deploy

#!/usr/bin/env bash
set -eu -o pipefail

github_repository=sgtpep/tuxapp
hostname=tuxapp.org

encrypted_netrc="-----BEGIN PGP MESSAGE-----

hQIMAyeE+8FzL4OJARAAl8dr0Spz833O9LY7YbaNyTZ16g7u6bJHylK2U+NmNLwa
SCvrverA/ziFOKsgyBMXwxH1iP+W+zUOcIQGfh93Zy58tmPSGqoZX6V4PI5GyuGM
Ozfeh+LDhSFm4zfytWzyciwCl6L3fqDK1HDo8w/7rNc0xmuxpwB/W/ffwI/kEQis
lgqLtP0hihm0/MVLt9qO7VTJEqvB5tS72zlEZx62HHZIAphrQpRvmmGze4644aAt
JrVJwF1Yf9snsTRHXx+8r5O2beWKuXvZcjjqJiV2JKOwdSW66BFd3bkcTFeB2HwC
HznCQ4Ps9I3v6u6gXzHgrqHCll18SIrBgrAP0MaC4gyTZJBE1lXF0EHNGtIWWf2w
XD432qc5RrCrSPMiY7ffPzH8a7rfgru5I7Wn7f17VKN3mucWasIihJaLbTWU9suU
gfBVUXUolupo3lkUEE6XJaa0WTa/CPEbxB3fWR8cg4e5+VM37/pQjemcz8eyOcCw
0evBVBS2MhhgHWljyXtaJNOE8RBr3sFDqO8x6yIANkH3DKKDTWyLbeyBJ1uYw1Ms
kE1gnrY5VHTCsc13fXCv4hY8W/Mpz6f/h0UEinJAgoa5+h6s9ICySLdOQTi5khw0
9vRtb2H1WBE2XDnJ2weh7D71nX1BDNHETDCVbU5Cxd6UzeBnm/KYtXfUUtv9vcDS
hwEkrTWRbiAdii7PCOtk5FP5yoOSyAhwJ5mmARTxWiYwR97cENaSkfE1H0mfAqC8
CMmobWQtiZbo+Puj9GUF9JLO28iLdcGyk5/ODkt/6wJsmXlPKyHG5g0NTgYemgtW
UxJuLRgUJTm3GeH4DWoBreciF1EUQ68vdpCTBQmBfCiBuylqMGI/Gw==
=IeOj
-----END PGP MESSAGE-----"

ssh root@"$hostname" bash -eu -o pipefail -"$-" << EOF
! grep -q '^debian:' /etc/passwd || userdel -r debian
grep -q '^$USER:' /etc/passwd || useradd -m -G adm,sudo -c '$(grep -Po "(?<=^$USER:x:$UID:$UID:)[^,]+" /etc/passwd)' -s /bin/bash '$USER'
grep -q '^$USER:[^!]' /etc/shadow || chpasswd -e <<< '$USER:$(ssh root@"$hostname" grep -q "^$USER:[^!]" /etc/shadow || sudo grep -Po "(?<=^$USER:)[^:]+" /etc/shadow)'

echo '%sudo ALL=(ALL) NOPASSWD: ALL' > /etc/sudoers.d/nopasswd

sed -i 's/^mesg /#\0/' ~/.profile

cp -r ~/.ssh /home/'$USER'
chown -R '$USER': /home/'$USER'/.ssh
EOF

( cat << EOF; cat << \EOF2 ) | ssh "$hostname" bash -eu -o pipefail -"$-"
github_repository='$github_repository'
hostname='$hostname'
netrc='$(ssh root@"$hostname" test -f /etc/netrc || gpg -d <(echo "$encrypted_netrc"))'
EOF

[[ -f /etc/netrc ]] || sudo tee /etc/netrc > /dev/null <<< $netrc
sudo chmod o-r /etc/netrc
sudo chown "$USER": /etc/netrc
read _ smtp_hostname _ email _ < /etc/netrc

sudo tee /etc/apt/sources.list > /dev/null << \EOF
deb http://deb.debian.org/debian stretch main
deb http://security.debian.org/ stretch/updates main
EOF

packages=(
  bsd-mailx
  bubblewrap
  certbot
  firejail
  git
  goaccess
  haveged
  htop
  imagemagick
  man-db
  msmtp-mta
  nginx-light
  ranger
  rsync
  sqlite3
  strace
  unattended-upgrades
  xvfb
)
dpkg -s "${packages[@]}" &> /dev/null || sudo DEBIAN_FRONTEND=noninteractive apt install -y "${packages[@]}"

sudo tee /etc/aliases > /dev/null <<< "default: $email"

sudo sed -i 's/^[\/ ]*\(Unattended-Upgrade::Automatic-Reboot\) .*/\1 "true";/' /etc/apt/apt.conf.d/50unattended-upgrades

sudo tee /etc/cron.d/"${github_repository##*/}" > /dev/null <<< "0 */3 * * * $USER ~/${github_repository##*/}/cron 2>&1 | mail -E -r cron@$hostname -s ${github_repository##*/} $USER"

if ! grep -q '^/swap ' /etc/fstab; then
  sudo fallocate -l 512M /swap
  sudo chmod 600 /swap
  sudo mkswap /swap
  sudo swapon /swap
  sudo tee -a /etc/fstab > /dev/null <<< '/swap none swap defaults 0 0'
fi

[[ -d /etc/letsencrypt/live ]] || sudo certbot certonly -d "$hostname" -m "$email" -w /var/www/html --agree-tos --webroot

sudo tee /etc/msmtprc > /dev/null << EOF
account default
  aliases /etc/aliases
  auth on
  from $email
  host $smtp_hostname
  port 587
  tls on
  tls_trust_file /etc/ssl/certs/ca-certificates.crt
  user $email
EOF
sudo chmod o-r /etc/msmtprc
sudo chown "$USER": /etc/msmtprc

checksum=$(md5sum /etc/nginx/sites-enabled/default)
sudo tee /etc/nginx/sites-enabled/default > /dev/null << EOF
server {
  listen 80 default_server;
  listen [::]:80 default_server;
  return 301 https://\$host\$request_uri;
}

server {
  add_header Strict-Transport-Security 'max-age=63072000; includeSubDomains; preload';
  gzip on;
  listen 443 ssl default_server;
  listen [::]:443 ssl default_server;
  root /var/www/html;
  ssl_certificate /etc/letsencrypt/live/$hostname/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/$hostname/privkey.pem;

  location ~ ^/(favicon\.ico|robots\.txt)$ {
    access_log off;
    log_not_found off;
  }
}
EOF
md5sum -c --status <<< $checksum || sudo systemctl restart nginx

sudo chown "$USER": /var/www/html
sudo rm -fr /var/www/html/{.well-known,index.nginx-debian.html}

[[ -d ~/${github_repository##*/} ]] || git -C ~ clone https://github.com/"$github_repository".git
EOF2

ssh root@"$hostname" << EOF
rm /etc/sudoers.d/nopasswd
[[ ! -f /run/reboot-required ]] || reboot
EOF