intercept/start.sh at main · smittix/intercept · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
#!/usr/bin/env bash
# INTERCEPT - Production Startup Script
#
# Starts INTERCEPT with gunicorn + gevent for production use.
# Falls back to Flask dev server if gunicorn is not installed.
#
# Requires sudo for SDR, WiFi monitor mode, and Bluetooth access.
#
# Usage:
#   sudo ./start.sh                  # Default: 0.0.0.0:5050
#   sudo ./start.sh -p 8080          # Custom port
#   sudo ./start.sh --https          # HTTPS with self-signed cert
#   sudo ./start.sh --debug          # Debug mode (Flask dev server)
#   sudo ./start.sh --check-deps     # Check dependencies and exit

set -euo pipefail

# ── Resolve Python from venv or system ───────────────────────────────────────
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"

# ── Load .env if present ──────────────────────────────────────────────────────
if [[ -f "$SCRIPT_DIR/.env" ]]; then
    set -a
    source "$SCRIPT_DIR/.env"
    set +a
fi

if [[ -x "$SCRIPT_DIR/venv/bin/python" ]]; then
    PYTHON="$SCRIPT_DIR/venv/bin/python"
elif [[ -n "${VIRTUAL_ENV:-}" && -x "$VIRTUAL_ENV/bin/python" ]]; then
    PYTHON="$VIRTUAL_ENV/bin/python"
else
    PYTHON="$(command -v python3 || command -v python)"
fi

# ── Defaults (can be overridden by env vars or CLI flags) ────────────────────
HOST="${INTERCEPT_HOST:-0.0.0.0}"
PORT="${INTERCEPT_PORT:-5050}"
DEBUG=0
HTTPS=0
CHECK_DEPS=0

# ── Parse CLI arguments ─────────────────────────────────────────────────────
while [[ $# -gt 0 ]]; do
    case "$1" in
        -p|--port)
            PORT="$2"
            shift 2
            ;;
        -H|--host)
            HOST="$2"
            shift 2
            ;;
        -d|--debug)
            DEBUG=1
            shift
            ;;
        --https)
            HTTPS=1
            shift
            ;;
        --check-deps)
            CHECK_DEPS=1
            shift
            ;;
        -h|--help)
            echo "Usage: start.sh [OPTIONS]"
            echo ""
            echo "Options:"
            echo "  -p, --port PORT    Port to listen on (default: 5050)"
            echo "  -H, --host HOST    Host to bind to (default: 0.0.0.0)"
            echo "  -d, --debug        Run in debug mode (Flask dev server)"
            echo "  --https            Enable HTTPS with self-signed certificate"
            echo "  --check-deps       Check dependencies and exit"
            echo "  -h, --help         Show this help message"
            exit 0
            ;;
        *)
            echo "Unknown option: $1" >&2
            exit 1
            ;;
    esac
done

# ── Export for config.py ─────────────────────────────────────────────────────
export INTERCEPT_HOST="$HOST"
export INTERCEPT_PORT="$PORT"

# ── macOS: allow fork() after ObjC initialisation (gunicorn + gevent) ────
if [[ "$(uname)" == "Darwin" ]]; then
    export OBJC_DISABLE_INITIALIZE_FORK_SAFETY=YES
fi

# ── Fix ownership of user data dirs when run via sudo ────────────────────────
# When invoked via sudo the server process runs as root, so every file it
# creates (configs, logs, database) ends up owned by root.  On the *next*
# startup we fix that retroactively, and we also pre-create known runtime
# directories so they get correct ownership from the start.
if [[ "$(id -u)" -eq 0 && -n "${SUDO_USER:-}" ]]; then
    # Pre-create directories that routes may need at runtime
    mkdir -p "$SCRIPT_DIR/instance" \
             "$SCRIPT_DIR/data/radiosonde/logs" \
             "$SCRIPT_DIR/data/weather_sat"

    for dir in instance data certs; do
        if [[ -d "$SCRIPT_DIR/$dir" ]]; then
            chown -R "$SUDO_USER" "$SCRIPT_DIR/$dir"
        fi
    done

    # Export real user identity so Python can chown runtime-created files
    export INTERCEPT_SUDO_UID="$(id -u "$SUDO_USER")"
    export INTERCEPT_SUDO_GID="$(id -g "$SUDO_USER")"
fi

# ── Dependency check (delegate to intercept.py) ─────────────────────────────
if [[ "$CHECK_DEPS" -eq 1 ]]; then
    exec "$PYTHON" intercept.py --check-deps
fi

# ── Debug mode always uses Flask dev server ──────────────────────────────────
if [[ "$DEBUG" -eq 1 ]]; then
    echo "[INTERCEPT] Starting in debug mode (Flask dev server)..."
    export INTERCEPT_DEBUG=1
    exec "$PYTHON" intercept.py --host "$HOST" --port "$PORT" --debug
fi

# ── HTTPS certificate generation ────────────────────────────────────────────
CERT_DIR="certs"
CERT_FILE="$CERT_DIR/intercept.crt"
KEY_FILE="$CERT_DIR/intercept.key"

if [[ "$HTTPS" -eq 1 ]]; then
    if [[ ! -f "$CERT_FILE" || ! -f "$KEY_FILE" ]]; then
        echo "[INTERCEPT] Generating self-signed SSL certificate..."
        mkdir -p "$CERT_DIR"
        openssl req -x509 -newkey rsa:2048 \
            -keyout "$KEY_FILE" -out "$CERT_FILE" \
            -days 365 -nodes \
            -subj '/CN=intercept/O=INTERCEPT/C=US' 2>/dev/null
        echo "[INTERCEPT] SSL certificate generated: $CERT_FILE"
    else
        echo "[INTERCEPT] Using existing SSL certificate: $CERT_FILE"
    fi
fi

# ── Detect gunicorn + gevent ─────────────────────────────────────────────────
HAS_GUNICORN=0
HAS_GEVENT=0

if "$PYTHON" -c "import gunicorn" 2>/dev/null; then
    HAS_GUNICORN=1
fi
if "$PYTHON" -c "import gevent" 2>/dev/null; then
    HAS_GEVENT=1
fi

# ── Resolve LAN address for display ──────────────────────────────────────────
if [[ "$HOST" == "0.0.0.0" ]]; then
    LAN_IP=$(hostname -I 2>/dev/null | awk '{print $1}' || true)
    # hostname -I on macOS fails or returns empty — try macOS methods
    if [[ -z "$LAN_IP" ]]; then
        LAN_IP=$(ipconfig getifaddr en0 2>/dev/null || true)
    fi
    if [[ -z "$LAN_IP" ]]; then
        LAN_IP=$(ipconfig getifaddr en1 2>/dev/null || true)
    fi
    if [[ -z "$LAN_IP" ]]; then
        LAN_IP=$(ifconfig 2>/dev/null | grep "inet " | grep -v 127.0.0.1 | head -1 | awk '{print $2}' || true)
    fi
    LAN_IP="${LAN_IP:-localhost}"
else
    LAN_IP="$HOST"
fi
PROTO="http"
[[ "$HTTPS" -eq 1 ]] && PROTO="https"

# ── Start the server ─────────────────────────────────────────────────────────
if [[ "$HAS_GUNICORN" -eq 1 && "$HAS_GEVENT" -eq 1 ]]; then
    echo "[INTERCEPT] Starting production server (gunicorn + gevent)..."
    echo "[INTERCEPT] Listening on ${PROTO}://${LAN_IP}:${PORT}"

    GUNICORN_ARGS=(
        -c "$SCRIPT_DIR/gunicorn.conf.py"
        -k gevent
        -w 1
        --timeout 300
        --graceful-timeout 5
        --worker-connections 1000
        --bind "${HOST}:${PORT}"
        --access-logfile -
        --error-logfile -
    )

    if [[ "$HTTPS" -eq 1 ]]; then
        GUNICORN_ARGS+=(--certfile "$CERT_FILE" --keyfile "$KEY_FILE")
        echo "[INTERCEPT] HTTPS enabled"
    fi

    exec "$PYTHON" -m gunicorn "${GUNICORN_ARGS[@]}" app:app
else
    if [[ "$HAS_GUNICORN" -eq 0 ]]; then
        echo "[INTERCEPT] gunicorn not found — falling back to Flask dev server"
    fi
    if [[ "$HAS_GEVENT" -eq 0 ]]; then
        echo "[INTERCEPT] gevent not found — falling back to Flask dev server"
    fi
    echo "[INTERCEPT] Install with: pip install gunicorn gevent"
    echo ""

    FLASK_ARGS=(--host "$HOST" --port "$PORT")
    if [[ "$HTTPS" -eq 1 ]]; then
        FLASK_ARGS+=(--https)
    fi

    exec "$PYTHON" intercept.py "${FLASK_ARGS[@]}"
fi