#!/bin/bash



IMPORTANT: make sure to edit the mysql connection info. The lines you need to edit look like this:

mysql://firefox_sync:ecaith8ezieMe7oowies0shee0oj9zii@172.0.2.106/firefox_tokenserver

exit 1


if [ "$EUID" -ne 0 ]; then
  echo "Please run as root"
  exit
fi

sudo apt install cmake gcc golang libcurl4-openssl-dev libssl-dev make pkg-config libmariadb-dev-compat mariadb-client python3.10-venv python3-dev

git clone https://github.com/mozilla-services/syncstorage-rs.git /srv/syncstorage

cd /srv/syncstorage

adduser ffsync --system
chown -R ffsync:nogroup /srv/syncstorage

sudo -H -u ffsync bash -c "curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh"

apt install -y nginx

echo '''server {
    listen 443 ssl http2 default_server;
    server_name _;
    ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
    ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
    location / {
      proxy_pass http://127.0.0.1:8000$request_uri;
    }
    include /etc/nginx/snippets/ssl-params.conf;
}''' >/etc/nginx/sites-enabled/default

openssl req -x509 -nodes -days 99999 -newkey rsa:4096 \
  -subj "/C=PE/ST=Lima/L=Lima/O=Acme Inc. /OU=IT Department/CN=acme.com" \
  -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt
openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

echo """ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers \"EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH\";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security \"max-age=63072000; includeSubdomains\";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
ssl_dhparam /etc/ssl/certs/dhparam.pem;""" >/etc/nginx/snippets/ssl-params.conf

systemctl enable --now nginx
systemctl restart nginx
systemctl status --no-pager nginx


sudo -u ffsync bash -c "/home/ffsync/.cargo/bin/cargo install diesel_cli --no-default-features --features mysql"
sudo -H -u ffsync bash -c "/home/ffsync/.cargo/bin/diesel --database-url 'mysql://firefox_sync:ecaith8ezieMe7oowies0shee0oj9zii@172.0.2.106/firefox_syncstorage' migration --migration-dir syncstorage-mysql/migrations run"
sudo -H -u ffsync bash -c "/home/ffsync/.cargo/bin/diesel --database-url 'mysql://firefox_sync:ecaith8ezieMe7oowies0shee0oj9zii@172.0.2.106/firefox_tokenserver' migration --migration-dir tokenserver-db/migrations run"

mysql -u firefox_sync -p"ecaith8ezieMe7oowies0shee0oj9zii" -h 172.0.2.106 -P 3306 <<EOF
USE firefox_tokenserver
INSERT INTO services (id, service, pattern) VALUES
    (1, "sync-1.5", "{node}/1.5/{uid}");
EOF

sudo -H -u ffsync bash -c "venv/bin/pip install -r tools/tokenserver/requirements.txt"
sudo -H -u ffsync bash -c "SYNC_TOKENSERVER__DATABASE_URL='mysql://firefox_sync:ecaith8ezieMe7oowies0shee0oj9zii@172.0.2.106/firefox_tokenserver' venv/bin/python3 tools/tokenserver/add_node.py https://ffsync.example.com 1000"

sudo -H -u ffsync bash -c "/home/ffsync/.cargo/bin/cargo clean; /home/ffsync/.cargo/bin/cargo build"

echo '''#!/bin/bash
source venv/bin/activate; PATH="/srv/syncstorage/venv/bin:$PATH" PYTHONPATH=$PYTHON_SITE_PACKGES RUST_LOG=debug RUST_BACKTRACE=full /srv/syncstorage/target/debug/syncserver --config /srv/syncstorage/config/local.toml''' >/srv/syncstorage/start.sh
chmod +x /srv/syncstorage/start.sh

echo """[Unit]
Description=Firefox Sync Server
After=network.target

[Service]
Type=simple
User=ffsync
WorkingDirectory=/srv/syncstorage/
ExecStart=/bin/bash /srv/syncstorage/start.sh
Restart=on-failure

[Install]
WantedBy=multi-user.target
""" >/etc/systemd/system/ffsync.service

systemctl daemon-reload
systemctl enable --now ffsync
systemctl status --no-pager ffsync
journalctl -b -f -u ffsync

echo "\n\n\nNow, read the instructions at the end of this installer to set everything else up"
exit 0

# Nginx edge proxy
"""
server
{
  listen 80;
  listen [::]:80;
  server_name ffsync.example.com;
  add_header Strict-Transport-Security "max-age=0;";
  return 301 https://$server_name$request_uri;
}


server
{
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  server_name ffsync.example.com;

  client_max_body_size 100M;

  location /
  {
    proxy_pass https://172.0.2.121$request_uri;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Real-IP          $remote_addr;
    proxy_set_header X-Forwarded-Host $host:$server_port;
    proxy_set_header X-Forwarded-Server $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  }

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    include /etc/nginx/includes/vhost-log.conf;
}
"""

# Firefox Settings:
# identity.sync.tokenserver.uri: https://ffsync.example.com/1.0/sync/1.5

# for android, make sure you arent logged in when changing the sync server url. change the url when you are not signed in
# the server is just https://ffsync.example.com