Add webserver provisioning + vhost scripts, README, cheatsheet
- setup-webserver.sh: idempotent Ubuntu 24.04 LAMP provisioning (Apache event MPM + PHP 8.3-FPM + MariaDB + Node/Python, phpMyAdmin, Composer, Certbot, UFW, Fail2ban; optional components prompted/env-gated)
- add-vhost.sh: add an Apache virtual host, optional DB + TLS
- CHEATSHEET.md: day-to-day server CLI reference
- README.md: setup instructions and env-var matrix
@@ -0,0 +1,114 @@
# webserver

Provisioning + virtual-host scripts for a LAMP-style web server on **Ubuntu 24.04 LTS**.

Stack: **Apache** (event MPM) + **PHP 8.3-FPM** + **MariaDB** + Node + Python, with
phpMyAdmin (IP-restricted), Composer, Certbot, UFW and Fail2ban. `.htaccess` works out
of the box (`mod_rewrite` + `AllowOverride All`).

## Contents

| File | What it does |
|------|--------------|
| [`setup-webserver.sh`](setup-webserver.sh) | One-shot provisioning of a fresh server. Idempotent — safe to re-run. |
| [`add-vhost.sh`](add-vhost.sh) | Add an Apache virtual host (+ optional DB + TLS) for a domain. |
| [`CHEATSHEET.md`](CHEATSHEET.md) | Day-to-day CLI commands for running the server. |

## Quick start

On a fresh Ubuntu 24.04 box, as root (or with `sudo`):

```bash
# 1. Get the scripts
git clone https://git.rkeus.com/rkeus/webserver.git
cd webserver

# 2. Provision the server (prompts for each optional component)
sudo bash setup-webserver.sh

# 3. Verify, then DELETE the test page
# http://<server-ip>/info.php
sudo rm /var/www/html/info.php
```

### Add a site

```bash
# Interactive
sudo bash add-vhost.sh

# Domain as arg, rest prompted
sudo bash add-vhost.sh example.com

# Domain + web root
sudo bash add-vhost.sh example.com /var/www/example.com
```

After DNS points at the server, get HTTPS:

```bash
sudo certbot --apache -d example.com -d www.example.com
```

## Non-interactive / automation

Both scripts read environment variables so prompts are skipped — good for CI or
unattended runs.

`setup-webserver.sh` toggles (`yes` | `no`):

```bash
sudo INSTALL_NODE=no INSTALL_SWAP=yes HARDEN_SSH=no bash setup-webserver.sh
```

| Var | Default | Component |
|-----|---------|-----------|
| `INSTALL_PHPMYADMIN` | yes | phpMyAdmin, IP-restricted |
| `INSTALL_NODE` | yes | Node.js + PM2 |
| `INSTALL_REDIS` | yes | Redis + php-redis |
| `INSTALL_CERTBOT` | yes | Certbot (cert requested later) |
| `INSTALL_SWAP` | yes if RAM<4GB | swapfile |
| `INSTALL_DB_BACKUP` | yes | nightly mysqldump cron |
| `TUNE_PHP` | yes | OPcache + FPM pool tuning |
| `INSTALL_HEALTHCHECK` | yes | `healthcheck` command |
| `HARDEN_SSH` | no | key-only SSH (**lockout risk**) |

Other config (env, with defaults):

| Var | Default | Meaning |
|-----|---------|---------|
| `SERVER_NAME` | `_` | default vhost ServerName (catch-all) |
| `ADMIN_EMAIL` | `admin@example.com` | certbot contact |
| `TIMEZONE` | `UTC` | system timezone |
| `PMA_ALLOW_IPS` | `127.0.0.1` | IPs/CIDRs allowed to reach phpMyAdmin |
| `NODE_MAJOR` | `22` | NodeSource LTS line |

`add-vhost.sh` non-interactive:

```bash
sudo DOMAIN=example.com MAKE_DB=yes RUN_TLS=yes bash add-vhost.sh
```

| Var | Default | Meaning |
|-----|---------|---------|
| `DOMAIN` | — (required) | the site domain |
| `WEB_ROOT` | `/var/www/<domain>` | document root |
| `ADMIN_EMAIL` | `admin@<domain>` | TLS contact |
| `MAKE_DB` | no | create matching MariaDB DB + user |
| `RUN_TLS` | no | request Let's Encrypt cert now (DNS must resolve) |

When `MAKE_DB=yes`, generated DB credentials are written to
`/root/<domain>.db-credentials.txt` (root-only, `chmod 600`).

## Notes & safety

- **Run as root.** Both scripts refuse to run otherwise.
- **Tested on Ubuntu 24.04.** Other versions warn and continue.
- **MariaDB root** uses `unix_socket` auth — connect locally with `sudo mariadb`, no password.
- **phpMyAdmin is not public.** Defaults to localhost only; set `PMA_ALLOW_IPS` or use an
SSH tunnel: `ssh -L 8080:localhost:80 user@server` then `http://localhost:8080/phpmyadmin`.
- **`HARDEN_SSH=yes` can lock you out.** It refuses unless an `authorized_keys` already
exists. Keep an SSH session open and test a new login before closing it.
- After provisioning, **delete** `/var/www/html/info.php`.

See [`CHEATSHEET.md`](CHEATSHEET.md) for the day-to-day command reference.
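Review bot: Quick start step 3 leaves `/var/www/html/info.php` reachable from any address on the catch-all `_` vhost until the operator remembers `sudo rm /var/www/html/info.php`; if it is the usual `phpinfo()` page it discloses the PHP version, loaded modules, filesystem paths and environment variables, so have `setup-webserver.sh` remove it itself once the check passes (or restrict it to `PMA_ALLOW_IPS` the way phpMyAdmin is) instead of relying on the manual deletion the README has to repeat under "Notes & safety". In the same section, the `PMA_ALLOW_IPS` advice should say that phpMyAdmin lives on the default vhost, which only serves plain HTTP (`SERVER_NAME` defaults to `_`, which Certbot cannot issue for, and the tunnel example targets port 80), so remote phpMyAdmin logins allowed that way travel in clear; steer operators to the SSH tunnel and state the trade-off. Two documentation gaps for unattended runs: the UFW rules are never described (which ports are opened, and that SSH is allowed before the firewall is enabled, which matters with `HARDEN_SSH=yes`), and the `INSTALL_DB_BACKUP` row does not say where the nightly `mysqldump` output lands or with what permissions, even though the credentials-file row is careful to state `chmod 600`. Lastly, the `ADMIN_EMAIL` default `admin@example.com` is a placeholder that must be overridden for a real run, since Let's Encrypt refuses `example.com` contact addresses; mark it required or mention this in the table.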