cyberes revised this gist . Go to revision
1 file changed, 150 insertions
install-ff-syncserver.sh(file created)
| @@ -0,0 +1,150 @@ | |||
| 1 | + | #!/bin/bash | |
| 2 | + | ||
| 3 | + | ||
| 4 | + | ||
| 5 | + | IMPORTANT: make sure to edit the mysql connection info. The lines you need to edit look like this: | |
| 6 | + | ||
| 7 | + | mysql://firefox_sync:ecaith8ezieMe7oowies0shee0oj9zii@172.0.2.106/firefox_tokenserver | |
| 8 | + | ||
| 9 | + | exit 1 | |
| 10 | + | ||
| 11 | + | ||
| 12 | + | if [ "$EUID" -ne 0 ]; then | |
| 13 | + | echo "Please run as root" | |
| 14 | + | exit | |
| 15 | + | fi | |
| 16 | + | ||
| 17 | + | sudo apt install cmake gcc golang libcurl4-openssl-dev libssl-dev make pkg-config libmariadb-dev-compat mariadb-client python3.10-venv python3-dev | |
| 18 | + | ||
| 19 | + | git clone https://github.com/mozilla-services/syncstorage-rs.git /srv/syncstorage | |
| 20 | + | ||
| 21 | + | cd /srv/syncstorage | |
| 22 | + | ||
| 23 | + | adduser ffsync --system | |
| 24 | + | chown -R ffsync:nogroup /srv/syncstorage | |
| 25 | + | ||
| 26 | + | sudo -H -u ffsync bash -c "curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh" | |
| 27 | + | ||
| 28 | + | apt install -y nginx | |
| 29 | + | ||
| 30 | + | echo '''server { | |
| 31 | + | listen 443 ssl http2 default_server; | |
| 32 | + | server_name _; | |
| 33 | + | ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt; | |
| 34 | + | ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key; | |
| 35 | + | location / { | |
| 36 | + | proxy_pass http://127.0.0.1:8000$request_uri; | |
| 37 | + | } | |
| 38 | + | include /etc/nginx/snippets/ssl-params.conf; | |
| 39 | + | }''' >/etc/nginx/sites-enabled/default | |
| 40 | + | ||
| 41 | + | openssl req -x509 -nodes -days 99999 -newkey rsa:4096 \ | |
| 42 | + | -subj "/C=PE/ST=Lima/L=Lima/O=Acme Inc. /OU=IT Department/CN=acme.com" \ | |
| 43 | + | -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt | |
| 44 | + | openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048 | |
| 45 | + | ||
| 46 | + | echo """ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | |
| 47 | + | ssl_prefer_server_ciphers on; | |
| 48 | + | ssl_ciphers \"EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH\"; | |
| 49 | + | ssl_ecdh_curve secp384r1; | |
| 50 | + | ssl_session_cache shared:SSL:10m; | |
| 51 | + | ssl_session_tickets off; | |
| 52 | + | ssl_stapling on; | |
| 53 | + | ssl_stapling_verify on; | |
| 54 | + | resolver 8.8.8.8 8.8.4.4 valid=300s; | |
| 55 | + | resolver_timeout 5s; | |
| 56 | + | add_header Strict-Transport-Security \"max-age=63072000; includeSubdomains\"; | |
| 57 | + | add_header X-Frame-Options DENY; | |
| 58 | + | add_header X-Content-Type-Options nosniff; | |
| 59 | + | ssl_dhparam /etc/ssl/certs/dhparam.pem;""" >/etc/nginx/snippets/ssl-params.conf | |
| 60 | + | ||
| 61 | + | systemctl enable --now nginx | |
| 62 | + | systemctl restart nginx | |
| 63 | + | systemctl status --no-pager nginx | |
| 64 | + | ||
| 65 | + | ||
| 66 | + | sudo -u ffsync bash -c "/home/ffsync/.cargo/bin/cargo install diesel_cli --no-default-features --features mysql" | |
| 67 | + | sudo -H -u ffsync bash -c "/home/ffsync/.cargo/bin/diesel --database-url 'mysql://firefox_sync:ecaith8ezieMe7oowies0shee0oj9zii@172.0.2.106/firefox_syncstorage' migration --migration-dir syncstorage-mysql/migrations run" | |
| 68 | + | sudo -H -u ffsync bash -c "/home/ffsync/.cargo/bin/diesel --database-url 'mysql://firefox_sync:ecaith8ezieMe7oowies0shee0oj9zii@172.0.2.106/firefox_tokenserver' migration --migration-dir tokenserver-db/migrations run" | |
| 69 | + | ||
| 70 | + | mysql -u firefox_sync -p"ecaith8ezieMe7oowies0shee0oj9zii" -h 172.0.2.106 -P 3306 <<EOF | |
| 71 | + | USE firefox_tokenserver | |
| 72 | + | INSERT INTO services (id, service, pattern) VALUES | |
| 73 | + | (1, "sync-1.5", "{node}/1.5/{uid}"); | |
| 74 | + | EOF | |
| 75 | + | ||
| 76 | + | sudo -H -u ffsync bash -c "venv/bin/pip install -r tools/tokenserver/requirements.txt" | |
| 77 | + | sudo -H -u ffsync bash -c "SYNC_TOKENSERVER__DATABASE_URL='mysql://firefox_sync:ecaith8ezieMe7oowies0shee0oj9zii@172.0.2.106/firefox_tokenserver' venv/bin/python3 tools/tokenserver/add_node.py https://ffsync.example.com 1000" | |
| 78 | + | ||
| 79 | + | sudo -H -u ffsync bash -c "/home/ffsync/.cargo/bin/cargo clean; /home/ffsync/.cargo/bin/cargo build" | |
| 80 | + | ||
| 81 | + | echo '''#!/bin/bash | |
| 82 | + | source venv/bin/activate; PATH="/srv/syncstorage/venv/bin:$PATH" PYTHONPATH=$PYTHON_SITE_PACKGES RUST_LOG=debug RUST_BACKTRACE=full /srv/syncstorage/target/debug/syncserver --config /srv/syncstorage/config/local.toml''' >/srv/syncstorage/start.sh | |
| 83 | + | chmod +x /srv/syncstorage/start.sh | |
| 84 | + | ||
| 85 | + | echo """[Unit] | |
| 86 | + | Description=Firefox Sync Server | |
| 87 | + | After=network.target | |
| 88 | + | ||
| 89 | + | [Service] | |
| 90 | + | Type=simple | |
| 91 | + | User=ffsync | |
| 92 | + | WorkingDirectory=/srv/syncstorage/ | |
| 93 | + | ExecStart=/bin/bash /srv/syncstorage/start.sh | |
| 94 | + | Restart=on-failure | |
| 95 | + | ||
| 96 | + | [Install] | |
| 97 | + | WantedBy=multi-user.target | |
| 98 | + | """ >/etc/systemd/system/ffsync.service | |
| 99 | + | ||
| 100 | + | systemctl daemon-reload | |
| 101 | + | systemctl enable --now ffsync | |
| 102 | + | systemctl status --no-pager ffsync | |
| 103 | + | journalctl -b -f -u ffsync | |
| 104 | + | ||
| 105 | + | echo "\n\n\nNow, read the instructions at the end of this installer to set everything else up" | |
| 106 | + | exit 0 | |
| 107 | + | ||
| 108 | + | # Nginx edge proxy | |
| 109 | + | """ | |
| 110 | + | server | |
| 111 | + | { | |
| 112 | + | listen 80; | |
| 113 | + | listen [::]:80; | |
| 114 | + | server_name ffsync.example.com; | |
| 115 | + | add_header Strict-Transport-Security "max-age=0;"; | |
| 116 | + | return 301 https://$server_name$request_uri; | |
| 117 | + | } | |
| 118 | + | ||
| 119 | + | ||
| 120 | + | server | |
| 121 | + | { | |
| 122 | + | listen 443 ssl http2; | |
| 123 | + | listen [::]:443 ssl http2; | |
| 124 | + | server_name ffsync.example.com; | |
| 125 | + | ||
| 126 | + | client_max_body_size 100M; | |
| 127 | + | ||
| 128 | + | location / | |
| 129 | + | { | |
| 130 | + | proxy_pass https://172.0.2.121$request_uri; | |
| 131 | + | proxy_set_header X-Forwarded-Proto $scheme; | |
| 132 | + | proxy_set_header X-Real-IP $remote_addr; | |
| 133 | + | proxy_set_header X-Forwarded-Host $host:$server_port; | |
| 134 | + | proxy_set_header X-Forwarded-Server $host; | |
| 135 | + | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |
| 136 | + | } | |
| 137 | + | ||
| 138 | + | ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot | |
| 139 | + | ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot | |
| 140 | + | include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot | |
| 141 | + | ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot | |
| 142 | + | include /etc/nginx/includes/vhost-log.conf; | |
| 143 | + | } | |
| 144 | + | """ | |
| 145 | + | ||
| 146 | + | # Firefox Settings: | |
| 147 | + | # identity.sync.tokenserver.uri: https://ffsync.example.com/1.0/sync/1.5 | |
| 148 | + | ||
| 149 | + | # for android, make sure you arent logged in when changing the sync server url. change the url when you are not signed in | |
| 150 | + | # the server is just https://ffsync.example.com | |
Newer
Older