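#!/bin/bash
#
# Interactive setup: asks for ports, bind address and public domain, generates
# three secrets, and writes two files into the current directory:
#   .env       - ports, domain and secrets
#   Caddyfile  - security headers and reverse-proxy routes for the domain
#
# Both files are truncated and rewritten on every run, and new secrets are
# generated each time.
# NOTE(review): services that already persisted the old secrets (for example an
# initialised Postgres volume) would presumably no longer match - confirm
# before re-running on a live instance.

# Print a message on stderr and stop with a failure status.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Ask for a value and fall back to a default on an empty reply.
# Arguments: $1 - variable name shown in the prompt, $2 - default value
# Outputs:   the chosen value on stdout (bash writes the prompt to stderr)
prompt_with_default() {
  local label=$1 default=$2 reply=
  # -r keeps backslashes literal; EOF on stdin is treated as an empty reply.
  read -r -p "Enter ${label} [${default}]: " reply || true
  printf '%s\n' "${reply:-$default}"
}

# Succeed only for a decimal TCP port in 1..65535.
is_valid_port() {
  local value=$1
  # 10# forces base 10 so a leading zero is not parsed as octal.
  [[ $value =~ ^[0-9]{1,5}$ ]] && ((10#$value >= 1 && 10#$value <= 65535))
}

# Produce one secret with uuidgen; fail instead of returning an empty string.
generate_secret() {
  local value
  value=$(uuidgen) || return 1
  [[ -n $value ]] || return 1
  printf '%s\n' "$value"
}

# Prompt for ports with defaults
AUTH_PORT=$(prompt_with_default AUTHENTICATION_SERVER_PORT 3001)
CLIENT_PORT=$(prompt_with_default CLIENT_PORT 3000)
HASURA_PORT=$(prompt_with_default HASURA_PORT 8080)
POSTGRES_PORT=$(prompt_with_default POSTGRES_PORT 5432)
DOCKER_HOST_IP=$(prompt_with_default DOCKER_HOST_IP 127.0.0.1)

# The answers are pasted unescaped into .env and the Caddyfile, so anything
# that is not a plain port number would silently change the generated config.
for port_name in AUTH_PORT CLIENT_PORT HASURA_PORT POSTGRES_PORT; do
  is_valid_port "${!port_name}" \
    || die "Error: ${port_name} must be a number between 1 and 65535."
done

# Accepts IPv4, bare IPv6 and host names; rejects whitespace, quotes and
# anything else that would break the KEY=value line in .env.
[[ $DOCKER_HOST_IP =~ ^[0-9A-Za-z.:-]+$ ]] \
  || die "Error: DOCKER_HOST_IP contains unexpected characters."

# Prompt for the domain without default, required input
read -r -p "Enter the DOMAIN of your instance. Do not include the https://: " DOMAIN || true
if [[ -z $DOMAIN ]]; then
  die "Error: DOMAIN is required."
fi

# DOMAIN becomes the Caddy site address and opens the site block; a scheme,
# path, space or brace here would change the structure of the whole Caddyfile.
domain_pattern='^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?(:[0-9]{1,5})?$'
[[ $DOMAIN =~ $domain_pattern ]] \
  || die "Error: DOMAIN must be a bare host name (optionally host:port), without scheme or path."

# Generate UUIDs
# Without this check a missing or failing uuidgen would leave the admin
# secret, the JWT signing key and the database password empty in .env.
command -v uuidgen >/dev/null 2>&1 \
  || die "Error: uuidgen is required to generate secrets but was not found."
JWT_SECRET=$(generate_secret) || die "Error: could not generate JWT_SECRET."
HASURA_ADMIN_SECRET=$(generate_secret) || die "Error: could not generate HASURA_ADMIN_SECRET."
POSTGRES_PASSWORD=$(generate_secret) || die "Error: could not generate POSTGRES_PASSWORD."
# NOTE(review): a random (version 4) UUID carries 122 random bits, but whether
# uuidgen emits random or time-based UUIDs depends on the implementation and
# platform - confirm it is random on the target hosts, or switch these three
# values to a CSPRNG-backed generator.

# Write to .env file
# The file holds every secret, so it is created under a restrictive umask in a
# subshell (the Caddyfile keeps the caller's umask) and then chmod'ed, which
# also tightens a pre-existing .env whose mode a plain '>' would have kept.
# Inside an unquoted heredoc the single quotes on the JWT line are literal
# characters, so $JWT_SECRET is still expanded there.
(
  umask 077
  cat <<EOF > .env
AUTHENTICATION_SERVER_PORT=$AUTH_PORT
CLIENT_PORT=$CLIENT_PORT
DOCKER_HOST_IP=$DOCKER_HOST_IP
DOMAIN=$DOMAIN
HASURA_GRAPHQL_ADMIN_SECRET=$HASURA_ADMIN_SECRET
HASURA_GRAPHQL_JWT_SECRET='{"type":"HS256","key":"$JWT_SECRET"}'
HASURA_PORT=$HASURA_PORT
JWT_SIGNING_SECRET=$JWT_SECRET
POSTGRES_PASSWORD=$POSTGRES_PASSWORD
POSTGRES_PORT=$POSTGRES_PORT
EOF
) || die "Error: could not write .env."
chmod 600 .env || die "Error: could not restrict permissions on .env."

# Write the Caddyfile.
# - The first header block applies the response security headers to every path.
# - The /console* header block removes Content-Security-Policy again for the
#   Hasura console, so those pages are served without any CSP.
# - Every reverse_proxy drops a client-supplied X-Hasura-Role request header
#   before forwarding; other X-Hasura-* request headers are passed through.
# NOTE(review): /console* and the /v1* and /v2* APIs are reachable on the
# public domain; what protects them is decided by the Hasura settings, not by
# this file - confirm that exposure is intended, or restrict /console* to
# trusted networks.
cat <<EOF > Caddyfile || die "Error: could not write Caddyfile."
$DOMAIN {
  header /* {
    Referrer-Policy "strict-origin"
    Strict-Transport-Security "max-age=31536000; includeSubDomains;"
    X-Content-Type-Options "nosniff"
    X-Frame-Options "DENY"
    X-XSS-Protection "0"
    Content-Security-Policy "default-src 'self'; script-src 'self' 'wasm-unsafe-eval' https://apis.google.com https://www.google.com https://www.gstatic.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; connect-src 'self' *.ingest.sentry.io https://identitytoolkit.googleapis.com https://securetoken.googleapis.com https://apis.google.com https://world.openfoodfacts.org; frame-src 'self' *.firebaseapp.com https://www.google.com; img-src 'self' https://www.gstatic.com data:; font-src 'self' https://fonts.gstatic.com https://fonts.googleapis.com; worker-src 'self'; object-src 'none';"
    Permissions-Policy "accelerometer=(self), autoplay=(self), camera=(self), cross-origin-isolated=(self), display-capture=(self), encrypted-media=(self), fullscreen=(self), geolocation=(self), gyroscope=(self), keyboard-map=(self), magnetometer=(self), microphone=(self), midi=(self), payment=(self), picture-in-picture=(self), publickey-credentials-get=(self), screen-wake-lock=(self), sync-xhr=(self), usb=(self), xr-spatial-tracking=(self)"
  }
  header /console* {
    -Content-Security-Policy
  }
  route /v1* {
    # API (Hasura)
    reverse_proxy localhost:$HASURA_PORT {
      header_up -X-Hasura-Role
    }
  }
  route /v2* {
    # API (Hasura)
    reverse_proxy localhost:$HASURA_PORT {
      header_up -X-Hasura-Role
    }
  }
  route /console* {
    # Admin panel (Hasura)
    reverse_proxy localhost:$HASURA_PORT {
      header_up -X-Hasura-Role
    }
  }
  route /healthz {
    # Health check (Hasura)
    reverse_proxy localhost:$HASURA_PORT {
      header_up -X-Hasura-Role
    }
  }
  route /auth* {
    # Authentication server (Express.js)
    reverse_proxy localhost:$AUTH_PORT {
      header_up -X-Hasura-Role
    }
  }
  route /* {
    # Static files (Client)
    reverse_proxy localhost:$CLIENT_PORT {
      header_up -X-Hasura-Role
    }
  }
}
EOF
echo ".env file and Caddyfile generated!"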