Setting up a Django App with nginx, gunicorn and less compiler
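#!/bin/bash
# Interactive setup of an nginx virtual host for a Django app:
#   1. plain HTTP vhost (needed for the Let's Encrypt webroot challenge)
#   2. certbot certificate + HTTPS-only vhost with the HTTP vhost redirecting
#   3. nodejs, yarn and the lessc compiler for the stylesheets
# Must run as root: it writes under /etc and drives apt.
set -euo pipefail

# Print a message to stderr and abort.
die() { printf 'error: %s\n' "$*" >&2; exit 1; }

(( EUID == 0 )) || die "this script must run as root"

echo "Hello, what is your app name?"
read -r appname
# slugify the app name: ASCII-fold, collapse runs of non-alphanumerics to '-',
# trim leading/trailing '-', lowercase. The sed patterns are quoted so the
# shell cannot glob-expand them against files in the current directory.
appslug="$(printf '%s' "$appname" \
  | iconv -t ascii//TRANSLIT \
  | sed -r 's/[^a-zA-Z0-9]+/-/g' \
  | sed -r 's/^-+|-+$//g' \
  | tr 'A-Z' 'a-z')"
# an empty slug would create files literally named "-80" / "-443"
[[ -n "$appslug" ]] || die "app name must contain at least one letter or digit"

echo "What is the host name? (eg: example.com)"
read -r hostname
[[ -n "$hostname" ]] || die "host name is required"

echo "What is the root path for the project? (Leave empty for $(pwd))"
read -r rootpath
# The original tested the unrelated $VAR here, so the answer was always
# discarded and rootpath silently became $(pwd).
if [[ -z "$rootpath" ]]; then
  rootpath="$(pwd)"
fi
[[ -d "$rootpath" ]] || die "root path does not exist: $rootpath"

readonly sites_available=/etc/nginx/sites-available
readonly sites_enabled=/etc/nginx/sites-enabled
readonly snippets=/etc/nginx/snippets

#############################################################
# WE GOT THE VARIABLES, LET'S PROCEED WITH THE INSTALLATION #
#############################################################
apt-get update
apt-get upgrade
echo "Installing webserver..."
apt install nginx

# nginx conf for port 80 (only used until the certificate exists)
cat > "${sites_available}/${appslug}-80" <<EOL
server {
  listen 80;
  server_name ${hostname};
  root ${rootpath};
  # Required for letsencrypt
  location ~ /.well-known {
    allow all;
  }
}
EOL

# nginx conf for port 443.
# \$server_name and \$request_uri are nginx variables: they must be escaped
# in this unquoted heredoc, otherwise bash expands them to empty strings and
# the redirect target becomes "https://".
cat > "${sites_available}/${appslug}-443" <<EOL
server {
  listen 80;
  listen [::]:80;
  server_name ${hostname};
  return 301 https://\$server_name\$request_uri;
}
server {
  # "listen ... ssl" enables TLS; the separate "ssl on;" directive is deprecated.
  listen 443 ssl http2 default_server;
  listen [::]:443 ssl http2 default_server;
  include snippets/ssl-${appslug}.conf;
  include snippets/ssl-params.conf;
  server_name ${hostname};
  # Turn off error logging for favicon
  location = /favicon.ico {
    access_log off;
    log_not_found off;
  }
  # "root" is prefixed to the full URI, so "/static/x" maps to
  # ${rootpath}/static/x. The original used "root ${rootpath}/static",
  # which resolved to ${rootpath}/static/static/x.
  location /static/ {
    root ${rootpath};
  }
}
EOL

# enable the HTTP conf (-f so a re-run does not abort on an existing link)
ln -sf "${sites_available}/${appslug}-80" "${sites_enabled}/"
# Check for syntax before reloading
nginx -t
systemctl restart nginx

echo "Configuring letsencrypt..."
add-apt-repository ppa:certbot/certbot
apt-get update
apt-get install certbot
# Create certificate for the host via the webroot challenge served above
certbot certonly --webroot --webroot-path="$rootpath" -d "$hostname"
# Abort instead of writing an HTTPS vhost that points at missing files
[[ -f "/etc/letsencrypt/live/${hostname}/fullchain.pem" ]] \
  || die "certificate not found under /etc/letsencrypt/live/${hostname}"

# Generate strong Diffie-Hellman group to further increase security
openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

cat > "${snippets}/ssl-${appslug}.conf" <<EOL
ssl_certificate /etc/letsencrypt/live/${hostname}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${hostname}/privkey.pem;
EOL

# Create a conf with strong encryption settings
cat > "${snippets}/ssl-params.conf" <<EOL
# from https://cipherli.st/
# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
# TLSv1 and TLSv1.1 are deprecated (RFC 8996); only TLSv1.2 is offered.
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# disable HSTS header for now
#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
EOL

# Now we can disable the http config and proceed with https
rm -f -- "${sites_enabled}/${appslug}-80"
ln -sf "${sites_available}/${appslug}-443" "${sites_enabled}/"
nginx -t
systemctl restart nginx

##########################################################################
# INSTALLED AND CONFIGURED HTTPS, LET'S INSTALL NODEJS and LESS COMPILER #
##########################################################################
echo "Installing nodejs..."
apt install nodejs
# linking is needed for django-lessc; skip when the package already provides "node"
[[ -e /usr/bin/node ]] || ln -s /usr/bin/nodejs /usr/bin/node

echo "Installing yarn..."
# NOTE: apt-key is deprecated on current Debian/Ubuntu; a signed-by keyring
# under /etc/apt/keyrings is the replacement. Kept as-is to match the gist.
curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add -
echo "deb https://dl.yarnpkg.com/debian/ stable main" > /etc/apt/sources.list.d/yarn.list
apt-get update && apt-get install yarn

echo "Installing lessc executable..."
yarn global add less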