admin 7d4ae3e221 Add webserver provisioning + vhost scripts, README, cheatsheet
- setup-webserver.sh: idempotent Ubuntu 24.04 LAMP provisioning
  (Apache event MPM + PHP 8.3-FPM + MariaDB + Node/Python, phpMyAdmin,
  Composer, Certbot, UFW, Fail2ban; optional components prompted/env-gated)
- add-vhost.sh: add an Apache virtual host, optional DB + TLS
- CHEATSHEET.md: day-to-day server CLI reference
- README.md: setup instructions and env-var matrix
2026-06-22 04:01:43 +00:00


# webserver
Provisioning + virtual-host scripts for a LAMP-style web server on **Ubuntu 24.04 LTS**.
Stack: **Apache** (event MPM) + **PHP 8.3-FPM** + **MariaDB** + Node + Python, with
phpMyAdmin (IP-restricted), Composer, Certbot, UFW and Fail2ban. `.htaccess` works out
of the box (`mod_rewrite` + `AllowOverride All`).
## Contents
| File | What it does |
|------|--------------|
| [`setup-webserver.sh`](setup-webserver.sh) | One-shot provisioning of a fresh server. Idempotent — safe to re-run. |
| [`add-vhost.sh`](add-vhost.sh) | Add an Apache virtual host (+ optional DB + TLS) for a domain. |
| [`CHEATSHEET.md`](CHEATSHEET.md) | Day-to-day CLI commands for running the server. |
## Quick start
On a fresh Ubuntu 24.04 box, as root (or with `sudo`):
```bash
# 1. Get the scripts
git clone https://git.rkeus.com/rkeus/webserver.git
cd webserver
# 2. Provision the server (prompts for each optional component)
sudo bash setup-webserver.sh
# 3. Verify, then DELETE the test page
# http://<server-ip>/info.php
sudo rm /var/www/html/info.php
```
### Add a site
```bash
# Interactive
sudo bash add-vhost.sh
# Domain as arg, rest prompted
sudo bash add-vhost.sh example.com
# Domain + web root
sudo bash add-vhost.sh example.com /var/www/example.com
```
After DNS points at the server, get HTTPS:
```bash
sudo certbot --apache -d example.com -d www.example.com
```
## Non-interactive / automation
Both scripts read environment variables so prompts are skipped — good for CI or
unattended runs.
`setup-webserver.sh` toggles (`yes` | `no`):
```bash
sudo INSTALL_NODE=no INSTALL_SWAP=yes HARDEN_SSH=no bash setup-webserver.sh
```
| Var | Default | Component |
|-----|---------|-----------|
| `INSTALL_PHPMYADMIN` | yes | phpMyAdmin, IP-restricted |
| `INSTALL_NODE` | yes | Node.js + PM2 |
| `INSTALL_REDIS` | yes | Redis + php-redis |
| `INSTALL_CERTBOT` | yes | Certbot (cert requested later) |
| `INSTALL_SWAP` | yes if RAM < 4 GB | swapfile |
| `INSTALL_DB_BACKUP` | yes | nightly mysqldump cron |
| `TUNE_PHP` | yes | OPcache + FPM pool tuning |
| `INSTALL_HEALTHCHECK` | yes | `healthcheck` command |
| `HARDEN_SSH` | no | key-only SSH (**lockout risk**) |
Other config (env, with defaults):
| Var | Default | Meaning |
|-----|---------|---------|
| `SERVER_NAME` | `_` | default vhost ServerName (catch-all) |
| `ADMIN_EMAIL` | `admin@example.com` | certbot contact |
| `TIMEZONE` | `UTC` | system timezone |
| `PMA_ALLOW_IPS` | `127.0.0.1` | IPs/CIDRs allowed to reach phpMyAdmin |
| `NODE_MAJOR` | `22` | NodeSource LTS line |
`add-vhost.sh` non-interactive:
```bash
sudo DOMAIN=example.com MAKE_DB=yes RUN_TLS=yes bash add-vhost.sh
```
| Var | Default | Meaning |
|-----|---------|---------|
| `DOMAIN` | — (required) | the site domain |
| `WEB_ROOT` | `/var/www/<domain>` | document root |
| `ADMIN_EMAIL` | `admin@<domain>` | TLS contact |
| `MAKE_DB` | no | create matching MariaDB DB + user |
| `RUN_TLS` | no | request Let's Encrypt cert now (DNS must resolve) |
When `MAKE_DB=yes`, generated DB credentials are written to
`/root/<domain>.db-credentials.txt` (root-only, `chmod 600`).
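A pre-flight wrapper for unattended runs, added here as an example and not part of this repository: it validates `PMA_ALLOW_IPS` as a comma-separated IPv4/CIDR list and, when `HARDEN_SSH=yes`, confirms that an `authorized_keys` file holds at least one real, uncommented key line before `setup-webserver.sh` is invoked. The file name `preflight.sh`, the `AUTHORIZED_KEYS_FILE` override and the default of root's `~/.ssh/authorized_keys` are assumptions; the provisioning script itself only checks that an `authorized_keys` exists, so this wrapper is deliberately stricter.

```shell
#!/bin/sh
# preflight.sh: example wrapper (not part of the repo) that checks the inputs an
# unattended setup-webserver.sh run depends on before calling the real script.
set -eu

# One IPv4 address with an optional /0-32 prefix. Assumption: IPv4 only, which
# is what the README's PMA_ALLOW_IPS default uses.
valid_ipv4_cidr() {
  s=$1
  ip=${s%%/*}
  case $s in
    */*) prefix=${s#*/}; [ -n "$prefix" ] || return 1 ;;
    *)   prefix="" ;;
  esac
  # Shape: four dot-separated groups of 1-3 digits.
  printf '%s\n' "$ip" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' || return 1
  # Range: every octet 0-255.
  for octet in $(printf '%s' "$ip" | tr '.' ' '); do
    [ "$octet" -le 255 ] || return 1
  done
  if [ -n "$prefix" ]; then
    printf '%s\n' "$prefix" | grep -Eq '^[0-9]{1,2}$' || return 1
    [ "$prefix" -le 32 ] || return 1
  fi
  return 0
}

# PMA_ALLOW_IPS: comma (or space) separated list. Every entry must validate and
# an empty list is rejected rather than passed through to the script.
valid_allow_list() {
  [ -n "$1" ] || return 1
  old_ifs=$IFS
  IFS=', '
  set -- $1
  IFS=$old_ifs
  [ $# -gt 0 ] || return 1
  for entry in "$@"; do
    valid_ipv4_cidr "$entry" || return 1
  done
  return 0
}

# HARDEN_SSH=yes prerequisite. The file must be non-empty and contain at least
# one uncommented public-key line (key type followed by base64 key material);
# a file holding only comments would satisfy a bare "does it exist" check and
# still lock you out.
has_usable_authorized_keys() {
  f=$1
  [ -s "$f" ] || return 1
  grep -v '^[[:space:]]*#' "$f" | grep -Eq \
    '(^|[[:space:]])(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)|sk-[^[:space:]]+@openssh\.com)[[:space:]]+[A-Za-z0-9+/]+=*'
}

preflight() {
  allow=${PMA_ALLOW_IPS:-127.0.0.1}            # README default
  if ! valid_allow_list "$allow"; then
    echo "PMA_ALLOW_IPS is not a valid IPv4/CIDR list: '$allow'" >&2
    return 1
  fi
  if [ "${HARDEN_SSH:-no}" = yes ]; then
    # Assumption: root's key file, since the scripts run as root.
    keys=${AUTHORIZED_KEYS_FILE:-/root/.ssh/authorized_keys}
    if ! has_usable_authorized_keys "$keys"; then
      echo "HARDEN_SSH=yes but $keys has no usable key; refusing (lockout risk)" >&2
      return 1
    fi
  fi
  return 0
}

# Only provision when executed as preflight.sh itself, never when sourced.
# The environment (PMA_ALLOW_IPS, HARDEN_SSH, ...) is inherited by the script.
if [ "${0##*/}" = preflight.sh ]; then
  preflight
  exec bash setup-webserver.sh
fi
```

Run it as root the same way the README runs the script, e.g. `sudo PMA_ALLOW_IPS=203.0.113.0/24 HARDEN_SSH=yes sh preflight.sh`; a bad allow-list or a key file without a usable key stops the run before anything is installed.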
## Notes & safety
- **Run as root.** Both scripts refuse to run otherwise.
- **Tested on Ubuntu 24.04.** Other versions warn and continue.
- **MariaDB root** uses `unix_socket` auth — connect locally with `sudo mariadb`, no password.
- **phpMyAdmin is not public.** Defaults to localhost only; set `PMA_ALLOW_IPS` or use an
SSH tunnel: `ssh -L 8080:localhost:80 user@server` then `http://localhost:8080/phpmyadmin`.
- **`HARDEN_SSH=yes` can lock you out.** It refuses unless an `authorized_keys` already
exists. Keep an SSH session open and test a new login before closing it.
- After provisioning, **delete** `/var/www/html/info.php`.
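A post-provisioning check, added as an example and not part of this repository, that confirms the two clean-up points above: the `info.php` test page is gone and every generated `/root/<domain>.db-credentials.txt` is still a root-owned, mode 0600 file. The script name `postcheck.sh` is assumed; the paths are the README's. The functions take the path and expected owner as arguments so they can be exercised on temporary files.

```shell
#!/bin/sh
# postcheck.sh: example post-provisioning check (not part of the repo).
set -eu

# The PHP info page reveals version and configuration details, so after the
# README's verification step it must not exist any more.
info_page_removed() {
  [ ! -e "$1" ]
}

# A credentials file must be a regular file, mode exactly 0600, owned by the
# expected user (root on a real server). find(1) does the matching so the check
# works with both GNU and BSD userland.
creds_file_locked_down() {
  f=$1
  owner=$2
  [ -f "$f" ] || return 1
  [ -n "$(find "$f" -maxdepth 0 -type f -perm 600 -user "$owner")" ]
}

# Walk every credentials file add-vhost.sh (MAKE_DB=yes) may have written in
# $1 and report the ones that drifted from $2:0600. Non-zero if any did.
check_all_creds() {
  dir=${1:-/root}
  owner=${2:-root}
  bad=0
  for f in "$dir"/*.db-credentials.txt; do
    [ -e "$f" ] || continue           # glob matched nothing
    if creds_file_locked_down "$f" "$owner"; then
      echo "ok    $f"
    else
      echo "FIX   $f: expected $owner, mode 0600 -> chmod 600 '$f'; chown $owner '$f'" >&2
      bad=1
    fi
  done
  return $bad
}

postcheck() {
  rc=0
  if info_page_removed /var/www/html/info.php; then
    echo "ok    info.php removed"
  else
    echo "FIX   /var/www/html/info.php still present: sudo rm /var/www/html/info.php" >&2
    rc=1
  fi
  check_all_creds /root root || rc=1
  return $rc
}

# Run the real checks only when executed as postcheck.sh (needs root to read /root).
if [ "${0##*/}" = postcheck.sh ]; then
  postcheck
fi
```

A non-zero exit with `FIX` lines on stderr is the signal to act on; wiring `sudo sh postcheck.sh` into a cron or CI job after each `add-vhost.sh` run keeps the credential files from quietly drifting to a wider mode.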
See [`CHEATSHEET.md`](CHEATSHEET.md) for the day-to-day command reference.