* php-doc: fix apt install
* fix logging path in various scripts * remove acme-helper but add notes * backup.sh: skip non-existent files/folders * nginx install: fix paths
parent
2e1996af7b
commit
7c0e02ee79
@ -0,0 +1,54 @@
# Install Acme.sh for nginx
```
apt install socat curl
mkdir /etc/nginx/acme
chmod 740 /etc/nginx/acme
chmod nginx:nginx /etc/nginx/acme
chmod g+s,o+s /etc/nginx/acme
sudo -s -u nginx
curl -o /tmp/acme.sh "https://raw.githubusercontent.com/acmesh-official/acme.sh/master/acme.sh"
cd /tmp
bash ./acme.sh --home /etc/nginx/acme --install
```
# Issue cert
```
sudo -s -u nginx
cd /etc/nginx/acme
./acme.sh --home /etc/nginx/acme --issue --server letsencrypt --standalone --httpport 18080 -d domain.com -d domain.com --test
./acme.sh --home /etc/nginx/acme --issue --server letsencrypt --standalone --httpport 18080 -d domain.com -d domain.com --force
```
# Allow acme.sh under nginx to reload itself
```
echo "# Allow reloading of nginx
nginx ALL=(ALL) NOPASSWD: /bin/systemctl force-reload nginx.service
" | tee /etc/sudoers.d/allow-user-nginx-to-force-reload-nginx
```
# Install cert
```
sudo -s -u nginx
cd /etc/nginx/acme
./acme.sh --home /etc/nginx/acme --install-cert -d domain.com \
--key-file /etc/nginx/pem/domain.com-key.pem \
--fullchain-file /etc/nginx/pem/domain.com-cert.pem \
--reloadcmd "sudo /bin/systemctl force-reload nginx.service"
```
@ -3,7 +3,7 @@
Installing PHP on Debian is easy as...
```
apt install apt install php-fpm php-readline php-mbstring php-gd \
apt install php-fpm php-readline php-mbstring php-gd \
php-curl php-zip php-mysql php-dom php-json php-pdo php-fileinfo \
php-bz2 php-intl php-gmp php-apcu php-pear php-cli php-imagick
```
@ -1,91 +0,0 @@
#!/bin/bash
# Run this script with "(sudo) bash <filename> <args>".
# Exit on error.
#set -e
# Debug
set -eux
# The Acme.sh user.
ACME_USER='acme'
# The Acme.sh group.
ACME_GROUP='acme'
# The acme.sh home.
ACME_HOME='/etc/acme'
# Where to download the acme.sh script.
ACME_SCRIPT_URL='https://raw.githubusercontent.com/acmesh-official/acme.sh/master/acme.sh'
# Temporary script location.
ACME_SCRIPT_TMP='/tmp'
install() {
# Add user.
adduser --system --disabled-login --gecos GECOS \
--no-create-home --home "${ACME_HOME}" "${ACME_USER}"
# Lock the user.
passwd -l "${ACME_USER}"
# Add user to group if it exists otherwise add it & then add the user
# to the group.
usermod -aG ${ACME_GROUP} ${ACME_USER} || \
addgroup --system ${ACME_GROUP}
usermod -aG ${ACME_GROUP} ${ACME_USER}
# Make the home dir.
mkdir -v ${ACME_HOME} ${ACME_HOME}/pem
chown ${ACME_USER}:${ACME_GROUP} ${ACME_HOME}
chmod -cR 750 ${ACME_HOME}
chmod -cR u+s,g+s,o+s ${ACME_HOME}
# Add needed binaries.
apt install sudo socat curl coreutils
allowreloadnginx
# Download & install.
curl -o "${ACME_SCRIPT_TMP}/acme.sh" "${ACME_SCRIPT_URL}"
chmod +x ${ACME_SCRIPT_TMP}/acme.sh
cat <<todo
This script cannot do the following, you must copy, paste and run...
sudo -s -u ${ACME_USER}
cd ${ACME_SCRIPT_TMP}
./acme.sh --home ${ACME_HOME} --install
exit
----
Examples (as acme user).
# Issue cert..
./acme.sh --issue --server letsencrypt --standalone --httpport 18080 -d domain.com -d domain.com --test
# If the first command succeeds..
./acme.sh --issue --server letsencrypt --standalone --httpport 18080 -d domain.com -d domain.com --force
./acme.sh --install-cert -d domain.com \
--key-file /etc/acme/pem/domain.com-key.pem \
--fullchain-file /etc/acme/pem/domain.com-cert.pem \
--reloadcmd "sudo /bin/systemctl force-reload nginx.service"
todo
}
allowreloadnginx() {
echo "# Allow reloading of nginx
${ACME_USER:-nginx} ALL=(ALL) NOPASSWD: /bin/systemctl force-reload nginx.service
" | tee /etc/sudoers.d/allow-user-${ACME_USER:-nginx}-to-force-reload-nginx
}
${1} "$@"
@ -1,5 +1,8 @@
#!/bin/bash
# Crontab line.
#0 2 * * * bash /root/backup.sh | tee -a /var/log/backup_$(date +"\%Y-\%m-\%d").log
# Exit on error.
# Because I've been grilled about not using this - phillw, I'm looking
# at you ;)
@ -12,7 +15,7 @@ BACKUP_STORE='/backup'
# Each _full_ path must be seperated by a space. If a path uses a
# special char e.g, space or non-alphanumeric chars escape it with a
# backslash.
BACKUP_DIRS='/etc /home /var/www /root /srv /var/lib/caddy/.config/'
BACKUP_DIRS='/etc /home /var/www /root'
# A date string for file/folder-names.
SCRIPT_RUN_DATE=`date '+%Y-%m-%d-%H-%M'`
@ -46,9 +49,17 @@ if [[ "$BACKUP_DIRECTORIES_AND_FILES" == "1" ]]; then
for OBJ in ${BACKUP_DIRS:-}; do
OBJ_S=${OBJ//\//-}
OBJ_S=${OBJ_S/-/}
if [[ ! -f "${OBJ}" ]]; then
if [[ ! -d "${OBJ}" ]]; then
printf "\n!! file or directory \"%s\" not found, skipping..\n" "${OBJ}"
continue;
fi
fi
tar -zcf "./$OBJ_S.tar.gz" "${OBJ}"
done
fi
if [[ "$BACKUP_SQL" == "1" ]]; then
@ -66,8 +77,10 @@ fi
if [[ "$BACKUP_CRON" == "1" ]]; then
for USER in $(cut -f1 -d: /etc/passwd); do
crontab -u $USER -l > "${USER}-cron.txt"
crontab -u $USER -l > "${USER}-cron.txt" || continue;
done
fi
echo "$SCRIPT_RUN_DATE OK" >> /var/log/$0-run.log
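Review bot: The run-log line at the bottom of the last hunk, `echo "$SCRIPT_RUN_DATE OK" >> /var/log/$0-run.log`, embeds the full invocation path; with the crontab line quoted in the header comment (`bash /root/backup.sh`) it expands to `/var/log//root/backup.sh-run.log`, a directory that does not exist, so the append fails on every run, and this appears to be the "fix logging path" change itself. Use the basename: `echo "$SCRIPT_RUN_DATE OK" >> "/var/log/${0##*/}-run.log"`. In the same hunk, `crontab -u $USER -l > "${USER}-cron.txt" || continue;` opens the redirection before crontab runs, so every user without a crontab still leaves an empty `<user>-cron.txt` in the backup; `crontab -u "$USER" -l > "${USER}-cron.txt" || rm -f -- "${USER}-cron.txt"` keeps the archive clean and quotes the username. The new skip test in the earlier hunk can be a single `[[ -e "${OBJ}" ]] || { printf '...' "${OBJ}" >&2; continue; }`, which also keeps the diagnostic out of the log that stdout is piped into.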
@ -2,7 +2,7 @@
# Run this script with "(sudo) bash <filename> <args>".
#
# 0 2 * * * bash /root/nc-sync.sh | tee -a /var/log/nc_$(date +"\%Y-\%m-\%d").log
# 0 2 * * * bash /root/nc-sync.sh | tee -a /var/log/$0_$(date +"\%Y-\%m-\%d").log
# Exit on error.
@ -83,4 +83,4 @@ mysql $NEXTCLOUD_DATABASE_NAME < /tmp/nextcloud-$DATE_STAMP.sql && rm /tmp/nextc
# Disable local MAINTENANCE mode.
${NC_MAINTENANCE_OFF}
echo "$DATE_STAMP OK" >> /tmp/nc-sync.log
echo "$DATE_STAMP OK" >> /var/log/nc-sync.log
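Review bot: The updated crontab example `0 2 * * * bash /root/nc-sync.sh | tee -a /var/log/$0_$(date +"\%Y-\%m-\%d").log` will not log where intended: cron hands the line to the shell via `sh -c`, where `$0` is the shell's own name (typically `sh`) rather than the script, so the file lands at something like `/var/log/sh_<date>.log` and is shared by every job written this way. Spell the name out, `0 2 * * * bash /root/nc-sync.sh | tee -a /var/log/nc-sync_$(date +"\%Y-\%m-\%d").log`, which also lines up with the `/var/log/nc-sync.log` the second hunk now appends to. That second hunk's header still shows the dump round-tripping through `/tmp/nextcloud-$DATE_STAMP.sql`, a predictable name in a world-writable directory; the same move out of `/tmp` applied to the log (or a `mktemp` file) is worth applying there as well, though that line is outside the hunk.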
@ -105,15 +105,15 @@ cd ${NGINX_PEM_DIR:-/no_path/3} && (
cd ${NGINX_PEM_DIR:-/no_path/3}
)
chown :${NGINX_GROUP:-nginx} ${NGINX_PEM_DIR:-/no_path/3}
chown ${NGINX_USER:-nginx}:${NGINX_GROUP:-nginx} ${NGINX_PEM_DIR:-/no_path/3}
chmod 640 ${NGINX_PEM_DIR:-/no_path/3}
chmod 740 ${NGINX_PEM_DIR:-/no_path/3}
chmod g+s ${NGINX_PEM_DIR:-/no_path/3}
touch ${NGINX_PEM_DIR:-/no_path/3}/default-{private,cert,dhparam}.pem
touch ${NGINX_PEM_DIR:-/no_path/3}/default-{key,cert,dhparam}.pem
openssl req -x509 -nodes -days 3650 -subj "/C=US/ST=Self Signed/L=Self Signed/O=Self Signed/OU=Self Signed/CN=Self Signed/emailAddress=self@signed" -newkey rsa:2048 -keyout ${NGINX_PEM_DIR:-/no_path/3}/default-private.pem -out ${NGINX_PEM_DIR:-/no_path/3}/default-cert.pem
openssl req -x509 -nodes -days 3650 -subj "/C=US/ST=Self Signed/L=Self Signed/O=Self Signed/OU=Self Signed/CN=Self Signed/emailAddress=self@signed" -newkey rsa:2048 -keyout ${NGINX_PEM_DIR:-/no_path/3}/default-key.pem -out ${NGINX_PEM_DIR:-/no_path/3}/default-cert.pem
openssl dhparam -out ${NGINX_PEM_DIR:-/no_path/3}/default-dhparam.pem 4096
@ -164,7 +164,7 @@ server {
ssl_prefer_server_ciphers off;
ssl_certificate ${NGINX_PEM_DIR:-/no_path/6}/default-cert.pem;
ssl_certificate_key ${NGINX_PEM_DIR:-/no_path/6}/default-private.pem;
ssl_certificate_key ${NGINX_PEM_DIR:-/no_path/6}/default-key.pem;
ssl_dhparam ${NGINX_PEM_DIR:-/no_path/6}/default-dhparam.pem;
add_header Strict-Transport-Security "max-age=63072000" always;
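Review bot: `touch ${NGINX_PEM_DIR:-/no_path/3}/default-{key,cert,dhparam}.pem` pre-creates `default-key.pem` with whatever mode the umask yields, so when the `openssl req ... -keyout` line writes the private key into that already-existing file, the restrictive mode OpenSSL normally applies to a key file it creates itself is not applied; tighten it explicitly after generation with `chmod 600 "${NGINX_PEM_DIR:-/no_path/3}/default-key.pem"` (or drop the key from the `touch`). The new `chown ${NGINX_USER:-nginx}:${NGINX_GROUP:-nginx} ...` together with `chmod 740` and `g+s` hands the key directory to the worker identity, so a compromised nginx worker could replace the certificate and key; if this is the intended trade-off so acme.sh can run as `nginx`, a comment stating it would help a later reader, and note that `740` gives the group read without traverse, which is rarely useful on a directory. The rename to `default-key.pem` is carried consistently into the `ssl_certificate_key` line of the second hunk. The `cd ... && (` subshell enclosing the first hunk begins before it.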