Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP
Branch: master
Fetching contributors…

Cannot retrieve contributors at this time

executable file 1356 lines (1250 sloc) 39.784 kB
#!/bin/bash
function check_install {
if [ -z "`which "$1" 2>/dev/null`" ]
then
# if [ "$1" = "postfix" ]; then
# DEBIAN_FRONTEND=noninteractive apt-get -t squeeze-backports --no-install-recommends -q -y install "$2"
# else
DEBIAN_FRONTEND=noninteractive apt-get --no-install-recommends -q -y install $2
# fi
print_info "$2 installed for $1"
else
print_warn "$2 already installed"
fi
}
function check_remove {
if [ -n "`which "$1" 2>/dev/null`" ]
then
DEBIAN_FRONTEND=noninteractive apt-get -q -y remove --purge "$2"
print_info "$2 removed"
else
print_warn "$2 is not installed"
fi
}
function check_sanity {
# Do some sanity checking.
if [ $(/usr/bin/id -u) != "0" ]
then
die 'Must be run by root user'
fi
if [ -f /etc/lsb-release ]
then
die "Distribution is not supported"
fi
if [ ! -f /etc/debian_version ]
then
die "Ubuntu is not supported"
fi
}
function die {
echo "ERROR: $1" > /dev/null 1>&2
exit 1
}
function get_domain_name() {
# Getting rid of the lowest part.
domain=${1%.*}
lowest=`expr "$domain" : '.*\.\([a-z][a-z]*\)'`
case "$lowest" in
com|net|org|gov|edu|co)
domain=${domain%.*}
;;
esac
lowest=`expr "$domain" : '.*\.\([a-z][a-z]*\)'`
[ -z "$lowest" ] && echo "$domain" || echo "$lowest"
}
function get_password() {
# Check whether our local salt is present.
SALT=/var/lib/radom_salt
if [ ! -f "$SALT" ]
then
head -c 512 /dev/urandom > "$SALT"
chmod 400 "$SALT"
fi
password=`(cat "$SALT"; echo $1) | md5sum | base64`
echo ${password:0:13}
}
function dotdeb {
if [ ! -f /etc/apt/sources.list.d/dotdeb.list ];then
cat > /etc/apt/sources.list.d/dotdeb.list <<END
deb http://packages.dotdeb.org squeeze all
deb-src http://packages.dotdeb.org squeeze all
END
wget -O - http://www.dotdeb.org/dotdeb.gpg | apt-key add -
print_info "dotdeb repository now being used"
fi
}
function install_dash {
check_install dash "dash"
rm -f /bin/sh
ln -s dash /bin/sh
}
function install_dropbear {
check_install ssh "ssh"
check_install dropbear "dropbear"
check_install /usr/sbin/xinetd "xinetd"
# Disable SSH
touch /etc/ssh/sshd_not_to_be_run
invoke-rc.d ssh stop
if [ -z $SSH_PORT ];then
SSH_PORT=22
print_info "Dropbear port set to 22"
else
if [ $SSH_PORT -le 65535 ]; then
print_info "Dropbear port set to $SSH_PORT"
else
SSH_PORT=22
print_warn "Dropbear port changed to 22"
fi
fi
# Enable dropbear to start. We are going to use xinetd as it is just
# easier to configure and might be used for other things.
cat > /etc/xinetd.d/dropbear <<END
service dropbear
{
socket_type = stream
wait = no
port = $SSH_PORT
type = unlisted
flags = $FLAGS
user = root
protocol = tcp
server = /usr/sbin/dropbear
server_args = -i
disable = no
}
END
invoke-rc.d xinetd restart
}
function install_postfix {
check_install postfix "postfix"
#sed -i "s/dc_eximconfig_configtype='local'/dc_eximconfig_configtype='internet'/" /etc/exim4/update-exim4.conf.conf
#invoke-rc.d postfix restart
cat > /etc/aliases <<END
postmaster: $EMAIL
MAILER-DAEMON: $EMAIL
abuse: $EMAIL
spam: $EMAIL
hostmaster: $EMAIL
root: $EMAIL
nobody: $EMAIL
mail: $EMAIL
END
newaliases
}
function install_exim4 {
check_install mail "exim4"
if [ -f /etc/exim4/update-exim4.conf.conf ]
then
sed -i \
"s/dc_eximconfig_configtype='local'/dc_eximconfig_configtype='internet'/" \
/etc/exim4/update-exim4.conf.conf
invoke-rc.d exim4 restart
fi
}
function install_mysql {
# Install the MySQL packages
check_install mysqld "mysql-server"
check_install mysql "mysql-client"
# Install a low-end copy of the my.cnf to disable InnoDB, and then delete
# all the related files.
invoke-rc.d mysql stop
rm -f /var/lib/mysql/ib*
cat > /etc/mysql/conf.d/lowendbox.cnf <<END
[mysqld]
key_buffer = 8M
query_cache_size = 0
ignore_builtin_innodb
default_storage_engine=MyISAM
END
invoke-rc.d mysql start
if [ ! -e ~/.my.cnf ]; then
# Generating a new password for the root user.
passwd=`get_password root@mysql`
mysqladmin password "$passwd"
cat > ~/.my.cnf <<END
[client]
user = root
password = $passwd
END
fi
chmod 600 ~/.my.cnf
}
function install_nginx {
check_install nginx "nginx"
# Need to increase the bucket size for Debian 5.
cat > /etc/nginx/conf.d/lowendbox.conf <<END
server_names_hash_bucket_size 64;
server_tokens off;
ignore_invalid_headers on;
log_format main '\$remote_addr \$host \$remote_user [\$time_local] "\$request" '
'\$status \$body_bytes_sent "\$http_referer" "\$http_user_agent" "\$gzip_ratio"';
access_log /var/log/nginx/access.log main;
upstream php {
server unix:/var/run/php5-fpm.sock;
}
END
cat > /etc/nginx/sites-available/default <<END
server {
END
if [ "$INTERFACE" = "all" ]; then
cat >> /etc/nginx/sites-available/default <<END
listen 80 default_server; ## listen for ipv4
listen 443 default_server ssl; ## listen for ipv4
listen [::]:80 default_server ipv6only=on; ## listen for ipv6
listen [::]:443 default_server ipv6only=on ssl; ## listen for ipv6
END
else
if [ "$INTERFACE" = "ipv6" ]; then
cat >> /etc/nginx/sites-available/default <<END
listen [::]:80 default_server; ## listen for ipv6
listen [::]:443 default_server ipv6only=on ssl; ## listen for ipv6
END
else
cat >> /etc/nginx/sites-available/default <<END
listen 80 default_server; ## listen for ipv4
listen 443 default_server ssl; ## listen for ipv4
END
fi
fi
cat >> /etc/nginx/sites-available/default <<END
server_name _;
access_log /var/log/nginx/default.log;
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
return 444;
}
END
cat > /etc/nginx/standard.conf <<END
location = /favicon.ico {
return 204;
log_not_found off;
access_log off;
}
location = /robots.txt {
log_not_found off;
access_log off;
}
# Make sure files with the following extensions do not get loaded by nginx because nginx would display the source code, and these files can contain PASSWORDS!
location ~* \.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(\..*|Entries.*|Repository|Root|Tag|Template)$|\.php_
{
return 444;
}
# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
location ~ /\. {
return 444;
access_log off;
log_not_found off;
}
location ~* \.(jpg|jpeg|png|gif|css|js|ico)$ {
expires max;
log_not_found off;
}
END
cat > /etc/nginx/nophp.conf <<END
location ~* \.php\$ {
return 444;
}
END
cat > /etc/nginx/nocgi.conf <<END
location ~* \\.(pl|cgi|py|sh|lua)\$ {
return 444;
}
END
cat > /etc/nginx/disallow.conf <<END
location ~* (roundcube|webdav|smtp|http\\:|soap|w00tw00t) {
return 444;
}
if (\$http_user_agent ~* "(Morfeus|larbin|ZmEu|Toata|Huawei|talktalk)" ) {
return 444;
}
END
if [ -e /etc/nginx/disallow-agent.conf ]; then
rm /etc/nginx/disallow-agent.conf
fi
sed -i """/worker_processes/cworker_processes "$CPUCORES";""" /etc/nginx/nginx.conf
invoke-rc.d nginx restart
chown www-data:adm /var/log/nginx/*
}
function install_apache {
check_install apache "apache"
}
function install_lighttpd {
check_install lighttpd "lighttpd"
if [ ! -e /etc/lighttpd/conf-enabled/10-accesslog.conf ]; then
ln -s /etc/lighttpd/conf-available/10-accesslog.conf /etc/lighttpd/conf-enabled/10-accesslog.conf
fi
if [ ! -d /etc/lighttpd/sites-available ]; then
mkdir /etc/lighttpd/sites-available
fi
if [ ! -d /etc/lighttpd/sites-enabled ]; then
mkdir /etc/lighttpd/sites-enabled
fi
if [ ! -d /var/www/default ]; then
mkdir -p /var/www/default
fi
sed -i '/server.document-root/cserver.document-root = "\/var\/www\/default"' /etc/lighttpd/lighttpd.conf
sed -i '/mod_rewrite/c\ "mod_rewrite",' /etc/lighttpd/lighttpd.conf
if [ -z "`grep 'sites-enabled' /etc/lighttpd/lighttpd.conf`" ];then
echo include_shell \"cat /etc/lighttpd/sites-enabled/*.conf\" >> /etc/lighttpd/lighttpd.conf
fi
service lighttpd restart
}
function install_php {
if [ "$DISTRIBUTION" = "wheezy" ]; then
check_install php5-fpm "php5-fpm php5-cli php5-mysql php5-cgi php5-gd php5-curl php-apc"
else
check_install php5-fpm "php5-fpm php5-cli php5-mysql php5-cgi php5-gd php5-curl php5-apc php5-suhosin"
fi
if [ "$SERVER" = "nginx" ]; then
cat > /etc/nginx/fastcgi_php <<END
location ~ \.php$ {
include /etc/nginx/fastcgi_params;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
if (-f \$request_filename) {
fastcgi_pass php;
}
}
END
fi
sed -i "/pm =/cpm = ondemand" /etc/php5/fpm/pool.d/www.conf
if [ "$MEMORY" = "low" ]; then
sed -i "/pm.max_children =/cpm.max_children = 1" /etc/php5/fpm/pool.d/www.conf
elif [ "$MEMORY" = "64" ]; then
sed -i "/pm.max_children =/cpm.max_children = 2" /etc/php5/fpm/pool.d/www.conf
elif [ "$MEMORY" = "96" ]; then
sed -i "/pm.max_children =/cpm.max_children = 3" /etc/php5/fpm/pool.d/www.conf
elif [ "$MEMORY" = "128" ]; then
sed -i "/pm.max_children =/cpm.max_children = 4" /etc/php5/fpm/pool.d/www.conf
elif [ "$MEMORY" = "192" ]; then
sed -i "/pm.max_children =/cpm.max_children = 6" /etc/php5/fpm/pool.d/www.conf
elif [ "$MEMORY" = "256" ]; then
sed -i "/pm.max_children =/cpm.max_children = 8" /etc/php5/fpm/pool.d/www.conf
elif [ "$MEMORY" = "384" ]; then
sed -i "/pm.max_children =/cpm.max_children = 12" /etc/php5/fpm/pool.d/www.conf
elif [ "$MEMORY" = "512" ]; then
sed -i "/pm.max_children =/cpm.max_children = 16" /etc/php5/fpm/pool.d/www.conf
fi
sed -i "/pm.max_requests =/cpm.max_requests = 500" /etc/php5/fpm/pool.d/www.conf
sed -i "/pm.status_path =/cpm.status_path = \/status" /etc/php5/fpm/pool.d/www.conf
sed -i "/listen =/clisten = /var/run/php5-fpm.sock" /etc/php5/fpm/pool.d/www.conf
sed -i "/listen.owner =/clisten.owner = www-data" /etc/php5/fpm/pool.d/www.conf
sed -i "/listen.group =/clisten.group = www-data" /etc/php5/fpm/pool.d/www.conf
sed -i "/listen.mode =/clisten.mode = 0666" /etc/php5/fpm/pool.d/www.conf
cat > /etc/php5/conf.d/lowendscript.ini <<END
apc.enable_cli = 1
apc.mmap_file_mask=/tmp/apc.XXXXXX
date.timezone = `cat /etc/timezone`
END
if [ "$SERVER" = "lighttpd" ]; then
cat > /etc/lighttpd/conf-available/90-fastcgi-fpm.conf << END
server.modules += ( "mod_fastcgi" )
fastcgi.server = ( ".php" =>
( "localhost" =>
(
"socket" => "/var/run/php5-fpm.sock"
# "host" => "127.0.0.1",
# "port" => "9000"
)
)
)
END
if [ ! -e /etc/lighttpd/conf-enabled/90-fastcgi-fpm.conf ]; then
ln -s /etc/lighttpd/conf-available/90-fastcgi-fpm.conf /etc/lighttpd/conf-enabled/90-fastcgi-fpm.conf
fi
fi
service php5-fpm restart
if [ "$SERVER" = "nginx" ]; then
if [ -f /etc/init.d/php-cgi ];then
service php-cgi stop
update-rc.d php-cgi remove
rm /etc/init.d/php-cgi
service nginx restart
print_info "/etc/init.d/php-cgi removed"
fi
fi
if [ "$SERVER" = "lighttpd" ]; then
service lighttpd restart
fi
}
function install_cgi {
check_install fcgiwrap "fcgiwrap"
cat > /etc/nginx/fcgiwrap.conf <<END
location ~ (\.cgi|\.py|\.sh|\.pl|\.lua)$ {
gzip off;
root /var/www/\$server_name;
autoindex on;
fastcgi_pass unix:/var/run/fcgiwrap.socket;
include /etc/nginx/fastcgi_params;
fastcgi_param DOCUMENT_ROOT /var/www/\$server_name;
fastcgi_param SCRIPT_FILENAME /var/www/\$server_name\$fastcgi_script_name;
}
END
}
function install_domain {
if [ -z "$2" ]
then
die "Usage: `basename $0` domain <hostname>"
fi
if [ "$3" = "redo" -a "SERVER" = "nginx" ]; then
rm /etc/nginx/sites-available/$2.conf /etc/nginx/sites-enabled/$2.conf /var/www/$2/index.html
if [ -e /var/www/$2/index.sh ]; then
rm /var/www/$2/index.sh
fi
fi
if [ ! -d /var/www ]; then
mkdir /var/www
chown root:root /var/www
fi
if [ ! -d /var/www/$2 ]; then
mkdir /var/www/$2
fi
chown www-data:www-data /var/www/$2
cat > "/var/www/$2/index.html" <<END
<html><head>
<title>$2</title>
<meta name='description' content=$2>
<meta name='keywords' content=$2>
<meta http-equiv='Content-type' content='text/html;charset=UTF-8'>
<meta name='ROBOTS' content='INDEX, FOLLOW'>
<h1>It works!</h1>
<p>This is the default web page for $2</p>
<p>The web server software is running but no content has been added, yet.</p>
</head><body>
</pre></body></html>
END
cat > "/var/www/$2/robots.txt" <<END
User-agent: *
Disallow: /
END
if [ "SERVER" = "nginx" ];then
# Setting up Nginx mapping
cat > "/etc/nginx/sites-available/$2.conf" <<END
server {
listen 80;
END
if [ "$FLAGS" = "ipv6" ]; then
cat >> "/etc/nginx/sites-available/$2.conf" <<END
listen [::]:80;
END
fi
cat >> "/etc/nginx/sites-available/$2.conf" <<END
server_name www.$2;
rewrite ^(.*) http://$2\$1 permanent;
}
server {
listen 80;
END
if [ "$FLAGS" = "ipv6" ]; then
cat >> "/etc/nginx/sites-available/$2.conf" <<END
listen [::]:80;
server_name $2 ipv4.$2 ipv6.$2;
END
else
cat >> "/etc/nginx/sites-available/$2.conf" <<END
server_name $2;
END
fi
cat >> "/etc/nginx/sites-available/$2.conf" <<END
access_log /var/log/nginx/$2.log main;
include standard.conf;
# include fastcgi_php;
include nophp.conf;
# include fcgiwrap.conf;
include nocgi.conf;
include disallow.conf;
END
cat >> "/etc/nginx/sites-available/$2.conf" <<END
root /var/www/$2;
index index.html;
}
END
ln -s /etc/nginx/sites-available/$2.conf /etc/nginx/sites-enabled/$2.conf
invoke-rc.d nginx reload
fi
if [ "$SERVER" = "lighttpd" ]; then
host=${2//./\\.}
cat > "/etc/lighttpd/sites-available/$2.conf" << END
\$HTTP["host"] =~ "$host" {
server.document-root = "/var/www/$2"
accesslog.filename = "/var/log/lighttpd/$2.log"
}
END
if [ ! -e /etc/lighttpd/sites-enabled/$2.conf ]; then
ln -s /etc/lighttpd/sites-available/$2.conf /etc/lighttpd/sites-enabled/$2.conf
fi
service lighttpd restart
fi
}
function install_iptables {
check_install iptables "iptables"
if [ -z "$1" ]
then
die "Usage: `basename $0` iptables <ssh-port-#>"
fi
KERNEL=`uname -r`
if [ ! -d /lib/modules/$KERNEL ]; then
mkdir /lib/modules/$KERNEL
depmod
fi
# Create startup rules
cat > /etc/init.d/iptables <<END
#! /bin/sh
#This is an Ubuntu adapted iptables script from gentoo
#(http://www.gentoo.org) which was originally distributed
#under the terms of the GNU General Public License v2
#and was Copyrighted 1999-2004 by the Gentoo Foundation
#
#This adapted version was intended for and ad-hoc personal
#situation and as such no warranty is provided.
### BEGIN INIT INFO
# Provides: iptables
# Required-Start: \$local_fs \$remote_fs \$network \$syslog
# Required-Stop: \$local_fs \$remote_fs \$network \$syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Start the iptables firewall
### END INIT INFO
. /lib/lsb/init-functions
IPTABLES_SAVE="/etc/default/iptables-rules"
SAVE_RESTORE_OPTIONS="-c"
checkrules() {
if [ ! -f \${IPTABLES_SAVE} ]
then
echo "Not starting iptables. First create some rules then run"
echo "\"/etc/init.d/iptables save\""
return 1
fi
}
save() {
/sbin/iptables-save \${SAVE_RESTORE_OPTIONS} > \${IPTABLES_SAVE}
return \$?
}
start(){
checkrules || return 1
/sbin/iptables-restore \${SAVE_RESTORE_OPTIONS} < \${IPTABLES_SAVE}
return \$?
}
case "\$1" in
save)
echo -n "Saving iptables state..."
save
if [ \$? -eq 0 ] ; then
echo " ok"
else
echo " error !"
fi
;;
start)
log_begin_msg "Loading iptables state and starting firewall..."
start
log_end_msg \$?
;;
stop)
log_begin_msg "Stopping firewall..."
for a in \`cat /proc/net/ip_tables_names\`; do
/sbin/iptables -F -t \$a
/sbin/iptables -X -t \$a
if [ \$a == nat ]; then
/sbin/iptables -t nat -P PREROUTING ACCEPT
/sbin/iptables -t nat -P POSTROUTING ACCEPT
/sbin/iptables -t nat -P OUTPUT ACCEPT
elif [ \$a == mangle ]; then
/sbin/iptables -t mangle -P PREROUTING ACCEPT
/sbin/iptables -t mangle -P INPUT ACCEPT
/sbin/iptables -t mangle -P FORWARD ACCEPT
/sbin/iptables -t mangle -P OUTPUT ACCEPT
/sbin/iptables -t mangle -P POSTROUTING ACCEPT
elif [ \$a == filter ]; then
/sbin/iptables -t filter -P INPUT ACCEPT
/sbin/iptables -t filter -P FORWARD ACCEPT
/sbin/iptables -t filter -P OUTPUT ACCEPT
fi
done
log_end_msg 0
;;
restart)
log_begin_msg "Restarting firewall..."
for a in \`cat /proc/net/ip_tables_names\`; do
/sbin/iptables -F -t \$a
/sbin/iptables -X -t \$a
done;
start
log_end_msg \$?
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop|restart|save}" >&2
exit 1
;;
esac
exit 0
END
chmod +x /etc/init.d/iptables
# Flush any existing iptables
/sbin/iptables -v -F
# http://articles.slicehost.com/2010/4/30/ubuntu-lucid-setup-part-1
# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
/sbin/iptables -v -A INPUT -i lo -j ACCEPT
/sbin/iptables -v -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
# Accepts all established inbound connections
/sbin/iptables -v -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allows all outbound traffic
# You can modify this to only allow certain traffic
/sbin/iptables -v -A OUTPUT -j ACCEPT
# Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
/sbin/iptables -v -A INPUT -p tcp --dport 80 -j ACCEPT
/sbin/iptables -v -A INPUT -p tcp --dport 443 -j ACCEPT
# IF YOU USE INCOMMING MAIL UN-COMMENT THESE!!!
# Allows POP (and SSL-POP)
#/sbin/iptables -v -A INPUT -p tcp --dport 110 -j ACCEPT
#/sbin/iptables -v -A INPUT -p tcp --dport 995 -j ACCEPT
# SMTP (and SSMTP)
#/sbin/iptables -v -A INPUT -p tcp --dport 25 -j ACCEPT
#/sbin/iptables -v -A INPUT -p tcp --dport 465 -j ACCEPT
# IMAP (and IMAPS)
#/sbin/iptables -v -A INPUT -p tcp --dport 143 -j ACCEPT
#/sbin/iptables -v -A INPUT -p tcp --dport 993 -j ACCEPT
# Allows SSH connections (only 3 attempts by an IP every 2 minutes, drop the rest to prevent SSH attacks)
/sbin/iptables -v -A INPUT -p tcp -m tcp --dport $1 -m state --state NEW -m recent --set --name DEFAULT --rsource
/sbin/iptables -v -A INPUT -p tcp -m tcp --dport $1 -m state --state NEW -m recent --update --seconds 120 --hitcount 3 --name DEFAULT --rsource -j DROP
/sbin/iptables -v -A INPUT -p tcp -m state --state NEW --dport $1 -j ACCEPT
# Allow ping
/sbin/iptables -v -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# log iptables denied calls
/sbin/iptables -v -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Reject all other inbound - default deny unless explicitly allowed policy
/sbin/iptables -v -A INPUT -j REJECT
/sbin/iptables -v -A FORWARD -j REJECT
/etc/init.d/iptables save
update-rc.d iptables defaults
}
function install_syslogd {
# We just need a simple vanilla syslogd. Also there is no need to log to
# so many files (waste of fd). Just dump them into
# /var/log/(cron/mail/messages)
check_install /usr/sbin/syslogd "inetutils-syslogd"
invoke-rc.d inetutils-syslogd stop
for file in /var/log/*.log /var/log/mail.* /var/log/debug /var/log/syslog
do
[ -f "$file" ] && rm -f "$file"
done
for dir in fsck news
do
[ -d "/var/log/$dir" ] && rm -rf "/var/log/$dir"
done
cat > /etc/syslog.conf <<END
*.*;mail.none;cron.none -/var/log/messages
cron.* -/var/log/cron
mail.* -/var/log/mail
END
[ -d /etc/logrotate.d ] || mkdir -p /etc/logrotate.d
cat > /etc/logrotate.d/inetutils-syslogd <<END
/var/log/cron
/var/log/mail
/var/log/messages {
rotate 4
weekly
missingok
notifempty
compress
sharedscripts
postrotate
/etc/init.d/inetutils-syslogd reload >/dev/null
endscript
}
END
invoke-rc.d inetutils-syslogd start
}
function install_wordpress {
check_install wget "wget"
if [ -z "$1" ]
then
die "Usage: `basename $0` wordpress <hostname>"
fi
# Downloading the WordPress' latest and greatest distribution.
mkdir /tmp/wordpress.$$
wget -O - http://wordpress.org/latest.tar.gz | \
tar zxf - -C /tmp/wordpress.$$
if [ ! -d /var/www ]; then
mkdir /var/www
fi
mv /tmp/wordpress.$$/wordpress "/var/www/$1"
rm -rf /tmp/wordpress.$$
chown root:root -R "/var/www/$1"
# Setting up the MySQL database
dbname=`echo $1 | tr . _`
userid=`get_domain_name $1`
# MySQL userid cannot be more than 15 characters long
userid="${userid:0:15}"
passwd=`get_password "$userid@mysql"`
cp "/var/www/$1/wp-config-sample.php" "/var/www/$1/wp-config.php"
sed -i "s/database_name_here/$dbname/; s/username_here/$userid/; s/password_here/$passwd/" \
"/var/www/$1/wp-config.php"
mysqladmin create "$dbname"
echo "GRANT ALL PRIVILEGES ON \`$dbname\`.* TO \`$userid\`@localhost IDENTIFIED BY '$passwd';" | \
mysql
if [ "$SERVER" = "nginx" ]; then
# Setting up Nginx mapping
cat > "/etc/nginx/sites-available/$1.conf" <<END
server {
listen 80;
listen [::]:80;
server_name $1;
root /var/www/$1;
access_log /var/log/nginx/$1.log main;
index index.php;
include standard.conf;
include fastcgi_php;
include nocgi.conf;
include disallow.conf;
END
cat >> "/etc/nginx/sites-available/$1.conf" <<END
location / {
try_files \$uri \$uri/ /index.php;
}
END
if [ -e /etc/nginx/myips.conf ]; then
cat >> "/etc/nginx/sites-available/$1.conf" <<END
location /wp-admin {
include myips.conf;
try_files \$uri \$uri/ /index.php;
}
END
fi
cat >> "/etc/nginx/sites-available/$1.conf" <<END
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
#NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
include fastcgi_params;
fastcgi_intercept_errors on;
fastcgi_pass php;
}
}
END
ln -s /etc/nginx/sites-available/$1.conf /etc/nginx/sites-enabled/$1.conf
service nginx force-reload
fi
if [ "$SERVER" = "lighttpd" ]; then
host=${1//./\\.}
cat > "/etc/lighttpd/sites-available/$1.conf" <<END
\$HTTP["host"] =~ "^(www\.)?$host\$" {
server.document-root = "/var/www/$1"
accesslog.filename = "/var/log/lighttpd/$1.log"
}
END
ln -s /etc/lighttpd/sites-available/$1.conf /etc/lighttpd/sites-enabled/$1.conf
service lighttpd force-reload
fi
}
function install_friendica {
if [ -z "$2" ]; then
die "Usage: `basename $0` friendica <hostname>"
fi
if [ -d /var/www/$2 -a ! "$3" = "redo" ]; then
die "$2 already exists"
fi
check_install "friendica dependencies" "git php5-imap php5-mcrypt"
if [ ! -d /var/www ]; then
mkdir /var/www
fi
cd /var/www
if [ -d friendica ]; then
rm -r friendica #Delete previous clone, which may have errors
fi
if [ ! "$3" = "redo" ]; then
git clone https://github.com/friendica/friendica.git
mv friendica $2
chown www-data:www-data $2
cd $2
git clone https://github.com/friendica/friendica-addons.git
mv friendica-addons addon
chown www-data:www-data addon
fi
cd /var/www/$2
if [ "$SERVER" = "nginx" ]; then
cat > "/etc/nginx/sites-available/$2.conf" <<END
server {
listen 80;
# listen 443 ssl;
END
fi
if [ "$FLAGS" = "ipv6" -o "$FLAGS" = "all" ]; then
cat >> "/etc/nginx/sites-available/$2.conf" <<END
listen [::]:80;
# listen [::]:443 ssl;
END
fi
cat >> "/etc/nginx/sites-available/$2.conf" <<END
server_name $2;
access_log /var/log/nginx/$2.log main;
root /var/www/$2;
# ssl_certificate ssl_keys/$2.crt;
# ssl_certificate_key ssl_keys/$2.key;
# ssl_session_timeout 5m;
# ssl_session_cache shared:SSL:10m;
# ssl_protocols SSLv3 TLSv1;
# ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
# ssl_prefer_server_ciphers on;
location = /favicon.ico {
return 204;
log_not_found off;
access_log off;
}
location = /robots.txt {
log_not_found off;
access_log off;
}
location ~ /\.(ht|git) {
return 444;
access_log off;
log_not_found off;
}
location ~ \.log$ {
return 444;
access_log off;
log_not_found off;
}
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
include fastcgi_params;
# fastcgi_param HTTPS on;
fastcgi_index index.php;
fastcgi_pass php;
try_files \$uri \$uri/ =404;
}
location / {
index index.php;
if (!-f \$request_filename) {
rewrite ^/(.+)\$ /index.php?q=\$1 last;
}
try_files \$uri \$uri/ =404;
}
}
END
if [ "$SERVER" = "lighttpd" ]; then
host=${2//./\\.}
cat > "/etc/lighttpd/sites-available/$2.conf" <<END
\$HTTP["host"] =~ "^(www\.)?$host\$" {
server.document-root = "/var/www/$2"
mimetype.assign += ( ".jar" => "x-java-archive",
".oga" => "audio/ogg" )
# uncomment for 1.4, which lacks $PHYSICAL
\$HTTP["url"] =~ "\.(out|log)$" {
url.access-deny = ( "" )
}
# for 1.5 and above
#PHYSICAL["path"] =~ "\.(out|log)$" {
# url.access-deny = ( "" )
#}
else \$HTTP["url"] =~ "(^|/)\." {
url.access-deny = ( "" )
}
url.rewrite-if-not-file = ( "^/([^?]*)(?:\?(.*))?" => "/index.php?q=\$1&\$2" )
accesslog.filename = "/var/log/lighttpd/$2.log"
}
END
fi
cat > "/var/www/$2/robots.txt" <<END
User-agent: *
Disallow: /
END
if [ ! "$3" = "redo" ]; then
cat >> "/etc/crontab" <<END
50 7 * * * root cd /var/www/$2;git pull;cd addon;git pull
*/10 * * * * www-data cd /var/www/$2; nice -n 15 /usr/bin/php include/poller.php > /dev/null
END
fi
if [ "$SERVER" = "nginx" ]; then
ln -s /etc/nginx/sites-available/$2.conf /etc/nginx/sites-enabled/$2.conf
service nginx force-reload
fi
if [ "$SERVER" = "lighttpd" ]; then
ln -s /etc/lighttpd/sites-available/$2.conf /etc/lighttpd/sites-enabled/$2.conf
service lighttpd force-reload
fi
cd /var/www/$2
cp htconfig.php .htconfig.php
echo -n "Enter admin email: "
read -e EMAIL
sed -i "/\['admin_email'\]/c\$a->config['admin_email'] = '$EMAIL';" .htconfig.php
sed -i "/\['sitename'\]/c\$a->config['sitename'] = '$2';" .htconfig.php
dbname=`echo $2 | tr . _`
echo database is $dbname
# userid=`substr($dbname,0,15)
echo $userid;
# MySQL userid cannot be more than 15 characters long
userid="${dbname:0:15}"
echo $userid;
passwd=`get_password "$userid@mysql"`
mysqladmin create "$dbname"
echo "GRANT ALL PRIVILEGES ON \`$dbname\`.* TO \`$userid\`@localhost IDENTIFIED BY '$passwd';" | mysql
sed -i "/\$db_host =/c\$db_host = 'localhost';" .htconfig.php
sed -i "/\$db_user =/c\$db_user = '$userid';" .htconfig.php
sed -i "/\$db_pass =/c\$db_pass = '$passwd';" .htconfig.php
sed -i "/\$db_data =/c\$db_data = '$dbname';" .htconfig.php
mysql $dbname < ./database.sql
}
function install_yourls {
if [ -z "$2" ]; then
die "Usage: `basename $0` yourls <hostname>"
fi
if [ -d /var/www/$2 -a ! "$3" = "redo" ]; then
die "$2 already exists"
fi
#check_install "yourls dependencies" "git php5-imap php5-mcrypt"
if [ ! -d /var/www ]; then
mkdir /var/www
fi
cd /var/www
}
function install_imap {
if [ -z "$2" ]; then
die "Usage: `basename $0` imap <username> <hostname>"
fi
if [ -d /var/www/$3 -a ! "$4" = "redo" ]; then
die "$3 already exists"
fi
check_install imap "postfix dovecot-imapd squirrelmail procmail php5-imap"
if [ -z "`grep $2: /etc/passwd`" ]; then
useradd -g users -m $2
echo creating password for $2
passwd $2
fi
if [ ! -d /home/$2/Maildir ]; then
mkdir /home/$2/Maildir
mkdir /home/$2/Maildir/cur
mkdir /home/$2/Maildir/tmp
mkdir /home/$2/Maildir/new
chown -R $2:users /home/$2/Maildir
fi
sed -i "/protocols = imap/cprotocols = imap" /etc/dovecot/dovecot.conf
sed -i "/#listen =/clisten = 127.0.0.1" /etc/dovecot/dovecot.conf
sed -i "/disable_plaintext_auth =/cdisable_plaintext_auth = no" /etc/dovecot/dovecot.conf
sed -i "/login_processes_count =/clogin_processes_count = 1" /etc/dovecot/dovecot.conf
service dovecot force-reload
ln -s /usr/share/squirrelmail /var/www/$3
cat >> "/etc/nginx/sites-available/$2.conf" <<END
server {
listen 80;
server_name $3;
access_log /var/log/nginx/$3.log;
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
include fastcgi_params;
fastcgi_intercept_errors on;
fastcgi_pass php;
}
include myips.conf;
root /var/www/$3/;
index src/index.php;
include standard.conf;
location ~* ^/(.+\.(html|xml|txt))$ {
expires max;
log_not_found off;
}
}
END
ln -s /etc/nginx/sites-available/$3.conf /etc/nginx/sites-enabled/$3.conf
}
function install_statusnet {
if [ -z "$2" ]; then
die "Usage: `basename $0` statusnet <hostname>"
fi
if [ -d /var/www/$2 -a ! "$3" = "redo" ]; then
die "$2 already exists"
fi
check_install "statusnet dependencies" "git php5-imap php5-mcrypt"
if [ ! -d /var/www ]; then
mkdir /var/www
fi
cd /var/www
}
function print_info {
echo -n -e '\e[1;36m'
echo -n $1
echo -e '\e[0m'
}
function print_warn {
echo -n -e '\e[1;33m'
echo -n $1
echo -e '\e[0m'
}
function remove_unneeded {
# Some Debian have portmap installed. We don't need that.
if [ "$OPENVZ" != 'gnome' ]; then
check_remove /sbin/portmap portmap
fi
# Remove rsyslogd, which allocates ~30MB privvmpages on an OpenVZ system,
# which might make some low-end VPS inoperatable. We will do this even
# before running apt-get update.
check_remove /usr/sbin/rsyslogd rsyslog
# Other packages that seem to be pretty common in standard OpenVZ
# templates.
if [ ! "SERVER" = "apache" ]; then
check_remove /usr/sbin/apache2 'apache2*'
fi
check_remove /usr/sbin/named bind9
check_remove /usr/sbin/smbd 'samba*'
check_remove /usr/sbin/nscd nscd
apt-get -q -y purge smbfs libapr1
# Need to stop sendmail as removing the package does not seem to stop it.
if [ -f /usr/lib/sm.bin/smtpd ]
then
invoke-rc.d sendmail stop
check_remove /usr/lib/sm.bin/smtpd 'sendmail*'
fi
}
function update_upgrade {
# Run through the apt-get update/upgrade first. This should be done before
# we try to install any package
apt-get -q -y update
if [ "$OPENVZ" = 'yes' ]; then
if [ -z "`grep 'ulimit -s 256' /etc/init.d/rc`" ];then
sed -i "s/export PATH/export PATH\\nulimit -s 256/" /etc/init.d/rc
fi
if [ ! -f /etc/security/limits.d/stack.conf ]; then
cat > /etc/security/limits.d/stack.conf <<END
root - stack 256
* - stack 256
END
fi
fi
check_install locales "locales"
dpkg-reconfigure locales
apt-get -q -y upgrade
}
function vzquota_fix {
if [ -f /etc/init.d/vzquota -a ! -e /etc/insserv/overrides/vzquota ]; then
cat > /etc/insserv/overrides/vzquota <<END
### BEGIN INIT INFO
# Provides: vzquota
# Required-Start: \$all
# Required-Stop: \$all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Start vzquota at the end of boot
# Description: This command is used to configure and see disk quota statistics for Containers.
### END INIT INFO
END
print_info "/etc/insserv/overrides/vzquota created"
else
print_warn "/etc/insserv/overrides/vzquota not created"
fi
if [ -f /etc/rc6.d/K00vzreboot ];then
rm /etc/rc6.d/K00vzreboot
print_info "/etc/rc6.d/K00vzreboot removed"
fi
if [ -f /etc/rc6.d/S00vzreboot ];then
rm /etc/rc6.d/S00vzreboot
print_info "/etc/rc6.d/S00vzreboot removed"
fi
}
# OPTIONAL
#Custom commands go here, mine are included as examples delete as required
function custom {
check_install keith "rsync autossh apticron dnsutils mc"
if [ "$OPENVZ" != 'gnome' ]; then
check_remove fancontrol fancontrol
check_remove dbus-daemon dbus
fi
check_remove saslauthd sasl2-bin
if [ -n '`grep "# set softwrap" /etc/nanorc`' ];then
sed -i "s/# set softwrap/set softwrap/" /etc/nanorc
print_info "set softwrap in /etc/nanorc"
fi
# if [ -n '`grep "# set tabsize 8" /etc/nanorc`' ];then
# sed -i "s/# set tabsize 8/set tabsize 4/" /etc/nanorc
# print_info "set tabsize 4 in /etc/nanorc"
# fi
if [ -n "`grep '# Port 22' /etc/ssh/ssh_config`" ];then
sed -i "s/# Port 22/ Port $SSH_PORT/" /etc/ssh/ssh_config
print_info "default outgoing ssh port set to $SSH_PORT"
else
print_warn "/etc/ssh/ssh_config already changed"
fi
if [ -z "`grep 'MAILTO=' /etc/crontab`" ];then
sed -i "s/SHELL=\/bin\/sh/SHELL=\/bin\/sh\\nMAILTO=root/" /etc/crontab
print_info "MAILTO=root now in /etc/crontab"
fi
if [ -z "`grep 'dpkg --get-selections' /etc/crontab`" ];then
echo "0 10 * * * root dpkg --get-selections >/root/dpkg-selections" >> /etc/crontab
fi
sed -i "s/rotate 52/rotate 1/" /etc/logrotate.d/nginx
sed -i "s/weekly/daily/" /etc/logrotate.conf
sed -i "s/rotate 4/rotate 1/" /etc/logrotate.conf
chown www-data:adm /var/log/nginx/*.log
service nginx restart
cat > /usr/local/bin/bootmail.py <<END
import datetime
import smtplib
def smtp():
host="`hostname -f`"
to = '$EMAIL'
mail_user = 'bootmail@%s' % (host)
smtpserver = smtplib.SMTP("127.0.0.1",25)
smtpserver.ehlo()
smtpserver.ehlo
header = 'To:' + to + '\\n' + 'From: ' + mail_user + '\\n' + 'Subject: %s has been booted' % (host)
print str(datetime.datetime.utcnow())[:19],host,"has been booted"
msg = header + '\\n\\n'
smtpserver.sendmail(mail_user, to, msg)
smtpserver.close()
return
smtp()
END
if [ -z "`grep 'python /usr/local/bin/bootmail.py' /etc/rc.local`" ]; then
sed -i "s/nothing./nothing.\\n\/usr\/bin\/python \/usr\/local\/bin\/bootmail.py/" /etc/rc.local
print_info "bootmail.py inserted into /etc/rc.local"
else
print_warn "bootmail.py already in /etc/rc.local"
fi
}
########################################################################
# START OF PROGRAM
########################################################################
export PATH=/bin:/usr/bin:/sbin:/usr/sbin
check_sanity
if [ ! -f ./setup-debian.conf ]; then
cat > ./setup-debian.conf <<END
SSH_PORT=1234 # Change 1234 to the port of your choice
INTERFACE=all # Options are all for a dual stack ipv4/ipv6 server
# ipv4 for an ipv4 server
# ipv6 for an ipv6 server
# Defaults to ipv4 only if incorrect
EMAIL=changeme@example.com # mail user or an external email address
OPENVZ=yes # Values are yes, no or gnome
DISTRIBUTION=squeeze # Values are squeeze or wheezy
SERVER=nginx # Values are nginx or lighttpd
END
fi
if [ -z "`grep 'CPUCORES' ./setup-debian.conf`" ]; then
echo CPUCORES=detect \# Options are detect or n where n = number of cpu cores to be used >> ./setup-debian.conf
fi
if [ -z "`grep 'MEMORY' ./setup-debian.conf`" ]; then
echo MEMORY=128 \# values are low, 64, 96, 128, 192, 256, 384, 512 - use 512 if more memory is available >> ./setup-debian.conf
fi
if [ -z "`grep 'DISTRIBUTION' ./setup-debian.conf`" ]; then
echo DISTRIBUTION=squeeze \# Values are squeeze or wheezy >> ./setup-debian.conf
fi
if [ -z "`grep 'SERVER' ./setup-debian.conf`" ]; then
echo SERVER=nginx \# Values are nginx or lighttpd >> ./setup-debian.conf
fi
if [ -z "`which "$1" 2>/dev/null`" -a ! "$1" = "domain" ]; then
apt-get -q -y update
check_install nano "nano"
fi
if [ ! "$1" = "domain" ]; then
nano ./setup-debian.conf
fi
[ -r ./setup-debian.conf ] && . ./setup-debian.conf
if [ "$OPENVZ" = 'yes' -a "$DISTRIBUTION" = "squeeze" ]; then
vzquota_fix
fi
if [ "$CPUCORES" = "detect" ]; then
CPUCORES=`grep -c processor //proc/cpuinfo`
fi
if [ "$INTERFACE" = "all" -o "$INTERFACE" = "ipv6" ]; then
FLAGS=ipv6
else
FLAGS=ipv4
fi
case "$1" in
all)
remove_unneeded
if [ "$DISTRIBUTION" = "squeeze" ]; then
dotdeb
elif [ -e /etc/apt/sources.list.d/dotdeb.list ];then
rm /etc/apt/sources.list.d/dotdeb.list
fi
update_upgrade
check_install tzdata "tzdata"
dpkg-reconfigure tzdata
install_dash
install_syslogd
install_dropbear
echo -n "To change root password press y then [ENTER]: "
read -e reply
if [ "$reply" = "y" ]; then
passwd
fi
install_postfix
install_mysql
if [ "$SERVER" = "apache" ]; then
install_apache
elif [ "$SERVER" = "lighttpd" ]; then
install_lighttpd
else
install_nginx #nginx is installed after postfix as it uses postfix's ssl cert
fi
install_php
if [ "$SERVER" = "nginx" ]; then
install_cgi
fi
# install_iptables $SSH_PORT
;;
postfix)
install_postfix
;;
exim4)
install_exim4
;;
iptables)
install_iptables $SSH_PORT
;;
mysql)
install_mysql
;;
nginx)
if [ -z "`which "postfix" 2>/dev/null`" ]; then
print_warn "Postfix has to be installed as nginx uses Postfix's ssl cert"
else
install_nginx
fi
;;
#apache)
# install_apache
# ;;
lighttpd)
install_lighttpd
;;
php)
install_php
;;
cgi)
install_cgi
;;
domain)
install_domain $1 $2 $3
;;
system)
remove_unneeded
dotdeb
update_upgrade
check_install tzdata "tzdata"
dpkg-reconfigure tzdata
install_dash
install_syslogd
install_dropbear
echo -n "To change root password press y then [ENTER]: "
read -e reply
if [ "$reply" = "y" ]; then
passwd
fi
;;
custom)
custom $2
;;
wordpress)
install_wordpress $2
;;
friendica)
install_friendica $1 $2 $3
;;
*) echo 'Usage:' `basename $0` '[option]'
echo 'Available option:'
for option in system postfix exim4 iptables mysql lighttpd nginx php cgi domain wordpress friendica custom
do
echo ' -' $option
done
;;
esac
Jump to Line
Something went wrong with that request. Please try again.