From 2187a7ddb01012189fa0ac46a34cec09d8ca9896 Mon Sep 17 00:00:00 2001
From: Viyurz <128215328+Viyurz@users.noreply.github.com>
Date: Wed, 6 Dec 2023 08:38:05 +0000
Subject: [PATCH] rootless nginx-rp

---
 nginx-rp/copy-conf.sh | 31 -----------------------
 nginx-rp/nginx.conf | 4 +--
 nginx-rp/service.conf | 20 +++++++++++++++
 nginx-rp/setup.sh | 57 +++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 79 insertions(+), 33 deletions(-)
 delete mode 100755 nginx-rp/copy-conf.sh
 create mode 100644 nginx-rp/service.conf
 create mode 100755 nginx-rp/setup.sh

diff --git a/nginx-rp/copy-conf.sh b/nginx-rp/copy-conf.sh
deleted file mode 100755
index 9cc5675..0000000
--- a/nginx-rp/copy-conf.sh
+++ /dev/null
@@ -1,31 +0,0 @@
-#!/bin/bash
-
-
-if [[ $UID -ne 0 ]]; then
- echo "This script must be run as root."
- exit 1
-fi
-
-# Chemin relatif pour les cas où
-# le script n'est pas exécuté depuis
-# le répertoire où il se trouve.
-rel_path="$(dirname "$0")"
-
-# Fichiers requis pour le script
-files=('dhparam.txt' 'nginx.conf' 'reverse-proxy.conf')
-for file in "${files[@]}"; do
- if ! [[ -f "$rel_path/$file" ]]; then
- echo "Required file $file is missing, exiting."
- exit 1
- fi
-done
-
-
-cp "$rel_path/nginx.conf" /etc/nginx/
-cp "$rel_path/reverse-proxy.conf" /etc/nginx/sites-available/
-cp "$rel_path/dhparam.txt" /etc/nginx/
-
-rm /etc/nginx/sites-enabled/*
-ln -s /etc/nginx/sites-available/reverse-proxy.conf /etc/nginx/sites-enabled/reverse-proxy.conf
-
-systemctl reload nginx
diff --git a/nginx-rp/nginx.conf b/nginx-rp/nginx.conf
index 5e9646d..1ba27dc 100644
--- a/nginx-rp/nginx.conf
+++ b/nginx-rp/nginx.conf
@@ -1,6 +1,6 @@
-user www-data;
+# user www-data;
+# pid /run/nginx.pid;
 worker_processes auto;
-pid /run/nginx.pid;
 include /etc/nginx/modules-enabled/*.conf;
 
 events {
diff --git a/nginx-rp/service.conf b/nginx-rp/service.conf
new file mode 100644
index 0000000..7f8f73b
--- /dev/null
+++ b/nginx-rp/service.conf
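Review bot: The two commented-out directives carry no explanation of why they must stay out of nginx.conf, and a later maintainer restoring `pid /run/nginx.pid;` would make the service fail to start, because the systemd drop-in in this commit passes `pid` through `-g` and nginx treats a directive given both on the command line and in the file as a duplicate. Replace the bare `# pid /run/nginx.pid;` with a why-comment such as `# pid is set by the systemd drop-in (nginx.service.d/service.conf) via -g; declaring it here as well is rejected as a duplicate. user is unused because the master no longer runs as root.` Keeping that comment in place makes the drop-in the single source of truth for the pid path.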
@@ -0,0 +1,20 @@
+[Service]
+User=www-data
+Group=www-data
+NoNewPrivileges=yes
+CapabilityBoundingSet=
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+AmbientCapabilities=
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+RuntimeDirectory=nginx
+StateDirectory=nginx
+LogsDirectory=nginx
+PIDFile=/run/nginx/nginx.pid
+ExecStartPre=
+ExecStartPre=/usr/sbin/nginx -t -q -g 'daemon on; master_process on; pid /run/nginx/nginx.pid;'
+ExecStart=
+ExecStart=/usr/sbin/nginx -g 'daemon on; master_process on; pid /run/nginx/nginx.pid;'
+ExecReload=
+ExecReload=/usr/sbin/nginx -g 'daemon on; master_process on; pid /run/nginx/nginx.pid;' -s reload
+ExecStop=
+ExecStop=-/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /run/nginx/nginx.pid
diff --git a/nginx-rp/setup.sh b/nginx-rp/setup.sh
new file mode 100755
index 0000000..dc06528
--- /dev/null
+++ b/nginx-rp/setup.sh
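Review bot: `ExecStop=-/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /run/nginx/nginx.pid` signals whichever PID the pidfile names, and with `RuntimeDirectory=nginx` that file lives in a www-data-writable directory, so a compromised worker can rewrite it to point at another www-data process; the stop running as `User=www-data` bounds the damage but does not make the match exact. The simplest fix is to drop both `ExecStop=` lines and let systemd stop the service from its own cgroup tracking, adding `KillSignal=SIGQUIT` so nginx still receives its graceful-shutdown signal; if start-stop-daemon is kept, give it `--user www-data --exec /usr/sbin/nginx` so it only ever matches nginx. The same pidfile concern applies to `PIDFile=` — recent systemd checks that the PID belongs to the service's cgroup before trusting it, but confirm that on the target version. Beyond the capability bounding, the unit has no filesystem or device sandboxing; `ProtectSystem=strict`, `ProtectHome=yes`, `PrivateTmp=yes`, `PrivateDevices=yes` and `RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX` would complement it, with the `*Directory=` settings expected to keep /run/nginx, /var/lib/nginx and /var/log/nginx writable under `ProtectSystem=strict` — verify that `nginx -t` still passes after adding them.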
@@ -0,0 +1,57 @@
+#!/bin/bash
+
+
+if [[ $UID -ne 0 ]]; then
+ echo "This script must be run as root."
+ exit 1
+fi
+
+# Chemin relatif pour les cas où
+# le script n'est pas exécuté depuis
+# le répertoire où il se trouve.
+rel_path="$(dirname "$0")"
+
+# Fichiers requis pour le script
+files=('dhparam.txt' 'nginx.conf' 'reverse-proxy.conf' 'service.conf')
+for file in "${files[@]}"; do
+ if ! [[ -f "$rel_path/$file" ]]; then
+ echo "Required file $file is missing, exiting."
+ exit 1
+ fi
+done
+
+
+if [[ ! -x /usr/sbin/nginx ]]; then
+ apt install -y nginx
+fi
+
+
+mkdir /etc/systemd/system/nginx.service.d 2> /dev/null
+
+
+if ! diff "$rel_path/service.conf" /etc/systemd/system/nginx.service.d/service.conf &> /dev/null; then
+ cp "$rel_path/service.conf" "/etc/systemd/system/nginx.service.d/service.conf"
+ systemctl daemon-reload
+ systemctl restart nginx
+fi
+
+
+cp "$rel_path/nginx.conf" /etc/nginx/
+cp "$rel_path/reverse-proxy.conf" /etc/nginx/sites-available/
+cp "$rel_path/dhparam.txt" /etc/nginx/
+
+
+rm /etc/nginx/sites-enabled/*
+ln -s /etc/nginx/sites-available/reverse-proxy.conf /etc/nginx/sites-enabled/reverse-proxy.conf
+
+
+chown root:www-data /etc/letsencrypt/archive/ /etc/letsencrypt/live/
+chmod 750 /etc/letsencrypt/archive/ /etc/letsencrypt/live/
+
+
+chown -L root:www-data /etc/letsencrypt/live/viyurz.fr/privkey.pem
+chmod 640 /etc/letsencrypt/live/viyurz.fr/privkey.pem
+
+
+systemctl start nginx
+systemctl reload nginx
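Review bot: The drop-in is installed and `systemctl restart nginx` is issued before the new nginx.conf is copied into /etc/nginx, so on a first run the restart uses the old config, which still contains `pid /run/nginx.pid;` while service.conf also passes `pid` via `-g`; nginx treats that as a duplicate directive and refuses the config, the restart fails, and with no `set -e` the script carries on to `systemctl start nginx` as if nothing had happened. Move the `cp`/`rm`/`ln` and the letsencrypt permission steps ahead of the drop-in block and add `set -euo pipefail` after the shebang so a failed `cp` or `chown` aborts before nginx is started. The letsencrypt changes are also broader than needed: `chmod 750` on all of archive/ and live/ lets www-data traverse every lineage on the host, and the lineage `viyurz.fr` is hard-coded — `domain=${1:-viyurz.fr}` plus `chmod 750` on only that lineage's directories would scope it. Certbot renewal writes a fresh privkeyN.pem into archive/ and, depending on the certbot version, may not carry the previous key's group and mode over; verify on the target or run the `chown`/`chmod` from a certbot deploy hook so the unprivileged master keeps read access after renewal. Note that with `User=www-data` the private key is now readable by the worker processes as well, which is the inherent cost of the rootless setup and worth a one-line comment above the `chmod 640`.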