From 22cb83fbcc39bf09431a4a81f130660d880324f9 Mon Sep 17 00:00:00 2001
From: Daniel Hansson
Date: Mon, 27 Apr 2020 20:00:42 +0200
Subject: [PATCH 01/86] 20.04
---
 lib.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib.sh b/lib.sh
index 4cc0e0b..8126eda 100644
--- a/lib.sh
+++ b/lib.sh
@@ -44,7 +44,7 @@ UNIXUSER_PROFILE="/home/$UNIXUSER/.bash_profile"
 ROOT_PROFILE="/root/.bash_profile"
 # PHP-FPM
-PHPVER=7.2
+PHPVER=7.4
 PHP_INI=/etc/php/"$PHPVER"/fpm/php.ini
 PHP_POOL_DIR=/etc/php/"$PHPVER"/fpm/pool.d
 PHP_FPM_SOCK=/var/run//php/php"$PHPVER"-fpm-wordpress.sock
From 1b6ff795ef9679f796555f47ec7225c425d6c445 Mon Sep 17 00:00:00 2001
From: Daniel Hansson
Date: Wed, 21 Oct 2020 20:11:42 +0200
Subject: [PATCH 02/86] get all the latest functions and variables
---
 lib.sh | 944 ++++++++++++++++++++++++++++++++++++++++++++-------------
 1 file changed, 738 insertions(+), 206 deletions(-)
diff --git a/lib.sh b/lib.sh
index 8126eda..edf9413 100644
--- a/lib.sh
+++ b/lib.sh
@@ -3,54 +3,107 @@ true # see https://github.com/koalaman/shellcheck/wiki/Directive -## variables +## VARIABLES + # Dirs SCRIPTS=/var/scripts WWW_ROOT=/var/www/html WPATH=$WWW_ROOT/wordpress GPGDIR=/tmp/gpg +VMLOGS=/var/log/wordpress + +# Helper function for generating random passwords +gen_passwd() { + local length=$1 + local charset="$2" + local password="" + while [ ${#password} -lt "$length" ] + do + password=$(echo "$password""$(head -c 100 /dev/urandom | LC_ALL=C tr -dc "$charset")" | fold -w "$length" | head -n 1) + done + echo "$password" +} # Ubuntu OS -DISTRO=$(lsb_release -sd | cut -d ' ' -f 2) -OS=$(grep -ic "Ubuntu" /etc/issue.net) +DISTRO=$(lsb_release -sr) +KEYBOARD_LAYOUT=$(localectl status | grep "Layout" | awk '{print $3}') +# Hypervisor +# HYPERVISOR=$(dmesg --notime | grep -i hypervisor | cut -d ':' -f2 | head -1 | tr -d ' ') TODO +SYSVENDOR=$(cat /sys/devices/virtual/dmi/id/sys_vendor) # Network -[ -n "$FIRST_IFACE" ] && IFACE=$(lshw -c network | grep "logical name" | awk '{print $3; exit}') +IFACE=$(ip r | grep "default via" | awk '{print $5}') IFACE2=$(ip -o link show | awk '{print $2,$9}' | grep 'UP' | cut -d ':' -f 1) -[ -n "$CHECK_CURRENT_REPO" ] && REPO=$(apt-get update | grep -m 1 Hit | awk '{ print $2}') +REPO=$(grep deb-src /etc/apt/sources.list | grep http | awk '{print $3}' | head -1) ADDRESS=$(hostname -I | cut -d ' ' -f 1) -WGET="/usr/bin/wget" -WANIP4=$(curl -s -m 5 ipinfo.io/ip) -[ -n "$LOAD_IP6" ] && WANIP6=$(curl -s -k -m 7 https://6.ifcfg.me) -IFCONFIG="/sbin/ifconfig" + +# WANIP4=$(dig +short myip.opendns.com @resolver1.opendns.com) # as an alternative +WANIP4=$(curl -s -k -m 5 https://ipv4bot.whatismyipaddress.com) INTERFACES="/etc/netplan/01-netcfg.yaml" -NETMASK=$($IFCONFIG | grep -w inet |grep -v 127.0.0.1| awk '{print $4}' | cut -d ":" -f 2) -GATEWAY=$(route -n|grep "UG"|grep -v "UGH"|cut -f 10 -d " ") +GATEWAY=$(ip route | grep default | awk '{print $3}') + +# Internet DNS +INTERNET_DNS="9.9.9.9" + +# Default Quad9 DNS 
servers, overwritten by the systemd global DNS defined servers, if set DNS1="9.9.9.9" DNS2="149.112.112.112" +use_global_systemd_dns() { +if [ -f "/etc/systemd/resolved.conf" ] +then + local resolvedDns1 + resolvedDns1=$(grep -m 1 -E "^DNS=.+" /etc/systemd/resolved.conf | sed s/^DNS=// | awk '{print $1}') + if [ -n "$resolvedDns1" ] + then + DNS1="$resolvedDns1" + + local resolvedDns2 + resolvedDns2=$(grep -m 1 -E "^DNS=.+" /etc/systemd/resolved.conf | sed s/^DNS=// | awk '{print $2}') + if [ -n "$resolvedDns2" ] + then + DNS2="$resolvedDns2" + else + DNS2= + fi + fi +fi +} +use_global_systemd_dns + +# Whiptails +TITLE="Wordpress VM - $(date +%Y)" +[ -n "$SCRIPT_NAME" ] && TITLE+=" - $SCRIPT_NAME" +CHECKLIST_GUIDE="Navigate with the [ARROW] keys and (de)select with the [SPACE] key. \ +Confirm by pressing [ENTER]. Cancel by pressing [ESC]." +MENU_GUIDE="Navigate with the [ARROW] keys and confirm by pressing [ENTER]. Cancel by pressing [ESC]." +RUN_LATER_GUIDE="You can view this script later by running 'sudo bash $SCRIPTS/menu.sh'." 
# Repo GITHUB_REPO="https://raw.githubusercontent.com/techandme/wordpress-vm/master" STATIC="$GITHUB_REPO/static" LETS_ENC="$GITHUB_REPO/lets-encrypt" -ISSUES="https://github.com/techandme/wordpress-vm/issues" APP="$GITHUB_REPO/apps" +OLD="$GITHUB_REPO/old" +ADDONS="$GITHUB_REPO/addons" +MENU="$GITHUB_REPO/menu" +DISK="$GITHUB_REPO/disk" +NETWORK="$GITHUB_REPO/network" +WPDOWNLOADLATEST="https://wordpress.org/latest.zip" +ISSUES="https://github.com/techandme/wordpress-vm/vm/issues" # User information -WPDBNAME=wordpress_by_www_hanssonit_se -WPADMINUSER=change_this_user +WPPASS=wordpress +WPUSER=wordpress UNIXUSER=$SUDO_USER UNIXUSER_PROFILE="/home/$UNIXUSER/.bash_profile" ROOT_PROFILE="/root/.bash_profile" -# PHP-FPM -PHPVER=7.4 -PHP_INI=/etc/php/"$PHPVER"/fpm/php.ini -PHP_POOL_DIR=/etc/php/"$PHPVER"/fpm/pool.d -PHP_FPM_SOCK=/var/run//php/php"$PHPVER"-fpm-wordpress.sock - -# MARIADB +# Database SHUF=$(shuf -i 25-29 -n 1) +PGDB_PASS=$(gen_passwd "$SHUF" "a-zA-Z0-9@#*=") +NEWPGPASS=$(gen_passwd "$SHUF" "a-zA-Z0-9@#*=") +WPDBNAME=wordpress_by_www_hanssonit_se +WPADMINUSER=change_this_user MARIADB_PASS=$(tr -dc "a-zA-Z0-9@#*=" < /dev/urandom | fold -w "$SHUF" | head -n 1) WPDBPASS=$(tr -dc "a-zA-Z0-9@#*=" < /dev/urandom | fold -w "$SHUF" | head -n 1) NEWMARIADBPASS=$(tr -dc "a-zA-Z0-9@#*=" < /dev/urandom | fold -w "$SHUF" | head -n 1) 
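Review bot: `WANIP4=$(curl -s -k -m 5 https://ipv4bot.whatismyipaddress.com)` passes `-k`, which turns off certificate verification, so the HTTPS in the URL no longer authenticates the answer. Elsewhere in this patch that value drives the A-record comparison in `domain_check_200` and the port probe in `check_open_port`, so it should come from a verified connection: `WANIP4=$(curl -s -m 5 https://ipv4bot.whatismyipaddress.com)`. The new `ISSUES` value, `https://github.com/techandme/wordpress-vm/vm/issues`, also gains a `/vm` segment the removed line did not have and looks like a paste slip.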
@@ -59,36 +112,47 @@ WPADMINPASS=$(tr -dc "a-zA-Z0-9@#*=" < /dev/urandom | fold -w "$SHUF" | head -n [ -n "$WPDB" ] && WPCONFIGDB=$(grep "DB_PASSWORD" /var/www/html/wordpress/wp-config.php | awk '{print $3}' | cut -d "'" -f2) MYCNF=/root/.my.cnf [ -n "$MYCNFPW" ] && MARIADBMYCNFPASS=$(grep "password" $MYCNF | sed -n "/password/s/^password='\(.*\)'$/\1/p") + +# Set the hour for automatic updates. This would be 18:00 as only the hour is configurable. +AUT_UPDATES_TIME="18" + +# Keys +OpenPGP_fingerprint='28806A878AE423A28372792ED75899B9A724937A' + +# Letsencrypt +SITES_AVAILABLE="/etc/nginx/sites-available" +SITES_ENABLED="/etc/nginx/sites-enabled" +LETSENCRYPTPATH="/etc/letsencrypt" +CERTFILES="$LETSENCRYPTPATH/live" +DHPARAMS_TLS="$CERTFILES/$TLSDOMAIN/dhparam.pem" +DHPARAMS_SUB="$CERTFILES/$SUBDOMAIN/dhparam.pem" +TLS_CONF="wordpress_tls_domain_self_signed.conf" +HTTP_CONF="wordpress_http_domain_self_signed.conf" + # Path to specific files SECURE="$SCRIPTS/wp-permissions.sh" -SSL_CONF="/etc/nginx/sites-available/wordpress_port_443.conf" -HTTP_CONF="/etc/nginx/sites-available/wordpress_port_80.conf" ETCMYCNF="/etc/mysql/my.cnf" NGINX_CONF="/etc/nginx/nginx.conf" NGINX_DEF="/etc/nginx/sites-available/default" -# Letsencrypt -LETSENCRYPTPATH="/etc/letsencrypt" -CERTFILES="$LETSENCRYPTPATH/live" -DHPARAMS="$CERTFILES/$SUBDOMAIN/dhparam.pem" +# PHP-FPM +PHPVER=7.4 +PHP_FPM_DIR=/etc/php/$PHPVER/fpm +PHP_INI=$PHP_FPM_DIR/php.ini +PHP_POOL_DIR=$PHP_FPM_DIR/pool.d +PHP_MODS_DIR=/etc/php/"$PHPVER"/mods-available # Adminer ADMINERDIR=/usr/share/adminer -ADMINER_CONF=/etc/nginx/sites-available/adminer.conf +ADMINER_CONF="$SITES_AVAILABLE/adminer.conf" # Redis REDIS_CONF=/etc/redis/redis.conf REDIS_SOCK=/var/run/redis/redis-server.sock RSHUF=$(shuf -i 30-35 -n 1) -REDIS_PASS=$(tr -dc "a-zA-Z0-9@#*=" < /dev/urandom | fold -w "$RSHUF" | head -n 1) -REDISPTXT=/tmp/redispasstxt +REDIS_PASS=$(gen_passwd "$SHUF" "a-zA-Z0-9@#*=") -# Extra security -SPAMHAUS=/etc/spamhaus.wl 
-ENVASIVE=/etc/apache2/mods-available/mod-evasive.load -APACHE2=/etc/apache2/apache2.conf - -## functions +## FUNCTIONS # If script is running as root? # 
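Review bot: `REDIS_PASS=$(gen_passwd "$SHUF" "a-zA-Z0-9@#*=")` draws its length from `SHUF` (25-29), although `RSHUF=$(shuf -i 30-35 -n 1)` is still computed on the line above and is no longer used in this hunk. The removed line used `$RSHUF`, so the Redis password became shorter as a side effect of switching to `gen_passwd`. If that was not intended, the line should read `REDIS_PASS=$(gen_passwd "$RSHUF" "a-zA-Z0-9@#*=")`.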
@@ -114,23 +178,158 @@ is_root() { root_check() { if ! is_root then -msg_box "Sorry, you are not root. You now have two options: + msg_box "Sorry, you are not root. You now have two options: + 1. With SUDO directly: a) :~$ sudo bash $SCRIPTS/name-of-script.sh + 2. Become ROOT and then type your command: a) :~$ sudo -i - b) :~# $SCRIPTS/name-of-script.sh + b) :~# bash $SCRIPTS/name-of-script.sh + In both cases above you can leave out $SCRIPTS/ if the script is directly in your PATH. + More information can be found here: https://unix.stackexchange.com/a/3064" exit 1 fi } +debug_mode() { +if [ "$DEBUG" -eq 1 ] +then + set -ex +fi +} + +msg_box() { + [ -n "$2" ] && local SUBTITLE=" - $2" + whiptail --title "$TITLE$SUBTITLE" --msgbox "$1" "$WT_HEIGHT" "$WT_WIDTH" 3>&1 1>&2 2>&3 +} + +yesno_box_yes() { + [ -n "$2" ] && local SUBTITLE=" - $2" + if (whiptail --title "$TITLE$SUBTITLE" --yesno "$1" "$WT_HEIGHT" "$WT_WIDTH" 3>&1 1>&2 2>&3) + then + return 0 + else + return 1 + fi +} + +yesno_box_no() { + [ -n "$2" ] && local SUBTITLE=" - $2" + if (whiptail --title "$TITLE$SUBTITLE" --defaultno --yesno "$1" "$WT_HEIGHT" "$WT_WIDTH" 3>&1 1>&2 2>&3) + then + return 0 + else + return 1 + fi +} + +input_box() { + [ -n "$2" ] && local SUBTITLE=" - $2" + local RESULT && RESULT=$(whiptail --title "$TITLE$SUBTITLE" --nocancel --inputbox "$1" "$WT_HEIGHT" "$WT_WIDTH" 3>&1 1>&2 2>&3) + echo "$RESULT" +} + +input_box_flow() { + local RESULT + while : + do + RESULT=$(input_box "$1" "$2") + if [ -z "$RESULT" ] + then + msg_box "Input is empty, please try again." "$2" + elif ! yesno_box_yes "Is this correct? $RESULT" "$2" + then + msg_box "OK, please try again." "$2" + else + break + fi + done + echo "$RESULT" +} + +install_popup() { + msg_box "$SCRIPT_EXPLAINER" + if yesno_box_yes "Do you want to install $1?" + then + print_text_in_color "$ICyan" "Installing $1..." 
+ else + if [ -z "$2" ] || [ "$2" = "exit" ] + then + exit 1 + elif [ "$2" = "sleep" ] + then + sleep 1 + elif [ "$2" = "return" ] + then + return 1 + else + exit 1 + fi + fi +} + +reinstall_remove_menu() { + REINSTALL_REMOVE=$(whiptail --title "$TITLE" --menu \ +"It seems like $1 is already installed.\nChoose what you want to do. +$MENU_GUIDE\n\n$RUN_LATER_GUIDE" "$WT_HEIGHT" "$WT_WIDTH" 4 \ +"Reinstall" " $1" \ +"Uninstall" " $1" 3>&1 1>&2 2>&3) + if [ "$REINSTALL_REMOVE" = "Reinstall" ] + then + print_text_in_color "$ICyan" "Reinstalling $1..." + elif [ "$REINSTALL_REMOVE" = "Uninstall" ] + then + print_text_in_color "$ICyan" "Uninstalling $1..." + elif [ -z "$REINSTALL_REMOVE" ] + then + if [ -z "$2" ] || [ "$2" = "exit" ] + then + exit 1 + elif [ "$2" = "sleep" ] + then + sleep 1 + elif [ "$2" = "return" ] + then + return 1 + else + exit 1 + fi + fi +} + +removal_popup() { + if [ "$REINSTALL_REMOVE" = "Uninstall" ] + then + msg_box "$1 was successfully uninstalled." + if [ -z "$2" ] || [ "$2" = "exit" ] + then + exit 1 + elif [ "$2" = "sleep" ] + then + sleep 1 + elif [ "$2" = "return" ] + then + return 1 + else + exit 1 + fi + elif [ "$REINSTALL_REMOVE" = "Reinstall" ] + then + print_text_in_color "$ICyan" "Reinstalling $1..." + else + msg_box "It seems like neither Uninstall nor Reinstall is chosen, \ +something is wrong here. Please report this to $ISSUES" + exit 1 + fi +} + wp_cli_cmd() { export WP_CLI_CACHE_DIR=$WPATH/.wp-cli/cache check_command sudo -u www-data /usr/local/bin/wp "$@"; -} # Check if process is runnnig: is_process_running dpkg is_process_running() { 
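Review bot: The last change in this hunk deletes the `}` that closes `wp_cli_cmd` and adds none back, so on the new side the function body runs straight into the blank line, the comment and `is_process_running() {`. Unless the old file carried a stray duplicate brace that is not visible here, the braces in lib.sh are left unbalanced and bash will report a syntax error when the file is sourced, which stops every script that depends on it. Keep the closing line, i.e. `check_command sudo -u www-data /usr/local/bin/wp "$@"` followed by `}`. The body of `is_process_running` continues outside the hunk.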
@@ -143,37 +342,180 @@ do if [ "${RESULT:-null}" = null ]; then break else - print_text_in_color "$ICyan" "${PROCESS} is running. Waiting for it to stop..." + print_text_in_color "$ICyan" "${PROCESS} is running, waiting for it to stop..." sleep 10 fi done } -debug_mode() { -if [ "$DEBUG" -eq 1 ] +# Checks if site is reachable with a HTTP 200 status +site_200() { +print_text_in_color "$ICyan" "Checking connection..." + CURL_STATUS="$(curl -LI "${1}" -o /dev/null -w '%{http_code}\n' -s)" + if [[ "$CURL_STATUS" = "200" ]] + then + return 0 + else + print_text_in_color "$IRed" "curl didn't produce a 200 status, is ${1} reachable?" + return 1 + fi +} + +# Do a DNS lookup and compare the WAN address with the A record +domain_check_200() { + print_text_in_color "$ICyan" "Doing a DNS lookup for ${1}..." + install_if_not dnsutils + + # Try to resolve the domain with nslookup using $DNS as resolver + if nslookup "${1}" "$INTERNET_DNS" >/dev/null 2>&1 + then + print_text_in_color "$IGreen" "DNS seems correct when checking with nslookup!" + else + print_text_in_color "$IRed" "DNS lookup failed with nslookup." + print_text_in_color "$IRed" "Please check your DNS settings! Maybe the domain isn't propagated?" + print_text_in_color "$ICyan" "Please check https://www.whatsmydns.net/#A/${1} if the IP seems correct." + nslookup "${1}" "$INTERNET_DNS" + return 1 + fi + + # Is the DNS record same as the external IP address of the server? + if dig +short "${1}" @resolver1.opendns.com | grep -q "$WANIP4" + then + print_text_in_color "$IGreen" "DNS seems correct when checking with dig!" + else + msg_box "DNS lookup failed with dig. The external IP ($WANIP4) \ +address of this server is not the same as the A-record ($DIG). +Please check your DNS settings! Maybe the domain isn't propagated? +Please check https://www.whatsmydns.net/#A/${1} if the IP seems correct." + + msg_box "As you noticed your WAN IP and DNS record doesn't match. 
\ +This can happen when using DDNS for example, or in some edge cases. +If you feel brave, or are sure that everything is setup correctly, \ +then you can choose to skip this test in the next step. + +You can always contact us for further support if you wish: \ +https://shop.hanssonit.se/product/premium-support-per-30-minutes/" + if ! yesno_box_no "Do you feel brave and want to continue?" + then + exit + fi + fi +} + +# A function to set the systemd-resolved default DNS servers based on the +# current Internet facing interface. This is needed for docker interfaces +# that might not use the same DNS servers otherwise. +set_systemd_resolved_dns() { +local iface="$1" +local pattern="$iface(?:.|\n)*?DNS Servers: ((?:[0-9a-f.: ]|\n)*?)\s*(?=\n\S|\n.+: |$)" +local dnss +dnss=$( systemd-resolve --status | perl -0777 -ne "if ((\$v) = (/$pattern/)) {\$v=~s/(?:\s|\n)+/ /g;print \"\$v\n\";}" ) +if [ -n "$dnss" ] then - set -ex + sed -i "s/^#\?DNS=.*$/DNS=${dnss}/" /etc/systemd/resolved.conf + systemctl restart systemd-resolved &>/dev/null + sleep 1 +fi +} + +# A function to fetch a file with curl to a directory +# 1 = https://example.com +# 2 = name of file +# 3 = directory that the file should end up in +curl_to_dir() { +if [ ! -d "$3" ] +then + mkdir -p "$3" +fi + rm -f "$3"/"$2" + curl -sfL "$1"/"$2" -o "$3"/"$2" +} + +start_if_stopped() { +if ! pgrep "$1" +then + print_text_in_color "$ICyan" "Starting $1..." + systemctl start "$1".service +fi +} + +# Compatibility with older VMs +calculate_max_children() { + calculate_php_fpm +} + +test_connection() { +version(){ + local h t v + + [[ $2 = "$1" || $2 = "$3" ]] && return 0 + + v=$(printf '%s\n' "$@" | sort -V) + h=$(head -n1 <<<"$v") + t=$(tail -n1 <<<"$v") + + [[ $2 != "$h" && $2 != "$t" ]] +} +if ! version 18.04 "$DISTRO" 20.04.6 +then + print_text_in_color "$IRed" "Your current Ubuntu version is $DISTRO but must be between \ +18.04 - 20.04.4 to run this script." 
+ print_text_in_color "$ICyan" "Please contact us to get support for upgrading your server:" + print_text_in_color "$ICyan" "https://www.hanssonit.se/#contact" + print_text_in_color "$ICyan" "https://shop.hanssonit.se/" + sleep 300 +fi + +# Install dnsutils if not existing +if ! dpkg-query -W -f='${Status}' "dnsutils" | grep -q "ok installed" +then + apt update -q4 & spinner_loading && apt install dnsutils -y +fi +# Install net-tools if not existing +if ! dpkg-query -W -f='${Status}' "net-tools" | grep -q "ok installed" +then + apt update -q4 & spinner_loading && apt install net-tools -y +fi +# After applying Netplan settings, try a DNS lookup. +# Restart systemd-networkd if this fails and try again. +# If this second check also fails, consider this a problem. +print_text_in_color "$ICyan" "Checking connection..." +netplan apply +sleep 2 +if ! nslookup github.com +then + print_text_in_color "$ICyan" "Trying to restart netplan service..." + check_command systemctl restart systemd-networkd && sleep 2 + if ! nslookup github.com + then + msg_box "Network NOT OK. You must have a working network connection to run this script. +If you think that this is a bug, please report it to https://github.com/techandme/wordpress-vm/issues." + return 1 + fi fi +print_text_in_color "$IGreen" "Online!" +return 0 } -ask_yes_or_no() { - read -r -p "$1 ([y]es or [N]o): " - case ${REPLY,,} in - y|yes) - echo "yes" - ;; - *) - echo "no" - ;; - esac + +# Check that the script can see the external IP (nginx fails otherwise), used e.g. in the adminer app script. +check_external_ip() { +if [ -z "$WANIP4" ] +then + print_text_in_color "$IRed" "WANIP4 is an emtpy value, Nginx will fail on reboot due to this. \ +Please check your network and try again." 
+ sleep 3 + exit 1 +fi } restart_webserver() { -check_command systemctl restart nginx +check_command systemctl restart nginx.service if is_this_installed php"$PHPVER"-fpm then check_command systemctl restart php"$PHPVER"-fpm.service fi + } # Install certbot (Let's Encrypt) 
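Review bot: The dig comparison in `domain_check_200` uses `grep -q "$WANIP4"`, which treats the address as a regular expression and accepts substring matches; when `WANIP4` is empty (the curl lookup failed) the pattern matches any non-empty answer, so the A-record check passes for every resolvable name. The failure message also prints `$DIG`, which is not assigned anywhere in the visible hunk, so the user sees an empty A-record. Capture the answer once and compare it literally: `DIG=$(dig +short "${1}" @resolver1.opendns.com)` and then `if [ -n "$WANIP4" ] && grep -qxF -- "$WANIP4" <<<"$DIG"`.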
@@ -182,44 +524,168 @@ certbot --version 2> /dev/null LE_IS_AVAILABLE=$? if [ $LE_IS_AVAILABLE -eq 0 ] then - certbot --version + certbot --version 2> /dev/null else print_text_in_color "$ICyan" "Installing certbot (Let's Encrypt)..." - apt update -q4 & spinner_loading - apt install software-properties-common - add-apt-repository ppa:certbot/certbot -y - apt update -q4 & spinner_loading - apt install certbot -y -q - apt update -q4 & spinner_loading - apt dist-upgrade -y + install_if_not snapd + snap install certbot --classic + # Update $PATH in current session (login and logout is required otherwise) + check_command hash -r +fi +} + +# Generate certs and configure it automatically +# https://certbot.eff.org/docs/using.html#certbot-command-line-options +generate_cert() { +uir_hsts="" +if [ -z "$SUBDOMAIN" ] +then + uir_hsts="--uir --hsts" +fi +rm -f "$SITES_ENABLED"/default.conf +rm -f "$SITES_ENABLED"/default +systemctl reload nginx.service +default_le="--rsa-key-size 4096 --renew-by-default --no-eff-email --agree-tos $uir_hsts --server https://acme-v02.api.letsencrypt.org/directory -d $1" +#http-01 +local standalone="certbot certonly --standalone --pre-hook \"systemctl stop nginx.service\" --post-hook \"systemctl start nginx.service\" $default_le" +#tls-alpn-01 +local tls_alpn_01="certbot certonly --preferred-challenges tls-alpn-01 $default_le" +#dns +local dns="certbot certonly --manual --manual-public-ip-logging-ok --preferred-challenges dns $default_le" +local methods=(standalone dns) + +for f in ${methods[*]} +do + print_text_in_color "${ICyan}" "Trying to generate certs and validate them with $f method." + current_method="" + eval current_method="\$$f" + if eval "$current_method" + then + return 0 + elif [ "$f" != "${methods[$((${#methods[*]} - 1))]}" ] + then + msg_box "It seems like no certs were generated when trying \ +to validate them with the $f method. We will do more tries." 
+ else + msg_box "It seems like no certs were generated when trying \ +to validate them with the $f method. We have tried all the methods. Please check your DNS and try again." + return 1; + fi +done +} + +# Last message depending on with script that is being run when using the generate_cert() function +last_fail_tls() { + msg_box "All methods failed. :/ + +You can run the script again by executing: sudo bash $SCRIPTS/menu.sh +Please try to run it again some other time with other settings. + +There are different configs you can try in Let's Encrypt's user guide: +https://letsencrypt.readthedocs.org/en/latest/index.html +Please check the guide for further information on how to enable TLS. + +This script is developed on GitHub, feel free to contribute: +https://github.com/techandme/wordpress-vm" + +if [ -n "$2" ] +then + msg_box "The script will now do some cleanup and revert the settings." + # Cleanup + snap remove certbot + rm -f "$SCRIPTS"/test-new-config.sh fi + +# Restart webserver services +restart_webserver +} + +# Use like this: open_port 443 TCP +# or e.g. open_port 3478 UDP +open_port() { + install_if_not miniupnpc + print_text_in_color "$ICyan" "Trying to open port $1 automatically..." + if ! upnpc -a "$ADDRESS" "$1" "$1" "$2" &>/dev/null + then + msg_box "Failed to open port $1 $2 automatically. You have to do this manually." + FAIL=1 + fi +} + +cleanup_open_port() { + if [ -n "$FAIL" ] + then + apt-get purge miniupnpc -y + apt autoremove -y + fi } # Check if port is open # check_open_port 443 domain.example.com check_open_port() { -print_text_in_color "${ICyan}" "Checking if port ${1} is open with https://ports.yougetsignal.com..." +print_text_in_color "$ICyan" "Checking if port ${1} is open with https://www.networkappers.com/tools/open-port-checker..." 
install_if_not curl # WAN Adress -if check_command curl -s -H 'Cache-Control: no-cache' 'https://ports.yougetsignal.com/check-port.php' --data "remoteAddress=${WANIP4}&portNumber=${1}" | grep -q "is open on" +if check_command curl -s -H 'Cache-Control: no-cache' -H 'Referer: https://www.networkappers.com/tools/open-port-checker' "https://networkappers.com/api/port.php?ip=${WANIP4}&port=${1}" | grep -q "open" then - print_text_in_color "${IGreen}" "Port ${1} is open on ${WANIP4}!" + print_text_in_color "$IGreen" "Port ${1} is open on ${WANIP4}!" # Domain name -elif check_command curl -s -H 'Cache-Control: no-cache' 'https://ports.yougetsignal.com/check-port.php' --data "remoteAddress=${2}&portNumber=${1}" | grep -q "is open on" +elif check_command curl -s -H 'Cache-Control: no-cache' -H 'Referer: https://www.networkappers.com/tools/open-port-checker' "https://www.networkappers.com/api/port.php?ip=${2}&port=${1}" | grep -q "open" then - print_text_in_color "${IGreen}" "Port ${1} is open on ${2}!" + print_text_in_color "$IGreen" "Port ${1} is open on ${2}!" else - msg_box "Port $1 is not open on either ${WANIP4} or ${2}.\n\nPlease follow this guide to open ports in your router or firewall:\nhttps://www.techandme.se/open-port-80-443/" - any_key "Press any key to exit..." - exit 1 + msg_box "It seems like the port ${1} is closed. This could happend when your +ISP has blocked the port, or that the port isn't open. + +If you are 100% sure the port ${1} is open you can now choose to +continue. There are no guarantees that it will work anyway though, +since the service depend on that the port ${1} is open and +accessible from outside your network." + if ! yesno_box_no "Are you 100% sure the port ${1} is open?" + then + msg_box "Port $1 is not open on either ${WANIP4} or ${2}. + +Please follow this guide to open ports in your router or firewall:\nhttps://www.techandme.se/open-port-80-443/" + any_key "Press any key to exit..." 
+ exit 1 + fi fi } -msg_box() { -local PROMPT="$1" - whiptail --msgbox "${PROMPT}" "$WT_HEIGHT" "$WT_WIDTH" +check_distro_version() { +# Check Ubuntu version +if lsb_release -sc | grep -ic "bionic" &> /dev/null || lsb_release -sc | grep -ic "focal" &> /dev/null +then + OS=1 +elif lsb_release -i | grep -ic "Ubuntu" &> /dev/null +then + OS=1 +elif uname -a | grep -ic "bionic" &> /dev/null || uname -a | grep -ic "focal" &> /dev/null +then + OS=1 +elif uname -v | grep -ic "Ubuntu" &> /dev/null +then + OS=1 +fi + +if [ "$OS" != 1 ] +then + msg_box "Ubuntu Server is required to run this script. +Please install that distro and try again. + +You can find the download link here: https://www.ubuntu.com/download/server" + exit 1 +fi + +if ! version 18.04 "$DISTRO" 20.04.4; then + msg_box "Your current Ubuntu version is $DISTRO but must be between 18.04 - 20.04.4 to run this script." + msg_box "Please contact us to get support for upgrading your server: +https://www.hanssonit.se/#contact +https://shop.hanssonit.se/" + exit 1 +fi } -# Check if program is installed (stop_if_installed apache2) +# Check if program is installed (stop_if_installed nginx) stop_if_installed() { if [ "$(dpkg-query -W -f='${Status}' "${1}" 2>/dev/null | grep -c "ok installed")" == "1" ] then @@ -228,7 +694,7 @@ then fi } -# Check if program is installed (is_this_installed apache2) +# Check if program is installed (is_this_installed nginx) is_this_installed() { if dpkg-query -W -f='${Status}' "${1}" | grep -q "ok installed" then 
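Review bot: `generate_cert` builds each certbot command as one string with `-d $1` spliced in unquoted and then runs it through `eval "$current_method"`, so a domain value containing whitespace or shell metacharacters is re-parsed as shell syntax in what is meant to be a root context. Holding the commands in arrays keeps the domain a single argument and removes both `eval` calls; the sketch below also drops `tls_alpn_01`, which is defined but not listed in `methods`. The `--uir --hsts` flags move position relative to `--server`, which should not matter to certbot, and the rest of the loop body is unchanged.

```shell
# … unchanged: uir_hsts selection, default site removal, nginx reload …
local -a default_le=(--rsa-key-size 4096 --renew-by-default --no-eff-email --agree-tos)
[ -n "$uir_hsts" ] && default_le+=(--uir --hsts)
default_le+=(--server https://acme-v02.api.letsencrypt.org/directory -d "$1")
#http-01
local -a standalone=(certbot certonly --standalone
    --pre-hook "systemctl stop nginx.service"
    --post-hook "systemctl start nginx.service")
#dns
local -a dns=(certbot certonly --manual --manual-public-ip-logging-ok --preferred-challenges dns)
local methods=(standalone dns)
local f
local -a current_method

for f in "${methods[@]}"
do
    # … unchanged: "Trying to generate certs" message …
    case "$f" in
        standalone) current_method=("${standalone[@]}") ;;
        dns)        current_method=("${dns[@]}") ;;
    esac
    if "${current_method[@]}" "${default_le[@]}"
    # … unchanged: per-method msg_box handling and return codes …
```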
@@ -239,29 +705,10 @@ fi } # Install_if_not program -install_if_not () { -if [[ "$(stop_if_installed "${1}")" != "${1} is installed, it must be a clean server." ]] +install_if_not() { +if ! dpkg-query -W -f='${Status}' "${1}" | grep -q "ok installed" then - apt update -q4 & spinner_loading && apt install "${1}" -y -fi -} - -test_connection() { -install_if_not dnsutils -install_if_not network-manager -check_command service network-manager restart -ip link set "$IFACE" down -wait -ip link set "$IFACE" up -wait -check_command service network-manager restart -print_text_in_color "$ICyan" "Checking connection..." -sleep 3 -if ! nslookup github.com -then -msg_box "Network NOT OK. You must have a working network connection to run this script -If you think that this is a bug, please report it to https://github.com/nextcloud/vm/issues." - exit 1 + apt update -q4 & spinner_loading && RUNLEVEL=1 apt install "${1}" -y fi } 
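Review bot: In `install_if_not`, `apt update -q4 & spinner_loading && RUNLEVEL=1 apt install "${1}" -y` backgrounds the index refresh and chains the install on the status of `spinner_loading`, so a failed `apt update` is never noticed before the install runs. `spinner_loading` is not visible here; if it does not reap the job itself, collect the status first, e.g. `apt update -q4 & spinner_loading; wait "$!" || return 1`. The `RUNLEVEL=1` prefix is new and unexplained, and a comment such as `# RUNLEVEL=1: presumably keeps package scripts from starting services during install - confirm` would help the next reader. The same backgrounded update/install pattern appears twice in `test_connection` in the earlier hunk.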
@@ -269,18 +716,21 @@ fi # Call it like this: ram_check [amount of min RAM in GB] [for which program] # Example: ram_check 2 Wordpress ram_check() { +install_if_not bc mem_available="$(awk '/MemTotal/{print $2}' /proc/meminfo)" -if [ "${mem_available}" -lt "$((${1}*1002400))" ] +mem_available_gb="$(LC_NUMERIC="en_US.UTF-8" printf '%0.2f\n' "$(echo "scale=3; $mem_available/(1024*1024)" | bc)")" +mem_required="$((${1}*(924*1024)))" # 100MiB/GiB margin and allow 90% to be able to run on physical machines +if [ "${mem_available}" -lt "${mem_required}" ] then - print_text_in_color "${Red}" "Error: ${1} GB RAM required to install ${2}!" >&2 - print_text_in_color "${Red}" "Current RAM is: ("$((mem_available/1002400))" GB)" >&2 + print_text_in_color "$IRed" "Error: ${1} GB RAM required to install ${2}!" >&2 + print_text_in_color "$IRed" "Current RAM is: ($mem_available_gb GB)" >&2 sleep 3 - msg_box "If you want to bypass this check you could do so by commenting out (# before the line) 'ram_check X' in the script that you are trying to run. - In nextcloud_install_production.sh you can find the check somewhere around line #34. - Please notice that things may be veery slow and not work as expeced. YOU HAVE BEEN WARNED!" + msg_box "** Error: insufficient memory. ${mem_available_gb}GB RAM installed, ${1}GB required. + +Please shutdown the server, raise your RAM and then try again" exit 1 else - print_text_in_color "${IGreen}" "RAM for ${2} OK! ($((mem_available/1002400)) GB)" + print_text_in_color "$IGreen" "RAM for ${2} OK! ($mem_available_gb GB)" fi } 
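Review bot: `ram_check` now calls `install_if_not bc` only to divide MemTotal by 1024*1024, which makes a memory check depend on apt and a working network before it can report anything. The awk call on the line above can do the arithmetic and the formatting in one step: `mem_available_gb="$(LC_ALL=C awk '/MemTotal/{printf "%0.2f", $2/(1024*1024)}' /proc/meminfo)"`. That also replaces the `LC_NUMERIC="en_US.UTF-8"` prefix, which assumes that locale has been generated on the host, with the C locale that is always available.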
@@ -291,38 +741,65 @@ cpu_check() { nr_cpu="$(nproc)" if [ "${nr_cpu}" -lt "${1}" ] then - print_text_in_color "${Red}" "Error: ${1} CPU required to install ${2}!" >&2 - print_text_in_color "${Red}" "Current CPU: ($((nr_cpu)))" >&2 + print_text_in_color "$IRed" "Error: ${1} CPU required to install ${2}!" >&2 + print_text_in_color "$IRed" "Current CPU: ($((nr_cpu)))" >&2 sleep 3 exit 1 else - print_text_in_color "${IGreen}" "CPU for ${2} OK! ($((nr_cpu)))" + print_text_in_color "$IGreen" "CPU for ${2} OK! ($((nr_cpu)))" fi } check_command() { - if ! "$@"; - then - print_text_in_color "${Red}" "Sorry but something went wrong. Please report this issue to $ISSUES and include the output of the error message. Thank you!" - print_text_in_color "$IRed" "$* failed" +if ! "$@"; +then + print_text_in_color "$ICyan" "Sorry but something went wrong. Please report \ +this issue to $ISSUES and include the output of the error message. Thank you!" + print_text_in_color "$IRed" "$* failed" exit 1 - fi +fi } network_ok() { +version(){ + local h t v + + [[ $2 = "$1" || $2 = "$3" ]] && return 0 + + v=$(printf '%s\n' "$@" | sort -V) + h=$(head -n1 <<<"$v") + t=$(tail -n1 <<<"$v") + + [[ $2 != "$h" && $2 != "$t" ]] +} +if version 18.04 "$DISTRO" 20.04.6 +then print_text_in_color "$ICyan" "Testing if network is OK..." - install_if_not network-manager - if ! service network-manager restart > /dev/null + if ! netplan apply then - service networking restart > /dev/null + systemctl restart systemd-networkd > /dev/null fi - sleep 2 - if wget -q -T 20 -t 2 http://github.com -O /dev/null & spinner_loading + # Check the connention + countdown 'Waiting for network to restart...' 3 + if ! site_200 github.com then - return 0 - else - return 1 + # sleep 10 seconds so that some slow networks have time to restart + countdown 'Not online yet, waiting a bit more...' 10 + if ! 
site_200 github.com + then + # sleep 30 seconds so that some REALLY slow networks have time to restart + countdown 'Not online yet, waiting a bit more (last try)...' 30 + site_200 github.com + fi fi +else + msg_box "Your current Ubuntu version is $DISTRO but must be between 18.04 - 20.04.6 to run this script." + msg_box "Please contact us to get support for upgrading your server: +https://www.hanssonit.se/#contact +https://shop.hanssonit.se/" + msg_box "We will now pause for 60 seconds. Please press CTRL+C when prompted to do so." + countdown "Please press CTRL+C to abort..." 60 +fi } # Whiptail auto-size 
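Review bot: In `network_ok`, the unsupported-release branch ends with `countdown "Please press CTRL+C to abort..." 60`, so the function's exit status is whatever `countdown` returns although no connectivity test has run. `countdown` is defined outside this hunk, but if it returns 0 a caller written as `if network_ok` would proceed as though the network were up. Add `return 1` after the countdown. The nested `version()` helper here repeats the one inside `test_connection` and the file-level `version(){` visible at the end of the patch; one definition would be enough.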
@@ -340,30 +817,55 @@ calc_wt_size() { export WT_MENU_HEIGHT } -# Initial download of script in ../static -# call like: download_static_script name_of_script -download_static_script() { - # Get ${1} script - rm -f "${SCRIPTS}/${1}.sh" "${SCRIPTS}/${1}.php" "${SCRIPTS}/${1}.py" - if ! { wget -q "${STATIC}/${1}.sh" -P "$SCRIPTS" || wget -q "${STATIC}/${1}.php" -P "$SCRIPTS" || wget -q "${STATIC}/${1}.py" -P "$SCRIPTS"; } +# call like: download_script folder_variable name_of_script +# e.g. download_script MENU additional_apps +# Use it for functions like download_static_script +download_script() { + rm -f "${SCRIPTS}/${2}.sh" "${SCRIPTS}/${2}.php" "${SCRIPTS}/${2}.py" + if ! { curl_to_dir "${!1}" "${2}.sh" "$SCRIPTS" || curl_to_dir "${!1}" "${2}.php" "$SCRIPTS" || curl_to_dir "${!1}" "${2}.py" "$SCRIPTS"; } then - print_text_in_color "$IRed" "{$1} failed to download. Please run: 'sudo wget ${STATIC}/${1}.sh|.php|.py' again." - print_text_in_color "$IRed" "If you get this error when running the wordpress-startup-script then just re-run it with:" - print_text_in_color "$IRed" "'sudo bash $SCRIPTS/wordpress-startup-script.sh' and all the scripts will be downloaded again" + print_text_in_color "$IRed" "{$2} failed to download." + sleep 2 + if ! yesno_box_yes "Are you running the first setup of this server?" + then + msg_box "Please run sudo bash '$SCRIPTS/update.sh' \ +from your CLI to get the latest scripts from Github, needed for a successful run." + else + msg_box "If you get this error when running the first setup script, \ +then just re-run it with: 'sudo bash $SCRIPTS/wordpress-startup-script.sh' \ +from your CLI, and all the scripts will be downloaded again. + +If it still fails, please report this issue to: $ISSUES." + fi exit 1 fi } -# Initial download of script in ../lets-encrypt -# call like: download_le_script name_of_script -download_le_script() { - # Get ${1} script - rm -f "${SCRIPTS}/${1}.sh" "${SCRIPTS}/${1}.php" "${SCRIPTS}/${1}.py" - if ! 
{ wget -q "${LETS_ENC}/${1}.sh" -P "$SCRIPTS" || wget -q "${LETS_ENC}/${1}.php" -P "$SCRIPTS" || wget -q "${LETS_ENC}/${1}.py" -P "$SCRIPTS"; } +# call like: run_script folder_variable name_of_script +# e.g. run_script MENU additional_apps +# Use it for functions like run_script STATIC +run_script() { + rm -f "${SCRIPTS}/${2}.sh" "${SCRIPTS}/${2}.php" "${SCRIPTS}/${2}.py" + if download_script "${1}" "${2}" then - print_text_in_color "$IRed" "{$1} failed to download. Please run: 'sudo wget ${STATIC}/${1}.sh|.php|.py' again." - print_text_in_color "$IRed" "If you get this error when running the wordpress-startup-script then just re-run it with:" - print_text_in_color "$IRed" "'sudo bash $SCRIPTS/wordpress-startup-script.sh' and all the scripts will be downloaded again" + if [ -f "${SCRIPTS}/${2}".sh ] + then + bash "${SCRIPTS}/${2}.sh" + rm -f "${SCRIPTS}/${2}.sh" + elif [ -f "${SCRIPTS}/${2}".php ] + then + php "${SCRIPTS}/${2}.php" + rm -f "${SCRIPTS}/${2}.php" + elif [ -f "${SCRIPTS}/${2}".py ] + then + install_if_not python3 + python3 "${SCRIPTS}/${2}.py" + rm -f "${SCRIPTS}/${2}.py" + fi + else + print_text_in_color "$IRed" "Running ${2} failed" + print_text_in_color "$ICyan" "Script failed to execute. Please run: \ +'sudo curl -sLO ${!1}/${2}.sh|php|py' and try again." exit 1 fi } 
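Review bot: `run_script` hands whatever `curl_to_dir` fetched from `${!1}` to `bash`, `php` or `python3`, and the only check is curl's exit status; the base URLs all derive from `GITHUB_REPO`, which tracks the mutable `master` branch. Since these scripts are meant to run as root (see `root_check`), consider pinning `GITHUB_REPO` to a tag or commit and verifying a checksum or detached signature before the interpreter is invoked; the library already defines `OpenPGP_fingerprint`, though whether that key covers these files is not visible here. Separately, the error text `"{$2} failed to download."` prints literal braces and should read `"${2} failed to download."`. The `else` branch of `run_script` looks unreachable, because `download_script` calls `exit 1` on failure.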
@@ -371,71 +873,7 @@ download_le_script() { # Run any script in ../master # call like: run_main_script name_of_script run_main_script() { - rm -f "${SCRIPTS}/${1}.sh" "${SCRIPTS}/${1}.php" "${SCRIPTS}/${1}.py" - if wget -q "${GITHUB_REPO}/${1}.sh" -P "$SCRIPTS" - then - bash "${SCRIPTS}/${1}.sh" - rm -f "${SCRIPTS}/${1}.sh" - elif wget -q "${GITHUB_REPO}/${1}.php" -P "$SCRIPTS" - then - php "${SCRIPTS}/${1}.php" - rm -f "${SCRIPTS}/${1}.php" - elif wget -q "${GITHUB_REPO}/${1}.py" -P "$SCRIPTS" - then - python "${SCRIPTS}/${1}.py" - rm -f "${SCRIPTS}/${1}.py" - else - print_text_in_color "$IRed" "Downloading ${1} failed" - print_text_in_color "$IRed" "Script failed to download. Please run: 'sudo wget ${GITHUB_REPO}/${1}.sh|php|py' again." - sleep 3 - fi -} - -# Run any script in ../static -# call like: run_static_script name_of_script -run_static_script() { - # Get ${1} script - rm -f "${SCRIPTS}/${1}.sh" "${SCRIPTS}/${1}.php" "${SCRIPTS}/${1}.py" - if wget -q "${STATIC}/${1}.sh" -P "$SCRIPTS" - then - bash "${SCRIPTS}/${1}.sh" - rm -f "${SCRIPTS}/${1}.sh" - elif wget -q "${STATIC}/${1}.php" -P "$SCRIPTS" - then - php "${SCRIPTS}/${1}.php" - rm -f "${SCRIPTS}/${1}.php" - elif wget -q "${STATIC}/${1}.py" -P "$SCRIPTS" - then - python "${SCRIPTS}/${1}.py" - rm -f "${SCRIPTS}/${1}.py" - else - print_text_in_color "$IRed" "Downloading ${1} failed" - print_text_in_color "$IRed" "Script failed to download. Please run: 'sudo wget ${STATIC}/${1}.sh|php|py' again." 
- sleep 3 - fi -} - -# Run any script in ../apps -# call like: run_app_script collabora|nextant|passman|spreedme|contacts|calendar|webmin|previewgenerator -run_app_script() { - rm -f "${SCRIPTS}/${1}.sh" "${SCRIPTS}/${1}.php" "${SCRIPTS}/${1}.py" - if wget -q "${APP}/${1}.sh" -P "$SCRIPTS" - then - bash "${SCRIPTS}/${1}.sh" - rm -f "${SCRIPTS}/${1}.sh" - elif wget -q "${APP}/${1}.php" -P "$SCRIPTS" - then - php "${SCRIPTS}/${1}.php" - rm -f "${SCRIPTS}/${1}.php" - elif wget -q "${APP}/${1}.py" -P "$SCRIPTS" - then - python "${SCRIPTS}/${1}.py" - rm -f "${SCRIPTS}/${1}.py" - else - print_text_in_color "$IRed" "Downloading ${1} failed" - print_text_in_color "$IRed" "Script failed to download. Please run: 'sudo wget ${APP}/${1}.sh|php|py' again." - sleep 3 - fi +run_script GITHUB_REPO "${1}" } version(){ 
@@ -473,12 +911,106 @@ spinner_loading() { any_key() { local PROMPT="$1" - read -r -p "$(printf "${Green}${PROMPT}${Color_Off}")" -n1 -s - echo + read -r -sn 1 -p "$(printf "%b" "${IGreen}${PROMPT}${Color_Off}")";echo +} + +# Check universe reposiroty +check_universe() { +UNIV=$(apt-cache policy | grep http | awk '{print $3}' | grep universe | head -n 1 | cut -d "/" -f 2) +if [ "$UNIV" != "universe" ] +then + print_text_in_color "$ICyan" "Adding required repo (universe)." + add-apt-repository universe +fi +} + +# Check universe reposiroty +check_multiverse() { +MULTIV=$(apt-cache policy | grep http | awk '{print $3}' | grep multiverse | head -n 1 | cut -d "/" -f 2) +if [ "$MULTIV" != "multiverse" ] +then + print_text_in_color "$ICyan" "Adding required repo (multiverse)." + add-apt-repository multiverse +fi +} + +# countdown 'message looks like this' 10 +countdown() { +print_text_in_color "$ICyan" "$1" +secs="$(($2))" +while [ $secs -gt 0 ]; do + echo -ne "$secs\033[0K\r" + sleep 1 + : $((secs--)) +done } print_text_in_color() { - printf "%b%s%b\n" "$1" "$2" "$Color_Off" +printf "%b%s%b\n" "$1" "$2" "$Color_Off" +} + + +# Check if the value is a number +# EXAMPLE: https://github.com/nextcloud/vm/pull/1012 +check_if_number() { +case "${1}" in + ''|*[!0-9]*) return 1 ;; + *) return 0 ;; +esac +} + +# Use this to send system mails +# e.g.: send_mail "subject" "text" +send_mail() { + local RECIPIENT + if [ -f /etc/msmtprc ] + then + RECIPIENT=$(grep "recipient=" /etc/msmtprc) + RECIPIENT="${RECIPIENT##*recipient=}" + if [ -n "$RECIPIENT" ] + then + print_text_in_color "$ICyan" "Sending '$1' to $RECIPIENT" + echo -e "$2" | mail --subject "NcVM - $1" "$RECIPIENT" + fi + fi +} + +check_php() { +print_text_in_color "$ICyan" "Getting current PHP-version..." +GETPHP="$(php -v | grep -m 1 PHP | awk '{print $2}' | cut -d '-' -f1)" + +if [ -z "$GETPHP" ] +then + print_text_in_color "$IRed" "Can't find proper PHP version, aborting..." 
+ exit 1 +fi + +if grep 7.0 <<< "$GETPHP" >/dev/null 2>&1 +then + export PHPVER=7.0 +elif grep 7.1 <<< "$GETPHP" >/dev/null 2>&1 +then + export PHPVER=7.1 +elif grep 7.2 <<< "$GETPHP" >/dev/null 2>&1 +then + export PHPVER=7.2 +elif grep 7.3 <<< "$GETPHP" >/dev/null 2>&1 +then + export PHPVER=7.3 +elif grep 7.4 <<< "$GETPHP" >/dev/null 2>&1 +then + export PHPVER=7.4 +elif grep 8.0 <<< "$GETPHP" >/dev/null 2>&1 +then +# export PHPVER=8.0 + msg_box "Sorry, but PHP 8 is not supported yet." + exit 1 +fi + +export PHP_INI=/etc/php/"$PHPVER"/fpm/php.ini +export PHP_POOL_DIR=/etc/php/"$PHPVER"/fpm/pool.d + +print_text_in_color "$IGreen" PHPVER="$PHPVER" } ## bash colors From 4d528d80c344be973d1afccb1fb12b44dd4d79da Mon Sep 17 00:00:00 2001 From: Daniel Hansson Date: Wed, 21 Oct 2020 20:53:54 +0200 Subject: [PATCH 03/86] update install script --- wordpress_install.sh | 441 +++++++++++++++++++++++++++---------------- 1 file changed, 275 insertions(+), 166 deletions(-) diff --git a/wordpress_install.sh b/wordpress_install.sh index b05f3f1..4f30f0c 100644 --- a/wordpress_install.sh +++ b/wordpress_install.sh 
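Review bot: `check_php` has no closing `else`, so a PHP version outside the listed 7.0–8.0 branches falls through and `PHP_INI` and `PHP_POOL_DIR` are exported from whatever `PHPVER` already held. Add a final branch such as `else msg_box "Unsupported PHP version: $GETPHP"; exit 1`. The `grep 7.0 <<< "$GETPHP"` tests are unanchored regular expressions in which `.` matches any character; `case "$GETPHP" in 7.4.*) export PHPVER=7.4 ;;` states the intent exactly. In `countdown`, `secs` should be declared `local`, and the comment above `check_multiverse` still reads "Check universe reposiroty".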
@@ -1,16 +1,60 @@ #!/bin/bash -# T&M Hansson IT AB © - 2019, https://www.hanssonit.se/ +# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/ -# Prefer IPv4 -sed -i "s|#precedence ::ffff:0:0/96 100|precedence ::ffff:0:0/96 100|g" /etc/gai.conf +# Prefer IPv4 for apt +echo 'Acquire::ForceIPv4 "true";' >> /etc/apt/apt.conf.d/99force-ipv4 + +# Install curl if not existing +if [ "$(dpkg-query -W -f='${Status}' "curl" 2>/dev/null | grep -c "ok installed")" == "1" ] +then + echo "curl OK" +else + apt update -q4 + apt install curl -y +fi + +# shellcheck disable=2034,2059 +true +SCRIPT_NAME="Wordpress Install Script" +# shellcheck source=lib.sh +source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/master/lib.sh) + +# Check if dpkg or apt is running +is_process_running apt +is_process_running dpkg + +# Install lshw if not existing +if [ "$(dpkg-query -W -f='${Status}' "lshw" 2>/dev/null | grep -c "ok installed")" == "1" ] +then + print_text_in_color "$IGreen" "lshw OK" +else + apt update -q4 & spinner_loading + apt install lshw -y +fi + +# Install net-tools if not existing +if [ "$(dpkg-query -W -f='${Status}' "net-tools" 2>/dev/null | grep -c "ok installed")" == "1" ] +then + print_text_in_color "$IGreen" "net-tools OK" +else + apt update -q4 & spinner_loading + apt install net-tools -y +fi + +# Install whiptail if not existing +if [ "$(dpkg-query -W -f='${Status}' "whiptail" 2>/dev/null | grep -c "ok installed")" == "1" ] +then + print_text_in_color "$IGreen" "whiptail OK" +else + apt update -q4 & spinner_loading + apt install whiptail -y +fi # shellcheck disable=2034,2059 true # shellcheck source=lib.sh -FIRST_IFACE=1 && CHECK_CURRENT_REPO=1 . <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/master/lib.sh) -unset FIRST_IFACE -unset CHECK_CURRENT_REPO +source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/master/lib.sh) # Check for errors + debug code and abort if something isn't right # 1 = ON 
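Review bot: Both `source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/master/lib.sh)` lines run whatever the `master` branch serves at that moment as root. Without `-f`, an HTTP error body is sourced as shell, and a failed transfer sources nothing while the script carries on with every helper undefined. Download to a file, check the exit status, then source it: `lib=$(mktemp) || exit 1`, `curl -fsSL "$LIB_URL" -o "$lib" || exit 1`, `source "$lib"`, with the URL ideally pinned to a tag or commit (`.../wordpress-vm/<commit-sha>/lib.sh`). The first added line appends to `/etc/apt/apt.conf.d/99force-ipv4` with `>>`, so every run adds a duplicate entry; `>` is enough.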
@@ -19,38 +63,66 @@ DEBUG=0 debug_mode # Check if root -if ! is_root -then - printf "\n${Red}Sorry, you are not root.\n${Color_Off}You must type: ${Cyan}sudo ${Color_Off}bash %s/wordpress_install.sh\n" "$SCRIPTS" - exit 1 -fi +root_check # Test RAM size (2GB min) + CPUs (min 1) -ram_check 1 Wordpress +ram_check 2 Wordpress cpu_check 1 Wordpress +# Download needed libraries before execution of the first script +mkdir -p "$SCRIPTS" +download_script GITHUB_REPO lib +download_script STATIC fetch_lib + # Set locales -apt install language-pack-en-base -y -sudo locale-gen "sv_SE.UTF-8" && sudo dpkg-reconfigure --frontend=noninteractive locales +run_script ADDONS locales -# Show current user -download_static_script adduser +# Create new current user +download_script STATIC adduser bash $SCRIPTS/adduser.sh "wordpress_install.sh" -rm $SCRIPTS/adduser.sh +rm -f $SCRIPTS/adduser.sh -# Check Ubuntu version -print_text_in_color "$ICyan" "Checking server OS and version..." -if [ "$OS" != 1 ] +# Check distribution and version +if ! version 20.04 "$DISTRO" 20.04.6 then - print_text_in_color "$IRed" "Ubuntu Server is required to run this script." - print_text_in_color "$IRed" "Please install that distro and try again." + msg_box "This script can only be run on Ubuntu 20.04 (server)." exit 1 fi +# Use this when Ubuntu 18.04 is deprecated from the function: +#check_distro_version +check_universe +check_multiverse - -if ! version 18.04 "$DISTRO" 18.04.4; then - print_text_in_color "$IRed" "Ubuntu version $DISTRO must be between 18.04 - 18.04.4" - exit +# Fix LVM on BASE image +if grep -q "LVM" /etc/fstab +then + if yesno_box_yes "Do you want to make all free space available to your root partition?" + then + # Resize LVM (live installer is &%¤%/! + # VM + print_text_in_color "$ICyan" "Extending LVM, this may take a long time..." 
+ lvextend -l +100%FREE /dev/ubuntu-vg/ubuntu-lv + + # Run it again manually just to be sure it's done + while : + do + lvdisplay | grep "Size" | awk '{print $3}' + if ! lvextend -L +10G /dev/ubuntu-vg/ubuntu-lv >/dev/null 2>&1 + then + if ! lvextend -L +1G /dev/ubuntu-vg/ubuntu-lv >/dev/null 2>&1 + then + if ! lvextend -L +100M /dev/ubuntu-vg/ubuntu-lv >/dev/null 2>&1 + then + if ! lvextend -L +1M /dev/ubuntu-vg/ubuntu-lv >/dev/null 2>&1 + then + resize2fs /dev/ubuntu-vg/ubuntu-lv + break + fi + fi + fi + fi + done + fi fi # Check if it's a clean server @@ -58,6 +130,12 @@ stop_if_installed postgresql stop_if_installed apache2 stop_if_installed nginx stop_if_installed php +stop_if_installed php-fpm +stop_if_installed php"$PHPVER"-fpm +stop_if_installed php7.0-fpm +stop_if_installed php7.1-fpm +stop_if_installed php7.2-fpm +stop_if_installed php7.3-fpm stop_if_installed mysql-common stop_if_installed mariadb-server 
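Review bot: The LVM block assumes `/dev/ubuntu-vg/ubuntu-lv` exists on the strength of the string "LVM" appearing in `/etc/fstab`, and every `lvextend` in the retry loop discards its error output, so a differently named volume group fails without a trace. Guard the block with `[ -e /dev/ubuntu-vg/ubuntu-lv ]` and let the first `lvextend` print its errors. The `+10G`/`+1G`/`+100M`/`+1M` ladder after `lvextend -l +100%FREE` could probably be replaced by `lvextend -r -l +100%FREE /dev/ubuntu-vg/ubuntu-lv`, where `-r` resizes the filesystem in the same step. `bash $SCRIPTS/adduser.sh` and `rm -f $SCRIPTS/adduser.sh` should quote the path: `bash "$SCRIPTS/adduser.sh"`.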
@@ -67,51 +145,56 @@ then mkdir -p "$SCRIPTS" fi -# Change DNS -install_if_not resolvconf -yes | dpkg-reconfigure --frontend=noninteractive resolvconf -echo "nameserver 9.9.9.9" > /etc/resolvconf/resolv.conf.d/base -echo "nameserver 149.112.112.112" >> /etc/resolvconf/resolv.conf.d/base - -# Check network -test_connection - -# Check where the best mirrors are and update -print_text_in_color "$ICyan" "Your current server repository is: $REPO" -if [[ "no" == $(ask_yes_or_no "Do you want to try to find a better mirror?") ]] +# Create $VMLOGS dir +if [ ! -d "$VMLOGS" ] then - print_text_in_color "$ICyan" "Keeping $REPO as mirror..." - sleep 1 -else - print_text_in_color "$ICyan" "Locating the best mirrors..." - apt update -q4 & spinner_loading - apt install python-pip -y - pip install \ - --upgrade pip \ - apt-select - apt-select -m up-to-date -t 5 -c - sudo cp /etc/apt/sources.list /etc/apt/sources.list.backup && \ - if [ -f sources.list ] - then - sudo mv sources.list /etc/apt/ - fi + mkdir -p "$VMLOGS" fi -clear -# Set keyboard layout -print_text_in_color "$ICyan" "Current keyboard layout is $(localectl status | grep "Layout" | awk '{print $3}')" -if [[ "no" == $(ask_yes_or_no "Do you want to change keyboard layout?") ]] -then - print_text_in_color "$ICyan" "Not changing keyboard layout..." - sleep 1 - clear -else - dpkg-reconfigure keyboard-configuration - clear -fi - -# Update system -apt update -q4 & spinner_loading +# Install needed network +install_if_not netplan.io + +# Install build-essentials to get make +install_if_not build-essential + +# Set DNS resolver +# https://unix.stackexchange.com/questions/442598/how-to-configure-systemd-resolved-and-systemd-networkd-to-use-local-dns-server-f +while : +do +choice=$(whiptail --title "$TITLE - Set DNS Resolver" --menu \ +"Which DNS provider should this Wordpress server use? 
+$MENU_GUIDE" "$WT_HEIGHT" "$WT_WIDTH" 4 \ +"Quad9" "(https://www.quad9.net/)" \ +"Cloudflare" "(https://www.cloudflare.com/dns/)" \ +"Local" "($GATEWAY) - DNS on gateway" 3>&1 1>&2 2>&3) + + case "$choice" in + "Quad9") + sed -i "s|^#\?DNS=.*$|DNS=9.9.9.9 149.112.112.112 2620:fe::fe 2620:fe::9|g" /etc/systemd/resolved.conf + ;; + "Cloudflare") + sed -i "s|^#\?DNS=.*$|DNS=1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001|g" /etc/systemd/resolved.conf + ;; + "Local") + sed -i "s|^#\?DNS=.*$|DNS=$GATEWAY|g" /etc/systemd/resolved.conf + if network_ok + then + break + else + msg_box "Could not validate the local DNS server. Pick an Internet DNS server and try again." + continue + fi + ;; + *) + ;; + esac + if test_connection + then + break + else + msg_box "Could not validate the DNS server. Please try again." + fi +done # Install dependencies for GEO-block in Nginx install_if_not geoip-database 
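Review bot: The DNS menu rewrites `/etc/systemd/resolved.conf` but nothing in this hunk restarts the resolver before `network_ok` or `test_connection` validates the choice, so unless those helpers (defined outside this hunk) do it, the check runs against the old resolver. Add `systemctl restart systemd-resolved` after the `case`. The "Local" branch writes `$GATEWAY` into the file unvalidated; if the variable is empty or holds more than one address (several default routes), the `DNS=` line becomes empty or the `sed` expression breaks, so check it first with `[ -n "$GATEWAY" ]`. The `*)` arm lets a cancelled dialog fall through to `test_connection` and leave the loop without any resolver being set, which deserves a comment if intended.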
@@ -128,11 +211,11 @@ chown root:root $MYCNF # Install MARIADB apt install software-properties-common -y sudo apt-key adv --recv-keys --keyserver hkp://keyserver.ubuntu.com:80 0xF1656F24C74CD1D8 -sudo add-apt-repository 'deb [arch=amd64,i386,ppc64el] http://ftp.ddg.lth.se/mariadb/repo/10.2/ubuntu xenial main' -sudo debconf-set-selections <<< "mariadb-server-10.2 mysql-server/root_password password $MARIADB_PASS" -sudo debconf-set-selections <<< "mariadb-server-10.2 mysql-server/root_password_again password $MARIADB_PASS" +sudo add-apt-repository 'deb [arch=amd64,i386,ppc64el] http://ftp.ddg.lth.se/mariadb/repo/10.5/ubuntu xenial main' +sudo debconf-set-selections <<< "mariadb-server-10.5 mysql-server/root_password password $MARIADB_PASS" +sudo debconf-set-selections <<< "mariadb-server-10.5 mysql-server/root_password_again password $MARIADB_PASS" apt update -q4 & spinner_loading -check_command apt install mariadb-server-10.2 -y +check_command apt install mariadb-server-10.5 -y # Prepare for Wordpress installation # https://blog.v-gar.de/2017/02/en-solved-error-1698-28000-in-mysqlmariadb/ @@ -180,7 +263,7 @@ sudo systemctl enable nginx.service rm -f /etc/nginx/nginx.conf check_command wget -q $STATIC/nginx.conf -P /etc/nginx/ -# Install PHP 7.2 +# Install PHP 7.4 apt install -y \ php \ php"$PHPVER"-fpm \ 
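Review bot: The MariaDB 10.5 repository line still names the `xenial` suite, while this same patch restricts the installer to Ubuntu 20.04, so packages built for 16.04 are requested on a focal system. Derive the suite from the host instead: `sudo add-apt-repository "deb [arch=amd64] http://ftp.ddg.lth.se/mariadb/repo/10.5/ubuntu $(lsb_release -sc) main"`. The repository is fetched over plain `http` and its key over `hkp://...:80`, so package integrity rests entirely on that key; a comment next to the key id saying where its fingerprint was verified would help the next maintainer.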
@@ -195,22 +278,60 @@ apt install -y \ php"$PHPVER"-curl # Configure PHP -sed -i "s|allow_url_fopen =.*|allow_url_fopen = On|g" /etc/php/"$PHPVER"/fpm/php.ini -sed -i "s|max_execution_time =.*|max_execution_time = 360|g" /etc/php/"$PHPVER"/fpm/php.ini -sed -i "s|file_uploads =.*|file_uploads = On|g" /etc/php/"$PHPVER"/fpm/php.ini -sed -i "s|upload_max_filesize =.*|upload_max_filesize = 100M|g" /etc/php/"$PHPVER"/fpm/php.ini -sed -i "s|memory_limit =.*|memory_limit = 256M|g" /etc/php/"$PHPVER"/fpm/php.ini -sed -i "s|post_max_size =.*|post_max_size = 110M|g" /etc/php/"$PHPVER"/fpm/php.ini -sed -i "s|cgi.fix_pathinfo =.*|cgi.fix_pathinfo=0|g" /etc/php/"$PHPVER"/fpm/php.ini -sed -i "s|date.timezone =.*|date.timezone = Europe/Stockholm|g" /etc/php/"$PHPVER"/fpm/php.ini - -# Make sure the passwords are the same, this file will be deleted when Redis is run. +sed -i "s|allow_url_fopen =.*|allow_url_fopen = On|g" "$PHP_INI" +sed -i "s|max_execution_time =.*|max_execution_time = 360|g" "$PHP_INI" +sed -i "s|file_uploads =.*|file_uploads = On|g" "$PHP_INI" +sed -i "s|upload_max_filesize =.*|upload_max_filesize = 100M|g" "$PHP_INI" +sed -i "s|memory_limit =.*|memory_limit = 256M|g" "$PHP_INI" +sed -i "s|post_max_size =.*|post_max_size = 110M|g" "$PHP_INI" +sed -i "s|cgi.fix_pathinfo =.*|cgi.fix_pathinfo=0|g" "$PHP_INI" +sed -i "s|date.timezone =.*|date.timezone = Europe/Stockholm|g" "$PHP_INI" + +# Make sure the passwords are the same, this file will be deleted when redis is run. 
check_command echo "$REDIS_PASS" > $REDISPTXT # Install Redis run_static_script redis-server-ubuntu -# Enable igbinary for PHP +# Enable OPCache for PHP +phpenmod opcache +{ +echo "# OPcache settings for Wordpress" +echo "opcache.enable=1" +echo "opcache.enable_cli=1" +echo "opcache.interned_strings_buffer=8" +echo "opcache.max_accelerated_files=10000" +echo "opcache.memory_consumption=256" +echo "opcache.save_comments=1" +echo "opcache.revalidate_freq=1" +echo "opcache.validate_timestamps=1" +} >> "$PHP_INI" + +# PHP-FPM optimization +# https://geekflare.com/php-fpm-optimization/ +sed -i "s|;emergency_restart_threshold.*|emergency_restart_threshold = 10|g" /etc/php/"$PHPVER"/fpm/php-fpm.conf +sed -i "s|;emergency_restart_interval.*|emergency_restart_interval = 1m|g" /etc/php/"$PHPVER"/fpm/php-fpm.conf +sed -i "s|;process_control_timeout.*|process_control_timeout = 10|g" /etc/php/"$PHPVER"/fpm/php-fpm.conf + +# Install Redis (distrubuted cache) +run_script ADDONS redis-server-ubuntu + +# Install smbclient +# php"$PHPVER"-smbclient does not yet work in PHP 7.4 +install_if_not libsmbclient-dev +yes no | pecl install smbclient +if [ ! -f $PHP_MODS_DIR/smbclient.ini ] +then + touch $PHP_MODS_DIR/smbclient.ini +fi +if ! grep -qFx extension=smbclient.so $PHP_MODS_DIR/smbclient.ini +then + echo "# PECL smbclient" > $PHP_MODS_DIR/smbclient.ini + echo "extension=smbclient.so" >> $PHP_MODS_DIR/smbclient.ini + check_command phpenmod -v ALL smbclient +fi + +# Enable igbinary for PHP # https://github.com/igbinary/igbinary if is_this_installed "php$PHPVER"-dev then @@ -226,7 +347,7 @@ echo "# igbinary for PHP" echo "extension=igbinary.so" echo "session.serialize_handler=igbinary" echo "igbinary.compact_strings=On" -} >> $PHP_INI +} >> "$PHP_INI" restart_webserver fi 
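Review bot: The unchanged line `run_static_script redis-server-ubuntu` under "# Install Redis" is still on the new side, while this hunk also adds `run_script ADDONS redis-server-ubuntu` further down. Patch 02 of this series removes `run_static_script` from lib.sh, so the first call fails with "command not found"; were it still defined, Redis would be installed twice. Delete the old call and keep only `run_script ADDONS redis-server-ubuntu`. The OPcache block is appended to `"$PHP_INI"` with `>>`, so a re-run duplicates the settings; guarding it with `grep -q "OPcache settings for Wordpress" "$PHP_INI" ||` avoids that. `$PHP_MODS_DIR/smbclient.ini` is unquoted in all five places.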
@@ -237,18 +358,19 @@ then then msg_box "APCu PHP module installation failed" exit - else + else print_text_in_color "$IGreen" "APCu PHP module installation OK!" fi { echo "# APCu settings for Wordpress" echo "extension=apcu.so" echo "apc.enabled=1" +echo "apc.max_file_size=5M" echo "apc.shm_segments=1" -echo "apc.shm_size=32M" +echo "apc.shm_size=128M" echo "apc.entries_hint=4096" -echo "apc.ttl=0" -echo "apc.gc_ttl=3600" +echo "apc.ttl=3600" +echo "apc.gc_ttl=7200" echo "apc.mmap_file_mask=NULL" echo "apc.slam_defense=1" echo "apc.enable_cli=1" @@ -256,7 +378,7 @@ echo "apc.use_request_time=1" echo "apc.serializer=igbinary" echo "apc.coredump_unmap=0" echo "apc.preload_path" -} >> $PHP_INI +} >> "$PHP_INI" restart_webserver fi @@ -306,13 +428,15 @@ wp_cli_cmd core config --dbname=$WPDBNAME --dbuser=$WPDBUSER --dbpass="$WPDBPASS /** REDIS PASSWORD */ define( 'WP_REDIS_PASSWORD', '$REDIS_PASS' ); /** REDIS CLIENT */ -define( 'WP_REDIS_CLIENT', 'pecl' ); +define( 'WP_REDIS_CLIENT', 'phpredis' ); /** REDIS SOCKET */ define( 'WP_REDIS_SCHEME', 'unix' ); /** REDIS PATH TO SOCKET */ define( 'WP_REDIS_PATH', '$REDIS_SOCK' ); -/** REDIS SALT */ +/** REDIS TTL */ define('WP_REDIS_MAXTTL', 9600); +/** REDIS SALT */ +define('WP_REDIS_PREFIX', $(gen_passwd "$SHUF" "a-zA-Z0-9@#*=")); /** AUTO UPDATE */ define( 'WP_AUTO_UPDATE_CORE', true ); @@ -357,7 +481,7 @@ wp_cli_cmd plugin delete akismet wp_cli_cmd plugin delete hello # Secure permissions -run_static_script wp-permissions +run_script wp-permissions # Hardening security # create .htaccess to protect uploads directory 
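Review bot: The new `WP_REDIS_PREFIX` line puts the generated string into wp-config.php without PHP quotes: `define('WP_REDIS_PREFIX', $(gen_passwd "$SHUF" "a-zA-Z0-9@#*="));` expands to a bare token, which PHP reads as a constant name or rejects as a syntax error once it contains `@`, `#`, `*` or `=`. Quote it the way the `WP_REDIS_PASSWORD` line above does: `define('WP_REDIS_PREFIX', '$(gen_passwd "$SHUF" "a-zA-Z0-9@#*=")');`. The character set contains neither a quote nor a backslash, so single quotes are safe. The "REDIS SALT" comment now sits above the prefix; "REDIS KEY PREFIX" would describe it.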
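Review bot: `run_script wp-permissions` passes one argument, but `run_script` in lib.sh takes the folder variable first and the script name second. Here `${2}` is empty and `${!1}` tries to dereference `wp-permissions`, which is not a valid variable name, so permission hardening fails at this step. It should be `run_script STATIC wp-permissions`, matching `download_script STATIC wp-permissions` in the startup script.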
@@ -393,19 +517,19 @@ echo "" } >> $WPATH/.htaccess # Set up a php-fpm pool with a unixsocket -cat << POOL_CONF > "$PHP_POOL_DIR/Wordpress.conf" -[www_wordpress] +cat << POOL_CONF > "$PHP_POOL_DIR"/wordpress.conf +[Wordpress] user = www-data group = www-data -listen = $PHP_FPM_SOCK +listen = /run/php/php"$PHPVER"-fpm.wordpress.sock listen.owner = www-data listen.group = www-data pm = dynamic -pm.max_children = 17 -pm.start_servers = 5 +; max_children is set dynamically with calculate_php_fpm() +pm.max_children = 22 +pm.start_servers = 9 pm.min_spare_servers = 2 -pm.max_spare_servers = 10 -pm.max_requests = 500 +pm.max_spare_servers = 11 env[HOSTNAME] = $(hostname -f) env[PATH] = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin env[TMP] = /tmp @@ -413,10 +537,16 @@ env[TMPDIR] = /tmp env[TEMP] = /tmp security.limit_extensions = .php php_admin_value [cgi.fix_pathinfo] = 1 + +; Optional +; pm.max_requests = 2000 POOL_CONF -# Disable regular pool -mv $PHP_POOL_DIR/www.conf $PHP_POOL_DIR/default_www.config +# Disable the idling example pool. +mv "$PHP_POOL_DIR"/www.conf "$PHP_POOL_DIR"/www.conf.backup + +# Enable the new php-fpm config +restart_webserver # Force wp-cron.php (updates WooCommerce Services and run Scheluded Tasks) if [ -f $WPATH/wp-cron.php ] @@ -431,10 +561,10 @@ apt install figlet -y # Generate $SSL_CONF install_if_not ssl-cert systemctl stop nginx.service && wait -if [ ! -f $SSL_CONF ]; - then - touch $SSL_CONF - cat << SSL_CREATE > $SSL_CONF +if [ ! -f $SITES_AVAILABLE/$TLS_CONF ] +then + touch "$SITES_AVAILABLE/$TLS_CONF" + cat << TLS_CREATE > "$SITES_AVAILABLE/$TLS_CONF" server { listen 443 ssl http2; listen [::]:443 ssl http2; 
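Review bot: Inside the unquoted `POOL_CONF` here-document the double quotes in `listen = /run/php/php"$PHPVER"-fpm.wordpress.sock` are not removed by the shell, so the pool file receives them literally around the version number. Write `listen = /run/php/php${PHPVER}-fpm.wordpress.sock`, or keep `listen = $PHP_FPM_SOCK` as before. The new path also ends in `-fpm.wordpress.sock`, while `PHP_FPM_SOCK` in lib.sh ends in `-fpm-wordpress.sock`, so if the nginx server blocks still use that variable (they are outside this hunk) they will point at a socket that does not exist.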
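Review bot: The pool keeps `php_admin_value [cgi.fix_pathinfo] = 1`, while the "Configure PHP" section of this same script sets `cgi.fix_pathinfo=0` in `$PHP_INI`. If the pool override takes effect it undoes that hardening for the only pool that serves the site, leaving `security.limit_extensions = .php` as the sole guard against a non-PHP file being executed through path-info. Unless something depends on the value 1, align it: `php_admin_value [cgi.fix_pathinfo] = 0`. The here-document starts and ends outside this hunk.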
@@ -531,16 +661,16 @@ server { log_not_found off; } } -SSL_CREATE -print_text_in_color "$IGreen" "$SSL_CONF was successfully created" +TLS_CREATE +print_text_in_color "$IGreen" "$TLS_CONF was successfully created" sleep 1 fi # Generate $HTTP_CONF -if [ ! -f $HTTP_CONF ]; - then - touch $HTTP_CONF - cat << HTTP_CREATE > $HTTP_CONF +if [ ! -f $SITES_AVAILABLE/$HTTP_CONF ] +then + touch "$SITES_AVAILABLE/$HTTP_CONF" + cat << HTTP_CREATE > "$SITES_AVAILABLE/$HTTP_CONF" server { listen 80; listen [::]:80; @@ -724,7 +854,7 @@ fi if [ -f "$NGINX_DEF" ]; then rm -f $NGINX_DEF - rm -f /etc/nginx/sites-enabled/default + rm -f "$SITES_ENABLED"/default touch $NGINX_DEF cat << NGINX_DEFAULT > "$NGINX_DEF" ## @@ -790,9 +920,9 @@ fi # Enable new config ln -s "$NGINX_DEF" /etc/nginx/sites-enabled/ -ln -s "$SSL_CONF" /etc/nginx/sites-enabled/ +ln -s "$TLS_CONF" /etc/nginx/sites-enabled/ ln -s "$HTTP_CONF" /etc/nginx/sites-enabled/ -systemctl restart nginx.service +restart_webserver # Enable UTF8mb4 (4-byte support) databases=$(mysql -u root -p"$MARIADB_PASS" -e "SHOW DATABASES;" | tr -d "| " | grep -v Database) 
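Review bot: The vhost files are now created as `"$SITES_AVAILABLE/$TLS_CONF"` and `"$SITES_AVAILABLE/$HTTP_CONF"`, but the enable step links the bare names: `ln -s "$TLS_CONF" /etc/nginx/sites-enabled/` and `ln -s "$HTTP_CONF" /etc/nginx/sites-enabled/`. If those variables hold file names, as the new tests imply, the links dangle and nginx comes up without the TLS and HTTP server blocks. Link the full path and use the variable already introduced for the default site: `ln -s "$SITES_AVAILABLE/$TLS_CONF" "$SITES_ENABLED"/`. The tests `[ ! -f $SITES_AVAILABLE/$TLS_CONF ]` and `[ ! -f $SITES_AVAILABLE/$HTTP_CONF ]` should quote the path as well.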
@@ -804,67 +934,46 @@ for db in $databases; do fi done -# Enable OPCache for PHP -phpenmod opcache -{ -echo "# OPcache settings for Wordpress" -echo "opcache.enable=1" -echo "opcache.enable_cli=1" -echo "opcache.interned_strings_buffer=8" -echo "opcache.max_accelerated_files=10000" -echo "opcache.memory_consumption=128" -echo "opcache.save_comments=1" -echo "opcache.revalidate_freq=1" -echo "opcache.validate_timestamps=1" -} >> /etc/php/"$PHPVER"/fpm/php.ini +# Set secure permissions final (./data/.htaccess has wrong permissions otherwise) +bash $SECURE & spinner_loading -# Set secure permissions final -run_static_script wp-permissions +# Put IP adress in /etc/issue (shown before the login) +if [ -f /etc/issue ] +then + echo "\4" >> /etc/issue +fi -# Prepare for first mount -download_static_script instruction -download_static_script history -run_static_script change-root-profile -run_static_script change-wordpress-profile -if [ ! -f "$SCRIPTS"/wordpress-startup-script.sh ] +# Force MOTD to show correct number of updates +if is_this_installed update-notifier-common then -check_command wget -q "$GITHUB_REPO"/wordpress-startup-script.sh -P "$SCRIPTS" + sudo /usr/lib/update-notifier/update-motd-updates-available --force fi +# It has to be this order: +# Download scripts +# chmod +x +# Set permissions for ncadmin in the change scripts + +# Get needed scripts for first bootup +download_script GITHUB_REPO wordpress-startup-script +download_script STATIC instruction +download_script STATIC history +download_script NETWORK static_ip + # Make $SCRIPTS excutable chmod +x -R "$SCRIPTS" chown root:root -R "$SCRIPTS" -# Allow wordpress to run theese scripts -chown wordpress:wordpress "$SCRIPTS/instruction.sh" -chown wordpress:wordpress "$SCRIPTS/history.sh" - -# Upgrade -apt dist-upgrade -y - -# Remove LXD (always shows up as failed during boot) -apt purge lxd -y +# Prepare first bootup +check_command run_script STATIC change-wordpress-profile +check_command run_script STATIC 
change-root-profile -# Cleanup -apt autoremove -y -apt autoclean -find /root "/home/$UNIXUSER" -type f \( -name '*.sh*' -o -name '*.html*' -o -name '*.tar*' -o -name '*.zip*' \) -delete - -# Install virtual kernels for Hyper-V -# Kernel 4.15 -apt install -y --install-recommends \ -linux-virtual \ -linux-tools-virtual \ -linux-cloud-tools-virtual \ -linux-image-virtual \ -linux-image-extra-virtual - -# Force MOTD to show correct number of updates -sudo /usr/lib/update-notifier/update-motd-updates-available --force - -# Prefer IPv6 -sed -i "s|precedence ::ffff:0:0/96 100|#precedence ::ffff:0:0/96 100|g" /etc/gai.conf +# Disable hibernation +print_text_in_color "$ICyan" "Disable hibernation..." +systemctl mask sleep.target suspend.target hibernate.target hybrid-sleep.target # Reboot -print_text_in_color "$IGreen" "Installation done, system will now reboot..." +msg_box "Installation almost done, system will reboot when you hit OK. + +Please log in again once rebooted to run the setup script." reboot From ca9e48d6aa3f960c08550436725c96ef1f339ed9 Mon Sep 17 00:00:00 2001 From: Daniel Hansson Date: Wed, 21 Oct 2020 21:43:41 +0200 Subject: [PATCH 04/86] update startup script --- wordpress-startup-script.sh | 581 +++++++++++++++--------------------- 1 file changed, 233 insertions(+), 348 deletions(-) diff --git a/wordpress-startup-script.sh b/wordpress-startup-script.sh index 7749923..c5cfcd9 100644 --- a/wordpress-startup-script.sh +++ b/wordpress-startup-script.sh 
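Review bot: The final permission pass changed from `run_static_script wp-permissions` to `bash $SECURE & spinner_loading`, and nothing in this file shows what `SECURE` holds. If it is empty, the unquoted expansion starts a background `bash` with no script to run; if it points at `$SCRIPTS/wp-permissions.sh`, `run_script` deleted that file after the earlier run. Either way the backgrounded job hides the failure and the install ends with whatever permissions happened to be in place. Prefer `check_command run_script STATIC wp-permissions`, or at least `[ -f "$SECURE" ] && check_command bash "$SECURE"`. `echo "\4" >> /etc/issue` appends on every run, and the "Set permissions for ncadmin" comment is left over from another project.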
@@ -1,80 +1,46 @@ #!/bin/bash -# shellcheck disable=2034,2059 -true -# shellcheck source=lib.sh -WPDB=1 && MYCNFPW=1 && FIRST_IFACE=1 && CHECK_CURRENT_REPO=1 . <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/master/lib.sh) -unset FIRST_IFACE -unset CHECK_CURRENT_REPO -unset MYCNFPW -unset WPDB -# T&M Hansson IT AB © - 2019, https://www.hanssonit.se/ +# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/ -## If you want debug mode, please activate it further down in the code at line ~132 +######### -# FUNCTIONS # - -msg_box() { -local PROMPT="$1" - whiptail --msgbox "${PROMPT}" "$WT_HEIGHT" "$WT_WIDTH" +IRed='\e[0;91m' # Red +IGreen='\e[0;92m' # Green +ICyan='\e[0;96m' # Cyan +Color_Off='\e[0m' # Text Reset +print_text_in_color() { + printf "%b%s%b\n" "$1" "$2" "$Color_Off" } -is_root() { - if [[ "$EUID" -ne 0 ]] - then - return 1 - else - return 0 - fi -} +print_text_in_color "$ICyan" "Fetching all the variables from lib.sh..." -root_check() { -if ! is_root -then -msg_box "Sorry, you are not root. You now have two options: -1. With SUDO directly: - a) :~$ sudo bash $SCRIPTS/name-of-script.sh -2. Become ROOT and then type your command: - a) :~$ sudo -i - b) :~# $SCRIPTS/name-of-script.sh -In both cases above you can leave out $SCRIPTS/ if the script -is directly in your PATH. -More information can be found here: https://unix.stackexchange.com/a/3064" - exit 1 -fi -} +is_process_running() { +PROCESS="$1" -network_ok() { - print_text_in_color "$ICyan" "Testing if network is OK..." - service network-manager restart - if wget -q -T 20 -t 2 http://github.com -O /dev/null - then - return 0 +while : +do + RESULT=$(pgrep "${PROCESS}") + + if [ "${RESULT:-null}" = null ]; then + break else - return 1 + print_text_in_color "$ICyan" "${PROCESS} is running, waiting for it to stop..." + sleep 10 fi +done } -check_command() { - if ! "$@"; - then - print_text_in_color "$IRed" "Sorry but something went wrong. 
Please report this issue to $ISSUES and include the output of the error message. Thank you!" - print_text_in_color "$IRed" "$* failed" - exit 1 - fi -} - -# Colors -Color_Off='\e[0m' -IRed='\e[0;91m' -IGreen='\e[0;92m' -ICyan='\e[0;96m' +######### -print_text_in_color() { - printf "%b%s%b\n" "$1" "$2" "$Color_Off" -} +# Check if dpkg or apt is running +is_process_running apt +is_process_running dpkg -# END OF FUNCTIONS # +# shellcheck disable=2034,2059,1091 +true +SCRIPT_NAME="Nextcloud Startup Script" +# shellcheck source=lib.sh +source /var/scripts/fetch_lib.sh # Check if root root_check 
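Review bot: `is_process_running` tests `pgrep "${PROCESS}"`, which matches the pattern anywhere in a process name, so `is_process_running apt` also waits on any process whose name merely contains "apt", and the loop has no upper bound. Use an exact match and cap the wait: `pgrep -x "${PROCESS}"`, with a counter that gives up after a fixed number of 10-second rounds. `PROCESS` and `RESULT` should be `local`. `source /var/scripts/fetch_lib.sh` is not checked for existence, so a missing file only surfaces later when `root_check` is reported as not found; `[ -f /var/scripts/fetch_lib.sh ] || exit 1` before it would fail early. `SCRIPT_NAME` is set to "Nextcloud Startup Script" here and to "Wordpress Startup Script" further down in the same file.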
@@ -82,104 +48,82 @@ root_check # Check network if network_ok then - printf "${IGreen}Online!${Color_Off}\n" + print_text_in_color "$IGreen" "Online!" else print_text_in_color "$ICyan" "Setting correct interface..." [ -z "$IFACE" ] && IFACE=$(lshw -c network | grep "logical name" | awk '{print $3; exit}') # Set correct interface -cat <<-SETDHCP > "/etc/netplan/01-netcfg.yaml" + cat <<-SETDHCP > "/etc/netplan/01-netcfg.yaml" network: version: 2 renderer: networkd ethernets: $IFACE: - dhcp4: yes - dhcp6: yes + dhcp4: true + dhcp6: true SETDHCP check_command netplan apply - check_command service network-manager restart - ip link set "$IFACE" down - wait - ip link set "$IFACE" up - wait - check_command service network-manager restart print_text_in_color "$ICyan" "Checking connection..." sleep 1 + set_systemd_resolved_dns "$IFACE" if ! nslookup github.com then -msg_box "The script failed to get an address from DHCP. + msg_box "The script failed to get an address from DHCP. You must have a working network connection to run this script. -You will now be provided with the option to set a static IP manually instead." - # Copy old interfaces files -msg_box "Copying old netplan.io config files file to: -/tmp/netplan_io_backup/" - if [ -d /etc/netplan/ ] - then - mkdir -p /tmp/netplan_io_backup - check_command cp -vR /etc/netplan/* /tmp/netplan_io_backup/ - fi +You will now be provided with the option to set a static IP manually instead." - # Ask for IP address -cat << ENTERIP -+----------------------------------------------------------+ -| Please enter the static IP address you want to set, | -| including the subnet. 
Example: 192.168.1.100/24 | -+----------------------------------------------------------+ -ENTERIP - echo - read -r LANIP - echo - - # Ask for gateway address -cat << ENTERGATEWAY -+----------------------------------------------------------+ -| Please enter the gateway address you want to set, | -| Example: 192.168.1.1 | -+----------------------------------------------------------+ -ENTERGATEWAY - echo - read -r GATEWAYIP - echo - - # Create the Static IP file -cat <<-IPCONFIG > /etc/netplan/01-netcfg.yaml -network: - version: 2 - renderer: networkd - ethernets: - $IFACE: #object name - dhcp4: no # dhcp v4 disable - dhcp6: no # dhcp v6 disable - addresses: [$LANIP] # client IP address - gateway4: $GATEWAYIP # gateway address - nameservers: - addresses: [9.9.9.9,149.112.112.112] #name servers -IPCONFIG - -msg_box "These are your settings, please make sure they are correct: -$(cat /etc/netplan/01-netcfg.yaml)" - netplan try + # Run static_ip script + bash /var/scripts/static_ip.sh fi fi # Check network again if network_ok then - printf "${IGreen}Online!${Color_Off}\n" + print_text_in_color "$IGreen" "Online!" +elif home_sme_server +then + msg_box "It seems like the last try failed as well using LAN ethernet. + +Since the Home/SME server is equipped with a WIFI module, you will now be asked to enable it to get connectivity. + +Please note: It's not recomended to run a server on WIFI. Using an ethernet cable is always the best." + if yesno_box_yes "Do you want to enable WIFI on this server?" + then + nmtui + fi + if network_ok + then + print_text_in_color "$IGreen" "Online!" + else + msg_box "Network NOT OK. You must have a working network connection to run this script. + +Please contact us for support: +https://shop.hanssonit.se/product/premium-support-per-30-minutes/ + +Please also post this issue on: https://github.com/nextcloud/vm/issues" + exit 1 + fi else -msg_box "Network NOT OK. You must have a working network connection to run this script. 
+ msg_box "Network NOT OK. You must have a working network connection to run this script. + Please contact us for support: https://shop.hanssonit.se/product/premium-support-per-30-minutes/ -Please also post this issue on: $ISSUES" + +Please also post this issue on: https://github.com/techandme/wordpress-vm/issues" exit 1 fi + +# shellcheck disable=2034,2059,1091 +true +SCRIPT_NAME="Wordpress Startup Script" # shellcheck source=lib.sh -WPDB=1 && MYCNFPW=1 && FIRST_IFACE=1 && CHECK_CURRENT_REPO=1 . <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/master/lib.sh) -unset FIRST_IFACE -unset CHECK_CURRENT_REPO -unset MYCNFPW -unset WPDB +source /var/scripts/fetch_lib.sh + +# Get all needed variables from the library +mycnfpw +wpdb # Check for errors + debug code and abort if something isn't right # 1 = ON 
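Review bot: The two "Network NOT OK" messages now hard-code different issue trackers: the Home/SME branch sends users to `https://github.com/nextcloud/vm/issues`, the final `else` to `https://github.com/techandme/wordpress-vm/issues`, where the removed line used `$ISSUES`. The library is sourced before this point and a later message in this file still uses `$ISSUES`, so both should read `Please also post this issue on: $ISSUES`. `bash /var/scripts/static_ip.sh` is called without checking that the file exists; `[ -f "$SCRIPTS/static_ip.sh" ]` before it would give a clearer failure than bash's own error.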
@@ -187,23 +131,46 @@ unset WPDB DEBUG=0 debug_mode +# Run the startup menu +run_script MENU startup_configuration + +######## The first setup is OK to run to this point several times, but not any further ######## +if [ -f "$SCRIPTS/you-can-not-run-the-startup-script-several-times" ] +then + msg_box "$SCRIPT_NAME script that handles the first setup \ +(this one) is desinged to be run once, not several times in a row. + +If you feel uncertain about adding some extra features during this setup, \ +then it's best to wait until after the first setup is done. You can always add all the extra features later. + +[For the Wordpress VM:] +Please delete this VM from your host and reimport it once again, then run this setup like you did the first time. + +Full documentation can be found here: https://docs.hanssonit.se +Please report any bugs you find here: $ISSUES" + exit 1 +fi + +touch "$SCRIPTS/you-can-not-run-the-startup-script-several-times" + print_text_in_color "$ICyan" "Getting scripts from GitHub to be able to run the first setup..." 
-# All the shell scripts in static (.sh) -download_static_script security -download_static_script update -download_static_script test_connection -download_static_script wp-permissions -download_static_script change_mysql_pass -download_static_script techandme -download_static_script index -download_le_script activate-ssl +# Scripts in static (.sh, .php, .py) +download_script LETS_ENC activate-tls +download_script STATIC update +download_script STATIC wp-permissions +download_script STATIC change_db_pass +download_script STATIC wordpress +download_script MENU menu +download_script MENU server_configuration +download_script MENU nextcloud_configuration +download_script MENU additional_apps # Make $SCRIPTS excutable chmod +x -R $SCRIPTS chown root:root -R $SCRIPTS # Allow wordpress to run figlet script -chown wordpress:wordpress $SCRIPTS/techandme.sh +chown "$SUDO_USER":"$SUDO_USER" $SCRIPTS/wordpress.sh clear msg_box"This script will do the final setup for you 
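Review bot: `download_script MENU nextcloud_configuration` fetches a script that nothing in this patch runs, while the next hunk calls `bash $SCRIPTS/wordpress_configuration.sh`, which is never downloaded here. Unless another step provides that file, the call fails, and because it is not wrapped in `check_command` the setup carries on without the configuration step. Make the two names agree, for example by running `check_command bash "$SCRIPTS/nextcloud_configuration.sh"`, and update the matching `rm -f` in the cleanup hunk. Separately, `chmod +x -R $SCRIPTS` and `chown root:root -R $SCRIPTS` expand the variable unquoted; quote it as `"$SCRIPTS"`.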
@@ -221,177 +188,91 @@ msg_box"This script will do the final setup for you ############### T&M Hansson IT AB - $(date +"%Y") ###############" clear -# Set keyboard layout -print_text_in_color "$ICyan" "Current keyboard layout is $(localectl status | grep "Layout" | awk '{print $3}')" -if [[ "no" == $(ask_yes_or_no "Do you want to change keyboard layout?") ]] -then - print_text_in_color "$ICyan" "Not changing keyboard layout..." - sleep 1 - clear -else - dpkg-reconfigure keyboard-configuration -clear -fi - -# Change Timezone -print_text_in_color "$ICyan" "Current timezone is $(cat /etc/timezone)" -if [[ "no" == $(ask_yes_or_no "Do you want to change timezone?") ]] -then - print_text_in_color "$ICyan" "Not changing timezone..." - sleep 1 - clear -else - dpkg-reconfigure tzdata -clear -fi - -# Check where the best mirrors are and update -msg_box "To make downloads as fast as possible when updating you should have mirrors that are as close to you as possible. -This VM comes with mirrors based on servers in that where used when the VM was released and packaged. -If you are located outside of Europe, we recomend you to change the mirrors so that downloads are faster." -print_text_in_color "$ICyan" "Checking current mirror..." -print_text_in_color "$ICyan" "Your current server repository is: $REPO" - -if [[ "no" == $(ask_yes_or_no "Do you want to try to find a better mirror?") ]] -then - print_text_in_color "$ICyan" "Keeping $REPO as mirror..." - sleep 1 -else - print_text_in_color "$ICyan" "Locating the best mirrors..." - apt update -q4 & spinner_loading - apt install python-pip -y - pip install \ - --upgrade pip \ - apt-select - check_command apt-select -m up-to-date -t 5 -c -C "$(localectl status | grep "Layout" | awk '{print $3}')" - sudo cp /etc/apt/sources.list /etc/apt/sources.list.backup && \ - if [ -f sources.list ] - then - sudo mv sources.list /etc/apt/ - fi -fi -clear +msg_box "PLEASE NOTE: +[#] Please finish the whole setup. The server will reboot once done. 
+[#] Please read the on-screen instructions carefully, they will guide you through the setup. +[#] When complete it will delete all the *.sh, *.html, *.tar, *.zip inside: + /root + /home/$SUDO_USER +[#] Please consider donating if you like the product: + https://shop.hanssonit.se/product-category/donate/ +[#] You can also ask for help here: + https://shop.hanssonit.se/product/premium-support-per-30-minutes/" + +msg_box "PLEASE NOTE: +The first setup is meant to be run once, and not aborted. +If you feel uncertain about the options during the setup, just choose the defaults by hitting [ENTER] at each question. +When the setup is done, the server will automatically reboot. +Please report any issues to: $ISSUES" + +# Change timezone in PHP +sed -i "s|;date.timezone.*|date.timezone = $(cat /etc/timezone)|g" "$PHP_INI" # Generate new SSH Keys printf "\nGenerating new SSH keys for the server...\n" rm -v /etc/ssh/ssh_host_* dpkg-reconfigure openssh-server -# Generate new MARIADB password -print_text_in_color "$ICyan" "Generating new MARIADB password..." -if bash "$SCRIPTS/change_mysql_pass.sh" && wait -then - rm "$SCRIPTS/change_mysql_pass.sh" -fi -clear +# Generate new MariaDB password +print_text_in_color "$ICyan" "Generating new PostgreSQL password..." +check_command bash "$SCRIPTS/change_db_pass.sh" +sleep 3 -whiptail --title "Which apps do you want to install?" 
--checklist --separate-output "Automatically configure and install selected apps\nSelect by pressing the spacebar" "$WT_HEIGHT" "$WT_WIDTH" 4 \ -"Fail2ban" "(Extra Bruteforce protection) " OFF \ -"Webmin" "(Server GUI) " OFF \ -"Adminer" "(*SQL GUI) " OFF 2>results -while read -r -u 9 choice -do - case $choice in - Fail2ban) - run_app_script fail2ban +# Server configurations +bash $SCRIPTS/server_configuration.sh - ;; +# Nextcloud configuration +bash $SCRIPTS/wordpress_configuration.sh - Webmin) - run_app_script webmin +# Install apps +bash $SCRIPTS/additional_apps.sh - ;; - Adminer) - run_app_script adminer - ;; +### Change passwords +# CLI USER +msg_box "For better security, we will now change the password for the CLI user in Ubuntu." +UNIXUSER="$(getent group sudo | cut -d: -f4 | cut -d, -f1)" +while : +do + UNIX_PASSWORD=$(input_box_flow "Please type in the new password for the current CLI user in Ubuntu: $UNIXUSER.") + if [[ "$UNIX_PASSWORD" == *" "* ]] + then + msg_box "Please don't use spaces." + else + break + fi +done +if check_command echo "$UNIXUSER:$UNIX_PASSWORD" | sudo chpasswd +then + msg_box "The new password for the current CLI user in Ubuntu ($UNIXUSER) is now set to: $UNIX_PASSWORD + +This is used when you login to the Ubuntu CLI." +fi +unset UNIX_PASSWORD - *) - ;; - esac -done 9< results -rm -f results -clear +# WORDPRESS USER +while : +do +msg_box "Please define the FQDN and create a new user for Wordpress. -# Extra configurations -whiptail --title "Extra configurations" --checklist --separate-output "Choose what you want to configure\nSelect by pressing the spacebar" "$WT_HEIGHT" "$WT_WIDTH" 4 \ -"Security" "(Add extra security based on this http://goo.gl/gEJHi7)" OFF \ -"Static IP" "(Set static IP in Ubuntu with netplan.io)" OFF 2>results +Make sure your FQDN starts with either http:// or https://, +otherwise your installation will not work correctly!" 
-while read -r -u 9 choice -do - case $choice in - "Security") - clear - run_static_script security - ;; - - "Static IP") - clear - run_static_script static_ip - ;; - - *) - ;; - esac -done 9< results -rm -f results -clear +FQDN=$(input_box_flow "Please enter your domain name or IP address, e.g: https://www.example.com or http://192.168.1.100.") +USER=$(input_box_flow "Please enter your Wordpress username.") +NEWWPADMINPASS=$(input_box_flow "Please enter your Wordpress password.") +EMAIL=$(input_box_flow "Please enter your Wordpress admin email address.") -# Change password -printf "${Color_Off}\n" -print_text_in_color "$ICyan" "For better security, change the system user password for [$(getent group sudo | cut -d: -f4 | cut -d, -f1)]" -any_key "Press any key to change password for system user..." -while true -do - sudo passwd "$(getent group sudo | cut -d: -f4 | cut -d, -f1)" && break -done -clear +if yesno_box_yes "Is this correct? -cat << LETSENC -+-----------------------------------------------+ -| The following script will install a trusted | -| SSL certificate through Let's Encrypt. | -+-----------------------------------------------+ -LETSENC -# Let's Encrypt -if [[ "yes" == $(ask_yes_or_no "Do you want to install SSL?") ]] +Domain or IP address: $FQDN +Wordpress user: $USER +Wordpress password: $NEWWPADMINPASS +Wordpress admin email: $EMAIL" then - bash $SCRIPTS/activate-ssl.sh -else - print_text_in_color "$ICyan" "OK, but if you want to run it later, just type: sudo bash $SCRIPTS/activate-ssl.sh" - any_key "Press any key to continue..." + break fi - -# Define FQDN and create new WP user -MYANSWER="no" -while [ "$MYANSWER" == "no" ] -do - clear - cat << ENTERNEW -+-----------------------------------------------+ -| Please define the FQDN and create a new | -| user for Wordpress. | -| Make sure your FQDN starts with either | -| http:// or https://, otherwise your | -| installation will not work correctly! 
| -+-----------------------------------------------+ -ENTERNEW - print_text_in_color "$IGreen" "Enter FQDN (http(s)://yourdomain.com):" - read -r FQDN - echo - print_text_in_color "$IGreen" "Enter username:" - read -r USER - echo - print_text_in_color "$IGreen" "Enter password:" - read -r NEWWPADMINPASS - echo - print_text_in_color "$IGreen" "Enter email address:" - read -r EMAIL - echo - MYANSWER=$(ask_yes_or_no "Is this correct? FQDN: $FQDN User: $USER Password: $NEWWPADMINPASS Email: $EMAIL") done -clear echo "$FQDN" > fqdn.txt wp_cli_cmd option update siteurl < fqdn.txt --path="$WPATH" @@ -409,9 +290,9 @@ echo "WP PASS: $NEWWPADMINPASS" # Change servername in Nginx server_name=$(echo "$FQDN" | cut -d "/" -f3) -sed -i "s|# server_name .*|server_name $server_name;|g" /etc/nginx/sites-available/wordpress_port_80.conf -sed -i "s|# server_name .*|server_name $server_name;|g" /etc/nginx/sites-available/wordpress_port_443.conf -check_command service nginx restart +sed -i "s|# server_name .*|server_name $server_name;|g" "$HTTP_CONF" +sed -i "s|# server_name .*|server_name $server_name;|g" "$TLS_CONF" +restart_webserver # Show current administrators echo 
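Review bot: The new CLI password is printed back in clear text by `msg_box "... is now set to: $UNIX_PASSWORD`, and the WordPress password is repeated in the `yesno_box_yes` confirmation, so both stay visible on the console and in any scrollback or session recording. Drop the value from the confirmation, e.g. `msg_box "The password for the current CLI user in Ubuntu ($UNIXUSER) has been changed."`. The loop also rejects only spaces, so an empty `UNIX_PASSWORD` reaches `chpasswd` unchecked, as does an empty `UNIXUSER` when `getent group sudo` lists no member. The message "Generating new PostgreSQL password..." sits under a MariaDB comment and should name the database actually in use.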
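Review bot: `$server_name` is cut from the interactively entered `$FQDN` and pasted into the `sed` replacement for `$HTTP_CONF` and `$TLS_CONF` without validation. A value containing `|`, `&` or a backslash breaks or alters the substitution, and an entry without `http://` or `https://` leaves field 3 empty and writes `server_name ;`. Check it before the two `sed` calls, e.g. `[[ "$server_name" =~ ^[A-Za-z0-9.-]+$ ]] || { msg_box "Invalid domain or IP: $server_name"; exit 1; }`, or better inside the input loop so the user can retry. The `server_name=` assignment is a context line and the script continues outside this hunk.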
@@ -420,46 +301,49 @@ wp_cli_cmd user list --role=administrator --path="$WPATH" any_key "Press any key to continue..." clear -# Fixes https://github.com/techandme/wordpress-vm/issues/58 -a2dismod status -service apache2 reload - # Cleanup 1 -rm -f "$SCRIPTS/ip.sh" -rm -f "$SCRIPTS/test_connection.sh" +rm -f "$SCRIPTS/change_db_pass.sh" rm -f "$SCRIPTS/instruction.sh" -rm -f "$SCRIPTS/wordpress-startup-script.sh" -find /root "/home/$UNIXUSER" -type f \( -name '*.sh*' -o -name '*.html*' -o -name '*.tar*' -o -name '*.zip*' \) -delete -sed -i "s|instruction.sh|techandme.sh|g" "/home/$UNIXUSER/.bash_profile" +rm -f "$SCRIPTS/static_ip.sh" +rm -f "$SCRIPTS/lib.sh" +rm -f "$SCRIPTS/server_configuration.sh" +rm -f "$SCRIPTS/wordpress_configuration.sh" +rm -f "$SCRIPTS/additional_apps.sh" +rm -f "$SCRIPTS/adduser.sh" +find /root "/home/$SUDO_USER" -type f \( -name '*.sh*' -o -name '*.html*' -o -name '*.tar*' -o -name 'results' -o -name '*.zip*' \) -delete +find "$WPPATH" -type f \( -name 'results' -o -name '*.sh*' \) -delete +sed -i "s|instruction.sh|wordpress.sh|g" "/home/$SUDO_USER/.bash_profile" truncate -s 0 \ /root/.bash_history \ "/home/$UNIXUSER/.bash_history" \ /var/spool/mail/root \ "/var/spool/mail/$UNIXUSER" \ - /var/log/apache2/access.log \ - /var/log/apache2/error.log \ + /var/log/nginx/access.log \ + /var/log/nginx/error.log \ /var/log/cronjobs_success.log -sed -i "s|sudo -i||g" "/home/$UNIXUSER/.bash_profile" -cat << RCLOCAL > "/etc/rc.local" -#!/bin/sh -e -# -# rc.local -# -# This script is executed at the end of each multiuser runlevel. -# Make sure that the script will "exit 0" on success or any other -# value on error. -# -# In order to enable or disable this script just change the execution -# bits. -# -# By default this script does nothing. - -exit 0 - -RCLOCAL -clear +sed -i "s|sudo -i||g" "$UNIXUSER_PROFILE" + +cat << ROOTNEWPROFILE > "$ROOT_PROFILE" +# ~/.profile: executed by Bourne-compatible login shells. 
+if [ "/bin/bash" ] +then + if [ -f ~/.bashrc ] + then + . ~/.bashrc + fi +fi +if [ -x /var/scripts/wordpress-startup-script.sh ] +then + /var/scripts/wordpress-startup-script.sh +fi +if [ -x /var/scripts/history.sh ] +then + /var/scripts/history.sh +fi +mesg n +ROOTNEWPROFILE # Upgrade system print_text_in_color "$ICyan" "System will now upgrade..." 
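Review bot: The cleanup `find /root "/home/$SUDO_USER" -type f ... -delete` widens to every home directory when `SUDO_USER` is empty, because the path becomes `/home/`. That is the case when the script runs from a root login rather than through sudo, which the root profile written in this same hunk suggests can happen. The neighbouring `truncate` lines still use `$UNIXUSER`, so the hunk mixes two variables for the same account. Guard before the cleanup, e.g. `[ -n "$SUDO_USER" ] || { msg_box "SUDO_USER is not set, skipping home cleanup"; exit 1; }`, or use `$UNIXUSER` consistently. `find "$WPPATH" ...` also looks like a typo for `$WPATH`, the name used in the `wp_cli_cmd` calls; as written that `find` receives an empty path.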
@@ -469,33 +353,34 @@ bash $SCRIPTS/update.sh apt autoremove -y apt autoclean -ADDRESS2=$(grep "server_name" /etc/nginx/sites-available/wordpress_port_80.conf | awk '$1 == "server_name" { print $2 }' | cut -d ";" -f1) -# Success! -clear -# Success! -msg_box "Congratulations! You have successfully installed Wordpress! -Login to Wordpress in your browser: -- IP: $ADDRESS -- Hostname: $(hostname -f) +# Remove preference for IPv4 +rm -f /etc/apt/apt.conf.d/99force-ipv4 +apt update -SUPPORT: -Please ask for help in the forums, or visit our shop to buy support, -https://shop.hanssonit.se/product/premium-support-per-30-minutes/ - -BUGS: -Please report any bugs here: https://github.com/techandme/wordpress-vm +# Success! +msg_box "The installation process is *almost* done. +Please hit OK in all the following prompts and let the server reboot to complete the installation process." -TIPS & TRICKS: +msg_box "TIPS & TRICKS: 1. Publish your server online: https://goo.gl/iUGE2U -2. To update this VM just type: sudo bash /var/scripts/update.sh -3. Change IP to something outside DHCP: sudo nano /etc/netplan/01-netcfg.yaml -4. To allow access to wp-login.php, please edit your nginx virtual hosts file. - You can find it here: $HTTP_CONF +3. To update this server just type: sudo bash /var/scripts/update.sh +4. Install apps, configure Wordpress, and server: sudo bash $SCRIPTS/menu.sh" +5. To allow access to wp-login.php, please edit your nginx virtual hosts file. + You can find it here: $HTTP_CONF" - ######################### T&M Hansson IT - $(date +"%Y") ######################### " +BUGS & SUPPORT: +- SUPPORT: https://shop.hanssonit.se/product/premium-support-per-30-minutes/ +- BUGS: Please report any bugs here: $ISSUES" -# Prefer IPv6 -sed -i "s|precedence ::ffff:0:0/96 100|#precedence ::ffff:0:0/96 100|g" /etc/gai.conf +msg_box "Congratulations! You have successfully installed Wordpress! 
+LOGIN: +Login to Wordpress in your browser: +- IP: $ADDRESS +- Hostname: $(hostname -f) +### PLEASE HIT OK TO REBOOT ###" # Reboot +print_text_in_color "$IGreen" "Installation done, system will now reboot..." +check_command rm -f "$SCRIPTS/you-can-not-run-the-startup-script-several-times" +check_command rm -f "$SCRIPTS/wordpress-startup-script.sh" reboot From 1191463535728311afe718ffc6b820bbb1dbee0c Mon Sep 17 00:00:00 2001 From: enoch85 Date: Wed, 21 Oct 2020 21:51:26 +0200 Subject: [PATCH 05/86] add folders Signed-off-by: enoch85 --- wordpress_install.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/wordpress_install.sh b/wordpress_install.sh index 4f30f0c..6256ebf 100644 --- a/wordpress_install.sh +++ b/wordpress_install.sh @@ -18,7 +18,7 @@ fi true SCRIPT_NAME="Wordpress Install Script" # shellcheck source=lib.sh -source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/master/lib.sh) +source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) # Check if dpkg or apt is running is_process_running apt @@ -54,7 +54,7 @@ fi # shellcheck disable=2034,2059 true # shellcheck source=lib.sh -source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/master/lib.sh) +source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) # Check for errors + debug code and abort if something isn't right # 1 = ON From d4f73b5609a27431ac73dc0c130437b17514e443 Mon Sep 17 00:00:00 2001 From: enoch85 Date: Wed, 21 Oct 2020 21:51:34 +0200 Subject: [PATCH 06/86] add folders 
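Review bot: The `TIPS & TRICKS` message has a closing quote after `menu.sh` on item 4 and another after `$HTTP_CONF`. As far as the collapsed diff shows, the string therefore ends at item 4, the `5. To allow access ...` line is executed as a command, and the `BUGS & SUPPORT` text becomes arguments of a command named `You` instead of being displayed. Keep a single closing quote after `$ISSUES`: end item 4 with `sudo bash $SCRIPTS/menu.sh` and the nginx line with `You can find it here: $HTTP_CONF`. The list numbering also jumps from 1 to 3.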
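Review bot: `source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh)` executes whatever the head of a mutable testing branch holds at install time, with no integrity check. Without `-f`, an HTTP error body would also be sourced as shell. This applies to both hunks of wordpress_install.sh. Use `curl -fsSL` and fetch from a fixed revision, e.g. `.../wordpress-vm/<commit-sha>/lib.sh`, or download to a file and verify a checksum before sourcing it.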
Signed-off-by: enoch85 --- addons/automatic_updates.sh | 47 ++++++ addons/cookielifetime.sh | 82 +++++++++ addons/locales.sh | 44 +++++ addons/locate_mirror.sh | 58 +++++++ addons/redis-server-ubuntu.sh | 108 ++++++++++++ addons/security.sh | 122 ++++++++++++++ addons/smtp-mail.sh | 270 ++++++++++++++++++++++++++++++ menu/additional_apps.sh | 119 +++++++++++++ menu/bitwarden_menu.sh | 61 +++++++ menu/documentserver.sh | 48 ++++++ menu/fail2ban_menu.sh | 52 ++++++ menu/main_menu.sh | 63 +++++++ menu/menu.sh | 31 ++++ menu/nextcloud_configuration.sh | 121 +++++++++++++ menu/server_configuration.sh | 117 +++++++++++++ menu/startup_configuration.sh | 129 ++++++++++++++ network/ddclient-configuration.sh | 172 +++++++++++++++++++ network/geoblock.sh | 187 +++++++++++++++++++++ network/static_ip.sh | 241 ++++++++++++++++++++++++++ network/trusted.sh | 29 ++++ network/update-config.php | 53 ++++++ static/fetch_lib.sh | 37 ++++ 22 files changed, 2191 insertions(+) create mode 100644 addons/automatic_updates.sh create mode 100644 addons/cookielifetime.sh create mode 100644 addons/locales.sh create mode 100644 addons/locate_mirror.sh create mode 100644 addons/redis-server-ubuntu.sh create mode 100644 addons/security.sh create mode 100644 addons/smtp-mail.sh create mode 100644 menu/additional_apps.sh create mode 100644 menu/bitwarden_menu.sh create mode 100644 menu/documentserver.sh create mode 100644 menu/fail2ban_menu.sh create mode 100644 menu/main_menu.sh create mode 100644 menu/menu.sh create mode 100644 menu/nextcloud_configuration.sh create mode 100644 menu/server_configuration.sh create mode 100644 menu/startup_configuration.sh create mode 100644 network/ddclient-configuration.sh create mode 100644 network/geoblock.sh create mode 100644 network/static_ip.sh create mode 100644 network/trusted.sh create mode 100644 network/update-config.php create mode 100644 static/fetch_lib.sh 
diff --git a/addons/automatic_updates.sh b/addons/automatic_updates.sh
new file mode 100644
index 0000000..de7a3a9
--- /dev/null
+++ b/addons/automatic_updates.sh
@@ -0,0 +1,47 @@
+#!/bin/bash
+
+# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/
+
+# shellcheck disable=2034,2059
+true
+SCRIPT_NAME="Automatic Updates"
+# shellcheck source=lib.sh
+source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+
+print_text_in_color "$ICyan" "Configuring automatic updates..."
+
+# Check for errors + debug code and abort if something isn't right
+# 1 = ON
+# 0 = OFF
+DEBUG=0
+debug_mode
+
+# Check if root
+root_check
+
+msg_box "This option will update your server every week on Saturdays at $AUT_UPDATES_TIME:00.
+The update will run the built in script '$SCRIPTS/update.sh' which will update both the server packages and Nextcloud itself.
+
+You can read more about it here: https://www.techandme.se/nextcloud-update-is-now-fully-automated/
+Please keep in mind that automatic updates might fail hence it's \
+important to have a proper backup in place if you plan to run this option.
+
+You can disable the automatic updates by entering the crontab file like this:
+'sudo crontab -e -u root'
+Then just put a hash (#) in front of the row that you want to disable.
+
+In the next step you will be able to choose to proceed or exit." "$SUBTITLE"
+
+if yesno_box_yes "Do you want to enable automatic updates?"
+then
+ # TODO: delete the following line after a few releases. It was copied to the install-script.
+ nextcloud_occ config:app:set updatenotification notify_groups --value="[]"
+ touch $VMLOGS/update.log
+ crontab -u root -l | { cat; echo "0 $AUT_UPDATES_TIME * * 6 $SCRIPTS/update.sh minor >> $VMLOGS/update.log"; } | crontab -u root -
+ if yesno_box_yes "Do you want to reboot your server after every update? *recommended*"
+ then
+ sed -i "s|exit|/sbin/shutdown -r +1|g" "$SCRIPTS"/update.sh
+ echo "exit" >> "$SCRIPTS"/update.sh
+ fi
+ msg_box "Please remember to keep backups in case something should go wrong, you never know." "$SUBTITLE"
+fi
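Review bot: `sed -i "s|exit|/sbin/shutdown -r +1|g" "$SCRIPTS"/update.sh` rewrites every occurrence of the string `exit` in update.sh, including any `exit 1` in error branches and the word inside messages. A failed update would then schedule a reboot and keep executing instead of stopping. Anchor the pattern to a bare statement, `sed -i 's|^exit$|/sbin/shutdown -r +1|' "$SCRIPTS"/update.sh`, or chain the reboot in the cron entry instead of editing the script. Running this addon twice also appends a second identical crontab line, and the `nextcloud_occ` call looks like a leftover in a WordPress VM.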
diff --git a/addons/cookielifetime.sh b/addons/cookielifetime.sh new file mode 100644 index 0000000..12e58e7 --- /dev/null +++ b/addons/cookielifetime.sh 
@@ -0,0 +1,82 @@ +#!/bin/bash + +# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/ + +# shellcheck disable=2034,2059 +true +SCRIPT_NAME="Set Cookie Lifetime" +# shellcheck source=lib.sh +source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh) + +print_text_in_color "$ICyan" "Configuring Cookie Lifetime timeout..." + +# Check for errors + debug code and abort if something isn't right +# 1 = ON +# 0 = OFF +DEBUG=0 +debug_mode + +# Check if root +root_check + +choice=$(whiptail --title "$TITLE" --menu \ +"Configure the logout time (in seconds) which will forcefully logout \ +the Nextcloud user from the web browser when the timeout is reached. +$MENU_GUIDE\n\n$RUN_LATER_GUIDE" "$WT_HEIGHT" "$WT_WIDTH" 4 \ +"1800s" "30 minutes" \ +"7200s" "2 hours" \ +"43200s" "12 hours" \ +"172800s" "2 days" \ +"604800s" "1 week" \ +"2419200s" "4 weeks" \ +"Custom" "setup a custom time" 3>&1 1>&2 2>&3) + +case "$choice" in + "1800s") + nextcloud_occ config:system:set remember_login_cookie_lifetime --value="1800" + ;; + "7200s") + nextcloud_occ config:system:set remember_login_cookie_lifetime --value="7200" + ;; + "43200s") + nextcloud_occ config:system:set remember_login_cookie_lifetime --value="43200" + ;; + "172800s") + nextcloud_occ config:system:set remember_login_cookie_lifetime --value="172800" + ;; + "604800s") + nextcloud_occ config:system:set remember_login_cookie_lifetime --value="604800" + ;; + "2419200s") + nextcloud_occ config:system:set remember_login_cookie_lifetime --value="2419200" + ;; + "Custom") + while : + do + COOKIE_LIFETIME=$(input_box "Configure the logout time (in seconds) which \ +will forcefully logout the Nextcloud user from the web browser when the timeout is reached. + +Please enter the Cookie Lifetime in seconds, so e.g. 1800 for 30 minutes or 3600 for 1 hour + +You can not set a value below 30 minutes (1800 seconds).") + if ! 
check_if_number "$COOKIE_LIFETIME" + then + msg_box "The value you entered doesn't seem to be a number between 0-9, please enter a valid number." + elif [ "$COOKIE_LIFETIME" -lt "1800" ] + then + msg_box "Please choose a value more than 1800 seconds." + elif ! yesno_box_yes "Is this correct? $COOKIE_LIFETIME seconds" + then + msg_box "It seems like you weren't satisfied with your setting of ($COOKIE_LIFETIME) seconds. Please try again." + else + if nextcloud_occ config:system:set remember_login_cookie_lifetime --value="$COOKIE_LIFETIME" + then + msg_box "Cookie Lifetime is now successfully set to $COOKIE_LIFETIME seconds." + fi + break + fi + done + ;; + *) + ;; +esac diff --git a/addons/locales.sh b/addons/locales.sh new file mode 100644 index 0000000..6391808 --- /dev/null +++ b/addons/locales.sh 
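Review bot: The six fixed-value arms of the `case` repeat the same `nextcloud_occ config:system:set remember_login_cookie_lifetime` call and differ only in the number, which is the menu tag minus its trailing `s`. One arm covers them: `*s) nextcloud_occ config:system:set remember_login_cookie_lifetime --value="${choice%s}" ;;`. In the custom branch the message "Please choose a value more than 1800 seconds." does not match the `-lt "1800"` test, which accepts exactly 1800; say "at least 1800 seconds".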
@@ -0,0 +1,44 @@
+#!/bin/bash
+
+# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/
+
+# shellcheck disable=2034,2059,1091
+true
+SCRIPT_NAME="Locales"
+# shellcheck source=lib.sh
+source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+
+# Check for errors + debug code and abort if something isn't right
+# 1 = ON
+# 0 = OFF
+DEBUG=0
+debug_mode
+
+# Must be root
+root_check
+
+##################################################################
+
+# Set locales
+print_text_in_color "$ICyan" "Setting locales..."
+if [ "$KEYBOARD_LAYOUT" = "us" ]
+then
+ print_text_in_color "$ICyan" "US locales are already set."
+elif [ "$KEYBOARD_LAYOUT" = "se" ]
+then
+ sudo locale-gen "sv_SE.UTF-8" && sudo dpkg-reconfigure --frontend=noninteractive locales
+elif [ "$KEYBOARD_LAYOUT" = "de" ]
+then
+ sudo locale-gen "de_DE.UTF-8" && sudo dpkg-reconfigure --frontend=noninteractive locales
+elif [ "$KEYBOARD_LAYOUT" = "us" ]
+then
+ sudo locale-gen "en_US.UTF-8" && sudo dpkg-reconfigure --frontend=noninteractive locales
+elif [ "$KEYBOARD_LAYOUT" = "fr" ]
+then
+ sudo locale-gen "fr_FR.UTF-8" && sudo dpkg-reconfigure --frontend=noninteractive locales
+elif [ "$KEYBOARD_LAYOUT" = "ch" ]
+then
+ sudo locale-gen "de_CH.UTF-8" && sudo dpkg-reconfigure --frontend=noninteractive locales
+fi
+
+# TODO: "localectl list-x11-keymap-layouts" and pair with "cat /etc/locale.gen | grep UTF-8"
diff --git a/addons/locate_mirror.sh b/addons/locate_mirror.sh
new file mode 100644
index 0000000..67588b6
--- /dev/null
+++ b/addons/locate_mirror.sh
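Review bot: The second `elif [ "$KEYBOARD_LAYOUT" = "us" ]` branch can never run because the first `if` already matches `us`, so this script never generates `en_US.UTF-8`. Any layout outside the list also falls through without a message. Remove the duplicate branch (or the first one, if generating the locale is intended) and end the chain with `else print_text_in_color "$ICyan" "No locale mapping for keyboard layout $KEYBOARD_LAYOUT, keeping the current locale."`. A `case "$KEYBOARD_LAYOUT" in` would read more clearly than the `elif` chain.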
@@ -0,0 +1,58 @@
+#!/bin/bash
+
+# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/
+
+# shellcheck disable=2034,2059
+true
+SCRIPT_NAME="Locate Mirror"
+# shellcheck source=lib.sh
+source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+
+# Must be root
+root_check
+
+# Use another method if the new one doesn't work
+if [ -z "$REPO" ]
+then
+ REPO=$(apt update -q4 && apt-cache policy | grep http | tail -1 | awk '{print $2}')
+fi
+
+# Check where the best mirrors are and update
+msg_box "To make downloads as fast as possible when updating Ubuntu \
+you should have download mirrors that are as close to you as possible.
+
+Please note that there are no gurantees that the download mirrors \
+this script will find are staying up for the lifetime of this server.
+Because of this, we don't recommend to change the mirror, except you live far away from the default mirror.
+
+This is the method used: https://github.com/jblakeman/apt-select"
+msg_box "Your current server repository is: $REPO"
+
+if ! yesno_box_no "Do you want to try to find a better mirror?"
+then
+ print_text_in_color "$ICyan" "Keeping $REPO as mirror..."
+ sleep 1
+else
+ if [[ "$KEYBOARD_LAYOUT" =~ ,|/|_ ]]
+ then
+ msg_box "Your keymap contains more than one language, or a special character. ($KEYBOARD_LAYOUT)
+This script can only handle one keymap at the time.\nThe default mirror ($REPO) will be kept."
+ exit 1
+ fi
+ print_text_in_color "$ICyan" "Locating the best mirrors..."
+ curl_to_dir https://bootstrap.pypa.io get-pip.py /tmp
+ install_if_not python3
+ install_if_not python3-testresources
+ install_if_not python3-distutils
+ cd /tmp && python3 get-pip.py
+ pip install \
+ --upgrade pip \
+ apt-select
+ check_command apt-select -m up-to-date -t 4 -c -C "$KEYBOARD_LAYOUT"
+ sudo cp /etc/apt/sources.list /etc/apt/sources.list.backup && \
+ if [ -f sources.list ]
+ then
+ sudo mv sources.list /etc/apt/
+ fi
+ msg_box "The apt-mirror was successfully changed."
+fi
diff --git a/addons/redis-server-ubuntu.sh b/addons/redis-server-ubuntu.sh
new file mode 100644
index 0000000..923e415
--- /dev/null
+++ b/addons/redis-server-ubuntu.sh
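Review bot: `get-pip.py` is downloaded to `/tmp` under a fixed name and executed from there after `root_check` (`cd /tmp && python3 get-pip.py`), and the generated `sources.list` is picked up from the same world-writable directory before being moved into `/etc/apt/`. Another local account can pre-create those names, so the files that get run or installed are not guaranteed to be the ones this script produced. Work in a private directory instead: `workdir=$(mktemp -d) && cd "$workdir"`, then `curl_to_dir https://bootstrap.pypa.io get-pip.py "$workdir"`, and remove the directory afterwards. The `[ -f sources.list ]` test should also use the full path rather than depend on the current directory.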
@@ -0,0 +1,108 @@ +#!/bin/bash +# shellcheck disable=2034,2059 +true +SCRIPT_NAME="Redis Server Ubuntu" +# shellcheck source=lib.sh +source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh) + +# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/ + +# Check for errors + debug code and abort if something isn't right +# 1 = ON +# 0 = OFF +DEBUG=0 +debug_mode + +# Must be root +root_check + +# Check Ubuntu version +if ! version 16.04 "$DISTRO" 20.04.6 +then + msg_box "Your current Ubuntu version is $DISTRO but must be between 16.04 - 20.04.6 to run this script." + msg_box "Please contact us to get support for upgrading your server: +https://www.hanssonit.se/#contact +https://shop.hanssonit.se/" + exit 1 +fi + +# Check if dir exists +if [ ! -d $SCRIPTS ] +then + mkdir -p $SCRIPTS +fi + +# Check the current PHPVER +check_php + +# Install Redis +install_if_not php"$PHPVER"-dev +pecl channel-update pecl.php.net +if ! yes no | pecl install -Z redis +then + msg_box "PHP module installation failed" +exit 1 +else + printf "${IGreen}\nPHP module installation OK!${Color_Off}\n" +fi +install_if_not redis-server + +# Setting direct to PHP-FPM as it's installed with PECL (globally doesn't work) +print_text_in_color "$ICyan" "Adding extension=redis.so to $PHP_INI..." +echo 'extension=redis.so' >> "$PHP_INI" + +# Prepare for adding redis configuration +sed -i "s|);||g" $NCPATH/config/config.php + +# Add the needed config to Nextclouds config.php +cat <> $NCPATH/config/config.php + 'memcache.local' => '\\OC\\Memcache\\APCu', + 'filelocking.enabled' => true, + 'memcache.distributed' => '\\OC\\Memcache\\Redis', + 'memcache.locking' => '\\OC\\Memcache\\Redis', + 'redis' => + array ( + 'host' => '$REDIS_SOCK', + 'port' => 0, + 'timeout' => 0.5, + 'dbindex' => 0, + 'password' => '$REDIS_PASS', + ), +); +ADD_TO_CONFIG + +## Redis performance tweaks ## +if ! 
grep -Fxq "vm.overcommit_memory = 1" /etc/sysctl.conf +then + echo 'vm.overcommit_memory = 1' >> /etc/sysctl.conf +fi + +# Disable THP +if ! grep -Fxq "never" /sys/kernel/mm/transparent_hugepage/enabled +then + echo "never" > /sys/kernel/mm/transparent_hugepage/enabled +fi + +# Raise TCP backlog +#if ! grep -Fxq "net.core.somaxconn" /proc/sys/net/core/somaxconn +#then +# sed -i "s|net.core.somaxconn.*||g" /etc/sysctl.conf +# sysctl -w net.core.somaxconn=512 +# echo "net.core.somaxconn = 512" >> /etc/sysctl.conf +#fi +sed -i "s|# unixsocket .*|unixsocket $REDIS_SOCK|g" $REDIS_CONF +sed -i "s|# unixsocketperm .*|unixsocketperm 777|g" $REDIS_CONF +sed -i "s|^port.*|port 0|" $REDIS_CONF +sed -i "s|# requirepass .*|requirepass $REDIS_PASS|g" $REDIS_CONF +sed -i 's|# rename-command CONFIG ""|rename-command CONFIG ""|' $REDIS_CONF +redis-cli SHUTDOWN + +# Secure Redis +chown redis:root /etc/redis/redis.conf +chmod 600 /etc/redis/redis.conf + +apt update -q4 & spinner_loading +apt autoremove -y +apt autoclean + +exit diff --git a/addons/security.sh b/addons/security.sh new file mode 100644 index 0000000..e4a23db --- /dev/null +++ b/addons/security.sh 
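Review bot: `unixsocketperm 777` makes the Redis socket connectable by every local account, leaving `requirepass` as the only barrier, and that password is also written in clear text into `config.php`. Prefer `unixsocketperm 770` with the web user added to the `redis` group, e.g. `usermod -a -G redis www-data`, assuming PHP-FPM runs as www-data here. The final `chown redis:root` and `chmod 600` lines hard-code `/etc/redis/redis.conf` while the `sed` edits use `$REDIS_CONF`; use the variable in both places so the restrictive mode lands on the file that holds the password. The THP check `grep -Fxq "never"` is unlikely ever to match, since that sysfs file lists all modes on one line, so the write runs every time.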
@@ -0,0 +1,122 @@ +#!/bin/bash + +# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/ + +# REMOVE disable of SC2154 WHEN PUTTING SPAMHAUS IN PRODUCTION (it's just to fixing travis for now) +# shellcheck disable=2034,2059,SC2154 +true +SCRIPT_NAME="Setup Extra Security" +# shellcheck source=lib.sh +source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh) + +# Check for errors + debug code and abort if something isn't right +# 1 = ON +# 0 = OFF +DEBUG=0 +debug_mode + +# Check if root +root_check + +print_text_in_color "$ICyan" "Installing Extra Security..." + +# Based on: http://www.techrepublic.com/blog/smb-technologist/secure-your-apache-server-from-ddos-slowloris-and-dns-injection-attacks/ + +# Protect against DDOS +apt update -q4 & spinner_loading +apt -y install libapache2-mod-evasive +mkdir -p /var/log/apache2/evasive +chown -R www-data:root /var/log/apache2/evasive +if [ ! -f "$ENVASIVE" ] +then + touch "$ENVASIVE" + cat << ENVASIVE > "$ENVASIVE" +DOSHashTableSize 2048 +DOSPageCount 20 # maximum number of requests for the same page +DOSSiteCount 300 # total number of requests for any object by the same client IP on the same listener +DOSPageInterval 1.0 # interval for the page count threshold +DOSSiteInterval 1.0 # interval for the site count threshold +DOSBlockingPeriod 10.0 # time that a client IP will be blocked for +DOSLogDir +ENVASIVE +fi + +# Protect against Slowloris +#apt -y install libapache2-mod-qos +a2enmod reqtimeout # http://httpd.apache.org/docs/2.4/mod/mod_reqtimeout.html + +# Don't enable SpamHaus now as it's now working anyway +# REMOVE disable of SC2154 WHEN PUTTING SPAMHAUS IN PRODUCTION (it's just to fixing travis for now) +exit + +# Protect against DNS Injection +# Insipired by: https://www.c-rieger.de/nextcloud-13-nginx-installation-guide-for-ubuntu-18-04-lts/#spamhausproject + +# shellcheck disable=SC2016 +DATE='$(date +%Y-%m-%d)' +cat << SPAMHAUS_ENABLE > 
"$SCRIPTS/spamhaus_cronjob.sh" +#!/bin/bash +# Thanks to @ank0m +EXEC_DATE='date +%Y-%m-%d' +SPAMHAUS_DROP="/usr/local/src/drop.txt" +SPAMHAUS_eDROP="/usr/local/src/edrop.txt" +URL="https://www.spamhaus.org/drop/drop.txt" +eURL="https://www.spamhaus.org/drop/edrop.txt" +DROP_ADD_TO_UFW="/usr/local/src/DROP2.txt" +eDROP_ADD_TO_UFW="/usr/local/src/eDROP2.txt" +DROP_ARCHIVE_FILE="/usr/local/src/DROP_{$EXEC_DATE}" +eDROP_ARCHIVE_FILE="/usr/local/src/eDROP_{$EXEC_DATE}" +# All credits for the following BLACKLISTS goes to "The Spamhaus Project" - https://www.spamhaus.org +echo "Start time: $(date)" +echo " " +echo "Download daily DROP file:" +curl -fsSL "$URL" > $SPAMHAUS_DROP +grep -v '^;' $SPAMHAUS_DROP | cut -d ' ' -f 1 > $DROP_ADD_TO_UFW +echo " " +echo "Extract DROP IP addresses and add to UFW:" +cat $DROP_ADD_TO_UFW | while read line +do +/usr/sbin/ufw insert 1 deny from "$line" comment 'DROP_Blacklisted_IPs' +done +echo " " +echo "Downloading eDROP list and import to UFW" +echo " " +echo "Download daily eDROP file:" +curl -fsSL "$eURL" > $SPAMHAUS_eDROP +grep -v '^;' $SPAMHAUS_eDROP | cut -d ' ' -f 1 > $eDROP_ADD_TO_UFW +echo " " +echo "Extract eDROP IP addresses and add to UFW:" +cat $eDROP_ADD_TO_UFW | while read line +do +/usr/sbin/ufw insert 1 deny from "$line" comment 'eDROP_Blacklisted_IPs' +done +echo " " +##### +## To remove or revert these rules, keep the list of IPs! 
+## Run a command like so to remove the rules: +# while read line; do ufw delete deny from $line; done < $ARCHIVE_FILE +##### +echo "Backup DROP IP address list:" +mv $DROP_ADD_TO_UFW $DROP_ARCHIVE_FILE +echo " " +echo "Backup eDROP IP address list:" +mv $eDROP_ADD_TO_UFW $eDROP_ARCHIVE_FILE +echo " " +echo End time: $(date) +SPAMHAUS_ENABLE + +# Make the file executable +chmod +x "$SCRIPTS"/spamhaus_cronjob.sh + +# Add it to crontab +(crontab -l ; echo "10 2 * * * $SCRIPTS/spamhaus_crontab.sh 2>&1") | crontab -u root - + +# Run it for the first time +check_command bash "$SCRIPTS"/spamhaus_cronjob.sh + +# Enable $SPAMHAUS +if sed -i "s|#MS_WhiteList /etc/spamhaus.wl|MS_WhiteList $SPAMHAUS|g" /etc/apache2/mods-enabled/spamhaus.conf +then + print_text_in_color "$IGreen" "Security added!" + restart_webserver +fi diff --git a/addons/smtp-mail.sh b/addons/smtp-mail.sh new file mode 100644 index 0000000..255f941 --- /dev/null +++ b/addons/smtp-mail.sh 
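Review bot: The mod_evasive heredoc puts trailing `# …` comments on the same line as the directives and leaves `DOSLogDir` without a value, although `/var/log/apache2/evasive` is created just above it. Apache's configuration syntax does not allow a comment on a directive line, so these lines are likely to be rejected or misparsed when the file is loaded; move each comment to its own line and write `DOSLogDir /var/log/apache2/evasive`. Everything after the bare `exit` is currently dead code, but two things need fixing before it is enabled. The unquoted `<< SPAMHAUS_ENABLE` delimiter expands `$URL`, `$SPAMHAUS_DROP` and `$(date)` while the cron script is being written (use `<< 'SPAMHAUS_ENABLE'`), and the crontab entry points at `spamhaus_crontab.sh` while the file created is `spamhaus_cronjob.sh`.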
@@ -0,0 +1,270 @@ +#!/bin/bash + +# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/ + +# shellcheck disable=2034,2059 +true +SCRIPT_NAME="SMTP Relay with msmtp" +SCRIPT_EXPLAINER="This script will setup an SMTP Relay (Mail Server) in your Nextcloud Server \ +that will be used to send emails about failed cronjob's and such." +# shellcheck source=lib.sh +source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh) + +# Check for errors + debug code and abort if something isn't right +# 1 = ON +# 0 = OFF +DEBUG=0 +debug_mode + +# Must be root +root_check + +# Check if Smtp Relay was already configured +if ! [ -f /etc/msmtprc ] +then + # Ask for installing + install_popup "$SCRIPT_NAME" +else + # Ask for removal or reinstallation + reinstall_remove_menu "$SCRIPT_NAME" + # Removal + apt-get purge msmtp -y + apt-get purge msmtp-mta -y + apt-get purge mailutils -y + apt autoremove -y + rm -f /etc/mail.rc + rm -f /etc/msmtprc + rm -f /var/log/msmtp + echo "" > /etc/aliases + # Show successful uninstall if applicable + removal_popup "$SCRIPT_NAME" +fi + +# Install needed tools +install_if_not msmtp +install_if_not msmtp-mta +install_if_not mailutils + +# Enter Mail Server +MAIL_SERVER=$(input_box_flow "Please enter the SMTP Relay URL that you want to use.\nE.g. smtp.mail.com") + +# Enter if you want to use ssl +PROTOCOL=$(whiptail --title "$TITLE" --nocancel --menu \ +"Please choose the encryption protocol for your SMTP Relay. 
+$MENU_GUIDE\n\n$RUN_LATER_GUIDE" "$WT_HEIGHT" "$WT_WIDTH" 4 \ +"SSL" "" \ +"STARTTLS" "" \ +"NO-ENCRYPTION" "" 3>&1 1>&2 2>&3) + +if [ -z "$PROTOCOL" ] +then + exit 1 +fi + +case "$PROTOCOL" in + "SSL") + DEFAULT_PORT=465 + ;; + "STARTTLS") + DEFAULT_PORT=587 + ;; + "NO-ENCRYPTION") + DEFAULT_PORT=25 + ;; + *) + ;; +esac + +# Enter custom port or just use the default port +SMTP_PORT=$(whiptail --title "$TITLE" --nocancel --menu \ +"Based on your selection of encryption the default port is $DEFAULT_PORT. Would you like to use that port or something else? +$MENU_GUIDE\n\n$RUN_LATER_GUIDE" "$WT_HEIGHT" "$WT_WIDTH" 4 \ +"Use default port" "($DEFAULT_PORT)" \ +"Enter another port" "" 3>&1 1>&2 2>&3) + +if [ -z "$SMTP_PORT" ] +then + exit 1 +fi + +case "$SMTP_PORT" in + "Use default port") + SMTP_PORT="$DEFAULT_PORT" + ;; + "Enter another port") + SMTP_PORT="$(input_box_flow 'Please enter the port for your SMTP Relay.')" + ;; + *) + ;; +esac + +# Enter your SMTP username +if yesno_box_yes "Does $MAIL_SERVER require any credenitals, like username and password?" +then + MAIL_USERNAME=$(input_box_flow "Please enter the SMTP username to your email provider.\nE.g. you@mail.com") + + # Enter your mailuser password + MAIL_PASSWORD=$(input_box_flow "Please enter the SMTP password to your email provider.") +fi + +# Enter the recipient +RECIPIENT=$(input_box_flow "Please enter the recipient email address that shall receive all mails.\nE.g. recipient@mail.com") + +# Present what we gathered, if everything okay, write to files +msg_box "These are the settings that will be used. Please check that everything seems correct. + +SMTP Relay URL=$MAIL_SERVER +Encryption=$PROTOCOL +SMTP Port=$SMTP_PORT +SMTP Username=$MAIL_USERNAME +SMTP Password=$MAIL_PASSWORD +Recipient=$RECIPIENT" + +# Ask if everything is okay +if ! yesno_box_yes "Does everything look correct?" 
+then + exit +fi + +# Add the encryption settings to the file as well +if [ "$PROTOCOL" = "SSL" ] +then + MSMTP_ENCRYPTION1="tls on" + MSMTP_ENCRYPTION2="tls_starttls off" +elif [ "$PROTOCOL" = "STARTTLS" ] +then + MSMTP_ENCRYPTION1="tls on" + MSMTP_ENCRYPTION2="tls_starttls on" +elif [ "$PROTOCOL" = "NO-ENCRYPTION" ] +then + MSMTP_ENCRYPTION1="tls off" + MSMTP_ENCRYPTION2="tls_starttls off" +fi + +# Check if auth should be set or not +if [ -z "$MAIL_USERNAME" ] +then + MAIL_USERNAME="no-reply@nextcloudvm.com" + +# Without AUTH (Username and Password) +cat << MSMTP_CONF > /etc/msmtprc +# Set default values for all following accounts. +defaults +auth off +aliases /etc/aliases +$MSMTP_ENCRYPTION1 +$MSMTP_ENCRYPTION2 + +tls_trust_file /etc/ssl/certs/ca-certificates.crt +# logfile /var/log/msmtp + +# Account to send emails +account $MAIL_USERNAME +host $MAIL_SERVER +port $SMTP_PORT +from $MAIL_USERNAME + +account default : $MAIL_USERNAME + +### DO NOT REMOVE THIS LINE (it's used in one of the functions in on the Nextcloud Server) +# recipient=$RECIPIENT +MSMTP_CONF +else +# With AUTH (Username and Password) +cat << MSMTP_CONF > /etc/msmtprc +# Set default values for all following accounts. 
+defaults +auth on +aliases /etc/aliases +$MSMTP_ENCRYPTION1 +$MSMTP_ENCRYPTION2 + +tls_trust_file /etc/ssl/certs/ca-certificates.crt +logfile /var/log/msmtp + +# Account to send emails +account $MAIL_USERNAME +host $MAIL_SERVER +port $SMTP_PORT +from $MAIL_USERNAME +user $MAIL_USERNAME +password $MAIL_PASSWORD + +account default : $MAIL_USERNAME + +### DO NOT REMOVE THIS LINE (it's used in one of the functions in on the Nextcloud Server) +# recipient=$RECIPIENT + +MSMTP_CONF +fi + +# Secure the file +chmod 600 /etc/msmtprc + +# Create logs +rm -f /var/log/msmtp +touch /var/log/msmtp +chmod 666 /var/log/msmtp + +# Create aliases +cat << ALIASES_CONF > /etc/aliases +root: $RECIPIENT +default: $RECIPIENT +cron: $RECIPIENT +ALIASES_CONF + +# Store message in a variable +TEST_MAIL="Congratulations! + +Since this email reached you, it seems like everything is working properly. :) + +To change the settings please check /etc/msmtprc on your server, or simply just run the setup script again. + +YOUR CURRENT SETTINGS: +------------------------------------------- +$(grep -v password /etc/msmtprc) +------------------------------------------- + +Best regards +The NcVM team +https://nextcloudvm.com" + +# Define the mail-program +echo 'set sendmail="/usr/bin/msmtp -t"' > /etc/mail.rc + +# Test mail +if ! echo -e "$TEST_MAIL" | mail -s "Test email from your NcVM" "$RECIPIENT" >> /var/log/msmtp 2>&1 +then + # Test another version + echo 'set sendmail="/usr/bin/msmtp"' > /etc/mail.rc + + # Second try + if ! echo -e "$TEST_MAIL" | mail -s "Test email from your NcVM" "$RECIPIENT" >> /var/log/msmtp 2>&1 + then + # Fail message + msg_box "It seems like something has failed. +You can look at /var/log/msmtp for further logs. +Please run this script once more if you want to make another try." 
+ + # Let the user decide if configs/packets shall get resetted/uninstalled + if yesno_box_yes "Do you want to reset all configs and uninstall all packets \ +that were made/installed by this script so that you keep a clean system? +This will make debugging more complicated since you will only have the log file to debug this." + then + apt-get purge msmtp -y + apt-get purge msmtp-mta -y + apt-get purge mailutils -y + apt autoremove -y + rm -f /etc/mail.rc + rm -f /etc/msmtprc + echo "" > /etc/aliases + msg_box "Uninstallation of MSMTP was successfully done" + fi + exit 1 + fi +fi + +# Success message +msg_box "Congratulations, the test email was successfully sent! +Please check the inbox for $RECIPIENT. The test email should arrive soon." +exit diff --git a/menu/additional_apps.sh b/menu/additional_apps.sh new file mode 100644 index 0000000..004998b --- /dev/null +++ b/menu/additional_apps.sh 
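Review bot: `/etc/msmtprc` is written by the `cat << MSMTP_CONF > /etc/msmtprc` heredoc with the SMTP password already in it and only restricted afterwards by `chmod 600`, so for a short window the file exists with whatever the default umask allows. Creating it with its final mode first closes that gap, for example `install -m 600 /dev/null /etc/msmtprc` ahead of both heredocs. The confirmation `msg_box` also shows `SMTP Password=$MAIL_PASSWORD` in clear text, so masking that line would keep the secret out of the terminal and any session recording. `chmod 666 /var/log/msmtp` leaves the log writable by every local user; if that is required for non-root senders, a comment saying so would help the next reader.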
@@ -0,0 +1,119 @@ +#!/bin/bash + +# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/ + +# shellcheck disable=2034,2059 +true +SCRIPT_NAME="Additional Apps Menu" +# shellcheck source=lib.sh +source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh) + +# Check for errors + debug code and abort if something isn't right +# 1 = ON +# 0 = OFF +DEBUG=0 +debug_mode + +# Must be root +root_check + +# Set the startup switch +if [ -f "$SCRIPTS/nextcloud-startup-script.sh" ] +then + STARTUP_SWITCH="ON" +else + STARTUP_SWITCH="OFF" +fi + +# Show a msg_box during the startup script +if [ -f "$SCRIPTS/nextcloud-startup-script.sh" ] +then + msg_box "In the next step, you will be offered to easily install apps that are made to enhance your server and experiance. +We have pre-selected apps that we recommend for any installation. + +PLEASE NOTE: For stability reasons you should *not* select apps just for the sake of it. +It's better to run: sudo bash $SCRIPTS/menu.sh when the first setup is complete, and after you've made a snapshot/backup of the server." 
+fi + +# Install Apps +choice=$(whiptail --title "$TITLE" --checklist \ +"Which apps do you want to install?\n\nAutomatically configure and install selected apps +$CHECKLIST_GUIDE\n\n$RUN_LATER_GUIDE" "$WT_HEIGHT" "$WT_WIDTH" 4 \ +"Documentserver" "(OnlyOffice or Collabora - Docker or Integrated)" OFF \ +"Bitwarden" "(External password manager)" OFF \ +"Fail2ban " "(Extra Bruteforce protection)" "$STARTUP_SWITCH" \ +"Adminer" "(PostgreSQL GUI)" OFF \ +"Netdata" "(Real-time server monitoring in Web GUI)" OFF \ +"BPYTOP" "(Real-time server monitoring in CLI)" OFF \ +"Midnight Commander" "(CLI file manager)" OFF \ +"FullTextSearch" "(Elasticsearch for Nextcloud [2GB RAM])" OFF \ +"PreviewGenerator" "(Pre-generate previews for Nextcloud)" "$STARTUP_SWITCH" \ +"LDAP" "(Windows Active directory for Nextcloud)" OFF \ +"Talk" "(Video calls and chat for Nextcloud)" OFF \ +"Webmin" "(Server GUI like Cpanel)" "$STARTUP_SWITCH" \ +"SMB-mount" "(Mount SMB-shares from your local network)" OFF 3>&1 1>&2 2>&3) + +case "$choice" in + *"Documentserver"*) + print_text_in_color "$ICyan" "Downloading the Documentserver Menu..." + run_script MENU documentserver + ;;& + *"Bitwarden"*) + print_text_in_color "$ICyan" "Downloading the Bitwarden Menu..." + run_script MENU bitwarden_menu + ;;& + *"Fail2ban "*) + print_text_in_color "$ICyan" "Downloading the Fail2ban Menu..." + run_script MENU fail2ban_menu + ;;& + *"Adminer"*) + print_text_in_color "$ICyan" "Downloading the Adminer script..." + run_script APP adminer + ;;& + *"Netdata"*) + print_text_in_color "$ICyan" "Downloading the Netdata script..." + run_script APP netdata + ;;& + *"BPYTOP"*) + print_text_in_color "$ICyan" "Downloading the BPYTOP script..." + run_script APP bpytop + ;;& + *"Midnight Commander"*) + print_text_in_color "$ICyan" "Downloading the Midnight Commander script..." + run_script APP midnight-commander + ;;& + *"FullTextSearch"*) + print_text_in_color "$ICyan" "Downloading the FullTextSearch script..." 
+ run_script APP fulltextsearch + ;;& + *"PreviewGenerator"*) + print_text_in_color "$ICyan" "Downloading the PreviewGenerator script..." + run_script APP previewgenerator + ;;& + *"LDAP"*) + SUBTITLE="LDAP" + print_text_in_color "$ICyan" "Installing LDAP..." + if install_and_enable_app user_ldap + then + msg_box "LDAP installed! Please visit https://subdomain.yourdomain.com/settings/admin/ldap \ +to finish the setup once this script is done." "$SUBTITLE" + else + msg_box "LDAP installation failed." "$SUBTITLE" + fi + ;;& + *"Talk"*) + print_text_in_color "$ICyan" "Downloading the Talk script..." + run_script APP talk + ;;& + *"Webmin"*) + print_text_in_color "$ICyan" "Downloading the Webmin script..." + run_script APP webmin + ;;& + *"SMB-mount"*) + print_text_in_color "$ICyan" "Downloading the SMB-mount script..." + run_script APP smbmount + ;;& + *) + ;; +esac +exit diff --git a/menu/bitwarden_menu.sh b/menu/bitwarden_menu.sh new file mode 100644 index 0000000..dac175e --- /dev/null +++ b/menu/bitwarden_menu.sh 
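Review bot: The bootstrap line `source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)` executes whatever the `master` branch serves at run time, in a script that then requires root through `root_check`. The same line opens every script added in this patch (redis, security, smtp-mail and all the menu files). Without `-f`, curl also passes an HTTP error body to `source` as if it were shell. Pinning the fallback to a reviewed commit and refusing error responses would narrow this, e.g. `source <(curl -fsSL https://raw.githubusercontent.com/nextcloud/vm/<PINNED_COMMIT>/lib.sh)`, ideally with a checksum comparison before sourcing. `fetch_lib.sh` is not part of this hunk, so whether it already verifies anything cannot be told from here.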
@@ -0,0 +1,61 @@ +#!/bin/bash + +# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/ + +# shellcheck disable=2034,2059 +true +SCRIPT_NAME="Bitwarden Menu" +# shellcheck source=lib.sh +source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh) + +# Check for errors + debug code and abort if something isn't right +# 1 = ON +# 0 = OFF +DEBUG=0 +debug_mode + +# Must be root +root_check + +# Set the startup switch +if [ -f "$SCRIPTS/nextcloud-startup-script.sh" ] +then + STARTUP_SWITCH="ON" +else + STARTUP_SWITCH="OFF" +fi + +choice=$(whiptail --title "$TITLE" --checklist \ +"Automatically configure and install the Bitwarden or configure some aspects of it. +$CHECKLIST_GUIDE\n\n$RUN_LATER_GUIDE" "$WT_HEIGHT" "$WT_WIDTH" 4 \ +"Bitwarden " "(External password manager [4GB RAM] - subdomain required)" OFF \ +"Bitwarden Registration" "(Enable or disable public user registration for Bitwarden)" OFF \ +"Bitwarden Mail-Configuration" "(Configure the mailserver settings for Bitwarden)" OFF \ +"Bitwarden-RS " "(Unofficial Bitwarden password manager - subdomain required)" OFF \ +"Bitwarden-RS Admin-panel" "(Enable or disable the admin-panel for Bitwarden-RS)" OFF 3>&1 1>&2 2>&3) + +case "$choice" in + *"Bitwarden "*) + print_text_in_color "$ICyan" "Downloading the Bitwarden script..." + run_script APP tmbitwarden + ;;& + *"Bitwarden Registration"*) + print_text_in_color "$ICyan" "Downloading the Bitwarden Registration script..." + run_script APP bitwarden_registration + ;;& + *"Bitwarden Mail-Configuration"*) + print_text_in_color "$ICyan" "Downloading the Bitwarden Mailconfig script..." + run_script APP bitwarden_mailconfig + ;;& + *"Bitwarden-RS "*) + print_text_in_color "$ICyan" "Downloading the Bitwarden-RS script..." + run_script APP bitwarden-rs + ;;& + *"Bitwarden-RS Admin-panel"*) + print_text_in_color "$ICyan" "Downloading the Bitwarden-RS Admin-panel script..." 
+ run_script APP bitwarden-rs_admin-panel + ;;& + *) + ;; +esac +exit diff --git a/menu/documentserver.sh b/menu/documentserver.sh new file mode 100644 index 0000000..761dae9 --- /dev/null +++ b/menu/documentserver.sh @@ -0,0 +1,48 @@ +#!/bin/bash + +# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/ + +# shellcheck disable=2034,2059 +true +SCRIPT_NAME="Documentserver Menu" +# shellcheck source=lib.sh +source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh) + +# Check for errors + debug code and abort if something isn't right +# 1 = ON +# 0 = OFF +DEBUG=0 +debug_mode + +# Must be root +root_check + +choice=$(whiptail --title "$TITLE" --menu \ +"Which Documentserver do you want to install?\n\nAutomatically configure and install the selected Documentserver. +$MENU_GUIDE\n\n$RUN_LATER_GUIDE" "$WT_HEIGHT" "$WT_WIDTH" 4 \ +"Collabora (Docker)" "(Online editing - Extra Subdomain required)" \ +"Collabora (Integrated)" "(Online editing - No Subdomain required)" \ +"OnlyOffice (Docker)" "(Online editing - Extra Subdomain required)" \ +"OnlyOffice (Integrated)" "(Online editing - No Subdomain required)" 3>&1 1>&2 2>&3) + +case "$choice" in + "Collabora (Docker)") + print_text_in_color "$ICyan" "Downloading the Collabora (Docker) script..." + run_script APP collabora_docker + ;; + "Collabora (Integrated)") + print_text_in_color "$ICyan" "Downloading the Collabora (Integrated) script..." + run_script APP collabora_integrated + ;; + "OnlyOffice (Docker)") + print_text_in_color "$ICyan" "Downloading the OnlyOffice (Docker) script..." + run_script APP onlyoffice_docker + ;; + "OnlyOffice (Integrated)") + print_text_in_color "$ICyan" "Downloading the OnlyOffice (Integrated) script..." + run_script APP onlyoffice_integrated + ;; + *) + ;; +esac +exit diff --git a/menu/fail2ban_menu.sh b/menu/fail2ban_menu.sh new file mode 100644 index 0000000..9f2b75b --- /dev/null +++ b/menu/fail2ban_menu.sh 
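Review bot: The case arms in bitwarden_menu.sh match substrings of the checklist result and fall through with `;;&`, so `*"Bitwarden "*` also matches a selection of only "Bitwarden Registration" or "Bitwarden Mail-Configuration", and `*"Bitwarden-RS "*` also matches "Bitwarden-RS Admin-panel". Choosing one of the configuration entries alone would therefore start the corresponding install script as well. This reading assumes the tags are spaced as rendered on this page, where runs of whitespace may have been collapsed. Anchoring on the quotes whiptail normally prints around each tag, e.g. `*'"Bitwarden "'*`, or switching to `--separate-output` and comparing whole lines, would make each arm match exactly one entry.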
@@ -0,0 +1,52 @@ +#!/bin/bash + +# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/ + +# shellcheck disable=2034,2059 +true +SCRIPT_NAME="Fail2ban Menu" +# shellcheck source=lib.sh +source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh) + +# Check for errors + debug code and abort if something isn't right +# 1 = ON +# 0 = OFF +DEBUG=0 +debug_mode + +# Must be root +root_check + +# Set the startup switch +if [ -f "$SCRIPTS/nextcloud-startup-script.sh" ] +then + STARTUP_SWITCH="ON" +else + STARTUP_SWITCH="OFF" +fi + +choice=$(whiptail --title "$TITLE" --checklist \ +"Automatically install and configure Fail2ban. +$CHECKLIST_GUIDE\n\n$RUN_LATER_GUIDE" "$WT_HEIGHT" "$WT_WIDTH" 4 \ +"Install-Fail2ban" "(Install Fail2ban and protect Nextcloud + SSH)" "$STARTUP_SWITCH" \ +"Fail2ban-Statuscheck" "(Check status of currently blocked attacks)" OFF 3>&1 1>&2 2>&3) + +case "$choice" in + *"Install-Fail2ban"*) + print_text_in_color "$ICyan" "Downloading the Fail2ban install script..." + run_script APP fail2ban + ;;& + *"Fail2ban-Statuscheck"*) + SUBTITLE="Fail2ban Statuscheck" + if is_this_installed fail2ban && [ -f "/etc/fail2ban/filter.d/nextcloud.conf" ] + then + msg_box "$(fail2ban-client status nextcloud && fail2ban-client status sshd && iptables -L -n)" "$SUBTITLE" + else + msg_box "Fail2ban isn't installed. Please run 'sudo bash /var/scripts/menu.sh' to install it." "$SUBTITLE" + fi + ;;& + *) + ;; +esac +exit + diff --git a/menu/main_menu.sh b/menu/main_menu.sh new file mode 100644 index 0000000..dc39b95 --- /dev/null +++ b/menu/main_menu.sh 
@@ -0,0 +1,63 @@ +#!/bin/bash + +# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/ + +# shellcheck disable=2034,2059,1091 +true +SCRIPT_NAME="Main Menu" +# shellcheck source=lib.sh +source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh) + +# Check for errors + debug code and abort if something isn't right +# 1 = ON +# 0 = OFF +DEBUG=0 +debug_mode + +# Must be root +root_check + +################################################################## + +# Main menu +choice=$(whiptail --title "$TITLE" --menu \ +"Choose what you want to do. +$MENU_GUIDE\n\n$RUN_LATER_GUIDE" "$WT_HEIGHT" "$WT_WIDTH" 4 \ +"Additional Apps" "(Choose which apps to install)" \ +"Nextcloud Configuration" "(Choose between available Nextcloud configurations)" \ +"Startup Configuration" "(Choose between available startup configurations)" \ +"Server Configuration" "(Choose between available server configurations)" \ +"Update Nextcloud" "(Update Nextcloud to the latest release)" 3>&1 1>&2 2>&3) + +case "$choice" in + "Additional Apps") + print_text_in_color "$ICyan" "Downloading the Additional Apps Menu..." + run_script MENU additional_apps + ;; + "Nextcloud Configuration") + print_text_in_color "$ICyan" "Downloading the Nextcloud Configuration Menu..." + run_script MENU nextcloud_configuration + ;; + "Startup Configuration") + print_text_in_color "$ICyan" "Downloading the Startup Configuration Menu..." + run_script MENU startup_configuration + ;; + "Server Configuration") + print_text_in_color "$ICyan" "Downloading the Server Configuration Menu..." + run_script MENU server_configuration + ;; + "Update Nextcloud") + if [ -f "$SCRIPTS"/update.sh ] + then + bash "$SCRIPTS"/update.sh + else + print_text_in_color "$ICyan" "Downloading the Update script..." + download_script STATIC update + chmod +x "$SCRIPTS"/update.sh + bash "$SCRIPTS"/update.sh + fi + ;; + *) + ;; +esac +exit 
diff --git a/menu/menu.sh b/menu/menu.sh new file mode 100644 index 0000000..4670cc5 --- /dev/null +++ b/menu/menu.sh @@ -0,0 +1,31 @@ +#!/bin/bash + +# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/ + +# shellcheck disable=2034,2059,1091 +true +SCRIPT_NAME="Main Menu" +# shellcheck source=lib.sh +source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh) + +# Check for errors + debug code and abort if something isn't right +# 1 = ON +# 0 = OFF +DEBUG=0 +debug_mode + +# Must be root +root_check + +################################################################## + +mkdir -p "$SCRIPTS" +print_text_in_color "$ICyan" "Running the main menu script..." + +if network_ok +then + # Delete, download, run + run_script MENU main_menu +fi + +exit diff --git a/menu/nextcloud_configuration.sh b/menu/nextcloud_configuration.sh new file mode 100644 index 0000000..b3eca80 --- /dev/null +++ b/menu/nextcloud_configuration.sh 
@@ -0,0 +1,121 @@ +#!/bin/bash + +# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/ + +# shellcheck disable=2034,2059 +true +SCRIPT_NAME="Nextcloud Configuration Menu" +# shellcheck source=lib.sh +source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh) + +# Get all needed variables from the library +nc_update + +# Check for errors + debug code and abort if something isn't right +# 1 = ON +# 0 = OFF +DEBUG=0 +debug_mode + +# Must be root +root_check + +# Set the startup switch +if [ -f "$SCRIPTS/nextcloud-startup-script.sh" ] +then + STARTUP_SWITCH="ON" +else + STARTUP_SWITCH="OFF" +fi + +# Configure Nextcloud +choice=$(whiptail --title "$TITLE" --checklist \ +"Which settings do you want to configure? +$CHECKLIST_GUIDE\n\n$RUN_LATER_GUIDE" "$WT_HEIGHT" "$WT_WIDTH" 4 \ +"CookieLifetime" "(Configure forced logout timeout for users using the web GUI)" OFF \ +"Share-folder" "(Shares from other users will appear in a folder named 'Shared')" OFF \ +"Disable workspaces" "(disable top notes in GUI)" OFF \ +"Disable user flows" "(Disable user settings for Nextcloud Flow)" OFF \ +"Enable logrotate" "(Use logrotate to keep more Nextcloud logs)" OFF 3>&1 1>&2 2>&3) + +case "$choice" in + *"CookieLifetime"*) + print_text_in_color "$ICyan" "Downloading the CookieLifetime script..." + run_script ADDONS cookielifetime + ;;& + *"Share-folder"*) + SUBTITLE="Share-folder" + msg_box "This option will make all Nextcloud shares from \ +other users appear in a folder named 'Shared' in the Nextcloud GUI. + +If you don't enable this option, all shares will appear directly in \ +the Nextcloud GUI root folder, which is the default behaviour." "$SUBTITLE" + if yesno_box_yes "Do you want to enable this option?" "$SUBTITLE" + then + nextcloud_occ config:system:set share_folder --value="/Shared" + msg_box "All new Nextcloud shares from other \ +users will appear in the 'Shared' folder from now on." 
"$SUBTITLE" + fi + ;;& + *"Disable workspaces"*) + SUBTITLE="Disable workspaces" + msg_box "This option will will disable a feature named 'rich workspaces'. \ +It will disable the top notes in GUI." "$SUBTITLE" + if yesno_box_yes "Do you want to disable rich workspaces?" "$SUBTITLE" + then + # Check if text is enabled + if ! is_app_enabled text + then + msg_box "The text app isn't enabled - unable to disable rich workspaces." "$SUBTITLE" + sleep 1 + else + # Disable workspaces + nextcloud_occ config:app:set text workspace_available --value=0 + msg_box "Rich workspaces are now disabled." "$SUBTITLE" + fi + fi + ;;& + *"Disable user flows"*) + SUBTITLE="Disable user flows" + # Greater than 18.0.3 is 18.0.4 which is required + if version_gt "$CURRENTVERSION" "18.0.3" + then + msg_box "This option will disable the with Nextcloud 18 introduced user flows. \ +It will disable the user flow settings. Admin flows will continue to work." "$SUBTITLE" + if yesno_box_yes "Do you want to disable user flows?" "$SUBTITLE" + then + nextcloud_occ config:app:set workflowengine user_scope_disabled --value yes + msg_box "User flow settings are now disabled." "$SUBTITLE" + fi + else + msg_box "'Disable user flows' is only available on Nextcloud 18.0.4 and above. +Please upgrade by running 'sudo bash /var/scripts/update.sh'" "$SUBTITLE" + sleep 1 + fi + ;;& + *"Enable logrotate"*) + SUBTITLE="Enable logrotate" + msg_box "This option enables logrotate for Nextcloud logs to keep all logs for 10 days" "$SUBTITLE" + if yesno_box_yes "Do you want to enable logrotate for Nextcloud logs?" 
"$SUBTITLE" + then + # Set logrotate (without size restriction) + nextcloud_occ config:system:set log_rotate_size --value=0 + + # Configure logrotate to rotate logs for us (max 10, every day a new one) + cat << NEXTCLOUD_CONF > /etc/logrotate.d/nextcloud.log.conf +$VMLOGS/nextcloud.log { +daily +rotate 10 +} +NEXTCLOUD_CONF + + # Set needed ownerchip for the nextcloud log folder to work correctly + chown www-data:www-data "${VMLOGS}"/ + + msg_box "Logrotate was successfully enabled." "$SUBTITLE" + fi + ;;& + *) + ;; +esac +exit diff --git a/menu/server_configuration.sh b/menu/server_configuration.sh new file mode 100644 index 0000000..5f7d3fe --- /dev/null +++ b/menu/server_configuration.sh 
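Review bot: The stanza written to `/etc/logrotate.d/nextcloud.log.conf` makes logrotate, which normally runs as root, rotate files inside `$VMLOGS`, and the next command gives that directory to `www-data`. Rotating as root in a directory controlled by an unprivileged account is the case logrotate's `su` directive exists for. Adding `su www-data www-data` inside the braces would make the rotation run with the web server's identity, and `missingok` would keep the daily run quiet before the first log is written. Separately, `nc_update` is called before `root_check` in this script, unlike the other menus, which looks unintended.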
@@ -0,0 +1,117 @@ +#!/bin/bash + +# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/ + +# shellcheck disable=2034,2059 +true +SCRIPT_NAME="Server Configuration Menu" +# shellcheck source=lib.sh +source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh) + +# Check for errors + debug code and abort if something isn't right +# 1 = ON +# 0 = OFF +DEBUG=0 +debug_mode + +# Must be root +root_check + +# Set the correct switch for activate_tls +if [ -f $SCRIPTS/activate-tls.sh ] +then + ACTIVATE_TLS_SWITCH="ON" +else + ACTIVATE_TLS_SWITCH="OFF" +fi + +# Set the startup switch +if [ -f "$SCRIPTS/nextcloud-startup-script.sh" ] +then + STARTUP_SWITCH="ON" +else + STARTUP_SWITCH="OFF" +fi + +# Show a msg_box during the startup script +if [ -f "$SCRIPTS/nextcloud-startup-script.sh" ] +then + msg_box "In the next step, you will be offered to easily install different configurations that are made to enhance your server and experiance. +We have pre-selected some choices that we recommend for any installation. + +PLEASE NOTE: For stability reasons you should *not* select everything just for the sake of it. +It's better to run: sudo bash $SCRIPTS/menu.sh when the first setup is complete, and after you've made a snapshot/backup of the server." 
+fi + +# Server configurations +choice=$(whiptail --title "$TITLE" --checklist \ +"Choose what you want to configure +$CHECKLIST_GUIDE\n\n$RUN_LATER_GUIDE" "$WT_HEIGHT" "$WT_WIDTH" 4 \ +"Static IP" "(Set static IP in Ubuntu with netplan.io)" OFF \ +"Security" "(Add extra security based on this http://goo.gl/gEJHi7)" OFF \ +"DDclient Configuration" "(Use ddclient for automatic DDNS updates)" OFF \ +"Activate TLS" "(Enable HTTPS with Let's Encrypt)" "$ACTIVATE_TLS_SWITCH" \ +"GeoBlock" "(Only allow certain countries to access your server)" OFF \ +"Automatic updates" "(Automatically update your server every week on Sundays)" OFF \ +"SMTP Mail" "(Enable beeing notified by mail from your server)" OFF \ +"Disk Check" "(Check for S.M.A.R.T errors on your disks every week on Mondays)" OFF 3>&1 1>&2 2>&3) + +case "$choice" in + *"Static IP"*) + print_text_in_color "$ICyan" "Downloading the Static IP script..." + run_script NETWORK static_ip + ;;& + *"Security"*) + print_text_in_color "$ICyan" "Downloading the Security script..." + run_script ADDONS security + ;;& + *"DDclient Configuration"*) + print_text_in_color "$ICyan" "Downloading the DDclient Configuration script..." + run_script NETWORK ddclient-configuration + ;;& + *"Activate TLS"*) + SUBTITLE="Activate TLS" + msg_box "The following script will install a trusted +TLS certificate through Let's Encrypt. +It's recommended to use TLS (https) together with Nextcloud. +Please open port 80 and 443 to this servers IP before you continue. +More information can be found here: +https://www.techandme.se/open-port-80-443/" "$SUBTITLE" + + if yesno_box_yes "Do you want to install TLS?" "$SUBTITLE" + then + if [ -f $SCRIPTS/activate-tls.sh ] + then + bash $SCRIPTS/activate-tls.sh + else + print_text_in_color "$ICyan" "Downloading the Let's Encrypt script..." 
+ download_script LETS_ENC activate-tls + bash $SCRIPTS/activate-tls.sh + fi + else + msg_box "OK, but if you want to run it later, just type: sudo bash $SCRIPTS/activate-tls.sh" "$SUBTITLE" + fi + + # Just make sure it is gone + rm -f "$SCRIPTS/test-new-config.sh" + ;;& + *"GeoBlock"*) + print_text_in_color "$ICyan" "Downloading the Geoblock script..." + run_script NETWORK geoblock + ;;& + *"Automatic updates"*) + print_text_in_color "$ICyan" "Downloading the Automatic Updates script..." + run_script ADDONS automatic_updates + ;;& + *"SMTP Mail"*) + print_text_in_color "$ICyan" "Downloading the SMTP Mail script..." + run_script ADDONS smtp-mail + ;;& + *"Disk Check"*) + print_text_in_color "$ICyan" "Downloading the Disk Check script..." + run_script DISK smartctl + ;;& + *) + ;; +esac +exit diff --git a/menu/startup_configuration.sh b/menu/startup_configuration.sh new file mode 100644 index 0000000..33978c0 --- /dev/null +++ b/menu/startup_configuration.sh 
@@ -0,0 +1,129 @@ +#!/bin/bash + +# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/ + +# shellcheck disable=2034,2059 +true +SCRIPT_NAME="Startup Configuration Menu" +# shellcheck source=lib.sh +source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh) + +# Check for errors + debug code and abort if something isn't right +# 1 = ON +# 0 = OFF +DEBUG=0 +debug_mode + +# Update the lib once during the startup script +# TODO: delete this again e.g. with NC 20.0.1 +download_script GITHUB_REPO lib + +# Must be root +root_check + +# Get the correct keyboard layout switch +if [ "$KEYBOARD_LAYOUT" = "us" ] +then + KEYBOARD_LAYOUT_SWITCH="ON" +else + KEYBOARD_LAYOUT_SWITCH="OFF" +fi + +# Get the correct timezone switch +if [ "$(cat /etc/timezone)" = "Etc/UTC" ] +then + TIMEZONE_SWITCH="ON" +else + TIMEZONE_SWITCH="OFF" +fi + +# Get the correct apt-mirror +if [ "$REPO" = 'http://archive.ubuntu.com/ubuntu' ] +then + MIRROR_SWITCH="ON" +else + MIRROR_SWITCH="OFF" +fi + +# Show a msg_box during the startup script +if [ -f "$SCRIPTS/nextcloud-startup-script.sh" ] +then + msg_box "Running a server, it's important that certain things are correct. +In the following menu you will be asked to setup the most basic stuff of your server. + +The script is smart, and have already pre-selected the values that you'd want to change based on the current settings." +fi + +# Startup configurations +choice=$(whiptail --title "$TITLE" --checklist \ +"Choose what you want to change. +$CHECKLIST_GUIDE\n\n$RUN_LATER_GUIDE" "$WT_HEIGHT" "$WT_WIDTH" 4 \ +"Keyboard Layout" "(Change the keyboard layout from '$KEYBOARD_LAYOUT')" "$KEYBOARD_LAYOUT_SWITCH" \ +"Timezone" "(Change the timezone from $(cat /etc/timezone))" "$TIMEZONE_SWITCH" \ +"Locate Mirror" "(Change the apt-mirror from $REPO)" OFF 3>&1 1>&2 2>&3) + +case "$choice" in + *"Keyboard Layout"*) + SUBTITLE="Keyboard Layout" + msg_box "Current keyboard layout is $KEYBOARD_LAYOUT." 
"$SUBTITLE" + if ! yesno_box_yes "Do you want to change keyboard layout?" "$SUBTITLE" + then + print_text_in_color "$ICyan" "Not changing keyboard layout..." + sleep 1 + else + # Change layout + dpkg-reconfigure keyboard-configuration + setupcon --force + # Set locales + run_script ADDONS locales + input_box "Please try out all buttons (e.g: @ # \$ : y n) \ +to find out if the keyboard settings were correctly applied. +If the keyboard is still wrong, you will be offered to reboot the server in the next step. + +Please continue by hitting [ENTER]" "$SUBTITLE" >/dev/null + if ! yesno_box_yes "Did the keyboard work as expected??\n\nIf you choose 'No' \ +the server will be rebooted. After the reboot, please login as usual and run this script again." "$SUBTITLE" + then + reboot + fi + fi + ;;& + *"Timezone"*) + SUBTITLE="Timezone" + msg_box "Current timezone is $(cat /etc/timezone)" "$SUBTITLE" + if ! yesno_box_yes "Do you want to change the timezone?" "$SUBTITLE" + then + print_text_in_color "$ICyan" "Not changing timezone..." + sleep 1 + else + if dpkg-reconfigure tzdata + then + # Change timezone in php and logging if the startup script not exists + if ! [ -f "$SCRIPTS/nextcloud-startup-script.sh" ] + then + # Change timezone in PHP + sed -i "s|;date.timezone.*|date.timezone = $(cat /etc/timezone)|g" "$PHP_INI" + + # Change timezone for logging + nextcloud_occ config:system:set logtimezone --value="$(cat /etc/timezone)" + msg_box "The timezone was changed successfully." "$SUBTITLE" + fi + fi + fi + ;;& + *"Locate Mirror"*) + SUBTITLE="apt-mirror" + msg_box "Current apt-mirror is $REPO" "$SUBTITLE" + if ! yesno_box_yes "Do you want to change the apt-mirror?" "$SUBTITLE" + then + print_text_in_color "$ICyan" "Not changing the apt-mirror..." + sleep 1 + else + print_text_in_color "$ICyan" "Downloading the Locate Mirror script..." + run_script ADDONS locate_mirror + fi + ;;& + *) + ;; +esac +exit 
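Review bot: The fallback `source <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)` near the top of this new file executes whatever the moving `master` branch serves, in a script that then insists on root via `root_check`, with no integrity check. Without `-f`, an HTTP error body is handed to `source` as well. It also points at nextcloud/vm, while patch 07/86 of this series moves fetch_lib.sh to techandme/wordpress-vm, so the primary and fallback paths can load different libraries. I would use `source <(curl -sfL https://raw.githubusercontent.com/techandme/wordpress-vm/<pinned-commit>/lib.sh)`, or better, download to a file and verify a checksum before sourcing. The same line is added in network/ddclient-configuration.sh, network/geoblock.sh, network/static_ip.sh, network/trusted.sh, apps/adminer.sh, apps/fail2ban.sh and apps/webmin.sh.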
diff --git a/network/ddclient-configuration.sh b/network/ddclient-configuration.sh new file mode 100644 index 0000000..ced0792 --- /dev/null +++ b/network/ddclient-configuration.sh 
@@ -0,0 +1,172 @@ +#!/bin/bash + +# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/ +# Copyright © 2020 Simon Lindner (https://github.com/szaimen) + +# shellcheck disable=2034,2059 +true +SCRIPT_NAME="DynDNS with ddclient" +SCRIPT_EXPLAINER="This script lets you setup DynDNS by using the Linux ddclient software." +# shellcheck source=lib.sh +source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh) + +# Check for errors + debug code and abort if something isn't right +# 1 = ON +# 0 = OFF +DEBUG=0 +debug_mode + +# Check if root +root_check + +# Check if ddclient is already installed +if ! is_this_installed ddclient +then + # Ask for installing + install_popup "$SCRIPT_NAME" +else + # Ask for removal or reinstallation + reinstall_remove_menu "$SCRIPT_NAME" + # Removal + apt purge ddclient -y + if is_this_installed libjson-any-perl + then + apt purge libjson-any-perl -y + fi + apt autoremove -y + rm -f /etc/ddclient.conf + # Show successful uninstall if applicable + removal_popup "$SCRIPT_NAME" +fi + +# install needed tool +DEBIAN_FRONTEND=noninteractive apt install ddclient -y + +# Test if file exists +if [ ! -f /etc/ddclient.conf ] +then + msg_box "The default ddclient.conf doesn't seem to exist.\nPlease report this to\n$ISSUES." 
+ exit 1 +fi + +choice=$(whiptail --title "$TITLE" --menu \ +"Please choose your DynDNS-Provider.\nYou have to setup an account before you can start.\n +If your DDNS provider isn't already supported, please open a new issue here:\n$ISSUES +$MENU_GUIDE\n\n$RUN_LATER_GUIDE" "$WT_HEIGHT" "$WT_WIDTH" 4 \ +"Cloudflare" "(cloudflare.com)" \ +"deSEC" "(desec.io)" \ +"Duck DNS" "(duckdns.org)" \ +"Strato" "(strato.de)" 3>&1 1>&2 2>&3) + +case "$choice" in + "Cloudflare") + PROVIDER="Cloudflare" + INSTRUCTIONS="register an email address for your domain and get an Cloudflare API-key" + GUIDE="https://www.techandme.se/setup-multiple-accounts-with-ddclient-and-cloudflare/" + PROTOCOL="cloudflare" + SERVER="www.cloudflare.com" + USE_SSL="yes" + ;; + "deSEC") + PROVIDER="deSEC" + INSTRUCTIONS="get a DDNS account with password" + GUIDE="https://desec.io/#" + PROTOCOL="dyndns2" + SERVER="update.dedyn.io" + USE_SSL="yes" + ;; + "Duck DNS") + PROVIDER="Duck DNS" + INSTRUCTIONS="get a DDNS account with password" + GUIDE="https://www.duckdns.org/faqs.jsp" + PROTOCOL="duckdns" + SERVER="www.duckdns.org" + USE_SSL="yes" + ;; + "Strato") + PROVIDER="Strato" + INSTRUCTIONS="activate DynDNS for your Domain" + GUIDE="https://www.strato.de/faq/domains/so-einfach-richten-sie-dyndns-fuer-ihre-domains-ein/" + PROTOCOL="dyndns2" + SERVER="dyndns.strato.com" + USE_SSL="yes" + ;; + "") + msg_box "You haven't selected any option. Exiting!" + exit 1 + ;; + *) + ;; +esac + +# Instructions +msg_box "Before you can continue, you have to access $PROVIDER and $INSTRUCTIONS.\n\nHere is a guide:\n$GUIDE" + +# Ask if everything is prepared +if ! yesno_box_yes "Are you ready to continue?" +then + exit +fi + +# Enter your Hostname +HOSTNAME=$(input_box_flow "Please enter the Host that you want to configure DDNS for.\nE.g. 
'example.com'") + +# Enter your login +LOGIN=$(input_box_flow "Please enter the login for your DDNS provider.\nIt will be most likely the domain \ +or registered email address depending on your DDNS Provider.\nE.g. 'example.com' or 'mail@example.com' +If you are not sure, please refer to the documentation of your DDNS provider.") + +# Enter your password +PASSWORD=$(input_box_flow "Please enter the password or api-key that you've got for DynDNS from your DDNS provider. +If you are not sure, please refer to the documentation of your DDNS provider.") + +# Present what we gathered +msg_box "You will see now a list of all entered information. Please check that everything seems correct.\n +Provider=$PROVIDER +Host=$HOSTNAME +Login=$LOGIN +Password=$PASSWORD" + +# If everything okay, write to file +if ! yesno_box_yes "Do you want to proceed?" +then + exit +fi + +# needed for cloudflare to work +if [ "$PROVIDER" = "Cloudflare" ] +then + install_if_not libjson-any-perl +fi + +# Write information to ddclient.conf +cat << DDCLIENT_CONF > "/etc/ddclient.conf" +# Configuration file for ddclient generated by debconf +# +# /etc/ddclient.conf + +# Default system settings +use=if, if=$IFACE +use=web, web=https://ipv4bot.whatismyipaddress.com + +# DDNS-service specific setting +# Provider=$PROVIDER +protocol=$PROTOCOL +server=$SERVER +ssl=$USE_SSL + +# user specific setting +login=$LOGIN +password=$PASSWORD + +# Hostname follows: +zone=$HOSTNAME +$HOSTNAME +DDCLIENT_CONF + +# Test connection +msg_box "Everything is setup by now and we will check the connection." +OUTPUT="$(ddclient -verbose)" +msg_box "Please check the logs below and make sure that everything looks good. If not, just run this script again. +If you are certain that you entered all things correctly and it didn't work, please report this to\n$ISSUES\n\n$OUTPUT" +exit diff --git a/network/geoblock.sh b/network/geoblock.sh new file mode 100644 index 0000000..46f0cf7 --- /dev/null +++ b/network/geoblock.sh 
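Review bot: The DDNS secret is echoed back in clear text in the confirmation `msg_box` (`Password=$PASSWORD`) and written unquoted into the heredoc as `password=$PASSWORD`. An API key or password containing spaces, `#` or similar characters will likely be mis-parsed by ddclient, so I would write `password='$PASSWORD'` and show `Password=(hidden)` in the summary. The file mode of /etc/ddclient.conf is left to whatever the package installed; adding `chmod 600 /etc/ddclient.conf` after the heredoc makes that explicit. The `ddclient -verbose` output shown in the last `msg_box`, next to the pointer to the issue tracker, may also contain the credentials, which is worth confirming and filtering.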
@@ -0,0 +1,187 @@ +#!/bin/bash + +# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/ +# Copyright © 2020 Simon Lindner (https://github.com/szaimen) + +# shellcheck disable=2034,2059,1091 +true +SCRIPT_NAME="GeoBlock" +SCRIPT_EXPLAINER="This script lets you restrict access to your server, only allowing the countries you choose." +# shellcheck source=lib.sh +source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh) + +# Check for errors + debug code and abort if something isn't right +# 1 = ON +# 0 = OFF +DEBUG=0 +debug_mode + +# Must be root +root_check + +# Check if it is already configured +if ! grep -q "^#Geoip-block" /etc/apache2/apache2.conf +then + # Ask for installing + install_popup "$SCRIPT_NAME" +else + # Ask for removal or reinstallation + reinstall_remove_menu "$SCRIPT_NAME" + # Removal + find /var/scripts -type f -regex \ +"$SCRIPTS/202[0-9]-[01][0-9]-Maxmind-Country-IPv[46]\.dat" -delete + if is_this_installed jq + then + apt purge jq -y + fi + if is_this_installed libapache2-mod-geoip + then + a2dismod geoip + apt purge libapache2-mod-geoip -y + fi + apt autoremove -y + sed -i "/^#Geoip-block-start/,/^#Geoip-block-end/d" /etc/apache2/apache2.conf + check_command systemctl restart apache2 + # Show successful uninstall if applicable + removal_popup "$SCRIPT_NAME" +fi + +# Install needed tools +# Unfortunately jq is needed for this +install_if_not jq +install_if_not libapache2-mod-geoip + +# Enable apache mod +check_command a2enmod geoip rewrite +check_command systemctl restart apache2 + +# Download newest dat files +find /var/scripts -type f -regex \ +"$SCRIPTS/202[0-9]-[01][0-9]-Maxmind-Country-IPv[46]\.dat" -delete +get_newest_dat_files + +# Restrict to countries and/or continents +choice=$(whiptail --title "$TITLE" --checklist \ +"Do you want to restrict to countries and/or continents? 
+$CHECKLIST_GUIDE\n\n$RUN_LATER_GUIDE" "$WT_HEIGHT" "$WT_WIDTH" 4 \ +"Countries" "" ON \ +"Continents" "" ON 3>&1 1>&2 2>&3) +if [ -z "$choice" ] +then + exit 1 +fi + +# Countries +if [[ "$choice" = *"Countries"* ]] +then + # Get country names + COUNTRY_NAMES=$(jq .[][].name /usr/share/iso-codes/json/iso_3166-1.json | sed 's|^"||;s|"$||') + mapfile -t COUNTRY_NAMES <<< "$COUNTRY_NAMES" + + # Get country codes + COUNTRY_CODES=$(jq .[][].alpha_2 /usr/share/iso-codes/json/iso_3166-1.json | sed 's|^"||;s|"$||') + mapfile -t COUNTRY_CODES <<< "$COUNTRY_CODES" + + # Check if both arrays match + if [ "${#COUNTRY_NAMES[@]}" != "${#COUNTRY_CODES[@]}" ] + then + msg_box "Somethings is wrong. The names length is not equal to the codees length. + Please report this to $ISSUES" + fi + + # Create checklist + args=(whiptail --title "$TITLE - $SUBTITLE" --separate-output --checklist \ +"Please select all countries that shall have access to your server. +All countries that are'nt selected will *not* have access to your server. \ +To allow them you have to choose the specific continent. +$CHECKLIST_GUIDE\n\n$RUN_LATER_GUIDE" "$WT_HEIGHT" "$WT_WIDTH" 4) + count=0 + while [ "$count" -lt "${#COUNTRY_NAMES[@]}" ] + do + args+=("${COUNTRY_CODES[$count]}" "${COUNTRY_NAMES[$count]}" OFF) + ((count++)) + done + + # Let the user choose the countries + selected_options=$("${args[@]}" 3>&1 1>&2 2>&3) + if [ -z "$selected_options" ] + then + unset selected_options + fi +fi + +# Continents +if [[ "$choice" = *"Continents"* ]] +then + # Restrict to continents + choice=$(whiptail --title "$TITLE" --separate-output --checklist \ +"Please choose all continents that shall have access to your server. +All countries on not selected continents will not have access to your server \ +if you haven't explicitely chosen them in the countries menu before. 
+$CHECKLIST_GUIDE\n\n$RUN_LATER_GUIDE" "$WT_HEIGHT" "$WT_WIDTH" 4 \ +"AF" "Africa" OFF \ +"AN" "Antarctica" OFF \ +"AS" "Asia" OFF \ +"EU" "Europe" OFF \ +"NA" "North America" OFF \ +"OC" "Oceania" OFF \ +"SA" "South America" OFF 3>&1 1>&2 2>&3) + if [ -z "$choice" ] + then + unset choice + fi +else + unset choice +fi + +# Exit if nothing chosen +if [ -z "$selected_options" ] && [ -z "$choice" ] +then + exit 1 +fi + +# Convert to array +if [ -n "$selected_options" ] +then + mapfile -t selected_options <<< "$selected_options" +fi +if [ -n "$choice" ] +then + mapfile -t choice <<< "$choice" +fi + +GEOIP_CONF="#Geoip-block-start - Please don't remove or change this line + + GeoIPEnable On + GeoIPDBFile /usr/share/GeoIP/GeoIP.dat + GeoIPDBFile /usr/share/GeoIP/GeoIPv6.dat + +\n" +for continent in "${choice[@]}" +do + GEOIP_CONF+=" SetEnvIf GEOIP_CONTINENT_CODE $continent AllowCountryOrContinent\n" + GEOIP_CONF+=" SetEnvIf GEOIP_CONTINENT_CODE_V6 $continent AllowCountryOrContinent\n" +done +for country in "${selected_options[@]}" +do + GEOIP_CONF+=" SetEnvIf GEOIP_COUNTRY_CODE $country AllowCountryOrContinent\n" + GEOIP_CONF+=" SetEnvIf GEOIP_COUNTRY_CODE_V6 $country AllowCountryOrContinent\n" +done +GEOIP_CONF+=" Allow from env=AllowCountryOrContinent + Allow from 127.0.0.1/8 + Allow from 192.168.0.0/16 + Allow from 172.16.0.0/12 + Allow from 10.0.0.0/8 + Order Deny,Allow + Deny from all + +#Geoip-block-end - Please don't remove or change this line" + +# Write everything to the file +echo -e "$GEOIP_CONF" >> /etc/apache2/apache2.conf + +check_command systemctl restart apache2 + +msg_box "GeoBlock was successfully configured" + +exit diff --git a/network/static_ip.sh b/network/static_ip.sh new file mode 100644 index 0000000..7e8f474 --- /dev/null +++ b/network/static_ip.sh 
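Review bot: When the country name and country code arrays differ in length, the check only shows a `msg_box` and then carries on, so the checklist built in the following `while` loop can pair a code with the wrong name and the resulting allow-list may not match what the user ticked. Add `exit 1` after that `msg_box`. Separately, the generated block is appended to /etc/apache2/apache2.conf and Apache is restarted with no syntax check in between; running `apache2ctl configtest` before `check_command systemctl restart apache2` would avoid taking the web server down on a bad block.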
@@ -0,0 +1,241 @@ +#!/bin/bash + +# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/ + +# Use local lib file in case there is no internet connection +if printf "Testing internet connection..." && ping github.com -c 2 >/dev/null 2>&1 +then +# shellcheck disable=2034,2059 +true +SCRIPT_NAME="Static IP" +# shellcheck source=lib.sh +source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh) + # If we have internet, then use the latest variables from the lib remote file +elif [ -f /var/scripts/lib.sh ] +then +# shellcheck disable=2034,2059 +true +SCRIPT_NAME="Static IP" +# shellcheck source=lib.sh +source /var/scripts/lib.sh +else + printf "You don't seem to have a working internet connection, and \ +/var/scripts/lib.sh is missing so you can't run this script." + printf "Please report this to https://github.com/nextcloud/vm/issues/" + exit 1 +fi + +# Check for errors + debug code and abort if something isn't right +# 1 = ON +# 0 = OFF +DEBUG=0 +debug_mode + +# Must be root +root_check + +# Check Ubuntu version +check_distro_version + +# Copy old interfaces files +msg_box "Copying old netplan.io config files file to: + +/tmp/netplan_io_backup/" +if [ -d /etc/netplan/ ] +then + mkdir -p /tmp/netplan_io_backup + check_command cp -vR /etc/netplan/* /tmp/netplan_io_backup/ +fi + +msg_box "Please note that if the IP address changes during an (remote) SSH connection \ +(via Putty, or CLI for example), the connection will break and the IP will reset to \ +DHCP or the IP you had before you started this script. + +To avoid issues with lost connectivity, please use the VM Console directly, and not SSH." +if yesno_box_yes "Are you connected via SSH?" +then + msg_box "Please use the VM Console instead." 
+ sleep 1 + exit +fi + +# Loop until working network settings are validated or the user asks to quit +echo +while : +do + # Loop until user is happy with the IP address and subnet + echo + while : + do + # Ask for IP address + LANIP=$(input_box "Please enter the static IP address you want to set, \ +including the subnet.\nExample: 192.168.1.100/24") + if [[ $LANIP == *"/"* ]] + then + if yesno_box_yes "Is this correct? $LANIP" + then + break + fi + else + msg_box "Did you forget the /subnet?" + fi + done + + # Loop until user is happy with the default gateway + echo + while : + do + # Ask for domain name + GATEWAYIP=$(input_box "Please enter the gateway address you want to set. +Just hit enter to choose the current gateway.\nYour current gateway is: $GATEWAY") + if [ -z "$GATEWAYIP" ] + then + GATEWAYIP="$GATEWAY" + fi + if yesno_box_yes "Is this correct? $GATEWAYIP" + then + break + fi + done + + # DNS + msg_box "You will now be provided with the option to set your own local DNS. + +If you're not sure what DNS is, or if you don't have a local DNS server, +please don't touch this setting. + +If something goes wrong here, you will not be +able to get any deb packages, download files, or reach the internet. + +The current nameservers are: +$DNS1 +$DNS2 +" + + # Set the variable used to fill in the Netplan nameservers. The existing + # values are used if the user does not decides not to update the nameservers. + DNSs="$DNS1" + # Only add a second nameserver to the list if it is defined. + if [ -n "$DNS2" ] + then + DNSs="$DNS1,$DNS2" + fi + + if yesno_box_no "Do you want to set your own nameservers?" + then + # Loop until user is happy with the nameserver 1 + echo + while : + do + # Ask for nameserver + NSIP1=$(input_box "Please enter the local nameserver address you want to set. +Just hit enter to choose the current NS1.\nYour current NS1 is: $DNS1") + if [ -z "$NSIP1" ] + then + NSIP1="$DNS1" + fi + if yesno_box_yes "Is this correct? 
$NSIP1" + then + break + fi + done + + # Nameserver 2 might be empty. As this will not be clear + # in prompts, 'none' is used in this case. + DISPLAY_DNS2="$DNS2" + if [ -z "$DISPLAY_DNS2" ] + then + DISPLAY_DNS2="'none'" + fi + + # Loop until user is happy with the nameserver 2 + echo + while : + do + # Ask for nameserver + NSIP2=$(input_box "Please enter the local nameserver address you want to set. The 3 options are: +- Hit enter to choose the current NS2.\n- Enter a new IP address for NS2. +- Enter the text 'none' if you only have one NS.\nYour current NS2 is: $DISPLAY_DNS2") + if [ -z "$NSIP2" ] + then + NSIP2="$DISPLAY_DNS2" + fi + if yesno_box_yes "Is this correct? $NSIP2" + then + break + fi + done + fi + + # Check if DNS is set manaully and set variables accordingly + if [ -n "$NSIP1" ] + then + DNSs="$NSIP1" + # Only add a second nameserver to the list if it is defined and not 'none'. + if [[ -n "$NSIP2" && ! ( "none" == "$NSIP2" || "'none'" == "$NSIP2" ) ]] + then + DNSs="$NSIP1,$NSIP2" + fi + fi + + # Check if IFACE is empty, if yes, try another method: + if [ -n "$IFACE" ] + then + cat <<-IPCONFIG > "$INTERFACES" +network: + version: 2 + ethernets: + $IFACE: #object name + dhcp4: false # dhcp v4 disable + dhcp6: false # dhcp v6 disable + addresses: [$LANIP] # client IP address + gateway4: $GATEWAYIP # gateway address + nameservers: + addresses: [$DNSs] #name servers +IPCONFIG + + msg_box "These are your settings, please make sure they are correct: + +$(cat /etc/netplan/01-netcfg.yaml)" + netplan try + set_systemd_resolved_dns "$IFACE" + else + cat <<-IPCONFIGnonvmware > "$INTERFACES" +network: + version: 2 + ethernets: + $IFACE2: #object name + dhcp4: false # dhcp v4 disable + dhcp6: false # dhcp v6 disable + addresses: [$LANIP] # client IP address + gateway4: $GATEWAY # gateway address + nameservers: + addresses: [$DNSs] #name servers +IPCONFIGnonvmware + + msg_box "These are your settings, please make sure they are correct: + +$(cat 
/etc/netplan/01-netcfg.yaml)" + netplan try + set_systemd_resolved_dns "$IFACE2" + fi + + if test_connection + then + sleep 1 + msg_box "Static IP sucessfully set!" + break + fi + + cat << BADNETWORKTEXT + +The network settings do not provide access to the Internet and/or the DNS +servers are not reachable. Unless Wi-Fi is required and still to be configured +proceeding will not succeed. + +BADNETWORKTEXT + if ! yesno_box_yes "Try new network settings?" + then + break + fi +done diff --git a/network/trusted.sh b/network/trusted.sh new file mode 100644 index 0000000..4b05ca2 --- /dev/null +++ b/network/trusted.sh @@ -0,0 +1,29 @@ +#!/bin/bash + +# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/ + +# shellcheck disable=2034,2059 +true +SCRIPT_NAME="Trusted" +# shellcheck source=lib.sh +source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh) + +# Check for errors + debug code and abort if something isn't right +# 1 = ON +# 0 = OFF +DEBUG=0 +debug_mode + +download_script NETWORK update-config +if [ -f $SCRIPTS/update-config.php ] +then + # Change config.php + php $SCRIPTS/update-config.php $NCPATH/config/config.php 'trusted_domains[]' localhost "${ADDRESS[@]}" "$(hostname)" "$(hostname --fqdn)" >/dev/null 2>&1 + php $SCRIPTS/update-config.php $NCPATH/config/config.php overwrite.cli.url https://"$(hostname --fqdn)"/ >/dev/null 2>&1 + + # Change .htaccess accordingly + sed -i "s|RewriteBase /nextcloud|RewriteBase /|g" $NCPATH/.htaccess + + # Cleanup + rm -f $SCRIPTS/update-config.php +fi diff --git a/network/update-config.php b/network/update-config.php new file mode 100644 index 0000000..cf88651 --- /dev/null +++ b/network/update-config.php 
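Review bot: The netplan backup goes to the fixed path `/tmp/netplan_io_backup`, which root creates with `mkdir -p` inside a world-writable directory; a local user can pre-create that directory or plant links in it, and netplan files can hold secrets such as Wi-Fi keys. A root-owned directory created with `mktemp -d`, e.g. `BACKUP_DIR=$(mktemp -d /var/backups/netplan_io.XXXXXX)`, avoids both problems. In the branch that falls back to `$IFACE2`, the heredoc writes `gateway4: $GATEWAY` rather than the `$GATEWAYIP` the user just confirmed, so that line should read `gateway4: $GATEWAYIP # gateway address`.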
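Review bot: Both `php $SCRIPTS/update-config.php …` calls in trusted.sh send stdout and stderr to /dev/null and their exit status is not checked, so a failed write of `trusted_domains` or `overwrite.cli.url` passes silently and the `sed` on .htaccess still runs. Drop the `2>&1` and wrap the calls in the library's `check_command`, as other scripts in this patch do for critical steps. `$SCRIPTS` and `$NCPATH` are also unquoted throughout this file; `"$SCRIPTS/update-config.php"` and `"$NCPATH/config/config.php"` are the safer form.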
@@ -0,0 +1,53 @@ +#!/usr/bin/php + +# Credit to: https://github.com/jnweiger + + 3) + { + # append [] to the key name, if you need to pass an array object. + if (substr($argv[2], -2) === '[]') + { + $CONFIG[substr($argv[2],0,-2)] = array_slice($argv,3); + } + else + { + $CONFIG[$argv[2]] = $argv[3]; + } + } +else + { + # exactly two parameter given -- means delete. + unset($CONFIG[$argv[2]]); + } + +$text = var_export($CONFIG, true); +## A warning is printed, if argv[1] is not writable. +## PHP does not issue proper errno or strerror() does it? +file_put_contents($argv[1], " diff --git a/static/fetch_lib.sh b/static/fetch_lib.sh new file mode 100644 index 0000000..3bf4ad0 --- /dev/null +++ b/static/fetch_lib.sh @@ -0,0 +1,37 @@ +#!/bin/bash +# shellcheck disable=2034,2059 +true +# see https://github.com/koalaman/shellcheck/wiki/Directive + +IRed='\e[0;91m' # Red +IGreen='\e[0;92m' # Green +ICyan='\e[0;96m' # Cyan +Color_Off='\e[0m' # Text Reset +print_text_in_color() { + printf "%b%s%b\n" "$1" "$2" "$Color_Off" +} + +if [[ "$EUID" -ne 0 ]] +then + print_text_in_color "$IRed" "You must run fetch_lib with sudo privileges, or directly as root!" + print_text_in_color "$ICyan" "Please report this to https://github.com/nextcloud/vm/issues if you think it's a bug." + exit 1 +fi + +mkdir -p /var/scripts +if ! [ -f /var/scripts/lib.sh ] +then + if ! curl -sfL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh -o /var/scripts/lib.sh + then + print_text_in_color "$IRed" "You don't seem to have an internet \ +connection and the local lib isn't available. Hence you cannot run this script." + exit 1 + fi +elif ! [ -f /var/scripts/nextcloud-startup-script.sh ] +then + print_text_in_color "$ICyan" "Updating lib..." + curl -sfL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh -o /var/scripts/lib.sh +fi + +# shellcheck source=lib.sh +source /var/scripts/lib.sh From cbe673bf9a2924dd1eb22077dbc7120ac1fe9b79 Mon Sep 17 00:00:00 2001 
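Review bot: In static/fetch_lib.sh, `curl … -o /var/scripts/lib.sh` writes straight onto the library that is sourced at the end of the file, and in the `elif` update branch the curl exit status is ignored, so an interrupted or failed transfer can leave a truncated lib.sh that is then executed as root. Download to a temporary file and move it into place only on success, e.g. `tmp=$(mktemp) && curl -sfL "$url" -o "$tmp" && mv "$tmp" /var/scripts/lib.sh`, with `$url` standing for the lib.sh URL. The content is also taken from the moving `master` branch with no checksum or signature check.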
From: enoch85 Date: Wed, 21 Oct 2020 21:54:55 +0200 Subject: [PATCH 07/86] add missing redis var Signed-off-by: enoch85 --- lib.sh | 1 + static/fetch_lib.sh | 6 +++--- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/lib.sh b/lib.sh index edf9413..fe21d32 100644 --- a/lib.sh +++ b/lib.sh @@ -151,6 +151,7 @@ REDIS_CONF=/etc/redis/redis.conf REDIS_SOCK=/var/run/redis/redis-server.sock RSHUF=$(shuf -i 30-35 -n 1) REDIS_PASS=$(gen_passwd "$SHUF" "a-zA-Z0-9@#*=") +REDISPTXT=/tmp/redispasstxt ## FUNCTIONS diff --git a/static/fetch_lib.sh b/static/fetch_lib.sh index 3bf4ad0..d525984 100644 --- a/static/fetch_lib.sh +++ b/static/fetch_lib.sh @@ -21,16 +21,16 @@ fi mkdir -p /var/scripts if ! [ -f /var/scripts/lib.sh ] then - if ! curl -sfL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh -o /var/scripts/lib.sh + if ! curl -sfL https://raw.githubusercontent.com/techandme/wordpress-vm/master/lib.sh -o /var/scripts/lib.sh then print_text_in_color "$IRed" "You don't seem to have an internet \ connection and the local lib isn't available. Hence you cannot run this script." exit 1 fi -elif ! [ -f /var/scripts/nextcloud-startup-script.sh ] +elif ! [ -f /var/scripts/wordpress-startup-script.sh ] then print_text_in_color "$ICyan" "Updating lib..." - curl -sfL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh -o /var/scripts/lib.sh + curl -sfL https://raw.githubusercontent.com/techandme/wordpress-vm/master/lib.sh -o /var/scripts/lib.sh fi # shellcheck source=lib.sh From 74611b741811f7248ef62dce9eca0c8e36b48c2e Mon Sep 17 00:00:00 2001 From: enoch85 Date: Wed, 21 Oct 2020 22:12:32 +0200 Subject: [PATCH 08/86] fix apps Signed-off-by: enoch85 --- apps/adminer.sh | 116 +++++++++++++++++++++++++++++------------------ apps/fail2ban.sh | 67 +++++++++++++++++++++------ apps/webmin.sh | 61 ++++++++++++++++++++++--- 3 files changed, 179 insertions(+), 65 deletions(-) diff --git a/apps/adminer.sh b/apps/adminer.sh index 2dc47f9..a15c00e 100644 
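Review bot: `REDISPTXT=/tmp/redispasstxt` in the lib.sh hunk is a fixed file name in world-writable /tmp, and the name suggests it will hold the Redis password. Its use is not visible in this hunk, but if a root script writes the password there, a local user who pre-creates the file or a link at that path can read or redirect the write. Prefer a file created with `mktemp`, or a path under a root-only directory. The context line `REDIS_PASS=$(gen_passwd "$SHUF" …)` sits directly under `RSHUF=…`, so it is worth checking that `$SHUF` is the intended length variable.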
--- a/apps/adminer.sh +++ b/apps/adminer.sh @@ -1,14 +1,13 @@ #!/bin/bash -# T&M Hansson IT AB © - 2019, https://www.hanssonit.se/ - -# Prefer IPv4 -sed -i "s|#precedence ::ffff:0:0/96 100|precedence ::ffff:0:0/96 100|g" /etc/gai.conf +# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/ # shellcheck disable=2034,2059 true +SCRIPT_NAME="Adminer" +SCRIPT_EXPLAINER="Adminer is a full-featured database management tool written in PHP." # shellcheck source=lib.sh -. <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/master/lib.sh) +source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh) # Check for errors + debug code and abort if something isn't right # 1 = ON 
@@ -17,73 +16,103 @@ DEBUG=0 debug_mode # Check if root -if ! is_root -then - printf "\n${Red}Sorry, you are not root.\n${Color_Off}You must type: ${Cyan}sudo ${Color_Off}bash %s/wordpress_install.sh\n" "$SCRIPTS" - exit 1 -fi - - -print_text_in_color "$ICyan" "Installing and securing Adminer..." +root_check -# Check Ubuntu version -if [ "$OS" != 1 ] +# Check if adminer is already installed +if ! is_this_installed adminer then - print_text_in_color "$IRed" "Ubuntu Server is required to run this script." - print_text_in_color "$IRed" "Please install that distro and try again." - sleep 3 - exit 1 + # Ask for installing + install_popup "$SCRIPT_NAME" +else + # Ask for removal or reinstallation + reinstall_remove_menu "$SCRIPT_NAME" + # Removal + check_external_ip # Check that the script can see the external IP (apache fails otherwise) + a2disconf adminer.conf + rm -f $ADMINER_CONF + rm -rf $ADMINERDIR + check_command apt-get purge adminer -y + restart_webserver + # Show successful uninstall if applicable + removal_popup "$SCRIPT_NAME" fi +# Check that the script can see the external IP (apache fails otherwise) +check_external_ip -if ! version 16.04 "$DISTRO" 18.04.4; then - print_text_in_color "$IRed" "Ubuntu version seems to be $DISTRO" - print_text_in_color "$IRed" "It must be between 16.04 - 18.04.4" - print_text_in_color "$IRed" "Please install that version and try again." 
- exit 1 -fi +# Check distrobution and version +check_distro_version # Install Adminer apt update -q4 & spinner_loading install_if_not adminer -sudo wget -q "http://www.adminer.org/latest.php" -O "$ADMINERDIR"/latest.php -sudo ln -s "$ADMINERDIR"/latest.php "$ADMINERDIR"/adminer.php +curl_to_dir "http://www.adminer.org" "latest.php" "$ADMINERDIR" +curl_to_dir "https://raw.githubusercontent.com/Niyko/Hydra-Dark-Theme-for-Adminer/master" "adminer.css" "$ADMINERDIR" +ln -s "$ADMINERDIR"/latest.php "$ADMINERDIR"/adminer.php + +# Only add TLS 1.3 on Ubuntu later than 20.04 +if version 20.04 "$DISTRO" 20.04.10 +then + TLS13="+TLSv1.3" +fi cat << ADMINER_CREATE > "$ADMINER_CONF" server { + listen 443 ssl http2; + listen [::]:443 ssl http2; - # Listen on port 81 - listen 81; - - # Server name being used (exact name, wildcards or regular expression) - # server_name adminer.my; - + ## Your website name goes here. + # server_name example.com; + ## Your only path reference. root /usr/share/adminer/adminer; - - # Logging - error_log /var/log/adminer.access_log; - access_log /var/log/adminer.error_log; - + ## This should be in your http block and if it is, it's not needed here. + index adminer.php; + resolver $GATEWAY; + + ## Show real IP behind proxy (change to the proxy IP) +# set_real_ip_from $GATEWAY/24; +# set_real_ip_from $GATEWAY; +# set_real_ip_from 2001:0db8::/32; +# real_ip_header X-Forwarded-For; +# real_ip_recursive on; + + # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate + ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem; + ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key; + ssl_session_timeout 1d; + ssl_session_cache shared:SSL:50m; + ssl_session_tickets off; + # Diffie-Hellman parameter for DHE ciphersuites, recommended 4096 bits + # ssl_dhparam /path/to/dhparam.pem; + # intermediate configuration. tweak to your needs. 
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'; + ssl_prefer_server_ciphers on; + # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) + add_header Strict-Transport-Security max-age=15768000; + # OCSP Stapling --- + # fetch OCSP records from URL in ssl_certificate and cache them + ssl_stapling on; + ssl_stapling_verify on; + ## verify chain of trust of OCSP response using Root CA and Intermediate certs + # ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates; location / { index index.php; allow $GATEWAY/24; deny all; } - location ~* ^/adminer/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ { root /usr/share/adminer/; } - + location ~ /\.ht { deny all; } - location ~ /(libraries|setup/frames|setup/libs) { deny all; return 404; } - # Pass the PHP scripts to FastCGI server location ~* \\.php$ { #NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini @@ -113,12 +142,9 @@ The script will exit." else msg_box "Adminer was sucessfully installed and can be reached here: http://$ADDRESS:81 - You can download more plugins and get more information here: https://www.adminer.org - Your MariaDB connection information can be found in /root/.my.cnf - In case you try to access Adminer and get 'Forbidden' you need to change the IP in: $ADMINER_CONF" fi 
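Review bot: `curl_to_dir "http://www.adminer.org" "latest.php" "$ADMINERDIR"` fetches PHP that the web server will execute over plain HTTP with no checksum, and the stylesheet comes from a third-party repository's `master` branch; use `https://www.adminer.org` and pin and verify a specific release. The new server block sets `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` with a cipher list that still contains `DES-CBC3-SHA`, while the `TLS13` variable computed just above the heredoc is never used; `ssl_protocols TLSv1.2;` (plus `TLSv1.3` where the installed nginx supports it) with the 3DES entries dropped is a safer default. The removal branch calls Apache's `a2disconf` although the config written here is an nginx `server` block, which looks inconsistent. The heredoc continues past the end of this hunk.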
diff --git a/apps/fail2ban.sh b/apps/fail2ban.sh index 5130293..40c532a 100644 --- a/apps/fail2ban.sh +++ b/apps/fail2ban.sh @@ -1,11 +1,21 @@ #!/bin/bash -# T&M Hansson IT AB © - 2019, https://www.hanssonit.se/ +# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/ +# Inspired by https://github.com/nextcloud/nextcloudpi/blob/master/etc/nextcloudpi-config.d/fail2ban.sh # shellcheck disable=2034,2059 true +SCRIPT_NAME="Fail2ban" +SCRIPT_EXPLAINER="Fail2ban provides extra Brute Force protextion for Nextcloud. +It scans the Nextcloud and SSH log files and bans IPs that show malicious \ +signs -- too many password failures, seeking for exploits, etc. +Generally Fail2Ban is then used to update firewall rules to \ +reject the IP addresses for a specified amount of time." # shellcheck source=lib.sh -. <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/master/lib.sh) +source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh) + +# Get all needed variables from the library +nc_update # Check for errors + debug code and abort if something isn't right # 1 = ON 
@@ -14,24 +24,35 @@ DEBUG=0 debug_mode # Check if root -if ! is_root +root_check + +# Check if fail2ban is already installed +if ! is_this_installed fail2ban then - printf "\n${Red}Sorry, you are not root.\n${Color_Off}You must type: ${Cyan}sudo ${Color_Off}bash %s/fail2ban.sh\n" "$SCRIPTS" - sleep 3 - exit 1 + # Ask for installing + install_popup "$SCRIPT_NAME" +else + # Ask for removal or reinstallation + reinstall_remove_menu "$SCRIPT_NAME" + # Removal + print_text_in_color "$ICyan" "Unbanning all currently blocked IPs..." + fail2ban-client unban --all + rm /etc/fail2ban/filter.d/wordpress.conf + rm /etc/fail2ban/jail.local + check_command apt-get purge fail2ban -y + # Show successful uninstall if applicable + removal_popup "$SCRIPT_NAME" fi ### Local variables ### # location of logs AUTHLOG="/var/log/auth.log" # time to ban an IP that exceeded attempts -BANTIME_=600000 +BANTIME_=1209600 # cooldown time for incorrect passwords FINDTIME_=1800 -#bad attempts before banning an IP -MAXRETRY_=10 - -print_text_in_color "$ICyan" "Installing Fail2ban..." +# failed attempts before banning an IP +MAXRETRY_=20 apt update -q4 & spinner_loading check_command apt install fail2ban -y @@ -59,6 +80,14 @@ cat << FCONF > /etc/fail2ban/jail.d/wordpress.conf # defined using space separator. ignoreip = 127.0.0.1/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 +# "bantime" is the number of seconds that a host is banned. +bantime = $BANTIME_ + +# A host is banned if it has generated "maxretry" during the last "findtime" +# seconds. +findtime = $FINDTIME_ +maxretry = $MAXRETRY_ + # # ACTIONS # @@ -70,6 +99,15 @@ action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protoc action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] action = %(action_)s +# +# SSH +# + +[sshd] + +enabled = true +maxretry = $MAXRETRY_ + # # HTTP servers # 
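Review bot: The removal branch in the `@@ -14,24 +24,35 @@` hunk deletes `/etc/fail2ban/jail.local`, but the jail this script writes is `/etc/fail2ban/jail.d/wordpress.conf` (the heredoc target shown in the next hunk header). Uninstalling therefore appears to leave the script's own jail behind while removing a file an administrator may have created by hand. I would replace that line with `rm -f /etc/fail2ban/jail.d/wordpress.conf` and use `rm -f` for the filter too, so a missing file does not print an error. Whether `removal_popup` exits is not visible here; if it returns, the script falls straight through into a fresh install, which deserves a comment.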
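Review bot: The new `[sshd]` jail in the `@@ -70,6 +99,15 @@` hunk sets `maxretry = $MAXRETRY_`, which this patch raises from 10 to 20, so an address gets 20 failed SSH logins per `findtime` window of 1800 seconds before it is banned. The `[DEFAULT]` block added in the previous hunk already sets the same value, so the line under `[sshd]` only restates it. I would give SSH its own lower threshold through a separate variable declared next to `MAXRETRY_` (the name `SSH_MAXRETRY_` is only a suggestion), with a comment saying why the web and SSH limits differ.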
@@ -87,11 +125,12 @@ FCONF # Update settings check_command update-rc.d fail2ban defaults check_command update-rc.d fail2ban enable -check_command service fail2ban restart +check_command systemctl restart fail2ban.service # The End msg_box "Fail2ban is now sucessfully installed. -Please use 'fail2ban-client set wordpress unbanip ' to unban certain IPs + +Please use 'fail2ban-client set nextcloud unbanip ' to unban certain IPs You can also use 'iptables -L -n' to check which IPs that are banned" -clear +exit diff --git a/apps/webmin.sh b/apps/webmin.sh index 865da45..35c1047 100644 --- a/apps/webmin.sh +++ b/apps/webmin.sh @@ -1,11 +1,18 @@ #!/bin/bash -# T&M Hansson IT AB © - 2019, https://www.hanssonit.se/ +# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/ # shellcheck disable=2034,2059 true +SCRIPT_NAME="Webmin" +SCRIPT_EXPLAINER="Webmin is a web-based interface for system administration for Unix. +Using any modern web browser, you can setup user accounts, Apache, DNS, file sharing and much more. +Webmin removes the need to manually edit Unix configuration files like /etc/passwd, \ +and lets you manage a system from the console or remotely. +See the following page with standard modules for a list of all the functions built into Webmin: \ +https://webmin.com/standard.html" # shellcheck source=lib.sh -. <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/master/lib.sh) +source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh) # Check for errors + debug code and abort if something isn't right # 1 = ON 
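Review bot: The closing message in apps/fail2ban.sh now tells the administrator to run `fail2ban-client set nextcloud unbanip`, but nothing visible in this patch defines a jail called `nextcloud`; the files it manages are `filter.d/wordpress.conf` and `jail.d/wordpress.conf`. If the jail is still named `wordpress` (its section header is outside this hunk), the documented command fails exactly when a locked-out user needs it, and with `BANTIME_=1209600` that lockout lasts 14 days. I would keep `wordpress` in the message and make sure the address placeholder is present, e.g. `fail2ban-client set wordpress unbanip <IP>`; on this page the placeholder appears to be missing.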
@@ -13,13 +20,55 @@ true DEBUG=0 debug_mode +# Check if root +root_check + +# Check if webmin is already installed +if ! is_this_installed webmin +then + # Ask for installing + install_popup "$SCRIPT_NAME" +else + # Ask for removal or reinstallation + reinstall_remove_menu "$SCRIPT_NAME" + # Removal + check_command apt-get purge webmin -y + rm -rf /etc/apt/sources.list.d/webmin.list + # Show successful uninstall if applicable + removal_popup "$SCRIPT_NAME" +fi + # Install packages for Webmin -apt install -y zip perl libnet-ssleay-perl openssl libauthen-pam-perl libpam-runtime libio-pty-perl apt-show-versions python +install_if_not apt-transport-https +install_if_not perl +install_if_not libnet-ssleay-perl +install_if_not openssl +install_if_not libauthen-pam-perl +install_if_not libpam-runtime +install_if_not libio-pty-perl +install_if_not apt-show-versions +install_if_not python2 # Install Webmin -sed -i '$a deb http://download.webmin.com/download/repository sarge contrib' /etc/apt/sources.list -if wget -q http://www.webmin.com/jcameron-key.asc -O- | sudo apt-key add - +if curl -fsSL http://www.webmin.com/jcameron-key.asc | sudo apt-key add - then + echo "deb https://download.webmin.com/download/repository sarge contrib" > /etc/apt/sources.list.d/webmin.list apt update -q4 & spinner_loading - apt install webmin -y + install_if_not webmin fi + +print_text_in_color "$ICyan" "Configuring Webmin..." +# redirect access on http to https +check_command systemctl stop webmin +# Redirect http to https on the LAN IP +check_command sed -i '/^ssl=.*/a ssl_redirect=1' /etc/webmin/miniserv.conf +check_command sed -i "/^port=.*/a host=$ADDRESS" /etc/webmin/miniserv.conf +start_if_stopped webmin + +msg_box "Webmin is now installed and can be accessed from this address: + +https://$ADDRESS:10000 + +You can log in with your Ubuntu CLI user: $SUDO_USER." + +exit From fed3b1daa3f7897f1e1cae83182cce026a425dd4 Mon Sep 17 00:00:00 2001 
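Review bot: The repository signing key is still downloaded over plain HTTP in `curl -fsSL http://www.webmin.com/jcameron-key.asc | sudo apt-key add -`, so anyone on the network path can substitute a key, and `apt-key add` then makes it trusted for every configured repository. The hunk already moves the repository line to `https://`; the key URL should follow, e.g. `if curl -fsSL https://www.webmin.com/jcameron-key.asc | apt-key add -` (assuming the host serves the file over TLS). The imported fingerprint should also be compared with the one Webmin publishes before `webmin.list` is written. Storing the key in a dedicated keyring referenced by `signed-by=` in `webmin.list` would limit its trust to this one repository.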
From: enoch85 Date: Wed, 21 Oct 2020 22:13:55 +0200 Subject: [PATCH 09/86] remove scripts Signed-off-by: enoch85 --- addons/automatic_updates.sh | 47 --------------------- addons/cookielifetime.sh | 82 ------------------------------------- menu/bitwarden_menu.sh | 61 --------------------------- menu/documentserver.sh | 48 ---------------------- 4 files changed, 238 deletions(-) delete mode 100644 addons/automatic_updates.sh delete mode 100644 addons/cookielifetime.sh delete mode 100644 menu/bitwarden_menu.sh delete mode 100644 menu/documentserver.sh diff --git a/addons/automatic_updates.sh b/addons/automatic_updates.sh deleted file mode 100644 index de7a3a9..0000000 --- a/addons/automatic_updates.sh +++ /dev/null 
@@ -1,47 +0,0 @@ -#!/bin/bash - -# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/ - -# shellcheck disable=2034,2059 -true -SCRIPT_NAME="Automatic Updates" -# shellcheck source=lib.sh -source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh) - -print_text_in_color "$ICyan" "Configuring automatic updates..." - -# Check for errors + debug code and abort if something isn't right -# 1 = ON -# 0 = OFF -DEBUG=0 -debug_mode - -# Check if root -root_check - -msg_box "This option will update your server every week on Saturdays at $AUT_UPDATES_TIME:00. -The update will run the built in script '$SCRIPTS/update.sh' which will update both the server packages and Nextcloud itself. - -You can read more about it here: https://www.techandme.se/nextcloud-update-is-now-fully-automated/ -Please keep in mind that automatic updates might fail hence it's \ -important to have a proper backup in place if you plan to run this option. - -You can disable the automatic updates by entering the crontab file like this: -'sudo crontab -e -u root' -Then just put a hash (#) in front of the row that you want to disable. - -In the next step you will be able to choose to proceed or exit." "$SUBTITLE" - -if yesno_box_yes "Do you want to enable automatic updates?" -then - # TODO: delete the following line after a few releases. It was copied to the install-script. - nextcloud_occ config:app:set updatenotification notify_groups --value="[]" - touch $VMLOGS/update.log - crontab -u root -l | { cat; echo "0 $AUT_UPDATES_TIME * * 6 $SCRIPTS/update.sh minor >> $VMLOGS/update.log"; } | crontab -u root - - if yesno_box_yes "Do you want to reboot your server after every update? *recommended*" - then - sed -i "s|exit|/sbin/shutdown -r +1|g" "$SCRIPTS"/update.sh - echo "exit" >> "$SCRIPTS"/update.sh - fi - msg_box "Please remember to keep backups in case something should go wrong, you never know." "$SUBTITLE" -fi 
diff --git a/addons/cookielifetime.sh b/addons/cookielifetime.sh deleted file mode 100644 index 12e58e7..0000000 --- a/addons/cookielifetime.sh +++ /dev/null 
@@ -1,82 +0,0 @@ -#!/bin/bash - -# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/ - -# shellcheck disable=2034,2059 -true -SCRIPT_NAME="Set Cookie Lifetime" -# shellcheck source=lib.sh -source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh) - -print_text_in_color "$ICyan" "Configuring Cookie Lifetime timeout..." - -# Check for errors + debug code and abort if something isn't right -# 1 = ON -# 0 = OFF -DEBUG=0 -debug_mode - -# Check if root -root_check - -choice=$(whiptail --title "$TITLE" --menu \ -"Configure the logout time (in seconds) which will forcefully logout \ -the Nextcloud user from the web browser when the timeout is reached. -$MENU_GUIDE\n\n$RUN_LATER_GUIDE" "$WT_HEIGHT" "$WT_WIDTH" 4 \ -"1800s" "30 minutes" \ -"7200s" "2 hours" \ -"43200s" "12 hours" \ -"172800s" "2 days" \ -"604800s" "1 week" \ -"2419200s" "4 weeks" \ -"Custom" "setup a custom time" 3>&1 1>&2 2>&3) - -case "$choice" in - "1800s") - nextcloud_occ config:system:set remember_login_cookie_lifetime --value="1800" - ;; - "7200s") - nextcloud_occ config:system:set remember_login_cookie_lifetime --value="7200" - ;; - "43200s") - nextcloud_occ config:system:set remember_login_cookie_lifetime --value="43200" - ;; - "172800s") - nextcloud_occ config:system:set remember_login_cookie_lifetime --value="172800" - ;; - "604800s") - nextcloud_occ config:system:set remember_login_cookie_lifetime --value="604800" - ;; - "2419200s") - nextcloud_occ config:system:set remember_login_cookie_lifetime --value="2419200" - ;; - "Custom") - while : - do - COOKIE_LIFETIME=$(input_box "Configure the logout time (in seconds) which \ -will forcefully logout the Nextcloud user from the web browser when the timeout is reached. - -Please enter the Cookie Lifetime in seconds, so e.g. 1800 for 30 minutes or 3600 for 1 hour - -You can not set a value below 30 minutes (1800 seconds).") - if ! 
check_if_number "$COOKIE_LIFETIME" - then - msg_box "The value you entered doesn't seem to be a number between 0-9, please enter a valid number." - elif [ "$COOKIE_LIFETIME" -lt "1800" ] - then - msg_box "Please choose a value more than 1800 seconds." - elif ! yesno_box_yes "Is this correct? $COOKIE_LIFETIME seconds" - then - msg_box "It seems like you weren't satisfied with your setting of ($COOKIE_LIFETIME) seconds. Please try again." - else - if nextcloud_occ config:system:set remember_login_cookie_lifetime --value="$COOKIE_LIFETIME" - then - msg_box "Cookie Lifetime is now successfully set to $COOKIE_LIFETIME seconds." - fi - break - fi - done - ;; - *) - ;; -esac diff --git a/menu/bitwarden_menu.sh b/menu/bitwarden_menu.sh deleted file mode 100644 index dac175e..0000000 --- a/menu/bitwarden_menu.sh +++ /dev/null 
@@ -1,61 +0,0 @@ -#!/bin/bash - -# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/ - -# shellcheck disable=2034,2059 -true -SCRIPT_NAME="Bitwarden Menu" -# shellcheck source=lib.sh -source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh) - -# Check for errors + debug code and abort if something isn't right -# 1 = ON -# 0 = OFF -DEBUG=0 -debug_mode - -# Must be root -root_check - -# Set the startup switch -if [ -f "$SCRIPTS/nextcloud-startup-script.sh" ] -then - STARTUP_SWITCH="ON" -else - STARTUP_SWITCH="OFF" -fi - -choice=$(whiptail --title "$TITLE" --checklist \ -"Automatically configure and install the Bitwarden or configure some aspects of it. -$CHECKLIST_GUIDE\n\n$RUN_LATER_GUIDE" "$WT_HEIGHT" "$WT_WIDTH" 4 \ -"Bitwarden " "(External password manager [4GB RAM] - subdomain required)" OFF \ -"Bitwarden Registration" "(Enable or disable public user registration for Bitwarden)" OFF \ -"Bitwarden Mail-Configuration" "(Configure the mailserver settings for Bitwarden)" OFF \ -"Bitwarden-RS " "(Unofficial Bitwarden password manager - subdomain required)" OFF \ -"Bitwarden-RS Admin-panel" "(Enable or disable the admin-panel for Bitwarden-RS)" OFF 3>&1 1>&2 2>&3) - -case "$choice" in - *"Bitwarden "*) - print_text_in_color "$ICyan" "Downloading the Bitwarden script..." - run_script APP tmbitwarden - ;;& - *"Bitwarden Registration"*) - print_text_in_color "$ICyan" "Downloading the Bitwarden Registration script..." - run_script APP bitwarden_registration - ;;& - *"Bitwarden Mail-Configuration"*) - print_text_in_color "$ICyan" "Downloading the Bitwarden Mailconfig script..." - run_script APP bitwarden_mailconfig - ;;& - *"Bitwarden-RS "*) - print_text_in_color "$ICyan" "Downloading the Bitwarden-RS script..." - run_script APP bitwarden-rs - ;;& - *"Bitwarden-RS Admin-panel"*) - print_text_in_color "$ICyan" "Downloading the Bitwarden-RS Admin-panel script..." 
- run_script APP bitwarden-rs_admin-panel - ;;& - *) - ;; -esac -exit diff --git a/menu/documentserver.sh b/menu/documentserver.sh deleted file mode 100644 index 761dae9..0000000 --- a/menu/documentserver.sh +++ /dev/null @@ -1,48 +0,0 @@ -#!/bin/bash - -# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/ - -# shellcheck disable=2034,2059 -true -SCRIPT_NAME="Documentserver Menu" -# shellcheck source=lib.sh -source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh) - -# Check for errors + debug code and abort if something isn't right -# 1 = ON -# 0 = OFF -DEBUG=0 -debug_mode - -# Must be root -root_check - -choice=$(whiptail --title "$TITLE" --menu \ -"Which Documentserver do you want to install?\n\nAutomatically configure and install the selected Documentserver. -$MENU_GUIDE\n\n$RUN_LATER_GUIDE" "$WT_HEIGHT" "$WT_WIDTH" 4 \ -"Collabora (Docker)" "(Online editing - Extra Subdomain required)" \ -"Collabora (Integrated)" "(Online editing - No Subdomain required)" \ -"OnlyOffice (Docker)" "(Online editing - Extra Subdomain required)" \ -"OnlyOffice (Integrated)" "(Online editing - No Subdomain required)" 3>&1 1>&2 2>&3) - -case "$choice" in - "Collabora (Docker)") - print_text_in_color "$ICyan" "Downloading the Collabora (Docker) script..." - run_script APP collabora_docker - ;; - "Collabora (Integrated)") - print_text_in_color "$ICyan" "Downloading the Collabora (Integrated) script..." - run_script APP collabora_integrated - ;; - "OnlyOffice (Docker)") - print_text_in_color "$ICyan" "Downloading the OnlyOffice (Docker) script..." - run_script APP onlyoffice_docker - ;; - "OnlyOffice (Integrated)") - print_text_in_color "$ICyan" "Downloading the OnlyOffice (Integrated) script..." - run_script APP onlyoffice_integrated - ;; - *) - ;; -esac -exit From 9037430835c94fb65d03f8b8802e8e405233b179 Mon Sep 17 00:00:00 2001 From: enoch85 Date: Wed, 21 Oct 2020 22:14:46 +0200 Subject: [PATCH 10/86] remove scripts 
Signed-off-by: enoch85 --- network/geoblock.sh | 187 -------------------------------------- network/trusted.sh | 29 ------ network/update-config.php | 53 ----------- 3 files changed, 269 deletions(-) delete mode 100644 network/geoblock.sh delete mode 100644 network/trusted.sh delete mode 100644 network/update-config.php diff --git a/network/geoblock.sh b/network/geoblock.sh deleted file mode 100644 index 46f0cf7..0000000 --- a/network/geoblock.sh +++ /dev/null 
@@ -1,187 +0,0 @@ -#!/bin/bash - -# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/ -# Copyright © 2020 Simon Lindner (https://github.com/szaimen) - -# shellcheck disable=2034,2059,1091 -true -SCRIPT_NAME="GeoBlock" -SCRIPT_EXPLAINER="This script lets you restrict access to your server, only allowing the countries you choose." -# shellcheck source=lib.sh -source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh) - -# Check for errors + debug code and abort if something isn't right -# 1 = ON -# 0 = OFF -DEBUG=0 -debug_mode - -# Must be root -root_check - -# Check if it is already configured -if ! grep -q "^#Geoip-block" /etc/apache2/apache2.conf -then - # Ask for installing - install_popup "$SCRIPT_NAME" -else - # Ask for removal or reinstallation - reinstall_remove_menu "$SCRIPT_NAME" - # Removal - find /var/scripts -type f -regex \ -"$SCRIPTS/202[0-9]-[01][0-9]-Maxmind-Country-IPv[46]\.dat" -delete - if is_this_installed jq - then - apt purge jq -y - fi - if is_this_installed libapache2-mod-geoip - then - a2dismod geoip - apt purge libapache2-mod-geoip -y - fi - apt autoremove -y - sed -i "/^#Geoip-block-start/,/^#Geoip-block-end/d" /etc/apache2/apache2.conf - check_command systemctl restart apache2 - # Show successful uninstall if applicable - removal_popup "$SCRIPT_NAME" -fi - -# Install needed tools -# Unfortunately jq is needed for this -install_if_not jq -install_if_not libapache2-mod-geoip - -# Enable apache mod -check_command a2enmod geoip rewrite -check_command systemctl restart apache2 - -# Download newest dat files -find /var/scripts -type f -regex \ -"$SCRIPTS/202[0-9]-[01][0-9]-Maxmind-Country-IPv[46]\.dat" -delete -get_newest_dat_files - -# Restrict to countries and/or continents -choice=$(whiptail --title "$TITLE" --checklist \ -"Do you want to restrict to countries and/or continents? 
-$CHECKLIST_GUIDE\n\n$RUN_LATER_GUIDE" "$WT_HEIGHT" "$WT_WIDTH" 4 \ -"Countries" "" ON \ -"Continents" "" ON 3>&1 1>&2 2>&3) -if [ -z "$choice" ] -then - exit 1 -fi - -# Countries -if [[ "$choice" = *"Countries"* ]] -then - # Get country names - COUNTRY_NAMES=$(jq .[][].name /usr/share/iso-codes/json/iso_3166-1.json | sed 's|^"||;s|"$||') - mapfile -t COUNTRY_NAMES <<< "$COUNTRY_NAMES" - - # Get country codes - COUNTRY_CODES=$(jq .[][].alpha_2 /usr/share/iso-codes/json/iso_3166-1.json | sed 's|^"||;s|"$||') - mapfile -t COUNTRY_CODES <<< "$COUNTRY_CODES" - - # Check if both arrays match - if [ "${#COUNTRY_NAMES[@]}" != "${#COUNTRY_CODES[@]}" ] - then - msg_box "Somethings is wrong. The names length is not equal to the codees length. - Please report this to $ISSUES" - fi - - # Create checklist - args=(whiptail --title "$TITLE - $SUBTITLE" --separate-output --checklist \ -"Please select all countries that shall have access to your server. -All countries that are'nt selected will *not* have access to your server. \ -To allow them you have to choose the specific continent. -$CHECKLIST_GUIDE\n\n$RUN_LATER_GUIDE" "$WT_HEIGHT" "$WT_WIDTH" 4) - count=0 - while [ "$count" -lt "${#COUNTRY_NAMES[@]}" ] - do - args+=("${COUNTRY_CODES[$count]}" "${COUNTRY_NAMES[$count]}" OFF) - ((count++)) - done - - # Let the user choose the countries - selected_options=$("${args[@]}" 3>&1 1>&2 2>&3) - if [ -z "$selected_options" ] - then - unset selected_options - fi -fi - -# Continents -if [[ "$choice" = *"Continents"* ]] -then - # Restrict to continents - choice=$(whiptail --title "$TITLE" --separate-output --checklist \ -"Please choose all continents that shall have access to your server. -All countries on not selected continents will not have access to your server \ -if you haven't explicitely chosen them in the countries menu before. 
-$CHECKLIST_GUIDE\n\n$RUN_LATER_GUIDE" "$WT_HEIGHT" "$WT_WIDTH" 4 \ -"AF" "Africa" OFF \ -"AN" "Antarctica" OFF \ -"AS" "Asia" OFF \ -"EU" "Europe" OFF \ -"NA" "North America" OFF \ -"OC" "Oceania" OFF \ -"SA" "South America" OFF 3>&1 1>&2 2>&3) - if [ -z "$choice" ] - then - unset choice - fi -else - unset choice -fi - -# Exit if nothing chosen -if [ -z "$selected_options" ] && [ -z "$choice" ] -then - exit 1 -fi - -# Convert to array -if [ -n "$selected_options" ] -then - mapfile -t selected_options <<< "$selected_options" -fi -if [ -n "$choice" ] -then - mapfile -t choice <<< "$choice" -fi - -GEOIP_CONF="#Geoip-block-start - Please don't remove or change this line - - GeoIPEnable On - GeoIPDBFile /usr/share/GeoIP/GeoIP.dat - GeoIPDBFile /usr/share/GeoIP/GeoIPv6.dat - -\n" -for continent in "${choice[@]}" -do - GEOIP_CONF+=" SetEnvIf GEOIP_CONTINENT_CODE $continent AllowCountryOrContinent\n" - GEOIP_CONF+=" SetEnvIf GEOIP_CONTINENT_CODE_V6 $continent AllowCountryOrContinent\n" -done -for country in "${selected_options[@]}" -do - GEOIP_CONF+=" SetEnvIf GEOIP_COUNTRY_CODE $country AllowCountryOrContinent\n" - GEOIP_CONF+=" SetEnvIf GEOIP_COUNTRY_CODE_V6 $country AllowCountryOrContinent\n" -done -GEOIP_CONF+=" Allow from env=AllowCountryOrContinent - Allow from 127.0.0.1/8 - Allow from 192.168.0.0/16 - Allow from 172.16.0.0/12 - Allow from 10.0.0.0/8 - Order Deny,Allow - Deny from all - -#Geoip-block-end - Please don't remove or change this line" - -# Write everything to the file -echo -e "$GEOIP_CONF" >> /etc/apache2/apache2.conf - -check_command systemctl restart apache2 - -msg_box "GeoBlock was successfully configured" - -exit diff --git a/network/trusted.sh b/network/trusted.sh deleted file mode 100644 index 4b05ca2..0000000 --- a/network/trusted.sh +++ /dev/null 
@@ -1,29 +0,0 @@ -#!/bin/bash - -# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/ - -# shellcheck disable=2034,2059 -true -SCRIPT_NAME="Trusted" -# shellcheck source=lib.sh -source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh) - -# Check for errors + debug code and abort if something isn't right -# 1 = ON -# 0 = OFF -DEBUG=0 -debug_mode - -download_script NETWORK update-config -if [ -f $SCRIPTS/update-config.php ] -then - # Change config.php - php $SCRIPTS/update-config.php $NCPATH/config/config.php 'trusted_domains[]' localhost "${ADDRESS[@]}" "$(hostname)" "$(hostname --fqdn)" >/dev/null 2>&1 - php $SCRIPTS/update-config.php $NCPATH/config/config.php overwrite.cli.url https://"$(hostname --fqdn)"/ >/dev/null 2>&1 - - # Change .htaccess accordingly - sed -i "s|RewriteBase /nextcloud|RewriteBase /|g" $NCPATH/.htaccess - - # Cleanup - rm -f $SCRIPTS/update-config.php -fi diff --git a/network/update-config.php b/network/update-config.php deleted file mode 100644 index cf88651..0000000 --- a/network/update-config.php +++ /dev/null @@ -1,53 +0,0 @@ -#!/usr/bin/php - -# Credit to: https://github.com/jnweiger - - 3) - { - # append [] to the key name, if you need to pass an array object. - if (substr($argv[2], -2) === '[]') - { - $CONFIG[substr($argv[2],0,-2)] = array_slice($argv,3); - } - else - { - $CONFIG[$argv[2]] = $argv[3]; - } - } -else - { - # exactly two parameter given -- means delete. - unset($CONFIG[$argv[2]]); - } - -$text = var_export($CONFIG, true); -## A warning is printed, if argv[1] is not writable. -## PHP does not issue proper errno or strerror() does it? -file_put_contents($argv[1], " From 7d084935515298849bd09c70330239df2ee634f0 Mon Sep 17 00:00:00 2001 From: enoch85 Date: Wed, 21 Oct 2020 22:23:15 +0200 Subject: [PATCH 11/86] change branch 
Signed-off-by: enoch85 --- addons/locales.sh | 2 +- addons/locate_mirror.sh | 2 +- addons/redis-server-ubuntu.sh | 2 +- addons/security.sh | 2 +- addons/smtp-mail.sh | 2 +- apps/adminer.sh | 2 +- apps/fail2ban.sh | 2 +- apps/webmin.sh | 2 +- lets-encrypt/activate-ssl.sh | 2 +- lets-encrypt/test-new-config.sh | 2 +- lib.sh | 2 +- menu/additional_apps.sh | 2 +- menu/fail2ban_menu.sh | 2 +- menu/main_menu.sh | 2 +- menu/menu.sh | 2 +- menu/nextcloud_configuration.sh | 2 +- menu/server_configuration.sh | 2 +- menu/startup_configuration.sh | 2 +- network/ddclient-configuration.sh | 2 +- network/static_ip.sh | 2 +- static/adduser.sh | 2 +- static/change-root-profile.sh | 2 +- static/change-wordpress-profile.sh | 2 +- static/change_mysql_pass.sh | 2 +- static/fetch_lib.sh | 4 ++-- static/new_etc_mycnf.sh | 2 +- static/ntpdate.sh | 2 +- static/redis-server-ubuntu.sh | 2 +- static/security.sh | 2 +- static/static_ip.sh | 2 +- static/test_connection.sh | 2 +- static/update.sh | 2 +- static/wordpress_update.sh | 2 +- 33 files changed, 34 insertions(+), 34 deletions(-) diff --git a/addons/locales.sh b/addons/locales.sh index 6391808..58fe0e3 100644 --- a/addons/locales.sh +++ b/addons/locales.sh @@ -6,7 +6,7 @@ true SCRIPT_NAME="Locales" # shellcheck source=lib.sh -source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh) +source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) # Check for errors + debug code and abort if something isn't right # 1 = ON diff --git a/addons/locate_mirror.sh b/addons/locate_mirror.sh index 67588b6..1f7289f 100644 --- a/addons/locate_mirror.sh +++ b/addons/locate_mirror.sh 
@@ -6,7 +6,7 @@ true SCRIPT_NAME="Locate Mirror" # shellcheck source=lib.sh -source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh) +source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) # Must be root root_check diff --git a/addons/redis-server-ubuntu.sh b/addons/redis-server-ubuntu.sh index 923e415..a04e816 100644 --- a/addons/redis-server-ubuntu.sh +++ b/addons/redis-server-ubuntu.sh @@ -3,7 +3,7 @@ true SCRIPT_NAME="Redis Server Ubuntu" # shellcheck source=lib.sh -source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh) +source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) # T&M Hansson IT AB © - 2020, https://www.hanssonit.se/ diff --git a/addons/security.sh b/addons/security.sh index e4a23db..6d3a8ac 100644 --- a/addons/security.sh +++ b/addons/security.sh @@ -7,7 +7,7 @@ true SCRIPT_NAME="Setup Extra Security" # shellcheck source=lib.sh -source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh) +source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) # Check for errors + debug code and abort if something isn't right # 1 = ON diff --git a/addons/smtp-mail.sh b/addons/smtp-mail.sh index 255f941..698d113 100644 --- a/addons/smtp-mail.sh +++ b/addons/smtp-mail.sh 
@@ -8,7 +8,7 @@ SCRIPT_NAME="SMTP Relay with msmtp" SCRIPT_EXPLAINER="This script will setup an SMTP Relay (Mail Server) in your Nextcloud Server \ that will be used to send emails about failed cronjob's and such." # shellcheck source=lib.sh -source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh) +source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) # Check for errors + debug code and abort if something isn't right # 1 = ON diff --git a/apps/adminer.sh b/apps/adminer.sh index a15c00e..987f415 100644 --- a/apps/adminer.sh +++ b/apps/adminer.sh @@ -7,7 +7,7 @@ true SCRIPT_NAME="Adminer" SCRIPT_EXPLAINER="Adminer is a full-featured database management tool written in PHP." # shellcheck source=lib.sh -source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh) +source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) # Check for errors + debug code and abort if something isn't right # 1 = ON diff --git a/apps/fail2ban.sh b/apps/fail2ban.sh index 40c532a..e390a8d 100644 --- a/apps/fail2ban.sh +++ b/apps/fail2ban.sh @@ -12,7 +12,7 @@ signs -- too many password failures, seeking for exploits, etc. Generally Fail2Ban is then used to update firewall rules to \ reject the IP addresses for a specified amount of time." # shellcheck source=lib.sh -source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh) +source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) # Get all needed variables from the library nc_update diff --git a/apps/webmin.sh b/apps/webmin.sh index 35c1047..7aa0bdc 100644 --- a/apps/webmin.sh +++ b/apps/webmin.sh 
@@ -12,7 +12,7 @@ and lets you manage a system from the console or remotely. See the following page with standard modules for a list of all the functions built into Webmin: \ https://webmin.com/standard.html" # shellcheck source=lib.sh -source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh) +source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) # Check for errors + debug code and abort if something isn't right # 1 = ON diff --git a/lets-encrypt/activate-ssl.sh b/lets-encrypt/activate-ssl.sh index 7885f5b..17708cb 100644 --- a/lets-encrypt/activate-ssl.sh +++ b/lets-encrypt/activate-ssl.sh @@ -2,7 +2,7 @@ # shellcheck disable=2034,2059 true # shellcheck source=lib.sh -. <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/master/lib.sh) +. <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) # T&M Hansson IT AB © - 2019, https://www.hanssonit.se/ diff --git a/lets-encrypt/test-new-config.sh b/lets-encrypt/test-new-config.sh index 93b6608..cc932ca 100644 --- a/lets-encrypt/test-new-config.sh +++ b/lets-encrypt/test-new-config.sh @@ -2,7 +2,7 @@ # shellcheck disable=2034,2059 true # shellcheck source=lib.sh -. <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/master/lib.sh) +. <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) # T&M Hansson IT AB © - 2019, https://www.hanssonit.se/ diff --git a/lib.sh b/lib.sh index fe21d32..c739113 100644 --- a/lib.sh +++ b/lib.sh 
@@ -79,7 +79,7 @@ MENU_GUIDE="Navigate with the [ARROW] keys and confirm by pressing [ENTER]. Canc RUN_LATER_GUIDE="You can view this script later by running 'sudo bash $SCRIPTS/menu.sh'." # Repo -GITHUB_REPO="https://raw.githubusercontent.com/techandme/wordpress-vm/master" +GITHUB_REPO="https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing" STATIC="$GITHUB_REPO/static" LETS_ENC="$GITHUB_REPO/lets-encrypt" APP="$GITHUB_REPO/apps" diff --git a/menu/additional_apps.sh b/menu/additional_apps.sh index 004998b..8a71070 100644 --- a/menu/additional_apps.sh +++ b/menu/additional_apps.sh @@ -6,7 +6,7 @@ true SCRIPT_NAME="Additional Apps Menu" # shellcheck source=lib.sh -source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh) +source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) # Check for errors + debug code and abort if something isn't right # 1 = ON diff --git a/menu/fail2ban_menu.sh b/menu/fail2ban_menu.sh index 9f2b75b..09f785a 100644 --- a/menu/fail2ban_menu.sh +++ b/menu/fail2ban_menu.sh @@ -6,7 +6,7 @@ true SCRIPT_NAME="Fail2ban Menu" # shellcheck source=lib.sh -source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh) +source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) # Check for errors + debug code and abort if something isn't right # 1 = ON diff --git a/menu/main_menu.sh b/menu/main_menu.sh index dc39b95..8bbeb9f 100644 --- a/menu/main_menu.sh +++ b/menu/main_menu.sh 
@@ -6,7 +6,7 @@ true SCRIPT_NAME="Main Menu" # shellcheck source=lib.sh -source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh) +source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) # Check for errors + debug code and abort if something isn't right # 1 = ON diff --git a/menu/menu.sh b/menu/menu.sh index 4670cc5..6e87b81 100644 --- a/menu/menu.sh +++ b/menu/menu.sh @@ -6,7 +6,7 @@ true SCRIPT_NAME="Main Menu" # shellcheck source=lib.sh -source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh) +source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) # Check for errors + debug code and abort if something isn't right # 1 = ON diff --git a/menu/nextcloud_configuration.sh b/menu/nextcloud_configuration.sh index b3eca80..6f9c5f7 100644 --- a/menu/nextcloud_configuration.sh +++ b/menu/nextcloud_configuration.sh @@ -6,7 +6,7 @@ true SCRIPT_NAME="Nextcloud Configuration Menu" # shellcheck source=lib.sh -source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh) +source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) # Get all needed variables from the library nc_update diff --git a/menu/server_configuration.sh b/menu/server_configuration.sh index 5f7d3fe..76d4376 100644 --- a/menu/server_configuration.sh +++ b/menu/server_configuration.sh 
@@ -6,7 +6,7 @@ true SCRIPT_NAME="Server Configuration Menu" # shellcheck source=lib.sh -source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh) +source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) # Check for errors + debug code and abort if something isn't right # 1 = ON diff --git a/menu/startup_configuration.sh b/menu/startup_configuration.sh index 33978c0..81853ba 100644 --- a/menu/startup_configuration.sh +++ b/menu/startup_configuration.sh @@ -6,7 +6,7 @@ true SCRIPT_NAME="Startup Configuration Menu" # shellcheck source=lib.sh -source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh) +source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) # Check for errors + debug code and abort if something isn't right # 1 = ON diff --git a/network/ddclient-configuration.sh b/network/ddclient-configuration.sh index ced0792..212bc4c 100644 --- a/network/ddclient-configuration.sh +++ b/network/ddclient-configuration.sh @@ -8,7 +8,7 @@ true SCRIPT_NAME="DynDNS with ddclient" SCRIPT_EXPLAINER="This script lets you setup DynDNS by using the Linux ddclient software." # shellcheck source=lib.sh -source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh) +source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) # Check for errors + debug code and abort if something isn't right # 1 = ON diff --git a/network/static_ip.sh b/network/static_ip.sh index 7e8f474..99e8e8e 100644 --- a/network/static_ip.sh +++ b/network/static_ip.sh 
@@ -9,7 +9,7 @@ then true SCRIPT_NAME="Static IP" # shellcheck source=lib.sh -source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh) +source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) # If we have internet, then use the latest variables from the lib remote file elif [ -f /var/scripts/lib.sh ] then diff --git a/static/adduser.sh b/static/adduser.sh index 21217ae..6a6ad66 100644 --- a/static/adduser.sh +++ b/static/adduser.sh @@ -2,7 +2,7 @@ # shellcheck disable=2034,2059 true # shellcheck source=lib.sh -. <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/master/lib.sh) +. <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) # T&M Hansson IT AB © - 2019, https://www.hanssonit.se/ diff --git a/static/change-root-profile.sh b/static/change-root-profile.sh index 2a43c42..9bc1af0 100644 --- a/static/change-root-profile.sh +++ b/static/change-root-profile.sh @@ -5,7 +5,7 @@ # shellcheck disable=2034,2059 true # shellcheck source=lib.sh -. <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/master/lib.sh) +. <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) # Check for errors + debug code and abort if something isn't right # 1 = ON diff --git a/static/change-wordpress-profile.sh b/static/change-wordpress-profile.sh index 730f826..5a27406 100644 --- a/static/change-wordpress-profile.sh +++ b/static/change-wordpress-profile.sh @@ -5,7 +5,7 @@ # shellcheck disable=2034,2059 true # shellcheck source=lib.sh -. <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/master/lib.sh) +. <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) # Check for errors + debug code and abort if something isn't right # 1 = ON 
diff --git a/static/change_mysql_pass.sh b/static/change_mysql_pass.sh index 829e5d8..2c9c23a 100644 --- a/static/change_mysql_pass.sh +++ b/static/change_mysql_pass.sh @@ -2,7 +2,7 @@ # shellcheck disable=2034,2059 true # shellcheck source=lib.sh -MYCNFPW=1 . <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/master/lib.sh) +MYCNFPW=1 . <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) unset MYCNFPW # T&M Hansson IT AB © - 2019, https://www.hanssonit.se/ diff --git a/static/fetch_lib.sh b/static/fetch_lib.sh index d525984..edeff9d 100644 --- a/static/fetch_lib.sh +++ b/static/fetch_lib.sh @@ -21,7 +21,7 @@ fi mkdir -p /var/scripts if ! [ -f /var/scripts/lib.sh ] then - if ! curl -sfL https://raw.githubusercontent.com/techandme/wordpress-vm/master/lib.sh -o /var/scripts/lib.sh + if ! curl -sfL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh -o /var/scripts/lib.sh then print_text_in_color "$IRed" "You don't seem to have an internet \ connection and the local lib isn't available. Hence you cannot run this script." @@ -30,7 +30,7 @@ connection and the local lib isn't available. Hence you cannot run this script." elif ! [ -f /var/scripts/wordpress-startup-script.sh ] then print_text_in_color "$ICyan" "Updating lib..." - curl -sfL https://raw.githubusercontent.com/techandme/wordpress-vm/master/lib.sh -o /var/scripts/lib.sh + curl -sfL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh -o /var/scripts/lib.sh fi # shellcheck source=lib.sh diff --git a/static/new_etc_mycnf.sh b/static/new_etc_mycnf.sh index bd239c9..4e8dbe1 100644 --- a/static/new_etc_mycnf.sh +++ b/static/new_etc_mycnf.sh 
@@ -2,7 +2,7 @@ # shellcheck disable=2034,2059 true # shellcheck source=lib.sh -. <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/master/lib.sh) +. <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) # Check for errors + debug code and abort if something isn't right # 1 = ON diff --git a/static/ntpdate.sh b/static/ntpdate.sh index aa27a2d..8185c7a 100644 --- a/static/ntpdate.sh +++ b/static/ntpdate.sh @@ -5,7 +5,7 @@ # shellcheck disable=2034,2059 true # shellcheck source=lib.sh -. <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/master/lib.sh) +. <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) # Check for errors + debug code and abort if something isn't right # 1 = ON diff --git a/static/redis-server-ubuntu.sh b/static/redis-server-ubuntu.sh index 0839b13..13bd589 100644 --- a/static/redis-server-ubuntu.sh +++ b/static/redis-server-ubuntu.sh @@ -2,7 +2,7 @@ # shellcheck disable=2034,2059 true # shellcheck source=lib.sh -. <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/master/lib.sh) +. <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) # T&M Hansson IT AB © - 2019, https://www.hanssonit.se/ diff --git a/static/security.sh b/static/security.sh index 8ea0828..8b73584 100644 --- a/static/security.sh +++ b/static/security.sh @@ -6,7 +6,7 @@ # shellcheck disable=2034,2059,SC2154 true # shellcheck source=lib.sh -. <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/master/lib.sh) +. <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) # Check for errors + debug code and abort if something isn't right # 1 = ON diff --git a/static/static_ip.sh b/static/static_ip.sh index 4549846..5f55018 100644 --- a/static/static_ip.sh +++ b/static/static_ip.sh 
@@ -5,7 +5,7 @@ # shellcheck disable=2034,2059 true # shellcheck source=lib.sh -FIRST_IFACE=1 . <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/master/lib.sh) +FIRST_IFACE=1 . <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) unset FIRST_IFACE # Check for errors + debug code and abort if something isn't right diff --git a/static/test_connection.sh b/static/test_connection.sh index 6b206e8..200e961 100644 --- a/static/test_connection.sh +++ b/static/test_connection.sh @@ -2,7 +2,7 @@ # shellcheck disable=2034,2059 true # shellcheck source=lib.sh -. <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/master/lib.sh) +. <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) # T&M Hansson IT AB © - 2019, https://www.hanssonit.se/ diff --git a/static/update.sh b/static/update.sh index f55303b..10c89b2 100644 --- a/static/update.sh +++ b/static/update.sh @@ -5,7 +5,7 @@ # shellcheck disable=2034,2059 true # shellcheck source=lib.sh -. <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/master/lib.sh) +. <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) # Check for errors + debug code and abort if something isn't right # 1 = ON diff --git a/static/wordpress_update.sh b/static/wordpress_update.sh index 7e626b7..f2682c5 100644 --- a/static/wordpress_update.sh +++ b/static/wordpress_update.sh @@ -5,7 +5,7 @@ # shellcheck disable=2034,2059 true # shellcheck source=lib.sh -. <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/master/lib.sh) +. <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) # Check for errors + debug code and abort if something isn't right # 1 = ON From 26650d75a8c256dd2c7d6efef46da54dda85200b Mon Sep 17 00:00:00 2001 
From: Daniel Hansson Date: Wed, 21 Oct 2020 22:43:52 +0200 Subject: [PATCH 12/86] travis --- lib.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/lib.sh b/lib.sh index c739113..d7a515e 100644 --- a/lib.sh +++ b/lib.sh @@ -331,6 +331,7 @@ something is wrong here. Please report this to $ISSUES" wp_cli_cmd() { export WP_CLI_CACHE_DIR=$WPATH/.wp-cli/cache check_command sudo -u www-data /usr/local/bin/wp "$@"; +} # Check if process is runnnig: is_process_running dpkg is_process_running() { From 3cf1b3a24535e1b246636738b1a371b1a9b72957 Mon Sep 17 00:00:00 2001 From: enoch85 Date: Wed, 21 Oct 2020 23:06:01 +0200 Subject: [PATCH 13/86] travis Signed-off-by: enoch85 --- addons/redis-server-ubuntu.sh | 26 +++++--------------------- wordpress-startup-script.sh | 2 +- 2 files changed, 6 insertions(+), 22 deletions(-) diff --git a/addons/redis-server-ubuntu.sh b/addons/redis-server-ubuntu.sh index a04e816..bf94a45 100644 --- a/addons/redis-server-ubuntu.sh +++ b/addons/redis-server-ubuntu.sh 
@@ -49,27 +49,11 @@ install_if_not redis-server # Setting direct to PHP-FPM as it's installed with PECL (globally doesn't work) print_text_in_color "$ICyan" "Adding extension=redis.so to $PHP_INI..." -echo 'extension=redis.so' >> "$PHP_INI" - -# Prepare for adding redis configuration -sed -i "s|);||g" $NCPATH/config/config.php - -# Add the needed config to Nextclouds config.php -cat <> $NCPATH/config/config.php - 'memcache.local' => '\\OC\\Memcache\\APCu', - 'filelocking.enabled' => true, - 'memcache.distributed' => '\\OC\\Memcache\\Redis', - 'memcache.locking' => '\\OC\\Memcache\\Redis', - 'redis' => - array ( - 'host' => '$REDIS_SOCK', - 'port' => 0, - 'timeout' => 0.5, - 'dbindex' => 0, - 'password' => '$REDIS_PASS', - ), -); -ADD_TO_CONFIG +# FPM is needed for frontend +echo 'extension=redis.so' >> /etc/php/"$PHPVER"/fpm/php.ini +# CLI is needed for backend +echo 'extension=redis.so' >> /etc/php/"$PHPVER"/cli/php.ini +restart_webserver ## Redis performance tweaks ## if ! grep -Fxq "vm.overcommit_memory = 1" /etc/sysctl.conf diff --git a/wordpress-startup-script.sh b/wordpress-startup-script.sh index c5cfcd9..3772e5b 100644 --- a/wordpress-startup-script.sh +++ b/wordpress-startup-script.sh @@ -311,7 +311,7 @@ rm -f "$SCRIPTS/wordpress_configuration.sh" rm -f "$SCRIPTS/additional_apps.sh" rm -f "$SCRIPTS/adduser.sh" find /root "/home/$SUDO_USER" -type f \( -name '*.sh*' -o -name '*.html*' -o -name '*.tar*' -o -name 'results' -o -name '*.zip*' \) -delete -find "$WPPATH" -type f \( -name 'results' -o -name '*.sh*' \) -delete +find "$PPATH" -type f \( -name 'results' -o -name '*.sh*' \) -delete sed -i "s|instruction.sh|wordpress.sh|g" "/home/$SUDO_USER/.bash_profile" truncate -s 0 \ From e90b24e6e448f1b7d3e1b67aa21d0897770eb6c9 Mon Sep 17 00:00:00 2001 From: enoch85 Date: Wed, 21 Oct 2020 23:07:39 +0200 Subject: [PATCH 14/86] remove old redis script 
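Review bot: The two added `echo 'extension=redis.so' >> /etc/php/"$PHPVER"/…/php.ini` lines in addons/redis-server-ubuntu.sh append unconditionally, so every re-run of the addon adds another copy of the directive to both ini files. The same hunk already guards the sysctl.conf edit with `grep -Fxq`, and the same pattern fits here: `grep -Fxq 'extension=redis.so' /etc/php/"$PHPVER"/fpm/php.ini || echo 'extension=redis.so' >> /etc/php/"$PHPVER"/fpm/php.ini`, and likewise for the cli file. The script continues outside the hunk.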
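Review bot: In the wordpress-startup-script.sh hunk, `find "$PPATH" … -delete` uses a variable that the visible part of lib.sh does not define; the WordPress directory is named `WPATH` there. If `PPATH` is indeed unset, the argument expands to an empty string, GNU find rejects it, and the cleanup of leftover `results` and `*.sh*` files in the web root is skipped without stopping the script. The PATCH 16/86 hunk for the same line changes it to `find "WPATH"`, which is a literal relative path and still never reaches the WordPress directory. I would write `find "${WPATH:?}" -type f \( -name 'results' -o -name '*.sh*' \) -delete`, so that an unset variable aborts instead of silently doing nothing.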
Signed-off-by: enoch85 --- static/redis-server-ubuntu.sh | 96 ----------------------------------- 1 file changed, 96 deletions(-) delete mode 100644 static/redis-server-ubuntu.sh diff --git a/static/redis-server-ubuntu.sh b/static/redis-server-ubuntu.sh deleted file mode 100644 index 13bd589..0000000 --- a/static/redis-server-ubuntu.sh +++ /dev/null 
@@ -1,96 +0,0 @@ -#!/bin/bash -# shellcheck disable=2034,2059 -true -# shellcheck source=lib.sh -. <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) - -# T&M Hansson IT AB © - 2019, https://www.hanssonit.se/ - -# Check for errors + debug code and abort if something isn't right -# 1 = ON -# 0 = OFF -DEBUG=0 -debug_mode - -# Must be root -root_check - -# Check Ubuntu version -print_text_in_color "$ICyan" "Checking server OS and version..." -if [ "$OS" != 1 ] -then - print_text_in_color "$IRed" "Ubuntu Server is required to run this script." - print_text_in_color "$IRed" "Please install that distro and try again." - exit 1 -fi - - -if ! version 18.04 "$DISTRO" 18.04.4; then - print_text_in_color "$IRed" "Ubuntu version $DISTRO must be between 18.04 - 18.04.4" - exit -fi - -# Check if dir exists -if [ ! -d $SCRIPTS ] -then - mkdir -p $SCRIPTS -fi - -# Install Redis -install_if_not php"$PHPVER"-dev -pecl channel-update pecl.php.net -if ! yes no | pecl install -Z redis -then - msg_box "PHP module installation failed" -exit 1 -else - print_text_in_color "$IGreen" "PHP module installation OK!" -fi -install_if_not redis-server - -# FPM is needed for frontend -echo 'extension=redis.so' >> /etc/php/"$PHPVER"/fpm/php.ini -# CLI is needed for backend -echo 'extension=redis.so' >> /etc/php/"$PHPVER"/cli/php.ini -service php"$PHPVER"-fpm restart -service nginx restart - -# Install Redis -if ! apt -y install redis-server -then - print_text_in_color "$IRed" "Installation failed." - sleep 3 - exit 1 -else - print_text_in_color "$IGreen" "Redis installation OK!" -fi - -## Redis performance tweaks ## -if ! grep -Fxq "vm.overcommit_memory = 1" /etc/sysctl.conf -then - echo 'vm.overcommit_memory = 1' >> /etc/sysctl.conf -fi - -# Disable THP -if ! 
grep -Fxq "never" /sys/kernel/mm/transparent_hugepage/enabled -then - echo "never" > /sys/kernel/mm/transparent_hugepage/enabled -fi - -sed -i "s|# unixsocket .*|unixsocket $REDIS_SOCK|g" $REDIS_CONF -sed -i "s|# unixsocketperm .*|unixsocketperm 777|g" $REDIS_CONF -sed -i "s|^port.*|port 0|" $REDIS_CONF -sed -i "s|# requirepass .*|requirepass $(cat $REDISPTXT)|g" $REDIS_CONF -sed -i 's|# rename-command CONFIG ""|rename-command CONFIG ""|' $REDIS_CONF -redis-cli SHUTDOWN -rm -f $REDISPTXT - -# Secure Redis -chown redis:root /etc/redis/redis.conf -chmod 600 /etc/redis/redis.conf - -apt update -q4 & spinner_loading -apt autoremove -y -apt autoclean - -exit From 2b6a61b1bf7cd0b3231f3be55a0330ccc9def4f3 Mon Sep 17 00:00:00 2001 From: enoch85 Date: Wed, 21 Oct 2020 23:10:49 +0200 Subject: [PATCH 15/86] adopt wp to redis Signed-off-by: enoch85 --- addons/redis-server-ubuntu.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/addons/redis-server-ubuntu.sh b/addons/redis-server-ubuntu.sh index bf94a45..16af41b 100644 --- a/addons/redis-server-ubuntu.sh +++ b/addons/redis-server-ubuntu.sh @@ -77,7 +77,7 @@ fi sed -i "s|# unixsocket .*|unixsocket $REDIS_SOCK|g" $REDIS_CONF sed -i "s|# unixsocketperm .*|unixsocketperm 777|g" $REDIS_CONF sed -i "s|^port.*|port 0|" $REDIS_CONF -sed -i "s|# requirepass .*|requirepass $REDIS_PASS|g" $REDIS_CONF +sed -i "s|# requirepass .*|requirepass $(cat $REDISPTXT)|g" $REDIS_CONF sed -i 's|# rename-command CONFIG ""|rename-command CONFIG ""|' $REDIS_CONF redis-cli SHUTDOWN @@ -88,5 +88,6 @@ chmod 600 /etc/redis/redis.conf apt update -q4 & spinner_loading apt autoremove -y apt autoclean +rm -f "$REDISPTXT" exit From 4f7b178b542a661816496e4695e5ef22f4e40482 Mon Sep 17 00:00:00 2001 From: enoch85 Date: Wed, 21 Oct 2020 23:26:03 +0200 Subject: [PATCH 16/86] travis Signed-off-by: enoch85 --- wordpress-startup-script.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
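Review bot: The new `requirepass $(cat $REDISPTXT)` substitution in addons/redis-server-ubuntu.sh has no check that the file exists and is non-empty, so a missing or empty `$REDISPTXT` would leave `requirepass` without a value. That matters here because the unchanged line above sets `unixsocketperm 777`, which makes the password the only barrier for local users. The value is also spliced into a sed replacement, where a `|`, `&` or `\` in the password would corrupt the line, and `$REDISPTXT` and `$REDIS_CONF` are unquoted. I would read it once with `REDIS_PASS="$(cat "$REDISPTXT")"`, stop with `[ -n "$REDIS_PASS" ] || exit 1`, and only then run the sed against `"$REDIS_CONF"`.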
diff --git a/wordpress-startup-script.sh b/wordpress-startup-script.sh index 3772e5b..15a3a73 100644 --- a/wordpress-startup-script.sh +++ b/wordpress-startup-script.sh @@ -311,7 +311,7 @@ rm -f "$SCRIPTS/wordpress_configuration.sh" rm -f "$SCRIPTS/additional_apps.sh" rm -f "$SCRIPTS/adduser.sh" find /root "/home/$SUDO_USER" -type f \( -name '*.sh*' -o -name '*.html*' -o -name '*.tar*' -o -name 'results' -o -name '*.zip*' \) -delete -find "$PPATH" -type f \( -name 'results' -o -name '*.sh*' \) -delete +find "WPATH" -type f \( -name 'results' -o -name '*.sh*' \) -delete sed -i "s|instruction.sh|wordpress.sh|g" "/home/$SUDO_USER/.bash_profile" truncate -s 0 \ From e39e3941f48a517313e7ca452e7abf4fe46cccd3 Mon Sep 17 00:00:00 2001 From: Daniel Hansson Date: Thu, 22 Oct 2020 21:33:58 +0200 Subject: [PATCH 17/86] use new function --- static/adduser.sh | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/static/adduser.sh b/static/adduser.sh index 6a6ad66..5f12b45 100644 --- a/static/adduser.sh +++ b/static/adduser.sh @@ -1,10 +1,11 @@ #!/bin/bash # shellcheck disable=2034,2059 true +SCRIPT_NAME="Add CLI User" # shellcheck source=lib.sh -. <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) +source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) -# T&M Hansson IT AB © - 2019, https://www.hanssonit.se/ +# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/ # Check for errors + debug code and abort if something isn't right # 1 = ON 
@@ -14,13 +15,14 @@ debug_mode if [[ $UNIXUSER != "wordpress" ]] then -msg_box "Current user with sudo permissions is: $UNIXUSER. + msg_box "Current user with sudo permissions is: $UNIXUSER. This script will set up everything with that user. If the field after ':' is blank you are probably running as a pure root user. It's possible to install with root, but there will be minor errors. + Please create a user with sudo permissions if you want an optimal installation. -The preferred user is 'wordpress'." - if [[ "no" == $(ask_yes_or_no "Do you want to create a new user?") ]] +The preferred user is 'ncadmin'." + if ! yesno_box_yes "Do you want to create a new user?" then print_text_in_color "$ICyan" "Not adding another user..." sleep 1 @@ -29,7 +31,7 @@ The preferred user is 'wordpress'." adduser --disabled-password --gecos "" "$NEWUSER" sudo usermod -aG sudo "$NEWUSER" usermod -s /bin/bash "$NEWUSER" - while true + while : do sudo passwd "$NEWUSER" && break done From 330d88f46be1580e43537581a55336cbfa1ee59b Mon Sep 17 00:00:00 2001 From: Daniel Hansson Date: Thu, 22 Oct 2020 22:21:44 +0200 Subject: [PATCH 18/86] minor changes --- wordpress_install.sh | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/wordpress_install.sh b/wordpress_install.sh index 6a87615..f9d0a58 100644 --- a/wordpress_install.sh +++ b/wordpress_install.sh 
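Review bot: The msg_box text in static/adduser.sh now says `The preferred user is 'ncadmin'.` while the condition directly above it still tests `$UNIXUSER != "wordpress"`. This looks like a leftover from the Nextcloud version of the script; the message should keep naming `'wordpress'`, so that the user the admin is told to create is the one the check accepts.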
@@ -209,13 +209,12 @@ chmod 0600 $MYCNF chown root:root $MYCNF # Install MARIADB -apt install software-properties-common -y -sudo apt-key adv --recv-keys --keyserver hkp://keyserver.ubuntu.com:80 0xF1656F24C74CD1D8 -sudo add-apt-repository 'deb [arch=amd64,i386,ppc64el] http://ftp.ddg.lth.se/mariadb/repo/10.5/ubuntu xenial main' +install_if_not software-properties-common +curl -LsS https://downloads.mariadb.com/MariaDB/mariadb_repo_setup | sudo bash -s -- --mariadb-server-version="mariadb-10.5" --skip-maxscale sudo debconf-set-selections <<< "mariadb-server-10.5 mysql-server/root_password password $MARIADB_PASS" sudo debconf-set-selections <<< "mariadb-server-10.5 mysql-server/root_password_again password $MARIADB_PASS" apt update -q4 & spinner_loading -check_command apt install mariadb-server-10.5 -y +install_if_not mariadb-server-10.5 # Prepare for Wordpress installation # https://blog.v-gar.de/2017/02/en-solved-error-1698-28000-in-mysqlmariadb/ @@ -249,7 +248,7 @@ apt -y purge expect run_static_script new_etc_mycnf # Install VM-tools -apt install open-vm-tools -y +install_if_not open-vm-tools # Install Nginx check_command yes | add-apt-repository ppa:nginx/stable @@ -557,7 +556,7 @@ then fi # Install Figlet -apt install figlet -y +install_if_not figlet # Generate $SSL_CONF install_if_not ssl-cert From c638b3c55ebbfe2c40d98b9a6676629c7b440bac Mon Sep 17 00:00:00 2001 From: Daniel Hansson Date: Thu, 22 Oct 2020 22:27:03 +0200 Subject: [PATCH 19/86] remove geoblock --- static/nginx.conf | 35 +---------------------------------- 1 file changed, 1 insertion(+), 34 deletions(-) diff --git a/static/nginx.conf b/static/nginx.conf index 970d962..4242717 100644 --- a/static/nginx.conf +++ b/static/nginx.conf 
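Review bot: The new `curl -LsS https://downloads.mariadb.com/MariaDB/mariadb_repo_setup | sudo bash -s -- …` line in wordpress_install.sh runs a remotely fetched script as root with no integrity check, where the removed lines at least pinned a specific signing key. The pipeline is also not wrapped in `check_command` and curl has no `-f`, so a failed or partial download is not detected before bash runs it. I would download to a temporary file, verify it against the SHA-256 checksum MariaDB publishes for the script, and execute it only after that check passes, as sketched below with a placeholder checksum.

```shell
install_if_not software-properties-common
repo_setup="$(mktemp)"
check_command curl -fLsS -o "$repo_setup" https://downloads.mariadb.com/MariaDB/mariadb_repo_setup
# EXPECTED_SHA256 is a placeholder: use the checksum published for the script version you reviewed
if ! echo "EXPECTED_SHA256  $repo_setup" | sha256sum -c -
then
    msg_box "mariadb_repo_setup failed checksum verification."
    exit 1
fi
check_command sudo bash "$repo_setup" --mariadb-server-version="mariadb-10.5" --skip-maxscale
rm -f "$repo_setup"
# … unchanged: debconf-set-selections, apt update, install_if_not mariadb-server-10.5 …
```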
@@ -12,37 +12,6 @@ events { } http { - -# GEO IP BLOCK DOMAIN -geoip_country /usr/share/GeoIP/GeoIP.dat; - map $geoip_country_code $allowed_country { - default yes; - CN no; #China -# RU no; #Russia -# HK no; #Hong Kong -# IN no; #India -# IR no; #Iran -# VN no; #Vietnam -# TR no; #Turkey -# EG no; #Egypt -# MX no; #Mexico -# JP no; #Japan -# KR no; #South Korea -# KP no; #North Korea :) -# PE no; #Peru -# BR no; #Brazil -# UA no; #Ukraine -# ID no; #Indonesia -# TH no; #Thailand - } - -# To activate GEO BLOCK, add this in the default conf: -# COUNTRY GEO BLOCK -# if ($allowed_country = no) { -# return 444; -# } - - ## # Basic Settings ## @@ -67,12 +36,10 @@ geoip_country /usr/share/GeoIP/GeoIP.dat; # SSL Settings ## - ssl_early_data on; + ssl_early_data on; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; ssl_prefer_server_ciphers on; - - ## # Logging Settings From a2a256502779520af19b6dbcb88bdb8826de367f Mon Sep 17 00:00:00 2001 From: enoch85 Date: Thu, 22 Oct 2020 22:34:17 +0200 Subject: [PATCH 20/86] run_script Signed-off-by: enoch85 --- static/update.sh | 2 +- wordpress_install.sh | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/static/update.sh b/static/update.sh index 10c89b2..cc7ea23 100644 --- a/static/update.sh +++ b/static/update.sh @@ -23,6 +23,6 @@ fi mkdir -p "$SCRIPTS" # Delete, download, run -run_static_script wordpress_update +run_script STATIC wordpress_update exit diff --git a/wordpress_install.sh b/wordpress_install.sh index f9d0a58..cb87eec 100644 --- a/wordpress_install.sh +++ b/wordpress_install.sh 
@@ -245,7 +245,7 @@ echo "$SECURE_MYSQL" apt -y purge expect # Write a new MariaDB config -run_static_script new_etc_mycnf +run_script STATIC new_etc_mycnf # Install VM-tools install_if_not open-vm-tools @@ -291,7 +291,7 @@ sed -i "s|date.timezone =.*|date.timezone = Europe/Stockholm|g" "$PHP_INI" check_command echo "$REDIS_PASS" > $REDISPTXT # Install Redis -run_static_script redis-server-ubuntu +run_script STATIC redis-server-ubuntu # Enable OPCache for PHP phpenmod opcache From 5aa4d61b1b954b0022d670000b72af7f6ab44c2a Mon Sep 17 00:00:00 2001 From: enoch85 Date: Thu, 22 Oct 2020 22:41:10 +0200 Subject: [PATCH 21/86] smaller fixes Signed-off-by: enoch85 --- wordpress_install.sh | 47 ++++++++++++++++++++++---------------------- 1 file changed, 23 insertions(+), 24 deletions(-) diff --git a/wordpress_install.sh b/wordpress_install.sh index cb87eec..621d00b 100644 --- a/wordpress_install.sh +++ b/wordpress_install.sh @@ -481,7 +481,7 @@ wp_cli_cmd plugin delete akismet wp_cli_cmd plugin delete hello # Secure permissions -run_script wp-permissions +run_script STATIC wp-permissions # Hardening security # create .htaccess to protect uploads directory @@ -568,7 +568,7 @@ then server { listen 443 ssl http2; listen [::]:443 ssl http2; - + ## Your website name goes here. # server_name example.com; ## Your only path reference. @@ -577,14 +577,14 @@ server { index index.php; resolver $GATEWAY; - + ## Show real IP behind proxy (change to the proxy IP) # set_real_ip_from $GATEWAY/24; # set_real_ip_from $GATEWAY; # set_real_ip_from 2001:0db8::/32; # real_ip_header X-Forwarded-For; # real_ip_recursive on; - + # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem; ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key; 
@@ -611,14 +611,13 @@ server { ## verify chain of trust of OCSP response using Root CA and Intermediate certs # ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates; - location / { - try_files \$uri \$uri/ /index.php?\$args; + try_files \$uri \$uri/ /index.php?\$args; } - + location ~ /\\. { access_log off; - log_not_found off; + log_not_found off; deny all; } @@ -674,7 +673,7 @@ then server { listen 80; listen [::]:80; - + ## Your website name goes here. # server_name example.com; ## Your only path reference. @@ -683,18 +682,18 @@ server { index index.php; resolver $GATEWAY; - + ## Show real IP behind proxy (change to the proxy IP) # set_real_ip_from $GATEWAY/24; # set_real_ip_from $GATEWAY; # set_real_ip_from 2001:0db8::/32; # real_ip_header X-Forwarded-For; # real_ip_recursive on; - + location / { - try_files \$uri \$uri/ /index.php?\$args; + try_files \$uri \$uri/ /index.php?\$args; } - + location ~ /\\. { access_log off; log_not_found off; @@ -711,7 +710,7 @@ server { log_not_found off; access_log off; } - + location ~* \.php$ { location ~ \wp-login.php$ { allow $GATEWAY/24; @@ -762,7 +761,7 @@ events { multi_accept on; use epoll; } - + http { ## @@ -810,7 +809,7 @@ http { # gzip_proxied any; # gzip_comp_level 6; gzip_buffers 16 4k; - # gzip_http_version 1.1; + # gzip_http_version 1.1; # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; ## @@ -828,17 +827,17 @@ http { #mail { # # See sample authentication script at: # # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript -# +# # # auth_http localhost/auth.php; # # pop3_capabilities "TOP" "USER"; # # imap_capabilities "IMAP4rev1" "UIDPLUS"; -# +# # server { # listen localhost:110; # protocol pop3; # proxy on; # } -# +# # server { # listen localhost:143; # protocol imap; 
@@ -919,9 +918,9 @@ sleep 1 fi # Enable new config -ln -s "$NGINX_DEF" /etc/nginx/sites-enabled/ -ln -s "$TLS_CONF" /etc/nginx/sites-enabled/ -ln -s "$HTTP_CONF" /etc/nginx/sites-enabled/ +ln -s "$SITES_AVAILABLE"/"$NGINX_DEF" /etc/nginx/sites-enabled/ +ln -s "$SITES_AVAILABLE"/"$TLS_CONF" /etc/nginx/sites-enabled/ +ln -s "$SITES_AVAILABLE"/"$HTTP_CONF" /etc/nginx/sites-enabled/ restart_webserver # Enable UTF8mb4 (4-byte support) @@ -965,8 +964,8 @@ chmod +x -R "$SCRIPTS" chown root:root -R "$SCRIPTS" # Prepare first bootup -check_command run_script STATIC change-wordpress-profile -check_command run_script STATIC change-root-profile +run_script STATIC change-wordpress-profile +run_script STATIC change-root-profile # Disable hibernation print_text_in_color "$ICyan" "Disable hibernation..." From f252fa59a2920b43296dfe371f08c35732e01261 Mon Sep 17 00:00:00 2001 From: enoch85 Date: Thu, 22 Oct 2020 22:49:20 +0200 Subject: [PATCH 22/86] ln -s Signed-off-by: enoch85 --- wordpress_install.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/wordpress_install.sh b/wordpress_install.sh index 621d00b..e077d41 100644 --- a/wordpress_install.sh +++ b/wordpress_install.sh @@ -918,9 +918,9 @@ sleep 1 fi # Enable new config -ln -s "$SITES_AVAILABLE"/"$NGINX_DEF" /etc/nginx/sites-enabled/ -ln -s "$SITES_AVAILABLE"/"$TLS_CONF" /etc/nginx/sites-enabled/ -ln -s "$SITES_AVAILABLE"/"$HTTP_CONF" /etc/nginx/sites-enabled/ +ln -s "$SITES_AVAILABLE"/"$NGINX_DEF" "$SITES_ENABLED"/"$NGINX_DEF" +ln -s "$SITES_AVAILABLE"/"$TLS_CONF" "$SITES_ENABLED"/"$TLS_CONF" +ln -s "$SITES_AVAILABLE"/"$HTTP_CONF" "$SITES_ENABLED"/"$HTTP_CONF" restart_webserver # Enable UTF8mb4 (4-byte support) From 4615eb663e54ae78bf5aef3c22ff0d2bc9d9c7ff Mon Sep 17 00:00:00 2001 From: Daniel Hansson Date: Thu, 22 Oct 2020 23:16:28 +0200 Subject: [PATCH 23/86] 10.5 --- static/new_etc_mycnf.sh | 50 ++++++++--------------------------------- 1 file changed, 9 insertions(+), 41 deletions(-) 
diff --git a/static/new_etc_mycnf.sh b/static/new_etc_mycnf.sh index 4e8dbe1..0fe10d6 100644 --- a/static/new_etc_mycnf.sh +++ b/static/new_etc_mycnf.sh @@ -1,27 +1,3 @@ -#!/bin/bash -# shellcheck disable=2034,2059 -true -# shellcheck source=lib.sh -. <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) - -# Check for errors + debug code and abort if something isn't right -# 1 = ON -# 0 = OFF -DEBUG=0 -debug_mode - -# Check if root -if ! is_root -then - printf "\n${Red}Sorry, you are not root.\n${Color_Off}You must type: ${Cyan}sudo ${Color_Off}bash %s/wordpress_install_production.sh\n" "$SCRIPTS" - exit 1 -fi - -# MariaDB recomends this -mv -f /etc/mysql/my.cnf /etc/mysql/my.cnf.old -ln -sf mariadb.cnf $ETCMYCNF - -/bin/cat <"$ETCMYCNF" # MariaDB database server configuration file. # # You can copy this file to one of: @@ -61,6 +37,7 @@ tmpdir = /tmp lc_messages_dir = /usr/share/mysql lc_messages = en_US skip-external-locking +skip-name-resolve # # Instead of skip-networking the default is now to listen only on # localhost which is more compatible and is not less secure. @@ -70,13 +47,13 @@ bind-address = 127.0.0.1 # max_connections = 100 connect_timeout = 5 -wait_timeout = 600 +wait_timeout = 300 max_allowed_packet = 16M thread_cache_size = 128 sort_buffer_size = 4M bulk_insert_buffer_size = 16M -tmp_table_size = 32M -max_heap_table_size = 32M +tmp_table_size = 64M +max_heap_table_size = 64M # # * MyISAM # @@ -94,8 +71,10 @@ read_rnd_buffer_size = 1M # * Query Cache Configuration # # Cache only tiny result sets, so we can fit more in the query cache. -query_cache_limit = 128K -query_cache_size = 64M +query_cache_type = 1 +query_cache_limit = 256K +query_cache_min_res_unit = 2k +query_cache_size = 80M # for more write intensive setups, set to DEMAND or OFF #query_cache_type = DEMAND # 
@@ -115,7 +94,7 @@ log_warnings = 2 # Enable the slow query log to see queries with especially long duration #slow_query_log[={0|1}] slow_query_log_file = /var/log/mysql/mariadb-slow.log -long_query_time = 10 +long_query_time = 10 #log_slow_rate_limit = 1000 log_slow_verbosity = query_plan #log-queries-not-using-indexes @@ -208,9 +187,7 @@ max_allowed_packet = 16M default-character-set = utf8mb4 #no-auto-rehash # faster start of mysql but no tab completion [mariadb] -innodb_use_fallocate = 1 innodb_use_atomic_writes = 1 -innodb_use_trim = 1 [isamchk] key_buffer = 16M # @@ -218,12 +195,3 @@ key_buffer = 16M # The files must end with '.cnf', otherwise they'll be ignored. # !includedir /etc/mysql/conf.d/ -WRITENEW - -# Restart MariaDB -check_command systemctl stop mariadb & spinner_loading -# mysqladmin shutdown --force & spinner_loading -wait -check_command systemctl restart mariadb & spinner_loading - -exit From a35b04419d1c58949130e5a3b9c5bdd1e3c9aa64 Mon Sep 17 00:00:00 2001 From: Daniel Hansson Date: Thu, 22 Oct 2020 23:26:17 +0200 Subject: [PATCH 24/86] add begining and end --- static/new_etc_mycnf.sh | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) diff --git a/static/new_etc_mycnf.sh b/static/new_etc_mycnf.sh index 0fe10d6..37feb5a 100644 --- a/static/new_etc_mycnf.sh +++ b/static/new_etc_mycnf.sh 
@@ -1,3 +1,27 @@ +#!/bin/bash +# shellcheck disable=2034,2059 +true +# shellcheck source=lib.sh +. <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) + +# Check for errors + debug code and abort if something isn't right +# 1 = ON +# 0 = OFF +DEBUG=0 +debug_mode + +# Check if root +if ! is_root +then + printf "\n${Red}Sorry, you are not root.\n${Color_Off}You must type: ${Cyan}sudo ${Color_Off}bash %s/wordpress_install_production.sh\n" "$SCRIPTS" + exit 1 +fi + +# MariaDB recomends this +mv -f /etc/mysql/my.cnf /etc/mysql/my.cnf.old +ln -sf mariadb.cnf $ETCMYCNF + +/bin/cat <"$ETCMYCNF" # MariaDB database server configuration file. # # You can copy this file to one of: @@ -195,3 +219,12 @@ key_buffer = 16M # The files must end with '.cnf', otherwise they'll be ignored. # !includedir /etc/mysql/conf.d/ +WRITENEW + +# Restart MariaDB +check_command systemctl stop mariadb & spinner_loading +# mysqladmin shutdown --force & spinner_loading +wait +check_command systemctl restart mariadb & spinner_loading + +exit From b55638d951cc4a02d606588481e3bd35f1b8387b Mon Sep 17 00:00:00 2001 From: enoch85 Date: Thu, 22 Oct 2020 23:28:16 +0200 Subject: [PATCH 25/86] fix redis Signed-off-by: enoch85 --- wordpress_install.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/wordpress_install.sh b/wordpress_install.sh index e077d41..40158ce 100644 --- a/wordpress_install.sh +++ b/wordpress_install.sh @@ -275,7 +275,7 @@ apt install -y \ php"$PHPVER"-cli \ php"$PHPVER"-zip \ php"$PHPVER"-curl - + # Configure PHP sed -i "s|allow_url_fopen =.*|allow_url_fopen = On|g" "$PHP_INI" sed -i "s|max_execution_time =.*|max_execution_time = 360|g" "$PHP_INI" @@ -291,7 +291,7 @@ sed -i "s|date.timezone =.*|date.timezone = Europe/Stockholm|g" "$PHP_INI" check_command echo "$REDIS_PASS" > $REDISPTXT # Install Redis -run_script STATIC redis-server-ubuntu +run_script ADDONS redis-server-ubuntu # Enable OPCache for PHP phpenmod opcache 
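Review bot: The added `. <(curl -sL …/20.04_testing/lib.sh)` line in the `@@ -1,3 +1,27 @@` hunk runs whatever that branch serves at the moment, as root, with no pinning or integrity check, and without `-f` an HTTP error body is handed to the shell as well. The same fetch comes back later in this series in the activate-ssl.sh, test-new-config.sh and change_db_pass.sh hunks, there as the fallback after `source /var/scripts/fetch_lib.sh`. I would source the local copy when it exists and otherwise download to a file first, for example `curl -fsSL https://raw.githubusercontent.com/techandme/wordpress-vm/<PINNED_COMMIT>/lib.sh -o "$lib_tmp"` followed by `echo "<EXPECTED_SHA256>  $lib_tmp" | sha256sum -c - && . "$lib_tmp"` (both bracketed values are placeholders). The heredoc opened at the end of this hunk continues outside it.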
From a10cd225c001dd7f08eee0bb5fb2b09649d43d6e Mon Sep 17 00:00:00 2001 From: Daniel Hansson Date: Thu, 22 Oct 2020 23:34:17 +0200 Subject: [PATCH 26/86] don't install redis two times --- wordpress_install.sh | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/wordpress_install.sh b/wordpress_install.sh index 40158ce..5fbaf6a 100644 --- a/wordpress_install.sh +++ b/wordpress_install.sh @@ -286,13 +286,6 @@ sed -i "s|post_max_size =.*|post_max_size = 110M|g" "$PHP_INI" sed -i "s|cgi.fix_pathinfo =.*|cgi.fix_pathinfo=0|g" "$PHP_INI" sed -i "s|date.timezone =.*|date.timezone = Europe/Stockholm|g" "$PHP_INI" - -# Make sure the passwords are the same, this file will be deleted when redis is run. -check_command echo "$REDIS_PASS" > $REDISPTXT - -# Install Redis -run_script ADDONS redis-server-ubuntu - # Enable OPCache for PHP phpenmod opcache { @@ -313,6 +306,9 @@ sed -i "s|;emergency_restart_threshold.*|emergency_restart_threshold = 10|g" /et sed -i "s|;emergency_restart_interval.*|emergency_restart_interval = 1m|g" /etc/php/"$PHPVER"/fpm/php-fpm.conf sed -i "s|;process_control_timeout.*|process_control_timeout = 10|g" /etc/php/"$PHPVER"/fpm/php-fpm.conf +# Make sure the passwords are the same, this file will be deleted when redis is run. +check_command echo "$REDIS_PASS" > $REDISPTXT + # Install Redis (distrubuted cache) run_script ADDONS redis-server-ubuntu From 02bc187576aeb78a8214714b405665fb45cfd6c0 Mon Sep 17 00:00:00 2001 From: enoch85 Date: Thu, 22 Oct 2020 23:54:07 +0200 Subject: [PATCH 27/86] fpm sock Signed-off-by: enoch85 --- lib.sh | 1 + wordpress_install.sh | 8 ++++---- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/lib.sh b/lib.sh index d7a515e..e0082df 100644 --- a/lib.sh +++ b/lib.sh 
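Review bot: The line moved by the `@@ -306,6 +306,9 @@` hunk, `check_command echo "$REDIS_PASS" > $REDISPTXT`, creates the password file with the default umask, so it may be readable by other local users until the Redis script deletes it; where `$REDISPTXT` points is not visible here. The redirection target is also unquoted, and the redirect captures anything `check_command` itself prints, not only the password. I would write it as `( umask 077; printf '%s\n' "$REDIS_PASS" > "$REDISPTXT" )`.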
@@ -141,6 +141,7 @@ PHP_FPM_DIR=/etc/php/$PHPVER/fpm PHP_INI=$PHP_FPM_DIR/php.ini PHP_POOL_DIR=$PHP_FPM_DIR/pool.d PHP_MODS_DIR=/etc/php/"$PHPVER"/mods-available +PHP_FPM_SOCK=/var/run/php"$PHPVER"-fpm-wordpress.sock # Adminer ADMINERDIR=/usr/share/adminer diff --git a/wordpress_install.sh b/wordpress_install.sh index 40158ce..84b9e55 100644 --- a/wordpress_install.sh +++ b/wordpress_install.sh @@ -521,7 +521,7 @@ cat << POOL_CONF > "$PHP_POOL_DIR"/wordpress.conf [Wordpress] user = www-data group = www-data -listen = /run/php/php"$PHPVER"-fpm.wordpress.sock +listen = $PHP_FPM_SOCK listen.owner = www-data listen.group = www-data pm = dynamic @@ -640,7 +640,7 @@ server { deny all; include fastcgi.conf; fastcgi_intercept_errors on; - fastcgi_pass unix:/var/run/php/php7.2-fpm-wordpress.sock; + fastcgi_pass unix:$PHP_FPM_SOCK; } fastcgi_split_path_info ^(.+\.php)(/.+)$; try_files \$uri =404; @@ -696,7 +696,7 @@ server { location ~ /\\. { access_log off; - log_not_found off; + log_not_found off; deny all; } @@ -719,7 +719,7 @@ server { deny all; include fastcgi.conf; fastcgi_intercept_errors on; - fastcgi_pass unix:/var/run/php/php7.2-fpm-wordpress.sock; + fastcgi_pass unix:$PHP_FPM_SOCK; } fastcgi_split_path_info ^(.+\.php)(/.+)$; try_files \$uri =404; From b8809be0fe7665b0bb021bfa9ea535d954530b8b Mon Sep 17 00:00:00 2001 From: Daniel Hansson Date: Thu, 22 Oct 2020 23:59:14 +0200 Subject: [PATCH 28/86] try to fix wp error --- wordpress_install.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/wordpress_install.sh b/wordpress_install.sh index 5fbaf6a..d714a58 100644 --- a/wordpress_install.sh +++ b/wordpress_install.sh 
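Review bot: The new `PHP_FPM_SOCK` value in the lib.sh hunk puts the socket directly under `/var/run`, while both literals it replaces in wordpress_install.sh (`/run/php/php"$PHPVER"-fpm.wordpress.sock` and `/var/run/php/php7.2-fpm-wordpress.sock`) sat in the `php/` subdirectory. If dropping that directory was not intended, `PHP_FPM_SOCK=/run/php/php"$PHPVER"-fpm-wordpress.sock` keeps the socket where the earlier paths had it. A short comment above the variable, `# Shared by the FPM pool and the nginx fastcgi_pass lines; both must match`, would also explain why it is defined in the library.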
@@ -430,9 +430,9 @@ define( 'WP_REDIS_SCHEME', 'unix' ); /** REDIS PATH TO SOCKET */ define( 'WP_REDIS_PATH', '$REDIS_SOCK' ); /** REDIS TTL */ -define('WP_REDIS_MAXTTL', 9600); +define('WP_REDIS_MAXTTL', 9600 ); /** REDIS SALT */ -define('WP_REDIS_PREFIX', $(gen_passwd "$SHUF" "a-zA-Z0-9@#*=")); +define('WP_REDIS_PREFIX', '$(gen_passwd "$SHUF" "a-zA-Z0-9@#*=")' ); /** AUTO UPDATE */ define( 'WP_AUTO_UPDATE_CORE', true ); From 8ec4ee6750d737dc30d6b8ee45a9285f28e23dc4 Mon Sep 17 00:00:00 2001 From: Daniel Hansson Date: Fri, 23 Oct 2020 00:32:17 +0200 Subject: [PATCH 29/86] fix expect --- wordpress_install.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/wordpress_install.sh b/wordpress_install.sh index 8592a34..9bfc83b 100644 --- a/wordpress_install.sh +++ b/wordpress_install.sh @@ -223,12 +223,14 @@ mysql -u root mysql -p"$MARIADB_PASS" -e "UPDATE user SET password=PASSWORD('$MA mysql -u root -p"$MARIADB_PASS" -e "flush privileges;" # mysql_secure_installation -apt -y install expect +install_if_not expect SECURE_MYSQL=$(expect -c " set timeout 10 spawn mysql_secure_installation expect \"Enter current password for root (enter for none):\" send \"$MARIADB_PASS\r\" +expect \"Switch to unix_socket authentication?\" +send \"y\r\" expect \"Change the root password?\" send \"n\r\" expect \"Remove anonymous users?\" From b93bfbc86abaadbdffe9f22a5333f1e6faa0de4b Mon Sep 17 00:00:00 2001 From: enoch85 Date: Fri, 23 Oct 2020 00:59:23 +0200 Subject: [PATCH 30/86] fix nginx_def Signed-off-by: enoch85 --- wordpress_install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/wordpress_install.sh b/wordpress_install.sh index 9bfc83b..e2e34fd 100644 --- a/wordpress_install.sh +++ b/wordpress_install.sh 
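Review bot: The added `expect \"Switch to unix_socket authentication?\"` / `send \"y\r\"` pair in the `@@ -223,12 +223,14 @@` hunk assumes that prompt always appears; if the installed `mysql_secure_installation` does not ask it, the `expect` times out after 10 seconds and the `y` is sent to the next prompt instead. From the visible order that next prompt is "Change the root password?", so every later answer would be shifted by one and the root password could end up being changed to an unintended value. Matching both prompts in one `expect` block and failing on timeout keeps the answers aligned; the block below would replace both the new pair and the existing "Change the root password?" pair. The expect script continues outside the hunk.

```shell
# … unchanged: install_if_not expect, spawn, current root password prompt …
expect {
    \"Switch to unix_socket authentication?\" { send \"y\r\"; exp_continue }
    \"Change the root password?\" { send \"n\r\" }
    timeout { exit 1 }
}
# … unchanged: remaining prompts …
```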
@@ -916,7 +916,7 @@ sleep 1 fi # Enable new config -ln -s "$SITES_AVAILABLE"/"$NGINX_DEF" "$SITES_ENABLED"/"$NGINX_DEF" +ln -s "$NGINX_DEF" "$SITES_ENABLED"/default ln -s "$SITES_AVAILABLE"/"$TLS_CONF" "$SITES_ENABLED"/"$TLS_CONF" ln -s "$SITES_AVAILABLE"/"$HTTP_CONF" "$SITES_ENABLED"/"$HTTP_CONF" restart_webserver From b05768f694bb0eeaa856247cfc426b5b14ce43c7 Mon Sep 17 00:00:00 2001 From: enoch85 Date: Fri, 23 Oct 2020 01:06:57 +0200 Subject: [PATCH 31/86] install_if_not Signed-off-by: enoch85 --- apps/fail2ban.sh | 2 +- network/ddclient-configuration.sh | 2 +- wordpress_install.sh | 5 +++-- 3 files changed, 5 insertions(+), 4 deletions(-) diff --git a/apps/fail2ban.sh b/apps/fail2ban.sh index e390a8d..c4728c2 100644 --- a/apps/fail2ban.sh +++ b/apps/fail2ban.sh @@ -55,7 +55,7 @@ FINDTIME_=1800 MAXRETRY_=20 apt update -q4 & spinner_loading -check_command apt install fail2ban -y +install_if_not fail2ban check_command update-rc.d fail2ban disable # Install WP-Fail2ban and activate conf diff --git a/network/ddclient-configuration.sh b/network/ddclient-configuration.sh index 212bc4c..46de888 100644 --- a/network/ddclient-configuration.sh +++ b/network/ddclient-configuration.sh @@ -40,7 +40,7 @@ else fi # install needed tool -DEBIAN_FRONTEND=noninteractive apt install ddclient -y +DEBIAN_FRONTEND=noninteractive install_if_not ddclient # Test if file exists if [ ! -f /etc/ddclient.conf ] diff --git a/wordpress_install.sh b/wordpress_install.sh index e2e34fd..d005095 100644 --- a/wordpress_install.sh +++ b/wordpress_install.sh @@ -197,8 +197,9 @@ $MENU_GUIDE" "$WT_HEIGHT" "$WT_WIDTH" 4 \ done # Install dependencies for GEO-block in Nginx -install_if_not geoip-database -install_if_not libgeoip1 +# TODO: https://linuxhint.com/nginx_block_geo_location/ +#install_if_not geoip-database +#install_if_not libgeoip1 # Write MARIADB pass to file and keep it safe { From 59520577e6d8cc196cf6ffbdd882bb8e9b3b47eb Mon Sep 17 00:00:00 2001 
From: Daniel Hansson Date: Fri, 23 Oct 2020 16:56:03 +0200 Subject: [PATCH 32/86] Update wordpress-startup-script.sh --- wordpress-startup-script.sh | 27 ++------------------------- 1 file changed, 2 insertions(+), 25 deletions(-) diff --git a/wordpress-startup-script.sh b/wordpress-startup-script.sh index 15a3a73..76a2968 100644 --- a/wordpress-startup-script.sh +++ b/wordpress-startup-script.sh @@ -82,29 +82,6 @@ fi if network_ok then print_text_in_color "$IGreen" "Online!" -elif home_sme_server -then - msg_box "It seems like the last try failed as well using LAN ethernet. - -Since the Home/SME server is equipped with a WIFI module, you will now be asked to enable it to get connectivity. - -Please note: It's not recomended to run a server on WIFI. Using an ethernet cable is always the best." - if yesno_box_yes "Do you want to enable WIFI on this server?" - then - nmtui - fi - if network_ok - then - print_text_in_color "$IGreen" "Online!" - else - msg_box "Network NOT OK. You must have a working network connection to run this script. - -Please contact us for support: -https://shop.hanssonit.se/product/premium-support-per-30-minutes/ - -Please also post this issue on: https://github.com/nextcloud/vm/issues" - exit 1 - fi else msg_box "Network NOT OK. You must have a working network connection to run this script. @@ -117,7 +94,7 @@ fi # shellcheck disable=2034,2059,1091 true -SCRIPT_NAME="Wordpress Startup Script" +SCRIPT_NAME="Wordpress startup script" # shellcheck source=lib.sh source /var/scripts/fetch_lib.sh 
@@ -137,7 +114,7 @@ run_script MENU startup_configuration ######## The first setup is OK to run to this point several times, but not any further ######## if [ -f "$SCRIPTS/you-can-not-run-the-startup-script-several-times" ] then - msg_box "$SCRIPT_NAME script that handles the first setup \ + msg_box "The $SCRIPT_NAME that handles the first setup \ (this one) is desinged to be run once, not several times in a row. If you feel uncertain about adding some extra features during this setup, \ From d24497f59b1fe8ff023078d59fb0ef66aca96730 Mon Sep 17 00:00:00 2001 From: Daniel Hansson Date: Fri, 23 Oct 2020 17:03:11 +0200 Subject: [PATCH 33/86] Update activate-ssl.sh --- lets-encrypt/activate-ssl.sh | 436 ++++++++++++++--------------------- 1 file changed, 169 insertions(+), 267 deletions(-) diff --git a/lets-encrypt/activate-ssl.sh b/lets-encrypt/activate-ssl.sh index 17708cb..1bf001e 100644 --- a/lets-encrypt/activate-ssl.sh +++ b/lets-encrypt/activate-ssl.sh @@ -1,10 +1,11 @@ #!/bin/bash # shellcheck disable=2034,2059 true +SCRIPT_NAME="Activate TLS" # shellcheck source=lib.sh -. <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) +source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) -# T&M Hansson IT AB © - 2019, https://www.hanssonit.se/ +# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/ # Check for errors + debug code and abort if something isn't right # 1 = ON 
@@ -16,313 +17,214 @@ debug_mode root_check # Information -msg_box "Important! Please read this: - -This script will install SSL from Let's Encrypt. -It's free of charge, and very easy to maintain. - -Before we begin the installation you need to have -a domain that the SSL certs will be valid for. -If you don't have a domain yet, get one before -you run this script! +# Information +msg_box "Before we begin the installation of your TLS certificate you need to: -You also have to open port 80+443 against this VMs -IP address: $ADDRESS - do this in your router/FW. -Here is a guide: https://goo.gl/Uyuf65 +1. Have a domain like: cloud.example.com +If you want to get a domain at a fair price, please check this out: https://store.binero.se/?lang=en-US -You can find the script here: $SCRIPTS/activate-ssl.sh -and you can run it after you got a domain. +2. Open port 80 and 443 against this servers IP address: $ADDRESS. +Here is a guide: https://www.techandme.se/open-port-80-443 +It's also possible to automatically open ports with UPNP, if you have that enabled in your firewall/router. -Please don't run this script if you don't have -a domain yet. You can get one for a fair price here: -https://store.binero.se/?lang=en-US" +PLEASE NOTE: +This script can be run again by executing: sudo bash $SCRIPTS/menu.sh, and choose 'Server Configuration' --> 'Activate TLS'" -if [[ "no" == $(ask_yes_or_no "Are you sure you want to continue?") ]] +if ! yesno_box_yes "Are you sure you want to continue?" then -msg_box "OK, but if you want to run this script later, -just type: sudo bash $SCRIPTS/activate-ssl.sh" + msg_box "OK, but if you want to run this script later, just execute this in your CLI: sudo \ +bash /var/scripts/menu.sh and choose 'Server Configuration' --> 'Activate TLS'" exit fi -if [[ "no" == $(ask_yes_or_no "Have you forwarded port 80+443 in your router?") ]] +if ! yesno_box_yes "Have you opened port 80 and 443 in your router, or are you using UPNP?" 
then -msg_box "OK, but if you want to run this script later, -just type: sudo bash /var/scripts/activate-ssl.sh" + msg_box "OK, but if you want to run this script later, just execute this in your CLI: sudo \ +bash /var/scripts/menu.sh and choose 'Server Configuration' --> 'Activate TLS'" exit fi -if [[ "yes" == $(ask_yes_or_no "Do you have a domain that you will use?") ]] +if ! yesno_box_yes "Do you have a domain that you will use?" then - sleep 1 -else -msg_box "OK, but if you want to run this script later, -just type: sudo bash /var/scripts/activate-ssl.sh" + msg_box "OK, but if you want to run this script later, just execute this in your CLI: sudo \ +bash /var/scripts/menu.sh and choose 'Server Configuration' --> 'Activate TLS'" exit fi -echo -while true -do -# Ask for domain name -cat << ENTERDOMAIN -+---------------------------------------------------------------+ -| Please enter the domain name you will use for Wordpress: | -| Like this: example.com, or wordpress.example.com | -+---------------------------------------------------------------+ -ENTERDOMAIN -echo -read -r domain -echo -if [[ "yes" == $(ask_yes_or_no "Is this correct? $domain") ]] +# Wordpress Main Domain (activate-tls.sh) +TLSDOMAIN=$(input_box_flow "Please enter the domain name you will use for Wordpress. +Make sure it looks like this:\nyourdomain.com, or www.yourdomain.com") + +msg_box "Before continuing, please make sure that you have you have edited the DNS settings for $TLSDOMAIN, \ +and opened port 80 and 443 directly to this servers IP. A full exstensive guide can be found here: +https://www.techandme.se/open-port-80-443 + +This can be done automatically if you have UNNP enabled in your firewall/router. \ +You will be offered to use UNNP in the next step." + +if yesno_box_no "Do you want to use UPNP to open port 80 and 443?" 
then - break + unset FAIL + open_port 80 TCP + open_port 443 TCP + cleanup_open_port fi -done + +# Curl the lib another time to get the correct https_conf +# shellcheck source=lib.sh +source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/w0.04_testing/lib.sh) + +# Check if $TLSDOMAIN exists and is reachable +echo +print_text_in_color "$ICyan" "Checking if $TLSDOMAIN exists and is reachable..." +domain_check_200 "$TLSDOMAIN" # Check if port is open with NMAP -sed -i "s|127.0.1.1.*|127.0.1.1 $domain wordpress|g" /etc/hosts +sed -i "s|127.0.1.1.*|127.0.1.1 $TLSDOMAIN wordpress|g" /etc/hosts network_ok -check_open_port 80 "$domain" -check_open_port 443 "$domain" +check_open_port 80 "$TLSDOMAIN" +check_open_port 443 "$TLSDOMAIN" # Fetch latest version of test-new-config.sh -check_command download_le_script test-new-config - -# Check if $domain exists and is reachable -echo -print_text_in_color "$ICyan" "Checking if $domain exists and is reachable..." -if wget -q -T 10 -t 2 --spider "$domain"; then - sleep 1 -elif wget -q -T 10 -t 2 --spider --no-check-certificate "https://$domain"; then - sleep 1 -elif curl -s -k -m 10 "$domain"; then - sleep 1 -elif curl -s -k -m 10 "https://$domain" -o /dev/null ; then - sleep 1 -else -msg_box "Nope, it's not there. You have to create $domain and point -it to this server before you can run this script." - exit 1 -fi +check_command download_script LETS_ENC test-new-config # Install certbot (Let's Encrypt) install_certbot #Fix issue #28 -ssl_conf="/etc/nginx/sites-available/"$domain.conf"" - -# DHPARAM -DHPARAMS="$CERTFILES/$domain/dhparam.pem" +tls_conf="$SITES_AVAILABLE/$TLSDOMAIN.conf" -# Check if "$ssl.conf" exists, and if, then delete -if [ -f "$ssl_conf" ] +# Check if "$tls.conf" exists, and if, then delete +if [ -f "$tls_conf" ] then - rm -f "$ssl_conf" + rm -f "$tls_conf" fi -# Generate vhost.conf -if [ ! 
-f "$ssl_conf" ] +# Check current PHP version --> PHPVER +# To get the correct version for the Apache conf file +check_php + +# Only add TLS 1.3 on Ubuntu later than 20.04 +if version 20.04 "$DISTRO" 20.04.10 then - touch "$ssl_conf" - print_text_in_color "$IGreen" "$ssl_conf was successfully created." - sleep 2 - cat << SSL_CREATE > "$ssl_conf" -server { - listen 80; - server_name $domain; - return 301 https://$domain\$request_uri; -} - -server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - - ## Your website name goes here. - server_name $domain; - ## Your only path reference. - root $WPATH; - ## This should be in your http block and if it is, it's not needed here. - index index.php; - - resolver $GATEWAY; - - ## Show real IP behind proxy (change to the proxy IP) -# set_real_ip_from $GATEWAY/24; -# set_real_ip_from $GATEWAY; -# set_real_ip_from 2001:0db8::/32; -# real_ip_header X-Forwarded-For; -# real_ip_recursive on; - - # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate - ssl_certificate $CERTFILES/$domain/fullchain.pem; - ssl_certificate_key $CERTFILES/$domain/privkey.pem; - ssl_session_timeout 1d; - ssl_session_cache shared:SSL:50m; - ssl_session_tickets off; - # Diffie-Hellman parameter for DHE ciphersuites, recommended 4096 bits - ssl_dhparam $DHPARAMS; - # intermediate configuration. tweak to your needs. 
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'; - ssl_prefer_server_ciphers on; - # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) - add_header Strict-Transport-Security max-age=15768000; - # OCSP Stapling --- - # fetch OCSP records from URL in ssl_certificate and cache them - ssl_stapling on; - ssl_stapling_verify on; - - location / { - try_files \$uri \$uri/ /index.php?\$args; - # https://veerasundar.com/blog/2014/09/setting-expires-header-for-assets-nginx/ - if (\$request_uri ~* ".(ico|css|js|gif|jpe?g|png)$") { - expires 15d; - access_log off; - add_header Pragma public; - add_header Cache-Control "public"; - break; - } - } - location /.well-known { - root /usr/share/nginx/html; - } - location ~ /\\. 
{ - access_log off; - log_not_found off; - deny all; - } - location = /favicon.ico { - log_not_found off; - access_log off; - } - location = /robots.txt { - allow all; - log_not_found off; - access_log off; - } - location ~* \.php$ { - location ~ \wp-login.php$ { - allow $GATEWAY/24; - #allow $ADDRESS; - #allow $WAN4IP; - deny all; - include fastcgi.conf; - fastcgi_intercept_errors on; - fastcgi_pass unix:/var/run/php/php7.2-fpm-wordpress.sock; - } - fastcgi_split_path_info ^(.+\.php)(/.+)$; - try_files \$uri =404; - fastcgi_index index.php; - include fastcgi.conf; - include fastcgi_params; - fastcgi_intercept_errors on; - fastcgi_pass unix:$PHP_FPM_SOCK; - fastcgi_buffers 16 16k; - fastcgi_buffer_size 32k; - fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name; - fastcgi_param SCRIPT_NAME \$fastcgi_script_name; - } - location ~* \\.(js|css|png|jpg|jpeg|gif|ico)$ { - expires max; - log_not_found off; - } -} -SSL_CREATE + TLS13="+TLSv1.3" fi -# Methods -# https://certbot.eff.org/docs/using.html#certbot-command-line-options -default_le="--rsa-key-size 4096 --renew-by-default --no-eff-email --agree-tos --uir --hsts --server https://acme-v02.api.letsencrypt.org/directory -d $domain" - -standalone() { -# Generate certs -if eval "certbot certonly --standalone --pre-hook 'service nginx stop' --post-hook 'service nginx start' $default_le" +# Generate wordpress_tls_domain.conf +if [ ! -f "$tls_conf" ] then - echo "success" > /tmp/le_test -else - echo "fail" > /tmp/le_test + touch "$tls_conf" + print_text_in_color "$IGreen" "$tls_conf was successfully created." 
+ sleep 2 + cat << TLS_CREATE > "$tls_conf" + + RewriteEngine On + RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L] + + + +### YOUR SERVER ADDRESS ### + + ServerAdmin admin@$TLSDOMAIN + ServerName $TLSDOMAIN + +### SETTINGS ### + + SetHandler "proxy:unix:$PHP_FPM_SOCK|fcgi://localhost" + + + # Intermediate configuration + Header add Strict-Transport-Security: "max-age=15768000;includeSubdomains" + SSLEngine on + SSLCompression off + SSLProtocol -all +TLSv1.2 $TLS13 + SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 + SSLHonorCipherOrder off + SSLSessionTickets off + ServerSignature off + + # Logs + LogLevel warn + CustomLog ${APACHE_LOG_DIR}/access.log combined + ErrorLog ${APACHE_LOG_DIR}/error.log + + DocumentRoot $NCPATH + + + Options Indexes FollowSymLinks + AllowOverride All + Require all granted + Satisfy Any + + + + Dav off + + + SetEnv HOME $NCPATH + SetEnv HTTP_HOME $NCPATH + + # The following lines prevent .htaccess and .htpasswd files from being + # viewed by Web clients. + + Require all denied + + + # Disable HTTP TRACE method. + TraceEnable off + # Disable HTTP TRACK method. 
+ RewriteEngine On + RewriteCond %{REQUEST_METHOD} ^TRACK + RewriteRule .* - [R=405,L] + + # Avoid "Sabre\DAV\Exception\BadRequest: expected filesize XXXX got XXXX" + + RequestReadTimeout body=0 + + +### LOCATION OF CERT FILES ### + + SSLCertificateChainFile $CERTFILES/$TLSDOMAIN/chain.pem + SSLCertificateFile $CERTFILES/$TLSDOMAIN/cert.pem + SSLCertificateKeyFile $CERTFILES/$TLSDOMAIN/privkey.pem + SSLOpenSSLConfCmd DHParameters $DHPARAMS_TLS + + +### EXTRAS ### + SSLUseStapling On + SSLStaplingCache "shmcb:logs/ssl_stapling(32768)" +TLS_CREATE fi -} -tls-alpn-01() { -if eval "certbot certonly --preferred-challenges tls-alpn-01 $default_le" + +# Check if PHP-FPM is installed and if not, then remove PHP-FPM related lines from config +if ! pgrep php-fpm then - echo "success" > /tmp/le_test -else - echo "fail" > /tmp/le_test + sed -i "s| /tmp/le_test -else - echo "fail" > /tmp/le_test -fi -} - -methods=(standalone dns) - -create_config() { -# $1 = method -local method="$1" -# Check if $CERTFILES exists -if [ -d "$CERTFILES" ] - then - # Generate DHparams chifer - if [ ! -f "$DHPARAMS" ] + if [ -d "$CERTFILES" ] then - openssl dhparam -dsaparam -out "$DHPARAMS" 4096 + # Generate DHparams chifer + if [ ! -f "$DHPARAMS_TLS" ] + then + openssl dhparam -dsaparam -out "$DHPARAMS_TLS" 4096 + fi + # Activate new config + check_command bash "$SCRIPTS/test-new-config.sh" "$TLSDOMAIN.conf" + msg_box "Please remember to keep port 80 (and 443) open so that Let's Encrypt can do \ +the automatic renewal of the cert. If port 80 is closed the cert will expire in 3 months. + +You don't need to worry about security as port 80 is directly forwarded to 443, so \ +no traffic will actually be on port 80, except for the forwarding to 443 (HTTPS)." 
+ exit 0 fi - # Activate new config - check_command bash "$SCRIPTS/test-new-config.sh" "$domain.conf" - exit -fi -} - -attempts_left() { -local method="$1" -if [ "$method" == "standalone" ] -then - printf "%b" "${ICyan}It seems like no certs were generated, we will do 1 more try.\n${Color_Off}" - any_key "Press any key to continue..." -#elif [ "$method" == "tls-alpn-01" ] -#then -# printf "%b" "${ICyan}It seems like no certs were generated, we will do 1 more try.\n${Color_Off}" -# any_key "Press any key to continue..." -elif [ "$method" == "dns" ] -then - printf "%b" "${IRed}It seems like no certs were generated, please check your DNS and try again.\n${Color_Off}" - any_key "Press any key to continue..." -fi -} - -# Generate the cert -for f in "${methods[@]}"; do "$f" -if [ "$(grep 'success' /tmp/le_test)" == 'success' ]; then - rm -f /tmp/le_test - create_config "$f" else - rm -f /tmp/le_test - attempts_left "$f" + last_fail_tls "$SCRIPTS"/activate-tls.sh cleanup fi -done - -# Failed -msg_box "Sorry, last try failed as well. :/ - -The script is located in $SCRIPTS/activate-ssl.sh -Please try to run it again some other time with other settings. - -There are different configs you can try in Let's Encrypt's user guide: -https://letsencrypt.readthedocs.org/en/latest/index.html -Please check the guide for further information on how to enable SSL. - -This script is developed on GitHub, feel free to contribute: -https://github.com/techandme/wordpress-vm - -The script will now do some cleanup and revert the settings." -# Cleanup -apt remove certbot -y -apt autoremove -y -clear +exit From bf269e3a97f9cd54388d8ad43ac7b152efbc367d Mon Sep 17 00:00:00 2001 From: Daniel Hansson Date: Fri, 23 Oct 2020 17:03:25 +0200 Subject: [PATCH 34/86] Rename activate-ssl.sh to activate-tls.sh --- lets-encrypt/{activate-ssl.sh => activate-tls.sh} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename lets-encrypt/{activate-ssl.sh => activate-tls.sh} (100%) 
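Review bot: The vhost written to `$tls_conf` in the `@@ -16,313 +17,214 @@` hunk uses Apache directives (`SSLEngine`, `SSLCertificateFile`, `DocumentRoot $NCPATH`) although the file goes into `$SITES_AVAILABLE` in place of the nginx server block on the removed side, and test-new-config.sh later greps it for `server_name`. It looks carried over from an Apache-based script; if so, nginx will presumably refuse the file and the site stays on the self-signed certificate, so I would keep the nginx `server { … }` block and only tighten it to `ssl_protocols TLSv1.2 TLSv1.3;`. Because the `TLS_CREATE` heredoc delimiter is unquoted, `$1` and `${APACHE_LOG_DIR}` are also expanded by the shell while the file is written. Separately, the second library fetch points at `w0.04_testing` where every other fetch uses `20.04_testing`, and with `curl -sL` the error body would be passed to `source`.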
diff --git a/lets-encrypt/activate-ssl.sh b/lets-encrypt/activate-tls.sh similarity index 100% rename from lets-encrypt/activate-ssl.sh rename to lets-encrypt/activate-tls.sh From 293c74d184df203ae2dbaa378f50f4011d38192a Mon Sep 17 00:00:00 2001 From: Daniel Hansson Date: Fri, 23 Oct 2020 17:24:46 +0200 Subject: [PATCH 35/86] Update test-new-config.sh --- lets-encrypt/test-new-config.sh | 40 +++++++++++++++++---------------- 1 file changed, 21 insertions(+), 19 deletions(-) diff --git a/lets-encrypt/test-new-config.sh b/lets-encrypt/test-new-config.sh index cc932ca..b0ebc0f 100644 --- a/lets-encrypt/test-new-config.sh +++ b/lets-encrypt/test-new-config.sh @@ -1,10 +1,11 @@ #!/bin/bash # shellcheck disable=2034,2059 true +SCRIPT_NAME="Test New Configuration" # shellcheck source=lib.sh -. <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) +source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) -# T&M Hansson IT AB © - 2019, https://www.hanssonit.se/ +# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/ # Check for errors + debug code and abort if something isn't right # 1 = ON 
@@ -13,16 +14,15 @@ DEBUG=0 debug_mode # Activate the new config -printf "${Color_Off}We will now test that everything is OK\n" -any_key "Press any key to continue... " -ln -s /etc/nginx/sites-available/"$1" /etc/nginx/sites-enabled/"$1" -rm -f /etc/nginx/sites-enabled/wordpress_port_80.conf -rm -f /etc/nginx/sites-enabled/wordpress_port_443.conf -rm -f /etc/nginx/sites-enabled/default.conf -rm -f /etc/nginx/sites-enabled/default +msg_box "We will now test that everything is OK" +ln -s "$SITES_AVALIABLE"/"$1" "$SITES_ENABLED"/"$1" +rm -f "$SITES_AVALIABLE"/"$HTTP_CONF" +rm -f "$SITES_AVALIABLE"/"$TLS_CONF" +rm -f "$NGINX_DEF" +rm -f "$SITES_ENABLED"/default if restart_webserver then -msg_box "New settings works! SSL is now activated and OK! + msg_box "New settings works! TLS is now activated and OK! This cert will expire in 90 days if you don't renew it. There are several ways of renewing this cert and here are some tips and tricks: @@ -33,9 +33,9 @@ If you need to edit the crontab please type: crontab -u root -e If you need to edit the script itself, please check: $SCRIPTS/letsencryptrenew.sh Feel free to contribute to this project: https://goo.gl/3fQD65" - crontab -u root -l | { cat; echo "@daily $SCRIPTS/letsencryptrenew.sh"; } | crontab -u root - + crontab -u root -l | { cat; echo "3 */12 * * * $SCRIPTS/letsencryptrenew.sh"; } | crontab -u root - -FQDOMAIN=$(grep -m 1 "server_name" "/etc/nginx/sites-enabled/$1" | awk '{print $2}') +FQDOMAIN=$(grep -m 1 "server_name" "$SITES_ENABLED"/"$1" | awk '{print $2}') if [ "$(hostname)" != "$FQDOMAIN" ] then print_text_in_color "$ICyan" "Setting hostname to $FQDOMAIN..." 
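Review bot: `$SITES_AVALIABLE` in the added `ln -s` and `rm -f` lines of the `@@ -13,16 +14,15 @@` hunk is spelled differently from the `$SITES_AVAILABLE` used in wordpress_install.sh and activate-ssl.sh, so unless lib.sh defines both spellings it expands to an empty string and the commands act on `/$1`, `/$HTTP_CONF` and `/$TLS_CONF` at the filesystem root. The two `rm -f` lines also now target the available directory, where the removed lines only dropped the enabled symlinks. I would write `ln -s "$SITES_AVAILABLE"/"$1" "$SITES_ENABLED"/"$1"`, `rm -f "$SITES_ENABLED"/"$HTTP_CONF"` and `rm -f "$SITES_ENABLED"/"$TLS_CONF"`. The revert path in the `@@ -71,14 +71,16 @@` hunk has the same misspelling.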
@@ -43,7 +43,7 @@ then # Change /etc/hosts as well sed -i "s|127.0.1.1.*|127.0.1.1 $FQDOMAIN $(hostname -s)|g" /etc/hosts # And in the php-fpm pool conf - sed -i "s|env\[HOSTNAME\] = .*|env[HOSTNAME] = $(hostname -f)|g" "$PHP_POOL_DIR/www_wordpress.conf" + sed -i "s|env\[HOSTNAME\] = .*|env[HOSTNAME] = $(hostname -f)|g" "$PHP_POOL_DIR"/wordpress.conf fi add_crontab_le() { @@ -60,7 +60,7 @@ fi # Check if service is running if ! pgrep nginx > /dev/null then - service nginx start + start_if_stopped nginx.service fi CRONTAB } @@ -71,14 +71,16 @@ chmod +x $SCRIPTS/letsencryptrenew.sh # Cleanup rm -f $SCRIPTS/test-new-config.sh -rm -f $SCRIPTS/activate-ssl.sh +rm -f $SCRIPTS/activate-tls.sh else + + + # If it fails, revert changes back to normal - rm -f /etc/nginx/sites-enabled/"$1" - ln -s /etc/nginx/sites-available/wordpress_port_80.conf /etc/nginx/sites-enabled/ + rm -f "$SITES_ENABLED"/"$1" + ln -s "$SITES_AVALIABLE"/"$HTTP_CONF" "$SITES_ENABLED" restart_webserver - printf "${ICyan}Couldn't load new config, reverted to old settings. Self-signed SSL is OK!${Color_Off}\n" - any_key "Press any key to continue... " + msg_box "Couldn't load new config, reverted to old settings. Self-signed TLS is OK!" exit 1 fi From ac25ca12d40c1bb48274cdff3cb082fcb099955b Mon Sep 17 00:00:00 2001 From: Daniel Hansson Date: Fri, 23 Oct 2020 17:34:50 +0200 Subject: [PATCH 36/86] change to functions --- lib.sh | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/lib.sh b/lib.sh index e0082df..2ad30e0 100644 --- a/lib.sh +++ b/lib.sh @@ -88,7 +88,6 @@ ADDONS="$GITHUB_REPO/addons" MENU="$GITHUB_REPO/menu" DISK="$GITHUB_REPO/disk" NETWORK="$GITHUB_REPO/network" -WPDOWNLOADLATEST="https://wordpress.org/latest.zip" ISSUES="https://github.com/techandme/wordpress-vm/vm/issues" # User information 
@@ -103,15 +102,19 @@ SHUF=$(shuf -i 25-29 -n 1) PGDB_PASS=$(gen_passwd "$SHUF" "a-zA-Z0-9@#*=") NEWPGPASS=$(gen_passwd "$SHUF" "a-zA-Z0-9@#*=") WPDBNAME=wordpress_by_www_hanssonit_se -WPADMINUSER=change_this_user +WPADMINUSER=wordpress_db_user MARIADB_PASS=$(tr -dc "a-zA-Z0-9@#*=" < /dev/urandom | fold -w "$SHUF" | head -n 1) WPDBPASS=$(tr -dc "a-zA-Z0-9@#*=" < /dev/urandom | fold -w "$SHUF" | head -n 1) NEWMARIADBPASS=$(tr -dc "a-zA-Z0-9@#*=" < /dev/urandom | fold -w "$SHUF" | head -n 1) WPDBUSER=wordpress_user WPADMINPASS=$(tr -dc "a-zA-Z0-9@#*=" < /dev/urandom | fold -w "$SHUF" | head -n 1) -[ -n "$WPDB" ] && WPCONFIGDB=$(grep "DB_PASSWORD" /var/www/html/wordpress/wp-config.php | awk '{print $3}' | cut -d "'" -f2) MYCNF=/root/.my.cnf -[ -n "$MYCNFPW" ] && MARIADBMYCNFPASS=$(grep "password" $MYCNF | sed -n "/password/s/^password='\(.*\)'$/\1/p") +wpdb() { +WPCONFIGDB=$(grep "DB_PASSWORD" /var/www/html/wordpress/wp-config.php | awk '{print $3}' | cut -d "'" -f2) +} +mycnfpw() { +MARIADBMYCNFPASS=$(grep "password" $MYCNF | sed -n "/password/s/^password='\(.*\)'$/\1/p") +} # Set the hour for automatic updates. This would be 18:00 as only the hour is configurable. AUT_UPDATES_TIME="18" From 7fbe61e69694dc3ce7fb0c23768f79d8ad93dfd6 Mon Sep 17 00:00:00 2001 From: Daniel Hansson Date: Fri, 23 Oct 2020 17:34:57 +0200 Subject: [PATCH 37/86] change to functions --- static/{change_mysql_pass.sh => change_db_pass.sh} | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) rename static/{change_mysql_pass.sh => change_db_pass.sh} (69%) diff --git a/static/change_mysql_pass.sh b/static/change_db_pass.sh similarity index 69% rename from static/change_mysql_pass.sh rename to static/change_db_pass.sh index 2c9c23a..4ee06ac 100644 --- a/static/change_mysql_pass.sh +++ b/static/change_db_pass.sh 
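Review bot: The new `wpdb` and `mycnfpw` helpers in the `@@ -103,15 +102,19 @@` hunk have no comment saying that they set the globals `WPCONFIGDB` and `MARIADBMYCNFPASS`, and nothing checks that the value read is non-empty, so a missing or differently formatted file leaves an empty password for whatever runs next (change_db_pass.sh calls both). A one-line header on each, for example `# Sets WPCONFIGDB to the DB_PASSWORD value found in wp-config.php`, and quoting the path as `grep "password" "$MYCNF"` would help. Failing early when the result is empty, e.g. `[ -n "$MARIADBMYCNFPASS" ] || return 1` at the end of `mycnfpw`, would be safer than continuing with a blank credential.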
@@ -1,11 +1,15 @@ #!/bin/bash # shellcheck disable=2034,2059 true +SCRIPT_NAME="Change Database Password" # shellcheck source=lib.sh -MYCNFPW=1 . <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) -unset MYCNFPW +source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) -# T&M Hansson IT AB © - 2019, https://www.hanssonit.se/ +# Get all needed variables from the library +wpdb +mycnfpw + +# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/ # Check for errors + debug code and abort if something isn't right # 1 = ON From f4e116ee51b8e4702b78a68a91f1d8ff243f46a2 Mon Sep 17 00:00:00 2001 From: Daniel Hansson Date: Fri, 23 Oct 2020 17:42:10 +0200 Subject: [PATCH 38/86] Rename techandme.sh to wordpress.sh --- static/{techandme.sh => wordpress.sh} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename static/{techandme.sh => wordpress.sh} (100%) diff --git a/static/techandme.sh b/static/wordpress.sh similarity index 100% rename from static/techandme.sh rename to static/wordpress.sh From 6679f523953725b1ee5821cbbf0be53ee36e6aae Mon Sep 17 00:00:00 2001 From: Daniel Hansson Date: Fri, 23 Oct 2020 17:44:36 +0200 Subject: [PATCH 39/86] Rename nextcloud_configuration.sh to wordpress_configuration.sh --- menu/{nextcloud_configuration.sh => wordpress_configuration.sh} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename menu/{nextcloud_configuration.sh => wordpress_configuration.sh} (100%) diff --git a/menu/nextcloud_configuration.sh b/menu/wordpress_configuration.sh similarity index 100% rename from menu/nextcloud_configuration.sh rename to menu/wordpress_configuration.sh From 1181c9efe8db593ec1d4978ab66d25b9939fe240 Mon Sep 17 00:00:00 2001 From: Daniel Hansson Date: Fri, 23 Oct 2020 17:52:09 +0200 Subject: [PATCH 40/86] fix bugs --- wordpress-startup-script.sh | 16 ++++++---------- 1 file changed, 6 insertions(+), 10 deletions(-) 
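Review bot: The fallback `source <(curl -sL …/20.04_testing/lib.sh)` runs whatever the branch head serves at that moment, with no integrity check, in a script that changes the database password. Without `-f`, an HTTP error body is also handed to `source` as if it were the library. Using `curl -fsL` makes a failed download fail the `source`, and pointing the URL at a tag or commit instead of a moving branch narrows what can be pulled in. `wpdb` and `mycnfpw` are then called without checking that `WPCONFIGDB` and `MARIADBMYCNFPASS` came back non-empty; the code that consumes them lies outside this hunk.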
diff --git a/wordpress-startup-script.sh b/wordpress-startup-script.sh index 76a2968..e888ce1 100644 --- a/wordpress-startup-script.sh +++ b/wordpress-startup-script.sh @@ -98,10 +98,6 @@ SCRIPT_NAME="Wordpress startup script" # shellcheck source=lib.sh source /var/scripts/fetch_lib.sh -# Get all needed variables from the library -mycnfpw -wpdb - # Check for errors + debug code and abort if something isn't right # 1 = ON # 0 = OFF @@ -191,7 +187,7 @@ rm -v /etc/ssh/ssh_host_* dpkg-reconfigure openssh-server # Generate new MariaDB password -print_text_in_color "$ICyan" "Generating new PostgreSQL password..." +print_text_in_color "$ICyan" "Generating new MariaDB password..." check_command bash "$SCRIPTS/change_db_pass.sh" sleep 3 @@ -267,8 +263,8 @@ echo "WP PASS: $NEWWPADMINPASS" # Change servername in Nginx server_name=$(echo "$FQDN" | cut -d "/" -f3) -sed -i "s|# server_name .*|server_name $server_name;|g" "$HTTP_CONF" -sed -i "s|# server_name .*|server_name $server_name;|g" "$TLS_CONF" +sed -i "s|# server_name .*|server_name $server_name;|g" "$SITES_ENABLED"/"$HTTP_CONF" +sed -i "s|# server_name .*|server_name $server_name;|g" "$SITES_ENABLED"/"$TLS_CONF" restart_webserver # Show current administrators @@ -287,9 +283,9 @@ rm -f "$SCRIPTS/server_configuration.sh" rm -f "$SCRIPTS/wordpress_configuration.sh" rm -f "$SCRIPTS/additional_apps.sh" rm -f "$SCRIPTS/adduser.sh" -find /root "/home/$SUDO_USER" -type f \( -name '*.sh*' -o -name '*.html*' -o -name '*.tar*' -o -name 'results' -o -name '*.zip*' \) -delete +find /root /home/"$UNIXUSER" -type f \( -name '*.sh*' -o -name '*.html*' -o -name '*.tar*' -o -name 'results' -o -name '*.zip*' \) -delete find "WPATH" -type f \( -name 'results' -o -name '*.sh*' \) -delete -sed -i "s|instruction.sh|wordpress.sh|g" "/home/$SUDO_USER/.bash_profile" +sed -i "s|instruction.sh|wordpress.sh|g" /home/"$UNIXUSER"/.bash_profile truncate -s 0 \ /root/.bash_history \ 
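Review bot: `find /root /home/"$UNIXUSER" … -delete` widens to all of `/home/` if `UNIXUSER` is ever empty, deleting matching `*.sh*`, `*.html*`, `*.tar*` and `*.zip*` files in every account's home directory. `UNIXUSER` is set in lib.sh outside this hunk, so guard the expansion where it is used: `find /root "/home/${UNIXUSER:?}" -type f …` aborts instead of running on `/home/`. The following line still passes the literal string `"WPATH"` to `find` (a later patch in this series changes it to `"$WPATH"`), and `"${WPATH:?}"` is the matching guard there. The `sed -i` on `.bash_profile` depends on `UNIXUSER` in the same way.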
@@ -341,7 +337,7 @@ Please hit OK in all the following prompts and let the server reboot to complete msg_box "TIPS & TRICKS: 1. Publish your server online: https://goo.gl/iUGE2U 3. To update this server just type: sudo bash /var/scripts/update.sh -4. Install apps, configure Wordpress, and server: sudo bash $SCRIPTS/menu.sh" +4. Install apps, configure Wordpress, and server: sudo bash $SCRIPTS/menu.sh 5. To allow access to wp-login.php, please edit your nginx virtual hosts file. You can find it here: $HTTP_CONF" From d498ac7784a65954f0417188aee4d51788952447 Mon Sep 17 00:00:00 2001 From: Daniel Hansson Date: Sat, 24 Oct 2020 20:42:07 +0200 Subject: [PATCH 41/86] minor fixes --- wordpress-startup-script.sh | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/wordpress-startup-script.sh b/wordpress-startup-script.sh index e888ce1..7d06d6a 100644 --- a/wordpress-startup-script.sh +++ b/wordpress-startup-script.sh @@ -38,7 +38,7 @@ is_process_running dpkg # shellcheck disable=2034,2059,1091 true -SCRIPT_NAME="Nextcloud Startup Script" +SCRIPT_NAME="Wordpress Startup Script" # shellcheck source=lib.sh source /var/scripts/fetch_lib.sh @@ -135,7 +135,7 @@ download_script STATIC change_db_pass download_script STATIC wordpress download_script MENU menu download_script MENU server_configuration -download_script MENU nextcloud_configuration +download_script MENU wordpress_configuration download_script MENU additional_apps # Make $SCRIPTS excutable @@ -152,9 +152,8 @@ msg_box"This script will do the final setup for you - Set static IP - Create a new WP user - Upgrade the system -- Activate SSL (Let's Encrypt) +- Activate TLS (Let's Encrypt) - Install Adminer -- Change keyboard setup (current is Swedish) - Change system timezone - Set new password to the Linux system (user: wordpress) From e9110ac0c467cf73e5f72fb4f857888e023e0a1d Mon Sep 17 00:00:00 2001 From: enoch85 Date: Sat, 24 Oct 2020 21:06:58 +0200 Subject: [PATCH 42/86] some more fixes 
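Review bot: The closing text `You can find it here: $HTTP_CONF` now prints only a file name, because this same patch switched the `sed` calls to `"$SITES_ENABLED"/"$HTTP_CONF"` and lib.sh sets `HTTP_CONF` to a bare `.conf` name. Print the full path so the user can find the virtual host that gates wp-login.php: `You can find it here: $SITES_ENABLED/$HTTP_CONF`. The numbered list also jumps from 1 to 3.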
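Review bot: The enclosing call is written `msg_box"This script will do the final setup for you` with no space after `msg_box`, so the shell looks for a command whose name begins `msg_boxThis script…` and the overview is never shown. The call starts above this hunk (it is visible in the hunk header and again as context in the next patch), and this patch edits the list without fixing it. The line should read `msg_box "This script will do the final setup for you`.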
Signed-off-by: enoch85 --- apps/webmin.sh | 2 +- menu/additional_apps.sh | 48 +------------ menu/fail2ban_menu.sh | 6 +- menu/main_menu.sh | 9 +-- menu/server_configuration.sh | 24 ++----- menu/startup_configuration.sh | 6 +- menu/wordpress_configuration.sh | 121 -------------------------------- wordpress-startup-script.sh | 4 +- wordpress_install.sh | 8 +-- 9 files changed, 20 insertions(+), 208 deletions(-) delete mode 100644 menu/wordpress_configuration.sh diff --git a/apps/webmin.sh b/apps/webmin.sh index 7aa0bdc..de3bb6e 100644 --- a/apps/webmin.sh +++ b/apps/webmin.sh @@ -69,6 +69,6 @@ msg_box "Webmin is now installed and can be accessed from this address: https://$ADDRESS:10000 -You can log in with your Ubuntu CLI user: $SUDO_USER." +You can log in with your Ubuntu CLI user: $UNIXUSER." exit diff --git a/menu/additional_apps.sh b/menu/additional_apps.sh index 8a71070..ed3170b 100644 --- a/menu/additional_apps.sh +++ b/menu/additional_apps.sh @@ -18,7 +18,7 @@ debug_mode root_check # Set the startup switch -if [ -f "$SCRIPTS/nextcloud-startup-script.sh" ] +if [ -f "$SCRIPTS/wordpress-startup-script.sh" ] then STARTUP_SWITCH="ON" else @@ -26,7 +26,7 @@ else fi # Show a msg_box during the startup script -if [ -f "$SCRIPTS/nextcloud-startup-script.sh" ] +if [ -f "$SCRIPTS/wordpress-startup-script.sh" ] then msg_box "In the next step, you will be offered to easily install apps that are made to enhance your server and experiance. We have pre-selected apps that we recommend for any installation. 
@@ -39,29 +39,14 @@ fi choice=$(whiptail --title "$TITLE" --checklist \ "Which apps do you want to install?\n\nAutomatically configure and install selected apps $CHECKLIST_GUIDE\n\n$RUN_LATER_GUIDE" "$WT_HEIGHT" "$WT_WIDTH" 4 \ -"Documentserver" "(OnlyOffice or Collabora - Docker or Integrated)" OFF \ -"Bitwarden" "(External password manager)" OFF \ "Fail2ban " "(Extra Bruteforce protection)" "$STARTUP_SWITCH" \ -"Adminer" "(PostgreSQL GUI)" OFF \ +"Adminer" "(Database Administraton GUI)" OFF \ "Netdata" "(Real-time server monitoring in Web GUI)" OFF \ "BPYTOP" "(Real-time server monitoring in CLI)" OFF \ "Midnight Commander" "(CLI file manager)" OFF \ -"FullTextSearch" "(Elasticsearch for Nextcloud [2GB RAM])" OFF \ -"PreviewGenerator" "(Pre-generate previews for Nextcloud)" "$STARTUP_SWITCH" \ -"LDAP" "(Windows Active directory for Nextcloud)" OFF \ -"Talk" "(Video calls and chat for Nextcloud)" OFF \ "Webmin" "(Server GUI like Cpanel)" "$STARTUP_SWITCH" \ -"SMB-mount" "(Mount SMB-shares from your local network)" OFF 3>&1 1>&2 2>&3) case "$choice" in - *"Documentserver"*) - print_text_in_color "$ICyan" "Downloading the Documentserver Menu..." - run_script MENU documentserver - ;;& - *"Bitwarden"*) - print_text_in_color "$ICyan" "Downloading the Bitwarden Menu..." - run_script MENU bitwarden_menu - ;;& *"Fail2ban "*) print_text_in_color "$ICyan" "Downloading the Fail2ban Menu..." run_script MENU fail2ban_menu 
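Review bot: Deleting the `"SMB-mount" …` entry also deletes the `3>&1 1>&2 2>&3)` that closed the `choice=$(whiptail …` substitution, and the new last entry `"Webmin" … "$STARTUP_SWITCH" \` ends in a line continuation, so the script no longer parses. The terminator has to move to the new last entry: `"Webmin" "(Server GUI like Cpanel)" "$STARTUP_SWITCH" 3>&1 1>&2 2>&3)`; a later patch in this series does exactly that for this file. The `menu/server_configuration.sh` checklist hunk in this same patch has the identical problem: removing the `"Disk Check" …` line leaves `"SMTP Mail" … OFF \` as the last entry with nothing closing the substitution.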
@@ -82,37 +67,10 @@ case "$choice" in print_text_in_color "$ICyan" "Downloading the Midnight Commander script..." run_script APP midnight-commander ;;& - *"FullTextSearch"*) - print_text_in_color "$ICyan" "Downloading the FullTextSearch script..." - run_script APP fulltextsearch - ;;& - *"PreviewGenerator"*) - print_text_in_color "$ICyan" "Downloading the PreviewGenerator script..." - run_script APP previewgenerator - ;;& - *"LDAP"*) - SUBTITLE="LDAP" - print_text_in_color "$ICyan" "Installing LDAP..." - if install_and_enable_app user_ldap - then - msg_box "LDAP installed! Please visit https://subdomain.yourdomain.com/settings/admin/ldap \ -to finish the setup once this script is done." "$SUBTITLE" - else - msg_box "LDAP installation failed." "$SUBTITLE" - fi - ;;& - *"Talk"*) - print_text_in_color "$ICyan" "Downloading the Talk script..." - run_script APP talk - ;;& *"Webmin"*) print_text_in_color "$ICyan" "Downloading the Webmin script..." run_script APP webmin ;;& - *"SMB-mount"*) - print_text_in_color "$ICyan" "Downloading the SMB-mount script..." - run_script APP smbmount - ;;& *) ;; esac diff --git a/menu/fail2ban_menu.sh b/menu/fail2ban_menu.sh index 09f785a..957bad3 100644 --- a/menu/fail2ban_menu.sh +++ b/menu/fail2ban_menu.sh @@ -18,7 +18,7 @@ debug_mode root_check # Set the startup switch -if [ -f "$SCRIPTS/nextcloud-startup-script.sh" ] +if [ -f "$SCRIPTS/wordpress-startup-script.sh" ] then STARTUP_SWITCH="ON" else @@ -28,7 +28,7 @@ fi choice=$(whiptail --title "$TITLE" --checklist \ "Automatically install and configure Fail2ban. $CHECKLIST_GUIDE\n\n$RUN_LATER_GUIDE" "$WT_HEIGHT" "$WT_WIDTH" 4 \ -"Install-Fail2ban" "(Install Fail2ban and protect Nextcloud + SSH)" "$STARTUP_SWITCH" \ +"Install-Fail2ban" "(Install Fail2ban and protect Wordpress + SSH)" "$STARTUP_SWITCH" \ "Fail2ban-Statuscheck" "(Check status of currently blocked attacks)" OFF 3>&1 1>&2 2>&3) case "$choice" in 
@@ -40,7 +40,7 @@ case "$choice" in SUBTITLE="Fail2ban Statuscheck" if is_this_installed fail2ban && [ -f "/etc/fail2ban/filter.d/nextcloud.conf" ] then - msg_box "$(fail2ban-client status nextcloud && fail2ban-client status sshd && iptables -L -n)" "$SUBTITLE" + msg_box "$(fail2ban-client status wordpress && fail2ban-client status sshd && iptables -L -n)" "$SUBTITLE" else msg_box "Fail2ban isn't installed. Please run 'sudo bash /var/scripts/menu.sh' to install it." "$SUBTITLE" fi diff --git a/menu/main_menu.sh b/menu/main_menu.sh index 8bbeb9f..6d45879 100644 --- a/menu/main_menu.sh +++ b/menu/main_menu.sh @@ -24,20 +24,15 @@ choice=$(whiptail --title "$TITLE" --menu \ "Choose what you want to do. $MENU_GUIDE\n\n$RUN_LATER_GUIDE" "$WT_HEIGHT" "$WT_WIDTH" 4 \ "Additional Apps" "(Choose which apps to install)" \ -"Nextcloud Configuration" "(Choose between available Nextcloud configurations)" \ "Startup Configuration" "(Choose between available startup configurations)" \ "Server Configuration" "(Choose between available server configurations)" \ -"Update Nextcloud" "(Update Nextcloud to the latest release)" 3>&1 1>&2 2>&3) +"Update Wordpress" "(Update Wordpress to the latest release)" 3>&1 1>&2 2>&3) case "$choice" in "Additional Apps") print_text_in_color "$ICyan" "Downloading the Additional Apps Menu..." run_script MENU additional_apps ;; - "Nextcloud Configuration") - print_text_in_color "$ICyan" "Downloading the Nextcloud Configuration Menu..." - run_script MENU nextcloud_configuration - ;; "Startup Configuration") print_text_in_color "$ICyan" "Downloading the Startup Configuration Menu..." run_script MENU startup_configuration @@ -46,7 +41,7 @@ case "$choice" in print_text_in_color "$ICyan" "Downloading the Server Configuration Menu..." run_script MENU server_configuration ;; - "Update Nextcloud") + "Update Wordpress") if [ -f "$SCRIPTS"/update.sh ] then bash "$SCRIPTS"/update.sh 
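Review bot: The status call now queries the `wordpress` jail, but the guard directly above it still tests for `/etc/fail2ban/filter.d/nextcloud.conf`, so on a WordPress install the test fails and the menu reports that Fail2ban isn't installed even when it is. The filter file is written by apps/fail2ban.sh, which is not shown here, so confirm its name and test for that instead, e.g. `[ -f "/etc/fail2ban/filter.d/FILTER_NAME_PLACEHOLDER.conf" ]`. Because the three commands are chained with `&&`, a missing `wordpress` jail also hides the `sshd` status and the iptables listing.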
diff --git a/menu/server_configuration.sh b/menu/server_configuration.sh index 76d4376..82f02d0 100644 --- a/menu/server_configuration.sh +++ b/menu/server_configuration.sh @@ -18,7 +18,7 @@ debug_mode root_check # Set the correct switch for activate_tls -if [ -f $SCRIPTS/activate-tls.sh ] +if [ -f "$SCRIPTS"/activate-tls.sh ] then ACTIVATE_TLS_SWITCH="ON" else @@ -26,7 +26,7 @@ else fi # Set the startup switch -if [ -f "$SCRIPTS/nextcloud-startup-script.sh" ] +if [ -f "$SCRIPTS/wordpress-startup-script.sh" ] then STARTUP_SWITCH="ON" else @@ -34,7 +34,7 @@ else fi # Show a msg_box during the startup script -if [ -f "$SCRIPTS/nextcloud-startup-script.sh" ] +if [ -f "$SCRIPTS/wordpress-startup-script.sh" ] then msg_box "In the next step, you will be offered to easily install different configurations that are made to enhance your server and experiance. We have pre-selected some choices that we recommend for any installation. 
@@ -48,23 +48,16 @@ choice=$(whiptail --title "$TITLE" --checklist \ "Choose what you want to configure $CHECKLIST_GUIDE\n\n$RUN_LATER_GUIDE" "$WT_HEIGHT" "$WT_WIDTH" 4 \ "Static IP" "(Set static IP in Ubuntu with netplan.io)" OFF \ -"Security" "(Add extra security based on this http://goo.gl/gEJHi7)" OFF \ "DDclient Configuration" "(Use ddclient for automatic DDNS updates)" OFF \ "Activate TLS" "(Enable HTTPS with Let's Encrypt)" "$ACTIVATE_TLS_SWITCH" \ -"GeoBlock" "(Only allow certain countries to access your server)" OFF \ "Automatic updates" "(Automatically update your server every week on Sundays)" OFF \ "SMTP Mail" "(Enable beeing notified by mail from your server)" OFF \ -"Disk Check" "(Check for S.M.A.R.T errors on your disks every week on Mondays)" OFF 3>&1 1>&2 2>&3) case "$choice" in *"Static IP"*) print_text_in_color "$ICyan" "Downloading the Static IP script..." run_script NETWORK static_ip ;;& - *"Security"*) - print_text_in_color "$ICyan" "Downloading the Security script..." - run_script ADDONS security - ;;& *"DDclient Configuration"*) print_text_in_color "$ICyan" "Downloading the DDclient Configuration script..." run_script NETWORK ddclient-configuration @@ -73,7 +66,7 @@ case "$choice" in SUBTITLE="Activate TLS" msg_box "The following script will install a trusted TLS certificate through Let's Encrypt. -It's recommended to use TLS (https) together with Nextcloud. +It's recommended to use TLS (https) together with Wordpress. Please open port 80 and 443 to this servers IP before you continue. More information can be found here: https://www.techandme.se/open-port-80-443/" "$SUBTITLE" 
@@ -91,14 +84,9 @@ https://www.techandme.se/open-port-80-443/" "$SUBTITLE" else msg_box "OK, but if you want to run it later, just type: sudo bash $SCRIPTS/activate-tls.sh" "$SUBTITLE" fi - # Just make sure it is gone rm -f "$SCRIPTS/test-new-config.sh" ;;& - *"GeoBlock"*) - print_text_in_color "$ICyan" "Downloading the Geoblock script..." - run_script NETWORK geoblock - ;;& *"Automatic updates"*) print_text_in_color "$ICyan" "Downloading the Automatic Updates script..." run_script ADDONS automatic_updates @@ -107,10 +95,6 @@ https://www.techandme.se/open-port-80-443/" "$SUBTITLE" print_text_in_color "$ICyan" "Downloading the SMTP Mail script..." run_script ADDONS smtp-mail ;;& - *"Disk Check"*) - print_text_in_color "$ICyan" "Downloading the Disk Check script..." - run_script DISK smartctl - ;;& *) ;; esac diff --git a/menu/startup_configuration.sh b/menu/startup_configuration.sh index 81853ba..fbd7ef3 100644 --- a/menu/startup_configuration.sh +++ b/menu/startup_configuration.sh @@ -14,10 +14,6 @@ source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercont DEBUG=0 debug_mode -# Update the lib once during the startup script -# TODO: delete this again e.g. with NC 20.0.1 -download_script GITHUB_REPO lib - # Must be root root_check @@ -46,7 +42,7 @@ else fi # Show a msg_box during the startup script -if [ -f "$SCRIPTS/nextcloud-startup-script.sh" ] +if [ -f "$SCRIPTS/wordpress-startup-script.sh" ] then msg_box "Running a server, it's important that certain things are correct. In the following menu you will be asked to setup the most basic stuff of your server. diff --git a/menu/wordpress_configuration.sh b/menu/wordpress_configuration.sh deleted file mode 100644 index 6f9c5f7..0000000 --- a/menu/wordpress_configuration.sh +++ /dev/null 
@@ -1,121 +0,0 @@ -#!/bin/bash - -# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/ - -# shellcheck disable=2034,2059 -true -SCRIPT_NAME="Nextcloud Configuration Menu" -# shellcheck source=lib.sh -source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) - -# Get all needed variables from the library -nc_update - -# Check for errors + debug code and abort if something isn't right -# 1 = ON -# 0 = OFF -DEBUG=0 -debug_mode - -# Must be root -root_check - -# Set the startup switch -if [ -f "$SCRIPTS/nextcloud-startup-script.sh" ] -then - STARTUP_SWITCH="ON" -else - STARTUP_SWITCH="OFF" -fi - -# Configure Nextcloud -choice=$(whiptail --title "$TITLE" --checklist \ -"Which settings do you want to configure? -$CHECKLIST_GUIDE\n\n$RUN_LATER_GUIDE" "$WT_HEIGHT" "$WT_WIDTH" 4 \ -"CookieLifetime" "(Configure forced logout timeout for users using the web GUI)" OFF \ -"Share-folder" "(Shares from other users will appear in a folder named 'Shared')" OFF \ -"Disable workspaces" "(disable top notes in GUI)" OFF \ -"Disable user flows" "(Disable user settings for Nextcloud Flow)" OFF \ -"Enable logrotate" "(Use logrotate to keep more Nextcloud logs)" OFF 3>&1 1>&2 2>&3) - -case "$choice" in - *"CookieLifetime"*) - print_text_in_color "$ICyan" "Downloading the CookieLifetime script..." - run_script ADDONS cookielifetime - ;;& - *"Share-folder"*) - SUBTITLE="Share-folder" - msg_box "This option will make all Nextcloud shares from \ -other users appear in a folder named 'Shared' in the Nextcloud GUI. - -If you don't enable this option, all shares will appear directly in \ -the Nextcloud GUI root folder, which is the default behaviour." "$SUBTITLE" - if yesno_box_yes "Do you want to enable this option?" "$SUBTITLE" - then - nextcloud_occ config:system:set share_folder --value="/Shared" - msg_box "All new Nextcloud shares from other \ -users will appear in the 'Shared' folder from now on." 
"$SUBTITLE" - fi - ;;& - *"Disable workspaces"*) - SUBTITLE="Disable workspaces" - msg_box "This option will will disable a feature named 'rich workspaces'. \ -It will disable the top notes in GUI." "$SUBTITLE" - if yesno_box_yes "Do you want to disable rich workspaces?" "$SUBTITLE" - then - # Check if text is enabled - if ! is_app_enabled text - then - msg_box "The text app isn't enabled - unable to disable rich workspaces." "$SUBTITLE" - sleep 1 - else - # Disable workspaces - nextcloud_occ config:app:set text workspace_available --value=0 - msg_box "Rich workspaces are now disabled." "$SUBTITLE" - fi - fi - ;;& - *"Disable user flows"*) - SUBTITLE="Disable user flows" - # Greater than 18.0.3 is 18.0.4 which is required - if version_gt "$CURRENTVERSION" "18.0.3" - then - msg_box "This option will disable the with Nextcloud 18 introduced user flows. \ -It will disable the user flow settings. Admin flows will continue to work." "$SUBTITLE" - if yesno_box_yes "Do you want to disable user flows?" "$SUBTITLE" - then - nextcloud_occ config:app:set workflowengine user_scope_disabled --value yes - msg_box "User flow settings are now disabled." "$SUBTITLE" - fi - else - msg_box "'Disable user flows' is only available on Nextcloud 18.0.4 and above. -Please upgrade by running 'sudo bash /var/scripts/update.sh'" "$SUBTITLE" - sleep 1 - fi - ;;& - *"Enable logrotate"*) - SUBTITLE="Enable logrotate" - msg_box "This option enables logrotate for Nextcloud logs to keep all logs for 10 days" "$SUBTITLE" - if yesno_box_yes "Do you want to enable logrotate for Nextcloud logs?" 
"$SUBTITLE" - then - # Set logrotate (without size restriction) - nextcloud_occ config:system:set log_rotate_size --value=0 - - # Configure logrotate to rotate logs for us (max 10, every day a new one) - cat << NEXTCLOUD_CONF > /etc/logrotate.d/nextcloud.log.conf -$VMLOGS/nextcloud.log { -daily -rotate 10 -} -NEXTCLOUD_CONF - - # Set needed ownerchip for the nextcloud log folder to work correctly - chown www-data:www-data "${VMLOGS}"/ - - msg_box "Logrotate was successfully enabled." "$SUBTITLE" - fi - ;;& - *) - ;; -esac -exit diff --git a/wordpress-startup-script.sh b/wordpress-startup-script.sh index 7d06d6a..867f070 100644 --- a/wordpress-startup-script.sh +++ b/wordpress-startup-script.sh @@ -143,7 +143,7 @@ chmod +x -R $SCRIPTS chown root:root -R $SCRIPTS # Allow wordpress to run figlet script -chown "$SUDO_USER":"$SUDO_USER" $SCRIPTS/wordpress.sh +chown "$UNIXUSER":"$UNIXUSER" $SCRIPTS/wordpress.sh clear msg_box"This script will do the final setup for you @@ -165,7 +165,7 @@ msg_box "PLEASE NOTE: [#] Please read the on-screen instructions carefully, they will guide you through the setup. [#] When complete it will delete all the *.sh, *.html, *.tar, *.zip inside: /root - /home/$SUDO_USER + /home/$UNIXUSER [#] Please consider donating if you like the product: https://shop.hanssonit.se/product-category/donate/ [#] You can also ask for help here: diff --git a/wordpress_install.sh b/wordpress_install.sh index d005095..30b5290 100644 --- a/wordpress_install.sh +++ b/wordpress_install.sh 
@@ -389,17 +389,17 @@ mv wp-cli.phar /usr/local/bin/wp # Add www-data in sudoers { echo "# WP-CLI" -echo "$SUDO_USER ALL=(www-data) NOPASSWD: /usr/local/bin/wp" +echo "$UNIXUSER ALL=(www-data) NOPASSWD: /usr/local/bin/wp" echo "root ALL=(www-data) NOPASSWD: /usr/local/bin/wp" } >> /etc/sudoers # Create dir mkdir -p "$WPATH" chown -R www-data:www-data "$WPATH" -if [ ! -d /home/"$SUDO_USER"/.wp-cli ] +if [ ! -d /home/"$UNIXUSER"/.wp-cli ] then - mkdir -p /home/"$SUDO_USER"/.wp-cli/ - chown -R www-data:www-data /home/"$SUDO_USER"/.wp-cli/ + mkdir -p /home/"$UNIXUSER"/.wp-cli/ + chown -R www-data:www-data /home/"$UNIXUSER"/.wp-cli/ fi # Create wp-cli.yml From 340b41e0a944bee7162d8276c9017b528e3c0142 Mon Sep 17 00:00:00 2001 From: enoch85 Date: Sat, 24 Oct 2020 21:07:08 +0200 Subject: [PATCH 43/86] some more fixes Signed-off-by: enoch85 --- apps/bpytop.sh | 77 ++++++++++++++++++++++++++++++++ apps/midnight-commander.sh | 72 ++++++++++++++++++++++++++++++ apps/netdata.sh | 91 ++++++++++++++++++++++++++++++++++++++ 3 files changed, 240 insertions(+) create mode 100644 apps/bpytop.sh create mode 100644 apps/midnight-commander.sh create mode 100644 apps/netdata.sh diff --git a/apps/bpytop.sh b/apps/bpytop.sh new file mode 100644 index 0000000..2872d8d --- /dev/null +++ b/apps/bpytop.sh 
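Review bot: The two rules are appended straight to `/etc/sudoers` with no syntax check, and the first starts with `$UNIXUSER`; if that variable is empty the line begins with ` ALL=(www-data)`, a parse error that can leave sudo unusable for every account. Write the rules to a separate file under `/etc/sudoers.d/`, validate it with `visudo -cf` before it goes live, and make the expansion fail early with `echo "${UNIXUSER:?} ALL=(www-data) NOPASSWD: /usr/local/bin/wp"`. The append is also not idempotent, so a second run duplicates the block. Further down, `/home/"$UNIXUSER"/.wp-cli/` is handed to www-data inside another user's home directory; a comment saying why that ownership is needed would help the next reader.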
@@ -0,0 +1,77 @@ +#!/bin/bash + +# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/ + +# shellcheck disable=2034,2059 +true +SCRIPT_NAME="BPYTOP" +SCRIPT_EXPLAINER="BPYTOP is an amazing alternative to resource-monitor software like top or htop." +# shellcheck source=lib.sh +source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) + +# Check for errors + debug code and abort if something isn't right +# 1 = ON +# 0 = OFF +DEBUG=0 +debug_mode + +# Must be root +root_check + +# Needed for snaps to run +install_if_not snapd + +# Check if bpytop is already installed +if ! snap list | grep -q bpytop +then + # Ask for installing + install_popup "$SCRIPT_NAME" +else + # Ask for removal or reinstallation + reinstall_remove_menu "$SCRIPT_NAME" + # Removal + if [ -f /home/"$UNIXUSER"/.bash_aliases ] + then + sed -i "s|.*bpytop'||g" /home/"$UNIXUSER"/.bash_aliases + fi + if [ -f /root/.bash_aliases ] + then + sed -i "s|.*bpytop'||g" /root/.bash_aliases + fi + snap remove bpytop + # Show successful uninstall if applicable + removal_popup "$SCRIPT_NAME" +fi + +# Install it! +if snap install bpytop +then + snap connect bpytop:mount-observe + snap connect bpytop:network-control + snap connect bpytop:hardware-observe + snap connect bpytop:system-observe + snap connect bpytop:process-control + snap connect bpytop:physical-memory-observe + hash -r + msg_box "BPYTOP is now installed! Check out the amazing stats by runnning 'bpytop' from your CLI. +You can check out their Gihub repo here: https://github.com/aristocratos/bpytop/blob/master/README.md" + # Ask for aliases + if [ -f /root/.bash_aliases ] + then + if yesno_box_yes "Would you like to add an alias for bpytop to replace both htop and top?" 
+ then + echo "alias top='bpytop'" >> /root/.bash_aliases + echo "alias htop='bpytop'" >> /root/.bash_aliases + if [ -d /home/"$UNIXUSER" ] + then + touch /home/"$UNIXUSER"/.bash_aliases + chown "$UNIXUSER":"$UNIXUSER" /home/"$UNIXUSER"/.bash_aliases + echo "alias top='bpytop'" >> /home/"$UNIXUSER"/.bash_aliases + echo "alias htop='bpytop'" >> /home/"$UNIXUSER"/.bash_aliases + fi + msg_box "Alias for bpytop is now set! You can now type both 'htop' and 'top' in your CLI to use bpytop." + fi + fi +else + msg_box "It seems like the installation of BPYTOP failed. Please try again." +fi diff --git a/apps/midnight-commander.sh b/apps/midnight-commander.sh new file mode 100644 index 0000000..22073b4 --- /dev/null +++ b/apps/midnight-commander.sh 
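Review bot: The six `snap connect` calls give the snap broad interfaces, among them `process-control` and `physical-memory-observe`, with no comment on why each is needed and no check that the connection succeeded. A comment above the block, for example `# Interfaces bpytop needs to read process, disk and network stats; see the upstream README`, plus wrapping each call in the library's `check_command`, would make the grant deliberate and visible. The aliases then route root's `top` and `htop` to that snap, and the `echo … >>` lines append again on every reinstall. Putting `grep -q "alias top='bpytop'" /root/.bash_aliases ||` in front of the append keeps the file from accumulating duplicates.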
@@ -0,0 +1,72 @@ +#!/bin/bash + +# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/ +# Copyright © 2020 Simon Lindner (https://github.com/szaimen) + +# shellcheck disable=2034,2059 +true +SCRIPT_NAME="Midnight Commander" +SCRIPT_EXPLAINER="The Midnight Commander is a directory browsing and file manipulation program \ +that provides a flexible, powerful, and convenient set of file and directory operations. +It is capable of running in either a console or an xterm under X11. +Its basic operation is easily mastered by the novice while providing a rich feature set and extensive customization." +# shellcheck source=lib.sh +source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) + +# Check for errors + debug code and abort if something isn't right +# 1 = ON +# 0 = OFF +DEBUG=0 +debug_mode + +# Check if root +root_check + +# Check if webmin is already installed +if ! is_this_installed mc +then + # Ask for installing + install_popup "$SCRIPT_NAME" +else + # Ask for removal or reinstallation + reinstall_remove_menu "$SCRIPT_NAME" + # Removal + apt purge mc -y + apt autoremove -y + # Show successful uninstall if applicable + removal_popup "$SCRIPT_NAME" +fi + +# Install mc +check_command apt install mc -y + +# Show successful installation +msg_box "Midnight Commander was successfully installed. +You can launch it by running 'mc' in the CLI." + +# Allow to install a dark theme +if ! yesno_box_yes "Do you want to install a dark theme for Midnight Commander?" +then + exit +fi + +# Install dark theme +print_text_in_color "$ICyan" "Installing dark theme for Midnight Commander..." 
+USER_HOMES=$(find /home -mindepth 1 -maxdepth 1 -type d) +mapfile -t USER_HOMES <<< "$USER_HOMES" +USER_HOMES+=(/root) +for user_home in "${USER_HOMES[@]}" +do + mkdir -p "$user_home/.config/mc" + cat << MC_INI > "$user_home/.config/mc/ini" +[Colors] +base_color=linux:normal=white,black:marked=yellow,black:input=,green:menu=black:menusel=white:\ +menuhot=red,:menuhotsel=black,red:dfocus=white,black:dhotnormal=white,black:\ +dhotfocus=white,black:executable=,black:directory=white,black:link=white,black:\ +device=white,black:special=white,black:core=,black:stalelink=red,black:editnormal=white,black +MC_INI +done + +# Inform the user +msg_box "The dark theme for Midnight Commander was successfully applied." +exit diff --git a/apps/netdata.sh b/apps/netdata.sh new file mode 100644 index 0000000..eae072e --- /dev/null +++ b/apps/netdata.sh 
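Review bot: The theme loop runs as root and does `mkdir -p` and `cat … >` inside every directory under `/home`, so the new `.config/mc` tree ends up owned by root and root writes through whatever already sits at that path, including a symlink a user placed there. Doing both steps as the directory's owner avoids that: `home_owner=$(stat -c '%U' "$user_home")`, `sudo -u "$home_owner" mkdir -p "$user_home/.config/mc"`, and feed the here-document to `sudo -u "$home_owner" tee "$user_home/.config/mc/ini" > /dev/null`. An existing `ini` is overwritten without a backup, so skipping homes where the file already exists is worth considering. The comment `# Check if webmin is already installed` above the `is_this_installed mc` test should read `# Check if Midnight Commander is already installed`.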
@@ -0,0 +1,91 @@ +#!/bin/bash + +# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/ + +# shellcheck disable=2034,2059 +true +SCRIPT_NAME="Netdata" +SCRIPT_EXPLAINER="Netdata is an open source tool designed to collect real-time metrics, \ +such as CPU usage, disk activity, bandwidth usage, website visits, etc., \ +and then display them in live, easy-to-interpret charts. +The tool is designed to visualize activity in the greatest possible detail, \ +allowing the user to obtain an overview of what is happening \ +and what has just happened in their system or application." +# shellcheck source=lib.sh +source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) + +# Check for errors + debug code and abort if something isn't right +# 1 = ON +# 0 = OFF +DEBUG=0 +debug_mode + +# Must be root +root_check + +# Check if netdata is already installed +if ! [ -d /etc/netdata ] +then + # Ask for installing + install_popup "$SCRIPT_NAME" +else + # Ask for removal or reinstallation + reinstall_remove_menu "$SCRIPT_NAME" + # Removal + if [ -f /usr/src/netdata.git/netdata-uninstaller.sh ] + then + if ! 
yes no | bash /usr/src/netdata.git/netdata-uninstaller.sh --force + then + rm -Rf /usr/src/netdata.git + fi + elif [ -f /usr/libexec/netdata-uninstaller.sh ] + then + yes no | bash /usr/libexec/netdata-uninstaller.sh --yes + elif [ -f /usr/libexec/netdata/netdata-uninstaller.sh ] + then + bash /usr/libexec/netdata/netdata-uninstaller.sh --force --yes + else + check_command curl_to_dir https://raw.githubusercontent.com/netdata/netdata/master/packaging/installer netdata-uninstaller.sh $SCRIPTS + check_command bash $SCRIPTS/netdata-uninstaller.sh --force --yes + rm $SCRIPTS/netdata-uninstaller.sh + rm -rf /var/lib/netdata + fi + rm -rf /etc/netdata + # Show successful uninstall if applicable + removal_popup "$SCRIPT_NAME" +fi + +# Install +is_process_running dpkg +is_process_running apt +apt update -q4 & spinner_loading +curl_to_dir https://my-netdata.io kickstart.sh $SCRIPTS +sudo -u "$UNIXUSER" bash $SCRIPTS/kickstart.sh all --dont-wait --no-updates --stable-channel +rm -f $SCRIPTS/kickstart.sh + +# Check Netdata instructions after script is done +any_key "Please check information above and press any key to continue..." + +# Installation done? +if [ -d /etc/netdata ] +then + msg_box "Netdata is now installed and can be accessed from this address: + +http://$ADDRESS:19999 + +If you want to reach it from the internet you need to open port 19999 in your firewall. +If you don't know how to open ports, please follow this guide: +https://www.techandme.se/open-port-80-443/ + +After you have opened the correct port, then you can visit Netdata from your domain: + +http://$(hostname -f):19999 and or http://yourdomanin.com:19999 + +You can find more configuration options in their WIKI: +https://docs.netdata.cloud/daemon/config#configuration-guide" + +# Cleanup +rm -rf /tmp/netdata* +fi + +exit From aa64c7eef2b34fc5bbdc512d8a55d74ca659c9c1 Mon Sep 17 00:00:00 2001 From: enoch85 Date: Sat, 24 Oct 2020 21:10:05 +0200 Subject: [PATCH 44/86] lib fixes 
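Review bot: `kickstart.sh` is downloaded and executed on consecutive lines with no check that the download succeeded or that the file is the one expected, unlike the uninstaller branch above it, which goes through `check_command`. Use `check_command curl_to_dir https://my-netdata.io kickstart.sh "$SCRIPTS"` and compare the file's checksum with a value pinned in this script before the `sudo -u "$UNIXUSER" bash` line; the uninstaller fetched from the `master` branch deserves the same pin. The closing message tells the user to open port 19999 and reach the dashboard over plain `http://`. A sentence there recommending a reverse proxy with TLS and authentication, or limiting the port to trusted addresses, would be safer default advice.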
Signed-off-by: enoch85 --- lib.sh | 4 +--- static/wp-permissions.sh | 0 2 files changed, 1 insertion(+), 3 deletions(-) mode change 100755 => 100644 static/wp-permissions.sh diff --git a/lib.sh b/lib.sh index 2ad30e0..d910b5b 100644 --- a/lib.sh +++ b/lib.sh @@ -99,8 +99,6 @@ ROOT_PROFILE="/root/.bash_profile" # Database SHUF=$(shuf -i 25-29 -n 1) -PGDB_PASS=$(gen_passwd "$SHUF" "a-zA-Z0-9@#*=") -NEWPGPASS=$(gen_passwd "$SHUF" "a-zA-Z0-9@#*=") WPDBNAME=wordpress_by_www_hanssonit_se WPADMINUSER=wordpress_db_user MARIADB_PASS=$(tr -dc "a-zA-Z0-9@#*=" < /dev/urandom | fold -w "$SHUF" | head -n 1) @@ -136,7 +134,7 @@ HTTP_CONF="wordpress_http_domain_self_signed.conf" SECURE="$SCRIPTS/wp-permissions.sh" ETCMYCNF="/etc/mysql/my.cnf" NGINX_CONF="/etc/nginx/nginx.conf" -NGINX_DEF="/etc/nginx/sites-available/default" +NGINX_DEF="$SITES_AVAILABLE/default" # PHP-FPM PHPVER=7.4 diff --git a/static/wp-permissions.sh b/static/wp-permissions.sh old mode 100755 new mode 100644 From 992285da6c964e6984095a4c730691d873b1e7f5 Mon Sep 17 00:00:00 2001 From: enoch85 Date: Sat, 24 Oct 2020 21:12:28 +0200 Subject: [PATCH 45/86] bug Signed-off-by: enoch85 --- wordpress-startup-script.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/wordpress-startup-script.sh b/wordpress-startup-script.sh index 867f070..4f1c40c 100644 --- a/wordpress-startup-script.sh +++ b/wordpress-startup-script.sh @@ -283,7 +283,7 @@ rm -f "$SCRIPTS/wordpress_configuration.sh" rm -f "$SCRIPTS/additional_apps.sh" rm -f "$SCRIPTS/adduser.sh" find /root /home/"$UNIXUSER" -type f \( -name '*.sh*' -o -name '*.html*' -o -name '*.tar*' -o -name 'results' -o -name '*.zip*' \) -delete -find "WPATH" -type f \( -name 'results' -o -name '*.sh*' \) -delete +find "$WPATH" -type f \( -name 'results' -o -name '*.sh*' \) -delete sed -i "s|instruction.sh|wordpress.sh|g" /home/"$UNIXUSER"/.bash_profile truncate -s 0 \ From 1315c6b74c8752c4c2af663e450edbd367fd6bac Mon Sep 17 00:00:00 2001 
From: enoch85 Date: Sat, 24 Oct 2020 21:17:13 +0200 Subject: [PATCH 46/86] menu fixes Signed-off-by: enoch85 --- menu/additional_apps.sh | 3 +-- wordpress_install.sh | 15 --------------- 2 files changed, 1 insertion(+), 17 deletions(-) diff --git a/menu/additional_apps.sh b/menu/additional_apps.sh index ed3170b..3028867 100644 --- a/menu/additional_apps.sh +++ b/menu/additional_apps.sh @@ -44,8 +44,7 @@ $CHECKLIST_GUIDE\n\n$RUN_LATER_GUIDE" "$WT_HEIGHT" "$WT_WIDTH" 4 \ "Netdata" "(Real-time server monitoring in Web GUI)" OFF \ "BPYTOP" "(Real-time server monitoring in CLI)" OFF \ "Midnight Commander" "(CLI file manager)" OFF \ -"Webmin" "(Server GUI like Cpanel)" "$STARTUP_SWITCH" \ - +"Webmin" "(Server GUI like Cpanel)" "$STARTUP_SWITCH" 3>&1 1>&2 2>&3) case "$choice" in *"Fail2ban "*) print_text_in_color "$ICyan" "Downloading the Fail2ban Menu..." diff --git a/wordpress_install.sh b/wordpress_install.sh index 30b5290..a7c01a0 100644 --- a/wordpress_install.sh +++ b/wordpress_install.sh @@ -315,21 +315,6 @@ check_command echo "$REDIS_PASS" > $REDISPTXT # Install Redis (distrubuted cache) run_script ADDONS redis-server-ubuntu -# Install smbclient -# php"$PHPVER"-smbclient does not yet work in PHP 7.4 -install_if_not libsmbclient-dev -yes no | pecl install smbclient -if [ ! -f $PHP_MODS_DIR/smbclient.ini ] -then - touch $PHP_MODS_DIR/smbclient.ini -fi -if ! grep -qFx extension=smbclient.so $PHP_MODS_DIR/smbclient.ini -then - echo "# PECL smbclient" > $PHP_MODS_DIR/smbclient.ini - echo "extension=smbclient.so" >> $PHP_MODS_DIR/smbclient.ini - check_command phpenmod -v ALL smbclient -fi - # Enable igbinary for PHP # https://github.com/igbinary/igbinary if is_this_installed "php$PHPVER"-dev From 1b102ec9983c2253d6a529662b7d6a9c674e687d Mon Sep 17 00:00:00 2001 From: enoch85 Date: Sat, 24 Oct 2020 21:26:16 +0200 Subject: [PATCH 47/86] fixes Signed-off-by: enoch85 --- apps/fail2ban.sh | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) 
diff --git a/apps/fail2ban.sh b/apps/fail2ban.sh index c4728c2..73654f6 100644 --- a/apps/fail2ban.sh +++ b/apps/fail2ban.sh @@ -6,17 +6,14 @@ # shellcheck disable=2034,2059 true SCRIPT_NAME="Fail2ban" -SCRIPT_EXPLAINER="Fail2ban provides extra Brute Force protextion for Nextcloud. -It scans the Nextcloud and SSH log files and bans IPs that show malicious \ -signs -- too many password failures, seeking for exploits, etc. +SCRIPT_EXPLAINER="Fail2ban provides extra Brute Force protextion for Wordpress. +It scans the Wordpress and SSH log files and bans IPs that show malicious \ +signs -- too many password failures, seeking for exploits, etc. Generally Fail2Ban is then used to update firewall rules to \ reject the IP addresses for a specified amount of time." # shellcheck source=lib.sh source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) -# Get all needed variables from the library -nc_update - # Check for errors + debug code and abort if something isn't right # 1 = ON # 0 = OFF From e92aaf613e7079047d984a31688fafbbb500372a Mon Sep 17 00:00:00 2001 From: enoch85 Date: Sat, 24 Oct 2020 21:27:31 +0200 Subject: [PATCH 48/86] fixes Signed-off-by: enoch85 --- menu/server_configuration.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/menu/server_configuration.sh b/menu/server_configuration.sh index 82f02d0..db62c96 100644 --- a/menu/server_configuration.sh +++ b/menu/server_configuration.sh 
@@ -51,7 +51,7 @@ $CHECKLIST_GUIDE\n\n$RUN_LATER_GUIDE" "$WT_HEIGHT" "$WT_WIDTH" 4 \ "DDclient Configuration" "(Use ddclient for automatic DDNS updates)" OFF \ "Activate TLS" "(Enable HTTPS with Let's Encrypt)" "$ACTIVATE_TLS_SWITCH" \ "Automatic updates" "(Automatically update your server every week on Sundays)" OFF \ -"SMTP Mail" "(Enable beeing notified by mail from your server)" OFF \ +"SMTP Mail" "(Enable beeing notified by mail from your server)" OFF 3>&1 1>&2 2>&3) case "$choice" in *"Static IP"*) From 74225f30bc03a4aaf52bef2ea9f0b26b0d3c2abb Mon Sep 17 00:00:00 2001 From: enoch85 Date: Sat, 24 Oct 2020 21:31:54 +0200 Subject: [PATCH 49/86] automatic updates Signed-off-by: enoch85 --- addons/automatic_updates.sh | 45 +++++++++++++++++++++++++++++++++++++ 1 file changed, 45 insertions(+) create mode 100644 addons/automatic_updates.sh diff --git a/addons/automatic_updates.sh b/addons/automatic_updates.sh new file mode 100644 index 0000000..49e5bb5 --- /dev/null +++ b/addons/automatic_updates.sh 
@@ -0,0 +1,45 @@ +#!/bin/bash + +# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/ + +# shellcheck disable=2034,2059 +true +SCRIPT_NAME="Automatic Updates" +# shellcheck source=lib.sh +source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) + +print_text_in_color "$ICyan" "Configuring automatic updates..." + +# Check for errors + debug code and abort if something isn't right +# 1 = ON +# 0 = OFF +DEBUG=0 +debug_mode + +# Check if root +root_check + +msg_box "This option will update your server every week on Saturdays at $AUT_UPDATES_TIME:00. +The update will run the built in script '$SCRIPTS/update.sh' which will update both the server packages and Wordpress itself. + +Please keep in mind that automatic updates might fail hence it's +important to have a proper backup in place if you plan to run this option. + +You can disable the automatic updates by entering the crontab file like this: +'sudo crontab -e -u root' +Then just put a hash (#) in front of the row that you want to disable. + +In the next step you will be able to choose to proceed or exit." "$SUBTITLE" + +if yesno_box_yes "Do you want to enable automatic updates?" +then + # TODO: delete the following line after a few releases. It was copied to the install-script. + touch $VMLOGS/update.log + crontab -u root -l | { cat; echo "0 $AUT_UPDATES_TIME * * 6 $SCRIPTS/update.sh >> $VMLOGS/update.log"; } | crontab -u root - + if yesno_box_yes "Do you want to reboot your server after every update? *recommended*" + then + sed -i "s|exit|/sbin/shutdown -r +1|g" "$SCRIPTS"/update.sh + echo "exit" >> "$SCRIPTS"/update.sh + fi + msg_box "Please remember to keep backups in case something should go wrong, you never know." "$SUBTITLE" +fi From ffc9e8734cc36c11c09d6231681272736d85de75 Mon Sep 17 00:00:00 2001 From: enoch85 Date: Sat, 24 Oct 2020 21:42:04 +0200 Subject: [PATCH 50/86] fixes 
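Review bot: The reboot option in addons/automatic_updates.sh rewrites every occurrence of the string `exit` in `$SCRIPTS/update.sh`, because `sed -i "s|exit|/sbin/shutdown -r +1|g"` is neither anchored to a whole line nor limited to the final statement. If update.sh contains early aborts such as `exit 1` after a failed check (its content is not visible here), those would schedule a reboot and let execution continue instead of stopping, and a second run of this script also converts the `exit` that was appended the first time. Wrap the two lines in `if ! grep -qF "/sbin/shutdown -r +1" "$SCRIPTS"/update.sh` and anchor the pattern, `sed -i "s|^exit$|/sbin/shutdown -r +1|" "$SCRIPTS"/update.sh`. The crontab entry is likewise appended unconditionally, so a repeat run adds a second weekly job.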
Signed-off-by: enoch85 --- apps/adminer.sh | 1 - apps/fail2ban.sh | 3 +-- apps/netdata.sh | 8 ++++++++ 3 files changed, 9 insertions(+), 3 deletions(-) diff --git a/apps/adminer.sh b/apps/adminer.sh index 987f415..9e211dc 100644 --- a/apps/adminer.sh +++ b/apps/adminer.sh @@ -28,7 +28,6 @@ else reinstall_remove_menu "$SCRIPT_NAME" # Removal check_external_ip # Check that the script can see the external IP (apache fails otherwise) - a2disconf adminer.conf rm -f $ADMINER_CONF rm -rf $ADMINERDIR check_command apt-get purge adminer -y diff --git a/apps/fail2ban.sh b/apps/fail2ban.sh index 73654f6..23972fb 100644 --- a/apps/fail2ban.sh +++ b/apps/fail2ban.sh @@ -34,9 +34,8 @@ else # Removal print_text_in_color "$ICyan" "Unbanning all currently blocked IPs..." fail2ban-client unban --all - rm /etc/fail2ban/filter.d/wordpress.conf - rm /etc/fail2ban/jail.local check_command apt-get purge fail2ban -y + rm -Rf /etc/fail2ban/ # Show successful uninstall if applicable removal_popup "$SCRIPT_NAME" fi diff --git a/apps/netdata.sh b/apps/netdata.sh index eae072e..e650233 100644 --- a/apps/netdata.sh +++ b/apps/netdata.sh @@ -23,6 +23,14 @@ debug_mode # Must be root root_check +# Can't be run as pure root user +if [ -z $UNIXUSER ] +then + msg_box "You can't run this script as a pure root user. You need to issue the following command: +sudo -u regular_user sudo bash $SCRIPTS/menu.sh + +Then choose "Additional Apps --> Netdata" + # Check if netdata is already installed if ! [ -d /etc/netdata ] then From 36008a5bcbb4e00c6a142c2f6e9250dc40d18c16 Mon Sep 17 00:00:00 2001 From: enoch85 Date: Sat, 24 Oct 2020 21:53:55 +0200 Subject: [PATCH 51/86] fix secure bug Signed-off-by: enoch85 --- wordpress_install.sh | 3 --- 1 file changed, 3 deletions(-) diff --git a/wordpress_install.sh b/wordpress_install.sh index a7c01a0..ef16e74 100644 --- a/wordpress_install.sh +++ b/wordpress_install.sh 
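Review bot: The new `[ -z $UNIXUSER ]` guard in apps/netdata.sh only shows a message box and never stops the script, so a run without a regular user continues into the install steps, which later call `sudo -u "$UNIXUSER"`. Add `exit 1` directly after the `msg_box` call. As committed here the block also has no closing `fi`, and the inner quotes around `"Additional Apps --> Netdata"` end the message string early; patches 54 and 55 later in this series address those two and patch 56 quotes the variable, but none of them adds the exit. The rest of the script lies outside the hunk.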
@@ -917,9 +917,6 @@ for db in $databases; do fi done -# Set secure permissions final (./data/.htaccess has wrong permissions otherwise) -bash $SECURE & spinner_loading - # Put IP adress in /etc/issue (shown before the login) if [ -f /etc/issue ] then From 64cb56045eaeefeb2aa2e7010bd0d2f696c820dd Mon Sep 17 00:00:00 2001 From: enoch85 Date: Sat, 24 Oct 2020 22:24:43 +0200 Subject: [PATCH 52/86] more fixes Signed-off-by: enoch85 --- apps/adminer.sh | 2 +- lib.sh | 4 ++-- static/change-wordpress-profile.sh | 2 +- wordpress-startup-script.sh | 7 +------ 4 files changed, 5 insertions(+), 10 deletions(-) diff --git a/apps/adminer.sh b/apps/adminer.sh index 9e211dc..1d64ebe 100644 --- a/apps/adminer.sh +++ b/apps/adminer.sh @@ -47,7 +47,7 @@ apt update -q4 & spinner_loading install_if_not adminer curl_to_dir "http://www.adminer.org" "latest.php" "$ADMINERDIR" curl_to_dir "https://raw.githubusercontent.com/Niyko/Hydra-Dark-Theme-for-Adminer/master" "adminer.css" "$ADMINERDIR" -ln -s "$ADMINERDIR"/latest.php "$ADMINERDIR"/adminer.php +check_command mv "$ADMINERDIR"/latest.php "$ADMINERDIR"/adminer.php # Only add TLS 1.3 on Ubuntu later than 20.04 if version 20.04 "$DISTRO" 20.04.10 diff --git a/lib.sh b/lib.sh index d910b5b..c89f29f 100644 --- a/lib.sh +++ b/lib.sh @@ -100,11 +100,11 @@ ROOT_PROFILE="/root/.bash_profile" # Database SHUF=$(shuf -i 25-29 -n 1) WPDBNAME=wordpress_by_www_hanssonit_se -WPADMINUSER=wordpress_db_user +WPADMINUSER=wordpress_gui_admin_user MARIADB_PASS=$(tr -dc "a-zA-Z0-9@#*=" < /dev/urandom | fold -w "$SHUF" | head -n 1) WPDBPASS=$(tr -dc "a-zA-Z0-9@#*=" < /dev/urandom | fold -w "$SHUF" | head -n 1) NEWMARIADBPASS=$(tr -dc "a-zA-Z0-9@#*=" < /dev/urandom | fold -w "$SHUF" | head -n 1) -WPDBUSER=wordpress_user +WPDBUSER=wordpress_db_user WPADMINPASS=$(tr -dc "a-zA-Z0-9@#*=" < /dev/urandom | fold -w "$SHUF" | head -n 1) MYCNF=/root/.my.cnf wpdb() { 
diff --git a/static/change-wordpress-profile.sh b/static/change-wordpress-profile.sh index 5a27406..e1649c9 100644 --- a/static/change-wordpress-profile.sh +++ b/static/change-wordpress-profile.sh @@ -13,7 +13,7 @@ true DEBUG=0 debug_mode -rm "/home/$UNIXUSER/.profile" +rm -f "/home/$UNIXUSER/.profile" cat <<-UNIXUSER-PROFILE > "$UNIXUSER_PROFILE" # ~/.profile: executed by the command interpreter for login shells. diff --git a/wordpress-startup-script.sh b/wordpress-startup-script.sh index 4f1c40c..704df33 100644 --- a/wordpress-startup-script.sh +++ b/wordpress-startup-script.sh @@ -135,7 +135,6 @@ download_script STATIC change_db_pass download_script STATIC wordpress download_script MENU menu download_script MENU server_configuration -download_script MENU wordpress_configuration download_script MENU additional_apps # Make $SCRIPTS excutable @@ -193,9 +192,6 @@ sleep 3 # Server configurations bash $SCRIPTS/server_configuration.sh -# Nextcloud configuration -bash $SCRIPTS/wordpress_configuration.sh - # Install apps bash $SCRIPTS/additional_apps.sh @@ -217,7 +213,7 @@ done if check_command echo "$UNIXUSER:$UNIX_PASSWORD" | sudo chpasswd then msg_box "The new password for the current CLI user in Ubuntu ($UNIXUSER) is now set to: $UNIX_PASSWORD - + This is used when you login to the Ubuntu CLI." fi unset UNIX_PASSWORD @@ -279,7 +275,6 @@ rm -f "$SCRIPTS/instruction.sh" rm -f "$SCRIPTS/static_ip.sh" rm -f "$SCRIPTS/lib.sh" rm -f "$SCRIPTS/server_configuration.sh" -rm -f "$SCRIPTS/wordpress_configuration.sh" rm -f "$SCRIPTS/additional_apps.sh" rm -f "$SCRIPTS/adduser.sh" find /root /home/"$UNIXUSER" -type f \( -name '*.sh*' -o -name '*.html*' -o -name '*.tar*' -o -name 'results' -o -name '*.zip*' \) -delete From 9f9b62bffe7701ba6d98599e292a9daede84ba54 Mon Sep 17 00:00:00 2001 From: enoch85 Date: Sat, 24 Oct 2020 22:43:52 +0200 Subject: [PATCH 53/86] travis 
Signed-off-by: enoch85 --- lets-encrypt/test-new-config.sh | 6 +++--- wordpress-startup-script.sh | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/lets-encrypt/test-new-config.sh b/lets-encrypt/test-new-config.sh index b0ebc0f..f052018 100644 --- a/lets-encrypt/test-new-config.sh +++ b/lets-encrypt/test-new-config.sh @@ -15,9 +15,9 @@ debug_mode # Activate the new config msg_box "We will now test that everything is OK" -ln -s "$SITES_AVALIABLE"/"$1" "$SITES_ENABLED"/"$1" -rm -f "$SITES_AVALIABLE"/"$HTTP_CONF" -rm -f "$SITES_AVALIABLE"/"$TLS_CONF" +ln -s "$SITES_AVAILABLE"/"$1" "$SITES_ENABLED"/"$1" +rm -f "$SITES_AVAILABLE"/"$HTTP_CONF" +rm -f "$SITES_AVAILABLE"/"$TLS_CONF" rm -f "$NGINX_DEF" rm -f "$SITES_ENABLED"/default if restart_webserver diff --git a/wordpress-startup-script.sh b/wordpress-startup-script.sh index 704df33..39b89fa 100644 --- a/wordpress-startup-script.sh +++ b/wordpress-startup-script.sh @@ -333,7 +333,7 @@ msg_box "TIPS & TRICKS: 3. To update this server just type: sudo bash /var/scripts/update.sh 4. Install apps, configure Wordpress, and server: sudo bash $SCRIPTS/menu.sh 5. To allow access to wp-login.php, please edit your nginx virtual hosts file. - You can find it here: $HTTP_CONF" + You can find it here: $HTTP_CONF BUGS & SUPPORT: - SUPPORT: https://shop.hanssonit.se/product/premium-support-per-30-minutes/ From d68a2385bbc5d6be310457831fd57c4fb40a5b1f Mon Sep 17 00:00:00 2001 From: enoch85 Date: Sat, 24 Oct 2020 22:48:47 +0200 Subject: [PATCH 54/86] travis Signed-off-by: enoch85 --- apps/netdata.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apps/netdata.sh b/apps/netdata.sh index e650233..edada27 100644 --- a/apps/netdata.sh +++ b/apps/netdata.sh 
@@ -29,7 +29,7 @@ then msg_box "You can't run this script as a pure root user. You need to issue the following command: sudo -u regular_user sudo bash $SCRIPTS/menu.sh -Then choose "Additional Apps --> Netdata" +Then choose Additional Apps --> Netdata" # Check if netdata is already installed if ! [ -d /etc/netdata ] From 7050272f27712bc85cd88d6bb0d06fbd6d01f964 Mon Sep 17 00:00:00 2001 From: enoch85 Date: Sat, 24 Oct 2020 23:08:32 +0200 Subject: [PATCH 55/86] remove wget Signed-off-by: enoch85 --- addons/security.sh | 122 ------------------------------------- apps/netdata.sh | 1 + static/ntpdate.sh | 20 ------ static/security.sh | 121 ------------------------------------ static/wordpress_update.sh | 2 +- wordpress_install.sh | 10 +-- 6 files changed, 7 insertions(+), 269 deletions(-) delete mode 100644 addons/security.sh delete mode 100644 static/ntpdate.sh delete mode 100644 static/security.sh diff --git a/addons/security.sh b/addons/security.sh deleted file mode 100644 index 6d3a8ac..0000000 --- a/addons/security.sh +++ /dev/null 
@@ -1,122 +0,0 @@ -#!/bin/bash - -# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/ - -# REMOVE disable of SC2154 WHEN PUTTING SPAMHAUS IN PRODUCTION (it's just to fixing travis for now) -# shellcheck disable=2034,2059,SC2154 -true -SCRIPT_NAME="Setup Extra Security" -# shellcheck source=lib.sh -source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) - -# Check for errors + debug code and abort if something isn't right -# 1 = ON -# 0 = OFF -DEBUG=0 -debug_mode - -# Check if root -root_check - -print_text_in_color "$ICyan" "Installing Extra Security..." - -# Based on: http://www.techrepublic.com/blog/smb-technologist/secure-your-apache-server-from-ddos-slowloris-and-dns-injection-attacks/ - -# Protect against DDOS -apt update -q4 & spinner_loading -apt -y install libapache2-mod-evasive -mkdir -p /var/log/apache2/evasive -chown -R www-data:root /var/log/apache2/evasive -if [ ! -f "$ENVASIVE" ] -then - touch "$ENVASIVE" - cat << ENVASIVE > "$ENVASIVE" -DOSHashTableSize 2048 -DOSPageCount 20 # maximum number of requests for the same page -DOSSiteCount 300 # total number of requests for any object by the same client IP on the same listener -DOSPageInterval 1.0 # interval for the page count threshold -DOSSiteInterval 1.0 # interval for the site count threshold -DOSBlockingPeriod 10.0 # time that a client IP will be blocked for -DOSLogDir -ENVASIVE -fi - -# Protect against Slowloris -#apt -y install libapache2-mod-qos -a2enmod reqtimeout # http://httpd.apache.org/docs/2.4/mod/mod_reqtimeout.html - -# Don't enable SpamHaus now as it's now working anyway -# REMOVE disable of SC2154 WHEN PUTTING SPAMHAUS IN PRODUCTION (it's just to fixing travis for now) -exit - -# Protect against DNS Injection -# Insipired by: https://www.c-rieger.de/nextcloud-13-nginx-installation-guide-for-ubuntu-18-04-lts/#spamhausproject - -# shellcheck disable=SC2016 -DATE='$(date +%Y-%m-%d)' -cat << SPAMHAUS_ENABLE > 
"$SCRIPTS/spamhaus_cronjob.sh" -#!/bin/bash -# Thanks to @ank0m -EXEC_DATE='date +%Y-%m-%d' -SPAMHAUS_DROP="/usr/local/src/drop.txt" -SPAMHAUS_eDROP="/usr/local/src/edrop.txt" -URL="https://www.spamhaus.org/drop/drop.txt" -eURL="https://www.spamhaus.org/drop/edrop.txt" -DROP_ADD_TO_UFW="/usr/local/src/DROP2.txt" -eDROP_ADD_TO_UFW="/usr/local/src/eDROP2.txt" -DROP_ARCHIVE_FILE="/usr/local/src/DROP_{$EXEC_DATE}" -eDROP_ARCHIVE_FILE="/usr/local/src/eDROP_{$EXEC_DATE}" -# All credits for the following BLACKLISTS goes to "The Spamhaus Project" - https://www.spamhaus.org -echo "Start time: $(date)" -echo " " -echo "Download daily DROP file:" -curl -fsSL "$URL" > $SPAMHAUS_DROP -grep -v '^;' $SPAMHAUS_DROP | cut -d ' ' -f 1 > $DROP_ADD_TO_UFW -echo " " -echo "Extract DROP IP addresses and add to UFW:" -cat $DROP_ADD_TO_UFW | while read line -do -/usr/sbin/ufw insert 1 deny from "$line" comment 'DROP_Blacklisted_IPs' -done -echo " " -echo "Downloading eDROP list and import to UFW" -echo " " -echo "Download daily eDROP file:" -curl -fsSL "$eURL" > $SPAMHAUS_eDROP -grep -v '^;' $SPAMHAUS_eDROP | cut -d ' ' -f 1 > $eDROP_ADD_TO_UFW -echo " " -echo "Extract eDROP IP addresses and add to UFW:" -cat $eDROP_ADD_TO_UFW | while read line -do -/usr/sbin/ufw insert 1 deny from "$line" comment 'eDROP_Blacklisted_IPs' -done -echo " " -##### -## To remove or revert these rules, keep the list of IPs! 
-## Run a command like so to remove the rules: -# while read line; do ufw delete deny from $line; done < $ARCHIVE_FILE -##### -echo "Backup DROP IP address list:" -mv $DROP_ADD_TO_UFW $DROP_ARCHIVE_FILE -echo " " -echo "Backup eDROP IP address list:" -mv $eDROP_ADD_TO_UFW $eDROP_ARCHIVE_FILE -echo " " -echo End time: $(date) -SPAMHAUS_ENABLE - -# Make the file executable -chmod +x "$SCRIPTS"/spamhaus_cronjob.sh - -# Add it to crontab -(crontab -l ; echo "10 2 * * * $SCRIPTS/spamhaus_crontab.sh 2>&1") | crontab -u root - - -# Run it for the first time -check_command bash "$SCRIPTS"/spamhaus_cronjob.sh - -# Enable $SPAMHAUS -if sed -i "s|#MS_WhiteList /etc/spamhaus.wl|MS_WhiteList $SPAMHAUS|g" /etc/apache2/mods-enabled/spamhaus.conf -then - print_text_in_color "$IGreen" "Security added!" - restart_webserver -fi diff --git a/apps/netdata.sh b/apps/netdata.sh index edada27..4a288f0 100644 --- a/apps/netdata.sh +++ b/apps/netdata.sh @@ -30,6 +30,7 @@ then sudo -u regular_user sudo bash $SCRIPTS/menu.sh Then choose Additional Apps --> Netdata" +fi # Check if netdata is already installed if ! [ -d /etc/netdata ] diff --git a/static/ntpdate.sh b/static/ntpdate.sh deleted file mode 100644 index 8185c7a..0000000 --- a/static/ntpdate.sh +++ /dev/null @@ -1,20 +0,0 @@ -#!/bin/bash - -# T&M Hansson IT AB © - 2019, https://www.hanssonit.se/ - -# shellcheck disable=2034,2059 -true -# shellcheck source=lib.sh -. <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) - -# Check for errors + debug code and abort if something isn't right -# 1 = ON -# 0 = OFF -DEBUG=0 -debug_mode - -if wget -q -T 10 -t 2 http://google.com > /dev/null -then - ntpdate -s 1.se.pool.ntp.org -fi -exit diff --git a/static/security.sh b/static/security.sh deleted file mode 100644 index 8b73584..0000000 --- a/static/security.sh +++ /dev/null 
@@ -1,121 +0,0 @@ -#!/bin/bash - -# T&M Hansson IT AB © - 2019, https://www.hanssonit.se/ - -# REMOVE disable of SC2154 WHEN PUTTING SPAMHAUS IN PRODUCTION (it's just to fixing travis for now) -# shellcheck disable=2034,2059,SC2154 -true -# shellcheck source=lib.sh -. <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) - -# Check for errors + debug code and abort if something isn't right -# 1 = ON -# 0 = OFF -DEBUG=0 -debug_mode - -# Check if root -root_check - -print_text_in_color "$ICyan" "Installing Extra Security..." - -# Based on: http://www.techrepublic.com/blog/smb-technologist/secure-your-apache-server-from-ddos-slowloris-and-dns-injection-attacks/ - -# Protect against DDOS -apt update -q4 & spinner_loading -apt -y install libapache2-mod-evasive -mkdir -p /var/log/apache2/evasive -chown -R www-data:root /var/log/apache2/evasive -if [ ! -f "$ENVASIVE" ] -then - touch "$ENVASIVE" - cat << ENVASIVE > "$ENVASIVE" -DOSHashTableSize 2048 -DOSPageCount 20 # maximum number of requests for the same page -DOSSiteCount 300 # total number of requests for any object by the same client IP on the same listener -DOSPageInterval 1.0 # interval for the page count threshold -DOSSiteInterval 1.0 # interval for the site count threshold -DOSBlockingPeriod 10.0 # time that a client IP will be blocked for -DOSLogDir -ENVASIVE -fi - -# Protect against Slowloris -#apt -y install libapache2-mod-qos -a2enmod reqtimeout # http://httpd.apache.org/docs/2.4/mod/mod_reqtimeout.html - -# Don't enable SpamHaus now as it's now working anyway -# REMOVE disable of SC2154 WHEN PUTTING SPAMHAUS IN PRODUCTION (it's just to fixing travis for now) -exit - -# Protect against DNS Injection -# Insipired by: https://www.c-rieger.de/nextcloud-13-nginx-installation-guide-for-ubuntu-18-04-lts/#spamhausproject - -# shellcheck disable=SC2016 -DATE='$(date +%Y-%m-%d)' -cat << SPAMHAUS_ENABLE > "$SCRIPTS/spamhaus_cronjob.sh" -#!/bin/bash -# Thanks to @ank0m 
-EXEC_DATE='date +%Y-%m-%d' -SPAMHAUS_DROP="/usr/local/src/drop.txt" -SPAMHAUS_eDROP="/usr/local/src/edrop.txt" -URL="https://www.spamhaus.org/drop/drop.txt" -eURL="https://www.spamhaus.org/drop/edrop.txt" -DROP_ADD_TO_UFW="/usr/local/src/DROP2.txt" -eDROP_ADD_TO_UFW="/usr/local/src/eDROP2.txt" -DROP_ARCHIVE_FILE="/usr/local/src/DROP_{$EXEC_DATE}" -eDROP_ARCHIVE_FILE="/usr/local/src/eDROP_{$EXEC_DATE}" -# All credits for the following BLACKLISTS goes to "The Spamhaus Project" - https://www.spamhaus.org -echo "Start time: $(date)" -echo " " -echo "Download daily DROP file:" -wget -q -O - "$URL" > $SPAMHAUS_DROP -grep -v '^;' $SPAMHAUS_DROP | cut -d ' ' -f 1 > $DROP_ADD_TO_UFW -echo " " -echo "Extract DROP IP addresses and add to UFW:" -cat $DROP_ADD_TO_UFW | while read line -do -/usr/sbin/ufw insert 1 deny from "$line" comment 'DROP_Blacklisted_IPs' -done -echo " " -echo "Downloading eDROP list and import to UFW" -echo " " -echo "Download daily eDROP file:" -wget -q -O - "$eURL" > $SPAMHAUS_eDROP -grep -v '^;' $SPAMHAUS_eDROP | cut -d ' ' -f 1 > $eDROP_ADD_TO_UFW -echo " " -echo "Extract eDROP IP addresses and add to UFW:" -cat $eDROP_ADD_TO_UFW | while read line -do -/usr/sbin/ufw insert 1 deny from "$line" comment 'eDROP_Blacklisted_IPs' -done -echo " " -##### -## To remove or revert these rules, keep the list of IPs! 
-## Run a command like so to remove the rules: -# while read line; do ufw delete deny from $line; done < $ARCHIVE_FILE -##### -echo "Backup DROP IP address list:" -mv $DROP_ADD_TO_UFW $DROP_ARCHIVE_FILE -echo " " -echo "Backup eDROP IP address list:" -mv $eDROP_ADD_TO_UFW $eDROP_ARCHIVE_FILE -echo " " -echo End time: $(date) -SPAMHAUS_ENABLE - -# Make the file executable -chmod +x "$SCRIPTS"/spamhaus_cronjob.sh - -# Add it to crontab -(crontab -l ; echo "10 2 * * * $SCRIPTS/spamhaus_crontab.sh 2>&1") | crontab -u root - - -# Run it for the first time -check_command bash "$SCRIPTS"/spamhaus_cronjob.sh - -# Enable $SPAMHAUS -if sed -i "s|#MS_WhiteList /etc/spamhaus.wl|MS_WhiteList $SPAMHAUS|g" /etc/apache2/mods-enabled/spamhaus.conf -then - print_text_in_color "$IGreen" "Security added!" - restart_webserver -fi diff --git a/static/wordpress_update.sh b/static/wordpress_update.sh index f2682c5..9de18bf 100644 --- a/static/wordpress_update.sh +++ b/static/wordpress_update.sh @@ -102,7 +102,7 @@ if [ -d $ADMINERDIR ] then print_text_in_color "$ICyan" "Updating Adminer..." rm -f "$ADMINERDIR"/latest.php "$ADMINERDIR"/adminer.php - wget -q "http://www.adminer.org/latest.php" -O "$ADMINERDIR"/latest.php + curl_to_dir "http://www.adminer.org" "latest.php" "$ADMINERDIR" ln -s "$ADMINERDIR"/latest.php "$ADMINERDIR"/adminer.php fi diff --git a/wordpress_install.sh b/wordpress_install.sh index ef16e74..d27d566 100644 --- a/wordpress_install.sh +++ b/wordpress_install.sh @@ -263,7 +263,7 @@ sudo systemctl enable nginx.service # Download TLSv 1.3 modified nginx.conf rm -f /etc/nginx/nginx.conf -check_command wget -q $STATIC/nginx.conf -P /etc/nginx/ +curl_to_dir $STATIC nginx.conf /etc/nginx/ # Install PHP 7.4 apt install -y \ 
@@ -438,11 +438,11 @@ echo "WP PASS: $WPADMINPASS" > /var/adminpass.txt chown wordpress:wordpress /var/adminpass.txt # Create welcome post -check_command wget -q $STATIC/welcome.txt -sed -i "s|wordpress_user_login|$WPADMINUSER|g" welcome.txt -sed -i "s|wordpress_password_login|$WPADMINPASS|g" welcome.txt +curl_to_dir "$STATIC" welcome.txt "$SCRIPTS" +sed -i "s|wordpress_user_login|$WPADMINUSER|g" "$SCRIPTS"/welcome.txt +sed -i "s|wordpress_password_login|$WPADMINPASS|g" "$SCRIPTS"/welcome.txt wp_cli_cmd post create ./welcome.txt --post_title='T&M Hansson IT AB - Welcome' --post_status=publish --path=$WPATH -rm -f welcome.txt +rm -f "$SCRIPTS"/welcome.txt wp_cli_cmd post delete 1 --force # Show version From 86ccaf8abeccc82ff150ea3751113a6e853cc2ce Mon Sep 17 00:00:00 2001 From: enoch85 Date: Sat, 24 Oct 2020 23:11:28 +0200 Subject: [PATCH 56/86] travis Signed-off-by: enoch85 --- apps/netdata.sh | 2 +- lets-encrypt/test-new-config.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/apps/netdata.sh b/apps/netdata.sh index 4a288f0..21fb078 100644 --- a/apps/netdata.sh +++ b/apps/netdata.sh @@ -24,7 +24,7 @@ debug_mode root_check # Can't be run as pure root user -if [ -z $UNIXUSER ] +if [ -z "$UNIXUSER" ] then msg_box "You can't run this script as a pure root user. You need to issue the following command: sudo -u regular_user sudo bash $SCRIPTS/menu.sh diff --git a/lets-encrypt/test-new-config.sh b/lets-encrypt/test-new-config.sh index f052018..7977640 100644 --- a/lets-encrypt/test-new-config.sh +++ b/lets-encrypt/test-new-config.sh @@ -79,7 +79,7 @@ else # If it fails, revert changes back to normal rm -f "$SITES_ENABLED"/"$1" - ln -s "$SITES_AVALIABLE"/"$HTTP_CONF" "$SITES_ENABLED" + ln -s "$$SITES_AVAILABLE"/"$HTTP_CONF" "$SITES_ENABLED" restart_webserver msg_box "Couldn't load new config, reverted to old settings. Self-signed TLS is OK!" exit 1 From 889256cbaf9ee9a1b83fe4cfdab116f57c495024 Mon Sep 17 00:00:00 2001 
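Review bot: The welcome-post hunk in wordpress_install.sh now downloads and edits `"$SCRIPTS"/welcome.txt`, but the unchanged `wp_cli_cmd post create ./welcome.txt` line still reads the file from the current directory, so the post is created only if the script happens to run from `$SCRIPTS`. Point it at the same path: `wp_cli_cmd post create "$SCRIPTS"/welcome.txt --post_title='T&M Hansson IT AB - Welcome' --post_status=publish --path=$WPATH`. Separately, the two `sed` lines put the admin password into a post created with `--post_status=publish`; if that post is publicly readable, the credential is exposed until it is changed, which deserves at least a comment at this spot.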
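Review bot: In the revert branch of lets-encrypt/test-new-config.sh, `"$$SITES_AVAILABLE"` expands `$$` to the shell's process ID followed by the literal text `SITES_AVAILABLE`, so `ln -s` creates a dangling link and the fallback to the self-signed HTTP config is not in place when `restart_webserver` runs. The line should read `ln -s "$SITES_AVAILABLE/$HTTP_CONF" "$SITES_ENABLED"`. Patch 58 later in this series requotes the same line but keeps the doubled `$`. The enclosing `if`/`else` starts outside the hunk.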
From: Daniel Hansson Date: Sat, 24 Oct 2020 23:23:29 +0200 Subject: [PATCH 57/86] always ask for alias --- apps/bpytop.sh | 21 +++++++++------------ 1 file changed, 9 insertions(+), 12 deletions(-) diff --git a/apps/bpytop.sh b/apps/bpytop.sh index 2872d8d..22f774b 100644 --- a/apps/bpytop.sh +++ b/apps/bpytop.sh @@ -56,21 +56,18 @@ then msg_box "BPYTOP is now installed! Check out the amazing stats by runnning 'bpytop' from your CLI. You can check out their Gihub repo here: https://github.com/aristocratos/bpytop/blob/master/README.md" # Ask for aliases - if [ -f /root/.bash_aliases ] + if yesno_box_yes "Would you like to add an alias for bpytop to replace both htop and top?" then - if yesno_box_yes "Would you like to add an alias for bpytop to replace both htop and top?" + echo "alias top='bpytop'" >> /root/.bash_aliases + echo "alias htop='bpytop'" >> /root/.bash_aliases + if [ -d /home/"$UNIXUSER" ] then - echo "alias top='bpytop'" >> /root/.bash_aliases - echo "alias htop='bpytop'" >> /root/.bash_aliases - if [ -d /home/"$UNIXUSER" ] - then - touch /home/"$UNIXUSER"/.bash_aliases - chown "$UNIXUSER":"$UNIXUSER" /home/"$UNIXUSER"/.bash_aliases - echo "alias top='bpytop'" >> /home/"$UNIXUSER"/.bash_aliases - echo "alias htop='bpytop'" >> /home/"$UNIXUSER"/.bash_aliases - fi - msg_box "Alias for bpytop is now set! You can now type both 'htop' and 'top' in your CLI to use bpytop." + touch /home/"$UNIXUSER"/.bash_aliases + chown "$UNIXUSER":"$UNIXUSER" /home/"$UNIXUSER"/.bash_aliases + echo "alias top='bpytop'" >> /home/"$UNIXUSER"/.bash_aliases + echo "alias htop='bpytop'" >> /home/"$UNIXUSER"/.bash_aliases fi + msg_box "Alias for bpytop is now set! You can now type both 'htop' and 'top' in your CLI to use bpytop." fi else msg_box "It seems like the installation of BPYTOP failed. Please try again." From 1e5a519ff98532cb997b7be7ac3708120ccc15c7 Mon Sep 17 00:00:00 2001 
From: Daniel Hansson Date: Sat, 24 Oct 2020 23:26:01 +0200 Subject: [PATCH 58/86] travis --- lets-encrypt/test-new-config.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lets-encrypt/test-new-config.sh b/lets-encrypt/test-new-config.sh index 7977640..dd6bbab 100644 --- a/lets-encrypt/test-new-config.sh +++ b/lets-encrypt/test-new-config.sh @@ -79,7 +79,7 @@ else # If it fails, revert changes back to normal rm -f "$SITES_ENABLED"/"$1" - ln -s "$$SITES_AVAILABLE"/"$HTTP_CONF" "$SITES_ENABLED" + ln -s "$$SITES_AVAILABLE/$HTTP_CONF" "$SITES_ENABLED" restart_webserver msg_box "Couldn't load new config, reverted to old settings. Self-signed TLS is OK!" exit 1 From d09906ab7a81006c667c6514af69b7345f07947e Mon Sep 17 00:00:00 2001 From: Daniel Hansson Date: Sat, 24 Oct 2020 23:44:27 +0200 Subject: [PATCH 59/86] Update wordpress_update.sh --- static/wordpress_update.sh | 186 +++++++++++++++++++++++++------------ 1 file changed, 127 insertions(+), 59 deletions(-) diff --git a/static/wordpress_update.sh b/static/wordpress_update.sh index 9de18bf..3d3d08e 100644 --- a/static/wordpress_update.sh +++ b/static/wordpress_update.sh 
@@ -13,69 +13,96 @@ true DEBUG=0 debug_mode -# Check if root -if ! is_root -then - printf "\n${Red}Sorry, you are not root.\n${Color_Off}You must type: ${Cyan}sudo ${Color_Off}bash %s/wordpress_update.sh\n" "$SCRIPTS" - exit 1 -fi +# Must be root +root_check # Check if dpkg or apt is running is_process_running apt is_process_running dpkg -# System Upgrade -apt update -q2 -apt dist-upgrade -y - -# Update Redis PHP extension -print_text_in_color "$ICyan" "Trying to upgrade the Redis PECL extenstion..." -if ! pecl list | grep redis >/dev/null 2>&1 +# Check if /boot is filled more than 90% and exit the script if that's +# the case since we don't want to end up with a broken system +if [ -d /boot ] then - if is_this_installed php"$PHPVER" + if [[ "$(df -h | grep -m 1 /boot | awk '{print $5}' | cut -d "%" -f1)" -gt 90 ]] then - install_if_not php"$PHPVER"-dev - else - install_if_not php7.0-dev + msg_box "It seems like your boot drive is filled more than 90%. \ +You can't proceed to upgrade since it probably will break your system +To be able to proceed with the update you need to delete some old Linux kernels. If you need support, please visit: +https://shop.hanssonit.se/product/premium-support-per-30-minutes/" + exit fi - apt purge php-redis -y - apt autoremove -y - pecl channel-update pecl.php.net - yes no | pecl install redis - service redis-server restart - if nginx -v 2> /dev/null - then - service nginx restart - elif apache2 -v 2> /dev/null +fi + +# Ubuntu 16.04 is deprecated +check_distro_version + +send_mail \ +"Wordpress update started!" \ +"Please don't shutdown or reboot your server during the update! $(date +%T)" +wp_cli_cmd maintenance-mode activate + +# Hold PHP if Ondrejs PPA is used +print_text_in_color "$ICyan" "Fetching latest packages with apt..." +apt update -q4 & spinner_loading +if apt-cache policy | grep "ondrej" >/dev/null 2>&1 +then + print_text_in_color "$ICyan" "Ondrejs PPA is installed. 
\ +Holding PHP to avoid upgrading to a newer version without migration..." + apt-mark hold php* +fi + +# Make sure everyone gets access to menu.sh +download_script MENU menu + +# Make sure fetch_lib.sh is available +download_script STATIC fetch_lib + +export DEBIAN_FRONTEND=noninteractive ; apt dist-upgrade -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" + +# Update Netdata +if [ -d /etc/netdata ] +then + print_text_in_color "$ICyan" "Updating Netdata..." + NETDATA_UPDATER_PATH="$(find /usr -name 'netdata-updater.sh')" + if [ -n "$NETDATA_UPDATER_PATH" ] then - service apache2 restart + install_if_not cmake # Needed for Netdata in newer versions + bash "$NETDATA_UPDATER_PATH" fi -elif pecl list | grep redis >/dev/null 2>&1 +fi + +# Update Redis PHP extension (18.04 --> 20.04 since 16.04 already is deprecated in the top of this script) +print_text_in_color "$ICyan" "Trying to upgrade the Redis PECL extension..." + +# Check current PHP version +check_php + +# Do the upgrade +if pecl list | grep redis >/dev/null 2>&1 then - if is_this_installed php"$PHPVER" + if is_this_installed php"$PHPVER"-common then install_if_not php"$PHPVER"-dev - else - install_if_not php7.0-dev fi pecl channel-update pecl.php.net yes no | pecl upgrade redis - service redis-server restart - if nginx -v 2> /dev/null - then - service nginx restart - elif apache2 -v 2> /dev/null - then - service apache2 restart - fi + systemctl restart redis-server.service +fi + +# Double check if redis.so is enabled +if ! grep -qFx extension=redis.so "$PHP_INI" +then + echo "extension=redis.so" >> "$PHP_INI" fi +restart_webserver # Upgrade APCu and igbinary -if is_this_installed php"$PHPVER" +if is_this_installed php"$PHPVER"-dev then if [ -f "$PHP_INI" ] then - print_text_in_color "$ICyan" "Trying to upgrade igbinary and APCu..." + print_text_in_color "$ICyan" "Trying to upgrade igbinary, and APCu..." if pecl list | grep igbinary >/dev/null 2>&1 then yes no | pecl upgrade igbinary 
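Review bot: `wp_cli_cmd maintenance-mode activate` near the top of this hunk has no cleanup on failure: the only `maintenance-mode deactivate` is in the last hunk (`@@ -160,18 +229,17 @@`), inside the `if wp_cli_cmd core version --extra` success branch. If any step in between ends the script (the `apt dist-upgrade`, a `pecl` step, or a helper that exits on error, which the helpers appear to do), the site stays in maintenance mode until someone notices. Registering the cleanup directly after activation, e.g. `trap 'wp_cli_cmd maintenance-mode deactivate' EXIT`, would cover every exit path. Separately, the bare `exit` in the `/boot` check returns the status of `msg_box`, so a cron wrapper sees success; `exit 1` would report the abort.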
@@ -85,7 +112,7 @@ then echo "extension=igbinary.so" >> "$PHP_INI" fi fi - if pecl list | grep apcu >/dev/null 2>&1 + if pecl list | grep -q apcu then yes no | pecl upgrade apcu # Check if apcu.so is enabled @@ -94,6 +121,15 @@ then echo "extension=apcu.so" >> "$PHP_INI" fi fi + if pecl list | grep -q inotify + then + yes no | pecl upgrade inotify + # Check if inotify.so is enabled + if ! grep -qFx extension=inotify.so "$PHP_INI" + then + echo "extension=inotify.so" >> "$PHP_INI" + fi + fi fi fi @@ -106,6 +142,39 @@ then ln -s "$ADMINERDIR"/latest.php "$ADMINERDIR"/adminer.php fi +# Cleanup un-used packages +apt autoremove -y +apt autoclean + +# Update GRUB, just in case +update-grub + +# Remove update lists +rm /var/lib/apt/lists/* -r + +# Fix bug in nextcloud.sh +CURRUSR="$(getent group sudo | cut -d: -f4 | cut -d, -f1)" +if grep -q "6.ifcfg.me" $SCRIPTS/wordpress.sh &>/dev/null +then + rm -f "$SCRIPTS/wordpress.sh" + download_script STATIC wordpress + chown "$CURRUSR":"$CURRUSR" "$SCRIPTS/wordpress.sh" + chmod +x "$SCRIPTS/wordpress.sh" +elif [ -f $SCRIPTS/techandme.sh ] +then + rm -f "$SCRIPTS/techandme.sh" + download_script STATIC wordpress + chown "$CURRUSR":"$CURRUSR" "$SCRIPTS/wordpress.sh" + chmod +x "$SCRIPTS/wordpress.sh" + if [ -f /home/"$CURRUSR"/.bash_profile ] + then + sed -i "s|techandme|wordpress|g" /home/"$CURRUSR"/.bash_profile + elif [ -f /home/"$CURRUSR"/.profile ] + then + sed -i "s|techandme|wordpress|g" /home/"$CURRUSR"/.profile + fi +fi + # Check if Wordpress is installed in the regular path or try to find it if [ ! -d "$WPATH" ] then @@ -139,12 +208,12 @@ fi if [ ! -f "$SECURE" ] then mkdir -p "$SCRIPTS" - download_static_script wp-permissions + download_script STATIC wp-permissions + chmod +x "$SECURE" +else + rm "$SECURE" + download_script STATIC wp-permissions chmod +x "$SECURE" - bash "$SECURE" -elif [ -f "$SECURE" ] -then - bash "$SECURE" fi # Upgrade WP-CLI 
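Review bot: `CURRUSR` in the "Fix bug" block is taken as the first member of the `sudo` group and then used unchecked in `chown "$CURRUSR":"$CURRUSR"` and in the `/home/"$CURRUSR"/.bash_profile` paths. If the group has no members the value is empty, so the `chown` has no useful effect and the `sed -i` targets resolve to `/home//…`; if the first member is not the account that uses `$SCRIPTS/wordpress.sh`, ownership goes to the wrong user. A guard such as `[ -n "$CURRUSR" ] && id "$CURRUSR" >/dev/null 2>&1` around the block would make the assumption explicit. `$SCRIPTS` is also unquoted in `grep -q "6.ifcfg.me" $SCRIPTS/wordpress.sh` and `[ -f $SCRIPTS/techandme.sh ]`, unlike the lines that follow.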
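Review bot: After this change the "Set secure permissions" block only downloads `wp-permissions` and marks it executable; both `bash "$SECURE"` calls are removed, so nothing in this hunk applies the permissions any more. Unless the script is invoked further down, outside the hunk, the update leaves file ownership and modes exactly as the upgrade steps left them. The `else` branch also runs `rm "$SECURE"` before `download_script`, so a failed download could leave the host without the hardening script; downloading first and replacing only on success would close that gap.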
@@ -160,18 +229,17 @@ wp_cli_cmd plugin update --all wp_cli_cmd core update-db wp_cli_cmd db optimize print_text_in_color "$ICyan" "This is the current version installed:" -wp_cli_cmd core version --extra - -# Cleanup un-used packages -apt autoremove -y -apt autoclean - -# Update GRUB, just in case -update-grub - -# Write to log -touch /var/log/cronjobs_success.log -echo "WORDPRESS UPDATE success-$(date +%Y-%m-%d_%H:%M)" >> /var/log/cronjobs_success.log +if wp_cli_cmd core version --extra +then + # Write to log + touch "$VMLOGS"/cronjobs_success.log + echo "WORDPRESS UPDATE success-$(date +%Y-%m-%d_%H:%M)" >> "$VMLOGS"/cronjobs_success.log + # Send email + send_mail \ +"Wordpress update finished!" \ +"Please don't shutdown or reboot your server during the update! $(date +%T)" + wp_cli_cmd maintenance-mode deactivate +fi # Un-hash this if you want the system to reboot # reboot From 926c00e84a67a12ead4c1412bc1d2720a0343c1c Mon Sep 17 00:00:00 2001 From: Daniel Hansson Date: Sat, 24 Oct 2020 23:45:08 +0200 Subject: [PATCH 60/86] wording --- static/wordpress_update.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/static/wordpress_update.sh b/static/wordpress_update.sh index 3d3d08e..8b7cceb 100644 --- a/static/wordpress_update.sh +++ b/static/wordpress_update.sh @@ -237,7 +237,7 @@ then # Send email send_mail \ "Wordpress update finished!" \ -"Please don't shutdown or reboot your server during the update! $(date +%T)" +"Please the maintenance mode will now be deactivated. $(date +%T)" wp_cli_cmd maintenance-mode deactivate fi From a007f18851e433742f7b71f95dd88b03abcc2719 Mon Sep 17 00:00:00 2001 From: enoch85 Date: Sat, 24 Oct 2020 23:55:21 +0200 Subject: [PATCH 61/86] wpath Signed-off-by: enoch85 --- static/wordpress_update.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/static/wordpress_update.sh b/static/wordpress_update.sh index 8b7cceb..e0f90ca 100644 --- a/static/wordpress_update.sh +++ b/static/wordpress_update.sh 
@@ -37,6 +37,7 @@ fi # Ubuntu 16.04 is deprecated check_distro_version +cd "$WPATH" send_mail \ "Wordpress update started!" \ "Please don't shutdown or reboot your server during the update! $(date +%T)" From 3fc4a5012869d26df0997910344b844e85339bc8 Mon Sep 17 00:00:00 2001 From: enoch85 Date: Sun, 25 Oct 2020 00:07:28 +0200 Subject: [PATCH 62/86] maintenance mode Signed-off-by: enoch85 --- static/wordpress_update.sh | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/static/wordpress_update.sh b/static/wordpress_update.sh index e0f90ca..c7882cd 100644 --- a/static/wordpress_update.sh +++ b/static/wordpress_update.sh @@ -238,8 +238,11 @@ then # Send email send_mail \ "Wordpress update finished!" \ -"Please the maintenance mode will now be deactivated. $(date +%T)" - wp_cli_cmd maintenance-mode deactivate +"Wordpress update is now complete. Please visit your site to check that everything looks alright. $(date +%T)" + if wp_cli_cmd maintenance-mode status | grep -q "is active" + then + wp_cli_cmd maintenance-mode deactivate + fi fi # Un-hash this if you want the system to reboot From 3667f8c70ea6b8edadcd6bde089dcede7ea827bf Mon Sep 17 00:00:00 2001 From: enoch85 Date: Sun, 25 Oct 2020 00:15:14 +0200 Subject: [PATCH 63/86] nextcloud wordpress Signed-off-by: enoch85 --- addons/smtp-mail.sh | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/addons/smtp-mail.sh b/addons/smtp-mail.sh index 698d113..3a5bc4c 100644 --- a/addons/smtp-mail.sh +++ b/addons/smtp-mail.sh 
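Review bot: The added `cd "$WPATH"` is unchecked and sits above the "Check if Wordpress is installed in the regular path" block that recomputes `WPATH` later in this file, so on an install with a non-default path it fails and the script continues from whatever directory it was started in. `cd "$WPATH" || exit 1`, placed after the path detection, would make the dependency explicit and stop the later relative-path commands from running in the wrong place.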
@@ -5,7 +5,7 @@ # shellcheck disable=2034,2059 true SCRIPT_NAME="SMTP Relay with msmtp" -SCRIPT_EXPLAINER="This script will setup an SMTP Relay (Mail Server) in your Nextcloud Server \ +SCRIPT_EXPLAINER="This script will setup an SMTP Relay (Mail Server) in your Wordpress Server \ that will be used to send emails about failed cronjob's and such." # shellcheck source=lib.sh source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) @@ -144,7 +144,7 @@ fi # Check if auth should be set or not if [ -z "$MAIL_USERNAME" ] then - MAIL_USERNAME="no-reply@nextcloudvm.com" + MAIL_USERNAME="no-reply@hanssonit.com" # Without AUTH (Username and Password) cat << MSMTP_CONF > /etc/msmtprc @@ -166,7 +166,7 @@ from $MAIL_USERNAME account default : $MAIL_USERNAME -### DO NOT REMOVE THIS LINE (it's used in one of the functions in on the Nextcloud Server) +### DO NOT REMOVE THIS LINE (it's used in one of the functions in on the Wordpress Server) # recipient=$RECIPIENT MSMTP_CONF else @@ -192,7 +192,7 @@ password $MAIL_PASSWORD account default : $MAIL_USERNAME -### DO NOT REMOVE THIS LINE (it's used in one of the functions in on the Nextcloud Server) +### DO NOT REMOVE THIS LINE (it's used in one of the functions in on the Wordpress Server) # recipient=$RECIPIENT MSMTP_CONF @@ -226,8 +226,8 @@ $(grep -v password /etc/msmtprc) ------------------------------------------- Best regards -The NcVM team -https://nextcloudvm.com" +The Wordpress VM team +https://www.hanssonit.com" # Define the mail-program echo 'set sendmail="/usr/bin/msmtp -t"' > /etc/mail.rc From 968d9ad0379c60c83fb2a2938cd6503f007b633d Mon Sep 17 00:00:00 2001 From: enoch85 Date: Sun, 25 Oct 2020 08:51:25 +0100 Subject: [PATCH 64/86] fix source 
Signed-off-by: enoch85 --- static/change-root-profile.sh | 2 +- static/change-wordpress-profile.sh | 2 +- static/new_etc_mycnf.sh | 2 +- static/static_ip.sh | 2 +- static/test_connection.sh | 2 +- static/update.sh | 2 +- static/wordpress_update.sh | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/static/change-root-profile.sh b/static/change-root-profile.sh index 9bc1af0..5add304 100644 --- a/static/change-root-profile.sh +++ b/static/change-root-profile.sh @@ -5,7 +5,7 @@ # shellcheck disable=2034,2059 true # shellcheck source=lib.sh -. <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) +source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) # Check for errors + debug code and abort if something isn't right # 1 = ON diff --git a/static/change-wordpress-profile.sh b/static/change-wordpress-profile.sh index e1649c9..29f7a84 100644 --- a/static/change-wordpress-profile.sh +++ b/static/change-wordpress-profile.sh @@ -5,7 +5,7 @@ # shellcheck disable=2034,2059 true # shellcheck source=lib.sh -. <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) +source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) # Check for errors + debug code and abort if something isn't right # 1 = ON diff --git a/static/new_etc_mycnf.sh b/static/new_etc_mycnf.sh index 37feb5a..a2ee1e3 100644 --- a/static/new_etc_mycnf.sh +++ b/static/new_etc_mycnf.sh @@ -2,7 +2,7 @@ # shellcheck disable=2034,2059 true # shellcheck source=lib.sh -. <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) +source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) # Check for errors + debug code and abort if something isn't right # 1 = ON 
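Review bot: The fallback `source <(curl -sL …/20.04_testing/lib.sh)` on the added line still executes whatever the branch tip serves, in scripts that are meant to run as root, with no integrity check; without `-f`, an HTTP error body is handed to `source` as if it were the library. Preferring the local `/var/scripts/fetch_lib.sh` narrows the exposure, but the `||` also fires when the local file exists and merely ends with a non-zero status, which then sources the remote copy on top of it. `curl -fsSL` and a URL pinned to a tag or commit would make the fallback predictable. The same line is added in change-wordpress-profile.sh, new_etc_mycnf.sh, static_ip.sh, test_connection.sh, update.sh and wordpress_update.sh in this commit.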
diff --git a/static/static_ip.sh b/static/static_ip.sh index 5f55018..aeb6545 100644 --- a/static/static_ip.sh +++ b/static/static_ip.sh @@ -5,7 +5,7 @@ # shellcheck disable=2034,2059 true # shellcheck source=lib.sh -FIRST_IFACE=1 . <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) +FIRST_IFACE=1 source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) unset FIRST_IFACE # Check for errors + debug code and abort if something isn't right diff --git a/static/test_connection.sh b/static/test_connection.sh index 200e961..098add6 100644 --- a/static/test_connection.sh +++ b/static/test_connection.sh @@ -2,7 +2,7 @@ # shellcheck disable=2034,2059 true # shellcheck source=lib.sh -. <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) +source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) # T&M Hansson IT AB © - 2019, https://www.hanssonit.se/ diff --git a/static/update.sh b/static/update.sh index cc7ea23..cb934cd 100644 --- a/static/update.sh +++ b/static/update.sh @@ -5,7 +5,7 @@ # shellcheck disable=2034,2059 true # shellcheck source=lib.sh -. <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) +source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) # Check for errors + debug code and abort if something isn't right # 1 = ON diff --git a/static/wordpress_update.sh b/static/wordpress_update.sh index c7882cd..ed7bf36 100644 --- a/static/wordpress_update.sh +++ b/static/wordpress_update.sh 
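Review bot: In the static_ip.sh hunk the `FIRST_IFACE=1` prefix binds only to the first `source`; the fallback after `||` runs without it, so the two ways of loading lib.sh are not equivalent. Judging by the lib.sh changes earlier in this series the variable may no longer be read at all, in which case the prefix and the following `unset FIRST_IFACE` could simply be dropped. If it is still needed, `export FIRST_IFACE=1` on its own line before the `source … || source …` covers both branches.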
@@ -5,7 +5,7 @@ # shellcheck disable=2034,2059 true # shellcheck source=lib.sh -. <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) +source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) # Check for errors + debug code and abort if something isn't right # 1 = ON From 73cac37b487ff20ece6f3267a12896348bb351ce Mon Sep 17 00:00:00 2001 From: enoch85 Date: Sun, 25 Oct 2020 08:52:40 +0100 Subject: [PATCH 65/86] remove scripts Signed-off-by: enoch85 --- static/test_connection.sh | 21 --------------------- 1 file changed, 21 deletions(-) delete mode 100644 static/test_connection.sh diff --git a/static/test_connection.sh b/static/test_connection.sh deleted file mode 100644 index 098add6..0000000 --- a/static/test_connection.sh +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# shellcheck disable=2034,2059 -true -# shellcheck source=lib.sh -source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) - -# T&M Hansson IT AB © - 2019, https://www.hanssonit.se/ - -# Check for errors + debug code and abort if something isn't right -# 1 = ON -# 0 = OFF -DEBUG=0 -debug_mode - -$WGET -q --tries=20 --timeout=10 http://www.google.com -O /tmp/google.idx &> /dev/null -if [ ! -s /tmp/google.idx ] -then - printf "${Red}Not Connected!${Color_Off}\n" -else - printf "Connected!\n" -fi From 71d5aa49d34dfd2a98646c7ccb122a29f770935f Mon Sep 17 00:00:00 2001 From: enoch85 Date: Sun, 25 Oct 2020 09:04:16 +0100 Subject: [PATCH 66/86] improve wp_cli_cmd Signed-off-by: enoch85 --- lib.sh | 33 ++++++++++++++++++++++++++++-- static/update.sh | 2 +- static/wordpress_update.sh | 41 +++++--------------------------------- 3 files changed, 37 insertions(+), 39 deletions(-) diff --git a/lib.sh b/lib.sh index c89f29f..fd59813 100644 --- a/lib.sh +++ b/lib.sh 
@@ -331,8 +331,37 @@ something is wrong here. Please report this to $ISSUES" } wp_cli_cmd() { -export WP_CLI_CACHE_DIR=$WPATH/.wp-cli/cache -check_command sudo -u www-data /usr/local/bin/wp "$@"; +# Check if Wordpress is installed in the regular path or try to find it +if [ ! -d "$WPATH" ] +then + WPATH="/var/www/$(find /var/www/* -type d | grep wp | head -1 | cut -d "/" -f4)" + export WPATH + if [ ! -d "$WPATH"/wp-admin ] + then + WPATH="/var/www/$(find /var/www/* -type d | grep wp | tail -1 | cut -d "/" -f4)" + export WPATH + if [ ! -d "$WPATH"/wp-admin ] + then + WPATH="/var/www/html/$(find /var/www/html/* -type d | grep wp | head -1 | cut -d "/" -f5)" + export WPATH + if [ ! -d "$WPATH"/wp-admin ] + then + WPATH="/var/www/html/$(find /var/www/html/* -type d | grep wp | tail -1 | cut -d "/" -f5)" + export WPATH + if [ ! -d "$WPATH"/wp-admin ] + then + msg_box "Wordpress doesn't seem to be installed in the regular path. We tried to find it, but didn't succeed. + +The script will now exit." + exit 1 + fi + fi + fi + fi +fi +# If everytthing seems OK, then run wp cli +export WP_CLI_CACHE_DIR="$WPATH/.wp-cli/cache" +check_command sudo -u www-data /usr/local/bin/wp --path="$WPATH" "$@"; } # Check if process is runnnig: is_process_running dpkg diff --git a/static/update.sh b/static/update.sh index cb934cd..657d60f 100644 --- a/static/update.sh +++ b/static/update.sh @@ -5,7 +5,7 @@ # shellcheck disable=2034,2059 true # shellcheck source=lib.sh -source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) +source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) # Check for errors + debug code and abort if something isn't right # 1 = ON diff --git a/static/wordpress_update.sh b/static/wordpress_update.sh index ed7bf36..db718c2 100644 --- a/static/wordpress_update.sh +++ b/static/wordpress_update.sh 
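Review bot: The fallback search added to `wp_cli_cmd` takes any directory under `/var/www` whose path contains the string `wp` (`find … | grep wp | head -1`) and only afterwards tests for `wp-admin`, repeated four times with `head`/`tail` and two roots. A backup folder or another site's `wp-content` can be picked up first, and when `find` prints nothing `WPATH` becomes `/var/www/`; because the result is exported and passed to `wp --path=…`, searching for the `wp-admin` directory itself is both shorter and harder to misdirect. The lookup also runs on every call, and `exit 1` inside a library function ends the calling script. A narrower lookup is sketched below.
```shell
wp_cli_cmd() {
# Locate the install by its wp-admin directory instead of any path containing "wp"
if [ ! -d "$WPATH"/wp-admin ]
then
    local candidate
    candidate="$(find /var/www -maxdepth 3 -type d -name wp-admin -print -quit)"
    if [ -z "$candidate" ]
    then
msg_box "Wordpress doesn't seem to be installed in the regular path. We tried to find it, but didn't succeed.

The script will now exit."
        exit 1
    fi
    WPATH="${candidate%/wp-admin}"
    export WPATH
fi
# … unchanged: WP_CLI_CACHE_DIR export and check_command call …
```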
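Review bot: The update.sh hunk removes the local-first `source /var/scripts/fetch_lib.sh ||` that was introduced two commits earlier, and the commit message ("improve wp_cli_cmd") does not explain why; the first wordpress_update.sh hunk in this commit does the same. Both updaters therefore load lib.sh straight from the `20.04_testing` branch tip on every run again. If that is deliberate, for instance because wordpress_update.sh downloads fetch_lib.sh itself further down, a comment above the `source` line saying so, such as `# always load the latest lib.sh: this script refreshes fetch_lib.sh itself`, would stop the next cleanup from re-adding the fallback.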
@@ -5,7 +5,7 @@ # shellcheck disable=2034,2059 true # shellcheck source=lib.sh -source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) +source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) # Check for errors + debug code and abort if something isn't right # 1 = ON @@ -37,12 +37,6 @@ fi # Ubuntu 16.04 is deprecated check_distro_version -cd "$WPATH" -send_mail \ -"Wordpress update started!" \ -"Please don't shutdown or reboot your server during the update! $(date +%T)" -wp_cli_cmd maintenance-mode activate - # Hold PHP if Ondrejs PPA is used print_text_in_color "$ICyan" "Fetching latest packages with apt..." apt update -q4 & spinner_loading @@ -176,34 +170,10 @@ then fi fi -# Check if Wordpress is installed in the regular path or try to find it -if [ ! -d "$WPATH" ] -then - WPATH="/var/www/$(find /var/www/* -type d | grep wp | head -1 | cut -d "/" -f4)" - export WPATH - if [ ! -d "$WPATH"/wp-admin ] - then - WPATH="/var/www/$(find /var/www/* -type d | grep wp | tail -1 | cut -d "/" -f4)" - export WPATH - if [ ! -d "$WPATH"/wp-admin ] - then - WPATH="/var/www/html/$(find /var/www/html/* -type d | grep wp | head -1 | cut -d "/" -f5)" - export WPATH - if [ ! -d "$WPATH"/wp-admin ] - then - WPATH="/var/www/html/$(find /var/www/html/* -type d | grep wp | tail -1 | cut -d "/" -f5)" - export WPATH - if [ ! -d "$WPATH"/wp-admin ] - then -msg_box "Wordpress doesn't seem to be installed in the regular path. We tried to find it, but didn't succeed. - -The script will now exit." - exit 1 - fi - fi - fi - fi -fi +send_mail \ +"Wordpress update started!" \ +"Please don't shutdown or reboot your server during the update! $(date +%T)" +wp_cli_cmd maintenance-mode activate # Set secure permissions if [ ! -f "$SECURE" ] 
@@ -221,7 +191,6 @@ fi wp cli update # Upgrade Wordpress and apps -cd "$WPATH" wp_cli_cmd db export mysql_backup.sql mv "$WPATH"/mysql_backup.sql /var/www/mysql_backup.sql chown root:root /var/www/mysql_backup.sql From 77b0155e0a1ef8f155aa138acdb02ebaafc36bed Mon Sep 17 00:00:00 2001 From: enoch85 Date: Sun, 25 Oct 2020 09:12:39 +0100 Subject: [PATCH 67/86] improve wp_cli_cmd Signed-off-by: enoch85 --- lib.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/lib.sh b/lib.sh index fd59813..f3d75a7 100644 --- a/lib.sh +++ b/lib.sh @@ -360,8 +360,11 @@ The script will now exit." fi fi # If everytthing seems OK, then run wp cli +cd "$WPATH" export WP_CLI_CACHE_DIR="$WPATH/.wp-cli/cache" check_command sudo -u www-data /usr/local/bin/wp --path="$WPATH" "$@"; +# Go back to user dir +cd } # Check if process is runnnig: is_process_running dpkg From 37d9471d3b6a01f64be87b163f30e8503d256dd9 Mon Sep 17 00:00:00 2001 From: enoch85 Date: Sun, 25 Oct 2020 09:16:50 +0100 Subject: [PATCH 68/86] set maintenance earlier Signed-off-by: enoch85 --- static/wordpress_update.sh | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/static/wordpress_update.sh b/static/wordpress_update.sh index db718c2..0e40580 100644 --- a/static/wordpress_update.sh +++ b/static/wordpress_update.sh @@ -37,6 +37,11 @@ fi # Ubuntu 16.04 is deprecated check_distro_version +send_mail \ +"Wordpress update started!" \ +"Please don't shutdown or reboot your server during the update! $(date +%T)" +wp_cli_cmd maintenance-mode activate + # Hold PHP if Ondrejs PPA is used print_text_in_color "$ICyan" "Fetching latest packages with apt..." apt update -q4 & spinner_loading @@ -170,11 +175,6 @@ then fi fi -send_mail \ -"Wordpress update started!" \ -"Please don't shutdown or reboot your server during the update! $(date +%T)" -wp_cli_cmd maintenance-mode activate - # Set secure permissions if [ ! -f "$SECURE" ] then From c9ce5c66216fba0becc626854de12596da959d33 Mon Sep 17 00:00:00 2001 
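Review bot: The `cd "$WPATH"` added to `wp_cli_cmd` is unchecked, and the trailing bare `cd` sends the caller to `$HOME` rather than back to the directory it came from, so every `wp_cli_cmd` call changes the calling script's working directory as a side effect. Any relative path used after the call then resolves under root's home directory. `cd "$WPATH" || exit 1` before the call and `cd "$OLDPWD" || exit 1` after it would preserve the caller's directory. `wp_cli_cmd` begins outside this hunk.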
From: enoch85 Date: Sun, 25 Oct 2020 09:25:37 +0100 Subject: [PATCH 69/86] fix adminer Signed-off-by: enoch85 --- apps/adminer.sh | 8 ++------ lib.sh | 2 +- 2 files changed, 3 insertions(+), 7 deletions(-) diff --git a/apps/adminer.sh b/apps/adminer.sh index 1d64ebe..acb8d2b 100644 --- a/apps/adminer.sh +++ b/apps/adminer.sh @@ -27,10 +27,9 @@ else # Ask for removal or reinstallation reinstall_remove_menu "$SCRIPT_NAME" # Removal - check_external_ip # Check that the script can see the external IP (apache fails otherwise) + check_command apt-get purge adminer -y rm -f $ADMINER_CONF rm -rf $ADMINERDIR - check_command apt-get purge adminer -y restart_webserver # Show successful uninstall if applicable removal_popup "$SCRIPT_NAME" @@ -130,10 +129,7 @@ server { } ADMINER_CREATE -# Enable config -ln -s /etc/nginx/sites-available/adminer.conf /etc/nginx/sites-enabled/adminer.conf - -if ! service nginx restart +if ! systemctl restart nginx.service then msg_box "Nginx could not restart... The script will exit." diff --git a/lib.sh b/lib.sh index f3d75a7..504d5a1 100644 --- a/lib.sh +++ b/lib.sh @@ -146,7 +146,7 @@ PHP_FPM_SOCK=/var/run/php"$PHPVER"-fpm-wordpress.sock # Adminer ADMINERDIR=/usr/share/adminer -ADMINER_CONF="$SITES_AVAILABLE/adminer.conf" +ADMINER_CONF="$SITES_ENABLED/adminer.conf" # Redis REDIS_CONF=/etc/redis/redis.conf From 06038a01a0d7a43fb9a6b16475f5ad398b49a6a4 Mon Sep 17 00:00:00 2001 From: enoch85 Date: Sun, 25 Oct 2020 09:45:37 +0100 Subject: [PATCH 70/86] fix netdata Signed-off-by: enoch85 --- apps/netdata.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/apps/netdata.sh b/apps/netdata.sh index 21fb078..4f7e154 100644 --- a/apps/netdata.sh +++ b/apps/netdata.sh @@ -30,6 +30,7 @@ then sudo -u regular_user sudo bash $SCRIPTS/menu.sh Then choose Additional Apps --> Netdata" + exit 1 fi # Check if netdata is already installed From 2a54b9ce429bbcc7dbb46cdf4a08c125525e1561 Mon Sep 17 00:00:00 2001 
From: enoch85 Date: Sun, 25 Oct 2020 10:11:41 +0100 Subject: [PATCH 71/86] travis Signed-off-by: enoch85 --- apps/fail2ban.sh | 1 - wordpress_install.sh | 15 +++++++-------- 2 files changed, 7 insertions(+), 9 deletions(-) diff --git a/apps/fail2ban.sh b/apps/fail2ban.sh index 23972fb..bb3a3aa 100644 --- a/apps/fail2ban.sh +++ b/apps/fail2ban.sh @@ -55,7 +55,6 @@ install_if_not fail2ban check_command update-rc.d fail2ban disable # Install WP-Fail2ban and activate conf -cd $WPATH wp_cli_cmd plugin install wp-fail2ban --activate curl https://plugins.svn.wordpress.org/wp-fail2ban/trunk/filters.d/wordpress-hard.conf > /etc/fail2ban/filter.d/wordpress.conf diff --git a/wordpress_install.sh b/wordpress_install.sh index d27d566..bb09f0f 100644 --- a/wordpress_install.sh +++ b/wordpress_install.sh @@ -388,7 +388,7 @@ then fi # Create wp-cli.yml -touch $WPATH/wp-cli.yml +touch "$WPATH/wp-cli.yml" cat << YML_CREATE > "$WPATH/wp-cli.yml" nginx_modules: - mod_rewrite @@ -398,8 +398,7 @@ YML_CREATE wp_cli_cmd --info # Download Wordpress -cd "$WPATH" -check_command wp_cli_cmd core download --force --debug --path="$WPATH" +check_command wp_cli_cmd core download --force --debug # Populate DB mysql -uroot -p"$MARIADB_PASS" < $WPATH/wp-content/uploads/.htaccess <<'EOL' +cat > "$WPATH/wp-content/uploads/.htaccess" <<'EOL' # Protect this file Order Deny,Allow @@ -498,7 +497,7 @@ echo "RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]" echo "RewriteRule ^wp-includes/theme-compat/ - [F,L]" echo "# RewriteRule ^wp-includes/* - [F,L]" # Block EVERYTHING echo "" -} >> $WPATH/.htaccess +} >> "$WPATH/.htaccess" # Set up a php-fpm pool with a unixsocket cat << POOL_CONF > "$PHP_POOL_DIR"/wordpress.conf 
@@ -533,9 +532,9 @@ mv "$PHP_POOL_DIR"/www.conf "$PHP_POOL_DIR"/www.conf.backup restart_webserver # Force wp-cron.php (updates WooCommerce Services and run Scheluded Tasks) -if [ -f $WPATH/wp-cron.php ] +if [ -f "$WPATH/wp-cron.php" ] then - chmod +x $WPATH/wp-cron.php + chmod +x "$WPATH/wp-cron.php" crontab -u www-data -l | { cat; echo "14 */1 * * * php -f $WPATH/wp-cron.php > /dev/null 2>&1"; } | crontab -u www-data - fi From 4a8df8f2d09b7dbe65972067a09d07803124ef12 Mon Sep 17 00:00:00 2001 From: enoch85 Date: Sun, 25 Oct 2020 10:15:51 +0100 Subject: [PATCH 72/86] fail2ban Signed-off-by: enoch85 --- apps/fail2ban.sh | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/apps/fail2ban.sh b/apps/fail2ban.sh index bb3a3aa..e715adf 100644 --- a/apps/fail2ban.sh +++ b/apps/fail2ban.sh @@ -36,6 +36,7 @@ else fail2ban-client unban --all check_command apt-get purge fail2ban -y rm -Rf /etc/fail2ban/ + wp_cli_cmd plugin remove wp-fail2ban # Show successful uninstall if applicable removal_popup "$SCRIPT_NAME" fi @@ -58,7 +59,7 @@ check_command update-rc.d fail2ban disable wp_cli_cmd plugin install wp-fail2ban --activate curl https://plugins.svn.wordpress.org/wp-fail2ban/trunk/filters.d/wordpress-hard.conf > /etc/fail2ban/filter.d/wordpress.conf -if [ ! -f $AUTHLOG ] +if [ ! -f "$AUTHLOG" ] then print_text_in_color "$IRed" "$AUTHLOG not found" exit 1 @@ -76,12 +77,12 @@ cat << FCONF > /etc/fail2ban/jail.d/wordpress.conf ignoreip = 127.0.0.1/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 # "bantime" is the number of seconds that a host is banned. -bantime = $BANTIME_ +bantime = "$BANTIME_" # A host is banned if it has generated "maxretry" during the last "findtime" # seconds. -findtime = $FINDTIME_ -maxretry = $MAXRETRY_ +findtime = "$FINDTIME_" +maxretry = "$MAXRETRY_" # # ACTIONS @@ -101,7 +102,7 @@ action = %(action_)s [sshd] enabled = true -maxretry = $MAXRETRY_ +maxretry = "$MAXRETRY_" # # HTTP servers 
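Review bot: The double quotes added around `$BANTIME_`, `$FINDTIME_` and `$MAXRETRY_` in the `@@ -76,12 +77,12 @@` hunk sit inside the `cat << FCONF` here-document, where the shell keeps them, so jail.d/wordpress.conf is written with literal quotes (`bantime = "<value>"`). fail2ban is likely to reject or misread quoted numeric and path values, which would leave the jail without working limits; expansions in a here-document body need no quoting, so `bantime = $BANTIME_` is the correct form. The same applies to the `[sshd]` hunk and to the `logpath`/`maxretry`/`findtime`/`bantime` lines in the `@@ -111,10 +112,10 @@` hunk. The here-document starts outside these hunks.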
@@ -111,10 +112,10 @@ maxretry = $MAXRETRY_ enabled = true port = http,https filter = wordpress -logpath = $AUTHLOG -maxretry = $MAXRETRY_ -findtime = $FINDTIME_ -bantime = $BANTIME_ +logpath = "$AUTHLOG" +maxretry = "$MAXRETRY_" +findtime = "$FINDTIME_" +bantime = "$BANTIME_" FCONF # Update settings From d3bd1081a5b5e33cd305f9876b025ea6a98861d9 Mon Sep 17 00:00:00 2001 From: enoch85 Date: Sun, 25 Oct 2020 10:17:07 +0100 Subject: [PATCH 73/86] fail2ban Signed-off-by: enoch85 --- apps/fail2ban.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apps/fail2ban.sh b/apps/fail2ban.sh index e715adf..0f55030 100644 --- a/apps/fail2ban.sh +++ b/apps/fail2ban.sh @@ -36,7 +36,7 @@ else fail2ban-client unban --all check_command apt-get purge fail2ban -y rm -Rf /etc/fail2ban/ - wp_cli_cmd plugin remove wp-fail2ban + wp_cli_cmd plugin delete wp-fail2ban # Show successful uninstall if applicable removal_popup "$SCRIPT_NAME" fi From e75c7db0454050a7cc36c49e6dd87b3c3d07608e Mon Sep 17 00:00:00 2001 From: enoch85 Date: Sun, 25 Oct 2020 10:22:05 +0100 Subject: [PATCH 74/86] fail2ban Signed-off-by: enoch85 --- apps/fail2ban.sh | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/apps/fail2ban.sh b/apps/fail2ban.sh index 0f55030..1d56152 100644 --- a/apps/fail2ban.sh +++ b/apps/fail2ban.sh @@ -34,6 +34,7 @@ else # Removal print_text_in_color "$ICyan" "Unbanning all currently blocked IPs..." fail2ban-client unban --all + check_command update-rc.d fail2ban disable check_command apt-get purge fail2ban -y rm -Rf /etc/fail2ban/ wp_cli_cmd plugin delete wp-fail2ban 
@@ -77,12 +78,12 @@ cat << FCONF > /etc/fail2ban/jail.d/wordpress.conf ignoreip = 127.0.0.1/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 # "bantime" is the number of seconds that a host is banned. -bantime = "$BANTIME_" +bantime = $BANTIME_ # A host is banned if it has generated "maxretry" during the last "findtime" # seconds. -findtime = "$FINDTIME_" -maxretry = "$MAXRETRY_" +findtime = $FINDTIME_ +maxretry = $MAXRETRY_ # # ACTIONS @@ -102,7 +103,7 @@ action = %(action_)s [sshd] enabled = true -maxretry = "$MAXRETRY_" +maxretry = $MAXRETRY_ # # HTTP servers @@ -112,10 +113,10 @@ maxretry = "$MAXRETRY_" enabled = true port = http,https filter = wordpress -logpath = "$AUTHLOG" -maxretry = "$MAXRETRY_" -findtime = "$FINDTIME_" -bantime = "$BANTIME_" +logpath = $AUTHLOG +maxretry = $MAXRETRY_ +findtime = $FINDTIME_ +bantime = $BANTIME_ FCONF # Update settings From ecf2c3995943fcd3131c2d8b2d6db41629553e86 Mon Sep 17 00:00:00 2001 From: enoch85 Date: Sun, 25 Oct 2020 10:36:14 +0100 Subject: [PATCH 75/86] fix maria db repo Signed-off-by: enoch85 --- static/nginx.conf | 2 +- wordpress_install.sh | 7 +++++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/static/nginx.conf b/static/nginx.conf index 4242717..338dd94 100644 --- a/static/nginx.conf +++ b/static/nginx.conf @@ -36,7 +36,7 @@ http { # SSL Settings ## - ssl_early_data on; + ssl_early_data off; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; ssl_prefer_server_ciphers on; diff --git a/wordpress_install.sh b/wordpress_install.sh index bb09f0f..934fc00 100644 --- a/wordpress_install.sh +++ b/wordpress_install.sh 
@@ -209,9 +209,12 @@ echo "password='$MARIADB_PASS'" chmod 0600 $MYCNF chown root:root $MYCNF -# Install MARIADB +# Install MariDB repos install_if_not software-properties-common curl -LsS https://downloads.mariadb.com/MariaDB/mariadb_repo_setup | sudo bash -s -- --mariadb-server-version="mariadb-10.5" --skip-maxscale +# Avoid i386 since we use x64 +sed -i "s|deb http|deb [arch=amd64] http|g" /etc/apt/sources.list.d/mariadb.list +# USed debconf to install it sudo debconf-set-selections <<< "mariadb-server-10.5 mysql-server/root_password password $MARIADB_PASS" sudo debconf-set-selections <<< "mariadb-server-10.5 mysql-server/root_password_again password $MARIADB_PASS" apt update -q4 & spinner_loading @@ -263,7 +266,7 @@ sudo systemctl enable nginx.service # Download TLSv 1.3 modified nginx.conf rm -f /etc/nginx/nginx.conf -curl_to_dir $STATIC nginx.conf /etc/nginx/ +curl_to_dir "$STATIC" nginx.conf /etc/nginx/ # Install PHP 7.4 apt install -y \ From 6b832f0dd54e17b5184f0787e9576b2b743ae5d5 Mon Sep 17 00:00:00 2001 From: enoch85 Date: Sun, 25 Oct 2020 11:17:09 +0100 Subject: [PATCH 76/86] use unix socket for mariadb Signed-off-by: enoch85 --- apps/adminer.sh | 4 ++-- lib.sh | 1 - static/change_db_pass.sh | 14 +++++++------- static/instruction.sh | 4 ++-- static/wordpress.sh | 7 ++++--- wordpress_install.sh | 14 -------------- 6 files changed, 15 insertions(+), 29 deletions(-) diff --git a/apps/adminer.sh b/apps/adminer.sh index acb8d2b..f9ab8e0 100644 --- a/apps/adminer.sh +++ b/apps/adminer.sh 
@@ -137,9 +137,9 @@ The script will exit." else msg_box "Adminer was sucessfully installed and can be reached here: http://$ADDRESS:81 -You can download more plugins and get more information here: +You can download more plugins and get more information here: https://www.adminer.org -Your MariaDB connection information can be found in /root/.my.cnf +Your MariaDB connection information can be found in $WPATH/wp-config.php In case you try to access Adminer and get 'Forbidden' you need to change the IP in: $ADMINER_CONF" fi diff --git a/lib.sh b/lib.sh index 504d5a1..9ac234b 100644 --- a/lib.sh +++ b/lib.sh @@ -106,7 +106,6 @@ WPDBPASS=$(tr -dc "a-zA-Z0-9@#*=" < /dev/urandom | fold -w "$SHUF" | head -n 1) NEWMARIADBPASS=$(tr -dc "a-zA-Z0-9@#*=" < /dev/urandom | fold -w "$SHUF" | head -n 1) WPDBUSER=wordpress_db_user WPADMINPASS=$(tr -dc "a-zA-Z0-9@#*=" < /dev/urandom | fold -w "$SHUF" | head -n 1) -MYCNF=/root/.my.cnf wpdb() { WPCONFIGDB=$(grep "DB_PASSWORD" /var/www/html/wordpress/wp-config.php | awk '{print $3}' | cut -d "'" -f2) } diff --git a/static/change_db_pass.sh b/static/change_db_pass.sh index 4ee06ac..c3ed685 100644 --- a/static/change_db_pass.sh +++ b/static/change_db_pass.sh @@ -18,14 +18,14 @@ DEBUG=0 debug_mode # Change MARIADB Password -if mysqladmin -u root -p"$MARIADBMYCNFPASS" password "$NEWMARIADBPASS" > /dev/null 2>&1 +if mysqladmin -u root password "$NEWMARIADBPASS" > /dev/null 2>&1 then - print_text_in_color "$IGreen" "Your new MARIADB root password is: $NEWMARIADBPASS" - cat << LOGIN > "$MYCNF" -[client] -password='$NEWMARIADBPASS' -LOGIN - chmod 0600 $MYCNF + msg_box "Your new MARIADB root password is: $NEWMARIADBPASS +Please keep it somewhere safe. + +To login to MariaDB,, simply type 'mysql -u root' from your CLI. +Authentication happens with the UNIX socket. In other words, +no password is needed as long as you have access to the root account" exit 0 else print_text_in_color "$IRed" "Changing MARIADB root password failed." 
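Review bot: In `static/change_db_pass.sh`, `mysqladmin -u root password "$NEWMARIADBPASS"` puts the new root password on the command line, where any local user can read it from the process list while the command runs. Feeding the statement on stdin avoids that, for example `mysql -u root <<< "SET PASSWORD FOR 'root'@'localhost' = PASSWORD('$NEWMARIADBPASS');"`. The `> /dev/null 2>&1` also hides the reason when the change fails, so the error branch can only report a generic failure. The new message text has a doubled comma (`MariaDB,,`).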
diff --git a/static/instruction.sh b/static/instruction.sh index e14f8a7..3562fcf 100644 --- a/static/instruction.sh +++ b/static/instruction.sh @@ -7,7 +7,7 @@ cat << WELCOME +-----------------------------------------------------------------------+ |Thank you for downloading this Wordpress VM made by T&M Hansson IT AB! | | | -|This WordPress appliance comes with PHP 7.2, NGINX and Redis Cache for | +|This WordPress appliance comes with PHP 7.4, NGINX and Redis Cache for | |best performance. The site(s) load very fast! | | | |In order to configure everything you have to run the setup script | @@ -15,7 +15,7 @@ cat << WELCOME | | |Complete instructions can be found here: https://bit.ly/2E5fbUn | | | -|If you have any questions please email me: daniel@hanssonit.se | +|If you have any questions please email us: github@hanssonit.se | +-----------------------------------------------------------------------+ WELCOME diff --git a/static/wordpress.sh b/static/wordpress.sh index 4ceb20c..ef08c62 100644 --- a/static/wordpress.sh +++ b/static/wordpress.sh @@ -19,9 +19,10 @@ echo "LAN IPv4: $ADDRESS" echo echo "Wordpress Login:" echo "$WPADMINUSER" -echo "WP PASS: 'grep WP PASS: /var/adminpass.txt'" +echo "Type this in your CLI to get the password:" +echo "grep 'WP PASS:' /var/adminpass.txt" echo echo "MySQL/MariaDB:" -echo "USER: root" -echo "PASS: 'cat /root/.my.cnf'" +echo "Login happens with the OS root account." +echo "Simply type 'mysql -u root' from your CLI" echo diff --git a/wordpress_install.sh b/wordpress_install.sh index 934fc00..6734b93 100644 --- a/wordpress_install.sh +++ b/wordpress_install.sh 
@@ -201,14 +201,6 @@ done #install_if_not geoip-database #install_if_not libgeoip1 -# Write MARIADB pass to file and keep it safe -{ -echo "[client]" -echo "password='$MARIADB_PASS'" -} > "$MYCNF" -chmod 0600 $MYCNF -chown root:root $MYCNF - # Install MariDB repos install_if_not software-properties-common curl -LsS https://downloads.mariadb.com/MariaDB/mariadb_repo_setup | sudo bash -s -- --mariadb-server-version="mariadb-10.5" --skip-maxscale @@ -220,12 +212,6 @@ sudo debconf-set-selections <<< "mariadb-server-10.5 mysql-server/root_password_ apt update -q4 & spinner_loading install_if_not mariadb-server-10.5 -# Prepare for Wordpress installation -# https://blog.v-gar.de/2017/02/en-solved-error-1698-28000-in-mysqlmariadb/ -mysql -u root mysql -p"$MARIADB_PASS" -e "UPDATE user SET plugin='' WHERE user='root';" -mysql -u root mysql -p"$MARIADB_PASS" -e "UPDATE user SET password=PASSWORD('$MARIADB_PASS') WHERE user='root';" -mysql -u root -p"$MARIADB_PASS" -e "flush privileges;" - # mysql_secure_installation install_if_not expect SECURE_MYSQL=$(expect -c " From 78cbe97e69d59460fc9ce402e8cddddeedec442e Mon Sep 17 00:00:00 2001 From: enoch85 Date: Sun, 25 Oct 2020 11:25:14 +0100 Subject: [PATCH 77/86] fix path Signed-off-by: enoch85 --- wordpress_install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/wordpress_install.sh b/wordpress_install.sh index 6734b93..6f578e0 100644 --- a/wordpress_install.sh +++ b/wordpress_install.sh @@ -429,7 +429,7 @@ chown wordpress:wordpress /var/adminpass.txt curl_to_dir "$STATIC" welcome.txt "$SCRIPTS" sed -i "s|wordpress_user_login|$WPADMINUSER|g" "$SCRIPTS"/welcome.txt sed -i "s|wordpress_password_login|$WPADMINPASS|g" "$SCRIPTS"/welcome.txt -wp_cli_cmd post create ./welcome.txt --post_title='T&M Hansson IT AB - Welcome' --post_status=publish +wp_cli_cmd post create "$SCRIPTS"/welcome.txt --post_title='T&M Hansson IT AB - Welcome' --post_status=publish rm -f "$SCRIPTS"/welcome.txt wp_cli_cmd post delete 1 --force 
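Review bot: In the `@@ -429` hunk, `$WPADMINPASS` is substituted into `welcome.txt` and that file is then published with `--post_status=publish`. If the template contains the `wordpress_password_login` placeholder, the admin password ends up in a post any visitor can read. Either drop the password `sed` line or create the post with `--post_status=private`. The template itself is not visible here, so confirm what it contains before deciding.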
From fc99b1690f8e837022509ac50f2599a7bd085bcc Mon Sep 17 00:00:00 2001 From: enoch85 Date: Sun, 25 Oct 2020 11:28:27 +0100 Subject: [PATCH 78/86] fix more bugs Signed-off-by: enoch85 --- lib.sh | 6 ------ static/change_db_pass.sh | 4 ---- 2 files changed, 10 deletions(-) diff --git a/lib.sh b/lib.sh index 9ac234b..8927eec 100644 --- a/lib.sh +++ b/lib.sh @@ -106,12 +106,6 @@ WPDBPASS=$(tr -dc "a-zA-Z0-9@#*=" < /dev/urandom | fold -w "$SHUF" | head -n 1) NEWMARIADBPASS=$(tr -dc "a-zA-Z0-9@#*=" < /dev/urandom | fold -w "$SHUF" | head -n 1) WPDBUSER=wordpress_db_user WPADMINPASS=$(tr -dc "a-zA-Z0-9@#*=" < /dev/urandom | fold -w "$SHUF" | head -n 1) -wpdb() { -WPCONFIGDB=$(grep "DB_PASSWORD" /var/www/html/wordpress/wp-config.php | awk '{print $3}' | cut -d "'" -f2) -} -mycnfpw() { -MARIADBMYCNFPASS=$(grep "password" $MYCNF | sed -n "/password/s/^password='\(.*\)'$/\1/p") -} # Set the hour for automatic updates. This would be 18:00 as only the hour is configurable. AUT_UPDATES_TIME="18" diff --git a/static/change_db_pass.sh b/static/change_db_pass.sh index c3ed685..772a91c 100644 --- a/static/change_db_pass.sh +++ b/static/change_db_pass.sh @@ -5,10 +5,6 @@ SCRIPT_NAME="Change Database Password" # shellcheck source=lib.sh source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) -# Get all needed variables from the library -wpdb -mycnfpw - # T&M Hansson IT AB © - 2020, https://www.hanssonit.se/ # Check for errors + debug code and abort if something isn't right From 8d6588335b7f168c431a08d84ce3bde7db40cb2c Mon Sep 17 00:00:00 2001 From: enoch85 Date: Sun, 25 Oct 2020 11:47:49 +0100 Subject: [PATCH 79/86] fix more bugs Signed-off-by: enoch85 --- static/change_db_pass.sh | 2 +- wordpress_install.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/static/change_db_pass.sh b/static/change_db_pass.sh index 772a91c..95799b8 100644 --- a/static/change_db_pass.sh 
+++ b/static/change_db_pass.sh @@ -21,7 +21,7 @@ Please keep it somewhere safe. To login to MariaDB,, simply type 'mysql -u root' from your CLI. Authentication happens with the UNIX socket. In other words, -no password is needed as long as you have access to the root account" +no password is needed as long as you have access to the root account." exit 0 else print_text_in_color "$IRed" "Changing MARIADB root password failed." diff --git a/wordpress_install.sh b/wordpress_install.sh index 6f578e0..a494566 100644 --- a/wordpress_install.sh +++ b/wordpress_install.sh @@ -423,7 +423,7 @@ PHP # Install Wordpress check_command wp_cli_cmd core install --url=http://"$ADDRESS"/ --title=Wordpress --admin_user=$WPADMINUSER --admin_password="$WPADMINPASS" --admin_email=no-reply@hanssonit.se --skip-email echo "WP PASS: $WPADMINPASS" > /var/adminpass.txt -chown wordpress:wordpress /var/adminpass.txt +chown "$UNIXUSER":"$UNIXUSER" /var/adminpass.txt # Create welcome post curl_to_dir "$STATIC" welcome.txt "$SCRIPTS" From eba42c1c2ab63886fb2368c1c523086f10ed40af Mon Sep 17 00:00:00 2001 From: Daniel Hansson Date: Sun, 25 Oct 2020 12:09:26 +0100 Subject: [PATCH 80/86] change vhost --- lets-encrypt/activate-tls.sh | 177 ++++++++++++++++++++--------------- 1 file changed, 100 insertions(+), 77 deletions(-) diff --git a/lets-encrypt/activate-tls.sh b/lets-encrypt/activate-tls.sh index 1bf001e..9422f14 100644 --- a/lets-encrypt/activate-tls.sh +++ b/lets-encrypt/activate-tls.sh @@ -20,7 +20,7 @@ root_check # Information msg_box "Before we begin the installation of your TLS certificate you need to: -1. Have a domain like: cloud.example.com +1. Have a domain like: wordpress.example.com If you want to get a domain at a fair price, please check this out: https://store.binero.se/?lang=en-US 2. Open port 80 and 443 against this servers IP address: $ADDRESS. 
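Review bot: In the `wordpress_install.sh` hunk, `/var/adminpass.txt` receives the WordPress admin password in plaintext and only its owner is changed. No `chmod` is visible, so with a default umask the file is likely world-readable. Create it restricted before the `chown "$UNIXUSER":"$UNIXUSER"`, e.g. `(umask 077; echo "WP PASS: $WPADMINPASS" > /var/adminpass.txt)`. The `--admin_password="$WPADMINPASS"` argument on the `wp_cli_cmd core install` line also exposes the password in the process list while the install runs.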
@@ -117,82 +117,105 @@ then print_text_in_color "$IGreen" "$tls_conf was successfully created." sleep 2 cat << TLS_CREATE > "$tls_conf" - - RewriteEngine On - RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L] - - - -### YOUR SERVER ADDRESS ### - - ServerAdmin admin@$TLSDOMAIN - ServerName $TLSDOMAIN - -### SETTINGS ### - - SetHandler "proxy:unix:$PHP_FPM_SOCK|fcgi://localhost" - - - # Intermediate configuration - Header add Strict-Transport-Security: "max-age=15768000;includeSubdomains" - SSLEngine on - SSLCompression off - SSLProtocol -all +TLSv1.2 $TLS13 - SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 - SSLHonorCipherOrder off - SSLSessionTickets off - ServerSignature off - - # Logs - LogLevel warn - CustomLog ${APACHE_LOG_DIR}/access.log combined - ErrorLog ${APACHE_LOG_DIR}/error.log - - DocumentRoot $NCPATH - - - Options Indexes FollowSymLinks - AllowOverride All - Require all granted - Satisfy Any - - - - Dav off - - - SetEnv HOME $NCPATH - SetEnv HTTP_HOME $NCPATH - - # The following lines prevent .htaccess and .htpasswd files from being - # viewed by Web clients. - - Require all denied - - - # Disable HTTP TRACE method. - TraceEnable off - # Disable HTTP TRACK method. 
- RewriteEngine On - RewriteCond %{REQUEST_METHOD} ^TRACK - RewriteRule .* - [R=405,L] - - # Avoid "Sabre\DAV\Exception\BadRequest: expected filesize XXXX got XXXX" - - RequestReadTimeout body=0 - - -### LOCATION OF CERT FILES ### - - SSLCertificateChainFile $CERTFILES/$TLSDOMAIN/chain.pem - SSLCertificateFile $CERTFILES/$TLSDOMAIN/cert.pem - SSLCertificateKeyFile $CERTFILES/$TLSDOMAIN/privkey.pem - SSLOpenSSLConfCmd DHParameters $DHPARAMS_TLS - - -### EXTRAS ### - SSLUseStapling On - SSLStaplingCache "shmcb:logs/ssl_stapling(32768)" +server { + listen 80; + server_name $domain; + return 301 https://$domain\$request_uri; +} +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + ## Your website name goes here. + server_name $domain; + ## Your only path reference. + root $WPATH; + ## This should be in your http block and if it is, it's not needed here. + index index.php; + + resolver $GATEWAY; + + ## Show real IP behind proxy (change to the proxy IP) +# set_real_ip_from $GATEWAY/24; +# set_real_ip_from $GATEWAY; +# set_real_ip_from 2001:0db8::/32; +# real_ip_header X-Forwarded-For; +# real_ip_recursive on; + + # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate + ssl_certificate $CERTFILES/$domain/fullchain.pem; + ssl_certificate_key $CERTFILES/$domain/privkey.pem; + ssl_session_timeout 1d; + ssl_session_cache shared:SSL:50m; + ssl_session_tickets off; + # Diffie-Hellman parameter for DHE ciphersuites, recommended 4096 bits + ssl_dhparam $DHPARAMS; + # intermediate configuration. tweak to your needs. 
+ ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + ssl_prefer_server_ciphers on; + # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) + add_header Strict-Transport-Security max-age=15768000; + # OCSP Stapling --- + # fetch OCSP records from URL in ssl_certificate and cache them + ssl_stapling on; + ssl_stapling_verify on; + + location / { + try_files \$uri \$uri/ /index.php?\$args; + # https://veerasundar.com/blog/2014/09/setting-expires-header-for-assets-nginx/ + if (\$request_uri ~* ".(ico|css|js|gif|jpe?g|png)$") { + expires 15d; + access_log off; + add_header Pragma public; + add_header Cache-Control "public"; + break; + } + } + location /.well-known { + root /usr/share/nginx/html; + } + location ~ /\\. { + access_log off; + log_not_found off; + deny all; + } + location = /favicon.ico { + log_not_found off; + access_log off; + } + location = /robots.txt { + allow all; + log_not_found off; + access_log off; + } + location ~* \.php$ { + location ~ \wp-login.php$ { + allow $GATEWAY/24; + #allow $ADDRESS; + #allow $WAN4IP; + deny all; + include fastcgi.conf; + fastcgi_intercept_errors on; + fastcgi_pass unix:/var/run/php/php7.2-fpm-wordpress.sock; + } + fastcgi_split_path_info ^(.+\.php)(/.+)$; + try_files \$uri =404; + fastcgi_index index.php; + include fastcgi.conf; + include fastcgi_params; + fastcgi_intercept_errors on; + fastcgi_pass unix:$PHP_FPM_SOCK; + fastcgi_buffers 16 16k; + fastcgi_buffer_size 32k; + fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name; + fastcgi_param SCRIPT_NAME \$fastcgi_script_name; + } + location ~* \\.(js|css|png|jpg|jpeg|gif|ico)$ { + expires max; + log_not_found off; + } +} TLS_CREATE fi From 4d2e806245ceb3dc6e64b7023aa5f8057c5e821b Mon Sep 17 00:00:00 2001 
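Review bot: The nested `wp-login.php` location hard-codes `fastcgi_pass unix:/var/run/php/php7.2-fpm-wordpress.sock;` while the outer PHP location uses `$PHP_FPM_SOCK`. When `PHPVER` is not 7.2, the login page is sent to a socket that likely does not exist; use `fastcgi_pass unix:$PHP_FPM_SOCK;` in both places. The commented `#allow $WAN4IP;` probably means `$WANIP4`: inside this unquoted heredoc an unset name expands to an empty string, so the generated file would contain `#allow ;`. The enclosing `if` block starts outside the hunk.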
From: enoch85 Date: Sun, 25 Oct 2020 12:17:15 +0100 Subject: [PATCH 81/86] fix more bugs Signed-off-by: enoch85 --- lets-encrypt/activate-tls.sh | 44 +++++++++++++++-------------------- menu/startup_configuration.sh | 2 +- 2 files changed, 20 insertions(+), 26 deletions(-) diff --git a/lets-encrypt/activate-tls.sh b/lets-encrypt/activate-tls.sh index 9422f14..0d13960 100644 --- a/lets-encrypt/activate-tls.sh +++ b/lets-encrypt/activate-tls.sh 
@@ -94,57 +94,51 @@ install_certbot #Fix issue #28 tls_conf="$SITES_AVAILABLE/$TLSDOMAIN.conf" -# Check if "$tls.conf" exists, and if, then delete -if [ -f "$tls_conf" ] +# Check if "$TLS.conf" exists, and if, then delete +if [ -f "$TLS_CONF" ] then - rm -f "$tls_conf" + rm -f "$TLS_CONF" fi # Check current PHP version --> PHPVER -# To get the correct version for the Apache conf file +# To get the correct version for the Nginx conf file check_php -# Only add TLS 1.3 on Ubuntu later than 20.04 -if version 20.04 "$DISTRO" 20.04.10 -then - TLS13="+TLSv1.3" -fi - # Generate wordpress_tls_domain.conf -if [ ! -f "$tls_conf" ] +if [ ! -f "$TLS_CONF" ] then - touch "$tls_conf" - print_text_in_color "$IGreen" "$tls_conf was successfully created." + touch "$TLS_CONF" + print_text_in_color "$IGreen" "$TLS_CONF was successfully created." sleep 2 - cat << TLS_CREATE > "$tls_conf" + cat << TLS_CREATE > "$TLS_CONF" server { listen 80; - server_name $domain; - return 301 https://$domain\$request_uri; + server_name $TLSDOMAIN; + return 301 https://$TLSDOMAIN\$request_uri; } server { listen 443 ssl http2; listen [::]:443 ssl http2; - + ## Your website name goes here. - server_name $domain; + server_name $TLSDOMAIN; ## Your only path reference. root $WPATH; ## This should be in your http block and if it is, it's not needed here. index index.php; - + resolver $GATEWAY; - + ## Show real IP behind proxy (change to the proxy IP) # set_real_ip_from $GATEWAY/24; # set_real_ip_from $GATEWAY; # set_real_ip_from 2001:0db8::/32; # real_ip_header X-Forwarded-For; # real_ip_recursive on; - + # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate - ssl_certificate $CERTFILES/$domain/fullchain.pem; - ssl_certificate_key $CERTFILES/$domain/privkey.pem; + ssl_certificate $CERTFILES/$TLSDOMAIN/fullchain.pem; + ssl_certificate_key $CERTFILES/$TLSDOMAIN/privkey.pem; ssl_session_timeout 1d; ssl_session_cache shared:SSL:50m; ssl_session_tickets off; 
@@ -160,7 +154,7 @@ server { # fetch OCSP records from URL in ssl_certificate and cache them ssl_stapling on; ssl_stapling_verify on; - + location / { try_files \$uri \$uri/ /index.php?\$args; # https://veerasundar.com/blog/2014/09/setting-expires-header-for-assets-nginx/ @@ -177,7 +171,7 @@ server { } location ~ /\\. { access_log off; - log_not_found off; + log_not_found off; deny all; } location = /favicon.ico { diff --git a/menu/startup_configuration.sh b/menu/startup_configuration.sh index fbd7ef3..a6a3b4d 100644 --- a/menu/startup_configuration.sh +++ b/menu/startup_configuration.sh @@ -77,7 +77,7 @@ to find out if the keyboard settings were correctly applied. If the keyboard is still wrong, you will be offered to reboot the server in the next step. Please continue by hitting [ENTER]" "$SUBTITLE" >/dev/null - if ! yesno_box_yes "Did the keyboard work as expected??\n\nIf you choose 'No' \ + if ! yesno_box_yes "Did the keyboard work as expected?\n\nIf you choose 'No' \ the server will be rebooted. After the reboot, please login as usual and run this script again." "$SUBTITLE" then reboot From e8322241c1f64bed7b3dd44bbcff55221039af0c Mon Sep 17 00:00:00 2001 From: enoch85 Date: Sun, 25 Oct 2020 12:22:00 +0100 Subject: [PATCH 82/86] fix more bugs Signed-off-by: enoch85 --- lets-encrypt/test-new-config.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/lets-encrypt/test-new-config.sh b/lets-encrypt/test-new-config.sh index dd6bbab..a1e70d6 100644 --- a/lets-encrypt/test-new-config.sh +++ b/lets-encrypt/test-new-config.sh @@ -15,6 +15,8 @@ debug_mode # Activate the new config msg_box "We will now test that everything is OK" +rm -f "$SITES_AVAILABLE"/"$1" +rm -f "$SITES_ENABLED"/"$1" ln -s "$SITES_AVAILABLE"/"$1" "$SITES_ENABLED"/"$1" rm -f "$SITES_AVAILABLE"/"$HTTP_CONF" rm -f "$SITES_AVAILABLE"/"$TLS_CONF" From d29f3cc0cff73892fad4ec9fd0c3d646e8bb4a6c Mon Sep 17 00:00:00 2001 
From: enoch85 Date: Sun, 25 Oct 2020 12:23:23 +0100 Subject: [PATCH 83/86] fix more bugs Signed-off-by: enoch85 --- lets-encrypt/activate-tls.sh | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/lets-encrypt/activate-tls.sh b/lets-encrypt/activate-tls.sh index 0d13960..d8d32bf 100644 --- a/lets-encrypt/activate-tls.sh +++ b/lets-encrypt/activate-tls.sh @@ -94,10 +94,10 @@ install_certbot #Fix issue #28 tls_conf="$SITES_AVAILABLE/$TLSDOMAIN.conf" -# Check if "$TLS.conf" exists, and if, then delete -if [ -f "$TLS_CONF" ] +# Check if "$tls.conf" exists, and if, then delete +if [ -f "$tls_conf" ] then - rm -f "$TLS_CONF" + rm -f "$tls_conf" fi # Check current PHP version --> PHPVER @@ -105,12 +105,12 @@ fi check_php # Generate wordpress_tls_domain.conf -if [ ! -f "$TLS_CONF" ] +if [ ! -f "$tls_conf" ] then - touch "$TLS_CONF" - print_text_in_color "$IGreen" "$TLS_CONF was successfully created." + touch "$tls_conf" + print_text_in_color "$IGreen" "$tls_conf was successfully created." sleep 2 - cat << TLS_CREATE > "$TLS_CONF" + cat << TLS_CREATE > "$tls_conf" server { listen 80; server_name $TLSDOMAIN; From 83e83cfd52e42e4ea3e3e958221f0073a0eb4ec6 Mon Sep 17 00:00:00 2001 From: enoch85 Date: Sun, 25 Oct 2020 12:31:35 +0100 Subject: [PATCH 84/86] fix more bugs Signed-off-by: enoch85 --- lets-encrypt/test-new-config.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lets-encrypt/test-new-config.sh b/lets-encrypt/test-new-config.sh index a1e70d6..ba343f6 100644 --- a/lets-encrypt/test-new-config.sh +++ b/lets-encrypt/test-new-config.sh 
@@ -15,11 +15,12 @@ debug_mode # Activate the new config msg_box "We will now test that everything is OK" -rm -f "$SITES_AVAILABLE"/"$1" rm -f "$SITES_ENABLED"/"$1" ln -s "$SITES_AVAILABLE"/"$1" "$SITES_ENABLED"/"$1" rm -f "$SITES_AVAILABLE"/"$HTTP_CONF" rm -f "$SITES_AVAILABLE"/"$TLS_CONF" +rm -f "$SITES_ENABLED"/"$HTTP_CONF" +rm -f "$SITES_ENABLED"/"$TLS_CONF" rm -f "$NGINX_DEF" rm -f "$SITES_ENABLED"/default if restart_webserver From bec49bf20ebbe4e8f8dfae3d0cda961a4325c822 Mon Sep 17 00:00:00 2001 From: enoch85 Date: Sun, 25 Oct 2020 12:42:41 +0100 Subject: [PATCH 85/86] change branch to master Signed-off-by: enoch85 --- addons/automatic_updates.sh | 2 +- addons/locales.sh | 2 +- addons/locate_mirror.sh | 2 +- addons/redis-server-ubuntu.sh | 2 +- addons/smtp-mail.sh | 2 +- apps/adminer.sh | 2 +- apps/bpytop.sh | 2 +- apps/fail2ban.sh | 2 +- apps/midnight-commander.sh | 2 +- apps/netdata.sh | 2 +- apps/webmin.sh | 2 +- lets-encrypt/activate-tls.sh | 2 +- lets-encrypt/test-new-config.sh | 2 +- lib.sh | 2 +- menu/additional_apps.sh | 2 +- menu/fail2ban_menu.sh | 2 +- menu/main_menu.sh | 2 +- menu/menu.sh | 2 +- menu/server_configuration.sh | 2 +- menu/startup_configuration.sh | 2 +- network/ddclient-configuration.sh | 2 +- network/static_ip.sh | 2 +- static/adduser.sh | 2 +- static/change-root-profile.sh | 2 +- static/change-wordpress-profile.sh | 2 +- static/change_db_pass.sh | 2 +- static/fetch_lib.sh | 4 ++-- static/new_etc_mycnf.sh | 2 +- static/static_ip.sh | 2 +- static/update.sh | 2 +- static/wordpress_update.sh | 2 +- wordpress_install.sh | 4 ++-- 32 files changed, 34 insertions(+), 34 deletions(-) diff --git a/addons/automatic_updates.sh b/addons/automatic_updates.sh index 49e5bb5..a5b0e7e 100644 --- a/addons/automatic_updates.sh +++ b/addons/automatic_updates.sh 
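Review bot: `"$1"` is used in `rm -f "$SITES_ENABLED"/"$1"` and `ln -s "$SITES_AVAILABLE"/"$1" "$SITES_ENABLED"/"$1"` with no check visible in this hunk that it is set or names an existing file. With an empty argument the `ln -s` would link the whole sites-available directory into sites-enabled, and the default vhosts are removed right after. A guard before the first `rm` would catch this: `if [ -z "$1" ] || [ ! -f "$SITES_AVAILABLE/$1" ]; then exit 1; fi`. The rest of the script lies outside the hunk, so an earlier check may already exist.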
@@ -6,7 +6,7 @@ true SCRIPT_NAME="Automatic Updates" # shellcheck source=lib.sh -source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) +source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/master/lib.sh) print_text_in_color "$ICyan" "Configuring automatic updates..." diff --git a/addons/locales.sh b/addons/locales.sh index 58fe0e3..a272a3c 100644 --- a/addons/locales.sh +++ b/addons/locales.sh @@ -6,7 +6,7 @@ true SCRIPT_NAME="Locales" # shellcheck source=lib.sh -source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) +source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/master/lib.sh) # Check for errors + debug code and abort if something isn't right # 1 = ON diff --git a/addons/locate_mirror.sh b/addons/locate_mirror.sh index 1f7289f..bbc33b3 100644 --- a/addons/locate_mirror.sh +++ b/addons/locate_mirror.sh @@ -6,7 +6,7 @@ true SCRIPT_NAME="Locate Mirror" # shellcheck source=lib.sh -source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) +source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/master/lib.sh) # Must be root root_check diff --git a/addons/redis-server-ubuntu.sh b/addons/redis-server-ubuntu.sh index 16af41b..d8b5144 100644 --- a/addons/redis-server-ubuntu.sh +++ b/addons/redis-server-ubuntu.sh 
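Review bot: The fallback `source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/master/lib.sh)` executes whatever is at the tip of a mutable branch, with no integrity check, in scripts that typically run as root. The same line appears in every other script this commit touches, and `GITHUB_REPO` in `lib.sh` points all later downloads at the same branch. Pinning the URL to a release tag or commit, e.g. `…/wordpress-vm/<RELEASE_TAG>/lib.sh` (placeholder), makes what gets run reviewable. Separately, `curl -sL` without `-f` hands an HTTP error body to `source`; `curl -fsSL` fails instead.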
@@ -3,7 +3,7 @@ true SCRIPT_NAME="Redis Server Ubuntu" # shellcheck source=lib.sh -source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) +source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/master/lib.sh) # T&M Hansson IT AB © - 2020, https://www.hanssonit.se/ diff --git a/addons/smtp-mail.sh b/addons/smtp-mail.sh index 3a5bc4c..9a4e705 100644 --- a/addons/smtp-mail.sh +++ b/addons/smtp-mail.sh @@ -8,7 +8,7 @@ SCRIPT_NAME="SMTP Relay with msmtp" SCRIPT_EXPLAINER="This script will setup an SMTP Relay (Mail Server) in your Wordpress Server \ that will be used to send emails about failed cronjob's and such." # shellcheck source=lib.sh -source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) +source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/master/lib.sh) # Check for errors + debug code and abort if something isn't right # 1 = ON diff --git a/apps/adminer.sh b/apps/adminer.sh index f9ab8e0..47d59e1 100644 --- a/apps/adminer.sh +++ b/apps/adminer.sh @@ -7,7 +7,7 @@ true SCRIPT_NAME="Adminer" SCRIPT_EXPLAINER="Adminer is a full-featured database management tool written in PHP." # shellcheck source=lib.sh -source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) +source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/master/lib.sh) # Check for errors + debug code and abort if something isn't right # 1 = ON diff --git a/apps/bpytop.sh b/apps/bpytop.sh index 22f774b..932db70 100644 --- a/apps/bpytop.sh +++ b/apps/bpytop.sh 
@@ -7,7 +7,7 @@ true SCRIPT_NAME="BPYTOP" SCRIPT_EXPLAINER="BPYTOP is an amazing alternative to resource-monitor software like top or htop." # shellcheck source=lib.sh -source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) +source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/master/lib.sh) # Check for errors + debug code and abort if something isn't right # 1 = ON diff --git a/apps/fail2ban.sh b/apps/fail2ban.sh index 1d56152..8a73456 100644 --- a/apps/fail2ban.sh +++ b/apps/fail2ban.sh @@ -12,7 +12,7 @@ signs -- too many password failures, seeking for exploits, etc. Generally Fail2Ban is then used to update firewall rules to \ reject the IP addresses for a specified amount of time." # shellcheck source=lib.sh -source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) +source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/master/lib.sh) # Check for errors + debug code and abort if something isn't right # 1 = ON diff --git a/apps/midnight-commander.sh b/apps/midnight-commander.sh index 22073b4..220cdc0 100644 --- a/apps/midnight-commander.sh +++ b/apps/midnight-commander.sh 
@@ -11,7 +11,7 @@ that provides a flexible, powerful, and convenient set of file and directory ope It is capable of running in either a console or an xterm under X11. Its basic operation is easily mastered by the novice while providing a rich feature set and extensive customization." # shellcheck source=lib.sh -source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) +source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/master/lib.sh) # Check for errors + debug code and abort if something isn't right # 1 = ON diff --git a/apps/netdata.sh b/apps/netdata.sh index 4f7e154..b1f2d06 100644 --- a/apps/netdata.sh +++ b/apps/netdata.sh @@ -12,7 +12,7 @@ The tool is designed to visualize activity in the greatest possible detail, \ allowing the user to obtain an overview of what is happening \ and what has just happened in their system or application." # shellcheck source=lib.sh -source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) +source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/master/lib.sh) # Check for errors + debug code and abort if something isn't right # 1 = ON diff --git a/apps/webmin.sh b/apps/webmin.sh index de3bb6e..6fd978e 100644 --- a/apps/webmin.sh +++ b/apps/webmin.sh 
@@ -12,7 +12,7 @@ and lets you manage a system from the console or remotely. See the following page with standard modules for a list of all the functions built into Webmin: \ https://webmin.com/standard.html" # shellcheck source=lib.sh -source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) +source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/master/lib.sh) # Check for errors + debug code and abort if something isn't right # 1 = ON diff --git a/lets-encrypt/activate-tls.sh b/lets-encrypt/activate-tls.sh index d8d32bf..9b210a4 100644 --- a/lets-encrypt/activate-tls.sh +++ b/lets-encrypt/activate-tls.sh @@ -3,7 +3,7 @@ true SCRIPT_NAME="Activate TLS" # shellcheck source=lib.sh -source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) +source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/master/lib.sh) # T&M Hansson IT AB © - 2020, https://www.hanssonit.se/ diff --git a/lets-encrypt/test-new-config.sh b/lets-encrypt/test-new-config.sh index ba343f6..c349646 100644 --- a/lets-encrypt/test-new-config.sh +++ b/lets-encrypt/test-new-config.sh @@ -3,7 +3,7 @@ true SCRIPT_NAME="Test New Configuration" # shellcheck source=lib.sh -source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) +source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/master/lib.sh) # T&M Hansson IT AB © - 2020, https://www.hanssonit.se/ diff --git a/lib.sh b/lib.sh index 8927eec..42cdd2a 100644 --- a/lib.sh +++ b/lib.sh 
@@ -79,7 +79,7 @@ MENU_GUIDE="Navigate with the [ARROW] keys and confirm by pressing [ENTER]. Canc RUN_LATER_GUIDE="You can view this script later by running 'sudo bash $SCRIPTS/menu.sh'." # Repo -GITHUB_REPO="https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing" +GITHUB_REPO="https://raw.githubusercontent.com/techandme/wordpress-vm/master" STATIC="$GITHUB_REPO/static" LETS_ENC="$GITHUB_REPO/lets-encrypt" APP="$GITHUB_REPO/apps" diff --git a/menu/additional_apps.sh b/menu/additional_apps.sh index 3028867..6d3ad2a 100644 --- a/menu/additional_apps.sh +++ b/menu/additional_apps.sh @@ -6,7 +6,7 @@ true SCRIPT_NAME="Additional Apps Menu" # shellcheck source=lib.sh -source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) +source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/master/lib.sh) # Check for errors + debug code and abort if something isn't right # 1 = ON diff --git a/menu/fail2ban_menu.sh b/menu/fail2ban_menu.sh index 957bad3..e00022a 100644 --- a/menu/fail2ban_menu.sh +++ b/menu/fail2ban_menu.sh @@ -6,7 +6,7 @@ true SCRIPT_NAME="Fail2ban Menu" # shellcheck source=lib.sh -source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) +source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/master/lib.sh) # Check for errors + debug code and abort if something isn't right # 1 = ON diff --git a/menu/main_menu.sh b/menu/main_menu.sh index 6d45879..391e0f5 100644 --- a/menu/main_menu.sh +++ b/menu/main_menu.sh 
@@ -6,7 +6,7 @@ true SCRIPT_NAME="Main Menu" # shellcheck source=lib.sh -source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) +source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/master/lib.sh) # Check for errors + debug code and abort if something isn't right # 1 = ON diff --git a/menu/menu.sh b/menu/menu.sh index 6e87b81..e866d09 100644 --- a/menu/menu.sh +++ b/menu/menu.sh @@ -6,7 +6,7 @@ true SCRIPT_NAME="Main Menu" # shellcheck source=lib.sh -source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) +source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/master/lib.sh) # Check for errors + debug code and abort if something isn't right # 1 = ON diff --git a/menu/server_configuration.sh b/menu/server_configuration.sh index db62c96..95baa36 100644 --- a/menu/server_configuration.sh +++ b/menu/server_configuration.sh @@ -6,7 +6,7 @@ true SCRIPT_NAME="Server Configuration Menu" # shellcheck source=lib.sh -source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) +source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/master/lib.sh) # Check for errors + debug code and abort if something isn't right # 1 = ON diff --git a/menu/startup_configuration.sh b/menu/startup_configuration.sh index a6a3b4d..a1ab900 100644 --- a/menu/startup_configuration.sh +++ b/menu/startup_configuration.sh 
@@ -6,7 +6,7 @@ true SCRIPT_NAME="Startup Configuration Menu" # shellcheck source=lib.sh -source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) +source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/master/lib.sh) # Check for errors + debug code and abort if something isn't right # 1 = ON diff --git a/network/ddclient-configuration.sh b/network/ddclient-configuration.sh index 46de888..9f182f8 100644 --- a/network/ddclient-configuration.sh +++ b/network/ddclient-configuration.sh @@ -8,7 +8,7 @@ true SCRIPT_NAME="DynDNS with ddclient" SCRIPT_EXPLAINER="This script lets you setup DynDNS by using the Linux ddclient software." # shellcheck source=lib.sh -source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) +source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/master/lib.sh) # Check for errors + debug code and abort if something isn't right # 1 = ON diff --git a/network/static_ip.sh b/network/static_ip.sh index 99e8e8e..e2593af 100644 --- a/network/static_ip.sh +++ b/network/static_ip.sh @@ -9,7 +9,7 @@ then true SCRIPT_NAME="Static IP" # shellcheck source=lib.sh -source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) +source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/master/lib.sh) # If we have internet, then use the latest variables from the lib remote file elif [ -f /var/scripts/lib.sh ] then diff --git a/static/adduser.sh b/static/adduser.sh index 5f12b45..cd06aee 100644 --- a/static/adduser.sh +++ b/static/adduser.sh 
@@ -3,7 +3,7 @@ true SCRIPT_NAME="Add CLI User" # shellcheck source=lib.sh -source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) +source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/master/lib.sh) # T&M Hansson IT AB © - 2020, https://www.hanssonit.se/ diff --git a/static/change-root-profile.sh b/static/change-root-profile.sh index 5add304..9c2106a 100644 --- a/static/change-root-profile.sh +++ b/static/change-root-profile.sh @@ -5,7 +5,7 @@ # shellcheck disable=2034,2059 true # shellcheck source=lib.sh -source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) +source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/master/lib.sh) # Check for errors + debug code and abort if something isn't right # 1 = ON diff --git a/static/change-wordpress-profile.sh b/static/change-wordpress-profile.sh index 29f7a84..b6ff397 100644 --- a/static/change-wordpress-profile.sh +++ b/static/change-wordpress-profile.sh @@ -5,7 +5,7 @@ # shellcheck disable=2034,2059 true # shellcheck source=lib.sh -source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) +source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/master/lib.sh) # Check for errors + debug code and abort if something isn't right # 1 = ON diff --git a/static/change_db_pass.sh b/static/change_db_pass.sh index 95799b8..f6e083c 100644 --- a/static/change_db_pass.sh +++ b/static/change_db_pass.sh 
@@ -3,7 +3,7 @@ true SCRIPT_NAME="Change Database Password" # shellcheck source=lib.sh -source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) +source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/master/lib.sh) # T&M Hansson IT AB © - 2020, https://www.hanssonit.se/ diff --git a/static/fetch_lib.sh b/static/fetch_lib.sh index edeff9d..d525984 100644 --- a/static/fetch_lib.sh +++ b/static/fetch_lib.sh @@ -21,7 +21,7 @@ fi mkdir -p /var/scripts if ! [ -f /var/scripts/lib.sh ] then - if ! curl -sfL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh -o /var/scripts/lib.sh + if ! curl -sfL https://raw.githubusercontent.com/techandme/wordpress-vm/master/lib.sh -o /var/scripts/lib.sh then print_text_in_color "$IRed" "You don't seem to have an internet \ connection and the local lib isn't available. Hence you cannot run this script." @@ -30,7 +30,7 @@ connection and the local lib isn't available. Hence you cannot run this script." elif ! [ -f /var/scripts/wordpress-startup-script.sh ] then print_text_in_color "$ICyan" "Updating lib..." - curl -sfL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh -o /var/scripts/lib.sh + curl -sfL https://raw.githubusercontent.com/techandme/wordpress-vm/master/lib.sh -o /var/scripts/lib.sh fi # shellcheck source=lib.sh diff --git a/static/new_etc_mycnf.sh b/static/new_etc_mycnf.sh index a2ee1e3..08fd356 100644 --- a/static/new_etc_mycnf.sh +++ b/static/new_etc_mycnf.sh 
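Review bot: Both `curl -sfL … -o /var/scripts/lib.sh` calls in the two static/fetch_lib.sh hunks write straight to the final path, so an interrupted transfer can leave a partial lib.sh behind; because the first branch only tests `! [ -f /var/scripts/lib.sh ]`, that file would not be fetched again, and it is presumably sourced right after the `# shellcheck source=lib.sh` line where the second hunk ends. The `Updating lib...` branch also ignores curl's exit status, unlike the first branch. Downloading to a temporary file created with `mktemp` in /var/scripts and renaming it only on success covers both cases: `curl -sfL "$url" -o "$tmp" && mv "$tmp" /var/scripts/lib.sh`, with `url` holding the lib.sh address. The body of the inner `if ! curl` lies between the two hunks and is not visible here.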
@@ -2,7 +2,7 @@ # shellcheck disable=2034,2059 true # shellcheck source=lib.sh -source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) +source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/master/lib.sh) # Check for errors + debug code and abort if something isn't right # 1 = ON diff --git a/static/static_ip.sh b/static/static_ip.sh index aeb6545..4d77ad7 100644 --- a/static/static_ip.sh +++ b/static/static_ip.sh @@ -5,7 +5,7 @@ # shellcheck disable=2034,2059 true # shellcheck source=lib.sh -FIRST_IFACE=1 source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) +FIRST_IFACE=1 source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/master/lib.sh) unset FIRST_IFACE # Check for errors + debug code and abort if something isn't right diff --git a/static/update.sh b/static/update.sh index 657d60f..7cacb7a 100644 --- a/static/update.sh +++ b/static/update.sh @@ -5,7 +5,7 @@ # shellcheck disable=2034,2059 true # shellcheck source=lib.sh -source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) +source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/master/lib.sh) # Check for errors + debug code and abort if something isn't right # 1 = ON diff --git a/static/wordpress_update.sh b/static/wordpress_update.sh index 0e40580..bc1bc70 100644 --- a/static/wordpress_update.sh +++ b/static/wordpress_update.sh @@ -5,7 +5,7 @@ # shellcheck disable=2034,2059 true # shellcheck source=lib.sh -source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) +source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/master/lib.sh) # Check for errors + debug code and abort if something isn't right # 1 = ON 
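Review bot: In the static/static_ip.sh hunk the `FIRST_IFACE=1` prefix applies only to the first `source`; the `|| source <(curl …)` fallback runs without it. The lib.sh rewrite earlier in this series (patch 02/86) appears to have dropped the `[ -n "$FIRST_IFACE" ]` test, so the variable may no longer be read at all. If that is the case, the prefix and the following `unset FIRST_IFACE` are dead and the line can match the other scripts: `source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/master/lib.sh)`. If it is still read somewhere, a comment naming the consumer would help.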
diff --git a/wordpress_install.sh b/wordpress_install.sh index a494566..707e346 100644 --- a/wordpress_install.sh +++ b/wordpress_install.sh @@ -18,7 +18,7 @@ fi true SCRIPT_NAME="Wordpress Install Script" # shellcheck source=lib.sh -source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) +source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/master/lib.sh) # Check if dpkg or apt is running is_process_running apt @@ -54,7 +54,7 @@ fi # shellcheck disable=2034,2059 true # shellcheck source=lib.sh -source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/20.04_testing/lib.sh) +source <(curl -sL https://raw.githubusercontent.com/techandme/wordpress-vm/master/lib.sh) # Check for errors + debug code and abort if something isn't right # 1 = ON From 9d8117a6b7e63aa3cf98fb5bb1997270dd0095e8 Mon Sep 17 00:00:00 2001 From: Daniel Hansson Date: Sun, 25 Oct 2020 12:44:21 +0100 Subject: [PATCH 86/86] change versions --- README.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 50f4116..30c640a 100644 --- a/README.md +++ b/README.md @@ -5,10 +5,12 @@ ### https://www.hanssonit.se/wordpress-vm/ - Ubuntu 18.04 -- MariaDB 10.2 -- NGINX 1.16 -- PHP-FPM 7.2 +- MariaDB 10.5 +- NGINX 1.18 +- PHP-FPM 7.4 - Latest Wordpress (updates automatically) - WP-CLI - Redis Cache +- Igbinary for PHP +- APCu Cache - and [more](https://docs.hanssonit.se/s/W6fMouPiqQz3_Mog/virtual-machines-vm/d/W7jL1OPiqQz3_MtV/wordpress-vm-machine-configuration).