88 Commits

Author SHA1 Message Date
caf3d0e1f7 todo on knockd 2019-10-21 15:05:42 +02:00
84691bb6d5 fix fail2ban 2019-06-12 15:24:07 +02:00
934874b297 changed nginx X-Frame-Option to SAMEORIGIN 2019-04-29 13:07:14 +02:00
b252c8c755 fixed sed bug" 2019-03-18 11:59:06 +01:00
3eb1a34c19 zabbix disabling rsync & timesyncd systemd units 2019-01-23 13:14:18 +01:00
ad10f722ea changed rolling time in mysqlbackups 2019-01-23 13:13:28 +01:00
d8fe6562ae konckd allowing ssh without ip restriction as it would not work with 4g connection 2019-01-23 13:12:25 +01:00
1eaabe41cd using find's -delete option, it's safer 2019-01-22 12:56:03 +01:00
0842f3f99e removed folder compression, added rotation to mysqlbackups 2019-01-22 12:53:27 +01:00
97ee1ffbb9 compressing the mysql backup folders 2019-01-22 12:43:37 +01:00
1df4d6a72f added zabbix systemd units template 2019-01-22 12:42:54 +01:00
f3e16903fe added unzip to misc 2019-01-21 16:16:47 +01:00
e79ca699cb changed knockd timeout, added php7.0-imagick to lemp 2019-01-21 16:15:55 +01:00
db2fcd1f6d updated urbackup client, added systemd monitoring 2019-01-21 16:14:09 +01:00
69ca0e3f9a added lynx to misc 2018-10-29 16:38:18 +01:00
10f038f0dc fixed zabbix nginx status install 2018-10-29 16:38:01 +01:00
3bc0ee06ee applyed patch to knockd to be enableable
patch https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=868015
2018-10-29 16:12:09 +01:00
adfe0d6232 added htop on misc 2018-10-29 15:47:27 +01:00
962017a84d redis install was not restarting php7-fpm 2018-10-29 15:47:03 +01:00
b9d8d77d3a misc 2018-10-29 15:20:43 +01:00
6d41024a76 better mysql config 2018-10-29 13:26:53 +01:00
01384e7918 vhost minor improvement and todo 2018-10-17 17:10:53 +02:00
3b81d81d6e fixed dkim install 2018-10-17 16:11:56 +02:00
84f6ca754b fixed knockd finale sequence display 2018-10-17 15:23:31 +02:00
fff73f9e3d added urbackup and some todos 2018-10-16 15:34:15 +02:00
4d7fa59a86 added .sql to mysql dumps file name 2018-05-02 12:04:14 +02:00
c76b459ab5 urbackup client more settings 2018-04-29 17:15:04 +02:00
f0c24709bc added urbackup client settings 2018-04-29 16:09:01 +02:00
3b63e963d4 fix urbackup.service install 2018-04-29 12:28:06 +02:00
7917ae08fd fix urbackup ascii art 2018-04-29 12:14:03 +02:00
03d9c1b1a9 fixed readme clone url 2018-04-29 12:11:01 +02:00
5396130b53 fix mysql backups permissions 2018-04-29 12:06:16 +02:00
bceb779027 fix crontab on mysqlbackup install script 2018-04-28 23:56:30 +02:00
0b82941536 fix crontab on mysqlbackup install script 2018-04-28 23:50:43 +02:00
4f329ef7c3 fix mysqlbackup install script 2018-04-28 23:47:44 +02:00
017d7fb449 chmod +x bin/* 2018-04-28 23:46:29 +02:00
bcf907e834 completed mysqlbackup install script 2018-04-28 23:45:36 +02:00
0b0b23d1b4 added mysqlbackup install script 2018-04-28 23:42:37 +02:00
69e53da217 created mysqlbackup.sh 2018-04-28 23:33:07 +02:00
0ed87e11ee urbackup client install functional 2018-04-28 23:19:51 +02:00
875027f99b minor fix on urbackup.sh 2018-04-28 22:43:02 +02:00
77b0a828f9 minor fix on urbackup.sh 2018-04-28 22:40:05 +02:00
3736ad1e06 fix urbackup.service file name 2018-04-28 22:37:37 +02:00
4718725c87 started urbackup headless client install script 2018-04-28 22:36:29 +02:00
3b75438c05 fixed knocd.conf, added etckeeper to misc 2018-04-28 15:15:53 +02:00
ec941fac00 fixed wrong letsencrypt certifcate replaced cert.pem by fullchain.pem 2018-04-18 00:59:31 +02:00
43d32c7d86 zabbix-agent install bug fix 2018-04-16 16:43:26 +02:00
0d8fa7f928 zabbix-agent install bug fix 2018-04-16 16:40:51 +02:00
9b547bb892 zabbix-agent install bug fix 2018-04-16 16:39:32 +02:00
e60dd9a202 added proxmox-ct.conf zabbix agent conf 2018-04-16 16:36:43 +02:00
a278a28042 fixed zabbix install 2018-04-16 16:31:10 +02:00
3153ec19c1 renamed main script 2018-04-10 21:27:12 +02:00
559feac68f updated readme 2018-04-10 21:26:39 +02:00
367f7c816a updated readme 2018-04-10 21:26:16 +02:00
735faaac3d added zabbix-agent install 2018-04-10 21:16:15 +02:00
3f5967b5bb added a script to generate passwords 2018-04-10 21:14:40 +02:00
a7fa31962e zabbix fix 2018-04-08 00:30:51 +02:00
75e9dfb382 zabbix repo download to tmp 2018-04-08 00:29:38 +02:00
3bdf7743be chmod +x zabbix 2018-04-08 00:24:29 +02:00
30f38a09a1 added zabbix agent install, some fix 2018-04-08 00:22:44 +02:00
2a1187aa50 gitbarrerepo.sh fix 2018-04-07 17:27:50 +02:00
930616c71d gitbarrerepo.sh fix 2018-04-07 17:18:51 +02:00
3c238f0e4d imporved gitbarrerpo.sh 2018-04-07 17:09:27 +02:00
a587dc0847 some fix 2018-04-07 16:44:29 +02:00
540d964935 fixed assets path every where 2018-04-07 16:13:19 +02:00
0be97f397c added default index.php 2018-04-07 16:06:11 +02:00
29c8d50b53 stop nginx at the begin of vhost install 2018-04-07 13:30:19 +02:00
e3263e9c61 vhost fixe 2018-04-07 13:20:16 +02:00
414c063a7c fixed vhost assets directory bug 2018-04-07 13:10:59 +02:00
9b8670f4e4 added some color fixes, not finished 2018-04-07 12:59:00 +02:00
21a121918e chmod +x vhost.sh 2018-04-07 12:50:12 +02:00
c5a8b8b87b check for user in vhost and user creation 2018-04-07 12:47:24 +02:00
6e5433b041 splitted vhost, added gitbarerepo creation 2018-04-07 12:27:55 +02:00
e15e231cc5 chmod +x bin/* 2018-04-07 11:34:55 +02:00
c1eefcd6fc added root check and needrestart check 2018-04-07 11:23:02 +02:00
0e81a4ab11 splitted in subscripts, cleaned 2018-04-07 11:15:09 +02:00
9677df40ab letsencrypt install + ssl nginx conf vhost 2018-04-06 19:15:20 +02:00
10738b8897 activated php-fpm for default nginx conf 2018-04-06 11:28:48 +02:00
ba3a8af7c3 added default nginx conf and php-fpm.ini 2018-04-06 11:13:34 +02:00
12b96c64ba cleaning 2018-04-06 11:09:48 +02:00
8f21321eaf added nginx-phpmyadmin.conf 2018-04-06 10:51:11 +02:00
e1a7b811e2 added drupal nginx conf 2018-04-06 09:35:20 +02:00
a927903f81 bug fix 2018-04-05 23:28:32 +02:00
5a54256c5a added nginx conf and vhost generation 2018-04-05 23:11:15 +02:00
62493b59db knockd is working 2018-04-05 19:38:21 +02:00
6d5d610189 fixed knockd 2018-04-05 19:31:53 +02:00
ae1cc72a2b added --yes --force-yes to all apt-get install 2018-04-05 18:53:43 +02:00
0fc667d9cc started to refactoring for LEMP + redis 2018-04-05 18:47:02 +02:00
54 changed files with 7570 additions and 1036 deletions


@ -1,19 +0,0 @@
# conf added by custom lamp install script
max_execution_time = 60
max_input_time = 60
memory_limit = 512M
error_reporting = E_COMPILE_ERROR|E_RECOVERABLE_ERROR|E_ERROR|E_CORE_ERROR
display_errors = Off
log_errors = On
error_log = /var/log/php/php_errors.log
# security
allow_url_include = Off
allow_url_fopen = Off
session.use_only_cookies = 1
session.cookie_httponly = 1
expose_php = Off
display_errors = Off
register_globals = Off
disable_functions = shell_exec, escapeshellarg, escapeshellcmd, passthru, proc_close, proc_get_status, proc_nice, proc_open,proc_terminate


@ -1,277 +0,0 @@
# This is the main Apache server configuration file. It contains the
# configuration directives that give the server its instructions.
# See http://httpd.apache.org/docs/2.2/ for detailed information about
# the directives and /usr/share/doc/apache2-common/README.Debian.gz about
# Debian specific hints.
#
#
# Summary of how the Apache 2 configuration works in Debian:
# The Apache 2 web server configuration in Debian is quite different to
# upstream's suggested way to configure the web server. This is because Debian's
# default Apache2 installation attempts to make adding and removing modules,
# virtual hosts, and extra configuration directives as flexible as possible, in
# order to make automating the changes and administering the server as easy as
# possible.
# It is split into several files forming the configuration hierarchy outlined
# below, all located in the /etc/apache2/ directory:
#
# /etc/apache2/
# |-- apache2.conf
# | `-- ports.conf
# |-- mods-enabled
# | |-- *.load
# | `-- *.conf
# |-- conf.d
# | `-- *
# `-- sites-enabled
# `-- *
#
#
# * apache2.conf is the main configuration file (this file). It puts the pieces
# together by including all remaining configuration files when starting up the
# web server.
#
# In order to avoid conflicts with backup files, the Include directive is
# adapted to ignore files that:
# - do not begin with a letter or number
# - contain a character that is neither letter nor number nor _-:.
# - contain .dpkg
#
# Yet we strongly suggest that all configuration files either end with a
# .conf or .load suffix in the file name. The next Debian release will
# ignore files not ending with .conf (or .load for mods-enabled).
#
# * ports.conf is always included from the main configuration file. It is
# supposed to determine listening ports for incoming connections, and which
# of these ports are used for name based virtual hosts.
#
# * Configuration files in the mods-enabled/ and sites-enabled/ directories
# contain particular configuration snippets which manage modules or virtual
# host configurations, respectively.
#
# They are activated by symlinking available configuration files from their
# respective *-available/ counterparts. These should be managed by using our
# helpers a2enmod/a2dismod, a2ensite/a2dissite. See
# their respective man pages for detailed information.
#
# * Configuration files in the conf.d directory are either provided by other
# packages or may be added by the local administrator. Local additions
# should start with local- or end with .local.conf to avoid name clashes. All
# files in conf.d are considered (excluding the exceptions noted above) by
# the Apache 2 web server.
#
# * The binary is called apache2. Due to the use of environment variables, in
# the default configuration, apache2 needs to be started/stopped with
# /etc/init.d/apache2 or apache2ctl. Calling /usr/bin/apache2 directly will not
# work with the default configuration.
# Global configuration
#
#
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
# NOTE! If you intend to place this on an NFS (or otherwise network)
# mounted filesystem then please read the LockFile documentation (available
# at <URL:http://httpd.apache.org/docs/2.2/mod/mpm_common.html#lockfile>);
# you will save yourself a lot of trouble.
#
# Do NOT add a slash at the end of the directory path.
#
#ServerRoot "/etc/apache2"
#
# The accept serialization lock file MUST BE STORED ON A LOCAL DISK.
#
LockFile ${APACHE_LOCK_DIR}/accept.lock
#
# PidFile: The file in which the server should record its process
# identification number when it starts.
# This needs to be set in /etc/apache2/envvars
#
PidFile ${APACHE_PID_FILE}
#
# Timeout: The number of seconds before receives and sends time out.
#
Timeout 300
#
# KeepAlive: Whether or not to allow persistent connections (more than
# one request per connection). Set to "Off" to deactivate.
#
KeepAlive On
#
# MaxKeepAliveRequests: The maximum number of requests to allow
# during a persistent connection. Set to 0 to allow an unlimited amount.
# We recommend you leave this number high, for maximum performance.
#
MaxKeepAliveRequests 100
#
# KeepAliveTimeout: Number of seconds to wait for the next request from the
# same client on the same connection.
#
KeepAliveTimeout 5
##
## Server-Pool Size Regulation (MPM specific)
##
# prefork MPM
# StartServers: number of server processes to start
# MinSpareServers: minimum number of server processes which are kept spare
# MaxSpareServers: maximum number of server processes which are kept spare
# MaxClients: maximum number of server processes allowed to start
# MaxRequestsPerChild: maximum number of requests a server process serves
<IfModule mpm_prefork_module>
StartServers 5
MinSpareServers 5
MaxSpareServers 10
MaxClients 150
MaxRequestsPerChild 0
</IfModule>
# worker MPM
# StartServers: initial number of server processes to start
# MinSpareThreads: minimum number of worker threads which are kept spare
# MaxSpareThreads: maximum number of worker threads which are kept spare
# ThreadLimit: ThreadsPerChild can be changed to this maximum value during a
# graceful restart. ThreadLimit can only be changed by stopping
# and starting Apache.
# ThreadsPerChild: constant number of worker threads in each server process
# MaxClients: maximum number of simultaneous client connections
# MaxRequestsPerChild: maximum number of requests a server process serves
<IfModule mpm_worker_module>
StartServers 2
MinSpareThreads 25
MaxSpareThreads 75
ThreadLimit 64
ThreadsPerChild 25
MaxClients 150
MaxRequestsPerChild 0
</IfModule>
# event MPM
# StartServers: initial number of server processes to start
# MinSpareThreads: minimum number of worker threads which are kept spare
# MaxSpareThreads: maximum number of worker threads which are kept spare
# ThreadsPerChild: constant number of worker threads in each server process
# MaxClients: maximum number of simultaneous client connections
# MaxRequestsPerChild: maximum number of requests a server process serves
<IfModule mpm_event_module>
StartServers 1
MinSpareThreads 2
MaxSpareThreads 5
ThreadLimit 20
ThreadsPerChild 20
MaxClients 60
MaxRequestsPerChild 5000
</IfModule>
# These need to be set in /etc/apache2/envvars
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}
#
# AccessFileName: The name of the file to look for in each directory
# for additional configuration directives. See also the AllowOverride
# directive.
#
AccessFileName .htaccess
#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<Files ~ "^\.ht">
Order allow,deny
Deny from all
Satisfy all
</Files>
# TuxLite. Better to put this block here compared to Debian's default
<Directory />
Options -Indexes FollowSymLinks
AllowOverride All
Order allow,deny
allow from all
</Directory>
#
# DefaultType is the default MIME type the server will use for a document
# if it cannot otherwise determine one, such as from filename extensions.
# If your server contains mostly text or HTML documents, "text/plain" is
# a good value. If most of your content is binary, such as applications
# or images, you may want to use "application/octet-stream" instead to
# keep browsers from trying to display binary files as though they are
# text.
#
# It is also possible to omit any default MIME type and let the
# client's browser guess an appropriate action instead. Typically the
# browser will decide based on the file's extension then. In cases
# where no good assumption can be made, letting the default MIME type
# unset is suggested instead of forcing the browser to accept
# incorrect metadata.
#
DefaultType None
#
# HostnameLookups: Log the names of clients or just their IP addresses
# e.g., www.apache.org (on) or 204.62.129.132 (off).
# The default is off because it'd be overall better for the net if people
# had to knowingly turn this feature on, since enabling it means that
# each client request will result in AT LEAST one lookup request to the
# nameserver.
#
HostnameLookups Off
# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
# container, error messages relating to that virtual host will be
# logged here. If you *do* define an error logfile for a <VirtualHost>
# container, that host's errors will be logged there and not here.
#
ErrorLog ${APACHE_LOG_DIR}/error.log
#
# LogLevel: Control the number of messages logged to the error_log.
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
#
LogLevel warn
# Include module configuration:
Include mods-enabled/*.load
Include mods-enabled/*.conf
# Include list of ports to listen on and which to use for name based vhosts
Include ports.conf
#
# The following directives define some format nicknames for use with
# a CustomLog directive (see below).
# If you are behind a reverse proxy, you might want to change %h into %{X-Forwarded-For}i
#
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
# Include of directories ignores editors' and dpkg's backup files,
# see the comments above for details.
# Include generic snippets of statements
Include conf.d/
# Include the virtual host configurations:
Include sites-enabled/

106
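--- a/assets/default.nginxconf
+++ b/assets/default.nginxconf
@@ -0,0 +1,106 @@
+##
+# You should look at the following URL's in order to grasp a solid understanding
+# of Nginx configuration files in order to fully unleash the power of Nginx.
+# https://www.nginx.com/resources/wiki/start/
+# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
+# https://wiki.debian.org/Nginx/DirectoryStructure
+#
+# In most cases, administrators will remove this file from sites-enabled/ and
+# leave it as reference inside of sites-available where it will continue to be
+# updated by the nginx packaging team.
+#
+# This file will automatically load configuration files provided by other
+# applications, such as Drupal or Wordpress. These applications will be made
+# available underneath a path with that package name, such as /drupal8.
+#
+# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
+##
+# Default server configuration
+#
+server {
+listen 80 default_server;
+listen [::]:80 default_server;
+# SSL configuration
+#
+# listen 443 ssl default_server;
+# listen [::]:443 ssl default_server;
+#
+# Note: You should disable gzip for SSL traffic.
+# See: https://bugs.debian.org/773332
+#
+# Read up on ssl_ciphers to ensure a secure configuration.
+# See: https://bugs.debian.org/765782
+#
+# Self signed certs generated by the ssl-cert package
+# Don't use them in a production server!
+#
+# include snippets/snakeoil.conf;
+root /var/www/html;
+# Add index.php to the list if you are using PHP
+index index.html index.htm index.nginx-debian.html index.php;
+server_name _;
+location / {
+# First attempt to serve request as file, then
+# as directory, then fall back to displaying a 404.
+try_files $uri $uri/ =404;
+}
+# pass PHP scripts to FastCGI server
+location ~ \.php$ {
+fastcgi_pass unix:/run/php/php7.0-fpm.sock;
+fastcgi_index index.php;
+include fastcgi_params;
+fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+}
+# deny access to .htaccess files, if Apache's document root
+# concurs with nginx's one
+location ~ /\.ht {
+deny all;
+}
+## Images and static content is treated different
+location ~* ^.+.(jpg|jpeg|gif|css|png|js|ico|xml)$ {
+access_log off;
+expires max;
+}
+location ~ /(libraries|setup/frames|setup/libs) {
+deny all;
+return 404;
+}
+location /nginx_status {
+stub_status on;
+access_log off;
+allow 127.0.0.1;
+# allow CURRENT-SERVER-IP;
+deny all;
+}
+}
+# Virtual Host configuration for example.com
+#
+# You can move that to a different file under sites-available/ and symlink that
+# to sites-enabled/ to enable it.
+#
+#server {
+# listen 80;
+# listen [::]:80;
+#
+# server_name example.com;
+#
+# root /var/www/example.com;
+# index index.html;
+#
+# location / {
+# try_files $uri $uri/ =404;
+# }
+#}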
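Review bot: The `location ~ \.php$` block hands every URI ending in `.php` to php-fpm without first checking that the script exists on disk, so nginx never answers 404 for a missing script and relies entirely on php-fpm's own checks (`cgi.fix_pathinfo`, `security.limit_extensions`) to refuse odd paths. Adding `try_files $uri =404;` as the first directive of that location keeps the decision in nginx; the same fastcgi block without an existence check appears in the two plain PHP vhost templates (the SSL and non-SSL `server` blocks near the end of the page). Separately, the static-asset regex `^.+.(jpg|jpeg|gif|css|png|js|ico|xml)$` has an unescaped dot, so it also matches names such as `fooxml`; it should read `^.+\.(jpg|jpeg|gif|css|png|js|ico|xml)$`.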

25
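--- a/assets/deploy-drupal.sh
+++ b/assets/deploy-drupal.sh
@@ -0,0 +1,25 @@
+#!/bin/bash
+echo "updating drupal 8"
+echo "Switching to project docroot."
+cd ./public_html
+echo ""
+echo "Pulling down latest code."
+git pull --ff-only origin prod
+echo ""
+echo "Clearing drush caches."
+drush cache-clear drush
+echo ""
+echo "Composer install."
+composer install --no-dev
+echo ""
+echo "Running database updates."
+drush updb -y
+echo ""
+echo "Importing configuration."
+drush config-import -y
+echo ""
+echo "Clearing caches."
+drush cr
+echo ""
+echo "Deployment complete."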
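Review bot: `cd ./public_html` is not checked, so if the directory is missing or the hook runs from an unexpected working directory, `git pull`, `composer install` and the `drush` steps all execute in whatever directory the script happened to start in, and the script still prints "Deployment complete." Change it to `cd ./public_html || exit 1` and add `set -euo pipefail` after the shebang so a failed `git pull` or `drush updb` stops the run instead of letting the next step act on a half-updated tree. The same unchecked `cd` and missing strict mode are in `assets/deploy-simple.sh` below.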

10
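--- a/assets/deploy-simple.sh
+++ b/assets/deploy-simple.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+echo "updating"
+echo "Switching to project docroot."
+cd ./public_html
+echo ""
+echo "Pulling down latest code."
+git pull --ff-only origin prod
+echo ""
+echo "Deployment complete."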

140
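--- a/assets/drupal-ssl.nginxconf
+++ b/assets/drupal-ssl.nginxconf
@@ -0,0 +1,140 @@
+# https://www.nginx.com/resources/wiki/start/topics/recipes/drupal/
+# https://www.howtoforge.com/tutorial/install-letsencrypt-and-secure-nginx-in-debian-9/
+server {
+listen 80;
+server_name DOMAIN.LTD;
+return 301 https://$server_name$request_uri;
+}
+server {
+listen 443 ssl;
+listen [::]:443 ssl;
+server_name DOMAIN.LTD;
+root /var/www/DOMAIN.LTD/public_html;
+#SSL Certificates
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_certificate "/etc/letsencrypt/live/DOMAIN.LTD/fullchain.pem";
+ssl_certificate_key "/etc/letsencrypt/live/DOMAIN.LTD/privkey.pem";
+ssl_dhparam /etc/nginx/ssl/certs/DOMAIN.LTD/dhparam.pem;
+ssl_session_cache shared:SSL:1m;
+ssl_session_timeout 10m;
+ssl_ciphers HIGH:!aNULL:!MD5;
+#ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
+ssl_prefer_server_ciphers on;
+add_header Strict-Transport-Security "max-age=31536000;
+#includeSubDomains" always;
+charset utf-8;
+location = /favicon.ico {
+access_log off;
+log_not_found off;
+}
+location = /robots.txt {
+allow all;
+access_log off;
+log_not_found off;
+}
+location ~ \..*/.*\.php$ {
+return 403;
+}
+location ~ ^/sites/.*/private/ {
+return 403;
+}
+# Block access to scripts in site files directory
+location ~ ^/sites/[^/]+/files/.*\.php$ {
+deny all;
+}
+# Allow "Well-Known URIs" as per RFC 5785
+location ~* ^/.well-known/ {
+allow all;
+}
+# Block access to "hidden" files and directories whose names begin with a
+# period. This includes directories used by version control systems such
+# as Subversion or Git to store control files.
+location ~ (^|/)\. {
+return 403;
+}
+location / {
+# try_files $uri @rewrite; # For Drupal <= 6
+try_files $uri /index.php?$query_string; # For Drupal >= 7
+}
+location @rewrite {
+rewrite ^/(.*)$ /index.php?q=$1;
+}
+# Don't allow direct access to PHP files in the vendor directory.
+location ~ /vendor/.*\.php$ {
+deny all;
+return 404;
+}
+location ~ /\.ht {
+deny all;
+}
+access_log on;
+error_log /var/www/DOMAIN.LTD/log/error.log;
+sendfile off;
+client_max_body_size 100m;
+# In Drupal 8, we must also match new paths where the '.php' appears in
+# the middle, such as update.php/selection. The rule we use is strict,
+# and only allows this pattern with the update.php front controller.
+# This allows legacy path aliases in the form of
+# blog/index.php/legacy-path to continue to route to Drupal nodes. If
+# you do not have any paths like that, then you might prefer to use a
+# laxer rule, such as:
+# location ~ \.php(/|$) {
+# The laxer rule will continue to work if Drupal uses this new URL
+# pattern with front controllers other than update.php in a future
+# release.
+location ~ '\.php$|^/update.php' {
+# fastcgi_split_path_info ^(.+\.php)(/.+)$;
+fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+include fastcgi_params;
+# Block httpoxy attacks. See https://httpoxy.org/.
+fastcgi_param HTTP_PROXY "";
+fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+fastcgi_param PATH_INFO $fastcgi_path_info;
+fastcgi_param QUERY_STRING $query_string;
+fastcgi_intercept_errors on;
+# fastcgi_buffer_size 16k;
+# fastcgi_buffers 4 16k;
+fastcgi_pass unix:/run/php/php7.0-fpm.sock;
+}
+# Fighting with Styles? This little gem is amazing.
+# location ~ ^/sites/.*/files/imagecache/ { # For Drupal <= 6
+location ~ ^/sites/.*/files/styles/ { # For Drupal >= 7
+try_files $uri @rewrite;
+}
+# Handle private files through Drupal. Private file's path can come
+# with a language prefix.
+location ~ ^(/[a-z\-]+)?/system/files/ { # For Drupal >= 7
+try_files $uri /index.php?$query_string;
+}
+location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
+try_files $uri @rewrite;
+expires max;
+log_not_found off;
+}
+# website should not be displayed inside a <frame>, an <iframe> or an <object>
+add_header X-Frame-Options SAMEORIGIN;
+}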
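Review bot: The HSTS directive is broken: the quoted value opens on `add_header Strict-Transport-Security "max-age=31536000;` and only closes on the next line `#includeSubDomains" always;`, and nginx reads a quoted string literally across the line break, so the `#` does not start a comment and the emitted header value carries a newline and the text `#includeSubDomains` (or nginx refuses the value) — either way the policy is not what was intended. Write it as `add_header Strict-Transport-Security "max-age=31536000" always;` and keep the variant with `includeSubDomains` on a fully commented line of its own; the same split string is in the plain PHP SSL vhost template near the end of the page. While here, `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` still offers TLS 1.0 and 1.1, which are deprecated; `ssl_protocols TLSv1.2;` is the safer default for a template that already restricts ciphers to `HIGH:!aNULL:!MD5`.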

117
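--- a/assets/drupal.nginxconf
+++ b/assets/drupal.nginxconf
@@ -0,0 +1,117 @@
+# https://www.nginx.com/resources/wiki/start/topics/recipes/drupal/
+server {
+listen 80;
+server_name DOMAIN.LTD;
+root /var/www/DOMAIN.LTD/public_html;
+charset utf-8;
+location = /favicon.ico {
+access_log off;
+log_not_found off;
+}
+location = /robots.txt {
+allow all;
+access_log off;
+log_not_found off;
+}
+location ~ \..*/.*\.php$ {
+return 403;
+}
+location ~ ^/sites/.*/private/ {
+return 403;
+}
+# Block access to scripts in site files directory
+location ~ ^/sites/[^/]+/files/.*\.php$ {
+deny all;
+}
+# Allow "Well-Known URIs" as per RFC 5785
+location ~* ^/.well-known/ {
+allow all;
+}
+# Block access to "hidden" files and directories whose names begin with a
+# period. This includes directories used by version control systems such
+# as Subversion or Git to store control files.
+location ~ (^|/)\. {
+return 403;
+}
+location / {
+# try_files $uri @rewrite; # For Drupal <= 6
+try_files $uri /index.php?$query_string; # For Drupal >= 7
+}
+location @rewrite {
+rewrite ^/(.*)$ /index.php?q=$1;
+}
+# Don't allow direct access to PHP files in the vendor directory.
+location ~ /vendor/.*\.php$ {
+deny all;
+return 404;
+}
+location ~ /\.ht {
+deny all;
+}
+access_log on;
+error_log /var/www/DOMAIN.LTD/log/error.log;
+sendfile off;
+client_max_body_size 100m;
+# In Drupal 8, we must also match new paths where the '.php' appears in
+# the middle, such as update.php/selection. The rule we use is strict,
+# and only allows this pattern with the update.php front controller.
+# This allows legacy path aliases in the form of
+# blog/index.php/legacy-path to continue to route to Drupal nodes. If
+# you do not have any paths like that, then you might prefer to use a
+# laxer rule, such as:
+# location ~ \.php(/|$) {
+# The laxer rule will continue to work if Drupal uses this new URL
+# pattern with front controllers other than update.php in a future
+# release.
+location ~ '\.php$|^/update.php' {
+# fastcgi_split_path_info ^(.+\.php)(/.+)$;
+fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+include fastcgi_params;
+# Block httpoxy attacks. See https://httpoxy.org/.
+fastcgi_param HTTP_PROXY "";
+fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+fastcgi_param PATH_INFO $fastcgi_path_info;
+fastcgi_param QUERY_STRING $query_string;
+fastcgi_intercept_errors on;
+# fastcgi_buffer_size 16k;
+# fastcgi_buffers 4 16k;
+fastcgi_pass unix:/run/php/php7.0-fpm.sock;
+}
+# Fighting with Styles? This little gem is amazing.
+# location ~ ^/sites/.*/files/imagecache/ { # For Drupal <= 6
+location ~ ^/sites/.*/files/styles/ { # For Drupal >= 7
+try_files $uri @rewrite;
+}
+# Handle private files through Drupal. Private file's path can come
+# with a language prefix.
+location ~ ^(/[a-z\-]+)?/system/files/ { # For Drupal >= 7
+try_files $uri /index.php?$query_string;
+}
+location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
+try_files $uri @rewrite;
+expires max;
+log_not_found off;
+}
+# website should not be displayed inside a <frame>, an <iframe> or an <object>
+add_header X-Frame-Options SAMEORIGIN;
+}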
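Review bot: This template repeats the whole `server` body of `assets/drupal-ssl.nginxconf` line for line, with only the `listen`/`ssl_*`/HSTS directives differing, so every hardening change has to be made twice — the commit list shows exactly that with the X-Frame-Options change. Moving the shared `location` blocks into one snippet that both templates pull in with an `include` directive would keep the two from drifting apart; the HTTP-only variant would then contain little more than `listen 80;`, `server_name`, `root` and the include.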


@ -1,8 +0,0 @@
<VirtualHost *:80>
ServerAdmin webmaster@example.org
ServerName example.org
ServerAlias www.example.org
DocumentRoot /srv/www/example.org/public_html/
ErrorLog /srv/www/example.org/logs/error.log
CustomLog /srv/www/example.org/logs/access.log combined
</VirtualHost>


@ -10,9 +10,11 @@ if [ $refname = "refs/heads/prod" ]; then
unset GIT_DIR
cd ~
cd $PRODDIR
git pull --ff-only origin prod
# git pull --ff-only origin prod
# run deploy script instead
. deploy.sh
echo $?
echo "====== OK ====="
else
echo "Warning Commit not deployed, please use prod branch"
fi
fi
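Review bot: `. deploy.sh` sources the deploy script into the hook's own shell: bash resolves a sourced name without a slash through `$PATH` before the current directory, and once sourced the script's `cd ./public_html` and any `exit` it may perform change the hook's working directory or terminate the hook itself. Running it as a child, `bash ./deploy.sh`, keeps the hook isolated and makes the following `echo $?` meaningful — as written it reports the status of the deploy script's last `echo "Deployment complete."`, which is always 0, not whether the deployment succeeded. The enclosing `if [ $refname = "refs/heads/prod" ]` starts above the hunk.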


@ -1,6 +1,7 @@
#!/bin/bash
#hook/pre-receive
#CONFIG
PRODDIR="www"
read oldrev newrev refname
@ -14,4 +15,4 @@ if [ $refname = "refs/heads/prod" ]; then
echo "====== OK ====="
else
echo "Warning Commit not deployed, please use prod branch"
fi
fi

13
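--- a/assets/index.php
+++ b/assets/index.php
@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<html lang="en" dir="ltr">
+<head>
+<meta charset="utf-8">
+<title>DOMAIN.LTD</title>
+</head>
+<body>
+<h1>DOMAIN.LTD</h1>
+<?php phpinfo(); ?>
+</body>
+</html>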
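Review bot: `<?php phpinfo(); ?>` in the default index page publishes the PHP build, loaded extensions, `php.ini` paths, document root and the full environment of the php-fpm worker to anyone who reaches the new vhost, and since this is the template the vhost script installs it stays live until someone remembers to remove it. A placeholder page should be static — e.g. `<p>Site under construction.</p>` in place of the `phpinfo()` call — and `phpinfo()` kept to a separate, temporary file that is deleted once the setup has been verified.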


@ -1,15 +1,27 @@
# claranet serveur
# [options]
# UseSyslog
#
# [Client]
# sequence = 5019,8599,4468
# seq_timeout = 5
# command = /sbin/iptables -I internet_inbound 1 -s %IP% -p tcp --match multiport --dports 22,21,40000:40200 -j ACCEPT
# tcpflags = syn
# cmd_timeout = 86400
# stop_command = /sbin/iptables -D internet_inbound -s %IP% -p tcp --match multiport --dports 22,21,40000:40200 -j ACCEPT
[options]
UseSyslog
[openSSH]
sequence = 7000,8000,9000
seq_timeout = 5
command = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn
[closeSSH]
sequence = 9000,8000,7000
seq_timeout = 5
command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn
logfile = /var/log/knockd.log
[SSH]
sequence = 7000,8000,9000
seq_timeout = 5
# TODO do not limit port 22 to the ip as it don't work with 4G connection
# start_command = ufw insert 1 allow from %IP% to any port 22
start_command = ufw allow ssh
tcpflags = syn
cmd_timeout = 600
# stop_command = ufw delete allow from %IP% to any port 22
stop_command = ufw delete allow ssh
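Review bot: `start_command = ufw allow ssh` opens port 22 to every source address for the `cmd_timeout = 600` window, so a correct knock from one client exposes SSH to the whole internet for ten minutes rather than to the knocker — the knock then only gates when the port is open, not who may reach it, and the TODO above should say so explicitly. `stop_command = ufw delete allow ssh` removes the generic rule by name, so if an administrator has also added a permanent `ufw allow ssh` the knockd timeout will delete that one too. Suggested comment above `start_command`: `# NOTE: opens 22 to ANY source for cmd_timeout seconds; relies on key-only auth and fail2ban, not on the knock, for access control`.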


@ -0,0 +1,12 @@
# https://howto.biapy.com/fr/debian-gnu-linux/serveurs/mysql/installer-et-configurer-mysql-sur-debian
# Use one file by InnoDB table.
# Use Barracuda as InnoDB engine.
# Allow InnoDB large indexs.
# Use Dynamic row format.
# Reduce disk usage, ease disk space reclaiming.
[mysqld]
innodb_file_per_table = 1
innodb_file_format=Barracuda
innodb_large_prefix=1
; Option below only for MariaDB 10.2
;innodb_default_row_format=DYNAMIC

58
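--- a/assets/mysqlbackup.sh
+++ b/assets/mysqlbackup.sh
@@ -0,0 +1,58 @@
+#!/bin/bash
+# Simple script to backup MySQL databases
+# Parent backup directory
+backup_parent_dir="/var/backups/mysql"
+# MySQL settings
+mysql_user="root"
+mysql_password="ROOTPASSWD"
+# Read MySQL password from stdin if empty
+# if [ -z "${mysql_password}" ]; then
+# echo -n "Enter MySQL ${mysql_user} password: "
+# read -s mysql_password
+# echo
+# fi
+# Check MySQL password
+echo exit | mysql --user=${mysql_user} --password=${mysql_password} -B 2>/dev/null
+if [ "$?" -gt 0 ]; then
+echo "MySQL ${mysql_user} password incorrect"
+exit 1
+else
+echo "MySQL ${mysql_user} password correct."
+fi
+# Create backup directory and set permissions
+backup_date=`date +%Y_%m_%d_%H_%M`
+backup_dir="${backup_parent_dir}/${backup_date}"
+echo "Backup directory: ${backup_dir}"
+mkdir -p "${backup_dir}"
+chmod 644 "${backup_dir}"
+# Get MySQL databases
+mysql_databases=`echo 'show databases' | mysql --user=${mysql_user} --password=${mysql_password} -B | sed /^Database$/d`
+# Backup and compress each database
+for database in $mysql_databases
+do
+if [ "${database}" == "information_schema" ] || [ "${database}" == "performance_schema" ]; then
+additional_mysqldump_params="--skip-lock-tables --compact --no-autocommit "
+else
+additional_mysqldump_params=""
+fi
+echo "Creating backup of \"${database}\" database"
+mysqldump ${additional_mysqldump_params} --user=${mysql_user} --password=${mysql_password} ${database} | gzip > "${backup_dir}/${database}.sql.gz"
+chmod 644 "${backup_dir}/${database}.sql.gz"
+done
+# compress the folder
+# tar -zcvf "${backup_dir}.tar.gz" "${backup_dir}"
+# rm -rf "${backup_dir}"
+# Rotate backups
+# Delete files older than 30 days
+find $backup_parent_dir/ -type f -mtime +60 -delete;
+# Delete empty directories
+find $backup_parent_dir/ -type d -empty -delete;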
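Review bot: The dumps are written world-readable: `chmod 644` is applied to every `${database}.sql.gz`, and the same `chmod 644` on `${backup_dir}` is wrong for a directory anyway (it drops the traverse bit), so full database contents under `/var/backups/mysql` can be read by any local account. The root password is also passed as `--password=${mysql_password}` on three command lines, where it is visible in `ps` to every user for the duration of each dump; handing it over through the `MYSQL_PWD` environment variable keeps it out of argv. Finally the rotation comment says "older than 30 days" while the `find` uses `-mtime +60`; one of the two should change. The rewrite below tightens the modes and moves the password into the environment; the database loop and rotation are otherwise unchanged.
```shell
# Hand the password to the mysql clients through the environment rather than
# argv, so it is not visible in `ps` output to other local users.
export MYSQL_PWD="${mysql_password}"
umask 077
# Check MySQL password
echo exit | mysql --user="${mysql_user}" -B 2>/dev/null
# … unchanged: password check result, backup_date, backup_dir …
mkdir -p "${backup_dir}"
chmod 700 "${backup_dir}"   # 644 on a directory strips the traverse bit; dumps must not be world-readable
# Get MySQL databases
mysql_databases=$(echo 'show databases' | mysql --user="${mysql_user}" -B | sed /^Database$/d)
# … unchanged: loop header and additional_mysqldump_params selection …
mysqldump ${additional_mysqldump_params} --user="${mysql_user}" "${database}" | gzip > "${backup_dir}/${database}.sql.gz"
chmod 600 "${backup_dir}/${database}.sql.gz"
# … unchanged: rotation (make the comment and the -mtime value agree) …
```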

1920
assets/php-fpm.ini Normal file



@ -0,0 +1,65 @@
# https://www.howtoforge.com/tutorial/install-letsencrypt-and-secure-nginx-in-debian-9/
server {
listen 80;
server_name DOMAIN.LTD;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name DOMAIN.LTD;
root /var/www/DOMAIN.LTD/public_html;
index index.html index.php;
charset utf-8;
location / {
try_files $uri $uri/ /index.php?$query_string;
}
location = /favicon.ico { access_log off; log_not_found off; }
location = /robots.txt { access_log off; log_not_found off; }
access_log on;
error_log /var/www/DOMAIN.LTD/log/error.log;
sendfile off;
client_max_body_size 100m;
#SSL Certificates
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_certificate "/etc/letsencrypt/live/DOMAIN.LTD/fullchain.pem";
ssl_certificate_key "/etc/letsencrypt/live/DOMAIN.LTD/privkey.pem";
ssl_dhparam /etc/nginx/ssl/certs/DOMAIN.LTD/dhparam.pem;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10m;
ssl_ciphers HIGH:!aNULL:!MD5;
#ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security "max-age=31536000;
#includeSubDomains" always;
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/run/php/php7.0-fpm.sock;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_intercept_errors off;
fastcgi_buffer_size 16k;
fastcgi_buffers 4 16k;
}
location ~ /\.ht {
deny all;
}
# website should not be displayed inside a <frame>, an <iframe> or an <object>
add_header X-Frame-Options SAMEORIGIN;
}
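Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` still offers TLS 1.0 and 1.1, both deprecated, and `ssl_ciphers HIGH:!aNULL:!MD5;` still admits 3DES and non-forward-secret RSA suites; for a Let's Encrypt host `ssl_protocols TLSv1.2 TLSv1.3;` (or `TLSv1.2` alone if the system OpenSSL predates 1.1.1) with an ECDHE-only cipher list is the safer default. As rendered, the HSTS directive opens a quote on `add_header Strict-Transport-Security "max-age=31536000;` and only closes it on the following line after a `#`, so if the file really contains that split nginx will take `#includeSubDomains` as part of the header value rather than a comment; it should be one line, `add_header Strict-Transport-Security "max-age=31536000" always;`, with `; includeSubDomains` added inside the quotes only once every subdomain serves HTTPS. The `location ~ \.php$` block hands any URI ending in `.php` to php-fpm with `SCRIPT_FILENAME $document_root$fastcgi_script_name` and never checks the file exists, so unless the php-fpm.ini this commit also adds (its diff is suppressed here) sets `cgi.fix_pathinfo=0`, a request such as `/uploads/image.jpg/x.php` can make PHP execute the upload — add `try_files $uri =404;` as the first line of that location.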


@ -0,0 +1,41 @@
server {
listen 80;
server_name DOMAIN.LTD;
root /var/www/DOMAIN.LTD/public_html;
index index.html index.php;
charset utf-8;
location / {
try_files $uri $uri/ /index.php?$query_string;
}
location = /favicon.ico { access_log off; log_not_found off; }
location = /robots.txt { access_log off; log_not_found off; }
access_log on;
error_log /var/www/DOMAIN.LTD/log/error.log;
sendfile off;
client_max_body_size 100m;
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/run/php/php7.0-fpm.sock;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_intercept_errors off;
fastcgi_buffer_size 16k;
fastcgi_buffers 4 16k;
}
location ~ /\.ht {
deny all;
}
# website should not be displayed inside a <frame>, an <iframe> or an <object>
add_header X-Frame-Options SAMEORIGIN;
}
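Review bot: The PHP location passes every URI ending in `.php` straight to php-fpm with `SCRIPT_FILENAME $document_root$fastcgi_script_name` and never verifies that the script exists, so unless php-fpm runs with `cgi.fix_pathinfo=0` a request for `/uploads/image.jpg/x.php` can make PHP execute the uploaded file; add `try_files $uri =404;` as the first line of `location ~ \.php$`. This template listens on port 80 only with no redirect to HTTPS, which looks intentional as the pre-certificate stage next to the TLS variant above, but a one-line comment saying so (`# plain-HTTP vhost used only until the certificate is issued`) would stop it being left in place as the final configuration.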

12
assets/urbackup.service Normal file

@ -0,0 +1,12 @@
[Unit]
Description=Urbackup Backend
ConditionPathExists=/usr/local/sbin/urbackupclientbackend
[Service]
Type=forking
ExecStart=/usr/local/sbin/urbackupclientbackend -d
PIDFile = /var/run/urbackup_srv.pid
TimeoutSec=0
[Install]
WantedBy=multi-user.target
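Review bot: `TimeoutSec=0` disables the stop timeout entirely, so a hung `urbackupclientbackend` blocks `systemctl stop` and every shutdown indefinitely; a bounded `TimeoutStopSec=90` (keeping a long start timeout if the daemon needs it) is safer. The unit also declares no `After=network-online.target` ordering even though the backend talks to a backup server, and `PIDFile = /var/run/urbackup_srv.pid` should point at `/run/urbackup_srv.pid` — recent systemd rewrites and warns about the legacy `/var/run` prefix. With no `User=` the backend runs as root, which is presumably required to read every file it backs up, but a comment stating that would save the next reader from wondering whether it was an oversight.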

6
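--- a/assets/zabbix/apt.conf
+++ b/assets/zabbix/apt.conf
@@ -0,0 +1,6 @@
+# Treat security and regular updates differently
+# This is just a simulation, that can be run under zabbix user
+# Since updating packages lists (apt-get update) requires root user,
+# use APT::Periodic or some other functionality for that
+UserParameter=apt.security,apt-get -s upgrade | grep -ci ^inst.*security | tr -d '\n'
+UserParameter=apt.updates,apt-get -s upgrade | grep -iPc '^Inst((?!security).)*$' | tr -d '\n'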
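Review bot: Both items turn an apt failure into a healthy-looking `0`: if `apt-get -s upgrade` cannot run under the zabbix user (unreadable lists, a held lock), `grep -c` still prints 0 and Zabbix shows "no updates". Capturing the apt output first makes the failure visible, e.g. `out=$(apt-get -s upgrade 2>/dev/null) || { echo ZBX_NOTSUPPORTED; exit 1; }; printf '%s\n' "$out" | grep -ci '^inst.*security'`, which marks the item unsupported instead of reporting a clean host. The `security` match also relies on the origin label apt prints on `Inst` lines (`Debian-Security` on stock Debian), which is worth stating in the comment since a package whose name contains the word would be counted as well.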


@ -0,0 +1,6 @@
# Check for debian updates
UserParameter=debian_updates[*], aptitude -F%p search "?upgradable ?archive(`sed '/^deb .*$1/!d;s/^deb [^ ]* \([^ ]*\) .*/\1/;q' /etc/apt/sources.list`)" 2>/dev/null | wc -l
# Increase the global timeout (unfortunately), or zabbix killing
# aptitude will leave a /tmp/aptitude-zabbix.* directory turd every
# now and then.
Timeout=12
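Review bot: The key argument `$1` is spliced into a `sed` regex inside a backtick substitution, so whatever the server passes in becomes shell code; this is only safe while the agent keeps the default `UnsafeUserParameters=0`, which rejects shell metacharacters in item arguments, and that dependency deserves a comment right above the `UserParameter=` line so nobody flips the option later. `Timeout=12` is a global agent setting rather than a per-item one, so placing it in this drop-in raises the timeout for every UserParameter on the host, and together with the `apt.security`/`apt.updates` items in `apt.conf` this template measures pending updates twice with two different tools — keeping one of them would simplify the agent.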


@ -0,0 +1,2 @@
APT::Periodic::Enable "1";
APT::Periodic::Update-Package-Lists "1";


@ -0,0 +1,5 @@
# https://support.zabbix.com/browse/ZBX-12164
# https://github.com/kvaps/zabbix-linux-container-template
UserParameter=ct.memory.size[*],free -b | awk '$ 1 == "Mem:" {total=$ 2; used=($ 3+$ 5); pused=(($ 3+$ 5)*100/$ 2); free=$ 4; pfree=($ 4*100/$ 2); shared=$ 5; buffers=$ 6; cache=$ 6; available=($ 6+$ 7); pavailable=(($ 6+$ 7)*100/$ 2); if("$1" == "") {printf("%.0f", total )} else {printf("%.0f", $1 "" )} }'
UserParameter=ct.swap.size[*],free -b | awk '$ 1 == "Swap:" {total=$ 2; used=$ 3; free=$ 4; pfree=($ 4*100/$ 2); pused=($ 3*100/$ 2); if("$1" == "") {printf("%.0f", free )} else {printf("%.0f", $1 "" )} }'
UserParameter=ct.cpu.load[*],uptime | awk -F'[, ]+' '{avg1=$(NF-2); avg5=$(NF-1); avg15=$(NF)}{print $2/'$(nproc)'}'
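Review bot: The mixture of `$ 1` (an awk field, spaced so the agent does not rewrite it), bare `$1`/`$2` (Zabbix key arguments substituted before the shell runs) and `'$(nproc)'` (a shell substitution) in these one-liners is easy to "fix" into a broken state — in `ct.cpu.load[*]` the `$2` appears to be the key's second argument naming one of `avg1`/`avg5`/`avg15`, not the second field of `uptime`, which is why the three assignments before it otherwise look unused. A comment such as `# NOTE: '$ N' (with a space) is an awk field; bare '$N' is the Zabbix key argument (e.g. ct.cpu.load[,avg1]); keep the spacing` above the block would preserve that intent. As with the other flexible parameters in this commit, the arguments are interpolated into the awk program text, so these items depend on the agent's default `UnsafeUserParameters=0`.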


@ -0,0 +1,91 @@
#!/usr/bin/python
#
# Options:
#
# -a active
# -a accepted
# -a handled
# -a requests
# -a reading
# -a writing
# -a waiting
#
import sys
import getopt
import urllib2
import re
import ssl
def usage():
print "usage: nginx-stat.py -h 127.0.0.1 -p 80 -a [active|accepted|handled|request|reading|writing|waiting]"
sys.exit(2)
def main():
# Default values
host = "localhost"
port = "80"
getInfo = "None"
proto = "http"
_headers = {}
gcontext = ""
if len(sys.argv) < 2:
usage()
try:
opts, _ = getopt.getopt(sys.argv[1:], "h:p:a:")
except getopt.GetoptError:
usage()
# Assign parameters as variables
for opt, arg in opts:
if opt == "-h":
host = arg
if opt == "-p":
port = arg
if opt == "-a":
getInfo = arg
if port == "443":
proto = "https"
_headers = {'X-Mashape-Key': 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'}
gcontext = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
url = proto + "://" + host + ":" + port + "/nginx_status/"
request = urllib2.Request(url, headers=_headers)
result = urllib2.urlopen(request, context=gcontext)
buffer = re.findall(r'\d{1,8}', result.read())
## Format:
## Active connections: 196
## server accepts handled requests
## 272900 272900 328835
## Reading: 0 Writing: 6 Waiting: 190
if getInfo == "active":
print buffer[0]
elif getInfo == "accepted":
print buffer[1]
elif getInfo == "handled":
print buffer[2]
elif getInfo == "requests":
print buffer[3]
elif getInfo == "reading":
print buffer[4]
elif getInfo == "writing":
print buffer[5]
elif getInfo == "waiting":
print buffer[6]
else:
print "unknown"
sys.exit(1)
if __name__ == "__main__":
main()
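Review bot: On the HTTPS path `ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)` is built with no `verify_mode` and no CA store, so the server certificate is never verified; for a stub_status on localhost that may be acceptable, but then say so in a comment, otherwise use `gcontext = ssl.create_default_context()`. `urlopen` is called without a `timeout`, so a stalled nginx leaves the script to be killed by the agent's global Timeout — pass `timeout=5`. The `X-Mashape-Key` header with an `XXX…` placeholder looks like a leftover from wherever the script was copied from and should go, the usage string says `request` where the code matches `requests`, and any unexpected body (a 403 page, stub_status disabled) makes `buffer[0]` raise IndexError with a traceback rather than printing `ZBX_NOTSUPPORTED`.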


@ -0,0 +1,219 @@
<?xml version="1.0" encoding="UTF-8"?>
<zabbix_export>
<version>3.4</version>
<date>2018-07-20T14:31:02Z</date>
<groups>
<group>
<name>Templates/Applications</name>
</group>
</groups>
<templates>
<template>
<template>Template App systemd Services</template>
<name>Template App systemd Services</name>
<description>Discovery enabled systemd services, checks status every 1m, and checks PID every 10m to determine if service has rebooted.</description>
<groups>
<group>
<name>Templates/Applications</name>
</group>
</groups>
<applications>
<application>
<name>systemd</name>
</application>
</applications>
<items>
<item>
<name>System uptime</name>
<type>0</type>
<snmp_community/>
<snmp_oid/>
<key>systemd.uptime</key>
<delay>10m</delay>
<history>1d</history>
<trends>1w</trends>
<status>0</status>
<value_type>3</value_type>
<allowed_hosts/>
<units>uptime</units>
<snmpv3_contextname/>
<snmpv3_securityname/>
<snmpv3_securitylevel>0</snmpv3_securitylevel>
<snmpv3_authprotocol>0</snmpv3_authprotocol>
<snmpv3_authpassphrase/>
<snmpv3_privprotocol>0</snmpv3_privprotocol>
<snmpv3_privpassphrase/>
<params/>
<ipmi_sensor/>
<authtype>0</authtype>
<username/>
<password/>
<publickey/>
<privatekey/>
<port/>
<description/>
<inventory_link>0</inventory_link>
<applications/>
<valuemap/>
<logtimefmt/>
<preprocessing/>
<jmx_endpoint/>
<master_item/>
</item>
</items>
<discovery_rules>
<discovery_rule>
<name>Service Discovery</name>
<type>0</type>
<snmp_community/>
<snmp_oid/>
<key>systemd.service.discovery</key>
<delay>24h</delay>
<status>0</status>
<allowed_hosts/>
<snmpv3_contextname/>
<snmpv3_securityname/>
<snmpv3_securitylevel>0</snmpv3_securitylevel>
<snmpv3_authprotocol>0</snmpv3_authprotocol>
<snmpv3_authpassphrase/>
<snmpv3_privprotocol>0</snmpv3_privprotocol>
<snmpv3_privpassphrase/>
<params/>
<ipmi_sensor/>
<authtype>0</authtype>
<username/>
<password/>
<publickey/>
<privatekey/>
<port/>
<filter>
<evaltype>0</evaltype>
<formula/>
<conditions/>
</filter>
<lifetime>1d</lifetime>
<description/>
<item_prototypes>
<item_prototype>
<name>{#SERVICE} PID</name>
<type>0</type>
<snmp_community/>
<snmp_oid/>
<key>systemd.service.PID[{#SERVICE}]</key>
<delay>10m</delay>
<history>30d</history>
<trends>365d</trends>
<status>0</status>
<value_type>3</value_type>
<allowed_hosts/>
<units/>
<snmpv3_contextname/>
<snmpv3_securityname/>
<snmpv3_securitylevel>0</snmpv3_securitylevel>
<snmpv3_authprotocol>0</snmpv3_authprotocol>
<snmpv3_authpassphrase/>
<snmpv3_privprotocol>0</snmpv3_privprotocol>
<snmpv3_privpassphrase/>
<params/>
<ipmi_sensor/>
<authtype>0</authtype>
<username/>
<password/>
<publickey/>
<privatekey/>
<port/>
<description/>
<inventory_link>0</inventory_link>
<applications/>
<valuemap/>
<logtimefmt/>
<preprocessing/>
<jmx_endpoint/>
<application_prototypes/>
<master_item_prototype/>
</item_prototype>
<item_prototype>
<name>{#SERVICE} Status</name>
<type>0</type>
<snmp_community/>
<snmp_oid/>
<key>systemd.service.status[{#SERVICE}]</key>
<delay>1m</delay>
<history>30d</history>
<trends>365d</trends>
<status>0</status>
<value_type>3</value_type>
<allowed_hosts/>
<units/>
<snmpv3_contextname/>
<snmpv3_securityname/>
<snmpv3_securitylevel>0</snmpv3_securitylevel>
<snmpv3_authprotocol>0</snmpv3_authprotocol>
<snmpv3_authpassphrase/>
<snmpv3_privprotocol>0</snmpv3_privprotocol>
<snmpv3_privpassphrase/>
<params/>
<ipmi_sensor/>
<authtype>0</authtype>
<username/>
<password/>
<publickey/>
<privatekey/>
<port/>
<description>Returns the status of the</description>
<inventory_link>0</inventory_link>
<applications/>
<valuemap/>
<logtimefmt/>
<preprocessing/>
<jmx_endpoint/>
<application_prototypes/>
<master_item_prototype/>
</item_prototype>
</item_prototypes>
<trigger_prototypes>
<trigger_prototype>
<expression>{Template App systemd Services:systemd.service.PID[{#SERVICE}].diff(0)}&lt;&gt;0 and {Template App systemd Services:systemd.uptime.last()}&gt;180</expression>
<recovery_mode>0</recovery_mode>
<recovery_expression/>
<name>{#SERVICE} has restarted</name>
<correlation_mode>0</correlation_mode>
<correlation_tag/>
<url/>
<status>0</status>
<priority>2</priority>
<description>The Service has been restarted and is using a new PID</description>
<type>0</type>
<manual_close>1</manual_close>
<dependencies/>
<tags/>
</trigger_prototype>
<trigger_prototype>
<expression>{Template App systemd Services:systemd.service.status[{#SERVICE}].last()}&lt;&gt;0</expression>
<recovery_mode>0</recovery_mode>
<recovery_expression/>
<name>{#SERVICE} not running</name>
<correlation_mode>0</correlation_mode>
<correlation_tag/>
<url/>
<status>0</status>
<priority>4</priority>
<description/>
<type>0</type>
<manual_close>1</manual_close>
<dependencies/>
<tags/>
</trigger_prototype>
</trigger_prototypes>
<graph_prototypes/>
<host_prototypes/>
<jmx_endpoint/>
</discovery_rule>
</discovery_rules>
<httptests/>
<macros/>
<templates/>
<screens/>
</template>
</templates>
</zabbix_export>


@ -0,0 +1,170 @@
<?xml version="1.0" encoding="UTF-8"?>
<zabbix_export>
<version>3.2</version>
<date>2017-01-29T14:52:23Z</date>
<groups>
<group>
<name>Templates</name>
</group>
</groups>
<templates>
<template>
<template>Template App APT Updates</template>
<name>Template App APT Updates</name>
<description/>
<groups>
<group>
<name>Templates</name>
</group>
</groups>
<applications>
<application>
<name>APT</name>
</application>
</applications>
<items>
<item>
<name>Security Updates</name>
<type>0</type>
<snmp_community/>
<multiplier>0</multiplier>
<snmp_oid/>
<key>apt.security</key>
<delay>900</delay>
<history>90</history>
<trends>365</trends>
<status>0</status>
<value_type>3</value_type>
<allowed_hosts/>
<units/>
<delta>0</delta>
<snmpv3_contextname/>
<snmpv3_securityname/>
<snmpv3_securitylevel>0</snmpv3_securitylevel>
<snmpv3_authprotocol>0</snmpv3_authprotocol>
<snmpv3_authpassphrase/>
<snmpv3_privprotocol>0</snmpv3_privprotocol>
<snmpv3_privpassphrase/>
<formula>1</formula>
<delay_flex/>
<params/>
<ipmi_sensor/>
<data_type>0</data_type>
<authtype>0</authtype>
<username/>
<password/>
<publickey/>
<privatekey/>
<port/>
<description/>
<inventory_link>0</inventory_link>
<applications>
<application>
<name>APT</name>
</application>
</applications>
<valuemap/>
<logtimefmt/>
</item>
<item>
<name>Non-Critical Updates</name>
<type>0</type>
<snmp_community/>
<multiplier>0</multiplier>
<snmp_oid/>
<key>apt.updates</key>
<delay>900</delay>
<history>90</history>
<trends>365</trends>
<status>0</status>
<value_type>3</value_type>
<allowed_hosts/>
<units/>
<delta>0</delta>
<snmpv3_contextname/>
<snmpv3_securityname/>
<snmpv3_securitylevel>0</snmpv3_securitylevel>
<snmpv3_authprotocol>0</snmpv3_authprotocol>
<snmpv3_authpassphrase/>
<snmpv3_privprotocol>0</snmpv3_privprotocol>
<snmpv3_privpassphrase/>
<formula>1</formula>
<delay_flex/>
<params/>
<ipmi_sensor/>
<data_type>0</data_type>
<authtype>0</authtype>
<username/>
<password/>
<publickey/>
<privatekey/>
<port/>
<description/>
<inventory_link>0</inventory_link>
<applications>
<application>
<name>APT</name>
</application>
</applications>
<valuemap/>
<logtimefmt/>
</item>
</items>
<discovery_rules/>
<httptests/>
<macros/>
<templates/>
<screens/>
</template>
</templates>
<triggers>
<trigger>
<expression>{Template App APT Updates:apt.security.last()}&gt;0 and {Template App APT Updates:apt.updates.last()}&gt;0</expression>
<recovery_mode>0</recovery_mode>
<recovery_expression/>
<name>{ITEM.LASTVALUE1} security and {ITEM.LASTVALUE2} regular updates on {HOST.NAME}</name>
<correlation_mode>0</correlation_mode>
<correlation_tag/>
<url/>
<status>0</status>
<priority>2</priority>
<description/>
<type>0</type>
<manual_close>1</manual_close>
<dependencies/>
<tags/>
</trigger>
<trigger>
<expression>{Template App APT Updates:apt.updates.last()}&gt;0 and {Template App APT Updates:apt.security.last()}=0</expression>
<recovery_mode>0</recovery_mode>
<recovery_expression/>
<name>{ITEM.LASTVALUE} regular updates on {HOST.NAME}</name>
<correlation_mode>0</correlation_mode>
<correlation_tag/>
<url/>
<status>0</status>
<priority>1</priority>
<description/>
<type>0</type>
<manual_close>1</manual_close>
<dependencies/>
<tags/>
</trigger>
<trigger>
<expression>{Template App APT Updates:apt.security.last()}&gt;0 and {Template App APT Updates:apt.updates.last()}=0</expression>
<recovery_mode>0</recovery_mode>
<recovery_expression/>
<name>{ITEM.LASTVALUE} security updates on {HOST.NAME}</name>
<correlation_mode>0</correlation_mode>
<correlation_tag/>
<url/>
<status>0</status>
<priority>2</priority>
<description/>
<type>0</type>
<manual_close>1</manual_close>
<dependencies/>
<tags/>
</trigger>
</triggers>
</zabbix_export>



@ -0,0 +1,560 @@
<?xml version="1.0" encoding="UTF-8"?>
<zabbix_export>
<version>3.4</version>
<date>2017-12-20T20:10:24Z</date>
<groups>
<group>
<name>Templates</name>
</group>
</groups>
<templates>
<template>
<template>Template App Nginx</template>
<name>Template App Nginx</name>
<description/>
<groups>
<group>
<name>Templates</name>
</group>
</groups>
<applications>
<application>
<name>Nginx</name>
</application>
</applications>
<items>
<item>
<name>Nginx Accepted Requests</name>
<type>0</type>
<snmp_community/>
<snmp_oid/>
<key>nginx.accepted[{HOST.IP},{$NGINX_PORT}]</key>
<delay>5m</delay>
<history>1w</history>
<trends>365d</trends>
<status>0</status>
<value_type>3</value_type>
<allowed_hosts/>
<units/>
<snmpv3_contextname/>
<snmpv3_securityname/>
<snmpv3_securitylevel>0</snmpv3_securitylevel>
<snmpv3_authprotocol>0</snmpv3_authprotocol>
<snmpv3_authpassphrase/>
<snmpv3_privprotocol>0</snmpv3_privprotocol>
<snmpv3_privpassphrase/>
<params/>
<ipmi_sensor/>
<authtype>0</authtype>
<username/>
<password/>
<publickey/>
<privatekey/>
<port/>
<description/>
<inventory_link>0</inventory_link>
<applications>
<application>
<name>Nginx</name>
</application>
</applications>
<valuemap/>
<logtimefmt/>
<preprocessing>
<step>
<type>9</type>
<params/>
</step>
</preprocessing>
<jmx_endpoint/>
<master_item/>
</item>
<item>
<name>Nginx Active Connections</name>
<type>0</type>
<snmp_community/>
<snmp_oid/>
<key>nginx.active[{HOST.IP},{$NGINX_PORT}]</key>
<delay>5m</delay>
<history>1w</history>
<trends>365d</trends>
<status>0</status>
<value_type>3</value_type>
<allowed_hosts/>
<units/>
<snmpv3_contextname/>
<snmpv3_securityname/>
<snmpv3_securitylevel>0</snmpv3_securitylevel>
<snmpv3_authprotocol>0</snmpv3_authprotocol>
<snmpv3_authpassphrase/>
<snmpv3_privprotocol>0</snmpv3_privprotocol>
<snmpv3_privpassphrase/>
<params/>
<ipmi_sensor/>
<authtype>0</authtype>
<username/>
<password/>
<publickey/>
<privatekey/>
<port/>
<description/>
<inventory_link>0</inventory_link>
<applications>
<application>
<name>Nginx</name>
</application>
</applications>
<valuemap/>
<logtimefmt/>
<preprocessing/>
<jmx_endpoint/>
<master_item/>
</item>
<item>
<name>Nginx Handled Requests</name>
<type>0</type>
<snmp_community/>
<snmp_oid/>
<key>nginx.handled[{HOST.IP},{$NGINX_PORT}]</key>
<delay>5m</delay>
<history>1w</history>
<trends>365d</trends>
<status>0</status>
<value_type>3</value_type>
<allowed_hosts/>
<units/>
<snmpv3_contextname/>
<snmpv3_securityname/>
<snmpv3_securitylevel>0</snmpv3_securitylevel>
<snmpv3_authprotocol>0</snmpv3_authprotocol>
<snmpv3_authpassphrase/>
<snmpv3_privprotocol>0</snmpv3_privprotocol>
<snmpv3_privpassphrase/>
<params/>
<ipmi_sensor/>
<authtype>0</authtype>
<username/>
<password/>
<publickey/>
<privatekey/>
<port/>
<description/>
<inventory_link>0</inventory_link>
<applications>
<application>
<name>Nginx</name>
</application>
</applications>
<valuemap/>
<logtimefmt/>
<preprocessing>
<step>
<type>9</type>
<params/>
</step>
</preprocessing>
<jmx_endpoint/>
<master_item/>
</item>
<item>
<name>Nginx Reading Connections</name>
<type>0</type>
<snmp_community/>
<snmp_oid/>
<key>nginx.reading[{HOST.IP},{$NGINX_PORT}]</key>
<delay>5m</delay>
<history>1w</history>
<trends>365d</trends>
<status>0</status>
<value_type>3</value_type>
<allowed_hosts/>
<units/>
<snmpv3_contextname/>
<snmpv3_securityname/>
<snmpv3_securitylevel>0</snmpv3_securitylevel>
<snmpv3_authprotocol>0</snmpv3_authprotocol>
<snmpv3_authpassphrase/>
<snmpv3_privprotocol>0</snmpv3_privprotocol>
<snmpv3_privpassphrase/>
<params/>
<ipmi_sensor/>
<authtype>0</authtype>
<username/>
<password/>
<publickey/>
<privatekey/>
<port/>
<description/>
<inventory_link>0</inventory_link>
<applications>
<application>
<name>Nginx</name>
</application>
</applications>
<valuemap/>
<logtimefmt/>
<preprocessing/>
<jmx_endpoint/>
<master_item/>
</item>
<item>
<name>Nginx Total Requests</name>
<type>0</type>
<snmp_community/>
<snmp_oid/>
<key>nginx.total[{HOST.IP},{$NGINX_PORT}]</key>
<delay>5m</delay>
<history>1w</history>
<trends>365d</trends>
<status>0</status>
<value_type>3</value_type>
<allowed_hosts/>
<units/>
<snmpv3_contextname/>
<snmpv3_securityname/>
<snmpv3_securitylevel>0</snmpv3_securitylevel>
<snmpv3_authprotocol>0</snmpv3_authprotocol>
<snmpv3_authpassphrase/>
<snmpv3_privprotocol>0</snmpv3_privprotocol>
<snmpv3_privpassphrase/>
<params/>
<ipmi_sensor/>
<authtype>0</authtype>
<username/>
<password/>
<publickey/>
<privatekey/>
<port/>
<description/>
<inventory_link>0</inventory_link>
<applications>
<application>
<name>Nginx</name>
</application>
</applications>
<valuemap/>
<logtimefmt/>
<preprocessing>
<step>
<type>9</type>
<params/>
</step>
</preprocessing>
<jmx_endpoint/>
<master_item/>
</item>
<item>
<name>Nginx Version</name>
<type>0</type>
<snmp_community/>
<snmp_oid/>
<key>nginx.version</key>
<delay>12h</delay>
<history>1w</history>
<trends>0</trends>
<status>0</status>
<value_type>1</value_type>
<allowed_hosts/>
<units/>
<snmpv3_contextname/>
<snmpv3_securityname/>
<snmpv3_securitylevel>0</snmpv3_securitylevel>
<snmpv3_authprotocol>0</snmpv3_authprotocol>
<snmpv3_authpassphrase/>
<snmpv3_privprotocol>0</snmpv3_privprotocol>
<snmpv3_privpassphrase/>
<params/>
<ipmi_sensor/>
<authtype>0</authtype>
<username/>
<password/>
<publickey/>
<privatekey/>
<port/>
<description/>
<inventory_link>0</inventory_link>
<applications>
<application>
<name>Nginx</name>
</application>
</applications>
<valuemap/>
<logtimefmt/>
<preprocessing/>
<jmx_endpoint/>
<master_item/>
</item>
<item>
<name>Nginx Waiting Connections</name>
<type>0</type>
<snmp_community/>
<snmp_oid/>
<key>nginx.waiting[{HOST.IP},{$NGINX_PORT}]</key>
<delay>5m</delay>
<history>1w</history>
<trends>365d</trends>
<status>0</status>
<value_type>3</value_type>
<allowed_hosts/>
<units/>
<snmpv3_contextname/>
<snmpv3_securityname/>
<snmpv3_securitylevel>0</snmpv3_securitylevel>
<snmpv3_authprotocol>0</snmpv3_authprotocol>
<snmpv3_authpassphrase/>
<snmpv3_privprotocol>0</snmpv3_privprotocol>
<snmpv3_privpassphrase/>
<params/>
<ipmi_sensor/>
<authtype>0</authtype>
<username/>
<password/>
<publickey/>
<privatekey/>
<port/>
<description/>
<inventory_link>0</inventory_link>
<applications>
<application>
<name>Nginx</name>
</application>
</applications>
<valuemap/>
<logtimefmt/>
<preprocessing/>
<jmx_endpoint/>
<master_item/>
</item>
<item>
<name>Nginx Writing Connections</name>
<type>0</type>
<snmp_community/>
<snmp_oid/>
<key>nginx.writing[{HOST.IP},{$NGINX_PORT}]</key>
<delay>5m</delay>
<history>1w</history>
<trends>365d</trends>
<status>0</status>
<value_type>3</value_type>
<allowed_hosts/>
<units/>
<snmpv3_contextname/>
<snmpv3_securityname/>
<snmpv3_securitylevel>0</snmpv3_securitylevel>
<snmpv3_authprotocol>0</snmpv3_authprotocol>
<snmpv3_authpassphrase/>
<snmpv3_privprotocol>0</snmpv3_privprotocol>
<snmpv3_privpassphrase/>
<params/>
<ipmi_sensor/>
<authtype>0</authtype>
<username/>
<password/>
<publickey/>
<privatekey/>
<port/>
<description/>
<inventory_link>0</inventory_link>
<applications>
<application>
<name>Nginx</name>
</application>
</applications>
<valuemap/>
<logtimefmt/>
<preprocessing/>
<jmx_endpoint/>
<master_item/>
</item>
</items>
<discovery_rules/>
<httptests/>
<macros>
<macro>
<macro>{$NGINX_PORT}</macro>
<value>80</value>
</macro>
</macros>
<templates/>
<screens>
<screen>
<name>Nginx Performance</name>
<hsize>2</hsize>
<vsize>1</vsize>
<screen_items>
<screen_item>
<resourcetype>0</resourcetype>
<width>500</width>
<height>100</height>
<x>0</x>
<y>0</y>
<colspan>1</colspan>
<rowspan>1</rowspan>
<elements>0</elements>
<valign>0</valign>
<halign>0</halign>
<style>0</style>
<url/>
<dynamic>0</dynamic>
<sort_triggers>0</sort_triggers>
<resource>
<name>Nginx Requests Statistics</name>
<host>Template App Nginx</host>
</resource>
<max_columns>3</max_columns>
<application/>
</screen_item>
<screen_item>
<resourcetype>0</resourcetype>
<width>500</width>
<height>100</height>
<x>1</x>
<y>0</y>
<colspan>1</colspan>
<rowspan>1</rowspan>
<elements>0</elements>
<valign>0</valign>
<halign>0</halign>
<style>0</style>
<url/>
<dynamic>0</dynamic>
<sort_triggers>0</sort_triggers>
<resource>
<name>Nginx Connection Status</name>
<host>Template App Nginx</host>
</resource>
<max_columns>3</max_columns>
<application/>
</screen_item>
</screen_items>
</screen>
</screens>
</template>
</templates>
<graphs>
<graph>
<name>Nginx Connection Status</name>
<width>900</width>
<height>200</height>
<yaxismin>0.0000</yaxismin>
<yaxismax>100.0000</yaxismax>
<show_work_period>1</show_work_period>
<show_triggers>1</show_triggers>
<type>0</type>
<show_legend>1</show_legend>
<show_3d>0</show_3d>
<percent_left>0.0000</percent_left>
<percent_right>0.0000</percent_right>
<ymin_type_1>0</ymin_type_1>
<ymax_type_1>0</ymax_type_1>
<ymin_item_1>0</ymin_item_1>
<ymax_item_1>0</ymax_item_1>
<graph_items>
<graph_item>
<sortorder>0</sortorder>
<drawtype>5</drawtype>
<color>00C800</color>
<yaxisside>0</yaxisside>
<calc_fnc>2</calc_fnc>
<type>0</type>
<item>
<host>Template App Nginx</host>
<key>nginx.active[{HOST.IP},{$NGINX_PORT}]</key>
</item>
</graph_item>
<graph_item>
<sortorder>1</sortorder>
<drawtype>0</drawtype>
<color>0000C8</color>
<yaxisside>0</yaxisside>
<calc_fnc>2</calc_fnc>
<type>0</type>
<item>
<host>Template App Nginx</host>
<key>nginx.reading[{HOST.IP},{$NGINX_PORT}]</key>
</item>
</graph_item>
<graph_item>
<sortorder>2</sortorder>
<drawtype>0</drawtype>
<color>C80000</color>
<yaxisside>0</yaxisside>
<calc_fnc>2</calc_fnc>
<type>0</type>
<item>
<host>Template App Nginx</host>
<key>nginx.waiting[{HOST.IP},{$NGINX_PORT}]</key>
</item>
</graph_item>
<graph_item>
<sortorder>3</sortorder>
<drawtype>0</drawtype>
<color>C800C8</color>
<yaxisside>0</yaxisside>
<calc_fnc>2</calc_fnc>
<type>0</type>
<item>
<host>Template App Nginx</host>
<key>nginx.writing[{HOST.IP},{$NGINX_PORT}]</key>
</item>
</graph_item>
</graph_items>
</graph>
<graph>
<name>Nginx Requests Statistics</name>
<width>900</width>
<height>200</height>
<yaxismin>0.0000</yaxismin>
<yaxismax>100.0000</yaxismax>
<show_work_period>1</show_work_period>
<show_triggers>1</show_triggers>
<type>0</type>
<show_legend>1</show_legend>
<show_3d>0</show_3d>
<percent_left>0.0000</percent_left>
<percent_right>0.0000</percent_right>
<ymin_type_1>0</ymin_type_1>
<ymax_type_1>0</ymax_type_1>
<ymin_item_1>0</ymin_item_1>
<ymax_item_1>0</ymax_item_1>
<graph_items>
<graph_item>
<sortorder>0</sortorder>
<drawtype>5</drawtype>
<color>00C800</color>
<yaxisside>0</yaxisside>
<calc_fnc>2</calc_fnc>
<type>0</type>
<item>
<host>Template App Nginx</host>
<key>nginx.handled[{HOST.IP},{$NGINX_PORT}]</key>
</item>
</graph_item>
<graph_item>
<sortorder>1</sortorder>
<drawtype>0</drawtype>
<color>0000C8</color>
<yaxisside>0</yaxisside>
<calc_fnc>2</calc_fnc>
<type>0</type>
<item>
<host>Template App Nginx</host>
<key>nginx.accepted[{HOST.IP},{$NGINX_PORT}]</key>
</item>
</graph_item>
<graph_item>
<sortorder>2</sortorder>
<drawtype>0</drawtype>
<color>C80000</color>
<yaxisside>0</yaxisside>
<calc_fnc>2</calc_fnc>
<type>0</type>
<item>
<host>Template App Nginx</host>
<key>nginx.total[{HOST.IP},{$NGINX_PORT}]</key>
</item>
</graph_item>
</graph_items>
</graph>
</graphs>
</zabbix_export>


@ -0,0 +1,18 @@
# For all the following commands HOME should be set to the directory that has .my.cnf file with password information.
# Flexible parameter to grab global variables. On the frontend side, use keys like mysql.status[Com_insert].
# Key syntax is mysql.status[variable].
UserParameter=mysql.status[*],echo "show global status where Variable_name='$1';" | HOME=/var/lib/zabbix mysql -N | awk '{print $$2}'
# Flexible parameter to determine database or table size. On the frontend side, use keys like mysql.size[zabbix,history,data].
# Key syntax is mysql.size[<database>,<table>,<type>].
# Database may be a database name or "all". Default is "all".
# Table may be a table name or "all". Default is "all".
# Type may be "data", "index", "free" or "both". Both is a sum of data and index. Default is "both".
# Database is mandatory if a table is specified. Type may be specified always.
# Returns value in bytes.
# 'sum' on data_length or index_length alone needed when we are getting this information for whole database instead of a single table
UserParameter=mysql.size[*],bash -c 'echo "select sum($(case "$3" in both|"") echo "data_length+index_length";; data|index) echo "$3_length";; free) echo "data_free";; esac)) from information_schema.tables$([[ "$1" = "all" || ! "$1" ]] || echo " where table_schema=\"$1\"")$([[ "$2" = "all" || ! "$2" ]] || echo "and table_name=\"$2\"");" | HOME=/var/lib/zabbix mysql -N'
UserParameter=mysql.ping,HOME=/var/lib/zabbix mysqladmin ping | grep -c alive
UserParameter=mysql.version,mysql -V
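Review bot: Every `mysql.status[*]` and `mysql.size[*]` argument is interpolated straight into SQL text (and, for `mysql.size`, into a `bash -c` string), so these items are only safe with the agent's default `UnsafeUserParameters=0`; a comment stating that dependency belongs in the header block. The header says credentials come from a `.my.cnf` under `HOME=/var/lib/zabbix`, but nothing records that the file must be mode `0600` and owned by `zabbix`, nor that the MySQL account it names should be a dedicated read-only user (it only needs to run `SHOW GLOBAL STATUS`, read `information_schema.tables` and answer `mysqladmin ping`) rather than the backup or application credentials — worth two comment lines so the install script creates it that way.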


@ -0,0 +1,21 @@
# in nginx config:
# location /nginx_status {
# # Turn on nginx stats
# stub_status on;
# # I do not need logs for stats
# access_log off;
# # Security: Only allow access from IP #
# allow $1;
# # Send rest of the world to /dev/null #
# deny all;
# }
UserParameter=nginx.accepted[*],/etc/zabbix/zabbix_agentd.scripts/nginx-stat.py -h $1 -p $2 -a accepted
UserParameter=nginx.active[*],/etc/zabbix/zabbix_agentd.scripts/nginx-stat.py -h $1 -p $2 -a active
UserParameter=nginx.handled[*],/etc/zabbix/zabbix_agentd.scripts/nginx-stat.py -h $1 -p $2 -a handled
UserParameter=nginx.reading[*],/etc/zabbix/zabbix_agentd.scripts/nginx-stat.py -h $1 -p $2 -a reading
UserParameter=nginx.total[*],/etc/zabbix/zabbix_agentd.scripts/nginx-stat.py -h $1 -p $2 -a requests
UserParameter=nginx.waiting[*],/etc/zabbix/zabbix_agentd.scripts/nginx-stat.py -h $1 -p $2 -a waiting
UserParameter=nginx.writing[*],/etc/zabbix/zabbix_agentd.scripts/nginx-stat.py -h $1 -p $2 -a writing
UserParameter=nginx.version,nginx -v 2>&1
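Review bot: The items call `nginx-stat.py` with `{HOST.IP}` and `{$NGINX_PORT}` from the template, so stub_status is queried on the host's routable address rather than 127.0.0.1, and the commented `allow $1; deny all;` block is the only thing keeping the counters private — yet neither vhost template in this commit contains a `/nginx_status` location, so the items will stay unsupported until one is added by hand. Consider a dedicated `server { listen 127.0.0.1:8080; location /nginx_status { stub_status on; allow 127.0.0.1; deny all; } }` with the macro defaulting to that port, or at least replace the `allow $1;` placeholder in the comment with an explicit instruction to add the location to the active vhost.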


@ -0,0 +1,7 @@
UserParameter=systemd.service.discovery,service_list=$(systemctl list-unit-files | grep service | grep enabled | awk '{print $1}' | sed -e 's/.service//' | grep -Ev 'getty|autovt');echo -n '{"data":[';for s in ${service_list}; do echo -n "{\"{#SERVICE}\": \"$s\"},";done | sed -e 's:\},$:\}:';echo -n ']}'
UserParameter=systemd.service.status[*],$(systemctl status $1 2>/dev/null | grep -Ei 'running|active \(exited\)|active \(running\)' > /dev/null) && echo 0 || echo 1
UserParameter=systemd.service.PID[*],systemctl status $1 2>/dev/null | grep 'Main PID' | cut -f2 -d: | awk '{print $$1}'
UserParameter=systemd.uptime,cat /proc/uptime | awk '{ print $1 }' | cut -f1 -d.
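Review bot: `systemd.service.status[*]` greps the whole `systemctl status` output for `running`, and that output ends with the unit's most recent journal lines, so a log message containing the word ("not running", "running out of space") makes a stopped service report 0; `systemctl is-active --quiet -- "$1" && echo 0 || echo 1` asks systemd directly and still counts `active (exited)` as healthy. The `$( ... )` wrapper around the pipeline only works because an empty command line returns the status of the last command substitution, which is obscure and can simply be dropped. `systemd.service.PID[*]` likewise parses the human-readable `Main PID:` line; `systemctl show -p MainPID --value -- "$1"` gives the same number as stable machine output.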

23
addUserSite.sh → bin/_addUserSite.sh Normal file → Executable file

@ -2,6 +2,7 @@
# bachir soussi chiadmi
# TODO check if root
echo '\033[35m
__ _______ __________
@ -55,9 +56,6 @@ if [ "$_host_name" != "" ]; then
fi
done
cp "$_cwd"/assets/example.org.conf /etc/apache2/sites-available/"$_host_name".conf
sed -ir "s/example\.org/$_host_name/g" /etc/apache2/sites-available/"$_host_name".conf
#set proper right to user will handle the app
chown -R "$user":admin /home/"$user"/public_html
chown -R "$user":admin /home/"$user"/logs
@ -70,11 +68,13 @@ mkdir -p /var/www/"$_host_name"
ln -s /home/"$user"/public_html /var/www/"$_host_name"/public_html
ln -s /home/"$user"/logs /var/www/"$_host_name"/logs
# TODO create nginx vhost
# cp "$_cwd"/assets/example.org.conf /etc/apache2/sites-available/"$_host_name".conf
# sed -i -r "s/example\.org/$_host_name/g" /etc/apache2/sites-available/"$_host_name".conf
#activate the vhost
a2ensite "$_host_name".conf
# a2ensite "$_host_name".conf
#restart apache
service apache2 restart
# service apache2 restart
echo "\033[92;1mvhost $_host_name configured\033[Om"
@ -118,8 +118,9 @@ do
fi
done
# mysql> create user '$_dbname'@'localhost' identified by '$_pswd';
# mysql> create database $_dbname;
# mysql> grant all privileges on esadhar_eval.* to 'esadhar_eval'@'localhost';
# mysql> flush privileges;
if [ "$passok" = 1 ]; then
# mysql> create user '$_dbname'@'localhost' identified by '$_pswd';
# mysql> create database $_dbname;
# mysql> grant all privileges on esadhar_eval.* to 'esadhar_eval'@'localhost';
# mysql> flush privileges;
fi
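Review bot: The apache vhost copy, `a2ensite` and the apache restart are now commented out behind a `TODO create nginx vhost`, yet the script still prints `vhost $_host_name configured` afterwards, so a run reports success while no web server configuration was produced; either drop the message until the nginx path exists or make it `echo "\033[93;1mvhost $_host_name: nginx config not yet generated (TODO)\033[0m"`. As rendered, the new `if [ "$passok" = 1 ]; then ... fi` wraps only comment lines, which both dash and bash reject as a syntax error (an empty compound body) — it needs at least a `:` placeholder, and when the MySQL statements are revived `$_pswd` and `$_dbname` must not be interpolated into the SQL text as the sample does (which still grants on the hard-coded `esadhar_eval` rather than `$_dbname`). The script's body continues outside these hunks.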

30
bin/autoupdate.sh Executable file

@ -0,0 +1,30 @@
#!/bin/sh
echo '\033[35m
___ __ __ __ __ __
/ | __ __/ /_____ / / / /___ ____/ /___ _/ /____
/ /| |/ / / / __/ __ \ / / / / __ \/ __ / __ `/ __/ _ \
/ ___ / /_/ / /_/ /_/ / / /_/ / /_/ / /_/ / /_/ / /_/ __/
/_/ |_\__,_/\__/\____/ \____/ .___/\__,_/\__,_/\__/\___/
/_/
\033[0m'
# https://www.howtoforge.com/how-to-configure-automatic-updates-on-debian-wheezy
# https://www.bisolweb.com/tutoriels/serveur-vps-ovh-partie-5-installation-apticron/
if [ "$EUID" -ne 0 ]; then
echo "Please run as root"
exit
fi
echo "\033[35;1mInstalling apticron \033[0m"
apt-get --yes --force-yes install apticron
sleep 3
echo -n "Enter an email: "
read email
sed -i -r "s/EMAIL=\"root\"/EMAIL=\"$email\"/g" /etc/apticron/apticron.conf
# sed -i -r "s/# DIFF_ONLY=\"1\"/DIFF_ONLY=\"1\"/g" /etc/apticron/apticron.conf
sed -i -r "s/# NOTIFY_NEW=\"0\"/NOTIFY_NEW=\"0\"/g" /etc/apticron/apticron.conf
echo "\033[92;1mApticron installed and configured\033[0m"
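Review bot: The root check reads `$EUID` under `#!/bin/sh`; Debian's `sh` is dash, which does not set `EUID`, so `[ "" -ne 0 ]` fails with "Illegal number" and the script carries on as an unprivileged user instead of stopping — use `if [ "$(id -u)" -ne 0 ]; then` and `exit 1` rather than a bare `exit`, which returns success to the caller. The address read with `read email` (no `-r`) is spliced unescaped into a `sed` replacement, so a value containing `/` or `&` corrupts `/etc/apticron/apticron.conf`; escape it or rewrite the `EMAIL=` line with `printf`. `--force-yes` is deprecated and lets apt proceed with unauthenticated packages, which is exactly what an update-notification tool should not do — `--yes` alone is enough for a trusted repository.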

22
bin/dotfiles.sh Executable file

@ -0,0 +1,22 @@
#!/bin/sh
echo '\033[35m
____ __ _______ __
/ __ \____ / /_ / ____(_) /__ _____
/ / / / __ \/ __/ / /_ / / / _ \/ ___/
/ /_/ / /_/ / /_ / __/ / / / __(__ )
/_____/\____/\__/ /_/ /_/_/\___/____/
\033[0m'
#installing better prompt and some goodies
echo "\033[35;1mInstalling shell prompt for current user $USER \033[0m"
sleep 2
# get the current position
_cwd="$(pwd)"
# go to user home
cd
echo "cloning https://figureslibres.io/gogs/bachir/dotfiles-server.git"
git clone https://figureslibres.io/gogs/bachir/dotfiles-server.git ~/.dotfiles-server && cd ~/.dotfiles-server && ./install.sh && cd ~
source ~/.bashrc
# return to working directory
cd "$_cwd"
echo "\033[92;1mDot files installed for $USER\033[0m"
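Review bot: The script clones `dotfiles-server.git` from a remote over HTTPS and immediately executes its `install.sh` with the calling user's privileges, with no commit pinned and no checksum or signature checked, so whoever controls that repository (or can interpose on the TLS connection) controls this account; pin a tag or commit — `git -C ~/.dotfiles-server checkout <sha>` before `./install.sh` — or vendor the files into this repo's `assets/`. `source ~/.bashrc` is a bashism under `#!/bin/sh` (dash only knows `.`) and cannot affect the user's interactive shell from a child process anyway, so the line should be removed or replaced by a message telling the user to re-login.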

81
bin/email.sh Executable file

@ -0,0 +1,81 @@
#!/bin/sh
echo '\033[35m
__ ______ ______
/ |/ / | / _/ /
/ /|_/ / /| | / // /
/ / / / ___ |_/ // /___
/_/ /_/_/ |_/___/_____/
\033[0m'
echo "\033[35;1mEnable mail sending for php \033[0m"
if [ "$EUID" -ne 0 ]; then
echo "Please run as root"
exit
fi
# get the current position
_cwd="$(pwd)"
# check for assets forlder
_assets="$_cwd/assets"
if [ ! -d "$_assets" ]; then
_assets="$_cwd/../assets"
if [ ! -d "$_assets" ]; then
echo "!! can't find assets directory !!"
exit
fi
fi
# http://www.sycha.com/lamp-setup-debian-linux-apache-mysql-php#anchor13
sleep 2
apt-get --yes --force-yes install exim4
echo "\033[35;1mConfiguring EXIM4 \033[0m"
while [ "$configexim" != "y" ] && [ "$configexim" != "n" ]
do
echo -n "Should we configure exim4 ? [y|n] "
read configexim
done
if [ "$configexim" = "y" ]; then
echo "choose the first option :internet site; mail is sent and received directly using SMTP. Leave the other options as default exepted for domain name which should be valid domain name if you want your mails to not be considered as spam"
echo "press any key to continue."
read continu
dpkg-reconfigure exim4-config
else
echo 'exim not configured'
fi
systemctl enable exim4
systemctl restart exim4
# dkim spf
# https://debian-administration.org/article/718/DKIM-signing_outgoing_mail_with_exim4
echo "\033[35;1mConfiguring DKIM \033[0m"
while [ "$installdkim" != "y" ] && [ "$installdkim" != "n" ]
do
echo -n "Should we install dkim for exim4 ? [y|n] "
read installdkim
done
if [ "$installdkim" = "y" ]; then
echo -n "Choose a domain for dkim (same domain as you chose before for exim4): "
read domain
selector=$(date +%Y%m%d)
mkdir /etc/exim4/dkim
openssl genrsa -out /etc/exim4/dkim/"$domain"-private.pem 1024 -outform PEM
openssl rsa -in /etc/exim4/dkim/"$domain"-private.pem -out /etc/exim4/dkim/"$domain".pem -pubout -outform PEM
chown root:Debian-exim /etc/exim4/dkim/"$domain"-private.pem
chmod 440 /etc/exim4/dkim/"$domain"-private.pem
cp "$_assets"/exim4_dkim.conf /etc/exim4/conf.d/main/00_local_macros
sed -i -r "s/DOMAIN_TO_CHANGE/$domain/g" /etc/exim4/conf.d/main/00_local_macros
sed -i -r "s/DATE_TO_CHANGE/$selector/g" /etc/exim4/conf.d/main/00_local_macros
update-exim4.conf
systemctl restart exim4
echo "please create a TXT entry in your dns zone : $selector._domainkey.$domain \n"
echo "your public key is : \n"
cat /etc/exim4/dkim/"$domain".pem
echo "press any key to continue."
read continu
else
echo 'dkim not installed'
fi
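Review bot: `openssl genrsa -out /etc/exim4/dkim/"$domain"-private.pem 1024 -outform PEM` generates a 1024-bit DKIM signing key; RFC 8301 tells signers to use at least 2048 bits and a number of verifiers now treat 1024-bit signatures as weak, so change the size argument to `2048`. `$domain` comes straight from `read domain` with no validation and is then used as a path component and as the replacement text in `sed -i -r "s/DOMAIN_TO_CHANGE/$domain/g"`, so a value containing `/`, `&` or `..` either breaks the edit or writes the key outside /etc/exim4/dkim; a POSIX guard such as `case "$domain" in ""|*[!A-Za-z0-9.-]*) echo "invalid domain"; exit 1;; esac` placed right after the read covers both. The same unvalidated-input-into-sed-and-paths pattern recurs with `_server_name` in ftp.sh, `sq` in knockd.sh, `_domain` in gitbarrerepos.sh and vhost.sh, and `_cur_ip`/`_host_name` in zabbix.sh. `mkdir /etc/exim4/dkim` has no `-p`, so a re-run fails there but the script continues regardless.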

26
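--- a/bin/fail2ban.sh
+++ b/bin/fail2ban.sh
@@ -0,0 +1,26 @@
+#!/bin/sh
+# TODO check if root
+echo -e '\033[35m
+______ _ _____ __
+/ ____/___ _(_) /__ \ / /_ ____ _____
+/ /_ / __ `/ / /__/ // __ \/ __ `/ __ \
+/ __/ / /_/ / / // __// /_/ / /_/ / / / /
+/_/ \__,_/_/_//____/_.___/\__,_/_/ /_/
+\033[0m'
+echo -e "\033[35;1mInstalling fall2ban \033[0m"
+if [ "$EUID" -ne 0 ]; then
+echo "Please run as root"
+exit
+fi
+sleep 2
+apt-get --yes --force-yes install fail2ban
+cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
+# ToDo ask for email and configure jail.local with it
+touch /var/log/auth.log
+systemctl enable fail2ban
+systemctl restart fail2ban
+echo -e "\033[92;1mfail2ban installed and configured\033[Om"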
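Review bot: `echo -e '\033[35m` relies on bash's `-e`, but under `#!/bin/sh` Debian's dash has no such option and prints a literal `-e` in front of the banner (it interprets the escapes regardless); drop the flag or use `printf '%b\n'`. The same `echo -e` under `#!/bin/sh` is in firewall.sh, gitbarrerepos.sh, knockd.sh, lemp.sh, misc.sh, mysqlbackup.sh, urbackup.sh, user.sh, vhost.sh and zabbix.sh. `cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local` freezes a full copy of the distribution defaults, so every later package change to jail.conf is masked; jail.local is meant to hold only overrides, e.g. `printf '[DEFAULT]\nbantime = 3600\n\n[sshd]\nenabled = true\n' > /etc/fail2ban/jail.local`. The closing line's reset sequence is `\033[Om` (capital O) rather than `\033[0m`, so the colour never resets; the same typo is in firewall.sh, knockd.sh, lemp.sh, misc.sh, ssh.sh, user.sh, vhost.sh and zabbix.sh.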

29
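--- a/bin/firewall.sh
+++ b/bin/firewall.sh
@@ -0,0 +1,29 @@
+#!/bin/sh
+# TODO check if root
+echo -e '\033[35m
+______________ _______ _____ __ __
+/ ____/ _/ __ \/ ____/ | / / | / / / /
+/ /_ / // /_/ / __/ | | /| / / /| | / / / /
+/ __/ _/ // _, _/ /___ | |/ |/ / ___ |/ /___/ /___
+/_/ /___/_/ |_/_____/ |__/|__/_/ |_/_____/_____/
+\033[0m'
+echo -e "\033[35;1mInstalling ufw and setup firewall (allowing only ssh and http) \033[0m"
+if [ "$EUID" -ne 0 ]; then
+echo "Please run as root"
+exit
+fi
+sleep 2
+apt-get --yes --force-yes install ufw
+# ufw allow ssh # knockd will open the ssh port
+ufw allow http
+ufw allow https
+# TODO ask for allowing ssh for some ip
+ufw enable
+ufw status verbose
+echo -e "\033[92;1mufw installed and firwall configured\033[Om"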
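Review bot: `ufw enable` activates the default-deny inbound policy with no rule for ssh, relying on knockd.sh having been run (and its service actually starting) first; on a remote host run in the other order, or with knockd failing, this locks the operator out of the box. Keep a rate-limited rule in place until the knock sequence has been verified from outside, `ufw limit ssh`, and remove it afterwards; `ufw enable` also prompts interactively about disrupting ssh sessions, so scripts normally call `ufw --force enable`. It would help to state the policy explicitly before enabling, `ufw default deny incoming` and `ufw default allow outgoing`, and to turn on `ufw logging on` so rejected connections are visible in syslog; the banner text "allowing only ssh and http" no longer matches what the rules do.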

61
bin/ftp.sh Executable file

@ -0,0 +1,61 @@
#!/bin/sh
echo '\033[35m
______ _______ _____
| ____|__ __| __ \
| |__ | | | |__) |
| __| | | | ___/
| | | | | |
|_| |_| |_|
\033[0m'
if [ "$EUID" -ne 0 ]
then echo "Please run as root"
exit
fi
# get the current position
_cwd="$(pwd)"
# check for assets forlder
_assets="$_cwd/assets"
if [ ! -d "$_assets" ]; then
_assets="$_cwd/../assets"
if [ ! -d "$_assets" ]; then
echo "!! can't find assets directory !!"
exit
fi
fi
echo "installing proftpd"
apt-get --yes --force-yes install proftpd
while [ "$_server_name" = "" ]
do
read -p "enter a server name ? " _server_name
if [ "$_server_name" != "" ]; then
read -p "is server name $_server_name correcte [y|n] " validated
if [ "$validated" = "y" ]; then
break
else
_server_name=""
fi
fi
done
echo "Configuring proftpd"
cp "$_assets"/proftpd.conf /etc/proftpd/conf.d/"$_server_name".conf
sed -i -r "s/example/$_server_name/g" /etc/proftpd/conf.d/"$_server_name".conf
ufw allow ftp
addgroup ftpuser
systemctl enable proftpd
systemctl restart proftpd
echo "ftp installtion done"
echo "to permit to a user to connect through ftp, add him to the ftpuser group by running : usermod -a -G ftpuser USERNAME"
echo "FTP users are jailed on their home by default"
# TODO : allow ssh/ftp connection only from given ips
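Review bot: `ufw allow ftp` exposes port 21 and nothing in this script enables TLS, so unless the `proftpd.conf` asset configures mod_tls, every ftpuser login sends its password across the network in cleartext; either require TLS in the asset (and say so in the closing message) or point users at SFTP if sshd is in use, which needs no extra daemon. Only port 21 is opened, so passive-mode data connections will be dropped unless the asset pins a PassivePorts range that is also allowed in ufw — worth confirming against the asset. `addgroup ftpuser` is unconditional and errors on a re-run; `getent group ftpuser >/dev/null || addgroup ftpuser` is the usual guard.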

4
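--- a/bin/genpass.sh
+++ b/bin/genpass.sh
@@ -0,0 +1,4 @@
+#!/bin/sh
+_pass="$(< /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c12)"
+echo "$_pass"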
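Review bot: `tr -dc _A-Z-a-z-0-9` writes the character set with dashes between the ranges, which a reader cannot tell apart from range operators and which tr implementations may parse differently; `tr -dc 'A-Za-z0-9_-'` spells the intended set unambiguously. The length is hard-coded at 12 characters, roughly 71 bits from this alphabet, and zabbix.sh inlines the same one-liner for a database password; a parameter with a larger default, `head -c"${1:-24}"`, lets callers ask for more without editing the script. `printf '%s\n' "$_pass"` is the safer output form since the alphabet includes `-` and a value starting with it can be taken as an echo option.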

129
bin/gitbarrerepos.sh Executable file

@ -0,0 +1,129 @@
#!/bin/sh
# bachir soussi chiadmi
# get the current position
_cwd="$(pwd)"
echo -e '\033[35m
_______ __
/ ____(_) /_
/ / __/ / __/
/ /_/ / / /_
\____/_/\__/
\033[0m'
echo -e "\033[35;1mCreate new git barre repos and deploy script\033[0m"
echo "Git barre repo will be installed in chosen user home directory"
echo "git prod repos will be installed in public_html directory of provided domain, the domain have to exists as shortcut in chosen user/www before running this script. Please run first vhost.sh script and say yes to the question create a shortcut !"
while [ "$vh" != "yes" ] && [ "$vh" != "no" ]
do
echo -n "Should we create a barre repo? [yes|no] "
read vh
# vh=${vh:-y}
done
if [ "$vh" = "yes" ]; then
# get the current position
_cwd="$(pwd)"
# check for assets forlder
_assets="$_cwd/assets"
if [ ! -d "$_assets" ]; then
_assets="$_cwd/../assets"
if [ ! -d "$_assets" ]; then
echo "!! can't find assets directory !!"
exit
fi
fi
# if $user var does not exists (vhost.sh ran directly) ask for it
if [ -z ${user+x} ]; then
while [ "$user" = "" ]
do
read -p "enter an existing user name ? " user
if [ "$user" != "" ]; then
# check if user already exists
if id "$user" >/dev/null 2>&1; then
read -p "is user name $user correcte [y|n] " validated
if [ "$validated" = "y" ]; then
break
else
user=""
fi
else
echo -e "user $user doesn't exists, you must provide an existing user"
user=""
fi
fi
done
fi
while [ "$_domain" = "" ]
do
read -p "enter a domain name ? " _domain
if [ "$_domain" != "" ]; then
read -p "is domain $_domain correcte [y|n] " validated
if [ "$validated" = "y" ]; then
break
else
_domain=""
fi
fi
done
# ask for simple php conf or drupal conf
while [ "$_drupal" != "yes" ] && [ "$_drupal" != "no" ]
do
echo -n "Is your site is a drupal one? [yes|no] "
read _drupal
done
# TODO check for /home/"$user"/www/"$_domain"
if [ ! -d /home/"$user"/www/"$_domain" ]; then
echo "/home/$user/www/$_domain does not exists !"
exit
fi
# setup bare repositorie to push to
mkdir /home/"$user"/git-repositories
mkdir /home/"$user"/git-repositories/"$_domain".git
cd /home/"$user"/git-repositories/"$_domain".git
git init --bare
echo "adding deploy script"
if [ "$_drupal" = "yes" ]; then
cp "$_assets"/deploy-drupal.sh /home/"$user"/www/"$_domain"/deploy.sh
else
cp "$_assets"/deploy-simple.sh /home/"$user"/www/"$_domain"/deploy.sh
fi
echo "creating hooks that will update the site repo"
# cp "$_assets"/git-pre-receive /home/"$user"/git-repositories/"$_domain".git/hooks/pre-receive
cp "$_assets"/git-post-receive /home/"$user"/git-repositories/"$_domain".git/hooks/post-receive
# sed -i -r "s/PRODDIR=\"www\"/PRODDIR=/home/$user/www/$_domain/g" /home/"$user"/git-repositories/"$_domain".git/hooks/pre-receive
sed -i -r "s#PRODDIR=\"www\"#PRODDIR=\"/home/$user/www/$_domain\"#g" /home/"$user"/git-repositories/"$_domain".git/hooks/post-receive
chown -R "$user":"$user" /home/"$user"/git-repositories
cd /home/"$user"/git-repositories/"$_domain".git/hooks/
chmod +x post-receive # pre-receive
# setup git repo on site folder
cd /home/"$user"/www/"$_domain"/public_html
git init
# link to the bare repo
git remote add origin /home/"$user"/git-repositories/"$_domain".git
chown -R "$user":"$user" /home/"$user"/www/"$_domain"/public_html
cd "$_cwd"
# done
echo "git repos for $_domain install succeed"
echo "your site stay now to /home/$user/www/$_domain"
echo "you can push updates on prod branch through $user@IP.IP.IP.IP:git-repositories/$_domain.git"
echo "* * *"
else
echo "Git barre repo creation aborted"
fi
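Review bot: `cd /home/"$user"/git-repositories/"$_domain".git` and later `cd /home/"$user"/www/"$_domain"/public_html` are not checked, and the `mkdir` calls before them have neither `-p` nor a status check, so when the directory cannot be created `git init --bare` / `git init` runs in whatever directory the script is sitting in; write `mkdir -p ...` and `cd ... || exit 1` for each. The script writes into another user's home as root and only `chown -R`s afterwards, yet it is the one installer with no root check at all (the `mkdir` under /home simply fails for a normal user). The `sed -i -r "s#PRODDIR=\"www\"#PRODDIR=\"/home/$user/www/$_domain\"#g"` edit also breaks if `$user` or `$_domain` contains `#`, since `#` is the delimiter here.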

56
bin/knockd.sh Executable file

@ -0,0 +1,56 @@
#!/bin/sh
# TODO check if root
echo -e '\033[35m
__ __ __
/ /______ ____ _____/ /______/ /
/ //_/ __ \/ __ \/ ___/ //_/ __ /
/ ,< / / / / /_/ / /__/ ,< / /_/ /
/_/|_/_/ /_/\____/\___/_/|_|\__,_/
\033[0m'
echo -e "\033[35;1mInstalling knockd to control ssh port opening\033[0m"
if [ "$EUID" -ne 0 ]; then
echo "Please run as root"
exit
fi
# get the current position
_cwd="$(pwd)"
# check for assets forlder
_assets="$_cwd/assets"
if [ ! -d "$_assets" ]; then
_assets="$_cwd/../assets"
if [ ! -d "$_assets" ]; then
echo "!! can't find assets directory !!"
exit
fi
fi
sleep 2
apt-get --yes --force-yes install knockd
mv /etc/knockd.conf /etc/knockd.conf.ori
cp "$_assets"/knockd.conf /etc/knockd.conf
echo -n "define a sequence number for opening ssh (as 7000,8000,9000) : "
read sq
sed -i "s/7000,8000,9000/$sq/g" /etc/knockd.conf
sed -i 's/START_KNOCKD=0/START_KNOCKD=1/g' /etc/default/knockd
# /etc/init.d/knockd start
# patch https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=868015
# TODO this line is buggy
echo "
# patch https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=868015
[Install]
WantedBy=multi-user.target
Alias=knockd.service" >> /lib/systemd/system/knockd.service
systemctl enable knockd
systemctl start knockd
echo -e "\033[92;1mknockd installed and configured\033[Om"
echo -e "\033[92;1mplease note this sequence for future ssh knocking\033[Om"
echo "$sq"
sleep 3
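Review bot: The `echo "... [Install] ..." >> /lib/systemd/system/knockd.service` block edits the package-owned unit, which dpkg overwrites on the next knockd upgrade, and its `Alias=knockd.service` aliases the unit to its own name — that is what the `# TODO this line is buggy` is seeing; `systemctl enable knockd` also runs without a `systemctl daemon-reload` after the file changed. Put the copy under /etc instead, which takes precedence over /lib and survives upgrades: `cp /lib/systemd/system/knockd.service /etc/systemd/system/knockd.service`, append the `[Install]` section with `WantedBy=multi-user.target` only to that file, then `systemctl daemon-reload` before enabling. `read sq` feeds `sed -i "s/7000,8000,9000/$sq/g"` unvalidated; `case "$sq" in ""|*[!0-9,]*) echo "invalid sequence"; exit 1;; esac` keeps a stray `/` or shell text out of /etc/knockd.conf, and `mv /etc/knockd.conf /etc/knockd.conf.ori` clobbers a previous `.ori` on re-runs.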

276
bin/lemp.sh Executable file

@ -0,0 +1,276 @@
#!/bin/sh
echo -e '\033[35m
__
/ /__ ____ ___ ____
/ / _ \/ __ `__ \/ __ \
/ / __/ / / / / / /_/ /
/_/\___/_/ /_/ /_/ .___/
/_/
\033[0m'
echo -e "\033[35;1mLEMP server (Nginx Mysql Php-fpm) \033[0m"
if [ "$EUID" -ne 0 ]; then
echo -e "Please run as root"
exit
fi
# get the current position
_cwd="$(pwd)"
# check for assets forlder
_assets="$_cwd/assets"
if [ ! -d "$_assets" ]; then
_assets="$_cwd/../assets"
if [ ! -d "$_assets" ]; then
echo "!! can't find assets directory !!"
exit
fi
fi
sleep 2
echo -e '\033[35m
__ ___ __
/ |/ /_ ___________ _/ /
/ /|_/ / / / / ___/ __ `/ /
/ / / / /_/ (__ ) /_/ / /
/_/ /_/\__, /____/\__, /_/
/____/ /_/
\033[0m'
echo -e "\033[35;1minstalling Mysql \033[0m"
sleep 3
apt-get --yes --force-yes install mariadb-server
mysql_secure_installation
cp "$_assets"/mysql/innodb-file-per-table.cnf /etc/mysql/conf.d/
systemctl enable mariadb.service
systemctl restart mariadb.service
echo -e "\033[92;1mmysql installed\033[Om"
echo -e '\033[35m
____ __ ______
/ __ \/ / / / __ \
/ /_/ / /_/ / /_/ /
/ ____/ __ / ____/
/_/ /_/ /_/_/
\033[0m'
echo -e "\033[35;1mInstalling PHP 7.0 \033[0m"
sleep 3
apt-get --yes --force-yes install php7.0-fpm php7.0-mysql php7.0-opcache php7.0-curl php7.0-mbstring php7.0-zip php7.0-xml php7.0-gd php7.0-mcrypt php-memcached php7.0-imagick
mv /etc/php/7.0/fpm/php.ini /etc/php/7.0/fpm/php.ini.back
cp "$_assets"/php-fpm.ini /etc/php/7.0/fpm/php.ini
echo -e "Configuring PHP"
mkdir /var/log/php
chown www-data /var/log/php
cp "$_assets"/logrotate-php /etc/logrotate.d/php
systemctl enable php7.0-fpm
systemctl start php7.0-fpm
# echo -e "Installing memecached"
# replaced by redis
# apt-get --yes --force-yes install memcached
# sed -i "s/-m\s64/-m 128/g" /etc/memcached.conf
#
# systemctl start memcached
echo -e "\033[92;1mphp installed\033[Om"
echo -e '\033[35m
_ __ _
/ | / /___ _(_)___ _ __
/ |/ / __ `/ / __ \| |/_/
/ /| / /_/ / / / / /> <
/_/ |_/\__, /_/_/ /_/_/|_|
/____/
\033[0m'
echo -e "\033[35;1mInstalling Nginx \033[0m"
sleep 3
apt-get --yes --force-yes install nginx
mv /etc/nginx/sites-available/default /etc/nginx/sites-available/default.ori
cp "$_assets"/default.nginxconf /etc/nginx/sites-available/default
systemctl enable nginx
systemctl restart nginx
echo -e "\033[92;1mNginx installed\033[Om"
echo -e '\033[35m
__ __ ___ ___ __ _
____ / /_ ____ / |/ /_ __/ | ____/ /___ ___ (_)___
/ __ \/ __ \/ __ \/ /|_/ / / / / /| |/ __ / __ `__ \/ / __ \
/ /_/ / / / / /_/ / / / / /_/ / ___ / /_/ / / / / / / / / / /
/ .___/_/ /_/ .___/_/ /_/\__, /_/ |_\__,_/_/ /_/ /_/_/_/ /_/
/_/ /_/ /____/
\033[0m'
echo -e "\033[35;1mInstalling phpMyAdmin \033[0m"
apt-get --yes --force-yes install phpmyadmin
ln -s /usr/share/phpmyadmin /var/www/html/
cp "$_assets"/nginx-phpmyadmin.conf > /etc/nginx/sites-available/phpmyadmin.conf
ln -s /etc/nginx/sites-available/phpmyadmin.conf /etc/nginx/sites-enabled/phpmyadmin.conf
# echo -e "\033[35;1msecuring phpMyAdmin \033[0m"
# sed -i "s/DirectoryIndex index.php/DirectoryIndex index.php\nAllowOverride all/"
# cp "$_assets"/phpmyadmin_htaccess > /usr/share/phpmyadmin/.htaccess
# echo -n "define a user name for phpmyadmin : "
# read un
# htpasswd -c /etc/phpmyadmin/.htpasswd $un
# service apache2 restart
echo -e "\033[92;1mphpMyAdmin installed\033[Om"
echo -e "\033[92;1mYou can access it at yourip/phpmyadmin\033[Om"
echo -e '\033[35m
____ ___
/ __ \___ ____/ (_)____
/ /_/ / _ \/ __ / / ___/
/ _, _/ __/ /_/ / (__ )
/_/ |_|\___/\__,_/_/____/
\033[0m'
echo -e "\033[35;1mInstalling Redis \033[0m"
sleep 3
apt-get --yes --force-yes install redis-server php-redis
# TODO set maxmemory=2gb
# TODO set maxmemory-policy=volatile-lru
# TODO comment all save line
systemctl enable redis-server
systemctl restart redis-server
systemctl restart php7.0-fpm
echo -e "\033[92;1mRedis installed\033[Om"
echo -e '\033[35m
______
/ ____/___ ____ ___ ____ ____ ________ _____
/ / / __ \/ __ `__ \/ __ \/ __ \/ ___/ _ \/ ___/
/ /___/ /_/ / / / / / / /_/ / /_/ (__ ) __/ /
\____/\____/_/ /_/ /_/ .___/\____/____/\___/_/
/_/
\033[0m'
echo -e "\033[35;1mInstalling Composer \033[0m"
sleep 3
export COMPOSER_HOME=/usr/local/composer
curl -sS https://getcomposer.org/installer | php -- --install-dir=/usr/local/bin --filename=composer
echo -e "\033[92;1mComposer installed\033[Om"
echo -e '\033[35m
____ __
/ __ \_______ _______/ /_
/ / / / ___/ / / / ___/ __ \
/ /_/ / / / /_/ (__ ) / / /
/_____/_/ \__,_/____/_/ /_/
\033[0m'
echo -e "\033[35;1mInstalling Drush and DrupalConsole\033[0m"
sleep 3
curl https://drupalconsole.com/installer -L -o /usr/local/bin/drupal
chmod +x /usr/local/bin/drupal
curl https://github.com/drush-ops/drush-launcher/releases/download/0.6.0/drush.phar -L -o /usr/local/bin/drush
chmod +x /usr/local/bin/drush
echo -e "\033[92;1mDrush and DrupalConsoleinstalled\033[Om"
# TODO supervising
# echo -e '\033[35m
# __ ___ _ __ __ __ ___ _
# / |/ /__ ___ (_) /_ _/_/ / |/ /_ _____ (_)__
# / /|_/ / _ \/ _ \/ / __/ _/_/ / /|_/ / // / _ \/ / _ \
# /_/ /_/\___/_//_/_/\__/ /_/ /_/ /_/\_,_/_//_/_/_//_/
# \033[0m'
# echo -e "\033[35;1mInstalling Munin \033[0m"
# sleep 3
# # https://www.howtoforge.com/tutorial/server-monitoring-with-munin-and-monit-on-debian/
# apt-get --yes --force-yes install munin munin-node munin-plugins-extra
# # Configure Munin
# # enable plugins
# ln -s /usr/share/munin/plugins/mysql_ /etc/munin/plugins/mysql_
# ln -s /usr/share/munin/plugins/mysql_bytes /etc/munin/plugins/mysql_bytes
# ln -s /usr/share/munin/plugins/mysql_innodb /etc/munin/plugins/mysql_innodb
# ln -s /usr/share/munin/plugins/mysql_isam_space_ /etc/munin/plugins/mysql_isam_space_
# ln -s /usr/share/munin/plugins/mysql_queries /etc/munin/plugins/mysql_queries
# ln -s /usr/share/munin/plugins/mysql_slowqueries /etc/munin/plugins/mysql_slowqueries
# ln -s /usr/share/munin/plugins/mysql_threads /etc/munin/plugins/mysql_threads
#
# ln -s /usr/share/munin/plugins/apache_accesses /etc/munin/plugins/
# ln -s /usr/share/munin/plugins/apache_processes /etc/munin/plugins/
# ln -s /usr/share/munin/plugins/apache_volume /etc/munin/plugins/
#
# # ln -s /usr/share/munin/plugins/fail2ban /etc/munin/plugins/
#
# # dbdir, htmldir, logdir, rundir, and tmpldir
# sed -i 's/^#dbdir/dbdir/' /etc/munin/munin.conf
# sed -i 's/^#htmldir/htmldir/' /etc/munin/munin.conf
# sed -i 's/^#logdir/logdir/' /etc/munin/munin.conf
# sed -i 's/^#rundir/rundir/' /etc/munin/munin.conf
# sed -i 's/^#tmpldir/tmpldir/' /etc/munin/munin.conf
#
# sed -i "s/^\[localhost.localdomain\]/[${HOSTNAME}]/" /etc/munin/munin.conf
#
# # ln -s /etc/munin/apache24.conf /etc/apache2/conf-enabled/munin.conf
# sed -i 's/Require local/Require all granted\nOptions FollowSymLinks SymLinksIfOwnerMatch/g' /etc/munin/apache24.conf
# htpasswd -c /etc/munin/munin-htpasswd admin
# sed -i 's/Require all granted/AuthUserFile \/etc\/munin\/munin-htpasswd\nAuthName "Munin"\nAuthType Basic\nRequire valid-user/g' /etc/munin/apache24.conf
#
#
# service apache2 restart
# service munin-node restart
# echo -e "\033[92;1mMunin installed\033[Om"
#
# echo -e "\033[35;1mInstalling Monit \033[0m"
# sleep 3
# # https://www.howtoforge.com/tutorial/server-monitoring-with-munin-and-monit-on-debian/2/
# apt-get --yes --force-yes install monit
# # TODO setup monit rc
# cat "$_assets"/monitrc > /etc/monit/monitrc
#
# # TODO setup webaccess
# passok=0
# while [ "$passok" = "0" ]
# do
# echo -n "Write web access password to monit"
# read passwda
# echo -n "ReWrite web access password to monit"
# read passwdb
# if [ "$passwda" = "$passwdb" ]; then
# sed -i 's/PASSWD_TO_REPLACE/$passwda/g' /etc/monit/monitrc
# passok=1
# else
# echo -e "pass words don't match, please try again"
# fi
# done
#
# # TODO setup mail settings
# sed -i "s/server1\.example\.com/$HOSTNAME/g" /etc/monit/monitrc
#
# mkdir /var/www/html/monit
# echo -e "hello" > /var/www/html/monit/token
#
# service monit start
#
# echo -e "\033[92;1mMonit installed\033[Om"
# echo -e '\033[35m
# ___ __ __
# / |_ _______/ /_____ _/ /_
# / /| | | /| / / ___/ __/ __ `/ __/
# / ___ | |/ |/ (__ ) /_/ /_/ / /_
# /_/ |_|__/|__/____/\__/\__,_/\__/
# \033[0m'
# echo -e "\033[35;1mInstalling Awstat \033[0m"
# sleep 3
# apt-get --yes --force-yes install awstats
# # Configure AWStats
# temp=`grep -i sitedomain /etc/awstats/awstats.conf.local | wc -l`
# if [ $temp -lt 1 ]; then
# echo SiteDomain="$_domain" >> /etc/awstats/awstats.conf.local
# fi
# # Disable Awstats from executing every 10 minutes. Put a hash in front of any line.
# sed -i 's/^[^#]/#&/' /etc/cron.d/awstats
# echo -e "\033[92;1mAwstat installed\033[Om"
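Review bot: `cp "$_assets"/nginx-phpmyadmin.conf > /etc/nginx/sites-available/phpmyadmin.conf` is a shell redirection, not a destination argument: cp exits with a usage error and the redirect leaves an empty phpmyadmin.conf that is then symlinked into sites-enabled, so the phpMyAdmin vhost is never configured; the line should be `cp "$_assets"/nginx-phpmyadmin.conf /etc/nginx/sites-available/phpmyadmin.conf`. The "securing phpMyAdmin" block under it is entirely commented out, so the admin login page the script advertises at yourip/phpmyadmin stands on the public port with only the database password in front of it; a source-IP restriction or HTTP auth in the nginx conf deserves at least a TODO next to the fix. `curl -sS https://getcomposer.org/installer | php` and the two `curl ... -L -o /usr/local/bin/...` downloads install executables with no checksum or signature check even though each project publishes one (Composer's installer page documents its SHA-384); pin a release and verify before `chmod +x`. The `# TODO set maxmemory` items for Redis are not addressed, and the `--force-yes` / `\033[Om` issues already noted elsewhere recur throughout this file.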

30
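--- a/bin/misc.sh
+++ b/bin/misc.sh
@@ -0,0 +1,30 @@
+#!/bin/sh
+echo -e '\033[35m
+__ ____
+/ |/ (_)_________
+/ /|_/ / / ___/ ___/
+/ / / / (__ ) /__
+/_/ /_/_/____/\___/
+\033[0m'
+if [ "$EUID" -ne 0 ]; then
+echo "Please run as root"
+exit
+fi
+sleep 2
+apt-get --yes --force-yes install vim curl
+sed -i "s/^# en_GB.UTF-8/en_GB.UTF-8/g" /etc/locale.gen
+locale-gen
+apt-get --yes --force-yes install ntp
+dpkg-reconfigure tzdata
+apt-get --yes --force-yes install tmux etckeeper needrestart htop lynx unzip
+# TODO cron
+# https://askubuntu.com/questions/56683/where-is-the-cron-crontab-log/121560#121560
+echo -e "\033[92;1mMisc done \033[Om"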

42
bin/mysqlbackup.sh Executable file

@ -0,0 +1,42 @@
#!/bin/sh
echo -e '\033[35m
__ __ _ ___ _
| \/ |_ _ ___ __ _| | | _ ) __ _ __| |___ _ _ __ ___
| |\/| | || (_-</ _ | | | _ \/ _ / _| / / || | _ (_-<
|_| |_|\_, /__/\__, |_| |___/\__,_\__|_\_\\_,_| .__/__/
|__/ |_| |_|
\033[0m'
if [ "$EUID" -ne 0 ]; then
echo "Please run as root"
exit
fi
# get the current position
_cwd="$(pwd)"
# check for assets forlder
_assets="$_cwd/assets"
if [ ! -d "$_assets" ]; then
_assets="$_cwd/../assets"
if [ ! -d "$_assets" ]; then
echo "!! can't find assets directory !!"
exit
fi
fi
# adding the script
cp "$_assets"/mysqlbackup.sh /usr/local/bin/
chmod +x /usr/local/bin/mysqlbackup.sh
# configure
echo -n "Please provide the mysql root passwd : "
read _root_mysql_passwd
sed -i "s/ROOTPASSWD/$_root_mysql_passwd/g" /usr/local/bin/mysqlbackup.sh
# creating crontab
touch /var/spool/cron/crontabs/root
crontab -l > /tmp/mycron
echo "30 2 */2 * * /usr/local/bin/mysqlbackup.sh" >> /tmp/mycron
crontab /tmp/mycron
rm /tmp/mycron
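Review bot: `sed -i "s/ROOTPASSWD/$_root_mysql_passwd/g" /usr/local/bin/mysqlbackup.sh` bakes the MySQL root password into a script that `cp` created with the default umask (typically 0755 once `chmod +x` is applied), so any local account can read it, and the password also sits in sed's argv, visible in `ps`, while the substitution runs. At minimum `chmod 700 /usr/local/bin/mysqlbackup.sh` after the edit; better is to have the backup script read credentials from a 0600 option file via `--defaults-extra-file`, which also removes the sed and the `/`/`&` breakage a password containing those characters causes. `read _root_mysql_passwd` echoes the password to the terminal as it is typed; wrap it in `stty -echo` / `stty echo`. `crontab -l > /tmp/mycron` uses a fixed, predictable name in a world-writable directory — use `mktemp` — and `crontab -l` fails on an empty crontab, so `crontab -l 2>/dev/null > "$tmp"` is the usual form.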

21
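--- a/bin/ssh.sh
+++ b/bin/ssh.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+echo '\033[35m
+__________ __ __
+/ ___/ ___// / / /
+\__ \\__ \/ /_/ /
+___/ /__/ / __ /
+/____/____/_/ /_/
+\033[0m'
+if [ "$EUID" -ne 0 ]; then
+echo "Please run as root"
+exit
+fi
+sed -i 's/PermitRootLogin\ yes/PermitRootLogin no/g' /etc/ssh/sshd_config
+sed -i 's/PermitEmptyPasswords\ yes/PermitEmptyPasswords no/g' /etc/ssh/sshd_config
+sed -i 's/Protocol\ [0-9]/Protocol 2/g' /etc/ssh/sshd_config
+systemctl reload ssh
+echo "\033[92;1mSSH secured\033[Om"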
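Review bot: The three `sed -i` substitutions only fire if sshd_config already holds the exact active lines `PermitRootLogin yes`, `PermitEmptyPasswords yes` and `Protocol N`; on Debian's stock file those directives are commented out (`#PermitRootLogin prohibit-password`, `#PermitEmptyPasswords no`) and there is no Protocol line at all on OpenSSH 7.4+, so the script changes nothing and root login with a key stays permitted while "SSH secured" is printed. Rewrite the directive whatever its current state, `sed -i 's/^#\{0,1\}PermitRootLogin .*/PermitRootLogin no/' /etc/ssh/sshd_config` (same for PermitEmptyPasswords), and append it if no line matched at all. Validate before reloading, `sshd -t && systemctl reload ssh`, so a bad edit cannot take the daemon down on a remote host.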

20
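--- a/bin/upgrade.sh
+++ b/bin/upgrade.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+# TODO check if root
+echo '\033[35m
+__ ______ __________ ___ ____ ______
+/ / / / __ \/ ____/ __ \/ | / __ \/ ____/
+/ / / / /_/ / / __/ /_/ / /| | / / / / __/
+/ /_/ / ____/ /_/ / _, _/ ___ |/ /_/ / /___
+\____/_/ \____/_/ |_/_/ |_/_____/_____/
+\033[0m'
+if [ "$EUID" -ne 0 ]; then
+echo "Please run as root"
+exit
+fi
+apt-get update
+apt-get dist-upgrade
+needrestart -rl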

82
bin/urbackup.sh Executable file
View File

@ -0,0 +1,82 @@
#!/bin/sh
echo -e '\033[35m
_ _ _ _ ___ _ _ _
| | | |_ _| |__ __ _ __| |___ _ _ __ / __| | (_)___ _ _| |_
| |_| | _| _ \/ _` / _| / / || | _ \ | (__| |__| / -_) \ _|
\___/|_| |_.__/\__,_\__|_\_\\_,_| .__/ \___|____|_\___|_||_\__|
|_|
\033[0m'
if [ "$EUID" -ne 0 ]; then
echo "Please run as root"
exit
fi
# get the current position
_cwd="$(pwd)"
# check for assets forlder
_assets="$_cwd/assets"
if [ ! -d "$_assets" ]; then
_assets="$_cwd/../assets"
if [ ! -d "$_assets" ]; then
echo "!! can't find assets directory !!"
exit
fi
fi
# install urbackup client
# https://www.urbackup.org/client_debian_ubuntu_install.html
# https://blog.stephane-huc.net/systeme/debian/urbackup_client_gui
# https://urbackup.atlassian.net/wiki/spaces/US/pages/9142274/Headless+Linux+client+setup
# Install the dependencies UrBackup needs
apt install build-essential "g++" "libcrypto++-dev" libz-dev -y
# libwxgtk3.0-dev
# Download the UrBackup client source files and extract them
wget -P /tmp/ https://hndl.urbackup.org/Client/latest/urbackup-client-2.3.4.0.tar.gz
cd /tmp
tar xzf /tmp/urbackup-client-2.3.4.0.tar.gz
# Build the UrBackup client and install it
cd /tmp/urbackup-client-2.3.4.0
./configure --enable-headless
make -j4
make install
# Make sure that the UrBackup client backend runs correctly
# urbackupclientbackend -v info
# configure
echo -n "Please provide the urbackup-server's ip : "
read _ip
echo -n "Please provide the internet_authkey of server : "
read _authkey
echo -n "Please provide the computer name of this client : "
read _computername
echo "internet_server=$_ip
internet_server_port=55415
internet_authkey=$_authkey
internet_mode_enabled=true
internet_image_backups_def=false
default_dirs_def=/etc;var/www;/var/backups/mysql
startup_backup_delay_def=3
computername=$_computername" > /usr/local/var/urbackup/data/settings.cfg
# firewall
ufw allow from "$_ip" to any port 35621
ufw allow from "$_ip" to any port 35622
ufw allow from "$_ip" to any port 35623
# install and enable systemd service
cp "$_assets"/urbackup.service /etc/systemd/system/
chmod a+x /etc/systemd/system/urbackup.service
systemctl --system daemon-reload
systemctl start urbackup.service
systemctl enable urbackup.service
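Review bot: `default_dirs_def=/etc;var/www;/var/backups/mysql` is missing the leading slash on the second entry, so the web root is configured as a relative path and is unlikely to be backed up; write `/var/www`. The client is fetched with `wget -P /tmp/ https://hndl.urbackup.org/Client/latest/urbackup-client-2.3.4.0.tar.gz` and installed with `make install` as root with no checksum or signature check on the tarball; compare it against the value the project publishes for that release before `tar xzf`, and unpack into a `mktemp -d` directory rather than the fixed /tmp path. `read _authkey` echoes the server's shared secret to the terminal and `> /usr/local/var/urbackup/data/settings.cfg` writes it with the default umask; add `chmod 600 /usr/local/var/urbackup/data/settings.cfg` after the write. `chmod a+x /etc/systemd/system/urbackup.service` is unnecessary and makes systemd log a warning that the unit is marked executable; `make -j4` is also a guess at core count where `make -j"$(nproc)"` would do.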

48
bin/user.sh Executable file

@ -0,0 +1,48 @@
#!/bin/sh
echo -e '\033[35m
__ _______ __________
/ / / / ___// ____/ __ \
/ / / /\__ \/ __/ / /_/ /
/ /_/ /___/ / /___/ _, _/
\____//____/_____/_/ |_|
\033[0m'
echo -e "\033[35;1mCreate new user (you will be asked a user name and a password) \033[0m"
if [ "$EUID" -ne 0 ]; then
echo "Please run as root"
exit
fi
sleep 3
echo -n "Enter user name: "
read user
while [ "$user" = "" ]
do
read -p "enter a user name ? " user
if [ "$user" != "" ]; then
# check if user already exists
if id "$user" >/dev/null 2>&1; then
echo "user $user alreday exists, you must provide a non existing user name."
user=""
else
read -p "is user name $user correcte [y|n] " validated
if [ "$validated" = "y" ]; then
break
else
user=""
fi
fi
fi
done
# read -p "Continue? (Y/N): " confirm && [[ $confirm == [yY] || $confirm == [yY][eE][sS] ]] || exit 1
adduser "$user"
echo "adding $user to admin group and limiting su to the admin group"
groupadd admin
usermod -a -G admin "$user"
# allow admin group to su
dpkg-statoverride --update --add root admin 4750 /bin/su
echo -e "\033[92;1muser $user configured\033[Om"
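Review bot: `echo -n "Enter user name: "` followed by `read user` accepts the first answer without passing through the validation loop below, which only runs when the name is empty; an existing name then reaches `adduser "$user"`, which fails, and the script still adds the account to the admin group and installs the su override. Remove those two lines so `while [ "$user" = "" ]` is the only prompt, and stop on failure with `adduser "$user" || exit 1`. `groupadd admin` errors on re-runs too; `getent group admin >/dev/null || groupadd admin` is the usual guard, and `dpkg-statoverride --update --add` fails when an override for /bin/su already exists, which a second run will hit.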

153
bin/vhost.sh Executable file

@ -0,0 +1,153 @@
echo -e '\033[35m
__ __
_ __/ /_ ____ _____/ /_
| | / / __ \/ __ \/ ___/ __/
| |/ / / / / /_/ (__ ) /_
|___/_/ /_/\____/____/\__/
\033[0m'
echo -e "\033[35;1mNginx VHOST install \033[0m"
while [ "$vh" != "y" ] && [ "$vh" != "n" ]
do
echo -n "Should we install a vhost? [y|n] "
read vh
# vh=${vh:-y}
done
if [ "$vh" = "y" ]; then
# get the current position
_cwd="$(pwd)"
# check for assets forlder
_assets="$_cwd/assets"
if [ ! -d "$_assets" ]; then
_assets="$_cwd/../assets"
if [ ! -d "$_assets" ]; then
echo "!! can't find assets directory !!"
exit
fi
fi
while [ "$_domain" = "" ]
do
read -p "enter a domain name ? " _domain
if [ "$_domain" != "" ]; then
read -p "is domain $_domain correcte [y|n] " validated
if [ "$validated" = "y" ]; then
break
else
_domain=""
fi
fi
done
# ask for simple php conf or drupal conf
while [ "$_drupal" != "yes" ] && [ "$_drupal" != "no" ]
do
echo -n "Is your site is a drupal one? [yes|no] "
read _drupal
done
# ask for let's encrypt
while [ "$_letsencrypt" != "yes" ] && [ "$_letsencrypt" != "no" ]
do
echo -e "\033[35;1mLet's encrypt \033[0m"
echo -e "Let's encrypt needs a public registered domain name with proper DNS records ( A records or CNAME records for subdomains pointing to your server)."
echo -n "Should we install let's encrypt certificate with $_domain? [yes|no] "
read _letsencrypt
done
systemctl stop nginx
# lets'encrypt
# https://certbot.eff.org/lets-encrypt/debianstretch-nginx
if [ "$_letsencrypt" = "yes" ]; then
apt-get --yes --force-yes install certbot
certbot certonly --standalone -d "$_domain" --cert-name "$_domain"
# TODO stop the whole process if letsencrypt faile
mkdir -p /etc/nginx/ssl/certs/"$_domain"
openssl dhparam -out /etc/nginx/ssl/certs/"$_domain"/dhparam.pem 2048
# renewing
touch /var/spool/cron/crontabs/root
crontab -l > mycron
echo -e "0 3 * * * certbot renew --pre-hook 'systemctl stop nginx' --post-hook 'systemctl start nginx' --cert-name $_domain" >> mycron
crontab mycron
rm mycron
fi
if [ "$_drupal" = "yes" ]; then
if [ "$_letsencrypt" = "yes" ]; then
_conffile="drupal-ssl.nginxconf"
else
_conffile="drupal.nginxconf"
fi
else
if [ "$_letsencrypt" = "yes" ]; then
_conffile="simple-phpfpm-ssl.nginxconf"
else
_conffile="simple-phpfpm.nginxconf"
fi
fi
cp "$_assets/$_conffile" /etc/nginx/sites-available/"$_domain".conf
sed -i -r "s/DOMAIN\.LTD/$_domain/g" /etc/nginx/sites-available/"$_domain".conf
mkdir -p /var/www/"$_domain"/public_html
mkdir /var/www/"$_domain"/log
cp "$_assets/index.php" /var/www/"$_domain"/public_html/
sed -i -r "s/DOMAIN\.LTD/$_domain/g" /var/www/"$_domain"/public_html/index.php
#set proper right to user will handle the app
chown -R root:admin /var/www/"$_domain"/
chmod -R g+w /var/www/"$_domain"/
chmod -R g+r /var/www/"$_domain"/
# create a shortcut to the site
echo -n "Should we install a shortcut for a user? [Y|n] "
read yn
yn=${yn:-y}
if [ "$yn" = "Y" ] || [ "$yn" = "y" ]; then
# if $user var does not exists (vhost.sh ran directly) ask for it
if [ -z ${user+x} ]; then
while [ "$user" = "" ]
do
read -p "enter an existing user name ? " user
if [ "$user" != "" ]; then
# check if user already exists
if id "$user" >/dev/null 2>&1; then
read -p "is user name $user correcte [y|n] " validated
if [ "$validated" = "y" ]; then
break
else
user=""
fi
else
echo -e "user $user doesn't exists, you must provide an existing user"
user=""
fi
fi
done
fi
echo -e "shortcut will be installed for '$user'";
sleep 3
mkdir /home/"$user"/www/
chown "$user":admin /home/"$user"/www/
ln -s /var/www/"$_domain" /home/"$user"/www/"$_domain"
chown "$user":admin /home/"$user"/www/"$_domain"
else
echo -e 'no shortcut installed'
fi
# activate the vhost
ln -s /etc/nginx/sites-available/"$_domain".conf /etc/nginx/sites-enabled/"$_domain".conf
# restart nginx
systemctl start nginx
echo -e "\033[92;1mvhost $_domain configured \033[Om"
else
echo -e "Vhost installation aborted"
fi
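Review bot: The file has no shebang (it opens with `echo -e '\033[35m`) and no root check, yet it stops nginx, writes under /etc/nginx and /var/www and edits root's crontab; executed directly it is run as an sh script by the caller's shell, where `echo -e` prints a literal `-e`, so add `#!/bin/sh` and the `id -u` check used by the other installers. `certbot certonly --standalone -d "$_domain" --cert-name "$_domain"` is unchecked (the `# TODO stop the whole process if letsencrypt faile` admits it), so after a failure the script installs the `-ssl.nginxconf` referencing certificates that do not exist and nginx refuses to start at `systemctl start nginx`, leaving every existing vhost down; `certbot certonly ... || exit 1` is enough. `crontab -l > mycron` writes a relative file into whatever the current directory is and `crontab -l` fails on an empty crontab; use a `mktemp` file with `crontab -l 2>/dev/null`. `mkdir /home/"$user"/www/` and `mkdir /var/www/"$_domain"/log` have no `-p` and no status check, so a second vhost for the same user prints errors and carries on.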

117
bin/zabbix.sh Executable file

@ -0,0 +1,117 @@
#!/bin/sh
echo -e '\033[35m
_____ __ __ _
/__ / ____ _/ /_ / /_ (_) __
/ / / __ `/ __ \/ __ \/ / |/_/
/ /__/ /_/ / /_/ / /_/ / /> <
/____/\__,_/_.___/_.___/_/_/|_|
\033[0m'
if [ "$EUID" -ne 0 ]; then
echo "Please run as root"
exit
fi
# get the current position
_cwd="$(pwd)"
# check for assets forlder
_assets="$_cwd/assets"
if [ ! -d "$_assets" ]; then
_assets="$_cwd/../assets"
if [ ! -d "$_assets" ]; then
echo "!! can't find assets directory !!"
exit
fi
fi
wget -P /tmp/ http://repo.zabbix.com/zabbix/3.4/debian/pool/main/z/zabbix-release/zabbix-release_3.4-1+stretch_all.deb
dpkg -i /tmp/zabbix-release_3.4-1+stretch_all.deb
apt-get update -y
apt-get install zabbix-agent -y
# configure
echo -n "Please provide the current server's public ip : "
read _cur_ip
echo -n "Please provide the zabbix-server's ip : "
read _ip
echo -n "Please provide the hostname of this agent : "
read _host_name
echo -n "Please provide the mysql root password : "
read _root_mysql_passwd
_agent_conf_d="/etc/zabbix/zabbix_agentd.d" # for debian 8
if [ ! -d "$_agent_conf_d" ]; then
_agent_conf_d="/etc/zabbix/zabbix_agentd.conf.d" # for debian 9
fi
# configure zabbix agent
sed -i "s#Server=127.0.0.1#Server=$_ip#g" /etc/zabbix/zabbix_agentd.conf
sed -i "s#ServerActive=127.0.0.1#ServerActive=$_ip#g" /etc/zabbix/zabbix_agentd.conf
sed -i "s#Hostname=Zabbix server#Hostname=$_host_name#g" /etc/zabbix/zabbix_agentd.conf
# APT
# check for debian security updates
# not working : https://www.osso.nl/blog/zabbix-counting-security-updates
# https://github.com/theranger/zabbix-apt
# enable automatic update of apt
cp "$_assets"/zabbix/misc/02periodic /etc/apt/apt.conf.d/
cp "$_assets"/zabbix/apt.conf "$_agent_conf_d"/
# MYSQL
# https://serverfault.com/questions/737018/zabbix-user-parameter-mysql-status-setting-home
# create zabbix user home
mkdir /var/lib/zabbix
# generate random password for zabbix mysql user
_passwd="$(< /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c12)"
# add mysql credentials to zabbix home
printf "[client]\n
user=zabbix\n
password=$_passwd" > /var/lib/zabbix/.my.cnf
# create zabbix mysql user
mysql -uroot -p"$_root_mysql_passwd" -e "CREATE USER 'zabbix' IDENTIFIED BY '$_passwd';"
mysql -uroot -p"$_root_mysql_passwd" -e "GRANT USAGE ON *.* TO 'zabbix'@'localhost' IDENTIFIED BY '$_passwd';"
# add zabbix-agent parameter
cp "$_assets"/zabbix/userparameter_mysql.conf "$_agent_conf_d"/
# NGINX
# https://github.com/sfuerte/zbx-nginx
# nginxconf already included in default.nginxconf asset
sed -i "s/# allow CURRENT-SERVER-IP/allow $_cur_ip/g" /etc/nginx/sites-available/default
cp "$_assets"/zabbix/userparameter_nginx.conf "$_agent_conf_d"/
mkdir /etc/zabbix/zabbix_agentd.scripts
cp "$_assets"/zabbix/scripts/nginx-stat.py /etc/zabbix/zabbix_agentd.scripts/
chmod +x /etc/zabbix/zabbix_agentd.scripts/nginx-stat.py
echo -n "This is box is a proxmox CT? [Y|n] "
read yn
yn=${yn:-y}
if [ "$yn" = "Y" ] || [ "$yn" = "y" ]; then
cp "$_assets"/zabbix/proxmox-ct.conf "$_agent_conf_d"/
fi
# SYSTEMD
# https://github.com/MogiePete/zabbix-systemd-service-monitoring
cp "$_assets"/zabbix/userparameter_systemd_services.conf "$_agent_conf_d"/
# disble unused system units
systemctl disable rsync
systemctl disable systemd-timesyncd
# TODO add modules path to agent ??
# allow comm. port with zabbix-server
ufw allow from "$_ip" to any port 10050
ufw allow from "$_ip" to any port 22
# ufw allow from "$_ip" to any port 10051
# iptables -A INPUT -p tcp -m tcp --dport 10050 -j ACCEPT
systemctl restart zabbix-agent
systemctl enable zabbix-agent
echo -e "\033[92;1mZabbix-agent installed and configured, please add the host $_host_name in your zabbix-server \033[Om"
echo -e "\033[92;1mAnd import requested templates in assets/zabbix/templates/ \033[Om"
echo -e "\033[92;1mzabbix user mysql password is $_passwd \033[Om"
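Review bot: `/var/lib/zabbix/.my.cnf` is written by the `printf` with root's default umask (typically 0644), so the zabbix database password is readable by every local account while the agent, which runs as the zabbix user, is the one that needs it; follow the write with `chown zabbix:zabbix /var/lib/zabbix/.my.cnf` and `chmod 600 /var/lib/zabbix/.my.cnf`, and note the `\n` escapes plus literal newlines in that printf produce blank lines in the file. `CREATE USER 'zabbix' IDENTIFIED BY ...` without a host part creates `'zabbix'@'%'`, and the following `GRANT USAGE ON *.* TO 'zabbix'@'localhost' IDENTIFIED BY` creates a second, localhost-only account (MariaDB auto-creates on GRANT unless NO_AUTO_CREATE_USER is set), leaving a network-reachable account nothing uses; use `'zabbix'@'localhost'` in the CREATE USER and drop IDENTIFIED BY from the GRANT. The root password is passed as `-p"$_root_mysql_passwd"` on the mysql command line and so is visible in `ps` to other users during the call; `--defaults-extra-file=` with a 0600 file avoids that. The repository bootstrap is fetched over plain `http://repo.zabbix.com/...` and installed with `dpkg -i` unverified, and since that package is what installs the apt signing key the rest of the trust chain rests on it — fetch over https and check the published checksum. `ufw allow from "$_ip" to any port 22` opens ssh to the monitoring server's address and bypasses the knockd gating the other scripts rely on; a comment stating why the zabbix server needs ssh would help, or drop the rule if it does not.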


@ -1,64 +0,0 @@
#!/bin/sh
# bachir soussi chiadmi
# get the current position
_cwd="$(pwd)"
while [ "$_bare_name" = "" ]
do
read -p "enter the bare repos folder name ? " _host_name
if [ "$_bare_name" != "" ]; then
read -p "is bare folder name $_bare_name correcte [y|n] " validated
if [ "$validated" = "y" ]; then
break
else
_bare_name=""
fi
fi
done
while [ "$_prod_folder_path" = "" ]
do
read -p "enter the prod folder path folder name ? " _host_name
if [ "$_bare_name" != "" ]; then
read -p "is prod folder path $_prod_folder_path correcte [y|n] " validated
if [ "$validated" = "y" ]; then
break
else
_prod_folder_path=""
fi
fi
done
# setup bare repositorie to push to
mkdir ~/git-repositories
mkdir ~/git-repositories/"$_bare_name".git
cd ~/git-repositories/"$_bare_name".git
git init --bare
# setup git repo on site folder
cd "$_prod_folder_path"
git init
# link to the bare repo
git remote add origin /home/"$USER"/git-repositories/"$_bare_name".git
# create hooks that will update the site repo
cd ~
cp "$_cwd"/assets/git-pre-receive /home/"$USER"/git-repositories/"$_bare_name".git/hooks/pre-receive
cp "$_cwd"/assets/git-post-receive /home/"$USER"/git-repositories/"$_bare_name".git/hooks/post-receive
sed -ir "s/PRODDIR=\"www\"/PRODDIR=\/srv\/www\/$_bare_name\/public_html/g" /home/"$USER"/git-repositories/"$_bare_name".git/hooks/pre-receive
sed -ir "s/PRODDIR=\"www\"/PRODDIR=\/srv\/www\/$_bare_name\/public_html/g" /home/"$USER"/git-repositories/"$_bare_name".git/hooks/post-receive
cd /home/"$USER"/git-repositories/"$_bare_name".git/hooks/
chmod +x post-receive pre-receive
# done
echo "git repos for $_bare_name install succeed"
echo "your site stay now to /home/$USER/www/$_bare_name"
echo "you can push updates on prod branch through $USER@IP.IP.IP.IP:git-repositories/$_bare_name.git"
echo "* * *"


@ -1,627 +0,0 @@
#!/bin/sh
# bachir soussi chiadmi
#
# http://www.pontikis.net/blog/debian-9-stretch-rc3-web-server-setup-php7-mariadb
# http://web-74.com/blog/reseaux/gerer-le-deploiement-facilement-avec-git/
#
echo '\033[35m
____ __ _ _____
/ __ \___ / /_ (_)___ _____ / ___/___ ______ _____ _____
/ / / / _ \/ __ \/ / __ `/ __ \ \__ \/ _ \/ ___/ | / / _ \/ ___/
/ /_/ / __/ /_/ / / /_/ / / / / ___/ / __/ / | |/ / __/ /
/_____/\___/_.___/_/\__,_/_/ /_/ /____/\___/_/ |___/\___/_/
\033[0m'
echo "\033[35;1mThis script has been tested only on Linux Debian 9 \033[0m"
echo "Please run this script as root"
echo -n "Should we start? [Y|n] "
read yn
yn=${yn:-y}
if [ "$yn" != "y" ]; then
echo "aborting script!"
exit
fi
# get the current position
_cwd="$(pwd)"
echo '\033[35m
__ ______ __________ ___ ____ ______
/ / / / __ \/ ____/ __ \/ | / __ \/ ____/
/ / / / /_/ / / __/ /_/ / /| | / / / / __/
/ /_/ / ____/ /_/ / _, _/ ___ |/ /_/ / /___
\____/_/ \____/_/ |_/_/ |_/_____/_____/
\033[0m'
apt-get update
apt-get upgrade
echo '\033[35m
__ ____
/ |/ (_)_________
/ /|_/ / / ___/ ___/
/ / / / (__ ) /__
/_/ /_/_/____/\___/
\033[0m'
apt-get install vim
sed -i "s/^# en_GB.UTF-8/en_GB.UTF-8/g" /etc/locale.gen
locale-gen
apt-get install ntp
echo '\033[35m
______________ _______ _____ __ __
/ ____/ _/ __ \/ ____/ | / / | / / / /
/ /_ / // /_/ / __/ | | /| / / /| | / / / /
/ __/ _/ // _, _/ /___ | |/ |/ / ___ |/ /___/ /___
/_/ /___/_/ |_/_____/ |__/|__/_/ |_/_____/_____/
\033[0m'
echo "\033[35;1mInstalling ufw and setup firewall (allowing only ssh and http) \033[0m"
sleep 3
apt-get install ufw
# ufw allow ssh # knockd will open the ssh port
ufw allow http
ufw allow https
ufw enable
ufw status verbose
echo "\033[92;1mufw installed and firwall configured\033[Om"
echo '\033[35m
______ _ _____ __
/ ____/___ _(_) /__ \ / /_ ____ _____
/ /_ / __ `/ / /__/ // __ \/ __ `/ __ \
/ __/ / /_/ / / // __// /_/ / /_/ / / / /
/_/ \__,_/_/_//____/_.___/\__,_/_/ /_/
\033[0m'
echo "\033[35;1mInstalling fall2ban \033[0m"
apt-get install fail2ban
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
# ToDo ask for email and configure jail.local with it
service fail2ban restart
echo "\033[92;1mfail2ban installed and configured\033[Om"
echo '\033[35m
__ __ __
/ /______ ____ _____/ /______/ /
/ //_/ __ \/ __ \/ ___/ //_/ __ /
/ ,< / / / / /_/ / /__/ ,< / /_/ /
/_/|_/_/ /_/\____/\___/_/|_|\__,_/
\033[0m'
echo "\033[35;1mInstalling knockd \033[0m"
sleep 3
apt-get install knockd
echo -n "define a sequence number for opening (as 7000,8000,9000) : "
read sq1
echo -n "define a sequence number for closing (as 9000,8000,7000) : "
read sq2
sed -i "s/7000,8000,9000/$sq1/g" /etc/knockd.conf
sed -i "s/9000,8000,7000/$sq2/g" /etc/knockd.conf
sed -i 's/START_KNOCKD=0/START_KNOCKD=1/g' /etc/default/knockd
service knockd start
echo "\033[92;1mknockd installed and configured\033[Om"
echo "\033[92;1mplease note these sequences for future knocking\033[Om"
echo "opening : $sq1 ; closing : $sq2"
echo '\033[35m
__ _______ __________
/ / / / ___// ____/ __ \
/ / / /\__ \/ __/ / /_/ /
/ /_/ /___/ / /___/ _, _/
\____//____/_____/_/ |_|
\033[0m'
echo "\033[35;1mCreate new user (you will be asked a user name and a password) \033[0m"
sleep 3
echo -n "Enter user name: "
read user
# read -p "Continue? (Y/N): " confirm && [[ $confirm == [yY] || $confirm == [yY][eE][sS] ]] || exit 1
adduser "$user"
echo "adding $user to admin group and limiting su to the admin group"
groupadd admin
usermod -a -G admin "$user"
# allow admin group to su
dpkg-statoverride --update --add root admin 4750 /bin/su
echo "\033[92;1muser $user configured\033[Om"
echo '\033[35m
__ ______ ______
/ |/ / | / _/ /
/ /|_/ / /| | / // /
/ / / / ___ |_/ // /___
/_/ /_/_/ |_/___/_____/
\033[0m'
echo "\033[35;1mEnable mail sending for php \033[0m"
# http://www.sycha.com/lamp-setup-debian-linux-apache-mysql-php#anchor13
sleep 3
apt-get install exim4
echo "\033[35;1mConfiguring EXIM4 \033[0m"
while [ "$configexim" != "y" ] && [ "$configexim" != "n" ]
do
echo -n "Should we configure exim4 ? [y|n] "
read configexim
done
if [ "$configexim" = "y" ]; then
echo "choose the first option :internet site; mail is sent and received directly using SMTP. Leave the other options as default exepted for domain name which should be valid domain name if you want your mails to not be considered as spam"
echo "press any key to continue."
read continu
dpkg-reconfigure exim4-config
else
echo 'exim not configured'
fi
service exim4 restart
# dkim spf
# https://debian-administration.org/article/718/DKIM-signing_outgoing_mail_with_exim4
echo "\033[35;1mConfiguring DKIM \033[0m"
while [ "$installdkim" != "y" ] && [ "$installdkim" != "n" ]
do
echo -n "Should we install dkim for exim4 ? [y|n] "
read installdkim
done
if [ "$installdkim" = "y" ]; then
echo -n "Choose a domain for dkim (same domain as you chose before for exim4): "
read domain
selector=$(date +%Y%m%d)
mkdir /etc/exim4/dkim
openssl genrsa -out /etc/exim4/dkim/"$domain"-private.pem 1024 -outform PEM
openssl rsa -in /etc/exim4/dkim/"$domain"-private.pem -out /etc/exim4/dkim/"$domain".pem -pubout -outform PEM
chown root:Debian-exim /etc/exim4/dkim/"$domain"-private.pem
chmod 440 /etc/exim4/dkim/"$domain"-private.pem
cp "$_cwd"/assets/exima4_dkim.conf /etc/exim4/conf.d/main/00_local_macros
sed -ir "s/DOMAIN_TO_CHANGE/$domain/g" /etc/exim4/conf.d/main/00_local_macros
sed -ir "s/DATE_TO_CHANGE/$selector/g" /etc/exim4/conf.d/main/00_local_macros
update-exim4.conf
service exim4 restart
echo "please create a TXT entry in your dns zone : $selector._domainkey.$domain \n"
echo "your public key is : \n"
cat /etc/exim4/dkim/"$domain".pem
echo "press any key to continue."
read continu
else
echo 'dkim not installed'
fi
echo '\033[35m
__________ __ __
/ ___/ ___// / / /
\__ \\__ \/ /_/ /
___/ /__/ / __ /
/____/____/_/ /_/
\033[0m'
while [ "$securssh" != "y" ] && [ "$securssh" != "n" ]
do
echo -n "Securing ssh (disabling root login)? [y|n] "
read securssh
# securssh=${securssh:-y}
done
if [ "$securssh" = "y" ]; then
sed -i 's/PermitRootLogin\ yes/PermitRootLogin no/g' /etc/ssh/sshd_config
sed -i 's/PermitEmptyPasswords\ yes/PermitEmptyPasswords no/g' /etc/ssh/sshd_config
sed -i 's/Protocol\ [0-9]/Protocol 2/g' /etc/ssh/sshd_config
service ssh reload
echo "\033[92;1mSSH secured\033[Om"
else
echo 'root user can still conect through ssh'
fi
echo '\033[35m
______ _______ _____
| ____|__ __| __ \
| |__ | | | |__) |
| __| | | | ___/
| | | | | |
|_| |_| |_|
\033[0m'
echo -n "Should we install ftp server? [Y|n] "
read yn
yn=${yn:-y}
if [ "$yn" = "y" ]; then
echo "installing proftpd"
apt-get install proftpd
while [ "$_server_name" = "" ]
do
read -p "enter a server name ? " _server_name
if [ "$_server_name" != "" ]; then
read -p "is server name $_server_name correcte [y|n] " validated
if [ "$validated" = "y" ]; then
break
else
_server_name=""
fi
fi
done
echo "Configuring proftpd"
cp "$_cwd"/assets/proftpd.conf /etc/proftpd/conf.d/"$_server_name".conf
sed -ir "s/example/$_server_name/g" /etc/proftpd/conf.d/"$_server_name".conf
ufw allow ftp
addgroup ftpuser
echo "ftp installtion done"
echo "to permit to a user to connect through ftp, add him to the ftpuser group by running : usermod -a -G admin USERNAME"
echo "FTP users are jailed on their home by default"
fi
# TODO : allow ssh/ftp connection only from given ips
echo "\033[35;1mInstalling AMP web server \033[0m"
echo '\033[35m
__ ___ __
/ |/ /_ ___________ _/ /
/ /|_/ / / / / ___/ __ `/ /
/ / / / /_/ (__ ) /_/ / /
/_/ /_/\__, /____/\__, /_/
/____/ /_/
\033[0m'
echo "\033[35;1minstalling Mysql \033[0m"
sleep 3
apt-get install mariadb-server
mysql_secure_installation
systemctl restart mariadb.service
echo "\033[92;1mmysql installed\033[Om"
echo '\033[35m
___ __ ___
/ | ____ ____ ______/ /_ ___ |__ \
/ /| | / __ \/ __ `/ ___/ __ \/ _ \__/ /
/ ___ |/ /_/ / /_/ / /__/ / / / __/ __/
/_/ |_/ .___/\__,_/\___/_/ /_/\___/____/
/_/
\033[0m'
echo "\033[35;1mInstalling Apache2 \033[0m"
sleep 3
apt-get install apache2
a2enmod rewrite
# cp /etc/apache2/apache2.conf /etc/apache2/apache2.conf.back
# cat "$_cwd"/assets/apache2.conf > /etc/apache2/apache2.conf
# Change logrotate for Apache2 log files to keep 10 days worth of logs
sed -i 's/\tweekly/\tdaily/' /etc/logrotate.d/apache2
sed -i 's/\trotate .*/\trotate 10/' /etc/logrotate.d/apache2
# Remove Apache server information from headers.
sed -i 's/ServerTokens .*/ServerTokens Prod/' /etc/apache2/conf-enabled/security.conf
sed -i 's/ServerSignature .*/ServerSignature Off/' /etc/apache2/conf-enabled/security.conf
service apache2 restart
echo "\033[92;1mApache2 installed\033[Om"
echo '\033[35m
____ __ ______
/ __ \/ / / / __ \
/ /_/ / /_/ / /_/ /
/ ____/ __ / ____/
/_/ /_/ /_/_/
\033[0m'
echo "\033[35;1mInstalling PHP \033[0m"
sleep 3
apt-get install php7.0 php-pear php7-gd
echo "Configuring PHP"
cp "$_cwd"/assets/99-lamp-php.ini /etc/php/7.0/apache2/conf.d/
# conffile=/etc/php/7.0/apache2/conf.d/99-lamp-php.ini
# cp /etc/php/7.0/apache2/php.ini $conffile
# sed -i "s/max_execution_time\ =\ [0-9]\+/max_execution_time = 60/g" $conffile
# sed -i "s/max_input_time\ =\ [0-9]\+/max_input_time = 60/g" $conffile
# sed -i "s/memory_limit\ =\ [0-9]\+M/memory_limit = 512M/g" $conffile
# sed -i "s/;\?error_reporting\ =\ [^\n]\+/error_reporting = E_COMPILE_ERROR|E_RECOVERABLE_ERROR|E_ERROR|E_CORE_ERROR/g" $conffile
# sed -i "s/;\?display_errors\ =\ On/display_errors = Off/g" $conffile
# sed -i "s/;\?log_errors\ =\ Off/log_errors = On/g" $conffile
# echo "register_globals = Off" >> $conffile
# following command doesn't work, make teh change manualy
#sed -ri ":a;$!{N;ba};s/;\?\ \?error_log\ =\ [^\n]\+([^\n]*\n(\n|$))/error_log = \/var\/log\/php\/error.log\1/g" /etc/php5/apache2/php.ini
mkdir /var/log/php
chown www-data /var/log/php
cp "$_cwd"/assets/logrotate-php /etc/logrotate.d/php
apt-get install php7.0-mysql php7.0-curl php7.0-mbstring php7.0-zip php7.0-xml php7.0-gd php7.0-mcrypt php-memcached
apt-get install memcached
sed -i "s/-m\s64/-m 128/g" /etc/memcached.conf
systemctl start memcached
echo "\033[92;1mphp installed\033[Om"
echo '\033[35m
__ __ ___ ___ __ _
____ / /_ ____ / |/ /_ __/ | ____/ /___ ___ (_)___
/ __ \/ __ \/ __ \/ /|_/ / / / / /| |/ __ / __ `__ \/ / __ \
/ /_/ / / / / /_/ / / / / /_/ / ___ / /_/ / / / / / / / / / /
/ .___/_/ /_/ .___/_/ /_/\__, /_/ |_\__,_/_/ /_/ /_/_/_/ /_/
/_/ /_/ /____/
\033[0m'
echo "\033[35;1mInstalling phpMyAdmin \033[0m"
apt-get install phpmyadmin
# echo "include /etc/phpmyadmin/apache.conf" >> /etc/apache2/apache2.conf
ln -s /etc/phpmyadmin/apache.conf /etc/apache2/conf-available/phpmyadmin.conf
a2enconf phpmyadmin.conf
echo "\033[35;1msecuring phpMyAdmin \033[0m"
# sed -i "s/DirectoryIndex index.php/DirectoryIndex index.php\nAllowOverride all/"
cp "$_cwd"/assets/phpmyadmin_htaccess > /usr/share/phpmyadmin/.htaccess
echo -n "define a user name for phpmyadmin : "
read un
htpasswd -c /etc/phpmyadmin/.htpasswd $un
service apache2 restart
echo "\033[92;1mphpMyAdmin installed\033[Om"
echo "\033[92;1mYou can access it at yourip/phpmyadmin\033[Om"
echo '\033[35m
__ __
_ __/ /_ ____ _____/ /_
| | / / __ \/ __ \/ ___/ __/
| |/ / / / / /_/ (__ ) /_
|___/_/ /_/\____/____/\__/
\033[0m'
echo "\033[35;1mVHOST install \033[0m"
while [ "$vh" != "y" ] && [ "$vh" != "n" ]
do
echo -n "Should we install a vhost? [y|n] "
read vh
# vh=${vh:-y}
done
if [ "$vh" = "y" ]; then
while [ "$_host_name" = "" ]
do
read -p "enter a hostname ? " _host_name
if [ "$_host_name" != "" ]; then
read -p "is hostname $_host_name correcte [y|n] " validated
if [ "$validated" = "y" ]; then
break
else
_host_name=""
fi
fi
done
cp "$_cwd"/assets/example.org.conf /etc/apache2/sites-available/"$_host_name".conf
sed -ir "s/example\.org/$_host_name/g" /etc/apache2/sites-available/"$_host_name".conf
mkdir -p /srv/www/"$_host_name"/public_html
mkdir /srv/www/"$_host_name"/logs
#set proper right to user will handle the app
chown -R root:admin /srv/www/"$_host_name"/
chmod -R g+w /srv/www/"$_host_name"/
chmod -R g+r /srv/www/"$_host_name"/
# create a shortcut to the site
mkdir /home/"$user"/www/
chown "$user":admin /home/"$user"/www/
ln -s /srv/www/"$_host_name" /home/"$user"/www/"$_host_name"
#activate the vhost
a2ensite "$_host_name".conf
#restart apache
service apache2 restart
echo "\033[92;1mvhost $_host_name configured\033[Om"
else
echo "Vhost installation aborted"
fi
# TODO supervising
# echo '\033[35m
# __ ___ _ __ __ __ ___ _
# / |/ /__ ___ (_) /_ _/_/ / |/ /_ _____ (_)__
# / /|_/ / _ \/ _ \/ / __/ _/_/ / /|_/ / // / _ \/ / _ \
# /_/ /_/\___/_//_/_/\__/ /_/ /_/ /_/\_,_/_//_/_/_//_/
# \033[0m'
# echo "\033[35;1mInstalling Munin \033[0m"
# sleep 3
# # https://www.howtoforge.com/tutorial/server-monitoring-with-munin-and-monit-on-debian/
# apt-get install munin munin-node munin-plugins-extra
# # Configure Munin
# # enable plugins
# ln -s /usr/share/munin/plugins/mysql_ /etc/munin/plugins/mysql_
# ln -s /usr/share/munin/plugins/mysql_bytes /etc/munin/plugins/mysql_bytes
# ln -s /usr/share/munin/plugins/mysql_innodb /etc/munin/plugins/mysql_innodb
# ln -s /usr/share/munin/plugins/mysql_isam_space_ /etc/munin/plugins/mysql_isam_space_
# ln -s /usr/share/munin/plugins/mysql_queries /etc/munin/plugins/mysql_queries
# ln -s /usr/share/munin/plugins/mysql_slowqueries /etc/munin/plugins/mysql_slowqueries
# ln -s /usr/share/munin/plugins/mysql_threads /etc/munin/plugins/mysql_threads
#
# ln -s /usr/share/munin/plugins/apache_accesses /etc/munin/plugins/
# ln -s /usr/share/munin/plugins/apache_processes /etc/munin/plugins/
# ln -s /usr/share/munin/plugins/apache_volume /etc/munin/plugins/
#
# # ln -s /usr/share/munin/plugins/fail2ban /etc/munin/plugins/
#
# # dbdir, htmldir, logdir, rundir, and tmpldir
# sed -i 's/^#dbdir/dbdir/' /etc/munin/munin.conf
# sed -i 's/^#htmldir/htmldir/' /etc/munin/munin.conf
# sed -i 's/^#logdir/logdir/' /etc/munin/munin.conf
# sed -i 's/^#rundir/rundir/' /etc/munin/munin.conf
# sed -i 's/^#tmpldir/tmpldir/' /etc/munin/munin.conf
#
# sed -i "s/^\[localhost.localdomain\]/[${HOSTNAME}]/" /etc/munin/munin.conf
#
# # ln -s /etc/munin/apache24.conf /etc/apache2/conf-enabled/munin.conf
# sed -i 's/Require local/Require all granted\nOptions FollowSymLinks SymLinksIfOwnerMatch/g' /etc/munin/apache24.conf
# htpasswd -c /etc/munin/munin-htpasswd admin
# sed -i 's/Require all granted/AuthUserFile \/etc\/munin\/munin-htpasswd\nAuthName "Munin"\nAuthType Basic\nRequire valid-user/g' /etc/munin/apache24.conf
#
#
# service apache2 restart
# service munin-node restart
# echo "\033[92;1mMunin installed\033[Om"
#
# echo "\033[35;1mInstalling Monit \033[0m"
# sleep 3
# # https://www.howtoforge.com/tutorial/server-monitoring-with-munin-and-monit-on-debian/2/
# apt-get install monit
# # TODO setup monit rc
# cat "$_cwd"/assets/monitrc > /etc/monit/monitrc
#
# # TODO setup webaccess
# passok=0
# while [ "$passok" = "0" ]
# do
# echo -n "Write web access password to monit"
# read passwda
# echo -n "ReWrite web access password to monit"
# read passwdb
# if [ "$passwda" = "$passwdb" ]; then
# sed -i 's/PASSWD_TO_REPLACE/$passwda/g' /etc/monit/monitrc
# passok=1
# else
# echo "pass words don't match, please try again"
# fi
# done
#
# # TODO setup mail settings
# sed -i "s/server1\.example\.com/$HOSTNAME/g" /etc/monit/monitrc
#
# mkdir /var/www/html/monit
# echo "hello" > /var/www/html/monit/token
#
# service monit start
#
# echo "\033[92;1mMonit installed\033[Om"
# echo '\033[35m
# ___ __ __
# / |_ _______/ /_____ _/ /_
# / /| | | /| / / ___/ __/ __ `/ __/
# / ___ | |/ |/ (__ ) /_/ /_/ / /_
# /_/ |_|__/|__/____/\__/\__,_/\__/
# \033[0m'
# echo "\033[35;1mInstalling Awstat \033[0m"
# sleep 3
# apt-get install awstats
# # Configure AWStats
# temp=`grep -i sitedomain /etc/awstats/awstats.conf.local | wc -l`
# if [ $temp -lt 1 ]; then
# echo SiteDomain="$_host_name" >> /etc/awstats/awstats.conf.local
# fi
# # Disable Awstats from executing every 10 minutes. Put a hash in front of any line.
# sed -i 's/^[^#]/#&/' /etc/cron.d/awstats
# echo "\033[92;1mAwstat installed\033[Om"
# echo '\033[35m
# ______________ _______
# /_ __/ ____/ |/ / __ \
# / / / __/ / /|_/ / /_/ /
# / / / /___/ / / / ____/
# /_/ /_____/_/ /_/_/
# \033[0m'
# function check_tmp_secured {
# temp1=`grep -w "/var/tempFS /tmp ext3 loop,nosuid,noexec,rw 0 0" /etc/fstab | wc -l`
# temp2=`grep -w "tmpfs /tmp tmpfs rw,noexec,nosuid 0 0" /etc/fstab | wc -l`
# if [ $temp1 -gt 0 ] || [ $temp2 -gt 0 ]; then
# return 1
# else
# return 0
# fi
# } # End function check_tmp_secured
# function secure_tmp_tmpfs {
# cp /etc/fstab /etc/fstab.bak
# # Backup /tmp
# cp -Rpf /tmp /tmpbackup
# rm -rf /tmp
# mkdir /tmp
# mount -t tmpfs -o rw,noexec,nosuid tmpfs /tmp
# chmod 1777 /tmp
# echo "tmpfs /tmp tmpfs rw,noexec,nosuid 0 0" >> /etc/fstab
# # Restore /tmp
# cp -Rpf /tmpbackup/* /tmp/ >/dev/null 2>&1
# #Remove old tmp dir
# rm -rf /tmpbackup
# # Backup /var/tmp and link it to /tmp
# mv /var/tmp /var/tmpbackup
# ln -s /tmp /var/tmp
# # Copy the old data back
# cp -Rpf /var/tmpold/* /tmp/ >/dev/null 2>&1
# # Remove old tmp dir
# rm -rf /var/tmpbackup
# echo -e "\033[35;1m /tmp and /var/tmp secured using tmpfs. \033[0m"
# } # End function secure_tmp_tmpfs
# check_tmp_secured
# if [ $? = 0 ]; then
# secure_tmp_tmpfs
# else
# echo -e "\033[35;1mFunction canceled. /tmp already secured. \033[0m"
# fi
echo '\033[35m
____ __ _______ __
/ __ \____ / /_ / ____(_) /__ _____
/ / / / __ \/ __/ / /_ / / / _ \/ ___/
/ /_/ / /_/ / /_ / __/ / / / __(__ )
/_____/\____/\__/ /_/ /_/_/\___/____/
\033[0m'
#installing better prompt and some goodies for root
echo "\033[35;1mInstalling shell prompt for root \033[0m"
sleep 3
echo "cloning github.com/bachy/dotfiles-server"
git clone git://github.com/bachy/dotfiles-server.git ~/.dotfiles-server && cd ~/.dotfiles-server && ./install.sh && cd ~
source ~/.bashrc
echo "\033[92;1mDot files installed for root, you should installed them manually for $USER\033[0m"
# TODO add warning message on ssh connection if system needs updates
# TODO install and configure tmux
echo '\033[35m
___ __ __ __ __ __
/ | __ __/ /_____ / / / /___ ____/ /___ _/ /____
/ /| |/ / / / __/ __ \ / / / / __ \/ __ / __ `/ __/ _ \
/ ___ / /_/ / /_/ /_/ / / /_/ / /_/ / /_/ / /_/ / /_/ __/
/_/ |_\__,_/\__/\____/ \____/ .___/\__,_/\__,_/\__/\___/
/_/
\033[0m'
# https://www.howtoforge.com/how-to-configure-automatic-updates-on-debian-wheezy
# https://www.bisolweb.com/tutoriels/serveur-vps-ovh-partie-5-installation-apticron/
echo "\033[35;1mInstalling apticron \033[0m"
apt-get install apticron
sleep 3
echo -n "Enter an email: "
read email
sed -ir "s/EMAIL=\"root\"/EMAIL=\"$email\"/g" /etc/apticron/apticron.conf
# sed -ir "s/# DIFF_ONLY=\"1\"/DIFF_ONLY=\"1\"/g" /etc/apticron/apticron.conf
sed -ir "s/# NOTIFY_NEW=\"0\"/NOTIFY_NEW=\"0\"/g" /etc/apticron/apticron.conf
echo "\033[92;1mApticron installed and configured\033[0m"
echo '\033[35m
__
___ ____ ____/ /
/ _ \/ __ \/ __ /
/ __/ / / / /_/ /
\___/_/ /_/\__,_/
\033[0m'
echo "\033[35;1m* * script done * * \033[0m"

182
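--- a/install.sh
+++ b/install.sh
@@ -0,0 +1,182 @@
+#!/bin/sh
+# bachir soussi chiadmi
+#
+# http://www.pontikis.net/blog/debian-9-stretch-rc3-web-server-setup-php7-mariadb
+# http://web-74.com/blog/reseaux/gerer-le-deploiement-facilement-avec-git/
+#
+echo -e '\033[35m
+____ __ _ _____
+/ __ \___ / /_ (_)___ _____ / ___/___ ______ _____ _____
+/ / / / _ \/ __ \/ / __ `/ __ \ \__ \/ _ \/ ___/ | / / _ \/ ___/
+/ /_/ / __/ /_/ / / /_/ / / / / ___/ / __/ / | |/ / __/ /
+/_____/\___/_.___/_/\__,_/_/ /_/ /____/\___/_/ |___/\___/_/
+\033[0m'
+echo -e "\033[35;1mThis script has been tested only on Linux Debian 9 \033[0m"
+if [ "$EUID" -ne 0 ]; then
+echo -e "Please run as root"
+exit
+fi
+echo -n "Should we start? [Y|n] "
+read yn
+yn=${yn:-y}
+if [ "$yn" != "y" ]; then
+echo -e "aborting script!"
+exit
+fi
+# get the current position
+_cwd="$(pwd)"
+. bin/upgrade.sh
+. bin/misc.sh
+. bin/firewall.sh
+. bin/fail2ban.sh
+. bin/knockd.sh
+. bin/user.sh
+. bin/email.sh
+while [ "$securssh" != "yes" ] && [ "$securssh" != "no" ]
+do
+echo -n "Securing ssh (disabling root login)? [yes|no] "
+read securssh
+# securssh=${securssh:-y}
+done
+if [ "$securssh" = "yes" ]; then
+. bin/ssh.sh
+else
+echo -e 'root user can still conect through ssh'
+fi
+echo -n "Should we install ftp server? [Y|n] "
+read yn
+yn=${yn:-y}
+if [ "$yn" = "y" ]; then
+. bin/ftp.sh
+else
+echo -e 'ftp server not installed'
+fi
+while [ "$lemp" != "yes" ] && [ "$lemp" != "no" ]
+do
+echo -n "Should we install lemp ? [yes|no] "
+read lemp
+done
+if [ "$lemp" = "yes" ]; then
+. bin/lemp.sh
+else
+echo -e 'lemp server not installed'
+fi
+while [ "$_install_vhost" != "yes" ] && [ "$_install_vhost" != "no" ]
+do
+echo -n "Should we install a vhost ? [yes|no] "
+read _install_vhost
+done
+if [ "$_install_vhost" = "yes" ]; then
+. bin/vhost.sh
+else
+echo -e 'no vhost installed'
+fi
+while [ "$_install_zabbix_agent" != "yes" ] && [ "$_install_zabbix_agent" != "no" ]
+do
+echo -n "Should we install zabbix-agent ? [yes|no] "
+read _install_zabbix_agent
+done
+if [ "$_install_zabbix_agent" = "yes" ]; then
+. bin/zabbix.sh
+else
+echo -e 'zabbix-agent not installed'
+fi
+while [ "$_install_urbackup" != "yes" ] && [ "$_install_urbackup" != "no" ]
+do
+echo -n "Should we install urbackup client ? [yes|no] "
+read _install_urbackup
+done
+if [ "$_install_urbackup" = "yes" ]; then
+. bin/urbackup.sh
+else
+echo -e 'urbackup client not installed'
+fi
+. bin/dotfiles.sh
+# . bin/autoupdate.sh
+# echo -e '\033[35m
+# ______________ _______
+# /_ __/ ____/ |/ / __ \
+# / / / __/ / /|_/ / /_/ /
+# / / / /___/ / / / ____/
+# /_/ /_____/_/ /_/_/
+# \033[0m'
+# function check_tmp_secured {
+# temp1=`grep -w "/var/tempFS /tmp ext3 loop,nosuid,noexec,rw 0 0" /etc/fstab | wc -l`
+# temp2=`grep -w "tmpfs /tmp tmpfs rw,noexec,nosuid 0 0" /etc/fstab | wc -l`
+# if [ $temp1 -gt 0 ] || [ $temp2 -gt 0 ]; then
+# return 1
+# else
+# return 0
+# fi
+# } # End function check_tmp_secured
+# function secure_tmp_tmpfs {
+# cp /etc/fstab /etc/fstab.bak
+# # Backup /tmp
+# cp -Rpf /tmp /tmpbackup
+# rm -rf /tmp
+# mkdir /tmp
+# mount -t tmpfs -o rw,noexec,nosuid tmpfs /tmp
+# chmod 1777 /tmp
+# echo -e "tmpfs /tmp tmpfs rw,noexec,nosuid 0 0" >> /etc/fstab
+# # Restore /tmp
+# cp -Rpf /tmpbackup/* /tmp/ >/dev/null 2>&1
+# #Remove old tmp dir
+# rm -rf /tmpbackup
+# # Backup /var/tmp and link it to /tmp
+# mv /var/tmp /var/tmpbackup
+# ln -s /tmp /var/tmp
+# # Copy the old data back
+# cp -Rpf /var/tmpold/* /tmp/ >/dev/null 2>&1
+# # Remove old tmp dir
+# rm -rf /var/tmpbackup
+# echo -e "\033[35;1m /tmp and /var/tmp secured using tmpfs. \033[0m"
+# } # End function secure_tmp_tmpfs
+# check_tmp_secured
+# if [ $? = 0 ]; then
+# secure_tmp_tmpfs
+# else
+# echo -e "\033[35;1mFunction canceled. /tmp already secured. \033[0m"
+# fi
+# TODO add warning message on ssh connection if system needs updates
+# TODO install and configure tmux
+echo -e '\033[35m
+__
+___ ____ ____/ /
+/ _ \/ __ \/ __ /
+/ __/ / / / /_/ /
+\___/_/ /_/\__,_/
+\033[0m'
+echo -e "\033[35;1m* * script done * * \033[0m"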
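Review bot: The root check near the top of install.sh is not effective under the declared `#!/bin/sh`: on Debian 9 `/bin/sh` is dash, which does not set `$EUID`, so `[ "$EUID" -ne 0 ]` evaluates `[ "" -ne 0 ]`, prints an "Illegal number" error and returns non-zero, and the script carries on as an unprivileged user (the same shell also prints `-e` literally for every `echo -e`). A POSIX-safe check that also reports the refusal as a failure would be `if [ "$(id -u)" -ne 0 ]; then` followed by `exit 1` instead of the bare `exit`. The sourced `bin/*.sh` files are outside this hunk, so it cannot be seen here whether they rely on bash-only features too; if they do, switching the shebang to `#!/bin/bash` would be the alternative fix.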


@ -1,9 +0,0 @@
# setup user environment
echo "\033[35;1mInstalling shell prompt \033[0m"
sleep 3
git clone git://github.com/bachy/dotfiles-server.git ~/.dotfiles-server && cd ~/.dotfiles-server && ./install.sh
source ~/.bashrc
echo "done"
echo "* * *"


@ -1,4 +1,6 @@
# Install Lamp server and secure it on debian 9
# Install web server and secure it on debian 9
Fail2ban, Ufw, Proftpd, Knockd, Nginx, Mariadb, php7.0-fpm, redis, vhosts, git barre repos, zabbix-agent, dotfiles and more
## how to use it
on a fresh install
@ -11,15 +13,15 @@ apt-get install git
2 clone the repo
```
git clone https://github.com/bachy/debian-lamp.git
git clone https://figureslibres.io/gogs/bachir/debian-web-server.git
```
3 run the script as root
```
su
cd debian-lamp
chmod a+x install-debian-server.sh
./install-debian-server.sh
cd debian-web-server
chmod a+x install.sh
./install.sh
```