initial commit

README.md

@@ -0,0 +1,15 @@
+# Web Server Setup Scripts
+
+This repository contains scripts for setting up a very basic web server and adding new sites. It is not perfect, but it will get you off the ground quickly.
+
+This script will install PHP and nginx, and create a 
+
+## One-liner
+
+The following command will install these tools.
+
+It is adviseable to review the contents of `quickstart.sh` before running it, as it's generally a good security practice to understand what a script does before executing it, especially with elevated privileges.
+
+```bash
+curl -sSL https://raw.githubusercontent.com/joby-lol/webserver-setup/main/quickstart.sh | bash
+```

add-site.sh

@@ -0,0 +1,136 @@
+#!/bin/bash
+
+# Prompt for user input
+read -p "Enter the desired username: " username
+read -sp "Enter the password for $username: " password
+echo
+read -p "Enter the domain name (e.g., example.com): " domain
+read -sp "Enter your Cloudflare API key: " cf_api_key
+echo
+
+# Create the user and add to www-data group
+sudo useradd -m -s /bin/bash -G www-data $username
+echo "$username:$password" | sudo chpasswd
+
+# Set up directory structure
+main_web_root="/var/www/$domain"
+sudo mkdir -p $main_web_root/{_main/www,subdomains,logs}
+
+# Set ownership and permissions for the main site directory
+sudo chown -R $username:www-data $main_web_root
+sudo find $main_web_root -type d -exec chmod 2750 {} +
+sudo find $main_web_root -type f -exec chmod 640 {} +
+
+# Set ownership and permissions for the logs directory
+sudo chown root:www-data $main_web_root/logs
+sudo chmod 755 $main_web_root/logs
+
+# Ensure new log files get correct permissions
+sudo bash -c "echo '
+# Set proper permissions for new log files
+umask 022
+' >> /etc/nginx/nginx.conf"
+
+# Create Cloudflare credentials file
+cf_credentials="/root/.cloudflare/$domain.ini"
+sudo mkdir -p /root/.cloudflare
+sudo bash -c "cat > $cf_credentials << EOL
+dns_cloudflare_api_token = $cf_api_key
+EOL"
+sudo chmod 600 $cf_credentials
+
+# Request wildcard certificate using Cloudflare DNS challenge
+sudo certbot certonly --dns-cloudflare \
+    --dns-cloudflare-credentials $cf_credentials \
+    -d $domain -d *.$domain \
+    --non-interactive
+
+# Create Nginx configuration
+nginx_config="/etc/nginx/sites-available/$domain"
+sudo bash -c "cat > $nginx_config << EOL
+server {
+    listen 80;
+    listen [::]:80;
+    server_name .$domain;
+    return 301 https://\$host\$request_uri;
+}
+
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+    server_name .$domain;
+
+    ssl_certificate /etc/letsencrypt/live/$domain/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/$domain/privkey.pem;
+
+    # Determine the subdomain and set the root accordingly
+    set \$subdomain '';
+    if (\$host ~* ^([^.]+)\.$domain$) {
+        set \$subdomain \$1;
+    }
+
+    # Default root for subdomains
+    root $main_web_root/subdomains/\$subdomain/www;
+
+    # For the main domain, use the _main/www directory
+    if (\$host = $domain) {
+        root $main_web_root/_main/www;
+        access_log $main_web_root/logs/main_access.log;
+        error_log $main_web_root/logs/main_error.log;
+    }
+
+    # For subdomains, use separate log files
+    if (\$subdomain != '') {
+        access_log $main_web_root/logs/\${subdomain}_access.log;
+        error_log $main_web_root/logs/\${subdomain}_error.log;
+    }
+
+    index index.html index.htm index.php;
+
+    location / {
+        try_files \$uri \$uri/ @router;
+    }
+
+    location @router {
+        if (!-f \$document_root/router.php) {
+            return 404;
+        }
+        fastcgi_pass unix:/var/run/php/php-fpm.sock;
+        include fastcgi_params;
+        fastcgi_param SCRIPT_FILENAME \$document_root/router.php;
+    }
+
+    location ~ \.php$ {
+        try_files \$uri =404;
+        fastcgi_split_path_info ^(.+\.php)(/.+)$;
+        fastcgi_pass unix:/var/run/php/php-fpm.sock;
+        fastcgi_index index.php;
+        include fastcgi_params;
+    }
+
+    location ~ /\.ht {
+        deny all;
+    }
+}
+EOL"
+
+# Enable the site
+sudo ln -s $nginx_config /etc/nginx/sites-enabled/
+
+# Test Nginx configuration
+sudo nginx -t
+
+# If the test is successful, reload Nginx
+if [ $? -eq 0 ]; then
+    sudo systemctl reload nginx
+    echo "Nginx configuration has been updated and reloaded."
+else
+    echo "Nginx configuration test failed. Please check the configuration."
+fi
+
+echo "Setup complete for $domain"
+echo "Main website files should be placed in: $main_web_root/_main/www"
+echo "Subdomain files should be placed in: $main_web_root/subdomains/[subdomain]/www"
+echo "Logs will be stored in: $main_web_root/logs"
+echo "Cloudflare credentials for this domain are stored in: $cf_credentials"
+echo "Remember to log out and log back in for group changes to take effect."

install-server.sh

@@ -0,0 +1,69 @@
+#!/bin/bash
+
+# Core Setup Script for Web Server
+
+# Update and upgrade packages
+sudo apt update
+sudo apt upgrade -y
+
+# Install Nginx and UFW
+sudo apt install nginx ufw -y
+
+# Install PHP and necessary modules
+sudo apt install php-fpm php-curl php-gd php-mbstring php-xml php-zip php-pdo php-sqlite3 -y
+
+# Start and enable PHP-FPM service
+sudo systemctl start php-fpm
+sudo systemctl enable php-fpm
+
+# Ensure Nginx is started and enabled
+sudo systemctl start nginx
+sudo systemctl enable nginx
+
+# UFW Setup
+sudo ufw default deny incoming
+sudo ufw default allow outgoing
+sudo ufw allow ssh
+sudo ufw allow 'Nginx Full'
+sudo ufw --force enable
+
+# Swap Setup
+sudo fallocate -l 2G /swapfile
+sudo chmod 600 /swapfile
+sudo mkswap /swapfile
+sudo swapon /swapfile
+
+# Make swap permanent
+echo '/swapfile none swap sw 0 0' | sudo tee -a /etc/fstab
+
+# Adjust swappiness
+echo 'vm.swappiness=10' | sudo tee -a /etc/sysctl.conf
+sudo sysctl -p
+
+# Install Certbot and Cloudflare plugin
+sudo apt install certbot python3-certbot-dns-cloudflare -y
+
+# Prompt user for email address
+read -p "Enter your email address for Certbot registration: " email_address
+
+# Register with Certbot
+sudo certbot register --email "$email_address" --agree-tos --no-eff-email
+
+# Create post-renewal hook for Nginx reload
+sudo mkdir -p /etc/letsencrypt/renewal-hooks/deploy
+sudo bash -c "cat > /etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh << EOL
+#!/bin/bash
+systemctl reload nginx
+EOL"
+sudo chmod +x /etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh
+
+# Verify auto-renewal configuration
+echo "Verifying Certbot auto-renewal configuration..."
+sudo certbot renew --dry-run
+
+echo "Core setup completed successfully!"
+echo "Certbot has been registered with the provided email address"
+echo "A post-renewal hook has been added to reload Nginx after certificate renewal"
+echo "Auto-renewal has been verified. If you saw no errors, it's correctly set up."
+echo "UFW has been configured and enabled"
+echo "A 2GB swap file has been set up and configured"

quickstart.sh

@@ -0,0 +1,24 @@
+#!/bin/bash
+
+# Exit immediately if a command exits with a non-zero status.
+set -e
+
+# Update package list
+sudo apt update
+
+# Install curl and git
+sudo apt install -y curl git
+
+# Clone the repository
+git clone https://github.com/joby-lol/webserver-config.git
+
+# Change to the repository directory
+cd webserver-config
+
+# Make install-server.sh executable
+chmod +x install-server.sh
+
+# Execute install-server.sh
+sudo ./install-server.sh
+
+echo "Server setup complete. Use 'sudo bash add_site.sh' to add new sites."