692 lines
20 KiB
Bash
Executable File
692 lines
20 KiB
Bash
Executable File
#!/bin/bash
|
|
|
|
if [ $EUID -eq 0 ]; then
|
|
echo -ne "\033[0;31mDo NOT run this script as root. Exiting.\e[0m\n"
|
|
exit 1
|
|
fi
|
|
|
|
|
|
DJANGO_SEKRET=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 50 | head -n 1)
|
|
SALTPW=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)
|
|
ADMINURL=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 30 | head -n 1)
|
|
|
|
GREEN='\033[0;32m'
|
|
YELLOW='\033[1;33m'
|
|
BLUE='\033[0;34m'
|
|
NC='\033[0m'
|
|
|
|
cls() {
|
|
printf "\033c"
|
|
}
|
|
|
|
print_green() {
|
|
printf >&2 "${GREEN}%0.s-${NC}" {1..80}
|
|
printf >&2 "\n"
|
|
printf >&2 "${GREEN}${1}${NC}\n"
|
|
printf >&2 "${GREEN}%0.s-${NC}" {1..80}
|
|
printf >&2 "\n"
|
|
}
|
|
|
|
cls
|
|
|
|
|
|
echo -ne "${YELLOW}Create a username for the postgres database${NC}: "
|
|
read pgusername
|
|
echo -ne "${YELLOW}Create a password for the postgres database${NC}: "
|
|
read pgpw
|
|
echo -ne "${YELLOW}Enter the backend API domain for the rmm${NC}: "
|
|
read rmmdomain
|
|
echo -ne "${YELLOW}Enter the frontend domain for the rmm${NC}: "
|
|
read frontenddomain
|
|
echo -ne "${YELLOW}Enter the domain for meshcentral${NC}: "
|
|
read meshdomain
|
|
echo -ne "${YELLOW}Enter your username for meshcentral${NC}: "
|
|
read meshusername
|
|
echo -ne "${YELLOW}Enter your email address for let's encrypt renewal notifications${NC}: "
|
|
read letsemail
|
|
|
|
|
|
print_green 'Creating saltapi user'
|
|
|
|
sudo adduser --no-create-home --disabled-password --gecos "" saltapi
|
|
echo "saltapi:${SALTPW}" | sudo chpasswd
|
|
|
|
print_green 'Creating sudoers conf to restart celery'
|
|
|
|
echo "${USER} ALL=(ALL) NOPASSWD: /bin/systemctl restart celerybeat.service" | sudo tee /etc/sudoers.d/${USER}
|
|
sudo chmod 0440 /etc/sudoers.d/${USER}
|
|
|
|
|
|
print_green 'Installing Nginx'
|
|
|
|
sudo apt install -y software-properties-common
|
|
sudo add-apt-repository -y ppa:nginx/stable
|
|
sudo apt update
|
|
sudo apt install -y nginx
|
|
|
|
print_green 'Installing NodeJS'
|
|
|
|
sudo apt install -y curl wget
|
|
|
|
curl -sL https://deb.nodesource.com/setup_12.x | sudo -E bash -
|
|
sudo apt update
|
|
sudo apt install -y gcc g++ make
|
|
sudo apt install -y nodejs
|
|
|
|
print_green 'Installing MongoDB'
|
|
|
|
wget -qO - https://www.mongodb.org/static/pgp/server-4.2.asc | sudo apt-key add -
|
|
echo "deb [ arch=amd64 ] https://repo.mongodb.org/apt/ubuntu bionic/mongodb-org/4.2 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-4.2.list
|
|
sudo apt update
|
|
sudo apt install -y mongodb-org
|
|
sudo systemctl enable mongod
|
|
sudo systemctl restart mongod
|
|
|
|
print_green 'Installing MeshCentral'
|
|
|
|
sudo mkdir -p /meshcentral/meshcentral-data
|
|
sudo chown ${USER}:${USER} -R /meshcentral
|
|
cd /meshcentral
|
|
npm install meshcentral
|
|
cd /home/${USER}
|
|
sudo chown ${USER}:${USER} -R /meshcentral
|
|
|
|
meshcfg="$(cat << EOF
|
|
{
|
|
"settings": {
|
|
"Cert": "${meshdomain}",
|
|
"MongoDb": "mongodb://127.0.0.1:27017",
|
|
"MongoDbName": "meshcentral",
|
|
"WANonly": true,
|
|
"Minify": 1,
|
|
"Port": 4430,
|
|
"AliasPort": 443,
|
|
"RedirPort": 800,
|
|
"AllowLoginToken": true,
|
|
"AllowFraming": true,
|
|
"_AgentPing": 60,
|
|
"AgentPong": 300,
|
|
"AllowHighQualityDesktop": true,
|
|
"TlsOffload": "127.0.0.1",
|
|
"MaxInvalidLogin": { "time": 5, "count": 5, "coolofftime": 30 }
|
|
},
|
|
"domains": {
|
|
"": {
|
|
"Title": "Dev RMM",
|
|
"Title2": "DevRMM",
|
|
"NewAccounts": false,
|
|
"mstsc": true,
|
|
"CertUrl": "https://${meshdomain}:443/",
|
|
"GeoLocation": true,
|
|
"httpheaders": {
|
|
"Strict-Transport-Security": "max-age=360000",
|
|
"_x-frame-options": "sameorigin",
|
|
"Content-Security-Policy": "default-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; frame-src 'self'; media-src 'self'"
|
|
}
|
|
}
|
|
}
|
|
}
|
|
EOF
|
|
)"
|
|
echo "${meshcfg}" > /meshcentral/meshcentral-data/config.json
|
|
|
|
print_green 'Installing python, redis and git'
|
|
|
|
sudo add-apt-repository -y ppa:deadsnakes/ppa
|
|
sudo apt update
|
|
sudo apt install -y python3.7 python3.7-venv python3.7-dev python3-pip python3-dev python3-venv python3-setuptools ca-certificates redis git python3-cherrypy3
|
|
|
|
print_green 'Installing postgresql'
|
|
|
|
sudo sh -c 'echo "deb http://apt.postgresql.org/pub/repos/apt/ $(lsb_release -cs)-pgdg main" > /etc/apt/sources.list.d/pgdg.list'
|
|
wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | sudo apt-key add -
|
|
sudo apt update
|
|
sudo apt install -y postgresql-11
|
|
|
|
print_green 'Creating database for the rmm'
|
|
|
|
sudo -u postgres psql -c "CREATE DATABASE tacticalrmm"
|
|
sudo -u postgres psql -c "CREATE USER ${pgusername} WITH PASSWORD '${pgpw}'"
|
|
sudo -u postgres psql -c "ALTER ROLE ${pgusername} SET client_encoding TO 'utf8'"
|
|
sudo -u postgres psql -c "ALTER ROLE ${pgusername} SET default_transaction_isolation TO 'read committed'"
|
|
sudo -u postgres psql -c "ALTER ROLE ${pgusername} SET timezone TO 'UTC'"
|
|
sudo -u postgres psql -c "GRANT ALL PRIVILEGES ON DATABASE tacticalrmm TO ${pgusername}"
|
|
|
|
|
|
sudo usermod -a -G www-data ${USER}
|
|
sudo chmod 710 /home/${USER}
|
|
sudo chown ${USER}:www-data /home/${USER}
|
|
|
|
mkdir -p /home/${USER}/rmm
|
|
sudo mkdir -p /var/log/celery
|
|
sudo chown ${USER}:${USER} /var/log/celery
|
|
git clone https://github.com/wh1te909/tacticalrmm.git /home/${USER}/rmm/
|
|
sudo chown ${USER}:www-data -R /home/${USER}/rmm/api/tacticalrmm
|
|
|
|
localvars="$(cat << EOF
|
|
SECRET_KEY = "${DJANGO_SEKRET}"
|
|
|
|
DEBUG = False
|
|
|
|
ALLOWED_HOSTS = ['${rmmdomain}']
|
|
|
|
ADMIN_URL = "${ADMINURL}/"
|
|
|
|
CORS_ORIGIN_WHITELIST = [
|
|
"https://${frontenddomain}"
|
|
]
|
|
|
|
DATABASES = {
|
|
'default': {
|
|
'ENGINE': 'django.db.backends.postgresql',
|
|
'NAME': 'tacticalrmm',
|
|
'USER': '${pgusername}',
|
|
'PASSWORD': '${pgpw}',
|
|
'HOST': 'localhost',
|
|
'PORT': '5432',
|
|
}
|
|
}
|
|
|
|
REST_FRAMEWORK = {
|
|
'DATETIME_FORMAT': "%b-%d-%Y - %H:%M",
|
|
|
|
'DEFAULT_PERMISSION_CLASSES': (
|
|
'rest_framework.permissions.IsAuthenticated',
|
|
),
|
|
'DEFAULT_AUTHENTICATION_CLASSES': (
|
|
'knox.auth.TokenAuthentication',
|
|
),
|
|
}
|
|
|
|
if not DEBUG:
|
|
REST_FRAMEWORK.update({
|
|
'DEFAULT_RENDERER_CLASSES': (
|
|
'rest_framework.renderers.JSONRenderer',
|
|
)
|
|
})
|
|
|
|
EMAIL_USE_TLS = True
|
|
EMAIL_HOST = 'smtp.gmail.com'
|
|
EMAIL_HOST_USER = 'example@gmail.com'
|
|
EMAIL_HOST_PASSWORD = 'yourgmailpassword'
|
|
EMAIL_PORT = 587
|
|
EMAIL_ALERT_RECIPIENTS = ["jsmith@example.com",]
|
|
|
|
SALT_USERNAME = "saltapi"
|
|
SALT_PASSWORD = "${SALTPW}"
|
|
SALT_HOST = "127.0.0.1"
|
|
MESH_USERNAME = "${meshusername}"
|
|
MESH_SITE = "https://${meshdomain}"
|
|
REDIS_HOST = "localhost"
|
|
EOF
|
|
)"
|
|
echo "${localvars}" > /home/${USER}/rmm/api/tacticalrmm/tacticalrmm/local_settings.py
|
|
|
|
print_green 'Installing the backend'
|
|
|
|
cd /home/${USER}/rmm/api
|
|
python3.7 -m venv env
|
|
source /home/${USER}/rmm/api/env/bin/activate
|
|
cd /home/${USER}/rmm/api/tacticalrmm
|
|
pip install --no-cache-dir --upgrade pip
|
|
pip install --no-cache-dir --upgrade setuptools wheel
|
|
pip install -r /home/${USER}/rmm/api/tacticalrmm/requirements.txt
|
|
python manage.py migrate
|
|
python manage.py collectstatic
|
|
python manage.py initial_db_setup
|
|
python manage.py load_chocos
|
|
printf >&2 "${YELLOW}%0.s*${NC}" {1..80}
|
|
printf >&2 "\n"
|
|
printf >&2 "${YELLOW}Please create your login for the RMM website and django admin${NC}\n"
|
|
printf >&2 "${YELLOW}%0.s*${NC}" {1..80}
|
|
printf >&2 "\n"
|
|
echo -ne "Username: "
|
|
read djangousername
|
|
python manage.py createsuperuser --username ${djangousername} --email ${letsemail}
|
|
RANDBASE=$(python manage.py generate_totp)
|
|
cls
|
|
python manage.py generate_barcode ${RANDBASE} ${djangousername} ${frontenddomain}
|
|
deactivate
|
|
read -n 1 -s -r -p "Press any key to continue..."
|
|
|
|
|
|
uwsgini="$(cat << EOF
|
|
[uwsgi]
|
|
|
|
logto = /home/${USER}/rmm/api/tacticalrmm/tacticalrmm/private/log/uwsgi.log
|
|
chdir = /home/${USER}/rmm/api/tacticalrmm
|
|
module = tacticalrmm.wsgi
|
|
home = /home/${USER}/rmm/api/env
|
|
master = true
|
|
processes = 6
|
|
threads = 6
|
|
enable-threads = True
|
|
socket = /home/${USER}/rmm/api/tacticalrmm/tacticalrmm.sock
|
|
harakiri = 300
|
|
chmod-socket = 660
|
|
# clear environment on exit
|
|
vacuum = true
|
|
die-on-term = true
|
|
max-requests = 500
|
|
max-requests-delta = 1000
|
|
EOF
|
|
)"
|
|
echo "${uwsgini}" > /home/${USER}/rmm/api/tacticalrmm/app.ini
|
|
|
|
|
|
rmmservice="$(cat << EOF
|
|
[Unit]
|
|
Description=tacticalrmm uwsgi daemon
|
|
After=network.target
|
|
|
|
[Service]
|
|
User=${USER}
|
|
Group=www-data
|
|
WorkingDirectory=/home/${USER}/rmm/api/tacticalrmm
|
|
Environment="PATH=/home/${USER}/rmm/api/env/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
|
|
ExecStart=/home/${USER}/rmm/api/env/bin/uwsgi --ini app.ini
|
|
Restart=always
|
|
RestartSec=10s
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|
|
EOF
|
|
)"
|
|
echo "${rmmservice}" | sudo tee /etc/systemd/system/rmm.service > /dev/null
|
|
|
|
|
|
nginxrmm="$(cat << EOF
|
|
server_tokens off;
|
|
|
|
upstream tacticalrmm {
|
|
server unix:////home/${USER}/rmm/api/tacticalrmm/tacticalrmm.sock;
|
|
}
|
|
|
|
server {
|
|
listen 80;
|
|
server_name ${rmmdomain};
|
|
return 301 https://\$server_name\$request_uri;
|
|
}
|
|
|
|
server {
|
|
listen 443 ssl;
|
|
server_name ${rmmdomain};
|
|
client_max_body_size 300M;
|
|
access_log /home/${USER}/rmm/api/tacticalrmm/tacticalrmm/private/log/access.log;
|
|
error_log /home/${USER}/rmm/api/tacticalrmm/tacticalrmm/private/log/error.log;
|
|
ssl_certificate /etc/letsencrypt/live/${rmmdomain}/fullchain.pem;
|
|
ssl_certificate_key /etc/letsencrypt/live/${rmmdomain}/privkey.pem;
|
|
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
|
|
|
|
location /static/ {
|
|
root /home/${USER}/rmm/api/tacticalrmm;
|
|
}
|
|
|
|
location /private/ {
|
|
internal;
|
|
add_header "Access-Control-Allow-Origin" "https://${frontenddomain}";
|
|
alias /home/${USER}/rmm/api/tacticalrmm/tacticalrmm/private/;
|
|
}
|
|
|
|
location /saltscripts/ {
|
|
internal;
|
|
add_header "Access-Control-Allow-Origin" "https://${frontenddomain}";
|
|
alias /srv/salt/scripts/userdefined/;
|
|
}
|
|
|
|
|
|
location / {
|
|
uwsgi_pass tacticalrmm;
|
|
include /etc/nginx/uwsgi_params;
|
|
uwsgi_read_timeout 9999s;
|
|
uwsgi_ignore_client_abort on;
|
|
}
|
|
}
|
|
EOF
|
|
)"
|
|
echo "${nginxrmm}" | sudo tee /etc/nginx/sites-available/rmm.conf > /dev/null
|
|
|
|
|
|
nginxmesh="$(cat << EOF
|
|
server {
|
|
listen 80;
|
|
server_name ${meshdomain};
|
|
location / {
|
|
proxy_pass http://127.0.0.1:800;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header X-Forwarded-Host \$host:\$server_port;
|
|
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto \$scheme;
|
|
}
|
|
|
|
}
|
|
|
|
server {
|
|
|
|
listen 443 ssl;
|
|
proxy_send_timeout 330s;
|
|
proxy_read_timeout 330s;
|
|
server_name ${meshdomain};
|
|
ssl_certificate /etc/letsencrypt/live/${meshdomain}/fullchain.pem;
|
|
ssl_certificate_key /etc/letsencrypt/live/${meshdomain}/privkey.pem;
|
|
ssl_session_cache shared:WEBSSL:10m;
|
|
ssl_ciphers HIGH:!aNULL:!MD5;
|
|
ssl_prefer_server_ciphers on;
|
|
|
|
location / {
|
|
proxy_pass http://127.0.0.1:4430/;
|
|
proxy_http_version 1.1;
|
|
|
|
proxy_set_header Upgrade \$http_upgrade;
|
|
proxy_set_header Connection "upgrade";
|
|
proxy_set_header X-Forwarded-Host \$host:\$server_port;
|
|
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto \$scheme;
|
|
}
|
|
}
|
|
EOF
|
|
)"
|
|
echo "${nginxmesh}" | sudo tee /etc/nginx/sites-available/meshcentral.conf > /dev/null
|
|
|
|
sudo ln -s /etc/nginx/sites-available/rmm.conf /etc/nginx/sites-enabled/rmm.conf
|
|
sudo ln -s /etc/nginx/sites-available/meshcentral.conf /etc/nginx/sites-enabled/meshcentral.conf
|
|
|
|
print_green 'Installing Salt Master'
|
|
|
|
wget -O - https://repo.saltstack.com/py3/ubuntu/18.04/amd64/latest/SALTSTACK-GPG-KEY.pub | sudo apt-key add -
|
|
echo 'deb http://repo.saltstack.com/py3/ubuntu/18.04/amd64/latest bionic main' | sudo tee /etc/apt/sources.list.d/saltstack.list
|
|
sudo apt update
|
|
sudo apt install -y salt-master
|
|
|
|
saltvars="$(cat << EOF
|
|
timeout: 60
|
|
gather_job_timeout: 30
|
|
max_event_size: 30485760
|
|
external_auth:
|
|
pam:
|
|
saltapi:
|
|
- .*
|
|
- '@runner'
|
|
- '@wheel'
|
|
- '@jobs'
|
|
|
|
rest_cherrypy:
|
|
port: 8123
|
|
disable_ssl: True
|
|
max_request_body_size: 30485760
|
|
|
|
EOF
|
|
)"
|
|
echo "${saltvars}" | sudo tee --append /etc/salt/master > /dev/null
|
|
|
|
print_green 'Waiting 30 seconds for salt to start'
|
|
sleep 30 # wait for salt to start
|
|
|
|
print_green 'Installing Salt API'
|
|
sudo apt install -y salt-api
|
|
|
|
sudo mkdir /etc/conf.d
|
|
|
|
celeryservice="$(cat << EOF
|
|
[Unit]
|
|
Description=Celery Service
|
|
After=network.target
|
|
After=redis.service
|
|
|
|
[Service]
|
|
Type=forking
|
|
User=${USER}
|
|
Group=${USER}
|
|
EnvironmentFile=/etc/conf.d/celery.conf
|
|
WorkingDirectory=/home/${USER}/rmm/api/tacticalrmm
|
|
ExecStart=/bin/sh -c '\${CELERY_BIN} multi start \${CELERYD_NODES} -A \${CELERY_APP} --pidfile=\${CELERYD_PID_FILE} --logfile=\${CELERYD_LOG_FILE} --loglevel=\${CELERYD_LOG_LEVEL} \${CELERYD_OPTS}'
|
|
ExecStop=/bin/sh -c '\${CELERY_BIN} multi stopwait \${CELERYD_NODES} --pidfile=\${CELERYD_PID_FILE}'
|
|
ExecReload=/bin/sh -c '\${CELERY_BIN} multi restart \${CELERYD_NODES} -A \${CELERY_APP} --pidfile=\${CELERYD_PID_FILE} --logfile=\${CELERYD_LOG_FILE} --loglevel=\${CELERYD_LOG_LEVEL} \${CELERYD_OPTS}'
|
|
Restart=always
|
|
RestartSec=10s
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|
|
EOF
|
|
)"
|
|
echo "${celeryservice}" | sudo tee /etc/systemd/system/celery.service > /dev/null
|
|
|
|
celerywinupdatesvc="$(cat << EOF
|
|
[Unit]
|
|
Description=Celery Win Update Service
|
|
After=network.target
|
|
After=redis.service
|
|
|
|
[Service]
|
|
Type=forking
|
|
User=${USER}
|
|
Group=${USER}
|
|
EnvironmentFile=/etc/conf.d/celery-winupdate.conf
|
|
WorkingDirectory=/home/${USER}/rmm/api/tacticalrmm
|
|
ExecStart=/bin/sh -c '\${CELERY_BIN} multi start \${CELERYD_NODES} -A \${CELERY_APP} --pidfile=\${CELERYD_PID_FILE} --logfile=\${CELERYD_LOG_FILE} --loglevel=\${CELERYD_LOG_LEVEL} -Q wupdate \${CELERYD_OPTS}'
|
|
ExecStop=/bin/sh -c '\${CELERY_BIN} multi stopwait \${CELERYD_NODES} --pidfile=\${CELERYD_PID_FILE}'
|
|
ExecReload=/bin/sh -c '\${CELERY_BIN} multi restart \${CELERYD_NODES} -A \${CELERY_APP} --pidfile=\${CELERYD_PID_FILE} --logfile=\${CELERYD_LOG_FILE} --loglevel=\${CELERYD_LOG_LEVEL} -Q wupdate \${CELERYD_OPTS}'
|
|
Restart=always
|
|
RestartSec=10s
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|
|
EOF
|
|
)"
|
|
echo "${celerywinupdatesvc}" | sudo tee /etc/systemd/system/celery-winupdate.service > /dev/null
|
|
|
|
celeryconf="$(cat << EOF
|
|
CELERYD_NODES="w1"
|
|
|
|
CELERY_BIN="/home/${USER}/rmm/api/env/bin/celery"
|
|
|
|
CELERY_APP="tacticalrmm"
|
|
|
|
CELERYD_MULTI="multi"
|
|
|
|
CELERYD_OPTS="--time-limit=2900 --autoscale=50,5"
|
|
|
|
CELERYD_PID_FILE="/home/${USER}/rmm/api/tacticalrmm/%n.pid"
|
|
CELERYD_LOG_FILE="/var/log/celery/%n%I.log"
|
|
CELERYD_LOG_LEVEL="INFO"
|
|
|
|
CELERYBEAT_PID_FILE="/home/${USER}/rmm/api/tacticalrmm/beat.pid"
|
|
CELERYBEAT_LOG_FILE="/var/log/celery/beat.log"
|
|
EOF
|
|
)"
|
|
echo "${celeryconf}" | sudo tee /etc/conf.d/celery.conf > /dev/null
|
|
|
|
celerywinupdate="$(cat << EOF
|
|
CELERYD_NODES="w2"
|
|
|
|
CELERY_BIN="/home/${USER}/rmm/api/env/bin/celery"
|
|
|
|
CELERY_APP="tacticalrmm"
|
|
|
|
CELERYD_MULTI="multi"
|
|
|
|
CELERYD_OPTS="--time-limit=4000 --autoscale=15,1"
|
|
|
|
CELERYD_PID_FILE="/home/${USER}/rmm/api/tacticalrmm/%n.pid"
|
|
CELERYD_LOG_FILE="/var/log/celery/%n%I.log"
|
|
CELERYD_LOG_LEVEL="INFO"
|
|
EOF
|
|
)"
|
|
echo "${celerywinupdate}" | sudo tee /etc/conf.d/celery-winupdate.conf > /dev/null
|
|
|
|
|
|
celerybeatservice="$(cat << EOF
|
|
[Unit]
|
|
Description=Celery Beat Service
|
|
After=network.target
|
|
After=redis.service
|
|
|
|
[Service]
|
|
Type=simple
|
|
User=${USER}
|
|
Group=${USER}
|
|
EnvironmentFile=/etc/conf.d/celery.conf
|
|
WorkingDirectory=/home/${USER}/rmm/api/tacticalrmm
|
|
ExecStart=/bin/sh -c '\${CELERY_BIN} beat -A \${CELERY_APP} --pidfile=\${CELERYBEAT_PID_FILE} --logfile=\${CELERYBEAT_LOG_FILE} --loglevel=\${CELERYD_LOG_LEVEL}'
|
|
Restart=always
|
|
RestartSec=10s
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|
|
EOF
|
|
)"
|
|
echo "${celerybeatservice}" | sudo tee /etc/systemd/system/celerybeat.service > /dev/null
|
|
|
|
sudo mkdir -p /srv/salt
|
|
sudo cp -r /home/${USER}/rmm/_modules /srv/salt/
|
|
sudo cp -r /home/${USER}/rmm/scripts /srv/salt/
|
|
sudo mkdir /srv/salt/scripts/userdefined
|
|
sudo chown ${USER}:${USER} -R /srv/salt/
|
|
sudo chown ${USER}:www-data /srv/salt/scripts/userdefined
|
|
sudo chmod 750 /srv/salt/scripts/userdefined
|
|
|
|
meshservice="$(cat << EOF
|
|
[Unit]
|
|
Description=MeshCentral Server
|
|
After=network.target
|
|
After=nginx.service
|
|
[Service]
|
|
Type=simple
|
|
LimitNOFILE=1000000
|
|
ExecStart=/usr/bin/node node_modules/meshcentral
|
|
Environment=NODE_ENV=production
|
|
WorkingDirectory=/meshcentral
|
|
User=${USER}
|
|
Group=${USER}
|
|
Restart=always
|
|
RestartSec=10s
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|
|
EOF
|
|
)"
|
|
echo "${meshservice}" | sudo tee /etc/systemd/system/meshcentral.service > /dev/null
|
|
|
|
sudo systemctl daemon-reload
|
|
|
|
|
|
sudo systemctl enable salt-master
|
|
sudo systemctl enable salt-api
|
|
|
|
sudo systemctl restart salt-api
|
|
|
|
print_green 'Installing certbot'
|
|
|
|
sudo add-apt-repository -y ppa:certbot/certbot
|
|
sudo apt install -y certbot
|
|
sudo systemctl stop nginx
|
|
|
|
print_green 'Getting https certs'
|
|
|
|
sudo certbot certonly --standalone --agree-tos -m ${letsemail} --no-eff-email -d ${meshdomain}
|
|
sudo certbot certonly --standalone --agree-tos -m ${letsemail} --no-eff-email -d ${rmmdomain}
|
|
sudo certbot certonly --standalone --agree-tos -m ${letsemail} --no-eff-email -d ${frontenddomain}
|
|
|
|
sudo chown -R $USER:$GROUP /home/${USER}/.npm
|
|
sudo chown -R $USER:$GROUP /home/${USER}/.config
|
|
|
|
quasarenv="$(cat << EOF
|
|
PROD_URL = "https://${rmmdomain}"
|
|
DEV_URL = "https://api.example.com"
|
|
APP_URL = "https://app.example.com"
|
|
DEV_HOST = 0.0.0.0
|
|
DEV_PORT = 80
|
|
EOF
|
|
)"
|
|
echo "${quasarenv}" | tee /home/${USER}/rmm/web/.env > /dev/null
|
|
|
|
print_green 'Installing the frontend'
|
|
|
|
cd /home/${USER}/rmm/web
|
|
npm install
|
|
npm run build
|
|
sudo mkdir -p /var/www/rmm
|
|
sudo cp -pvr /home/${USER}/rmm/web/dist /var/www/rmm/
|
|
sudo chown www-data:www-data -R /var/www/rmm/dist
|
|
|
|
nginxfrontend="$(cat << EOF
|
|
server {
|
|
server_name ${frontenddomain};
|
|
charset utf-8;
|
|
location / {
|
|
root /var/www/rmm/dist;
|
|
try_files \$uri \$uri/ /index.html;
|
|
add_header Cache-Control "no-store, no-cache, must-revalidate";
|
|
add_header Pragma "no-cache";
|
|
}
|
|
error_log /var/log/nginx/frontend-error.log;
|
|
access_log /var/log/nginx/frontend-access.log;
|
|
|
|
listen 443 ssl;
|
|
ssl_certificate /etc/letsencrypt/live/${frontenddomain}/fullchain.pem;
|
|
ssl_certificate_key /etc/letsencrypt/live/${frontenddomain}/privkey.pem;
|
|
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
|
|
}
|
|
|
|
server {
|
|
if (\$host = ${frontenddomain}) {
|
|
return 301 https://\$host\$request_uri;
|
|
}
|
|
|
|
listen 80;
|
|
server_name ${frontenddomain};
|
|
return 404;
|
|
}
|
|
EOF
|
|
)"
|
|
echo "${nginxfrontend}" | sudo tee /etc/nginx/sites-available/frontend.conf > /dev/null
|
|
|
|
sudo ln -s /etc/nginx/sites-available/frontend.conf /etc/nginx/sites-enabled/frontend.conf
|
|
|
|
|
|
print_green 'Restarting Services'
|
|
|
|
for i in nginx celery.service celery-winupdate.service celerybeat.service rmm.service
|
|
do
|
|
sudo systemctl enable ${i}
|
|
sudo systemctl restart ${i}
|
|
done
|
|
sleep 5
|
|
sudo systemctl enable meshcentral
|
|
|
|
print_green 'Restarting meshcentral and waiting for it to install plugins'
|
|
|
|
sudo systemctl restart meshcentral
|
|
|
|
sleep 30
|
|
|
|
print_green 'Generating meshcentral login token key'
|
|
|
|
MESHTOKENKEY=$(node /meshcentral/node_modules/meshcentral --logintokenkey)
|
|
|
|
meshtoken="$(cat << EOF
|
|
MESH_TOKEN_KEY = "${MESHTOKENKEY}"
|
|
EOF
|
|
)"
|
|
echo "${meshtoken}" | tee --append /home/${USER}/rmm/api/tacticalrmm/tacticalrmm/local_settings.py > /dev/null
|
|
|
|
print_green 'Restarting all services'
|
|
for i in nginx celery.service celery-winupdate.service celerybeat.service rmm.service meshcentral.service
|
|
do
|
|
sudo systemctl restart ${i}
|
|
done
|
|
|
|
print_green 'Restarting salt-master and waiting 30 seconds'
|
|
sudo systemctl restart salt-master
|
|
sleep 30
|
|
sudo systemctl restart salt-api
|
|
|
|
printf >&2 "${YELLOW}%0.s*${NC}" {1..80}
|
|
printf >&2 "\n\n"
|
|
printf >&2 "${YELLOW}Installation complete!${NC}\n\n"
|
|
printf >&2 "${YELLOW}Access your rmm at: ${GREEN}https://${frontenddomain}${NC}\n"
|
|
printf >&2 "${YELLOW}Django admin url: ${GREEN}https://${rmmdomain}/${ADMINURL}${NC}\n\n"
|
|
printf >&2 "${YELLOW}Please refer to the github README for next steps${NC}\n\n"
|
|
printf >&2 "${YELLOW}%0.s*${NC}" {1..80}
|
|
printf >&2 "\n"
|