From 21ffd6d094f3907392b71ed8fd5089259ee16974 Mon Sep 17 00:00:00 2001
From: Mo8it
Date: Tue, 26 Apr 2022 02:20:57 +0200
Subject: [PATCH] Add logged_server_setup script
---
 scripts/logged_server_setup.xsh | 90 +++++++++++++++++++++++++++++++++
 scripts/server_setup.xsh | 76 +++-------------------------
 2 files changed, 98 insertions(+), 68 deletions(-)
 create mode 100644 scripts/logged_server_setup.xsh
diff --git a/scripts/logged_server_setup.xsh b/scripts/logged_server_setup.xsh
new file mode 100644
index 0000000..a84bf93
--- /dev/null
+++ b/scripts/logged_server_setup.xsh
@@ -0,0 +1,90 @@
+#!/usr/bin/env xonsh
+
+from pathlib import Path
+import sys
+
+script_dir = Path(__file__).parent.absolute()
+
+sys.path.insert(0, str(script_dir))
+
+from shared import step, install_latest_pipx, poetry_install_latest
+
+logs_dir = Path("/var/log/advlabdb/")
+
+step("Update system packages")
+sudo apt update
+sudo apt dist-upgrade
+
+step("Remove unused packages")
+sudo apt autoremove
+
+step("Install needed system packages")
+sudo apt install python3 python3-pip python3-venv ufw nginx systemd -y
+
+step("Install optional system packages")
+sudo apt install htop
+
+step("Setup firewall")
+sudo ufw default allow outgoing
+sudo ufw default deny incoming
+sudo ufw allow ssh
+sudo ufw allow http/tcp
+# TODO: Setup https
+# sudo ufw allow https/tcp
+sudo ufw enable
+sudo ufw status
+
+step("Enable Gunicorn")
+gunicorn_service_file = script_dir / "gunicorn.service"
+sudo cp -v @(gunicorn_service_file) /etc/systemd/system/
+sudo systemctl enable gunicorn
+
+step("Setup Nginx")
+for dir_appendix in ("available", "enabled"):
+    sudo rm -v /etc/nginx/sites-@(dir_appendix)/default
+
+nginx_conf_file = script_dir / "advlabdb.conf"
+sudo cp -v @(nginx_conf_file) /etc/nginx/sites-available/
+sudo ln -v -s /etc/nginx/sites-available/advlabdb.conf /etc/nginx/sites-enabled/
+sudo systemctl enable nginx
+
+step("Install pipx")
+install_latest_pipx()
+
+local_bin = Path("/home/admin/.local/bin/")
+$PATH.insert(0, str(local_bin))
+
+step("Install Poetry")
+pipx install poetry
+
+step("Install Certbot")
+pipx install certbot
+pipx inject certbot certbot-nginx
+
+step("Setup Certbot")
+certbot_bin = local_bin / "certbot"
+sudo @(certbot_bin) --nginx
+echo f"0 0,12 * * * root python3 -c 'import random; import time; time.sleep(random.random() * 3600)' && sudo {certbot_bin} renew -q" | sudo tee -a /etc/crontab
+
+step("Setup update cron jobs")
+xonsh_bin = local_bin / "xonsh"
+
+user_update_script = script_dir / "user_update.xsh"
+user_update_log = logs_dir / "user_update.log"
+
+root_update_script = script_dir / "root_update.xsh"
+root_update_log = logs_dir / "root_update.log"
+
+# Every Sunday at 04:00
+echo f"0 4 * * 0 admin {xonsh_bin} {user_update_script} &>> {user_update_log}" | sudo tee -a /etc/crontab
+# Every Sunday at 04:15
+echo f"15 4 * * 0 root {xonsh_bin} {root_update_script} &>> {root_update_log}" | sudo tee -a /etc/crontab
+
+step("Install latest Poetry packages")
+poetry_install_latest()
+
+step("Deactivate the 'root' user")
+sudo passwd -l root
+
+step("Reboot")
+sudo reboot
diff --git a/scripts/server_setup.xsh b/scripts/server_setup.xsh
index 57f4cee..39b57be 100644
--- a/scripts/server_setup.xsh
+++ b/scripts/server_setup.xsh
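Review bot: Both update cron entries appended to /etc/crontab end in `&>> {…_log}`, which is a bash-only redirection; if the crontab's SHELL is /bin/sh (dash on Debian-based systems, which the apt/ufw steps here suggest), `cmd &>> file` is parsed as `cmd &` followed by a bare `>> file`, so the job is backgrounded and its output is mailed or discarded rather than written to the log. Use POSIX redirection in both echo lines, e.g. `echo f"0 4 * * 0 admin {xonsh_bin} {user_update_script} >> {user_update_log} 2>&1" | sudo tee -a /etc/crontab` and the same form for the 04:15 root entry. Separately, each `sudo tee -a /etc/crontab` (the certbot renewal line included) appends another copy every time this script is run, so a re-run schedules duplicate jobs; writing the three entries once into a file under /etc/cron.d/ would make the step idempotent. The hunk is the entire new file, so there is no enclosing function.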
@@ -1,77 +1,17 @@
 #!/usr/bin/env xonsh
 from pathlib import Path
-import sys
 script_dir = Path(__file__).parent.absolute()
-sys.path.insert(0, str(script_dir))
+logs_dir = Path("/var/log/advlabdb/")
-from shared import step, install_latest_pipx, poetry_install_latest
+# Create logs directory
+sudo mkdir -v -p @(logs_dir)
+sudo chown -R admin:admin @(logs_dir)
-logs_dir = Path("/var/log/advlabdb")
+logged_server_setup_script = script_dir / "logged_server_setup.xsh"
+log_file = logs_dir / "server_setup.log"
-step("Update system packages")
-sudo apt update
-sudo apt dist-upgrade
-
-step("Remove unused packages")
-sudo apt autoremove
-
-step("Install needed system packages")
-sudo apt install python3 python3-pip python3-venv ufw nginx systemd -y
-
-step("Install optional system packages")
-sudo apt install htop
-
-step("Setup firewall")
-sudo ufw default allow outgoing
-sudo ufw default deny incoming
-sudo ufw allow ssh
-sudo ufw allow http/tcp
-# TODO: Setup https
-# sudo ufw allow https/tcp
-sudo ufw enable
-sudo ufw status
-
-step("Enable Gunicorn")
-sudo cp -v @(script_dir)/gunicorn.service /etc/systemd/system/
-sudo systemctl enable gunicorn
-
-step("Setup Nginx")
-sudo rm -v /etc/nginx/sites-{available,enabled}/default
-sudo cp -v @(script_dir)/advlabdb.conf /etc/nginx/sites-available/
-sudo ln -v -s /etc/nginx/sites-available/advlabdb.conf /etc/nginx/sites-enabled/
-sudo systemctl enable nginx
-
-step("Install pipx")
-install_latest_pipx()
-
-local_bin = Path("/home/admin/.local/bin/")
-$PATH.insert(0, str(local_bin))
-
-step("Install Poetry")
-pipx install poetry
-
-step("Install Certbot")
-pipx install certbot
-pipx inject certbot certbot-nginx
-
-step("Setup Certbot")
-sudo @(local_bin)/certbot --nginx
-echo f"0 0,12 * * * root python3 -c 'import random; import time; time.sleep(random.random() * 3600)' && sudo {local_bin}/certbot renew -q" | sudo tee -a /etc/crontab
-
-step("Setup update cron jobs")
-# Every Sunday at 04:00
-echo f"0 4 * * 0 admin bash {script_dir}/user_update.sh &>> {logs_dir}/user_update.log" | sudo tee -a /etc/crontab
-# Every Sunday at 04:15
-echo f"15 4 * * 0 root bash {script_dir}/root_update.sh &>> {logs_dir}/root_update.log" | sudo tee -a /etc/crontab
-
-step("Install latest Poetry packages")
-poetry_install_latest()
-
-step("Deactivate the 'root' user")
-sudo passwd -l root
-
-step("Reboot")
-sudo reboot
+# Start actual server setup script with logging
+xonsh @(logged_server_setup_script) | tee @(log_file)
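Review bot: `xonsh @(logged_server_setup_script) | tee @(log_file)` on the last added line captures only stdout, so error output from the apt, ufw, certbot and systemctl steps in the logged script never reaches server_setup.log, and the pipeline's exit status is tee's rather than the setup script's. Redirect stderr into the pipe as well: `xonsh @(logged_server_setup_script) 2>&1 | tee @(log_file)` (xonsh also spells this `e>o`; confirm against the installed version). Because the logged script ends with `sudo reboot`, this file is the only record of a failed step, which makes the missing stderr worth fixing before the first real run. The hunk covers the whole script, so there is no enclosing function.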