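#!/bin/bash
#
# create-webfedora.sh — build a Fedora systemd-nspawn container that serves a
# host directory over https (httpd + mod_ssl + php-fpm) with a local MariaDB,
# for web development on this machine.
#
# Usage: create-webfedora.sh [NAME] [VERSION] [WEBROOT] [INSTALLROOT]
#   NAME         machine name, also the https hostname     (default: fw<VERSION>)
#   VERSION      Fedora release to install, must be >= 32  (default: 39)
#   WEBROOT      host directory bind-mounted as the
#                container's /var/www/html                 (default: $PWD)
#   INSTALLROOT  where the container root filesystem is
#                created on the host                       (default: /var/lib/machines/<NAME>)
#
# Host requirements: sudo, dnf, systemd-nspawn/machinectl, mkcert with its CA
# already installed (`mkcert -install`), and "mymachines" on the hosts: line
# of /etc/nsswitch.conf so that https://<NAME> resolves.
#
# This is a throwaway development environment. Several settings below
# (AllowOverride All on the bind-mounted webroot, 128M uploads, a login shell
# for the apache user) are deliberately permissive and must not be copied to
# anything internet-facing.
#
# Bash is required: the script uses arrays, `+=( )` and `&>`.

set -euo pipefail

# Print an error to stderr and abort with a non-zero status.
die() {
	printf 'create-webfedora: %s\n' "$*" >&2
	exit 1
}

version=${2:-39}
name=${1:-fw${version}}
webroot=${3:-${PWD}}
installroot=${4:-/var/lib/machines/${name}}

# --- argument validation ---------------------------------------------------

case "$version" in
	'' | *[!0-9]*) die "VERSION must be a Fedora release number, got '${version}'" ;;
esac
if [ "$version" -le 31 ]; then
	die "Fedora <= 31 is not supported"
fi

# Bind= in the .nspawn unit written below only accepts absolute host paths.
case "$webroot" in
	/*) ;;
	*) die "WEBROOT must be an absolute path, got '${webroot}'" ;;
esac
[ -d "$webroot" ] || die "WEBROOT '${webroot}' is not a directory"

command -v mkcert >/dev/null 2>&1 \
	|| die "mkcert is not installed on the host (needed for the https certificate)"

# --- package installation --------------------------------------------------

# dnf runs against $installroot; the host's package cache is shared and kept
# so that re-runs (or a second container) do not download everything again.
dnf=(
	dnf
	"--installroot=${installroot}"
	--setopt=cachedir=/var/cache/dnf
	"--releasever=${version}"
	--repo=fedora
	--repo=updates
	--setopt=install_weak_deps=False
	--setopt=keepcache=True
)

packages=(
	passwd
	fedora-release
	vim-minimal
	util-linux
	systemd
	httpd
	mod_ssl
	mariadb
	mariadb-server
	php-fpm
	php-cli
	php-common
	php-gd
	php-intl
	php-mbstring
	php-mysqlnd
	php-opcache
	php-pdo
	php-pecl-apcu
	php-pecl-zip
	php-process
	php-soap
	php-sodium
	php-xml
	GraphicsMagick
)

# Presumably networkd/resolved became separate subpackages in these releases
# (TODO confirm); systemd-networkd is enabled below regardless of version.
if [ "$version" -ge 33 ]; then
	packages+=( systemd-networkd )
fi
if [ "$version" -ge 35 ]; then
	packages+=( systemd-resolved )
fi

# A container of this name may still be running from an earlier run; give it
# a moment to shut down before dnf writes into its root.
if sudo machinectl stop "$name" &>/dev/null; then
	sleep 2
fi

sudo "${dnf[@]}" -y install "${packages[@]}"

# --- nspawn unit -----------------------------------------------------------

# NotifyReady=on: nspawn waits for the container's init to report readiness.
# owneridmap: the host owner of $webroot is mapped onto the owner of the mount
# point inside the container (see systemd.nspawn(5)), which is why
# /var/www/html is chowned to apache below.
sudo mkdir -p /etc/systemd/nspawn
sudo tee "/etc/systemd/nspawn/${name}.nspawn" >/dev/null <<EOF
[Exec]
NotifyReady=on

[Files]
Bind=${webroot}:/var/www/html:owneridmap
EOF

# --- https certificate -----------------------------------------------------

# mkcert writes the key pair as the invoking user. Keep it in a private temp
# directory (mktemp -d creates it 0700) that is removed on every exit path;
# by then the key has been copied into the container root.
tmpdir=$(mktemp -d "${TMPDIR:-/tmp}/${name}-keys.XXXXXXXX")
trap 'rm -rf -- "$tmpdir"' EXIT

mkcert -key-file "$tmpdir/key.pem" -cert-file "$tmpdir/cert.pem" "$name"

# install(1) sets owner and mode on the destination in one step, so the
# private key never sits in the container root with a permissive mode,
# whatever mode mkcert happened to create it with.
sudo install -D -m 0600 -o root -g root "$tmpdir/key.pem" \
	"$installroot/etc/pki/tls/private/mkcert-key.pem"
sudo install -D -m 0644 -o root -g root "$tmpdir/cert.pem" \
	"$installroot/etc/pki/tls/certs/mkcert-cert.pem"

# Hand the bind-mount target to the apache user (see owneridmap above).
# Resolve uid:gid from the freshly installed /etc/passwd instead of trusting
# the conventional 48:48, which is only used as a fallback.
apache_ids=$(sudo awk -F: '$1 == "apache" { print $3 ":" $4; exit }' \
	"$installroot/etc/passwd")
sudo chown "${apache_ids:-48:48}" "$installroot/var/www/html"

# --- httpd configuration ---------------------------------------------------

# Replaces mod_ssl's packaged ssl.conf wholesale: only this vhost and the
# mkcert key pair are configured here, everything else is mod_ssl's default.
sudo tee "$installroot/etc/httpd/conf.d/ssl.conf" >/dev/null <<'EOF'
Listen 443
<VirtualHost _default_:443>
SSLEngine on
SSLCertificateKeyFile /etc/pki/tls/private/mkcert-key.pem
SSLCertificateFile /etc/pki/tls/certs/mkcert-cert.pem
</VirtualHost>
EOF

# Development-only access rules for the bind-mounted host directory:
# .htaccess files are honoured (AllowOverride All) and symlinks are followed,
# which means whatever the host directory contains is served as-is.
sudo tee "$installroot/etc/httpd/conf.d/webroot.conf" >/dev/null <<'EOF'
<Directory "/var/www/html">
  Options FollowSymLinks
  AllowOverride All
  Require all granted
</Directory>
EOF

# --- first boot ------------------------------------------------------------

sudo machinectl start "$name"
# Enable everything that has to come back after a container stop/start:
# mariadb and php-fpm are (re)started by setup.sh below but would otherwise
# stay disabled.
sudo systemctl -M "$name" enable systemd-networkd httpd mariadb php-fpm
sudo systemctl -M "$name" start systemd-networkd
sudo systemctl -M "$name" start httpd
sudo systemctl -M "$name" start mariadb

# --- in-container setup script --------------------------------------------

# The heredoc delimiter is quoted: nothing below is expanded on the host, the
# script is executed inside the container as root.
sudo mkdir -p "$installroot/root"
sudo tee "$installroot/root/setup.sh" >/dev/null <<'EOF'
#!/bin/bash
#
# One-shot MariaDB/PHP setup, run inside the container by create-webfedora.sh
# right after first boot. Writes /root/.setup-done as its last step so the
# host side can tell whether it ran to completion.
#
# No pipefail on purpose: gen_password relies on head(1) closing the pipe
# early, which pipefail would report as a failure.
set -eu

# 16 characters drawn from [_A-Za-z0-9] only — no quotes or backslashes —
# so the result can be interpolated into the SQL and config files below.
gen_password() {
	tr -dc _A-Za-z0-9 < /dev/urandom | head -c16
}

ROOT_SQLPASS=$(gen_password)
DB_NAME="web"
DB_USER="web"
DB_PASS=$(gen_password)
DB_HOST="localhost"

cat >/etc/my.cnf.d/charset.cnf <<EOB
[mysqld]
character-set-server = utf8mb4

[client]
default-character-set = utf8mb4
EOB

systemctl restart mariadb

# Answers, in prompt order, for mysql_secure_installation:
#   Enter current password for root:       (none)
#   Switch to unix_socket authentication:  y
#   Change the root password:              n   (set explicitly below)
#   Remove anonymous users:                y
#   Disallow root login remotely:          y
#   Remove test database and access to it: y
#   Reload privilege tables now:           y
printf '\ny\nn\ny\ny\ny\ny\n' | mysql_secure_installation

# Switch root from the unix_socket plugin just selected to a real password.
# The statement is fed on stdin rather than as a -e argument so the password
# does not appear in the process list.
mysql -Bs <<EOB
UPDATE mysql.global_priv
   SET priv = json_set(priv, '\$.plugin', 'mysql_native_password',
                             '\$.authentication_string', PASSWORD('${ROOT_SQLPASS}'))
 WHERE User = 'root';
FLUSH PRIVILEGES;
EOB

# Root credentials for the mysql client (every mysql call below relies on
# this). Create the file 0600 before writing the password into it.
install -m 0600 /dev/null /root/.my.cnf
cat >/root/.my.cnf <<EOB
[client]
user=root
password=${ROOT_SQLPASS}
EOB

# TODO(review): narrow this to what the application needs, e.g.
# GRANT SELECT,INSERT,UPDATE,DELETE,CREATE,DROP,ALTER,CREATE TEMPORARY TABLES
mysql <<EOB
CREATE DATABASE $DB_NAME;
GRANT ALL PRIVILEGES
ON $DB_NAME.*
TO $DB_USER@$DB_HOST
IDENTIFIED BY '$DB_PASS';
FLUSH PRIVILEGES;
EOB

# Client defaults for the web user. /usr/share/httpd is presumably the apache
# user's home directory, where the mysql client looks for .my.cnf — confirm.
MY_CNF=/usr/share/httpd/.my.cnf
install -m 0600 -o apache -g apache /dev/null "$MY_CNF"
cat >"$MY_CNF" <<EOB
[client]
user=$DB_USER
password=$DB_PASS
host=$DB_HOST

[mysql]
database=$DB_NAME
EOB

# Debian path kept for reference; on Fedora a server override would go into
# /etc/my.cnf.d/ like charset.cnf above.
#sed -i -e 's/^#*max_allowed_packet.*/max_allowed_packet=1G/' /etc/mysql/mariadb.conf.d/50-server.cnf
systemctl restart mariadb

# Loosen PHP limits for development (timezone is hard-coded to Europe/Berlin).
sed -i \
  -e 's/^;*date.timezone *=.*/date.timezone = Europe\/Berlin/' \
  -e 's/^;*max_input_vars *=.*/max_input_vars = 3000/' \
  -e 's/^;*max_execution_time *=.*/max_execution_time = 240/' \
  -e 's/^;*memory_limit *=.*/memory_limit = 384M/' \
  -e 's/^;*post_max_size *=.*/post_max_size = 128M/' \
  -e 's/^;*upload_max_filesize *=.*/upload_max_filesize = 128M/' \
  -e 's/^;*opcache.enable_cli *=.*/opcache.enable_cli = 1/' \
  /etc/php.ini
systemctl restart php-fpm

# Give the apache service account a login shell, presumably so commands can
# be run as the web user via `machinectl shell --uid=apache`. This drops the
# nologin hardening of a service account — acceptable only in this throwaway
# dev container.
sed -i -e '/^apache:/s|/sbin/nologin|/bin/bash|' /etc/passwd

touch /root/.setup-done
EOF
sudo chmod +x "$installroot/root/setup.sh"

# machinectl shell's own exit status may not reflect setup.sh's (depends on
# the systemd version), so check the marker setup.sh writes as its last step.
sudo rm -f "$installroot/root/.setup-done"
sudo machinectl shell "$name" /root/setup.sh || true
sudo test -e "$installroot/root/.setup-done" \
	|| die "setup.sh did not run to completion inside ${name}; see its output above"

# needs mymachines in /etc/nsswitch.conf "hosts:" line
# Opening a browser is best effort (headless hosts, no xdg-open).
if ! xdg-open "https://${name}" 2>/dev/null; then
	printf 'Site is ready: https://%s\n' "$name"
fi

# The temp key directory is removed by the EXIT trap.

# sudo "${dnf[@]}" clean all

sudo du -hs "$installroot"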