Created
August 6, 2020 21:04
-
-
Save dkrusky/fd78dff50c7c19a70c181a62c643d8ef to your computer and use it in GitHub Desktop.
Debian post-install core configuration script with firewall, mysql, php, composer, and nvm.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # ************************************ | |
| # * SETTINGS * | |
| # ************************************ | |
| FIREWALL_DYNDNS=""; | |
| FIREWALL_GEOIP_ACCOUNT=""; | |
| FIREWALL_GEOIP_LICENSE=""; | |
| # Set value to 1 to install that feature. Otherwise set to 0 | |
| FEATURE_FIREWALL=1; | |
| FEATURE_MYSQL=1; | |
| FEATURE_PHP=1; | |
| FEATURE_COMPOSER=1; | |
| FEATURE_NVM=1; | |
| # ************************************ | |
| # * PROGRAM VERSIONS * | |
| # ************************************ | |
| VERSION_PHP="7.3"; | |
| VERSION_GEOIP="4.3.0"; | |
| VERSION_MYSQL="5.7"; | |
| VERSION_NVM="0.35.3"; | |
| ########################################################### | |
| ############### DO NOT EDIT BELOW HERE #################### | |
| ########################################################### | |
| TIMESTAMP=`date +%s`; | |
| # ************************************ | |
| # * CORE PACKAGES * | |
| # ************************************ | |
| function install_core { | |
| # add repos and update | |
| apt-get update -q -y && apt-get upgrade -q -y | |
| apt-get install apt-transport-https gnupg2 lsb-release ca-certificates -q -y | |
| wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg | |
| echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/php.list | |
| echo "deb http://ftp.debian.org/debian stretch-backports main" > /etc/apt/sources.list.d/backports.list | |
| echo -e "deb http://repo.mysql.com/apt/debian/ stretch mysql-$VERSION_MYSQL\ndeb-src http://repo.mysql.com/apt/debian/ stretch mysql-$VERSION_MYSQL" > /etc/apt/sources.list.d/mysql.list | |
| wget -O /tmp/RPM-GPG-KEY-mysql https://repo.mysql.com/RPM-GPG-KEY-mysql | |
| apt-key add /tmp/RPM-GPG-KEY-mysql | |
| apt-key adv --keyserver keys.gnupg.net --recv-keys 8C718D3B5072E1F5 | |
| apt-get update -q -y | |
| apt-get upgrade -q -y | |
| CORE_VIMRC=~/.vimrc; | |
| CORE_BASHRC=~/.bashrc; | |
| [ -f $CORE_VIMRC ] && { echo "backing up"; cp "$CORE_VIMRC" $CORE_VIMRC.$TIMESTAMP; } | |
| [ -f $CORE_BASHRC ] && { echo "backing up"; cp "$CORE_BASHRC" $CORE_BASHRC.$TIMESTAMP; } | |
| # fix vim mouse and syntax | |
| echo "set mouse= | |
| set background=dark | |
| syntax on" > ~/.vimrc | |
| echo "export LS_OPTIONS='--color=auto' | |
| eval \"\`dircolors\`\" | |
| alias ls='ls \$LS_OPTIONS' | |
| alias ll='ls \$LS_OPTIONS -l' | |
| alias l='ls \$LS_OPTIONS -lA' | |
| alias rm='rm -i' | |
| alias cp='cp -i' | |
| alias mv='mv -i' | |
| " > ~/.bashrc | |
| # install core server stuff | |
| apt-get install git lrzsz sendmail net-tools ipset libwww-perl libio-socket-ssl-perl libnet-ssleay-perl libgd-graph-perl unzip -q -y | |
| apt-get update -q -y | |
| apt-get upgrade -q -y | |
| } | |
| # ************************************ | |
| # * PHP * | |
| # ************************************ | |
| function install_php { | |
| apt-get install php$VERSION_PHP-cgi php$VERSION_PHP-cli php$VERSION_PHP-common php$VERSION_PHP-curl php$VERSION_PHP-fpm php$VERSION_PHP-gd php$VERSION_PHP-imap php$VERSION_PHP-intl php$VERSION_PHP-json php$VERSION_PHP-mbstring php$VERSION_PHP-opcache php$VERSION_PHP-readline php$VERSION_PHP-soap php$VERSION_PHP-xml php$VERSION_PHP-xmlrpc php$VERSION_PHP-zip php$VERSION_PHP-bcmath unzip -q -y | |
| if ! command -v mysql &> /dev/null | |
| apt-get install php$VERSION_PHP-mysql -q -y | |
| then | |
| fi | |
| apt-get update -q -y | |
| apt-get upgrade -q -y | |
| service php$VERSION_PHP-fpm restart | |
| } | |
| # ************************************ | |
| # * CONFIGSERVER FIREWALL * | |
| # ************************************ | |
| function install_csf { | |
| if ! command -v csf &> /dev/null | |
| then | |
| # install geoip updater | |
| wget https://github.com/maxmind/geoipupdate/releases/download/v$VERSION_GEOIP/geoipupdate_$VERSION_GEOIP\_linux_amd64.deb | |
| dpkg -i geoipupdate_$VERSION_GEOIP\_linux_amd64.deb | |
| rm -rf geoipupdate_$VERSION_GEOIP\_linux_amd64.deb | |
| # get csf firewall | |
| wget https://download.configserver.com/csf.tgz | |
| tar xvf csf.tgz | |
| cd csf | |
| ./install.sh | |
| # geoip configure for firewall | |
| echo "# Please see https://dev.maxmind.com/geoip/geoipupdate/ for instructions | |
| # on setting up geoipupdate, including information on how to download a | |
| # pre-filled GeoIP.conf file. | |
| # Replace YOUR_ACCOUNT_ID_HERE and YOUR_LICENSE_KEY_HERE with an active account | |
| # ID and license key combination associated with your MaxMind account. These | |
| # are available from https://www.maxmind.com/en/my_license_key. | |
| AccountID $FIREWALL_GEOIP_ACCOUNT | |
| LicenseKey $FIREWALL_GEOIP_ACCOUNT | |
| # Enter the edition IDs of the databases you would like to update. | |
| # Multiple edition IDs are separated by spaces. | |
| EditionIDs GeoLite2-ASN GeoLite2-Country GeoLite2-City | |
| # The remaining settings are OPTIONAL. | |
| # The directory to store the database files. Defaults to /usr/share/GeoIP | |
| # DatabaseDirectory /usr/share/GeoIP | |
| # The server to use. Defaults to \"updates.maxmind.com\". | |
| # Host updates.maxmind.com | |
| # The proxy host name or IP address. You may optionally specify a | |
| # port number, e.g., 127.0.0.1:8888. If no port number is specified, 1080 | |
| # will be used. | |
| # Proxy 127.0.0.1:8888 | |
| # The user name and password to use with your proxy server. | |
| # ProxyUserPassword username:password | |
| # Whether to preserve modification times of files downloaded from the server. | |
| # Defaults to \"0\". | |
| # PreserveFileTimes 0 | |
| # The lock file to use. This ensures only one geoipupdate process can run at a | |
| # time. | |
| # Note: Once created, this lockfile is not removed from the filesystem. | |
| # Defaults to \".geoipupdate.lock\" under the DatabaseDirectory. | |
| # LockFile /usr/share/GeoIP/.geoipupdate.lock | |
| " > /etc/GeoIP.conf | |
| # setup CSF | |
| cp /etc/csf/csf.conf /etc/csf/csf.conf.$TIMESTAMP | |
| sed -i -E ' | |
| s/^(TESTING *= *\")[^\"]*/\1'"0"'/g | |
| s/^(VERBOSE *= *\")[^\"]*/\1'"0"'/g | |
| s/^(SYSLOG *= *\")[^\"]*/\1'"0"'/g | |
| s/^(URLGET *= *\")[^\"]*/\1'"2"'/g | |
| s/^(DYNDNS *= *\")[^\"]*/\1'"300"'/g | |
| s/^(DYNDNS_IGNORE *= *\")[^\"]*/\1'"1"'/g | |
| s/^(UI *= *\")[^\"]*/\1'"0"'/g | |
| s/^(RESTRICT_UI *= *\")[^\"]*/\1'"2"'/g | |
| s/^(RESTRICT_SYSLOG *= *\")[^\"]*/\1'"3"'/g | |
| s/^(LF_SPI *= *\")[^\"]*/\1'"1"'/g | |
| s/^(IPV6 *= *\")[^\"]*/\1'"1"'/g | |
| s/^(TCP_IN *= *\")[^\"]*/\1'"80,443"'/g | |
| s/^(TCP6_IN *= *\")[^\"]*/\1'"80,443"'/g | |
| s/^(TCP_OUT *= *\")[^\"]*/\1'"20:65534"'/g | |
| s/^(TCP6_OUT *= *\")[^\"]*/\1'"1:65535"'/g | |
| s/^(UDP_IN *= *\")[^\"]*/\1'""'/g | |
| s/^(UDP6_IN *= *\")[^\"]*/\1'""'/g | |
| s/^(UDP_OUT *= *\")[^\"]*/\1'"20:65534"'/g | |
| s/^(UDP6_OUT *= *\")[^\"]*/\1'"1:65535,9999"'/g | |
| s/^(ICMP_IN *= *\")[^\"]*/\1'"0"'/g | |
| s/^(ICMP_OUT *= *\")[^\"]*/\1'"1"'/g | |
| s/^(IGNORE_ALLOW *= *\")[^\"]*/\1'"0"'/g | |
| s/^(LF_DAEMON *= *\")[^\"]*/\1'"1"'/g | |
| s/^(LF_CSF *= *\")[^\"]*/\1'"1"'/g | |
| s/^(LF_IPSET *= *\")[^\"]*/\1'"1"'/g | |
| s/^(FASTSTART *= *\")[^\"]*/\1'"1"'/g | |
| s/^(SMTP_BLOCK *= *\")[^\"]*/\1'"0"'/g | |
| s/^(SMTP_ALLOWLOCAL *= *\")[^\"]*/\1'"1"'/g | |
| s/^(CC_DENY *= *\")[^\"]*/\1'""'/g | |
| s/^(CC_ALLOW *= *\")[^\"]*/\1'"CA"'/g | |
| s/^(CC_LOOKUPS *= *\")[^\"]*/\1'"1"'/g | |
| s/^(CC6_LOOKUPS *= *\")[^\"]*/\1'"1"'/g | |
| s/^(IPV6_ICMP_STRICT *= *\")[^\"]*/\1'"1"'/g | |
| s/^(MM_LICENSE_KEY *= *\")[^\"]*/\1'"$FIREWALL_GEOIP_LICENSE"'/g | |
| s/^(CC_SRC *= *\")[^\"]*/\1'"1"'/g | |
| ' /etc/csf/csf.conf | |
| echo "$FIREWALL_DYNDNS" >> /etc/csf/csf.dyndns | |
| echo "tcp:in:d=443:s=64.41.200.0/24" >> /etc/csf/csf.allow | |
| fi | |
| rm -rf csf | |
| rm -rf csf.tgz | |
| apt-get update -q -y | |
| apt-get upgrade -q -y | |
| # ensure latest MaxMind GeoIP data is downloaded | |
| geoipupdate | |
| # stop CSF if started | |
| csf -x | |
| # start CSF with new settings | |
| csf -e | |
| } | |
| # ************************************ | |
| # * MYSQL * | |
| # ************************************ | |
| function install_mysql { | |
| if ! command -v mysql &> /dev/null | |
| then | |
| export DEBIAN_FRONTEND=noninteractive | |
| apt-get install mysql-server | |
| service mysql stop | |
| mv /etc/mysql/mysql.conf.d/mysqld.cnf /etc/mysql/mysql.cnf.$TIMESTAMP | |
| echo "# Copyright (c) 2014, 2016, Oracle and/or its affiliates. All rights reserved. | |
| # | |
| # This program is free software; you can redistribute it and/or modify | |
| # it under the terms of the GNU General Public License as published by | |
| # the Free Software Foundation; version 2 of the License. | |
| # | |
| # This program is distributed in the hope that it will be useful, | |
| # but WITHOUT ANY WARRANTY; without even the implied warranty of | |
| # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
| # GNU General Public License for more details. | |
| # | |
| # You should have received a copy of the GNU General Public License | |
| # along with this program; if not, write to the Free Software | |
| # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA | |
| # | |
| # The MySQL Server configuration file. | |
| # | |
| # For explanations see | |
| # http://dev.mysql.com/doc/mysql/en/server-system-variables.html | |
| [mysqld] | |
| pid-file = /var/run/mysqld/mysqld.pid | |
| socket = /var/run/mysqld/mysqld.sock | |
| datadir = /var/lib/mysql | |
| log-error = /var/log/mysql/error.log | |
| # By default we only accept connections from localhost | |
| #bind-address = 127.0.0.1 | |
| # Disabling symbolic-links is recommended to prevent assorted security risks | |
| symbolic-links=0" > /etc/mysql/mysql.conf.d/mysqld.cnf | |
| service mysql start | |
| echo "MySQL Server Password" | |
| mysql -u root -p mysql -e "update user set Host=\"%\" where User=\"root\"; grant all privileges on *.* to 'root'@'%' with grant option; ALTER USER 'root'@'%' IDENTIFIED WITH mysql_native_password BY ''; flush privileges;" | |
| fi | |
| # if php is installed, then install the mysql module | |
| if command -v php &> /dev/null | |
| apt-get install php$VERSION_PHP-mysql -q -y | |
| then | |
| fi | |
| service mysql restart | |
| service php$VERSION_PHP-fpm restart | |
| } | |
| # ************************************ | |
| # * NODE SWITCHER * | |
| # ************************************ | |
| function install_nvm { | |
| if ! command -v nvm &> /dev/null | |
| then | |
| curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v$VERSION_NVM/install.sh | bash | |
| fi | |
| } | |
| # ************************************ | |
| # * COMPOSER * | |
| # ************************************ | |
| function install_composer { | |
| if ! command -v php &> /dev/null | |
| then | |
| install_php; | |
| fi | |
| if ! command -v composer &> /dev/null | |
| then | |
| wget --output-document=composer-setup.php https://getcomposer.org/installer | |
| php composer-setup.php --install-dir=/usr/local/bin --filename=composer | |
| rm -rf composer-setup.php | |
| fi | |
| } | |
| ########################################################### | |
| ########################################################### | |
| ########################################################### | |
| install_core | |
| if [ "$FEATURE_FIREWALL" eq "1" ]; then | |
| install_csf; | |
| fi | |
| if [ "$FEATURE_MYSQL" eq "1" ]; then | |
| install_mysql; | |
| fi | |
| if [ "$FEATURE_PHP" eq "1" ]; then | |
| install_php; | |
| fi | |
| if [ "$FEATURE_NVM" eq "1" ]; then | |
| install_nvm; | |
| fi | |
| if [ "$FEATURE_COMPOSER" eq "1" ]; then | |
| install_composer; | |
| fi |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment