daily

debian-setup2.sh

@@ -289,7 +289,7 @@ find /etc/ -type f -iname "*old" -or -iname "*dist"
 history -c
 
 # @TODO Automate
-echo "hosts, users, server backup, monitoring"
+echo "hosts, users, server backup, monit/apache+php, monitoring"
 echo "https://github.com/szepeviktor/debian-server-tools/blob/master/monitoring/README.md"
 
 echo "OK. (exit from script command now)"

mail/courier-check/courier-check-esmtpd-msa-satellite

@@ -0,0 +1,30 @@
+# Local 587/tcp, disabled
+COURIER_ESMTPD_MSA_DEFAULTS='
+ESMTPDSTART=NO
+MAILUSER=${COURIER_USER}
+MAILGROUP=${COURIER_USER}
+TCPDOPTS="-stderrlogger=/usr/sbin/courierlogger -noidentlookup -nodnslookup"
+ADDRESS=0
+TLS_CERTFILE=/etc/courier/esmtpd.pem
+TLS_DHPARAMS=/etc/courier/dhparams.pem
+TLS_TRUSTCERTS=/etc/ssl/certs
+TLS_CACHEFILE=/var/lib/courier/couriersslcache-smtp
+TLS_CACHESIZE=524288
+TLS_PRIORITY="NONE:+CHACHA20-POLY1305:+AES-128-GCM:+AES-256-GCM:+AES-128-CBC:+AES-256-CBC:+ECDHE-ECDSA:+ECDHE-RSA:+SHA256:+SHA384:+AEAD:+COMP-NULL:+VERS-TLS1.2:+SIGN-ALL:+CURVE-SECP384R1:+CTYPE-X509"
+TLS_VERIFYPEER=NONE
+ESMTP_LOG_DIALOG=0
+AUTH_REQUIRED=0
+ESMTPAUTH=""
+ESMTPAUTH_TLS=""
+MAXDAEMONS=40
+MAXPERC=5
+MAXPERIP=5
+NOADDMSGID=0
+NOADDDATE=0
+NOADDRREWRITE=2
+BOFHCHECKDNS=1
+BOFHNOEXPN=1
+BOFHNOVRFY=1
+TARPIT=1
+BLACKLISTS=""
+'

mail/courier-check/courier-check-esmtpd-satellite

@@ -0,0 +1,30 @@
+# Local 25/tcp, STARTTLS, SSL Modern, no ESMTPAUTH
+COURIER_ESMTPD_DEFAULTS='
+ESMTPDSTART=YES
+MAILUSER=${COURIER_USER}
+MAILGROUP=${COURIER_USER}
+TCPDOPTS="-stderrlogger=/usr/sbin/courierlogger -noidentlookup -nodnslookup"
+ADDRESS=127.0.0.1
+TLS_CERTFILE=/etc/courier/esmtpd.pem
+TLS_DHPARAMS=/etc/courier/dhparams.pem
+TLS_TRUSTCERTS=/etc/ssl/certs
+TLS_CACHEFILE=/var/lib/courier/couriersslcache-smtp
+TLS_CACHESIZE=524288
+TLS_PRIORITY="NONE:+CHACHA20-POLY1305:+AES-128-GCM:+AES-256-GCM:+AES-128-CBC:+AES-256-CBC:+ECDHE-ECDSA:+ECDHE-RSA:+SHA256:+SHA384:+AEAD:+COMP-NULL:+VERS-TLS1.2:+SIGN-ALL:+CURVE-SECP384R1:+CTYPE-X509"
+TLS_VERIFYPEER=NONE
+ESMTP_LOG_DIALOG=0
+AUTH_REQUIRED=0
+ESMTPAUTH=""
+ESMTPAUTH_TLS=""
+MAXDAEMONS=40
+MAXPERC=5
+MAXPERIP=5
+NOADDMSGID=1
+NOADDDATE=1
+NOADDRREWRITE=2
+BOFHCHECKDNS=1
+BOFHNOEXPN=1
+BOFHNOVRFY=1
+TARPIT=1
+BLACKLISTS=""
+'

mail/courier-check/courier-check-esmtpd-ssl-satellite

@@ -0,0 +1,28 @@
+# Local 465/tcp, disabled
+COURIER_ESMTPD_SSL_DEFAULTS='
+ESMTPDSSLSTART=NO
+TCPDOPTS="-stderrlogger=/usr/sbin/courierlogger -noidentlookup -nodnslookup"
+SSLADDRESS=0
+TLS_CERTFILE=/etc/courier/esmtpd.pem
+TLS_DHPARAMS=/etc/courier/dhparams.pem
+TLS_TRUSTCERTS=/etc/ssl/certs
+TLS_CACHEFILE=/var/lib/courier/couriersslcache-smtp
+TLS_CACHESIZE=524288
+TLS_PRIORITY="NONE:+CHACHA20-POLY1305:+AES-128-GCM:+AES-256-GCM:+AES-128-CBC:+AES-256-CBC:+ECDHE-ECDSA:+ECDHE-RSA:+SHA256:+SHA384:+AEAD:+COMP-NULL:+VERS-TLS1.2:+SIGN-ALL:+CURVE-SECP384R1:+CTYPE-X509"
+TLS_VERIFYPEER=NONE
+ESMTP_LOG_DIALOG=0
+AUTH_REQUIRED=0
+ESMTPAUTH=""
+ESMTPAUTH_TLS=""
+MAXDAEMONS=40
+MAXPERC=5
+MAXPERIP=5
+NOADDMSGID=1
+NOADDDATE=1
+NOADDRREWRITE=0
+BOFHCHECKDNS=1
+BOFHNOEXPN=0
+BOFHNOVRFY=0
+TARPIT=1
+BLACKLISTS=""
+'

mail/courier-check/courier-check.sh

@@ -2,21 +2,14 @@
 #
 # Check Courier MTA configuration.
 #
-# VERSION       :0.1.1
+# VERSION       :0.2.0
 # DATE          :2017-08-10
 # URL           :https://github.com/szepeviktor/debian-server-tools
 # AUTHOR        :Viktor Szépe <viktor@szepe.net>
 # LICENSE       :The MIT License (MIT)
 # BASH-VERSION  :4.2+
 # DOCS          :url
-# CONFIG        :courier-check-authdaemonrc
-# CONFIG        :courier-check-courierd-public
-# CONFIG        :courier-check-courierd-satellite
-# CONFIG        :courier-check-esmtpd-msa-public
-# CONFIG        :courier-check-esmtpd-msa-satellite
-# CONFIG        :courier-check-esmtpd-public
-# CONFIG        :courier-check-esmtpd-satellite
-# CONFIG        :courier-check-esmtpd-ssl-public
+# CONFIG        :courier-check-*
 
 COURIER_USER="courier"
 
@@ -27,7 +20,7 @@ Check_user() {
 }
 
 Check_config_perms() {
-    # Changes to these take effect immediately
+    # Changes to these files take effect immediately
     sudo -u "$COURIER_USER" -- test -r /etc/courier/esmtpauthclient
     sudo -u "$COURIER_USER" -- test -r /etc/courier/esmtproutes
     sudo -u "$COURIER_USER" -- test -r /etc/courier/esmtpd.pem
@@ -73,6 +66,7 @@ source courier-check-imapd-ssl-public
 #source courier-check-courierd-satellite
 #source courier-check-esmtpd-satellite
 #source courier-check-esmtpd-msa-satellite
+#source courier-check-esmtpd-ssl-satellite
 
 Check_user
 Check_config_perms

mail/courier-check/openssl/courier-check-esmtpd-msa-public

@@ -8,7 +8,7 @@ ADDRESS=0
 TLS_CERTFILE=/etc/courier/esmtpd.pem
 TLS_DHPARAMS=/etc/courier/dhparams.pem
 TLS_TRUSTCERTS=/etc/ssl/certs
-TLS_CACHEFILE=/var/lib/courier/couriersslcache
+TLS_CACHEFILE=/var/lib/courier/couriersslcache-smtp
 TLS_CACHESIZE=524288
 TLS_COMPRESSION=NULL
 TLS_PROTOCOL="TLSv1.2"

mail/courier-check/openssl/courier-check-esmtpd-msa-satellite

@@ -8,7 +8,7 @@ ADDRESS=0
 TLS_CERTFILE=/etc/courier/esmtpd.pem
 TLS_DHPARAMS=/etc/courier/dhparams.pem
 TLS_TRUSTCERTS=/etc/ssl/certs
-TLS_CACHEFILE=/var/lib/courier/couriersslcache
+TLS_CACHEFILE=/var/lib/courier/couriersslcache-smtp
 TLS_CACHESIZE=524288
 TLS_COMPRESSION=NULL
 TLS_PROTOCOL="TLSv1.2"

mail/courier-check/openssl/courier-check-esmtpd-public

@@ -8,7 +8,7 @@ ADDRESS=0
 TLS_CERTFILE=/etc/courier/esmtpd.pem
 TLS_DHPARAMS=/etc/courier/dhparams.pem
 TLS_TRUSTCERTS=/etc/ssl/certs
-TLS_CACHEFILE=/var/lib/courier/couriersslcache
+TLS_CACHEFILE=/var/lib/courier/couriersslcache-smtp
 TLS_CACHESIZE=524288
 TLS_COMPRESSION=NULL
 TLS_PROTOCOL="TLSv1.2:TLSv1.1:TLS1"

mail/courier-check/openssl/courier-check-esmtpd-satellite

@@ -8,7 +8,7 @@ ADDRESS=127.0.0.1
 TLS_CERTFILE=/etc/courier/esmtpd.pem
 TLS_DHPARAMS=/etc/courier/dhparams.pem
 TLS_TRUSTCERTS=/etc/ssl/certs
-TLS_CACHEFILE=/var/lib/courier/couriersslcache
+TLS_CACHEFILE=/var/lib/courier/couriersslcache-smtp
 TLS_CACHESIZE=524288
 TLS_COMPRESSION=NULL
 TLS_PROTOCOL="TLSv1.2"

mail/courier-check/openssl/courier-check-esmtpd-ssl-public

@@ -6,7 +6,7 @@ SSLADDRESS=0
 TLS_CERTFILE=/etc/courier/esmtpd.pem
 TLS_DHPARAMS=/etc/courier/dhparams.pem
 TLS_TRUSTCERTS=/etc/ssl/certs
-TLS_CACHEFILE=/var/lib/courier/couriersslcache
+TLS_CACHEFILE=/var/lib/courier/couriersslcache-smtp
 TLS_CACHESIZE=524288
 TLS_COMPRESSION=NULL
 TLS_PROTOCOL="TLSv1.2"

mail/courier-config/esmtpd

@@ -285,6 +285,7 @@ MAILGROUP=courier
 #
 #  Address to listen on, can be set to a single IP address.
 #
+
 ADDRESS=127.0.0.1
 
 ##NAME: PORT:1

mail/courier-mta-satellite-system.sh

@@ -14,6 +14,7 @@
 
 set -e -x
 
+# shellcheck disable=SC1091
 . debian-setup-functions
 
 #################### 'smarthost' configuration ####################
@@ -83,7 +84,9 @@ Courier_config esmtproutes /etc/courier/esmtproutes
 #     szepe.net: mail.szepe.net,25 /SECURITY=REQUIRED
 #     : email-smtp.eu-west-1.amazonaws.com,587 /SECURITY=REQUIRED
 #     : smtp.sparkpostmail.com,587 /SECURITY=REQUIRED
-#     : smtp-relay.gmail.com,587 /SECURITY=REQUIRED
+#     : smtp.gmail.com,587 /SECURITY=REQUIRED
+# FIXME Set proper owner and group
+chown courier:root /etc/courier/esmtpauthclient
 # Credentials for smarthosts
 echo "#SMART-HOST,587 USER-NAME PASSWORD" > /etc/courier/esmtpauthclient
 #     #SMART-HOST,587 USER-NAME PASSWORD

mail/courier-restart.sh

@@ -2,7 +2,7 @@
 #
 # Rebuild Courier .dat databases and restart Courier MTA.
 #
-# VERSION       :0.4.1
+# VERSION       :0.4.2
 # DATE          :2016-08-11
 # AUTHOR        :Viktor Szépe <viktor@szepe.net>
 # LICENSE       :The MIT License (MIT)
@@ -55,8 +55,7 @@ if [ -f /run/courier/courierfilter.pid ]; then
 fi
 
 # Restart courier-mta-ssl also
-#if [ "$(dpkg-query --showformat='${Status}' --show courier-mta-ssl 2> /dev/null)" == "install ok installed" ]; then
-if [ -f /etc/courier/esmtpd-ssl ]; then
+if [ -f /etc/courier/esmtpd-ssl ] && grep -qFxi 'ESMTPDSSLSTART=YES' /etc/courier/esmtpd-ssl; then
     service courier-mta-ssl restart || Error $? "courier-mta-ssl restart"
 fi
 service courier-mta restart || Error $? "courier-mta restart"

mysql/alter-table.sql

@@ -1,7 +1,8 @@
 -- Alter table engine
 --
--- Source: http://georgepavlides.info/?p=628
--- Usage: mysql -N DATABASE-NAME < alter-table.sql | mysql
+-- Usage:  mysql -N DATABASE-NAME < alter-table.sql | mysql
+--
+-- Source:  http://georgepavlides.info/?p=628
 
 
 -- To Aria

security/cert-update.sh

@@ -114,8 +114,8 @@ Apache2() {
 }
 
 Courier_mta() {
-    COURIER_USER="daemon"
-    #COURIER_USER="courier"
+    #COURIER_USER="daemon"
+    COURIER_USER="courier"
 
     [ -z "$COURIER_COMBINED" ] && return 1
     [ -z "$COURIER_DHPARAMS" ] && return 1

webserver/WordPress.md

@@ -41,7 +41,7 @@ DOCROOT/─┬─index.php (modified)
          └─wp-content/
 ```
 
-`CORE` may be the abbreviation of the project.
+The value of `CORE` may be the abbreviation of the project.
 
 `wp-content` can be renamed.
 
@@ -172,7 +172,7 @@ wp plugin install custom-sucuri sucuri-scanner --activate
 # Installation: https://github.com/szepeviktor/wordpress-plugin-construction/tree/master/mu-nofollow-robot-trap
 wget -P wp-content/mu-plugins/ ${WPSZV}/mu-nofollow-robot-trap/nofollow-robot-trap.php
 # CF7 Robot Trap
-wget -P wp-content/plugins/ ${WPSZV}/contact-form-7-robot-trap/cf7-robot_trap.php
+wget -P wp-content/plugins/ ${WPSZV}/contact-form-7-robot-trap/cf7-robot-trap.php
 # obfuscate-email
 #wp plugin install obfuscate-email --activate
 ```
@@ -189,7 +189,7 @@ wp plugin install prevent-concurrent-logins --activate
 # mu-disallow-weak-passwords
 wget -P wp-content/mu-plugins/ ${WPSZV}/mu-disallow-weak-passwords/disallow-weak-passwords.php
 
-# mu-banned-email-addresses
+# user registration: mu-banned-email-addresses
 wget -P wp-content/mu-plugins/ ${WPSZV}/mu-banned-email-addresses/banned-email-addresses.php
 
 # media
@@ -233,7 +233,7 @@ wp transient delete-all
 # WARNING! APCu is not available from CLI by default during WP-Cron/WP-CLI
 #wget -P wp-content/ https://github.com/l3rady/WordPress-APCu-Object-Cache/raw/master/object-cache.php
 #wp transient delete-all
-# Worse plugin: wp plugin install apcu
+# Not-so-good plugin: wp plugin install apcu
 
 # FOCUS Cache - FILE-based object cache
 #wp plugin install focus-object-cache
@@ -264,8 +264,7 @@ wp plugin install resource-versioning --activate
 wp plugin install tiny-cdn --activate
 
 # CDN, Page Cache, Minify
-#wp plugin install w3-total-cache --activate
-#wp plugin install https://github.com/szepeviktor/w3-total-cache-fixed/releases/download/0.9.5.4.2/w3-total-cache-fixed-for-v0.9.5.x-users.zip --activate
+#wp plugin install https://github.com/szepeviktor/w3-total-cache-fixed/releases/download/0.9.5.4.3/w3-total-cache-fixed-for-v0.9.5.x-users.zip --activate
 
 # minit
 wp plugin install https://github.com/kasparsd/minit/archive/master.zip
@@ -291,7 +290,7 @@ Set up CDN.
 
 MU Plugin Template
 
-`custom-PROJECT.php`
+`custom-PROJECT-NAME.php`
 
 ```php
 <?php
@@ -304,7 +303,7 @@ Author: Viktor Szépe
 */
 ```
 
-See /website/wordpress/ directory.
+See /website/wordpress/ directory for its content.
 
 ### On deploy and Staging->Production migration
 

webserver/add-site.sh

@@ -48,11 +48,13 @@ cd /home/${U}/website/html/
 
 # Migrate files NOW!
 #
+# See /webserver/WordPress.md
+#
 # HTML-ize WordPress
 #     https://gist.github.com/szepeviktor/4535c5f20572b77f1f52
 
 # Repair permissions, line ends
-find -type f "(" -name ".htaccess" -o -name "*.php" -o -name "*.js" -o -name "*.css" ")" -exec dos2unix --keepdate "{}" ";"
+#find -type f "(" -name ".htaccess" -o -name "*.php" -o -name "*.js" -o -name "*.css" ")" -exec dos2unix --keepdate "{}" ";"
 find -type f -not -perm 644; find -type d -not -perm 755
 find -type f -exec chmod --changes 0644 "{}" ";"
 find -mindepth 1 -type d -exec chmod --changes 0755 "{}" ";"

webserver/apache-sites-available/Skeleton-site-ssl.conf

@@ -5,7 +5,7 @@
     Define SITE_USER @@SITE_USER@@
     Define DOCUMENT_ROOT "/home/${SITE_USER}/website/html"
     Define WORDPRESS_ROOT_URL "/site/"
-    Define WORDPRESS_UPLOADS_URL "/static/uploads/"
+    Define WORDPRESS_UPLOADS_URL "/wp-content/uploads/"
 
     ServerName ${SITE_DOMAIN}
     ServerAlias www.${SITE_DOMAIN}
@@ -199,7 +199,7 @@
 
     RewriteEngine on
     RewriteRule "^" "https://${SITE_DOMAIN}%{REQUEST_URI}" [R=permanent,L]
-    #RewriteRule "^" "https://$www.{SITE_DOMAIN}%{REQUEST_URI}" [R=permanent,L]
+    #RewriteRule "^" "https://www.${SITE_DOMAIN}%{REQUEST_URI}" [R=permanent,L]
 
     # Log 404-s
     LogLevel info

webserver/apache-sites-available/Skeleton-site.conf

@@ -4,7 +4,7 @@
     Define SITE_USER @@SITE_USER@@
     Define DOCUMENT_ROOT "/home/${SITE_USER}/website/html"
     Define WORDPRESS_ROOT_URL "/site/"
-    Define WORDPRESS_UPLOADS_URL "/static/uploads/"
+    Define WORDPRESS_UPLOADS_URL "/wp-content/uploads/"
 
     ServerName ${SITE_DOMAIN}
     ServerAlias www.${SITE_DOMAIN}

webserver/wp-config.php

@@ -52,8 +52,8 @@
 
 // "wp-content" location
 // EDIT wp-content directory
-define( 'WP_CONTENT_DIR', '/HOME/WP-ROOT-DIR/static' );
-define( 'WP_CONTENT_URL', 'http://DOMAIN.URL/static' );
+define( 'WP_CONTENT_DIR', '/HOME/USER/SITE/DOC-ROOT/wp-content' );
+define( 'WP_CONTENT_URL', 'https://DOMAIN.TLD/wp-content' );
 
 // Moving to subdirs
 //     siteurl += /site
@@ -95,6 +95,9 @@
 //define( 'WP_APCU_KEY_SALT', 'SITE-SHORT_' );
 //define( 'MEMCACHED_SERVERS', '127.0.0.1:11211:0' );
 // https://polylang.wordpress.com/documentation/documentation-for-developers/list-of-options-which-can-be-set-in-wp-config-php/
+// Tiny CDN - No trailing slash!
+define( 'TINY_CDN_INCLUDES_URL', 'https://d2aaaaaaaaaaae.cloudfront.net/wp-includes' );
+define( 'TINY_CDN_CONTENT_URL', 'https://d2aaaaaaaaaaae.cloudfront.net/wp-content' );
 //define( 'PLL_LINGOTEK_AD', false );
 //define( 'PLL_WPML_COMPAT', false );
 //define( 'PODS_LIGHT', true );