1
0
mirror of https://github.com/tommytran732/Linux-Setup-Scripts synced 2024-10-29 15:51:32 -04:00

Compare commits

..

No commits in common. "ff53556f25aea34c8a66bb733e233780bd739753" and "01da22602b9be57549f1497e7a76ca704b0d5403" have entirely different histories.

5 changed files with 491 additions and 0 deletions

5
sample-scripts/README.md Normal file
View File

@ -0,0 +1,5 @@
# Sample Scripts
These are sample scripts to set up some common stacks, meant to be run after the main scripts have been run.
I am writing these for convenience and to do demos. I do not actually use them in production, so they will not be maintained properly like the main scripts.

View File

@ -0,0 +1,155 @@
# RHEL 9 LEMP Drupal Multisite
First you need to run the following scripts:
- https://github.com/TommyTran732/Linux-Setup-Scripts/blob/main/RHEL-9.sh
- https://github.com/TommyTran732/Linux-Setup-Scripts/blob/main/sample-scripts/RHEL-9-LEMP.sh
## Install composer
```
sudo dnf install -y composer
```
## Install other necessary packages
```
sudo dnf install -y php-gd php-mysqlnd php-opcache php-pdo unzip
```
## Setup Directory Structure
```
# Add unprivileged user for drupal
sudo useradd -U -m -s /bin/bash drupal
# Make drupal directory
sudo mkdir -p /srv/drupal
sudo chown drupal:drupal /srv/drupal
# Setup ACL
sudo setfacl -dm u:nginx:rwx /srv/drupal
sudo setfacl -m u:nginx:rwx /srv/drupal
# Setup SELinux context
sudo semanage fcontext -a -t httpd_sys_content_t "$(realpath /srv/drupal)(/.*)?"
sudo semanage fcontext -a -t httpd_sys_rw_content_t "$(realpath /srv/drupal)(/.*)/web/sites(/.*)/files(/.*)?"
sudo semanage fcontext -a -t httpd_sys_rw_content_t "$(realpath /srv/drupal)(/.*)/web/sites(/.*)/settings.php"
sudo restorecon -Rv /srv/drupal
```
## Install Drupal
Switch to the `drupal` user:
```
sudo su - drupal
```
As the drupal user, run:
```
# This is only needed on RHEL, for some reason upstream composer on Ubuntu sets the correct permission regardless of umask
umask 022
cd /srv/drupal
composer create-project drupal/recommended-project drupal.yourdomain.tld
cp /srv/drupal/drupal.yourdomain.tld/web/sites/default/default.settings.php /srv/drupal/drupal.yourdomain.tld/web/sites/default/settings.php
```
Exit the drupal user:
```
exit
```
Fix the labels (why mkdir is giving us the wrong label idk, need more investigation):
```
sudo restorecon -Rv /srv/drupal
```
## Generate an SSL certificate
```
certbot certonly --nginx --no-eff-email \
--key-type ecdsa \
--cert-name drupal.yourdomain.tld \
-d drupal.yourdomain.tld
```
## NGINX configuration file
As root, download [this file](https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/sample-configurations/snippets/security-drupal-no-proxy.conf) and put it in `/etc/nginx/snippets/security-drupal-no-proxy.conf`
As root, put the following file in `/etc/nginx/conf.d/sites_drupal.conf`:
```
server {
listen 443 quic reuseport;
listen 443 ssl;
listen [::]:443 quic reuseport;
listen [::]:443 ssl;
server_name drupal.yourdomain.tld;
ssl_certificate /etc/letsencrypt/live/drupal.yourdomain.tld/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/drupal.yourdomain.tld/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/drupal.yourdomain.tld/chain.pem;
include snippets/hsts.conf;
include snippets/security-drupal-no-proxy.conf;
include snippets/cross-origin-security.conf;
include snippets/quic.conf;
add_header Content-Security-Policy "default-src 'none'; connect-src 'self'; font-src 'self'; img-src 'self' data:; script-src 'self'; style-src 'self' 'unsafe-inline'; base-uri 'none'; block-all-mixed-content; form-action 'self'; frame-ancestors 'self'; upgrade-insecure-requests";
index index.php;
root /srv/drupal/drupal.yourdomain.tld/web;
location / {
try_files $uri $uri/ /index.php?$args;
}
location ~ \.php$ {
fastcgi_pass unix:/var/run/php-fpm/www.sock;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
}
```
**Notes**: `listen 443 quic reuseport;` is only needed once. If you plan to have multiple vhosts on this setup with SSL, consider making a dedicated vhost for this config so that it is nicer and easier to manage. An example can be found [here](https://github.com/TommyTran732/NGINX-Configs/blob/main/etc/nginx/conf.d/sites_default_quic.conf).
## Setup the Database for Drupal
As root, log into MariaDB:
```
mariadb -uroot
```
Run the following queries:
```
CREATE DATABASE drupal_default CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
CREATE USER 'drupal_default'@'127.0.0.1' IDENTIFIED BY 'yourPassword';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, CREATE TEMPORARY TABLES ON drupal_default.* TO 'drupal_default'@'127.0.0.1';
exit
```
## Configure Drupal
Go to drupal.yourdomain.tld and follow the prompts.
Switch to the `drupal` user:
```
sudo su - drupal
```
As the drupal user, run:
```
chmod 400 /srv/drupal/drupal.yourdomain.tld/web/sites/default/settings.php
setfacl -m u:nginx:r /srv/drupal/drupal.yourdomain.tld/web/sites/default/settings.php
```

View File

@ -0,0 +1,68 @@
#!/bin/sh
# Copyright (C) 2024 Thien Tran
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy of
# the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations under
# the License.
# Assumes that it is run AFTER https://github.com/TommyTran732/Linux-Setup-Scripts/blob/main/RHEL.sh
set -eu
output(){
printf '\e[1;34m%-6s\e[m\n' "${@}"
}
unpriv(){
sudo -u nobody "$@"
}
# Remove hardened_malloc (It breaks php-fpm)
sudo rm -rf /etc/ld.so.preload
sudo dnf remove -y hardened_malloc
# Install NGINX
unpriv curl -s https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/yum.repos.d/nginx.repo | sudo tee /etc/yum.repos.d/nginx.repo > /dev/null
sudo chmod 644 /etc/yum.repos.d/nginx.repo
sudo dnf install -y nginx
# Install EPEL
sudo subscription-manager repos --enable "codeready-builder-for-rhel-9-$(arch)-rpms"
sudo dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm
# Install certbot
sudo dnf install -y certbot python3-certbot-nginx
# Install PHP
sudo dnf install -y https://rpms.remirepo.net/enterprise/remi-release-9.rpm
sudo dnf module install -y php:remi-8.3/common
sudo systemctl enable --now php-fpm
# Install MariaDB
unpriv curl -LsS https://r.mariadb.com/downloads/mariadb_repo_setup | sudo bash
sudo dnf install -y MariaDB-server
sudo systemctl enable --now mariadb
# Secure MariaDB
output "Running mariadb-secure-installation."
output "You should answer yes to everything except setting the root password."
output "This is already done via the UNIX socket if you switch it with the prompts so you should be okay."
sudo mariadb-secure-installation
# Run NGINX Setup script
unpriv curl -LsS https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/setup.sh | sudo bash
# Fix PHP permission
sudo sed -i 's/user = apache/user = nginx/g' /etc/php-fpm.d/www.conf
sudo sed -i 's/group = apache/group = nginx/g' /etc/php-fpm.d/www.conf
sudo chgrp nginx /var/lib/php/opcache /var/lib/php/session /var/lib/php/wsdlcache
sudo systemctl restart php-fpm

View File

@ -0,0 +1,146 @@
# Ubuntu 24.04 LEMP Drupal
First you need to run the following scripts:
- https://github.com/TommyTran732/Linux-Setup-Scripts/blob/main/Ubuntu-24.04-Server.sh
- https://github.com/TommyTran732/Linux-Setup-Scripts/blob/main/sample-scripts/Ubuntu-24.04-LEMP.sh
## Install composer
```
php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
php composer-setup.php
php -r "unlink('composer-setup.php');"
sudo chown root:root composer.phar
sudo mv composer.phar /usr/local/bin
```
## Install other necessary packages
```
sudo apt install -y unzip
```
## Setup Directory Structure
```
# Add unprivileged user for drupal
sudo useradd -U -m -s /bin/bash drupal
# Make drupal directory
sudo mkdir -p /srv/drupal
sudo chown drupal:drupal /srv/drupal
# Setup ACL
sudo apt install -y acl
sudo setfacl -dm u:nginx:rwx /srv/drupal
sudo setfacl -m u:nginx:rwx /srv/drupal
```
## Install Drupal
Switch to the `drupal` user:
```
sudo su - drupal
```
As the drupal user, run:
```
cd /srv/drupal
composer create-project drupal/recommended-project drupal.yourdomain.tld
cp /srv/drupal/drupal.yourdomain.tld/web/sites/default/default.settings.php /srv/drupal/drupal.yourdomain.tld/web/sites/default/settings.php
```
Exit the drupal user:
```
exit
```
## Generate an SSL certificate
```
certbot certonly --nginx --no-eff-email \
--key-type ecdsa \
--cert-name drupal.yourdomain.tld \
-d drupal.yourdomain.tld
```
## NGINX configuration file
As root, download [this file](https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/sample-configurations/snippets/security-drupal-no-proxy.conf) and put it in `/etc/nginx/snippets/security-drupal-no-proxy.conf`
As root, put the following file in `/etc/nginx/conf.d/sites_drupal.conf`:
```
server {
listen 443 quic reuseport;
listen 443 ssl;
listen [::]:443 quic reuseport;
listen [::]:443 ssl;
server_name drupal.yourdomain.tld;
ssl_certificate /etc/letsencrypt/live/drupal.yourdomain.tld/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/drupal.yourdomain.tld/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/drupal.yourdomain.tld/chain.pem;
include snippets/hsts.conf;
include snippets/security-drupal-no-proxy.conf;
include snippets/cross-origin-security.conf;
include snippets/quic.conf;
add_header Content-Security-Policy "default-src 'none'; connect-src 'self'; font-src 'self'; img-src 'self' data:; script-src 'self'; style-src 'self' 'unsafe-inline'; base-uri 'none'; block-all-mixed-content; form-action 'self'; frame-ancestors 'self'; upgrade-insecure-requests";
index index.php;
root /srv/drupal/drupal.yourdomain.tld/web;
location / {
try_files $uri $uri/ /index.php?$args;
}
location ~ \.php$ {
fastcgi_pass unix:/var/run/php/php8.3-fpm.sock;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
}
```
**Notes**: `listen 443 quic reuseport;` is only needed once. If you plan to have multiple vhosts on this setup with SSL, consider making a dedicated vhost for this config so that it is nicer and easier to manage. An example can be found [here](https://github.com/TommyTran732/NGINX-Configs/blob/main/etc/nginx/conf.d/sites_default_quic.conf).
## Setup the Database for Drupal
As root, log into MariaDB:
```
mariadb -uroot
```
Run the following queries:
```
CREATE DATABASE drupal CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
CREATE USER 'drupal'@'127.0.0.1' IDENTIFIED BY 'yourPassword';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, CREATE TEMPORARY TABLES ON drupal.* TO 'drupal'@'127.0.0.1';
exit
```
## Configure Drupal
Go to drupal.yourdomain.tld and follow the prompts.
Switch to the `drupal` user:
```
sudo su - drupal
```
As the drupal user, run:
```
chmod 400 /srv/drupal/drupal.yourdomain.tld/web/sites/default/settings.php
setfacl -m u:nginx:r /srv/drupal/drupal.yourdomain.tld/web/sites/default/settings.php
```

View File

@ -0,0 +1,117 @@
#!/bin/sh
# Copyright (C) 2024 Thien Tran
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy of
# the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations under
# the License.
# Assumes that it is run AFTER https://github.com/TommyTran732/Linux-Setup-Scripts/blob/main/Ubuntu-24.04-Server.sh
set -eu
output(){
printf '\e[1;34m%-6s\e[m\n' "${@}"
}
unpriv(){
sudo -u nobody "$@"
}
# Open ports
sudo ufw allow 80/tcp
sudo ufw allow 443
# Add mainline NGINX repo
# This is extremely important as Ubuntu keeps shipping outdated NGINX
unpriv curl -s https://nginx.org/keys/nginx_signing.key | gpg --dearmor | sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null
sudo chmod 644 /usr/share/keyrings/nginx-archive-keyring.gpg
unpriv curl -s https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/apt/sources.list.d/nginx.sources | sudo tee /etc/apt/sources.list.d/nginx.sources > /dev/null
sudo chmod 644 /etc/apt/sources.list.d/nginx.sources
# Add the PHP PPA (Ubuntu repos do not have the latest version, and do not handle pinning properly)
sudo add-apt-repository -y ppa:ondrej/php
# Add upstream MariaDB repo
unpriv curl -s https://supplychain.mariadb.com/mariadb-keyring-2019.gpg | sudo tee /usr/share/keyrings/mariadb-keyring-2019.gpg
sudo chmod 644 /usr/share/keyrings/mariadb-keyring-2019.gpg
unpriv curl -s https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/apt/sources.list.d/mariadb.sources | sudo tee /etc/apt/sources.list.d/mariadb.sources > /dev/null
sudo chmod 644 /etc/apt/sources.list.d/maridadb.sources
# Update the VM again
sudo apt update
sudo apt full-upgrade -y
# Install the packages
sudo apt install -y nginx mariadb-server php8.3 php8.3-cli php8.3-common php8.3-curl php8.3-fpm php8.3-gd php8.3-mbstring php8.3-mysql php8.3-opcache php8.3-readline php8.3-sqlite3 php8.3-xml php8.3-zip php8.3-apcu
# Install certbot
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
# Secure MariaDB
output "Running mariadb-secure-installation."
output "You should answer yes to everything except setting the root password."
output "This is already done via the UNIX socket if you switch it with the prompts so you should be okay."
sudo mariadb-secure-installation
# Port NGINX configs from https://github.com/TommyTran732/NGINX-Configs
sudo rm -rf /etc/nginx/conf.d/default.conf
## NGINX hardening
sudo mkdir -p /etc/systemd/system/nginx.service.d
unpriv curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/nginx.service.d/local.conf | sudo tee /etc/systemd/system/nginx.service.d/override.conf > /dev/null
sudo chmod 644 /etc/systemd/system/nginx.service.d/override.conf
sudo systemctl daemon-reload
## Setup nginx-create-session-ticket-keys
unpriv curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/nginx-create-session-ticket-keys | sudo tee /usr/local/bin/nginx-create-session-ticket-keys > /dev/null
sudo chmod u+x /usr/local/bin/nginx-create-session-ticket-keys
## Setup nginx-rotate-session-ticket-keys
unpriv curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/nginx-rotate-session-ticket-keys | sudo tee /usr/local/bin/nginx-rotate-session-ticket-keys > /dev/null
sudo chmod u+x /usr/local/bin/nginx-rotate-session-ticket-keys
## Download the units
unpriv curl -s https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/nginx-create-session-ticket-keys.service | sudo tee /etc/systemd/system/nginx-create-session-ticket-keys.service > /dev/null
unpriv curl -s https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/nginx-rotate-session-ticket-keys.service | sudo tee /etc/systemd/system/nginx-rotate-session-ticket-keys.service > /dev/null
unpriv curl -s https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/nginx-rotate-session-ticket-keys.timer | sudo tee /etc/systemd/system/nginx-rotate-session-ticket-keys.timer > /dev/null
## Systemd Hardening
sudo mkdir -p /etc/systemd/system/nginx.service.d
unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/systemd/system/nginx.service.d/override.conf | sudo tee /etc/systemd/system/nginx.service.d/override.conf > /dev/null
sudo chmod 644 /etc/systemd/system/nginx.service.d/override.conf
sudo systemctl daemon-reload
## Enable the units
sudo systemctl enable --now nginx-create-session-ticket-keys.service
sudo systemctl enable --now nginx-rotate-session-ticket-keys.timer
## Download NGINX configs
unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/conf.d/http2.conf | sudo tee /etc/nginx/conf.d/http2.conf > /dev/null
unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/conf.d/sites_default.conf | sudo tee /etc/nginx/conf.d/sites_default.conf > /dev/null
sudo sed -i 's/include snippets/universal_paths.conf;//g' /etc/nginx/conf.d/sites_default.conf
sudo sed -i 's/ipv4_1://g' /etc/nginx/conf.d/sites_default.conf
sudo sed -i 's/ipv6_1/::/g' /etc/nginx/conf.d/sites_default.conf
unpriv curl https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/conf.d/tls.conf | sudo tee /etc/nginx/conf.d/tls.conf > /dev/null
sudo mkdir -p /etc/nginx/snippets
unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/hsts.conf | sudo tee /etc/nginx/snippets/hsts.conf > /dev/null
unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/proxy.conf | sudo tee /etc/nginx/snippets/proxy.conf > /dev/null
unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/quic.conf | sudo tee /etc/nginx/snippets/quic.conf > /dev/null
unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/security.conf | sudo tee /etc/nginx/snippets/security.conf > /dev/null
unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/cross-origin-security.conf | sudo tee /etc/nginx/snippets/cross-origin-security.conf > /dev/null
# Fix PHP permission
sudo sed -i 's/www-data/nginx/g' /etc/php/8.3/fpm/pool.d/www.conf
sudo systemctl restart php8.3-fpm