wordpress-dev/prod-webserver-provision.sh

#!/bin/sh

# TODO basic error checking
# TODO verbosity

_lets_encrypt_email="wptest@isnet.uk"
_server_base_url="wptest.isnet.uk"

# add user
useradd -m -s /bin/bash ray
groupadd docker
usermod -aG docker ray
mkdir /home/ray/.ssh
cp /root/.ssh/authorized_keys /home/ray/.ssh/
chown ray: /home/ray/.ssh/authorized_keys

apt-get update
apt-get install \
    apt-transport-https \
    ca-certificates \
    curl \
    gnupg2 \
    software-properties-common \
    apache2-utils \
    ufw

ufw allow ssh
ufw allow http
ufw allow https
ufw enable

curl -fsSL https://download.docker.com/linux/debian/gpg | sudo apt-key add -
add-apt-repository \
  "deb [arch=amd64] https://download.docker.com/linux/debian \
  $(lsb_release -cs) \
  stable"
apt-get update
apt-get install docker-ce docker-ce-cli containerd.io

curl -L "https://github.com/docker/compose/releases/download/1.25.4/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose

echo "Basic HTTP authorisation password for user: ray"
_HT_PASSWD=$(htpasswd -nB ray | sed -e 's/\$/\$\$/g')

docker network create web

mkdir -p /var/docker/traefik
mkdir -p /var/docker/portainer
touch /var/docker/traefik/acme.json
chmod 600 /var/docker/traefik/acme.json

cd /var/docker/traefik || exit 20
echo "api:
  dashboard: true

entryPoints:
  http:
    address: \":80\"
  https:
    address: \":443\"

providers:
  docker:
    endpoint: \"unix:///var/run/docker.sock\"
    exposedByDefault: false

certificatesResolvers:
  http:
    acme:
      email: $_lets_encrypt_email
      storage: acme.json
      httpChallenge:
        entryPoint: http
" > traefik.yml

echo "version: '3'

services:
  traefik:
    image: traefik:v2.0
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - web
    ports:
      - 80:80
      - 443:443
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik.yml:/traefik.yml:ro
      - ./acme.json:/acme.json
    labels:
      - \"traefik.enable=true\"
      - \"traefik.http.routers.traefik.entrypoints=http\"
      - \"traefik.http.routers.traefik.rule=Host(\`$_server_base_url\`)\"
      - \"traefik.http.middlewares.traefik-auth.basicauth.users=$_HT_PASSWD\"
      - \"traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https\"
      - \"traefik.http.routers.traefik.middlewares=traefik-https-redirect\"
      - \"traefik.http.routers.traefik-secure.entrypoints=https\"
      - \"traefik.http.routers.traefik-secure.rule=Host(\`$_server_base_url\`)\"
      - \"traefik.http.routers.traefik-secure.middlewares=traefik-auth\"
      - \"traefik.http.routers.traefik-secure.tls=true\"
      - \"traefik.http.routers.traefik-secure.tls.certresolver=http\"
      - \"traefik.http.routers.traefik-secure.service=api@internal\"

networks:
  web:
    external: true
" >> docker-compose.yml
docker-compose up -d

cd /var/docker/portainer || exit 30
# create /var/docker/portainer/docker-compose.yml
_portainer_url="portainer.$_server_base_url"
echo "version: '3'

services:
  portainer:
    image: portainer/portainer:latest
    container_name: portainer
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - web
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./data:/data
    labels:
      - \"traefik.enable=true\"
      - \"traefik.http.routers.portainer.entrypoints=http\"
      - \"traefik.http.routers.portainer.rule=Host(\`$_portainer_url\`)\"
      - \"traefik.http.middlewares.portainer-https-redirect.redirectscheme.scheme=https\"
      - \"traefik.http.routers.portainer.middlewares=portainer-https-redirect\"
      - \"traefik.http.routers.portainer-secure.entrypoints=https\"
      - \"traefik.http.routers.portainer-secure.rule=Host(\`$_portainer_url\`)\"
      - \"traefik.http.routers.portainer-secure.tls=true\"
      - \"traefik.http.routers.portainer-secure.tls.certresolver=http\"
      - \"traefik.http.routers.portainer-secure.service=portainer\"
      - \"traefik.http.services.portainer.loadbalancer.server.port=9000\"
      - \"traefik.docker.network=web\"

networks:
  web:
    external: true
" >> docker-compose.yml
docker-compose up -d
echo "VISIT PORTAINER URL NOW TO SET INITIAL LOGIN:" # or see if can set from script
echo "  https://$_portainer_url"
add production server deployment script 2020-03-04 12:46:51 +00:00			`#!/bin/sh`

			`# TODO basic error checking`
			`# TODO verbosity`

			`_lets_encrypt_email="wptest@isnet.uk"`
			`_server_base_url="wptest.isnet.uk"`

			`# add user`
			`useradd -m -s /bin/bash ray`
			`groupadd docker`
			`usermod -aG docker ray`
			`mkdir /home/ray/.ssh`
			`cp /root/.ssh/authorized_keys /home/ray/.ssh/`
			`chown ray: /home/ray/.ssh/authorized_keys`

			`apt-get update`
			`apt-get install \`
			`apt-transport-https \`
			`ca-certificates \`
			`curl \`
			`gnupg2 \`
			`software-properties-common \`
			`apache2-utils \`
			`ufw`

			`ufw allow ssh`
			`ufw allow http`
			`ufw allow https`
			`ufw enable`

			`curl -fsSL https://download.docker.com/linux/debian/gpg \| sudo apt-key add -`
			`add-apt-repository \`
			`"deb [arch=amd64] https://download.docker.com/linux/debian \`
			`$(lsb_release -cs) \`
			`stable"`
			`apt-get update`
			`apt-get install docker-ce docker-ce-cli containerd.io`

			`curl -L "https://github.com/docker/compose/releases/download/1.25.4/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose`
			`chmod +x /usr/local/bin/docker-compose`

			`echo "Basic HTTP authorisation password for user: ray"`
			`_HT_PASSWD=$(htpasswd -nB ray \| sed -e 's/\$/\$\$/g')`

			`docker network create web`

			`mkdir -p /var/docker/traefik`
			`mkdir -p /var/docker/portainer`
			`touch /var/docker/traefik/acme.json`
			`chmod 600 /var/docker/traefik/acme.json`

			`cd /var/docker/traefik \|\| exit 20`
			`echo "api:`
			`dashboard: true`

			`entryPoints:`
			`http:`
			`address: \":80\"`
			`https:`
			`address: \":443\"`

			`providers:`
			`docker:`
			`endpoint: \"unix:///var/run/docker.sock\"`
			`exposedByDefault: false`

			`certificatesResolvers:`
			`http:`
			`acme:`
			`email: $_lets_encrypt_email`
			`storage: acme.json`
			`httpChallenge:`
			`entryPoint: http`
			`" > traefik.yml`

			`echo "version: '3'`

			`services:`
			`traefik:`
			`image: traefik:v2.0`
			`container_name: traefik`
			`restart: unless-stopped`
			`security_opt:`
			`- no-new-privileges:true`
			`networks:`
			`- web`
			`ports:`
			`- 80:80`
			`- 443:443`
			`volumes:`
			`- /etc/localtime:/etc/localtime:ro`
			`- /var/run/docker.sock:/var/run/docker.sock:ro`
			`- ./traefik.yml:/traefik.yml:ro`
			`- ./acme.json:/acme.json`
			`labels:`
			`- \"traefik.enable=true\"`
			`- \"traefik.http.routers.traefik.entrypoints=http\"`
			- \"traefik.http.routers.traefik.rule=Host(\`$_server_base_url\`)\"
			`- \"traefik.http.middlewares.traefik-auth.basicauth.users=$_HT_PASSWD\"`
			`- \"traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https\"`
			`- \"traefik.http.routers.traefik.middlewares=traefik-https-redirect\"`
			`- \"traefik.http.routers.traefik-secure.entrypoints=https\"`
			- \"traefik.http.routers.traefik-secure.rule=Host(\`$_server_base_url\`)\"
			`- \"traefik.http.routers.traefik-secure.middlewares=traefik-auth\"`
			`- \"traefik.http.routers.traefik-secure.tls=true\"`
			`- \"traefik.http.routers.traefik-secure.tls.certresolver=http\"`
			`- \"traefik.http.routers.traefik-secure.service=api@internal\"`

			`networks:`
			`web:`
			`external: true`
			`" >> docker-compose.yml`
			`docker-compose up -d`

			`cd /var/docker/portainer \|\| exit 30`
			`# create /var/docker/portainer/docker-compose.yml`
			`_portainer_url="portainer.$_server_base_url"`
			`echo "version: '3'`

			`services:`
			`portainer:`
			`image: portainer/portainer:latest`
			`container_name: portainer`
			`restart: unless-stopped`
			`security_opt:`
			`- no-new-privileges:true`
			`networks:`
			`- web`
			`volumes:`
			`- /etc/localtime:/etc/localtime:ro`
			`- /var/run/docker.sock:/var/run/docker.sock:ro`
			`- ./data:/data`
			`labels:`
			`- \"traefik.enable=true\"`
			`- \"traefik.http.routers.portainer.entrypoints=http\"`
			- \"traefik.http.routers.portainer.rule=Host(\`$_portainer_url\`)\"
			`- \"traefik.http.middlewares.portainer-https-redirect.redirectscheme.scheme=https\"`
			`- \"traefik.http.routers.portainer.middlewares=portainer-https-redirect\"`
			`- \"traefik.http.routers.portainer-secure.entrypoints=https\"`
			- \"traefik.http.routers.portainer-secure.rule=Host(\`$_portainer_url\`)\"
			`- \"traefik.http.routers.portainer-secure.tls=true\"`
			`- \"traefik.http.routers.portainer-secure.tls.certresolver=http\"`
			`- \"traefik.http.routers.portainer-secure.service=portainer\"`
			`- \"traefik.http.services.portainer.loadbalancer.server.port=9000\"`
			`- \"traefik.docker.network=web\"`

			`networks:`
			`web:`
			`external: true`
			`" >> docker-compose.yml`
			`docker-compose up -d`
			`echo "VISIT PORTAINER URL NOW TO SET INITIAL LOGIN:" # or see if can set from script`
			`echo " https://$_portainer_url"`