enki/torrent-gateway
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
torrent-gateway/scripts/install_native.sh
enki 963966ee0c
Some checks are pending
CI Pipeline / Run Tests (push) Waiting to run
Details
CI Pipeline / Lint Code (push) Waiting to run
Details
CI Pipeline / Security Scan (push) Waiting to run
Details
CI Pipeline / E2E Tests (push) Blocked by required conditions
Details
more install fixes
2025-08-27 13:36:10 -07:00

704 lines
21 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
# Native Installation Script
# Complete setup for Torrent Gateway without Docker
set -e
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_ROOT="$(dirname "$SCRIPT_DIR")"
echo "🚀 Torrent Gateway Native Installation"
echo "======================================"
# Check if running as root
if [ "$EUID" -ne 0 ]; then
echo "❌ This script must be run as root"
echo "Please run: sudo $0"
exit 1
fi
# Parse arguments
ENABLE_MONITORING=false
SKIP_BUILD=false
DOMAIN=""
EMAIL=""
SKIP_SSL=false
USE_EXISTING_MONITORING=false
while [[ $# -gt 0 ]]; do
case $1 in
--with-monitoring)
ENABLE_MONITORING=true
shift
;;
--skip-build)
SKIP_BUILD=true
shift
;;
--domain)
DOMAIN="$2"
shift 2
;;
--email)
EMAIL="$2"
shift 2
;;
--skip-ssl)
SKIP_SSL=true
shift
;;
--use-existing-monitoring)
USE_EXISTING_MONITORING=true
shift
;;
--non-interactive)
INTERACTIVE=false
shift
;;
--help)
echo "Usage: $0 [OPTIONS]"
echo ""
echo "Options:"
echo " --with-monitoring Install Prometheus, Grafana, and AlertManager"
echo " --skip-build Skip building the application (use existing binary)"
echo " --domain DOMAIN Domain name for SSL certificate (e.g., gateway.example.com)"
echo " --email EMAIL Email for Let's Encrypt certificate notifications (required for SSL)"
echo " --skip-ssl Skip SSL/HTTPS setup (HTTP only)"
echo " --use-existing-monitoring Don't install Prometheus/Grafana (use existing stack)"
echo " --non-interactive Skip all prompts (use command line flags only)"
echo " --help Show this help message"
echo ""
echo "Example:"
echo " $0 --domain gateway.example.com --email admin@example.com"
exit 0
;;
*)
echo "Unknown option: $1"
echo "Use --help for usage information"
exit 1
;;
esac
done
# Check for INTERACTIVE variable (add if not exists)
if [ -z "${INTERACTIVE+x}" ]; then
INTERACTIVE=true
fi
# Interactive setup for monitoring if not specified
if [ "$INTERACTIVE" = true ] && [ "$ENABLE_MONITORING" = false ] && [ "$USE_EXISTING_MONITORING" = false ]; then
echo ""
echo "🔍 Monitoring Setup"
echo "==================="
echo "Do you have an existing Prometheus/Grafana monitoring stack? (y/N)"
read -r HAS_EXISTING
if [ "${HAS_EXISTING,,}" = "y" ] || [ "${HAS_EXISTING,,}" = "yes" ]; then
USE_EXISTING_MONITORING=true
echo "✅ Will configure for existing monitoring stack"
else
echo "Would you like to install a new Prometheus/Grafana monitoring stack? (Y/n)"
read -r INSTALL_NEW
if [ "${INSTALL_NEW,,}" != "n" ] && [ "${INSTALL_NEW,,}" != "no" ]; then
ENABLE_MONITORING=true
echo "✅ Will install new monitoring stack"
else
echo "✅ Will skip monitoring installation"
fi
fi
fi
# Interactive domain setup if not specified
if [ "$INTERACTIVE" = true ] && [ -z "$DOMAIN" ] && [ "$SKIP_SSL" = false ]; then
echo ""
echo "🔐 SSL/Domain Setup"
echo "=================="
echo "Do you want to configure SSL/HTTPS with a domain name? (Y/n)"
read -r SETUP_SSL
if [ "${SETUP_SSL,,}" != "n" ] && [ "${SETUP_SSL,,}" != "no" ]; then
echo "Enter your domain name (e.g., gateway.example.com):"
read -r DOMAIN
if [ -n "$DOMAIN" ]; then
echo "Enter your email for SSL certificate notifications:"
read -r EMAIL
if [ -z "$EMAIL" ]; then
echo "⚠️ Email is required for SSL certificates. Skipping SSL setup."
DOMAIN=""
SKIP_SSL=true
fi
else
SKIP_SSL=true
fi
else
SKIP_SSL=true
fi
fi
echo ""
echo "Configuration:"
echo " Monitoring: $ENABLE_MONITORING"
echo " Use existing monitoring: $USE_EXISTING_MONITORING"
echo " Skip build: $SKIP_BUILD"
echo " Domain: ${DOMAIN:-'Not set (HTTP only)'}"
echo " Email: ${EMAIL:-'Not set'}"
echo " Skip SSL: $SKIP_SSL"
echo ""
cd "$PROJECT_ROOT"
# Step 1: Install system dependencies
echo "📦 Installing system dependencies..."
apt-get update
apt-get install -y \
golang-go \
git \
sqlite3 \
nginx \
certbot \
python3-certbot-nginx \
fail2ban \
ufw \
logrotate \
curl \
jq \
bc \
htop \
tree \
unzip \
wget \
ffmpeg
# Verify Go installation
if ! command -v go &> /dev/null; then
echo "❌ Go installation failed"
exit 1
fi
GO_VERSION=$(go version | grep -o 'go[0-9.]*' | head -1)
echo "✅ Go $GO_VERSION installed"
# Step 2: Build application
if [ "$SKIP_BUILD" = false ]; then
echo "🔨 Building Torrent Gateway..."
# Install Go dependencies
go mod download
# Create bin directory if it doesn't exist
mkdir -p bin
# Build binary
go build -o bin/gateway \
-ldflags "-X main.version=$(git describe --tags --always 2>/dev/null || echo 'dev') -X main.buildTime=$(date -u +%Y-%m-%dT%H:%M:%SZ) -s -w" \
./cmd/gateway
if [ ! -f "bin/gateway" ]; then
echo "❌ Build failed"
exit 1
fi
echo "✅ Application built successfully"
else
echo "⏭️ Skipping build (using existing binary)"
if [ ! -f "bin/gateway" ]; then
echo "❌ No existing binary found. Remove --skip-build or build first."
exit 1
fi
fi
# Step 3: Setup systemd service
echo "⚙️ Setting up systemd service..."
MONITORING_FLAG=""
if [ "$ENABLE_MONITORING" = true ] && [ "$USE_EXISTING_MONITORING" = false ]; then
MONITORING_FLAG="--with-monitoring"
elif [ "$USE_EXISTING_MONITORING" = true ]; then
MONITORING_FLAG="--use-existing-monitoring"
fi
./scripts/setup_systemd.sh $MONITORING_FLAG --skip-build
# Step 4: Configure cache (in-memory LRU - no Redis needed)
echo "🧠 Gateway uses in-memory LRU cache (no Redis required)"
# Step 5: Setup monitoring (if requested)
if [ "$ENABLE_MONITORING" = true ]; then
echo "📊 Installing monitoring components..."
# Install Node Exporter for system metrics
NODE_EXPORTER_VERSION="1.7.0"
cd /tmp
wget "https://github.com/prometheus/node_exporter/releases/download/v${NODE_EXPORTER_VERSION}/node_exporter-${NODE_EXPORTER_VERSION}.linux-amd64.tar.gz"
tar -xzf "node_exporter-${NODE_EXPORTER_VERSION}.linux-amd64.tar.gz"
mkdir -p /opt/node_exporter
cp "node_exporter-${NODE_EXPORTER_VERSION}.linux-amd64/node_exporter" /opt/node_exporter/
# Create node_exporter systemd service
cat > /etc/systemd/system/node-exporter.service << 'EOF'
[Unit]
Description=Node Exporter
After=network.target
[Service]
Type=simple
User=prometheus
Group=prometheus
ExecStart=/opt/node_exporter/node_exporter
Restart=always
RestartSec=5
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable node-exporter
systemctl start node-exporter
echo "✅ Node Exporter installed and started"
fi
# Step 6: Configure nginx
echo "🌐 Configuring nginx..."
# Create nginx configuration
cat > /etc/nginx/sites-available/torrent-gateway << EOF
server {
listen 80;
server_name ${DOMAIN:-'_'};
# Security headers
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
# Main application proxy
location / {
proxy_pass http://127.0.0.1:9877;
proxy_set_header Host \$host;
proxy_set_header X-Real-IP \$remote_addr;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto \$scheme;
# WebSocket support
proxy_http_version 1.1;
proxy_set_header Upgrade \$http_upgrade;
proxy_set_header Connection "upgrade";
# Timeouts for large uploads
proxy_connect_timeout 60s;
proxy_send_timeout 300s;
proxy_read_timeout 300s;
}
# Health check endpoint
location /health {
access_log off;
proxy_pass http://127.0.0.1:9877/api/health;
}
# Increase client max body size for file uploads
client_max_body_size 10G;
client_body_timeout 300s;
client_header_timeout 300s;
# Enable gzip compression
gzip on;
gzip_vary on;
gzip_min_length 1024;
gzip_proxied any;
gzip_comp_level 6;
gzip_types
text/plain
text/css
text/xml
text/javascript
application/json
application/javascript
application/xml+rss
application/atom+xml
image/svg+xml;
}
EOF
# Enable the site
ln -sf /etc/nginx/sites-available/torrent-gateway /etc/nginx/sites-enabled/
rm -f /etc/nginx/sites-enabled/default
# Test nginx configuration
nginx -t
if [ $? -ne 0 ]; then
echo "❌ Nginx configuration error"
exit 1
fi
echo "✅ Nginx configured"
# Step 7: Setup SSL with certbot (if domain provided)
if [ -n "$DOMAIN" ] && [ "$SKIP_SSL" = false ]; then
echo "🔐 Setting up SSL certificate for $DOMAIN..."
if [ -z "$EMAIL" ]; then
echo "❌ Email is required for SSL certificate"
echo "Please provide --email argument or use --skip-ssl"
exit 1
fi
# Start nginx to respond to HTTP challenges
systemctl start nginx
# Get SSL certificate
certbot --nginx --non-interactive --agree-tos --email "$EMAIL" -d "$DOMAIN"
if [ $? -eq 0 ]; then
echo "✅ SSL certificate obtained successfully"
# Setup auto-renewal
(crontab -l 2>/dev/null; echo "0 12 * * * /usr/bin/certbot renew --quiet") | crontab -
echo "✅ SSL auto-renewal configured"
else
echo "⚠️ SSL certificate setup failed. Continuing with HTTP only."
echo "You may need to:"
echo " 1. Ensure $DOMAIN points to this server's IP"
echo " 2. Check firewall allows ports 80/443"
echo " 3. Run: sudo certbot --nginx -d $DOMAIN"
fi
else
if [ -n "$DOMAIN" ]; then
echo "⏭️ Skipping SSL setup (--skip-ssl specified)"
else
echo "⏭️ Skipping SSL setup (no domain provided)"
fi
fi
# Step 8: Configure comprehensive firewall
echo "🔒 Configuring comprehensive firewall..."
if command -v ufw &> /dev/null; then
# Reset UFW to defaults
echo "Resetting UFW to defaults..."
ufw --force reset
# Set default policies
ufw default deny incoming
ufw default allow outgoing
# Allow SSH with rate limiting
ufw limit ssh/tcp comment "SSH with rate limiting"
# Allow HTTP/HTTPS with rate limiting
ufw limit 80/tcp comment "HTTP with rate limiting"
ufw limit 443/tcp comment "HTTPS with rate limiting"
# Configure monitoring ports based on setup
if [ "$ENABLE_MONITORING" = true ]; then
# New monitoring stack - localhost only
ufw allow from 127.0.0.1 to any port 9090 comment "Prometheus (localhost)"
ufw allow from 127.0.0.1 to any port 3000 comment "Grafana (localhost)"
ufw allow from 127.0.0.1 to any port 9100 comment "Node Exporter (localhost)"
echo "📊 Monitoring ports configured for localhost access only"
elif [ "$USE_EXISTING_MONITORING" = true ]; then
# Existing monitoring stack - allow external access
ufw allow 9090/tcp comment "Prometheus for existing monitoring"
ufw allow 3000/tcp comment "Grafana for existing monitoring"
ufw allow 9100/tcp comment "Node Exporter for existing monitoring"
ufw allow 9877/tcp comment "Gateway metrics for existing monitoring"
echo "📊 Monitoring ports opened for external monitoring server"
fi
# Gateway uses in-memory cache (no Redis ports needed)
# Block common attack vectors
ufw deny 23/tcp comment "Block Telnet"
ufw deny 135/tcp comment "Block RPC"
ufw deny 445/tcp comment "Block SMB"
ufw deny 1433/tcp comment "Block MSSQL"
ufw deny 3389/tcp comment "Block RDP"
# Enable logging for security monitoring
ufw logging medium
# Enable UFW
echo "Enabling UFW firewall..."
ufw --force enable
# Show final status
echo "📋 Firewall Status:"
ufw status numbered
echo "✅ Comprehensive firewall configured"
else
echo "❌ UFW not available, firewall configuration failed"
echo "Please install ufw: apt-get install -y ufw"
exit 1
fi
# Step 9: Configure fail2ban
echo "🛡️ Configuring fail2ban..."
# Configure fail2ban for nginx and SSH protection
cat > /etc/fail2ban/jail.local << 'EOF'
[DEFAULT]
# Ban hosts for 1 hour (3600 seconds)
bantime = 3600
# A host is banned if it has generated "maxretry" during the last "findtime" seconds
findtime = 600
maxretry = 5
# Email settings (optional)
# destemail = your@email.com
# sendername = Fail2Ban
# action = %(action_mwl)s
[sshd]
enabled = true
port = ssh
logpath = /var/log/auth.log
bantime = 3600
maxretry = 3
[nginx-http-auth]
enabled = true
port = http,https
logpath = /var/log/nginx/error.log
bantime = 3600
maxretry = 6
[nginx-noscript]
enabled = true
port = http,https
logpath = /var/log/nginx/access.log
bantime = 3600
maxretry = 6
[nginx-badbots]
enabled = true
port = http,https
logpath = /var/log/nginx/access.log
bantime = 86400
maxretry = 2
[nginx-noproxy]
enabled = true
port = http,https
logpath = /var/log/nginx/access.log
bantime = 3600
maxretry = 2
[nginx-limit-req]
enabled = true
port = http,https
logpath = /var/log/nginx/error.log
bantime = 3600
maxretry = 10
EOF
# Create custom filter for torrent gateway specific attacks
cat > /etc/fail2ban/filter.d/torrent-gateway.conf << 'EOF'
[Definition]
# Fail regex for torrent gateway API abuse
failregex = ^<HOST> .* "(?:GET|POST) /api/.* HTTP/.*" 429 .*$
^<HOST> .* "(?:GET|POST) /api/upload.* HTTP/.*" 413 .*$
^<HOST> .* ".*" 4[0-9][0-9] .*$
# Ignore successful requests
ignoreregex = ^<HOST> .* "(?:GET|POST) .* HTTP/.*" 2[0-9][0-9] .*$
EOF
# Add torrent gateway jail
cat >> /etc/fail2ban/jail.local << 'EOF'
[torrent-gateway]
enabled = true
port = http,https
logpath = /var/log/nginx/access.log
filter = torrent-gateway
bantime = 1800
maxretry = 15
EOF
# Configure fail2ban to work with UFW
cat > /etc/fail2ban/action.d/ufw.conf << 'EOF'
[Definition]
actionstart =
actionstop =
actioncheck =
actionban = ufw insert 1 deny from <ip> to any comment "fail2ban <name>"
actionunban = ufw --force delete deny from <ip> to any
EOF
# Update fail2ban to use UFW action
sed -i 's/banaction = iptables-multiport/banaction = ufw/' /etc/fail2ban/jail.local
# Enable and start fail2ban
systemctl enable fail2ban
systemctl restart fail2ban
# Wait a moment for fail2ban to start
sleep 3
echo "📋 Fail2ban Status:"
fail2ban-client status
echo "✅ Fail2ban configured with nginx and SSH protection"
# Step 10: Create maintenance scripts
echo "🛠️ Creating maintenance scripts..."
# Create backup cron job
cat > /etc/cron.d/torrent-gateway << 'EOF'
# Torrent Gateway maintenance cron jobs
# Daily backup at 2 AM
0 2 * * * root /opt/torrent-gateway/scripts/backup.sh > /var/log/torrent-gateway-backup.log 2>&1
# Database maintenance at 3 AM
0 3 * * * root /opt/torrent-gateway/scripts/migrate.sh > /var/log/torrent-gateway-migrate.log 2>&1
# Health check every 5 minutes
*/5 * * * * root /opt/torrent-gateway/scripts/health_check.sh > /var/log/torrent-gateway-health.log 2>&1 || true
EOF
# Create log cleanup script
cat > /opt/torrent-gateway/scripts/cleanup.sh << 'EOF'
#!/bin/bash
# Cleanup Script
# Removes old logs and temporary files
set -e
INSTALL_DIR="/opt/torrent-gateway"
cd "$INSTALL_DIR"
echo "🧹 Cleaning up old files..."
# Remove old log files (older than 30 days)
find logs/ -name "*.log" -mtime +30 -delete 2>/dev/null || true
# Remove old backups (keep last 30)
cd backups/
ls -t gateway_backup_*.tar.gz 2>/dev/null | tail -n +31 | xargs rm -f || true
ls -t database_*.sql 2>/dev/null | tail -n +31 | xargs rm -f || true
# Clean up temporary chunk files
find data/chunks/ -name "*.tmp" -mtime +1 -delete 2>/dev/null || true
echo "✅ Cleanup completed"
EOF
chmod +x /opt/torrent-gateway/scripts/cleanup.sh
# Add weekly cleanup to cron
echo "0 4 * * 0 root /opt/torrent-gateway/scripts/cleanup.sh > /var/log/torrent-gateway-cleanup.log 2>&1" >> /etc/cron.d/torrent-gateway
# Step 10: Final service startup
echo "🚀 Starting all services..."
# Start dependencies first
systemctl start nginx
if [ "$ENABLE_MONITORING" = true ]; then
systemctl start prometheus
systemctl start grafana-server
fi
# Start main service
/opt/torrent-gateway/scripts/start.sh
# Wait for service to be ready
echo "⏳ Waiting for services to be ready..."
timeout 60 bash -c 'until curl -sf http://localhost:9877/api/health; do sleep 2; done'
# Test nginx proxy
echo "🧪 Testing nginx proxy..."
timeout 30 bash -c 'until curl -sf http://localhost/api/health; do sleep 2; done'
# Run health checks
echo "🏥 Running health checks..."
/opt/torrent-gateway/scripts/health_check.sh
if [ $? -eq 0 ]; then
echo ""
echo "🎉 Installation completed successfully!"
echo ""
echo "📊 Service Information:"
echo " Status: systemctl status torrent-gateway"
echo " Logs: journalctl -u torrent-gateway -f"
echo " Config: /opt/torrent-gateway/"
echo ""
echo "🌐 Access URLs:"
if [ -n "$DOMAIN" ] && [ "$SKIP_SSL" = false ]; then
echo " Gateway: https://$DOMAIN"
echo " API: https://$DOMAIN/api/"
echo " Admin Panel: https://$DOMAIN/admin"
elif [ -n "$DOMAIN" ]; then
echo " Gateway: http://$DOMAIN"
echo " API: http://$DOMAIN/api/"
echo " Admin Panel: http://$DOMAIN/admin"
else
echo " Gateway: http://localhost (or http://YOUR_SERVER_IP)"
echo " API: http://localhost/api/"
echo " Admin Panel: http://localhost/admin"
fi
if [ "$ENABLE_MONITORING" = true ]; then
echo " Prometheus: http://localhost:9090"
echo " Grafana: http://localhost:3000 (admin/admin)"
elif [ "$USE_EXISTING_MONITORING" = true ]; then
echo " Node Exporter: http://localhost:9100/metrics (for your Prometheus)"
echo " Gateway Metrics: http://localhost:9877/metrics"
echo " Via nginx: http://localhost/node-metrics"
fi
echo ""
echo "🔧 Management Commands:"
echo " Start: sudo systemctl start torrent-gateway"
echo " Stop: sudo systemctl stop torrent-gateway"
echo " Restart: sudo systemctl restart torrent-gateway"
echo " Status: sudo systemctl status torrent-gateway"
echo " Nginx: sudo systemctl restart nginx"
echo ""
echo "💾 Backup & Restore:"
echo " Backup: sudo /opt/torrent-gateway/scripts/backup.sh"
echo " Restore: sudo /opt/torrent-gateway/scripts/restore.sh <timestamp>"
echo ""
echo "📝 Logs and Monitoring:"
echo " App logs: sudo journalctl -u torrent-gateway -f"
echo " Nginx logs: sudo tail -f /var/log/nginx/error.log"
echo " System logs: sudo tail -f /var/log/syslog"
echo " Health: sudo /opt/torrent-gateway/scripts/health_check.sh"
echo ""
echo "🛡️ Security Features Enabled:"
echo " UFW Firewall: sudo ufw status"
echo " Fail2ban: sudo fail2ban-client status"
echo " SSL Certs: sudo certbot certificates"
echo ""
if [ -n "$DOMAIN" ]; then
echo "🔐 SSL Certificate:"
echo " Status: sudo certbot certificates"
echo " Renew: sudo certbot renew"
echo " Test Renew: sudo certbot renew --dry-run"
echo ""
fi
echo "🛠️ Domain Setup Instructions:"
echo ""
echo " To use a custom domain, you need to:"
echo " 1. Point your domain's DNS A record to this server's IP"
echo " 2. Ensure ports 80 and 443 are open in your firewall"
echo " 3. Re-run install with: sudo $0 --domain yourdomain.com --email your@email.com"
echo ""
echo " Example DNS setup:"
echo " - Type: A"
echo " - Name: gateway (or @ for root domain)"
echo " - Value: $(curl -s https://api.ipify.org || echo 'YOUR_SERVER_IP')"
echo " - TTL: 300 (5 minutes)"
echo ""
echo " After DNS propagation (usually 5-60 minutes), SSL will be automatically configured."
else
echo "❌ Installation completed but health checks failed"
echo "Check logs: journalctl -u torrent-gateway"
exit 1
fi
Reference in New Issue View Git Blame Copy Permalink