certbot-haproxy/provisioning_server.sh

#!/bin/bash -x
set -ev
echo "$PROJECT_TZ" > /etc/timezone
dpkg-reconfigure -f noninteractive tzdata
export DEBIAN_FRONTEND="noninteractive"

# Install go 1.5
if [ ! -f go1.5.linux-amd64.tar.gz ]; then
    wget -q https://storage.googleapis.com/golang/go1.5.linux-amd64.tar.gz
fi
tar -C /usr/local -xzf go1.5.linux-amd64.tar.gz

# Set GOROOT and GOPATH so that GO knows where it is and where it can install
# deps
if ! grep -Fxq "export GOROOT=/usr/local/go" ~/.variables; then
    echo "export GOROOT=/usr/local/go" >> ~/.variables
fi
if ! grep -Fxq "export GOPATH=/gopath" ~/.variables; then
    echo "export GOPATH=/gopath" >> ~/.variables
fi
if ! grep -Fxq "export GO15VENDOREXPERIMENT=1" ~/.variables; then
    echo "export GO15VENDOREXPERIMENT=1" >> ~/.variables
fi
# Add go to PATH variable
if ! grep -Fxq "export PATH=\$PATH:\$GOPATH/bin:\$GOROOT/bin" ~/.variables; then
    echo "export PATH=\$PATH:\$GOPATH/bin:\$GOROOT/bin" >> ~/.variables
fi

if ! grep -Fxq "source ~/.variables" ~/.bashrc; then
    echo "source ~/.variables" >> ~/.bashrc
fi
if ! grep -Fxq "127.0.0.1 boulder boulder-rabbitmq boulder-mysql" /etc/hosts; then
  echo '127.0.0.1 boulder boulder-rabbitmq boulder-mysql' >> /etc/hosts
fi

cat <<EOF >> /root/.bashrc
alias ll='ls -lah'
alias la='ls -A'
alias l='ls -CF'
EOF

source ~/.variables

# Add repo for MariaDb
sudo apt-get install -y software-properties-common
sudo apt-key adv --recv-keys --keyserver keyserver.ubuntu.com 0xcbcb082a1bb943db
sudo add-apt-repository 'deb [arch=amd64,i386] http://mirror.i3d.net/pub/mariadb/repo/10.1/debian jessie main'

apt-get update
apt-get upgrade -y

apt-get install -y \
    sudo htop net-tools tcpdump ufw git curl g++ \
    openssl ca-certificates \
    python2.7 python-setuptools python-virtualenv \
    rabbitmq-server make libltdl-dev mariadb-server nginx-light \
    softhsm libsofthsm-dev vim

echo boulder.local > /etc/hostname
hostname -F /etc/hostname

ufw allow ssh
ufw allow http
ufw allow 4000
ufw allow 8000
ufw allow 8001
ufw allow 8002
ufw allow 8003
ufw allow 8004
ufw allow 8005
ufw default deny incoming
ufw --force enable

# Create new go directory for GOPATH
# Paths needed for installing go dependencies
mkdir -p /gopath/bin
mkdir -p /gopath/src

virtualenv /boulder_venv -p /usr/bin/python2
source /boulder_venv/bin/activate

# Install godep
go get github.com/tools/godep

# Goose is needed by the setup script (hope this will be fixed soon)
go get bitbucket.org/liamstask/goose/cmd/goose

# Install boulder into the gopath
go get -d github.com/letsencrypt/boulder/...

# Enter the boulder directory
cd $GOPATH/src/github.com/letsencrypt/boulder

# Install alle dependencies
godep restore

# Remaining setup
./test/setup.sh

# Apply softhsm configuration
./test/make-softhsm.sh

# Add softhsm configuration to .variables
if ! grep -Fxq "export SOFTHSM_CONF=$PWD/test/softhsm.conf" ~/.variables; then
    echo "export SOFTHSM_CONF=$PWD/test/softhsm.conf" >> ~/.variables
fi

# Change pkcs to softhsm and IP to 192.168.33.111 and set high thresholds for rate limiting
if grep -Fq "/usr/local/lib/libpkcs11-proxy.so" test/test-ca.key-pkcs11.json; then
    pip install simplejson pyyaml
    /boulder/hsmpatch.py
fi

cat <<EOF > /etc/nginx/sites-available/wfe
server {
    listen 80;
    location / {
        proxy_pass http://localhost:4000;
        proxy_redirect http://localhost:4000/ \$scheme://\$host:80/;
    }
}
EOF

ln -fs /etc/nginx/sites-available/wfe /etc/nginx/sites-enabled/wfe
rm -rfv /etc/nginx/sites-enabled/default
systemctl restart nginx

cat <<EOF > /lib/systemd/system/boulder.service
[Unit]
Description=Boulder Server
After=network.target
Wants=mariadb.service,rabbitmq.service
[Service]
Type=simple
KillMode=mixed
RemainAfterExit=no
Restart=always
Environment="GOROOT=/usr/local/go"
Environment="GOPATH=/gopath"
Environment="PATH=/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/gopath/bin:/usr/local/go/bin"
Environment="GO15VENDOREXPERIMENT=1"
Environment="SOFTHSM_CONF=/gopath/src/github.com/letsencrypt/boulder/test/softhsm.conf"
Environment="FAKE_DNS=192.168.33.222"
WorkingDirectory=/gopath/src/github.com/letsencrypt/boulder/
ExecStart=/boulder_venv/bin/python ./start.py
[Install]
WantedBy=multi-user.target
EOF

systemctl enable boulder.service
systemctl start boulder.service


echo "Provisioning completed."
Probably some stuff still missing, definately b0rken. 2016-08-01 17:16:53 +02:00			`#!/bin/bash -x`
initial commit? 2016-08-01 18:01:29 +02:00			`set -ev`
Probably some stuff still missing, definately b0rken. 2016-08-01 17:16:53 +02:00			`echo "$PROJECT_TZ" > /etc/timezone`
			`dpkg-reconfigure -f noninteractive tzdata`
			`export DEBIAN_FRONTEND="noninteractive"`
initial commit? 2016-08-01 18:01:29 +02:00
			`# Install go 1.5`
improve boulder provisioning, more dependencies, own version number 2016-09-16 18:03:02 +02:00			`if [ ! -f go1.5.linux-amd64.tar.gz ]; then`
			`wget -q https://storage.googleapis.com/golang/go1.5.linux-amd64.tar.gz`
			`fi`
initial commit? 2016-08-01 18:01:29 +02:00			`tar -C /usr/local -xzf go1.5.linux-amd64.tar.gz`

working a bit more 2016-08-02 16:11:40 +02:00			`# Set GOROOT and GOPATH so that GO knows where it is and where it can install`
			`# deps`
			`if ! grep -Fxq "export GOROOT=/usr/local/go" ~/.variables; then`
			`echo "export GOROOT=/usr/local/go" >> ~/.variables`
initial commit? 2016-08-01 18:01:29 +02:00			`fi`
working a bit more 2016-08-02 16:11:40 +02:00			`if ! grep -Fxq "export GOPATH=/gopath" ~/.variables; then`
			`echo "export GOPATH=/gopath" >> ~/.variables`
initial commit? 2016-08-01 18:01:29 +02:00			`fi`
add softhsm configuration to provisioning 2016-08-03 11:39:35 +02:00			`if ! grep -Fxq "export GO15VENDOREXPERIMENT=1" ~/.variables; then`
			`echo "export GO15VENDOREXPERIMENT=1" >> ~/.variables`
working a bit more 2016-08-02 16:11:40 +02:00			`fi`
			`# Add go to PATH variable`
less exports in .variables 2016-08-03 17:35:42 +02:00			`if ! grep -Fxq "export PATH=\$PATH:\$GOPATH/bin:\$GOROOT/bin" ~/.variables; then`
			`echo "export PATH=\$PATH:\$GOPATH/bin:\$GOROOT/bin" >> ~/.variables`
initial commit? 2016-08-01 18:01:29 +02:00			`fi`
add softhsm configuration to provisioning 2016-08-03 11:39:35 +02:00
working a bit more 2016-08-02 16:11:40 +02:00			`if ! grep -Fxq "source ~/.variables" ~/.bashrc; then`
			`echo "source ~/.variables" >> ~/.bashrc`
initial commit? 2016-08-01 18:01:29 +02:00			`fi`
			`if ! grep -Fxq "127.0.0.1 boulder boulder-rabbitmq boulder-mysql" /etc/hosts; then`
			`echo '127.0.0.1 boulder boulder-rabbitmq boulder-mysql' >> /etc/hosts`
			`fi`
Apache hosting node and haproxy forwarding configuration completed, /.well-known gets forwarded to another port. 2016-08-11 17:02:16 +02:00
			`cat <<EOF >> /root/.bashrc`
			`alias ll='ls -lah'`
			`alias la='ls -A'`
			`alias l='ls -CF'`
			`EOF`
initial commit? 2016-08-01 18:01:29 +02:00
working a bit more 2016-08-02 16:11:40 +02:00			`source ~/.variables`
initial commit? 2016-08-01 18:01:29 +02:00
Fully functioning Debian based boulder server =] 2016-08-04 11:07:36 +02:00			`# Add repo for MariaDb`
			`sudo apt-get install -y software-properties-common`
			`sudo apt-key adv --recv-keys --keyserver keyserver.ubuntu.com 0xcbcb082a1bb943db`
			`sudo add-apt-repository 'deb [arch=amd64,i386] http://mirror.i3d.net/pub/mariadb/repo/10.1/debian jessie main'`
initial commit? 2016-08-01 18:01:29 +02:00
Probably some stuff still missing, definately b0rken. 2016-08-01 17:16:53 +02:00			`apt-get update`
			`apt-get upgrade -y`
working a bit more 2016-08-02 16:11:40 +02:00
Probably some stuff still missing, definately b0rken. 2016-08-01 17:16:53 +02:00			`apt-get install -y \`
working a bit more 2016-08-02 16:11:40 +02:00			`sudo htop net-tools tcpdump ufw git curl g++ \`
initial commit? 2016-08-01 18:01:29 +02:00			`openssl ca-certificates \`
Probably some stuff still missing, definately b0rken. 2016-08-01 17:16:53 +02:00			`python2.7 python-setuptools python-virtualenv \`
add softhsm configuration to provisioning 2016-08-03 11:39:35 +02:00			`rabbitmq-server make libltdl-dev mariadb-server nginx-light \`
change boulder IP address, change example.org to greenhost.nl so boulder wont complain 2016-08-10 11:44:19 +02:00			`softhsm libsofthsm-dev vim`
Probably some stuff still missing, definately b0rken. 2016-08-01 17:16:53 +02:00
			`echo boulder.local > /etc/hostname`
			`hostname -F /etc/hostname`

			`ufw allow ssh`
Fix firewall of boulder server, some temporary changes for authenticator work. 2016-08-09 11:37:36 +02:00			`ufw allow http`
Probably some stuff still missing, definately b0rken. 2016-08-01 17:16:53 +02:00			`ufw allow 4000`
			`ufw allow 8000`
			`ufw allow 8001`
			`ufw allow 8002`
			`ufw allow 8003`
			`ufw allow 8004`
			`ufw allow 8005`
			`ufw default deny incoming`
			`ufw --force enable`

initial commit? 2016-08-01 18:01:29 +02:00			`# Create new go directory for GOPATH`
			`# Paths needed for installing go dependencies`
			`mkdir -p /gopath/bin`
			`mkdir -p /gopath/src`
Probably some stuff still missing, definately b0rken. 2016-08-01 17:16:53 +02:00
initial commit? 2016-08-01 18:01:29 +02:00			`virtualenv /boulder_venv -p /usr/bin/python2`
			`source /boulder_venv/bin/activate`
Probably some stuff still missing, definately b0rken. 2016-08-01 17:16:53 +02:00
working a bit more 2016-08-02 16:11:40 +02:00			`# Install godep`
			`go get github.com/tools/godep`
Probably some stuff still missing, definately b0rken. 2016-08-01 17:16:53 +02:00
working provisioning script for server 2016-08-03 14:44:42 +02:00			`# Goose is needed by the setup script (hope this will be fixed soon)`
			`go get bitbucket.org/liamstask/goose/cmd/goose`

working a bit more 2016-08-02 16:11:40 +02:00			`# Install boulder into the gopath`
			`go get -d github.com/letsencrypt/boulder/...`
initial commit? 2016-08-01 18:01:29 +02:00
working a bit more 2016-08-02 16:11:40 +02:00			`# Enter the boulder directory`
Fix provisioning boulder after changes by the LE team. 2017-02-24 12:32:31 +01:00			`cd $GOPATH/src/github.com/letsencrypt/boulder`
initial commit? 2016-08-01 18:01:29 +02:00
working a bit more 2016-08-02 16:11:40 +02:00			`# Install alle dependencies`
			`godep restore`
initial commit? 2016-08-01 18:01:29 +02:00
working a bit more 2016-08-02 16:11:40 +02:00			`# Remaining setup`
initial commit? 2016-08-01 18:01:29 +02:00			`./test/setup.sh`

add softhsm configuration to provisioning 2016-08-03 11:39:35 +02:00			`# Apply softhsm configuration`
			`./test/make-softhsm.sh`

			`# Add softhsm configuration to .variables`
provisioning_server bugfix 2016-08-03 17:06:37 +02:00			`if ! grep -Fxq "export SOFTHSM_CONF=$PWD/test/softhsm.conf" ~/.variables; then`
			`echo "export SOFTHSM_CONF=$PWD/test/softhsm.conf" >> ~/.variables`
add softhsm configuration to provisioning 2016-08-03 11:39:35 +02:00			`fi`

add 192.168.33.222 to the fake dns of boulder, typo fix in client provisioning 2016-08-12 10:30:57 +02:00			`# Change pkcs to softhsm and IP to 192.168.33.111 and set high thresholds for rate limiting`
working provisioning script for server 2016-08-03 14:44:42 +02:00			`if grep -Fq "/usr/local/lib/libpkcs11-proxy.so" test/test-ca.key-pkcs11.json; then`
Fix provisioning boulder after changes by the LE team. 2017-02-24 12:32:31 +01:00			`pip install simplejson pyyaml`
			`/boulder/hsmpatch.py`
add softhsm configuration to provisioning 2016-08-03 11:39:35 +02:00			`fi`
Probably some stuff still missing, definately b0rken. 2016-08-01 17:16:53 +02:00
Fix proxy (port 4000->80) 2016-08-05 16:06:59 +02:00			`cat <<EOF > /etc/nginx/sites-available/wfe`
			`server {`
			`listen 80;`
			`location / {`
			`proxy_pass http://localhost:4000;`
change boulder IP address, change example.org to greenhost.nl so boulder wont complain 2016-08-10 11:44:19 +02:00			`proxy_redirect http://localhost:4000/ \$scheme://\$host:80/;`
Fix proxy (port 4000->80) 2016-08-05 16:06:59 +02:00			`}`
			`}`
			`EOF`

improve boulder provisioning, more dependencies, own version number 2016-09-16 18:03:02 +02:00			`ln -fs /etc/nginx/sites-available/wfe /etc/nginx/sites-enabled/wfe`
Fix proxy (port 4000->80) 2016-08-05 16:06:59 +02:00			`rm -rfv /etc/nginx/sites-enabled/default`
			`systemctl restart nginx`

			`cat <<EOF > /lib/systemd/system/boulder.service`
Fully functioning Debian based boulder server =] 2016-08-04 11:07:36 +02:00			`[Unit]`
			`Description=Boulder Server`
			`After=network.target`
			`Wants=mariadb.service,rabbitmq.service`
			`[Service]`
			`Type=simple`
Fix proxy (port 4000->80) 2016-08-05 16:06:59 +02:00			`KillMode=mixed`
Fully functioning Debian based boulder server =] 2016-08-04 11:07:36 +02:00			`RemainAfterExit=no`
			`Restart=always`
			`Environment="GOROOT=/usr/local/go"`
			`Environment="GOPATH=/gopath"`
			`Environment="PATH=/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/gopath/bin:/usr/local/go/bin"`
			`Environment="GO15VENDOREXPERIMENT=1"`
			`Environment="SOFTHSM_CONF=/gopath/src/github.com/letsencrypt/boulder/test/softhsm.conf"`
add 192.168.33.222 to the fake dns of boulder, typo fix in client provisioning 2016-08-12 10:30:57 +02:00			`Environment="FAKE_DNS=192.168.33.222"`
Fully functioning Debian based boulder server =] 2016-08-04 11:07:36 +02:00			`WorkingDirectory=/gopath/src/github.com/letsencrypt/boulder/`
			`ExecStart=/boulder_venv/bin/python ./start.py`
			`[Install]`
			`WantedBy=multi-user.target`
			`EOF`

			`systemctl enable boulder.service`
			`systemctl start boulder.service`


Probably some stuff still missing, definately b0rken. 2016-08-01 17:16:53 +02:00			`echo "Provisioning completed."`