Wiki page that describes the scripts/configs in a bit more detail: https://wiki.alex.lol/books/justsysadminthings/page/script-for-installingprepping-nginx
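# Shared acme.sh environment, sourced by both ~/.bashrc and ~/.zshrc (the
# setup script appends the `. "$HOME/.acmeenv"` line to each). Loads acme.sh's
# own env file and the Cloudflare credentials used by acme.sh's Cloudflare DNS hook.
#
# Review notes:
#   * This file is meant to hold an API token. Keep it 0600 and out of version
#     control / gists.
#   * `export` puts the token in the environment of every process started from
#     an interactive shell (readable via /proc/<pid>/environ by the same user and
#     by anything that dumps its environment). Scope the token to the minimum
#     (DNS edit on the zones acme.sh manages) rather than an account-wide key.
#
# Only source the acme.sh env file if it actually exists, so shells on a host
# that was set up without `-a` do not print an error on every start.
if [ -r "$HOME/.acme.sh/acme.sh.env" ]; then
    . "$HOME/.acme.sh/acme.sh.env"
fi
export CF_Account_ID="422c4fb547f02ab95c920ac70a78c4bf"
# Fill in locally; never commit a real value.
export CF_Token=""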
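# Catch-all plain-HTTP server: answers ACME HTTP-01 challenges and redirects
# everything else to HTTPS.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;

    # /.well-known/acme-challenge/ must stay reachable over plain HTTP.
    include letsencrypt.conf;

    # The redirect lives inside a location on purpose. A `return` at server
    # level is executed in the server rewrite phase, *before* any location is
    # matched, so it would also swallow challenge requests and break HTTP-01
    # even though letsencrypt.conf is included above. The longer
    # /.well-known/acme-challenge/ prefix wins over `/` for challenge URIs.
    location / {
        return 301 https://$host$request_uri;
    }
}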
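# Catch-all HTTPS server (default vhost). Serves /var/www/html using the
# "default" certificate kept under /srv/ssl/default.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name _;
    root /var/www/html;

    ssl_certificate /srv/ssl/default/fullchain.pem;
    ssl_certificate_key /srv/ssl/default/key.pem;
    server_tokens off;
    include ssl_params.conf;
    include letsencrypt.conf;

    # Security headers.
    # NOTE: add_header is not inherited into a location that sets any add_header
    # of its own - such a location silently drops all of the headers below. Keep
    # that in mind when adding headers inside `location` blocks or phpfpm.conf.
    add_header X-Frame-Options "SAMEORIGIN";
    # "0" explicitly disables the legacy XSS auditor. "1; mode=block" is
    # obsolete: current browsers ignore the header, and in old ones the filter
    # itself could be abused, so the recommended value today is 0.
    add_header X-XSS-Protection "0";
    add_header X-Content-Type-Options "nosniff";
    # HSTS with includeSubDomains + preload on a *catch-all* vhost means any
    # hostname that resolves here and lands on the default server gets a two
    # year HSTS pin, and a preload-list submission is effectively irreversible.
    # Drop `preload` unless every name that can reach this server is meant to
    # be on the preload list.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";

    index index.nginx-debian.html index.html index.htm;
    charset utf-8;

    location / {
        try_files $uri $uri/ =404;
    }

    # ACME challenges must never sit behind HTTP auth, even if a vhost that
    # copies this block turns on auth_basic at server level.
    location /.well-known {
        auth_basic "off";
    }

    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt { access_log off; log_not_found off; }

    # Deny every dotfile and dot-directory (.git, .env, .htpasswd, ...) rather
    # than only .ht*; /.well-known/ is carved out so challenges keep working.
    # Listed before the PHP include on purpose: regex locations are tried in
    # order of appearance, so this one must come first to stop something like
    # /.hidden.php from being matched by `\.php$` and executed.
    location ~ /\.(?!well-known/) {
        deny all;
    }

    # Uncomment for PHP support (check /etc/nginx/phpfpm.conf), assumes PHP 8.1 FPM is installed.
    # include phpfpm.conf;

    access_log /var/log/nginx/default-access.log combined;
    error_log /var/log/nginx/default-error.log error;
}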
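#!/bin/bash
# Generate Diffie-Hellman parameters for nginx (used by `ssl_dhparam` in
# ssl_params.conf).
#
# usage: generate-dhparams.sh [BITS]      (default: 2048)
#
# Uses sudo for every privileged step, so it works both standalone and when the
# setup script runs it via `sudo bash`.
set -euo pipefail

OUT="/etc/nginx/dhparams.pem"
BITS="${1:-2048}"

# Accept only a numeric size of at least 2048 bits. 1024-bit and smaller DH
# groups are considered weak (Logjam), so refuse them loudly instead of
# silently generating a weak group or passing garbage to openssl.
if [[ ! "$BITS" =~ ^[0-9]+$ ]] || (( BITS < 2048 )); then
    echo "usage: $0 [BITS] -- BITS must be an integer >= 2048 (got: '$BITS')" >&2
    exit 1
fi

# Generate into a temp file next to the target and move it into place, so a
# partially written file is never what nginx loads. DH parameters are public
# values; 0644 is enough (the original 0700 only added a pointless execute bit).
TMP="$(sudo mktemp "${OUT}.XXXXXX")"
sudo openssl dhparam -out "$TMP" "$BITS"
sudo chown root:root -- "$TMP"
sudo chmod 0644 -- "$TMP"
sudo mv -f -- "$TMP" "$OUT"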
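# Shared include: serve ACME HTTP-01 challenge files for every vhost from one
# fixed directory, independent of that vhost's `root`.
#
# Both the location prefix and the alias end in a slash on purpose. The
# original (no slash on either) was not exploitable, but a prefix location
# without a trailing slash combined with an alias that has one is the classic
# nginx "off-by-slash" traversal (/prefix../x -> <alias>/../x). Keeping the two
# consistent removes that trap for whoever edits this file next.
location /.well-known/acme-challenge/ {
    alias /var/www/html/.well-known/acme-challenge/;
}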
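# PHP 8.1 FPM handler. Include from inside a `server` block (see the commented
# `include phpfpm.conf;` in 000-default.conf).
location ~ \.php$ {
    # Only hand existing files to FPM. This is the guard against the classic
    # "/upload.jpg/evil.php" PATH_INFO trick where FPM would execute a file that
    # is not actually a .php script.
    try_files $uri =404;
    # Because the location regex already requires the URI to end in .php, the
    # second capture here never matches and PATH_INFO stays empty; the directive
    # is kept for parity with the usual FPM snippet but is effectively unused.
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_pass unix:/var/run/php/php8.1-fpm.sock;
    fastcgi_index index.php;
    include fastcgi_params;
    # $fastcgi_script_name already starts with "/", so no separator is needed;
    # the original "$document_root/$fastcgi_script_name" produced "//" paths.
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}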
# Shared reverse-proxy request headers; include next to `proxy_pass`.
# Forward the client's Host header unchanged (including any port).
proxy_set_header Host $http_host;
# Scheme the client actually used, so the upstream can build correct
# redirects and cookie flags.
proxy_set_header X-Forwarded-Proto $scheme;
# The TCP peer address nginx saw, which the client cannot forge (unless
# another proxy sits in front of nginx).
proxy_set_header X-Real-IP $remote_addr;
# Appends $remote_addr to whatever X-Forwarded-For the client sent. The
# upstream must therefore trust only the *last* entry (added by nginx) and
# never the first, which is client-controlled.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
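#!/bin/bash
# Install nginx and fetch the shared include files from this gist into
# /etc/nginx; optionally bootstrap acme.sh and the default site config.
#
# usage: $0 [-h] [-a] [-d] [-b]     (see help() below)
#
# Assumptions carried over from the original script:
#   * Debian/Ubuntu with apt and sudo; systemd is used only if `systemctl` exists.
#   * The nginx.org APT repo has already been added (https://git.io/nginx-debian),
#     which is why `nginx` rather than Debian's `nginx-full` is installed.
#
# Supply-chain notes (review):
#   * $GIST is the gist's *latest* revision. Whatever it serves at run time is
#     installed root-owned under /etc/nginx. Pin it to a specific revision
#     (".../raw/<commit>") before running this unattended.
#   * `-a` downloads https://get.acme.sh/ and runs it as root. It is saved to a
#     file first so a truncated download can no longer execute a partial script,
#     but it is still unsigned code from the network: read it before use.
set -euo pipefail

INSTALL_ACMESH=0
DOWNLOAD_DEFAULT=0
GIST="https://gist.github.com/Decicus/2f09db5d30f4f24e39de3792bba75b72/raw"
NGINX="/etc/nginx"
SSL_BASE="/srv/ssl"
DEFAULT_DIR="$NGINX/conf.d"
DEFAULT_NAME="000-default.conf"
DH_PARAMS_BITS=2048
# Line appended to the shell rc files so both zsh and bash load .acmeenv.
ACMEENV_LINE='. "$HOME/.acmeenv"'

# Scratch directory for downloads, removed on every exit path.
WORK="$(mktemp -d)"
trap 'rm -rf -- "$WORK"' EXIT

help()
{
cat << EOF
usage: $0
Install the \`nginx\` package via apt and add extra configuration files.
OPTIONS:
-h Shows helptext
-a Installs acme.sh and downloads "bootstrapping" files.
-d Downloads the $DEFAULT_NAME file into $DEFAULT_DIR
-b Use 4096 bits for dhparams (default: $DH_PARAMS_BITS)
EOF
}

# download URL DEST
# HTTPS only (a redirect to plain http is refused) and `-f`, so an HTTP error
# aborts the script instead of saving the error page as a config file.
download()
{
    curl --proto '=https' --tlsv1.2 -fsSL -- "$1" -o "$2"
}

# fetch_root URL DEST MODE
# Download URL into the scratch dir, then install it as a root-owned file at
# DEST with the given mode (the original wrote into /etc/nginx without sudo,
# which only worked when the whole script already ran as root).
fetch_root()
{
    local url="$1" dest="$2" mode="$3"
    local tmp="$WORK/${dest##*/}"
    download "$url" "$tmp"
    sudo install -m "$mode" -o root -g root -- "$tmp" "$dest"
}

# Leading ':' = silent mode, so getopts sets OPTARG on an invalid option instead
# of unsetting it (which would trip `set -u` in the \? branch).
while getopts ":hadb" opt; do
    case "$opt" in
        h)
            help
            exit 0
            ;;
        a)
            INSTALL_ACMESH=1
            echo "Installing and bootstrapping \`acme.sh\`"
            ;;
        d)
            DOWNLOAD_DEFAULT=1
            echo "Downloading 000-default.conf to /etc/nginx/conf.d"
            ;;
        b)
            DH_PARAMS_BITS=4096
            echo "Using 4096 bits for dhparams"
            ;;
        \?)
            echo "Invalid option: -$OPTARG" >&2
            exit 1
            ;;
        :)
            echo "Option -$OPTARG requires an argument." >&2
            exit 1
            ;;
    esac
done

# Make sure the 'essentials' are installed. `apt-get` rather than `apt`: the
# latter warns that its CLI is not stable for scripts.
sudo apt-get install -y nginx openssl curl

if (( INSTALL_ACMESH )); then
    # Get acme.sh for issuing certificates (see supply-chain note above).
    # NOTE(review): the installer runs as root, so acme.sh lands in root's home
    # while .acmeenv (sourced by the invoking user's shell) looks under $HOME -
    # confirm these are the same account on your hosts.
    download "https://get.acme.sh/" "$WORK/get-acme.sh"
    sudo bash -- "$WORK/get-acme.sh"
fi

# Preferred base directory for storing SSL certificates and keys: root-only.
# A directory needs the owner execute bit to be traversable, so 0700 rather
# than the original `chmod -R 600` (which only root could ignore); anything
# already inside is stripped of group/other access as well.
sudo install -d -m 0700 -o root -g root -- "$SSL_BASE"
sudo chown -R root:root -- "$SSL_BASE"
sudo chmod -R go-rwx -- "$SSL_BASE"

# Shared "environment file" that loads acme.sh and its DNS-API credentials,
# sourced from both zsh and bash rc files (the acme.sh helper scripts are bash,
# the interactive shell is zsh).
if (( INSTALL_ACMESH )); then
    if [[ -e "$HOME/.acmeenv" ]]; then
        # Never clobber an existing file: it may already hold the CF API token.
        echo "Keeping existing $HOME/.acmeenv" >&2
    else
        download "$GIST/.acmeenv" "$WORK/.acmeenv"
        # Owner-only: this file is where the Cloudflare token goes.
        install -m 0600 -- "$WORK/.acmeenv" "$HOME/.acmeenv"
    fi
    # Add to the rc files only once (re-running used to append a duplicate line).
    for rc in "$HOME/.zshrc" "$HOME/.bashrc"; do
        grep -qsF -- "$ACMEENV_LINE" "$rc" || printf '%s\n' "$ACMEENV_LINE" >> "$rc"
    done
fi

# Alias config for Let's Encrypt challenges, base TLS settings, base reverse
# proxy headers and the (not enabled by default) PHP 8.1 FPM include.
# You also need to install PHP before enabling phpfpm.conf.
fetch_root "$GIST/letsencrypt.conf" "$NGINX/letsencrypt.conf" 0644
fetch_root "$GIST/ssl_params.conf"  "$NGINX/ssl_params.conf"  0644
fetch_root "$GIST/proxy_params"     "$NGINX/proxy_params"     0644
fetch_root "$GIST/phpfpm.conf"      "$NGINX/phpfpm.conf"      0644

# Get the dhparams generation script and run it as root with the chosen size.
download "$GIST/generate-dhparams.sh" "$WORK/generate-dhparams.sh"
sudo bash -- "$WORK/generate-dhparams.sh" "$DH_PARAMS_BITS"

# Enable the service if systemd is present. The original used `whereis`, which
# exits 0 whether or not it finds anything, so the check always passed.
if command -v systemctl > /dev/null 2>&1; then
    sudo systemctl enable --now nginx
fi

if (( DOWNLOAD_DEFAULT )); then
    fetch_root "$GIST/$DEFAULT_NAME" "$DEFAULT_DIR/$DEFAULT_NAME" 0644
    # Remove the default configuration shipped with the nginx package
    # (tolerant of it already being gone, so a re-run does not abort here).
    sudo rm -f -- "$DEFAULT_DIR/default.conf"
fi

echo "Base setup done. Open this link for a base nginx site configuration: $GIST/$DEFAULT_NAME"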
# Shared TLS settings, included by every `ssl` server block.
# Only TLS 1.2 and 1.3; nothing older is offered.
ssl_protocols TLSv1.2 TLSv1.3;
# TLS 1.2 suites: ECDHE/DHE key exchange only (forward secrecy) and AEAD
# ciphers only. This list appears to match Mozilla's "intermediate" profile.
# It does not govern TLS 1.3, whose cipher suites OpenSSL selects separately.
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
# Every allowed suite is PFS + AEAD, so let the client choose; clients without
# AES hardware typically prefer ChaCha20 that way.
ssl_prefer_server_ciphers off;
# Group for the DHE-* suites; written by generate-dhparams.sh.
ssl_dhparam /etc/nginx/dhparams.pem;
# Session resumption through the server-side cache only. Tickets are off
# because a long-lived ticket key undermines forward secrecy unless rotated.
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1d;
ssl_session_tickets off;