Deploy-ready LEMP

by heyjonboy

Nginx, MySQL, PHP-FPM, local Postfix, iptables, sudo user, Git

Compatible with: No distros currently supported
						#!/bin/bash

# <UDF name="DB_PASSWORD"      Label="MySQL root password" />
# <udf name="sqladmin_domain" label="SQLadmin domain" default="" />

# <udf name="user_name" label="Unprivileged User Account" />
# <udf name="user_password" label="Unprivileged User Password" />

# <udf name="admin_email" label="Admin Email Address" default="" />
# <udf name="HOSTNAME" label="Hostname" default="" />


 
#scripts used
# The two "source <ssinclude ...>" lines are Linode StackScript include
# directives: the platform substitutes the referenced script's text before this
# file is executed, so they are not valid bash on their own.
	source <ssinclude StackScriptID="1">        #StackScript Bash Library
	source <ssinclude StackScriptID="41">       #LEMP_lib

#functions to use from sourced scripts
# All six functions are defined in the includes above; what they do is not
# visible in this file.
# NOTE(review): the system is updated here (lemp_system_update_aptitude) and
# system_update is called again further down, and restartServices is called
# here and again at the very end — confirm the repeated calls are intended.
	lemp_system_update_aptitude         #StackScriptID="41"
	lemp_mysql_install              #StackScriptID="41"
	lemp_php-fpm                    #StackScriptID="41"
	lemp_nginx                  #StackScriptID="41"
	postfix_install_loopback_only           #StackScriptID="1"
	restartServices                 #StackScriptID="1"


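# Hook scripts that ifupdown runs when an interface comes up / goes down.
# ifupdown executes the contents of these directories through run-parts(8),
# which skips file names containing characters outside [A-Za-z0-9_-]; with the
# original "iptables.sh" names the hooks would be ignored and the saved rules
# never restored at boot. (If the target distro's ifupdown passes --regex to
# run-parts both spellings work, so the dot-free name is safe either way.)
IFUP=/etc/network/if-up.d/iptables
IFDOWN=/etc/network/if-down.d/iptables

#######################################
# Run iptables with the given arguments, printing the command line first.
# Arguments: passed through verbatim to iptables
# Outputs:   the command line on stdout (kept on stdout rather than stderr
#            because callers below silence it with >/dev/null 2>/dev/null)
# Returns:   iptables' exit status
#######################################
IPTABLES() {
    printf '%s\n' "iptables $*"
    # "$@" hands each argument over intact; the unquoted $@ in the original
    # re-split arguments containing whitespace and expanded glob characters.
    iptables "$@"
}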

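# Make sure we have iptables, and do this business while we're at it
echo "Updating system and installing iptables."
aptitude -y install iptables

echo
echo "==========================================================================="
echo "Configuring iptables firewall."

# Set up scripts to load/unload the rules at ifup/ifdown.
# Both hooks share the same header; IFUP restores the saved rule set and IFDOWN
# saves whatever is live at that moment. Note that this means a manually
# flushed rule set present at ifdown time becomes the rule set restored at the
# next ifup.
echo "Generating store/restore scripts."
for hook in "$IFUP" "$IFDOWN"; do
    echo "$hook"
    # Do not write the hook body if the file could not be created or made
    # executable; the original carried on regardless.
    if ! { touch "$hook" && chmod 744 "$hook"; }; then
        echo "Could not create $hook" >&2
        continue
    fi
    printf '%s\n' '#!/bin/bash' '# Generated by iptables StackScript' '' > "$hook"
done
echo "iptables-restore < /etc/firewall.conf" >> "$IFUP"
echo "iptables-save > /etc/firewall.conf" >> "$IFDOWN"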
 
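# Fix sysctl so this will not log to console
# The distro-default kernel printk is commented out, so we cheat and add
echo "Changing kernel.printk in the kernel."
echo "3 1 1 1" > /proc/sys/kernel/printk
echo "Modifying /etc/sysctl.conf."
# Append only once, so re-running this script does not stack duplicate
# kernel.printk lines in /etc/sysctl.conf.
if ! grep -q '^kernel\.printk' /etc/sysctl.conf 2>/dev/null; then
    {
        echo
        echo "# Added by iptables StackScript, to not log iptables information to console"
        # NOTE(review): the double quotes end up in the file literally, exactly
        # as the original wrote them — confirm this distro's sysctl accepts a
        # quoted value for kernel.printk.
        echo 'kernel.printk = "3 1 1 1"'
    } >> /etc/sysctl.conf
fi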
 
# Build iptables
# Open INPUT and OUTPUT and empty them, drop FORWARD, then (re)create the four
# custom chains. From here until the final "-P INPUT DROP" later in the script
# the host accepts all inbound traffic.
echo "Building iptables rules."
for chain in INPUT OUTPUT; do
    IPTABLES -P "$chain" ACCEPT && IPTABLES -F "$chain"
done
IPTABLES -P FORWARD DROP && IPTABLES -F FORWARD
for chain in DROP1 DROP2 TCP UDP; do
    # Flush and delete first so a chain left over from an earlier run does not
    # make -N fail; the errors from the chain-does-not-exist case are silenced
    # on purpose.
    IPTABLES -F "$chain" >/dev/null 2>&1
    IPTABLES -X "$chain" >/dev/null 2>&1
    IPTABLES -N "$chain"
done

# Both DROP chains consist of a single unconditional DROP.
for chain in DROP1 DROP2; do
    IPTABLES -A "$chain" -j DROP
done
 
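# Preamble
# Rules are matched in order: established/related traffic is accepted first,
# INVALID packets go to DROP1, loopback is accepted, and everything else is
# dispatched to the per-protocol TCP/UDP chains filled in below.
IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
IPTABLES -A INPUT -m state --state INVALID -j DROP1
IPTABLES -A INPUT -i lo -j ACCEPT
IPTABLES -A INPUT -p tcp -j TCP
IPTABLES -A INPUT -p udp -j UDP

# SSH is open by default
# SSHRANGE is not one of the UDFs declared in this script's header, so unless
# it arrives through the environment SSH is reachable from anywhere (0/0).
SSHRANGE=${SSHRANGE:-0/0}
echo "Allowing: SSH from $SSHRANGE"
IPTABLES -A TCP -p tcp --dport ssh -s "$SSHRANGE" -j ACCEPT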
 
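# Allowed services
# ALLOW is a comma-separated list; judging from how it was parsed, each entry
# looks like "<label>: <PROTO> <port>" (constructed example: "web: TCP 80").
# ALLOW is not declared as a UDF in this script's header, so it is empty
# unless supplied through the environment.
IFS=',' read -r -a allow_entries <<<"$ALLOW"
for service in "${allow_entries[@]}"; do
    # Empty entries (e.g. from a trailing comma) have nothing to allow.
    [ -n "$service" ] || continue
    echo "Allowing: $service"
    # Drop the label up to the first ": ", then split into protocol and port.
    # read into named variables replaces "set --", which clobbered the
    # script's own positional parameters and left IFS to be cleaned up.
    interested=${service#*: }
    read -r proto port _ <<<"$interested"
    if [ -z "$port" ]; then
        echo "Ignoring ALLOW entry without a port: $service" >&2
        continue
    fi
    for chain in TCP UDP; do
        if [[ "$proto" == *"$chain"* ]]; then
            IPTABLES -A "$chain" -p "$chain" --dport "$port" -j ACCEPT
        fi
    done
done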
 
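# Extras
# EXTRAU / EXTRAT are whitespace-separated port lists. Like ALLOW and SSHRANGE
# they are not declared as UDFs in this script's header, so they are empty
# unless set in the environment. Deliberately unquoted so the lists word-split.
for port in $EXTRAU; do
    echo "Allowing: UDP $port"
    IPTABLES -A UDP -p UDP --dport "$port" -j ACCEPT
done
for port in $EXTRAT; do
    echo "Allowing: TCP $port"
    IPTABLES -A TCP -p TCP --dport "$port" -j ACCEPT
done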
 
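# Lock 'n save
echo "Completing."
# Switch INPUT to default-deny only now that the accept rules are in place
# (FORWARD was set to DROP earlier; OUTPUT stays ACCEPT).
IPTABLES -P INPUT DROP
# Persist the rule set for the if-up hook. Save to a temporary file first so a
# failed iptables-save does not leave a truncated /etc/firewall.conf behind.
if iptables-save > /etc/firewall.conf.tmp; then
    mv /etc/firewall.conf.tmp /etc/firewall.conf
else
    rm -f /etc/firewall.conf.tmp
    echo "iptables-save failed; /etc/firewall.conf was not updated" >&2
fi

echo "Done."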


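# Update the System
# NOTE(review): lemp_system_update_aptitude already ran near the top of this
# script; if system_update (StackScript 1) does the same job this is a second
# update pass — confirm against the sourced libraries.
system_update

# Install and Configure Sudo
aptitude -y install sudo

# Edit a copy and install it only if visudo accepts it: a syntax error in
# /etc/sudoers disables sudo for every user on the box.
cp /etc/sudoers /etc/sudoers.tmp
chmod 0640 /etc/sudoers.tmp
# The group names are fixed strings (the original's tr pipeline only
# lower-cased a literal), so they are written directly.
# NOTE(review): %sudo_nopw grants passwordless root, yet no sudo_nopw group is
# created anywhere in this script (only sudo_pw is, further down), so any group
# later created under that name silently inherits NOPASSWD: ALL.
{
    echo "%sudo_nopw ALL = NOPASSWD: ALL"
    echo "%sudo_pw ALL = (ALL) ALL"
} >> /etc/sudoers.tmp
chmod 0440 /etc/sudoers.tmp
if visudo -c -f /etc/sudoers.tmp >/dev/null; then
    mv /etc/sudoers.tmp /etc/sudoers
else
    echo "visudo rejected /etc/sudoers.tmp; leaving /etc/sudoers unchanged" >&2
    rm -f /etc/sudoers.tmp
fi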
 
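# Configure SSHD
# Rebuilds sshd_config from a fixed list of options: a handful are set
# explicitly (Port, Protocol, PermitRootLogin, PasswordAuthentication,
# AllowGroups) and the rest are carried over from the existing file when
# present, in the same order as before.
SSHD_CONFIG=/etc/ssh/sshd_config
SSHD_CONFIG_TMP=/etc/ssh/sshd_config.tmp

#######################################
# Append every line of the current sshd_config containing "<option> " to the
# new file. The match is unanchored, as in the original sed, so a commented
# line such as "#X11Forwarding yes" is carried over too (still commented).
# Arguments: $1 - sshd option keyword
#######################################
copy_sshd_option() {
    grep -- "$1 " "$SSHD_CONFIG" >> "$SSHD_CONFIG_TMP"
}

{
    echo "Port 22"
    echo "Protocol 2"
} > "$SSHD_CONFIG_TMP"
for opt in HostKey UsePrivilegeSeparation KeyRegenerationInterval ServerKeyBits \
           SyslogFacility LogLevel LoginGraceTime; do
    copy_sshd_option "$opt"
done
# Root cannot log in directly; the unprivileged user created below gets sudo.
echo "PermitRootLogin no" >> "$SSHD_CONFIG_TMP"
for opt in StrictModes RSAAuthentication PubkeyAuthentication IgnoreRhosts \
           RhostsRSAAuthentication HostbasedAuthentication PermitEmptyPasswords \
           ChallengeResponseAuthentication; do
    copy_sshd_option "$opt"
done
# Password logins are explicitly enabled: the user created below has only a
# password, no key is installed for it.
echo "PasswordAuthentication yes" >> "$SSHD_CONFIG_TMP"
for opt in X11Forwarding X11DisplayOffset PrintMotd PrintLastLog TCPKeepAlive \
           MaxStartups AcceptEnv Subsystem UsePAM; do
    copy_sshd_option "$opt"
done
# Only members of the "ssh" group (created below) may log in.
echo "AllowGroups ssh" >> "$SSHD_CONFIG_TMP"

chmod 0600 "$SSHD_CONFIG_TMP"
# Let sshd validate the new file before it replaces the live one: a config
# sshd refuses to load would keep it from restarting and lock out remote
# access. If the sshd binary is not where expected, fall back to installing
# the file unchecked, as the original did.
if [ -x /usr/sbin/sshd ] && ! /usr/sbin/sshd -t -f "$SSHD_CONFIG_TMP"; then
    echo "sshd rejected $SSHD_CONFIG_TMP; keeping the existing $SSHD_CONFIG" >&2
    rm -f "$SSHD_CONFIG_TMP"
else
    mv "$SSHD_CONFIG_TMP" "$SSHD_CONFIG"
    # Marker presumably picked up by restartServices (sourced library) — confirm.
    touch /tmp/restart-ssh
fi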

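# create an ssh key for root
# NOTE(review): nothing in this file uses this key afterwards (no
# authorized_keys or known_hosts handling follows); it may be consumed by the
# sourced libraries or by later manual steps — confirm before relying on it.
# Skip generation when a key already exists, since ssh-keygen may stop to ask
# whether to overwrite it.
mkdir -p -m 0700 /root/.ssh
if [ ! -f /root/.ssh/id_rsa ]; then
    ssh-keygen -t rsa -q -N "" -f /root/.ssh/id_rsa
fi

# Create Groups
# ssh: only its members may log in through sshd (AllowGroups ssh above);
# sudo_pw: its members get password-protected sudo via /etc/sudoers.
# Creating them only if missing keeps a re-run from erroring here.
for grp in ssh sudo_pw; do
    getent group "$grp" >/dev/null || groupadd "$grp"
done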
 
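# Create User & Add SSH Key
# (despite the heading no SSH key is installed for the user here; the account
# logs in by password, which the sshd_config written above allows)
USER_NAME_LOWER=$(printf '%s' "$USER_NAME" | tr '[:upper:]' '[:lower:]')

useradd -m -s /bin/bash -G ssh,sudo_pw "$USER_NAME_LOWER"
# The password goes to chpasswd on stdin; echo is a builtin, so it does not
# appear in the process list.
echo "${USER_NAME_LOWER}:${USER_PASSWORD}" | chpasswd

# Look the home directory up through the passwd database instead of running a
# sed over /etc/passwd with the user name interpolated into the regex.
USER_HOME=$(getent passwd "$USER_NAME_LOWER" | cut -d: -f6)

if [ -n "$USER_HOME" ] && [ -d "$USER_HOME" ]; then
    echo "syntax on" > "${USER_HOME}/.vimrc"
    chown "${USER_NAME_LOWER}:${USER_NAME_LOWER}" "${USER_HOME}/.vimrc"
    if [ -f "${USER_HOME}/.bashrc" ]; then
        sed -i "s/#force_color_prompt=yes/force_color_prompt=yes/g" "${USER_HOME}/.bashrc"
    fi
else
    # With an empty USER_HOME the writes above would have landed in "/".
    echo "No home directory found for ${USER_NAME_LOWER}; skipping dotfile setup" >&2
fi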
 
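# Setup Hostname
# HOSTNAME is the UDF from the header (default ""), but it is also the name
# bash uses for its own current-host variable, so whether an empty UDF leaves
# bash's value here depends on the platform — skip the change when it is empty
# rather than writing an empty /etc/hostname.
if [ -n "$HOSTNAME" ]; then
    echo "$HOSTNAME" > /etc/hostname
    echo "127.0.0.1 ${HOSTNAME}" >> /etc/hosts
    /etc/init.d/hostname.sh start
else
    echo "HOSTNAME is empty; leaving the current hostname in place" >&2
fi

# -y answers the confirmation prompt instead of piping "y" into apt-get.
apt-get -y install zip git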

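# Setup Domains
# -p keeps this idempotent; plain mkdir fails if the directory already exists.
mkdir -p /var/domains

# Restart Services
# restartServices comes from StackScript 1 (sourced at the top) and was already
# called once right after the includes; presumably this second call is what
# acts on the /tmp/restart-ssh marker written by the sshd section — confirm in
# the library.
restartServices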

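# notify the admin
# The header declares the UDF as admin_email (lower case) while the other UDFs
# in this script are read in upper case (USER_NAME, USER_PASSWORD, HOSTNAME),
# so accept either spelling; whichever one the platform exports wins.
notify_to=${ADMIN_EMAIL:-$admin_email}
if [ -n "$notify_to" ]; then
	echo "build complete" | mail -s "Your server is ready" "$notify_to"
fi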