
@antixrist
Forked from Realetive/secure_install.sh
Created May 29, 2014 16:56
#!/bin/bash
##############
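# Interactive prompts. The values entered here are later interpolated into
# file paths, an nginx vhost, a PHP-FPM pool, SQL statements and XML, so the
# username and domain are restricted to conservative character sets before
# anything else in the script touches them.
cat <<'BANNER'

//////////////////////////////////////
// //
// Welcome to MODx autoinstaller. //
// //
//////////////////////////////////////
Enter MySQL root password
BANNER
# -s keeps the password off the terminal (and out of scrollback);
# IFS= and -r keep leading/trailing blanks and backslashes intact.
IFS= read -rs ROOTPASS
echo
echo "Enter username for site and database"
read -r USERNAME
echo "Enter domain"
read -r DOMAIN

# Lowercase letters, digits and underscore only: the same string is used as a
# system account name, a database name and part of several file names.
username_re='^[a-z_][a-z0-9_]{0,31}$'
# Letters, digits, dots and hyphens, starting and ending with a letter/digit.
domain_re='^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$'
if [[ ! $USERNAME =~ $username_re ]]; then
  echo "Invalid username: use lowercase letters, digits and underscores (max 32 chars)" >&2
  exit 1
fi
if [[ ! $DOMAIN =~ $domain_re ]]; then
  echo "Invalid domain: use letters, digits, dots and hyphens only" >&2
  exit 1
fi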
##############
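# Timezone written into the PHP-FPM pool configuration.
TIMEZONE='Europe/Moscow'

#######################################
# Print random characters read from /dev/urandom.
# Arguments: $1 - number of characters to print
#            $2 - tr(1) set of characters to keep
# Outputs:   the token on stdout, without a trailing newline
#######################################
_rand_token() {
  # LC_ALL=C makes tr treat the input as raw bytes; under a multibyte locale
  # some tr implementations reject random bytes as invalid sequences.
  LC_ALL=C tr -dc "$2" < /dev/urandom | head -c "$1"
}

# 12 characters from a 64-symbol alphabet (letters, digits, '_' and '-').
MYSQLPASS=$(_rand_token 12 'A-Za-z0-9_-')
SFTPPASS=$(_rand_token 12 'A-Za-z0-9_-')
PASSWORD=$(_rand_token 12 'A-Za-z0-9_-')
# 4-character suffixes used to rename the core/manager/connectors directories
# and the config key. With a 38-symbol alphabet that is roughly two million
# combinations: enough to dodge scanners probing default paths, but it is
# obscurity only and does not replace authentication on the manager.
POSTFIXCORE=$(_rand_token 4 'a-z0-9_-')
POSTFIXMANAGER=$(_rand_token 4 'a-z0-9_-')
POSTFIXCONNECTORS=$(_rand_token 4 'a-z0-9_-')
CONFIGKEY=$(_rand_token 4 'a-z0-9_-')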
##############
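echo "Creating user and home directory…"
# Create the site account: home under /var/www, member of the sftp and mail
# groups, and /bin/false as shell so the account cannot open an interactive
# session. Options come first and "--" ends option parsing, so the name can
# never be read as a flag.
if ! useradd -m -G sftp,mail -s "/bin/false" -d "/var/www/${USERNAME}" -- "$USERNAME"; then
  echo "Can't add user" >&2
  exit 1
fi
# passwd asks for the password twice. Feed both lines through a pipe from the
# printf builtin: the secret never appears in a process argument list and no
# plaintext copy is written to a file in the current directory.
printf '%s\n%s\n' "$SFTPPASS" "$SFTPPASS" | passwd "$USERNAME"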
##############
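# Lay out the site tree. ${USERNAME:?} aborts the script when the name is
# empty; without it the recursive chmod/chown below would run on /var/www/.
site_home="/var/www/${USERNAME:?USERNAME must be set}"
mkdir "${site_home}/www"   # document root served by nginx
mkdir "${site_home}/tmp"   # PHP upload / cache scratch directory
chmod -R 755 "${site_home}/"
chown -R "${USERNAME}:${USERNAME}" "${site_home}/"
# The top-level directory itself goes back to root while its children stay
# with the site user (presumably required by a chrooted SFTP setup; confirm
# against the sshd configuration).
chown root:root "${site_home}"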
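echo "Creating vhost file"
# Write the nginx virtual host for this site and enable it.
#
# The here-document expands shell variables, so every "$" that belongs to
# nginx (regex anchors, $host, $uri, $1 ...) is written as "\$". The earlier
# version left one "$1" unescaped inside the /index.html rewrite, which the
# shell replaced with the script's first argument (normally empty) and so
# produced a broken rewrite target.
#
# NOTE(review): the vhost listens on plain HTTP only, so the MODX manager
# login is sent unencrypted. Add a TLS server block before exposing the
# manager beyond a trusted network.
# NOTE(review): $DOMAIN is copied verbatim into the configuration; it must be
# a plain host name (no spaces, quotes, braces or semicolons).
vhost_name="${USERNAME:?USERNAME must be set}.conf"
cat > "/etc/nginx/sites-available/${vhost_name}" <<EOF
upstream backend-$USERNAME {server unix:/var/run/php5-$USERNAME.sock;}
server {
listen 80;
server_name $DOMAIN www.$DOMAIN;
root /var/www/$USERNAME/www;
access_log /var/log/nginx/$USERNAME-access.log;
error_log /var/log/nginx/$USERNAME-error.log;
index index.php index.html;
rewrite_log on;
if (\$host != '$DOMAIN' ) {
rewrite ^/(.*)\$ http://$DOMAIN/\$1 permanent;
}
location ~* ^/core/ {
deny all;
}
location /assets {
expires 1y;
add_header Cache-Control public,max-age=31536000;
gzip on;
gzip_min_length 1000;
gzip_comp_level 4;
gzip_static on;
gzip_proxied expired no-cache no-store private auth;
gzip_types text/plain text/css application/x-javascript;
gzip_vary on;
gzip_disable "msie6";
access_log off;
}
location / {
try_files \$uri \$uri/ @rewrite;
}
location /index.html {
rewrite / / permanent;
}
location ~ ^/(.*?)/index\.html\$ {
rewrite ^/(.*?)/ /\$1/ permanent;
}
location @rewrite {
rewrite ^/(.*)\$ /index.php?q=\$1;
}
location ~ \.php\$ {
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
fastcgi_pass backend-$USERNAME;
}
location ~* ^.+\.(jpg|jpeg|gif|css|png|js|ico|bmp)\$ {
access_log off;
expires 10d;
break;
}
location ~ /\.ht {
deny all;
}
}
EOF
ln -s "/etc/nginx/sites-available/${vhost_name}" "/etc/nginx/sites-enabled/${vhost_name}"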
##############
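echo "Creating php5-fpm config"
# Write a dedicated PHP-FPM pool that runs as the site user, confines PHP to
# the site directory with open_basedir and disables the process-spawning
# functions listed in disable_functions.
#
# NOTE(review): listen.mode = 0666 lets every local account connect to this
# pool's socket and have PHP code executed as $USERNAME. Mode 0660 together
# with listen.owner / listen.group set to the nginx worker account is the
# safer setting; the worker account is not visible in this script, so the
# value is left as it was.
pool_conf="/etc/php5/fpm/pool.d/${USERNAME:?USERNAME must be set}.conf"
cat > "$pool_conf" <<EOF
[$USERNAME]
listen = /var/run/php5-$USERNAME.sock
listen.mode = 0666
user = $USERNAME
group = $USERNAME
chdir = /var/www/$USERNAME
php_admin_value[upload_tmp_dir] = /var/www/$USERNAME/tmp
php_admin_value[soap.wsdl_cache_dir] = /var/www/$USERNAME/tmp
php_admin_value[memory_limit] = 128M
php_admin_value[upload_max_filesize] = 100M
php_admin_value[post_max_size] = 100M
php_admin_value[open_basedir] = /var/www/$USERNAME/
php_admin_value[disable_functions] = exec,passthru,shell_exec,system,proc_open,popen,curl_multi_exec,parse_ini_file,show_source,stream_socket_client,stream_set_write_buffer,stream_socket_sendto,highlight_file,com_load_typelib
php_admin_value[cgi.fix_pathinfo] = 0
php_admin_value[date.timezone] = $TIMEZONE
php_admin_value[session.gc_probability] = 1
php_admin_value[session.gc_divisor] = 100
pm = dynamic
pm.max_children = 10
pm.start_servers = 2
pm.min_spare_servers = 2
pm.max_spare_servers = 4

EOF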
##############
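echo "Reloading nginx"
# Validate the configuration before asking the running server to load it, so
# a bad generated vhost is reported here instead of the install carrying on
# for a site nginx cannot serve.
if ! nginx -t; then
  echo "nginx configuration test failed; fix the generated vhost and re-run" >&2
  exit 1
fi
service nginx reload
echo "Reloading php5-fpm"
service php5-fpm reload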
##############
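echo "Creating database"
# The account name becomes an SQL identifier and a quoted user name below, so
# refuse anything outside a conservative character set before building SQL.
db_name_re='^[a-z_][a-z0-9_]{0,31}$'
if [[ ! $USERNAME =~ $db_name_re ]]; then
  echo "Refusing to build SQL from unsafe name: use lowercase letters, digits and underscores" >&2
  exit 1
fi
# Identifier is backtick-quoted; the stray second ";" after COLLATE is gone.
Q1="CREATE DATABASE IF NOT EXISTS \`${USERNAME}\` DEFAULT CHARACTER SET utf8 COLLATE utf8_unicode_ci;"
# $MYSQLPASS is generated by this script from letters, digits, "_" and "-",
# so it cannot terminate the quoted string.
Q2="GRANT ALTER,DELETE,DROP,CREATE,INDEX,INSERT,SELECT,UPDATE,CREATE TEMPORARY TABLES,LOCK TABLES ON \`${USERNAME}\`.* TO '$USERNAME'@'localhost' IDENTIFIED BY '$MYSQLPASS';"
Q3="FLUSH PRIVILEGES;"
SQL="${Q1}${Q2}${Q3}"
# Keep both secrets out of the process argument list, which any local user can
# read with ps: the root password travels in the client's environment and the
# statements (which contain the new database password) arrive on stdin.
# MYSQL_PWD is deprecated in newer MySQL releases; a root-only option file is
# the longer-term replacement.
printf '%s\n' "$SQL" | MYSQL_PWD="$ROOTPASS" mysql -uroot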
##############
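echo "Installing MODx"
# Everything below uses relative paths (clone into ./, rm -rf ./_build/, mv
# ./core/ ...), so stop if the web root cannot be entered instead of running
# those commands in whatever directory the script was started from.
cd "/var/www/${USERNAME:?USERNAME must be set}/www/" || {
  echo "Can't enter /var/www/${USERNAME}/www/" >&2
  exit 1
}
echo "Getting nightlies version from git…"
# NOTE(review): this fetches whatever the tip of master is at install time and
# the build script below executes it with this script's privileges (root is
# needed for the useradd/chown steps). Pin a reviewed release tag or commit
# for reproducible, auditable installs.
if ! git clone -b master https://github.com/modxcms/revolution.git ./; then
  echo "git clone failed" >&2
  exit 1
fi
echo "Move and rename core, rename manager's and connector's directories…"
echo "Create package…"
# Generate build.config.php (contains the database password; the whole _build
# directory is deleted again once the core package has been built).
cat > ./_build/build.config.php <<EOF
<?php
define('MODX_CORE_PATH', dirname(dirname(__FILE__)) . '/core/');
define('MODX_CONFIG_KEY', 'config-$CONFIGKEY');
define('XPDO_DSN', 'mysql:host=localhost;dbname=$USERNAME;charset=utf8');
define('XPDO_DB_USER', '$USERNAME');
define('XPDO_DB_PASS', '$MYSQLPASS');
define('XPDO_TABLE_PREFIX', 'modx_');

EOF
cp ./_build/build.sample.properties ./_build/build.properties.php
php ./_build/transport.core.php
rm -rf ./_build/
# core moves one level up, out of the document root; manager and connectors
# stay in the web root under randomised names.
mv ./core/ "../core-${POSTFIXCORE}/"
mv ./connectors/ "./connectors-${POSTFIXCONNECTORS}/"
mv ./manager/ "./manager-${POSTFIXMANAGER}/"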
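# Generate config.xml, the answer file for the MODX command-line installer.
# It holds the database and manager passwords in clear text, so it is created
# under umask 077 and forced to mode 600 (the chmod also covers a file left
# over from an earlier run with wider permissions).
# NOTE(review): the file is not removed after setup; delete it once the
# install has been verified.
echo "Creating config.xml"
config_xml="/var/www/${USERNAME:?USERNAME must be set}/config.xml"
(
  umask 077
  cat > "$config_xml" <<EOF
<modx>
<database_type>mysql</database_type>
<database_server>localhost</database_server>
<database>$USERNAME</database>
<database_user>$USERNAME</database_user>
<database_password>$MYSQLPASS</database_password>
<database_connection_charset>utf8</database_connection_charset>
<database_charset>utf8</database_charset>
<database_collation>utf8_unicode_ci</database_collation>
<table_prefix>modx_</table_prefix>
<inplace>1</inplace>
<unpacked>1</unpacked>
<language>ru</language>
<cmsadmin>$USERNAME</cmsadmin>
<cmspassword>$PASSWORD</cmspassword>
<cmsadminemail>admin@$DOMAIN</cmsadminemail>
<remove_setup_directory>1</remove_setup_directory>
<context_mgr_path>/var/www/$USERNAME/www/manager-$POSTFIXMANAGER/</context_mgr_path>
<context_mgr_url>/manager-$POSTFIXMANAGER/</context_mgr_url>
<context_connectors_path>/var/www/$USERNAME/www/connectors-$POSTFIXCONNECTORS/</context_connectors_path>
<context_connectors_url>/connectors-$POSTFIXCONNECTORS/</context_connectors_url>
<context_web_path>/var/www/$USERNAME/www/</context_web_path>
<context_web_url>/</context_web_url>
<assets_path>/var/www/$USERNAME/www/assets/</assets_path>
<assets_url>/assets/</assets_url>
<core_path>/var/www/$USERNAME/core-$POSTFIXCORE/</core_path>
<processors_path>/var/www/$USERNAME/core-$POSTFIXCORE/model/modx/processors/</processors_path>
<https_port>443</https_port>
<http_host>$DOMAIN</http_host>
<cache_disabled>0</cache_disabled>
</modx>
EOF
)
chmod 600 "$config_xml"
#############
# Run the installer non-interactively; ./setup is relative to the web root the
# script changed into earlier.
php ./setup/index.php --installmode=new --core_path="/var/www/${USERNAME}/core-${POSTFIXCORE}/" --config="$config_xml"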
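# Hand the installed tree to the site user and normalise permissions:
# directories 0755, regular files 0644. The :? guards abort the script if a
# variable is empty, so the recursive commands can never be pointed at a
# shorter path than intended.
web_root="/var/www/${USERNAME:?USERNAME must be set}/www"
core_dir="/var/www/${USERNAME}/core-${POSTFIXCORE:?POSTFIXCORE must be set}"
echo "Set permissions for /var/www/$USERNAME/www and core…
CHOWN files…"
chown -R "${USERNAME}:${USERNAME}" "$web_root"
chown -R "${USERNAME}:${USERNAME}" "$core_dir"
echo "CHMOD 755 for directories…"
find "$web_root" -type d -exec chmod 0755 {} +
find "$core_dir" -type d -exec chmod 0755 {} +
echo "CHMOD 644 for files..."
find "$web_root" -type f -exec chmod 0644 {} +
find "$core_dir" -type f -exec chmod 0644 {} +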
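# Save the generated credentials and show them to the operator once.
# The file lists every password of the new site in clear text, so it is
# created under umask 077 and forced to mode 600; with the default umask it
# would be readable by every local account.
# NOTE(review): copy the values into a password manager and delete the file;
# leaving it on disk keeps all of the site's secrets in one place.
pass_file="/var/www/${USERNAME:?USERNAME must be set}/pass.txt"
(
  umask 077
  cat > "$pass_file" <<EOF
Done. Please visit http://$DOMAIN/manager-$POSTFIXMANAGER/ to login.
Manager user: $USERNAME
Manager password: $PASSWORD
SFTP password: $SFTPPASS
Mysql password: $MYSQLPASS
======================
Core postfix: $POSTFIXCORE
Manager postfix: $POSTFIXMANAGER
Connectors postfix: $POSTFIXCONNECTORS
Congig key: config-$CONFIGKEY
EOF
)
chmod 600 "$pass_file"
cat "$pass_file"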