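#!/bin/bash
# Comprehensive setup script for a Hetzner server: Docker, the openfront
# service user, a Traefik reverse proxy terminating TLS with a Cloudflare
# origin certificate, Node Exporter and an OpenTelemetry Collector.
#
# Usage: run as root; .env.setup must sit next to this script.
# Required variables in .env.setup:
#   OTEL_EXPORTER_OTLP_ENDPOINT     OTLP/HTTP endpoint the collector exports to
#   OTEL_AUTH_HEADER                value placed after "Basic " in the Authorization header
#   CF_ORIGIN_CERT / CF_ORIGIN_KEY  Cloudflare origin certificate and private key (PEM)
# Optional overrides:
#   NODE_EXPORTER_IMAGE, OTEL_COLLECTOR_IMAGE  container images; default to the
#                                              :latest tags below, so pin them for
#                                              reproducible deployments.
#
# .env.setup is sourced as shell code and contains a TLS private key and an
# exporter credential: keep it root-owned with mode 600.

# Exit on error, on unset variables, and when any stage of a pipeline fails.
set -euo pipefail

# Print a message to stderr and abort the setup.
die() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

echo "====================================================="
echo "STARTING SERVER SETUP"
echo "====================================================="

# Everything below edits /etc, creates users and talks to the Docker daemon.
[ "$(id -u)" -eq 0 ] || die "this script must be run as root"

# Load environment variables from .env.setup if present
ENV_FILE="$(dirname "$0")/.env.setup"
if [ -f "$ENV_FILE" ]; then
  echo "Loading environment from $ENV_FILE"
  # set -a exports every variable the file defines so child processes (docker
  # compose, curl, apt, ...) inherit them. That includes the secrets listed in
  # the header; drop -a if nothing downstream needs them in its environment.
  set -a
  # shellcheck source=/dev/null
  source "$ENV_FILE"
  set +a
else
  die "No .env.setup file found at $ENV_FILE"
fi

# Verify required environment variables (${VAR:-} keeps set -u from tripping on unset names)
if [ -z "${OTEL_EXPORTER_OTLP_ENDPOINT:-}" ] || [ -z "${OTEL_AUTH_HEADER:-}" ]; then
  echo "ERROR: Required environment variables are not set!" >&2
  echo "Please set OTEL_EXPORTER_OTLP_ENDPOINT and OTEL_AUTH_HEADER in .env.setup" >&2
  exit 1
fi

# CF_ORIGIN_CERT and CF_ORIGIN_KEY: Cloudflare Origin Certificate and private key.
# Generate at: Cloudflare dashboard -> SSL/TLS -> Origin Server -> Create Certificate
if [ -z "${CF_ORIGIN_CERT:-}" ] || [ -z "${CF_ORIGIN_KEY:-}" ]; then
  echo "ERROR: CF_ORIGIN_CERT and CF_ORIGIN_KEY are not set!" >&2
  echo "Generate an origin certificate at: Cloudflare -> SSL/TLS -> Origin Server -> Create Certificate" >&2
  echo "Then add CF_ORIGIN_CERT and CF_ORIGIN_KEY to .env.setup" >&2
  exit 1
fi

echo "Updating system..."
# apt-get is the scripting-stable front end. Two statements rather than
# `update && upgrade`: set -e ignores a failing non-final member of an && list,
# so a failed index refresh would otherwise go unnoticed.
apt-get update
DEBIAN_FRONTEND=noninteractive apt-get upgrade -y

# Check if Docker is already installed
if command -v docker &> /dev/null; then
  echo "Docker is already installed"
else
  echo "Installing Docker..."
  # Docker's convenience script. It is fetched over HTTPS and executed as root
  # without further verification; the download goes to a private temp file that
  # is removed on any exit path instead of being left in the working directory.
  docker_script="$(mktemp)"
  trap 'rm -f -- "$docker_script"' EXIT
  curl -fsSL https://get.docker.com -o "$docker_script"
  sh "$docker_script"
  rm -f -- "$docker_script"
  trap - EXIT
  systemctl enable --now docker
  echo "Docker installed successfully"
fi

OPENFRONT_USER="openfront"
OPENFRONT_HOME="/home/$OPENFRONT_USER"

echo "Setting up $OPENFRONT_USER user..."
# Create the service user if it doesn't exist
if id "$OPENFRONT_USER" &> /dev/null; then
  echo "User $OPENFRONT_USER already exists"
else
  useradd -m -s /bin/bash "$OPENFRONT_USER"
  echo "User $OPENFRONT_USER created"
fi

# docker group membership grants control of the Docker socket, i.e. root-equivalent
# access on this host; it is required for the app user to run its containers.
if id -nG "$OPENFRONT_USER" | grep -qw docker; then
  echo "User $OPENFRONT_USER is already in the docker group"
else
  usermod -aG docker "$OPENFRONT_USER"
  echo "Added $OPENFRONT_USER to docker group"
fi

# Create .ssh directory for the service user if it doesn't exist
if [ ! -d "$OPENFRONT_HOME/.ssh" ]; then
  mkdir -p "$OPENFRONT_HOME/.ssh"
  chmod 700 "$OPENFRONT_HOME/.ssh"
  echo "Created .ssh directory for $OPENFRONT_USER"
fi

# Copy SSH keys from root if they exist and haven't been copied yet.
# install(1) creates the copy with mode 600 directly, so there is no window
# in which the file exists with default permissions.
if [ -f /root/.ssh/authorized_keys ] && [ ! -f "$OPENFRONT_HOME/.ssh/authorized_keys" ]; then
  install -m 600 /root/.ssh/authorized_keys "$OPENFRONT_HOME/.ssh/authorized_keys"
  echo "SSH keys copied from root to $OPENFRONT_USER"
fi

# Configure UDP buffer sizes for Cloudflare Tunnel
# https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes
echo "Configuring UDP buffer sizes..."
SYSCTL_CONF="/etc/sysctl.conf"
# Check if settings already exist in sysctl.conf (-s: a missing file is treated as "not configured")
if grep -qs "net.core.rmem_max" "$SYSCTL_CONF" && grep -qs "net.core.wmem_max" "$SYSCTL_CONF"; then
  echo "UDP buffer size settings already configured"
else
  {
    echo "# UDP buffer size settings for improved QUIC performance"
    echo "net.core.rmem_max=7500000"
    echo "net.core.wmem_max=7500000"
  } >> "$SYSCTL_CONF"
  # Apply the settings immediately
  sysctl -p
  echo "UDP buffer sizes configured and applied"
fi

# Set proper ownership for the service user's home directory
chown -R "$OPENFRONT_USER:$OPENFRONT_USER" "$OPENFRONT_HOME"
echo "Set proper ownership for $OPENFRONT_USER's home directory"

# Set up Traefik reverse proxy
echo "Setting up Traefik..."
# Create the shared Docker network used by Traefik and app containers.
# `network inspect` is an exact-name lookup, unlike grepping `network ls`.
if docker network inspect web > /dev/null 2>&1; then
  echo "Docker network 'web' already exists"
else
  docker network create web
  echo "Created Docker network 'web'"
fi

TRAEFIK_CONFIG_DIR="$OPENFRONT_HOME/traefik"
TRAEFIK_CERTS_DIR="$TRAEFIK_CONFIG_DIR/certs"
mkdir -p "$TRAEFIK_CERTS_DIR"

# Write the Cloudflare origin certificate and key (passed as env vars).
# Only root — and therefore Traefik, which runs as root inside its container —
# may read the key material; the openfront app user must not. The files are
# created under umask 077 so they never exist with looser permissions, and
# printf is used because echo may interpret the contents.
chmod 700 "$TRAEFIK_CERTS_DIR"
(
  umask 077
  printf '%s\n' "$CF_ORIGIN_CERT" > "$TRAEFIK_CERTS_DIR/origin.crt"
  printf '%s\n' "$CF_ORIGIN_KEY" > "$TRAEFIK_CERTS_DIR/origin.key"
)
chmod 600 "$TRAEFIK_CERTS_DIR/origin.crt" "$TRAEFIK_CERTS_DIR/origin.key"
chown root:root "$TRAEFIK_CERTS_DIR" "$TRAEFIK_CERTS_DIR/origin.crt" "$TRAEFIK_CERTS_DIR/origin.key"

# No [api] block: the dashboard is disabled for production.
# To access it for debugging, SSH tunnel: ssh -L 8080:localhost:8080 user@server
cat > "$TRAEFIK_CONFIG_DIR/traefik.toml" << 'EOF'
[log]
  level = "INFO"

[entryPoints]
  [entryPoints.websecure]
    address = ":443"

[providers]
  [providers.docker]
    endpoint = "unix:///var/run/docker.sock"
    exposedByDefault = false # Only route containers with traefik.enable=true
    network = "web"
    watch = true
  [providers.file]
    filename = "/etc/traefik/tls.toml"
    watch = true
EOF

# Static TLS configuration referencing the Cloudflare origin cert
cat > "$TRAEFIK_CONFIG_DIR/tls.toml" << 'EOF'
[[tls.certificates]]
  certFile = "/certs/origin.crt"
  keyFile = "/certs/origin.key"

[tls.options]
  [tls.options.default]
    minVersion = "VersionTLS12"
EOF

# Only :443 is published; there is no plain-HTTP entry point.
cat > "$TRAEFIK_CONFIG_DIR/compose.yaml" << 'EOF'
networks:
  web:
    # External so blue/green containers can join independently.
    external: true

services:
  traefik:
    image: traefik:v3.6
    container_name: traefik
    restart: unless-stopped
    ports:
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /home/openfront/traefik/traefik.toml:/etc/traefik/traefik.toml:ro
      - /home/openfront/traefik/tls.toml:/etc/traefik/tls.toml:ro
      - /home/openfront/traefik/certs:/certs:ro
    networks:
      - web
EOF

# The service user owns the directory and the non-secret config files only.
# Deliberately not `chown -R`: that would hand the certs directory to the app
# user, even if only until a later chown moved it back.
chown "$OPENFRONT_USER:$OPENFRONT_USER" "$TRAEFIK_CONFIG_DIR" \
  "$TRAEFIK_CONFIG_DIR/traefik.toml" \
  "$TRAEFIK_CONFIG_DIR/tls.toml" \
  "$TRAEFIK_CONFIG_DIR/compose.yaml"

docker compose -f "$TRAEFIK_CONFIG_DIR/compose.yaml" pull
docker compose -f "$TRAEFIK_CONFIG_DIR/compose.yaml" up -d

# Exact-name running check (`docker ps | grep` would also match unrelated names).
container_running() {
  [ "$(docker inspect -f '{{.State.Running}}' "$1" 2> /dev/null)" = "true" ]
}

if container_running traefik; then
  echo "Traefik started successfully!"
else
  echo "Failed to start Traefik. Check logs with: docker logs traefik" >&2
  exit 1
fi

# Create directory for OpenTelemetry configuration
echo "Setting up Node Exporter and OpenTelemetry Collector..."
OTEL_CONFIG_DIR="$OPENFRONT_HOME/otel"
if [ ! -d "$OTEL_CONFIG_DIR" ]; then
  mkdir -p "$OTEL_CONFIG_DIR"
  echo "Created OpenTelemetry configuration directory"
fi

# Create OpenTelemetry Collector configuration. The heredoc is unquoted so the
# endpoint and credential are substituted now; `\${HOSTNAME}` is escaped so the
# literal ${HOSTNAME} reaches the file for the collector to expand at runtime.
# The resulting file embeds OTEL_AUTH_HEADER, hence mode 600 below.
# NOTE(review): the dotted label name `openfront.host` is rejected by older
# Prometheus scrape-config validation; confirm the collector version in use accepts it.
cat > "$OTEL_CONFIG_DIR/otel-collector-config.yaml" << EOF
receivers:
  prometheus:
    config:
      scrape_configs:
        - job_name: 'node'
          scrape_interval: 10s
          static_configs:
            - targets: ['localhost:9100'] # Node Exporter endpoint
          relabel_configs:
            - source_labels: [__address__]
              regex: '.*'
              target_label: openfront.host
              replacement: "\${HOSTNAME}"

processors:
  batch:
    # Batch metrics before sending
    timeout: 10s
    send_batch_size: 1000

exporters:
  otlphttp:
    endpoint: "${OTEL_EXPORTER_OTLP_ENDPOINT}"
    headers:
      Authorization: "Basic ${OTEL_AUTH_HEADER}"
    tls:
      insecure: true # Set to false in production with proper certs

service:
  pipelines:
    metrics:
      receivers: [prometheus]
      processors: [batch]
      exporters: [otlphttp]
EOF

# Restrict the credential-bearing config before handing the directory over
chmod 600 "$OTEL_CONFIG_DIR/otel-collector-config.yaml"
chown -R "$OPENFRONT_USER:$OPENFRONT_USER" "$OTEL_CONFIG_DIR"

# Images are overridable so deployments can pin a digest or version instead of :latest.
NODE_EXPORTER_IMAGE="${NODE_EXPORTER_IMAGE:-prom/node-exporter:latest}"
OTEL_COLLECTOR_IMAGE="${OTEL_COLLECTOR_IMAGE:-otel/opentelemetry-collector-contrib:latest}"

# Run Node Exporter
echo "Starting Node Exporter..."
docker pull "$NODE_EXPORTER_IMAGE"
docker rm -f node-exporter 2> /dev/null || true
docker run -d \
  --name=node-exporter \
  --restart=unless-stopped \
  --net="host" \
  --pid="host" \
  -v "/:/host:ro,rslave" \
  "$NODE_EXPORTER_IMAGE" \
  --path.rootfs=/host

# Run OpenTelemetry Collector.
# --user=0: the config is owned by the service user with mode 600, so the
# container's default unprivileged user could not read it; runs as root instead.
echo "Starting OpenTelemetry Collector..."
docker pull "$OTEL_COLLECTOR_IMAGE"
docker rm -f otel-collector 2> /dev/null || true
docker run -d \
  --name=otel-collector \
  --restart=unless-stopped \
  --network=host \
  --user=0 \
  -v "$OTEL_CONFIG_DIR/otel-collector-config.yaml:/etc/otelcol-contrib/config.yaml:ro" \
  "$OTEL_COLLECTOR_IMAGE"

# Check if containers are running
if container_running node-exporter && container_running otel-collector; then
  echo "Node Exporter and OpenTelemetry Collector started successfully!"
else
  echo "Failed to start containers. Check logs with: docker logs node-exporter or docker logs otel-collector" >&2
  exit 1
fi

echo "====================================================="
echo "SETUP COMPLETE!"
echo "====================================================="
echo "The $OPENFRONT_USER user has been set up and has Docker permissions."
echo "UDP buffer sizes have been configured for optimal QUIC/WebSocket performance."
echo "Traefik reverse proxy is running (HTTPS :443 only, with Cloudflare origin cert)."
echo "Node Exporter is collecting system metrics."
echo "OpenTelemetry Collector is forwarding metrics to your endpoint."
echo ""
echo "Configuration:"
echo " - Config Directory: $OTEL_CONFIG_DIR"
echo " - OpenTelemetry Endpoint: $OTEL_EXPORTER_OTLP_ENDPOINT"
echo "====================================================="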