some updates

assets/deploy-drupal.sh

@@ -6,6 +6,7 @@ cd ./public_html
 echo ""
 echo "Pulling down latest code."
 git pull --ff-only origin prod
+git submodule update --init --recursive
 echo ""
 echo "Clearing drush caches."
 drush cache-clear drush

assets/drupal-ssl-decoupled.nginxconf

@@ -0,0 +1,157 @@
+# https://www.nginx.com/resources/wiki/start/topics/recipes/drupal/
+server {
+  listen 80;
+  listen [::]:80;
+  server_name DOMAIN.LTD;
+  return 301 https://$server_name$request_uri;
+}
+
+
+server {
+  listen 443 ssl;
+  listen [::]:443 ssl;
+  server_name DOMAIN.LTD;
+
+  #SSL Certificates
+  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+  ssl_certificate "/etc/letsencrypt/live/DOMAIN.LTD/fullchain.pem";
+  ssl_certificate_key "/etc/letsencrypt/live/DOMAIN.LTD/privkey.pem";
+  ssl_dhparam /etc/nginx/ssl/certs/DOMAIN.LTD/dhparam.pem;
+  ssl_session_cache shared:SSL:1m;
+  ssl_session_timeout 10m;
+  ssl_ciphers HIGH:!aNULL:!MD5;
+  #ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
+  ssl_prefer_server_ciphers  on;
+
+  add_header Strict-Transport-Security "max-age=31536000;
+  #includeSubDomains" always;
+
+  charset utf-8;
+
+  access_log on;
+  error_log /var/www/DOMAIN.LTD/log/error.log; # debug;
+
+  root /var/www/DOMAIN.LTD/app/src/dist/;
+
+  index index.php index.html index.htm;
+
+  location @app {
+    rewrite ^/(.*)$ /index.html;
+  }
+
+  location / {
+  	#alias /var/www/enfrancais.fr/app/web/;
+	  try_files $uri $uri/ @app;
+  }
+
+  location @api {
+      rewrite ^/api/(.*)$ /api/index.php;
+  }
+
+  location @rewrite {
+    rewrite ^/api/(.*)$ /index.php?q=$1;
+  }
+
+  location /api {
+  	alias /var/www/enfrancais.fr/api/src/web/;
+    try_files $uri $uri/ @api;
+
+    # In Drupal 8, we must also match new paths where the '.php' appears in
+    # the middle, such as update.php/selection. The rule we use is strict,
+    # and only allows this pattern with the update.php front controller.
+    # This allows legacy path aliases in the form of
+    # blog/index.php/legacy-path to continue to route to Drupal nodes. If
+    # you do not have any paths like that, then you might prefer to use a
+    # laxer rule, such as:
+    #   # location ~ \.php(/|$) {
+    # The laxer rule will continue to work if Drupal uses this new URL
+    # pattern with front controllers other than update.php in a future
+    # release.
+    #location ~ '\.php$|^/update.php' {
+    #location ~ \.php(/|$) {
+    location ~ \.php$ {
+      #fastcgi_split_path_info ^(.+\.php)(/.+)$;
+      #fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+      #fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+      include fastcgi_params;
+      #fastcgi_index index.php;
+      # Block httpoxy attacks. See https://httpoxy.org/.
+      #fastcgi_param HTTP_PROXY "";
+      #fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+      #fastcgi_param SCRIPT_FILENAME index.php;
+      fastcgi_param SCRIPT_FILENAME $request_filename;
+      #fastcgi_param REQUEST_URI $request_uri;
+      #fastcgi_param PATH_INFO $fastcgi_path_info;
+      #set $path_info $fastcgi_path_info;
+      #fastcgi_param PATH_INFO /;
+      #fastcgi_param QUERY_STRING $query_string;
+      #fastcgi_intercept_errors off;
+      #fastcgi_param DOCUMENT_ROOT /var/www/enfrancais.fr/api;
+      # fastcgi_buffer_size 16k;
+      # fastcgi_buffers 4 16k;
+      fastcgi_pass unix:/run/php/php8.2-fpm.sock;
+    }
+
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
+      try_files $uri @rewrite;
+      expires max;
+      log_not_found off;
+    }
+    location ~ \..*/.*\.php$ {
+      return 403;
+    }
+
+    location ~ ^/sites/.*/private/ {
+      return 403;
+    }
+
+    # Block access to scripts in site files directory
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+      deny all;
+    }
+
+    # Allow "Well-Known URIs" as per RFC 5785
+    location ~* ^/.well-known/ {
+        allow all;
+    }
+
+    # Block access to "hidden" files and directories whose names begin with a
+    # period. This includes directories used by version control systems such
+    # as Subversion or Git to store control files.
+    location ~ (^|/)\. {
+      return 403;
+    }
+
+    # Don't allow direct access to PHP files in the vendor directory.
+    location ~ /vendor/.*\.php$ {
+      deny all;
+      return 404;
+    }
+
+    location ~ /\.ht {
+      deny all;
+    }
+
+    sendfile off;
+
+    client_max_body_size 100m;
+
+    # Fighting with Styles? This little gem is amazing.
+    # location ~ ^/sites/.*/files/imagecache/ { # For Drupal <= 6
+    location ~ ^/sites/.*/files/styles/ { # For Drupal >= 7
+      try_files $uri @rewrite;
+    }
+
+    # Handle private files through Drupal. Private file's path can come
+    # with a language prefix.
+    location ~ ^(/[a-z\-]+)?/system/files/ { # For Drupal >= 7
+      try_files $uri /index.php?$query_string;
+    }
+
+  }
+
+  location = /favicon.ico { access_log off; log_not_found off; }
+
+  # website should not be displayed inside a <frame>, an <iframe> or an <object>
+  add_header X-Frame-Options SAMEORIGIN;
+}

assets/drupal-ssl.nginxconf

@@ -2,6 +2,7 @@
 # https://www.howtoforge.com/tutorial/install-letsencrypt-and-secure-nginx-in-debian-9/
 server {
   listen 80;
+  listen [::]:80;
   server_name DOMAIN.LTD;
   return 301 https://$server_name$request_uri;
 }
@@ -115,7 +116,7 @@ server {
     fastcgi_intercept_errors on;
     # fastcgi_buffer_size 16k;
     # fastcgi_buffers 4 16k;
-    fastcgi_pass unix:/run/php/php7.0-fpm.sock;
+    fastcgi_pass unix:/run/php/php8.1-fpm.sock;
   }
   # Fighting with Styles? This little gem is amazing.
   # location ~ ^/sites/.*/files/imagecache/ { # For Drupal <= 6

assets/drupal.nginxconf

@@ -1,117 +1,118 @@
 # https://www.nginx.com/resources/wiki/start/topics/recipes/drupal/
 server {
-    listen 80;
-    server_name DOMAIN.LTD;
-    root /var/www/DOMAIN.LTD/public_html;
+  listen 80;
+  listen [::]:80;
+  server_name DOMAIN.LTD;
+  root /var/www/DOMAIN.LTD/public_html;
 
-    charset utf-8;
+  charset utf-8;
 
-    location = /favicon.ico {
-      access_log off;
-      log_not_found off;
-    }
+  location = /favicon.ico {
+    access_log off;
+    log_not_found off;
+  }
 
-    location = /robots.txt  {
+  location = /robots.txt  {
+    allow all;
+    access_log off;
+    log_not_found off;
+  }
+
+  location ~ \..*/.*\.php$ {
+    return 403;
+  }
+
+  location ~ ^/sites/.*/private/ {
+    return 403;
+  }
+
+  # Block access to scripts in site files directory
+  location ~ ^/sites/[^/]+/files/.*\.php$ {
+    deny all;
+  }
+
+  # Allow "Well-Known URIs" as per RFC 5785
+  location ~* ^/.well-known/ {
       allow all;
-      access_log off;
-      log_not_found off;
-    }
+  }
 
-    location ~ \..*/.*\.php$ {
-      return 403;
-    }
+  # Block access to "hidden" files and directories whose names begin with a
+  # period. This includes directories used by version control systems such
+  # as Subversion or Git to store control files.
+  location ~ (^|/)\. {
+    return 403;
+  }
 
-    location ~ ^/sites/.*/private/ {
-      return 403;
-    }
+  location / {
+    # try_files $uri @rewrite; # For Drupal <= 6
+    try_files $uri /index.php?$query_string; # For Drupal >= 7
+  }
 
-    # Block access to scripts in site files directory
-    location ~ ^/sites/[^/]+/files/.*\.php$ {
-      deny all;
-    }
+  location @rewrite {
+    rewrite ^/(.*)$ /index.php?q=$1;
+  }
 
-    # Allow "Well-Known URIs" as per RFC 5785
-    location ~* ^/.well-known/ {
-        allow all;
-    }
+  # Don't allow direct access to PHP files in the vendor directory.
+  location ~ /vendor/.*\.php$ {
+    deny all;
+    return 404;
+  }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-      return 403;
-    }
+  location ~ /\.ht {
+    deny all;
+  }
 
-    location / {
-      # try_files $uri @rewrite; # For Drupal <= 6
-      try_files $uri /index.php?$query_string; # For Drupal >= 7
-    }
+  access_log on;
+  error_log /var/www/DOMAIN.LTD/log/error.log;
 
-    location @rewrite {
-      rewrite ^/(.*)$ /index.php?q=$1;
-    }
+  sendfile off;
 
-    # Don't allow direct access to PHP files in the vendor directory.
-    location ~ /vendor/.*\.php$ {
-      deny all;
-      return 404;
-    }
+  client_max_body_size 100m;
 
-    location ~ /\.ht {
-      deny all;
-    }
+  # In Drupal 8, we must also match new paths where the '.php' appears in
+  # the middle, such as update.php/selection. The rule we use is strict,
+  # and only allows this pattern with the update.php front controller.
+  # This allows legacy path aliases in the form of
+  # blog/index.php/legacy-path to continue to route to Drupal nodes. If
+  # you do not have any paths like that, then you might prefer to use a
+  # laxer rule, such as:
+  #   location ~ \.php(/|$) {
+  # The laxer rule will continue to work if Drupal uses this new URL
+  # pattern with front controllers other than update.php in a future
+  # release.
+  location ~ '\.php$|^/update.php' {
+    # fastcgi_split_path_info ^(.+\.php)(/.+)$;
+    fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+    include fastcgi_params;
+    # Block httpoxy attacks. See https://httpoxy.org/.
+    fastcgi_param HTTP_PROXY "";
+    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+    fastcgi_param PATH_INFO $fastcgi_path_info;
+    fastcgi_param QUERY_STRING $query_string;
+    fastcgi_intercept_errors on;
+    # fastcgi_buffer_size 16k;
+    # fastcgi_buffers 4 16k;
+    fastcgi_pass unix:/run/php/php8.2-fpm.sock;
+  }
+  # Fighting with Styles? This little gem is amazing.
+  # location ~ ^/sites/.*/files/imagecache/ { # For Drupal <= 6
+  location ~ ^/sites/.*/files/styles/ { # For Drupal >= 7
+    try_files $uri @rewrite;
+  }
 
-    access_log on;
-    error_log /var/www/DOMAIN.LTD/log/error.log;
+  # Handle private files through Drupal. Private file's path can come
+  # with a language prefix.
+  location ~ ^(/[a-z\-]+)?/system/files/ { # For Drupal >= 7
+    try_files $uri /index.php?$query_string;
+  }
 
-    sendfile off;
-
-    client_max_body_size 100m;
-
-    # In Drupal 8, we must also match new paths where the '.php' appears in
-    # the middle, such as update.php/selection. The rule we use is strict,
-    # and only allows this pattern with the update.php front controller.
-    # This allows legacy path aliases in the form of
-    # blog/index.php/legacy-path to continue to route to Drupal nodes. If
-    # you do not have any paths like that, then you might prefer to use a
-    # laxer rule, such as:
-    #   location ~ \.php(/|$) {
-    # The laxer rule will continue to work if Drupal uses this new URL
-    # pattern with front controllers other than update.php in a future
-    # release.
-    location ~ '\.php$|^/update.php' {
-      # fastcgi_split_path_info ^(.+\.php)(/.+)$;
-      fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
-      include fastcgi_params;
-      # Block httpoxy attacks. See https://httpoxy.org/.
-      fastcgi_param HTTP_PROXY "";
-      fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-      fastcgi_param PATH_INFO $fastcgi_path_info;
-      fastcgi_param QUERY_STRING $query_string;
-      fastcgi_intercept_errors on;
-      # fastcgi_buffer_size 16k;
-      # fastcgi_buffers 4 16k;
-      fastcgi_pass unix:/run/php/php7.0-fpm.sock;
-    }
-    # Fighting with Styles? This little gem is amazing.
-    # location ~ ^/sites/.*/files/imagecache/ { # For Drupal <= 6
-    location ~ ^/sites/.*/files/styles/ { # For Drupal >= 7
-      try_files $uri @rewrite;
-    }
-
-    # Handle private files through Drupal. Private file's path can come
-    # with a language prefix.
-    location ~ ^(/[a-z\-]+)?/system/files/ { # For Drupal >= 7
-      try_files $uri /index.php?$query_string;
-    }
-
-    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
-      try_files $uri @rewrite;
-      expires max;
-      log_not_found off;
-    }
+  location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
+    try_files $uri @rewrite;
+    expires max;
+    log_not_found off;
+  }
 
 
-    # website should not be displayed inside a <frame>, an <iframe> or an <object>
-    add_header X-Frame-Options SAMEORIGIN;
+  # website should not be displayed inside a <frame>, an <iframe> or an <object>
+  add_header X-Frame-Options SAMEORIGIN;
 }

assets/fail2ban/filter.d/nginx-badbots.conf

@@ -0,0 +1,5 @@
+[Definition]
+
+failregex = FastCGI sent in stderr: "Primary script unknown" .*, client: <HOST>, server: .*
+
+ignoreregex =

assets/fail2ban/jail.d/nginx-badbots.conf

@@ -0,0 +1,7 @@
+[nginx-badbots]
+
+enabled  = true
+port     = http,https
+filter   = <FILTER>
+logpath  = <LOGPATH>
+maxretry = 2

assets/knockd.conf

@@ -18,7 +18,7 @@
 [SSH]
       sequence    = 7000,8000,9000
       seq_timeout = 5
-      # TODO do not limit port 22 to the ip as it don't work with 4G connection
+      # do not limit port 22 to the ip as it don't work with 4G connection
       # start_command = ufw insert 1 allow from %IP% to any port 22
       start_command = ufw allow ssh
       tcpflags    = syn

assets/nginx-phpmyadmin.conf

@@ -0,0 +1,31 @@
+server {
+  listen 80;
+  location /phpmyadmin {
+    # server_name phpmyadmin.idroot.net;
+    root /var/www/phpmyadmin;
+
+    index  index.php;
+
+    ## Images and static content is treated different
+    location ~* ^.+.(jpg|jpeg|gif|css|png|js|ico|xml)$ {
+      access_log        off;
+      expires           30d;
+    }
+
+    location ~ /\.ht {
+      deny  all;
+    }
+
+    location ~ /(libraries|setup/frames|setup/libs) {
+      deny all;
+      return 404;
+    }
+
+    location ~ \.php$ {
+      fastcgi_pass unix:/run/php/php8.2-fpm.sock;
+      fastcgi_index index.php;
+      include fastcgi_params;
+      fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+    }
+  }
+}

assets/pgsqlbackup.sh

@@ -0,0 +1,59 @@
+#!/bin/bash
+# Simple script to backup postgresql databases
+
+# Parent backup directory
+backup_parent_dir="/var/backups/postgresql"
+
+# PostgreSQL settings
+pg_host="HOST"
+pg_port="PORT"
+pg_user="USER"
+pg_password="PASSWD"
+
+
+# Check MySQL password
+# echo exit | mysql --user=${mysql_user} --password=${mysql_password} -B 2>/dev/null
+# if [ "$?" -gt 0 ]; then
+#   echo "MySQL ${mysql_user} password incorrect"
+#   exit 1
+# else
+#   echo "MySQL ${mysql_user} password correct."
+# fi
+
+# Create backup directory and set permissions
+backup_date=`date +%Y_%m_%d_%H_%M`
+backup_dir="${backup_parent_dir}/${backup_date}"
+echo "Backup directory: ${backup_dir}"
+mkdir -p "${backup_dir}"
+chmod 644 "${backup_dir}"
+
+# Get postgresql databases
+pgsql_databases=`psql "host=$pg_host port=$pg_port user=$pg_user password=$pg_password" -At -c "select datname from pg_database where not datistemplate and datallowconn;"`
+
+
+# Backup and compress each database
+for database in $pgsql_databases
+do
+  echo "Creating backup of \"${database}\" database"
+  # mysqldump ${additional_mysqldump_params} --user=${mysql_user} --password=${mysql_password} ${database} | gzip > "${backup_dir}/${database}.sql.gz"
+  # chmod 644 "${backup_dir}/${database}.sql.gz"
+	set -o pipefail
+	# if ! pg_dump -Fp -h "$pg_host" -U "$pg_user" "$database" | gzip > $backup_dir"/$database".sql.gz.in_progress; then
+  # if ! pg_dump -Fp "host=$pg_host port=$pg_port user=$pg_user password=$pg_password" "$database" | gzip > $backup_dir"/$database".sql.gz.in_progress; then
+  if ! pg_dump -Fp --dbname="postgresql://$pg_user:$pg_password@$pg_host:$pg_port/$database" | gzip > $backup_dir"/$database".sql.gz.in_progress; then
+		echo "[!!ERROR!!] Failed to produce plain backup database $database" 1>&2
+	else
+		mv $backup_dir"/$database".sql.gz.in_progress $backup_dir"/$database".sql.gz
+	fi
+	set +o pipefail
+done
+
+# compress the folder
+# tar -zcvf "${backup_dir}.tar.gz" "${backup_dir}"
+# rm -rf "${backup_dir}"
+
+# Rotate backups
+# Delete files older than 30 days
+find $backup_parent_dir/ -type f -mtime +60 -delete;
+# Delete empty directories
+find $backup_parent_dir/ -type d -empty -delete;

assets/simple-phpfpm-ssl.nginxconf

@@ -2,6 +2,7 @@
 
 server {
   listen 80;
+  listen [::]:80;
   server_name DOMAIN.LTD;
   return 301 https://$server_name$request_uri;
 }
@@ -47,7 +48,7 @@ server {
 
   location ~ \.php$ {
     fastcgi_split_path_info ^(.+\.php)(/.+)$;
-    fastcgi_pass unix:/run/php/php7.0-fpm.sock;
+    fastcgi_pass unix:/run/php/php8.1-fpm.sock;
     fastcgi_index index.php;
     include fastcgi_params;
     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

assets/simple-phpfpm.nginxconf

@@ -1,5 +1,6 @@
 server {
   listen 80;
+  listen [::]:80;
   server_name DOMAIN.LTD;
 
   root /var/www/DOMAIN.LTD/public_html;
@@ -23,7 +24,7 @@ server {
 
   location ~ \.php$ {
     fastcgi_split_path_info ^(.+\.php)(/.+)$;
-    fastcgi_pass unix:/run/php/php7.0-fpm.sock;
+    fastcgi_pass unix:/run/php/php8.1-fpm.sock;
     fastcgi_index index.php;
     include fastcgi_params;
     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

assets/urbackup.service

@@ -5,7 +5,7 @@ ConditionPathExists=/usr/local/sbin/urbackupclientbackend
 [Service]
 Type=forking
 ExecStart=/usr/local/sbin/urbackupclientbackend -d
-PIDFile = /var/run/urbackup_srv.pid
+PIDFile = /run/urbackup_srv.pid
 TimeoutSec=0
 
 [Install]

assets/webhook-deploy.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+
+# update bare repos
+echo "Updating bare repos"
+su -c "git --git-dir=git-repositories/DOMAIN.git fetch origin prod:prod" USER
+# deploy prod
+cd www/DOMAIN/
+su -c "./deploy.sh" USER

assets/webhook.service

@@ -0,0 +1,10 @@
+[Unit]
+Description=Small server for creating HTTP endpoints (hooks)
+Documentation=https://github.com/adnanh/webhook/
+
+[Service]
+ExecStart=webhook -hooks /etc/webhooks.conf -verbose -nopanic -hotreload
+Restart=always
+
+[Install]
+WantedBy=multi-user.target

assets/webhook/etc/systemd/system/webhook.service

@@ -0,0 +1,11 @@
+[Unit]
+Description=Small server for creating HTTP endpoints (hooks)
+Documentation=https://github.com/adnanh/webhook/
+
+[Service]
+ExecStart=webhook -hooks /etc/webhooks.conf -verbose -nopanic -hotreload
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
+

assets/webhook/etc/webhook.conf

@@ -0,0 +1,3 @@
+- id: deploy-app-enfrancais
+  execute-command: "/root/deploy-app-enfrancais-hook.sh"
+  command-working-directory: "/home/appdev/"

assets/webhook/root/deploy-app-hook.sh

@@ -0,0 +1,9 @@
+#!/bin/sh
+
+# $cwd is defined in webhook conf
+
+# update bare repos
+git --git-dir=git-repositories/app.enfrancais.fr.git fetch origin prod:prod
+# deploy prod
+cd www/enfrancais.fr/app
+./deploy.sh

assets/zabbix/userparameter_linux_name_version.conf

@@ -0,0 +1 @@
+UserParameter=linux.system.name.version,(lsb_release -d > dev/null 2>&1) && lsb_release -d || (cat /etc/centos-release > /dev/null > /dev/null 2>&1 && cat /etc/centos-release || cat /etc/redhat-release)

bin/_addUserSite.sh

@@ -4,14 +4,14 @@
 
 # TODO check if root
 
-echo '\033[35m
+echo -e '\033[35m
    __  _______ __________
   / / / / ___// ____/ __ \
  / / / /\__ \/ __/ / /_/ /
 / /_/ /___/ / /___/ _, _/
 \____//____/_____/_/ |_|
 \033[0m'
-echo "\033[35;1mCreate new user (you will be asked a user name and a password) \033[0m"
+echo -e "\033[35;1mCreate new user (you will be asked a user name and a password) \033[0m"
 sleep 3
 while [ "$user" = "" ]
 do
@@ -34,14 +34,14 @@ mkdir /home/$user/backups
 
 chmod -w /home/"$user"
 
-echo '\033[35m
+echo -e '\033[35m
         __               __
  _   __/ /_  ____  _____/ /_
 | | / / __ \/ __ \/ ___/ __/
 | |/ / / / / /_/ (__  ) /_
 |___/_/ /_/\____/____/\__/
 \033[0m'
-echo "\033[35;1mVHOST install \033[0m"
+echo -e "\033[35;1mVHOST install \033[0m"
 
 while [ "$_host_name" = "" ]
 do
@@ -75,12 +75,12 @@ ln -s /home/"$user"/logs /var/www/"$_host_name"/logs
 # a2ensite "$_host_name".conf
 #restart apache
 # service apache2 restart
-echo "\033[92;1mvhost $_host_name configured\033[Om"
+echo -e "\033[92;1mvhost $_host_name configured\033[Om"
 
 
 # todo add mysql user and database
 
-echo '\033[35m
+echo -e '\033[35m
     __  ___                 __
    /  |/  /_  ___________ _/ /
   / /|_/ / / / / ___/ __ `/ /
@@ -88,7 +88,7 @@ echo '\033[35m
 /_/  /_/\__, /____/\__, /_/
        /____/        /_/
 \033[0m'
-echo "\033[35;1mMysql database \033[0m"
+echo -e "\033[35;1mMysql database \033[0m"
 
 while [ "$_dbname" = "" ]
 do

bin/autoupdate.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 
-echo '\033[35m
+echo -e '\033[35m
     ___         __           __  __          __      __
    /   | __  __/ /_____     / / / /___  ____/ /___ _/ /____
   / /| |/ / / / __/ __ \   / / / / __ \/ __  / __ `/ __/ _ \
@@ -16,8 +16,8 @@ if [ "$EUID" -ne 0 ]; then
   exit
 fi
 
-echo "\033[35;1mInstalling apticron \033[0m"
-apt-get --yes --force-yes install apticron
+echo -e "\033[35;1mInstalling apticron \033[0m"
+apt-get --yes install apticron
 
 sleep 3
 echo -n "Enter an email: "
@@ -27,4 +27,4 @@ sed -i -r "s/EMAIL=\"root\"/EMAIL=\"$email\"/g" /etc/apticron/apticron.conf
 # sed -i -r "s/# DIFF_ONLY=\"1\"/DIFF_ONLY=\"1\"/g" /etc/apticron/apticron.conf
 sed -i -r "s/# NOTIFY_NEW=\"0\"/NOTIFY_NEW=\"0\"/g" /etc/apticron/apticron.conf
 
-echo "\033[92;1mApticron installed and configured\033[0m"
+echo -e "\033[92;1mApticron installed and configured\033[0m"

bin/dotfiles.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 
-echo '\033[35m
+echo -e '\033[35m
     ____        __     _______ __
    / __ \____  / /_   / ____(_) /__  _____
   / / / / __ \/ __/  / /_  / / / _ \/ ___/
@@ -8,7 +8,7 @@ echo '\033[35m
 /_____/\____/\__/  /_/   /_/_/\___/____/
 \033[0m'
 #installing better prompt and some goodies
-echo "\033[35;1mInstalling shell prompt for current user $USER \033[0m"
+echo -e "\033[35;1mInstalling shell prompt for current user $USER \033[0m"
 sleep 2
 # get the current position
 _cwd="$(pwd)"
@@ -19,4 +19,4 @@ git clone https://figureslibres.io/gogs/bachir/dotfiles-server.git ~/.dotfiles-s
 source ~/.bashrc
 # return to working directory
 cd "$_cwd"
-echo "\033[92;1mDot files installed for $USER\033[0m"
+echo -e "\033[92;1mDot files installed for $USER\033[0m"

bin/email.sh

@@ -1,13 +1,13 @@
 #!/bin/sh
 
-echo '\033[35m
+echo -e '\033[35m
     __  ______    ______
    /  |/  /   |  /  _/ /
   / /|_/ / /| |  / // /
  / /  / / ___ |_/ // /___
 /_/  /_/_/  |_/___/_____/
 \033[0m'
-echo "\033[35;1mEnable mail sending for php \033[0m"
+echo -e "\033[35;1mEnable mail sending for php \033[0m"
 
 if [ "$EUID" -ne 0 ]; then
   echo "Please run as root"
@@ -28,8 +28,8 @@ fi
 
 # http://www.sycha.com/lamp-setup-debian-linux-apache-mysql-php#anchor13
 sleep 2
-apt-get --yes --force-yes install exim4
-echo "\033[35;1mConfiguring EXIM4 \033[0m"
+apt-get --yes install exim4
+echo -e "\033[35;1mConfiguring EXIM4 \033[0m"
 while [ "$configexim" != "y" ] && [ "$configexim" != "n" ]
 do
   echo -n "Should we configure exim4 ? [y|n] "
@@ -48,7 +48,7 @@ systemctl restart exim4
 
 # dkim spf
 # https://debian-administration.org/article/718/DKIM-signing_outgoing_mail_with_exim4
-echo "\033[35;1mConfiguring DKIM \033[0m"
+echo -e "\033[35;1mConfiguring DKIM \033[0m"
 while [ "$installdkim" != "y" ] && [ "$installdkim" != "n" ]
 do
   echo -n "Should we install dkim for exim4 ? [y|n] "
@@ -60,10 +60,11 @@ if [ "$installdkim" = "y" ]; then
   selector=$(date +%Y%m%d)
 
   mkdir /etc/exim4/dkim
-  openssl genrsa -out /etc/exim4/dkim/"$domain"-private.pem 1024 -outform PEM
-  openssl rsa -in /etc/exim4/dkim/"$domain"-private.pem -out /etc/exim4/dkim/"$domain".pem -pubout -outform PEM
-  chown root:Debian-exim /etc/exim4/dkim/"$domain"-private.pem
-  chmod 440 /etc/exim4/dkim/"$domain"-private.pem
+  # openssl genrsa -out /etc/exim4/dkim/"$domain"-private.pem 1024 -outform PEM
+  openssl genrsa -out /etc/exim4/dkim/"$domain"-private.key 1024
+  openssl rsa -in /etc/exim4/dkim/"$domain"-private.key -out /etc/exim4/dkim/"$domain".pub -pubout
+  chown root:Debian-exim /etc/exim4/dkim/"$domain"-private.key
+  chmod 440 /etc/exim4/dkim/"$domain"-private.key
 
   cp "$_assets"/exim4_dkim.conf /etc/exim4/conf.d/main/00_local_macros
   sed -i -r "s/DOMAIN_TO_CHANGE/$domain/g" /etc/exim4/conf.d/main/00_local_macros
@@ -73,7 +74,7 @@ if [ "$installdkim" = "y" ]; then
   systemctl restart exim4
   echo "please create a TXT entry in your dns zone : $selector._domainkey.$domain \n"
   echo "your public key is : \n"
-  cat /etc/exim4/dkim/"$domain".pem
+  cat /etc/exim4/dkim/"$domain".pub
   echo "press any key to continue."
   read continu
 else

bin/fail2ban.sh

@@ -17,7 +17,7 @@ if [ "$EUID" -ne 0 ]; then
 fi
 
 sleep 2
-apt-get --yes --force-yes install fail2ban
+apt-get --yes install fail2ban
 cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
 # ToDo ask for email and configure jail.local with it
 touch /var/log/auth.log

bin/firewall.sh

@@ -17,8 +17,8 @@ if [ "$EUID" -ne 0 ]; then
 fi
 
 sleep 2
-apt-get --yes --force-yes install ufw
-# ufw allow ssh # knockd will open the ssh port
+apt-get --yes install ufw
+ufw allow ssh
 ufw allow http
 ufw allow https
 

bin/ftp.sh

@@ -1,7 +1,7 @@
 #!/bin/sh
 
 
-echo '\033[35m
+echo -e '\033[35m
   ______ _______ _____
  |  ____|__   __|  __ \
  | |__     | |  | |__) |
@@ -28,7 +28,7 @@ if [ ! -d "$_assets" ]; then
 fi
 
 echo "installing proftpd"
-apt-get --yes --force-yes install proftpd
+apt-get --yes install proftpd
 while [ "$_server_name" = "" ]
 do
 read -p "enter a server name ? " _server_name

bin/gitbarrerepos.sh

@@ -51,7 +51,7 @@ if [ "$vh" = "yes" ]; then
             user=""
           fi
         else
-          echo -e "user $user doesn't exists, you must provide an existing user"
+          echo "user $user doesn't exists, you must provide an existing user"
           user=""
         fi
       fi
@@ -112,11 +112,11 @@ if [ "$vh" = "yes" ]; then
 
   # setup git repo on site folder
   cd /home/"$user"/www/"$_domain"/public_html
-  git init
+  su -c "git init" $user
   # link to the bare repo
-  git remote add origin /home/"$user"/git-repositories/"$_domain".git
+  su -c "git remote add origin /home/$user/git-repositories/$_domain.git" $user
+  chown -R "$user":"$user" /home/"$user"/www/"$_domain"
 
-  chown -R "$user":"$user" /home/"$user"/www/"$_domain"/public_html
 
   cd "$_cwd"
   # done

bin/knockd.sh

@@ -29,7 +29,7 @@ if [ ! -d "$_assets" ]; then
 fi
 
 sleep 2
-apt-get --yes --force-yes install knockd
+apt-get --yes install knockd
 
 mv /etc/knockd.conf /etc/knockd.conf.ori
 cp "$_assets"/knockd.conf /etc/knockd.conf

bin/lemp.sh

@@ -11,7 +11,7 @@ echo -e '\033[35m
 echo -e "\033[35;1mLEMP server (Nginx Mysql Php-fpm) \033[0m"
 
 if [ "$EUID" -ne 0 ]; then
-  echo -e "Please run as root"
+  echo "Please run as root"
   exit
 fi
 
@@ -29,25 +29,6 @@ fi
 
 sleep 2
 
-echo -e '\033[35m
-    __  ___                 __
-   /  |/  /_  ___________ _/ /
-  / /|_/ / / / / ___/ __ `/ /
- / /  / / /_/ (__  ) /_/ / /
-/_/  /_/\__, /____/\__, /_/
-       /____/        /_/
-\033[0m'
-echo -e "\033[35;1minstalling Mysql \033[0m"
-sleep 3
-apt-get --yes --force-yes install mariadb-server
-mysql_secure_installation
-
-cp "$_assets"/mysql/innodb-file-per-table.cnf /etc/mysql/conf.d/
-
-systemctl enable mariadb.service
-systemctl restart mariadb.service
-echo -e "\033[92;1mmysql installed\033[Om"
-
 echo -e '\033[35m
     ____  __  ______
    / __ \/ / / / __ \
@@ -55,25 +36,50 @@ echo -e '\033[35m
  / ____/ __  / ____/
 /_/   /_/ /_/_/
 \033[0m'
-echo -e "\033[35;1mInstalling PHP 7.0 \033[0m"
+
+echo -e "\033[35;1mInstalling SURY \033[0m"
 sleep 3
-apt-get --yes --force-yes install php7.0-fpm php7.0-mysql php7.0-opcache php7.0-curl php7.0-mbstring php7.0-zip php7.0-xml php7.0-gd php7.0-mcrypt php-memcached php7.0-imagick
 
-mv /etc/php/7.0/fpm/php.ini /etc/php/7.0/fpm/php.ini.back
-cp "$_assets"/php-fpm.ini /etc/php/7.0/fpm/php.ini
+apt-get --yes install ca-certificates apt-transport-https software-properties-common curl lsb-release
+curl -sSL https://packages.sury.org/php/README.txt | bash -x
+apt-get update && apt-get upgrade
 
-echo -e "Configuring PHP"
+echo -e "\033[35;1mInstalling PHP \033[0m"
+sleep 3
+
+
+
+# mv: cannot stat '/etc/php/7.0/fpm/php.ini': No such file or directory
+# cp: cannot create regular file '/etc/php/7.0/fpm/php.ini': No such file or directory
+# Configuring PHP
+# Failed to enable unit: Unit file php7.0-fpm.service does not exist.
+# Failed to start php7.0-fpm.service: Unit php7.0-fpm.service not found.
+
+# apt-get --yes install php7.4-fpm php7.4-mysql php7.4-opcache php7.4-curl php7.4-mbstring php7.4-zip php7.4-xml php7.4-gd php-memcached php7.4-imagick php7.4-apcu
+# php7.4-mcrypt  ??
+
+apt-get --yes install php8.1-fpm php8.1-mysql php8.1-opcache php8.1-curl php8.1-mbstring php8.1-zip php8.1-xml php8.1-gd php8.1-memcached php8.1-imagick php8.1-apcu php8.1-redis php8.1-bz2 php8.1-bcmath
+
+# apt-get --yes install php8.2-fpm php8.2-mysql php8.2-opcache php8.2-curl php8.2-mbstring php8.2-zip php8.2-xml php8.2-gd php-memcached php8.2-imagick php8.2-apcu php8.2-redis php8.2-bz2 php8.2-bcmath
+
+# apt-get --yes install php8.3-fpm php8.3-mysql php8.3-opcache php8.3-curl php8.3-mbstring php8.3-zip php8.3-xml php8.3-gd php8.3-memcached php8.3-imagick php8.3-apcu php8.3-redis php8.3-bz2 php8.3-bcmath
+
+
+mv /etc/php/8.1/fpm/php.ini /etc/php/8.1/fpm/php.ini.back
+cp "$_assets"/php8.1-fpm.ini /etc/php/8.1/fpm/php.ini
+
+echo "Configuring PHP"
 
 mkdir /var/log/php
 chown www-data /var/log/php
 cp "$_assets"/logrotate-php /etc/logrotate.d/php
 
-systemctl enable php7.0-fpm
-systemctl start php7.0-fpm
+systemctl enable php8.1-fpm
+systemctl start php8.1-fpm
 
-# echo -e "Installing memecached"
+# echo "Installing memecached"
 # replaced by redis
-# apt-get --yes --force-yes install memcached
+# apt-get --yes install memcached
 # sed -i "s/-m\s64/-m 128/g" /etc/memcached.conf
 #
 # systemctl start memcached
@@ -90,7 +96,7 @@ echo -e '\033[35m
 \033[0m'
 echo -e "\033[35;1mInstalling Nginx \033[0m"
 sleep 3
-apt-get --yes --force-yes install nginx
+apt-get --yes install nginx
 mv /etc/nginx/sites-available/default /etc/nginx/sites-available/default.ori
 cp "$_assets"/default.nginxconf /etc/nginx/sites-available/default
 
@@ -98,29 +104,80 @@ systemctl enable nginx
 systemctl restart nginx
 echo -e "\033[92;1mNginx installed\033[Om"
 
-echo -e '\033[35m
-           __          __  ___      ___       __          _
-    ____  / /_  ____  /  |/  /_  __/   | ____/ /___ ___  (_)___
-   / __ \/ __ \/ __ \/ /|_/ / / / / /| |/ __  / __ `__ \/ / __ \
-  / /_/ / / / / /_/ / /  / / /_/ / ___ / /_/ / / / / / / / / / /
- / .___/_/ /_/ .___/_/  /_/\__, /_/  |_\__,_/_/ /_/ /_/_/_/ /_/
-/_/         /_/           /____/
-\033[0m'
-echo -e "\033[35;1mInstalling phpMyAdmin \033[0m"
-apt-get --yes --force-yes install phpmyadmin
-ln -s /usr/share/phpmyadmin /var/www/html/
-cp "$_assets"/nginx-phpmyadmin.conf > /etc/nginx/sites-available/phpmyadmin.conf
-ln -s /etc/nginx/sites-available/phpmyadmin.conf /etc/nginx/sites-enabled/phpmyadmin.conf
 
-# echo -e "\033[35;1msecuring phpMyAdmin \033[0m"
-# sed -i "s/DirectoryIndex index.php/DirectoryIndex index.php\nAllowOverride all/"
-# cp "$_assets"/phpmyadmin_htaccess > /usr/share/phpmyadmin/.htaccess
-# echo -n "define a user name for phpmyadmin : "
-# read un
-# htpasswd -c /etc/phpmyadmin/.htpasswd $un
-# service apache2 restart
-echo -e "\033[92;1mphpMyAdmin installed\033[Om"
-echo -e "\033[92;1mYou can access it at yourip/phpmyadmin\033[Om"
+
+while [ "$installmysql" != "yes" ] && [ "$installmysql" != "no" ]
+do
+echo -n "install mysql? [yes|no] "
+read installmysql
+# installmysql=${installmysql:-y}
+done
+if [ "$installmysql" = "yes" ]; then
+
+  echo -e '\033[35m
+      __  ___                 __
+     /  |/  /_  ___________ _/ /
+    / /|_/ / / / / ___/ __ `/ /
+   / /  / / /_/ (__  ) /_/ / /
+  /_/  /_/\__, /____/\__, /_/
+         /____/        /_/
+  \033[0m'
+  echo -e "\033[35;1minstalling Mysql \033[0m"
+  sleep 3
+  apt-get --yes install mariadb-server
+  mysql_secure_installation
+
+  cp "$_assets"/mysql/innodb-file-per-table.cnf /etc/mysql/conf.d/
+
+  # you may increase memory
+  # innodb_buffer_pool_size = 1024M
+
+  systemctl enable mariadb.service
+  systemctl restart mariadb.service
+  echo -e "\033[92;1mmysql installed\033[Om"
+
+  echo -e '\033[35m
+             __          __  ___      ___       __          _
+      ____  / /_  ____  /  |/  /_  __/   | ____/ /___ ___  (_)___
+     / __ \/ __ \/ __ \/ /|_/ / / / / /| |/ __  / __ `__ \/ / __ \
+    / /_/ / / / / /_/ / /  / / /_/ / ___ / /_/ / / / / / / / / / /
+   / .___/_/ /_/ .___/_/  /_/\__, /_/  |_\__,_/_/ /_/ /_/_/_/ /_/
+  /_/         /_/           /____/
+  \033[0m'
+  echo -e "\033[35;1mInstalling phpMyAdmin \033[0m"
+  ##### Building dependency tree
+  ##### Reading state information... Done
+  ##### Package phpmyadmin is not available, but is referred to by another package.
+  ##### This may mean that the package is missing, has been obsoleted, or
+  ##### is only available from another source
+  #####
+  ##### E: Package 'phpmyadmin' has no installation candidate
+  ##### cp: missing destination file operand after '/root/debian-web-server/assets/nginx-phpmyadmin.conf'
+  ##### Try 'cp --help' for more information.
+
+  # TODO no pma package available :(
+  apt-get --yes install phpmyadmin
+  ln -s /usr/share/phpmyadmin /var/www/html/
+  cp "$_assets"/nginx-phpmyadmin.conf /etc/nginx/sites-available/phpmyadmin.conf
+    
+  echo -e "\033[92;1mphpMyAdmin installed\033[Om"
+  echo -e "\033[92;1mYou can access it at yourip/phpmyadmin\033[Om"
+
+  # install from source
+  # apt-get --yes install php-{mbstring,zip,gd,xml,pear,gettext,cgi}
+  # cd /var/www/html/
+  # wget https://www.phpmyadmin.net/downloads/phpMyAdmin-latest-all-languages.zip
+  # unzip phpMyAdmin-latest-all-languages.zip
+  # mv phpMyAdmin-*-all-languages pma
+  # rm phpMyAdmin-latest-all-languages.zip
+  # # cp "$_assets"/nginx-phpmyadmin.conf > /etc/nginx/sites-available/phpmyadmin.conf
+  # # ln -s /etc/nginx/sites-available/phpmyadmin.conf /etc/nginx/sites-enabled/phpmyadmin.conf
+  # echo -e "\033[92;1mphpMyAdmin installed\033[Om"
+  # echo -e "\033[92;1mYou can access it at yourip/pma\033[Om"
+fi
+
+
+
 
 echo -e '\033[35m
     ____           ___
@@ -131,16 +188,21 @@ echo -e '\033[35m
 \033[0m'
 echo -e "\033[35;1mInstalling Redis \033[0m"
 sleep 3
-apt-get --yes --force-yes install redis-server php-redis
+apt-get --yes install redis-server php8.1-redis
 
 # TODO set maxmemory=2gb
 # TODO set maxmemory-policy=volatile-lru
 # TODO comment all save line
 
+# WARNING: The TCP backlog setting of 511 cannot be enforced because /proc/sys/net/core/somaxconn is set to the lower value of 128.
+# WARNING overcommit_memory is set to 0! Background save may fail under low memory condition. To fix this issue add 'vm.overcommit_memory = 1' to /etc/sysctl.conf and then reboot or run the command 'sysctl vm.overcommit_memory=1' for this to take effect.
+# WARNING you have Transparent Huge Pages (THP) support enabled in your kernel. This will create latency and memory usage issues with Redis. To fix this issue run the command 'echo never > /sys/kernel/mm/transparent_hugepage/enabled' as root, and add it to your /etc/rc.local in order to retain the setting after a reboot. Redis must be restarted after THP is disabled.
+
+# https://blog.opstree.com/2019/04/16/redis-best-practices-and-performance-tuning/
 
 systemctl enable redis-server
 systemctl restart redis-server
-systemctl restart php7.0-fpm
+systemctl restart php8.1-fpm
 echo -e "\033[92;1mRedis installed\033[Om"
 
 echo -e '\033[35m
@@ -166,111 +228,9 @@ echo -e '\033[35m
  / /_/ / /  / /_/ (__  ) / / /
 /_____/_/   \__,_/____/_/ /_/
 \033[0m'
-echo -e "\033[35;1mInstalling Drush and DrupalConsole\033[0m"
+echo -e "\033[35;1mInstalling Drush\033[0m"
 sleep 3
-curl https://drupalconsole.com/installer -L -o /usr/local/bin/drupal
-chmod +x /usr/local/bin/drupal
-curl https://github.com/drush-ops/drush-launcher/releases/download/0.6.0/drush.phar -L -o /usr/local/bin/drush
+# curl https://github.com/drush-ops/drush-launcher/releases/download/0.6.0/drush.phar -L -o /usr/local/bin/drush
+wget -O /usr/local/bin/drush https://github.com/drush-ops/drush-launcher/releases/latest/download/drush.phar
 chmod +x /usr/local/bin/drush
-echo -e "\033[92;1mDrush and DrupalConsoleinstalled\033[Om"
-
-
-
-# TODO supervising
-# echo -e '\033[35m
-#    __  ___          _ __      __  __  ___          _
-#   /  |/  /__  ___  (_) /_   _/_/ /  |/  /_ _____  (_)__
-#  / /|_/ / _ \/ _ \/ / __/ _/_/  / /|_/ / // / _ \/ / _ \
-# /_/  /_/\___/_//_/_/\__/ /_/   /_/  /_/\_,_/_//_/_/_//_/
-# \033[0m'
-# echo -e "\033[35;1mInstalling Munin \033[0m"
-# sleep 3
-# # https://www.howtoforge.com/tutorial/server-monitoring-with-munin-and-monit-on-debian/
-# apt-get --yes --force-yes install munin munin-node munin-plugins-extra
-# # Configure Munin
-# # enable plugins
-# ln -s /usr/share/munin/plugins/mysql_ /etc/munin/plugins/mysql_
-# ln -s /usr/share/munin/plugins/mysql_bytes /etc/munin/plugins/mysql_bytes
-# ln -s /usr/share/munin/plugins/mysql_innodb /etc/munin/plugins/mysql_innodb
-# ln -s /usr/share/munin/plugins/mysql_isam_space_ /etc/munin/plugins/mysql_isam_space_
-# ln -s /usr/share/munin/plugins/mysql_queries /etc/munin/plugins/mysql_queries
-# ln -s /usr/share/munin/plugins/mysql_slowqueries /etc/munin/plugins/mysql_slowqueries
-# ln -s /usr/share/munin/plugins/mysql_threads /etc/munin/plugins/mysql_threads
-#
-# ln -s /usr/share/munin/plugins/apache_accesses /etc/munin/plugins/
-# ln -s /usr/share/munin/plugins/apache_processes /etc/munin/plugins/
-# ln -s /usr/share/munin/plugins/apache_volume /etc/munin/plugins/
-#
-# # ln -s /usr/share/munin/plugins/fail2ban /etc/munin/plugins/
-#
-# # dbdir, htmldir, logdir, rundir, and tmpldir
-# sed -i 's/^#dbdir/dbdir/' /etc/munin/munin.conf
-# sed -i 's/^#htmldir/htmldir/' /etc/munin/munin.conf
-# sed -i 's/^#logdir/logdir/' /etc/munin/munin.conf
-# sed -i 's/^#rundir/rundir/' /etc/munin/munin.conf
-# sed -i 's/^#tmpldir/tmpldir/' /etc/munin/munin.conf
-#
-# sed -i "s/^\[localhost.localdomain\]/[${HOSTNAME}]/" /etc/munin/munin.conf
-#
-# # ln -s /etc/munin/apache24.conf /etc/apache2/conf-enabled/munin.conf
-# sed -i 's/Require local/Require all granted\nOptions FollowSymLinks SymLinksIfOwnerMatch/g' /etc/munin/apache24.conf
-# htpasswd -c /etc/munin/munin-htpasswd admin
-# sed -i 's/Require all granted/AuthUserFile \/etc\/munin\/munin-htpasswd\nAuthName "Munin"\nAuthType Basic\nRequire valid-user/g' /etc/munin/apache24.conf
-#
-#
-# service apache2 restart
-# service munin-node restart
-# echo -e "\033[92;1mMunin installed\033[Om"
-#
-# echo -e "\033[35;1mInstalling Monit \033[0m"
-# sleep 3
-# # https://www.howtoforge.com/tutorial/server-monitoring-with-munin-and-monit-on-debian/2/
-# apt-get --yes --force-yes install monit
-# # TODO setup monit rc
-# cat "$_assets"/monitrc > /etc/monit/monitrc
-#
-# # TODO setup webaccess
-# passok=0
-# while [ "$passok" = "0" ]
-# do
-#   echo -n "Write web access password to monit"
-#   read passwda
-#   echo -n "ReWrite web access password to monit"
-#   read passwdb
-#   if [ "$passwda" = "$passwdb" ]; then
-#     sed -i 's/PASSWD_TO_REPLACE/$passwda/g' /etc/monit/monitrc
-#     passok=1
-#   else
-#     echo -e "pass words don't match, please try again"
-#   fi
-# done
-#
-# # TODO setup mail settings
-# sed -i "s/server1\.example\.com/$HOSTNAME/g" /etc/monit/monitrc
-#
-# mkdir /var/www/html/monit
-# echo -e "hello" > /var/www/html/monit/token
-#
-# service monit start
-#
-# echo -e "\033[92;1mMonit installed\033[Om"
-
-
-# echo -e '\033[35m
-#     ___                __        __
-#    /   |_      _______/ /_____ _/ /_
-#   / /| | | /| / / ___/ __/ __ `/ __/
-#  / ___ | |/ |/ (__  ) /_/ /_/ / /_
-# /_/  |_|__/|__/____/\__/\__,_/\__/
-# \033[0m'
-# echo -e "\033[35;1mInstalling Awstat \033[0m"
-# sleep 3
-# apt-get --yes --force-yes install awstats
-# # Configure AWStats
-# temp=`grep -i sitedomain /etc/awstats/awstats.conf.local | wc -l`
-# if [ $temp -lt 1 ]; then
-#     echo SiteDomain="$_domain" >> /etc/awstats/awstats.conf.local
-# fi
-# # Disable Awstats from executing every 10 minutes. Put a hash in front of any line.
-# sed -i 's/^[^#]/#&/' /etc/cron.d/awstats
-# echo -e "\033[92;1mAwstat installed\033[Om"
+echo -e "\033[92;1mDrush\033[Om"

bin/misc.sh

@@ -15,12 +15,13 @@ if [ "$EUID" -ne 0 ]; then
 fi
 
 sleep 2
-apt-get --yes --force-yes install vim curl
+# TODO --force-yes is deprecated, use one of the options starting with --allow instead.
+apt-get --yes install vim curl
 sed -i "s/^# en_GB.UTF-8/en_GB.UTF-8/g" /etc/locale.gen
 locale-gen
-apt-get --yes --force-yes install ntp
+apt-get --yes install ntp
 dpkg-reconfigure tzdata
-apt-get --yes --force-yes install tmux etckeeper needrestart htop lynx unzip
+apt-get --yes install tmux etckeeper needrestart htop lynx unzip nfs-common
 
 # TODO cron
 # https://askubuntu.com/questions/56683/where-is-the-cron-crontab-log/121560#121560

bin/mysql-db.sh

@@ -0,0 +1,56 @@
+#!/bin/sh
+
+echo -e '
+     _ _      _   _
+  __| | |__  | | | |___ ___ _ _
+ / _` |  _ \ | |_| (_-</ -_)  _|
+ \__,_|_.__/  \___//__/\___|_|
+'
+
+echo -e "Create new mysql db and user (you will be asked a db name and a password)"
+
+. bin/checkroot.sh
+
+sleep 3
+
+# configure
+echo -n "Please provide the mysql root passwd : "
+read _root_mysql_passwd
+
+mysql -u root -p$_root_mysql_passwd -e "show databases;"
+
+echo -n "Enter new db name: "
+read db_name
+while [ "$db_name" = "" ]
+do
+  read -p "enter a db name ? " db_name
+  if [ "$db_name" != "" ]; then
+    # TODO check if db already exists
+    # if id "$db_name" >/dev/null 2>&1; then
+    #   echo "user $db_name alreday exists, you must provide a non existing user name."
+    #   db=""
+    # else
+      read -p "is db name $db_name correcte [y|n] " validated
+      if [ "$validated" = "y" ]; then
+        break
+      else
+        db_name=""
+      fi
+    # fi
+  fi
+done
+
+# generate random password for new mysql user
+_passwd="$(< /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c16)"
+
+# create new mysql user
+mysql -u root -p$_root_mysql_passwd -e "CREATE DATABASE $db_name;"
+mysql -u root -p$_root_mysql_passwd -e "CREATE USER '$db_name'@'localhost' IDENTIFIED BY '$_passwd';"
+mysql -u root -p$_root_mysql_passwd -e "GRANT ALL ON $db_name.* TO '$db_name'@'localhost';"
+
+mysql -u root -p$_root_mysql_passwd -e "show databases;"
+
+echo "database and user : $db_name installed"
+echo " please record your password $_passwd"
+echo "press any key to continue."
+read continu

bin/mysqlbackup.sh

@@ -39,4 +39,4 @@ touch /var/spool/cron/crontabs/root
 crontab -l > /tmp/mycron
 echo "30 2 */2 * * /usr/local/bin/mysqlbackup.sh" >> /tmp/mycron
 crontab /tmp/mycron
-rm /tmp/mycron
+rm -f /tmp/mycron

bin/nfs.sh

@@ -0,0 +1,44 @@
+#!/bin/sh
+
+echo -e '\033[35m
+        __     
+ _ __  / _|___ 
+|  _ \| |_/ __|
+| | | |  _\__ \
+|_| |_|_| |___/
+                
+\033[0m'
+echo -e "\033[35;1mLEMP server (Nginx Mysql Php-fpm) \033[0m"
+
+
+apt install nfs-kernel-server
+vim /etc/exports 
+mkdir /home/proxmox-backup
+mkdir /home/urbackup
+
+ufw allow from 37.187.134.71 to any port nfs
+ufw allow from 37.187.134.71 to any port 111
+ufw allow proto udp from 37.187.134.71 to any port 32764:32769
+ufw allow proto tcp from 37.187.134.71 to any port 32764:32769
+
+ufw allow from 37.187.93.155 to any port nfs
+ufw allow from 37.187.93.155 to any port 111
+ufw allow proto udp from 37.187.93.155 to any port 32764:32769
+ufw allow proto tcp from 37.187.93.155 to any port 32764:32769
+
+ufw allow from 37.187.128.147 to any port nfs
+ufw allow from 37.187.128.147 to any port 111
+ufw allow proto udp from 37.187.128.147 to any port 32764:32769
+ufw allow proto tcp from 37.187.128.147 to any port 32764:32769
+
+
+ufw allow from 94.23.8.104 to any port nfs
+ufw allow from 94.23.8.104 to any port 111
+ufw allow proto udp from 94.23.8.104 to any port 32764:32769
+ufw allow proto tcp from 94.23.8.104 to any port 32764:32769
+
+systemctl restart nfs-server
+systemctl enable nfs-server
+
+vim /etc/ufw/user.rules
+

bin/php7.4.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+
+echo -e "\033[35;1mInstalling PHP 7.4 \033[0m"
+apt-get -y install lsb-release apt-transport-https ca-certificates
+wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg
+echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" | tee /etc/apt/sources.list.d/php.list
+apt-get update
+apt-get -y install php7.4 php7.4-{fpm,mysql,opcache,curl,mbstring,zip,xml,gd,imagick,apcu}
+
+mv /etc/php/7.4/fpm/php.ini /etc/php/7.4/fpm/php.ini.back
+cp "$_assets"/php7.4-fpm.ini /etc/php/7.4/fpm/php.ini
+
+systemctl enable php7.4-fpm
+systemctl start php7.4-fpm
+
+echo -e "\033[92;1mphp7.4-fpm installed\033[O"

bin/postgresqlbackup.sh

@@ -0,0 +1,54 @@
+#!/bin/sh
+
+echo -e '\033[35m
+  ___        _                ___  ___  _      ___          _
+ | _ \___ __| |_ __ _ _ _ ___/ __|/ _ \| |    | _ ) __ _ __| |___  _ _ __
+ |  _/ _ (_-<  _/ _. | ._/ -_)__ \ (_) | |__  | _ \/ _. / _| / / || | ._ \
+ |_| \___/__/\__\__, |_| \___|___/\__\_\____| |___/\__,_\__|_\_\\_,_| .__/
+                |___/                                               |_|
+\033[0m'
+
+if [ "$EUID" -ne 0 ]; then
+  echo "Please run as root"
+  exit
+fi
+
+# get the current position
+_cwd="$(pwd)"
+# check for assets forlder
+_assets="$_cwd/assets"
+if [ ! -d "$_assets" ]; then
+  _assets="$_cwd/../assets"
+  if [ ! -d "$_assets" ]; then
+    echo "!! can't find assets directory !!"
+    exit
+  fi
+fi
+
+# adding the script
+cp "$_assets"/pgsqlbackup.sh /usr/local/bin/
+chmod +x /usr/local/bin/pgsqlbackup.sh
+
+# configure
+echo -n "Please provide the postgresql host : "
+read _pg_host
+sed -i "s/HOST/$_pg_host/g" /usr/local/bin/pgsqlbackup.sh
+
+echo -n "Please provide the postgresql port : "
+read _pg_port
+sed -i "s/PORT/$_pg_port/g" /usr/local/bin/pgsqlbackup.sh
+
+echo -n "Please provide the postgresql user : "
+read _pg_user
+sed -i "s/USER/$_pg_user/g" /usr/local/bin/pgsqlbackup.sh
+
+echo -n "Please provide the postgresql passwd : "
+read _pg_passwd
+sed -i "s/PASSWD/$_pg_passwd/g" /usr/local/bin/pgsqlbackup.sh
+
+# creating crontab
+touch /var/spool/cron/crontabs/root
+crontab -l > /tmp/mycron
+echo "30 2 */2 * * /usr/local/bin/pgsqlbackup.sh" >> /tmp/mycron
+crontab /tmp/mycron
+rm /tmp/mycron

bin/ssh.sh

@@ -1,7 +1,7 @@
 #!/bin/sh
 
 
-echo '\033[35m
+echo -e '\033[35m
    __________ __  __
   / ___/ ___// / / /
   \__ \\__ \/ /_/ /
@@ -14,8 +14,13 @@ if [ "$EUID" -ne 0 ]; then
   exit
 fi
 
-sed -i 's/PermitRootLogin\ yes/PermitRootLogin no/g' /etc/ssh/sshd_config
-sed -i 's/PermitEmptyPasswords\ yes/PermitEmptyPasswords no/g' /etc/ssh/sshd_config
-sed -i 's/Protocol\ [0-9]/Protocol 2/g' /etc/ssh/sshd_config
+# sed -i 's/PermitRootLogin\ yes/PermitRootLogin no/g' /etc/ssh/sshd_config
+# sed -i 's/PermitEmptyPasswords\ yes/PermitEmptyPasswords no/g' /etc/ssh/sshd_config
+# sed -i 's/Protocol\ [0-9]/Protocol 2/g' /etc/ssh/sshd_config
+
+touch /etc/ssh/sshd_config.d/custom.conf
+echo "PermitRootLogin no" >> /etc/ssh/sshd_config.d/custom.conf
+echo "PermitEmptyPasswords no" >> /etc/ssh/sshd_config.d/custom.conf
+
 systemctl reload ssh
-echo "\033[92;1mSSH secured\033[Om"
+echo -e "\033[92;1mSSH secured\033[Om"

bin/upgrade.sh

@@ -2,7 +2,7 @@
 
 # TODO check if root
 
-echo '\033[35m
+echo -e '\033[35m
    __  ______  __________  ___    ____  ______
   / / / / __ \/ ____/ __ \/   |  / __ \/ ____/
  / / / / /_/ / / __/ /_/ / /| | / / / / __/

bin/urbackup.sh

@@ -38,12 +38,18 @@ apt install build-essential "g++" "libcrypto++-dev" libz-dev -y
 #  libwxgtk3.0-dev
 
 # Download the UrBackup client source files and extract them
-wget -P /tmp/ https://hndl.urbackup.org/Client/latest/urbackup-client-2.3.4.0.tar.gz
+# wget -P /tmp/ https://hndl.urbackup.org/Client/latest/urbackup-client-2.3.4.0.tar.gz
+# wget -P /tmp/ https://hndl.urbackup.org/Client/2.4.11/urbackup-client-2.4.11.0.tar.gz
+# wget -P /tmp/ https://hndl.urbackup.org/Client/2.5.20/urbackup-client-2.5.20.0.tar.gz
+# wget -P /tmp/ https://hndl.urbackup.org/Client/2.5.20/urbackup-client-2.5.24.0.tar.gz
+wget -P /tmp/ https://hndl.urbackup.org/Client/2.5.25/urbackup-client-2.5.25.0.tar.gz
 cd /tmp
-tar xzf /tmp/urbackup-client-2.3.4.0.tar.gz
+
+tar xzf /tmp/urbackup-client-2.5.25.0.tar.gz
 
 # Build the UrBackup client and install it
-cd /tmp/urbackup-client-2.3.4.0
+# cd /tmp/urbackup-client-2.3.4.0
+cd /tmp/urbackup-client-2.5.25.0
 ./configure --enable-headless
 make -j4
 make install
@@ -66,7 +72,8 @@ internet_mode_enabled=true
 internet_image_backups_def=false
 default_dirs_def=/etc;var/www;/var/backups/mysql
 startup_backup_delay_def=3
-computername=$_computername" > /usr/local/var/urbackup/data/settings.cfg
+computername=$_computername" > /etc/default/urbackupclient
+# /usr/local/var/urbackup/data/settings.cfg
 
 # firewall
 ufw allow from "$_ip" to any port 35621
@@ -74,7 +81,8 @@ ufw allow from "$_ip" to any port 35622
 ufw allow from "$_ip" to any port 35623
 
 # install and enable systemd service
-cp "$_assets"/urbackup.service /etc/systemd/system/
+# cp "$_assets"/urbackup.service /etc/systemd/system/
+cp urbackupclientbackend-debian.service /etc/systemd/system/urbackup.service
 chmod a+x /etc/systemd/system/urbackup.service
 
 systemctl --system daemon-reload

bin/user.sh

@@ -37,8 +37,6 @@ do
   fi
 done
 
-
-# read -p "Continue? (Y/N): " confirm && [[ $confirm == [yY] || $confirm == [yY][eE][sS] ]] || exit 1
 adduser "$user"
 echo "adding $user to admin group and limiting su to the admin group"
 groupadd admin

bin/vhost.sh

@@ -27,6 +27,7 @@ if [ "$vh" = "y" ]; then
     fi
   fi
 
+  _domain=""
   while [ "$_domain" = "" ]
   do
   read -p "enter a domain name ? " _domain
@@ -41,6 +42,7 @@ if [ "$vh" = "y" ]; then
   done
 
   # ask for simple php conf or drupal conf
+  _drupal=""
   while [ "$_drupal" != "yes" ] && [ "$_drupal" != "no" ]
   do
     echo -n "Is your site is a drupal one? [yes|no] "
@@ -48,28 +50,30 @@ if [ "$vh" = "y" ]; then
   done
 
   # ask for let's encrypt
+  _letsencrypt=""
   while [ "$_letsencrypt" != "yes" ] && [ "$_letsencrypt" != "no" ]
   do
     echo -e "\033[35;1mLet's encrypt \033[0m"
-    echo -e "Let's encrypt needs a public registered domain name with proper DNS records ( A records or CNAME records for subdomains pointing to your server)."
+    echo "Let's encrypt needs a public registered domain name with proper DNS records ( A records or CNAME records for subdomains pointing to your server)."
     echo -n "Should we install let's encrypt certificate with $_domain? [yes|no] "
     read _letsencrypt
   done
 
-  systemctl stop nginx
 
   # lets'encrypt
   # https://certbot.eff.org/lets-encrypt/debianstretch-nginx
   if [ "$_letsencrypt" = "yes" ]; then
-    apt-get --yes --force-yes install certbot
+    apt-get --yes install certbot
+    systemctl stop nginx
     certbot certonly --standalone -d "$_domain" --cert-name "$_domain"
+    systemctl start nginx
     # TODO stop the whole process if letsencrypt faile
     mkdir -p /etc/nginx/ssl/certs/"$_domain"
     openssl dhparam -out /etc/nginx/ssl/certs/"$_domain"/dhparam.pem 2048
     # renewing
     touch /var/spool/cron/crontabs/root
     crontab -l > mycron
-    echo -e "0 3 * * * certbot renew --pre-hook 'systemctl stop nginx' --post-hook 'systemctl start nginx' --cert-name $_domain" >> mycron
+    echo "0 3 * * * certbot renew --pre-hook 'systemctl stop nginx' --post-hook 'systemctl start nginx' --cert-name $_domain" >> mycron
     crontab mycron
     rm mycron
   fi
@@ -102,6 +106,16 @@ if [ "$vh" = "y" ]; then
   chmod -R g+w /var/www/"$_domain"/
   chmod -R g+r /var/www/"$_domain"/
 
+  #set fail2ban for vhost
+  # https://stackoverflow.com/a/65552146
+  cp "$_assets/fail2ban/jail.d/nginx-badbots.conf" "/etc/fail2ban/jail.d/nginx-badbots-$_domain.conf"
+  sed -i -r "s/\[nginx-badbots\]/\[nginx-badbots-$_domain\]/g" "/etc/fail2ban/jail.d/nginx-badbots-$_domain.conf"
+  sed -i -r "s/<FILTER>/\[nginx-badbots-$_domain\]/g" "/etc/fail2ban/jail.d/nginx-badbots-$_domain.conf"
+  sed -i -r "s/<LOGPATH>/\/var\/www\/$_domain\/log\/error.log/g" "/etc/fail2ban/jail.d/nginx-badbots-$_domain.conf"
+
+  cp "$_assets/fail2ban/filter.d/nginx-badbots.conf" "/etc/fail2ban/filter.d/nginx-badbots-$_domain.conf"
+  sed -i -r "s/<HOST>/$_domain/g" "/etc/fail2ban/filter.d/nginx-badbots-$_domain.conf"
+
 
 
   # create a shortcut to the site
@@ -110,7 +124,8 @@ if [ "$vh" = "y" ]; then
   yn=${yn:-y}
   if [ "$yn" = "Y" ] || [ "$yn" = "y" ]; then
     # if $user var does not exists (vhost.sh ran directly) ask for it
-    if [ -z ${user+x} ]; then
+    user=""
+    # if [ -z ${user+x} ]; then
       while [ "$user" = "" ]
       do
         read -p "enter an existing user name ? " user
@@ -124,14 +139,14 @@ if [ "$vh" = "y" ]; then
               user=""
             fi
           else
-            echo -e "user $user doesn't exists, you must provide an existing user"
+            echo "user $user doesn't exists, you must provide an existing user"
             user=""
           fi
         fi
       done
-    fi
+    # fi
 
-    echo -e "shortcut will be installed for '$user'";
+    echo "shortcut will be installed for '$user'";
     sleep 3
 
     mkdir /home/"$user"/www/
@@ -140,14 +155,14 @@ if [ "$vh" = "y" ]; then
     chown "$user":admin /home/"$user"/www/"$_domain"
 
   else
-    echo -e 'no shortcut installed'
+    echo 'no shortcut installed'
   fi
   # activate the vhost
   ln -s /etc/nginx/sites-available/"$_domain".conf /etc/nginx/sites-enabled/"$_domain".conf
 
   # restart nginx
-  systemctl start nginx
+  systemctl restart nginx
   echo -e "\033[92;1mvhost $_domain configured \033[Om"
 else
-  echo -e "Vhost installation aborted"
+  echo "Vhost installation aborted"
 fi

bin/webhook.sh

@@ -0,0 +1,122 @@
+#!/bin/bash
+
+# bachir soussi chiadmi
+
+# get the current position
+_cwd="$(pwd)"
+
+echo -e '\033[35m
+ __      __   _    _  _          _
+ \ \    / /__| |__| || |___  ___| |__
+  \ \/\/ / -_) `_ \ __ / _ \/ _ \ / /
+   \_/\_/\___|_.__/_||_\___/\___/_\_\
+\033[0m'
+
+# check for assets folder
+_assets="$_cwd/assets"
+if [ ! -d "$_assets" ]; then
+  _assets="$_cwd/../assets"
+  if [ ! -d "$_assets" ]; then
+    echo "!! can't find assets directory !!"
+    exit
+  fi
+fi
+
+user=""
+while [ "$user" = "" ]
+do
+  read -p "enter an existing user name ? " user
+  if [ "$user" != "" ]; then
+    # check if user already exists
+    if id "$user" >/dev/null 2>&1; then
+      read -p "is user name $user correcte [y|n] " validated
+      if [ "$validated" = "y" ]; then
+        break
+      else
+        user=""
+      fi
+    else
+      echo "user $user doesn't exists, you must provide an existing user"
+      user=""
+    fi
+  fi
+done
+
+_domain=""
+while [ "$_domain" = "" ]
+do
+read -p "enter a domain name ? " _domain
+if [ "$_domain" != "" ]; then
+  read -p "is domain $_domain correcte [y|n] " validated
+  if [ "$validated" = "y" ]; then
+    break
+  else
+    _domain=""
+  fi
+fi
+done
+
+_id=$(echo "$_domain" | sed "s/\./_/g")
+
+_remote=""
+while [ "$_remote" = "" ]
+do
+read -p "enter teh remote git repos url to pull from ? " _remote
+if [ "$_remote" != "" ]; then
+  read -p "is $_remote correcte [y|n] " validated
+  if [ "$validated" = "y" ]; then
+    break
+  else
+    _remote=""
+  fi
+fi
+done
+
+# TODO check for /home/"$user"/www/"$_domain"
+if [ ! -d /home/"$user"/www/"$_domain" ]; then
+  echo "/home/$user/www/$_domain does not exists !"
+  exit
+fi
+
+# TODO check for /home/"$user"/git-repositories/"$_domain.git"
+if [ ! -d /home/"$user"/git-repositories/"$_domain.git" ]; then
+  echo "/home/$user/git-repositories/$_domain.git does not exists !"
+  exit
+fi
+
+apt-get install webhook
+
+# git bare repos remote
+git --git-dir=/home/"$user"/git-repositories/"$_domain.git" remote add origin "$_remote"
+
+# hook deploy script
+cp -f "$_assets"/webhook-deploy.sh /home/"$user"/webhook-deploy-"$_id".sh
+sed -i -r "s/DOMAIN/$_domain/g" /home/"$user"/webhook-deploy-"$_id".sh
+sed -i -r "s/USER/$user/g" /home/"$user"/webhook-deploy-"$_id".sh
+chowm $user:$user /home/"$user"/webhook-deploy-"$_id".sh
+chmod +x /home/"$user"/webhook-deploy-"$_id".sh
+
+# remove git bare repos hook
+mv /home/"$user"/git-repositories/"$_domain".git/hooks/post-receive /home/"$user"/git-repositories/"$_domain".git/hooks/post-receive.back
+
+# webhook conf
+touch /etc/webhooks.conf
+echo "
+- id: deploy_app_$_id
+  execute-command: /home/$user/webhook-deploy-$_id.sh
+  command-working-directory: /home/$user/
+" >> /etc/webhooks.conf
+
+# webhook service
+cp -f "$_assets"/webhook.service /etc/systemd/system/webhook.service
+systemctl enable webhook
+systemctl start webhook
+systemctl restart webhook
+
+# systemctl reload webhook
+
+ufw allow 9000
+
+echo "webhook done"
+echo "you can configure your webhook trigger with the following url :"
+echo "http://$_domain:9000/hooks/deploy_app_$_id"

bin/zabbix.sh

@@ -26,8 +26,9 @@ if [ ! -d "$_assets" ]; then
   fi
 fi
 
-wget -P /tmp/ http://repo.zabbix.com/zabbix/3.4/debian/pool/main/z/zabbix-release/zabbix-release_3.4-1+stretch_all.deb
-dpkg -i /tmp/zabbix-release_3.4-1+stretch_all.deb
+
+wget -P /tmp/ wget https://repo.zabbix.com/zabbix/6.4/debian/pool/main/z/zabbix-release/zabbix-release_6.4-1+debian12_all.deb
+dpkg -i /tmp/zabbix-release_6.4-1+debian12_all.deb
 
 apt-get update -y
 
@@ -40,8 +41,6 @@ echo -n "Please provide the zabbix-server's ip : "
 read _ip
 echo -n "Please provide the hostname of this agent : "
 read _host_name
-echo -n "Please provide the mysql root password : "
-read _root_mysql_passwd
 
 _agent_conf_d="/etc/zabbix/zabbix_agentd.d" # for debian 8
 if [ ! -d "$_agent_conf_d" ]; then
@@ -53,6 +52,10 @@ sed -i "s#Server=127.0.0.1#Server=$_ip#g" /etc/zabbix/zabbix_agentd.conf
 sed -i "s#ServerActive=127.0.0.1#ServerActive=$_ip#g" /etc/zabbix/zabbix_agentd.conf
 sed -i "s#Hostname=Zabbix server#Hostname=$_host_name#g" /etc/zabbix/zabbix_agentd.conf
 
+
+# todo ask if LXC container, if yes install this script
+# https://github.com/kvaps/zabbix-linux-container-template
+
 # APT
 # check for debian security updates
 # not working : https://www.osso.nl/blog/zabbix-counting-security-updates
@@ -64,27 +67,44 @@ cp "$_assets"/zabbix/apt.conf "$_agent_conf_d"/
 # MYSQL
 # https://serverfault.com/questions/737018/zabbix-user-parameter-mysql-status-setting-home
 # create zabbix user home
-mkdir /var/lib/zabbix
-# generate random password for zabbix mysql user
-_passwd="$(< /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c12)"
-# add mysql credentials to zabbix home
-printf "[client]\n
-user=zabbix\n
-password=$_passwd" > /var/lib/zabbix/.my.cnf
-# create zabbix mysql user
-mysql -uroot -p"$_root_mysql_passwd" -e "CREATE USER 'zabbix' IDENTIFIED BY '$_passwd';"
-mysql -uroot -p"$_root_mysql_passwd" -e "GRANT USAGE ON *.* TO 'zabbix'@'localhost' IDENTIFIED BY '$_passwd';"
-# add zabbix-agent parameter
-cp "$_assets"/zabbix/userparameter_mysql.conf "$_agent_conf_d"/
+
+echo -n "monitor mysql? [Y|n] "
+read yn
+yn=${yn:-y}
+if [ "$yn" = "Y" ] || [ "$yn" = "y" ]; then
+  echo -n "Please provide the mysql root password : "
+  read _root_mysql_passwd
+
+  mkdir /var/lib/zabbix
+  # generate random password for zabbix mysql user
+  _passwd="$(< /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c12)"
+  # add mysql credentials to zabbix home
+  printf "[client]\n
+  user=zabbix\n
+  password=$_passwd" > /var/lib/zabbix/.my.cnf
+  # create zabbix mysql user
+  mysql -uroot -p"$_root_mysql_passwd" -e "CREATE USER 'zabbix' IDENTIFIED BY '$_passwd';"
+  mysql -uroot -p"$_root_mysql_passwd" -e "GRANT USAGE ON *.* TO 'zabbix'@'localhost' IDENTIFIED BY '$_passwd';"
+  # add zabbix-agent parameter
+  cp "$_assets"/zabbix/userparameter_mysql.conf "$_agent_conf_d"/
+fi
+
 
 # NGINX
 # https://github.com/sfuerte/zbx-nginx
 # nginxconf already included in default.nginxconf asset
-sed -i "s/# allow CURRENT-SERVER-IP/allow $_cur_ip/g" /etc/nginx/sites-available/default
-cp "$_assets"/zabbix/userparameter_nginx.conf "$_agent_conf_d"/
-mkdir /etc/zabbix/zabbix_agentd.scripts
-cp "$_assets"/zabbix/scripts/nginx-stat.py /etc/zabbix/zabbix_agentd.scripts/
-chmod +x /etc/zabbix/zabbix_agentd.scripts/nginx-stat.py
+
+echo -n "Monitor nginx? [Y|n] "
+read yn
+yn=${yn:-y}
+if [ "$yn" = "Y" ] || [ "$yn" = "y" ]; then
+  sed -i "s/# allow CURRENT-SERVER-IP/allow $_cur_ip/g" /etc/nginx/sites-available/default
+  cp "$_assets"/zabbix/userparameter_nginx.conf "$_agent_conf_d"/
+  mkdir /etc/zabbix/zabbix_agentd.scripts
+  cp "$_assets"/zabbix/scripts/nginx-stat.py /etc/zabbix/zabbix_agentd.scripts/
+  chmod +x /etc/zabbix/zabbix_agentd.scripts/nginx-stat.py
+fi
+
 
 echo -n "This is box is a proxmox CT? [Y|n] "
 read yn
@@ -96,6 +116,8 @@ fi
 # SYSTEMD
 # https://github.com/MogiePete/zabbix-systemd-service-monitoring
 cp "$_assets"/zabbix/userparameter_systemd_services.conf "$_agent_conf_d"/
+# https://www.zabbix.com/forum/zabbix-cookbook/23024-monitor-the-version-of-centos-debian-ubuntu?p=386466#post386466
+cp "$_assets"/zabbix/userparameter_linux_name_version.conf "$_agent_conf_d"/
 
 # disble unused system units
 systemctl disable rsync

install.sh

@@ -13,10 +13,10 @@ echo -e '\033[35m
 /_____/\___/_.___/_/\__,_/_/ /_/   /____/\___/_/    |___/\___/_/
 
 \033[0m'
-echo -e "\033[35;1mThis script has been tested only on Linux Debian 9 \033[0m"
+echo -e "\033[35;1mThis script has been tested only on Linux Debian 10 \033[0m"
 
 if [ "$EUID" -ne 0 ]; then
-  echo -e "Please run as root"
+  echo "Please run as root"
   exit
 fi
 
@@ -24,7 +24,7 @@ echo -n "Should we start? [Y|n] "
 read yn
 yn=${yn:-y}
 if [ "$yn" != "y" ]; then
-  echo -e "aborting script!"
+  echo "aborting script!"
   exit
 fi
 
@@ -35,7 +35,7 @@ _cwd="$(pwd)"
 . bin/misc.sh
 . bin/firewall.sh
 . bin/fail2ban.sh
-. bin/knockd.sh
+# . bin/knockd.sh
 . bin/user.sh
 . bin/email.sh
 
@@ -48,7 +48,7 @@ done
 if [ "$securssh" = "yes" ]; then
   . bin/ssh.sh
 else
-  echo -e 'root user can still conect through ssh'
+  echo 'root user can still conect through ssh'
 fi
 
 
@@ -58,7 +58,7 @@ yn=${yn:-y}
 if [ "$yn" = "y" ]; then
   . bin/ftp.sh
 else
-  echo -e 'ftp server not installed'
+  echo 'ftp server not installed'
 fi
 
 while [ "$lemp" != "yes" ] && [ "$lemp" != "no" ]
@@ -69,7 +69,7 @@ done
 if [ "$lemp" = "yes" ]; then
   . bin/lemp.sh
 else
-  echo -e 'lemp server not installed'
+  echo 'lemp server not installed'
 fi
 
 while [ "$_install_vhost" != "yes" ] && [ "$_install_vhost" != "no" ]
@@ -78,9 +78,10 @@ do
   read _install_vhost
 done
 if [ "$_install_vhost" = "yes" ]; then
+  # TODO bug vhost.sh file does not exists ...
   . bin/vhost.sh
 else
-  echo -e 'no vhost installed'
+  echo 'no vhost installed'
 fi
 
 while [ "$_install_zabbix_agent" != "yes" ] && [ "$_install_zabbix_agent" != "no" ]
@@ -91,7 +92,7 @@ done
 if [ "$_install_zabbix_agent" = "yes" ]; then
   . bin/zabbix.sh
 else
-  echo -e 'zabbix-agent not installed'
+  echo 'zabbix-agent not installed'
 fi
 
 while [ "$_install_urbackup" != "yes" ] && [ "$_install_urbackup" != "no" ]
@@ -102,11 +103,12 @@ done
 if [ "$_install_urbackup" = "yes" ]; then
   . bin/urbackup.sh
 else
-  echo -e 'urbackup client not installed'
+  echo 'urbackup client not installed'
 fi
 
-
+# ./install.sh: line 109: bin/dotfiles.sh: No such file or directory
 . bin/dotfiles.sh
+
 # . bin/autoupdate.sh
 
 # echo -e '\033[35m
@@ -139,7 +141,7 @@ fi
 
 #   mount -t tmpfs -o rw,noexec,nosuid tmpfs /tmp
 #   chmod 1777 /tmp
-#   echo -e "tmpfs /tmp tmpfs rw,noexec,nosuid 0 0" >> /etc/fstab
+#   echo "tmpfs /tmp tmpfs rw,noexec,nosuid 0 0" >> /etc/fstab
 
 #   # Restore /tmp
 #   cp -Rpf /tmpbackup/* /tmp/ >/dev/null 2>&1

raw.githubusercontent.com_kvaps_zabbix-linux-container-template_master_zabbix_container.conf.txt

@@ -0,0 +1,4 @@
+UserParameter=ct.memory.size[*],free -b | awk 'NR==2 {total=$ 2; used=($ 3+$ 5); pused=(($ 3+$ 5)*100/$ 2); free=$ 4; pfree=($ 4*100/$ 2); shared=$ 5; buffers=$ 6; cached=$ 6; available=$ 7; pavailable=($ 7*100/$ 2); if("$1" == "") {printf("%.0f", total )} else {printf("%.0f", $1 "" )} }'
+UserParameter=ct.swap.size[*],free -b | awk 'NR==3 {total=$ 2; used=$ 3; free=$ 4; pfree=($ 4*100/$ 2); pused=($ 3*100/$ 2); if("$1" == "") {printf("%.0f", free )} else {printf("%.0f", $1 "" )} }'
+UserParameter=ct.cpu.load[*],cut -d" " -f1-3 /proc/loadavg | awk -F'[, ]+' '{avg1=$(NF-2); avg5=$(NF-1); avg15=$(NF)}{print $2/'$(nproc)'}'
+UserParameter=ct.uptime,cut -d"." -f1 /proc/uptime

readme.md

@@ -1,10 +1,11 @@
-# Install web server and secure it on debian 9
+# Install LEMP web server and secure it on debian 12
 
 Fail2ban, Ufw, Proftpd, Knockd, Nginx, Mariadb, php7.0-fpm, redis, vhosts, git barre repos, zabbix-agent, dotfiles and more
 
 ## how to use it
 on a fresh install
-as root
+
+All commands below are run as root user. Either log in as root user directly or log in as your normal user and then use the command ```su -``` to become root user on your server before you proceed. IMPORTANT: You must use ```su -``` and not just ```su```, otherwise your PATH variable is set wrong by Debian.
 
 1 install git
 ```
@@ -16,7 +17,13 @@ apt-get install git
 git clone https://figureslibres.io/gogs/bachir/debian-web-server.git
 ```
 
-3 run the script as root
+3 change defaut shell from dash to bash
+```
+dpkg-reconfigure dash
+```
+and answer NO to the the question
+
+4 run the script as root
 ```
 su
 cd debian-web-server
@@ -25,6 +32,23 @@ chmod a+x install.sh
 
 ```
 
+5 steps
+
+* misc.sh
+* dotfliles.sh
+* user.sh
+* ssh.sh
+* firewall.sh
+* fail2ban.sh
+* email.sh
+* lemp.sh
+* mysqlbackup.sh
+* vhost.sh
+* gitbarrerepos.sh
+* webhook.sh
+* urbackup.sh
+* zabbix.sh
+* 
 
 ## ref
 http://www.debian.org/doc/manuals/securing-debian-howto/