ss-worker.txt

#!/bin/bash

####################################################################################################
#### author: SlickStack ############################################################################
#### link: https://slickstack.io ###################################################################
#### mirror: https://mirrors.slickstack.io/bash/ss-worker.txt ######################################
#### path: /var/www/ss-worker ######################################################################
#### destination: n/a (not a boilerplate) ##########################################################
#### purpose: Performs SlickStack maintenance tasks and retrieves the latest ss-check file #########
#### module version: Ubuntu 22.04 LTS ##############################################################
#### sourced by: ss-install, ss-update-modules #####################################################
#### bash aliases: ss worker #######################################################################
####################################################################################################

## SS-WORKER TAKES CARE OF MANY IMPORTANT TASKS AND CRITICAL PATCHES FOR SLICKSTACK ##
## DISABLE SLICKSTACK CRON JOBS AND SS-CONFIG INTERVALS AT YOUR OWN RISK ##

####################################################################################################
#### TABLE OF CONTENTS (SS-Worker) #################################################################
####################################################################################################

## this is a brief summary of the different code snippets you will find in this script ##
## each section should be commented so you understand what is being accomplished ##

## A. Source SS-Config + SS-Functions
## B. Touch Timestamp File
## C. Message (Begin Script)
## D. Backup Active SS-Config File
## D. Retrieve Current SS-Check (Bash Script)
## E. Transfer Pilot File Settings (If Exists)
## F. Install Current SS-Constants.php Boilerplate
## G. Reset Permissions (SlickStack)
## H. Download Current Blacklist.txt File
## I. Install Default Robots.txt File (If Not Exists)

## I. Delete Object Cache Files (Conditional)
## J. Temporary Tasks (Urgent Patches)

####################################################################################################
#### A. SS-Worker: Source SS-Config + SS-Functions #################################################
####################################################################################################

## before anything else we must source the critical variables that power this script ##
## ss-config is setup during ss-install wizard but ss-functions is hardcoded ##

## source ss-config ##
source /var/www/ss-config

## source ss-functions ##
source /var/www/ss-functions

## BELOW THIS RELIES ON SS-CONFIG AND SS-FUNCTIONS

####################################################################################################
#### B. SS-Worker: Touch Timestamp File ############################################################
####################################################################################################

## this is a dummy timestamp file that will remember the last time this script was run ##
## it can be useful for developer reference and is sometimes used by SlickStack ##

## script timestamp ##
ss_touch "${TIMESTAMP_SS_WORKER}"

####################################################################################################
#### C. SS-Worker: Message (Begin Script) ##########################################################
####################################################################################################

## this is a simple message that announces to the shell the purpose of this bash script ##
## it will only be noticed by sudo users who manually call ss core bash scripts ##

## echo message ##
ss_echo "${COLOR_INFO}Running ss-worker... ${COLOR_RESET}"

####################################################################################################
#### D. SS-Worker: Backup Active SS-Config File ####################################################
####################################################################################################

## this will replicate your current ss-config file (and settings) to the backups dir ##
## the oldest .bak files will be cleaned up periodically by ss-clean-files ##

## SNIPPET: ss-update-config, ss-worker
## UPDATED: 31MAY2022

## backup ss-config ##
ss_cp "${PATH_SS_CONFIG}" /var/www/backups/config/ss-config.bak.${SYSTEM_CURRENT_TIME}

####################################################################################################
#### D. SS-Worker: Retrieve Current SS-Check (Bash Script) #########################################
####################################################################################################

## here we retrieve the latest ss-check core bash script to improve overall redundancy ##
## thus ss-check avoids installing itself and no single point of failure (SPOF) ##

## retrieve current ss-check ##
ss_wget "${TMP_SS_CHECK}" "${MIRROR_SS_CHECK}"

## install ss-check ##
ss_mv "${TMP_SS_CHECK}" "${PATH_SS_CHECK}"

####################################################################################################
#### E. SS-Worker: Transfer Pilot File Settings (If Exists) ########################################
####################################################################################################

## this snippet retrieves the remote pilot file defined in ss-config and reads settings ##
## it will replace old settings with pilot settings for multi-server management ##

## retrieve pilot file if exists ##
if [[ -n "${SS_PILOT_FILE}" ]]; then 

    ss_wget "${TMP_SS_PILOT_FILE}" "${SS_PILOT_FILE}"

    ## read variables from pilot file ##
    PILOT_CLOUDFLARE_API_KEY=$(source /tmp/ss-pilot; echo "${CLOUDFLARE_API_KEY}")
    PILOT_CLOUDFLARE_API_EMAIL=$(source /tmp/ss-pilot; echo "${CLOUDFLARE_API_EMAIL}")
    PILOT_NGINX_HEADER_POWERED_BY=$(source /tmp/ss-pilot; echo "${NGINX_HEADER_POWERED_BY}")
    PILOT_PHP_EXTENSIONS=$(source /tmp/ss-pilot; echo "${PHP_EXTENSIONS}")
    PILOT_WHITELABEL_BRAND=$(source /tmp/ss-pilot; echo "${WHITELABEL_BRAND}")
    PILOT_WHITELABEL_HOMEPAGE=$(source /tmp/ss-pilot; echo "${WHITELABEL_HOMEPAGE}")
    PILOT_WHITELABEL_SUPPORT_URL=$(source /tmp/ss-pilot; echo "${WHITELABEL_SUPPORT_URL}")
    PILOT_WHITELABEL_SUPPORT_EMAIL=$(source /tmp/ss-pilot; echo "${WHITELABEL_SUPPORT_EMAIL}")
    PILOT_WP_PLUGIN_BLACKLIST=$(source /tmp/ss-pilot; echo "${WP_PLUGIN_BLACKLIST}")
    PILOT_WP_PLUGIN_BLACKLIST_SOURCE=$(source /tmp/ss-pilot; echo "${WP_PLUGIN_BLACKLIST_SOURCE}")

    ## whitelabel brand ##
    if [[ -n "${PILOT_WHITELABEL_BRAND}" ]]; then 
        ss_sed "s|\(^WHITELABEL_BRAND=\).*|WHITELABEL_BRAND=\"$PILOT_WHITELABEL_BRAND\"|g" "${PATH_SS_CONFIG}"
    fi

    ## whitelabel homepage ##
    if [[ -n "${PILOT_WHITELABEL_HOMEPAGE}" ]]; then 
        ss_sed "s|\(^WHITELABEL_HOMEPAGE=\).*|WHITELABEL_HOMEPAGE=\"$PILOT_WHITELABEL_HOMEPAGE\"|g" "${PATH_SS_CONFIG}"
    fi
    
    ## whitelabel support url ##
    if [[ -n "${PILOT_WHITELABEL_SUPPORT_URL}" ]]; then 
        ss_sed "s|\(^WHITELABEL_SUPPORT_URL=\).*|WHITELABEL_SUPPORT_URL=\"$PILOT_WHITELABEL_SUPPORT_URL\"|g" "${PATH_SS_CONFIG}"
    fi
    
    ## whitelabel support email ##
    if [[ -n "${PILOT_WHITELABEL_SUPPORT_EMAIL}" ]]; then 
        ss_sed "s|\(^WHITELABEL_SUPPORT_EMAIL=\).*|WHITELABEL_SUPPORT_EMAIL=\"$PILOT_WHITELABEL_SUPPORT_EMAIL\"|g" "${PATH_SS_CONFIG}"
    fi
    
    ## nginx header powered by ##
    if [[ -n "${PILOT_NGINX_HEADER_POWERED_BY}" ]]; then 
        ss_sed "s|\(^NGINX_HEADER_POWERED_BY=\).*|NGINX_HEADER_POWERED_BY=\"$PILOT_NGINX_HEADER_POWERED_BY\"|g" "${PATH_SS_CONFIG}"
    fi
    
    ## cloudflare api key ##
    if [[ -n "${PILOT_CLOUDFLARE_API_KEY}" ]]; then 
        ss_sed "s|\(^CLOUDFLARE_API_KEY=\).*|CLOUDFLARE_API_KEY=\"$PILOT_CLOUDFLARE_API_KEY\"|g" "${PATH_SS_CONFIG}"
    fi
    
    ## cloudflare api email ##
    if [[ -n "${PILOT_CLOUDFLARE_API_EMAIL}" ]]; then 
        ss_sed "s|\(^CLOUDFLARE_API_EMAIL=\).*|CLOUDFLARE_API_EMAIL=\"$PILOT_CLOUDFLARE_API_EMAIL\"|g" "${PATH_SS_CONFIG}"
    fi
    
    ## php extensions ##
    if [[ -n "${PILOT_PHP_EXTENSIONS}" ]]; then 
        ss_sed "s|\(^PHP_EXTENSIONS=\).*|PHP_EXTENSIONS=\"$PILOT_PHP_EXTENSIONS\"|g" "${PATH_SS_CONFIG}"
    fi
    
    ## plugin blacklist status 1 ##
    if [[ -n "${PILOT_WP_PLUGIN_BLACKLIST}" ]]; then 
        ss_sed "s|\(^SS_WORDPRESS_PLUGIN_BLACKLIST=\).*|SS_WORDPRESS_PLUGIN_BLACKLIST=\"$PILOT_WP_PLUGIN_BLACKLIST\"|g" "${PATH_SS_CONFIG}"
    fi
    
    ## plugin blacklist status 2 ##
    if [[ -n "${PILOT_WP_PLUGIN_BLACKLIST}" ]]; then 
        ss_sed "s|\(^WP_PLUGIN_BLACKLIST=\).*|WP_PLUGIN_BLACKLIST=\"$PILOT_WP_PLUGIN_BLACKLIST\"|g" "${PATH_SS_CONFIG}"
    fi
    
    ## plugin blacklist source 1 ##
    if [[ -n "${PILOT_WP_PLUGIN_BLACKLIST_SOURCE}" ]]; then 
        ss_sed "s|\(^SS_WORDPRESS_PLUGIN_BLACKLIST_SOURCE=\).*|SS_WORDPRESS_PLUGIN_BLACKLIST_SOURCE=\"$PILOT_WP_PLUGIN_BLACKLIST_SOURCE\"|g" "${PATH_SS_CONFIG}"
    fi
    
    ## plugin blacklist source 2 ##
    if [[ -n "${PILOT_WP_PLUGIN_BLACKLIST_SOURCE}" ]]; then 
        ss_sed "s|\(^WP_PLUGIN_BLACKLIST_SOURCE=\).*|WP_PLUGIN_BLACKLIST_SOURCE=\"$PILOT_WP_PLUGIN_BLACKLIST_SOURCE\"|g" "${PATH_SS_CONFIG}"
    fi

fi 

####################################################################################################
#### F. SS-Worker: Install Current SS-Constants.php Boilerplate ####################################
####################################################################################################

## here we use some janky magic to convert various system settings into PHP constants ##
## this allows us to use these handy PHP constants inside PHP scripts etc ##

## SNIPPET: ss-install-wordpress-config, ss-worker

## retrieve current boilerplate ##
ss_wget "${TMP_SS_CONSTANTS_PHP}" "${MIRROR_SS_CONSTANTS_PHP}"

## set SlickStack dashboard ##
if [[ -z "${SS_WORDPRESS_ADMIN_DASHBOARD}" ]]; then 
    ss_sed "s/@SS_WORDPRESS_ADMIN_DASHBOARD/true/g" "${TMP_SS_CONSTANTS_PHP}"
else 
    ss_sed "s/@SS_WORDPRESS_ADMIN_DASHBOARD/${SS_WORDPRESS_ADMIN_DASHBOARD}/g" "${TMP_SS_CONSTANTS_PHP}"
fi
    
SYSTEM_SERVER_SOFTWARE=$(nginx -v |& sed 's#nginx version: nginx/##')
SYSTEM_MYSQL_SIZE=$(du -sh /var/lib/mysql |& sed 's#/var/lib/mysql##')

if [[ "${UBUNTU_VERSION}" == "22.04" ]]; then
SYSTEM_MYSQL_VERSION=$(mysql --version |& awk '{print $3}' | sed 's/,//g')
fi

if [[ "${UBUNTU_VERSION}" == "20.04" ]]; then
SYSTEM_MYSQL_VERSION=$(mysql --version |& awk '{print $3}' | sed 's/,//g')
fi

if [[ "${UBUNTU_VERSION}" == "18.04" ]]; then
SYSTEM_MYSQL_VERSION=$(mysql --version |& awk '{print $5}' | sed 's/,//g')
fi

## ss build ##
ss_sed "s|@SS_BUILD|${SS_BUILD}|g" "${TMP_SS_CONSTANTS_PHP}"

## deprecated ##
## wp plugin blacklist ##
ss_sed "s|@SS_WORDPRESS_PLUGIN_BLACKLIST_SOURCE|${WP_PLUGIN_BLACKLIST_SOURCE}|g" "${TMP_SS_CONSTANTS_PHP}"
ss_sed "s|@SS_WORDPRESS_PLUGIN_BLACKLIST_STATUS|${WP_PLUGIN_BLACKLIST}|g" "${TMP_SS_CONSTANTS_PHP}"

## wp cron ##
ss_sed "s|@WP_CRON_METHOD|${WP_CRON_METHOD}|g" "${TMP_SS_CONSTANTS_PHP}"
ss_sed "s|@WP_CRON_INTERVAL|${WP_CRON_INTERVAL}|g" "${TMP_SS_CONSTANTS_PHP}"

## server info ##
ss_sed "s|@SYSTEM_VENDOR|${SYSTEM_VENDOR}|g" "${TMP_SS_CONSTANTS_PHP}"
ss_sed "s|@SYSTEM_VIRTUAL|${SYSTEM_VIRTUAL}|g" "${TMP_SS_CONSTANTS_PHP}"
ss_sed "s|@SYSTEM_LINUX_KERNEL|${SYSTEM_LINUX_KERNEL}|g" "${TMP_SS_CONSTANTS_PHP}"
ss_sed "s|@SYSTEM_CPU_CORES|${SYSTEM_CPU_CORES}|g" "${TMP_SS_CONSTANTS_PHP}"
ss_sed "s|@SYSTEM_OS_PRETTY_NAME|${SYSTEM_OS_PRETTY_NAME}|g" "${TMP_SS_CONSTANTS_PHP}"

## mysql version ##
if [[ "${SS_DATABASE_REMOTE}" != "false" ]]; then
    ss_sed "/MYSQL_VERSION/d" "${TMP_SS_CONSTANTS_PHP}"
else
    ss_sed "s|@SYSTEM_MYSQL_VERSION|${SYSTEM_MYSQL_VERSION}|g" "${TMP_SS_CONSTANTS_PHP}"
fi

## mysql database size ##
if [[ "${SS_DATABASE_REMOTE}" != "false" ]]; then
    ss_sed "/MYSQL_SIZE/d" "${TMP_SS_CONSTANTS_PHP}"
else
    ss_sed "s|@SYSTEM_MYSQL_SIZE|${SYSTEM_MYSQL_SIZE}|g" "${TMP_SS_CONSTANTS_PHP}"
fi

## disk free space ##
ss_sed "s|@SYSTEM_DISK_FREE_EASY|${SYSTEM_DISK_FREE_EASY}|g" "${TMP_SS_CONSTANTS_PHP}"
ss_sed "s|@SYSTEM_DISK_FREE|${SYSTEM_DISK_FREE}|g" "${TMP_SS_CONSTANTS_PHP}"

## disk total space ##
ss_sed "s|@SYSTEM_DISK_TOTAL_EASY|${SYSTEM_DISK_TOTAL_EASY}|g" "${TMP_SS_CONSTANTS_PHP}"
ss_sed "s|@SYSTEM_DISK_TOTAL|${SYSTEM_DISK_TOTAL}|g" "${TMP_SS_CONSTANTS_PHP}"

ss_sed "s|@SYSTEM_DISK_USED_PERCENT|${SYSTEM_DISK_USED_PERCENT}|g" "${TMP_SS_CONSTANTS_PHP}"

## ipv4 address ##
ss_sed "s|@SYSTEM_IPV4_ADDRESS|${SYSTEM_IPV4_ADDRESS}|g" "${TMP_SS_CONSTANTS_PHP}"

## ipv6 address ##
ss_sed "s|@SYSTEM_IPV6_ADDRESS|${SYSTEM_IPV6_ADDRESS}|g" "${TMP_SS_CONSTANTS_PHP}"

## server hostname ##
ss_sed "s|@SYSTEM_HOSTNAME|${SYSTEM_HOSTNAME}|g" "${TMP_SS_CONSTANTS_PHP}"

## nginx version ##
ss_sed "s|@SYSTEM_SERVER_SOFTWARE|${SYSTEM_SERVER_SOFTWARE}|g" "${TMP_SS_CONSTANTS_PHP}"

SYSTEM_PHP_VERSION=$(php -v | awk '/^PHP/{print $2}' | awk -F '\\-*' '{print $1""}')

SYSTEM_PHP_EXTENSIONS=$(php -m | paste -s -d , | sed -e 's/,/, /g' | awk -F 'zlib' '{print $1"zlib"}' | sed -e 's#\[PHP Modules\], ##g')

## php version ##
ss_sed "s|@SYSTEM_PHP_VERSION|${SYSTEM_PHP_VERSION}|g" "${TMP_SS_CONSTANTS_PHP}"

## php extensions ##
ss_sed "s|@SYSTEM_PHP_EXTENSIONS|${SYSTEM_PHP_EXTENSIONS}|g" "${TMP_SS_CONSTANTS_PHP}"

## sftp details ##
ss_sed "s|@SFTP_USER|${SFTP_USER}|g" "${TMP_SS_CONSTANTS_PHP}"
ss_sed "s|@SFTP_PASSWORD|${SFTP_PASSWORD}|g" "${TMP_SS_CONSTANTS_PHP}"
ss_sed "s|@SFTP_PORT|${SSH_PORT}|g" "${TMP_SS_CONSTANTS_PHP}"

## cloudflare api ##
ss_sed "s|@CLOUDFLARE_API_KEY|${CLOUDFLARE_API_KEY}|g" "${TMP_SS_CONSTANTS_PHP}"
ss_sed "s|@CLOUDFLARE_API_EMAIL|${CLOUDFLARE_API_EMAIL}|g" "${TMP_SS_CONSTANTS_PHP}"

## whitelabel ##
ss_sed "s|@WHITELABEL_BRAND|${WHITELABEL_BRAND}|g" "${TMP_SS_CONSTANTS_PHP}"
ss_sed "s|@WHITELABEL_HOMEPAGE|${WHITELABEL_HOMEPAGE}|g" "${TMP_SS_CONSTANTS_PHP}"
ss_sed "s|@WHITELABEL_SUPPORT_URL|${WHITELABEL_SUPPORT_URL}|g" "${TMP_SS_CONSTANTS_PHP}"
ss_sed "s|@WHITELABEL_SUPPORT_EMAIL|${WHITELABEL_SUPPORT_EMAIL}|g" "${TMP_SS_CONSTANTS_PHP}"

## staging/dev ##
ss_sed "s|@STAGING_SITE_STATUS|${STAGING_SITE}|g" "${TMP_SS_CONSTANTS_PHP}"
ss_sed "s|@DEV_SITE_STATUS|${DEV_SITE}|g" "${TMP_SS_CONSTANTS_PHP}"
ss_sed "s|@SYNC_STAGING_SITE_STATUS|${SS_SYNC_STAGING}|g" "${TMP_SS_CONSTANTS_PHP}"

## validate and reinstall ##
VALIDATE_TMP_SS_CONSTANTS_PHP=$(grep 'SS_EOF' "$TMP_SS_CONSTANTS_PHP")
if [[ -n "${VALIDATE_TMP_SS_CONSTANTS_PHP}" ]]; then
    ss_mv "${TMP_SS_CONSTANTS_PHP}" "${PATH_SS_CONSTANTS_PHP}"
    chown www-data:www-data "${PATH_SS_CONSTANTS_PHP}"
    chmod 0440 "${PATH_SS_CONSTANTS_PHP}" ## 0440 (read-only)
fi 

####################################################################################################
#### G. SS-Worker: Reset Permissions (SlickStack) ##################################################
####################################################################################################

## we hardcode this permissions reset snippet into some core scripts for redundancy ##
## this ensures permissions are regularly fixed without any dependencies ##

## THIS SNIPPET DOES NOT RELY ON SS-CONFIG OR SS-FUNCTIONS ##

## SNIPPET: ss-worker, ss core cron jobs
## UPDATED: 18OCT2022

## make directories ##
mkdir /var/www
mkdir /var/www/auth
mkdir /var/www/backups
mkdir /var/www/backups/config
mkdir /var/www/backups/html
mkdir /var/www/backups/mysql
mkdir /var/www/backups/mysql/data
mkdir /var/www/backups/private ## create only if does not exist yet (this folder is for the sudo user to save random files he desires)
mkdir /var/www/cache
mkdir /var/www/cache/nginx
mkdir /var/www/cache/opcache
mkdir /var/www/cache/system
mkdir /var/www/certs
mkdir /var/www/certs/keys
mkdir /var/www/crons
mkdir /var/www/crons/custom
mkdir /var/www/html
mkdir /var/www/html/.well-known
mkdir /var/www/html/.well-known/acme-challenge
mkdir /var/www/logs
mkdir /var/www/meta
mkdir /var/www/meta/assets
mkdir /var/www/meta/assets/images
mkdir /var/www/meta/timestamps
mkdir /var/www/sites
touch /var/www/meta/.htpasswd

## if staging enabled
if [[ "$STAGING_SITE" != "false" ]]; then 
    mkdir /var/www/html/staging
    mkdir /var/www/html/staging/.well-known
    mkdir /var/www/html/staging/.well-known/acme-challenge
    chown -R "${SFTP_USER}":www-data /var/www/html/staging/.well-known ## accessed by server for e.g. Cerbot but also by SFTP user for things like Stripe ##
    chown -R "${SFTP_USER}":www-data /var/www/html/staging/.well-known/acme-challenge ## accessed by server for e.g. Cerbot but also by SFTP user for things like Stripe ##
fi

## if dev enabled
if [[ "$DEV_SITE" != "false" ]]; then 
    mkdir /var/www/html/dev
    mkdir /var/www/html/dev/.well-known
    mkdir /var/www/html/dev/.well-known/acme-challenge
    chown -R "${SFTP_USER}":www-data /var/www/html/dev/.well-known ## accessed by server for e.g. Cerbot but also by SFTP user for things like Stripe ##
    chown -R "${SFTP_USER}":www-data /var/www/html/dev/.well-known/acme-challenge ## accessed by server for e.g. Cerbot but also by SFTP user for things like Stripe ##
fi

## user/group ownership ##
chown root:root /var/www ## must be root:root
chown root:root /var/www/backups ## must be root:root
chown root:root /var/www/backups/config ## must be root:root
chown root:root /var/www/backups/mysql ## must be root:root
chown root:root /var/www/backups/mysql/data ## must be root:root
chown -R root:root /var/www/backups/private ## must be root:root
chown www-data:www-data /var/www/cache ## must be www-data:www-data
chown www-data:www-data /var/www/cache/nginx ## must be www-data:www-data
chown www-data:www-data /var/www/cache/opcache ## must be www-data:www-data (PHP-FPM pool)
chown root:root /var/www/cache/system ## must be root:root
chown root:root /var/www/certs ## must be root:root
chown root:root /var/www/certs/keys ## must be root:root
chown root:root /var/www/crons ## must be root:root
chown root:root /var/www/crons/*cron* ## must be root:root
chown root:root /var/www/crons/custom ## must be root:root
chown root:root /var/www/crons/custom/*cron* ## must be root:root
chown -R "${SFTP_USER}":www-data /var/www/html/.well-known ## accessed by server for e.g. Cerbot but also by SFTP user for things like Stripe ##
chown -R "${SFTP_USER}":www-data /var/www/html/.well-known/acme-challenge ## accessed by server for e.g. Cerbot but also by SFTP user for things like Stripe ##
chown www-data:www-data /var/www/logs ## must be www-data:www-data
chown www-data:www-data /var/www/meta ## must be www-data:www-data
chown www-data:www-data /var/www/meta/.htpasswd ## must be www-data:www-data
chown www-data:www-data /var/www/meta/ss-constants.php ## must be www-data:www-data
chown root:root /var/www/ss* ## must be root:root

## linux permissions ##
chmod 0755 /var/www ## must be 0755
chmod 0775 /var/www/cache ## 0755 should also work
chmod 0755 /var/www/cache/opcache ## 0755 should work
chmod 0755 /var/www/certs ## must be 0755
chmod 0700 /var/www/certs/keys ## must be 0700
chmod 0644 /var/www/certs/*.crt ## must be 0644
chmod 0644 /var/www/certs/*.pem ## must be 0644
chmod 0600 /var/www/certs/keys/*.key ## must be 0600
chmod 0600 /var/www/certs/keys/*.pem ## must be 0600
chmod 0755 /var/www/crons ## must be 0755
chmod 0700 /var/www/crons/*cron* ## 0700 means only root can execute
chmod 0755 /var/www/crons/custom ## must be 0755
chmod 0700 /var/www/crons/custom/*cron* ## 0700 means only root can execute
chmod 0755 /var/www/html/.well-known ## accessed by server for e.g. Cerbot but also by SFTP user for things like Stripe ##
chmod 0775 /var/www/logs ## 6755 should also work
chmod 0775 /var/www/meta ## 6755 should also work
chmod 0644 /var/www/meta/.htpasswd ## 0644 seems enough
chmod 0440 /var/www/meta/ss-constants.php
chmod 0700 /var/www/ss* ## 0700 means only root can execute

####################################################################################################
#### H. SS-Worker: Download Current Blacklist.txt File #############################################
####################################################################################################

## here we retrieve the latest plugin blacklist file which might contain urgent changes ##
## maintaining a thoughtful blacklist vastly improves WP performance and security ##

## download latest blacklist (or custom blacklist) ##
if [[ -z "${WP_PLUGIN_BLACKLIST_SOURCE}" ]]; then 
    ss_wget "${TMP_BLACKLIST_TXT}" "${MIRROR_BLACKLIST_TXT}"
else
    ss_wget "${TMP_BLACKLIST_TXT}" "${WP_PLUGIN_BLACKLIST_SOURCE}"
fi

## copy file to wp-content directory ##
ss_mkdir /var/www/html/wp-content/
ss_cp "${TMP_BLACKLIST_TXT}" /var/www/html/wp-content/blacklist.txt

## reset permissions ##
chown www-data:slickstack /var/www/html/wp-content/blacklist.txt ## change to www-data:www-data when ss-perms fixed
chmod 0440 /var/www/html/wp-content/blacklist.txt

## NULL blacklist.txt if ss-config false (allows default SS MU plugin to be installed while still being able to disable plugin blacklist) ##
if [[ "${WP_PLUGIN_BLACKLIST}" == "false" ]]; then 
cat /dev/null > /var/www/html/wp-content/blacklist.txt
    if [[ "${DEV_SITE}" != "false" ]]; then 
        ss_touch /var/www/html/dev/wp-content/blacklist.txt
        cat /dev/null > /var/www/html/dev/wp-content/blacklist.txt
    fi
    if [[ "${STAGING_SITE}" != "false" ]]; then 
        ss_touch /var/www/html/staging/wp-content/blacklist.txt
        cat /dev/null > /var/www/html/staging/wp-content/blacklist.txt
    fi
fi

####################################################################################################
#### I. SS-Worker: Install Default Robots.txt File (If Not Exists) #################################
####################################################################################################

## here we install a basic robots.txt file in case none exists yet on production site ##
## by default we allow all URLs to be crawled and block archive.org crawling ##

if [[ ! -f "${PATH_ROBOTS_TXT}" ]]; then 
    ss_wget "${TMP_ROBOTS_TXT}" "${MIRROR_ROBOTS_TXT}"
    ss_cp "${TMP_ROBOTS_TXT}" "${PATH_ROBOTS_TXT}"
    chown www-data:www-data "${PATH_ROBOTS_TXT}"
    chmod 0644 "${PATH_ROBOTS_TXT}"
fi

####################################################################################################
#### I. SS-Clean-Files: Delete Object Cache Files (Conditional) ####################################
####################################################################################################

## SINCE THIS IS STACK CONFIGURATION PROBABLY SHOULD NOT EXIST IN ss-clean ##
## in case the object cache is disabled in ss-config settings we delete that file here ##

## delete from staging/dev (always) ##
ss_rm /var/www/html/staging/wp-content/object-cache.php
ss_rm /var/www/html/dev/wp-content/object-cache.php

## delete from production (conditional) ##
if [[ "${SS_OBJECT_CACHE}" == "false" ]]; then
    ss_rm /var/www/html/wp-content/object-cache.php
fi

####################################################################################################
#### J. SS-Worker: Image Assets ################################################
####################################################################################################

#####
ss_rm /var/www/meta/assets/*.png
ss_rm /var/www/meta/assets/images/security-headers.png
ss_rm /var/www/meta/assets/images/ssl-labs.png

####################################################################################################
#### J. SS-Worker: Temporary Tasks (Urgent Patches) ################################################
####################################################################################################

## our team uses the below space to occassionally add urgent patches to SlickStack ##
## this is usually easier as it doesnt depend on your interval_ss settings ##

# if [[ "${SS_LOCKDOWN}" != "true" ]]; then
# source /var/www/ss-install-nginx-config
# source /var/www/ss-install-wordpress-cli
# source /var/www/ss-install-wordpress-core
# source /var/www/ss-install-wordpress-config
# source /var/www/ss-install-wordpress-mu-plugins
# source /var/www/ss-perms
# source /var/www/ss-install-ubuntu-bash
# source /var/www/ss-install-ubuntu-users
# source /var/www/ss-encrypt-openssl
# source /var/www/ss-encrypt-certbot
# source /var/www/ss-reboot
# source /var/www/ss-install-ubuntu-crontab
# source /var/www/ss-update-config
# source /var/www/ss-install-ufw
# fi

## forced fixes ##
ss_sed 's|SS_LOCKDOWN=""|SS_LOCKDOWN="false"|g' /var/www/ss-config
ss_sed 's|SSH_KEYS=""|SSH_KEYS="false"|g' /var/www/ss-config
ss_sed 's|SSH_RESTRICT_IP=""|SSH_RESTRICT_IP="false"|g' /var/www/ss-config
ss_sed 's|SITE_NOINDEX=""|SITE_NOINDEX="false"|g' /var/www/ss-config
ss_sed 's|DB_HOST=""|DB_HOST="127.0.0.1"|g' /var/www/ss-config
ss_sed 's|DB_PORT=""|DB_PORT="3306"|g' /var/www/ss-config
ss_sed 's|DB_PREFIX=""|DB_PREFIX="wp_"|g' /var/www/ss-config
ss_sed 's|DEV_SITE=""|DEV_SITE="false"|g' /var/www/ss-config
ss_sed 's|DEV_SITE_PROTECT=""|DEV_SITE_PROTECT="false"|g' /var/www/ss-config
ss_sed 's|STAGING_SITE=""|STAGING_SITE="false"|g' /var/www/ss-config
ss_sed 's|STAGING_SITE_PROTECT=""|STAGING_SITE_PROTECT="false"|g' /var/www/ss-config
ss_sed 's|GUEST_USER=""|GUEST_USER="guest"|g' /var/www/ss-config
ss_sed 's|SS_APP=""|SS_APP="wordpress"|g' /var/www/ss-config
ss_sed 's|SS_LANGUAGE=""|SS_LANGUAGE="en_US"|g' /var/www/ss-config
ss_sed 's|SS_ADMINER_PUBLIC=""|SS_ADMINER_PUBLIC="true"|g' /var/www/ss-config
ss_sed 's|SS_DATABASE_REMOTE=""|SS_DATABASE_REMOTE="false"|g' /var/www/ss-config
ss_sed 's|SS_OBJECT_CACHE=""|SS_OBJECT_CACHE="true"|g' /var/www/ss-config
ss_sed 's|SS_SYNC_DEVELOPMENT=""|SS_SYNC_DEVELOPMENT="false"|g' /var/www/ss-config
ss_sed 's|SS_SYNC_STAGING=""|SS_SYNC_STAGING="true"|g' /var/www/ss-config
ss_sed 's|SS_REMOTE_BACKUPS=""|SS_REMOTE_BACKUPS="false"|g' /var/www/ss-config
ss_sed 's|SS_PILOT_FILE="@SS_PILOT_FILE"|SS_PILOT_FILE=""|g' /var/www/ss-config
ss_sed 's|WP_MULTISITE=""|WP_MULTISITE="false"|g' /var/www/ss-config
ss_sed 's|WP_MULTISITE_SUBDOMAINS=""|WP_MULTISITE_SUBDOMAINS="true"|g' /var/www/ss-config
ss_sed 's|WP_DEFAULT_THEME=""|WP_DEFAULT_THEME="twentytwenty"|g' /var/www/ss-config
ss_sed 's|WP_PLUGIN_BLACKLIST=""|WP_PLUGIN_BLACKLIST="true"|g' /var/www/ss-config

ss_sed 's|INTERVAL_SS_ENCRYPT_CERTBOT="sometimes"|INTERVAL_SS_ENCRYPT_CERTBOT="half-monthly"|g' /var/www/ss-config

## port 22 patch finished we will no longer disable UFW ##
## to avoid potential lockouts we will not force-enable UFW until possibly later ##

if [[ ! -f "/var/www/html/wp-content/mu-plugins/ss-icon.svg" ]]; then 
    ss_wget "${TMP_SS_ICON_SVG}" "${MIRROR_SS_ICON_SVG}"
    ss_mv "${TMP_SS_ICON_SVG}" "${PATH_SS_ICON_SVG}"
fi

# if [[ "${WP_MULTISITE}" == "true" ]]; then
#    source /var/www/ss-install-nginx-config
# fi

####################################################################################################
#### PLACEHOLDER: Reset Permissions (SlickStack Scripts) ###########################################
####################################################################################################

## we include this permissions reset in all cron jobs and bash scripts for redundancy ##
## chmod 0700 means only the root/sudo users can execute any SlickStack scripts ##

## THIS SNIPPET DOES NOT RELY ON SS-CONFIG OR SS-FUNCTIONS
## SNIPPET: ss bash scripts, ss cron jobs
## UPDATED: 02JUL2022

chown root:root /var/www/ss* ## must be root:root
chown root:root /var/www/crons/*cron* ## must be root:root
chown root:root /var/www/crons/custom/*cron* ## must be root:root
chmod 0700 /var/www/ss* ## 0700 means only root/sudo can execute
chmod 0700 /var/www/crons/*cron* ## 0700 means only root/sudo can execute
chmod 0700 /var/www/crons/custom/*cron* ## 0700 means only root/sudo can execute

####################################################################################################
#### SlickStack: External References Used To Improve This Script (Thanks, Interwebz) ###############
####################################################################################################

## Ref: https://linuxize.com/post/bash-functions/
## Ref: https://www.cyberciti.biz/faq/unix-linux-appleosx-bsd-shell-appending-date-to-filename/
## Ref: https://wordpress.stackexchange.com/questions/199725/triggering-cron-by-calling-wp-cron-php-on-the-command-line-rather-than-with-wget
## Ref: https://serverfault.com/questions/259302/best-location-to-keep-ssl-certificates-and-private-keys-on-ubuntu-servers
## Ref: https://tldp.org/LDP/abs/html/comparison-ops.html
## Ref: https://stackoverflow.com/questions/33203898/wget-skip-download-if-file-already-exists
## Ref: https://stackoverflow.com/questions/12664534/idealised-wget-download-install-process
## Ref: https://unix.stackexchange.com/questions/471521/how-to-get-only-the-version-number-of-php
## Ref: https://stackoverflow.com/questions/62271695/sed-command-isnt-working-to-extract-the-nginx-version-number
## Ref: https://unix.stackexchange.com/questions/67806/how-to-recursively-find-the-amount-stored-in-directory
## Ref: https://www.tecmint.com/check-linux-disk-usage-of-files-and-directories/
## Ref: https://dba.stackexchange.com/questions/14337/calculating-disk-space-usage-per-mysql-db
## Ref: https://serverfault.com/questions/693027/how-to-extract-mysql-version-by-bash-script-in-centos-6
## Ref: https://ss64.com/bash/stat.html
## Ref: https://stackoverflow.com/questions/8714355/turning-multi-line-string-into-single-comma-separated
## Ref: https://unix.stackexchange.com/questions/104881/remove-particular-characters-from-a-variable-using-bash
## Ref: https://unix.stackexchange.com/questions/257514/how-to-delete-the-rest-of-each-line-after-a-certain-pattern-or-a-string-in-a-fil
## Ref: https://stackoverflow.com/questions/8049132/how-can-i-detect-whether-a-symlink-is-broken-in-bash

## SS_EOF