Created
October 23, 2017 15:13
LEMP on Ubuntu 16.04
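#!/usr/bin/env bash
# This installs a multi tenant Nginx setup with PHP FPM 7.1 and MariaDB
# it is suitable for Laravel 5.5
# THIS IS NOT A SCRIPT PER SE!
# THE COMMENTS MAY HAVE INSTRUCTIONS TOO!
# USING: Digital Ocean's vanilla Ubuntu 16.04 droplet
#
# Run the commands one at a time (presumably logged in as root on a fresh
# droplet); several steps need a manual edit or a manual check in between.

#----------------------------------------------------------
# SECURITY CONCERNS
#----------------------------------------------------------
# change new home permissions in /etc/adduser.conf to 0750 (usually it's 0755)
# i.e. DIR_MODE=0750, so accounts outside a user's group cannot enter that
# user's home directory.

# set up ssh files for new users; adduser copies /etc/skel into each new home
mkdir -p /etc/skel/.ssh
chmod 700 /etc/skel/.ssh
touch /etc/skel/.ssh/authorized_keys
# 600 rather than 644: only the owning account needs to read its own key list
chmod 600 /etc/skel/.ssh/authorized_keys
mkdir -p /etc/skel/www/public

adduser admin
usermod -aG sudo admin

# alter as necessary; mileage may vary
# The source path is absolute so the copy does not depend on the current
# directory being root's home.
cat /root/.ssh/authorized_keys >> /home/admin/.ssh/authorized_keys

# ENSURE AT THIS POINT THAT YOUR NEW USER CAN, IN FACT, SSH IN AND RUN SUDO COMMANDS!
# Keep this root session open and test from a second terminal: the next two
# commands remove root's SSH keys and lock root's password, so a mistake above
# leaves no way back in over SSH.
rm /root/.ssh/authorized_keys
# passwd -l only locks the password; key logins are covered by the rm above
# and by PermitRootLogin below.
passwd -l root

# at this point, set PermitRootLogin to 'no' in /etc/ssh/sshd_config
# (consider PasswordAuthentication no as well once key login is confirmed)
# restart your sshd
# sshd -t validates the edited config first, so a typo does not take the
# SSH daemon down on restart.
sshd -t && service ssh restart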
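#----------------------------------------------------------
# INSTALL OUR STACK
#----------------------------------------------------------
# Both PPAs are third-party package sources. Packages from them are installed
# and run as root, so adding them extends trust to the PPA maintainer.
apt-add-repository ppa:ondrej/php
apt-add-repository ppa:ondrej/nginx-mainline
apt update
apt upgrade
apt install nginx php7.1-cli php7.1-fpm mariadb-server

# COMPOSER INSTALL AND VERIFICATION; adapted from the script on composer's site
# The "signature" is a SHA-384 digest fetched from a different host than the
# installer itself; comparing the two detects a corrupted or altered download.
# The whole step runs in a subshell so that 'exit' ends only this step (not an
# interactive login shell), and in a private temp directory so the installer
# is never written to, or executed from, a shared working directory.
(
  workdir=$(mktemp -d) || exit 1
  trap 'rm -rf -- "$workdir"' EXIT
  cd "$workdir" || exit 1

  EXPECTED_SIGNATURE=$(wget -q -O - https://composer.github.io/installer.sig)
  php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
  ACTUAL_SIGNATURE=$(php -r "echo hash_file('SHA384', 'composer-setup.php');")

  # An empty expected value means the digest fetch failed. Without this guard
  # two failed downloads would compare equal ('' == '') and pass the check.
  if [ -z "$EXPECTED_SIGNATURE" ] || [ "$EXPECTED_SIGNATURE" != "$ACTUAL_SIGNATURE" ]
  then
    >&2 echo 'ERROR: Invalid installer signature'
    exit 1
  fi

  # Only install composer when the installer itself succeeded.
  php composer-setup.php --quiet || exit 1
  install -m 0755 -o root -g root composer.phar /usr/bin/composer
)
RESULT=$?
[ "$RESULT" -eq 0 ] || >&2 echo 'ERROR: composer was not installed'
# END COMPOSER SCRIPT

# run mysql_secure_installation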
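#----------------------------------------------------------
# CREATE A WEB USER
#----------------------------------------------------------
adduser webuser
# you can CTRL+D to not add a password, and then just say no to retrying, the account won't have a password
# (adduser --disabled-password webuser gives the same result without the prompt)

# www-data joins webuser's group so nginx can enter the 0750 home directory
# and read the site files.
# NOTE(review): nothing here sets up a per-tenant PHP-FPM pool. If every site
# runs PHP as www-data and www-data is in every tenant's group, one tenant's
# PHP code can read the other tenants' group-readable files; a pool per tenant
# running as that tenant's user avoids this. Confirm against your pool config.
usermod -aG webuser www-data

cp /etc/nginx/sites-available/default /etc/nginx/sites-available/webuser
# Edit your server block to have a server name and not be 'default_server'
# enable the hash bucket in /etc/nginx/nginx.conf
# https://www.digitalocean.com/community/tutorials/how-to-set-up-nginx-server-blocks-virtual-hosts-on-ubuntu-16-04#step-four-enable-your-server-blocks-and-restart-nginx
# link your server block to enable it; reload config; and then test that you can access a static file there
ln -s /etc/nginx/sites-available/webuser /etc/nginx/sites-enabled/webuser

# test the config; restart only when it parses, so a bad server block does
# not take every tenant's site down
nginx -t && systemctl restart nginx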