From 5d70c5e06332e1473bb9c47dc2d60843b96d808f Mon Sep 17 00:00:00 2001
From: einhorn_b
Date: Thu, 4 Jan 2024 17:36:44 +0100
Subject: [PATCH] add hetzner_cloud deployment folder, simplify config

---
 deployment/bare_metal/.env.dist | 117 ++++++++--------
 deployment/bare_metal/doc/server.drawio | 118 ++++++++++++++++
 .../sites-available/gradido.conf.ssl.template | 128 ------------------
 .../sites-available/gradido.conf.template | 2 +-
 .../update-page.conf.ssl.template | 37 -----
 deployment/bare_metal/start.sh | 8 +-
 deployment/hetzner_cloud/README.md | 82 +++++++++++
 deployment/hetzner_cloud/cloudConfig.yaml | 46 +++++++
 deployment/hetzner_cloud/install.sh | 60 ++++++++
 deployment/hetzner_cloud/mysql_secure.sh | 33 +++++
 nginx/gradido.conf | 2 +-
 11 files changed, 403 insertions(+), 230 deletions(-)
 create mode 100644 deployment/bare_metal/doc/server.drawio
 delete mode 100644 deployment/bare_metal/nginx/sites-available/gradido.conf.ssl.template
 delete mode 100644 deployment/bare_metal/nginx/sites-available/update-page.conf.ssl.template
 create mode 100644 deployment/hetzner_cloud/README.md
 create mode 100644 deployment/hetzner_cloud/cloudConfig.yaml
 create mode 100644 deployment/hetzner_cloud/install.sh
 create mode 100644 deployment/hetzner_cloud/mysql_secure.sh

diff --git a/deployment/bare_metal/.env.dist b/deployment/bare_metal/.env.dist
index 1335e06a5..9abc739fb 100644
--- a/deployment/bare_metal/.env.dist
+++ b/deployment/bare_metal/.env.dist
@@ -1,45 +1,25 @@
-GRADIDO_LOG_PATH=/home/gradido/gradido/deployment/bare_metal/log
-
-# start script
-DEPLOY_SEED_DATA=false
-
-# nginx
-NGINX_REWRITE_LEGACY_URLS=true
-NGINX_SSL=true
-NGINX_SERVER_NAME=stage1.gradido.net
-NGINX_SSL_CERTIFICATE=/etc/letsencrypt/live/stage1.gradido.net/fullchain.pem
-NGINX_SSL_CERTIFICATE_KEY=/etc/letsencrypt/live/stage1.gradido.net/privkey.pem
-NGINX_SSL_DHPARAM=/etc/letsencrypt/ssl-dhparams.pem
-NGINX_SSL_INCLUDE=/etc/letsencrypt/options-ssl-nginx.conf
-NGINX_UPDATE_PAGE_ROOT=/home/gradido/gradido/deployment/bare_metal/nginx/update-page
-
-# webhook
-WEBHOOK_GITHUB_SECRET=secret
-WEBHOOK_GITHUB_BRANCH=master
-
-# community
-COMMUNITY_NAME="Gradido Development Stage1"
-COMMUNITY_URL=https://stage1.gradido.net/
-COMMUNITY_REGISTER_URL=https://stage1.gradido.net/register
-COMMUNITY_REDEEM_URL=https://stage1.gradido.net/redeem/{code}
-COMMUNITY_REDEEM_CONTRIBUTION_URL=https://stage1.gradido.net/redeem/CL-{code}
-COMMUNITY_DESCRIPTION="Gradido Development Stage1 Test Community"
+# Need to adjust!
+COMMUNITY_NAME="Your community name"
+COMMUNITY_DESCRIPTION="Short Description from your Community."
+COMMUNITY_URL=gddhost.tld
 COMMUNITY_SUPPORT_MAIL=support@supportmail.com
-# backend
+# Need to adjust by updates
+# config versions
+DATABASE_CONFIG_VERSION=v1.2022-03-18
 BACKEND_CONFIG_VERSION=v17.2023-07-03
+FRONTEND_CONFIG_VERSION=v4.2022-12-20
+ADMIN_CONFIG_VERSION=v1.2022-03-18
+FEDERATION_CONFIG_VERSION=v1.2023-01-09
+FEDERATION_DHT_CONFIG_VERSION=v3.2023-04-26
-JWT_EXPIRES_IN=10m
-GDT_API_URL=https://gdt.gradido.net
-
-TYPEORM_LOGGING_RELATIVE_PATH=../deployment/bare_metal/log/typeorm.backend.log
-
-KLICKTIPP=false
-KLICKTIPP_USER=
-KLICKTIPP_PASSWORD=
-KLICKTIPP_APIKEY_DE=
-KLICKTIPP_APIKEY_EN=
+# Need adjustments for test system
+URL_PROTOCOL=https
+# start script
+# only for test server
+DEPLOY_SEED_DATA=false
+# setup email account for sending gradido system messages to users
 EMAIL=true
 EMAIL_TEST_MODUS=false
 EMAIL_TEST_RECEIVER=test_team@gradido.net
@@ -47,41 +27,57 @@ EMAIL_USERNAME=peter@lustig.de
 EMAIL_SENDER=peter@lustig.de
 EMAIL_PASSWORD=1234
 EMAIL_SMTP_URL=smtp.lustig.de
-EMAIL_LINK_VERIFICATION=https://stage1.gradido.net/checkEmail/{optin}{code}
-EMAIL_LINK_SETPASSWORD=https://stage1.gradido.net/reset-password/{optin}
-EMAIL_LINK_FORGOTPASSWORD=https://stage1.gradido.net/forgot-password
-EMAIL_LINK_OVERVIEW=https://stage1.gradido.net/overview
 EMAIL_CODE_VALID_TIME=1440
 EMAIL_CODE_REQUEST_TIME=10
-WEBHOOK_ELOPAGE_SECRET=secret
+# Logging
+GRADIDO_LOG_PATH=/home/gradido/gradido/deployment/bare_metal/log
+TYPEORM_LOGGING_RELATIVE_PATH=/home/gradido/gradido/deployment/bare_metal/log/typeorm.backend.log
+
+# webhook
+WEBHOOK_GITHUB_SECRET=secret
+WEBHOOK_GITHUB_BRANCH=master
+
+# frontend and admin paths, usually don't need changes
+# used in nginx config and for links in emails
+WALLET_PATH=/login
+COMMUNITY_REGISTER_PATH=/register
+COMMUNITY_REDEEM_PATH=/redeem/{code}
+COMMUNITY_REDEEM_CONTRIBUTION_PATH=/redeem/CL-{code}
+WALLET_AUTH_PATH=/authenticate?token={token}
+EMAIL_LINK_VERIFICATION=/checkEmail/{optin}{code}
+EMAIL_LINK_SETPASSWORD=/reset-password/{optin}
+EMAIL_LINK_FORGOTPASSWORD=/forgot-password
+EMAIL_LINK_OVERVIEW=/overview
+ADMIN_AUTH_PATH=/admin/authenticate?token={token}
+GRAPHQL_PATH=/graphql
+
+# login expire time
+JWT_EXPIRES_IN=10m
 # Federation
-FEDERATION_DHT_CONFIG_VERSION=v3.2023-04-26
 # if you set the value of FEDERATION_DHT_TOPIC, the DHT hyperswarm will start to announce and listen
 # on an hash created from this topic
 # FEDERATION_DHT_TOPIC=GRADIDO_HUB
 # FEDERATION_DHT_SEED=64ebcb0e3ad547848fef4197c6e2332f
-FEDERATION_COMMUNITY_URL=http://stage1.gradido.net
 # the api port is the baseport, which will be added with the api-version, e.g.
1_0 = 5010
 FEDERATION_COMMUNITY_API_PORT=5000
-FEDERATION_CONFIG_VERSION=v1.2023-01-09
 # comma separated list of api-versions, which cause starting several federation modules
 FEDERATION_COMMUNITY_APIS=1_0,1_1
-# database
-DATABASE_CONFIG_VERSION=v1.2022-03-18
+# externe gradido services (more added in future)
+GDT_API_URL=https://gdt.gradido.net
-# frontend
-FRONTEND_CONFIG_VERSION=v4.2022-12-20
+# used for combining a newsletter on klicktipp with this gradido community
+# if used, user will be subscribed on register and can unsubscribe in his account
+KLICKTIPP=false
+KLICKTIPP_USER=
+KLICKTIPP_PASSWORD=
+KLICKTIPP_APIKEY_DE=
+KLICKTIPP_APIKEY_EN=
-GRAPHQL_URI=https://stage1.gradido.net/graphql
-ADMIN_AUTH_URL=https://stage1.gradido.net/admin/authenticate?token={token}
-
-DEFAULT_PUBLISHER_ID=2896
-
-META_URL=http://localhost
+# Meta data in frontend pages, important when shared via facebook or twitter or for search engines
 META_TITLE_DE="Gradido – Dein Dankbarkeitskonto"
 META_TITLE_EN="Gradido - Your gratitude account"
 META_DESCRIPTION_DE="Dankbarkeit ist die Währung der neuen Zeit. Immer mehr Menschen entfalten ihr Potenzial und gestalten eine gute Zukunft für alle."
@@ -90,8 +86,11 @@ META_KEYWORDS_DE="Grundeinkommen, Währung, Dankbarkeit, Schenk-Ökonomie, Natü
 META_KEYWORDS_EN="Basic Income, Currency, Gratitude, Gift Economy, Natural Economy of Life, Economy, Ecology, Potential Development, Giving and Thanking, Cycle of Life, Monetary System"
 META_AUTHOR="Bernd Hückstädt - Gradido-Akademie"
-# admin
-ADMIN_CONFIG_VERSION=v1.2022-03-18
+# update page shown while updating gradido
+# page will be fed with status changes
+NGINX_UPDATE_PAGE_ROOT=/home/gradido/gradido/deployment/bare_metal/nginx/update-page
-WALLET_AUTH_URL=https://stage1.gradido.net/authenticate?token={token}
-WALLET_URL=https://stage1.gradido.net/login
+# LEGACY
+NGINX_REWRITE_LEGACY_URLS=false
+DEFAULT_PUBLISHER_ID=2896
+WEBHOOK_ELOPAGE_SECRET=secret
\ No newline at end of file
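Review bot: The placeholder secrets `WEBHOOK_GITHUB_SECRET=secret` (new `# webhook` group) and `WEBHOOK_ELOPAGE_SECRET=secret` (new `# LEGACY` group) sit outside the `# Need to adjust!` section, and the new hetzner_cloud README copies this file verbatim to `.env`, so a server can go live with the literal value `secret` protecting the webhook endpoints. I would move both lines under `# Need to adjust!` or ship them empty so a missing value fails at startup instead of silently accepting a guessable one, e.g. `WEBHOOK_GITHUB_SECRET=` preceded by `# REQUIRED: random string, must match the secret configured in the GitHub webhook`. The context line `EMAIL_PASSWORD=1234` is left in the default file by the rearrangement and deserves the same treatment.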
diff --git a/deployment/bare_metal/doc/server.drawio b/deployment/bare_metal/doc/server.drawio new file mode 100644 index 000000000..e65220821 --- /dev/null +++ b/deployment/bare_metal/doc/server.drawio @@ -0,0 +1,118 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/deployment/bare_metal/nginx/sites-available/gradido.conf.ssl.template b/deployment/bare_metal/nginx/sites-available/gradido.conf.ssl.template deleted file mode 100644 index a99327745..000000000 --- a/deployment/bare_metal/nginx/sites-available/gradido.conf.ssl.template +++ /dev/null 
@@ -1,128 +0,0 @@ -server { - if ($host = $NGINX_SERVER_NAME) { - return 301 https://$host$request_uri; - } - - server_name $NGINX_SERVER_NAME; - listen 80; - listen [::]:80; - return 404; -} - -server { - server_name $NGINX_SERVER_NAME; - - listen [::]:443 ssl ipv6only=on; - listen 443 ssl; - ssl_certificate $NGINX_SSL_CERTIFICATE; - ssl_certificate_key $NGINX_SSL_CERTIFICATE_KEY; - include $NGINX_SSL_INCLUDE; - ssl_dhparam $NGINX_SSL_DHPARAM; - - include /etc/nginx/common/protect.conf; - include /etc/nginx/common/protect_add_header.conf; - - #gzip_static on; - gzip on; - gzip_proxied any; - gzip_types - text/css - text/javascript - text/xml - text/plain - application/javascript - application/x-javascript - application/json; - - # Legacy URLS - set $REWRITE_LEGACY_URLS "$NGINX_REWRITE_LEGACY_URLS"; - if ($REWRITE_LEGACY_URLS = 'true') { - rewrite ^/vue/?(.*)$ /$1 permanent; - } - - # Frontend (default) - location / { - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection 'upgrade'; - proxy_set_header X-Forwarded-For $remote_addr; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $host; - - proxy_pass http://127.0.0.1:3000; - proxy_redirect off; - - access_log $GRADIDO_LOG_PATH/nginx-access.frontend.log gradido_log; - error_log $GRADIDO_LOG_PATH/nginx-error.frontend.log warn; - } - - # Backend - location /graphql { - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection 'upgrade'; - proxy_set_header X-Forwarded-For $remote_addr; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $host; - - proxy_pass http://127.0.0.1:4000; - proxy_redirect off; - - access_log $GRADIDO_LOG_PATH/nginx-access.backend.log gradido_log; - error_log $GRADIDO_LOG_PATH/nginx-error.backend.log warn; - } - - # Backend webhooks - location /hook { - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection 'upgrade'; - proxy_set_header 
X-Forwarded-For $remote_addr; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $host; - - proxy_pass http://127.0.0.1:4000/hook; - proxy_redirect off; - - access_log $GRADIDO_LOG_PATH/nginx-access.backend.hook.log gradido_log; - error_log $GRADIDO_LOG_PATH/nginx-error.backend.hook.log warn; - } - - # Webhook reverse proxy - location /hooks/ { - proxy_pass http://127.0.0.1:9000/hooks/; - - access_log $GRADIDO_LOG_PATH/nginx-access.hooks.log gradido_log; - error_log $GRADIDO_LOG_PATH/nginx-error.hooks.log warn; - } - - # Admin Frontend - location /admin { - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection 'upgrade'; - proxy_set_header X-Forwarded-For $remote_addr; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $host; - - proxy_pass http://127.0.0.1:8080/; - proxy_redirect off; - - access_log $GRADIDO_LOG_PATH/nginx-access.admin.log gradido_log; - error_log $GRADIDO_LOG_PATH/nginx-error.admin.log warn; - } - - # Federation - $FEDERATION_NGINX_CONF - - # TODO this could be a performance optimization - #location /vue { - # alias /var/www/html/gradido/frontend/build; - # index index.html; - # - # location ~* \.(png)$ { - # expires 39d; - # } - # try_files $uri $uri/ /index.html = 404; - #} -} \ No newline at end of file diff --git a/deployment/bare_metal/nginx/sites-available/gradido.conf.template b/deployment/bare_metal/nginx/sites-available/gradido.conf.template index f6149a818..1b4732d7c 100644 --- a/deployment/bare_metal/nginx/sites-available/gradido.conf.template +++ b/deployment/bare_metal/nginx/sites-available/gradido.conf.template @@ -1,5 +1,5 @@ server { - server_name $NGINX_SERVER_NAME; + server_name $COMMUNITY_URL; listen 80; listen [::]:80; diff --git a/deployment/bare_metal/nginx/sites-available/update-page.conf.ssl.template b/deployment/bare_metal/nginx/sites-available/update-page.conf.ssl.template deleted file mode 100644 index ddcb9ffc1..000000000 
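Review bot: `server_name $COMMUNITY_URL;` silently changes what COMMUNITY_URL means: the removed `.env.dist` default was a full URL (`https://stage1.gradido.net/`) while the new default is a bare host (`gddhost.tld`), and nothing validates the form, so an operator who keeps the old style ends up with a `server_name` like `https://host/`, which nginx will most likely treat as a literal name that never matches a Host header and the site falls through to the default server. Either keep a dedicated `NGINX_SERVER_NAME` for nginx or document the expected form next to the variable in `.env.dist`, e.g. `# host name only (no scheme, no path) - also used as nginx server_name`. The `server` block continues outside the hunk.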
--- a/deployment/bare_metal/nginx/sites-available/update-page.conf.ssl.template
+++ /dev/null
@@ -1,37 +0,0 @@
-
-server {
- if ($host = $NGINX_SERVER_NAME) {
- return 301 https://$host$request_uri;
- }
-
- server_name $NGINX_SERVER_NAME;
- listen 80;
- listen [::]:80;
- return 404;
-}
-server {
- server_name $NGINX_SERVER_NAME;
-
- listen [::]:443 ssl ipv6only=on;
- listen 443 ssl;
- ssl_certificate $NGINX_SSL_CERTIFICATE;
- ssl_certificate_key $NGINX_SSL_CERTIFICATE_KEY;
- include $NGINX_SSL_INCLUDE;
- ssl_dhparam $NGINX_SSL_DHPARAM;
-
- include /etc/nginx/common/protect.conf;
- include /etc/nginx/common/protect_add_header.conf;
-
- gzip on;
-
- root $NGINX_UPDATE_PAGE_ROOT;
- index updating.html;
-
- location / {
- try_files /updating.html =404;
- }
-
- access_log $GRADIDO_LOG_PATH/nginx-access.update-page.log gradido_log;
- error_log $GRADIDO_LOG_PATH/nginx-error.update-page.log warn;
-}
-
diff --git a/deployment/bare_metal/start.sh b/deployment/bare_metal/start.sh
index 5d5744bd6..bc923c6fa 100755
--- a/deployment/bare_metal/start.sh
+++ b/deployment/bare_metal/start.sh
@@ -100,8 +100,8 @@ export FEDERATION_NGINX_CONF=$(< $NGINX_CONFIG_DIR/gradido-federation.conf.locat
 # *** 3rd generate gradido nginx config including federation modules per api-version
 echo 'Generate new gradido nginx config' >> $UPDATE_HTML
-case "$NGINX_SSL" in
- true) TEMPLATE_FILE="gradido.conf.ssl.template" ;;
+case "$URL_PROTOCOL" in
+ 'https') TEMPLATE_FILE="gradido.conf.ssl.template" ;;
 *) TEMPLATE_FILE="gradido.conf.template" ;;
 esac
 envsubst '$FEDERATION_NGINX_CONF' < $NGINX_CONFIG_DIR/$TEMPLATE_FILE > $NGINX_CONFIG_DIR/gradido.conf.tmp
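Review bot: For `URL_PROTOCOL=https`, which is the default the new `.env.dist` ships, the `'https')` arm still selects `gradido.conf.ssl.template`, but this same commit deletes `deployment/bare_metal/nginx/sites-available/gradido.conf.ssl.template` (see the `delete mode` entry in the commit record), so the `envsubst` input redirect on the last line fails and, unless the script aborts on errors somewhere outside the hunk, the update continues without a regenerated config. The hunk at line 112 has the identical problem with the deleted `update-page.conf.ssl.template`. Either keep the SSL templates, or, if TLS is now meant to be layered on the plain template by certbot's nginx plugin (the new cloud config installs `python3-certbot-nginx`), drop the `case` and use `gradido.conf.template` unconditionally; in both cases guard the read, e.g. `[ -f "$NGINX_CONFIG_DIR/$TEMPLATE_FILE" ] || { echo "missing template $TEMPLATE_FILE" >&2; exit 1; }`.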
@@ -112,8 +112,8 @@ rm $NGINX_CONFIG_DIR/gradido-federation.conf.locations
 # Generate update-page.conf from template
 echo 'Generate new update-page nginx config' >> $UPDATE_HTML
-case "$NGINX_SSL" in
- true) TEMPLATE_FILE="update-page.conf.ssl.template" ;;
+case "$URL_PROTOCOL" in
+ 'https') TEMPLATE_FILE="update-page.conf.ssl.template" ;;
 *) TEMPLATE_FILE="update-page.conf.template" ;;
 esac
 envsubst "$(env | sed -e 's/=.*//' -e 's/^/\$/g')" < $NGINX_CONFIG_DIR/$TEMPLATE_FILE > $NGINX_CONFIG_DIR/update-page.conf
diff --git a/deployment/hetzner_cloud/README.md b/deployment/hetzner_cloud/README.md
new file mode 100644
index 000000000..01df8663d
--- /dev/null
+++ b/deployment/hetzner_cloud/README.md
@@ -0,0 +1,82 @@
+# Setup on Hetzner Cloud Server
+Suggested minimal Plan: CX41
+4x vCPU, 16 GB Ram, 160 GB Disk Space, 20.71 € per month (04.01.2024)
+
+Suggested OS:
+Debian 12
+
+For Hetzner Cloud Server a cloud config can be attached, which will be run before first start
+https://community.hetzner.com/tutorials/basic-cloud-config/de
+https://cloudinit.readthedocs.io/en/latest/reference/examples.html
+You can use our [cloudConfig.yaml](./cloudConfig.yaml) but you must insert you own ssh public key,
+like this:
+```yaml
+ssh_authorized_keys:
+ - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAkLGbzbG7KIGfkssKJBkc/0EVAzQ/8vjvVHzNdxhK8J yourname
+```
+
+## After Setup Cloud Server with cloudConfig.yaml
+### setup your domain pointing on server ip address
+### login to your new server as root
+```bash
+ssh -i /path/to/privKey root@gddhost.tld
+```
+
+### Change default shell
+
+```bash
+chsh -s /bin/bash
+chsh -s /bin/bash gradido
+```
+
+### Set password for user `gradido`
+
+```bash
+$ passwd gradido
+# enter new password twice
+```
+
+### Switch to the new user
+
+```bash
+su gradido
+```
+
+### Test authentication via SSH
+
+If you logout from the server you can test authentication:
+
+```bash
+$ ssh -i /path/to/privKey gradido@gddhost.tld
+# This should log you in and allow you to use sudo commands, which will require the user's password
+```
+
+### Disable password root login via ssh
+
+```bash
+sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.org
+sudo sed -i -e '/^\(#\|\)PermitRootLogin/s/^.*$/PermitRootLogin no/' /etc/ssh/sshd_config
+sudo sed -i '$a AllowUsers gradido' /etc/ssh/sshd_config
+sudo /etc/init.d/ssh restart
+```
+
+### Test SSH Access only, no root ssh access
+
+```bash
+$ ssh gradido@gddhost.tld
+# Will result in in either a passphrase request for your key or the message 'Permission denied (publickey)'
+$ ssh -i /path/to/privKey root@gddhost.tld
+# Will result in 'Permission denied (publickey)'
+$ ssh -i /path/to/privKey gradido@gddhost.tld
+# Will
succeed after entering the correct keys passphrase (if any)
+```
+
+### Install `Gradido` code
+```bash
+cd ~
+git clone https://github.com/gradido/gradido.git
+```
+### Edit Config
+```bash
+cd ~/gradido/deployment
+cp ./bare_metal/.env.dist ./hetzner_cloud/.env
\ No newline at end of file
diff --git a/deployment/hetzner_cloud/cloudConfig.yaml b/deployment/hetzner_cloud/cloudConfig.yaml
new file mode 100644
index 000000000..86e7d5724
--- /dev/null
+++ b/deployment/hetzner_cloud/cloudConfig.yaml
@@ -0,0 +1,46 @@
+#cloud-config
+users:
+ - name: gradido
+ groups: users, admin, sudo
+ sudo: ALL=(ALL) NOPASSWD:/etc/init.d/nginx start,/etc/init.d/nginx stop,/etc/init.d/nginx restart
+ shell: /bin/bash
+ ssh_authorized_keys:
+ -
+
+packages:
+ - fail2ban
+ - ufw
+ - git
+ - mariadb-server
+ - nginx
+ - curl
+ - build-essential
+ - gnupg
+ - certbot
+ - python3-certbot-nginx
+ - logrotate
+ - automysqlbackup
+ - expect
+package_update: true
+package_upgrade: true
+
+runcmd:
+- printf "[sshd]\nenabled = true\nbanaction = iptables-multiport" > /etc/fail2ban/jail.local
+- systemctl enable fail2ban
+
+- ufw allow OpenSSH
+- ufw allow http
+- ufw allow https
+- ufw enable
+
+- sed -i -e '/^\(#\|\)PasswordAuthentication/s/^.*$/PasswordAuthentication no/' /etc/ssh/sshd_config
+- sed -i -e '/^\(#\|\)KbdInteractiveAuthentication/s/^.*$/KbdInteractiveAuthentication no/' /etc/ssh/sshd_config
+- sed -i -e '/^\(#\|\)ChallengeResponseAuthentication/s/^.*$/ChallengeResponseAuthentication no/' /etc/ssh/sshd_config
+- sed -i -e '/^\(#\|\)MaxAuthTries/s/^.*$/MaxAuthTries 3/' /etc/ssh/sshd_config
+- sed -i -e '/^\(#\|\)AllowTcpForwarding/s/^.*$/AllowTcpForwarding no/' /etc/ssh/sshd_config
+- sed -i -e '/^\(#\|\)X11Forwarding/s/^.*$/X11Forwarding no/' /etc/ssh/sshd_config
+- sed -i -e '/^\(#\|\)AllowAgentForwarding/s/^.*$/AllowAgentForwarding no/' /etc/ssh/sshd_config
+- sed -i -e '/^\(#\|\)AuthorizedKeysFile/s/^.*$/AuthorizedKeysFile .ssh\/authorized_keys/' /etc/ssh/sshd_config
+- sed -i '$a AllowUsers gradido root' /etc/ssh/sshd_config
+
+- reboot
\ No newline at end of file
diff --git a/deployment/hetzner_cloud/install.sh b/deployment/hetzner_cloud/install.sh
new file mode 100644
index 000000000..c51a2e60b
--- /dev/null
+++ b/deployment/hetzner_cloud/install.sh
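Review bot: The `sed` edits for `PasswordAuthentication`, `KbdInteractiveAuthentication` and `ChallengeResponseAuthentication` only rewrite matching lines in `/etc/ssh/sshd_config` itself, but Debian 12's stock file starts with `Include /etc/ssh/sshd_config.d/*.conf`, and cloud images commonly carry a drop-in there (cloud-init writes one on some images) whose first-match value wins over anything edited below the Include, so password login can stay enabled even though every `sed` ran. cloud-init has keys for this that do not depend on the file layout: `ssh_pwauth: false` at top level, and `disable_root: true` if root key login is not wanted after provisioning (the appended `AllowUsers gradido root` currently keeps it open until the README's manual step). A cheap last `runcmd` entry such as `- sshd -T | grep -iE 'passwordauthentication|permitrootlogin|allowusers' > /root/sshd-effective.txt` gives the operator the effective values to confirm on first login.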
@@ -0,0 +1,60 @@
+#!/bin/bash
+
+
+# Note: This is needed - since there is Summer-Time included in the default server Setup - UTC is REQUIRED for production data
+timedatectl set-timezone UTC
+timedatectl set-ntp on
+apt purge ntp
+systemctl start systemd-timesyncd
+
+set -o allexport
+SCRIPT_PATH=$(realpath ../bare_metal)
+SCRIPT_DIR=$(dirname $SCRIPT_PATH)
+PROJECT_ROOT=$SCRIPT_DIR/../..
+set +o allexport
+
+# Load .env or .env.dist if not present
+# NOTE: all config values will be in process.env when starting
+# the services and will therefore take precedence over the .env
+if [ -f "./.env" ]; then
+ set -o allexport
+ source ./.env
+ set +o allexport
+else
+ set -o allexport
+ source $SCRIPT_DIR/.env.dist
+ set +o allexport
+fi
+
+# Configure git
+git config pull.ff only
+
+# Secure mysql https://gist.github.com/Mins/4602864
+SECURE_MYSQL=$(expect -c "
+
+set timeout 10
+spawn mysql_secure_installation
+
+expect \"Enter current password for root (enter for none):\"
+send \"\r\"
+
+expect \"Switch to unix_socket authentication:\"
+send \"Y\r\"
+
+expect \"Change the root password?\"
+send \"n\r\"
+
+expect \"Remove anonymous users?\"
+send \"y\r\"
+
+expect \"Disallow root login remotely?\"
+send \"y\r\"
+
+expect \"Remove test database and access to it?\"
+send \"y\r\"
+
+expect \"Reload privilege tables now?\"
+send \"y\r\"
+
+expect eof
+")
+echo "$SECURE_MYSQL"
\ No newline at end of file
diff --git a/deployment/hetzner_cloud/mysql_secure.sh b/deployment/hetzner_cloud/mysql_secure.sh
new file mode 100644
index 000000000..2f90c4f4e
--- /dev/null
+++ b/deployment/hetzner_cloud/mysql_secure.sh
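Review bot: `SCRIPT_DIR=$(dirname $SCRIPT_PATH)` is the parent of `../bare_metal`, i.e. the `deployment` directory, so the fallback `source $SCRIPT_DIR/.env.dist` points at `deployment/.env.dist`, a file this commit does not create (it lives at `deployment/bare_metal/.env.dist`), and both that path and `./.env` depend on the caller's working directory while the README's `cp ./bare_metal/.env.dist ./hetzner_cloud/.env` places `.env` next to this script. I would derive every path from `${BASH_SOURCE[0]}` and look for `.env` beside the script, as below. Separately, `apt purge ntp` has no `-y`, so an unattended run can stop at the confirmation prompt, and without `set -e` a failed step (including the `expect` dialogue, whose prompt texts differ between MariaDB versions) is only visible in the echoed transcript.
```shell
# Resolve paths from the script location, not from the caller's cwd
set -o allexport
SCRIPT_DIR=$(dirname "$(realpath "${BASH_SOURCE[0]}")")
BARE_METAL_DIR=$(realpath "$SCRIPT_DIR/../bare_metal")
PROJECT_ROOT=$(realpath "$SCRIPT_DIR/../..")
set +o allexport

# … unchanged: comments on .env precedence …
set -o allexport
if [ -f "$SCRIPT_DIR/.env" ]; then
  source "$SCRIPT_DIR/.env"
else
  source "$BARE_METAL_DIR/.env.dist"
fi
set +o allexport
# … unchanged: git config, mysql_secure_installation via expect …
```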
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+
+#// Not required in actual script
+MYSQL_ROOT_PASSWORD=abcd1234
+
+SECURE_MYSQL=$(expect -c "
+
+set timeout 10
+spawn mysql_secure_installation
+
+expect \"Enter current password for root (enter for none):\"
+send \"$MYSQL\r\"
+
+expect \"Change the root password?\"
+send \"n\r\"
+
+expect \"Remove anonymous users?\"
+send \"y\r\"
+
+expect \"Disallow root login remotely?\"
+send \"y\r\"
+
+expect \"Remove test database and access to it?\"
+send \"y\r\"
+
+expect \"Reload privilege tables now?\"
+send \"y\r\"
+
+expect eof
+")
+
+echo "$SECURE_MYSQL"
diff --git a/nginx/gradido.conf b/nginx/gradido.conf
index 403a2766b..2279d1e4f 100644
--- a/nginx/gradido.conf
+++ b/nginx/gradido.conf
@@ -1,5 +1,5 @@
 server {
- server_name $NGINX_SERVER_NAME;
+ server_name _;
 listen 80;
 listen [::]:80;
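Review bot: `send \"$MYSQL\r\"` expands a variable the script never sets (the file defines `MYSQL_ROOT_PASSWORD`), so the password prompt is always answered with an empty string, and because the shell substitutes it straight into the expect program any `MYSQL` value inherited from the environment would be spliced into that program unescaped. The literal `MYSQL_ROOT_PASSWORD=abcd1234` should not be committed even as a sample; take it from the environment, e.g. `: "${MYSQL_ROOT_PASSWORD:?set in the environment, not in the script}"` and `send \"$MYSQL_ROOT_PASSWORD\r\"`. install.sh in this same commit carries a second copy of this dialogue (with the `unix_socket` prompt this one lacks), so either drop this file or have install.sh call it so only one version has to be kept in step with mysql_secure_installation.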