-
Notifications
You must be signed in to change notification settings - Fork 33
/
Copy pathinstall
executable file
·311 lines (257 loc) · 9.11 KB
/
install
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
#!/usr/bin/env bash
set -e
export LOG_FILE=/tmp/install.log
if [[ -z "${NODE_ENV}" ]]; then
# Set NODE_ENV on this terminal session and system-wide
export NODE_ENV=production
echo 'export NODE_ENV=production' >> /etc/environment
fi
CERT_DIR=/etc/ssl/certs
KEY_DIR=/etc/ssl/private
CONFIG_DIR=/etc/lamassu
MIGRATE_STATE_PATH=$CONFIG_DIR/.migrate
LAMASSU_CA_PATH=$CERT_DIR/Lamassu_CA.pem
CA_KEY_PATH=$KEY_DIR/Lamassu_OP_Root_CA.key
CA_PATH=$CERT_DIR/Lamassu_OP_Root_CA.pem
SERVER_KEY_PATH=$KEY_DIR/Lamassu_OP.key
SERVER_CERT_PATH=$CERT_DIR/Lamassu_OP.pem
MNEMONIC_DIR=$CONFIG_DIR/mnemonics
MNEMONIC_FILE=$MNEMONIC_DIR/mnemonic.txt
BACKUP_DIR=/var/backups/postgresql
BLOCKCHAIN_DIR=/mnt/blockchains
OFAC_DATA_DIR=/var/lamassu/ofac
ID_PHOTO_CARD_DIR=/opt/lamassu-server/idphotocard
FRONTCAMERA_DIR=/opt/lamassu-server/frontcamera
OPERATOR_DIR=/opt/lamassu-server/operatordata
# Look into http://unix.stackexchange.com/questions/140734/configure-localtime-dpkg-reconfigure-tzdata
decho () {
echo `date +"%H:%M:%S"` $1
echo `date +"%H:%M:%S"` $1 >> $LOG_FILE
}
retry() {
local -r -i max_attempts="$1"; shift
local -r cmd="$@"
local -i attempt_num=1
until $cmd
do
if (( attempt_num == max_attempts ))
then
echo
echo "****************************************************************"
echo "Attempt $attempt_num failed and there are no more attempts left! ($cmd)"
return 1
else
echo
echo "****************************************************************"
echo "Attempt $attempt_num failed! Trying again in $attempt_num seconds..."
sleep $(( attempt_num++ ))
fi
done
}
rm -f $LOG_FILE
cat <<'FIG'
_
| | __ _ _ __ ___ __ _ ___ ___ _ _ ___ ___ _ ____ _____ _ __
| |/ _` | '_ ` _ \ / _` / __/ __| | | |_____/ __|/ _ \ '__\ \ / / _ \ '__|
| | (_| | | | | | | (_| \__ \__ \ |_| |_____\__ \ __/ | \ V / __/ |
|_|\__,_|_| |_| |_|\__,_|___/___/\__,_| |___/\___|_| \_/ \___|_|
FIG
echo
while :
do
read -p "Before starting, please insert your email for further registration: " email
if [ -z "$email" ]
then
echo -e 'Email cannot be blank, please try again.'
elif ! [[ "$email" =~ ^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4}$ ]]
then
echo -e "Invalid email format, please try again."
else
break
fi
done
echo -e "\nStarting \033[1mlamassu-server\033[0m install. This will take a few minutes...\n"
if [ "$(whoami)" != "root" ]; then
echo -e "This script has to be run as \033[1mroot\033[0m user."
echo
exit 3
fi
release=$(lsb_release -rs)
if [ "$release" != "20.04" ]; then
echo "You're attempting to install on an unsupported Linux distribution or release ("$release")."
echo
uname -a
echo
echo "Please return to DigitalOcean and create a droplet running Ubuntu 20.04 (LTS) x64 instead."
echo
exit 1
fi
if [ -d "/usr/local/lib/node_modules/lamassu-server/" ] || [ -d "/usr/lib/node_modules/lamassu-server/" ]
then
echo "This server appears to have an instance of lamassu-server already installed. Installing again is not supported."
echo
echo "If you're trying to update, use our upgrade script instead."
echo
echo "If you're trying to correct an issue, please consult our knowledgebase or contact our support team."
echo
exit 1
fi
# So we don't run out of memory
decho "Enabling swap file for install only..."
fallocate -l 1G /swapfile >> $LOG_FILE 2>&1
chmod 600 /swapfile >> $LOG_FILE 2>&1
mkswap /swapfile >> $LOG_FILE 2>&1
swapon /swapfile >> $LOG_FILE 2>&1
decho "Updating system..."
sleep 10
curl -sL https://deb.nodesource.com/setup_14.x | sudo -E bash - >> $LOG_FILE 2>&1
apt update >> $LOG_FILE 2>&1
decho "Installing necessary packages..."
apt install nodejs python2-minimal build-essential supervisor postgresql libpq-dev net-tools -y -q >> $LOG_FILE 2>&1
IP=$(ifconfig eth0 | grep "inet" | grep -v "inet6" | awk '{print $2}')
NODE_MODULES=$(npm -g root)
NPM_BIN=$(npm -g bin)
decho "Installing lamassu-server (v10.0.7)..."
sourceHash=$'9d3a2f0fc3f72b12b89a6905aa3d56ec6d1a2aea65713a70582af45455165e00'
curl -sSLo /tmp/lamassu-server.tar.gz https://github.com/lamassu/lamassu-server/releases/download/v10.0.7/lamassu-server-v10.0.7.tar.gz >> $LOG_FILE 2>&1
hash=$(sha256sum /tmp/lamassu-server.tar.gz | awk '{print $1}' | sed 's/ *$//g')
if [ $hash != $sourceHash ] ; then
echo 'Package signature does not match!'
exit 1
fi
tar -xzf /tmp/lamassu-server.tar.gz -C /usr/lib/node_modules/ >> $LOG_FILE 2>&1
decho "Creating symlinks..."
for i in lamassu-* hkdf bip39; do cp -s $NODE_MODULES/lamassu-server/bin/$i $NPM_BIN/; done >> ${LOG_FILE} 2>&1
chmod +x $NODE_MODULES/lamassu-server/bin/* >> ${LOG_FILE} 2>&1
decho "Generating mnemonic..."
mkdir -p $MNEMONIC_DIR >> $LOG_FILE 2>&1
SEED=$(openssl rand -hex 32)
MNEMONIC=$(bip39 $SEED)
echo "$MNEMONIC" > $MNEMONIC_FILE
decho "Creating postgres user..."
POSTGRES_PW=$(hkdf postgres-pw $SEED)
su -l postgres >> $LOG_FILE 2>&1 <<EOF
psql -c "CREATE ROLE lamassu_pg WITH LOGIN SUPERUSER PASSWORD '$POSTGRES_PW';"
createdb lamassu
EOF
mkdir -p $CERT_DIR >> $LOG_FILE 2>&1
mkdir -p $CONFIG_DIR >> $LOG_FILE 2>&1
decho "Generating SSL certificates..."
sed -i '/RANDFILE/d' /etc/ssl/openssl.cnf
openssl genrsa \
-out $CA_KEY_PATH \
4096 >> $LOG_FILE 2>&1
openssl req \
-x509 \
-sha256 \
-new \
-nodes \
-key $CA_KEY_PATH \
-days 3650 \
-out $CA_PATH \
-subj "/C=IS/ST=/L=Reykjavik/O=Lamassu Operator CA/CN=operator.lamassu.is" \
>> $LOG_FILE 2>&1
openssl genrsa \
-out $SERVER_KEY_PATH \
4096 >> $LOG_FILE 2>&1
openssl req -new \
-key $SERVER_KEY_PATH \
-out /tmp/Lamassu_OP.csr.pem \
-subj "/C=IS/ST=/L=Reykjavik/O=Lamassu Operator/CN=$IP" \
-reqexts SAN \
-sha256 \
-config <(cat /etc/ssl/openssl.cnf \
<(printf "[SAN]\nsubjectAltName=IP.1:$IP")) \
>> $LOG_FILE 2>&1
openssl x509 \
-req -in /tmp/Lamassu_OP.csr.pem \
-CA $CA_PATH \
-CAkey $CA_KEY_PATH \
-CAcreateserial \
-out $SERVER_CERT_PATH \
-extfile <(cat /etc/ssl/openssl.cnf \
<(printf "[SAN]\nsubjectAltName=IP.1:$IP")) \
-extensions SAN \
-days 3650 >> $LOG_FILE 2>&1
rm /tmp/Lamassu_OP.csr.pem
decho "Copying Lamassu certificate authority..."
LAMASSU_CA_FILE=$NODE_MODULES/lamassu-server/Lamassu_CA.pem
cp $LAMASSU_CA_FILE $LAMASSU_CA_PATH
mkdir -p $OFAC_DATA_DIR
touch $CONFIG_DIR/.env
decho "Creating environment symlink..."
cp --symbolic-link $CONFIG_DIR/.env $NODE_MODULES/lamassu-server/.env >> $LOG_FILE 2>&1
decho "Setting up environment..."
node $NODE_MODULES/lamassu-server/tools/build-prod-env.js --db-password $POSTGRES_PW --hostname $IP
decho "Setting up database tables..."
lamassu-migrate >> $LOG_FILE 2>&1
decho "Setting up lamassu-admin..."
ADMIN_REGISTRATION_URL=`lamassu-register $email superuser 2>> $LOG_FILE`
decho "Setting up backups..."
BIN=$(npm -g bin)
BACKUP_CMD=$BIN/lamassu-backup-pg
mkdir -p $BACKUP_DIR
BACKUP_CRON="@daily $BACKUP_CMD > /dev/null"
(crontab -l 2>/dev/null || echo -n ""; echo "$BACKUP_CRON") | crontab - >> $LOG_FILE 2>&1
$BACKUP_CMD >> $LOG_FILE 2>&1
decho "Setting up firewall..."
ufw allow ssh >> $LOG_FILE 2>&1
ufw allow 443/tcp >> $LOG_FILE 2>&1 # Admin
ufw allow 3000/tcp >> $LOG_FILE 2>&1 # Server
ufw -f enable >> $LOG_FILE 2>&1
decho "Setting up supervisor..."
cat <<EOF > /etc/supervisor/conf.d/lamassu-server.conf
[program:lamassu-server]
command=${NPM_BIN}/lamassu-server
autostart=true
autorestart=true
stderr_logfile=/var/log/supervisor/lamassu-server.err.log
stdout_logfile=/var/log/supervisor/lamassu-server.out.log
environment=HOME="/root",NODE_ENV="production"
EOF
cat <<EOF > /etc/supervisor/conf.d/lamassu-admin-server.conf
[program:lamassu-admin-server]
command=${NPM_BIN}/lamassu-admin-server
autostart=true
autorestart=true
stderr_logfile=/var/log/supervisor/lamassu-admin-server.err.log
stdout_logfile=/var/log/supervisor/lamassu-admin-server.out.log
environment=HOME="/root",NODE_ENV="production"
EOF
cat <<EOF >> /etc/supervisor/supervisord.conf
[inet_http_server]
port = 127.0.0.1:9001
EOF
service supervisor restart >> $LOG_FILE 2>&1
decho "Disabling swap file..."
swapoff /swapfile >> $LOG_FILE 2>&1
# disable exiting on error in case DO changes motd scripts
set +e
chmod -x /etc/update-motd.d/*-release-upgrade 2>/dev/null
chmod -x /etc/update-motd.d/*-updates-available 2>/dev/null
chmod -x /etc/update-motd.d/*-reboot-required 2>/dev/null
chmod -x /etc/update-motd.d/*-help-text 2>/dev/null
chmod -x /etc/update-motd.d/*-cloudguest 2>/dev/null
chmod -x /etc/update-motd.d/*-motd-news 2>/dev/null
set -e
# reset terminal to link new executables
hash -r
# create /mnt/blockchains to obviate block volume
mkdir /mnt/blockchains/
echo
decho "Done! Now it's time to configure Lamassu stack."
echo
echo -e "\n*** IMPORTANT ***"
echo "In a private space, run lamassu-mnemonic, write down the words"
echo "and keep them in a safe place."
echo
echo "This secret will allow you to retrieve system passwords, such "
echo "as the keys to your Ethereum account. However, you must still "
echo "backup your wallets separately. Visit support.lamassu.is for "
echo "details on regularly backing up your wallets and coins."
echo
echo
echo "Activation URL for lamassu-admin:"
echo $ADMIN_REGISTRATION_URL
echo
echo