-
Notifications
You must be signed in to change notification settings - Fork 4
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
9 changed files
with
615 additions
and
2 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| 0.1.0 |
Large diffs are not rendered by default.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,61 @@ | ||
| ##################### | ||
| ## MANUAL COMMANDS ## | ||
| ##################### | ||
|
|
||
| ## Login to new server: | ||
| ssh __username__@__server_ip_address__ | ||
|
|
||
| ## Monitor cloud-init script progress | ||
| grc tail -fn+1 /var/log/cloud-init-output.log | ||
|
|
||
| ## Change passwords | ||
| sudo passwd root | ||
| sudo passwd __username__ | ||
|
|
||
| ## Install and configure mysql | ||
| sudo apt install -y mariadb-server php-mysql | ||
| sudo mysql_install_db | ||
| sudo mysql_secure_installation | ||
|
|
||
| mysql -u root -p | ||
| CREATE DATABASE __mysql_db__ CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_520_ci; | ||
| CREATE USER '__mysql_user__'@'localhost' IDENTIFIED BY '__mysql_password__'; | ||
| GRANT ALL PRIVILEGES ON __mysql_db__.* TO '__mysql_user__'; | ||
| FLUSH PRIVILEGES; | ||
| exit; | ||
|
|
||
| sudo sed -i -e 's/# listen 443 ssl http2;/listen 443 ssl http2;/' /etc/nginx/sites-available/__site_domain.tld__ && sudo sed -i -e 's/# listen 443 ssl http2;/listen 443 ssl http2;/' /etc/nginx/sites-available/__site_domain.tld__ && sudo sed -i -e 's/# listen \[::\]:443 ssl http2;/listen \[::\]:443 ssl http2;/' /etc/nginx/sites-available/__site_domain.tld__ && sudo sed -i -e 's/# listen \[::\]:443 ssl http2;/listen \[::\]:443 ssl http2;/' /etc/nginx/sites-available/__site_domain.tld__ && sudo sed -i -e 's/# ssl_certificate /ssl_certificate /' /etc/nginx/sites-available/__site_domain.tld__ && sudo sed -i -e 's/# ssl_certificate_key /ssl_certificate_key /' /etc/nginx/sites-available/__site_domain.tld__ && sudo sed -i -e 's/# ssl_certificate /ssl_certificate /' /etc/nginx/sites-available/__site_domain.tld__ && sudo sed -i -e 's/# ssl_certificate_key /ssl_certificate_key /' /etc/nginx/sites-available/__site_domain.tld__ && sudo service nginx restart | ||
|
|
||
| ## Create the hostname | ||
| lsattr /etc/hostname && sudo chattr -i /etc/hostname | ||
| sudo sh -c "echo '__server_name.domain.tld__' > /etc/hostname" | ||
| sudo hostname -F /etc/hostname | ||
| sudo chattr +i /etc/hostname | ||
|
|
||
| ## Install and configure sendmail | ||
| sudo apt install -y sendmail sendmail-bin | ||
| sudo sendmailconfig | ||
|
|
||
| ## Install zsh | ||
| sh -c "$(curl -fsSL https://raw.githubusercontent.com/robbyrussell/oh-my-zsh/master/tools/install.sh)" && chsh -s /bin/zsh | ||
|
|
||
| ## UPDATE DNS FOR SITE DOMAINS TO IP ADDRESS OF NEW SERVER | ||
|
|
||
| ## Run certbot for all domains: | ||
| ## (this should be done only after we have updated the site's DNS to point to the new IP address) | ||
| sudo certbot certonly --email [email protected]__ --agree-tos --webroot -w /home/__username__/www/__site_domain.tld__/public -d __site_domain.tld__ && sudo certbot certonly --email [email protected]__ --agree-tos --webroot -w /home/__username__/www/__site_domain.tld__/public -d __site_domain.tld__ | ||
|
|
||
| ## Reboot the system | ||
| sudo reboot | ||
|
|
||
| ## Remove unnecessary packages | ||
| sudo apt autoremove -y | ||
|
|
||
| ## Run rootkit hunter | ||
| sudo rkhunter --checkall --skip-keypress | ||
|
|
||
| ## Run check rootkit | ||
| sudo chkrootkit | ||
|
|
||
| ## Run lynis security audit | ||
| sudo lynis audit system --quick |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,29 @@ | ||
| fastcgi_param QUERY_STRING $query_string; | ||
| fastcgi_param REQUEST_METHOD $request_method; | ||
| fastcgi_param CONTENT_TYPE $content_type; | ||
| fastcgi_param CONTENT_LENGTH $content_length; | ||
|
|
||
| fastcgi_param SCRIPT_NAME $fastcgi_script_name; | ||
| fastcgi_param REQUEST_URI $request_uri; | ||
| fastcgi_param DOCUMENT_URI $document_uri; | ||
| fastcgi_param DOCUMENT_ROOT $document_root; | ||
| fastcgi_param SERVER_PROTOCOL $server_protocol; | ||
| fastcgi_param REQUEST_SCHEME $scheme; | ||
| fastcgi_param HTTPS $https if_not_empty; | ||
|
|
||
| # Added for php7.1-fpm | ||
| fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; | ||
| fastcgi_param PATH_INFO $fastcgi_path_info; | ||
| fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info; | ||
|
|
||
| fastcgi_param GATEWAY_INTERFACE CGI/1.1; | ||
| fastcgi_param SERVER_SOFTWARE nginx/$nginx_version; | ||
|
|
||
| fastcgi_param REMOTE_ADDR $remote_addr; | ||
| fastcgi_param REMOTE_PORT $remote_port; | ||
| fastcgi_param SERVER_ADDR $server_addr; | ||
| fastcgi_param SERVER_PORT $server_port; | ||
| fastcgi_param SERVER_NAME $server_name; | ||
|
|
||
| # PHP only, required if PHP was built with --enable-force-cgi-redirect | ||
| fastcgi_param REDIRECT_STATUS 200; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,54 @@ | ||
| user __username__; | ||
| worker_processes 1; | ||
| pid /var/run/nginx.pid; | ||
|
|
||
| events { | ||
| worker_connections 1024; | ||
| multi_accept on; | ||
| } | ||
|
|
||
| http { | ||
| include /etc/nginx/mime.types; | ||
| default_type application/octet-stream; | ||
|
|
||
| log_format main '$remote_addr - $remote_user [$time_local] "$request" ' | ||
| '$status $body_bytes_sent "$http_referer" ' | ||
| '"$http_user_agent" "$http_x_forwarded_for"'; | ||
|
|
||
| access_log /var/log/nginx/access.log main; | ||
| error_log /var/log/nginx/error.log warn; | ||
|
|
||
| server_tokens off; | ||
| sendfile on; | ||
| tcp_nopush on; | ||
| tcp_nodelay on; | ||
| server_names_hash_bucket_size 64; | ||
| types_hash_max_size 2048; | ||
| client_max_body_size 64m; | ||
| keepalive_timeout 15; | ||
|
|
||
| ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE | ||
| ssl_prefer_server_ciphers on; | ||
| ssl_session_cache shared:SSL:10m; | ||
| ssl_session_timeout 10m; | ||
|
|
||
| gzip on; | ||
| gzip_disable "msie6"; | ||
|
|
||
| # gzip_vary on; | ||
| gzip_proxied any; | ||
| gzip_comp_level 2; | ||
| # gzip_buffers 16 8k; | ||
| # gzip_http_version 1.1; | ||
| gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; | ||
|
|
||
| include /etc/nginx/conf.d/*.conf; | ||
| include /etc/nginx/sites-enabled/*; | ||
|
|
||
| server { | ||
| listen 80 default_server; | ||
| listen [::]:80 default_server; | ||
| server_name _; | ||
| return 444; | ||
| } | ||
| } |
66 changes: 66 additions & 0 deletions
66
templates/etc/nginx/sites-available/__site_domain.tld__.txt
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,66 @@ | ||
| server { | ||
| listen 80; | ||
| listen [::]:80; | ||
|
|
||
| ## UNCOMMENT ONCE SSL IS ENABLED | ||
| # listen 443 ssl http2; | ||
| # listen [::]:443 ssl http2; | ||
|
|
||
| ## UNCOMMENT ONCE SSL IS ENABLED | ||
| # ssl_certificate /etc/letsencrypt/live/__domain.tld__/fullchain.pem; | ||
| # ssl_certificate_key /etc/letsencrypt/live/__domain.tld__/privkey.pem; | ||
|
|
||
| server_name __domain.tld__; | ||
|
|
||
| access_log /home/__username__/www/__domain.tld__/logs/access.log; | ||
| error_log /home/__username__/www/__domain.tld__/logs/error.log; | ||
|
|
||
| root /home/__username__/www/__domain.tld__/public/; | ||
| index index.html index.php; | ||
|
|
||
| location = /favicon.ico { | ||
| log_not_found off; | ||
| access_log off; | ||
| } | ||
|
|
||
| location = /robots.txt { | ||
| allow all; | ||
| log_not_found off; | ||
| access_log off; | ||
| } | ||
|
|
||
| # Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac). | ||
| # Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban) | ||
| location ~ /\.ht { | ||
| deny all; | ||
| } | ||
|
|
||
| # Deny access to any files with a .php extension in the uploads directory | ||
| # Works in sub-directory installs and also in multisite network | ||
| # Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban) | ||
| location ~* /(?:uploads|files)/.*\.php$ { | ||
| deny all; | ||
| } | ||
|
|
||
| location / { | ||
| # This is cool because no php is touched for static content. | ||
| # include the "?$args" part so non-default permalinks doesn't break when using query string | ||
| try_files $uri $uri/ /index.php?$args; | ||
| } | ||
|
|
||
| # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 | ||
| location ~ \.php$ { | ||
| try_files $uri =404; | ||
| fastcgi_split_path_info ^(.+\.php)(/.+)$; | ||
| fastcgi_pass unix:/run/php/php7.1-fpm.sock; | ||
| fastcgi_index index.php; | ||
| include fastcgi_params; | ||
| fastcgi_param PATH_INFO $fastcgi_path_info; | ||
| fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; | ||
| } | ||
|
|
||
| location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ { | ||
| expires max; | ||
| log_not_found off; | ||
| } | ||
| } |
Empty file.
10 changes: 10 additions & 0 deletions
10
templates/home/__username__/www/__site_domain.tld__/public/index.html
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,10 @@ | ||
| <!DOCTYPE html> | ||
| <html> | ||
| <head> | ||
| <meta charset="utf-8"> | ||
| <title>Hello World</title> | ||
| </head> | ||
| <body> | ||
| <h1>Hello World</h1> | ||
| </body> | ||
| </html> |