daily

debian-setup.sh

@@ -115,9 +115,6 @@ fi
 # Remove ClamAV data
 rm -rf /var/lib/clamav /var/log/clamav || true
 
-# Only clean up OS image
-#exit 0
-
 # Packages used on top of SETUP_PACKAGES
 apt-get install -qq ssh sudo apt-transport-https virt-what python-yaml
 # Install SHYAML (config reader)

debian-setup/adduser

@@ -30,7 +30,7 @@ if [ -z "$(getent passwd "$U")" ]; then
     # sensible-utils
     echo 'SELECTED_EDITOR="/usr/bin/mcedit"' > "${HOME_DIR}/.selected_editor"
 
-    # TODO /etc/skel/.profile
+    # @TODO /etc/skel/.profile
 fi
 
 # Disable root password
@@ -155,6 +155,16 @@ man() {
         LESS_TERMCAP_me="$(tput sgr0)" \
         man "$@"
 }
+
+# Take a look at the plugin changelog
+wp_changelog() {
+    local PLUGIN="$1"
+
+    wget -qO- "http://api.wordpress.org/plugins/info/1.0/${PLUGIN}" \
+        | php -r '$i=unserialize(stream_get_contents(STDIN)); echo $i->sections["changelog"];' \
+        | w3m -T text/html
+#        | elinks -force-html
+}
 EOF
 
 # Add mc syntax highlights

debian-setup/ca-certificates

@@ -1,11 +1,12 @@
 #!/bin/bash
 
-# Review changelog of ca-certificates!
+# Review changelog of ca-certificates
 #     http://metadata.ftp-master.debian.org/changelogs/main/c/ca-certificates/testing_changelog
 
 set -e -x
 
 # Update ca-certificates
+# https://tracker.debian.org/pkg/ca-certificates
 if [ "$(Data get-value package.ca-certificates.install-testing)" == "True" ]; then
     Getpkg ca-certificates testing
 fi

debian-setup/cloud-init

@@ -4,6 +4,7 @@ set -e -x
 
 if ! [ -s /var/lib/cloud/data/instance-id ]; then
     apt-get purge -qq cloud-init cloud-initramfs-growroot
+    return 0
 fi
 
 # @TODO

debian-setup/mariadb-server

@@ -3,7 +3,9 @@
 set -e -x
 
 apt-get install -y mariadb-server-10.0 mariadb-client-10.0 percona-xtrabackup
+
 # Steal root password
+# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=815599
 MYSQL_PASSWORD="$(echo "GET mysql-server/root_password_again" | debconf-communicate mariadb-server-10.0 | cut -d " " -f 2-)"
 #MYSQL_PASSWORD="$(Data get-value package.mariadb-server.root-pwd)"
 # Remove password from debconf

debian-setup/systemd

@@ -8,13 +8,16 @@ if [ "$WITHOUT_SYSTEMD" == "yes" ]; then
     if [ "$(dpkg-query --showformat="\${Status}" --show systemd 2> /dev/null)" == "install ok installed" ]; then
         apt-get install -y sysvinit-core sysvinit-utils bootlogd
         cp /usr/share/sysvinit/inittab /etc/inittab
+        # Consider /sbin/agetty
+        #sed -i -e 's|:/sbin/getty |:/sbin/agetty |' /etc/inittab
         # Disable terminals 2-6
-        # @TODO Consider /sbin/agetty
         sed -i -e '/^\([2-6]\):23:respawn:\/sbin\/getty 38400 tty\1$/d' /etc/inittab
         echo -e 'Package: *systemd*\nPin: origin ""\nPin-Priority: -1' > /etc/apt/preferences.d/systemd
         # Schedule removal of systemd
-        echo "PATH=/usr/sbin:/usr/bin:/sbin:/bin
-@reboot root apt-get purge -qq --auto-remove systemd > /dev/null;rm -f /etc/cron.d/withoutsystemd" > /etc/cron.d/withoutsystemd
+        {
+            echo "PATH=/usr/sbin:/usr/bin:/sbin:/bin"
+            echo "@reboot root apt-get purge -qq --auto-remove systemd > /dev/null;rm -f /etc/cron.d/withoutsystemd"
+        } > /etc/cron.d/withoutsystemd
 
         set +x
         echo
@@ -23,7 +26,7 @@ if [ "$WITHOUT_SYSTEMD" == "yes" ]; then
     fi
 elif [ "$(dpkg-query --showformat="\${Status}" --show sysvinit-core 2> /dev/null)" == "install ok installed" ]; then
     # Remove SysVinit
-    apt-get purge -qq sysvinit-core
-    # Time synchronization
+    apt-get purge -qq --auto-remove sysvinit-core
+    # Enable time synchronization by systemd
     timedatectl set-ntp 1
 fi

monitoring/syslog-errors-infrequent.sh

@@ -2,7 +2,7 @@
 #
 # Send interesting parts of syslog from the last 3 hours. Simple logcheck.
 #
-# VERSION       :0.8.5
+# VERSION       :0.8.6
 # DATE          :2016-04-20
 # AUTHOR        :Viktor Szépe <viktor@szepe.net>
 # LICENSE       :The MIT License (MIT)
@@ -26,9 +26,9 @@ Failures() {
     | Failures \
     | grep -E -v "error@|spamd\[[0-9]+\]: spamd:|courierd: SHUTDOWN: respawnlo limit reached, system inactive\.\$" \
     | grep -E -v "courieresmtpd: error,relay=.*: 451 4\.7\.1 Please try another MX\$" \
+    | grep -E -v "rngd\[[0-9]+\]: stats: FIPS 140-2 failures: [0-9]+\$" \
     | grep -E -v "couriertls: (accept|connect): error:[0-9A-F]+:SSL routines:SSL2?3_GET_(CLIENT_HELLO|RECORD):(unknown protocol|unsupported protocol|wrong version number)\$" \
     #| grep -E -v "couriertls: (accept|connect): error:[0-9A-F]+:SSL routines:SSL2?3_GET_(CLIENT_HELLO|RECORD):(no shared cipher|unknown protocol|unsupported protocol|wrong version number)\$" \
-    #| grep -E -v "rngd\[[0-9]+\]: stats: FIPS 140-2 failures: [0-9]+\$" \
     #| grep -E -v ": 554 Mail rejected|: 535 Authentication failed|>: 451\b" \
     #| grep -E -v "mysqld: .* Unsafe statement written to the binary log .* Statement:" \
     #| grep -F -v "/usr/bin/php -d error_reporting=22517 -d disable_functions=error_reporting" \

monitoring/syslog-errors.sh

@@ -2,7 +2,7 @@
 #
 # Send interesting parts of syslog from the last hour. Simple logcheck.
 #
-# VERSION       :0.8.5
+# VERSION       :0.8.6
 # DATE          :2016-04-20
 # AUTHOR        :Viktor Szépe <viktor@szepe.net>
 # LICENSE       :The MIT License (MIT)
@@ -26,9 +26,9 @@ Failures() {
     | Failures \
     | grep -E -v "error@|spamd\[[0-9]+\]: spamd:|courierd: SHUTDOWN: respawnlo limit reached, system inactive\.\$" \
     | grep -E -v "courieresmtpd: error,relay=.*: 451 4\.7\.1 Please try another MX\$" \
+    | grep -E -v "rngd\[[0-9]+\]: stats: FIPS 140-2 failures: [0-9]+\$" \
     | grep -E -v "couriertls: (accept|connect): error:[0-9A-F]+:SSL routines:SSL2?3_GET_(CLIENT_HELLO|RECORD):(unknown protocol|unsupported protocol|wrong version number)\$" \
     #| grep -E -v "couriertls: (accept|connect): error:[0-9A-F]+:SSL routines:SSL2?3_GET_(CLIENT_HELLO|RECORD):(no shared cipher|unknown protocol|unsupported protocol|wrong version number)\$" \
-    #| grep -E -v "rngd\[[0-9]+\]: stats: FIPS 140-2 failures: [0-9]+\$" \
     #| grep -E -v ": 554 Mail rejected|: 535 Authentication failed|>: 451\b" \
     #| grep -E -v "mysqld: .* Unsafe statement written to the binary log .* Statement:" \
     #| grep -F -v "/usr/bin/php -d error_reporting=22517 -d disable_functions=error_reporting" \

upcloud-init.sh

@@ -3,6 +3,7 @@
 # Prepare UpCloud server with docker and pip.
 #
 # Initialization script: https://github.com/szepeviktor/debian-server-tools/raw/master/upcloud-init.sh
+# Follow log: tail -f /var/log/upcloud_userdata.log
 
 # http://deb.debian.org/debian/pool/contrib/g/geoip-database-contrib/
 GEOIP_VERSION="1.19"

upcloud-os-image-cleanup.sh

@@ -0,0 +1,12 @@
+echo 'Dpkg::Use-Pty "0";' > /etc/apt/apt.conf.d/00usepty
+
+[ -d /tmp ] && cd /tmp/
+
+wget -nv -O- https://github.com/szepeviktor/debian-server-tools/archive/master.tar.gz|tar xz
+cd debian-server-tools-master/
+# Will error out at debian-setup/hostname
+./debian-setup.sh
+
+rm -f /etc/apt/apt.conf.d/00usepty
+
+echo "OK."

virtualization/jessie-backport/README.md

@@ -14,20 +14,33 @@ Executes a shell script that builds a Debian package in the mounted Docker volum
 
 See hooks documented in the Bash script.
 
-Example hook usage in `docker-backport-munin.sh`
-
 Packages dependencies should be placed in the mounted volume, by default `/opt/results`
 
+#### Hook example
+
+Download a tar.gz file of a Debian package.
+
+Enter the URL in `--env PACKAGE="$URL"`
+
+`/opt/results/debackport-source`
+
+```bash
+wget -qO- "$PACKAGE" | tar -xz
+# We hope it contains one directory
+cd *
+CHANGELOG_MSG="Built from tar: ${PACKAGE}"
+```
+
 ### Backport Apache httpd
 
 - openssl/jessie-backports
-- spdylay
-- nghttp2
-- apr-util
-- apache2
+- spdylay/testing
+- nghttp2/testing
+- apr-util/testing
+- apache2/testing
 
 ### Backport Courier MTA
 
-- courier-unicode
-- courier-authlib
-- courier
+- courier-unicode/testing
+- courier-authlib/testing
+- courier/testing

webserver/Production-website.md

@@ -38,26 +38,23 @@ OCSP performance: http://uptime.netcraft.com/perf/reports/performance/OCSP
 
 ### WordPress core, theme from git
 
+**Use child theme**
+
 `git clone --recursive ssh://user@server:port/path/to/git`
 
 1. Set up database connection in `wp-config.php`
 1. Define contants, generate salts based on [wp-config.php skeleton](./wp-config.php)
 1. Edit `../wp-cli.yml`
 
-### Install plugins
-
-```bash
-wp plugin install --activate classic-smilies
-wp plugin install --activate wordpress-seo w3-total-cache contact-form-7
-```
+### Plugins
 
-Disable comments? `mu-disable-comments`
+See [WordPress.md](./WordPress.md#plugins)
 
 Allow accents in URL-s? `mu-latin-accent-urls`
 
 MU plugins: https://github.com/szepeviktor/wordpress-plugin-construction
 
-### Create root files
+### Root files
 
 - robots.txt
 - favicon.ico
@@ -69,7 +66,7 @@ MU plugins: https://github.com/szepeviktor/wordpress-plugin-construction
 
 Static maintenance page
 
-### Set up CDN
+### CDN
 
 - Consider multiple A records `host -t A cdn.example.com`
 - [Revving filenames](http://www.stevesouders.com/blog/2008/08/23/revving-filenames-dont-use-querystring/)
@@ -79,7 +76,7 @@ Static maintenance page
 - https://aws.amazon.com/console/
 - https://www.cloudflare.com/a/login see also [/webserver/CloudFlare.md](/webserver/CloudFlare.md)
 
-### Set up mail sending
+### Mail sending
 
 ```bash
 wp plugin install --activate wp-mailfrom-ii smtp-uri
@@ -116,7 +113,7 @@ Mandrill API for WordPress: https://github.com/danielbachhuber/mandrill-wp-mail
 - Maximum security: convert website into static HTML files + [formspree](https://formspree.io/)
 - Subresource Integrity (SRI) `integrity="sha256-$(cat resource.js|openssl dgst -sha256 -binary|openssl enc -base64)" crossorigin="anonymous"`
 
-### Set up cron jobs
+### Cron jobs
 
 Remove left-over WP-Cron events.
 
@@ -126,7 +123,7 @@ Use real cron job.
 
 `wp-cron-cli.sh`
 
-### Settings
+### WordPress Settings
 
 - General Settings
 - Writing Settings
@@ -362,7 +359,7 @@ Send to Analytics, report to `/js-error.php`
 ### SEO
 
 - `blog_public` and robots.txt
-- XML sitemap
+- XML sitemaps (linked from robots.txt)
 - Page title (blue in SERP)
 - Permalink structure and slug optimization (green in SERP)
 - Page meta description (grey in SERP)

webserver/WordPress.md

@@ -91,6 +91,10 @@ wp theme delete twentyfifteen
 wp theme delete twentyfourteen
 ```
 
+### Use child theme
+
+Premade themes can be updated using a child theme.
+
 ### Redis object cache
 
 [Free 30 MB Redis instance by redislab](https://redislabs.com/redis-cloud)