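#!/usr/bin/env xonsh
# First-time provisioning of an AdvLabDB host: system packages, ufw firewall,
# Gunicorn and Nginx units, pipx/Poetry/Certbot, renewal and update cron jobs,
# then locking the root account and rebooting.
#
# Several steps are interactive (apt without -y, `ufw enable`, `certbot --nginx`)
# and the cron entries are appended, not replaced, so running this script twice
# duplicates them in /etc/crontab.

from pathlib import Path
import sys

# Make the sibling `shared` module importable regardless of the current directory.
script_dir = Path(__file__).parent.absolute()
sys.path.insert(0, str(script_dir))

from shared import step, install_latest_pipx, poetry_install_latest

logs_dir = Path("/var/log/advlabdb/")

step("Update system packages")
sudo apt update
sudo apt dist-upgrade

step("Remove unused packages")
sudo apt autoremove

step("Install needed system packages")
sudo apt install python3 python3-pip python3-venv ufw nginx systemd -y

step("Install optional system packages")
sudo apt install htop

step("Setup firewall")
# Default-deny inbound; ssh is allowed before `ufw enable` so the session that
# runs this script is not cut off.
sudo ufw default allow outgoing
sudo ufw default deny incoming
sudo ufw allow ssh
sudo ufw allow http/tcp
# `certbot --nginx` below configures TLS in Nginx. With 443 still denied the
# certificate would be issued (the challenge uses port 80) but HTTPS would be
# unreachable, leaving clients on plaintext HTTP.
sudo ufw allow https/tcp
sudo ufw enable
sudo ufw status

step("Enable Gunicorn")
gunicorn_service_file = script_dir / "gunicorn.service"
sudo cp -v @(gunicorn_service_file) /etc/systemd/system/
sudo systemctl enable gunicorn

step("Setup Nginx")
# Drop the distribution's default site so only advlabdb.conf is served.
for dir_appendix in ("available", "enabled"):
    sudo rm -v /etc/nginx/sites-@(dir_appendix)/default

nginx_conf_file = script_dir / "advlabdb.conf"
sudo cp -v @(nginx_conf_file) /etc/nginx/sites-available/
sudo ln -v -s /etc/nginx/sites-available/advlabdb.conf /etc/nginx/sites-enabled/
sudo systemctl enable nginx

step("Install pipx")
install_latest_pipx()

# pipx-installed tools land in the admin user's local bin directory.
local_bin = Path("/home/admin/.local/bin/")
$PATH.insert(0, str(local_bin))

step("Install Poetry")
pipx install poetry

step("Install Certbot")
pipx install certbot
pipx inject certbot certbot-nginx

step("Setup Certbot")
certbot_bin = local_bin / "certbot"
sudo @(certbot_bin) --nginx
# Twice a day, after a random delay of up to an hour, try to renew.
# NOTE(review): this root job (and the root update job below) executes files
# under /home/admin/.local/bin and script_dir, so anyone able to write there can
# run code as root. admin already has sudo on this host, but keep those paths
# writable by admin only.
echo f"0 0,12 * * * root python3 -c 'import random; import time; time.sleep(random.random() * 3600)' && sudo {certbot_bin} renew -q" | sudo tee -a /etc/crontab

step("Setup update cron jobs")
xonsh_bin = local_bin / "xonsh"

user_update_script = script_dir / "user_update.xsh"
user_update_log = logs_dir / "user_update.log"

root_update_script = script_dir / "root_update.xsh"
root_update_log = logs_dir / "root_update.log"

# cron runs /etc/crontab entries with /bin/sh, where `&>>` is not a redirection:
# it backgrounds the command and appends nothing to the log. The POSIX form
# `>> file 2>&1` captures both stdout and stderr.
# NOTE(review): nothing in this script creates logs_dir; the admin job can only
# append there if the directory exists and is writable by admin - confirm it is
# created elsewhere.

# Every Sunday at 04:00
echo f"0 4 * * 0 admin {xonsh_bin} {user_update_script} >> {user_update_log} 2>&1" | sudo tee -a /etc/crontab
# Every Sunday at 04:15
echo f"15 4 * * 0 root {xonsh_bin} {root_update_script} >> {root_update_log} 2>&1" | sudo tee -a /etc/crontab

step("Install latest Poetry packages")
poetry_install_latest(script_dir)

step("Deactivate the 'root' user")
# Locks root's password; privileged access then goes through sudo.
sudo passwd -l root

step("Reboot")
sudo reboot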