feat: add support for http and style output #22

Author: jchiarulli

cmd/install.go

@@ -22,10 +22,6 @@ var installCmd = &cobra.Command{
 
 		relayDomain, _ := pterm.DefaultInteractiveTextInput.Show("Relay domain name")
 		pterm.Println()
-		pterm.Println(pterm.Yellow("Leave email empty if you don't want to receive notifications from Let's Encrypt about your SSL cert."))
-		pterm.Println()
-		ssl_email, _ := pterm.DefaultInteractiveTextInput.Show("Email address")
-		pterm.Println()
 
 		// Supported relay options
 		options := []string{"Khatru Pyramid", "strfry", "Khatru29", "WoT Relay"}
@@ -62,22 +58,20 @@ var installCmd = &cobra.Command{
 			khatru_pyramid.ConfigureNginxHttp(relayDomain)
 
 			// Step 4: Get SSL certificates
-			var shouldContinue = network.GetCertificates(relayDomain, ssl_email)
-			if !shouldContinue {
-				return
+			var httpsEnabled = network.GetCertificates(relayDomain)
+			if httpsEnabled {
+				// Step 5: Configure Nginx for HTTPS
+				khatru_pyramid.ConfigureNginxHttps(relayDomain)
 			}
 
-			// Step 5: Configure Nginx for HTTPS
-			khatru_pyramid.ConfigureNginxHttps(relayDomain)
-
 			// Step 6: Download and install the relay binary
 			khatru_pyramid.InstallRelayBinary()
 
 			// Step 7: Set up the relay service
 			khatru_pyramid.SetupRelayService(relayDomain, pubkey)
 
 			// Step 8: Show success messages
-			khatru_pyramid.SuccessMessages(relayDomain)
+			khatru_pyramid.SuccessMessages(relayDomain, httpsEnabled)
 		} else if selectedRelayOption == "strfry" {
 			// Step 2: Configure the firewall
 			network.ConfigureFirewall()
@@ -86,22 +80,20 @@ var installCmd = &cobra.Command{
 			strfry.ConfigureNginxHttp(relayDomain)
 
 			// Step 4: Get SSL certificates
-			var shouldContinue = network.GetCertificates(relayDomain, ssl_email)
-			if !shouldContinue {
-				return
+			var httpsEnabled = network.GetCertificates(relayDomain)
+			if httpsEnabled {
+				// Step 5: Configure Nginx for HTTPS
+				strfry.ConfigureNginxHttps(relayDomain)
 			}
 
-			// Step 5: Configure Nginx for HTTPS
-			strfry.ConfigureNginxHttps(relayDomain)
-
 			// Step 6: Download and install the relay binary
 			strfry.InstallRelayBinary()
 
 			// Step 7: Set up the relay service
 			strfry.SetupRelayService(relayDomain)
 
 			// Step 8: Show success messages
-			strfry.SuccessMessages(relayDomain)
+			strfry.SuccessMessages(relayDomain, httpsEnabled)
 		} else if selectedRelayOption == "Khatru29" {
 			// Step 2: Configure the firewall
 			network.ConfigureFirewall()
@@ -110,22 +102,20 @@ var installCmd = &cobra.Command{
 			khatru29.ConfigureNginxHttp(relayDomain)
 
 			// Step 4: Get SSL certificates
-			var shouldContinue = network.GetCertificates(relayDomain, ssl_email)
-			if !shouldContinue {
-				return
+			var httpsEnabled = network.GetCertificates(relayDomain)
+			if httpsEnabled {
+				// Step 5: Configure Nginx for HTTPS
+				khatru29.ConfigureNginxHttps(relayDomain)
 			}
 
-			// Step 5: Configure Nginx for HTTPS
-			khatru29.ConfigureNginxHttps(relayDomain)
-
 			// Step 6: Download and install the relay binary
 			khatru29.InstallRelayBinary()
 
 			// Step 7: Set up the relay service
 			khatru29.SetupRelayService(relayDomain, privkey)
 
 			// Step 8: Show success messages
-			khatru29.SuccessMessages(relayDomain)
+			khatru29.SuccessMessages(relayDomain, httpsEnabled)
 		} else if selectedRelayOption == "WoT Relay" {
 			// Step 2: Configure the firewall
 			network.ConfigureFirewall()
@@ -134,29 +124,27 @@ var installCmd = &cobra.Command{
 			wot_relay.ConfigureNginxHttp(relayDomain)
 
 			// Step 4: Get SSL certificates
-			var shouldContinue = network.GetCertificates(relayDomain, ssl_email)
-			if !shouldContinue {
-				return
+			var httpsEnabled = network.GetCertificates(relayDomain)
+			if httpsEnabled {
+				// Step 5: Configure Nginx for HTTPS
+				wot_relay.ConfigureNginxHttps(relayDomain)
 			}
 
-			// Step 5: Configure Nginx for HTTPS
-			wot_relay.ConfigureNginxHttps(relayDomain)
-
 			// Step 6: Download and install the relay binary
 			wot_relay.InstallRelayBinary()
 
 			// Step 7: Set up the relay service
-			wot_relay.SetupRelayService(relayDomain, pubkey)
+			wot_relay.SetupRelayService(relayDomain, pubkey, httpsEnabled)
 
 			// Step 8: Show success messages
-			wot_relay.SuccessMessages(relayDomain)
+			wot_relay.SuccessMessages(relayDomain, httpsEnabled)
 		}
 
 		pterm.Println()
-		pterm.Println(pterm.Magenta("Join the NODE-TEC Discord to get support:"))
+		pterm.Println(pterm.Cyan("Join the NODE-TEC Discord to get support:"))
 		pterm.Println(pterm.Magenta("https://discord.gg/J9gRK5pbWb"))
 		pterm.Println()
-		pterm.Println(pterm.Magenta("We plan to use relay groups for support in the future..."))
+		pterm.Println(pterm.Cyan("We plan to use relay groups for support in the future..."))
 
 		pterm.Println()
 		pterm.Println(pterm.Magenta("You can re-run this installer with `rwz install`."))

pkg/network/certbot.go

@@ -10,15 +10,23 @@ import (
 )
 
 // Function to get SSL certificates using Certbot
-func GetCertificates(domainName, email string) bool {
+func GetCertificates(domainName string) bool {
 
-	options := []string{"yes", "no"}
+	var ThemeDefault = pterm.ThemeDefault
 
-	prompt := pterm.DefaultInteractiveContinue.WithOptions(options)
+	var prompt = pterm.InteractiveContinuePrinter{
+		DefaultValueIndex: 0,
+		DefaultText:       "Obtain SSL certificates?",
+		TextStyle:         &ThemeDefault.PrimaryStyle,
+		Options:           []string{"yes", "no"},
+		OptionsStyle:      &ThemeDefault.SuccessMessageStyle,
+		SuffixStyle:       &ThemeDefault.SecondaryStyle,
+		Delimiter:         ": ",
+	}
 
 	pterm.Println()
 	pterm.Println(pterm.Cyan("Do you want to obtain SSL certificates using Certbot?"))
-	pterm.Println(pterm.Cyan("This step requires that you already have a configured domain name."))
+	pterm.Println(pterm.Cyan("If you select 'yes', then this step requires that you already have a configured domain name."))
 	pterm.Println(pterm.Cyan("You can always re-run this installer after you have configured your domain name."))
 	pterm.Println()
 
@@ -28,6 +36,11 @@ func GetCertificates(domainName, email string) bool {
 		return false
 	}
 
+	pterm.Println()
+	pterm.Println(pterm.Yellow("Leave email empty if you don't want to receive notifications from Let's Encrypt about your SSL certificates."))
+
+	pterm.Println()
+	email, _ := pterm.DefaultInteractiveTextInput.Show("Email address")
 	pterm.Println()
 
 	spinner, _ := pterm.DefaultSpinner.Start("Checking SSL certificates...")
@@ -36,7 +49,8 @@ func GetCertificates(domainName, email string) bool {
 
 	// Check if certificates already exist
 	if files.FileExists(fmt.Sprintf("%s/fullchain.pem", certificatePath)) &&
-		files.FileExists(fmt.Sprintf("%s/privkey.pem", certificatePath)) {
+		files.FileExists(fmt.Sprintf("%s/privkey.pem", certificatePath)) &&
+		files.FileExists(fmt.Sprintf("%s/chain.pem", certificatePath)) {
 		spinner.Info("SSL certificates already exist.")
 		return true
 	}

pkg/relays/khatru29/nginx_http.go

@@ -2,7 +2,6 @@ package khatru29
 
 import (
 	"fmt"
-	"github.com/nodetec/rwz/pkg/utils/directories"
 	"github.com/nodetec/rwz/pkg/utils/files"
 	"github.com/nodetec/rwz/pkg/utils/systemd"
 	"github.com/pterm/pterm"
@@ -16,8 +15,6 @@ func ConfigureNginxHttp(domainName string) {
 
 	var configContent string
 
-	directories.CreateDirectory(fmt.Sprintf("/var/www/%s/.well-known/acme-challenge/", domainName), 0755)
-
 	files.RemoveFile(configFilePath)
 
 	configContent = fmt.Sprintf(`map $http_upgrade $connection_upgrade {
@@ -35,21 +32,50 @@ server {
     listen [::]:80;
     server_name %s;
 
-    location /.well-known/acme-challenge/ {
-        root /var/www/%s;
-        allow all;
-    }
-
     location / {
+        # First attempt to serve request as file, then
+        # as directory, then fall back to displaying 404.
+        try_files $uri $uri/ =404;
         proxy_pass http://websocket_khatru29;
         proxy_http_version 1.1;
         proxy_set_header Upgrade $http_upgrade;
         proxy_set_header Connection $connection_upgrade;
         proxy_set_header Host $host;
         proxy_set_header X-Forwarded-For $remote_addr;
     }
+
+    # Only return Nginx in server header
+    server_tokens off;
+
+    #### Security Headers ####
+    # Test configuration:
+    # https://securityheaders.com/
+    # https://observatory.mozilla.org/
+		add_header X-Frame-Options DENY;
+
+    # Avoid MIME type sniffing
+		add_header X-Content-Type-Options nosniff always;
+
+		add_header Referrer-Policy "no-referrer" always;
+
+		add_header X-XSS-Protection 0 always;
+
+		add_header Permissions-Policy "geolocation=(), midi=(), sync-xhr=(), microphone=(), camera=(), magnetometer=(), gyroscope=(), fullscreen=(self), payment=()" always;
+
+    #### Content-Security-Policy (CSP) ####
+		add_header Content-Security-Policy "base-uri 'self'; object-src 'none'; frame-ancestors 'none';" always;
+}
+
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+    server_name %s;
+
+    location / {
+        return 301 http://%s$request_uri;
+    }
 }
-`, domainName, domainName, domainName)
+`, domainName, domainName, domainName, domainName)
 
 	files.WriteFile(configFilePath, configContent, 0644)
 

pkg/relays/khatru29/nginx_https.go

@@ -2,6 +2,7 @@ package khatru29
 
 import (
 	"fmt"
+	"github.com/nodetec/rwz/pkg/utils/directories"
 	"github.com/nodetec/rwz/pkg/utils/files"
 	"github.com/nodetec/rwz/pkg/utils/systemd"
 	"github.com/pterm/pterm"
@@ -17,6 +18,8 @@ func ConfigureNginxHttps(domainName string) {
 
 	files.RemoveFile(configFilePath)
 
+	directories.CreateDirectory(fmt.Sprintf("/var/www/%s/.well-known/acme-challenge/", domainName), 0755)
+
 	configContent = fmt.Sprintf(`map $http_upgrade $connection_upgrade {
     default upgrade;
     '' close;
@@ -45,6 +48,9 @@ server {
         proxy_set_header X-Forwarded-For $remote_addr;
     }
 
+    # Only return Nginx in server header
+    server_tokens off;
+
     #### SSL Configuration ####
     # Test configuration:
     # https://www.ssllabs.com/ssltest/analyze.html
@@ -54,9 +60,6 @@ server {
     # Verify chain of trust of OCSP response using Root CA and Intermediate certs
     ssl_trusted_certificate /etc/letsencrypt/live/%s/chain.pem;
 
-    # Only return Nginx in server header
-    server_tokens off;
-
     # TODO
     # Add support to generate the file in the script
     #ssl_dhparam /etc/ssl/certs/dhparam.pem;
@@ -87,7 +90,7 @@ server {
     ssl_stapling on;
     ssl_stapling_verify on;
 
-    # Security headers
+    #### Security Headers ####
     # Test configuration:
     # https://securityheaders.com/
     # https://observatory.mozilla.org/
@@ -104,7 +107,7 @@ server {
 
     add_header Permissions-Policy "geolocation=(), midi=(), sync-xhr=(), microphone=(), camera=(), magnetometer=(), gyroscope=(), fullscreen=(self), payment=()" always;
 
-    # Content-Security-Policy (CSP)
+    #### Content-Security-Policy (CSP) ####
     add_header Content-Security-Policy "base-uri 'self'; object-src 'none'; frame-ancestors 'none'; upgrade-insecure-requests;" always;
 }
 

pkg/relays/khatru29/success_messages.go

@@ -4,14 +4,14 @@ import (
 	"github.com/nodetec/rwz/pkg/utils/messages"
 )
 
-func SuccessMessages(domain string) {
+func SuccessMessages(domain string, httpsEnabled bool) {
 	const dataDir = "/var/lib/khatru29"
 	const envFile = "/etc/systemd/system/khatru29.env"
 	const serviceFile = "/etc/systemd/system/khatru29.service"
 	const service = "khatru29"
 	const relayName = "Khatru29"
 	const githubLink = "https://github.com/fiatjaf/relay29/tree/master"
 
-	successMsgParams := messages.SuccessMsgParams{Domain: domain, DataDir: dataDir, EnvFile: envFile, ServiceFile: serviceFile, Service: service, RelayName: relayName, GitHubLink: githubLink}
+	successMsgParams := messages.SuccessMsgParams{Domain: domain, HTTPSEnabled: httpsEnabled, DataDir: dataDir, EnvFile: envFile, ServiceFile: serviceFile, Service: service, RelayName: relayName, GitHubLink: githubLink}
 	messages.SuccessMessages(&successMsgParams)
 }