# Fedora based LEMP Setup List

*Inspired by the version permutation nightmares caused by sites like [this one](https://www.howtoforge.com/how-to-install-nginx-with-php-and-mariadb-lemp-stack-on-fedora-32/)*

## Install packages

### Massive swiss-army knife setup

```
dnf install certbot certbot-nginx cockpit htop iftop iptraf nano openssh-server net-tools nginx* rsync screen vim wget && dnf groupinstall "Development Tools" "Web Server" "Mysql" "php"
```

### Or Less Extra

```
dnf install certbot certbot-nginx nginx
dnf install vim nano rsync screen wget net-tools htop iftop iptraf openssh-server bash-completion
dnf groupinstall "Development Tools" "Web Server" "Mysql" "php"
```

### More butter Rocky variant

```
dnf install epel-release
dnf install git vim nano rsync screen wget net-tools htop iftop iptraf openssh-server bash-completion mariadb mariadb-server certbot python3-certbot-nginx nginx php-fpm
dnf groupinstall "Development Tools"
```

## Add non-root administrator

```
adduser user
usermod -aG wheel user
passwd user
vi /etc/sudoers
sudo -i -u user
```

## Configure SSH

`ssh-keygen -t rsa -b 4096`

### Change port and root login settings

`vi /etc/ssh/sshd_config`

### Add keys (also see `ssh-copy-id`)

`vi .ssh/authorized_keys`

## Firewall settings

```
systemctl enable firewalld
systemctl start firewalld
systemctl stop firewalld
systemctl restart firewalld
firewall-cmd --state
firewall-cmd --set-default-zone=public
firewall-cmd --zone=public --permanent --list-services
firewall-cmd --zone=public --permanent --add-service=http
firewall-cmd --zone=public --permanent --add-service=https
firewall-cmd --add-port 20022/tcp
firewall-cmd --permanent --add-port 20022/tcp
firewall-cmd --permanent --add-port YOUR_PORT_HERE/tcp
firewall-cmd --remove-service ssh --permanent   # only after sshd listens on the new port and a login over it has been verified
firewall-cmd --reload
systemctl reload firewalld
```

## MariaDB

```
systemctl enable mariadb
systemctl start mariadb
mysql_secure_installation # Y-N-Y-Y-Y-Y
mysql -u root -p
CREATE USER 'user1'@localhost IDENTIFIED BY 'password1';
CREATE USER 'namenode'@localhost IDENTIFIED BY ':passwd';
GRANT ALL PRIVILEGES ON *.* TO 'user1'@localhost IDENTIFIED BY 'password1';
GRANT ALL PRIVILEGES ON *.* TO 'user2'@localhost IDENTIFIED BY 'passwd2';
FLUSH PRIVILEGES;
SHOW GRANTS FOR 'user1'@localhost;
SHOW GRANTS FOR 'user2'@localhost;
CREATE DATABASE `yourDB`;   # identifiers take backticks, not single quotes
SHOW DATABASES;
DROP USER 'user1'@localhost; # Just for example to show how to delete a user
```

## Redis Setup

```
dnf install redis php-redis
sudo systemctl enable --now redis
vi /etc/redis/redis.conf
```

Change `bind` (0.0.0.0), `requirepass`, `port` (a custom one, such as the 26379 opened below), `maxmemory` (256mb), and `maxmemory-policy allkeys-lru`. With `bind 0.0.0.0` Redis listens on every interface, so set `requirepass` before restarting; if only the local php-redis client needs it, the default `bind 127.0.0.1` can stay and the firewall port is not needed.

`systemctl restart redis`

```
firewall-cmd --zone=public --permanent --add-port=26379/tcp
firewall-cmd --reload
```

## NGINX

### Important working directories:

```
/usr/share/nginx/
/etc/nginx/
```

### Create user working directory for custom configuration files:

```
mkdir /etc/nginx/sites-available              # Create a directory for per-site nginx .conf files
mkdir -p /usr/share/nginx/example.com/html    # Create new webroot with specified structure
```

### Now we can create a new config file to start with:

`vi /etc/nginx/sites-available/example.com.conf`

### Link it to active conf directory

`ln -s /etc/nginx/sites-available/example.com.conf /etc/nginx/conf.d/`

### If it is required at some point, removing that symlink is as easy as:

`rm /etc/nginx/conf.d/example.com.conf`

### Now we edit the nginx.conf

`vi /etc/nginx/nginx.conf`

### Set the following lines after the line "include /etc/nginx/conf.d/*.conf" (if not already set):

```
server_names_hash_bucket_size 64;   # Should already exist in recent versions
types_hash_max_size 4096;           # Should already be set
```

### Comment out the root location directive in the default server block (can be uncommented after setup, so it does not confuse the cache while testing)

**To test and reload the configuration:**

`nginx -t`

`systemctl reload nginx`

### Simple recap moving forward:

```
systemctl start nginx
systemctl restart nginx
systemctl enable nginx
systemctl status nginx
systemctl reload nginx
nginx -t
mkdir /etc/nginx/sites-available
mkdir -p /usr/share/nginx/example.com/html
vi /etc/nginx/sites-available/example.com.conf
ln -s /etc/nginx/sites-available/example.com.conf /etc/nginx/conf.d/
vi /etc/nginx/nginx.conf   # comment out the root in the default server block (troubleshooting)
systemctl reload nginx
```

## PHP-FPM setup

### Change the pool user to nginx in the configuration:

```
vi /etc/php-fpm.d/www.conf
systemctl enable php-fpm
systemctl restart php-fpm
```

### PHP-OPCache setup

`vi /etc/php.d/10-opcache.ini`

```
opcache.enable_cli=1
opcache.memory_consumption=128
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=4000
opcache.revalidate_freq=60
```

`systemctl restart php-fpm`

`systemctl reload nginx`

### phpMyAdmin setup

```
dnf install phpmyadmin
ln -s /usr/share/phpMyAdmin/ /usr/share/nginx/hosting.namenode.xyz/dbpma
chown -R nginx:nginx /var/lib/php/session
chown -R nginx:nginx /var/lib/phpMyAdmin
chown -R nginx:nginx /etc/phpMyAdmin
vi /etc/phpMyAdmin/config.inc.php
```

```
$cfg['Servers'][$i]['AllowNoPassword'] = false;
$cfg['Servers'][$i]['AllowRoot'] = false;
$cfg['TempDir'] = '/var/lib/phpMyAdmin/temp';
```

`systemctl reload php-fpm`

`systemctl reload nginx`

### Securing phpMyAdmin further

```
vi pass-infile                   # make a password for openssl to hash - one line, no spaces
openssl passwd -in pass-infile   # copy the output (your hashed password)
vi /etc/nginx/pma_pass           # create a user/pass pair for the authentication gateway
```

### Format:

```
user:p@s$w0Rd   # one line; the part after the colon is the hash copied from openssl passwd, not the plaintext
```

### Add the required "dbpma" section

`vi /etc/nginx/sites-available/example.com.conf`

`systemctl reload nginx`

[Install and secure PMA with NGINX Ubuntu 18.04](https://www.digitalocean.com/community/tutorials/how-to-install-and-secure-phpmyadmin-with-nginx-on-an-ubuntu-18-04-server)

## Cockpit Setup

`vi /etc/cockpit/cockpit.conf`

`vi /etc/nginx/sites-available/example.com.conf`

[Proxying Cockpit over NGINX](https://github.com/cockpit-project/cockpit/wiki/Proxying-Cockpit-over-nginx)

[Reverse proxy Cockpit over NGINX](https://www.freesoftwareservers.com/display/FREES/Reverse+Proxy+Cockpit+over+NGinX)

## Certbot setup (Examples)

```
certbot --nginx -d example.com -d www.example.com
certbot --nginx --agree-tos -d example.com -d www.example.com --email your-email-address
certbot --nginx --agree-tos --redirect --hsts --staple-ocsp --must-staple -d example.com -d www.example.com --email your-email-address
```

`EDITOR=vim crontab -e`

```
25 2 * * 0 /usr/bin/certbot renew --quiet   # Every Sunday 2:25am
```

Fedora's certbot package also ships a `certbot-renew.timer` systemd unit; enable either the timer or the cron entry, not both, so renewals are not attempted twice.
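The `example.com.conf` that the NGINX section creates and symlinks, together with the "dbpma" section the phpMyAdmin steps ask for, as one added example written for this page (not taken from the original list or from the linked tutorials). It assumes Fedora's default php-fpm socket `/run/php-fpm/www.sock` and that the phpMyAdmin symlink sits at `dbpma` inside the `/usr/share/nginx/example.com/html` webroot; the Cockpit proxy is not included.

```nginx
# /etc/nginx/sites-available/example.com.conf  (symlinked into /etc/nginx/conf.d/)
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;   # certbot --nginx adds the TLS server block later
    root /usr/share/nginx/example.com/html;
    index index.php index.html;

    access_log /var/log/nginx/example.com.access.log;
    error_log  /var/log/nginx/example.com.error.log;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # Hand .php requests to the pool from /etc/php-fpm.d/www.conf.
    # The socket path is Fedora's default and is an assumption.
    location ~ \.php$ {
        try_files $uri =404;   # reject paths that do not exist before php-fpm sees them
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php-fpm/www.sock;
    }

    # The "dbpma" section: phpMyAdmin is the symlink created inside the webroot.
    # "^~" stops the server-level \.php$ regex from winning the match, which
    # would otherwise serve /dbpma/index.php without asking for the basic-auth password.
    location ^~ /dbpma {
        auth_basic "Database admin";
        auth_basic_user_file /etc/nginx/pma_pass;   # user:hash lines from openssl passwd

        # auth_basic above is inherited by this nested location
        location ~ \.php$ {
            try_files $uri =404;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass unix:/run/php-fpm/www.sock;
        }
    }

    # Block dotfiles (.git, .htpasswd ...) but keep /.well-known reachable for certbot's HTTP challenge
    location ~ /\.(?!well-known) {
        deny all;
    }
}
```

Run `nginx -t` after placing it; a request to `/dbpma/index.php` must answer 401 without credentials, which is the quick check that the nested location, not the server-level one, handled it.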
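As an added check that is not part of the original list, this sh script audits a copy of `sshd_config` for the three things the "Configure SSH" and "Firewall settings" sections change: the custom port (20022 above), root login disabled, and password authentication turned off once keys are in `authorized_keys`. The functions `sshd_get` and `sshd_audit` and the sample file are constructed here.

```sh
#!/bin/sh
# Added example, not from the original list: audit a copy of sshd_config for
# the settings the "Configure SSH" and firewall steps change (custom port,
# no root login, key-only auth). Plain sh + awk, so it needs no running sshd.

# Effective value of one keyword. sshd takes the FIRST occurrence, keywords
# are case-insensitive, "#" lines are comments, and anything after the first
# Match block is conditional, so we stop there. Assumes "Keyword value" form.
sshd_get() {  # sshd_get FILE KEYWORD
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        NF == 0          { next }
        { k = tolower($1) }
        k == "match"       { exit }
        k == tolower(key)  { print $2; exit }
    ' "$1"
}

# Print one line per finding; return 1 if anything deviates from the policy.
sshd_audit() {  # sshd_audit FILE EXPECTED_PORT
    file=$1; want_port=$2; rc=0
    port=$(sshd_get "$file" Port)
    root=$(sshd_get "$file" PermitRootLogin)
    pw=$(sshd_get "$file" PasswordAuthentication)
    [ "${port:-22}" = "$want_port" ] ||
        { echo "Port is ${port:-22, the default}; firewall opens ${want_port}/tcp"; rc=1; }
    [ "$root" = "no" ] ||
        { echo "PermitRootLogin is ${root:-unset, default prohibit-password}; want no"; rc=1; }
    [ "$pw" = "no" ] ||
        { echo "PasswordAuthentication is ${pw:-unset, default yes}; want no once keys are installed"; rc=1; }
    return $rc
}

# Constructed sample (not a real server's file): the stock config after the
# list's edits, with a later Match block that must not affect the global value.
sample=$(mktemp)
cat >"$sample" <<'EOF'
# sshd_config
#Port 22
Port 20022
permitrootlogin no
PasswordAuthentication no
Match User deploy
    PasswordAuthentication yes
EOF
if sshd_audit "$sample" 20022; then
    echo "sshd_config matches port 20022, no root login, key-only auth"
fi
rm -f "$sample"
```

Point `sshd_audit` at `/etc/ssh/sshd_config` with the port you opened in firewalld; `sshd -T` prints the effective values if you want to cross-check a drop-in under `sshd_config.d/`.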