root 2021-08-29 02:26:22 +02:00
parent decf8e09a6
commit 92213c8975
8 changed files with 230 additions and 76 deletions

1
.gitignore vendored Normal file

@ -0,0 +1 @@
config.local.json

18
config.dist.json Normal file

@ -0,0 +1,18 @@
# www-admtools default configuration
# you should override settings in `config.local.json'
#"dbrootpw": "XXX",
#"dbrootpw_file": "/etc/mysql/XXX",
"logfile": "/var/log/www-create-site.log",
"use_owner": 0,
"use_site_log": 0,
"quota": "off",
"use_admin": 0,
"use_ftpd": 0,
"use_ocsp_stapling": 1,
"itk_assignuser": 0,
"php_fpm": "off",
# vim: set ft=config tabstop=2 shiftwidth=2 expandtab smarttab:
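Review bot: The file is not valid JSON on its own — no outer braces, `#` comments and a trailing comma — and only loads because `read_config` in the create script wraps the contents in `{ … }` and decodes them with JSON's `relaxed` mode; any tool or editor going by the `.json` suffix will reject it, and nothing in the header says so. Add a line to the header comment such as `# one "key": value, per line; the loader wraps the file in {} and parses it in relaxed JSON mode (# comments and a trailing comma are accepted)`. Since `dbrootpw` may be set directly in this file, also add `# if dbrootpw is set here, keep config.local.json mode 0600 - the loader does not check file permissions`, which is the only place a user of the tool will see that requirement.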

4
crontab.example Normal file

@ -0,0 +1,4 @@
# www-admtools
0-59/5 * * * * root /opt/www-admtools/www-update-diskusage


@ -1,9 +1,9 @@
#!/usr/bin/perl #!/usr/bin/perl
# 2021-08-02 <tom@bitfit.hu> php-fpm + sok egyeb fejlesztes
use strict; use warnings; use utf8; use strict; use warnings; use utf8;
use Getopt::Long; use Getopt::Long;
use File::Slurp; use File::Slurp;
use Data::Dumper; use JSON;
use FindBin;
my $self; my $self;
sub sys { sub sys {
@ -74,7 +74,7 @@ sub check_dns {
} }
sub generate_random { sub generate_random {
for my $x (qw(dbpasswd)) { for my $x (qw(dbpasswd ftppasswd adminurl)) {
my $passwd = qx(pwgen 12 1); my $passwd = qx(pwgen 12 1);
chomp $passwd; chomp $passwd;
if (length($passwd) != 12) { if (length($passwd) != 12) {
@ -87,6 +87,10 @@ sub generate_random {
sub filesystem { sub filesystem {
sys "mkdir $self->{siteroot}"; sys "mkdir $self->{siteroot}";
if ($self->{quota} > 0) {
my $kb = $self->{quota} * 1024;
sys "setquota $self->{user} $kb $kb 0 0 /www";
}
} }
sub user { sub user {
@ -94,7 +98,11 @@ sub user {
} }
sub siteroot_setup { sub siteroot_setup {
for my $d (qw(public tmp)) { my @dirs = qw(public tmp);
if ($self->{use_site_log}) {
push @dirs, 'log';
}
for my $d (@dirs) {
my $path = "$self->{siteroot}/$d"; my $path = "$self->{siteroot}/$d";
next if -d $path; next if -d $path;
sys "mkdir $path"; sys "mkdir $path";
@ -110,6 +118,10 @@ sub siteroot_setup {
write_file($robotsfn, write_file($robotsfn,
"User-agent: *\nDisallow: /\n"); "User-agent: *\nDisallow: /\n");
} }
if ($self->{use_owner}) {
write_file("$self->{siteroot}/.INFO",
sprintf("%s\nowner=%s\n", scalar localtime time, $self->{site_owner}));
}
sys "www-reset-acl $self->{site}"; sys "www-reset-acl $self->{site}";
} }
@ -164,55 +176,77 @@ sub letsencrypt {
} }
sub apache { sub apache {
my $alias = '';
for (my $i = 1; $i < scalar @{$self->{domains}}; $i++) {
$alias .= " ServerAlias $self->{domains}->[$i]\n";
}
chomp $alias;
my $itk = '';
if ($self->{itk_assignuser}) {
$itk = " AssignUserId $self->{user} $self->{group}\n";
}
my $lt = scalar localtime time; my $lt = scalar localtime time;
my $cf = <<EOT; my $logbase = "\${APACHE_LOG_DIR}/$self->{site}";
# generated: $lt if ($self->{use_site_log}) {
<VirtualHost *:80> $logbase = "$self->{siteroot}/log/apache";
ServerName $self->{domains}->[0] }
$alias my $c = "# generated: $lt\n";
ErrorLog \${APACHE_LOG_DIR}/$self->{site}.notls.err.log if ($self->{use_owner}) {
CustomLog \${APACHE_LOG_DIR}/$self->{site}.notls.log detailed $c.="# owner: $self->{site_owner}\n";
RewriteEngine On }
RewriteRule ^/(.*) https://%{HTTP_HOST}/\$1 [R,L] $c .= "<VirtualHost *:80>\n".
</VirtualHost> " ServerName $self->{domains}->[0]\n";
<VirtualHost *:443> for (my $i = 1; $i < scalar @{$self->{domains}}; $i++) {
$itk SSLEngine on $c.=" ServerAlias $self->{domains}->[$i]\n\n";
SSLCertificateFile $self->{tlscrt} }
SSLCertificateKeyFile $self->{tlskey} $c .= " ErrorLog $logbase.notls.err.log\n".
SSLUseStapling on " CustomLog $logbase.notls.log detailed\n".
SSLStaplingReturnResponderErrors off " RewriteEngine On\n".
SSLStaplingFakeTryLater off " RewriteRule ^/(.*) https://%{HTTP_HOST}/\$1 [R,L]\n".
SSLStaplingStandardCacheTimeout 86400 "</VirtualHost>\n".
SSLStaplingResponderTimeout 2 "<VirtualHost *:443>\n";
ServerName $self->{domains}->[0] if ($self->{itk_assignuser}) {
$alias $c.=" AssignUserId $self->{user} $self->{group}\n\n";
ErrorLog \${APACHE_LOG_DIR}/$self->{site}.err.log }
CustomLog \${APACHE_LOG_DIR}/$self->{site}.log detailed $c .= " SSLEngine on\n".
DocumentRoot $self->{siteroot}/public " SSLCertificateFile $self->{tlscrt}\n".
<Directory $self->{siteroot}/public> " SSLCertificateKeyFile $self->{tlskey}\n";
Options -Indexes -FollowSymlinks +SymLinksIfOwnerMatch if ($self->{use_ocsp_stapling}) {
AllowOverride all $c.=" SSLUseStapling on\n".
Require all granted " SSLStaplingReturnResponderErrors off\n".
</Directory> " SSLStaplingFakeTryLater off\n".
Header always set Strict-Transport-Security "max-age=31536000;" " SSLStaplingStandardCacheTimeout 86400\n".
#-[[-www-phpfpm " SSLStaplingResponderTimeout 2\n";
#-]]-www-phpfpm }
</VirtualHost> $c .= " ServerName $self->{domains}->[0]\n";
# vim: set tabstop=4 shiftwidth=4 expandtab smarttab: for (my $i = 1; $i < scalar @{$self->{domains}}; $i++) {
EOT $c.=" ServerAlias $self->{domains}->[$i]\n\n";
write_file($self->{apachecf}, $cf); }
$c .= " ErrorLog $logbase.err.log\n".
" CustomLog $logbase.log detailed\n".
" DocumentRoot $self->{siteroot}/public\n".
" <Directory $self->{siteroot}/public>\n".
" Options -Indexes -FollowSymlinks +SymLinksIfOwnerMatch\n".
" AllowOverride all\n".
" Require all granted\n".
" </Directory>\n".
" Header always set Strict-Transport-Security \"max-age=31536000;\"\n";
if ($self->{use_admin}) {
$c.=" Alias /.$self->{adminurl}/ /var/www/_admin/\n";
}
if ($self->{php_fpm} and $self->{php_fpm} =~ /^\d/) {
$c.=" #-[[-www-phpfpm\n".
" #-]]-www-phpfpm\n";
}
$c .= "</VirtualHost>\n".
"# vim: set tabstop=4 shiftwidth=4 expandtab smarttab:\n";
write_file($self->{apachecf}, $c);
sys "apachectl graceful"; sys "apachectl graceful";
} }
sub proftpd {
return if !$self->{use_ftpd};
my $uid = qx(id -u $self->{user});
chomp $uid;
if ($uid < 10000 or $uid > 11000) {
die "got invalid uid for user '$self->{user}': $uid\n";
}
my $gid = qx(id -g $self->{user});
chomp $gid;
sys "echo $self->{ftppasswd} | ftpasswd --stdin --passwd --file /etc/proftpd/ftpd.passwd --name $self->{ftpuser} --home $self->{siteroot} --shell /bin/false --uid $uid --gid $gid";
}
sub php_fpm { sub php_fpm {
if ($self->{php_fpm} and $self->{php_fpm} =~ /^\d/) { if ($self->{php_fpm} and $self->{php_fpm} =~ /^\d/) {
sys "www-phpfpm -s $self->{site} -p $self->{php_fpm}"; sys "www-phpfpm -s $self->{site} -p $self->{php_fpm}";
@ -229,44 +263,104 @@ sub find_defcert {
return qx{hostname -f}; return qx{hostname -f};
} }
sub read_config {
my ($fn) = @_;
my $contents;
eval {
$contents = read_file($fn);
};
return if $@;
my $cf;
eval {
my $json = JSON->new->utf8->relaxed;
$cf = $json->decode("{ $contents }");
};
if ($@) {
print STDERR "warning: configuration $fn has JSON errors: $@\n";
return;
}
for my $k (keys %$cf) {
$self->{$k} = $cf->{$k};
}
}
$self = { $self = {
site => "", config_files => [
"$FindBin::RealBin/config.dist.json",
"$FindBin::RealBin/config.local.json"],
use_site_log => 0,
use_owner => 0,
use_admin => 0,
use_ftpd => 0,
site => '',
domains => [], domains => [],
dbpasswd => "", dbpasswd => '',
dbrootpw => read_file('/etc/mysql/jelszo') =~ s/\s//gr, dbrootpw_file => undef,
dbrootpw => undef,
letsencrypt_dom => "/etc/dehydrated/domains.txt", letsencrypt_dom => "/etc/dehydrated/domains.txt",
resolver => '8.8.8.8', resolver => '8.8.8.8',
defcert => 0, defcert => 0,
defcert_name => find_defcert, defcert_name => find_defcert,
no_dnscheck => 0, no_dnscheck => 0,
itk_assignuser => 0, itk_assignuser => 0,
php_fpm => '7.4', use_ocsp_stapling => 1,
php_fpm => 'off',
quota => 'off',
logfile => '/var/log/www-create-site.log', logfile => '/var/log/www-create-site.log',
}; };
my $usage = <<EOT;
usage: $0 OPTIONS.. sub usage {
-s|--site NAME new website's short name ([a-z][a-z0-9]*) my $t = "usage: $0 OPTIONS..\n";
-d|--domain 'D [D..]' list of domain names for website if ($self->{use_owner}) {
--mysqlrootpw PASSWD mysql root password (default is set) $t.=" -o|--owner NAME new website's owner (mandatory)\n";
--defcert use server's own certificate (skip letsencrypt) }
--no-dns-check skip dns check (with implicit --defcert) $t .= " -s|--site NAME new website's short name ([a-z][a-z0-9]*)\n".
--itk-assignuser use mpm-itk AssignUserId (default: $self->{itk_assignuser}) " -d|--domain 'D [D..]' list of domain names for website\n".
--php-fpm VER create PHP FPM configuration (default VER: $self->{php_fpm}) " --mysqlrootpw PASSWD mysql root password (default: read from file)\n".
EOT " --defcert skip letsencrypt, use server's cert: $self->{defcert_name}\n".
" --no-dns-check skip dns check (with implicit --defcert)\n".
" --[no]ocsp-stapling set SSLUseStapling on (default: ".
($self->{use_ocsp_stapling} ? 'yes' : 'no') .")\n".
" --[no]itk-assignuser use mpm-itk AssignUserId (default: ".
($self->{itk_assignuser} ? 'yes' : 'no') .")\n".
" --php-fpm {off|VER} create PHP FPM configuration (default: $self->{php_fpm})\n".
" --[no]adminurl create site specific admin URL (default: ".
($self->{use_admin} ? 'yes' : 'no') .")\n".
" --[no]ftpd create proftpd user (default: ".
($self->{use_ftpd} ? 'yes' : 'no') .")\n".
" --quota {off|SIZE} quota size in MB (default: $self->{quota})\n";
return $t;
}
for my $cfn (@{$self->{config_files}}) {
read_config($cfn);
}
GetOptions( GetOptions(
"owner|o=s" => \$self->{site_owner},
"site|s=s" => \$self->{site}, "site|s=s" => \$self->{site},
"domain|d=s@" => \$self->{domains}, "domain|d=s@" => \$self->{domains},
"mysqlrootpw=s" => \$self->{dbrootpw}, "mysqlrootpw=s" => \$self->{dbrootpw},
"defcert" => \$self->{defcert}, "defcert" => \$self->{defcert},
"no-dns-check" => \$self->{no_dnscheck}, "no-dns-check" => \$self->{no_dnscheck},
"itk-assignuser" => \$self->{itk_assignuser}, "itk-assignuser" => \$self->{itk_assignuser},
"no-itk-assignuser" => sub { $self->{itk_assignuser} = 0; },
"ocsp-stapling" => \$self->{use_ocsp_stapling},
"no-ocsp-stapling" => sub { $self->{use_ocsp_stapling} = 0; },
"php-fpm=s" => \$self->{php_fpm}, "php-fpm=s" => \$self->{php_fpm},
'help|h' => sub { print $usage; exit 0 } "adminurl" => \$self->{use_admin},
) or die $usage; "noadminurl" => sub { $self->{use_admin} = 0; },
"ftpd" => \$self->{use_ftpd},
"noftpd" => sub { $self->{use_ftpd} = 0; },
"quota=s" => \$self->{quota},
'help|h' => sub { print usage(); exit 0 }
) or die usage();
if (!$self->{site}) { if (!$self->{site}) {
die "no site name given\n$usage"; die "no site name given\n". usage();
}
if ($self->{use_owner} and !$self->{site_owner}) {
die "no site owner given\n";
} }
if ($self->{site} !~ /^[a-z][a-z0-9]*$/) { if ($self->{site} !~ /^[a-z][a-z0-9]*$/) {
die "site contains invalid characters: $self->{site}\n"; die "site contains invalid characters: $self->{site}\n";
@ -284,6 +378,7 @@ $self->{user} = "www-$self->{site}";
$self->{group} = $self->{user}; $self->{group} = $self->{user};
$self->{dbname} = $self->{site}; $self->{dbname} = $self->{site};
$self->{dbuser} = $self->{site}; $self->{dbuser} = $self->{site};
$self->{ftpuser} = $self->{site};
# #
$self->{tlscrt} = "/etc/dehydrated/certs/$self->{domains}->[0]/fullchain.pem"; $self->{tlscrt} = "/etc/dehydrated/certs/$self->{domains}->[0]/fullchain.pem";
$self->{tlskey} = "/etc/dehydrated/certs/$self->{domains}->[0]/privkey.pem"; $self->{tlskey} = "/etc/dehydrated/certs/$self->{domains}->[0]/privkey.pem";
@ -293,6 +388,12 @@ if ($self->{defcert}) {
$self->{tlskey} = "/etc/dehydrated/certs/$self->{defcert_name}/privkey.pem"; $self->{tlskey} = "/etc/dehydrated/certs/$self->{defcert_name}/privkey.pem";
} }
if (!defined $self->{dbrootpw}) {
if (!defined $self->{dbrootpw_file}) {
die "no mysql root password, or password file given\n";
}
$self->{dbrootpw} = read_file($self->{dbrootpw_file}) =~ s/\s//gr;
}
check_exists; check_exists;
if (!$self->{no_dnscheck}) { if (!$self->{no_dnscheck}) {
@ -308,16 +409,26 @@ if (!$self->{defcert} and !$self->{no_dnscheck}) {
letsencrypt; letsencrypt;
} }
apache; apache;
proftpd;
php_fpm; php_fpm;
my $domains = join(' ', @{$self->{domains}}); my $domains = join(' ', @{$self->{domains}});
my $sitedata = <<EOT; my $sitedata =
Siteroot: $self->{siteroot} "Siteroot: $self->{siteroot}\n".
Domain: $domains "Domain: $domains\n".
MySQL db: $self->{dbname} "MySQL db: $self->{dbname}\n".
MySQL user: $self->{dbuser} "MySQL user: $self->{dbuser}\n".
MySQL passwd: $self->{dbpasswd} "MySQL passwd: $self->{dbpasswd}\n";
EOT if ($self->{use_admin}) {
$sitedata .=
"MySQL Adminer: https://$self->{domains}->[0]/.$self->{adminurl}/adminer.php\n";
}
if ($self->{use_ftpd}) {
$sitedata .=
"FTP: $self->{domains}->[0] (port 21, plain + TLS)\n".
"FTP user: $self->{ftpuser}\n".
"FTP passwd: $self->{ftppasswd}\n";
}
print "\n$sitedata"; print "\n$sitedata";
umask(0066); umask(0066);
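Review bot: In the new `proftpd` sub the password is passed to `ftpasswd` via `sys "echo $self->{ftppasswd} | ftpasswd --stdin ..."`, so it is part of a shell command line and readable by every local user in the process list for the lifetime of the pipeline; if `sys` also records the command in `$self->{logfile}` (its body starts at the top of the file, outside this hunk) the password is written to the log as well. Open the pipe in list form and print the password to it, as sketched below; that bypasses `sys`, so log a redacted line yourself if the command logging is wanted. A smaller point in `filesystem`: `if ($self->{quota} > 0)` compares the default string `'off'` numerically and warns under `use warnings`; guard it with `if ($self->{quota} =~ /^\d+$/ and $self->{quota} > 0)`.
```perl
sub proftpd {
    return if !$self->{use_ftpd};
    # … unchanged: uid/gid lookup and uid range check …
    # List-form pipe: the password goes to ftpasswd's stdin and never
    # appears in a shell command line, ps output or the sys log.
    open my $pw, '|-', 'ftpasswd', '--stdin', '--passwd',
        '--file', '/etc/proftpd/ftpd.passwd', '--name', $self->{ftpuser},
        '--home', $self->{siteroot}, '--shell', '/bin/false',
        '--uid', $uid, '--gid', $gid
        or die "cannot run ftpasswd: $!\n";
    print {$pw} "$self->{ftppasswd}\n";
    close $pw or die "ftpasswd failed (status $?)\n";
}
```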


@ -9,9 +9,10 @@ rm /etc/apache2/sites-enabled/$site.conf
apachectl graceful apachectl graceful
www-phpfpm -s $site -d www-phpfpm -s $site -d
deluser www-$site deluser www-$site
sed -i -e '/^$site:/d' /etc/proftpd/ftpd.passwd
echo 'DROP DATABASE $site;' | mysql -u root -p`cat /etc/mysql/jelszo` echo 'DROP DATABASE $site;' | mysql -u root -p`cat /etc/mysql/jelszo`
echo 'DROP USER $site\@localhost;' | mysql -u root -p`cat /etc/mysql/jelszo` echo 'DROP USER $site\@localhost;' | mysql -u root -p`cat /etc/mysql/jelszo`
rm -r /www/$site rm -r /www/$site
- letsencrypt domains.txt-bol kivenni, revoke certificate -> remove from letsencrypt domains.txt, revoke certificate
EOT EOT
# vim: set tabstop=4 shiftwidth=4 expandtab smarttab: # vim: set tabstop=4 shiftwidth=4 expandtab smarttab:


@ -1,5 +1,4 @@
#!/usr/bin/perl #!/usr/bin/perl
# 2021-08-02 <tom@bitfit.hu>
use strict; use warnings; use utf8; use strict; use warnings; use utf8;
use Getopt::Long; use Getopt::Long;
use File::Slurp; use File::Slurp;


@ -1,5 +1,4 @@
#!/bin/bash #!/bin/bash
# 2021-08-02 <tom@bitfit.hu> www-data r-x
d=$1 d=$1
if [ -z "$d" ]; then if [ -z "$d" ]; then
echo "usage: $0 <directory under /www>" echo "usage: $0 <directory under /www>"

21
www-update-diskusage Executable file

@ -0,0 +1,21 @@
#!/bin/bash
if ! mountpoint -q /www; then
echo "/www not a mountpoint" >&2
exit 1
fi
cd /www
for d in *; do
if [[ $d == lost+found ]]; then continue; fi
if [[ $d == aquota.user ]]; then continue; fi
if [[ $d == _admin ]]; then continue; fi
if mountpoint -q $d; then
(date; df -mP $d) > $d/disk_usage.txt
else
Q=$(quota -u www-$d 2>/dev/null)
if [[ $? == 0 ]]; then
(date; echo "$Q") > $d/disk_usage.txt
fi
fi
done
# vim: set tabstop=4 shiftwidth=4 expandtab smarttab:
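Review bot: The redirect `> $d/disk_usage.txt` runs as root (crontab.example schedules this script as root) into a site directory that is presumably writable by that site's own user; if the user replaces `disk_usage.txt` with a symlink, the shell's open follows it and root truncates and overwrites whatever the link points at. Enable `noclobber` so the file is created with O_EXCL — a planted symlink then makes the open fail instead of being followed — and remove the previous report just before writing, as sketched below. The unquoted `$d`, `www-$d` and the target path should also be double-quoted; site names are validated as `[a-z][a-z0-9]*` by www-create-site, but `/www` may contain other entries.
```bash
# O_EXCL creation: a symlink planted at the target makes the open fail
# (EEXIST) rather than being followed by root.
set -o noclobber
# … unchanged: mountpoint check, cd /www, loop header and skip list …
    out="$d/disk_usage.txt"
    if mountpoint -q "$d"; then
        rm -f "$out"
        (date; df -mP "$d") > "$out"
    else
        Q=$(quota -u "www-$d" 2>/dev/null)
        if [[ $? == 0 ]]; then
            rm -f "$out"
            (date; echo "$Q") > "$out"
        fi
    fi
```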