From ccaeb8335e512039672a8d5659ba90eb5988575e Mon Sep 17 00:00:00 2001
From: Joby Elliott <code@byjoby.com>
Date: Fri, 25 Oct 2024 15:27:23 -0600
Subject: [PATCH] allow per-site custom nginx config, improving permissions

---
 add-site.sh                   | 11 ++++++++---
 install/000-update-install.sh |  3 +++
 site-config.conf              |  3 +++
 update-site.sh                | 15 +++++++++++++++
 4 files changed, 29 insertions(+), 3 deletions(-)

diff --git a/add-site.sh b/add-site.sh
index bae5eb8..4aeaea0 100755
--- a/add-site.sh
+++ b/add-site.sh
@@ -36,7 +36,7 @@ hostname=$(hostname -f)
 
 # Set up directory structure
 main_web_root="/var/www/$domain"
-sudo mkdir -p "$main_web_root"/{_main/www,subdomains,logs}
+sudo mkdir -p "$main_web_root"/{_main/www,subdomains,logs,nginx}
 
 # Create the user with the web root as home directory and add to www-data and websftpusers groups
 sudo useradd -m -d /var/www/$domain -s /bin/false -U -G www-data,websftpusers $username
@@ -50,11 +50,16 @@ sudo find "$main_web_root" -type f -exec chmod 640 {} +
 # Set ownership and permissions for the main web root
 # SFTP chroot requires the user's home directory to be owned by root and not writable by others
 sudo chown "root:www-data" "$main_web_root"
-sudo chmod 755 "$main_web_root"
+sudo chmod 750 "$main_web_root"
 
 # Set ownership and permissions for the logs directory
 sudo chown root:www-data "$main_web_root/logs"
-sudo chmod 755 "$main_web_root/logs"
+sudo chmod 750 "$main_web_root/logs"
+
+# Set ownership and permissions for the nginx directory
+sudo chown root:www-data "$main_web_root/nginx"
+sudo chmod 750 "$main_web_root/nginx"
+sudo chmod 640 "$main_web_root/nginx/*"
 
 # Create MySQL user and grant permissions
 sudo mysql <<EOF
diff --git a/install/000-update-install.sh b/install/000-update-install.sh
index 0a96ab7..5eee52a 100644
--- a/install/000-update-install.sh
+++ b/install/000-update-install.sh
@@ -16,6 +16,9 @@ apt install nginx ufw ntp fail2ban -y
 # Install PHP and necessary modules
 apt install php-fpm php-curl php-gd php-mbstring php-xml php-zip php-pdo php-mysql php-sqlite3 -y
 
+# Add ubuntu user to www-data group
+usermod -a -G www-data ubuntu
+
 # Set timezone
 timedatectl set-timezone UTC
 
diff --git a/site-config.conf b/site-config.conf
index ee7127b..2b2a6be 100644
--- a/site-config.conf
+++ b/site-config.conf
@@ -55,6 +55,9 @@ server {
     index index.html index.htm index.php;
     client_max_body_size 20M;
 
+    # Include site-specific configurations
+    include /var/www/$DOMAIN/nginx/*.conf;
+
     # Block .ht* files
     location ~ /\.ht {
         deny all;
diff --git a/update-site.sh b/update-site.sh
index 9faaff1..a2dd28d 100755
--- a/update-site.sh
+++ b/update-site.sh
@@ -31,6 +31,20 @@ if [ ! -d "/etc/letsencrypt/live/$domain" ]; then
     exit 1
 fi
 
+# Create nginx config directory in web root
+NGINX_CONF_DIR="/var/www/$domain/nginx"
+if [ ! -d "$NGINX_CONF_DIR" ]; then
+    echo "Creating nginx configuration directory..."
+    mkdir -p "$NGINX_CONF_DIR"
+    chown root:www-data "$NGINX_CONF_DIR"
+    chmod 750 "$NGINX_CONF_DIR"
+    # Only try to chmod files if they exist
+    if [ "$(ls -A $NGINX_CONF_DIR)" ]; then
+        chmod 640 "$NGINX_CONF_DIR"/*
+    fi
+    echo "Created $NGINX_CONF_DIR with secure permissions"
+fi
+
 # Backup existing configuration
 backup_file="/etc/nginx/sites-available/${domain}.backup-$(date +%Y%m%d-%H%M%S)"
 cp "/etc/nginx/sites-available/$domain" "$backup_file"
@@ -57,3 +71,4 @@ systemctl reload nginx
 
 echo "Configuration update complete for $domain"
 echo "Previous configuration backed up to: $backup_file"
+echo "Site-specific nginx configurations can be added in: $NGINX_CONF_DIR"