Setting up a Django App with nginx, gunicorn and less compiler

install-prod-env.bash

#!/bin/bash
# Exit on error
set -e

echo "Hello, what is your app name?"
read appname

# slugify the app name
appslug="$(echo $appname | iconv -t ascii//TRANSLIT | sed -r s/[^a-zA-Z0-9]+/-/g | sed -r s/^-+\|-+$//g | tr A-Z a-z)"

echo "What is the host name? (eg: example.com)"
read hostname

echo "What is the root path for the project? (Leave empty for `pwd`)"
read rootpath

if [ -z "$VAR" ] 
then
  rootpath="$(pwd)"
fi

#############################################################
# WE GOT THE VARIABLES, LET'S PROCEED WITH THE INSTALLATION #
#############################################################
apt-get update
apt-get upgrade

echo "Installing webserver..."
apt install nginx

# nginx conf for port 80
cat > /etc/nginx/sites-available/${appslug}-80 <<EOL
server {
    listen 80;
    server_name ${hostname};
    
    root ${rootpath};
    
    # Required for letsencrypt
    location ~ /.well-known {
        allow all;
    }
}
EOL

# nginx conf for post 443
cat > /etc/nginx/sites-available/${appslug}-443 <<EOL
server {
    listen 80;
    listen [::]:80;
    server_name ${hostname};
    return 301 https://$server_name$request_uri;
}

server {
    ssl on;
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    include snippets/ssl-${appslug}.conf;
    include snippets/ssl-params.conf;
    
    server_name ${hostname};
    
    # Turn off error logging for favicon
    location = /favicon.ico {
        access_log off; 
        log_not_found off; 
    }
    
    location /static/ {
        root ${rootpath}/static;
    }
}
EOL

# enable confs
ln -s /etc/nginx/sites-available/${appslug}-80 /etc/nginx/sites-enabled

# Check for syntax
nginx -t
systemctl restart nginx

echo "Configuring letsencrypt..."
add-apt-repository ppa:certbot/certbot
apt-get update
apt-get install certbot

# Create certificate for 
certbot certonly --webroot --webroot-path=${rootpath} -d ${hostname}

# Check for the file if it exists
ls -l /etc/letsencrypt/live/${hostname}

# Generate strong Diffie-Hellman group to further increase security
openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

cat > /etc/nginx/snippets/ssl-${appslug}.conf <<EOL
ssl_certificate /etc/letsencrypt/live/${hostname}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${hostname}/privkey.pem;
EOL

# Create a conf with strong encryption settings
cat > /etc/nginx/snippets/ssl-params.conf <<EOL
# from https://cipherli.st/
# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# disable HSTS header for now
#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

ssl_dhparam /etc/ssl/certs/dhparam.pem;
EOL

# Now we can disable the http config and proceed with https
rm /etc/nginx/sites-enabled/${appslug}-80
ln -s /etc/nginx/sites-available/${appslug}-443 /etc/nginx/sites-enabled

nginx -t
systemctl restart nginx

##########################################################################
# INSTALLED AND CONFIGURED HTTPS, LET'S INSTALL NODEJS and LESS COMPILER #
##########################################################################

echo "Installing nodejs..."
apt install nodejs
# linking is needed for django-lessc
ln -s /usr/bin/nodejs /usr/bin/node

echo "Installing yarn..."
curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | sudo apt-key add -
echo "deb https://dl.yarnpkg.com/debian/ stable main" | sudo tee /etc/apt/sources.list.d/yarn.list
apt-get update && sudo apt-get install yarn

echo "Installing lessc executable..."
yarn global add less