* php-doc: fix apt install

* fix logging path in various scripts
* remove acme-helper but add notes
* backup.sh: skip non-existant files/folders
* nginx install: fix paths

debian/bullseye/notes/acme.sh.md

@@ -0,0 +1,54 @@
+# Install Acme.sh for nginx
+
+```
+apt install socat curl
+
+mkdir /etc/nginx/acme
+
+chmod 740 /etc/nginx/acme
+
+chmod nginx:nginx /etc/nginx/acme
+
+chmod g+s,o+s /etc/nginx/acme
+
+sudo -s -u nginx
+
+curl -o /tmp/acme.sh "https://raw.githubusercontent.com/acmesh-official/acme.sh/master/acme.sh"
+
+cd /tmp
+
+bash ./acme.sh --home /etc/nginx/acme --install
+
+```
+
+# Issue cert
+```
+sudo -s -u nginx
+
+cd /etc/nginx/acme
+
+./acme.sh --home /etc/nginx/acme --issue --server letsencrypt --standalone --httpport 18080 -d domain.com -d domain.com --test
+
+./acme.sh --home /etc/nginx/acme --issue --server letsencrypt --standalone --httpport 18080 -d domain.com -d domain.com --force
+```
+
+# Allow acme.sh under nginx to reload itself
+
+```
+echo "# Allow reloading of nginx
+nginx ALL=(ALL) NOPASSWD: /bin/systemctl force-reload nginx.service
+" | tee /etc/sudoers.d/allow-user-nginx-to-force-reload-nginx
+```
+
+# Install cert
+
+```
+sudo -s -u nginx
+
+cd /etc/nginx/acme
+
+./acme.sh --home /etc/nginx/acme --install-cert -d domain.com \
+--key-file       /etc/nginx/pem/domain.com-key.pem \
+--fullchain-file /etc/nginx/pem/domain.com-cert.pem \
+--reloadcmd     "sudo /bin/systemctl force-reload nginx.service"
+```

debian/bullseye/php/README.md

@@ -3,7 +3,7 @@
 Installing PHP on Debian is easy as...
 
 ```
-apt install apt install php-fpm php-readline php-mbstring php-gd \
+apt install php-fpm php-readline php-mbstring php-gd \
 php-curl php-zip php-mysql php-dom php-json php-pdo php-fileinfo \
 php-bz2 php-intl php-gmp php-apcu php-pear php-cli php-imagick
 ```

debian/bullseye/scripts/acme-helper.sh

@@ -1,91 +0,0 @@
-#!/bin/bash
-
-# Run this script with "(sudo) bash <filename> <args>".
-
-# Exit on error.
-#set -e
-# Debug
-set -eux
-
-# The Acme.sh user.
-ACME_USER='acme'
-
-# The Acme.sh group.
-ACME_GROUP='acme'
-
-# The acme.sh home.
-ACME_HOME='/etc/acme'
-
-# Where to download the acme.sh script.
-ACME_SCRIPT_URL='https://raw.githubusercontent.com/acmesh-official/acme.sh/master/acme.sh'
-
-# Temporary script location.
-ACME_SCRIPT_TMP='/tmp'
-
-install() {
-# Add user.
-adduser --system --disabled-login --gecos GECOS \
-        --no-create-home --home "${ACME_HOME}" "${ACME_USER}"
-
-# Lock the user.
-passwd -l "${ACME_USER}"
-
-# Add user to group if it exists otherwise add it & then add the user
-# to the group.
-usermod -aG ${ACME_GROUP} ${ACME_USER} || \
-    addgroup --system ${ACME_GROUP}
-    usermod -aG ${ACME_GROUP} ${ACME_USER}
-
-# Make the home dir.
-mkdir -v ${ACME_HOME} ${ACME_HOME}/pem
-chown ${ACME_USER}:${ACME_GROUP} ${ACME_HOME}
-chmod -cR 750 ${ACME_HOME}
-chmod -cR u+s,g+s,o+s ${ACME_HOME}
-
-# Add needed binaries.
-apt install sudo socat curl coreutils
-
-allowreloadnginx
-
-# Download & install.
-curl -o "${ACME_SCRIPT_TMP}/acme.sh" "${ACME_SCRIPT_URL}"
-
-chmod +x ${ACME_SCRIPT_TMP}/acme.sh
-
-cat <<todo
-
-This script cannot do the following, you must copy, paste and run...
-
-sudo -s -u ${ACME_USER}
-
-cd ${ACME_SCRIPT_TMP}
-
-./acme.sh --home ${ACME_HOME} --install
-
-exit
-
-----
-Examples (as acme user).
-# Issue cert..
-./acme.sh --issue --server letsencrypt --standalone --httpport 18080 -d domain.com -d domain.com --test
-
-# If the first command succeeds..
-./acme.sh --issue --server letsencrypt --standalone --httpport 18080 -d domain.com -d domain.com --force
-
-./acme.sh  --install-cert -d domain.com \
---key-file       /etc/acme/pem/domain.com-key.pem \
---fullchain-file /etc/acme/pem/domain.com-cert.pem \
---reloadcmd     "sudo /bin/systemctl force-reload nginx.service"
-todo
-
-}
-
-allowreloadnginx() {
-
-echo "# Allow reloading of nginx
-${ACME_USER:-nginx} ALL=(ALL) NOPASSWD: /bin/systemctl force-reload nginx.service
-" | tee /etc/sudoers.d/allow-user-${ACME_USER:-nginx}-to-force-reload-nginx
-
-}
-
-${1} "$@"

debian/bullseye/scripts/backup.sh

@@ -1,5 +1,8 @@
 #!/bin/bash
 
+# Crontab line.
+#0 2 * * * bash /root/backup.sh | tee -a /var/log/backup_$(date +"\%Y-\%m-\%d").log
+
 # Exit on error.
 # Because I've been grilled about not using this - phillw, I'm looking
 # at you ;)
@@ -12,7 +15,7 @@ BACKUP_STORE='/backup'
 # Each _full_ path must be seperated by a space. If a path uses a
 # special char e.g, space or non-alphanumeric chars escape it with a
 # backslash.
-BACKUP_DIRS='/etc /home /var/www /root /srv /var/lib/caddy/.config/'
+BACKUP_DIRS='/etc /home /var/www /root'
 
 # A date string for file/folder-names.
 SCRIPT_RUN_DATE=`date '+%Y-%m-%d-%H-%M'`
@@ -46,9 +49,17 @@ if [[ "$BACKUP_DIRECTORIES_AND_FILES" == "1" ]]; then
     for OBJ in ${BACKUP_DIRS:-}; do
         OBJ_S=${OBJ//\//-}
         OBJ_S=${OBJ_S/-/}
+
+        if [[ ! -f "${OBJ}" ]]; then
+            if [[ ! -d "${OBJ}" ]]; then
+                printf "\n!! file or directory \"%s\" not found, skipping..\n" "${OBJ}"
+                continue;
+            fi
+        fi
+
         tar -zcf "./$OBJ_S.tar.gz" "${OBJ}"
     done
-    
+
 fi
 
 if [[ "$BACKUP_SQL" == "1" ]]; then
@@ -66,8 +77,10 @@ fi
 if [[ "$BACKUP_CRON" == "1" ]]; then
 
     for USER in $(cut -f1 -d: /etc/passwd); do
-        crontab -u $USER -l  > "${USER}-cron.txt"
+        crontab -u $USER -l  > "${USER}-cron.txt" || continue;
     done
-    
+
 fi
 
+echo "$SCRIPT_RUN_DATE OK" >> /var/log/$0-run.log
+

debian/bullseye/scripts/nextcloud-sync.sh

@@ -2,7 +2,7 @@
 
 # Run this script with "(sudo) bash <filename> <args>".
 #
-# 0 2 * * * bash /root/nc-sync.sh | tee -a /var/log/nc_$(date +"\%Y-\%m-\%d").log
+# 0 2 * * * bash /root/nc-sync.sh | tee -a /var/log/$0_$(date +"\%Y-\%m-\%d").log
 
 
 # Exit on error.
@@ -83,4 +83,4 @@ mysql $NEXTCLOUD_DATABASE_NAME < /tmp/nextcloud-$DATE_STAMP.sql && rm /tmp/nextc
 # Disable local MAINTENANCE mode.
 ${NC_MAINTENANCE_OFF}
 
-echo "$DATE_STAMP OK" >> /tmp/nc-sync.log
+echo "$DATE_STAMP OK" >> /var/log/nc-sync.log

debian/bullseye/scripts/nginx.sh

@@ -105,15 +105,15 @@ cd ${NGINX_PEM_DIR:-/no_path/3} && (
     cd ${NGINX_PEM_DIR:-/no_path/3}
 )
 
-chown :${NGINX_GROUP:-nginx} ${NGINX_PEM_DIR:-/no_path/3}
+chown ${NGINX_USER:-nginx}:${NGINX_GROUP:-nginx} ${NGINX_PEM_DIR:-/no_path/3}
 
-chmod 640 ${NGINX_PEM_DIR:-/no_path/3}
+chmod 740 ${NGINX_PEM_DIR:-/no_path/3}
 
 chmod g+s ${NGINX_PEM_DIR:-/no_path/3}
 
-touch ${NGINX_PEM_DIR:-/no_path/3}/default-{private,cert,dhparam}.pem
+touch ${NGINX_PEM_DIR:-/no_path/3}/default-{key,cert,dhparam}.pem
 
-openssl req -x509 -nodes -days 3650 -subj "/C=US/ST=Self Signed/L=Self Signed/O=Self Signed/OU=Self Signed/CN=Self Signed/emailAddress=self@signed" -newkey rsa:2048 -keyout ${NGINX_PEM_DIR:-/no_path/3}/default-private.pem -out ${NGINX_PEM_DIR:-/no_path/3}/default-cert.pem
+openssl req -x509 -nodes -days 3650 -subj "/C=US/ST=Self Signed/L=Self Signed/O=Self Signed/OU=Self Signed/CN=Self Signed/emailAddress=self@signed" -newkey rsa:2048 -keyout ${NGINX_PEM_DIR:-/no_path/3}/default-key.pem -out ${NGINX_PEM_DIR:-/no_path/3}/default-cert.pem
 
 openssl dhparam -out ${NGINX_PEM_DIR:-/no_path/3}/default-dhparam.pem 4096
 
@@ -164,7 +164,7 @@ server {
     ssl_prefer_server_ciphers off;
 
     ssl_certificate ${NGINX_PEM_DIR:-/no_path/6}/default-cert.pem;
-    ssl_certificate_key ${NGINX_PEM_DIR:-/no_path/6}/default-private.pem;
+    ssl_certificate_key ${NGINX_PEM_DIR:-/no_path/6}/default-key.pem;
     ssl_dhparam ${NGINX_PEM_DIR:-/no_path/6}/default-dhparam.pem;
 
     add_header Strict-Transport-Security "max-age=63072000" always;