# Installer.mk — provisioning targets for a tcms host, run by a user with sudo.
# Recipes rely on bash features (pushd/popd, [[ ]]), so the shell is pinned.
SHELL := /bin/bash
# Host name and service account come from bin/tcms-hostname at parse time.
# Nothing here checks that either is non-empty; only the nginx target tests for
# an empty host name, and it reads the shell environment rather than this variable.
SERVER_NAME := $(shell bin/tcms-hostname)
USER_NAME := $(shell bin/tcms-hostname --user)
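.PHONY: depend
# Install every prerequisite. On Debian-family hosts (detected by
# /etc/debian_version) the apt packages go in first; elsewhere only the perl
# and front-end steps run. Recursion goes through $(MAKE) so -n/-j and the
# jobserver propagate, and a failing prereq-debs now stops the build instead
# of being masked by a trailing /bin/true.
depend:
	if [ -f "/etc/debian_version" ]; then $(MAKE) -f Installer.mk prereq-debs; fi
	$(MAKE) -f Installer.mk prereq-perl prereq-frontend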
.PHONY: install
# Lay out the writable directory tree the server expects and drop the stale
# pod2html scratch file. Existing directories are left untouched.
install:
	for dir in www/themes data/files www/assets www/statics totp logs; do \
	  test -d "$$dir" || mkdir -p "$$dir"; \
	done
	test -d ~/.tcms || mkdir ~/.tcms
	$(RM) pod2htmd.tmp
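.PHONY: service-user
# Create the unprivileged service account and hand this checkout to it.
# The account's home is this directory, so its ~/.ssh lives in the checkout.
# Variables are quoted so an odd value from bin/tcms-hostname cannot split
# into extra arguments.
service-user:
	# useradd fails if the account already exists; that is expected on a rerun.
	sudo useradd -MU -s /sbin/nologin -d "$(CURDIR)" "$(USER_NAME)"; /bin/true
	sudo chown -R "$(USER_NAME):$(USER_NAME)" .
	# Can be 760 if you aren't using git features as a developer user that is not the system user.
	sudo chmod -R 0770 .
	# For some reason, nginx needs world readability to see the socket, despite having group permissions.
	# Seems pretty dumb to me, but whatever. We are locking every single other file away from it & other users.
	sudo chmod 0755 .
	sudo chmod 0775 run
	sudo chown -R "$(USER_NAME):www-data" run
	sudo chmod -R 0770 bin/ tcms www/server.psgi
	# -m sets the mode: the old `mkdir 0700 .ssh` created a stray directory named 0700
	# and left .ssh at the umask default. -p keeps a rerun from failing.
	sudo -u "$(USER_NAME)" mkdir -p -m 0700 .ssh
	sudo -u "$(USER_NAME)" touch .ssh/authorized_keys
	sudo -u "$(USER_NAME)" chmod 0600 .ssh/authorized_keys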
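.PHONY: install-service
# Render the systemd unit from service-files/systemd.unit and enable it.
# The unit is symlinked out of this checkout, which service-user makes owned by
# and writable for $(USER_NAME); that account can therefore edit a file systemd
# parses as root. Copying it into place (`sudo install -m 0644`) would avoid that.
install-service: #service-user
	sudo systemctl disable $(SERVER_NAME); /bin/true
	cp service-files/systemd.unit service-files/$(SERVER_NAME).service
	sed -i 's#__DOMAIN__#$(SERVER_NAME)#g' service-files/$(SERVER_NAME).service
	sed -i 's#__USER__#$(USER_NAME)#g' service-files/$(SERVER_NAME).service
	# $(CURDIR) is the directory make was started in; no shell fork needed.
	sed -i 's#__REPLACEME__#$(CURDIR)#g' service-files/$(SERVER_NAME).service
	# -f replaces a link left by a previous run instead of hiding the error.
	sudo ln -sfr service-files/$(SERVER_NAME).service /usr/lib/systemd/system/$(SERVER_NAME).service
	sudo systemctl daemon-reload
	sudo systemctl enable $(SERVER_NAME)
	sudo systemctl start $(SERVER_NAME)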
.PHONY: prereq-debian
# Full prerequisite set for a Debian-family host. Listed in dependency order:
# prereq-debs installs cpanminus and npm, which prereq-perl and prereq-node
# need, so run this target without -j.
prereq-debian: prereq-debs prereq-perl prereq-frontend prereq-node
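.PHONY: prereq-debs
# Install the Debian/Ubuntu packages the web server, mail stack, DNS server and
# SELinux tooling depend on. The backslash-newline pairs are handed to bash,
# which joins the lines; every continuation line therefore starts with
# whitespace so the last word of one line cannot fuse with the first word of
# the next (`clamav\` immediately followed by `opendmarc` would become one
# nonexistent package name).
prereq-debs:
	sudo apt-get update
	sudo apt-get install -y sqlite3 nodejs npm libsqlite3-dev libdbd-sqlite3-perl cpanminus starman libxml2 curl cmake \
	  uwsgi uwsgi-plugin-psgi fail2ban nginx certbot postfix dovecot-imapd dovecot-pop3d postgrey spamassassin amavis clamav \
	  opendmarc opendkim opendkim-tools libunbound-dev \
	  libtext-xslate-perl libplack-perl libconfig-tiny-perl libdatetime-format-http-perl libjson-maybexs-perl \
	  libuuid-tiny-perl libcapture-tiny-perl libconfig-simple-perl libdbi-perl libfile-slurper-perl libfile-touch-perl \
	  libfile-copy-recursive-perl libxml-rss-perl libmodule-install-perl libio-string-perl uuid-dev \
	  libmoose-perl libmoosex-types-datetime-perl libxml-libxml-perl liblist-moreutils-perl libclone-perl libpath-tiny-perl \
	  selinux-utils setools policycoreutils-python-utils policycoreutils selinux-basics auditd \
	  pdns-tools pdns-server pdns-backend-sqlite3 libmagic-dev autotools-dev dh-autoreconf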
.PHONY: prereq-perl
# Install the Perl dependencies declared in this directory into the system perl.
# -n skips the modules' own test suites, so a broken module only shows up at runtime.
prereq-perl:
	sudo cpanm -n --installdeps .
.PHONY: prereq-node
# Install the npm dependencies. `npm i` resolves against package.json; if a
# lockfile is committed, `npm ci` would install exactly the pinned versions —
# worth confirming which is intended.
prereq-node:
	npm i
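.PHONY: prereq-frontend
# Fetch the third-party browser assets into www/scripts and www/styles.
# The URLs track moving branches (master/main) and an unpinned npm package, so
# two runs can fetch different code; pinning each to a tag or commit and
# checking a recorded digest would make this reproducible.
# `cd` is scoped to its own recipe line (each line runs in a fresh shell), and
# curl --fail turns an HTTP error into a non-zero exit instead of saving the
# error page under the asset's name. The previous pushd/popd form ended in popd,
# whose exit status hid a failed download.
prereq-frontend:
	mkdir -p www/scripts
	cd www/scripts && curl -fL --remote-name-all \
	  "https://raw.githubusercontent.com/chalda-pnuzig/emojis.json/master/dist/list.min.json" \
	  "https://raw.githubusercontent.com/highlightjs/cdn-release/main/build/highlight.min.js" \
	  "https://cdn.jsdelivr.net/npm/chart.js" \
	  "https://raw.githubusercontent.com/hakimel/reveal.js/master/dist/reveal.js"
	mkdir -p www/styles
	cd www/styles && curl -fL --remote-name-all \
	  "https://raw.githubusercontent.com/highlightjs/cdn-release/main/build/styles/obsidian.min.css" \
	  "https://raw.githubusercontent.com/hakimel/reveal.js/master/dist/reveal.css" \
	  "https://raw.githubusercontent.com/hakimel/reveal.js/master/dist/theme/white.css"
	mv www/styles/white.css www/styles/reveal-white.css
	sed -i 's/Source Sans Pro,//g' www/styles/reveal-white.css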
.PHONY: reset
# Throw away data and configuration, then recreate the empty directory layout.
# reset-remove must finish before install, so do not run this with -j.
reset: reset-remove install
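.PHONY: reset-remove
# Wipe generated data and configuration so `make reset` starts from scratch.
# $(RM) is `rm -f`: a missing path is not an error, while a real failure
# (e.g. permission denied) still stops make instead of being hidden by /bin/true.
reset-remove:
	$(RM) -r data
	$(RM) -r www/themes
	$(RM) -r www/assets
	$(RM) config/auth.db config/main.cfg config/has_users config/setup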
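.PHONY: fail2ban
# Render the jail from its template and link the jail and filter into fail2ban's
# drop-in directories. The linked files live in this checkout, which
# service-user hands to $(USER_NAME) with mode 0770, while fail2ban parses them
# as root; copying them (`sudo install -m 0644`) would keep that account from
# editing root-parsed configuration.
fail2ban:
	cp fail2ban/tcms-jail.tmpl fail2ban/tcms-jail.conf
	sed -i 's#__LOGDIR__#$(CURDIR)#g' fail2ban/tcms-jail.conf
	sed -i 's#__DOMAIN__#$(SERVER_NAME)#g' fail2ban/tcms-jail.conf
	# -f replaces whatever a previous run left; no rm ...; /bin/true dance needed.
	sudo ln -sfr fail2ban/tcms-jail.conf /etc/fail2ban/jail.d/$(SERVER_NAME).conf
	sudo ln -sfr fail2ban/tcms-filter.conf /etc/fail2ban/filter.d/$(SERVER_NAME).conf
	sudo systemctl reload fail2ban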
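.PHONY: nginx
# Render nginx/tcms.conf, link it into sites-enabled, then bootstrap TLS: a
# self-signed certificate first so nginx can start, then certbot (HTTP-01 via
# the webroots) replaces it. If certbot fails, the live dir has already been
# removed and the final reload will fail; rerun this target once the host is
# reachable. Like fail2ban, the config is symlinked from a checkout that
# service-user makes writable by $(USER_NAME) and nginx reads it as root.
nginx:
	# Test the Make variable from bin/tcms-hostname; the old check read the
	# shell's $$SERVER_NAME, which is empty unless the user also exported it.
	[ -n "$(SERVER_NAME)" ] || ( echo "Please set the SERVER_NAME environment variable before running (e.g. test.test)" && /bin/false )
	# One sed pass, '#' delimiters: $(CURDIR) contains slashes, which broke the
	# old s/%SERVER_SOCK%/.../ form, and no intermediate file is needed.
	sed -e 's#%SERVER_NAME%#$(SERVER_NAME)#g' -e 's#%SERVER_SOCK%#$(CURDIR)#g' nginx/tcms.conf.tmpl > nginx/tcms.conf
	# Socket directory; -p so a rerun (or a prior service-user) does not abort here.
	mkdir -p run
	sudo chown $(USER_NAME):www-data run
	sudo chmod 0770 run
	sudo mkdir -p '/var/www/$(SERVER_NAME)'
	sudo mkdir -p '/var/www/mail.$(SERVER_NAME)'
	sudo mkdir -p '/etc/letsencrypt/live/$(SERVER_NAME)'
	# rm -f also clears a dangling link, which the old [ -e ] test skipped.
	sudo rm -f '/etc/nginx/sites-enabled/$(SERVER_NAME).conf'
	sudo ln -sr nginx/tcms.conf '/etc/nginx/sites-enabled/$(SERVER_NAME).conf'
	# Make a self-signed cert FIRST, because certbot has a chicken/egg problem
	sudo openssl req -x509 -config etc/openssl.conf -nodes -newkey rsa:4096 -subj '/CN=$(SERVER_NAME)' -addext 'subjectAltName=DNS:www.$(SERVER_NAME),DNS:mail.$(SERVER_NAME)' -keyout '/etc/letsencrypt/live/$(SERVER_NAME)/privkey.pem' -out '/etc/letsencrypt/live/$(SERVER_NAME)/fullchain.pem' -days 365
	sudo systemctl reload nginx
	# Now run certbot and get that http dcv. We have to do a "gamer move" so that certbot doesn't complain about live dir existing.
	sudo rm -rf '/etc/letsencrypt/live/$(SERVER_NAME)'
	sudo certbot certonly --webroot -w '/var/www/$(SERVER_NAME)/' -d '$(SERVER_NAME)' -d 'www.$(SERVER_NAME)' -w '/var/www/mail.$(SERVER_NAME)' -d 'mail.$(SERVER_NAME)'
	sudo systemctl reload nginx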
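.PHONY: mail
# Point dovecot and postfix at the certificate the nginx target produced and
# wire the opendkim/opendmarc milters into postfix. Originals of the edited
# files are kept as *.orig.
mail: dkim dmarc
	# Dovecot
	sudo cp /etc/dovecot/conf.d/10-ssl.conf /etc/dovecot/conf.d/10-ssl.conf.orig
	sudo sed -i 's/^\(ssl_cert\s*=\).*/\1<\/etc\/letsencrypt\/live\/$(SERVER_NAME)\/fullchain.pem/g' /etc/dovecot/conf.d/10-ssl.conf
	sudo sed -i 's/^\(ssl_key\s*=\).*/\1<\/etc\/letsencrypt\/live\/$(SERVER_NAME)\/privkey.pem/g' /etc/dovecot/conf.d/10-ssl.conf
	# Postfix
	sudo cp /etc/postfix/main.cf /etc/postfix/main.cf.orig
	sudo sed -i 's/^\(smtpd_tls_cert_file\s*=\).*/\1\/etc\/letsencrypt\/live\/$(SERVER_NAME)\/fullchain.pem/g' /etc/postfix/main.cf
	sudo sed -i 's/^\(smtpd_tls_key_file\s*=\).*/\1\/etc\/letsencrypt\/live\/$(SERVER_NAME)\/privkey.pem/g' /etc/postfix/main.cf
	# XXX we should not do these two.
	sudo sed -i 's/^\(myhostname\s*=\).*/\1$(SERVER_NAME)/g' /etc/postfix/main.cf
	# The redirect belongs to the caller's shell, not to sudo, so the old
	# `sudo echo ... > /etc/mailname` failed for a non-root user; tee runs under sudo.
	echo '$(SERVER_NAME)' | sudo tee /etc/mailname >/dev/null
	# Configure postfix to put on its socks and shoes. This all implicitly relies on good defaults in the opendkim/opendmarc packages.
	sudo postconf -e milter_default_action=accept
	sudo postconf -e milter_protocol=2
	sudo postconf -e smtpd_milters=local:opendkim/opendkim.sock,local:opendmarc/opendmarc.sock
	# postfix expands $smtpd_milters itself. $$ gets a literal $ past Make and the
	# single quotes keep it from bash; the old \$ form was expanded by Make.
	sudo postconf -e 'non_smtpd_milters=$$smtpd_milters'
	# systemctl, as install-service uses, rather than the service(8) wrapper.
	sudo systemctl reload postfix
	# TODO setup various mail aliases and so forth, e.g. postmaster@, soa@, the various lists etc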
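.PHONY: dkim
# Generate the DKIM signing key for selector "mail" and register it with opendkim.
dkim:
	sudo mkdir -p /etc/opendkim/keys/$(SERVER_NAME)
	sudo opendkim-genkey --directory /etc/opendkim/keys/$(SERVER_NAME) -s mail -d $(SERVER_NAME)
	# Derive the public key straight into place. The old version staged it as
	# /tmp/mail.public, a fixed name in a world-writable directory that another
	# local user could create or swap before the `sudo mv`. pipefail keeps an
	# openssl failure from being hidden behind tee's exit status.
	set -o pipefail; sudo openssl rsa -in /etc/opendkim/keys/$(SERVER_NAME)/mail.private -pubout | sudo tee /etc/opendkim/keys/$(SERVER_NAME)/mail.public >/dev/null
	sudo chown -R opendkim:opendkim /etc/opendkim
	sudo mail/mongle_dkim_config $(SERVER_NAME)
	# systemctl, as install-service uses; `service <name> enable` only works where
	# the service(8) wrapper forwards unknown actions to systemctl.
	sudo systemctl enable opendkim
	sudo systemctl start opendkim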
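.PHONY: dmarc
# Configure opendmarc for the domain and its mail host, then enable the daemon.
# systemctl is used as elsewhere in this file; `service <name> enable` only
# works where the service(8) wrapper forwards unknown actions to systemctl.
dmarc:
	sudo mail/mongle_dmarc_config $(SERVER_NAME) mail.$(SERVER_NAME)
	sudo systemctl enable opendmarc
	sudo systemctl start opendmarc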
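.PHONY: dns
# Configure PowerDNS (sqlite backend) to serve $(SERVER_NAME) from dns/ in this
# checkout, bind-mounted into pdns's chroot, and install the drop-in that
# disables systemd-resolved's stub listener so pdns can own the port.
dns:
	cp dns/tcms.tmpl dns/tcms.conf
	sed -i 's#__DIR__#$(CURDIR)#g' dns/tcms.conf
	sed -i 's#__DOMAIN__#$(SERVER_NAME)#g' dns/tcms.conf
	# rm -f: the old `[[ -e ... ]] && rm` aborted the recipe when the file was absent.
	sudo rm -f /etc/powerdns/pdns.d/$(SERVER_NAME).conf
	sudo cp dns/tcms.conf /etc/powerdns/pdns.d/$(SERVER_NAME).conf
	sudo mkdir -p /etc/systemd/resolved.conf.d/
	sudo cp dns/10-disable-stub-resolver.conf /etc/systemd/resolved.conf.d/
	sudo chown -R systemd-resolve:systemd-resolve /etc/systemd/resolved.conf.d/
	sudo chmod 0660 /etc/systemd/resolved.conf.d/10-disable-stub-resolver.conf
	sudo systemctl restart systemd-resolved
	# Build the zone database and initialize the zone for our domain
	$(RM) dns/zones.db
	sqlite3 dns/zones.db < /usr/share/pdns-backend-sqlite3/schema/schema.sqlite3.sql
	bin/build_zone > dns/default.zone
	zone2sql --gsqlite --zone=dns/default.zone --zone-name=$(SERVER_NAME) > dns/default.zone.sql
	sqlite3 dns/zones.db < dns/default.zone.sql
	# Bind mount our dns/ folder so that pdns can see it in chroot
	sudo mkdir -p /var/spool/powerdns/$(SERVER_NAME)
	sudo chown pdns:pdns /var/spool/powerdns/$(SERVER_NAME)
	# Append the bind mount to /etc/fstab once, in place, after taking a backup.
	# The old version rewrote fstab via a fixed /tmp/fstab.new (a path another
	# local user could plant or swap before it was moved over /etc/fstab),
	# sorted the file (mount order matters), dropped every comment, and
	# `sort < f | ... > f` can truncate f before sort has read it.
	sudo cp -p /etc/fstab /etc/fstab.bak
	grep -qsF "$(CURDIR)/dns /var/spool/powerdns/$(SERVER_NAME) " /etc/fstab || \
	  echo "$(CURDIR)/dns /var/spool/powerdns/$(SERVER_NAME) none defaults,bind 0 0" | sudo tee -a /etc/fstab >/dev/null
	# Skip the mount on a rerun instead of stacking a second bind mount.
	mountpoint -q /var/spool/powerdns/$(SERVER_NAME) || sudo mount /var/spool/powerdns/$(SERVER_NAME)
	# Don't need no bind
	sudo rm -f /etc/powerdns/pdns.d/bind.conf
	# Fix broken service configuration
	sudo dns/configure_pdns
	sudo chown $(USER_NAME):pdns dns/
	sudo chown $(USER_NAME):pdns dns/zones.db
	sudo cp dns/10-powerdns.conf /etc/rsyslog.d/10-powerdns.conf
	sudo systemctl daemon-reload
	sudo systemctl restart rsyslog
	sudo systemctl enable pdns
	sudo systemctl start pdns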
.PHONY: githook
# Install the repository's pre-commit hook into this clone. git only runs
# executable hooks; this relies on git-hooks/pre-commit already carrying the
# bit (cp keeps it) — TODO confirm.
githook:
	cp git-hooks/pre-commit .git/hooks
.PHONY: firewall
# Register the ufw application profiles shipped in ufw/ and apply the rule set
# via ufw/setup-rules.
firewall:
	# Remove dopey unauthenticated port for git from /etc/services
	# (this only affects service-name lookups; the ufw rules are what block the port)
	sudo sed -i '/^git\s/d' /etc/services
	sudo cp ufw/git ufw/pdns_server /etc/ufw/applications.d
	sudo ufw/setup-rules
.PHONY: all
# Full provisioning, listed in the order the steps depend on each other:
# install lays out the directories, nginx produces the certificate that mail
# points at, and so on. Run without -j; Make would otherwise schedule these
# prerequisites concurrently, since nothing declares the ordering between them.
all: prereq-debian install fail2ban nginx mail dns firewall githook