scripts/install-debian.sh at main · tranquil.farm/tranquil-pds

tranquil.farm / tranquil-pds
fork atom
Our Personal Data Server from scratch! tranquil.farm
oauth atproto pds rust postgresql objectstorage fun
fork atom
tranquil-pds / scripts / install-debian.sh
at main 510 lines 16 kB view raw
wrap content
lewis.moe feat: initial in-house cache distribution 4w ago
326aadcd
  1#!/bin/bash
  2set -euo pipefail
  3
  4RED='\033[0;31m'
  5GREEN='\033[0;32m'
  6YELLOW='\033[1;33m'
  7BLUE='\033[0;34m'
  8NC='\033[0m'
  9
 10log_info() { echo -e "${BLUE}[INFO]${NC} $1"; }
 11log_success() { echo -e "${GREEN}[OK]${NC} $1"; }
 12log_warn() { echo -e "${YELLOW}[WARN]${NC} $1"; }
 13log_error() { echo -e "${RED}[ERROR]${NC} $1"; }
 14
 15if [[ $EUID -ne 0 ]]; then
 16   log_error "This script must be run as root"
 17   exit 1
 18fi
 19
 20if ! grep -qi "debian" /etc/os-release 2>/dev/null; then
 21    log_warn "This script is designed for Debian. Proceed with caution on other distros."
 22fi
 23
 24nuke_installation() {
 25    log_warn "NUKING EXISTING INSTALLATION"
 26    log_info "Stopping services..."
 27    systemctl stop tranquil-pds 2>/dev/null || true
 28    systemctl disable tranquil-pds 2>/dev/null || true
 29
 30    log_info "Removing Tranquil PDS files..."
 31    rm -rf /opt/tranquil-pds
 32    rm -rf /var/lib/tranquil-pds
 33    rm -f /usr/local/bin/tranquil-pds
 34    rm -f /usr/local/bin/tranquil-pds-sendmail
 35    rm -f /usr/local/bin/tranquil-pds-mailq
 36    rm -rf /var/spool/tranquil-pds-mail
 37    rm -f /etc/systemd/system/tranquil-pds.service
 38    systemctl daemon-reload
 39
 40    log_info "Removing Tranquil PDS configuration..."
 41    rm -rf /etc/tranquil-pds
 42
 43    log_info "Dropping postgres database and user..."
 44    sudo -u postgres psql -c "DROP DATABASE IF EXISTS pds;" 2>/dev/null || true
 45    sudo -u postgres psql -c "DROP USER IF EXISTS tranquil_pds;" 2>/dev/null || true
 46
 47    log_info "Removing blob storage..."
 48    rm -rf /var/lib/tranquil 2>/dev/null || true
 49
 50    log_info "Removing nginx config..."
 51    rm -f /etc/nginx/sites-enabled/tranquil-pds
 52    rm -f /etc/nginx/sites-available/tranquil-pds
 53    systemctl reload nginx 2>/dev/null || true
 54
 55    log_success "Previous installation nuked"
 56}
 57
 58if [[ -f /etc/tranquil-pds/tranquil-pds.env ]] || [[ -d /opt/tranquil-pds ]] || [[ -f /usr/local/bin/tranquil-pds ]]; then
 59    log_warn "Existing installation detected"
 60    echo ""
 61    echo "Options:"
 62    echo "  1) Nuke everything and start fresh (destroys database!)"
 63    echo "  2) Continue with existing installation (idempotent update)"
 64    echo "  3) Exit"
 65    echo ""
 66    read -p "Choose an option [1/2/3]: " INSTALL_CHOICE
 67
 68    case "$INSTALL_CHOICE" in
 69        1)
 70            echo ""
 71            log_warn "This will DELETE:"
 72            echo "  - PostgreSQL database 'pds' and all data"
 73            echo "  - All Tranquil PDS configuration and credentials"
 74            echo "  - All source code in /opt/tranquil-pds"
 75            echo "  - All blobs and backups in /var/lib/tranquil/"
 76            echo ""
 77            read -p "Type 'NUKE' to confirm: " CONFIRM_NUKE
 78            if [[ "$CONFIRM_NUKE" == "NUKE" ]]; then
 79                nuke_installation
 80            else
 81                log_error "Nuke cancelled"
 82                exit 1
 83            fi
 84            ;;
 85        2)
 86            log_info "Continuing with existing installation..."
 87            ;;
 88        3)
 89            exit 0
 90            ;;
 91        *)
 92            log_error "Invalid option"
 93            exit 1
 94            ;;
 95    esac
 96fi
 97
 98echo ""
 99log_info "Tranquil PDS Installation Script for Debian"
100echo ""
101
102get_public_ips() {
103    IPV4=$(curl -4 -s --max-time 5 ifconfig.me 2>/dev/null || curl -4 -s --max-time 5 icanhazip.com 2>/dev/null || echo "Could not detect")
104    IPV6=$(curl -6 -s --max-time 5 ifconfig.me 2>/dev/null || curl -6 -s --max-time 5 icanhazip.com 2>/dev/null || echo "")
105}
106
107log_info "Detecting public IP addresses..."
108get_public_ips
109echo "  IPv4: ${IPV4}"
110[[ -n "$IPV6" ]] && echo "  IPv6: ${IPV6}"
111echo ""
112
113read -p "Enter your PDS domain (eg., pds.example.com): " PDS_DOMAIN
114if [[ -z "$PDS_DOMAIN" ]]; then
115    log_error "Domain cannot be empty"
116    exit 1
117fi
118
119read -p "Enter your email for Let's Encrypt: " CERTBOT_EMAIL
120if [[ -z "$CERTBOT_EMAIL" ]]; then
121    log_error "Email cannot be empty"
122    exit 1
123fi
124
125echo ""
126log_info "DNS records required (create these now if you haven't):"
127echo ""
128echo "  ${PDS_DOMAIN}      A      ${IPV4}"
129[[ -n "$IPV6" ]] && echo "  ${PDS_DOMAIN}      AAAA   ${IPV6}"
130echo "  *.${PDS_DOMAIN}    A      ${IPV4}    (for user handles)"
131[[ -n "$IPV6" ]] && echo "  *.${PDS_DOMAIN}    AAAA   ${IPV6}    (for user handles)"
132echo ""
133read -p "Have you created these DNS records? (y/N): " DNS_CONFIRMED
134if [[ ! "$DNS_CONFIRMED" =~ ^[Yy]$ ]]; then
135    log_warn "Please create the DNS records and run this script again."
136    exit 0
137fi
138
139CREDENTIALS_FILE="/etc/tranquil-pds/.credentials"
140if [[ -f "$CREDENTIALS_FILE" ]]; then
141    log_info "Loading existing credentials..."
142    source "$CREDENTIALS_FILE"
143else
144    log_info "Generating secrets..."
145    JWT_SECRET=$(openssl rand -base64 48)
146    DPOP_SECRET=$(openssl rand -base64 48)
147    MASTER_KEY=$(openssl rand -base64 48)
148    DB_PASSWORD=$(openssl rand -base64 24 | tr -dc 'a-zA-Z0-9' | head -c 32)
149
150    mkdir -p /etc/tranquil-pds
151    cat > "$CREDENTIALS_FILE" << EOF
152JWT_SECRET="$JWT_SECRET"
153DPOP_SECRET="$DPOP_SECRET"
154MASTER_KEY="$MASTER_KEY"
155DB_PASSWORD="$DB_PASSWORD"
156EOF
157    chmod 600 "$CREDENTIALS_FILE"
158    log_success "Secrets generated"
159fi
160
161log_info "Checking swap space..."
162TOTAL_MEM_KB=$(grep MemTotal /proc/meminfo | awk '{print $2}')
163TOTAL_SWAP_KB=$(grep SwapTotal /proc/meminfo | awk '{print $2}')
164
165if [[ $TOTAL_SWAP_KB -lt 2000000 ]]; then
166    if [[ ! -f /swapfile ]]; then
167        log_info "Adding swap space for compilation..."
168        SWAP_SIZE="4G"
169        [[ $TOTAL_MEM_KB -ge 4000000 ]] && SWAP_SIZE="2G"
170        fallocate -l $SWAP_SIZE /swapfile || dd if=/dev/zero of=/swapfile bs=1M count=4096
171        chmod 600 /swapfile
172        mkswap /swapfile
173        swapon /swapfile
174        grep -q '/swapfile' /etc/fstab || echo '/swapfile none swap sw 0 0' >> /etc/fstab
175        log_success "Swap added ($SWAP_SIZE)"
176    else
177        swapon /swapfile 2>/dev/null || true
178    fi
179fi
180
181log_info "Updating system packages..."
182apt update && apt upgrade -y
183
184log_info "Installing build dependencies..."
185apt install -y curl git build-essential pkg-config libssl-dev ca-certificates gnupg lsb-release unzip xxd
186
187log_info "Installing postgres..."
188apt install -y postgresql postgresql-contrib
189systemctl enable postgresql
190systemctl start postgresql
191sudo -u postgres psql -c "CREATE USER tranquil_pds WITH PASSWORD '${DB_PASSWORD}';" 2>/dev/null || \
192    sudo -u postgres psql -c "ALTER USER tranquil_pds WITH PASSWORD '${DB_PASSWORD}';"
193sudo -u postgres psql -c "CREATE DATABASE pds OWNER tranquil_pds;" 2>/dev/null || true
194sudo -u postgres psql -c "GRANT ALL PRIVILEGES ON DATABASE pds TO tranquil_pds;"
195log_success "postgres configured"
196
197log_info "Creating blob storage directories..."
198mkdir -p /var/lib/tranquil/blobs /var/lib/tranquil/backups
199log_success "Blob storage directories created"
200
201log_info "Installing rust..."
202if [[ -f "$HOME/.cargo/env" ]]; then
203    source "$HOME/.cargo/env"
204fi
205if ! command -v rustc &>/dev/null; then
206    curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
207    source "$HOME/.cargo/env"
208fi
209
210log_info "Installing deno..."
211export PATH="$HOME/.deno/bin:$PATH"
212if ! command -v deno &>/dev/null && [[ ! -f "$HOME/.deno/bin/deno" ]]; then
213    curl -fsSL https://deno.land/install.sh | sh
214    grep -q 'deno/bin' ~/.bashrc 2>/dev/null || echo 'export PATH="$HOME/.deno/bin:$PATH"' >> ~/.bashrc
215fi
216
217log_info "Cloning Tranquil PDS..."
218if [[ ! -d /opt/tranquil-pds ]]; then
219    git clone https://tangled.org/tranquil.farm/tranquil-pds /opt/tranquil-pds
220else
221    cd /opt/tranquil-pds && git pull
222fi
223cd /opt/tranquil-pds
224
225log_info "Building frontend..."
226"$HOME/.deno/bin/deno" task build --filter=frontend
227log_success "Frontend built"
228
229log_info "Building Tranquil PDS (this takes a while)..."
230source "$HOME/.cargo/env"
231if [[ $TOTAL_MEM_KB -lt 4000000 ]]; then
232    log_info "Low memory - limiting parallel jobs"
233    CARGO_BUILD_JOBS=1 cargo build --release
234else
235    cargo build --release
236fi
237log_success "Tranquil PDS built"
238
239log_info "Running migrations..."
240cargo install sqlx-cli --no-default-features --features postgres
241export DATABASE_URL="postgres://tranquil_pds:${DB_PASSWORD}@localhost:5432/pds"
242"$HOME/.cargo/bin/sqlx" migrate run
243log_success "Migrations complete"
244
245log_info "Setting up mail trap..."
246mkdir -p /var/spool/tranquil-pds-mail
247chmod 1777 /var/spool/tranquil-pds-mail
248
249cat > /usr/local/bin/tranquil-pds-sendmail << 'SENDMAIL_EOF'
250#!/bin/bash
251MAIL_DIR="/var/spool/tranquil-pds-mail"
252TIMESTAMP=$(date +%Y%m%d-%H%M%S)
253RANDOM_ID=$(head -c 4 /dev/urandom | xxd -p)
254MAIL_FILE="${MAIL_DIR}/${TIMESTAMP}-${RANDOM_ID}.eml"
255mkdir -p "$MAIL_DIR"
256{
257    echo "X-Tranquil-PDS-Received: $(date -Iseconds)"
258    echo "X-Tranquil-PDS-Args: $*"
259    echo ""
260    cat
261} > "$MAIL_FILE"
262chmod 644 "$MAIL_FILE"
263exit 0
264SENDMAIL_EOF
265chmod +x /usr/local/bin/tranquil-pds-sendmail
266
267cat > /usr/local/bin/tranquil-pds-mailq << 'MAILQ_EOF'
268#!/bin/bash
269MAIL_DIR="/var/spool/tranquil-pds-mail"
270case "${1:-list}" in
271    list)
272        ls -lt "$MAIL_DIR"/*.eml 2>/dev/null | head -20 || echo "No emails"
273        ;;
274    latest)
275        f=$(ls -t "$MAIL_DIR"/*.eml 2>/dev/null | head -1)
276        [[ -f "$f" ]] && cat "$f" || echo "No emails"
277        ;;
278    clear)
279        rm -f "$MAIL_DIR"/*.eml
280        echo "Cleared"
281        ;;
282    count)
283        ls -1 "$MAIL_DIR"/*.eml 2>/dev/null | wc -l
284        ;;
285    [0-9]*)
286        f=$(ls -t "$MAIL_DIR"/*.eml 2>/dev/null | sed -n "${1}p")
287        [[ -f "$f" ]] && cat "$f" || echo "Not found"
288        ;;
289    *)
290        [[ -f "$MAIL_DIR/$1" ]] && cat "$MAIL_DIR/$1" || echo "Usage: tranquil-pds-mailq [list|latest|clear|count|N]"
291        ;;
292esac
293MAILQ_EOF
294chmod +x /usr/local/bin/tranquil-pds-mailq
295
296log_info "Creating Tranquil PDS configuration..."
297cat > /etc/tranquil-pds/tranquil-pds.env << EOF
298SERVER_HOST=127.0.0.1
299SERVER_PORT=3000
300PDS_HOSTNAME=${PDS_DOMAIN}
301DATABASE_URL=postgres://tranquil_pds:${DB_PASSWORD}@localhost:5432/pds
302DATABASE_MAX_CONNECTIONS=100
303DATABASE_MIN_CONNECTIONS=10
304BLOB_STORAGE_PATH=/var/lib/tranquil/blobs
305BACKUP_STORAGE_PATH=/var/lib/tranquil/backups
306JWT_SECRET=${JWT_SECRET}
307DPOP_SECRET=${DPOP_SECRET}
308MASTER_KEY=${MASTER_KEY}
309PLC_DIRECTORY_URL=https://plc.directory
310CRAWLERS=https://bsky.network
311AVAILABLE_USER_DOMAINS=${PDS_DOMAIN}
312MAIL_FROM_ADDRESS=noreply@${PDS_DOMAIN}
313MAIL_FROM_NAME=Tranquil PDS
314SENDMAIL_PATH=/usr/local/bin/tranquil-pds-sendmail
315EOF
316chmod 600 /etc/tranquil-pds/tranquil-pds.env
317
318log_info "Installing Tranquil PDS..."
319id -u tranquil-pds &>/dev/null || useradd -r -s /sbin/nologin tranquil-pds
320cp /opt/tranquil-pds/target/release/tranquil-pds /usr/local/bin/
321mkdir -p /var/lib/tranquil-pds
322cp -r /opt/tranquil-pds/frontend/dist /var/lib/tranquil-pds/frontend
323chown -R tranquil-pds:tranquil-pds /var/lib/tranquil-pds
324chown -R tranquil-pds:tranquil-pds /var/lib/tranquil
325
326cat > /etc/systemd/system/tranquil-pds.service << 'EOF'
327[Unit]
328Description=Tranquil PDS - AT Protocol PDS
329After=network.target postgresql.service
330
331[Service]
332Type=simple
333User=tranquil-pds
334Group=tranquil-pds
335EnvironmentFile=/etc/tranquil-pds/tranquil-pds.env
336ExecStart=/usr/local/bin/tranquil-pds
337Restart=always
338RestartSec=5
339ProtectSystem=strict
340ProtectHome=true
341PrivateTmp=true
342ReadWritePaths=/var/lib/tranquil
343
344[Install]
345WantedBy=multi-user.target
346EOF
347
348systemctl daemon-reload
349systemctl enable tranquil-pds
350systemctl start tranquil-pds
351log_success "Tranquil PDS service started"
352
353log_info "Installing nginx..."
354apt install -y nginx
355cat > /etc/nginx/sites-available/tranquil-pds << EOF
356server {
357    listen 80;
358    listen [::]:80;
359    server_name ${PDS_DOMAIN} *.${PDS_DOMAIN};
360
361    location /.well-known/acme-challenge/ {
362        root /var/www/html;
363    }
364
365    location / {
366        proxy_pass http://127.0.0.1:3000;
367        proxy_http_version 1.1;
368        proxy_set_header Upgrade \$http_upgrade;
369        proxy_set_header Connection "upgrade";
370        proxy_set_header Host \$host;
371        proxy_set_header X-Real-IP \$remote_addr;
372        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
373        proxy_set_header X-Forwarded-Proto \$scheme;
374        proxy_read_timeout 86400;
375        proxy_send_timeout 86400;
376        client_max_body_size 100M;
377    }
378}
379EOF
380
381ln -sf /etc/nginx/sites-available/tranquil-pds /etc/nginx/sites-enabled/
382rm -f /etc/nginx/sites-enabled/default
383nginx -t
384systemctl reload nginx
385log_success "nginx configured"
386
387log_info "Configuring firewall..."
388apt install -y ufw
389ufw --force reset
390ufw default deny incoming
391ufw default allow outgoing
392ufw allow ssh
393ufw allow 80/tcp
394ufw allow 443/tcp
395ufw --force enable
396log_success "Firewall configured"
397
398echo ""
399log_info "Obtaining wildcard SSL certificate..."
400echo ""
401echo "User handles are served as subdomains (eg., alice.${PDS_DOMAIN}),"
402echo "so you need a wildcard certificate. This requires DNS validation."
403echo ""
404echo "You'll need to add a TXT record to your DNS when prompted."
405echo ""
406read -p "Ready to proceed? (y/N): " CERT_READY
407
408if [[ "$CERT_READY" =~ ^[Yy]$ ]]; then
409    apt install -y certbot python3-certbot-nginx
410
411    log_info "Running certbot with DNS challenge..."
412    echo ""
413    echo "When prompted, add the TXT record to your DNS, wait a minute"
414    echo "for propagation, then press Enter to continue."
415    echo ""
416
417    if certbot certonly --manual --preferred-challenges dns \
418        -d "${PDS_DOMAIN}" -d "*.${PDS_DOMAIN}" \
419        --email "${CERTBOT_EMAIL}" --agree-tos; then
420
421        cat > /etc/nginx/sites-available/tranquil-pds << EOF
422server {
423    listen 80;
424    listen [::]:80;
425    server_name ${PDS_DOMAIN} *.${PDS_DOMAIN};
426
427    location /.well-known/acme-challenge/ {
428        root /var/www/html;
429    }
430
431    location / {
432        return 301 https://\$host\$request_uri;
433    }
434}
435
436server {
437    listen 443 ssl http2;
438    listen [::]:443 ssl http2;
439    server_name ${PDS_DOMAIN} *.${PDS_DOMAIN};
440
441    ssl_certificate /etc/letsencrypt/live/${PDS_DOMAIN}/fullchain.pem;
442    ssl_certificate_key /etc/letsencrypt/live/${PDS_DOMAIN}/privkey.pem;
443    ssl_protocols TLSv1.2 TLSv1.3;
444    ssl_ciphers HIGH:!aNULL:!MD5;
445    ssl_prefer_server_ciphers on;
446    ssl_session_cache shared:SSL:10m;
447
448    location / {
449        proxy_pass http://127.0.0.1:3000;
450        proxy_http_version 1.1;
451        proxy_set_header Upgrade \$http_upgrade;
452        proxy_set_header Connection "upgrade";
453        proxy_set_header Host \$host;
454        proxy_set_header X-Real-IP \$remote_addr;
455        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
456        proxy_set_header X-Forwarded-Proto \$scheme;
457        proxy_read_timeout 86400;
458        proxy_send_timeout 86400;
459        client_max_body_size 100M;
460    }
461}
462EOF
463        nginx -t && systemctl reload nginx
464        log_success "Wildcard SSL certificate installed"
465
466        echo ""
467        log_warn "Certificate renewal note:"
468        echo "Manual DNS challenges don't auto-renew. Before expiry, run:"
469        echo "  certbot renew --manual"
470        echo ""
471        echo "For auto-renewal, consider using a DNS provider plugin:"
472        echo "  apt install python3-certbot-dns-cloudflare  # or your provider"
473        echo ""
474    else
475        log_warn "Wildcard cert failed. You can retry later with:"
476        echo "  certbot certonly --manual --preferred-challenges dns \\"
477        echo "    -d ${PDS_DOMAIN} -d '*.${PDS_DOMAIN}'"
478    fi
479else
480    log_warn "Skipping SSL. Your PDS is running on HTTP only."
481    echo "To add SSL later, run:"
482    echo "  certbot certonly --manual --preferred-challenges dns \\"
483    echo "    -d ${PDS_DOMAIN} -d '*.${PDS_DOMAIN}'"
484fi
485
486log_info "Verifying installation..."
487sleep 3
488if curl -s "http://localhost:3000/xrpc/_health" | grep -q "version"; then
489    log_success "Tranquil PDS is responding"
490else
491    log_warn "Tranquil PDS may still be starting. Check: journalctl -u tranquil-pds -f"
492fi
493
494echo ""
495log_success "Installation complete"
496echo ""
497echo "PDS: https://${PDS_DOMAIN}"
498echo ""
499echo "Credentials (also in /etc/tranquil-pds/.credentials):"
500echo "  DB password: ${DB_PASSWORD}"
501echo ""
502echo "Data locations:"
503echo "  Blobs:   /var/lib/tranquil/blobs"
504echo "  Backups: /var/lib/tranquil/backups"
505echo ""
506echo "Commands:"
507echo "  journalctl -u tranquil-pds -f    # logs"
508echo "  systemctl restart tranquil-pds   # restart"
509echo "  tranquil-pds-mailq               # view trapped emails"
510echo ""