#!/bin/bash # # LetsBe Server Setup Script # This script sets up the server and deploys selected tools. # # Usage: # ./setup.sh --tools "all" --domain "example.com" # ./setup.sh --tools "portainer,n8n,baserow" --domain "example.com" # ./setup.sh --tools "1,2,3" # ./setup.sh # Foundation only, no tools deployed # # Arguments: # --tools Comma-separated list of tools to deploy, "all", or tool numbers # --domain Domain name for SSL email (administrator@domain) # --skip-ssl Skip SSL certificate setup (useful for testing) # --admin-user Admin username to create with SSH key access # --admin-ssh-key Public SSH key for the admin user # set -euo pipefail # Prevent interactive prompts during apt install export DEBIAN_FRONTEND=noninteractive # ============================================================================= # ARGUMENT PARSING # ============================================================================= TOOLS_TO_DEPLOY="" SKIP_SSL=false ROOT_SSL=false DOMAIN="" # Docker registry authentication (optional) DOCKER_USER="" DOCKER_TOKEN="" DOCKER_REGISTRY="" # Gitea registry authentication (for private images from code.letsbe.solutions) GITEA_REGISTRY="" GITEA_USER="" GITEA_TOKEN="" # Admin user setup (optional - replaces hardcoded user) ADMIN_USER="" ADMIN_SSH_KEY="" while [[ $# -gt 0 ]]; do case $1 in --tools) TOOLS_TO_DEPLOY="$2" shift 2 ;; --domain) DOMAIN="$2" shift 2 ;; --skip-ssl) SKIP_SSL=true shift ;; --root-ssl) ROOT_SSL=true shift ;; --docker-user) DOCKER_USER="$2" shift 2 ;; --docker-token) DOCKER_TOKEN="$2" shift 2 ;; --docker-registry) DOCKER_REGISTRY="$2" shift 2 ;; --gitea-registry) GITEA_REGISTRY="$2" shift 2 ;; --gitea-user) GITEA_USER="$2" shift 2 ;; --gitea-token) GITEA_TOKEN="$2" shift 2 ;; --admin-user) ADMIN_USER="$2" shift 2 ;; --admin-ssh-key) ADMIN_SSH_KEY="$2" shift 2 ;; --help|-h) echo "Usage: $0 [--tools \"tool1,tool2,...\"|\"all\"] [--domain DOMAIN] [--skip-ssl] [--root-ssl]" echo "" echo "Options:" echo " --tools Comma-separated list of tools, 'all', or tool numbers" echo " --domain Domain name for SSL email (administrator@domain)" echo " --skip-ssl Skip SSL certificate setup" echo " --root-ssl Include root domain in SSL certificate" echo " --docker-user Docker registry username (optional)" echo " --docker-token Docker registry password/token (optional)" echo " --docker-registry Docker registry URL (optional, defaults to Docker Hub)" echo " --admin-user Admin username to create with SSH key access" echo " --admin-ssh-key Public SSH key for the admin user" echo "" echo "Examples:" echo " $0 --tools \"all\" --domain \"example.com\"" echo " $0 --tools \"portainer,n8n,baserow\"" echo " $0 --tools \"1,5,10\"" echo " $0 # Foundation only" exit 0 ;; *) echo "Unknown option: $1" echo "Use --help for usage information" exit 1 ;; esac done echo "=== LetsBe Server Setup ===" echo "" # ============================================================================= # PACKAGE INSTALLATION # ============================================================================= echo "[1/10] Installing system packages..." sudo apt update && sudo apt upgrade -y sudo apt install -y build-essential net-tools tree wget jq nano curl htop ufw fail2ban unattended-upgrades apt-listchanges apticron git gnupg ca-certificates apache2-utils acl certbot python3-certbot-nginx rsync rclone s3cmd zip sudo iptables htop dstat openssl # ============================================================================= # DOCKER INSTALLATION # ============================================================================= echo "[2/10] Installing Docker..." sudo install -m 0755 -d /etc/apt/keyrings # Use --batch and --yes for non-interactive gpg (required for nohup/background execution) sudo curl -fsSL https://download.docker.com/linux/debian/gpg -o /tmp/docker.gpg sudo gpg --batch --yes --dearmor -o /etc/apt/keyrings/docker.gpg /tmp/docker.gpg rm -f /tmp/docker.gpg sudo chmod a+r /etc/apt/keyrings/docker.gpg sudo echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian $(. /etc/os-release && echo $VERSION_CODENAME) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null sudo apt update sudo apt install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin sudo systemctl enable docker sudo curl -L "https://github.com/docker/compose/releases/latest/download/docker-compose-linux-$(uname -m)" -o /usr/local/bin/docker-compose sudo chmod 755 /usr/local/bin/docker-compose # Docker registry login (optional - for private registries or to bypass rate limits) if [[ -n "$DOCKER_USER" && -n "$DOCKER_TOKEN" ]]; then if [[ -n "$DOCKER_REGISTRY" ]]; then echo "Logging into Docker registry: $DOCKER_REGISTRY..." echo "$DOCKER_TOKEN" | docker login -u "$DOCKER_USER" --password-stdin "$DOCKER_REGISTRY" else echo "Logging into Docker Hub..." echo "$DOCKER_TOKEN" | docker login -u "$DOCKER_USER" --password-stdin fi fi # Gitea registry login (for private images from code.letsbe.solutions) if [[ -n "$GITEA_REGISTRY" && -n "$GITEA_USER" && -n "$GITEA_TOKEN" ]]; then echo "Logging into Gitea registry: $GITEA_REGISTRY..." echo "$GITEA_TOKEN" | docker login -u "$GITEA_USER" --password-stdin "$GITEA_REGISTRY" fi # ============================================================================= # DISABLE CONFLICTING SERVICES # ============================================================================= echo "[3/10] Disabling conflicting services..." sudo systemctl stop exim4 2>/dev/null || true sudo systemctl disable exim4 2>/dev/null || true sudo systemctl stop apache2 2>/dev/null || true sudo systemctl disable apache2 2>/dev/null || true sudo apt remove -y apache2 2>/dev/null || true # ============================================================================= # NGINX INSTALLATION & CONFIGURATION # ============================================================================= echo "[4/10] Installing and configuring nginx..." sudo apt install -y nginx sudo systemctl enable nginx sudo rm -f /etc/nginx/sites-enabled/default openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" -keyout /etc/nginx/placeholder.key -out /etc/nginx/placeholder.crt cat < /etc/nginx/conf.d/fallback.conf server { listen 80 default_server; listen [::]:80 default_server; server_name _; return 444; } server { listen 443 ssl default_server; server_name _; return 444; ssl_certificate /etc/nginx/placeholder.crt; ssl_certificate_key /etc/nginx/placeholder.key; } EOF sudo systemctl restart nginx # ============================================================================= # FIREWALL CONFIGURATION # ============================================================================= echo "[5/10] Configuring UFW firewall..." ufw allow 22 ufw allow 22022 ufw allow 80 ufw allow 443 # Open mail ports only if Poste mail server is being deployed if [[ "$TOOLS_TO_DEPLOY" == *"poste"* || "$TOOLS_TO_DEPLOY" == "all" ]]; then echo "Opening mail ports for Poste..." ufw allow 25 ufw allow 587 ufw allow 143 ufw allow 110 ufw allow 4190 ufw allow 465 ufw allow 993 ufw allow 995 fi ufw --force enable # ============================================================================= # ADMIN USER SETUP # ============================================================================= if [[ -n "$ADMIN_USER" && -n "$ADMIN_SSH_KEY" ]]; then echo "[6/10] Configuring admin user '$ADMIN_USER'..." if ! id -u "$ADMIN_USER" > /dev/null 2>&1; then echo "User $ADMIN_USER does not exist, will be created." useradd -m -s /bin/bash "$ADMIN_USER" fi mkdir -p /home/$ADMIN_USER/.ssh chmod 700 /home/$ADMIN_USER/.ssh echo "$ADMIN_SSH_KEY" >> /home/$ADMIN_USER/.ssh/authorized_keys chmod 600 /home/$ADMIN_USER/.ssh/authorized_keys chown -R $ADMIN_USER:$ADMIN_USER /home/$ADMIN_USER/.ssh usermod -aG docker "$ADMIN_USER" echo "Public key was added for user $ADMIN_USER." else echo "[6/10] Skipping admin user setup (no --admin-user and --admin-ssh-key provided)" fi # ============================================================================= # SSH SECURITY HARDENING # ============================================================================= echo "[7/10] Hardening SSH configuration..." cat < /etc/ssh/sshd_config Include /etc/ssh/sshd_config.d/*.conf Port 22022 #AddressFamily any #ListenAddress 0.0.0.0 #ListenAddress :: #HostKey /etc/ssh/ssh_host_rsa_key #HostKey /etc/ssh/ssh_host_ecdsa_key #HostKey /etc/ssh/ssh_host_ed25519_key SyslogFacility AUTH LogLevel VERBOSE LoginGraceTime 2m PermitRootLogin prohibit-password #StrictModes yes MaxAuthTries 6 MaxSessions 10 PasswordAuthentication no PermitEmptyPasswords no ChallengeResponseAuthentication no UsePAM yes X11Forwarding yes PrintMotd no PrintLastLog yes AcceptEnv LANG LC_* Subsystem sftp /usr/lib/openssh/sftp-server UsePrivilegeSeparation sandbox AuthenticationMethods publickey EOF # NOTE: SSH restart moved to end of script to keep connection alive # ============================================================================= # AUTOMATIC SECURITY UPDATES # ============================================================================= echo "[8/10] Configuring automatic security updates..." cat < /etc/apt/apt.conf.d/20auto-upgrades // Enable the update/upgrade script (0=disable) APT::Periodic::Enable "1"; // Do "apt-get update" automatically every n-days (0=disable) APT::Periodic::Update-Package-Lists "1"; // Do "apt-get upgrade --download-only" every n-days (0=disable) APT::Periodic::Download-Upgradeable-Packages "1"; // Do "apt-get autoclean" every n-days (0=disable) APT::Periodic::AutocleanInterval "7"; // Send report mail to root // 0: no report (or null string) // 1: progress report (actually any string) // 2: + command outputs (remove -qq, remove 2>/dev/null, add -d) APT::Periodic::Unattended-Upgrade "1"; // Automatically upgrade packages from these Unattended-Upgrade::Origins-Pattern { // "o=Debian,a=stable"; // "o=Debian,a=stable-updates"; "origin=Debian,codename=\${distro_codename},label=Debian-Security"; }; // You can specify your own packages to NOT automatically upgrade here Unattended-Upgrade::Package-Blacklist { }; // Run dpkg --force-confold --configure -a if a unclean dpkg state is detected to true to ensure that updates get installed even when the system got interrupted during a previous run Unattended-Upgrade::AutoFixInterruptedDpkg "true"; // Perform the upgrade when the machine is running because we wont be shutting our server down often Unattended-Upgrade::InstallOnShutdown "false"; // Send an email to this address with information about the packages upgraded. Unattended-Upgrade::Mail "administrator@letsbe.biz"; // Always send an e-mail Unattended-Upgrade::MailOnlyOnError "true"; // Remove all unused dependencies after the upgrade has finished Unattended-Upgrade::Remove-Unused-Dependencies "true"; // Remove any new unused dependencies after the upgrade has finished Unattended-Upgrade::Remove-New-Unused-Dependencies "true"; // Automatically reboot WITHOUT CONFIRMATION if the file /var/run/reboot-required is found after the upgrade. Unattended-Upgrade::Automatic-Reboot "false"; // Automatically reboot even if users are logged in. Unattended-Upgrade::Automatic-Reboot-WithUsers "false"; EOF # ============================================================================= # BACKUP SCRIPT & CRON # ============================================================================= echo "Setting up backup script and cron..." chmod 750 /opt/letsbe/scripts/backups.sh 2>/dev/null || true chmod 750 /opt/letsbe/scripts/restore.sh 2>/dev/null || true mkdir -p /root/.config/rclone mkdir -p /opt/letsbe/logs # Install backup cron non-interactively (daily at 2am) BACKUP_CRON="0 2 * * * /bin/bash /opt/letsbe/scripts/backups.sh >> /opt/letsbe/logs/backup.log 2>&1" ( crontab -l 2>/dev/null | grep -v "backups.sh"; echo "$BACKUP_CRON" ) | crontab - echo "Backup cron installed (daily at 2:00 AM)" # ============================================================================= # TOOL DEPLOYMENT # ============================================================================= echo "[9/10] Deploying tools..." # Get list of available tools mapfile -t available_tools < <(ls /opt/letsbe/stacks/*/docker-compose.yml 2>/dev/null | xargs -I {} dirname {} | xargs -I {} basename {}) if [[ -z "$TOOLS_TO_DEPLOY" ]]; then echo "No tools specified. Skipping tool deployment." echo "Available tools: ${available_tools[*]}" echo "Use --tools to deploy tools later." else # Determine which tools to deploy declare -a tools_list=() if [[ "$TOOLS_TO_DEPLOY" == "all" || "$TOOLS_TO_DEPLOY" == "a" ]]; then tools_list=("${available_tools[@]}") else # Parse comma-separated list IFS=',' read -ra requested_tools <<< "$TOOLS_TO_DEPLOY" for tool in "${requested_tools[@]}"; do tool=$(echo "$tool" | xargs) # Trim whitespace # Check if it's a number (index) if [[ "$tool" =~ ^[0-9]+$ ]]; then idx=$((tool - 1)) if [[ $idx -ge 0 && $idx -lt ${#available_tools[@]} ]]; then tools_list+=("${available_tools[$idx]}") else echo "Warning: Tool index $tool out of range, skipping." fi else # It's a tool name if [[ " ${available_tools[*]} " =~ " ${tool} " ]]; then tools_list+=("$tool") else echo "Warning: Tool '$tool' not found, skipping." fi fi done fi # Ensure orchestrator is FIRST (creates network that sysadmin needs) if [[ -f "/opt/letsbe/stacks/orchestrator/docker-compose.yml" ]]; then # Remove orchestrator from current position if present declare -a new_list=() for tool in "${tools_list[@]}"; do if [[ "$tool" != "orchestrator" ]]; then new_list+=("$tool") fi done # Prepend orchestrator to front tools_list=("orchestrator" "${new_list[@]}") echo "Orchestrator moved to front (creates network for sysadmin)" fi echo "Deploying tools: ${tools_list[*]}" # Track deployed tools for SSL setup DEPLOYED_TOOLS=() for tool_name in "${tools_list[@]}"; do compose_file="/opt/letsbe/stacks/${tool_name}/docker-compose.yml" if [[ -f "$compose_file" ]]; then # Copy .env file to centralized env directory if it exists stack_env="/opt/letsbe/stacks/${tool_name}/.env" central_env="/opt/letsbe/env/${tool_name}.env" if [[ -f "$stack_env" ]]; then cp "$stack_env" "$central_env" chmod 600 "$central_env" echo "Copied env file for $tool_name" fi # Tool-specific pre-deployment setup if [[ "$tool_name" == "nextcloud" ]]; then echo "Creating Nextcloud bind mount directories..." mkdir -p /opt/letsbe/config/nextcloud mkdir -p /opt/letsbe/data/nextcloud # Set appropriate ownership for www-data (uid 33 in Nextcloud container) chown -R 33:33 /opt/letsbe/config/nextcloud chown -R 33:33 /opt/letsbe/data/nextcloud fi if [[ "$tool_name" == "sysadmin" ]]; then echo " Pulling latest sysadmin agent image..." docker-compose -f "$compose_file" pull fi echo "Starting $tool_name..." docker-compose -f "$compose_file" up -d # Tool-specific post-deployment initialization if [[ "$tool_name" == "portainer" ]]; then echo "Configuring Portainer local Docker endpoint..." # Get Portainer container name PORTAINER_CONTAINER=$(docker ps --format '{{.Names}}' | grep portainer | head -1) if [[ -n "$PORTAINER_CONTAINER" ]]; then # Wait for Portainer to be ready echo " Waiting for Portainer to be ready..." for i in {1..30}; do if curl -ks https://localhost:9443/api/system/status >/dev/null 2>&1; then echo " Portainer is ready." break fi sleep 2 done # Read admin password from file PORTAINER_PASSWORD=$(cat /opt/letsbe/env/portainer_admin_password.txt 2>/dev/null) if [[ -n "$PORTAINER_PASSWORD" ]]; then # Authenticate and get JWT token echo " Authenticating with Portainer..." JWT_RESPONSE=$(curl -ks -X POST https://localhost:9443/api/auth \ -H "Content-Type: application/json" \ -d "{\"username\":\"admin\",\"password\":\"${PORTAINER_PASSWORD}\"}" 2>/dev/null) JWT=$(echo "$JWT_RESPONSE" | grep -o '"jwt":"[^"]*"' | cut -d'"' -f4) if [[ -n "$JWT" ]]; then echo " Creating local Docker endpoint..." # Create local Docker socket endpoint ENDPOINT_RESPONSE=$(curl -ks -X POST https://localhost:9443/api/endpoints \ -H "Authorization: Bearer $JWT" \ -H "Content-Type: multipart/form-data" \ -F "Name=local" \ -F "EndpointCreationType=1" 2>/dev/null) if echo "$ENDPOINT_RESPONSE" | grep -q '"Id"'; then echo " Local Docker endpoint created successfully." else echo " Warning: Endpoint creation response: $ENDPOINT_RESPONSE" fi else echo " Warning: Could not authenticate with Portainer" fi else echo " Warning: Could not read Portainer password file" fi else echo " Warning: Could not find Portainer container" fi fi if [[ "$tool_name" == "chatwoot" ]]; then echo "Initializing Chatwoot database (pgvector + migrations)..." # Get the customer prefix from the container name CHATWOOT_POSTGRES=$(docker ps --format '{{.Names}}' | grep chatwoot-postgres | head -1) CHATWOOT_RAILS=$(docker ps --format '{{.Names}}' | grep chatwoot-rails | head -1) if [[ -n "$CHATWOOT_POSTGRES" && -n "$CHATWOOT_RAILS" ]]; then # Wait for Postgres to be ready echo " Waiting for Postgres to be ready..." for i in {1..30}; do if docker exec "$CHATWOOT_POSTGRES" pg_isready -U chatwoot -d chatwoot_production >/dev/null 2>&1; then echo " Postgres is ready." break fi sleep 2 done # Create pgvector extension echo " Creating pgvector extension..." docker exec "$CHATWOOT_POSTGRES" psql -U chatwoot -d chatwoot_production -c "CREATE EXTENSION IF NOT EXISTS vector;" 2>/dev/null || true # Wait for Rails container to be fully up echo " Waiting for Rails container..." sleep 10 # Run database migrations echo " Running Chatwoot database prepare..." docker exec "$CHATWOOT_RAILS" bundle exec rails db:chatwoot_prepare 2>&1 || echo " Note: db:chatwoot_prepare may have already run" echo " Chatwoot initialization complete." else echo " Warning: Could not find Chatwoot containers for initialization" fi fi # Link nginx config if exists nginx_conf="/opt/letsbe/nginx/${tool_name}.conf" if [[ -f "$nginx_conf" ]]; then cp "$nginx_conf" /etc/nginx/sites-available/ ln -sf /etc/nginx/sites-available/${tool_name}.conf /etc/nginx/sites-enabled/ echo "Nginx config linked for $tool_name" DEPLOYED_TOOLS+=("$tool_name") else echo "No nginx config for $tool_name (may not need one)" fi else echo "Warning: docker-compose.yml not found for $tool_name" fi done # Restart nginx to apply new configs systemctl restart nginx fi # ============================================================================= # SYSADMIN AGENT (Always deployed) # ============================================================================= echo "[9.5/10] Deploying sysadmin agent..." SYSADMIN_COMPOSE="/opt/letsbe/stacks/sysadmin/docker-compose.yml" if [[ -f "$SYSADMIN_COMPOSE" ]]; then # Check if sysadmin is already running if docker ps --format '{{.Names}}' | grep -q "agent$"; then echo " Sysadmin agent already running, updating..." fi echo " Pulling latest sysadmin agent image..." docker-compose -f "$SYSADMIN_COMPOSE" pull echo " Starting sysadmin agent..." docker-compose -f "$SYSADMIN_COMPOSE" up -d echo " Sysadmin agent deployed successfully." else echo "Warning: Sysadmin docker-compose.yml not found at $SYSADMIN_COMPOSE" fi # ============================================================================= # LOCAL ORCHESTRATOR BOOTSTRAP (License Validation + Agent Registration) # ============================================================================= echo "[9.6/10] Running local orchestrator bootstrap..." BOOTSTRAP_SCRIPT="/opt/letsbe/scripts/local_bootstrap.sh" CREDENTIALS_FILE="/opt/letsbe/env/credentials.env" if [[ -f "$BOOTSTRAP_SCRIPT" && -f "$CREDENTIALS_FILE" ]]; then # Source credentials to get required variables source "$CREDENTIALS_FILE" echo " Validating license and setting up local orchestrator..." echo " Instance ID: ${INSTANCE_ID:-unknown}" echo " Hub URL: ${HUB_URL:-unknown}" # Run bootstrap script with required environment variables HUB_URL="${HUB_URL}" \ LICENSE_KEY="${LICENSE_KEY}" \ INSTANCE_ID="${INSTANCE_ID}" \ ORCHESTRATOR_URL="http://localhost:8100" \ ADMIN_API_KEY="${ADMIN_API_KEY}" \ CUSTOMER="$(echo ${INSTANCE_ID} | sed 's/-orchestrator$//')" \ CREDENTIALS_DIR="/opt/letsbe/env" \ bash "$BOOTSTRAP_SCRIPT" BOOTSTRAP_EXIT=$? if [[ $BOOTSTRAP_EXIT -ne 0 ]]; then echo "" echo "==============================================" echo " BOOTSTRAP FAILED" echo "==============================================" echo "" echo "License validation or agent registration failed." echo "Check the error messages above for details." echo "" echo "Common issues:" echo " - Invalid license_key in config.json" echo " - Network connectivity to Hub (${HUB_URL})" echo " - Instance not registered in LetsBe Hub" echo "" echo "The stack has been deployed but is NOT properly configured." echo "Please fix the issue and re-run: bash /opt/letsbe/scripts/local_bootstrap.sh" echo "==============================================" # Don't exit - let the rest of setup complete, but warn else echo " Bootstrap completed successfully!" echo " Agent should register with local orchestrator within 30 seconds." fi else if [[ ! -f "$BOOTSTRAP_SCRIPT" ]]; then echo "Warning: Bootstrap script not found at $BOOTSTRAP_SCRIPT" fi if [[ ! -f "$CREDENTIALS_FILE" ]]; then echo "Warning: Credentials file not found at $CREDENTIALS_FILE" echo "Run env_setup.sh first to generate credentials." fi fi # Collect domains from deployed tools' nginx configs (for SSL) SSL_DOMAINS=() if [[ ${#DEPLOYED_TOOLS[@]} -gt 0 ]]; then for tool_name in "${DEPLOYED_TOOLS[@]}"; do tool_conf="/etc/nginx/sites-enabled/${tool_name}.conf" if [[ -f "$tool_conf" ]]; then # Extract server_name values (excluding placeholders and _) while IFS= read -r domain; do if [[ -n "$domain" && "$domain" != "_" && ! "$domain" =~ \{\{ ]]; then SSL_DOMAINS+=("$domain") fi done < <(grep -h "server_name" "$tool_conf" 2>/dev/null | awk '{print $2}' | tr -d ';' | sort -u) fi done fi # ============================================================================= # SSL CERTIFICATE SETUP # ============================================================================= echo "[10/10] Setting up SSL certificates..." # NOTE: Certbot cron disabled - crontab hangs in non-interactive mode # Certbot installs its own systemd timer, so manual cron not needed echo "Certbot renewal handled by systemd timer (certbot.timer)" if [[ "$SKIP_SSL" == "true" ]]; then echo "Skipping SSL setup (--skip-ssl flag set)" elif [[ ${#SSL_DOMAINS[@]} -eq 0 ]]; then echo "No deployed tools with valid domains found." echo "Skipping SSL setup. Either:" echo " - No tools were deployed, or" echo " - Templates not replaced (run env_setup.sh first with --domain parameter)" echo "To manually setup SSL later: certbot --nginx -d yourdomain.com" else # Remove duplicates from SSL_DOMAINS SSL_DOMAINS=($(printf '%s\n' "${SSL_DOMAINS[@]}" | sort -u)) # Add root domain if --root-ssl flag is set if [[ "$ROOT_SSL" == "true" && -n "$DOMAIN" ]]; then # Check if root domain is not already in the list if [[ ! " ${SSL_DOMAINS[*]} " =~ " ${DOMAIN} " ]]; then SSL_DOMAINS+=("$DOMAIN") echo "Including root domain: $DOMAIN" fi fi echo "----" echo "Setting up SSL certificates for deployed tools:" for domain in "${SSL_DOMAINS[@]}"; do echo " - $domain" done echo "" echo "Make sure DNS entries point to this server IP before proceeding." # Derive email from domain parameter or use default if [[ -n "$DOMAIN" ]]; then SSL_EMAIL="administrator@${DOMAIN}" else # Try to extract base domain from first SSL domain FIRST_DOMAIN="${SSL_DOMAINS[0]}" # Extract base domain (remove subdomain) BASE_DOMAIN=$(echo "$FIRST_DOMAIN" | awk -F. '{if(NF>2) print $(NF-1)"."$NF; else print $0}') SSL_EMAIL="administrator@${BASE_DOMAIN}" fi echo "Using email: $SSL_EMAIL" # Build domain arguments for certbot DOMAIN_ARGS="" for domain in "${SSL_DOMAINS[@]}"; do DOMAIN_ARGS="$DOMAIN_ARGS -d $domain" done # Run certbot non-interactively with specific domains sudo certbot --nginx \ --non-interactive \ --agree-tos \ --email "$SSL_EMAIL" \ --redirect \ $DOMAIN_ARGS \ || echo "Certbot completed (some domains may have failed - check DNS)" fi # ============================================================================= # COMPLETION SUMMARY # ============================================================================= echo "" echo "----" echo "Configured domains:" for conf_file in /etc/nginx/sites-enabled/*.conf; do if [[ -f "$conf_file" ]]; then server_names=$(grep -E "^\s*server_name\s+" "$conf_file" 2>/dev/null | awk '{print $2}' | tr -d ';' | sort | uniq) for server_name in $server_names; do if [[ "$server_name" != "_" ]]; then echo " - $server_name ($conf_file)" fi done fi done SERVER_IP=$(curl -4 -s ifconfig.co) echo "" echo "==============================================" echo " LetsBe Server Setup Complete" echo "==============================================" echo "" echo "Server IP: $SERVER_IP" echo "SSH Port: 22022" if [[ -n "$ADMIN_USER" ]]; then echo "SSH User: $ADMIN_USER (key-based auth only)" else echo "SSH User: root (key-based auth only, no admin user configured)" fi echo "" echo "Portainer (if deployed): https://$SERVER_IP:9443" echo "" echo "Important:" echo " - Configure rclone for backups: rclone config" echo " - SSH port changed to 22022" if [[ -n "$ADMIN_USER" ]]; then echo " - User '$ADMIN_USER' has Docker access (key in /home/$ADMIN_USER/.ssh/)" fi echo "" echo "==============================================" # ============================================================================= # MARK SETUP AS COMPLETE (before SSH restart) # ============================================================================= touch /opt/letsbe/.setup_installed echo "Setup marked as complete." # ============================================================================= # RESTART SSH (MUST BE LAST - This will disconnect the session!) # ============================================================================= echo "" echo "Restarting SSH on port 22022... (connection will drop)" if [[ -n "$ADMIN_USER" ]]; then echo "Reconnect with: ssh -i id_ed25519 -p 22022 $ADMIN_USER@$SERVER_IP" else echo "Reconnect with: ssh -p 22022 root@$SERVER_IP" fi echo "" # Small delay to ensure output is sent before disconnect sleep 2 systemctl restart sshd