LEMP for scambi.org

Procedure

Follow Debian 11 template

swap tuning

nano /etc/sysctl.d/88-tuning.conf

# Reclaim page cache before swapping out process memory (0-100; 1 = almost never swap).
vm.swappiness = 1
# Reclaim dentry/inode caches more eagerly than the default of 100.
vm.vfs_cache_pressure = 150

sysctl --system

install useful packages

apt install screen git gnupg rsync curl

prerequisites installation

apt install nginx python3-certbot-nginx mariadb-server msmtp-mta mutt

msmtp configuration

nano /etc/msmtprc

# System-wide msmtp configuration; msmtp is the "sendmail" used by mutt and by
# the cron jobs below. It contains a mailbox password in clear text, so it must
# not be world-readable: e.g. chown root:msmtp /etc/msmtprc && chmod 640
# /etc/msmtprc (Debian ships /usr/bin/msmtp setgid to that group so that
# unprivileged senders such as silicon can still read it -- verify with
# ls -l /usr/bin/msmtp on this host). Never paste the real password into this
# document; "abcdef" is a placeholder.
defaults
auth on
# TLS to the submission port. msmtp >= 1.8 trusts the system CA store by
# default; on older versions set tls_trust_file explicitly or certificate
# verification is not performed.
tls on  

account gandi
host mail.gandi.net
port 587
tls_starttls on
from [email protected]
user [email protected]
password abcdef   

account default : gandi

systemctl enable --now msmtpd

mutt configuration

su - silicon
nano .muttrc

# mutt is only used non-interactively (build-scambiorg.sh mails its log), so
# this is a send-only configuration: hand mail to msmtp, set the envelope
# sender explicitly, and keep no copies or local folders.
set sendmail="/usr/bin/msmtp"
set use_from=yes
set realname="lemp1see.scambi"
set [email protected]
set envelope_from=yes
set copy = no
set folder = ""

exit

php installation

apt install php-fpm php-xml php-cli php-cgi php-mysql php-mbstring php-gd php-curl php-zip php-json php-common php-intl php-bz2 php-gmp php-bcmath php-opcache php-pear php-imagick

php configuration

nano /etc/php/7.4/fpm/php.ini

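; Timezone for date()/log timestamps.
date.timezone = Europe/Rome

; Request body limit; must be >= upload_max_filesize. Effective limit is the
; smaller of this and nginx client_max_body_size (8M in the vhost).
post_max_size = 10M

upload_max_filesize = 8M

; Do not announce the PHP version in X-Powered-By; pairs with nginx
; "server_tokens off" set elsewhere in this procedure.
expose_php = Off

; Refuse to execute /some/file.png/x.php as PHP. The nginx vhost already
; guards this with "try_files $uri =404", this removes the dependency on it.
cgi.fix_pathinfo = 0

; Opcache: 64 MB, up to 4000 files, re-check sources at most once a minute.
opcache.enable=1
opcache.fast_shutdown=1
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=4000
opcache.memory_consumption=64
opcache.revalidate_freq=60
opcache.validate_timestamps=1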

nano /etc/php/7.4/fpm/pool.d/www.conf

; php-fpm "www" pool sizing (dynamic manager): at most 20 workers, 8 started
; at boot, 4-8 kept idle, each recycled after 10000 requests to bound leaks.
pm.max_children = 20
pm.start_servers = 8
pm.min_spare_servers = 4
pm.max_spare_servers = 8
pm.max_requests = 10000

systemctl restart php7.4-fpm

firewall configuration

firewall-cmd --permanent --zone=public --add-service={http,https}
firewall-cmd --reload

nginx configuration

nano /etc/nginx/nginx.conf

server_tokens off;

nano /etc/nginx/sites-available/scambiorg

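server {
    listen 80;
    listen [::]:80;
    server_name www.scambi.org;
    # The bare domain is canonical. Once certbot has issued the certificate,
    # change the target to https:// so www clients are not bounced through
    # plain HTTP first.
    return 301 http://scambi.org$request_uri;
}

server {
    listen 80;
    listen [::]:80;
    server_name scambi.org;
    root /var/www/scambiorg;

    # Keep in step with upload_max_filesize in php.ini.
    client_max_body_size 8M;

    access_log /var/log/nginx/scambiorg-access.log;
    error_log /var/log/nginx/scambiorg-error.log;

    # Baseline response hardening. NOTE: nginx does not inherit add_header
    # into a location that sets its own add_header, so every location that
    # adds a header (the image cache block below) must repeat these.
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;

    location / {
        # $args forwards the real query string; the previous literal
        # "?args" sent the constant string "args" to index.php.
        try_files $uri $uri/ /index.php?$args;
        index index.php index.html;
    }

    location ~ \.php$ {
        # Only hand existing files to PHP: defeats /img.png/x.php style
        # path-info tricks regardless of cgi.fix_pathinfo.
        try_files $uri =404;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
    }

    # Escaped dot: the old ".(?:webp|...)" matched any character before the
    # extension.
    location ~* \.(?:webp|jpg|png|svg)$ {
        expires 1y;
        add_header Cache-Control "public";
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    }

    # Never serve dotfiles (.git, .env, editor backups) that might end up in
    # the document root; keep .well-known reachable for ACME challenges.
    location ~ /\.(?!well-known) {
        deny all;
    }

    error_page 404 403 /404.html;

}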

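rm /etc/nginx/sites-enabled/default
ln -s /etc/nginx/sites-available/scambiorg /etc/nginx/sites-enabled/

mkdir -p /var/www/scambiorg
# silicon deploys, www-data (nginx/php-fpm) only reads.
chown -R silicon:www-data /var/www/scambiorg

# Validate the configuration first: a restart with a broken vhost leaves
# nginx down, a failed "nginx -t" leaves the running instance untouched.
nginx -t && systemctl restart nginx

certbot --nginx -d scambi.org,www.scambi.org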

add HSTS to the TLS (port 443) server block that certbot generated

nano /etc/nginx/sites-available/scambiorg

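# Belongs in the "listen 443 ssl" server block certbot created, not in the
# port-80 redirect block. "always" also emits it on 4xx/5xx responses.
# Because add_header is not inherited into a location that sets its own
# add_header, the image cache location (Cache-Control) must repeat this line
# or those responses go out without HSTS. Add includeSubDomains only once
# every *.scambi.org host is served over HTTPS.
add_header Strict-Transport-Security "max-age=31536000" always;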

systemctl restart nginx

site build (from the GitHub repository)

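# "curl | bash" as root executes whatever the CDN serves at that instant, with
# no chance to look at it. Download, read, then run the copy you read.
setup_script=$(mktemp) || exit 1
curl -fsSL https://deb.nodesource.com/setup_lts.x -o "$setup_script"
less "$setup_script"
bash "$setup_script"
rm -f -- "$setup_script"
apt install gcc g++ make nodejs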

usermod -a -G www-data silicon
su - silicon
git clone https://github.com/scambifestival/scambi.org.git

nano build-scambiorg.sh

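#!/bin/bash
# Rebuild and publish scambi.org.
#
# Runs from silicon's crontab every 15 minutes: if the tracked branch of the
# GitHub repository has moved, pull it, rebuild with npm, rsync the output to
# the nginx document root and mail the run log via mutt/msmtp.
#
# Trust boundary: whatever lands on that branch is live within 15 minutes,
# and `npm clean-install` runs the lifecycle scripts of every dependency in
# package-lock.json as this user. Anyone who can push to the branch, or who
# controls a locked dependency, can change what the site serves. Branch
# protection and review on the GitHub side are the control; this script
# cannot distinguish a legitimate push from a hostile one.

set -u
set -o pipefail

REPO_DIR=/home/silicon/scambi.org
WEB_ROOT=/var/www/scambiorg
LOG_FILE=/home/silicon/scambiorg-build.log
LOCK_FILE=/home/silicon/.build-scambiorg.lock
MAIL_TO="[email protected]"

# Append a timestamped line to the run log.
log() {
  printf '\n%s - %s\n' "$(date +%Y%m%d-%H%M%S)" "$*" >>"$LOG_FILE"
}

# Mail the run log; $1 (optional) is appended to the subject, e.g. " - ERROR".
notify() {
  mutt -a "$LOG_FILE" -s "$(date +%Y%m%d-%H%M) - Build sito scambi.org${1-}" -- "$MAIL_TO" </dev/null
}

# Log the failure, mail the log and stop.
fail() {
  log "$1"
  log "END EXECUTION"
  notify " - ERROR"
  exit 1
}

# A build slower than the cron interval must not overlap the next run (two
# npm/rsync jobs writing the same tree). Non-blocking: the later run just skips.
exec 9>"$LOCK_FILE"
flock -n 9 || exit 0

printf '%s - START EXECUTION\n' "$(date +%Y%m%d-%H%M%S)" >"$LOG_FILE"

cd "$REPO_DIR" || fail "CANNOT CD TO $REPO_DIR"

# Fetch, then compare HEAD with its upstream. The previous test ("git fetch
# --dry-run printed something") also fired on fetch *errors* (network, auth),
# which wiped web/ and rebuilt the site for nothing.
git fetch -q >>"$LOG_FILE" 2>&1 || fail "GIT FETCH ERROR"
local_head=$(git rev-parse HEAD)
remote_head=$(git rev-parse '@{u}') || fail "NO UPSTREAM BRANCH"
if [[ "$local_head" == "$remote_head" ]]; then
  log "NOTHING TO DO"
  log "END EXECUTION"
  exit 0
fi

# Drop the previous build output; ${var:?} refuses to expand to "/web".
rm -rf -- "${REPO_DIR:?}/web"

log "GIT PULL"
# --ff-only: a deploy checkout must never create merge commits of its own.
git pull -q --ff-only >>"$LOG_FILE" 2>&1 || fail "GIT PULL ERROR"

log "NPM CLEAN-INSTALL"
# If the build works without dependency lifecycle scripts, add
# --ignore-scripts here: it removes the largest supply-chain hook in this job.
npm clean-install >>"$LOG_FILE" 2>&1 || fail "NPM CLEAN-INSTALL ERROR"

log "NPM RUN BUILD"
npm run build >>"$LOG_FILE" 2>&1 || fail "BUILD ERROR"

log "RSYNC"
rsync -a --delete "$REPO_DIR/www/" "$WEB_ROOT/" >>"$LOG_FILE" 2>&1 || fail "RSYNC ERROR"

log "PERMISSIONS"
# silicon owns and deploys; www-data (nginx, php-fpm) only needs to read.
# The previous 2775/664 made the document root group-writable, i.e. writable
# by php-fpm: any file-write bug in a PHP app there becomes persistent code
# execution. Re-add group write only if something running as www-data has a
# demonstrated need to write into the document root.
chown -R silicon:www-data "$WEB_ROOT" >>"$LOG_FILE" 2>&1
find "$WEB_ROOT" -type d -exec chmod 2755 {} + >>"$LOG_FILE" 2>&1
find "$WEB_ROOT" -type f -exec chmod 644 {} + >>"$LOG_FILE" 2>&1

log "END EXECUTION"
notify
exit 0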

crontab -e

# silicon's crontab: check the repository every 15 minutes. The script as
# written takes no lock, so a build slower than 15 minutes overlaps the next run.
*/15 * * * * bash /home/silicon/build-scambiorg.sh

local backup

mkdir -p /var/local/backup/raw/{files,sql}

borg configuration

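apt install borgbackup
mkdir -p /var/local/backup/borg
# raw/ will hold database dumps and the backup script holds the passphrase:
# nothing under here should be readable by other users.
chmod 700 /var/local/backup

# -e repokey stores the key inside the repository, encrypted with the
# passphrase. Export a copy and keep it together with the passphrase in the
# Keepass database: without both, the archives cannot be read.
borg init /var/local/backup/borg -e repokey   # passphrase: (REMOVED)
borg key export /var/local/backup/borg /root/borg-local.key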

nano /var/local/backup/backup_script.sh

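#!/bin/bash
# Nightly local backup (root crontab, 04:00).
#
# 1. Mirror the nginx vhost files and /var/www into raw/files (paths kept
#    with rsync -R) and dump the database into raw/sql.
# 2. Archive raw/ into the local borg repository.
# 3. Prune to 7 daily + 4 weekly archives.
#
# raw/ is reused by dr_script.sh at 04:30 for the off-host copy, so this job
# must be finished by then. Repository and raw/ live on the same disk as the
# data they protect: this is a quick-restore copy, not disaster recovery.

set -u
set -o pipefail
# Dumps and logs hold site data and database contents: keep them root-only.
umask 077

# variables to configure
BKP_STRING="/var/local/backup/raw/"
SQL_DUMP="/var/local/backup/raw/sql/wordpress.sql"
export BORG_REPO="/var/local/backup/borg"
# The passphrase is embedded in this script, so the script must be root-only
# (chmod 700). Alternative: keep it in a 0600 file and let borg read it:
#   export BORG_PASSCOMMAND="cat /root/.borg-passphrase"
# With -e repokey the key is stored in the repository, protected by this
# passphrase alone; keep an exported copy (borg key export) with it.
export BORG_PASSPHRASE="***REMOVED***"

# script start
LOG_FILE="$(dirname "$0")/backup_log/$(date +%Y%m)_$(basename "$0" .sh).log"

# Append a timestamped line to this month's log.
log() {
  printf '\n%s - %s\n' "$(date +%Y%m%d-%H%M)" "$*" >>"$LOG_FILE"
}

# Abort the run if the previous step failed. borg exit codes: 0 ok,
# 1 warning (e.g. a file changed while being read), 2 error. The previous
# `[ "$?" = "1" ]` test aborted on warnings but let real errors (2) fall
# through to prune; any non-zero status now stops the job.
# (No need to blank BORG_* before exiting: the environment dies with the
# process.)
check() {
  local rc=$1 msg=$2
  if (( rc != 0 )); then
    log "$msg (rc=$rc)"
    exit 1
  fi
}

log "START EXECUTION"

/usr/bin/rsync -a --delete -R /./etc/nginx/sites-* /var/local/backup/raw/files/ >>"$LOG_FILE" 2>&1
check $? "RSYNC ERROR (nginx)"

/usr/bin/rsync -a --delete -R /./var/www/ /var/local/backup/raw/files/ >>"$LOG_FILE" 2>&1
check $? "RSYNC ERROR (www)"

# Dump to a temp file and rename, so a failed dump never replaces the last
# good one with a truncated file. --single-transaction gives a consistent
# InnoDB snapshot without locking tables. Authentication is over the unix
# socket as root: no password on the command line.
/usr/bin/mysqldump --user=root --single-transaction wordpress >"$SQL_DUMP.tmp" 2>>"$LOG_FILE"
check $? "MYSQLDUMP ERROR"
mv -f -- "$SQL_DUMP.tmp" "$SQL_DUMP"

log "START ARCHIVE CREATION"
borg create -v --stats --compression lz4 "$BORG_REPO::{now:%Y%m%d-%H%M}" "$BKP_STRING" >>"$LOG_FILE" 2>&1
check $? "BACKUP ERROR"

log "START PRUNE"
borg prune -v --list "$BORG_REPO" --keep-daily=7 --keep-weekly=4 >>"$LOG_FILE" 2>&1
check $? "PRUNE ERROR"

log "END EXECUTION"
exit 0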

mkdir /var/local/backup/backup_log

crontab -e

# root's crontab: local backup at 04:00; refreshes raw/, which dr_script.sh
# re-archives off-host at 04:30.
00 04 * * * /bin/bash /var/local/backup/backup_script.sh

remote (off-host) backup

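# Same caveat as the local repository: repokey keeps the key inside the repo,
# protected only by the passphrase. Export it and store it with the passphrase
# in the Keepass database; both are needed to restore.
borg init ssh://[email protected]:822/home/lemp1see/borg -e repokey   # passphrase: see Keepass database
borg key export ssh://[email protected]:822/home/lemp1see/borg /root/borg-remote.key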

nano /var/local/backup/dr_script.sh

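#!/bin/bash
# Nightly off-host backup (root crontab, 04:30).
#
# Archives raw/ -- the tree that backup_script.sh refreshes at 04:00 -- into
# the borg repository on the remote host over SSH (port 822), then prunes to
# 7 daily + 4 weekly archives. It does not refresh raw/ itself: if the 04:00
# job is late or failed, the remote copy silently repeats stale data.
#
# Remote hardening worth doing: give this host a dedicated SSH key whose
# authorized_keys entry on the remote is pinned to borg, e.g.
#   command="borg serve --restrict-to-repository /home/lemp1see/borg --append-only",restrict ssh-ed25519 ...
# and point borg at that key: export BORG_RSH="ssh -i /root/.ssh/borg_ed25519".
# A compromise of this server then cannot delete or rewrite the remote
# archives. Caveat: in append-only mode the prune below only records
# deletions; space is reclaimed from an unrestricted session on the remote
# side (check the borg docs for the installed version).

set -u
set -o pipefail
# Logs are root-only.
umask 077

# variables to configure
BKP_STRING="/var/local/backup/raw/"
export BORG_REPO="ssh://[email protected]:822/home/lemp1see/borg"
# The passphrase lives in this script, so the script must be root-only
# (chmod 700); or keep it in a 0600 file:
#   export BORG_PASSCOMMAND="cat /root/.borg-dr-passphrase"
export BORG_PASSPHRASE="see Keepass database"

# script start
LOG_FILE="$(dirname "$0")/backup_log/$(date +%Y%m)_$(basename "$0" .sh).log"

# Append a timestamped line to this month's log.
log() {
  printf '\n%s - %s\n' "$(date +%Y%m%d-%H%M)" "$*" >>"$LOG_FILE"
}

# Abort the run if the previous step failed. borg exit codes: 0 ok,
# 1 warning, 2 error. The previous `[ "$?" = "1" ]` test aborted on warnings
# but let real errors (2) fall through to prune; any non-zero status now
# stops the job. (Blanking BORG_* before exit is unnecessary: the environment
# dies with the process.)
check() {
  local rc=$1 msg=$2
  if (( rc != 0 )); then
    log "$msg (rc=$rc)"
    exit 1
  fi
}

log "START EXECUTION"

log "START ARCHIVE CREATION"
borg create -v --stats --compression lz4 "$BORG_REPO::{now:%Y%m%d-%H%M}" "$BKP_STRING" >>"$LOG_FILE" 2>&1
check $? "BACKUP ERROR"

log "START PRUNE"
borg prune -v --list "$BORG_REPO" --keep-daily=7 --keep-weekly=4 >>"$LOG_FILE" 2>&1
check $? "PRUNE ERROR"

log "END EXECUTION"
exit 0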

crontab -e

# root's crontab: off-host copy at 04:30. Relies on the 04:00 local job having
# finished refreshing raw/; it does not regenerate the dumps itself.
30 04 * * * /bin/bash /var/local/backup/dr_script.sh

visits.scambi.org (GoAccess traffic report)

mkdir /var/www/visits
chown -R silicon:www-data /var/www/visits

apt install goaccess

nano /root/visits-script.sh

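#!/bin/bash
# Regenerate the GoAccess traffic report for scambi.org from the current and
# rotated nginx access logs (zcat -f reads plain and gzipped files alike).
# Runs from root's crontab at :12 and :42.

set -u
set -o pipefail

OUT_DIR=/var/www/visits
OUT=$OUT_DIR/index.html

# Write to a fresh, O_EXCL-created temp file and rename into place. The
# previous "-o /var/www/visits/index.html" had root open -- and follow --
# whatever index.html pointed at inside a directory owned by silicon, so a
# planted symlink would have been overwritten as root. rename() also means
# nginx never serves a half-written report. This only narrows the window:
# root is still writing into a directory another user controls. The clean fix
# is to run this job as an unprivileged user that can read the logs (Debian's
# nginx logs are root:adm -- verify with ls -l /var/log/nginx).
# The template keeps the .html suffix because goaccess picks the output
# format from the file extension.
tmp=$(mktemp "$OUT_DIR/.index.XXXXXX.html") || exit 1
trap 'rm -f -- "$tmp"' EXIT

/usr/bin/zcat -f /var/log/nginx/scambiorg-access.log* \
  | /usr/bin/goaccess - --log-format=COMBINED --anonymize-ip -o "$tmp" || exit 1
chmod 644 "$tmp"
mv -f -- "$tmp" "$OUT"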

crontab -e

    # root's crontab: regenerate the report twice an hour (goaccess runs as root
    # over attacker-influenced log lines; see the note in the script).
    12,42 * * * * /bin/bash /root/visits-script.sh

nano /etc/nginx/sites-available/visits

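server {
    listen 80;
    listen [::]:80;
    server_name visits.scambi.org;
    root /var/www/visits;

    access_log /var/log/nginx/visits-access.log;
    error_log /var/log/nginx/visits-error.log;

    # The report is reachable by anyone who finds the hostname. goaccess
    # anonymises IPs, but requested URLs, referrers and user agents are shown
    # as-is. Unless publishing them is intended, gate the vhost, e.g.
    #   htpasswd -c /etc/nginx/htpasswd-visits <user>
    #   auth_basic "visits";
    #   auth_basic_user_file /etc/nginx/htpasswd-visits;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Robots-Tag "noindex" always;

    location / {
        # visits-script.sh writes a single static index.html; nothing here is
        # PHP, so this vhost carries no FastCGI handler (smaller surface than
        # copying the scambiorg block).
        try_files $uri $uri/ =404;
        index index.html;
    }

}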

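ln -s /etc/nginx/sites-available/visits /etc/nginx/sites-enabled/

# Validate first; a failed "nginx -t" leaves the running instance untouched.
nginx -t && systemctl restart nginx

certbot --nginx -d visits.scambi.org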

add HSTS to the TLS (port 443) server block that certbot generated

nano /etc/nginx/sites-available/visits

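# Goes in the "listen 443 ssl" server block certbot created. "always" also
# sends the header on 4xx/5xx responses.
add_header Strict-Transport-Security "max-age=31536000" always;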

systemctl restart nginx