From e33fa32352343af085e51c22280bab3bc8178ba0 Mon Sep 17 00:00:00 2001
From: Christoph
Date: Mon, 11 May 2020 11:42:30 +0200
Subject: [PATCH] Fist version 'install-mattermost.sh' completed.
---
examples/nginx/mattermost-host.conf | 109 ++++++++++++++
install-mattermost.sh | 224 +++++++++++++++++++++++++++-
2 files changed, 330 insertions(+), 3 deletions(-)
create mode 100644 examples/nginx/mattermost-host.conf
diff --git a/examples/nginx/mattermost-host.conf b/examples/nginx/mattermost-host.conf
new file mode 100644
index 0000000..50136f2
--- /dev/null
+++ b/examples/nginx/mattermost-host.conf
@@ -0,0 +1,109 @@
+# -- @FQHN_HOSTNAME@ --
+
+upstream mm_backend {
+ server 127.0.0.1:8065;
+ keepalive 32;
+}
+
+proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=mattermost_cache:10m max_size=3g inactive=120m use_temp_path=off;
+
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name @FQHN_HOSTNAME@;
+
+ return 301 https://$server_name$request_uri;
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name @FQHN_HOSTNAME@;
+
+ # Include location directive for Let's Encrypt ACME Challenge
+ #
+ # Needed for (automated) updating certificate
+ #
+ include snippets/letsencrypt-acme-challenge.conf;
+
+ ssl on;
+
+ ssl_certificate /var/lib/dehydrated/certs/@FQHN_HOSTNAME@/fullchain.pem;
+ ssl_certificate_key /var/lib/dehydrated/certs/@FQHN_HOSTNAME@/privkey.pem;
+ ssl_trusted_certificate /var/lib/dehydrated/certs/@FQHN_HOSTNAME@/chain.pem;
+
+ # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
+ #
+ # To generate a dhparam.pem file, run in a terminal
+ # openssl dhparam -dsaparam -out /etc/nginx/ssl/dhparam.pem 2048
+ #
+ ssl_dhparam /etc/nginx/ssl/dhparam.pem;
+
+ # Eable session resumption to improve https performance
+ ssl_session_cache shared:SSL:50m;
+ ssl_session_timeout 10m;
+ ssl_session_tickets off;
+
+ #ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # omit SSLv3 because of POODLE
+ # omit SSLv3 because of POODLE
+ # omit TLSv1 TLSv1.1
+ ssl_protocols TLSv1.2 TLSv1.3;
+
+ # ECDHE better than DHE (faster) ECDHE & DHE GCM better than CBC (attacks on AES)
+ # Everything better than SHA1 (deprecated)
+ #
+ ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+ ssl_prefer_server_ciphers on;
+
+ # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
+ #
+ add_header Strict-Transport-Security max-age=15768000;
+
+ # OCSP Stapling ---
+ # fetch OCSP records from URL in ssl_certificate and cache them
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ location ~ /api/v[0-9]+/(users/)?websocket$ {
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ client_max_body_size 50M;
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Frame-Options SAMEORIGIN;
+ proxy_buffers 256 16k;
+ proxy_buffer_size 16k;
+ client_body_timeout 60;
+ send_timeout 300;
+ lingering_timeout 5;
+ proxy_connect_timeout 90;
+ proxy_send_timeout 300;
+ proxy_read_timeout 90s;
+ proxy_pass http://mm_backend;
+ }
+
+ location / {
+ client_max_body_size 50M;
+ proxy_set_header Connection "";
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Frame-Options SAMEORIGIN;
+ proxy_buffers 256 16k;
+ proxy_buffer_size 16k;
+ proxy_read_timeout 600s;
+ proxy_cache mattermost_cache;
+ proxy_cache_revalidate on;
+ proxy_cache_min_uses 2;
+ proxy_cache_use_stale timeout;
+ proxy_cache_lock on;
+ proxy_http_version 1.1;
+ proxy_pass http://mm_backend;
+ }
+}
+
diff --git a/install-mattermost.sh b/install-mattermost.sh
index 7efa501..ef81873 100755
--- a/install-mattermost.sh
+++ b/install-mattermost.sh
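Review bot: `ssl_stapling on;` in the 443 server block is not paired with a `resolver` directive, so nginx has no way to look up the OCSP responder named in the certificate and stapling will quietly not take place; add a line such as `resolver RESOLVER_ADDRESS valid=300s;` (placeholder for the host's resolver) next to the stapling directives. `ssl on;` is deprecated in favour of the `ssl` parameter that the `listen 443` lines already carry and can be dropped, and `proxy_set_header X-Frame-Options SAMEORIGIN;` in both location blocks sets a request header towards the backend, not a response header for the browser — if clickjacking protection at the proxy is intended, that is `add_header X-Frame-Options SAMEORIGIN;`. The same three points apply to the copy of this configuration embedded in the heredoc in install-mattermost.sh in the last hunk.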
@@ -586,6 +586,21 @@ echo
 echo -e "\033[37m\033[1mSome pre-installation stuff..\033[m"
 echo
+echononl "Stop Mattermost Service.."
+if $(systemctl is-active --quiet service mattermost.service) ; then
+ systemctl stop mattermost.service > "$log_file" 2>&1
+ if [[ $? -ne 0 ]]; then
+ echo_failed
+ error "$(cat "$log_file")"
+ else
+ echo_ok
+ fi
+else
+ echo_skipped
+fi
+
+blank_line
+
 echononl "Create Database User '${DB_USER}' with Password '${DB_PASS}'.."
 if [[ "$(mysql $MYSQL_CREDENTIAL_ARGS -N -s -e \
 "SELECT EXISTS(SELECT 1 FROM mysql.user WHERE user = '$DB_USER')" 2>/dev/null)" = 1 ]]; then
@@ -738,7 +753,7 @@ echo
 echo -e "\033[37m\033[1mConfigure Mattermost - file '/opt/mattermost/config/config.json'..\033[m"
 echo
-echononl "Set up 'DriverName'.."
+echononl "Set up 'SqlSettings'.."
 if ! $(grep -q -E "^\s*\"DriverName\":\s+mysql" /opt/mattermost/config/config.json 2> "$log_file") ; then
 _found=false
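Review bot: The service check `if $(systemctl is-active --quiet service mattermost.service) ; then` in the 'Stop Mattermost Service' block runs the command's (empty, because of `--quiet`) output as the condition instead of the command itself, and passes a stray unit name `service` in front of `mattermost.service`; it only behaves because bash falls back to the substitution's exit status when the expanded command line is empty. Write the test directly: `if systemctl is-active --quiet mattermost.service ; then`. The same `if ! $(grep -q …)` spelling guards the 'Set up' blocks in the next hunk and in the ServiceSettings hunk; `if ! grep -q … ; then` is the intended form there as well.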
@@ -783,6 +798,51 @@ else
 echo_skipped
 fi
+echononl "Set up 'ServiceSettings'.."
+if ! $(grep -q -E "^\s*\"DriverName\":\s+mysql" /opt/mattermost/config/config.json 2> "$log_file") ; then
+
+ _found=false
+ :> ${LOCK_DIR}/config.json
+ :> $log_file
+
+ while IFS='' read -r _line || [[ -n $_line ]] ; do
+
+
+ if $_found && echo "$_line" | grep -iq -E "^\s*\"SiteURL\":" 2> /dev/null ; then
+ cat <> ${LOCK_DIR}/config.json 2> "$log_file"
+ "SiteURL": "https://${FQHN_HOSTNAME}",
+EOF
+ elif $_found && echo "$_line" | grep -iq -E "^\s*\"ListenAddress\":" 2> /dev/null ; then
+ cat <> ${LOCK_DIR}/config.json 2> "$log_file"
+ "ListenAddress": "127.0.0.1:8065",
+EOF
+ else
+ echo "$_line" >> ${LOCK_DIR}/config.json 2> "$log_file"
+ fi
+
+ if ! $_found && echo "$_line" | grep -iq -E "^\s*\"ServiceSettings\"" 2> /dev/null ; then
+ _found=true
+ fi
+
+ if $_found && echo "$_line" | grep -iq -E "^\s*\}," 2> /dev/null ; then
+ _found=false
+ fi
+
+ done < "/opt/mattermost/config/config.json"
+
+ cp -a "${LOCK_DIR}/config.json" /opt/mattermost/config/config.json >> "$log_file" 2>&1
+
+ if [[ -s "$log_file" ]] ; then
+ echo_failed
+ error "$(cat "$log_file")"
+ else
+ echo_ok
+ fi
+
+else
+ echo_skipped
+fi
+
 echononl "Reset ownbership of '/opt/mattermost/config/config.json'.."
 chown ${MATTERMOST_USER}:${MATTERMOST_GROUP} /opt/mattermost/config/config.json > "$log_file" 2>&1
 if [[ $? -ne 0 ]]; then
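Review bot: The guard for the new 'Set up ServiceSettings' block, `if ! $(grep -q -E "^\s*\"DriverName\":\s+mysql" …)`, is copied from the SqlSettings block and tests DriverName rather than the SiteURL/ListenAddress values this block writes, so the skip branch says nothing about whether ServiceSettings is already configured; and since config.json stores the value as a quoted JSON string (`"mysql"`), the pattern `\s+mysql` presumably never matches, which would make the rewrite run on every invocation. Guard on the value this block actually sets, e.g. `if ! grep -q -E "^\s*\"SiteURL\":\s*\"https://${FQHN_HOSTNAME}\"" /opt/mattermost/config/config.json 2> "$log_file" ; then`. The heredoc lines appear on this page as `cat <> ${LOCK_DIR}/config.json`, which looks like a rendering loss of the `<<EOF >>` part; confirm the delimiter and the append redirect are intact in the actual file.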
@@ -858,11 +918,169 @@ else
 fi
+echo ""
+echo -e "\033[37m\033[1mConfiguring NGINX with SSL and HTTP/2..\033[m"
+echo ""
+echononl "Backup existing NGINX configuration.."
+if [[ -f "/etc/nginx/sites-available/${FQHN_HOSTNAME}.conf" ]] ; then
+ cp -a "/etc/nginx/sites-available/${FQHN_HOSTNAME}.conf" \
+ "/etc/nginx/sites-available/${FQHN_HOSTNAME}.conf.${backup_date}" > "$log_file" 2>&1
+ if [[ $? -ne 0 ]]; then
+ echo_failed
+ error "$(cat "$log_file")"
+ else
+ echo_ok
+ fi
+else
+ echo_skipped
+fi
-echo
+echononl "NGINX virtual host configuration for '${FQHN_HOSTNAME}'.."
+cat < "/etc/nginx/sites-available/${FQHN_HOSTNAME}.conf" 2> "$log_file"
+# -- ${FQHN_HOSTNAME} --
+
+upstream mm_backend {
+ server 127.0.0.1:8065;
+ keepalive 32;
+}
+
+proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=mattermost_cache:10m max_size=3g inactive=120m use_temp_path=off;
+
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name ${FQHN_HOSTNAME};
+
+ return 301 https://\$server_name\$request_uri;
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name ${FQHN_HOSTNAME};
+
+ # Include location directive for Let's Encrypt ACME Challenge
+ #
+ # Needed for (automated) updating certificate
+ #
+ include snippets/letsencrypt-acme-challenge.conf;
+
+ ssl on;
+
+ ssl_certificate /var/lib/dehydrated/certs/mm.oopen.de/fullchain.pem;
+ ssl_certificate_key /var/lib/dehydrated/certs/mm.oopen.de/privkey.pem;
+ ssl_trusted_certificate /var/lib/dehydrated/certs/mm.oopen.de/chain.pem;
+
+ # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
+ #
+ # To generate a dhparam.pem file, run in a terminal
+ # openssl dhparam -dsaparam -out /etc/nginx/ssl/dhparam.pem 2048
+ #
+ ssl_dhparam /etc/nginx/ssl/dhparam.pem;
+
+ # Eable session resumption to improve https performance
+ ssl_session_cache shared:SSL:50m;
+ ssl_session_timeout 10m;
+ ssl_session_tickets off;
+
+ #ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # omit SSLv3 because of POODLE
+ # omit SSLv3 because of POODLE
+ # omit TLSv1 TLSv1.1
+ ssl_protocols TLSv1.2 TLSv1.3;
+
+ # ECDHE better than DHE (faster) ECDHE & DHE GCM better than CBC (attacks on AES)
+ # Everything better than SHA1 (deprecated)
+ #
+ ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+ ssl_prefer_server_ciphers on;
+
+ # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
+ #
+ add_header Strict-Transport-Security max-age=15768000;
+
+ # OCSP Stapling ---
+ # fetch OCSP records from URL in ssl_certificate and cache them
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ location ~ /api/v[0-9]+/(users/)?websocket$ {
+ proxy_set_header Upgrade \$http_upgrade;
+ proxy_set_header Connection "upgrade";
+ client_max_body_size 50M;
+ proxy_set_header Host \$http_host;
+ proxy_set_header X-Real-IP \$remote_addr;
+ proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto \$scheme;
+ proxy_set_header X-Frame-Options SAMEORIGIN;
+ proxy_buffers 256 16k;
+ proxy_buffer_size 16k;
+ client_body_timeout 60;
+ send_timeout 300;
+ lingering_timeout 5;
+ proxy_connect_timeout 90;
+ proxy_send_timeout 300;
+ proxy_read_timeout 90s;
+ proxy_pass http://mm_backend;
+ }
+
+ location / {
+ client_max_body_size 50M;
+ proxy_set_header Connection "";
+ proxy_set_header Host \$http_host;
+ proxy_set_header X-Real-IP \$remote_addr;
+ proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto \$scheme;
+ proxy_set_header X-Frame-Options SAMEORIGIN;
+ proxy_buffers 256 16k;
+ proxy_buffer_size 16k;
+ proxy_read_timeout 600s;
+ proxy_cache mattermost_cache;
+ proxy_cache_revalidate on;
+ proxy_cache_min_uses 2;
+ proxy_cache_use_stale timeout;
+ proxy_cache_lock on;
+ proxy_http_version 1.1;
+ proxy_pass http://mm_backend;
+ }
+}
+
+EOF
+if [[ $? -ne 0 ]]; then
+ echo_failed
+ error "$(cat "$log_file")"
+else
+ echo_ok
+fi
+
+echononl "Enable created configuration.."
+if [[ ! -h "/etc/nginx/sites-enabled/${FQHN_HOSTNAME}.conf" ]]; then
+ ln -s "../sites-available/${FQHN_HOSTNAME}.conf" \
+ "/etc/nginx/sites-enabled/${FQHN_HOSTNAME}.conf" > "$log_file" 2>&1
+ if [[ $? -ne 0 ]]; then
+ echo_failed
+ error "$(cat "$log_file")"
+ else
+ echo_ok
+ fi
+else
+ echo_skipped
+fi
+
+echononl "Restart NGINX Service.."
+systemctl restart nginx > "$log_file" 2>&1
+if [[ $? -ne 0 ]]; then
+ echo_failed
+ error "$(cat "$log_file")"
+else
+ echo_ok
+fi
+
+echo ""
 echo -e "\033[37m\033[1mSome post-installation stuff..\033[m"
-echo
+echo ""
 echononl "Create/Update configuration file '$(basename "$conf_file")'"
 if [[ -f "$conf_file" ]] ; then
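Review bot: The generated vhost hardcodes the certificate paths to `/var/lib/dehydrated/certs/mm.oopen.de/…` on the three `ssl_certificate*` lines while every other host-specific value in the heredoc uses `${FQHN_HOSTNAME}`; on any other host the `systemctl restart nginx` at the end of the hunk then fails (or, if such files happen to exist, the site is served with another host's certificate), and this is only discovered after the previous configuration has already been overwritten and the symlink enabled. Use `${FQHN_HOSTNAME}` there, as the example file in the first hunk does with `@FQHN_HOSTNAME@`. Validate before restarting so a broken config cannot take the site down: `nginx -t > "$log_file" 2>&1 && systemctl restart nginx >> "$log_file" 2>&1`. The `cat <<EOF > …` line appears on this page as `cat < "/etc/nginx/…"`, which looks like a rendering loss rather than the file's content; confirm the heredoc delimiter is intact in the script.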