install-ff-syncserver.sh
Raw
#!/bin/bash
IMPORTANT: make sure to edit the mysql connection info. The lines you need to edit look like this:
mysql://firefox_sync:ecaith8ezieMe7oowies0shee0oj9zii@172.0.2.106/firefox_tokenserver
exit 1
if [ "$EUID" -ne 0 ]; then
echo "Please run as root"
exit
fi
sudo apt install cmake gcc golang libcurl4-openssl-dev libssl-dev make pkg-config libmariadb-dev-compat mariadb-client python3.10-venv python3-dev
git clone https://github.com/mozilla-services/syncstorage-rs.git /srv/syncstorage
cd /srv/syncstorage
adduser ffsync --system
chown -R ffsync:nogroup /srv/syncstorage
sudo -H -u ffsync bash -c "curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh"
apt install -y nginx
echo '''server {
listen 443 ssl http2 default_server;
server_name _;
ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
location / {
proxy_pass http://127.0.0.1:8000$request_uri;
}
include /etc/nginx/snippets/ssl-params.conf;
}''' >/etc/nginx/sites-enabled/default
openssl req -x509 -nodes -days 99999 -newkey rsa:4096 \
-subj "/C=PE/ST=Lima/L=Lima/O=Acme Inc. /OU=IT Department/CN=acme.com" \
-keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt
openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
echo """ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers \"EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH\";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security \"max-age=63072000; includeSubdomains\";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
ssl_dhparam /etc/ssl/certs/dhparam.pem;""" >/etc/nginx/snippets/ssl-params.conf
systemctl enable --now nginx
systemctl restart nginx
systemctl status --no-pager nginx
sudo -u ffsync bash -c "/home/ffsync/.cargo/bin/cargo install diesel_cli --no-default-features --features mysql"
sudo -H -u ffsync bash -c "/home/ffsync/.cargo/bin/diesel --database-url 'mysql://firefox_sync:ecaith8ezieMe7oowies0shee0oj9zii@172.0.2.106/firefox_syncstorage' migration --migration-dir syncstorage-mysql/migrations run"
sudo -H -u ffsync bash -c "/home/ffsync/.cargo/bin/diesel --database-url 'mysql://firefox_sync:ecaith8ezieMe7oowies0shee0oj9zii@172.0.2.106/firefox_tokenserver' migration --migration-dir tokenserver-db/migrations run"
mysql -u firefox_sync -p"ecaith8ezieMe7oowies0shee0oj9zii" -h 172.0.2.106 -P 3306 <<EOF
USE firefox_tokenserver
INSERT INTO services (id, service, pattern) VALUES
(1, "sync-1.5", "{node}/1.5/{uid}");
EOF
sudo -H -u ffsync bash -c "venv/bin/pip install -r tools/tokenserver/requirements.txt"
sudo -H -u ffsync bash -c "SYNC_TOKENSERVER__DATABASE_URL='mysql://firefox_sync:ecaith8ezieMe7oowies0shee0oj9zii@172.0.2.106/firefox_tokenserver' venv/bin/python3 tools/tokenserver/add_node.py https://ffsync.example.com 1000"
sudo -H -u ffsync bash -c "/home/ffsync/.cargo/bin/cargo clean; /home/ffsync/.cargo/bin/cargo build"
echo '''#!/bin/bash
source venv/bin/activate; PATH="/srv/syncstorage/venv/bin:$PATH" PYTHONPATH=$PYTHON_SITE_PACKGES RUST_LOG=debug RUST_BACKTRACE=full /srv/syncstorage/target/debug/syncserver --config /srv/syncstorage/config/local.toml''' >/srv/syncstorage/start.sh
chmod +x /srv/syncstorage/start.sh
echo """[Unit]
Description=Firefox Sync Server
After=network.target
[Service]
Type=simple
User=ffsync
WorkingDirectory=/srv/syncstorage/
ExecStart=/bin/bash /srv/syncstorage/start.sh
Restart=on-failure
[Install]
WantedBy=multi-user.target
""" >/etc/systemd/system/ffsync.service
systemctl daemon-reload
systemctl enable --now ffsync
systemctl status --no-pager ffsync
journalctl -b -f -u ffsync
echo "\n\n\nNow, read the instructions at the end of this installer to set everything else up"
exit 0
# Nginx edge proxy
"""
server
{
listen 80;
listen [::]:80;
server_name ffsync.example.com;
add_header Strict-Transport-Security "max-age=0;";
return 301 https://$server_name$request_uri;
}
server
{
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name ffsync.example.com;
client_max_body_size 100M;
location /
{
proxy_pass https://172.0.2.121$request_uri;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Host $host:$server_port;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
include /etc/nginx/includes/vhost-log.conf;
}
"""
# Firefox Settings:
# identity.sync.tokenserver.uri: https://ffsync.example.com/1.0/sync/1.5
# for android, make sure you arent logged in when changing the sync server url. change the url when you are not signed in
# the server is just https://ffsync.example.com
| 1 | #!/bin/bash |
| 2 | |
| 3 | |
| 4 | |
| 5 | IMPORTANT: make sure to edit the mysql connection info. The lines you need to edit look like this: |
| 6 | |
| 7 | mysql://firefox_sync:ecaith8ezieMe7oowies0shee0oj9zii@172.0.2.106/firefox_tokenserver |
| 8 | |
| 9 | exit 1 |
| 10 | |
| 11 | |
| 12 | if [ "$EUID" -ne 0 ]; then |
| 13 | echo "Please run as root" |
| 14 | exit |
| 15 | fi |
| 16 | |
| 17 | sudo apt install cmake gcc golang libcurl4-openssl-dev libssl-dev make pkg-config libmariadb-dev-compat mariadb-client python3.10-venv python3-dev |
| 18 | |
| 19 | git clone https://github.com/mozilla-services/syncstorage-rs.git /srv/syncstorage |
| 20 | |
| 21 | cd /srv/syncstorage |
| 22 | |
| 23 | adduser ffsync --system |
| 24 | chown -R ffsync:nogroup /srv/syncstorage |
| 25 | |
| 26 | sudo -H -u ffsync bash -c "curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh" |
| 27 | |
| 28 | apt install -y nginx |
| 29 | |
| 30 | echo '''server { |
| 31 | listen 443 ssl http2 default_server; |
| 32 | server_name _; |
| 33 | ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt; |
| 34 | ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key; |
| 35 | location / { |
| 36 | proxy_pass http://127.0.0.1:8000$request_uri; |
| 37 | } |
| 38 | include /etc/nginx/snippets/ssl-params.conf; |
| 39 | }''' >/etc/nginx/sites-enabled/default |
| 40 | |
| 41 | openssl req -x509 -nodes -days 99999 -newkey rsa:4096 \ |
| 42 | -subj "/C=PE/ST=Lima/L=Lima/O=Acme Inc. /OU=IT Department/CN=acme.com" \ |
| 43 | -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt |
| 44 | openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048 |
| 45 | |
| 46 | echo """ssl_protocols TLSv1 TLSv1.1 TLSv1.2; |
| 47 | ssl_prefer_server_ciphers on; |
| 48 | ssl_ciphers \"EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH\"; |
| 49 | ssl_ecdh_curve secp384r1; |
| 50 | ssl_session_cache shared:SSL:10m; |
| 51 | ssl_session_tickets off; |
| 52 | ssl_stapling on; |
| 53 | ssl_stapling_verify on; |
| 54 | resolver 8.8.8.8 8.8.4.4 valid=300s; |
| 55 | resolver_timeout 5s; |
| 56 | add_header Strict-Transport-Security \"max-age=63072000; includeSubdomains\"; |
| 57 | add_header X-Frame-Options DENY; |
| 58 | add_header X-Content-Type-Options nosniff; |
| 59 | ssl_dhparam /etc/ssl/certs/dhparam.pem;""" >/etc/nginx/snippets/ssl-params.conf |
| 60 | |
| 61 | systemctl enable --now nginx |
| 62 | systemctl restart nginx |
| 63 | systemctl status --no-pager nginx |
| 64 | |
| 65 | |
| 66 | sudo -u ffsync bash -c "/home/ffsync/.cargo/bin/cargo install diesel_cli --no-default-features --features mysql" |
| 67 | sudo -H -u ffsync bash -c "/home/ffsync/.cargo/bin/diesel --database-url 'mysql://firefox_sync:ecaith8ezieMe7oowies0shee0oj9zii@172.0.2.106/firefox_syncstorage' migration --migration-dir syncstorage-mysql/migrations run" |
| 68 | sudo -H -u ffsync bash -c "/home/ffsync/.cargo/bin/diesel --database-url 'mysql://firefox_sync:ecaith8ezieMe7oowies0shee0oj9zii@172.0.2.106/firefox_tokenserver' migration --migration-dir tokenserver-db/migrations run" |
| 69 | |
| 70 | mysql -u firefox_sync -p"ecaith8ezieMe7oowies0shee0oj9zii" -h 172.0.2.106 -P 3306 <<EOF |
| 71 | USE firefox_tokenserver |
| 72 | INSERT INTO services (id, service, pattern) VALUES |
| 73 | (1, "sync-1.5", "{node}/1.5/{uid}"); |
| 74 | EOF |
| 75 | |
| 76 | sudo -H -u ffsync bash -c "venv/bin/pip install -r tools/tokenserver/requirements.txt" |
| 77 | sudo -H -u ffsync bash -c "SYNC_TOKENSERVER__DATABASE_URL='mysql://firefox_sync:ecaith8ezieMe7oowies0shee0oj9zii@172.0.2.106/firefox_tokenserver' venv/bin/python3 tools/tokenserver/add_node.py https://ffsync.example.com 1000" |
| 78 | |
| 79 | sudo -H -u ffsync bash -c "/home/ffsync/.cargo/bin/cargo clean; /home/ffsync/.cargo/bin/cargo build" |
| 80 | |
| 81 | echo '''#!/bin/bash |
| 82 | source venv/bin/activate; PATH="/srv/syncstorage/venv/bin:$PATH" PYTHONPATH=$PYTHON_SITE_PACKGES RUST_LOG=debug RUST_BACKTRACE=full /srv/syncstorage/target/debug/syncserver --config /srv/syncstorage/config/local.toml''' >/srv/syncstorage/start.sh |
| 83 | chmod +x /srv/syncstorage/start.sh |
| 84 | |
| 85 | echo """[Unit] |
| 86 | Description=Firefox Sync Server |
| 87 | After=network.target |
| 88 | |
| 89 | [Service] |
| 90 | Type=simple |
| 91 | User=ffsync |
| 92 | WorkingDirectory=/srv/syncstorage/ |
| 93 | ExecStart=/bin/bash /srv/syncstorage/start.sh |
| 94 | Restart=on-failure |
| 95 | |
| 96 | [Install] |
| 97 | WantedBy=multi-user.target |
| 98 | """ >/etc/systemd/system/ffsync.service |
| 99 | |
| 100 | systemctl daemon-reload |
| 101 | systemctl enable --now ffsync |
| 102 | systemctl status --no-pager ffsync |
| 103 | journalctl -b -f -u ffsync |
| 104 | |
| 105 | echo "\n\n\nNow, read the instructions at the end of this installer to set everything else up" |
| 106 | exit 0 |
| 107 | |
| 108 | # Nginx edge proxy |
| 109 | """ |
| 110 | server |
| 111 | { |
| 112 | listen 80; |
| 113 | listen [::]:80; |
| 114 | server_name ffsync.example.com; |
| 115 | add_header Strict-Transport-Security "max-age=0;"; |
| 116 | return 301 https://$server_name$request_uri; |
| 117 | } |
| 118 | |
| 119 | |
| 120 | server |
| 121 | { |
| 122 | listen 443 ssl http2; |
| 123 | listen [::]:443 ssl http2; |
| 124 | server_name ffsync.example.com; |
| 125 | |
| 126 | client_max_body_size 100M; |
| 127 | |
| 128 | location / |
| 129 | { |
| 130 | proxy_pass https://172.0.2.121$request_uri; |
| 131 | proxy_set_header X-Forwarded-Proto $scheme; |
| 132 | proxy_set_header X-Real-IP $remote_addr; |
| 133 | proxy_set_header X-Forwarded-Host $host:$server_port; |
| 134 | proxy_set_header X-Forwarded-Server $host; |
| 135 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; |
| 136 | } |
| 137 | |
| 138 | ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot |
| 139 | ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot |
| 140 | include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot |
| 141 | ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot |
| 142 | include /etc/nginx/includes/vhost-log.conf; |
| 143 | } |
| 144 | """ |
| 145 | |
| 146 | # Firefox Settings: |
| 147 | # identity.sync.tokenserver.uri: https://ffsync.example.com/1.0/sync/1.5 |
| 148 | |
| 149 | # for android, make sure you arent logged in when changing the sync server url. change the url when you are not signed in |
| 150 | # the server is just https://ffsync.example.com |