
  sudo make install
  cd ..
  rm -rf luarocks-$LUAROCKS_VERSION*
  cd $INSTALL_DIR
fi

sudo luarocks install luacrypto # needed for pgmoon, but not installed automatically ?
sudo luarocks install lapis
sudo luarocks install moonscript
sudo luarocks install bcrypt
sudo luarocks install lapis-console # not used yet, but I totally will

# Certificate / TLS Security
if [ "$1" != "dev" ]
then
  sudo nginx -s stop
  sudo certbot-auto certonly --standalone --agree-tos --no-eff-email -n -m $EMAIL_ADDRESS -d $DOMAIN_NAME
  sudo nginx
  openssl dhparam -out ./dhparams.pem 2048
fi

# Database access
sudo -u postgres createuser simplex
sudo -u postgres createdb simplex
sudo -u postgres bash -c 'psql -c "ALTER USER simplex WITH ENCRYPTED PASSWORD '\'$POSTGRES_PASSWORD\''; GRANT ALL PRIVILEGES ON DATABASE simplex TO simplex;"'

# Secrets setup
echo "{
  sql_password: '$POSTGRES_PASSWORD'
  session_secret: '$(cat /dev/urandom | head -c 12 | base64)'
  _domain: '$DOMAIN_NAME'
  _port: $PORT
}" > ./secret.moon

# Compile, Change owner, Run migrations
moonc .
sudo chown -R www-data:www-data ./
lapis migrate production

# As-a-Service
if [ "$1" != "dev" ]
then
  sudo echo "[Unit]
Description=simplex server

[Service]
User=www-data
Type=forking
WorkingDirectory=$INSTALL_DIR
ExecStart=$(which lapis) server production
ExecReload=$(which lapis) build production
ExecStop=$(which lapis) term

[Install]
WantedBy=multi-user.target" > /etc/systemd/system/simplex.service
  sudo systemctl daemon-reload
  sudo systemctl enable simplex.service
  sudo service simplex start

  # Proxy
  sudo echo "server {
  listen 443 ssl;
  server_name $DOMAIN_NAME;

  add_header Strict-Transport-Security \"max-age=63072000; preload\"; # DO NOT includeSubDomains; (some subdomains intentionally served over HTTP for now)
  add_header X-Frame-Options DENY;
  add_header X-Content-Type-Options nosniff;

  ssl_certificate /etc/letsencrypt/live/$DOMAIN_NAME/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/$DOMAIN_NAME/privkey.pem;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_prefer_server_ciphers on;
  ssl_ciphers \"EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH\";
  ssl_ecdh_curve secp384r1;
  ssl_session_cache shared:SSL:10m;
  ssl_session_tickets off;
  ssl_stapling on;
  ssl_stapling_verify on;
  ssl_dhparam $INSTALL_DIR/dhparams.pem;

  location / {
    proxy_pass http://127.0.0.1:$PORT;
  }
}" > /etc/nginx/sites-enabled/simplex-proxy.conf
  sudo nginx -s reload
fi