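#!/bin/bash
# cloud-init bootstrap for a single-host ContributionAPI deployment.
# Runs as root on first boot: creates the deploy account, installs Docker,
# opens the firewall, clones the repo and wraps `docker compose` in a
# systemd unit. Re-running is mostly idempotent; exceptions are noted inline.
set -euo pipefail

# === Configuration ===
DEPLOY_USER="deploy"
APP_DIR="/srv/app"
REPO_URL="https://github.com/PROxZIMA/ContributionAPI.git"
SERVICE_NAME="contribution-api"

echo ">>> Creating user $DEPLOY_USER"
if ! id "$DEPLOY_USER" &>/dev/null; then
  useradd -m -s /bin/bash -G sudo "$DEPLOY_USER"
  # NOTE(security): passwordless sudo for the deploy account. Nothing in this
  # script needs it (the service only needs the docker group, which is itself
  # root-equivalent); it is an operator convenience. Drop it if interactive
  # administration goes through another account.
  # The fragment is checked with visudo before it is installed: a malformed
  # file under /etc/sudoers.d disables sudo for every user on the host.
  sudoers_tmp=$(mktemp)
  printf '%s ALL=(ALL) NOPASSWD:ALL\n' "$DEPLOY_USER" >"$sudoers_tmp"
  visudo -cf "$sudoers_tmp"
  install -m 440 -o root -g root "$sudoers_tmp" "/etc/sudoers.d/$DEPLOY_USER"
  rm -f -- "$sudoers_tmp"
fi

# Install the operator's public key. authorized_keys is replaced, not appended
# to, so any key added by hand after first boot is lost on a re-run.
install -d -m 700 -o "$DEPLOY_USER" -g "$DEPLOY_USER" "/home/$DEPLOY_USER/.ssh"
# !!!!! REPLACE THE BELOW SSH KEY WITH YOUR OWN !!!!!
cat > "/home/$DEPLOY_USER/.ssh/authorized_keys" <<'EOF'
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2RKIVsWPoImlIEZHQ1H7NJn0s/0XmMeADBg/nN4yW0uPLAbG8VVElaDnSrhr+wEWh/FMwk/L1YdeCf8wx7HiMMn6v+XexJa9PZ7Ww3JjR+LSErjnJ7EJLEriRBQwpqKPkJ0qvHqu8XW+1d145PsosPaEdnaBbXHZ2EFkrVjJG1nGp9Juya8R4k3bJ7LbA/kUpWWaXP/dHScl78eumBoQegVugfYwl+RT30myax60l4qCW3ZxQfNSjPZOEIENMOFW5ChxgYhGbb+fRvH8DG8w2C274//uZcq3GDreXle39lorgPhvuPg0K+DvSv3ZMwGroj/Khb6sBP/3mA0Zkj0Ph ssh-key-2025-10-07
EOF
chown "$DEPLOY_USER:$DEPLOY_USER" "/home/$DEPLOY_USER/.ssh/authorized_keys"
chmod 600 "/home/$DEPLOY_USER/.ssh/authorized_keys"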
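echo ">>> Updating system and installing base packages"
# cloud-init has no tty; stop debconf from blocking on prompts during upgrade.
export DEBIAN_FRONTEND=noninteractive
apt-get update
apt-get upgrade -y
apt-get install -y apt-transport-https ca-certificates curl gnupg lsb-release ufw git

echo ">>> Installing Docker"
# Docker's upstream apt repo, bound to its signing key via signed-by= so a
# compromised mirror cannot serve unsigned packages. --batch --yes lets gpg
# overwrite an existing keyring on a re-run instead of prompting and failing.
install -d -m 755 /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/ubuntu/gpg \
  | gpg --dearmor --batch --yes -o /etc/apt/keyrings/docker.gpg
chmod a+r /etc/apt/keyrings/docker.gpg
# Take the architecture from the host instead of hard-coding arm64, so the
# same script works on amd64 images; arm64 hosts behave exactly as before.
docker_arch=$(dpkg --print-architecture)
docker_codename=$(lsb_release -cs)
echo "deb [arch=${docker_arch} signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu ${docker_codename} stable" \
  > /etc/apt/sources.list.d/docker.list
apt-get update
apt-get install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin
# NOTE(security): docker group membership is root-equivalent on this host
# (any member can start a privileged container with / bind-mounted). Together
# with the NOPASSWD sudo above, the deploy account is fully privileged; its
# SSH key and the GHCR token it reads deserve the same protection as root's.
usermod -aG docker "$DEPLOY_USER"
systemctl enable --now docker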
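echo ">>> Configuring firewall"
# State the policy explicitly rather than relying on the packaged defaults:
# nothing inbound unless listed below, everything outbound.
ufw default deny incoming
ufw default allow outgoing
# SSH and plain HTTP are TCP-only; 443 is left protocol-agnostic so a reverse
# proxy serving HTTP/3 (QUIC over UDP) keeps working.
ufw allow 22/tcp
ufw allow 80/tcp
ufw allow 443
# NOTE(security): 3420/tcp exposes the API container directly, bypassing any
# TLS or auth the Caddy front end adds on 80/443. If clients only reach it via
# the proxy, delete this rule or scope it to a source range, e.g.
# `ufw allow from <cidr> to any port 3420 proto tcp`.
ufw allow 3420/tcp
# --force answers the "may disrupt existing ssh connections" prompt.
ufw --force enable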
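echo ">>> Cloning repository into $APP_DIR"
install -d -o "$DEPLOY_USER" -g "$DEPLOY_USER" "$APP_DIR"
cd "$APP_DIR"
# Clone only when there is no checkout yet; the systemd unit pulls on every
# start. Unlike the previous blanket `|| true`, a genuine clone failure (bad
# URL, no network, non-empty directory) now aborts the bootstrap instead of
# leaving an empty tree for the service to trip over later.
if [[ -d "$APP_DIR/.git" ]]; then
  echo ">>> $APP_DIR already contains a checkout; skipping clone"
else
  sudo -u "$DEPLOY_USER" git clone "$REPO_URL" .
fi
chown -R "$DEPLOY_USER:$DEPLOY_USER" "$APP_DIR"

echo ">>> Creating secrets directory"
# Receives material rendered by ghcr-login.sh at service start. Mode 700 keeps
# other local accounts out; a container that bind-mounts a file from here still
# reads it regardless of the directory mode.
install -d -m 700 -o "$DEPLOY_USER" -g "$DEPLOY_USER" "$APP_DIR/.secrets"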
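echo ">>> Creating GHCR login helper script"
# Runs as the deploy user from the unit's ExecStartPre and from the update
# helper. Both inputs are operator-provisioned files this bootstrap does NOT
# create:
#   ~deploy/.ghcr_token             - GHCR token (read:packages suffices for pulls)
#   ~deploy/.google_credentials_b64 - base64 of a service-account JSON
# Keep both at mode 600. Neither value is ever placed on a command line.
cat > /usr/local/bin/ghcr-login.sh <<'EOF'
#!/bin/bash
set -euo pipefail
TOKEN_FILE="/home/deploy/.ghcr_token"
GOOGLE_CREDS_FILE="/home/deploy/.google_credentials_b64"
SECRETS_DIR="/srv/app/.secrets"

if [ -f "$TOKEN_FILE" ]; then
  GHCR_TOKEN=$(cat "$TOKEN_FILE")
  # --password-stdin keeps the token out of argv (and therefore out of ps).
  # A failed login stays non-fatal -- public images still pull -- but it is
  # now reported rather than followed by a misleading success message.
  if printf '%s\n' "$GHCR_TOKEN" | docker login ghcr.io -u deploy --password-stdin; then
    echo "Successfully logged into GHCR"
  else
    echo "WARNING: GHCR login failed; continuing without registry credentials" >&2
  fi
fi

if [ -f "$GOOGLE_CREDS_FILE" ]; then
  echo "Setting up Google Application Credentials..."
  # Decode into a temp file beside the target and rename it into place, so a
  # failed or interrupted decode never leaves a truncated credentials file
  # for the container to pick up.
  tmp=$(mktemp "$SECRETS_DIR/.google-credentials.XXXXXX")
  trap 'rm -f -- "$tmp"' EXIT
  base64 --decode "$GOOGLE_CREDS_FILE" > "$tmp"
  chown deploy:deploy "$tmp"
  # NOTE(review): 644 is presumably so the container's (non-deploy) uid can
  # read the bind-mounted file. If the container runs as deploy's uid or as
  # root, tighten this to 600 -- confirm against docker-compose.yml.
  chmod 644 "$tmp"
  mv -f "$tmp" "$SECRETS_DIR/google-credentials.json"
  echo "Google credentials configured successfully"
fi
EOF
chmod 755 /usr/local/bin/ghcr-login.sh
chown root:root /usr/local/bin/ghcr-login.sh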
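echo ">>> Creating systemd service for $SERVICE_NAME"
# Oneshot + RemainAfterExit: "active" means the compose stack was brought up;
# stop and reload map onto `compose down` and `compose pull && up`. The user
# and paths are literal inside the quoted heredoc and must match
# DEPLOY_USER / APP_DIR above.
#
# NOTE(security, supply chain): every start runs `git pull origin master` and
# `docker compose pull` as the deploy user, whose docker-group membership is
# root-equivalent. Anyone who can push to master, or publish the image tags the
# compose file references, can run arbitrary code as root on this host.
# Consider pinning to a tag or commit and to image digests, and verifying
# signed commits/tags before pulling.
cat > "/etc/systemd/system/${SERVICE_NAME}.service" <<'EOF'
[Unit]
Description=ContributionAPI Docker Compose Services
Requires=docker.service
# After= alone does not pull network-online.target in; Wants= makes the
# ordering meaningful so the git and image pulls do not race network setup.
Wants=network-online.target
After=network-online.target docker.service

[Service]
Type=oneshot
RemainAfterExit=yes
User=deploy
Group=deploy
WorkingDirectory=/srv/app
ExecStartPre=/usr/local/bin/ghcr-login.sh
ExecStartPre=/usr/bin/git pull origin master
ExecStart=/usr/bin/docker compose pull
ExecStartPost=/usr/bin/docker compose up -d
ExecStop=/usr/bin/docker compose down
ExecReload=/usr/bin/docker compose pull
ExecReload=/usr/bin/docker compose up -d
TimeoutStartSec=300
Restart=on-failure
RestartSec=10

[Install]
WantedBy=multi-user.target
EOF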
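echo ">>> Creating update helper script"
# Manual "deploy latest" path mirroring the unit's start sequence. The checkout
# is owned by deploy, so the script re-executes itself as deploy when invoked
# as root: running git there as root would leave root-owned objects behind
# (breaking the unit's next `git pull`), and recent git refuses to operate on
# a repository owned by another user in any case.
cat > /usr/local/bin/update-contribution-api.sh <<'EOF'
#!/bin/bash
set -euo pipefail

if [ "$(id -un)" != "deploy" ]; then
  if [ "$(id -u)" -eq 0 ]; then
    exec sudo -u deploy -- "$0" "$@"
  fi
  echo "Run this script as the deploy user (or as root)." >&2
  exit 1
fi

echo "Updating ContributionAPI deployment..."
cd /srv/app
git pull origin master
/usr/local/bin/ghcr-login.sh
docker compose pull
docker compose up -d
# Drop layers orphaned by the pull so repeated updates do not fill the disk.
docker image prune -f
echo "ContributionAPI updated successfully!"
EOF
chmod 755 /usr/local/bin/update-contribution-api.sh
chown root:root /usr/local/bin/update-contribution-api.sh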
echo ">>> Creating Caddy log directory"
# Handed to the deploy account; presumably bind-mounted into the Caddy
# container by the compose file -- confirm against docker-compose.yml.
install -d -o "$DEPLOY_USER" -g "$DEPLOY_USER" /var/log/caddy

echo ">>> Reloading systemd and enabling service"
systemctl daemon-reload
systemctl enable --now "${SERVICE_NAME}.service"

echo "✅ Setup complete: ContributionAPI deployed and managed by systemd."
echo ">>> To update ContributionAPI, run: /usr/local/bin/update-contribution-api.sh"