move all scripts out of config directory

2022-03-29 11:59:16 +01:00 · 2022-03-29 11:59:16 +01:00 · 4a71b9d6ee
parent b4f29bff98
commit 4a71b9d6ee
11 changed files with 125 additions and 21 deletions
--- a/debian/bullseye/etc/mysql
+++ b/debian/bullseye/etc/mysql
@ -1 +0,0 @@
-mariadb/
--- a/debian/bullseye/etc/php/7.4-localhost.conf.example
+++ b/debian/bullseye/etc/php/7.4-localhost.conf.example
--- a/debian/bullseye/etc/ssh/sshd_config.d/sftp.conf
+++ b/debian/bullseye/etc/ssh/sshd_config.d/sftp.conf
@ -1,8 +0,0 @@
-Match Group sftp
-    PasswordAuthentication yes
-    ChrootDirectory %h
-    X11Forwarding no
-    AllowTcpForwarding no
-    ForceCommand internal-sftp
-
-Match all
--- a/debian/bullseye/etc/caddy/caddy-install.sh
+++ b/debian/bullseye/etc/caddy/caddy-install.sh
@ -10,10 +10,3 @@ curl 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' -o /etc/apt/trusted.
 curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | tee /etc/apt/sources.list.d/caddy-stable.list
 apt update
 apt install caddy
-
-mkdir -v /var/www
-mv -v /etc/caddy/Caddyfile /etc/caddy/Caddyfile.old
-cp -v Caddyfile /etc/caddy/Caddyfile
-
-systemctl restart caddy
-systemctl status caddy
--- a/debian/bullseye/etc/mariadb/mariadb-add-user-db.sh
+++ b/debian/bullseye/etc/mariadb/mariadb-add-user-db.sh
--- a/debian/bullseye/etc/mariadb/mariadb-install.sh
+++ b/debian/bullseye/etc/mariadb/mariadb-install.sh
--- a/debian/bullseye/scripts/nginx-install.sh
+++ b/debian/bullseye/scripts/nginx-install.sh
@ -0,0 +1,115 @@
+#!/bin/bash
+
+# Run this script with "(sudo) bash <filename> <args>".
+
+# Exit on error.
+set -e
+
+# Taken from http://nginx.org/en/linux_packages.html
+
+apt install -y curl gnupg2 ca-certificates lsb-release debian-archive-keyring openssl
+
+curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor \
+    | tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null
+
+echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
+http://nginx.org/packages/debian `lsb_release -cs` nginx" \
+    | tee /etc/apt/sources.list.d/nginx.list
+
+echo -e "Package: *\nPin: origin nginx.org\nPin: release o=nginx\nPin-Priority: 900\n" \
+    | tee /etc/apt/preferences.d/99nginx
+
+apt update
+apt install nginx
+
+mkdir /var/www/ || true
+
+mkdir /var/www/default
+
+mkdir /etc/nginx/pem/
+
+chown :nginx /etc/nginx/pem/ -Rv
+
+chmod 640 /etc/nginx/pem/
+
+chmod g+s /etc/nginx/pem/
+
+touch /etc/nginx/pem/default-{private,cert}.pem
+
+openssl req -x509 -nodes -days 3650 -subj "/C=US/ST=Self Signed/L=Self Signed/O=Self Signed/OU=Self Signed/CN=Self Signed/emailAddress=self@signed" -newkey rsa:2048 -keyout /etc/nginx/pem/default-private.pem -out /etc/nginx/pem/default-cert.pem
+
+openssl dhparam -out /etc/nginx/pem/default-dhparam.pem 4096
+
+mv /etc/nginx/conf.d/default.conf /etc/nginx/conf.d/default.conf.disabled
+
+cat <<NGX > /etc/nginx/conf.d/default.conf
+# Warn on any null variables
+uninitialized_variable_warn on;
+
+# Don't print software version
+server_tokens off;
+
+server {
+    listen 80 default_server;
+    listen [::]:80 default_server;
+
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
+
+# Upstream for acme requests.
+upstream acme {
+    server 127.0.0.1:18080;
+}
+
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+    ssl_prefer_server_ciphers off;
+
+    ssl_certificate pem/default-cert.pem;
+    ssl_certificate_key pem/default-private.pem;
+    ssl_dhparam pem/default-dhparam.pem;
+
+    add_header Strict-Transport-Security "max-age=63072000" always;
+
+    resolver 1.1.1.1, 1.0.0.1;
+
+    root /var/www/default;
+    error_log /var/log/nginx/default-errors.log;
+    access_log /var/log/nginx/default-access.log;
+
+    # Proxy Let's Encrypt to acme upstream
+    location ^~ /.well-known/acme-challenge/ {
+        proxy_pass http://acme;
+    }
+
+    # Don't serve dot files.
+    location ~ /\. {
+        access_log off;
+        log_not_found off;
+        deny all;
+    }
+
+    # Don't log robots.
+    location = /robots.txt {
+        log_not_found off;
+    }
+
+    # Don't log common file requests.
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
+        expires max;
+        log_not_found off;
+    }
+
+    # Include extra files if needed.
+    include conf.d/default-*.conf
+
+}
+NGX
+
+systemctl restart nginx
--- a/debian/bullseye/scripts/php8.1-sury-install.sh
+++ b/debian/bullseye/scripts/php8.1-sury-install.sh
--- a/debian/bullseye/etc/caddy/caddy-new-site.sh
+++ b/debian/bullseye/etc/caddy/caddy-new-site.sh
--- a/debian/bullseye/etc/ssh/sshd_config.d/sshd-enable-sftp.sh
+++ b/debian/bullseye/etc/ssh/sshd_config.d/sshd-enable-sftp.sh
@ -14,11 +14,16 @@ else
    # Add sftp group.
    addgroup ${SFTP_GROUP:-sftp} || true

-    # Replace default match group with the group above.
-    cp ./sftp.conf /tmp/sftp.conf
-    sed -ie "s/Match Group sftp/Match Group ${SFTP_GROUP:-sftp}/g" \
-    /tmp/sftp.conf
-    cp -v /tmp/sftp.conf /etc/ssh/sshd_config.d/sftp.conf
+cat << EOF > /etc/ssh/sshd_config.d/sftp.conf
+Match Group ${SFTP_GROUP:-sftp}
+    PasswordAuthentication yes
+    ChrootDirectory %h
+    X11Forwarding no
+    AllowTcpForwarding no
+    ForceCommand internal-sftp
+
+Match all
+EOF

 systemctl restart sshd

--- a/debian/bullseye/etc/ssh/sshd_config.d/sshd-limit-passwords.sh
+++ b/debian/bullseye/etc/ssh/sshd_config.d/sshd-limit-passwords.sh