vigilar/scripts/install.sh
Aaron D. Lee ebcc49b474 Add kiosk setup and deployment scripts (Phases 5 + 9)
Phase 5 — RPi Kiosk:
- setup_kiosk.sh: full RPi OS Lite setup (X11, Chromium kiosk mode,
  auto-login, DPMS disabled, GPU memory split, screen rotation)
- kiosk.service: systemd unit for reliable auto-start
- update_kiosk.sh: reconfigure URL/rotation/resolution without re-setup
- Handles both Bullseye and Bookworm RPi OS versions

Phase 9 — Hardening + Deployment:
- install.sh: full server setup (apt/pacman, vigilar user, venv,
  directories, permissions, mosquitto config, systemd units)
- gen_cert.sh: TLS cert via mkcert or openssl fallback
- gen_vapid_keys.sh: VAPID keys for Web Push notifications
- setup_nut.sh: NUT configuration with USB UPS auto-detection
- backup.sh: SQLite snapshot + config archive, cron-ready
- uninstall.sh: clean removal with data preservation option
- vigilar.service: hardened systemd unit (ProtectSystem, NoNewPrivileges,
  PrivateTmp, syscall filtering)
- vigilar-mosquitto.conf: localhost-only MQTT broker config

All scripts idempotent, bash -n validated, support Debian + Arch.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-02 23:25:03 -04:00

#!/usr/bin/env bash
set -euo pipefail
# Vigilar Home Security — Installation Script
# Supports Debian/Ubuntu (apt) and Arch Linux (pacman).
# Unprivileged account the daemon runs as; the group is what config/certs are made
# group-readable to (see create_directories / install_config).
VIGILAR_USER="vigilar"
VIGILAR_GROUP="vigilar"
# Code and the Python venv, owned by the service user.
INSTALL_DIR="/opt/vigilar"
VENV_DIR="${INSTALL_DIR}/venv"
# Config tree: vigilar.toml, secrets/ (root-only) and certs/ (root:vigilar).
CONFIG_DIR="/etc/vigilar"
# Runtime data: data/, recordings/, hls/ — owned by the service user.
DATA_DIR="/var/vigilar"
SYSTEMD_DIR="/etc/systemd/system"
# Drop-in directory for the broker config. NOTE(review): the drop-in is only loaded if
# the distro's mosquitto.conf has an 'include_dir' for this path — confirm on both distros.
MOSQUITTO_CONF_DIR="/etc/mosquitto/conf.d"
# Resolved from the script's own location so the installer works from any cwd;
# PROJECT_DIR is the repository root (scripts/ sits directly below it).
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_DIR="$(dirname "$SCRIPT_DIR")"
# ---------------------------------------------------------------------------
# Helpers
# ---------------------------------------------------------------------------
info() {
  # Print an informational line to stdout with a bold blue "[INFO]" tag.
  local tag=$'\033[1;34m[INFO]\033[0m'
  printf '%s %s\n' "$tag" "$*"
}
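warn() {
  # Print a warning with a bold yellow "[WARN]" tag. Sent to stderr, like fail(), so a
  # warning is never mixed into stdout that a caller may capture with $(...).
  printf '\033[1;33m[WARN]\033[0m %s\n' "$*" >&2
}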
ok() {
  # Print a success line to stdout with a bold green "[ OK ]" tag.
  local tag=$'\033[1;32m[ OK ]\033[0m'
  printf '%s %s\n' "$tag" "$*"
}
fail() {
  # Print a bold red "[FAIL]" line to stderr and abort the installer with status 1.
  local message="$*"
  printf '\033[1;31m[FAIL]\033[0m %s\n' "$message" 1>&2
  exit 1
}
need_cmd() {
  # Abort via fail() unless "$1" resolves (builtin, function or executable on PATH).
  local wanted="$1"
  if ! command -v "$wanted" >/dev/null 2>&1; then
    fail "Required command not found: ${wanted}"
  fi
}
detect_pkg_manager() {
  # Print "apt" or "pacman" on stdout; apt wins when both are present.
  # Anything else aborts the installer via fail().
  if command -v apt-get >/dev/null 2>&1; then
    printf '%s\n' apt
    return 0
  fi
  if command -v pacman >/dev/null 2>&1; then
    printf '%s\n' pacman
    return 0
  fi
  fail "Unsupported package manager. This script supports apt (Debian/Ubuntu) and pacman (Arch)."
}
# ---------------------------------------------------------------------------
# 1. System dependencies
# ---------------------------------------------------------------------------
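install_system_deps() {
  # Install the runtime dependencies with the distro's package manager.
  # Aborts (through detect_pkg_manager → fail) on anything other than apt or pacman.
  local pkg_mgr
  pkg_mgr="$(detect_pkg_manager)"
  info "Detected package manager: ${pkg_mgr}"
  case "$pkg_mgr" in
    apt)
      sudo apt-get update -qq
      # DEBIAN_FRONTEND=noninteractive keeps debconf from prompting during an unattended
      # install; it is passed through env(1) so it does not rely on sudoers allowing
      # VAR=value on the sudo command line.
      sudo env DEBIAN_FRONTEND=noninteractive apt-get install -y -qq \
        ffmpeg mosquitto python3 python3-venv python3-pip nut-client
      ;;
    pacman)
      # NOTE(review): '-Sy <pkgs>' without '-u' is a partial upgrade, which Arch documents
      # as unsupported; consider '-Syu' here or require an up-to-date system first.
      sudo pacman -Sy --needed --noconfirm \
        ffmpeg mosquitto python python-virtualenv nut
      ;;
  esac
  ok "System dependencies installed"
}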
# ---------------------------------------------------------------------------
# 2. System user & group
# ---------------------------------------------------------------------------
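create_user() {
  # Create the unprivileged service account (and its group) if missing; no-op otherwise.
  if id "$VIGILAR_USER" >/dev/null 2>&1; then
    ok "User '${VIGILAR_USER}' already exists"
    return
  fi
  # Create the group explicitly rather than relying on USERGROUPS_ENAB in login.defs:
  # create_directories() and install_config() chown to ${VIGILAR_GROUP} by name and
  # would fail if useradd did not create it.
  if ! getent group "$VIGILAR_GROUP" >/dev/null; then
    info "Creating system group '${VIGILAR_GROUP}'"
    sudo groupadd --system "$VIGILAR_GROUP"
  fi
  info "Creating system user '${VIGILAR_USER}'"
  # --system does not create a home directory by default, hence the explicit
  # --create-home; create_directories() re-chowns ${INSTALL_DIR} afterwards anyway.
  # NOTE(review): /usr/sbin/nologin is the Debian path — confirm it resolves on Arch.
  sudo useradd --system --gid "$VIGILAR_GROUP" \
    --home-dir "$INSTALL_DIR" --create-home \
    --shell /usr/sbin/nologin "$VIGILAR_USER"
  ok "User '${VIGILAR_USER}' created"
}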
# ---------------------------------------------------------------------------
# 3. Directories & permissions
# ---------------------------------------------------------------------------
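create_directories() {
  # Create the data, config and install trees with least-privilege ownership.
  # Ownership is repaired recursively (cheap, and fixes files left behind by a run under
  # the wrong user), but the mode is applied to the directories only: 'chmod -R 0750'
  # would set the execute bit on every existing recording/database file on a re-run.
  # Files the service creates underneath keep the mode given by its own umask.
  info "Creating directories"
  # Data directories — owned by vigilar
  local -a data_dirs=("$DATA_DIR" "${DATA_DIR}/data" "${DATA_DIR}/recordings" "${DATA_DIR}/hls")
  sudo mkdir -p "${data_dirs[@]}"
  sudo chown -R "${VIGILAR_USER}:${VIGILAR_GROUP}" "$DATA_DIR"
  sudo chmod 0750 "${data_dirs[@]}"
  # Config directories
  sudo mkdir -p "${CONFIG_DIR}/secrets" "${CONFIG_DIR}/certs"
  sudo chown root:root "${CONFIG_DIR}"
  sudo chmod 0755 "${CONFIG_DIR}"
  # Secrets — root-owned, 0700. The service user cannot read this tree directly;
  # NOTE(review): the unit must therefore hand the key to the process (e.g. a systemd
  # credential) — confirm against systemd/vigilar.service, which is not shown here.
  sudo chown root:root "${CONFIG_DIR}/secrets"
  sudo chmod 0700 "${CONFIG_DIR}/secrets"
  # Certs — root-owned, group-readable so the service can load them
  sudo chown root:"${VIGILAR_GROUP}" "${CONFIG_DIR}/certs"
  sudo chmod 0750 "${CONFIG_DIR}/certs"
  # Install dir (may already exist from useradd --create-home)
  sudo mkdir -p "$INSTALL_DIR"
  sudo chown "${VIGILAR_USER}:${VIGILAR_GROUP}" "$INSTALL_DIR"
  ok "Directories created"
}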
# ---------------------------------------------------------------------------
# 4. Python venv & package
# ---------------------------------------------------------------------------
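install_venv() {
  # Create (or reuse) the venv as the service user and install the project into it.
  # 'sudo -H' gives the target user's HOME to pip so its cache goes under ${INSTALL_DIR}
  # instead of the invoking user's home, which '${VIGILAR_USER}' may not be able to write.
  local -a as_vigilar=(sudo -H -u "$VIGILAR_USER")
  # pip runs as the service user, so the checkout must be readable by it; a checkout
  # under a 0700 home directory fails here with an opaque pip error otherwise.
  "${as_vigilar[@]}" test -r "$PROJECT_DIR" \
    || fail "${PROJECT_DIR} is not readable by user '${VIGILAR_USER}' (pip runs as that user)"
  if [[ -d "$VENV_DIR" ]]; then
    info "Venv already exists at ${VENV_DIR}, upgrading"
  else
    info "Creating Python venv at ${VENV_DIR}"
    "${as_vigilar[@]}" python3 -m venv "$VENV_DIR"
  fi
  info "Installing vigilar package into venv"
  # NOTE(review): both installs pull unpinned packages from the configured index; for a
  # security appliance consider pinning with --require-hashes against a lock file.
  "${as_vigilar[@]}" "${VENV_DIR}/bin/pip" install --upgrade pip setuptools wheel -q
  "${as_vigilar[@]}" "${VENV_DIR}/bin/pip" install "${PROJECT_DIR}" -q
  ok "Vigilar installed into ${VENV_DIR}"
}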
# ---------------------------------------------------------------------------
# 5. Storage encryption key
# ---------------------------------------------------------------------------
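generate_storage_key() {
  # Write a 32-byte random key to ${CONFIG_DIR}/secrets/storage.key (root:root 0600), once.
  local key_file="${CONFIG_DIR}/secrets/storage.key"
  if [[ -f "$key_file" ]]; then
    ok "Storage encryption key already exists"
    return
  fi
  info "Generating storage encryption key"
  # umask 077 makes tee create the file 0600 from the start instead of relying on the
  # chmod afterwards (sudo's effective umask is the union of ours and the sudoers umask).
  # head -c yields exactly 32 bytes, whereas 'dd bs=32 count=1' may in principle short-read.
  (umask 077; head -c 32 /dev/urandom | sudo tee "$key_file" >/dev/null)
  sudo chown root:root "$key_file"
  sudo chmod 0600 "$key_file"
  # A truncated key would silently weaken storage encryption, so verify the size.
  [[ "$(sudo stat -c %s "$key_file")" == 32 ]] \
    || fail "Storage key at ${key_file} is not 32 bytes"
  ok "Storage key written to ${key_file}"
}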
# ---------------------------------------------------------------------------
# 6. Sample config
# ---------------------------------------------------------------------------
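install_config() {
  # Install the sample config once. main() tells the operator to put camera RTSP URLs and
  # passwords in this file, so it must not be world-readable: root:${VIGILAR_GROUP} 0640
  # lets the service read it while other local users cannot. install(1) sets owner and
  # mode at creation, avoiding the brief 0644 window of cp-then-chmod.
  local dest="${CONFIG_DIR}/vigilar.toml"
  if [[ -f "$dest" ]]; then
    ok "Config already exists at ${dest}"
    # A previous run may have left it world-readable; strip 'other' access only,
    # leaving owner/group bits as the operator set them.
    sudo chmod o-rwx "$dest"
    return
  fi
  info "Copying sample config"
  sudo install -m 0640 -o root -g "$VIGILAR_GROUP" "${PROJECT_DIR}/config/vigilar.toml" "$dest"
  ok "Config installed to ${dest}"
}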
# ---------------------------------------------------------------------------
# 7. Systemd units
# ---------------------------------------------------------------------------
install_systemd() {
  # Copy the unit into place (overwriting on re-runs), reload systemd and enable it.
  # The service is deliberately not started here; main() lists that as a next step.
  local unit_src="${PROJECT_DIR}/systemd/vigilar.service"
  local unit_dst="${SYSTEMD_DIR}/vigilar.service"
  info "Installing systemd service"
  sudo cp "$unit_src" "$unit_dst"
  sudo chmod 0644 "$unit_dst"
  sudo systemctl daemon-reload
  sudo systemctl enable vigilar.service
  ok "vigilar.service enabled"
}
# ---------------------------------------------------------------------------
# 8. Mosquitto configuration
# ---------------------------------------------------------------------------
configure_mosquitto() {
  # Drop the project's broker config into mosquitto's conf.d and (re)start the broker.
  # NOTE(review): the drop-in only takes effect if the distro's mosquitto.conf has an
  # 'include_dir' for ${MOSQUITTO_CONF_DIR}; verify this on Arch in particular, otherwise
  # the intended localhost-only settings are never loaded.
  local conf_src="${PROJECT_DIR}/systemd/vigilar-mosquitto.conf"
  local conf_dst="${MOSQUITTO_CONF_DIR}/vigilar.conf"
  info "Configuring mosquitto for localhost-only"
  sudo mkdir -p "$MOSQUITTO_CONF_DIR"
  sudo cp "$conf_src" "$conf_dst"
  sudo chmod 0644 "$conf_dst"
  sudo systemctl enable mosquitto.service
  sudo systemctl restart mosquitto.service
  ok "Mosquitto configured and restarted"
}
# ---------------------------------------------------------------------------
# Main
# ---------------------------------------------------------------------------
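main() {
  # Run the installation steps in dependency order, then print a summary and next steps.
  info "=== Vigilar Home Security — Installer ==="
  info "Project dir: ${PROJECT_DIR}"
  echo
  # Every step below escalates through sudo; check it up front so a minimal system
  # fails with a clear message instead of dying mid-install.
  need_cmd sudo
  install_system_deps
  create_user
  create_directories
  install_venv
  generate_storage_key
  install_config
  install_systemd
  configure_mosquitto
  echo
  ok "=== Installation complete ==="
  echo
  info "Summary:"
  info " Service user: ${VIGILAR_USER}"
  info " Venv: ${VENV_DIR}"
  info " Config: ${CONFIG_DIR}/vigilar.toml"
  info " Data: ${DATA_DIR}/"
  info " Secrets: ${CONFIG_DIR}/secrets/"
  info " Systemd unit: ${SYSTEMD_DIR}/vigilar.service"
  echo
  info "Next steps:"
  info " 1. Edit /etc/vigilar/vigilar.toml — set camera RTSP URLs, passwords, etc."
  info " 2. Run: sudo ${SCRIPT_DIR}/gen_cert.sh — generate TLS certs"
  info " 3. Run: sudo ${SCRIPT_DIR}/gen_vapid_keys.sh — generate VAPID keys for push"
  info " 4. Run: sudo ${SCRIPT_DIR}/setup_nut.sh — configure UPS monitoring"
  info " 5. Start: sudo systemctl start vigilar"
  info " 6. Open: https://vigilar.local:49735"
}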
main "$@"