move all scripts out of config directory
This commit is contained in:
parent
b4f29bff98
commit
4a71b9d6ee
|
@ -1 +0,0 @@
|
|||
mariadb/
|
|
@ -1,8 +0,0 @@
|
|||
Match Group sftp
|
||||
PasswordAuthentication yes
|
||||
ChrootDirectory %h
|
||||
X11Forwarding no
|
||||
AllowTcpForwarding no
|
||||
ForceCommand internal-sftp
|
||||
|
||||
Match all
|
|
@ -10,10 +10,3 @@ curl 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' -o /etc/apt/trusted.
|
|||
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | tee /etc/apt/sources.list.d/caddy-stable.list
|
||||
apt update
|
||||
apt install caddy
|
||||
|
||||
mkdir -v /var/www
|
||||
mv -v /etc/caddy/Caddyfile /etc/caddy/Caddyfile.old
|
||||
cp -v Caddyfile /etc/caddy/Caddyfile
|
||||
|
||||
systemctl restart caddy
|
||||
systemctl status caddy
|
|
@ -0,0 +1,115 @@
|
|||
#!/bin/bash
|
||||
|
||||
# Run this script with "(sudo) bash <filename> <args>".
|
||||
|
||||
# Exit on error.
|
||||
set -e
|
||||
|
||||
# Taken from http://nginx.org/en/linux_packages.html
|
||||
|
||||
apt install -y curl gnupg2 ca-certificates lsb-release debian-archive-keyring openssl
|
||||
|
||||
curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor \
|
||||
| tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null
|
||||
|
||||
echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
|
||||
http://nginx.org/packages/debian `lsb_release -cs` nginx" \
|
||||
| tee /etc/apt/sources.list.d/nginx.list
|
||||
|
||||
echo -e "Package: *\nPin: origin nginx.org\nPin: release o=nginx\nPin-Priority: 900\n" \
|
||||
| tee /etc/apt/preferences.d/99nginx
|
||||
|
||||
apt update
|
||||
apt install nginx
|
||||
|
||||
mkdir /var/www/ || true
|
||||
|
||||
mkdir /var/www/default
|
||||
|
||||
mkdir /etc/nginx/pem/
|
||||
|
||||
chown :nginx /etc/nginx/pem/ -Rv
|
||||
|
||||
chmod 640 /etc/nginx/pem/
|
||||
|
||||
chmod g+s /etc/nginx/pem/
|
||||
|
||||
touch /etc/nginx/pem/default-{private,cert}.pem
|
||||
|
||||
openssl req -x509 -nodes -days 3650 -subj "/C=US/ST=Self Signed/L=Self Signed/O=Self Signed/OU=Self Signed/CN=Self Signed/emailAddress=self@signed" -newkey rsa:2048 -keyout /etc/nginx/pem/default-private.pem -out /etc/nginx/pem/default-cert.pem
|
||||
|
||||
openssl dhparam -out /etc/nginx/pem/default-dhparam.pem 4096
|
||||
|
||||
mv /etc/nginx/conf.d/default.conf /etc/nginx/conf.d/default.conf.disabled
|
||||
|
||||
cat <<NGX > /etc/nginx/conf.d/default.conf
|
||||
# Warn on any null variables
|
||||
uninitialized_variable_warn on;
|
||||
|
||||
# Don't print software version
|
||||
server_tokens off;
|
||||
|
||||
server {
|
||||
listen 80 default_server;
|
||||
listen [::]:80 default_server;
|
||||
|
||||
location / {
|
||||
return 301 https://$host$request_uri;
|
||||
}
|
||||
}
|
||||
|
||||
# Upstream for acme requests.
|
||||
upstream acme {
|
||||
server 127.0.0.1:18080;
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
|
||||
ssl_protocols TLSv1.2 TLSv1.3;
|
||||
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
||||
ssl_prefer_server_ciphers off;
|
||||
|
||||
ssl_certificate pem/default-cert.pem;
|
||||
ssl_certificate_key pem/default-private.pem;
|
||||
ssl_dhparam pem/default-dhparam.pem;
|
||||
|
||||
add_header Strict-Transport-Security "max-age=63072000" always;
|
||||
|
||||
resolver 1.1.1.1, 1.0.0.1;
|
||||
|
||||
root /var/www/default;
|
||||
error_log /var/log/nginx/default-errors.log;
|
||||
access_log /var/log/nginx/default-access.log;
|
||||
|
||||
# Proxy Let's Encrypt to acme upstream
|
||||
location ^~ /.well-known/acme-challenge/ {
|
||||
proxy_pass http://acme;
|
||||
}
|
||||
|
||||
# Don't serve dot files.
|
||||
location ~ /\. {
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
deny all;
|
||||
}
|
||||
|
||||
# Don't log robots.
|
||||
location = /robots.txt {
|
||||
log_not_found off;
|
||||
}
|
||||
|
||||
# Don't log common file requests.
|
||||
location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
|
||||
expires max;
|
||||
log_not_found off;
|
||||
}
|
||||
|
||||
# Include extra files if needed.
|
||||
include conf.d/default-*.conf
|
||||
|
||||
}
|
||||
NGX
|
||||
|
||||
systemctl restart nginx
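Review bot: The heredoc at `cat <<NGX > /etc/nginx/conf.d/default.conf` has an unquoted delimiter, so bash expands `$host$request_uri` in the port-80 server block and, unless `host`/`request_uri` happen to be set in the environment, writes `return 301 https://;` — every plain-HTTP request is redirected to a malformed URL; quote the delimiter as `cat <<'NGX'` so nginx sees the variables. Two generated lines will also keep nginx from loading at all: `resolver 1.1.1.1, 1.0.0.1;` uses a comma where nginx expects space-separated addresses (it takes `1.1.1.1,` as a hostname to resolve), and `include conf.d/default-*.conf` has no trailing semicolon, so the final `systemctl restart nginx` fails with no preceding `nginx -t` to say why. The private key is created by `touch`/`openssl req` under the process umask, which with the usual 022 leaves `default-private.pem` world-readable, and `chmod 640` on the `pem/` directory strips the execute bit that the `chown :nginx` / `g+s` lines appear to rely on for group traversal; generate the key under `umask 077`, `chmod 640` it afterwards, and use `chmod 750` on the directory. The rewritten lines are below, with the unchanged stretches elided.
```shell
# … unchanged: package install, repository setup, mkdir of /var/www and /etc/nginx/pem …
chown :nginx /etc/nginx/pem/ -Rv
# 750, not 640: a directory needs its execute bit for group nginx to traverse it.
chmod 750 /etc/nginx/pem/
# Drop the preceding `touch`: it would pre-create the key 0644 and openssl keeps that mode.
# Generate under umask 077 so the key is never world-readable, then open it to group nginx only.
(umask 077 && openssl req -x509 -nodes -days 3650 -subj "/C=US/ST=Self Signed/L=Self Signed/O=Self Signed/OU=Self Signed/CN=Self Signed/emailAddress=self@signed" -newkey rsa:2048 -keyout /etc/nginx/pem/default-private.pem -out /etc/nginx/pem/default-cert.pem)
chmod 640 /etc/nginx/pem/default-private.pem
chmod 644 /etc/nginx/pem/default-cert.pem
# … unchanged: dhparam generation, disabling the stock default.conf …
# Quoted delimiter: bash must not expand $host/$request_uri; nginx interprets them at request time.
cat <<'NGX' > /etc/nginx/conf.d/default.conf
# … unchanged: port-80 redirect server, acme upstream, TLS settings …
    resolver 1.1.1.1 1.0.0.1;
# … unchanged: root, logs, location blocks …
    include conf.d/default-*.conf;
# … unchanged: closing brace …
NGX

# Fail here with nginx's own diagnostic instead of after a restart that leaves nginx down.
nginx -t
systemctl restart nginx
```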
|
|
@ -14,11 +14,16 @@ else
|
|||
# Add sftp group.
|
||||
addgroup ${SFTP_GROUP:-sftp} || true
|
||||
|
||||
# Replace default match group with the group above.
|
||||
cp ./sftp.conf /tmp/sftp.conf
|
||||
sed -ie "s/Match Group sftp/Match Group ${SFTP_GROUP:-sftp}/g" \
|
||||
/tmp/sftp.conf
|
||||
cp -v /tmp/sftp.conf /etc/ssh/sshd_config.d/sftp.conf
|
||||
cat << EOF > /etc/ssh/sshd_config.d/sftp.conf
|
||||
Match Group ${SFTP_GROUP:-sftp}
|
||||
PasswordAuthentication yes
|
||||
ChrootDirectory %h
|
||||
X11Forwarding no
|
||||
AllowTcpForwarding no
|
||||
ForceCommand internal-sftp
|
||||
|
||||
Match all
|
||||
EOF
|
||||
|
||||
systemctl restart sshd
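Review bot: `systemctl restart sshd` at the end of the hunk restarts the daemon with the freshly written `/etc/ssh/sshd_config.d/sftp.conf` untested, so a typo in the heredoc, or a `SFTP_GROUP` value containing characters sshd rejects, takes sshd down and locks remote administrators out of the host; validate first with `sshd -t && systemctl restart sshd` (whether a failed `sshd -t` alone would stop the script depends on a `set -e` that is outside this hunk). `PasswordAuthentication yes` inside the Match block re-enables password logins for every member of the sftp group even where the global config turns them off; if that is deliberate, a comment such as `# Chrooted sftp accounts authenticate by password; ensure strong passwords or switch to key-only.` would keep the next reader from "fixing" it. Note also that `ChrootDirectory %h` only works when each user's home directory is root-owned and not group- or world-writable, which sshd checks at login; the account-creation code that must satisfy that lives outside this hunk, as does the `else` branch this block sits in.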
|
||||
|