diff --git a/install.sh b/install.sh index 5c72f6ac..779582f1 100755 --- a/install.sh +++ b/install.sh @@ -6,9 +6,10 @@ if [ $EUID -eq 0 ]; then fi -DJANGO_SEKRET=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 50 | head -n 1) -SALTPW=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1) -ADMINURL=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 30 | head -n 1) +DJANGO_SEKRET=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 80 | head -n 1) +SALTPW=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1) +ADMINURL=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 70 | head -n 1) +MESHPASSWD=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 25 | head -n 1) GREEN='\033[0;32m' YELLOW='\033[1;33m' @@ -34,16 +35,47 @@ echo -ne "${YELLOW}Create a username for the postgres database${NC}: " read pgusername echo -ne "${YELLOW}Create a password for the postgres database${NC}: " read pgpw -echo -ne "${YELLOW}Enter the backend API domain for the rmm${NC}: " + +while [[ $rmmdomain != *[.]*[.]* ]] +do +echo -ne "${YELLOW}Enter the subdomain for the backend (e.g. api.example.com)${NC}: " read rmmdomain -echo -ne "${YELLOW}Enter the frontend domain for the rmm${NC}: " +done + +while [[ $frontenddomain != *[.]*[.]* ]] +do +echo -ne "${YELLOW}Enter the subdomain for the frontend (e.g. app.example.com)${NC}: " read frontenddomain -echo -ne "${YELLOW}Enter the domain for meshcentral${NC}: " +done + +while [[ $meshdomain != *[.]*[.]* ]] +do +echo -ne "${YELLOW}Enter the subdomain for meshcentral (e.g. mesh.example.com)${NC}: " read meshdomain -echo -ne "${YELLOW}Enter your username for meshcentral${NC}: " +done + +echo -ne "${YELLOW}Create a username for meshcentral${NC}: " read meshusername -echo -ne "${YELLOW}Enter your email address for let's encrypt renewal notifications${NC}: " + +while [[ $letsemail != *[@]*[.]* ]] +do +echo -ne "${YELLOW}Enter a valid email address for let's encrypt renewal notifications and meshcentral${NC}: " read letsemail +done + +rootdomain=$(expr match "$rmmdomain" '.*\.\(.*\..*\)') + +print_green 'Getting wildcard cert' + +sudo apt install -y software-properties-common +sudo apt update +sudo apt install -y certbot + +sudo certbot certonly --manual -d *.${rootdomain} --agree-tos --no-bootstrap --manual-public-ip-logging-ok --preferred-challenges dns -m ${letsemail} --no-eff-email +while [[ $? -ne 0 ]] +do +sudo certbot certonly --manual -d *.${rootdomain} --agree-tos --no-bootstrap --manual-public-ip-logging-ok --preferred-challenges dns -m ${letsemail} --no-eff-email +done print_green 'Creating saltapi user' @@ -53,8 +85,6 @@ echo "saltapi:${SALTPW}" | sudo chpasswd print_green 'Installing Nginx' -sudo apt install -y software-properties-common -sudo apt update sudo apt install -y nginx sudo systemctl stop nginx @@ -82,7 +112,6 @@ sudo mkdir -p /meshcentral/meshcentral-data sudo chown ${USER}:${USER} -R /meshcentral cd /meshcentral npm install meshcentral -cd /home/${USER} sudo chown ${USER}:${USER} -R /meshcentral meshcfg="$(cat << EOF @@ -106,8 +135,8 @@ meshcfg="$(cat << EOF }, "domains": { "": { - "Title": "Dev RMM", - "Title2": "DevRMM", + "Title": "Tactical RMM", + "Title2": "Tactical RMM", "NewAccounts": false, "CertUrl": "https://${meshdomain}:443/", "GeoLocation": true, @@ -146,16 +175,11 @@ sudo -u postgres psql -c "ALTER ROLE ${pgusername} SET default_transaction_isola sudo -u postgres psql -c "ALTER ROLE ${pgusername} SET timezone TO 'UTC'" sudo -u postgres psql -c "GRANT ALL PRIVILEGES ON DATABASE tacticalrmm TO ${pgusername}" - -sudo usermod -a -G www-data ${USER} -sudo chmod 710 /home/${USER} -sudo chown ${USER}:www-data /home/${USER} - -mkdir -p /home/${USER}/rmm +sudo mkdir /rmm +sudo chown ${USER}:${USER} /rmm sudo mkdir -p /var/log/celery sudo chown ${USER}:${USER} /var/log/celery -git clone https://github.com/wh1te909/tacticalrmm.git /home/${USER}/rmm/ -sudo chown ${USER}:www-data -R /home/${USER}/rmm/api/tacticalrmm +git clone https://github.com/wh1te909/tacticalrmm.git /rmm/ localvars="$(cat << EOF SECRET_KEY = "${DJANGO_SEKRET}" @@ -199,13 +223,6 @@ if not DEBUG: ) }) -EMAIL_USE_TLS = True -EMAIL_HOST = 'smtp.gmail.com' -EMAIL_HOST_USER = 'example@gmail.com' -EMAIL_HOST_PASSWORD = 'yourgmailpassword' -EMAIL_PORT = 587 -EMAIL_ALERT_RECIPIENTS = ["jsmith@example.com",] - SALT_USERNAME = "saltapi" SALT_PASSWORD = "${SALTPW}" SALT_HOST = "127.0.0.1" @@ -214,17 +231,17 @@ MESH_SITE = "https://${meshdomain}" REDIS_HOST = "localhost" EOF )" -echo "${localvars}" > /home/${USER}/rmm/api/tacticalrmm/tacticalrmm/local_settings.py +echo "${localvars}" > /rmm/api/tacticalrmm/tacticalrmm/local_settings.py print_green 'Installing the backend' -cd /home/${USER}/rmm/api +cd /rmm/api python3 -m venv env -source /home/${USER}/rmm/api/env/bin/activate -cd /home/${USER}/rmm/api/tacticalrmm +source /rmm/api/env/bin/activate +cd /rmm/api/tacticalrmm pip install --no-cache-dir --upgrade pip pip install --no-cache-dir --upgrade setuptools wheel -pip install --no-cache-dir -r /home/${USER}/rmm/api/tacticalrmm/requirements.txt +pip install --no-cache-dir -r /rmm/api/tacticalrmm/requirements.txt python manage.py migrate python manage.py collectstatic python manage.py initial_db_setup @@ -247,15 +264,15 @@ read -n 1 -s -r -p "Press any key to continue..." uwsgini="$(cat << EOF [uwsgi] -logto = /home/${USER}/rmm/api/tacticalrmm/tacticalrmm/private/log/uwsgi.log -chdir = /home/${USER}/rmm/api/tacticalrmm +logto = /rmm/api/tacticalrmm/tacticalrmm/private/log/uwsgi.log +chdir = /rmm/api/tacticalrmm module = tacticalrmm.wsgi -home = /home/${USER}/rmm/api/env +home = /rmm/api/env master = true processes = 6 threads = 6 enable-threads = True -socket = /home/${USER}/rmm/api/tacticalrmm/tacticalrmm.sock +socket = /rmm/api/tacticalrmm/tacticalrmm.sock harakiri = 300 chmod-socket = 660 # clear environment on exit @@ -265,7 +282,7 @@ max-requests = 500 max-requests-delta = 1000 EOF )" -echo "${uwsgini}" > /home/${USER}/rmm/api/tacticalrmm/app.ini +echo "${uwsgini}" > /rmm/api/tacticalrmm/app.ini rmmservice="$(cat << EOF @@ -276,9 +293,9 @@ After=network.target [Service] User=${USER} Group=www-data -WorkingDirectory=/home/${USER}/rmm/api/tacticalrmm -Environment="PATH=/home/${USER}/rmm/api/env/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" -ExecStart=/home/${USER}/rmm/api/env/bin/uwsgi --ini app.ini +WorkingDirectory=/rmm/api/tacticalrmm +Environment="PATH=/rmm/api/env/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" +ExecStart=/rmm/api/env/bin/uwsgi --ini app.ini Restart=always RestartSec=10s @@ -293,7 +310,7 @@ nginxrmm="$(cat << EOF server_tokens off; upstream tacticalrmm { - server unix:////home/${USER}/rmm/api/tacticalrmm/tacticalrmm.sock; + server unix:////rmm/api/tacticalrmm/tacticalrmm.sock; } server { @@ -306,20 +323,20 @@ server { listen 443 ssl; server_name ${rmmdomain}; client_max_body_size 300M; - access_log /home/${USER}/rmm/api/tacticalrmm/tacticalrmm/private/log/access.log; - error_log /home/${USER}/rmm/api/tacticalrmm/tacticalrmm/private/log/error.log; - ssl_certificate /etc/letsencrypt/live/${rmmdomain}/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/${rmmdomain}/privkey.pem; - ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; + access_log /rmm/api/tacticalrmm/tacticalrmm/private/log/access.log; + error_log /rmm/api/tacticalrmm/tacticalrmm/private/log/error.log; + ssl_certificate /etc/letsencrypt/live/${rootdomain}/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/${rootdomain}/privkey.pem; + ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'; location /static/ { - root /home/${USER}/rmm/api/tacticalrmm; + root /rmm/api/tacticalrmm; } location /private/ { internal; add_header "Access-Control-Allow-Origin" "https://${frontenddomain}"; - alias /home/${USER}/rmm/api/tacticalrmm/tacticalrmm/private/; + alias /rmm/api/tacticalrmm/tacticalrmm/private/; } location /saltscripts/ { @@ -361,8 +378,8 @@ server { proxy_send_timeout 330s; proxy_read_timeout 330s; server_name ${meshdomain}; - ssl_certificate /etc/letsencrypt/live/${meshdomain}/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/${meshdomain}/privkey.pem; + ssl_certificate /etc/letsencrypt/live/${rootdomain}/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/${rootdomain}/privkey.pem; ssl_session_cache shared:WEBSSL:10m; ssl_ciphers HIGH:!aNULL:!MD5; ssl_prefer_server_ciphers on; @@ -439,7 +456,7 @@ Type=forking User=${USER} Group=${USER} EnvironmentFile=/etc/conf.d/celery.conf -WorkingDirectory=/home/${USER}/rmm/api/tacticalrmm +WorkingDirectory=/rmm/api/tacticalrmm ExecStart=/bin/sh -c '\${CELERY_BIN} multi start \${CELERYD_NODES} -A \${CELERY_APP} --pidfile=\${CELERYD_PID_FILE} --logfile=\${CELERYD_LOG_FILE} --loglevel=\${CELERYD_LOG_LEVEL} \${CELERYD_OPTS}' ExecStop=/bin/sh -c '\${CELERY_BIN} multi stopwait \${CELERYD_NODES} --pidfile=\${CELERYD_PID_FILE}' ExecReload=/bin/sh -c '\${CELERY_BIN} multi restart \${CELERYD_NODES} -A \${CELERY_APP} --pidfile=\${CELERYD_PID_FILE} --logfile=\${CELERYD_LOG_FILE} --loglevel=\${CELERYD_LOG_LEVEL} \${CELERYD_OPTS}' @@ -463,7 +480,7 @@ Type=forking User=${USER} Group=${USER} EnvironmentFile=/etc/conf.d/celery-winupdate.conf -WorkingDirectory=/home/${USER}/rmm/api/tacticalrmm +WorkingDirectory=/rmm/api/tacticalrmm ExecStart=/bin/sh -c '\${CELERY_BIN} multi start \${CELERYD_NODES} -A \${CELERY_APP} --pidfile=\${CELERYD_PID_FILE} --logfile=\${CELERYD_LOG_FILE} --loglevel=\${CELERYD_LOG_LEVEL} -Q wupdate \${CELERYD_OPTS}' ExecStop=/bin/sh -c '\${CELERY_BIN} multi stopwait \${CELERYD_NODES} --pidfile=\${CELERYD_PID_FILE}' ExecReload=/bin/sh -c '\${CELERY_BIN} multi restart \${CELERYD_NODES} -A \${CELERY_APP} --pidfile=\${CELERYD_PID_FILE} --logfile=\${CELERYD_LOG_FILE} --loglevel=\${CELERYD_LOG_LEVEL} -Q wupdate \${CELERYD_OPTS}' @@ -479,7 +496,7 @@ echo "${celerywinupdatesvc}" | sudo tee /etc/systemd/system/celery-winupdate.ser celeryconf="$(cat << EOF CELERYD_NODES="w1" -CELERY_BIN="/home/${USER}/rmm/api/env/bin/celery" +CELERY_BIN="/rmm/api/env/bin/celery" CELERY_APP="tacticalrmm" @@ -487,11 +504,11 @@ CELERYD_MULTI="multi" CELERYD_OPTS="--time-limit=2900 --autoscale=50,5" -CELERYD_PID_FILE="/home/${USER}/rmm/api/tacticalrmm/%n.pid" +CELERYD_PID_FILE="/rmm/api/tacticalrmm/%n.pid" CELERYD_LOG_FILE="/var/log/celery/%n%I.log" CELERYD_LOG_LEVEL="INFO" -CELERYBEAT_PID_FILE="/home/${USER}/rmm/api/tacticalrmm/beat.pid" +CELERYBEAT_PID_FILE="/rmm/api/tacticalrmm/beat.pid" CELERYBEAT_LOG_FILE="/var/log/celery/beat.log" EOF )" @@ -500,7 +517,7 @@ echo "${celeryconf}" | sudo tee /etc/conf.d/celery.conf > /dev/null celerywinupdate="$(cat << EOF CELERYD_NODES="w2" -CELERY_BIN="/home/${USER}/rmm/api/env/bin/celery" +CELERY_BIN="/rmm/api/env/bin/celery" CELERY_APP="tacticalrmm" @@ -508,7 +525,7 @@ CELERYD_MULTI="multi" CELERYD_OPTS="--time-limit=4000 --autoscale=15,1" -CELERYD_PID_FILE="/home/${USER}/rmm/api/tacticalrmm/%n.pid" +CELERYD_PID_FILE="/rmm/api/tacticalrmm/%n.pid" CELERYD_LOG_FILE="/var/log/celery/%n%I.log" CELERYD_LOG_LEVEL="INFO" EOF @@ -527,7 +544,7 @@ Type=simple User=${USER} Group=${USER} EnvironmentFile=/etc/conf.d/celery.conf -WorkingDirectory=/home/${USER}/rmm/api/tacticalrmm +WorkingDirectory=/rmm/api/tacticalrmm ExecStart=/bin/sh -c '\${CELERY_BIN} beat -A \${CELERY_APP} --pidfile=\${CELERYBEAT_PID_FILE} --logfile=\${CELERYBEAT_LOG_FILE} --loglevel=\${CELERYD_LOG_LEVEL}' Restart=always RestartSec=10s @@ -539,8 +556,8 @@ EOF echo "${celerybeatservice}" | sudo tee /etc/systemd/system/celerybeat.service > /dev/null sudo mkdir -p /srv/salt -sudo cp -r /home/${USER}/rmm/_modules /srv/salt/ -sudo cp -r /home/${USER}/rmm/scripts /srv/salt/ +sudo cp -r /rmm/_modules /srv/salt/ +sudo cp -r /rmm/scripts /srv/salt/ sudo mkdir /srv/salt/scripts/userdefined sudo chown ${USER}:${USER} -R /srv/salt/ sudo chown ${USER}:www-data /srv/salt/scripts/userdefined @@ -577,36 +594,23 @@ sudo systemctl enable salt-api sudo systemctl restart salt-api -print_green 'Installing certbot' - -sudo apt install -y certbot - -print_green 'Getting https certs' - -sudo certbot certonly --standalone --agree-tos -m ${letsemail} --no-eff-email -d ${meshdomain} -sudo certbot certonly --standalone --agree-tos -m ${letsemail} --no-eff-email -d ${rmmdomain} -sudo certbot certonly --standalone --agree-tos -m ${letsemail} --no-eff-email -d ${frontenddomain} - sudo chown -R $USER:$GROUP /home/${USER}/.npm sudo chown -R $USER:$GROUP /home/${USER}/.config quasarenv="$(cat << EOF PROD_URL = "https://${rmmdomain}" -DEV_URL = "https://api.example.com" -APP_URL = "https://app.example.com" -DEV_HOST = 0.0.0.0 -DEV_PORT = 80 +DEV_URL = "https://${rmmdomain}" EOF )" -echo "${quasarenv}" | tee /home/${USER}/rmm/web/.env > /dev/null +echo "${quasarenv}" | tee /rmm/web/.env > /dev/null print_green 'Installing the frontend' -cd /home/${USER}/rmm/web +cd /rmm/web npm install npm run build sudo mkdir -p /var/www/rmm -sudo cp -pvr /home/${USER}/rmm/web/dist /var/www/rmm/ +sudo cp -pvr /rmm/web/dist /var/www/rmm/ sudo chown www-data:www-data -R /var/www/rmm/dist nginxfrontend="$(cat << EOF @@ -623,9 +627,9 @@ server { access_log /var/log/nginx/frontend-access.log; listen 443 ssl; - ssl_certificate /etc/letsencrypt/live/${frontenddomain}/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/${frontenddomain}/privkey.pem; - ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; + ssl_certificate /etc/letsencrypt/live/${rootdomain}/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/${rootdomain}/privkey.pem; + ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'; } server { @@ -644,7 +648,7 @@ echo "${nginxfrontend}" | sudo tee /etc/nginx/sites-available/frontend.conf > /d sudo ln -s /etc/nginx/sites-available/frontend.conf /etc/nginx/sites-enabled/frontend.conf -print_green 'Restarting Services' +print_green 'Enabling Services' for i in nginx celery.service celery-winupdate.service celerybeat.service rmm.service do @@ -668,10 +672,25 @@ meshtoken="$(cat << EOF MESH_TOKEN_KEY = "${MESHTOKENKEY}" EOF )" -echo "${meshtoken}" | tee --append /home/${USER}/rmm/api/tacticalrmm/tacticalrmm/local_settings.py > /dev/null +echo "${meshtoken}" | tee --append /rmm/api/tacticalrmm/tacticalrmm/local_settings.py > /dev/null -print_green 'Restarting all services' -for i in nginx celery.service celery-winupdate.service celerybeat.service rmm.service meshcentral.service + +print_green 'Creating meshcentral account and group' + +sudo systemctl stop meshcentral +cd /meshcentral + +node node_modules/meshcentral --createaccount ${meshusername} --pass ${MESHPASSWD} --email ${letsemail} +node node_modules/meshcentral --adminaccount ${meshusername} + +sudo systemctl start meshcentral +sleep 5 + +node node_modules/meshcentral/meshctrl.js --url wss://${meshdomain}:443 --loginuser ${meshusername} --loginpass ${MESHPASSWD} AddDeviceGroup --name TacticalRMM +MESHEXE=$(node node_modules/meshcentral/meshctrl.js --url wss://${meshdomain}:443 --loginuser ${meshusername} --loginpass ${MESHPASSWD} GenerateInviteLink --group TacticalRMM --hours 8) + +print_green 'Restarting services' +for i in celery.service celery-winupdate.service celerybeat.service rmm.service do sudo systemctl restart ${i} done @@ -684,8 +703,10 @@ sudo systemctl restart salt-api printf >&2 "${YELLOW}%0.s*${NC}" {1..80} printf >&2 "\n\n" printf >&2 "${YELLOW}Installation complete!${NC}\n\n" -printf >&2 "${YELLOW}Access your rmm at: ${GREEN}https://${frontenddomain}${NC}\n" +printf >&2 "${YELLOW}Download the meshagent 64 bit EXE from: ${GREEN}${MESHEXE}${NC}\n\n" +printf >&2 "${YELLOW}Access your rmm at: ${GREEN}https://${frontenddomain}${NC}\n\n" printf >&2 "${YELLOW}Django admin url: ${GREEN}https://${rmmdomain}/${ADMINURL}${NC}\n\n" +printf >&2 "${YELLOW}MeshCentral password: ${GREEN}${MESHPASSWD}${NC}\n\n" printf >&2 "${YELLOW}Please refer to the github README for next steps${NC}\n\n" printf >&2 "${YELLOW}%0.s*${NC}" {1..80} printf >&2 "\n"