mirror of
https://github.com/tommytran732/Linux-Setup-Scripts
synced 2024-11-24 18:21:34 -05:00
Compare commits
No commits in common. "71eff3c907d10898de8bd791775d39d68211ca1b" and "3ff024e21bcbe626da36ae838ddf8a5512292ebc" have entirely different histories.
71eff3c907
...
3ff024e21b
@ -188,7 +188,6 @@ sudo systemctl disable systemd-resolved
|
||||
|
||||
# UFW Snap is strictly confined, unlike its .deb counterpart
|
||||
sudo apt purge -y ufw
|
||||
sudo apt install -y snapd
|
||||
sudo snap install ufw
|
||||
sudo ufw enable -y
|
||||
sudo ufw allow SSH
|
||||
|
@ -9,11 +9,10 @@ ProtectClock=true
|
||||
ProtectControlGroups=true
|
||||
ProtectKernelLogs=true
|
||||
ProtectKernelModules=true
|
||||
# This breaks using socket options like 'so-rcvbuf'.
|
||||
ProtectKernelTunables=true
|
||||
# This breaks using socket options like 'so-rcvbuf'. Explicitly disable for visibility.
|
||||
ProtectKernelTunables=false
|
||||
ProtectProc=invisible
|
||||
# ProtectSystem with strict does not work - need further testing.
|
||||
ProtectSystem=full
|
||||
#ProtectSystem=strict
|
||||
#RuntimeDirectory=unbound
|
||||
#ConfigurationDirectory=unbound
|
||||
#StateDirectory=unbound
|
||||
|
@ -12,8 +12,7 @@ ProtectKernelModules=true
|
||||
# This breaks using socket options like 'so-rcvbuf'.
|
||||
ProtectKernelTunables=true
|
||||
ProtectProc=invisible
|
||||
# ProtectSystem with strict does not work - need further testing.
|
||||
ProtectSystem=full
|
||||
#ProtectSystem=strict
|
||||
#RuntimeDirectory=unbound
|
||||
#ConfigurationDirectory=unbound
|
||||
#StateDirectory=unbound
|
||||
|
@ -1,138 +0,0 @@
|
||||
# Ubuntu 24.04 LEMP Drupal
|
||||
|
||||
First you need to run the following scripts:
|
||||
|
||||
- https://github.com/TommyTran732/Linux-Setup-Scripts/blob/main/Ubuntu-24.04-Server.sh
|
||||
- https://github.com/TommyTran732/Linux-Setup-Scripts/blob/main/sample-scripts-Ubuntu-24.04-LEMP.sh
|
||||
|
||||
## Install composer
|
||||
|
||||
```
|
||||
php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
|
||||
php composer-setup.php
|
||||
php -r "unlink('composer-setup.php');"
|
||||
|
||||
sudo chown root:root composer.phar
|
||||
sudo mv composer.phar /usr/local/bin
|
||||
```
|
||||
|
||||
## Setup Directory Structure
|
||||
|
||||
```
|
||||
# Add unprivileged user for drupal
|
||||
sudo useradd -U -m -s /bin/bash drupal
|
||||
|
||||
# Make drupal directory
|
||||
|
||||
sudo mkdir -p /srv/drupal
|
||||
sudo chown drupal:drupal /srv/drupal
|
||||
|
||||
# Setup ACL
|
||||
sudo apt install -y acl
|
||||
sudo setfacl -dm u:nginx:rwx /srv/drupal
|
||||
sudo setfacl -m u:nginx:rwx /srv/drupal
|
||||
```
|
||||
|
||||
## Install Drupal
|
||||
|
||||
Switch to the `drupal` user:
|
||||
|
||||
```
|
||||
sudo su - drupal
|
||||
```
|
||||
|
||||
As the drupal user, run:
|
||||
|
||||
```
|
||||
cd /srv/drupal
|
||||
composer create-project drupal/recommended-project drupal.yourdomain.tld
|
||||
cp /srv/drupal/drupal.yourdomain.tld/web/sites/default/default.settings.php /srv/drupal/drupal.yourdomain.tld/web/sites/default/settings.php
|
||||
```
|
||||
|
||||
Exit the drupal user:
|
||||
```
|
||||
exit
|
||||
```
|
||||
|
||||
## Generate an SSL certificate
|
||||
|
||||
```
|
||||
certbot certonly --nginx --no-eff-email \
|
||||
--key-type ecdsa --must-staple \
|
||||
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
|
||||
--cert-name drupal.yourdomain.tld \
|
||||
-d drupal.yourdomain.tld
|
||||
```
|
||||
|
||||
## NGINX configuration file
|
||||
|
||||
As root, put the following file in `/etc/nginx/conf.d/sites_drupal.conf`:
|
||||
|
||||
```
|
||||
server {
|
||||
listen 443 quic reuseport;
|
||||
listen 443 ssl;
|
||||
listen [::]:443 quic reuseport;
|
||||
listen [::]:443 ssl;
|
||||
|
||||
server_name drupal.yourdomain.tld;
|
||||
|
||||
ssl_certificate /etc/letsencrypt/live/drupal.yourdomain.tld/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/drupal.yourdomain.tld/privkey.pem;
|
||||
ssl_trusted_certificate /etc/letsencrypt/live/drupal.yourdomain.tld/chain.pem;
|
||||
ssl_stapling_file /var/cache/certbot-ocsp-fetcher/drupal.yourdomain.tld.der;
|
||||
|
||||
include snippets/hsts.conf;
|
||||
include snippets/security.conf;
|
||||
include snippets/cross-origin-security.conf;
|
||||
include snippets/quic.conf;
|
||||
|
||||
add_header Content-Security-Policy "default-src 'none'; connect-src 'self'; font-src 'self'; img-src 'self' data:; script-src 'self'; style-src 'self' 'unsafe-inline'; base-uri 'none'; block-all-mixed-content; form-action 'none'; frame-ancestors 'self'; upgrade-insecure-requests";
|
||||
|
||||
index index.php;
|
||||
root /srv/drupal/drupal.yourdomain.tld/web;
|
||||
|
||||
location / {
|
||||
try_files $uri $uri/ /index.php?$args;
|
||||
}
|
||||
|
||||
location ~ \.php$ {
|
||||
fastcgi_pass unix:/var/run/php/php8.3-fpm.sock;
|
||||
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
||||
include fastcgi_params;
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
## Setup the Database for Drupal
|
||||
|
||||
As root, log into MariaDB:
|
||||
|
||||
```
|
||||
mariadb -uroot
|
||||
```
|
||||
|
||||
Run the following queries:
|
||||
```
|
||||
CREATE DATABASE drupal CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
|
||||
CREATE USER 'drupal'@'127.0.0.1' IDENTIFIED BY 'yourPassword';
|
||||
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, CREATE TEMPORARY TABLES ON drupal.* TO 'drupal'@'127.0.0.1';
|
||||
exit
|
||||
```
|
||||
|
||||
## Install drupal
|
||||
|
||||
Go to drupal.yourdomain.tld and follow the prompts.
|
||||
|
||||
Switch to the `drupal` user:
|
||||
|
||||
```
|
||||
sudo su - drupal
|
||||
```
|
||||
|
||||
As the drupal user, run:
|
||||
|
||||
```
|
||||
chmod 400 /srv/drupal/drupal.yourdomain.tld/web/sites/default/settings.php
|
||||
setfacl -m u:nginx:r /srv/drupal/drupal.yourdomain.tld/web/sites/default/settings.php
|
||||
```
|
@ -33,57 +33,54 @@ sudo ufw allow 443
|
||||
sudo curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor | sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null
|
||||
sudo chmod 644 /usr/share/keyrings/nginx-archive-keyring.gpg
|
||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/apt/sources.list.d/nginx.sources | sudo tee /etc/apt/sources.list.d/nginx.sources
|
||||
sudo chmod 644 /etc/apt/sources.list.d/nginx.sources
|
||||
chmod 644 /etc/apt/sources.list.d/nginx.sources
|
||||
|
||||
# Add the PHP PPA (Ubuntu repos do not have the latest version, and do not handle pinning properly)
|
||||
sudo add-apt-repository -y ppa:ondrej/php
|
||||
|
||||
# Add upstream MariaDB repo
|
||||
curl https://supplychain.mariadb.com/mariadb-keyring-2019.gpg | sudo tee /usr/share/keyrings/mariadb-keyring-2019.gpg
|
||||
sudo chmod 644 /usr/share/keyrings/mariadb-keyring-2019.gpg
|
||||
chmod 644 /usr/share/keyrings/mariadb-keyring-2019.gpg
|
||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/apt/sources.list.d/mariadb.sources | sudo tee /etc/apt/sources.list.d/mariadb.sources
|
||||
sudo chmod 644 /etc/apt/sources.list.d/maridadb.sources
|
||||
chmod 644 /etc/apt/sources.list.d/nginx.sources
|
||||
|
||||
# Update the VM again
|
||||
sudo apt update
|
||||
sudo apt full-upgrade -y
|
||||
|
||||
# Install the packages
|
||||
sudo apt install -y nginx mariadb-server php8.3 php8.3-cli php8.3-common php8.3-curl php8.3-fpm php8.3-gd php8.3-mbstring php8.3-mysql php8.3-opcache php8.3-readline php8.3-sqlite3 php8.3-xml php8.3-zip php8.3-apcu
|
||||
sudo apt install -y nginx mariadb-server mariadb-client php8.3 php8.3-cli php8.3-common php8.3-curl php8.3-fpm php8.3-gd php8.3-mbstring php8.3-mysql php8.3-opcache php8.3-readline php8.3-sqlite3 php8.3-xml php8.3-zip php8.3-apcu
|
||||
|
||||
# Install certbot
|
||||
sudo snap install --classic certbot
|
||||
sudo ln -s /snap/bin/certbot /usr/bin/certbot
|
||||
|
||||
# Secure MariaDB
|
||||
output "Running mariadb-secure-installation."
|
||||
output "You should answer yes to everything except setting the root password."
|
||||
output "This is already done via the UNIX socket if you switch it with the prompts so you should be okay."
|
||||
sudo mariadb-secure-installation
|
||||
output "Running mariadb_secure_installation. You should answer yes to everything."
|
||||
mariadb_secure_installation
|
||||
|
||||
# Port NGINX configs from https://github.com/TommyTran732/NGINX-Configs
|
||||
|
||||
sudo rm -rf /etc/nginx/conf.d/default.conf
|
||||
|
||||
## Setup webroot for NGINX
|
||||
sudo mkdir -p /srv/nginx
|
||||
sudo mkdir -p /srv/nginx/.well-known/acme-challenge
|
||||
|
||||
## NGINX hardening
|
||||
sudo mkdir -p /etc/systemd/system/nginx.service.d
|
||||
unpriv curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/nginx.service.d/local.conf | sudo tee /etc/systemd/system/nginx.service.d/override.conf
|
||||
sudo chmod 644 /etc/systemd/system/nginx.service.d/override.conf
|
||||
sudo systemctl daemon-reload
|
||||
|
||||
## Setup certbot-ocsp-fetcher
|
||||
unpriv curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/certbot-ocsp-fetcher | sudo tee /usr/local/bin/certbot-ocsp-fetcher
|
||||
sudo chmod u+x /usr/local/bin/certbot-ocsp-fetcher
|
||||
sudo mkdir -p /var/cache/certbot-ocsp-fetcher/
|
||||
sudo chmod 755 /var/cache/certbot-ocsp-fetcher/
|
||||
|
||||
## Setup nginx-create-session-ticket-keys
|
||||
unpriv curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/nginx-create-session-ticket-keys | sudo tee /usr/local/bin/nginx-create-session-ticket-keys
|
||||
sudo chmod u+x /usr/local/bin/nginx-create-session-ticket-keys
|
||||
|
||||
## Setup nginx-rotate-session-ticket-keys
|
||||
unpriv curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/nginx-rotate-session-ticket-keys | sudo tee /usr/local/bin/nginx-rotate-session-ticket-keys
|
||||
sudo chmod u+x /usr/local/bin/nginx-rotate-session-ticket-keys
|
||||
|
||||
## Download the units
|
||||
unpriv curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/certbot-ocsp-fetcher.service | sudo tee /etc/systemd/system/certbot-ocsp-fetcher.service
|
||||
@ -95,7 +92,6 @@ unpriv curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/sys
|
||||
## Systemd Hardening
|
||||
sudo mkdir -p /etc/systemd/system/nginx.service.d
|
||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/systemd/system/nginx.service.d/override.conf | sudo tee /etc/systemd/system/nginx.service.d/override.conf
|
||||
sudo chmod 644 /etc/systemd/system/nginx.service.d/override.conf
|
||||
sudo systemctl daemon-reload
|
||||
|
||||
## Enable the units
|
||||
@ -107,18 +103,14 @@ sudo systemctl enable --now nginx-rotate-session-ticket-keys.timer
|
||||
|
||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/conf.d/http2.conf | sudo tee /etc/nginx/conf.d/http2.conf
|
||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/conf.d/sites_default.conf | sudo tee /etc/nginx/conf.d/sites_default.conf
|
||||
sudo sed -i 's/include snippets/universal_paths.conf;//g' /etc/nginx/conf.d/sites_default.conf
|
||||
sudo sed -i 's/ipv4_1://g' /etc/nginx/conf.d/sites_default.conf
|
||||
sudo sed -i 's/ipv6_1/::/g' /etc/nginx/conf.d/sites_default.conf
|
||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/conf.d/tls.conf | sudo tee /etc/nginx/conf.d/tls.conf
|
||||
|
||||
sudo mkdir -p /etc/nginx/snippets
|
||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/hsts.conf | sudo tee /etc/nginx/snippets/hsts.conf
|
||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/tls.conf | sudo tee /etc/nginx/snippets/tls.conf
|
||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/proxy.conf | sudo tee /etc/nginx/snippets/proxy.conf
|
||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/quic.conf | sudo tee /etc/nginx/snippets/quic.conf
|
||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/security.conf | sudo tee /etc/nginx/snippets/security.conf
|
||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/cross-origin-security.conf | sudo tee /etc/nginx/snippets/cross-origin-security.conf
|
||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/universal_paths.conf | sudo tee /etc/nginx/snippets/universal_paths.conf
|
||||
|
||||
# Fix PHP permission
|
||||
sudo sed -i 's/www-data/nginx/g' /etc/php/8.3/fpm/pool.d/www.sock
|
||||
sudo systemctl restart php8.3-fpm
|
Loading…
Reference in New Issue
Block a user