#!/bin/bash

# Given a URL pointing to a git repo and a NAME deploys a static site
# containing the contents of the URL to https://NAME.negativefour.app.
#
# The expectation is that this is run on a server running apache2 and
# Tor with SSL certificates for *.negativefour.app, and with write
# access to /etc/tor/torrc and /etc/apache2/sites-available (both are
# edited directly by plain shell redirects). Information about how to
# configure this server can be found in docs/.
#
# Note that at the moment this will only deploy webpages at
# negativefour.app subdomains. In order to deploy webpages for custom
# domains we will need to add logic to automatically configure SSL
# certificates.

# Copyright (C) 2021  Zeke Medley
#
# This program is free software: you can redistribute it and/or
# modify it under the terms of the GNU Affero General Public License
# as published by the Free Software Foundation, either version 3 of
# the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public
# License along with this program.  If not, see
# <https://www.gnu.org/licenses/>.

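set -e
set -u
set -o pipefail

# Usage: deploy.sh REPO NAME
#
# Everything below is a privileged and partly irreversible change to the
# host (a clone into the web root, a block appended to torrc, a new apache
# site), so inputs are validated up front, failures are loud, and a failed
# run removes what it created.

# Print a message to stderr and abort with status 1.
die() {
  printf 'deploy.sh: %s\n' "$*" >&2
  exit 1
}

usage() {
  printf 'usage: %s REPO NAME\n' "${0##*/}" >&2
  printf '  clones REPO and serves it at https://NAME.negativefour.app\n' >&2
  exit 2
}

[[ $# -eq 2 ]] || usage

REPO=$1
NAME=$2

# NAME ends up as a DNS label, as directory names under /home/admin/www/html
# and /var/lib/tor, as a line in torrc and as an apache config file name.
# Only a lower-case DNS label is accepted, which rules out "/", "..",
# whitespace and newlines -- a newline in NAME would inject arbitrary
# directives into torrc and into the generated vhost.
if ! [[ "$NAME" =~ ^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$ ]]; then
  die "NAME must be a DNS label (a-z, 0-9, '-'; 1-63 chars), got '$NAME'"
fi

readonly URL="$NAME.negativefour.app"
readonly WEBROOT="/home/admin/www/html/$URL"
readonly TORRC=/etc/tor/torrc
readonly HS_DIR="/var/lib/tor/${URL}"
readonly SITE_CONF="/etc/apache2/sites-available/${URL}.conf"

# What this run has created so far. cleanup consults these so that a failed
# run never deletes something that existed before it started.
cloned=0
conf_written=0
torrc_appended=0

# EXIT handler: on a non-zero exit, undo the apache site and the clone made
# by this run. The torrc block is deliberately not edited back out (torrc is
# a shared flat file); the operator is told exactly what to remove instead.
cleanup() {
  local rc=$?
  if [[ $rc -eq 0 ]]; then
    return
  fi
  printf 'deploy.sh: deployment of %s failed (status %d)\n' "$URL" "$rc" >&2
  if [[ $conf_written -eq 1 ]]; then
    a2dissite "$URL" >/dev/null 2>&1 || true
    rm -f -- "$SITE_CONF"
  fi
  if [[ $cloned -eq 1 ]]; then
    rm -rf -- "${WEBROOT:?}"
  fi
  if [[ $torrc_appended -eq 1 ]]; then
    printf 'deploy.sh: the "HiddenServiceDir %s/" block in %s was left in place; remove it and restart tor\n' \
      "$HS_DIR" "$TORRC" >&2
  fi
}
trap cleanup EXIT

# Refuse to deploy over an existing site (as far as this user can see):
# a clear message here instead of a git error later.
for existing in "$WEBROOT" "$HS_DIR" "$SITE_CONF"; do
  if [[ -e "$existing" ]]; then
    die "$existing already exists; $URL looks deployed already"
  fi
done

if [[ ! -w "$TORRC" ]]; then
  die "$TORRC is not writable; run with enough privilege to edit /etc"
fi

# "--" keeps a REPO beginning with "-" from being parsed as a git option.
git clone -- "$REPO" "$WEBROOT"
cloned=1

# Loopback port for the onion service's vhost. Counting entries in
# sites-available (the previous scheme) re-issues a port that is still in
# use as soon as any site has ever been removed, so instead take one past
# the highest port an existing generated site already listens on.
highest_port=$(grep -hoE '^Listen[[:space:]]+[0-9]+' /etc/apache2/sites-available/*.conf 2>/dev/null \
  | awk '$2 > 3100 { print $2 }' | sort -n | tail -n 1 || true)
readonly PORT=$(( ${highest_port:-3100} + 1 ))

# Register the onion service. This is an append to a flat file, so the NAME
# validation above is what keeps it from being a config-injection point.
cat <<EOF >> "$TORRC"
HiddenServiceDir ${HS_DIR}/
HiddenServicePort 80 127.0.0.1:${PORT}

EOF
torrc_appended=1

systemctl restart tor

# Tor writes the service's hostname file some time after it starts; the old
# fixed 3-second sleep raced that. Poll for it with a bounded wait. sudo is
# kept from the original, which read the file that way.
ONION_HOST=
for attempt in {1..30}; do
  if ONION_HOST=$(sudo cat "${HS_DIR}/hostname" 2>/dev/null); then
    break
  fi
  sleep 1
done

# The hostname is interpolated into the apache config below, so insist on
# the shape of an onion address (also catches the empty/timed-out case).
if ! [[ "$ONION_HOST" =~ ^[a-z2-7]+\.onion$ ]]; then
  die "did not get an onion hostname from ${HS_DIR}/hostname (got '${ONION_HOST}')"
fi

cat <<EOF > "$SITE_CONF"
Listen $PORT

# The checkout is served verbatim from a repository we do not control: no
# directory listings, no symlinks pointing out of the tree, and no .htaccess
# so the repository cannot reconfigure the server.
<Directory "$WEBROOT">
    Options -Indexes -FollowSymLinks -SymLinksIfOwnerMatch
    AllowOverride None
    Require all granted
</Directory>

# Never serve the repository metadata: .git/config holds the clone URL,
# including any credentials that were embedded in REPO.
<DirectoryMatch "^${WEBROOT}/\.git">
    Require all denied
</DirectoryMatch>

# Listen on port 80 but redirect to 443.
<VirtualHost *:80>
    ServerAdmin zekemedley@gmail.com
    ServerName $URL
    DocumentRoot $WEBROOT
    DirectoryIndex index.html
    ErrorLog \${APACHE_LOG_DIR}/${URL}_error.log
    CustomLog \${APACHE_LOG_DIR}/${URL}_access.log combined
    Redirect permanent / https://${URL}/
</VirtualHost>

# Plain HTTP on loopback only; reached through the onion service above.
<VirtualHost 127.0.0.1:${PORT}>
    ServerAdmin zekemedley@gmail.com
    ServerName ${URL}
    DocumentRoot $WEBROOT
    DirectoryIndex index.html
    ErrorLog \${APACHE_LOG_DIR}/${URL}_error.log
    CustomLog \${APACHE_LOG_DIR}/${URL}_access.log combined
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerAdmin zekemedley@gmail.com
    ServerName $URL
    DocumentRoot $WEBROOT
    DirectoryIndex index.html
    ErrorLog \${APACHE_LOG_DIR}/${URL}_error.log
    CustomLog \${APACHE_LOG_DIR}/${URL}_access.log combined

    # Onion-Location is only set on the https vhost, as it does not work
    # over plain http. Requires mod_headers (a2enmod headers); with it
    # missing the configtest below rejects this line. See:
    # https://community.torproject.org/onion-services/advanced/onion-location/
    Header set Onion-Location "http://${ONION_HOST}%{REQUEST_URI}s"

    SSLCertificateFile /etc/letsencrypt/live/negativefour.app/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/negativefour.app/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
EOF
conf_written=1

a2ensite "${URL}"

# A broken generated config would take every site on this host down with
# the restart; verify first. restart (rather than reload) is kept from the
# original.
apache2ctl configtest
systemctl restart apache2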