diff --git a/.editorconfig b/.editorconfig
new file mode 100644
index 0000000..1e902b6
--- /dev/null
+++ b/.editorconfig
@@ -0,0 +1,15 @@
+root = true
+
+[*]
+charset = utf-8
+end_of_line = lf
+insert_final_newline = true
+indent_style = space
+indent_size = 4
+trim_trailing_whitespace = true
+
+[*.{html,js}]
+indent_size = 2
+
+[*.md]
+trim_trailing_whitespace = false
diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml
new file mode 100644
index 0000000..768cc15
--- /dev/null
+++ b/.github/FUNDING.yml
@@ -0,0 +1,8 @@
+# These are supported funding model platforms
+
+github: # Replace with up to 4 GitHub Sponsors-enabled usernames e.g., [user1, user2]
+custom: paypal.me/riipandi
+custom: karyakarsa.com/aris
+custom: www.buymeacoffee.com/ars
+# patreon: riipandi
+open_collective: # Replace with a single Open Collective username
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..f6e664d
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,11 @@
+/web/logs/*
+!/web/logs/.gitkeep
+
+__pycache__/
+stackup.ini
+*.log
+
+.DS_Store
+.DS_Store?
+
+x-notes.txt
diff --git a/LICENSE b/LICENSE
deleted file mode 100644
index 2210fb5..0000000
--- a/LICENSE
+++ /dev/null
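Review bot: `custom:` is given three times in FUNDING.yml; a YAML mapping cannot repeat a key, so a parser either rejects the file or keeps only the last value (`www.buymeacoffee.com/ars`) and the other two links silently disappear. GitHub documents `custom` as one URL or an array of up to four, so collapse them into a single list of full URLs: `custom: ['https://paypal.me/riipandi', 'https://karyakarsa.com/aris', 'https://www.buymeacoffee.com/ars']`. The empty `github:` and `open_collective:` keys carrying the template comments can be dropped instead of shipping as null placeholders.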
@@ -1,21 +0,0 @@
-MIT License
-
-Copyright (c) 2018 Aris Ripandi
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
diff --git a/README.md b/README.md
deleted file mode 100644
index ec629c7..0000000
--- a/README.md
+++ /dev/null
@@ -1,48 +0,0 @@
-# Linux Nginx PHP Stack
-
-Another LEMP Stack installer script.
-
-## Usage
-
-Just run this command:
-
-```bash
-bash <(wget -qO- raw.githubusercontent.com/riipandi/lempstack/master/setup.sh)
-```
-
-## Create MySQL Database
-
-```bash
-mysql -uroot -e "CREATE DATABASE IF NOT EXISTS dbname"
-mysql -uroot -e "CREATE USER IF NOT EXISTS 'dbname'@'127.0.0.1' IDENTIFIED BY 'dbpass'"
-mysql -uroot -e "GRANT ALL PRIVILEGES ON dbname.* TO 'dbname'@'127.0.0.1'; FLUSH PRIVILEGES"
-```
-
-## Create Nginx vHost
-
-```bash
-# Web directory
-mkdir -p /srv/domain.tld/public
-cp /etc/nginx/manifest/welcome.tpl /srv/domain.tld/public/index.php
-chown -R www-data: /srv/domain.tld
-
-# Virtual Host Configuration
-cp /etc/nginx/manifest/vhost-php.tpl /etc/nginx/vhost.d/domain.tld.conf
-sed -i "s/HOSTNAME/domain.tld/" /etc/nginx/vhost.d/domain.tld.conf
-
-# Generet SSL Certificate
-systemctl stop nginx ; certbot certonly --standalone --rsa-key-size 4096 \
- --agree-tos --register-unsafely-without-email \
- -d domain.tld -d www.domain.tld
-
-# Set Permission File dan Folder
-cd /srv/domain.tld
-find . -type d -exec chmod 0777 {} \;
-find . -type f -exec chmod 0775 {} \;
-find . -exec chown -R www-data: {} \;
-```
-
-## License
-
-This project is open-sourced software licensed under the
-[MIT license](https://opensource.org/licenses/MIT).
diff --git a/changelog.md b/changelog.md
new file mode 100644
index 0000000..0d30362
--- /dev/null
+++ b/changelog.md
@@ -0,0 +1,82 @@
+## Changelog
+
+All notable changes to this project will be documented here, the changelog
+format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
+
+### [Unreleased]
+
+### [4.0] - 2020/04/28
+- Support Ubuntu Focal Fossa (20.04)
+
+### [3.4] - 2019/11/14
+- Changed project structure
+- Enabling multiple distributiion support
+
+### [3.3] - 2019/06/07
+- Fix FTP server setup and configuration
+- FTP server are optional (not installed by default)
+- Change FTP server from ProFTPd to PureFTPd
+- Fix Nginx configuration
+- Add backup snippets
+- Some other fixes
+
+### [3.2] - 2019/05/20
+- Add installation wizard
+- Add FTP server setup
+- Change Nginx repo to mainline
+
+### [3.1] - 2019/04/09
+- Added FTP server setup with SQL backend
+- Added Mail server setup (TODO: fix it)
+- Added snippet to create html vhost
+
+### [3.0] - 2019/03/26
+- Each setup script as independent installer
+- Some improvements and fixes
+
+### [2.4] - 2019/03/24
+- Changed license from MIT to Apache 2.0
+- Fix some configuration
+
+### [2.3] - 2019/01/29
+- Added Adminer as optional DB GUI
+- Move phpMyAdmin to an alias
+- Some configuration fixes
+
+### [2.2] - 2019/01/13
+- Add default user administartor
+- Add feature for creating Ghost blogging platform
+- Fix setup develoment environment
+- Fix some nginx configuration
+- Small fixes for some snippets
+- Fix character encoding
+
+### [2.1] - 2019/01/12
+- Add development channel
+- Fix default web page
+- Fix default php page
+- Fix some nginx configuration
+- Some minor fixes and typo
+
+### [2.0] - 2019/01/12
+- Switch to Ubuntu LTS
+- Nginx installer
+- PHP FPM installer
+- Python installer
+- PostgreSQL installer
+- MariaDB installer
+- MySQL installer
+- SSL Cert snippet
+- MySQL snippet
+- VirtualHost snippet
+- Select databse version to install
+
+### [1.0] - 2018/12/30
+- Initial Release
+- Nginx installer
+- PHP FPM installer
+- Python installer
+- MariaDB installer
+- VirtualHost snippet
+- SSL Cert snippet
+- MySQL snippet
diff --git a/common.sh b/common.sh
new file mode 100644
index 0000000..244f1fb
--- /dev/null
+++ b/common.sh
@@ -0,0 +1,57 @@
+# Color message
+#----------------------------------------------------------------------------------
+nocolor='\033[0m'
+green='\033[0;32m'
+red='\033[0;33m'
+blue='\033[0;34m'
+
+# Common variables
+#----------------------------------------------------------------------------------
+osDistro=`echo $(lsb_release -i | cut -d':' -f 2)`
+osVersion=`echo $(lsb_release -c | cut -d':' -f 2)`
+logFile="/root/stackup-info.log"
+logInstall="/tmp/stackup-install.log"
+checkCountry=$(wget -qO- ipapi.co/json | grep '"country":' | sed -E 's/.*"([^"]+)".*/\1/')
+
+# Display message
+#----------------------------------------------------------------------------------
+msgContinue() {
+ echo -e "${green}"
+ read -p "Press [Enter] to Continue or [Ctrl+C] to Cancel..."
+ echo -e "${nocolor}"
+}
+
+msgInfo() {
+ echo -e "${blue}${1}${nocolor}"
+}
+
+msgSuccess() {
+ echo -e "${green}${1}${nocolor}"
+}
+
+msgError() {
+ echo -e "${red}${1}${nocolor}"
+}
+
+
+# Common functions
+#----------------------------------------------------------------------------------
+
+# pkgInstall() {}
+
+# pkgUpdate() {}
+
+pkgUpgrade() {
+ apt update -qq &>${logInstall}
+ apt -yq full-upgrade &>${logInstall}
+ apt -y autoremove &>${logInstall}
+}
+
+pkgClean() {
+ apt -yq autoremove &>${logInstall}
+ apt clean &>${logInstall}
+}
+
+writeLogInfo () {
+ crudini --set ${logFile} '' ${1} ${2}
+}
diff --git a/config/.DS_Store b/config/.DS_Store
new file mode 100644
index 0000000..75b6c65
Binary files /dev/null and b/config/.DS_Store differ
diff --git a/config/apache/apache2.conf b/config/apache/apache2.conf
new file mode 100644
index 0000000..d3e65aa
--- /dev/null
+++ b/config/apache/apache2.conf
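Review bot: `checkCountry=$(wget -qO- ipapi.co/json …)` performs an unauthenticated plain-HTTP request to a third party, as root, every time common.sh is sourced — the URL has no scheme so wget defaults to http://, meaning whatever the country value later selects (presumably a mirror or repository; not visible in this hunk) can be steered by anyone on the network path, and an offline host silently gets an empty string. The fixed log paths are also weak: `/tmp/stackup-install.log` is a predictable name that root opens with `&>`, so a local user can pre-create it and only `fs.protected_symlinks` stands between a planted symlink and root truncating an arbitrary file, while `&>` truncates on every command so `pkgUpgrade` keeps only the autoremove output. The rewrite below fetches over TLS with a bounded wait, logs under a root-owned directory, appends (`&>>`) instead of truncating, and quotes the crudini arguments so keys or values containing spaces are not word-split. If `writeLogInfo` is later used to record generated credentials in `${logFile}`, the file should additionally be created with mode 0600 before the first `crudini --set`. Separately, `red='\033[0;33m'` is the ANSI yellow code; red is `'\033[0;31m'`.

```shell
# … unchanged: colour variables, osDistro / osVersion …
logFile="/root/stackup-info.log"
# Root-owned location: unlike /tmp it cannot be pre-created by another local user.
logInstall="/var/log/stackup-install.log"
# Third-party geolocation lookup: TLS only, bounded wait, empty string on failure.
checkCountry=$(wget -qO- --timeout=10 --tries=1 https://ipapi.co/json 2>/dev/null \
    | grep '"country":' | sed -E 's/.*"([^"]+)".*/\1/')

# … unchanged: msgContinue / msgInfo / msgSuccess / msgError …

pkgUpgrade() {
    # Append so each step's output is kept rather than clobbered by the next.
    apt update -qq &>>"${logInstall}"
    apt -yq full-upgrade &>>"${logInstall}"
    apt -y autoremove &>>"${logInstall}"
}

pkgClean() {
    apt -yq autoremove &>>"${logInstall}"
    apt clean &>>"${logInstall}"
}

writeLogInfo () {
    # Quote so a key or value containing spaces reaches crudini as one argument.
    crudini --set "${logFile}" '' "${1}" "${2}"
}
```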
@@ -0,0 +1,93 @@ +# This is the main Apache server configuration file. It contains the +# configuration directives that give the server its instructions. +# See http://httpd.apache.org/docs/2.4/ for detailed information. +# + +ServerRoot "/etc/apache2" + +# +# The accept serialization lock file MUST BE STORED ON A LOCAL DISK. +# +#Mutex file:${APACHE_LOCK_DIR} default + +DefaultRuntimeDir ${APACHE_RUN_DIR} +PidFile ${APACHE_PID_FILE} +User ${APACHE_RUN_USER} +Group ${APACHE_RUN_GROUP} + +Timeout 300 +KeepAlive On +MaxKeepAliveRequests 100 +KeepAliveTimeout 5 +HostnameLookups Off +AccessFileName .htaccess + +LogLevel warn +ErrorLog ${APACHE_LOG_DIR}/error.log + +# Define an access log for VirtualHosts that don't define their own logfile +CustomLog ${APACHE_LOG_DIR}/other_vhosts_access.log vhost_combined + +# Include module configuration: +IncludeOptional mods-enabled/*.load +IncludeOptional mods-enabled/*.conf + +# +# List of ports to listen on +# If you just change the port or add more ports here, you will likely also +# have to change the VirtualHost statement in: /etc/apache2/sites-enabled/*.conf +# +Listen 80 + + Listen 443 + + + Listen 443 + + +# +# Sets the default security model of the Apache2 HTTPD server. It does +# not allow access to the root filesystem outside of /usr/share and /var/www. +# + + Options FollowSymLinks + AllowOverride None + Require all denied + + + + AllowOverride None + Require all granted + + + + Options Indexes FollowSymLinks + AllowOverride None + Require all granted + + + + Options Indexes FollowSymLinks + AllowOverride None + Require all granted + + + + Require all denied + + +# +# These deviate from the Common Log Format definitions in that they use %O +# (the actual bytes sent including headers) instead of %b (the size of the +# requested file), because the latter makes it impossible to detect partial +# requests. 
+# +LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined +LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined +LogFormat "%h %l %u %t \"%r\" %>s %O" common +LogFormat "%{Referer}i -> %U" referer +LogFormat "%{User-agent}i" agent + +# Load extra configuration +IncludeOptional conf-enabled/*.conf +IncludeOptional sites-enabled/*.conf diff --git a/config/apache/conf.d/charset.conf b/config/apache/conf.d/charset.conf new file mode 100644 index 0000000..77081f2 --- /dev/null +++ b/config/apache/conf.d/charset.conf @@ -0,0 +1,6 @@ +# Read the documentation before enabling AddDefaultCharset. +# In general, it is only a good idea if you know that all your files +# have this encoding. It will override any encoding given in the files +# in meta http-equiv or xml encoding tags. + +AddDefaultCharset UTF-8 diff --git a/config/apache/conf.d/localized-error-pages.conf b/config/apache/conf.d/localized-error-pages.conf new file mode 100644 index 0000000..557f7c6 --- /dev/null +++ b/config/apache/conf.d/localized-error-pages.conf 
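Review bot: The two document-root directory blocks carry `Options Indexes FollowSymLinks`, so any directory without an index file gets an auto-generated listing of its contents — a common source of backup, dump and config-file disclosure on a multi-site stack; `Options FollowSymLinks` (or `Options -Indexes +FollowSymLinks`) is the safer server-wide default, with listings re-enabled per vhost only where intended. The enclosing `<Directory>` and `<IfModule>` container lines appear to have been lost in this rendering, so which path each block governs is inferred from the Debian layout rather than visible here. `AccessFileName .htaccess` together with `AllowOverride None` on every block is consistent, and the trailing `Require all denied` for `.ht*` files remains worthwhile in case a vhost later turns overrides on.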
@@ -0,0 +1,81 @@ +# Customizable error responses come in three flavors: +# 1) plain text +# 2) local redirects +# 3) external redirects +# +# Some examples: +#ErrorDocument 500 "The server made a boo boo." +#ErrorDocument 404 /missing.html +#ErrorDocument 404 "/cgi-bin/missing_handler.pl" +#ErrorDocument 402 http://www.example.com/subscription_info.html +# + +# +# Putting this all together, we can internationalize error responses. +# +# We use Alias to redirect any /error/HTTP_.html.var response to +# our collection of by-error message multi-language collections. We use +# includes to substitute the appropriate text. +# +# You can modify the messages' appearance without changing any of the +# default HTTP_.html.var files by adding the line: +# +#Alias /error/include/ "/your/include/path/" +# +# which allows you to create your own set of files by starting with the +# /usr/share/apache2/error/include/ files and copying them to /your/include/path/, +# even on a per-VirtualHost basis. If you include the Alias in the global server +# context, is has to come _before_ the 'Alias /error/ ...' line. +# +# The default include files will display your Apache version number and your +# ServerAdmin email address regardless of the setting of ServerSignature. +# +# WARNING: The configuration below will NOT work out of the box if you have a +# SetHandler directive in a context somewhere. Adding +# the following three lines AFTER the context should +# make it work in most cases: +# +# SetHandler none +# +# +# The internationalized error documents require mod_alias, mod_include +# and mod_negotiation. To activate them, uncomment the following 37 lines. 
+ +# +# +# +# +# Alias /error/ "/usr/share/apache2/error/" +# +# +# Options IncludesNoExec +# AddOutputFilter Includes html +# AddHandler type-map var +# Order allow,deny +# Allow from all +# LanguagePriority en cs de es fr it nl sv pt-br ro +# ForceLanguagePriority Prefer Fallback +# +# +# ErrorDocument 400 /error/HTTP_BAD_REQUEST.html.var +# ErrorDocument 401 /error/HTTP_UNAUTHORIZED.html.var +# ErrorDocument 403 /error/HTTP_FORBIDDEN.html.var +# ErrorDocument 404 /error/HTTP_NOT_FOUND.html.var +# ErrorDocument 405 /error/HTTP_METHOD_NOT_ALLOWED.html.var +# ErrorDocument 408 /error/HTTP_REQUEST_TIME_OUT.html.var +# ErrorDocument 410 /error/HTTP_GONE.html.var +# ErrorDocument 411 /error/HTTP_LENGTH_REQUIRED.html.var +# ErrorDocument 412 /error/HTTP_PRECONDITION_FAILED.html.var +# ErrorDocument 413 /error/HTTP_REQUEST_ENTITY_TOO_LARGE.html.var +# ErrorDocument 414 /error/HTTP_REQUEST_URI_TOO_LARGE.html.var +# ErrorDocument 415 /error/HTTP_UNSUPPORTED_MEDIA_TYPE.html.var +# ErrorDocument 500 /error/HTTP_INTERNAL_SERVER_ERROR.html.var +# ErrorDocument 501 /error/HTTP_NOT_IMPLEMENTED.html.var +# ErrorDocument 502 /error/HTTP_BAD_GATEWAY.html.var +# ErrorDocument 503 /error/HTTP_SERVICE_UNAVAILABLE.html.var +# ErrorDocument 506 /error/HTTP_VARIANT_ALSO_VARIES.html.var +# +# +# + +# vim: syntax=apache ts=4 sw=4 sts=4 sr noet diff --git a/config/apache/conf.d/security.conf b/config/apache/conf.d/security.conf new file mode 100644 index 0000000..244af2c --- /dev/null +++ b/config/apache/conf.d/security.conf 
@@ -0,0 +1,68 @@ +# +# Disable access to the entire file system except for the directories that +# are explicitly allowed later. +# +# This currently breaks the configurations that come with some web application +# Debian packages. +# +# +# AllowOverride None +# Require all denied +# + +# Changing the following options will not really affect the security of the +# server, but might make attacks slightly more difficult in some cases. + +# +# This directive configures what you return as the Server HTTP response +# Header. The default is 'Full' which sends information about the OS-Type +# and compiled in modules. +# Set to one of: Full | OS | Minimal | Minor | Major | Prod +# where Full conveys the most information, and Prod the least. +ServerTokens Minimal + +# +# Optionally add a line containing the server version and virtual host +# name to server-generated pages (internal error documents, FTP directory +# listings, mod_status and mod_info output etc., but not CGI generated +# documents or custom error documents). +# Set to "EMail" to also include a mailto: link to the ServerAdmin. +# Set to one of: On | Off | EMail +ServerSignature Off + +# +# Allow TRACE method +# +# Set to "extended" to also reflect the request body (only for testing and +# diagnostic purposes). +# +# Set to one of: On | Off | extended +TraceEnable Off + +# +# Forbid access to version control directories +# +# If you use version control systems in your document root, you should +# probably deny access to their directories. For example, for subversion: +# + + Require all denied + + + + Require all denied + + +# +# Setting this header will prevent MSIE from interpreting files as something +# else than declared by the content type in the HTTP headers. +# Requires mod_headers to be enabled. +# +#Header set X-Content-Type-Options: "nosniff" + +# +# Setting this header will prevent other sites from embedding pages from this +# site as frames. This defends against clickjacking attacks. 
+# Requires mod_headers to be enabled. +# +#Header set X-Frame-Options: "sameorigin" diff --git a/config/apache/conf.d/serve-cgi-bin.conf b/config/apache/conf.d/serve-cgi-bin.conf new file mode 100644 index 0000000..e5c4b5f --- /dev/null +++ b/config/apache/conf.d/serve-cgi-bin.conf @@ -0,0 +1,18 @@ + + + Define ENABLE_USR_LIB_CGI_BIN + + + + Define ENABLE_USR_LIB_CGI_BIN + + + + ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/ + + AllowOverride None + Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch + Require all granted + + + diff --git a/config/apache/envvars b/config/apache/envvars new file mode 100644 index 0000000..4d60183 --- /dev/null +++ b/config/apache/envvars 
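Review bot: `ServerTokens Minimal` still sends `Server: Apache/2.4.x`, handing exact-version fingerprinting to scanners for no operational gain; `ServerTokens Prod` is the least-revealing setting this file itself enumerates. The two response-header hardenings at the bottom are left commented out — the comments say they only need mod_headers — so enable them guarded by `<IfModule mod_headers.c>`: `Header set X-Content-Type-Options "nosniff"` and `Header set X-Frame-Options "SAMEORIGIN"`. The commented "deny the entire filesystem" block at the top is redundant only because apache2.conf in this same change already puts `Require all denied` on the root directory; if that file is ever swapped for a distro default, this is the fallback to keep in sync.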
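Review bot: Once mod_cgi or mod_cgid is loaded, `ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/` with `Options +ExecCGI` and `Require all granted` exposes everything in `/usr/lib/cgi-bin/` as executable on every virtual host, not just the default site; this stack serves PHP through php-fpm (see the php7.x-fpm.conf files in the same change), so the CGI path is most likely unused attack surface. Either keep the module disabled (`a2dismod cgi cgid`) or scope the alias to the one vhost that needs it and replace `Require all granted` with `Require local` or an explicit allow-list. The `<IfDefine>`/`<IfModule>` container lines are not visible in this rendering, so the guard structure is assumed from the Debian stock file.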
@@ -0,0 +1,47 @@ +# envvars - default environment variables for apache2ctl + +# this won't be correct after changing uid +unset HOME + +# for supporting multiple apache2 instances +if [ "${APACHE_CONFDIR##/etc/apache2-}" != "${APACHE_CONFDIR}" ] ; then + SUFFIX="-${APACHE_CONFDIR##/etc/apache2-}" +else + SUFFIX= +fi + +# Since there is no sane way to get the parsed apache2 config in scripts, some +# settings are defined via environment variables and then used in apache2ctl, +# /etc/init.d/apache2, /etc/logrotate.d/apache2, etc. +export APACHE_RUN_USER=webmaster +export APACHE_RUN_GROUP=webmaster +# temporary state file location. This might be changed to /run in Wheezy+1 +export APACHE_PID_FILE=/var/run/apache2$SUFFIX/apache2.pid +export APACHE_RUN_DIR=/var/run/apache2$SUFFIX +export APACHE_LOCK_DIR=/var/lock/apache2$SUFFIX +# Only /var/log/apache2 is handled by /etc/logrotate.d/apache2. +export APACHE_LOG_DIR=/var/log/apache2$SUFFIX + +## The locale used by some modules like mod_dav +export LANG=C +## Uncomment the following line to use the system default locale instead: +#. /etc/default/locale + +export LANG + +## The command to get the status for 'apache2ctl status'. +## Some packages providing 'www-browser' need '--dump' instead of '-dump'. +#export APACHE_LYNX='www-browser -dump' + +## If you need a higher file descriptor limit, uncomment and adjust the +## following line (default is 8192): +#APACHE_ULIMIT_MAX_FILES='ulimit -n 65536' + +## If you would like to pass arguments to the web server, add them below +## to the APACHE_ARGUMENTS environment. +#export APACHE_ARGUMENTS='' + +## Enable the debug mode for maintainer scripts. +## This will produce a verbose output on package installations of web server modules and web application +## installations which interact with Apache +#export APACHE2_MAINTSCRIPT_DEBUG=1 diff --git a/config/apache/extras/php7.3-cgi.conf b/config/apache/extras/php7.3-cgi.conf new file mode 100644 index 0000000..181a4a7 --- /dev/null 
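Review bot: `APACHE_RUN_USER`/`APACHE_RUN_GROUP` are switched from the packaged `www-data` to `webmaster`, but nothing in this change creates that account, so apache2 will refuse to start until it exists, and logrotate and the init integration that source this file will chown logs to it as well. If `webmaster` is also the account that owns or deploys the document roots (content ownership and the PHP-FPM pool user are configured outside this hunk, so this is an inference), the server gains write access to its own code and any upload or template bug becomes persistent code modification; the worker identity should be a dedicated no-login system user with read-only access to content. At minimum document the precondition above the two exports, e.g. `# requires: adduser --system --no-create-home --group webmaster` — or keep `www-data`.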
+++ b/config/apache/extras/php7.3-cgi.conf @@ -0,0 +1,32 @@ +# This file replaces old system MIME types and sets them only in the +# Apache webserver + +# application/x-httpd-php phtml php + + SetHandler application/x-httpd-php + +# application/x-httpd-php-source phps + + SetHandler application/x-httpd-php-source + # Deny access to raw php sources by default + # To re-enable it's recommended to enable access to the files + # only in specific virtual host or directory + Require all denied + +# Deny access to files without filename (e.g. '.php') + + Require all denied + + +# To enable PHP CGI site-wide, just uncomment following lines, however +# as a security measure, it's recommended to enable PHP just in the +# specific virtual servers or just specific directories + +#ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/ +# +# AllowOverride None +# Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch +# Order allow,deny +# Allow from all +# +#Action application/x-httpd-php /cgi-bin/php7.3 diff --git a/config/apache/extras/php7.3-fpm.conf b/config/apache/extras/php7.3-fpm.conf new file mode 100644 index 0000000..f49f82e --- /dev/null +++ b/config/apache/extras/php7.3-fpm.conf @@ -0,0 +1,23 @@ +# Redirect to local php-fpm if mod_php is not available + + + # Enable http authorization headers + + SetEnvIfNoCase ^Authorization$ "(.+)" HTTP_AUTHORIZATION=$1 + + + + SetHandler "proxy:unix:/run/php/php7.3-fpm.sock|fcgi://localhost" + + + # Deny access to raw php sources by default + # To re-enable it's recommended to enable access to the files + # only in specific virtual host or directory + Require all denied + + # Deny access to files without filename (e.g. '.php') + + Require all denied + + + diff --git a/config/apache/extras/php7.4-cgi.conf b/config/apache/extras/php7.4-cgi.conf new file mode 100644 index 0000000..ead5524 --- /dev/null +++ b/config/apache/extras/php7.4-cgi.conf 
@@ -0,0 +1,32 @@ +# This file replaces old system MIME types and sets them only in the +# Apache webserver + +# application/x-httpd-php phtml php + + SetHandler application/x-httpd-php + +# application/x-httpd-php-source phps + + SetHandler application/x-httpd-php-source + # Deny access to raw php sources by default + # To re-enable it's recommended to enable access to the files + # only in specific virtual host or directory + Require all denied + +# Deny access to files without filename (e.g. '.php') + + Require all denied + + +# To enable PHP CGI site-wide, just uncomment following lines, however +# as a security measure, it's recommended to enable PHP just in the +# specific virtual servers or just specific directories + +#ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/ +# +# AllowOverride None +# Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch +# Order allow,deny +# Allow from all +# +#Action application/x-httpd-php /cgi-bin/php7.4 diff --git a/config/apache/extras/php7.4-fpm.conf b/config/apache/extras/php7.4-fpm.conf new file mode 100644 index 0000000..5e3d28f --- /dev/null +++ b/config/apache/extras/php7.4-fpm.conf @@ -0,0 +1,23 @@ +# Redirect to local php-fpm if mod_php is not available + + + # Enable http authorization headers + + SetEnvIfNoCase ^Authorization$ "(.+)" HTTP_AUTHORIZATION=$1 + + + + SetHandler "proxy:unix:/run/php/php7.4-fpm.sock|fcgi://localhost" + + + # Deny access to raw php sources by default + # To re-enable it's recommended to enable access to the files + # only in specific virtual host or directory + Require all denied + + # Deny access to files without filename (e.g. '.php') + + Require all denied + + + diff --git a/config/apache/magic b/config/apache/magic new file mode 100644 index 0000000..8bb70b1 --- /dev/null +++ b/config/apache/magic 
@@ -0,0 +1,935 @@ +# Magic data for mod_mime_magic (originally for file(1) command) +# +# The format is 4-5 columns: +# Column #1: byte number to begin checking from, ">" indicates continuation +# Column #2: type of data to match +# Column #3: contents of data to match +# Column #4: MIME type of result +# Column #5: MIME encoding of result (optional) + +#------------------------------------------------------------------------------ +# Localstuff: file(1) magic for locally observed files +# Add any locally observed files here. + +# Real Audio (Magic .ra\0375) +0 belong 0x2e7261fd audio/x-pn-realaudio +0 string .RMF application/vnd.rn-realmedia + +#video/x-pn-realvideo +#video/vnd.rn-realvideo +#application/vnd.rn-realmedia +# sigh, there are many mimes for that but the above are the most common. + +# Taken from magic, converted to magic.mime +# mime types according to http://www.geocities.com/nevilo/mod.htm: +# audio/it .it +# audio/x-zipped-it .itz +# audio/xm fasttracker modules +# audio/x-s3m screamtracker modules +# audio/s3m screamtracker modules +# audio/x-zipped-mod mdz +# audio/mod mod +# audio/x-mod All modules (mod, s3m, 669, mtm, med, xm, it, mdz, stm, itz, xmz, s3z) + +# Taken from loader code from mikmod version 2.14 +# by Steve McIntyre (stevem@chiark.greenend.org.uk) +# added title printing on 2003-06-24 +0 string MAS_UTrack_V00 +>14 string >/0 audio/x-mod +#audio/x-tracker-module + +#0 string UN05 MikMod UNI format module sound data + +0 string Extended\ Module: audio/x-mod +#audio/x-tracker-module +##>17 string >\0 Title: "%s" + +21 string/c \!SCREAM! audio/x-mod +#audio/x-screamtracker-module +21 string BMOD2STM audio/x-mod +#audio/x-screamtracker-module +1080 string M.K. audio/x-mod +#audio/x-protracker-module +#>0 string >\0 Title: "%s" +1080 string M!K! 
audio/x-mod +#audio/x-protracker-module +#>0 string >\0 Title: "%s" +1080 string FLT4 audio/x-mod +#audio/x-startracker-module +#>0 string >\0 Title: "%s" +1080 string FLT8 audio/x-mod +#audio/x-startracker-module +#>0 string >\0 Title: "%s" +1080 string 4CHN audio/x-mod +#audio/x-fasttracker-module +#>0 string >\0 Title: "%s" +1080 string 6CHN audio/x-mod +#audio/x-fasttracker-module +#>0 string >\0 Title: "%s" +1080 string 8CHN audio/x-mod +#audio/x-fasttracker-module +#>0 string >\0 Title: "%s" +1080 string CD81 audio/x-mod +#audio/x-oktalyzer-tracker-module +#>0 string >\0 Title: "%s" +1080 string OKTA audio/x-mod +#audio/x-oktalyzer-tracker-module +#>0 string >\0 Title: "%s" +# Not good enough. +#1082 string CH +#>1080 string >/0 %.2s-channel Fasttracker "oktalyzer" module sound data +1080 string 16CN audio/x-mod +#audio/x-taketracker-module +#>0 string >\0 Title: "%s" +1080 string 32CN audio/x-mod +#audio/x-taketracker-module +#>0 string >\0 Title: "%s" + +# Impuse tracker module (it) +0 string IMPM audio/x-mod +#>4 string >\0 "%s" +#>40 leshort !0 compatible w/ITv%x +#>42 leshort !0 created w/ITv%x + +#------------------------------------------------------------------------------ +# end local stuff +#------------------------------------------------------------------------------ + +# xml based formats! + +# svg + +0 string \38 string \<\!DOCTYPE\040svg image/svg+xml + + +# xml +0 string \2 short 0xbabe application/java + +#------------------------------------------------------------------------------ +# audio: file(1) magic for sound formats +# +# from Jan Nicolai Langfeldt , +# + +# Sun/NeXT audio data +0 string .snd +>12 belong 1 audio/basic +>12 belong 2 audio/basic +>12 belong 3 audio/basic +>12 belong 4 audio/basic +>12 belong 5 audio/basic +>12 belong 6 audio/basic +>12 belong 7 audio/basic + +>12 belong 23 audio/x-adpcm + +# DEC systems (e.g. 
DECstation 5000) use a variant of the Sun/NeXT format +# that uses little-endian encoding and has a different magic number +# (0x0064732E in little-endian encoding). +0 lelong 0x0064732E +>12 lelong 1 audio/x-dec-basic +>12 lelong 2 audio/x-dec-basic +>12 lelong 3 audio/x-dec-basic +>12 lelong 4 audio/x-dec-basic +>12 lelong 5 audio/x-dec-basic +>12 lelong 6 audio/x-dec-basic +>12 lelong 7 audio/x-dec-basic +# compressed (G.721 ADPCM) +>12 lelong 23 audio/x-dec-adpcm + +# Bytes 0-3 of AIFF, AIFF-C, & 8SVX audio files are "FORM" +# AIFF audio data +8 string AIFF audio/x-aiff +# AIFF-C audio data +8 string AIFC audio/x-aiff +# IFF/8SVX audio data +8 string 8SVX audio/x-aiff + + + +# Creative Labs AUDIO stuff +# Standard MIDI data +0 string MThd audio/unknown +#>9 byte >0 (format %d) +#>11 byte >1 using %d channels +# Creative Music (CMF) data +0 string CTMF audio/unknown +# SoundBlaster instrument data +0 string SBI audio/unknown +# Creative Labs voice data +0 string Creative\ Voice\ File audio/unknown +## is this next line right? it came this way... +#>19 byte 0x1A +#>23 byte >0 - version %d +#>22 byte >0 \b.%d + +# [GRR 950115: is this also Creative Labs? Guessing that first line +# should be string instead of unknown-endian long...] 
+#0 long 0x4e54524b MultiTrack sound data +#0 string NTRK MultiTrack sound data +#>4 long x - version %ld + +# Microsoft WAVE format (*.wav) +# [GRR 950115: probably all of the shorts and longs should be leshort/lelong] +# Microsoft RIFF +0 string RIFF +# - WAVE format +>8 string WAVE audio/x-wav +>8 string/B AVI video/x-msvideo +# +>8 string CDRA image/x-coreldraw + +# AAC (aka MPEG-2 NBC) +0 beshort&0xfff6 0xfff0 audio/X-HX-AAC-ADTS +0 string ADIF audio/X-HX-AAC-ADIF +0 beshort&0xffe0 0x56e0 audio/MP4A-LATM +0 beshort 0x4De1 audio/MP4A-LATM + +# MPEG Layer 3 sound files +0 beshort&0xfffe =0xfffa audio/mpeg +#MP3 with ID3 tag +0 string ID3 audio/mpeg +# Ogg/Vorbis +0 string OggS application/ogg + +#------------------------------------------------------------------------------ +# c-lang: file(1) magic for C programs or various scripts +# + +# XPM icons (Greg Roelofs, newt@uchicago.edu) +# ideally should go into "images", but entries below would tag XPM as C source +0 string /*\ XPM image/x-xpmi 7bit + +# 3DS (3d Studio files) +#16 beshort 0x3d3d image/x-3ds + +# this first will upset you if you're a PL/1 shop... (are there any left?) 
+# in which case rm it; ascmagic will catch real C programs +# C or REXX program text +#0 string /* text/x-c +# C++ program text +#0 string // text/x-c++ + +#------------------------------------------------------------------------------ +# commands: file(1) magic for various shells and interpreters +# +#0 string :\ shell archive or commands for antique kernel text +0 string #!/bin/sh application/x-shellscript +0 string #!\ /bin/sh application/x-shellscript +0 string #!/bin/csh application/x-shellscript +0 string #!\ /bin/csh application/x-shellscript +# korn shell magic, sent by George Wu, gwu@clyde.att.com +0 string #!/bin/ksh application/x-shellscript +0 string #!\ /bin/ksh application/x-shellscript +0 string #!/bin/tcsh application/x-shellscript +0 string #!\ /bin/tcsh application/x-shellscript +0 string #!/usr/local/tcsh application/x-shellscript +0 string #!\ /usr/local/tcsh application/x-shellscript +0 string #!/usr/local/bin/tcsh application/x-shellscript +0 string #!\ /usr/local/bin/tcsh application/x-shellscript +# bash shell magic, from Peter Tobias (tobias@server.et-inf.fho-emden.de) +0 string #!/bin/bash application/x-shellscript +0 string #!\ /bin/bash application/x-shellscript +0 string #!/usr/local/bin/bash application/x-shellscript +0 string #!\ /usr/local/bin/bash application/x-shellscript + +# +# zsh/ash/ae/nawk/gawk magic from cameron@cs.unsw.oz.au (Cameron Simpson) +0 string #!/bin/zsh application/x-shellscript +0 string #!/usr/bin/zsh application/x-shellscript +0 string #!/usr/local/bin/zsh application/x-shellscript +0 string #!\ /usr/local/bin/zsh application/x-shellscript +0 string #!/usr/local/bin/ash application/x-shellscript +0 string #!\ /usr/local/bin/ash application/x-shellscript +#0 string #!/usr/local/bin/ae Neil Brown's ae +#0 string #!\ /usr/local/bin/ae Neil Brown's ae +0 string #!/bin/nawk application/x-nawk +0 string #!\ /bin/nawk application/x-nawk +0 string #!/usr/bin/nawk application/x-nawk +0 string #!\ /usr/bin/nawk 
application/x-nawk +0 string #!/usr/local/bin/nawk application/x-nawk +0 string #!\ /usr/local/bin/nawk application/x-nawk +0 string #!/bin/gawk application/x-gawk +0 string #!\ /bin/gawk application/x-gawk +0 string #!/usr/bin/gawk application/x-gawk +0 string #!\ /usr/bin/gawk application/x-gawk +0 string #!/usr/local/bin/gawk application/x-gawk +0 string #!\ /usr/local/bin/gawk application/x-gawk +# +0 string #!/bin/awk application/x-awk +0 string #!\ /bin/awk application/x-awk +0 string #!/usr/bin/awk application/x-awk +0 string #!\ /usr/bin/awk application/x-awk +# update to distinguish from *.vcf files by Joerg Jenderek: joerg dot jenderek at web dot de +#0 regex BEGIN[[:space:]]*[{] application/x-awk + +# For Larry Wall's perl language. The ``eval'' line recognizes an +# outrageously clever hack for USG systems. +# Keith Waclena +0 string #!/bin/perl application/x-perl +0 string #!\ /bin/perl application/x-perl +0 string eval\ "exec\ /bin/perl application/x-perl +0 string #!/usr/bin/perl application/x-perl +0 string #!\ /usr/bin/perl application/x-perl +0 string eval\ "exec\ /usr/bin/perl application/x-perl +0 string #!/usr/local/bin/perl application/x-perl +0 string #!\ /usr/local/bin/perl application/x-perl +0 string eval\ "exec\ /usr/local/bin/perl application/x-perl + +#------------------------------------------------------------------------------ +# compress: file(1) magic for pure-compression formats (no archives) +# +# compress, gzip, pack, compact, huf, squeeze, crunch, freeze, yabba, whap, etc. +# +# Formats for various forms of compressed data +# Formats for "compress" proper have been moved into "compress.c", +# because it tries to uncompress it to figure out what's inside. 
+ +# standard unix compress +#0 string \037\235 application/x-compress + +# gzip (GNU zip, not to be confused with [Info-ZIP/PKWARE] zip archiver) +#0 string \037\213 application/x-gzip + +0 string PK\003\004 application/x-zip + +# RAR archiver (Greg Roelofs, newt@uchicago.edu) +0 string Rar! application/x-rar + +# According to gzip.h, this is the correct byte order for packed data. +0 string \037\036 application/octet-stream +# +# This magic number is byte-order-independent. +# +0 short 017437 application/octet-stream + +# XXX - why *two* entries for "compacted data", one of which is +# byte-order independent, and one of which is byte-order dependent? +# +# compacted data +0 short 0x1fff application/octet-stream +0 string \377\037 application/octet-stream +# huf output +0 short 0145405 application/octet-stream + +# Squeeze and Crunch... +# These numbers were gleaned from the Unix versions of the programs to +# handle these formats. Note that I can only uncrunch, not crunch, and +# I didn't have a crunched file handy, so the crunch number is untested. +# Keith Waclena +#0 leshort 0x76FF squeezed data (CP/M, DOS) +#0 leshort 0x76FE crunched data (CP/M, DOS) + +# Freeze +#0 string \037\237 Frozen file 2.1 +#0 string \037\236 Frozen file 1.0 (or gzip 0.5) + +# lzh? +#0 string \037\240 LZH compressed data + +257 string ustar\0 application/x-tar posix +257 string ustar\040\040\0 application/x-tar gnu + +0 short 070707 application/x-cpio +0 short 0143561 application/x-cpio swapped + +0 string = application/x-archive +0 string \! 
application/x-archive +>8 string debian application/x-debian-package + +#------------------------------------------------------------------------------ +# +# RPM: file(1) magic for Red Hat Packages Erik Troan (ewt@redhat.com) +# +0 beshort 0xedab +>2 beshort 0xeedb application/x-rpm + +0 lelong&0x8080ffff 0x0000081a application/x-arc lzw +0 lelong&0x8080ffff 0x0000091a application/x-arc squashed +0 lelong&0x8080ffff 0x0000021a application/x-arc uncompressed +0 lelong&0x8080ffff 0x0000031a application/x-arc packed +0 lelong&0x8080ffff 0x0000041a application/x-arc squeezed +0 lelong&0x8080ffff 0x0000061a application/x-arc crunched + +0 leshort 0xea60 application/x-arj + +# LHARC/LHA archiver (Greg Roelofs, newt@uchicago.edu) +2 string -lh0- application/x-lharc lh0 +2 string -lh1- application/x-lharc lh1 +2 string -lz4- application/x-lharc lz4 +2 string -lz5- application/x-lharc lz5 +# [never seen any but the last; -lh4- reported in comp.compression:] +2 string -lzs- application/x-lha lzs +2 string -lh\ - application/x-lha lh +2 string -lhd- application/x-lha lhd +2 string -lh2- application/x-lha lh2 +2 string -lh3- application/x-lha lh3 +2 string -lh4- application/x-lha lh4 +2 string -lh5- application/x-lha lh5 +2 string -lh6- application/x-lha lh6 +2 string -lh7- application/x-lha lh7 +# Shell archives +10 string #\ This\ is\ a\ shell\ archive application/octet-stream x-shell + +#------------------------------------------------------------------------------ +# frame: file(1) magic for FrameMaker files +# +# This stuff came on a FrameMaker demo tape, most of which is +# copyright, but this file is "published" as witness the following: +# +0 string \ +# +0 string/cB \14 byte 12 (OS/2 1.x format) +#>14 byte 64 (OS/2 2.x format) +#>14 byte 40 (Windows 3.x format) +#0 string IC icon +#0 string PI pointer +#0 string CI color icon +#0 string CP color pointer +#0 string BA bitmap array + +# CDROM Filesystems +32769 string CD001 application/x-iso9660 + +# Newer StuffIt 
archives (grant@netbsd.org) +0 string StuffIt application/x-stuffit +#>162 string >0 : %s + +# BinHex is the Macintosh ASCII-encoded file format (see also "apple") +# Daniel Quinlan, quinlan@yggdrasil.com +11 string must\ be\ converted\ with\ BinHex\ 4 application/mac-binhex40 +##>41 string x \b, version %.3s + + +#------------------------------------------------------------------------------ +# lisp: file(1) magic for lisp programs +# +# various lisp types, from Daniel Quinlan (quinlan@yggdrasil.com) +0 string ;; text/plain 8bit +# Emacs 18 - this is always correct, but not very magical. +0 string \012( application/x-elc +# Emacs 19 +0 string ;ELC\023\000\000\000 application/x-elc + +#------------------------------------------------------------------------------ +# mail.news: file(1) magic for mail and news +# +# There are tests to ascmagic.c to cope with mail and news. +0 string Relay-Version: message/rfc822 7bit +0 string #!\ rnews message/rfc822 7bit +0 string N#!\ rnews message/rfc822 7bit +0 string Forward\ to message/rfc822 7bit +0 string Pipe\ to message/rfc822 7bit +0 string Return-Path: message/rfc822 7bit +0 string Received: message/rfc822 +0 string Path: message/news 8bit +0 string Xref: message/news 8bit +0 string 
From: message/rfc822 7bit +0 string Article message/news 8bit +#------------------------------------------------------------------------------ +# msword: file(1) magic for MS Word files +# +# Contributor claims: +# Reversed-engineered MS Word magic numbers +# + +0 string \376\067\0\043 application/msword +0 string \320\317\021\340\241\261 application/msword +0 string \333\245-\0\0\0 application/msword + + + +#------------------------------------------------------------------------------ +# printer: file(1) magic for printer-formatted files +# + +# PostScript +0 string %! application/postscript +0 string \004%! application/postscript + +# Acrobat +# (due to clamen@cs.cmu.edu) +0 string %PDF- application/pdf + +#------------------------------------------------------------------------------ +# sc: file(1) magic for "sc" spreadsheet +# +38 string Spreadsheet application/x-sc + +#------------------------------------------------------------------------------ +# tex: file(1) magic for TeX files +# +# XXX - needs byte-endian stuff (big-endian and little-endian DVI?) +# +# From + +# Although we may know the offset of certain text fields in TeX DVI +# and font files, we can't use them reliably because they are not +# zero terminated. [but we do anyway, christos] +0 string \367\002 application/x-dvi +#0 string \367\203 TeX generic font data +#0 string \367\131 TeX packed font data +#0 string \367\312 TeX virtual font data +#0 string This\ is\ TeX, TeX transcript text +#0 string This\ is\ METAFONT, METAFONT transcript text + +# There is no way to detect TeX Font Metric (*.tfm) files without +# breaking them apart and reading the data. The following patterns +# match most *.tfm files generated by METAFONT or afm2tfm. 
+2 string \000\021 application/x-tex-tfm +2 string \000\022 application/x-tex-tfm +#>34 string >\0 (%s) + +# Texinfo and GNU Info, from Daniel Quinlan (quinlan@yggdrasil.com) +0 string \\input\ texinfo text/x-texinfo +0 string This\ is\ Info\ file text/x-info + +# correct TeX magic for Linux (and maybe more) +# from Peter Tobias (tobias@server.et-inf.fho-emden.de) +# +0 leshort 0x02f7 application/x-dvi + +# RTF - Rich Text Format +0 string {\\rtf text/rtf + +#------------------------------------------------------------------------------ +# animation: file(1) magic for animation/movie formats +# +# animation formats, originally from vax@ccwf.cc.utexas.edu (VaX#n8) +# MPEG file +# MPEG sequences +0 belong 0x000001BA +>4 byte &0x40 video/mp2p +>4 byte ^0x40 video/mpeg +0 belong 0x000001BB video/mpeg +0 belong 0x000001B0 video/mp4v-es +0 belong 0x000001B5 video/mp4v-es +0 belong 0x000001B3 video/mpv +0 belong&0xFF5FFF1F 0x47400010 video/mp2t +0 belong 0x00000001 +>4 byte&0x1F 0x07 video/h264 + +# FLI animation format +0 leshort 0xAF11 video/fli +# FLC animation format +0 leshort 0xAF12 video/flc +# +# SGI and Apple formats +# Added ISO mimes +0 string MOVI video/sgi +4 string moov video/quicktime +4 string mdat video/quicktime +4 string wide video/quicktime +4 string skip video/quicktime +4 string free video/quicktime +4 string idsc image/x-quicktime +4 string idat image/x-quicktime +4 string pckg application/x-quicktime +4 string/B jP image/jp2 +4 string ftyp +>8 string isom video/mp4 +>8 string mp41 video/mp4 +>8 string mp42 video/mp4 +>8 string/B jp2 image/jp2 +>8 string 3gp video/3gpp +>8 string avc1 video/3gpp +>8 string mmp4 video/mp4 +>8 string/B M4A audio/mp4 +>8 string/B qt video/quicktime +# The contributor claims: +# I couldn't find a real magic number for these, however, this +# -appears- to work. Note that it might catch other files, too, +# so BE CAREFUL! 
+# +# Note that title and author appear in the two 20-byte chunks +# at decimal offsets 2 and 22, respectively, but they are XOR'ed with +# 255 (hex FF)! DL format SUCKS BIG ROCKS. +# +# DL file version 1 , medium format (160x100, 4 images/screen) +0 byte 1 video/unknown +0 byte 2 video/unknown +# +# Databases +# +# GDBM magic numbers +# Will be maintained as part of the GDBM distribution in the future. +# +0 belong 0x13579ace application/x-gdbm +0 lelong 0x13579ace application/x-gdbm +0 string GDBM application/x-gdbm +# +0 belong 0x061561 application/x-dbm +# +# Executables +# +0 string \177ELF +>16 leshort 0 application/octet-stream +>16 leshort 1 application/x-object +>16 leshort 2 application/x-executable +>16 leshort 3 application/x-sharedlib +>16 leshort 4 application/x-coredump +>16 beshort 0 application/octet-stream +>16 beshort 1 application/x-object +>16 beshort 2 application/x-executable +>16 beshort 3 application/x-sharedlib +>16 beshort 4 application/x-coredump +# +# DOS +0 string MZ application/x-dosexec +# +# KDE +0 string [KDE\ Desktop\ Entry] application/x-kdelnk +0 string \#\ KDE\ Config\ File application/x-kdelnk +# xmcd database file for kscd +0 string \#\ xmcd text/xmcd + +#------------------------------------------------------------------------------ +# pkgadd: file(1) magic for SysV R4 PKG Datastreams +# +0 string #\ PaCkAgE\ DaTaStReAm application/x-svr4-package + +#PNG Image Format +0 string \x89PNG image/png + +# MNG Video Format, +0 string \x8aMNG video/x-mng +0 string \x8aJNG video/x-jng + +#------------------------------------------------------------------------------ +# Hierarchical Data Format, used to facilitate scientific data exchange +# specifications at http://hdf.ncsa.uiuc.edu/ +#Hierarchical Data Format (version 4) data +0 belong 0x0e031301 application/x-hdf +#Hierarchical Data Format (version 5) data +0 string \211HDF\r\n\032 application/x-hdf + +# Adobe Photoshop +0 string 8BPS image/x-photoshop + +# Felix von Leitner +0 
string d8:announce application/x-bittorrent + + +# lotus 1-2-3 document +0 belong 0x00001a00 application/x-123 +0 belong 0x00000200 application/x-123 + +# MS Access database +4 string Standard\ Jet\ DB application/msaccess + +## magic for XBase files +#0 byte 0x02 +#>8 leshort >0 +#>>12 leshort 0 application/x-dbf +# +#0 byte 0x03 +#>8 leshort >0 +#>>12 leshort 0 application/x-dbf +# +#0 byte 0x04 +#>8 leshort >0 +#>>12 leshort 0 application/x-dbf +# +#0 byte 0x05 +#>8 leshort >0 +#>>12 leshort 0 application/x-dbf +# +#0 byte 0x30 +#>8 leshort >0 +#>>12 leshort 0 application/x-dbf +# +#0 byte 0x43 +#>8 leshort >0 +#>>12 leshort 0 application/x-dbf +# +#0 byte 0x7b +#>8 leshort >0 +#>>12 leshort 0 application/x-dbf +# +#0 byte 0x83 +#>8 leshort >0 +#>>12 leshort 0 application/x-dbf +# +#0 byte 0x8b +#>8 leshort >0 +#>>12 leshort 0 application/x-dbf +# +#0 byte 0x8e +#>8 leshort >0 +#>>12 leshort 0 application/x-dbf +# +#0 byte 0xb3 +#>8 leshort >0 +#>>12 leshort 0 application/x-dbf +# +#0 byte 0xf5 +#>8 leshort >0 +#>>12 leshort 0 application/x-dbf +# +#0 leshort 0x0006 application/x-dbt + +# Debian has entries for the old PGP formats: +# pgp: file(1) magic for Pretty Good Privacy +# see http://lists.gnupg.org/pipermail/gnupg-devel/1999-September/016052.html +#text/PGP key public ring +0 beshort 0x9900 application/pgp +#text/PGP key security ring +0 beshort 0x9501 application/pgp +#text/PGP key security ring +0 beshort 0x9500 application/pgp +#text/PGP encrypted data +0 beshort 0xa600 application/pgp-encrypted +#text/PGP armored data +##public key block +2 string ---BEGIN\ PGP\ PUBLIC\ KEY\ BLOCK- application/pgp-keys +0 string -----BEGIN\040PGP\40MESSAGE- application/pgp +0 string -----BEGIN\040PGP\40SIGNATURE- application/pgp-signature +# +# GnuPG Magic: +# +# +#text/GnuPG key public ring +0 beshort 0x9901 application/pgp +#text/OpenPGP data +0 beshort 0x8501 application/pgp-encrypted + +# flash: file(1) magic for Macromedia Flash file format +# +# See +# +# 
http://www.macromedia.com/software/flash/open/ +# +0 string FWS +>3 byte x application/x-shockwave-flash + +# The following paramaters are created for Namazu. +# +# +# 1999/08/13 +#0 string \ - - diff --git a/config/nginx/mime.types b/config/nginx/mime.types old mode 100755 new mode 100644 index 89be9a4..cd3d700 --- a/config/nginx/mime.types +++ b/config/nginx/mime.types @@ -1,4 +1,3 @@ - types { text/html html htm shtml; text/css css; diff --git a/config/nginx/modules.conf b/config/nginx/modules.conf index 255ae8e..1b87b68 100644 --- a/config/nginx/modules.conf +++ b/config/nginx/modules.conf @@ -1,10 +1,10 @@ -load_module modules/ngx_http_auth_pam_module.so; -load_module modules/ngx_http_dav_ext_module.so; -load_module modules/ngx_http_echo_module.so; -load_module modules/ngx_http_geoip_module.so; -load_module modules/ngx_http_image_filter_module.so; -load_module modules/ngx_http_subs_filter_module.so; -load_module modules/ngx_http_upstream_fair_module.so; -load_module modules/ngx_http_xslt_filter_module.so; -load_module modules/ngx_mail_module.so; -load_module modules/ngx_stream_module.so; +# load_module modules/ngx_http_auth_pam_module.so; +# load_module modules/ngx_http_echo_module.so; +# load_module modules/ngx_http_image_filter_module.so; +# load_module modules/ngx_http_upstream_fair_module.so; +# load_module modules/ngx_mail_module.so; +# load_module modules/ngx_http_dav_ext_module.so; +# load_module modules/ngx_http_geoip_module.so; +# load_module modules/ngx_http_subs_filter_module.so; +# load_module modules/ngx_http_xslt_filter_module.so; +# load_module modules/ngx_stream_module.so; diff --git a/config/nginx/nginx.conf b/config/nginx/nginx.conf old mode 100755 new mode 100644 index b3616c6..16c7d18 --- a/config/nginx/nginx.conf +++ b/config/nginx/nginx.conf @@ -1,7 +1,7 @@ -user www-data; +user webmaster; worker_processes 1; pid /var/run/nginx.pid; -#include /etc/nginx/modules.conf; +include /etc/nginx/modules.conf; events { worker_connections 1024; 
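Review bot: `user webmaster;` replaces the stock `www-data` as the worker identity, and nothing in the hunk says whether `webmaster` is a dedicated unprivileged account; if it is also the deploy or shell account that owns the document roots, every worker inherits write access to the files it serves, which a separate `www-data` user is there to prevent. If the change is intentional, add a line such as `# workers run as webmaster: dedicated account, no shell, read-only on web roots` and confirm the account actually matches that. Enabling `include /etc/nginx/modules.conf;` is harmless only as long as every `load_module` there stays commented, as the modules.conf hunk earlier on this line shows; a comment saying the include is a placeholder would make that dependency visible.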
@@ -20,23 +20,25 @@ http { client_body_timeout 12; client_header_timeout 12; - keepalive_timeout 65; + keepalive_timeout 70; keepalive_requests 10000; send_timeout 10; - client_body_buffer_size 10K; - client_header_buffer_size 1k; client_max_body_size 384m; - output_buffers 1 32k; - postpone_output 1460; - large_client_header_buffers 2 1k; + client_body_buffer_size 32k; + client_header_buffer_size 8k; + large_client_header_buffers 8 64k; types_hash_max_size 1024; - server_names_hash_bucket_size 64; + output_buffers 1 32k; + postpone_output 1460; server_name_in_redirect off; include /etc/nginx/mime.types; default_type application/octet-stream; + # Default index file + index suspended.html index.php index.html default.html; + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for" ' 
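Review bot: `large_client_header_buffers 8 64k;` lets nginx allocate up to 512 KiB of header buffers for a single request whose headers overflow the 8k `client_header_buffer_size`, which is far beyond any legitimate cookie or token size and makes oversized-header requests a cheap memory amplifier; `large_client_header_buffers 4 16k;` still fixes the `2 1k` limit the hunk removes without that headroom. `index suspended.html index.php index.html default.html;` is also set for the whole `http` block, so a `suspended.html` left in any document root silently shadows `index.php`; if suspension is meant to be operator-controlled, a comment on where that file is placed and by whom would help. The enclosing `http {` block starts outside this hunk.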
@@ -44,24 +46,24 @@ http { 'ua="$upstream_addr" us="$upstream_status" ' 'ut="$upstream_response_time" ul="$upstream_response_length" ' 'cs=$upstream_cache_status'; - access_log /var/log/nginx/access.log main; error_log /var/log/nginx/error.log warn; ## ## SSL Settings - ssl_dhparam /etc/ssl/certs/dhparam.pem; ssl_protocols TLSv1.3 TLSv1.2; - ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL; - ssl_ecdh_curve secp384r1; + ssl_session_tickets off; + ssl_session_timeout 10m; + ssl_session_cache shared:SSL:10m; + ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DHE+AES128:!ADH:!AECDH:!MD5:!ECDHE-RSA-AES256-SHA384:!ECDHE-RSA-AES256-SHA:!ECDHE-RSA-AES128-SHA256:!DHE-RSA-AES128-SHA256:!DHE-RSA-AES128-SHA; + ssl_ecdh_curve secp384r1; ssl_prefer_server_ciphers on; - ssl_session_cache shared:SSL:10m; - ssl_session_timeout 20m; - ssl_session_tickets off; - ssl_stapling on; - ssl_stapling_verify on; - resolver 209.244.0.3 209.244.0.4 valid=300s; - resolver_timeout 5s; + ssl_stapling on; + ssl_stapling_verify on; + resolver 1.1.1.1 [2606:4700:4700::1111] valid=300s; + resolver_timeout 5s; + ssl_trusted_certificate /etc/ssl/certs/chain.pem; + ssl_dhparam /etc/ssl/certs/dhparam-4096.pem; ## ## Gzip Settings @@ -82,4 +84,17 @@ http { ## Extra config and VirtualHost include /etc/nginx/conf.d/*.conf; include /etc/nginx/vhost.d/*.conf; + + ## + ## Required by Nginx Amplify + ## curl -k http://127.0.0.1/nginx_status + server { + listen 127.0.0.1:80; + server_name 127.0.0.1; + location /nginx_status { + stub_status on; + allow 127.0.0.1; + deny all; + } + } } diff --git a/config/nginx/proxy_params b/config/nginx/proxy_params deleted file mode 100755 index df75bc5..0000000 --- a/config/nginx/proxy_params +++ /dev/null @@ -1,4 +0,0 @@ -proxy_set_header Host $http_host; -proxy_set_header X-Real-IP $remote_addr; -proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; -proxy_set_header X-Forwarded-Proto $scheme; 
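Review bot: The hunk removes the http-level `access_log /var/log/nginx/access.log main;` without a replacement, so any vhost under `vhost.d/` or `conf.d/` that does not set its own `access_log` now writes to nginx's compiled-in default log path in `combined` format, and the `main` format defined just above the hunk with the upstream and cache fields is no longer used anywhere visible — for incident response that means requests can end up in an unexpected file without those fields. Either keep `access_log /var/log/nginx/access.log main;` here or add a comment stating that every vhost must set it. `ssl_ecdh_curve secp384r1;` pins a single group and drops X25519 and P-256, which TLS 1.3 clients prefer; `ssl_ecdh_curve X25519:secp384r1:prime256v1;` keeps a server preference without failing handshakes for clients that lack P-384. The new cipher list replaces `!aNULL` with `!ADH:!AECDH`, which covers the same anonymous suites, but a short comment explaining why individual CBC suites are excluded by name rather than with `!SHA1` would save the next editor from re-deriving it.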
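Review bot: The new `server { listen 127.0.0.1:80; ... }` is the only block bound to that specific address, and nginx selects the server by listen address before it looks at `Host`, so as far as I can tell every loopback request to port 80 — including local health checks that send a `Host:` header for another vhost — will be answered by this stub block instead of the vhost the caller expects. If that is not intended, put the `location /nginx_status` with its `allow 127.0.0.1; deny all;` inside the default server rather than a dedicated listener, or document the side effect next to the block. The comment's example `curl -k http://127.0.0.1/nginx_status` passes `-k` to a plain-http URL where it does nothing; `curl http://127.0.0.1/nginx_status` is the accurate example. Adding `access_log off;` to the location keeps the monitoring poll out of the access log.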
diff --git a/config/nginx/scgi_params b/config/nginx/scgi_params
deleted file mode 100755
index 6d4ce4f..0000000
--- a/config/nginx/scgi_params
+++ /dev/null
@@ -1,17 +0,0 @@
-
-scgi_param REQUEST_METHOD $request_method;
-scgi_param REQUEST_URI $request_uri;
-scgi_param QUERY_STRING $query_string;
-scgi_param CONTENT_TYPE $content_type;
-
-scgi_param DOCUMENT_URI $document_uri;
-scgi_param DOCUMENT_ROOT $document_root;
-scgi_param SCGI 1;
-scgi_param SERVER_PROTOCOL $server_protocol;
-scgi_param REQUEST_SCHEME $scheme;
-scgi_param HTTPS $https if_not_empty;
-
-scgi_param REMOTE_ADDR $remote_addr;
-scgi_param REMOTE_PORT $remote_port;
-scgi_param SERVER_PORT $server_port;
-scgi_param SERVER_NAME $server_name;
diff --git a/config/nginx/server.d/common_param.conf b/config/nginx/server.d/common_param.conf
new file mode 100644
index 0000000..2fe1802
--- /dev/null
+++ b/config/nginx/server.d/common_param.conf
@@ -0,0 +1,20 @@
+# Global restriction
+location = /robots.txt { log_not_found off; access_log off; allow all; }
+location ~ \.well-known { log_not_found off; access_log off; allow all; }
+location ~ \.(htaccess|htpasswd|db|yml|log|svn|git|twig|cfg|conf|ini|tpl)$ {
+ return 444;
+}
+
+# Site favicon
+location = /favicon.ico {
+ expires 1M; access_log off; log_not_found off;
+ add_header Cache-Control 'public, no-transform';
+ add_header X-Permitted-Cross-Domain-Policies none;
+ add_header X-Download-Options noopen;
+ add_header X-Robots-Tag none;
+ allow all;
+}
+
+# Common header control
+add_header X-Download-Options noopen;
+add_header Cache-Control 'public, max-age=43200';
diff --git a/config/nginx/server.d/cors.conf b/config/nginx/server.d/cors.conf
new file mode 100644
index 0000000..5f57ca1
--- /dev/null
+++ b/config/nginx/server.d/cors.conf
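Review bot: The server-level `add_header Cache-Control 'public, max-age=43200';` at the bottom of this hunk is inherited by every response from a location that sets no `add_header` of its own, including dynamic PHP pages that may carry session cookies or per-user content, and `public` explicitly allows shared caches and any reverse proxy in front to store them for 12 hours; scope it to static-asset locations or drop `public` and let the application decide. The deny pattern `\.(htaccess|htpasswd|db|yml|log|svn|git|twig|cfg|conf|ini|tpl)$` only matches when the last path segment ends in one of those tokens, so files inside dotfile directories such as `.git/` or `.svn/` are not covered; `location ~ /\.(?!well-known) { return 444; }` is the usual complement and keeps ACME challenges reachable. The deleted server.d/server.conf further down also carried `location = /wp-config.php { deny all; }` and a GET/HEAD/POST method filter, neither of which this replacement file brings over.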
@@ -0,0 +1,37 @@
+#
+# CORS header support
+#
+# One way to use this is by placing it into a file called "cors_support"
+# under your Nginx configuration directory and placing the following
+# statement inside your **location** block(s):
+#
+# include cors_support;
+#
+# As of Nginx 1.7.5, add_header supports an "always" parameter which
+# allows CORS to work if the backend returns 4xx or 5xx status code.
+#
+# For more information on CORS, please see: http://enable-cors.org/
+# Forked from this Gist: https://gist.github.com/michiel/1064640
+#
+
+set $cors '';
+if ($http_origin ~ '^https?://(localhost|www\.yourdomain\.com|www\.yourotherdomain\.com)') {
+ set $cors 'true';
+}
+
+if ($cors = 'true') {
+ add_header 'Access-Control-Allow-Origin' "$http_origin" always;
+ add_header 'Access-Control-Allow-Credentials' 'true' always;
+ add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS' always;
+ add_header 'Access-Control-Allow-Headers' 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Requested-With' always;
+ # required to be able to read Authorization header in frontend
+ #add_header 'Access-Control-Expose-Headers' 'Authorization' always;
+}
+
+if ($request_method = 'OPTIONS') {
+ # Tell client that this pre-flight info is valid for 20 days
+ add_header 'Access-Control-Max-Age' 1728000;
+ add_header 'Content-Type' 'text/plain charset=UTF-8';
+ add_header 'Content-Length' 0;
+ return 204;
+}
diff --git a/config/nginx/server.d/errorpage_param.conf b/config/nginx/server.d/errorpage_param.conf
new file mode 100644
index 0000000..e553f56
--- /dev/null
+++ b/config/nginx/server.d/errorpage_param.conf
@@ -0,0 +1,7 @@
+# Custom 404 page
+error_page 404 /404.html;
+location = /404.html { root /usr/share/nginx/html; }
+
+# Custom error page
+error_page 500 502 503 504 /50x.html;
+location = /50x.html { root /usr/share/nginx/html; }
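Review bot: The origin allow-list regex `'^https?://(localhost|www\.yourdomain\.com|www\.yourotherdomain\.com)'` is anchored only at the start, and the matching branch adds `Access-Control-Allow-Credentials: true`, so any origin whose host merely begins with one of those names — or that uses plain `http://` — gets its `$http_origin` reflected in `Access-Control-Allow-Origin` together with credentials. Anchor the end and require https (keep `http` only for the localhost entry if local development needs it): `if ($http_origin ~ '^https://(localhost|www\.yourdomain\.com|www\.yourotherdomain\.com)(:[0-9]+)?$') {`. Separately, the `if ($request_method = 'OPTIONS')` block declares its own `add_header` directives, and nginx does not merge `add_header` across levels, so the preflight response carries `Access-Control-Max-Age` but none of the `Access-Control-Allow-*` headers from the `$cors` block above; the Allow-* lines need to be repeated inside the OPTIONS block for preflights to succeed. The file header says it is meant for `location` blocks while these directives are also valid at server level; a note on the intended include scope would avoid accidental double application.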
diff --git a/config/nginx/fastcgi_params b/config/nginx/server.d/fastcgi_param.conf old mode 100755 new mode 100644 similarity index 72% rename from config/nginx/fastcgi_params rename to config/nginx/server.d/fastcgi_param.conf index 238f786..d5fa38f --- a/config/nginx/fastcgi_params +++ b/config/nginx/server.d/fastcgi_param.conf @@ -1,4 +1,3 @@ -fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param QUERY_STRING $query_string; fastcgi_param REQUEST_METHOD $request_method; fastcgi_param CONTENT_TYPE $content_type; @@ -22,4 +21,15 @@ fastcgi_param SERVER_PORT $server_port; fastcgi_param SERVER_NAME $server_name; # PHP only, required if PHP was built with --enable-force-cgi-redirect -fastcgi_param REDIRECT_STATUS 200; \ No newline at end of file +fastcgi_param REDIRECT_STATUS 200; + +# Parameter for PHP-FPM +fastcgi_hide_header X-Powered-By; +fastcgi_intercept_errors on; +fastcgi_index index.php; + +try_files $fastcgi_script_name =404; +set $path_info $fastcgi_path_info; +fastcgi_split_path_info ^(.+?\.php)(|/.*)$; +fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; +fastcgi_param PATH_INFO $path_info; diff --git a/config/nginx/server.d/header_param.conf b/config/nginx/server.d/header_param.conf new file mode 100644 index 0000000..8b67d3d --- /dev/null +++ b/config/nginx/server.d/header_param.conf @@ -0,0 +1,7 @@ +# Enhanced security +#add_header X-Frame-Options SAMEORIGIN; +#add_header X-Content-Type-Options nosniff; +#add_header X-XSS-Protection '1; mode=block'; +#add_header Strict-Transport-Security 'max-age=15768000; preload'; +#add_header X-Permitted-Cross-Domain-Policies master-only; +#add_header Referrer-Policy 'same-origin'; diff --git a/config/nginx/server.d/listen_ipv6.conf b/config/nginx/server.d/listen_ipv6.conf new file mode 100644 index 0000000..191e1df --- /dev/null +++ b/config/nginx/server.d/listen_ipv6.conf @@ -0,0 +1,2 @@ +listen [::]:80; +listen [::]:443 ssl http2; 
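Review bot: The second hunk turns this file from a pure parameter list into location-scoped configuration — `fastcgi_split_path_info` is accepted only inside a `location`, and `try_files`/`set` only in `server` or `location` — but nothing in the file says so, and under its old name `fastcgi_params` it was conventionally included at `http` level as well. Add a header comment along the lines of `# Include only from a location ~ \.php$ block that also sets fastcgi_pass; contains try_files/set/fastcgi_split_path_info, which nginx rejects at http level.`. `try_files $fastcgi_script_name =404;` is the line that keeps requests for non-existent scripts from reaching PHP-FPM (the `cgi.fix_pathinfo` case), so give it its own why-comment, e.g. `# refuse to hand non-existent scripts to FPM; required with cgi.fix_pathinfo=1`. The first hunk only moves `SCRIPT_FILENAME` to the end of the file with its value unchanged, which is fine.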
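Review bot: header_param.conf is titled `# Enhanced security` but every header in it is commented out, so including it has no effect; `add_header X-Content-Type-Options nosniff;` and `add_header X-Frame-Options SAMEORIGIN;` have no realistic compatibility cost and can ship enabled, leaving HSTS and `Referrer-Policy` as the opt-in lines. The HSTS value `max-age=15768000; preload` would not be accepted by the preload list anyway, which requires `includeSubDomains` and a max-age of at least one year, so either drop `preload` or mark the line as a placeholder in the comment. Also worth a comment: `add_header` is inherited only into levels that define no `add_header` of their own, so once enabled these headers vanish in any `location` that adds its own header, such as the favicon location in common_param.conf.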
diff --git a/config/nginx/server.d/maintenance.conf b/config/nginx/server.d/maintenance.conf
deleted file mode 100755
index eb3f3f3..0000000
--- a/config/nginx/server.d/maintenance.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-location / {
- if ($remote_addr !~* "127.0.0.1|10.0.0.0/24|$ALLOWED_IP") {
- return 503;
- }
-}
-
-error_page 503 @maintenance;
-
-location @maintenance {
- rewrite ^(.*)$ /maintenance.html break;
-}
\ No newline at end of file
diff --git a/config/nginx/server.d/phpfpm.conf b/config/nginx/server.d/phpfpm.conf
deleted file mode 100755
index 7e7a8c1..0000000
--- a/config/nginx/server.d/phpfpm.conf
+++ /dev/null
@@ -1,7 +0,0 @@
-fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
-fastcgi_hide_header X-Powered-By;
-try_files $fastcgi_script_name =404;
-set $path_info $fastcgi_path_info;
-fastcgi_param PATH_INFO $path_info;
-fastcgi_index index.php;
-include fastcgi_params;
\ No newline at end of file
diff --git a/config/nginx/server.d/phpmyadmin.conf b/config/nginx/server.d/phpmyadmin.conf
new file mode 100644
index 0000000..1c636f7
--- /dev/null
+++ b/config/nginx/server.d/phpmyadmin.conf
@@ -0,0 +1,19 @@
+# phpMyAdmin
+if ($http_host !~* "(localhost)|($hostname)") {
+ rewrite ^/php?myadmin(.*)$ https://$hostname/myadmin redirect;
+}
+
+rewrite ^/php?myadmin(.*)$ /myadmin redirect;
+location /myadmin {
+ root /var/www/;
+ index index.php index.html;
+ location ~ ^/myadmin/(.+\.php)$ {
+ fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
+ include server.d/fastcgi_param.conf;
+ fastcgi_read_timeout 1200;
+ root /var/www/;
+ }
+ location ~* ^/myadmin/(.+\.(html|xml|txt|css|js|jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|webm|htc|eot|ttf|ttc|otf|woff|woff2))$ {
+ root /var/www/;
+ }
+}
diff --git a/config/nginx/server.d/proxy_param.conf b/config/nginx/server.d/proxy_param.conf
new file mode 100644
index 0000000..c20290a
--- /dev/null
+++ b/config/nginx/server.d/proxy_param.conf
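Review bot: `rewrite ^/php?myadmin(.*)$` (used twice in this hunk) makes only the `p` optional, so it matches `/phpmyadmin` and `/phmyadmin` but not `/myadmin`, and the `(.*)` capture is thrown away; the intended form is `rewrite ^/(php)?myadmin(.*)$ /myadmin redirect;`. More importantly the `location /myadmin` block publishes phpMyAdmin to every client that reaches the host with only phpMyAdmin's own login in front of it, and `if ($http_host !~* "(localhost)|($hostname)")` is an unanchored regex built from the machine's `$hostname` that only redirects rather than restricts; the usual minimum is `allow ADMIN_NET_PLACEHOLDER; deny all;` (constructed placeholder for the admin network) or `auth_basic` on that location, optionally combined with `satisfy any;`. `root /var/www/;` repeated in both nested locations is redundant with the outer one, and `https://$hostname/myadmin` as a redirect target is only correct when the machine hostname is a public DNS name with a matching certificate.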
@@ -0,0 +1,24 @@ +# Common proxy params +proxy_set_header Host $http_host; +proxy_set_header X-Real-IP $remote_addr; +proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; +proxy_set_header X-Forwarded-Proto $scheme; +proxy_hide_header X-Powered-By; + +proxy_redirect off; +proxy_hide_header Vary; +proxy_set_header Referer $http_referer; +proxy_set_header Cookie $http_cookie; +proxy_set_header X-Forwarded-Host $host; +proxy_set_header X-Forwarded-Server $host; +proxy_pass_header Set-Cookie; + +# Enhanced proxy params +proxy_http_version 1.1; +proxy_set_header X-Forwarded-Port $server_port; +proxy_set_header X-Request-URI $request; +proxy_set_header Upgrade $http_upgrade; +proxy_set_header Connection "upgrade"; +proxy_cache_bypass $http_upgrade; +proxy_next_upstream error timeout http_500; +proxy_buffering off; diff --git a/config/nginx/server.d/redirector.conf b/config/nginx/server.d/redirector.conf new file mode 100644 index 0000000..15de31f --- /dev/null +++ b/config/nginx/server.d/redirector.conf @@ -0,0 +1,15 @@ +# cPanel redirect +location /cpanel { + add_header X-Robots-Tag 'noindex, nofollow, nosnippet, noarchive'; + return 301 https://$hostname:2080; +} + +# redirect www to non-www +if ( $host ~ ^www\.(?.+)$ ) { + return 301 $scheme://$domain$request_uri; +} + +# Redirect to https +# if ($scheme = http) { +# return 301 https://$host$request_uri; +# } diff --git a/config/nginx/server.d/server.conf b/config/nginx/server.d/server.conf deleted file mode 100755 index 73219c4..0000000 --- a/config/nginx/server.d/server.conf +++ /dev/null 
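Review bot: `proxy_set_header Connection "upgrade";` is sent on every proxied request, not only when the client sent `Upgrade`, which defeats upstream keepalive and tells the backend a protocol switch is coming when it is not; the usual fix is `map $http_upgrade $connection_upgrade { default upgrade; '' close; }` in http context and `proxy_set_header Connection $connection_upgrade;` here (the map cannot live in this include, so it needs a comment pointing at nginx.conf). `X-Forwarded-For $proxy_add_x_forwarded_for` appends to whatever the client supplied, so the upstream must trust only the last hop — or read `X-Real-IP`, which is overwritten from `$remote_addr` — and that contract deserves a comment next to the two lines. `proxy_hide_header Vary;` strips the upstream's `Vary` from responses, so any cache in front (or the browser) may serve one variant for another; if the intent is to drop one specific `Vary` value, say which, otherwise remove the line.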
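Review bot: `if ( $host ~ ^www\.(?.+)$ )` is not a valid PCRE group as shown, and the `$domain` used in `return 301 $scheme://$domain$request_uri;` is never defined anywhere in the diff; this looks like a named capture that lost its `<domain>` part in rendering, so please confirm the committed file reads `if ($host ~ ^www\.(?<domain>.+)$) {`. Because `$scheme` is carried over, an http request to www stays on http after the hop; if the site is meant to be TLS-only, enable the commented https redirect below or make the www redirect target `https://` directly. The `/cpanel` redirect now points at `https://$hostname:2080` while the deleted server.conf used port 2082 — worth double-checking which service actually listens on the new port.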
@@ -1,36 +0,0 @@ -# limit_conn conn_limit_per_ip 10; -# limit_req zone=req_limit_per_ip burst=10 nodelay; - -index index.php index.html default.html; -location = /wp-config.php { deny all; } -location = /favicon.ico { log_not_found off; access_log off; allow all; } -location = /robots.txt { log_not_found off; access_log off; allow all; } -location ~ \.well-known { log_not_found off; access_log off; allow all; } -location ~ \.(htaccess|htpasswd|db|yml|log|svn|git|twig|cfg|conf|ini|tpl)$ { return 444; } - -# SSL Trusted Certificate -ssl_trusted_certificate /etc/ssl/certs/chain.pem; - -# Force https-redirects -if ($scheme = http) { - return 301 https://$server_name$request_uri; -} - -# Only allow specified method -if ($request_method !~ ^(GET|HEAD|POST)$ ) { - return 405; -} - -# Redirect to phpMyAdmin URL -if ($http_host !~* "HOSTNAME") { - rewrite ^/myadmin(.*)$ https://$hostname/myadmin redirect; - rewrite ^/cpanel(.*)$ https://$hostname:2082 redirect; -} - -# securing wordpres admin -# location /wp-admin { limit_req zone=one; } - -# robots.txt file generated on the fly -# location /robots.txt { -# return 200 "User-agent: *\nDisallow: /"; -# } diff --git a/config/nginx/server.d/static.conf b/config/nginx/server.d/static.conf deleted file mode 100755 index 6a3177a..0000000 --- a/config/nginx/server.d/static.conf +++ /dev/null 
@@ -1,29 +0,0 @@ -# Feed -location ~* \.(?:rss|atom)$ { - expires 1h; - add_header Cache-Control "public"; -} - -# Media: css, javascript, images, icons, video, audio, htc -location ~* \.(?:css|js|jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc)$ { - expires 1y; - access_log off; - log_not_found off; - add_header Cache-Control "public"; -} - -# Other documents -location ~* \.(?:pdf|doc|docx|xls|xlsx|ppt|pptx|rtf)$ { - expires 7d; - access_log off; - log_not_found off; - add_header Cache-Control "public"; -} - -# Media: fonts -location ~* \.(?:eot|ttf|ttc|otf|woff|woff2)$ { - expires 1y; - access_log off; - log_not_found off; - add_header Cache-Control "public"; -} diff --git a/config/nginx/server.d/static_param.conf b/config/nginx/server.d/static_param.conf new file mode 100644 index 0000000..e7c2cab --- /dev/null +++ b/config/nginx/server.d/static_param.conf @@ -0,0 +1,22 @@ +# Media: css, javascript, images, icons, video, audio, htc +location ~* \.(?:css|js|jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc)$ { + expires 1M; access_log off; log_not_found off; + add_header Cache-Control 'public, no-transform'; + add_header X-Permitted-Cross-Domain-Policies none; + add_header X-Download-Options noopen; + add_header X-Robots-Tag none; +} + +# rss, atom, favicon +location ~* \.(?:rss|atom)$ { + expires 1h; add_header Cache-Control 'public, no-transform'; +} + +# other documents +location ~* \.(?:pdf|doc|docx|xls|xlsx|ppt|pptx|rtf|eot|ttf|ttc|otf|woff|woff2)$ { + expires 7d; access_log off; log_not_found off; + add_header Cache-Control 'public, no-transform'; + add_header X-Permitted-Cross-Domain-Policies none; + add_header X-Download-Options noopen; + add_header X-Robots-Tag none; +} diff --git a/config/nginx/server.d/userdir.conf b/config/nginx/server.d/userdir.conf deleted file mode 100755 index bca02bb..0000000 --- a/config/nginx/server.d/userdir.conf +++ /dev/null 
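Review bot: Each `location` in `static_param.conf` sets its own `add_header`, and in nginx that cancels inheritance of every `add_header` from the server block, so HSTS, `X-Content-Type-Options` and the rest configured at server level will be missing on CSS/JS/font/document responses — exactly where `nosniff` matters most. Either repeat the security headers in these blocks (`add_header X-Content-Type-Options nosniff always;`) or move the common ones into a small include that each location pulls in after its caching headers. A one-line comment above the first location explaining that `add_header` here resets the server-level set would stop the next maintainer from reintroducing the gap.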
@@ -1,10 +0,0 @@ -# User Directory -location ~ ^/~(.+?)(/.*)?$ { - alias /home/$1/Public$2; - index index.html index.php; - autoindex on; - location ~ \.php(/|$) { - fastcgi_pass unix:/var/run/php/php72-fpm.sock; - include server.d/phpfpm.conf; - } -} \ No newline at end of file diff --git a/config/nginx/server.d/userdirectory.conf b/config/nginx/server.d/userdirectory.conf new file mode 100644 index 0000000..055c03c --- /dev/null +++ b/config/nginx/server.d/userdirectory.conf @@ -0,0 +1,11 @@ +# User directory +location ~ ^/~(.+?)(/.*)?$ { + autoindex on; + alias /home/$1/Public$2; + index index.html default.html; + location ~ \.(cgi|php|py|sh)$ { + log_not_found off; + access_log off; + deny all; + } +} diff --git a/config/nginx/server.d/wordpress.conf b/config/nginx/server.d/wordpress.conf new file mode 100644 index 0000000..34658be --- /dev/null +++ b/config/nginx/server.d/wordpress.conf @@ -0,0 +1,23 @@ +# Restrtict wp essential files +location = /wp-config.php { deny all; } +location = /wp-content/debug.log { deny all; } + +# wp-mu handler +if (!-e $request_filename) { + rewrite /wp-admin$ $scheme://$host$uri/ permanent; + rewrite ^/[_0-9a-zA-Z-]+(/wp-.*) $1 last; + rewrite ^/[_0-9a-zA-Z-]+(/.*\.php)$ $1 last; +} + +# Seriously Simple Podcasting +rewrite podcast-download/([^/]+)/([^/]*)/? /index.php?podcast_episode=$1 break; +rewrite podcast-player/([^/]+)/([^/]*)/? /index.php?podcast_episode=$1&podcast_ref=player break; + +# SEOPress Sitemap +location ~ ([^/]*)sitemap(.*)\.x(m|s)l$ { + rewrite ^/sitemaps\.xml$ /index.php?seopress_sitemap=1 last; + rewrite ^/sitemaps_xsl\.xsl$ /index.php?seopress_sitemap_xsl=1 last; + rewrite ^/sitemaps/([_0-9a-zA-Z-]+)?\.xml$ /index.php?seopress_cpt=$1 last; + rewrite ^/sitemaps/([_0-9a-zA-Z-]+)?\.xml$ /index.php?seopress_news=$1 last; + rewrite ^/sitemaps/([_0-9a-zA-Z-]+)?\.xml$ /index.php?seopress_video=$1 last; +} 
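Review bot: `location ~ ^/~(.+?)(/.*)?$` accepts any characters as the user name before feeding it to `alias /home/$1/Public$2;`, and `autoindex on` then lists whatever is there; constrain the capture to a real account-name shape, `location ~ ^/~([a-z_][a-z0-9_-]*)(/.*)?$ {`, so odd names never reach the filesystem (nginx normalises `..` before matching, so traversal out of `/home` is not the main worry). The real gap is the interpreter denylist: it blocks `.cgi|.php|.py|.sh` but not `.phtml`, `.phar`, `.php5`/`.php7` or dotfiles such as `.htpasswd`, `.env` and `.git/`, all of which this block serves verbatim with a directory listing to find them. Extending the inner location to `location ~ (\.(cgi|php[0-9]?|phtml|phar|py|sh)$|/\.) { deny all; }` closes that.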
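Review bot: `wordpress.conf` denies `wp-config.php` and `debug.log` but nothing stops PHP execution under `wp-content/uploads/`, and the PHP handler in `vhost-php.conf` matches any URI ending in `.php`; add `location ~* /wp-content/uploads/.*\.php$ { deny all; }` here, and make sure it is included ahead of the handler since regex locations are matched in file order. The deleted `server.conf` also carried the `\.(htaccess|htpasswd|db|yml|log|svn|git|…)$ { return 444; }` rule and the GET/HEAD/POST method restriction; neither is reproduced in this file, so unless `common_param.conf` (not in this diff) has them, `.git/` and `.htpasswd`-style files become readable on WordPress vhosts. Lower priority: the three `rewrite ^/sitemaps/([_0-9a-zA-Z-]+)?\.xml$ … last;` lines share one pattern, so only the `seopress_cpt` rewrite can fire and the `seopress_news`/`seopress_video` lines are dead.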
diff --git a/config/nginx/server.d/wp-podcast.conf b/config/nginx/server.d/wp-podcast.conf deleted file mode 100755 index c03ae9f..0000000 --- a/config/nginx/server.d/wp-podcast.conf +++ /dev/null @@ -1,3 +0,0 @@ -# Seriously Simple Podcasting -rewrite podcast-download/([^/]+)/([^/]*)/? /index.php?podcast_episode=$1 break; -rewrite podcast-player/([^/]+)/([^/]*)/? /index.php?podcast_episode=$1&podcast_ref=player break; diff --git a/config/nginx/server.d/wpmu.conf b/config/nginx/server.d/wpmu.conf deleted file mode 100755 index d7d8a8f..0000000 --- a/config/nginx/server.d/wpmu.conf +++ /dev/null @@ -1,18 +0,0 @@ -# php-fpm handler -location / { try_files $uri $uri/ @rewrite; } -location @rewrite { rewrite ^/(.*)$ /index.php?q=$uri&$args; } -location ~ \.php$ { - fastcgi_pass unix:/var/run/php/php73-fpm.sock; - include server.d/phpfpm.conf; -} - -# wp-mu handler -if (!-e $request_filename) { - rewrite /wp-admin$ $scheme://$host$uri/ permanent; - rewrite ^/[_0-9a-zA-Z-]+(/wp-.*) $1 last; - rewrite ^/[_0-9a-zA-Z-]+(/.*\.php)$ $1 last; -} - -# other server configuration -include server.d/server.conf; -include server.d/static.conf; diff --git a/config/nginx/stubs/adminer.php b/config/nginx/stubs/adminer.php new file mode 100644 index 0000000..adf1fe5 --- /dev/null +++ b/config/nginx/stubs/adminer.php @@ -0,0 +1,45 @@ + [ + 'server' => 'localhost:3306', + ], + ]; + + $plugins = [ + new AdminerDumpZip, + new AdminerDatabaseHide($hide_db), + // new AdminerLoginServers($server), + new AdminerEditForeign, + new AdminerForeignSystem, + ]; + + class AdminerCustomization extends AdminerPlugin + { + public function name() + { + return 'Adminer'; + } + } + + return new AdminerCustomization($plugins); + + return new AdminerPlugin($plugins); +} + +include __DIR__.'/adminer.php'; diff --git a/config/nginx/stubs/default.html b/config/nginx/stubs/default.html new file mode 100644 index 0000000..a1297f3 --- /dev/null +++ b/config/nginx/stubs/default.html 
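Review bot: As shown, nothing restricts which database server the Adminer login form will connect to — `AdminerLoginServers($server)` is the plugin that pins logins to `localhost:3306`, and it is commented out — so anyone who can reach this page can point the instance at any MySQL host reachable from the server; uncomment `new AdminerLoginServers($server),` or add a `login()` override in `AdminerCustomization` that rejects other hosts. The opening lines of the stub (the `<?php` opener, the `adminer_object()` signature and the `$hide_db`/`$server` assignments) appear to have been lost in this rendering, so I am reading intent from what remains. Two smaller things: the `return new AdminerPlugin($plugins);` after the first `return` is unreachable, and `include __DIR__.'/adminer.php';` will include this very file if it is deployed under its repository name, so a comment stating the intended deployed name (e.g. `index.php` next to the upstream `adminer.php`) would avoid a recursion surprise.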
@@ -0,0 +1,113 @@ + + + + + + + + + Default Web Page + + + + + + +
+

Welcome!

+

Why am I seeing this?

+

There are a few reasons:

+
    +
  1. This is the default page for your new site.
  2. +
  3. This page used to test the web server configuration.
  4. +
  5. Maybe you haven't uploaded your website yet.
  6. +
  7. You may have deployed an empty directory.
  8. +
+

How can I deploy my first app?

+

+ Please contact the hosting provider + or system administrator to get help. +

+
+ + diff --git a/config/nginx/stubs/default.php b/config/nginx/stubs/default.php new file mode 100644 index 0000000..06bf771 --- /dev/null +++ b/config/nginx/stubs/default.php @@ -0,0 +1,117 @@ + + + + + + + + + + Default Web Page + + + + + + +
+

Welcome!

+

Why am I seeing this?

+

There are a few reasons:

+
    +
  1. This is the default page for your new site.
  2. +
  3. This page used to test the web server configuration.
  4. +
  5. Maybe you haven't uploaded your website yet.
  6. +
  7. You may have deployed an empty directory.
  8. +
+

How can I deploy my first app?

+

+ Please contact the hosting provider + or system administrator to get help. +

+
+ + + diff --git a/config/nginx/stubs/error404.html b/config/nginx/stubs/error404.html new file mode 100644 index 0000000..3777ed4 --- /dev/null +++ b/config/nginx/stubs/error404.html @@ -0,0 +1,112 @@ + + + + + + + + + 404 - Not Found! + + + + + + +
+

404 - Not Found!

+

Why am I seeing this?

+

There are a few reasons:

+
    +
  1. You are losing direction.
  2. +
  3. You have invalid web server configuration.
  4. +
  5. You may have deployed an empty directory.
  6. +
  7. You haven't finished setting it up your website.
  8. +
+

How solve this problem?

+

+ Please back to previous page, or contact the system administrator to get help. +

+
+ + diff --git a/config/nginx/stubs/example.py b/config/nginx/stubs/example.py new file mode 100644 index 0000000..6161fa7 --- /dev/null +++ b/config/nginx/stubs/example.py @@ -0,0 +1,35 @@ +#!/usr/bin/env python3 +# +# Run: +# gunicorn -b 127.0.0.1:8000 example:api +# +# Or, if using pipenv: +# pipenv run gunicorn -b 127.0.0.1:8000 example:api +# + +from falcon import falcon + +class QuoteResource: + def on_get(self, req, resp): + """Handles GET requests""" + result = { + 'title': 'Default Response', + 'message': ( + "This is an example application " + "using Python and Nginx reverse proxy." + ), + 'author': 'Aris Ripandi ', + } + resp.media = result + +def handle_404(req, resp): + resp.status = falcon.HTTP_404 + # resp.body = 'Resource not found' + resp.media = { + 'message': 'Resource not found', + 'documentation_url': 'https://github.com/riipandi/stackup-shell' + } + +api = falcon.API() +api.add_route('/', QuoteResource()) +api.add_sink(handle_404, '') diff --git a/config/nginx/stubs/suspended.html b/config/nginx/stubs/suspended.html new file mode 100644 index 0000000..6305ae9 --- /dev/null +++ b/config/nginx/stubs/suspended.html @@ -0,0 +1,114 @@ + + + + + + + + + Account Suspended! + + + + + + +
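Review bot: `from falcon import falcon` looks like a typo for `import falcon`: the names used below, `falcon.API()` and `falcon.HTTP_404`, are top-level Falcon exports, and unless the installed package happens to expose a `falcon` submodule this import fails before gunicorn can load `example:api`. `falcon.API` is also the pre-3.0 name (3.x calls it `falcon.App`), so the run instructions in the header should state which Falcon version the stub targets. The hunk is the complete 35-line stub, so nothing else is cut off.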
+

Website suspended!

+

Why am I seeing this?

+

+ Maybe you need to fix this following issue(s): +

+
    +
  1. Malware has been detected in website files.
  2. +
  3. Billing issues: non-payment, overdue invoice, etc.
  4. +
  5. Copyright violation: Unlawful use of copyrighted materials.
  6. +
  7. Other terms violation: breaching our terms and conditions.
  8. +
+

How can I restore my website?

+

+ Refer to the documentation page to get help. +

+ +
+ + diff --git a/config/nginx/stubs/wp-config-sample.php b/config/nginx/stubs/wp-config-sample.php new file mode 100644 index 0000000..8570850 --- /dev/null +++ b/config/nginx/stubs/wp-config-sample.php @@ -0,0 +1,119 @@ +isSMTP(); + $phpmailer->Host = SMTP_HOST; + $phpmailer->SMTPAuth = SMTP_AUTH; + $phpmailer->Port = SMTP_PORT; + $phpmailer->Username = SMTP_USER; + $phpmailer->Password = SMTP_PASS; + $phpmailer->SMTPSecure = SMTP_SECURE; + $phpmailer->From = SMTP_FROM; + $phpmailer->FromName = SMTP_NAME; +} + +// Force using Jetpack SSO and disable login by using password. +// add_filter( 'jetpack_sso_bypass_login_forward_wpcom', '__return_true' ); +// remove_filter( 'authenticate', 'wp_authenticate_email_password', 20 ); +// remove_filter( 'authenticate', 'wp_authenticate_username_password', 20); diff --git a/config/nginx/template/default.html b/config/nginx/template/default.html new file mode 100644 index 0000000..a1297f3 --- /dev/null +++ b/config/nginx/template/default.html @@ -0,0 +1,113 @@ + + + + + + + + + Default Web Page + + + + + + +
+

Welcome!

+

Why am I seeing this?

+

There are a few reasons:

+
    +
  1. This is the default page for your new site.
  2. +
  3. This page used to test the web server configuration.
  4. +
  5. Maybe you haven't uploaded your website yet.
  6. +
  7. You may have deployed an empty directory.
  8. +
+

How can I deploy my first app?

+

+ Please contact the hosting provider + or system administrator to get help. +

+
+ + diff --git a/config/nginx/template/default.php b/config/nginx/template/default.php new file mode 100644 index 0000000..06bf771 --- /dev/null +++ b/config/nginx/template/default.php @@ -0,0 +1,117 @@ + + + + + + + + + + Default Web Page + + + + + + +
+

Welcome!

+

Why am I seeing this?

+

There are a few reasons:

+
    +
  1. This is the default page for your new site.
  2. +
  3. This page used to test the web server configuration.
  4. +
  5. Maybe you haven't uploaded your website yet.
  6. +
  7. You may have deployed an empty directory.
  8. +
+

How can I deploy my first app?

+

+ Please contact the hosting provider + or system administrator to get help. +

+
+ + + diff --git a/config/nginx/template/redirector.conf b/config/nginx/template/redirector.conf new file mode 100644 index 0000000..3a7802e --- /dev/null +++ b/config/nginx/template/redirector.conf @@ -0,0 +1,9 @@ +server { + listen 80; + listen 443 ssl http2; + server_name HOSTNAME; + ssl_certificate /etc/letsencrypt/live/HOST_TARGET/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/HOST_TARGET/privkey.pem; + + return 301 $scheme://HOST_TARGET$request_uri; +} diff --git a/config/nginx/template/vhost-php.conf b/config/nginx/template/vhost-php.conf new file mode 100644 index 0000000..7cf96c2 --- /dev/null +++ b/config/nginx/template/vhost-php.conf @@ -0,0 +1,28 @@ +server { + listen 80; + server_name HOSTNAME; + # server_name www.HOSTNAME; + root /srv/web/HOSTNAME/public; + + #ssl listen 443 ssl http2; + #ssl ssl_certificate /etc/letsencrypt/live/HOSTNAME/fullchain.pem; + #ssl ssl_certificate_key /etc/letsencrypt/live/HOSTNAME/privkey.pem; + #ssl if ($scheme = http) {return 301 https://$host$request_uri;} + + # add_header X-Robots-Tag 'noindex, nofollow, nosnippet, noarchive'; + access_log /var/log/nginx/HOSTNAME-access.log main; + error_log /var/log/nginx/HOSTNAME-error.log warn; + + # include server.d/listen_ipv6.conf; + include server.d/common_param.conf; + include server.d/static_param.conf; + + # PHP-FPM Handler + # rewrite ^/(.*\.php)(/)(.*)$ /$1?file=/$3 last; + location / { try_files $uri $uri/ /index.php?$query_string; } + location ~ ^/(.+\.php)$ { + fastcgi_pass unix:/var/run/php/php7.4-fpm.sock; + include server.d/fastcgi_param.conf; + fastcgi_read_timeout 1200; + } +} diff --git a/config/nginx/template/vhost-proxy.conf b/config/nginx/template/vhost-proxy.conf new file mode 100644 index 0000000..4e747df --- /dev/null +++ b/config/nginx/template/vhost-proxy.conf 
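Review bot: The redirect server answers TLS for `server_name HOSTNAME` with `HOST_TARGET`'s Let's Encrypt certificate, so unless that certificate's SANs also cover HOSTNAME every https client gets a name-mismatch error before the 301 is ever sent; either issue the target certificate with the old name as a SAN or point `ssl_certificate`/`ssl_certificate_key` at a certificate for HOSTNAME. `return 301 $scheme://HOST_TARGET$request_uri;` keeps plain-http visitors on http; if HOST_TARGET is served over TLS, `https://` is the better redirect target. A comment on the `ssl_certificate` lines stating the SAN requirement would keep this template from being copy-pasted wrong.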
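Review bot: `location ~ ^/(.+\.php)$` passes every existing `.php` file under `root` to PHP-FPM, so any path an application lets users write into (uploads, caches) becomes executable; the `try_files $fastcgi_script_name =404` in the included fastcgi_param.conf only rejects scripts that do not exist. Add an application-agnostic guard ahead of the handler, e.g. `location ~* /(uploads|files|cache)/.*\.php$ { deny all; }`, since regex locations are taken in file order. The template also ships with TLS entirely in `#ssl` comments and only `listen 80`, so a freshly generated vhost is plain HTTP; if a script toggles those lines it is not in this diff, so a comment naming that mechanism (or a default-on https redirect) would help whoever edits the template by hand.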
@@ -0,0 +1,30 @@ +upstream APP_NAME { + zone upstreams 64K; + server 127.0.0.1:APP_PORT weight=100 max_fails=5 fail_timeout=5; + keepalive 2; +} + +server { + listen 80; + server_name HOSTNAME; + # server_name www.HOSTNAME; + root /srv/web/HOSTNAME/public; + + #ssl listen 443 ssl http2; + #ssl ssl_certificate /etc/letsencrypt/live/HOSTNAME/fullchain.pem; + #ssl ssl_certificate_key /etc/letsencrypt/live/HOSTNAME/privkey.pem; + #ssl if ($scheme = http) {return 301 https://$host$request_uri;} + + # add_header X-Robots-Tag 'noindex, nofollow, nosnippet, noarchive'; + access_log /var/log/nginx/HOSTNAME-access.log main; + error_log /var/log/nginx/HOSTNAME-error.log warn; + + # include server.d/listen_ipv6.conf; + include server.d/common_param.conf; + + # Reverse proxy Handler + location / { + proxy_pass http://APP_NAME/; + include server.d/proxy_param.conf; + } +} diff --git a/config/nginx/template/vhost-static.conf b/config/nginx/template/vhost-static.conf new file mode 100644 index 0000000..6d5d00b --- /dev/null +++ b/config/nginx/template/vhost-static.conf @@ -0,0 +1,26 @@ +server { + listen 80; + server_name HOSTNAME; + # server_name www.HOSTNAME; + root /srv/web/HOSTNAME/public; + + #ssl listen 443 ssl http2; + #ssl ssl_certificate /etc/letsencrypt/live/HOSTNAME/fullchain.pem; + #ssl ssl_certificate_key /etc/letsencrypt/live/HOSTNAME/privkey.pem; + #ssl if ($scheme = http) {return 301 https://$host$request_uri;} + + # add_header X-Robots-Tag 'noindex, nofollow, nosnippet, noarchive'; + access_log /var/log/nginx/HOSTNAME-access.log main; + error_log /var/log/nginx/HOSTNAME-error.log warn; + + # include server.d/listen_ipv6.conf; + include server.d/common_param.conf; + include server.d/static_param.conf; + + # autoindex on; + location ~ \.(cgi|php|py|sh)$ { + log_not_found off; + access_log off; + deny all; + } +} diff --git a/config/nginx/uwsgi_params b/config/nginx/uwsgi_params deleted file mode 100755 index 09c732c..0000000 
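Review bot: `keepalive 2;` in the upstream will not take effect while the included `proxy_param.conf` sets `Connection "upgrade"` on every request — upstream keepalive needs `Connection ""` for ordinary requests — so either this template or the include should pass a `$connection_upgrade` map result instead of a constant. The backend on `127.0.0.1:APP_PORT` receives `X-Forwarded-For` with client-supplied values prepended and `Host: $http_host` verbatim; that is fine only if the app treats nginx as its single trusted proxy and reads the client IP from `X-Real-IP`, which deserves a comment next to `proxy_pass`. `root /srv/web/HOSTNAME/public` is set but every request is proxied, so either drop it or note why it is kept.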
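Review bot: The static vhost configures no interpreter, so `location ~ \.(cgi|php|py|sh)$ { deny all; }` prevents source disclosure rather than execution, and a suffix denylist is the wrong shape for that: `.phtml`, `.phar`, `.inc`, `.bak`, `.sql` and, more importantly, dotfiles (`.git/`, `.env`, `.htpasswd`) are all served as-is. Denying hidden paths outright is the usual baseline — `location ~ /\.(?!well-known) { deny all; }`, keeping `.well-known` reachable for ACME — with the suffix list extended to `\.(cgi|php[0-9]?|phtml|phar|py|sh|inc|bak|sql)$`. `log_not_found off; access_log off;` inside the deny block also hides probes for those files from the access log, which is the one place you would want to see them.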
--- a/config/nginx/uwsgi_params +++ /dev/null @@ -1,17 +0,0 @@ - -uwsgi_param QUERY_STRING $query_string; -uwsgi_param REQUEST_METHOD $request_method; -uwsgi_param CONTENT_TYPE $content_type; -uwsgi_param CONTENT_LENGTH $content_length; - -uwsgi_param REQUEST_URI $request_uri; -uwsgi_param PATH_INFO $document_uri; -uwsgi_param DOCUMENT_ROOT $document_root; -uwsgi_param SERVER_PROTOCOL $server_protocol; -uwsgi_param REQUEST_SCHEME $scheme; -uwsgi_param HTTPS $https if_not_empty; - -uwsgi_param REMOTE_ADDR $remote_addr; -uwsgi_param REMOTE_PORT $remote_port; -uwsgi_param SERVER_PORT $server_port; -uwsgi_param SERVER_NAME $server_name; diff --git a/config/nginx/vhost.d/.gitkeep b/config/nginx/vhost.d/.gitkeep deleted file mode 100755 index e69de29..0000000 diff --git a/config/powerdns/pdns.conf b/config/powerdns/pdns.conf deleted file mode 100644 index bde4e7f..0000000 --- a/config/powerdns/pdns.conf +++ /dev/null @@ -1,20 +0,0 @@ -setgid=pdns -setuid=pdns - -local-address=0.0.0.0 -local-port=53 - -api=yes -api-key=xxxxxxxxx -api-readonly=no -api-logfile=/var/log/pdns.log - -launch=gmysql - -webserver=yes -webserver-address=127.0.0.1 -webserver-allow-from=127.0.0.1 -webserver-password=secret -webserver-port=8081 - -include-dir=/etc/powerdns/pdns.d diff --git a/config/powerdns/pdns.d/pdns.local.conf b/config/powerdns/pdns.d/pdns.local.conf deleted file mode 100644 index 3e0c14c..0000000 --- a/config/powerdns/pdns.d/pdns.local.conf +++ /dev/null @@ -1,4 +0,0 @@ -gmysql-host=127.0.0.1 -gmysql-user=root -gmysql-dbname=powerdns -gmysql-password=root \ No newline at end of file diff --git a/config/proftpd/blacklist.dat b/config/proftpd/blacklist.dat deleted file mode 100644 index 44005c4..0000000 Binary files a/config/proftpd/blacklist.dat and /dev/null differ diff --git a/config/proftpd/conf.d/anonymous.conf b/config/proftpd/conf.d/anonymous.conf deleted file mode 100644 index 39e045f..0000000 --- a/config/proftpd/conf.d/anonymous.conf +++ /dev/null 
@@ -1,42 +0,0 @@ -# A basic anonymous configuration, no upload directories. - -# -# User ftp -# Group nogroup -# # We want clients to be able to login with "anonymous" as well as "ftp" -# UserAlias anonymous ftp -# # Cosmetic changes, all files belongs to ftp user -# DirFakeUser on ftp -# DirFakeGroup on ftp -# -# RequireValidShell off -# -# # Limit the maximum number of anonymous logins -# MaxClients 10 -# -# # We want 'welcome.msg' displayed at login, and '.message' displayed -# # in each newly chdired directory. -# DisplayLogin welcome.msg -# DisplayChdir .message -# -# # Limit WRITE everywhere in the anonymous chroot -# -# -# DenyAll -# -# -# -# # Uncomment this if you're brave. -# # -# # # Umask 022 is a good standard umask to prevent new files and dirs -# # # (second parm) from being group and world writable. -# # Umask 022 022 -# # -# # DenyAll -# # -# # -# # AllowAll -# # -# # -# -# diff --git a/config/proftpd/conf.d/sql.conf b/config/proftpd/conf.d/sql.conf deleted file mode 100644 index 278b71a..0000000 --- a/config/proftpd/conf.d/sql.conf +++ /dev/null 
@@ -1,27 +0,0 @@ - - SQLEngine on - SQLBackend mysql - SQLAuthTypes OpenSSL Crypt - SQLAuthenticate users groups - SQLConnectInfo DB_NAME@DB_HOST DB_NAME DB_PASS - SQLUserInfo ftpuser userid passwd uid gid homedir shell - SQLGroupInfo ftpgroup groupname gid members - SQLMinID 2000 - CreateHome on - SQLLog PASS updatecount - SQLNamedQuery updatecount UPDATE "count=count+1, accessed=now() WHERE userid='%u'" ftpuser - SQLLog STOR,DELE modified - SQLNamedQuery modified UPDATE "modified=now() WHERE userid='%u'" ftpuser - QuotaEngine on - QuotaDirectoryTally on - QuotaDisplayUnits Mb - QuotaShowQuotas on - SQLNamedQuery get-quota-limit SELECT "name, quota_type, per_session, limit_type, bytes_in_avail, bytes_out_avail, bytes_xfer_avail, files_in_avail, files_out_avail, files_xfer_avail FROM ftpquotalimits WHERE name = '%{0}' AND quota_type = '%{1}'" - SQLNamedQuery get-quota-tally SELECT "name, quota_type, bytes_in_used, bytes_out_used, bytes_xfer_used, files_in_used, files_out_used, files_xfer_used FROM ftpquotatallies WHERE name = '%{0}' AND quota_type = '%{1}'" - SQLNamedQuery update-quota-tally UPDATE "bytes_in_used = bytes_in_used + %{0}, bytes_out_used = bytes_out_used + %{1}, bytes_xfer_used = bytes_xfer_used + %{2}, files_in_used = files_in_used + %{3}, files_out_used = files_out_used + %{4}, files_xfer_used = files_xfer_used + %{5} WHERE name = '%{6}' AND quota_type = '%{7}'" ftpquotatallies - SQLNamedQuery insert-quota-tally INSERT "%{0}, %{1}, %{2}, %{3}, %{4}, %{5}, %{6}, %{7}" ftpquotatallies - QuotaLimitTable sql:/get-quota-limit - QuotaTallyTable sql:/get-quota-tally/update-quota-tally/insert-quota-tally - RootLogin off - RequireValidShell off - \ No newline at end of file diff --git a/config/proftpd/conf.d/tls.conf b/config/proftpd/conf.d/tls.conf deleted file mode 100644 index 8391c74..0000000 --- a/config/proftpd/conf.d/tls.conf +++ /dev/null 
@@ -1,9 +0,0 @@ - - TLSEngine on - TLSLog /var/log/proftpd/tls.log - TLSProtocol SSLv23 TLSv1.2 - TLSRSACertificateFile /etc/ssl/certs/proftpd.crt - TLSRSACertificateKeyFile /etc/ssl/private/proftpd.key - TLSCACertificateFile /etc/ssl/certs/chain.pem - TLSDHParamFile /etc/ssl/private/proftpd-dhparam.pem - \ No newline at end of file diff --git a/config/proftpd/dhparams.pem b/config/proftpd/dhparams.pem deleted file mode 100644 index 0a4af11..0000000 --- a/config/proftpd/dhparams.pem +++ /dev/null 
@@ -1,184 +0,0 @@ -# This file contains a number of pregenerated Diffie-Hellman group parameters, -# ranging in size from 1024 to 8192 bits. These are intended for use during -# the Diffie-Hellman group exchange protocol, part of the SSH key exchange -# (see RFC4419). -# -# The file was generated using the following OpenSSL command: -# -# openssl dhparam -outform PEM -2|-5 1024|1536|2048|3072|4096|6144|7680|8192 >> dhparams.pem -# -# Note that these DH parameters should be refreshed every so often (e.g. -# every few years). These parameters were last updated on 2013-01-14. - -# 1024-bit DH group params ------BEGIN DH PARAMETERS----- -MIGHAoGBALbvOMiSzkUDxrpE0v150A1+hi9R0xSbwk2nyGBHznfZtvi3prJWIZwS -5WPTZI9QCUCGIfGt8xfVrzzzfmruEFUZK9Tz27mR+7dPiet3c51niPIOrBlUCeTB -Kz/urIJMeUcoUcDSbIeajAyLfwkWvLP44i/n7fDW9rsuzef6Eq+bAgEC ------END DH PARAMETERS----- ------BEGIN DH PARAMETERS----- -MIGHAoGBAM5hpw0SGB0LHC0hN3Cp2rwnRPQtgvywaj1Ju3odzswLaxYriqQODBCH -psywSpi5WAU2R/WUITW5VWLHlI7HpCJwNXG9s9GmHTelCGvBEd/c63jJlL6VjyOe -M2OW+RDONoNFTXXVMmPayuUq3vfWFPGcSRZg5CI+d4Xma4eRPRxbAgEF ------END DH PARAMETERS----- ------BEGIN DH PARAMETERS----- -MIGHAoGBAKP/HXSZf3Pbpczrl3tvL9L5g+vWsoBQWFA0PglX/RUV7wd/hgiRdcJG -MXktBIkBDxtdKZM5JKu8d99e5Lmbw6puluLF1lA8ZJ/lcIhojnDWQZ8bFBXx2DJ9 -DpDMMX/htR8u+cnPxeKDw2gnKjuN39Ku+1IdBLYSl9iu4GEwk9rDAgEC ------END DH PARAMETERS----- ------BEGIN DH PARAMETERS----- -MIGHAoGBAMLOI4dbum16dz3CVufbtZ/90kC92QElRU2yfEwQdxsufkcYd+uEPgfx -vD0PCMdCl2zAHfMjMtGCrb+8pTiO2eaC/4/wd6z0LUciawZo/dSE3n7S+D51ZH1I -IN1OyvIhMMBq+DyujB6t9jUlrpXriXdcvmv78R83uT6TwwhFtRXnAgEF ------END DH PARAMETERS----- ------BEGIN DH PARAMETERS----- -MIGHAoGBAO7i+5IQHjs6tHh5LXAwvD3XXgxyE6j7e1KWmgHDFg6GeEo2UZLu07Zt -Ynu9srvka3KsnzdDEqtQgZk9C1aRMpqYoy0DFptVHNFjyhydIwB23Eh5a5xmpCzg -X4yDC+2ADrU2PC0M+T8FuAOWvd3VBBrnm3msoRBRy26IKBAeDi5jAgEC ------END DH PARAMETERS----- ------BEGIN DH PARAMETERS----- -MIGHAoGBAIBl4JEof+IcUS/j+PnkmeYNLUtGwi/PrQ4xv5Q3V0aiy/qIOX8yYFIA 
-gwBidaoqPkG0CAAYO9o8gvFhHfJHd8B296mYybSHSGI2G6TVP3xdZYNmqG1lAqd/ -Vqmj+CvmkYsgacDVD6P8yOLrF6gzBb9PxVNOFqPhNX/0yOXBr6YTAgEF ------END DH PARAMETERS----- - -# 1536-bit DH group params ------BEGIN DH PARAMETERS----- -MIHHAoHBAJkp+TbtcuMfeImd5XIA7pKwGjtrcVtNpRXB4wlRbpJpbGGQcyCe65MJ -Kmxs8sndPv1S19fTH+3Fcp9jl7JmChHs+TcWqIpvmrBFRZ/5N2bf2fgimi7hSWWF -JwFdb9zpxUNWbAcNnR/jZdqQ61wweyUT0sfGPH+0xNRbtc1Ct1E95o4+7Os82Lh1 -TKokivVwwBf9m2vmCFEXDTgW0bLLqNRH1CQ8juEiw6i/zabmkutPPhKN0uxA7j75 -+eMc/DVzlwIBBQ== ------END DH PARAMETERS----- ------BEGIN DH PARAMETERS----- -MIHHAoHBAKhfKa4EANC76yzSGF+/8UKQnSzjhMDyqOmWlrvb66CTe4T6gTtpECkm -8KDmxuN3HrlXgkEQoMh4rgazpx3UG0z8T6aqQXFZmAVMK/Yp++9H/EzJhTyntJ31 -hz3QqkoZgznvKx2vF+Gmx7C4imd+EIi7b/Lz/yw1P3wIGt1t3rznudc46BfPbRMf -7sEQ20na5PEY5XwX3V9u2X61HM4YGto9XuNVL3uU70bxW6pceFBzdzVEadnXaJyW -00bevXWw2wIBAg== ------END DH PARAMETERS----- ------BEGIN DH PARAMETERS----- -MIHHAoHBANdeoQj9jcGLATPLTqI4vpKMgqJ5fuOe+8yiVVTmDGuNzDL7lDj5JMSF -lrpG99IPVb6Cy+kSAyO/PBbTkj9nPzls42GKmABjb3PHYiDIBcYq4xfP7Z/PEH9J -YIT/9PQVqVRFPHnzdZcXtaS3H6ve6npiwvgwPCNz7s7MX9C153XF99T0qCA8L/a+ -KsnKD2aaqsxi/6Njr7sBly9l6qre70lONzeOLzcwQSRq9l2pjSMEekJPY6E3yPPy -MA4GLMlaKwIBAg== ------END DH PARAMETERS----- - -# 2048-bit DH group params ------BEGIN DH PARAMETERS----- -MIIBCAKCAQEA6Y/KjtYFfcVooSk1p2pvVbqttLQNsMIC5t9GSyWlfCBoFPqffXsm -XVkXuy3k8zAjrdL3rGx5/+c5wlYfVAzz/q3rUR+mFEPQKgkvHKUFy0ubG0Wp/dBI -KZ+vkK+CK0NToKAdXv8G3TfCefw9dI/Nzy2j/wxlUFapFwnZocPXUlgQd52mdCsX -ACqZ5imBZcNQzwcEKTr2jen2l+NE2CKs8nJFVwcSlsFPqEB+7Yh1GwZik1wmBxrT -PwPMrTk1u9CqttF7aTZBHjn++e4TkqrQs1J04s0LjdvzNVaEcUfPPiTH+68KpMwj -NcAuMC6BV3L42Cald1HocD18s07VPcqiUwIBAg== ------END DH PARAMETERS----- ------BEGIN DH PARAMETERS----- -MIIBCAKCAQEAo+GoaemZ9KjBgLgwGZuObOQ/hQSoK1Aka/fPoSk3ECokqb0KeeI4 -Ai8YVup6WIJigf//UTZFgHXENUsJM3sSTKHe5l7LtQIkb2oPQFfzTpp2OOMceRkK -eXpgDYBct0T0KDAJXV4uB+l6PZfL4cOLfSMNCKTg2ptGGLbbqYPLd7LNwudpe1wO -0KB1GFEkB2ZEPTIkQx2W1ia5EHta5zlXRqa962Rbo1t5fdiM3whVTqlgKNNC5/zv 
-wH7vHqyJyqVOKQyjXPsT95iBTo1GsXRz8oLXchrTybs7yfilve1eTCnQKfiZHqKw -50XSRbAiSV8ephW8mbwCOLthruMKT7GDTwIBBQ== ------END DH PARAMETERS----- - -# 3072-bit DH group params ------BEGIN DH PARAMETERS----- -MIIBiAKCAYEA0kEgFEhmtqWiDoykb2ptlZQ3hcB6MP5Bd1mDDjG38j1MFWV6Uaj8 -T4y3tGUntQ0H/OJ8GEueL9OS9q2NU67GJ/XjtoXDVmZOdzYwN3Lr52/RnwLdUCH9 -MZjbXJYoqDJyXSHIFd40fRUkzZRYN6HZTkDad6wsoBgibe3gRvEzp7nBIJlDZy85 -9hmLJHJNGqgIpOTbX9AUNGVSAHEINx6kKX0c1/Kc5nhCytqRdYLnwqeryMdlZ4N0 -qlG8KJum0A8mEpgvUM5D0BLTbjkKgOoORsfrhzykqfxUrv+Pwcb/6UBbPSR99OSZ -nFBlP3xSTl1WucWNmeZ3o2lZF4H/WosuoiVsPtO3aKYiLEhRxJiQOrMzVnSOdTR7 -d3Sg8a+ufSyccCCjOHssRKk//qoiUpN5R53/lxpUrfl+cJXGuvp+4EM+mfRDKCo7 -FTTaU2QFkF9A7dddwsABZQeqcADVN7T6L8/AIF66mwH7nvaJeNenTUqZTR+i8Doe -V/QbD1cYDtHzAgEC ------END DH PARAMETERS----- - -# 4096-bit DH group params ------BEGIN DH PARAMETERS----- -MIICCAKCAgEAnlCYvstlmd2VCDwdI8u0khgNwpuGmjPv17RSGCnSjx6DjuYeOqGn -AqOjSEyDuoNx8KC6mZF5HKBoQ+nDeJ3O4y4NnZj1MaEFViu3a7XXu6Ff/fLB2nl+ -E1ryt9vk6d9GNgOF+JfB40SYsPnfX0FHd/MqJh4KQbkWoPzgfK4bgxNZUmdtFxbP -9jO0t08nEoBGAL6a6nx7AN/mSgdOh/CEjNP7xKGTuNLv0Lq3FAAJ4e0PDjFYb9TI -KRcwVIYpqt/DmN1+hCQ8O9GaC8gs99Gqyi4G6Iowq7oMqV8KRNdTNnfD1t3SjupE -xFTUeBw5FiB/44Vwjiahz0PJVQggrAUadqCrqOi1k/C7z/UpwOvpBVz5162p633H -XntMUzmi0JoomT+nR5je6wlJnpcvOeIn21rLOwkXDWmzrb1J7KYxnEa0F3fEck4P -V9L/dICTCBiTSq9bQGjCy6Mtc0pbW8AkhpoBtmJGhsB0+t6J5nLrleD68ePPEC1e -4kRPc3cJJPIvbMNxXPCYwjsP+AQcbxYvOlPPyDeWNj7AWQjMIAEOpBw76itfy7JP -o+Wz5EkpUtvK9Zqo4E8719U9R0aIVhsn+DX5l5Z8XKU8wZjUwK/Fg2tIVq8tXi7/ -WuXBUe8mHU+7bUQR1GRgBaLYiOERkNS87MPtbQ4I/pmfx63HIfOj67sCAQI= ------END DH PARAMETERS----- - -# 6144-bit DH group params ------BEGIN DH PARAMETERS----- -MIIDCAKCAwEA7WbPJRW6ZqHQQo6DFNV/exYBDYXTgHI8sOtX4ZsmckeLnn4MNWDx -rHymGA6EJqz7Iu3tlPqrZnAe/mOXJZVnWMdDrXaqufXCWA1GA1nOBsX2zjEAA4Yr -kOtE2JyNQ647gVWkZlAPNB1f0Tt4wuR2jvzMYmV+mcMfxurBoOhki7SibHs2UEvb -iFwJQM11b5W5NRQZpKnIpU6hWPGZMkSIBX7sIoMX9y/a0BVFqAXS8rLgmWh5RcQu -WqZPyZWHh+ctKaR3YPHyxX1kKUdFMxZVwXmnDJJeeT7NiNZd5OSJ5Z26XBoZufED 
-kzvpWigSJmMmfKXaGcxExrizRSBjjAPhc784yXZcnwR2nJB3svvuCnbfO6aoIbVF -78FtqXFiKd75mGTrPTdgfQH3OdjTaFZUp5JScpCfNwtDaWtvbgQ5x8dfxHcu/7CL -W9SeEvlCOwWiFvd0BkE4kRElUIzzLh0ufHHEhywkVGZIicL1qz+eeeTX8V6FmdRC -u2xHK5VtT2/yTMtDA48J5H7YTrSOiC+kgmaud5EAhxMidg4QqJa8jZYJIZpvwsEw -AC3mUv36RkJIhuePybaoa1U1TwSWwGg2dHqidQ6gXv0t+AXxxicKFBiKKMN7DxKo -DgA5asnrUv4Z/bfMU4yGgU3gkiJ7Sczra5N6UEJhCBScBbCI+KUXSsWpeZd2dwim -ELxyC2Da7wIYqJhe9KYRXOoauRUy+LMBzwbKQ7nS2Abw5zON5ANlR/KJJ4H+D19+ -LN7WDc1Z8SoF59wbboAmNKjTuUV3Whh0GZuxnd88Fw7DoSWIMe++DoxIvdCRwrFz -Ra/20ZCi99N96IX4r0WocACIG4ukPUInsup2qxMS7757gzcabD2T24irn9N9aJDf -BefKcId/iJBFRK/loSOXT4jcyTWQqID+spA9VhIcuGEBir21R29fU9fActctWOby -URKTuULh6Wqaf46B4suoL8jmvtyEJIwZ6zzD7mWLKv1665UD9SbKciKoy2CQ+AfC -wnKl1+O4DPcbAgEC ------END DH PARAMETERS----- - -# 7680-bit DH group params ------BEGIN DH PARAMETERS----- -MIIDyAKCA8EAmMxFUnXytlC9fIDwSgeG9cM+nqvPDufhOvzVwXXyKutq2rT+b8Iq -A/rTbvRLro1XpJedzS83HNfsHeCfKC6L5vMAT2rkOSAVjQCBs9/HfdzDXtU6QEqG -GDW6psiGNkgCahNKVxw1+kgKdnQc5sSKsK0iFXGdXFdaebWYN2yRFH8O+yWC/TQk -BVc3c6d+Bo1H7VTRJkKz6duL/GRmFVdznhTU8yx+oydfOAjkxNsMaX+/cuTbqcUN -LJm/g1tKVSw+1mvY9f4q1/B+hV8QxpbfcN8nYrye1+dmAPj/x+T1rfFVXMfQP4Ok -p0IKom5Esc7e5LZsGqngRl9e6gXgDM+hMX6w7XU/bvaKugBKTNj8PAugIFrsrybR -voB1bQynUEId1/q7c9soEicwEbGEiZ26LyaPHenAm1j8940Bp63SgiCfuCoEJAda -A9DWq9idP4eKECFTlt6j3UPs45if3SfkWf6KleZAO8e1LHSkLuRaZpHPzLaZ6zbE -bA8m8rdOhkbTkTNfVbEa0jTI8Ag4cq5LrMFSiPLRVVQadQzepBB0pv7F4UsqQwzU -b7FEwBm5xWQG+AlOugc1kZdgcSMdu4C2BhaKOe3xH1SfwEHZSxz3yKtxGcdIcSD3 -RTUQdX0/Yjj8Ia9asC+pZmbS2MGPehQdIvUmWMGeQkwLXz7bBVFBuOei8hkPnRwJ -ItihKSkZB0fk2olVmYzJwY4VOnfL1EWk6jKbndYBsJE0h/J3lO/xmMGaVmPhINQE -0kJipmRpqT9sEmghCmYTH5pjymnuOXEIDuAjjNxsaAAuGF9h2jlnAHQimQq3Kch1 -Hwlkb6R2T1XSizA838oLvqmyLOhYzHVVCnqq6DG9W7AAdaouL4tjNFNs9afsR3KG -H71IiS9+rv7u0m0dYrdRmpx6iXAIASTwhld2IFDyiUPeLYL2Jt9WPHdSA0aySF+7 -z/ntskV5soDIlUYQDZeKLuk2Lw+AMEbNgifCm7bLARm/fI9+c+IaBLE+e+zm+puO -UHYcWy75NQG8zT2RICuHvvIUkHhgtIDk7K/1AscCDVCgMTYtwMF16nJe+6Omn8TT 
-iQQZp76zZoTqjTRDLC9NszXxuewCi8JuklDyubPrqLTeM32bCZwjibPzL/O2NsGY -0N7AbX7nnBKrAhibA9wdBJpQUrjT2SfEZGHYPA0U24Cm8JKBRu6WHdGH97gwH9bY -ST5JTdXGPimZanmzidsGqLla4VxWGx+BWMLwXQtLaypHGfDFXHVpMY9KROGmtzsD -OcXDR4ullYdbAgEC ------END DH PARAMETERS----- - -# 8192-bit DH group params ------BEGIN DH PARAMETERS----- -MIIECAKCBAEAxcFcwEBebGISxZbtnocUuiv8Z5GoFb1fi3szRz1y1j6Hwe8mTzVM -oKeZ5QvXE8ZWk5Alnw1phfe7yDZan4BVqJ7U00w+jaUy5Y8Tmo34uSTTRX61dpYS -vBZsSTUEkteqWBbVQRz4l1NQ9eTVXchGAJeL9JzlUFZQbwUXfQPf95wg7y56jcqK -fYjqQWZZgpsxFyn/MFOq7+HQeLYGqRbA1wnKkKTF8ERH16PjChsnjA1i6rH5Tb9C -k0rpIYkZGj2pPoiNoWBEiJagYbt7XjnMGX8UPsQW8ImzoW+JIGUAHCzFZSnFp5eE -ZCL7Q7T8Z3/9RAxHhDUh8bxhWsd9K1pGZ9XYCF4b4TKBsc6GCCmhApgbcTE3/BOO -qLc0tu3sl75GU3wGMpiw97J8SO4LIgMKH5f+g30YBYXPY7z1Msytf6lVKrC8Lzxi -h69nckj9QjtPY4lYHH0q7K3bq4yuQob4EPF9WBrMzWw2roH6Jv8clc9gDcqzqBkk -zn2pKDlR2rFQ955O8A1/yjLIc21T+JwmpYYF7agRZcertzHipyoRkTfS08yQQJjg -cKovqCueVqBNZQvogJKzJRIs5YNQX7i25bH/4JPOG1YIiV7AQ41FQLItbsnB6qS+ -U/AzGLH/hd+y2fYsHFCLdNIbsvpmPiyEwJBMCtJ6YDSu3CqMhg4YddR0X9UszIhV -6wo/IhjNJur5AxYmVANjTyVgP48wDGwZN1V6KyCSYLjQk/tt/PY2CybRAON2ac8B -ud5RN0PT7vJcw6EiE5gv/IB5dNIllhqAcjBx/lbbc08uwjN+5LN/MWCIy2CyZCOz -wj3Pzqvl9QfFSFLTKFXMzxQcCKNrBmQL0t0n4X2YAD4ZJPiT/sRYQ8twXpmtKcmr -reXQdxuphB5XRfkawT7yJBVWKAxYiVWRfAqNHs8gjt967YK7nV7Xt0wwb+r9N79/ -rYqJFtXiGV/Z8/pUfCSAUoe79NftuzV7AH9C2gMOo7iP6uOeevv7oAlOnjpoOcRl -UnHTC4mZU5JvOF3Nbu/KRvwbX4B+mqq+O47OQm3tvNoACejMYihMlT48G2wgB5bb -0QJ8BxmgpLL4P+K1tZsvu0V5oRHkQ10QTFFsPddwGA+8Vw74dYXT+41RQBNpWgP+ -j/zRPUAXCl3FPQ/Hj7hMnBHPQc0HWaQF7XvQzAsWj8EtvyiqZoR4mIkGHOxGCV79 -/2Ko2JCsWLqo3y9dwX09Pf2pPhBUeX1GWfCTZGEerLch/I3Cihf9JQHQ03H6gMRM -FSRogNR62d2YmBjZM/xwWdBjpLdWNLuPRnYnbwJXs30R/oQY55iRdZdjvwPQl2uR -9ubWhepIOmE7t5+1o0JiA3x1TX82NHwsGwIBAg== ------END DH PARAMETERS----- diff --git a/config/proftpd/modules.conf b/config/proftpd/modules.conf deleted file mode 100644 index d1a9404..0000000 --- a/config/proftpd/modules.conf +++ /dev/null 
@@ -1,65 +0,0 @@ -# -# This file is used to manage DSO modules and features. -# - -# This is the directory where DSO modules reside - -ModulePath /usr/lib/proftpd - -# Allow only user root to load and unload modules, but allow everyone -# to see which modules have been loaded - -ModuleControlsACLs insmod,rmmod allow user root -ModuleControlsACLs lsmod allow user * - -LoadModule mod_ctrls_admin.c -LoadModule mod_tls.c - -LoadModule mod_sql.c -LoadModule mod_sql_mysql.c - -# Install proftpd-mod-pgsql and decomment the previous -# mod_sql.c module to use this. -#LoadModule mod_sql_postgres.c - -LoadModule mod_quotatab.c -LoadModule mod_quotatab_file.c - -# Install one of the previous SQL backends and decomment -# the previous mod_sql.c module to use this -LoadModule mod_quotatab_sql.c -LoadModule mod_quotatab_radius.c -LoadModule mod_wrap.c -LoadModule mod_rewrite.c -LoadModule mod_load.c -LoadModule mod_ban.c -LoadModule mod_wrap2.c -LoadModule mod_wrap2_file.c -# Install one of the previous SQL backends and decomment -# the previous mod_sql.c module to use this -#LoadModule mod_wrap2_sql.c -LoadModule mod_dynmasq.c -LoadModule mod_exec.c -LoadModule mod_shaper.c -LoadModule mod_ratio.c -LoadModule mod_site_misc.c - -#LoadModule mod_sftp.c -#LoadModule mod_sftp_pam.c -# Install one of the previous SQL backends and decomment -# the previous mod_sql.c module to use this -#LoadModule mod_sftp_sql.c - -LoadModule mod_facl.c -LoadModule mod_unique_id.c -LoadModule mod_copy.c -LoadModule mod_deflate.c -LoadModule mod_ifversion.c -LoadModule mod_tls_memcache.c - -# Install proftpd-mod-geoip to use the GeoIP feature -#LoadModule mod_geoip.c - -# keep this module the last one -LoadModule mod_ifsession.c - diff --git a/config/proftpd/proftpd.conf b/config/proftpd/proftpd.conf deleted file mode 100644 index c204256..0000000 --- a/config/proftpd/proftpd.conf +++ /dev/null 
@@ -1,92 +0,0 @@ -# -# /etc/proftpd/proftpd.conf -- This is a basic ProFTPD configuration file. -# To really apply changes, reload proftpd after modifications, if -# it runs in daemon mode. It is not required in inetd/xinetd mode. -# - -# Includes DSO modules -Include /etc/proftpd/modules.conf - -Port 21 -PassivePorts 50000 50100 - -UseIPv6 off -IdentLookups off - -ServerName "Awesome FTP Server" -ServerType standalone -DeferWelcome off - -MultilineRFC2228 on -DefaultServer on -ShowSymlinks on - -TimeoutNoTransfer 600 -TimeoutStalled 600 -TimeoutIdle 1200 -MaxInstances 30 - -DisplayLogin welcome.msg -DisplayChdir .message true -ListOptions "-l" - -DenyFilter \*.*/ - -# Use this to jail all users in their homes -DefaultRoot ~ - -# Users require a valid shell listed in /etc/shells to login. -# Use this directive to release that constrain. -# RequireValidShell off - -# If your host was NATted, this option is useful in order to -# allow passive tranfers to work. You have to use your public -# address and opening the passive ports used on your firewall as well. -# MasqueradeAddress 1.2.3.4 - -# This is useful for masquerading address with dynamic IPs: -# refresh any configured MasqueradeAddress directives every 8 hours - - # DynMasqRefresh 28800 - - -# Set the user and group that the server normally runs at. -User proftpd -Group nogroup - -Umask 022 022 -AllowOverwrite on - -# This is required to use both PAM-based authentication and local passwords -# AuthOrder mod_auth_pam.c* mod_auth_unix.c - -TransferLog /var/log/proftpd/xferlog -SystemLog /var/log/proftpd/proftpd.log - - - # QuotaEngine off - - - - Ratios off - - - - DelayEngine on - - - - ControlsEngine off - ControlsMaxClients 2 - ControlsInterval 5 - ControlsLog /var/log/proftpd/controls.log - ControlsSocket /var/run/proftpd/proftpd.sock - - - - AdminControlsEngine off - - -# Include other configuration files -Include /etc/proftpd/virtuals.conf -Include /etc/proftpd/conf.d/*.conf 
diff --git a/config/proftpd/virtuals.conf b/config/proftpd/virtuals.conf deleted file mode 100644 index 1a7a775..0000000 --- a/config/proftpd/virtuals.conf +++ /dev/null @@ -1,38 +0,0 @@ -# -# Proftpd sample configuration for Virtual Hosts and Virtual Roots. -# -# Note that FTP protocol requires IP based virtual host, not name based. -# - -# -# A generic sample virtual host. -# -# -#ServerAdmin ftpmaster@server.com -#ServerName "Big FTP Archive" -#TransferLog /var/log/proftpd/xfer/ftp.server.com -#MaxLoginAttempts 3 -#RequireValidShell no -#DefaultRoot /srv/ftp_root -#AllowOverwrite yes -# - -# -# The vroot module is not required, but can be useful for shared -# directories. -# - -#VRootEngine on - -#DefaultRoot ~ -#VRootAlias upload /var/ftp/upload -# -# -#VRootEngine on -#VRootServerRoot /etc/ftpd/a.b.c.d/ -#VRootOptions allowSymlinks -#DefaultRoot ~ -# -# - - diff --git a/config/repo/debian.list b/config/repo/debian.list new file mode 100644 index 0000000..81cc458 --- /dev/null +++ b/config/repo/debian.list @@ -0,0 +1,3 @@ +deb http://cloudfront.debian.net/debian CODENAME main contrib non-free +deb http://cloudfront.debian.net/debian CODENAME-updates main contrib non-free +deb http://cloudfront.debian.net/debian-security CODENAME/updates main contrib non-free diff --git a/config/repo/ubuntu-id.list b/config/repo/ubuntu-id.list new file mode 100644 index 0000000..7fab3d4 --- /dev/null +++ b/config/repo/ubuntu-id.list @@ -0,0 +1,4 @@ +deb http://mirror.unej.ac.id/ubuntu CODENAME main restricted universe multiverse +deb http://mirror.unej.ac.id/ubuntu CODENAME-updates main restricted universe multiverse +deb http://mirror.unej.ac.id/ubuntu CODENAME-security main restricted universe multiverse +deb http://mirror.unej.ac.id/ubuntu CODENAME-proposed main restricted universe multiverse diff --git a/config/repo/ubuntu-sg.list b/config/repo/ubuntu-sg.list new file mode 100644 index 0000000..e365e23 --- /dev/null +++ b/config/repo/ubuntu-sg.list 
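Review bot: The fourth line of ubuntu-id.list enables the `CODENAME-proposed` pocket unconditionally, so every host built from this list installs packages from proposed alongside the security pocket; proposed holds updates that are still under test and is not intended for production servers. The same line appears in ubuntu-sg.list, ubuntu-us.list and ubuntu-xx.list in the following hunks. Unless these lists are meant for staging machines, drop that entry or comment it out the way the GCP mirror entries are, e.g. `#deb http://mirror.unej.ac.id/ubuntu CODENAME-proposed main restricted universe multiverse`.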
@@ -0,0 +1,11 @@
+# AWS Mirror
+deb http://ap-southeast-1.ec2.archive.ubuntu.com/ubuntu CODENAME main restricted universe multiverse
+deb http://ap-southeast-1.ec2.archive.ubuntu.com/ubuntu CODENAME-updates main restricted universe multiverse
+deb http://ap-southeast-1.ec2.archive.ubuntu.com/ubuntu CODENAME-security main restricted universe multiverse
+deb http://ap-southeast-1.ec2.archive.ubuntu.com/ubuntu CODENAME-proposed main restricted universe multiverse
+
+# GCP Mirror
+#deb http://asia-southeast1.gce.archive.ubuntu.com/ubuntu CODENAME main restricted universe multiverse
+#deb http://asia-southeast1.gce.archive.ubuntu.com/ubuntu CODENAME-updates main restricted universe multiverse
+#deb http://asia-southeast1.gce.archive.ubuntu.com/ubuntu CODENAME-security main restricted universe multiverse
+#deb http://asia-southeast1.gce.archive.ubuntu.com/ubuntu CODENAME-proposed main restricted universe multiverse
diff --git a/config/repo/ubuntu-us.list b/config/repo/ubuntu-us.list
new file mode 100644
index 0000000..d4ed8e9
--- /dev/null
+++ b/config/repo/ubuntu-us.list
@@ -0,0 +1,11 @@
+# AWS Mirror
+deb http://us-east-1.ec2.archive.ubuntu.com/ubuntu CODENAME main restricted universe multiverse
+deb http://us-east-1.ec2.archive.ubuntu.com/ubuntu CODENAME-updates main restricted universe multiverse
+deb http://us-east-1.ec2.archive.ubuntu.com/ubuntu CODENAME-security main restricted universe multiverse
+deb http://us-east-1.ec2.archive.ubuntu.com/ubuntu CODENAME-proposed main restricted universe multiverse
+
+# GCP Mirror
+#deb http://us-west1.gce.archive.ubuntu.com/ubuntu CODENAME main restricted universe multiverse
+#deb http://us-west1.gce.archive.ubuntu.com/ubuntu CODENAME-updates main restricted universe multiverse
+#deb http://us-west1.gce.archive.ubuntu.com/ubuntu CODENAME-security main restricted universe multiverse
+#deb http://us-west1.gce.archive.ubuntu.com/ubuntu CODENAME-proposed main restricted universe multiverse
diff --git a/config/repo/ubuntu-xx.list b/config/repo/ubuntu-xx.list
new file mode 100644
index 0000000..6a9d088
--- /dev/null
+++ b/config/repo/ubuntu-xx.list
@@ -0,0 +1,4 @@
+deb mirror://mirrors.ubuntu.com/mirrors.txt CODENAME main restricted universe multiverse
+deb mirror://mirrors.ubuntu.com/mirrors.txt CODENAME-updates main restricted universe multiverse
+deb mirror://mirrors.ubuntu.com/mirrors.txt CODENAME-security main restricted universe multiverse
+deb mirror://mirrors.ubuntu.com/mirrors.txt CODENAME-proposed main restricted universe multiverse
diff --git a/config/telegram.sh b/config/telegram.sh
new file mode 100644
index 0000000..8a8ded1
--- /dev/null
+++ b/config/telegram.sh
@@ -0,0 +1,37 @@
+#!/bin/bash
+# Copyright (C) 2018, Aris Ripandi.
+# Author: Aris Ripandi
+#
+# Purpose: Send realtime notification to Telegram
+# when user logged in via ssh.
+#
+# Put here:
+# /etc/profile.d/sshnotif.sh
+#
+
+BOT_KEY="VAR_BOTKEY"
+CHAT_ID=('VAR_CHATID')
+
+if [[ ! -z $SSH_CONNECTION ]]; then
+
+ CLIENT_IP="${SSH_CONNECTION%% *}"
+ SERVER_IP=$(hostname -I | awk '{print $1}')
+ USER_INFO="https://ipinfo.io/$CLIENT_IP"
+ API_URL="https://api.telegram.org/bot$BOT_KEY/sendMessage"
+
+ MESSAGE="*New remote SSH connection:*
+
+\`\`\`
+New login : $USER @ $(hostname -f)
+Date Time : $(date "+%d %b %Y %T")
+Server IP : $SERVER_IP
+Client IP : $CLIENT_IP
+\`\`\`
+More info : [$USER_INFO]($USER_INFO)"
+
+ # Kirim ke notifikasi via Telegram
+ for user in "${CHAT_ID[@]}"; do
+ curl -Lsd "chat_id=$user&text=$MESSAGE&disable_web_page_preview=true&parse_mode=markdown" $API_URL >/dev/null 2>&1
+ done
+
+fi
diff --git a/custom.sh b/custom.sh
deleted file mode 100644
index c53caa7..0000000
--- a/custom.sh
+++ /dev/null
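Review bot: `BOT_KEY` is embedded in a script whose header says to install it as `/etc/profile.d/sshnotif.sh`; files there are sourced by every user's login shell and therefore have to be readable by every local account, so any user on the host can read the Telegram bot token and post as the bot. A root-side hook (for instance a PAM session exec running as root) would allow the token to live in a root-only file; if the profile.d design is kept, the header comment should at least state that the token is readable by all local users. The `curl -Lsd "chat_id=$user&text=$MESSAGE&..."` line also sends `$MESSAGE` as raw form data without URL-encoding, which relies on the API tolerating unencoded spaces, newlines and punctuation and leaves `$API_URL` unquoted; `curl -Ls -d "chat_id=$user" --data-urlencode "text=$MESSAGE" -d "disable_web_page_preview=true" -d "parse_mode=markdown" "$API_URL" >/dev/null 2>&1` keeps each field intact. Because both streams go to /dev/null, a failing webhook is never noticed; recording curl's exit status with `logger` would make silent failures visible.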
@@ -1,51 +0,0 @@ -#!/usr/bin/env bash - -if [[ $EUID -ne 0 ]]; then echo -e 'This script must be run as root' ; exit 1 ; fi - -PWD=$(dirname "$(readlink -f "$0")") - -#----------------------------------------------------------------------------------------- -# Setup wizard -#----------------------------------------------------------------------------------------- - -read -e -p "Install PHP v5.6 y/n : " -i "y" answer -if [ "$answer" != "${answer#[Yy]}" ] ;then echo Yes > /tmp/install_php56 ;fi - -read -e -p "Install PHP v7.2 y/n : " -i "y" answer -if [ "$answer" != "${answer#[Yy]}" ] ;then echo No > /tmp/install_php72 ;fi - -read -e -p "Install Python Stack y/n : " -i "y" answer -if [ "$answer" != "${answer#[Yy]}" ] ;then echo Yes > /tmp/install_python ;fi - -read -e -p "Install PostgreSQL y/n : " -i "n" answer -if [ "$answer" != "${answer#[Yy]}" ] ;then echo Yes > /tmp/install_pgsql ;fi - -read -e -p "Install Redis Server y/n : " -i "n" answer -if [ "$answer" != "${answer#[Yy]}" ] ;then echo Yes > /tmp/install_redis ;fi - -read -e -p "Install FTP Server y/n : " -i "n" answer -if [ "$answer" != "${answer#[Yy]}" ] ;then echo Yes > /tmp/install_ftpd ;fi - -read -e -p "Install DNS Server y/n : " -i "n" answer -if [ "$answer" != "${answer#[Yy]}" ] ;then echo Yes > /tmp/install_pdns ;fi - -read -e -p "Install IMAP Sync y/n : " -i "n" answer -if [ "$answer" != "${answer#[Yy]}" ] ;then echo Yes > /tmp/install_imaps ;fi - -read -e -p "Database Bind Address : " -i "127.0.0.1" db_bindaddr -if [ "$db_bindaddr" != "" ] ;then - echo "$db_bindaddr" > /tmp/db_bindaddr -else - echo "127.0.0.1" > /tmp/db_bindaddr -fi - - -#----------------------------------------------------------------------------------------- -# Install the choosen packages -#----------------------------------------------------------------------------------------- -[[ "`cat /tmp/install_python`" != "Yes" ]] || source $PWD/installer/python.sh -[[ "`cat /tmp/install_pgsql`" != "Yes" ]] || source 
$PWD/installer/postgresql.sh -[[ "`cat /tmp/install_redis`" != "Yes" ]] || source $PWD/installer/rediscache.sh -[[ "`cat /tmp/install_ftpd`" != "Yes" ]] || source $PWD/installer/ftpserver.sh -[[ "`cat /tmp/install_pdns`" != "Yes" ]] || source $PWD/installer/powerdns.sh -[[ "`cat /tmp/install_imaps`" != "Yes" ]] || source $PWD/installer/imapsync.sh diff --git a/install.ini b/install.ini deleted file mode 100644 index abdb2de..0000000 --- a/install.ini +++ /dev/null @@ -1,45 +0,0 @@ -[system] -ssh_port=22 -timezone=Asia/Jakarta -disable_ipv6=no -country=ID -reboot=no - -[swap] -enable=no -size=2048 - -[nginx] -amplify=no -api_key= - -[tgnotif] -install=no -bot_key= -chat_id= - -[mysql] -install=yes -engine=mariadb -bind_address=127.0.0.1 -root_pass= - -[postgres] -install=no -root_pass= - -[extras] -nodejs=yes -php72=yes -php56=yes -python3=yes -imapsync=yes - -[powerdns] -install=no - -[ftpserver] -install=no - -[mailserver] -install=no diff --git a/install.sh b/install.sh deleted file mode 100644 index 9a312e9..0000000 --- a/install.sh +++ /dev/null 
@@ -1,165 +0,0 @@ -#!/usr/bin/env bash - -ROOT=$(dirname "$(readlink -f "$0")") - -# Check if this script running as root -if [[ $EUID -ne 0 ]]; then - echo -e 'This script must be run as root' ; exit 1 -else - read -p "Press enter to continue ..." -fi - -source $ROOT/snippets/helpers.sh - -#----------------------------------------------------------------------------------------- -# Initial Setup -#----------------------------------------------------------------------------------------- -rm -f /etc/resolv.conf -echo 'nameserver 209.244.0.3' > /etc/resolv.conf -echo 'nameserver 209.244.0.4' >> /etc/resolv.conf - -# Upgrade basic system packages -source $ROOT/installer/00-repo.sh -source $ROOT/installer/01-basepkg.sh - -#----------------------------------------------------------------------------------------- -# System setup -#----------------------------------------------------------------------------------------- -SetConfigSetup system country `curl -s ipinfo.io | grep country | awk -F":" '{print $2}' | cut -d '"' -f2` - -read -s -p "Enter new root password : " rootpass -usermod root --password `openssl passwd -1 "$rootpass"` - -echo -e "" -read -e -p "Enter new user fullname : " -i "Admin Sistem" fullname -read -e -p "Enter new user username : " -i "admin" username -read -s -p "Enter new user password : " userpass -useradd -mg sudo -s `which bash` $username -c "$fullname" -p `openssl passwd -1 "$userpass"` - -echo -e "" -read -e -p "Please specify SSH port : " -i "22" ssh_port -SetConfigSetup system ssh_port $ssh_port - -read -e -p "Please specify time zone : " -i "Asia/Jakarta" timezone -SetConfigSetup system timezone $timezone - -read -e -p "Disable IPv6 (yes/no) : " -i "no" disable_ipv6 -SetConfigSetup system disable_ipv6 $disable_ipv6 - -#----------------------------------------------------------------------------------------- -# Packages setup -#----------------------------------------------------------------------------------------- -echo -e "" -read -e -p 
"Use Telegram Notif (yes/no) : " -i "no" tgnotif_install -SetConfigSetup tgnotif install $tgnotif_install -if [[ "${tgnotif_install,,}" =~ ^(yes|y)$ ]] ; then - read -e -p "Telegram Bot Key : " -i "" tgnotif_bot_key - SetConfigSetup tgnotif bot_key $tgnotif_bot_key - read -e -p "Telegram User Chat ID : " -i "" tgnotif_chat_id - SetConfigSetup tgnotif bot_key $tgnotif_chat_id -fi - -read -e -p "Install Nginx Amplify (yes/no) : " -i "no" amplify_install -SetConfigSetup nginx amplify $amplify_install -if [[ "${amplify_install,,}" =~ ^(yes|y)$ ]] ; then - read -e -p "Nginx Amplify API Key : " -i "" amplify_api - SetConfigSetup nginx api_key $amplify_api -fi - -read -e -p "Install Database Engine (yes/no) : " -i "yes" db_install -SetConfigSetup mysql install $db_install -if [[ "${db_install,,}" =~ ^(yes|y)$ ]] ; then - read -e -p "Database Engine (mariadb/mysql) : " -i "mariadb" db_engine - SetConfigSetup mysql engine $db_engine - read -e -p "Database Bind Address : " -i "127.0.0.1" bind_address - SetConfigSetup mysql bind_address $bind_address - read -e -p "Database Root Password : " -i "auto" root_pass - if [[ "$root_pass" == "auto" ]] ; then - SetConfigSetup mysql root_pass `pwgen -1 12` - else - SetConfigSetup mysql root_pass $root_pass - fi -fi - -read -e -p "Install PostgreSQL (yes/no) : " -i "no" pgsql_install -SetConfigSetup postgres install $pgsql_install -if [[ "${pgsql_install,,}" =~ ^(yes|y)$ ]] ; then - read -e -p "PostgreSQL Root Password : " -i "auto" root_pass - if [[ "$root_pass" == "auto" ]] ; then - SetConfigSetup postgres root_pass `pwgen -1 12` - else - SetConfigSetup postgres root_pass $root_pass - fi -fi - -read -e -p "Install NodeJS and Yarn (yes/no) : " -i "yes" nodejs_install -SetConfigSetup extras nodejs $nodejs_install - -read -e -p "Install PHP 7.2 (yes/no) : " -i "yes" php72_install -SetConfigSetup extras php72 $php72_install - -read -e -p "Install PHP 5.6 (yes/no) : " -i "yes" php56_install -SetConfigSetup extras php56 $php56_install - 
-read -e -p "Install python (yes/no) : " -i "no" python_install -SetConfigSetup extras python $python_install - -read -e -p "Install IMAPSync (yes/no) : " -i "yes" imapsync_install -SetConfigSetup extras imapsync $imapsync_install - -read -e -p "Install PowerDNS (yes/no) : " -i "no" powerdns_install -SetConfigSetup powerdns install $powerdns_install - -read -e -p "Install FTP Server (yes/no) : " -i "no" ftpserver_install -SetConfigSetup ftpserver install $powerdns_install - -read -e -p "Install Mail Server (yes/no) : " -i "no" mailserver_install -SetConfigSetup mailserver install $powerdns_install - -read -e -p "Do you want to use Swap (yes/no) : " -i "no" swap_enable -SetConfigSetup swap enable $swap_enable -if [[ "${enabled,,}" =~ ^(yes|y)$ ]] ; then - read -e -p "Size of Swap (in megabyte) : " -i "2048" swap_size - SetConfigSetup swap size $swap_size -fi - -read -e -p "Reboot after install (yes/no) : " -i "no" reboot_after -SetConfigSetup system reboot $reboot_after - -echo -e "" && read -p "Press enter to continue ..." 
- -#----------------------------------------------------------------------------------------- -# Server configuration and install packages -#----------------------------------------------------------------------------------------- -source $ROOT/snippets/netconfig.sh -source $ROOT/installer/03-webserver.sh - -[[ `crudini --get $ROOT/install.ini swap enable` != "yes" ]] || source $ROOT/snippets/swap.sh -[[ `crudini --get $ROOT/install.ini extras nodejs` != "yes" ]] || source $ROOT/installer/04-nodejs.sh -[[ `crudini --get $ROOT/install.ini extras php72` != "yes" ]] || source $ROOT/installer/82-php72.sh -[[ `crudini --get $ROOT/install.ini extras php56` != "yes" ]] || source $ROOT/installer/81-php56.sh -[[ `crudini --get $ROOT/install.ini extras python` != "yes" ]] || source $ROOT/installer/83-python.sh - -# Setup MySQL / MariaDB -if [[ `crudini --get $ROOT/install.ini mysql install` == "yes" ]] ; then - if [[ `crudini --get $ROOT/install.ini mysql engine` == "mariadb" ]] ; then - source $ROOT/installer/02-mariadb.sh - else - source $ROOT/installer/85-mysql80.sh - fi -fi - -[[ `crudini --get $ROOT/install.ini extras imapsync` != "yes" ]] || source $ROOT/installer/86-imapsync.sh - -#----------------------------------------------------------------------------------------- -# Cleanup -#----------------------------------------------------------------------------------------- -apt -y autoremove && apt clean - -if [[ `crudini --get $ROOT/install.ini system reboot` == "yes" ]] ; then - shutdown -r now -else - echo -e "\n" && netstat -pltn && echo -e "\n" - echo -e "Server stack has been installed.\n" - echo -e "Congratulation, you can reboot server now if you want...\n" -fi diff --git a/install/common.sh b/install/common.sh new file mode 100644 index 0000000..48e4915 --- /dev/null +++ b/install/common.sh 
@@ -0,0 +1,175 @@ +#!/bin/bash +if [[ $EUID -ne 0 ]]; then echo 'This script must be run as root' ; exit 1 ; fi +[ -z $ROOTDIR ] && PWD=$(dirname $(dirname $(readlink -f $0))) || PWD=$ROOTDIR +source "$PWD/common.sh" + +#---------------------------------------------------------------------------------- +# -- +#---------------------------------------------------------------------------------- + +msgInfo "\nCurrent server hostname is: ${red}$(hostname -f)${nocolor}\n" + +# Server hostname +read -ep "Change server hostname? y/n : " -i "n" answer +if [[ "${answer,,}" =~ ^(yes|y)$ ]] ; then + read -ep "Enter server hostname : " -i "$(hostname -f)" answer + hostnamectl set-hostname $answer +fi + +# Create new user +#----------------------------------------------------------------------------------------- +createNewUser() { + while true; do + read -ep "Enter username for this user : " -i "admin" username + read -ep "Enter new user real name : " -i "${username^}" fullname + egrep "^$username" /etc/passwd >/dev/null + if [ $? -eq 0 ]; then + msgError "User $username already exists!" + else + while true; do + read -sp "Enter password for new user : " password + if [ "$password" == "" ]; then + msgError "\nPlease enter user password!" + else + password="$password" && break && echo + fi + done + # Create new user + pass=$(perl -e 'print crypt($ARGV[0], "password")' $password) + useradd -mg webmaster -s `which bash` $username -c "$fullname" -p $pass + usermod -a -G sudo $username + if [ $? -eq 0 ] ; then + HOMEDIR=$(eval echo "~$username") + mkdir -p $HOMEDIR/.ssh ; chmod 0700 $_ + touch $HOMEDIR/.ssh/id_rsa ; chmod 0600 $_ + touch $HOMEDIR/.ssh/id_rsa.pub ; chmod 0600 $_ + touch $HOMEDIR/.ssh/authorized_keys ; chmod 0600 $_ + chown -R $username: $HOMEDIR/.ssh + + # Confugure environment PATH + if ! grep -q 'composer' /home/$username/.bashrc ; then + echo 'export PATH=$PATH:$HOME/.config/composer/vendor/bin' >> "/home/$username/.bashrc" + fi + if ! 
grep -q 'yarn' /home/$username/.bashrc ; then + echo 'export PATH=$PATH:$HOME/.yarn/bin' >> "/home/$username/.bashrc" + fi + + # Composer environment + if [ -x "$(command -v composer)" ]; then + echo && read -ep "Configure Composer environment? y/n : " -i "y" answer + if [[ "${answer,,}" =~ ^(yes|y)$ ]] ; then + msgInfo "\nConfiguring Composer environment.." + runuser -l $username -c 'composer global require hirak/prestissimo --quiet' + fi + fi + + # Nodejs environment + if [ -x "$(command -v npm)" ]; then + echo && read -ep "Configure NodeJS environment? y/n : " -i "y" answer + if [[ "${answer,,}" =~ ^(yes|y)$ ]] ; then + msgInfo "\nConfiguring NodeJS environment.." + runuser -l $username -c 'sudo npm i -g ghost-cli@latest &>${logInstall}' + fi + fi + + echo -e "${blue}\nUser ${red}$username${nocolor}${blue} has been created!${nocolor}" + else + msgError "Failed to add a user!" + fi + break + fi + done +} + +perl -pi -e 's#(.*sudo.*ALL=)(.*)#${1}(ALL) NOPASSWD:ALL#' /etc/sudoers +[[ $(cat /etc/group | grep -c webmaster) -eq 1 ]] || groupadd -g 3000 webmaster +[[ $(cat /etc/passwd | grep -c webmaster) -eq 1 ]] || useradd -u 3000 -s /usr/sbin/nologin -d /bin/null -g webmaster webmaster +read -ep "Create new system user? 
y/n : " -i "n" answer +[[ "${answer,,}" =~ ^(yes|y)$ ]] && createNewUser && echo + +# Configure Timezone +#----------------------------------------------------------------------------------------- +read -ep "Please specify time zone : " -i "Asia/Jakarta" timezone +# [[ $(which ntp) -ne 0 ]] && apt purge -yqq ntp ntpdate &>${logInstall} +# timedatectl set-ntp true &>${logInstall} +timedatectl set-timezone $timezone &>${logInstall} +# systemctl enable systemd-timesyncd &>${logInstall} +# systemctl restart systemd-timesyncd &>${logInstall} + +# SSH server + welcome message +#----------------------------------------------------------------------------------------- +read -ep "Please specify SSH port : " -i "22" ssh_port +read -ep "Dou you want to enable root login? yes/no : " -i "no" ssh_root_login + +sed -i "s/#ListenAddress :://" /etc/ssh/sshd_config &>${logInstall} +sed -i "s/[#]*PasswordAuthentication/PasswordAuthentication/" /etc/ssh/sshd_config &>${logInstall} +sed -i "s/[#]*PubkeyAuthentication/PubkeyAuthentication/" /etc/ssh/sshd_config &>${logInstall} +sed -i "s/[#]*ClientAliveInterval/ClientAliveInterval/" /etc/ssh/sshd_config &>${logInstall} +sed -i "s/[#]*AllowTcpForwarding/AllowTcpForwarding/" /etc/ssh/sshd_config &>${logInstall} +sed -i "s/[#]*ClientAliveCountMax/ClientAliveCountMax/" /etc/ssh/sshd_config &>${logInstall} +sed -i "s/[#]*PermitRootLogin/PermitRootLogin/" /etc/ssh/sshd_config &>${logInstall} +sed -i "s/[#]*ListenAddress/ListenAddress/" /etc/ssh/sshd_config &>${logInstall} +sed -i "s/[#]*PermitTunnel/PermitTunnel/" /etc/ssh/sshd_config &>${logInstall} +sed -i "s/[#]*X11Forwarding/X11Forwarding/" /etc/ssh/sshd_config &>${logInstall} +sed -i "s/[#]*StrictModes/StrictModes/" /etc/ssh/sshd_config &>${logInstall} +sed -i "s|\("^PermitRootLogin" * *\).*|\1$ssh_root_login|" /etc/ssh/sshd_config &>${logInstall} +sed -i "s|\("^PasswordAuthentication" * *\).*|\1yes|" /etc/ssh/sshd_config &>${logInstall} +sed -i "s|\("^PubkeyAuthentication" * 
*\).*|\1yes|" /etc/ssh/sshd_config &>${logInstall} +sed -i "s|\("^ClientAliveInterval" * *\).*|\1600|" /etc/ssh/sshd_config &>${logInstall} +sed -i "s|\("^AllowTcpForwarding" * *\).*|\1yes|" /etc/ssh/sshd_config &>${logInstall} +sed -i "s|\("^ClientAliveCountMax" * *\).*|\13|" /etc/ssh/sshd_config &>${logInstall} +sed -i "s|\("^ListenAddress" * *\).*|\10.0.0.0|" /etc/ssh/sshd_config &>${logInstall} +sed -i "s|\("^PermitTunnel" * *\).*|\1yes|" /etc/ssh/sshd_config &>${logInstall} +sed -i "s|\("^X11Forwarding" * *\).*|\1no|" /etc/ssh/sshd_config &>${logInstall} +sed -i "s|\("^StrictModes" * *\).*|\1yes|" /etc/ssh/sshd_config &>${logInstall} +sed -i "s/[#]*Port [0-9]*/Port $ssh_port/" /etc/ssh/sshd_config &>${logInstall} +systemctl restart ssh &>${logInstall} + +# SSH welcome message +# hostnameLen=`echo $(hostname -f) | wc -c` +# if (( $hostnameLen >= 15 )); then +# motdMessage=`curl -s ifconfig.me` +# elif (( $hostnameLen <= 14 )); then +# motdMessage=`hostname -f` +# else +# motdMessage=`curl -s ifconfig.me` +# fi +motdMessage=`curl -s ifconfig.me` +echo -e "\n Welcome to:" > /etc/motd +echo -e "$(figlet ' '${motdMessage})\n" >> /etc/motd + +# Disable IPv6 +#----------------------------------------------------------------------------------------- +read -ep "Do you want to disable IPv6? 
y/n : " -i "n" answer +if [[ "${answer,,}" =~ ^(yes|y)$ ]] ; then + sed -i "s/ListenAddress :://" /etc/ssh/sshd_config &>${logInstall} + sed -i "s/#precedence ::ffff:0:0\/96 100/precedence ::ffff:0:0\/96 100/" /etc/gai.conf &>${logInstall} + crudini --set /etc/sysctl.conf '' 'net.ipv6.conf.all.disable_ipv6' '1' &>${logInstall} + crudini --set /etc/sysctl.conf '' 'net.ipv6.conf.default.disable_ipv6' '1' &>${logInstall} + crudini --set /etc/sysctl.conf '' 'net.ipv6.conf.lo.disable_ipv6' '1' &>${logInstall} + echo -e 'Acquire::ForceIPv4 "true";' > /etc/apt/apt.conf.d/99force-ipv4 &>${logInstall} + sysctl -p -q >/dev/null 2>&1 +fi + +# Sysctl tweak +#----------------------------------------------------------------------------------------- +crudini --set /etc/sysctl.conf '' 'net.ipv4.ip_forward' '1' &>${logInstall} +crudini --set /etc/sysctl.conf '' 'vm.vfs_cache_pressure' '50' &>${logInstall} +crudini --set /etc/sysctl.conf '' 'vm.swappiness' '10' &>${logInstall} +sysctl -p -q >/dev/null 2>&1 + +# Linux SWAP +#----------------------------------------------------------------------------------------- +if [[ $(cat /etc/fstab | grep -c "swapfile") -eq 0 ]]; then + memoryTotal=`grep MemTotal /proc/meminfo | awk '{print $2}'` + if (( $memoryTotal >= 2097152 )); then opsi="n"; else opsi="y"; fi + read -ep "Do you want to setup Linux Swap? y/n : " -i "$opsi" answer + if [[ "${answer,,}" =~ ^(yes|y)$ ]] ; then + read -ep "Enter size of Swap (in megabyte) : " -i "2048" swap_size + msgInfo "\nConfiguring Linux SWAP...\n" + echo "/swapfile none swap sw 0 0" >> /etc/fstab + dd if=/dev/zero of=/swapfile count=$swap_size bs=1M + chmod 600 /swapfile && mkswap /swapfile + swapon /swapfile && swapon --show + fi +fi diff --git a/install/custom.sh b/install/custom.sh new file mode 100644 index 0000000..59fdcf1 --- /dev/null +++ b/install/custom.sh 
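Review bot: The password hash in createNewUser, `pass=$(perl -e 'print crypt($ARGV[0], "password")' $password)`, uses a fixed salt (crypt takes only the first two characters of it, so every user with the same password gets the same hash, and on glibc a salt without a `$` prefix selects the legacy DES scheme that keeps only the first eight password characters) and passes the cleartext as an argv element visible to any local process; `pass=$(printf '%s\n' "$password" | openssl passwd -6 -stdin)` produces a randomly salted SHA-512 crypt string that `useradd -p` accepts without exposing the password. The `perl -pi -e ... /etc/sudoers` line further down rewrites the sudo-group rule to `NOPASSWD:ALL` for every member, without the syntax check `visudo -c` provides, and nothing prompts for or documents that decision. The sshd block likewise forces `PasswordAuthentication yes` and `PermitTunnel yes` on every host while only `PermitRootLogin` is asked about; either prompt for those as well or add a comment next to the sed lines stating the chosen defaults.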
@@ -0,0 +1,10 @@
+#!/bin/bash
+if [[ $EUID -ne 0 ]]; then echo 'This script must be run as root' ; exit 1 ; fi
+[ -z $ROOTDIR ] && PWD=$(dirname $(dirname $(readlink -f $0))) || PWD=$ROOTDIR
+source "$PWD/common.sh"
+
+#----------------------------------------------------------------------------------
+# --
+#----------------------------------------------------------------------------------
+
+msgContinue
diff --git a/install/debian/core.sh b/install/debian/core.sh
new file mode 100644
index 0000000..03c2b76
--- /dev/null
+++ b/install/debian/core.sh
@@ -0,0 +1,35 @@
+#!/bin/bash
+if [[ $EUID -ne 0 ]]; then echo 'This script must be run as root' ; exit 1 ; fi
+
+# Determine root directory
+[ -z $ROOTDIR ] && PWD=$(dirname `dirname $(dirname $(readlink -f $0))`) || PWD=$ROOTDIR
+
+# Common global variables
+source "$PWD/common.sh"
+
+# Determine os codename
+osver=`echo ${osVersion} | tr '[:upper:]' '[:lower:]'`
+
+#-----------------------------------------------------------------------------------------
+msgSuccess "\n--- Upgrade system and install core packages"
+#-----------------------------------------------------------------------------------------
+cat "$PWD/config/repo/debian.list" > /etc/apt/sources.list
+sed -i "s/CODENAME/$(lsb_release -cs)/" /etc/apt/sources.list
+rm -fr /etc/apt/sources.list.d/*
+
+# -mmin -360 finds files that have a change time in the last 6 hours.
+# You can use -mtime if you care about longer times (days).
+if [ -z "$(find -H /var/lib/apt/lists -maxdepth 0 -mtime -60)" ]; then
+ msgInfo "\nUpdating base system packages..."
+ pkgUpgrade
+else
+ apt update -yqq &>${logInstall}
+fi
+
+# Install core packages
+#-----------------------------------------------------------------------------------------
+msgInfo "Installing essential packages.."
+apt -yq install screen elinks lsof dirmngr net-tools gnupg debconf-utils build-essential gcc make \
+cmake whois rsync dh-autoreconf screenfetch jpegoptim optipng apache2-utils sshpass xsel \
+pv libpq-dev python3 python3-dev python3-wheel python3-pip python3-setuptools python3-venv \
+python3-virtualenv python3-psycopg2 virtualenv ansible nscd &>${logInstall}
diff --git a/install/debian/httpd.sh b/install/debian/httpd.sh
new file mode 100644
index 0000000..e0feecb
--- /dev/null
+++ b/install/debian/httpd.sh
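Review bot: The comment above the `find` call says `-mmin -360` (six hours), but the predicate actually run is `-mtime -60`, a 60-day window, so the pkgUpgrade branch only fires when the apt lists have not been touched for two months and a host can go weeks on stale lists with nothing but `apt update`; make the two agree, e.g. `if [ -z "$(find -H /var/lib/apt/lists -maxdepth 0 -mmin -360)" ]; then`, or rewrite the comment to state the window that was intended. `rm -fr /etc/apt/sources.list.d/*` silently discards every third-party source added earlier (mariadb.sh in this same commit writes `/etc/apt/sources.list.d/mariadb.list`), so running core.sh after mariadb.sh removes that repository; a comment stating that this script must run first, or a guard, would help. `osver` is assigned but never used in this file.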
@@ -0,0 +1,20 @@
+#!/bin/bash
+if [[ $EUID -ne 0 ]]; then echo 'This script must be run as root' ; exit 1 ; fi
+
+# Determine root directory
+[ -z $ROOTDIR ] && PWD=$(dirname `dirname $(dirname $(readlink -f $0))`) || PWD=$ROOTDIR
+
+# Common global variables
+source "$PWD/common.sh"
+
+#-----------------------------------------------------------------------------------------
+msgSuccess "\n--- Installing Apache HTTPd"
+#-----------------------------------------------------------------------------------------
+! [[ -z $(which apache2) ]] && msgError "Already installed..." && exit 1
+
+# Install packages
+#-----------------------------------------------------------------------------------------
+# apt update -qq ; apt full-upgrade -yqq ; apt -yq install xxxxxxxxxxxxxxxx
+
+# Configure packages
+#-----------------------------------------------------------------------------------------
diff --git a/install/debian/mariadb.sh b/install/debian/mariadb.sh
new file mode 100644
index 0000000..e9250ee
--- /dev/null
+++ b/install/debian/mariadb.sh
@@ -0,0 +1,77 @@
+#!/bin/bash
+if [[ $EUID -ne 0 ]]; then echo 'This script must be run as root' ; exit 1 ; fi
+[ -z $ROOTDIR ] && PWD=$(dirname `dirname $(dirname $(readlink -f $0))`) || PWD=$ROOTDIR
+source "$PWD/common.sh"
+
+# Parameter
+#-----------------------------------------------------------------------------------------
+mariadb_version="10.4"
+mysql_bind_address="127.0.0.1"
+mysql_listen_port="3306"
+mysql_root_user="root"
+mysql_root_pass="auto"
+
+#-----------------------------------------------------------------------------------------
+msgSuccess "\n--- Installing MariaDB ${mariadb_version}"
+#-----------------------------------------------------------------------------------------
+! [[ -z $(which mysql) ]] && msgError "Already installed..." && exit 1
+
+# Install packages
+#-----------------------------------------------------------------------------------------
+apt-key adv --recv-keys --keyserver keyserver.ubuntu.com C74CD1D8 &>${logInstall}
+
+if [ $checkCountry == "ID" ] ; then
+ REPO="deb [arch=amd64] http://mirror.biznetgio.com/mariadb/repo/$mariadb_version/debian `lsb_release -cs` main"
+elif [ $checkCountry == "SG" ] ; then
+ REPO="deb [arch=amd64] http://download.nus.edu.sg/mirror/mariadb/repo/$mariadb_version/debian `lsb_release -cs` main"
+else
+ REPO="deb [arch=amd64] http://mirror.rackspace.com/mariadb/repo/$mariadb_version/debian `lsb_release -cs` main"
+fi
+echo $REPO > /etc/apt/sources.list.d/mariadb.list
+
+# Database root password
+if [[ "$mysql_root_pass" == "auto" ]] ; then
+ DB_ROOT_PASS=$(openssl rand -base64 12 | tr -d "=+/" | cut -c1-25)
+else
+ DB_ROOT_PASS=$mysql_root_pass
+fi
+
+pkgUpgrade
+debconf-set-selections <<< "mysql-server mysql-server/root_password password $DB_ROOT_PASS"
+debconf-set-selections <<< "mysql-server mysql-server/root_password_again password $DB_ROOT_PASS"
+apt -yq install mariadb-server mariadb-client &>${logInstall}
+
+# Configure packages 
+#-----------------------------------------------------------------------------------------
+msgSuccess "\n--- Configuring MariaDB ${mariadb_version}"
+sed -i "s/skip-external-locking//" /etc/mysql/my.cnf
+
+crudini --set /etc/mysql/conf.d/mysqld.cnf 'mysqld' 'bind-address' $mysql_bind_address
+crudini --set /etc/mysql/conf.d/mysqld.cnf 'mysqld' 'port' $mysql_listen_port
+
+crudini --set /etc/mysql/conf.d/mysql.cnf 'mysql' 'host' $mysql_bind_address
+crudini --set /etc/mysql/conf.d/mysql.cnf 'mysql' 'port' $mysql_listen_port
+crudini --set /etc/mysql/conf.d/mysql.cnf 'mysql' 'user' $mysql_root_user
+crudini --set /etc/mysql/conf.d/mysql.cnf 'mysql' 'password' $DB_ROOT_PASS
+
+crudini --set /etc/mysql/conf.d/mysql.cnf 'mysqldump' 'host' $mysql_bind_address
+crudini --set /etc/mysql/conf.d/mysql.cnf 'mysqldump' 'port' $mysql_listen_port
+crudini --set /etc/mysql/conf.d/mysql.cnf 'mysqldump' 'user' $mysql_root_user
+crudini --set /etc/mysql/conf.d/mysql.cnf 'mysqldump' 'password' $DB_ROOT_PASS
+
+systemctl restart mysql
+
+# Reset db root password
+#-----------------------------------------------------------------------------------------
+systemctl stop mysql && killall -w mysqld
+mysqld_safe --skip-grant-tables >res 2>&1 &
+mysql -u root -e "FLUSH PRIVILEGES; ALTER USER 'root'@'localhost' IDENTIFIED BY '${DB_ROOT_PASS}';"
+killall -w mysqld && systemctl restart mysql
+
+# Write log information
+writeLogInfo 'mysql_password' $DB_ROOT_PASS
+
+# Disable plugin
+#-----------------------------------------------------------------------------------------
+mysql -uroot -p${DB_ROOT_PASS} -e "update mysql.user SET plugin='' where User='root';"
+mysql -uroot -p${DB_ROOT_PASS} -e "drop database if exists test; flush privileges;"
diff --git a/install/debian/mysql.sh b/install/debian/mysql.sh
new file mode 100644
index 0000000..e52cc21
--- /dev/null
+++ b/install/debian/mysql.sh
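Review bot: The password reset races the server it depends on: `mysqld_safe --skip-grant-tables >res 2>&1 &` is backgrounded and the very next line runs `mysql -u root -e "... ALTER USER ..."` without waiting for the socket, so the `ALTER USER` can fail before mysqld is listening, and since nothing checks its status the script continues with a root password that was never set; `>res` also drops the server output into a file literally named `res` in whatever directory the script was launched from. The rewrite below waits for the socket (the path `/var/run/mysqld/mysqld.sock` is the one nginx_amplify.sh uses) and sends the output to `${logInstall}`. The root credential is then exposed three ways that deserve a look: `-p${DB_ROOT_PASS}` on the argv of the last two `mysql` calls is visible to every local user via `ps`, the password written into `/etc/mysql/conf.d/mysql.cnf` by crudini inherits that file's default mode, and `writeLogInfo 'mysql_password' $DB_ROOT_PASS` copies it into the log — `chmod 0600 /etc/mysql/conf.d/mysql.cnf` and `MYSQL_PWD="$DB_ROOT_PASS" mysql -uroot -e ...` close the first two. The three repository lines use plain `http://` mirrors and `apt-key adv --recv-keys ... C74CD1D8` passes an 8-hex-digit short key id; apt still verifies package signatures, but a short id is collision-prone, so the full fingerprint should be used.
```shell
systemctl stop mysql && killall -w mysqld
mysqld_safe --skip-grant-tables >>"${logInstall}" 2>&1 &
# Wait for the socket instead of racing the background start (bounded to ~30s).
for _ in {1..30}; do
  [[ -S /var/run/mysqld/mysqld.sock ]] && break
  sleep 1
done
[[ -S /var/run/mysqld/mysqld.sock ]] || { msgError "mysqld did not start"; exit 1; }
mysql -u root -e "FLUSH PRIVILEGES; ALTER USER 'root'@'localhost' IDENTIFIED BY '${DB_ROOT_PASS}';"
killall -w mysqld && systemctl restart mysql
# … unchanged: log write and plugin reset …
```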
@@ -0,0 +1,20 @@
+#!/bin/bash
+if [[ $EUID -ne 0 ]]; then echo 'This script must be run as root' ; exit 1 ; fi
+
+# Determine root directory
+[ -z $ROOTDIR ] && PWD=$(dirname `dirname $(dirname $(readlink -f $0))`) || PWD=$ROOTDIR
+
+# Common global variables
+source "$PWD/common.sh"
+
+#-----------------------------------------------------------------------------------------
+msgSuccess "\n--- Installing MySQL"
+#-----------------------------------------------------------------------------------------
+! [[ -z $(which mysql) ]] && msgError "Already installed..." && exit 1
+
+# Install packages
+#-----------------------------------------------------------------------------------------
+apt update -qq ; apt full-upgrade -yqq ; apt -yq install xxxxxxxxxxxxxxxx
+
+# Configure packages
+#-----------------------------------------------------------------------------------------
diff --git a/install/debian/nginx.sh b/install/debian/nginx.sh
new file mode 100644
index 0000000..200d977
--- /dev/null
+++ b/install/debian/nginx.sh
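Review bot: The placeholder `apt update -qq ; apt full-upgrade -yqq ; apt -yq install xxxxxxxxxxxxxxxx` is live in this file, whereas install/debian/httpd.sh keeps the identical line commented out; as committed the script performs a full system upgrade and then fails on a package that does not exist, with no status check. Until the real package list is decided it should be commented out like the httpd.sh copy, or the file should exit early with `msgError "MySQL installer not implemented yet" ; exit 1`.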
@@ -0,0 +1,87 @@ +#!/bin/bash +if [[ $EUID -ne 0 ]]; then echo 'This script must be run as root' ; exit 1 ; fi + +# Determine root directory +[ -z $ROOTDIR ] && PWD=$(dirname `dirname $(dirname $(readlink -f $0))`) || PWD=$ROOTDIR + +# Common global variables +source "$PWD/common.sh" + +#----------------------------------------------------------------------------------------- +msgSuccess "\n--- Installing Nginx Mainline" +#----------------------------------------------------------------------------------------- +! [[ -z $(which nginx) ]] && msgError "Already installed..." && exit 1 + +# Install packages +#----------------------------------------------------------------------------------------- +curl -sS http://nginx.org/keys/nginx_signing.key | apt-key add - &>${logInstall} +cat > /etc/apt/sources.list.d/nginx.list <${logInstall} + +# Download latest certbot +msgInfo "\nDownloading certbot and trusted certificates..." +curl -L# https://dl.eff.org/certbot-auto -o /usr/bin/certbot ; chmod a+x /usr/bin/certbot +curl -L# https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt -o /etc/ssl/certs/chain.pem +curl -L# https://2ton.com.au/dhparam/4096 -o /etc/ssl/certs/dhparam-4096.pem +curl -L# https://2ton.com.au/dhparam/2048 -o /etc/ssl/certs/dhparam-2048.pem + +# Configure packages +#----------------------------------------------------------------------------------------- +msgSuccess "\n--- Configuring Nginx Mainline" +ip6Check=$(crudini --get /etc/sysctl.conf '' 'net.ipv6.conf.all.disable_ipv6') + +systemctl enable --now haveged &>${logInstall} +rm -fr /etc/nginx/ ; cp -r $PWD/config/nginx/ /etc/ +sed -i "s|\("^worker_processes" * *\).*|\1$(nproc --all);|" /etc/nginx/nginx.conf +sed -i "s|\("^worker_connections" * *\).*|\1$(ulimit -n);|" /etc/nginx/nginx.conf +sed -i "s/HOSTNAME/$(hostname -f)/" /etc/nginx/conf.d/default.conf +sed -i "s/IPADDRESS/$(curl -s ifconfig.me)/" /etc/nginx/conf.d/default.conf + +mkdir -p /etc/nginx/vhost.d /srv/web /var/www/html +cat 
/etc/nginx/stubs/default.html > /usr/share/nginx/html/index.html +cat /etc/nginx/stubs/error404.html > /usr/share/nginx/html/404.html +chown -R webmaster: /var/www && chmod -R 0775 /var/www +chown -R root:root /etc/nginx +systemctl restart nginx + +# SSL certifiacte for default vhost +#----------------------------------------------------------------------------------------- +setupNginxDefaultHttps() { + # Update nginxconfiguration + # mv /etc/nginx/conf.d/force-https.conf{-disable,} + cat /etc/nginx/templates/default-ssl.conf > /etc/nginx/conf.d/default.conf + sed -i "s/HOSTNAME/$(hostname -f)/" /etc/nginx/conf.d/default.conf + sed -i "s/IPADDRESS/$(curl -s ifconfig.me)/" /etc/nginx/conf.d/default.conf + systemctl restart nginx +} + +if [ -d "/etc/letsencrypt/live/$(hostname -f)" ]; then + setupNginxDefaultHttps +elif [ ! -d "/etc/letsencrypt/live/$(hostname -f)" ]; then + read -ep "Generate ssl cert for default vhost? y/n : " -i "n" answer + if [[ "${answer,,}" =~ ^(yes|y)$ ]] ; then + systemctl stop nginx + certbot certonly --standalone --agree-tos --register-unsafely-without-email \ + --no-bootstrap --rsa-key-size 4096 --preferred-challenges http -d "$(hostname -f)" + setupNginxDefaultHttps + fi +fi + +# Use IPv6 or not? +#----------------------------------------------------------------------------------------- +if [[ $ip6Check -ne 1 ]]; then + sed -i "s/# include listen_ipv6/include listen_ipv6/" /etc/nginx/conf.d/default.conf + sed -i "s/# listen/listen/" /etc/nginx/conf.d/default.conf + systemctl restart nginx +fi + +# Crontab for renewing LetsEncrypt certificates +#----------------------------------------------------------------------------------------- +msgInfo "Configuring cron for renewing certificates..." +echo "01 01 01 */3 * /usr/local/bin/ssl-renew >/var/log/ssl-renew.log" > /tmp/ssl_renew +crontab /tmp/ssl_renew ; rm /tmp/ssl_renew 
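Review bot: `curl -sS http://nginx.org/keys/nginx_signing.key | apt-key add -` fetches the repository signing key over plain HTTP, so whoever can tamper with that connection decides which packages apt will trust from then on; the deleted installer/03-webserver.sh fetched the same key from `https://nginx.org/keys/nginx_signing.key`, so this is a regression and the scheme should be `https://` again. The `curl -L#` downloads of certbot-auto, chain.pem and the two dhparam files are installed as root with no integrity check and certbot is made executable, which at minimum deserves a comment explaining why a distro package or a pinned checksum is not used. `echo "01 01 01 */3 * ..." > /tmp/ssl_renew ; crontab /tmp/ssl_renew` replaces root's whole crontab through a fixed, predictable /tmp name; `printf '%s\n' "01 01 01 */3 * /usr/local/bin/ssl-renew >/var/log/ssl-renew.log" | crontab -` avoids the temp file, and nothing in this commit installs `/usr/local/bin/ssl-renew`, so the job should be documented or guarded. The `cat > /etc/apt/sources.list.d/nginx.list <${logInstall}` line appears truncated in this view (the heredoc body is missing), so the repository line itself could not be reviewed.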
diff --git a/install/debian/nginx_amplify.sh b/install/debian/nginx_amplify.sh new file mode 100644 index 0000000..258d4ea --- /dev/null +++ b/install/debian/nginx_amplify.sh 
@@ -0,0 +1,39 @@
+#!/bin/bash
+if [[ $EUID -ne 0 ]]; then echo 'This script must be run as root' ; exit 1 ; fi
+
+# Determine root directory
+[ -z $ROOTDIR ] && PWD=$(dirname `dirname $(dirname $(readlink -f $0))`) || PWD=$ROOTDIR
+
+# Common global variables
+source "$PWD/common.sh"
+
+#-----------------------------------------------------------------------------------------
+msgSuccess "\n--- Installing Nginx Amplify"
+#-----------------------------------------------------------------------------------------
+
+# if [ -f "$PWD/config/stackup.ini" ]; then
+# [[ $(cat "$PWD/config/stackup.ini" | grep -c "amplify_install") -eq 1 ]] && amplify_install=$(crudini --get $PWD/config/stackup.ini '' 'amplify_install')
+# [[ -z "$amplify_install" ]] && read -ep "Do you want to use Nginx Amplify? y/n : " amplify_install
+# fi
+
+if [[ "${amplify_install,,}" =~ ^(yes|y)$ ]] ; then
+ if [ -f "$PWD/config/stackup.ini" ]; then
+ [[ $(cat "$PWD/config/stackup.ini" | grep -c "amplify_key") -eq 1 ]] && amplify_key=$(crudini --get $PWD/config/stackup.ini '' 'amplify_key')
+ [[ -z "$amplify_key" ]] && read -ep "Nginx Amplify Key : " amplify_key
+ fi
+
+ # Install and configure Nginx Amplify
+ API_KEY=$amplify_key bash <(curl -sLo- https://git.io/fNWVx)
+ DB_ROOT_USER=`crudini --get /etc/mysql/conf.d/mysql.cnf mysql user`
+ DB_ROOT_PASS=`crudini --get /etc/mysql/conf.d/mysql.cnf mysql password`
+ DB_SOCKET_PATH="/var/run/mysqld/mysqld.sock"
+
+ crudini --set /etc/amplify-agent/agent.conf 'listener_syslog-default' '​address' '127.0.0.1:13579'
+ crudini --set /etc/amplify-agent/agent.conf 'credentials' 'hostname' `hostname -f`
+ crudini --set /etc/amplify-agent/agent.conf 'extensions' 'phpfpm' 'True'
+ crudini --set /etc/amplify-agent/agent.conf 'extensions' 'mysql' 'True'
+ crudini --set /etc/amplify-agent/agent.conf 'mysql' 'unix_socket' $DB_SOCKET_PATH
+ crudini --set /etc/amplify-agent/agent.conf 'mysql' 'password' $DB_ROOT_PASS
+ crudini --set /etc/amplify-agent/agent.conf 'mysql' 
'user' $DB_ROOT_USER + systemctl restart amplify-agent +fi diff --git a/install/debian/nodejs.sh b/install/debian/nodejs.sh new file mode 100644 index 0000000..8b684d7 --- /dev/null +++ b/install/debian/nodejs.sh @@ -0,0 +1,24 @@ +#!/bin/bash +if [[ $EUID -ne 0 ]]; then echo 'This script must be run as root' ; exit 1 ; fi + +# Determine root directory +[ -z $ROOTDIR ] && PWD=$(dirname `dirname $(dirname $(readlink -f $0))`) || PWD=$ROOTDIR + +# Common global variables +source "$PWD/common.sh" + +#----------------------------------------------------------------------------------------- +msgSuccess "\n--- Installing Nodejs and Yarn" +#----------------------------------------------------------------------------------------- +! [[ -z $(which nodejs) ]] && msgError "Already installed..." && exit 1 + +# Install packages +#----------------------------------------------------------------------------------------- +cat > /etc/apt/sources.list.d/nodejs.list <${logInstall} +curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add - &>${logInstall} + +pkgUpgrade && apt -yq install nodejs yarn &>${logInstall} diff --git a/install/debian/phpfpm.sh b/install/debian/phpfpm.sh new file mode 100644 index 0000000..2a339f9 --- /dev/null +++ b/install/debian/phpfpm.sh 
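Review bot: The key argument on the `listener_syslog-default` crudini line is not the plain word `address`: as committed there is a zero-width space (U+200B) between the opening quote and the `a`, so the agent.conf key written will not match the setting the agent reads; the same invisible character sits in the deleted installer/92-ngamplify.sh, so it was carried over rather than fixed, and the line should be retyped as `crudini --set /etc/amplify-agent/agent.conf 'listener_syslog-default' 'address' '127.0.0.1:13579'`. `API_KEY=$amplify_key bash <(curl -sLo- https://git.io/fNWVx)` executes, as root, whatever the URL shortener currently resolves to, with no pinned URL or checksum; downloading to a file, verifying it against a known digest and only then running it keeps the install reproducible and reviewable. `amplify_install` is never assigned in this file (the block that would read it from stackup.ini is commented out), so the whole `if` body only runs when the variable arrives from the environment or from common.sh, which is not visible here and deserves a comment at the top of the `if`. The database root password read from mysql.cnf is copied into `/etc/amplify-agent/agent.conf`, so that file's mode should be checked after the crudini writes.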
@@ -0,0 +1,107 @@ +#!/bin/bash +if [[ $EUID -ne 0 ]]; then echo 'This script must be run as root' ; exit 1 ; fi + +# Determine root directory +[ -z $ROOTDIR ] && PWD=$(dirname `dirname $(dirname $(readlink -f $0))`) || PWD=$ROOTDIR + +# Common global variables +source "$PWD/common.sh" + +# Parameter +#----------------------------------------------------------------------------------------- +default_php="7.3" + +#----------------------------------------------------------------------------------------- +msgSuccess "\n--- Installing PHP v${default_php}" +#----------------------------------------------------------------------------------------- +! [[ -z $(which php) ]] && msgError "Already installed..." && exit 1 + +# Create runtime directory +[[ -d /var/run/php ]] || mkdir -p /var/run/php +[[ -d /run/php ]] || mkdir -p /run/php + +# Install packages +#----------------------------------------------------------------------------------------- +# apt-key adv --recv-keys --keyserver keyserver.ubuntu.com E5267A6C +curl -sS https://packages.sury.org/php/apt.gpg | apt-key add - &>${logInstall} +cat > /etc/apt/sources.list.d/php.list <${logInstall} + +# PHP v7.3 +apt -y install php7.3-{bcmath,cgi,cli,common,curl,fpm,gd,gmp,imap,intl,json,ldap,mbstring,mysql} \ +php7.3-{opcache,pgsql,readline,soap,sqlite3,xml,xmlrpc,zip,zip} php7.3 php7.3-imagick php-pear &>${logInstall} +find /etc/php/7.3/. 
-name 'php.ini' -exec bash -c 'crudini --set "$0" "PHP" "zend_extension" "/usr/share/ioncube/ioncube_loader_lin_7.3.so"' {} \; +crudini --set /etc/php/7.3/fpm/pool.d/www.conf 'www' 'listen' '/var/run/php/php7.3-fpm.sock' +phpenmod curl opcache imagick fileinfo && systemctl restart php7.3-fpm + +# Required package for all php version +apt -yq install composer gettext gamin mcrypt imagemagick aspell graphviz php-mailparse &>${logInstall} + +# PHP development packages +#----------------------------------------------------------------------------------------- +msgInfo "Downloading PHP development packages..." +curl -L# "https://git.io/vN3Ff" -o /usr/local/bin/wp +curl -L# "https://git.io/fAFyN" -o /usr/local/bin/phpcs +curl -L# "https://git.io/fAFyb" -o /usr/local/bin/phpcbf +curl -L# "https://cs.sensiolabs.org/download/php-cs-fixer-v2.phar" -o /usr/local/bin/php-cs-fixer +chmod +x /usr/local/bin/* && chown root:root /usr/local/bin/* + +# Configure packages +#----------------------------------------------------------------------------------------- +msgSuccess "\n--- Configuring PHP v${default_php}" +find /etc/php/. -name 'php.ini' -exec bash -c 'crudini --set "$0" "PHP" "date.timezone" "Asia/Jakarta"' {} \; +find /etc/php/. -name 'php.ini' -exec bash -c 'crudini --set "$0" "PHP" "upload_max_filesize" "32M"' {} \; +find /etc/php/. -name 'php.ini' -exec bash -c 'crudini --set "$0" "PHP" "max_execution_time" "300"' {} \; +find /etc/php/. -name 'php.ini' -exec bash -c 'crudini --set "$0" "PHP" "max_input_time" "300"' {} \; +find /etc/php/. -name 'php.ini' -exec bash -c 'crudini --set "$0" "PHP" "post_max_size" "16M"' {} \; +find /etc/php/. -name 'php.ini' -exec bash -c 'crudini --set "$0" "PHP" "display_errors" "Off"' {} \; +find /etc/php/. -name 'php.ini' -exec bash -c 'crudini --set "$0" "PHP" "cgi.fix_pathinfo" "0"' {} \; +find /etc/php/. -name 'php.ini' -exec bash -c 'crudini --set "$0" "PHP" "memory_limit" "256M"' {} \; +find /etc/php/. 
-name 'php.ini' -exec bash -c 'crudini --set "$0" "PHP" "expose_php" "Off"' {} \; +find /etc/php/. -name 'www.conf' -exec bash -c 'crudini --set "$0" "www" "pm" "ondemand"' {} \; +find /etc/php/. -name 'www.conf' -exec bash -c 'crudini --set "$0" "www" "pm.max_children" "32"' {} \; +find /etc/php/. -name 'www.conf' -exec bash -c 'crudini --set "$0" "www" "pm.start_servers" "2"' {} \; +find /etc/php/. -name 'www.conf' -exec bash -c 'crudini --set "$0" "www" "pm.min_spare_servers" "4"' {} \; +find /etc/php/. -name 'www.conf' -exec bash -c 'crudini --set "$0" "www" "pm.max_spare_servers" "8"' {} \; +find /etc/php/. -name 'www.conf' -exec bash -c 'crudini --set "$0" "www" "pm.max_requests" "256"' {} \; +find /etc/php/. -name 'www.conf' -exec bash -c 'crudini --set "$0" "www" "pm.process_idle_timeout" "5s"' {} \; +find /etc/php/. -name 'www.conf' -exec bash -c 'crudini --set "$0" "www" "pm.status_path" "/status"' {} \; +find /etc/php/. -name 'www.conf' -exec bash -c 'crudini --set "$0" "www" "listen.owner" "webmaster"' {} \; +find /etc/php/. -name 'www.conf' -exec bash -c 'crudini --set "$0" "www" "listen.group" "webmaster"' {} \; +find /etc/php/. -name 'www.conf' -exec bash -c 'crudini --set "$0" "www" "user" "webmaster"' {} \; +find /etc/php/. 
-name 'www.conf' -exec bash -c 'crudini --set "$0" "www" "group" "webmaster"' {} \; +systemctl restart php7.3-fpm + +# [[ "${install_php_73,,}" =~ ^(yes|y)$ ]] && systemctl restart php7.3-fpm +# [[ "${install_php_72,,}" =~ ^(yes|y)$ ]] && systemctl restart php7.2-fpm +# [[ "${install_php_56,,}" =~ ^(yes|y)$ ]] && systemctl restart php5.6-fpm + +# Set default PHP version +#----------------------------------------------------------------------------------------- +msgInfo "Set default PHP to v${default_php}" +update-alternatives --set php /usr/bin/php$default_php >/dev/null 2>&1 +update-alternatives --set phar /usr/bin/phar$default_php >/dev/null 2>&1 +update-alternatives --set phar.phar /usr/bin/phar.phar$default_php >/dev/null 2>&1 + +# Default PHP-FPM on Nginx configuration +#----------------------------------------------------------------------------------------- +cat /etc/nginx/stubs/default.php > /usr/share/nginx/html/index.php +cat /etc/nginx/templates/default-php.conf > /etc/nginx/conf.d/default.conf +sed -i "s/HOSTNAME/$(hostname -f)/" /etc/nginx/conf.d/default.conf +sed -i "s/IPADDRESS/$(curl -s ifconfig.me)/" /etc/nginx/conf.d/default.conf + +if [ -d "/etc/letsencrypt/live/$(hostname -f)" ]; then + sed -i "s/# listen/listen/" /etc/nginx/conf.d/default.conf + sed -i "s/# ssl_certificate/ssl_certificate/" /etc/nginx/conf.d/default.conf + sed -i "s/# ssl_certificate_key/ssl_certificate_key/" /etc/nginx/conf.d/default.conf +fi + +find /etc/nginx/templates/ -type f -exec sed -i "s/php.*.-fpm/php\/php${default_php}-fpm/g" {} + +sed -i "s/php.*.-fpm/php\/php${default_php}-fpm/g" /etc/nginx/conf.d/default.conf +systemctl restart nginx diff --git a/install/debian/phpmyadmin.sh b/install/debian/phpmyadmin.sh new file mode 100644 index 0000000..261a795 --- /dev/null +++ b/install/debian/phpmyadmin.sh 
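Review bot: `chmod +x /usr/local/bin/* && chown root:root /usr/local/bin/*` changes the mode and owner of every file in /usr/local/bin, not only the four tools fetched just above it; naming them explicitly, `chmod +x /usr/local/bin/{wp,phpcs,phpcbf,php-cs-fixer} && chown root:root /usr/local/bin/{wp,phpcs,phpcbf,php-cs-fixer}`, limits the change to what this script installed. Those four executables are fetched through `git.io` shortener links and an unpinned phar URL with no checksum before being made executable for root, which at least deserves a comment on why no integrity check is done. The ioncube `zend_extension` path is written into every php.ini under /etc/php/7.3 although nothing in this commit installs the loader, so PHP will log a failed extension load unless it is provided elsewhere. As a matter of style, the roughly twenty `find /etc/php/. -name ... -exec bash -c 'crudini --set "$0" ...' {} \;` lines wrap crudini in an unnecessary `bash -c` (find can pass `{}` to crudini directly) and would read far better through one small helper, sketched below; the behaviour is intended to be identical.
```shell
# Apply one ini setting to every matching file under /etc/php (all PHP versions).
phpini_set() {  # $1 = file name, $2 = section, $3 = key, $4 = value
  find /etc/php/. -name "$1" -exec crudini --set {} "$2" "$3" "$4" \;
}
phpini_set php.ini PHP date.timezone Asia/Jakarta
phpini_set php.ini PHP upload_max_filesize 32M
# … remaining php.ini and www.conf settings follow the same pattern …
```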
@@ -0,0 +1,32 @@ +#!/bin/bash +if [[ $EUID -ne 0 ]]; then echo 'This script must be run as root' ; exit 1 ; fi +[ -z $ROOTDIR ] && PWD=$(dirname `dirname $(dirname $(readlink -f $0))`) || PWD=$ROOTDIR +source "$PWD/common.sh" + +#----------------------------------------------------------------------------------------- +msgSuccess "\n--- Installing phpMyAdmin" +#----------------------------------------------------------------------------------------- +[[ ! -d /var/www/myadmin ]] || rm -fr /var/www/myadmin + +pmaUrl="https://phpmyadmin.net/downloads/phpMyAdmin-latest-english.zip" +curl -fsSL ${pmaUrl} | bsdtar -xvf- -C /tmp &>${logInstall} +mv /tmp/phpMyAdmin*english /var/www/myadmin + +cat > /var/www/myadmin/config.inc.php < /etc/apt/sources.list +sed -i "s/CODENAME/$(lsb_release -cs)/" /etc/apt/sources.list +rm -fr /etc/apt/sources.list.d/* + +# -mmin -360 finds files that have a change time in the last 6 hours. +# You can use -mtime if you care about longer times (days). +if [ -z "$(find -H /var/lib/apt/lists -maxdepth 0 -mtime -60)" ]; then + msgInfo "\nUpdating base system packages..." + pkgUpgrade +else + apt update -yqq &>${logInstall} +fi + +# Install core packages +#----------------------------------------------------------------------------------------- +msgInfo "Installing essential packages.." +apt -yq install screen elinks lsof net-tools dirmngr gnupg debconf-utils build-essential gcc make \ +cmake whois rsync dh-autoreconf screenfetch jpegoptim optipng apache2-utils sshpass xsel \ +pv libpq-dev python3 python3-dev python3-wheel python3-pip python3-setuptools python3-venv \ +python3-virtualenv python3-psycopg2 virtualenv ansible &>${logInstall} diff --git a/install/ubuntu/httpd.sh b/install/ubuntu/httpd.sh new file mode 100644 index 0000000..9c042c6 --- /dev/null +++ b/install/ubuntu/httpd.sh 
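Review bot: The archive is unpacked into the shared, world-writable `/tmp` and then picked up by a glob, `mv /tmp/phpMyAdmin*english /var/www/myadmin`, so whichever directory happens to match that pattern first — including one left or planted there by another local account — is what ends up served from /var/www/myadmin. Extracting into a private directory removes the ambiguity: `tmpdir=$(mktemp -d) ; curl -fsSL "${pmaUrl}" | bsdtar -xf- -C "$tmpdir"` followed by `mv "$tmpdir"/phpMyAdmin*english /var/www/myadmin ; rm -rf -- "$tmpdir"`. The zip is also installed without any integrity check even though the project publishes checksums and signatures for its releases, which is worth a comment or a verification step. The `cat > /var/www/myadmin/config.inc.php <` heredoc appears truncated in this view and runs into the next file's content, so the generated configuration (and whatever secret it sets) could not be reviewed here.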
@@ -0,0 +1,17 @@
+#!/bin/bash
+if [[ $EUID -ne 0 ]]; then echo 'This script must be run as root' ; exit 1 ; fi
+
+# Determine root directory
+[ -z $ROOTDIR ] && PWD=$(dirname `dirname $(dirname $(readlink -f $0))`) || PWD=$ROOTDIR
+
+# Common global variables
+source "$PWD/common.sh"
+
+# Determine os codename
+osver=`echo ${osVersion} | tr '[:upper:]' '[:lower:]'`
+
+#-----------------------------------------------------------------------------------------
+msgSuccess "\n--- Installing Apache HTTPd"
+#-----------------------------------------------------------------------------------------
+# LC_ALL=C.UTF-8 add-apt-repository -y ppa:ondrej/apache2 && apt -y full-upgrade
+apt -y install apache2 apache2-utils
diff --git a/installer/00-repo.sh b/installer/00-repo.sh
deleted file mode 100644
index 176f4a4..0000000
--- a/installer/00-repo.sh
+++ /dev/null
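Review bot: This script omits the `Already installed...` guard that every sibling installer in install/debian uses and runs `apt -y install apache2 apache2-utils` without the `-q`/`&>${logInstall}` redirection the others apply, so a second run reinstalls and its output goes to the terminal; `! [[ -z $(which apache2) ]] && msgError "Already installed..." && exit 1` before the install keeps it consistent. `osver` is assigned and never used in this file and can be dropped.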
@@ -1,29 +0,0 @@ -#!/usr/bin/env bash - -if [[ $EUID -ne 0 ]]; then echo -e 'This script must be run as root' ; exit 1 ; fi - -# country=`cat /tmp/country` -# if [ "$country" == "ID" ] ; then -# echo "deb http://kebo.pens.ac.id/debian `lsb_release -cs` main contrib non-free" > /etc/apt/sources.list -# echo "deb http://kebo.pens.ac.id/debian `lsb_release -cs`-updates main contrib non-free" >> /etc/apt/sources.list -# elif [ "$country" == "SG" ] ; then -# echo "deb http://ftp.sg.debian.org/debian `lsb_release -cs` main contrib non-free" > /etc/apt/sources.list -# echo "deb http://ftp.sg.debian.org/debian `lsb_release -cs`-updates main contrib non-free" >> /etc/apt/sources.list -# else -# echo "deb http://mirror.0x.sg/debian `lsb_release -cs` main contrib non-free" > /etc/apt/sources.list -# echo "deb http://mirror.0x.sg/debian `lsb_release -cs`-updates main contrib non-free" >> /etc/apt/sources.list -# fi -# echo "deb http://debian-archive.trafficmanager.net/debian-security `lsb_release -cs`/updates main contrib non-free" >> /etc/apt/sources.list - -cat > /etc/apt/sources.list < /etc/apt/sources.list.d/mariadb.list -apt-key adv --recv-keys --keyserver keyserver.ubuntu.com C74CD1D8 #MariaDB - -debconf-set-selections <<< "mysql-server mysql-server/root_password password $rootdbpass" -debconf-set-selections <<< "mysql-server mysql-server/root_password_again password $rootdbpass" - -apt update ; apt -y install mariadb-server mariadb-client - -#----------------------------------------------------------------------------------------- -# 02 - Configuring MySQL -#----------------------------------------------------------------------------------------- -sed -i "s/skip-external-locking//" /etc/mysql/my.cnf -mysql -uroot -p$rootdbpass -e "UPDATE mysql.user SET plugin='' WHERE User='root';" -crudini --set /etc/mysql/conf.d/mariadb.cnf 'mysqld' 'bind-address' $bind_address -crudini --set /etc/mysql/conf.d/mysql.cnf 'mysql' 'host' $bind_address -crudini --set 
/etc/mysql/conf.d/mysql.cnf 'mysql' 'password' $rootdbpass -crudini --set /etc/mysql/conf.d/mysql.cnf 'mysql' 'user' 'root' - -crudini --set /etc/mysql/conf.d/mysql.cnf 'mysqldump' 'host' $bind_address -crudini --set /etc/mysql/conf.d/mysql.cnf 'mysqldump' 'password' $rootdbpass -crudini --set /etc/mysql/conf.d/mysql.cnf 'mysqldump' 'user' 'root' diff --git a/installer/03-webserver.sh b/installer/03-webserver.sh deleted file mode 100644 index 6db4a40..0000000 --- a/installer/03-webserver.sh +++ /dev/null 
@@ -1,107 +0,0 @@ -#!/usr/bin/env bash - -CURRENT=$(dirname "$(readlink -f "$0")") -PARENT=$(dirname "$CURRENT") - -if [[ $EUID -ne 0 ]]; then echo -e 'This script must be run as root' ; exit 1 ; fi - -function getbin(){ - curl -L# $1 -o $2 - chmod a+x $2 -} - -#----------------------------------------------------------------------------------------- -# Setup Repositories -#----------------------------------------------------------------------------------------- -echo "deb https://nginx.org/packages/debian/ `lsb_release -cs` nginx" > /etc/apt/sources.list.d/nginx.list -curl -sS https://nginx.org/keys/nginx_signing.key | apt-key add - - -echo "deb https://packages.sury.xyz/php/ `lsb_release -cs` main" > /etc/apt/sources.list.d/sury-php.list -curl -sS https://packages.sury.xyz/php/apt.gpg | apt-key add - - -#----------------------------------------------------------------------------------------- -# Installing Packages -#----------------------------------------------------------------------------------------- -apt update ; apt -y install haveged nmap nikto xmlstarlet {libpng,libssl,libffi}-dev \ -libarchive-tools libimage-exiftool-perl speedtest-cli gamin mcrypt imagemagick \ -gettext optipng jpegoptim sqlite3 php-{imagick,pear} php7.3 php7.3-{common,cli,cgi} \ -php7.3-{fpm,bcmath,mbstring,opcache,json,gmp,readline,zip,sqlite3,intl,xml,xmlrpc} \ -php7.3-{curl,zip,mysql,pgsql,imap,gd} nginx composer - -# Extra Packages -getbin https://dl.eff.org/certbot-auto /usr/bin/certbot -getbin https://git.io/vN3Ff /usr/bin/wp -getbin https://git.io/fAFyN /usr/bin/phpcs -getbin https://git.io/fAFyb /usr/bin/phpcbf -getbin https://cs.sensiolabs.org/download/php-cs-fixer-v2.phar /usr/bin/php-cs-fixer - -# Configure php-fpm -crudini --set /etc/php/7.3/fpm/php-fpm.conf 'www' 'listen' '/var/run/php/php73-fpm.sock' -phpenmod curl opcache imagick fileinfo && systemctl restart php7.3-fpm - -# Configure PHP-FPM -echo -e "Configuring PHP-FPM" -source $ROOT/snippets/phpconfig.sh - 
-#----------------------------------------------------------------------------------------- -# Installing phpMyAdmin -#----------------------------------------------------------------------------------------- -mkdir -p /var/www -PMA_DIR="/var/www/myadmin" - -if [ ! -d $PMA_DIR ]; then -curl -fsSL https://www.phpmyadmin.net/downloads/phpMyAdmin-latest-english.zip | bsdtar -xvf- -mv $PWD/phpMyAdmin*-english $PMA_DIR - -chmod -R 755 $PMA_DIR -find $PMA_DIR/. -type d -exec chmod 0777 {} \; -find $PMA_DIR/. -type f -exec chmod 0644 {} \; -chown -R www-data: $PMA_DIR - -cat > $PMA_DIR/config.inc.php < /etc/apt/sources.list.d/nodejs.list -curl -sS https://deb.nodesource.com/gpgkey/nodesource.gpg.key | apt-key add - - -echo 'deb https://dl.yarnpkg.com/debian/ stable main' > /etc/apt/sources.list.d/yarn.list -curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | sudo apt-key add - - -apt update && apt -y install nodejs yarn diff --git a/installer/05-postgres.sh b/installer/05-postgres.sh deleted file mode 100644 index 7a232e7..0000000 --- a/installer/05-postgres.sh +++ /dev/null @@ -1,11 +0,0 @@ -#!/usr/bin/env bash - -if [[ $EUID -ne 0 ]]; then echo -e 'This script must be run as root' ; exit 1 ; fi - - -curl -sS https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add - -echo "deb https://apt.postgresql.org/pub/repos/apt/ `lsb_release -cs`-pgdg main" > /etc/apt/sources.list.d/pgsql.list - -apt update ; apt -y install postgresql-{10,client-10} - -sudo -u postgres psql -c "ALTER USER postgres PASSWORD '`cat /tmp/db_bindaddr`'" diff --git a/installer/06-ftpserver.sh b/installer/06-ftpserver.sh deleted file mode 100644 index 2e51744..0000000 --- a/installer/06-ftpserver.sh +++ /dev/null 
@@ -1,34 +0,0 @@ -#!/usr/bin/env bash - -if [[ $EUID -ne 0 ]]; then echo -e 'This script must be run as root' ; exit 1 ; fi - -#----------------------------------------------------------------------------------------- -# Install ProFTPd -#----------------------------------------------------------------------------------------- - -debconf-set-selections <<< "iptables-persistent iptables-persistent/autosave_v4 boolean true" -debconf-set-selections <<< "iptables-persistent iptables-persistent/autosave_v6 boolean true" -apt update ; apt -y install proftpd-mod-mysql iptables iptables-persistent - -#----------------------------------------------------------------------------------------- -# Configure ProFTPd -#----------------------------------------------------------------------------------------- -[[ $(cat /etc/group | grep -c ftpgroup) -eq 1 ]] || groupadd -g 2001 ftpgroup -[[ $(cat /etc/passwd | grep -c ftpuser) -eq 1 ]] || useradd -u 2001 -s /bin/false -d /bin/null -g ftpgroup ftpuser - -iptables -A INPUT -p tcp -m tcp --dport 50000:50100 -j ACCEPT -netfilter-persistent save -netfilter-persistent reload - -curl -L# https://2ton.com.au/dhparam/2048 -o /etc/ssl/private/proftpd-dhparam.pem -openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/proftpd.key -out /etc/ssl/certs/proftpd.crt -subj "/CN=$(hostname -f)" -chmod 0600 /etc/ssl/private/proftpd.key -chmod 0640 /etc/ssl/private/proftpd.key - -rm -fr /etc/proftpd -cp -r $PWD/config/proftpd /etc -chown -R root: /etc/proftpd -sed -i "s/DB_NAME/$(cat /tmp/ecp_dbname)/" /etc/proftpd/conf.d/sql.conf -sed -i "s/DB_PASS/$(cat /tmp/ecp_dbpass)/" /etc/proftpd/conf.d/sql.conf -sed -i "s/DB_HOST/$(cat /tmp/db_bindaddr)/" /etc/proftpd/conf.d/sql.conf -systemctl restart proftpd diff --git a/installer/07-powerdns.sh b/installer/07-powerdns.sh deleted file mode 100644 index c2cff32..0000000 --- a/installer/07-powerdns.sh +++ /dev/null 
@@ -1,34 +0,0 @@ -#!/usr/bin/env bash - -if [[ $EUID -ne 0 ]]; then echo -e 'This script must be run as root' ; exit 1 ; fi - -#----------------------------------------------------------------------------------------- -# Install PowerDNS Authorative -#----------------------------------------------------------------------------------------- - -echo -e "Package: pdns-*\nPin: origin repo.powerdns.com\nPin-Priority: 600" > /etc/apt/preferences.d/pdns -echo "deb [arch=amd64] https://repo.powerdns.com/debian `lsb_release -cs`-auth-41 main" > /etc/apt/sources.list.d/pdns.list -curl -sS https://repo.powerdns.com/FD380FBB-pub.asc | apt-key add - - -debconf-set-selections <<< "pdns-backend-mysql pdns-backend-mysql/dbconfig-install boolean false" - -apt update ; apt -y install pdns-{server,backend-mysql} - - -#----------------------------------------------------------------------------------------- -# Configure PowerDNS Authorative -#----------------------------------------------------------------------------------------- - -CP_DB_NAME=`cat /tmp/ecp_dbname` -CP_DB_PASS=`cat /tmp/ecp_dbpass` -DB_BINDADR=`cat /tmp/db_bindaddr` - -rm -fr /etc/powerdns ; cp -r $PWD/config/powerdns /etc ; chown -R root: /etc/powerdns -crudini --set /etc/powerdns/pdns.d/pdns.local.conf '' 'gmysql-host' $DB_BINDADR -crudini --set /etc/powerdns/pdns.d/pdns.local.conf '' 'gmysql-user' $CP_DB_NAME -crudini --set /etc/powerdns/pdns.d/pdns.local.conf '' 'gmysql-dbname' $CP_DB_NAME -crudini --set /etc/powerdns/pdns.d/pdns.local.conf '' 'gmysql-password' $CP_DB_PASS -crudini --set /etc/powerdns/pdns.conf '' 'webserver-password' $(pwgen -1 12) -crudini --set /etc/powerdns/pdns.conf '' 'api-key' $(pwgen -1 24) -crudini --set /etc/powerdns/pdns.conf '' 'launch' 'gmysql' -systemctl restart pdns diff --git a/installer/08-rediscache.sh b/installer/08-rediscache.sh deleted file mode 100644 index 86b0b88..0000000 --- a/installer/08-rediscache.sh +++ /dev/null 
@@ -1,20 +0,0 @@ -#!/usr/bin/env bash - -if [[ $EUID -ne 0 ]]; then echo -e 'This script must be run as root' ; exit 1 ; fi - -apt update ; apt install -y sysfsutils redis-{server,tools} -echo 'kernel/mm/transparent_hugepage/enabled = never' > /etc/sysfs.conf -echo 'kernel/mm/transparent_hugepage/defrag = never' >> /etc/sysfs.conf -echo never > /sys/kernel/mm/transparent_hugepage/enabled -echo never > /sys/kernel/mm/transparent_hugepage/defrag - -crudini --set /etc/sysctl.conf '' 'vm.overcommit_memory' '1' -crudini --set /etc/sysctl.conf '' 'net.core.somaxconn' '512' -echo 512 > /proc/sys/net/core/somaxconn -mkdir -p /var/run/redis - -sed -i "s/supervised no/supervised systemd/" /etc/redis/redis.conf -sed -i "s/# maxmemory-policy noeviction/maxmemory-policy allkeys-lru/" /etc/redis/redis.conf -sed -i "s/# maxmemory /maxmemory 256mb/" /etc/redis/redis.conf -sed -i "s|\("^bind" * *\).*|\1$(cat /tmp/db_bindaddr)|" /etc/redis/redis.conf -systemctl restart redis-server diff --git a/installer/09-mailserver.sh b/installer/09-mailserver.sh deleted file mode 100644 index 60b814e..0000000 --- a/installer/09-mailserver.sh +++ /dev/null 
@@ -1,44 +0,0 @@ -#!/usr/bin/env bash - -if [[ $EUID -ne 0 ]]; then echo -e 'This script must be run as root' ; exit 1 ; fi - -apt update ; apt -y install postfix postfix-mysql ; systemctl enable --now postfix - -postconf virtual_mailbox_domains=mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf -postconf virtual_mailbox_maps=mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf -postconf virtual_alias_domains=mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf -postconf virtual_alias_maps=mysql:/etc/postfix/mysql-virtual-alias-maps.cf,mysql:/etc/postfix/mysql-email2email.cf - -cat > /etc/postfix/mysql-virtual-mailbox-domains.cf < /etc/postfix/mysql-virtual-mailbox-maps.cf < /etc/postfix/mysql-virtual-alias-maps.cf < /etc/postfix/mysql-email2email.cf < /etc/sshnotify.conf - echo "BOTKEY='$tg_botkey'" >> /etc/sshnotify.conf - chmod a+x /etc/profile.d/sshnotify -fi diff --git a/installer/92-ngamplify.sh b/installer/92-ngamplify.sh deleted file mode 100644 index 9ffd3af..0000000 --- a/installer/92-ngamplify.sh +++ /dev/null 
@@ -1,23 +0,0 @@
-#!/usr/bin/env bash
-
-if [[ $EUID -ne 0 ]]; then echo -e 'This script must be run as root' ; exit 1 ; fi
-
-# Nginx Amplify
-read -e -p "Install Amplify (y/n) : " -i "n" answer
-if [ "$answer" != "${answer#[Yy]}" ] ;then
- read -e -p "Nginx Amplify Key : " -i "" amplify_key
- if [ "$amplify_key" != "" ] ;then
- echo $amplify_key > /tmp/amplify_key
- fi
-fi
-
-API_KEY=`cat /tmp/amplify_key` bash <(curl -sLo- https://git.io/fNWVx)
-crudini --set /etc/amplify-agent/agent.conf 'listener_syslog-default' '​address' '127.0.0.1:13579'
-crudini --set /etc/amplify-agent/agent.conf 'mysql' 'unix_socket' '/var/run/mysqld/mysqld.sock'
-crudini --set /etc/amplify-agent/agent.conf 'mysql' 'user' 'root'
-crudini --set /etc/amplify-agent/agent.conf 'mysql' 'password' `cat /tmp/rootdbpass`
-crudini --set /etc/amplify-agent/agent.conf 'credentials' 'hostname' `hostname -f`
-crudini --set /etc/amplify-agent/agent.conf 'extensions' 'phpfpm' 'True'
-crudini --set /etc/amplify-agent/agent.conf 'extensions' 'mysql' 'True'
-mv /etc/nginx/conf.d/stub_status.{conf-disable,conf}
-systemctl restart amplify-agent
diff --git a/installer/powerdns.sql b/installer/powerdns.sql
deleted file mode 100644
index e38ceab..0000000
--- a/installer/powerdns.sql
+++ /dev/null
@@ -1,222 +0,0 @@ -SET FOREIGN_KEY_CHECKS=0; - --- --- PowerDNS Schemas --- - -DROP TABLE IF EXISTS domains; -CREATE TABLE domains ( - id INT AUTO_INCREMENT, - name VARCHAR(255) NOT NULL, - master VARCHAR(128) DEFAULT NULL, - last_check INT DEFAULT NULL, - type VARCHAR(6) NOT NULL, - notified_serial INT UNSIGNED DEFAULT NULL, - account VARCHAR(40) CHARACTER SET 'utf8' DEFAULT NULL, - PRIMARY KEY (id) -) Engine=InnoDB; - -CREATE UNIQUE INDEX name_index ON domains(name); - -DROP TABLE IF EXISTS recordtype; -CREATE TABLE recordtype ( - name varchar(10) NOT NULL, - description text, - enable boolean DEFAULT false -) ENGINE=InnoDB; - -INSERT INTO `recordtype` (name, enable, description) VALUES -('A', true, 'The A record contains an IP address'), -('AAAA', true, 'The AAAA record contains an IPv6 address'), -('AFSDB', false, 'A specialised rerecordtypeord type for the Andrew Filesystem'), -('ALIAS', true, 'The ALIAS pseudorecordtyperecord type is supported to provide CNAME-like mechanisms on a zone apex'), -('CAA', false, 'The Certificatiorecordtype Authority Authorization record, specified in RFC 6844, is used to specify Certificate Authorities that may issue certificates for a domain'), -('CERT', false, 'Specialised recorecordtyped type for storing certificates, defined in RFC 2538'), -('CDNSKEY', false, 'The CDNSKEY (Chirecordtyped DNSKEY) type is supported'), -('CDS', false, 'The CDS (Child Drecordtype) type is supported'), -('CNAME', true, 'The CNAME recordrecordtypespecifies the canonical name of a record'), -('DNSKEY', true, 'The DNSKEY DNSSErecordtype record type is fully supported, as described in RFC 4034'), -('DNAME', false, 'The DNAME recordrecordtype as specified in RFC 6672 is supported'), -('DS', true, 'The DS DNSSEC rerecordtypeord type is fully supported, as described in RFC 4034'), -('HINFO', false, 'Hardware Info record, used to specify CPU and operating system'), -('KEY', false, 'The KEY record is fully supported. 
For its syntax, see RFC 2535'), -('LOC', false, 'The LOC record is fully supported. For its syntax, see RFC 1876'), -('MX', true, 'The MX record specifies a mail exchanger host for a domain'), -('NAPTR', false, 'Naming Authority Pointer, RFC 2915'), -('NS', true, 'Nameserver record. Specifies nameservers for a domain'), -('NSEC', false, 'The NSEC, NSEC3 and NSEC3PARAM DNSSEC record type are fully supported, as described in RFC 4034'), -('NSEC3', false, 'The NSEC, NSEC3 and NSEC3PARAM DNSSEC record type are fully supported, as described in RFC 4034'), -('NSEC3PARAM', false, 'The NSEC, NSEC3 and NSEC3PARAM DNSSEC record type are fully supported, as described in RFC 4034'), -('OPENPGPKEY', false, 'The OPENPGPKEY records, specified in RFC 7929, are used to bind OpenPGP certificates to email addresses'), -('PTR', true, 'Reverse pointer, used to specify the host name belonging to an IP or IPv6 address'), -('RP', false, 'Responsible Person record, as described in RFC 1183'), -('RRSIG', true, 'The RRSIG DNSSEC record type is fully supported, as described in RFC 4034'), -('SOA', true, 'The Start of Authority record is one of the most complex available'), -('SPF', true, 'SPF records can be used to store Sender Policy Framework details (RFC 4408)'), -('SSHFP', false, 'The SSHFP record type, used for storing Secure Shell (SSH) fingerprints, is fully supported'), -('SRV', true, 'SRV records can be used to encode the location and port of services on a domain name'), -('TKEY', true, 'The TKEY (RFC 2930) and TSIG records (RFC 2845), used for key-exchange and authenticated AXFRs'), -('TSIG', true, 'The TKEY (RFC 2930) and TSIG records (RFC 2845), used for key-exchange and authenticated AXFRs'), -('TLSA', false, 'Since 3.0. The TLSA records, specified in RFC 6698, are used to bind SSL/TLS certificate to named hosts and ports'), -('SMIMEA', false, 'Since 4.1. 
The SMIMEA record type, specified in RFC 8162, is used to bind S/MIME certificates to domains'), -('TXT', true, 'The TXT field can be used to attach textual data to a domain. Text is stored plainly, PowerDNS understands content not enclosed in quotes'), -('URI', true, 'The URI record, specified in RFC 7553, is used to publish mappings from hostnames to URIs'); - -ALTER TABLE `recordtype` ADD PRIMARY KEY (`name`), ADD UNIQUE KEY `name_index` (`name`); - -DROP TABLE IF EXISTS records; -CREATE TABLE records ( - id BIGINT AUTO_INCREMENT, - domain_id INT DEFAULT NULL, - name VARCHAR(255) DEFAULT NULL, - type VARCHAR(10) NOT NULL, - content VARCHAR(64000) DEFAULT NULL, - ttl INT DEFAULT 3600, - prio INT DEFAULT NULL, - change_date INT DEFAULT NULL, - disabled TINYINT(1) DEFAULT 0, - ordername VARCHAR(255) BINARY DEFAULT NULL, - auth TINYINT(1) DEFAULT 1, - PRIMARY KEY (id) -) Engine=InnoDB; - -CREATE INDEX nametype_index ON records(name,type); -CREATE INDEX domain_id ON records(domain_id); -CREATE INDEX ordername ON records (ordername); -ALTER TABLE records ADD CONSTRAINT `records_ibfk_2` FOREIGN KEY (`type`) REFERENCES `recordtype` (`name`) ON DELETE CASCADE; - -DROP TABLE IF EXISTS supermasters; -CREATE TABLE supermasters ( - ip VARCHAR(64) NOT NULL, - nameserver VARCHAR(255) NOT NULL, - account VARCHAR(40) CHARACTER SET 'utf8' NOT NULL, - PRIMARY KEY (ip, nameserver) -) Engine=InnoDB; - -DROP TABLE IF EXISTS comments; -CREATE TABLE comments ( - id INT AUTO_INCREMENT, - domain_id INT NOT NULL, - name VARCHAR(255) NOT NULL, - type VARCHAR(10) NOT NULL, - modified_at INT NOT NULL, - account VARCHAR(40) CHARACTER SET 'utf8' DEFAULT NULL, - comment TEXT CHARACTER SET 'utf8' NOT NULL, - PRIMARY KEY (id) -) Engine=InnoDB; - -CREATE INDEX comments_name_type_idx ON comments (name, type); -CREATE INDEX comments_order_idx ON comments (domain_id, modified_at); - -DROP TABLE IF EXISTS domainmetadata; -CREATE TABLE domainmetadata ( - id INT AUTO_INCREMENT, - domain_id INT NOT NULL, 
- kind VARCHAR(32), - content TEXT, - PRIMARY KEY (id) -) Engine=InnoDB; - -CREATE INDEX domainmetadata_idx ON domainmetadata (domain_id, kind); - -DROP TABLE IF EXISTS cryptokeys; -CREATE TABLE cryptokeys ( - id INT AUTO_INCREMENT, - domain_id INT NOT NULL, - flags INT NOT NULL, - active BOOL, - content TEXT, - PRIMARY KEY(id) -) Engine=InnoDB; - -CREATE INDEX domainidindex ON cryptokeys(domain_id); - -DROP TABLE IF EXISTS tsigkeys; -CREATE TABLE tsigkeys ( - id INT AUTO_INCREMENT, - name VARCHAR(255), - algorithm VARCHAR(50), - secret VARCHAR(255), - PRIMARY KEY (id) -) Engine=InnoDB; - -CREATE UNIQUE INDEX namealgoindex ON tsigkeys(name, algorithm); - --- --- ProFTPd Schemas --- - -DROP TABLE IF EXISTS ftpgroup; -CREATE TABLE ftpgroup ( - groupname varchar(16) NOT NULL default '', - gid smallint(6) NOT NULL default '2001', - members varchar(16) NOT NULL default '', - KEY groupname (groupname) -) ENGINE=InnoDB; - -DROP TABLE IF EXISTS ftpquotalimits; -CREATE TABLE ftpquotalimits ( - name varchar(30) default NULL, - quota_type enum('user','group','class','all') NOT NULL default 'user', - per_session enum('false','true') NOT NULL default 'false', - limit_type enum('soft','hard') NOT NULL default 'soft', - bytes_in_avail bigint(20) unsigned NOT NULL default '0', - bytes_out_avail bigint(20) unsigned NOT NULL default '0', - bytes_xfer_avail bigint(20) unsigned NOT NULL default '0', - files_in_avail int(10) unsigned NOT NULL default '0', - files_out_avail int(10) unsigned NOT NULL default '0', - files_xfer_avail int(10) unsigned NOT NULL default '0' -) ENGINE=InnoDB; - -DROP TABLE IF EXISTS ftpquotatallies; -CREATE TABLE ftpquotatallies ( - name varchar(30) NOT NULL default '', - quota_type enum('user','group','class','all') NOT NULL default 'user', - bytes_in_used bigint(20) unsigned NOT NULL default '0', - bytes_out_used bigint(20) unsigned NOT NULL default '0', - bytes_xfer_used bigint(20) unsigned NOT NULL default '0', - files_in_used int(10) unsigned NOT NULL 
default '0', - files_out_used int(10) unsigned NOT NULL default '0', - files_xfer_used int(10) unsigned NOT NULL default '0' -) ENGINE=InnoDB; - -DROP TABLE IF EXISTS ftpuser; -CREATE TABLE ftpuser ( - id int(10) unsigned NOT NULL auto_increment, - userid varchar(32) NOT NULL default '', - passwd varchar(64) NOT NULL default '', - uid smallint(6) NOT NULL default '2001', - gid smallint(6) NOT NULL default '2001', - homedir varchar(255) NOT NULL default '', - shell varchar(16) NOT NULL default '/sbin/nologin', - count int(11) NOT NULL default '0', - accessed datetime NOT NULL default '0000-00-00 00:00:00', - modified datetime NOT NULL default '0000-00-00 00:00:00', - PRIMARY KEY (id), - UNIQUE KEY userid (userid) -) ENGINE=InnoDB; - --- --- Postfix Schemas --- - -CREATE TABLE `mail_users` ( - `id` int(11) NOT NULL auto_increment, - `domain_id` int(11) NOT NULL, - `password` varchar(106) NOT NULL, - `email` varchar(100) NOT NULL, - PRIMARY KEY (`id`), - UNIQUE KEY `email` (`email`), - FOREIGN KEY (domain_id) REFERENCES domains(id) ON DELETE CASCADE -) ENGINE=InnoDB DEFAULT CHARSET=utf8; - -CREATE TABLE `mail_aliases` ( - `id` int(11) NOT NULL auto_increment, - `domain_id` int(11) NOT NULL, - `source` varchar(100) NOT NULL, - `destination` varchar(100) NOT NULL, - PRIMARY KEY (`id`), - FOREIGN KEY (domain_id) REFERENCES domains(id) ON DELETE CASCADE -) ENGINE=InnoDB DEFAULT CHARSET=utf8; - -SET FOREIGN_KEY_CHECKS=1; diff --git a/license.txt b/license.txt new file mode 100644 index 0000000..7b17d73 --- /dev/null +++ b/license.txt 
@@ -0,0 +1,176 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS diff --git a/readme.md b/readme.md new file mode 100644 index 0000000..99cc2a4 --- /dev/null +++ b/readme.md 
@@ -0,0 +1,66 @@ +# Linux Stack Made Easy. + +The LEMP / LAMP software stack is a group of software that can be used to serve dynamic web pages +and web applications. This is an acronym that describes a Linux operating system with an Nginx or +Apache web server. The backend data is stored in the database engine such as MySQL or MariaDB and +or PostgreSQL as optional, and the dynamic processing is handled by PHP, Python, Nodejs, etc. + +## Prerequisites + +- A machine with a minimum of 1GB RAM and 20GB of storage. +- Fresh installation of supported OS distribution. + +### Supported Distribution + +- Debian 9 (stretch) +- Debian 10 (buster) +- Ubuntu 16.04 (xenial) +- Ubuntu 18.04 (bionic) +- Ubuntu 20.04 (focal) + +## Quick Start + +Run this command as root and follow the wizard: + +```sh +# Stable channel +bash <(curl -sLo- git.io/JfmGf || wget -qO- git.io/JfmGf) + +# Master branch +bash <(curl -sLo- git.io/JfmGf || wget -qO- git.io/JfmGf) --dev +``` + +If you prefer to run installation manually, you have clone this repo then run `setup.sh` as root. + +After finish, installation information stored at: `/root/stackup-info.log` + +### Installation notes in AWS + +AWS Lightsail doesn't use password by default for ssh authentication. You will need to download +SSH key from Lightsail management console. Also, AWS Lightsail use generated hostname for you +instance, you must change your instance hostname. + +```sh +ssh username@ip_address -i LightsailDefaultKey-zone.pem +``` + +### Port that needs to be opened + +| Protocol | Type | Port +| :---------| :-----| :--- +| HTTP | tcp | 80 +| HTTPS | tcp | 443 +| SSH | tcp | 22 (or, according to your configuration) +| FTP | tcp | 21 and 50000-50100 + +## License + +Copyright (c) 2018-2019 Aris Ripandi + +Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except +in compliance with the License. 
You may obtain a copy of the License at: + +Unless required by applicable law or agreed to in writing, software distributed under the License +is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express +or implied. See the License for the specific language governing permissions and limitations under +the License. diff --git a/scripts/mysql_create_db b/scripts/mysql_create_db deleted file mode 100644 index dbd82ad..0000000 --- a/scripts/mysql_create_db +++ /dev/null @@ -1,36 +0,0 @@ -#!/usr/bin/env bash - -if [[ $EUID -ne 0 ]]; then echo -e 'This script must be run as root' ; exit 1 ; fi - -# Database name and user -read -e -p "Database Name : " -i "auto" ask_db_name -if [ "$ask_db_name" == "auto" ] ;then - db_name=`pwgen -1 -A 12` -else - db_name=$ask_db_name -fi - -# Check if database already exist -RESULT=`mysqlshow -u root $db_name | grep -v Wildcard | grep -o $db_name` -if [ "$RESULT" == "$db_name" ]; then - echo "Database $db_name already exists!" - exit 0 -fi - -# Database password -read -e -p "Database Password : " -i "auto" ask_db_pass -if [ "$ask_db_pass" == "auto" ] ;then - db_pass=`pwgen -1 -A 12` -else - db_pass=$ask_db_name -fi - -read -e -p "Database Address : " -i "127.0.0.1" db_addr - -# Create database and user -mysql -uroot -e "CREATE DATABASE IF NOT EXISTS $db_name" -mysql -uroot -e "CREATE USER IF NOT EXISTS '$db_name'@'$db_addr' IDENTIFIED BY '$db_pass'" -mysql -uroot -e "GRANT ALL PRIVILEGES ON $db_name.* TO '$db_name'@'$db_addr'" -mysql -uroot -e "FLUSH PRIVILEGES" - -echo -e "\nDatabase $db_name created with username $db_name and password $db_pass\n" diff --git a/scripts/nginx_create_vhost b/scripts/nginx_create_vhost deleted file mode 100644 index 20d602b..0000000 --- a/scripts/nginx_create_vhost +++ /dev/null @@ -1,2 +0,0 @@ -#!/usr/bin/env bash - diff --git a/scripts/sshnotify b/scripts/sshnotify deleted file mode 100644 index bc6ae95..0000000 --- a/scripts/sshnotify +++ /dev/null 
@@ -1,23 +0,0 @@
-#!/usr/bin/env bash
-
-# Import credentials form config file
-. /etc/sshnotify.conf
-
-URL="https://api.telegram.org/bot${BOTKEY}/sendMessage"
-DATE="$(date "+%d %b %Y %H:%M")"
-
-if [ -n "$SSH_CLIENT" ]; then
- CLIENT_IP=$(echo $SSH_CLIENT | awk '{print $1}')
-
- SRV_HOSTNAME=$(hostname -f)
- SRV_IP=$(hostname -I | awk '{print $1}')
-
- IPINFO="https://ipinfo.io/${CLIENT_IP}"
-
- TEXT="User ${USER} logged in to *${SRV_HOSTNAME}* (*${SRV_IP}*)
-From: *${CLIENT_IP}*
-Date: ${DATE}
-User info: [${IPINFO}](${IPINFO})"
-
- curl -s -d "chat_id=${USERID}&text=${TEXT}&disable_web_page_preview=true&parse_mode=markdown" $URL > /dev/null
-fi
diff --git a/setup.sh b/setup.sh
old mode 100755
new mode 100644
index d2359f4..15583b9
--- a/setup.sh
+++ b/setup.sh
@@ -1,20 +1,129 @@
-#!/usr/bin/env bash
+#!/bin/bash
+if [[ $EUID -ne 0 ]]; then echo 'This script must be run as root' ; exit 1 ; fi
-PWD=$(dirname "$(readlink -f "$0")")
+# Define working directory
+ROOTDIR=$(dirname "$(readlink -f "$0")")
+CLONE_DIR=/usr/src/stackup
-if [[ $EUID -ne 0 ]]; then echo -e 'This script must be run as root' ; exit 1 ; fi
+if ! [ $(pwd) == $ROOTDIR ]; then
+ wget -qO /tmp/stackup-common.sh https://raw.githubusercontent.com/riipandi/stackup-shell/master/common.sh
+ source "/tmp/stackup-common.sh"
+else
+ source "$ROOTDIR/common.sh"
+fi
-apt update -qq
-apt -yqq full-upgrade
-apt -yqq install git curl
+#----------------------------------------------------------------------------------
+# StackUp Installation Script.
+#----------------------------------------------------------------------------------
-cd /usr/src
-rm -fr /usr/src/lempstack
-rm -fr /etc/apt/sources.list.d/*
+# Check OS support
+msgNotSupported() {
+ echo "$(tput setaf 1)"
+ echo "************************************************************"
+ echo "***** This distribution not supported by StackUp *****"
+ echo "************************************************************"
+ echo "$(tput sgr0)"
+}
-git clone https://github.com/riipandi/lempstack /usr/src/lempstack ; cd $_
+if ! [[ $osDistro == "Debian" || $osDistro == "Ubuntu" ]]; then
+ msgNotSupported && exit 1
+else
+ if [[ $osDistro == "Debian" && ! $osVersion =~ ^(stretch|buster)$ ]]; then
+ msgNotSupported && exit 1
+ elif [[ $osDistro == "Ubuntu" && ! $osVersion =~ ^(xenial|bionic|focal)$ ]]; then
+ msgNotSupported && exit 1
+ fi
+ msgContinue
+fi
-find . -type f -name '*.sh' -exec chmod +x {} \;
-find . -type f -name '.git*' -exec rm -fr {} \;
+# Preparing setup
+#----------------------------------------------------------------------------------
+cat > /etc/apt/apt.conf.d/99force-config <${logInstall}
+ apt -yq install nano sudo perl wget curl git zip unzip jq crudini bsdtar &>${logInstall}
+ apt -yq install openssl ca-certificates figlet dnsutils binutils net-tools &>${logInstall}
+ apt -yq install pwgen openssh-server htop &>${logInstall}
+fi
+
+# Clone setup file and begin instalation process
+#-----------------------------------------------------------------------------------------
+if [ ! -z "$1" ] && [ "$1" == "--dev" ]; then CHANNEL="dev" ; else CHANNEL="stable" ; fi
+
+if ! [ $(pwd) == $ROOTDIR ]; then
+ WORKDIR=$CLONE_DIR
+ [[ ! -d $WORKDIR ]] || rm -fr $WORKDIR && rm -fr /tmp/stackup-*
+ if [ $CHANNEL == "dev" ]; then
+ git clone https://github.com/riipandi/stackup-shell $WORKDIR
+ else
+ project="https://api.github.com/repos/riipandi/stackup-shell/releases/latest"
+ release=`curl -s $project | grep '"tag_name":' | sed -E 's/.*"([^"]+)".*/\1/'`
+ curl -fsSL https://github.com/riipandi/stackup-shell/archive/$release.zip | bsdtar -xvf- -C /tmp
+ version=`echo "${release/v/}"` ; mv /tmp/stackup-$version $WORKDIR
+ fi
+ find $WORKDIR/ -type f -name '.git*' -exec rm -fr {} \;
+else
+ WORKDIR=$ROOTDIR
+fi
+
+# Fix setup script permission
+find $WORKDIR/ -type f -name '*.py' -exec chmod +x {} \;
+find $WORKDIR/ -type f -name '*.sh' -exec chmod +x {} \;
+
+# Run setup wizard
+#----------------------------------------------------------------------------------
+msgSuccess "----------------------------------------------------------"
+msgSuccess "--- Starting StackUp installation wizard ---"
+msgSuccess "----------------------------------------------------------"
+[[ -f "$WORKDIR/config/stackup.ini" ]] || touch "$WORKDIR/config/stackup.ini"
+[[ -f "${logFile}" ]] || touch touch ${logFile}
+bash "$WORKDIR/install/common.sh"
+
+msgSuccess "\n You can choose between automatic installation or custom installation."
+msgSuccess " By default this script will install latest stable version of PHP FPM,"
+msgSuccess " MariaDB, Nodejs + Yarn, and Nginx mainline.\n"
+
+read -ep "Do you want to customize installation? y/n : " -i "n" answer
+if [[ "${answer,,}" =~ ^(yes|y)$ ]] ; then
+ bash "$WORKDIR/install/custom.sh"
+else
+ bash "$WORKDIR/install/essential.sh"
+fi
+
+# Ask to install utilities
+#----------------------------------------------------------------------------------
+if [ ! -f "/usr/local/bin/pkg-update" ]; then
+ echo && read -ep "Do you want to use StackUp utilities? y/n : " -i "y" answer
+ if [[ "${answer,,}" =~ ^(yes|y)$ ]] ; then
+ find $WORKDIR/toolkit/. -type f -name '*.sh' | while read f; do mv "$f" "${f%.sh}"; done
+ find $WORKDIR/toolkit/. -type f -exec chmod 0777 {} \;
+ cp $WORKDIR/toolkit/* /usr/local/bin/.
+ fi
+fi
+
+# Cleanup and display finish message
+#-----------------------------------------------------------------------------------------
+msgSuccess "\n--- Cleaning up installation" && pkgClean
+echo "$(tput setaf 1)"
+echo "***************************************************************"
+echo "***** Congratulation, installation has been finished! *****"
+echo "***************************************************************"
+echo "$(tput sgr0)"
+echo & cat ${logFile}
+echo & netstat -pltnu
diff --git a/snippets/helpers.sh b/snippets/helpers.sh
deleted file mode 100644
index 1bb52bc..0000000
--- a/snippets/helpers.sh
+++ /dev/null
@@ -1,11 +0,0 @@
-#!/usr/bin/env bash
-
-if [[ $EUID -ne 0 ]]; then echo -e 'This script must be run as root' ; exit 1 ; fi
-
-SetConfigSetup() {
- crudini --set $ROOT/install.ini $1 $2 $3
-}
-
-GetConfigSetup() {
- crudini --get $ROOT/install.ini $1 $2
-}
diff --git a/snippets/netconfig.sh b/snippets/netconfig.sh
deleted file mode 100644
index 24c7755..0000000
--- a/snippets/netconfig.sh
+++ /dev/null
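Review bot: `find $WORKDIR/toolkit/. -type f -exec chmod 0777 {} \;` followed by `cp $WORKDIR/toolkit/* /usr/local/bin/.` installs world-writable executables into root's PATH, so any local account can rewrite a tool that is later run with root privileges; `chmod 0755` is what this step needs. `[[ -f "${logFile}" ]] || touch touch ${logFile}` has a doubled `touch`, which creates a stray file named `touch` in the current directory in addition to the log. The bootstrap branch downloads `common.sh` to the fixed path `/tmp/stackup-common.sh` and sources it as root without checking that `wget` succeeded; `tmp=$(mktemp) || exit 1` and `wget -qO "$tmp" <same URL> || exit 1` before `source "$tmp"` would avoid executing a stale or foreign file left at a predictable path. In the stable branch `release` can be empty when the GitHub API call fails, and because the script never sets `set -e` the `curl`, `mv` and later `bash "$WORKDIR/install/common.sh"` steps then fail without stopping the run; `[[ -n $release ]] || exit 1` after the assignment would catch that. `echo & cat ${logFile}` backgrounds the `echo` instead of sequencing it, and `&&` (or a plain newline) looks intended there and on the `netstat` line.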
@@ -1,48 +0,0 @@ -#!/usr/bin/env bash - -if [[ $EUID -ne 0 ]]; then echo -e 'This script must be run as root' ; exit 1 ; fi - -# NTP Client -country=`crudini --get $ROOT/install.ini system country` -if [ $country != "ID" ] || [ $country != "SG" ] ; then - ntpdate -u pool.ntp.org -else - ntpdate -u 0.asia.pool.ntp.org -fi - -# Timezone -timedatectl set-timezone `crudini --get $ROOT/install.ini system timezone` - -## SSH Server -ssh_port=`crudini --get $ROOT/install.ini system ssh_port` -perl -pi -e 's#(.*sudo.*ALL=)(.*)#${1}(ALL) NOPASSWD:ALL#' /etc/sudoers -sed -i "s|\("^PubkeyAuthentication" * *\).*|\1yes|" /etc/ssh/sshd_config -sed -i "s|\("^ClientAliveInterval" * *\).*|\1600|" /etc/ssh/sshd_config -sed -i "s|\("^AllowTcpForwarding" * *\).*|\1yes|" /etc/ssh/sshd_config -sed -i "s|\("^ClientAliveCountMax" * *\).*|\13|" /etc/ssh/sshd_config -sed -i "s|\("^ListenAddress" * *\).*|\10.0.0.0|" /etc/ssh/sshd_config -sed -i "s|\("^PermitRootLogin" * *\).*|\1no|" /etc/ssh/sshd_config -sed -i "s|\("^PermitTunnel" * *\).*|\1yes|" /etc/ssh/sshd_config -sed -i "s|\("^StrictModes" * *\).*|\1yes|" /etc/ssh/sshd_config -sed -i "s/[#]*ListenAddress/ListenAddress/" /etc/ssh/sshd_config -sed -i "s/[#]*Port [0-9]*/Port $ssh_port/" /etc/ssh/sshd_config - -if [[ `crudini --get $ROOT/install.ini system disable_ipv6` == "yes" ]] ; then - echo -e "Disabling IPv6..." 
- sed -i "s/ListenAddress :://" /etc/ssh/sshd_config - sed -i "s/#precedence ::ffff:0:0\/96 100/precedence ::ffff:0:0\/96 100/" /etc/gai.conf - crudini --set /etc/sysctl.conf '' 'net.ipv6.conf.all.disable_ipv6' '1' - crudini --set /etc/sysctl.conf '' 'net.ipv6.conf.default.disable_ipv6' '1' - crudini --set /etc/sysctl.conf '' 'net.ipv6.conf.lo.disable_ipv6' '1' - echo -e 'Acquire::ForceIPv4 "true";' > /etc/apt/apt.conf.d/99force-ipv4 - sysctl -p -fi - -# Sysctl tweak -crudini --set /etc/sysctl.conf '' 'net.ipv4.ip_forward' '1' -crudini --set /etc/sysctl.conf '' 'vm.vfs_cache_pressure' '50' -crudini --set /etc/sysctl.conf '' 'vm.swappiness' '10' -sysctl -p - -figlet `hostname -s` > /etc/motd -systemctl restart ssh diff --git a/snippets/phpconfig.sh b/snippets/phpconfig.sh deleted file mode 100644 index 1dff91d..0000000 --- a/snippets/phpconfig.sh +++ /dev/null 
@@ -1,21 +0,0 @@ -#!/usr/bin/env bash - -if [[ $EUID -ne 0 ]]; then echo -e 'This script must be run as root' ; exit 1 ; fi - -find /etc/php/. -name 'php.ini' -exec bash -c 'crudini --set "$0" "PHP" "upload_max_filesize" "32M"' {} \; -find /etc/php/. -name 'php.ini' -exec bash -c 'crudini --set "$0" "PHP" "max_execution_time" "300"' {} \; -find /etc/php/. -name 'php.ini' -exec bash -c 'crudini --set "$0" "PHP" "max_input_time" "300"' {} \; -find /etc/php/. -name 'php.ini' -exec bash -c 'crudini --set "$0" "PHP" "post_max_size" "16M"' {} \; -find /etc/php/. -name 'php.ini' -exec bash -c 'crudini --set "$0" "PHP" "display_errors" "Off"' {} \; -find /etc/php/. -name 'php.ini' -exec bash -c 'crudini --set "$0" "PHP" "cgi.fix_pathinfo" "0"' {} \; -find /etc/php/. -name 'php.ini' -exec bash -c 'crudini --set "$0" "PHP" "memory_limit" "768M"' {} \; -find /etc/php/. -name 'php.ini' -exec bash -c 'crudini --set "$0" "PHP" "expose_php" "Off"' {} \; - -find /etc/php/. -name 'www.conf' -exec bash -c 'crudini --set "$0" "www" "pm" "ondemand"' {} \; -find /etc/php/. -name 'www.conf' -exec bash -c 'crudini --set "$0" "www" "pm.max_children" "32"' {} \; -find /etc/php/. -name 'www.conf' -exec bash -c 'crudini --set "$0" "www" "pm.start_servers" "2"' {} \; -find /etc/php/. -name 'www.conf' -exec bash -c 'crudini --set "$0" "www" "pm.min_spare_servers" "4"' {} \; -find /etc/php/. -name 'www.conf' -exec bash -c 'crudini --set "$0" "www" "pm.max_spare_servers" "8"' {} \; -find /etc/php/. -name 'www.conf' -exec bash -c 'crudini --set "$0" "www" "pm.max_requests" "256"' {} \; -find /etc/php/. -name 'www.conf' -exec bash -c 'crudini --set "$0" "www" "pm.process_idle_timeout" "10s"' {} \; -find /etc/php/. -name 'www.conf' -exec bash -c 'crudini --set "$0" "www" "pm.status_path" "/status"' {} \; diff --git a/snippets/setup_cp.sh b/snippets/setup_cp.sh deleted file mode 100644 index c2bfaa8..0000000 --- a/snippets/setup_cp.sh +++ /dev/null 
@@ -1,18 +0,0 @@ -#!/usr/bin/env bash - -if [[ $EUID -ne 0 ]]; then echo -e 'This script must be run as root' ; exit 1 ; fi - -PMA_DIR="/var/www/myadmin" -echo "ecp_`pwgen -1 -A 8`" > /tmp/ecp_dbname -echo `pwgen -1 12` > /tmp/ecp_dbpass - -CP_DB_NAME=`cat /tmp/ecp_dbname` -CP_DB_PASS=`cat /tmp/ecp_dbpass` -DB_BINDADR=`cat /tmp/db_bindaddr` - -mysql -uroot -p"`cat /tmp/ecp_dbpass`" -e "CREATE DATABASE IF NOT EXISTS `cat /tmp/ecp_dbname`" -mysql -uroot -p"`cat /tmp/ecp_dbpass`" -e "CREATE USER IF NOT EXISTS '$CP_DB_NAME'@'$DB_BINDADR' IDENTIFIED BY '$CP_DB_PASS'" -mysql -uroot -p"`cat /tmp/ecp_dbpass`" -e "GRANT ALL PRIVILEGES ON $CP_DB_NAME.* TO '$CP_DB_NAME'@'$DB_BINDADR'" -mysql -uroot -p"`cat /tmp/ecp_dbpass`" -e "FLUSH PRIVILEGES" -mysql -uroot -p"`cat /tmp/ecp_dbpass`" `cat /tmp/ecp_dbname` < $ROOT/dbschema.sql -perl -pi -e 's#(.*host.*= )(.*)#${1}"'`cat /tmp/db_bindaddr`'";#' $PMA_DIR/config.inc.php \ No newline at end of file diff --git a/snippets/swap.sh b/snippets/swap.sh deleted file mode 100644 index 371c700..0000000 --- a/snippets/swap.sh +++ /dev/null @@ -1,15 +0,0 @@ -#!/usr/bin/env bash - -if [[ $EUID -ne 0 ]]; then echo -e 'This script must be run as root' ; exit 1 ; fi - -if [[ $(cat /etc/fstab | grep -c "swapfile") -eq 0 ]]; then - echo "/swapfile none swap sw 0 0" >> /etc/fstab - size=`crudini --get $ROOT/install.ini swap size` - dd if=/dev/zero of=/swapfile count=$size bs=1M - chmod 600 /swapfile - mkswap /swapfile - swapon /swapfile - swapon --show -else - echo -e "\nSwapfile already configured!\n" -fi diff --git a/toolkit/fix-permission b/toolkit/fix-permission new file mode 100755 index 0000000..fa83a3e --- /dev/null +++ b/toolkit/fix-permission 
@@ -0,0 +1,38 @@ +#!/bin/bash +if [[ $EUID -ne 0 ]]; then echo 'This script must be run as root' ; exit 1 ; fi + +#---------------------------------------------------------------------------------- + +if [ -z $1 ] ; then + echo -e "\nPlease input the directory name." + echo -e "\nExample: $(basename $0) /srv/web/domain.com\n" + exit 1 +fi + +# Check directory +if [ ! -d $1 ]; then + echo -e "\n${red}Directory $1 doesn't exists!\n${nocolor}" + exit 1 +fi + +echo -e "\n${green}Setting up file and directory permission...${nocolor}" + +# Convert path type +dirPath=$1 +if [[ $1 =~ "." ]] ; then + dirPath=$(cd ${1}; pwd) +fi + +# Change permission +find "$dirPath/." -type d -exec chmod 0777 {} \; +find "$dirPath/." -type f -exec chmod 0644 {} \; +chmod -R 0770 $dirPath/* && chmod 0777 $dirPath + +# Special dir for Laravel +find "$dirPath/." -type d -name "bootstrap" -exec chmod -R 0777 {} \; +find "$dirPath/." -type d -name "storage" -exec chmod -R 0777 {} \; + +# Change owner +[[ $2 ]] && chown -R $2 $dirPath|| chown -R webmaster:webmaster $dirPath + +echo -e "\n${green}Permission for directory $dirPath has been fixed!\n${nocolor}" diff --git a/toolkit/ftp-site-create b/toolkit/ftp-site-create new file mode 100755 index 0000000..10d3432 --- /dev/null +++ b/toolkit/ftp-site-create @@ -0,0 +1,10 @@ +#!/bin/bash +if [[ $EUID -ne 0 ]]; then echo 'This script must be run as root' ; exit 1 ; fi +nocolor='\033[0m' +green='\033[0;32m' +red='\033[0;33m' +blue='\033[0;34m' + +#---------------------------------------------------------------------------------- +# -- +#---------------------------------------------------------------------------------- diff --git a/toolkit/ftp-site-remove b/toolkit/ftp-site-remove new file mode 100755 index 0000000..10d3432 --- /dev/null +++ b/toolkit/ftp-site-remove 
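Review bot: `find "$dirPath/." -type d -exec chmod 0777 {} \;` followed by `chmod -R 0770 $dirPath/* && chmod 0777 $dirPath` leaves every directory under the web root world-writable, so any local account can drop files into it; after the `chown -R` that follows, 0755 (0775 where the group needs write) is sufficient for the webmaster user. The argument tests `[ -z $1 ]` and `[ ! -d $1 ]` are unquoted and misbehave on an empty or space-containing path; write `[ -z "$1" ]` and `[ ! -d "$1" ]`. `${red}`, `${green}` and `${nocolor}` are not defined anywhere in this file (unlike the other toolkit scripts), so the messages print whatever the caller's environment happens to hold. `[[ $1 =~ "." ]]` matches any path containing a dot, which is presumably not the "relative path" test intended; `[[ $1 != /* ]]` expresses that directly.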
@@ -0,0 +1,10 @@ +#!/bin/bash +if [[ $EUID -ne 0 ]]; then echo 'This script must be run as root' ; exit 1 ; fi +nocolor='\033[0m' +green='\033[0;32m' +red='\033[0;33m' +blue='\033[0;34m' + +#---------------------------------------------------------------------------------- +# -- +#---------------------------------------------------------------------------------- diff --git a/toolkit/ftp-user-add b/toolkit/ftp-user-add new file mode 100644 index 0000000..a248eb6 --- /dev/null +++ b/toolkit/ftp-user-add @@ -0,0 +1,40 @@ +#!/bin/bash +if [[ $EUID -ne 0 ]]; then echo 'This script must be run as root' ; exit 1 ; fi +nocolor='\033[0m' +green='\033[0;32m' +red='\033[0;33m' +blue='\033[0;34m' + +#---------------------------------------------------------------------------------- +# -- +#---------------------------------------------------------------------------------- + +if [ -z "$1" ] || [ -z "$2" ] ; then + echo -e "\nPlease input the username and directory." + echo -e "\nExample: $(basename "$0") admin /srv/domain.com\n" + exit 1 +fi + +# Check existing user +check_user=$(mysql -uroot stackup_ftp -e "select userid from ftpuser where userid='$1'" | grep $1) +if [ ! -z "$check_user" ] ; then + echo "FTP user $1 already exists!" ; exit 1 +fi + +# Ask for password +while true; do + echo + read -sp "Enter FTP password for new user : " ftp_password + if [ "$ftp_password" == "" ]; then + echo -e "${NO}\n\nPlease enter user password!${NC}" + else + ftp_password="$ftp_password" && break && echo + fi +done + +# Create new user and directory +password=$(echo "{md5}"`echo -n "$ftp_password" | openssl dgst -binary -md5 | openssl enc -base64`) +mysql -uroot stackup_ftp -e "INSERT INTO ftpuser (userid, passwd, homedir) VALUE ('$1', '$password', '$2');" +mkdir -p $2 && chown -R webmaster:webmaster $2 && chmod -R 0755 $2 + +echo -e "\n\nFTP user $1 has been created...\n" diff --git a/toolkit/ftp-user-del b/toolkit/ftp-user-del new file mode 100644 index 0000000..01261f2 --- /dev/null 
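Review bot: `$1` is spliced unvalidated into the SQL text of both `select userid from ftpuser where userid='$1'` and `INSERT INTO ftpuser (userid, passwd, homedir) VALUE ('$1', '$password', '$2');`, so a username containing a quote breaks or rewrites the statement; restrict it before any query, e.g. `[[ "$1" =~ ^[a-z_][a-z0-9_-]{0,31}$ ]] || { echo "invalid username"; exit 1; }`. The existence check `| grep $1` is a substring match, so an existing `admin2` blocks creating `admin`; use `grep -Fx -- "$1"` on the value column instead. The stored credential is an unsalted `{md5}` digest of the password; if the FTP daemon supports a salted crypt/SHA scheme it should be preferred. `${NO}` and `${NC}` are never defined here (the file defines `nocolor`, `green`, `red`, `blue`), and the `&& echo` after `break` never executes.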
+++ b/toolkit/ftp-user-del @@ -0,0 +1,27 @@ +#!/bin/bash +if [[ $EUID -ne 0 ]]; then echo 'This script must be run as root' ; exit 1 ; fi +nocolor='\033[0m' +green='\033[0;32m' +red='\033[0;33m' +blue='\033[0;34m' + +#---------------------------------------------------------------------------------- +# -- +#---------------------------------------------------------------------------------- + +if [ -z "$1" ] ; then + echo -e "\nPlease input the username." + echo -e "\nExample: $(basename "$0") admin\n" + exit 1 +fi + +# Check existing user +check_user=$(mysql -uroot stackup_ftp -e "select userid from ftpuser where userid='$1'" | grep $1) +if [ -z "$check_user" ] ; then + echo "FTP user $1 doesn't exists!" ; exit 1 +fi + +# Delete ftp user except the directory +mysql -uroot stackup_ftp -e "DELETE FROM ftpuser WHERE userid='$1';" + +echo -e "\nFTP user $1 has been deleted...\n" diff --git a/toolkit/mysql-backup b/toolkit/mysql-backup new file mode 100755 index 0000000..3a8305d --- /dev/null +++ b/toolkit/mysql-backup 
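Review bot: Same unvalidated `$1` in SQL as ftp-user-add: `DELETE FROM ftpuser WHERE userid='$1';` runs whatever the string resolves to, so a value containing a quote can change the WHERE clause; validate the username against a strict pattern before the query and use `grep -Fx -- "$1"` for the existence check. Because `grep $1` is a substring match, `adm` passes the check when only `admin` exists and the DELETE then matches nothing while the script still reports success. Typo in the message: `doesn't exists` → `doesn't exist`.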
@@ -0,0 +1,40 @@ +#!/bin/bash +if [[ $EUID -ne 0 ]]; then echo 'This script must be run as root' ; exit 1 ; fi +nocolor='\033[0m' +green='\033[0;32m' +red='\033[0;33m' +blue='\033[0;34m' + +#---------------------------------------------------------------------------------- +# -- +#---------------------------------------------------------------------------------- + +# Initial Setup +#----------------------------------------------------------------------------------------- +TIMESTAMP=$(date +"%y%m%d") +HOSTNAME=$(hostname -s) +BACKUP_DIR="/usr/backup/$TIMESTAMP-$HOSTNAME" +BACKUP_PATH="$BACKUP_DIR/mysql" + +mkdir -p $BACKUP_DIR + +[ -d $BACKUP_PATH ] && rm -fr $BACKUP_PATH +[ -d $$BACKUP_PATH ] || mkdir -p $BACKUP_PATH + +# Backup MySQL / MariaDB +#----------------------------------------------------------------------------------------- +MYSQL=$(which mysql) +MYSQLDUMP=$(which mysqldump) +MYSQL_USER=$(crudini --get /etc/mysql/conf.d/mysql.cnf 'mysql' 'user') +MYSQL_PASS="$(crudini --get /etc/mysql/conf.d/mysql.cnf 'mysql' 'password')" +DB_EXCLUDE="Database|information_schema|mysql|performance_schema|phpmyadmin" + +databases=`$MYSQL --user=$MYSQL_USER -p$MYSQL_PASS -e "SHOW DATABASES;" | grep -Ev "(${DB_EXCLUDE})"` +for db in $databases; do + # $MYSQLDUMP --force --opt --user=$MYSQL_USER -p$MYSQL_PASS --databases $db | gzip > "$BACKUP_DIR/mysql/$db.gz" + $MYSQLDUMP --force --opt --user=$MYSQL_USER -p$MYSQL_PASS --databases $db > "$BACKUP_DIR/mysql/$db.sql" +done + +# Change permissions +#----------------------------------------------------------------------------------------- +chown -R webmaster:webmaster ${BACKUP_DIR} diff --git a/toolkit/mysql-create b/toolkit/mysql-create new file mode 100755 index 0000000..93e8077 --- /dev/null +++ b/toolkit/mysql-create 
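Review bot: `[ -d $$BACKUP_PATH ] || mkdir -p $BACKUP_PATH` tests `$$` (the shell's PID) followed by the literal text `BACKUP_PATH`, so the test is always false and the line only works because `mkdir -p` is idempotent; write `[ -d "$BACKUP_PATH" ] || mkdir -p "$BACKUP_PATH"`. Passing `-p$MYSQL_PASS` on the command line of every `$MYSQL`/`$MYSQLDUMP` call exposes the database root password to all local users through `ps` for the duration of each dump; the credentials already live in `/etc/mysql/conf.d/mysql.cnf`, so `--defaults-extra-file=/etc/mysql/conf.d/mysql.cnf` (or relying on the client reading that directory, if the distribution includes it) removes the flags entirely. The finished dumps are handed to `webmaster:webmaster` with default file modes, giving the web user a readable copy of every database; at minimum `chmod -R o-rwx "${BACKUP_DIR}"`. `$databases` is expanded unquoted in the `for` loop, which is fine for database names but worth a comment. The same `$$BACKUP_PATH` bug appears in site-backup.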
@@ -0,0 +1,44 @@ +#!/bin/bash +if [[ $EUID -ne 0 ]]; then echo 'This script must be run as root' ; exit 1 ; fi +nocolor='\033[0m' +green='\033[0;32m' +red='\033[0;33m' +blue='\033[0;34m' + +#---------------------------------------------------------------------------------- +# -- +#---------------------------------------------------------------------------------- + +if [ -z "$1" ] ; then + echo -e "\nPlease input the database name." + echo -e "\nExample: $(basename "$0") awesomedb\n" + exit 1 +fi + +# Check if database already exist +CHECK=`mysql -e "SHOW DATABASES" | grep $1` +if [ "$CHECK" == "$1" ]; then + echo -e "\nDatabase already exists!\n" ; exit 1 +else + db_name=$1 +fi + +# Database password +read -e -p "Database Password : " -i "auto" ask_db_pass +if [ "$ask_db_pass" == "auto" ] ;then + # passlen=`shuf -i 8-16 -n 1` + passlen=`echo $1 | wc -c` + db_pass=`pwgen -scn $passlen 1` +else + db_pass=$ask_db_pass +fi + +read -e -p "Database Address : " -i "127.0.0.1" db_addr + +# Create database and user +mysql -e "CREATE DATABASE IF NOT EXISTS $db_name" +mysql -e "CREATE USER IF NOT EXISTS '$db_name'@'$db_addr' IDENTIFIED BY '$db_pass'" +mysql -e "GRANT ALL PRIVILEGES ON $db_name.* TO '$db_name'@'$db_addr'" +mysql -e "FLUSH PRIVILEGES" + +echo -e "\nDatabase created with user $db_name and password: $db_pass\n" diff --git a/toolkit/mysql-drop b/toolkit/mysql-drop new file mode 100755 index 0000000..bd231e1 --- /dev/null +++ b/toolkit/mysql-drop 
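Review bot: `CHECK=\`mysql -e "SHOW DATABASES" | grep $1\`` is a substring match, so when both `app` and `myapp` exist `CHECK` holds both lines, the `[ "$CHECK" == "$1" ]` comparison fails and the "already exists" guard is bypassed; use `grep -Fx -- "$1"` to match whole names. `$db_name` and `$db_addr` go unvalidated into `CREATE DATABASE IF NOT EXISTS $db_name` and the quoted user/grant statements, so a name containing a space, quote or backtick breaks or rewrites the statement; restrict the name with `[[ "$1" =~ ^[A-Za-z0-9_]{1,64}$ ]] || exit 1` before any query. The auto-generated password length is `echo $1 | wc -c`, i.e. the database name's length plus one, so a short name yields a very short password; use the commented `shuf -i 8-16 -n 1` or a fixed minimum such as 16. The generated password is echoed to the terminal, which is acceptable for an interactive wizard but should be stated in a comment.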
@@ -0,0 +1,31 @@ +#!/bin/bash +if [[ $EUID -ne 0 ]]; then echo 'This script must be run as root' ; exit 1 ; fi +nocolor='\033[0m' +green='\033[0;32m' +red='\033[0;33m' +blue='\033[0;34m' + +#---------------------------------------------------------------------------------- +# -- +#---------------------------------------------------------------------------------- + +if [[ $($MYSQL mysql -e "select Db, User, Host from mysql.db") ]]; then + echo + $MYSQL mysql -e "select Db, User, Host from mysql.db;" +else + echo -e "\nNo databased needs to be deleted.\n" + exit 1 +fi + +# The wizard +echo +read -e -p "Database Name : " db_name +read -e -p "Database User : " -i "$db_name" db_user +read -e -p "Database Host : " -i "127.0.0.1" db_host + +# Drop database and user +mysql -e "DROP DATABASE IF EXISTS $db_name" +mysql -e "DROP USER IF EXISTS '$db_name'@'$db_host'" +mysql -e "FLUSH PRIVILEGES" + +echo -e "\nDatabase $db_name @ $db_host has been dropped.\n" diff --git a/toolkit/mysql-list b/toolkit/mysql-list new file mode 100755 index 0000000..454af12 --- /dev/null +++ b/toolkit/mysql-list @@ -0,0 +1,16 @@ +#!/bin/bash +if [[ $EUID -ne 0 ]]; then echo 'This script must be run as root' ; exit 1 ; fi +nocolor='\033[0m' +green='\033[0;32m' +red='\033[0;33m' +blue='\033[0;34m' + +#---------------------------------------------------------------------------------- +# -- +#---------------------------------------------------------------------------------- + +if [[ $(mysql -e "select Db, User, Host from mysql.db") ]]; then + echo ; mysql -e "select Db, User, Host from mysql.db;" ; echo +else + echo -e "\nYou have no database!\n" +fi diff --git a/toolkit/mysql-reset b/toolkit/mysql-reset new file mode 100755 index 0000000..974a9f0 --- /dev/null +++ b/toolkit/mysql-reset 
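Review bot: `db_user` is read from the "Database User" prompt but never used; `DROP USER IF EXISTS '$db_name'@'$db_host'` drops the account named after the database, so a differently named user is left behind (or the wrong one removed). Either use `'$db_user'@'$db_host'` or drop the prompt. `$MYSQL` is never assigned in this file, so `$MYSQL mysql -e ...` executes as `mysql mysql -e ...` and only works because the first word is taken as the database name; the plain `mysql -e` used further down is presumably what was meant. `$db_name` and `$db_host` are interpolated unquoted into a destructive `DROP`, so validate them with a strict pattern before running it.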
@@ -0,0 +1,72 @@ +#!/bin/bash +if [[ $EUID -ne 0 ]]; then echo 'This script must be run as root' ; exit 1 ; fi +nocolor='\033[0m' +green='\033[0;32m' +red='\033[0;33m' +blue='\033[0;34m' + +#---------------------------------------------------------------------------------- +# -- +#---------------------------------------------------------------------------------- + +# Please confirm that you want to reset the MySQL passwords +CONFIRM="n" +echo -en "\nPlease confirm MySQL password reset. Continue? (y/N): " +read -n 1 CONFIRM_INPUT +if [ -n "$CONFIRM_INPUT" ]; then + CONFIRM=$CONFIRM_INPUT +fi + +echo + +# check if we are resetting the MySQL password +if [[ "${CONFIRM}" =~ ^[Yy]$ ]]; then + + # Kill any mysql processes currently running + echo -e '\nShutting down any mysql processes...' + service mysql stop + killall -w mysqld + + # Start mysql without grant tables + mysqld_safe --skip-grant-tables >res 2>&1 & + + echo -e '\nResetting password... hold on' + + # Sleep for 5 while the new mysql process loads (if get a connection error you might need to increase this.) + sleep 5 + + # Creating the password + DB_ROOT_PASS_LEN=`shuf -i 12-20 -n 1` + DB_ROOT_PASS=`pwgen -scn $DB_ROOT_PASS_LEN 1` + DB_ROOT_USER='root' + + # Update root user with new password + mysql -uroot -e "FLUSH PRIVILEGES; ALTER USER 'root'@'localhost' IDENTIFIED BY '${DB_ROOT_PASS}';" + # mysql mysql -e "UPDATE user SET Password=PASSWORD('$DB_ROOT_PASS') WHERE User='$DB_ROOT_USER';FLUSH PRIVILEGES;" + + echo 'Cleaning up...' 
+ + # Kill the insecure mysql process + killall -w mysqld + + # Starting mysql again + service mysql restart + + # Update Configuration + crudini --set /etc/mysql/conf.d/mysql.cnf 'mysql' 'password' $DB_ROOT_PASS + crudini --set /etc/mysql/conf.d/mysql.cnf 'mysqldump' 'password' $DB_ROOT_PASS + + # Update Information + crudini --set /root/stackup-info.log '' 'mysql_password' $DB_ROOT_PASS + + echo + echo "Password reset has been completed" + echo + echo "MySQL root password: $DB_ROOT_PASS" + echo + echo "Remember to store this password safely!" +else + echo "Password reset was aborted" +fi + +echo diff --git a/toolkit/pkg-update b/toolkit/pkg-update new file mode 100755 index 0000000..2584615 --- /dev/null +++ b/toolkit/pkg-update @@ -0,0 +1,15 @@ +#!/bin/bash +if [[ $EUID -ne 0 ]]; then echo 'This script must be run as root' ; exit 1 ; fi +nocolor='\033[0m' +green='\033[0;32m' +red='\033[0;33m' +blue='\033[0;34m' + +#---------------------------------------------------------------------------------- +# -- +#---------------------------------------------------------------------------------- + +apt update +apt -y full-upgrade +apt -y autoremove +apt clean diff --git a/toolkit/set-default-php b/toolkit/set-default-php new file mode 100755 index 0000000..b3e3857 --- /dev/null +++ b/toolkit/set-default-php 
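Review bot: `mysqld_safe --skip-grant-tables >res 2>&1 &` starts the server with authentication disabled and, without `--skip-networking`, it keeps accepting TCP connections for the whole `sleep 5` plus reset window; add the flag so only local socket clients can reach it, `mysqld_safe --skip-grant-tables --skip-networking >/dev/null 2>&1 &`. The `>res` redirection also leaves a file named `res` in whatever the current directory is. The new root password is passed on the argv of three `crudini --set` calls (visible via `ps`) and stored in clear text in `/root/stackup-info.log` and `/etc/mysql/conf.d/mysql.cnf`; both files should be confirmed mode 0600. A fixed `sleep 5` is fragile on slow hosts; polling `mysqladmin ping` until it succeeds is more robust.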
@@ -0,0 +1,32 @@ +#!/bin/bash +if [[ $EUID -ne 0 ]]; then echo 'This script must be run as root' ; exit 1 ; fi +nocolor='\033[0m' +green='\033[0;32m' +red='\033[0;33m' +blue='\033[0;34m' + +#---------------------------------------------------------------------------------- +# -- +#---------------------------------------------------------------------------------- + +default="7.3" + +arr_ver=( '5.6' '7.2' '7.3' ) + +# Check default PHP version in installation config +if [[ ! -z $1 ]]; then default=$1 ; fi + +if [[ "${arr_ver[*]}" != *"$default"* ]]; then + echo -e "\nThat PHP version doesnt' exist...\n" ; exit 1 +fi + +echo -e "\nConfiguring php-fpm, set default to v$default" ; echo +update-alternatives --set php /usr/bin/php$default >/dev/null 2>&1 +update-alternatives --set phar /usr/bin/phar$default >/dev/null 2>&1 +update-alternatives --set phar.phar /usr/bin/phar.phar$default >/dev/null 2>&1 + +# Default PHP-FPM on Nginx configuration +find /etc/nginx/server.d/ -type f -exec sed -i "s/php.*.-fpm/php\/php${default}-fpm/g" {} + +find /etc/nginx/stubs/ -type f -exec sed -i "s/php.*.-fpm/php\/php${default}-fpm/g" {} + + +echo -e "Default PHP version has been set to v$default\n" diff --git a/toolkit/set-default-python b/toolkit/set-default-python new file mode 100755 index 0000000..d474265 --- /dev/null +++ b/toolkit/set-default-python 
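Review bot: The version guard `[[ "${arr_ver[*]}" != *"$default"* ]]` is a substring test against `5.6 7.2 7.3`, so `7`, `.`, `3` or an empty string pass and reach `update-alternatives --set php /usr/bin/php$default` and the `sed -i` over every file in `/etc/nginx/server.d/` and `/etc/nginx/stubs/`; match whole elements instead, `[[ " ${arr_ver[*]} " == *" $default "* ]] || { echo "unknown PHP version"; exit 1; }`. The sed pattern `php.*.-fpm` is greedy and replaces everything between the first `php` and the last `-fpm` on a line, which can corrupt lines that mention two socket paths. set-default-python has the same substring guard. Typo: `doesnt'` → `doesn't`.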
@@ -0,0 +1,28 @@ +#!/bin/bash +if [[ $EUID -ne 0 ]]; then echo 'This script must be run as root' ; exit 1 ; fi +nocolor='\033[0m' +green='\033[0;32m' +red='\033[0;33m' +blue='\033[0;34m' + +#---------------------------------------------------------------------------------- +# -- +#---------------------------------------------------------------------------------- + +default="3.5" + +arr_ver=( '2.7' '3.5' ) + +# Get user parameter +if [[ ! -z $1 ]]; then default=$1 ; fi + +if [[ "${arr_ver[*]}" != *"$default"* ]]; then + echo -e "\nThat Python version doesnt' exist...\n" ; exit 1 +fi + +echo -e "\nConfiguring Python..." ; echo +update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1 >/dev/null 2>&1 +update-alternatives --install /usr/bin/python python /usr/bin/python3.5 2 >/dev/null 2>&1 +update-alternatives --set python /usr/bin/python$default >/dev/null 2>&1 + +echo -e "$(python --version) is default now...\n" diff --git a/toolkit/site-backup b/toolkit/site-backup new file mode 100644 index 0000000..b1fa4e1 --- /dev/null +++ b/toolkit/site-backup 
@@ -0,0 +1,65 @@ +#!/bin/bash +if [[ $EUID -ne 0 ]]; then echo 'This script must be run as root' ; exit 1 ; fi +nocolor='\033[0m' +green='\033[0;32m' +red='\033[0;33m' +blue='\033[0;34m' + +#---------------------------------------------------------------------------------- +# -- +#---------------------------------------------------------------------------------- + +# Initial Setup +#----------------------------------------------------------------------------------------- +TIMESTAMP=$(date +"%y%m%d") +HOSTNAME=$(hostname -s) +BACKUP_DIR="/usr/backup/$TIMESTAMP-$HOSTNAME" +BACKUP_PATH="$BACKUP_DIR/webdata" + +mkdir -p $BACKUP_DIR + +[ -d $BACKUP_PATH ] && rm -fr $BACKUP_PATH +[ -d $$BACKUP_PATH ] || mkdir -p $BACKUP_PATH + +# Backup web directory +#----------------------------------------------------------------------------------------- +cd /srv +for i in */; do + [ -d "$i" ] && tar -cpzf "$(basename -- $i).tar.gz" $i &>/dev/null +done + +mv /srv/*tar.gz $BACKUP_PATH/ + +# Change permissions +#----------------------------------------------------------------------------------------- +chown -R webmaster:webmaster ${BACKUP_DIR} + + +# ====================================================================================== + + +# Do Backup +#----------------------------------------------------------------------------------------- +TIMESTAMP=$(date +"%y%m%d") +HOSTNAME=$(hostname -s) +BACKUP_DIR="/usr/backup" +FILENAME="$TIMESTAMP-$HOSTNAME.tar.gz" + +mkdir -p $BACKUP_DIR + +[ -f "$BACKUP_DIR/$FILENAME" ] && rm -fr "$BACKUP_DIR/$FILENAME" + +echo -e "\n${OK}Backing up the database...${NC}" +bash /usr/local/bin/backup-mysql + +echo -e "\n${OK}Backing up web directory...${NC}" +bash /usr/local/bin/backup-dir + +echo -e "\n${OK}Backing up configuration...${NC}" +cp -r /etc/nginx/vhost.d $BACKUP_DIR/$TIMESTAMP-$HOSTNAME/ + +echo -e "\n${OK}Compressing backup files...${NC}" +cd $BACKUP_DIR && tar -cpzf $FILENAME $TIMESTAMP-$HOSTNAME &>/dev/null + +rm -fr 
$BACKUP_DIR/$TIMESTAMP-$HOSTNAME
+chown -R webmaster:webmaster ${BACKUP_DIR}
diff --git a/toolkit/site-create b/toolkit/site-create
new file mode 100755
index 0000000..1751ec2
--- /dev/null
+++ b/toolkit/site-create
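Review bot: The second half calls `bash /usr/local/bin/backup-mysql` and `bash /usr/local/bin/backup-dir`, but the toolkit scripts visible in this commit are installed as `mysql-backup` and `site-backup`; unless scripts with the former names exist elsewhere, both calls fail and the archive is built from the `vhost.d` copy alone, while the first half of this same file already performs the web-directory backup. Point the calls at the scripts that exist, or fold the two halves into one flow. `[ -d $$BACKUP_PATH ]` tests the PID-prefixed string (same bug as mysql-backup); `cd /srv` is unchecked, so on failure the `tar`/`mv` run in the original directory — `cd /srv || exit 1`. `${OK}` and `${NC}` are not defined in this file.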
@@ -0,0 +1,124 @@ +#!/bin/bash +if [[ $EUID -ne 0 ]]; then echo 'This script must be run as root' ; exit 1 ; fi +nocolor='\033[0m' +green='\033[0;32m' +red='\033[0;33m' +blue='\033[0;34m' + +#---------------------------------------------------------------------------------- +# -- +#---------------------------------------------------------------------------------- +if [ -z "$1" ] ; then + echo -e "\nPlease input the domain name." + echo -e "\nExample: $(basename "$0") domain.com\n" + exit 1 +fi + +DOMAIN=$1 +WEBDIR="/srv/web" + +# Validate IP address +#---------------------------------------------------------------------------------- +ipServer=`curl -s ifconfig.me` +ipDomain=`dig +short ${DOMAIN} | tail -n1` + +if ! [[ $ipDomain == $ipServer ]]; then + echo -e "\nDomain not pointed to this server...\n" + exit 1 +fi + +# Validate existing vhost +#---------------------------------------------------------------------------------- +if [[ -d "${WEBDIR}/${DOMAIN}" ]]; then + echo -e "\nVirtualHost already exist...\n" + exit 1 +fi + +# Starting the process +#---------------------------------------------------------------------------------- +read -p "Press [Enter] to Continue or [Ctrl+C] to Cancel..." + +sitePath="${WEBDIR}/${DOMAIN}" +[[ -d "${sitePath}/public" ]] || mkdir -p "${sitePath}/public" + +# Site creation functions +#---------------------------------------------------------------------------------- +srcStubs="/etc/nginx/stubs" +srcVhost="/etc/nginx/templates" +dstVhost="/etc/nginx/vhost.d" + +siteCreatePhp() { + cp ${srcVhost}/vhost-php.conf ${sitePath}/vhost.conf + if [[ ! -f "${sitePath}/public/index.php" ]]; then + cp ${srcStubs}/default.php ${sitePath}/public/index.php + fi +} + +siteCreateHtml() { + cp ${srcVhost}/vhost-html.conf ${sitePath}/vhost.conf + if [[ ! 
-f "${sitePath}/public/index.html" ]]; then + cp ${srcStubs}/default.html ${sitePath}/public/index.html + fi +} + +siteCreateWp() { + echo -e "\nInstalling WordPress for ${DOMAIN}...\n" + wpUrl="https://wordpress.org/latest.zip" + curl -fsSL ${wpUrl} | bsdtar -xvf- -C ${sitePath} + + [[ -d "${sitePath}/public" ]] && rm -fr ${sitePath}/public + mv ${sitePath}/wordpress ${sitePath}/public + cp ${srcStubs}/wp-config-sample.php ${sitePath}/public/wp-config-sample.php + cp ${srcVhost}/vhost-php.conf ${sitePath}/vhost.conf +} + +# Create Web directory and default index file +#---------------------------------------------------------------------------------- +if [ -z "$2" ] ; then siteCreatePhp +elif [ "$2" == "--wp" ] ; then siteCreateWp +elif [ "$2" == "--html" ] ; then siteCreateHtml +elif [ "$2" == "--proxy" ] ; then echo "site type proxy" +elif [ "$2" == "--ghost" ] ; then echo "site type ghost" +else echo "site type undefined" && exit 1 ; fi + +# Configure virtualhost +#---------------------------------------------------------------------------------- +sed -i "s/HOSTNAME/${DOMAIN}/" ${sitePath}/vhost.conf +read -ep "Do you want to use www subdomain? y/n : " use_prefix_www +if [[ "${use_prefix_www,,}" =~ ^(yes|y)$ ]] ; then + sed -i "s/# server_name www/server_name www/" ${sitePath}/vhost.conf +fi + +# Fix directory permission +#---------------------------------------------------------------------------------- +find "${sitePath}/." -type d -exec chmod 0777 {} \; +find "${sitePath}/." -type f -exec chmod 0644 {} \; +chmod -R 0770 ${sitePath}/* && chmod 0777 ${sitePath} +chown -R webmaster:webmaster ${sitePath} + +# Ask to generate LetsEncrypt certificate +#---------------------------------------------------------------------------------- +if [ ! -d "/etc/letsencrypt/live/${DOMAIN}" ]; then + read -ep "Do you want to generate SSL certificate? 
y/n : " answer + if [[ "${answer,,}" =~ ^(yes|y)$ ]] ; then + bash /usr/local/bin/ssl-create ${DOMAIN} + fi +fi + +# Enabling virtualhost +#---------------------------------------------------------------------------------- +ln -fs ${sitePath}/vhost.conf ${dstVhost}/${DOMAIN}.conf + +# Test web server configuration then restart +#---------------------------------------------------------------------------------- +`which nginx` -t 2>/dev/null > /dev/null +if [[ $? == 0 ]]; then + echo -e "\nReloading Nginx configuration..." + systemctl reload nginx +else + echo -e "\nNginx configuration fail..." + `which nginx` -t + exit +fi + +echo -e "\nVirtualHost for ${DOMAIN} created...\n" diff --git a/toolkit/site-delete b/toolkit/site-delete new file mode 100755 index 0000000..10d3432 --- /dev/null +++ b/toolkit/site-delete @@ -0,0 +1,10 @@ +#!/bin/bash +if [[ $EUID -ne 0 ]]; then echo 'This script must be run as root' ; exit 1 ; fi +nocolor='\033[0m' +green='\033[0;32m' +red='\033[0;33m' +blue='\033[0;34m' + +#---------------------------------------------------------------------------------- +# -- +#---------------------------------------------------------------------------------- diff --git a/toolkit/site-disable b/toolkit/site-disable new file mode 100755 index 0000000..10d3432 --- /dev/null +++ b/toolkit/site-disable @@ -0,0 +1,10 @@ +#!/bin/bash +if [[ $EUID -ne 0 ]]; then echo 'This script must be run as root' ; exit 1 ; fi +nocolor='\033[0m' +green='\033[0;32m' +red='\033[0;33m' +blue='\033[0;34m' + +#---------------------------------------------------------------------------------- +# -- +#---------------------------------------------------------------------------------- diff --git a/toolkit/site-enable b/toolkit/site-enable new file mode 100755 index 0000000..10d3432 --- /dev/null +++ b/toolkit/site-enable 
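Review bot: `DOMAIN=$1` is never validated before it builds `sitePath="${WEBDIR}/${DOMAIN}"`, the `sed -i "s/HOSTNAME/${DOMAIN}/"` replacement and `ln -fs ${sitePath}/vhost.conf ${dstVhost}/${DOMAIN}.conf`, so a value containing `/`, `..` or sed metacharacters creates directories and symlinks outside `/srv/web`; the `dig` lookup does not prevent that. Add a hostname check after the argument test, `[[ "$DOMAIN" =~ ^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$ ]] || { echo "invalid domain"; exit 1; }`. `[[ $ipDomain == $ipServer ]]` is an unquoted pattern match, and when `curl -s ifconfig.me` fails (offline, service down) both sides can be empty and compare equal; quote both and require `[[ -n "$ipServer" ]]`. The permission block (`chmod 0777` on every directory and on `${sitePath}`) makes the whole vhost world-writable; after `chown -R webmaster:webmaster` 0755/0775 is sufficient.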
@@ -0,0 +1,10 @@ +#!/bin/bash +if [[ $EUID -ne 0 ]]; then echo 'This script must be run as root' ; exit 1 ; fi +nocolor='\033[0m' +green='\033[0;32m' +red='\033[0;33m' +blue='\033[0;34m' + +#---------------------------------------------------------------------------------- +# -- +#---------------------------------------------------------------------------------- diff --git a/toolkit/ssl-create b/toolkit/ssl-create new file mode 100755 index 0000000..d9be062 --- /dev/null +++ b/toolkit/ssl-create @@ -0,0 +1,38 @@ +#!/bin/bash +if [[ $EUID -ne 0 ]]; then echo 'This script must be run as root' ; exit 1 ; fi +nocolor='\033[0m' +green='\033[0;32m' +red='\033[0;33m' +blue='\033[0;34m' + +#---------------------------------------------------------------------------------- +# -- +#---------------------------------------------------------------------------------- + +if [ -x $(which nginx) ]; then + WEBSERVER="nginx" +elif [ -x $(which apache2) ]; then + WEBSERVER="apache2" +fi + +if [ -z "$1" ] ; then + echo -e "\nPlease input the domain name." + echo -e "\nExample: $(basename "$0") domain.com\n" + exit 1 +fi + +www="" + +read -ep "Generate certificate for www subdomain? y/n : " answer + +if [[ "${answer,,}" =~ ^(yes|y)$ ]] ; then www="-d www.$1" ; fi + +systemctl stop $WEBSERVER + +certbot certonly --no-bootstrap \ + --standalone --rsa-key-size 4096 --agree-tos \ + --register-unsafely-without-email -d $1 $www + +systemctl restart $WEBSERVER + +echo -e "SSL certificate for $1 created..." diff --git a/toolkit/ssl-renew b/toolkit/ssl-renew new file mode 100755 index 0000000..7e14552 --- /dev/null +++ b/toolkit/ssl-renew 
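Review bot: `if [ -x $(which nginx) ]` is true even when nginx is absent, because an empty substitution leaves the one-argument test `[ -x ]`, which is true for any non-empty string; `WEBSERVER` is therefore always `nginx`, the apache2 branch is unreachable, and `systemctl stop $WEBSERVER` may stop nothing while certbot's standalone listener then fails to bind. Use `if command -v nginx >/dev/null; then` (and the same for apache2). The identical test is copied into ssl-renew and ssl-wildcard. `--register-unsafely-without-email` means expiry and revocation notices from the CA never arrive; taking an email parameter would avoid silent lapses. `-d $1` is unquoted and the domain is never validated before being handed to certbot.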
@@ -0,0 +1,20 @@ +#!/bin/bash +if [[ $EUID -ne 0 ]]; then echo 'This script must be run as root' ; exit 1 ; fi +nocolor='\033[0m' +green='\033[0;32m' +red='\033[0;33m' +blue='\033[0;34m' + +#---------------------------------------------------------------------------------- +# -- +#---------------------------------------------------------------------------------- + +if [ -x $(which nginx) ]; then + WEBSERVER="nginx" +elif [ -x $(which apache2) ]; then + WEBSERVER="apache2" +fi + +systemctl stop $WEBSERVER +certbot renew --no-self-upgrade +systemctl restart $WEBSERVER diff --git a/toolkit/ssl-revoke b/toolkit/ssl-revoke new file mode 100755 index 0000000..af446ea --- /dev/null +++ b/toolkit/ssl-revoke @@ -0,0 +1,27 @@ +#!/bin/bash +if [[ $EUID -ne 0 ]]; then echo 'This script must be run as root' ; exit 1 ; fi +nocolor='\033[0m' +green='\033[0;32m' +red='\033[0;33m' +blue='\033[0;34m' + +#---------------------------------------------------------------------------------- +# -- +#---------------------------------------------------------------------------------- + +if [ -z "$1" ] ; then + echo -e "\nPlease input the domain name." + echo -e "\nExample: $(basename "$0") domain.com\n" + exit 1 +fi + +if [[ ! -d "/etc/letsencrypt/live/$1" ]]; then + echo -e "SSL certificate for $1 doesn't exist..." + exit 1 +fi + +read -p "Press enter to continue ..." + +certbot revoke --cert-path /etc/letsencrypt/live/$1/fullchain.pem + +echo -e "SSL certificate for $1 has been revoked..." diff --git a/toolkit/ssl-wildcard b/toolkit/ssl-wildcard new file mode 100755 index 0000000..e2b739f --- /dev/null +++ b/toolkit/ssl-wildcard 
@@ -0,0 +1,42 @@
+#!/bin/bash
+if [[ $EUID -ne 0 ]]; then echo 'This script must be run as root' ; exit 1 ; fi
+nocolor='\033[0m'
+green='\033[0;32m'
+red='\033[0;33m'
+blue='\033[0;34m'
+
+#----------------------------------------------------------------------------------
+# --
+#----------------------------------------------------------------------------------
+
+if [ -x $(which nginx) ]; then
+ WEBSERVER="nginx"
+elif [ -x $(which apache2) ]; then
+ WEBSERVER="apache2"
+fi
+
+if [ -z "$1" ] ; then
+ echo -e "\nPlease input the domain name."
+ echo -e "\nExample: $(basename "$0") domain.com\n"
+ exit 1
+fi
+
+read -p "Press enter to continue ..."
+
+systemctl stop $WEBSERVER
+
+certbot certonly \
+--manual \
+--agree-tos \
+--no-bootstrap \
+--rsa-key-size 4096 \
+--manual-public-ip-logging-ok \
+--preferred-challenges dns-01 \
+--server https://acme-v02.api.letsencrypt.org/directory \
+-d $1 -d *.$1
+
+systemctl restart $WEBSERVER
+
+# certbot certificates | grep Domains:
+
+echo -e "Wildcard SSL certificate for $1 created..."
diff --git a/toolkit/user-create b/toolkit/user-create
new file mode 100755
index 0000000..10d3432
--- /dev/null
+++ b/toolkit/user-create
@@ -0,0 +1,10 @@
+#!/bin/bash
+if [[ $EUID -ne 0 ]]; then echo 'This script must be run as root' ; exit 1 ; fi
+nocolor='\033[0m'
+green='\033[0;32m'
+red='\033[0;33m'
+blue='\033[0;34m'
+
+#----------------------------------------------------------------------------------
+# --
+#----------------------------------------------------------------------------------
diff --git a/toolkit/user-deploybot b/toolkit/user-deploybot
new file mode 100644
index 0000000..aaf3de8
--- /dev/null
+++ b/toolkit/user-deploybot
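Review bot: `-d $1 -d *.$1` in toolkit/ssl-wildcard leaves the wildcard unquoted, so bash glob-expands `*.$1` against the current directory before certbot sees it; if the working directory holds a file whose name matches (say `backup.example.com`, a constructed example, with `$1` = `example.com`) the request silently becomes one for that filename instead of the wildcard. Quote both: `-d "$1" -d "*.$1"`. With `--manual --preferred-challenges dns-01` the web server plays no part in validation, so `systemctl stop $WEBSERVER` before the interactive TXT-record prompt only produces downtime for however long the operator takes to update DNS; the stop/restart pair can go. Because the manual plugin is used without an auth hook this certificate cannot be renewed non-interactively and toolkit/ssl-renew will fail on it; a comment next to the certbot call should say so, and should flag that `--manual-public-ip-logging-ok` is deprecated in recent certbot releases (confirm against the installed version).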
@@ -0,0 +1,49 @@
+#!/bin/bash
+if [[ $EUID -ne 0 ]]; then echo 'This script must be run as root' ; exit 1 ; fi
+nocolor='\033[0m'
+green='\033[0;32m'
+red='\033[0;33m'
+blue='\033[0;34m'
+
+#----------------------------------------------------------------------------------
+# --
+#----------------------------------------------------------------------------------
+
+while true; do
+ read -ep "Enter username for deployer : " -i "buddy" username
+ if [[ $(cat /etc/passwd | grep -c "$username") -eq 1 ]]; then
+ echo -e "${NO}User $username already exists!${NC}"
+ else
+ password=$(openssl rand -base64 16 | tr -d "=+/" | cut -c1-25)
+ pass=$(perl -e 'print crypt($ARGV[0], "password")' $password)
+ useradd -mg sudo -s `which bash` $username -c "Deployer Bot" -p $pass
+ if [ $? -eq 0 ] ; then
+ read -ep "Enter ssh key for this user : " sshkey
+ HOMEDIR=$(eval echo "~$username")
+ KEYFILE="$HOMEDIR/.ssh/${username}_keys"
+ mkdir -p $HOMEDIR/.ssh ; chmod 0700 $_
+ touch $KEYFILE ; chmod 0600 $_
+ if [[ $(cat "$KEYFILE") == "" ]]; then
+ echo -e "$sshkey\n" > $KEYFILE
+ else
+ echo -e "$sshkey\n" >> $KEYFILE
+ fi
+ chown -R $username: $HOMEDIR/.ssh
+ echo -e "${OK}User ${NO}$username${NC}${OK} with password ${NO}$password${NC} ${OK}has been added to system!${NC}"
+ else
+ echo -e "${NO}Failed to add a user!${NC}"
+ fi
+ break
+ fi
+done
+
+# Setup ssh authentication
+touch /etc/ssh/sshd_config
+if [[ $(cat /etc/ssh/sshd_config | grep -c "$username") -eq 0 ]]; then
+ {
+ echo ; echo -e "Match User $username"
+ echo -e "\tPasswordAuthentication no"
+ echo -e "\tPubkeyAuthentication yes"
+ echo -e "\tAuthorizedKeysFile .ssh/${username}_keys"
+ } >> /etc/ssh/sshd_config
+fi
diff --git a/update.sh b/update.sh
new file mode 100644
index 0000000..6d48d1d
--- /dev/null
+++ b/update.sh
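Review bot: `pass=$(perl -e 'print crypt($ARGV[0], "password")' $password)` in toolkit/user-deploybot hashes with a two-character salt, which selects traditional DES crypt: the salt is the constant `pa` and only the first 8 characters of the 25-character password are used, so the credential for a sudo-group account is far weaker than it looks, and the plaintext is also exposed on the perl command line to anyone who can list processes. Use `pass=$(openssl passwd -6 -stdin <<<"$password")` for a randomly salted SHA-512 hash fed over stdin. The existence check `[[ $(cat /etc/passwd | grep -c "$username") -eq 1 ]]` matches the name as a substring of any passwd field, so `buddy` is reported as existing when only `buddy2` does, and two matches fall through to `useradd`; `getent passwd "$username" >/dev/null` is the exact test, and `getent passwd "$username" | cut -d: -f6` also replaces the `eval echo "~$username"` home-directory lookup. `${NO}`, `${NC}` and `${OK}` are not defined anywhere in this file (the header defines `nocolor`, `green`, `red`, `blue`), so the status lines print with empty prefixes. After the `Match User` block is appended to /etc/ssh/sshd_config nothing validates it or reloads sshd, so the key-only policy is not in force until the next restart and a syntax error would only surface then; the rewrite below adds the check.
```shell
    # … unchanged: prompt for username …
    if getent passwd "$username" >/dev/null; then
        echo -e "${red}User $username already exists!${nocolor}"
    else
        password=$(openssl rand -base64 16 | tr -d "=+/" | cut -c1-25)
        # randomly salted SHA-512 crypt; the plaintext never appears on a command line
        pass=$(openssl passwd -6 -stdin <<<"$password")
        # … unchanged: useradd, key installation, status message …

# … unchanged: sshd_config Match block append …
if sshd -t; then
    systemctl reload sshd   # unit may be named ssh on Debian-derived systems
else
    echo "sshd_config failed validation; not reloading sshd" >&2
fi
```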
@@ -0,0 +1,25 @@
+#!/bin/bash
+if [[ $EUID -ne 0 ]]; then echo 'This script must be run as root' ; exit 1 ; fi
+
+# Define working directory
+ROOTDIR=$(dirname "$(readlink -f "$0")")
+CLONE_DIR=/usr/src/stackup
+
+if ! [ $(pwd) == $ROOTDIR ]; then
+ wget -qO /tmp/stackup-common.sh https://raw.githubusercontent.com/riipandi/stackup-shell/master/common.sh
+ source "/tmp/stackup-common.sh"
+else
+ source "$ROOTDIR/common.sh"
+fi
+
+#----------------------------------------------------------------------------------
+# StackUp Updater Script.
+#----------------------------------------------------------------------------------
+
+# Cleanup and display finish message
+#-----------------------------------------------------------------------------------------
+echo "$(tput setaf 1)"
+echo "***************************************************************"
+echo "***** Congratulation, StackUp hasbeed updated! *****"
+echo "***************************************************************"
+echo "$(tput sgr0)"
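Review bot: update.sh fetches `common.sh` from the `master` branch with `wget -qO /tmp/stackup-common.sh` and then sources it as root without checking that the download succeeded: the fixed name in world-writable /tmp can be pre-created or symlinked by any local user, and because wget runs quietly a failed download leaves whatever is already at that path to be executed with root privileges. Write to an unpredictable temporary file, abort when the download fails, and remove the file on exit; pinning the URL to a tagged release or commit instead of `master` (and verifying a checksum) would also make the code that runs reproducible. `if ! [ $(pwd) == $ROOTDIR ]` leaves both sides unquoted, so a path containing whitespace breaks the comparison; `[[ "$(pwd)" != "$ROOTDIR" ]]` is the safe form. `CLONE_DIR` is assigned but not used in this file (it may be consumed by the sourced script, which is not visible here), and the banner text `hasbeed` should read `has been`.
```shell
# … unchanged: root check, ROOTDIR, CLONE_DIR …
COMMON_URL="https://raw.githubusercontent.com/riipandi/stackup-shell/master/common.sh"  # prefer a tag or commit ref
if [[ "$(pwd)" != "$ROOTDIR" ]]; then
    common_tmp=$(mktemp) || { echo "mktemp failed" >&2; exit 1; }
    trap 'rm -f -- "$common_tmp"' EXIT
    wget -qO "$common_tmp" "$COMMON_URL" || { echo "failed to download common.sh" >&2; exit 1; }
    source "$common_tmp"
else
    source "$ROOTDIR/common.sh"
fi
# … unchanged: finish banner …
```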