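#!/bin/sh
# MIT License
# Copyright (c) 2019 Jacob Gelling
# Exit when any command fails
set -e
# Report the exit status on stderr when the script ends unsuccessfully.
# The status is captured into a variable first: in the previous one-liner
# ("[ $? -eq 0 ] && exit 0 || echo ... $?") the second "$?" was the result
# of the "[" test itself, so every failure was reported as status 1.
# The trap does not call exit on failure, so the original status is kept.
trap 'sdms_status=$?; if [ "$sdms_status" -ne 0 ]; then echo "sdms failed with exit status $sdms_status" >&2; fi' EXIT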
# Help function: prints the command summary, one sub-command per line, to stdout
sdms_help() {
  printf '%s\n' \
    "sdms" \
    "Usage: sdms --deploy email hostname" \
    " sdms --new domain" \
    " sdms --ssl domain" \
    " sdms --delete domain" \
    " sdms --backup"
}
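# Get PHP version function
#
# Sets the global variable $sdms_php to the highest-sorting version directory
# found under /etc/php (the <version> in /etc/php/<version>/) and exits the
# script with status 1 when no fpm and cli php.ini exist for it. Callers read
# $sdms_php afterwards to build php.ini paths and the php<version>-fpm service
# name.
sdms_php() {
  sdms_php=""
  if [ -d "/etc/php" ]; then
    # Enumerate version directories with a glob instead of parsing "ls", so
    # a stray regular file in /etc/php can never be picked as the version.
    sdms_php="$(
      for sdms_php_dir in /etc/php/*/; do
        [ -d "$sdms_php_dir" ] || continue
        sdms_php_dir="${sdms_php_dir%/}"
        printf '%s\n' "${sdms_php_dir##*/}"
      done | sort -nr | head -n1
    )"
  fi
  # Check php.ini files exist
  if [ ! -f "/etc/php/$sdms_php/fpm/php.ini" ] || [ ! -f "/etc/php/$sdms_php/cli/php.ini" ]; then
    echo "sdms could not find php" >&2
    exit 1
  fi
}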
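# Password generation function
#
# Prints a random password of $1 characters (default 16) followed by a newline.
# The character set deliberately contains no quote, backslash, space or "#",
# because sdms_new embeds the result unescaped in a SQL statement and in a
# .my.cnf file.
sdms_pass() {
  sdms_length="$1"
  if [ -z "$sdms_length" ]; then
    sdms_length=16
  fi
  # "-" is listed last so tr cannot read it as part of a range. The value is
  # printed with printf rather than handed to xargs/echo, so no character of
  # the password can ever be interpreted as an option or an escape.
  sdms_password="$(tr -dc 'a-zA-Z0-9_!@%^&*()+{}|:<>?=-' < /dev/urandom | head -c "$sdms_length")"
  printf '%s\n' "$sdms_password"
}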
# Deploy function
#
# One-time provisioning of a fresh Debian host: installs the package set,
# sets hostname and timezone, enables unattended upgrades, trims the sshd
# banner, writes and loads the nftables ruleset, removes MariaDB's default
# anonymous/test objects, configures NGINX (nginx.conf tweaks, dhparams,
# cache/ssl/php snippets) and PHP, and registers the Let's Encrypt account
# that sdms_ssl later relies on.
#   $1 - e-mail address registered with Let's Encrypt
#   $2 - hostname applied with hostnamectl
# Exits with status 1 if /etc/nginx/nginx.conf or the PHP php.ini files are
# missing after the packages were installed.
sdms_deploy() {
  sdms_email="$1"
  sdms_hostname="$2"
  # Update and install packages
  DEBIAN_FRONTEND=noninteractive apt-get -qy update
  DEBIAN_FRONTEND=noninteractive apt-get -qy dist-upgrade
  DEBIAN_FRONTEND=noninteractive apt-get -qy install ca-certificates certbot composer curl git libnginx-mod-http-headers-more-filter libnginx-mod-http-uploadprogress mariadb-client mariadb-server nftables nginx php-cli php-curl php-fpm php-gd php-json php-mbstring php-mysql php-xml php-zip unattended-upgrades unzip wget zip
  # Set hostname
  hostnamectl set-hostname "$sdms_hostname"
  # Set timezone to UTC
  timedatectl set-timezone UTC
  # Enable unattended upgrades
  DEBIAN_FRONTEND=noninteractive dpkg-reconfigure -plow unattended-upgrades
  # Configure git
  git config --global pull.rebase false
  # Disable extra version suffix in SSH banner. The grep makes this
  # append-only step safe to re-run: it is skipped once the option exists.
  if [ -f /etc/ssh/sshd_config ] && ! grep -q "DebianBanner" /etc/ssh/sshd_config; then
    {
      echo ""
      echo "# Specifies whether the distribution-specified extra version suffix is"
      echo "# included during initial protocol handshake. The default is yes."
      echo "DebianBanner no"
    } >> "/etc/ssh/sshd_config"
    systemctl restart ssh.service
  fi
  # Configure nftables: an input chain that admits loopback, established/
  # related flows, new TCP to 22/80/443 and ICMP/ICMPv6, and counts and drops
  # everything else. The ruleset is loaded now and enabled for boot.
  # NOTE(review): the '\t' escapes rely on /bin/sh being dash, whose builtin
  # echo expands them; under bash they would be written literally (harmless
  # for nft, which ignores the indentation, but worth knowing).
  {
    echo '#!/usr/sbin/nft -f'
    echo 'flush ruleset'
    echo ''
    echo 'table inet filter {'
    echo '\tchain input {'
    echo '\t\ttype filter hook input priority 0;'
    echo ''
    echo '\t\t# Accept any localhost traffic'
    echo '\t\tiif lo accept'
    echo ''
    echo '\t\t# Accept traffic originated from us'
    echo '\t\tct state established,related accept'
    echo ''
    echo '\t\t# Accept SSH and web server traffic'
    echo '\t\ttcp dport { 22, 80, 443 } ct state new accept'
    echo ''
    echo '\t\t# Accept ICMP traffic'
    echo '\t\tip protocol icmp accept'
    echo '\t\tip6 nexthdr icmpv6 accept'
    echo ''
    echo '\t\t# Count and drop any other traffic'
    echo '\t\tcounter drop'
    echo '\t}'
    echo '}'
  } > /etc/nftables.conf
  nft -f /etc/nftables.conf
  systemctl enable nftables.service
  # Secure MariaDB server: remove anonymous accounts, non-local root logins
  # and the test database (roughly what mysql_secure_installation does)
  mariadb -e "DELETE FROM mysql.user WHERE User='';"
  mariadb -e "DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');"
  mariadb -e "DROP DATABASE IF EXISTS test;"
  mariadb -e "DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%';"
  mariadb -e "FLUSH PRIVILEGES;"
  # Generate Diffie–Hellman parameters. The file is created and made
  # unreadable by others before openssl writes into it.
  touch /etc/nginx/dhparams.pem
  chmod o-r,o-w /etc/nginx/dhparams.pem
  openssl dhparam -out /etc/nginx/dhparams.pem 2048
  # Configure NGINX. Each sed uncomments one of the stock commented-out
  # directives in Debian's nginx.conf; a pattern that no longer matches
  # (e.g. on a re-run) silently changes nothing.
  if [ -f /etc/nginx/nginx.conf ]; then
    # Hide NGINX version
    sed -i -e 's/# server_tokens off;/server_tokens off;\n\tmore_clear_headers Server;/g' /etc/nginx/nginx.conf
    # Enable gzip
    sed -i -e 's/# gzip on;/gzip on;/g' /etc/nginx/nginx.conf
    # Disable gzip for IE6
    sed -i -e 's/# gzip_disable "msie6";/gzip_disable "msie6";/g' /etc/nginx/nginx.conf
    # Enable gzip for proxies
    sed -i -e 's/# gzip_proxied any;/gzip_proxied any;/g' /etc/nginx/nginx.conf
    # Enable gzip vary
    sed -i -e 's/# gzip_vary on;/gzip_vary on;/g' /etc/nginx/nginx.conf
    # Increase gzip level
    sed -i -e 's/# gzip_comp_level/gzip_comp_level/g' /etc/nginx/nginx.conf
    # Set minimum gzip length (inserted before the still-commented gzip_types
    # line, which the next sed then enables)
    sed -i -e 's/# gzip_types/gzip_min_length 256;\n\t# gzip_types/g' /etc/nginx/nginx.conf
    # Enable gzip for all applicable files
    sed -i -e 's/# gzip_types/gzip_types application\/vnd.ms-fontobject image\/svg+xml image\/x-icon text\/x-component/g' /etc/nginx/nginx.conf
    systemctl reload nginx.service
  else
    echo "sdms could not find /etc/nginx/nginx.conf" >&2
    exit 1
  fi
  # Create NGINX cache snippet (included by every site written by sdms_new
  # and sdms_ssl)
  {
    echo '# Cache the following file types for 1 month'
    echo 'location ~ \.(css|eot|gif|htc|ico|jpeg|jpg|js|otf|png|svg|ttf|woff|woff2)$ {'
    echo '\texpires 1M;'
    echo '\tlog_not_found off;'
    echo '}'
  } > /etc/nginx/snippets/cache.conf
  # Create NGINX SSL snippet. TLSv1.3 is only offered from Debian 10 on
  # (major version read from /etc/debian_version).
  # NOTE(review): TLSv1 and TLSv1.1 are deprecated (RFC 8996) and
  # "HIGH:!aNULL:!MD5" still admits legacy suites; restricting to TLSv1.2+
  # with a current cipher list would tighten this without affecting modern
  # clients.
  {
    if [ "$(sed 's/\..*//' '/etc/debian_version')" -ge 10 ]; then
      echo 'ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;'
    else
      echo 'ssl_protocols TLSv1 TLSv1.1 TLSv1.2;'
    fi
    echo 'ssl_ciphers HIGH:!aNULL:!MD5;'
    echo 'ssl_prefer_server_ciphers on;'
    echo ''
    echo 'ssl_session_cache shared:SSL:10m;'
    echo 'ssl_session_timeout 2h;'
    echo ''
    echo 'ssl_stapling on;'
    echo 'ssl_stapling_verify on;'
    echo ''
    echo 'ssl_dhparam /etc/nginx/dhparams.pem;'
  } > /etc/nginx/snippets/ssl.conf
  # Create NGINX PHP snippet (included from each site's "location ~ \.php$")
  {
    echo '# Set max body size'
    echo 'client_max_body_size 38m;'
    echo ''
    echo '# Regex to split $uri to $fastcgi_script_name and $fastcgi_path'
    echo 'fastcgi_split_path_info ^(.+\.php)(/.+)$;'
    echo ''
    echo '# Check that the PHP script exists before passing it'
    echo 'try_files $fastcgi_script_name =404;'
    echo ''
    echo '# Bypass the fact that try_files resets $fastcgi_path_info'
    echo 'set $path_info $fastcgi_path_info;'
    echo 'fastcgi_param PATH_INFO $path_info;'
    echo ''
    echo 'fastcgi_index index.php;'
    echo 'include fastcgi.conf;'
  } > /etc/nginx/snippets/php.conf
  # Configure PHP. Each sed rewrites a stock php.ini default; the 38m/32M
  # values match client_max_body_size in the snippet above.
  sdms_php
  if [ -f "/etc/php/$sdms_php/cli/php.ini" ] && [ -f "/etc/php/$sdms_php/fpm/php.ini" ]; then
    # Hide version
    sed -i -e 's/expose_php = On/expose_php = Off/g' "/etc/php/$sdms_php/fpm/php.ini" "/etc/php/$sdms_php/cli/php.ini"
    # Set maximum file upload and post size
    sed -i -e 's/upload_max_filesize = 2M/upload_max_filesize = 32M/g' "/etc/php/$sdms_php/fpm/php.ini" "/etc/php/$sdms_php/cli/php.ini"
    sed -i -e 's/post_max_size = 8M/post_max_size = 38M/g' "/etc/php/$sdms_php/fpm/php.ini" "/etc/php/$sdms_php/cli/php.ini"
    # Hide PHP-FPM errors
    sed -i -e 's/display_errors = On/display_errors = Off/g' "/etc/php/$sdms_php/fpm/php.ini"
    # Enable strict sessions
    sed -i -e 's/session.use_strict_mode = 0/session.use_strict_mode = 1/g' "/etc/php/$sdms_php/fpm/php.ini" "/etc/php/$sdms_php/cli/php.ini"
    # Restart PHP-FPM
    systemctl restart "php$sdms_php-fpm.service"
  else
    echo "sdms could not find /etc/php/$sdms_php/cli/php.ini and /etc/php/$sdms_php/fpm/php.ini" >&2
    exit 1
  fi
  # Opt-out of Microsoft telemetry (append-once, guarded by grep like the
  # sshd change above)
  if [ -f /etc/environment ] && ! grep -q "DOTNET_CLI_TELEMETRY_OPTOUT" /etc/environment; then
    echo "DOTNET_CLI_TELEMETRY_OPTOUT=1" >> /etc/environment
  fi
  if [ -f /etc/environment ] && ! grep -q "POWERSHELL_TELEMETRY_OPTOUT" /etc/environment; then
    echo "POWERSHELL_TELEMETRY_OPTOUT=1" >> /etc/environment
  fi
  # Create www directory
  mkdir -p "/srv/www"
  # Register Let's Encrypt ACME account; if registration fails because an
  # account already exists, update its contact address instead.
  certbot register -m "$sdms_email" --agree-tos --no-eff-email -n -q || certbot update_account -m "$sdms_email" --agree-tos --no-eff-email -n -q
}
# New domain function
#
# Provisions one website: a dedicated system account with home
# /srv/www/<domain>, a MariaDB database and user of the same name (the
# credentials go into the account's .my.cnf), a PHP-FPM pool running as that
# account, and an HTTP-only NGINX site. A "www." domain additionally gets a
# redirect server block for the bare name. Run sdms_ssl afterwards to
# switch the site to HTTPS.
#   $1 - domain name; used verbatim in paths, config file names and
#        server_name, so it must be a plain DNS name
# Exits with status 1 if the domain or its redirect domain already exists
# under /srv/www, or if PHP cannot be found.
sdms_new() {
  sdms_domain="$1"
  sdms_php
  # Get redirect domain: "www.example.com" also answers for "example.com"
  # with a 301; any other domain gets no redirect block.
  if [ "${sdms_domain#www.}" != "${sdms_domain}" ]; then
    sdms_redirect_domain="${sdms_domain#www.}"
  else
    sdms_redirect_domain=""
  fi
  # Create home variable
  sdms_home="/srv/www/$sdms_domain"
  # Check domain is not already added to server
  if [ -d "$sdms_home" ]; then
    echo "sdms found domain already exists" >&2
    exit 1
  fi
  # Check redirect domain is not already added to server
  if [ ! -z "${sdms_redirect_domain}" ] && [ -d "/srv/www/$sdms_redirect_domain" ]; then
    echo "sdms found redirect domain already exists" >&2
    exit 1
  fi
  # Create other variables. The account/database name is the domain with
  # dots replaced by underscores, cut to 32 characters; sdms_delete derives
  # it the same way, so two long domains sharing a 32-character prefix would
  # collide on the same account.
  sdms_username="$(echo "$sdms_domain" | sed -e 's/\./_/g' | head -c 32)"
  sdms_db_pass="$(sdms_pass 32)"
  # Create user
  adduser --system --home "$sdms_home" --group --gecos "" "$sdms_username"
  # Add www-data to group, so it keeps access to the home directory after
  # the chmod below strips all "other" permissions
  adduser www-data "$sdms_username"
  # Create required directories
  # NOTE(review): sudo is not in the package list installed by sdms_deploy,
  # so it must already be present on the host.
  sudo -u "$sdms_username" mkdir "$sdms_home/sessions" "$sdms_home/tmp" "$sdms_home/root" "$sdms_home/root/public" "$sdms_home/.well-known" "$sdms_home/.ssh"
  chmod -R o-r,o-w,o-x "$sdms_home"
  # Create MariaDB database and user
  mariadb -e "CREATE DATABASE \`$sdms_username\`;"
  # NOTE(review): the password is part of the command line here, so it is
  # briefly visible to other local users in the process list.
  mariadb -e "GRANT ALL ON \`$sdms_username\`.* TO '$sdms_username'@'localhost' IDENTIFIED BY '$sdms_db_pass';"
  mariadb -e "FLUSH PRIVILEGES;"
  # Store the credentials in the account's .my.cnf. Only "other" is
  # stripped, so the file stays readable by the group — which includes
  # www-data; "chmod 600" would limit it to the account itself.
  sudo -u "$sdms_username" touch "$sdms_home/.my.cnf"
  chmod o-r,o-w "$sdms_home/.my.cnf"
  {
    echo "[client]"
    echo "host=localhost"
    echo "user=$sdms_username"
    echo "password=$sdms_db_pass"
  } > "$sdms_home/.my.cnf"
  # Create PHP pool: runs as the site account, listens on a www-data owned
  # unix socket, keeps uploads and sessions inside the account's home.
  {
    echo "[$sdms_domain]"
    echo "user = $sdms_username"
    echo "group = $sdms_username"
    echo ""
    echo "listen = /run/php/$sdms_domain.sock"
    echo "listen.owner = www-data"
    echo "listen.group = www-data"
    echo "listen.allowed_clients = 127.0.0.1, ::1"
    echo ""
    echo "pm = ondemand"
    echo "pm.max_children = 5"
    echo ""
    echo "security.limit_extensions = .php"
    echo ""
    echo "env[HOSTNAME] = \$HOSTNAME"
    echo "env[PATH] = /usr/local/bin:/usr/bin:/bin"
    echo ""
    echo "php_admin_value[upload_tmp_dir] = $sdms_home/tmp"
    echo "env[TMP] = $sdms_home/tmp"
    echo "env[TMPDIR] = $sdms_home/tmp"
    echo "env[TEMP] = $sdms_home/tmp"
    echo ""
    echo "php_admin_value[session.save_path] = $sdms_home/sessions"
  } > "/etc/php/$sdms_php/fpm/pool.d/$sdms_domain.conf"
  # Disable default PHP-FPM pool (renamed, not deleted, so it can be
  # restored by hand)
  if [ -f "/etc/php/$sdms_php/fpm/pool.d/www.conf" ]; then
    mv "/etc/php/$sdms_php/fpm/pool.d/www.conf" "/etc/php/$sdms_php/fpm/pool.d/www.conf.disabled"
  fi
  # Restart PHP-FPM
  systemctl restart "php$sdms_php-fpm.service"
  # Create NGINX config: optional bare-name redirect block, then the site on
  # port 80 with ACME challenges served from the account's home, hidden
  # files denied, and .php handed to the pool socket above
  {
    if [ ! -z "${sdms_redirect_domain}" ]; then
      echo "# Redirect $sdms_redirect_domain to $sdms_domain"
      echo "server {"
      echo "\tlisten 80;"
      echo "\tlisten [::]:80;"
      echo "\tserver_name $sdms_redirect_domain;"
      echo ""
      echo "\t# Allow ACME challenge validation by Let's Encrypt"
      echo "\tlocation ^~ /.well-known/acme-challenge/ {"
      echo "\t\troot $sdms_home;"
      echo "\t\tdefault_type text/plain;"
      echo "\t}"
      echo ""
      echo "\tlocation / {"
      echo "\t\treturn 301 http://$sdms_domain\$request_uri;"
      echo "\t}"
      echo "}"
      echo ""
    fi
    echo "# Serve website"
    echo "server {"
    echo "\tlisten 80;"
    echo "\tlisten [::]:80;"
    echo "\tserver_name $sdms_domain;"
    echo ""
    echo "\troot $sdms_home/root/public;"
    echo "\tindex index.php index.html;"
    echo ""
    echo "\tcharset utf-8;"
    echo "\tadd_header X-Content-Type-Options nosniff always;"
    echo ""
    echo "\tlocation / {"
    echo "\t\ttry_files \$uri \$uri/ /index.php\$is_args\$args;"
    echo "\t\t# try_files \$uri \$uri/ =404;"
    echo "\t}"
    echo ""
    echo "\t# Allow ACME challenge validation by Let's Encrypt"
    echo "\tlocation ^~ /.well-known/acme-challenge/ {"
    echo "\t\troot $sdms_home;"
    echo "\t\tdefault_type text/plain;"
    echo "\t}"
    echo ""
    echo "\t# Allow Git push to deploy"
    echo "\t# location ^~ /.git-webhooks/ {"
    echo "\t\t# root $sdms_home;"
    echo ""
    echo "\t\t# Execute .php files"
    echo "\t\t# location ~ \\.php\$ {"
    echo "\t\t\t# include snippets/php.conf;"
    echo "\t\t\t# fastcgi_pass unix:/run/php/$sdms_domain.sock;"
    echo "\t\t# }"
    echo "\t# }"
    echo ""
    echo "\t# Allow access to /.well-known/"
    echo "\tlocation ^~ /.well-known/ {}"
    echo ""
    echo "\t# Deny access to hidden files"
    echo "\tlocation ~ /\\. {"
    echo "\t\tdeny all;"
    echo "\t}"
    echo ""
    echo "\t# Execute .php files"
    echo "\tlocation ~ \\.php\$ {"
    echo "\t\tinclude snippets/php.conf;"
    echo "\t\tfastcgi_pass unix:/run/php/$sdms_domain.sock;"
    echo "\t}"
    echo ""
    echo "\t# Cache files"
    echo "\tinclude snippets/cache.conf;"
    echo "}"
  } > "/etc/nginx/sites-available/$sdms_domain"
  # Enable NGINX config
  ln -s "/etc/nginx/sites-available/$sdms_domain" "/etc/nginx/sites-enabled/$sdms_domain"
  # Restart NGINX
  systemctl restart nginx.service
  # Configure git
  sudo -u "$sdms_username" git config --global pull.rebase false
}
# SSL domain function
#
# Obtains a Let's Encrypt certificate for a domain created by sdms_new (and
# for its bare-name redirect domain when the site is "www.…") with the
# webroot HTTP challenge, then rewrites the NGINX site so port 80 only
# redirects to HTTPS and the site itself is served on 443. The site file
# written by sdms_new is replaced entirely.
#   $1 - domain name previously passed to sdms_new
# Exits with status 1 if /srv/www/<domain> does not exist.
sdms_ssl() {
  sdms_domain="$1"
  # Get redirect domain (same rule as sdms_new: "www.x" redirects "x")
  if [ "${sdms_domain#www.}" != "${sdms_domain}" ]; then
    sdms_redirect_domain="${sdms_domain#www.}"
  else
    sdms_redirect_domain=""
  fi
  # Create home variable
  sdms_home="/srv/www/$sdms_domain"
  # Check domain is added to server
  if [ ! -d "$sdms_home" ]; then
    echo "sdms domain does not exist" >&2
    exit 1
  fi
  # Generate SSL certificate. The webroot is the account's home, matching
  # the "root $sdms_home" of the acme-challenge location below; the hook
  # reloads NGINX after each renewal so it picks up the new files.
  # NOTE(review): newer certbot releases document --deploy-hook for this
  # purpose; confirm --renew-hook is still honoured by the installed version.
  if [ ! -z "${sdms_redirect_domain}" ]; then
    certbot certonly --webroot -n -q --renew-hook "systemctl reload nginx.service" -w "$sdms_home" -d "$sdms_domain" -d "$sdms_redirect_domain"
  else
    certbot certonly --webroot -n -q --renew-hook "systemctl reload nginx.service" -w "$sdms_home" -d "$sdms_domain"
  fi
  # Generate NGINX config: an HTTP block that only answers ACME challenges
  # and redirects to HTTPS, an optional HTTPS redirect block for the bare
  # name, then the HTTPS site. HSTS is left commented out in all blocks.
  {
    echo "# Redirect HTTP to HTTPS"
    echo "server {"
    echo "\tlisten 80;"
    echo "\tlisten [::]:80;"
    if [ ! -z "${sdms_redirect_domain}" ]; then
      echo "\tserver_name $sdms_redirect_domain $sdms_domain;"
    else
      echo "\tserver_name $sdms_domain;"
    fi
    echo ""
    echo "\t# Allow ACME challenge validation by Let's Encrypt"
    echo "\tlocation ^~ /.well-known/acme-challenge/ {"
    echo "\t\troot $sdms_home;"
    echo "\t\tdefault_type text/plain;"
    echo "\t}"
    echo ""
    echo "\tlocation / {"
    echo "\t\treturn 301 https://$sdms_domain\$request_uri;"
    echo "\t}"
    echo "}"
    echo ""
    if [ ! -z "${sdms_redirect_domain}" ]; then
      echo "# Redirect $sdms_redirect_domain to $sdms_domain"
      echo "server {"
      echo "\tlisten 443 ssl http2;"
      echo "\tlisten [::]:443 ssl http2;"
      echo "\tserver_name $sdms_redirect_domain;"
      echo ""
      echo "\tssl_certificate /etc/letsencrypt/live/$sdms_domain/fullchain.pem;"
      echo "\tssl_trusted_certificate /etc/letsencrypt/live/$sdms_domain/chain.pem;"
      echo "\tssl_certificate_key /etc/letsencrypt/live/$sdms_domain/privkey.pem;"
      echo "\t# add_header Strict-Transport-Security max-age=31536000 always;"
      echo "\t# add_header Strict-Transport-Security \"max-age=31536000; includeSubDomains\" always;"
      echo "\t# add_header Strict-Transport-Security \"max-age=31536000; includeSubDomains; preload\" always;"
      echo "\tinclude snippets/ssl.conf;"
      echo ""
      echo "\t# Allow ACME challenge validation by Let's Encrypt"
      echo "\tlocation ^~ /.well-known/acme-challenge/ {"
      echo "\t\troot $sdms_home;"
      echo "\t\tdefault_type text/plain;"
      echo "\t}"
      echo ""
      echo "\tlocation / {"
      echo "\t\treturn 301 https://$sdms_domain\$request_uri;"
      echo "\t}"
      echo "}"
      echo ""
    fi
    echo "# Serve website"
    echo "server {"
    echo "\tlisten 443 ssl http2;"
    echo "\tlisten [::]:443 ssl http2;"
    echo "\tserver_name $sdms_domain;"
    echo ""
    echo "\tssl_certificate /etc/letsencrypt/live/$sdms_domain/fullchain.pem;"
    echo "\tssl_trusted_certificate /etc/letsencrypt/live/$sdms_domain/chain.pem;"
    echo "\tssl_certificate_key /etc/letsencrypt/live/$sdms_domain/privkey.pem;"
    echo "\t# add_header Strict-Transport-Security max-age=31536000 always;"
    echo "\t# add_header Strict-Transport-Security \"max-age=31536000; includeSubDomains\" always;"
    echo "\t# add_header Strict-Transport-Security \"max-age=31536000; includeSubDomains; preload\" always;"
    echo "\tinclude snippets/ssl.conf;"
    echo ""
    echo "\troot $sdms_home/root/public;"
    echo "\tindex index.php index.html;"
    echo ""
    echo "\tcharset utf-8;"
    echo "\tadd_header X-Content-Type-Options nosniff always;"
    echo ""
    echo "\tlocation / {"
    echo "\t\ttry_files \$uri \$uri/ /index.php\$is_args\$args;"
    echo "\t\t# try_files \$uri \$uri/ =404;"
    echo "\t}"
    echo ""
    echo "\t# Allow ACME challenge validation by Let's Encrypt"
    echo "\tlocation ^~ /.well-known/acme-challenge/ {"
    echo "\t\troot $sdms_home;"
    echo "\t\tdefault_type text/plain;"
    echo "\t}"
    echo ""
    echo "\t# Allow Git push to deploy"
    echo "\t# location ^~ /.git-webhooks/ {"
    echo "\t\t# root $sdms_home;"
    echo ""
    echo "\t\t# Execute .php files"
    echo "\t\t# location ~ \\.php\$ {"
    echo "\t\t\t# include snippets/php.conf;"
    echo "\t\t\t# fastcgi_pass unix:/run/php/$sdms_domain.sock;"
    echo "\t\t# }"
    echo "\t# }"
    echo ""
    echo "\t# Allow access to /.well-known/"
    echo "\tlocation ^~ /.well-known/ {}"
    echo ""
    echo "\t# Deny access to hidden files"
    echo "\tlocation ~ /\\. {"
    echo "\t\tdeny all;"
    echo "\t}"
    echo ""
    echo "\t# Execute .php files"
    echo "\tlocation ~ \\.php\$ {"
    echo "\t\tinclude snippets/php.conf;"
    echo "\t\tfastcgi_pass unix:/run/php/$sdms_domain.sock;"
    echo "\t}"
    echo ""
    echo "\t# Cache files"
    echo "\tinclude snippets/cache.conf;"
    echo "}"
  } > "/etc/nginx/sites-available/$sdms_domain"
  # Reload NGINX
  systemctl reload nginx.service
}
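# Delete domain function
#
# Removes everything sdms_new (and sdms_ssl, if it was run) created for a
# domain: the NGINX site, the PHP-FPM pool, the MariaDB database and user,
# the system account together with its home directory (the site files), and
# the Let's Encrypt certificate when one exists.
#   $1 - domain name previously passed to sdms_new
# Exits with status 1 if /srv/www/<domain> does not exist or PHP cannot be
# found.
sdms_delete() {
  sdms_domain="$1"
  sdms_php
  # Create home variable
  sdms_home="/srv/www/$sdms_domain"
  # Check domain is added to server
  if [ ! -d "$sdms_home" ]; then
    echo "sdms domain does not exist" >&2
    exit 1
  fi
  # Disable NGINX config
  rm -f "/etc/nginx/sites-enabled/$sdms_domain"
  # Create username variable (same derivation as sdms_new: dots become
  # underscores, truncated to 32 characters)
  sdms_username="$(echo "$sdms_domain" | sed -e 's/\./_/g' | head -c 32)"
  # Remove www-data from group
  deluser www-data "$sdms_username"
  # Restart NGINX
  systemctl restart nginx.service
  # Delete PHP pool
  rm -f "/etc/php/$sdms_php/fpm/pool.d/$sdms_domain.conf"
  # Restart PHP-FPM
  systemctl restart "php$sdms_php-fpm.service"
  # Delete NGINX config
  rm -f "/etc/nginx/sites-available/$sdms_domain"
  # Delete MariaDB database and user
  mariadb -e "DROP DATABASE IF EXISTS \`$sdms_username\`;"
  mariadb -e "DROP USER IF EXISTS '$sdms_username'@'localhost';"
  mariadb -e "FLUSH PRIVILEGES;"
  # Delete user and its home directory, i.e. the site files
  userdel -r "$sdms_username"
  # Delete SSL certificate, but only if sdms_ssl ever issued one. Under
  # "set -e" an unconditional "certbot delete" for a domain that never had a
  # certificate makes the whole command report failure after everything
  # else has already been removed.
  if [ -d "/etc/letsencrypt/live/$sdms_domain" ]; then
    certbot delete -n -q --cert-name "$sdms_domain"
  fi
}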
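# Backup server function
#
# Writes two files into the current directory, named by the current time:
#   sdms-backup-<time>.sql.gz - mysqldump of every database
#   sdms-backup-<time>.tar.gz - /etc/letsencrypt, /etc/nginx, the active PHP
#                               cli/fpm config, /etc/nftables.conf and
#                               /srv/www minus tmp, sessions, acme-challenge
#                               and root/storage/logs contents
# Exits with status 1 if PHP cannot be found (via sdms_php).
sdms_backup() {
  sdms_php
  sdms_time_backup="$(date +'%Y-%m-%d_%H%M')"
  sdms_sql_backup="sdms-backup-$sdms_time_backup.sql"
  sdms_tar_backup="sdms-backup-$sdms_time_backup.tar.gz"
  # Both archives contain secrets (every database, the Let's Encrypt private
  # keys, each site's .my.cnf), so create them readable by the owner only.
  sdms_old_umask="$(umask)"
  umask 077
  # Dump to a plain file first and compress it as a second step. In the
  # former "mysqldump | gzip -c > file" form a failing mysqldump was hidden
  # behind gzip's exit status, so "set -e" never noticed and a truncated
  # .sql.gz was left behind looking like a good backup.
  mysqldump --all-databases > "$sdms_sql_backup"
  gzip -f "$sdms_sql_backup"
  # Backup files, excluding temporary files
  tar --exclude="/srv/www/*/tmp/*" --exclude="/srv/www/*/sessions/*" --exclude="/srv/www/*/.well-known/acme-challenge/*" --exclude="/srv/www/*/root/storage/logs/*" -zcvf "$sdms_tar_backup" "/etc/letsencrypt" "/etc/nginx" "/etc/php/$sdms_php/cli" "/etc/php/$sdms_php/fpm" "/srv/www" "/etc/nftables.conf"
  umask "$sdms_old_umask"
}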
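# Ensure script is running as root
if [ "$(id -u)" != "0" ]; then
  echo "sdms must be run as root" >&2
  exit 1
fi
# Ensure script is running on Debian 9 or later (major version is the part
# of /etc/debian_version before the first dot)
if [ ! -f '/etc/debian_version' ] || [ "$(sed 's/\..*//' '/etc/debian_version')" -lt 9 ]; then
  echo "sdms must be run on Debian 9 or later" >&2
  exit 1
fi
# Reject anything that is not a plain DNS name before it is used to build
# paths under /srv/www, a system account and database name, and NGINX /
# PHP-FPM config file names: lowercase labels of letters, digits and "-",
# joined by ".", with no empty label and no label starting or ending in "-".
# Lowercase keeps the derived account name in the form adduser expects by
# default.
#   $1 - candidate domain name
# Exits with status 1 on an invalid name.
sdms_check_domain() {
  case "$1" in
    ""|*[!a-z0-9.-]*|.*|*.|-*|*-|*..*|*.-*|*-.*)
      echo "sdms domain must be a valid lowercase DNS name: $1" >&2
      exit 1
      ;;
  esac
}
# Parse CLI parameters and call respective functions
if [ -z "$1" ]; then
  sdms_help
  exit 0
fi
while test -n "$1"; do
  case "$1" in
    --deploy)
      if [ -z "$3" ] || [ ! -z "$4" ]; then
        echo "Usage: sdms --deploy email hostname" >&2
        exit 1
      fi
      sdms_deploy "$2" "$3"
      break
      ;;
    -n|--new)
      if [ -z "$2" ]; then
        echo "Usage: sdms --new domain..." >&2
        exit 1
      fi
      sdms_check_domain "$2"
      sdms_new "$2"
      break
      ;;
    -s|--ssl)
      if [ -z "$2" ]; then
        echo "Usage: sdms --ssl domain..." >&2
        exit 1
      fi
      sdms_check_domain "$2"
      sdms_ssl "$2"
      break
      ;;
    -d|--delete)
      if [ -z "$2" ]; then
        echo "Usage: sdms --delete domain..." >&2
        exit 1
      fi
      sdms_check_domain "$2"
      sdms_delete "$2"
      break
      ;;
    -b|--backup)
      sdms_backup
      break
      ;;
    -h|--help)
      sdms_help
      break
      ;;
    *)
      sdms_help
      exit 1
      ;;
  esac
done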