Setup xBrowserSync API on a CentOS box
#!/bin/sh
####################################################################################################
#
# Setup xBrowserSync API on CentOS
#
# Copyright (c) 2020, Tom Chapman (https://tom-chapman.uk)
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without modification, are
# permitted provided that the following conditions are met:
#
# 1. Redistributions of source code must retain the above copyright notice, this list of conditions
# and the following disclaimer.
#
# 2. Redistributions in binary form must reproduce the above copyright notice, this list of
# conditions and the following disclaimer in the documentation and/or other materials provided with
# the distribution.
#
# 3. Neither the name of the copyright holder nor the names of its contributors may be used to
# endorse or promote products derived from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR
# CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY
# WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
####################################################################################################
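# Directory this script lives in; the TLS cert and key named below are copied
# from here later on. Every expansion is quoted so a path containing spaces
# or glob characters is not split or expanded.
CURR_DIR=$(dirname -- "$(readlink -f -- "$0")")
# Set Required Software Versions
NODE_MAJOR_VER='16'
MONGODB_VER='6.0'
EL_RELEASE='8'
XBROWSERSYNC_VER='1.1.13'
# SSL cert details to use with the XBS Node service on HTTPS
SSL_CERT_FILE='example.crt'
SSL_KEY_FILE='example.key'
# Hostname the XBS api will be served from
HOSTNAME='api.examplexbs.com'
# Set Mongo credentials for XBS
XBROWSERSYNC_DB_USER='xbrowsersyncdb'
# 32 random alphanumeric characters read from the kernel CSPRNG. tr -dc drops
# every byte outside the set, so the characters that remain are uniformly
# distributed; LC_ALL=C keeps tr byte-oriented whatever the caller's locale.
XBROWSERSYNC_DB_PWD=$(LC_ALL=C tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 32 | head -n 1)
# NOTE(review): the password is printed on stdout, so it lands in terminal
# scrollback and in any log that captures this script's output. It is also
# persisted for the service further down, so nothing depends on this echo.
printf 'DB username: %s\n' "$XBROWSERSYNC_DB_USER"
printf 'DB password: %s\n' "$XBROWSERSYNC_DB_PWD"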
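# Abort on the first failing command and trace every command to stderr.
# The trace prints each command with its expanded arguments, so secrets must
# be kept out of command arguments while it is on.
set -e -x
# Create required system accounts
groupadd -r xbrowsersync
# Service account only: give it a non-login shell explicitly, because
# useradd -r otherwise takes the shell from the distribution's useradd
# defaults (commonly an interactive shell).
useradd -r -g xbrowsersync -s /sbin/nologin xbrowsersync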
# Firewall: switch AllowZoneDrifting from yes to no in firewalld's config,
# restart firewalld so the new setting is read, then open HTTPS in the
# permanent configuration and reload to make it live.
ex /etc/firewalld/firewalld.conf -s \
  -c ':%s/AllowZoneDrifting=yes/AllowZoneDrifting=no/' \
  -c ':wq!'
systemctl restart firewalld
firewall-cmd --permanent --add-service=https
firewall-cmd --reload
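# Need to be able to extract & configure the below software
dnf -y install tar xz gzip jq
# Download all of the software we need
cd /usr/local/src/
# --fail makes curl exit non-zero on an HTTP error instead of saving the
# error page; without it a 404/500 body would be stored under the installer's
# name and executed as root in the next step. --proto pins the transfer to
# HTTPS. NOTE(review): nothing here verifies the installer's content, so it
# is trusted purely on the strength of the TLS connection to the vendor.
curl --fail --proto '=https' \
  -o "node_setup_$NODE_MAJOR_VER.x.sh" \
  "https://rpm.nodesource.com/setup_$NODE_MAJOR_VER.x"
# Plain --location is enough to follow GitHub's redirect: no credentials are
# supplied, so --location-trusted (which forwards credentials to every
# redirect target) adds nothing. --proto-redir keeps redirects on HTTPS too.
curl --fail --proto '=https' --proto-redir '=https' --location \
  -o "api-$XBROWSERSYNC_VER.tar.gz" \
  "https://github.com/xbrowsersync/api/archive/v$XBROWSERSYNC_VER.tar.gz"
# Optional integrity pin: set XBROWSERSYNC_SHA256 to the digest of a release
# archive you have reviewed and the download is checked against it.
if [ -n "${XBROWSERSYNC_SHA256:-}" ]; then
  printf '%s  %s\n' "$XBROWSERSYNC_SHA256" "api-$XBROWSERSYNC_VER.tar.gz" | sha256sum -c -
else
  echo 'XBROWSERSYNC_SHA256 not set: xBrowserSync archive used without a checksum check' >&2
fi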
# Install node: run the NodeSource setup script fetched earlier (this executes
# downloaded code as whoever runs this script), patch the repo file it
# creates, then install nodejs and bring npm up to its newest release.
node_setup="node_setup_$NODE_MAJOR_VER.x.sh"
chmod u+x "$node_setup"
"./$node_setup"
# dnf treats failovermethod as invalid config, and the NodeSource repo file
# still ships it (https://github.com/nodesource/distributions/issues/1311),
# so the line is commented out in place.
ex "/etc/yum.repos.d/nodesource-el$EL_RELEASE.repo" -s \
  -c ':%s/failovermethod=priority/#failovermethod=priority/g' \
  -c ':wq!'
dnf -y install nodejs
# NOTE(review): npm@latest is unpinned, so the npm version depends on the day
# the script is run.
npm install --global npm@latest
# Install Mongo
# Repo definition adapted from
# https://www.mongodb.com/docs/manual/tutorial/install-mongodb-on-red-hat/
# \$releasever and \$basearch are escaped so they reach the file literally
# for dnf to expand; $MONGODB_VER is filled in by the shell. gpgcheck=1 makes
# dnf verify package signatures against the key at the gpgkey URL.
cat > "/etc/yum.repos.d/mongo-org-$MONGODB_VER.repo" <<EOF
[mongodb-org-$MONGODB_VER]
name=MongoDB $MONGODB_VER Repository
baseurl=https://repo.mongodb.org/yum/redhat/\$releasever/mongodb-org/$MONGODB_VER/\$basearch/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-$MONGODB_VER.asc
EOF
dnf install -y mongodb-org-server mongodb-mongosh mongodb-database-tools
# Pick up the new unit, enable it at boot and start it now. The trailing
# start is a no-op once "enable --now" has already started the service.
systemctl daemon-reload
systemctl enable --now mongod
systemctl start mongod
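# mongosh complains about this being too low on first launch, recommends this value
# here: https://www.mongodb.com/docs/manual/administration/production-checklist-operations/
sysctl -w vm.max_map_count=128000
# sysctl -w only changes the running kernel; the drop-in keeps the value
# across reboots.
echo 'vm.max_map_count=128000' > /etc/sysctl.d/90-mongodb.conf
# mongosh complains this is set to 'always', and should be set to 'never'
echo 'never' > /sys/kernel/mm/transparent_hugepage/enabled
# Persist the THP setting by appending it to the kernelopts entry of grubenv.
# The entry is read first so that (a) a missing entry is reported instead of
# writing a malformed variable, and (b) a re-run does not append the option
# a second time.
kernelopts=$(grub2-editenv - list | grep '^kernelopts=') || kernelopts=''
case "$kernelopts" in
  '')
    echo 'kernelopts not found in grubenv: transparent_hugepage=never was NOT made persistent' >&2
    ;;
  *transparent_hugepage=never*)
    ;;
  *)
    grub2-editenv - set "$kernelopts transparent_hugepage=never"
    ;;
esac
systemctl restart mongod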
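# Configure the DB for use with XBS
# The commands are fed to mongosh on stdin, so the password never appears in
# mongosh's argument list. A here-document replaces the original here-string
# because <<< is a bashism and the script declares #!/bin/sh; the text sent
# to mongosh is the same.
# The user name and password are spliced into the JavaScript unescaped, which
# is safe only while both stay purely alphanumeric.
# NOTE(review): the account also gets readWrite on xbrowsersynctest; drop
# that role if the test database is not needed on this host.
mongosh <<EOF
disableTelemetry();
db.disableFreeMonitoring();
use admin;
db.createUser({ user: "$XBROWSERSYNC_DB_USER", pwd: "$XBROWSERSYNC_DB_PWD", roles: [ { role: "readWrite", db: "xbrowsersync" }, { role: "readWrite", db: "xbrowsersynctest" } ] });
use xbrowsersync;
db.newsynclogs.createIndex( { "expiresAt": 1 }, { expireAfterSeconds: 0 } );
db.newsynclogs.createIndex({ "ipAddress": 1 });
EOF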
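# Enable security on MongoDB after we've created the users and DB
# The edit turns the commented-out "#security:" line of mongod.conf into a
# security section with authorization enabled.
ex /etc/mongod.conf -s -c ':%s/#security:/security: \r authorization: enabled/' -c ':wq!'
# Fail closed: if the packaged config did not contain the expected
# "#security:" line, the substitution changes nothing and mongod would keep
# accepting unauthenticated connections. Check the result before restarting.
if ! grep -q '^[[:space:]]*authorization:[[:space:]]*enabled' /etc/mongod.conf; then
  echo 'authorization is not enabled in /etc/mongod.conf; aborting' >&2
  exit 1
fi
systemctl restart mongod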
# Setup xBrowserSync: unpack the release archive from the current directory,
# move the tree to /srv/xBrowserSync and install its production dependencies.
xbs_release="api-$XBROWSERSYNC_VER"
tar -xzf "$xbs_release.tar.gz"
mv "$xbs_release" /srv/xBrowserSync
cd /srv/xBrowserSync
# NOTE(review): this runs with the script's own privileges, so any install
# scripts shipped by the dependencies run with them too.
npm install --only=production
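# Configure XBS, altering certain default values
# settings.json is derived from settings.default.json with the host, HTTPS
# certificate/key paths and port overridden. The shell values are handed to
# jq with --arg, so they arrive as JSON strings and a quote or backslash in
# one of them cannot alter the jq program.
cd config
jq -M \
  --arg host "$HOSTNAME" \
  --arg cert "/srv/certs/$SSL_CERT_FILE" \
  --arg key "/srv/certs/$SSL_KEY_FILE" \
  '.server.host = $host |
   .server.https.certPath = $cert |
   .server.https.enabled = true |
   .server.https.keyPath = $key |
   .server.port = 443' settings.default.json > settings.json
cd ../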
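# Put the certs in place
# The private key must be readable by the service account and nobody else:
# the directory is root-owned, group xbrowsersync, mode 0750, and the key is
# installed 0640 with the same ownership. A plain cp would keep whatever mode
# the source file has, which can leave the key world-readable.
install -d -o root -g xbrowsersync -m 0750 /srv/certs/
install -o root -g xbrowsersync -m 0644 "$CURR_DIR/$SSL_CERT_FILE" /srv/certs/
install -o root -g xbrowsersync -m 0640 "$CURR_DIR/$SSL_KEY_FILE" /srv/certs/
# Setup the log directory, owned by the service account
mkdir /var/log/xBrowserSync
chown -R xbrowsersync:xbrowsersync /var/log/xBrowserSync/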
# Configure to work with systemd startup
# The unit runs the API as the unprivileged xbrowsersync account with a
# read-only view of the system (ProtectSystem=strict) apart from its runtime
# and log directories, and keeps only CAP_NET_BIND_SERVICE so it can listen
# on port 443. The delimiter is quoted so $MAINPID is written literally for
# systemd to expand.
cat > /usr/lib/systemd/system/xBrowserSync.service <<'EOF'
[Unit]
Description=xBrowserSync service
After=syslog.target network.target remote-fs.target nss-lookup.target
[Service]
User=xbrowsersync
Group=xbrowsersync
RuntimeDirectory=xBrowserSync
RuntimeDirectoryMode=0755
LogsDirectory=xBrowserSync
LogsDirectoryMode=0755
Type=exec
PIDFile=/run/xBrowserSync/xBrowserSync.pid
ExecStart=/usr/bin/node /srv/xBrowserSync/dist/api.js
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s QUIT $MAINPID
PrivateTmp=true
ProtectSystem=strict
ReadWritePaths=/run/xBrowserSync /var/log/xBrowserSync
ProtectHome=true
NoNewPrivileges=true
PrivateDevices=true
Environment="NODE_ENV=production"
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectControlGroups=true
RestrictRealtime=true
RestrictNamespaces=true
# This allows xbrowsersync user to bind to ports below 1024
# which is normally restricted to the root user under systemd
AmbientCapabilities=CAP_NET_BIND_SERVICE
[Install]
WantedBy=multi-user.target
EOF
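# Set the required credential env vars for systemd started XBS to connect to Mongo
# The credentials go into a root-only environment file that the drop-in
# points at, rather than into Environment= lines: Environment= values are
# readable by unprivileged local users through systemd's D-Bus interface
# (e.g. systemctl show), and a drop-in written with the default umask is
# typically world-readable on disk.
# Writing through a here-document also keeps the password out of the set -x
# trace, which prints command arguments but not redirected input.
(
  umask 077
  cat > /etc/sysconfig/xBrowserSync <<EOF
XBROWSERSYNC_DB_USER=$XBROWSERSYNC_DB_USER
XBROWSERSYNC_DB_PWD=$XBROWSERSYNC_DB_PWD
EOF
)
# The umask only applies when the file is newly created; force the mode in
# case it already existed from an earlier run.
chmod 0600 /etc/sysconfig/xBrowserSync
mkdir -p /etc/systemd/system/xBrowserSync.service.d/
cat > /etc/systemd/system/xBrowserSync.service.d/override.conf <<'EOF'
[Service]
EnvironmentFile=/etc/sysconfig/xBrowserSync
EOF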
# Ensure XBS is enabled correctly with systemd: reload unit definitions,
# enable the service at boot and start it. The final start is a no-op when
# "enable --now" has already brought the service up.
xbs_unit='xBrowserSync'
systemctl daemon-reload
systemctl enable --now "$xbs_unit"
systemctl start "$xbs_unit"