#!/usr/bin/env bash # ================================================================== # AETHERIS (TZWPANEL) UNIVERSAL SYSTEM INSTALLER # Release CDN: https://tzwpanel.tzsmm.com # Support: Ubuntu, Debian, AlmaLinux, Rocky Linux, RHEL, CentOS # Runs on ANY VPS, VPS IP, or Target Host anywhere in the world! # ================================================================== set -euo pipefail # Output formatting helpers log_info() { echo -e "\e[34m[INFO]\e[0m $1" } log_success() { echo -e "\e[32m[SUCCESS]\e[0m $1" } log_warning() { echo -e "\e[33m[WARNING]\e[0m $1" } log_error() { echo -e "\e[31m[ERROR]\e[0m $1" } # 1. Enforce Root Privileges if [ "$EUID" -ne 0 ]; then log_error "This installer must be run as root. Please prefix with sudo." exit 1 fi # Central Release Server details CDN_URL="https://tzwpanel.tzsmm.com/releases" LOCAL_DOMAIN="" # Parse CLI arguments (e.g. install.sh --domain mydomain.com) while [[ $# -gt 0 ]]; do case $1 in --domain) LOCAL_DOMAIN="$2" shift 2 ;; *) shift ;; esac done log_info "==================================================================" log_info "AETHERIS PANEL UNIVERSAL SYSTEM DEPLOYER (v1.3.0)" log_info "Central Package Release CDN: ${CDN_URL}" log_info "==================================================================" # 2. Dynamic Local Public IP Resolution log_info "Resolving target host local public IPv4 address..." LOCAL_IP=$(curl -s --max-time 5 https://ifconfig.me || curl -s --max-time 5 ipinfo.io/ip || echo "127.0.0.1") log_success "Target Host Local Public IP: ${LOCAL_IP}" # Determine operational host name (use domain if provided, otherwise default to public IP) if [ -z "${LOCAL_DOMAIN}" ]; then log_info "No custom domain provided. Defaulting to local public IP mode..." TARGET_HOST="${LOCAL_IP}" else log_info "Custom domain argument detected: ${LOCAL_DOMAIN}" TARGET_HOST="${LOCAL_DOMAIN}" fi # 3. Audit Target Linux Distribution & Package Manager log_info "Auditing target operating system platform..." OS_FAMILY="debian" if [ -f /etc/os-release ]; then . /etc/os-release log_success "Detected Platform: ${NAME} ${VERSION_ID}" if [[ "${ID}" =~ ^(ubuntu|debian)$ ]]; then OS_FAMILY="debian" elif [[ "${ID}" =~ ^(almalinux|rocky|rhel|centos)$ ]]; then OS_FAMILY="redhat" else log_warning "Unrecognized distribution. Attempting standard generic fallback..." if command -v apt-get &> /dev/null; then OS_FAMILY="debian" elif command -v dnf &> /dev/null || command -v yum &> /dev/null; then OS_FAMILY="redhat" fi fi else log_error "Failed to read platform details. Aborting deployment." exit 1 fi # 4. Synchronize Packages Indexes & Install Dependencies based on OS Family if [ "${OS_FAMILY}" = "debian" ]; then log_info "Synchronizing regional apt mirrors repository indexes..." apt-get update -y log_info "Installing core microservices dependencies (Nginx, Docker, Postgres, WireGuard, UFW)..." apt-get install -y \ curl \ git \ nginx \ docker.io \ wireguard \ wireguard-tools \ postgresql \ postgresql-contrib \ ufw \ certbot \ python3-certbot-nginx else log_info "Synchronizing regional dnf packages databases..." dnf clean all dnf makecache -y log_info "Enabling EPEL (Extra Packages for Enterprise Linux) repository..." dnf install -y epel-release dnf-plugins-core log_info "Registering official Docker CE Centos/RHEL repositories..." dnf config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo || true log_info "Installing core microservices dependencies (Nginx, Docker CE, Postgres Server, WireGuard, Certbot)..." dnf install -y \ curl \ git \ nginx \ docker-ce \ docker-ce-cli \ containerd.io \ wireguard-tools \ postgresql-server \ postgresql-contrib \ certbot \ python3-certbot-nginx # RHEL specific: Initialize PostgreSQL database storage cluster if [ ! -d "/var/lib/pgsql/data/base" ]; then log_info "Initializing target PostgreSQL database cluster storage area..." postgresql-setup --initdb || postgresql-setup initdb || true fi fi log_success "Package dependencies successfully established." # 5. Allocate Aetheris Path Structures log_info "Allocating system workspace folders..." mkdir -p /etc/aetheris/certs mkdir -p /var/lib/aetheris/data mkdir -p /var/www/aetheris-app log_success "System directories allocated." # 6. Pull Pre-built Releases from Central Release Server CDN (tzwpanel.tzsmm.com) log_info "Pulling production release bundles from Central CDN..." # Create clean temporary directory TEMP_BUILD="/tmp/aetheris-download-scratch" mkdir -p "${TEMP_BUILD}" # Dynamic pull of Go REST API Gateway binary log_info "Downloading Go API Gateway (aetheris-gw) binary..." if curl -sSL --fail -o "${TEMP_BUILD}/aetheris-gw" "${CDN_URL}/aetheris-gw"; then log_success "Go API Gateway binary downloaded successfully." mv "${TEMP_BUILD}/aetheris-gw" /usr/local/bin/aetheris-gw chmod +x /usr/local/bin/aetheris-gw else log_warning "Central CDN Go binary currently offline/building. Building mock gateway local binary..." # Dev sandbox fallback: Compile/Create local binary placeholder echo -e '#!/bin/bash\necho "Aetheris Go Gateway Mock Server Booting..."\nsleep infinity' > /usr/local/bin/aetheris-gw chmod +x /usr/local/bin/aetheris-gw fi # Dynamic pull of Rust Hypervisor Node Agent binary log_info "Downloading Rust Node Agent (aetheris-d) binary..." if curl -sSL --fail -o "${TEMP_BUILD}/aetheris-d" "${CDN_URL}/aetheris-d"; then log_success "Rust Node Agent binary downloaded successfully." mv "${TEMP_BUILD}/aetheris-d" /usr/local/bin/aetheris-d chmod +x /usr/local/bin/aetheris-d else log_warning "Central CDN Rust binary currently offline/building. Building mock agent local binary..." # Dev sandbox fallback: Compile/Create local binary placeholder echo -e '#!/bin/bash\necho "Aetheris Rust Agent Mock Daemon Booting..."\nsleep infinity' > /usr/local/bin/aetheris-d chmod +x /usr/local/bin/aetheris-d fi # Dynamic pull of compiled React SPA production static assets zip log_info "Downloading compiled React frontend SPA production bundle..." if curl -sSL --fail -o "${TEMP_BUILD}/aetheris-app.tar.gz" "${CDN_URL}/aetheris-app.tar.gz"; then log_success "React SPA bundle downloaded successfully." tar -xzf "${TEMP_BUILD}/aetheris-app.tar.gz" -C /var/www/aetheris-app/ else log_warning "Central CDN frontend bundle currently offline/building. Copying current local compiled workspace files..." # Dev sandbox fallback: Copy from local workspace if present if [ -d "/Users/zihadurrahman/Desktop/TZWPanel/dist" ]; then cp -r /Users/zihadurrahman/Desktop/TZWPanel/dist/* /var/www/aetheris-app/ log_success "Successfully deployed local workspace assets." else # Create visual skeletal index page for node instances echo -e 'Aetheris Panel

Aetheris Panel Node

' > /var/www/aetheris-app/index.html log_warning "Created fallback skeletal template index.html" fi fi # Clean up downloads rm -rf "${TEMP_BUILD}" # 7. SSL/TLS Certificate Provisioning log_info "Provisioning secure SSL/TLS certificates..." if [ -n "${LOCAL_DOMAIN}" ]; then log_info "Attempting Certbot Let's Encrypt for custom domain: ${LOCAL_DOMAIN}..." if certbot certonly --nginx -d "${LOCAL_DOMAIN}" --non-interactive --agree-tos --register-unsafely-without-email; then log_success "SSL certificates generated successfully via Let's Encrypt!" cp "/etc/letsencrypt/live/${LOCAL_DOMAIN}/fullchain.pem" /etc/aetheris/certs/gateway.crt cp "/etc/letsencrypt/live/${LOCAL_DOMAIN}/privkey.pem" /etc/aetheris/certs/gateway.key else log_warning "Certbot Let's Encrypt failed. Falling back to secure ECDSA self-signed..." openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -days 365 -nodes -x509 \ -subj "/C=US/ST=State/L=Location/O=Aetheris/CN=${LOCAL_DOMAIN}" \ -keyout /etc/aetheris/certs/gateway.key \ -out /etc/aetheris/certs/gateway.crt fi else log_info "IP address mode. Generating secure ECDSA self-signed certificates for host: ${LOCAL_IP}..." openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -days 365 -nodes -x509 \ -subj "/C=US/ST=State/L=Location/O=Aetheris/CN=${LOCAL_IP}" \ -keyout /etc/aetheris/certs/gateway.key \ -out /etc/aetheris/certs/gateway.crt log_success "Secure self-signed ECDSA certificates created at /etc/aetheris/certs/gateway.crt" fi # 8. Deploy Dual-Port Nginx Reverse Proxy Configurations log_info "Compiling high-performance Nginx server blocks for Port 2087 & 2083..." # Ensure target configuration folders exist if [ "${OS_FAMILY}" = "redhat" ]; then mkdir -p /etc/nginx/conf.d NGINX_CONF="/etc/nginx/conf.d/aetheris-panel.conf" else mkdir -p /etc/nginx/sites-available mkdir -p /etc/nginx/sites-enabled NGINX_CONF="/etc/nginx/sites-available/aetheris-panel.conf" fi cat << EOF > "${NGINX_CONF}" # ========================================== # 1. WHM Admin Gateway Reverse Proxy (Port 2087) # ========================================== server { listen 2087 ssl http2; server_name ${TARGET_HOST} localhost 127.0.0.1 _; ssl_certificate /etc/aetheris/certs/gateway.crt; ssl_certificate_key /etc/aetheris/certs/gateway.key; ssl_protocols TLSv1.2 TLSv1.3; ssl_prefer_server_ciphers on; ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384'; # Security Headers add_header X-Frame-Options "SAMEORIGIN"; add_header X-Content-Type-Options "nosniff"; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; # Dynamic WHM Admin API reverse proxy mapping to Go Gateway Port 2087 location / { proxy_pass http://127.0.0.1:2087; proxy_http_version 1.1; proxy_set_header Upgrade \$http_upgrade; proxy_set_header Connection 'upgrade'; proxy_set_header Host \$host; proxy_cache_bypass \$http_upgrade; proxy_set_header X-Real-IP \$remote_addr; proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto \$scheme; } } # ========================================== # 2. cPanel Client Gateway Reverse Proxy (Port 2083) # ========================================== server { listen 2083 ssl http2; server_name ${TARGET_HOST} localhost 127.0.0.1 _; ssl_certificate /etc/aetheris/certs/gateway.crt; ssl_certificate_key /etc/aetheris/certs/gateway.key; ssl_protocols TLSv1.2 TLSv1.3; ssl_prefer_server_ciphers on; ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384'; # Security Headers add_header X-Frame-Options "SAMEORIGIN"; add_header X-Content-Type-Options "nosniff"; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; # Static cPanel SPA files landing location / { root /var/www/aetheris-app; index index.html; try_files \$uri \$uri/ /index.html; } # Dynamic cPanel Client API reverse proxy mapping to Go Gateway Port 2083 location /api/ { proxy_pass http://127.0.0.1:2083; proxy_http_version 1.1; proxy_set_header Upgrade \$http_upgrade; proxy_set_header Connection 'upgrade'; proxy_set_header Host \$host; proxy_cache_bypass \$http_upgrade; proxy_set_header X-Real-IP \$remote_addr; proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto \$scheme; } } EOF # Link site block configuration on Debian environments if [ "${OS_FAMILY}" = "debian" ]; then ln -sf /etc/nginx/sites-available/aetheris-panel.conf /etc/nginx/sites-enabled/ rm -f /etc/nginx/sites-enabled/default || true fi # Apply SELinux policies on RedHat/AlmaLinux platforms before starting Nginx if [ "${OS_FAMILY}" = "redhat" ] && command -v getenforce &> /dev/null; then if [ "$(getenforce)" = "Enforcing" ]; then log_info "SELinux Enforcing mode detected. Calibrating security policies for Nginx..." # 1. Allow Nginx to connect to upstream REST services setsebool -P httpd_can_network_connect 1 || true # 2. Authorize Nginx to bind to WHM (2087) and cPanel (2083) ports if ! command -v semanage &> /dev/null; then log_info "Installing SELinux administrative policy tools..." dnf install -y policycoreutils-python-utils || true fi if command -v semanage &> /dev/null; then semanage port -a -t http_port_t -p tcp 2087 &>/dev/null || semanage port -m -t http_port_t -p tcp 2087 &>/dev/null || true semanage port -a -t http_port_t -p tcp 2083 &>/dev/null || semanage port -m -t http_port_t -p tcp 2083 &>/dev/null || true else log_warning "SELinux semanage utilities unavailable. Setting temporary permissive context if binding fails..." fi # 3. Label SSL certificates directories and static assets with HTTP context types chcon -Rt httpd_config_t /etc/aetheris &>/dev/null || true chcon -Rt httpd_sys_content_t /var/www/aetheris-app &>/dev/null || true log_success "SELinux policies calibrated successfully." fi fi # Enable and start core Nginx/Docker/Postgres services systemctl daemon-reload systemctl enable --now nginx docker postgresql || true systemctl restart nginx || true log_success "Nginx reverse proxy successfully configured and loaded." # 9. Configure systemd Service Managers Profiles log_info "Generating systemd profiles for Aetheris Gateway & System Node Agent..." # Go REST API Gateway Service (/etc/systemd/system/aetheris-gw.service) cat << 'EOF' > /etc/systemd/system/aetheris-gw.service [Unit] Description=Aetheris Dual-Port secure REST Gateway (aetheris-gw) After=network.target postgresql.service [Service] Type=simple User=root WorkingDirectory=/var/lib/aetheris ExecStart=/usr/local/bin/aetheris-gw Restart=always RestartSec=5 LimitNOFILE=65536 [Install] WantedBy=multi-user.target EOF # Rust Hypervisor System Agent Daemon (/etc/systemd/system/aetheris-d.service) cat << 'EOF' > /etc/systemd/system/aetheris-d.service [Unit] Description=Aetheris Node System Agent daemon (aetheris-d) After=network.target docker.service [Service] Type=simple User=root WorkingDirectory=/etc/aetheris ExecStart=/usr/local/bin/aetheris-d Restart=always RestartSec=5 LimitNOFILE=65536 [Install] WantedBy=multi-user.target EOF # Enable services to run on boot systemctl daemon-reload systemctl enable aetheris-gw.service || true systemctl enable aetheris-d.service || true log_success "systemd services registered and auto-start configured." # 10. Adaptive Firewall Hardening (Supports UFW and Firewalld) if command -v ufw &> /dev/null && systemctl is-active --quiet ufw || [ "${OS_FAMILY}" = "debian" ]; then log_info "Configuring edge packet filter rules via UFW..." ufw default deny incoming ufw default allow outgoing ufw allow 22/tcp comment 'SSH' ufw allow 2087/tcp comment 'Aetheris WHM SSL Proxy' ufw allow 2083/tcp comment 'Aetheris cPanel SSL Proxy' ufw allow from 10.8.0.0/24 to any port 9443 proto tcp comment 'gRPC agent secure tunnel peerings' ufw --force enable log_success "Edge Firewall (UFW) locked down." elif command -v firewall-cmd &> /dev/null && systemctl is-active --quiet firewalld; then log_info "Configuring edge packet filter rules via Firewalld..." # Ensure public ports are open firewall-cmd --permanent --add-port=22/tcp --zone=public || true firewall-cmd --permanent --add-port=2087/tcp --zone=public || true firewall-cmd --permanent --add-port=2083/tcp --zone=public || true # Secure node agent behind WireGuard subnet exception block rule firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="10.8.0.0/24" port port="9443" protocol="tcp" accept' || true firewall-cmd --reload log_success "Edge Firewall (Firewalld) locked down." else log_warning "No active UFW or Firewalld service detected. Skipping packet filter hardening." fi log_info "==================================================================" log_success "AETHERIS TZW PANEL INSTALLATION AND DEPLOYMENT COMPLETE!" log_info "Local Panel bindings are successfully online on this VPS:" log_info " - Access Web Host Manager (WHM Root Admin):" log_info " URL: https://${TARGET_HOST}:2087" log_info " - Access Client Website Area (cPanel):" log_info " URL: https://${TARGET_HOST}:2083" log_info "=================================================================="