1 files changed, 194 insertions, 0 deletions

diff --git a/whiterabbit.sh b/whiterabbit.sh
new file mode 100644
index 0000000..8f1d77d
--- /dev/null
+++ b/whiterabbit.sh
@@ -0,0 +1,194 @@
+#!/bin/sh
+set -e
+
+echo "Warning: secrets will be visible when typing. Press Enter after each input."
+
+# --- User input ---
+printf "Base domain (e.g., example.com): "
+read DOMAIN
+printf "Subdomain for this instance (e.g., matrix1): "
+read SUBDOMAIN
+CN="$SUBDOMAIN.$DOMAIN"
+
+printf "Postgres secret: "
+read POSTGRES_SECRET
+printf "REG Secret (registration_shared_secret): "
+read REG_SECRET
+
+# --- Directories ---
+BASE_DIR="/opt/matrix/$CN"
+mkdir -p "$BASE_DIR/data"
+mkdir -p "$BASE_DIR/db"
+
+# --- Automatic port assignment ---
+BASE_PORT=8008
+FEDERATION_PORT=8448
+
+for dir in /opt/matrix/*; do
+    if [ -f "$dir/docker-compose.yml" ]; then
+        used_ports=$(grep 'ports:' -A1 "$dir/docker-compose.yml" | awk -F: '{print $2}' | tr -d '"')
+        for port in $used_ports; do
+            if [ "$port" ] && [ "$port" -ge "$BASE_PORT" ]; then
+                BASE_PORT=$((port + 1))
+            fi
+            if [ "$port" ] && [ "$port" -ge "$FEDERATION_PORT" ]; then
+                FEDERATION_PORT=$((port + 1))
+            fi
+        done
+    fi
+done
+
+echo "Assigning ports: client-server=$BASE_PORT, federation=$FEDERATION_PORT"
+
+# --- Docker Compose ---
+cat > "$BASE_DIR/docker-compose.yml" <<EOF
+services:
+  dendrite:
+    image: ghcr.io/element-hq/dendrite-monolith:latest
+    restart: unless-stopped
+    environment:
+      POSTGRES_URI: postgres://dendrite:$POSTGRES_SECRET@db/dendrite
+      SERVER_NAME: $CN
+      REGISTRATION_SHARED_SECRET: $REG_SECRET
+      DISABLE_TLS: "true"
+    ports:
+      - "$BASE_PORT:8008"
+      - "$FEDERATION_PORT:8448"
+    volumes:
+      - ./data:/data
+
+  db:
+    image: postgres:15
+    restart: unless-stopped
+    environment:
+      POSTGRES_USER: dendrite
+      POSTGRES_PASSWORD: $POSTGRES_SECRET
+    volumes:
+      - ./db:/var/lib/postgresql/data
+EOF
+
+# --- Nginx config ---
+NGINX_CONF="/etc/nginx/sites-available/$CN"
+sudo tee "$NGINX_CONF" > /dev/null <<EOF
+server {
+    listen 80;
+    listen [::]:80;
+    server_name $CN;
+
+    location /.well-known/matrix/ {
+        try_files \$uri =404;
+    }
+
+    location / {
+        proxy_pass http://127.0.0.1:$BASE_PORT;
+        proxy_http_version 1.1;
+        proxy_set_header Host \$host;
+        proxy_set_header X-Real-IP \$remote_addr;
+        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto \$scheme;
+        client_max_body_size 50M;
+        proxy_read_timeout 600s;
+    }
+}
+EOF
+
+sudo ln -sf "$NGINX_CONF" /etc/nginx/sites-enabled/
+sudo nginx -t
+sudo systemctl reload nginx
+
+# --- Start Docker Compose ---
+cd "$BASE_DIR"
+docker compose up -d
+
+# --- DNS propagation check ---
+if ! command -v dig >/dev/null 2>&1; then
+    echo "Installing dnsutils (needed for DNS checks)..."
+    sudo apt-get update && sudo apt-get install -y dnsutils
+fi
+
+# Collect all VPS IPs (IPv4 + IPv6)
+VPS_IPS=$(hostname -I | tr ' ' '\n')
+echo "VPS addresses: $VPS_IPS"
+
+echo "Checking DNS propagation for $CN ..."
+MAX_RETRIES=30
+SLEEP_SEC=10
+count=0
+
+while true; do
+    DNS_IPS=$( (dig +short "$CN" A; dig +short "$CN" AAAA) | sort -u )
+    MATCH="false"
+
+    for dns_ip in $DNS_IPS; do
+        for vps_ip in $VPS_IPS; do
+            if [ "$dns_ip" = "$vps_ip" ]; then
+                MATCH="true"
+                break
+            fi
+        done
+    done
+
+    if [ "$MATCH" = "true" ]; then
+        echo "$CN resolves correctly to one of the VPS IPs: $DNS_IPS"
+        break
+    else
+        count=$((count + 1))
+        if [ "$count" -ge "$MAX_RETRIES" ]; then
+            echo "DNS propagation not detected after $((MAX_RETRIES*SLEEP_SEC)) seconds."
+            echo "Please make sure $CN points to this VPS and rerun the script."
+            exit 1
+        fi
+        echo "DNS not ready yet ($count/$MAX_RETRIES). Found: $DNS_IPS Expected one of: $VPS_IPS"
+        echo "Retrying in $SLEEP_SEC seconds..."
+        sleep $SLEEP_SEC
+    fi
+done
+
+# --- Obtain HTTPS certificate ---
+sudo certbot certonly --nginx -d "$CN" --non-interactive --agree-tos -m "admin@$DOMAIN"
+
+sudo tee "$NGINX_CONF" > /dev/null <<EOF
+server {
+    listen 80;
+    listen [::]:80;
+    server_name $CN;
+    return 301 https://\$host\$request_uri;
+}
+
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+    server_name $CN;
+
+    ssl_certificate     /etc/letsencrypt/live/$CN/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/$CN/privkey.pem;
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305';
+    ssl_prefer_server_ciphers on;
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_timeout 1h;
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+    add_header X-Content-Type-Options nosniff;
+    add_header X-Frame-Options DENY;
+    add_header X-XSS-Protection "1; mode=block";
+    add_header Referrer-Policy "no-referrer-when-downgrade";
+
+    location /.well-known/matrix/ {
+        try_files \$uri =404;
+    }
+
+    location / {
+        proxy_pass http://127.0.0.1:$BASE_PORT;
+        proxy_http_version 1.1;
+        proxy_set_header Host \$host;
+        proxy_set_header X-Real-IP \$remote_addr;
+        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto \$scheme;
+        client_max_body_size 50M;
+        proxy_read_timeout 600s;
+    }
+}
+EOF
+sudo nginx -t
+sudo systemctl reload nginx
+echo "HTTPS active for $CN with federation support!"