bachir/debion-web-server
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: bachir:master
Branches Tags
bachir:master
bachir:deb12
bachir:deb11
bachir:deb10
bachir:deb9
bachir:deb9-nginx
bachir:deb9-apache
..
compare: bachir:deb9-apache
Branches Tags
bachir:deb12
bachir:master
bachir:deb11
bachir:deb10
bachir:deb9
bachir:deb9-nginx
bachir:deb9-apache

No commits in common. "master" and "deb9-apache" have entirely different histories.
master ... deb9-apach

74 changed files with 1045 additions and 13977 deletions
Show Stats Expand all files Collapse all files

37
bin/_addUserSite.sh → addUserSite.sh Executable file → Normal file
View File

@ -2,16 +2,15 @@
# bachir soussi chiadmi # bachir soussi chiadmi
# TODO check if root
echo -e '\033[35m echo '\033[35m
__ _______ __________ __ _______ __________
/ / / / ___// ____/ __ \ / / / / ___// ____/ __ \
/ / / /\__ \/ __/ / /_/ / / / / /\__ \/ __/ / /_/ /
/ /_/ /___/ / /___/ _, _/ / /_/ /___/ / /___/ _, _/
\____//____/_____/_/ |_| \____//____/_____/_/ |_|
\033[0m' \033[0m'
echo -e "\033[35;1mCreate new user (you will be asked a user name and a password) \033[0m" echo "\033[35;1mCreate new user (you will be asked a user name and a password) \033[0m"
sleep 3 sleep 3
while [ "$user" = "" ] while [ "$user" = "" ]
do do
@ -34,14 +33,14 @@ mkdir /home/$user/backups
chmod -w /home/"$user" chmod -w /home/"$user"
echo -e '\033[35m echo '\033[35m
__ __ __ __
_ __/ /_ ____ _____/ /_ _ __/ /_ ____ _____/ /_
| | / / __ \/ __ \/ ___/ __/ | | / / __ \/ __ \/ ___/ __/
| |/ / / / / /_/ (__ ) /_ | |/ / / / / /_/ (__ ) /_
|___/_/ /_/\____/____/\__/ |___/_/ /_/\____/____/\__/
\033[0m' \033[0m'
echo -e "\033[35;1mVHOST install \033[0m" echo "\033[35;1mVHOST install \033[0m"
while [ "$_host_name" = "" ] while [ "$_host_name" = "" ]
do do
@ -56,6 +55,9 @@ if [ "$_host_name" != "" ]; then
fi fi
done done
cp "$_cwd"/assets/example.org.conf /etc/apache2/sites-available/"$_host_name".conf
sed -ir "s/example\.org/$_host_name/g" /etc/apache2/sites-available/"$_host_name".conf
#set proper right to user will handle the app #set proper right to user will handle the app
chown -R "$user":admin /home/"$user"/public_html chown -R "$user":admin /home/"$user"/public_html
chown -R "$user":admin /home/"$user"/logs chown -R "$user":admin /home/"$user"/logs
@ -68,19 +70,17 @@ mkdir -p /var/www/"$_host_name"
ln -s /home/"$user"/public_html /var/www/"$_host_name"/public_html ln -s /home/"$user"/public_html /var/www/"$_host_name"/public_html
ln -s /home/"$user"/logs /var/www/"$_host_name"/logs ln -s /home/"$user"/logs /var/www/"$_host_name"/logs
# TODO create nginx vhost
# cp "$_cwd"/assets/example.org.conf /etc/apache2/sites-available/"$_host_name".conf
# sed -i -r "s/example\.org/$_host_name/g" /etc/apache2/sites-available/"$_host_name".conf
#activate the vhost #activate the vhost
# a2ensite "$_host_name".conf a2ensite "$_host_name".conf
#restart apache #restart apache
# service apache2 restart service apache2 restart
echo -e "\033[92;1mvhost $_host_name configured\033[Om" echo "\033[92;1mvhost $_host_name configured\033[Om"
# todo add mysql user and database # todo add mysql user and database
echo -e '\033[35m echo '\033[35m
__ ___ __ __ ___ __
/ |/ /_ ___________ _/ / / |/ /_ ___________ _/ /
/ /|_/ / / / / ___/ __ `/ / / /|_/ / / / / ___/ __ `/ /
@ -88,7 +88,7 @@ echo -e '\033[35m
/_/ /_/\__, /____/\__, /_/ /_/ /_/\__, /____/\__, /_/
/____/ /_/ /____/ /_/
\033[0m' \033[0m'
echo -e "\033[35;1mMysql database \033[0m" echo "\033[35;1mMysql database \033[0m"
while [ "$_dbname" = "" ] while [ "$_dbname" = "" ]
do do
@ -118,9 +118,8 @@ do
fi fi
done done
if [ "$passok" = 1 ]; then
# mysql> create user '$_dbname'@'localhost' identified by '$_pswd'; # mysql> create user '$_dbname'@'localhost' identified by '$_pswd';
# mysql> create database $_dbname; # mysql> create database $_dbname;
# mysql> grant all privileges on esadhar_eval.* to 'esadhar_eval'@'localhost'; # mysql> grant all privileges on esadhar_eval.* to 'esadhar_eval'@'localhost';
# mysql> flush privileges; # mysql> flush privileges;
fi

19
assets/99-lamp-php.ini Normal file
View File

@ -0,0 +1,19 @@
# conf added by custom lamp install script
max_execution_time = 60
max_input_time = 60
memory_limit = 512M
error_reporting = E_COMPILE_ERROR|E_RECOVERABLE_ERROR|E_ERROR|E_CORE_ERROR
display_errors = Off
log_errors = On
error_log = /var/log/php/php_errors.log
# security
allow_url_include = Off
allow_url_fopen = Off
session.use_only_cookies = 1
session.cookie_httponly = 1
expose_php = Off
display_errors = Off
register_globals = Off
disable_functions = shell_exec, escapeshellarg, escapeshellcmd, passthru, proc_close, proc_get_status, proc_nice, proc_open,proc_terminate

277
assets/apache2.conf Normal file
View File

@ -0,0 +1,277 @@
# This is the main Apache server configuration file. It contains the
# configuration directives that give the server its instructions.
# See http://httpd.apache.org/docs/2.2/ for detailed information about
# the directives and /usr/share/doc/apache2-common/README.Debian.gz about
# Debian specific hints.
#
#
# Summary of how the Apache 2 configuration works in Debian:
# The Apache 2 web server configuration in Debian is quite different to
# upstream's suggested way to configure the web server. This is because Debian's
# default Apache2 installation attempts to make adding and removing modules,
# virtual hosts, and extra configuration directives as flexible as possible, in
# order to make automating the changes and administering the server as easy as
# possible.
# It is split into several files forming the configuration hierarchy outlined
# below, all located in the /etc/apache2/ directory:
#
# /etc/apache2/
# |-- apache2.conf
# | `-- ports.conf
# |-- mods-enabled
# | |-- *.load
# | `-- *.conf
# |-- conf.d
# | `-- *
# `-- sites-enabled
# `-- *
#
#
# * apache2.conf is the main configuration file (this file). It puts the pieces
# together by including all remaining configuration files when starting up the
# web server.
#
# In order to avoid conflicts with backup files, the Include directive is
# adapted to ignore files that:
# - do not begin with a letter or number
# - contain a character that is neither letter nor number nor _-:.
# - contain .dpkg
#
# Yet we strongly suggest that all configuration files either end with a
# .conf or .load suffix in the file name. The next Debian release will
# ignore files not ending with .conf (or .load for mods-enabled).
#
# * ports.conf is always included from the main configuration file. It is
# supposed to determine listening ports for incoming connections, and which
# of these ports are used for name based virtual hosts.
#
# * Configuration files in the mods-enabled/ and sites-enabled/ directories
# contain particular configuration snippets which manage modules or virtual
# host configurations, respectively.
#
# They are activated by symlinking available configuration files from their
# respective *-available/ counterparts. These should be managed by using our
# helpers a2enmod/a2dismod, a2ensite/a2dissite. See
# their respective man pages for detailed information.
#
# * Configuration files in the conf.d directory are either provided by other
# packages or may be added by the local administrator. Local additions
# should start with local- or end with .local.conf to avoid name clashes. All
# files in conf.d are considered (excluding the exceptions noted above) by
# the Apache 2 web server.
#
# * The binary is called apache2. Due to the use of environment variables, in
# the default configuration, apache2 needs to be started/stopped with
# /etc/init.d/apache2 or apache2ctl. Calling /usr/bin/apache2 directly will not
# work with the default configuration.
# Global configuration
#
#
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
# NOTE! If you intend to place this on an NFS (or otherwise network)
# mounted filesystem then please read the LockFile documentation (available
# at <URL:http://httpd.apache.org/docs/2.2/mod/mpm_common.html#lockfile>);
# you will save yourself a lot of trouble.
#
# Do NOT add a slash at the end of the directory path.
#
#ServerRoot "/etc/apache2"
#
# The accept serialization lock file MUST BE STORED ON A LOCAL DISK.
#
LockFile ${APACHE_LOCK_DIR}/accept.lock
#
# PidFile: The file in which the server should record its process
# identification number when it starts.
# This needs to be set in /etc/apache2/envvars
#
PidFile ${APACHE_PID_FILE}
#
# Timeout: The number of seconds before receives and sends time out.
#
Timeout 300
#
# KeepAlive: Whether or not to allow persistent connections (more than
# one request per connection). Set to "Off" to deactivate.
#
KeepAlive On
#
# MaxKeepAliveRequests: The maximum number of requests to allow
# during a persistent connection. Set to 0 to allow an unlimited amount.
# We recommend you leave this number high, for maximum performance.
#
MaxKeepAliveRequests 100
#
# KeepAliveTimeout: Number of seconds to wait for the next request from the
# same client on the same connection.
#
KeepAliveTimeout 5
##
## Server-Pool Size Regulation (MPM specific)
##
# prefork MPM
# StartServers: number of server processes to start
# MinSpareServers: minimum number of server processes which are kept spare
# MaxSpareServers: maximum number of server processes which are kept spare
# MaxClients: maximum number of server processes allowed to start
# MaxRequestsPerChild: maximum number of requests a server process serves
<IfModule mpm_prefork_module>
StartServers 5
MinSpareServers 5
MaxSpareServers 10
MaxClients 150
MaxRequestsPerChild 0
</IfModule>
# worker MPM
# StartServers: initial number of server processes to start
# MinSpareThreads: minimum number of worker threads which are kept spare
# MaxSpareThreads: maximum number of worker threads which are kept spare
# ThreadLimit: ThreadsPerChild can be changed to this maximum value during a
# graceful restart. ThreadLimit can only be changed by stopping
# and starting Apache.
# ThreadsPerChild: constant number of worker threads in each server process
# MaxClients: maximum number of simultaneous client connections
# MaxRequestsPerChild: maximum number of requests a server process serves
<IfModule mpm_worker_module>
StartServers 2
MinSpareThreads 25
MaxSpareThreads 75
ThreadLimit 64
ThreadsPerChild 25
MaxClients 150
MaxRequestsPerChild 0
</IfModule>
# event MPM
# StartServers: initial number of server processes to start
# MinSpareThreads: minimum number of worker threads which are kept spare
# MaxSpareThreads: maximum number of worker threads which are kept spare
# ThreadsPerChild: constant number of worker threads in each server process
# MaxClients: maximum number of simultaneous client connections
# MaxRequestsPerChild: maximum number of requests a server process serves
<IfModule mpm_event_module>
StartServers 1
MinSpareThreads 2
MaxSpareThreads 5
ThreadLimit 20
ThreadsPerChild 20
MaxClients 60
MaxRequestsPerChild 5000
</IfModule>
# These need to be set in /etc/apache2/envvars
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}
#
# AccessFileName: The name of the file to look for in each directory
# for additional configuration directives. See also the AllowOverride
# directive.
#
AccessFileName .htaccess
#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<Files ~ "^\.ht">
Order allow,deny
Deny from all
Satisfy all
</Files>
# TuxLite. Better to put this block here compared to Debian's default
<Directory />
Options -Indexes FollowSymLinks
AllowOverride All
Order allow,deny
allow from all
</Directory>
#
# DefaultType is the default MIME type the server will use for a document
# if it cannot otherwise determine one, such as from filename extensions.
# If your server contains mostly text or HTML documents, "text/plain" is
# a good value. If most of your content is binary, such as applications
# or images, you may want to use "application/octet-stream" instead to
# keep browsers from trying to display binary files as though they are
# text.
#
# It is also possible to omit any default MIME type and let the
# client's browser guess an appropriate action instead. Typically the
# browser will decide based on the file's extension then. In cases
# where no good assumption can be made, letting the default MIME type
# unset is suggested instead of forcing the browser to accept
# incorrect metadata.
#
DefaultType None
#
# HostnameLookups: Log the names of clients or just their IP addresses
# e.g., www.apache.org (on) or 204.62.129.132 (off).
# The default is off because it'd be overall better for the net if people
# had to knowingly turn this feature on, since enabling it means that
# each client request will result in AT LEAST one lookup request to the
# nameserver.
#
HostnameLookups Off
# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
# container, error messages relating to that virtual host will be
# logged here. If you *do* define an error logfile for a <VirtualHost>
# container, that host's errors will be logged there and not here.
#
ErrorLog ${APACHE_LOG_DIR}/error.log
#
# LogLevel: Control the number of messages logged to the error_log.
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
#
LogLevel warn
# Include module configuration:
Include mods-enabled/*.load
Include mods-enabled/*.conf
# Include list of ports to listen on and which to use for name based vhosts
Include ports.conf
#
# The following directives define some format nicknames for use with
# a CustomLog directive (see below).
# If you are behind a reverse proxy, you might want to change %h into %{X-Forwarded-For}i
#
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
# Include of directories ignores editors' and dpkg's backup files,
# see the comments above for details.
# Include generic snippets of statements
Include conf.d/
# Include the virtual host configurations:
Include sites-enabled/

106
assets/default.nginxconf
View File

@ -1,106 +0,0 @@
##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# https://www.nginx.com/resources/wiki/start/
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
# https://wiki.debian.org/Nginx/DirectoryStructure
#
# In most cases, administrators will remove this file from sites-enabled/ and
# leave it as reference inside of sites-available where it will continue to be
# updated by the nginx packaging team.
#
# This file will automatically load configuration files provided by other
# applications, such as Drupal or Wordpress. These applications will be made
# available underneath a path with that package name, such as /drupal8.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##
# Default server configuration
#
server {
listen 80 default_server;
listen [::]:80 default_server;
# SSL configuration
#
# listen 443 ssl default_server;
# listen [::]:443 ssl default_server;
#
# Note: You should disable gzip for SSL traffic.
# See: https://bugs.debian.org/773332
#
# Read up on ssl_ciphers to ensure a secure configuration.
# See: https://bugs.debian.org/765782
#
# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
#
# include snippets/snakeoil.conf;
root /var/www/html;
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html index.php;
server_name _;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
}
# pass PHP scripts to FastCGI server
location ~ \.php$ {
fastcgi_pass unix:/run/php/php7.0-fpm.sock;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
location ~ /\.ht {
deny all;
}
## Images and static content is treated different
location ~* ^.+.(jpg|jpeg|gif|css|png|js|ico|xml)$ {
access_log off;
expires max;
}
location ~ /(libraries|setup/frames|setup/libs) {
deny all;
return 404;
}
location /nginx_status {
stub_status on;
access_log off;
allow 127.0.0.1;
# allow CURRENT-SERVER-IP;
deny all;
}
}
# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
# listen 80;
# listen [::]:80;
#
# server_name example.com;
#
# root /var/www/example.com;
# index index.html;
#
# location / {
# try_files $uri $uri/ =404;
# }
#}

26
assets/deploy-drupal.sh
View File

@ -1,26 +0,0 @@
#!/bin/bash
echo "updating drupal 8"
echo "Switching to project docroot."
cd ./public_html
echo ""
echo "Pulling down latest code."
git pull --ff-only origin prod
git submodule update --init --recursive
echo ""
echo "Clearing drush caches."
drush cache-clear drush
echo ""
echo "Composer install."
composer install --no-dev
echo ""
echo "Running database updates."
drush updb -y
echo ""
echo "Importing configuration."
drush config-import -y
echo ""
echo "Clearing caches."
drush cr
echo ""
echo "Deployment complete."

10
assets/deploy-simple.sh
View File

@ -1,10 +0,0 @@
#!/bin/bash
echo "updating"
echo "Switching to project docroot."
cd ./public_html
echo ""
echo "Pulling down latest code."
git pull --ff-only origin prod
echo ""
echo "Deployment complete."

157
assets/drupal-ssl-decoupled.nginxconf
View File

@ -1,157 +0,0 @@
# https://www.nginx.com/resources/wiki/start/topics/recipes/drupal/
server {
listen 80;
listen [::]:80;
server_name DOMAIN.LTD;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name DOMAIN.LTD;
#SSL Certificates
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_certificate "/etc/letsencrypt/live/DOMAIN.LTD/fullchain.pem";
ssl_certificate_key "/etc/letsencrypt/live/DOMAIN.LTD/privkey.pem";
ssl_dhparam /etc/nginx/ssl/certs/DOMAIN.LTD/dhparam.pem;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10m;
ssl_ciphers HIGH:!aNULL:!MD5;
#ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security "max-age=31536000;
#includeSubDomains" always;
charset utf-8;
access_log on;
error_log /var/www/DOMAIN.LTD/log/error.log; # debug;
root /var/www/DOMAIN.LTD/app/src/dist/;
index index.php index.html index.htm;
location @app {
rewrite ^/(.*)$ /index.html;
}
location / {
#alias /var/www/enfrancais.fr/app/web/;
try_files $uri $uri/ @app;
}
location @api {
rewrite ^/api/(.*)$ /api/index.php;
}
location @rewrite {
rewrite ^/api/(.*)$ /index.php?q=$1;
}
location /api {
alias /var/www/enfrancais.fr/api/src/web/;
try_files $uri $uri/ @api;
# In Drupal 8, we must also match new paths where the '.php' appears in
# the middle, such as update.php/selection. The rule we use is strict,
# and only allows this pattern with the update.php front controller.
# This allows legacy path aliases in the form of
# blog/index.php/legacy-path to continue to route to Drupal nodes. If
# you do not have any paths like that, then you might prefer to use a
# laxer rule, such as:
# # location ~ \.php(/|$) {
# The laxer rule will continue to work if Drupal uses this new URL
# pattern with front controllers other than update.php in a future
# release.
#location ~ '\.php$|^/update.php' {
#location ~ \.php(/|$) {
location ~ \.php$ {
#fastcgi_split_path_info ^(.+\.php)(/.+)$;
#fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
#fastcgi_split_path_info ^(.+?\.php)(/.*)$;
include fastcgi_params;
#fastcgi_index index.php;
# Block httpoxy attacks. See https://httpoxy.org/.
#fastcgi_param HTTP_PROXY "";
#fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
#fastcgi_param SCRIPT_FILENAME index.php;
fastcgi_param SCRIPT_FILENAME $request_filename;
#fastcgi_param REQUEST_URI $request_uri;
#fastcgi_param PATH_INFO $fastcgi_path_info;
#set $path_info $fastcgi_path_info;
#fastcgi_param PATH_INFO /;
#fastcgi_param QUERY_STRING $query_string;
#fastcgi_intercept_errors off;
#fastcgi_param DOCUMENT_ROOT /var/www/enfrancais.fr/api;
# fastcgi_buffer_size 16k;
# fastcgi_buffers 4 16k;
fastcgi_pass unix:/run/php/php8.2-fpm.sock;
}
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
try_files $uri @rewrite;
expires max;
log_not_found off;
}
location ~ \..*/.*\.php$ {
return 403;
}
location ~ ^/sites/.*/private/ {
return 403;
}
# Block access to scripts in site files directory
location ~ ^/sites/[^/]+/files/.*\.php$ {
deny all;
}
# Allow "Well-Known URIs" as per RFC 5785
location ~* ^/.well-known/ {
allow all;
}
# Block access to "hidden" files and directories whose names begin with a
# period. This includes directories used by version control systems such
# as Subversion or Git to store control files.
location ~ (^|/)\. {
return 403;
}
# Don't allow direct access to PHP files in the vendor directory.
location ~ /vendor/.*\.php$ {
deny all;
return 404;
}
location ~ /\.ht {
deny all;
}
sendfile off;
client_max_body_size 100m;
# Fighting with Styles? This little gem is amazing.
# location ~ ^/sites/.*/files/imagecache/ { # For Drupal <= 6
location ~ ^/sites/.*/files/styles/ { # For Drupal >= 7
try_files $uri @rewrite;
}
# Handle private files through Drupal. Private file's path can come
# with a language prefix.
location ~ ^(/[a-z\-]+)?/system/files/ { # For Drupal >= 7
try_files $uri /index.php?$query_string;
}
}
location = /favicon.ico { access_log off; log_not_found off; }
# website should not be displayed inside a <frame>, an <iframe> or an <object>
add_header X-Frame-Options SAMEORIGIN;
}

141
assets/drupal-ssl.nginxconf
View File

@ -1,141 +0,0 @@
# https://www.nginx.com/resources/wiki/start/topics/recipes/drupal/
# https://www.howtoforge.com/tutorial/install-letsencrypt-and-secure-nginx-in-debian-9/
server {
listen 80;
listen [::]:80;
server_name DOMAIN.LTD;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name DOMAIN.LTD;
root /var/www/DOMAIN.LTD/public_html;
#SSL Certificates
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_certificate "/etc/letsencrypt/live/DOMAIN.LTD/fullchain.pem";
ssl_certificate_key "/etc/letsencrypt/live/DOMAIN.LTD/privkey.pem";
ssl_dhparam /etc/nginx/ssl/certs/DOMAIN.LTD/dhparam.pem;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10m;
ssl_ciphers HIGH:!aNULL:!MD5;
#ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security "max-age=31536000;
#includeSubDomains" always;
charset utf-8;
location = /favicon.ico {
access_log off;
log_not_found off;
}
location = /robots.txt {
allow all;
access_log off;
log_not_found off;
}
location ~ \..*/.*\.php$ {
return 403;
}
location ~ ^/sites/.*/private/ {
return 403;
}
# Block access to scripts in site files directory
location ~ ^/sites/[^/]+/files/.*\.php$ {
deny all;
}
# Allow "Well-Known URIs" as per RFC 5785
location ~* ^/.well-known/ {
allow all;
}
# Block access to "hidden" files and directories whose names begin with a
# period. This includes directories used by version control systems such
# as Subversion or Git to store control files.
location ~ (^|/)\. {
return 403;
}
location / {
# try_files $uri @rewrite; # For Drupal <= 6
try_files $uri /index.php?$query_string; # For Drupal >= 7
}
location @rewrite {
rewrite ^/(.*)$ /index.php?q=$1;
}
# Don't allow direct access to PHP files in the vendor directory.
location ~ /vendor/.*\.php$ {
deny all;
return 404;
}
location ~ /\.ht {
deny all;
}
access_log on;
error_log /var/www/DOMAIN.LTD/log/error.log;
sendfile off;
client_max_body_size 100m;
# In Drupal 8, we must also match new paths where the '.php' appears in
# the middle, such as update.php/selection. The rule we use is strict,
# and only allows this pattern with the update.php front controller.
# This allows legacy path aliases in the form of
# blog/index.php/legacy-path to continue to route to Drupal nodes. If
# you do not have any paths like that, then you might prefer to use a
# laxer rule, such as:
# location ~ \.php(/|$) {
# The laxer rule will continue to work if Drupal uses this new URL
# pattern with front controllers other than update.php in a future
# release.
location ~ '\.php$|^/update.php' {
# fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
include fastcgi_params;
# Block httpoxy attacks. See https://httpoxy.org/.
fastcgi_param HTTP_PROXY "";
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param QUERY_STRING $query_string;
fastcgi_intercept_errors on;
# fastcgi_buffer_size 16k;
# fastcgi_buffers 4 16k;
fastcgi_pass unix:/run/php/php8.1-fpm.sock;
}
# Fighting with Styles? This little gem is amazing.
# location ~ ^/sites/.*/files/imagecache/ { # For Drupal <= 6
location ~ ^/sites/.*/files/styles/ { # For Drupal >= 7
try_files $uri @rewrite;
}
# Handle private files through Drupal. Private file's path can come
# with a language prefix.
location ~ ^(/[a-z\-]+)?/system/files/ { # For Drupal >= 7
try_files $uri /index.php?$query_string;
}
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
try_files $uri @rewrite;
expires max;
log_not_found off;
}
# website should not be displayed inside a <frame>, an <iframe> or an <object>
add_header X-Frame-Options SAMEORIGIN;
}

118
assets/drupal.nginxconf
View File

@ -1,118 +0,0 @@
# https://www.nginx.com/resources/wiki/start/topics/recipes/drupal/
server {
listen 80;
listen [::]:80;
server_name DOMAIN.LTD;
root /var/www/DOMAIN.LTD/public_html;
charset utf-8;
location = /favicon.ico {
access_log off;
log_not_found off;
}
location = /robots.txt {
allow all;
access_log off;
log_not_found off;
}
location ~ \..*/.*\.php$ {
return 403;
}
location ~ ^/sites/.*/private/ {
return 403;
}
# Block access to scripts in site files directory
location ~ ^/sites/[^/]+/files/.*\.php$ {
deny all;
}
# Allow "Well-Known URIs" as per RFC 5785
location ~* ^/.well-known/ {
allow all;
}
# Block access to "hidden" files and directories whose names begin with a
# period. This includes directories used by version control systems such
# as Subversion or Git to store control files.
location ~ (^|/)\. {
return 403;
}
location / {
# try_files $uri @rewrite; # For Drupal <= 6
try_files $uri /index.php?$query_string; # For Drupal >= 7
}
location @rewrite {
rewrite ^/(.*)$ /index.php?q=$1;
}
# Don't allow direct access to PHP files in the vendor directory.
location ~ /vendor/.*\.php$ {
deny all;
return 404;
}
location ~ /\.ht {
deny all;
}
access_log on;
error_log /var/www/DOMAIN.LTD/log/error.log;
sendfile off;
client_max_body_size 100m;
# In Drupal 8, we must also match new paths where the '.php' appears in
# the middle, such as update.php/selection. The rule we use is strict,
# and only allows this pattern with the update.php front controller.
# This allows legacy path aliases in the form of
# blog/index.php/legacy-path to continue to route to Drupal nodes. If
# you do not have any paths like that, then you might prefer to use a
# laxer rule, such as:
# location ~ \.php(/|$) {
# The laxer rule will continue to work if Drupal uses this new URL
# pattern with front controllers other than update.php in a future
# release.
location ~ '\.php$|^/update.php' {
# fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
include fastcgi_params;
# Block httpoxy attacks. See https://httpoxy.org/.
fastcgi_param HTTP_PROXY "";
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param QUERY_STRING $query_string;
fastcgi_intercept_errors on;
# fastcgi_buffer_size 16k;
# fastcgi_buffers 4 16k;
fastcgi_pass unix:/run/php/php8.2-fpm.sock;
}
# Fighting with Styles? This little gem is amazing.
# location ~ ^/sites/.*/files/imagecache/ { # For Drupal <= 6
location ~ ^/sites/.*/files/styles/ { # For Drupal >= 7
try_files $uri @rewrite;
}
# Handle private files through Drupal. Private file's path can come
# with a language prefix.
location ~ ^(/[a-z\-]+)?/system/files/ { # For Drupal >= 7
try_files $uri /index.php?$query_string;
}
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
try_files $uri @rewrite;
expires max;
log_not_found off;
}
# website should not be displayed inside a <frame>, an <iframe> or an <object>
add_header X-Frame-Options SAMEORIGIN;
}

8
assets/example.org.conf Normal file
View File

@ -0,0 +1,8 @@
<VirtualHost *:80>
ServerAdmin webmaster@example.org
ServerName example.org
ServerAlias www.example.org
DocumentRoot /srv/www/example.org/public_html/
ErrorLog /srv/www/example.org/logs/error.log
CustomLog /srv/www/example.org/logs/access.log combined
</VirtualHost>

5
assets/fail2ban/filter.d/nginx-badbots.conf
View File

@ -1,5 +0,0 @@
[Definition]
failregex = FastCGI sent in stderr: "Primary script unknown" .*, client: <HOST>, server: .*
ignoreregex =

7
assets/fail2ban/jail.d/nginx-badbots.conf
View File

@ -1,7 +0,0 @@
[nginx-badbots]
enabled = true
port = http,https
filter = <FILTER>
logpath = <LOGPATH>
maxretry = 2

6
assets/git-post-receive → assets/git-post-reveive
View File

@ -10,11 +10,9 @@ if [ $refname = "refs/heads/prod" ]; then
unset GIT_DIR unset GIT_DIR
cd ~ cd ~
cd $PRODDIR cd $PRODDIR
# git pull --ff-only origin prod git pull --ff-only origin prod
# run deploy script instead
. deploy.sh
echo $? echo $?
echo "====== OK =====" echo "====== OK ====="
else else
echo "Warning Commit not deployed, please use prod branch" echo "Warning Commit not deployed, please use prod branch"
fi fi

3
assets/git-pre-receive
View File

@ -1,7 +1,6 @@
#!/bin/bash #!/bin/bash
#hook/pre-receive #hook/pre-receive
#CONFIG #CONFIG
PRODDIR="www" PRODDIR="www"
read oldrev newrev refname read oldrev newrev refname
@ -15,4 +14,4 @@ if [ $refname = "refs/heads/prod" ]; then
echo "====== OK =====" echo "====== OK ====="
else else
echo "Warning Commit not deployed, please use prod branch" echo "Warning Commit not deployed, please use prod branch"
fi fi

13
assets/index.php
View File

@ -1,13 +0,0 @@
<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
<meta charset="utf-8">
<title>DOMAIN.LTD</title>
</head>
<body>
<h1>DOMAIN.LTD</h1>
<?php phpinfo(); ?>
</body>
</html>

38
assets/knockd.conf
View File

@ -1,27 +1,15 @@
# claranet serveur
# [options]
# UseSyslog
#
# [Client]
# sequence = 5019,8599,4468
# seq_timeout = 5
# command = /sbin/iptables -I internet_inbound 1 -s %IP% -p tcp --match multiport --dports 22,21,40000:40200 -j ACCEPT
# tcpflags = syn
# cmd_timeout = 86400
# stop_command = /sbin/iptables -D internet_inbound -s %IP% -p tcp --match multiport --dports 22,21,40000:40200 -j ACCEPT
[options] [options]
logfile = /var/log/knockd.log UseSyslog
[openSSH]
sequence = 7000,8000,9000
seq_timeout = 5
command = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn
[closeSSH]
sequence = 9000,8000,7000
seq_timeout = 5
command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn
[SSH]
sequence = 7000,8000,9000
seq_timeout = 5
# do not limit port 22 to the ip as it don't work with 4G connection
# start_command = ufw insert 1 allow from %IP% to any port 22
start_command = ufw allow ssh
tcpflags = syn
cmd_timeout = 600
# stop_command = ufw delete allow from %IP% to any port 22
stop_command = ufw delete allow ssh

12
assets/mysql/innodb-file-per-table.cnf
View File

@ -1,12 +0,0 @@
# https://howto.biapy.com/fr/debian-gnu-linux/serveurs/mysql/installer-et-configurer-mysql-sur-debian
# Use one file by InnoDB table.
# Use Barracuda as InnoDB engine.
# Allow InnoDB large indexs.
# Use Dynamic row format.
# Reduce disk usage, ease disk space reclaiming.
[mysqld]
innodb_file_per_table = 1
innodb_file_format=Barracuda
innodb_large_prefix=1
; Option below only for MariaDB 10.2
;innodb_default_row_format=DYNAMIC

58
assets/mysqlbackup.sh
View File

@ -1,58 +0,0 @@
#!/bin/bash
# Simple script to backup MySQL databases
# Parent backup directory
backup_parent_dir="/var/backups/mysql"
# MySQL settings
mysql_user="root"
mysql_password="ROOTPASSWD"
# Read MySQL password from stdin if empty
# if [ -z "${mysql_password}" ]; then
# echo -n "Enter MySQL ${mysql_user} password: "
# read -s mysql_password
# echo
# fi
# Check MySQL password
echo exit | mysql --user=${mysql_user} --password=${mysql_password} -B 2>/dev/null
if [ "$?" -gt 0 ]; then
echo "MySQL ${mysql_user} password incorrect"
exit 1
else
echo "MySQL ${mysql_user} password correct."
fi
# Create backup directory and set permissions
backup_date=`date +%Y_%m_%d_%H_%M`
backup_dir="${backup_parent_dir}/${backup_date}"
echo "Backup directory: ${backup_dir}"
mkdir -p "${backup_dir}"
chmod 644 "${backup_dir}"
# Get MySQL databases
mysql_databases=`echo 'show databases' | mysql --user=${mysql_user} --password=${mysql_password} -B | sed /^Database$/d`
# Backup and compress each database
for database in $mysql_databases
do
if [ "${database}" == "information_schema" ] || [ "${database}" == "performance_schema" ]; then
additional_mysqldump_params="--skip-lock-tables --compact --no-autocommit "
else
additional_mysqldump_params=""
fi
echo "Creating backup of \"${database}\" database"
mysqldump ${additional_mysqldump_params} --user=${mysql_user} --password=${mysql_password} ${database} | gzip > "${backup_dir}/${database}.sql.gz"
chmod 644 "${backup_dir}/${database}.sql.gz"
done
# compress the folder
# tar -zcvf "${backup_dir}.tar.gz" "${backup_dir}"
# rm -rf "${backup_dir}"
# Rotate backups
# Delete files older than 30 days
find $backup_parent_dir/ -type f -mtime +60 -delete;
# Delete empty directories
find $backup_parent_dir/ -type d -empty -delete;

31
assets/nginx-phpmyadmin.conf
View File

@ -1,31 +0,0 @@
server {
listen 80;
location /phpmyadmin {
# server_name phpmyadmin.idroot.net;
root /var/www/phpmyadmin;
index index.php;
## Images and static content is treated different
location ~* ^.+.(jpg|jpeg|gif|css|png|js|ico|xml)$ {
access_log off;
expires 30d;
}
location ~ /\.ht {
deny all;
}
location ~ /(libraries|setup/frames|setup/libs) {
deny all;
return 404;
}
location ~ \.php$ {
fastcgi_pass unix:/run/php/php8.2-fpm.sock;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}
}
}

59
assets/pgsqlbackup.sh
View File

@ -1,59 +0,0 @@
#!/bin/bash
# Simple script to backup postgresql databases
# Parent backup directory
backup_parent_dir="/var/backups/postgresql"
# PostgreSQL settings
pg_host="HOST"
pg_port="PORT"
pg_user="USER"
pg_password="PASSWD"
# Check MySQL password
# echo exit | mysql --user=${mysql_user} --password=${mysql_password} -B 2>/dev/null
# if [ "$?" -gt 0 ]; then
# echo "MySQL ${mysql_user} password incorrect"
# exit 1
# else
# echo "MySQL ${mysql_user} password correct."
# fi
# Create backup directory and set permissions
backup_date=`date +%Y_%m_%d_%H_%M`
backup_dir="${backup_parent_dir}/${backup_date}"
echo "Backup directory: ${backup_dir}"
mkdir -p "${backup_dir}"
chmod 644 "${backup_dir}"
# Get postgresql databases
pgsql_databases=`psql "host=$pg_host port=$pg_port user=$pg_user password=$pg_password" -At -c "select datname from pg_database where not datistemplate and datallowconn;"`
# Backup and compress each database
for database in $pgsql_databases
do
echo "Creating backup of \"${database}\" database"
# mysqldump ${additional_mysqldump_params} --user=${mysql_user} --password=${mysql_password} ${database} | gzip > "${backup_dir}/${database}.sql.gz"
# chmod 644 "${backup_dir}/${database}.sql.gz"
set -o pipefail
# if ! pg_dump -Fp -h "$pg_host" -U "$pg_user" "$database" | gzip > $backup_dir"/$database".sql.gz.in_progress; then
# if ! pg_dump -Fp "host=$pg_host port=$pg_port user=$pg_user password=$pg_password" "$database" | gzip > $backup_dir"/$database".sql.gz.in_progress; then
if ! pg_dump -Fp --dbname="postgresql://$pg_user:$pg_password@$pg_host:$pg_port/$database" | gzip > $backup_dir"/$database".sql.gz.in_progress; then
echo "[!!ERROR!!] Failed to produce plain backup database $database" 1>&2
else
mv $backup_dir"/$database".sql.gz.in_progress $backup_dir"/$database".sql.gz
fi
set +o pipefail
done
# compress the folder
# tar -zcvf "${backup_dir}.tar.gz" "${backup_dir}"
# rm -rf "${backup_dir}"
# Rotate backups
# Delete files older than 30 days
find $backup_parent_dir/ -type f -mtime +60 -delete;
# Delete empty directories
find $backup_parent_dir/ -type d -empty -delete;

1920
assets/php7.3-fpm.ini
View File

File diff suppressed because it is too large Load Diff

1920
assets/php7.4-fpm.ini
View File

File diff suppressed because it is too large Load Diff

1920
assets/php8.1-fpm.ini
View File

File diff suppressed because it is too large Load Diff

1920
assets/php8.2-fpm.ini
View File

File diff suppressed because it is too large Load Diff

66
assets/simple-phpfpm-ssl.nginxconf
View File

@ -1,66 +0,0 @@
# https://www.howtoforge.com/tutorial/install-letsencrypt-and-secure-nginx-in-debian-9/
server {
listen 80;
listen [::]:80;
server_name DOMAIN.LTD;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name DOMAIN.LTD;
root /var/www/DOMAIN.LTD/public_html;
index index.html index.php;
charset utf-8;
location / {
try_files $uri $uri/ /index.php?$query_string;
}
location = /favicon.ico { access_log off; log_not_found off; }
location = /robots.txt { access_log off; log_not_found off; }
access_log on;
error_log /var/www/DOMAIN.LTD/log/error.log;
sendfile off;
client_max_body_size 100m;
#SSL Certificates
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_certificate "/etc/letsencrypt/live/DOMAIN.LTD/fullchain.pem";
ssl_certificate_key "/etc/letsencrypt/live/DOMAIN.LTD/privkey.pem";
ssl_dhparam /etc/nginx/ssl/certs/DOMAIN.LTD/dhparam.pem;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10m;
ssl_ciphers HIGH:!aNULL:!MD5;
#ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security "max-age=31536000;
#includeSubDomains" always;
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/run/php/php8.1-fpm.sock;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_intercept_errors off;
fastcgi_buffer_size 16k;
fastcgi_buffers 4 16k;
}
location ~ /\.ht {
deny all;
}
# website should not be displayed inside a <frame>, an <iframe> or an <object>
add_header X-Frame-Options SAMEORIGIN;
}

42
assets/simple-phpfpm.nginxconf
View File

@ -1,42 +0,0 @@
server {
listen 80;
listen [::]:80;
server_name DOMAIN.LTD;
root /var/www/DOMAIN.LTD/public_html;
index index.html index.php;
charset utf-8;
location / {
try_files $uri $uri/ /index.php?$query_string;
}
location = /favicon.ico { access_log off; log_not_found off; }
location = /robots.txt { access_log off; log_not_found off; }
access_log on;
error_log /var/www/DOMAIN.LTD/log/error.log;
sendfile off;
client_max_body_size 100m;
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/run/php/php8.1-fpm.sock;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_intercept_errors off;
fastcgi_buffer_size 16k;
fastcgi_buffers 4 16k;
}
location ~ /\.ht {
deny all;
}
# website should not be displayed inside a <frame>, an <iframe> or an <object>
add_header X-Frame-Options SAMEORIGIN;
}

12
assets/urbackup.service
View File

@ -1,12 +0,0 @@
[Unit]
Description=Urbackup Backend
ConditionPathExists=/usr/local/sbin/urbackupclientbackend
[Service]
Type=forking
ExecStart=/usr/local/sbin/urbackupclientbackend -d
PIDFile = /run/urbackup_srv.pid
TimeoutSec=0
[Install]
WantedBy=multi-user.target

8
assets/webhook-deploy.sh
View File

@ -1,8 +0,0 @@
#!/bin/bash
# update bare repos
echo "Updating bare repos"
su -c "git --git-dir=git-repositories/DOMAIN.git fetch origin prod:prod" USER
# deploy prod
cd www/DOMAIN/
su -c "./deploy.sh" USER

10
assets/webhook.service
View File

@ -1,10 +0,0 @@
[Unit]
Description=Small server for creating HTTP endpoints (hooks)
Documentation=https://github.com/adnanh/webhook/
[Service]
ExecStart=webhook -hooks /etc/webhooks.conf -verbose -nopanic -hotreload
Restart=always
[Install]
WantedBy=multi-user.target

11
assets/webhook/etc/systemd/system/webhook.service
View File

@ -1,11 +0,0 @@
[Unit]
Description=Small server for creating HTTP endpoints (hooks)
Documentation=https://github.com/adnanh/webhook/
[Service]
ExecStart=webhook -hooks /etc/webhooks.conf -verbose -nopanic -hotreload
Restart=always
[Install]
WantedBy=multi-user.target

3
assets/webhook/etc/webhook.conf
View File

@ -1,3 +0,0 @@
- id: deploy-app-enfrancais
execute-command: "/root/deploy-app-enfrancais-hook.sh"
command-working-directory: "/home/appdev/"

9
assets/webhook/root/deploy-app-hook.sh
View File

@ -1,9 +0,0 @@
#!/bin/sh
# $cwd is defined in webhook conf
# update bare repos
git --git-dir=git-repositories/app.enfrancais.fr.git fetch origin prod:prod
# deploy prod
cd www/enfrancais.fr/app
./deploy.sh

6
assets/zabbix/apt.conf
View File

@ -1,6 +0,0 @@
# Treat security and regular updates differently
# This is just a simulation, that can be run under zabbix user
# Since updating packages lists (apt-get update) requires root user,
# use APT::Periodic or some other functionality for that
UserParameter=apt.security,apt-get -s upgrade | grep -ci ^inst.*security | tr -d '\n'
UserParameter=apt.updates,apt-get -s upgrade | grep -iPc '^Inst((?!security).)*$' | tr -d '\n'

6
assets/zabbix/debian-updates-BAD.conf
View File

@ -1,6 +0,0 @@
# Check for debian updates
UserParameter=debian_updates[*], aptitude -F%p search "?upgradable ?archive(`sed '/^deb .*$1/!d;s/^deb [^ ]* \([^ ]*\) .*/\1/;q' /etc/apt/sources.list`)" 2>/dev/null | wc -l
# Increase the global timeout (unfortunately), or zabbix killing
# aptitude will leave a /tmp/aptitude-zabbix.* directory turd every
# now and then.
Timeout=12

2
assets/zabbix/misc/02periodic
View File

@ -1,2 +0,0 @@
APT::Periodic::Enable "1";
APT::Periodic::Update-Package-Lists "1";

5
assets/zabbix/promox-ct.conf
View File

@ -1,5 +0,0 @@
# https://support.zabbix.com/browse/ZBX-12164
# https://github.com/kvaps/zabbix-linux-container-template
UserParameter=ct.memory.size[*],free -b | awk '$ 1 == "Mem:" {total=$ 2; used=($ 3+$ 5); pused=(($ 3+$ 5)*100/$ 2); free=$ 4; pfree=($ 4*100/$ 2); shared=$ 5; buffers=$ 6; cache=$ 6; available=($ 6+$ 7); pavailable=(($ 6+$ 7)*100/$ 2); if("$1" == "") {printf("%.0f", total )} else {printf("%.0f", $1 "" )} }'
UserParameter=ct.swap.size[*],free -b | awk '$ 1 == "Swap:" {total=$ 2; used=$ 3; free=$ 4; pfree=($ 4*100/$ 2); pused=($ 3*100/$ 2); if("$1" == "") {printf("%.0f", free )} else {printf("%.0f", $1 "" )} }'
UserParameter=ct.cpu.load[*],uptime | awk -F'[, ]+' '{avg1=$(NF-2); avg5=$(NF-1); avg15=$(NF)}{print $2/'$(nproc)'}'

91
assets/zabbix/scripts/nginx-stat.py
View File

@ -1,91 +0,0 @@
#!/usr/bin/python
#
# Options:
#
# -a active
# -a accepted
# -a handled
# -a requests
# -a reading
# -a writing
# -a waiting
#
import sys
import getopt
import urllib2
import re
import ssl
def usage():
print "usage: nginx-stat.py -h 127.0.0.1 -p 80 -a [active|accepted|handled|request|reading|writing|waiting]"
sys.exit(2)
def main():
# Default values
host = "localhost"
port = "80"
getInfo = "None"
proto = "http"
_headers = {}
gcontext = ""
if len(sys.argv) < 2:
usage()
try:
opts, _ = getopt.getopt(sys.argv[1:], "h:p:a:")
except getopt.GetoptError:
usage()
# Assign parameters as variables
for opt, arg in opts:
if opt == "-h":
host = arg
if opt == "-p":
port = arg
if opt == "-a":
getInfo = arg
if port == "443":
proto = "https"
_headers = {'X-Mashape-Key': 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'}
gcontext = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
url = proto + "://" + host + ":" + port + "/nginx_status/"
request = urllib2.Request(url, headers=_headers)
result = urllib2.urlopen(request, context=gcontext)
buffer = re.findall(r'\d{1,8}', result.read())
## Format:
## Active connections: 196
## server accepts handled requests
## 272900 272900 328835
## Reading: 0 Writing: 6 Waiting: 190
if getInfo == "active":
print buffer[0]
elif getInfo == "accepted":
print buffer[1]
elif getInfo == "handled":
print buffer[2]
elif getInfo == "requests":
print buffer[3]
elif getInfo == "reading":
print buffer[4]
elif getInfo == "writing":
print buffer[5]
elif getInfo == "waiting":
print buffer[6]
else:
print "unknown"
sys.exit(1)
if __name__ == "__main__":
main()

219
assets/zabbix/templates/Template_App_systemd_Services.xml
View File

@ -1,219 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<zabbix_export>
<version>3.4</version>
<date>2018-07-20T14:31:02Z</date>
<groups>
<group>
<name>Templates/Applications</name>
</group>
</groups>
<templates>
<template>
<template>Template App systemd Services</template>
<name>Template App systemd Services</name>
<description>Discovery enabled systemd services, checks status every 1m, and checks PID every 10m to determine if service has rebooted.</description>
<groups>
<group>
<name>Templates/Applications</name>
</group>
</groups>
<applications>
<application>
<name>systemd</name>
</application>
</applications>
<items>
<item>
<name>System uptime</name>
<type>0</type>
<snmp_community/>
<snmp_oid/>
<key>systemd.uptime</key>
<delay>10m</delay>
<history>1d</history>
<trends>1w</trends>
<status>0</status>
<value_type>3</value_type>
<allowed_hosts/>
<units>uptime</units>
<snmpv3_contextname/>
<snmpv3_securityname/>
<snmpv3_securitylevel>0</snmpv3_securitylevel>
<snmpv3_authprotocol>0</snmpv3_authprotocol>
<snmpv3_authpassphrase/>
<snmpv3_privprotocol>0</snmpv3_privprotocol>
<snmpv3_privpassphrase/>
<params/>
<ipmi_sensor/>
<authtype>0</authtype>
<username/>
<password/>
<publickey/>
<privatekey/>
<port/>
<description/>
<inventory_link>0</inventory_link>
<applications/>
<valuemap/>
<logtimefmt/>
<preprocessing/>
<jmx_endpoint/>
<master_item/>
</item>
</items>
<discovery_rules>
<discovery_rule>
<name>Service Discovery</name>
<type>0</type>
<snmp_community/>
<snmp_oid/>
<key>systemd.service.discovery</key>
<delay>24h</delay>
<status>0</status>
<allowed_hosts/>
<snmpv3_contextname/>
<snmpv3_securityname/>
<snmpv3_securitylevel>0</snmpv3_securitylevel>
<snmpv3_authprotocol>0</snmpv3_authprotocol>
<snmpv3_authpassphrase/>
<snmpv3_privprotocol>0</snmpv3_privprotocol>
<snmpv3_privpassphrase/>
<params/>
<ipmi_sensor/>
<authtype>0</authtype>
<username/>
<password/>
<publickey/>
<privatekey/>
<port/>
<filter>
<evaltype>0</evaltype>
<formula/>
<conditions/>
</filter>
<lifetime>1d</lifetime>
<description/>
<item_prototypes>
<item_prototype>
<name>{#SERVICE} PID</name>
<type>0</type>
<snmp_community/>
<snmp_oid/>
<key>systemd.service.PID[{#SERVICE}]</key>
<delay>10m</delay>
<history>30d</history>
<trends>365d</trends>
<status>0</status>
<value_type>3</value_type>
<allowed_hosts/>
<units/>
<snmpv3_contextname/>
<snmpv3_securityname/>
<snmpv3_securitylevel>0</snmpv3_securitylevel>
<snmpv3_authprotocol>0</snmpv3_authprotocol>
<snmpv3_authpassphrase/>
<snmpv3_privprotocol>0</snmpv3_privprotocol>
<snmpv3_privpassphrase/>
<params/>
<ipmi_sensor/>
<authtype>0</authtype>
<username/>
<password/>
<publickey/>
<privatekey/>
<port/>
<description/>
<inventory_link>0</inventory_link>
<applications/>
<valuemap/>
<logtimefmt/>
<preprocessing/>
<jmx_endpoint/>
<application_prototypes/>
<master_item_prototype/>
</item_prototype>
<item_prototype>
<name>{#SERVICE} Status</name>
<type>0</type>
<snmp_community/>
<snmp_oid/>
<key>systemd.service.status[{#SERVICE}]</key>
<delay>1m</delay>
<history>30d</history>
<trends>365d</trends>
<status>0</status>
<value_type>3</value_type>
<allowed_hosts/>
<units/>
<snmpv3_contextname/>
<snmpv3_securityname/>
<snmpv3_securitylevel>0</snmpv3_securitylevel>
<snmpv3_authprotocol>0</snmpv3_authprotocol>
<snmpv3_authpassphrase/>
<snmpv3_privprotocol>0</snmpv3_privprotocol>
<snmpv3_privpassphrase/>
<params/>
<ipmi_sensor/>
<authtype>0</authtype>
<username/>
<password/>
<publickey/>
<privatekey/>
<port/>
<description>Returns the status of the</description>
<inventory_link>0</inventory_link>
<applications/>
<valuemap/>
<logtimefmt/>
<preprocessing/>
<jmx_endpoint/>
<application_prototypes/>
<master_item_prototype/>
</item_prototype>
</item_prototypes>
<trigger_prototypes>
<trigger_prototype>
<expression>{Template App systemd Services:systemd.service.PID[{#SERVICE}].diff(0)}&lt;&gt;0 and {Template App systemd Services:systemd.uptime.last()}&gt;180</expression>
<recovery_mode>0</recovery_mode>
<recovery_expression/>
<name>{#SERVICE} has restarted</name>
<correlation_mode>0</correlation_mode>
<correlation_tag/>
<url/>
<status>0</status>
<priority>2</priority>
<description>The Service has been restarted and is using a new PID</description>
<type>0</type>
<manual_close>1</manual_close>
<dependencies/>
<tags/>
</trigger_prototype>
<trigger_prototype>
<expression>{Template App systemd Services:systemd.service.status[{#SERVICE}].last()}&lt;&gt;0</expression>
<recovery_mode>0</recovery_mode>
<recovery_expression/>
<name>{#SERVICE} not running</name>
<correlation_mode>0</correlation_mode>
<correlation_tag/>
<url/>
<status>0</status>
<priority>4</priority>
<description/>
<type>0</type>
<manual_close>1</manual_close>
<dependencies/>
<tags/>
</trigger_prototype>
</trigger_prototypes>
<graph_prototypes/>
<host_prototypes/>
<jmx_endpoint/>
</discovery_rule>
</discovery_rules>
<httptests/>
<macros/>
<templates/>
<screens/>
</template>
</templates>
</zabbix_export>

170
assets/zabbix/templates/apt-updates.xml
View File

@ -1,170 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<zabbix_export>
<version>3.2</version>
<date>2017-01-29T14:52:23Z</date>
<groups>
<group>
<name>Templates</name>
</group>
</groups>
<templates>
<template>
<template>Template App APT Updates</template>
<name>Template App APT Updates</name>
<description/>
<groups>
<group>
<name>Templates</name>
</group>
</groups>
<applications>
<application>
<name>APT</name>
</application>
</applications>
<items>
<item>
<name>Security Updates</name>
<type>0</type>
<snmp_community/>
<multiplier>0</multiplier>
<snmp_oid/>
<key>apt.security</key>
<delay>900</delay>
<history>90</history>
<trends>365</trends>
<status>0</status>
<value_type>3</value_type>
<allowed_hosts/>
<units/>
<delta>0</delta>
<snmpv3_contextname/>
<snmpv3_securityname/>
<snmpv3_securitylevel>0</snmpv3_securitylevel>
<snmpv3_authprotocol>0</snmpv3_authprotocol>
<snmpv3_authpassphrase/>
<snmpv3_privprotocol>0</snmpv3_privprotocol>
<snmpv3_privpassphrase/>
<formula>1</formula>
<delay_flex/>
<params/>
<ipmi_sensor/>
<data_type>0</data_type>
<authtype>0</authtype>
<username/>
<password/>
<publickey/>
<privatekey/>
<port/>
<description/>
<inventory_link>0</inventory_link>
<applications>
<application>
<name>APT</name>
</application>
</applications>
<valuemap/>
<logtimefmt/>
</item>
<item>
<name>Non-Critical Updates</name>
<type>0</type>
<snmp_community/>
<multiplier>0</multiplier>
<snmp_oid/>
<key>apt.updates</key>
<delay>900</delay>
<history>90</history>
<trends>365</trends>
<status>0</status>
<value_type>3</value_type>
<allowed_hosts/>
<units/>
<delta>0</delta>
<snmpv3_contextname/>
<snmpv3_securityname/>
<snmpv3_securitylevel>0</snmpv3_securitylevel>
<snmpv3_authprotocol>0</snmpv3_authprotocol>
<snmpv3_authpassphrase/>
<snmpv3_privprotocol>0</snmpv3_privprotocol>
<snmpv3_privpassphrase/>
<formula>1</formula>
<delay_flex/>
<params/>
<ipmi_sensor/>
<data_type>0</data_type>
<authtype>0</authtype>
<username/>
<password/>
<publickey/>
<privatekey/>
<port/>
<description/>
<inventory_link>0</inventory_link>
<applications>
<application>
<name>APT</name>
</application>
</applications>
<valuemap/>
<logtimefmt/>
</item>
</items>
<discovery_rules/>
<httptests/>
<macros/>
<templates/>
<screens/>
</template>
</templates>
<triggers>
<trigger>
<expression>{Template App APT Updates:apt.security.last()}&gt;0 and {Template App APT Updates:apt.updates.last()}&gt;0</expression>
<recovery_mode>0</recovery_mode>
<recovery_expression/>
<name>{ITEM.LASTVALUE1} security and {ITEM.LASTVALUE2} regular updates on {HOST.NAME}</name>
<correlation_mode>0</correlation_mode>
<correlation_tag/>
<url/>
<status>0</status>
<priority>2</priority>
<description/>
<type>0</type>
<manual_close>1</manual_close>
<dependencies/>
<tags/>
</trigger>
<trigger>
<expression>{Template App APT Updates:apt.updates.last()}&gt;0 and {Template App APT Updates:apt.security.last()}=0</expression>
<recovery_mode>0</recovery_mode>
<recovery_expression/>
<name>{ITEM.LASTVALUE} regular updates on {HOST.NAME}</name>
<correlation_mode>0</correlation_mode>
<correlation_tag/>
<url/>
<status>0</status>
<priority>1</priority>
<description/>
<type>0</type>
<manual_close>1</manual_close>
<dependencies/>
<tags/>
</trigger>
<trigger>
<expression>{Template App APT Updates:apt.security.last()}&gt;0 and {Template App APT Updates:apt.updates.last()}=0</expression>
<recovery_mode>0</recovery_mode>
<recovery_expression/>
<name>{ITEM.LASTVALUE} security updates on {HOST.NAME}</name>
<correlation_mode>0</correlation_mode>
<correlation_tag/>
<url/>
<status>0</status>
<priority>2</priority>
<description/>
<type>0</type>
<manual_close>1</manual_close>
<dependencies/>
<tags/>
</trigger>
</triggers>
</zabbix_export>

2487
assets/zabbix/templates/zbx_linux_container_template.xml
View File

File diff suppressed because it is too large Load Diff

560
assets/zabbix/templates/zbx_template_nginx.xml
View File

@ -1,560 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<zabbix_export>
<version>3.4</version>
<date>2017-12-20T20:10:24Z</date>
<groups>
<group>
<name>Templates</name>
</group>
</groups>
<templates>
<template>
<template>Template App Nginx</template>
<name>Template App Nginx</name>
<description/>
<groups>
<group>
<name>Templates</name>
</group>
</groups>
<applications>
<application>
<name>Nginx</name>
</application>
</applications>
<items>
<item>
<name>Nginx Accepted Requests</name>
<type>0</type>
<snmp_community/>
<snmp_oid/>
<key>nginx.accepted[{HOST.IP},{$NGINX_PORT}]</key>
<delay>5m</delay>
<history>1w</history>
<trends>365d</trends>
<status>0</status>
<value_type>3</value_type>
<allowed_hosts/>
<units/>
<snmpv3_contextname/>
<snmpv3_securityname/>
<snmpv3_securitylevel>0</snmpv3_securitylevel>
<snmpv3_authprotocol>0</snmpv3_authprotocol>
<snmpv3_authpassphrase/>
<snmpv3_privprotocol>0</snmpv3_privprotocol>
<snmpv3_privpassphrase/>
<params/>
<ipmi_sensor/>
<authtype>0</authtype>
<username/>
<password/>
<publickey/>
<privatekey/>
<port/>
<description/>
<inventory_link>0</inventory_link>
<applications>
<application>
<name>Nginx</name>
</application>
</applications>
<valuemap/>
<logtimefmt/>
<preprocessing>
<step>
<type>9</type>
<params/>
</step>
</preprocessing>
<jmx_endpoint/>
<master_item/>
</item>
<item>
<name>Nginx Active Connections</name>
<type>0</type>
<snmp_community/>
<snmp_oid/>
<key>nginx.active[{HOST.IP},{$NGINX_PORT}]</key>
<delay>5m</delay>
<history>1w</history>
<trends>365d</trends>
<status>0</status>
<value_type>3</value_type>
<allowed_hosts/>
<units/>
<snmpv3_contextname/>
<snmpv3_securityname/>
<snmpv3_securitylevel>0</snmpv3_securitylevel>
<snmpv3_authprotocol>0</snmpv3_authprotocol>
<snmpv3_authpassphrase/>
<snmpv3_privprotocol>0</snmpv3_privprotocol>
<snmpv3_privpassphrase/>
<params/>
<ipmi_sensor/>
<authtype>0</authtype>
<username/>
<password/>
<publickey/>
<privatekey/>
<port/>
<description/>
<inventory_link>0</inventory_link>
<applications>
<application>
<name>Nginx</name>
</application>
</applications>
<valuemap/>
<logtimefmt/>
<preprocessing/>
<jmx_endpoint/>
<master_item/>
</item>
<item>
<name>Nginx Handled Requests</name>
<type>0</type>
<snmp_community/>
<snmp_oid/>
<key>nginx.handled[{HOST.IP},{$NGINX_PORT}]</key>
<delay>5m</delay>
<history>1w</history>
<trends>365d</trends>
<status>0</status>
<value_type>3</value_type>
<allowed_hosts/>
<units/>
<snmpv3_contextname/>
<snmpv3_securityname/>
<snmpv3_securitylevel>0</snmpv3_securitylevel>
<snmpv3_authprotocol>0</snmpv3_authprotocol>
<snmpv3_authpassphrase/>
<snmpv3_privprotocol>0</snmpv3_privprotocol>
<snmpv3_privpassphrase/>
<params/>
<ipmi_sensor/>
<authtype>0</authtype>
<username/>
<password/>
<publickey/>
<privatekey/>
<port/>
<description/>
<inventory_link>0</inventory_link>
<applications>
<application>
<name>Nginx</name>
</application>
</applications>
<valuemap/>
<logtimefmt/>
<preprocessing>
<step>
<type>9</type>
<params/>
</step>
</preprocessing>
<jmx_endpoint/>
<master_item/>
</item>
<item>
<name>Nginx Reading Connections</name>
<type>0</type>
<snmp_community/>
<snmp_oid/>
<key>nginx.reading[{HOST.IP},{$NGINX_PORT}]</key>
<delay>5m</delay>
<history>1w</history>
<trends>365d</trends>
<status>0</status>
<value_type>3</value_type>
<allowed_hosts/>
<units/>
<snmpv3_contextname/>
<snmpv3_securityname/>
<snmpv3_securitylevel>0</snmpv3_securitylevel>
<snmpv3_authprotocol>0</snmpv3_authprotocol>
<snmpv3_authpassphrase/>
<snmpv3_privprotocol>0</snmpv3_privprotocol>
<snmpv3_privpassphrase/>
<params/>
<ipmi_sensor/>
<authtype>0</authtype>
<username/>
<password/>
<publickey/>
<privatekey/>
<port/>
<description/>
<inventory_link>0</inventory_link>
<applications>
<application>
<name>Nginx</name>
</application>
</applications>
<valuemap/>
<logtimefmt/>
<preprocessing/>
<jmx_endpoint/>
<master_item/>
</item>
<item>
<name>Nginx Total Requests</name>
<type>0</type>
<snmp_community/>
<snmp_oid/>
<key>nginx.total[{HOST.IP},{$NGINX_PORT}]</key>
<delay>5m</delay>
<history>1w</history>
<trends>365d</trends>
<status>0</status>
<value_type>3</value_type>
<allowed_hosts/>
<units/>
<snmpv3_contextname/>
<snmpv3_securityname/>
<snmpv3_securitylevel>0</snmpv3_securitylevel>
<snmpv3_authprotocol>0</snmpv3_authprotocol>
<snmpv3_authpassphrase/>
<snmpv3_privprotocol>0</snmpv3_privprotocol>
<snmpv3_privpassphrase/>
<params/>
<ipmi_sensor/>
<authtype>0</authtype>
<username/>
<password/>
<publickey/>
<privatekey/>
<port/>
<description/>
<inventory_link>0</inventory_link>
<applications>
<application>
<name>Nginx</name>
</application>
</applications>
<valuemap/>
<logtimefmt/>
<preprocessing>
<step>
<type>9</type>
<params/>
</step>
</preprocessing>
<jmx_endpoint/>
<master_item/>
</item>
<item>
<name>Nginx Version</name>
<type>0</type>
<snmp_community/>
<snmp_oid/>
<key>nginx.version</key>
<delay>12h</delay>
<history>1w</history>
<trends>0</trends>
<status>0</status>
<value_type>1</value_type>
<allowed_hosts/>
<units/>
<snmpv3_contextname/>
<snmpv3_securityname/>
<snmpv3_securitylevel>0</snmpv3_securitylevel>
<snmpv3_authprotocol>0</snmpv3_authprotocol>
<snmpv3_authpassphrase/>
<snmpv3_privprotocol>0</snmpv3_privprotocol>
<snmpv3_privpassphrase/>
<params/>
<ipmi_sensor/>
<authtype>0</authtype>
<username/>
<password/>
<publickey/>
<privatekey/>
<port/>
<description/>
<inventory_link>0</inventory_link>
<applications>
<application>
<name>Nginx</name>
</application>
</applications>
<valuemap/>
<logtimefmt/>
<preprocessing/>
<jmx_endpoint/>
<master_item/>
</item>
<item>
<name>Nginx Waiting Connections</name>
<type>0</type>
<snmp_community/>
<snmp_oid/>
<key>nginx.waiting[{HOST.IP},{$NGINX_PORT}]</key>
<delay>5m</delay>
<history>1w</history>
<trends>365d</trends>
<status>0</status>
<value_type>3</value_type>
<allowed_hosts/>
<units/>
<snmpv3_contextname/>
<snmpv3_securityname/>
<snmpv3_securitylevel>0</snmpv3_securitylevel>
<snmpv3_authprotocol>0</snmpv3_authprotocol>
<snmpv3_authpassphrase/>
<snmpv3_privprotocol>0</snmpv3_privprotocol>
<snmpv3_privpassphrase/>
<params/>
<ipmi_sensor/>
<authtype>0</authtype>
<username/>
<password/>
<publickey/>
<privatekey/>
<port/>
<description/>
<inventory_link>0</inventory_link>
<applications>
<application>
<name>Nginx</name>
</application>
</applications>
<valuemap/>
<logtimefmt/>
<preprocessing/>
<jmx_endpoint/>
<master_item/>
</item>
<item>
<name>Nginx Writing Connections</name>
<type>0</type>
<snmp_community/>
<snmp_oid/>
<key>nginx.writing[{HOST.IP},{$NGINX_PORT}]</key>
<delay>5m</delay>
<history>1w</history>
<trends>365d</trends>
<status>0</status>
<value_type>3</value_type>
<allowed_hosts/>
<units/>
<snmpv3_contextname/>
<snmpv3_securityname/>
<snmpv3_securitylevel>0</snmpv3_securitylevel>
<snmpv3_authprotocol>0</snmpv3_authprotocol>
<snmpv3_authpassphrase/>
<snmpv3_privprotocol>0</snmpv3_privprotocol>
<snmpv3_privpassphrase/>
<params/>
<ipmi_sensor/>
<authtype>0</authtype>
<username/>
<password/>
<publickey/>
<privatekey/>
<port/>
<description/>
<inventory_link>0</inventory_link>
<applications>
<application>
<name>Nginx</name>
</application>
</applications>
<valuemap/>
<logtimefmt/>
<preprocessing/>
<jmx_endpoint/>
<master_item/>
</item>
</items>
<discovery_rules/>
<httptests/>
<macros>
<macro>
<macro>{$NGINX_PORT}</macro>
<value>80</value>
</macro>
</macros>
<templates/>
<screens>
<screen>
<name>Nginx Performance</name>
<hsize>2</hsize>
<vsize>1</vsize>
<screen_items>
<screen_item>
<resourcetype>0</resourcetype>
<width>500</width>
<height>100</height>
<x>0</x>
<y>0</y>
<colspan>1</colspan>
<rowspan>1</rowspan>
<elements>0</elements>
<valign>0</valign>
<halign>0</halign>
<style>0</style>
<url/>
<dynamic>0</dynamic>
<sort_triggers>0</sort_triggers>
<resource>
<name>Nginx Requests Statistics</name>
<host>Template App Nginx</host>
</resource>
<max_columns>3</max_columns>
<application/>
</screen_item>
<screen_item>
<resourcetype>0</resourcetype>
<width>500</width>
<height>100</height>
<x>1</x>
<y>0</y>
<colspan>1</colspan>
<rowspan>1</rowspan>
<elements>0</elements>
<valign>0</valign>
<halign>0</halign>
<style>0</style>
<url/>
<dynamic>0</dynamic>
<sort_triggers>0</sort_triggers>
<resource>
<name>Nginx Connection Status</name>
<host>Template App Nginx</host>
</resource>
<max_columns>3</max_columns>
<application/>
</screen_item>
</screen_items>
</screen>
</screens>
</template>
</templates>
<graphs>
<graph>
<name>Nginx Connection Status</name>
<width>900</width>
<height>200</height>
<yaxismin>0.0000</yaxismin>
<yaxismax>100.0000</yaxismax>
<show_work_period>1</show_work_period>
<show_triggers>1</show_triggers>
<type>0</type>
<show_legend>1</show_legend>
<show_3d>0</show_3d>
<percent_left>0.0000</percent_left>
<percent_right>0.0000</percent_right>
<ymin_type_1>0</ymin_type_1>
<ymax_type_1>0</ymax_type_1>
<ymin_item_1>0</ymin_item_1>
<ymax_item_1>0</ymax_item_1>
<graph_items>
<graph_item>
<sortorder>0</sortorder>
<drawtype>5</drawtype>
<color>00C800</color>
<yaxisside>0</yaxisside>
<calc_fnc>2</calc_fnc>
<type>0</type>
<item>
<host>Template App Nginx</host>
<key>nginx.active[{HOST.IP},{$NGINX_PORT}]</key>
</item>
</graph_item>
<graph_item>
<sortorder>1</sortorder>
<drawtype>0</drawtype>
<color>0000C8</color>
<yaxisside>0</yaxisside>
<calc_fnc>2</calc_fnc>
<type>0</type>
<item>
<host>Template App Nginx</host>
<key>nginx.reading[{HOST.IP},{$NGINX_PORT}]</key>
</item>
</graph_item>
<graph_item>
<sortorder>2</sortorder>
<drawtype>0</drawtype>
<color>C80000</color>
<yaxisside>0</yaxisside>
<calc_fnc>2</calc_fnc>
<type>0</type>
<item>
<host>Template App Nginx</host>
<key>nginx.waiting[{HOST.IP},{$NGINX_PORT}]</key>
</item>
</graph_item>
<graph_item>
<sortorder>3</sortorder>
<drawtype>0</drawtype>
<color>C800C8</color>
<yaxisside>0</yaxisside>
<calc_fnc>2</calc_fnc>
<type>0</type>
<item>
<host>Template App Nginx</host>
<key>nginx.writing[{HOST.IP},{$NGINX_PORT}]</key>
</item>
</graph_item>
</graph_items>
</graph>
<graph>
<name>Nginx Requests Statistics</name>
<width>900</width>
<height>200</height>
<yaxismin>0.0000</yaxismin>
<yaxismax>100.0000</yaxismax>
<show_work_period>1</show_work_period>
<show_triggers>1</show_triggers>
<type>0</type>
<show_legend>1</show_legend>
<show_3d>0</show_3d>
<percent_left>0.0000</percent_left>
<percent_right>0.0000</percent_right>
<ymin_type_1>0</ymin_type_1>
<ymax_type_1>0</ymax_type_1>
<ymin_item_1>0</ymin_item_1>
<ymax_item_1>0</ymax_item_1>
<graph_items>
<graph_item>
<sortorder>0</sortorder>
<drawtype>5</drawtype>
<color>00C800</color>
<yaxisside>0</yaxisside>
<calc_fnc>2</calc_fnc>
<type>0</type>
<item>
<host>Template App Nginx</host>
<key>nginx.handled[{HOST.IP},{$NGINX_PORT}]</key>
</item>
</graph_item>
<graph_item>
<sortorder>1</sortorder>
<drawtype>0</drawtype>
<color>0000C8</color>
<yaxisside>0</yaxisside>
<calc_fnc>2</calc_fnc>
<type>0</type>
<item>
<host>Template App Nginx</host>
<key>nginx.accepted[{HOST.IP},{$NGINX_PORT}]</key>
</item>
</graph_item>
<graph_item>
<sortorder>2</sortorder>
<drawtype>0</drawtype>
<color>C80000</color>
<yaxisside>0</yaxisside>
<calc_fnc>2</calc_fnc>
<type>0</type>
<item>
<host>Template App Nginx</host>
<key>nginx.total[{HOST.IP},{$NGINX_PORT}]</key>
</item>
</graph_item>
</graph_items>
</graph>
</graphs>
</zabbix_export>

1
assets/zabbix/userparameter_linux_name_version.conf
View File

@ -1 +0,0 @@
UserParameter=linux.system.name.version,(lsb_release -d > dev/null 2>&1) && lsb_release -d || (cat /etc/centos-release > /dev/null > /dev/null 2>&1 && cat /etc/centos-release || cat /etc/redhat-release)

18
assets/zabbix/userparameter_mysql.conf
View File

@ -1,18 +0,0 @@
# For all the following commands HOME should be set to the directory that has .my.cnf file with password information.
# Flexible parameter to grab global variables. On the frontend side, use keys like mysql.status[Com_insert].
# Key syntax is mysql.status[variable].
UserParameter=mysql.status[*],echo "show global status where Variable_name='$1';" | HOME=/var/lib/zabbix mysql -N | awk '{print $$2}'
# Flexible parameter to determine database or table size. On the frontend side, use keys like mysql.size[zabbix,history,data].
# Key syntax is mysql.size[<database>,<table>,<type>].
# Database may be a database name or "all". Default is "all".
# Table may be a table name or "all". Default is "all".
# Type may be "data", "index", "free" or "both". Both is a sum of data and index. Default is "both".
# Database is mandatory if a table is specified. Type may be specified always.
# Returns value in bytes.
# 'sum' on data_length or index_length alone needed when we are getting this information for whole database instead of a single table
UserParameter=mysql.size[*],bash -c 'echo "select sum($(case "$3" in both|"") echo "data_length+index_length";; data|index) echo "$3_length";; free) echo "data_free";; esac)) from information_schema.tables$([[ "$1" = "all" || ! "$1" ]] || echo " where table_schema=\"$1\"")$([[ "$2" = "all" || ! "$2" ]] || echo "and table_name=\"$2\"");" | HOME=/var/lib/zabbix mysql -N'
UserParameter=mysql.ping,HOME=/var/lib/zabbix mysqladmin ping | grep -c alive
UserParameter=mysql.version,mysql -V

21
assets/zabbix/userparameter_nginx.conf
View File

@ -1,21 +0,0 @@
# in nginx config:
# location /nginx_status {
# # Turn on nginx stats
# stub_status on;
# # I do not need logs for stats
# access_log off;
# # Security: Only allow access from IP #
# allow $1;
# # Send rest of the world to /dev/null #
# deny all;
# }
UserParameter=nginx.accepted[*],/etc/zabbix/zabbix_agentd.scripts/nginx-stat.py -h $1 -p $2 -a accepted
UserParameter=nginx.active[*],/etc/zabbix/zabbix_agentd.scripts/nginx-stat.py -h $1 -p $2 -a active
UserParameter=nginx.handled[*],/etc/zabbix/zabbix_agentd.scripts/nginx-stat.py -h $1 -p $2 -a handled
UserParameter=nginx.reading[*],/etc/zabbix/zabbix_agentd.scripts/nginx-stat.py -h $1 -p $2 -a reading
UserParameter=nginx.total[*],/etc/zabbix/zabbix_agentd.scripts/nginx-stat.py -h $1 -p $2 -a requests
UserParameter=nginx.waiting[*],/etc/zabbix/zabbix_agentd.scripts/nginx-stat.py -h $1 -p $2 -a waiting
UserParameter=nginx.writing[*],/etc/zabbix/zabbix_agentd.scripts/nginx-stat.py -h $1 -p $2 -a writing
UserParameter=nginx.version,nginx -v 2>&1

7
assets/zabbix/userparameter_systemd_services.conf
View File

@ -1,7 +0,0 @@
UserParameter=systemd.service.discovery,service_list=$(systemctl list-unit-files | grep service | grep enabled | awk '{print $1}' | sed -e 's/.service//' | grep -Ev 'getty|autovt');echo -n '{"data":[';for s in ${service_list}; do echo -n "{\"{#SERVICE}\": \"$s\"},";done | sed -e 's:\},$:\}:';echo -n ']}'
UserParameter=systemd.service.status[*],$(systemctl status $1 2>/dev/null | grep -Ei 'running|active \(exited\)|active \(running\)' > /dev/null) && echo 0 || echo 1
UserParameter=systemd.service.PID[*],systemctl status $1 2>/dev/null | grep 'Main PID' | cut -f2 -d: | awk '{print $$1}'
UserParameter=systemd.uptime,cat /proc/uptime | awk '{ print $1 }' | cut -f1 -d.

30
bin/autoupdate.sh
View File

@ -1,30 +0,0 @@
#!/bin/sh
echo -e '\033[35m
___ __ __ __ __ __
/ | __ __/ /_____ / / / /___ ____/ /___ _/ /____
/ /| |/ / / / __/ __ \ / / / / __ \/ __ / __ `/ __/ _ \
/ ___ / /_/ / /_/ /_/ / / /_/ / /_/ / /_/ / /_/ / /_/ __/
/_/ |_\__,_/\__/\____/ \____/ .___/\__,_/\__,_/\__/\___/
/_/
\033[0m'
# https://www.howtoforge.com/how-to-configure-automatic-updates-on-debian-wheezy
# https://www.bisolweb.com/tutoriels/serveur-vps-ovh-partie-5-installation-apticron/
if [ "$EUID" -ne 0 ]; then
echo "Please run as root"
exit
fi
echo -e "\033[35;1mInstalling apticron \033[0m"
apt-get --yes install apticron
sleep 3
echo -n "Enter an email: "
read email
sed -i -r "s/EMAIL=\"root\"/EMAIL=\"$email\"/g" /etc/apticron/apticron.conf
# sed -i -r "s/# DIFF_ONLY=\"1\"/DIFF_ONLY=\"1\"/g" /etc/apticron/apticron.conf
sed -i -r "s/# NOTIFY_NEW=\"0\"/NOTIFY_NEW=\"0\"/g" /etc/apticron/apticron.conf
echo -e "\033[92;1mApticron installed and configured\033[0m"

22
bin/dotfiles.sh
View File

@ -1,22 +0,0 @@
#!/bin/sh
echo -e '\033[35m
____ __ _______ __
/ __ \____ / /_ / ____(_) /__ _____
/ / / / __ \/ __/ / /_ / / / _ \/ ___/
/ /_/ / /_/ / /_ / __/ / / / __(__ )
/_____/\____/\__/ /_/ /_/_/\___/____/
\033[0m'
#installing better prompt and some goodies
echo -e "\033[35;1mInstalling shell prompt for current user $USER \033[0m"
sleep 2
# get the current position
_cwd="$(pwd)"
# go to user home
cd
echo "cloning https://figureslibres.io/gogs/bachir/dotfiles-server.git"
git clone https://figureslibres.io/gogs/bachir/dotfiles-server.git ~/.dotfiles-server && cd ~/.dotfiles-server && ./install.sh && cd ~
source ~/.bashrc
# return to working directory
cd "$_cwd"
echo -e "\033[92;1mDot files installed for $USER\033[0m"

82
bin/email.sh
View File

@ -1,82 +0,0 @@
#!/bin/sh
echo -e '\033[35m
__ ______ ______
/ |/ / | / _/ /
/ /|_/ / /| | / // /
/ / / / ___ |_/ // /___
/_/ /_/_/ |_/___/_____/
\033[0m'
echo -e "\033[35;1mEnable mail sending for php \033[0m"
if [ "$EUID" -ne 0 ]; then
echo "Please run as root"
exit
fi
# get the current position
_cwd="$(pwd)"
# check for assets forlder
_assets="$_cwd/assets"
if [ ! -d "$_assets" ]; then
_assets="$_cwd/../assets"
if [ ! -d "$_assets" ]; then
echo "!! can't find assets directory !!"
exit
fi
fi
# http://www.sycha.com/lamp-setup-debian-linux-apache-mysql-php#anchor13
sleep 2
apt-get --yes install exim4
echo -e "\033[35;1mConfiguring EXIM4 \033[0m"
while [ "$configexim" != "y" ] && [ "$configexim" != "n" ]
do
echo -n "Should we configure exim4 ? [y|n] "
read configexim
done
if [ "$configexim" = "y" ]; then
echo "choose the first option :internet site; mail is sent and received directly using SMTP. Leave the other options as default exepted for domain name which should be valid domain name if you want your mails to not be considered as spam"
echo "press any key to continue."
read continu
dpkg-reconfigure exim4-config
else
echo 'exim not configured'
fi
systemctl enable exim4
systemctl restart exim4
# dkim spf
# https://debian-administration.org/article/718/DKIM-signing_outgoing_mail_with_exim4
echo -e "\033[35;1mConfiguring DKIM \033[0m"
while [ "$installdkim" != "y" ] && [ "$installdkim" != "n" ]
do
echo -n "Should we install dkim for exim4 ? [y|n] "
read installdkim
done
if [ "$installdkim" = "y" ]; then
echo -n "Choose a domain for dkim (same domain as you chose before for exim4): "
read domain
selector=$(date +%Y%m%d)
mkdir /etc/exim4/dkim
# openssl genrsa -out /etc/exim4/dkim/"$domain"-private.pem 1024 -outform PEM
openssl genrsa -out /etc/exim4/dkim/"$domain"-private.key 1024
openssl rsa -in /etc/exim4/dkim/"$domain"-private.key -out /etc/exim4/dkim/"$domain".pub -pubout
chown root:Debian-exim /etc/exim4/dkim/"$domain"-private.key
chmod 440 /etc/exim4/dkim/"$domain"-private.key
cp "$_assets"/exim4_dkim.conf /etc/exim4/conf.d/main/00_local_macros
sed -i -r "s/DOMAIN_TO_CHANGE/$domain/g" /etc/exim4/conf.d/main/00_local_macros
sed -i -r "s/DATE_TO_CHANGE/$selector/g" /etc/exim4/conf.d/main/00_local_macros
update-exim4.conf
systemctl restart exim4
echo "please create a TXT entry in your dns zone : $selector._domainkey.$domain \n"
echo "your public key is : \n"
cat /etc/exim4/dkim/"$domain".pub
echo "press any key to continue."
read continu
else
echo 'dkim not installed'
fi

26
bin/fail2ban.sh
View File

@ -1,26 +0,0 @@
#!/bin/sh
# TODO check if root
echo -e '\033[35m
______ _ _____ __
/ ____/___ _(_) /__ \ / /_ ____ _____
/ /_ / __ `/ / /__/ // __ \/ __ `/ __ \
/ __/ / /_/ / / // __// /_/ / /_/ / / / /
/_/ \__,_/_/_//____/_.___/\__,_/_/ /_/
\033[0m'
echo -e "\033[35;1mInstalling fall2ban \033[0m"
if [ "$EUID" -ne 0 ]; then
echo "Please run as root"
exit
fi
sleep 2
apt-get --yes install fail2ban
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
# ToDo ask for email and configure jail.local with it
touch /var/log/auth.log
systemctl enable fail2ban
systemctl restart fail2ban
echo -e "\033[92;1mfail2ban installed and configured\033[Om"

29
bin/firewall.sh
View File

@ -1,29 +0,0 @@
#!/bin/sh
# TODO check if root
echo -e '\033[35m
______________ _______ _____ __ __
/ ____/ _/ __ \/ ____/ | / / | / / / /
/ /_ / // /_/ / __/ | | /| / / /| | / / / /
/ __/ _/ // _, _/ /___ | |/ |/ / ___ |/ /___/ /___
/_/ /___/_/ |_/_____/ |__/|__/_/ |_/_____/_____/
\033[0m'
echo -e "\033[35;1mInstalling ufw and setup firewall (allowing only ssh and http) \033[0m"
if [ "$EUID" -ne 0 ]; then
echo "Please run as root"
exit
fi
sleep 2
apt-get --yes install ufw
ufw allow ssh
ufw allow http
ufw allow https
# TODO ask for allowing ssh for some ip
ufw enable
ufw status verbose
echo -e "\033[92;1mufw installed and firwall configured\033[Om"

61
bin/ftp.sh
View File

@ -1,61 +0,0 @@
#!/bin/sh
echo -e '\033[35m
______ _______ _____
| ____|__ __| __ \
| |__ | | | |__) |
| __| | | | ___/
| | | | | |
|_| |_| |_|
\033[0m'
if [ "$EUID" -ne 0 ]
then echo "Please run as root"
exit
fi
# get the current position
_cwd="$(pwd)"
# check for assets forlder
_assets="$_cwd/assets"
if [ ! -d "$_assets" ]; then
_assets="$_cwd/../assets"
if [ ! -d "$_assets" ]; then
echo "!! can't find assets directory !!"
exit
fi
fi
echo "installing proftpd"
apt-get --yes install proftpd
while [ "$_server_name" = "" ]
do
read -p "enter a server name ? " _server_name
if [ "$_server_name" != "" ]; then
read -p "is server name $_server_name correcte [y|n] " validated
if [ "$validated" = "y" ]; then
break
else
_server_name=""
fi
fi
done
echo "Configuring proftpd"
cp "$_assets"/proftpd.conf /etc/proftpd/conf.d/"$_server_name".conf
sed -i -r "s/example/$_server_name/g" /etc/proftpd/conf.d/"$_server_name".conf
ufw allow ftp
addgroup ftpuser
systemctl enable proftpd
systemctl restart proftpd
echo "ftp installtion done"
echo "to permit to a user to connect through ftp, add him to the ftpuser group by running : usermod -a -G ftpuser USERNAME"
echo "FTP users are jailed on their home by default"
# TODO : allow ssh/ftp connection only from given ips

4
bin/genpass.sh
View File

@ -1,4 +0,0 @@
#!/bin/sh
_pass="$(< /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c12)"
echo "$_pass"

129
bin/gitbarrerepos.sh
View File

@ -1,129 +0,0 @@
#!/bin/sh
# bachir soussi chiadmi
# get the current position
_cwd="$(pwd)"
echo -e '\033[35m
_______ __
/ ____(_) /_
/ / __/ / __/
/ /_/ / / /_
\____/_/\__/
\033[0m'
echo -e "\033[35;1mCreate new git barre repos and deploy script\033[0m"
echo "Git barre repo will be installed in chosen user home directory"
echo "git prod repos will be installed in public_html directory of provided domain, the domain have to exists as shortcut in chosen user/www before running this script. Please run first vhost.sh script and say yes to the question create a shortcut !"
while [ "$vh" != "yes" ] && [ "$vh" != "no" ]
do
echo -n "Should we create a barre repo? [yes|no] "
read vh
# vh=${vh:-y}
done
if [ "$vh" = "yes" ]; then
# get the current position
_cwd="$(pwd)"
# check for assets forlder
_assets="$_cwd/assets"
if [ ! -d "$_assets" ]; then
_assets="$_cwd/../assets"
if [ ! -d "$_assets" ]; then
echo "!! can't find assets directory !!"
exit
fi
fi
# if $user var does not exists (vhost.sh ran directly) ask for it
if [ -z ${user+x} ]; then
while [ "$user" = "" ]
do
read -p "enter an existing user name ? " user
if [ "$user" != "" ]; then
# check if user already exists
if id "$user" >/dev/null 2>&1; then
read -p "is user name $user correcte [y|n] " validated
if [ "$validated" = "y" ]; then
break
else
user=""
fi
else
echo "user $user doesn't exists, you must provide an existing user"
user=""
fi
fi
done
fi
while [ "$_domain" = "" ]
do
read -p "enter a domain name ? " _domain
if [ "$_domain" != "" ]; then
read -p "is domain $_domain correcte [y|n] " validated
if [ "$validated" = "y" ]; then
break
else
_domain=""
fi
fi
done
# ask for simple php conf or drupal conf
while [ "$_drupal" != "yes" ] && [ "$_drupal" != "no" ]
do
echo -n "Is your site is a drupal one? [yes|no] "
read _drupal
done
# TODO check for /home/"$user"/www/"$_domain"
if [ ! -d /home/"$user"/www/"$_domain" ]; then
echo "/home/$user/www/$_domain does not exists !"
exit
fi
# setup bare repositorie to push to
mkdir /home/"$user"/git-repositories
mkdir /home/"$user"/git-repositories/"$_domain".git
cd /home/"$user"/git-repositories/"$_domain".git
git init --bare
echo "adding deploy script"
if [ "$_drupal" = "yes" ]; then
cp "$_assets"/deploy-drupal.sh /home/"$user"/www/"$_domain"/deploy.sh
else
cp "$_assets"/deploy-simple.sh /home/"$user"/www/"$_domain"/deploy.sh
fi
echo "creating hooks that will update the site repo"
# cp "$_assets"/git-pre-receive /home/"$user"/git-repositories/"$_domain".git/hooks/pre-receive
cp "$_assets"/git-post-receive /home/"$user"/git-repositories/"$_domain".git/hooks/post-receive
# sed -i -r "s/PRODDIR=\"www\"/PRODDIR=/home/$user/www/$_domain/g" /home/"$user"/git-repositories/"$_domain".git/hooks/pre-receive
sed -i -r "s#PRODDIR=\"www\"#PRODDIR=\"/home/$user/www/$_domain\"#g" /home/"$user"/git-repositories/"$_domain".git/hooks/post-receive
chown -R "$user":"$user" /home/"$user"/git-repositories
cd /home/"$user"/git-repositories/"$_domain".git/hooks/
chmod +x post-receive # pre-receive
# setup git repo on site folder
cd /home/"$user"/www/"$_domain"/public_html
su -c "git init" $user
# link to the bare repo
su -c "git remote add origin /home/$user/git-repositories/$_domain.git" $user
chown -R "$user":"$user" /home/"$user"/www/"$_domain"
cd "$_cwd"
# done
echo "git repos for $_domain install succeed"
echo "your site stay now to /home/$user/www/$_domain"
echo "you can push updates on prod branch through $user@IP.IP.IP.IP:git-repositories/$_domain.git"
echo "* * *"
else
echo "Git barre repo creation aborted"
fi

56
bin/knockd.sh
View File

@ -1,56 +0,0 @@
#!/bin/sh
# TODO check if root
echo -e '\033[35m
__ __ __
/ /______ ____ _____/ /______/ /
/ //_/ __ \/ __ \/ ___/ //_/ __ /
/ ,< / / / / /_/ / /__/ ,< / /_/ /
/_/|_/_/ /_/\____/\___/_/|_|\__,_/
\033[0m'
echo -e "\033[35;1mInstalling knockd to control ssh port opening\033[0m"
if [ "$EUID" -ne 0 ]; then
echo "Please run as root"
exit
fi
# get the current position
_cwd="$(pwd)"
# check for assets forlder
_assets="$_cwd/assets"
if [ ! -d "$_assets" ]; then
_assets="$_cwd/../assets"
if [ ! -d "$_assets" ]; then
echo "!! can't find assets directory !!"
exit
fi
fi
sleep 2
apt-get --yes install knockd
mv /etc/knockd.conf /etc/knockd.conf.ori
cp "$_assets"/knockd.conf /etc/knockd.conf
echo -n "define a sequence number for opening ssh (as 7000,8000,9000) : "
read sq
sed -i "s/7000,8000,9000/$sq/g" /etc/knockd.conf
sed -i 's/START_KNOCKD=0/START_KNOCKD=1/g' /etc/default/knockd
# /etc/init.d/knockd start
# patch https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=868015
# TODO this line is buggy
echo "
# patch https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=868015
[Install]
WantedBy=multi-user.target
Alias=knockd.service" >> /lib/systemd/system/knockd.service
systemctl enable knockd
systemctl start knockd
echo -e "\033[92;1mknockd installed and configured\033[Om"
echo -e "\033[92;1mplease note this sequence for future ssh knocking\033[Om"
echo "$sq"
sleep 3

236
bin/lemp.sh
View File

@ -1,236 +0,0 @@
#!/bin/sh
echo -e '\033[35m
__
/ /__ ____ ___ ____
/ / _ \/ __ `__ \/ __ \
/ / __/ / / / / / /_/ /
/_/\___/_/ /_/ /_/ .___/
/_/
\033[0m'
echo -e "\033[35;1mLEMP server (Nginx Mysql Php-fpm) \033[0m"
if [ "$EUID" -ne 0 ]; then
echo "Please run as root"
exit
fi
# get the current position
_cwd="$(pwd)"
# check for assets forlder
_assets="$_cwd/assets"
if [ ! -d "$_assets" ]; then
_assets="$_cwd/../assets"
if [ ! -d "$_assets" ]; then
echo "!! can't find assets directory !!"
exit
fi
fi
sleep 2
echo -e '\033[35m
____ __ ______
/ __ \/ / / / __ \
/ /_/ / /_/ / /_/ /
/ ____/ __ / ____/
/_/ /_/ /_/_/
\033[0m'
echo -e "\033[35;1mInstalling SURY \033[0m"
sleep 3
apt-get --yes install ca-certificates apt-transport-https software-properties-common curl lsb-release
curl -sSL https://packages.sury.org/php/README.txt | bash -x
apt-get update && apt-get upgrade
echo -e "\033[35;1mInstalling PHP \033[0m"
sleep 3
# mv: cannot stat '/etc/php/7.0/fpm/php.ini': No such file or directory
# cp: cannot create regular file '/etc/php/7.0/fpm/php.ini': No such file or directory
# Configuring PHP
# Failed to enable unit: Unit file php7.0-fpm.service does not exist.
# Failed to start php7.0-fpm.service: Unit php7.0-fpm.service not found.
# apt-get --yes install php7.4-fpm php7.4-mysql php7.4-opcache php7.4-curl php7.4-mbstring php7.4-zip php7.4-xml php7.4-gd php-memcached php7.4-imagick php7.4-apcu
# php7.4-mcrypt ??
apt-get --yes install php8.1-fpm php8.1-mysql php8.1-opcache php8.1-curl php8.1-mbstring php8.1-zip php8.1-xml php8.1-gd php8.1-memcached php8.1-imagick php8.1-apcu php8.1-redis php8.1-bz2 php8.1-bcmath
# apt-get --yes install php8.2-fpm php8.2-mysql php8.2-opcache php8.2-curl php8.2-mbstring php8.2-zip php8.2-xml php8.2-gd php-memcached php8.2-imagick php8.2-apcu php8.2-redis php8.2-bz2 php8.2-bcmath
# apt-get --yes install php8.3-fpm php8.3-mysql php8.3-opcache php8.3-curl php8.3-mbstring php8.3-zip php8.3-xml php8.3-gd php8.3-memcached php8.3-imagick php8.3-apcu php8.3-redis php8.3-bz2 php8.3-bcmath
mv /etc/php/8.1/fpm/php.ini /etc/php/8.1/fpm/php.ini.back
cp "$_assets"/php8.1-fpm.ini /etc/php/8.1/fpm/php.ini
echo "Configuring PHP"
mkdir /var/log/php
chown www-data /var/log/php
cp "$_assets"/logrotate-php /etc/logrotate.d/php
systemctl enable php8.1-fpm
systemctl start php8.1-fpm
# echo "Installing memecached"
# replaced by redis
# apt-get --yes install memcached
# sed -i "s/-m\s64/-m 128/g" /etc/memcached.conf
#
# systemctl start memcached
echo -e "\033[92;1mphp installed\033[Om"
echo -e '\033[35m
_ __ _
/ | / /___ _(_)___ _ __
/ |/ / __ `/ / __ \| |/_/
/ /| / /_/ / / / / /> <
/_/ |_/\__, /_/_/ /_/_/|_|
/____/
\033[0m'
echo -e "\033[35;1mInstalling Nginx \033[0m"
sleep 3
apt-get --yes install nginx
mv /etc/nginx/sites-available/default /etc/nginx/sites-available/default.ori
cp "$_assets"/default.nginxconf /etc/nginx/sites-available/default
systemctl enable nginx
systemctl restart nginx
echo -e "\033[92;1mNginx installed\033[Om"
while [ "$installmysql" != "yes" ] && [ "$installmysql" != "no" ]
do
echo -n "install mysql? [yes|no] "
read installmysql
# installmysql=${installmysql:-y}
done
if [ "$installmysql" = "yes" ]; then
echo -e '\033[35m
__ ___ __
/ |/ /_ ___________ _/ /
/ /|_/ / / / / ___/ __ `/ /
/ / / / /_/ (__ ) /_/ / /
/_/ /_/\__, /____/\__, /_/
/____/ /_/
\033[0m'
echo -e "\033[35;1minstalling Mysql \033[0m"
sleep 3
apt-get --yes install mariadb-server
mysql_secure_installation
cp "$_assets"/mysql/innodb-file-per-table.cnf /etc/mysql/conf.d/
# you may increase memory
# innodb_buffer_pool_size = 1024M
systemctl enable mariadb.service
systemctl restart mariadb.service
echo -e "\033[92;1mmysql installed\033[Om"
echo -e '\033[35m
__ __ ___ ___ __ _
____ / /_ ____ / |/ /_ __/ | ____/ /___ ___ (_)___
/ __ \/ __ \/ __ \/ /|_/ / / / / /| |/ __ / __ `__ \/ / __ \
/ /_/ / / / / /_/ / / / / /_/ / ___ / /_/ / / / / / / / / / /
/ .___/_/ /_/ .___/_/ /_/\__, /_/ |_\__,_/_/ /_/ /_/_/_/ /_/
/_/ /_/ /____/
\033[0m'
echo -e "\033[35;1mInstalling phpMyAdmin \033[0m"
##### Building dependency tree
##### Reading state information... Done
##### Package phpmyadmin is not available, but is referred to by another package.
##### This may mean that the package is missing, has been obsoleted, or
##### is only available from another source
#####
##### E: Package 'phpmyadmin' has no installation candidate
##### cp: missing destination file operand after '/root/debian-web-server/assets/nginx-phpmyadmin.conf'
##### Try 'cp --help' for more information.
# TODO no pma package available :(
apt-get --yes install phpmyadmin
ln -s /usr/share/phpmyadmin /var/www/html/
cp "$_assets"/nginx-phpmyadmin.conf /etc/nginx/sites-available/phpmyadmin.conf
echo -e "\033[92;1mphpMyAdmin installed\033[Om"
echo -e "\033[92;1mYou can access it at yourip/phpmyadmin\033[Om"
# install from source
# apt-get --yes install php-{mbstring,zip,gd,xml,pear,gettext,cgi}
# cd /var/www/html/
# wget https://www.phpmyadmin.net/downloads/phpMyAdmin-latest-all-languages.zip
# unzip phpMyAdmin-latest-all-languages.zip
# mv phpMyAdmin-*-all-languages pma
# rm phpMyAdmin-latest-all-languages.zip
# # cp "$_assets"/nginx-phpmyadmin.conf > /etc/nginx/sites-available/phpmyadmin.conf
# # ln -s /etc/nginx/sites-available/phpmyadmin.conf /etc/nginx/sites-enabled/phpmyadmin.conf
# echo -e "\033[92;1mphpMyAdmin installed\033[Om"
# echo -e "\033[92;1mYou can access it at yourip/pma\033[Om"
fi
echo -e '\033[35m
____ ___
/ __ \___ ____/ (_)____
/ /_/ / _ \/ __ / / ___/
/ _, _/ __/ /_/ / (__ )
/_/ |_|\___/\__,_/_/____/
\033[0m'
echo -e "\033[35;1mInstalling Redis \033[0m"
sleep 3
apt-get --yes install redis-server php8.1-redis
# TODO set maxmemory=2gb
# TODO set maxmemory-policy=volatile-lru
# TODO comment all save line
# WARNING: The TCP backlog setting of 511 cannot be enforced because /proc/sys/net/core/somaxconn is set to the lower value of 128.
# WARNING overcommit_memory is set to 0! Background save may fail under low memory condition. To fix this issue add 'vm.overcommit_memory = 1' to /etc/sysctl.conf and then reboot or run the command 'sysctl vm.overcommit_memory=1' for this to take effect.
# WARNING you have Transparent Huge Pages (THP) support enabled in your kernel. This will create latency and memory usage issues with Redis. To fix this issue run the command 'echo never > /sys/kernel/mm/transparent_hugepage/enabled' as root, and add it to your /etc/rc.local in order to retain the setting after a reboot. Redis must be restarted after THP is disabled.
# https://blog.opstree.com/2019/04/16/redis-best-practices-and-performance-tuning/
systemctl enable redis-server
systemctl restart redis-server
systemctl restart php8.1-fpm
echo -e "\033[92;1mRedis installed\033[Om"
echo -e '\033[35m
______
/ ____/___ ____ ___ ____ ____ ________ _____
/ / / __ \/ __ `__ \/ __ \/ __ \/ ___/ _ \/ ___/
/ /___/ /_/ / / / / / / /_/ / /_/ (__ ) __/ /
\____/\____/_/ /_/ /_/ .___/\____/____/\___/_/
/_/
\033[0m'
echo -e "\033[35;1mInstalling Composer \033[0m"
sleep 3
export COMPOSER_HOME=/usr/local/composer
curl -sS https://getcomposer.org/installer | php -- --install-dir=/usr/local/bin --filename=composer
echo -e "\033[92;1mComposer installed\033[Om"
echo -e '\033[35m
____ __
/ __ \_______ _______/ /_
/ / / / ___/ / / / ___/ __ \
/ /_/ / / / /_/ (__ ) / / /
/_____/_/ \__,_/____/_/ /_/
\033[0m'
echo -e "\033[35;1mInstalling Drush\033[0m"
sleep 3
# curl https://github.com/drush-ops/drush-launcher/releases/download/0.6.0/drush.phar -L -o /usr/local/bin/drush
wget -O /usr/local/bin/drush https://github.com/drush-ops/drush-launcher/releases/latest/download/drush.phar
chmod +x /usr/local/bin/drush
echo -e "\033[92;1mDrush\033[Om"

31
bin/misc.sh
View File

@ -1,31 +0,0 @@
#!/bin/sh
echo -e '\033[35m
__ ____
/ |/ (_)_________
/ /|_/ / / ___/ ___/
/ / / / (__ ) /__
/_/ /_/_/____/\___/
\033[0m'
if [ "$EUID" -ne 0 ]; then
echo "Please run as root"
exit
fi
sleep 2
# TODO --force-yes is deprecated, use one of the options starting with --allow instead.
apt-get --yes install vim curl
sed -i "s/^# en_GB.UTF-8/en_GB.UTF-8/g" /etc/locale.gen
locale-gen
apt-get --yes install ntp
dpkg-reconfigure tzdata
apt-get --yes install tmux etckeeper needrestart htop lynx unzip nfs-common
# TODO cron
# https://askubuntu.com/questions/56683/where-is-the-cron-crontab-log/121560#121560
echo -e "\033[92;1mMisc done \033[Om"

56
bin/mysql-db.sh
View File

@ -1,56 +0,0 @@
#!/bin/sh
echo -e '
_ _ _ _
__| | |__ | | | |___ ___ _ _
/ _` | _ \ | |_| (_-</ -_) _|
\__,_|_.__/ \___//__/\___|_|
'
echo -e "Create new mysql db and user (you will be asked a db name and a password)"
. bin/checkroot.sh
sleep 3
# configure
echo -n "Please provide the mysql root passwd : "
read _root_mysql_passwd
mysql -u root -p$_root_mysql_passwd -e "show databases;"
echo -n "Enter new db name: "
read db_name
while [ "$db_name" = "" ]
do
read -p "enter a db name ? " db_name
if [ "$db_name" != "" ]; then
# TODO check if db already exists
# if id "$db_name" >/dev/null 2>&1; then
# echo "user $db_name alreday exists, you must provide a non existing user name."
# db=""
# else
read -p "is db name $db_name correcte [y|n] " validated
if [ "$validated" = "y" ]; then
break
else
db_name=""
fi
# fi
fi
done
# generate random password for new mysql user
_passwd="$(< /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c16)"
# create new mysql user
mysql -u root -p$_root_mysql_passwd -e "CREATE DATABASE $db_name;"
mysql -u root -p$_root_mysql_passwd -e "CREATE USER '$db_name'@'localhost' IDENTIFIED BY '$_passwd';"
mysql -u root -p$_root_mysql_passwd -e "GRANT ALL ON $db_name.* TO '$db_name'@'localhost';"
mysql -u root -p$_root_mysql_passwd -e "show databases;"
echo "database and user : $db_name installed"
echo " please record your password $_passwd"
echo "press any key to continue."
read continu

42
bin/mysqlbackup.sh
View File

@ -1,42 +0,0 @@
#!/bin/sh
echo -e '\033[35m
__ __ _ ___ _
| \/ |_ _ ___ __ _| | | _ ) __ _ __| |___ _ _ __ ___
| |\/| | || (_-</ _ | | | _ \/ _ / _| / / || | _ (_-<
|_| |_|\_, /__/\__, |_| |___/\__,_\__|_\_\\_,_| .__/__/
|__/ |_| |_|
\033[0m'
if [ "$EUID" -ne 0 ]; then
echo "Please run as root"
exit
fi
# get the current position
_cwd="$(pwd)"
# check for assets forlder
_assets="$_cwd/assets"
if [ ! -d "$_assets" ]; then
_assets="$_cwd/../assets"
if [ ! -d "$_assets" ]; then
echo "!! can't find assets directory !!"
exit
fi
fi
# adding the script
cp "$_assets"/mysqlbackup.sh /usr/local/bin/
chmod +x /usr/local/bin/mysqlbackup.sh
# configure
echo -n "Please provide the mysql root passwd : "
read _root_mysql_passwd
sed -i "s/ROOTPASSWD/$_root_mysql_passwd/g" /usr/local/bin/mysqlbackup.sh
# creating crontab
touch /var/spool/cron/crontabs/root
crontab -l > /tmp/mycron
echo "30 2 */2 * * /usr/local/bin/mysqlbackup.sh" >> /tmp/mycron
crontab /tmp/mycron
rm -f /tmp/mycron

44
bin/nfs.sh
View File

@ -1,44 +0,0 @@
#!/bin/sh
echo -e '\033[35m
__
_ __ / _|___
| _ \| |_/ __|
| | | | _\__ \
|_| |_|_| |___/
\033[0m'
echo -e "\033[35;1mLEMP server (Nginx Mysql Php-fpm) \033[0m"
apt install nfs-kernel-server
vim /etc/exports
mkdir /home/proxmox-backup
mkdir /home/urbackup
ufw allow from 37.187.134.71 to any port nfs
ufw allow from 37.187.134.71 to any port 111
ufw allow proto udp from 37.187.134.71 to any port 32764:32769
ufw allow proto tcp from 37.187.134.71 to any port 32764:32769
ufw allow from 37.187.93.155 to any port nfs
ufw allow from 37.187.93.155 to any port 111
ufw allow proto udp from 37.187.93.155 to any port 32764:32769
ufw allow proto tcp from 37.187.93.155 to any port 32764:32769
ufw allow from 37.187.128.147 to any port nfs
ufw allow from 37.187.128.147 to any port 111
ufw allow proto udp from 37.187.128.147 to any port 32764:32769
ufw allow proto tcp from 37.187.128.147 to any port 32764:32769
ufw allow from 94.23.8.104 to any port nfs
ufw allow from 94.23.8.104 to any port 111
ufw allow proto udp from 94.23.8.104 to any port 32764:32769
ufw allow proto tcp from 94.23.8.104 to any port 32764:32769
systemctl restart nfs-server
systemctl enable nfs-server
vim /etc/ufw/user.rules

16
bin/php7.4.sh
View File

@ -1,16 +0,0 @@
#!/bin/bash
echo -e "\033[35;1mInstalling PHP 7.4 \033[0m"
apt-get -y install lsb-release apt-transport-https ca-certificates
wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg
echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" | tee /etc/apt/sources.list.d/php.list
apt-get update
apt-get -y install php7.4 php7.4-{fpm,mysql,opcache,curl,mbstring,zip,xml,gd,imagick,apcu}
mv /etc/php/7.4/fpm/php.ini /etc/php/7.4/fpm/php.ini.back
cp "$_assets"/php7.4-fpm.ini /etc/php/7.4/fpm/php.ini
systemctl enable php7.4-fpm
systemctl start php7.4-fpm
echo -e "\033[92;1mphp7.4-fpm installed\033[O"

54
bin/postgresqlbackup.sh
View File

@ -1,54 +0,0 @@
#!/bin/sh
echo -e '\033[35m
___ _ ___ ___ _ ___ _
| _ \___ __| |_ __ _ _ _ ___/ __|/ _ \| | | _ ) __ _ __| |___ _ _ __
| _/ _ (_-< _/ _. | ._/ -_)__ \ (_) | |__ | _ \/ _. / _| / / || | ._ \
|_| \___/__/\__\__, |_| \___|___/\__\_\____| |___/\__,_\__|_\_\\_,_| .__/
|___/ |_|
\033[0m'
if [ "$EUID" -ne 0 ]; then
echo "Please run as root"
exit
fi
# get the current position
_cwd="$(pwd)"
# check for assets forlder
_assets="$_cwd/assets"
if [ ! -d "$_assets" ]; then
_assets="$_cwd/../assets"
if [ ! -d "$_assets" ]; then
echo "!! can't find assets directory !!"
exit
fi
fi
# adding the script
cp "$_assets"/pgsqlbackup.sh /usr/local/bin/
chmod +x /usr/local/bin/pgsqlbackup.sh
# configure
echo -n "Please provide the postgresql host : "
read _pg_host
sed -i "s/HOST/$_pg_host/g" /usr/local/bin/pgsqlbackup.sh
echo -n "Please provide the postgresql port : "
read _pg_port
sed -i "s/PORT/$_pg_port/g" /usr/local/bin/pgsqlbackup.sh
echo -n "Please provide the postgresql user : "
read _pg_user
sed -i "s/USER/$_pg_user/g" /usr/local/bin/pgsqlbackup.sh
echo -n "Please provide the postgresql passwd : "
read _pg_passwd
sed -i "s/PASSWD/$_pg_passwd/g" /usr/local/bin/pgsqlbackup.sh
# creating crontab
touch /var/spool/cron/crontabs/root
crontab -l > /tmp/mycron
echo "30 2 */2 * * /usr/local/bin/pgsqlbackup.sh" >> /tmp/mycron
crontab /tmp/mycron
rm /tmp/mycron

26
bin/ssh.sh
View File

@ -1,26 +0,0 @@
#!/bin/sh
echo -e '\033[35m
__________ __ __
/ ___/ ___// / / /
\__ \\__ \/ /_/ /
___/ /__/ / __ /
/____/____/_/ /_/
\033[0m'
if [ "$EUID" -ne 0 ]; then
echo "Please run as root"
exit
fi
# sed -i 's/PermitRootLogin\ yes/PermitRootLogin no/g' /etc/ssh/sshd_config
# sed -i 's/PermitEmptyPasswords\ yes/PermitEmptyPasswords no/g' /etc/ssh/sshd_config
# sed -i 's/Protocol\ [0-9]/Protocol 2/g' /etc/ssh/sshd_config
touch /etc/ssh/sshd_config.d/custom.conf
echo "PermitRootLogin no" >> /etc/ssh/sshd_config.d/custom.conf
echo "PermitEmptyPasswords no" >> /etc/ssh/sshd_config.d/custom.conf
systemctl reload ssh
echo -e "\033[92;1mSSH secured\033[Om"

20
bin/upgrade.sh
View File

@ -1,20 +0,0 @@
#!/bin/sh
# TODO check if root
echo -e '\033[35m
__ ______ __________ ___ ____ ______
/ / / / __ \/ ____/ __ \/ | / __ \/ ____/
/ / / / /_/ / / __/ /_/ / /| | / / / / __/
/ /_/ / ____/ /_/ / _, _/ ___ |/ /_/ / /___
\____/_/ \____/_/ |_/_/ |_/_____/_____/
\033[0m'
if [ "$EUID" -ne 0 ]; then
echo "Please run as root"
exit
fi
apt-get update
apt-get dist-upgrade
needrestart -rl

90
bin/urbackup.sh
View File

@ -1,90 +0,0 @@
#!/bin/sh
echo -e '\033[35m
_ _ _ _ ___ _ _ _
| | | |_ _| |__ __ _ __| |___ _ _ __ / __| | (_)___ _ _| |_
| |_| | _| _ \/ _` / _| / / || | _ \ | (__| |__| / -_) \ _|
\___/|_| |_.__/\__,_\__|_\_\\_,_| .__/ \___|____|_\___|_||_\__|
|_|
\033[0m'
if [ "$EUID" -ne 0 ]; then
echo "Please run as root"
exit
fi
# get the current position
_cwd="$(pwd)"
# check for assets forlder
_assets="$_cwd/assets"
if [ ! -d "$_assets" ]; then
_assets="$_cwd/../assets"
if [ ! -d "$_assets" ]; then
echo "!! can't find assets directory !!"
exit
fi
fi
# install urbackup client
# https://www.urbackup.org/client_debian_ubuntu_install.html
# https://blog.stephane-huc.net/systeme/debian/urbackup_client_gui
# https://urbackup.atlassian.net/wiki/spaces/US/pages/9142274/Headless+Linux+client+setup
# Install the dependencies UrBackup needs
apt install build-essential "g++" "libcrypto++-dev" libz-dev -y
# libwxgtk3.0-dev
# Download the UrBackup client source files and extract them
# wget -P /tmp/ https://hndl.urbackup.org/Client/latest/urbackup-client-2.3.4.0.tar.gz
# wget -P /tmp/ https://hndl.urbackup.org/Client/2.4.11/urbackup-client-2.4.11.0.tar.gz
# wget -P /tmp/ https://hndl.urbackup.org/Client/2.5.20/urbackup-client-2.5.20.0.tar.gz
# wget -P /tmp/ https://hndl.urbackup.org/Client/2.5.20/urbackup-client-2.5.24.0.tar.gz
wget -P /tmp/ https://hndl.urbackup.org/Client/2.5.25/urbackup-client-2.5.25.0.tar.gz
cd /tmp
tar xzf /tmp/urbackup-client-2.5.25.0.tar.gz
# Build the UrBackup client and install it
# cd /tmp/urbackup-client-2.3.4.0
cd /tmp/urbackup-client-2.5.25.0
./configure --enable-headless
make -j4
make install
# Make sure that the UrBackup client backend runs correctly
# urbackupclientbackend -v info
# configure
echo -n "Please provide the urbackup-server's ip : "
read _ip
echo -n "Please provide the internet_authkey of server : "
read _authkey
echo -n "Please provide the computer name of this client : "
read _computername
echo "internet_server=$_ip
internet_server_port=55415
internet_authkey=$_authkey
internet_mode_enabled=true
internet_image_backups_def=false
default_dirs_def=/etc;var/www;/var/backups/mysql
startup_backup_delay_def=3
computername=$_computername" > /etc/default/urbackupclient
# /usr/local/var/urbackup/data/settings.cfg
# firewall
ufw allow from "$_ip" to any port 35621
ufw allow from "$_ip" to any port 35622
ufw allow from "$_ip" to any port 35623
# install and enable systemd service
# cp "$_assets"/urbackup.service /etc/systemd/system/
cp urbackupclientbackend-debian.service /etc/systemd/system/urbackup.service
chmod a+x /etc/systemd/system/urbackup.service
systemctl --system daemon-reload
systemctl start urbackup.service
systemctl enable urbackup.service

46
bin/user.sh
View File

@ -1,46 +0,0 @@
#!/bin/sh
echo -e '\033[35m
__ _______ __________
/ / / / ___// ____/ __ \
/ / / /\__ \/ __/ / /_/ /
/ /_/ /___/ / /___/ _, _/
\____//____/_____/_/ |_|
\033[0m'
echo -e "\033[35;1mCreate new user (you will be asked a user name and a password) \033[0m"
if [ "$EUID" -ne 0 ]; then
echo "Please run as root"
exit
fi
sleep 3
echo -n "Enter user name: "
read user
while [ "$user" = "" ]
do
read -p "enter a user name ? " user
if [ "$user" != "" ]; then
# check if user already exists
if id "$user" >/dev/null 2>&1; then
echo "user $user alreday exists, you must provide a non existing user name."
user=""
else
read -p "is user name $user correcte [y|n] " validated
if [ "$validated" = "y" ]; then
break
else
user=""
fi
fi
fi
done
adduser "$user"
echo "adding $user to admin group and limiting su to the admin group"
groupadd admin
usermod -a -G admin "$user"
# allow admin group to su
dpkg-statoverride --update --add root admin 4750 /bin/su
echo -e "\033[92;1muser $user configured\033[Om"

168
bin/vhost.sh
View File

@ -1,168 +0,0 @@
echo -e '\033[35m
__ __
_ __/ /_ ____ _____/ /_
| | / / __ \/ __ \/ ___/ __/
| |/ / / / / /_/ (__ ) /_
|___/_/ /_/\____/____/\__/
\033[0m'
echo -e "\033[35;1mNginx VHOST install \033[0m"
while [ "$vh" != "y" ] && [ "$vh" != "n" ]
do
echo -n "Should we install a vhost? [y|n] "
read vh
# vh=${vh:-y}
done
if [ "$vh" = "y" ]; then
# get the current position
_cwd="$(pwd)"
# check for assets forlder
_assets="$_cwd/assets"
if [ ! -d "$_assets" ]; then
_assets="$_cwd/../assets"
if [ ! -d "$_assets" ]; then
echo "!! can't find assets directory !!"
exit
fi
fi
_domain=""
while [ "$_domain" = "" ]
do
read -p "enter a domain name ? " _domain
if [ "$_domain" != "" ]; then
read -p "is domain $_domain correcte [y|n] " validated
if [ "$validated" = "y" ]; then
break
else
_domain=""
fi
fi
done
# ask for simple php conf or drupal conf
_drupal=""
while [ "$_drupal" != "yes" ] && [ "$_drupal" != "no" ]
do
echo -n "Is your site is a drupal one? [yes|no] "
read _drupal
done
# ask for let's encrypt
_letsencrypt=""
while [ "$_letsencrypt" != "yes" ] && [ "$_letsencrypt" != "no" ]
do
echo -e "\033[35;1mLet's encrypt \033[0m"
echo "Let's encrypt needs a public registered domain name with proper DNS records ( A records or CNAME records for subdomains pointing to your server)."
echo -n "Should we install let's encrypt certificate with $_domain? [yes|no] "
read _letsencrypt
done
# lets'encrypt
# https://certbot.eff.org/lets-encrypt/debianstretch-nginx
if [ "$_letsencrypt" = "yes" ]; then
apt-get --yes install certbot
systemctl stop nginx
certbot certonly --standalone -d "$_domain" --cert-name "$_domain"
systemctl start nginx
# TODO stop the whole process if letsencrypt faile
mkdir -p /etc/nginx/ssl/certs/"$_domain"
openssl dhparam -out /etc/nginx/ssl/certs/"$_domain"/dhparam.pem 2048
# renewing
touch /var/spool/cron/crontabs/root
crontab -l > mycron
echo "0 3 * * * certbot renew --pre-hook 'systemctl stop nginx' --post-hook 'systemctl start nginx' --cert-name $_domain" >> mycron
crontab mycron
rm mycron
fi
if [ "$_drupal" = "yes" ]; then
if [ "$_letsencrypt" = "yes" ]; then
_conffile="drupal-ssl.nginxconf"
else
_conffile="drupal.nginxconf"
fi
else
if [ "$_letsencrypt" = "yes" ]; then
_conffile="simple-phpfpm-ssl.nginxconf"
else
_conffile="simple-phpfpm.nginxconf"
fi
fi
cp "$_assets/$_conffile" /etc/nginx/sites-available/"$_domain".conf
sed -i -r "s/DOMAIN\.LTD/$_domain/g" /etc/nginx/sites-available/"$_domain".conf
mkdir -p /var/www/"$_domain"/public_html
mkdir /var/www/"$_domain"/log
cp "$_assets/index.php" /var/www/"$_domain"/public_html/
sed -i -r "s/DOMAIN\.LTD/$_domain/g" /var/www/"$_domain"/public_html/index.php
#set proper right to user will handle the app
chown -R root:admin /var/www/"$_domain"/
chmod -R g+w /var/www/"$_domain"/
chmod -R g+r /var/www/"$_domain"/
#set fail2ban for vhost
# https://stackoverflow.com/a/65552146
cp "$_assets/fail2ban/jail.d/nginx-badbots.conf" "/etc/fail2ban/jail.d/nginx-badbots-$_domain.conf"
sed -i -r "s/\[nginx-badbots\]/\[nginx-badbots-$_domain\]/g" "/etc/fail2ban/jail.d/nginx-badbots-$_domain.conf"
sed -i -r "s/<FILTER>/\[nginx-badbots-$_domain\]/g" "/etc/fail2ban/jail.d/nginx-badbots-$_domain.conf"
sed -i -r "s/<LOGPATH>/\/var\/www\/$_domain\/log\/error.log/g" "/etc/fail2ban/jail.d/nginx-badbots-$_domain.conf"
cp "$_assets/fail2ban/filter.d/nginx-badbots.conf" "/etc/fail2ban/filter.d/nginx-badbots-$_domain.conf"
sed -i -r "s/<HOST>/$_domain/g" "/etc/fail2ban/filter.d/nginx-badbots-$_domain.conf"
# create a shortcut to the site
echo -n "Should we install a shortcut for a user? [Y|n] "
read yn
yn=${yn:-y}
if [ "$yn" = "Y" ] || [ "$yn" = "y" ]; then
# if $user var does not exists (vhost.sh ran directly) ask for it
user=""
# if [ -z ${user+x} ]; then
while [ "$user" = "" ]
do
read -p "enter an existing user name ? " user
if [ "$user" != "" ]; then
# check if user already exists
if id "$user" >/dev/null 2>&1; then
read -p "is user name $user correcte [y|n] " validated
if [ "$validated" = "y" ]; then
break
else
user=""
fi
else
echo "user $user doesn't exists, you must provide an existing user"
user=""
fi
fi
done
# fi
echo "shortcut will be installed for '$user'";
sleep 3
mkdir /home/"$user"/www/
chown "$user":admin /home/"$user"/www/
ln -s /var/www/"$_domain" /home/"$user"/www/"$_domain"
chown "$user":admin /home/"$user"/www/"$_domain"
else
echo 'no shortcut installed'
fi
# activate the vhost
ln -s /etc/nginx/sites-available/"$_domain".conf /etc/nginx/sites-enabled/"$_domain".conf
# restart nginx
systemctl restart nginx
echo -e "\033[92;1mvhost $_domain configured \033[Om"
else
echo "Vhost installation aborted"
fi

122
bin/webhook.sh
View File

@ -1,122 +0,0 @@
#!/bin/bash
# bachir soussi chiadmi
# get the current position
_cwd="$(pwd)"
echo -e '\033[35m
__ __ _ _ _ _
\ \ / /__| |__| || |___ ___| |__
\ \/\/ / -_) `_ \ __ / _ \/ _ \ / /
\_/\_/\___|_.__/_||_\___/\___/_\_\
\033[0m'
# check for assets folder
_assets="$_cwd/assets"
if [ ! -d "$_assets" ]; then
_assets="$_cwd/../assets"
if [ ! -d "$_assets" ]; then
echo "!! can't find assets directory !!"
exit
fi
fi
user=""
while [ "$user" = "" ]
do
read -p "enter an existing user name ? " user
if [ "$user" != "" ]; then
# check if user already exists
if id "$user" >/dev/null 2>&1; then
read -p "is user name $user correcte [y|n] " validated
if [ "$validated" = "y" ]; then
break
else
user=""
fi
else
echo "user $user doesn't exists, you must provide an existing user"
user=""
fi
fi
done
_domain=""
while [ "$_domain" = "" ]
do
read -p "enter a domain name ? " _domain
if [ "$_domain" != "" ]; then
read -p "is domain $_domain correcte [y|n] " validated
if [ "$validated" = "y" ]; then
break
else
_domain=""
fi
fi
done
_id=$(echo "$_domain" | sed "s/\./_/g")
_remote=""
while [ "$_remote" = "" ]
do
read -p "enter teh remote git repos url to pull from ? " _remote
if [ "$_remote" != "" ]; then
read -p "is $_remote correcte [y|n] " validated
if [ "$validated" = "y" ]; then
break
else
_remote=""
fi
fi
done
# TODO check for /home/"$user"/www/"$_domain"
if [ ! -d /home/"$user"/www/"$_domain" ]; then
echo "/home/$user/www/$_domain does not exists !"
exit
fi
# TODO check for /home/"$user"/git-repositories/"$_domain.git"
if [ ! -d /home/"$user"/git-repositories/"$_domain.git" ]; then
echo "/home/$user/git-repositories/$_domain.git does not exists !"
exit
fi
apt-get install webhook
# git bare repos remote
git --git-dir=/home/"$user"/git-repositories/"$_domain.git" remote add origin "$_remote"
# hook deploy script
cp -f "$_assets"/webhook-deploy.sh /home/"$user"/webhook-deploy-"$_id".sh
sed -i -r "s/DOMAIN/$_domain/g" /home/"$user"/webhook-deploy-"$_id".sh
sed -i -r "s/USER/$user/g" /home/"$user"/webhook-deploy-"$_id".sh
chowm $user:$user /home/"$user"/webhook-deploy-"$_id".sh
chmod +x /home/"$user"/webhook-deploy-"$_id".sh
# remove git bare repos hook
mv /home/"$user"/git-repositories/"$_domain".git/hooks/post-receive /home/"$user"/git-repositories/"$_domain".git/hooks/post-receive.back
# webhook conf
touch /etc/webhooks.conf
echo "
- id: deploy_app_$_id
execute-command: /home/$user/webhook-deploy-$_id.sh
command-working-directory: /home/$user/
" >> /etc/webhooks.conf
# webhook service
cp -f "$_assets"/webhook.service /etc/systemd/system/webhook.service
systemctl enable webhook
systemctl start webhook
systemctl restart webhook
# systemctl reload webhook
ufw allow 9000
echo "webhook done"
echo "you can configure your webhook trigger with the following url :"
echo "http://$_domain:9000/hooks/deploy_app_$_id"

139
bin/zabbix.sh
View File

@ -1,139 +0,0 @@
#!/bin/sh
echo -e '\033[35m
_____ __ __ _
/__ / ____ _/ /_ / /_ (_) __
/ / / __ `/ __ \/ __ \/ / |/_/
/ /__/ /_/ / /_/ / /_/ / /> <
/____/\__,_/_.___/_.___/_/_/|_|
\033[0m'
if [ "$EUID" -ne 0 ]; then
echo "Please run as root"
exit
fi
# get the current position
_cwd="$(pwd)"
# check for assets forlder
_assets="$_cwd/assets"
if [ ! -d "$_assets" ]; then
_assets="$_cwd/../assets"
if [ ! -d "$_assets" ]; then
echo "!! can't find assets directory !!"
exit
fi
fi
wget -P /tmp/ wget https://repo.zabbix.com/zabbix/6.4/debian/pool/main/z/zabbix-release/zabbix-release_6.4-1+debian12_all.deb
dpkg -i /tmp/zabbix-release_6.4-1+debian12_all.deb
apt-get update -y
apt-get install zabbix-agent -y
# configure
echo -n "Please provide the current server's public ip : "
read _cur_ip
echo -n "Please provide the zabbix-server's ip : "
read _ip
echo -n "Please provide the hostname of this agent : "
read _host_name
_agent_conf_d="/etc/zabbix/zabbix_agentd.d" # for debian 8
if [ ! -d "$_agent_conf_d" ]; then
_agent_conf_d="/etc/zabbix/zabbix_agentd.conf.d" # for debian 9
fi
# configure zabbix agent
sed -i "s#Server=127.0.0.1#Server=$_ip#g" /etc/zabbix/zabbix_agentd.conf
sed -i "s#ServerActive=127.0.0.1#ServerActive=$_ip#g" /etc/zabbix/zabbix_agentd.conf
sed -i "s#Hostname=Zabbix server#Hostname=$_host_name#g" /etc/zabbix/zabbix_agentd.conf
# todo ask if LXC container, if yes install this script
# https://github.com/kvaps/zabbix-linux-container-template
# APT
# check for debian security updates
# not working : https://www.osso.nl/blog/zabbix-counting-security-updates
# https://github.com/theranger/zabbix-apt
# enable automatic update of apt
cp "$_assets"/zabbix/misc/02periodic /etc/apt/apt.conf.d/
cp "$_assets"/zabbix/apt.conf "$_agent_conf_d"/
# MYSQL
# https://serverfault.com/questions/737018/zabbix-user-parameter-mysql-status-setting-home
# create zabbix user home
echo -n "monitor mysql? [Y|n] "
read yn
yn=${yn:-y}
if [ "$yn" = "Y" ] || [ "$yn" = "y" ]; then
echo -n "Please provide the mysql root password : "
read _root_mysql_passwd
mkdir /var/lib/zabbix
# generate random password for zabbix mysql user
_passwd="$(< /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c12)"
# add mysql credentials to zabbix home
printf "[client]\n
user=zabbix\n
password=$_passwd" > /var/lib/zabbix/.my.cnf
# create zabbix mysql user
mysql -uroot -p"$_root_mysql_passwd" -e "CREATE USER 'zabbix' IDENTIFIED BY '$_passwd';"
mysql -uroot -p"$_root_mysql_passwd" -e "GRANT USAGE ON *.* TO 'zabbix'@'localhost' IDENTIFIED BY '$_passwd';"
# add zabbix-agent parameter
cp "$_assets"/zabbix/userparameter_mysql.conf "$_agent_conf_d"/
fi
# NGINX
# https://github.com/sfuerte/zbx-nginx
# nginxconf already included in default.nginxconf asset
echo -n "Monitor nginx? [Y|n] "
read yn
yn=${yn:-y}
if [ "$yn" = "Y" ] || [ "$yn" = "y" ]; then
sed -i "s/# allow CURRENT-SERVER-IP/allow $_cur_ip/g" /etc/nginx/sites-available/default
cp "$_assets"/zabbix/userparameter_nginx.conf "$_agent_conf_d"/
mkdir /etc/zabbix/zabbix_agentd.scripts
cp "$_assets"/zabbix/scripts/nginx-stat.py /etc/zabbix/zabbix_agentd.scripts/
chmod +x /etc/zabbix/zabbix_agentd.scripts/nginx-stat.py
fi
echo -n "This is box is a proxmox CT? [Y|n] "
read yn
yn=${yn:-y}
if [ "$yn" = "Y" ] || [ "$yn" = "y" ]; then
cp "$_assets"/zabbix/proxmox-ct.conf "$_agent_conf_d"/
fi
# SYSTEMD
# https://github.com/MogiePete/zabbix-systemd-service-monitoring
cp "$_assets"/zabbix/userparameter_systemd_services.conf "$_agent_conf_d"/
# https://www.zabbix.com/forum/zabbix-cookbook/23024-monitor-the-version-of-centos-debian-ubuntu?p=386466#post386466
cp "$_assets"/zabbix/userparameter_linux_name_version.conf "$_agent_conf_d"/
# disble unused system units
systemctl disable rsync
systemctl disable systemd-timesyncd
# TODO add modules path to agent ??
# allow comm. port with zabbix-server
ufw allow from "$_ip" to any port 10050
ufw allow from "$_ip" to any port 22
# ufw allow from "$_ip" to any port 10051
# iptables -A INPUT -p tcp -m tcp --dport 10050 -j ACCEPT
systemctl restart zabbix-agent
systemctl enable zabbix-agent
echo -e "\033[92;1mZabbix-agent installed and configured, please add the host $_host_name in your zabbix-server \033[Om"
echo -e "\033[92;1mAnd import requested templates in assets/zabbix/templates/ \033[Om"
echo -e "\033[92;1mzabbix user mysql password is $_passwd \033[Om"

64
gitbarrerepos.sh Normal file
View File

@ -0,0 +1,64 @@
#!/bin/sh
# bachir soussi chiadmi
# get the current position
_cwd="$(pwd)"
while [ "$_bare_name" = "" ]
do
read -p "enter the bare repos folder name ? " _host_name
if [ "$_bare_name" != "" ]; then
read -p "is bare folder name $_bare_name correcte [y|n] " validated
if [ "$validated" = "y" ]; then
break
else
_bare_name=""
fi
fi
done
while [ "$_prod_folder_path" = "" ]
do
read -p "enter the prod folder path folder name ? " _host_name
if [ "$_bare_name" != "" ]; then
read -p "is prod folder path $_prod_folder_path correcte [y|n] " validated
if [ "$validated" = "y" ]; then
break
else
_prod_folder_path=""
fi
fi
done
# setup bare repositorie to push to
mkdir ~/git-repositories
mkdir ~/git-repositories/"$_bare_name".git
cd ~/git-repositories/"$_bare_name".git
git init --bare
# setup git repo on site folder
cd "$_prod_folder_path"
git init
# link to the bare repo
git remote add origin /home/"$USER"/git-repositories/"$_bare_name".git
# create hooks that will update the site repo
cd ~
cp "$_cwd"/assets/git-pre-receive /home/"$USER"/git-repositories/"$_bare_name".git/hooks/pre-receive
cp "$_cwd"/assets/git-post-receive /home/"$USER"/git-repositories/"$_bare_name".git/hooks/post-receive
sed -ir "s/PRODDIR=\"www\"/PRODDIR=\/srv\/www\/$_bare_name\/public_html/g" /home/"$USER"/git-repositories/"$_bare_name".git/hooks/pre-receive
sed -ir "s/PRODDIR=\"www\"/PRODDIR=\/srv\/www\/$_bare_name\/public_html/g" /home/"$USER"/git-repositories/"$_bare_name".git/hooks/post-receive
cd /home/"$USER"/git-repositories/"$_bare_name".git/hooks/
chmod +x post-receive pre-receive
# done
echo "git repos for $_bare_name install succeed"
echo "your site stay now to /home/$USER/www/$_bare_name"
echo "you can push updates on prod branch through $USER@IP.IP.IP.IP:git-repositories/$_bare_name.git"
echo "* * *"

627
install-debian-server.sh Executable file
View File

@ -0,0 +1,627 @@
#!/bin/sh
# bachir soussi chiadmi
#
# http://www.pontikis.net/blog/debian-9-stretch-rc3-web-server-setup-php7-mariadb
# http://web-74.com/blog/reseaux/gerer-le-deploiement-facilement-avec-git/
#
echo '\033[35m
____ __ _ _____
/ __ \___ / /_ (_)___ _____ / ___/___ ______ _____ _____
/ / / / _ \/ __ \/ / __ `/ __ \ \__ \/ _ \/ ___/ | / / _ \/ ___/
/ /_/ / __/ /_/ / / /_/ / / / / ___/ / __/ / | |/ / __/ /
/_____/\___/_.___/_/\__,_/_/ /_/ /____/\___/_/ |___/\___/_/
\033[0m'
echo "\033[35;1mThis script has been tested only on Linux Debian 9 \033[0m"
echo "Please run this script as root"
echo -n "Should we start? [Y|n] "
read yn
yn=${yn:-y}
if [ "$yn" != "y" ]; then
echo "aborting script!"
exit
fi
# get the current position
_cwd="$(pwd)"
echo '\033[35m
__ ______ __________ ___ ____ ______
/ / / / __ \/ ____/ __ \/ | / __ \/ ____/
/ / / / /_/ / / __/ /_/ / /| | / / / / __/
/ /_/ / ____/ /_/ / _, _/ ___ |/ /_/ / /___
\____/_/ \____/_/ |_/_/ |_/_____/_____/
\033[0m'
apt-get update
apt-get upgrade
echo '\033[35m
__ ____
/ |/ (_)_________
/ /|_/ / / ___/ ___/
/ / / / (__ ) /__
/_/ /_/_/____/\___/
\033[0m'
apt-get install vim
sed -i "s/^# en_GB.UTF-8/en_GB.UTF-8/g" /etc/locale.gen
locale-gen
apt-get install ntp
echo '\033[35m
______________ _______ _____ __ __
/ ____/ _/ __ \/ ____/ | / / | / / / /
/ /_ / // /_/ / __/ | | /| / / /| | / / / /
/ __/ _/ // _, _/ /___ | |/ |/ / ___ |/ /___/ /___
/_/ /___/_/ |_/_____/ |__/|__/_/ |_/_____/_____/
\033[0m'
echo "\033[35;1mInstalling ufw and setup firewall (allowing only ssh and http) \033[0m"
sleep 3
apt-get install ufw
# ufw allow ssh # knockd will open the ssh port
ufw allow http
ufw allow https
ufw enable
ufw status verbose
echo "\033[92;1mufw installed and firwall configured\033[Om"
echo '\033[35m
______ _ _____ __
/ ____/___ _(_) /__ \ / /_ ____ _____
/ /_ / __ `/ / /__/ // __ \/ __ `/ __ \
/ __/ / /_/ / / // __// /_/ / /_/ / / / /
/_/ \__,_/_/_//____/_.___/\__,_/_/ /_/
\033[0m'
echo "\033[35;1mInstalling fall2ban \033[0m"
apt-get install fail2ban
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
# ToDo ask for email and configure jail.local with it
service fail2ban restart
echo "\033[92;1mfail2ban installed and configured\033[Om"
echo '\033[35m
__ __ __
/ /______ ____ _____/ /______/ /
/ //_/ __ \/ __ \/ ___/ //_/ __ /
/ ,< / / / / /_/ / /__/ ,< / /_/ /
/_/|_/_/ /_/\____/\___/_/|_|\__,_/
\033[0m'
echo "\033[35;1mInstalling knockd \033[0m"
sleep 3
apt-get install knockd
echo -n "define a sequence number for opening (as 7000,8000,9000) : "
read sq1
echo -n "define a sequence number for closing (as 9000,8000,7000) : "
read sq2
sed -i "s/7000,8000,9000/$sq1/g" /etc/knockd.conf
sed -i "s/9000,8000,7000/$sq2/g" /etc/knockd.conf
sed -i 's/START_KNOCKD=0/START_KNOCKD=1/g' /etc/default/knockd
service knockd start
echo "\033[92;1mknockd installed and configured\033[Om"
echo "\033[92;1mplease note these sequences for future knocking\033[Om"
echo "opening : $sq1 ; closing : $sq2"
echo '\033[35m
__ _______ __________
/ / / / ___// ____/ __ \
/ / / /\__ \/ __/ / /_/ /
/ /_/ /___/ / /___/ _, _/
\____//____/_____/_/ |_|
\033[0m'
echo "\033[35;1mCreate new user (you will be asked a user name and a password) \033[0m"
sleep 3
echo -n "Enter user name: "
read user
# read -p "Continue? (Y/N): " confirm && [[ $confirm == [yY] || $confirm == [yY][eE][sS] ]] || exit 1
adduser "$user"
echo "adding $user to admin group and limiting su to the admin group"
groupadd admin
usermod -a -G admin "$user"
# allow admin group to su
dpkg-statoverride --update --add root admin 4750 /bin/su
echo "\033[92;1muser $user configured\033[Om"
echo '\033[35m
__ ______ ______
/ |/ / | / _/ /
/ /|_/ / /| | / // /
/ / / / ___ |_/ // /___
/_/ /_/_/ |_/___/_____/
\033[0m'
echo "\033[35;1mEnable mail sending for php \033[0m"
# http://www.sycha.com/lamp-setup-debian-linux-apache-mysql-php#anchor13
sleep 3
apt-get install exim4
echo "\033[35;1mConfiguring EXIM4 \033[0m"
while [ "$configexim" != "y" ] && [ "$configexim" != "n" ]
do
echo -n "Should we configure exim4 ? [y|n] "
read configexim
done
if [ "$configexim" = "y" ]; then
echo "choose the first option :internet site; mail is sent and received directly using SMTP. Leave the other options as default exepted for domain name which should be valid domain name if you want your mails to not be considered as spam"
echo "press any key to continue."
read continu
dpkg-reconfigure exim4-config
else
echo 'exim not configured'
fi
service exim4 restart
# dkim spf
# https://debian-administration.org/article/718/DKIM-signing_outgoing_mail_with_exim4
echo "\033[35;1mConfiguring DKIM \033[0m"
while [ "$installdkim" != "y" ] && [ "$installdkim" != "n" ]
do
echo -n "Should we install dkim for exim4 ? [y|n] "
read installdkim
done
if [ "$installdkim" = "y" ]; then
echo -n "Choose a domain for dkim (same domain as you chose before for exim4): "
read domain
selector=$(date +%Y%m%d)
mkdir /etc/exim4/dkim
openssl genrsa -out /etc/exim4/dkim/"$domain"-private.pem 1024 -outform PEM
openssl rsa -in /etc/exim4/dkim/"$domain"-private.pem -out /etc/exim4/dkim/"$domain".pem -pubout -outform PEM
chown root:Debian-exim /etc/exim4/dkim/"$domain"-private.pem
chmod 440 /etc/exim4/dkim/"$domain"-private.pem
cp "$_cwd"/assets/exima4_dkim.conf /etc/exim4/conf.d/main/00_local_macros
sed -ir "s/DOMAIN_TO_CHANGE/$domain/g" /etc/exim4/conf.d/main/00_local_macros
sed -ir "s/DATE_TO_CHANGE/$selector/g" /etc/exim4/conf.d/main/00_local_macros
update-exim4.conf
service exim4 restart
echo "please create a TXT entry in your dns zone : $selector._domainkey.$domain \n"
echo "your public key is : \n"
cat /etc/exim4/dkim/"$domain".pem
echo "press any key to continue."
read continu
else
echo 'dkim not installed'
fi
echo '\033[35m
__________ __ __
/ ___/ ___// / / /
\__ \\__ \/ /_/ /
___/ /__/ / __ /
/____/____/_/ /_/
\033[0m'
while [ "$securssh" != "y" ] && [ "$securssh" != "n" ]
do
echo -n "Securing ssh (disabling root login)? [y|n] "
read securssh
# securssh=${securssh:-y}
done
if [ "$securssh" = "y" ]; then
sed -i 's/PermitRootLogin\ yes/PermitRootLogin no/g' /etc/ssh/sshd_config
sed -i 's/PermitEmptyPasswords\ yes/PermitEmptyPasswords no/g' /etc/ssh/sshd_config
sed -i 's/Protocol\ [0-9]/Protocol 2/g' /etc/ssh/sshd_config
service ssh reload
echo "\033[92;1mSSH secured\033[Om"
else
echo 'root user can still conect through ssh'
fi
echo '\033[35m
______ _______ _____
| ____|__ __| __ \
| |__ | | | |__) |
| __| | | | ___/
| | | | | |
|_| |_| |_|
\033[0m'
echo -n "Should we install ftp server? [Y|n] "
read yn
yn=${yn:-y}
if [ "$yn" = "y" ]; then
echo "installing proftpd"
apt-get install proftpd
while [ "$_server_name" = "" ]
do
read -p "enter a server name ? " _server_name
if [ "$_server_name" != "" ]; then
read -p "is server name $_server_name correcte [y|n] " validated
if [ "$validated" = "y" ]; then
break
else
_server_name=""
fi
fi
done
echo "Configuring proftpd"
cp "$_cwd"/assets/proftpd.conf /etc/proftpd/conf.d/"$_server_name".conf
sed -ir "s/example/$_server_name/g" /etc/proftpd/conf.d/"$_server_name".conf
ufw allow ftp
addgroup ftpuser
echo "ftp installtion done"
echo "to permit to a user to connect through ftp, add him to the ftpuser group by running : usermod -a -G admin USERNAME"
echo "FTP users are jailed on their home by default"
fi
# TODO : allow ssh/ftp connection only from given ips
echo "\033[35;1mInstalling AMP web server \033[0m"
echo '\033[35m
__ ___ __
/ |/ /_ ___________ _/ /
/ /|_/ / / / / ___/ __ `/ /
/ / / / /_/ (__ ) /_/ / /
/_/ /_/\__, /____/\__, /_/
/____/ /_/
\033[0m'
echo "\033[35;1minstalling Mysql \033[0m"
sleep 3
apt-get install mariadb-server
mysql_secure_installation
systemctl restart mariadb.service
echo "\033[92;1mmysql installed\033[Om"
echo '\033[35m
___ __ ___
/ | ____ ____ ______/ /_ ___ |__ \
/ /| | / __ \/ __ `/ ___/ __ \/ _ \__/ /
/ ___ |/ /_/ / /_/ / /__/ / / / __/ __/
/_/ |_/ .___/\__,_/\___/_/ /_/\___/____/
/_/
\033[0m'
echo "\033[35;1mInstalling Apache2 \033[0m"
sleep 3
apt-get install apache2
a2enmod rewrite
# cp /etc/apache2/apache2.conf /etc/apache2/apache2.conf.back
# cat "$_cwd"/assets/apache2.conf > /etc/apache2/apache2.conf
# Change logrotate for Apache2 log files to keep 10 days worth of logs
sed -i 's/\tweekly/\tdaily/' /etc/logrotate.d/apache2
sed -i 's/\trotate .*/\trotate 10/' /etc/logrotate.d/apache2
# Remove Apache server information from headers.
sed -i 's/ServerTokens .*/ServerTokens Prod/' /etc/apache2/conf-enabled/security.conf
sed -i 's/ServerSignature .*/ServerSignature Off/' /etc/apache2/conf-enabled/security.conf
service apache2 restart
echo "\033[92;1mApache2 installed\033[Om"
echo '\033[35m
____ __ ______
/ __ \/ / / / __ \
/ /_/ / /_/ / /_/ /
/ ____/ __ / ____/
/_/ /_/ /_/_/
\033[0m'
echo "\033[35;1mInstalling PHP \033[0m"
sleep 3
apt-get install php7.0 php-pear php7-gd
echo "Configuring PHP"
cp "$_cwd"/assets/99-lamp-php.ini /etc/php/7.0/apache2/conf.d/
# conffile=/etc/php/7.0/apache2/conf.d/99-lamp-php.ini
# cp /etc/php/7.0/apache2/php.ini $conffile
# sed -i "s/max_execution_time\ =\ [0-9]\+/max_execution_time = 60/g" $conffile
# sed -i "s/max_input_time\ =\ [0-9]\+/max_input_time = 60/g" $conffile
# sed -i "s/memory_limit\ =\ [0-9]\+M/memory_limit = 512M/g" $conffile
# sed -i "s/;\?error_reporting\ =\ [^\n]\+/error_reporting = E_COMPILE_ERROR|E_RECOVERABLE_ERROR|E_ERROR|E_CORE_ERROR/g" $conffile
# sed -i "s/;\?display_errors\ =\ On/display_errors = Off/g" $conffile
# sed -i "s/;\?log_errors\ =\ Off/log_errors = On/g" $conffile
# echo "register_globals = Off" >> $conffile
# following command doesn't work, make teh change manualy
#sed -ri ":a;$!{N;ba};s/;\?\ \?error_log\ =\ [^\n]\+([^\n]*\n(\n|$))/error_log = \/var\/log\/php\/error.log\1/g" /etc/php5/apache2/php.ini
mkdir /var/log/php
chown www-data /var/log/php
cp "$_cwd"/assets/logrotate-php /etc/logrotate.d/php
apt-get install php7.0-mysql php7.0-curl php7.0-mbstring php7.0-zip php7.0-xml php7.0-gd php7.0-mcrypt php-memcached
apt-get install memcached
sed -i "s/-m\s64/-m 128/g" /etc/memcached.conf
systemctl start memcached
echo "\033[92;1mphp installed\033[Om"
echo '\033[35m
__ __ ___ ___ __ _
____ / /_ ____ / |/ /_ __/ | ____/ /___ ___ (_)___
/ __ \/ __ \/ __ \/ /|_/ / / / / /| |/ __ / __ `__ \/ / __ \
/ /_/ / / / / /_/ / / / / /_/ / ___ / /_/ / / / / / / / / / /
/ .___/_/ /_/ .___/_/ /_/\__, /_/ |_\__,_/_/ /_/ /_/_/_/ /_/
/_/ /_/ /____/
\033[0m'
echo "\033[35;1mInstalling phpMyAdmin \033[0m"
apt-get install phpmyadmin
# echo "include /etc/phpmyadmin/apache.conf" >> /etc/apache2/apache2.conf
ln -s /etc/phpmyadmin/apache.conf /etc/apache2/conf-available/phpmyadmin.conf
a2enconf phpmyadmin.conf
echo "\033[35;1msecuring phpMyAdmin \033[0m"
# sed -i "s/DirectoryIndex index.php/DirectoryIndex index.php\nAllowOverride all/"
cp "$_cwd"/assets/phpmyadmin_htaccess > /usr/share/phpmyadmin/.htaccess
echo -n "define a user name for phpmyadmin : "
read un
htpasswd -c /etc/phpmyadmin/.htpasswd $un
service apache2 restart
echo "\033[92;1mphpMyAdmin installed\033[Om"
echo "\033[92;1mYou can access it at yourip/phpmyadmin\033[Om"
echo '\033[35m
__ __
_ __/ /_ ____ _____/ /_
| | / / __ \/ __ \/ ___/ __/
| |/ / / / / /_/ (__ ) /_
|___/_/ /_/\____/____/\__/
\033[0m'
echo "\033[35;1mVHOST install \033[0m"
while [ "$vh" != "y" ] && [ "$vh" != "n" ]
do
echo -n "Should we install a vhost? [y|n] "
read vh
# vh=${vh:-y}
done
if [ "$vh" = "y" ]; then
while [ "$_host_name" = "" ]
do
read -p "enter a hostname ? " _host_name
if [ "$_host_name" != "" ]; then
read -p "is hostname $_host_name correcte [y|n] " validated
if [ "$validated" = "y" ]; then
break
else
_host_name=""
fi
fi
done
cp "$_cwd"/assets/example.org.conf /etc/apache2/sites-available/"$_host_name".conf
sed -ir "s/example\.org/$_host_name/g" /etc/apache2/sites-available/"$_host_name".conf
mkdir -p /srv/www/"$_host_name"/public_html
mkdir /srv/www/"$_host_name"/logs
#set proper right to user will handle the app
chown -R root:admin /srv/www/"$_host_name"/
chmod -R g+w /srv/www/"$_host_name"/
chmod -R g+r /srv/www/"$_host_name"/
# create a shortcut to the site
mkdir /home/"$user"/www/
chown "$user":admin /home/"$user"/www/
ln -s /srv/www/"$_host_name" /home/"$user"/www/"$_host_name"
#activate the vhost
a2ensite "$_host_name".conf
#restart apache
service apache2 restart
echo "\033[92;1mvhost $_host_name configured\033[Om"
else
echo "Vhost installation aborted"
fi
# TODO supervising
# echo '\033[35m
# __ ___ _ __ __ __ ___ _
# / |/ /__ ___ (_) /_ _/_/ / |/ /_ _____ (_)__
# / /|_/ / _ \/ _ \/ / __/ _/_/ / /|_/ / // / _ \/ / _ \
# /_/ /_/\___/_//_/_/\__/ /_/ /_/ /_/\_,_/_//_/_/_//_/
# \033[0m'
# echo "\033[35;1mInstalling Munin \033[0m"
# sleep 3
# # https://www.howtoforge.com/tutorial/server-monitoring-with-munin-and-monit-on-debian/
# apt-get install munin munin-node munin-plugins-extra
# # Configure Munin
# # enable plugins
# ln -s /usr/share/munin/plugins/mysql_ /etc/munin/plugins/mysql_
# ln -s /usr/share/munin/plugins/mysql_bytes /etc/munin/plugins/mysql_bytes
# ln -s /usr/share/munin/plugins/mysql_innodb /etc/munin/plugins/mysql_innodb
# ln -s /usr/share/munin/plugins/mysql_isam_space_ /etc/munin/plugins/mysql_isam_space_
# ln -s /usr/share/munin/plugins/mysql_queries /etc/munin/plugins/mysql_queries
# ln -s /usr/share/munin/plugins/mysql_slowqueries /etc/munin/plugins/mysql_slowqueries
# ln -s /usr/share/munin/plugins/mysql_threads /etc/munin/plugins/mysql_threads
#
# ln -s /usr/share/munin/plugins/apache_accesses /etc/munin/plugins/
# ln -s /usr/share/munin/plugins/apache_processes /etc/munin/plugins/
# ln -s /usr/share/munin/plugins/apache_volume /etc/munin/plugins/
#
# # ln -s /usr/share/munin/plugins/fail2ban /etc/munin/plugins/
#
# # dbdir, htmldir, logdir, rundir, and tmpldir
# sed -i 's/^#dbdir/dbdir/' /etc/munin/munin.conf
# sed -i 's/^#htmldir/htmldir/' /etc/munin/munin.conf
# sed -i 's/^#logdir/logdir/' /etc/munin/munin.conf
# sed -i 's/^#rundir/rundir/' /etc/munin/munin.conf
# sed -i 's/^#tmpldir/tmpldir/' /etc/munin/munin.conf
#
# sed -i "s/^\[localhost.localdomain\]/[${HOSTNAME}]/" /etc/munin/munin.conf
#
# # ln -s /etc/munin/apache24.conf /etc/apache2/conf-enabled/munin.conf
# sed -i 's/Require local/Require all granted\nOptions FollowSymLinks SymLinksIfOwnerMatch/g' /etc/munin/apache24.conf
# htpasswd -c /etc/munin/munin-htpasswd admin
# sed -i 's/Require all granted/AuthUserFile \/etc\/munin\/munin-htpasswd\nAuthName "Munin"\nAuthType Basic\nRequire valid-user/g' /etc/munin/apache24.conf
#
#
# service apache2 restart
# service munin-node restart
# echo "\033[92;1mMunin installed\033[Om"
#
# echo "\033[35;1mInstalling Monit \033[0m"
# sleep 3
# # https://www.howtoforge.com/tutorial/server-monitoring-with-munin-and-monit-on-debian/2/
# apt-get install monit
# # TODO setup monit rc
# cat "$_cwd"/assets/monitrc > /etc/monit/monitrc
#
# # TODO setup webaccess
# passok=0
# while [ "$passok" = "0" ]
# do
# echo -n "Write web access password to monit"
# read passwda
# echo -n "ReWrite web access password to monit"
# read passwdb
# if [ "$passwda" = "$passwdb" ]; then
# sed -i 's/PASSWD_TO_REPLACE/$passwda/g' /etc/monit/monitrc
# passok=1
# else
# echo "pass words don't match, please try again"
# fi
# done
#
# # TODO setup mail settings
# sed -i "s/server1\.example\.com/$HOSTNAME/g" /etc/monit/monitrc
#
# mkdir /var/www/html/monit
# echo "hello" > /var/www/html/monit/token
#
# service monit start
#
# echo "\033[92;1mMonit installed\033[Om"
# echo '\033[35m
# ___ __ __
# / |_ _______/ /_____ _/ /_
# / /| | | /| / / ___/ __/ __ `/ __/
# / ___ | |/ |/ (__ ) /_/ /_/ / /_
# /_/ |_|__/|__/____/\__/\__,_/\__/
# \033[0m'
# echo "\033[35;1mInstalling Awstat \033[0m"
# sleep 3
# apt-get install awstats
# # Configure AWStats
# temp=`grep -i sitedomain /etc/awstats/awstats.conf.local | wc -l`
# if [ $temp -lt 1 ]; then
# echo SiteDomain="$_host_name" >> /etc/awstats/awstats.conf.local
# fi
# # Disable Awstats from executing every 10 minutes. Put a hash in front of any line.
# sed -i 's/^[^#]/#&/' /etc/cron.d/awstats
# echo "\033[92;1mAwstat installed\033[Om"
# echo '\033[35m
# ______________ _______
# /_ __/ ____/ |/ / __ \
# / / / __/ / /|_/ / /_/ /
# / / / /___/ / / / ____/
# /_/ /_____/_/ /_/_/
# \033[0m'
# function check_tmp_secured {
# temp1=`grep -w "/var/tempFS /tmp ext3 loop,nosuid,noexec,rw 0 0" /etc/fstab | wc -l`
# temp2=`grep -w "tmpfs /tmp tmpfs rw,noexec,nosuid 0 0" /etc/fstab | wc -l`
# if [ $temp1 -gt 0 ] || [ $temp2 -gt 0 ]; then
# return 1
# else
# return 0
# fi
# } # End function check_tmp_secured
# function secure_tmp_tmpfs {
# cp /etc/fstab /etc/fstab.bak
# # Backup /tmp
# cp -Rpf /tmp /tmpbackup
# rm -rf /tmp
# mkdir /tmp
# mount -t tmpfs -o rw,noexec,nosuid tmpfs /tmp
# chmod 1777 /tmp
# echo "tmpfs /tmp tmpfs rw,noexec,nosuid 0 0" >> /etc/fstab
# # Restore /tmp
# cp -Rpf /tmpbackup/* /tmp/ >/dev/null 2>&1
# #Remove old tmp dir
# rm -rf /tmpbackup
# # Backup /var/tmp and link it to /tmp
# mv /var/tmp /var/tmpbackup
# ln -s /tmp /var/tmp
# # Copy the old data back
# cp -Rpf /var/tmpold/* /tmp/ >/dev/null 2>&1
# # Remove old tmp dir
# rm -rf /var/tmpbackup
# echo -e "\033[35;1m /tmp and /var/tmp secured using tmpfs. \033[0m"
# } # End function secure_tmp_tmpfs
# check_tmp_secured
# if [ $? = 0 ]; then
# secure_tmp_tmpfs
# else
# echo -e "\033[35;1mFunction canceled. /tmp already secured. \033[0m"
# fi
echo '\033[35m
____ __ _______ __
/ __ \____ / /_ / ____(_) /__ _____
/ / / / __ \/ __/ / /_ / / / _ \/ ___/
/ /_/ / /_/ / /_ / __/ / / / __(__ )
/_____/\____/\__/ /_/ /_/_/\___/____/
\033[0m'
#installing better prompt and some goodies for root
echo "\033[35;1mInstalling shell prompt for root \033[0m"
sleep 3
echo "cloning github.com/bachy/dotfiles-server"
git clone git://github.com/bachy/dotfiles-server.git ~/.dotfiles-server && cd ~/.dotfiles-server && ./install.sh && cd ~
source ~/.bashrc
echo "\033[92;1mDot files installed for root, you should installed them manually for $USER\033[0m"
# TODO add warning message on ssh connection if system needs updates
# TODO install and configure tmux
echo '\033[35m
___ __ __ __ __ __
/ | __ __/ /_____ / / / /___ ____/ /___ _/ /____
/ /| |/ / / / __/ __ \ / / / / __ \/ __ / __ `/ __/ _ \
/ ___ / /_/ / /_/ /_/ / / /_/ / /_/ / /_/ / /_/ / /_/ __/
/_/ |_\__,_/\__/\____/ \____/ .___/\__,_/\__,_/\__/\___/
/_/
\033[0m'
# https://www.howtoforge.com/how-to-configure-automatic-updates-on-debian-wheezy
# https://www.bisolweb.com/tutoriels/serveur-vps-ovh-partie-5-installation-apticron/
echo "\033[35;1mInstalling apticron \033[0m"
apt-get install apticron
sleep 3
echo -n "Enter an email: "
read email
sed -ir "s/EMAIL=\"root\"/EMAIL=\"$email\"/g" /etc/apticron/apticron.conf
# sed -ir "s/# DIFF_ONLY=\"1\"/DIFF_ONLY=\"1\"/g" /etc/apticron/apticron.conf
sed -ir "s/# NOTIFY_NEW=\"0\"/NOTIFY_NEW=\"0\"/g" /etc/apticron/apticron.conf
echo "\033[92;1mApticron installed and configured\033[0m"
echo '\033[35m
__
___ ____ ____/ /
/ _ \/ __ \/ __ /
/ __/ / / / /_/ /
\___/_/ /_/\__,_/
\033[0m'
echo "\033[35;1m* * script done * * \033[0m"

184
install.sh
View File

@ -1,184 +0,0 @@
#!/bin/sh
# bachir soussi chiadmi
#
# http://www.pontikis.net/blog/debian-9-stretch-rc3-web-server-setup-php7-mariadb
# http://web-74.com/blog/reseaux/gerer-le-deploiement-facilement-avec-git/
#
echo -e '\033[35m
____ __ _ _____
/ __ \___ / /_ (_)___ _____ / ___/___ ______ _____ _____
/ / / / _ \/ __ \/ / __ `/ __ \ \__ \/ _ \/ ___/ | / / _ \/ ___/
/ /_/ / __/ /_/ / / /_/ / / / / ___/ / __/ / | |/ / __/ /
/_____/\___/_.___/_/\__,_/_/ /_/ /____/\___/_/ |___/\___/_/
\033[0m'
echo -e "\033[35;1mThis script has been tested only on Linux Debian 10 \033[0m"
if [ "$EUID" -ne 0 ]; then
echo "Please run as root"
exit
fi
echo -n "Should we start? [Y|n] "
read yn
yn=${yn:-y}
if [ "$yn" != "y" ]; then
echo "aborting script!"
exit
fi
# get the current position
_cwd="$(pwd)"
. bin/upgrade.sh
. bin/misc.sh
. bin/firewall.sh
. bin/fail2ban.sh
# . bin/knockd.sh
. bin/user.sh
. bin/email.sh
while [ "$securssh" != "yes" ] && [ "$securssh" != "no" ]
do
echo -n "Securing ssh (disabling root login)? [yes|no] "
read securssh
# securssh=${securssh:-y}
done
if [ "$securssh" = "yes" ]; then
. bin/ssh.sh
else
echo 'root user can still conect through ssh'
fi
echo -n "Should we install ftp server? [Y|n] "
read yn
yn=${yn:-y}
if [ "$yn" = "y" ]; then
. bin/ftp.sh
else
echo 'ftp server not installed'
fi
while [ "$lemp" != "yes" ] && [ "$lemp" != "no" ]
do
echo -n "Should we install lemp ? [yes|no] "
read lemp
done
if [ "$lemp" = "yes" ]; then
. bin/lemp.sh
else
echo 'lemp server not installed'
fi
while [ "$_install_vhost" != "yes" ] && [ "$_install_vhost" != "no" ]
do
echo -n "Should we install a vhost ? [yes|no] "
read _install_vhost
done
if [ "$_install_vhost" = "yes" ]; then
# TODO bug vhost.sh file does not exists ...
. bin/vhost.sh
else
echo 'no vhost installed'
fi
while [ "$_install_zabbix_agent" != "yes" ] && [ "$_install_zabbix_agent" != "no" ]
do
echo -n "Should we install zabbix-agent ? [yes|no] "
read _install_zabbix_agent
done
if [ "$_install_zabbix_agent" = "yes" ]; then
. bin/zabbix.sh
else
echo 'zabbix-agent not installed'
fi
while [ "$_install_urbackup" != "yes" ] && [ "$_install_urbackup" != "no" ]
do
echo -n "Should we install urbackup client ? [yes|no] "
read _install_urbackup
done
if [ "$_install_urbackup" = "yes" ]; then
. bin/urbackup.sh
else
echo 'urbackup client not installed'
fi
# ./install.sh: line 109: bin/dotfiles.sh: No such file or directory
. bin/dotfiles.sh
# . bin/autoupdate.sh
# echo -e '\033[35m
# ______________ _______
# /_ __/ ____/ |/ / __ \
# / / / __/ / /|_/ / /_/ /
# / / / /___/ / / / ____/
# /_/ /_____/_/ /_/_/
# \033[0m'
# function check_tmp_secured {
# temp1=`grep -w "/var/tempFS /tmp ext3 loop,nosuid,noexec,rw 0 0" /etc/fstab | wc -l`
# temp2=`grep -w "tmpfs /tmp tmpfs rw,noexec,nosuid 0 0" /etc/fstab | wc -l`
# if [ $temp1 -gt 0 ] || [ $temp2 -gt 0 ]; then
# return 1
# else
# return 0
# fi
# } # End function check_tmp_secured
# function secure_tmp_tmpfs {
# cp /etc/fstab /etc/fstab.bak
# # Backup /tmp
# cp -Rpf /tmp /tmpbackup
# rm -rf /tmp
# mkdir /tmp
# mount -t tmpfs -o rw,noexec,nosuid tmpfs /tmp
# chmod 1777 /tmp
# echo "tmpfs /tmp tmpfs rw,noexec,nosuid 0 0" >> /etc/fstab
# # Restore /tmp
# cp -Rpf /tmpbackup/* /tmp/ >/dev/null 2>&1
# #Remove old tmp dir
# rm -rf /tmpbackup
# # Backup /var/tmp and link it to /tmp
# mv /var/tmp /var/tmpbackup
# ln -s /tmp /var/tmp
# # Copy the old data back
# cp -Rpf /var/tmpold/* /tmp/ >/dev/null 2>&1
# # Remove old tmp dir
# rm -rf /var/tmpbackup
# echo -e "\033[35;1m /tmp and /var/tmp secured using tmpfs. \033[0m"
# } # End function secure_tmp_tmpfs
# check_tmp_secured
# if [ $? = 0 ]; then
# secure_tmp_tmpfs
# else
# echo -e "\033[35;1mFunction canceled. /tmp already secured. \033[0m"
# fi
# TODO add warning message on ssh connection if system needs updates
# TODO install and configure tmux
echo -e '\033[35m
__
___ ____ ____/ /
/ _ \/ __ \/ __ /
/ __/ / / / /_/ /
\___/_/ /_/\__,_/
\033[0m'
echo -e "\033[35;1m* * script done * * \033[0m"

9
prompt.sh Normal file
View File

@ -0,0 +1,9 @@
# setup user environment
echo "\033[35;1mInstalling shell prompt \033[0m"
sleep 3
git clone git://github.com/bachy/dotfiles-server.git ~/.dotfiles-server && cd ~/.dotfiles-server && ./install.sh
source ~/.bashrc
echo "done"
echo "* * *"

4
raw.githubusercontent.com_kvaps_zabbix-linux-container-template_master_zabbix_container.conf.txt
View File

@ -1,4 +0,0 @@
UserParameter=ct.memory.size[*],free -b | awk 'NR==2 {total=$ 2; used=($ 3+$ 5); pused=(($ 3+$ 5)*100/$ 2); free=$ 4; pfree=($ 4*100/$ 2); shared=$ 5; buffers=$ 6; cached=$ 6; available=$ 7; pavailable=($ 7*100/$ 2); if("$1" == "") {printf("%.0f", total )} else {printf("%.0f", $1 "" )} }'
UserParameter=ct.swap.size[*],free -b | awk 'NR==3 {total=$ 2; used=$ 3; free=$ 4; pfree=($ 4*100/$ 2); pused=($ 3*100/$ 2); if("$1" == "") {printf("%.0f", free )} else {printf("%.0f", $1 "" )} }'
UserParameter=ct.cpu.load[*],cut -d" " -f1-3 /proc/loadavg | awk -F'[, ]+' '{avg1=$(NF-2); avg5=$(NF-1); avg15=$(NF)}{print $2/'$(nproc)'}'
UserParameter=ct.uptime,cut -d"." -f1 /proc/uptime

40
readme.md
View File

@ -1,11 +1,8 @@
# Install LEMP web server and secure it on debian 12 # Install Lamp server and secure it on debian 9
Fail2ban, Ufw, Proftpd, Knockd, Nginx, Mariadb, php7.0-fpm, redis, vhosts, git barre repos, zabbix-agent, dotfiles and more
## how to use it ## how to use it
on a fresh install on a fresh install
as root
All commands below are run as root user. Either log in as root user directly or log in as your normal user and then use the command ```su -``` to become root user on your server before you proceed. IMPORTANT: You must use ```su -``` and not just ```su```, otherwise your PATH variable is set wrong by Debian.
1 install git 1 install git
``` ```
@ -14,41 +11,18 @@ apt-get install git
2 clone the repo 2 clone the repo
``` ```
git clone https://figureslibres.io/gogs/bachir/debian-web-server.git git clone https://github.com/bachy/debian-lamp.git
``` ```
3 change defaut shell from dash to bash 3 run the script as root
```
dpkg-reconfigure dash
```
and answer NO to the the question
4 run the script as root
``` ```
su su
cd debian-web-server cd debian-lamp
chmod a+x install.sh chmod a+x install-debian-server.sh
./install.sh ./install-debian-server.sh
``` ```
5 steps
* misc.sh
* dotfliles.sh
* user.sh
* ssh.sh
* firewall.sh
* fail2ban.sh
* email.sh
* lemp.sh
* mysqlbackup.sh
* vhost.sh
* gitbarrerepos.sh
* webhook.sh
* urbackup.sh
* zabbix.sh
*
## ref ## ref
http://www.debian.org/doc/manuals/securing-debian-howto/ http://www.debian.org/doc/manuals/securing-debian-howto/