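#!/bin/bash
#
# Installs Taiga (taiga-back, taiga-front-dist, taiga-events) behind nginx on a
# dnf-based host with SELinux and firewalld, then installs Certbot.
#
# Must be run as root. Edit IP_ADDR, SECRETKEY and EVENTS_PASSWORD below before
# running; the script refuses to continue while the placeholder values are in place.

# Stop on error
set -e
# Stop on uninitialized variables
set -u
# Stop on failed pipes
set -o pipefail

# IP_ADDR can be the IP address of your server OR FQDN that points to your server
# Example:
# IP_ADDR="example.com"
IP_ADDR="0.0.0.0"
SECRETKEY="yoursecretkey"
# Since the events password will be used inside an URL later, please use only web safe characters: a-z, A-Z, 0-9, and - . _ ~
EVENTS_PASSWORD="someotherpassword"

# Refuse to run with the placeholder values: the secret key signs sessions and the
# events password is written into config files and the broker, so defaults must
# never reach a server.
if [[ "$IP_ADDR" == "0.0.0.0" || "$SECRETKEY" == "yoursecretkey" || "$EVENTS_PASSWORD" == "someotherpassword" ]]; then
  printf 'Set IP_ADDR, SECRETKEY and EVENTS_PASSWORD at the top of this script before running it.\n' >&2
  exit 1
fi
# setsebool, dnf, firewall-cmd, adduser and the systemd/cron edits all need root.
if (( EUID != 0 )); then
  printf 'This script must be run as root.\n' >&2
  exit 1
fi

# Take care of SELinux and the firewall
setsebool -P httpd_read_user_content true
setsebool -P httpd_can_network_connect true
dnf install -y policycoreutils-python-utils bash-completion vim git python36
#semanage port -m -t http_port_t -p tcp 8000
#semanage port -a -t http_port_t -p tcp 8001
firewall-cmd --add-service http --permanent
firewall-cmd --add-service https --permanent
#firewall-cmd --add-port 8001/tcp --permanent
firewall-cmd --reload

# yum install -y gcc autoconf flex bison libjpeg-turbo-devel freetype-devel zlib-devel zeromq3-devel gdbm-devel ncurses-devel automake libtool libffi-devel curl git tmux libxml2-devel libxslt-devel wget openssl-devel gcc-c++

# PostgreSQL
dnf install -y postgresql-server postgresql-server-devel
postgresql-setup --initdb
systemctl enable postgresql --now

# PostgreSQL initDB setting
# su keeps the current directory, so move somewhere the postgres user can read first.
cd /home
su postgres -c "createuser taiga"
su postgres -c "createdb taiga -O taiga"

# taiga user
adduser taiga

# taiga-back
cd /home/taiga
git clone https://github.com/taigaio/taiga-back.git taiga-back
cd taiga-back/
git checkout stable
pip3 install --upgrade pip
su taiga -c "pip3 install -r requirements.txt"
chown -R taiga:taiga /home/taiga/
su taiga -c "python3 manage.py migrate --noinput"
su taiga -c "python3 manage.py loaddata initial_user"
su taiga -c "python3 manage.py loaddata initial_project_templates"
#su taiga -c "python3 manage.py loaddata initial_role"
su taiga -c "python3 manage.py compilemessages"
su taiga -c "python3 manage.py collectstatic --noinput"

# Backend settings. Unquoted heredoc: ${IP_ADDR}, ${SECRETKEY} and ${EVENTS_PASSWORD}
# are expanded by the shell; nothing else in this file uses "$". Overwrite rather than
# append so a re-run does not stack duplicate settings.
cat > /home/taiga/taiga-back/settings/local.py << EOF
from .development import *
from .common import *

MEDIA_URL = "http://${IP_ADDR}/media/"
STATIC_URL = "http://${IP_ADDR}/static/"
ADMIN_MEDIA_PREFIX = "http://${IP_ADDR}/static/admin/"
SITES["front"]["scheme"] = "http"
SITES["front"]["domain"] = "${IP_ADDR}"

# Quoted so Python gets a string literal instead of an undefined bare name.
SECRET_KEY = "${SECRETKEY}"

DEBUG = False
TEMPLATE_DEBUG = False
PUBLIC_REGISTER_ENABLED = True

# Replace with a real sender address for this installation.
DEFAULT_FROM_EMAIL = "[email protected]"
SERVER_EMAIL = DEFAULT_FROM_EMAIL

CHANGE_NOTIFICATIONS_MIN_INTERVAL = 60 #seconds

EVENTS_PUSH_BACKEND = "taiga.events.backends.rabbitmq.EventsPushBackend"
# Must match the broker URL written to taiga-events/config.json (user, password, host, vhost).
EVENTS_PUSH_BACKEND_OPTIONS = {"url": "amqp://taiga:${EVENTS_PASSWORD}@localhost:5672/taiga"}
EOF
# local.py carries the signing secret and the broker password: owner-only.
chmod 0600 /home/taiga/taiga-back/settings/local.py

# taiga-front
cd /home/taiga
git clone https://github.com/taigaio/taiga-front-dist.git taiga-front-dist
cd taiga-front-dist/
git checkout stable
cd dist/
# Update details for taiga-front: point the API host and the websocket URL at this server.
sed -e "s%localhost:8000%${IP_ADDR}%" conf.example.json > conf.json
sed -i "s|\"eventsUrl\": null|\"eventsUrl\": \"ws://${IP_ADDR}/events\"|g" conf.json

# nginx
cd /home/taiga
dnf install -y nginx
# Quoted heredoc: the $variables below belong to nginx, not the shell.
cat > /etc/nginx/nginx.conf << 'EOF'
# For more information on configuration, see:
#   * Official English Documentation: http://nginx.org/en/docs/

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    include /etc/nginx/conf.d/*.conf;
}
EOF

# Quoted heredoc for the same reason as above.
cat > /etc/nginx/conf.d/taiga.conf <<'EOF'
server {
    listen 80 default_server;
    server_name _;

    large_client_header_buffers 4 32k;
    client_max_body_size 50M;
    charset utf-8;

    access_log /var/log/nginx/taiga-nginx.access.log;
    error_log /var/log/nginx/taiga-nginx.error.log;

    # Frontend
    location / {
        root /home/taiga/taiga-front-dist/dist/;
        try_files $uri $uri/ /index.html;
    }

    # Backend
    location /api {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://127.0.0.1:8001/api;
        proxy_redirect off;
    }

    # Django admin access (/admin/)
    location /admin {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://127.0.0.1:8001$request_uri;
        proxy_redirect off;
    }

    # Static files
    location /static {
        alias /home/taiga/taiga-back/static;
    }

    # Media files
    location /media {
        alias /home/taiga/taiga-back/media;
    }

    # Events
    location /events {
        proxy_pass http://127.0.0.1:8888/events;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_connect_timeout 7d;
        proxy_send_timeout 7d;
        proxy_read_timeout 7d;
    }
}
EOF

# Backend service.
# NOTE: "manage.py runserver" is Django's development server; for a production
# deployment the usual replacement is a WSGI server such as gunicorn behind nginx.
cat > /etc/systemd/system/taiga.service <<'EOF'
[Unit]
Description=Taiga Service
After=network.target

[Service]
Type=simple
User=taiga
WorkingDirectory=/home/taiga/taiga-back
ExecStart=/usr/bin/python3 /home/taiga/taiga-back/manage.py runserver 127.0.0.1:8001
Restart=on-abort

[Install]
WantedBy=multi-user.target
EOF

# final steps
chown -R taiga:taiga /home/taiga/
# nginx (user nginx) must traverse /home/taiga to reach the static and media aliases.
chmod o+x /home/taiga/
chmod o+rx ~taiga/taiga-back/media

# now some systemctl stuff
systemctl daemon-reload
systemctl restart nginx taiga
systemctl enable nginx taiga
printf '%s\n' "Done installing Taiga"
printf '%s\n' "Press ENTER to continue installing Certbot"
read -r -p "You will be asked to enter some information and agree to LetsEncrypt terms" _

# Install LetsEncrypt Certbot
# NOTE: this downloads an installer over the network and runs it as root with no
# integrity check; certbot-auto is deprecated upstream, so prefer the distribution's
# certbot package or verify the download out of band.
wget https://dl.eff.org/certbot-auto
mv certbot-auto /usr/local/bin/certbot-auto
chmod 0755 /usr/local/bin/certbot-auto
certbot-auto -n --install-only
# Renew twice daily with a random delay of up to an hour to spread renewal load.
# python3 rather than python: this script only installs python36, and every other
# step here invokes python3.
printf '%s\n' "0 0,12 * * * root python3 -c 'import random; import time; time.sleep(random.random() * 3600)' && /usr/local/bin/certbot-auto renew" >> /etc/crontab
printf '%s\n' "* * * * * taiga cd /home/taiga/taiga-back && python3 manage.py send_notifications" >> /etc/crontab

### THIS PART IS A WORK IN PROGRESS ###
# Install events
printf '%s\n' "Installing realtime events..."
dnf install -y nodejs centos-release-rabbitmq @redis
dnf install -y rabbitmq-server
cd /home/taiga
su taiga -c "git clone https://github.com/taigaio/taiga-events.git taiga-events"
cd taiga-events
su taiga -c "npm install"
npm install -g coffeescript

# Overwrite (not append) so a re-run does not leave a duplicated unit body.
cat > /etc/systemd/system/taiga-events.service <<'EOF'
[Unit]
Description=taiga_events
After=network.target

[Service]
User=taiga
WorkingDirectory=/home/taiga/taiga-events
ExecStart=/bin/bash -c "node_modules/coffeescript/bin/coffee index.coffee"
Restart=always
RestartSec=3

[Install]
WantedBy=default.target
EOF

# Unquoted heredoc: the shell expands the secret and the events password here, and
# the broker URL is the same one written to taiga-back's local.py above.
cat > /home/taiga/taiga-events/config.json <<EOF
{
    "url": "amqp://taiga:${EVENTS_PASSWORD}@localhost:5672/taiga",
    "secret": "${SECRETKEY}",
    "webSocketServer": {
        "port": 8888
    }
}
EOF
# config.json carries the broker password and the signing secret: owner-only.
chown taiga:taiga /home/taiga/taiga-events/config.json
chmod 0600 /home/taiga/taiga-events/config.json

# rabbitmqctl talks to a running broker, so start redis and rabbitmq before creating
# the user and vhost; taiga-events is started only once its broker is configured.
systemctl enable --now redis rabbitmq-server
# The password is briefly visible in the process list while this command runs.
rabbitmqctl add_user taiga "$EVENTS_PASSWORD"
rabbitmqctl add_vhost taiga
rabbitmqctl set_permissions -p taiga taiga ".*" ".*" ".*"
systemctl enable --now taiga-events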
After installation, once a domain points to the server, you can run `certbot-auto --nginx` to get HTTPS working. If you let Certbot reconfigure nginx to redirect to HTTPS automatically, it may mangle the file a little, but it is easy to clean up: just make sure the reverse proxies and everything else are under the 443 server block. After enabling SSL, the 80 server block should contain only the following:
# Port-80 block as Certbot leaves it: redirect requests for the configured host to
# HTTPS and answer everything else with 404. The Taiga locations live in the 443 block.
server {
listen 80 default_server;
server_name example.com;
if ($host = example.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
return 404; # managed by Certbot
}
Important: the reverse proxies should remain `http://127.0.0.1:8001`; do not change them to https, since TLS terminates at nginx.
See the following for more information, although much of it does not apply to this script:
https://taigaio.github.io/taiga-doc/dist/setup-production.html#_taiga_hardening_https
Files to edit for HTTPS URLs:
/etc/nginx/conf.d/taiga.conf
Note: make sure to change the events websocket URL from ws:// to wss:// when switching to HTTPS.
/home/taiga/taiga-front-dist/dist/conf.json
/home/taiga/taiga-back/settings/local.py
Make sure to set the IP address and secret before running the script!