ppmotskula/piactl

## piactl
#!/bin/bash

ABOUT="piactl 0.10
Copyright (c) 2018-2020 Peeter P. Mõtsküla <peeterpaul@motskula.net>
https://gist.github.com/ppmotskula/4288167460de27d22225e4959c44c6c4
License: MIT License (https://opensource.org/licenses/MIT)

piactl helps you to install, configure and control CNIL's PIA software
(https://www.cnil.fr/en/open-source-pia-software-helps-carry-out-data-protection-impact-assesment)

Special thanks to github.com/ylachgar for his runbook and github.com/kosmas58 for his pia_docker

NOTE: piactl has been successfully tested on a fresh DigitalOcean droplet
      with 2 GB RAM and 1 VCPU running Ubuntu 18.04.2, and fresh VirtualBox VMs
      running Ubuntu 18.04.1 (server and desktop editions).
"

USAGE="Usage:
  piactl [status]
      Display running PIA software if any
  piactl start back|front|all
      Start PIA software (pia-back, pia, or both)
  piactl stop back|front|all
      Stop running PIA software
  piactl install back|front|all HOST [VERSION]
      Download and install PIA software (latest version unless a
      particular version number is given), and configure it to be
      accessed via specified hostname
  piactl reinstall back|front|all HOST [VERSION]
      Shortcut for 'piactl remove OPTIONS && piactl install OPTIONS'
  piactl secure back|front|all HOST
      Reconfigure installed PIA software to be served via https,
      obtaining letsencrypt (test) certificates unless already present
  piactl certify HOST
      Request non-test letsencrypt certificate for the given hostname.
      Note that letsencrypt certificates expire in 90 days. To renew
      them, run 'certbot renew' from time to time, or read certbot
      documentation for how to configure your system to auto-renew them
  piactl remove back|front|all
      Remove installed PIA software. If you want to also remove the
      dependencies and/or certificates, then you must do it manually
  piactl resetcap
      re-setcap /usr/bin/node to allow pia-front to run on :443
      (this may be needed when nodejs has been updated)
  piactl help|--help|-h
      Show this help message and exit

NOTE: you need root permissions to use piactl.
"

main() {
  case "$1" in
    ""|"status")         # piactl
      pia-status
      ;;

    "start")    # piactl start back|front|all
      if [ $# != 2 ] ; then
        usage "piactl start back|front|all"
      fi
      case "$2" in
        back)
          start-back
          ;;
        front)
          start-front
          ;;
        all)
          start-back
          start-front
          ;;
        *)
          usage "piactl start back|front|all";
      esac
      ;;

    "stop")     # piactl stop back|front|all
      if [ $# != 2 ] ; then usage ; fi
      case "$2" in
        back)
          stop-back
          ;;
        front)
          stop-front
          ;;
        all)
          stop-back
          stop-front
          ;;
        *)
          usage "piactl stop back|front|all";
      esac
      ;;

    "install")  # piactl install back|front|all HOST [VERSION]
      if [[ $# < 3 || $# > 4 ]] ; then
        usage "piactl install back|front|all HOST [VERSION]"
      fi
      install $2 $3 $4
      ;;

    "reinstall")  # piactl reinstall back|front|all HOST [VERSION]
      if [[ $# < 3 || $# > 4 ]] ; then
        usage "piactl reinstall back|front|all HOST [VERSION]"
      fi
      remove $2 && install $2 $3 $4
      ;;

    "secure")   # piactl secure back|front|all HOST
      if [ $# != 3 ] ; then
        usage "piactl secure back|front|all HOST"
      fi
      case "$2" in
        back)
          secure-back $3
          ;;
        front)
          secure-front $3
          ;;
        all)
          secure-back $3
          secure-front $3
          ;;
        *)
          usage "piactl secure back|front|all HOST";
      esac
      ;;

    "certify")  # piactl certify HOST
      if [ $# != 2 ] ; then
        usage "piactl certify HOST"
      fi
      certify $2 --prod
      ;;

    "remove")   # piactl remove back|front|all
      remove $2 $3 $4
      ;;

    "resetcap") # piactl resetcap
      resetcap
      ;;

    "help"|"--help"|"-h")     # piactl help
      echo "$ABOUT"
      echo "$USAGE"
      exit
      ;;

    *)          # piactl <unrecognized params>
      usage
      ;;
  esac
}


usage() {
  local MSG
  if [ $# != 0 ] ; then
    MSG="$@"
  else
    MSG="piactl [COMMAND] [OPTIONS]"
  fi
  echo "Usage:
  $MSG
Run 'piactl help' for details"
  exit 1
}


pid-front() {
  echo $(ps ax|grep -v grep|grep ' ng'|sed -e 's/\([0-9 ]*\).*/\1/'|sed -e 's/ //g')
}


pid-back() {
  echo $(ps ax|grep -v grep|grep '\[pia-back]'|sed -e 's/\([0-9 ]*\).*/\1/'|sed -e 's/ //g')
}


pia-status() {
  echo -n "PIA status: backend "
  if [ ! -e ~/pia-back ] ; then echo -n "not installed"
  else
    if [ "$(pid-back)" != "" ] ; then echo -n "running ($(pid-back))" ; else echo -n "stopped" ; fi
  fi
  echo -n ", frontend "
  if [ ! -e ~/pia ] ; then echo -n "not installed"
  else
    if [ "$(pid-front)" != "" ] ; then echo -n "running ($(pid-front))" ; else echo -n "stopped" ; fi
  fi
  echo
}


start-back() {
  if ( ! sudo -v ) ; then nosudo ; fi
  if [ ! -e ~/pia-back ] ; then
    echo "piactl: warning: backend not installed"
  elif [ "$(pid-back)" != "" ] ; then
    echo "piactl: warning: backend is already running ($(pid-back))"
  else
    cd ~/pia-back
    if [ -e ssl ] ; then
      sudo -Hu www-data bin/rails s -b "ssl://0.0.0.0?key=ssl/server.key&cert=ssl/server.crt" &
    else
      sudo -Hu www-data bin/rails s -b 0.0.0.0 &
    fi
  fi
}


start-front() {
  if ( ! sudo -v ) ; then nosudo ; fi
  if [ ! -e ~/pia ] ; then
    echo "piactl: warning: frontend not installed"
  elif [ "$(pid-front)" != "" ] ; then
    echo "piactl: warning: frontend is already running ($(pid-front))"
  else
    cd ~/pia
    sudo -Hu www-data npm run-script start &
  fi
}


stop-back() {
  if ( ! sudo -v ) ; then nosudo ; fi
  if [ ! -e ~/pia-back ] ; then
    echo "piactl: warning: backend not installed"
  elif [ "$(pid-back)" = "" ] ; then
    echo "piactl: warning: backend not running"
  else
    sudo -Hu www-data kill $(pid-back)
  fi
}


stop-front() {
  if ( ! sudo -v ) ; then nosudo ; fi
  if [ ! -e ~/pia ] ; then
    echo "piactl: warning: frontend not installed"
  elif [ "$(pid-front)" = "" ] ; then
    echo "piactl: warning: frontend not running"
  else
    sudo -Hu www-data kill $(pid-front)
  fi
}


nosudo() {
  echo "piactl: ERROR: you need root permissions but sudo failed"
  exit 1
}


install() {     # install back|front|all HOST [VERSION]
  if [[ $# < 2 || $# > 3 ]] ; then
    usage "piactl install back|front|all HOST [VERSION]"
  fi
  if ( ! sudo -v ) ; then nosudo ; fi
  case "$1" in
    back)
      install-back $2 $3
      ;;
    front)
      install-front $2 $3
      ;;
    all)
      install-back $2 $3
      install-front $2 $3
      ;;
    *)
      usage "piactl install back|front|all HOST [VERSION]";
  esac
}


install-back() {        # install-back HOST [VERSION]
  if [ -e ~/pia-back ] ; then
    echo "piactl: ERROR: ~/pia-back exists; remove or reinstall. Run 'piactl help' for details'"
    exit 1
  fi
  echo Installing pia-back into ~/pia-back...

  local HOST=$1
  local VERSION=$2

  # install dependencies
  sudo apt update && sudo apt install -y git ruby-dev sqlite3 build-essential zlib1g-dev postgresql libpq-dev libssl-dev
  sudo gem install rails

  # set postgres password
  local PGPASS
  read -p 'Enter new password for PostgreSQL user (role) "postgres": ' PGPASS
  sudo -u postgres psql -c "ALTER USER postgres WITH PASSWORD '$PGPASS';"
  # the following alternative would be more secure as it leaves no traces in user's history
  # echo '\password postgres' | sudo -u postgres psql postgres

  # download latest pia-back, checking out specific version if provided
  cd
  git clone https://github.com/LINCnil/pia-back.git
  cd pia-back
  if [ "$VERSION" != "" ] ; then
    git checkout $VERSION
  fi

  # remove Gemfile.lock and install latest bundler
  rm Gemfile.lock
  sudo gem install bundler
  # alternative: install specific version of bundler
  #sudo gem install bundler -v `grep -A 1 "BUNDLED WITH" Gemfile.lock|tail -1`

  # fix Gemfile to refer to Ruby 2.5.1
  # as 2.6.5 is not yet available in Ubuntu repos
  sed -i "s/^\(ruby '~> 2\).6.5'/\1.5.1'/" Gemfile

  # fix Gemfile to fix Chrome 70 SSL curve compatibility issue
  # ( https://github.com/puma/puma/issues/1670 )
  sed -i "s/^gem 'puma'.*/gem 'puma', github: 'eric-norcross\/puma', branch: 'chrome_70_ssl_curve_compatiblity'/" Gemfile

  # configure and build pia-back
  sed -e "s/username:/username: postgres/" -e "s/password:/password: $PGPASS/" config/database.example.yml > config/database.yml
  bundle install
  bundle install --deployment # needed to get the SSL fix in
  local SECRET=`bin/rake secret`
  sed -e "s/__SECRET_KEY_HERE__/$SECRET/" config/application.example.yml > config/application.yml

  # allow requests to $HOST
  cat >> config/application.rb << .
Rails.application.configure do
  config.hosts << "$HOST"
end
.

  # create and initialise database
  bin/rake db:create
  bin/rake db:migrate

  # make log and tmp writeable to www-data
  sudo chgrp -R www-data tmp log
  sudo chmod -R g+w tmp log

  # create uploads and data and make them writeable to www-data
  sudo mkdir uploads data
  sudo chgrp -R www-data uploads data
  sudo chmod -R g+w uploads data

  # final message
  echo "Done. pia-back should now be installed. Start it with 'piactl start back', then go to http://$HOST:3000"
}


install-front() {       # install-front HOST [VERSION]
  if [ -e ~/pia ] ; then
    echo "piactl: ERROR: ~/pia exists; remove or reinstall. Run 'piactl help' for details'"
    exit 1
  fi
  echo "Installing pia (frontend) into ~/pia..."

  local HOST=$1
  local VERSION=$2

  # enable universe repository if not enabled -- needed for installing nodejs
  if ! grep -q universe /etc/apt/sources.list ; then
    sudo add-apt-repository "deb http://archive.ubuntu.com/ubuntu bionic universe"
  fi

  # install dependencies
  curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | sudo apt-key add -
  sudo echo "deb https://dl.yarnpkg.com/debian/ stable main" | sudo tee /etc/apt/sources.list.d/yarn.list
  sudo apt update && sudo apt install -y nodejs npm yarn

  # download latest pia, checking out specific version if needed
  cd
  git clone https://github.com/LINCnil/pia.git
  cd pia
  if [ "$VERSION" != "" ] ; then
    git checkout $VERSION
  fi

  # configure pia
  yarn install
  cp src/environments/environment.prod.ts.example src/environments/environment.prod.ts
  sed -i -e "s/version: ''/version: '$VERSION'/g" src/environments/environment.prod.ts

  # if you want to BUILD pia for use with other webservers, use the following command
  # node_modules/@angular/cli/bin/ng build --prod --build-optimizer --sourcemaps

  # remove version number from package.json (might throw errors otherwise)
  sed -i -e 's/^ *"version": .*//' package.json

  # create npm startup script
  sed -i -e 's/"ng",/"node_modules\/@angular\/cli\/bin\/ng",/g' package.json
  sed -i -e 's/"ng serve",/"ng serve --host 0.0.0.0 --public-host '$HOST'",/g' package.json

  # final message
  echo "Done. pia should now be installed. Start it with 'piactl start front', then go to http://$HOST:4200"
}


remove() {      # remove back|front|all
  if [ $# != 1 ] ; then
    usage "piactl remove back|front|all"
  fi
  case "$1" in
    back)
      remove-back
      ;;
    front)
      remove-front
      ;;
    all)
      remove-back
      remove-front
      ;;
    *)
      usage "piactl remove back|front|all";
  esac
}


remove-back() {
  if ( ! sudo -v ) ; then nosudo ; fi
  if [ -e ~/pia-back ] ; then
    stop-back
    killall ruby # otherwise 'rake secret' will fail when reinstalling
    local SURE
    read -p "Removing ~/pia-back including any possible customizations. Continue (y/N)? " SURE
    case "$SURE" in
      y|Y)
        sudo rm -rf ~/pia-back
        echo "Removed ~/pia-back. You may remove database, dependencies and certificates manually."
        ;;
      *)
        exit 2
        ;;
    esac
  else
    echo "piactl: warning: ~/pia-back not found, nothing to remove"
  fi
}


remove-front() {
  if ( ! sudo -v ) ; then nosudo ; fi
  if [ -e ~/pia ] ; then
    stop-front
    local SURE
    read -p "Removing ~/pia including any possible customizations. Continue (y/N)? " SURE
    case "$SURE" in
      y|Y)
        sudo rm -rf ~/pia
        echo "Removed ~/pia. You may remove dependencies and certificates manually."
        ;;
      *)
        exit 2
        ;;
    esac
  else
    echo "piactl: warning: ~/pia not found, nothing to remove"
  fi
}


secure-back() {         # secure-back HOST
  if ( ! sudo -v ) ; then nosudo ; fi

  local HOST=$1

  if [ ! -e ~/pia-back ] ; then
    echo "piactl: warning: pia-back is not installed, skipping"
  elif [ -e ~/pia-back/ssl ] ; then
    echo "piactl: warning: pia-back is already secured, skipping"
  else
    certify $HOST
    mkdir ~/pia-back/ssl
    cd ~/pia-back/ssl
    ln -s /etc/letsencrypt/live/$HOST/fullchain.pem server.crt
    ln -s /etc/letsencrypt/live/$HOST/privkey.pem server.key

    ## reinstall puma to get ssl support
    #local PUMA=$(puma --version|sed -e "s/puma version //")
    #sudo gem uninstall puma
    #sudo gem install puma -v "$PUMA"

    echo "Done. Restart pia-back, then go to https://$HOST:3000"
  fi
}


secure-front() {        # secure-front HOST
  if ( ! sudo -v ) ; then nosudo ; fi

  local HOST=$1

  if [ ! -e ~/pia ] ; then
    echo "piactl: warning: pia is not installed, skipping"
  elif [ -e ~/pia/ssl ] ; then
    echo "piactl: warning: pia is already secured, skipping"
  else
    certify $HOST
    mkdir ~/pia/ssl
    cd ~/pia/ssl
    ln -s /etc/letsencrypt/live/$HOST/fullchain.pem server.crt
    ln -s /etc/letsencrypt/live/$HOST/privkey.pem server.key

    cd ~/pia
    sed -i -e "s/ng serve --host/ng serve --ssl --port 443 --ssl-cert=ssl\/server.crt --ssl-key=ssl\/server.key --host/" package.json
    sed -i -e "s/--public-host [^ \"]*/--public-host $HOST/" package.json
    sudo setcap 'cap_net_bind_service=+ep' /usr/bin/node

    echo "Done. Restart pia-front, then go to https://$HOST"
  fi
}


certify() {             # certify HOST [--prod]
  if ( ! sudo -v ) ; then nosudo ; fi

  local HOST=$1
  local PROD=$2
  local TYPE="--test-cert"
  if [ "$PROD" = "--prod" ] ; then TYPE="" ; fi

  if ! dpkg -l certbot >/dev/null 2>&1 ; then
    # install certbot if not already installed
    sudo apt install certbot
  fi

  if [[ (! -e /etc/letsencrypt/live/$HOST) || ("$PROD" = "--prod") ]] ; then
    # request new certs if not yet requested or requested for production
    sudo certbot $TYPE certonly --standalone -d $HOST
    sudo chmod 755 /etc/letsencrypt/live /etc/letsencrypt/archive
  fi
}


resetcap() {            # resetcap
  if ( ! sudo -v ) ; then nosudo ; fi

  sudo setcap 'cap_net_bind_service=+ep' /usr/bin/node
}


main "$@"
	#!/bin/bash

	ABOUT="piactl 0.10
	Copyright (c) 2018-2020 Peeter P. Mõtsküla <peeterpaul@motskula.net>
	https://gist.github.com/ppmotskula/4288167460de27d22225e4959c44c6c4
	License: MIT License (https://opensource.org/licenses/MIT)

	piactl helps you to install, configure and control CNIL's PIA software
	(https://www.cnil.fr/en/open-source-pia-software-helps-carry-out-data-protection-impact-assesment)

	Special thanks to github.com/ylachgar for his runbook and github.com/kosmas58 for his pia_docker

	NOTE: piactl has been successfully tested on a fresh DigitalOcean droplet
	with 2 GB RAM and 1 VCPU running Ubuntu 18.04.2, and fresh VirtualBox VMs
	running Ubuntu 18.04.1 (server and desktop editions).
	"

	USAGE="Usage:
	piactl [status]
	Display running PIA software if any
	piactl start back\|front\|all
	Start PIA software (pia-back, pia, or both)
	piactl stop back\|front\|all
	Stop running PIA software
	piactl install back\|front\|all HOST [VERSION]
	Download and install PIA software (latest version unless a
	particular version number is given), and configure it to be
	accessed via specified hostname
	piactl reinstall back\|front\|all HOST [VERSION]
	Shortcut for 'piactl remove OPTIONS && piactl install OPTIONS'
	piactl secure back\|front\|all HOST
	Reconfigure installed PIA software to be served via https,
	obtaining letsencrypt (test) certificates unless already present
	piactl certify HOST
	Request non-test letsencrypt certificate for the given hostname.
	Note that letsencrypt certificates expire in 90 days. To renew
	them, run 'certbot renew' from time to time, or read certbot
	documentation for how to configure your system to auto-renew them
	piactl remove back\|front\|all
	Remove installed PIA software. If you want to also remove the
	dependencies and/or certificates, then you must do it manually
	piactl resetcap
	re-setcap /usr/bin/node to allow pia-front to run on :443
	(this may be needed when nodejs has been updated)
	piactl help\|--help\|-h
	Show this help message and exit

	NOTE: you need root permissions to use piactl.
	"

	main() {
	case "$1" in
	""\|"status") # piactl
	pia-status
	;;

	"start") # piactl start back\|front\|all
	if [ $# != 2 ] ; then
	usage "piactl start back\|front\|all"
	fi
	case "$2" in
	back)
	start-back
	;;
	front)
	start-front
	;;
	all)
	start-back
	start-front
	;;
	*)
	usage "piactl start back\|front\|all";
	esac
	;;

	"stop") # piactl stop back\|front\|all
	if [ $# != 2 ] ; then usage ; fi
	case "$2" in
	back)
	stop-back
	;;
	front)
	stop-front
	;;
	all)
	stop-back
	stop-front
	;;
	*)
	usage "piactl stop back\|front\|all";
	esac
	;;

	"install") # piactl install back\|front\|all HOST [VERSION]
	if [[ $# < 3 \|\| $# > 4 ]] ; then
	usage "piactl install back\|front\|all HOST [VERSION]"
	fi
	install $2 $3 $4
	;;

	"reinstall") # piactl reinstall back\|front\|all HOST [VERSION]
	if [[ $# < 3 \|\| $# > 4 ]] ; then
	usage "piactl reinstall back\|front\|all HOST [VERSION]"
	fi
	remove $2 && install $2 $3 $4
	;;

	"secure") # piactl secure back\|front\|all HOST
	if [ $# != 3 ] ; then
	usage "piactl secure back\|front\|all HOST"
	fi
	case "$2" in
	back)
	secure-back $3
	;;
	front)
	secure-front $3
	;;
	all)
	secure-back $3
	secure-front $3
	;;
	*)
	usage "piactl secure back\|front\|all HOST";
	esac
	;;

	"certify") # piactl certify HOST
	if [ $# != 2 ] ; then
	usage "piactl certify HOST"
	fi
	certify $2 --prod
	;;

	"remove") # piactl remove back\|front\|all
	remove $2 $3 $4
	;;

	"resetcap") # piactl resetcap
	resetcap
	;;

	"help"\|"--help"\|"-h") # piactl help
	echo "$ABOUT"
	echo "$USAGE"
	exit
	;;

	*) # piactl <unrecognized params>
	usage
	;;
	esac
	}


	usage() {
	local MSG
	if [ $# != 0 ] ; then
	MSG="$@"
	else
	MSG="piactl [COMMAND] [OPTIONS]"
	fi
	echo "Usage:
	$MSG
	Run 'piactl help' for details"
	exit 1
	}


	pid-front() {
	echo $(ps ax\|grep -v grep\|grep ' ng'\|sed -e 's/\([0-9 ]\)./\1/'\|sed -e 's/ //g')
	}


	pid-back() {
	echo $(ps ax\|grep -v grep\|grep '\[pia-back]'\|sed -e 's/\([0-9 ]\)./\1/'\|sed -e 's/ //g')
	}


	pia-status() {
	echo -n "PIA status: backend "
	if [ ! -e ~/pia-back ] ; then echo -n "not installed"
	else
	if [ "$(pid-back)" != "" ] ; then echo -n "running ($(pid-back))" ; else echo -n "stopped" ; fi
	fi
	echo -n ", frontend "
	if [ ! -e ~/pia ] ; then echo -n "not installed"
	else
	if [ "$(pid-front)" != "" ] ; then echo -n "running ($(pid-front))" ; else echo -n "stopped" ; fi
	fi
	echo
	}


	start-back() {
	if ( ! sudo -v ) ; then nosudo ; fi
	if [ ! -e ~/pia-back ] ; then
	echo "piactl: warning: backend not installed"
	elif [ "$(pid-back)" != "" ] ; then
	echo "piactl: warning: backend is already running ($(pid-back))"
	else
	cd ~/pia-back
	if [ -e ssl ] ; then
	sudo -Hu www-data bin/rails s -b "ssl://0.0.0.0?key=ssl/server.key&cert=ssl/server.crt" &
	else
	sudo -Hu www-data bin/rails s -b 0.0.0.0 &
	fi
	fi
	}


	start-front() {
	if ( ! sudo -v ) ; then nosudo ; fi
	if [ ! -e ~/pia ] ; then
	echo "piactl: warning: frontend not installed"
	elif [ "$(pid-front)" != "" ] ; then
	echo "piactl: warning: frontend is already running ($(pid-front))"
	else
	cd ~/pia
	sudo -Hu www-data npm run-script start &
	fi
	}


	stop-back() {
	if ( ! sudo -v ) ; then nosudo ; fi
	if [ ! -e ~/pia-back ] ; then
	echo "piactl: warning: backend not installed"
	elif [ "$(pid-back)" = "" ] ; then
	echo "piactl: warning: backend not running"
	else
	sudo -Hu www-data kill $(pid-back)
	fi
	}


	stop-front() {
	if ( ! sudo -v ) ; then nosudo ; fi
	if [ ! -e ~/pia ] ; then
	echo "piactl: warning: frontend not installed"
	elif [ "$(pid-front)" = "" ] ; then
	echo "piactl: warning: frontend not running"
	else
	sudo -Hu www-data kill $(pid-front)
	fi
	}


	nosudo() {
	echo "piactl: ERROR: you need root permissions but sudo failed"
	exit 1
	}


	install() { # install back\|front\|all HOST [VERSION]
	if [[ $# < 2 \|\| $# > 3 ]] ; then
	usage "piactl install back\|front\|all HOST [VERSION]"
	fi
	if ( ! sudo -v ) ; then nosudo ; fi
	case "$1" in
	back)
	install-back $2 $3
	;;
	front)
	install-front $2 $3
	;;
	all)
	install-back $2 $3
	install-front $2 $3
	;;
	*)
	usage "piactl install back\|front\|all HOST [VERSION]";
	esac
	}


	install-back() { # install-back HOST [VERSION]
	if [ -e ~/pia-back ] ; then
	echo "piactl: ERROR: ~/pia-back exists; remove or reinstall. Run 'piactl help' for details'"
	exit 1
	fi
	echo Installing pia-back into ~/pia-back...

	local HOST=$1
	local VERSION=$2

	# install dependencies
	sudo apt update && sudo apt install -y git ruby-dev sqlite3 build-essential zlib1g-dev postgresql libpq-dev libssl-dev
	sudo gem install rails

	# set postgres password
	local PGPASS
	read -p 'Enter new password for PostgreSQL user (role) "postgres": ' PGPASS
	sudo -u postgres psql -c "ALTER USER postgres WITH PASSWORD '$PGPASS';"
	# the following alternative would be more secure as it leaves no traces in user's history
	# echo '\password postgres' \| sudo -u postgres psql postgres

	# download latest pia-back, checking out specific version if provided
	cd
	git clone https://github.com/LINCnil/pia-back.git
	cd pia-back
	if [ "$VERSION" != "" ] ; then
	git checkout $VERSION
	fi

	# remove Gemfile.lock and install latest bundler
	rm Gemfile.lock
	sudo gem install bundler
	# alternative: install specific version of bundler
	#sudo gem install bundler -v `grep -A 1 "BUNDLED WITH" Gemfile.lock\|tail -1`

	# fix Gemfile to refer to Ruby 2.5.1
	# as 2.6.5 is not yet available in Ubuntu repos
	sed -i "s/^\(ruby '~> 2\).6.5'/\1.5.1'/" Gemfile

	# fix Gemfile to fix Chrome 70 SSL curve compatibility issue
	# ( https://github.com/puma/puma/issues/1670 )
	sed -i "s/^gem 'puma'.*/gem 'puma', github: 'eric-norcross\/puma', branch: 'chrome_70_ssl_curve_compatiblity'/" Gemfile

	# configure and build pia-back
	sed -e "s/username:/username: postgres/" -e "s/password:/password: $PGPASS/" config/database.example.yml > config/database.yml
	bundle install
	bundle install --deployment # needed to get the SSL fix in
	local SECRET=`bin/rake secret`
	sed -e "s/__SECRET_KEY_HERE__/$SECRET/" config/application.example.yml > config/application.yml

	# allow requests to $HOST
	cat >> config/application.rb << .
	Rails.application.configure do
	config.hosts << "$HOST"
	end
	.

	# create and initialise database
	bin/rake db:create
	bin/rake db:migrate

	# make log and tmp writeable to www-data
	sudo chgrp -R www-data tmp log
	sudo chmod -R g+w tmp log

	# create uploads and data and make them writeable to www-data
	sudo mkdir uploads data
	sudo chgrp -R www-data uploads data
	sudo chmod -R g+w uploads data

	# final message
	echo "Done. pia-back should now be installed. Start it with 'piactl start back', then go to http://$HOST:3000"
	}


	install-front() { # install-front HOST [VERSION]
	if [ -e ~/pia ] ; then
	echo "piactl: ERROR: ~/pia exists; remove or reinstall. Run 'piactl help' for details'"
	exit 1
	fi
	echo "Installing pia (frontend) into ~/pia..."

	local HOST=$1
	local VERSION=$2

	# enable universe repository if not enabled -- needed for installing nodejs
	if ! grep -q universe /etc/apt/sources.list ; then
	sudo add-apt-repository "deb http://archive.ubuntu.com/ubuntu bionic universe"
	fi

	# install dependencies
	curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg \| sudo apt-key add -
	sudo echo "deb https://dl.yarnpkg.com/debian/ stable main" \| sudo tee /etc/apt/sources.list.d/yarn.list
	sudo apt update && sudo apt install -y nodejs npm yarn

	# download latest pia, checking out specific version if needed
	cd
	git clone https://github.com/LINCnil/pia.git
	cd pia
	if [ "$VERSION" != "" ] ; then
	git checkout $VERSION
	fi

	# configure pia
	yarn install
	cp src/environments/environment.prod.ts.example src/environments/environment.prod.ts
	sed -i -e "s/version: ''/version: '$VERSION'/g" src/environments/environment.prod.ts

	# if you want to BUILD pia for use with other webservers, use the following command
	# node_modules/@angular/cli/bin/ng build --prod --build-optimizer --sourcemaps

	# remove version number from package.json (might throw errors otherwise)
	sed -i -e 's/^ "version": .//' package.json

	# create npm startup script
	sed -i -e 's/"ng",/"node_modules\/@angular\/cli\/bin\/ng",/g' package.json
	sed -i -e 's/"ng serve",/"ng serve --host 0.0.0.0 --public-host '$HOST'",/g' package.json

	# final message
	echo "Done. pia should now be installed. Start it with 'piactl start front', then go to http://$HOST:4200"
	}


	remove() { # remove back\|front\|all
	if [ $# != 1 ] ; then
	usage "piactl remove back\|front\|all"
	fi
	case "$1" in
	back)
	remove-back
	;;
	front)
	remove-front
	;;
	all)
	remove-back
	remove-front
	;;
	*)
	usage "piactl remove back\|front\|all";
	esac
	}


	remove-back() {
	if ( ! sudo -v ) ; then nosudo ; fi
	if [ -e ~/pia-back ] ; then
	stop-back
	killall ruby # otherwise 'rake secret' will fail when reinstalling
	local SURE
	read -p "Removing ~/pia-back including any possible customizations. Continue (y/N)? " SURE
	case "$SURE" in
	y\|Y)
	sudo rm -rf ~/pia-back
	echo "Removed ~/pia-back. You may remove database, dependencies and certificates manually."
	;;
	*)
	exit 2
	;;
	esac
	else
	echo "piactl: warning: ~/pia-back not found, nothing to remove"
	fi
	}


	remove-front() {
	if ( ! sudo -v ) ; then nosudo ; fi
	if [ -e ~/pia ] ; then
	stop-front
	local SURE
	read -p "Removing ~/pia including any possible customizations. Continue (y/N)? " SURE
	case "$SURE" in
	y\|Y)
	sudo rm -rf ~/pia
	echo "Removed ~/pia. You may remove dependencies and certificates manually."
	;;
	*)
	exit 2
	;;
	esac
	else
	echo "piactl: warning: ~/pia not found, nothing to remove"
	fi
	}


	secure-back() { # secure-back HOST
	if ( ! sudo -v ) ; then nosudo ; fi

	local HOST=$1

	if [ ! -e ~/pia-back ] ; then
	echo "piactl: warning: pia-back is not installed, skipping"
	elif [ -e ~/pia-back/ssl ] ; then
	echo "piactl: warning: pia-back is already secured, skipping"
	else
	certify $HOST
	mkdir ~/pia-back/ssl
	cd ~/pia-back/ssl
	ln -s /etc/letsencrypt/live/$HOST/fullchain.pem server.crt
	ln -s /etc/letsencrypt/live/$HOST/privkey.pem server.key

	## reinstall puma to get ssl support
	#local PUMA=$(puma --version\|sed -e "s/puma version //")
	#sudo gem uninstall puma
	#sudo gem install puma -v "$PUMA"

	echo "Done. Restart pia-back, then go to https://$HOST:3000"
	fi
	}


	secure-front() { # secure-front HOST
	if ( ! sudo -v ) ; then nosudo ; fi

	local HOST=$1

	if [ ! -e ~/pia ] ; then
	echo "piactl: warning: pia is not installed, skipping"
	elif [ -e ~/pia/ssl ] ; then
	echo "piactl: warning: pia is already secured, skipping"
	else
	certify $HOST
	mkdir ~/pia/ssl
	cd ~/pia/ssl
	ln -s /etc/letsencrypt/live/$HOST/fullchain.pem server.crt
	ln -s /etc/letsencrypt/live/$HOST/privkey.pem server.key

	cd ~/pia
	sed -i -e "s/ng serve --host/ng serve --ssl --port 443 --ssl-cert=ssl\/server.crt --ssl-key=ssl\/server.key --host/" package.json
	sed -i -e "s/--public-host [^ \"]*/--public-host $HOST/" package.json
	sudo setcap 'cap_net_bind_service=+ep' /usr/bin/node

	echo "Done. Restart pia-front, then go to https://$HOST"
	fi
	}


	certify() { # certify HOST [--prod]
	if ( ! sudo -v ) ; then nosudo ; fi

	local HOST=$1
	local PROD=$2
	local TYPE="--test-cert"
	if [ "$PROD" = "--prod" ] ; then TYPE="" ; fi

	if ! dpkg -l certbot >/dev/null 2>&1 ; then
	# install certbot if not already installed
	sudo apt install certbot
	fi

	if [[ (! -e /etc/letsencrypt/live/$HOST) \|\| ("$PROD" = "--prod") ]] ; then
	# request new certs if not yet requested or requested for production
	sudo certbot $TYPE certonly --standalone -d $HOST
	sudo chmod 755 /etc/letsencrypt/live /etc/letsencrypt/archive
	fi
	}


	resetcap() { # resetcap
	if ( ! sudo -v ) ; then nosudo ; fi

	sudo setcap 'cap_net_bind_service=+ep' /usr/bin/node
	}


	main "$@"