some updates

assets/deploy-drupal.sh

@@ -6,6 +6,7 @@ cd ./public_html
 echo ""
 echo "Pulling down latest code."
 git pull --ff-only origin prod
+git submodule update --init --recursive
 echo ""
 echo "Clearing drush caches."
 drush cache-clear drush

assets/drupal-ssl-decoupled.nginxconf

@@ -89,7 +89,7 @@ server {
       #fastcgi_param DOCUMENT_ROOT /var/www/enfrancais.fr/api;
       # fastcgi_buffer_size 16k;
       # fastcgi_buffers 4 16k;
-      fastcgi_pass unix:/run/php/php7.4-fpm.sock;
+      fastcgi_pass unix:/run/php/php8.2-fpm.sock;
     }
 
     location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {

assets/drupal-ssl.nginxconf

@@ -116,7 +116,7 @@ server {
     fastcgi_intercept_errors on;
     # fastcgi_buffer_size 16k;
     # fastcgi_buffers 4 16k;
-    fastcgi_pass unix:/run/php/php7.4-fpm.sock;
+    fastcgi_pass unix:/run/php/php8.1-fpm.sock;
   }
   # Fighting with Styles? This little gem is amazing.
   # location ~ ^/sites/.*/files/imagecache/ { # For Drupal <= 6

assets/drupal.nginxconf

@@ -92,7 +92,7 @@ server {
     fastcgi_intercept_errors on;
     # fastcgi_buffer_size 16k;
     # fastcgi_buffers 4 16k;
-    fastcgi_pass unix:/run/php/php7.4-fpm.sock;
+    fastcgi_pass unix:/run/php/php8.2-fpm.sock;
   }
   # Fighting with Styles? This little gem is amazing.
   # location ~ ^/sites/.*/files/imagecache/ { # For Drupal <= 6

assets/fail2ban/filter.d/nginx-badbots.conf

@@ -1,5 +1,5 @@
 [Definition]
 
-failregex = FastCGI sent in stderr: "Primary script unknown" .*, client: <HOST>
+failregex = FastCGI sent in stderr: "Primary script unknown" .*, client: <HOST>, server: .*
 
 ignoreregex =

assets/nginx-phpmyadmin.conf

@@ -22,7 +22,7 @@ server {
     }
 
     location ~ \.php$ {
-      fastcgi_pass unix:/run/php/php7.4-fpm.sock;
+      fastcgi_pass unix:/run/php/php8.2-fpm.sock;
       fastcgi_index index.php;
       include fastcgi_params;
       fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

assets/simple-phpfpm-ssl.nginxconf

@@ -48,7 +48,7 @@ server {
 
   location ~ \.php$ {
     fastcgi_split_path_info ^(.+\.php)(/.+)$;
-    fastcgi_pass unix:/run/php/php7.4-fpm.sock;
+    fastcgi_pass unix:/run/php/php8.1-fpm.sock;
     fastcgi_index index.php;
     include fastcgi_params;
     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

assets/simple-phpfpm.nginxconf

@@ -24,7 +24,7 @@ server {
 
   location ~ \.php$ {
     fastcgi_split_path_info ^(.+\.php)(/.+)$;
-    fastcgi_pass unix:/run/php/php7.4-fpm.sock;
+    fastcgi_pass unix:/run/php/php8.1-fpm.sock;
     fastcgi_index index.php;
     include fastcgi_params;
     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

assets/webhook-deploy.sh

@@ -1,7 +1,8 @@
 #!/bin/bash
 
 # update bare repos
-git --git-dir=git-repositories/DOMAIN.git fetch origin prod:prod
+echo "Updating bare repos"
+su -c "git --git-dir=git-repositories/DOMAIN.git fetch origin prod:prod" USER
 # deploy prod
 cd www/DOMAIN/
-./deploy.sh
+su -c "./deploy.sh" USER

assets/zabbix/userparameter_linux_name_version.conf

@@ -0,0 +1 @@
+UserParameter=linux.system.name.version,(lsb_release -d > dev/null 2>&1) && lsb_release -d || (cat /etc/centos-release > /dev/null > /dev/null 2>&1 && cat /etc/centos-release || cat /etc/redhat-release)

bin/gitbarrerepos.sh

@@ -111,12 +111,12 @@ if [ "$vh" = "yes" ]; then
   chmod +x post-receive # pre-receive
 
   # setup git repo on site folder
-  cd /home/"$user"/www/"$_domain"/app
+  cd /home/"$user"/www/"$_domain"/public_html
-  git init
+  su -c "git init" $user
   # link to the bare repo
-  git remote add origin /home/"$user"/git-repositories/"$_domain".git
+  su -c "git remote add origin /home/$user/git-repositories/$_domain.git" $user
+  chown -R "$user":"$user" /home/"$user"/www/"$_domain"
 
-  chown -R "$user":"$user" /home/"$user"/www/"$_domain"/app
 
   cd "$_cwd"
   # done

bin/lemp.sh

@@ -36,24 +36,37 @@ echo -e '\033[35m
  / ____/ __  / ____/
 /_/   /_/ /_/_/
 \033[0m'
-echo -e "\033[35;1mInstalling PHP 7.4 \033[0m"
+
+echo -e "\033[35;1mInstalling SURY \033[0m"
 sleep 3
 
+apt-get --yes install ca-certificates apt-transport-https software-properties-common curl lsb-release
+curl -sSL https://packages.sury.org/php/README.txt | bash -x
+apt-get update && apt-get upgrade
+
+echo -e "\033[35;1mInstalling PHP \033[0m"
+sleep 3
+
+
+
 # mv: cannot stat '/etc/php/7.0/fpm/php.ini': No such file or directory
 # cp: cannot create regular file '/etc/php/7.0/fpm/php.ini': No such file or directory
 # Configuring PHP
 # Failed to enable unit: Unit file php7.0-fpm.service does not exist.
 # Failed to start php7.0-fpm.service: Unit php7.0-fpm.service not found.
 
-apt-get --yes install php7.4-fpm php7.4-mysql php7.4-opcache php7.4-curl php7.4-mbstring php7.4-zip php7.4-xml php7.4-gd php-memcached php7.4-imagick php7.4-apcu
+# apt-get --yes install php7.4-fpm php7.4-mysql php7.4-opcache php7.4-curl php7.4-mbstring php7.4-zip php7.4-xml php7.4-gd php-memcached php7.4-imagick php7.4-apcu
 # php7.4-mcrypt  ??
 
-apt-get --yes install php8.1-fpm php8.1-mysql php8.1-opcache php8.1-curl php8.1-mbstring php8.1-zip php8.1-xml php8.1-gd php-memcached php8.1-imagick php8.1-apcu php8.1-redis php8.1-bz2 php8.1-bcmath
+apt-get --yes install php8.1-fpm php8.1-mysql php8.1-opcache php8.1-curl php8.1-mbstring php8.1-zip php8.1-xml php8.1-gd php8.1-memcached php8.1-imagick php8.1-apcu php8.1-redis php8.1-bz2 php8.1-bcmath
 
 # apt-get --yes install php8.2-fpm php8.2-mysql php8.2-opcache php8.2-curl php8.2-mbstring php8.2-zip php8.2-xml php8.2-gd php-memcached php8.2-imagick php8.2-apcu php8.2-redis php8.2-bz2 php8.2-bcmath
 
-mv /etc/php/7.4/fpm/php.ini /etc/php/7.4/fpm/php.ini.back
+# apt-get --yes install php8.3-fpm php8.3-mysql php8.3-opcache php8.3-curl php8.3-mbstring php8.3-zip php8.3-xml php8.3-gd php8.3-memcached php8.3-imagick php8.3-apcu php8.3-redis php8.3-bz2 php8.3-bcmath
-cp "$_assets"/php7.4-fpm.ini /etc/php/7.4/fpm/php.ini
+
+
+mv /etc/php/8.1/fpm/php.ini /etc/php/8.1/fpm/php.ini.back
+cp "$_assets"/php8.1-fpm.ini /etc/php/8.1/fpm/php.ini
 
 echo "Configuring PHP"
 
@@ -61,8 +74,8 @@ mkdir /var/log/php
 chown www-data /var/log/php
 cp "$_assets"/logrotate-php /etc/logrotate.d/php
 
-systemctl enable php7.4-fpm
+systemctl enable php8.1-fpm
-systemctl start php7.4-fpm
+systemctl start php8.1-fpm
 
 # echo "Installing memecached"
 # replaced by redis
@@ -116,6 +129,9 @@ if [ "$installmysql" = "yes" ]; then
 
   cp "$_assets"/mysql/innodb-file-per-table.cnf /etc/mysql/conf.d/
 
+  # you may increase memory
+  # innodb_buffer_pool_size = 1024M
+
   systemctl enable mariadb.service
   systemctl restart mariadb.service
   echo -e "\033[92;1mmysql installed\033[Om"
@@ -172,7 +188,7 @@ echo -e '\033[35m
 \033[0m'
 echo -e "\033[35;1mInstalling Redis \033[0m"
 sleep 3
-apt-get --yes install redis-server php-redis
+apt-get --yes install redis-server php8.1-redis
 
 # TODO set maxmemory=2gb
 # TODO set maxmemory-policy=volatile-lru
@@ -186,7 +202,7 @@ apt-get --yes install redis-server php-redis
 
 systemctl enable redis-server
 systemctl restart redis-server
-systemctl restart php7.4-fpm
+systemctl restart php8.1-fpm
 echo -e "\033[92;1mRedis installed\033[Om"
 
 echo -e '\033[35m
@@ -212,11 +228,9 @@ echo -e '\033[35m
  / /_/ / /  / /_/ (__  ) / / /
 /_____/_/   \__,_/____/_/ /_/
 \033[0m'
-echo -e "\033[35;1mInstalling Drush and DrupalConsole\033[0m"
+echo -e "\033[35;1mInstalling Drush\033[0m"
 sleep 3
-curl https://drupalconsole.com/installer -L -o /usr/local/bin/drupal
-chmod +x /usr/local/bin/drupal
 # curl https://github.com/drush-ops/drush-launcher/releases/download/0.6.0/drush.phar -L -o /usr/local/bin/drush
 wget -O /usr/local/bin/drush https://github.com/drush-ops/drush-launcher/releases/latest/download/drush.phar
 chmod +x /usr/local/bin/drush
-echo -e "\033[92;1mDrush and DrupalConsoleinstalled\033[Om"
+echo -e "\033[92;1mDrush\033[Om"

bin/nfs.sh

@@ -0,0 +1,44 @@
+#!/bin/sh
+
+echo -e '\033[35m
+        __     
+ _ __  / _|___ 
+|  _ \| |_/ __|
+| | | |  _\__ \
+|_| |_|_| |___/
+                
+\033[0m'
+echo -e "\033[35;1mLEMP server (Nginx Mysql Php-fpm) \033[0m"
+
+
+apt install nfs-kernel-server
+vim /etc/exports 
+mkdir /home/proxmox-backup
+mkdir /home/urbackup
+
+ufw allow from 37.187.134.71 to any port nfs
+ufw allow from 37.187.134.71 to any port 111
+ufw allow proto udp from 37.187.134.71 to any port 32764:32769
+ufw allow proto tcp from 37.187.134.71 to any port 32764:32769
+
+ufw allow from 37.187.93.155 to any port nfs
+ufw allow from 37.187.93.155 to any port 111
+ufw allow proto udp from 37.187.93.155 to any port 32764:32769
+ufw allow proto tcp from 37.187.93.155 to any port 32764:32769
+
+ufw allow from 37.187.128.147 to any port nfs
+ufw allow from 37.187.128.147 to any port 111
+ufw allow proto udp from 37.187.128.147 to any port 32764:32769
+ufw allow proto tcp from 37.187.128.147 to any port 32764:32769
+
+
+ufw allow from 94.23.8.104 to any port nfs
+ufw allow from 94.23.8.104 to any port 111
+ufw allow proto udp from 94.23.8.104 to any port 32764:32769
+ufw allow proto tcp from 94.23.8.104 to any port 32764:32769
+
+systemctl restart nfs-server
+systemctl enable nfs-server
+
+vim /etc/ufw/user.rules
+

bin/ssh.sh

@@ -14,8 +14,13 @@ if [ "$EUID" -ne 0 ]; then
   exit
 fi
 
-sed -i 's/PermitRootLogin\ yes/PermitRootLogin no/g' /etc/ssh/sshd_config
+# sed -i 's/PermitRootLogin\ yes/PermitRootLogin no/g' /etc/ssh/sshd_config
-sed -i 's/PermitEmptyPasswords\ yes/PermitEmptyPasswords no/g' /etc/ssh/sshd_config
+# sed -i 's/PermitEmptyPasswords\ yes/PermitEmptyPasswords no/g' /etc/ssh/sshd_config
-sed -i 's/Protocol\ [0-9]/Protocol 2/g' /etc/ssh/sshd_config
+# sed -i 's/Protocol\ [0-9]/Protocol 2/g' /etc/ssh/sshd_config
+
+touch /etc/ssh/sshd_config.d/custom.conf
+echo "PermitRootLogin no" >> /etc/ssh/sshd_config.d/custom.conf
+echo "PermitEmptyPasswords no" >> /etc/ssh/sshd_config.d/custom.conf
+
 systemctl reload ssh
 echo -e "\033[92;1mSSH secured\033[Om"

bin/urbackup.sh

@@ -40,15 +40,16 @@ apt install build-essential "g++" "libcrypto++-dev" libz-dev -y
 # Download the UrBackup client source files and extract them
 # wget -P /tmp/ https://hndl.urbackup.org/Client/latest/urbackup-client-2.3.4.0.tar.gz
 # wget -P /tmp/ https://hndl.urbackup.org/Client/2.4.11/urbackup-client-2.4.11.0.tar.gz
-wget -P /tmp/ https://hndl.urbackup.org/Client/2.5.20/urbackup-client-2.5.20.0.tar.gz
+# wget -P /tmp/ https://hndl.urbackup.org/Client/2.5.20/urbackup-client-2.5.20.0.tar.gz
-
+# wget -P /tmp/ https://hndl.urbackup.org/Client/2.5.20/urbackup-client-2.5.24.0.tar.gz
+wget -P /tmp/ https://hndl.urbackup.org/Client/2.5.25/urbackup-client-2.5.25.0.tar.gz
 cd /tmp
-# tar xzf /tmp/urbackup-client-2.3.4.0.tar.gz
+
-tar xzf /tmp/urbackup-client-2.5.20.0.tar.gz
+tar xzf /tmp/urbackup-client-2.5.25.0.tar.gz
 
 # Build the UrBackup client and install it
 # cd /tmp/urbackup-client-2.3.4.0
-cd /tmp/urbackup-client-2.5.20.0
+cd /tmp/urbackup-client-2.5.25.0
 ./configure --enable-headless
 make -j4
 make install

bin/webhook.sh

@@ -90,10 +90,11 @@ apt-get install webhook
 git --git-dir=/home/"$user"/git-repositories/"$_domain.git" remote add origin "$_remote"
 
 # hook deploy script
-cp -f "$_assets"/webhook-deploy.sh /home/"$user"/webhook_deploy_"$_id".sh
+cp -f "$_assets"/webhook-deploy.sh /home/"$user"/webhook-deploy-"$_id".sh
-sed -i -r "s/DOMAIN/$_domain/g" /home/"$user"/webhook_deploy_"$_id".sh
+sed -i -r "s/DOMAIN/$_domain/g" /home/"$user"/webhook-deploy-"$_id".sh
-chowm $user:$user /home/"$user"/webhook_deploy_"$_id".sh
+sed -i -r "s/USER/$user/g" /home/"$user"/webhook-deploy-"$_id".sh
-chmod +x /home/"$user"/webhook_deploy_"$_id".sh
+chowm $user:$user /home/"$user"/webhook-deploy-"$_id".sh
+chmod +x /home/"$user"/webhook-deploy-"$_id".sh
 
 # remove git bare repos hook
 mv /home/"$user"/git-repositories/"$_domain".git/hooks/post-receive /home/"$user"/git-repositories/"$_domain".git/hooks/post-receive.back
@@ -116,4 +117,6 @@ systemctl restart webhook
 
 ufw allow 9000
 
+echo "webhook done"
+echo "you can configure your webhook trigger with the following url :"
 echo "http://$_domain:9000/hooks/deploy_app_$_id"

bin/zabbix.sh

@@ -26,12 +26,9 @@ if [ ! -d "$_assets" ]; then
   fi
 fi
 
-# not necessary anymore zabbix-agent 4 is in apt
-# https://packages.debian.org/fr/buster/zabbix-agent
-# TODO downgrade zabbix-agent to 3.4
 
-wget -P /tmp/ http://repo.zabbix.com/zabbix/3.4/debian/pool/main/z/zabbix-release/zabbix-release_3.4-1+stretch_all.deb
+wget -P /tmp/ wget https://repo.zabbix.com/zabbix/6.4/debian/pool/main/z/zabbix-release/zabbix-release_6.4-1+debian12_all.deb
-dpkg -i /tmp/zabbix-release_3.4-1+stretch_all.deb
+dpkg -i /tmp/zabbix-release_6.4-1+debian12_all.deb
 
 apt-get update -y
 
@@ -44,8 +41,6 @@ echo -n "Please provide the zabbix-server's ip : "
 read _ip
 echo -n "Please provide the hostname of this agent : "
 read _host_name
-echo -n "Please provide the mysql root password : "
-read _root_mysql_passwd
 
 _agent_conf_d="/etc/zabbix/zabbix_agentd.d" # for debian 8
 if [ ! -d "$_agent_conf_d" ]; then
@@ -57,6 +52,10 @@ sed -i "s#Server=127.0.0.1#Server=$_ip#g" /etc/zabbix/zabbix_agentd.conf
 sed -i "s#ServerActive=127.0.0.1#ServerActive=$_ip#g" /etc/zabbix/zabbix_agentd.conf
 sed -i "s#Hostname=Zabbix server#Hostname=$_host_name#g" /etc/zabbix/zabbix_agentd.conf
 
+
+# todo ask if LXC container, if yes install this script
+# https://github.com/kvaps/zabbix-linux-container-template
+
 # APT
 # check for debian security updates
 # not working : https://www.osso.nl/blog/zabbix-counting-security-updates
@@ -68,27 +67,44 @@ cp "$_assets"/zabbix/apt.conf "$_agent_conf_d"/
 # MYSQL
 # https://serverfault.com/questions/737018/zabbix-user-parameter-mysql-status-setting-home
 # create zabbix user home
-mkdir /var/lib/zabbix
+
-# generate random password for zabbix mysql user
+echo -n "monitor mysql? [Y|n] "
-_passwd="$(< /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c12)"
+read yn
-# add mysql credentials to zabbix home
+yn=${yn:-y}
-printf "[client]\n
+if [ "$yn" = "Y" ] || [ "$yn" = "y" ]; then
-user=zabbix\n
+  echo -n "Please provide the mysql root password : "
-password=$_passwd" > /var/lib/zabbix/.my.cnf
+  read _root_mysql_passwd
-# create zabbix mysql user
+
-mysql -uroot -p"$_root_mysql_passwd" -e "CREATE USER 'zabbix' IDENTIFIED BY '$_passwd';"
+  mkdir /var/lib/zabbix
-mysql -uroot -p"$_root_mysql_passwd" -e "GRANT USAGE ON *.* TO 'zabbix'@'localhost' IDENTIFIED BY '$_passwd';"
+  # generate random password for zabbix mysql user
-# add zabbix-agent parameter
+  _passwd="$(< /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c12)"
-cp "$_assets"/zabbix/userparameter_mysql.conf "$_agent_conf_d"/
+  # add mysql credentials to zabbix home
+  printf "[client]\n
+  user=zabbix\n
+  password=$_passwd" > /var/lib/zabbix/.my.cnf
+  # create zabbix mysql user
+  mysql -uroot -p"$_root_mysql_passwd" -e "CREATE USER 'zabbix' IDENTIFIED BY '$_passwd';"
+  mysql -uroot -p"$_root_mysql_passwd" -e "GRANT USAGE ON *.* TO 'zabbix'@'localhost' IDENTIFIED BY '$_passwd';"
+  # add zabbix-agent parameter
+  cp "$_assets"/zabbix/userparameter_mysql.conf "$_agent_conf_d"/
+fi
+
 
 # NGINX
 # https://github.com/sfuerte/zbx-nginx
 # nginxconf already included in default.nginxconf asset
-sed -i "s/# allow CURRENT-SERVER-IP/allow $_cur_ip/g" /etc/nginx/sites-available/default
+
-cp "$_assets"/zabbix/userparameter_nginx.conf "$_agent_conf_d"/
+echo -n "Monitor nginx? [Y|n] "
-mkdir /etc/zabbix/zabbix_agentd.scripts
+read yn
-cp "$_assets"/zabbix/scripts/nginx-stat.py /etc/zabbix/zabbix_agentd.scripts/
+yn=${yn:-y}
-chmod +x /etc/zabbix/zabbix_agentd.scripts/nginx-stat.py
+if [ "$yn" = "Y" ] || [ "$yn" = "y" ]; then
+  sed -i "s/# allow CURRENT-SERVER-IP/allow $_cur_ip/g" /etc/nginx/sites-available/default
+  cp "$_assets"/zabbix/userparameter_nginx.conf "$_agent_conf_d"/
+  mkdir /etc/zabbix/zabbix_agentd.scripts
+  cp "$_assets"/zabbix/scripts/nginx-stat.py /etc/zabbix/zabbix_agentd.scripts/
+  chmod +x /etc/zabbix/zabbix_agentd.scripts/nginx-stat.py
+fi
+
 
 echo -n "This is box is a proxmox CT? [Y|n] "
 read yn
@@ -100,6 +116,8 @@ fi
 # SYSTEMD
 # https://github.com/MogiePete/zabbix-systemd-service-monitoring
 cp "$_assets"/zabbix/userparameter_systemd_services.conf "$_agent_conf_d"/
+# https://www.zabbix.com/forum/zabbix-cookbook/23024-monitor-the-version-of-centos-debian-ubuntu?p=386466#post386466
+cp "$_assets"/zabbix/userparameter_linux_name_version.conf "$_agent_conf_d"/
 
 # disble unused system units
 systemctl disable rsync

raw.githubusercontent.com_kvaps_zabbix-linux-container-template_master_zabbix_container.conf.txt

@@ -0,0 +1,4 @@
+UserParameter=ct.memory.size[*],free -b | awk 'NR==2 {total=$ 2; used=($ 3+$ 5); pused=(($ 3+$ 5)*100/$ 2); free=$ 4; pfree=($ 4*100/$ 2); shared=$ 5; buffers=$ 6; cached=$ 6; available=$ 7; pavailable=($ 7*100/$ 2); if("$1" == "") {printf("%.0f", total )} else {printf("%.0f", $1 "" )} }'
+UserParameter=ct.swap.size[*],free -b | awk 'NR==3 {total=$ 2; used=$ 3; free=$ 4; pfree=($ 4*100/$ 2); pused=($ 3*100/$ 2); if("$1" == "") {printf("%.0f", free )} else {printf("%.0f", $1 "" )} }'
+UserParameter=ct.cpu.load[*],cut -d" " -f1-3 /proc/loadavg | awk -F'[, ]+' '{avg1=$(NF-2); avg5=$(NF-1); avg15=$(NF)}{print $2/'$(nproc)'}'
+UserParameter=ct.uptime,cut -d"." -f1 /proc/uptime

readme.md

@@ -1,4 +1,4 @@
-# Install LEMP web server and secure it on debian 10
+# Install LEMP web server and secure it on debian 12
 
 Fail2ban, Ufw, Proftpd, Knockd, Nginx, Mariadb, php7.0-fpm, redis, vhosts, git barre repos, zabbix-agent, dotfiles and more
 
@@ -32,6 +32,23 @@ chmod a+x install.sh
 
 ```
 
+5 steps
+
+* misc.sh
+* dotfliles.sh
+* user.sh
+* ssh.sh
+* firewall.sh
+* fail2ban.sh
+* email.sh
+* lemp.sh
+* mysqlbackup.sh
+* vhost.sh
+* gitbarrerepos.sh
+* webhook.sh
+* urbackup.sh
+* zabbix.sh
+* 
 
 ## ref
 http://www.debian.org/doc/manuals/securing-debian-howto/