@vivianspencer
Last active January 16, 2024 14:59
Debian 11 LEMP

Debian 11 (bullseye) LEMP setup

Installs

  • MariaDB (latest stable version)
  • PHP 8.3
  • Nginx

  1. Install the components needed to begin this setup (run this step as root; sudo is not installed yet)

    apt update && apt dist-upgrade --show-upgraded
    apt -y install sudo curl git debsums zsh
    
  2. Create a user and add it to the sudo and www-data groups for system and web server (nginx) access

    adduser exampleuser
    usermod -a -G sudo,www-data exampleuser
    
  3. Switch to the newly created user, install Oh My Zsh over HTTPS and set zsh as the default shell

    su exampleuser
    cd ~
    curl -L https://install.ohmyz.sh | sh
    chsh -s /usr/bin/zsh
    mkdir .ssh
    
  4. Copy your public key from your desktop (run this on the desktop, replacing the address with the server's IP; the private key stays on the desktop)

    scp ~/.ssh/id_rsa.pub exampleuser@123.456.78.90:~/.ssh/authorized_keys
    
  5. Set restrictive permissions on the key directory and the authorized_keys file (sshd refuses keys in world-readable locations)

    chmod 700 .ssh
    chmod 600 .ssh/authorized_keys
    
  6. Create a new SSH key pair for the user and load it into the agent

    ssh-keygen -t rsa -C "info@example.com"
    eval "$(ssh-agent -s)"
    ssh-add ~/.ssh/id_rsa
    
  7. Harden SSH. Open /etc/ssh/sshd_config in your favourite editor and apply the following settings (key-only logins, no direct root login)

    PasswordAuthentication no
    PermitRootLogin no
    
  8. Restart SSH (keep your current session open in case something goes wrong, and confirm from a second session that key login for the new user still works)

    sudo service ssh restart
    
  9. If all is well, log out of root and log back in using the new user you've set up

  10. Set the hostname of the server

    sudo hostnamectl set-hostname johnsmith
    
  11. Make the hostname resolvable. Open the file /etc/hosts in your favourite editor and assign the IPv4 & IPv6 records of the server to your chosen hostname & FQDN. You'll need to reboot the server for these changes to take effect.

    127.0.0.1       localhost.localdomain   localhost
    12.34.56.78     johnsmith.example.com johnsmith 
    1234:5678::abcd:efgh:1234:5678      johnsmith.example.com johnsmith
    
  12. Set the system timezone

    sudo dpkg-reconfigure tzdata
    
  13. Install ufw firewall

    sudo apt install ufw
    
  14. Set up the default firewall rules, where port 22 is your SSH port and 15.15.15.51 is your static IP address (SSH is only reachable from that address; if your address is not static, this rule will lock you out)

    sudo ufw allow from 15.15.15.51 to any port 22
    sudo ufw allow http
    sudo ufw allow https
    sudo ufw enable
    
  15. Add the MariaDB repository (the setup script runs as root, so download and review it before piping it to bash)

    curl -sS https://downloads.mariadb.com/MariaDB/mariadb_repo_setup | sudo bash
    
  16. Add the Sury PHP repository (the sources list lives under /etc, so writing it needs sudo)

    sudo apt -y install lsb-release ca-certificates
    sudo curl -sSLo /usr/share/keyrings/deb.sury.org-php.gpg https://packages.sury.org/php/apt.gpg
    sudo sh -c 'echo "deb [signed-by=/usr/share/keyrings/deb.sury.org-php.gpg] https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/php.list'
    sudo apt update
    
  17. Install all necessary components for this setup (the MySQL driver package is php8.3-mysql, which ships the mysqlnd driver)

    sudo apt update && sudo apt upgrade --show-upgraded
    sudo apt -y install mlocate nginx php8.3-curl php8.3-gd php8.3-cli php8.3-fpm php8.3-mbstring php8.3-mysql php8.3-opcache php8.3-zip mariadb-server unattended-upgrades mailutils pigz zip unzip
    
  18. Update file database

    sudo updatedb
    
  19. Secure MariaDB by running the following command and following the instructions

    sudo mysql_secure_installation
    
  20. Create an admin user in place of root (replace 'password' with a strong, unique password; the account is limited to connections from localhost)

    sudo mariadb
    GRANT ALL ON *.* TO 'admin'@'localhost' IDENTIFIED BY 'password' WITH GRANT OPTION;
    FLUSH PRIVILEGES;
    exit
    
  21. Create a symlink for the mysql command

    sudo ln -s /usr/bin/mariadb /usr/bin/mysql
    
  22. Install Composer server wide (check the installer's SHA-384 against the one published on getcomposer.org before running it)

    curl -sS https://getcomposer.org/installer | php
    sudo mv composer.phar /usr/local/bin/composer
    
  23. Download automated mysql backup script

    cd ~
    wget https://gist.githubusercontent.com/vivianspencer/0c0cda55e254fd028edf7bcf936903a4/raw/1715278acd7a64744b98d1cbda386b89f8a033c2/db_backup.sh
    
  24. Update the database settings in the script to suit your needs. Open ~/db_backup.sh in your favourite editor and edit the settings below (the script holds the database password in plain text, so keep it readable only by its owner):

    # Backup storage directory
    backupfolder=/var/backups/db
    logfile=/var/backups/db-bkp.log
    
    # MySQL user
    user=USER
    password=PASSWORD
    
    # Number of days to store the backup
    keep_day=15
    
  25. Set up a cron job with crontab -e to run the backup nightly at 23:00 (the script must be executable by the user owning the crontab)

    0 23 * * * /home/exampleuser/db_backup.sh
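As an added example, not the gist's linked db_backup.sh, here is a backup script built around the settings from step 24 and the nightly cron job from step 25: it dumps all databases, compresses with pigz (installed in step 17), prunes archives older than keep_day days and keeps the password out of the process list by handing it to mysqldump through a temporary defaults file. The paths, the USER/PASSWORD placeholders and the presence of mysqldump and pigz are assumptions.

```shell
#!/bin/bash
# Added example, not the gist's own db_backup.sh: a nightly dump that uses the
# settings from step 24. USER/PASSWORD are placeholders from the page.
set -eu

# Backup storage directory
backupfolder=/var/backups/db
logfile=/var/backups/db-bkp.log

# MySQL user (the admin user created in step 20)
user=USER
password=PASSWORD

# Number of days to store the backup
keep_day=15

log() { printf '%s %s\n' "$(date '+%F %T')" "$*" >> "$logfile"; }

# Path of today's archive, e.g. /var/backups/db/all-databases-2024-01-16.sql.gz
backup_path() { printf '%s/all-databases-%s.sql.gz\n' "$1" "$(date +%F)"; }

# Dump every database. Credentials are passed via a 0600 temp file read by
# --defaults-extra-file (which must be the first option) so the password never
# shows up in `ps` output or in the cron job's command line.
backup_db() {
    cnf=$(mktemp) && chmod 600 "$cnf"
    printf '[client]\nuser=%s\npassword=%s\n' "$user" "$password" > "$cnf"
    mkdir -p "$backupfolder"
    out=$(backup_path "$backupfolder")
    # --single-transaction gives a consistent InnoDB snapshot without locks;
    # pigz -f then replaces the .sql file with the .sql.gz archive.
    if mysqldump --defaults-extra-file="$cnf" --single-transaction \
            --all-databases > "${out%.gz}" && pigz -f "${out%.gz}"; then
        log "backup written to $out"
    else
        log "backup FAILED"; rm -f "$cnf" "${out%.gz}"; return 1
    fi
    rm -f "$cnf"
}

# Remove archives older than keep_day days; prints how many were deleted.
prune_old_backups() {
    find "$1" -maxdepth 1 -name 'all-databases-*.sql.gz' -mtime +"$2" \
        -print -delete | wc -l | tr -d ' '
}

# Only run the backup when invoked with --run, e.g. from the step 25 crontab:
#   0 23 * * * /home/exampleuser/db_backup.sh --run
if [ "${1:-}" = "--run" ]; then
    backup_db
    log "removed $(prune_old_backups "$backupfolder" "$keep_day") old archive(s)"
fi
```

Because the script only dumps when called with --run, the crontab line from step 25 becomes `0 23 * * * /home/exampleuser/db_backup.sh --run`.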
    
  26. Install SMTP mail services

    sudo apt -y install msmtp msmtp-mta mailutils bsd-mailx
    
  27. Securely store the SMTP password (encrypted to a local GPG key; the last command checks that it decrypts)

    gpg --quick-gen-key --batch --passphrase PASSPHRASE "John Smith <john@smith.org>"
    echo "PASSWORD" | gpg --encrypt -o ~/.msmtp-password.gpg -r john@smith.org
    chmod 600 ~/.msmtp-password.gpg
    gpg --quiet --for-your-eyes-only --no-tty --decrypt ~/.msmtp-password.gpg
    
  28. Open /etc/msmtprc in your favourite editor and add the settings below. passwordeval runs as whichever user sends the mail, so the GPG key and ~/.msmtp-password.gpg from step 27 must exist in that user's home (root's, for mail sent by cron):

    # Set default values for all following accounts.
    defaults
    
    # Use the mail submission port 587 instead of the SMTP port 25.
    port 587
    
    # Always use TLS.
    tls on
    
    # Set a list of trusted CAs for TLS. The default is to use system settings, but
    # you can select your own file.
    tls_trust_file /etc/ssl/certs/ca-certificates.crt
    
    # The SMTP server of your ISP
    account isp
    host mail.isp.example
    from smithjoe@isp.example
    auth on
    user 12345
    passwordeval "gpg --quiet --for-your-eyes-only --no-tty --decrypt ~/.msmtp-password.gpg"
    
    # Set default account to isp
    account default: isp
    
    # Map local users to mail addresses
    aliases /etc/aliases
    
  29. Open /etc/mail.rc in your favourite editor and add the settings below:

    set mta=/usr/bin/msmtp
    
  30. Link system users with email addresses in order for system users to receive mails from cron jobs. Open /etc/aliases in your favourite editor and add the settings below:

    root: john@smith.org
    