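#!/usr/bin/env bash
# Install script for Ubuntu 18.04 (based on forge.laravel.com script, december 2018)
#
# Provisions a LEMP-style host: nginx, PHP-FPM, MySQL, Redis, Memcached,
# beanstalkd, supervisor, Node.js, a swap file and unattended security upgrades.
# Must be run as root on a fresh server. It edits system files in place and
# appends to several of them, so it is not safe to run twice on the same host.
# The shebang pins bash: here-strings (<<<) and other bashisms below break
# under plain /bin/sh.
#
# Your data -- fill these in before running.
SERVER_NAME="server-name"
SERVER_IP="111.222.333.444"     # placeholder; replace with the host's real public IPv4
# Everything in this variable is written verbatim to /root/.ssh/authorized_keys
# and the deploy user's authorized_keys. Password logins over SSH are disabled
# by this script, so an empty or wrong key list locks you out of the server.
PUBLIC_SSH_KEYS="# place content id_rsa.pub here
# key 1
ssh-rsa xxxxxxx user@workstation
# key 2
ssh-rsa xxxxxxx user@notebook"
# NOTE: this deliberately overrides the login shell's USER variable; every
# later reference to $USER means the deploy account, not whoever invoked the
# script.
USER="forge"
SUDO_PASSWORD="pass_for_sudo"
MYSQL_ROOT_PASSWORD="pass_for_mysql_root_user"   # also reused for the deploy user's MySQL account
PHP_VERSION="7.1"
PHP_MEMORY_LIMIT="512M"
PHP_TIMEZONE="UTC"
GIT_USERNAME=""
GIT_EMAIL=""
SWAP_SIZE="1G"
SERVER_TIMEZONE="Europe/Moscow" # local timezone for cron
# =================== DO NOT CHANGE BELOW =====================================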
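# Prefer IPv4 for outbound connections (apt mirrors, PPAs, curl downloads) by
# enabling the ::ffff:0:0/96 precedence entry that Ubuntu ships commented out.
sed -i "s/#precedence ::ffff:0:0\/96 100/precedence ::ffff:0:0\/96 100/" /etc/gai.conf
# Upgrade The Base Packages
export DEBIAN_FRONTEND=noninteractive
apt-get update
apt-get upgrade -y
# Add A Few PPAs To Stay Current
# --force-yes has been deprecated since apt 1.1 and on older apt releases also
# waved through unauthenticated packages; -y alone is what a non-interactive
# install needs.
apt-get install -y software-properties-common
# apt-add-repository ppa:fkrull/deadsnakes-python2.7 -y
# Each PPA is a third party whose signing key gains the right to ship packages
# to this host. ppa:nginx/development tracks nginx mainline; ppa:nginx/stable
# is the quieter choice for a production server.
apt-add-repository ppa:nginx/development -y
apt-add-repository ppa:chris-lea/redis-server -y
apt-add-repository ppa:ondrej/apache2 -y
apt-add-repository ppa:ondrej/php -y
# Update Package Lists
apt-get update
# Base Packages
add-apt-repository universe
apt-get install -y build-essential curl fail2ban gcc git libmcrypt4 libpcre3-dev \
  make python2.7 python-pip sendmail supervisor ufw unattended-upgrades unzip whois zsh ncdu
# Additional useful packages
apt-get install -y mc p7zip-full htop tmux
# Install Python Httpie
pip install httpie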
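# Disable Password Authentication Over SSH
#######################################
# Force "PasswordAuthentication no" in an sshd_config file.
# sshd uses the FIRST value it reads for a keyword, and a directive appended
# after a trailing "Match" block only applies inside that block. The original
# appended the line at the end of the file; here every existing
# PasswordAuthentication directive (commented or not) is removed and the
# global "no" is inserted at the top, where nothing can shadow it.
# Arguments: $1 - path to sshd_config
#######################################
disable_ssh_password_auth() {
  local cfg=$1
  sed -i -E '/^[[:space:]]*#?[[:space:]]*PasswordAuthentication[[:space:]]/d' "$cfg"
  # "1i" is a no-op on an empty file, so write the directive directly then.
  if [ -s "$cfg" ]; then
    sed -i '1i PasswordAuthentication no' "$cfg"
  else
    printf 'PasswordAuthentication no\n' > "$cfg"
  fi
}
disable_ssh_password_auth /etc/ssh/sshd_config
# Restart SSH
# The authorized_keys written later in this script are the only way back in
# once password auth is off; keep the current session open until they exist.
ssh-keygen -A
# Validate the config first: restarting sshd on a broken file drops remote
# access to the server.
if /usr/sbin/sshd -t; then
  service ssh restart
else
  printf 'sshd_config failed validation; ssh was not restarted\n' >&2
fi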
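# Set The Hostname If Necessary
printf '%s\n' "$SERVER_NAME" > /etc/hostname
sed -i "s/127\.0\.0\.1.*localhost/127.0.0.1 $SERVER_NAME localhost/" /etc/hosts
hostname "$SERVER_NAME"
# Set The Timezone
# Only link /etc/localtime to a zone that exists: a dangling symlink makes
# glibc fall back to UTC without any error, which cron then inherits.
if [ -f "/usr/share/zoneinfo/$SERVER_TIMEZONE" ]; then
  ln -sf "/usr/share/zoneinfo/$SERVER_TIMEZONE" /etc/localtime
  # Keep the Debian/Ubuntu zone-name file consistent with the symlink.
  printf '%s\n' "$SERVER_TIMEZONE" > /etc/timezone
else
  printf 'unknown timezone %s; /etc/localtime left unchanged\n' "$SERVER_TIMEZONE" >&2
fi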
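# Create The Root SSH Directory If Necessary
# mkdir -p is already a no-op for an existing directory, so the explicit
# existence test is unnecessary. The modes are set on purpose: sshd
# (StrictModes) ignores keys in a directory or file that others can write to.
mkdir -p /root/.ssh
chmod 700 /root/.ssh
touch /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys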
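# Setup Forge User
# useradd reports an error if the account already exists; the remaining steps
# still apply to the existing account.
useradd "$USER"
mkdir -p "/home/$USER/.ssh"
mkdir -p "/home/$USER/.forge"
adduser "$USER" sudo
# Setup Bash For Forge User
chsh -s /bin/bash "$USER"
cp /root/.profile "/home/$USER/.profile"
cp /root/.bashrc "/home/$USER/.bashrc"
# Set The Sudo Password For Forge
# chpasswd reads "user:password" from stdin and hashes it with the system's
# configured method, so the cleartext never sits in a command line where
# `ps`, shell tracing or auditd could capture it (the mkpasswd/usermod pair
# the script used before passed both the password and the hash via argv).
printf '%s:%s\n' "$USER" "$SUDO_PASSWORD" | chpasswd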
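# Build Formatted Keys & Copy Keys To Forge
# printf instead of an unquoted heredoc: the key list is written verbatim, so
# a "$" or backtick in a key comment can no longer be expanded by the shell.
printf '%s\n' "$PUBLIC_SSH_KEYS" > /root/.ssh/authorized_keys
cp /root/.ssh/authorized_keys "/home/$USER/.ssh/authorized_keys"
# Create The Server SSH Key
# ssh-keygen asks "Overwrite (y/n)?" when the file exists, which stalls an
# unattended run; only generate a key when there is none.
if [ ! -f "/home/$USER/.ssh/id_rsa" ]; then
  ssh-keygen -f "/home/$USER/.ssh/id_rsa" -t rsa -N ''
fi
# Copy Source Control Public Keys Into Known Hosts File
# ssh-keyscan trusts whatever host key is presented at scan time (trust on
# first use); compare the fingerprints with the providers' published ones
# before relying on this deploy key for anything sensitive.
for scm_host in github.com bitbucket.org gitlab.com; do
  ssh-keyscan -H "$scm_host" >> "/home/$USER/.ssh/known_hosts"
done
# Setup User Directory Permissions
chown -R "$USER:$USER" "/home/$USER"
chmod -R 755 "/home/$USER"
# The recursive 755 leaves the SSH directory and both key files readable by
# every local account; restore the modes ssh and sshd expect.
chmod 700 "/home/$USER/.ssh"
chmod 600 "/home/$USER/.ssh/id_rsa" "/home/$USER/.ssh/authorized_keys"
# Configure Git Settings
# Run as the deploy user (after the chown, so the home directory is writable)
# so the identity lands in /home/$USER/.gitconfig; run as root it only
# configured root's git, which never deploys anything.
sudo -u "$USER" -H git config --global user.name "$GIT_USERNAME"
sudo -u "$USER" -H git config --global user.email "$GIT_EMAIL"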
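# Setup UFW Firewall
# Only SSH, HTTP and HTTPS are reachable from outside. MySQL, Redis,
# Memcached and beanstalkd are all bound to every interface further down and
# depend on this rule set to stay private, so do not loosen it casually.
# The /tcp suffix avoids opening the matching UDP ports for no reason.
ufw allow 22/tcp
ufw allow 80/tcp
ufw allow 443/tcp
# --force answers the "may disrupt existing ssh connections" prompt that
# would otherwise stall an unattended run.
ufw --force enable
# Allow FPM Restart
# Let the deploy user reload any of the listed PHP-FPM versions without a
# password. The fragment uses the configured user instead of a hard-coded
# name, gets the mode sudo expects, and is checked with visudo so that a bad
# line cannot break sudo for the whole host.
sudoers_file=/etc/sudoers.d/php-fpm
: > "$sudoers_file"
for php_ver in 7.3 7.2 7.1 7.0 5.6 5; do
  printf '%s ALL=NOPASSWD: /usr/sbin/service php%s-fpm reload\n' "$USER" "$php_ver" >> "$sudoers_file"
done
chmod 0440 "$sudoers_file"
if ! visudo -cf "$sudoers_file"; then
  printf 'sudoers fragment failed validation, removing it\n' >&2
  rm -f "$sudoers_file"
fi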
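# Install Base PHP Packages
apt-get install -y "php$PHP_VERSION-cli" "php$PHP_VERSION-dev" \
  "php$PHP_VERSION-pgsql" "php$PHP_VERSION-sqlite3" "php$PHP_VERSION-gd" \
  "php$PHP_VERSION-curl" "php$PHP_VERSION-memcached" \
  "php$PHP_VERSION-imap" "php$PHP_VERSION-mysql" "php$PHP_VERSION-mbstring" \
  "php$PHP_VERSION-xml" "php$PHP_VERSION-zip" "php$PHP_VERSION-bcmath" "php$PHP_VERSION-soap" \
  "php$PHP_VERSION-intl" "php$PHP_VERSION-readline"
# Install Composer Package Manager
# Download the installer to a file and compare it with the SHA-384 that
# Composer publishes at https://composer.github.io/installer.sig before
# running it; the previous "curl | php" executed whatever the network returned.
composer_setup=$(mktemp)
if curl -fsS https://getcomposer.org/installer -o "$composer_setup"; then
  expected_sig=$(curl -fsS https://composer.github.io/installer.sig)
  actual_sig=$(sha384sum "$composer_setup" | cut -d ' ' -f 1)
  if [ -n "$expected_sig" ] && [ "$expected_sig" = "$actual_sig" ]; then
    php "$composer_setup" --install-dir=/usr/local/bin --filename=composer
  else
    printf 'composer installer checksum mismatch; composer was not installed\n' >&2
  fi
else
  printf 'could not download the composer installer\n' >&2
fi
rm -f "$composer_setup"
#######################################
# Apply the shared php.ini tweaks to one ini file.
# The timezone rule uses "|" as the sed delimiter because zone names such as
# Europe/Moscow contain "/", which made the original s/// form fail.
# Arguments: $1 - php.ini path, $2 - memory_limit value, $3 - date.timezone value
#######################################
tune_php_ini() {
  local ini=$1 mem=$2 tz=$3
  sed -i "s/error_reporting = .*/error_reporting = E_ALL/" "$ini"
  sed -i "s/display_errors = .*/display_errors = On/" "$ini"
  sed -i "s/memory_limit = .*/memory_limit = $mem/" "$ini"
  sed -i "s|;date.timezone.*|date.timezone = $tz|" "$ini"
}
# Misc. PHP CLI Configuration
tune_php_ini "/etc/php/$PHP_VERSION/cli/php.ini" "$PHP_MEMORY_LIMIT" "$PHP_TIMEZONE"
# Configure Sessions Directory Permissions
# World-writable plus sticky bit: every pool user can create session files but
# only delete its own.
chmod 733 /var/lib/php/sessions
chmod +t /var/lib/php/sessions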
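# Install Nginx & PHP-FPM
apt-get install -y nginx "php$PHP_VERSION-fpm"
systemctl enable nginx.service
# Generate dhparam File
# Custom DH parameters for TLS sites. 2048-bit generation can take minutes on
# a small VM, so it is skipped when a non-empty file is already present.
if [ ! -s /etc/nginx/dhparams.pem ]; then
  openssl dhparam -out /etc/nginx/dhparams.pem 2048
fi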
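# Tweak Some PHP-FPM Settings
fpm_ini="/etc/php/$PHP_VERSION/fpm/php.ini"
sed -i "s/error_reporting = .*/error_reporting = E_ALL/" "$fpm_ini"
# display_errors=On in the web-facing php.ini sends stack traces and file
# paths to browsers. Left as the author set it; turn it Off on a production
# host and rely on the error log instead.
sed -i "s/display_errors = .*/display_errors = On/" "$fpm_ini"
sed -i "s/;cgi.fix_pathinfo=1/cgi.fix_pathinfo=0/" "$fpm_ini"
sed -i "s/memory_limit = .*/memory_limit = $PHP_MEMORY_LIMIT/" "$fpm_ini"
# "|" delimiter: zone names such as Europe/Moscow contain "/", which broke
# the original s/// rule.
sed -i "s|;date.timezone.*|date.timezone = $PHP_TIMEZONE|" "$fpm_ini"
# Configure FPM Pool Settings
#######################################
# Point an FPM pool and its listening socket at the deploy user.
# Arguments: $1 - www.conf path, $2 - user that runs the pool (and nginx)
#######################################
tune_fpm_pool() {
  local conf=$1 pool_user=$2
  sed -i "s/^user = www-data/user = $pool_user/" "$conf"
  sed -i "s/^group = www-data/group = $pool_user/" "$conf"
  sed -i "s/;listen\.owner.*/listen.owner = $pool_user/" "$conf"
  sed -i "s/;listen\.group.*/listen.group = $pool_user/" "$conf"
  # nginx workers run as the same user (nginx.conf is rewritten below), so
  # owner/group access is enough; the original 0666 let any local account
  # submit FastCGI requests to the pool.
  sed -i "s/;listen\.mode.*/listen.mode = 0660/" "$conf"
  sed -i "s/;request_terminate_timeout.*/request_terminate_timeout = 60/" "$conf"
}
tune_fpm_pool "/etc/php/$PHP_VERSION/fpm/pool.d/www.conf" "$USER"
# Configure Primary Nginx Settings
sed -i "s/user www-data;/user $USER;/" /etc/nginx/nginx.conf
sed -i "s/worker_processes.*/worker_processes auto;/" /etc/nginx/nginx.conf
sed -i "s/# multi_accept.*/multi_accept on;/" /etc/nginx/nginx.conf
sed -i "s/# server_names_hash_bucket_size.*/server_names_hash_bucket_size 128;/" /etc/nginx/nginx.conf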
# Configure Gzip
# Quoted delimiter: the file is written literally (it contains no shell
# expansions, so the output is identical to the unquoted form).
cat > /etc/nginx/conf.d/gzip.conf << 'EOF'
gzip_comp_level 5;
gzip_min_length 256;
gzip_proxied any;
gzip_vary on;
gzip_types
application/atom+xml
application/javascript
application/json
application/rss+xml
application/vnd.ms-fontobject
application/x-font-ttf
application/x-web-app-manifest+json
application/xhtml+xml
application/xml
font/opentype
image/svg+xml
image/x-icon
text/css
text/plain
text/x-component;
EOF
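# Disable The Default Nginx Site
# -f: a default site that is already gone (re-run) is not an error.
rm -f /etc/nginx/sites-enabled/default
rm -f /etc/nginx/sites-available/default
# Install A Catch All Server
# Requests for hostnames with no matching server block get a bare 404.
# NOTE(review): without "default_server" on a listen directive nginx uses
# the first server block it loads as the default, so a site whose file name
# sorts before "catch-all" could still answer unknown hosts.
cat > /etc/nginx/sites-available/catch-all << 'EOF'
server {
return 404;
}
EOF
# -sfn: a re-run replaces the link instead of failing or nesting it.
ln -sfn /etc/nginx/sites-available/catch-all /etc/nginx/sites-enabled/catch-all
# Validate before restarting so a bad config does not take the web server down.
if nginx -t; then
  service nginx restart
else
  printf 'nginx config failed validation; nginx was not restarted\n' >&2
fi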
# Example site template (not enabled). Replace DOMAIN.COM and link it into
# sites-enabled. The heredoc is deliberately unquoted so $PHP_VERSION is
# filled in; nginx's own variables are escaped as \$uri etc. so they survive.
# NOTE(review): Ubuntu's fastcgi_params does not appear to set
# SCRIPT_FILENAME (that lives in fastcgi.conf / snippets/fastcgi-php.conf);
# confirm PHP requests resolve before using this template as-is.
example_site=/etc/nginx/sites-available/example
cat > "$example_site" << EOF
server {
listen 80;
server_name DOMAIN.COM;
root /home/forge/DOMAIN.COM/public;
index index.html index.htm index.php;
charset utf-8;
location / {
try_files \$uri \$uri/ /index.php?\$query_string;
}
location = /favicon.ico { access_log off; log_not_found off; }
location = /robots.txt { access_log off; log_not_found off; }
access_log off;
error_log /var/log/nginx/DOMAIN.COM-error.log error;
error_page 404 /index.php;
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/run/php/php$PHP_VERSION-fpm.sock;
fastcgi_index index.php;
include fastcgi_params;
}
location ~ /\.ht {
deny all;
}
}
EOF
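# Restart Nginx & PHP-FPM Services
#service nginx restart
if nginx -t; then
  service nginx reload
else
  printf 'nginx config failed validation; nginx was not reloaded\n' >&2
fi
# The original condition tested the literal string "$(ps aux ...)" (the "$"
# was backslash-escaped, a leftover from living inside a heredoc), so it was
# always true. pgrep answers the real question: is any php-fpm running?
if pgrep php-fpm > /dev/null; then
  for php_ver in 7.3 7.2 7.1 7.0 5.6 5; do
    # Versions that are not installed simply fail silently.
    service "php$php_ver-fpm" restart > /dev/null 2>&1
  done
fi
# Add Forge User To www-data Group
usermod -a -G www-data "$USER"
id "$USER"
groups "$USER"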
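# Install Node.js
# -f makes curl fail on an HTTP error instead of piping an error page into
# bash. The NodeSource setup script is still executed without any integrity
# check, and setup_8.x installs a Node major that is past end-of-life; pick a
# supported release and review the script before trusting it on a new host.
curl -fsSL https://deb.nodesource.com/setup_8.x | bash -
apt-get update
apt-get install -y nodejs
npm install -g pm2
npm install -g gulp
npm install -g yarn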
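# Set The Automated Root Password
export DEBIAN_FRONTEND=noninteractive
# Ubuntu's own mysql-server package reads the mysql-server/root_password*
# debconf keys; the mysql-community-server keys only apply when Oracle's apt
# repository is in use. Both sets are preseeded so whichever package apt
# resolves picks up the password.
debconf-set-selections <<< "mysql-community-server mysql-community-server/data-dir select ''"
debconf-set-selections <<< "mysql-community-server mysql-community-server/root-pass password $MYSQL_ROOT_PASSWORD"
debconf-set-selections <<< "mysql-community-server mysql-community-server/re-root-pass password $MYSQL_ROOT_PASSWORD"
debconf-set-selections <<< "mysql-server mysql-server/root_password password $MYSQL_ROOT_PASSWORD"
debconf-set-selections <<< "mysql-server mysql-server/root_password_again password $MYSQL_ROOT_PASSWORD"
# Install MySQL
apt-get install -y mysql-server
# Configure Password Expiration
echo "default_password_lifetime = 0" >> /etc/mysql/mysql.conf.d/mysqld.cnf
# Configure Access Permissions For Root & Forge Users
# bind-address = * listens on every interface and the grants below allow root
# from any host ('%'); only the ufw rules earlier in the script keep this off
# the Internet. A single quote in the password would break the SQL below.
sed -i '/^bind-address/s/bind-address.*=.*/bind-address = */' /etc/mysql/mysql.conf.d/mysqld.cnf
#######################################
# Run one statement as the MySQL root user.
# The password is passed through MYSQL_PWD rather than --password=..., which
# every local user could read from `ps`; on Linux a process environment is
# readable only by its owner (root here).
# Arguments: $1 - SQL statement
#######################################
mysql_root() {
  MYSQL_PWD="$MYSQL_ROOT_PASSWORD" mysql --user="root" -e "$1"
}
mysql_root "GRANT ALL ON *.* TO root@'$SERVER_IP' IDENTIFIED BY '$MYSQL_ROOT_PASSWORD';"
mysql_root "GRANT ALL ON *.* TO root@'%' IDENTIFIED BY '$MYSQL_ROOT_PASSWORD';"
service mysql restart
# The deploy account reuses the root password and gets GRANT OPTION on *.*,
# i.e. it is a second superuser; give it its own password if that is not intended.
mysql_root "CREATE USER '$USER'@'$SERVER_IP' IDENTIFIED BY '$MYSQL_ROOT_PASSWORD';"
mysql_root "GRANT ALL ON *.* TO '$USER'@'$SERVER_IP' IDENTIFIED BY '$MYSQL_ROOT_PASSWORD' WITH GRANT OPTION;"
mysql_root "GRANT ALL ON *.* TO '$USER'@'%' IDENTIFIED BY '$MYSQL_ROOT_PASSWORD' WITH GRANT OPTION;"
mysql_root "FLUSH PRIVILEGES;"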
# Install & Configure Redis Server
# NOTE(review): an explicit "bind 0.0.0.0" with no requirepass switches off
# Redis' protected-mode safeguard, so anything that can reach TCP 6379 gets
# full access; the ufw rules earlier in the script are the only barrier.
apt-get install -y redis-server
sed -i 's/bind 127.0.0.1/bind 0.0.0.0/' /etc/redis/redis.conf
systemctl enable redis-server
service redis-server restart
# Install & Configure Memcached
# Same exposure as Redis: memcached has no authentication at all.
apt-get install -y memcached
sed -i 's/-l 127.0.0.1/-l 0.0.0.0/' /etc/memcached.conf
service memcached restart
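# Install & Configure Beanstalk
apt-get install -y beanstalkd
# Listens on every interface without authentication; relies on the ufw rules.
sed -i "s/BEANSTALKD_LISTEN_ADDR.*/BEANSTALKD_LISTEN_ADDR=0.0.0.0/" /etc/default/beanstalkd
# -q: the original grep also printed the matched line to the console.
if grep -q START= /etc/default/beanstalkd; then
  sed -i "s/#START=yes/START=yes/" /etc/default/beanstalkd
else
  printf '%s\n' "START=yes" >> /etc/default/beanstalkd
fi
service beanstalkd start
sleep 5
service beanstalkd restart
systemctl enable beanstalkd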
# Configure Supervisor Autostart
# enable --now registers the unit for boot and starts it immediately, the
# same end state as the separate enable/start pair.
systemctl enable --now supervisor.service
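# Configure Swap Disk
if [ -f /swapfile ]; then
  echo "Swap exists."
else
  # fallocate can fail (unsupported filesystem, no space); do not run mkswap
  # or edit fstab/sysctl.conf for a file that was never created.
  if fallocate -l "$SWAP_SIZE" /swapfile; then
    # 0600 before swapon: a world-readable swap file exposes memory contents.
    chmod 600 /swapfile
    mkswap /swapfile
    swapon /swapfile
    printf '%s\n' "/swapfile none swap sw 0 0" >> /etc/fstab
    printf '%s\n' "vm.swappiness=30" "vm.vfs_cache_pressure=50" >> /etc/sysctl.conf
    # sysctl.conf is only read at boot; apply the values now as well.
    sysctl -w vm.swappiness=30 vm.vfs_cache_pressure=50
  else
    printf 'fallocate failed; no swap file was created\n' >&2
  fi
fi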
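# Setup Unattended Security Upgrades
# Quoted delimiters: these files must be written literally. The origin uses
# unattended-upgrades' own ${distro_id}/${distro_codename} macros instead of
# a hard-coded "Ubuntu bionic-security", so the file stays correct after a
# release upgrade; an unquoted heredoc would have expanded them as empty
# shell variables.
cat > /etc/apt/apt.conf.d/50unattended-upgrades << 'EOF'
Unattended-Upgrade::Allowed-Origins {
"${distro_id}:${distro_codename}-security";
};
Unattended-Upgrade::Package-Blacklist {
//
};
EOF
# Daily list refresh and download, unattended upgrade enabled, weekly autoclean.
cat > /etc/apt/apt.conf.d/10periodic << 'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";
EOF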