Skip to content

Instantly share code, notes, and snippets.

@donaldsteele
Created October 2, 2017 13:57
Show Gist options
  • Save donaldsteele/74762c923327c513dc0a918b411c330b to your computer and use it in GitHub Desktop.
Save donaldsteele/74762c923327c513dc0a918b411c330b to your computer and use it in GitHub Desktop.
VPS install bash script for Ubuntu 16.04

This script install and configure LEMP-environment for Ubuntu 16.04

  1. Create VPS
  2. Login as root
  3. Download install.sh
  4. chmod 700 install.sh
  5. bash ./install.sh

####Software:

Nginx, PHP 7.0 with php7.0-fpm, Mysql 5.7, Redis, Memcached, Beanstalkd, Node.js 5, Supervisor, Composer, Fail2Ban

#####Settings:

Open ports only: 22, 80, 443

SSH password auth is disabled (only keys)

# =================== YOUR DATA ========================
SERVER_NAME="some-server-name"
SERVER_IP="111.111.11.11"
USER="someuser"
SUDO_PASSWORD="secret-password-one"
MYSQL_ROOT_PASSWORD="secret-password-two"
# SSH access via password will be disabled. Use keys instead.
PUBLIC_SSH_KEYS="# Home
ssh-rsa AAAAB3NzaC1yc2EAAAA......
# Notebook
ssh-rsa AAAAB3NzaC1yc2EAAAA......
# Work
ssh-rsa AAAAB3NzaC1yc2EAAAA......"
# if vps not contains swap file - create it
SWAP_SIZE="1G"
TIMEZONE="Etc/GMT+0" # lits of avaiable timezones: ls -R --group-directories-first /usr/share/zoneinfo
# =================== LETS MAGIC BEGINS ================
# Prefer IPv4 over IPv6 - make apt-get faster
sudo sed -i "s/#precedence ::ffff:0:0\/96 100/precedence ::ffff:0:0\/96 100/" /etc/gai.conf
# Upgrade The Base Packages
apt-get update
apt-get upgrade -y
# Add A Few PPAs To Stay Current
apt-get install -y --force-yes software-properties-common
apt-add-repository ppa:nginx/development -y
apt-add-repository ppa:chris-lea/redis-server -y
apt-add-repository ppa:ondrej/apache2 -y
apt-add-repository ppa:ondrej/php -y
# Update Package Lists
apt-get update
# Base Packages
apt-get install -y --force-yes build-essential curl fail2ban gcc git libmcrypt4 libpcre3-dev \
make python2.7 python-pip supervisor ufw unattended-upgrades unzip whois zsh mc p7zip-full htop
# Install Python Httpie
pip install httpie
# Disable Password Authentication Over SSH
sed -i "/PasswordAuthentication yes/d" /etc/ssh/sshd_config
echo "" | sudo tee -a /etc/ssh/sshd_config
echo "" | sudo tee -a /etc/ssh/sshd_config
echo "PasswordAuthentication no" | sudo tee -a /etc/ssh/sshd_config
# Restart SSH
ssh-keygen -A
service ssh restart
# Set The Hostname If Necessary
echo "$SERVER_NAME" > /etc/hostname
sed -i "s/127\.0\.0\.1.*localhost/127.0.0.1 $SERVER_NAME localhost/" /etc/hosts
hostname $SERVER_NAME
# Set The Timezone
ln -sf /usr/share/zoneinfo/$TIMEZONE /etc/localtime
# Create The Root SSH Directory If Necessary
if [ ! -d /root/.ssh ]
then
mkdir -p /root/.ssh
touch /root/.ssh/authorized_keys
fi
# Setup User
useradd $USER
mkdir -p /home/$USER/.ssh
adduser $USER sudo
# Setup Bash For User
chsh -s /bin/bash $USER
cp /root/.profile /home/$USER/.profile
cp /root/.bashrc /home/$USER/.bashrc
# Set The Sudo Password For User
PASSWORD=$(mkpasswd $SUDO_PASSWORD)
usermod --password $PASSWORD $USER
# Build Formatted Keys & Copy Keys To User
cat > /root/.ssh/authorized_keys << EOF
$PUBLIC_SSH_KEYS
EOF
cp /root/.ssh/authorized_keys /home/$USER/.ssh/authorized_keys
# Create The Server SSH Key
ssh-keygen -f /home/$USER/.ssh/id_rsa -t rsa -N ''
# Copy Github And Bitbucket Public Keys Into Known Hosts File
ssh-keyscan -H github.com >> /home/$USER/.ssh/known_hosts
ssh-keyscan -H bitbucket.org >> /home/$USER/.ssh/known_hosts
# Setup Site Directory Permissions
chown -R $USER:$USER /home/$USER
chmod -R 755 /home/$USER
chmod 700 /home/$USER/.ssh/id_rsa
# Setup Unattended Security Upgrades
cat > /etc/apt/apt.conf.d/50unattended-upgrades << EOF
Unattended-Upgrade::Allowed-Origins {
"Ubuntu xenial-security";
};
Unattended-Upgrade::Package-Blacklist {
//
};
EOF
cat > /etc/apt/apt.conf.d/10periodic << EOF
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";
EOF
# Setup UFW Firewall
ufw allow 22
ufw allow 80
ufw allow 443
ufw --force enable
# Allow FPM Restart
echo "$USER ALL=NOPASSWD: /usr/sbin/service php7.0-fpm reload" > /etc/sudoers.d/php-fpm
# Configure Supervisor Autostart
systemctl enable supervisor.service
service supervisor start
# Configure Swap Disk
if [ -f /swapfile ]; then
echo "Swap exists."
else
fallocate -l $SWAP_SIZE /swapfile
chmod 600 /swapfile
mkswap /swapfile
swapon /swapfile
echo "/swapfile none swap sw 0 0" >> /etc/fstab
echo "vm.swappiness=30" >> /etc/sysctl.conf
echo "vm.vfs_cache_pressure=50" >> /etc/sysctl.conf
fi
# Install Base PHP Packages
apt-get install -y --force-yes php7.0-cli php7.0-dev \
php-sqlite3 php-gd \
php-curl php7.0-dev \
php-imap php-mysql php-memcached php-mcrypt php-mbstring \
php-xml php-imagick php7.0-zip php7.0-bcmath php-soap \
php7.0-intl php7.0-readline
# Install Composer Package Manager
curl -sS https://getcomposer.org/installer | php
mv composer.phar /usr/local/bin/composer
# Misc. PHP CLI Configuration
sudo sed -i "s/error_reporting = .*/error_reporting = E_ALL/" /etc/php/7.0/cli/php.ini
sudo sed -i "s/display_errors = .*/display_errors = On/" /etc/php/7.0/cli/php.ini
sudo sed -i "s/memory_limit = .*/memory_limit = 512M/" /etc/php/7.0/cli/php.ini
sudo sed -i "s/;date.timezone.*/date.timezone = UTC/" /etc/php/7.0/cli/php.ini
# Configure Sessions Directory Permissions
chmod 733 /var/lib/php/sessions
chmod +t /var/lib/php/sessions
# Install Nginx & PHP-FPM
apt-get install -y --force-yes nginx php7.0-fpm
# Generate dhparam File
openssl dhparam -out /etc/nginx/dhparams.pem 2048
# Disable The Default Nginx Site
rm /etc/nginx/sites-enabled/default
rm /etc/nginx/sites-available/default
service nginx restart
# Tweak Some PHP-FPM Settings
sed -i "s/error_reporting = .*/error_reporting = E_ALL/" /etc/php/7.0/fpm/php.ini
sed -i "s/display_errors = .*/display_errors = On/" /etc/php/7.0/fpm/php.ini
sed -i "s/;cgi.fix_pathinfo=1/cgi.fix_pathinfo=0/" /etc/php/7.0/fpm/php.ini
sed -i "s/memory_limit = .*/memory_limit = 512M/" /etc/php/7.0/fpm/php.ini
sed -i "s/;date.timezone.*/date.timezone = UTC/" /etc/php/7.0/fpm/php.ini
sed -i "s/short_open_tag.*/short_open_tag = On/" /etc/php/7.0/fpm/php.ini
# Setup Session Save Path
sed -i "s/\;session.save_path = .*/session.save_path = \"\/var\/lib\/php5\/sessions\"/" /etc/php/7.0/fpm/php.ini
sed -i "s/php5\/sessions/php\/sessions/" /etc/php/7.0/fpm/php.ini
# Configure Nginx & PHP-FPM To Run As User
sed -i "s/user www-data;/user $USER;/" /etc/nginx/nginx.conf
sed -i "s/# server_names_hash_bucket_size.*/server_names_hash_bucket_size 64;/" /etc/nginx/nginx.conf
sed -i "s/^user = www-data/user = $USER/" /etc/php/7.0/fpm/pool.d/www.conf
sed -i "s/^group = www-data/group = $USER/" /etc/php/7.0/fpm/pool.d/www.conf
sed -i "s/;listen\.owner.*/listen.owner = $USER/" /etc/php/7.0/fpm/pool.d/www.conf
sed -i "s/;listen\.group.*/listen.group = $USER/" /etc/php/7.0/fpm/pool.d/www.conf
sed -i "s/;listen\.mode.*/listen.mode = 0666/" /etc/php/7.0/fpm/pool.d/www.conf
# Configure A Few More Server Things
sed -i "s/;request_terminate_timeout.*/request_terminate_timeout = 60/" /etc/php/7.0/fpm/pool.d/www.conf
sed -i "s/worker_processes.*/worker_processes auto;/" /etc/nginx/nginx.conf
sed -i "s/# multi_accept.*/multi_accept on;/" /etc/nginx/nginx.conf
# Install A Catch All Server
cat > /etc/nginx/sites-available/catch-all << EOF
server {
return 404;
}
EOF
ln -s /etc/nginx/sites-available/catch-all /etc/nginx/sites-enabled/catch-all
cat > /etc/nginx/sites-available/example << EOF
server {
listen 80;
server_name somedomain.com;
root /home/$USER/somedomain.com/public;
index index.html index.htm index.php;
charset utf-8;
location / {
try_files $uri $uri/ /index.php?$query_string;
}
location = /favicon.ico { access_log off; log_not_found off; }
location = /robots.txt { access_log off; log_not_found off; }
access_log off;
error_log /var/log/nginx/somedomain.com-error.log error;
error_page 404 /index.php;
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
fastcgi_index index.php;
include fastcgi_params;
}
location ~ /\.ht {
deny all;
}
}
EOF
# Restart Nginx & PHP-FPM Services
if [ ! -z "\$(ps aux | grep php-fpm | grep -v grep)" ]
then
service php7.0-fpm restart
fi
service nginx restart
service nginx reload
# Add User To www-data Group
usermod -a -G www-data $USER
id $USER
groups $USER
# Install Node.js
curl --silent --location https://deb.nodesource.com/setup_5.x | bash -
apt-get update
sudo apt-get install -y --force-yes nodejs
npm install -g pm2
npm install -g gulp
# Set The Automated Root Password
export DEBIAN_FRONTEND=noninteractive
debconf-set-selections <<< "mysql-community-server mysql-community-server/data-dir select ''"
debconf-set-selections <<< "mysql-community-server mysql-community-server/root-pass password $MYSQL_ROOT_PASSWORD"
debconf-set-selections <<< "mysql-community-server mysql-community-server/re-root-pass password $MYSQL_ROOT_PASSWORD"
# Install MySQL
apt-get install -y mysql-server
# Configure Password Expiration
echo "default_password_lifetime = 0" >> /etc/mysql/mysql.conf.d/mysqld.cnf
# Configure Access Permissions For Root & User
sed -i '/^bind-address/s/bind-address.*=.*/bind-address = */' /etc/mysql/mysql.conf.d/mysqld.cnf
mysql --user="root" --password="$MYSQL_ROOT_PASSWORD" -e "GRANT ALL ON *.* TO root@'$SERVER_IP' IDENTIFIED BY '$MYSQL_ROOT_PASSWORD';"
mysql --user="root" --password="$MYSQL_ROOT_PASSWORD" -e "GRANT ALL ON *.* TO root@'%' IDENTIFIED BY '$MYSQL_ROOT_PASSWORD';"
service mysql restart
mysql --user="root" --password="$MYSQL_ROOT_PASSWORD" -e "CREATE USER '$USER'@'$SERVER_IP' IDENTIFIED BY '$MYSQL_ROOT_PASSWORD';"
mysql --user="root" --password="$MYSQL_ROOT_PASSWORD" -e "GRANT ALL ON *.* TO '$USER'@'$SERVER_IP' IDENTIFIED BY '$MYSQL_ROOT_PASSWORD' WITH GRANT OPTION;"
mysql --user="root" --password="$MYSQL_ROOT_PASSWORD" -e "GRANT ALL ON *.* TO '$USER'@'%' IDENTIFIED BY '$MYSQL_ROOT_PASSWORD' WITH GRANT OPTION;"
mysql --user="root" --password="$MYSQL_ROOT_PASSWORD" -e "FLUSH PRIVILEGES;"
# Install & Configure Redis Server
apt-get install -y redis-server
sed -i 's/bind 127.0.0.1/bind 0.0.0.0/' /etc/redis/redis.conf
service redis-server restart
# Install & Configure Memcached
apt-get install -y memcached
sed -i 's/-l 127.0.0.1/-l 0.0.0.0/' /etc/memcached.conf
service memcached restart
# Install & Configure Beanstalk
apt-get install -y --force-yes beanstalkd
sed -i "s/BEANSTALKD_LISTEN_ADDR.*/BEANSTALKD_LISTEN_ADDR=0.0.0.0/" /etc/default/beanstalkd
sed -i "s/#START=yes/START=yes/" /etc/default/beanstalkd
/etc/init.d/beanstalkd start
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment