1
0
mirror of https://github.com/tommytran732/Linux-Setup-Scripts synced 2024-11-23 09:51:32 -05:00

Compare commits

..

No commits in common. "f06107063aa32a44818a8a23a7afa297bcb3767f" and "e04febb0fe6c7685e1371ec6d701ce42be6d0a13" have entirely different histories.

11 changed files with 39 additions and 246 deletions

View File

@ -62,14 +62,13 @@ sudo chmod 644 /etc/ssh/sshd_config.d/10-custom.conf
unpriv curl -s https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/ssh/ssh_config.d/10-custom.conf | sudo tee /etc/ssh/ssh_config.d/10-custom.conf > /dev/null unpriv curl -s https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/ssh/ssh_config.d/10-custom.conf | sudo tee /etc/ssh/ssh_config.d/10-custom.conf > /dev/null
sudo chmod 644 /etc/ssh/ssh_config.d/10-custom.conf sudo chmod 644 /etc/ssh/ssh_config.d/10-custom.conf
sudo mkdir -p /etc/systemd/system/sshd.service.d/ sudo mkdir -p /etc/systemd/system/sshd.service.d/
sudo chmod 755 /etc/systemd/system/sshd.service.d/
unpriv curl -s https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/local.conf | sudo tee /etc/systemd/system/sshd.service.d/override.conf > /dev/null unpriv curl -s https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/local.conf | sudo tee /etc/systemd/system/sshd.service.d/override.conf > /dev/null
sudo chmod 644 /etc/systemd/system/sshd.service.d/override.conf sudo chmod 644 /etc/systemd/system/sshd.service.d/override.conf
sudo systemctl daemon-reload sudo systemctl daemon-reload
sudo systemctl restart sshd sudo systemctl restart sshd
# Security kernel settings # Security kernel settings
unpriv curl -s https://raw.githubusercontent.com/secureblue/secureblue/live/files/system/usr/etc/modprobe.d/blacklist.conf | sudo tee /etc/modprobe.d/server-blacklist.conf > /dev/null unpriv curl -s https://raw.githubusercontent.com/secureblue/secureblue/live/config/files/usr/etc/modprobe.d/blacklist.conf | sudo tee /etc/modprobe.d/server-blacklist.conf > /dev/null
sudo chmod 644 /etc/modprobe.d/server-blacklist.conf sudo chmod 644 /etc/modprobe.d/server-blacklist.conf
unpriv curl -s https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/sysctl.d/99-server.conf | sudo tee /etc/sysctl.d/99-server.conf > /dev/null unpriv curl -s https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/sysctl.d/99-server.conf | sudo tee /etc/sysctl.d/99-server.conf > /dev/null
sudo chmod 644 /etc/sysctl.d/99-server.conf sudo chmod 644 /etc/sysctl.d/99-server.conf
@ -163,7 +162,6 @@ else
fi fi
# Setup networking # Setup networking
sudo systemctl enable --now firewalld
sudo firewall-cmd --permanent --remove-service=cockpit sudo firewall-cmd --permanent --remove-service=cockpit
sudo firewall-cmd --reload sudo firewall-cmd --reload
sudo firewall-cmd --lockdown-on sudo firewall-cmd --lockdown-on

View File

@ -67,7 +67,7 @@ sudo chmod 644 /etc/ssh/ssh_config.d/10-custom.conf
if [ "${virtualization}" = 'parallels' ]; then if [ "${virtualization}" = 'parallels' ]; then
unpriv curl -s https://raw.githubusercontent.com/TommyTran732/Kernel-Module-Blacklist/main/etc/modprobe.d/workstation-blacklist.conf | sudo tee /etc/modprobe.d/workstation-blacklist.conf > /dev/null unpriv curl -s https://raw.githubusercontent.com/TommyTran732/Kernel-Module-Blacklist/main/etc/modprobe.d/workstation-blacklist.conf | sudo tee /etc/modprobe.d/workstation-blacklist.conf > /dev/null
else else
unpriv curl -s https://raw.githubusercontent.com/secureblue/secureblue/live/files/system/usr/etc/modprobe.d/blacklist.conf | sudo tee /etc/modprobe.d/workstation-blacklist.conf > /dev/null unpriv curl -s https://raw.githubusercontent.com/secureblue/secureblue/live/config/files/usr/etc/modprobe.d/blacklist.conf | sudo tee /etc/modprobe.d/workstation-blacklist.conf > /dev/null
fi fi
sudo chmod 644 /etc/modprobe.d/workstation-blacklist.conf sudo chmod 644 /etc/modprobe.d/workstation-blacklist.conf
unpriv curl -s https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/sysctl.d/99-workstation.conf | sudo tee /etc/sysctl.d/99-workstation.conf > /dev/null unpriv curl -s https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/sysctl.d/99-workstation.conf | sudo tee /etc/sysctl.d/99-workstation.conf > /dev/null
@ -241,7 +241,6 @@ else
fi fi
# Setup networking # Setup networking
sudo systemctl enable --now firewalld
sudo firewall-cmd --set-default-zone=block sudo firewall-cmd --set-default-zone=block
sudo firewall-cmd --permanent --add-service=dhcpv6-client sudo firewall-cmd --permanent --add-service=dhcpv6-client
sudo firewall-cmd --reload sudo firewall-cmd --reload

View File

@ -37,8 +37,7 @@ systemctl restart chronyd
curl -s https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/ssh/sshd_config.d/10-custom.conf | tee /etc/ssh/sshd_config.d/10-custom.conf > /dev/null curl -s https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/ssh/sshd_config.d/10-custom.conf | tee /etc/ssh/sshd_config.d/10-custom.conf > /dev/null
sed -i 's/PermitRootLogin no/PermitRootLogin yes/g' /etc/ssh/sshd_config.d/10-custom.conf sed -i 's/PermitRootLogin no/PermitRootLogin yes/g' /etc/ssh/sshd_config.d/10-custom.conf
curl -s https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/ssh/ssh_config.d/10-custom.conf | tee /etc/ssh/ssh_config.d/10-custom.conf > /dev/null curl -s https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/ssh/ssh_config.d/10-custom.conf | tee /etc/ssh/ssh_config.d/10-custom.conf > /dev/null
sudo mkdir -p /etc/systemd/system/sshd.service.d/ mkdir -p /etc/systemd/system/ssh.service.d
sudo chmod 755 /etc/systemd/system/sshd.service.d/
curl -s https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/local.conf | tee /etc/systemd/system/ssh.service.d/override.conf > /dev/null curl -s https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/local.conf | tee /etc/systemd/system/ssh.service.d/override.conf > /dev/null
systemctl daemon-reload systemctl daemon-reload
systemctl restart sshd systemctl restart sshd
@ -74,7 +73,7 @@ proxmox-boot-tool refresh
### ###
# Kernel hardening # Kernel hardening
curl -s https://raw.githubusercontent.com/secureblue/secureblue/live/files/system/usr/etc/modprobe.d/blacklist.conf | tee /etc/modprobe.d/server-blacklist.conf > /dev/null curl -s https://raw.githubusercontent.com/secureblue/secureblue/live/config/files/usr/etc/modprobe.d/blacklist.conf | tee /etc/modprobe.d/server-blacklist.conf > /dev/null
curl -s https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/sysctl.d/99-server.conf | tee /etc/sysctl.d/99-server.conf > /dev/null curl -s https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/sysctl.d/99-server.conf | tee /etc/sysctl.d/99-server.conf > /dev/null
sysctl -p sysctl -p

View File

@ -56,14 +56,12 @@ unpriv curl -s https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Script
sudo chmod 644 /etc/ssh/sshd_config.d/10-custom.conf sudo chmod 644 /etc/ssh/sshd_config.d/10-custom.conf
unpriv curl -s https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/ssh/ssh_config.d/10-custom.conf | sudo tee /etc/ssh/ssh_config.d/10-custom.conf > /dev/null unpriv curl -s https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/ssh/ssh_config.d/10-custom.conf | sudo tee /etc/ssh/ssh_config.d/10-custom.conf > /dev/null
sudo chmod 644 /etc/ssh/ssh_config.d/10-custom.conf sudo chmod 644 /etc/ssh/ssh_config.d/10-custom.conf
sudo mkdir -p /etc/systemd/system/sshd.service.d/
sudo chmod 755 /etc/systemd/system/sshd.service.d/
unpriv curl -s https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/local.conf | sudo tee /etc/systemd/system/sshd.service.d/override.conf > /dev/null unpriv curl -s https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/local.conf | sudo tee /etc/systemd/system/sshd.service.d/override.conf > /dev/null
sudo systemctl daemon-reload sudo systemctl daemon-reload
sudo systemctl restart sshd sudo systemctl restart sshd
# Security kernel settings # Security kernel settings
unpriv curl -s https://raw.githubusercontent.com/secureblue/secureblue/live/files/system/usr/etc/modprobe.d/blacklist.conf | sudo tee /etc/modprobe.d/server-blacklist.conf > /dev/null unpriv curl -s https://raw.githubusercontent.com/secureblue/secureblue/live/config/files/usr/etc/modprobe.d/blacklist.conf | sudo tee /etc/modprobe.d/server-blacklist.conf > /dev/null
sudo chmod 644 /etc/modprobe.d/server-blacklist.conf sudo chmod 644 /etc/modprobe.d/server-blacklist.conf
unpriv curl -s https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/sysctl.d/99-server.conf | sudo tee /etc/sysctl.d/99-server.conf > /dev/null unpriv curl -s https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/sysctl.d/99-server.conf | sudo tee /etc/sysctl.d/99-server.conf > /dev/null
sudo chmod 644 /etc/sysctl.d/99-server.conf sudo chmod 644 /etc/sysctl.d/99-server.conf
@ -186,7 +184,6 @@ else
fi fi
# Setup networking # Setup networking
sudo systemctl enable --now firewalld
sudo firewall-cmd --permanent --remove-service=cockpit sudo firewall-cmd --permanent --remove-service=cockpit
sudo firewall-cmd --reload sudo firewall-cmd --reload
sudo firewall-cmd --lockdown-on sudo firewall-cmd --lockdown-on

View File

@ -60,7 +60,7 @@ if [ "${virtualization}" = 'parallels' ]; then
unpriv curl -s https://raw.githubusercontent.com/TommyTran732/Kernel-Module-Blacklist/main/etc/modprobe.d/workstation-blacklist.conf | sudo tee /etc/modprobe.d/workstation-blacklist.conf > /dev/null unpriv curl -s https://raw.githubusercontent.com/TommyTran732/Kernel-Module-Blacklist/main/etc/modprobe.d/workstation-blacklist.conf | sudo tee /etc/modprobe.d/workstation-blacklist.conf > /dev/null
sudo chmod 644 /etc/modprobe.d/workstation-blacklist.conf sudo chmod 644 /etc/modprobe.d/workstation-blacklist.conf
else else
unpriv curl -s https://raw.githubusercontent.com/secureblue/secureblue/live/files/system/usr/etc/modprobe.d/blacklist.conf | sudo tee /etc/modprobe.d/workstation-blacklist.conf > /dev/null unpriv curl -s https://raw.githubusercontent.com/secureblue/secureblue/live/config/files/usr/etc/modprobe.d/blacklist.conf | sudo tee /etc/modprobe.d/workstation-blacklist.conf > /dev/null
sudo chmod 644 /etc/modprobe.d/workstation-blacklist.conf sudo chmod 644 /etc/modprobe.d/workstation-blacklist.conf
fi fi
sudo chmod 644 /etc/modprobe.d/workstation-blacklist.conf sudo chmod 644 /etc/modprobe.d/workstation-blacklist.conf

View File

@ -55,15 +55,14 @@ unpriv curl -s https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Script
sudo chmod 644 /etc/ssh/sshd_config.d/10-custom.conf sudo chmod 644 /etc/ssh/sshd_config.d/10-custom.conf
unpriv curl -s https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/ssh/ssh_config.d/10-custom.conf | sudo tee /etc/ssh/ssh_config.d/10-custom.conf > /dev/null unpriv curl -s https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/ssh/ssh_config.d/10-custom.conf | sudo tee /etc/ssh/ssh_config.d/10-custom.conf > /dev/null
sudo chmod 644 /etc/ssh/ssh_config.d/10-custom.conf sudo chmod 644 /etc/ssh/ssh_config.d/10-custom.conf
sudo mkdir -p /etc/systemd/system/sshd.service.d/ sudo mkdir -p /etc/systemd/system/ssh.service.d
sudo chmod 755 /etc/systemd/system/sshd.service.d/
unpriv curl -s https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/local.conf | sudo tee /etc/systemd/system/ssh.service.d/override.conf > /dev/null unpriv curl -s https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/local.conf | sudo tee /etc/systemd/system/ssh.service.d/override.conf > /dev/null
sudo chmod 644 /etc/systemd/system/ssh.service.d/override.conf sudo chmod 644 /etc/systemd/system/ssh.service.d/override.conf
sudo systemctl daemon-reload sudo systemctl daemon-reload
sudo systemctl restart ssh sudo systemctl restart ssh
# Security kernel settings # Security kernel settings
unpriv curl -s https://raw.githubusercontent.com/secureblue/secureblue/live/files/system/usr/etc/modprobe.d/blacklist.conf | sudo tee /etc/modprobe.d/server-blacklist.conf > /dev/null unpriv curl -s https://raw.githubusercontent.com/secureblue/secureblue/live/config/files/usr/etc/modprobe.d/blacklist.conf | sudo tee /etc/modprobe.d/server-blacklist.conf > /dev/null
sudo chmod 644 /etc/modprobe.d/server-blacklist.conf sudo chmod 644 /etc/modprobe.d/server-blacklist.conf
unpriv curl -s https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/sysctl.d/99-server.conf | sudo tee /etc/sysctl.d/99-server.conf > /dev/null unpriv curl -s https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/sysctl.d/99-server.conf | sudo tee /etc/sysctl.d/99-server.conf > /dev/null
sudo chmod 644 /etc/sysctl.d/99-server.conf sudo chmod 644 /etc/sysctl.d/99-server.conf

View File

@ -1,15 +0,0 @@
[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=0
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true
[nginx-mainline]
name=nginx mainline repo
baseurl=http://nginx.org/packages/mainline/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true

View File

@ -1,137 +0,0 @@
# Ubuntu 24.04 LEMP Drupal
First you need to run the following scripts:
- https://github.com/TommyTran732/Linux-Setup-Scripts/blob/main/RHEL-9.sh
- https://github.com/TommyTran732/Linux-Setup-Scripts/blob/main/sample-scripts-RHEL-9-LEMP.sh
## Install composer
```
sudo dnf install -y composer
```
## Setup Directory Structure
```
# Add unprivileged user for drupal
sudo useradd -U -m -s /bin/bash drupal
# Make drupal directory
sudo mkdir -p /srv/drupal
sudo chown drupal:drupal /srv/drupal
# Setup ACL
sudo setfacl -dm u:nginx:rwx /srv/drupal
sudo setfacl -m u:nginx:rwx /srv/drupal
# Setup SELinux context
sudo semanage fcontext -a -t httpd_sys_content_t "$(realpath /srv/drupal)(/.*)?"
```
## Install Drupal
Switch to the `drupal` user:
```
sudo su - drupal
```
As the drupal user, run:
```
cd /srv/drupal
composer create-project drupal/recommended-project drupal.yourdomain.tld
cp /srv/drupal/drupal.yourdomain.tld/web/sites/default/default.settings.php /srv/drupal/drupal.yourdomain.tld/web/sites/default/settings.php
```
Exit the drupal user:
```
exit
```
## Generate an SSL certificate
```
certbot certonly --nginx --no-eff-email \
--key-type ecdsa
--cert-name drupal.yourdomain.tld \
-d drupal.yourdomain.tld
```
## NGINX configuration file
As root, download [this file](https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/sample-configurations/snippets/security-drupal-no-proxy.conf) and put it in `/etc/nginx/conf.d/snippets.conf`
As root, put the following file in `/etc/nginx/conf.d/sites_drupal.conf`:
```
server {
listen 443 quic reuseport;
listen 443 ssl;
listen [::]:443 quic reuseport;
listen [::]:443 ssl;
server_name drupal.yourdomain.tld;
ssl_certificate /etc/letsencrypt/live/drupal.yourdomain.tld/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/drupal.yourdomain.tld/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/drupal.yourdomain.tld/chain.pem;
include snippets/hsts.conf;
include snippets/security-drupal-no-proxy.conf;
include snippets/cross-origin-security.conf;
include snippets/quic.conf;
add_header Content-Security-Policy "default-src 'none'; connect-src 'self'; font-src 'self'; img-src 'self' data:; script-src 'self'; style-src 'self' 'unsafe-inline'; base-uri 'none'; block-all-mixed-content; form-action 'none'; frame-ancestors 'self'; upgrade-insecure-requests";
index index.php;
root /srv/drupal/drupal.yourdomain.tld/web;
location / {
try_files $uri $uri/ /index.php?$args;
}
location ~ \.php$ {
fastcgi_pass unix:/var/run/php-fpm/www.sock;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
}
```
**Notes**: `listen 443 quic reuseport;` is only needed once. If you plan to have multiple vhosts on this setup with SSL, consider making a dedicated vhost for this config so that it is nicer and easier to manage. An example can be found [here](https://github.com/TommyTran732/NGINX-Configs/blob/main/etc/nginx/conf.d/sites_default_quic.conf).
## Setup the Database for Drupal
As root, log into MariaDB:
```
mariadb -uroot
```
Run the following queries:
```
CREATE DATABASE drupal CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
CREATE USER 'drupal'@'127.0.0.1' IDENTIFIED BY 'yourPassword';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, CREATE TEMPORARY TABLES ON drupal.* TO 'drupal'@'127.0.0.1';
exit
```
## Configure Drupal
Go to drupal.yourdomain.tld and follow the prompts.
Switch to the `drupal` user:
```
sudo su - drupal
```
As the drupal user, run:
```
chmod 400 /srv/drupal/drupal.yourdomain.tld/web/sites/default/settings.php
setfacl -m u:nginx:r /srv/drupal/drupal.yourdomain.tld/web/sites/default/settings.php
```

View File

@ -1,58 +0,0 @@
#!/bin/sh
# Copyright (C) 2024 Thien Tran
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy of
# the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations under
# the License.
# Assumes that it is run AFTER https://github.com/TommyTran732/Linux-Setup-Scripts/blob/main/RHEL.sh
set -eu
output(){
printf '\e[1;34m%-6s\e[m\n' "${@}"
}
unpriv(){
sudo -u nobody "$@"
}
# Remove hardened_malloc (It breaks php-fpm)
sudo dnf remove -y hardened_malloc
# Install NGINX
unpriv curl -s https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/yum.repos.d/nginx.repo | sudo tee /etc/yum.repos.d/nginx.repo > /dev/null
sudo chmod 644 /etc/yum.repos.d/nginx.repo
sudo dnf install -y nginx
# Install certbot
sudo dnf install -y certbot
# Install PHP
sudo subscription-manager repos --enable "codeready-builder-for-rhel-9-$(arch)-rpms"
sudo dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm
sudo dnf install -y https://rpms.remirepo.net/enterprise/remi-release-9.rpm
sudo dnf module install -y php:remi-8.3/common
sudo systemctl enable --now php-fpm
# Install MariaDB
unpriv curl -LsS https://r.mariadb.com/downloads/mariadb_repo_setup | sudo bash
sudo dnf install -y MariaDB-server
# Run NGINX Setup script
unpriv curl -LsS https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/setup.sh | sudo bash
# Fix PHP permission
sudo sed -i 's/user = apache/user = nginx/g' /etc/php-fpm.d/www.conf
sudo sed -i 's/group = apache/group = nginx/g' /etc/php-fpm.d/www.conf
sudo chgrp nginx /var/lib/php/opcache /var/lib/php/session /var/lib/php/wsdlcache
sudo systemctl restart php-fpm

View File

@ -58,7 +58,8 @@ exit
``` ```
certbot certonly --nginx --no-eff-email \ certbot certonly --nginx --no-eff-email \
--key-type ecdsa --key-type ecdsa --must-staple \
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
--cert-name drupal.yourdomain.tld \ --cert-name drupal.yourdomain.tld \
-d drupal.yourdomain.tld -d drupal.yourdomain.tld
``` ```
@ -81,6 +82,7 @@ server {
ssl_certificate /etc/letsencrypt/live/drupal.yourdomain.tld/fullchain.pem; ssl_certificate /etc/letsencrypt/live/drupal.yourdomain.tld/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/drupal.yourdomain.tld/privkey.pem; ssl_certificate_key /etc/letsencrypt/live/drupal.yourdomain.tld/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/drupal.yourdomain.tld/chain.pem; ssl_trusted_certificate /etc/letsencrypt/live/drupal.yourdomain.tld/chain.pem;
ssl_stapling_file /var/cache/certbot-ocsp-fetcher/drupal.yourdomain.tld.der;
include snippets/hsts.conf; include snippets/hsts.conf;
include snippets/security-drupal-no-proxy.conf; include snippets/security-drupal-no-proxy.conf;

View File

@ -32,18 +32,18 @@ sudo ufw allow 443
# Add mainline NGINX repo # Add mainline NGINX repo
# This is extremely important as Ubuntu keeps shipping outdated NGINX # This is extremely important as Ubuntu keeps shipping outdated NGINX
unpriv curl -s https://nginx.org/keys/nginx_signing.key | gpg --dearmor | sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null unpriv curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor | sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null
sudo chmod 644 /usr/share/keyrings/nginx-archive-keyring.gpg sudo chmod 644 /usr/share/keyrings/nginx-archive-keyring.gpg
unpriv curl -s https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/apt/sources.list.d/nginx.sources | sudo tee /etc/apt/sources.list.d/nginx.sources > /dev/null > /dev/null unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/apt/sources.list.d/nginx.sources | sudo tee /etc/apt/sources.list.d/nginx.sources
sudo chmod 644 /etc/apt/sources.list.d/nginx.sources sudo chmod 644 /etc/apt/sources.list.d/nginx.sources
# Add the PHP PPA (Ubuntu repos do not have the latest version, and do not handle pinning properly) # Add the PHP PPA (Ubuntu repos do not have the latest version, and do not handle pinning properly)
sudo add-apt-repository -y ppa:ondrej/php sudo add-apt-repository -y ppa:ondrej/php
# Add upstream MariaDB repo # Add upstream MariaDB repo
unpriv curl -s https://supplychain.mariadb.com/mariadb-keyring-2019.gpg | sudo tee /usr/share/keyrings/mariadb-keyring-2019.gpg unpriv curl https://supplychain.mariadb.com/mariadb-keyring-2019.gpg | sudo tee /usr/share/keyrings/mariadb-keyring-2019.gpg
sudo chmod 644 /usr/share/keyrings/mariadb-keyring-2019.gpg sudo chmod 644 /usr/share/keyrings/mariadb-keyring-2019.gpg
unpriv curl -s https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/apt/sources.list.d/mariadb.sources | sudo tee /etc/apt/sources.list.d/mariadb.sources > /dev/null unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/apt/sources.list.d/mariadb.sources | sudo tee /etc/apt/sources.list.d/mariadb.sources
sudo chmod 644 /etc/apt/sources.list.d/maridadb.sources sudo chmod 644 /etc/apt/sources.list.d/maridadb.sources
# Update the VM again # Update the VM again
@ -69,48 +69,57 @@ sudo rm -rf /etc/nginx/conf.d/default.conf
## NGINX hardening ## NGINX hardening
sudo mkdir -p /etc/systemd/system/nginx.service.d sudo mkdir -p /etc/systemd/system/nginx.service.d
unpriv curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/nginx.service.d/local.conf | sudo tee /etc/systemd/system/nginx.service.d/override.conf > /dev/null unpriv curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/nginx.service.d/local.conf | sudo tee /etc/systemd/system/nginx.service.d/override.conf
sudo chmod 644 /etc/systemd/system/nginx.service.d/override.conf sudo chmod 644 /etc/systemd/system/nginx.service.d/override.conf
sudo systemctl daemon-reload sudo systemctl daemon-reload
## Setup certbot-ocsp-fetcher
unpriv curl https://raw.githubusercontent.com/tomwassenberg/certbot-ocsp-fetcher/main/certbot-ocsp-fetcher | sudo tee /usr/local/bin/certbot-ocsp-fetcher
sudo chmod u+x /usr/local/bin/certbot-ocsp-fetcher
sudo mkdir -p /var/cache/certbot-ocsp-fetcher/
sudo chmod 755 /var/cache/certbot-ocsp-fetcher/
## Setup nginx-create-session-ticket-keys ## Setup nginx-create-session-ticket-keys
unpriv curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/nginx-create-session-ticket-keys | sudo tee /usr/local/bin/nginx-create-session-ticket-keys > /dev/null unpriv curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/nginx-create-session-ticket-keys | sudo tee /usr/local/bin/nginx-create-session-ticket-keys
sudo chmod u+x /usr/local/bin/nginx-create-session-ticket-keys sudo chmod u+x /usr/local/bin/nginx-create-session-ticket-keys
## Setup nginx-rotate-session-ticket-keys ## Setup nginx-rotate-session-ticket-keys
unpriv curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/nginx-rotate-session-ticket-keys | sudo tee /usr/local/bin/nginx-rotate-session-ticket-keys > /dev/null unpriv curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/nginx-rotate-session-ticket-keys | sudo tee /usr/local/bin/nginx-rotate-session-ticket-keys
sudo chmod u+x /usr/local/bin/nginx-rotate-session-ticket-keys sudo chmod u+x /usr/local/bin/nginx-rotate-session-ticket-keys
## Download the units ## Download the units
unpriv curl -s https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/nginx-create-session-ticket-keys.service | sudo tee /etc/systemd/system/nginx-create-session-ticket-keys.service > /dev/null unpriv curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/certbot-ocsp-fetcher.service | sudo tee /etc/systemd/system/certbot-ocsp-fetcher.service
unpriv curl -s https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/nginx-rotate-session-ticket-keys.service | sudo tee /etc/systemd/system/nginx-rotate-session-ticket-keys.service > /dev/null unpriv curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/certbot-ocsp-fetcher.timer | sudo tee /etc/systemd/system/certbot-ocsp-fetcher.timer
unpriv curl -s https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/nginx-rotate-session-ticket-keys.timer | sudo tee /etc/systemd/system/nginx-rotate-session-ticket-keys.timer > /dev/null unpriv curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/nginx-create-session-ticket-keys.service | sudo tee /etc/systemd/system/nginx-create-session-ticket-keys.service
unpriv curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/nginx-rotate-session-ticket-keys.service | sudo tee /etc/systemd/system/nginx-rotate-session-ticket-keys.service
unpriv curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/nginx-rotate-session-ticket-keys.timer | sudo tee /etc/systemd/system/nginx-rotate-session-ticket-keys.timer
## Systemd Hardening ## Systemd Hardening
sudo mkdir -p /etc/systemd/system/nginx.service.d sudo mkdir -p /etc/systemd/system/nginx.service.d
unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/systemd/system/nginx.service.d/override.conf | sudo tee /etc/systemd/system/nginx.service.d/override.conf > /dev/null unpriv curl https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/systemd/system/nginx.service.d/override.conf | sudo tee /etc/systemd/system/nginx.service.d/override.conf
sudo chmod 644 /etc/systemd/system/nginx.service.d/override.conf sudo chmod 644 /etc/systemd/system/nginx.service.d/override.conf
sudo systemctl daemon-reload sudo systemctl daemon-reload
## Enable the units ## Enable the units
sudo systemctl enable certbot-ocsp-fetcher.timer
sudo systemctl enable --now nginx-create-session-ticket-keys.service sudo systemctl enable --now nginx-create-session-ticket-keys.service
sudo systemctl enable --now nginx-rotate-session-ticket-keys.timer sudo systemctl enable --now nginx-rotate-session-ticket-keys.timer
## Download NGINX configs ## Download NGINX configs
unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/conf.d/http2.conf | sudo tee /etc/nginx/conf.d/http2.conf > /dev/null unpriv curl https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/conf.d/http2.conf | sudo tee /etc/nginx/conf.d/http2.conf
unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/conf.d/sites_default.conf | sudo tee /etc/nginx/conf.d/sites_default.conf > /dev/null unpriv curl https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/conf.d/sites_default.conf | sudo tee /etc/nginx/conf.d/sites_default.conf
sudo sed -i 's/include snippets/universal_paths.conf;//g' /etc/nginx/conf.d/sites_default.conf sudo sed -i 's/include snippets/universal_paths.conf;//g' /etc/nginx/conf.d/sites_default.conf
sudo sed -i 's/ipv4_1://g' /etc/nginx/conf.d/sites_default.conf sudo sed -i 's/ipv4_1://g' /etc/nginx/conf.d/sites_default.conf
sudo sed -i 's/ipv6_1/::/g' /etc/nginx/conf.d/sites_default.conf sudo sed -i 's/ipv6_1/::/g' /etc/nginx/conf.d/sites_default.conf
unpriv curl https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/conf.d/tls.conf | sudo tee /etc/nginx/conf.d/tls.conf > /dev/null unpriv curl https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/conf.d/tls.conf | sudo tee /etc/nginx/conf.d/tls.conf
sudo mkdir -p /etc/nginx/snippets sudo mkdir -p /etc/nginx/snippets
unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/hsts.conf | sudo tee /etc/nginx/snippets/hsts.conf > /dev/null unpriv curl https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/hsts.conf | sudo tee /etc/nginx/snippets/hsts.conf
unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/proxy.conf | sudo tee /etc/nginx/snippets/proxy.conf > /dev/null unpriv curl https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/proxy.conf | sudo tee /etc/nginx/snippets/proxy.conf
unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/quic.conf | sudo tee /etc/nginx/snippets/quic.conf > /dev/null unpriv curl https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/quic.conf | sudo tee /etc/nginx/snippets/quic.conf
unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/security.conf | sudo tee /etc/nginx/snippets/security.conf > /dev/null unpriv curl https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/security.conf | sudo tee /etc/nginx/snippets/security.conf
unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/cross-origin-security.conf | sudo tee /etc/nginx/snippets/cross-origin-security.conf > /dev/null unpriv curl https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/cross-origin-security.conf | sudo tee /etc/nginx/snippets/cross-origin-security.conf
# Fix PHP permission # Fix PHP permission
sudo sed -i 's/www-data/nginx/g' /etc/php/8.3/fpm/pool.d/www.sock sudo sed -i 's/www-data/nginx/g' /etc/php/8.3/fpm/pool.d/www.sock