mirror of
https://github.com/tommytran732/Pterodactyl-Script
synced 2024-11-22 02:21:33 -05:00
Upstream NGINX
Signed-off-by: Tommy <contact@tommytran.io>
This commit is contained in:
parent
5234008aec
commit
e8b156bf44
44
README.md
44
README.md
@ -3,7 +3,7 @@ Installing Pterodactyl in just a few minutes! <br />
|
|||||||
Please note this script is meant to be used on fresh installations only. You must run it as root. <br />
|
Please note this script is meant to be used on fresh installations only. You must run it as root. <br />
|
||||||
<br />
|
<br />
|
||||||
`curl -Ls https://api.github.com/repos/TommyTran732/Pterodactyl-Script/releases/latest | grep -wo "https.*install.sh" | wget -qi -` <br />
|
`curl -Ls https://api.github.com/repos/TommyTran732/Pterodactyl-Script/releases/latest | grep -wo "https.*install.sh" | wget -qi -` <br />
|
||||||
<br />
|
<br />
|
||||||
`bash install.sh` <br />
|
`bash install.sh` <br />
|
||||||
<br />
|
<br />
|
||||||
Visit my Matrix group: https://matrix.to/#/#tommy:arcticfoxes.net
|
Visit my Matrix group: https://matrix.to/#/#tommy:arcticfoxes.net
|
||||||
@ -14,39 +14,31 @@ Visit my Matrix group: https://matrix.to/#/#tommy:arcticfoxes.net
|
|||||||
- Panel upgrade
|
- Panel upgrade
|
||||||
- Daemon installation
|
- Daemon installation
|
||||||
- Daemon upgrade
|
- Daemon upgrade
|
||||||
- phpMyAdmin installation (on nodes with the panel only - optional)
|
|
||||||
- Automatic LetsEncrypt certificate generation
|
|
||||||
- HSTS enabled
|
|
||||||
- MariaDB SSL
|
|
||||||
- Fail2ban sshd & phpMyAdmin-syslog jails
|
|
||||||
- Basic firewall configuration
|
- Basic firewall configuration
|
||||||
|
- Automatic LetsEncrypt certificate generation
|
||||||
|
- MariaDB SSL
|
||||||
|
- HSTS enabled
|
||||||
|
- Additional security headers (CSP, Permission Policy, CORP, COOP)
|
||||||
- Database password reset
|
- Database password reset
|
||||||
|
|
||||||
# Dependency updates
|
# Dependency Updates
|
||||||
Currently, Pterodactyl's dependencies (PHP, MariaDB) will only recieve minor version updates (e.g. PHP 8.0.1 -> PHP 8.0.x). Dependency upgrade scripts for major version changes (e.g. PHP 8.0.x -> PHP 8.1.0) are planned, but they are not yet available. For now, changing between major versions of Pterodactyl's depdencies are the user's own responsibility. <br />
|
|
||||||
|
|
||||||
I expect that a script for Fedora-based distributions to be relatively clean and simple, thanks to dnf's modular repositories. The same cannot be said for Debian-based distributions however, as we have to remove all of the old versions of the dependencies with apt, install the new ones, then apply reconfigurations. Please take this into account when choosing your distribution.
|
Currently, PHP, Composer, and Redis are installed from Remi's modular repository. As such, they will only get minor version updates with `dnf upgrade` (PHP 8.1.0 -> PHP 8.1.x for example). For updates between major versions of these dependencies, use `dnf module` to change the appstream for these dependencies.<br />
|
||||||
|
|
||||||
|
```bash
|
||||||
|
dnf module reset php:remi-8.0
|
||||||
|
dnf module install php:remi-8.1
|
||||||
|
dnf distro-sync
|
||||||
|
```
|
||||||
|
|
||||||
|
NGINX, MariaDB, and Docker-CE uses upstream repositories and will get the latest version available on there automatically.
|
||||||
|
|
||||||
# Script updates/Reproducibility
|
# Script updates/Reproducibility
|
||||||
Unfortunately, there is currently not an option to automatically apply new features / fixes I make to the script to an existing installation. The user has to look at the changelog and the code to apply it on their own. Theoratically, I could write a script to automate this process, but I currently don't have enough bandwidth for this and I want to spend my time developing new features. If anyone could help me with this, I would highly appreciate it. <br />
|
Unfortunately, there is currently not an option to automatically apply new features / fixes I make to the script to an existing installation. The user has to look at the changelog and the code to apply them on their own. Theoratically, I could write a script to automate this process, but I currently don't have enough bandwidth for this and I want to spend my time developing new features. If anyone could help me with this, I would highly appreciate it. <br />
|
||||||
|
|
||||||
Ideally, we would want everything to be reproducible from the OS to the Pterodactyl installation. I am currently looking at using Fedora CoreOS and Docker-Compose to accomplish this. If you are interested in such setup, please let me know.
|
Ideally, we would want everything to be reproducible from the OS to the Pterodactyl installation. I am currently looking at using Fedora CoreOS and Docker-Compose to accomplish this. If you are interested in such setup, please let me know.
|
||||||
|
|
||||||
# Supported Distributions
|
# Supported Distributions
|
||||||
Fedora, CentOS Stream, RHEL, Rocky Linux, AlmaLinux, Ubuntu, and Debian are currently supported distributions. <br />
|
Only RHEL 9 and its derivatives (CentOS Stream 9, Rocky Linux 9 , AlmaLinux 9) are supported at the moment. Fedora may get supported in the future if there are interest in it.
|
||||||
|
|
||||||
As it currently stands, RHEL is the best distribution for a production system. RHEL and its derivatives have much longer life cycle support (10 years) than Ubuntu LTS (5 years) and Debian (roughly 3 years - not counting Debian LTS), a much better Mandatory Access Control system, and a superior package manager. CentOS Stream is slightly (~1 minor version) ahead of RHEL, so you could expect it to be ever so slightly less stable. Rocky and AlmaLinux are RHEL rebuilds, so they are likely to get security patches after RHEL, just like how the old CentOS was. Red Hat now offers 16 licenses for free for production use, which also comes with Red Hat Insights, and I highly recommend that you choose RHEL over other distributions if possible. I am using RHEL on my personal Pterodactyl instance as well.<br />
|
Ubuntu, Debian, and openSUSE are unlikely to get supported, due to them not supporting modular repositories which makes dependency updates cumbersome.
|
||||||
|
|
||||||
If you live on the edge and don't mind doing a major OS upgrade every 6 months, then Fedora may be a perfect choice. However, I am not recommending it at the moment as it is probably not what people are looking for and I do not have enough energy to help with issues that may arise from doing in-place OS upgrades. <br />
|
|
||||||
|
|
||||||
As for Ubuntu, it is simply supported because it is a popular distribution and a lot of people might feel comfortable with it. That being said, I am not quite sure what the best practices are with Ubuntu at the moment - they seem to be pushing snaps very heavily, to the point where even Certbot and Docker are shipped and recommended as snaps. For simplicity, the script currently uses .deb packages just like it does with Debian, but this might change in the future if thoose .debs packages are neglected in favor of snaps. I personally would not use Ubuntu unless I have no other choices.
|
|
||||||
|
|
||||||
| Operating System | Version | Supported | Recommended | Notes |
|
|
||||||
| ----------------- | -------- | -------------------- | ------------------ | ------------------------------------ |
|
|
||||||
| Fedora | 35 | :heavy_check_mark: | 🔴 | |
|
|
||||||
| CentOS | Stream 8 | :heavy_check_mark: | ✔️ | |
|
|
||||||
| RHEL | 8 | :heavy_check_mark: | ✔️ | |
|
|
||||||
| Rocky Linux | 8 | :heavy_check_mark: | ✔️ | |
|
|
||||||
| Alma Linux | 8 | :heavy_check_mark: | ✔️ | |
|
|
||||||
| Ubuntu | 20.04 | :heavy_check_mark: | 🔴 | |
|
|
||||||
| Debian | 11 | :heavy_check_mark: | 🔴 | |
|
|
204
install.sh
204
install.sh
@ -69,9 +69,8 @@ install_options(){
|
|||||||
output "[4] Upgrade panel to ${PANEL}."
|
output "[4] Upgrade panel to ${PANEL}."
|
||||||
output "[5] Upgrade wings to ${WINGS}."
|
output "[5] Upgrade wings to ${WINGS}."
|
||||||
output "[6] Upgrade panel to ${PANEL} and daemon to ${WINGS}."
|
output "[6] Upgrade panel to ${PANEL} and daemon to ${WINGS}."
|
||||||
output "[7] Install phpMyAdmin (only use this after you have installed the panel)."
|
output "[7] Emergency MariaDB root password reset."
|
||||||
output "[8] Emergency MariaDB root password reset."
|
output "[8] Emergency database host information reset."
|
||||||
output "[9] Emergency database host information reset."
|
|
||||||
read -r choice
|
read -r choice
|
||||||
case $choice in
|
case $choice in
|
||||||
1 ) installoption=1
|
1 ) installoption=1
|
||||||
@ -92,13 +91,10 @@ install_options(){
|
|||||||
6 ) installoption=6
|
6 ) installoption=6
|
||||||
output "You have selected to upgrade panel to ${PANEL} and daemon to ${DAEMON}."
|
output "You have selected to upgrade panel to ${PANEL} and daemon to ${DAEMON}."
|
||||||
;;
|
;;
|
||||||
7 ) installoption=7
|
7 ) installoption=8
|
||||||
output "You have selected to install phpMyAdmin."
|
|
||||||
;;
|
|
||||||
8 ) installoption=8
|
|
||||||
output "You have selected MariaDB root password reset."
|
output "You have selected MariaDB root password reset."
|
||||||
;;
|
;;
|
||||||
9 ) installoption=9
|
8 ) installoption=9
|
||||||
output "You have selected Database Host information reset."
|
output "You have selected Database Host information reset."
|
||||||
;;
|
;;
|
||||||
* ) output "You did not enter a valid selection."
|
* ) output "You did not enter a valid selection."
|
||||||
@ -136,9 +132,6 @@ required_infos() {
|
|||||||
install_dependencies(){
|
install_dependencies(){
|
||||||
output "Installing dependencies..."
|
output "Installing dependencies..."
|
||||||
|
|
||||||
#Adding upstream repo because RHEL's version is extremely oudated.
|
|
||||||
curl -LsS https://r.mariadb.com/downloads/mariadb_repo_setup | sudo bash
|
|
||||||
|
|
||||||
if [ "$lsb_dist" != "rhel" ]; then
|
if [ "$lsb_dist" != "rhel" ]; then
|
||||||
subscription-manager repos --enable codeready-builder-for-rhel-9-$(arch)-rpms
|
subscription-manager repos --enable codeready-builder-for-rhel-9-$(arch)-rpms
|
||||||
rpm --import https://raw.githubusercontent.com/tommytran732/Pterodactyl-Script/master/epel9.asc
|
rpm --import https://raw.githubusercontent.com/tommytran732/Pterodactyl-Script/master/epel9.asc
|
||||||
@ -155,15 +148,44 @@ install_dependencies(){
|
|||||||
rpm --import https://raw.githubusercontent.com/tommytran732/Pterodactyl-Script/master/remi9.asc
|
rpm --import https://raw.githubusercontent.com/tommytran732/Pterodactyl-Script/master/remi9.asc
|
||||||
dnf install -y https://rpms.remirepo.net/enterprise/remi-release-9.rpm
|
dnf install -y https://rpms.remirepo.net/enterprise/remi-release-9.rpm
|
||||||
|
|
||||||
dnf install -y nginx redis mariadb-server composer tuned
|
dnf module install -y php:remi-8.1/common
|
||||||
systemctl enable --now nginx
|
|
||||||
systemctl enable --now redis
|
|
||||||
systemctl enable --now mariadb
|
|
||||||
tune-adm profile latency-performance
|
|
||||||
|
|
||||||
dnf module install php:remi-8.1/common
|
|
||||||
dnf install -y php-bcmath php-gd php-mysqlnd php-pdo php-sodium
|
dnf install -y php-bcmath php-gd php-mysqlnd php-pdo php-sodium
|
||||||
systemctl enable --now php-fpm
|
systemctl enable --now php-fpm
|
||||||
|
|
||||||
|
dnf module install -y composer:2/common
|
||||||
|
|
||||||
|
dnf module install -y redis:remi-7.0/common
|
||||||
|
systemctl enable --now redis
|
||||||
|
|
||||||
|
#Adding upstream repo because RHEL's version is extremely oudated.
|
||||||
|
curl -LsS https://r.mariadb.com/downloads/mariadb_repo_setup | sudo bash
|
||||||
|
dnf install -y nginx mariadb-server
|
||||||
|
systemctl enable --now mariadb
|
||||||
|
|
||||||
|
cat > /etc/yum.repos.d/nginx.repo <<- 'EOF'
|
||||||
|
[nginx-stable]
|
||||||
|
name=nginx stable repo
|
||||||
|
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
|
||||||
|
gpgcheck=1
|
||||||
|
enabled=1
|
||||||
|
gpgkey=https://nginx.org/keys/nginx_signing.key
|
||||||
|
module_hotfixes=true
|
||||||
|
|
||||||
|
[nginx-mainline]
|
||||||
|
name=nginx mainline repo
|
||||||
|
baseurl=http://nginx.org/packages/mainline/centos/$releasever/$basearch/
|
||||||
|
gpgcheck=1
|
||||||
|
enabled=0
|
||||||
|
gpgkey=https://nginx.org/keys/nginx_signing.key
|
||||||
|
module_hotfixes=true
|
||||||
|
EOF
|
||||||
|
dnf config-manager --enable nginx-mainline
|
||||||
|
dnf install -y nginx
|
||||||
|
systemctl enable --now nginx
|
||||||
|
|
||||||
|
|
||||||
|
dnf install -y tuned
|
||||||
|
tune-adm profile latency-performance
|
||||||
}
|
}
|
||||||
|
|
||||||
install_pterodactyl() {
|
install_pterodactyl() {
|
||||||
@ -175,7 +197,7 @@ install_pterodactyl() {
|
|||||||
Q1="CREATE DATABASE IF NOT EXISTS panel;"
|
Q1="CREATE DATABASE IF NOT EXISTS panel;"
|
||||||
Q2="SET old_passwords=0;"
|
Q2="SET old_passwords=0;"
|
||||||
Q3="GRANT ALL ON panel.* TO 'pterodactyl'@'127.0.0.1' IDENTIFIED BY '$password';"
|
Q3="GRANT ALL ON panel.* TO 'pterodactyl'@'127.0.0.1' IDENTIFIED BY '$password';"
|
||||||
Q4="GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, ALTER, INDEX, DROP, CREATE ROUTINE, ALTER ROUTINE, EXECUTE, PROCESS, RELOAD, LOCK TABLES, CREATE USER ON *.* TO 'admin'@'$SERVER_IP' IDENTIFIED BY '$adminpassword' WITH GRANT OPTION;"
|
Q4="GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, REFERENCES, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES, CREATE VIEW, EVENT, TRIGGER, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, EXECUTE ON *.* TO 'admin'@'$SERVER_IP' IDENTIFIED BY '$adminpassword' WITH GRANT OPTION;"
|
||||||
Q5="SET PASSWORD FOR 'root'@'localhost' = PASSWORD('$rootpassword');"
|
Q5="SET PASSWORD FOR 'root'@'localhost' = PASSWORD('$rootpassword');"
|
||||||
Q6="DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');"
|
Q6="DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');"
|
||||||
Q7="DELETE FROM mysql.user WHERE User='';"
|
Q7="DELETE FROM mysql.user WHERE User='';"
|
||||||
@ -309,17 +331,19 @@ EOF
|
|||||||
|
|
||||||
output "Configuring Nginx web server..."
|
output "Configuring Nginx web server..."
|
||||||
|
|
||||||
echo '
|
rm -f /etc/nginx/conf.d/default.conf
|
||||||
|
|
||||||
|
cat > /etc/nginx/conf.d/pterodactyl.conf <<- 'EOF'
|
||||||
server {
|
server {
|
||||||
listen 80 default_server;
|
listen 80 default_server;
|
||||||
listen [::]:80 default_server;
|
listen [::]:80 default_server;
|
||||||
server_name '"$FQDN"';
|
server_name FQDN;
|
||||||
return 301 https://$server_name$request_uri;
|
return 301 https://$server_name$request_uri;
|
||||||
}
|
}
|
||||||
server {
|
server {
|
||||||
listen 443 ssl http2 default_server;
|
listen 443 ssl http2 default_server;
|
||||||
listen [::]:443 ssl http2 default_server;
|
listen [::]:443 ssl http2 default_server;
|
||||||
server_name '"$FQDN"';
|
server_name FQDN;
|
||||||
root /var/www/pterodactyl/public;
|
root /var/www/pterodactyl/public;
|
||||||
index index.php;
|
index index.php;
|
||||||
|
|
||||||
@ -331,8 +355,8 @@ server {
|
|||||||
client_body_timeout 120s;
|
client_body_timeout 120s;
|
||||||
|
|
||||||
sendfile off;
|
sendfile off;
|
||||||
ssl_certificate /etc/letsencrypt/live/'"$FQDN"'/fullchain.pem;
|
ssl_certificate /etc/letsencrypt/live/FQDN/fullchain.pem;
|
||||||
ssl_certificate_key /etc/letsencrypt/live/'"$FQDN"'/privkey.pem;
|
ssl_certificate_key /etc/letsencrypt/live/FQDN/privkey.pem;
|
||||||
ssl_session_cache shared:SSL:10m;
|
ssl_session_cache shared:SSL:10m;
|
||||||
ssl_protocols TLSv1.2 TLSv1.3;
|
ssl_protocols TLSv1.2 TLSv1.3;
|
||||||
ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256";
|
ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256";
|
||||||
@ -374,7 +398,10 @@ server {
|
|||||||
location ~ /\.ht {
|
location ~ /\.ht {
|
||||||
deny all;
|
deny all;
|
||||||
}
|
}
|
||||||
}' | tee /etc/nginx/conf.d/pterodactyl.conf >/dev/null 2>&1
|
}
|
||||||
|
EOF
|
||||||
|
|
||||||
|
sed -i "s/FQDN/${FQDN}/g" /etc/nginx/conf.d/pterodactyl.conf
|
||||||
|
|
||||||
service nginx restart
|
service nginx restart
|
||||||
restorecon -R /var/www/pterodactyl
|
restorecon -R /var/www/pterodactyl
|
||||||
@ -440,80 +467,6 @@ upgrade_wings(){
|
|||||||
output "Your wings have been updated to version ${WINGS}."
|
output "Your wings have been updated to version ${WINGS}."
|
||||||
}
|
}
|
||||||
|
|
||||||
install_phpmyadmin(){
|
|
||||||
output "Installing phpMyAdmin..."
|
|
||||||
dnf -y install phpmyadmin
|
|
||||||
ln -s /usr/share/phpMyAdmin /var/www/pterodactyl/public/phpmyadmin
|
|
||||||
cd /var/www/pterodactyl/public/phpmyadmin || exit
|
|
||||||
SERVER_IP=$(dig +short myip.opendns.com @resolver1.opendns.com -4)
|
|
||||||
BOWFISH=`cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 34 | head -n 1`
|
|
||||||
bash -c 'cat > /etc/phpMyAdmin/config.inc.php' <<EOF
|
|
||||||
<?php
|
|
||||||
/* Servers configuration */
|
|
||||||
\$i = 0;
|
|
||||||
/* Server: MariaDB [1] */
|
|
||||||
\$i++;
|
|
||||||
\$cfg['Servers'][\$i]['verbose'] = 'MariaDB';
|
|
||||||
\$cfg['Servers'][\$i]['host'] = '${SERVER_IP}';
|
|
||||||
\$cfg['Servers'][\$i]['port'] = '3306';
|
|
||||||
\$cfg['Servers'][\$i]['socket'] = '';
|
|
||||||
\$cfg['Servers'][\$i]['auth_type'] = 'cookie';
|
|
||||||
\$cfg['Servers'][\$i]['user'] = 'root';
|
|
||||||
\$cfg['Servers'][\$i]['password'] = '';
|
|
||||||
\$cfg['Servers'][$i]['ssl'] = true;
|
|
||||||
\$cfg['ForceSSL'] = true;
|
|
||||||
/* End of servers configuration */
|
|
||||||
\$cfg['blowfish_secret'] = '${BOWFISH}';
|
|
||||||
\$cfg['DefaultLang'] = 'en';
|
|
||||||
\$cfg['ServerDefault'] = 1;
|
|
||||||
\$cfg['UploadDir'] = '/var/lib/phpMyAdmin/upload';
|
|
||||||
\$cfg['SaveDir'] = '/var/lib/phpMyAdmin/save';
|
|
||||||
\$cfg['CaptchaLoginPublicKey'] = '6LcJcjwUAAAAAO_Xqjrtj9wWufUpYRnK6BW8lnfn';
|
|
||||||
\$cfg['CaptchaLoginPrivateKey'] = '6LcJcjwUAAAAALOcDJqAEYKTDhwELCkzUkNDQ0J5';
|
|
||||||
\$cfg['AuthLog'] = syslog
|
|
||||||
?>
|
|
||||||
EOF
|
|
||||||
chmod 755 /etc/phpMyAdmin
|
|
||||||
chmod 644 /etc/phpMyAdmin/config.inc.php
|
|
||||||
chown -R nginx:nginx /var/www/pterodactyl
|
|
||||||
chown -R nginx:nginx /var/lib/phpMyAdmin/temp
|
|
||||||
|
|
||||||
bash -c 'cat > /etc/fail2ban/jail.local' <<-'EOF'
|
|
||||||
[DEFAULT]
|
|
||||||
# Ban hosts for one hours:
|
|
||||||
bantime = 3600
|
|
||||||
# Override /etc/fail2ban/jail.d/00-firewalld.conf:
|
|
||||||
banaction = iptables-multiport
|
|
||||||
[sshd]
|
|
||||||
enabled = true
|
|
||||||
[phpmyadmin-syslog]
|
|
||||||
enabled = true
|
|
||||||
maxentry = 15
|
|
||||||
EOF
|
|
||||||
service fail2ban restart
|
|
||||||
}
|
|
||||||
|
|
||||||
ssl_certs(){
|
|
||||||
output "Installing Let's Encrypt and creating an SSL certificate..."
|
|
||||||
dnf -y install certbot
|
|
||||||
|
|
||||||
if [ "$installoption" = "1" ] || [ "$installoption" = "3" ]; then
|
|
||||||
dnf -y install python3-certbot-nginx
|
|
||||||
certbot --nginx --redirect --no-eff-email --email "$email" --agree-tos -d "$FQDN"
|
|
||||||
setfacl -Rdm u:mysql:rx /etc/letsencrypt
|
|
||||||
setfacl -Rm u:mysql:rx /etc/letsencrypt
|
|
||||||
sed -i '/\[mysqld\]/a ssl-key=/etc/letsencrypt/live/'"${FQDN}"'/privkey.pem' /etc/my.cnf.d/server.cnf
|
|
||||||
sed -i '/\[mysqld\]/a ssl-ca=/etc/letsencrypt/live/'"${FQDN}"'/chain.pem' /etc/my.cnf.d/server.cnf
|
|
||||||
sed -i '/\[mysqld\]/a ssl-cert=/etc/letsencrypt/live/'"${FQDN}"'/cert.pem' /etc/my.cnf.d/server.cnf
|
|
||||||
systemctl restart mariadb
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ "$installoption" = "2" ]; then
|
|
||||||
certbot certonly --standalone --no-eff-email --email "$email" --agree-tos -d "$FQDN" --non-interactive
|
|
||||||
fi
|
|
||||||
systemctl enable --now certbot-renew.timer
|
|
||||||
}
|
|
||||||
|
|
||||||
firewall(){
|
firewall(){
|
||||||
if [ "$installoption" = "2" ]; then
|
if [ "$installoption" = "2" ]; then
|
||||||
if [ "$lsb_dist" != "rhel" ]; then
|
if [ "$lsb_dist" != "rhel" ]; then
|
||||||
@ -565,6 +518,50 @@ EOF
|
|||||||
firewall-cmd --reload
|
firewall-cmd --reload
|
||||||
}
|
}
|
||||||
|
|
||||||
|
ssl_certs(){
|
||||||
|
output "Installing Let's Encrypt and creating an SSL certificate..."
|
||||||
|
dnf -y install certbot
|
||||||
|
|
||||||
|
if [ "$installoption" = "1" ] || [ "$installoption" = "3" ]; then
|
||||||
|
dnf -y install python3-certbot-nginx
|
||||||
|
certbot --nginx --redirect --no-eff-email --email "$email" --agree-tos -d "$FQDN"
|
||||||
|
setfacl -Rdm u:mysql:rx /etc/letsencrypt
|
||||||
|
setfacl -Rm u:mysql:rx /etc/letsencrypt
|
||||||
|
sed -i '/\[mysqld\]/a ssl-key=/etc/letsencrypt/live/'"${FQDN}"'/privkey.pem' /etc/my.cnf.d/server.cnf
|
||||||
|
sed -i '/\[mysqld\]/a ssl-ca=/etc/letsencrypt/live/'"${FQDN}"'/chain.pem' /etc/my.cnf.d/server.cnf
|
||||||
|
sed -i '/\[mysqld\]/a ssl-cert=/etc/letsencrypt/live/'"${FQDN}"'/cert.pem' /etc/my.cnf.d/server.cnf
|
||||||
|
systemctl restart mariadb
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ "$installoption" = "2" ]; then
|
||||||
|
certbot certonly --standalone --no-eff-email --email "$email" --agree-tos -d "$FQDN" --non-interactive
|
||||||
|
fi
|
||||||
|
systemctl enable --now certbot-renew.timer
|
||||||
|
}
|
||||||
|
|
||||||
|
linux_hardening(){
|
||||||
|
curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf -o /etc/modprobe.d/30_security-misc.conf
|
||||||
|
curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc.conf -o /etc/sysctl.d/30_security-misc.conf
|
||||||
|
sed -i 's/kernel.yama.ptrace_scope=2/kernel.yama.ptrace_scope=3/g' /etc/sysctl.d/30_security-misc.conf
|
||||||
|
curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_silent-kernel-printk.conf -o /etc/sysctl.d/30_silent-kernel-printk.conf
|
||||||
|
sysctl -p
|
||||||
|
|
||||||
|
curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf -o /etc/chrony.conf
|
||||||
|
systemctl restart chronyd
|
||||||
|
|
||||||
|
mkdir -p /etc/systemd/system/NetworkManager.service.d
|
||||||
|
curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf -o /etc/systemd/system/NetworkManager.service.d/99-brace.conf
|
||||||
|
systemctl restart NetworkManager
|
||||||
|
|
||||||
|
mkdir -p /etc/systemd/system/irqbalance.service.d
|
||||||
|
curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/irqbalance.service.d/99-brace.conf -o /etc/systemd/system/irqbalance.service.d/99-brace.conf
|
||||||
|
systemctl restart irqbalance
|
||||||
|
|
||||||
|
mkdir -p /etc/systemd/system/sshd.service.d
|
||||||
|
curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/limits.conf -o /etc/systemd/system/sshd.service.d/limits.conf
|
||||||
|
systemctl restart sshd
|
||||||
|
}
|
||||||
|
|
||||||
database_host_reset(){
|
database_host_reset(){
|
||||||
adminpassword=`cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1`
|
adminpassword=`cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1`
|
||||||
Q0="SET old_passwords=0;"
|
Q0="SET old_passwords=0;"
|
||||||
@ -610,6 +607,7 @@ preflight
|
|||||||
install_options
|
install_options
|
||||||
case $installoption in
|
case $installoption in
|
||||||
1) required_infos
|
1) required_infos
|
||||||
|
linux_hardening
|
||||||
install_dependencies
|
install_dependencies
|
||||||
install_pterodactyl
|
install_pterodactyl
|
||||||
firewall
|
firewall
|
||||||
@ -619,6 +617,7 @@ case $installoption in
|
|||||||
print_info_database
|
print_info_database
|
||||||
;;
|
;;
|
||||||
2) required_infos
|
2) required_infos
|
||||||
|
linux_hardening
|
||||||
firewall
|
firewall
|
||||||
ssl_certs
|
ssl_certs
|
||||||
install_wings
|
install_wings
|
||||||
@ -626,6 +625,7 @@ case $installoption in
|
|||||||
print_info_database
|
print_info_database
|
||||||
;;
|
;;
|
||||||
3) required_infos
|
3) required_infos
|
||||||
|
linux_hardening
|
||||||
install_dependencies
|
install_dependencies
|
||||||
install_pterodactyl
|
install_pterodactyl
|
||||||
firewall
|
firewall
|
||||||
@ -641,10 +641,8 @@ case $installoption in
|
|||||||
6) upgrade_pterodactyl
|
6) upgrade_pterodactyl
|
||||||
upgrade_wings
|
upgrade_wings
|
||||||
;;
|
;;
|
||||||
7) install_phpmyadmin
|
7) curl -sSL https://raw.githubusercontent.com/tommytran732/MariaDB-Root-Password-Reset/master/mariadb-104.sh | sudo bash
|
||||||
;;
|
;;
|
||||||
8) curl -sSL https://raw.githubusercontent.com/tommytran732/MariaDB-Root-Password-Reset/master/mariadb-104.sh | sudo bash
|
8) database_host_reset
|
||||||
;;
|
|
||||||
9) database_host_reset
|
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
Loading…
Reference in New Issue
Block a user