@fastmover
Created September 6, 2023 15:00
Install Spikster (cipi) on ubuntu 22.04 (vultr)
#!/bin/bash
# Installation now completes, but the panel is broken.
# One issue is that Composer is run as the root user.
# Panel error: Composer detected issues in your platform: Your Composer dependencies require a PHP version ">= 8.1.0".
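#################################################### CONFIGURATION ###
# Build stamp; written to public/build_<SERVERID>.php during panel setup.
BUILD=202112181
# Secrets and the server id are 32 lowercase hex characters (128 bits) read
# directly from OpenSSL's CSPRNG. The earlier rand|sha256sum|base64|head|tr
# chain produced the same length but discarded entropy along the way.
PASS=$(openssl rand -hex 16)
DBPASS=$(openssl rand -hex 16)
SERVERID=$(openssl rand -hex 16)
REPO=fastmover/Spikster
# Branch to check out: first CLI argument, defaulting to master.
# The previous form placed BRANCH=master inside the `if` condition list, so
# the `then` arm always ran and BRANCH ended up empty when no argument was given.
BRANCH=${1:-master}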
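#################################################### CLI TOOLS ###
# Terminal escape sequences for coloured output, looked up through terminfo.
# tput prints nothing (and complains on stderr) when TERM is unset, in which
# case these variables are simply empty.
reset=$(tput sgr0)
bold=$(tput bold)
underline=$(tput smul)
# Foreground colours
black=$(tput setaf 0)
white=$(tput setaf 7)
red=$(tput setaf 1)
green=$(tput setaf 2)
yellow=$(tput setaf 3)
blue=$(tput setaf 4)
purple=$(tput setaf 5)
# Background colours
bgblack=$(tput setab 0)
bgwhite=$(tput setab 7)
bgred=$(tput setab 1)
bggreen=$(tput setab 2)
# Was `setab 4`, which duplicated bgblue; 3 matches the index used by `yellow`.
bgyellow=$(tput setab 3)
bgblue=$(tput setab 4)
bgpurple=$(tput setab 5)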
#################################################### Spikster SETUP ######
# LOGO
# Screen clearing and the green/bold colouring are intentionally disabled:
# clear
# echo "${green}${bold}"
# Print the banner in one call: a blank line, the logo, a blank line, then
# the start message.
printf '%s\n' \
  "" \
  " ██████ ██ ██████  ██" \
  "██      ██ ██   ██ ██" \
  "██  ██ ██████  ██" \
  "██  ██ ██      ██" \
  " ██████ ██ ██  ██" \
  "" \
  "Installation has been started... Hold on!"
# Brief pause before the checks begin.
sleep 2s
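# OS CHECK
# clear
echo "OS check..."
sleep 0.1s
# Pull ID and VERSION_ID out of os-release; the values may be quoted, so the
# double quotes are stripped.
ID=$(grep -oP '(?<=^ID=).+' /etc/os-release | tr -d '"')
VERSION=$(grep -oP '(?<=^VERSION_ID=).+' /etc/os-release | tr -d '"')
# Only these exact Ubuntu releases are accepted; any other release or
# distribution aborts. The earlier version used `break` inside the case arms,
# which is only meaningful inside a loop, and its second error message was
# garbled ("requires a minimum requires").
case "$ID:$VERSION" in
  ubuntu:20.04 | ubuntu:22.04 | ubuntu:23.04)
    ;;
  *)
    # Diagnostics go to stderr; reset the colours so the terminal is not left
    # in bold white-on-red after the script exits.
    echo "${bgred}${white}${bold}" >&2
    echo "Spikster requires a minimum of Linux Ubuntu 20.04 LTS" >&2
    echo "${reset}" >&2
    exit 1
    ;;
esac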
# ROOT CHECK
# clear
echo "Permission check..."
sleep 0.1s
# Everything below edits system files and installs packages, so stop early
# unless the effective uid is 0.
if [ "$(id -u)" != "0" ]; then
  # clear
  # echo "${bgred}${white}${bold}"
  echo "You have to run Spikster as root. (In AWS use 'sudo -s')"
  exit 1
fi
echo "root user confirmed"
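# Auto restart services rather than popup dialog
# Appends `$nrconf{restart} = 'a';` to the needrestart configuration. The
# append is skipped when that exact line is already present (so re-running the
# installer does not stack duplicates) and when needrestart's configuration
# directory does not exist (the unguarded redirect would just fail).
NEEDRESTART_CONF=/etc/needrestart/needrestart.conf
NEEDRESTART_AUTO="\$nrconf{restart} = 'a';"
if [ -d /etc/needrestart ]; then
  if ! grep -qxF -- "$NEEDRESTART_AUTO" "$NEEDRESTART_CONF" 2>/dev/null; then
    printf '\n%s\n' "$NEEDRESTART_AUTO" >> "$NEEDRESTART_CONF"
  fi
else
  echo "needrestart configuration directory not found; skipping auto-restart setting" >&2
fi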
# BASIC SETUP
# clear
echo "Base setup..."
sleep 1s
# Baseline tooling used by the rest of the installer (rpl, expect, curl, ...)
# plus general utilities.
base_packages=(
  software-properties-common curl wget nano vim rpl sed zip unzip openssl
  expect dirmngr apt-transport-https lsb-release ca-certificates dnsutils
  dos2unix zsh htop ffmpeg
)
apt-get update -qq
apt-get -qq install "${base_packages[@]}"
echo "Pausing momentarily"
sleep 5s
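# GET IP
# clear
echo "Getting IP..."
sleep 0.1s
# Ask an external service for this host's public address.
#   -f             treat HTTP error statuses as failures instead of capturing the error page
#   -sS            stay quiet but still report errors
#   --max-time 15  do not hang the installer on a stalled connection
IP=$(curl -fsS --max-time 15 https://checkip.amazonaws.com | tr -d '[:space:]')
# The value is later substituted into .env (APP_URL) and into the PHP database
# seeder, so accept nothing but characters that can appear in an IP address.
# An empty or unexpected response stops the install instead of being written
# into those files.
if [[ ! "$IP" =~ ^[0-9A-Fa-f:.]+$ ]]; then
  echo "Could not determine the public IP address (got: '${IP}')" >&2
  exit 1
fi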
# MOTD WELCOME MESSAGE
echo "Motd settings..."
sleep 0.1s
WELCOME=/etc/motd
# Overwrite the message of the day with the logo and tagline. The redirect
# creates the file when it is missing. Trailing spaces on the first three logo
# rows are part of the original text and are kept.
printf '%s\n' \
  "██████ ██ ██████  ██ " \
  "██      ██ ██   ██ ██ " \
  "██  ██ ██████  ██ " \
  "██  ██ ██      ██" \
  " ██████ ██ ██  ██" \
  "With great power comes great responsibility..." \
  > "$WELCOME"
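# SWAP
echo "Memory SWAP..."
sleep 0.1s
# Create and enable a 1 GiB swap file.
SWAPFILE=/var/swap.1
if /sbin/swapon --show=NAME --noheadings | grep -qxF -- "$SWAPFILE"; then
  # Re-running the installer must not overwrite a swap file that is in use.
  echo "Swap file $SWAPFILE is already active"
else
  # Swap holds pages of process memory, so the file must not be readable by
  # other users: create it under a restrictive umask and force mode 600 in
  # case the file already existed with wider permissions.
  (umask 077 && /bin/dd if=/dev/zero of="$SWAPFILE" bs=1M count=1024)
  chmod 600 "$SWAPFILE"
  /sbin/mkswap "$SWAPFILE"
  /sbin/swapon "$SWAPFILE"
fi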
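# ALIAS
echo "Custom CLI configuration..."
sleep 0.1s
# Enables alias expansion and defines `ll` for this script's own shell only;
# nothing is written to any user's profile here.
shopt -s expand_aliases
alias ll='ls -alF'
# Spikster DIRS
echo "Spikster directories..."
sleep 0.1s
# -p keeps a second run of the installer from failing on existing directories.
# `o-r` removes read (listing) permission for other users but leaves the
# execute bit, so files inside can still be opened by path.
# NOTE(review): /etc/spikster later receives an unencrypted SSH private key;
# confirm whether a stricter directory mode is acceptable for the web user.
mkdir -p /etc/spikster/
chmod o-r /etc/spikster
mkdir -p /var/spikster/
chmod o-r /var/spikster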
# USER
echo "Spikster root user..."
sleep 0.1s
# Refresh the PAM configuration, make sure / is mounted read-write and set
# /etc/shadow to mode 640 before creating the account.
pam-auth-update --package
mount -o remount,rw /
chmod 640 /etc/shadow
# Create the cipi account with a home directory and bash as login shell, set
# its generated password and add it to the sudo group.
# NOTE(review): this account has full sudo rights and a password login, and
# SSH password authentication is switched on later in this script; the
# generated password is the only barrier, so treat it accordingly.
useradd --create-home --shell /bin/bash cipi
chpasswd <<<"cipi:$PASS"
usermod --append --groups sudo cipi
# NGINX
echo "nginx setup..."
sleep 0.1s
# @todo: replaces below don't do anything
apt-get -qq install nginx-core
systemctl start nginx.service
# Rewrite the opening of the http block so that it also declares a
# request-rate zone named "one" (1 request/second per client address) and a
# 300 second FastCGI read timeout. -i makes the match case-insensitive.
# NOTE(review): no `limit_req` directive referencing zone "one" appears in
# this script, so the zone looks declared but unused — confirm.
nginx_http_open='http {'
nginx_http_tuned='http { limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s; fastcgi_read_timeout 300;'
rpl -i "$nginx_http_open" "$nginx_http_tuned" /etc/nginx/nginx.conf
systemctl enable nginx.service
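# FIREWALL
echo "fail2ban setup..."
sleep 0.1s
apt-get -qq install fail2ban
JAIL=/etc/fail2ban/jail.local
# Remove any previous jail.local (including a symlink) before writing ours.
# The earlier `unlink JAIL` lacked the `$` and targeted a file literally
# named "JAIL" in the current directory.
rm -f -- "$JAIL"
# One-hour bans via iptables, with the sshd jail enabled against auth.log.
cat > "$JAIL" <<'EOF'
[DEFAULT]
bantime = 3600
banaction = iptables-multiport
[sshd]
enabled = true
logpath = /var/log/auth.log
EOF
systemctl restart fail2ban
# Add the allow rules first and enable the firewall last, so SSH is already
# permitted at the moment the default policy takes effect; enabling first
# risks cutting off the session that is running this installer.
for ufw_rule in ssh http https "Nginx Full"; do
  ufw allow "$ufw_rule"
done
ufw --force enable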
# PHP
echo "PHP setup..."
sleep 0.1s
# PHP packages come from the third-party ondrej/php PPA, which therefore
# becomes a trusted package source on this host.
add-apt-repository -y ppa:ondrej/php
apt-get update -qq
# Package suffixes installed for each PHP version.
# packages that can't be found: php8.0-openssl, php8.1-openssl
php_exts=(
  fpm common curl bcmath mbstring tokenizer mysql sqlite3 pgsql redis
  memcached zip xml soap gd imagick fileinfo imap cli
)
for php_ver in 8.0 8.1; do
  # Skip a version whose CLI binary is already on PATH.
  if command -v "php${php_ver}" &> /dev/null; then
    continue
  fi
  # Expands to php<ver>-fpm php<ver>-common ... in the order listed above.
  apt-get -qq install "${php_exts[@]/#/php${php_ver}-}"
  # Per-version FPM overrides: larger memory/upload limits, longer timeouts.
  PHPINI=/etc/php/${php_ver}/fpm/conf.d/cipi.ini
  cat > "$PHPINI" <<'EOF'
memory_limit = 256M
upload_max_filesize = 256M
post_max_size = 256M
max_execution_time = 180
max_input_time = 180
EOF
  service "php${php_ver}-fpm" restart
done
# PHP EXTRA
# Development headers and PEAR.
apt-get -qq install php-dev php-pear
# PHP CLI
echo "PHP CLI configuration..."
sleep 0.1s
# Point the `php` alternative at 8.1 so the command-line interpreter matches
# the FPM socket used by the default vhost.
php_cli_bin=/usr/bin/php8.1
update-alternatives --set php "$php_cli_bin"
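# COMPOSER
echo "Composer setup..."
sleep 0.5s
if [ -f "/usr/local/bin/composer" ]; then
  echo "${yellow}Composer is already installed."
else
  # Fetch and run the installer as the unprivileged cipi user. Before running
  # it, compare its SHA-384 against the signature published by the Composer
  # project, so a tampered or truncated download is never executed.
  su cipi <<'CIPIEOF'
cd ~ || exit 1
expected_sig="$(php -r 'copy("https://composer.github.io/installer.sig", "php://stdout");')"
php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
actual_sig="$(php -r "echo hash_file('sha384', 'composer-setup.php');")"
if [ -z "$expected_sig" ] || [ "$expected_sig" != "$actual_sig" ]; then
  echo "Composer installer checksum mismatch; not running it" >&2
  rm -f composer-setup.php
  exit 1
fi
php composer-setup.php --no-interaction
php -r "unlink('composer-setup.php');"
CIPIEOF
  if [ -f /home/cipi/composer.phar ]; then
    # `mv` would keep the file owned by cipi, leaving a binary on root's PATH
    # that a non-root account can rewrite. Install a root-owned copy instead.
    install -o root -g root -m 0755 /home/cipi/composer.phar /usr/local/bin/composer
    rm -f /home/cipi/composer.phar
    su cipi <<'CIPIEOF'
composer config --global repo.packagist composer https://packagist.org --no-interaction
CIPIEOF
  else
    echo "Composer installation failed: /home/cipi/composer.phar was not created" >&2
  fi
fi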
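# GIT
echo "GIT setup..."
sleep 0.5s
if ! command -v git &> /dev/null; then
  apt-get -y install git
fi
# Generate the RSA key pair used for GitHub access. -P "" means the private
# key is stored without a passphrase, so file permissions are its only
# protection. Skip generation when the key already exists: ssh-keygen would
# otherwise stop and ask whether to overwrite it, stalling an unattended run.
if [ ! -f /etc/spikster/github ]; then
  ssh-keygen -t rsa -C "git@github.com" -f /etc/spikster/github -q -P ""
fi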
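# SUPERVISOR
echo "Supervisor setup..."
sleep 0.1s
# Install supervisor unless a service of that name is already registered.
if service --status-all | grep -Fq 'supervisor'; then
  # The message used to append $(mysql --version), copied from the MySQL
  # section; that printed the wrong program's version and produced an error
  # when MySQL was not installed yet.
  echo "${yellow}Supervisor is already installed"
  echo " "
else
  apt-get -y install supervisor
fi
service supervisor restart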
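# DEFAULT VHOST
echo "Default vhost..."
sleep 0.1s
NGINX=/etc/nginx/sites-available/default
# Drop the packaged default site before writing ours. The earlier
# `unlink NGINX` lacked the `$` and never touched this file.
rm -f -- "$NGINX"
# Quoted delimiter: the body is written literally, so nginx variables such as
# $uri need no backslash escaping. The resulting file is the same as before.
cat > "$NGINX" <<'EOF'
server {
listen 80 default_server;
listen [::]:80 default_server;
root /var/www/html/public;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options "nosniff";
client_body_timeout 10s;
client_header_timeout 10s;
client_max_body_size 256M;
index index.html index.php;
charset utf-8;
server_tokens off;
location / {
try_files $uri $uri/ /index.php?$query_string;
}
location = /favicon.ico { access_log off; log_not_found off; }
location = /robots.txt { access_log off; log_not_found off; }
error_page 404 /index.php;
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php8.1-fpm.sock;
}
location ~ /\.(?!well-known).* {
deny all;
}
}
EOF
# NOTE(review): the panel is served over plain HTTP on port 80 only; the
# final banner hands out login details for this URL.
# -p so a re-run does not fail on the existing directory.
mkdir -p /etc/nginx/spikster/
systemctl restart nginx.service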
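# MYSQL
echo "MySQL setup..."
sleep 0.1s
if service --status-all | grep -Fq 'mysql'; then
  echo "${yellow}MySQL already installed $(mysql --version)"
  echo " "
else
  apt-get install -y mysql-server
fi
# Drive mysql_secure_installation non-interactively. Answers, in order:
# first prompt "n", remove anonymous users "y", disallow remote root login
# "n", remove test database "y", reload privilege tables "y".
# NOTE(review): remote root login is deliberately left allowed here — confirm
# this is intended.
SECURE_MYSQL=$(expect -c "
set timeout 10
spawn mysql_secure_installation
expect \"Press y|Y for Yes, any other key for No:\"
send \"n\r\"
expect \"Remove anonymous users? (Press y|Y for Yes, any other key for No)\"
send \"y\r\"
expect \"Disallow root login remotely? (Press y|Y for Yes, any other key for No)\"
send \"n\r\"
expect \"Remove test database and access to it? (Press y|Y for Yes, any other key for No)\"
send \"y\r\"
expect \"Reload privilege tables now? (Press y|Y for Yes, any other key for No) \"
send \"y\r\"
expect eof
")
echo "$SECURE_MYSQL"
# Create the panel's database account. The statements are fed on stdin rather
# than through -e so the password does not appear in the process list.
# IF NOT EXISTS lets the installer be re-run without an error here.
# NOTE(review): 'cipi'@'%' with ALL PRIVILEGES ... WITH GRANT OPTION is a
# full administrative account reachable from any host MySQL accepts
# connections from; scope the host and privileges down if the panel allows it.
mysql -uroot <<EOF
CREATE USER IF NOT EXISTS 'cipi'@'%' IDENTIFIED WITH mysql_native_password BY '$DBPASS';
GRANT ALL PRIVILEGES ON *.* TO 'cipi'@'%' WITH GRANT OPTION;
FLUSH PRIVILEGES;
EOF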
# REDIS
echo "Redis setup..."
sleep 0.1s
apt install -y redis-server
# Switch Redis from "supervised no" to "supervised systemd" in its config
# file, then restart it so the change takes effect.
redis_conf=/etc/redis/redis.conf
rpl -i -w "supervised no" "supervised systemd" "$redis_conf"
systemctl restart redis.service
# LET'S ENCRYPT
echo "Let's Encrypt setup..."
sleep 0.1s
# Install certbot and then its nginx plugin, one apt-get run per package.
# No certificate is requested here; only the tooling is installed.
for certbot_pkg in certbot python3-certbot-nginx; do
  apt-get install -y "$certbot_pkg"
done
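# NODE
echo "Node/npm setup..."
sleep 0.1s
apt-get update && apt-get install -y ca-certificates curl gnupg
# The keyring directory is not guaranteed to exist on every supported
# release; without it gpg cannot write the key and the repository below is
# left without a usable signing key.
mkdir -p /etc/apt/keyrings
# --yes lets a re-run overwrite the existing keyring instead of stopping to ask.
curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor --yes -o /etc/apt/keyrings/nodesource.gpg
NODE_MAJOR=20
# signed-by pins this repository to the NodeSource key only, rather than
# trusting it with every key known to apt.
echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_$NODE_MAJOR.x nodistro main" | tee /etc/apt/sources.list.d/nodesource.list
apt-get update && apt-get install nodejs -y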
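#PANEL INSTALLATION
echo "Panel installation..."
sleep 0.1s
# Create the panel database as MySQL root. `-p$DBPASS` was dropped: DBPASS is
# the cipi account's password, not root's (the earlier CREATE USER call
# connects as root with no password), and passing it as an argument exposed
# it in the process list.
/usr/bin/mysql -u root <<EOF
CREATE DATABASE IF NOT EXISTS cipi;
EOF
# clear
# Start from an empty web root owned by www-data with group cipi, so the cipi
# user can clone into it.
rm -rf /var/www/html
mkdir /var/www/html
chown -R www-data:cipi /var/www/html
chmod -R 775 /var/www/html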
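# Clone the panel and install its dependencies as the cipi user.
# The heredoc delimiter is quoted, so variables are expanded by the cipi
# shell, which only sees exported variables. BRANCH was never exported, so
# `git checkout $BRANCH` ran with no argument. Export only BRANCH: the
# passwords are not needed in this shell and should not be placed in its
# environment. (Per su(1) the whitelist option only matters together with
# --login; it is kept for clarity — confirm.)
export BRANCH
su --whitelist-environment="BRANCH" cipi <<'CIPIEOL'
echo "Checking out repository"
# The earlier debug line was a bare quoted string, which the shell tried to
# run as a command; the resulting error message included the DB password.
echo "Branch: ${BRANCH:-master}"
git config --global --add safe.directory /var/www/html
cd /var/www/html || exit 1
git clone https://github.com/fastmover/Spikster.git .
git pull
git checkout "${BRANCH:-master}"
git pull
sleep 0.1
# Always start from the example environment file.
rm -f .env
cp .env.example .env
# NOTE(review): removing composer.lock makes `composer install` resolve
# dependency versions afresh instead of installing the locked set, so the
# installed code can differ between runs — confirm this is still needed.
rm -f composer.lock
composer install
php artisan key:generate
CIPIEOL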
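echo ""
echo ""
echo "sleeping to ensure artisan finished"
echo ""
echo ""
sleep 10
ENV_FILE=/var/www/html/.env
SEEDER=/var/www/html/database/seeders/DatabaseSeeder.php
# Fill in the database settings and the application URL.
rpl -i -w "DB_USERNAME=dbuser" "DB_USERNAME=cipi" "$ENV_FILE"
rpl -i -w "DB_PASSWORD=dbpass" "DB_PASSWORD=$DBPASS" "$ENV_FILE"
rpl -i -w "DB_DATABASE=dbname" "DB_DATABASE=cipi" "$ENV_FILE"
rpl -i -w "APP_URL=http://localhost" "APP_URL=http://$IP" "$ENV_FILE"
# Substitute the placeholders in the database seeder. The replacement values
# are quoted: unquoted, an empty value vanished from the argument list and
# rpl then took the file path as the replacement text.
# NOTE(review): this writes the SSH and database passwords in clear text into
# a PHP source file inside the web application tree.
rpl -i -w "CIPISERVERID" "$SERVERID" "$SEEDER"
rpl -i -w "CIPIIP" "$IP" "$SEEDER"
rpl -i -w "CIPIPASS" "$PASS" "$SEEDER"
rpl -i -w "CIPIDB" "$DBPASS" "$SEEDER"
# World-writable for the duration of the setup steps that follow; a later
# step tightens these again. (The preceding `chmod o+w` calls were redundant
# with mode 777 and have been dropped.)
chmod -R 777 /var/www/html/storage
chmod -R 777 /var/www/html/bootstrap/cache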
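# Finish the panel setup as the cipi user. The heredoc delimiter is quoted,
# so $BUILD and $SERVERID are expanded by the cipi shell and must be exported
# to reach it; without the export the files below were created as
# build_.php, ping_.php and ghkey_.php with an empty build stamp.
export BUILD SERVERID
su --whitelist-environment="BUILD,SERVERID" cipi <<'CIPIEOL'
cd /var/www/html || exit 1
composer update --no-interaction
# NOTE(review): this pins guzzlehttp/psr7 to 1.5.2, an old release; check it
# against current security advisories before relying on it.
composer require guzzlehttp/psr7:1.5.2
php artisan key:generate
php artisan cache:clear
php artisan storage:link
php artisan view:cache
php artisan cipi:activesetupcount
# The random server id is the only thing that makes the public file names
# below hard to guess, so refuse to continue without it.
: "${SERVERID:?SERVERID is not set}"
# Build stamp
CIPIBULD=/var/www/html/public/build_$SERVERID.php
printf '%s\n' "$BUILD" > "$CIPIBULD"
# Liveness marker
CIPIPING=/var/www/html/public/ping_$SERVERID.php
printf '%s\n' "Up" > "$CIPIPING"
# Endpoint that prints the GitHub public key. The key pair is generated at
# /etc/spikster/github by this installer; the path used here previously was
# /etc/cipi/github.pub, which nothing in this script creates.
PUBKEYGH=/var/www/html/public/ghkey_$SERVERID.php
cat > "$PUBKEYGH" <<'EOF'
<?php
echo exec("cat /etc/spikster/github.pub");
EOF
php artisan migrate --seed --force
rpl -i -w "APP_ENV=local" "APP_ENV=production" /var/www/html/.env
php artisan config:cache
CIPIEOL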
# Tighten the two runtime-writable directories from the temporary 777 back to
# 775, then hand the whole tree to www-data with group cipi.
for writable_dir in /var/www/html/storage /var/www/html/bootstrap/cache; do
  chmod -R o+w "$writable_dir"
  chmod -R 775 "$writable_dir"
done
chown -R www-data:cipi /var/www/html
# LAST STEPS
echo "Last steps..."
sleep 0.1s
# Final ownership and mode for the web root: owner www-data, group cipi, no
# access for other users.
chown -R www-data:cipi /var/www/html
chmod -R 750 /var/www/html
# Append three start-limit settings to the packaged user@.service unit and
# reload systemd.
# NOTE(review): the lines are appended to the end of a vendor unit file, so
# they land in whatever section happens to be last, are added again on every
# run, and are presumably lost when the package updates the file — a drop-in
# override would be the usual place for this; confirm the settings take effect.
user_unit=/usr/lib/systemd/system/user@.service
printf '%s\n' \
  'DefaultStartLimitIntervalSec=1s' \
  'DefaultStartLimitBurst=50' \
  'StartLimitBurst=0' \
  >> "$user_unit"
systemctl daemon-reload
# Scheduled maintenance. The entries are written to a file and then loaded
# with `crontab`, which installs them as the crontab of the user running this
# script (root, per the permission check at the top).
# Weekly (Sunday): certificate renewal, package index update, unattended
# dist-upgrade, apt cache cleanup. Daily: page-cache drop and swap reset,
# panel self-update. Every minute: the panel's scheduler.
# NOTE(review): the last two entries run code from /var/www/html as root,
# while that tree is owned by www-data. Anything able to write there as the
# web user can therefore get commands executed as root; consider running
# these entries as an unprivileged user or making the scripts root-owned.
TASK=/etc/cron.d/cipi.crontab
cat > "$TASK" <<'EOF'
10 4 * * 7 certbot renew --nginx --non-interactive --post-hook "systemctl restart nginx.service"
20 4 * * 7 apt-get -qq update
40 4 * * 7 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get -q -y -o "Dpkg::Options::=--force-confdef" -o "Dpkg::Options::=--force-confold" dist-upgrade
20 5 * * 7 apt-get clean && apt-get autoclean
50 5 * * * echo 3 > /proc/sys/vm/drop_caches && swapoff -a && swapon -a
* * * * * cd /var/www/html && php artisan schedule:run >> /dev/null 2>&1
5 2 * * * cd /var/www/html/utility/cipi-update && sh run.sh >> /dev/null 2>&1
EOF
crontab "$TASK"
systemctl restart nginx.service
# SSH daemon settings, applied as ordered search/replace pairs on sshd_config:
# uncomment PasswordAuthentication, turn it on, and turn root login off.
# The order matters, since later pairs match text produced by earlier ones.
# The last pair was added for Ubuntu 22.04 on Vultr.
# NOTE(review): this enables password logins over SSH for an account with
# sudo rights; key-only authentication would be the safer default. Files
# under /etc/ssh/sshd_config.d/, if present, may also override these values —
# confirm on the target image.
sshd_config=/etc/ssh/sshd_config
sshd_edits=(
  "#PasswordAuthentication"     "PasswordAuthentication"
  "# PasswordAuthentication"    "PasswordAuthentication"
  "PasswordAuthentication no"   "PasswordAuthentication yes"
  "PermitRootLogin yes"         "PermitRootLogin no"
  "#PasswordAuthentication yes" "PasswordAuthentication yes"
)
for ((i = 0; i < ${#sshd_edits[@]}; i += 2)); do
  rpl -i -w "${sshd_edits[i]}" "${sshd_edits[i + 1]}" "$sshd_config"
done
# rpl -i -w "#PermitRootLogin prohibit-password" "PermitRootLogin no" /etc/ssh/sshd_config # disabled for debugging
service sshd restart
# Supervisor program definition for the panel's queue workers: eight
# `artisan queue:work` processes run as cipi, restarted automatically, with
# stderr folded into a single log file.
TASK=/etc/supervisor/conf.d/cipi.conf
# Quoted delimiter: the %(...)s placeholders are for supervisor and are
# written out literally.
cat > "$TASK" <<'EOF'
[program:cipi-worker]
process_name=%(program_name)s_%(process_num)02d
command=php /var/www/html/artisan queue:work --sleep=3 --tries=3 --max-time=3600
autostart=true
autorestart=true
stopasgroup=true
killasgroup=true
user=cipi
numprocs=8
redirect_stderr=true
stdout_logfile=/var/www/worker.log
stopwaitsecs=3600
EOF
# Load the new definition, start the workers, then restart the service.
supervisorctl reread
supervisorctl update
supervisorctl start all
service supervisor restart
# COMPLETE
echo "Spikster installation has been completed..."
sleep 0.1s
# SETUP COMPLETE MESSAGE
# clear
# Final summary. This prints the generated SSH and MySQL passwords in clear
# text to standard output, so they also end up in any log or terminal
# scrollback that captures this run.
# NOTE(review): the panel's default login (administrator / 12345678) is
# announced here and the URL is plain HTTP; change that password immediately
# after the first login.
banner_rule="***********************************************************"
printf '%s\n' \
  "$banner_rule" \
  " SETUP COMPLETE" \
  "$banner_rule" \
  "" \
  " SSH user: cipi" \
  " SSH pass: $PASS" \
  " MySQL user: cipi" \
  " MySQL pass: $DBPASS" \
  "" \
  " To manage your server visit: http://$IP" \
  " and click on 'dashboard' button." \
  " Default credentials are: administrator / 12345678" \
  "" \
  "$banner_rule" \
  " DO NOT LOSE AND KEEP SAFE THIS DATA" \
  "$banner_rule"