rootless nginx-rp

Viyurz 2023-12-06 08:38:05 +00:00
parent c3eab0133b
commit 2187a7ddb0
4 changed files with 79 additions and 33 deletions


@ -1,31 +0,0 @@
#!/bin/bash
if [[ $UID -ne 0 ]]; then
echo "This script must be run as root."
exit 1
fi
# Chemin relatif pour les cas où
# le script n'est pas exécuté depuis
# le répertoire où il se trouve.
rel_path="$(dirname "$0")"
# Fichiers requis pour le script
files=('dhparam.txt' 'nginx.conf' 'reverse-proxy.conf')
for file in "${files[@]}"; do
if ! [[ -f "$rel_path/$file" ]]; then
echo "Required file $file is missing, exiting."
exit 1
fi
done
cp "$rel_path/nginx.conf" /etc/nginx/
cp "$rel_path/reverse-proxy.conf" /etc/nginx/sites-available/
cp "$rel_path/dhparam.txt" /etc/nginx/
rm /etc/nginx/sites-enabled/*
ln -s /etc/nginx/sites-available/reverse-proxy.conf /etc/nginx/sites-enabled/reverse-proxy.conf
systemctl reload nginx


@ -1,6 +1,6 @@
user www-data; # user www-data;
# pid /run/nginx.pid;
worker_processes auto; worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf; include /etc/nginx/modules-enabled/*.conf;
events { events {
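Review bot: The `user` and `pid` directives appear to be left as commented-out lines at the top of the file, with nothing saying where those settings now live. The same commit sets `User=www-data` and passes `pid /run/nginx/nginx.pid;` through `-g` in nginx-rp/service.conf, so a short comment such as `# user and pid are set by the systemd drop-in (service.conf)` would explain why they are disabled. It would also warn that a manual `nginx -s reload` without the same `-g` string looks for the pid file at the compiled-in default path instead. The old and new columns are fused on this page, so which side each line belongs to is inferred, and the `events` block continues outside the hunk.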

20
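--- a/nginx-rp/service.conf
+++ b/nginx-rp/service.conf
@@ -0,0 +1,20 @@
+[Service]
+User=www-data
+Group=www-data
+NoNewPrivileges=yes
+CapabilityBoundingSet=
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+AmbientCapabilities=
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+RuntimeDirectory=nginx
+StateDirectory=nginx
+LogsDirectory=nginx
+PIDFile=/run/nginx/nginx.pid
+ExecStartPre=
+ExecStartPre=/usr/sbin/nginx -t -q -g 'daemon on; master_process on; pid /run/nginx/nginx.pid;'
+ExecStart=
+ExecStart=/usr/sbin/nginx -g 'daemon on; master_process on; pid /run/nginx/nginx.pid;'
+ExecReload=
+ExecReload=/usr/sbin/nginx -g 'daemon on; master_process on; pid /run/nginx/nginx.pid;' -s reload
+ExecStop=
+ExecStop=-/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /run/nginx/nginx.pid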
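Review bot: The drop-in removes root and trims the capability sets, but the service's filesystem view is left at systemd's defaults, so a compromised worker can still write wherever www-data has write access and still sees the host's /home and /tmp. Since `RuntimeDirectory=`, `StateDirectory=` and `LogsDirectory=` already declare the writable paths, adding `ProtectSystem=strict`, `ProtectHome=yes` and `PrivateTmp=yes` would fit here. Check this against the reverse-proxy configuration first, which is not shown on this page. The pid path is repeated in `PIDFile=`, the `-g` string of three Exec lines and `ExecStop=`, so a comment noting that they must change together would help the next edit.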

57
nginx-rp/setup.sh Executable file

@ -0,0 +1,57 @@
#!/bin/bash
if [[ $UID -ne 0 ]]; then
echo "This script must be run as root."
exit 1
fi
# Chemin relatif pour les cas où
# le script n'est pas exécuté depuis
# le répertoire où il se trouve.
rel_path="$(dirname "$0")"
# Fichiers requis pour le script
files=('dhparam.txt' 'nginx.conf' 'reverse-proxy.conf' 'service.conf')
for file in "${files[@]}"; do
if ! [[ -f "$rel_path/$file" ]]; then
echo "Required file $file is missing, exiting."
exit 1
fi
done
if [[ ! -x /usr/sbin/nginx ]]; then
apt install -y nginx
fi
mkdir /etc/systemd/system/nginx.service.d 2> /dev/null
if ! diff "$rel_path/service.conf" /etc/systemd/system/nginx.service.d/service.conf &> /dev/null; then
cp "$rel_path/service.conf" "/etc/systemd/system/nginx.service.d/service.conf"
systemctl daemon-reload
systemctl restart nginx
fi
cp "$rel_path/nginx.conf" /etc/nginx/
cp "$rel_path/reverse-proxy.conf" /etc/nginx/sites-available/
cp "$rel_path/dhparam.txt" /etc/nginx/
rm /etc/nginx/sites-enabled/*
ln -s /etc/nginx/sites-available/reverse-proxy.conf /etc/nginx/sites-enabled/reverse-proxy.conf
chown root:www-data /etc/letsencrypt/archive/ /etc/letsencrypt/live/
chmod 750 /etc/letsencrypt/archive/ /etc/letsencrypt/live/
chown -L root:www-data /etc/letsencrypt/live/viyurz.fr/privkey.pem
chmod 640 /etc/letsencrypt/live/viyurz.fr/privkey.pem
systemctl start nginx
systemctl reload nginx
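Review bot: The drop-in block runs `systemctl restart nginx` before the new nginx.conf is copied and before the Let's Encrypt permissions are changed, so on a first run the unprivileged service is started against the old state. The previous nginx.conf appears to still carry its own `pid` directive, which nginx is likely to reject as a duplicate of the one passed with `-g`, and privkey.pem is not yet readable by the www-data group. Moving the three `cp` lines and the `chown`/`chmod` lines above the `diff` check would make the restart the last step that depends on them. The script also has no `set -e` or per-command checks, so a failed `cp` still ends in `systemctl reload nginx`. Separately, `chown -L root:www-data` with mode 640 exposes the private key to every process running in the www-data group, which a dedicated group for the nginx service would narrow.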