Script to set up WordPress on Ubuntu 14.04 with nginx, php5-fpm and MariaDB, a Let's Encrypt certificate, and a loopback-only postfix that DKIM-signs outbound mail.
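#!/bin/bash
# Noah Betzen
# Ubuntu 14.04 WordPress Install Steps
# You should run this first: https://gist.github.com/Nezteb/1e0ccd82cc843b9c76e3b2bb929605eb
#
# Installs nginx + php5-fpm + MariaDB + WordPress behind a Let's Encrypt
# certificate, plus a postfix that only listens on loopback and DKIM-signs
# outbound mail. Must be run as root.
# The script aborts on the first failing command so that a failed step is
# never followed by the destructive ones below (rm -rf of the web root and
# of the nginx site configs).
set -euo pipefail

die() { printf 'error: %s\n' "$*" >&2; exit 1; }

[[ $EUID -eq 0 ]] || die "this script must be run as root"

#################### VARIABLES TO CHANGE
read -r -p "Server domain name: " serverAddress   # nginx server_name, certificate CN, DKIM domain and key directory
read -r -p "Your email address: " emailAddress    # root mail alias and Let's Encrypt account contact
# Both answers are interpolated into config files, file paths, sed and SQL
# below, so refuse anything that is not a plain hostname / address.
[[ $serverAddress =~ ^[A-Za-z0-9.-]+$ ]] || die "invalid domain name: '$serverAddress'"
[[ $emailAddress =~ ^[^[:space:]]+@[^[:space:]]+$ ]] || die "invalid email address: '$emailAddress'"
serverFilesPath=/var/www/html                 # web root location
mysqlUsername=mysql                           # WordPress's database account (a MariaDB user, unrelated to the OS user "mysql")
mysqlPassword=$(openssl rand -base64 16)      # if you don't want a secure password, change this ;)
mysqlRootPassword=$(openssl rand -base64 16)  # if you don't want a secure password, change this ;)
mysqlDatabaseName=wordpress                   # database WordPress will use
webPort=80                                    # HTTP port
sslPort=443                                   # HTTPS port
postfixPort=12301                             # loopback TCP port on which opendkim listens for postfix
#################### DO NOT EDIT BELOW THIS LINE

# Install and update packages
apt-get update -y
apt-get install -y "linux-headers-$(uname -r)"
apt-get install -y build-essential curl wget zip unzip rsync
apt-get install -y g++ gcc git
apt-get install -y fail2ban ufw   # installed only: neither is configured or enabled by this script
# noninteractive: MariaDB root gets an empty password until it is set further down
DEBIAN_FRONTEND=noninteractive apt-get install -y mariadb-server
apt-get install -y mailutils opendkim opendkim-tools spamassassin
apt-get install -y php5 php5-mysql php5-gd php5-mcrypt php5-curl libssh2-php php5-fpm
apt-get install -y nginx
apt-get autoremove -y

# Start services
service php5-fpm restart
service nginx restart
service mysql restart
service postfix restart
service opendkim restart

# Configure postfix: accept mail on loopback only and hand it to the milters.
# postconf -e replaces an existing key instead of appending a duplicate to main.cf.
postconf -e "inet_interfaces = localhost"
postconf -e "milter_protocol = 2"
# If a milter is unreachable, deliver anyway instead of deferring. The spamass
# socket is presumably provided by the spamass-milter package, which this
# script does not install — confirm; "accept" is what keeps mail flowing without it.
postconf -e "milter_default_action = accept"
postconf -e "smtpd_milters = unix:/spamass/spamass.sock, inet:localhost:$postfixPort"
postconf -e "non_smtpd_milters = unix:/spamass/spamass.sock, inet:localhost:$postfixPort"
echo "root: $emailAddress" >> /etc/aliases
newaliases

# Configure opendkim (appended to the packaged /etc/opendkim.conf)
mkdir -p /etc/opendkim/keys
cat << EOF >> /etc/opendkim.conf
AutoRestart Yes
AutoRestartRate 10/1h
UMask 002
Syslog yes
SyslogSuccess Yes
LogWhy Yes
Canonicalization relaxed/simple
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
InternalHosts refile:/etc/opendkim/TrustedHosts
KeyTable refile:/etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable
Mode sv
PidFile /var/run/opendkim/opendkim.pid
SignatureAlgorithm rsa-sha256
UserID opendkim:opendkim
Socket inet:$postfixPort@localhost
EOF
# Double quotes so the port is actually expanded (single quotes would write the literal text "$postfixPort")
echo "SOCKET=\"inet:$postfixPort@localhost\"" >> /etc/default/opendkim
# Hosts listed here are "internal": their mail is signed rather than verified.
# Only loopback is reachable anyway because postfix listens on localhost; add
# a LAN range here only if hosts on it are allowed to relay mail that gets
# signed as $serverAddress.
cat << EOF > /etc/opendkim/TrustedHosts
127.0.0.1
localhost
*.$serverAddress
EOF
keyDir=/etc/opendkim/keys/$serverAddress
echo "mail._domainkey.$serverAddress $serverAddress:mail:$keyDir/mail.private" > /etc/opendkim/KeyTable
echo "*@$serverAddress mail._domainkey.$serverAddress" > /etc/opendkim/SigningTable
mkdir -p "$keyDir"
# -D writes mail.private/mail.txt into the directory the KeyTable points at;
# generating in /etc/opendkim/keys itself would leave that path dangling.
# 2048-bit key rather than the tool's shorter default.
opendkim-genkey -b 2048 -D "$keyDir" -s mail -d "$serverAddress"
chown -R opendkim:opendkim "$keyDir"
chmod 700 "$keyDir"
chmod 600 "$keyDir/mail.private"
publicKey=$(cat "$keyDir/mail.txt")
service postfix restart
service opendkim restart

# Empty the web root. ${var:?} aborts instead of expanding to "rm -rf /*"
# should the variable ever be empty.
mkdir -p "$serverFilesPath"
rm -rf "${serverFilesPath:?}"/*

# Stronger DH parameters for the DHE cipher suites (this takes a while)
openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

# Temporary plain-HTTP site so the ACME HTTP-01 challenge can be served from the web root
rm -rf /etc/nginx/sites-available/* /etc/nginx/sites-enabled/*
cat << EOF > /etc/nginx/sites-available/default
server {
    server_tokens off;
    listen $webPort;
    server_name $serverAddress;
    root $serverFilesPath;
    location ^~ /.well-known/ {
        allow all;
    }
}
EOF
ln -fs /etc/nginx/sites-available/default /etc/nginx/sites-enabled/default
nginx -t
service nginx restart

# Get a certificate from Let's Encrypt via the webroot challenge.
# TODO(review): certbot-auto is downloaded over HTTPS but not otherwise
# verified before being executed as root; check the detached signature EFF
# publishes next to it (certbot-auto.asc) first.
cd ~
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
# --non-interactive needs the ToS agreement and contact address up front;
# certbot-auto bootstraps its own dependencies on first run.
./certbot-auto certonly --non-interactive --agree-tos --email "$emailAddress" \
  --webroot --webroot-path "$serverFilesPath" -d "$serverAddress"
# to renew later: ./certbot-auto renew --quiet --no-self-upgrade

# Configure MySQL. Statements are fed on stdin so the passwords never appear
# in a process argument list (readable by every local user via ps).
# TODO(review): only root@localhost gets a password here; run
# mysql_secure_installation (or equivalent) for the other default accounts.
mysql -u root << EOF
CREATE DATABASE \`$mysqlDatabaseName\`;
CREATE USER '$mysqlUsername'@'localhost' IDENTIFIED BY '$mysqlPassword';
GRANT ALL PRIVILEGES ON \`$mysqlDatabaseName\`.* TO '$mysqlUsername'@'localhost';
FLUSH PRIVILEGES;
SET PASSWORD FOR 'root'@'localhost' = PASSWORD('$mysqlRootPassword');
EOF

# Set up WordPress
cd "$serverFilesPath"
wget https://wordpress.org/latest.zip
wget https://wordpress.org/latest.zip.sha1
# Integrity check only (the digest comes from the same origin as the archive)
printf '%s  latest.zip\n' "$(cat latest.zip.sha1)" | sha1sum -c -
unzip -q latest.zip
rm -f latest.zip latest.zip.sha1
rsync -a wordpress/ .
rm -rf wordpress/
cp wp-config-sample.php wp-config.php
# Give WordPress its database credentials (~ as sed delimiter: base64 passwords can contain /)
sed -i "s~database_name_here~$mysqlDatabaseName~" wp-config.php
sed -i "s~username_here~$mysqlUsername~" wp-config.php
sed -i "s~password_here~$mysqlPassword~" wp-config.php
# Replace the eight placeholder keys/salts with unique random values: the
# sample ships the same placeholder for all of them, which would leave the
# cookie/nonce secrets guessable. Hex contains nothing sed treats specially;
# "0,/re/" makes each pass replace only the first remaining placeholder.
for i in 1 2 3 4 5 6 7 8; do
  salt=$(openssl rand -hex 32)
  sed -i "0,/put your unique phrase here/s~put your unique phrase here~$salt~" wp-config.php
done
# Force WordPress to use your server name (so you don't have to do it from WordPress settings).
# Inserted before the "stop editing" marker, i.e. before wp-settings.php is loaded,
# rather than appended after it.
grep -q "stop editing" wp-config.php || die "wp-config.php has no 'stop editing' marker; cannot place WP_HOME"
sed -i "/stop editing/i define('WP_HOME','https://$serverAddress');" wp-config.php
sed -i "/stop editing/i define('WP_SITEURL','https://$serverAddress');" wp-config.php

# Create the nginx site
rm -rf /etc/nginx/sites-available/* /etc/nginx/sites-enabled/*
cat << EOF > /etc/nginx/sites-available/wordpress
# Drop requests that arrive with an unknown Host header
server {
    server_tokens off;
    listen 80 default_server;
    server_name _;
    return 444;
}
# Force HTTPS
server {
    server_tokens off;
    listen $webPort;
    server_name $serverAddress;
    return 301 https://\$host\$request_uri;
}
server {
    server_tokens off;
    listen $sslPort ssl;
    server_name $serverAddress;
    root $serverFilesPath;
    index index.php index.html index.htm;
    client_max_body_size 20M;
    # TLS: 1.2 only (1.0/1.1 are deprecated), forward-secret AEAD suites first, no RC4/3DES/MD5
    ssl_certificate /etc/letsencrypt/live/$serverAddress/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$serverAddress/privkey.pem;
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5:!PSK';
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security max-age=15768000;
    # gzip lives here, not in nginx.conf: appending a second http{} block there
    # makes nginx refuse to start ("http" directive is duplicate).
    # NOTE(review): compressing HTML over TLS exposes page secrets (e.g. nonces)
    # to BREACH-style attacks; consider "gzip off" if that matters to you.
    gzip on;
    gzip_disable "MSIE [1-6]\.(?!.*SV1)";
    gzip_vary on;
    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
    # Block xmlrpc.php abuse (brute force, pingback amplification); this also disables Jetpack/mobile-app access
    location = /xmlrpc.php {
        deny all;
    }
    # Never execute PHP from the uploads directory. Regex locations match in
    # file order, so this must precede the generic \.php handler.
    location ~* /wp-content/uploads/.*\.php\$ {
        deny all;
    }
    # Hide dotfiles (.htaccess, .git, .user.ini) except the ACME challenge directory
    location ~ /\.(?!well-known/) {
        deny all;
    }
    location / {
        # \$args must be escaped in this heredoc, otherwise the query string is dropped
        try_files \$uri \$uri/ /index.php?q=\$uri&\$args;
    }
    error_page 404 /404.html;
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }
    location ~ \.php\$ {
        # =404 for non-existent scripts: prevents /x.jpg/y.php path-info tricks from executing x.jpg
        try_files \$uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)\$;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
    }
}
EOF
ln -fs /etc/nginx/sites-available/wordpress /etc/nginx/sites-enabled/

# Set permissions: www-data (php-fpm and nginx) owns the tree; directories 755,
# files 644, and wp-config.php (DB password) not world-readable.
chown -R www-data:www-data "$serverFilesPath"
find "$serverFilesPath" -type d -exec chmod 755 {} +
find "$serverFilesPath" -type f -exec chmod 644 {} +
chmod 640 "$serverFilesPath/wp-config.php"

# php-fpm settings, appended so they take effect over the packaged defaults
cat << EOF >> /etc/php5/fpm/php.ini
upload_max_filesize = 10M
; post_max_size must be at least upload_max_filesize or large uploads fail
post_max_size = 20M
; Belt and braces with try_files above: never let /x.jpg/y.php run x.jpg as PHP
cgi.fix_pathinfo = 0
EOF

# Restart necessary services
nginx -t
service php5-fpm restart
service mysql restart
service nginx restart

# Print credentials (they are not stored anywhere else)
printf '!!! MAKE SURE YOU SAVE THESE !!!\n'
printf 'Your credentials are:\n'
printf 'MySQL User: %s\n' "$mysqlUsername"
printf 'MySQL Database: %s\n' "$mysqlDatabaseName"
printf 'MySQL Password: %s\n' "$mysqlPassword"
printf 'MySQL root Password: %s\n' "$mysqlRootPassword"
printf 'Make a DNS entry for PTR: IPADDRESSREVERSED.in-addr.arpa\t\t%s\n' "$serverAddress"
# SPF authorises only this host's A record; an include: of someone else's
# domain would let their hosts send mail as yours.
printf 'Make a DNS entry for SPF: @\t\t"v=spf1 a ~all"\n'
printf 'Make a DNS entry for TXT: mail._domainkey.%s.\t\t"v=DKIM1; k=rsa; p=PUBLICKEY"\n' "$serverAddress"
printf '\twhere PUBLICKEY is the p value of:\n%s\n' "$publicKey"
printf '!!! MAKE SURE YOU SAVE THESE !!!\n'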