Gist: filljoyner/b37ca1b9ec1e528cb687211ce963baf1

Server

Install

Install Ubuntu 22.04

Update

Update all the things

sudo apt update
sudo apt upgrade --yes
sudo apt autoremove --yes
sudo apt autoclean --yes
sudo reboot

Fix the installer leaving part of the disk unallocated (the default LVM layout uses only some of the volume group)

See disk make up

lsblk

Add free space to logical volume

sudo lvextend -l +100%FREE /dev/mapper/ubuntu--vg-ubuntu--lv

Grow the filesystem to fill the logical volume (ext4; confirm with df afterwards)

sudo resize2fs /dev/mapper/ubuntu--vg-ubuntu--lv

LEMP Installation

Nginx

Install

sudo apt install nginx

Check

sudo systemctl status nginx

MariaDB

Install

sudo apt install mariadb-server -y

Ready for PHP

sudo apt install php-mysql -y

PHP

Install

sudo apt install php-fpm -y

Install Common Packages

sudo apt install php-curl php-gd php-mbstring php-xml php-xmlrpc php-cli php-redis unzip sqlite3 -y

Composer

Install

The third line fetches the SHA-384 digest Composer publishes for the installer; the php -r check deletes the download and exits non-zero on a mismatch, so only run the sudo line if it printed Installer verified.

cd ~
curl -sS https://getcomposer.org/installer -o /tmp/composer-setup.php
HASH="$(curl -sS https://composer.github.io/installer.sig)"
php -r "if (hash_file('SHA384', '/tmp/composer-setup.php') === '$HASH') { echo 'Installer verified', PHP_EOL; } else { echo 'Installer corrupt', PHP_EOL; unlink('/tmp/composer-setup.php'); exit(1); }"
sudo php /tmp/composer-setup.php --install-dir=/usr/local/bin --filename=composer
rm -f /tmp/composer-setup.php

Node

Install Node & NPM

sudo apt update
sudo apt install nodejs npm -y

Install NVM

See repo for full instructions. This pipes a remote script straight into bash, so keep the version pinned as below and read the script before running it.

curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.3/install.sh | bash
source ~/.bashrc

Meilisearch

Install

cd ~
curl -L https://install.meilisearch.com | sh
chmod +x meilisearch
sudo mv ./meilisearch /usr/local/bin/

WP CLI

Install

cd ~
curl -O https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar
chmod +x wp-cli.phar
sudo mv wp-cli.phar /usr/local/bin/wp
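The Composer step above verifies the installer's SHA-384 before running it; the nvm, Meilisearch and WP CLI steps run or copy whatever the URL returned. As an added example (not from the gist), a small POSIX shell helper that applies the Composer pattern to any download: fetch to a temp file, compare the digest the upstream publishes (installer.sig for Composer, the .sha512 file wp-cli publishes beside the phar), and only then move it into place. The demo at the bottom uses a constructed local file behind a file:// URL so it runs offline; the Composer usage in the comments needs network access.

```shell
#!/bin/sh
# Added example (not from the gist): fetch a file, verify its digest against the
# value the upstream publishes, and only then put it in place. Composer's
# installer.sig is a SHA-384 hex digest; wp-cli publishes a .sha512 file beside
# wp-cli.phar. POSIX sh; needs curl and coreutils (sha256sum/sha384sum/sha512sum).
set -eu

# verified_fetch URL ALGO EXPECTED DEST
#   ALGO     sha256 | sha384 | sha512
#   EXPECTED hex digest (case-insensitive)
# Downloads to a temp file, hashes it, and moves it to DEST only on a match.
# Returns 1 on digest mismatch, 2 on download failure; nothing is left behind.
verified_fetch() {
    url=$1; algo=$2; dest=$4
    expected=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    tmp=$(mktemp)
    if ! curl -fsSL "$url" -o "$tmp"; then
        echo "download failed: $url" >&2
        rm -f "$tmp"
        return 2
    fi
    actual=$("${algo}sum" "$tmp" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "refusing to install $url: $algo digest mismatch" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$dest"
}

# Real-world use, mirroring the Composer step (needs network; shown as comments):
#   sig=$(curl -sS https://composer.github.io/installer.sig)
#   verified_fetch https://getcomposer.org/installer sha384 "$sig" /tmp/composer-setup.php \
#     && sudo php /tmp/composer-setup.php --install-dir=/usr/local/bin --filename=composer

# Offline demonstration with a constructed "installer" served via a file:// URL.
demo() {
    work=$(mktemp -d)
    printf '#!/bin/sh\necho hello from a verified installer\n' > "$work/upstream.sh"
    good=$(sha384sum "$work/upstream.sh" | cut -d' ' -f1)

    verified_fetch "file://$work/upstream.sh" sha384 "$good" "$work/installer.sh" \
        && echo "verified, installed to $work/installer.sh"

    # Same file, wrong digest: simulates a tampered or truncated download.
    verified_fetch "file://$work/upstream.sh" sha384 0000deadbeef "$work/tampered.sh" \
        || echo "rejected with exit status $?"

    rm -rf "$work"
}

if command -v curl >/dev/null 2>&1; then demo; fi
```

The file lands with mktemp's 0600 mode, so chmod it afterwards for executables (as the WP CLI step does) and use sudo for the final move when the destination is /usr/local/bin.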

Redis

Install

sudo apt install lsb-release curl gpg -y
curl -fsSL https://packages.redis.io/gpg | sudo gpg --dearmor -o /usr/share/keyrings/redis-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/redis-archive-keyring.gpg] https://packages.redis.io/deb $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/redis.list
sudo apt-get update
sudo apt-get install redis -y

Enable on start

sudo systemctl enable redis-server

Configuration

SSL

Create Self Signed Certificate

Create Certificate

The command prompts for the subject fields; put the hostname you will browse to (e.g. website.dv) in the Common Name. Current browsers match the hostname against subjectAltName rather than the CN, so expect a name-mismatch error on top of the usual self-signed warning unless you also pass -addext "subjectAltName=DNS:website.dv,DNS:www.website.dv".

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt

Create Diffie-Hellman group

Only TLS 1.2 DHE cipher suites use this file; the TLS 1.3-only snippet below never consults it, but keep it as long as the ssl_dhparam line references it or nginx -t will fail.

sudo openssl dhparam -out /etc/nginx/dhparam.pem 4096

Warning

This is going to take a loooooooooooong time (minutes, sometimes much longer, on a small VM). Run it in the background and carry on.
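The certificate command above leaves subjectAltName empty, so browsers reject the name even after you accept the self-signed warning. As an added example (not the gist's command), a shell function that issues the same kind of certificate with a SAN for the site name and its www alias, keeps the private key 0600, and two checks to run on the result. The name website.dv and the output directory are assumptions; it needs OpenSSL 1.1.1 or newer for -addext (Ubuntu 22.04 ships 3.0).

```shell
#!/bin/sh
# Added example (not the gist's command): a self-signed certificate that browsers
# will actually match by name, plus checks on the result. Assumes OpenSSL 1.1.1+
# (Ubuntu 22.04 ships 3.0) for -addext; website.dv and the output dir are made up.
set -eu

# make_selfsigned DOMAIN OUTDIR [DAYS]
# Writes OUTDIR/DOMAIN.key (0600) and OUTDIR/DOMAIN.crt with
# subjectAltName = DNS:DOMAIN, DNS:www.DOMAIN. Browsers ignore the CN and match
# the SAN, so without it you get NET::ERR_CERT_COMMON_NAME_INVALID even after
# accepting the self-signed warning.
make_selfsigned() {
    domain=$1; outdir=$2; days=${3:-365}
    mkdir -p "$outdir"
    # umask in a subshell so the private key is never world-readable, not even briefly
    (
        umask 077
        openssl req -x509 -nodes -newkey rsa:2048 -days "$days" \
            -subj "/CN=$domain" \
            -addext "subjectAltName=DNS:$domain,DNS:www.$domain" \
            -keyout "$outdir/$domain.key" -out "$outdir/$domain.crt" 2>/dev/null
    )
    chmod 0644 "$outdir/$domain.crt"   # the certificate is public; only the key is secret
}

# cert_has_san CERT NAME: succeed if NAME is one of the DNS entries in the SAN.
cert_has_san() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | grep -Eq "DNS:$2(,|$)"
}

# cert_valid_now CERT: succeed if the certificate has not expired.
cert_valid_now() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# key_mode KEYFILE: print the octal mode, e.g. 600 (GNU stat).
key_mode() {
    stat -c '%a' "$1"
}

demo() {
    out=$(mktemp -d)
    make_selfsigned website.dv "$out" 365
    echo "key mode: $(key_mode "$out/website.dv.key")"
    cert_has_san "$out/website.dv.crt" www.website.dv && echo "SAN covers www.website.dv"
    cert_valid_now "$out/website.dv.crt" && echo "certificate is currently valid"
    openssl x509 -in "$out/website.dv.crt" -noout -subject -dates
    rm -rf "$out"
}

if command -v openssl >/dev/null 2>&1; then demo; fi
```

To use the output with the snippets below, copy the .key to /etc/ssl/private/nginx-selfsigned.key and the .crt to /etc/ssl/certs/nginx-selfsigned.crt as root; the dhparam and snippet steps are unchanged.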

Configure Nginx to use SSL

Create snippet

sudo vim /etc/nginx/snippets/self-signed.conf

Snippet contents

ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;

Create snippet

sudo vim /etc/nginx/snippets/ssl-params.conf

Snippet content

# TLS 1.3 only; add TLSv1.2 here if you must support older clients.
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers on;
# ssl_dhparam and ssl_ciphers only apply to TLS 1.2; nginx/OpenSSL choose the
# TLS 1.3 suites themselves. Harmless here, and active if TLSv1.2 is added above.
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
# This also limits TLS 1.3 key exchange to P-384, so clients that offer X25519
# first get a HelloRetryRequest; X25519:secp384r1 would avoid that round trip.
ssl_ecdh_curve secp384r1;
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
# Tickets off: resumption state stays server-side and is bounded by the cache above.
ssl_session_tickets off;
# OCSP stapling is off because a self-signed certificate has no OCSP responder;
# turn it on (and keep the resolver lines) once a CA-issued certificate is in place.
ssl_stapling off;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Disable strict transport security for now. You can uncomment the following
# line if you understand the implications: browsers that have seen it refuse
# plain HTTP to this host for max-age seconds, so the port-80 block becomes
# unreachable from them.
#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
# Deprecated header; current browsers ignore it and rely on Content-Security-Policy instead.
add_header X-XSS-Protection "1; mode=block";

Tip

The resolver lines are the DNS servers nginx uses for OCSP stapling lookups; Google's are set here, substitute your own (127.0.0.53 on a stock Ubuntu box with systemd-resolved). They are unused while ssl_stapling is off. Also note that nginx inherits add_header from the server level only into location blocks that have no add_header of their own, so adding any add_header inside a location silently drops these security headers for that location; repeat them there if you do.

Firewall

Open Web Ports

Allow OpenSSH before enabling the firewall; ufw enable on a remote box with no SSH rule drops your session.

sudo ufw allow OpenSSH
sudo ufw allow in "Nginx Full"
sudo ufw enable

Check Status

sudo ufw status

The Nginx welcome page should now be visible when you visit the server's IP in a browser.

PHP

Accept requests for files that exist

Security tweak. With cgi.fix_pathinfo=1, a request for /uploads/avatar.jpg/x.php makes PHP-FPM walk back along the path until it finds a file that exists and then executes that file (avatar.jpg) as PHP, which turns any upload directory into a code-execution vector. With it set to 0, PHP executes only the exact SCRIPT_FILENAME nginx passed and returns an error if that file does not exist. Ubuntu's snippets/fastcgi-php.conf adds try_files $fastcgi_script_name =404; on the nginx side as a second guard.

sudo sed -i 's/;cgi.fix_pathinfo=1/cgi.fix_pathinfo=0/g' /etc/php/8.1/fpm/php.ini
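The sed above only matches the exact text ;cgi.fix_pathinfo=1; if the line is already uncommented, spaced differently, or missing, it changes nothing and says nothing. As an added example (not from the gist), an idempotent setter and a reader for php.ini-style files that handle all of those cases, shown against a constructed fragment rather than the real file. Run the setter with sudo against /etc/php/8.1/fpm/php.ini for the real thing, then confirm with php-fpm8.1 -i | grep fix_pathinfo after restarting the service.

```shell
#!/bin/sh
# Added example (not from the gist): idempotent php.ini edits with a read-back check.
# POSIX sh + awk; the fragment used by demo() is constructed, not Ubuntu's php.ini.
set -eu

# Shared awk code. keyval(line, allow_comment) returns the value if LINE is
# "KEY = VALUE" (optionally behind a leading ";" when allow_comment is set),
# otherwise the sentinel NOMATCH. KEY is passed in with -v.
_INI_AWK='
function keyval(line, allow_comment,   s, n) {
    s = line
    sub(/^[ \t]+/, "", s)
    if (substr(s, 1, 1) == ";") {
        if (!allow_comment) return NOMATCH
        s = substr(s, 2)
        sub(/^[ \t]+/, "", s)
    }
    n = length(key)
    if (substr(s, 1, n) != key) return NOMATCH
    s = substr(s, n + 1)
    sub(/^[ \t]+/, "", s)
    if (substr(s, 1, 1) != "=") return NOMATCH
    s = substr(s, 2)
    sub(/^[ \t]+/, "", s)
    sub(/[ \t]+$/, "", s)
    return s
}
BEGIN { NOMATCH = "\001" }
'

# ini_set_key FILE KEY VALUE
# Replaces the first line that sets KEY (commented or not) with "KEY = VALUE",
# drops any later duplicates, and appends the line if KEY was absent. Writing
# back with cat keeps the file's owner and mode (mv would not).
ini_set_key() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp)
    awk -v key="$key" -v value="$value" "$_INI_AWK"'
keyval($0, 1) != NOMATCH { if (!done) { print key " = " value; done = 1 }; next }
{ print }
END { if (!done) print key " = " value }
' "$file" > "$tmp"
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# ini_get_key FILE KEY: print the effective (last, uncommented) value of KEY,
# or nothing if it is not set.
ini_get_key() {
    awk -v key="$2" "$_INI_AWK"'
{ v = keyval($0, 0); if (v != NOMATCH) { last = v; found = 1 } }
END { if (found) print last }
' "$1"
}

demo() {
    ini=$(mktemp)
    # Constructed fragment in the shape of Ubuntu's php.ini (not the real file).
    cat > "$ini" <<'EOF'
[PHP]
; cgi.fix_pathinfo provides *real* PATH_INFO/PATH_TRANSLATED support for CGI.
;cgi.fix_pathinfo=1
expose_php = On
disable_functions =
EOF
    ini_set_key "$ini" cgi.fix_pathinfo 0
    ini_set_key "$ini" expose_php Off
    ini_set_key "$ini" disable_functions "exec,passthru,shell_exec,system"
    ini_set_key "$ini" cgi.fix_pathinfo 0     # second run: no duplicate line
    echo "cgi.fix_pathinfo = $(ini_get_key "$ini" cgi.fix_pathinfo)"
    cat "$ini"
    rm -f "$ini"
}

demo
```

The explanatory comment line that merely mentions cgi.fix_pathinfo is left alone because it has no "=" after the key; only lines that actually assign the key are rewritten.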

Change PHP User & Group

Access the PHP config file

sudo vim /etc/php/8.1/fpm/pool.d/www.conf

Change the pool name [www] to [username] and set the following to the user and group that own the site files.

# early in the file
user = username
group = groupname

# further down
listen.owner = username
listen.group = groupname

Running PHP as the account that owns the code keeps deployment simple, but it also means a compromised PHP process can rewrite the application itself. On a shared or production host keep the code owned by a separate deploy user and let the PHP user own only the directories it must write (storage, uploads).

Nginx

Unlink default site

sudo unlink /etc/nginx/sites-enabled/default

Change Nginx User & Group

Edit config

sudo vim /etc/nginx/nginx.conf

At the top of the file, change www-data to the same user you set for the PHP-FPM pool; the worker processes then run as that user and can open the socket whose listen.owner you just changed. The line currently reads:

user www-data;

Create Web Directory

  • Recommended location: the user's home directory.
  • The Nginx and PHP users were changed above so they can read it.
  • Create the site directories:
    • a site root and, inside it, the web root nginx serves (example ~/website and ~/website/public)
    • clone the repo into the site root, so .env, .git and everything else outside public/ is never served

Create Config File

sudo cp /etc/nginx/sites-available/default /etc/nginx/sites-available/website.dv.conf

Edit File

Create /home/username/logs first; nginx refuses to start if error_log points at a missing directory. This uses the self-signed certificate we generated earlier.

server {
    listen 80;
    listen [::]:80;

    #access_log /home/username/logs/website-access.log;
    error_log /home/username/logs/website-error.log error;

    server_name website.dv www.website.dv;
    root /home/username/website/public;
    index index.php index.html index.htm index.nginx-debian.html;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        # socket owner/group come from listen.owner/listen.group in the pool config
        fastcgi_pass unix:/run/php/php8.1-fpm.sock;
    }

    location ~ /\.ht {
        deny all;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    include snippets/self-signed.conf;
    include snippets/ssl-params.conf;

    #access_log /home/username/logs/website-access.log;
    error_log /home/username/logs/website-error.log error;

    server_name website.dv www.website.dv;
    root /home/username/website/public;
    index index.php index.html index.htm index.nginx-debian.html;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php8.1-fpm.sock;
    }

    location ~ /\.ht {
        deny all;
    }
}

Create Link to Config

sudo ln -s /etc/nginx/sites-available/website.dv.conf /etc/nginx/sites-enabled/

Tip

If you'd prefer not to use SSL:

  • skip the SSL section above
  • keep the first server block as it is (it already listens on 80 without ssl)
  • remove the second (443) server block, and with it the two snippet includes

Test Nginx' Config

sudo nginx -t

MariaDB

Secure

sudo mysql_secure_installation

[!info]

  • Not necessary to switch to Unix socket authentication: on Ubuntu 22.04 the MariaDB root account already authenticates through the unix_socket plugin, which is why sudo mysql -u root below needs no password
  • Not necessary to change the root password, for the same reason (root does not log in by password)
  • All other questions Y (remove anonymous users, disallow remote root login, remove test database, reload privilege tables)

Login

sudo mysql -u root

Create a Database

CREATE DATABASE database_name;

Create User

Replace secret with a long random password (the output of openssl rand -base64 24, for example); homestead/secret is only the Laravel Homestead default and appears in every default-credential list.

CREATE USER 'homestead'@'localhost' IDENTIFIED BY 'secret';

Give User Access to Database

GRANT ALL ON database_name.* TO 'homestead'@'localhost';

Tip

To exit mysql, type quit.

Meilisearch

Config Files

Fetch the sample config and edit the keys below. Use env = "production" on anything reachable from a network: production mode refuses to start without a master key and disables the built-in search preview, while development mode will happily serve an unauthenticated API if the key is left empty. The file holds the master key, so make it readable only by root and the service user.

curl https://raw.githubusercontent.com/meilisearch/meilisearch/latest/config.toml > ~/meilisearch.toml
sudo mv ~/meilisearch.toml /etc/meilisearch.toml
sudo vim /etc/meilisearch.toml

Set these values:

env = "development"
master_key = "YOUR_MASTER_KEY_VALUE"
db_path = "/var/lib/meilisearch/data"
dump_dir = "/var/lib/meilisearch/dumps"
snapshot_dir = "/var/lib/meilisearch/snapshots"

Directories (owned by the account the service runs as, develop here; not root and not the web user)

sudo mkdir /var/lib/meilisearch /var/lib/meilisearch/data /var/lib/meilisearch/dumps /var/lib/meilisearch/snapshots
sudo chown -R develop:develop /var/lib/meilisearch
sudo chmod 750 /var/lib/meilisearch

Service

sudo vim /etc/systemd/system/meilisearch.service

Unit contents:

[Unit]
Description=Meilisearch
After=systemd-user-sessions.service

[Service]
Type=simple
WorkingDirectory=/var/lib/meilisearch
ExecStart=/usr/local/bin/meilisearch --config-file-path /etc/meilisearch.toml
User=develop
Group=develop

[Install]
WantedBy=multi-user.target

Master Key

Start Meilisearch once by hand with no key configured. In development mode it prints a freshly generated master key (the --master-key line in its output) and then serves without authentication, so stop it with Ctrl-C as soon as you have copied the key.

cd ~
meilisearch

Clean up

This one-off run created data.ms and dumps in the home directory.

cd ~
rm -rf data.ms
rm -rf dumps

Paste the master key into master_key in the config file, then enable and start the service

sudo vim /etc/meilisearch.toml
sudo systemctl enable meilisearch
sudo systemctl start meilisearch
sudo systemctl status meilisearch
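The unit above already runs Meilisearch as an unprivileged user, which is the important part; systemd can additionally fence it in. As an added example (not the gist's unit), the same service with sandboxing directives: ReadWritePaths is the one tree Meilisearch needs to write, matching the toml above, and everything else is read-only or hidden. After sudo systemctl daemon-reload, systemd-analyze security meilisearch scores the result.

```ini
[Unit]
Description=Meilisearch
After=network.target

[Service]
Type=simple
User=develop
Group=develop
WorkingDirectory=/var/lib/meilisearch
ExecStart=/usr/local/bin/meilisearch --config-file-path /etc/meilisearch.toml
Restart=on-failure

# Sandboxing (added here, not in the gist's unit). The config in /etc stays
# readable under ProtectSystem=strict; only /var/lib/meilisearch is writable.
NoNewPrivileges=true
PrivateTmp=true
PrivateDevices=true
ProtectSystem=strict
ReadWritePaths=/var/lib/meilisearch
ProtectHome=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
RestrictRealtime=true
LockPersonality=true
UMask=0077

[Install]
WantedBy=multi-user.target
```

ProtectHome=true hides /home, so keep the data directories under /var/lib as the gist does rather than in the develop user's home.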

Nginx Config

This exposes the Meilisearch HTTP API directly. The master key (and the API keys derived from it) is then the only thing between a client and your indexes, so add this vhost only if something outside the box genuinely needs to reach Meilisearch; an application on the same host talks to localhost:7700 without it.

sudo vim /etc/nginx/sites-available/meilisearch.conf

Below, change the server_name to whatever you'd like.

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    include snippets/self-signed.conf;
    include snippets/ssl-params.conf;

    server_name meilisearch.dv;

    location / {
        proxy_pass http://localhost:7700;
    }
}

Link

sudo ln -s /etc/nginx/sites-available/meilisearch.conf /etc/nginx/sites-enabled/

Restart all the things

sudo systemctl daemon-reload
sudo systemctl restart nginx

Restart Things

PHP

sudo systemctl restart php8.1-fpm

Nginx

sudo nginx -s reload

Meilisearch

sudo systemctl restart meilisearch

Generate SSH Key

ssh-keygen -t ed25519 -C "your@email.com"

Configure Git Username & Email

git config --global user.name "Your Name"
git config --global user.email "your@email.com"