
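#!/usr/bin/bash
# Note: This is post installation
# Post-install provisioning for the WebCron PHP app on a Debian/Ubuntu host:
# packages, crontab ACLs, firewall rules, TLS cert, Apache vhost, SQLite DB
# and services. Every step below mutates the system, so it must run as root.
# Presumably read by ~/utils/logging.sh; nothing in this script uses it directly.
INSTALL_LOG=~/server-setup.log
if [[ ! -f ~/utils/logging.sh ]]; then
  # Fallback logger when the shared helper is absent. This used to be an
  # alias, but aliases are not expanded in non-interactive scripts
  # (expand_aliases is off), so every later `log` call would have failed
  # with "command not found".
  log() { printf '%s\n' "$*"; }
else
  . ~/utils/logging.sh
fi
# Making sure user is running this as root.
# EUID is maintained by bash itself; $USER is only an environment variable
# that su/sudo may leave unset or still pointing at the invoking user.
if (( EUID != 0 )); then
  echo "You are not root. Please either switch to root with (su -l) or login as root and rerun this script" >&2
  exit 1
fi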
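# Updating repo metadata & package db
# (-y) just means assume yes (for package download and updates)
apt update -y && apt upgrade -y
declare -a python_packages=(
  # pathlib used to be listed here (to enumerate the files from the FS), but it
  # has been part of the Python 3 standard library since 3.4; the PyPI package
  # of that name is an old backport, so nothing needs to be pip-installed.
  #sqlite3 # this is already preinstalled
)
# These are the packages needed for setting up the server for my PHP application
declare -a needed_packages=(
  # Webserver packages
  firewalld
  apache2
  # Necessary packages for php
  php
  php-sqlite3
  # Filesystem Management
  acl
  # Necessary Project Packages
  python3
  python3-pip
  sqlite3
  # Needed to clone the project repo further down
  git
  # Check packages: provides dig. The Debian/Ubuntu package is dnsutils;
  # bind-utils is the Fedora/RHEL name, and one unknown name makes apt abort
  # the whole install with "Unable to locate package".
  dnsutils
)
declare -a packages_to_install=()
INSTALLED_PACKAGES="$( apt list --installed )"
# Filtering packages from my needed_packages array (in case some are already installed).
# `apt list --installed` prints one "name/suite ... [installed]" line per
# package, so anchor on "name/" at the start of a line: a plain substring test
# reported php as installed as soon as php-sqlite3 was.
for package in "${needed_packages[@]}"; do
  if ! grep -q -- "^${package}/" <<< "$INSTALLED_PACKAGES"; then
    packages_to_install+=( "$package" )
  fi
done
unset needed_packages
# Installing the packages that aren't already installed
if (( ${#packages_to_install[@]} > 0 )); then
  apt install -y "${packages_to_install[@]}"
fi
# Start: Filesystem Setup
# Install the necessary python packages. Skipped when the list is empty, since
# pip errors out without a package name. Note that --user as root installs
# into /root/.local, which the www-data web process would not import from.
if (( ${#python_packages[@]} > 0 )); then
  python3 -m pip install --user "${python_packages[@]}"
fi
unset python_packages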
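# This will give the webcron user the ability to read, write and execute crontab in all of the regular places.
# Risk: write access to /etc/cron.d and friends means whoever controls the
# webcron user (e.g. through the web app) can schedule commands that run as
# root, so the app's input handling and the `Require ip` restriction in the
# vhost are what bound that. The webcron user itself is not created here.
# (This was spelled `delcare`, which bash rejects as a syntax error because the
# array literal is only valid after a declaration builtin.)
declare -a crontab_dirs=(
  # All of the normal system crontabs are located here
  /etc/cron.d
  /etc/cron.hourly
  /etc/cron.daily
  /etc/cron.weekly
  /etc/cron.monthly
  # Depending on the system, user crontabs are stored in this directory and the crontabs sub directory doesn't exist
  /var/spool/cron
  # These are the crontabs created by users of the system (commented out because the above acl would include this directory and files
  #/var/spool/cron/crontabs
)
for dir in "${crontab_dirs[@]}"; do
  # Not every distribution has all of these; skip the missing ones instead of
  # letting setfacl error on them.
  [[ -d "$dir" ]] || continue
  # This (while not changing the permissions via chmod) what will allow the webcron user to access all of the crontab directories & files
  setfacl -R -m u:webcron:rwx -- "$dir"
done
# End: Filesystem Setup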
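# Start: Firewall Setup
# Setting up the rules for the webserver. They are written to the permanent
# config only and take effect when firewalld is (re)started in the services
# section below. firewall-cmd talks to the running firewalld daemon, so this
# fails if the service is stopped; the failure is logged rather than ignored.
for svc in http https; do
  if ! firewall-cmd --zone=public --permanent --add-service="$svc"; then
    log "Could not add the $svc service to the public zone; the firewall rules will need to be fixed by hand"
  fi
done
# Setup rules for SSH server (omitting from repo-commit for obvious reasons)
###Do SSH Rule setup###
# End: Firewall Setup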
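# Wildcard SSL Cert installation
# This will be uploaded seperately, as I do not want to share my certs with the world (this is just the bulk sum, I will be installing a complete encompassing certfile).
CERTS_ARCHIVE=~/tristanancelet-certs.tar
if [[ -f "$CERTS_ARCHIVE" ]]; then
  # Extract straight into /etc instead of mv'ing the archive there first: the
  # old mv+tar pair still pointed tar at the home-dir path, so extraction
  # always failed (silently, since the archive was then simply kept). Using
  # -C also avoids leaving the script's working directory in /etc.
  if tar -xf "$CERTS_ARCHIVE" -C /etc; then
    rm -f -- "$CERTS_ARCHIVE"
  else
    log "Cert archive could not be extracted into /etc; leaving $CERTS_ARCHIVE in place"
  fi
else
  log "Cert archive was not found. Installation will continue, but the backup certs will not be included"
fi
CERT=~/tristanancelet-cert.pem
# Install the cert when it IS present (the old test was inverted and so never
# copied anything). The same file is used as SSLCertificateKeyFile in the
# vhost, so it carries the private key: keep it root-owned and mode 600.
if [[ -f "$CERT" ]]; then
  cp -- "$CERT" /etc/apache2/apache.pem
  chown root:root /etc/apache2/apache.pem
  chmod 600 /etc/apache2/apache.pem
else
  log "Cert file $CERT was not found; /etc/apache2/apache.pem was not updated"
fi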
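# App Location
WebAppLocation=/opt/WebCron
if [[ ! -d "$WebAppLocation" ]]; then
  # If the webroot directory doesn't exist then create it, clone the project
  # into it and hand it to the www-data user.
  # (was `mdkir`, which fails with "command not found")
  mkdir -p -- "$WebAppLocation"
  # Cloning the project repo and its submodules directly into the webroot:
  # the vhost's DocumentRoot and the DB path below both expect the repo
  # contents at $WebAppLocation itself, not in a nested WebCron/ directory,
  # and the old `git submodule` calls ran outside any repo.
  # NOTE(review): confirm this layout against the app's own docs.
  if ! git clone --recurse-submodules https://github.com/TristanAncelet/WebCron "$WebAppLocation"; then
    log "Cloning the WebCron repo into $WebAppLocation failed; the web root is empty"
  fi
  # Recursively setting the directory and all subdirectories
  # to the www-data user (after the clone, so the checked-out files are covered)
  chown -R www-data: -- "$WebAppLocation"
  # Setting the filesystem permissions of the directory to only be accessible by the owner
  # (excluding the root user of course)
  chmod -R 700 -- "$WebAppLocation"
  # Kept for later steps that refer to repo files by relative path.
  cd -- "$WebAppLocation" || log "Could not cd into $WebAppLocation"
fi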
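# The IP or IPs that will have access to the web app.
# Can be passed through the environment (ALLOWED_ACCESS_CONFIG=<addr> ./setup-server.sh)
# instead of editing this line. The default is deliberately empty so an
# unconfigured run is refused before Apache is touched.
ALLOWED_ACCESS_CONFIG="${ALLOWED_ACCESS_CONFIG:-}"
# Begin apache2 config
#
# Validate the address first so a bad value fails before any module or site
# state is changed. The old pattern demanded a fifth trailing dot and rejected
# any octet starting with 0 (10.0.0.1), so it never matched a real address.
# Accepts a dotted quad with an optional /prefix, which is what `Require ip`
# takes; octet values are only checked for 1-3 digits.
IP_REGEX='([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?'
if [[ ! "$ALLOWED_ACCESS_CONFIG" =~ ^$IP_REGEX$ ]]; then
  log "The configured IP ($ALLOWED_ACCESS_CONFIG) did not match the format of an IP. Please fix the mistake and rerun this"
  exit 1
fi
a2enmod ssl
# NOTE(review): on Debian the Apache PHP module is versioned (phpX.Y) and is
# normally enabled by the libapache2-mod-php package itself; confirm this
# module name exists, since an unknown name only prints an error and the
# script carries on.
a2enmod php
# Since I will be using Apache2.4*
a2enmod authz_core
site_config_file=/etc/apache2/sites-available/webcron.conf
# Cert path must match where the cert step installs it (/etc/apache2/, not
# /etc/apache/); Apache refuses to start when the cert file is missing.
# The FilesMatch quotes are escaped: unescaped they terminated this string.
site_config="
# Redirecting all http traffic to https
<VirtualHost *:80>
  ServerAdmin webmaster@tristanancelet.com
  ServerName webcron.tristanancelet.com
  Redirect permanent / https://webcron.tristanancelet.com/
</VirtualHost>
<IfModule mod_ssl.c>
  <VirtualHost *:443>
    ServerAdmin webmaster@tristanancelet.com
    ServerName webcron.tristanancelet.com
    DocumentRoot $WebAppLocation
    ErrorLog \${APACHE_LOG_DIR}/webcron-error.log
    CustomLog \${APACHE_LOG_DIR}/webcron.log combined
    <Directory $WebAppLocation/>
      Require ip $ALLOWED_ACCESS_CONFIG
      SSLOptions +StdEnvVars
    </Directory>
    SSLEngine on
    SSLCertificateFile /etc/apache2/apache.pem
    SSLCertificateKeyFile /etc/apache2/apache.pem
    <FilesMatch \"\\.(cgi|shtml|phtml|php)$\">
      SSLOptions +StdEnvVars
    </FilesMatch>
  </VirtualHost>
</IfModule>"
# If the site config file doesn't exist or doesn't match what it needs to be then it will be overwritten.
# $(<file) strips trailing newlines, so the comparison tolerates the newline printf appends.
if [[ ! -f "$site_config_file" ]] || [[ "$(<"$site_config_file")" != "$site_config" ]]; then
  printf '%s\n' "$site_config" > "$site_config_file"
fi
# Enable the site with a2ensite
if ! a2ensite webcron; then
  log " There was an error when enabling the site, please read the error message, that was provided from the a2ensite command"
fi
# End apache2 config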
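# Start: DB Work
DB_FILE=$WebAppLocation/webcron.db
# NOTE(review): the DB lives inside the vhost's DocumentRoot, so unless the app
# blocks it, any client that passes `Require ip` can download it over HTTPS;
# consider moving it out of $WebAppLocation or denying *.db in the vhost.
# Absolute path: the old relative Database/... depended on whichever directory
# the earlier steps had cd'd into.
SCHEMA_FILE=$WebAppLocation/Database/create-database.sql
if [[ ! -f "$DB_FILE" ]]; then
  if [[ -f "$SCHEMA_FILE" ]]; then
    sqlite3 "$DB_FILE" < "$SCHEMA_FILE"
    # The rest of the webroot is handed to www-data; the DB must be writable
    # by the same user or the app cannot update it.
    chown www-data: -- "$DB_FILE"
  else
    log "Schema file $SCHEMA_FILE was not found; the database was not created"
  fi
fi
# End: DB Work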
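# Start: Enabling Services
# (The loop variable was `services` while the body read `$service`, so every
# systemctl call below ran with an empty unit name.)
for service in firewalld apache2; do
  # systemctl's own query verbs replace the grep/awk parse of `status` output,
  # which also carried a typo (`pring`) that blanked the active state.
  if ! systemctl is-enabled --quiet "$service"; then
    # Enabling the service if it isn't
    systemctl enable "$service"
  fi
  if [[ "$service" == apache2 ]] && ! apache2ctl configtest; then
    # Don't bounce a running web server onto a broken vhost; leave the old
    # config serving and let the operator fix it.
    log "apache2 config test failed; not (re)starting apache2 until it is fixed"
    continue
  fi
  if systemctl is-active --quiet "$service"; then
    # If the service was already running then just restart it so it can reload the new configs
    systemctl restart "$service"
  else
    # If the service wasn't started in installation, go ahead and start it (as it would've also been enabled above)
    systemctl start "$service"
  fi
done
# End: Enabling Services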
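# Start: Post-Setup tests
## Checking that the A record for webcron.tristanancelet.com has been installed/configured on my DNS server
echo Doing post setup tests
echo "
Checking for DNS A record for this site
"
if ! command -v dig >/dev/null; then
  # Without dig the old check printed a misleading "record doesn't exist".
  log "dig is not installed (dnsutils); skipping the DNS A record check"
else
  WebCronDNSLookupIP="$( dig webcron.tristanancelet.com +short | tail -n 1)"
  # Compare against every address of this host, not only `hostname -i`, which
  # on Debian often resolves to 127.0.1.1 via /etc/hosts and so never matched.
  host_ips="$( hostname -I 2>/dev/null || hostname -i )"
  dns_matches_host=0
  # Word-splitting on purpose: hostname -I prints space-separated addresses.
  for ip in $host_ips; do
    if [[ -n "$WebCronDNSLookupIP" && "$WebCronDNSLookupIP" == "$ip" ]]; then
      dns_matches_host=1
      break
    fi
  done
  if (( dns_matches_host == 0 )); then
    echo "DNS A record check: Fail
Reason:
An a record for webcron.tristanancelet.com doesn't exist
"
  else
    echo "DNS A record check: Pass
"
  fi
fi
# End: Post-Setup tests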