Startseite Erkunden Hilfe
Anmelden
Troglodyne
/
tCMS
2
0
Fork 0
Dateien Issues 0 Pull-Requests 0 Wiki
Struktur: 1f211947a5
Branches Tags
tCMS
/
Installer.mk

Installer.mk 8.8 KB
Verlauf Originalformat

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191 
  1. SHELL := /bin/bash
    2. 

  2. SERVER_NAME := $(shell bin/tcms-hostname)
    3. 

  3. 

  4. .PHONY: depend
    5. 

  5. depend:
    6. 

  6. 	[ -f "/etc/debian_version" ] && make -f Installer.mk prereq-debs; /bin/true;
    7. 

  7. 	make -f Installer.mk prereq-perl prereq-frontend
    8. 

  8. 

  9. .PHONY: install
    10. 

  10. install:
    11. 

  11. 	test -d www/themes || mkdir -p www/themes
    12. 

  12. 	test -d data/files || mkdir -p data/files
    13. 

  13. 	test -d www/assets || mkdir -p www/assets
    14. 

  14. 	test -d www/statics || mkdir -p www/statics
    15. 

  15. 	test -d totp/ || mkdir -p totp
    16. 

  16. 	test -d ~/.tcms || mkdir ~/.tcms
    17. 

  17. 	test -d logs/ && mkdir -p logs/; /bin/true
    18. 

  18. 	$(RM) pod2htmd.tmp;
    19. 

  19. 

  20. .PHONY: install-service
    21. 

  21. install-service:
    22. 

  22. 	mkdir -p ~/.config/systemd/user
    23. 

  23. 	cp service-files/systemd.unit ~/.config/systemd/user/tCMS.service
    24. 

  24. 	sed -ie 's#__REPLACEME__#$(shell pwd)#g' ~/.config/systemd/user/tCMS.service
    25. 

  25. 	systemctl --user daemon-reload
    26. 

  26. 	systemctl --user enable tCMS
    27. 

  27. 	systemctl --user start tCMS
    28. 

  28. 	loginctl enable-linger $(USER)
    29. 

  29. 

  30. .PHONY: prereq-debian
    31. 

  31. prereq-debian: prereq-debs prereq-perl prereq-frontend prereq-node
    32. 

  32. 

  33. .PHONY: prereq-debs
    34. 

  34. prereq-debs:
    35. 

  35. 	sudo apt-get update
    36. 

  36. 	sudo apt-get install -y sqlite3 nodejs npm libsqlite3-dev libdbd-sqlite3-perl cpanminus starman libxml2 curl cmake \
    37. 

  37. 		uwsgi uwsgi-plugin-psgi fail2ban nginx certbot postfix dovecot-imapd dovecot-pop3d postgrey spamassassin amavis clamav\
    38. 

  38. 		opendmarc opendkim opendkim-tools libunbound-dev \
    39. 

  39. 	    libtext-xslate-perl libplack-perl libconfig-tiny-perl libdatetime-format-http-perl libjson-maybexs-perl          \
    40. 

  40. 	    libuuid-tiny-perl libcapture-tiny-perl libconfig-simple-perl libdbi-perl libfile-slurper-perl libfile-touch-perl \
    41. 

  41. 	    libfile-copy-recursive-perl libxml-rss-perl libmodule-install-perl libio-string-perl uuid-dev                    \
    42. 

  42. 	    libmoose-perl libmoosex-types-datetime-perl libxml-libxml-perl liblist-moreutils-perl libclone-perl libpath-tiny-perl \
    43. 

  43. 		selinux-utils setools policycoreutils-python-utils policycoreutils selinux-basics auditd \
    44. 

  44. 		pdns-tools pdns-server pdns-backend-sqlite3 libmagic-dev
    45. 

  45. 

  46. .PHONY: prereq-perl
    47. 

  47. prereq-perl:
    48. 

  48. 	sudo cpanm -n --installdeps .
    49. 

  49. 

  50. .PHONY: prereq-node
    51. 

  51. prereq-node:
    52. 

  52. 	npm i
    53. 

  53. 

  54. .PHONY: prereq-frontend
    55. 

  55. prereq-frontend:
    56. 

  56. 	mkdir -p www/scripts; pushd www/scripts && curl -L --remote-name-all                        \
    57. 

  57. 		"https://raw.githubusercontent.com/chalda-pnuzig/emojis.json/master/dist/list.min.json" \
    58. 

  58. 		"https://raw.githubusercontent.com/highlightjs/cdn-release/main/build/highlight.min.js" \
    59. 

  59. 		"https://cdn.jsdelivr.net/npm/chart.js"; popd
    60. 

  60. 	mkdir -p www/styles; cd www/styles && curl -L --remote-name-all \
    61. 

  61. 		"https://raw.githubusercontent.com/highlightjs/cdn-release/main/build/styles/obsidian.min.css"
    62. 

  62. 

  63. .PHONY: reset
    64. 

  64. reset: reset-remove install
    65. 

  65. 

  66. .PHONY: reset-remove
    67. 

  67. reset-remove:
    68. 

  68. 	rm -rf data; /bin/true
    69. 

  69. 	rm -rf www/themes; /bin/true
    70. 

  70. 	rm -rf www/assets; /bin/true
    71. 

  71. 	rm config/auth.db; /bin/true
    72. 

  72. 	rm config/main.cfg; /bin/true
    73. 

  73. 	rm config/has_users; /bin/true
    74. 

  74. 	rm config/setup; /bin/true
    75. 

  75. 

  76. .PHONY: fail2ban
    77. 

  77. fail2ban:
    78. 

  78. 	cp fail2ban/tcms-jail.tmpl fail2ban/tcms-jail.conf
    79. 

  79. 	sed -i 's#__LOGDIR__#$(shell pwd)#g' fail2ban/tcms-jail.conf
    80. 

  80. 	sed -i 's#__DOMAIN__#$(shell bin/tcms-hostname)#g' fail2ban/tcms-jail.conf
    81. 

  81. 	sudo rm /etc/fail2ban/jail.d/$(shell bin/tcms-hostname).conf; /bin/true
    82. 

  82. 	sudo rm /etc/fail2ban/filter.d/$(shell bin/tcms-hostname).conf; /bin/true
    83. 

  83. 	sudo ln -sr fail2ban/tcms-jail.conf   /etc/fail2ban/jail.d/$(shell bin/tcms-hostname).conf
    84. 

  84. 	sudo ln -sr fail2ban/tcms-filter.conf /etc/fail2ban/filter.d/$(shell bin/tcms-hostname).conf
    85. 

  85. 	sudo systemctl reload fail2ban
    86. 

  86. 

  87. .PHONY: nginx
    88. 

  88. nginx:
    89. 

  89. 	[ -n "$$SERVER_NAME" ] || ( echo "Please set the SERVER_NAME environment variable before running (e.g. test.test)" && /bin/false )
    90. 

  90. 	sed 's/\%SERVER_NAME\%/$(SERVER_NAME)/g' nginx/tcms.conf.tmpl > nginx/tcms.conf.intermediate
    91. 

  91. 	sed 's/\%SERVER_SOCK\%/$(shell pwd)/g' nginx/tcms.conf.intermediate > nginx/tcms.conf
    92. 

  92. 	rm nginx/tcms.conf.intermediate
    93. 

  93. 	mkdir run
    94. 

  94. 	chown $(USER):www-data run
    95. 

  95. 	chmod 0770 run
    96. 

  96. 	sudo mkdir -p '/var/www/$(SERVER_NAME)'
    97. 

  97. 	sudo mkdir -p '/var/www/mail.$(SERVER_NAME)'
    98. 

  98. 	sudo mkdir -p '/etc/letsencrypt/live/$(SERVER_NAME)'
    99. 

  99. 	[ -e "/etc/nginx/sites-enabled/$$SERVER_NAME.conf" ] && sudo rm "/etc/nginx/sites-enabled/$$SERVER_NAME.conf"; /bin/true
    100. 

  100. 	sudo ln -sr nginx/tcms.conf '/etc/nginx/sites-enabled/$(SERVER_NAME).conf'
    101. 

  101. 	# Make a self-signed cert FIRST, because certbot has a chicken/egg problem
    102. 

  102. 	sudo openssl req -x509 -config etc/openssl.conf -nodes -newkey rsa:4096 -subj '/CN=$(SERVER_NAME)' -addext 'subjectAltName=DNS:www.$(SERVER_NAME),DNS:mail.$(SERVER_NAME)' -keyout '/etc/letsencrypt/live/$(SERVER_NAME)/privkey.pem' -out '/etc/letsencrypt/live/$(SERVER_NAME)/fullchain.pem' -days 365
    103. 

  103. 	sudo systemctl reload nginx
    104. 

  104. 	# Now run certbot and get that http dcv. We have to do a "gamer move" so that certbot doesn't complain about live dir existing.
    105. 

  105. 	sudo rm -rf '/etc/letsencrypt/live/$(SERVER_NAME)'
    106. 

  106. 	sudo certbot certonly --webroot -w '/var/www/$(SERVER_NAME)/' -d '$(SERVER_NAME)' -d 'www.$(SERVER_NAME)' -w '/var/www/mail.$(SERVER_NAME)' -d 'mail.$(SERVER_NAME)'
    107. 

  107. 	sudo systemctl reload nginx
    108. 

  108. 

  109. .PHONY: mail
    110. 

  110. mail: dkim dmarc
    111. 

  111. 	# Dovecot
    112. 

  112. 	sudo cp /etc/dovecot/conf.d/10-ssl.conf /etc/dovecot/conf.d/10-ssl.conf.orig
    113. 

  113. 	sudo sed -i 's/^\(ssl_cert\s*=\).*/\1<\/etc\/letsencrypt\/live\/$(SERVER_NAME)\/fullchain.pem/g' /etc/dovecot/conf.d/10-ssl.conf
    114. 

  114. 	sudo sed -i 's/^\(ssl_key\s*=\).*/\1\<\/etc\/letsencrypt\/live\/$(SERVER_NAME)\/privkey.pem/g' /etc/dovecot/conf.d/10-ssl.conf
    115. 

  115. 	# Postfix
    116. 

  116. 	sudo cp /etc/postfix/main.cf /etc/postfix/main.cf.orig
    117. 

  117. 	sudo sed -i 's/^\(smtpd_tls_cert_file\s*=\).*/\1\/etc\/letsencrypt\/live\/$(SERVER_NAME)\/fullchain.pem/g' /etc/postfix/main.cf
    118. 

  118. 	sudo sed -i 's/^\(smtpd_tls_key_file\s*=\).*/\1\/etc\/letsencrypt\/live\/$(SERVER_NAME)\/privkey.pem/g' /etc/postfix/main.cf
    119. 

  119. 	# XXX we should not do these two.
    120. 

  120. 	sudo sed -i 's/^\(myhostname\s*=\).*/\1$(SERVER_NAME)/g' /etc/postfix/main.cf
    121. 

  121. 	sudo echo '$(SERVER_NAME)' > /etc/mailname
    122. 

  122. 	# Configure postfix to put on its socks and shoes.  This all implicitly relies on good defaults in the opendkim/opendmarc packages.
    123. 

  123. 	sudo postconf -e milter_default_action=accept
    124. 

  124. 	sudo postconf -e milter_protocol=2
    125. 

  125. 	sudo postconf -e smtpd_milters=local:opendkim/opendkim.sock,local:opendmarc/opendmarc.sock
    126. 

  126. 	sudo postconf -e non_smtpd_milters=\$smtpd_milters
    127. 

  127. 	sudo service postfix reload
    128. 

  128. 	# TODO setup various mail aliases and so forth, e.g. postmaster@, soa@, the various lists etc
    129. 

  129. 

  130. .PHONY: dkim
    131. 

  131. dkim:
    132. 

  132. 	sudo mkdir -p /etc/opendkim/keys/$(SERVER_NAME)
    133. 

  133. 	sudo opendkim-genkey --directory /etc/opendkim/keys/$(SERVER_NAME) -s mail -d $(SERVER_NAME)
    134. 

  134. 	sudo openssl rsa -in /etc/opendkim/keys/$(SERVER_NAME)/mail.private -pubout > /tmp/mail.public
    135. 

  135. 	sudo mv /tmp/mail.public /etc/opendkim/keys/$(SERVER_NAME)/mail.public
    136. 

  136. 	sudo chown -R opendkim:opendkim /etc/opendkim
    137. 

  137. 	sudo mail/mongle_dkim_config $(SERVER_NAME)
    138. 

  138. 	sudo service opendkim enable
    139. 

  139. 	sudo service opendkim start
    140. 

  140. 

  141. .PHONY: dmarc
    142. 

  142. dmarc:
    143. 

  143. 	sudo mail/mongle_dmarc_config $(SERVER_NAME) mail.$(SERVER_NAME)
    144. 

  144. 	sudo service opendmarc enable
    145. 

  145. 	sudo service opendmarc start
    146. 

  146. 

  147. .PHONY: dns
    148. 

  148. dns:
    149. 

  149. 	cp dns/tcms.tmpl dns/tcms.conf
    150. 

  150. 	sed -i 's#__DIR__#$(shell pwd)#g' dns/tcms.conf
    151. 

  151. 	sed -i 's#__DOMAIN__#$(SERVER_NAME)#g' dns/tcms.conf
    152. 

  152. 	[[ -e /etc/powerdns/pdns.d/$(SERVER_NAME).conf ]] && sudo rm /etc/powerdns/pdns.d/$(SERVER_NAME).conf
    153. 

  153. 	sudo cp dns/tcms.conf /etc/powerdns/pdns.d/$(SERVER_NAME).conf
    154. 

  154. 	sudo mkdir /etc/systemd/resolved.conf.d/; /bin/true
    155. 

  155. 	sudo cp dns/10-disable-stub-resolver.conf /etc/systemd/resolved.conf.d/
    156. 

  156. 	sudo chown -R systemd-resolve:systemd-resolve /etc/systemd/resolved.conf.d/
    157. 

  157. 	sudo chmod 0660 /etc/systemd/resolved.conf.d/10-disable-stub-resolver.conf
    158. 

  158. 	sudo systemctl restart systemd-resolved
    159. 

  159. 	# Build the zone database and initialize the zone for our domain
    160. 

  160. 	rm dns/zones.db; /bin/true
    161. 

  161. 	sqlite3 dns/zones.db < /usr/share/pdns-backend-sqlite3/schema/schema.sqlite3.sql
    162. 

  162. 	bin/build_zone > dns/default.zone
    163. 

  163. 	zone2sql --gsqlite --zone=dns/default.zone --zone-name=$(SERVER_NAME) > dns/default.zone.sql
    164. 

  164. 	sqlite3 dns/zones.db < dns/default.zone.sql
    165. 

  165. 	# Bind mount our dns/ folder so that pdns can see it in chroot
    166. 

  166. 	sudo mkdir /var/spool/powerdns/$(SERVER_NAME); /bin/true
    167. 

  167. 	sudo chown pdns:pdns /var/spool/powerdns/$(SERVER_NAME); /bin/true
    168. 

  168. 	sudo cp /etc/fstab /tmp/fstab.new
    169. 

  169. 	sudo chown $(USER) /tmp/fstab.new
    170. 

  170. 	echo "$(shell pwd)/dns /var/spool/powerdns/$(SERVER_NAME) none defaults,bind 0 0" >> /tmp/fstab.new
    171. 

  171. 	sort < /tmp/fstab.new | uniq | grep -o '^[^#]*' > /tmp/fstab.new
    172. 

  172. 	sudo chown root:root /tmp/fstab.new
    173. 

  173. 	sudo mv /etc/fstab /etc/fstab.bak
    174. 

  174. 	sudo mv /tmp/fstab.new /etc/fstab
    175. 

  175. 	sudo mount /var/spool/powerdns/$(SERVER_NAME)
    176. 

  176. 	# Don't need no bind
    177. 

  177. 	[[ -e /etc/powerdns/pdns.d/bind.conf ]] && sudo rm /etc/powerdns/pdns.d/bind.conf
    178. 

  178. 	# Fix broken service configuration
    179. 

  179. 	sudo bin/configure_pdns
    180. 

  180. 	sudo cp dns/10-powerdns.conf /etc/rsyslog.d/10-powerdns.conf 
    181. 

  181. 	sudo systemctl daemon-reload
    182. 

  182. 	sudo service rsyslog restart
    183. 

  183. 	sudo service pdns enable
    184. 

  184. 	sudo service pdns start
    185. 

  185. 

  186. .PHONY: githook
    187. 

  187. githook:
    188. 

  188. 	cp git-hooks/pre-commit .git/hooks
    189. 

  189. 

  190. .PHONY: all
    191. 

  191. all: prereq-debian install fail2ban nginx mail dns githook
    192.