ip

This reverts commit 8a64ccaa3f.

README.md

@@ -1 +1 @@
-Some scripts to automate VPS setup
+Scripts to automate VPS setup and maintenance

cbr.get

@@ -1,4 +1,4 @@
 #!/bin/bash
 URL=https://www.cbr.ru/scripts/XML_daily.asp
-OUT=/var/www/html/cbr.xml
+OUT=/var/www/html/cbr/cur.xml
 wget $URL -O $OUT

cert/clientRenew

@@ -0,0 +1,7 @@
+#!/bin/bash -e
+SDIR=$(cd "$(dirname "$0")" ; pwd -P)
+T=$SDIR/../step
+
+STEP=0
+source $T/ensureRootUser
+source $T/renewCertbot

cert/clientSetup

@@ -0,0 +1,3 @@
+#!/bin/bash -e
+# https://habr.com/ru/articles/735712/
+brew install certbot

cert/vpsRenew

@@ -0,0 +1,23 @@
+#!/bin/bash -e
+SDIR=$(cd "$(dirname "$0")" ; pwd -P)
+T=$SDIR/../step
+
+ACME_FILE=$1
+ACME_VALUE=$2
+
+if [ -z "$ACME_FILE" ] || [ -z "$ACME_VALUE" ]; then
+  echo "Usage: $0 ACME_FILE ACME_VALUE"
+  exit 1
+fi
+
+ACME_DIR="/var/www/html/.well-known/acme-challenge"
+
+STEP=0
+source $T/ensureRootUser
+source $T/copyNginxACMEConfig
+source $T/restartNginx
+source $T/createACMEChallenge
+source $T/waitForReturnKey
+source $T/deleteACMEChallenge
+source $T/copyNginxProdConfig
+source $T/restartNginx

nginx.setup

@@ -1,5 +0,0 @@
-#!/bin/bash
-
-apt install nginx
-cp nginx/cfg /etc/nginx/sites-enabled/default
-systemctl restart nginx

nginx/acme.cfg

@@ -0,0 +1,10 @@
+# Serve only through HTTP while updating the certificate
+server {
+  listen 80;
+  server_name kornerr.ru;
+  root /var/www/html;
+
+  location / {
+    try_files $uri $uri/ =404;
+  }
+}

nginx/prod.cfg

@@ -1,11 +1,18 @@
+# Redirect HTTP to HTTPS
 server {
-  listen 80 default_server;
-  listen [::]:80 default_server;
+  listen 80;
+  server_name kornerr.ru;
+  return 301 https://$server_name$request_uri;
+}
+
+# Serve through HTTPS only
+server {
+  listen 443 ssl;
+  server_name kornerr.ru;
+
+  ssl_certificate /etc/encrypt/fullchain.pem;
+  ssl_certificate_key /etc/encrypt/privkey.pem;
 
-  # SSL configuration
-  #
-  # listen 443 ssl default_server;
-  # listen [::]:443 ssl default_server;
   #
   # Note: You should disable gzip for SSL traffic.
   # See: https://bugs.debian.org/773332
@@ -20,7 +27,6 @@ server {
 
   root /var/www/html;
 
-  # Add index.php to the list if you are using PHP
   index index.html;
 
   server_name _;
@@ -30,6 +36,7 @@ server {
     # as directory, then fall back to displaying a 404.
     try_files $uri $uri/ =404;
     add_header "Access-Control-Allow-Origin" "*";
+    add_header "Cache-Control" "max-age=43200";
     # Remove CORS.
     if ($request_method = "OPTIONS") {
       add_header "Access-Control-Allow-Origin" "*";

nginx/setup

@@ -0,0 +1,9 @@
+#!/bin/bash -e
+SDIR=$(cd "$(dirname "$0")" ; pwd -P)
+T=$SDIR/../step
+
+STEP=0
+source $T/ensureRootUser
+source $T/installNginx
+source $T/copyNginxProdConfig
+source $T/restartNginx

publish.dbg

@@ -0,0 +1,53 @@
+#!/bin/bash
+
+DST_DIR=/var/www/dbg
+KMP_FILE=kornerr-ver-browser
+KMP_FILE_EXT=js
+MAIN_BRANCH=main
+REPO_DIR=/home/kornerr/repo-ru
+REPO_URL=https://github.com/kornerr/ru
+
+# Clone if the directory does not exist
+if [ ! -d "$REPO_DIR" ]; then
+    git clone $REPO_URL $REPO_DIR
+fi
+
+# Get the latest changes
+cd $REPO_DIR
+git checkout -f $MAIN_BRANCH
+git clean -fd
+git fetch --all
+git pull
+
+# Find out the latest commit in the whole repo
+#git branch -av --sort=-committerdate
+#git branch -av --sort=-committerdate | tr -s ' ' | head -n1
+cmt=`git branch -av --sort=-committerdate | tr -s ' ' | head -n1 | cut -d' ' -f3`
+echo "Latest commit: $cmt"
+
+# Switch to the latest commit
+git checkout -f $cmt
+
+# Copy dist
+mkdir -p $DST_DIR
+rm -fR $DST_DIR/*
+cp -R dist/* $DST_DIR
+
+# Rename kornerr-ver-browser.js to work around caching
+kmpWas=$KMP_FILE.$KMP_FILE_EXT
+kmpNow=${KMP_FILE}_`uuidgen`.$KMP_FILE_EXT
+mv $DST_DIR/$kmpWas $DST_DIR/$kmpNow
+
+# Replace text in a file
+function replace {
+    file=$1
+    was=$2
+    now=$3
+    cmd="sed -i 's|$was|$now|g' $file"
+    eval "$cmd"
+}
+
+# Rename references
+replace $DST_DIR/bank.html "$kmpWas" "$kmpNow"
+replace $DST_DIR/budget.html "$kmpWas" "$kmpNow"
+replace $DST_DIR/quiz.html "$kmpWas" "$kmpNow"

publish.prod

@@ -0,0 +1,17 @@
+#!/bin/bash
+
+DBG_DIR=/var/www/dbg
+DST_DIR=/var/www/html
+
+# Remove current prod
+rm -fR $DST_DIR
+
+# Copy dbg to prod
+rsync -aivc --delete $DBG_DIR/ $DST_DIR
+
+# Symlink
+cd $DST_DIR
+ln -s ../cbr
+ln -s ../cv
+ln -s ../dbg
+ln -s ../vid

publish.setup

@@ -0,0 +1,4 @@
+#!/bin/bash
+CMD="0 20 * * * root /home/kornerr/vps/publish.dbg"
+CRON_FILE=/etc/cron.d/dbg
+echo "$CMD" > $CRON_FILE

squid/cfg

@@ -1,4 +1,6 @@
-acl tul src 83.221.16.86
+acl tul src 37.113.215.50
+acl tul src 83.221.24.250
 http_access allow tul
 http_access deny all
 http_port 3128
+

step/copyNginxACMEConfig

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+STEP=$((STEP+1))
+echo -e "\n> > > > Шаг №$STEP. Копируем настройки Nginx для ACME"
+cp $SDIR/../nginx/acme.cfg /etc/nginx/sites-enabled/default

step/copyNginxProdConfig

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+STEP=$((STEP+1))
+echo -e "\n> > > > Шаг №$STEP. Копируем боевые настройки Nginx"
+cp $SDIR/../nginx/prod.cfg /etc/nginx/sites-enabled/default

step/createACMEChallenge

@@ -0,0 +1,6 @@
+#!/bin/bash
+
+STEP=$((STEP+1))
+echo -e "\n> > > > Шаг №$STEP. Создаём файл проверки для ACME"
+mkdir -p $ACME_DIR
+echo "$ACME_VALUE" > "$ACME_DIR/$ACME_FILE"

step/deleteACMEChallenge

@@ -0,0 +1,6 @@
+#!/bin/bash
+
+STEP=$((STEP+1))
+echo -e "\n> > > > Шаг №$STEP. Удаляем файл проверки для ACME"
+rm $ACME_DIR/$ACME_FILE
+rmdir $ACME_DIR

step/ensureRootUser

@@ -0,0 +1,9 @@
+#!/bin/bash
+# https://askubuntu.com/a/15856
+
+STEP=$((STEP+1))
+echo -e "\n> > > > Шаг №$STEP. Проверяем запуск из-под root"
+if [[ $EUID -ne 0 ]]; then
+   echo "ОШИБКА: Перезапустите как root"
+   exit 1
+fi

step/installNginx

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+STEP=$((STEP+1))
+echo -e "\n> > > > Шаг №$STEP. Устанавливаем Nginx"
+apt install nginx

step/renewCertbot

@@ -0,0 +1,6 @@
+#!/bin/bash -e
+# https://habr.com/ru/articles/735712/
+
+STEP=$((STEP+1))
+echo -e "\n> > > > Шаг №$STEP. Просим certbot обновить"
+certbot certonly --manual --preferred-challenges http -d "kornerr.ru"

step/restartNginx

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+STEP=$((STEP+1))
+echo -e "\n> > > > Шаг №$STEP. Перезапускаем Nginx"
+systemctl restart nginx

step/waitForReturnKey

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+STEP=$((STEP+1))
+echo -e "\n> > > > Шаг №$STEP. Ожидаем нажатия клавиши Return"
+read -p "Нажмите Return..."