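#!/bin/bash -x
# Provision a Debian (jessie) VM that runs a local "boulder" CA behind nginx,
# used for certbot-haproxy testing.  Must run as root: it writes under /etc,
# installs packages and manages systemd units.
# Required env: PROJECT_TZ - timezone name written to /etc/timezone.
# -e: abort on the first failing command; -v: echo script lines as they run.
set -ev
# Fail up front instead of writing an empty /etc/timezone when PROJECT_TZ is
# missing (dpkg-reconfigure would then run against a bogus value).
: "${PROJECT_TZ:?PROJECT_TZ must be set (e.g. Europe/Amsterdam)}"
printf '%s\n' "$PROJECT_TZ" > /etc/timezone
dpkg-reconfigure -f noninteractive tzdata
# Keep apt/dpkg from prompting for the rest of the run.
export DEBIAN_FRONTEND="noninteractive"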
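# Install Go 1.5 from the official tarball; a copy in the CWD is reused
# between runs.  NOTE(review): the toolchain is pinned to go1.5 here, an old
# release - bump it deliberately rather than by accident.
GO_TARBALL="go1.5.linux-amd64.tar.gz"
if [ ! -f "$GO_TARBALL" ]; then
    wget -q "https://storage.googleapis.com/golang/$GO_TARBALL"
fi
# Supply-chain check.  The download is only protected by TLS and a cached
# tarball is trusted as-is, so pin the archive: set GO_TARBALL_SHA256 to the
# checksum published with the release and it is verified before extraction;
# a mismatch discards the file and aborts.  Without it we only warn.
if [ -n "${GO_TARBALL_SHA256:-}" ]; then
    if ! printf '%s  %s\n' "$GO_TARBALL_SHA256" "$GO_TARBALL" | sha256sum -c --status -; then
        printf 'Checksum mismatch for %s; removing it\n' "$GO_TARBALL" >&2
        rm -f -- "$GO_TARBALL"
        exit 1
    fi
else
    printf 'WARNING: GO_TARBALL_SHA256 not set; %s is not verified\n' "$GO_TARBALL" >&2
fi
tar -C /usr/local -xzf "$GO_TARBALL"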
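# Persist the Go environment in ~/.variables (sourced from ~/.bashrc) so that
# interactive shells and the rest of this run see the same settings:
# GOROOT is the toolchain extracted above, GOPATH is where deps get installed.
#
# append_once: append a line to a file unless the file already contains it
# verbatim (fixed-string, whole-line match).  A missing file counts as
# "not present", so the first call creates it.
#   $1 - exact line to append    $2 - target file
append_once() {
    local line=$1 file=$2
    if ! grep -Fxq -- "$line" "$file"; then
        printf '%s\n' "$line" >> "$file"
    fi
}
append_once 'export GOROOT=/usr/local/go' ~/.variables
append_once 'export GOPATH=/gopath' ~/.variables
append_once 'export GO15VENDOREXPERIMENT=1' ~/.variables
# Add go to PATH.  Single-quoted on purpose: the variables are expanded when
# ~/.variables is sourced, not now.
append_once 'export PATH=$PATH:$GOPATH/bin:$GOROOT/bin' ~/.variables
append_once 'source ~/.variables' ~/.bashrc
# Hostnames boulder is expected to resolve (presumably from its test config);
# all of them point at this host.
append_once '127.0.0.1 boulder boulder-rabbitmq boulder-mysql' /etc/hosts
# Convenience aliases for root.  Guarded so that re-running the provisioner
# does not append duplicate alias lines to /root/.bashrc every time.
append_once "alias ll='ls -lah'" /root/.bashrc
append_once "alias la='ls -A'" /root/.bashrc
append_once "alias l='ls -CF'" /root/.bashrc
source ~/.variables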
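# Add the MariaDB 10.1 repository for jessie.  This script already runs as
# root (it wrote /etc/timezone above) and `sudo` is only installed further
# down, so these commands run directly instead of through sudo - a `sudo`
# prefix here fails the whole run on a box where sudo is not present yet.
apt-get install -y software-properties-common
# Fetch the repository signing key.  NOTE(review): this pulls the key by its
# 64-bit ID over plain HKP; compare the imported key's full fingerprint
# against the one MariaDB publishes (`apt-key adv --fingerprint ...`) before
# trusting the repo, since neither the transport nor the short ID proves
# authenticity.
apt-key adv --recv-keys --keyserver keyserver.ubuntu.com 0xcbcb082a1bb943db
# The mirror is plain http; apt checks the Release signature with the key
# above, so package integrity does not rest on the transport.
add-apt-repository 'deb [arch=amd64,i386] http://mirror.i3d.net/pub/mariadb/repo/10.1/debian jessie main'
apt-get update
apt-get upgrade -y
# Build and runtime dependencies for boulder plus admin tooling for the VM.
apt-get install -y \
    sudo htop net-tools tcpdump ufw git curl g++ \
    openssl ca-certificates \
    python2.7 python-setuptools python-virtualenv \
    rabbitmq-server make libltdl-dev mariadb-server nginx-light \
    softhsm libsofthsm-dev vim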
# Name the VM and set up the host firewall.
printf '%s\n' boulder.local > /etc/hostname
hostname -F /etc/hostname
# NOTE(review): 4000 and 8000-8005 are opened to every source.  From this
# script only 80 (nginx, which proxies to 4000 below) looks like it must be
# reachable from outside; if the remaining ports only serve on-host or
# test-network traffic, narrow them with `ufw allow from <net> to any port N`.
ufw allow ssh
ufw allow http
for port in 4000 8000 8001 8002 8003 8004 8005; do
    ufw allow "$port"
done
# Everything not listed above is dropped; --force skips the interactive prompt.
ufw default deny incoming
ufw --force enable
# Lay out GOPATH (binaries and sources for `go get`) and a Python 2 virtualenv
# for boulder's helper scripts.
mkdir -p /gopath/bin /gopath/src
virtualenv /boulder_venv -p /usr/bin/python2
source /boulder_venv/bin/activate
# Tooling: godep to restore dependencies, goose because the setup script
# needs it (hopefully a temporary requirement).  NOTE(review): each `go get`
# fetches the unpinned tip of its repository, so this step is not
# reproducible; only boulder's own dependencies are expected to be pinned by
# `godep restore` below.
go get github.com/tools/godep
go get bitbucket.org/liamstask/goose/cmd/goose
# Sources only (-d); nothing is built at this point.
go get -d github.com/letsencrypt/boulder/...
cd /gopath/src/github.com/letsencrypt/boulder
godep restore
# Boulder's own setup, then the SoftHSM configuration it will use.
./test/setup.sh
./test/make-softhsm.sh
# Tell later shells where that SoftHSM config lives.
if ! grep -Fxq "export SOFTHSM_CONF=$PWD/test/softhsm.conf" ~/.variables; then
    printf '%s\n' "export SOFTHSM_CONF=$PWD/test/softhsm.conf" >> ~/.variables
fi
# An unpatched checkout still references libpkcs11-proxy; the patch (per its
# original description) switches to softhsm, sets the IP to 192.168.33.111
# and raises the rate-limit thresholds.  Skipped once applied.
if grep -Fq "/usr/local/lib/libpkcs11-proxy.so" test/test-ca.key-pkcs11.json; then
    git apply /boulder/greenhost.patch
fi
# nginx front end: plain HTTP on :80 forwarded to the service on :4000 (the
# `wfe` site name suggests boulder's web front end).  Quoted heredoc, so the
# nginx variables are written literally without escaping.
cat <<'EOF' > /etc/nginx/sites-available/wfe
server {
listen 80;
location / {
proxy_pass http://localhost:4000;
proxy_redirect http://localhost:4000/ $scheme://$host:80/;
}
}
EOF
# Enable the site and drop the stock default one before reloading.
ln -fs /etc/nginx/sites-available/wfe /etc/nginx/sites-enabled/wfe
rm -rfv /etc/nginx/sites-enabled/default
systemctl restart nginx
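# systemd unit for boulder.  `Wants=` takes a space-separated list - a comma
# makes it a single, invalid unit name - and the same units are listed in
# `After=` so boulder is started once they are up (Wants= alone does not
# order).  The rabbitmq unit name follows the rabbitmq-server package
# installed above.  Locally managed units belong under /etc/systemd/system,
# which also takes precedence over any copy left in /lib/systemd/system.
# NOTE(review): the service runs as root; a dedicated `User=` would need the
# gopath, venv and SoftHSM paths to be readable by that user.
cat <<'EOF' > /etc/systemd/system/boulder.service
[Unit]
Description=Boulder Server
After=network.target mariadb.service rabbitmq-server.service
Wants=mariadb.service rabbitmq-server.service
[Service]
Type=simple
KillMode=mixed
RemainAfterExit=no
Restart=always
Environment="GOROOT=/usr/local/go"
Environment="GOPATH=/gopath"
Environment="PATH=/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/gopath/bin:/usr/local/go/bin"
Environment="GO15VENDOREXPERIMENT=1"
Environment="SOFTHSM_CONF=/gopath/src/github.com/letsencrypt/boulder/test/softhsm.conf"
Environment="FAKE_DNS=192.168.33.222"
WorkingDirectory=/gopath/src/github.com/letsencrypt/boulder/
ExecStart=/boulder_venv/bin/python ./start.py
[Install]
WantedBy=multi-user.target
EOF
# Make systemd pick up the new or changed unit file before enabling it.
systemctl daemon-reload
systemctl enable boulder.service
systemctl start boulder.service
echo "Provisioning completed."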