Update 'TO-DO_FIX-CHECK.md'

they wil also be displayed at the end of installation

AppendCMS.sh

@@ -7,18 +7,19 @@ if [ ! -f "/etc/ICTM/selopts.list" ] || [ ! -f "/etc/ICTM/mainvar.list" ] ; then
 
 source /etc/ICTM/selopts.list
 source /etc/ICTM/mainvar.list
+rm /tmp/apt.list
 source <(curl --retry 7 --retry-delay 5 -s "$repo"/raw/branch/"$branch"/ModulesMenu.list)
 
 #Setting Menulist to webserver
 if [[ $webserv = "apache" ]]; then
 #Apache Menulist
-CMSL=("${ApacheCMSL[@]}")
-options=("${ApacheOptions[@]}")
+CMSL=("${apacheCMSL[@]}")
+options=("${apacheOptions[@]}")
 fi
 if [[ $webserv = "nginx" ]]; then
 #Nginx Menulist
-CMSL=("${NginxCMSL[@]}")
-options=("${NginxOptions[@]}")
+CMSL=("${nginxCMSL[@]}")
+options=("${nginxOptions[@]}")
 fi
 
 
@@ -80,6 +81,19 @@ if [ $IMODE = n ]; then
     domain=$(whiptail --nocancel --inputbox "                        Enter the domain without WWW     " 11 82 --title "Config" 3>&1 1>&2 2>&3)
     [[ -d "/var/www/"$domain"/html" ]] && msg "              This domain already exists on this server, Exiting" 8 78 && exit;
     if (whiptail --title "Config" --yesno "                 Does www.${domain} exist in DNS" 8 78); then domainwww=1; else domainwww=0; fi
+    if (whiptail --title "Set sitename?" --yesno "Set sitename to ${domain//./_} ?" 8 78); then
+    sitename=${domain//./_}
+    else
+    while true; do
+      sitename=$(whiptail --nocancel --inputbox "Enter sitename, Must NOT contain special characters, except: _" 8 78 --title "Sitename" 3>&1 1>&2 2>&3)
+      if [[ $sitename == *['!'@#\$%^\&*()+,.]* ]] || [ -z "$sitename" ]
+      then
+         whiptail  --msgbox "   Site can't be empty, or contain a special character except for: _" 11 78
+      else 
+      break
+      fi
+    done
+    fi
     if (whiptail --title "Config" --yesno "                       Enable SSL on installation?" 11 78); then sslenable=1; else sslenable=0; fi
     PasswordQuest
     CMS=$(whiptail --title "What CMS should be installed?" --radiolist "Features" 11 118 5 "${CMSL[@]}" 3>&1 1>&2 2>&3)
@@ -101,6 +115,23 @@ if [ $IMODE = l ]; then
             * ) echo "Choose yes of no.";;
         esac
     done
+    read -p "Set sitename to ${domain//./_}? (y/n)" choice
+    case "$choice" in
+      y|Y ) sitename=${domain//./_};;
+      n|N ) echo "";
+      while true; do
+      echo "Please enter sitename, Must NOT contain special characters, except: _";read sitename
+      if [[ $sitename == *['!'@#\$%^\&*()+,.]* ]] || [ -z "$sitename" ]
+      then
+         echo "Site can't be empty, or contain a special character except for: _"
+      else 
+      break
+      fi
+    done
+      ;;
+      * ) echo "invalid";;
+    esac
+
     while true; do
         read -p "Enable SSL on installation? -> yes/no?" yn
         case $yn in
@@ -145,12 +176,12 @@ fi
 #   Preconf   #
 ##-----------##
 
-echo "Running preconf for Webserv"
+msg "           Running preconf for Webserv"
 if curl --retry 2 --retry-delay 1 --output /dev/null --silent --head --fail "$repo"/raw/branch/"$branch"/CoreModules/"$webserv"/appendCMS-preconf.sh; then
     source <(curl --retry 7 --retry-delay 5 -s "$repo"/raw/branch/"$branch"/CoreModules/"$webserv"/appendCMS-preconf.sh)
 fi
 
-echo "Running preconf for CMS"
+msg "            Running preconf for CMS"
 if curl --retry 2 --retry-delay 1 --output /dev/null --silent --head --fail "$repo"/raw/branch/"$branch"/CMS/"$CMS"/preconf.sh; then
     source <(curl --retry 7 --retry-delay 5 -s "$repo"/raw/branch/"$branch"/CMS/"$CMS"/preconf.sh)
 fi
@@ -173,27 +204,56 @@ cat /tmp/apt.list | xargs $PKGI
 #   Configuring   #
 ##---------------##
 
-echo "Running conf for Webserv"
+msg "           Running conf for Webserv"
 if curl --retry 2 --retry-delay 1 --output /dev/null --silent --head --fail "$repo"/raw/branch/"$branch"/CoreModules/"$webserv"/appendCMS-conf.sh; then
     source <(curl --retry 7 --retry-delay 5 -s "$repo"/raw/branch/"$branch"/CoreModules/"$webserv"/appendCMS-conf.sh)
 fi
 
-echo "Setting up SSL"
 if [ $sslenable = 1 ]; then
+msg "                Setting up SSL"
+    site_ext=ssl
     if [ $domainwww = 1 ]; then
-        certbot --"$webserv" -n -d "$domain" -d "www.$domain" -m "$email" --hsts --redirect --no-eff-email --agree-tos
+        certbot --"$webserv" certonly -n -d "$domain" -d "www.$domain" -m "$email" --hsts --redirect --no-eff-email --agree-tos
     elif [ $domainwww = 0 ]; then
-        certbot --"$webserv" -n -d "$domain" -m "$email" --hsts --redirect --no-eff-email --agree-tos
+        certbot --"$webserv" certonly -n -d "$domain" -m "$email" --hsts --redirect --no-eff-email --agree-tos
     fi
+    if curl --retry 2 --retry-delay 1 --output /dev/null --silent --head --fail "$repo"/raw/branch/"$branch"/CoreModules/"$webserv"/ssl-handler.sh; then
+        source <(curl --retry 7 --retry-delay 5 -s "$repo"/raw/branch/"$branch"/CoreModules/"$webserv"/ssl-handler.sh)
+    fi
+elif [ $sslenable = 0 ]; then
+    site_ext=nossl
 fi
 
 wget -q -t7 "$repo"/raw/branch/"$branch"/Scripts/EnableSSL.sh -O ~/activateSSL-$domain.sh
-sed -i -e 's/DOMAINname/'$domain'/' -e 's/CONFname/'$domain'/' -e 's/DomainWWW/'$domainwww'/' -e 's/Email/'$email'/' -e 's/WebServer/'$webserv'/' ~/activateSSL-$domain.sh
+sed -i -e 's/DOMAINname/'$domain'/' -e 's/CONFname/'$sitename'/' -e 's/DomainWWW/'$domainwww'/' -e 's/Email/'$email'/' -e 's/WebServer/'$webserv'/' ~/activateSSL-$domain.sh
 
-echo "Running conf for CMS"
+msg "              Running conf for CMS"
 if curl --retry 2 --retry-delay 1 --output /dev/null --silent --head --fail "$repo"/raw/branch/"$branch"/CMS/"$CMS"/conf.sh; then
     source <(curl --retry 7 --retry-delay 5 -s "$repo"/raw/branch/"$branch"/CMS/"$CMS"/conf.sh)
 fi
 if curl --retry 2 --retry-delay 1 --output /dev/null --silent --head --fail "$repo"/raw/branch/"$branch"/CMS/"$CMS"/"$webserv"-conf.sh; then
     source <(curl --retry 7 --retry-delay 5 -s "$repo"/raw/branch/"$branch"/CMS/"$CMS"/"$webserv"-conf.sh)
-fi
+fi
+
+##--------------------------##
+#   Backup-util Site Setup   #
+##--------------------------##
+
+repobckutil=https://git.ictmaatwerk.com/VPS-scripts/Backup-Util
+branchbckutil=master
+if curl --retry 2 --retry-delay 1 --output /dev/null --silent --head --fail "$repobckutil"/raw/branch/"$branchbckutil"/cms-handeler.sh; then
+ source <(curl --retry 7 --retry-delay 5 -s "$repobckutil"/raw/branch/"$branchbckutil"/cms-handeler.sh)
+fi
+
+##------------##
+#   Services   #
+##------------##
+
+systemctl reload fail2ban
+
+##-------##
+#   Done  #
+##-------##
+
+msg "                Added CMS!"
+for f in /etc/update-motd.d/51*; do bash $f; done

AppendModule.sh

@@ -11,18 +11,19 @@ if [ ! -f "/etc/ICTM/selopts.list" ] || [ ! -f "/etc/ICTM/mainvar.list" ] ; then
 
 source /etc/ICTM/selopts.list
 source /etc/ICTM/mainvar.list
+rm /tmp/apt.list
 source <(curl --retry 7 --retry-delay 5 -s "$repo"/raw/branch/"$branch"/ModulesMenu.list)
 
 #Setting Menulist to webserver
 if [[ $webserv = "apache" ]]; then
 #Apache Menulist
-CMSL=("${ApacheCMSL[@]}")
-options=("${ApacheOptions[@]}")
+CMSL=("${apacheCMSL[@]}")
+options=("${apacheOptions[@]}")
 fi
 if [[ $webserv = "nginx" ]]; then
 #Nginx Menulist
-CMSL=("${NginxCMSL[@]}")
-options=("${NginxOptions[@]}")
+CMSL=("${nginxCMSL[@]}")
+options=("${nginxOptions[@]}")
 fi
 
 #Filtering already installed modules
@@ -155,7 +156,7 @@ option="$option""$aonoption"
 ##-----------##
 
 
-echo "Generating apt list for Options"
+msg "        Generating apt list for Options"
 for val1 in ${option[*]}; do
     echo "$val1" #TMP
     modListed=$(wget -t7 -qO - "$repo"/raw/branch/master/extModules.list|grep "$val1")
@@ -189,7 +190,7 @@ done
 #   Preconf   #
 ##-----------##
 
-echo "Running preconf for Options"
+msg "          Running preconf for Options"
 for val1 in ${option[*]}; do
     echo "$val1" #TMP
     modListed=$(wget -t7 -qO - "$repo"/raw/branch/master/extModules.list|grep "$val1")
@@ -228,7 +229,7 @@ cat /tmp/apt.list | xargs $PKGI
 #   Configuring   #
 ##---------------##
 
-echo "Running conf for Options"
+msg "            Running conf for Options"
 for val1 in ${option[*]}; do
     echo "$val1" #TMP
     modListed=$(wget -t7 -qO - "$repo"/raw/branch/master/extModules.list|grep "$val1")
@@ -252,3 +253,11 @@ for val1 in ${option[*]}; do
         fi
     fi
 done
+
+
+##-------##
+#   Done  #
+##-------##
+
+msg "                Added Module!"
+for f in /etc/update-motd.d/51*; do bash $f; done

CMS/Backend/Fpm-Pool.conf-unconfigured

@@ -0,0 +1,28 @@
+[Backend]
+user = Backend
+group = Backend
+listen = /var/run/php/phpPHPver-fpm-Backend.sock
+listen.owner = www-data
+listen.group = www-data
+php_admin_value[disable_functions] = exec,passthru,shell_exec,system
+php_admin_value[opcache.enable] = 0      
+php_admin_value[max_input_vars] = 5000                                                                                                                                                                                                                                         
+php_admin_value[upload_max_filesize] = 256M                                                                                                                                                                                                                                    
+php_admin_value[post_max_size] = 16M                                                                                                                                                                                                                                           
+php_admin_value[max_input_time] = 15                                                                                                                                                                                                                                           
+php_admin_value[cgi.fix_pathinfo] = 0                                                                                                                                                                                                                                          
+php_admin_value[allow_url_fopen] = Off                                                                                                                                                                                                                                         
+php_admin_value[file_uploads] = Off                                                                                                                                                                                                                                   
+php_admin_value[open_basedir] = /var/log/PhpMyAdmin:/usr/share/phpmyadmin:/var/lib/phpmyadmin:/etc/phpmyadmin                                                                                                                                                                                                                 
+php_admin_value[session.use_strict_mode] = 1                                                                                                                                                                                                                                   
+php_admin_value[session.cookie_httponly] = 1                                                                                                                                                                                                                                   
+;HTTPSONLY php_admin_value[session.cookie_samesite] = Strict                                                                                                                                                                                                                              
+;HTTPSONLY php_admin_value[session.cookie_secure] = 1                                                                                                                                                                                                                                     
+                                                                                                                                                                                                                                                                               
+pm = dynamic
+pm.max_children = 5
+pm.start_servers = 2
+pm.min_spare_servers = 1
+pm.max_spare_servers = 3
+chdir = /
+

CMS/Backend/conf.sh

@@ -0,0 +1,14 @@
+#Backend PHP Pool
+wget -q -t7 "$repo"/raw/branch/"$branch"/CMS/Backend/Fpm-Pool.conf-unconfigured -O /etc/php/"$phpver"/fpm/pool.d/Backend.conf
+sed -i 's/PHPver/'$phpver'/' /etc/php/"$phpver"/fpm/pool.d/Backend.conf
+groupadd Backend
+useradd -g Backend Backend
+#PHPMyAdmin configuration
+touch /var/log/PhpMyAdmin/PhpMyAdmin_auth.log
+chown Backend:Backend -R /usr/share/phpmyadmin
+chown Backend:Backend -R /var/lib/phpmyadmin/tmp
+chown Backend:Backend -R /var/log/PhpMyAdmin
+systemctl reload php"$phpver"-fpm
+#Auto disable backends at night
+echo "0 0 * * * root bash /opt/toggle/toggle-Netdata.sh -d > >/dev/null 2>&1" >> /etc/cron.d/autodisablebackend
+echo "0 0 * * * root bash /opt/toggle/toggle-PhpMyAdmin.sh -d > >/dev/null 2>&1" >> /etc/cron.d/autodisablebackend

CMS/Backend/nginx-conf.sh

@@ -1,4 +1,4 @@
 wget -q -t7 "$repo"/raw/branch/"$branch"/CMS/Backend/nginx-siteBackend-unconfigured -O /tmp/nginx-backendconf
 sed -i -e 's/PHPver/'$phpver'/' -e 's/DOMAINname/'$hostname'/' /tmp/nginx-backendconf
-sed -i -e "0,/^#ConfHere/s/\(^#Conf.*\)/#ConfHere1 /" -e '/#ConfHere1/ r /tmp/nginx-backendconf' -e '/#ConfHere/c\' /etc/nginx/sites-enabled/Backend
+sed -i -e "0,/^#ConfHere/s/\(^#Conf.*\)/#ConfHere1 /" -e '/#ConfHere1/ r /tmp/nginx-backendconf' -e '/#ConfHere/c\' /etc/nginx/sites-available/Backend_"$site_ext"
 systemctl reload nginx

CMS/Backend/nginx-siteBackend-unconfigured

@@ -1,4 +1,8 @@
 #beginConf
+
+#access_log /var/log/nginx/Backend-access.log;
+error_log /var/log/nginx/Backend-error.log;
+
 location = /backend/netdata {
             return 301 /backend/netdata/;
         }
@@ -25,7 +29,7 @@ location = /backend/netdata {
             include fastcgi_params;
             fastcgi_param SCRIPT_FILENAME $request_filename;
             fastcgi_split_path_info ^(.+\.php)(/.+)$;
-            fastcgi_pass unix:/var/run/php/phpPHPver-fpm.sock;
+            fastcgi_pass unix:/var/run/php/phpPHPver-fpm-Backend.sock;
             fastcgi_index index.php;
         }
     }

CMS/nextcloud/Fpm-Pool.conf-unconfigured

@@ -0,0 +1,45 @@
+[SITEname]
+user = SITEname
+group = SITEname
+listen = /var/run/php/phpPHPver-fpm-SITEname.sock
+listen.owner = www-data
+listen.group = www-data
+php_admin_value[disable_functions] = exec,passthru,shell_exec,system
+php_admin_value[error_log] = /var/log/php-fpm/error-SITEname.log
+; OPCACHE SETTINGS
+php_admin_value[opcache.memory_consumption] = 256
+php_admin_value[opcache.enable] = 0
+php_admin_value[opcache.interned_strings_buffer] = 32
+php_admin_value[opcache.max_accelerated_files] = 50000
+php_admin_value[opcache.max_wasted_percentage] = 5
+php_admin_value[opcache.revalidate_freq] = 0
+php_admin_value[opcache.validate_timestamps] = 1
+
+; PERFORMANCE LIMITS
+php_admin_value[max_input_vars] = 1000
+php_admin_value[upload_max_filesize] = 1G
+php_admin_value[post_max_size] = 1G
+php_admin_value[max_input_time] = 60
+php_admin_value[memory_limit] = 512M
+
+; SECURITY
+php_admin_value[cgi.fix_pathinfo] = 0
+php_admin_value[allow_url_fopen] = Off
+php_admin_value[file_uploads] = on
+php_admin_value[open_basedir] = /var/www/DOMAINname/html:/var/run/php/phpPHPver-fpm-SITEname.sock:/var/lib/redis/redis.sock:/proc/meminfo:/proc/cpuinfo:/dev/urandom:/tmp
+php_admin_value[session.use_strict_mode] = 1
+php_admin_value[session.cookie_httponly] = 1
+;HTTPSONLY php_admin_value[session.cookie_samesite] = Strict
+;HTTPSONLY php_admin_value[session.cookie_secure] = 1
+
+pm = dynamic
+pm.max_children = 30
+pm.start_servers = 2
+pm.min_spare_servers = 1
+pm.max_spare_servers = 5
+chdir = /
+env[HOSTNAME] = $HOSTNAME
+env[PATH] = /usr/local/bin:/usr/bin:/bin
+env[TMP] = /tmp
+env[TMPDIR] = /tmp
+env[TEMP] = /tmp

CMS/nextcloud/MotdNextCloud

@@ -1,5 +1,5 @@
 #!/bin/sh
 red='\e[1;31m%s\e[0m\n'
 printf "\n"
-printf $red "Please run nextcloud-init.sh after the first nextcloud login"
+printf $red "Please run bash ~/nextcloud-init.sh after the first nextcloud login"
 printf "\n"

CMS/nextcloud/Nginx-unconfigured

@@ -1,15 +1,18 @@
 #beginConf
+
+#access_log /var/log/nginx/SITEname-access.log;
+error_log /var/log/nginx/SITEname-error.log;
+
 root /var/www/DOMAINname/html;
 # Set max upload size
 client_max_body_size 1G;
 
 add_header Referrer-Policy "no-referrer" always;
-add_header X-Content-Type-Options "nosniff" always;
 add_header X-Download-Options "noopen" always;
-add_header X-Frame-Options "SAMEORIGIN" always;
 add_header X-Permitted-Cross-Domain-Policies "none" always;
 add_header X-Robots-Tag "none" always;
-add_header X-XSS-Protection "1; mode=block" always;
+fastcgi_send_timeout 300;
+fastcgi_read_timeout 300;
 fastcgi_hide_header X-Powered-By;
 fastcgi_buffers 64 4K;
 gzip on;
@@ -53,7 +56,7 @@ location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|u
     fastcgi_param HTTPS on;
     fastcgi_param modHeadersAvailable true;
     fastcgi_param front_controller_active true;
-    fastcgi_pass unix:/var/run/php/phpPHPver-fpm.sock;
+    fastcgi_pass unix:/var/run/php/phpPHPver-fpm-SITEname.sock;
     fastcgi_intercept_errors on;
     fastcgi_request_buffering off;
 }
@@ -67,12 +70,9 @@ location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
     try_files $uri /index.php$request_uri;
     add_header Cache-Control "public, max-age=15778463";
     add_header Referrer-Policy "no-referrer" always;
-    add_header X-Content-Type-Options "nosniff" always;
     add_header X-Download-Options "noopen" always;
-    add_header X-Frame-Options "SAMEORIGIN" always;
     add_header X-Permitted-Cross-Domain-Policies "none" always;
     add_header X-Robots-Tag "none" always;
-    add_header X-XSS-Protection "1; mode=block" always;
     access_log off;
 }
 

CMS/nextcloud/conf.sh

@@ -0,0 +1,16 @@
+#PHP Pool
+wget -q -t7 "$repo"/raw/branch/"$branch"/CMS/nextcloud/Fpm-Pool.conf-unconfigured -O /etc/php/"$phpver"/fpm/pool.d/"$sitename".conf
+sed -i -e 's/PHPver/'$phpver'/' -e 's/SITEname/'$sitename'/' -e 's/DOMAINname/'$domain'/' /etc/php/"$phpver"/fpm/pool.d/$sitename.conf
+groupadd "$sitename"
+useradd -g "$sitename" "$sitename"
+
+#Nextcloud logging location
+mkdir /var/log/nextcloud
+chmod 774 -R /var/log/nextcloud
+ln -s /var/www/"$domain"/html/data/nextcloud.log /var/log/nextcloud/"$sitename"
+
+#fail2ban
+wget -q -t7 "$repo"/raw/branch/"$branch"/config/fail2ban/Jails/nextcloud_unconfigured -O /etc/fail2ban/jail.d/"$sitename"-nextcloud.local
+sed -i 's/SITEname/'$sitename'/' /etc/fail2ban/jail.d/"$sitename"-nextcloud.local
+
+systemctl reload php"$phpver"-fpm

CMS/nextcloud/nextcloud-init.sh

@@ -1,4 +1,20 @@
-sudo -u www-data php /var/www/DOMAINname/html/occ db:convert-filecache-bigint
-sudo -u www-data php /var/www/DOMAINname/html/occ db:add-missing-indices
-echo "*/5  *  *  *  * www-data	php -f /var/www/DOMAINname/html/cron.php > /dev/null 2>&1" >> /etc/crontab
-rm -f /etc/update-motd.d/50-nextnotice
+sudo -u SITEname php /var/www/DOMAINname/html/occ db:convert-filecache-bigint
+sudo -u SITEname php /var/www/DOMAINname/html/occ db:add-missing-indices
+sudo -u SITEname php /var/www/DOMAINname/html/occ app:disable firstrunwizard
+
+sudo -u SITEname php /var/www/DOMAINname/html/occ config:system:set default_language --value=nl
+sudo -u SITEname php /var/www/DOMAINname/html/occ config:system:set default_locale --value=nl
+sudo -u SITEname php /var/www/DOMAINname/html/occ config:system:set skeletondirectory --value=
+sudo -u SITEname php /var/www/DOMAINname/html/occ config:system:set memcache.local --value='\OC\Memcache\APCu'
+
+if [ "$(systemctl is-active  redis-server)" = "active" ]; then
+    sudo -u SITEname php /var/www/DOMAINname/html/occ config:system:set memcache.distributed --value='\OC\Memcache\Redis'
+    sudo -u SITEname php /var/www/DOMAINname/html/occ config:system:set memcache.locking --value='\OC\Memcache\Redis'
+    sudo -u SITEname php /var/www/DOMAINname/html/occ config:system:set redis host --value=localhost
+    sudo -u SITEname php /var/www/DOMAINname/html/occ config:system:set redis port --value=6379
+else 
+    echo "Redis not installed or running on this system" 
+fi
+
+echo "*/5  *  *  *  * SITEname	php -f /var/www/DOMAINname/html/cron.php > /dev/null 2>&1" >> /etc/crontab
+rm -f /etc/update-motd.d/51-nextnotice

CMS/nextcloud/nginx-apt.list

@@ -0,0 +1 @@
+phpPHPver-apcu phpPHPver-bcmath phpPHPver-gmp

CMS/nextcloud/nginx-conf.sh

@@ -1,31 +1,24 @@
 #Nextcloud major release version
-nxtVer=18
 
 #Configuring nginx
 wget -q -t7 "$repo"/raw/branch/"$branch"/CMS/nextcloud/Nginx-unconfigured -O /tmp/nginx-siteconf
-sed -i -e 's/PHPver/'$phpver'/g' -e 's/DOMAINname/'$domain'/' /tmp/nginx-siteconf
-sed -i -e "0,/^#ConfHere/s/\(^#Conf.*\)/#ConfHere1 /" -e '/#ConfHere1/ r /tmp/nginx-siteconf' -e '/#ConfHere/c\' /etc/nginx/sites-enabled/"$domain"
+sed -i -e 's/PHPver/'$phpver'/g' -e 's/DOMAINname/'$domain'/' -e 's/SITEname/'$sitename'/' /tmp/nginx-siteconf
+sed -i -e "0,/^#ConfHere/s/\(^#Conf.*\)/#ConfHere1 /" -e '/#ConfHere1/ r /tmp/nginx-siteconf' -e '/#ConfHere/c\' /etc/nginx/sites-available/"$sitename"_"$site_ext"
 if [ $sslenable = 0 ]; then
-sed -i -e '/fastcgi_param HTTPS/c\#  fastcgi_param HTTPS' /etc/nginx/sites-enabled/"$domain"
+  sed -i -e '/fastcgi_param HTTPS/c\#  fastcgi_param HTTPS' /etc/nginx/sites-available/"$sitename"_nossl
 fi
+mkdir -p /var/www/"$domain"/html/data
+systemctl reload nginx 
 
-mkdir -p /var/www/"$domain"/html
-
-#Configuring PHP
-if [ -z ${ignphpcms+x} ]; then ignphpcms=0;fi
-	if [ $ignphpcms != 1 ]; then
-		sed -i '/upload_max_filesize/c\upload_max_filesize = 1G' /etc/php/"$phpver"/fpm/php.ini
-		sed -i '/post_max_size/c\post_max_size = 1G' /etc/php/"$phpver"/fpm/php.ini
-		sed -i '/memory_limit/c\memory_limit = 512M' /etc/php/"$phpver"/fpm/php.ini
-fi
 
 #Getting Nextcloud
-wget -t7 https://download.nextcloud.com/server/releases/latest-"$nxtVer".tar.bz2 -O /tmp/nextcloud.tar.bz2
+wget -t7 http://mirror.nxdi.nl/resources/nextcloud/latest.tar.bz2 -O /tmp/nextcloud.tar.bz2
 tar jxf /tmp/nextcloud.tar.bz2 -C /tmp
 cp -a /tmp/nextcloud/. /var/www/"$domain"/html
+touch /var/www/"$domain"/html/data/nextcloud.log
 
 #Creating DB
-db_suffix=`expr $(ls -l /var/www | grep -c ^d)`
+db_suffix=`expr $(ls -l /var/www | grep -c ^d) - 1`
 db_name="nextcloud_$db_suffix"
 db_user="nextcloud_$db_suffix"
 db_pass=$(date +%s|sha256sum|base64|head -c 32)
@@ -49,12 +42,11 @@ cat <<EOF > /var/www/$domain/html/config/autoconfig.php
 );
 EOF
 
-chown www-data:www-data -R /var/www/"$domain"/html
-systemctl reload nginx php$phpver-fpm
-
+chown "$sitename":"$sitename" -R /var/www/"$domain"/html
 
 #Makeing nextcloud Finalize script and setting login Notice
 wget -q -t7 "$repo"/raw/branch/"$branch"/CMS/nextcloud/nextcloud-init.sh -O ~/nextcloud-init.sh
-sed -i -e 's/DOMAINname/'$domain'/' ~/nextcloud-init.sh
-wget -q -t7 "$repo"/raw/branch/"$branch"/CMS/nextcloud/MotdNextCloud -O /etc/update-motd.d/50-nextnotice
-chmod +x /etc/update-motd.d/50-nextnotice
+sed -i -e 's/DOMAINname/'$domain'/' -e 's/SITEname/'$sitename'/' ~/nextcloud-init.sh
+wget -q -t7 "$repo"/raw/branch/"$branch"/CMS/nextcloud/MotdNextCloud -O /etc/update-motd.d/51-nextnotice
+chmod +x /etc/update-motd.d/51-nextnotice
+

CMS/none/Fpm-Pool.conf-unconfigured

@@ -0,0 +1,39 @@
+[SITEname]
+user = SITEname
+group = SITEname
+listen = /var/run/php/phpPHPver-fpm-SITEname.sock
+listen.owner = www-data
+listen.group = www-data
+php_admin_value[disable_functions] = exec,passthru,shell_exec,system
+php_admin_value[error_log] = /var/log/php-fpm/error-SITEname.log
+; OPCACHE SETTINGS
+php_admin_value[opcache.memory_consumption] = 256
+php_admin_value[opcache.enable] = 0
+php_admin_value[opcache.interned_strings_buffer] = 32
+php_admin_value[opcache.max_accelerated_files] = 50000
+php_admin_value[opcache.max_wasted_percentage] = 5
+php_admin_value[opcache.revalidate_freq] = 0
+php_admin_value[opcache.validate_timestamps] = 1
+
+; PERFORMANCE LIMITS
+php_admin_value[max_input_vars] = 100
+php_admin_value[upload_max_filesize] = 64
+php_admin_value[post_max_size] = 1
+php_admin_value[max_input_time] = 15
+
+; SECURITY
+php_admin_value[cgi.fix_pathinfo] = 0
+php_admin_value[allow_url_fopen] = Off
+php_admin_value[file_uploads] = Off
+php_admin_value[open_basedir] = /var/www/DOMAINname/html
+php_admin_value[session.use_strict_mode] = 1
+php_admin_value[session.cookie_httponly] = 1
+;HTTPSONLY php_admin_value[session.cookie_samesite] = Strict
+;HTTPSONLY php_admin_value[session.cookie_secure] = 1
+
+pm = dynamic
+pm.max_children = 5
+pm.start_servers = 2
+pm.min_spare_servers = 1
+pm.max_spare_servers = 3
+chdir = /

CMS/none/Nginx-unconfigured

@@ -1,4 +1,8 @@
 #beginConf
+
+    #access_log /var/log/nginx/SITEname-access.log;
+    error_log /var/log/nginx/SITEname-error.log;
+
     index index.php index.html index.htm index.nginx-debian.html;
     root /var/www/DOMAINname/html;
     gzip on;
@@ -16,7 +20,7 @@
     
     location ~ \.php$ {
         include snippets/fastcgi-php.conf;
-        fastcgi_pass unix:/var/run/php/phpPHPver-fpm.sock;
+        fastcgi_pass unix:/var/run/php/phpPHPver-fpm-SITEname.sock;
     }
 
     location ~ /\.ht {

CMS/none/conf.sh

@@ -0,0 +1,7 @@
+#Backend PHP Pool
+wget -q -t7 "$repo"/raw/branch/"$branch"/CMS/none/Fpm-Pool.conf-unconfigured -O /etc/php/"$phpver"/fpm/pool.d/"$sitename".conf
+sed -i -e 's/PHPver/'$phpver'/' -e 's/SITEname/'$sitename'/' -e 's/DOMAINname/'$domain'/' /etc/php/"$phpver"/fpm/pool.d/$sitename.conf
+groupadd "$sitename"
+useradd -g "$sitename" "$sitename"
+
+systemctl reload php"$phpver"-fpm

CMS/none/nginx-conf.sh

@@ -1,7 +1,9 @@
 wget -q -t7 "$repo"/raw/branch/"$branch"/CMS/none/Nginx-unconfigured -O /tmp/nginx-siteconf
-sed -i -e 's/PHPver/'$phpver'/g' -e 's/DOMAINname/'$domain'/' /tmp/nginx-siteconf
-sed -i -e "0,/^#ConfHere/s/\(^#Conf.*\)/#ConfHere1 /" -e '/#ConfHere1/ r /tmp/nginx-siteconf' -e '/#ConfHere/c\' /etc/nginx/sites-enabled/"$domain"
+sed -i -e 's/PHPver/'$phpver'/g' -e 's/DOMAINname/'$domain'/' -e 's/SITEname/'$sitename'/' /tmp/nginx-siteconf
+sed -i -e "0,/^#ConfHere/s/\(^#Conf.*\)/#ConfHere1 /" -e '/#ConfHere1/ r /tmp/nginx-siteconf' -e '/#ConfHere/c\' /etc/nginx/sites-available/"$sitename"_"$site_ext"
 mkdir -p /var/www/"$domain"/html
-chown www-data:www-data -R /var/www/"$domain"/html
+
 echo "<html><head></head><body>$webserv has been succsefully installed by the Wizard</body></html>" > /var/www/$domain/html/index.html
+
+chown "$sitename":"$sitename" -R /var/www/"$domain"/html
 systemctl reload nginx

CMS/wordpress/Fpm-Pool.conf-unconfigured

@@ -0,0 +1,39 @@
+[SITEname]
+user = SITEname
+group = SITEname
+listen = /var/run/php/phpPHPver-fpm-SITEname.sock
+listen.owner = www-data
+listen.group = www-data
+php_admin_value[error_log] = /var/log/php-fpm/error-SITEname.log
+php_admin_value[disable_functions] = exec,passthru,shell_exec,system
+; OPCACHE SETTINGS
+php_admin_value[opcache.memory_consumption] = 256
+php_admin_value[opcache.enable] = 0
+php_admin_value[opcache.interned_strings_buffer] = 32
+php_admin_value[opcache.max_accelerated_files] = 50000
+php_admin_value[opcache.max_wasted_percentage] = 5
+php_admin_value[opcache.revalidate_freq] = 0
+php_admin_value[opcache.validate_timestamps] = 1
+
+; PERFORMANCE LIMITS
+php_admin_value[max_input_vars] = 5000
+php_admin_value[upload_max_filesize] = 128M
+php_admin_value[post_max_size] = 32M
+php_admin_value[max_input_time] = 30
+
+; SECURITY
+php_admin_value[cgi.fix_pathinfo] = 0
+php_admin_value[allow_url_fopen] = Off
+php_admin_value[file_uploads] = on
+php_admin_value[open_basedir] = "/var/www/DOMAINname/html"
+php_admin_value[session.use_strict_mode] = 1
+php_admin_value[session.cookie_httponly] = 1
+;HTTPSONLY php_admin_value[session.cookie_samesite] = Strict
+;HTTPSONLY php_admin_value[session.cookie_secure] = 1
+
+pm = dynamic
+pm.max_children = 20
+pm.start_servers = 2
+pm.min_spare_servers = 1
+pm.max_spare_servers = 3
+chdir = /

CMS/wordpress/MotdWordpress

@@ -0,0 +1,5 @@
+#!/bin/sh
+red='\e[1;31m%s\e[0m\n'
+printf "\n"
+printf $red "Please run bash ~/wordpress-init.sh after the first wordpress login"
+printf "\n"

CMS/wordpress/Nginx-unconfigured

@@ -1,4 +1,8 @@
 #beginConf
+
+#access_log /var/log/nginx/SITEname-access.log;
+error_log /var/log/nginx/SITEname-error.log;
+
 root /var/www/DOMAINname/html;
 index index.php index.htm index.html;
 
@@ -24,7 +28,7 @@ location ~* \.(css|gif|ico|jpeg|jpg|js|png|svg|webp|eot|otf|woff|woff2|ttf|ogg)$
 
 location ~ \.php$ {
     include snippets/fastcgi-php.conf;
-    fastcgi_pass unix:/var/run/php/phpPHPver-fpm.sock;
+    fastcgi_pass unix:/var/run/php/phpPHPver-fpm-SITEname.sock;
 }
 
 location ~ /\.ht {

CMS/wordpress/conf.sh

@@ -1,3 +1,10 @@
+#WP-CLI
+if [ ! -f /usr/local/bin/wp ]; then
+   wget -q -t7 https://raw.githubusercontent.com/wp-cli/wp-cli/v2.4.0/utils/wp-completion.bash -O  /etc/bash_completion.d/wp
+   wget -q -t7 https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar -O /usr/local/bin/wp
+   chmod +x /usr/local/bin/wp
+fi
+
 #Creating DB
 db_suffix=`expr $(ls -l /var/www | grep -c ^d) - 1`
 db_name="wp_$db_suffix"
@@ -15,7 +22,7 @@ mysql -u root -p"$password" -e "FLUSH PRIVILEGES;" > $OUTPUT 2>&1
 mkdir -p /var/www/"$domain"/html
 
 #Getting WordPress
-wget -q -t7 https://wordpress.org/latest.tar.gz -O /tmp/wp.tar.gz
+wget -q -t7 http://mirror.nxdi.nl/resources/wordpress/latest.tar.gz -O /tmp/wp.tar.gz
 tar -C /var/www/"$domain"/html -xzf /tmp/wp.tar.gz --strip 1
 rm /var/www/"$domain"/html/wp-config-sample.php 
 
@@ -24,5 +31,24 @@ wget -q -t7 "$repo"/raw/branch/"$branch"/CMS/wordpress/WordPress-unconfigured -O
 sed -i -e 's/DBPass/'$db_pass'/' -e 's/DBUser/'$db_user'/'  -e 's/DBName/'$db_name'/' -e 's/DOMAINname/'$domain'/' /var/www/"$domain"/html/wp-config.php
 printf '%s\n' "g/WPsalty/d" a "$WPSalts" . w | ed -s /var/www/"$domain"/html/wp-config.php
 
+#PHP Pool
+wget -q -t7 "$repo"/raw/branch/"$branch"/CMS/wordpress/Fpm-Pool.conf-unconfigured -O /etc/php/"$phpver"/fpm/pool.d/"$sitename".conf
+sed -i -e 's/PHPver/'$phpver'/' -e 's/SITEname/'$sitename'/' -e 's/DOMAINname/'$domain'/' /etc/php/"$phpver"/fpm/pool.d/$sitename.conf
+groupadd "$sitename"
+useradd -g "$sitename" "$sitename"
+
+systemctl reload php"$phpver"-fpm
+
+#fail2ban
+if [ ! -f /etc/fail2ban/jail.d/wordpress-syslog.local ]; then
+    wget -q -t7 "$repo"/raw/branch/"$branch"/config/fail2ban/Jails/wordpress-syslog.jail -O /etc/fail2ban/jail.d/wordpress-syslog.local
+fi
+
 #Setting Permsissions
-chown www-data:www-data -R /var/www/"$domain"/html
+chown "$sitename":"$sitename" -R /var/www/"$domain"/html
+
+#Makeing wordpress Finalize script and setting login Notice
+wget -q -t7 "$repo"/raw/branch/"$branch"/CMS/wordpress/wordpress-init.sh -O ~/wordpress-init.sh
+sed -i -e 's/DOMAINname/'$domain'/' -e 's/SITEname/'$sitename'/' ~/wordpress-init.sh
+wget -q -t7 "$repo"/raw/branch/"$branch"/CMS/wordpress/MotdWordpress -O /etc/update-motd.d/51-wpnotice
+chmod +x /etc/update-motd.d/51-wpnotice

CMS/wordpress/nginx-conf.sh

@@ -1,15 +1,7 @@
-#Configuring PHP
-if [ -z ${ignphpcms+x} ]; then ignphpcms=0;fi
-	if [ $ignphpcms != 1 ]; then
-		sed -i '/upload_max_filesize/c\upload_max_filesize = 1G' /etc/php/"$phpver"/fpm/php.ini
-		sed -i '/post_max_size/c\post_max_size = 512M' /etc/php/"$phpver"/fpm/php.ini
-		sed -i '/memory_limit/c\memory_limit = 512M' /etc/php/"$phpver"/fpm/php.ini
-fi
-
 #Configuring nginx
 wget -q -t7 "$repo"/raw/branch/"$branch"/CMS/wordpress/Nginx-unconfigured -O /tmp/nginx-siteconf
-sed -i -e 's/PHPver/'$phpver'/g' -e 's/DOMAINname/'$domain'/' /tmp/nginx-siteconf
-sed -i -e "0,/^#ConfHere/s/\(^#Conf.*\)/#ConfHere1 /" -e '/#ConfHere1/ r /tmp/nginx-siteconf' -e '/#ConfHere/c\' /etc/nginx/sites-enabled/"$domain"
+sed -i -e 's/PHPver/'$phpver'/g' -e 's/DOMAINname/'$domain'/' -e 's/SITEname/'$sitename'/' /tmp/nginx-siteconf
+sed -i -e "0,/^#ConfHere/s/\(^#Conf.*\)/#ConfHere1 /" -e '/#ConfHere1/ r /tmp/nginx-siteconf' -e '/#ConfHere/c\' /etc/nginx/sites-available/"$sitename"_"$site_ext"
 
 #Reloading Services
 systemctl reload nginx php$phpver-fpm

CMS/wordpress/wordpress-init.sh

@@ -0,0 +1,7 @@
+sudo -u SITEname wp --path=/var/www/DOMAINname/html core update
+sudo -u SITEname wp --path=/var/www/DOMAINname/html plugin update --all
+sudo -u SITEname wp --path=/var/www/DOMAINname/html theme update --all
+sudo -u SITEname wp --path=/var/www/DOMAINname/html plugin install wp-fail2ban --activate
+sudo -u SITEname wp --path=/var/www/DOMAINname/html plugin install all-in-one-wp-migration --activate
+sudo -u SITEname wp --path=/var/www/DOMAINname/html plugin install https://git.ictmaatwerk.com/downloads/wp/migrate.zip --activate
+rm -f /etc/update-motd.d/51-wpnotice

CoreModules/generic/apt.list

@@ -1 +1 @@
-mailutils htop ufw
+mailutils htop ufw nload fail2ban

CoreModules/generic/conf.sh

@@ -5,6 +5,7 @@
 sed -i 's/#inet_interfaces = all/inet_interfaces = loopback-only/g' /etc/postfix/main.cf
 sed -i 's/mydestination/#mydestination/g' /etc/postfix/main.cf
 sed -i 's/relayhost =/mydestination = '$hostname', localhost.'$hostname', '$hostname'/g' /etc/postfix/main.cf
+echo "bounce_notice_recipient = info@$domain" >> /etc/postfix/main.cf
 cat <<EOF > /etc/aliases
 # See man 5 aliases for format
 postmaster:    root
@@ -12,24 +13,6 @@ root:          $email
 EOF
 newaliases
 
-
-##------------##
-#   Fail2Ban   #
-##------------##
-
-##Disabled
-#sed -i 's/root@localhost/'$email'/g' /etc/fail2ban/jail.conf
-#wget -q -t7 "$repo"/raw/branch/"$branch"/config/fail2ban/sshd.local -O /etc/fail2ban/jail.d/sshd.local
-#if [[ $CMS == "Nextcloud" ]]; then
-#wget -q -t7 "$repo"/raw/branch/"$branch"/config/fail2ban/nextcloud.conf -O /etc/fail2ban/filter.d/nextcloud.conf
-#wget -q -t7 "$repo"/raw/branch/"$branch"/config/fail2ban/nextcloud.local -O /etc/fail2ban/jail.d/nextcloud.local
-#fi
-#if [[ $CMS == "Wordpress" ]]; then
-#wget -q -t7 "$repo"/raw/branch/"$branch"/config/fail2ban/wordpress.conf -O /etc/fail2ban/filter.d/wordpress.conf
-#wget -q -t7 "$repo"/raw/branch/"$branch"/config/fail2ban/wordpress.local -O /etc/fail2ban/jail.d/wordpress.local
-#fi
-
-
 ##-------##
 #   UFW   #
 ##-------##
@@ -40,4 +23,21 @@ ufw default allow outgoing > $OUTPUT 2>&1
 ufw allow 80/tcp > $OUTPUT 2>&1
 ufw allow 443/tcp > $OUTPUT 2>&1
 ufw limit 4242/tcp > $OUTPUT 2>&1
-echo "y" | ufw enable > $OUTPUT 2>&1
+echo "y" | ufw enable > $OUTPUT 2>&1
+
+##------------##
+#   Fail2Ban   #
+##------------##
+
+#General config
+wget -q -t7 "$repo"/raw/branch/"$branch"/config/fail2ban/jail.local -O /etc/fail2ban/jail.local
+
+#Custom Fiters
+wget -q -t7 "$repo"/raw/branch/"$branch"/config/fail2ban/Filters/nextcloud.filter -O /etc/fail2ban/filter.d/nextcloud.local
+wget -q -t7 "$repo"/raw/branch/"$branch"/config/fail2ban/Filters/phpmyadmin-authlog.filter -O /etc/fail2ban/filter.d/phpmyadmin-authlog.local
+wget -q -t7 https://plugins.svn.wordpress.org/wp-fail2ban/trunk/filters.d/wordpress-hard.conf -O /etc/fail2ban/filter.d/wordpress-hard.local
+wget -q -t7 https://plugins.svn.wordpress.org/wp-fail2ban/trunk/filters.d/wordpress-soft.conf -O /etc/fail2ban/filter.d/wordpress-soft.local
+
+#General jails
+wget -q -t7 "$repo"/raw/branch/"$branch"/config/fail2ban/Jails/sshd.jail -O /etc/fail2ban/jail.d/sshd.local
+wget -q -t7 "$repo"/raw/branch/"$branch"/config/fail2ban/Jails/phpmyadmin.jail -O /etc/fail2ban/jail.d/phpmyadmin.local

CoreModules/generic/preconf.sh

@@ -11,7 +11,6 @@ $PKGI software-properties-common gnupg > $OUTPUT 2>&1
 $PKGA universe -y > $OUTPUT 2>&1
 $PKGA ppa:ondrej/php -y -n > $OUTPUT 2>&1
 $PKGA ppa:certbot/certbot -y -n > $OUTPUT 2>&1
-$PKGA ppa:chris-lea/redis-server -y -n > $OUTPUT 2>&1
 
 
 ##-------------##

CoreModules/nginx/appendCMS-conf.sh

@@ -2,8 +2,21 @@
 #   Nginx   #
 #############
 
-wget -q -t7 "$repo"/raw/branch/"$branch"/CoreModules/nginx/config/nginx/site-unconfigured -O /etc/nginx/sites-available/"$domain"
-sed -i -e 's/DOMAINname/'$domain'/' /etc/nginx/sites-available/"$domain"
-ln -s /etc/nginx/sites-available/"$domain" /etc/nginx/sites-enabled/
+if [ $domainwww = 1 ]; then
+	#non-ssl
+	wget -q -t7 -O - "$repo"/raw/branch/"$branch"/CoreModules/nginx/config/nginx/site-wwwredir >> /etc/nginx/sites-available/"$sitename"_nossl
+	echo "" >> /etc/nginx/sites-available/"$sitename"_nossl
+	#ssl 
+	wget -q -t7 -O - "$repo"/raw/branch/"$branch"/CoreModules/nginx/config/nginx/site_ssl-wwwredir >> /etc/nginx/sites-available/"$sitename"_ssl
+	echo "" >> /etc/nginx/sites-available/"$sitename"_ssl 
+fi
+
+#non-ssl
+wget -q -t7 -O - "$repo"/raw/branch/"$branch"/CoreModules/nginx/config/nginx/site-unconfigured >> /etc/nginx/sites-available/"$sitename"_nossl 
+sed -i -e 's/DOMAINname/'$domain'/' /etc/nginx/sites-available/"$sitename"_nossl 
+ln -s /etc/nginx/sites-available/"$sitename"_nossl /etc/nginx/sites-enabled/"$sitename"
+#ssl
+wget -q -t7 -O - "$repo"/raw/branch/"$branch"/CoreModules/nginx/config/nginx/site_ssl-unconfigured >> /etc/nginx/sites-available/"$sitename"_ssl 
+sed -i -e 's/DOMAINname/'$domain'/' /etc/nginx/sites-available/"$sitename"_ssl 
 
 systemctl reload nginx

CoreModules/nginx/apt.list

@@ -1 +1 @@
-nginx phpPHPver-imagick php-pear phpPHPver-cli  phpPHPver-fpm phpPHPver-mysql phpPHPver-cgi phpPHPver-common phpPHPver-mbstring phpPHPver-curl phpPHPver-gd phpPHPver-intl phpPHPver-soap phpPHPver-xml phpPHPver-xmlrpc phpPHPver-zip python-certbot-nginx
+nginx apache2-utils phpPHPver-imagick php-pear phpPHPver-cli  phpPHPver-fpm phpPHPver-mysql phpPHPver-cgi phpPHPver-common phpPHPver-mbstring phpPHPver-curl phpPHPver-gd phpPHPver-intl phpPHPver-soap phpPHPver-xml phpPHPver-xmlrpc phpPHPver-zip python-certbot-nginx

CoreModules/nginx/conf.sh

@@ -7,19 +7,33 @@ systemctl stop php${phpver}-fpm nginx
 mkdir -p /etc/nginx/sites-available /etc/nginx/sites-enabled /etc/nginx/snippets /etc/nginx/modules-available /etc/nginx/modules-enabled /etc/nginx/snippets/
 wget -q -t7 "$repo"/raw/branch/"$branch"/CoreModules/nginx/config/nginx/fastcgi.conf -O /etc/nginx/fastcgi.conf
 wget -q -t7 "$repo"/raw/branch/"$branch"/CoreModules/nginx/config/nginx/fastcgi-php.conf -O /etc/nginx/snippets/fastcgi-php.conf
+wget -q -t7 "$repo"/raw/branch/"$branch"/CoreModules/nginx/config/nginx/snippets-ssl.conf -O /etc/nginx/snippets/ngx-ssl.conf
 wget -q -t7 "$repo"/raw/branch/"$branch"/CoreModules/nginx/config/nginx/nginx-default.conf -O /etc/nginx/nginx.conf
 
 if [ $domainwww = 1 ]; then
-	wget -q -t7 -O - "$repo"/raw/branch/"$branch"/CoreModules/nginx/config/nginx/site-wwwredir >> /etc/nginx/sites-available/"$domain"
-	echo "" >> /etc/nginx/sites-available/"$domain" 
+	#non-ssl
+	wget -q -t7 -O - "$repo"/raw/branch/"$branch"/CoreModules/nginx/config/nginx/site-wwwredir >> /etc/nginx/sites-available/"$sitename"_nossl
+	echo "" >> /etc/nginx/sites-available/"$sitename"_nossl
+	#ssl 
+	wget -q -t7 -O - "$repo"/raw/branch/"$branch"/CoreModules/nginx/config/nginx/site_ssl-wwwredir >> /etc/nginx/sites-available/"$sitename"_ssl
+	echo "" >> /etc/nginx/sites-available/"$sitename"_ssl 
 fi
-wget -q -t7 -O - "$repo"/raw/branch/"$branch"/CoreModules/nginx/config/nginx/site-unconfigured >> /etc/nginx/sites-available/"$domain"
-sed -i -e 's/DOMAINname/'$domain'/' /etc/nginx/sites-available/"$domain"
-ln -s /etc/nginx/sites-available/"$domain" /etc/nginx/sites-enabled/
+#non-ssl
+wget -q -t7 -O - "$repo"/raw/branch/"$branch"/CoreModules/nginx/config/nginx/site-unconfigured >> /etc/nginx/sites-available/"$sitename"_nossl 
+sed -i -e 's/DOMAINname/'$domain'/' /etc/nginx/sites-available/"$sitename"_nossl 
+ln -s /etc/nginx/sites-available/"$sitename"_nossl /etc/nginx/sites-enabled/"$sitename"
+#ssl
+wget -q -t7 -O - "$repo"/raw/branch/"$branch"/CoreModules/nginx/config/nginx/site_ssl-unconfigured >> /etc/nginx/sites-available/"$sitename"_ssl 
+sed -i -e 's/DOMAINname/'$domain'/' /etc/nginx/sites-available/"$sitename"_ssl 
 
-wget -q -t7 "$repo"/raw/branch/"$branch"/CoreModules/nginx/config/nginx/site-unconfigured -O /etc/nginx/sites-available/Backend
-sed -i -e 's/DOMAINname/'$hostname'/' /etc/nginx/sites-available/Backend
-ln -s /etc/nginx/sites-available/Backend /etc/nginx/sites-enabled/
+#Backend
+##non-ssl
+wget -q -t7 -O - "$repo"/raw/branch/"$branch"/CoreModules/nginx/config/nginx/site-unconfigured >> /etc/nginx/sites-available/Backend_nossl 
+sed -i -e 's/DOMAINname/'$hostname'/' /etc/nginx/sites-available/Backend_nossl 
+ln -s /etc/nginx/sites-available/Backend_nossl /etc/nginx/sites-enabled/Backend
+##ssl
+wget -q -t7 -O - "$repo"/raw/branch/"$branch"/CoreModules/nginx/config/nginx/site_ssl-unconfigured >> /etc/nginx/sites-available/Backend_ssl 
+sed -i -e 's/DOMAINname/'$hostname'/' /etc/nginx/sites-available/Backend_ssl 
 
 mkdir -p /opt/toggle
 wget -q -t7 "$repo"/raw/branch/"$branch"/Scripts/toggles/toggle-Netdata_NGINX.sh -O  /opt/toggle/toggle-Netdata.sh
@@ -27,6 +41,8 @@ wget -q -t7 "$repo"/raw/branch/"$branch"/Scripts/toggles/toggle-PhpMyAdmin_NGINX
 
 # custom Welcome page
 echo "<html><head></head><body>$webserv is functioning normally</body></html>" > /var/www/html/index.html
+
+
 ###############
 #   PHP-FPM   #
 ###############

CoreModules/nginx/config/nginx/nginx-default.conf

@@ -26,18 +26,7 @@ http {
 	server_names_hash_bucket_size 64;
 
 	include /etc/nginx/mime.types;
-	default_type text/html;
-
-	ssl_protocols TLSv1.3 TLSv1.2;
-	ssl_prefer_server_ciphers on;
-    ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
-    ssl_session_cache shared:SSL:20m;
-    ssl_session_timeout 180m;
-    ssl_ecdh_curve secp384r1;
-    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
-	add_header X-Frame-Options sameorigin;
-    add_header X-Content-Type-Options nosniff;
-    add_header X-Xss-Protection "1; mode=block";
+	default_type application/octet-stream;
 
     #access_log /var/log/nginx/access.log;
     access_log off;
@@ -50,6 +39,7 @@ http {
     gzip_disable "msie6";
     gzip_buffers 16 8k;
 
+    include /etc/nginx/snippets/ngx-ssl.conf;
 	include /etc/nginx/conf.d/*.conf;
 	include /etc/nginx/sites-enabled/*;
 }

CoreModules/nginx/config/nginx/site_ssl-unconfigured

@@ -0,0 +1,24 @@
+server {
+    listen 80;
+    listen [::]:80;
+	server_name   DOMAINname;
+    
+    location / {
+        return 301 https://$host$request_uri;
+    }
+    
+}
+
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2; 
+    server_name   DOMAINname;
+    ssl_certificate /etc/letsencrypt/live/DOMAINname/fullchain.pem; 
+    ssl_certificate_key /etc/letsencrypt/live/DOMAINname/privkey.pem; 
+    include snippets/ngx-ssl.conf; 
+    
+    
+
+#ConfHere
+
+}

CoreModules/nginx/config/nginx/site_ssl-wwwredir

@@ -0,0 +1,18 @@
+server {
+	#www.domain > domain redirect
+    listen       80;
+    listen       [::]:80;
+    server_name   www.DOMAINname;
+    return       301 http://DOMAINname$request_uri;
+}
+
+server {
+    #SSL www.domain > domain redirect
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2; 
+    server_name   www.DOMAINname;
+    ssl_certificate /etc/letsencrypt/live/DOMAINname/fullchain.pem; 
+    ssl_certificate_key /etc/letsencrypt/live/DOMAINname/privkey.pem; 
+    include snippets/ngx-ssl.conf; 
+    return       301 https://DOMAINname$request_uri;
+}

CoreModules/nginx/config/nginx/snippets-ssl.conf

@@ -0,0 +1,10 @@
+ssl_session_cache shared:le_nginx_SSL:1m;
+ssl_session_timeout 1440m;
+ssl_prefer_server_ciphers on;
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
+add_header X-Frame-Options sameorigin;
+add_header X-Content-Type-Options nosniff;
+add_header X-Xss-Protection "1; mode=block";
+add_header Strict-Transport-Security "max-age=31536000" always;
+ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

CoreModules/nginx/phpupdate-handeler.sh

@@ -0,0 +1,24 @@
+for f in /etc/nginx/sites-available/*; do
+    if [ $IMODE = n ] && [ $PhpPurge = 0 ]; then
+        if (whiptail --title "Update Nginx config ?" --yesno "Update php version in nginx site: ${f##*/}  ?" 8 78); then
+            sed -i  "s/$phpver/$newphpver/" $f
+        fi
+    fi
+    if [ $IMODE = l ] && [ $PhpPurge = 0 ]; then
+            while true; do
+                read -p "Update php version in nginx site: ${f##*/} ? -> yes/no?" yn
+                case $yn in
+                [Yy]* ) sed -i  "s/$phpver/$newphpver/" $f
+                break;;
+                [Nn]* ) echo ""
+                break;;
+                * ) echo "Choose yes of no.";;
+            esac
+        done    
+    fi
+    if [ $PhpPurge = 1 ]; then
+        sed -i  "s/$phpver/$newphpver/" $f
+    fi
+done
+ 
+systemctl reload nginx

CoreModules/nginx/ssl-handler.sh

@@ -0,0 +1,5 @@
+rm /etc/nginx/sites-enabled/"$sitename"
+ln -s /etc/nginx/sites-available/"$sitename"_ssl /etc/nginx/sites-enabled/"$sitename"
+rm /etc/nginx/sites-enabled/Backend
+ln -s /etc/nginx/sites-available/Backend_ssl /etc/nginx/sites-enabled/Backend
+systemctl reload nginx

Docs/docs/Dev-Adding-Modules.md

@@ -1,5 +1,5 @@
 # Module modes
-A module can be external(in other/external git repo) or internal(Modules/<ModuleName>).  
+A module can be external(in other/external git repo) or internal(SubModules/<ModuleName>).  
 In both cases the file structure is expected as shown below
 
 # List of possible Files and expected Structure
@@ -12,7 +12,7 @@ In both cases the file structure is expected as shown below
 * config/*
 
 ## The internal module location
-Modules/`<ModuleName>`
+SubModules/`<ModuleName>`
 
 # File Explanation
 | File Name | Description     |

ModulesMenu.list

@@ -13,17 +13,14 @@ nginxCMSL=("None:" "A plain webserver will be setup." OFF)
 nginxCMSL+=("Wordpress:" "WordPress is a content management system based on PHP." OFF)
 nginxCMSL+=("Nextcloud:" "Nextcloud is a suite of client-server software for creating and using file hosting services." OFF)
 #Options
-nginxOptions=("Option 1:" "Option 1 Desription" OFF)
-nginxOptions+=("Option 2:" "Option 2 Desription" OFF)
-nginxOptions+=("Option 3:" "Option 3 Desription" OFF)
+nginxOptions=("Redis:" "Redis caching" OFF)
 
 ##Apache
 #CMSList
 apacheCMSL=("None:" "A plain webserver will be setup." OFF)
 apacheCMSL+=("Wordpress:" "WordPress is a content management system based on PHP." OFF)
 #Options
-apacheOptions=("Option 1:" "Option 1 Desription" OFF)
-apacheOptions+=("Option 2: " "Option 2 Desription" OFF)
+apacheOptions=("Redis:" "Redis caching" OFF)
 fi
 if [ $IMODE = l ]; then
 #WebServers
@@ -32,12 +29,12 @@ webservers=("Nginx" "Apache" "Quit")
 #CMSList
 nginxCMSL=("Wordpress" "Nextcloud" "None")
 #Options
-nginxOptions=("Ngx Option 1:" "Ngx Option 2:" "Ngx Option 3:")
+nginxOptions=("Redis:")
 
 
 ##Apache
 #CMSList
 apacheCMSL=("Wordpress" "Nextcloud" "None")
 #Options
-apacheOptions=("Apa Option 1:" "Apa Option 2:" "Apa Option 3:")
+apacheOptions=("Redis:")
 fi

PhpUpdater.sh

@@ -0,0 +1,91 @@
+#sysCheck
+if [ ! -f "/etc/ICTM/selopts.list" ] || [ ! -f "/etc/ICTM/mainvar.list" ] ; then echo 'This system is not yet setup, please run the main installer first' && exit ; fi
+
+PKGI="${PKGM} install -y --no-install-recommends"
+#Getting variables
+source /etc/ICTM/mainvar.list
+PPAversion=`apt list php | egrep -o "([0-9]{1,}.)+[0-9]{1,}" | cut -c 3-` && PPAversion=`echo $PPAversion | awk '{print $1; }'  | cut -f1 -d"+"`
+
+msg () {
+    if [ $IMODE = n ]; then
+        TERM=ansi whiptail --title "Info" --msgbox "$1" 8 52
+    fi
+    if [ $IMODE = l ]; then
+        echo "$1"
+    fi
+}
+
+msg "Current php version: $phpver"
+
+if [ $IMODE = n ]; then
+    # Legacy/Main Menu
+    PKGP="debconf-apt-progress -- apt purge -y"
+
+    #Menu
+    if (whiptail --title "Set new php version?" --yesno "Install php version $PPAversion ?" 8 78); then
+        newphpver=$PPAversion
+    else
+        newphpver=$(whiptail --inputbox "Please enter the version to install" --title "Custom" 8 39 3>&1 1>&2 2>&3)
+    fi
+
+    #Install
+     apt list --installed | less | grep php$phpver | cut -f1 -d"/" | sed "s/$phpver/$newphpver/"  | xargs $PKGI
+
+    #Config
+    cp /etc/php/$phpver/fpm/pool.d/* /etc/php/$newphpver/fpm/pool.d/
+
+    #Purge
+    if (whiptail --title "Set new php version?" --yesno "Remove php $phpver ?" 8 78); then
+       PhpPurge=1
+       $PKGP -y php$phpver*
+    else
+       PhpPurge=0
+    fi
+fi
+
+if [ $IMODE = l ]; then
+    # Legacy/Main Menu
+    PKGP="apt purge -y"
+
+    #Menu    
+    while true; do
+        read -p "Set phpversion to version $PPAversion ? -> yes/no?" yn
+        case $yn in
+            [Yy]* ) newphpver=$PPAversion
+            break;;
+            [Nn]* ) echo "";
+            echo "Please enter php version to install:";read newphpver
+            break;;
+            * ) echo "Choose yes or no.";;
+        esac
+    done
+    
+    #Install
+    apt list --installed | less | grep php$phpver | cut -f1 -d"/" | sed "s/$phpver/$newphpver/"  | xargs $PKGI
+
+    #Config
+    cp /etc/php/$phpver/fpm/pool.d/* /etc/php/$newphpver/fpm/pool.d/
+    
+    #Purge
+    while true; do
+        read -p "Remove php $phpver ? -> yes/no?" yn
+        case $yn in
+            [Yy]* ) PhpPurge=1 ; $PKGP php$phpver*
+            break;;
+            [Nn]* ) PhpPurge=0 ; echo ""
+            break;;
+            * ) echo "Choose yes or no.";;
+        esac
+    done    
+fi
+
+for f in /etc/php/$newphpver/fpm/pool.d/*; do
+    sed -i  "s/$phpver/$newphpver/" $f
+done
+systemctl reload php$newphpver-fpm
+
+sed -i "/phpver/c\phpver=\"$newphpver\"" /etc/ICTM/mainvar.list
+
+if curl --retry 2 --retry-delay 1 --output /dev/null --silent --head --fail "$repo"/raw/branch/"$branch"/CoreModules/"$webserv"/phpupdate-handeler.sh; then
+ source <(curl --retry 7 --retry-delay 5 -s "$repo"/raw/branch/"$branch"/CoreModules/"$webserv"/phpupdate-handeler.sh)
+fi

Scripts/EnableSSL.sh

@@ -12,18 +12,19 @@ if [ $webservice = apache ]; then
 fi
 
 #Backing-up and removing current config
-sed -n '/#beginConf/,/#endConf/p' /etc/"$webservice"/sites-enabled/"$confname" > /tmp/"$confname"-config
-sed -n -i '/#beginConf/{:a;N;/#endConf/!ba;N;s/.*\n/#ConfHere\n/};p' /etc/"$webservice"/sites-enabled/"$confname"
+sed -n '/#beginConf/,/#endConf/p' /etc/"$webservice"/sites-available/"$confname"_nossl > /tmp/"$confname"-config
+sed -n -i '/#beginConf/{:a;N;/#endConf/!ba;N;s/.*\n/#ConfHere\n/};p' /etc/"$webservice"/sites-available/"$confname"_nossl
 systemctl reload $webservice
 
 #Enabling SSL
 if [ $domainwww = 1 ]; then
-   certbot --"$webserv" -n -d "$domain" -d "www.$domain" -m "$email" --hsts --redirect --no-eff-email --agree-tos
+   certbot --"$webserv" certonly -n -d "$domain" -d "www.$domain" -m "$email" --hsts --redirect --no-eff-email --agree-tos
 elif [ $domainwww = 0 ]; then
-   certbot --"$webserv" -n -d "$domain" -m "$email" --hsts --redirect --no-eff-email --agree-tos
+   certbot --"$webserv" certonly -n -d "$domain" -m "$email" --hsts --redirect --no-eff-email --agree-tos
 fi  
 
 #Restoring config
-sed -i -e "0,/^#ConfHere/s/\(^#Conf.*\)/#ConfHere1 /" -e "/#ConfHere1/ r /tmp/"$confname"-config" -e '/#ConfHere/c\' /etc/"$webservice"/sites-enabled/"$confname"
-
+sed -i -e "0,/^#ConfHere/s/\(^#Conf.*\)/#ConfHere1 /" -e "/#ConfHere1/ r /tmp/"$confname"-config" -e '/#ConfHere/c\' /etc/"$webservice"/sites-available/"$confname"_ssl
+rm /etc/"$webservice"/sites-enabled/"$confname"
+ln -s /etc/"$webservice"/sites-available/"$confname"_ssl /etc/"$webservice"/sites-enabled/"$confname"
 systemctl reload $webservice

Scripts/toggles/toggle-Netdata_NGINX.sh

@@ -1,29 +1,41 @@
 function usage {
- echo "Usage: $0 [option...]" >&2
- echo
- echo "   -e,    Enable Netdata"
- echo "   -d,    Disable Netdata"
- echo
+    echo "Usage: $0 [option...]" >&2
+    echo
+    echo "   -e,    Enable Netdata"
+    echo "   -d,    Disable Netdata"
+    echo "   -h,    Shows this information"
+    echo
 }
-
-
 if [ -n "$1" ]; then
-
-if [ "$1" = "-d" ]; then
- echo "Disable Netdata"
- sed -i '/deny all; #enables\/disables Netdata/c\        deny all; #enables\/disables Netdata' /etc/nginx/sites-available/Backend
- systemctl stop netdata
- systemctl disable netdata > /dev/null 2>&1
- systemctl reload nginx
-elif [ "$1" = "-e" ]; then
- echo "Enable Netdata"
- sed -i '/deny all; #enables\/disables Netdata/c\        #deny all; #enables\/disables Netdata' /etc/nginx/sites-available/Backend
- systemctl start netdata
- systemctl enable netdata > /dev/null 2>&1
- systemctl reload nginx
+    if [[ ! -f /etc/ICTM/toggle.conf ]]; then
+        echo "Creating File"
+        touch /etc/ICTM/toggle.conf
+    fi
+    source /etc/ICTM/toggle.conf
+    if [ -z "$NetDa" ]; then
+        echo "Creating Var"
+        echo "NetDa=3" >> /etc/ICTM/toggle.conf
+        NetDa=3
+    fi
+    if [[ "$1" = "-d" && "$NetDa" != 0 ]]; then
+        echo "Disable Netdata"
+        sed -i '/NetDa=/c\NetDa=0' /etc/ICTM/toggle.conf
+        sed -i '/deny all; #enables\/disables Netdata/c\        deny all; #enables\/disables Netdata' /etc/nginx/sites-available/Backend
+        systemctl stop netdata
+        systemctl disable netdata > /dev/null 2>&1
+        systemctl reload nginx
+    elif [[ "$1" = "-e" && "$NetDa" !=  1 ]]; then
+        echo "Enable Netdata"
+        sed -i '/NetDa=/c\NetDa=1' /etc/ICTM/toggle.conf
+        sed -i '/deny all; #enables\/disables Netdata/c\        #deny all; #enables\/disables Netdata' /etc/nginx/sites-available/Backend
+        systemctl start netdata
+        systemctl enable netdata > /dev/null 2>&1
+        systemctl reload nginx
+    elif [[ "$1" = "-h" ]]; then
+        usage
+    else
+        echo "Oopsie!"
+    fi
 else
  usage
-fi
-else
- usage
-fi
+fi

Scripts/toggles/toggle-PhpMyAdmin_NGINX.sh

@@ -1,25 +1,37 @@
 function usage {
- echo "Usage: $0 [option...]" >&2
- echo
- echo "   -e,    Enable PhpMyadmin"
- echo "   -d,    Disable PhpMyadmin"
- echo
+    echo "Usage: $0 [option...]" >&2
+    echo
+    echo "   -e,    Enable PhpMyadmin"
+    echo "   -d,    Disable PhpMyadmin"
+    echo "   -h,    Shows this information"
+    echo
 }
-
-
 if [ -n "$1" ]; then
-
-if [ "$1" = "-d" ]; then
- echo "Disable PhpMyadmin"
- sed -i '/deny all; #enables\/disables PHPMyadmin/c\        deny all; #enables\/disables PHPMyadmin' /etc/nginx/sites-available/Backend
- systemctl reload nginx
-elif [ "$1" = "-e" ]; then
- echo "Enable PhpMyadmin"
- sed -i '/deny all; #enables\/disables PHPMyadmin/c\        #deny all; #enables\/disables PHPMyadmin' /etc/nginx/sites-available/Backend
- systemctl reload nginx
+    if [[ ! -f /etc/ICTM/toggle.conf ]]; then
+        echo "Creating File"
+        touch /etc/ICTM/toggle.conf
+    fi
+    source /etc/ICTM/toggle.conf
+    if [ -z "$PhpMA" ]; then
+        echo "Creating Var"
+        echo "PhpMA=3" >> /etc/ICTM/toggle.conf
+        PhpMA=3
+    fi
+    if [[ "$1" = "-d" && "$PhpMA" != 0 ]]; then
+        echo "Disable PhpMyadmin"
+        sed -i '/PhpMA=/c\PhpMA=0' /etc/ICTM/toggle.conf
+        sed -i '/deny all; #enables\/disables PHPMyadmin/c\        deny all; #enables\/disables PHPMyadmin' /etc/nginx/sites-available/Backend
+        systemctl reload nginx
+    elif [[ "$1" = "-e" && "$PhpMA" !=  1 ]]; then
+        echo "Enable PhpMyadmin"
+        sed -i '/PhpMA=/c\PhpMA=1' /etc/ICTM/toggle.conf
+        sed -i '/deny all; #enables\/disables PHPMyadmin/c\        #deny all; #enables\/disables PHPMyadmin' /etc/nginx/sites-available/Backend
+        systemctl reload nginx
+    elif [[ "$1" = "-h" ]]; then
+        usage
+    else
+        echo "Oopsie!"
+    fi
 else
  usage
-fi
-else
- usage
-fi
+fi

SubModules/redis/apt.list

@@ -0,0 +1 @@
+redis-server phpPHPver-redis

SubModules/redis/conf.sh

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+systemctl enable --now redis-server

SubModules/redis/preconf.sh

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+$PKGA ppa:chris-lea/redis-server -y -n > $OUTPUT 2>&1

TO-DO_FIX-CHECK.md

@@ -0,0 +1,4 @@
+# Menu Legacy
+~~Options enable/disable~~  
+WordPress hardening  
+DH-key length

TO-DO_Wanted-Features.md

@@ -0,0 +1,10 @@
+# Webservers
+* Apache
+# Modules 
+* ~~Fail2Ban~~
+
+# Other
+* ~~detection if hostname(fqdn) is same as web domain~~
+* ~~Update tool for PHP (example 7.3 to 7.4)~~
+* ~~Auto cron disable Backend admin Ui~~
+* ~~Certbot chiphers & tls1.3~~

config/fail2ban/Filters/nextcloud.filter

@@ -0,0 +1,4 @@
+[Definition]
+_groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
+failregex = ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:
+datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"

config/fail2ban/Filters/phpapp-AD.filter

@@ -0,0 +1,2 @@
+[Definition]
+failregex =  Access Denied from <HOST>

config/fail2ban/Filters/phpapp-UA.filter

@@ -0,0 +1,2 @@
+[Definition]
+failregex = Unauthorized Access from <HOST>

config/fail2ban/Filters/phpmyadmin-authlog.filter

@@ -0,0 +1,11 @@
+# Fail2Ban filter for the phpMyAdmin-Authlog
+#
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+failregex = ^%(__prefix_line)suser denied: (?:\S+|.*?) \(mysql-denied\) from <HOST>\s*$
+

config/fail2ban/Jails/nextcloud_unconfigured

@@ -0,0 +1,9 @@
+[nextcloud_SITEname]
+enabled = true
+port     = http,https
+protocol = tcp
+filter = nextcloud
+maxretry = 15
+bantime = 900
+findtime = 900
+logpath = /var/log/nextcloud/SITEname

config/fail2ban/Jails/nginx-Basic-auth_unconfigured

@@ -0,0 +1,5 @@
+[nginx-auth-SITEname]
+enabled  = true
+filter   = nginx-http-auth
+port     = http,https
+logpath  = /var/log/nginx/SITEname-error.log

config/fail2ban/Jails/phpapp_unconfigured

@@ -0,0 +1,13 @@
+[PHP-AD_SITEname]
+enabled = true
+filter = phpapp-AD
+logpath = /var/log/PHPapp/SITEname
+port = http,https
+
+[PHP-UA_SITEname]
+enabled = true
+maxretry = 20
+bantime  = 8h
+filter = phpapp-UA
+logpath = /var/log/PHPapp/SITEname
+port = http,https

config/fail2ban/Jails/phpmyadmin.jail

@@ -0,0 +1,5 @@
+[phpmyadmin]
+enabled  = true
+port    = http,https
+filter   = phpmyadmin-authlog
+logpath  = /var/log/PhpMyAdmin/PhpMyAdmin_auth.log

config/fail2ban/Jails/sshd.jail

@@ -0,0 +1,10 @@
+[sshd]
+enable = false
+
+[ssh-server]
+enabled = true
+filter = sshd
+port    = ssh
+logpath = %(sshd_log)s
+backend = %(sshd_backend)s
+protocol = tcp

config/fail2ban/Jails/wordpress-syslog.jail

@@ -0,0 +1,11 @@
+[wordpress-hard]
+enabled = true
+filter = wordpress-hard
+logpath = /var/log/auth.log
+port = http,https
+
+[wordpress-soft]
+enabled = true
+filter = wordpress-soft
+logpath = /var/log/auth.log
+port = http,https

config/fail2ban/jail.local

@@ -0,0 +1,53 @@
+[DEFAULT]
+# External command that will take an tagged arguments to ignore, e.g. <ip>,
+# and return true if the IP is to be ignored. False otherwise.
+#
+# ignorecommand = /path/to/command <ip>
+ignorecommand =
+
+# "bantime" is the number of seconds that a host is banned.
+bantime  = 10m
+
+# A host is banned if it has generated "maxretry" during the last "findtime"
+# seconds.
+findtime  = 10m
+
+# "maxretry" is the number of failures before a host get banned.
+maxretry = 5
+
+backend = auto
+
+
+
+#
+# ACTIONS
+#
+
+# Some options used for actions
+
+# Destination email address used solely for the interpolations in
+# jail.{conf,local,d/*} configuration files.
+destemail = root@localhost
+
+# Sender email address used solely for some actions
+sender = root@<fq-hostname>
+
+# E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the
+# mailing. Change mta configuration parameter to mail if you want to
+# revert to conventional 'mail'.
+mta = sendmail
+
+# Default protocol
+protocol = tcp
+
+# Specify chain where jumps would need to be added in ban-actions expecting parameter chain
+chain = <known/chain>
+
+# Format of user-agent https://tools.ietf.org/html/rfc7231#section-5.5.3
+fail2ban_agent = Fail2Ban/%(fail2ban_version)s
+
+#
+# Action shortcuts. To be used to define action parameter
+
+banaction = ufw
+banaction_allports = ufw

config/fail2ban/nextcloud.conf

@@ -1,4 +0,0 @@
-[Definition]
-failregex=^{"reqId":".<em>","remoteAddr":".</em>","app":"core","message":"Login failed: '.<em>' &#40;Remote IP: '<HOST>'&#41;","level":2,"time":".</em>"}$
-        ^{"reqId":".<em>","level":2,"time":".</em>","remoteAddr":".<em>","app":"core".</em>","message":"Login failed: '.<em>' &#40;Remote IP: '<HOST>'&#41;".</em>}$
-        ^.<em>\"remoteAddr\":\"<HOST>\".</em>Trusted domain error.*$

config/fail2ban/nextcloud.local

@@ -1,11 +0,0 @@
-[nextcloud]
-ignoreip = 192.168.1.0/24
-backend = auto
-enabled = true
-port = 80,443
-protocol = tcp
-filter = nextcloud
-maxretry = 3
-bantime = 36000
-findtime = 36000
-logpath = /var/nextcloud/data/nextcloud.log

config/fail2ban/sshd.local

@@ -1,6 +0,0 @@
-[sshd]
-enabled = true
-port = 4242
-filter = sshd
-logpath = /var/log/auth.log
-maxretry = 5

config/fail2ban/wordpress.conf

@@ -1,2 +0,0 @@
-[Definition]
-failregex = <HOST>.*POST.*(wp-login\.php|xmlrpc\.php).* 200

config/fail2ban/wordpress.local

@@ -1,7 +0,0 @@
-[wordpress]
-enabled = true
-port = http,https
-filter = wordpress
-logpath = /var/log/nginx/access.log
-maxretry = 10
-bantime = 3600

extModules.list

@@ -1,2 +1,3 @@
 https://git.ictmaatwerk.com/VPS-scripts/MySQL/raw/branch/master/
-https://git.ictmaatwerk.com/VPS-scripts/Unattended-Security-Updates/raw/branch/master/
+https://git.ictmaatwerk.com/VPS-scripts/Unattended-Security-Updates/raw/branch/master/
+https://git.ictmaatwerk.com/VPS-scripts/Backup-Util/raw/branch/master/

installer.sh

@@ -1,5 +1,6 @@
 #!/bin/bash
 
+
 ##--------------------##
 #   Legacy/Main Menu   #
 ##--------------------##
@@ -27,22 +28,20 @@ branch=master
 #Installer-config
 phpver=7.4
 PHPMyadmin=1
-phpmyadminver="5.0.2"
 sqlver=8.0
-cockpit=1
 TestMode=0
 #PackageManager-config
-PKGA="add-apt-repository"
-PKGI="${PKGM} install -y"
-#disable option menu
-OptMenu=D
+PKGA="add-apt-repository --no-update"
+PKGI="${PKGM} install -y --no-install-recommends"
 
 ##-------------##
 #   Test-Vars   #
 ##-------------##
 
+syscheckoff=0
 if [ $TestMode = 1 ]; then
 domain=ict-dagbesteding.nl
+sitename=ict_DB_nl
 email=b.prieshof@ictmaatwerk.com
 password=MeiFerrieSekureTESTp@ssw0rd4213
 hostname=vdh001.nxdi.nl
@@ -57,6 +56,8 @@ fi
 
 aonoption="/MySQL/"
 aonoption="$aonoption /Unattended-Security-Updates/"
+aonoption="$aonoption /Backup-Util/"
+
 
 
 ##---------------##
@@ -130,6 +131,41 @@ else
 fi
 }
 
+function HostnameQuest {
+if (whiptail --title "Config" --yesno "                          Hostname with nxdi.nl" 11 78); then
+    hostname=$(whiptail --nocancel --inputbox "                      SystemID (eg: VCH001) without ".nxdi.nl"     " 11 82 --title "Config" 3>&1 1>&2 2>&3)
+    hostname=$hostname".nxdi.nl"
+else
+    hostname=$(whiptail --nocancel --inputbox "                              Hostname" 11 78 --title "Config" 3>&1 1>&2 2>&3)
+fi
+}
+
+function LegacyHostnameQuest {
+while true; do
+    read -p "Hostname with nxdi.nl -> yes/no?" yn
+    case $yn in
+        [Nn]* )
+        echo 'Enter full hostname:'
+        read hostname
+        break;;
+        [Yy]* )
+        echo 'Hostname (eg: VCH001) without ".nxdi.nl":'
+        read hostname
+        hostname=$hostname".nxdi.nl"
+        break;;
+        * )echo "Choose yes or no.";;
+    esac
+done
+}
+
+
+##----------------##
+#   System-Check   #
+##----------------##
+
+if [[ "$syscheckoff" -ne 1 ]] && [[ -d /etc/ICTM ]]; then msg "             This system has already been installed by Web-V2" && exit; fi
+if [[ "$syscheckoff" -ne 1 ]] && [[ ! -z $(dpkg -l | cut -d " " -f 3 | grep "^mysql-server") || ! -z $(dpkg -l | cut -d " " -f 3 | grep "nginx") || ! -z $(dpkg -l | cut -d " " -f 3 | grep "apache") || ! -z $(dpkg -l | cut -d " " -f 3 | grep "php") ]] ; then msg " This system has installed packages, Web-V2 is designed for clean systems" && exit; fi
+
 
 ##--------------------------##
 #   Installer-Requirements   #
@@ -150,13 +186,29 @@ source <(curl --retry 7 --retry-delay 5 -s "$repo"/raw/branch/"$branch"/ModulesM
 if [ $IMODE = n ]; then
 if [ $TestMode = 0 ]; then
 domain=$(whiptail --nocancel --inputbox "                        Enter the domain without WWW     " 11 82 --title "Config" 3>&1 1>&2 2>&3)
-if (whiptail --title "Config" --yesno "                 Does www.${domain} exist in DNS" 8 78); then domainwww=1; else domainwww=0; fi
-if (whiptail --title "Config" --yesno "                          Hostname with nxdi.nl" 11 78); then
-    hostname=$(whiptail --nocancel --inputbox "                      SystemID (eg: VCH001) without ".nxdi.nl"     " 11 82 --title "Config" 3>&1 1>&2 2>&3)
-    hostname=$hostname".nxdi.nl"
+if (whiptail --title "Set sitename?" --yesno "Set sitename to ${domain//./_} ?" 8 78); then
+    sitename=${domain//./_}
 else
-    hostname=$(whiptail --nocancel --inputbox "                              Hostname" 11 78 --title "Config" 3>&1 1>&2 2>&3)
+while true; do
+  sitename=$(whiptail --nocancel --inputbox "Enter sitename, Must NOT contain special characters, except: _" 8 78 --title "Sitename" 3>&1 1>&2 2>&3)
+  if [[ $sitename == *['!'@#\$%^\&*()+,.]* ]] || [ -z "$sitename" ]
+  then
+     whiptail  --msgbox "   Site can't be empty, or contain a special character except for: _" 11 78
+  else 
+  break
+  fi
+done
 fi
+while true; do
+  HostnameQuest
+  if [[ "$hostname" == "$domain" ]] || [ -z "$hostname" ]
+  then
+     whiptail  --msgbox "   Hostname can't be empty, or be the same as the domain" 11 78
+  else 
+  break
+
+  fi
+done
 if (whiptail --title "Config" --yesno "                       Enable SSL on installation?" 11 78); then
    sslenable=1
 else
@@ -182,23 +234,35 @@ while true; do
         break;;
         [Nn]* ) domainwww=0
         break;;
-        * ) echo "Choose yes of no.";;
+        * ) echo "Choose yes or no.";;
     esac
 done
+read -p "Set sitename to ${domain//./_}? (y/n)" choice
+case "$choice" in
+  y|Y ) sitename=${domain//./_};;
+  n|N ) echo "";
+  while true; do
+  echo "Please enter sitename, Must NOT contain special characters, except: _";read sitename
+  if [[ $sitename == *['!'@#\$%^\&*()+,.]* ]] || [ -z "$sitename" ]
+  then
+     echo "Site can't be empty, or contain a special character except for: _"
+  else 
+  break
+  fi
+done
+  ;;
+  * ) echo "invalid";;
+esac
 while true; do
-    read -p "Hostname with nxdi.nl -> yes/no?" yn
-    case $yn in
-        [Nn]* )
-        echo 'Enter full hostname:'
-        read hostname
-        break;;
-        [Yy]* )
-        echo 'Hostname (eg: VCH001) without ".nxdi.nl":'
-        read hostname
-        hostname=$hostname".nxdi.nl"
-        break;;
-        * )echo "Choose yes or no.";;
-    esac
+  LegacyHostnameQuest
+  
+  if [[ "$hostname" == "$domain" ]] || [ -z "$hostname" ]
+  then
+     echo "Hostname can't be empty, or be the same as the domain"
+  else 
+  break
+
+  fi
 done
 while true; do
     read -p "Enable SSL on installation? -> yes/no?" yn
@@ -207,7 +271,7 @@ while true; do
         break;;
         [Nn]* ) sslenable=0
         break;;
-        * ) echo "Choose yes of no.";;
+        * ) echo "Choose yes or no.";;
     esac
 done
 LegacyPasswordQuest
@@ -244,18 +308,18 @@ printf " " >>/tmp/apt.list
 #   Storeing vars   #
 ##-----------------##
 
-mkdir /etc/ICTM
+mkdir -p /etc/ICTM/sites
 echo "InstDate=$(date "+%d-%B-%Y")" >> /etc/ICTM/mainvar.list
 for storeme in PKGM PKGA PKGI OUTPUT IMODE repo branch webserv phpver sqlver PHPMyadmin email hostname; do
     declare -p $storeme | cut -d ' ' -f 3- >> /etc/ICTM/mainvar.list
 done
 
+touch /etc/ICTM/sites/"$sitename"
 
 ##----------##
 #   Addons   #
 ##----------##
 ##DisableOPtionMenu
-if [ $OptMenu != D ]; then
 if [ $IMODE = n ]; then
 option=$(whiptail --nocancel --title "Additional modules" --checklist "Features" 11 110 5 "${options[@]}" 3>&1 1>&2 2>&3)
 fi
@@ -269,14 +333,13 @@ topt=${opt//+/}
 topt="${topt%"${topt##*[![:space:]]}"}"  
 topt=\"$topt\"
 option=${option//"$topt"/}
-unset $topt
+unset topt
 else
 opts[choice]=+
 opt="${opt%"${opt##*[![:space:]]}"}"   
 option+="\"$opt\" "
 fi
 }
-echo "The first selection will always return invalid option, please enter the first option twice"
 PS3='Which addons should be installed?'
 while :
 do
@@ -302,8 +365,6 @@ done
 done 
 option="${option%"${option##*[![:space:]]}"}"
 fi
-##DisableOPtionMenu
-fi
 #saving selected modules
 echo 'SelectedOptions=('$option')' > /etc/ICTM/selopts.list
 
@@ -473,23 +534,29 @@ for val1 in ${option[*]}; do
 done
 
 
-msg "                Setting up SSL" 8 78
 if [ $sslenable = 1 ]; then
-if [ $domainwww = 1 ]; then
-    certbot --"$webserv" -n -d "$domain" -d "www.$domain" -m "$email" --hsts --redirect --no-eff-email --agree-tos
-elif [ $domainwww = 0 ]; then
-    certbot --"$webserv" -n -d "$domain" -m "$email" --hsts --redirect --no-eff-email --agree-tos
-fi
-    certbot --"$webserv" -n -d "$hostname" -m "$email" --hsts --redirect --no-eff-email --agree-tos
+    msg "                Setting up SSL" 8 78
+    site_ext=ssl
+    if [ $domainwww = 1 ]; then
+        certbot --"$webserv" certonly -n -d "$domain" -d "www.$domain" -m "$email" --hsts --redirect --no-eff-email --agree-tos
+    elif [ $domainwww = 0 ]; then
+        certbot --"$webserv" certonly -n -d "$domain" -m "$email" --hsts --redirect --no-eff-email --agree-tos
+    fi
+    certbot --"$webserv" certonly -n -d "$hostname" -m "$email" --hsts --redirect --no-eff-email --agree-tos
+    if curl --retry 2 --retry-delay 1 --output /dev/null --silent --head --fail "$repo"/raw/branch/"$branch"/CoreModules/"$webserv"/ssl-handler.sh; then
+        source <(curl --retry 7 --retry-delay 5 -s "$repo"/raw/branch/"$branch"/CoreModules/"$webserv"/ssl-handler.sh)
+    fi
+elif [ $sslenable = 0 ]; then
+    site_ext=nossl
 fi
 
 wget -q -t7 "$repo"/raw/branch/"$branch"/Scripts/EnableSSL.sh -O ~/activateSSL-$domain.sh
-sed -i -e 's/DOMAINname/'$domain'/' -e 's/CONFname/'$domain'/' -e 's/DomainWWW/'$domainwww'/' -e 's/Email/'$email'/' -e 's/WebServer/'$webserv'/' ~/activateSSL-$domain.sh
+sed -i -e 's/DOMAINname/'$domain'/' -e 's/CONFname/'$sitename'/' -e 's/DomainWWW/'$domainwww'/' -e 's/Email/'$email'/' -e 's/WebServer/'$webserv'/' ~/activateSSL-$domain.sh
 
 wget -q -t7 "$repo"/raw/branch/"$branch"/Scripts/EnableSSL.sh -O ~/activateSSL-Backend.sh
 sed -i -e 's/DOMAINname/'$hostname'/' -e 's/CONFname/'Backend'/' -e 's/DomainWWW/'0'/' -e 's/Email/'$email'/' -e 's/WebServer/'$webserv'/' ~/activateSSL-Backend.sh
 
-#Configuring CMS
+msg "                Configuring CMS"
 if curl --retry 2 --retry-delay 1 --output /dev/null --silent --head --fail "$repo"/raw/branch/"$branch"/CMS/"$CMS"/conf.sh; then
  source <(curl --retry 7 --retry-delay 5 -s "$repo"/raw/branch/"$branch"/CMS/"$CMS"/conf.sh)
 fi
@@ -497,6 +564,10 @@ if curl --retry 2 --retry-delay 1 --output /dev/null --silent --head --fail "$re
  source <(curl --retry 7 --retry-delay 5 -s "$repo"/raw/branch/"$branch"/CMS/"$CMS"/"$webserv"-conf.sh)
 fi
 
+if curl --retry 2 --retry-delay 1 --output /dev/null --silent --head --fail "$repo"/raw/branch/"$branch"/CMS/Backend/conf.sh; then
+ source <(curl --retry 7 --retry-delay 5 -s "$repo"/raw/branch/"$branch"/CMS/Backend/conf.sh)
+fi
+
 if curl --retry 2 --retry-delay 1 --output /dev/null --silent --head --fail "$repo"/raw/branch/"$branch"/CMS/Backend/"$webserv"-conf.sh; then
  source <(curl --retry 7 --retry-delay 5 -s "$repo"/raw/branch/"$branch"/CMS/Backend/"$webserv"-conf.sh)
 fi
@@ -506,11 +577,12 @@ fi
 #   Services   #
 ##------------##
 
-systemctl restart sshd
+systemctl reload sshd fail2ban postfix postfix@- 
 
 
 ##-------##
 #   Done  #
 ##-------##
 
-msg "                Done installing!"
+msg "                Done installing!"
+for f in /etc/update-motd.d/51*; do bash $f; done