


13 Commits

71eff3c907
Fix permissions
Signed-off-by: Tommy <contact@tommytran.io>
2024-06-26 17:27:19 -07:00
3c8d0df520
Add more instructions
Signed-off-by: Tommy <contact@tommytran.io>
2024-06-26 17:18:35 -07:00
dcdad473bf
Cleanup instructions
Signed-off-by: Tommy <contact@tommytran.io>
2024-06-26 16:11:09 -07:00
6c5b398620
Bug fixes & instructions for Drupal
Signed-off-by: Tommy <contact@tommytran.io>
2024-06-26 15:27:01 -07:00
87c18d4de2
Add cross-origin-security
Signed-off-by: Tommy <contact@tommytran.io>
2024-06-26 12:25:13 -07:00
9835d65dde
Remove old comment
Signed-off-by: Tommy <contact@tommytran.io>
2024-06-26 12:13:26 -07:00
c2ef5743a2
Improve unbound systemd hardening
Signed-off-by: Tommy <contact@tommytran.io>
2024-06-26 12:12:54 -07:00
af99058f4e
Fix incorrect file permissions
Signed-off-by: Tommy <contact@tommytran.io>
2024-06-26 11:26:30 -07:00
359d9a5fc1
Manual installation of mariadb-client not required
Signed-off-by: Tommy <contact@tommytran.io>
2024-06-26 11:01:11 -07:00
1467625dbf
Typo fix
Signed-off-by: Tommy <contact@tommytran.io>
2024-06-26 10:57:40 -07:00
4651135596
Add missing sudo
Signed-off-by: Tommy <contact@tommytran.io>
2024-06-26 10:50:32 -07:00
afe921fd0c
Typo Fix
Signed-off-by: Tommy <contact@tommytran.io>
2024-06-26 10:28:27 -07:00
67e2496435
Make sure snap is installed
Signed-off-by: Tommy <contact@tommytran.io>
2024-06-26 10:07:45 -07:00
5 changed files with 165 additions and 16 deletions


@ -188,6 +188,7 @@ sudo systemctl disable systemd-resolved
# UFW Snap is strictly confined, unlike its .deb counterpart
sudo apt purge -y ufw
sudo apt install -y snapd
sudo snap install ufw
sudo ufw enable -y
sudo ufw allow SSH


@ -9,10 +9,11 @@ ProtectClock=true
ProtectControlGroups=true
ProtectKernelLogs=true
ProtectKernelModules=true
# This breaks using socket options like 'so-rcvbuf'. Explicitly disable for visibility.
ProtectKernelTunables=false
# This breaks using socket options like 'so-rcvbuf'.
ProtectKernelTunables=true
ProtectProc=invisible
#ProtectSystem=strict
# ProtectSystem with strict does not work - need further testing.
ProtectSystem=full
#RuntimeDirectory=unbound
#ConfigurationDirectory=unbound
#StateDirectory=unbound
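Review bot: The comment above `ProtectKernelTunables=true` still says only `# This breaks using socket options like 'so-rcvbuf'.`, which after the change (the flip from `false` to `true` is inferred from the two printed pairs, since the page keeps no +/- markers) reads as a known breakage rather than an accepted trade-off, so the next reader cannot tell whether so-rcvbuf is expected to work. I would change it to `# Enabled for hardening: unbound socket options such as 'so-rcvbuf' will not work with this set, so leave them unset in unbound.conf.` The `# ProtectSystem with strict does not work - need further testing.` comment, which also appears in the next file section, would be more useful if it recorded what fails; strict makes /var read-only as well, so it plausibly needs the `RuntimeDirectory=`/`StateDirectory=` lines that are commented out right below, and saying so keeps the remaining hardening gap from being forgotten.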


@ -12,7 +12,8 @@ ProtectKernelModules=true
# This breaks using socket options like 'so-rcvbuf'.
ProtectKernelTunables=true
ProtectProc=invisible
#ProtectSystem=strict
# ProtectSystem with strict does not work - need further testing.
ProtectSystem=full
#RuntimeDirectory=unbound
#ConfigurationDirectory=unbound
#StateDirectory=unbound


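--- /dev/null
+++ b/<path-not-shown>
@@ -0,0 +1,138 @@
+# Ubuntu 24.04 LEMP Drupal
+First you need to run the following scripts:
+- https://github.com/TommyTran732/Linux-Setup-Scripts/blob/main/Ubuntu-24.04-Server.sh
+- https://github.com/TommyTran732/Linux-Setup-Scripts/blob/main/sample-scripts-Ubuntu-24.04-LEMP.sh
+## Install composer
+```
+php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
+php composer-setup.php
+php -r "unlink('composer-setup.php');"
+sudo chown root:root composer.phar
+sudo mv composer.phar /usr/local/bin
+```
+## Setup Directory Structure
+```
+# Add unprivileged user for drupal
+sudo useradd -U -m -s /bin/bash drupal
+# Make drupal directory
+sudo mkdir -p /srv/drupal
+sudo chown drupal:drupal /srv/drupal
+# Setup ACL
+sudo apt install -y acl
+sudo setfacl -dm u:nginx:rwx /srv/drupal
+sudo setfacl -m u:nginx:rwx /srv/drupal
+```
+## Install Drupal
+Switch to the `drupal` user:
+```
+sudo su - drupal
+```
+As the drupal user, run:
+```
+cd /srv/drupal
+composer create-project drupal/recommended-project drupal.yourdomain.tld
+cp /srv/drupal/drupal.yourdomain.tld/web/sites/default/default.settings.php /srv/drupal/drupal.yourdomain.tld/web/sites/default/settings.php
+```
+Exit the drupal user:
+```
+exit
+```
+## Generate an SSL certificate
+```
+certbot certonly --nginx --no-eff-email \
+--key-type ecdsa --must-staple \
+--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
+--cert-name drupal.yourdomain.tld \
+-d drupal.yourdomain.tld
+```
+## NGINX configuration file
+As root, put the following file in `/etc/nginx/conf.d/sites_drupal.conf`:
+```
+server {
+listen 443 quic reuseport;
+listen 443 ssl;
+listen [::]:443 quic reuseport;
+listen [::]:443 ssl;
+server_name drupal.yourdomain.tld;
+ssl_certificate /etc/letsencrypt/live/drupal.yourdomain.tld/fullchain.pem;
+ssl_certificate_key /etc/letsencrypt/live/drupal.yourdomain.tld/privkey.pem;
+ssl_trusted_certificate /etc/letsencrypt/live/drupal.yourdomain.tld/chain.pem;
+ssl_stapling_file /var/cache/certbot-ocsp-fetcher/drupal.yourdomain.tld.der;
+include snippets/hsts.conf;
+include snippets/security.conf;
+include snippets/cross-origin-security.conf;
+include snippets/quic.conf;
+add_header Content-Security-Policy "default-src 'none'; connect-src 'self'; font-src 'self'; img-src 'self' data:; script-src 'self'; style-src 'self' 'unsafe-inline'; base-uri 'none'; block-all-mixed-content; form-action 'none'; frame-ancestors 'self'; upgrade-insecure-requests";
+index index.php;
+root /srv/drupal/drupal.yourdomain.tld/web;
+location / {
+try_files $uri $uri/ /index.php?$args;
+}
+location ~ \.php$ {
+fastcgi_pass unix:/var/run/php/php8.3-fpm.sock;
+fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+include fastcgi_params;
+}
+}
+```
+## Setup the Database for Drupal
+As root, log into MariaDB:
+```
+mariadb -uroot
+```
+Run the following queries:
+```
+CREATE DATABASE drupal CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
+CREATE USER 'drupal'@'127.0.0.1' IDENTIFIED BY 'yourPassword';
+GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, CREATE TEMPORARY TABLES ON drupal.* TO 'drupal'@'127.0.0.1';
+exit
+```
+## Install drupal
+Go to drupal.yourdomain.tld and follow the prompts.
+Switch to the `drupal` user:
+```
+sudo su - drupal
+```
+As the drupal user, run:
+```
+chmod 400 /srv/drupal/drupal.yourdomain.tld/web/sites/default/settings.php
+setfacl -m u:nginx:r /srv/drupal/drupal.yourdomain.tld/web/sites/default/settings.php
+```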


@ -33,54 +33,57 @@ sudo ufw allow 443
sudo curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor | sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null
sudo chmod 644 /usr/share/keyrings/nginx-archive-keyring.gpg
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/apt/sources.list.d/nginx.sources | sudo tee /etc/apt/sources.list.d/nginx.sources
chmod 644 /etc/apt/sources.list.d/nginx.sources
sudo chmod 644 /etc/apt/sources.list.d/nginx.sources
# Add the PHP PPA (Ubuntu repos do not have the latest version, and do not handle pinning properly)
sudo add-apt-repository -y ppa:ondrej/php
# Add upstream MariaDB repo
curl https://supplychain.mariadb.com/mariadb-keyring-2019.gpg | sudo tee /usr/share/keyrings/mariadb-keyring-2019.gpg
chmod 644 /usr/share/keyrings/mariadb-keyring-2019.gpg
sudo chmod 644 /usr/share/keyrings/mariadb-keyring-2019.gpg
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/apt/sources.list.d/mariadb.sources | sudo tee /etc/apt/sources.list.d/mariadb.sources
chmod 644 /etc/apt/sources.list.d/nginx.sources
sudo chmod 644 /etc/apt/sources.list.d/maridadb.sources
# Update the VM again
sudo apt update
sudo apt full-upgrade -y
# Install the packages
sudo apt install -y nginx mariadb-server mariadb-client php8.3 php8.3-cli php8.3-common php8.3-curl php8.3-fpm php8.3-gd php8.3-mbstring php8.3-mysql php8.3-opcache php8.3-readline php8.3-sqlite3 php8.3-xml php8.3-zip php8.3-apcu
sudo apt install -y nginx mariadb-server php8.3 php8.3-cli php8.3-common php8.3-curl php8.3-fpm php8.3-gd php8.3-mbstring php8.3-mysql php8.3-opcache php8.3-readline php8.3-sqlite3 php8.3-xml php8.3-zip php8.3-apcu
# Install certbot
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
# Secure MariaDB
output "Running mariadb_secure_installation. You should answer yes to everything."
mariadb_secure_installation
output "Running mariadb-secure-installation."
output "You should answer yes to everything except setting the root password."
output "This is already done via the UNIX socket if you switch it with the prompts so you should be okay."
sudo mariadb-secure-installation
# Port NGINX configs from https://github.com/TommyTran732/NGINX-Configs
sudo rm -rf /etc/nginx/conf.d/default.conf
## Setup webroot for NGINX
sudo mkdir -p /srv/nginx
sudo mkdir -p /srv/nginx/.well-known/acme-challenge
## NGINX hardening
sudo mkdir -p /etc/systemd/system/nginx.service.d
unpriv curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/nginx.service.d/local.conf | sudo tee /etc/systemd/system/nginx.service.d/override.conf
sudo chmod 644 /etc/systemd/system/nginx.service.d/override.conf
sudo systemctl daemon-reload
## Setup certbot-ocsp-fetcher
unpriv curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/certbot-ocsp-fetcher | sudo tee /usr/local/bin/certbot-ocsp-fetcher
sudo chmod u+x /usr/local/bin/certbot-ocsp-fetcher
sudo mkdir -p /var/cache/certbot-ocsp-fetcher/
sudo chmod 755 /var/cache/certbot-ocsp-fetcher/
## Setup nginx-create-session-ticket-keys
unpriv curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/nginx-create-session-ticket-keys | sudo tee /usr/local/bin/nginx-create-session-ticket-keys
sudo chmod u+x /usr/local/bin/nginx-create-session-ticket-keys
## Setup nginx-rotate-session-ticket-keys
unpriv curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/nginx-rotate-session-ticket-keys | sudo tee /usr/local/bin/nginx-rotate-session-ticket-keys
sudo chmod u+x /usr/local/bin/nginx-rotate-session-ticket-keys
## Download the units
unpriv curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/certbot-ocsp-fetcher.service | sudo tee /etc/systemd/system/certbot-ocsp-fetcher.service
@ -92,6 +95,7 @@ unpriv curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/sys
## Systemd Hardening
sudo mkdir -p /etc/systemd/system/nginx.service.d
unpriv curl https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/systemd/system/nginx.service.d/override.conf | sudo tee /etc/systemd/system/nginx.service.d/override.conf
sudo chmod 644 /etc/systemd/system/nginx.service.d/override.conf
sudo systemctl daemon-reload
## Enable the units
@ -103,14 +107,18 @@ sudo systemctl enable --now nginx-rotate-session-ticket-keys.timer
unpriv curl https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/conf.d/http2.conf | sudo tee /etc/nginx/conf.d/http2.conf
unpriv curl https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/conf.d/sites_default.conf | sudo tee /etc/nginx/conf.d/sites_default.conf
sudo sed -i 's/include snippets/universal_paths.conf;//g' /etc/nginx/conf.d/sites_default.conf
sudo sed -i 's/ipv4_1://g' /etc/nginx/conf.d/sites_default.conf
sudo sed -i 's/ipv6_1/::/g' /etc/nginx/conf.d/sites_default.conf
unpriv curl https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/conf.d/tls.conf | sudo tee /etc/nginx/conf.d/tls.conf
sudo mkdir -p /etc/nginx/snippets
unpriv curl https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/tls.conf | sudo tee /etc/nginx/snippets/tls.conf
unpriv curl https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/hsts.conf | sudo tee /etc/nginx/snippets/hsts.conf
unpriv curl https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/proxy.conf | sudo tee /etc/nginx/snippets/proxy.conf
unpriv curl https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/quic.conf | sudo tee /etc/nginx/snippets/quic.conf
unpriv curl https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/security.conf | sudo tee /etc/nginx/snippets/security.conf
unpriv curl https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/universal_paths.conf | sudo tee /etc/nginx/snippets/universal_paths.conf
unpriv curl https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/cross-origin-security.conf | sudo tee /etc/nginx/snippets/cross-origin-security.conf
# Fix PHP permission
sudo sed -i 's/www-data/nginx/g' /etc/php/8.3/fpm/pool.d/www.sock
sudo systemctl restart php8.3-fpm
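Review bot: The new `sudo chmod 644 /etc/apt/sources.list.d/maridadb.sources` line in the first hunk targets a misspelled path; the file written two lines earlier by `tee` is `/etc/apt/sources.list.d/mariadb.sources`, so this chmod fails with a "No such file" error (and aborts the script if it runs under `set -e`) while the intended file is left untouched. The fix is `sudo chmod 644 /etc/apt/sources.list.d/mariadb.sources`; that this is the new side of the printed pair is inferred from print order, since the page keeps no +/- markers. The same kind of slip appears in the last hunk: `sudo sed -i 's/www-data/nginx/g' /etc/php/8.3/fpm/pool.d/www.sock` names a `.sock` file, whereas the Debian/Ubuntu php-fpm pool definition holding `user`/`group` and `listen.owner`/`listen.group` is `/etc/php/8.3/fpm/pool.d/www.conf`, so `sed -i` will fail on a missing file and the socket ownership the `nginx` worker needs will not be changed — worth confirming on an installed host before the restart line is relied on. Separately, the `unpriv curl … | sudo tee` fetches have no `--fail`/`-f` (nor `-sS`), so an HTTP error body would be written into the sources list, keyring or unit path; that is pre-existing style, but the new lines in these hunks inherit it.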