rootless nginx-rp

nginx-rp/copy-conf.sh

@@ -1,31 +0,0 @@
-#!/bin/bash
-
-
-if [[ $UID -ne 0 ]]; then
-	echo "This script must be run as root."
-	exit 1
-fi
-
-# Chemin relatif pour les cas où
-# le script n'est pas exécuté depuis
-# le répertoire où il se trouve.
-rel_path="$(dirname "$0")"
-
-# Fichiers requis pour le script
-files=('dhparam.txt' 'nginx.conf' 'reverse-proxy.conf')
-for file in "${files[@]}"; do
-	if ! [[ -f "$rel_path/$file" ]]; then
-		echo "Required file $file is missing, exiting."
-		exit 1
-	fi
-done
-
-
-cp "$rel_path/nginx.conf" /etc/nginx/
-cp "$rel_path/reverse-proxy.conf" /etc/nginx/sites-available/
-cp "$rel_path/dhparam.txt" /etc/nginx/
-
-rm /etc/nginx/sites-enabled/*
-ln -s /etc/nginx/sites-available/reverse-proxy.conf /etc/nginx/sites-enabled/reverse-proxy.conf
-
-systemctl reload nginx

nginx-rp/nginx.conf

@@ -1,6 +1,6 @@
-user www-data;
+# user www-data;
+# pid /run/nginx.pid;
 worker_processes auto;
-pid /run/nginx.pid;
 include /etc/nginx/modules-enabled/*.conf;
 
 events {

nginx-rp/service.conf

@@ -0,0 +1,20 @@
+[Service]
+User=www-data
+Group=www-data
+NoNewPrivileges=yes
+CapabilityBoundingSet=
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+AmbientCapabilities=
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+RuntimeDirectory=nginx
+StateDirectory=nginx
+LogsDirectory=nginx
+PIDFile=/run/nginx/nginx.pid
+ExecStartPre=
+ExecStartPre=/usr/sbin/nginx -t -q -g 'daemon on; master_process on; pid /run/nginx/nginx.pid;'
+ExecStart=
+ExecStart=/usr/sbin/nginx -g 'daemon on; master_process on; pid /run/nginx/nginx.pid;'
+ExecReload=
+ExecReload=/usr/sbin/nginx -g 'daemon on; master_process on; pid /run/nginx/nginx.pid;' -s reload
+ExecStop=
+ExecStop=-/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /run/nginx/nginx.pid

nginx-rp/setup.sh

@@ -0,0 +1,57 @@
+#!/bin/bash
+
+
+if [[ $UID -ne 0 ]]; then
+	echo "This script must be run as root."
+	exit 1
+fi
+
+# Chemin relatif pour les cas où
+# le script n'est pas exécuté depuis
+# le répertoire où il se trouve.
+rel_path="$(dirname "$0")"
+
+# Fichiers requis pour le script
+files=('dhparam.txt' 'nginx.conf' 'reverse-proxy.conf' 'service.conf')
+for file in "${files[@]}"; do
+	if ! [[ -f "$rel_path/$file" ]]; then
+		echo "Required file $file is missing, exiting."
+		exit 1
+	fi
+done
+
+
+if [[ ! -x /usr/sbin/nginx ]]; then
+	apt install -y nginx
+fi
+
+
+mkdir /etc/systemd/system/nginx.service.d 2> /dev/null
+
+
+if ! diff "$rel_path/service.conf" /etc/systemd/system/nginx.service.d/service.conf &> /dev/null; then
+	cp "$rel_path/service.conf" "/etc/systemd/system/nginx.service.d/service.conf"
+	systemctl daemon-reload
+	systemctl restart nginx
+fi
+
+
+cp "$rel_path/nginx.conf" /etc/nginx/
+cp "$rel_path/reverse-proxy.conf" /etc/nginx/sites-available/
+cp "$rel_path/dhparam.txt" /etc/nginx/
+
+
+rm /etc/nginx/sites-enabled/*
+ln -s /etc/nginx/sites-available/reverse-proxy.conf /etc/nginx/sites-enabled/reverse-proxy.conf
+
+
+chown root:www-data /etc/letsencrypt/archive/ /etc/letsencrypt/live/
+chmod 750 /etc/letsencrypt/archive/ /etc/letsencrypt/live/
+
+
+chown -L root:www-data /etc/letsencrypt/live/viyurz.fr/privkey.pem
+chmod 640 /etc/letsencrypt/live/viyurz.fr/privkey.pem
+
+
+systemctl start nginx
+systemctl reload nginx