From 6c5b3986209235420d3859aaac20228d24b3281a Mon Sep 17 00:00:00 2001
From: Tommy <contact@tommytran.io>
Date: Wed, 26 Jun 2024 15:27:01 -0700
Subject: [PATCH] Bug fixes & instructions for Drupal

Signed-off-by: Tommy <contact@tommytran.io>
---
 sample-scripts/Ubuntu-24.04-LEMP-Drupal.md | 114 +++++++++++++++++++++
 sample-scripts/Ubuntu-24.04-LEMP.sh        |  14 +--
 2 files changed, 122 insertions(+), 6 deletions(-)
 create mode 100644 sample-scripts/Ubuntu-24.04-LEMP-Drupal.md

diff --git a/sample-scripts/Ubuntu-24.04-LEMP-Drupal.md b/sample-scripts/Ubuntu-24.04-LEMP-Drupal.md
new file mode 100644
index 0000000..beb0589
--- /dev/null
+++ b/sample-scripts/Ubuntu-24.04-LEMP-Drupal.md
@@ -0,0 +1,114 @@
+# Ubuntu 24.04 LEMP Drupal
+
+First you need to run the following scripts:
+
+- https://github.com/TommyTran732/Linux-Setup-Scripts/blob/main/Ubuntu-24.04-Server.sh
+- https://github.com/TommyTran732/Linux-Setup-Scripts/blob/main/sample-scripts-Ubuntu-24.04-LEMP.sh
+
+## Install composer
+
+```
+php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
+php composer-setup.php
+php -r "unlink('composer-setup.php');"
+
+sudo chown root:root composer.phar
+sudo mv composer.phar /usr/local/bin
+```
+
+## Setup Directory Structure
+
+```
+# Add unprivileged user for drupal
+sudo useradd -U -m -s /bin/bash drupal
+
+# Make drupal directory
+
+sudo mkdir -p /srv/drupal
+sudo chmod 755 /srv/drupal
+sudo chown drupal:drupal /srv/drupal
+
+# Setup ACL
+sudo apt install -y acl
+sudo setfacl -Rdm u:nginx:rwx /srv/drupal
+```
+
+## Install Drupal
+
+Switch to the `drupal` user: 
+
+```
+sudo su - drupal
+```
+
+As the drupal user, run:
+
+```
+cd /srv/drupal
+composer create-project drupal/recommended-project drupal.yourdomain.tld
+```
+
+## Generate an SSL certificate
+
+```
+certbot certonly --nginx --no-eff-email \
+    --key-type ecdsa --must-staple \
+    --deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
+    --cert-name drupal.yourdomain.tld \
+    -d drupal.yourdomain.tld
+```
+
+## NGINX configuration file
+
+Put the following file in `/etc/nginx/conf.d/sites_drupal.conf`:
+
+```
+server {
+    listen 443 quic reuseport;
+    listen 443 ssl;
+    listen [::]:443 quic reuseport;
+    listen [::]:443 ssl;
+
+    server_name drupal.yourdomain.tld;
+
+    ssl_certificate /etc/letsencrypt/live/drupal.yourdomain.tld/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/drupal.yourdomain.tld/privkey.pem;
+    ssl_trusted_certificate /etc/letsencrypt/live/drupal.yourdomain.tld/chain.pem;
+    ssl_stapling_file  /var/cache/certbot-ocsp-fetcher/drupal.yourdomain.tld.der;
+
+    include snippets/hsts.conf;
+    include snippets/security.conf;
+    include snippets/cross-origin-security.conf;
+    include snippets/quic.conf;
+
+
+    index index.php;
+    client_max_body_size 100M;
+    root /srv/drupal/drupal.yourdomain.tld/web;
+
+    location / {
+        try_files $uri $uri/ /index.php$is_args$args;
+    }
+
+    location @rewrite {
+      rewrite ^/(.*)$ /index.php?q=$1;
+    }
+
+    location ~* \.(css|gif|ico|jpeg|jpg|js|png)$ {
+        try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+
+    location ~ \.php$ {
+       try_files $uri =404;
+        fastcgi_split_path_info ^(.+\.php)(/.+)$;
+        fastcgi_pass unix:/var/run/php/php8.3-fpm.sock;
+        fastcgi_index index.php;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        include fastcgi_params;
+        client_max_body_size 100M;
+    }
+
+}
+```
\ No newline at end of file
diff --git a/sample-scripts/Ubuntu-24.04-LEMP.sh b/sample-scripts/Ubuntu-24.04-LEMP.sh
index b3aeb31..5a7c73a 100644
--- a/sample-scripts/Ubuntu-24.04-LEMP.sh
+++ b/sample-scripts/Ubuntu-24.04-LEMP.sh
@@ -63,19 +63,17 @@ sudo mariadb-secure-installation
 
 sudo rm -rf /etc/nginx/conf.d/default.conf
 
-## Setup webroot for NGINX
-sudo mkdir -p /srv/nginx
-sudo mkdir -p /srv/nginx/.well-known/acme-challenge
-
 ## NGINX hardening
 sudo mkdir -p /etc/systemd/system/nginx.service.d
 unpriv curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/nginx.service.d/local.conf | sudo tee /etc/systemd/system/nginx.service.d/override.conf
+sudo chmod 644 /etc/systemd/system/nginx.service.d/override.conf
 sudo systemctl daemon-reload
 
 ## Setup certbot-ocsp-fetcher
 unpriv curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/certbot-ocsp-fetcher | sudo tee /usr/local/bin/certbot-ocsp-fetcher
 sudo chmod u+x /usr/local/bin/certbot-ocsp-fetcher
 sudo mkdir -p /var/cache/certbot-ocsp-fetcher/
+sudo chmod 755 /var/cache/certbot-ocsp-fetcher/
 
 ## Setup nginx-create-session-ticket-keys
 unpriv curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/nginx-create-session-ticket-keys | sudo tee /usr/local/bin/nginx-create-session-ticket-keys
@@ -95,6 +93,7 @@ unpriv curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/sys
 ## Systemd Hardening
 sudo mkdir -p /etc/systemd/system/nginx.service.d
 unpriv curl https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/systemd/system/nginx.service.d/override.conf | sudo tee /etc/systemd/system/nginx.service.d/override.conf
+sudo chmod 644 /etc/systemd/system/nginx.service.d/override.conf
 sudo systemctl daemon-reload
 
 ## Enable the units
@@ -106,15 +105,18 @@ sudo systemctl enable --now nginx-rotate-session-ticket-keys.timer
 
 unpriv curl https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/conf.d/http2.conf | sudo tee /etc/nginx/conf.d/http2.conf
 unpriv curl https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/conf.d/sites_default.conf | sudo tee /etc/nginx/conf.d/sites_default.conf
+sudo sed -i 's/include snippets/universal_paths.conf;//g' /etc/nginx/conf.d/sites_default.conf
 sudo sed -i 's/ipv4_1://g' /etc/nginx/conf.d/sites_default.conf
 sudo sed -i 's/ipv6_1/::/g' /etc/nginx/conf.d/sites_default.conf
 unpriv curl https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/conf.d/tls.conf | sudo tee /etc/nginx/conf.d/tls.conf
 
 sudo mkdir -p /etc/nginx/snippets
-unpriv curl https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/tls.conf | sudo tee /etc/nginx/snippets/tls.conf
+unpriv curl https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/hsts.conf | sudo tee /etc/nginx/snippets/hsts.conf
 unpriv curl https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/proxy.conf | sudo tee /etc/nginx/snippets/proxy.conf
 unpriv curl https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/quic.conf | sudo tee /etc/nginx/snippets/quic.conf
 unpriv curl https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/security.conf | sudo tee /etc/nginx/snippets/security.conf
 unpriv curl https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/cross-origin-security.conf | sudo tee /etc/nginx/snippets/cross-origin-security.conf
-unpriv curl https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/universal_paths.conf | sudo tee /etc/nginx/snippets/universal_paths.conf
 
+# Fix PHP permission
+sudo sed -i 's/www-data/nginx/g' /etc/php/8.3/fpm/pool.d/www.sock
+sudo systemctl restart php8.3-fpm
\ No newline at end of file