alee/vigilar
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
ebcc49b474
vigilar/remote/setup_droplet.sh
Aaron D. Lee 845a85d618 Initial commit: Vigilar DIY home security system 
Phase 1 (Foundation): project skeleton, TOML config + Pydantic validation,
MQTT bus wrapper, SQLite schema (9 tables), Click CLI, process supervisor.

Phase 2 (Camera): RTSP capture via OpenCV, MOG2 motion detection with
configurable sensitivity/zones, adaptive FPS recording (2fps idle/30fps
motion) via FFmpeg subprocess, HLS live streaming, pre-motion ring buffer.

Phase 3 (Web UI): Flask + Bootstrap 5 dark theme, 6 blueprints, Jinja2
templates (dashboard, kiosk 2x2 grid, events, sensors, recordings, settings),
PWA with service worker + Web Push, full admin settings UI with config
persistence.

Remote Access: WireGuard tunnel configs, nginx reverse proxy with HLS
caching + rate limiting, bandwidth-optimized remote HLS stream (426x240
@ 500kbps), DO droplet setup script, certbot TLS.

29 tests passing.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-02 23:11:27 -04:00

188 lines
5.2 KiB
Bash
Executable File
Raw Blame History

#!/usr/bin/env bash
# Full setup script for Digital Ocean droplet as Vigilar reverse proxy
# Run this on a fresh Ubuntu 24.04 LTS droplet.
#
# What it does:
# 1. Installs WireGuard, nginx, certbot
# 2. Configures WireGuard tunnel (interactive key exchange)
# 3. Deploys nginx reverse proxy config
# 4. Sets up TLS with Let's Encrypt
# 5. Configures firewall
set -euo pipefail
echo "============================================"
echo " Vigilar — Droplet Reverse Proxy Setup"
echo "============================================"
echo ""
# Require root
if [[ $EUID -ne 0 ]]; then
echo "Run as root: sudo bash setup_droplet.sh"
exit 1
fi
# --- Step 1: Install packages ---
echo "[1/6] Installing packages..."
apt update
apt install -y wireguard nginx certbot python3-certbot-nginx ufw
# --- Step 2: WireGuard ---
echo ""
echo "[2/6] Setting up WireGuard..."
if [[ -f /etc/wireguard/wg0.conf ]]; then
echo " WireGuard already configured. Skipping."
else
# Generate keys
PRIV_KEY=$(wg genkey)
PUB_KEY=$(echo "$PRIV_KEY" | wg pubkey)
echo ""
echo " Droplet PUBLIC key (give this to your home server):"
echo " $PUB_KEY"
echo ""
read -p " Enter home server's PUBLIC key: " HOME_PUB_KEY
cat > /etc/wireguard/wg0.conf <<EOF
[Interface]
Address = 10.99.0.1/32
ListenPort = 51820
PrivateKey = $PRIV_KEY
[Peer]
PublicKey = $HOME_PUB_KEY
AllowedIPs = 10.99.0.2/32
EOF
chmod 600 /etc/wireguard/wg0.conf
systemctl enable --now wg-quick@wg0
echo " WireGuard started. Tunnel IP: 10.99.0.1"
fi
# --- Step 3: Firewall ---
echo ""
echo "[3/6] Configuring firewall..."
ufw --force reset
ufw default deny incoming
ufw default allow outgoing
ufw allow 22/tcp # SSH
ufw allow 80/tcp # HTTP (certbot + redirect)
ufw allow 443/tcp # HTTPS
ufw allow 51820/udp # WireGuard
ufw --force enable
echo " Firewall configured."
# --- Step 4: Nginx ---
echo ""
echo "[4/6] Configuring nginx..."
read -p " Enter your domain (e.g., vigilar.yourdomain.com): " DOMAIN
# Create cache directory
mkdir -p /var/cache/nginx/vigilar_hls
# Deploy config
NGINX_CONF="/etc/nginx/sites-available/vigilar"
if [[ -f "$NGINX_CONF" ]]; then
cp "$NGINX_CONF" "${NGINX_CONF}.bak.$(date +%s)"
fi
# Copy template and replace domain
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
if [[ -f "$SCRIPT_DIR/nginx/vigilar.conf" ]]; then
sed "s/vigilar.yourdomain.com/$DOMAIN/g" "$SCRIPT_DIR/nginx/vigilar.conf" > "$NGINX_CONF"
else
echo " ERROR: nginx/vigilar.conf not found in $SCRIPT_DIR"
echo " Copy it manually to /etc/nginx/sites-available/vigilar"
exit 1
fi
# Enable site
ln -sf "$NGINX_CONF" /etc/nginx/sites-enabled/vigilar
rm -f /etc/nginx/sites-enabled/default
# Test config (will fail on TLS certs — that's OK, certbot fixes it)
echo " Testing nginx config (cert errors expected before certbot)..."
nginx -t 2>/dev/null || true
# --- Step 5: TLS with Let's Encrypt ---
echo ""
echo "[5/6] Setting up TLS..."
echo " Running certbot for $DOMAIN"
echo " Note: DNS must already point $DOMAIN to this droplet's IP."
echo ""
# Temporarily remove SSL directives so nginx starts
# Create a minimal config for certbot
cat > /etc/nginx/sites-available/vigilar-temp <<EOF
server {
listen 80;
server_name $DOMAIN;
location / {
proxy_pass http://10.99.0.2:49735;
}
}
EOF
ln -sf /etc/nginx/sites-available/vigilar-temp /etc/nginx/sites-enabled/vigilar-temp
rm -f /etc/nginx/sites-enabled/vigilar
nginx -t && systemctl reload nginx
# Run certbot
certbot --nginx -d "$DOMAIN" --non-interactive --agree-tos --register-unsafely-without-email || {
echo ""
echo " Certbot failed. Make sure DNS for $DOMAIN points to this server."
echo " You can retry manually: certbot --nginx -d $DOMAIN"
}
# Remove temp config, restore full config
rm -f /etc/nginx/sites-enabled/vigilar-temp /etc/nginx/sites-available/vigilar-temp
ln -sf "$NGINX_CONF" /etc/nginx/sites-enabled/vigilar
# Update the config with certbot's cert paths
sed -i "s|ssl_certificate .*|ssl_certificate /etc/letsencrypt/live/$DOMAIN/fullchain.pem;|" "$NGINX_CONF"
sed -i "s|ssl_certificate_key .*|ssl_certificate_key /etc/letsencrypt/live/$DOMAIN/privkey.pem;|" "$NGINX_CONF"
nginx -t && systemctl reload nginx
# --- Step 6: Verify ---
echo ""
echo "[6/6] Verifying setup..."
echo ""
# Check WireGuard
if wg show wg0 &>/dev/null; then
echo " [OK] WireGuard interface wg0 is up"
else
echo " [!!] WireGuard not running"
fi
# Check nginx
if systemctl is-active --quiet nginx; then
echo " [OK] nginx is running"
else
echo " [!!] nginx is not running"
fi
# Check cert
if [[ -f "/etc/letsencrypt/live/$DOMAIN/fullchain.pem" ]]; then
echo " [OK] TLS certificate present"
else
echo " [!!] TLS certificate missing — run certbot manually"
fi
echo ""
echo "============================================"
echo " Setup complete!"
echo ""
echo " Droplet WireGuard IP: 10.99.0.1"
echo " Home server should be: 10.99.0.2"
echo " Web URL: https://$DOMAIN"
echo ""
echo " Next steps:"
echo " 1. Configure WireGuard on your home server"
echo " 2. Test: ping 10.99.0.2 (from this droplet)"
echo " 3. Start Vigilar on home server"
echo " 4. Access https://$DOMAIN"
echo "============================================"
Reference in New Issue View Git Blame Copy Permalink