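#!/bin/bash
#
# install.sh — provision an SSB room server on a fresh Debian/Ubuntu host.
#
# Installs Docker, nginx and certbot, starts the ssb-room container plus a
# healer and watchtower, points nginx at the room under a wildcard-DNS name
# derived from the host's public IP, and requests a TLS certificate.
#
# Must run as root. Re-running is safe: every step is skipped or a no-op when
# it has already been done.
# Environment:
#   EMAIL  account email handed to certbot (random placeholder when unset)
set -euo pipefail

die() { printf 'install.sh: %s\n' "$*" >&2; exit 1; }

# /etc writes, systemctl and chown all need root; fail early instead of
# half-succeeding part way through.
[[ ${EUID} -eq 0 ]] || die "must run as root (e.g. sudo ./install.sh)"

#######################################
# True if a Docker container with the given name already exists.
# Arguments: $1 - container name
#######################################
container_exists() {
  docker inspect --type container "$1" >/dev/null 2>&1
}

#######################################
# Print this host's public address for one IP family.
# Arguments: $1 - curl family flag (-4 or -6)
#            $2 - lookup URL that returns the bare address
# Outputs:   the address on stdout
# Returns:   1 when the lookup fails or the reply is not shaped like an
#            address. The reply comes from a third party and ends up in the
#            nginx config and in certbot's -d argument, so it is never used raw.
#######################################
lookup_public_ip() {
  local family=$1 url=$2 reply
  reply=$(curl "${family}" -fs --max-time 15 "${url}") || return 1
  reply=${reply//[$'\r\n']/}
  case "${family}" in
    -4) [[ "${reply}" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] || return 1 ;;
    -6) [[ "${reply}" =~ ^[0-9A-Fa-f:]{2,39}$ ]] || return 1 ;;
    *)  return 1 ;;
  esac
  printf '%s' "${reply}"
}

#######################################
# Print 16 random lowercase hex characters.
# Outputs: the token on stdout (head reads first, so no stage is cut off
#          mid-write and pipefail cannot trip on it)
#######################################
rand_token() {
  head -c 8 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

cd "${HOME}"

export DEBIAN_FRONTEND=noninteractive
apt-get update
apt-get install -y docker.io curl dnsutils apt-transport-https ca-certificates \
  software-properties-common unattended-upgrades nginx certbot python3-certbot-nginx
systemctl enable --now docker

# Reboot automatically after unattended upgrades. Append the directive only
# once so re-runs do not pile up duplicates.
readonly UU_CONF=/etc/apt/apt.conf.d/50unattended-upgrades
readonly UU_LINE='Unattended-Upgrade::Automatic-Reboot "true";'
grep -qxF -- "${UU_LINE}" "${UU_CONF}" 2>/dev/null \
  || printf '%s\n' "${UU_LINE}" >> "${UU_CONF}"
systemctl restart unattended-upgrades

#
# install ssb-room image
#
docker pull staltz/ssb-room

#
# create room container
#
readonly ROOM_DATA="${HOME}/ssb-room-data"
mkdir -p -- "${ROOM_DATA}"
# 1000:1000 is presumably the uid/gid the image runs as — TODO confirm against the image.
chown -R 1000:1000 -- "${ROOM_DATA}"

# ./create-room is a standalone script. The quoted delimiter keeps every $ and
# the memory calculation literal, so they are evaluated when the script runs
# rather than being baked in at install time.
cat > ./create-room <<'EOF'
#!/bin/bash
# Give the container all RAM except ~200 MB kept back for the host.
memory_limit=$(($(free -b --si | awk '/^Mem:/ { print $2 }') - 200*(10**6)))
docker run -d --name room \
  -v ~/ssb-room-data/:/home/node/.ssb/ \
  -p 127.0.0.1:8007:8007 \
  -p 8008:8008 \
  --restart unless-stopped \
  --memory "$memory_limit" \
  staltz/ssb-room
EOF
chmod +x ./create-room
container_exists room || ./create-room

# ./room forwards its arguments to the room CLI inside the container.
cat > ./room <<'EOF'
#!/bin/sh
docker exec -it room room "$@"
EOF
chmod +x ./room

#
# setup auto-healer
#
# NOTE: mounting the Docker socket gives a container root-equivalent control
# of the host, so the healer and watchtower images are trusted as much as the
# host itself.
docker pull ahdinosaur/healer
container_exists healer || docker run -d --name healer \
  -v /var/run/docker.sock:/tmp/docker.sock \
  --restart unless-stopped \
  ahdinosaur/healer

# ensure containers are always running
for name in room healer; do
  printf '#!/bin/sh\n\ndocker start %s\n' "${name}" > "/etc/cron.hourly/${name}"
  chmod +x "/etc/cron.hourly/${name}"
done

# auto-update docker images for security (tags are unpinned: whatever upstream
# publishes next is what runs here)
container_exists watchtower || docker run -d \
  --name watchtower \
  -v /var/run/docker.sock:/var/run/docker.sock \
  --restart unless-stopped \
  containrrr/watchtower

# WARNING: This method of converting an IP address to a domain name
# allows the *wildcard DNS provider* to impersonate your service
# even if HTTPS is used.
readonly WILDCARD_DNSv4_SUFFIX="nip.io" # xip.io & sslip.io also exist
readonly WILDCARD_DNSv6_SUFFIX="sslip.io" # only sslip.io has IPv6 support
readonly PREFIX="ssb-room"

# Dots/colons become dashes, e.g. ssb-room.1-2-3-4.nip.io. Either family may
# be absent; a failed or malformed lookup leaves its DOMAIN empty.
DOMAIN_V4=""
DOMAIN_V6=""
if ipv4=$(lookup_public_ip -4 https://ipv4.wtfismyip.com/text); then
  DOMAIN_V4="${PREFIX}.${ipv4//./-}.${WILDCARD_DNSv4_SUFFIX}"
fi
if ipv6=$(lookup_public_ip -6 https://ipv6.wtfismyip.com/text); then
  DOMAIN_V6="${PREFIX}.${ipv6//:/-}.${WILDCARD_DNSv6_SUFFIX}"
fi
# With neither domain the second server block would get an empty server_name
# and nginx would refuse the config, so stop here with a clear message.
[[ -n "${DOMAIN_V4}" || -n "${DOMAIN_V6}" ]] \
  || die "could not determine a public IPv4 or IPv6 address"

# nginx's own variables are escaped (\$) so the shell leaves them alone; the
# ${DOMAIN_*} values were validated above before being interpolated.
readonly NGINX_SITE=/etc/nginx/sites-enabled/default
cat > "${NGINX_SITE}" <<EOF
geo \$ipv4 {
  0.0.0.0/0 ipv4;
}
geo \$ipv6 {
  ::0/0 ipv6;
}
server {
  listen 80 default_server;
  listen [::]:80 default_server;
  server_name _;
  location / {
EOF
if [[ -n "${DOMAIN_V4}" ]]; then
  cat >> "${NGINX_SITE}" <<EOF
    if (\$ipv4) {
      return 301 https://${DOMAIN_V4};
    }
EOF
fi
if [[ -n "${DOMAIN_V6}" ]]; then
  cat >> "${NGINX_SITE}" <<EOF
    if (\$ipv6) {
      return 301 https://${DOMAIN_V6};
    }
EOF
fi
cat >> "${NGINX_SITE}" <<EOF
    return 404;
  }
}
server {
  listen 80;
  listen [::]:80;
  server_name ${DOMAIN_V4} ${DOMAIN_V6};
  location / {
    proxy_pass http://localhost:8007;
    proxy_set_header Host \$host;
  }
}
EOF
# Validate before restarting so a bad config fails here, not as a dead nginx.
nginx -t
systemctl restart nginx

# Certbot account email: honour $EMAIL if the caller set one, otherwise use a
# random placeholder.
EMAIL="${EMAIL:-$(rand_token)@$(rand_token).com}"
if [[ -n "${DOMAIN_V4}" ]]; then
  certbot --nginx -n -d "${DOMAIN_V4}" --agree-tos --email "${EMAIL}" --redirect
fi
if [[ -n "${DOMAIN_V6}" ]]; then
  certbot --nginx -n -d "${DOMAIN_V6}" --agree-tos --email "${EMAIL}" --redirect
fi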