Linode stackscript - LEMP box

script.sh

#!/bin/bash
# This block defines the variables the user of the script needs to input
# when deploying using this script. 
# 
#<UDF name="HOSTNAME" label="The hostname for the new Linode">
#<UDF name="FQDN" label="The new Linode's Fully Qualified Domain Name">
#<UDF name="USER" label="Main (non-root) username">
#<UDF name="USER_PASS" label="Main (non-root) user's password">
#<UDF name="INSTALL_MYSQL" label="Install MySQL?" oneOf="Yes,No">
#<UDF name="MYSQL_ROOT_PW" label="MySQL root user password">
#<UDF name="MYSQL_USER" label="Other MySQL user (a database will also be created with this name)">
#<UDF name="MYSQL_USER_PW" label="Other MySQL user's password">
#<UDF name="INSTALL_NODE" label="Install Node, Grunt and Bower?" oneOf="Yes,No">
#<UDF name="INSTALL_ENVOY" label="Install Laravel's Envoy?" oneOf="Yes,No">
#<UDF name="PHP_MEMORY_LIMIT" label="PHP's memory limit (default 128M)" default="128">


# Include some helpful linode scripts.
source <ssinclude StackScriptID=1>
            
# This sets the variable $IPADDR to the IP address the new Linode receives. 
IPADDR=$(/sbin/ifconfig eth0 | awk '/inet / { print $2 }' | sed 's/addr://')
# -----------------------------------------------------------------------------
     
# Update System
# -----------------------------------------------------------------------------
system_update

# Install Some PPAs
# -----------------------------------------------------------------------------
sudo apt-get install -y software-properties-common
sudo apt-add-repository ppa:nginx/stable -y
sudo apt-add-repository ppa:rwky/redis -y
sudo apt-add-repository ppa:chris-lea/node.js -y
sudo apt-add-repository ppa:ondrej/php5 -y

# Update package list
# -----------------------------------------------------------------------------
sudo apt-get update 

# Add main user
# -----------------------------------------------------------------------------
sudo apt-get install -y sudo
sudo adduser $USER --gecos "" --disabled-password --force-badname
echo "$USER:$USER_PASS" | sudo chpasswd
sudo usermod -aG sudo $USER

# Set the hostname
# -----------------------------------------------------------------------------
echo $HOSTNAME > /etc/hostname 
hostname -F /etc/hostname   

# Set Fully Qualified Domain Name (FQDN) in the hosts file
# -----------------------------------------------------------------------------
echo $IPADDR $FQDN $HOSTNAME >> /etc/hosts

# Install Some Basic Packages
# -----------------------------------------------------------------------------
sudo apt-get install -y build-essential curl dos2unix gcc git libmcrypt4 libpcre3-dev \
make python2.7-dev python-pip re2c supervisor unattended-upgrades whois vim

# Install A Few Helpful Python Packages
# -----------------------------------------------------------------------------
sudo pip install httpie
sudo pip install fabric
sudo pip install python-simple-hipchat

# Set Timezone
# -----------------------------------------------------------------------------
sudo ln -sf /usr/share/zoneinfo/UTC /etc/localtime 

# Install PHP / Extensions
# -----------------------------------------------------------------------------
sudo apt-get install -y php5-cli php5-dev php-pear \
php5-mysqlnd php5-pgsql php5-sqlite \
php5-apcu php5-json php5-curl php5-gd \
php5-gmp php5-imap php5-mcrypt php5-xdebug \
php5-memcached php5-redis --force-yes

# Make MCrypt Available
sudo ln -s /etc/php5/conf.d/mcrypt.ini /etc/php5/mods-available
sudo php5enmod mcrypt

# Install Mailparse PECL Extension
sudo pecl install mailparse || true
sudo echo "extension=mailparse.so" > /etc/php5/mods-available/mailparse.ini
sudo ln -s /etc/php5/mods-available/mailparse.ini /etc/php5/cli/conf.d/20-mailparse.ini

# Install Composer
# -----------------------------------------------------------------------------
curl -sS https://getcomposer.org/installer | php
mv composer.phar /usr/local/bin/composer

# Add Composer Global Bin To Path
printf "\nPATH=\"home/$USER/.composer/vendor/bin:\$PATH\"\n" | tee -a /home/$USER/.profile

# Install Laravel Envoy
# -----------------------------------------------------------------------------
if [ "$INSTALL_ENVOY" == "Yes" ]
then
    sudo su $USER << 'EOF'
    /usr/local/bin/composer global require "laravel/envoy=~1.0"
EOF
fi

# Set Some PHP CLI Settings
# -----------------------------------------------------------------------------
sudo sed -i "s/error_reporting = .*/error_reporting = E_ALL/" /etc/php5/cli/php.ini
sudo sed -i "s/display_errors = .*/display_errors = On/" /etc/php5/cli/php.ini
sudo sed -i "s/memory_limit = .*/memory_limit = ${PHP_MEMORY_LIMIT}M/" /etc/php5/cli/php.ini
sudo sed -i "s/;date.timezone.*/date.timezone = UTC/" /etc/php5/cli/php.ini

# Install Nginx & PHP-FPM
# -----------------------------------------------------------------------------
sudo apt-get -y --force-yes install nginx php5-fpm
sudo rm /etc/nginx/sites-enabled/default
sudo rm /etc/nginx/sites-available/default
sudo service nginx restart

# Setup Some PHP-FPM Options
sudo ln -s /etc/php5/mods-available/mailparse.ini /etc/php5/fpm/conf.d/20-mailparse.ini
sudo sed -i "s/error_reporting = .*/error_reporting = E_ALL|E_COMPILE_ERROR|E_RECOVERABLE_ERROR|E_ERROR|E_CORE_ERROR/" /etc/php5/fpm/php.ini
sudo sed -i "s/display_errors = .*/display_errors = Off/" /etc/php5/fpm/php.ini
sudo sed -i "s/log_errors = .*/log_errors = On/" /etc/php5/fpm/php.ini
sudo sed -i "s/;cgi.fix_pathinfo=1/cgi.fix_pathinfo=0/" /etc/php5/fpm/php.ini
sudo sed -i "s/memory_limit = .*/memory_limit = ${PHP_MEMORY_LIMIT}M/" /etc/php5/fpm/php.ini
sudo sed -i "s/;date.timezone.*/date.timezone = UTC/" /etc/php5/fpm/php.ini

# Set The Nginx & PHP-FPM User
sudo sed -i "s/user www-data;/user $USER;/" /etc/nginx/nginx.conf
sudo sed -i "s/# server_names_hash_bucket_size.*/server_names_hash_bucket_size 64;/" /etc/nginx/nginx.conf
sudo sed -i "s/user = www-data/user = $USER/" /etc/php5/fpm/pool.d/www.conf
sudo sed -i "s/group = www-data/group = $USER/" /etc/php5/fpm/pool.d/www.conf
sudo sed -i "s/;listen\.owner.*/listen.owner = $USER/" /etc/php5/fpm/pool.d/www.conf
sudo sed -i "s/;listen\.group.*/listen.group = $USER/" /etc/php5/fpm/pool.d/www.conf
sudo sed -i "s/;listen\.mode.*/listen.mode = 0666/" /etc/php5/fpm/pool.d/www.conf

service nginx restart
service php5-fpm restart

# Add User To WWW-Data
# -----------------------------------------------------------------------------
usermod -a -G www-data $USER
id $USER
groups $USER

# Install Node and Grunt
# -----------------------------------------------------------------------------
if [ "$INSTALL_NODE" == "Yes" ]
then
    apt-get install -y nodejs
    npm install -g grunt-cli
    npm install -g bower
fi

# MySQL install and tune
# -----------------------------------------------------------------------------
if [ "$INSTALL_MYSQL" == "Yes" ] 
then
    mysql_install $MYSQL_ROOT_PW
    mysql_tune

    # Create mysql user 
    mysql_create_user $MYSQL_ROOT_PW $MYSQL_USER $MYSQL_USER_PW

    # Create database for the user
    mysql_create_database $MYSQL_ROOT_PW $MYSQL_USER

    # Grant / flush privileges
    mysql_grant_user $MYSQL_ROOT_PW $MYSQL_USER $MYSQL_USER

    service mysql restart
fi

# Install Redis, Memcached, Beanstalkd
# -----------------------------------------------------------------------------
apt-get install -y redis-server memcached beanstalkd

# Configure Beanstalkd
sudo sed -i "s/#START=yes/START=yes/" /etc/default/beanstalkd
sudo /etc/init.d/beanstalkd start

# IPtables firewall rules
# -----------------------------------------------------------------------------
cat > /etc/iptables.firewall.rules << EOF
*filter

#  Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT

#  Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#  Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

#  Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

#  Allow SSH connections
#
#  The -dport number should be the same port number you set in sshd_config
#
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

#  Allow ping
-A INPUT -p icmp -j ACCEPT

#  Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

#  Drop all other inbound - default deny unless explicitly allowed policy
-A INPUT -j DROP
-A FORWARD -j DROP

COMMIT
EOF

# now start the firewall 
sudo iptables-restore < /etc/iptables.firewall.rules

# and ensure it starts on boot
cat > /etc/network/if-pre-up.d/firewall << EOF
#!/bin/sh
/sbin/iptables-restore < /etc/iptables.firewall.rules
EOF

sudo chmod +x /etc/network/if-pre-up.d/firewall

# vim, less, colors, etc.. from linode
# -----------------------------------------------------------------------------
goodstuff

# Fail2Ban (prevents attacks by monitoring logfiles and temporarily blocking IP's after too many failed)
# -----------------------------------------------------------------------------
sudo apt-get install -y Fail2Ban

# Disable direct root login via SSH
# -----------------------------------------------------------------------------
sudo sed -i "s/PermitRootLogin yes/PermitRootLogin no/" /etc/ssh/sshd_config
sudo service ssh restart

# Copy some convenience files for working with nginx from laravel homestead
# -----------------------------------------------------------------------------
sudo wget -O /usr/share/serve.sh https://raw.githubusercontent.com/laravel/homestead/master/scripts/serve.sh
sudo chmod +x /usr/share/serve.sh

# create an alias for the serve command and a few others
# and ensure it starts on boot
cat >> /home/$USER/.bash_aliases << EOF
alias ..="cd .."
alias ...="cd ../.."

alias h='cd ~'
alias c='clear'

function serve() {
    if [[ "\$1" && "\$2" ]]
    then
        sudo dos2unix /usr/share/serve.sh
        sudo bash /usr/share/serve.sh "\$1" "\$2"
    else
        echo "Error: missing required parameters."
        echo "Usage: "
        echo "  serve domain path"
    fi
}
EOF