# install ubuntu 17.10 minimal, then:
# as root (or sudo :P)
#
# Provisioning runbook, not a runnable script: Apache 2.4 (event MPM) with
# PHP 7.2 behind PHP-FPM, MySQL/PostgreSQL/SQLite, Redis, memcached, certbot,
# Composer, PHPUnit and phpMyAdmin on Ubuntu 17.10.
# Angle-bracket tokens (<SITE_DEFAULT>, <SITE_SSL>, <DIR>, <DOMAIN>) are
# placeholders to substitute by hand; left as-is they are shell redirections
# and the lines do not parse. The "# as root" / "# as webmaster" /
# "# back as root" markers say which account the following commands run under.
# NOTE(review): 17.10 is a non-LTS release (archive support ended July 2018).
apt-get update
# kernel headers matching the running kernel
apt-get install -y linux-headers-$(uname -r) build-essential
apt-get -y upgrade
# toolchain and utilities; python2.7-dev/python-pip are Python 2 packages and
# nothing later in this runbook uses pip
apt-get install -y build-essential software-properties-common curl dos2unix gcc libc-dev g++ git libmcrypt4 \
libpcre3-dev ntp unzip make autoconf python2.7-dev python-pip re2c supervisor unattended-upgrades whois \
vim libnotify-bin pv cifs-utils pkg-config
# third-party PPAs for newer apache2/php/redis builds and certbot. Adding a
# PPA imports its owner's signing key, so those packages are trusted from
# here on like the distro's own.
apt-add-repository ppa:ondrej/apache2 -y
apt-add-repository ppa:ondrej/php -y
apt-add-repository ppa:chris-lea/redis-server -y
apt-add-repository ppa:certbot/certbot -y
apt-get update
# libapache2-mod-php7.2
# NOTE(review): --allow-downgrades, --allow-remove-essential and
# --allow-change-held-packages switch off apt's safety checks (held packages
# may be changed and essential packages removed without prompting); drop
# them unless the PPA packages really require it.
apt-get install -y --allow-downgrades --allow-remove-essential --allow-change-held-packages \
apache2 certbot python-certbot-apache php-pear \
mysql-server postgresql sqlite3 libsqlite3-dev imagemagick redis-server memcached \
php7.2-cli php7.2-fpm php7.2-dev php7.2-curl php7.2-mbstring php7.2-xml php7.2-zip php7.2-bcmath \
php7.2-soap php7.2-intl php7.2-readline php7.2-memcached php7.2-mysql php7.2-gmp \
php7.2-imagick php7.2-pgsql php7.2-sqlite3 php7.2-enchant php7.2-pspell
# switch Apache from mod_php + prefork to the event MPM with PHP handled by
# PHP-FPM through mod_proxy_fcgi; http2/rewrite/headers are used by the
# vhost configs further down
service apache2 stop
a2dismod php7.2 mpm_prefork
a2enmod mpm_event proxy_fcgi setenvif http2 rewrite actions alias headers
# replace the stock default site with two site configs (file names are
# placeholders); presumably the :80 redirect vhost and the :443 vhost
# whose contents follow the runbook
a2dissite 000-default
a2ensite <SITE_DEFAULT>
a2ensite <SITE_SSL>
# enable the PHP extensions installed above for all SAPIs
phpenmod fileinfo curl mbstring xml zip bcmath soap intl readline memcached mysqli gmp imagick pdo pgsql sqlite3
# unprivileged deployment account with a bash login shell; the commented
# chsh at the end is for disabling interactive login once setup is done
adduser webmaster
chsh -s /bin/bash webmaster
# as webmaster
# NOTE(review): the steps below call sudo from the webmaster account, but
# nothing above adds webmaster to sudoers — confirm how they are meant to run.
su webmaster
# Install Composer
# NOTE(review): the installer is fetched over TLS and piped straight into
# php as root with no integrity check. Composer publishes the installer's
# SHA-384; download to a file, compare the hash, then run it — unprivileged,
# since only the mv into /usr/local/bin needs root.
sudo curl -sS https://getcomposer.org/installer | php
sudo mv composer.phar /usr/local/bin/composer
# append Composer's global vendor/bin to webmaster's PATH: the inner
# `sudo su - webmaster -c ...` resolves composer's home dir as webmaster,
# and \$PATH is escaped so the literal $PATH lands in .profile
sudo printf "\nPATH=\"$(sudo su - webmaster -c 'composer config -g home 2>/dev/null')/vendor/bin:\$PATH\"\n" | tee -a /home/webmaster/.profile
# Install global PHPUnit
# NOTE(review): phpunit.phar is installed without checking the release
# signature/checksum published alongside it; verify before chmod/mv.
sudo wget -nv https://phar.phpunit.de/phpunit.phar
sudo chmod +x phpunit.phar
sudo mv phpunit.phar /usr/local/bin/phpunit
# sanity check that the phar runs
phpunit --version
# PHPMyAdmin
# NOTE(review): pinned to 4.7.7 but the tarball is not verified against the
# checksum/signature phpMyAdmin publishes. This tree is served at
# /phpmyadmin by the Alias in the vhost config below, so what lands here is
# internet-facing.
sudo wget -nv https://files.phpmyadmin.net/phpMyAdmin/4.7.7/phpMyAdmin-4.7.7-all-languages.tar.gz
sudo tar -xzf phpMyAdmin-4.7.7-all-languages.tar.gz && sudo mv phpMyAdmin-4.7.7-all-languages /usr/share/phpmyadmin && sudo rm phpMyAdmin-4.7.7-all-languages.tar.gz
# composer install runs as root inside the web tree; --no-dev skips dev
# packages, --no-interaction/--prefer-dist keep it unattended
cd /usr/share/phpmyadmin/ && sudo composer install --no-dev --no-interaction --prefer-dist
# back as root
# start PHP-FPM now and at boot, then bring Apache (stopped above) back up
systemctl start php7.2-fpm
systemctl enable php7.2-fpm
service apache2 start
# request a certificate in webroot mode: certbot writes the ACME challenge
# under <DIR>, which must be served for <DOMAIN>. --must-staple asks for a
# certificate with the OCSP Must-Staple extension, which pairs with
# SSLUseStapling in the SSL config below. "[ -w <DIR> -d <DOMAIN>]" means
# "repeat for further domains", it is not shell syntax.
# NOTE(review): --redirect/--hsts/--staple-ocsp are installer options; with
# certonly no installer runs, so they are probably ignored here — the
# equivalent settings are applied by hand in the config below. Confirm.
certbot certonly --must-staple --redirect --hsts --staple-ocsp --webroot -w <DIR> -d <DOMAIN> [ -w <DIR> -d <DOMAIN>]
# status checks; certbot.service is presumably the package's renewal unit
systemctl status apache2.service
systemctl status php7.2-fpm.service
systemctl status certbot.service
# disable webmaster login
# (left commented out) nologin blocks interactive shell logins for the account
#chsh -s /usr/sbin/nologin webmaster
# presumably the <SITE_DEFAULT> config: plain-HTTP vhost whose job is to
# redirect to HTTPS. Because the RewriteCond only matches the named server,
# requests carrying any other Host value are served over plain HTTP from
# /var/www/html instead of being redirected.
<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine on
# NOTE(review): RewriteCond takes two space-separated arguments; as written
# ("%{SERVER_NAME}=<YOUR_SERVER_NAME>") there is no condition pattern, so
# Apache should reject the line. The usual form is
# "RewriteCond %{SERVER_NAME} =<YOUR_SERVER_NAME>" — confirm against the live file.
RewriteCond %{SERVER_NAME}=<YOUR_SERVER_NAME>
# permanent (301) redirect to the same host and URI over https; END stops
# further rewriting, QSA keeps the query string
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
</VirtualHost>
# phpMyAdmin, unpacked to /usr/share/phpmyadmin in the runbook above
Alias /phpmyadmin "/usr/share/phpmyadmin/"
<Directory "/usr/share/phpmyadmin/">
# NOTE(review): Order/Allow are Apache 2.2 (mod_access_compat) directives;
# on 2.4 the Require line is what takes effect and the two lines above it
# are redundant. Either way this opens the database admin UI to every
# client address with nothing in front of it — restricting it (Require ip
# for admin networks, or an auth provider) is the usual mitigation.
Order allow,deny
Allow from all
Require all granted
</Directory>
# PHP-FPM
# hand every *.php request to PHP-FPM over its unix socket
<FilesMatch "\.php$">
SetHandler "proxy:unix:/var/run/php/php7.2-fpm.sock|fcgi://localhost/"
</FilesMatch>
# empty worker definition for the fcgi backend; presumably a placeholder for
# worker settings (timeouts etc.) — confirm
<Proxy "fcgi://localhost/">
</Proxy>
# presumably the <SITE_SSL> config; only active when mod_ssl is loaded
<IfModule mod_ssl.c>
# server-scope TLS settings (stapling cache) must sit outside the VirtualHost
Include /etc/apache2/sites-ssl.conf
<VirtualHost *:443>
# catch-all: this vhost answers for any Host name presented on :443
ServerAlias *
# NOTE(review): /var/www here vs /var/www/html in the :80 vhost — confirm
# which tree is meant to be served
DocumentRoot /var/www
ServerAdmin webmaster@localhost
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# certbot's live directory; <DIR> is the same placeholder as in the
# runbook's certbot call (by default certbot names it after the first
# -d domain)
SSLCertificateFile /etc/letsencrypt/live/<DIR>/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/<DIR>/privkey.pem
# per-vhost TLS and response-header baseline (contents follow below)
Include /etc/apache2/letsencrypt-ssl-apache.conf
</VirtualHost>
# AllowOverride All lets .htaccess files anywhere under /var/www change
# configuration; needed for apps that ship .htaccess, otherwise a
# per-request cost and a larger attack surface
<Directory /var/www>
AllowOverride All
</Directory>
</IfModule>
# server-scope stapling cache (not valid inside a VirtualHost); required by
# SSLUseStapling below
SSLStaplingCache shmcb:/var/run/apache2/stapling_cache(128000)
# Baseline setting to Include for SSL sites
# in <VirtualHost *:443>
SSLEngine on
# Intermediate configuration, tweak to your needs
# letsencrypt
# (older, broader profile kept for reference: still allows TLS 1.0/1.1,
# non-forward-secret RSA key exchange and 3DES)
#SSLProtocol all -SSLv2 -SSLv3
#SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
# mozilla
# active profile: SSLv3, TLS 1.0 and 1.1 disabled (TLS 1.2 and newer, as far
# as the OpenSSL build supports); ECDHE-only suites, AEAD (GCM, ChaCha20)
# listed before the CBC-SHA2 ones
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
# server picks from the list above in its own order, not the client's
SSLHonorCipherOrder on
# TLS-level compression off (CRIME mitigation)
SSLCompression off
# SSLRequire/SSLRequireSSL denials win even under "Satisfy any"
SSLOptions +StrictRequire
# OCSP stapling, paired with the --must-staple certificate requested in the
# runbook; responder errors are not relayed to clients
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
# Add vhost name to log entries:
# NOTE(review): only vhost_common includes %v; vhost_combined as defined
# here is the stock "combined" format without the vhost name
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common
#CustomLog /var/log/apache2/access.log vhost_combined
#LogLevel warn
#ErrorLog /var/log/apache2/error.log
# Always ensure Cookies have "Secure" set (JAH 2012/1)
# rewrites every Set-Cookie response header (including those coming back
# from the FPM backend) to carry "; Secure"; HttpOnly/SameSite are not added
Header edit Set-Cookie (?i)^(.*)(;\s*secure)??((\s*;)?(.*)) "$1; Secure$3$4"
# HSTS for 15768000 s (~6 months) with includeSubDomains and preload.
# NOTE(review): the preload list requires a max-age of at least one year
# (31536000) — either raise it or drop "preload".
Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
# NOTE(review): Header takes the field name without a colon; as written the
# emitted name is probably "Timing-Allow-Origin:" — drop the trailing colon.
Header set Timing-Allow-Origin: "*"
# strip the ETag response header
Header unset ETag