From a277d5faa3bc3e082957263878e15555eb64fa90 Mon Sep 17 00:00:00 2001 From: Paul Rock Date: Wed, 31 Jan 2018 04:04:52 +0300 Subject: [PATCH] installation process rewritten to step-by-step logic --- scripts/install-openvpn.sh | 132 ++--------------- scripts/install.sh | 234 +++--------------------- scripts/install/00_env.sh | 49 +++++++ scripts/install/01_mysql.sh | 53 +++++++ scripts/install/02_app.sh | 12 ++ scripts/install/03_certificate.sh | 30 ++++ scripts/install/04_openvpn.sh | 15 ++ scripts/install/05_firewall.sh | 16 ++ 8 files changed, 206 insertions(+), 335 deletions(-) create mode 100644 scripts/install/00_env.sh create mode 100644 scripts/install/01_mysql.sh create mode 100644 scripts/install/02_app.sh create mode 100644 scripts/install/03_certificate.sh create mode 100644 scripts/install/04_openvpn.sh create mode 100644 scripts/install/05_firewall.sh diff --git a/scripts/install-openvpn.sh b/scripts/install-openvpn.sh index 7fdf9b1..b445717 100755 --- a/scripts/install-openvpn.sh +++ b/scripts/install-openvpn.sh 
@@ -5,133 +5,27 @@ print_error() { exit } -read_env() { - source "$1" -# grep -vE '^#|^$' "$1" | sed -r 's/\ /\\\ /g; s/\=/\t/g' | \ -# while read env val -# do -# env - $env="$val" -# done -} - # Ensure to be root if [ "$EUID" -ne 0 ]; then - echo "Please run as root" - exit + print_error "Please run as root" fi base_path=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd ) # Read dotEnv file -read_env "$base_path/../.env" - -printf "\n################## Server informations ##################\n" - -[ ! -z "$VPN_LOCAL" ] && echo "VPN_LOCAL=$VPN_LOCAL" -[ -z "$VPN_LOCAL" ] && read -p "Server local Hostname/IP: " VPN_LOCAL -[ -z "$VPN_LOCAL" ] && print_error "Server local address is required!" - -[ ! -z "$VPN_REMOTE" ] && echo "VPN_LOCAL=$VPN_REMOTE" -[ -z "$VPN_REMOTE" ] && read -p "Server remote Hostname/IP: " VPN_REMOTE -[ -z "$VPN_REMOTE" ] && print_error "Server remote address is required!" - -[ ! -z "$VPN_PROTO" ] && echo "VPN_PROTO=$VPN_PROTO" -[ -z "$VPN_PROTO" ] && read -p "OpenVPN protocol (tcp or udp) [tcp]: " VPN_PROTO -[ -z "$VPN_PROTO" ] && VPN_PROTO="tcp" - -[ ! -z "$VPN_PORT" ] && echo "VPN_PORT=$VPN_PORT" -[ -z "$VPN_PORT" ] && read -p "OpenVPN port [443]: " VPN_PORT -[ -z "$VPN_PORT" ] && VPN_PORT="443" - -[ ! -z "$VPN_GROUP" ] && echo "VPN_GROUP=$VPN_GROUP" -[ -z "$VPN_GROUP" ] && read -p "OpenVPN group [nogroup]: " VPN_GROUP -[ -z "$VPN_GROUP" ] && VPN_GROUP="nogroup" - -[ ! -z "$VPN_INIF" ] && echo "VPN_INIF=$VPN_INIF" -[ -z "$VPN_INIF" ] && read -p "OpenVPN input interface [tun0]: " VPN_INIF -[ -z "$VPN_INIF" ] && VPN_INIF="tun0" - -[ ! -z "$VPN_OUTIF" ] && echo "VPN_OUTIF=$VPN_OUTIF" -[ -z "$VPN_OUTIF" ] && read -p "OpenVPN output interface [eth0]: " VPN_OUTIF -[ -z "$VPN_OUTIF" ] && VPN_OUTIF="eth0" - -[ ! 
-z "$VPN_NET" ] && echo "VPN_NET=$VPN_NET" -[ -z "$VPN_NET" ] && read -p "OpenVPN clients subnet [10.8.0.0/24]: " VPN_NET -[ -z "$VPN_NET" ] && VPN_NET="10.8.0.0/24" - - -printf "\n################## Certificates informations ##################\n" - -[ -z "$EASYRSA_KEY_SIZE" ] && read -p "Key size (1024, 2048 or 4096) [2048]: " EASYRSA_KEY_SIZE -[ -z "$EASYRSA_CA_EXPIRE" ] && read -p "Root certificate expiration (in days) [3650]: " EASYRSA_CA_EXPIRE -[ -z "$EASYRSA_CERT_EXPIRE" ] && read -p "Certificate expiration (in days) [3650]: " EASYRSA_CERT_EXPIRE -[ -z "$EASYRSA_REQ_COUNTRY" ] && read -p "Country Name (2 letter code) [US]: " EASYRSA_REQ_COUNTRY -[ -z "$EASYRSA_REQ_PROVINCE" ] && read -p "State or Province Name (full name) [California]: " EASYRSA_REQ_PROVINCE -[ -z "$EASYRSA_REQ_CITY" ] && read -p "Locality Name (eg, city) [San Francisco]: " EASYRSA_REQ_CITY -[ -z "$EASYRSA_REQ_ORG" ] && read -p "Organization Name (eg, company) [Copyleft Certificate Co]: " EASYRSA_REQ_ORG -[ -z "$EASYRSA_REQ_OU" ] && read -p "Organizational Unit Name (eg, section) [My Organizational Unit]: " EASYRSA_REQ_OU -[ -z "$EASYRSA_REQ_EMAIL" ] && read -p "Email Address [me@example.net]: " EASYRSA_REQ_EMAIL -[ -z "$EASYRSA_REQ_CN" ] && read -p "Common Name (eg, your name or your server's hostname) [ChangeMe]: " EASYRSA_REQ_CN +source "$base_path/../.env" +source ./install/00_env.sh +source ./install/03_certificate.sh +source ./install/04_openvpn.sh +source ./install/05_firewall.sh -printf "\n################## Creating the certificates ##################\n" - -EASYRSA_RELEASES=( $( - curl -s https://api.github.com/repos/OpenVPN/easy-rsa/releases | \ - grep 'tag_name' | \ - grep -E '3(\.[0-9]+)+' | \ - awk '{ print $2 }' | \ - sed 's/[,|"|v]//g' -) ) -EASYRSA_LATEST=${EASYRSA_RELEASES[0]} - -# Get the rsa keys -wget -q https://github.com/OpenVPN/easy-rsa/releases/download/v${EASYRSA_LATEST}/EasyRSA-${EASYRSA_LATEST}.tgz -O /tmp/EasyRSA-${EASYRSA_LATEST}.tgz -mkdir -p 
/etc/openvpn/easy-rsa -tar -xaf /tmp/EasyRSA-${EASYRSA_LATEST}.tgz -C /etc/openvpn/easy-rsa --strip-components=1 -rm -r /tmp/EasyRSA-${EASYRSA_LATEST}.tgz -cd /etc/openvpn/easy-rsa - -# Init PKI dirs and build CA certs -./easyrsa --batch init-pki -./easyrsa --batch build-ca nopass -# Generate Diffie-Hellman parameters -./easyrsa --batch gen-dh -# Generate server keypair -./easyrsa --batch build-server-full server nopass - -# Generate shared-secret for TLS Authentication -openvpn --genkey --secret pki/ta.key - - -printf "\n################## Setup OpenVPN ##################\n" - -# Copy certificates and the server configuration in the openvpn directory -cp /etc/openvpn/easy-rsa/pki/{ca.crt,ta.key,issued/server.crt,private/server.key,dh.pem} "/etc/openvpn/" -chmod +r /etc/openvpn/{ca.crt,ta.key} -cp "$base_path/../configs/server.conf" "/etc/openvpn/" -mkdir -p "/etc/openvpn/ccd" -sed -i " -s/VPN_SERVER/$VPN_SERVER/; -s/VPN_PORT/$VPN_PORT/; -s/VPN_INIF/$VPN_INIF/; -s/VPN_PROTO/$VPN_PROTO/; -s/VPN_GROUP/$VPN_GROUP/" "/etc/openvpn/server.conf" - - -printf "\n################## Setup firewall ##################\n" - -# Make ip forwading and make it persistent -echo 1 > "/proc/sys/net/ipv4/ip_forward" -echo "net.ipv4.ip_forward = 1" >> "/etc/sysctl.conf" - -# Iptable rules -iptables -I FORWARD -i $VPN_INIF -j ACCEPT -iptables -I FORWARD -o $VPN_INIF -j ACCEPT -iptables -I OUTPUT -o $VPN_INIF -j ACCEPT +printf "\033[1m\n#################################### Finish ####################################\n" -iptables -A FORWARD -i $VPN_INIF -o $VPN_OUTIF -j ACCEPT -iptables -t nat -A POSTROUTING -o $VPN_OUTIF -j MASQUERADE -iptables -t nat -A POSTROUTING -s $VPN_NET -o $VPN_OUTIF -j MASQUERADE +echo -e "# Congratulations, you have successfully setup OpenVPN-Admin! 
#\r" +echo -e "Please, finish the installation by configuring your web server (Apache, Nginx...)" +echo -e "and install the web application by visiting http://your-installation/index.php?installation\r" +echo -e "Then, you will be able to run OpenVPN with systemctl start openvpn@server\r" +echo "Please, report any issues here https://github.com/Chocobozzz/OpenVPN-Admin" -printf "\033[1m\n#################################### Finish ####################################\n" +printf "\n################################################################################ \033[0m\n" diff --git a/scripts/install.sh b/scripts/install.sh index d56368e..8cf6f9e 100755 --- a/scripts/install.sh +++ b/scripts/install.sh @@ -7,10 +7,14 @@ print_help () { echo -e "\tgroup: Group of the web application" } +print_error() { + echo "$1" + exit +} + # Ensure to be root if [ "$EUID" -ne 0 ]; then - echo "Please run as root" - exit + print_error "Please run as root" fi # Ensure there are enought arguments @@ -20,11 +24,10 @@ if [ "$#" -ne 3 ]; then fi # Ensure there are the prerequisites -for i in openvpn mysql php bower node unzip wget sed; do +for i in openvpn mysql php node npm unzip wget sed curl; do which $i > /dev/null if [ "$?" -ne 0 ]; then - echo "Miss $i" - exit + print_error "Miss $i" fi done 
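Review bot: The new `source ./install/00_env.sh` … `source ./install/05_firewall.sh` lines resolve against the caller's working directory, not the script's location, so running the installer from anywhere other than scripts/ fails at the first `source` even though `base_path` is computed a few lines above for exactly this purpose; the six `source ./install/…` lines in the install.sh hunk have the same problem. Use `source "$base_path/install/00_env.sh"` and likewise for the others. This matters twice over because 03_certificate.sh performs `cd /etc/openvpn/easy-rsa` while being sourced, which changes the parent shell's cwd before 04_openvpn.sh and 05_firewall.sh are looked up.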
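Review bot: `print_error` writes to stdout and exits with status 0, so every failure path that now routes through it (the root check, the missing-prerequisite check, and the required-value checks in 00_env.sh and 01_mysql.sh) reports success to a calling shell or automation. Change the body to `echo "$1" >&2` and `exit 1` so the failure is both visible on stderr and detectable by the caller.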
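Review bot: The prerequisite list gains `curl` and `npm` but not `iptables`, which 05_firewall.sh invokes unconditionally, so on a host without it the run only fails after the CA, server key and database have already been created. Add `iptables` to the `for i in …` list, and prefer `command -v "$i" > /dev/null` over `which $i`, which is not a shell builtin and is absent on some minimal images.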
@@ -42,223 +45,22 @@ fi base_path=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd ) +# Read dotEnv file +source "$base_path/../.env" -printf "\n################## Server informations ##################\n" - -read -p "Server Hostname/IP: " ip_server - -read -p "OpenVPN protocol (tcp or udp) [tcp]: " openvpn_proto - -if [[ -z $openvpn_proto ]]; then - openvpn_proto="tcp" -fi - -read -p "Port [443]: " server_port - -if [[ -z $server_port ]]; then - server_port="443" -fi - -# Get root pass (to create the database and the user) -mysql_root_pass="" -status_code=1 - -while [ $status_code -ne 0 ]; do - read -p "MySQL root password: " -s mysql_root_pass; echo - echo "SHOW DATABASES" | mysql -u root --password="$mysql_root_pass" &> /dev/null - status_code=$? -done - -sql_result=$(echo "SHOW DATABASES" | mysql -u root --password="$mysql_root_pass" | grep -e "^openvpn-admin$") -# Check if the database doesn't already exist -if [ "$sql_result" != "" ]; then - echo "The openvpn-admin database already exists." - exit -fi - - -# Check if the user doesn't already exist -read -p "MySQL user name for OpenVPN-Admin (will be created): " mysql_user - -echo "SHOW GRANTS FOR $mysql_user@localhost" | mysql -u root --password="$mysql_root_pass" &> /dev/null -if [ $? -eq 0 ]; then - echo "The MySQL user already exists." - exit -fi - -read -p "MySQL user password for OpenVPN-Admin: " -s mysql_pass; echo - -# TODO MySQL port & host ? 
- - -printf "\n################## Certificates informations ##################\n" - -read -p "Key size (1024, 2048 or 4096) [2048]: " key_size - -read -p "Root certificate expiration (in days) [3650]: " ca_expire - -read -p "Certificate expiration (in days) [3650]: " cert_expire - -read -p "Country Name (2 letter code) [US]: " cert_country - -read -p "State or Province Name (full name) [California]: " cert_province - -read -p "Locality Name (eg, city) [San Francisco]: " cert_city - -read -p "Organization Name (eg, company) [Copyleft Certificate Co]: " cert_org - -read -p "Organizational Unit Name (eg, section) [My Organizational Unit]: " cert_ou - -read -p "Email Address [me@example.net]: " cert_email - -read -p "Common Name (eg, your name or your server's hostname) [ChangeMe]: " key_cn - - -printf "\n################## Creating the certificates ##################\n" - -EASYRSA_RELEASES=( $( - curl -s https://api.github.com/repos/OpenVPN/easy-rsa/releases | \ - grep 'tag_name' | \ - grep -E '3(\.[0-9]+)+' | \ - awk '{ print $2 }' | \ - sed 's/[,|"|v]//g' -) ) -EASYRSA_LATEST=${EASYRSA_RELEASES[0]} - -# Get the rsa keys -wget -q https://github.com/OpenVPN/easy-rsa/releases/download/v${EASYRSA_LATEST}/EasyRSA-${EASYRSA_LATEST}.tgz -tar -xaf EasyRSA-${EASYRSA_LATEST}.tgz -mv EasyRSA-${EASYRSA_LATEST} /etc/openvpn/easy-rsa -rm -r EasyRSA-${EASYRSA_LATEST}.tgz -cd /etc/openvpn/easy-rsa - -if [[ ! -z $key_size ]]; then - export EASYRSA_KEY_SIZE=$key_size -fi -if [[ ! -z $ca_expire ]]; then - export EASYRSA_CA_EXPIRE=$ca_expire -fi -if [[ ! -z $cert_expire ]]; then - export EASYRSA_CERT_EXPIRE=$cert_expire -fi -if [[ ! -z $cert_country ]]; then - export EASYRSA_REQ_COUNTRY=$cert_country -fi -if [[ ! -z $cert_province ]]; then - export EASYRSA_REQ_PROVINCE=$cert_province -fi -if [[ ! -z $cert_city ]]; then - export EASYRSA_REQ_CITY=$cert_city -fi -if [[ ! -z $cert_org ]]; then - export EASYRSA_REQ_ORG=$cert_org -fi -if [[ ! 
-z $cert_ou ]]; then - export EASYRSA_REQ_OU=$cert_ou -fi -if [[ ! -z $cert_email ]]; then - export EASYRSA_REQ_EMAIL=$cert_email -fi -if [[ ! -z $key_cn ]]; then - export EASYRSA_REQ_CN=$key_cn -fi - -# Init PKI dirs and build CA certs -./easyrsa init-pki -./easyrsa build-ca nopass -# Generate Diffie-Hellman parameters -./easyrsa gen-dh -# Genrate server keypair -./easyrsa build-server-full server nopass - -# Generate shared-secret for TLS Authentication -openvpn --genkey --secret pki/ta.key - - -printf "\n################## Setup OpenVPN ##################\n" - -# Copy certificates and the server configuration in the openvpn directory -cp /etc/openvpn/easy-rsa/pki/{ca.crt,ta.key,issued/server.crt,private/server.key,dh.pem} "/etc/openvpn/" -cp "$base_path/installation/server.conf" "/etc/openvpn/" -mkdir "/etc/openvpn/ccd" -sed -i "s/port 443/port $server_port/" "/etc/openvpn/server.conf" - -if [ $openvpn_proto = "udp" ]; then - sed -i "s/proto tcp/proto $openvpn_proto/" "/etc/openvpn/server.conf" -fi - -nobody_group=$(id -ng nobody) -sed -i "s/group nogroup/group $nobody_group/" "/etc/openvpn/server.conf" - -printf "\n################## Setup firewall ##################\n" - -# Make ip forwading and make it persistent -echo 1 > "/proc/sys/net/ipv4/ip_forward" -echo "net.ipv4.ip_forward = 1" >> "/etc/sysctl.conf" - -# Iptable rules -iptables -I FORWARD -i tun0 -j ACCEPT -iptables -I FORWARD -o tun0 -j ACCEPT -iptables -I OUTPUT -o tun0 -j ACCEPT - -iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT -iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE -iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE -iptables -t nat -A POSTROUTING -s 10.8.0.2/24 -o eth0 -j MASQUERADE - - -printf "\n################## Setup MySQL database ##################\n" - -echo "CREATE DATABASE \`openvpn-admin\`" | mysql -u root --password="$mysql_root_pass" -echo "CREATE USER $mysql_user@localhost IDENTIFIED BY '$mysql_pass'" | mysql -u root --password="$mysql_root_pass" -echo 
"GRANT ALL PRIVILEGES ON \`openvpn-admin\`.* TO $mysql_user@localhost" | mysql -u root --password="$mysql_root_pass" -echo "FLUSH PRIVILEGES" | mysql -u root --password="$mysql_root_pass" - - -printf "\n################## Setup web application ##################\n" - -# Copy bash scripts (which will insert row in MySQL) -cp -r "$base_path/installation/scripts" "/etc/openvpn/" -chmod +x "/etc/openvpn/scripts/"* - -# Configure MySQL in openvpn scripts -sed -i "s/USER=''/USER='$mysql_user'/" "/etc/openvpn/scripts/config.sh" -sed -i "s/PASS=''/PASS='$mysql_pass'/" "/etc/openvpn/scripts/config.sh" - -# Create the directory of the web application -mkdir "$openvpn_admin" -cp -r "$base_path/"{index.php,sql,bower.json,.bowerrc,js,include,css,installation/client-conf} "$openvpn_admin" - -# New workspace -cd "$openvpn_admin" - -# Replace config.php variables -sed -i "s/\$user = '';/\$user = '$mysql_user';/" "./include/config.php" -sed -i "s/\$pass = '';/\$pass = '$mysql_pass';/" "./include/config.php" - -# Replace in the client configurations with the ip of the server and openvpn protocol -for file in "./client-conf/gnu-linux/client.conf" "./client-conf/osx-viscosity/client.conf" "./client-conf/windows/client.ovpn"; do - sed -i "s/remote xxx\.xxx\.xxx\.xxx 443/remote $ip_server $server_port/" $file - - if [ $openvpn_proto = "udp" ]; then - sed -i "s/proto tcp-client/proto udp/" $file - fi -done - -# Copy ta.key inside the client-conf directory -for directory in "./client-conf/gnu-linux/" "./client-conf/osx-viscosity/" "./client-conf/windows/"; do - cp "/etc/openvpn/"{ca.crt,ta.key} $directory -done - -# Install third parties -bower --allow-root install -chown -R "$user:$group" "$openvpn_admin" +source ./install/00_env.sh +source ./install/01_mysql.sh +source ./install/02_app.sh +source ./install/03_certificate.sh +source ./install/04_openvpn.sh +source ./install/05_firewall.sh printf "\033[1m\n#################################### Finish ####################################\n" 
echo -e "# Congratulations, you have successfully setup OpenVPN-Admin! #\r" -echo -e "Please, finish the installation by configuring your web server (Apache, NGinx...)" +echo -e "Please, finish the installation by configuring your web server (Apache, Nginx...)" echo -e "and install the web application by visiting http://your-installation/index.php?installation\r" echo -e "Then, you will be able to run OpenVPN with systemctl start openvpn@server\r" echo "Please, report any issues here https://github.com/Chocobozzz/OpenVPN-Admin" + printf "\n################################################################################ \033[0m\n" diff --git a/scripts/install/00_env.sh b/scripts/install/00_env.sh new file mode 100644 index 0000000..5438e68 --- /dev/null +++ b/scripts/install/00_env.sh 
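Review bot: Several steps that the removed block performed have no counterpart in the new step files: the `remote xxx.xxx.xxx.xxx 443` / `proto` substitution in the client-conf files, copying `ca.crt` and `ta.key` into the client-conf directories, and writing the database credentials into `include/config.php` and `/etc/openvpn/scripts/config.sh`. Whether the new app layout copied by 02_app.sh (`app/`, `public/`, `vendor/`, `.env`) makes these obsolete is not visible from this diff; if they were dropped deliberately, the commit description should say so, otherwise a follow-up step is needed before the installer is complete. The six `source ./install/…` lines should also use `"$base_path/install/…"` rather than a cwd-relative path.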
@@ -0,0 +1,49 @@
+#!/bin/bash
+
+printf "\n################## Server informations ##################\n"
+
+[ ! -z "$VPN_LOCAL" ] && echo "VPN_LOCAL=$VPN_LOCAL"
+[ -z "$VPN_LOCAL" ] && read -p "Server local Hostname/IP: " VPN_LOCAL
+[ -z "$VPN_LOCAL" ] && print_error "Server local address is required!"
+
+[ ! -z "$VPN_REMOTE" ] && echo "VPN_LOCAL=$VPN_REMOTE"
+[ -z "$VPN_REMOTE" ] && read -p "Server remote Hostname/IP: " VPN_REMOTE
+[ -z "$VPN_REMOTE" ] && print_error "Server remote address is required!"
+
+[ ! -z "$VPN_PROTO" ] && echo "VPN_PROTO=$VPN_PROTO"
+[ -z "$VPN_PROTO" ] && read -p "OpenVPN protocol (tcp or udp) [tcp]: " VPN_PROTO
+[ -z "$VPN_PROTO" ] && VPN_PROTO="tcp"
+
+[ ! -z "$VPN_PORT" ] && echo "VPN_PORT=$VPN_PORT"
+[ -z "$VPN_PORT" ] && read -p "OpenVPN port [443]: " VPN_PORT
+[ -z "$VPN_PORT" ] && VPN_PORT="443"
+
+[ ! -z "$VPN_GROUP" ] && echo "VPN_GROUP=$VPN_GROUP"
+[ -z "$VPN_GROUP" ] && read -p "OpenVPN group [nogroup]: " VPN_GROUP
+[ -z "$VPN_GROUP" ] && VPN_GROUP="nogroup"
+
+[ ! -z "$VPN_INIF" ] && echo "VPN_INIF=$VPN_INIF"
+[ -z "$VPN_INIF" ] && read -p "OpenVPN input interface [tun0]: " VPN_INIF
+[ -z "$VPN_INIF" ] && VPN_INIF="tun0"
+
+[ ! -z "$VPN_OUTIF" ] && echo "VPN_OUTIF=$VPN_OUTIF"
+[ -z "$VPN_OUTIF" ] && read -p "OpenVPN output interface [eth0]: " VPN_OUTIF
+[ -z "$VPN_OUTIF" ] && VPN_OUTIF="eth0"
+
+[ ! -z "$VPN_NET" ] && echo "VPN_NET=$VPN_NET"
+[ -z "$VPN_NET" ] && read -p "OpenVPN clients subnet [10.8.0.0/24]: " VPN_NET
+[ -z "$VPN_NET" ] && VPN_NET="10.8.0.0/24"
+
+
+printf "\n################## Certificates informations ##################\n"
+
+[ -z "$EASYRSA_KEY_SIZE" ] && read -p "Key size (1024, 2048 or 4096) [2048]: " EASYRSA_KEY_SIZE
+[ -z "$EASYRSA_CA_EXPIRE" ] && read -p "Root certificate expiration (in days) [3650]: " EASYRSA_CA_EXPIRE
+[ -z "$EASYRSA_CERT_EXPIRE" ] && read -p "Certificate expiration (in days) [3650]: " EASYRSA_CERT_EXPIRE
+[ -z "$EASYRSA_REQ_COUNTRY" ] && read -p "Country Name (2 letter code) [US]: " EASYRSA_REQ_COUNTRY
+[ -z "$EASYRSA_REQ_PROVINCE" ] && read -p "State or Province Name (full name) [California]: " EASYRSA_REQ_PROVINCE
+[ -z "$EASYRSA_REQ_CITY" ] && read -p "Locality Name (eg, city) [San Francisco]: " EASYRSA_REQ_CITY
+[ -z "$EASYRSA_REQ_ORG" ] && read -p "Organization Name (eg, company) [Copyleft Certificate Co]: " EASYRSA_REQ_ORG
+[ -z "$EASYRSA_REQ_OU" ] && read -p "Organizational Unit Name (eg, section) [My Organizational Unit]: " EASYRSA_REQ_OU
+[ -z "$EASYRSA_REQ_EMAIL" ] && read -p "Email Address [me@example.net]: " EASYRSA_REQ_EMAIL
+[ -z "$EASYRSA_REQ_CN" ] && read -p "Common Name (eg, your name or your server's hostname) [ChangeMe]: " EASYRSA_REQ_CN
diff --git a/scripts/install/01_mysql.sh b/scripts/install/01_mysql.sh
new file mode 100644
index 0000000..44e1b38
--- /dev/null
+++ b/scripts/install/01_mysql.sh
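Review bot: The ten `EASYRSA_*` values read at the bottom of this file are plain shell variables, not exported (unless the sourced .env exports them itself), so the `./easyrsa --batch` child processes in 03_certificate.sh never see interactively entered values and silently use easy-rsa's own defaults — the removed install.sh code had a guarded `export` for each one. Reinstate those guards, e.g. `[ -n "$EASYRSA_KEY_SIZE" ] && export EASYRSA_KEY_SIZE`, keeping the non-empty check because exporting an empty value may not fall back to the tool's default. Two smaller points: the `VPN_REMOTE` echo prints the label `VPN_LOCAL=`, and each `read -p` should be `read -r -p` so backslashes in entered values are preserved.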
@@ -0,0 +1,53 @@
+#!/bin/bash
+
+function mysql_exec()
+{
+ echo "$1" | mysql -u root --password="$mysql_root_pass" &> /dev/null
+}
+
+printf "\n################## Setup MySQL database ##################\n"
+
+[ ! -z "$DB_HOST" ] && echo "DB_HOST=$DB_HOST"
+[ -z "$DB_HOST" ] && read -p "MySQL database host: " DB_HOST
+[ -z "$DB_HOST" ] && print_error "MySQL database host is required!"
+
+# Get root pass (to create the database and the user)
+mysql_root_pass=""
+status_code=1
+
+while [ $status_code -ne 0 ]; do
+ read -p "MySQL root password: " -s mysql_root_pass; echo
+ mysql_exec "SHOW DATABASES"
+ status_code=$?
+done
+
+[ ! -z "$DB_NAME" ] && echo "DB_NAME=$DB_NAME"
+[ -z "$DB_NAME" ] && read -p "MySQL database name: " DB_NAME
+[ -z "$DB_NAME" ] && print_error "MySQL database name is required!"
+
+[ ! -z "$DB_USER" ] && echo "DB_USER=$DB_USER"
+[ -z "$DB_USER" ] && read -p "MySQL user name for $DB_NAME (will be created): " DB_USER
+[ -z "$DB_USER" ] && print_error "MySQL user is required!"
+
+[ ! -z "$DB_PASS" ] && echo "DB_PASS=$DB_PASS"
+[ -z "$DB_PASS" ] && read -p "MySQL user password for $DB_USER: " DB_PASS
+[ -z "$DB_PASS" ] && print_error "MySQL user password is required!"
+
+sql_result=$(mysql_exec "SHOW DATABASES" | grep -e "^$DB_NAME$")
+
+# Check if the database doesn't already exist
+if [ "$sql_result" != "" ]; then
+ echo "The $DB_NAME database already exists."
+ exit
+fi
+
+mysql_exec "SHOW GRANTS FOR $DB_USER@localhost"
+if [ $? -eq 0 ]; then
+ echo "The MySQL user already exists."
+ exit
+fi
+
+mysql_exec "CREATE DATABASE \`$DB_NAME\`"
+mysql_exec "CREATE USER $DB_USER@% IDENTIFIED BY '$DB_PASS'"
+mysql_exec "GRANT ALL PRIVILEGES ON \`$DB_NAME\`.* TO $DB_USER@%"
+mysql_exec "FLUSH PRIVILEGES"
diff --git a/scripts/install/02_app.sh b/scripts/install/02_app.sh
new file mode 100644
index 0000000..d6f9c68
--- /dev/null
+++ b/scripts/install/02_app.sh
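Review bot: `mysql_exec` discards stdout, so `sql_result=$(mysql_exec "SHOW DATABASES" | grep -e "^$DB_NAME$")` is always empty, the database-exists guard never fires, and the CREATE/GRANT statements that follow fail with their errors thrown away as well. The existence check queries `$DB_USER@localhost` while the account is created as `$DB_USER@%`, and the unquoted `%` in the `CREATE USER` and `GRANT` statements is not valid SQL — the host part needs quoting as `'%'` (and a `'%'` account permits logins from any host, which `DB_HOST` does not obviously require; `'localhost'` may be what is meant). The root password also travels as `--password=` on the command line, where it is visible in the process list, and `DB_PASS` is echoed back to the terminal and read without `-s`. Keeping stdout, passing the password through `MYSQL_PWD` and quoting the account name covers the first three points:
```shell
function mysql_exec()
{
  # keep stdout for callers that parse the result; only silence client errors
  MYSQL_PWD="$mysql_root_pass" mysql -u root -e "$1" 2> /dev/null
}
# … unchanged: DB_HOST prompt, mysql_root_pass/status_code init …
while [ $status_code -ne 0 ]; do
  read -r -s -p "MySQL root password: " mysql_root_pass; echo
  mysql_exec "SHOW DATABASES" > /dev/null
  status_code=$?
done
# … unchanged: DB_NAME / DB_USER / DB_PASS prompts and the database-exists check …
mysql_exec "SHOW GRANTS FOR '$DB_USER'@'%'"
# … unchanged: "user already exists" handling and CREATE DATABASE …
mysql_exec "CREATE USER '$DB_USER'@'%' IDENTIFIED BY '$DB_PASS'"
mysql_exec "GRANT ALL PRIVILEGES ON \`$DB_NAME\`.* TO '$DB_USER'@'%'"
```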
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+printf "\n################## Setup web application ##################\n"
+
+# Install third parties
+npm install
+
+# Create the directory of the web application
+mkdir -p "$openvpn_admin"
+cp -r "$base_path/"{app/,public/,vendor/,.env} "$openvpn_admin"
+
+chown -R "$user:$group" "$openvpn_admin"
diff --git a/scripts/install/03_certificate.sh b/scripts/install/03_certificate.sh
new file mode 100644
index 0000000..6860efe
--- /dev/null
+++ b/scripts/install/03_certificate.sh
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+printf "\n################## Creating the certificates ##################\n"
+
+EASYRSA_RELEASES=( $(
+ curl -s https://api.github.com/repos/OpenVPN/easy-rsa/releases | \
+ grep 'tag_name' | \
+ grep -E '3(\.[0-9]+)+' | \
+ awk '{ print $2 }' | \
+ sed 's/[,|"|v]//g'
+) )
+EASYRSA_LATEST=${EASYRSA_RELEASES[0]}
+
+# Get the rsa keys
+wget -q https://github.com/OpenVPN/easy-rsa/releases/download/v${EASYRSA_LATEST}/EasyRSA-${EASYRSA_LATEST}.tgz -O /tmp/EasyRSA-${EASYRSA_LATEST}.tgz
+mkdir -p /etc/openvpn/easy-rsa
+tar -xaf /tmp/EasyRSA-${EASYRSA_LATEST}.tgz -C /etc/openvpn/easy-rsa --strip-components=1
+rm -r /tmp/EasyRSA-${EASYRSA_LATEST}.tgz
+cd /etc/openvpn/easy-rsa
+
+# Init PKI dirs and build CA certs
+./easyrsa --batch init-pki
+./easyrsa --batch build-ca nopass
+# Generate Diffie-Hellman parameters
+./easyrsa --batch gen-dh
+# Generate server keypair
+./easyrsa --batch build-server-full server nopass
+
+# Generate shared-secret for TLS Authentication
+openvpn --genkey --secret pki/ta.key
diff --git a/scripts/install/04_openvpn.sh b/scripts/install/04_openvpn.sh
new file mode 100644
index 0000000..026338a
--- /dev/null
+++ b/scripts/install/04_openvpn.sh
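Review bot: `cp -r "$base_path/"{app/,public/,vendor/,.env} "$openvpn_admin"` looks for the application tree under scripts/, whereas install.sh reads the same `.env` from `$base_path/../.env`; unless the layout differs from what this diff shows, it should be `"$base_path/../"{app/,public/,vendor/,.env}`. `npm install` likewise runs as root in whatever directory the operator launched from — pin it, e.g. `(cd "$base_path/.." && npm install)`, assuming package.json lives at the repository root (verify). Copying `.env`, which carries `DB_PASS`, into `$openvpn_admin` and then `chown -R "$user:$group"` deserves a second look as well: if `public/` is what the web server serves, the credentials file must not end up reachable under the document root.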
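Review bot: `cd /etc/openvpn/easy-rsa` executes in the parent shell because this file is sourced, so install.sh's subsequent `source ./install/04_openvpn.sh` is resolved against /etc/openvpn/easy-rsa and fails, and since the `cd` is unchecked a failure would leave the `./easyrsa` calls running in the wrong directory. Either wrap the easy-rsa section in a subshell `( cd /etc/openvpn/easy-rsa || exit 1; … )` or finish with `cd "$base_path"`, and in both cases write `cd /etc/openvpn/easy-rsa || print_error "cannot enter /etc/openvpn/easy-rsa"`. The release lookup is unchecked too: if `curl` fails or the API output changes shape, `EASYRSA_LATEST` is empty and the script continues with a malformed URL, so add `[ -n "$EASYRSA_LATEST" ] || print_error "Could not determine the latest easy-rsa release"` before the `wget`. Because the tarball that bootstraps the CA is fetched unpinned with no checksum or signature verification, pinning a known release and checking its digest would materially harden this step.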
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+printf "\n################## Setup OpenVPN ##################\n"
+
+# Copy certificates and the server configuration in the openvpn directory
+cp /etc/openvpn/easy-rsa/pki/{ca.crt,ta.key,issued/server.crt,private/server.key,dh.pem} "/etc/openvpn/"
+chmod +r /etc/openvpn/{ca.crt,ta.key}
+cp "$base_path/../configs/server.conf" "/etc/openvpn/"
+mkdir -p "/etc/openvpn/ccd"
+sed -i "
+s/VPN_SERVER/$VPN_SERVER/;
+s/VPN_PORT/$VPN_PORT/;
+s/VPN_INIF/$VPN_INIF/;
+s/VPN_PROTO/$VPN_PROTO/;
+s/VPN_GROUP/$VPN_GROUP/" "/etc/openvpn/server.conf"
diff --git a/scripts/install/05_firewall.sh b/scripts/install/05_firewall.sh
new file mode 100644
index 0000000..6198d4b
--- /dev/null
+++ b/scripts/install/05_firewall.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+printf "\n################## Setup firewall ##################\n"
+
+# Make ip forwading and make it persistent
+echo 1 > "/proc/sys/net/ipv4/ip_forward"
+echo "net.ipv4.ip_forward = 1" >> "/etc/sysctl.conf"
+
+# Iptable rules
+iptables -I FORWARD -i $VPN_INIF -j ACCEPT
+iptables -I FORWARD -o $VPN_INIF -j ACCEPT
+iptables -I OUTPUT -o $VPN_INIF -j ACCEPT
+
+iptables -A FORWARD -i $VPN_INIF -o $VPN_OUTIF -j ACCEPT
+iptables -t nat -A POSTROUTING -o $VPN_OUTIF -j MASQUERADE
+iptables -t nat -A POSTROUTING -s $VPN_NET -o $VPN_OUTIF -j MASQUERADE
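Review bot: `s/VPN_SERVER/$VPN_SERVER/;` substitutes a variable that no step file sets — 00_env.sh defines `VPN_LOCAL` and `VPN_REMOTE` — so the server-address placeholder in server.conf is replaced with an empty string; presumably `$VPN_LOCAL` (or `$VPN_REMOTE`, whichever configs/server.conf expects) was intended, and a `[ -n "$VPN_SERVER" ] || print_error "…"` guard before the `sed` would catch this class of mismatch. `chmod +r /etc/openvpn/{ca.crt,ta.key}` makes the tls-auth shared secret readable by every local user; OpenVPN normally reads its key material before dropping privileges, so root-only permissions on ta.key should suffice — worth confirming against configs/server.conf. The `sed` expression should also escape the substituted values (or use a delimiter other than `/`), since a `/` in any of them breaks the script.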
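Review bot: `iptables -t nat -A POSTROUTING -o $VPN_OUTIF -j MASQUERADE` carries no `-s` match, so it masquerades every forwarded flow leaving `$VPN_OUTIF` rather than only the VPN clients, and the subnet-scoped rule appended directly after it is never reached; drop the unscoped line and keep `-s $VPN_NET`. The step is also not idempotent: each run appends another `net.ipv4.ip_forward = 1` to /etc/sysctl.conf and inserts duplicate rules, while none of the iptables rules are persisted and so vanish on reboot — guard the append with `grep -q '^net.ipv4.ip_forward' /etc/sysctl.conf ||` and document that the rules need `iptables-save` or a persistence package. `-I FORWARD -o $VPN_INIF -j ACCEPT` admits any forwarded packet toward the VPN clients, including unsolicited ones arriving on `$VPN_OUTIF`; limiting that direction with `-m conntrack --ctstate RELATED,ESTABLISHED` is the usual tightening. The `$VPN_*` expansions should be quoted as well.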