7d4ae3e2214029ce215d967eee2173011d2371d8
- setup-webserver.sh: idempotent Ubuntu 24.04 LAMP provisioning (Apache event MPM + PHP 8.3-FPM + MariaDB + Node/Python, phpMyAdmin, Composer, Certbot, UFW, Fail2ban; optional components prompted/env-gated)
- add-vhost.sh: add an Apache virtual host, optional DB + TLS
- CHEATSHEET.md: day-to-day server CLI reference
- README.md: setup instructions and env-var matrix
webserver
Provisioning + virtual-host scripts for a LAMP-style web server on Ubuntu 24.04 LTS.
Stack: Apache (event MPM) + PHP 8.3-FPM + MariaDB + Node + Python, with
phpMyAdmin (IP-restricted), Composer, Certbot, UFW and Fail2ban. .htaccess works out
of the box (mod_rewrite + AllowOverride All).
Contents
| File | What it does |
|---|---|
| `setup-webserver.sh` | One-shot provisioning of a fresh server. Idempotent — safe to re-run. |
| `add-vhost.sh` | Add an Apache virtual host (+ optional DB + TLS) for a domain. |
| `CHEATSHEET.md` | Day-to-day CLI commands for running the server. |
Quick start
On a fresh Ubuntu 24.04 box, as root (or with sudo):
```bash
# 1. Get the scripts
git clone https://git.rkeus.com/rkeus/webserver.git
cd webserver

# 2. Provision the server (prompts for each optional component)
sudo bash setup-webserver.sh

# 3. Verify, then DELETE the test page
#    http://<server-ip>/info.php
sudo rm /var/www/html/info.php
```
Add a site
```bash
# Interactive
sudo bash add-vhost.sh

# Domain as arg, rest prompted
sudo bash add-vhost.sh example.com

# Domain + web root
sudo bash add-vhost.sh example.com /var/www/example.com
```
After DNS points at the server, get HTTPS:
```bash
sudo certbot --apache -d example.com -d www.example.com
```
Non-interactive / automation
Both scripts read environment variables so prompts are skipped — good for CI or unattended runs.
setup-webserver.sh toggles (yes | no):
```bash
sudo INSTALL_NODE=no INSTALL_SWAP=yes HARDEN_SSH=no bash setup-webserver.sh
```
| Var | Default | Component |
|---|---|---|
| `INSTALL_PHPMYADMIN` | yes | phpMyAdmin, IP-restricted |
| `INSTALL_NODE` | yes | Node.js + PM2 |
| `INSTALL_REDIS` | yes | Redis + php-redis |
| `INSTALL_CERTBOT` | yes | Certbot (cert requested later) |
| `INSTALL_SWAP` | yes if RAM<4GB | swapfile |
| `INSTALL_DB_BACKUP` | yes | nightly mysqldump cron |
| `TUNE_PHP` | yes | OPcache + FPM pool tuning |
| `INSTALL_HEALTHCHECK` | yes | healthcheck command |
| `HARDEN_SSH` | no | key-only SSH (lockout risk) |
Other config (env, with defaults):
| Var | Default | Meaning |
|---|---|---|
| `SERVER_NAME` | `_` | default vhost ServerName (catch-all) |
| `ADMIN_EMAIL` | `admin@example.com` | certbot contact |
| `TIMEZONE` | `UTC` | system timezone |
| `PMA_ALLOW_IPS` | `127.0.0.1` | IPs/CIDRs allowed to reach phpMyAdmin |
| `NODE_MAJOR` | `22` | NodeSource LTS line |
add-vhost.sh non-interactive:
```bash
sudo DOMAIN=example.com MAKE_DB=yes RUN_TLS=yes bash add-vhost.sh
```
| Var | Default | Meaning |
|---|---|---|
| `DOMAIN` | — (required) | the site domain |
| `WEB_ROOT` | `/var/www/<domain>` | document root |
| `ADMIN_EMAIL` | `admin@<domain>` | TLS contact |
| `MAKE_DB` | no | create matching MariaDB DB + user |
| `RUN_TLS` | no | request Let's Encrypt cert now (DNS must resolve) |
When MAKE_DB=yes, generated DB credentials are written to
/root/<domain>.db-credentials.txt (root-only, chmod 600).
Notes & safety
- Run as root. Both scripts refuse to run otherwise.
- Tested on Ubuntu 24.04. Other versions warn and continue.
- MariaDB root uses `unix_socket` auth — connect locally with `sudo mariadb`, no password.
- phpMyAdmin is not public. Defaults to localhost only; set `PMA_ALLOW_IPS` or use an SSH tunnel: `ssh -L 8080:localhost:80 user@server` then `http://localhost:8080/phpmyadmin`.
- `HARDEN_SSH=yes` can lock you out. It refuses unless an `authorized_keys` already exists. Keep an SSH session open and test a new login before closing it.
- After provisioning, delete `/var/www/html/info.php`.
See CHEATSHEET.md for the day-to-day command reference.
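A post-provisioning check for two of the items above, the leftover `info.php` and the permissions on generated credential files, as an added example that is not part of this repository's scripts. The `audit_webserver` function and its optional path-prefix argument are hypothetical names; the prefix exists only so the checks can be exercised against a scratch directory.

```shell
#!/usr/bin/env bash
# Added example: audit a provisioned host for two leftovers named in the README.
# audit_webserver [PREFIX]  -- PREFIX is a hypothetical test knob ("" = live system).
# Returns the number of findings as its exit status (0 = clean).

audit_webserver() {
    local prefix="${1:-}" findings=0 f mode owner

    # 1. The PHP test page exposes versions, modules and paths; it must be gone.
    if [ -e "$prefix/var/www/html/info.php" ]; then
        echo "FAIL: $prefix/var/www/html/info.php still exists"
        findings=$((findings + 1))
    fi

    # 2. Credentials written by add-vhost.sh (MAKE_DB=yes) must be mode 600.
    for f in "$prefix"/root/*.db-credentials.txt; do
        [ -e "$f" ] || continue          # glob matched nothing
        mode=$(stat -c '%a' "$f")        # GNU stat, as shipped on Ubuntu
        if [ "$mode" != "600" ]; then
            echo "FAIL: $f has mode $mode, expected 600"
            findings=$((findings + 1))
        fi
        # Ownership is only meaningful on the live system, not a test tree.
        if [ -z "$prefix" ]; then
            owner=$(stat -c '%U' "$f")
            if [ "$owner" != "root" ]; then
                echo "FAIL: $f is owned by $owner, expected root"
                findings=$((findings + 1))
            fi
        fi
    done

    if [ "$findings" -eq 0 ]; then
        echo "OK: no findings"
    fi
    return "$findings"
}
```

On a real server, source the file and run `audit_webserver` as root with no argument; a non-zero exit status is the number of findings.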