summaryrefslogtreecommitdiff
path: root/create-webfedora.sh
diff options
context:
space:
mode:
Diffstat (limited to 'create-webfedora.sh')
-rwxr-xr-xcreate-webfedora.sh179
1 files changed, 179 insertions, 0 deletions
diff --git a/create-webfedora.sh b/create-webfedora.sh
new file mode 100755
index 0000000..330d880
--- /dev/null
+++ b/create-webfedora.sh
@@ -0,0 +1,179 @@
+#!/bin/sh
+
+version=${2:-39}
+name=${1:-fw${version}}
+webroot=${3:-${PWD}}
+installroot=${4:-/var/lib/machines/${name}}
+
+dnf="dnf --installroot=${installroot} --setopt=cachedir=/var/cache/dnf --releasever=${version} --repo=fedora --repo=updates --setopt=install_weak_deps=False --setopt=keepcache=True"
+
+packages=(
+ passwd
+ fedora-release
+ vim-minimal
+ util-linux
+ systemd
+ httpd
+ mod_ssl
+ mariadb
+ mariadb-server
+ php-fpm
+ php-cli
+ php-common
+ php-gd
+ php-intl
+ php-mbstring
+ php-mysqlnd
+ php-opcache
+ php-pdo
+ php-pecl-apcu
+ php-pecl-zip
+ php-process
+ php-soap
+ php-sodium
+ php-xml
+ GraphicsMagick
+)
+
+if [ "$version" -le "31" ]; then
+ echo "Fedora <= v31 is not supported"
+ exit;
+fi
+
+if [ "$version" -ge "33" ]; then
+ packages+=( "systemd-networkd" )
+fi
+
+if [ "$version" -ge "35" ]; then
+ packages+=( "systemd-resolved" )
+fi
+
+sudo machinectl stop $name &>/dev/null && sleep 2
+
+sudo $dnf -y install ${packages[*]}
+
+sudo mkdir -p /etc/systemd/nspawn
+echo -ne "[Exec]\nNotifyReady=on\n" | sudo tee /etc/systemd/nspawn/${name}.nspawn > /dev/null
+echo -ne "[Files]\nBind=${webroot}:/var/www/html:owneridmap\n" | sudo tee -a /etc/systemd/nspawn/${name}.nspawn > /dev/null
+
+tmpdir=$(mktemp -d "/tmp/${name}-keys.XXX")
+
+mkcert -key-file "$tmpdir/key.pem" -cert-file "$tmpdir/cert.pem" ${name}
+
+sudo chown root:root "$tmpdir/key.pem" "$tmpdir/cert.pem"
+sudo mv "$tmpdir/key.pem" "$installroot/etc/pki/tls/private/mkcert-key.pem"
+sudo mv "$tmpdir/cert.pem" "$installroot/etc/pki/tls/certs/mkcert-cert.pem"
+
+sudo chown 48:48 "$installroot/var/www/html"
+
+sudo tee "$installroot/etc/httpd/conf.d/ssl.conf" >/dev/null <<\EOF
+Listen 443
+<VirtualHost _default_:443>
+SSLEngine on
+SSLCertificateKeyFile /etc/pki/tls/private/mkcert-key.pem
+SSLCertificateFile /etc/pki/tls/certs/mkcert-cert.pem
+</VirtualHost>
+EOF
+
+sudo tee "$installroot/etc/httpd/conf.d/webroot.conf" >/dev/null <<\EOF
+<Directory "/var/www/html">
+ Options FollowSymLinks
+ AllowOverride All
+ Require all granted
+</Directory>
+EOF
+
+sudo machinectl start $name
+sudo systemctl -M $name enable systemd-networkd httpd
+sudo systemctl -M $name start systemd-networkd
+sudo systemctl -M $name start httpd
+
+sudo systemctl -M $name start mariadb
+
+sudo mkdir -p $installroot/root
+#Enter current password for root (enter for none):
+#Switch to unix_socket authentication y
+#Change the root password? n
+#Remove anonymous users? y
+#Disallow root login remotely? y
+#Remove test database and access to it? y
+#Reload privilege tables now? y
+sudo tee "$installroot/root/setup.sh" >/dev/null <<\EOF
+#!/bin/sh
+ROOT_SQLPASS=$(tr -dc _A-Za-z0-9 < /dev/urandom | head -c16) # Generate a random password
+DB_NAME="web"
+DB_USER="web"
+DB_PASS=$(tr -dc _A-Za-z0-9 < /dev/urandom | head -c16)
+DB_HOST="localhost"
+
+
+cat >/etc/my.cnf.d/charset.cnf <<EOB
+[mysqld]
+character-set-server = utf8mb4
+
+[client]
+default-character-set = utf8mb4
+EOB
+
+systemctl restart mariadb
+
+bash -c "echo -e '\ny\nn\ny\ny\ny\ny\n' | mysql_secure_installation"
+mysql -Bse "UPDATE mysql.global_priv SET priv=json_set(priv, '$.plugin', 'mysql_native_password', '$.authentication_string', PASSWORD('${ROOT_SQLPASS}')) WHERE User='root'; FLUSH PRIVILEGES;"
+echo -e "[client]\nuser=root\npassword=${ROOT_SQLPASS}" > /root/.my.cnf
+
+
+# TODO
+#GRANT SELECT,INSERT,UPDATE,DELETE,CREATE,DROP,ALTER,CREATE TEMPORARY TABLES
+
+mysql <<EOB
+CREATE DATABASE $DB_NAME;
+GRANT ALL PRIVILEGES
+ON $DB_NAME.*
+TO $DB_USER@$DB_HOST
+IDENTIFIED BY '$DB_PASS';
+FLUSH PRIVILEGES;
+EOB
+
+MY_CNF=/usr/share/httpd/.my.cnf
+cat >$MY_CNF << EOB
+[client]
+user=$DB_USER
+password=$DB_PASS
+host=$DB_HOST
+
+[mysql]
+database=$DB_NAME
+EOB
+chmod 600 $MY_CNF
+chown apache:apache $MY_CNF
+
+#sed -i -e 's/^#*max_allowed_packet.*/max_allowed_packet=1G/' /etc/mysql/mariadb.conf.d/50-server.cnf
+systemctl restart mariadb
+
+sed -i \
+ -e 's/^;*date.timezone *=.*/date.timezone = Europe\/Berlin/' \
+ -e 's/^;*max_input_vars *=.*/max_input_vars = 3000/' \
+ -e 's/^;*max_execution_time *=.*/max_execution_time = 240/' \
+ -e 's/^;*memory_limit *=.*/memory_limit = 384M/' \
+ -e 's/^;*post_max_size *=.*/post_max_size = 128M/' \
+ -e 's/^;*upload_max_filesize *=.*/upload_max_filesize = 128M/' \
+ -e 's/^;*opcache.enable_cli *=.*/opcache.enable_cli = 1/' \
+ /etc/php.ini
+systemctl restart php-fpm
+
+sed -i -e '/^apache:/s/sbin\/nologin/bin\/bash/' /etc/passwd
+
+
+EOF
+sudo chmod +x "$installroot/root/setup.sh"
+
+sudo machinectl shell $name /root/setup.sh
+
+# needs mymachines in /etc/nsswitch.conf "hosts:" line
+xdg-open "https://${name}"
+
+rm -fr "$tmpdir"
+
+#sudo $dnf clean all
+
+sudo du -hs "$installroot"
generated by cgit (git 2.34.1) at 2024-11-21 15:12:29 +0000