  1. #!/bin/bash
  2. # automated EasyEngine server configuration script
  3. # currently in progress, not ready to be used in production yet
  4. CSI="\\033["
  5. CEND="${CSI}0m"
  6. CRED="${CSI}1;31m"
  7. CGREEN="${CSI}1;32m"
  8. ##################################
  9. # Variables
  10. ##################################
  11. EXTPLORER_VER="2.1.10"
  12. BASH_SNIPPETS_VER="1.22.0"
  13. REPO_PATH="/tmp/ubuntu-nginx-web-server"
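##################################
# Check if user is root
##################################
# Everything below installs packages and writes under /etc, so refuse to
# continue unless running as uid 0. Diagnostics go to stderr, not stdout.
if [ "$(id -u)" != "0" ]; then
  echo "Error: You must be root to run this script, please use the root user to install the software." >&2
  echo "" >&2
  echo "Use 'sudo su - root' to login as root" >&2
  exit 1
fi
clear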
  24. ##################################
  25. # Welcome
  26. ##################################
  27. echo ""
  28. echo "Welcome to ubuntu-nginx-web-server install script."
  29. echo ""
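##################################
# Menu
##################################
# Ask a yes/no question and store the answer ("y" or "n") in the variable
# named by $1 ($2 is the question text). Any other input re-prompts. If stdin
# is exhausted the script aborts: the original loops spun forever on EOF,
# because read never succeeded and the answer stayed empty.
ask_yn() {
  local var=$1 question=$2 answer=""
  echo ""
  echo "$question"
  while [[ "$answer" != "y" && "$answer" != "n" ]]; do
    if ! read -r -p "Select an option [y/n]: " answer; then
      echo "" >&2
      echo "Error: no answer received on stdin, aborting." >&2
      exit 1
    fi
  done
  printf -v "$var" '%s' "$answer"
}

ask_yn ufw "Do you want to install ufw (firewall) ? (y/n)"
ask_yn fail2ban "Do you want to install fail2ban ? (y/n)"
ask_yn mariadb_server "Do you want to install MariaDB-server 10.3 ? (y/n)"
# the client-only package is offered only when the server was declined
if [ "$mariadb_server" = "n" ]; then
  ask_yn mariadb_client "Do you want to install MariaDB-client ? (y/n)"
fi
ask_yn nginxee "Do you want to compile the last nginx-ee ? (y/n)"
ask_yn phpfpm71 "Do you want php7.1-fpm ? (y/n)"
ask_yn phpfpm72 "Do you want php7.2-fpm ? (y/n)"
ask_yn proftpd "Do you want proftpd ? (y/n)"
echo ""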
  77. ##################################
  78. # Update packages
  79. ##################################
  80. sudo apt-get update
  81. sudo apt-get upgrade -y && apt-get autoremove -y && apt-get clean
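##################################
# UFW
##################################
# Install ufw when missing and load the rule set used by the rest of the stack.
# Every rule goes through `command ufw` so the external binary is invoked:
# this function has the same name as the binary, and a bare `ufw ...` inside
# it calls the function again (unbounded recursion).
# NOTE(review): rules are added but the firewall is never enabled here
# (no `ufw enable`); that remains a manual step.
ufw() {
  if [ ! -d /etc/ufw ]; then
    apt-get install -y ufw
  fi
  command ufw logging low
  command ufw default allow outgoing
  command ufw default deny incoming
  # required: ssh, dns, http/https, ftp, dhcp client, dhcpv6 client, rsync,
  # ntp and the 22222 admin vhost
  command ufw allow 22
  command ufw allow 53
  command ufw allow http
  command ufw allow https
  command ufw allow 21
  command ufw allow 68
  command ufw allow 546
  command ufw allow 873
  command ufw allow 123
  command ufw allow 22222
  # optional for monitoring (snmp, check_mk agent, zabbix agent)
  command ufw allow 161
  command ufw allow 6556
  command ufw allow 10050
}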
##################################
# Useful packages
##################################
# Base tooling for the server; argument order of apt-get is kept as is.
useful() {
  local -a pkgs=(haveged curl git unzip zip fail2ban htop nload nmon ntp)
  apt-get install "${pkgs[@]}" -y
  # ntp time: start the daemon on boot
  systemctl enable ntp
}
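##################################
# clone repository
##################################
# Fetch a fresh copy of the configuration repository into $REPO_PATH.
# Exits the script when the clone fails: every later step copies files from it.
dl_repo() {
  cd /tmp || exit
  # ${REPO_PATH:?} aborts instead of running `rm -rf ""` on an empty variable
  rm -rf -- "${REPO_PATH:?REPO_PATH must be set}"
  if ! git clone https://github.com/VirtuBox/ubuntu-nginx-web-server.git "$REPO_PATH"; then
    echo "Error: unable to clone ubuntu-nginx-web-server into $REPO_PATH" >&2
    exit 1
  fi
}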
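##################################
# Sysctl tweaks + open_files limits
##################################
# Install the repository's sysctl.conf and limits.conf and apply them.
sysctl() {
  # htcp congestion control module (presumably referenced by the shipped
  # sysctl.conf — confirm against etc/sysctl.conf in the repository)
  modprobe tcp_htcp
  cp -f "$REPO_PATH/etc/sysctl.conf" /etc/sysctl.conf
  # `command` bypasses this function (same name as the binary); a bare
  # `sysctl -p` here would call the function again, forever
  command sysctl -p
  cp -f "$REPO_PATH/etc/security/limits.conf" /etc/security/limits.conf
  # Redis transparent_hugepage — only when the sysfs knob exists and is writable
  if [ -w /sys/kernel/mm/transparent_hugepage/enabled ]; then
    echo never >/sys/kernel/mm/transparent_hugepage/enabled
  fi
}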
##################################
# Add MariaDB 10.3 repository
##################################
# Register the upstream MariaDB apt repository and refresh the package index.
mariadb_repo() {
  local setup_url="https://downloads.mariadb.com/MariaDB/mariadb_repo_setup"
  # NOTE(review): the setup script is fetched and executed as root without a
  # checksum or signature check on the downloaded content.
  curl -sS "$setup_url" | sudo bash -s -- --mariadb-server-version=10.3 --skip-maxscale -y
  sudo apt-get update
}
##################################
# MariaDB 10.3 install
##################################
# Install the server package from the repository added by mariadb_repo().
mariadb_setup() {
  local pkg=mariadb-server
  sudo apt-get install -y "$pkg"
}
# Client-only install, used when the server was declined in the menu.
mariadb_client() {
  local pkg=mariadb-client
  sudo apt-get install -y "$pkg"
}
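##################################
# MariaDB tweaks
##################################
# Install the repository's my.cnf and systemd limits drop-in, recycling the
# InnoDB redo logs while the server is stopped.
mariadb_tweaks() {
  local unit_dir=/etc/systemd/system/mariadb.service.d
  local logfile
  cp -f "$REPO_PATH/etc/mysql/my.cnf" /etc/mysql/my.cnf
  service mysql stop
  # redo logs are moved aside (presumably so they are recreated with the size
  # set in the new my.cnf — confirm against etc/mysql/my.cnf); only touch
  # files that actually exist
  for logfile in /var/lib/mysql/ib_logfile0 /var/lib/mysql/ib_logfile1; do
    if [ -f "$logfile" ]; then
      mv "$logfile" "$logfile.bak"
    fi
  done
  # the drop-in directory is not created by the package; without it the cp fails
  mkdir -p "$unit_dir"
  cp -f "$REPO_PATH/etc/systemd/system/mariadb.service.d/limits.conf" "$unit_dir/limits.conf"
  systemctl daemon-reload
  service mysql start
}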
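##################################
# EasyEngine automated install
##################################
# Write a minimal git identity for the current user, then download and run
# the EasyEngine installer and load its shell completion.
ee_install() {
  local ee_script
  printf '[user]\n\tname = %s\n\temail = %s@%s\n' "$USER" "$USER" "$HOSTNAME" >"$HOME/.gitconfig"
  # NOTE(review): the installer is fetched through a URL shortener with no
  # scheme (wget falls back to plain http) and executed as root without any
  # integrity check; pin the upstream URL and verify it before trusting this.
  ee_script=$(mktemp) || return 1
  if wget -qO "$ee_script" rt.cx/ee; then
    bash "$ee_script"
  else
    echo "Error: unable to download the EasyEngine installer" >&2
  fi
  rm -f -- "$ee_script"
  # completion file presumably dropped by the installer; guard so a failed
  # install does not produce a second error here
  if [ -f /etc/bash_completion.d/ee_auto.rc ]; then
    # shellcheck disable=SC1091
    source /etc/bash_completion.d/ee_auto.rc
  fi
}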
##################################
# EasyEngine stacks install
##################################
# Base stack first, then the php7/redis/admin add-ons.
ee_setup() {
  local -a extra_stack=(--php7 --redis --admin --phpredisadmin)
  ee stack install
  ee stack install "${extra_stack[@]}"
}
##################################
# Fix phpmyadmin install
##################################
# Install Composer globally and refresh phpMyAdmin's dependencies as www-data.
ee_fix() {
  local pma_dir=/var/www/22222/htdocs/db/pma/
  cd ~/ || exit
  # NOTE(review): the Composer installer is piped straight into php; the
  # SHA-384 that upstream publishes for composer-setup.php is not checked here.
  curl -sS https://getcomposer.org/installer | php
  mv composer.phar /usr/bin/composer
  chown www-data:www-data /var/www
  # run as the web user so vendor/ is not left root-owned
  sudo -u www-data -H composer update -d "$pma_dir"
}
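##################################
# Allow www-data shell access for SFTP + add .bashrc settings and completion
##################################
# Give www-data a login shell and install the repository's .profile/.bashrc
# plus wp-cli completion.
web_user() {
  local www_src="$REPO_PATH/files/var/www"
  usermod -s /bin/bash www-data
  wget -O /etc/bash_completion.d/wp-completion.bash https://raw.githubusercontent.com/wp-cli/wp-cli/master/utils/wp-completion.bash
  # repository copies go INTO /var/www (the original had source and destination
  # swapped and overwrote the repository files with the live ones)
  cp -f "$www_src/.profile" /var/www/.profile
  cp -f "$www_src/.bashrc" /var/www/.bashrc
  chown www-data:www-data /var/www/.profile
  chown www-data:www-data /var/www/.bashrc
  # NOTE(review): nanorc installer fetched from the network and piped to sh
  # as www-data without verification
  sudo -u www-data -H wget https://raw.githubusercontent.com/scopatz/nanorc/files/install.sh -O- | sh
}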
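##################################
# Install php7.1-fpm
##################################
# Install the php7.1 packages and the repository's pool/php.ini files.
php71() {
  local -a pkgs=(
    php7.1-fpm php7.1-cli php7.1-zip php7.1-opcache php7.1-mysql php7.1-mcrypt
    php7.1-mbstring php7.1-json php7.1-intl php7.1-gd php7.1-curl php7.1-bz2
    php7.1-xml php7.1-tidy php7.1-soap php7.1-bcmath php7.1-xsl
  )
  local php_src="$REPO_PATH/etc/php/7.1"
  # -y ahead of the package list (the original buried it between two packages)
  apt-get install -y "${pkgs[@]}"
  cp -f "$php_src/fpm/pool.d/www.conf" /etc/php/7.1/fpm/pool.d/www.conf
  cp -f "$php_src/fpm/php.ini" /etc/php/7.1/fpm/php.ini
  cp -f "$php_src/cli/php.ini" /etc/php/7.1/cli/php.ini
  service php7.1-fpm restart
}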
##################################
# Install php7.2-fpm
##################################
# Install the php7.2 packages and the repository's pool/php.ini files.
php72() {
  local -a pkgs=(
    php7.2-fpm php7.2-xml php7.2-bz2 php7.2-zip php7.2-mysql
    php7.2-intl php7.2-gd php7.2-curl php7.2-soap php7.2-mbstring
  )
  local php_src="$REPO_PATH/etc/php/7.2"
  sudo apt-get install "${pkgs[@]}" -y
  cp -f "$php_src/fpm/pool.d/www.conf" /etc/php/7.2/fpm/pool.d/www.conf
  cp -f "$php_src/cli/php.ini" /etc/php/7.2/cli/php.ini
  service php7.2-fpm restart
}
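##################################
# Update php7.0-fpm config
##################################
# Replace the php7.0 cli/fpm php.ini with the repository's versions, but only
# when php7.0 is installed. The original tested `! -d`, i.e. it copied into
# /etc/php/7.0 exactly when that directory did not exist (and the cp failed).
php7_conf() {
  local php_src="$REPO_PATH/etc/php/7.0"
  if [ -d /etc/php/7.0 ]; then
    cp -f "$php_src/cli/php.ini" /etc/php/7.0/cli/php.ini
    cp -f "$php_src/fpm/php.ini" /etc/php/7.0/fpm/php.ini
  fi
}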
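##################################
# Compile latest nginx release from source
##################################
# Download the nginx-ee build script and run it from a scratch directory, so
# nothing is left in (and the caller's cwd is not changed by) this step.
nginx_ee() {
  local build_dir
  build_dir=$(mktemp -d) || return 1
  # NOTE(review): the build script is fetched from the master branch and run
  # as root without any integrity verification.
  (
    cd "$build_dir" || exit 1
    wget https://raw.githubusercontent.com/VirtuBox/nginx-ee/master/nginx-build.sh || exit 1
    chmod +x nginx-build.sh
    ./nginx-build.sh
  )
  rm -rf -- "$build_dir"
}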
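##################################
# Add nginx additional conf
##################################
# Install the repository's nginx files. The vhost/upstream files are only
# installed when the live copy does not already carry the marker string —
# or does not exist at all (grep -s stays silent on a missing file; the
# original grep -c produced "" there and skipped the copy). nginx is reloaded
# only when the merged configuration validates.
nginx_conf() {
  local nginx_src="$REPO_PATH/etc/nginx"
  # php7.1 & 7.2 common configurations
  mkdir -p /etc/nginx/common
  cp -rf "$nginx_src"/common/* /etc/nginx/common/
  # optimized nginx.conf
  cp -f "$nginx_src/nginx.conf" /etc/nginx/nginx.conf
  # add nginx reverse-proxy for netdata on https://yourserver.hostname:22222/netdata/
  if ! grep -qs netdata /etc/nginx/sites-available/22222; then
    cp -f "$nginx_src/sites-available/22222" /etc/nginx/sites-available/22222
  fi
  # add netdata, php7.1 and php7.2 upstream
  if ! grep -qs netdata /etc/nginx/conf.d/upstream.conf; then
    cp -f "$nginx_src/conf.d/upstream.conf" /etc/nginx/conf.d/upstream.conf
  fi
  # additional nginx locations for monitoring
  if ! grep -qs status /etc/nginx/sites-available/default; then
    cp -f "$nginx_src/sites-available/default" /etc/nginx/sites-available/default
  fi
  # 1) add webp mapping
  cp -f "$nginx_src/conf.d/webp.conf" /etc/nginx/conf.d/webp.conf
  # check nginx configuration before reloading
  if nginx -t; then
    service nginx reload
  else
    echo "Error: nginx configuration test failed, nginx was not reloaded" >&2
    return 1
  fi
}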
##################################
# Add fail2ban configurations
##################################
# Copy the repository's filters and jails into /etc/fail2ban and reload.
f2b() {
  local f2b_src="$REPO_PATH/etc/fail2ban"
  local rel
  for rel in filter.d/ddos.conf filter.d/ee-wordpress.conf jail.d/custom.conf jail.d/ddos.conf; do
    cp -f "$f2b_src/$rel" "/etc/fail2ban/$rel"
  done
  sudo fail2ban-client reload
}
  277. ##################################
  278. # Install cheat & nanorc
  279. ##################################
  280. bashrc_extra() {
  281. git clone https://github.com/alexanderepstein/Bash-Snippets .Bash-Snippets
  282. cd .Bash-Snippets || exit
  283. git checkout v$BASH_SNIPPETS_VER
  284. ./install.sh cheat
  285. wget https://raw.githubusercontent.com/scopatz/nanorc/files/install.sh -O- | sh
  286. }
##################################
# Install ucaresystem
##################################
# Add the utappia PPA and install ucaresystem-core from it.
ucaresystem() {
  local ppa=ppa:utappia/stable
  sudo add-apt-repository "$ppa" -y
  sudo apt-get update
  sudo apt-get install ucaresystem-core -y
}
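##################################
# Install ProFTPd
##################################
# Install proftpd, harden its config (chroot users to $HOME, require a valid
# shell) and set the passive port range; opens that range in ufw when the
# firewall was selected.
proftpd_setup() {
  local conf=/etc/proftpd/proftpd.conf
  apt-get install -y proftpd
  # secure proftpd and enable PassivePorts
  sed -i 's/# DefaultRoot/DefaultRoot/' "$conf"
  sed -i 's/# RequireValidShell/RequireValidShell/' "$conf"
  sed -i 's/# PassivePorts 49152 65534/PassivePorts 49000 50000/' "$conf"
  service proftpd restart
  if [ "$ufw" = "y" ]; then
    # ftp passive ports; `command` reaches the ufw binary instead of the
    # ufw() function defined in this script (which ignores its arguments)
    command ufw allow 49000:50000/tcp
  fi
}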
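##################################
# Install Netdata
##################################
# Install netdata via its kickstart script (skipped when /etc/netdata already
# exists), enable kernel samepage merging and silence e-mail alerts.
netdata() {
  if [ -d /etc/netdata ]; then
    return 0
  fi
  ## install dependencies
  local -a deps=(
    autoconf autoconf-archive autogen automake gcc libmnl-dev lm-sensors make
    nodejs pkg-config python python-mysqldb python-psycopg2 python-pymongo
    python-yaml uuid-dev zlib1g-dev
  )
  apt-get install -y "${deps[@]}"
  ## install netdata
  # NOTE(review): the kickstart script is fetched and executed as root without
  # any integrity verification.
  bash <(curl -Ss https://my-netdata.io/kickstart.sh) all --dont-wait
  ## optimize netdata resources usage (KSM) — only when the sysfs knobs exist
  ## and are writable
  if [ -w /sys/kernel/mm/ksm/run ]; then
    echo 1 >/sys/kernel/mm/ksm/run
  fi
  if [ -w /sys/kernel/mm/ksm/sleep_millisecs ]; then
    echo 1000 >/sys/kernel/mm/ksm/sleep_millisecs
  fi
  ## disable email notifications
  sed -i 's/SEND_EMAIL="YES"/SEND_EMAIL="NO"/' /etc/netdata/health_alarm_notify.conf
  service netdata restart
}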
  327. ##################################
  328. # Install eXtplorer
  329. ##################################
  330. extplorer() {
  331. if [ ! -d /var/www/22222/htdocs/files ]; then
  332. mkdir /var/www/22222/htdocs/files
  333. wget http://extplorer.net/attachments/download/74/eXtplorer_$EXTPLORER_VER.zip -O /var/www/22222/htdocs/files/ex.zip
  334. cd /var/www/22222/htdocs/files && unzip ex.zip && rm ex.zip
  335. fi
  336. }
  337. ##################################
  338. # Install EasyEngine Dashboard
  339. ##################################
  340. ee_dashboard() {
  341. cd /var/www/22222 || exit
  342. ## download latest version of EasyEngine-dashboard
  343. cd /tmp || exit
  344. git clone https://github.com/VirtuBox/easyengine-dashboard.git
  345. sudo cp -rf /tmp/easyengine-dashboard/* /var/www/22222/htdocs/
  346. sudo chown -R www-data:www-data /var/www/22222/htdocs
  347. }
##################################
# Install Acme.sh
##################################
# Install acme.sh into $HOME/.acme.sh unless it is already there.
acme_sh() {
  local acme_bin="$HOME/.acme.sh/acme.sh"
  printf '\n%s\n\n' "checking if acme.sh is already installed"
  if [[ ! -f "$acme_bin" ]]; then
    printf '\n%s\n\n' "installing acme.sh"
    # NOTE(review): installer downloaded and piped to sh without verification
    wget -O - https://get.acme.sh | sh
    # re-read .bashrc (presumably to pick up what the installer added — confirm)
    # shellcheck disable=SC1090
    source "$HOME/.bashrc"
  fi
}
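##################################
# Secure EasyEngine Dashboard with Acme.sh
##################################
# Issue an ECC certificate for the host's FQDN with acme.sh (standalone
# mode, nginx stopped during validation) and point the 22222 admin vhost at
# it. Only runs when the FQDN's A record matches the public IPv4 seen from
# outside; both lookups must return a value — the original compared two
# possibly-empty strings, so an offline host (or a missing dig) made the
# check pass and the certificate request went ahead with an empty domain.
ee-acme-22222() {
  local my_hostname my_ip my_hostname_ip live_dir
  my_hostname=$(hostname -f)
  my_ip=$(curl -s v4.vtbox.net)
  if ! command -v dig >/dev/null 2>&1; then
    echo "Error: dig is not installed, cannot verify DNS for $my_hostname" >&2
    return 1
  fi
  my_hostname_ip=$(dig +short @8.8.8.8 "$my_hostname")
  if [ -z "$my_hostname" ] || [ -z "$my_ip" ] || [ "$my_ip" != "$my_hostname_ip" ]; then
    echo "Skipping certificate for 22222: $my_hostname does not resolve to this server's public IP" >&2
    return 0
  fi
  if [ ! -f /etc/systemd/system/multi-user.target.wants/nginx.service ]; then
    systemctl enable nginx.service
  fi
  if [ ! -d "$HOME/.acme.sh/${my_hostname}_ecc" ]; then
    "$HOME/.acme.sh/acme.sh" --issue -d "$my_hostname" --keylength ec-384 --standalone \
      --pre-hook "service nginx stop" --post-hook "service nginx start"
  fi
  # start from an empty live directory; ${live_dir:?} keeps the rm -rf from
  # ever expanding to /etc/letsencrypt/live//*
  live_dir="/etc/letsencrypt/live/${my_hostname:?}"
  if [ -d "$live_dir" ]; then
    rm -rf -- "${live_dir:?}"/*
  else
    mkdir -p "$live_dir"
  fi
  # install the cert and reload nginx
  "$HOME/.acme.sh/acme.sh" --install-cert -d "$my_hostname" --ecc \
    --cert-file "$live_dir/cert.pem" \
    --key-file "$live_dir/key.pem" \
    --fullchain-file "$live_dir/fullchain.pem" \
    --reloadcmd "systemctl reload nginx.service"
  if [ -f "$live_dir/fullchain.pem" ] && [ -f "$live_dir/key.pem" ]; then
    # point the admin vhost at the issued certificate ('|' as sed delimiter
    # since the paths contain '/')
    sed -i "s|ssl_certificate /var/www/22222/cert/22222.crt;|ssl_certificate $live_dir/fullchain.pem;|" /etc/nginx/sites-available/22222
    sed -i "s|ssl_certificate_key /var/www/22222/cert/22222.key;|ssl_certificate_key $live_dir/key.pem;|" /etc/nginx/sites-available/22222
  fi
  service nginx reload
}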
##################################
# Functions
##################################
# Run the steps in order, honouring the menu answers.
useful
dl_repo
sysctl
[[ "$ufw" == "y" ]] && ufw
mariadb_repo
if [[ "$mariadb_server" == "y" ]]; then
  mariadb_setup
  mariadb_tweaks
fi
[[ "$mariadb_client" == "y" ]] && mariadb_client
ee_install
ee_setup
ee_fix
web_user
php7_conf
[[ "$phpfpm71" == "y" ]] && php71
[[ "$phpfpm72" == "y" ]] && php72
if [[ "$nginxee" == "y" ]]; then
  nginx_ee
  nginx_conf
fi
[[ "$fail2ban" == "y" ]] && f2b
[[ "$proftpd" == "y" ]] && proftpd_setup
bashrc_extra
#ucaresystem
netdata
extplorer
ee_dashboard
acme_sh
ee-acme-22222