diff --git a/deployment/bare_metal/.env.dist b/deployment/bare_metal/.env.dist index 59cbf042e..3ce9b4cb5 100644 --- a/deployment/bare_metal/.env.dist +++ b/deployment/bare_metal/.env.dist @@ -91,6 +91,12 @@ META_AUTHOR="Bernd Hückstädt - Gradido-Akademie" # update page shown while updating gradido # page will be fed with status changes NGINX_UPDATE_PAGE_ROOT=/home/gradido/gradido/deployment/bare_metal/nginx/update-page +# NGINX SSL Setup with certbot +# will be generated by start.sh with $COMMUNITY_HOST, only need to set manual if setup differ from default +#NGINX_SSL_CERTIFICATE=/etc/letsencrypt/live/gddhost.tld/fullchain.pem +#NGINX_SSL_CERTIFICATE_KEY=/etc/letsencrypt/live/gddhost.tld/privkey.pem +NGINX_SSL_DHPARAM=/etc/letsencrypt/ssl-dhparams.pem +NGINX_SSL_INCLUDE=/etc/letsencrypt/options-ssl-nginx.conf # LEGACY NGINX_REWRITE_LEGACY_URLS=false diff --git a/deployment/bare_metal/nginx/sites-available/gradido.conf.ssl.template b/deployment/bare_metal/nginx/sites-available/gradido.conf.ssl.template new file mode 100644 index 000000000..a99327745 --- /dev/null +++ b/deployment/bare_metal/nginx/sites-available/gradido.conf.ssl.template @@ -0,0 +1,128 @@ +server { + if ($host = $NGINX_SERVER_NAME) { + return 301 https://$host$request_uri; + } + + server_name $NGINX_SERVER_NAME; + listen 80; + listen [::]:80; + return 404; +} + +server { + server_name $NGINX_SERVER_NAME; + + listen [::]:443 ssl ipv6only=on; + listen 443 ssl; + ssl_certificate $NGINX_SSL_CERTIFICATE; + ssl_certificate_key $NGINX_SSL_CERTIFICATE_KEY; + include $NGINX_SSL_INCLUDE; + ssl_dhparam $NGINX_SSL_DHPARAM; + + include /etc/nginx/common/protect.conf; + include /etc/nginx/common/protect_add_header.conf; + + #gzip_static on; + gzip on; + gzip_proxied any; + gzip_types + text/css + text/javascript + text/xml + text/plain + application/javascript + application/x-javascript + application/json; + + # Legacy URLS + set $REWRITE_LEGACY_URLS "$NGINX_REWRITE_LEGACY_URLS"; + if ($REWRITE_LEGACY_URLS = 'true') { + rewrite ^/vue/?(.*)$ /$1 permanent; + } + + # Frontend (default) + location / { + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection 'upgrade'; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header Host $host; + + proxy_pass http://127.0.0.1:3000; + proxy_redirect off; + + access_log $GRADIDO_LOG_PATH/nginx-access.frontend.log gradido_log; + error_log $GRADIDO_LOG_PATH/nginx-error.frontend.log warn; + } + + # Backend + location /graphql { + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection 'upgrade'; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header Host $host; + + proxy_pass http://127.0.0.1:4000; + proxy_redirect off; + + access_log $GRADIDO_LOG_PATH/nginx-access.backend.log gradido_log; + error_log $GRADIDO_LOG_PATH/nginx-error.backend.log warn; + } + + # Backend webhooks + location /hook { + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection 'upgrade'; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header Host $host; + + proxy_pass http://127.0.0.1:4000/hook; + proxy_redirect off; + + access_log $GRADIDO_LOG_PATH/nginx-access.backend.hook.log gradido_log; + error_log $GRADIDO_LOG_PATH/nginx-error.backend.hook.log warn; + } + + # Webhook reverse proxy + location /hooks/ { + proxy_pass http://127.0.0.1:9000/hooks/; + + access_log $GRADIDO_LOG_PATH/nginx-access.hooks.log gradido_log; + error_log $GRADIDO_LOG_PATH/nginx-error.hooks.log warn; + } + + # Admin Frontend + location /admin { + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection 'upgrade'; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header Host $host; + + proxy_pass http://127.0.0.1:8080/; + proxy_redirect off; + + access_log $GRADIDO_LOG_PATH/nginx-access.admin.log gradido_log; + error_log $GRADIDO_LOG_PATH/nginx-error.admin.log warn; + } + + # Federation + $FEDERATION_NGINX_CONF + + # TODO this could be a performance optimization + #location /vue { + # alias /var/www/html/gradido/frontend/build; + # index index.html; + # + # location ~* \.(png)$ { + # expires 39d; + # } + # try_files $uri $uri/ /index.html = 404; + #} +} \ No newline at end of file diff --git a/deployment/bare_metal/nginx/sites-available/update-page.conf.ssl.template b/deployment/bare_metal/nginx/sites-available/update-page.conf.ssl.template new file mode 100644 index 000000000..ddcb9ffc1 --- /dev/null +++ b/deployment/bare_metal/nginx/sites-available/update-page.conf.ssl.template @@ -0,0 +1,37 @@ + +server { + if ($host = $NGINX_SERVER_NAME) { + return 301 https://$host$request_uri; + } + + server_name $NGINX_SERVER_NAME; + listen 80; + listen [::]:80; + return 404; +} +server { + server_name $NGINX_SERVER_NAME; + + listen [::]:443 ssl ipv6only=on; + listen 443 ssl; + ssl_certificate $NGINX_SSL_CERTIFICATE; + ssl_certificate_key $NGINX_SSL_CERTIFICATE_KEY; + include $NGINX_SSL_INCLUDE; + ssl_dhparam $NGINX_SSL_DHPARAM; + + include /etc/nginx/common/protect.conf; + include /etc/nginx/common/protect_add_header.conf; + + gzip on; + + root $NGINX_UPDATE_PAGE_ROOT; + index updating.html; + + location / { + try_files /updating.html =404; + } + + access_log $GRADIDO_LOG_PATH/nginx-access.update-page.log gradido_log; + error_log $GRADIDO_LOG_PATH/nginx-error.update-page.log warn; +} + diff --git a/deployment/bare_metal/start.sh b/deployment/bare_metal/start.sh index 554b947af..dd185861e 100755 --- a/deployment/bare_metal/start.sh +++ b/deployment/bare_metal/start.sh @@ -41,6 +41,10 @@ else set +o allexport fi +# set env variables dynamic if not already set in .env or .env.dist +: ${NGINX_SSL_CERTIFICATE:=/etc/letsencrypt/live/$COMMUNITY_HOST/fullchain.pem} +: ${NGINX_SSL_CERTIFICATE_KEY:=/etc/letsencrypt/live/$COMMUNITY_HOST/privkey.pem} + # lock start if [ -f $LOCK_FILE ] ; then echo "Already building!" @@ -60,13 +64,8 @@ exec > >(tee -a $UPDATE_HTML) 2>&1 # configure nginx for the update-page echo 'Configuring nginx to serve the update-page' >> $UPDATE_HTML - -ln -s $SCRIPT_PATH/nginx/sites-available/update-page.conf $SCRIPT_PATH/nginx/sites-enabled/default +ln -sf $SCRIPT_DIR/nginx/sites-available/update-page.conf $SCRIPT_DIR/nginx/sites-enabled/default sudo /etc/init.d/nginx restart -# enable https if env variable has value https -if [ "$URL_PROTOCOL" = "https" ]; then - certbot install --nginx --non-interactive --cert-name $COMMUNITY_HOST --logs-dir ./log/ --work-dir . --config-dir . -fi # stop all services echo 'Stop and delete all Gradido services' >> $UPDATE_HTML @@ -110,7 +109,11 @@ export FEDERATION_NGINX_CONF=$(< $NGINX_CONFIG_DIR/gradido-federation.conf.locat # *** 3rd generate gradido nginx config including federation modules per api-version echo 'Generate new gradido nginx config' >> $UPDATE_HTML -envsubst '$FEDERATION_NGINX_CONF' < $NGINX_CONFIG_DIR/gradido.conf.template > $NGINX_CONFIG_DIR/gradido.conf.tmp +case "$URL_PROTOCOL" in + 'https') TEMPLATE_FILE="gradido.conf.ssl.template" ;; + *) TEMPLATE_FILE="gradido.conf.template" ;; +esac +envsubst '$FEDERATION_NGINX_CONF' < $NGINX_CONFIG_DIR/$TEMPLATE_FILE > $NGINX_CONFIG_DIR/gradido.conf.tmp unset FEDERATION_NGINX_CONF envsubst "$(env | sed -e 's/=.*//' -e 's/^/\$/g')" < $NGINX_CONFIG_DIR/gradido.conf.tmp > $NGINX_CONFIG_DIR/gradido.conf rm $NGINX_CONFIG_DIR/gradido.conf.tmp @@ -118,7 +121,11 @@ rm $NGINX_CONFIG_DIR/gradido-federation.conf.locations # Generate update-page.conf from template echo 'Generate new update-page nginx config' >> $UPDATE_HTML -envsubst "$(env | sed -e 's/=.*//' -e 's/^/\$/g')" < $NGINX_CONFIG_DIR/update-page.conf.template > $NGINX_CONFIG_DIR/update-page.conf +case "$URL_PROTOCOL" in + 'https') TEMPLATE_FILE="update-page.conf.ssl.template" ;; + *) TEMPLATE_FILE="update-page.conf.template" ;; +esac +envsubst "$(env | sed -e 's/=.*//' -e 's/^/\$/g')" < $NGINX_CONFIG_DIR/$TEMPLATE_FILE > $NGINX_CONFIG_DIR/update-page.conf # Clean tmp folder - remove yarn files find /tmp -name "yarn--*" -exec rm -r {} \; @@ -261,11 +268,8 @@ done # let nginx showing gradido echo 'Configuring nginx to serve gradido again' >> $UPDATE_HTML -ln -s $SCRIPT_PATH/nginx/sites-available/gradido.conf $SCRIPT_PATH/nginx/sites-enabled/default +ln -sf $SCRIPT_DIR/nginx/sites-available/gradido.conf $SCRIPT_DIR/nginx/sites-enabled/default sudo /etc/init.d/nginx restart -if [ "$URL_PROTOCOL" = "https" ]; then - certbot install --nginx --non-interactive --cert-name $COMMUNITY_HOST --logs-dir ./log/ --work-dir . --config-dir . -fi # keep the update log cat $UPDATE_HTML >> $GRADIDO_LOG_PATH/update.$TODAY.log diff --git a/deployment/hetzner_cloud/install.sh b/deployment/hetzner_cloud/install.sh index f39ce6c32..05c73622c 100755 --- a/deployment/hetzner_cloud/install.sh +++ b/deployment/hetzner_cloud/install.sh @@ -73,11 +73,14 @@ rmdir /etc/nginx/conf.d ln -s $SCRIPT_PATH/nginx/conf.d /etc/nginx/ # setup https with certbot -certbot --nginx --non-interactive --agree-tos --domains $COMMUNITY_HOST --email $COMMUNITY_SUPPORT_MAIL +certbot certonly --nginx --non-interactive --agree-tos --domains $COMMUNITY_HOST --email $COMMUNITY_SUPPORT_MAIL -# Install node 16.x -curl -sL https://deb.nodesource.com/setup_16.x | sudo -E bash - -apt-get install -y nodejs +# Install node 16. with nvm, with nodesource is depracted +curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.7/install.sh | bash +# Close and reopen your terminal to start using nvm or run the following to use it now: +export NVM_DIR="$HOME/.nvm" +[ -s "$NVM_DIR/nvm.sh" ] && \. "$NVM_DIR/nvm.sh" # This loads nvm +nvm install 16 # first installed version will be set to default automatic # Install yarn curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | sudo apt-key add -