allow per-site custom nginx config, improving permissions

add-site.sh

@@ -36,7 +36,7 @@ hostname=$(hostname -f)
 
 # Set up directory structure
 main_web_root="/var/www/$domain"
-sudo mkdir -p "$main_web_root"/{_main/www,subdomains,logs}
+sudo mkdir -p "$main_web_root"/{_main/www,subdomains,logs,nginx}
 
 # Create the user with the web root as home directory and add to www-data and websftpusers groups
 sudo useradd -m -d /var/www/$domain -s /bin/false -U -G www-data,websftpusers $username
@@ -50,11 +50,16 @@ sudo find "$main_web_root" -type f -exec chmod 640 {} +
 # Set ownership and permissions for the main web root
 # SFTP chroot requires the user's home directory to be owned by root and not writable by others
 sudo chown "root:www-data" "$main_web_root"
-sudo chmod 755 "$main_web_root"
+sudo chmod 750 "$main_web_root"
 
 # Set ownership and permissions for the logs directory
 sudo chown root:www-data "$main_web_root/logs"
-sudo chmod 755 "$main_web_root/logs"
+sudo chmod 750 "$main_web_root/logs"
+
+# Set ownership and permissions for the nginx directory
+sudo chown root:www-data "$main_web_root/nginx"
+sudo chmod 750 "$main_web_root/nginx"
+sudo chmod 640 "$main_web_root/nginx/*"
 
 # Create MySQL user and grant permissions
 sudo mysql <<EOF

install/000-update-install.sh

@@ -16,6 +16,9 @@ apt install nginx ufw ntp fail2ban -y
 # Install PHP and necessary modules
 apt install php-fpm php-curl php-gd php-mbstring php-xml php-zip php-pdo php-mysql php-sqlite3 -y
 
+# Add ubuntu user to www-data group
+usermod -a -G www-data ubuntu
+
 # Set timezone
 timedatectl set-timezone UTC
 

site-config.conf

@@ -55,6 +55,9 @@ server {
     index index.html index.htm index.php;
     client_max_body_size 20M;
 
+    # Include site-specific configurations
+    include /var/www/$DOMAIN/nginx/*.conf;
+
     # Block .ht* files
     location ~ /\.ht {
         deny all;

update-site.sh

@@ -31,6 +31,20 @@ if [ ! -d "/etc/letsencrypt/live/$domain" ]; then
     exit 1
 fi
 
+# Create nginx config directory in web root
+NGINX_CONF_DIR="/var/www/$domain/nginx"
+if [ ! -d "$NGINX_CONF_DIR" ]; then
+    echo "Creating nginx configuration directory..."
+    mkdir -p "$NGINX_CONF_DIR"
+    chown root:www-data "$NGINX_CONF_DIR"
+    chmod 750 "$NGINX_CONF_DIR"
+    # Only try to chmod files if they exist
+    if [ "$(ls -A $NGINX_CONF_DIR)" ]; then
+        chmod 640 "$NGINX_CONF_DIR"/*
+    fi
+    echo "Created $NGINX_CONF_DIR with secure permissions"
+fi
+
 # Backup existing configuration
 backup_file="/etc/nginx/sites-available/${domain}.backup-$(date +%Y%m%d-%H%M%S)"
 cp "/etc/nginx/sites-available/$domain" "$backup_file"
@@ -57,3 +71,4 @@ systemctl reload nginx
 
 echo "Configuration update complete for $domain"
 echo "Previous configuration backed up to: $backup_file"
+echo "Site-specific nginx configurations can be added in: $NGINX_CONF_DIR"