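#!/bin/bash
#
# Install the gsc-ops-api service on this host: create the unprivileged
# service account, the directory layout, the default config, file
# permissions, and a hardened systemd unit.
#
# Must be run as root (useradd, chown and /etc/systemd writes require it).
# Expects the binary under ${BIN_DIR} and the default config under
# ${INSTALL_DIR}/configs/config.yaml, both produced by 'make build'.
set -euo pipefail

readonly APP_NAME="gsc-ops-api"
readonly APP_USER="gsc-ops-api"
readonly INSTALL_DIR="/srv/gosec/${APP_NAME}"
readonly CONFIG_DIR="/etc/${APP_NAME}"
readonly TLS_DIR="${CONFIG_DIR}/tls"
readonly BIN_DIR="${INSTALL_DIR}/bin"
readonly UNIT_FILE="/etc/systemd/system/${APP_NAME}.service"

#######################################
# Print an error message to stderr and exit non-zero.
# Arguments: $* - message
#######################################
die() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

#######################################
# Create the unprivileged service account if it does not exist yet.
# Globals: APP_USER, INSTALL_DIR (read)
#######################################
create_user() {
  if ! id "${APP_USER}" &>/dev/null; then
    useradd -r -s /sbin/nologin -d "${INSTALL_DIR}" "${APP_USER}"
    echo "Created system user: ${APP_USER}"
  fi
}

#######################################
# Create the bin, config and TLS directories (idempotent).
# Globals: BIN_DIR, CONFIG_DIR, TLS_DIR (read)
#######################################
create_dirs() {
  mkdir -p "${BIN_DIR}" "${CONFIG_DIR}" "${TLS_DIR}"
}

#######################################
# Report whether the service binary is present. A missing binary is only
# a warning: the unit can be installed first and the binary built later.
# Globals: BIN_DIR, APP_NAME (read)
#######################################
check_binary() {
  if [ -f "${BIN_DIR}/${APP_NAME}" ]; then
    echo "Binary found at ${BIN_DIR}/${APP_NAME}"
  else
    echo "WARNING: Binary not found. Build with 'make build' first."
  fi
}

#######################################
# Install the default config unless one already exists; an operator-edited
# config is never overwritten. Fails with a clear message if the default
# config shipped with the build is missing.
# Globals: INSTALL_DIR, CONFIG_DIR (read)
#######################################
install_config() {
  local src="${INSTALL_DIR}/configs/config.yaml"
  local dst="${CONFIG_DIR}/config.yaml"
  if [ ! -f "${dst}" ]; then
    [ -f "${src}" ] || die "default config not found at ${src}"
    cp -- "${src}" "${dst}"
    echo "Config installed to ${dst}"
  else
    echo "Config already exists, skipping"
  fi
}

#######################################
# Lock down ownership and modes: root owns everything; the service group
# gets read access to config and secrets and execute on the binary, and
# nothing is world-readable.
# Globals: APP_USER, CONFIG_DIR, TLS_DIR, BIN_DIR, APP_NAME (read)
#######################################
set_permissions() {
  chown -R "root:${APP_USER}" "${CONFIG_DIR}"
  chmod 750 "${CONFIG_DIR}"
  chmod 640 "${CONFIG_DIR}/config.yaml"
  chmod 750 "${TLS_DIR}"
  # NOTE: files the operator later copies into TLS_DIR (private keys in
  # particular) are not chmod'ed here; the directory mode alone does not
  # stop them from being world-readable, so they must be set to 640 too.
  if [ -f "${CONFIG_DIR}/.infisical" ]; then
    chown "root:${APP_USER}" "${CONFIG_DIR}/.infisical"
    chmod 640 "${CONFIG_DIR}/.infisical"
  fi
  chown "root:${APP_USER}" "${BIN_DIR}"
  if [ -f "${BIN_DIR}/${APP_NAME}" ]; then
    chmod 750 "${BIN_DIR}/${APP_NAME}"
  fi
}

#######################################
# Write the systemd unit and reload systemd. The unit is rendered from the
# variables above so it cannot drift from the layout this script creates.
# Globals: UNIT_FILE, APP_USER, APP_NAME, BIN_DIR, CONFIG_DIR (read)
#######################################
install_unit() {
  cat > "${UNIT_FILE}" <<SYSTEMD_EOF
[Unit]
Description=GSC Operations API Server
Documentation=https://wiki.gosec.internal/infrastructure/gsc-ops-api
After=network-online.target postgresql.service
Wants=network-online.target

[Service]
Type=simple
User=${APP_USER}
Group=${APP_USER}
ExecStart=${BIN_DIR}/${APP_NAME}
Restart=on-failure
RestartSec=5
StandardOutput=journal
StandardError=journal
SyslogIdentifier=${APP_NAME}

# Security hardening
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
RestrictSUIDSGID=true
RestrictNamespaces=true
# ProtectSystem=strict already mounts /etc read-only; kept explicit so the
# intent survives if ProtectSystem is ever relaxed.
ReadOnlyPaths=${CONFIG_DIR}
# NOTE(review): this makes the service's own binary directory writable
# inside the sandbox. Directory ownership (root:${APP_USER}, 750) still
# blocks writes from the service account, but a writable bin directory
# works against ProtectSystem=strict; if the service needs scratch space,
# prefer StateDirectory= and drop this line.
ReadWritePaths=${BIN_DIR}

# Environment
Environment=GSC_OPS_API_CONFIG=${CONFIG_DIR}/config.yaml

[Install]
WantedBy=multi-user.target
SYSTEMD_EOF
  systemctl daemon-reload
  echo "Systemd service installed"
}

#######################################
# Print the manual follow-up steps for the operator.
# Globals: TLS_DIR, CONFIG_DIR, APP_NAME (read)
#######################################
print_next_steps() {
  echo ""
  echo "=== Installation complete ==="
  echo ""
  echo "Next steps:"
  echo " 1. Copy TLS certificates to ${TLS_DIR}/"
  echo " 2. Copy Infisical token to ${CONFIG_DIR}/.infisical"
  echo " 3. Edit config: ${CONFIG_DIR}/config.yaml"
  echo " 4. Start service: systemctl enable --now ${APP_NAME}"
  echo " 5. Check status: systemctl status ${APP_NAME}"
  echo " 6. View logs: journalctl -u ${APP_NAME} -f"
}

main() {
  # Fail early with a clear message instead of a confusing EACCES from
  # useradd/mkdir/chown halfway through.
  [[ "${EUID}" -eq 0 ]] || die "this script must be run as root"
  echo "=== Installing ${APP_NAME} ==="
  create_user
  create_dirs
  check_binary
  install_config
  set_permissions
  install_unit
  print_next_steps
}

main "$@"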