From aa7cd9af662dac165bf7a1329e2ae4fb77487775 Mon Sep 17 00:00:00 2001
From: Joby Elliott
Date: Mon, 14 Oct 2024 15:56:48 -0600
Subject: [PATCH] initial commit
---
 README.md | 15 +++++
 add-site.sh | 136 ++++++++++++++++++++++++++++++++++++++++++++++
 install-server.sh | 69 +++++++++++++++++++++++
 quickstart.sh | 24 ++++++++
 4 files changed, 244 insertions(+)
 create mode 100644 README.md
 create mode 100644 add-site.sh
 create mode 100644 install-server.sh
 create mode 100644 quickstart.sh
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..34f315e
--- /dev/null
+++ b/README.md
@@ -0,0 +1,15 @@
+# Web Server Setup Scripts
+
+This repository contains scripts for setting up a very basic web server and adding new sites. It is not perfect, but it will get you off the ground quickly.
+
+This script will install PHP and nginx, and create a
+
+## One-liner
+
+The following command will install these tools.
+
+It is adviseable to review the contents of `quickstart.sh` before running it, as it's generally a good security practice to understand what a script does before executing it, especially with elevated privileges.
+
+```bash
+curl -sSL https://raw.githubusercontent.com/joby-lol/webserver-setup/main/quickstart.sh | bash
+```
diff --git a/add-site.sh b/add-site.sh
new file mode 100644
index 0000000..5113ef9
--- /dev/null
+++ b/add-site.sh
@@ -0,0 +1,136 @@
+#!/bin/bash
+
+# Prompt for user input
+read -p "Enter the desired username: " username
+read -sp "Enter the password for $username: " password
+echo
+read -p "Enter the domain name (e.g., example.com): " domain
+read -sp "Enter your Cloudflare API key: " cf_api_key
+echo
+
+# Create the user and add to www-data group
+sudo useradd -m -s /bin/bash -G www-data $username
+echo "$username:$password" | sudo chpasswd
+
+# Set up directory structure
+main_web_root="/var/www/$domain"
+sudo mkdir -p $main_web_root/{_main/www,subdomains,logs}
+
+# Set ownership and permissions for the main site directory
+sudo chown -R $username:www-data $main_web_root
+sudo find $main_web_root -type d -exec chmod 2750 {} +
+sudo find $main_web_root -type f -exec chmod 640 {} +
+
+# Set ownership and permissions for the logs directory
+sudo chown root:www-data $main_web_root/logs
+sudo chmod 755 $main_web_root/logs
+
+# Ensure new log files get correct permissions
+sudo bash -c "echo '
+# Set proper permissions for new log files
+umask 022
+' >> /etc/nginx/nginx.conf"
+
+# Create Cloudflare credentials file
+cf_credentials="/root/.cloudflare/$domain.ini"
+sudo mkdir -p /root/.cloudflare
+sudo bash -c "cat > $cf_credentials << EOL
+dns_cloudflare_api_token = $cf_api_key
+EOL"
+sudo chmod 600 $cf_credentials
+
+# Request wildcard certificate using Cloudflare DNS challenge
+sudo certbot certonly --dns-cloudflare \
+    --dns-cloudflare-credentials $cf_credentials \
+    -d $domain -d *.$domain \
+    --non-interactive
+
+# Create Nginx configuration
+nginx_config="/etc/nginx/sites-available/$domain"
+sudo bash -c "cat > $nginx_config << EOL
+server {
+    listen 80;
+    listen [::]:80;
+    server_name .$domain;
+    return 301 https://\$host\$request_uri;
+}
+
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+    server_name .$domain;
+
+    ssl_certificate /etc/letsencrypt/live/$domain/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/$domain/privkey.pem;
+
+    # Determine the 
subdomain and set the root accordingly
+    set \$subdomain '';
+    if (\$host ~* ^([^.]+)\.$domain$) {
+        set \$subdomain \$1;
+    }
+
+    # Default root for subdomains
+    root $main_web_root/subdomains/\$subdomain/www;
+
+    # For the main domain, use the _main/www directory
+    if (\$host = $domain) {
+        root $main_web_root/_main/www;
+        access_log $main_web_root/logs/main_access.log;
+        error_log $main_web_root/logs/main_error.log;
+    }
+
+    # For subdomains, use separate log files
+    if (\$subdomain != '') {
+        access_log $main_web_root/logs/\${subdomain}_access.log;
+        error_log $main_web_root/logs/\${subdomain}_error.log;
+    }
+
+    index index.html index.htm index.php;
+
+    location / {
+        try_files \$uri \$uri/ @router;
+    }
+
+    location @router {
+        if (!-f \$document_root/router.php) {
+            return 404;
+        }
+        fastcgi_pass unix:/var/run/php/php-fpm.sock;
+        include fastcgi_params;
+        fastcgi_param SCRIPT_FILENAME \$document_root/router.php;
+    }
+
+    location ~ \.php$ {
+        try_files \$uri =404;
+        fastcgi_split_path_info ^(.+\.php)(/.+)$;
+        fastcgi_pass unix:/var/run/php/php-fpm.sock;
+        fastcgi_index index.php;
+        include fastcgi_params;
+    }
+
+    location ~ /\.ht {
+        deny all;
+    }
+}
+EOL"
+
+# Enable the site
+sudo ln -s $nginx_config /etc/nginx/sites-enabled/
+
+# Test Nginx configuration
+sudo nginx -t
+
+# If the test is successful, reload Nginx
+if [ $? -eq 0 ]; then
+    sudo systemctl reload nginx
+    echo "Nginx configuration has been updated and reloaded."
+else
+    echo "Nginx configuration test failed. Please check the configuration."
+fi
+
+echo "Setup complete for $domain"
+echo "Main website files should be placed in: $main_web_root/_main/www"
+echo "Subdomain files should be placed in: $main_web_root/subdomains/[subdomain]/www"
+echo "Logs will be stored in: $main_web_root/logs"
+echo "Cloudflare credentials for this domain are stored in: $cf_credentials"
+echo "Remember to log out and log back in for group changes to take effect."
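Review bot: The Cloudflare API token read into `cf_api_key` is expanded into the command string of `sudo bash -c "cat > $cf_credentials << EOL ... EOL"`, so the secret travels as a process argument: any local user can read it from `ps`/`/proc/*/cmdline` while the command runs, and sudo's default command logging records the full argument string in the system log. Write the file without the token in argv, e.g. `sudo install -m 600 /dev/null "$cf_credentials"` followed by `printf 'dns_cloudflare_api_token = %s\n' "$cf_api_key" | sudo tee "$cf_credentials" >/dev/null`, which also removes the window in which the file exists with the default umask before the later `chmod 600`. The append to `/etc/nginx/nginx.conf` writes a literal `umask 022` line, which as far as I know nginx does not accept as a directive, so the subsequent `sudo nginx -t` would fail and the site would never be reloaded; the same is likely true of `root`/`access_log`/`error_log` placed inside the server-level `if (\$host = $domain)` block, which the nginx directive contexts only allow inside `if` within a `location`. The interactive inputs are used unquoted throughout (`$username`, `$domain`, `$main_web_root`, `$cf_credentials`, and `-d *.$domain`, which the shell will glob against the working directory), so a value containing spaces or glob characters changes the commands executed under sudo; quote every expansion and validate `$domain` against a hostname pattern before it is interpolated into the nginx config and the regex `^([^.]+)\.$domain$`, where its dots are also unescaped.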
diff --git a/install-server.sh b/install-server.sh
new file mode 100644
index 0000000..4e0f93e
--- /dev/null
+++ b/install-server.sh
@@ -0,0 +1,69 @@
+#!/bin/bash
+
+# Core Setup Script for Web Server
+
+# Update and upgrade packages
+sudo apt update
+sudo apt upgrade -y
+
+# Install Nginx and UFW
+sudo apt install nginx ufw -y
+
+# Install PHP and necessary modules
+sudo apt install php-fpm php-curl php-gd php-mbstring php-xml php-zip php-pdo php-sqlite3 -y
+
+# Start and enable PHP-FPM service
+sudo systemctl start php-fpm
+sudo systemctl enable php-fpm
+
+# Ensure Nginx is started and enabled
+sudo systemctl start nginx
+sudo systemctl enable nginx
+
+# UFW Setup
+sudo ufw default deny incoming
+sudo ufw default allow outgoing
+sudo ufw allow ssh
+sudo ufw allow 'Nginx Full'
+sudo ufw --force enable
+
+# Swap Setup
+sudo fallocate -l 2G /swapfile
+sudo chmod 600 /swapfile
+sudo mkswap /swapfile
+sudo swapon /swapfile
+
+# Make swap permanent
+echo '/swapfile none swap sw 0 0' | sudo tee -a /etc/fstab
+
+# Adjust swappiness
+echo 'vm.swappiness=10' | sudo tee -a /etc/sysctl.conf
+sudo sysctl -p
+
+# Install Certbot and Cloudflare plugin
+sudo apt install certbot python3-certbot-dns-cloudflare -y
+
+# Prompt user for email address
+read -p "Enter your email address for Certbot registration: " email_address
+
+# Register with Certbot
+sudo certbot register --email "$email_address" --agree-tos --no-eff-email
+
+# Create post-renewal hook for Nginx reload
+sudo mkdir -p /etc/letsencrypt/renewal-hooks/deploy
+sudo bash -c "cat > /etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh << EOL
+#!/bin/bash
+systemctl reload nginx
+EOL"
+sudo chmod +x /etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh
+
+# Verify auto-renewal configuration
+echo "Verifying Certbot auto-renewal configuration..."
+sudo certbot renew --dry-run
+
+echo "Core setup completed successfully!"
+echo "Certbot has been registered with the provided email address"
+echo "A post-renewal hook has been added to reload Nginx after certificate renewal"
+echo "Auto-renewal has been verified. If you saw no errors, it's correctly set up."
+echo "UFW has been configured and enabled"
+echo "A 2GB swap file has been set up and configured"
diff --git a/quickstart.sh b/quickstart.sh
new file mode 100644
index 0000000..d0cd75a
--- /dev/null
+++ b/quickstart.sh
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+# Exit immediately if a command exits with a non-zero status.
+set -e
+
+# Update package list
+sudo apt update
+
+# Install curl and git
+sudo apt install -y curl git
+
+# Clone the repository
+git clone https://github.com/joby-lol/webserver-config.git
+
+# Change to the repository directory
+cd webserver-config
+
+# Make install-server.sh executable
+chmod +x install-server.sh
+
+# Execute install-server.sh
+sudo ./install-server.sh
+
+echo "Server setup complete. Use 'sudo bash add_site.sh' to add new sites."
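Review bot: install-server.sh has no `set -e` and checks no exit status, so a failed `apt install`, `certbot register` or `swapon` does not stop it and the closing `echo "Core setup completed successfully!"` is printed regardless of what actually happened; the `set -e` in quickstart.sh only governs the outer call, not the steps inside this file. Add `set -euo pipefail` after the shebang and fail explicitly on the steps the rest of the setup depends on, e.g. `sudo certbot register --email "$email_address" --agree-tos --no-eff-email || exit 1`. The `systemctl start php-fpm` / `systemctl enable php-fpm` lines probably address a unit that does not exist on Debian/Ubuntu, where the unit and its socket are versioned (`php<ver>-fpm`, a placeholder for the installed release), which would also leave the `/var/run/php/php-fpm.sock` path used by add-site.sh absent — worth verifying on the target release. The `tee -a` appends to `/etc/fstab` and `/etc/sysctl.conf` and the `fallocate -l 2G /swapfile` are not idempotent, so a re-run after a partial failure duplicates the entries and re-creates the swap file; guard them with `grep -q` checks or write the sysctl setting to a drop-in under `/etc/sysctl.d/`.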
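Review bot: `git clone https://github.com/joby-lol/webserver-config.git` fetches whatever the default branch head is at the moment of the run, and `sudo ./install-server.sh` then executes it as root, so every machine that runs the one-liner trusts the current state of that branch; pin the clone to a tag or commit (`git clone --branch <tag> --depth 1 …`, or `git -C webserver-config checkout <commit>` after cloning) and state the expected revision in the README. The repository name also disagrees with the README added in this commit, whose one-liner fetches from `joby-lol/webserver-setup`, and the final message refers to `add_site.sh` while the file this commit adds is `add-site.sh`; one of each pair must be wrong. A pre-existing `webserver-config` directory makes `git clone` fail and `set -e` aborts the script with only git's message, so `[ -d webserver-config ] || git clone …` (or a fresh `mktemp -d` working directory) would make re-runs predictable.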