Revised script for LEMP install with PHP7.4 and PHP8.0

Currently successfully needs more testing on a Debian OS 11.5.0 installation.

Step-by-step is functioning, will now wipe the server to start from scratch again. Also, the previous article will now be deleted.

Note:
If you are using this on a fresh Debian install, SUDO might not have been installed, nor has the user (so not the root) been add to SUDO. This is how you do that if you are logged in as user:

su -
apt update
apt install sudo
usermod -aG sudo <username>
exit
exit

You need to exit twice so you log out as root and as user. After that, you need to log back in as user so you can start using sudo from now on.


Let’s begin! You can name the script something like

setup.sh
#!/bin/bash

# Update system
sudo apt update
sudo apt upgrade -y

# Install necessary packages
sudo apt install gnupg nginx mariadb-server php7.4-fpm php7.4-mysql php7.4-curl php7.4-gd php7.4-mbstring php7.4-xml php7.4-zip ssh ufw nano fail2ban curl wget sudo openssl net-tools unzip -y

# Add repository key for PHP 8.0
sudo apt install software-properties-common -y
sudo wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg

# Add repository for PHP 8.0
echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/php.list
sudo apt update

# Install PHP 8.0 and extensions
sudo apt install php8.0-fpm php8.0-mysql php8.0-curl php8.0-gd php8.0-mbstring php8.0-xml php8.0-zip -y

# Configure UFW to allow web traffic and SSH
sudo ufw allow OpenSSH
sudo ufw allow 'Nginx Full'
sudo ufw allow 3306/tcp

# Enable UFW
sudo ufw enable

# Configure automatic security updates
echo 'APT::Periodic::Update-Package-Lists "1";' | sudo tee -a /etc/apt/apt.conf.d/10periodic
echo 'APT::Periodic::Download-Upgradeable-Packages "1";' | sudo tee -a /etc/apt/apt.conf.d/10periodic
echo 'APT::Periodic::AutocleanInterval "7";' | sudo tee -a /etc/apt/apt.conf.d/10periodic
echo 'APT::Periodic::Unattended-Upgrade "1";' | sudo tee -a /etc/apt/apt.conf.d/20auto-upgrades

# Disable root login via SSH
sudo sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin no/' /etc/ssh/sshd_config
sudo systemctl restart sshd

# Generate SSH key pairs
ssh-keygen -t rsa -b 4096

# Configure Nginx
sudo systemctl start nginx
sudo systemctl enable nginx

# Configure PHP 7.4
sudo systemctl start php7.4-fpm
sudo systemctl enable php7.4-fpm

# Configure PHP 8.0
sudo systemctl start php8.0-fpm
sudo systemctl enable php8.0-fpm

# Configure MariaDB
sudo mysql_secure_installation

# Allow Nginx to use PHP
sudo sed -i 's/;cgi.fix_pathinfo=1/cgi.fix_pathinfo=0/' /etc/php/7.4/fpm/php.ini
sudo sed -i 's/;cgi.fix_pathinfo=1/cgi.fix_pathinfo=0/' /etc/php/8.0/fpm/php.ini

# Restart Nginx and PHP services
sudo systemctl restart nginx
sudo systemctl restart php7.4-fpm
sudo systemctl restart php8.0-fpm

# Create a temporary file to store server and PHP info
tmpfile=$(mktemp)

# Get server info
uname -a > "$tmpfile"

# Get PHP version
php -v >> "$tmpfile"

# Append server and PHP info to index.html
cat "$tmpfile" | sudo tee /var/www/html/index.html >/dev/null

# Remove temporary file
rm "$tmpfile"

# Install adminer 
sudo apt install adminer -y
sudo ln -s /usr/share/adminer/adminer.php /var/www/html/adminer.php
sudo chown -R www-data:www-data /usr/share/adminer /var/www/html/adminer.php

# Set the permissions correct for www
sudo chmod g+w /var/www
sudo chown -R :www-data www
sudo chmod g+s www

change_ownership() {
    sudo chown -R "$1":www-data /var/www
    echo "Ownership of the www folder has been set to $1:www-data."
}

# Loop until a valid username is provided
while true; do
    # Prompt the user to enter the desired username
    read -p "Enter the username for permissions: " username

    # Check if the username provided exists
    if id "$username" &>/dev/null; then
        change_ownership "$username"
        break  # Exit the loop if a valid username is provided
    else
        echo "Error: User $username does not exist."
    fi
done
echo "LEMP setup completed successfully."
echo "Check if Adminer is working by opening a browser, and entering http://IP_address/adminer.php in the address bar"

To make the script executable:

sudo chmod +x setup.sh

and run it with

sudo ./setup.sh

When things like PHP fail to work (becuase y’know… PHP)
These are the files that have to look this way to make PHP happen.

sudo nano /etc/nginx/sites-available/default
##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# https://www.nginx.com/resources/wiki/start/
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
# https://wiki.debian.org/Nginx/DirectoryStructure
#
# In most cases, administrators will remove this file from sites-enabled/ and
# leave it as reference inside of sites-available where it will continue to be
# updated by the nginx packaging team.
#
# This file will automatically load configuration files provided by other
# applications, such as Drupal or WordPress. These applications will be made
# available underneath a path with that package name, such as /drupal8.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##

# Default server configuration
#
server {
    listen 80 default_server;
    listen [::]:80 default_server;

    # SSL configuration
    #
    # listen 443 ssl default_server;
    # listen [::]:443 ssl default_server;
    #
    # Note: You should disable gzip for SSL traffic.
    # See: https://bugs.debian.org/773332
    #
    # Read up on ssl_ciphers to ensure a secure configuration.
    # See: https://bugs.debian.org/765782
    #
    # Self signed certs generated by the ssl-cert package
    # Don't use them in a production server!
    #
    # include snippets/snakeoil.conf;

    root /var/www/html;

    # Add index.php to the list if you are using PHP
    index index.php index.html index.htm index.nginx-debian.html;

    server_name _;

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
    }

    # pass PHP scripts to FastCGI server
    #
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
    
    #	# With php-fpm (or other unix sockets):
        fastcgi_pass unix:/run/php/php8.0-fpm.sock;
#non-standard addition
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
    #	# With php-cgi (or other tcp sockets):
    #	fastcgi_pass 127.0.0.1:9000;
    #}

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #location ~ /\.ht {
    #	deny all;
    #}
}


# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
#	listen 80;
#	listen [::]:80;
#
#	server_name example.com;
#
#	root /var/www/example.com;
#	index index.html;
#
#	location / {
#		try_files $uri $uri/ =404;
#	}
#}
sudo nano /etc/nginx/nginx.conf
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
    worker_connections 768;
    # multi_accept on;
}

http {

    ##
    # Basic Settings
    ##

    sendfile on;
    tcp_nopush on;
    types_hash_max_size 2048;
    # server_tokens off;

    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # SSL Settings
    ##

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;

    ##
    # Logging Settings
    ##

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##

    gzip on;

    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    ##
    # Virtual Host Configs
    ##

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;

    ##
    # PHP Config
    ##

    # PHP-FPM upstream
    upstream php {
        server unix:/var/run/php/php8.0-fpm.sock; # Adjust the PHP version if necessary
    }


#mail {
#	# See sample authentication script at:
#	# http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
#	# auth_http localhost/auth.php;
#	# pop3_capabilities "TOP" "USER";
#	# imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#	server {
#		listen     localhost:110;
#		protocol   pop3;
#		proxy      on;
#	}
#
#	server {
#		listen     localhost:143;
#		protocol   imap;
#		proxy      on;
#	}
#}
}

And when you enter the following commands, you restart NGINX and PHP FPM and there should be no error message.

sudo systemctl restart nginx

# Adjust the PHP version if necessary. In my case, I want PHP 8.0

sudo systemctl restart php8.0-fpm

Good luck 🙂

Loading

[MASTODON 4.2.5] How to update Mastodon to a new version

For the old version, click here.

So a new release came out and it is important to get this update as soon as possible! This manual is a transcript of the way that I have updated my Mastodon instance. Please make sure you make proper backups and use your brain while updating things

Linux flavour: Debian
Update from: 4.2.X

  1. Log into your server
  2. su - mastodon
  3. cd /home/mastodon/live
  4. git fetch --tags
  5. git checkout [type the most recent version here, starting with the letter v. For example; v4.2.5
    
    git checkout v4.2.5
  6. If you get a ruby version error, please see bottom of this article for a fix!
    
    bundle install
    
  7. yarn install
  8. RAILS_ENV=production bundle exec rails db:migrate
  9. RAILS_ENV=production bundle exec rails assets:precompile
  10. exit

Okay, you can not choose to either reboot or restart the services.

REBOOT:

  1. This command may vary, depending on your Linux flavour.
    
    systemctl reboot

RESTART:

  1. This command may vary, depending on your Linux flavour.
    
    systemctl restart mastodon-sidekiq
    systemctl reload mastodon-web
    
    Optional:
    
    systemctl restart mastodon-streaming

RUBY VERSION ISSUES

My system was unable to find the required v3.2.3 of Ruby and I have fixed this by doing the following steps:

  1. Please make sure that your path is correct.
    
    git -C ~/.rbenv/plugins/ruby-build pull
  2. rbenv install 3.2.3
    
    *WAIT TILL DONE* (it may take a little while)
  3. To check all the installed versions type:
    
    rbenv versions
  4. To set v3.2.3 as the global version, type:
    
    rbenv global 3.2.3
  5. To double-check the active, installed version, type:
    
    rbenv versions
  6. Done!

This manual is a transcript of the way that I have updated my Mastodon instance. Please make sure you make proper backups and use your brain while updating things.

Sources: https://richstone.io/where-is-ruby-3-0-0-on-rbenv/

Loading

CloudPanel website causing “Too many redirects”

I have installed CloudPanel and the new website caused a “Too many redirects” bug. This is because my SSL certificates are controlled by a proxy and this can cause some confusion between the systems. Also, because CloudPanel installs its own certificates.

This application can also install a Let’s Encrypt certificate, but this works only in more conventional systems. Mine is going through a DNS to a Proxy that listens to a certain IP address and that proxy redirects the request to a Virtual Machine on one of my servers.

So, here is my, probably unconventional method of disabling the SSL certificates on my CloudPanel installation:

  1. Open the CloudPanel controlpanel.
  2. Select the website you want to edit
  3. Choose the Vhost tab
  4. Change the following code into the new code:
server {
listen 80;
listen [::]:80;
listen 443 ssl http2;
listen [::]:443 ssl http2;
{{ssl_certificate_key}}
{{ssl_certificate}}
server_name subdomain.3xn.nl;
{{root}}

{{nginx_access_log}}
{{nginx_error_log}}

if ($scheme != "https") {
rewrite ^ https://$host$uri permanent;
}
server {
listen 80;
listen [::]:80;
# listen 443 ssl http2;
# listen [::]:443 ssl http2;
# {{ssl_certificate_key}}
# {{ssl_certificate}}
server_name subdomain.3xn.nl;
{{root}}

{{nginx_access_log}}
{{nginx_error_log}}

# if ($scheme != "https") {
# rewrite ^ https://$host$uri permanent;
# }

Done! Your website should now say “Hello world :-)”

You can see that I have disabled the listen to port 443, the certificate keys, the forced https and the path to the keys. I chose to switch off the forced HTTP, because my proxy is already taking care of that.

This post is subject to change, but this helps you along your way!

Loading

A working Apache2 server with PHP7.4

I was in need of a server solution that could be quickly deployed as a VM.

      1. Install Debian 11 as a VM with web- and SSH server
      2. Create a USER next to your root account during the installation
      3. Find the IP address of the new installation. The easiest is if you have NoVNC running. Log in as USER and type
        ip a
      4. Time to so the sudo thing
        su

        log in as root

        apt-get update && apt-get install -y sudo
        usermod -aG sudo USER
        exit
        exit

        log back in as USER

      5. Okay, let’s install some more stuff but first we do an update
        sudo apt-get update && sudo apt-get upgrade -y

        Now we want some essentials

        sudo apt-get install -y dirmngr gnupg2 nano wget gpg curl fail2ban ufw software-properties-common

        Preparing the PHP install

        wget -q https://packages.sury.org/php/apt.gpg -O- | sudo apt-key add -
        echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/php.list
        sudo apt-get update
        sudo apt-get install -y php7.4 libapache2-mod-php7.4 php7.4-mysql php7.4-curl php7.4-gd php7.4-mbstring php7.4-xml php7.4-xmlrpc php7.4-zip

        And restart the Apache2 Webserver

        sudo systemctl restart apache2
      6. Alright, that’s done. Next step is to test things.
        sudo nano /var/www/html/test.php

        Enter this into the php file and press Control X and type Y to save and exit.

        <?php
        // Show all PHP information
        phpinfo();
        ?>
      7. Go to the IP address of the server you just created and type
        HTTP://IP ADDRESS/test.php
        

        If you see a PHP page with all sorts of data, you’re good. If not, go fix. Don’t ask me, I’m not there yet!

Loading

Adding and removing a user in PLIK

ADD A USER
Open the UNraid console and enter

./plikd --config ./plikd.cfg user create --login USERNAME --name Admin --admin

The result should be as follows:

Generated password for user controller is yH7ggwod473A3xM5BdI8wEz2FM7bcqF1

REMOVE A USER

Find the user:

./plikd user list

You should see:

local:USERNAME Admin

To remove user, enter:

./plikd --config ./plikd.cfg user delete --login USERNAME Admin

Loading

Keeping your data while restarting Joomla Docker in unRAID

Finally, there is an official Joomla (4.x) Docker made for unRAID. But it is not done well. As in, you will lose all your settings and data when you restart your docker. So you need to copy the data outside the docker into the appdata folder. (Or wherever you want it)

Inside the docker image, the Joomla folder resides here:

/var/www/html/

And this is the folder you need to make “external” by adding a path to the edit/install panel.

  1. Give it a name at “Name:”
  2. Enter the following line to “Container Path:”
    /var/www/html
  3. Enter the following line to “Host Path:”
    /mnt/user/appdata/joomla-data/

Done.

Loading

New FTP user for unRAID

  1. Install ProFTPd by SirG
  2. Create folder where the FTP user should have FULL access to
  3. Go to USERS tab
  4. Click ADD USER
  5. Create username
  6. Create password
  7. In the DESCRIPTION field enterftpuser [PATH WITH LEADING SLASH]
    So for example:
    ftpuser /mnt/usr/myfolder
  8. Click ADD
  9. Go to SETTINGS tab
  10. Click ProFTPd
  11. At “Enable ProFTPd:” select YES (*)
  12. Click APPLY
  13. Service should be running. If not, start service
  14. DONE

(*) In case you already have the service running, click RESTART to activate the new user.

The server can now be accessed by SFTP and port 22.

Loading

IMAPSYNC for Debian 9 installation

  1. apt-get update
  2. apt-get upgrade
  3. apt-get install git libjson-webtoken-perl libauthen-ntlm-perl libcgi-pm-perl libcrypt-openssl-rsa-perl libdata-uniqid-perl libfile-copy-recursive-perl libio-socket-inet6-perl libio-socket-ssl-perl libio-tee-perl libhtml-parser-perl libjson-webtoken-perl libmail-imapclient-perl libparse-recdescent-perl libmodule-scandeps-perl libreadonly-perl libregexp-common-perl libsys-meminfo-perl libterm-readkey-perl libtest-mockobject-perl libtest-pod-perl libunicode-string-perl liburi-perl libwww-perl libtest-nowarnings-perl libtest-deep-perl libtest-warn-perl make cpanminus
  4. cd /home
  5. git clone https://github.com/imapsync/imapsync.git
  6. cd imapsync
  7. chmod +x imapsync
  8. Test it by typing
    ./imapsync
  9. You may need to install some extras by entering
    cpanm File::Tail
  10. cp imapsync /usr/bin/

Done!

Item 10 is to make sure you can use this command anywhere on the server. Have fun!

Loading

Set up Catch-All in Virtualmin

  1. Go to your control panel
  2. Choose your virtual server by selecting the desired domain in the pulldown menu.
  3. Click Edit Mail Aliases
  4. Select All Users
  5. Choose the way you wish to have it delivered

I, for example, want to have it delivered to a gmail box, so i do the following:

  1. Select “Yes, forward to addresses”
  2. Enter off-site email address in the field with the title: “Forward to other address?”

Click Save and you’re set.

Loading