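#!/usr/bin/env bash
#
# Install nginx (Debian/Ubuntu, apt-based) and publish the CreditScope site.
#
# What it does:
#   - copies deploy/nginx/creditscope.conf into sites-available and enables it,
#     disabling the distribution's "default" site
#   - when BASIC_AUTH_USERS and BASIC_AUTH_PASSWORD are both set, writes
#     /etc/nginx/.htpasswd (comma-separated user list, one shared password);
#     otherwise removes that file
#   - generates a self-signed certificate/key for PUBLIC_IP when none exists
#     or the existing certificate expires within CERT_RENEW_WINDOW_SECONDS
#   - runs `nginx -t` and reloads (or starts) nginx
#
# Environment (also read from $PROJECT_ROOT/.env, which is sourced as shell code
# and must therefore be a trusted, project-owned file):
#   PUBLIC_IP            IP literal placed in the certificate CN and SAN. When
#                        unset it is fetched from https://ifconfig.me, falling
#                        back to the first address of `hostname -I`.
#   BASIC_AUTH_USERS     comma-separated HTTP basic-auth user names (optional)
#   BASIC_AUTH_PASSWORD  password shared by every user above (optional)
#
# Caveats:
#   - an existing certificate is only checked for expiry, not for whether its
#     SAN still matches PUBLIC_IP; delete the .crt/.key to force regeneration
#   - requires sudo; nginx and apache2-utils (htpasswd) are installed via
#     apt-get when missing
set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_ROOT="$(dirname "$SCRIPT_DIR")"
NGINX_CONF_SOURCE="$PROJECT_ROOT/deploy/nginx/creditscope.conf"
NGINX_CONF_TARGET="/etc/nginx/sites-available/creditscope"
NGINX_ENABLED_TARGET="/etc/nginx/sites-enabled/creditscope"
SSL_CERT_TARGET="/etc/ssl/certs/creditscope-selfsigned.crt"
SSL_KEY_TARGET="/etc/ssl/private/creditscope-selfsigned.key"
HTPASSWD_TARGET="/etc/nginx/.htpasswd"
# Regenerate the self-signed certificate when it expires within this window (30 days).
CERT_RENEW_WINDOW_SECONDS=$((30 * 24 * 60 * 60))
# Worker user of the Debian/Ubuntu nginx package (the apt-based install below
# assumes that family); it must be able to read the htpasswd file.
NGINX_USER="www-data"

# Print a message to stderr and abort.
die() {
    printf '%s\n' "$*" >&2
    exit 1
}

# Print $1 with leading and trailing whitespace removed.
trim() {
    local s=$1
    s=${s#"${s%%[![:space:]]*}"}
    s=${s%"${s##*[![:space:]]}"}
    printf '%s' "$s"
}

# Succeed when both certificate and key exist and the certificate is not
# expiring inside CERT_RENEW_WINDOW_SECONDS (openssl -checkend fails when it is,
# or when it already has).
cert_is_current() {
    [[ -f "$SSL_CERT_TARGET" && -f "$SSL_KEY_TARGET" ]] || return 1
    sudo openssl x509 -checkend "$CERT_RENEW_WINDOW_SECONDS" -noout \
        -in "$SSL_CERT_TARGET" >/dev/null 2>&1
}

command -v sudo >/dev/null 2>&1 || die "sudo is required"

export DEBIAN_FRONTEND=noninteractive

if [[ -f "$PROJECT_ROOT/.env" ]]; then
    set -a
    # shellcheck disable=SC1091
    source "$PROJECT_ROOT/.env"
    set +a
fi

BASIC_AUTH_USERS=${BASIC_AUTH_USERS:-}
BASIC_AUTH_PASSWORD=${BASIC_AUTH_PASSWORD:-}

if [[ -z "${PUBLIC_IP:-}" ]]; then
    # -f makes an HTTP error a failure (so an error page is never taken as the
    # address) and --max-time keeps an unreachable ifconfig.me from hanging
    # the deploy. The trailing `|| true` lets the check below report the
    # problem instead of `set -e` exiting silently.
    PUBLIC_IP=$(curl -4 -fsS --max-time 10 https://ifconfig.me 2>/dev/null) \
        || PUBLIC_IP=$(hostname -I 2>/dev/null | awk '{print $1}') \
        || true
fi
[[ -n "${PUBLIC_IP:-}" ]] || die "Unable to determine PUBLIC_IP"

# PUBLIC_IP comes from the network when not set explicitly and is interpolated
# into the OpenSSL config below. Accept only IP-literal characters so that a
# captive-portal page or other stray body cannot end up in the certificate;
# openssl still validates the literal itself.
[[ "$PUBLIC_IP" =~ ^[0-9A-Fa-f.:]+$ ]] \
    || die "PUBLIC_IP '$PUBLIC_IP' does not look like an IP address; set PUBLIC_IP explicitly"

if ! command -v nginx >/dev/null 2>&1; then
    sudo apt-get update
    sudo apt-get install -y nginx
fi

want_basic_auth=false
if [[ -n "$BASIC_AUTH_USERS" && -n "$BASIC_AUTH_PASSWORD" ]]; then
    want_basic_auth=true
fi

if [[ "$want_basic_auth" == true ]] && ! command -v htpasswd >/dev/null 2>&1; then
    sudo apt-get update
    sudo apt-get install -y apache2-utils
fi

[[ -f "$NGINX_CONF_SOURCE" ]] || die "nginx config not found: $NGINX_CONF_SOURCE"
sudo mkdir -p /etc/nginx/sites-available /etc/nginx/sites-enabled
sudo cp "$NGINX_CONF_SOURCE" "$NGINX_CONF_TARGET"

if [[ "$want_basic_auth" == true ]]; then
    users=()
    # -d '' reads the whole value (newlines included) and splits on commas only;
    # read returns non-zero at end of input, hence `|| true`.
    IFS=',' read -r -d '' -a users <<<"$BASIC_AUTH_USERS" || true

    added=0
    for raw_user in "${users[@]}"; do
        user=$(trim "$raw_user")
        [[ -n "$user" ]] || continue

        # -i reads the password from stdin: with -b it would be visible in
        # `ps` and written to the sudo log with the rest of the command line.
        # -B stores a bcrypt hash instead of the apr1-MD5 default; nginx checks
        # it through the system crypt(), which handles $2y$ on libxcrypt-based
        # Debian/Ubuntu releases — drop -B if logins fail on an older base.
        # -c (re)creates the file for the first user only.
        if (( added == 0 )); then
            htpasswd_flags=(-c -i -B)
        else
            htpasswd_flags=(-i -B)
        fi
        printf '%s\n' "$BASIC_AUTH_PASSWORD" \
            | sudo htpasswd "${htpasswd_flags[@]}" "$HTPASSWD_TARGET" "$user" >/dev/null
        added=$((added + 1))
    done

    (( added > 0 )) || die "No valid BASIC_AUTH_USERS entries were provided"

    # htpasswd creates the file with the default umask (world-readable);
    # restrict it to root and the nginx worker group.
    sudo chown "root:$NGINX_USER" "$HTPASSWD_TARGET"
    sudo chmod 640 "$HTPASSWD_TARGET"
else
    sudo rm -f -- "$HTPASSWD_TARGET"
fi

if ! cert_is_current; then
    tmp_openssl_config=$(mktemp) || die "mktemp failed"
    # Remove the config on every exit path, including a failed openssl run.
    trap 'rm -f -- "$tmp_openssl_config"' EXIT
    cat > "$tmp_openssl_config" <<EOF
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no

[req_distinguished_name]
CN = $PUBLIC_IP

[v3_req]
subjectAltName = @alt_names

[alt_names]
IP.1 = $PUBLIC_IP
EOF

    # Self-signed, so browsers will warn; the SAN IP entry lets clients that
    # trust this certificate match it against the address they connect to.
    # Regeneration replaces the key as well, so any pinned fingerprint changes.
    sudo openssl req \
        -x509 \
        -nodes \
        -newkey rsa:2048 \
        -days 365 \
        -keyout "$SSL_KEY_TARGET" \
        -out "$SSL_CERT_TARGET" \
        -config "$tmp_openssl_config"
    sudo chmod 600 "$SSL_KEY_TARGET"
fi

# -f replaces a stale symlink or file; -n stops ln from descending into the
# target if it is ever a directory symlink.
sudo ln -sfn "$NGINX_CONF_TARGET" "$NGINX_ENABLED_TARGET"
sudo rm -f -- /etc/nginx/sites-enabled/default

# Validate before touching the running service so a bad config does not take
# the site down on reload.
sudo nginx -t

if command -v systemctl >/dev/null 2>&1; then
    sudo systemctl enable nginx
    sudo systemctl reload nginx 2>/dev/null || sudo systemctl restart nginx
elif command -v service >/dev/null 2>&1; then
    sudo service nginx reload 2>/dev/null || sudo service nginx restart
else
    sudo nginx -s reload 2>/dev/null || sudo nginx
fi

printf 'nginx is serving CreditScope on ports 80 and 443 for %s\n' "$PUBLIC_IP"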