ss-install.txt

#!/bin/bash

#############################################################
#### author: slickstack #####################################
#### link: https://slickstack.io ############################
#### mirror: http://mirrors.slickstack.io/ss-install.txt ####
#### path: /var/www/ss-install ##############################
#### purpose: installs slickstack (re-installable) ##########
#############################################################

## slickstack config ##
source /var/www/ss-config

##################
#### ss-check ####
##################

## delete tmp files ##
rm -R -f /tmp/ss-check*

# download latest versions ##
cd /tmp/
wget --no-cache http://mirrors.slickstack.io/ss-check.txt

## rename files ##
mv ss-check.txt ss-check

## copy files to their destinations ##
cp -R -f -d --no-preserve=mode,ownership /tmp/ss-check /var/www/ss-check

## delete tmp files ##
rm -R -f /tmp/ss-check*

## reset permissions ##
chown root:root /var/www/ss-check
chmod 755 /var/www/ss-check

## call scripts ##
source /var/www/ss-check
source /var/www/ss-perms

###############
#### repos ####
###############

## fix dpkg ##
DEBIAN_FRONTEND=noninteractive dpkg --configure -a --force-confold

## update and upgrade repos ##
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin' /usr/bin/apt -q --yes -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin' /usr/bin/apt -q --yes -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" upgrade

## autoremove ##
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin' /usr/bin/apt -q --yes -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" autoremove

## install update-manager-core ##
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin' /usr/bin/apt -q --yes -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" install update-manager-core

## install linux utilities ##
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin' /usr/bin/apt -q --yes -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" install zip unzip

## install git ##
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin' /usr/bin/apt -q --yes -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" install git

#########################
#### configure users ####
#########################

## reset root ssh/sftp password ##
echo root:$rootpass | /usr/sbin/chpasswd

## ensure root password never expires ##
chage -E -1 -m 0 -M -1 -I -1 -W 99999 root

## add sudo ssh/sftp user ##
adduser --disabled-password --gecos "" $sudo
echo $sudo:$sudopass | /usr/sbin/chpasswd

## add non-sudo sftp user (chroot jail) ##
adduser --disabled-password --gecos "" $user
echo $user:$userpass | /usr/sbin/chpasswd

## set default editor to nano ##
update-alternatives --set editor /bin/nano

####################################
#### configure sudoers (visudo) ####
####################################

## delete tmp files ##
rm -R -f /tmp/sudoers.txt sudoers

## download latest versions ##
cd /tmp/
wget --no-cache http://mirrors.slickstack.io/ubuntu/sudoers.txt

## replace variables ##
sed -i "s/@SUDO/${sudo}/g" /tmp/sudoers.txt

## rename files ##
mv sudoers.txt sudoers

## copy files to their destinations ##
cp -R -f -d --no-preserve=mode,ownership /tmp/sudoers /etc/sudoers

## delete tmp files ##
rm -R -f /tmp/sudoers.txt sudoers

## reset permissions ##
chown root:root /etc/sudoers
chmod 440 /etc/sudoers

############################
#### configure ssh/sftp ####
############################

## delete tmp files ##
rm -R -f /tmp/sshd-config.txt sshd_config

## download latest versions ##
cd /tmp/
wget --no-cache http://mirrors.slickstack.io/ubuntu/sshd-config.txt

## replace variables ##
sed -i "s/@SUDO/${sudo}/g" /tmp/sshd-config.txt
sed -i "s/@USER/${user}/g" /tmp/sshd-config.txt

## rename files ##
mv sshd-config.txt sshd_config

## overwrite all files to their various destinations ##
cp -R -f --no-preserve=mode,ownership /tmp/sshd_config /etc/ssh/sshd_config

## delete tmp files ##
rm -R -f /tmp/sshd-config.txt sshd_config

## reset permissions ##
chown root:root /etc/ssh/sshd_config

## restart ssh ##
/etc/init.d/ssh restart

############################
#### configure timezone ####
############################

## set UTC timezone ##
timedatectl set-timezone UTC

#########################
#### install crontab ####
#########################

## delete tmp files ##
# rm -R -f /tmp/crontab.txt /tmp/root
## download latest versions ##
# cd /tmp/
# wget --no-cache http://mirrors.slickstack.io/ubuntu/crontab.txt
## rename files ##
# mv /tmp/crontab.txt /tmp/root
## copy files to destinations ##
# cp -R -f --preserve=mode,ownership /tmp/root /var/spool/cron/crontabs/root
## delete tmp files ##
# rm -R -f /tmp/crontab.txt /tmp/root

## install slickstack crontab ##
crontab /var/www/0-crontab

## reset permissions ##
chown root:root /var/spool/cron/crontabs/root

## reload crontab ##
/etc/init.d/cron reload

#######################
### install wp-cli ####
#######################

## download latest versions ##
cd /tmp/
wget --no-cache http://mirrors.slickstack.io/wp-cli/wp-cli.phar
wget --no-cache http://mirrors.slickstack.io/wp-cli/wp-completion.txt

## rename files and copy to their destinations ##
mv wp-cli.phar /usr/local/bin/wp

## rename files ##
mv /tmp/wp-completion.txt /tmp/wp-completion.bash

## copy files to destinations ##
cp -R -f --preserve=mode,ownership /tmp/wp-completion.bash /home/wp-completion.bash

## reset permissions ##
## https://www.alexgeorgiou.gr/wp-cli-www-data-user-permissions-linux/ ##
chown root:root /usr/local/bin/
chown www-data:www-data /usr/local/bin/wp
chmod 6775 /usr/local/bin/wp
chown www-data:www-data /home/wp-completion.bash
chmod 6775 /home/wp-completion.bash

#########################
#### install openssl ####
#########################

## generate ssl certificate ##
openssl req -new -x509 -nodes -days 730 -newkey rsa:2048 -keyout /etc/ssl/nginx.key -out /etc/ssl/nginx.crt -subj "/C=${country}/ST=${state}/L=${city}/O=${company}/OU=${dept}/CN=${domain}"

## reset permissions ##
chown root:root /etc/ssl/nginx.key
chown root:root /etc/ssl/nginx.crt

########################################
#### install nginx (latest version) ####
########################################

## update repos ##
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin' /usr/bin/apt -q --yes -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" update

## add nginx mainline (dev) ppa ##
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin' /usr/bin/add-apt-repository --yes ppa:nginx/development

## update repos ##
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin' /usr/bin/apt -q --yes -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" update

## install nginx-extras ##
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin' /usr/bin/apt -q --yes -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" install nginx-extras

#########################
#### configure nginx ####
#########################

## delete tmp files ##
rm -R -f /tmp/nginx-conf.txt /tmp/nginx-conf /tmp/nginx.conf

## download latest versions ##
cd /tmp/
wget --no-cache http://mirrors.slickstack.io/nginx/nginx-conf.txt

## replace placeholders with slickstack variables ##
sed -i "s/@CACHEMEMORY/${cachememory}/g" /tmp/nginx-conf.txt
sed -i "s/@CACHEINACTIVE/${cacheinactive}/g" /tmp/nginx-conf.txt
sed -i "s/@CACHEMAXSIZE/${cachemaxsize}/g" /tmp/nginx-conf.txt

## rename files ##
mv nginx-conf.txt nginx.conf

## copy files to destinations ##
cp -R -f --no-preserve=mode,ownership /tmp/nginx.conf /etc/nginx/nginx.conf

## delete tmp files ##
rm -R -f /tmp/nginx-conf.txt /tmp/nginx.conf

## create fastcgi cache directory if does not exist ##
mkdir /var/www/cache

## reset permissions ##
chown www-data:www-data /var/www/cache
chown root:root /etc/nginx/nginx.conf

######################################
#### configure nginx server block ####
######################################

## delete tmp files ##
rm -R -f /tmp/default.txt /tmp/default /tmp/server-block.txt /tmp/server-block /tmp/server-block-ssl.txt /tmp/server-block-ssl

## download latest versions ##
cd /tmp/
if [[ "$ssl" == "yes" ]]
then wget --no-cache http://mirrors.slickstack.io/nginx/server-block-ssl.txt
mv /tmp/server-block-ssl.txt /tmp/default.txt
else wget --no-cache http://mirrors.slickstack.io/nginx/server-block.txt
mv /tmp/server-block.txt /tmp/default.txt
fi

## replace @DOMAIN placeholder with slickstack variable ##
sed -i "s/@DOMAIN/${domain}/g" /tmp/default.txt
sed -i "s/@CACHEVALID/${cachevalid}/g" /tmp/default.txt

## enable or disable fastcgi cache ##
## set skip_cache default to 0 only if fastcgi cache enabled in ss-config ##
if [[ "$cache" == "fastcgi" ]]
then sed -i "s/@FASTCGI/0/g" /tmp/default.txt
else sed -i "s/@FASTCGI/1/g" /tmp/default.txt
fi

## rename files ##
mv /tmp/default.txt /tmp/default

## copy files to destinations ##
cp -R -f --no-preserve=mode,ownership /tmp/default /etc/nginx/sites-available/default

## delete tmp files ##
rm -R -f /tmp/default.txt /tmp/default /tmp/server-block.txt /tmp/server-block /tmp/server-block-ssl.txt /tmp/server-block-ssl

## reset permissions ##
chown root:root /etc/nginx/sites-available/default

## restart nginx ##
/etc/init.d/nginx restart

######################################
#### install php 7.0 and php 7.2 #####
######################################

## purge php 7.0 and extensions ##
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin' /usr/bin/apt -q --yes -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" purge php7.0

## delete PHP 7.0 files ##
rm -R -f /etc/php/7.0*

## purge php 7.2 and extensions ##
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin' /usr/bin/apt -q --yes -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" purge php7.2

## install php 7.2 and extensions ##
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin' /usr/bin/apt -q --yes -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" install php7.2 php7.2-fpm php7.2-mysql php7.2-curl php7.2-zip php7.2-gd php7.2-mbstring php7.2-bcmath php7.2-xml php7.2-json php7.2-soap

## delete tmp files ##
rm -R -f /tmp/php.ini* /tmp/php-fpm.conf* /tmp/www.conf*

## download latest versions ##
cd /tmp/
wget --no-cache http://mirrors.slickstack.io/php/7.2/php.ini
wget --no-cache http://mirrors.slickstack.io/php/7.2/php-fpm.conf
wget --no-cache http://mirrors.slickstack.io/php/7.2/www.conf

## copy files to their destinations ##
cp -R -f --no-preserve=mode,ownership /tmp/php.ini /etc/php/7.2/fpm/php.ini
cp -R -f --no-preserve=mode,ownership /tmp/php.ini /etc/php/7.2/cli/php.ini
cp -R -f --no-preserve=mode,ownership /tmp/php-fpm.conf /etc/php/7.2/fpm/php-fpm.conf
cp -R -f --no-preserve=mode,ownership /tmp/www.conf /etc/php/7.2/fpm/pool.d/www.conf

## delete tmp files ##
rm -R -f /tmp/php.ini* /tmp/php-fpm.conf* /tmp/www.conf*

## customize php settings ##
# sed -i '/error_log/c\error_log = /var/www/logs/error.log' /etc/php/7.0/fpm/php-fpm.conf
# sed -i '/error_log/c\error_log = /var/www/logs/error.log' /etc/php/7.2/fpm/php-fpm.conf

## reset permissions ##
chown root:root /etc/php/7.2/fpm/php.ini
chown root:root /etc/php/7.2/cli/php.ini
chown root:root /etc/php/7.2/fpm/php-fpm.conf
chown root:root /etc/php/7.2/fpm/pool.d/www.conf

## set default php version ##
update-alternatives --set php /usr/bin/php7.2

## restart php ##
/etc/init.d/php7.2-fpm restart

###########################
#### install mysql 5.7 ####
###########################

## set noninteractive ##
export DEBIAN_FRONTEND=noninteractive;

## store mysql root password ##
## http://serverfault.com/a/830352/344471 ##
echo debconf mysql-server/root_password password ${dbrootpass} | debconf-set-selections
echo debconf mysql-server/root_password_again password ${dbrootpass} | debconf-set-selections
# echo "mysql-server-5.7 mysql-server/root_password password ${dbrootpass}" | debconf-set-selections
# echo "mysql-server-5.7 mysql-server/root_password_again password ${dbrootpass}" | debconf-set-selections
# debconf-set-selections <<< "mysql-server-5.7 mysql-server/root_password password ${dbrootpass}"
# debconf-set-selections <<< "mysql-server-5.7 mysql-server/root_password_again password ${dbrootpass}"

## install mysql 5.7 ##
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin' /usr/bin/apt -q --yes -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" install mysql-server-5.7 

## confirm installed ##
echo "MySQL 5.7 is installed, now we will secure it."

##########################
#### secure mysql 5.7 ####
##########################

## install expect ##
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin' /usr/bin/apt -q --yes -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" install expect

## build expect script ##
tee ~/secure_our_mysql.sh > /dev/null << EOF
spawn $(which mysql_secure_installation)

## re-enter root password ##
expect "Enter password for user root:"
send "${dbrootpass}\r"

## skip the validate password plugin ##
expect "Press y|Y for Yes, any other key for No:"
send "n\r"

## skip change root password ##
expect "Change the password for root ? ((Press y|Y for Yes, any other key for No) :"
send "n\r"

## remove anonymous users ##
expect "Remove anonymous users? (Press y|Y for Yes, any other key for No) :"
send "y\r"

## disable remote connections ##
expect "Disallow root login remotely? (Press y|Y for Yes, any other key for No) :"
send "y\r"

## remote test database ##
expect "Remove test database and access to it? (Press y|Y for Yes, any other key for No) :"
send "y\r"

## reload privileges ##
expect "Reload privilege tables now? (Press y|Y for Yes, any other key for No) :"
send "y\r"

## end of script ##
EOF

## run expect script ##
expect ~/secure_our_mysql.sh

## cleanup ##
rm -v ~/secure_our_mysql.sh

## uninstall expect ##
# apt -qq purge expect > /dev/null # Uninstall Expect, commented out in case you need Expect

## confirm secured ##
echo "Congratulations, MySQL 5.7 is installed and secured. Onward!"

###############################
#### setup mysql 5.7 users ####
###############################

mysql -uroot -p${dbrootpass} -e "CREATE DATABASE ${dbname};"
mysql -uroot -p${dbrootpass} -e "CREATE USER '${dbuser}'@'localhost' IDENTIFIED BY '${dbuserpass}';"
mysql -uroot -p${dbrootpass} -e "CREATE USER '${dbuser}'@'127.0.0.1' IDENTIFIED BY '${dbuserpass}';"
mysql -uroot -p${dbrootpass} -e "GRANT ALL PRIVILEGES ON ${dbname}.* TO '${dbuser}'@'localhost';"
mysql -uroot -p${dbrootpass} -e "GRANT ALL PRIVILEGES ON ${dbname}.* TO '${dbuser}'@'127.0.0.1';"
mysql -uroot -p${dbrootpass} -e "FLUSH PRIVILEGES;"

############################################
#### install wordpress (latest version) ####
############################################

## download latest version ##
cd /var/www/html/
wget --no-cache http://wordpress.org/latest.tar.gz

## untar files ##
tar xfz latest.tar.gz
rsync -raqIp wordpress/* ./

## cleanup ##
rm -rf wordpress
rm -f latest.tar.gz

## install wplite mu-plugins ##
source /var/www/ss-muplugs

## create temp directory if doesn't exist (will not overwrite) ##
mkdir /var/www/html/wp-content/temp

#############################
#### configure wordpress ####
#############################

## delete tmp files ##
rm -R -f /tmp/wp-config*

## download latest versions ##
cd /tmp/
wget --no-cache http://mirrors.slickstack.io/wordpress/wp-config.txt

## replace placeholders with variables ##
sed -i "s/@DBNAME/${dbname}/g" /tmp/wp-config.txt
sed -i "s/@DBUSER/${dbuser}/g" /tmp/wp-config.txt
sed -i "s/@DBPASSWORD/${dbuserpass}/g" /tmp/wp-config.txt
sed -i "s/@DBNAME/${dbname}/g" /tmp/wp-config.txt
sed -i "s/@TABLEPREFIX/${dbprefix}/g" /tmp/wp-config.txt
# sed -i "s/@DBHOST/${dbhost}/g" /tmp/wp-config.txt
# sed -i "s/@DBCHARSET/${dbcharset}/g" /tmp/wp-config.txt
# sed -i "s/@DBCOLLATE/${dbcollate}/g" /tmp/wp-config.txt

## replace cloudflare placeholders ##
sed -i "s/@CLOUDFLAREAPIKEY/${cloudflareapikey}/g" /tmp/wp-config.txt
sed -i "s/@CLOUDFLAREAPIEMAIL/${cloudflareapiemail}/g" /tmp/wp-config.txt

## replace salt keys ##
sed -i "s/@AUTHKEY/$(openssl rand -hex 48)/g" /tmp/wp-config.txt
sed -i "s/@SECUREAUTHKEY/$(openssl rand -hex 48)/g" /tmp/wp-config.txt
sed -i "s/@LOGGEDINKEY/$(openssl rand -hex 48)/g" /tmp/wp-config.txt
sed -i "s/@NONCEKEY/$(openssl rand -hex 48)/g" /tmp/wp-config.txt
sed -i "s/@AUTHSALT/$(openssl rand -hex 48)/g" /tmp/wp-config.txt
sed -i "s/@SECUREAUTHSALT/$(openssl rand -hex 48)/g" /tmp/wp-config.txt
sed -i "s/@LOGGEDINSALT/$(openssl rand -hex 48)/g" /tmp/wp-config.txt
sed -i "s/@NONCESALT/$(openssl rand -hex 48)/g" /tmp/wp-config.txt

## replace debug placeholers ##
if [[ "$production" == "yes" ]]
then sed -i "s/@DEBUGON/false/g" /tmp/wp-config.txt
else sed -i "s/@DEBUGON/true/g" /tmp/wp-config.txt
fi

## replace debug placeholers ##
# if [[ "$production" == "yes" ]]
# then sed -i "s/@DEBUGLOG/false/g" /tmp/wp-config.txt
# else sed -i "s/@DEBUGLOG/true/g" /tmp/wp-config.txt
# fi

## replace debug placeholers ##
if [[ "$production" == "yes" ]]
then sed -i "s/@DEBUGDISPLAY/false/g" /tmp/wp-config.txt
else sed -i "s/@DEBUGDISPLAY/true/g" /tmp/wp-config.txt
fi

## rename files ##
mv /tmp/wp-config.txt /tmp/wp-config.php

## copy files to destinations ##
cp -R -f --no-preserve=mode,ownership /tmp/wp-config.php /var/www/html/wp-config.php

## delete tmp files ##
rm -R -f /tmp/wp-config*

############################################
#### install redis (latest apt version) ####
############################################

## install redis-server ##
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin' /usr/bin/apt -q --yes -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" install redis-server

## install php-redis ##
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin' /usr/bin/apt -q --yes -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" install php-redis

## start redis ##
/etc/init.d/redis-server start

##############################################
#### configure redis (latest apt version) ####
##############################################

## configure redis for object caching ##
sed -i '/maxmemory.*bytes.*/c\maxmemory 512mb' /etc/redis/redis.conf
sed -i '/maxmemory-policy noeviction/c\maxmemory-policy allkeys-lru' /etc/redis/redis.conf

## reset permissions ##
chown redis:redis /etc/redis/redis.conf
chown redis:redis /var/run/redis

## restart services ##
/etc/init.d/redis-server restart
/etc/init.d/php7.2-fpm restart

############################################
#### install monit (latest apt version) ####
############################################

# ## install monit ##
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin' /usr/bin/apt -q --yes -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" install monit

## configure monit settings ##
sed -i 's@/var/log/monit.log@/var/www/monit.log@' /etc/monit/monitrc

## reset permissions ##
chown root:root /etc/monit/monitrc
chmod 0700 /etc/monit/monitrc 

## restart monit ##
/etc/init.d/monit restart

#####################
#### install ufw ####
#####################

## delete tmp files ##
rm -R -f /tmp/ufw-conf.txt* /tmp/ufw.conf*
rm -R -f /tmp/user-rules.txt* /tmp/user.rules*

## install ufw ##
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin' /usr/bin/apt -q --yes -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" install ufw

## ufw rules ##
ufw default deny incoming
ufw default allow outgoing
ufw allow 6969
ufw allow 80
ufw allow 443
ufw allow 6379
ufw --force disable
ufw --force enable
echo "y" | ufw enable

# retrieve latest versions ##
cd /tmp/
wget --no-cache http://mirrors.slickstack.io/ubuntu/ufw-conf.txt
wget --no-cache http://mirrors.slickstack.io/ubuntu/user-rules.txt
# wget --no-cache http://mirrors.slickstack.io/ubuntu/18.04/ufw/ver/ufw-conf.txt
# wget --no-cache http://mirrors.slickstack.io/ubuntu/18.04/ufw/ver/user-rules.txt

## rename files ##
mv ufw-conf.txt ufw.conf
mv user-rules.txt user.rules

## copy files to their destinations ##
cp -R -f -d --no-preserve=mode,ownership /tmp/ufw.conf /etc/ufw/ufw.conf
cp -R -f -d --no-preserve=mode,ownership /tmp/user.rules /etc/ufw/user.rules

## delete tmp files ##
rm -R -f /tmp/ufw-conf.txt* /tmp/ufw.conf*
rm -R -f /tmp/user-rules.txt* /tmp/user.rules*

## restart ufw ##
/etc/init.d/ufw force-reload
/etc/init.d/ufw restart

###############################
#### complete installation ####
###############################

## update and upgrade repos ##
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin' /usr/bin/apt -q --yes -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin' /usr/bin/apt -q --yes -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" upgrade

## autoremove ##
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin' /usr/bin/apt -q --yes -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" autoremove

## fix dpkg ##
DEBIAN_FRONTEND=noninteractive dpkg --configure -a --force-confold

## run scripts ##
source /var/www/ss-clean
source /var/www/ss-perms

## restart services ##
/etc/init.d/nginx restart
/etc/init.d/php7.2-fpm restart