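#!/bin/bash
# secure.sh - switch a Monkshu installation to HTTPS with a Let's Encrypt
# certificate.
#
# Usage:  sudo ./secure.sh [domain]
#   domain  FQDN to request the certificate for (default: `hostname --fqdn`).
#
# Steps: check the monkshu systemd unit exists and is not already on SSL,
# serve the frontend on port 80 for the certbot webroot (HTTP-01) challenge,
# install certbot, obtain the certificate, install a daily renewal symlink,
# then rewrite both httpd.json files for SSL and restart the service.
# Must run as root. Exits 1 on any refused prompt or failed step.

MONKSHU_PATH="$( cd "$( dirname "$0" )" && pwd )"
DOMAIN=${1:-$(hostname --fqdn)}
# Service account: taken from the owner/group of monkshu.sh, as before.
USER_MONKSHU=$(stat -c "%U" "$MONKSHU_PATH/monkshu.sh")
GROUP_MONKSHU=$(stat -c "%G" "$MONKSHU_PATH/monkshu.sh")
readonly MONKSHU_PATH DOMAIN USER_MONKSHU GROUP_MONKSHU
readonly CERTBOT_TMP="$MONKSHU_PATH/frontend/server/certbot_tmp"
readonly FRONTEND_CONF="$MONKSHU_PATH/frontend/server/conf/httpd.json"
readonly BACKEND_CONF="$MONKSHU_PATH/backend/server/conf/httpd.json"

PID_CERTBOT_SERVER=   # non-empty while the temporary port-80 server runs

# Print a message to stderr and exit 1.
die() { printf '%s\n' "$*" >&2; exit 1; }

# Ask a single-key yes/no question ($1 = prompt); returns 0 only for y/Y.
confirm() {
  local reply
  read -p "$1" -n 1 -r reply; echo
  [[ $reply =~ ^[Yy]$ ]]
}

# Stop the temporary challenge server (if still running) and remove its
# config directory. Registered as the EXIT trap once the server starts, so an
# abort at any later step does not leave a root-owned node process on port 80
# or a stray certbot_tmp directory behind.
cleanup_certbot_server() {
  if [[ -n "$PID_CERTBOT_SERVER" ]] && kill -0 "$PID_CERTBOT_SERVER" 2>/dev/null; then
    kill "$PID_CERTBOT_SERVER"   # TERM, not KILL: let node shut down normally
  fi
  PID_CERTBOT_SERVER=
  rm -rf -- "${CERTBOT_TMP:?}"
}

# Start the frontend on port 80 with the letsencrypt config so certbot can
# answer the webroot challenge. Sets PID_CERTBOT_SERVER and installs the
# cleanup trap.
start_certbot_server() {
  local node_bin
  node_bin=$(command -v node) || die "node not found in PATH. Exiting."
  echo Starting Monkshu on port 80 for Certbot challenge.
  mkdir -p "$CERTBOT_TMP"   # -p: a leftover dir from an earlier run is not an error
  cp "$MONKSHU_PATH/frontend/server/conf/httpd.json.letsencrypt" "$CERTBOT_TMP/httpd.json"
  trap cleanup_certbot_server EXIT
  # server.js is launched from its own directory (the original used pushd/cd);
  # exec inside the subshell makes $! the node PID itself.
  ( cd "$MONKSHU_PATH/frontend/server/" && exec "$node_bin" "$MONKSHU_PATH/frontend/server/server.js" -standalone -c "$CERTBOT_TMP" ) &
  PID_CERTBOT_SERVER=$!
  echo Certbot server started with PID "$PID_CERTBOT_SERVER"
  echo Done.
}

# Install certbot with whichever package manager is present; exit if neither
# is available or the install itself fails.
install_certbot() {
  echo Installing Certbot.
  if command -v apt-get >/dev/null; then
    apt-get -y install certbot || die "Certbot install failed. Exiting."
  elif command -v yum >/dev/null; then
    yum install -y certbot || die "Certbot install failed. Exiting."
  else
    die "Certbot install failed. Exiting."
  fi
}

# Run the webroot challenge, stop the temporary server, then make the key
# readable by the Monkshu service account. The key is made group-readable
# (root:GROUP_MONKSHU, 0640) rather than world-readable 0644: anything else on
# the host could otherwise read the TLS private key. Directories get 755 so the
# non-root service can traverse live/ and archive/ to the symlink targets.
# Assumes the monkshu service runs with GROUP_MONKSHU (the group this script
# also chowns the install tree to).
obtain_certificate() {
  if ! certbot certonly --webroot -d "$DOMAIN" -w "$MONKSHU_PATH/frontend"; then
    die "Certbot install failed. Exiting."   # EXIT trap kills the server and removes certbot_tmp
  fi
  cleanup_certbot_server
  chmod 755 /etc/letsencrypt/archive/
  chmod 755 /etc/letsencrypt/live/
  # chgrp/chmod follow the live/ symlink, so the archive key itself is changed.
  # NOTE(review): recent certbot releases keep mode and group across renewals;
  # confirm certbot.renew.sh (not shown here) does not reset them.
  chgrp "$GROUP_MONKSHU" "/etc/letsencrypt/live/$DOMAIN/privkey.pem"
  chmod 640 "/etc/letsencrypt/live/$DOMAIN/privkey.pem"
  echo Done.
}

# Install the daily renewal job. Debian/Ubuntu name the unit 'cron',
# RHEL-family (the yum path above) 'crond'.
setup_renewal() {
  echo Setting Certificates to autorenew daily.
  systemctl enable cron 2>/dev/null || systemctl enable crond
  ln -sf "$MONKSHU_PATH/certbot.renew.sh" /etc/cron.daily/certbot_renew_monkshu
  echo Done.
}

# Rewrite one httpd.json in place for SSL, keeping a .sslbackup copy.
#   $1 - path to the httpd.json
#   $2 - key of the last entry in that file; it gets a trailing comma so the
#        sslKeyFile/sslCertFile entries can be appended after it
# The edit is line-oriented sed: it assumes one key per line, an existing
# `"ssl": false,` line, and a closing `}` on a line of its own.
configure_ssl_json() {
  local conf=$1 last_key=$2
  cp "$conf" "$conf.sslbackup"
  sed -i -r -e $'s/^([ \t]*)"ssl":[ \t]*false[ \t]*,[ \t]*$/\t"ssl": true,/g' "$conf"
  sed -i -r -e "s/^([ \t]*)\"$last_key\":(.+)\$/\1\"$last_key\":\2,/g" "$conf"
  # The closing brace line becomes the sslKeyFile entry; the cert entry and a
  # new closing brace are appended below.
  sed -i -r -e "s/^[ \t]*}[ \t]*\$/\\t\"sslKeyFile\": \"\/etc\/letsencrypt\/live\/$DOMAIN\/privkey.pem\",/g" "$conf"
  echo -e "\n\t\"sslCertFile\": \"/etc/letsencrypt/live/$DOMAIN/fullchain.pem\"\n}" >> "$conf"
}

main() {
  (( EUID == 0 )) || die "Please run as root. E.g. sudo $0"
  # DOMAIN is spliced into sed replacements, into JSON and into the
  # /etc/letsencrypt path below; accept only plain hostname characters.
  [[ $DOMAIN =~ ^[A-Za-z0-9.-]+$ ]] || die "Invalid domain name: $DOMAIN"
  if ! systemctl --all --type service | grep -q monkshu; then
    die "Monkshu service does not exist, exiting."
  fi
  systemctl daemon-reload   # reload just in case Monkshu was updated
  if grep -q -e '^\s*"ssl":\s*true' "$FRONTEND_CONF" "$BACKEND_CONF"; then
    die "Already secured. Exiting."
  fi
  echo Using domain name "$DOMAIN"
  confirm "OK to configure? [Y|N] " || exit 1

  start_certbot_server
  install_certbot
  obtain_certificate
  setup_renewal

  confirm "OK to modify Monkshu's httpd.json files to use SSL? [Y|N] " || exit 1
  echo Stopping Monkshu...
  systemctl stop monkshu
  echo Done.
  echo Configuring Monkshu to use SSL.
  configure_ssl_json "$FRONTEND_CONF" timeout
  # Only the frontend moves to port 443 (backup was taken before this edit).
  sed -i -r -e 's/^([ \t]*)"port":.+,[ \t]*$/\1"port": 443,/g' "$FRONTEND_CONF"
  configure_ssl_json "$BACKEND_CONF" ipwhitelistRefresh
  echo Done.
  echo Setting NodeJS to bind to lower ports
  setcap 'cap_net_bind_service=+ep' "$(command -v node)"
  echo Done.
  echo Setting permissions to use the user account
  chown -R "$USER_MONKSHU:$GROUP_MONKSHU" "$MONKSHU_PATH"
  echo Done.
  echo Starting Monkshu....
  systemctl start monkshu
  echo Done.
}

main "$@"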