update Linode and DigitalOcean server recipes (#274)

scripts/smp-server-digitalocean-droplet/files/opt/simplex/on_login.sh

@@ -1,17 +1,17 @@
 #!/bin/bash
-# receives fingerprint file location as the first parameter
+
+fingerprint=$1
 
 ip_address=$(hostname -I | awk '{print$1}')
-hash=$(cat $1)
 
 cat <<EOF
 ********************************************************************************
 
-SMP server address: $ip_address#$hash
+SMP server address: $ip_address#$fingerprint
 Check SMP server status with: systemctl status smp-server
 
 To keep this server secure, the UFW firewall is enabled.
-All ports are BLOCKED except 22 (SSH), 80 (HTTP), 5223 (SMP server).
+All ports are BLOCKED except 22 (SSH), 443 (HTTPS), 5223 (SMP server).
 
 ********************************************************************************
 To stop seeing this message delete line - bash /opt/simplex/on_login.sh - from /root/.bashrc

scripts/smp-server-digitalocean-droplet/scripts/01-packages.sh

@@ -16,9 +16,10 @@ sudo DEBIAN_FRONTEND=noninteractive \
   -y --allow-downgrades --allow-remove-essential --allow-change-held-packages \
   dist-upgrade
 
-sudo DEBIAN_FRONTEND=noninteractive \
-  apt-get \
-  -o Dpkg::Options::=--force-confold \
-  -o Dpkg::Options::=--force-confdef \
-  -y --allow-downgrades --allow-remove-essential --allow-change-held-packages \
-  install jq
+# TODO install unattended-upgrades; jq is not needed on DigitalOcean
+# sudo DEBIAN_FRONTEND=noninteractive \
+#   apt-get \
+#   -o Dpkg::Options::=--force-confold \
+#   -o Dpkg::Options::=--force-confdef \
+#   -y --allow-downgrades --allow-remove-essential --allow-change-held-packages \
+#   install jq

scripts/smp-server-digitalocean-droplet/scripts/02-firewall.sh

@@ -1,9 +1,9 @@
 #!/bin/sh
 
-# add firewall
+# Add firewall
 echo "y" | ufw enable
 
-# open ports
+# Open ports
 ufw allow ssh
-ufw allow http
+ufw allow https
 ufw allow 5223

scripts/smp-server-digitalocean-droplet/scripts/03-init-start.sh

@@ -1,24 +1,16 @@
 #!/bin/bash
 
 bin_dir="/opt/simplex/bin"
+binary="$bin_dir/smp-server"
 conf_dir="/etc/opt/simplex"
 
+# Download latest release
 mkdir -p $bin_dir
+curl -L -o $binary https://github.com/simplex-chat/simplexmq/releases/latest/download/smp-server-ubuntu-20_04-x86-64
+chmod +x $binary
+$binary --version
 
-echo "downloading the latest SMP server release"
-curl -s https://api.github.com/repos/simplex-chat/simplexmq/releases/latest > release.json
-jq '.assets[].browser_download_url | select(test("smp-server-ubuntu-20_04-x86-64"))' release.json \
-| tr -d \" \
-| wget -qi -
-
-release_version=$(jq '.tag_name' release.json | tr -d \")
-echo "downloaded SMP server $release_version"
-rm release.json
-
-echo "preparing for SMP server initiaization"
-mv smp-server-ubuntu-20_04-x86-64 $bin_dir/smp-server
-chmod +x $bin_dir/smp-server
-
+# Add to PATH
 cat <<EOT >> /etc/profile.d/simplex.sh
 #!/bin/bash
 
@@ -27,31 +19,32 @@ export PATH="$PATH:$bin_dir"
 EOT
 source /etc/profile.d/simplex.sh
 
-# prepare SMP server systemd service
+# Initialize server
+smp-server init -l
+
+# Turn off websockets support
+sed -e '/websockets/s/^/# /g' -i $conf_dir/smp-server.ini
+
+# Server fingerprint
+fingerprint=$(cat $conf_dir/fingerprint)
+
+# On login script
+echo "bash /opt/simplex/on_login.sh $fingerprint" >> /root/.bashrc
+
+# Create and start systemd service
 cat <<EOT >> /etc/systemd/system/smp-server.service
 [Unit]
 Description=SMP server systemd service
 
 [Service]
 Type=simple
-ExecStart=/bin/sh -c "$bin_dir/smp-server start"
+ExecStart=/bin/sh -c "$binary start"
 
 [Install]
 WantedBy=multi-user.target
 
 EOT
+
 chmod 644 /etc/systemd/system/smp-server.service
-
-echo "initializing SMP server"
-smp-server init -l
-# CA certificate (identity/offline) fingerprint
-hash_file="$conf_dir/fingerprint"
-# turn off websockets support
-sed -e '/websockets/s/^/# /g' -i $conf_dir/smp-server.ini
-
-# add welcome script to .bashrc
-echo "bash /opt/simplex/on_login.sh $hash_file" >> /root/.bashrc
-
-echo "starting SMP server"
 sudo systemctl enable smp-server
 sudo systemctl start smp-server

scripts/smp-server-linode.sh

@@ -1,11 +1,13 @@
 #!/bin/bash
+
 # <UDF name="enable_store_log" label="Store log - persists SMP queues to append only log and restores them upon server restart." default="on" oneof="on, off" />
 # <UDF name="api_token" label="Linode API token - enables StackScript to create tags containing SMP server FQDN / IP address, CA certificate fingerprint and server version. Use `fqdn#fingerprint` or `ip#fingerprint` as SMP server address in the client. Note: minimal permissions token should have are - read/write access to `linodes` (to update linode tags) and `domains` (to add A record for the chosen 3rd level domain)" default="" />
 # <UDF name="fqdn" label="FQDN (Fully qualified domain name) - provide third level domain name (ex: smp.example.com). If provided can be used instead of IP address." default="" />
 
-# log all stdout output to stackscript.log
+# Log all stdout output to stackscript.log
 exec &> >(tee -i /var/log/stackscript.log)
-# uncomment next line to enable debugging features
+
+# Uncomment next line to enable debugging features
 # set -xeo pipefail
 
 cd $HOME
@@ -26,6 +28,7 @@ sudo DEBIAN_FRONTEND=noninteractive \
   -y --allow-downgrades --allow-remove-essential --allow-change-held-packages \
   dist-upgrade
 
+# TODO install unattended-upgrades
 sudo DEBIAN_FRONTEND=noninteractive \
   apt-get \
   -o Dpkg::Options::=--force-confold \
@@ -33,27 +36,25 @@ sudo DEBIAN_FRONTEND=noninteractive \
   -y --allow-downgrades --allow-remove-essential --allow-change-held-packages \
   install jq
 
-# add firewall
+# Add firewall
 echo "y" | ufw enable
-# open ports
+
+# Open ports
 ufw allow ssh
-ufw allow http
+ufw allow https
 ufw allow 5223
 
 bin_dir="/opt/simplex/bin"
+binary="$bin_dir/smp-server"
 conf_dir="/etc/opt/simplex"
 
+# Download latest release
 mkdir -p $bin_dir
+curl -L -o $binary https://github.com/simplex-chat/simplexmq/releases/latest/download/smp-server-ubuntu-20_04-x86-64
+chmod +x $binary
+$binary --version
 
-# retrieve latest release info and download smp-server executable
-curl -s https://api.github.com/repos/simplex-chat/simplexmq/releases/latest > release.json
-jq '.assets[].browser_download_url | select(test("smp-server-ubuntu-20_04-x86-64"))' release.json \
-| tr -d \" \
-| wget -qi -
-
-mv smp-server-ubuntu-20_04-x86-64 $bin_dir/smp-server
-chmod +x $bin_dir/smp-server
-
+# Add to PATH
 cat <<EOT >> /etc/profile.d/simplex.sh
 #!/bin/bash
 
@@ -62,83 +63,86 @@ export PATH="$PATH:$bin_dir"
 EOT
 source /etc/profile.d/simplex.sh
 
-# initialize SMP server
+# Initialize server
 init_opts=()
 [[ $ENABLE_STORE_LOG == "on" ]] && init_opts+=(-l)
 smp-server init "${init_opts[@]}"
-# CA certificate (identity/offline) fingerprint
-hash_file="$conf_dir/fingerprint"
-# turn off websockets support
+
+# Turn off websockets support
 sed -e '/websockets/s/^/# /g' -i $conf_dir/smp-server.ini
 
-# create script that will run on login
+# Server fingerprint
+fingerprint=$(cat $conf_dir/fingerprint)
+
+# On login script
 on_login_script="/opt/simplex/on_login.sh"
+
 cat <<EOT >> $on_login_script
 #!/bin/bash
-# receives fingerprint file location as the first parameter
+
+fingerprint=\$1
 
 ip_address=\$(hostname -I | awk '{print\$1}')
-hash=\$(cat \$1)
 
 cat <<EOF
 ********************************************************************************
 
-SMP server address: \$ip_address#\$hash
+SMP server address: \$ip_address#\$fingerprint
 Check SMP server status with: systemctl status smp-server
 
 To keep this server secure, the UFW firewall is enabled.
-All ports are BLOCKED except 22 (SSH), 80 (HTTP), 5223 (SMP server).
+All ports are BLOCKED except 22 (SSH), 443 (HTTPS), 5223 (SMP server).
 
 ********************************************************************************
 To stop seeing this message delete line - bash /opt/simplex/on_login.sh - from /root/.bashrc
 EOF
 
 EOT
+
 chmod +x $on_login_script
-echo "bash $on_login_script $hash_file" >> /root/.bashrc
+echo "bash $on_login_script $fingerprint" >> /root/.bashrc
 
-# create A record and update linode's tags
+# Create A record and update Linode's tags
 if [ ! -z "$API_TOKEN" ]; then
-     ip_address=$(curl ifconfig.me)
-     address=$ip_address
-     if [ ! -z "$FQDN" ]; then
-          domain_address=$(echo $FQDN | rev | cut -d "." -f 1,2 | rev)
-          domain_id=$(curl -H "Authorization: Bearer $API_TOKEN" https://api.linode.com/v4/domains \
-          | jq --arg da "$domain_address" '.data[] | select( .domain == $da ) | .id')
-          if [[ ! -z $domain_id ]]; then
-               curl -s -H "Content-Type: application/json" \
-                    -H "Authorization: Bearer $API_TOKEN" \
-                    -X POST -d "{\"type\":\"A\",\"name\":\"$FQDN\",\"target\":\"$ip_address\"}" \
-                    https://api.linode.com/v4/domains/${domain_id}/records
-               address=$FQDN
-          fi
-     fi
+  ip_address=$(curl ifconfig.me)
+  address=$ip_address
+  if [ ! -z "$FQDN" ]; then
+    domain_address=$(echo $FQDN | rev | cut -d "." -f 1,2 | rev)
+    domain_id=$(curl -H "Authorization: Bearer $API_TOKEN" https://api.linode.com/v4/domains \
+    | jq --arg da "$domain_address" '.data[] | select( .domain == $da ) | .id')
+    if [[ ! -z $domain_id ]]; then
+      curl \
+        -s -H "Content-Type: application/json" \
+        -H "Authorization: Bearer $API_TOKEN" \
+        -X POST -d "{\"type\":\"A\",\"name\":\"$FQDN\",\"target\":\"$ip_address\"}" \
+        https://api.linode.com/v4/domains/${domain_id}/records
+      address=$FQDN
+    fi
+  fi
 
-     hash=$(cat $hash_file)
-     release_version=$(jq '.tag_name' release.json | tr -d \")
+  version=$($binary --version | cut -d ' ' -f 3-)
 
-     curl -s -H "Content-Type: application/json" \
-          -H "Authorization: Bearer $API_TOKEN" \
-          -X PUT -d "{\"tags\":[\"$address\",\"#$hash\",\"$release_version\"]}" \
-          https://api.linode.com/v4/linode/instances/$LINODE_ID
+  curl \
+    -s -H "Content-Type: application/json" \
+    -H "Authorization: Bearer $API_TOKEN" \
+    -X PUT -d "{\"tags\":[\"$address\",\"#$fingerprint\",\"$version\"]}" \
+    https://api.linode.com/v4/linode/instances/$LINODE_ID
 fi
 
-# create, enable and start SMP server systemd service
+# Create and start systemd service
 cat <<EOT >> /etc/systemd/system/smp-server.service
 [Unit]
 Description=SMP server systemd service
 
 [Service]
 Type=simple
-ExecStart=/bin/sh -c "$bin_dir/smp-server start"
+ExecStart=/bin/sh -c "$binary start"
 
 [Install]
 WantedBy=multi-user.target
 
 EOT
+
 chmod 644 /etc/systemd/system/smp-server.service
 sudo systemctl enable smp-server
 sudo systemctl start smp-server
-
-# cleanup
-rm release.json