#!/bin/bash
# @sacloud-name "Crowi"
# @sacloud-once
#
# @sacloud-require-archive distro-ubuntu distro-ver-18.04.*
#
# @sacloud-desc-begin
# Crowiをセットアップします。
# サーバ作成後は「http://サーバのIPアドレス/installer」から初期設定できます。
# APIキーとさくらのクラウドDNSで管理しているゾーンを指定すれば、DNSのAレコードの登録と Let's Encrypt を使用したSSL証明書の設定も可能です。
# その場合、セットアップ後のURLは「https://ドメイン/installer」になります。
# @sacloud-desc-end
#
# @sacloud-apikey permission=create AK "APIキー(DNSのAレコードと Let's Encrypt の証明書をセットアップします)"
# @sacloud-text ZONE "さくらのクラウドDNSで管理しているDNSゾーン名(APIキーの入力が必須です)" ex="example.com"
# @sacloud-text SUB "ドメイン(DNSゾーン名が含まれている必要があります。未入力の場合はDNSゾーン名でセットアップします)" ex="crowi.example.com"
#
#---------UPDATE /etc/motd----------#
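_motd() {
  #######################################
  # Publish the startup-script state in the login banner.
  # Installs a small update-motd snippet that prints a status file, then
  # writes that file according to the requested phase.
  # Arguments:
  #   $1 - start | fail | end
  # Outputs:
  #   /etc/update-motd.d/99-startup (executable snippet shown at login)
  #   /tmp/startup.status           (banner text printed by that snippet)
  # Returns:
  #   "fail" exits the whole script with status 1; other phases return 0.
  #######################################
  local action=$1
  local motsh=/etc/update-motd.d/99-startup
  local status=/tmp/startup.status
  # The startup-script log lives under /root/.sacloud-api/notes/; expand the
  # glob directly instead of parsing `ls` output.
  local logs=(/root/.sacloud-api/notes/*log)
  local log="${logs[*]}"
  # NOTE(review): /tmp is world-writable, so on a host with other local users
  # this path could be pre-created by someone else and its content shown to
  # root at login. Here the file is written before any other account exists.
  printf '#!/bin/bash\ncat %s\n' "${status}" > "${motsh}"
  chmod 755 "${motsh}"
  case "${action}" in
    start)
      printf '\n#-- Startup-script is \033[0;32mrunning\033[0;39m. --#\n\nPlease check the logfile: %s\n\n' "${log}" > "${status}"
      ;;
    fail)
      printf '\n#-- Startup-script \033[0;31mfailed\033[0;39m. --#\n\nPlease check the logfile: %s\n\n' "${log}" > "${status}"
      exit 1
      ;;
    end)
      # Success: drop the banner snippet (the status file is left in place).
      rm -f -- "${motsh}"
      ;;
    *)
      printf 'unknown _motd phase: %s\n' "${action}" >&2
      ;;
  esac
}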
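#---------MAIN----------#
# The API key arrives through the startup-script environment. When both halves
# are empty the pair collapses to ":", which means "no key given": DNS
# registration and the Let's Encrypt setup are skipped.
KEY="${SACLOUD_APIKEY_ACCESS_TOKEN}:${SACLOUD_APIKEY_ACCESS_TOKEN_SECRET}"
SSL=1
if [ "${KEY}" = ":" ]; then
  SSL=0
fi

#######################################
# Report an error and leave through the motd failure path (exits 1).
# Arguments: $* - message
#######################################
fail() {
  printf '%s\n' "$*" >&2
  _motd fail
}

#######################################
# Poll systemd for up to 5 seconds until a unit reports active.
# Arguments: $1 - unit name (e.g. mongodb.service)
# Returns:   0 once active; otherwise fails the whole run via fail()
#######################################
wait_for_service() {
  local unit=$1 i
  for i in {1..5}; do
    sleep 1
    if systemctl status "${unit}"; then
      return 0
    fi
  done
  fail "${unit} did not start"
}

# -e/-o pipefail: abort on the first failing command or pipeline stage.
# -E: let the ERR trap fire inside functions too, so a failure in a helper still
#     flips the banner to "failed" instead of silently exiting.
# -x: trace every command into the startup log. The trace would also record
#     secrets passed on command lines (API key, generated passwords), so tracing
#     is switched off around the lines that handle them.
set -eE -o pipefail -x
trap '_motd fail' ERR
_motd start

export DEBIAN_FRONTEND=noninteractive
apt-get update
# dnsutils provides dig, used by the zone checks below.
apt-get install -y curl jq dnsutils
IPADDR=$(hostname -i | awk '{ print $1 }')

if [ "${SSL}" -eq 1 ]; then
  # @@@ZONE@@@ / @@@SUB@@@ are substituted by the startup-script engine
  # (see the @sacloud-text declarations in the header).
  ZONE="@@@ZONE@@@"
  DOMAIN="@@@SUB@@@"
  NAME="@"
  if [ -z "${ZONE}" ]; then
    fail "ZONE is required when an API key is given"
  fi
  # The record name is DOMAIN relative to ZONE ("@" for the apex).
  if [ -n "${DOMAIN}" ]; then
    if [[ "${DOMAIN}" == *".${ZONE}" ]]; then
      NAME=${DOMAIN%".${ZONE}"}
    elif [ "${DOMAIN}" != "${ZONE}" ]; then
      fail "The Domain is not included in your Zone"
    fi
  else
    DOMAIN=${ZONE}
  fi
  # The zone must be delegated to exactly two Sakura Cloud DNS name servers.
  if [ "$(dig "${ZONE}" ns +short | grep -Ec '^ns[0-9]+\.gslb[0-9]+\.sakura\.ne\.jp\.$')" -ne 2 ]; then
    fail "対象ゾーンのNSレコードにさくらのクラウドDNSが設定されていません"
  fi
  # Never overwrite an A record that already resolves for the target name.
  if [ "$(dig "${DOMAIN}" A +short | grep -vc '^$')" -ne 0 ]; then
    fail "${DOMAIN}のAレコードが登録されています"
  fi

  CZONE=$(jq -r ".Zone.Name" /root/.sacloud-api/server.json)
  BASE="https://secure.sakura.ad.jp/cloud/zone/${CZONE}/api/cloud/1.1"
  API="${BASE}/commonserviceitem/"
  # Scratch directory (mode 700) for API responses instead of loose files in cwd.
  WORK=$(mktemp -d)

  # Fetch the DNS common-service item for ZONE. The HTTP status comes from
  # curl itself rather than from grepping `-v` output, which would also have
  # written the Authorization header to disk. Tracing is off while the key is
  # on the command line.
  set +x
  HTTP_CODE=$(curl -s --user "${KEY}" -o "${WORK}/items.json" -w '%{http_code}' "${API}")
  set -x
  if [ "${HTTP_CODE}" != "200" ]; then
    fail "API connect error"
  fi
  # ZONE is user input: pass it to jq as a variable, not spliced into the filter.
  RESJSON=$(jq -c --arg zone "${ZONE}" '.CommonServiceItems[] | select(.Status.Zone == $zone)' "${WORK}/items.json")
  RESID=$(jq -r '.ID' <<<"${RESJSON}")
  if [ -z "${RESID}" ] || [ "${RESID}" = "null" ]; then
    fail "ドメインのリソースIDが取得できません"
  fi
  API="${API}${RESID}"
  RECODES=$(jq -c '.Settings.DNS.ResourceRecordSets' <<<"${RESJSON}")
  # A zone that already carries records may only receive a sub-domain record.
  case "${RECODES}" in
    '[]'|null) ;;
    *)
      if [ "${DOMAIN}" = "${ZONE}" ]; then
        fail "レコードを登録していないドメインを指定してください"
      fi
      ;;
  esac

  # Build the update body with jq so values are JSON-escaped; `null + [..]`
  # yields the array, so a missing record set is handled too.
  ADDREC=$(jq -cn --arg name "${NAME}" --arg ip "${IPADDR}" '[{Name: $name, Type: "A", RData: $ip}]')
  DNSREC=$(jq -c --argjson add "${ADDREC}" '. + $add' <<<"${RECODES}")
  BODY=$(jq -cn --argjson rrs "${DNSREC}" '{CommonServiceItem: {Settings: {DNS: {ResourceRecordSets: $rrs}}}}')
  set +x
  HTTP_CODE=$(curl -s --user "${KEY}" -X PUT -d "${BODY}" -o "${WORK}/update.json" -w '%{http_code}' "${API}")
  set -x
  if [ "${HTTP_CODE}" != "200" ]; then
    fail "API connect error"
  fi
  # Echo the API response into the log, as the original did.
  jq . "${WORK}/update.json"
  rm -rf -- "${WORK}"
fi

# package update
apt-get update

# install nodejs
# NOTE: this runs a remotely fetched script as root (supply-chain exposure is
# accepted by this recipe); -f makes curl fail on HTTP errors so an error page
# is never piped into bash.
curl -fsSL https://deb.nodesource.com/setup_12.x | bash -
apt-get install -y nodejs
npm install -g npm

# install MongoDB (3.6 from the xenial repository, as in the original recipe)
wget -qO - https://www.mongodb.org/static/pgp/server-3.6.asc | apt-key add -
printf '%s\n' "deb http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.6 multiverse" > /etc/apt/sources.list.d/mongodb-org-3.6.list
apt-get update
apt-get install -y mongodb-org
# Quoted delimiter: $MAINPID must reach systemd literally instead of being
# expanded (to nothing) by this shell. Written with ">" so a unit file is
# never appended to.
cat <<'EOF' > /etc/systemd/system/mongodb.service
[Unit]
Description=MongoDB Database Service
Wants=network.target
After=network.target
[Service]
ExecStart=/usr/bin/mongod --config /etc/mongod.conf
ExecReload=/bin/kill -HUP $MAINPID
Restart=always
User=mongodb
Group=mongodb
StandardOutput=syslog
StandardError=syslog
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl status mongodb.service >/dev/null 2>&1 || systemctl start mongodb.service
wait_for_service mongodb.service
systemctl enable mongodb.service
apt-get install -y pwgen
# Create the application DB user. Tracing is off so the password never reaches
# the startup log, and the command is fed on stdin instead of through a
# world-readable file in /tmp.
# NOTE(review): the package's default mongod.conf is used unchanged; whether
# this credential is actually enforced depends on authorization being enabled
# there — confirm.
set +x
PASSWD=$(pwgen -s 32 1)
mongo crowidb <<EOF
db.createUser({user: "crowi", pwd: "$PASSWD", roles: [{role: "readWrite", db: "crowidb"}]});
EOF
set -x

# install Elasticsearch 6.x with the Japanese analyzer
apt-get install -y openjdk-8-jre apt-transport-https
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | apt-key add -
printf '%s\n' "deb https://artifacts.elastic.co/packages/6.x/apt stable main" > /etc/apt/sources.list.d/elastic-6.x.list
apt-get update
apt-get install -y elasticsearch
/usr/share/elasticsearch/bin/elasticsearch-plugin install analysis-kuromoji
systemctl status elasticsearch.service >/dev/null 2>&1 || systemctl start elasticsearch.service
wait_for_service elasticsearch.service
systemctl enable elasticsearch.service

# install Crowi
apt-get install -y git build-essential libkrb5-dev
git clone https://github.com/crowi/crowi.git /opt/crowi
cd /opt/crowi
# The unauthenticated GitHub API is rate limited; make sure a tag was actually
# returned before trying to check it out.
latest_tag=$(curl -fsS https://api.github.com/repos/crowi/crowi/releases/latest | jq --raw-output .tag_name)
if [ -z "${latest_tag}" ] || [ "${latest_tag}" = "null" ]; then
  fail "could not determine the latest Crowi release tag"
fi
git checkout -b "${latest_tag}" "refs/tags/${latest_tag}"
npm install
npm run build
cat <<'EOF' > /etc/systemd/system/crowi.service
[Unit]
Description=Crowi - The Simple & Powerful Communication Tool Based on Wiki
After=network.target mongodb.service
[Service]
WorkingDirectory=/opt/crowi
EnvironmentFile=/opt/crowi/crowi.conf
# Measures for failure at the first OS restart
ExecStartPre=/bin/sleep 5
ExecStart=/usr/bin/node app.js
[Install]
WantedBy=multi-user.target
EOF
# crowi.conf carries secrets (the DB password and PASSWORD_SEED, which Crowi
# uses as a secret seed for password hashing): generate the seed instead of
# shipping the placeholder, create the file root-only before writing it, and
# keep both values out of the trace. The service runs as root, so 0600 is
# sufficient for systemd to read it.
install -m 600 /dev/null /opt/crowi/crowi.conf
set +x
SEED=$(pwgen -s 32 1)
cat <<EOF > /opt/crowi/crowi.conf
PASSWORD_SEED="${SEED}"
MONGO_URI="mongodb://crowi:${PASSWD}@localhost/crowidb"
FILE_UPLOAD="local"
PORT=3000
ELASTICSEARCH_URI="localhost:9200"
EOF
set -x
systemctl daemon-reload
systemctl status crowi.service >/dev/null 2>&1 || systemctl start crowi.service
wait_for_service crowi.service
systemctl enable crowi.service

# nginx
apt-get install -y nginx
systemctl stop nginx.service
# Do not reuse the shell's own HOSTNAME variable for this.
if [ "${SSL}" -eq 1 ]; then
  SERVER_NAME=${DOMAIN}
else
  SERVER_NAME="localhost"
fi
NGINX_CONFIGPATH="/etc/nginx/nginx.conf"
mv "${NGINX_CONFIGPATH}" "${NGINX_CONFIGPATH}.origin"
cp "/opt/crowi/public/nginx.conf" "${NGINX_CONFIGPATH}"
cp "/opt/crowi/public/nginx-mime.types" "/etc/nginx/nginx-mime.types"
# Adapt Crowi's sample config to this host: strip CRLFs, comment out the
# sample's user/log/pid/root directives and add ours, and proxy everything to
# the Node app on 127.0.0.1:3000 (each header set once).
sed -i -e "s/\r//g" "${NGINX_CONFIGPATH}"
sed -i -e "s@\(^user.*$\)@# \1\nuser www-data;@g" "${NGINX_CONFIGPATH}"
sed -i -e "s@\(^error_log.*$\)@# \1\nerror_log /var/log/nginx/error.log;@g" "${NGINX_CONFIGPATH}"
sed -i -e "s@\(^pid.*$\)@# \1\npid /run/nginx.pid;@g" "${NGINX_CONFIGPATH}"
sed -i -e "s@\(access_log.*access.log.*$\)@# \1\n    access_log /var/log/nginx/access.log main;@g" "${NGINX_CONFIGPATH}"
sed -i -e "s@\(listen\s80\sdefault_server;$\)@# \1\n    listen 80 default_server deferred;@g" "${NGINX_CONFIGPATH}"
sed -i -e "s@\(server_name.*$\)@\1\n    server_name ${SERVER_NAME};@g" "${NGINX_CONFIGPATH}"
sed -i -e "s@\(root\s/sites/example.com/public;$\)@# \1\n    root /opt/crowi/public;\n\n    location / {\n        proxy_pass http://127.0.0.1:3000;\n        proxy_http_version 1.1;\n        proxy_set_header Host \$host;\n        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;\n        proxy_set_header Upgrade \$http_upgrade;\n        proxy_set_header Connection \"upgrade\";\n    }\n@g" "${NGINX_CONFIGPATH}"
sed -i -e "s@\(access_log logs/static.log;$\)@# \1\n    access_log /var/log/nginx/static.log;@g" "${NGINX_CONFIGPATH}"
systemctl start nginx.service
systemctl enable nginx.service
ufw allow 22
ufw allow 80

if [ "${SSL}" -eq 1 ]; then
  CPATH=/usr/local/certbot
  # NOTE(review): certbot-auto has been deprecated upstream and may no longer
  # be shipped in a fresh clone — confirm before relying on this step.
  git clone --depth 1 https://github.com/certbot/certbot "${CPATH}"
  WROOT=/opt/crowi/public
  "${CPATH}/certbot-auto" -n certonly --webroot -w "${WROOT}" -d "${DOMAIN}" -m "root@${DOMAIN}" --agree-tos --server https://acme-v02.api.letsencrypt.org/directory
  CERT="/etc/letsencrypt/live/${DOMAIN}/fullchain.pem"
  CKEY="/etc/letsencrypt/live/${DOMAIN}/privkey.pem"
  # Switch the Crowi server block to HTTPS only (TLS 1.2, ECDHE ciphers).
  sed -i "s/listen 80 default_server deferred/listen 443 ssl http2 default_server deferred/" "${NGINX_CONFIGPATH}"
  sed -i "s#server_name ${SERVER_NAME};#server_name ${SERVER_NAME};\n    ssl_protocols TLSv1.2;\n    ssl_ciphers EECDH+AESGCM:EECDH+AES;\n    ssl_ecdh_curve prime256v1;\n    ssl_prefer_server_ciphers on;\n    ssl_session_cache shared:SSL:10m;\n    ssl_certificate ${CERT};\n    ssl_certificate_key ${CKEY};#" "${NGINX_CONFIGPATH}"
  # Include the plain-HTTP redirect server inside the http {} block, i.e. just
  # before the last closing brace of the file (a `server` block is only valid
  # there). Locate that brace explicitly rather than via a tac/sed range so the
  # include is inserted exactly once.
  LAST_BRACE=$(grep -n '^}$' "${NGINX_CONFIGPATH}" | tail -n 1 | cut -d: -f1)
  if [ -z "${LAST_BRACE}" ]; then
    fail "could not find the end of the http block in ${NGINX_CONFIGPATH}"
  fi
  sed -i "${LAST_BRACE}i\\    include /etc/nginx/crowi_http.conf;" "${NGINX_CONFIGPATH}"
  # Port 80 only serves the ACME challenge and redirects everything else.
  cat <<EOF > /etc/nginx/crowi_http.conf
server {
    listen 80 default_server;
    server_name ${DOMAIN};
    root /usr/share/nginx/html;
    location ^~ /.well-known/acme-challenge/ {}
    location / {
        return 301 https://\$host\$request_uri;
    }
}
EOF
  ufw allow 443
  systemctl restart nginx.service
  # Weekly renewal at a randomised minute/hour/weekday; the challenge is now
  # answered from the plain-HTTP server's webroot.
  WROOT=/usr/share/nginx/html
  R=${RANDOM}
  cat <<EOF > /etc/cron.d/certbot-auto
$((R % 60)) $((R % 24)) * * $((R % 7)) root ${CPATH}/certbot-auto renew --webroot -w ${WROOT} --post-hook 'systemctl reload nginx'
EOF
fi
# --force: never wait on the interactive confirmation in an unattended run.
ufw --force enable
_motd end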