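#!/bin/bash
# Native Installation Script
# Complete setup for Torrent Gateway without Docker.
#
# Installs build/runtime packages, builds the gateway, registers the systemd
# unit via scripts/setup_systemd.sh, optionally installs node_exporter, writes
# the nginx site, obtains a Let's Encrypt certificate and configures ufw.
# Must run as root (writes /etc, manages system services).
#
# Usage: sudo ./install.sh [OPTIONS]   (see --help)
set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_ROOT="$(dirname "$SCRIPT_DIR")"

# apt must never stop on an interactive prompt when driven by this script.
export DEBIAN_FRONTEND=noninteractive

# Print a fatal error to stderr and stop the install.
die() {
  printf '❌ %s\n' "$*" >&2
  exit 1
}

echo "🚀 Torrent Gateway Native Installation"
echo "======================================"

# Check if running as root
if [[ "$EUID" -ne 0 ]]; then
  echo "❌ This script must be run as root" >&2
  echo "Please run: sudo $0" >&2
  exit 1
fi

# ---------------------------------------------------------------------------
# Argument parsing
# ---------------------------------------------------------------------------
ENABLE_MONITORING=false
SKIP_BUILD=false
DOMAIN=""
EMAIL=""
SKIP_SSL=false
USE_EXISTING_MONITORING=false
# Source address/CIDR allowed to reach the metrics ports when an external
# monitoring stack scrapes this host. Empty keeps the previous behaviour of
# opening those ports to every address (a warning is printed in that case).
MONITORING_CIDR=""
# Empty until --non-interactive is seen; defaulted to true after parsing.
INTERACTIVE=""

usage() {
  cat <<USAGE
Usage: $0 [OPTIONS]

Options:
  --with-monitoring          Install Prometheus, Grafana, and AlertManager
  --skip-build               Skip building the application (use existing binary)
  --domain DOMAIN            Domain name for SSL certificate (e.g., gateway.example.com)
  --email EMAIL              Email for Let's Encrypt certificate notifications (required for SSL)
  --skip-ssl                 Skip SSL/HTTPS setup (HTTP only)
  --use-existing-monitoring  Don't install Prometheus/Grafana (use existing stack)
  --monitoring-cidr CIDR     Only allow this IPv4 address/CIDR to reach the metrics ports
                             (used with --use-existing-monitoring)
  --non-interactive          Skip all prompts (use command line flags only)
  --help                     Show this help message

Example:
  $0 --domain gateway.example.com --email admin@example.com
USAGE
}

# Abort with a clear message when an option that takes a value has none,
# instead of assigning an empty string and dying on 'shift 2'.
need_arg() {
  [[ $# -ge 2 && -n "$2" ]] || die "Option $1 requires a value"
}

while [[ $# -gt 0 ]]; do
  case "$1" in
    --with-monitoring)         ENABLE_MONITORING=true; shift ;;
    --skip-build)              SKIP_BUILD=true; shift ;;
    --domain)                  need_arg "$@"; DOMAIN="$2"; shift 2 ;;
    --email)                   need_arg "$@"; EMAIL="$2"; shift 2 ;;
    --monitoring-cidr)         need_arg "$@"; MONITORING_CIDR="$2"; shift 2 ;;
    --skip-ssl)                SKIP_SSL=true; shift ;;
    --use-existing-monitoring) USE_EXISTING_MONITORING=true; shift ;;
    --non-interactive)         INTERACTIVE=false; shift ;;
    --help)                    usage; exit 0 ;;
    *)
      echo "Unknown option: $1" >&2
      echo "Use --help for usage information" >&2
      exit 1
      ;;
  esac
done

# Prompt unless --non-interactive was given.
[[ -n "$INTERACTIVE" ]] || INTERACTIVE=true

# ---------------------------------------------------------------------------
# Interactive setup for monitoring if not specified
# ---------------------------------------------------------------------------
# 'read' returns non-zero at EOF (stdin not a terminal); under set -e that
# would abort the script, so every prompt falls back to an empty answer.
if [[ "$INTERACTIVE" = true && "$ENABLE_MONITORING" = false && "$USE_EXISTING_MONITORING" = false ]]; then
  echo ""
  echo "🔍 Monitoring Setup"
  echo "==================="
  echo "Do you have an existing Prometheus/Grafana monitoring stack? (y/N)"
  read -r HAS_EXISTING || HAS_EXISTING=""
  if [[ "${HAS_EXISTING,,}" = "y" || "${HAS_EXISTING,,}" = "yes" ]]; then
    USE_EXISTING_MONITORING=true
    echo "✅ Will configure for existing monitoring stack"
  else
    echo "Would you like to install a new Prometheus/Grafana monitoring stack? (Y/n)"
    read -r INSTALL_NEW || INSTALL_NEW=""
    if [[ "${INSTALL_NEW,,}" != "n" && "${INSTALL_NEW,,}" != "no" ]]; then
      ENABLE_MONITORING=true
      echo "✅ Will install new monitoring stack"
    else
      echo "✅ Will skip monitoring installation"
    fi
  fi
fi

# Interactive domain setup if not specified
if [[ "$INTERACTIVE" = true && -z "$DOMAIN" && "$SKIP_SSL" = false ]]; then
  echo ""
  echo "🔐 SSL/Domain Setup"
  echo "=================="
  echo "Do you want to configure SSL/HTTPS with a domain name? (Y/n)"
  read -r SETUP_SSL || SETUP_SSL=""
  if [[ "${SETUP_SSL,,}" != "n" && "${SETUP_SSL,,}" != "no" ]]; then
    echo "Enter your domain name (e.g., gateway.example.com):"
    read -r DOMAIN || DOMAIN=""
    if [[ -n "$DOMAIN" ]]; then
      echo "Enter your email for SSL certificate notifications:"
      read -r EMAIL || EMAIL=""
      if [[ -z "$EMAIL" ]]; then
        echo "⚠️  Email is required for SSL certificates. Skipping SSL setup."
        DOMAIN=""
        SKIP_SSL=true
      fi
    else
      SKIP_SSL=true
    fi
  else
    SKIP_SSL=true
  fi
fi

# ---------------------------------------------------------------------------
# Input validation
# ---------------------------------------------------------------------------
# DOMAIN is interpolated into the nginx server block and passed to certbot;
# EMAIL and MONITORING_CIDR end up on certbot/ufw command lines. Reject
# anything that is not a plain ASCII hostname / address before it gets there.
hostname_re='^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)+$'
email_re='^[^[:space:]@]+@[^[:space:]@]+\.[^[:space:]@]+$'
ipv4_cidr_re='^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$'
if [[ -n "$DOMAIN" && ! "$DOMAIN" =~ $hostname_re ]]; then
  die "Invalid domain name: $DOMAIN (use an ASCII hostname such as gateway.example.com)"
fi
if [[ -n "$EMAIL" && ! "$EMAIL" =~ $email_re ]]; then
  die "Invalid email address: $EMAIL"
fi
if [[ -n "$MONITORING_CIDR" && ! "$MONITORING_CIDR" =~ $ipv4_cidr_re ]]; then
  die "--monitoring-cidr must be an IPv4 address or CIDR (e.g. 10.0.0.0/24)"
fi

echo ""
echo "Configuration:"
echo "  Monitoring: $ENABLE_MONITORING"
echo "  Use existing monitoring: $USE_EXISTING_MONITORING"
echo "  Monitoring source: ${MONITORING_CIDR:-'Not set (any address)'}"
echo "  Skip build: $SKIP_BUILD"
echo "  Domain: ${DOMAIN:-'Not set (HTTP only)'}"
echo "  Email: ${EMAIL:-'Not set'}"
echo "  Skip SSL: $SKIP_SSL"
echo ""

cd "$PROJECT_ROOT"

# ---------------------------------------------------------------------------
# Step 1: Install system dependencies
# ---------------------------------------------------------------------------
# NOTE: the distro 'golang-go' package can be several releases behind; if the
# build below fails on a Go version error, install a current toolchain first.
echo "📦 Installing system dependencies..."
apt-get update
apt-get install -y \
  golang-go \
  git \
  sqlite3 \
  nginx \
  certbot \
  python3-certbot-nginx \
  fail2ban \
  ufw \
  logrotate \
  ca-certificates \
  curl \
  jq \
  bc \
  htop \
  tree \
  unzip \
  wget \
  ffmpeg

# Verify Go installation
command -v go >/dev/null 2>&1 || die "Go installation failed"
GO_VERSION=$(go version | grep -o 'go[0-9.]*' | head -1)
echo "✅ Go $GO_VERSION installed"

# ---------------------------------------------------------------------------
# Step 2: Build application
# ---------------------------------------------------------------------------
if [[ "$SKIP_BUILD" = false ]]; then
  echo "🔨 Building Torrent Gateway..."
  go mod download
  build_version="$(git describe --tags --always 2>/dev/null || echo 'dev')"
  build_time="$(date -u +%Y-%m-%dT%H:%M:%SZ)"
  # Build the package directory rather than a single file so other files in
  # package main are not silently left out; -trimpath keeps local build paths
  # out of the shipped binary.
  go build -trimpath -o bin/gateway \
    -ldflags "-X main.version=${build_version} -X main.buildTime=${build_time} -s -w" \
    ./cmd/gateway
  [[ -f bin/gateway ]] || die "Build failed"
  echo "✅ Application built successfully"
else
  echo "⏭️  Skipping build (using existing binary)"
  [[ -f bin/gateway ]] || die "No existing binary found. Remove --skip-build or build first."
fi

# ---------------------------------------------------------------------------
# Step 3: Setup systemd service
# ---------------------------------------------------------------------------
echo "⚙️  Setting up systemd service..."
systemd_args=()
if [[ "$ENABLE_MONITORING" = true && "$USE_EXISTING_MONITORING" = false ]]; then
  systemd_args+=(--with-monitoring)
elif [[ "$USE_EXISTING_MONITORING" = true ]]; then
  systemd_args+=(--use-existing-monitoring)
fi
./scripts/setup_systemd.sh "${systemd_args[@]}"

# Step 4: Configure cache (in-memory LRU - no Redis needed)
echo "🧠 Gateway uses in-memory LRU cache (no Redis required)"

# ---------------------------------------------------------------------------
# Step 5: Setup monitoring (if requested)
# ---------------------------------------------------------------------------
if [[ "$ENABLE_MONITORING" = true ]]; then
  echo "📊 Installing monitoring components..."

  # Install Node Exporter for system metrics
  NODE_EXPORTER_VERSION="1.7.0"
  host_arch="$(dpkg --print-architecture)"
  case "$host_arch" in
    amd64) ne_arch=amd64 ;;
    arm64) ne_arch=arm64 ;;
    armhf) ne_arch=armv7 ;;
    *) die "Unsupported architecture for node_exporter: $host_arch" ;;
  esac
  ne_name="node_exporter-${NODE_EXPORTER_VERSION}.linux-${ne_arch}"
  ne_base="https://github.com/prometheus/node_exporter/releases/download/v${NODE_EXPORTER_VERSION}"

  # Work in a private temp dir (not a predictable path under /tmp) and never
  # change the script's own working directory.
  ne_tmp="$(mktemp -d)"
  trap 'rm -rf -- "$ne_tmp"' EXIT
  (
    cd "$ne_tmp"
    wget -q "${ne_base}/${ne_name}.tar.gz" "${ne_base}/sha256sums.txt"
    # Verify the tarball against the checksum file published with the release
    # before anything from it is unpacked or installed.
    sha256sum --check --ignore-missing sha256sums.txt
    tar -xzf "${ne_name}.tar.gz"
    install -d -m 0755 /opt/node_exporter
    install -m 0755 "${ne_name}/node_exporter" /opt/node_exporter/node_exporter
  )
  rm -rf -- "$ne_tmp"
  trap - EXIT

  # The unit runs as 'prometheus'; create the account if nothing else did.
  if ! id -u prometheus >/dev/null 2>&1; then
    useradd --system --no-create-home --shell /usr/sbin/nologin prometheus
  fi

  # Create node_exporter systemd service. It binds to loopback only: the
  # firewall rules below admit 9100 from 127.0.0.1 alone, so nothing else is
  # meant to reach it.
  cat > /etc/systemd/system/node-exporter.service << 'EOF'
[Unit]
Description=Node Exporter
After=network.target

[Service]
Type=simple
User=prometheus
Group=prometheus
ExecStart=/opt/node_exporter/node_exporter --web.listen-address=127.0.0.1:9100
Restart=always
RestartSec=5
# node_exporter only reads /proc and /sys; keep the rest of the system closed.
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true

[Install]
WantedBy=multi-user.target
EOF

  systemctl daemon-reload
  systemctl enable node-exporter
  systemctl restart node-exporter
  echo "✅ Node Exporter installed and started"
fi

# ---------------------------------------------------------------------------
# Step 6: Configure nginx
# ---------------------------------------------------------------------------
echo "🌐 Configuring nginx..."

# Shell variables are expanded here; nginx variables are escaped as \$var.
cat > /etc/nginx/sites-available/torrent-gateway << EOF
# Forward "Connection: upgrade" only for real WebSocket handshakes.
map \$http_upgrade \$connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 80;
    listen [::]:80;
    server_name ${DOMAIN:-_};

    # Do not advertise the nginx version in headers and error pages.
    server_tokens off;

    # Security headers
    add_header X-Frame-Options "SAMEORIGIN" always;
    # "0" disables the legacy browser XSS auditor, which is the current
    # recommendation; "1; mode=block" is deprecated.
    add_header X-XSS-Protection "0" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;

    # Main application proxy
    location / {
        proxy_pass http://127.0.0.1:9877;
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;

        # WebSocket support
        proxy_http_version 1.1;
        proxy_set_header Upgrade \$http_upgrade;
        proxy_set_header Connection \$connection_upgrade;

        # Timeouts for large uploads
        proxy_connect_timeout 60s;
        proxy_send_timeout 300s;
        proxy_read_timeout 300s;
    }

    # Health check endpoint
    location /health {
        access_log off;
        proxy_pass http://127.0.0.1:9877/api/health;
    }

    # Increase client max body size for file uploads
    client_max_body_size 10G;
    client_body_timeout 300s;
    client_header_timeout 300s;

    # Enable gzip compression
    gzip on;
    gzip_vary on;
    gzip_min_length 1024;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_types text/plain text/css text/xml text/javascript application/json application/javascript application/xml+rss application/atom+xml image/svg+xml;
}
EOF

# Enable the site
ln -sf /etc/nginx/sites-available/torrent-gateway /etc/nginx/sites-enabled/
rm -f /etc/nginx/sites-enabled/default

# Test nginx configuration (checked directly: set -e would otherwise exit
# before a separate '$?' test could report anything)
nginx -t || die "Nginx configuration error"
echo "✅ Nginx configured"

# ---------------------------------------------------------------------------
# Step 7: Setup SSL with certbot (if domain provided)
# ---------------------------------------------------------------------------
if [[ -n "$DOMAIN" && "$SKIP_SSL" = false ]]; then
  echo "🔐 Setting up SSL certificate for $DOMAIN..."

  if [[ -z "$EMAIL" ]]; then
    echo "❌ Email is required for SSL certificate" >&2
    echo "Please provide --email argument or use --skip-ssl" >&2
    exit 1
  fi

  # Start nginx to respond to HTTP challenges
  systemctl start nginx

  # Get SSL certificate. Tested in the 'if' itself so a failure reaches the
  # HTTP-only fallback instead of aborting the whole install under set -e.
  # --redirect makes the HTTP->HTTPS redirect explicit.
  if certbot --nginx --non-interactive --agree-tos --redirect --email "$EMAIL" -d "$DOMAIN"; then
    echo "✅ SSL certificate obtained successfully"

    # Setup auto-renewal. The Debian/Ubuntu certbot package ships
    # certbot.timer; only add a cron entry when no timer is active, and
    # never append a duplicate on re-runs.
    if systemctl is-enabled certbot.timer >/dev/null 2>&1; then
      echo "✅ SSL auto-renewal handled by certbot.timer"
    elif crontab -l 2>/dev/null | grep -Fq 'certbot renew'; then
      echo "✅ SSL auto-renewal already configured in root's crontab"
    else
      (crontab -l 2>/dev/null; echo "0 12 * * * /usr/bin/certbot renew --quiet") | crontab -
      echo "✅ SSL auto-renewal configured"
    fi
  else
    echo "⚠️  SSL certificate setup failed. Continuing with HTTP only."
    echo "You may need to:"
    echo "  1. Ensure $DOMAIN points to this server's IP"
    echo "  2. Check firewall allows ports 80/443"
    echo "  3. Run: sudo certbot --nginx -d $DOMAIN"
  fi
else
  if [[ -n "$DOMAIN" ]]; then
    echo "⏭️  Skipping SSL setup (--skip-ssl specified)"
  else
    echo "⏭️  Skipping SSL setup (no domain provided)"
  fi
fi

# ---------------------------------------------------------------------------
# Step 8: Configure comprehensive firewall
# ---------------------------------------------------------------------------
echo "🔒 Configuring comprehensive firewall..."

command -v ufw >/dev/null 2>&1 || {
  echo "❌ UFW not available, firewall configuration failed" >&2
  echo "Please install ufw: apt-get install -y ufw" >&2
  exit 1
}

# Reset UFW to defaults (drops any pre-existing rules on this host)
echo "Resetting UFW to defaults..."
ufw --force reset

# Set default policies
ufw default deny incoming
ufw default allow outgoing

# Allow SSH with rate limiting
ufw limit ssh/tcp comment "SSH with rate limiting"

# Plain allow for the web ports: 'ufw limit' denies a source after 6 new
# connections in 30 seconds, which ordinary browsers exceed on a page load.
# HTTP abuse is handled by fail2ban instead.
ufw allow 80/tcp comment "HTTP"
ufw allow 443/tcp comment "HTTPS"

# Configure monitoring ports based on setup
if [[ "$ENABLE_MONITORING" = true ]]; then
  # New monitoring stack - localhost only (ufw already accepts loopback;
  # these rules document the intent and restrict the ports to TCP)
  ufw allow from 127.0.0.1 to any port 9090 proto tcp comment "Prometheus (localhost)"
  ufw allow from 127.0.0.1 to any port 3000 proto tcp comment "Grafana (localhost)"
  ufw allow from 127.0.0.1 to any port 9100 proto tcp comment "Node Exporter (localhost)"
  echo "📊 Monitoring ports configured for localhost access only"
elif [[ "$USE_EXISTING_MONITORING" = true ]]; then
  # Existing monitoring stack - allow the scraper in. Port 9877 is the gateway
  # itself, reached directly and therefore bypassing nginx and fail2ban.
  metrics_src="${MONITORING_CIDR:-any}"
  if [[ -z "$MONITORING_CIDR" ]]; then
    echo "⚠️  Metrics ports 9090/3000/9100/9877 will be reachable from ANY address." >&2
    echo "    Pass --monitoring-cidr <your monitoring server> to restrict them." >&2
  fi
  for metrics_port in 9090 3000 9100 9877; do
    ufw allow from "$metrics_src" to any port "$metrics_port" proto tcp \
      comment "Monitoring from ${metrics_src}"
  done
  echo "📊 Monitoring ports opened for external monitoring server (${metrics_src})"
fi

# Gateway uses in-memory cache (no Redis ports needed)

# Explicit denies for commonly probed services. Redundant with the default
# deny policy, kept so they show up by name in 'ufw status'.
ufw deny 23/tcp comment "Block Telnet"
ufw deny 135/tcp comment "Block RPC"
ufw deny 445/tcp comment "Block SMB"
ufw deny 1433/tcp comment "Block MSSQL"
ufw deny 3389/tcp comment "Block RDP"

# Enable logging for security monitoring
ufw logging medium

# Enable UFW
echo "Enabling UFW firewall..."
ufw --force enable

# Show final status
echo "📋 Firewall Status:"
ufw status numbered
echo "✅ Comprehensive firewall configured"

# Step 9: Configure fail2ban
echo "🛡️  Configuring fail2ban..."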
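# ---------------------------------------------------------------------------
# Step 9 (cont.): fail2ban jails for nginx and SSH
# ---------------------------------------------------------------------------
# banaction is set here in [DEFAULT]. (A sed on 'banaction = iptables-multiport'
# cannot work: that line never appears in a jail.local written by this script.)
# 'ufw' is the action shipped in the fail2ban package's action.d/ufw.conf, so the
# bans appear in 'ufw status' next to the installer's own rules.
cat > /etc/fail2ban/jail.local << 'EOF'
[DEFAULT]
# Ban hosts for 1 hour (3600 seconds)
bantime = 3600
# A host is banned if it has generated "maxretry" during the last "findtime" seconds
findtime = 600
maxretry = 5
# Ban through ufw (packaged action.d/ufw.conf)
banaction = ufw
banaction_allports = ufw

# Email settings (optional)
# destemail = your@email.com
# sendername = Fail2Ban
# action = %(action_mwl)s

[sshd]
enabled = true
port = ssh
# Read sshd events from the journal: /var/log/auth.log does not exist on
# hosts without rsyslog, and a missing logpath stops the jail from starting.
backend = systemd
bantime = 3600
maxretry = 3

[nginx-http-auth]
enabled = true
port = http,https
logpath = /var/log/nginx/error.log
bantime = 3600
maxretry = 6

[nginx-noscript]
enabled = true
port = http,https
logpath = /var/log/nginx/access.log
bantime = 3600
maxretry = 6

[nginx-badbots]
enabled = true
port = http,https
logpath = /var/log/nginx/access.log
bantime = 86400
maxretry = 2

[nginx-noproxy]
enabled = true
port = http,https
logpath = /var/log/nginx/access.log
bantime = 3600
maxretry = 2

# Only produces matches if the nginx site defines limit_req zones; the
# installer's site does not, so this jail is dormant until one is added.
[nginx-limit-req]
enabled = true
port = http,https
logpath = /var/log/nginx/error.log
bantime = 3600
maxretry = 10
EOF

# Create custom filter for torrent gateway specific attacks.
# <HOST> is fail2ban's mandatory capture for the client address (first field of
# nginx's combined access log). Only API rate-limit (429), oversized upload
# (413) and auth failures (401/403) on /api count: a generic 4xx match would
# ban ordinary users after a handful of 404s.
cat > /etc/fail2ban/filter.d/torrent-gateway.conf << 'EOF'
[Definition]
# Fail regex for torrent gateway API abuse (nginx combined log format)
failregex = ^<HOST> .* "(?:GET|POST) /api/.* HTTP/.*" 429 .*$
            ^<HOST> .* "(?:GET|POST) /api/upload.* HTTP/.*" 413 .*$
            ^<HOST> .* "(?:GET|POST|PUT|DELETE) /api/.* HTTP/.*" 40[13] .*$

ignoreregex =
EOF

# Add torrent gateway jail
cat >> /etc/fail2ban/jail.local << 'EOF'

[torrent-gateway]
enabled = true
port = http,https
logpath = /var/log/nginx/access.log
filter = torrent-gateway
bantime = 1800
maxretry = 15
EOF

# The fail2ban package ships action.d/ufw.conf; do not clobber it. Provide a
# minimal equivalent only when it is genuinely missing.
if [[ ! -f /etc/fail2ban/action.d/ufw.conf ]]; then
  cat > /etc/fail2ban/action.d/ufw.conf << 'EOF'
[Definition]
actionstart =
actionstop =
actioncheck =
actionban = ufw insert 1 deny from <ip> to any
actionunban = ufw --force delete deny from <ip> to any
EOF
fi

# Validate the configuration before restarting so a typo is reported here
# rather than as a silently dead fail2ban service.
if ! fail2ban-client -t >/dev/null; then
  echo "❌ fail2ban configuration test failed" >&2
  exit 1
fi

# Enable and start fail2ban
systemctl enable fail2ban
systemctl restart fail2ban

# Wait a moment for fail2ban to start
sleep 3
echo "📋 Fail2ban Status:"
fail2ban-client status
echo "✅ Fail2ban configured with nginx and SSH protection"

# ---------------------------------------------------------------------------
# Step 10: Create maintenance scripts
# ---------------------------------------------------------------------------
echo "🛠️  Creating maintenance scripts..."

# Maintenance cron jobs. Written in one go so re-running the installer never
# appends duplicate entries.
cat > /etc/cron.d/torrent-gateway << 'EOF'
# Torrent Gateway maintenance cron jobs

# Daily backup at 2 AM
0 2 * * * root /opt/torrent-gateway/scripts/backup.sh > /var/log/torrent-gateway-backup.log 2>&1

# Database maintenance at 3 AM
0 3 * * * root /opt/torrent-gateway/scripts/migrate.sh > /var/log/torrent-gateway-migrate.log 2>&1

# Health check every 5 minutes
*/5 * * * * root /opt/torrent-gateway/scripts/health_check.sh > /var/log/torrent-gateway-health.log 2>&1 || true

# Weekly cleanup of old logs, surplus backups and stale chunk files (Sunday 4 AM)
0 4 * * 0 root /opt/torrent-gateway/scripts/cleanup.sh > /var/log/torrent-gateway-cleanup.log 2>&1
EOF
# cron ignores /etc/cron.d files that are group/world writable.
chmod 0644 /etc/cron.d/torrent-gateway

# Create log cleanup script
cat > /opt/torrent-gateway/scripts/cleanup.sh << 'EOF'
#!/bin/bash
# Cleanup Script
# Removes old logs, surplus backups and stale temporary chunk files.
set -euo pipefail

INSTALL_DIR="/opt/torrent-gateway"
KEEP_BACKUPS=30
cd "$INSTALL_DIR"

echo "🧹 Cleaning up old files..."

# Remove old log files (older than 30 days); a missing directory is not an error.
if [[ -d logs ]]; then
  find logs/ -name "*.log" -mtime +30 -delete
fi

# Keep only the newest $KEEP_BACKUPS files matching a pattern. Ordered by
# mtime via find/sort instead of parsing 'ls' output.
prune_old() {
  local pattern=$1
  [[ -d backups ]] || return 0
  find backups/ -maxdepth 1 -type f -name "$pattern" -printf '%T@ %p\0' \
    | sort -z -rn \
    | tail -z -n +"$((KEEP_BACKUPS + 1))" \
    | cut -z -d' ' -f2- \
    | xargs -0 -r rm -f --
}
prune_old 'gateway_backup_*.tar.gz'
prune_old 'database_*.sql'

# Clean up temporary chunk files older than a day
if [[ -d data/chunks ]]; then
  find data/chunks/ -name "*.tmp" -mtime +1 -delete
fi

echo "✅ Cleanup completed"
EOF
chmod +x /opt/torrent-gateway/scripts/cleanup.sh

# Step 11: Final service startup
echo "🚀 Starting all services..."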
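# ---------------------------------------------------------------------------
# Step 11 (cont.): start services and verify
# ---------------------------------------------------------------------------
# Start dependencies first
systemctl start nginx

if [[ "$ENABLE_MONITORING" = true ]]; then
  # NOTE(review): this installer only sets up node_exporter itself; the
  # prometheus and grafana-server units are presumably provided by
  # scripts/setup_systemd.sh --with-monitoring. Confirm before relying on it.
  systemctl start prometheus
  systemctl start grafana-server
fi

# Start main service
/opt/torrent-gateway/scripts/start.sh

# Wait for service to be ready. 'timeout' exits 124 on expiry, which set -e
# would turn into a silent abort; report it instead.
echo "⏳ Waiting for services to be ready..."
if ! timeout 60 bash -c 'until curl -sf http://localhost:9877/api/health; do sleep 2; done'; then
  echo "❌ Gateway did not answer on http://localhost:9877/api/health within 60s" >&2
  echo "Check logs: journalctl -u torrent-gateway" >&2
  exit 1
fi

# Test nginx proxy
echo "🧪 Testing nginx proxy..."
if ! timeout 30 bash -c 'until curl -sf http://localhost/api/health; do sleep 2; done'; then
  echo "❌ nginx did not proxy http://localhost/api/health within 30s" >&2
  echo "Check logs: journalctl -u nginx; tail /var/log/nginx/error.log" >&2
  exit 1
fi

# Run health checks. Tested in the 'if' itself: with set -e a separate
# '$?' check would never be reached on failure.
echo "🏥 Running health checks..."
if /opt/torrent-gateway/scripts/health_check.sh; then
  echo ""
  echo "🎉 Installation completed successfully!"
  echo ""
  echo "📊 Service Information:"
  echo "  Status: systemctl status torrent-gateway"
  echo "  Logs: journalctl -u torrent-gateway -f"
  echo "  Config: /opt/torrent-gateway/"
  echo ""
  echo "🌐 Access URLs:"
  # Advertise https only when a certificate actually exists for the domain
  # (certbot stores it under /etc/letsencrypt/live/<domain>).
  if [[ -n "$DOMAIN" && "$SKIP_SSL" = false && -d "/etc/letsencrypt/live/$DOMAIN" ]]; then
    echo "  Gateway: https://$DOMAIN"
    echo "  API: https://$DOMAIN/api/"
    echo "  Admin Panel: https://$DOMAIN/admin"
  elif [[ -n "$DOMAIN" ]]; then
    echo "  Gateway: http://$DOMAIN"
    echo "  API: http://$DOMAIN/api/"
    echo "  Admin Panel: http://$DOMAIN/admin"
    echo "  ⚠️  No TLS: logins to the admin panel travel in clear text."
  else
    echo "  Gateway: http://localhost (or http://YOUR_SERVER_IP)"
    echo "  API: http://localhost/api/"
    echo "  Admin Panel: http://localhost/admin"
    echo "  ⚠️  No TLS: logins to the admin panel travel in clear text."
  fi

  if [[ "$ENABLE_MONITORING" = true ]]; then
    echo "  Prometheus: http://localhost:9090"
    echo "  Grafana: http://localhost:3000 (admin/admin)"
    echo "  ⚠️  Change the default Grafana password on first login."
  elif [[ "$USE_EXISTING_MONITORING" = true ]]; then
    echo "  Node Exporter: http://localhost:9100/metrics (for your Prometheus)"
    echo "  Gateway Metrics: http://localhost:9877/metrics"
  fi

  echo ""
  echo "🔧 Management Commands:"
  echo "  Start: sudo systemctl start torrent-gateway"
  echo "  Stop: sudo systemctl stop torrent-gateway"
  echo "  Restart: sudo systemctl restart torrent-gateway"
  echo "  Status: sudo systemctl status torrent-gateway"
  echo "  Nginx: sudo systemctl restart nginx"
  echo ""
  echo "💾 Backup & Restore:"
  echo "  Backup: sudo /opt/torrent-gateway/scripts/backup.sh"
  echo "  Restore: sudo /opt/torrent-gateway/scripts/restore.sh BACKUP_FILE"
  echo ""
  echo "📝 Logs and Monitoring:"
  echo "  App logs: sudo journalctl -u torrent-gateway -f"
  echo "  Nginx logs: sudo tail -f /var/log/nginx/error.log"
  echo "  System logs: sudo tail -f /var/log/syslog"
  echo "  Health: sudo /opt/torrent-gateway/scripts/health_check.sh"
  echo ""
  echo "🛡️  Security Features Enabled:"
  echo "  UFW Firewall: sudo ufw status"
  echo "  Fail2ban: sudo fail2ban-client status"
  echo "  SSL Certs: sudo certbot certificates"
  echo ""

  if [[ -n "$DOMAIN" ]]; then
    echo "🔐 SSL Certificate:"
    echo "  Status: sudo certbot certificates"
    echo "  Renew: sudo certbot renew"
    echo "  Test Renew: sudo certbot renew --dry-run"
    echo ""
  fi

  # The public address is looked up through a third-party service; bounded
  # by --max-time so a blocked egress cannot hang the installer.
  public_ip="$(curl -s --max-time 5 https://api.ipify.org || echo 'YOUR_SERVER_IP')"

  echo "🛠️  Domain Setup Instructions:"
  echo ""
  echo "  To use a custom domain, you need to:"
  echo "  1. Point your domain's DNS A record to this server's IP"
  echo "  2. Ensure ports 80 and 443 are open in your firewall"
  echo "  3. Re-run install with: sudo $0 --domain yourdomain.com --email your@email.com"
  echo ""
  echo "  Example DNS setup:"
  echo "  - Type: A"
  echo "  - Name: gateway (or @ for root domain)"
  echo "  - Value: ${public_ip}"
  echo "  - TTL: 300 (5 minutes)"
  echo ""
  echo "  After DNS propagation (usually 5-60 minutes), re-run the command in step 3 to obtain the certificate."
else
  echo "❌ Installation completed but health checks failed" >&2
  echo "Check logs: journalctl -u torrent-gateway" >&2
  exit 1
fi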