Skip to content

Instantly share code, notes, and snippets.

@SirNeural

SirNeural/setup-fpm.sh

Last active August 29, 2016 14:17
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save SirNeural/59f7d6dcf11aff7d59bcd5c59a493fb8 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save SirNeural/59f7d6dcf11aff7d59bcd5c59a493fb8 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
setup-fpm.sh
#!/usr/bin/env bash
# Check if using bash
if [ ! "$BASH_VERSION" ] ; then
echo "Please do not use sh to run this script ($0), just execute it directly with bash" 1>&2
exit 1
fi
# Set variables
read -p "Username: " USERNAME
read -s -p "Primary Password: " PASSWORD
echo
read -s -p "Repeat Primary Password: " PASSWORD
echo
read -s -p "Htpasswd Password: " HTPASSWORD
echo
read -s -p "Repeat Htpasswd Password: " HTPASSWORD
echo
read -p "Project Name: " PROJECT
read -p "URL: (example.com) " URL
SYNCPORT='9024'
# Add the syncthing release PGP keys:
curl -s https://syncthing.net/release-key.txt | sudo apt-key add -
# Add the "release" channel to your APT sources:
echo "deb http://apt.syncthing.net/ syncthing release" | sudo tee /etc/apt/sources.list.d/syncthing.list
# Find IP Address
IP=""
if [ -f /usr/bin/ec2metadata ]
then
IP=`timeout 1 ec2metadata --public-hostname`
fi
if [ "$IP" = "unavailable" ]
then
IP=`curl http://ipinfo.io/ip 2>/dev/null | egrep -o "[0-9\.]*"`
fi
if [ "$IP" = "" ]
then
IP=`ifconfig | perl -ple 'print $_ if /inet addr/ and $_ =~ s/.*inet addr:((?:\d+\.){3}\d+).*/$1/g ;$_=""' | grep -v ^\s*$ | grep -v 127.0.0.1 | head -n 1`
fi
if [ "$IP" = "" ]
then
IP=`cat /etc/hostname | head -n 1`
fi
# Create project folder, written in 4 single mkdir-statements to make sure this runs everywhere without problems
sudo mkdir "/var/www"
sudo mkdir "/var/www/html"
# Update repositories
sudo apt-get update
sudo apt-get -y upgrade
# Set firewall options
sudo ufw allow ssh
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw allow 587/tcp
sudo ufw allow 1723/tcp
sudo ufw allow $SYNCPORT/tcp
sudo ufw allow 22000/tcp
sudo ufw allow 21027/udp
sed -ie 's/DEFAULT_FORWARD_POLICY="DROP"/DEFAULT_FORWARD_POLICY="ACCEPT"/' /etc/default/ufw
sed -i "1i# START OPENVPN RULES\n# NAT table rules\n*nat\n:POSTROUTING ACCEPT [0:0]\n# Allow traffic from OpenVPN client to eth0\n\n-A POSTROUTING -s 192.168.2.0/24 -o eth0 -j MASQUERADE\nCOMMIT\n# END OPENVPN RULES\n" /etc/ufw/before.rules
sed -i "29i# allow GRE protocol for VPN\n-A ufw-before-input -p 47 -j ACCEPT\n" /etc/ufw/before.rules
echo "y" | sudo ufw enable
# Set configuration options
sudo debconf-set-selections <<< "mysql-server mysql-server/root_password password $PASSWORD"
sudo debconf-set-selections <<< "mysql-server mysql-server/root_password_again password $PASSWORD"
sudo apt-get install -y nginx mysql-server php-fpm php-mysql php-mbstring php-gettext php-mcrypt php-curl php-cli php-zip php-memcached memcached php-redis
# Change PHP-FPM settings
sed -i '/cgi.fix_pathinfo=1/c cgi.fix_pathinfo=0' /etc/php/7.0/fpm/php.ini
sed -i '/max_execution_time = 30/c max_execution_time = 300' /etc/php/7.0/fpm/php.ini
sed -i '/upload_max_filesize = 2M/c upload_max_filesize = 8M' /etc/php/7.0/fpm/php.ini
sed -i '/listen = 127.0.0.1:9000/c listen = /var/run/php/php7.0-fpm.sock' /etc/php/7.0/fpm/pool.d/www.conf
# Create database
echo "CREATE DATABASE ${PROJECT,,}" | mysql -uroot -p$PASSWORD
# Enable PHP7 Mods
phpenmod mcrypt
# Install PHPMyAdmin
sudo debconf-set-selections <<< "phpmyadmin phpmyadmin/dbconfig-install boolean true"
sudo debconf-set-selections <<< "phpmyadmin phpmyadmin/app-password-confirm password $PASSWORD"
sudo debconf-set-selections <<< "phpmyadmin phpmyadmin/mysql/admin-pass password $PASSWORD"
sudo debconf-set-selections <<< "phpmyadmin phpmyadmin/mysql/app-pass password $PASSWORD"
sudo debconf-set-selections <<< "phpmyadmin phpmyadmin/reconfigure-webserver multiselect none"
sudo apt-get -y install phpmyadmin
# Install miscellaneous packages
sudo apt-get -y install openssl git npm curl zip screen syncthing apache2-utils
# Install bower
npm install bower -g
# Install Composer
curl -s https://getcomposer.org/installer | php
mv composer.phar /usr/local/bin/composer
# Install Laravel
composer global require "laravel/installer"
PATH=~/.config/composer/vendor/bin:$PATH
# Setup a new project
cd /var/www/html
laravel new ${PROJECT,,}
chown -R www-data ${PROJECT,,}/storage
chown -R www-data ${PROJECT,,}/bootstrap/cache
chmod -R 755 ${PROJECT,,}/storage
chmod -R 755 ${PROJECT,,}/bootstrap/cache
# Install Project Dependencies
composer require "laravelcollective/html"
composer require "spatie/laravel-backup"
# Run setup for syncthing
syncthing -generate="/root/.config/syncthing"
# Replace default configuration
sed -e "s/<gui enabled=\"true\" tls=\"false\">/<gui enabled=\"true\" tls=\"true\">/g" /root/.config/syncthing/config.xml > /root/.config/syncthing/config.xml.tmp && mv /root/.config/syncthing/config.xml.tmp /root/.config/syncthing/config.xml
sed -e "s/<address>127.0.0.1:8384<\/address>/<address>0.0.0.0:$SYNCPORT<\/address>/g" /root/.config/syncthing/config.xml > /root/.config/syncthing/config.xml.tmp && mv /root/.config/syncthing/config.xml.tmp /root/.config/syncthing/config.xml
# Set a symbolic link to connect phpmyadmin and root web directory
ln -s /usr/share/phpmyadmin /var/www/html/${PROJECT,,}/public
# Set Password
VHOST=$(cat <<EOF
AuthType Basic
AuthName "Restricted Files"
AuthUserFile /etc/phpmyadmin/.htpasswd
Require valid-user
EOF
)
echo "$VHOST" > /usr/share/phpmyadmin/.htaccess
htpasswd -c -b -B -C 14 /etc/phpmyadmin/.htpasswd $USERNAME $HTPASSWORD
# Setup ssl certificates
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/ssl.key -out /etc/ssl/ssl.crt -subj "/C=US/CN=www.$URL/emailAddress=admin@$URL"
# Replace default configuration
VHOST=$(cat <<EOF
server {
listen 80;
server_name $IP;
return 301 https://$URL;
}
server {
listen 80 default_server;
listen [::]:80 default_server ipv6only=on;
listen 443 ssl;
listen [::]:443 ssl ipv6only=on;
root /var/www/html/${PROJECT,,}/public;
index index.php index.html index.htm;
server_name $URL www.$URL;
ssl_certificate /etc/ssl/ssl.crt;
ssl_certificate_key /etc/ssl/ssl.key;
sendfile off;
error_page 404 /index.php;
location = /favicon.ico { access_log off; log_not_found off; }
location = /robots.txt { access_log off; log_not_found off; }
location /phpmyadmin {
auth_basic "Restricted Files";
auth_basic_user_file /etc/phpmyadmin/.htpasswd;
}
location / {
try_files \$uri \$uri/ /index.php\$is_args\$args;
}
if (!-d \$request_filename) {
rewrite ^/(.+)/\$ /\$1 permanent;
}
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)\$;
fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
fastcgi_intercept_errors off;
fastcgi_buffer_size 16k;
fastcgi_buffers 4 16k;
}
location ~* .*/\..* {
deny all;
}
location ~* /(\.|wp-config.php|readme.html|license.txt|schema.txt|password.txt|passwords.txt) {
deny all;
}
location ~* \.(engine|inc\.php|class\.php|phps|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(\..*|Entries.*|Repository|Root|Tag|Template)$|\.php_ {
deny all;
}
location ~ ~\$ {
access_log off;
log_not_found off;
deny all;
}
}
EOF
)
echo "$VHOST" > /etc/nginx/sites-available/default
# Restart web services
service php7.0-fpm restart
service nginx restart
# Secure mysql installation (mysql_secure_installation)
echo "DELETE FROM mysql.user WHERE User='';" | mysql -uroot -p$PASSWORD
echo "DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');" | mysql -uroot -p$PASSWORD
echo "DROP DATABASE IF EXISTS test;" | mysql -uroot -p$PASSWORD
echo "DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%';" | mysql -uroot -p$PASSWORD
echo "FLUSH PRIVILEGES;" | mysql -uroot -p$PASSWORD
# final feedback
echo "Voila!"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment