rename files & update site-dirs
This commit is contained in:
parent
9e551777b1
commit
8bcf9c1a45
|
@ -1,6 +1,9 @@
|
|||
#!/bin/bash
|
||||
|
||||
# Run this script with "(sudo) bash <filename> <args>".
|
||||
#
|
||||
# 0 2 * * * bash /root/nc-sync.sh | tee -a /var/log/nc_$(date +"\%Y-\%m-\%d").log
|
||||
|
||||
|
||||
# Exit on error.
|
||||
#set -eux # debug on
|
||||
|
@ -25,9 +28,9 @@ PHP_REMOTE_BIN='php'
|
|||
NEXTCLOUD_REMOTE_FILE_DATA='/nextcloud/data'
|
||||
NEXTCLOUD_REMOTE_FILE_ROOT='/var/www/nextcloud/htdocs'
|
||||
|
||||
REMOTE_NC_MAINTAINANCE_ON="ssh $SSH_REMOTE_USER@$SSH_REMOTE_HOST sudo -u $NEXTCLOUD_REMOTE_USER $PHP_REMOTE_BIN $NEXTCLOUD_REMOTE_FILE_ROOT/occ maintenance:mode --on"
|
||||
REMOTE_NC_MAINTENANCE_ON="ssh $SSH_REMOTE_USER@$SSH_REMOTE_HOST sudo -u $NEXTCLOUD_REMOTE_USER $PHP_REMOTE_BIN $NEXTCLOUD_REMOTE_FILE_ROOT/occ maintenance:mode --on"
|
||||
|
||||
REMOTE_NC_MAINTAINANCE_OFF="ssh $SSH_REMOTE_USER@$SSH_REMOTE_HOST sudo -u $NEXTCLOUD_REMOTE_USER $PHP_REMOTE_BIN $NEXTCLOUD_REMOTE_FILE_ROOT/occ maintenance:mode --off"
|
||||
REMOTE_NC_MAINTENANCE_OFF="ssh $SSH_REMOTE_USER@$SSH_REMOTE_HOST sudo -u $NEXTCLOUD_REMOTE_USER $PHP_REMOTE_BIN $NEXTCLOUD_REMOTE_FILE_ROOT/occ maintenance:mode --off"
|
||||
|
||||
REMOTE_DB_CREATE_DUMP="ssh $SSH_REMOTE_USER@$SSH_REMOTE_HOST mysqldump --single-transaction $NEXTCLOUD_REMOTE_DATABASE_NAME > /tmp/nextcloud-$DATE_STAMP.sql"
|
||||
|
||||
|
@ -40,9 +43,9 @@ PHP_BIN='php'
|
|||
NEXTCLOUD_FILE_DATA='/nextcloud/data'
|
||||
NEXTCLOUD_FILE_ROOT='/var/www/nextcloud/htdocs'
|
||||
|
||||
NC_MAINTAINANCE_ON="sudo -u $NEXTCLOUD_USER $PHP_BIN $NEXTCLOUD_FILE_ROOT/occ maintenance:mode --on"
|
||||
NC_MAINTENANCE_ON="sudo -u $NEXTCLOUD_USER $PHP_BIN $NEXTCLOUD_FILE_ROOT/occ maintenance:mode --on"
|
||||
|
||||
NC_MAINTAINANCE_OFF="sudo -u $NEXTCLOUD_USER $PHP_BIN $NEXTCLOUD_FILE_ROOT/occ maintenance:mode --off"
|
||||
NC_MAINTENANCE_OFF="sudo -u $NEXTCLOUD_USER $PHP_BIN $NEXTCLOUD_FILE_ROOT/occ maintenance:mode --off"
|
||||
|
||||
GET_DB_DUMP_FROM_REMOTE="rsync --progress -Aavx $SSH_REMOTE_USER@$SSH_REMOTE_HOST:/tmp/nextcloud-$DATE_STAMP.sql /tmp/nextcloud-$DATE_STAMP.sql"
|
||||
|
||||
|
@ -52,14 +55,14 @@ GET_NC_FILES_FROM_REMOTE="rsync --progress -Aavx $SSH_REMOTE_USER@$SSH_REMOTE_HO
|
|||
|
||||
#########
|
||||
|
||||
# Enable remote maintainance mode.
|
||||
${REMOTE_NC_MAINTAINANCE_ON}
|
||||
# Enable remote MAINTENANCE mode.
|
||||
${REMOTE_NC_MAINTENANCE_ON}
|
||||
|
||||
# Make remote dump.
|
||||
${REMOTE_DB_CREATE_DUMP}
|
||||
|
||||
# Enable local maintainance mode.
|
||||
${NC_MAINTAINANCE_ON}
|
||||
# Enable local MAINTENANCE mode.
|
||||
${NC_MAINTENANCE_ON}
|
||||
|
||||
# Sync nc files.
|
||||
${GET_NC_FILES_FROM_REMOTE}
|
||||
|
@ -70,14 +73,14 @@ ${GET_DATA_FILES_FROM_REMOTE}
|
|||
# Get database dump.
|
||||
${GET_DB_DUMP_FROM_REMOTE}
|
||||
|
||||
# Disable remote maintainance mode.
|
||||
${REMOTE_NC_MAINTAINANCE_OFF}
|
||||
# Disable remote MAINTENANCE mode.
|
||||
${REMOTE_NC_MAINTENANCE_OFF}
|
||||
|
||||
# Restore database dump.
|
||||
# You can't script this due to the redirection.
|
||||
mysql $NEXTCLOUD_DATABASE_NAME < /tmp/nextcloud-$DATE_STAMP.sql && rm /tmp/nextcloud-$DATE_STAMP.sql
|
||||
|
||||
# Disable local maintainance mode.
|
||||
${NC_MAINTAINANCE_OFF}
|
||||
# Disable local MAINTENANCE mode.
|
||||
${NC_MAINTENANCE_OFF}
|
||||
|
||||
echo "$DATE_STAMP OK" >> /tmp/nc-sync.log
|
|
@ -1,120 +0,0 @@
|
|||
#!/bin/bash
|
||||
|
||||
# Run this script with "(sudo) bash <filename> <args>".
|
||||
|
||||
# Exit on error.
|
||||
set -e
|
||||
|
||||
# Taken from http://nginx.org/en/linux_packages.html
|
||||
|
||||
apt install -y curl gnupg2 ca-certificates lsb-release debian-archive-keyring openssl
|
||||
|
||||
curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor \
|
||||
| tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null
|
||||
|
||||
echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
|
||||
http://nginx.org/packages/debian `lsb_release -cs` nginx" \
|
||||
| tee /etc/apt/sources.list.d/nginx.list
|
||||
|
||||
echo -e "Package: *\nPin: origin nginx.org\nPin: release o=nginx\nPin-Priority: 900\n" \
|
||||
| tee /etc/apt/preferences.d/99nginx
|
||||
|
||||
apt update
|
||||
apt install nginx
|
||||
|
||||
mkdir /var/www/ || true
|
||||
|
||||
mkdir /var/www/default
|
||||
|
||||
mkdir /etc/nginx/pem/
|
||||
|
||||
chown :nginx /etc/nginx/pem/ -Rv
|
||||
|
||||
chmod 640 /etc/nginx/pem/
|
||||
|
||||
chmod g+s /etc/nginx/pem/
|
||||
|
||||
touch /etc/nginx/pem/default-{private,cert}.pem
|
||||
|
||||
openssl req -x509 -nodes -days 3650 -subj "/C=US/ST=Self Signed/L=Self Signed/O=Self Signed/OU=Self Signed/CN=Self Signed/emailAddress=self@signed" -newkey rsa:2048 -keyout /etc/nginx/pem/default-private.pem -out /etc/nginx/pem/default-cert.pem
|
||||
|
||||
openssl dhparam -out /etc/nginx/pem/default-dhparam.pem 4096
|
||||
|
||||
mv /etc/nginx/conf.d/default.conf /etc/nginx/conf.d/default.conf.disabled
|
||||
|
||||
cat <<NGX > /etc/nginx/conf.d/default.conf
|
||||
# Warn on any null variables
|
||||
uninitialized_variable_warn on;
|
||||
|
||||
# Don't print software version
|
||||
server_tokens off;
|
||||
|
||||
server {
|
||||
listen 80 default_server;
|
||||
listen [::]:80 default_server;
|
||||
|
||||
# Proxy Let's Encrypt to acme upstream.
|
||||
location ^~ /.well-known/acme-challenge/ {
|
||||
proxy_pass http://acme;
|
||||
}
|
||||
|
||||
location / {
|
||||
return 301 https://\$host\$request_uri;
|
||||
}
|
||||
}
|
||||
|
||||
# Upstream for acme requests.
|
||||
upstream acme {
|
||||
server 127.0.0.1:18080;
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
|
||||
ssl_protocols TLSv1.2 TLSv1.3;
|
||||
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
||||
ssl_prefer_server_ciphers off;
|
||||
|
||||
ssl_certificate pem/default-cert.pem;
|
||||
ssl_certificate_key pem/default-private.pem;
|
||||
ssl_dhparam pem/default-dhparam.pem;
|
||||
|
||||
add_header Strict-Transport-Security "max-age=63072000" always;
|
||||
|
||||
resolver 1.1.1.1 1.0.0.1;
|
||||
|
||||
root /var/www/default;
|
||||
error_log /var/log/nginx/default-error.log;
|
||||
access_log /var/log/nginx/default-access.log;
|
||||
|
||||
# Proxy Let's Encrypt to acme upstream
|
||||
location ^~ /.well-known/acme-challenge/ {
|
||||
proxy_pass http://acme;
|
||||
}
|
||||
|
||||
# Don't serve dot files.
|
||||
location ~ /\. {
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
deny all;
|
||||
}
|
||||
|
||||
# Don't log robots.
|
||||
location = /robots.txt {
|
||||
log_not_found off;
|
||||
}
|
||||
|
||||
# Don't log common file requests.
|
||||
location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
|
||||
expires max;
|
||||
log_not_found off;
|
||||
}
|
||||
|
||||
# Include extra files if needed.
|
||||
include conf.d/default-*.inc;
|
||||
|
||||
}
|
||||
NGX
|
||||
|
||||
systemctl restart nginx
|
|
@ -0,0 +1,209 @@
|
|||
#!/bin/bash
|
||||
|
||||
# Run this script with "(sudo) bash <filename> <args>".
|
||||
|
||||
# Exit on error.
|
||||
#set -e
|
||||
# Debug
|
||||
set -eux
|
||||
|
||||
# Don't use ending slashes in paths!
|
||||
|
||||
# The user nginx runs as.
|
||||
NGINX_USER='nginx'
|
||||
|
||||
# The group nginx runs with.
|
||||
NGINX_GROUP='nginx'
|
||||
|
||||
# Nginx configuration directory.
|
||||
NGINX_CONF='/etc/nginx'
|
||||
|
||||
# Nginx configuration drop-in path.
|
||||
NGINX_CONFD='/etc/nginx/conf.d'
|
||||
|
||||
# Where dummy SSL pems are stored.
|
||||
NGINX_NGINX_PEM_DIR='/etc/nginx/pem'
|
||||
|
||||
# The default site filename, don't use a full path or filename here.
|
||||
# Just a name please.
|
||||
NGINX_DEFAULT_SITE_CONF_NAME="default"
|
||||
|
||||
# Default site directory.
|
||||
NGINX_DEFAULT_SITE_PATH='/var/www/default'
|
||||
|
||||
# Default site publicly served path.
|
||||
NGINX_DEFAULT_SITE_PUB='/var/www/default/public'
|
||||
|
||||
main() {
|
||||
cat <<INFO
|
||||
Run with one of the following options:-
|
||||
"sudo bash $0 <function> <args>" for example ...
|
||||
"sudo bash $0 nginx"
|
||||
|
||||
nginx - Add nginx stable repo & install nginx.
|
||||
nginx-config - Add a basic nginx config with dumb SSL.
|
||||
-----
|
||||
|
||||
You'll be asked to continue if a file exists, if you're happy to
|
||||
continue hit enter or ctrl+c to cancel.
|
||||
INFO
|
||||
}
|
||||
|
||||
|
||||
nginx() {
|
||||
# Mostly taken from http://nginx.org/en/linux_packages.html
|
||||
|
||||
# Continue if already installed?
|
||||
dpkg -l nginx && (
|
||||
echo "Already installed? Continue (hit enter)?"
|
||||
read
|
||||
)
|
||||
|
||||
apt install -y curl gnupg2 ca-certificates lsb-release \
|
||||
debian-archive-keyring openssl
|
||||
|
||||
curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor \
|
||||
| tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null
|
||||
|
||||
echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
|
||||
http://nginx.org/packages/debian `lsb_release -cs` nginx" \
|
||||
| tee /etc/apt/sources.list.d/nginx.list
|
||||
|
||||
echo -e "Package: *\nPin: origin nginx.org\nPin: release o=nginx\nPin-Priority: 900\n" \
|
||||
| tee /etc/apt/preferences.d/99nginx
|
||||
|
||||
apt update
|
||||
apt install nginx
|
||||
}
|
||||
|
||||
nginx-config() {
|
||||
|
||||
cd ${NGINX_CONF:-/no_path/9} || (
|
||||
echo "\"${NGINX_CONF}\" doesn't exist?"
|
||||
return 1;
|
||||
)
|
||||
|
||||
systemctl stop nginx
|
||||
|
||||
# Make default site directories.
|
||||
cd ${NGINX_DEFAULT_SITE_PATH:-/no_path/1} && (
|
||||
echo "\"${NGINX_DEFAULT_SITE_PATH}\" exists? Continue (hit enter)?"
|
||||
read
|
||||
) || (
|
||||
mkdir ${NGINX_DEFAULT_SITE_PATH:-/no_path/1} -p
|
||||
cd ${NGINX_DEFAULT_SITE_PATH:-/no_path/1}
|
||||
)
|
||||
|
||||
mkdir ${NGINX_DEFAULT_SITE_PUB:-/no_path/2} -p
|
||||
|
||||
# Make pems.
|
||||
cd ${NGINX_PEM_DIR:-/no_path/3} && (
|
||||
echo "\"${NGINX_PEM_DIR}\" exists? Continue (hit enter)?"
|
||||
read
|
||||
) || (
|
||||
mkdir ${NGINX_PEM_DIR:-/no_path/3}
|
||||
cd ${NGINX_PEM_DIR:-/no_path/3}
|
||||
)
|
||||
|
||||
chown :${NGINX_GROUP:-nginx} ${NGINX_PEM_DIR:-/no_path/3}
|
||||
|
||||
chmod 640 ${NGINX_PEM_DIR:-/no_path/3}
|
||||
|
||||
chmod g+s ${NGINX_PEM_DIR:-/no_path/3}
|
||||
|
||||
touch ${NGINX_PEM_DIR:-/no_path/3}/default-{private,cert,dhparam}.pem
|
||||
|
||||
openssl req -x509 -nodes -days 3650 -subj "/C=US/ST=Self Signed/L=Self Signed/O=Self Signed/OU=Self Signed/CN=Self Signed/emailAddress=self@signed" -newkey rsa:2048 -keyout ${NGINX_PEM_DIR:-/no_path/3}/default-private.pem -out ${NGINX_PEM_DIR:-/no_path/3}/default-cert.pem
|
||||
|
||||
openssl dhparam -out ${NGINX_PEM_DIR:-/no_path/3}/default-dhparam.pem 4096
|
||||
|
||||
cd ${NGINX_CONFD:-/no_path/4}
|
||||
|
||||
# This doesn't always exist.
|
||||
[[ -f "default.conf" ]] && mv default.conf default.conf.backup
|
||||
|
||||
NGINX_DEFAULT_SITE_CONF_NAME=${NGINX_DEFAULT_SITE_CONF_NAME:-fail}
|
||||
|
||||
NGINX_DEFAULT_SITE_CONF_NAME_FULL="${NGINX_CONFD:-/no_path/4}/${NGINX_DEFAULT_SITE_CONF_NAME:-fail}.conf"
|
||||
|
||||
[[ -f "${NGINX_DEFAULT_SITE_CONF_NAME_FULL}" ]] && (
|
||||
echo "\"${NGINX_DEFAULT_SITE_CONF_NAME_FULL}\" exists? Continue (hit enter)?"
|
||||
read
|
||||
)
|
||||
|
||||
cat <<NGX > ${NGINX_DEFAULT_SITE_CONF_NAME_FULL}
|
||||
# Warn on any null variables
|
||||
uninitialized_variable_warn on;
|
||||
|
||||
# Don't print software version
|
||||
server_tokens off;
|
||||
|
||||
server {
|
||||
listen 80 default_server;
|
||||
listen [::]:80 default_server;
|
||||
|
||||
location / {
|
||||
return 301 https://\$host\$request_uri;
|
||||
}
|
||||
|
||||
# Don't serve dot files.
|
||||
location ~ /\. {
|
||||
return 404;
|
||||
}
|
||||
|
||||
# Include extra files.
|
||||
include ${NGINX_CONFD:-/no_path/5}/${NGINX_DEFAULT_SITE_CONF_NAME:-fail}-*.inc;
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
|
||||
ssl_protocols TLSv1.2 TLSv1.3;
|
||||
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
||||
ssl_prefer_server_ciphers off;
|
||||
|
||||
ssl_certificate ${NGINX_PEM_DIR:-/no_path/6}/default-cert.pem;
|
||||
ssl_certificate_key ${NGINX_PEM_DIR:-/no_path/6}/default-private.pem;
|
||||
ssl_dhparam ${NGINX_PEM_DIR:-/no_path/6}/default-dhparam.pem;
|
||||
|
||||
add_header Strict-Transport-Security "max-age=63072000" always;
|
||||
|
||||
resolver 1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4;
|
||||
|
||||
root ${NGINX_DEFAULT_SITE_PUB:-/no_path/7}/;
|
||||
error_log ${NGINX_DEFAULT_SITE_PUB:-/no_path/7}/.error.log;
|
||||
access_log ${NGINX_DEFAULT_SITE_PUB:-/no_path/7}/.access.log;
|
||||
|
||||
# Don't serve dot files.
|
||||
location ~ /\. {
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
return 404;
|
||||
}
|
||||
|
||||
# Don't log robots.
|
||||
location = /robots.txt {
|
||||
log_not_found off;
|
||||
access_log off;
|
||||
}
|
||||
|
||||
# Don't log common file requests.
|
||||
location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
|
||||
expires max;
|
||||
log_not_found off;
|
||||
access_log off;
|
||||
}
|
||||
|
||||
# Include extra files.
|
||||
include ${NGINX_CONFD:-/no_path/8}/${NGINX_DEFAULT_SITE_CONF_NAME:-fail}-*.inc;
|
||||
}
|
||||
NGX
|
||||
|
||||
nginx -t
|
||||
|
||||
systemctl restart nginx
|
||||
|
||||
}
|
||||
|
||||
${1:-main} "$@"
|
|
@ -10,7 +10,7 @@ OWNER=${2:-www-data}
|
|||
OWNER_GROUP=${3:-`id -gn $OWNER`}
|
||||
|
||||
PRIVATE_DIRS="data tmp sessions"
|
||||
PUBLIC_DIRS="htdocs"
|
||||
PUBLIC_DIRS="public"
|
||||
|
||||
printf 'Create site directories in "%s" owned by "%s" with group "%s"...
|
||||
|
||||
|
@ -65,13 +65,15 @@ chown "$OWNER":"$OWNER_GROUP" .test || (
|
|||
# Create the private & public folders then set permissions...
|
||||
for private_folder in $PRIVATE_DIRS; do
|
||||
mkdir -v "$private_folder"
|
||||
chmod -cR 750 "$private_folder"
|
||||
chown -v "$OWNER":"$OWNER_GROUP" "$private_folder"
|
||||
chmod -cR 750 "$private_folder"
|
||||
chmod -cR u+s,g+s,o+s "$private_folder"
|
||||
done
|
||||
|
||||
for public_folder in $PUBLIC_DIRS; do
|
||||
mkdir -v "$public_folder"
|
||||
chmod -cR 755 "$public_folder"
|
||||
chown -v "$OWNER":"$OWNER_GROUP" "$public_folder"
|
||||
chmod -cR 755 "$public_folder"
|
||||
chmod -cR u+s,g+s,o+s "$public_folder"
|
||||
done
|
||||
|
||||
|
|
Loading…
Reference in New Issue