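#!/usr/bin/env bash
#
# install-ff-syncserver.sh — set up a self-hosted Firefox Sync server
# (mozilla-services/syncstorage-rs) behind a local nginx TLS terminator on
# Debian/Ubuntu. A separate public-facing nginx edge proxy is expected; its
# configuration is given as a comment block at the end of this file.
#
# Usage (as root):
#   FFSYNC_DB_PASSWORD='<password>' ./install-ff-syncserver.sh
#
# Required environment:
#   FFSYNC_DB_PASSWORD   MySQL password for the sync user. It is embedded in
#                        mysql:// URLs, so percent-encode URL-special characters
#                        (@ : / # ? %). The script refuses to run without it —
#                        this replaces the original "edit the file, then remove
#                        the exit 1" gate.
# Optional environment (defaults shown where they are read):
#   FFSYNC_DB_HOST, FFSYNC_DB_PORT, FFSYNC_DB_USER, FFSYNC_STORAGE_DB,
#   FFSYNC_TOKEN_DB, FFSYNC_PUBLIC_URL, FFSYNC_NODE_CAPACITY
#
# The two databases and the database user must already exist; the script only
# runs the schema migrations and seeds the tokenserver tables.
set -euo pipefail

die() { printf 'error: %s\n' "$*" >&2; exit 1; }

(( EUID == 0 )) || die "please run as root"

# ---- Configuration --------------------------------------------------------
readonly db_host=${FFSYNC_DB_HOST:-172.0.2.106}
readonly db_port=${FFSYNC_DB_PORT:-3306}
readonly db_user=${FFSYNC_DB_USER:-firefox_sync}
readonly db_password=${FFSYNC_DB_PASSWORD:?set FFSYNC_DB_PASSWORD to the MySQL password for the sync user}
readonly storage_db=${FFSYNC_STORAGE_DB:-firefox_syncstorage}
readonly token_db=${FFSYNC_TOKEN_DB:-firefox_tokenserver}
# URL clients will use; must match the edge proxy's server_name (see notes at the end).
readonly public_url=${FFSYNC_PUBLIC_URL:-https://ffsync.example.com}
readonly node_capacity=${FFSYNC_NODE_CAPACITY:-1000}
# The original URLs carried no port, so none is added here; the mysql client
# below gets the port separately.
readonly db_url_base="mysql://${db_user}:${db_password}@${db_host}"

readonly svc_user=ffsync
readonly src_dir=/srv/syncstorage
readonly cargo_bin=/home/${svc_user}/.cargo/bin

#######################################
# Runs a command as the service user with that user's HOME.
# Only the two database-URL variables are passed through, so the password is
# never part of a command line visible via ps — diesel reads DATABASE_URL and
# add_node.py reads SYNC_TOKENSERVER__DATABASE_URL from the environment.
# Arguments: the command and its arguments
#######################################
run_as_svc() {
  sudo --preserve-env=DATABASE_URL,SYNC_TOKENSERVER__DATABASE_URL -H -u "$svc_user" "$@"
}

# ---- System packages, source checkout, service user -----------------------
apt-get update
# python3.10-venv is the Ubuntu 22.04 package name; adjust for other releases.
apt-get install -y cmake gcc golang libcurl4-openssl-dev libssl-dev make pkg-config \
  libmariadb-dev-compat mariadb-client python3.10-venv python3-dev nginx

[[ -d "${src_dir}/.git" ]] || git clone https://github.com/mozilla-services/syncstorage-rs.git "$src_dir"
cd "$src_dir"

# adduser --system puts the user in group nogroup by default, hence the chown.
id -u "$svc_user" >/dev/null 2>&1 || adduser --system "$svc_user"
chown -R "${svc_user}:nogroup" "$src_dir"

# Rust toolchain into the service user's home. This is still the upstream
# "pipe a downloaded script to sh" installer; --proto/--tlsv1.2 restrict the
# transport, and -y makes it non-interactive (the original stopped at a prompt).
run_as_svc bash -c "curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y"

# ---- Local nginx: TLS terminator in front of syncserver on 127.0.0.1:8000 --
# The edge proxy holds the real certificate; this self-signed pair only covers
# the hop from the edge to this host. The heredoc delimiter is quoted so nginx
# variables such as $request_uri stay literal.
cat >/etc/nginx/sites-enabled/default <<'EOF'
server {
    listen 443 ssl http2 default_server;
    server_name _;
    ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
    ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
    location / {
        proxy_pass http://127.0.0.1:8000$request_uri;
    }
    include /etc/nginx/snippets/ssl-params.conf;
}
EOF

# Generate the key pair and DH parameters once; reruns keep the existing files.
if [[ ! -f /etc/ssl/certs/nginx-selfsigned.crt ]]; then
  openssl req -x509 -nodes -days 99999 -newkey rsa:4096 \
    -subj "/C=PE/ST=Lima/L=Lima/O=Acme Inc. /OU=IT Department/CN=acme.com" \
    -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt
fi
[[ -f /etc/ssl/certs/dhparam.pem ]] || openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

# TLS 1.0/1.1 (enabled by the original) are dropped; only 1.2 and 1.3 remain.
# OCSP stapling does nothing for a self-signed certificate (nginx logs a
# warning); it is left in so a CA-issued certificate can take its place later.
cat >/etc/nginx/snippets/ssl-params.conf <<'EOF'
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
EOF

nginx -t
systemctl enable --now nginx
systemctl restart nginx
systemctl status --no-pager nginx

# ---- Database schema and tokenserver seed data ----------------------------
run_as_svc "${cargo_bin}/cargo" install diesel_cli --no-default-features --features mysql

# diesel takes the connection URL from DATABASE_URL (see run_as_svc).
export DATABASE_URL="${db_url_base}/${storage_db}"
run_as_svc "${cargo_bin}/diesel" migration --migration-dir syncstorage-mysql/migrations run
export DATABASE_URL="${db_url_base}/${token_db}"
run_as_svc "${cargo_bin}/diesel" migration --migration-dir tokenserver-db/migrations run
unset DATABASE_URL

# Register the sync-1.5 service. Credentials go through a temporary option
# file (mktemp creates it mode 0600) instead of -p"…" on the command line.
# Option-file values containing '#' or ';' must be double-quoted. This INSERT
# fails on a rerun if the row already exists.
my_cnf=$(mktemp) || die "mktemp failed"
trap 'rm -f -- "$my_cnf"' EXIT
printf '[client]\nuser=%s\npassword=%s\nhost=%s\nport=%s\n' \
  "$db_user" "$db_password" "$db_host" "$db_port" >"$my_cnf"
mysql --defaults-extra-file="$my_cnf" "$token_db" <<'EOF'
INSERT INTO services (id, service, pattern) VALUES
  (1, 'sync-1.5', '{node}/1.5/{uid}');
EOF
rm -f -- "$my_cnf"

# ---- Tokenserver helpers (Python) and the Rust build ----------------------
# The original never created the venv it then installed into; create it first.
[[ -x venv/bin/python3 ]] || run_as_svc python3 -m venv venv
run_as_svc venv/bin/pip install -r tools/tokenserver/requirements.txt

# add_node.py reads the tokenserver URL from SYNC_TOKENSERVER__DATABASE_URL.
export SYNC_TOKENSERVER__DATABASE_URL="${db_url_base}/${token_db}"
run_as_svc venv/bin/python3 tools/tokenserver/add_node.py "$public_url" "$node_capacity"
unset SYNC_TOKENSERVER__DATABASE_URL

run_as_svc "${cargo_bin}/cargo" clean
run_as_svc "${cargo_bin}/cargo" build

# ---- Service wrapper and systemd unit --------------------------------------
# syncserver reads its settings from config/local.toml, which this script does
# not generate (it holds deployment-specific database URLs and secrets).
if [[ ! -f "${src_dir}/config/local.toml" ]]; then
  printf 'warning: %s/config/local.toml is missing; ffsync will not start until it exists\n' "$src_dir" >&2
fi

# The venv activation already puts venv/bin first on PATH, so the original's
# extra PATH= and the never-set PYTHONPATH are dropped. exec lets systemd
# supervise syncserver itself rather than the wrapper shell. RUST_LOG=debug is
# kept from the original; it is very chatty and may log request details, so
# lower it once the deployment works.
cat >"${src_dir}/start.sh" <<EOF
#!/bin/bash
source ${src_dir}/venv/bin/activate
RUST_LOG=debug RUST_BACKTRACE=full exec ${src_dir}/target/debug/syncserver --config ${src_dir}/config/local.toml
EOF
chmod +x "${src_dir}/start.sh"

cat >/etc/systemd/system/ffsync.service <<EOF
[Unit]
Description=Firefox Sync Server
After=network.target

[Service]
Type=simple
User=${svc_user}
WorkingDirectory=${src_dir}/
ExecStart=/bin/bash ${src_dir}/start.sh
Restart=on-failure
# Minimal sandboxing: no privilege escalation, private /tmp.
NoNewPrivileges=true
PrivateTmp=true

[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload
systemctl enable --now ffsync
# status exits non-zero when the unit is not active; show it either way, then
# the recent log. The original used journalctl -f, which never returns, so its
# closing message below was unreachable.
systemctl status --no-pager ffsync || true
journalctl -b --no-pager -n 50 -u ffsync

# echo without -e printed the original's "\n" literally; printf interprets them.
printf '\n\n\nNow, read the instructions at the end of this installer to set everything else up\n'
exit 0

# ---------------------------------------------------------------------------
# Nginx edge proxy (on the public-facing host). Kept as a comment block rather
# than a bare string so it can never be executed by accident. 172.0.2.121 is
# presumably this server's address. Note that nginx does not verify the
# upstream's certificate by default (proxy_ssl_verify is off), so the
# self-signed backend certificate is accepted as-is.
#
# server
# {
#     listen 80;
#     listen [::]:80;
#     server_name ffsync.example.com;
#     add_header Strict-Transport-Security "max-age=0;";
#     return 301 https://$server_name$request_uri;
# }
#
# server
# {
#     listen 443 ssl http2;
#     listen [::]:443 ssl http2;
#     server_name ffsync.example.com;
#
#     client_max_body_size 100M;
#
#     location /
#     {
#         proxy_pass https://172.0.2.121$request_uri;
#         proxy_set_header X-Forwarded-Proto $scheme;
#         proxy_set_header X-Real-IP $remote_addr;
#         proxy_set_header X-Forwarded-Host $host:$server_port;
#         proxy_set_header X-Forwarded-Server $host;
#         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#     }
#
#     ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
#     ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
#     include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
#     ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
#     include /etc/nginx/includes/vhost-log.conf;
# }
#
# Firefox settings:
#   identity.sync.tokenserver.uri: https://ffsync.example.com/1.0/sync/1.5
#
# For Android, make sure you are not signed in when changing the sync server
# URL; the server URL there is just https://ffsync.example.com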