PrivacyAI/deploy.sh at main · ru-aish/PrivacyAI · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
#!/bin/bash

# Privacy Guardian Gateway Deployment Script
# This script helps deploy the application in various environments

set -e

# Configuration
APP_NAME="privacy-guardian-gateway"
APP_DIR="/opt/${APP_NAME}"
SERVICE_USER="guardian"
PYTHON_VERSION="3.11"

# Colors for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m' # No Color

# Logging function
log() {
    echo -e "${GREEN}[$(date +'%Y-%m-%d %H:%M:%S')] $1${NC}"
}

warn() {
    echo -e "${YELLOW}[$(date +'%Y-%m-%d %H:%M:%S')] WARNING: $1${NC}"
}

error() {
    echo -e "${RED}[$(date +'%Y-%m-%d %H:%M:%S')] ERROR: $1${NC}"
    exit 1
}

# Check if running as root
check_root() {
    if [[ $EUID -eq 0 ]]; then
        error "This script should not be run as root for security reasons"
    fi
}

# Install system dependencies
install_dependencies() {
    log "Installing system dependencies..."

    # Update package list
    sudo apt-get update

    # Install required packages
    sudo apt-get install -y \
        python${PYTHON_VERSION} \
        python${PYTHON_VERSION}-pip \
        python${PYTHON_VERSION}-venv \
        nginx \
        supervisor \
        curl \
        git \
        ufw

    log "System dependencies installed successfully"
}

# Setup application user
setup_user() {
    log "Setting up application user..."

    if ! id "$SERVICE_USER" &>/dev/null; then
        sudo useradd --system --shell /bin/bash --home $APP_DIR $SERVICE_USER
        log "Created user: $SERVICE_USER"
    else
        log "User $SERVICE_USER already exists"
    fi
}

# Setup application directory
setup_directory() {
    log "Setting up application directory..."

    sudo mkdir -p $APP_DIR
    sudo chown $SERVICE_USER:$SERVICE_USER $APP_DIR

    log "Application directory created: $APP_DIR"
}

# Deploy application
deploy_app() {
    log "Deploying application..."

    # Copy application files
    sudo cp -r . $APP_DIR/
    sudo chown -R $SERVICE_USER:$SERVICE_USER $APP_DIR

    # Setup Python virtual environment
    sudo -u $SERVICE_USER python${PYTHON_VERSION} -m venv $APP_DIR/venv
    sudo -u $SERVICE_USER $APP_DIR/venv/bin/pip install --upgrade pip
    sudo -u $SERVICE_USER $APP_DIR/venv/bin/pip install -r $APP_DIR/requirements.txt

    log "Application deployed successfully"
}

# Configure firewall
configure_firewall() {
    log "Configuring firewall..."

    # Enable UFW
    sudo ufw --force enable

    # Allow SSH (important!)
    sudo ufw allow ssh

    # Allow HTTP and HTTPS
    sudo ufw allow 80
    sudo ufw allow 443

    # Allow application port (if different)
    sudo ufw allow 5000

    log "Firewall configured"
}

# Setup Nginx reverse proxy
setup_nginx() {
    log "Setting up Nginx reverse proxy..."

    cat > /tmp/privacy-guardian-nginx.conf << 'EOF'
server {
    listen 80;
    server_name _;

    # Security headers
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

    # Rate limiting
    limit_req_zone $binary_remote_addr zone=api:10m rate=60r/m;

    location / {
        limit_req zone=api burst=20 nodelay;

        proxy_pass http://127.0.0.1:5000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Timeouts
        proxy_connect_timeout 60s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;
    }

    # Health check endpoint
    location /health {
        access_log off;
        proxy_pass http://127.0.0.1:5000/health;
    }
}
EOF

    sudo mv /tmp/privacy-guardian-nginx.conf /etc/nginx/sites-available/$APP_NAME
    sudo ln -sf /etc/nginx/sites-available/$APP_NAME /etc/nginx/sites-enabled/
    sudo rm -f /etc/nginx/sites-enabled/default

    # Test nginx configuration
    sudo nginx -t
    sudo systemctl reload nginx

    log "Nginx configured successfully"
}

# Setup Supervisor for process management
setup_supervisor() {
    log "Setting up Supervisor..."

    cat > /tmp/privacy-guardian-supervisor.conf << EOF
[program:privacy-guardian-gateway]
command=$APP_DIR/venv/bin/gunicorn --config $APP_DIR/gunicorn.conf.py app:app
directory=$APP_DIR
user=$SERVICE_USER
autostart=true
autorestart=true
redirect_stderr=true
stdout_logfile=$APP_DIR/logs/supervisor.log
environment=PATH="$APP_DIR/venv/bin"
EOF

    sudo mv /tmp/privacy-guardian-supervisor.conf /etc/supervisor/conf.d/$APP_NAME.conf
    sudo supervisorctl reread
    sudo supervisorctl update

    log "Supervisor configured successfully"
}

# Setup log rotation
setup_logrotate() {
    log "Setting up log rotation..."

    cat > /tmp/privacy-guardian-logrotate << EOF
$APP_DIR/logs/*.log {
    daily
    missingok
    rotate 30
    compress
    delaycompress
    notifempty
    create 644 $SERVICE_USER $SERVICE_USER
    postrotate
        supervisorctl restart privacy-guardian-gateway
    endscript
}
EOF

    sudo mv /tmp/privacy-guardian-logrotate /etc/logrotate.d/$APP_NAME

    log "Log rotation configured"
}

# Main deployment function
main() {
    log "Starting Privacy Guardian Gateway deployment..."

    case "${1:-full}" in
        "deps")
            install_dependencies
            ;;
        "app")
            setup_user
            setup_directory
            deploy_app
            ;;
        "services")
            setup_nginx
            setup_supervisor
            setup_logrotate
            ;;
        "security")
            configure_firewall
            ;;
        "full")
            check_root
            install_dependencies
            setup_user
            setup_directory
            deploy_app
            configure_firewall
            setup_nginx
            setup_supervisor
            setup_logrotate
            ;;
        *)
            error "Usage: $0 {deps|app|services|security|full}"
            ;;
    esac

    log "Deployment completed successfully!"
    log "Application should be available at: http://$(hostname -I | awk '{print $1}')"
    log "Check status with: sudo supervisorctl status privacy-guardian-gateway"
}

# Run main function
main "$@"