bachir/debion-web-server
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: bachir:master
Branches Tags
bachir:master
bachir:deb12
bachir:deb11
bachir:deb10
bachir:deb9
bachir:deb9-nginx
bachir:deb9-apache
..
compare: bachir:deb9-nginx
Branches Tags
bachir:deb12
bachir:master
bachir:deb11
bachir:deb10
bachir:deb9
bachir:deb9-nginx
bachir:deb9-apache

No commits in common. "master" and "deb9-nginx" have entirely different histories.
master ... deb9-nginx

48 changed files with 360 additions and 6758 deletions
Show Stats Expand all files Collapse all files

1
assets/deploy-drupal.sh
View File

@ -6,7 +6,6 @@ cd ./public_html
echo "" echo ""
echo "Pulling down latest code." echo "Pulling down latest code."
git pull --ff-only origin prod git pull --ff-only origin prod
git submodule update --init --recursive
echo "" echo ""
echo "Clearing drush caches." echo "Clearing drush caches."
drush cache-clear drush drush cache-clear drush

157
assets/drupal-ssl-decoupled.nginxconf
View File

@ -1,157 +0,0 @@
# https://www.nginx.com/resources/wiki/start/topics/recipes/drupal/
server {
listen 80;
listen [::]:80;
server_name DOMAIN.LTD;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name DOMAIN.LTD;
#SSL Certificates
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_certificate "/etc/letsencrypt/live/DOMAIN.LTD/fullchain.pem";
ssl_certificate_key "/etc/letsencrypt/live/DOMAIN.LTD/privkey.pem";
ssl_dhparam /etc/nginx/ssl/certs/DOMAIN.LTD/dhparam.pem;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10m;
ssl_ciphers HIGH:!aNULL:!MD5;
#ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security "max-age=31536000;
#includeSubDomains" always;
charset utf-8;
access_log on;
error_log /var/www/DOMAIN.LTD/log/error.log; # debug;
root /var/www/DOMAIN.LTD/app/src/dist/;
index index.php index.html index.htm;
location @app {
rewrite ^/(.*)$ /index.html;
}
location / {
#alias /var/www/enfrancais.fr/app/web/;
try_files $uri $uri/ @app;
}
location @api {
rewrite ^/api/(.*)$ /api/index.php;
}
location @rewrite {
rewrite ^/api/(.*)$ /index.php?q=$1;
}
location /api {
alias /var/www/enfrancais.fr/api/src/web/;
try_files $uri $uri/ @api;
# In Drupal 8, we must also match new paths where the '.php' appears in
# the middle, such as update.php/selection. The rule we use is strict,
# and only allows this pattern with the update.php front controller.
# This allows legacy path aliases in the form of
# blog/index.php/legacy-path to continue to route to Drupal nodes. If
# you do not have any paths like that, then you might prefer to use a
# laxer rule, such as:
# # location ~ \.php(/|$) {
# The laxer rule will continue to work if Drupal uses this new URL
# pattern with front controllers other than update.php in a future
# release.
#location ~ '\.php$|^/update.php' {
#location ~ \.php(/|$) {
location ~ \.php$ {
#fastcgi_split_path_info ^(.+\.php)(/.+)$;
#fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
#fastcgi_split_path_info ^(.+?\.php)(/.*)$;
include fastcgi_params;
#fastcgi_index index.php;
# Block httpoxy attacks. See https://httpoxy.org/.
#fastcgi_param HTTP_PROXY "";
#fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
#fastcgi_param SCRIPT_FILENAME index.php;
fastcgi_param SCRIPT_FILENAME $request_filename;
#fastcgi_param REQUEST_URI $request_uri;
#fastcgi_param PATH_INFO $fastcgi_path_info;
#set $path_info $fastcgi_path_info;
#fastcgi_param PATH_INFO /;
#fastcgi_param QUERY_STRING $query_string;
#fastcgi_intercept_errors off;
#fastcgi_param DOCUMENT_ROOT /var/www/enfrancais.fr/api;
# fastcgi_buffer_size 16k;
# fastcgi_buffers 4 16k;
fastcgi_pass unix:/run/php/php8.2-fpm.sock;
}
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
try_files $uri @rewrite;
expires max;
log_not_found off;
}
location ~ \..*/.*\.php$ {
return 403;
}
location ~ ^/sites/.*/private/ {
return 403;
}
# Block access to scripts in site files directory
location ~ ^/sites/[^/]+/files/.*\.php$ {
deny all;
}
# Allow "Well-Known URIs" as per RFC 5785
location ~* ^/.well-known/ {
allow all;
}
# Block access to "hidden" files and directories whose names begin with a
# period. This includes directories used by version control systems such
# as Subversion or Git to store control files.
location ~ (^|/)\. {
return 403;
}
# Don't allow direct access to PHP files in the vendor directory.
location ~ /vendor/.*\.php$ {
deny all;
return 404;
}
location ~ /\.ht {
deny all;
}
sendfile off;
client_max_body_size 100m;
# Fighting with Styles? This little gem is amazing.
# location ~ ^/sites/.*/files/imagecache/ { # For Drupal <= 6
location ~ ^/sites/.*/files/styles/ { # For Drupal >= 7
try_files $uri @rewrite;
}
# Handle private files through Drupal. Private file's path can come
# with a language prefix.
location ~ ^(/[a-z\-]+)?/system/files/ { # For Drupal >= 7
try_files $uri /index.php?$query_string;
}
}
location = /favicon.ico { access_log off; log_not_found off; }
# website should not be displayed inside a <frame>, an <iframe> or an <object>
add_header X-Frame-Options SAMEORIGIN;
}

3
assets/drupal-ssl.nginxconf
View File

@ -2,7 +2,6 @@
# https://www.howtoforge.com/tutorial/install-letsencrypt-and-secure-nginx-in-debian-9/ # https://www.howtoforge.com/tutorial/install-letsencrypt-and-secure-nginx-in-debian-9/
server { server {
listen 80; listen 80;
listen [::]:80;
server_name DOMAIN.LTD; server_name DOMAIN.LTD;
return 301 https://$server_name$request_uri; return 301 https://$server_name$request_uri;
} }
@ -116,7 +115,7 @@ server {
fastcgi_intercept_errors on; fastcgi_intercept_errors on;
# fastcgi_buffer_size 16k; # fastcgi_buffer_size 16k;
# fastcgi_buffers 4 16k; # fastcgi_buffers 4 16k;
fastcgi_pass unix:/run/php/php8.1-fpm.sock; fastcgi_pass unix:/run/php/php7.0-fpm.sock;
} }
# Fighting with Styles? This little gem is amazing. # Fighting with Styles? This little gem is amazing.
# location ~ ^/sites/.*/files/imagecache/ { # For Drupal <= 6 # location ~ ^/sites/.*/files/imagecache/ { # For Drupal <= 6

195
assets/drupal.nginxconf
View File

@ -1,118 +1,117 @@
# https://www.nginx.com/resources/wiki/start/topics/recipes/drupal/ # https://www.nginx.com/resources/wiki/start/topics/recipes/drupal/
server { server {
listen 80; listen 80;
listen [::]:80; server_name DOMAIN.LTD;
server_name DOMAIN.LTD; root /var/www/DOMAIN.LTD/public_html;
root /var/www/DOMAIN.LTD/public_html;
charset utf-8; charset utf-8;
location = /favicon.ico { location = /favicon.ico {
access_log off; access_log off;
log_not_found off; log_not_found off;
} }
location = /robots.txt { location = /robots.txt {
allow all;
access_log off;
log_not_found off;
}
location ~ \..*/.*\.php$ {
return 403;
}
location ~ ^/sites/.*/private/ {
return 403;
}
# Block access to scripts in site files directory
location ~ ^/sites/[^/]+/files/.*\.php$ {
deny all;
}
# Allow "Well-Known URIs" as per RFC 5785
location ~* ^/.well-known/ {
allow all; allow all;
} access_log off;
log_not_found off;
}
# Block access to "hidden" files and directories whose names begin with a location ~ \..*/.*\.php$ {
# period. This includes directories used by version control systems such return 403;
# as Subversion or Git to store control files. }
location ~ (^|/)\. {
return 403;
}
location / { location ~ ^/sites/.*/private/ {
# try_files $uri @rewrite; # For Drupal <= 6 return 403;
try_files $uri /index.php?$query_string; # For Drupal >= 7 }
}
location @rewrite { # Block access to scripts in site files directory
rewrite ^/(.*)$ /index.php?q=$1; location ~ ^/sites/[^/]+/files/.*\.php$ {
} deny all;
}
# Don't allow direct access to PHP files in the vendor directory. # Allow "Well-Known URIs" as per RFC 5785
location ~ /vendor/.*\.php$ { location ~* ^/.well-known/ {
deny all; allow all;
return 404; }
}
location ~ /\.ht { # Block access to "hidden" files and directories whose names begin with a
deny all; # period. This includes directories used by version control systems such
} # as Subversion or Git to store control files.
location ~ (^|/)\. {
return 403;
}
access_log on; location / {
error_log /var/www/DOMAIN.LTD/log/error.log; # try_files $uri @rewrite; # For Drupal <= 6
try_files $uri /index.php?$query_string; # For Drupal >= 7
}
sendfile off; location @rewrite {
rewrite ^/(.*)$ /index.php?q=$1;
}
client_max_body_size 100m; # Don't allow direct access to PHP files in the vendor directory.
location ~ /vendor/.*\.php$ {
deny all;
return 404;
}
# In Drupal 8, we must also match new paths where the '.php' appears in location ~ /\.ht {
# the middle, such as update.php/selection. The rule we use is strict, deny all;
# and only allows this pattern with the update.php front controller. }
# This allows legacy path aliases in the form of
# blog/index.php/legacy-path to continue to route to Drupal nodes. If
# you do not have any paths like that, then you might prefer to use a
# laxer rule, such as:
# location ~ \.php(/|$) {
# The laxer rule will continue to work if Drupal uses this new URL
# pattern with front controllers other than update.php in a future
# release.
location ~ '\.php$|^/update.php' {
# fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
include fastcgi_params;
# Block httpoxy attacks. See https://httpoxy.org/.
fastcgi_param HTTP_PROXY "";
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param QUERY_STRING $query_string;
fastcgi_intercept_errors on;
# fastcgi_buffer_size 16k;
# fastcgi_buffers 4 16k;
fastcgi_pass unix:/run/php/php8.2-fpm.sock;
}
# Fighting with Styles? This little gem is amazing.
# location ~ ^/sites/.*/files/imagecache/ { # For Drupal <= 6
location ~ ^/sites/.*/files/styles/ { # For Drupal >= 7
try_files $uri @rewrite;
}
# Handle private files through Drupal. Private file's path can come access_log on;
# with a language prefix. error_log /var/www/DOMAIN.LTD/log/error.log;
location ~ ^(/[a-z\-]+)?/system/files/ { # For Drupal >= 7
try_files $uri /index.php?$query_string;
}
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ { sendfile off;
try_files $uri @rewrite;
expires max; client_max_body_size 100m;
log_not_found off;
} # In Drupal 8, we must also match new paths where the '.php' appears in
# the middle, such as update.php/selection. The rule we use is strict,
# and only allows this pattern with the update.php front controller.
# This allows legacy path aliases in the form of
# blog/index.php/legacy-path to continue to route to Drupal nodes. If
# you do not have any paths like that, then you might prefer to use a
# laxer rule, such as:
# location ~ \.php(/|$) {
# The laxer rule will continue to work if Drupal uses this new URL
# pattern with front controllers other than update.php in a future
# release.
location ~ '\.php$|^/update.php' {
# fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
include fastcgi_params;
# Block httpoxy attacks. See https://httpoxy.org/.
fastcgi_param HTTP_PROXY "";
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param QUERY_STRING $query_string;
fastcgi_intercept_errors on;
# fastcgi_buffer_size 16k;
# fastcgi_buffers 4 16k;
fastcgi_pass unix:/run/php/php7.0-fpm.sock;
}
# Fighting with Styles? This little gem is amazing.
# location ~ ^/sites/.*/files/imagecache/ { # For Drupal <= 6
location ~ ^/sites/.*/files/styles/ { # For Drupal >= 7
try_files $uri @rewrite;
}
# Handle private files through Drupal. Private file's path can come
# with a language prefix.
location ~ ^(/[a-z\-]+)?/system/files/ { # For Drupal >= 7
try_files $uri /index.php?$query_string;
}
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
try_files $uri @rewrite;
expires max;
log_not_found off;
}
# website should not be displayed inside a <frame>, an <iframe> or an <object> # website should not be displayed inside a <frame>, an <iframe> or an <object>
add_header X-Frame-Options SAMEORIGIN; add_header X-Frame-Options SAMEORIGIN;
} }

5
assets/fail2ban/filter.d/nginx-badbots.conf
View File

@ -1,5 +0,0 @@
[Definition]
failregex = FastCGI sent in stderr: "Primary script unknown" .*, client: <HOST>, server: .*
ignoreregex =

7
assets/fail2ban/jail.d/nginx-badbots.conf
View File

@ -1,7 +0,0 @@
[nginx-badbots]
enabled = true
port = http,https
filter = <FILTER>
logpath = <LOGPATH>
maxretry = 2

2
assets/knockd.conf
View File

@ -18,7 +18,7 @@
[SSH] [SSH]
sequence = 7000,8000,9000 sequence = 7000,8000,9000
seq_timeout = 5 seq_timeout = 5
# do not limit port 22 to the ip as it don't work with 4G connection # TODO do not limit port 22 to the ip as it don't work with 4G connection
# start_command = ufw insert 1 allow from %IP% to any port 22 # start_command = ufw insert 1 allow from %IP% to any port 22
start_command = ufw allow ssh start_command = ufw allow ssh
tcpflags = syn tcpflags = syn

31
assets/nginx-phpmyadmin.conf
View File

@ -1,31 +0,0 @@
server {
listen 80;
location /phpmyadmin {
# server_name phpmyadmin.idroot.net;
root /var/www/phpmyadmin;
index index.php;
## Images and static content is treated different
location ~* ^.+.(jpg|jpeg|gif|css|png|js|ico|xml)$ {
access_log off;
expires 30d;
}
location ~ /\.ht {
deny all;
}
location ~ /(libraries|setup/frames|setup/libs) {
deny all;
return 404;
}
location ~ \.php$ {
fastcgi_pass unix:/run/php/php8.2-fpm.sock;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}
}
}

59
assets/pgsqlbackup.sh
View File

@ -1,59 +0,0 @@
#!/bin/bash
# Simple script to backup postgresql databases
# Parent backup directory
backup_parent_dir="/var/backups/postgresql"
# PostgreSQL settings
pg_host="HOST"
pg_port="PORT"
pg_user="USER"
pg_password="PASSWD"
# Check MySQL password
# echo exit | mysql --user=${mysql_user} --password=${mysql_password} -B 2>/dev/null
# if [ "$?" -gt 0 ]; then
# echo "MySQL ${mysql_user} password incorrect"
# exit 1
# else
# echo "MySQL ${mysql_user} password correct."
# fi
# Create backup directory and set permissions
backup_date=`date +%Y_%m_%d_%H_%M`
backup_dir="${backup_parent_dir}/${backup_date}"
echo "Backup directory: ${backup_dir}"
mkdir -p "${backup_dir}"
chmod 644 "${backup_dir}"
# Get postgresql databases
pgsql_databases=`psql "host=$pg_host port=$pg_port user=$pg_user password=$pg_password" -At -c "select datname from pg_database where not datistemplate and datallowconn;"`
# Backup and compress each database
for database in $pgsql_databases
do
echo "Creating backup of \"${database}\" database"
# mysqldump ${additional_mysqldump_params} --user=${mysql_user} --password=${mysql_password} ${database} | gzip > "${backup_dir}/${database}.sql.gz"
# chmod 644 "${backup_dir}/${database}.sql.gz"
set -o pipefail
# if ! pg_dump -Fp -h "$pg_host" -U "$pg_user" "$database" | gzip > $backup_dir"/$database".sql.gz.in_progress; then
# if ! pg_dump -Fp "host=$pg_host port=$pg_port user=$pg_user password=$pg_password" "$database" | gzip > $backup_dir"/$database".sql.gz.in_progress; then
if ! pg_dump -Fp --dbname="postgresql://$pg_user:$pg_password@$pg_host:$pg_port/$database" | gzip > $backup_dir"/$database".sql.gz.in_progress; then
echo "[!!ERROR!!] Failed to produce plain backup database $database" 1>&2
else
mv $backup_dir"/$database".sql.gz.in_progress $backup_dir"/$database".sql.gz
fi
set +o pipefail
done
# compress the folder
# tar -zcvf "${backup_dir}.tar.gz" "${backup_dir}"
# rm -rf "${backup_dir}"
# Rotate backups
# Delete files older than 30 days
find $backup_parent_dir/ -type f -mtime +60 -delete;
# Delete empty directories
find $backup_parent_dir/ -type d -empty -delete;

0
assets/php7.3-fpm.ini → assets/php-fpm.ini
View File

1920
assets/php7.4-fpm.ini
View File

File diff suppressed because it is too large Load Diff

1920
assets/php8.1-fpm.ini
View File

File diff suppressed because it is too large Load Diff

1920
assets/php8.2-fpm.ini
View File

File diff suppressed because it is too large Load Diff

3
assets/simple-phpfpm-ssl.nginxconf
View File

@ -2,7 +2,6 @@
server { server {
listen 80; listen 80;
listen [::]:80;
server_name DOMAIN.LTD; server_name DOMAIN.LTD;
return 301 https://$server_name$request_uri; return 301 https://$server_name$request_uri;
} }
@ -48,7 +47,7 @@ server {
location ~ \.php$ { location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/run/php/php8.1-fpm.sock; fastcgi_pass unix:/run/php/php7.0-fpm.sock;
fastcgi_index index.php; fastcgi_index index.php;
include fastcgi_params; include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

3
assets/simple-phpfpm.nginxconf
View File

@ -1,6 +1,5 @@
server { server {
listen 80; listen 80;
listen [::]:80;
server_name DOMAIN.LTD; server_name DOMAIN.LTD;
root /var/www/DOMAIN.LTD/public_html; root /var/www/DOMAIN.LTD/public_html;
@ -24,7 +23,7 @@ server {
location ~ \.php$ { location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/run/php/php8.1-fpm.sock; fastcgi_pass unix:/run/php/php7.0-fpm.sock;
fastcgi_index index.php; fastcgi_index index.php;
include fastcgi_params; include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

2
assets/urbackup.service
View File

@ -5,7 +5,7 @@ ConditionPathExists=/usr/local/sbin/urbackupclientbackend
[Service] [Service]
Type=forking Type=forking
ExecStart=/usr/local/sbin/urbackupclientbackend -d ExecStart=/usr/local/sbin/urbackupclientbackend -d
PIDFile = /run/urbackup_srv.pid PIDFile = /var/run/urbackup_srv.pid
TimeoutSec=0 TimeoutSec=0
[Install] [Install]

8
assets/webhook-deploy.sh
View File

@ -1,8 +0,0 @@
#!/bin/bash
# update bare repos
echo "Updating bare repos"
su -c "git --git-dir=git-repositories/DOMAIN.git fetch origin prod:prod" USER
# deploy prod
cd www/DOMAIN/
su -c "./deploy.sh" USER

10
assets/webhook.service
View File

@ -1,10 +0,0 @@
[Unit]
Description=Small server for creating HTTP endpoints (hooks)
Documentation=https://github.com/adnanh/webhook/
[Service]
ExecStart=webhook -hooks /etc/webhooks.conf -verbose -nopanic -hotreload
Restart=always
[Install]
WantedBy=multi-user.target

11
assets/webhook/etc/systemd/system/webhook.service
View File

@ -1,11 +0,0 @@
[Unit]
Description=Small server for creating HTTP endpoints (hooks)
Documentation=https://github.com/adnanh/webhook/
[Service]
ExecStart=webhook -hooks /etc/webhooks.conf -verbose -nopanic -hotreload
Restart=always
[Install]
WantedBy=multi-user.target

3
assets/webhook/etc/webhook.conf
View File

@ -1,3 +0,0 @@
- id: deploy-app-enfrancais
execute-command: "/root/deploy-app-enfrancais-hook.sh"
command-working-directory: "/home/appdev/"

9
assets/webhook/root/deploy-app-hook.sh
View File

@ -1,9 +0,0 @@
#!/bin/sh
# $cwd is defined in webhook conf
# update bare repos
git --git-dir=git-repositories/app.enfrancais.fr.git fetch origin prod:prod
# deploy prod
cd www/enfrancais.fr/app
./deploy.sh

1
assets/zabbix/userparameter_linux_name_version.conf
View File

@ -1 +0,0 @@
UserParameter=linux.system.name.version,(lsb_release -d > dev/null 2>&1) && lsb_release -d || (cat /etc/centos-release > /dev/null > /dev/null 2>&1 && cat /etc/centos-release || cat /etc/redhat-release)

14
bin/_addUserSite.sh
View File

@ -4,14 +4,14 @@
# TODO check if root # TODO check if root
echo -e '\033[35m echo '\033[35m
__ _______ __________ __ _______ __________
/ / / / ___// ____/ __ \ / / / / ___// ____/ __ \
/ / / /\__ \/ __/ / /_/ / / / / /\__ \/ __/ / /_/ /
/ /_/ /___/ / /___/ _, _/ / /_/ /___/ / /___/ _, _/
\____//____/_____/_/ |_| \____//____/_____/_/ |_|
\033[0m' \033[0m'
echo -e "\033[35;1mCreate new user (you will be asked a user name and a password) \033[0m" echo "\033[35;1mCreate new user (you will be asked a user name and a password) \033[0m"
sleep 3 sleep 3
while [ "$user" = "" ] while [ "$user" = "" ]
do do
@ -34,14 +34,14 @@ mkdir /home/$user/backups
chmod -w /home/"$user" chmod -w /home/"$user"
echo -e '\033[35m echo '\033[35m
__ __ __ __
_ __/ /_ ____ _____/ /_ _ __/ /_ ____ _____/ /_
| | / / __ \/ __ \/ ___/ __/ | | / / __ \/ __ \/ ___/ __/
| |/ / / / / /_/ (__ ) /_ | |/ / / / / /_/ (__ ) /_
|___/_/ /_/\____/____/\__/ |___/_/ /_/\____/____/\__/
\033[0m' \033[0m'
echo -e "\033[35;1mVHOST install \033[0m" echo "\033[35;1mVHOST install \033[0m"
while [ "$_host_name" = "" ] while [ "$_host_name" = "" ]
do do
@ -75,12 +75,12 @@ ln -s /home/"$user"/logs /var/www/"$_host_name"/logs
# a2ensite "$_host_name".conf # a2ensite "$_host_name".conf
#restart apache #restart apache
# service apache2 restart # service apache2 restart
echo -e "\033[92;1mvhost $_host_name configured\033[Om" echo "\033[92;1mvhost $_host_name configured\033[Om"
# todo add mysql user and database # todo add mysql user and database
echo -e '\033[35m echo '\033[35m
__ ___ __ __ ___ __
/ |/ /_ ___________ _/ / / |/ /_ ___________ _/ /
/ /|_/ / / / / ___/ __ `/ / / /|_/ / / / / ___/ __ `/ /
@ -88,7 +88,7 @@ echo -e '\033[35m
/_/ /_/\__, /____/\__, /_/ /_/ /_/\__, /____/\__, /_/
/____/ /_/ /____/ /_/
\033[0m' \033[0m'
echo -e "\033[35;1mMysql database \033[0m" echo "\033[35;1mMysql database \033[0m"
while [ "$_dbname" = "" ] while [ "$_dbname" = "" ]
do do

8
bin/autoupdate.sh
View File

@ -1,6 +1,6 @@
#!/bin/sh #!/bin/sh
echo -e '\033[35m echo '\033[35m
___ __ __ __ __ __ ___ __ __ __ __ __
/ | __ __/ /_____ / / / /___ ____/ /___ _/ /____ / | __ __/ /_____ / / / /___ ____/ /___ _/ /____
/ /| |/ / / / __/ __ \ / / / / __ \/ __ / __ `/ __/ _ \ / /| |/ / / / __/ __ \ / / / / __ \/ __ / __ `/ __/ _ \
@ -16,8 +16,8 @@ if [ "$EUID" -ne 0 ]; then
exit exit
fi fi
echo -e "\033[35;1mInstalling apticron \033[0m" echo "\033[35;1mInstalling apticron \033[0m"
apt-get --yes install apticron apt-get --yes --force-yes install apticron
sleep 3 sleep 3
echo -n "Enter an email: " echo -n "Enter an email: "
@ -27,4 +27,4 @@ sed -i -r "s/EMAIL=\"root\"/EMAIL=\"$email\"/g" /etc/apticron/apticron.conf
# sed -i -r "s/# DIFF_ONLY=\"1\"/DIFF_ONLY=\"1\"/g" /etc/apticron/apticron.conf # sed -i -r "s/# DIFF_ONLY=\"1\"/DIFF_ONLY=\"1\"/g" /etc/apticron/apticron.conf
sed -i -r "s/# NOTIFY_NEW=\"0\"/NOTIFY_NEW=\"0\"/g" /etc/apticron/apticron.conf sed -i -r "s/# NOTIFY_NEW=\"0\"/NOTIFY_NEW=\"0\"/g" /etc/apticron/apticron.conf
echo -e "\033[92;1mApticron installed and configured\033[0m" echo "\033[92;1mApticron installed and configured\033[0m"

6
bin/dotfiles.sh
View File

@ -1,6 +1,6 @@
#!/bin/sh #!/bin/sh
echo -e '\033[35m echo '\033[35m
____ __ _______ __ ____ __ _______ __
/ __ \____ / /_ / ____(_) /__ _____ / __ \____ / /_ / ____(_) /__ _____
/ / / / __ \/ __/ / /_ / / / _ \/ ___/ / / / / __ \/ __/ / /_ / / / _ \/ ___/
@ -8,7 +8,7 @@ echo -e '\033[35m
/_____/\____/\__/ /_/ /_/_/\___/____/ /_____/\____/\__/ /_/ /_/_/\___/____/
\033[0m' \033[0m'
#installing better prompt and some goodies #installing better prompt and some goodies
echo -e "\033[35;1mInstalling shell prompt for current user $USER \033[0m" echo "\033[35;1mInstalling shell prompt for current user $USER \033[0m"
sleep 2 sleep 2
# get the current position # get the current position
_cwd="$(pwd)" _cwd="$(pwd)"
@ -19,4 +19,4 @@ git clone https://figureslibres.io/gogs/bachir/dotfiles-server.git ~/.dotfiles-s
source ~/.bashrc source ~/.bashrc
# return to working directory # return to working directory
cd "$_cwd" cd "$_cwd"
echo -e "\033[92;1mDot files installed for $USER\033[0m" echo "\033[92;1mDot files installed for $USER\033[0m"

21
bin/email.sh
View File

@ -1,13 +1,13 @@
#!/bin/sh #!/bin/sh
echo -e '\033[35m echo '\033[35m
__ ______ ______ __ ______ ______
/ |/ / | / _/ / / |/ / | / _/ /
/ /|_/ / /| | / // / / /|_/ / /| | / // /
/ / / / ___ |_/ // /___ / / / / ___ |_/ // /___
/_/ /_/_/ |_/___/_____/ /_/ /_/_/ |_/___/_____/
\033[0m' \033[0m'
echo -e "\033[35;1mEnable mail sending for php \033[0m" echo "\033[35;1mEnable mail sending for php \033[0m"
if [ "$EUID" -ne 0 ]; then if [ "$EUID" -ne 0 ]; then
echo "Please run as root" echo "Please run as root"
@ -28,8 +28,8 @@ fi
# http://www.sycha.com/lamp-setup-debian-linux-apache-mysql-php#anchor13 # http://www.sycha.com/lamp-setup-debian-linux-apache-mysql-php#anchor13
sleep 2 sleep 2
apt-get --yes install exim4 apt-get --yes --force-yes install exim4
echo -e "\033[35;1mConfiguring EXIM4 \033[0m" echo "\033[35;1mConfiguring EXIM4 \033[0m"
while [ "$configexim" != "y" ] && [ "$configexim" != "n" ] while [ "$configexim" != "y" ] && [ "$configexim" != "n" ]
do do
echo -n "Should we configure exim4 ? [y|n] " echo -n "Should we configure exim4 ? [y|n] "
@ -48,7 +48,7 @@ systemctl restart exim4
# dkim spf # dkim spf
# https://debian-administration.org/article/718/DKIM-signing_outgoing_mail_with_exim4 # https://debian-administration.org/article/718/DKIM-signing_outgoing_mail_with_exim4
echo -e "\033[35;1mConfiguring DKIM \033[0m" echo "\033[35;1mConfiguring DKIM \033[0m"
while [ "$installdkim" != "y" ] && [ "$installdkim" != "n" ] while [ "$installdkim" != "y" ] && [ "$installdkim" != "n" ]
do do
echo -n "Should we install dkim for exim4 ? [y|n] " echo -n "Should we install dkim for exim4 ? [y|n] "
@ -60,11 +60,10 @@ if [ "$installdkim" = "y" ]; then
selector=$(date +%Y%m%d) selector=$(date +%Y%m%d)
mkdir /etc/exim4/dkim mkdir /etc/exim4/dkim
# openssl genrsa -out /etc/exim4/dkim/"$domain"-private.pem 1024 -outform PEM openssl genrsa -out /etc/exim4/dkim/"$domain"-private.pem 1024 -outform PEM
openssl genrsa -out /etc/exim4/dkim/"$domain"-private.key 1024 openssl rsa -in /etc/exim4/dkim/"$domain"-private.pem -out /etc/exim4/dkim/"$domain".pem -pubout -outform PEM
openssl rsa -in /etc/exim4/dkim/"$domain"-private.key -out /etc/exim4/dkim/"$domain".pub -pubout chown root:Debian-exim /etc/exim4/dkim/"$domain"-private.pem
chown root:Debian-exim /etc/exim4/dkim/"$domain"-private.key chmod 440 /etc/exim4/dkim/"$domain"-private.pem
chmod 440 /etc/exim4/dkim/"$domain"-private.key
cp "$_assets"/exim4_dkim.conf /etc/exim4/conf.d/main/00_local_macros cp "$_assets"/exim4_dkim.conf /etc/exim4/conf.d/main/00_local_macros
sed -i -r "s/DOMAIN_TO_CHANGE/$domain/g" /etc/exim4/conf.d/main/00_local_macros sed -i -r "s/DOMAIN_TO_CHANGE/$domain/g" /etc/exim4/conf.d/main/00_local_macros
@ -74,7 +73,7 @@ if [ "$installdkim" = "y" ]; then
systemctl restart exim4 systemctl restart exim4
echo "please create a TXT entry in your dns zone : $selector._domainkey.$domain \n" echo "please create a TXT entry in your dns zone : $selector._domainkey.$domain \n"
echo "your public key is : \n" echo "your public key is : \n"
cat /etc/exim4/dkim/"$domain".pub cat /etc/exim4/dkim/"$domain".pem
echo "press any key to continue." echo "press any key to continue."
read continu read continu
else else

2
bin/fail2ban.sh
View File

@ -17,7 +17,7 @@ if [ "$EUID" -ne 0 ]; then
fi fi
sleep 2 sleep 2
apt-get --yes install fail2ban apt-get --yes --force-yes install fail2ban
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
# ToDo ask for email and configure jail.local with it # ToDo ask for email and configure jail.local with it
touch /var/log/auth.log touch /var/log/auth.log

4
bin/firewall.sh
View File

@ -17,8 +17,8 @@ if [ "$EUID" -ne 0 ]; then
fi fi
sleep 2 sleep 2
apt-get --yes install ufw apt-get --yes --force-yes install ufw
ufw allow ssh # ufw allow ssh # knockd will open the ssh port
ufw allow http ufw allow http
ufw allow https ufw allow https

4
bin/ftp.sh
View File

@ -1,7 +1,7 @@
#!/bin/sh #!/bin/sh
echo -e '\033[35m echo '\033[35m
______ _______ _____ ______ _______ _____
| ____|__ __| __ \ | ____|__ __| __ \
| |__ | | | |__) | | |__ | | | |__) |
@ -28,7 +28,7 @@ if [ ! -d "$_assets" ]; then
fi fi
echo "installing proftpd" echo "installing proftpd"
apt-get --yes install proftpd apt-get --yes --force-yes install proftpd
while [ "$_server_name" = "" ] while [ "$_server_name" = "" ]
do do
read -p "enter a server name ? " _server_name read -p "enter a server name ? " _server_name

8
bin/gitbarrerepos.sh
View File

@ -51,7 +51,7 @@ if [ "$vh" = "yes" ]; then
user="" user=""
fi fi
else else
echo "user $user doesn't exists, you must provide an existing user" echo -e "user $user doesn't exists, you must provide an existing user"
user="" user=""
fi fi
fi fi
@ -112,11 +112,11 @@ if [ "$vh" = "yes" ]; then
# setup git repo on site folder # setup git repo on site folder
cd /home/"$user"/www/"$_domain"/public_html cd /home/"$user"/www/"$_domain"/public_html
su -c "git init" $user git init
# link to the bare repo # link to the bare repo
su -c "git remote add origin /home/$user/git-repositories/$_domain.git" $user git remote add origin /home/"$user"/git-repositories/"$_domain".git
chown -R "$user":"$user" /home/"$user"/www/"$_domain"
chown -R "$user":"$user" /home/"$user"/www/"$_domain"/public_html
cd "$_cwd" cd "$_cwd"
# done # done

2
bin/knockd.sh
View File

@ -29,7 +29,7 @@ if [ ! -d "$_assets" ]; then
fi fi
sleep 2 sleep 2
apt-get --yes install knockd apt-get --yes --force-yes install knockd
mv /etc/knockd.conf /etc/knockd.conf.ori mv /etc/knockd.conf /etc/knockd.conf.ori
cp "$_assets"/knockd.conf /etc/knockd.conf cp "$_assets"/knockd.conf /etc/knockd.conf

280
bin/lemp.sh
View File

@ -11,7 +11,7 @@ echo -e '\033[35m
echo -e "\033[35;1mLEMP server (Nginx Mysql Php-fpm) \033[0m" echo -e "\033[35;1mLEMP server (Nginx Mysql Php-fpm) \033[0m"
if [ "$EUID" -ne 0 ]; then if [ "$EUID" -ne 0 ]; then
echo "Please run as root" echo -e "Please run as root"
exit exit
fi fi
@ -29,6 +29,25 @@ fi
sleep 2 sleep 2
echo -e '\033[35m
__ ___ __
/ |/ /_ ___________ _/ /
/ /|_/ / / / / ___/ __ `/ /
/ / / / /_/ (__ ) /_/ / /
/_/ /_/\__, /____/\__, /_/
/____/ /_/
\033[0m'
echo -e "\033[35;1minstalling Mysql \033[0m"
sleep 3
apt-get --yes --force-yes install mariadb-server
mysql_secure_installation
cp "$_assets"/mysql/innodb-file-per-table.cnf /etc/mysql/conf.d/
systemctl enable mariadb.service
systemctl restart mariadb.service
echo -e "\033[92;1mmysql installed\033[Om"
echo -e '\033[35m echo -e '\033[35m
____ __ ______ ____ __ ______
/ __ \/ / / / __ \ / __ \/ / / / __ \
@ -36,50 +55,25 @@ echo -e '\033[35m
/ ____/ __ / ____/ / ____/ __ / ____/
/_/ /_/ /_/_/ /_/ /_/ /_/_/
\033[0m' \033[0m'
echo -e "\033[35;1mInstalling PHP 7.0 \033[0m"
echo -e "\033[35;1mInstalling SURY \033[0m"
sleep 3 sleep 3
apt-get --yes --force-yes install php7.0-fpm php7.0-mysql php7.0-opcache php7.0-curl php7.0-mbstring php7.0-zip php7.0-xml php7.0-gd php7.0-mcrypt php-memcached php7.0-imagick
apt-get --yes install ca-certificates apt-transport-https software-properties-common curl lsb-release mv /etc/php/7.0/fpm/php.ini /etc/php/7.0/fpm/php.ini.back
curl -sSL https://packages.sury.org/php/README.txt | bash -x cp "$_assets"/php-fpm.ini /etc/php/7.0/fpm/php.ini
apt-get update && apt-get upgrade
echo -e "\033[35;1mInstalling PHP \033[0m" echo -e "Configuring PHP"
sleep 3
# mv: cannot stat '/etc/php/7.0/fpm/php.ini': No such file or directory
# cp: cannot create regular file '/etc/php/7.0/fpm/php.ini': No such file or directory
# Configuring PHP
# Failed to enable unit: Unit file php7.0-fpm.service does not exist.
# Failed to start php7.0-fpm.service: Unit php7.0-fpm.service not found.
# apt-get --yes install php7.4-fpm php7.4-mysql php7.4-opcache php7.4-curl php7.4-mbstring php7.4-zip php7.4-xml php7.4-gd php-memcached php7.4-imagick php7.4-apcu
# php7.4-mcrypt ??
apt-get --yes install php8.1-fpm php8.1-mysql php8.1-opcache php8.1-curl php8.1-mbstring php8.1-zip php8.1-xml php8.1-gd php8.1-memcached php8.1-imagick php8.1-apcu php8.1-redis php8.1-bz2 php8.1-bcmath
# apt-get --yes install php8.2-fpm php8.2-mysql php8.2-opcache php8.2-curl php8.2-mbstring php8.2-zip php8.2-xml php8.2-gd php-memcached php8.2-imagick php8.2-apcu php8.2-redis php8.2-bz2 php8.2-bcmath
# apt-get --yes install php8.3-fpm php8.3-mysql php8.3-opcache php8.3-curl php8.3-mbstring php8.3-zip php8.3-xml php8.3-gd php8.3-memcached php8.3-imagick php8.3-apcu php8.3-redis php8.3-bz2 php8.3-bcmath
mv /etc/php/8.1/fpm/php.ini /etc/php/8.1/fpm/php.ini.back
cp "$_assets"/php8.1-fpm.ini /etc/php/8.1/fpm/php.ini
echo "Configuring PHP"
mkdir /var/log/php mkdir /var/log/php
chown www-data /var/log/php chown www-data /var/log/php
cp "$_assets"/logrotate-php /etc/logrotate.d/php cp "$_assets"/logrotate-php /etc/logrotate.d/php
systemctl enable php8.1-fpm systemctl enable php7.0-fpm
systemctl start php8.1-fpm systemctl start php7.0-fpm
# echo "Installing memecached" # echo -e "Installing memecached"
# replaced by redis # replaced by redis
# apt-get --yes install memcached # apt-get --yes --force-yes install memcached
# sed -i "s/-m\s64/-m 128/g" /etc/memcached.conf # sed -i "s/-m\s64/-m 128/g" /etc/memcached.conf
# #
# systemctl start memcached # systemctl start memcached
@ -96,7 +90,7 @@ echo -e '\033[35m
\033[0m' \033[0m'
echo -e "\033[35;1mInstalling Nginx \033[0m" echo -e "\033[35;1mInstalling Nginx \033[0m"
sleep 3 sleep 3
apt-get --yes install nginx apt-get --yes --force-yes install nginx
mv /etc/nginx/sites-available/default /etc/nginx/sites-available/default.ori mv /etc/nginx/sites-available/default /etc/nginx/sites-available/default.ori
cp "$_assets"/default.nginxconf /etc/nginx/sites-available/default cp "$_assets"/default.nginxconf /etc/nginx/sites-available/default
@ -104,80 +98,29 @@ systemctl enable nginx
systemctl restart nginx systemctl restart nginx
echo -e "\033[92;1mNginx installed\033[Om" echo -e "\033[92;1mNginx installed\033[Om"
echo -e '\033[35m
__ __ ___ ___ __ _
____ / /_ ____ / |/ /_ __/ | ____/ /___ ___ (_)___
/ __ \/ __ \/ __ \/ /|_/ / / / / /| |/ __ / __ `__ \/ / __ \
/ /_/ / / / / /_/ / / / / /_/ / ___ / /_/ / / / / / / / / / /
/ .___/_/ /_/ .___/_/ /_/\__, /_/ |_\__,_/_/ /_/ /_/_/_/ /_/
/_/ /_/ /____/
\033[0m'
echo -e "\033[35;1mInstalling phpMyAdmin \033[0m"
apt-get --yes --force-yes install phpmyadmin
ln -s /usr/share/phpmyadmin /var/www/html/
cp "$_assets"/nginx-phpmyadmin.conf > /etc/nginx/sites-available/phpmyadmin.conf
ln -s /etc/nginx/sites-available/phpmyadmin.conf /etc/nginx/sites-enabled/phpmyadmin.conf
# echo -e "\033[35;1msecuring phpMyAdmin \033[0m"
while [ "$installmysql" != "yes" ] && [ "$installmysql" != "no" ] # sed -i "s/DirectoryIndex index.php/DirectoryIndex index.php\nAllowOverride all/"
do # cp "$_assets"/phpmyadmin_htaccess > /usr/share/phpmyadmin/.htaccess
echo -n "install mysql? [yes|no] " # echo -n "define a user name for phpmyadmin : "
read installmysql # read un
# installmysql=${installmysql:-y} # htpasswd -c /etc/phpmyadmin/.htpasswd $un
done # service apache2 restart
if [ "$installmysql" = "yes" ]; then echo -e "\033[92;1mphpMyAdmin installed\033[Om"
echo -e "\033[92;1mYou can access it at yourip/phpmyadmin\033[Om"
echo -e '\033[35m
__ ___ __
/ |/ /_ ___________ _/ /
/ /|_/ / / / / ___/ __ `/ /
/ / / / /_/ (__ ) /_/ / /
/_/ /_/\__, /____/\__, /_/
/____/ /_/
\033[0m'
echo -e "\033[35;1minstalling Mysql \033[0m"
sleep 3
apt-get --yes install mariadb-server
mysql_secure_installation
cp "$_assets"/mysql/innodb-file-per-table.cnf /etc/mysql/conf.d/
# you may increase memory
# innodb_buffer_pool_size = 1024M
systemctl enable mariadb.service
systemctl restart mariadb.service
echo -e "\033[92;1mmysql installed\033[Om"
echo -e '\033[35m
__ __ ___ ___ __ _
____ / /_ ____ / |/ /_ __/ | ____/ /___ ___ (_)___
/ __ \/ __ \/ __ \/ /|_/ / / / / /| |/ __ / __ `__ \/ / __ \
/ /_/ / / / / /_/ / / / / /_/ / ___ / /_/ / / / / / / / / / /
/ .___/_/ /_/ .___/_/ /_/\__, /_/ |_\__,_/_/ /_/ /_/_/_/ /_/
/_/ /_/ /____/
\033[0m'
echo -e "\033[35;1mInstalling phpMyAdmin \033[0m"
##### Building dependency tree
##### Reading state information... Done
##### Package phpmyadmin is not available, but is referred to by another package.
##### This may mean that the package is missing, has been obsoleted, or
##### is only available from another source
#####
##### E: Package 'phpmyadmin' has no installation candidate
##### cp: missing destination file operand after '/root/debian-web-server/assets/nginx-phpmyadmin.conf'
##### Try 'cp --help' for more information.
# TODO no pma package available :(
apt-get --yes install phpmyadmin
ln -s /usr/share/phpmyadmin /var/www/html/
cp "$_assets"/nginx-phpmyadmin.conf /etc/nginx/sites-available/phpmyadmin.conf
echo -e "\033[92;1mphpMyAdmin installed\033[Om"
echo -e "\033[92;1mYou can access it at yourip/phpmyadmin\033[Om"
# install from source
# apt-get --yes install php-{mbstring,zip,gd,xml,pear,gettext,cgi}
# cd /var/www/html/
# wget https://www.phpmyadmin.net/downloads/phpMyAdmin-latest-all-languages.zip
# unzip phpMyAdmin-latest-all-languages.zip
# mv phpMyAdmin-*-all-languages pma
# rm phpMyAdmin-latest-all-languages.zip
# # cp "$_assets"/nginx-phpmyadmin.conf > /etc/nginx/sites-available/phpmyadmin.conf
# # ln -s /etc/nginx/sites-available/phpmyadmin.conf /etc/nginx/sites-enabled/phpmyadmin.conf
# echo -e "\033[92;1mphpMyAdmin installed\033[Om"
# echo -e "\033[92;1mYou can access it at yourip/pma\033[Om"
fi
echo -e '\033[35m echo -e '\033[35m
____ ___ ____ ___
@ -188,21 +131,16 @@ echo -e '\033[35m
\033[0m' \033[0m'
echo -e "\033[35;1mInstalling Redis \033[0m" echo -e "\033[35;1mInstalling Redis \033[0m"
sleep 3 sleep 3
apt-get --yes install redis-server php8.1-redis apt-get --yes --force-yes install redis-server php-redis
# TODO set maxmemory=2gb # TODO set maxmemory=2gb
# TODO set maxmemory-policy=volatile-lru # TODO set maxmemory-policy=volatile-lru
# TODO comment all save line # TODO comment all save line
# WARNING: The TCP backlog setting of 511 cannot be enforced because /proc/sys/net/core/somaxconn is set to the lower value of 128.
# WARNING overcommit_memory is set to 0! Background save may fail under low memory condition. To fix this issue add 'vm.overcommit_memory = 1' to /etc/sysctl.conf and then reboot or run the command 'sysctl vm.overcommit_memory=1' for this to take effect.
# WARNING you have Transparent Huge Pages (THP) support enabled in your kernel. This will create latency and memory usage issues with Redis. To fix this issue run the command 'echo never > /sys/kernel/mm/transparent_hugepage/enabled' as root, and add it to your /etc/rc.local in order to retain the setting after a reboot. Redis must be restarted after THP is disabled.
# https://blog.opstree.com/2019/04/16/redis-best-practices-and-performance-tuning/
systemctl enable redis-server systemctl enable redis-server
systemctl restart redis-server systemctl restart redis-server
systemctl restart php8.1-fpm systemctl restart php7.0-fpm
echo -e "\033[92;1mRedis installed\033[Om" echo -e "\033[92;1mRedis installed\033[Om"
echo -e '\033[35m echo -e '\033[35m
@ -228,9 +166,111 @@ echo -e '\033[35m
/ /_/ / / / /_/ (__ ) / / / / /_/ / / / /_/ (__ ) / / /
/_____/_/ \__,_/____/_/ /_/ /_____/_/ \__,_/____/_/ /_/
\033[0m' \033[0m'
echo -e "\033[35;1mInstalling Drush\033[0m" echo -e "\033[35;1mInstalling Drush and DrupalConsole\033[0m"
sleep 3 sleep 3
# curl https://github.com/drush-ops/drush-launcher/releases/download/0.6.0/drush.phar -L -o /usr/local/bin/drush curl https://drupalconsole.com/installer -L -o /usr/local/bin/drupal
wget -O /usr/local/bin/drush https://github.com/drush-ops/drush-launcher/releases/latest/download/drush.phar chmod +x /usr/local/bin/drupal
curl https://github.com/drush-ops/drush-launcher/releases/download/0.6.0/drush.phar -L -o /usr/local/bin/drush
chmod +x /usr/local/bin/drush chmod +x /usr/local/bin/drush
echo -e "\033[92;1mDrush\033[Om" echo -e "\033[92;1mDrush and DrupalConsoleinstalled\033[Om"
# TODO supervising
# echo -e '\033[35m
# __ ___ _ __ __ __ ___ _
# / |/ /__ ___ (_) /_ _/_/ / |/ /_ _____ (_)__
# / /|_/ / _ \/ _ \/ / __/ _/_/ / /|_/ / // / _ \/ / _ \
# /_/ /_/\___/_//_/_/\__/ /_/ /_/ /_/\_,_/_//_/_/_//_/
# \033[0m'
# echo -e "\033[35;1mInstalling Munin \033[0m"
# sleep 3
# # https://www.howtoforge.com/tutorial/server-monitoring-with-munin-and-monit-on-debian/
# apt-get --yes --force-yes install munin munin-node munin-plugins-extra
# # Configure Munin
# # enable plugins
# ln -s /usr/share/munin/plugins/mysql_ /etc/munin/plugins/mysql_
# ln -s /usr/share/munin/plugins/mysql_bytes /etc/munin/plugins/mysql_bytes
# ln -s /usr/share/munin/plugins/mysql_innodb /etc/munin/plugins/mysql_innodb
# ln -s /usr/share/munin/plugins/mysql_isam_space_ /etc/munin/plugins/mysql_isam_space_
# ln -s /usr/share/munin/plugins/mysql_queries /etc/munin/plugins/mysql_queries
# ln -s /usr/share/munin/plugins/mysql_slowqueries /etc/munin/plugins/mysql_slowqueries
# ln -s /usr/share/munin/plugins/mysql_threads /etc/munin/plugins/mysql_threads
#
# ln -s /usr/share/munin/plugins/apache_accesses /etc/munin/plugins/
# ln -s /usr/share/munin/plugins/apache_processes /etc/munin/plugins/
# ln -s /usr/share/munin/plugins/apache_volume /etc/munin/plugins/
#
# # ln -s /usr/share/munin/plugins/fail2ban /etc/munin/plugins/
#
# # dbdir, htmldir, logdir, rundir, and tmpldir
# sed -i 's/^#dbdir/dbdir/' /etc/munin/munin.conf
# sed -i 's/^#htmldir/htmldir/' /etc/munin/munin.conf
# sed -i 's/^#logdir/logdir/' /etc/munin/munin.conf
# sed -i 's/^#rundir/rundir/' /etc/munin/munin.conf
# sed -i 's/^#tmpldir/tmpldir/' /etc/munin/munin.conf
#
# sed -i "s/^\[localhost.localdomain\]/[${HOSTNAME}]/" /etc/munin/munin.conf
#
# # ln -s /etc/munin/apache24.conf /etc/apache2/conf-enabled/munin.conf
# sed -i 's/Require local/Require all granted\nOptions FollowSymLinks SymLinksIfOwnerMatch/g' /etc/munin/apache24.conf
# htpasswd -c /etc/munin/munin-htpasswd admin
# sed -i 's/Require all granted/AuthUserFile \/etc\/munin\/munin-htpasswd\nAuthName "Munin"\nAuthType Basic\nRequire valid-user/g' /etc/munin/apache24.conf
#
#
# service apache2 restart
# service munin-node restart
# echo -e "\033[92;1mMunin installed\033[Om"
#
# echo -e "\033[35;1mInstalling Monit \033[0m"
# sleep 3
# # https://www.howtoforge.com/tutorial/server-monitoring-with-munin-and-monit-on-debian/2/
# apt-get --yes --force-yes install monit
# # TODO setup monit rc
# cat "$_assets"/monitrc > /etc/monit/monitrc
#
# # TODO setup webaccess
# passok=0
# while [ "$passok" = "0" ]
# do
# echo -n "Write web access password to monit"
# read passwda
# echo -n "ReWrite web access password to monit"
# read passwdb
# if [ "$passwda" = "$passwdb" ]; then
# sed -i 's/PASSWD_TO_REPLACE/$passwda/g' /etc/monit/monitrc
# passok=1
# else
# echo -e "pass words don't match, please try again"
# fi
# done
#
# # TODO setup mail settings
# sed -i "s/server1\.example\.com/$HOSTNAME/g" /etc/monit/monitrc
#
# mkdir /var/www/html/monit
# echo -e "hello" > /var/www/html/monit/token
#
# service monit start
#
# echo -e "\033[92;1mMonit installed\033[Om"
# echo -e '\033[35m
# ___ __ __
# / |_ _______/ /_____ _/ /_
# / /| | | /| / / ___/ __/ __ `/ __/
# / ___ | |/ |/ (__ ) /_/ /_/ / /_
# /_/ |_|__/|__/____/\__/\__,_/\__/
# \033[0m'
# echo -e "\033[35;1mInstalling Awstat \033[0m"
# sleep 3
# apt-get --yes --force-yes install awstats
# # Configure AWStats
# temp=`grep -i sitedomain /etc/awstats/awstats.conf.local | wc -l`
# if [ $temp -lt 1 ]; then
# echo SiteDomain="$_domain" >> /etc/awstats/awstats.conf.local
# fi
# # Disable Awstats from executing every 10 minutes. Put a hash in front of any line.
# sed -i 's/^[^#]/#&/' /etc/cron.d/awstats
# echo -e "\033[92;1mAwstat installed\033[Om"

7
bin/misc.sh
View File

@ -15,13 +15,12 @@ if [ "$EUID" -ne 0 ]; then
fi fi
sleep 2 sleep 2
# TODO --force-yes is deprecated, use one of the options starting with --allow instead. apt-get --yes --force-yes install vim curl
apt-get --yes install vim curl
sed -i "s/^# en_GB.UTF-8/en_GB.UTF-8/g" /etc/locale.gen sed -i "s/^# en_GB.UTF-8/en_GB.UTF-8/g" /etc/locale.gen
locale-gen locale-gen
apt-get --yes install ntp apt-get --yes --force-yes install ntp
dpkg-reconfigure tzdata dpkg-reconfigure tzdata
apt-get --yes install tmux etckeeper needrestart htop lynx unzip nfs-common apt-get --yes --force-yes install tmux etckeeper needrestart htop lynx unzip
# TODO cron # TODO cron
# https://askubuntu.com/questions/56683/where-is-the-cron-crontab-log/121560#121560 # https://askubuntu.com/questions/56683/where-is-the-cron-crontab-log/121560#121560

56
bin/mysql-db.sh
View File

@ -1,56 +0,0 @@
#!/bin/sh
echo -e '
_ _ _ _
__| | |__ | | | |___ ___ _ _
/ _` | _ \ | |_| (_-</ -_) _|
\__,_|_.__/ \___//__/\___|_|
'
echo -e "Create new mysql db and user (you will be asked a db name and a password)"
. bin/checkroot.sh
sleep 3
# configure
echo -n "Please provide the mysql root passwd : "
read _root_mysql_passwd
mysql -u root -p$_root_mysql_passwd -e "show databases;"
echo -n "Enter new db name: "
read db_name
while [ "$db_name" = "" ]
do
read -p "enter a db name ? " db_name
if [ "$db_name" != "" ]; then
# TODO check if db already exists
# if id "$db_name" >/dev/null 2>&1; then
# echo "user $db_name alreday exists, you must provide a non existing user name."
# db=""
# else
read -p "is db name $db_name correcte [y|n] " validated
if [ "$validated" = "y" ]; then
break
else
db_name=""
fi
# fi
fi
done
# generate random password for new mysql user
_passwd="$(< /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c16)"
# create new mysql user
mysql -u root -p$_root_mysql_passwd -e "CREATE DATABASE $db_name;"
mysql -u root -p$_root_mysql_passwd -e "CREATE USER '$db_name'@'localhost' IDENTIFIED BY '$_passwd';"
mysql -u root -p$_root_mysql_passwd -e "GRANT ALL ON $db_name.* TO '$db_name'@'localhost';"
mysql -u root -p$_root_mysql_passwd -e "show databases;"
echo "database and user : $db_name installed"
echo " please record your password $_passwd"
echo "press any key to continue."
read continu

2
bin/mysqlbackup.sh
View File

@ -39,4 +39,4 @@ touch /var/spool/cron/crontabs/root
crontab -l > /tmp/mycron crontab -l > /tmp/mycron
echo "30 2 */2 * * /usr/local/bin/mysqlbackup.sh" >> /tmp/mycron echo "30 2 */2 * * /usr/local/bin/mysqlbackup.sh" >> /tmp/mycron
crontab /tmp/mycron crontab /tmp/mycron
rm -f /tmp/mycron rm /tmp/mycron

44
bin/nfs.sh
View File

@ -1,44 +0,0 @@
#!/bin/sh
echo -e '\033[35m
__
_ __ / _|___
| _ \| |_/ __|
| | | | _\__ \
|_| |_|_| |___/
\033[0m'
echo -e "\033[35;1mLEMP server (Nginx Mysql Php-fpm) \033[0m"
apt install nfs-kernel-server
vim /etc/exports
mkdir /home/proxmox-backup
mkdir /home/urbackup
ufw allow from 37.187.134.71 to any port nfs
ufw allow from 37.187.134.71 to any port 111
ufw allow proto udp from 37.187.134.71 to any port 32764:32769
ufw allow proto tcp from 37.187.134.71 to any port 32764:32769
ufw allow from 37.187.93.155 to any port nfs
ufw allow from 37.187.93.155 to any port 111
ufw allow proto udp from 37.187.93.155 to any port 32764:32769
ufw allow proto tcp from 37.187.93.155 to any port 32764:32769
ufw allow from 37.187.128.147 to any port nfs
ufw allow from 37.187.128.147 to any port 111
ufw allow proto udp from 37.187.128.147 to any port 32764:32769
ufw allow proto tcp from 37.187.128.147 to any port 32764:32769
ufw allow from 94.23.8.104 to any port nfs
ufw allow from 94.23.8.104 to any port 111
ufw allow proto udp from 94.23.8.104 to any port 32764:32769
ufw allow proto tcp from 94.23.8.104 to any port 32764:32769
systemctl restart nfs-server
systemctl enable nfs-server
vim /etc/ufw/user.rules

16
bin/php7.4.sh
View File

@ -1,16 +0,0 @@
#!/bin/bash
echo -e "\033[35;1mInstalling PHP 7.4 \033[0m"
apt-get -y install lsb-release apt-transport-https ca-certificates
wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg
echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" | tee /etc/apt/sources.list.d/php.list
apt-get update
apt-get -y install php7.4 php7.4-{fpm,mysql,opcache,curl,mbstring,zip,xml,gd,imagick,apcu}
mv /etc/php/7.4/fpm/php.ini /etc/php/7.4/fpm/php.ini.back
cp "$_assets"/php7.4-fpm.ini /etc/php/7.4/fpm/php.ini
systemctl enable php7.4-fpm
systemctl start php7.4-fpm
echo -e "\033[92;1mphp7.4-fpm installed\033[O"

54
bin/postgresqlbackup.sh
View File

@ -1,54 +0,0 @@
#!/bin/sh
echo -e '\033[35m
___ _ ___ ___ _ ___ _
| _ \___ __| |_ __ _ _ _ ___/ __|/ _ \| | | _ ) __ _ __| |___ _ _ __
| _/ _ (_-< _/ _. | ._/ -_)__ \ (_) | |__ | _ \/ _. / _| / / || | ._ \
|_| \___/__/\__\__, |_| \___|___/\__\_\____| |___/\__,_\__|_\_\\_,_| .__/
|___/ |_|
\033[0m'
if [ "$EUID" -ne 0 ]; then
echo "Please run as root"
exit
fi
# get the current position
_cwd="$(pwd)"
# check for assets forlder
_assets="$_cwd/assets"
if [ ! -d "$_assets" ]; then
_assets="$_cwd/../assets"
if [ ! -d "$_assets" ]; then
echo "!! can't find assets directory !!"
exit
fi
fi
# adding the script
cp "$_assets"/pgsqlbackup.sh /usr/local/bin/
chmod +x /usr/local/bin/pgsqlbackup.sh
# configure
echo -n "Please provide the postgresql host : "
read _pg_host
sed -i "s/HOST/$_pg_host/g" /usr/local/bin/pgsqlbackup.sh
echo -n "Please provide the postgresql port : "
read _pg_port
sed -i "s/PORT/$_pg_port/g" /usr/local/bin/pgsqlbackup.sh
echo -n "Please provide the postgresql user : "
read _pg_user
sed -i "s/USER/$_pg_user/g" /usr/local/bin/pgsqlbackup.sh
echo -n "Please provide the postgresql passwd : "
read _pg_passwd
sed -i "s/PASSWD/$_pg_passwd/g" /usr/local/bin/pgsqlbackup.sh
# creating crontab
touch /var/spool/cron/crontabs/root
crontab -l > /tmp/mycron
echo "30 2 */2 * * /usr/local/bin/pgsqlbackup.sh" >> /tmp/mycron
crontab /tmp/mycron
rm /tmp/mycron

15
bin/ssh.sh
View File

@ -1,7 +1,7 @@
#!/bin/sh #!/bin/sh
echo -e '\033[35m echo '\033[35m
__________ __ __ __________ __ __
/ ___/ ___// / / / / ___/ ___// / / /
\__ \\__ \/ /_/ / \__ \\__ \/ /_/ /
@ -14,13 +14,8 @@ if [ "$EUID" -ne 0 ]; then
exit exit
fi fi
# sed -i 's/PermitRootLogin\ yes/PermitRootLogin no/g' /etc/ssh/sshd_config sed -i 's/PermitRootLogin\ yes/PermitRootLogin no/g' /etc/ssh/sshd_config
# sed -i 's/PermitEmptyPasswords\ yes/PermitEmptyPasswords no/g' /etc/ssh/sshd_config sed -i 's/PermitEmptyPasswords\ yes/PermitEmptyPasswords no/g' /etc/ssh/sshd_config
# sed -i 's/Protocol\ [0-9]/Protocol 2/g' /etc/ssh/sshd_config sed -i 's/Protocol\ [0-9]/Protocol 2/g' /etc/ssh/sshd_config
touch /etc/ssh/sshd_config.d/custom.conf
echo "PermitRootLogin no" >> /etc/ssh/sshd_config.d/custom.conf
echo "PermitEmptyPasswords no" >> /etc/ssh/sshd_config.d/custom.conf
systemctl reload ssh systemctl reload ssh
echo -e "\033[92;1mSSH secured\033[Om" echo "\033[92;1mSSH secured\033[Om"

2
bin/upgrade.sh
View File

@ -2,7 +2,7 @@
# TODO check if root # TODO check if root
echo -e '\033[35m echo '\033[35m
__ ______ __________ ___ ____ ______ __ ______ __________ ___ ____ ______
/ / / / __ \/ ____/ __ \/ | / __ \/ ____/ / / / / __ \/ ____/ __ \/ | / __ \/ ____/
/ / / / /_/ / / __/ /_/ / /| | / / / / __/ / / / / /_/ / / __/ /_/ / /| | / / / / __/

18
bin/urbackup.sh
View File

@ -38,18 +38,12 @@ apt install build-essential "g++" "libcrypto++-dev" libz-dev -y
# libwxgtk3.0-dev # libwxgtk3.0-dev
# Download the UrBackup client source files and extract them # Download the UrBackup client source files and extract them
# wget -P /tmp/ https://hndl.urbackup.org/Client/latest/urbackup-client-2.3.4.0.tar.gz wget -P /tmp/ https://hndl.urbackup.org/Client/latest/urbackup-client-2.3.4.0.tar.gz
# wget -P /tmp/ https://hndl.urbackup.org/Client/2.4.11/urbackup-client-2.4.11.0.tar.gz
# wget -P /tmp/ https://hndl.urbackup.org/Client/2.5.20/urbackup-client-2.5.20.0.tar.gz
# wget -P /tmp/ https://hndl.urbackup.org/Client/2.5.20/urbackup-client-2.5.24.0.tar.gz
wget -P /tmp/ https://hndl.urbackup.org/Client/2.5.25/urbackup-client-2.5.25.0.tar.gz
cd /tmp cd /tmp
tar xzf /tmp/urbackup-client-2.3.4.0.tar.gz
tar xzf /tmp/urbackup-client-2.5.25.0.tar.gz
# Build the UrBackup client and install it # Build the UrBackup client and install it
# cd /tmp/urbackup-client-2.3.4.0 cd /tmp/urbackup-client-2.3.4.0
cd /tmp/urbackup-client-2.5.25.0
./configure --enable-headless ./configure --enable-headless
make -j4 make -j4
make install make install
@ -72,8 +66,7 @@ internet_mode_enabled=true
internet_image_backups_def=false internet_image_backups_def=false
default_dirs_def=/etc;var/www;/var/backups/mysql default_dirs_def=/etc;var/www;/var/backups/mysql
startup_backup_delay_def=3 startup_backup_delay_def=3
computername=$_computername" > /etc/default/urbackupclient computername=$_computername" > /usr/local/var/urbackup/data/settings.cfg
# /usr/local/var/urbackup/data/settings.cfg
# firewall # firewall
ufw allow from "$_ip" to any port 35621 ufw allow from "$_ip" to any port 35621
@ -81,8 +74,7 @@ ufw allow from "$_ip" to any port 35622
ufw allow from "$_ip" to any port 35623 ufw allow from "$_ip" to any port 35623
# install and enable systemd service # install and enable systemd service
# cp "$_assets"/urbackup.service /etc/systemd/system/ cp "$_assets"/urbackup.service /etc/systemd/system/
cp urbackupclientbackend-debian.service /etc/systemd/system/urbackup.service
chmod a+x /etc/systemd/system/urbackup.service chmod a+x /etc/systemd/system/urbackup.service
systemctl --system daemon-reload systemctl --system daemon-reload

2
bin/user.sh
View File

@ -37,6 +37,8 @@ do
fi fi
done done
# read -p "Continue? (Y/N): " confirm && [[ $confirm == [yY] || $confirm == [yY][eE][sS] ]] || exit 1
adduser "$user" adduser "$user"
echo "adding $user to admin group and limiting su to the admin group" echo "adding $user to admin group and limiting su to the admin group"
groupadd admin groupadd admin

37
bin/vhost.sh
View File

@ -27,7 +27,6 @@ if [ "$vh" = "y" ]; then
fi fi
fi fi
_domain=""
while [ "$_domain" = "" ] while [ "$_domain" = "" ]
do do
read -p "enter a domain name ? " _domain read -p "enter a domain name ? " _domain
@ -42,7 +41,6 @@ if [ "$vh" = "y" ]; then
done done
# ask for simple php conf or drupal conf # ask for simple php conf or drupal conf
_drupal=""
while [ "$_drupal" != "yes" ] && [ "$_drupal" != "no" ] while [ "$_drupal" != "yes" ] && [ "$_drupal" != "no" ]
do do
echo -n "Is your site is a drupal one? [yes|no] " echo -n "Is your site is a drupal one? [yes|no] "
@ -50,30 +48,28 @@ if [ "$vh" = "y" ]; then
done done
# ask for let's encrypt # ask for let's encrypt
_letsencrypt=""
while [ "$_letsencrypt" != "yes" ] && [ "$_letsencrypt" != "no" ] while [ "$_letsencrypt" != "yes" ] && [ "$_letsencrypt" != "no" ]
do do
echo -e "\033[35;1mLet's encrypt \033[0m" echo -e "\033[35;1mLet's encrypt \033[0m"
echo "Let's encrypt needs a public registered domain name with proper DNS records ( A records or CNAME records for subdomains pointing to your server)." echo -e "Let's encrypt needs a public registered domain name with proper DNS records ( A records or CNAME records for subdomains pointing to your server)."
echo -n "Should we install let's encrypt certificate with $_domain? [yes|no] " echo -n "Should we install let's encrypt certificate with $_domain? [yes|no] "
read _letsencrypt read _letsencrypt
done done
systemctl stop nginx
# lets'encrypt # lets'encrypt
# https://certbot.eff.org/lets-encrypt/debianstretch-nginx # https://certbot.eff.org/lets-encrypt/debianstretch-nginx
if [ "$_letsencrypt" = "yes" ]; then if [ "$_letsencrypt" = "yes" ]; then
apt-get --yes install certbot apt-get --yes --force-yes install certbot
systemctl stop nginx
certbot certonly --standalone -d "$_domain" --cert-name "$_domain" certbot certonly --standalone -d "$_domain" --cert-name "$_domain"
systemctl start nginx
# TODO stop the whole process if letsencrypt faile # TODO stop the whole process if letsencrypt faile
mkdir -p /etc/nginx/ssl/certs/"$_domain" mkdir -p /etc/nginx/ssl/certs/"$_domain"
openssl dhparam -out /etc/nginx/ssl/certs/"$_domain"/dhparam.pem 2048 openssl dhparam -out /etc/nginx/ssl/certs/"$_domain"/dhparam.pem 2048
# renewing # renewing
touch /var/spool/cron/crontabs/root touch /var/spool/cron/crontabs/root
crontab -l > mycron crontab -l > mycron
echo "0 3 * * * certbot renew --pre-hook 'systemctl stop nginx' --post-hook 'systemctl start nginx' --cert-name $_domain" >> mycron echo -e "0 3 * * * certbot renew --pre-hook 'systemctl stop nginx' --post-hook 'systemctl start nginx' --cert-name $_domain" >> mycron
crontab mycron crontab mycron
rm mycron rm mycron
fi fi
@ -106,16 +102,6 @@ if [ "$vh" = "y" ]; then
chmod -R g+w /var/www/"$_domain"/ chmod -R g+w /var/www/"$_domain"/
chmod -R g+r /var/www/"$_domain"/ chmod -R g+r /var/www/"$_domain"/
#set fail2ban for vhost
# https://stackoverflow.com/a/65552146
cp "$_assets/fail2ban/jail.d/nginx-badbots.conf" "/etc/fail2ban/jail.d/nginx-badbots-$_domain.conf"
sed -i -r "s/\[nginx-badbots\]/\[nginx-badbots-$_domain\]/g" "/etc/fail2ban/jail.d/nginx-badbots-$_domain.conf"
sed -i -r "s/<FILTER>/\[nginx-badbots-$_domain\]/g" "/etc/fail2ban/jail.d/nginx-badbots-$_domain.conf"
sed -i -r "s/<LOGPATH>/\/var\/www\/$_domain\/log\/error.log/g" "/etc/fail2ban/jail.d/nginx-badbots-$_domain.conf"
cp "$_assets/fail2ban/filter.d/nginx-badbots.conf" "/etc/fail2ban/filter.d/nginx-badbots-$_domain.conf"
sed -i -r "s/<HOST>/$_domain/g" "/etc/fail2ban/filter.d/nginx-badbots-$_domain.conf"
# create a shortcut to the site # create a shortcut to the site
@ -124,8 +110,7 @@ if [ "$vh" = "y" ]; then
yn=${yn:-y} yn=${yn:-y}
if [ "$yn" = "Y" ] || [ "$yn" = "y" ]; then if [ "$yn" = "Y" ] || [ "$yn" = "y" ]; then
# if $user var does not exists (vhost.sh ran directly) ask for it # if $user var does not exists (vhost.sh ran directly) ask for it
user="" if [ -z ${user+x} ]; then
# if [ -z ${user+x} ]; then
while [ "$user" = "" ] while [ "$user" = "" ]
do do
read -p "enter an existing user name ? " user read -p "enter an existing user name ? " user
@ -139,14 +124,14 @@ if [ "$vh" = "y" ]; then
user="" user=""
fi fi
else else
echo "user $user doesn't exists, you must provide an existing user" echo -e "user $user doesn't exists, you must provide an existing user"
user="" user=""
fi fi
fi fi
done done
# fi fi
echo "shortcut will be installed for '$user'"; echo -e "shortcut will be installed for '$user'";
sleep 3 sleep 3
mkdir /home/"$user"/www/ mkdir /home/"$user"/www/
@ -155,14 +140,14 @@ if [ "$vh" = "y" ]; then
chown "$user":admin /home/"$user"/www/"$_domain" chown "$user":admin /home/"$user"/www/"$_domain"
else else
echo 'no shortcut installed' echo -e 'no shortcut installed'
fi fi
# activate the vhost # activate the vhost
ln -s /etc/nginx/sites-available/"$_domain".conf /etc/nginx/sites-enabled/"$_domain".conf ln -s /etc/nginx/sites-available/"$_domain".conf /etc/nginx/sites-enabled/"$_domain".conf
# restart nginx # restart nginx
systemctl restart nginx systemctl start nginx
echo -e "\033[92;1mvhost $_domain configured \033[Om" echo -e "\033[92;1mvhost $_domain configured \033[Om"
else else
echo "Vhost installation aborted" echo -e "Vhost installation aborted"
fi fi

122
bin/webhook.sh
View File

@ -1,122 +0,0 @@
#!/bin/bash
# bachir soussi chiadmi
# get the current position
_cwd="$(pwd)"
echo -e '\033[35m
__ __ _ _ _ _
\ \ / /__| |__| || |___ ___| |__
\ \/\/ / -_) `_ \ __ / _ \/ _ \ / /
\_/\_/\___|_.__/_||_\___/\___/_\_\
\033[0m'
# check for assets folder
_assets="$_cwd/assets"
if [ ! -d "$_assets" ]; then
_assets="$_cwd/../assets"
if [ ! -d "$_assets" ]; then
echo "!! can't find assets directory !!"
exit
fi
fi
user=""
while [ "$user" = "" ]
do
read -p "enter an existing user name ? " user
if [ "$user" != "" ]; then
# check if user already exists
if id "$user" >/dev/null 2>&1; then
read -p "is user name $user correcte [y|n] " validated
if [ "$validated" = "y" ]; then
break
else
user=""
fi
else
echo "user $user doesn't exists, you must provide an existing user"
user=""
fi
fi
done
_domain=""
while [ "$_domain" = "" ]
do
read -p "enter a domain name ? " _domain
if [ "$_domain" != "" ]; then
read -p "is domain $_domain correcte [y|n] " validated
if [ "$validated" = "y" ]; then
break
else
_domain=""
fi
fi
done
_id=$(echo "$_domain" | sed "s/\./_/g")
_remote=""
while [ "$_remote" = "" ]
do
read -p "enter teh remote git repos url to pull from ? " _remote
if [ "$_remote" != "" ]; then
read -p "is $_remote correcte [y|n] " validated
if [ "$validated" = "y" ]; then
break
else
_remote=""
fi
fi
done
# TODO check for /home/"$user"/www/"$_domain"
if [ ! -d /home/"$user"/www/"$_domain" ]; then
echo "/home/$user/www/$_domain does not exists !"
exit
fi
# TODO check for /home/"$user"/git-repositories/"$_domain.git"
if [ ! -d /home/"$user"/git-repositories/"$_domain.git" ]; then
echo "/home/$user/git-repositories/$_domain.git does not exists !"
exit
fi
apt-get install webhook
# git bare repos remote
git --git-dir=/home/"$user"/git-repositories/"$_domain.git" remote add origin "$_remote"
# hook deploy script
cp -f "$_assets"/webhook-deploy.sh /home/"$user"/webhook-deploy-"$_id".sh
sed -i -r "s/DOMAIN/$_domain/g" /home/"$user"/webhook-deploy-"$_id".sh
sed -i -r "s/USER/$user/g" /home/"$user"/webhook-deploy-"$_id".sh
chowm $user:$user /home/"$user"/webhook-deploy-"$_id".sh
chmod +x /home/"$user"/webhook-deploy-"$_id".sh
# remove git bare repos hook
mv /home/"$user"/git-repositories/"$_domain".git/hooks/post-receive /home/"$user"/git-repositories/"$_domain".git/hooks/post-receive.back
# webhook conf
touch /etc/webhooks.conf
echo "
- id: deploy_app_$_id
execute-command: /home/$user/webhook-deploy-$_id.sh
command-working-directory: /home/$user/
" >> /etc/webhooks.conf
# webhook service
cp -f "$_assets"/webhook.service /etc/systemd/system/webhook.service
systemctl enable webhook
systemctl start webhook
systemctl restart webhook
# systemctl reload webhook
ufw allow 9000
echo "webhook done"
echo "you can configure your webhook trigger with the following url :"
echo "http://$_domain:9000/hooks/deploy_app_$_id"

64
bin/zabbix.sh
View File

@ -26,9 +26,8 @@ if [ ! -d "$_assets" ]; then
fi fi
fi fi
wget -P /tmp/ http://repo.zabbix.com/zabbix/3.4/debian/pool/main/z/zabbix-release/zabbix-release_3.4-1+stretch_all.deb
wget -P /tmp/ wget https://repo.zabbix.com/zabbix/6.4/debian/pool/main/z/zabbix-release/zabbix-release_6.4-1+debian12_all.deb dpkg -i /tmp/zabbix-release_3.4-1+stretch_all.deb
dpkg -i /tmp/zabbix-release_6.4-1+debian12_all.deb
apt-get update -y apt-get update -y
@ -41,6 +40,8 @@ echo -n "Please provide the zabbix-server's ip : "
read _ip read _ip
echo -n "Please provide the hostname of this agent : " echo -n "Please provide the hostname of this agent : "
read _host_name read _host_name
echo -n "Please provide the mysql root password : "
read _root_mysql_passwd
_agent_conf_d="/etc/zabbix/zabbix_agentd.d" # for debian 8 _agent_conf_d="/etc/zabbix/zabbix_agentd.d" # for debian 8
if [ ! -d "$_agent_conf_d" ]; then if [ ! -d "$_agent_conf_d" ]; then
@ -52,10 +53,6 @@ sed -i "s#Server=127.0.0.1#Server=$_ip#g" /etc/zabbix/zabbix_agentd.conf
sed -i "s#ServerActive=127.0.0.1#ServerActive=$_ip#g" /etc/zabbix/zabbix_agentd.conf sed -i "s#ServerActive=127.0.0.1#ServerActive=$_ip#g" /etc/zabbix/zabbix_agentd.conf
sed -i "s#Hostname=Zabbix server#Hostname=$_host_name#g" /etc/zabbix/zabbix_agentd.conf sed -i "s#Hostname=Zabbix server#Hostname=$_host_name#g" /etc/zabbix/zabbix_agentd.conf
# todo ask if LXC container, if yes install this script
# https://github.com/kvaps/zabbix-linux-container-template
# APT # APT
# check for debian security updates # check for debian security updates
# not working : https://www.osso.nl/blog/zabbix-counting-security-updates # not working : https://www.osso.nl/blog/zabbix-counting-security-updates
@ -67,44 +64,27 @@ cp "$_assets"/zabbix/apt.conf "$_agent_conf_d"/
# MYSQL # MYSQL
# https://serverfault.com/questions/737018/zabbix-user-parameter-mysql-status-setting-home # https://serverfault.com/questions/737018/zabbix-user-parameter-mysql-status-setting-home
# create zabbix user home # create zabbix user home
mkdir /var/lib/zabbix
echo -n "monitor mysql? [Y|n] " # generate random password for zabbix mysql user
read yn _passwd="$(< /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c12)"
yn=${yn:-y} # add mysql credentials to zabbix home
if [ "$yn" = "Y" ] || [ "$yn" = "y" ]; then printf "[client]\n
echo -n "Please provide the mysql root password : " user=zabbix\n
read _root_mysql_passwd password=$_passwd" > /var/lib/zabbix/.my.cnf
# create zabbix mysql user
mkdir /var/lib/zabbix mysql -uroot -p"$_root_mysql_passwd" -e "CREATE USER 'zabbix' IDENTIFIED BY '$_passwd';"
# generate random password for zabbix mysql user mysql -uroot -p"$_root_mysql_passwd" -e "GRANT USAGE ON *.* TO 'zabbix'@'localhost' IDENTIFIED BY '$_passwd';"
_passwd="$(< /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c12)" # add zabbix-agent parameter
# add mysql credentials to zabbix home cp "$_assets"/zabbix/userparameter_mysql.conf "$_agent_conf_d"/
printf "[client]\n
user=zabbix\n
password=$_passwd" > /var/lib/zabbix/.my.cnf
# create zabbix mysql user
mysql -uroot -p"$_root_mysql_passwd" -e "CREATE USER 'zabbix' IDENTIFIED BY '$_passwd';"
mysql -uroot -p"$_root_mysql_passwd" -e "GRANT USAGE ON *.* TO 'zabbix'@'localhost' IDENTIFIED BY '$_passwd';"
# add zabbix-agent parameter
cp "$_assets"/zabbix/userparameter_mysql.conf "$_agent_conf_d"/
fi
# NGINX # NGINX
# https://github.com/sfuerte/zbx-nginx # https://github.com/sfuerte/zbx-nginx
# nginxconf already included in default.nginxconf asset # nginxconf already included in default.nginxconf asset
sed -i "s/# allow CURRENT-SERVER-IP/allow $_cur_ip/g" /etc/nginx/sites-available/default
echo -n "Monitor nginx? [Y|n] " cp "$_assets"/zabbix/userparameter_nginx.conf "$_agent_conf_d"/
read yn mkdir /etc/zabbix/zabbix_agentd.scripts
yn=${yn:-y} cp "$_assets"/zabbix/scripts/nginx-stat.py /etc/zabbix/zabbix_agentd.scripts/
if [ "$yn" = "Y" ] || [ "$yn" = "y" ]; then chmod +x /etc/zabbix/zabbix_agentd.scripts/nginx-stat.py
sed -i "s/# allow CURRENT-SERVER-IP/allow $_cur_ip/g" /etc/nginx/sites-available/default
cp "$_assets"/zabbix/userparameter_nginx.conf "$_agent_conf_d"/
mkdir /etc/zabbix/zabbix_agentd.scripts
cp "$_assets"/zabbix/scripts/nginx-stat.py /etc/zabbix/zabbix_agentd.scripts/
chmod +x /etc/zabbix/zabbix_agentd.scripts/nginx-stat.py
fi
echo -n "This is box is a proxmox CT? [Y|n] " echo -n "This is box is a proxmox CT? [Y|n] "
read yn read yn
@ -116,8 +96,6 @@ fi
# SYSTEMD # SYSTEMD
# https://github.com/MogiePete/zabbix-systemd-service-monitoring # https://github.com/MogiePete/zabbix-systemd-service-monitoring
cp "$_assets"/zabbix/userparameter_systemd_services.conf "$_agent_conf_d"/ cp "$_assets"/zabbix/userparameter_systemd_services.conf "$_agent_conf_d"/
# https://www.zabbix.com/forum/zabbix-cookbook/23024-monitor-the-version-of-centos-debian-ubuntu?p=386466#post386466
cp "$_assets"/zabbix/userparameter_linux_name_version.conf "$_agent_conf_d"/
# disble unused system units # disble unused system units
systemctl disable rsync systemctl disable rsync

26
install.sh
View File

@ -13,10 +13,10 @@ echo -e '\033[35m
/_____/\___/_.___/_/\__,_/_/ /_/ /____/\___/_/ |___/\___/_/ /_____/\___/_.___/_/\__,_/_/ /_/ /____/\___/_/ |___/\___/_/
\033[0m' \033[0m'
echo -e "\033[35;1mThis script has been tested only on Linux Debian 10 \033[0m" echo -e "\033[35;1mThis script has been tested only on Linux Debian 9 \033[0m"
if [ "$EUID" -ne 0 ]; then if [ "$EUID" -ne 0 ]; then
echo "Please run as root" echo -e "Please run as root"
exit exit
fi fi
@ -24,7 +24,7 @@ echo -n "Should we start? [Y|n] "
read yn read yn
yn=${yn:-y} yn=${yn:-y}
if [ "$yn" != "y" ]; then if [ "$yn" != "y" ]; then
echo "aborting script!" echo -e "aborting script!"
exit exit
fi fi
@ -35,7 +35,7 @@ _cwd="$(pwd)"
. bin/misc.sh . bin/misc.sh
. bin/firewall.sh . bin/firewall.sh
. bin/fail2ban.sh . bin/fail2ban.sh
# . bin/knockd.sh . bin/knockd.sh
. bin/user.sh . bin/user.sh
. bin/email.sh . bin/email.sh
@ -48,7 +48,7 @@ done
if [ "$securssh" = "yes" ]; then if [ "$securssh" = "yes" ]; then
. bin/ssh.sh . bin/ssh.sh
else else
echo 'root user can still conect through ssh' echo -e 'root user can still conect through ssh'
fi fi
@ -58,7 +58,7 @@ yn=${yn:-y}
if [ "$yn" = "y" ]; then if [ "$yn" = "y" ]; then
. bin/ftp.sh . bin/ftp.sh
else else
echo 'ftp server not installed' echo -e 'ftp server not installed'
fi fi
while [ "$lemp" != "yes" ] && [ "$lemp" != "no" ] while [ "$lemp" != "yes" ] && [ "$lemp" != "no" ]
@ -69,7 +69,7 @@ done
if [ "$lemp" = "yes" ]; then if [ "$lemp" = "yes" ]; then
. bin/lemp.sh . bin/lemp.sh
else else
echo 'lemp server not installed' echo -e 'lemp server not installed'
fi fi
while [ "$_install_vhost" != "yes" ] && [ "$_install_vhost" != "no" ] while [ "$_install_vhost" != "yes" ] && [ "$_install_vhost" != "no" ]
@ -78,10 +78,9 @@ do
read _install_vhost read _install_vhost
done done
if [ "$_install_vhost" = "yes" ]; then if [ "$_install_vhost" = "yes" ]; then
# TODO bug vhost.sh file does not exists ...
. bin/vhost.sh . bin/vhost.sh
else else
echo 'no vhost installed' echo -e 'no vhost installed'
fi fi
while [ "$_install_zabbix_agent" != "yes" ] && [ "$_install_zabbix_agent" != "no" ] while [ "$_install_zabbix_agent" != "yes" ] && [ "$_install_zabbix_agent" != "no" ]
@ -92,7 +91,7 @@ done
if [ "$_install_zabbix_agent" = "yes" ]; then if [ "$_install_zabbix_agent" = "yes" ]; then
. bin/zabbix.sh . bin/zabbix.sh
else else
echo 'zabbix-agent not installed' echo -e 'zabbix-agent not installed'
fi fi
while [ "$_install_urbackup" != "yes" ] && [ "$_install_urbackup" != "no" ] while [ "$_install_urbackup" != "yes" ] && [ "$_install_urbackup" != "no" ]
@ -103,12 +102,11 @@ done
if [ "$_install_urbackup" = "yes" ]; then if [ "$_install_urbackup" = "yes" ]; then
. bin/urbackup.sh . bin/urbackup.sh
else else
echo 'urbackup client not installed' echo -e 'urbackup client not installed'
fi fi
# ./install.sh: line 109: bin/dotfiles.sh: No such file or directory
. bin/dotfiles.sh
. bin/dotfiles.sh
# . bin/autoupdate.sh # . bin/autoupdate.sh
# echo -e '\033[35m # echo -e '\033[35m
@ -141,7 +139,7 @@ fi
# mount -t tmpfs -o rw,noexec,nosuid tmpfs /tmp # mount -t tmpfs -o rw,noexec,nosuid tmpfs /tmp
# chmod 1777 /tmp # chmod 1777 /tmp
# echo "tmpfs /tmp tmpfs rw,noexec,nosuid 0 0" >> /etc/fstab # echo -e "tmpfs /tmp tmpfs rw,noexec,nosuid 0 0" >> /etc/fstab
# # Restore /tmp # # Restore /tmp
# cp -Rpf /tmpbackup/* /tmp/ >/dev/null 2>&1 # cp -Rpf /tmpbackup/* /tmp/ >/dev/null 2>&1

4
raw.githubusercontent.com_kvaps_zabbix-linux-container-template_master_zabbix_container.conf.txt
View File

@ -1,4 +0,0 @@
UserParameter=ct.memory.size[*],free -b | awk 'NR==2 {total=$ 2; used=($ 3+$ 5); pused=(($ 3+$ 5)*100/$ 2); free=$ 4; pfree=($ 4*100/$ 2); shared=$ 5; buffers=$ 6; cached=$ 6; available=$ 7; pavailable=($ 7*100/$ 2); if("$1" == "") {printf("%.0f", total )} else {printf("%.0f", $1 "" )} }'
UserParameter=ct.swap.size[*],free -b | awk 'NR==3 {total=$ 2; used=$ 3; free=$ 4; pfree=($ 4*100/$ 2); pused=($ 3*100/$ 2); if("$1" == "") {printf("%.0f", free )} else {printf("%.0f", $1 "" )} }'
UserParameter=ct.cpu.load[*],cut -d" " -f1-3 /proc/loadavg | awk -F'[, ]+' '{avg1=$(NF-2); avg5=$(NF-1); avg15=$(NF)}{print $2/'$(nproc)'}'
UserParameter=ct.uptime,cut -d"." -f1 /proc/uptime

30
readme.md
View File

@ -1,11 +1,10 @@
# Install LEMP web server and secure it on debian 12 # Install web server and secure it on debian 9
Fail2ban, Ufw, Proftpd, Knockd, Nginx, Mariadb, php7.0-fpm, redis, vhosts, git barre repos, zabbix-agent, dotfiles and more Fail2ban, Ufw, Proftpd, Knockd, Nginx, Mariadb, php7.0-fpm, redis, vhosts, git barre repos, zabbix-agent, dotfiles and more
## how to use it ## how to use it
on a fresh install on a fresh install
as root
All commands below are run as root user. Either log in as root user directly or log in as your normal user and then use the command ```su -``` to become root user on your server before you proceed. IMPORTANT: You must use ```su -``` and not just ```su```, otherwise your PATH variable is set wrong by Debian.
1 install git 1 install git
``` ```
@ -17,13 +16,7 @@ apt-get install git
git clone https://figureslibres.io/gogs/bachir/debian-web-server.git git clone https://figureslibres.io/gogs/bachir/debian-web-server.git
``` ```
3 change defaut shell from dash to bash 3 run the script as root
```
dpkg-reconfigure dash
```
and answer NO to the the question
4 run the script as root
``` ```
su su
cd debian-web-server cd debian-web-server
@ -32,23 +25,6 @@ chmod a+x install.sh
``` ```
5 steps
* misc.sh
* dotfliles.sh
* user.sh
* ssh.sh
* firewall.sh
* fail2ban.sh
* email.sh
* lemp.sh
* mysqlbackup.sh
* vhost.sh
* gitbarrerepos.sh
* webhook.sh
* urbackup.sh
* zabbix.sh
*
## ref ## ref
http://www.debian.org/doc/manuals/securing-debian-howto/ http://www.debian.org/doc/manuals/securing-debian-howto/