291 lines
		
	
	
		
			7.7 KiB
		
	
	
	
		
			Bash
		
	
	
	
	
	
			
		
		
	
	
			291 lines
		
	
	
		
			7.7 KiB
		
	
	
	
		
			Bash
		
	
	
	
	
	
| #!/usr/bin/env bash
 | |
| 
 | |
| # Copyright (c) 2021-2025 community-scripts ORG
 | |
| # Author: vhsdream
 | |
| # License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
 | |
| # Source: https://github.com/PatcMmon/PatchMon
 | |
| 
 | |
| source /dev/stdin <<<"$FUNCTIONS_FILE_PATH"
 | |
| color
 | |
| verb_ip6
 | |
| catch_errors
 | |
| setting_up_container
 | |
| network_check
 | |
| update_os
 | |
| 
 | |
| msg_info "Installing Dependencies"
 | |
| $STD apt install -y \
 | |
|   build-essential \
 | |
|   gcc \
 | |
|   nginx \
 | |
|   redis-server
 | |
| msg_ok "Installed Dependencies"
 | |
| 
 | |
| NODE_VERSION="22" setup_nodejs
 | |
| PG_VERSION="17" setup_postgresql
 | |
| 
 | |
| msg_info "Creating PostgreSQL Database"
 | |
| DB_NAME=patchmon_db
 | |
| DB_USER=patchmon_usr
 | |
| DB_PASS="$(openssl rand -base64 18 | tr -dc 'a-zA-Z0-9' | cut -c1-13)"
 | |
| $STD sudo -u postgres psql -c "CREATE ROLE $DB_USER WITH LOGIN PASSWORD '$DB_PASS';"
 | |
| $STD sudo -u postgres psql -c "CREATE DATABASE $DB_NAME WITH OWNER $DB_USER ENCODING 'UTF8' TEMPLATE template0;"
 | |
| $STD sudo -u postgres psql -c "ALTER ROLE $DB_USER SET client_encoding TO 'utf8';"
 | |
| $STD sudo -u postgres psql -c "GRANT ALL PRIVILEGES ON DATABASE $DB_NAME TO $DB_USER;"
 | |
| 
 | |
| cat <<EOF >~/patchmon.creds
 | |
| PatchMon Credentials
 | |
| PatchMon Database Name: $DB_NAME
 | |
| PatchMon Database User: $DB_USER
 | |
| PatchMon Database Password: $DB_PASS
 | |
| EOF
 | |
| msg_ok "Created PostgreSQL Database"
 | |
| 
 | |
| fetch_and_deploy_gh_release "PatchMon" "PatchMon/PatchMon" "tarball" "latest" "/opt/patchmon"
 | |
| 
 | |
| msg_info "Configuring PatchMon"
 | |
| cd /opt/patchmon
 | |
| export NODE_ENV=production
 | |
| export NPM_CONFIG_CACHE=/opt/patchmon/.npm
 | |
| export NPM_CONFIG_PREFIX=/opt/patchmon/.npm-global
 | |
| export NPM_CONFIG_TMP=/opt/patchmon/.npm/tmp
 | |
| $STD npm install --omit=dev --no-audit --no-fund --no-save --ignore-scripts
 | |
| cd /opt/patchmon/backend
 | |
| $STD npm install --omit=dev --no-audit --no-fund --no-save --ignore-scripts
 | |
| cd /opt/patchmon/frontend
 | |
| export npm_config_production=false
 | |
| $STD npm install --no-audit --no-fund --no-save
 | |
| $STD npm run build
 | |
| msg_ok "Configured PatchMon"
 | |
| 
 | |
| msg_info "Creating env files"
 | |
| JWT_SECRET="$(openssl rand -base64 64 | tr -d "=+/" | cut -c1-50)"
 | |
| LOCAL_IP="$(hostname -I | awk '{print $1}')"
 | |
| cat <<EOF >/opt/patchmon/backend/.env
 | |
| # Database Configuration
 | |
| DATABASE_URL="postgresql://$DB_USER:$DB_PASS@localhost:5432/$DB_NAME"
 | |
| PY_THRESHOLD=3M_DB_CONN_MAX_ATTEMPTS=30
 | |
| PM_DB_CONN_WAIT_INTERVAL=2
 | |
| 
 | |
| # JWT Configuration
 | |
| JWT_SECRET="$JWT_SECRET"
 | |
| JWT_EXPIRES_IN=1h
 | |
| JWT_REFRESH_EXPIRES_IN=7d
 | |
| 
 | |
| # Server Configuration
 | |
| PORT=3399
 | |
| NODE_ENV=production
 | |
| 
 | |
| # API Configuration
 | |
| API_VERSION=v1
 | |
| 
 | |
| # CORS Configuration
 | |
| CORS_ORIGIN="http://$LOCAL_IP"
 | |
| 
 | |
| # Session Configuration
 | |
| SESSION_INACTIVITY_TIMEOUT_MINUTES=30
 | |
| 
 | |
| # User Configuration
 | |
| DEFAULT_USER_ROLE=user
 | |
| 
 | |
| # Rate Limiting (times in milliseconds)
 | |
| RATE_LIMIT_WINDOW_MS=900000
 | |
| RATE_LIMIT_MAX=5000
 | |
| AUTH_RATE_LIMIT_WINDOW_MS=600000
 | |
| AUTH_RATE_LIMIT_MAX=500
 | |
| AGENT_RATE_LIMIT_WINDOW_MS=60000
 | |
| AGENT_RATE_LIMIT_MAX=1000
 | |
| 
 | |
| # Redis Configuration
 | |
| REDIS_HOST=localhost
 | |
| REDIS_PORT=6379
 | |
| 
 | |
| # Logging
 | |
| LOG_LEVEL=info
 | |
| ENABLE_LOGGING=true
 | |
| 
 | |
| # TFA Configuration
 | |
| TFA_REMEMBER_ME_EXPIRES_IN=30d
 | |
| TFA_MAX_REMEMBER_SESSIONS=5
 | |
| TFA_SUSPICIOUS_ACTIVITY_THRESHOLD=3
 | |
| EOF
 | |
| 
 | |
| cat <<EOF >/opt/patchmon/frontend/.env
 | |
| VITE_API_URL=http://$LOCAL_IP/api/v1
 | |
| VITE_APP_NAME=PatchMon
 | |
| VITE_APP_VERSION=1.3.0
 | |
| EOF
 | |
| msg_ok "Created env files"
 | |
| 
 | |
| msg_info "Running database migrations"
 | |
| cd /opt/patchmon/backend
 | |
| $STD npx prisma migrate deploy
 | |
| $STD npx prisma generate
 | |
| msg_ok "Database migrations complete"
 | |
| 
 | |
| msg_info "Configuring Nginx"
 | |
| cat <<EOF >/etc/nginx/sites-available/patchmon.conf
 | |
| server {
 | |
|     listen 80;
 | |
|     server_name $LOCAL_IP;
 | |
| 
 | |
|     # Security headers
 | |
|     add_header X-Frame-Options DENY always;
 | |
|     add_header X-Content-Type-Options nosniff always;
 | |
|     add_header X-XSS-Protection "1; mode=block" always;
 | |
|     add_header Referrer-Policy "strict-origin-when-cross-origin" always;
 | |
| 
 | |
|     # Frontend
 | |
|     location / {
 | |
|         root /opt/patchmon/frontend/dist;
 | |
|         try_files \$uri \$uri/ /index.html;
 | |
|     }
 | |
| 
 | |
|     # Bull Board proxy
 | |
|     location /bullboard {
 | |
|         proxy_pass http://127.0.0.1:3399;
 | |
|         proxy_http_version 1.1;
 | |
|         proxy_set_header Upgrade \$http_upgrade;
 | |
|         proxy_set_header Connection 'upgrade';
 | |
|         proxy_set_header Host \$host;
 | |
|         proxy_set_header X-Real-IP \$remote_addr;
 | |
|         proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
 | |
|         proxy_set_header X-Forwarded-Proto \$scheme;
 | |
|         proxy_set_header X-Forwarded-Host \$host;
 | |
|         proxy_set_header Cookie \$http_cookie;
 | |
|         proxy_cache_bypass \$http_upgrade;
 | |
|         proxy_read_timeout 300s;
 | |
|         proxy_connect_timeout 75s;
 | |
| 
 | |
|         # Enable cookie passthrough
 | |
|         proxy_pass_header Set-Cookie;
 | |
|         proxy_cookie_path / /;
 | |
| 
 | |
|         # Preserve original client IP
 | |
|         proxy_set_header X-Original-Forwarded-For \$http_x_forwarded_for;
 | |
|         if (\$request_method = 'OPTIONS') {
 | |
|             return 204;
 | |
|         }
 | |
|     }
 | |
| 
 | |
|     # API proxy
 | |
|     location /api/ {
 | |
|         proxy_pass http://127.0.0.1:3399;
 | |
|         proxy_http_version 1.1;
 | |
|         proxy_set_header Upgrade \$http_upgrade;
 | |
|         proxy_set_header Connection 'upgrade';
 | |
|         proxy_set_header Host \$host;
 | |
|         proxy_set_header X-Real-IP \$remote_addr;
 | |
|         proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
 | |
|         proxy_set_header X-Forwarded-Proto \$scheme;
 | |
|         proxy_cache_bypass \$http_upgrade;
 | |
|         proxy_read_timeout 300s;
 | |
|         proxy_connect_timeout 75s;
 | |
| 
 | |
|         # Preserve original client IP
 | |
|         proxy_set_header X-Original-Forwarded-For \$http_x_forwarded_for;
 | |
|         if (\$request_method = 'OPTIONS') {
 | |
|             return 204;
 | |
|         }
 | |
|     }
 | |
| 
 | |
|     # Static assets caching (exclude Bull Board assets)
 | |
|     location ~* ^/(?!bullboard).*\.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
 | |
|         root /opt/patchmon/frontend/dist;
 | |
|         expires 1y;
 | |
|         add_header Cache-Control "public, immutable";
 | |
|     }
 | |
| 
 | |
|     # Health check endpoint
 | |
|     location /health {
 | |
|         proxy_pass http://127.0.0.1:3399/health;
 | |
|         access_log off;
 | |
|     }
 | |
| }
 | |
| EOF
 | |
| ln -sf /etc/nginx/sites-available/patchmon.conf /etc/nginx/sites-enabled/
 | |
| rm -f /etc/nginx/sites-enabled/default
 | |
| $STD nginx -t
 | |
| systemctl restart nginx
 | |
| msg_ok "Configured Nginx"
 | |
| 
 | |
| msg_info "Creating service"
 | |
| cat <<EOF >/etc/systemd/system/patchmon-server.service
 | |
| [Unit]
 | |
| Description=PatchMon Service
 | |
| After=network.target postgresql.service
 | |
| 
 | |
| [Service]
 | |
| Type=simple
 | |
| WorkingDirectory=/opt/patchmon/backend
 | |
| ExecStart=/usr/bin/node src/server.js
 | |
| Restart=always
 | |
| RestartSec=10
 | |
| Environment=NODE_ENV=production
 | |
| Environment=PATH=/usr/bin:/usr/local/bin
 | |
| NoNewPrivileges=true
 | |
| PrivateTmp=true
 | |
| ProtectSystem=strict
 | |
| ProtectHome=true
 | |
| ReadWritePaths=/opt/patchmon
 | |
| 
 | |
| [Install]
 | |
| WantedBy=multi-user.target
 | |
| EOF
 | |
| systemctl enable -q --now patchmon-server
 | |
| msg_ok "Created and started service"
 | |
| 
 | |
| msg_info "Populating server settings in DB"
 | |
| cat <<EOF >/opt/patchmon/backend/update-settings.js
 | |
| const { PrismaClient } = require('@prisma/client');
 | |
| const prisma = new PrismaClient();
 | |
| 
 | |
| async function updateSettings() {
 | |
|   try {
 | |
|     const settingsData = {
 | |
|       server_url: 'http://$LOCAL_IP',
 | |
|       server_protocol: 'http',
 | |
|       server_host: '$LOCAL_IP',
 | |
|       server_port: 3399,
 | |
|       update_interval: 60,
 | |
|       auto_update: true
 | |
|     };
 | |
| 
 | |
|   if (existingSettings) {
 | |
|     // Update existing settings
 | |
|     await prisma.settings.update({
 | |
|       where: { id: existingSettings.id },
 | |
|       data: settingsData
 | |
|     });
 | |
|   } else {
 | |
|     // Create new settings record
 | |
|     await prisma.settings.create({
 | |
|       data: settingsData
 | |
|     });
 | |
|   }
 | |
| 
 | |
|   console.log('✅ Database settings updated successfully');
 | |
|   } catch (error) {
 | |
|     console.error('❌ Error updating settings:', error.message);
 | |
|     process.exit(1);
 | |
|   } finally {
 | |
|     await prisma.\$disconnect();
 | |
|   }
 | |
| }
 | |
| 
 | |
| updateSettings();
 | |
| EOF
 | |
| 
 | |
| cd /opt/patchmon/backend
 | |
| $STD node update-settings.js
 | |
| msg_ok "Server settings populated successfully"
 | |
| 
 | |
| motd_ssh
 | |
| customize
 | |
| 
 | |
| msg_info "Cleaning up"
 | |
| $STD apt -y autoremove
 | |
| $STD apt -y autoclean
 | |
| $STD apt -y clean
 | |
| msg_ok "Cleaned"
 |