Gogs Server Setup - Digital Ocean - Centos 7 - Start to Finish
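# Runbook: Gogs server on a Digital Ocean CentOS 7 droplet, start to finish.
# These are commands to run one at a time as root, not a script to execute in
# one go: several steps are interactive (visudo, vim, su, psql, crontab -e).
# Before use replace: gogs.domain.tld (hostname), *password* (mail_server DB
# password), "Matt Butler"/matt (admin account), America/New_York (timezone).

# --- admin account; root login is disabled further down, so this account
# --- (with a working ssh key) is the only way back onto the box
useradd -c"Matt Butler" -Gwheel -m matt
# install ssh key for authentication (put the public key in
# /home/matt/.ssh/authorized_keys and confirm the key login works before
# locking root below)
visudo # change wheel to allow nopassword
# NOTE: NOPASSWD for wheel means a compromise of the matt account is a
# compromise of root; keep the account key-only.
vim /etc/ssh/sshd_config # add "PermitRootLogin no"
# (once key login is confirmed, "PasswordAuthentication no" is worth adding too)
systemctl reload sshd # sshd_config edits only take effect after a reload
yum install vim-enhanced
yum install git
yum install epel-release
yum install bind-utils
# --- install and setup postgres
yum install postgresql-server postgresql-contrib
sudo postgresql-setup initdb
vim /var/lib/pgsql/data/pg_hba.conf # change ident to md5 (password auth instead of OS-user matching)
systemctl start postgresql
systemctl enable postgresql
# --- add gogs role and db
su - postgres
createuser --interactive -P # role: gogs
createdb -Ogogs gogs
exit
# --- add nginx server to proxy gogs
yum install nginx
# 'EOF' is quoted so the shell writes the file contents verbatim
cat > /etc/nginx/conf.d/default.conf <<'EOF'
server {
server_name gogs.domain.tld;
listen 80;
location / {
proxy_pass http://localhost:3000;
}
}
EOF
systemctl start nginx
systemctl enable nginx
# --- install gogs
rpm --import https://rpm.packager.io/key
# gpgcheck=1/gpgkey make yum verify every package from this repo against the
# key imported above, instead of relying on the global yum.conf default
echo "[gogs]
name=Repository for pkgr/gogs application.
baseurl=https://rpm.packager.io/gh/pkgr/gogs/centos7/pkgr
enabled=1
gpgcheck=1
gpgkey=https://rpm.packager.io/key" | tee /etc/yum.repos.d/gogs.repo
yum install gogs
# browse to gogs.domain.tld to configure (may also have
# to manually adjust config [/etc/gogs/conf/app.ini],
# some options didn't seem to stick)
# --- get certs
cd /root/
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto
# run following for each domain, keys are placed in
# /etc/letsencrypt/live
./letsencrypt-auto certonly
# --- add sites to nginx
cd /etc/nginx
# dhparam is to raise length for certain ciphers, dsaparam uses a much quicker method of generating primes
# not thought to be any less secure according to:
# http://security.stackexchange.com/questions/95178/diffie-hellman-parameters-still-calculating-after-24-hours/95184#95184
openssl dhparam -dsaparam -out dhparam.pem 4096
vim nginx.conf # add "include /etc/nginx/sites-enabled/*;" in http{}
# in existing http {
# include /etc/nginx/sites-enabled/*;
# ssl_prefer_server_ciphers on;
# ssl_protocols TLSv1.2;
#   (TLSv1 and TLSv1.1 are deprecated; add them back only for a known client that needs them)
# ssl_dhparam /etc/nginx/dhparam.pem;
# ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
#   (the *DES-CBC3-SHA entries are 3DES and only there for very old clients; drop them when none remain)
# }
mkdir sites-available
mkdir sites-enabled
rm conf.d/default.conf
# the vhost lives in sites-available and is picked up through the sites-enabled
# include added to nginx.conf above; 'EOF' is quoted so $server_name and
# $request_uri reach nginx unexpanded instead of being blanked by the shell
cat > /etc/nginx/sites-available/gogs.domain.tld <<'EOF'
server {
server_name gogs.domain.tld;
listen 80;
return 301 https://$server_name$request_uri;
}
server {
server_name gogs.domain.tld;
listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/gogs.domain.tld/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/gogs.domain.tld/privkey.pem;
location / {
proxy_pass http://localhost:3000;
}
}
EOF
# fullchain.pem (not cert.pem) so the intermediate CA is served; with cert.pem
# alone many clients fail chain validation
cd sites-enabled
ln -s ../sites-available/gogs.domain.tld
nginx -t && systemctl reload nginx # validate, then actually load the new vhost
# --- setup cron to auto renew letsencrypt certs every 2 months
# nginx is stopped around the renewal, presumably because the standalone
# authenticator needs port 80 free — confirm against the certonly settings used
cat > /root/letsencrypt/renew.sh <<'EOF'
#!/bin/bash
systemctl stop nginx
/root/letsencrypt/letsencrypt-auto renew
systemctl start nginx
EOF
chmod 700 /root/letsencrypt/renew.sh # cron runs it directly, so it needs the execute bit
(crontab -l ; echo "0 0 1 */2 * /root/letsencrypt/renew.sh") | crontab -
# --- fail2ban
yum install fail2ban
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
# add IP address to ignoreip
vi /etc/fail2ban/jail.local
systemctl enable fail2ban
systemctl start fail2ban
# --- firewall: only ssh/http/https are opened; gogs on :3000 stays local-only
systemctl start firewalld
firewall-cmd --permanent --add-service=ssh
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
firewall-cmd --reload
systemctl enable firewalld
# --- NTP
timedatectl set-timezone America/New_York
yum install ntp
systemctl start ntpd
systemctl enable ntpd
# --- swapfile
fallocate -l 4G /swapfile
chmod 600 /swapfile
mkswap /swapfile
swapon /swapfile
vim /etc/fstab # add "/swapfile none swap sw 0 0"
# --- disable password for root
passwd --lock root
# was "~/root/.ssh/authorized_keys", which resolves to /root/root/... and removes nothing
rm -f /root/.ssh/authorized_keys
# at this point the only way to get root should be through sudo
# --- setup backup
yum install duplicity python-boto duply
mkdir /backup
mv /home/gogs/gogs-repositories /backup
ln -s /backup/gogs-repositories /home/gogs/gogs-repositories
duply server create # server is just a name
vim ~/.duply/server/conf # set GPG_KEY, TARGET, TARGET_USER, TARGET_PASS, SOURCE
# symlink any other files to be backed up, e.g. nginx conf, php.ini, etc.
crontab -e
# Mon-Sat run backups every six hours, Sun full backup at midnight and continue
# incremental every six hours
# 0 */6 * * 1-6 duply server backup
# 0 1-23/6 * * 7 duply server backup
# 0 0 * * 7 duply server full && duply server purge
# --- mail (postfix + dovecot with a postgres backend); if postfix installed
yum erase postfix
vim /etc/yum.repos.d/CentOS-Base.repo # enable centos plus (its postfix build has pgsql support)
yum install dovecot dovecot-pgsql postfix
sudo -u postgres psql postgres
> CREATE USER mail_server WITH PASSWORD '*password*';
> CREATE DATABASE mail_server;
> GRANT ALL PRIVILEGES ON DATABASE mail_server to mail_server;
> \q
export PGPASSWORD='*password*' # quoted: unquoted *password* is a glob pattern to the shell
psql -hlocalhost -Umail_server mail_server
> CREATE TABLE domains (domain varchar(50) NOT NULL, PRIMARY KEY (domain) );
> CREATE TABLE forwardings (source varchar(80) NOT NULL, destination TEXT NOT NULL, PRIMARY KEY (source) );
> CREATE TABLE users (email varchar(80) NOT NULL, password varchar(20) NOT NULL, PRIMARY KEY (email) );
> CREATE TABLE transport (domain varchar(128) NOT NULL default '', transport varchar(128) NOT NULL default '', PRIMARY KEY (domain) );
> \q
# NOTE: password varchar(20) only fits plaintext passwords; widen it if dovecot
# is configured to store hashed passwords
unset PGPASSWORD # don't leave the db password in the environment of later commands
# postfix pgsql lookup tables; each file carries the db password, so they are
# restricted to root:postfix after being written
echo "user = mail_server
password = *password*
dbname = mail_server
query = SELECT domain AS virtual FROM domains WHERE domain='%s'
hosts = localhost
" > /etc/postfix/pgsql-virtual_domains.cf
echo "user = mail_server
password = *password*
dbname = mail_server
query = SELECT destination FROM forwardings WHERE source='%s'
hosts = localhost
" > /etc/postfix/pgsql-virtual_forwardings.cf
# CONCAT/SUBSTRING_INDEX are MySQL functions and do not exist in PostgreSQL;
# split_part + || builds the same "domain/user/" maildir path
echo "user = mail_server
password = *password*
dbname = mail_server
query = SELECT split_part(email,'@',2) || '/' || split_part(email,'@',1) || '/' FROM users WHERE email='%s'
hosts = localhost
" > /etc/postfix/pgsql-virtual_mailboxes.cf
echo "user = mail_server
password = *password*
dbname = mail_server
query = SELECT email FROM users WHERE email='%s'
hosts = localhost
" > /etc/postfix/pgsql-virtual_email2email.cf
chown root:postfix /etc/postfix/pgsql-*.cf
chmod 640 /etc/postfix/pgsql-*.cf
# --- PHP site (assumes an existing mattbutler.cool vhost in sites-available)
cd /etc/nginx/sites-available
cp mattbutler.cool fit.mattbutler.cool
vim fit.mattbutler.cool
# update "mattbutler.cool" to "fit.mattbutler.cool"
# set root to /srv/fit.mattbutler.cool/public
# run letsencrypt
mkdir /srv/fit.mattbutler.cool
chown matt:matt /srv/fit.mattbutler.cool
yum install php php-pgsql php-fpm
vim /etc/php.ini # disable cgi.fix_pathinfo (so /file.jpg/x.php cannot be executed as PHP)
vim /etc/php-fpm.d/www.conf
# set listen = /var/run/php-fpm/php-fpm.sock
# set listen.owner = nginx
# set listen.group = nginx
#   (socket owner/group match the nginx worker user so it stays reachable
#   with a 0660 socket mode; nobody only works while the mode is 0666)
# set user = nginx
# set group = nginx
systemctl start php-fpm
systemctl enable php-fpm
vim /etc/nginx/sites-enabled/fit.mattbutler.cool
# add missing
# server {
# index index.php index.html index.htm;
# location / {
# try_files $uri $uri/ =404;
# }
# location ~ \.php$ {
# try_files $uri =404;
# fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
# fastcgi_index index.php;
# fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
# include fastcgi_params;
# }
# }
# --- automatic update checks
yum install yum-cron
vim /etc/yum/yum-cron.conf
# set to check only and email
chkconfig yum-cron on
# chkconfig should automatically run systemctl enable, if not run manually
systemctl start yum-cron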