Forge Provision Script for PHP7.4 and Postgres 12
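#
# Laravel Forge provisioning script: Ubuntu 18.04 "bionic", PHP 7.4, PostgreSQL 12.
# Runs as root. The template values embedded below (hostname, passwords, callback
# ids) were filled in by Forge before execution and are secrets; remove the script
# from the host once provisioning has finished.
#
# REQUIRES:
#  - server (the forge server instance)
#  - event (the forge event instance)
#  - sudo_password (random password for sudo)
#  - db_password (random password for database user)
#  - callback (the callback URL)
#  - recipe_id (recipe id to run at the end)
#
# Deliberately no `set -e`: several steps below are expected to fail on a fresh
# host (restarting PHP versions that are not installed, removing absent files)
# and must not abort provisioning.

# Prefer IPv4 in getaddrinfo(3) by enabling the commented-out precedence line.
# The script already runs as root, so `sudo` is dropped here and throughout.
sed -i "s/#precedence ::ffff:0:0\/96 100/precedence ::ffff:0:0\/96 100/" /etc/gai.conf

# Upgrade The Base Packages
export DEBIAN_FRONTEND=noninteractive
apt-get update
apt-get upgrade -y

# Add A Few PPAs To Stay Current
# `--force-yes` is deprecated and also permits unauthenticated packages; every
# repository used here is signed, so plain `-y` keeps the install unattended
# without weakening signature checks.
apt-get install -y software-properties-common
# apt-add-repository ppa:fkrull/deadsnakes-python2.7 -y
apt-add-repository ppa:nginx/mainline -y
apt-add-repository ppa:chris-lea/redis-server -y
apt-add-repository ppa:ondrej/apache2 -y
apt-add-repository ppa:ondrej/php -y

# Setup MariaDB Repositories
# (heading kept from the template; no commands here, this variant installs PostgreSQL below)

# Update Package Lists
apt-get update

# Base Packages (`whois` provides mkpasswd, used for the sudo password below)
add-apt-repository universe
apt-get install -y build-essential curl fail2ban gcc git libmcrypt4 libpcre3-dev \
  make python2.7 python-pip sendmail supervisor ufw unattended-upgrades unzip whois zsh ncdu

# Install Python Httpie (system-wide, via the python2 pip installed above)
pip install httpie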
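# Disable Password Authentication Over SSH
# sshd honours the first matching directive, so the existing "yes" line is
# removed (the pattern also catches the commented template line) before an
# explicit "no" is appended.
sed -i "/PasswordAuthentication yes/d" /etc/ssh/sshd_config
printf '\n\nPasswordAuthentication no\n' >> /etc/ssh/sshd_config

# Restart SSH
# `ssh-keygen -A` creates any host key that is still missing on the image.
ssh-keygen -A
service ssh restart

# Set The Hostname If Necessary
# One variable instead of three copies of the template value.
host_name='smooth-pebble'
printf '%s\n' "$host_name" > /etc/hostname
sed -i "s/127\.0\.0\.1.*localhost/127.0.0.1 ${host_name}.localdomain ${host_name} localhost/" /etc/hosts
hostname "$host_name"

# Set The Timezone
ln -sf /usr/share/zoneinfo/UTC /etc/localtime

# Create The Root SSH Directory If Necessary (owner-only when we create it)
if [ ! -d /root/.ssh ]; then
  mkdir -p -m 700 /root/.ssh
  touch /root/.ssh/authorized_keys
fi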
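# Setup Forge User
# No `-m`: the home directory is assembled by hand below and seeded from root's
# dotfiles rather than from /etc/skel.
useradd forge
mkdir -p /home/forge/.ssh
mkdir -p /home/forge/.forge
adduser forge sudo

# Setup Bash For Forge User
chsh -s /bin/bash forge
cp /root/.profile /home/forge/.profile
cp /root/.bashrc /home/forge/.bashrc

# Set The Sudo Password For Forge
# The secret is piped over stdin (`-s`) so it never sits on a command line that
# `ps` or audit logging could capture, and the hash method is named explicitly:
# older mkpasswd builds default to DES crypt, which silently truncates the
# password to 8 characters. The resulting hash contains `$`, so it is quoted.
sudo_password='znR6l9d12B78chfHU1QP'
password_hash=$(printf '%s\n' "$sudo_password" | mkpasswd -m sha-512 -s)
usermod --password "$password_hash" forge

# Build Formatted Keys & Copy Keys To Forge
# This replaces (not appends to) root's authorized_keys, so any key the image
# shipped with is gone afterwards. Quoted delimiter: written verbatim.
cat > /root/.ssh/authorized_keys <<'EOF'
# Laravel Forge
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCwphgbWFeqQt3RZGwzwhyTVX9uxOosWUwa3YHdxY8NgCgTQzAMb+bBhlkHFSyxQc+vwyRUdD9r4zYn6jmnfpfLYeOMy833DWZfE0w7dqo9fW1wOQNgoJVeiKAHvGwLTeDv+frnIdAqawHMHKuNknKMh9kIlTKH78aGtwv+u0mGhzdtOtW13Kj7sdCWqBF0/dboTO8sxsOaoimVDsL4Spkl36DdkcfCkjIj7ffEK8C1VNm2ZG44YmY/kJKUaYkbpxDlnoXu87Y3EToCDCKWOZgLNxN6yTrnnknr9O8ecJ3/v6XXQ48OD0oR8jtdZhOoishYM6tSdHYOICGjjypWTGUr worker@forge.laravel.com
EOF
cp /root/.ssh/authorized_keys /home/forge/.ssh/authorized_keys

# Create The Server SSH Key (deploy key; empty passphrase so unattended pulls work)
ssh-keygen -f /home/forge/.ssh/id_rsa -t rsa -N ''

# Copy Source Control Public Keys Into Known Hosts File
# NOTE(review): ssh-keyscan trusts whatever answers at provisioning time (trust
# on first use); compare with the providers' published fingerprints if that matters.
for host in github.com bitbucket.org gitlab.com; do
  ssh-keyscan -H "$host" >> /home/forge/.ssh/known_hosts
done

# Configure Git Settings
# Runs as root, so this writes /root/.gitconfig rather than the forge user's
# config — TODO confirm that is the intended account.
git config --global user.name "Robert van Steen"
git config --global user.email "r.vansteen@scrn.com"

# Add The Reconnect Script Into Forge Directory
# Quoted delimiter so the generated script is written literally (no `\$`
# escaping needed). The key passed as $1 is quoted in the generated script so a
# key containing spaces or glob characters is appended unchanged.
cat > /home/forge/.forge/reconnect <<'EOF'
#!/usr/bin/env bash
# Append the public key given as $1 to the forge and root authorized_keys files.
echo "# Laravel Forge" | tee -a /home/forge/.ssh/authorized_keys > /dev/null
printf '%s\n' "$1" | tee -a /home/forge/.ssh/authorized_keys > /dev/null
echo "# Laravel Forge" | tee -a /root/.ssh/authorized_keys > /dev/null
printf '%s\n' "$1" | tee -a /root/.ssh/authorized_keys > /dev/null
echo "Keys Added!"
EOF

# Setup Forge Home Directory Permissions
# The blanket 755 also makes the reconnect script executable; the .ssh directory
# and the private key are then restricted to the owner (600 on the key satisfies
# ssh's not-readable-by-others check just as the former 700 did).
chown -R forge:forge /home/forge
chmod -R 755 /home/forge
chmod 700 /home/forge/.ssh
chmod 600 /home/forge/.ssh/id_rsa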
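# Setup UFW Firewall
# ufw's default policy denies inbound traffic, so only ssh/http/https are
# reachable from outside; the datastores bound to 0.0.0.0 later in this script
# rely on that.
ufw allow 22
ufw allow 80
ufw allow 443
ufw --force enable

# Allow FPM Restart
# One rule per PHP version Forge may deploy. The file is given the 0440 mode
# sudo expects for drop-ins and validated so a typo cannot break `sudo` globally.
: > /etc/sudoers.d/php-fpm
for v in 7.4 7.3 7.2 7.1 7.0 5.6 5; do
  printf 'forge ALL=NOPASSWD: /usr/sbin/service php%s-fpm reload\n' "$v" >> /etc/sudoers.d/php-fpm
done
chmod 0440 /etc/sudoers.d/php-fpm
visudo -cf /etc/sudoers.d/php-fpm || printf 'WARNING: /etc/sudoers.d/php-fpm failed validation\n' >&2

# Install Base PHP Packages
apt-get install -y php7.4-cli php7.4-fpm php7.4-dev \
  php7.4-pgsql php7.4-sqlite3 php7.4-gd \
  php7.4-curl \
  php7.4-imap php7.4-mysql php7.4-mbstring \
  php7.4-xml php7.4-zip php7.4-bcmath php7.4-soap \
  php7.4-intl php7.4-readline

# Install Composer Package Manager
# Verify the installer against the published SHA-384 before executing it rather
# than piping an unverified download straight into php. The installer is told
# where to put the binary, so the step no longer depends on the current directory.
composer_setup=$(mktemp)
composer_expected=$(curl -sS https://composer.github.io/installer.sig)
curl -sS -o "$composer_setup" https://getcomposer.org/installer
composer_actual=$(php -r "echo hash_file('sha384', '${composer_setup}');")
if [ -n "$composer_expected" ] && [ "$composer_expected" = "$composer_actual" ]; then
  php "$composer_setup" --install-dir=/usr/local/bin --filename=composer
else
  printf 'ERROR: composer installer checksum mismatch; composer was not installed\n' >&2
fi
rm -f -- "$composer_setup"

# Misc. PHP CLI Configuration
sed -i "s/error_reporting = .*/error_reporting = E_ALL/" /etc/php/7.4/cli/php.ini
sed -i "s/display_errors = .*/display_errors = On/" /etc/php/7.4/cli/php.ini
sed -i "s/memory_limit = .*/memory_limit = 512M/" /etc/php/7.4/cli/php.ini
sed -i "s/;date.timezone.*/date.timezone = UTC/" /etc/php/7.4/cli/php.ini

# Configure Sessions Directory Permissions (1733: world-writable, sticky, not listable)
chmod 733 /var/lib/php/sessions
chmod +t /var/lib/php/sessions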
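# Write Systemd File For Linode
# (heading kept from the Forge template; no commands follow it in this script)
#
# REQUIRES:
#  - server (the forge server instance)
#  - site_name (the name of the site folder)
#

# Install Nginx & PHP-FPM
apt-get install -y nginx php7.4-fpm
systemctl enable nginx.service

# Generate dhparam File (CPU-bound; this step takes a while)
openssl dhparam -out /etc/nginx/dhparams.pem 2048

# Tweak Some PHP-FPM Settings
# NOTE(review): display_errors=On in the FPM php.ini sends PHP errors (paths,
# stack traces) to web clients. It is left as the template ships it, but is
# worth turning off for internet-facing sites.
sed -i "s/error_reporting = .*/error_reporting = E_ALL/" /etc/php/7.4/fpm/php.ini
sed -i "s/display_errors = .*/display_errors = On/" /etc/php/7.4/fpm/php.ini
sed -i "s/;cgi.fix_pathinfo=1/cgi.fix_pathinfo=0/" /etc/php/7.4/fpm/php.ini
sed -i "s/memory_limit = .*/memory_limit = 512M/" /etc/php/7.4/fpm/php.ini
sed -i "s/;date.timezone.*/date.timezone = UTC/" /etc/php/7.4/fpm/php.ini

# Configure FPM Pool Settings
# NOTE(review): listen.mode = 0666 makes the FPM socket writable by every local
# account, not only by nginx (which runs as forge after the edit below).
sed -i "s/^user = www-data/user = forge/" /etc/php/7.4/fpm/pool.d/www.conf
sed -i "s/^group = www-data/group = forge/" /etc/php/7.4/fpm/pool.d/www.conf
sed -i "s/;listen\.owner.*/listen.owner = forge/" /etc/php/7.4/fpm/pool.d/www.conf
sed -i "s/;listen\.group.*/listen.group = forge/" /etc/php/7.4/fpm/pool.d/www.conf
sed -i "s/;listen\.mode.*/listen.mode = 0666/" /etc/php/7.4/fpm/pool.d/www.conf
sed -i "s/;request_terminate_timeout.*/request_terminate_timeout = 60/" /etc/php/7.4/fpm/pool.d/www.conf

# Configure Primary Nginx Settings
sed -i "s/user www-data;/user forge;/" /etc/nginx/nginx.conf
sed -i "s/worker_processes.*/worker_processes auto;/" /etc/nginx/nginx.conf
sed -i "s/# multi_accept.*/multi_accept on;/" /etc/nginx/nginx.conf
sed -i "s/# server_names_hash_bucket_size.*/server_names_hash_bucket_size 128;/" /etc/nginx/nginx.conf

# Configure Gzip (quoted delimiter: config written verbatim)
cat > /etc/nginx/conf.d/gzip.conf <<'EOF'
gzip_comp_level 5;
gzip_min_length 256;
gzip_proxied any;
gzip_vary on;
gzip_types
  application/atom+xml
  application/javascript
  application/json
  application/rss+xml
  application/vnd.ms-fontobject
  application/x-font-ttf
  application/x-web-app-manifest+json
  application/xhtml+xml
  application/xml
  font/opentype
  image/svg+xml
  image/x-icon
  text/css
  text/plain
  text/x-component;
EOF

# Disable The Default Nginx Site (`-f`: absent files are not an error)
rm -f /etc/nginx/sites-enabled/default
rm -f /etc/nginx/sites-available/default
service nginx restart

# Install A Catch All Server (unknown hostnames get a bare 404)
cat > /etc/nginx/sites-available/catch-all <<'EOF'
server {
    return 404;
}
EOF
ln -s /etc/nginx/sites-available/catch-all /etc/nginx/sites-enabled/catch-all

# Restart Nginx & PHP-FPM Services
service nginx reload
# The former test compared a literal "\$(ps aux ...)" string and was therefore
# always true; pgrep performs the intended "is any php-fpm running" check.
if pgrep php-fpm >/dev/null 2>&1; then
  for v in 7.4 7.3 7.2 7.1 7.0 5.6 5; do
    # Versions that are not installed fail here; that is expected and ignored.
    service "php${v}-fpm" restart > /dev/null 2>&1
  done
fi

# Add Forge User To www-data Group
usermod -a -G www-data forge
id forge
groups forge

# Install Node.js (NodeSource) And Global npm Tools
# NOTE(review): the NodeSource setup script is executed straight from the
# network; it is fetched over verified TLS but not otherwise authenticated.
curl --silent --location https://deb.nodesource.com/setup_10.x | bash -
apt-get update
apt-get install -y nodejs
npm install -g pm2
npm install -g gulp
npm install -g yarn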
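#
# REQUIRES:
#  - server (the forge server instance)
#  - db_password (random password for database user)
#

# Install Postgres
# NOTE(review): `apt-key add` trusts this key for every repository, not just
# pgdg; it still works on bionic but is deprecated on newer releases.
wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add -
printf 'deb http://apt.postgresql.org/pub/repos/apt/ %s-pgdg main\n' "$(lsb_release -cs)" >> /etc/apt/sources.list.d/pgdg.list
apt-get update
apt-get install -y postgresql postgresql-contrib

# Configure Postgres For Remote Access
# NOTE(review): listening on all interfaces plus a pg_hba rule for 0.0.0.0/0
# means the ufw rules set earlier are the only thing keeping port 5432 off the
# internet, and the role created below is SUPERUSER.
sed -i "s/#listen_addresses = 'localhost'/listen_addresses = '*'/g" /etc/postgresql/12/main/postgresql.conf
printf '%s\n' "host all all 0.0.0.0/0 md5" >> /etc/postgresql/12/main/pg_hba.conf
db_password='mXZXPv4UDHdtQQKAP1aN'
# The SQL is fed over stdin so the password is not on psql's command line
# (visible in `ps`). `sudo -u postgres` is a user switch, not privilege
# escalation, so it stays.
sudo -u postgres psql <<SQL
CREATE ROLE forge LOGIN PASSWORD '${db_password}' SUPERUSER INHERIT NOCREATEDB NOCREATEROLE NOREPLICATION;
SQL
service postgresql restart

# Configure The Timezone (rewrites every occurrence of 'localtime' in postgresql.conf)
sed -i "s/localtime/UTC/" /etc/postgresql/12/main/postgresql.conf
service postgresql restart

# Create The Initial Database If Specified
sudo -u postgres /usr/bin/createdb --echo --owner=forge forge

# Install & Configure Redis Server
apt-get install -y redis-server
# NOTE(review): an explicit `bind 0.0.0.0` disables Redis' protected mode and
# no requirepass is set, so reachability is limited only by the firewall.
sed -i 's/bind 127.0.0.1/bind 0.0.0.0/' /etc/redis/redis.conf
service redis-server restart
systemctl enable redis-server
pecl install redis

# Ensure PHPRedis extension is available
if pecl list | grep -q redis; then
  echo "Configuring PHPRedis"
  echo "extension=redis.so" > /etc/php/7.4/mods-available/redis.ini
  ln -s /etc/php/7.4/mods-available/redis.ini /etc/php/7.4/fpm/conf.d/30-redis.ini >/dev/null 2>&1
  ln -s /etc/php/7.4/mods-available/redis.ini /etc/php/7.4/cli/conf.d/30-redis.ini >/dev/null 2>&1
fi

# Install & Configure Memcached (same exposure caveat as Redis: no auth, all interfaces)
apt-get install -y memcached
sed -i 's/-l 127.0.0.1/-l 0.0.0.0/' /etc/memcached.conf
service memcached restart

# Install & Configure Beanstalk
apt-get install -y beanstalkd
sed -i "s/BEANSTALKD_LISTEN_ADDR.*/BEANSTALKD_LISTEN_ADDR=0.0.0.0/" /etc/default/beanstalkd
if grep -q START= /etc/default/beanstalkd; then
  sed -i "s/#START=yes/START=yes/" /etc/default/beanstalkd
else
  echo "START=yes" >> /etc/default/beanstalkd
fi
service beanstalkd start
sleep 5
service beanstalkd restart
systemctl enable beanstalkd

# Configure Supervisor Autostart
systemctl enable supervisor.service
service supervisor start

# Configure Swap Disk
if [ -f /swapfile ]; then
  echo "Swap exists."
else
  fallocate -l 1G /swapfile
  chmod 600 /swapfile
  mkswap /swapfile
  swapon /swapfile
  echo "/swapfile none swap sw 0 0" >> /etc/fstab
  echo "vm.swappiness=30" >> /etc/sysctl.conf
  echo "vm.vfs_cache_pressure=50" >> /etc/sysctl.conf
fi

# Setup Unattended Security Upgrades (quoted delimiters: written verbatim)
cat > /etc/apt/apt.conf.d/50unattended-upgrades <<'EOF'
Unattended-Upgrade::Allowed-Origins {
    "Ubuntu bionic-security";
};
Unattended-Upgrade::Package-Blacklist {
    //
};
EOF

cat > /etc/apt/apt.conf.d/10periodic <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";
EOF

# Report Back To Forge
# The body carries the sudo and database secrets, so TLS is verified: the former
# `--insecure` flag let any on-path host read them, and by this point the host
# has already completed several verified HTTPS downloads, so the CA store works.
# The body is read from stdin (`@-`, newlines stripped by curl) rather than
# passed on argv, keeping the secrets out of `ps`.
curl --data @- https://forge.laravel.com/provisioning/callback/app <<EOF
event_id=34399672&server_id=334407&sudo_password=znR6l9d12B78chfHU1QP&db_password=${db_password}&recipe_id=
EOF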