LEMP
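#!/bin/bash
#
# lempme.sh - provision a single-host LEMP stack (nginx, PHP 7.2-FPM, MySQL,
# Redis) on an Ubuntu box and issue a Let's Encrypt certificate for DOMAIN
# and static.DOMAIN.
#
# Usage:   sudo ./lempme.sh DOMAIN
# Env:     LE_EMAIL   registration e-mail handed to certbot
#                     (default: the placeholder webmaster@changeme.com)
# Outputs: progress banners, then the generated database credentials, on
#          stdout. That final line is the only record of the password.
# Exits:   1 on a usage error or an invalid domain; set -e aborts the run on
#          the first failing step.
#
# NOTE(security): the nginx configuration is downloaded at run time from the
# unpinned gist URL in GIST_RAW and installed as root. Review (or vendor and
# checksum) those files before relying on this script.

set -e
set -u
# -o pipefail is deliberately NOT enabled: `yes '' | pecl ...` below must
# report pecl's exit status, not the SIGPIPE that `yes` receives.

readonly VERSION='v0.2.3'
readonly GIST_RAW='https://gist.githubusercontent.com/fiso/cceef9c9c4c6e4d4b44f59ce65a205e8/raw'
readonly PHP_INI='/etc/php/7.2/fpm/php.ini'
readonly SITES='/etc/nginx/sites-available'
readonly WEBROOT='/var/www/html'
LE_EMAIL=${LE_EMAIL:-webmaster@changeme.com}

# Globals: written by main() / configure_mysql(), read back by main() for the
# final credentials line.
DOMAIN=''
DB_USER=''
DB_PASS=''
DB_NAME=''

die() {
  printf '%s\n' "$*" >&2
  exit 1
}

usage() {
  printf 'Usage: %s domainname\n' "$0" >&2
  exit 1
}

# Prints a section banner in the same three-line shape as the original.
banner() {
  printf '%s\n' '--------------------------------------'
  printf '%s\n' "$*"
  printf '%s\n' '--------------------------------------'
}

#######################################
# Accept only a plain dotted hostname: labels of [A-Za-z0-9-] that do not
# start or end with '-', at least two labels, 253 characters at most.
# The value is later interpolated into a sed replacement, a backtick-quoted
# SQL identifier and the certbot command line, so '/', '&', '\', '`',
# quotes and whitespace must never get through.
# Arguments: $1 - candidate domain
# Returns:   0 if acceptable, 1 otherwise
#######################################
validate_domain() {
  local candidate=$1
  local label='[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?'
  local re="^${label}(\.${label})+\$"
  [[ ${#candidate} -le 253 ]] || return 1
  [[ $candidate =~ $re ]]
}

install_packages() {
  banner 'INSTALLING PACKAGES'
  apt-get --yes update > /dev/null
  # confdef/confold: never prompt, keep locally modified config files.
  apt-get --yes -o 'Dpkg::Options::=--force-confdef' -o 'Dpkg::Options::=--force-confold' upgrade > /dev/null
  apt-get --yes dist-upgrade > /dev/null
  apt-get --yes install software-properties-common > /dev/null
  # Third-party PPA: PHP 7.2 is not shipped by the distro archive.
  add-apt-repository ppa:ondrej/php -y
  apt-get --yes update > /dev/null
  apt-get --yes -o 'Dpkg::Options::=--force-confdef' -o 'Dpkg::Options::=--force-confold' install \
    vim less nginx php7.2-fpm php7.2-mysql mysql-server certbot python3-certbot-nginx \
    php7.2-curl php7.2-gd redis-server php-pear php7.2-dev php7.2-mbstring pwgen > /dev/null
}

#######################################
# Creates a dedicated MySQL user and a database named after the domain.
# Globals: DOMAIN (read); DB_USER, DB_PASS, DB_NAME (written)
#######################################
configure_mysql() {
  banner 'CONFIGURING MYSQL'
  # pwgen -s emits only [A-Za-z0-9], so the value is safe inside the
  # single-quoted SQL string literal below.
  DB_PASS=$(pwgen -s 40 1)
  DB_USER='dbuser'
  # NOTE(review): the database is named verbatim after the domain, dots
  # included; some MySQL versions reject '.' in schema names - confirm on
  # the target release before relying on this.
  DB_NAME=$DOMAIN
  # Statements go in on stdin rather than via -e so the password is never
  # part of a command line (argv is readable by every local user via ps).
  mysql <<SQL
CREATE USER '${DB_USER}'@'localhost' IDENTIFIED BY '${DB_PASS}';
CREATE DATABASE \`${DB_NAME}\`;
GRANT ALL PRIVILEGES ON \`${DB_NAME}\`.* TO '${DB_USER}'@'localhost';
FLUSH PRIVILEGES;
SQL
}

#######################################
# Downloads nginx.conf and the two site files from the gist, substitutes the
# domain, installs them and restarts nginx.
# Globals: DOMAIN, GIST_RAW, SITES (read)
#######################################
configure_nginx() {
  banner 'CONFIGURING NGINX'
  local tmp
  tmp=$(mktemp -d) || die 'mktemp failed'
  # Fetch into a private temp dir instead of whatever $PWD happens to be.
  wget -q -O "${tmp}/nginx.conf" "${GIST_RAW}/nginx.conf"
  wget -q -O "${tmp}/default" "${GIST_RAW}/default"
  wget -q -O "${tmp}/static" "${GIST_RAW}/static"
  # DOMAIN passed validate_domain, so it carries no sed metacharacters.
  sed -i -e "s/{{DOMAIN}}/${DOMAIN}/g" "${tmp}/default" "${tmp}/static"
  mv "${tmp}/nginx.conf" /etc/nginx/nginx.conf
  mv "${tmp}/default" "${SITES}/default"
  mv "${tmp}/static" "${SITES}/static"
  rmdir "${tmp}"
  ln -sf "${SITES}/static" /etc/nginx/sites-enabled/
  # Validate before restarting so a broken download leaves nginx running.
  nginx -t
  service nginx restart
}

install_php_redis() {
  banner 'INSTALLING PHP REDIS EXTENSION'
  pecl config-set php_ini "${PHP_INI}"
  # pecl asks about build options; an empty answer accepts each default.
  yes '' | pecl install redis > /dev/null
  echo 'extension=redis.so' >> "${PHP_INI}"
}

#######################################
# Obtains a certificate for DOMAIN and static.DOMAIN, lets certbot rewrite
# the site files for TLS and redirect, then turns on HTTP/2.
# Globals: DOMAIN, LE_EMAIL, SITES (read)
#######################################
setup_https() {
  banner 'SETTING UP HTTPS AND HTTP2'
  certbot --noninteractive --redirect --agree-tos \
    --email "${LE_EMAIL}" --nginx \
    --domains "${DOMAIN},static.${DOMAIN}"
  # certbot writes the "listen 443 ssl" lines; add http2 to them.
  sed -i -e 's/443 ssl/443 ssl http2/g' "${SITES}/default" "${SITES}/static"
  nginx -t
  service nginx restart
}

cleanup() {
  banner 'CLEANING UP'
  apt-get --yes autoremove
  # -f: not an error if the distro placeholder page is already gone.
  rm -f "${WEBROOT}/index.nginx-debian.html"
  # WARNING: phpinfo() discloses paths, loaded modules and environment to
  # anyone who can reach the host. Replace this placeholder page as soon as
  # the deployment has been verified.
  echo '<?php phpinfo();' > "${WEBROOT}/index.php"
}

main() {
  [[ $# -eq 1 ]] || usage
  DOMAIN=$1
  validate_domain "${DOMAIN}" || die "Invalid domain name: ${DOMAIN}"
  export DEBIAN_FRONTEND=noninteractive
  echo "${VERSION}"
  # FIXME: Should edit /etc/systemd/journald.conf and set SystemMaxUse=10M
  # then run: service systemd-journald restart
  install_packages
  configure_mysql
  configure_nginx
  install_php_redis
  setup_https
  cleanup
  echo 'All done.'
  # The only place the password is ever shown; it also lands in terminal
  # scrollback and in anything capturing stdout.
  echo "Your database credentials are \`${DB_USER}\` / \`${DB_PASS}\` for the database \`${DB_NAME}\`"
  echo ''
}

main "$@"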
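# Cache lifetime per response content type, fed to `expires` below:
# never cache HTML, cache static assets for as long as the browser allows.
# Keep this map identical to the copy in the `static` site file - both are
# included into the same http context and define the same $expires variable.
map $sent_http_content_type $expires {
    default off;
    text/html epoch;
    text/css max;
    application/javascript max;
    image/svg+xml max;
    ~image/ max;
    ~video/ max;
    ~audio/ max;
    ~font/ max;
    application/font-woff max;
    application/font-woff2 max;
    application/octet-stream max;
}

# Main site for {{DOMAIN}} (placeholder replaced by the install script).
# Only port 80 is configured here; certbot --nginx adds the 443 server and
# the redirect at install time.
server {
    server_name {{DOMAIN}};
    listen 80 default_server;
    listen [::]:80 default_server;
    root /var/www/html;
    index index.php index.html;
    expires $expires;

    # nginx inherits add_header from the enclosing level only when the
    # current level defines none, so this set REPLACES the http-level HSTS
    # header from nginx.conf (which carries includeSubDomains). `always`
    # attaches the headers to 4xx/5xx responses too, not just 2xx/3xx.
    add_header Strict-Transport-Security "max-age=63072000" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    # Legacy header; current browsers ignore it (their XSS auditors are gone).
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    # Weak policy: any https: origin plus inline and eval'd script is
    # allowed, so this mostly blocks mixed content rather than XSS. Tighten
    # it once the application's script sources are known.
    add_header Content-Security-Policy "default-src https: 'unsafe-inline' 'unsafe-eval'" always;

    # No proxy_pass in this server, so this directive has no effect; it only
    # rewrites Set-Cookie headers coming back from a proxied upstream.
    proxy_cookie_path / "/; HTTPOnly; Secure";

    # Looks like a WordPress-style layout: normalise /wp-admin to the
    # directory form.
    location = /wp-admin {
        rewrite ^ /wp-admin/ permanent;
    }

    # Front controller: anything that is not a real file or directory is
    # handed to /index.php (query string is kept by `rewrite`). Runs in the
    # server rewrite phase, before location matching.
    if (!-e $request_filename) {
        rewrite ^.*$ /index.php last;
    }

    location / {
        try_files $uri $uri/ /index.php?$args =404;
    }

    # Refuse dotfiles under the docroot (.git, .env, .htaccess, ...) except
    # the ACME challenge path. Listed before the PHP location so a dotfile
    # path ending in .php is denied rather than executed.
    location ~ /\.(?!well-known) {
        deny all;
    }

    location ~ \.php$ {
        # The snippet carries `try_files $fastcgi_script_name =404`, which
        # stops PATH_INFO tricks from executing non-PHP files as PHP.
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
    }
}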
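# Global nginx configuration installed by lempme.sh; the two site files are
# pulled in through sites-enabled at the bottom.
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
    worker_connections 768;
    # multi_accept on;
}

http {
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # Do not advertise the nginx version in Server: or on error pages.
    server_tokens off;

    ssl_session_cache shared:SSL:5m;
    ssl_session_timeout 1h;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996); offer 1.2 and up only.
    # The TLSv1.3 token needs nginx >= 1.13 built against OpenSSL 1.1.1;
    # drop it on older builds or the config will not parse. certbot --nginx
    # also includes its own options-ssl-nginx.conf in each TLS server block,
    # whose ssl_protocols overrides this value there.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    # Inherited by a server only if that server sets no add_header of its
    # own. Both site files do, so this (with includeSubDomains) is only in
    # effect for servers that define no headers themselves.
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    gzip on;
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    # "*" compresses every type, text/html included. Pages that reflect
    # attacker-controlled input alongside a secret (CSRF token, session id)
    # then become a BREACH-style compression oracle; restrict this to static
    # asset types if the application is exposed to that.
    gzip_types *;
    gzip_min_length 256;

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}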
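# Cache lifetime per response content type, fed to `expires` below.
# Keep this map identical to the copy in the `default` site file - both are
# included into the same http context and define the same $expires variable.
map $sent_http_content_type $expires {
    default off;
    text/html epoch;
    text/css max;
    application/javascript max;
    image/svg+xml max;
    ~image/ max;
    ~video/ max;
    ~audio/ max;
    ~font/ max;
    application/font-woff max;
    application/font-woff2 max;
    application/octet-stream max;
}

# Cookie-less asset host static.{{DOMAIN}}: shares the main docroot but
# never executes PHP. Only port 80 is configured here; certbot --nginx adds
# the 443 server at install time.
server {
    server_name static.{{DOMAIN}};
    listen 80;
    listen [::]:80;
    root /var/www/html;
    expires $expires;
    # Replaces (does not extend) the http-level HSTS header from nginx.conf;
    # `always` keeps it on 4xx/5xx responses as well.
    add_header Strict-Transport-Security "max-age=63072000" always;

    # These three act only on proxied requests/responses and there is no
    # proxy_pass in this server, so they are inert; a static file response
    # never emits Set-Cookie anyway.
    proxy_hide_header Set-Cookie;
    proxy_ignore_headers Set-Cookie;
    proxy_set_header Cookie "";

    # Same docroot as the PHP site: refuse dotfiles (.git, .env, .htaccess,
    # ...) and PHP source so this host cannot be used to read either.
    # The ACME challenge path stays reachable.
    location ~ /\.(?!well-known) {
        deny all;
    }

    location ~ \.php$ {
        deny all;
    }

    location ~* \.(eot|ttf|woff|woff2)$ {
        add_header Access-Control-Allow-Origin "*";
        # add_header at this level replaces the whole server-level set, so
        # HSTS must be repeated here or font responses go out without it.
        add_header Strict-Transport-Security "max-age=63072000" always;
    }
}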
First set up A records for both yourdomain.com and *.yourdomain.com (the script requests one certificate covering yourdomain.com and static.yourdomain.com, so static.yourdomain.com must resolve to this host before certbot runs). Once those records have been verified to work, run:
curl https://gist.githubusercontent.com/fiso/cceef9c9c4c6e4d4b44f59ce65a205e8/raw/\!lempme.sh -o lempme.sh && chmod u+x lempme.sh && sudo ./lempme.sh DOMAINNAME.COM
Note that this downloads an unpinned script from the gist and runs it as root, and the script in turn fetches its nginx configuration from the same gist at run time; read both before running them. The generated database password is printed to the terminal at the end and recorded nowhere else, so capture it.