1 | <?php |
||
2 | /* (c) Anton Medvedev <[email protected]> |
||
3 | * |
||
4 | * For the full copyright and license information, please view the LICENSE |
||
5 | * file that was distributed with this source code. |
||
6 | */ |
||
7 | |||
8 | namespace Deployer; |
||
9 | |||
10 | use Deployer\Exception\GracefulShutdownException; |
||
11 | use function Deployer\Support\starts_with; |
||
12 | |||
// apt is driven non-interactively so package prompts cannot stall the provisioning run.
set('env', ['DEBIAN_FRONTEND' => 'noninteractive']);
// Placeholder only: provision:user:deployer hashes this value into the deployer account's
// login password, so it must be overridden before provisioning a real host.
set('sudo_password', 'TODO');
// Used to locate /etc/php/<version>/... and the php<version>-fpm service.
set('php_version', '7.4');
|
16 | |||
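desc('Provision server with nginx, php, php-fpm');
// Ordered list of sub-tasks executed by `dep provision`. provision:ssh was listed twice,
// which re-ran its sshd_config edits a second time; it now appears once.
// Note that provision:switch-user is not part of the list (its pre-task hook below is
// commented out), so these tasks run as whatever remote_user is configured.
task('provision', [
    'provision:check',
    'provision:upgrade',
    'provision:install',
    'provision:ssh',
    'provision:user:deployer',
    'provision:firewall',
    'provision:install:php',
    'provision:install:composer',
    'provision:config:php-cli',
    'provision:config:php-fpm',
    'provision:config:php-fpm:pool',
    'provision:config:php:sessions',
    'provision:nginx:dhparam',
    'provision:nginx',
]);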
||
35 | |||
desc('Ensure what provision run as root');
// Forces remote_user to root for subsequent commands; currently not wired to any hook.
task('provision:switch-user', function () {
    run('whoami');
    if (get('remote_user') === 'root') {
        return;
    }
    set('remote_user', 'root');
});
|
43 | |||
44 | //Deployer::get()->preTask->add('provision:*', 'provision:switch-user'); |
||
45 | |||
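desc('Check pre-required state');
// Aborts provisioning (GracefulShutdownException) unless php_version is 7.4 and the
// target reports itself as Ubuntu 20.04 in /etc/os-release.
task('provision:check', function () {
    $ok = true;
    if (get('php_version') !== '7.4') {
        $ok = false;
        warning("Only php 7.4 currently supported.");
    }

    // /etc/os-release is KEY=value (values optionally quoted), which parse_ini_string
    // accepts; it returns false on a malformed file, so fall back to an empty map rather
    // than destructuring false into nulls.
    $osRelease = parse_ini_string(run('cat /etc/os-release'));
    if (!is_array($osRelease)) {
        $osRelease = [];
    }
    $name = $osRelease['NAME'] ?? '';
    // VERSION_ID is the bare release number ("20.04"). VERSION also carries the point
    // release and codename ("20.04.1 LTS (Focal Fossa)"), so the former prefix match on
    // "20.04 LTS" rejected every point release of focal.
    $versionId = $osRelease['VERSION_ID'] ?? '';

    if ($name !== 'Ubuntu' || $versionId !== '20.04') {
        $ok = false;
        warning('Only Ubuntu 20.04 LTS supported for now.');
    }

    if (!$ok) {
        throw new GracefulShutdownException('Missing some pre-required state. Please check warnings.');
    }
});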
|
66 | |||
desc('Upgrade all packages');
// Refreshes the package index, then upgrades everything installed.
task('provision:upgrade', function () {
    $steps = [
        'apt-get update',
        'apt-get upgrade -y',
    ];
    foreach ($steps as $step) {
        run($step);
    }
});
|
72 | |||
desc('Install base packages');
// Installs the build tooling, nginx, fail2ban/ufw and helpers the later tasks rely on
// (whois provides mkpasswd, uuid-runtime provides uuidgen).
task('provision:install', function () {
    $basePackages = [
        'build-essential',
        'curl',
        'fail2ban',
        'gcc',
        'git',
        'libmcrypt4',
        'libpcre3-dev',
        'make',
        'ncdu',
        'nginx',
        'pkg-config',
        'sendmail',
        'ufw',
        'unzip',
        'uuid-runtime',
        'whois',
    ];
    $aptFlags = '-y --allow-downgrades --allow-remove-essential --allow-change-held-packages';
    run(sprintf('apt-get install %s %s', $aptFlags, implode(' ', $basePackages)));
});
|
95 | |||
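desc('Configure SSH');
// Disables password logins for sshd and makes sure root has an authorized_keys file.
// Idempotent: re-running no longer appends a fresh copy of the directive each time.
task('provision:ssh', function () {
    // Drop every PasswordAuthentication line, commented or not, before appending ours; the
    // previous pattern only removed "PasswordAuthentication yes", so each run added
    // another "PasswordAuthentication no" (plus blank lines) to the file.
    run('sed -i "/^#*PasswordAuthentication/d" /etc/ssh/sshd_config');
    // The task already edits sshd_config and restarts ssh without sudo, so root is
    // required regardless; the former `sudo tee` was redundant.
    run('echo "PasswordAuthentication no" >> /etc/ssh/sshd_config');
    // NOTE(review): Ubuntu 20.04's sshd_config starts with an Include of
    // sshd_config.d/*.conf and sshd keeps the first value it reads, so a drop-in that sets
    // PasswordAuthentication would override this appended line — confirm none does.
    run('ssh-keygen -A');
    // Validate the config before restarting so a typo cannot take sshd down.
    run('sshd -t');
    run('service ssh restart');
    // mkdir -p / touch are no-ops when the paths exist, so no existence test is needed;
    // sshd's StrictModes rejects key files that are readable by others.
    run('mkdir -p /root/.ssh');
    run('touch /root/.ssh/authorized_keys');
    run('chmod 700 /root/.ssh');
    run('chmod 600 /root/.ssh/authorized_keys');
});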
|
109 | |||
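desc('Setup deployer user');
// Creates the `deployer` account (shell, sudo group, ssh keys, www-data membership) and a
// narrowly scoped NOPASSWD rule for reloading php-fpm. Skipped when the user exists.
task('provision:user:deployer', function () {
    if (test('id deployer >/dev/null 2>&1')) {
        info('deployer user already exist');
        return;
    }

    // Never create a sudo-capable account with the placeholder from set('sudo_password').
    $sudoPassword = get('sudo_password');
    if (!is_string($sudoPassword) || $sudoPassword === '' || $sudoPassword === 'TODO') {
        throw new GracefulShutdownException('Set sudo_password to a real value before provisioning the deployer user.');
    }

    run('useradd deployer');
    run('mkdir -p /home/deployer/.ssh');
    run('mkdir -p /home/deployer/.deployer');
    run('adduser deployer sudo');

    run('chsh -s /bin/bash deployer');
    run('cp /root/.profile /home/deployer/.profile');
    run('cp /root/.bashrc /home/deployer/.bashrc');

    // Hash locally with crypt SHA-512 (the same "$6$" scheme `mkpasswd -m sha-512` emits)
    // so the plaintext never appears on a remote command line, and single-quote the hash:
    // unquoted, the shell expanded the "$6$…" it contains and usermod received garbage.
    $saltAlphabet = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
    $salt = '';
    for ($i = 0; $i < 16; $i++) {
        $salt .= $saltAlphabet[random_int(0, 63)];
    }
    $hash = crypt($sudoPassword, '$6$' . $salt . '$');
    run('usermod --password ' . escapeshellarg($hash) . ' deployer');

    // TODO: Copy current ssh-key.
    run('cp /root/.ssh/authorized_keys /home/deployer/.ssh/authorized_keys');

    run('ssh-keygen -f /home/deployer/.ssh/id_rsa -t rsa -N ""');

    run('chown -R deployer:deployer /home/deployer');
    run('chmod -R 755 /home/deployer');
    // Key material must be owner-only: sshd's StrictModes rejects group/world-readable
    // authorized_keys, and a private key is a regular file (600, not 700).
    run('chmod 700 /home/deployer/.ssh');
    run('chmod 600 /home/deployer/.ssh/authorized_keys');
    run('chmod 600 /home/deployer/.ssh/id_rsa');

    // The FPM service is named php<version>-fpm (see the restart in provision:nginx), so
    // the former "service php-fpm reload" rule never matched a real command.
    run('echo "deployer ALL=NOPASSWD: /usr/sbin/service php{{php_version}}-fpm reload" > /etc/sudoers.d/php-fpm');
    run('chmod 440 /etc/sudoers.d/php-fpm');
    // A syntax error in any sudoers.d file disables sudo entirely; fail here instead.
    run('visudo -cf /etc/sudoers.d/php-fpm');

    run('usermod -a -G www-data deployer');
    run('id deployer');
    run('groups deployer');
});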
|
144 | |||
desc('Setup firewall');
// Opens ssh, http and https, then enables ufw without the interactive confirmation.
task('provision:firewall', function () {
    foreach ([22, 80, 443] as $port) {
        run("ufw allow $port");
    }
    run('ufw --force enable');
});
|
152 | |||
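desc('Install PHP packages');
// Installs the distribution php-* metapackages (which resolve to 7.4 on Ubuntu 20.04,
// the release provision:check enforces).
task('provision:install:php', function () {
    $packages = [
        "php-bcmath",
        "php-cli",
        "php-curl",
        "php-dev",
        "php-fpm",
        "php-gd",
        "php-imap",
        "php-intl",
        "php-mbstring",
        "php-mysql",
        "php-pgsql",
        "php-readline",
        "php-soap",
        "php-sqlite3",
        "php-xml",
        "php-zip",
    ];
    // --force-yes is deprecated and also lets apt proceed with unauthenticated packages;
    // plain -y matches how provision:install invokes apt-get.
    run('apt-get install -y ' . implode(' ', $packages));
});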
|
176 | |||
177 | |||
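desc('Install Composer');
// Downloads the Composer installer, checks it against the SHA-384 Composer publishes,
// and only then runs it into /usr/local/bin/composer.
task('provision:install:composer', function () {
    // Piping the download straight into php executed whatever came back unverified.
    run('curl -sS https://getcomposer.org/installer -o /tmp/composer-setup.php');
    $expected = trim(run('curl -sS https://composer.github.io/installer.sig'));
    $actual = trim(run("sha384sum /tmp/composer-setup.php | cut -d ' ' -f 1"));
    if ($expected === '' || !hash_equals($expected, $actual)) {
        run('rm -f /tmp/composer-setup.php');
        throw new GracefulShutdownException('Composer installer checksum mismatch, refusing to install.');
    }
    run('php /tmp/composer-setup.php --install-dir=/usr/local/bin --filename=composer');
    run('rm -f /tmp/composer-setup.php');
});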
|
183 | |||
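desc('Configure PHP-CLI');
// Applies the CLI php.ini tweaks. Every other provision:* task runs sed on /etc without
// sudo (root is required for them anyway), so the stray `sudo` prefix was dropped here
// for consistency with provision:config:php-fpm.
task('provision:config:php-cli', function () {
    $ini = '/etc/php/{{php_version}}/cli/php.ini';
    $edits = [
        's/error_reporting = .*/error_reporting = E_ALL/',
        's/display_errors = .*/display_errors = On/',
        's/memory_limit = .*/memory_limit = 512M/',
        's/;date.timezone.*/date.timezone = UTC/',
    ];
    foreach ($edits as $expr) {
        run(sprintf('sed -i "%s" %s', $expr, $ini));
    }
});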
|
191 | |||
desc('Configure PHP-FPM');
// Applies the php-fpm php.ini tweaks via in-place sed edits.
task('provision:config:php-fpm', function () {
    $ini = '/etc/php/{{php_version}}/fpm/php.ini';
    // NOTE(review): display_errors = On makes php-fpm embed error details (paths, stack
    // context) in HTTP responses; on an internet-facing host Off plus log_errors is the
    // usual choice — confirm this is intended for provisioned servers.
    $edits = [
        's/error_reporting = .*/error_reporting = E_ALL/',
        's/display_errors = .*/display_errors = On/',
        // Keeps PHP from executing a file based on a path-info split of the request URI.
        's/;cgi.fix_pathinfo=1/cgi.fix_pathinfo=0/',
        's/memory_limit = .*/memory_limit = 512M/',
        's/;date.timezone.*/date.timezone = UTC/',
    ];
    foreach ($edits as $expr) {
        run(sprintf('sed -i "%s" %s', $expr, $ini));
    }
});
|
200 | |||
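desc('Configure FPM Pool');
// Runs the www pool as the deployer user and tightens the listening socket.
task('provision:config:php-fpm:pool', function () {
    $pool = '/etc/php/{{php_version}}/fpm/pool.d/www.conf';
    $edits = [
        's/^user = www-data/user = deployer/',
        's/^group = www-data/group = deployer/',
        's/;listen\.owner.*/listen.owner = deployer/',
        's/;listen\.group.*/listen.group = deployer/',
        // nginx is switched to run as deployer in provision:nginx and the socket is owned
        // deployer:deployer, so owner/group rw suffices; 0666 let any local account hand
        // FastCGI requests to the pool.
        's/;listen\.mode.*/listen.mode = 0660/',
        's/;request_terminate_timeout.*/request_terminate_timeout = 60/',
    ];
    foreach ($edits as $expr) {
        run(sprintf('sed -i "%s" %s', $expr, $pool));
    }
});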
|
210 | |||
desc('Configure php sessions directory');
// Makes the session directory writable by every user while the sticky bit keeps each
// user from deleting others' session files.
task('provision:config:php:sessions', function () {
    $sessionDir = '/var/lib/php/sessions';
    foreach (['733', '+t'] as $mode) {
        run("chmod $mode $sessionDir");
    }
});
|
216 | |||
desc('Generating DH (Diffie Hellman) key');
// Generates /etc/nginx/dhparams.pem once; subsequent runs leave an existing file alone.
task('provision:nginx:dhparam', function () {
    $dhparams = '/etc/nginx/dhparams.pem';
    if (test("[ -f $dhparams ]")) {
        info("$dhparams already exist");
        return;
    }
    info('Generating DH key, 2048 bit long safe prime');
    info('This is going to take a long time');
    // openssl's progress output goes to stderr, which is discarded here.
    run("openssl dhparam -out $dhparams 2048 2>/dev/null");
});
|
227 | |||
desc('Install nginx & php-fpm');
// Enables nginx, rewrites nginx.conf to run as deployer with gzip, installs a catch-all
// default vhost that answers 404, and restarts nginx and php-fpm.
task('provision:nginx', function () {
    run('systemctl enable nginx.service');

    $nginxConf = '/etc/nginx/nginx.conf';
    $edits = [
        's/user www-data;/user deployer;/',
        's/worker_processes.*/worker_processes auto;/',
        's/# multi_accept.*/multi_accept on;/',
        's/# server_names_hash_bucket_size.*/server_names_hash_bucket_size 128;/',
    ];
    foreach ($edits as $expr) {
        run(sprintf('sed -i "%s" %s', $expr, $nginxConf));
    }

    run('cat > /etc/nginx/conf.d/gzip.conf << EOF
gzip_vary on;
gzip_proxied any;
gzip_comp_level 5;
gzip_min_length 256;

gzip_types application/atom+xml application/javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/plain text/x-component;
EOF');

    // Requests for hostnames no site claims get a bare 404 instead of the first vhost.
    run('cat > /etc/nginx/sites-available/default << EOF
server {
    return 404;
}
EOF');
    run('ln -sf /etc/nginx/sites-available/default /etc/nginx/sites-enabled/default');

    foreach (['nginx', 'php{{php_version}}-fpm'] as $service) {
        run("service $service restart");
    }
});