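#cloud-config
# You need to update some lines from this cloud-init configuration for security and better configuration.
# Below you'll see some IDs and what you should replace. Search in this configuration for '# REPLACE'.
# If there is a number (ID) instead of a direct explanation then check below what it is about.
# 1. Replace '/var/www/html' (don't keep the ''). Update with the desired document root path
# 2. Replace 'casastii.nanlucian.com' (don't keep the ''). Update with the desired domain/subdomain
# 3. If you want to change the SSH port, change '22' to another number (both #3 lines must use the same port)
# 4. You can replace the path '/var/ngx_pagespeed_cache' for the Nginx PageSpeed cache
# !Important: Remove all commented REPLACE lines
#
# NOTE(review): everything in this file (including the MariaDB root password you fill in) is kept on the
# instance as user-data readable by root; treat the rendered file as a secret.

# update CentOS
package_upgrade: true

# allow unverified_modules
unverified_modules:
  - yum-add-repo

# add repositories
# Packages installed from these repos run as root, so every repo should use TLS and GPG verification;
# an unsigned package fetched over plain HTTP can be swapped on the wire.
yum_repos:
  nginx:
    name: nginx repo
    baseurl: https://nginx.org/packages/centos/7/$basearch/
    gpgkey: https://nginx.org/keys/nginx_signing.key
    gpgcheck: true
    enabled: true
  mariadb:
    name: MariaDB
    baseurl: http://yum.mariadb.org/10.3/centos7-amd64
    gpgkey: https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
    gpgcheck: true
    enabled: true
  # To install the initial packages we already need the following (temporary) repos to be enabled.
  # After the packages are installed, the real repo files shipped by the *-release packages replace them
  # (see "change temporary repos to real repos" in runcmd).
  epel:
    name: Extra Packages for Enterprise Linux 7 - $basearch
    baseurl: https://download.fedoraproject.org/pub/epel/7/$basearch
    metalink: https://mirrors.fedoraproject.org/metalink?repo=epel-7&arch=$basearch
    failovermethod: priority
    gpgkey: https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-7
    gpgcheck: true
    enabled: true
  remi-php73:
    name: Remi's PHP 7.3 RPM repository for Enterprise Linux 7 - $basearch
    baseurl: https://rpms.remirepo.net/enterprise/7/php73/$basearch/
    mirrorlist: http://cdn.remirepo.net/enterprise/7/php73/mirror
    gpgkey: https://rpms.remirepo.net/RPM-GPG-KEY-remi
    gpgcheck: true
    enabled: true
  getpagespeed-extras-x86_64:
    name: GetPageSpeed packages for Enterprise Linux - $basearch
    baseurl: https://extras.getpagespeed.com/redhat/7/$basearch/
    # NOTE(review): nginx-module-nps is installed from this bootstrap repo without signature checking.
    # Point gpgkey at the vendor's published signing key and set gpgcheck: true once you have confirmed the URL.
    gpgcheck: false
    enabled: true

# install packages
packages:
  - firewalld
  - vim
  - epel-release
  - https://rpms.remirepo.net/enterprise/remi-release-7.rpm
  - https://extras.getpagespeed.com/release-el7-latest.rpm
  - nginx
  - MariaDB-server
  - MariaDB-client
  - php-fpm
  - php-mysqlnd
  - php-common
  - php-json
  - php-pdo
  - php-cli
  - nginx-module-nps
  - python2-certbot-nginx

write_files:
  # REPLACE #2
  - path: /etc/nginx/conf.d/casastii.nanlucian.com.conf
    content: |
      server {
          listen 80;
          # REPLACE #2
          server_name casastii.nanlucian.com;

          # next 2 lines are moved from / { }
          # REPLACE #1
          root /var/www/html;
          index index.php index.html index.htm;

          location / {
              try_files $uri $uri/ =404;
          }

          error_page 404 /404.html;  # uncommented compared to the default file

          # redirect server error pages to the static page /50x.html
          error_page 500 502 503 504 /50x.html;
          location = /50x.html {
              root /usr/share/nginx/html;
          }

          # pass the PHP scripts to the FastCGI server listening on /var/run/php-fpm/php-fpm.sock
          # next section was commented in the default file
          # try_files first, so a request like /image.png/x.php cannot reach php-fpm
          # (together with cgi.fix_pathinfo=0 set in runcmd)
          location ~ \.php$ {
              try_files $uri $uri/ =404;
              fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
              fastcgi_index index.php;
              fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
              include fastcgi_params;
          }

          # deny access to .htaccess files, if Apache's document root
          # concurs with nginx's one
          location ~ /\.ht {
              deny all;
          }
      }
  - path: /etc/cron.d/letsencrypt_renew
    owner: root:root
    # /etc/cron.d entries use the system crontab format, which has a user field after the time fields,
    # and cron ignores a last line that is not newline-terminated.
    content: "15 3 * * * root /usr/bin/certbot renew --quiet\n"

runcmd:
  # REPLACE #3
  - sed -i -e '/^#Port /s/^.*$/Port 22/' /etc/ssh/sshd_config
  - systemctl restart sshd.service
  # REPLACE #3 (must match the sshd port above, otherwise SSH is locked out once firewalld starts)
  - /usr/bin/firewall-offline-cmd --zone=public --add-port=22/tcp
  - /usr/bin/firewall-offline-cmd --zone=public --add-service=http
  - /usr/bin/firewall-offline-cmd --zone=public --add-service=https
  - systemctl start firewalld.service
  - systemctl enable firewalld.service
  # change temporary repos to real repos
  # NOTE(review): the temporary repo file names written by cloud-init and the file names shipped by the
  # *-release packages differ in '-' vs '_'; confirm on a test instance that the .rpmnew files exist
  # under the names used here, otherwise the mv commands fail and the temporary repos stay removed.
  - rm -f /etc/yum.repos.d/epel.repo /etc/yum.repos.d/remi_php73.repo /etc/yum.repos.d/getpagespeed_extras_x86_64.repo
  - mv /etc/yum.repos.d/epel.repo.rpmnew /etc/yum.repos.d/epel.repo
  - mv /etc/yum.repos.d/remi_php73.repo.rpmnew /etc/yum.repos.d/remi_php73.repo
  - sed -i -e '0,/enabled=0/ s/enabled=0/enabled=1/' /etc/yum.repos.d/remi-php73.repo
  # REPLACE - #1
  # NOTE(review): a web root writable by the nginx user lets a compromised PHP script modify site files;
  # consider root ownership with only upload directories writable by nginx.
  - mkdir -p /var/www/html
  - chown nginx:nginx /var/www/html
  # harden PHP: no path-info guessing, no version banner
  - sed -i -e 's/;cgi.fix_pathinfo=1/cgi.fix_pathinfo=0/' /etc/php.ini
  - sed -i -e 's/expose_php = On/expose_php = Off/' /etc/php.ini
  # run php-fpm as nginx and listen on a unix socket owned by nginx instead of a TCP port
  - sed -i -e '/^user =/s/^.*$/user = nginx/' /etc/php-fpm.d/www.conf
  - sed -i -e '/^group =/s/^.*$/group = nginx/' /etc/php-fpm.d/www.conf
  - sed -i -e '/^listen =/s/^.*$/listen = \/var\/run\/php-fpm\/php-fpm.sock/' /etc/php-fpm.d/www.conf
  - sed -i -e '/^;listen.owner =/s/^.*$/listen.owner = nginx/' /etc/php-fpm.d/www.conf
  - sed -i -e '/^;listen.group =/s/^.*$/listen.group = nginx/' /etc/php-fpm.d/www.conf
  - systemctl start mariadb.service
  - systemctl enable mariadb.service
  # the same clean-up mysql_secure_installation performs: remote root, anonymous users, test database
  - "mysql -u root -e \"DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');\""
  - "mysql -u root -e \"DELETE FROM mysql.user WHERE User='';\""
  - "mysql -u root -e \"DROP DATABASE test;\""
  # '\\_' is needed here: in a YAML double-quoted string a bare '\_' is the escape for a non-breaking space
  - "mysql -u root -e \"DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%';\""
  # REPLACE - 'NEW_ROOT_PASSWORD'. Please keep the ''
  # NOTE(review): the password is visible in the process list while this command runs and stays in the
  # instance user-data; rotate it after provisioning or inject it from a secrets source if available.
  - "mysql -u root -e \"UPDATE mysql.user SET Password=PASSWORD('NEW_ROOT_PASSWORD') WHERE User='root';\""
  - "mysql -u root -e \"FLUSH PRIVILEGES;\""
  - rm -f /etc/nginx/conf.d/default.conf
  - sed -i '/pid \/var\/run\/nginx.pid;/a load_module "modules/ngx_pagespeed.so";' /etc/nginx/nginx.conf
  # REPLACE #4 + 'CUSTOM-MESSAGE'. Please keep the "" from the original command
  # server_tokens off hides the nginx version from error pages and headers
  - sed -i '/http {/a \ \ \ \ server_tokens off;\n \ \ \ pagespeed FileCachePath /var/ngx_pagespeed_cache;\n \ \ \ pagespeed on;\n \ \ \ pagespeed XHeaderValue "CUSTOM-MESSAGE";\n' /etc/nginx/nginx.conf
  # REPLACE #4
  - mkdir -p /var/ngx_pagespeed_cache
  # REPLACE #4
  - chown nginx:nginx /var/ngx_pagespeed_cache
  - systemctl start nginx.service
  - systemctl enable nginx.service
  - systemctl start php-fpm
  - systemctl enable php-fpm
  # REPLACE #2 + replace 'contact@email.tld' with your email
  - certbot --nginx -n -d casastii.nanlucian.com --email contact@email.tld --agree-tos --redirect --hsts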