init work on disabling root processes

Dockerfile

@@ -20,4 +20,6 @@ VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pr
 
 EXPOSE 8080/tcp 8443/tcp
 
+USER nginx
+
 ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]

Dockerfile-amd64

@@ -20,4 +20,6 @@ VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pr
 
 EXPOSE 8080/tcp 8443/tcp
 
+USER nginx
+
 ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]

Dockerfile-arm32v7

@@ -27,4 +27,6 @@ VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pr
 
 EXPOSE 8080/tcp 8443/tcp
 
+USER nginx
+
 ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]

Dockerfile-arm64v8

@@ -27,4 +27,6 @@ VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pr
 
 EXPOSE 8080/tcp 8443/tcp
 
+USER nginx
+
 ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]

Dockerfile-i386

@@ -20,4 +20,6 @@ VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pr
 
 EXPOSE 8080/tcp 8443/tcp
 
+USER nginx
+
 ENTRYPOINT ["/opt/entrypoint/entrypoint.sh"]

autoconf/AutoConf.py

@@ -5,6 +5,7 @@ class AutoConf :
 
 	def __init__(self, swarm, api) :
 		self.__swarm = swarm
+		self.__servers = {}
 		self.__instances = {}
 		self.__sites = {}
 		self.__config = Config(self.__swarm, api)
@@ -72,11 +73,11 @@ class AutoConf :
 	def __process_server(self, instance, event, id, name, labels) :
 		vars = { k.replace("bunkerized-nginx.", "", 1) : v for k, v in labels.items() if k.startswith("bunkerized-nginx.")}
 		if event == "create" :
-			if self.__config.generate(instances, vars) :
+			if self.__config.generate(self.__instances, vars) :
 				utils.log("[*] Generated config for " + vars["SERVER_NAME"])
-				self.__servers[id] = obj
+				self.__servers[id] = instance
 				if self.__swarm :
-					if self.__config.activate(instances, vars) :
+					if self.__config.activate(self.__instances, vars) :
 						utils.log("[*] Activated config for " + vars["SERVER_NAME"])
 					else :
 						utils.log("[!] Can't activate config for " + vars["SERVER_NAME"])
@@ -85,21 +86,21 @@ class AutoConf :
 		elif event == "start" :
 			if id in self.__servers :
 				self.__servers[id].reload()
-				if self.__config.activate(instances, vars) :
+				if self.__config.activate(self.__instances, vars) :
 					utils.log("[*] Activated config for " + vars["SERVER_NAME"])
 				else :
 					utils.log("[!] Can't activate config for " + vars["SERVER_NAME"])
 		elif event == "die" :
 			if id in self.__servers :
 				self.__servers[id].reload()
-				if self.__config.deactivate(instances, vars) :
+				if self.__config.deactivate(self.__instances, vars) :
 					utils.log("[*] Deactivated config for " + vars["SERVER_NAME"])
 				else :
 					utils.log("[!] Can't deactivate config for " + vars["SERVER_NAME"])
 		elif event == "destroy" or event == "remove" :
 			if id in self.__servers :
 				if self.__swarm :
-					if self.__config.deactivate(instances, vars) :
+					if self.__config.deactivate(self.__instances, vars) :
 						utils.log("[*] Deactivated config for " + vars["SERVER_NAME"])
 					else :
 						utils.log("[!] Can't deactivate config for " + vars["SERVER_NAME"])

autoconf/Dockerfile

@@ -8,7 +8,9 @@ RUN apk add py3-pip apache2-utils bash certbot curl logrotate openssl && \
     pip3 install docker requests && \
     mkdir /opt/entrypoint && \
     mkdir -p /opt/confs/site && \
-    mkdir -p /opt/confs/global
+    mkdir -p /opt/confs/global && \
+    addgroup -g 101 nginx && \
+    adduser -h /var/cache/nginx -g nginx -s /sbin/nologin -G nginx -D -H -u 101 nginx
 
 COPY confs/site/ /opt/confs/site
 COPY confs/global/ /opt/confs/global

autoconf/Dockerfile-amd64

@@ -4,7 +4,9 @@ RUN apk add py3-pip apache2-utils bash certbot curl logrotate openssl && \
     pip3 install docker requests && \
     mkdir /opt/entrypoint && \
     mkdir -p /opt/confs/site  && \
-    mkdir -p /opt/confs/global
+    mkdir -p /opt/confs/global && \
+    addgroup -g 101 nginx && \
+    adduser -h /var/cache/nginx -g nginx -s /sbin/nologin -G nginx -D -H -u 101 nginx
 
 COPY confs/site/ /opt/confs/site
 COPY entrypoint/* /opt/entrypoint/

autoconf/Dockerfile-arm32v7

@@ -11,7 +11,9 @@ RUN apk add py3-pip apache2-utils bash certbot curl logrotate openssl && \
     pip3 install docker requests && \
     mkdir /opt/entrypoint && \
     mkdir -p /opt/confs/site && \
-    mkdir -p /opt/confs/global
+    mkdir -p /opt/confs/global && \
+    addgroup -g 101 nginx && \
+    adduser -h /var/cache/nginx -g nginx -s /sbin/nologin -G nginx -D -H -u 101 nginx
 
 COPY confs/site/ /opt/confs/site
 COPY entrypoint/* /opt/entrypoint/

autoconf/Dockerfile-arm64v8

@@ -11,7 +11,9 @@ RUN apk add py3-pip apache2-utils bash certbot curl logrotate openssl && \
     pip3 install docker requests && \
     mkdir /opt/entrypoint && \
     mkdir -p /opt/confs/site && \
-    mkdir -p /opt/confs/global
+    mkdir -p /opt/confs/global && \
+    addgroup -g 101 nginx && \
+    adduser -h /var/cache/nginx -g nginx -s /sbin/nologin -G nginx -D -H -u 101 nginx
 
 COPY confs/site/ /opt/confs/site
 COPY entrypoint/* /opt/entrypoint/

autoconf/Dockerfile-i386

@@ -4,7 +4,9 @@ RUN apk add py3-pip apache2-utils bash certbot curl logrotate openssl && \
     pip3 install docker requests && \
     mkdir /opt/entrypoint && \
     mkdir -p /opt/confs/site && \
-    mkdir -p /opt/confs/global
+    mkdir -p /opt/confs/global && \
+    addgroup -g 101 nginx && \
+    adduser -h /var/cache/nginx -g nginx -s /sbin/nologin -G nginx -D -H -u 101 nginx
 
 COPY confs/site/ /opt/confs/site
 COPY entrypoint/* /opt/entrypoint/

compile.sh

@@ -50,8 +50,9 @@ make install-strip
 cd /tmp
 git_secure_clone https://github.com/coreruleset/coreruleset.git 7776fe23f127fd2315bad0e400bdceb2cabb97dc
 cd coreruleset
-cp -r rules /etc/nginx/owasp-crs
-cp crs-setup.conf.example /etc/nginx/owasp-crs.conf
+mkdir /opt/owasp
+cp -r rules /opt/owasp/crs
+cp crs-setup.conf.example /opt/owasp/crs.conf
 
 # get nginx modules
 cd /tmp

entrypoint/clamav.sh

@@ -10,12 +10,12 @@
 if [ "$(has_value USE_CLAMAV_UPLOAD yes)" != "" ] || [ "$USE_CLAMAV_SCAN" = "yes" ] ; then
 	echo "[*] Updating clamav (in background) ..."
 	freshclam > /dev/null 2>&1 &
-	echo "$CLAMAV_UPDATE_CRON /usr/bin/freshclam > /dev/null 2>&1" >> /etc/crontabs/root
+	echo "$CLAMAV_UPDATE_CRON /usr/bin/freshclam > /dev/null 2>&1" >> /etc/crontabs/nginx
 fi
 if [ "$USE_CLAMAV_SCAN" = "yes" ] ; then
 	if [ "$USE_CLAMAV_SCAN_REMOVE" = "yes" ] ; then
-        	echo "$USE_CLAMAV_SCAN_CRON /usr/bin/clamscan -r -i --no-summary --remove / >> /var/log/clamav.log 2>&1" >> /etc/crontabs/root
+        	echo "$USE_CLAMAV_SCAN_CRON /usr/bin/clamscan -r -i --no-summary --remove / >> /var/log/clamav.log 2>&1" >> /etc/crontabs/nginx
         else
-		echo "$USE_CLAMAV_SCAN_CRON /usr/bin/clamscan -r -i --no-summary / >> /var/log/clamav.log 2>&1" >> /etc/crontabs/root
+		echo "$USE_CLAMAV_SCAN_CRON /usr/bin/clamscan -r -i --no-summary / >> /var/log/clamav.log 2>&1" >> /etc/crontabs/nginx
         fi
 fi

entrypoint/entrypoint.sh

@@ -35,7 +35,7 @@ function trap_reload() {
 	fi
 	if [ -f /tmp/nginx.pid ] ; then
 		echo "[*] Reloading nginx ..."
-		/usr/sbin/nginx -s reload
+		nginx -s reload
 		if [ $? -eq 0 ] ; then
 			echo "[*] Reload successfull"
 		else
@@ -91,13 +91,8 @@ else
 	echo "[*] Skipping configuration process"
 fi
 
-# fix nginx configs rights (and modules through the symlink)
-chown -R root:nginx /etc/nginx/
-chmod -R 740 /etc/nginx/
-find /etc/nginx -type d -exec chmod 750 {} \;
-
 # start rsyslogd
-rsyslogd
+rsyslogd -i /tmp/rsyslogd.pid
 
 # start crond
 crond
@@ -117,7 +112,7 @@ fi
 
 # run nginx
 echo "[*] Running nginx ..."
-su -s "/usr/sbin/nginx" nginx
+nginx
 if [ "$?" -eq 0 ] ; then
 	echo "[*] nginx successfully started !"
 else

entrypoint/fail2ban.sh

@@ -8,7 +8,6 @@
 
 # fail2ban setup
 if [ "$(has_value USE_FAIL2BAN yes)" != "" ] ; then
-	rm -rf /etc/fail2ban/jail.d/*.conf
 	cp /opt/fail2ban/nginx-action.local /etc/fail2ban/action.d/nginx-action.local
 	cp /opt/fail2ban/nginx-filter.local /etc/fail2ban/filter.d/nginx-filter.local
 	cp /opt/fail2ban/nginx-jail.local /etc/fail2ban/jail.d/nginx-jail.local

entrypoint/global-config.sh

@@ -9,9 +9,6 @@
 # copy stub confs
 cp /opt/confs/global/* /etc/nginx/
 
-# remove cron jobs
-echo "" > /etc/crontabs/root
-
 # install additional modules if needed
 if [ "$ADDITIONAL_MODULES" != "" ] ; then
 	apk add $ADDITIONAL_MODULES
@@ -53,7 +50,6 @@ if [ "$MULTISITE" = "yes" ] ; then
 			replace_in_file "/etc/nginx/multisite-default-server-https.conf" "%SSL_CIPHERS%" ""
 		fi
 		openssl req -nodes -x509 -newkey rsa:4096 -keyout /etc/nginx/default-key.pem -out /etc/nginx/default-cert.pem -days $SELF_SIGNED_SSL_EXPIRY -subj "/C=$SELF_SIGNED_SSL_COUNTRY/ST=$SELF_SIGNED_SSL_STATE/L=$SELF_SIGNED_SSL_CITY/O=$SELF_SIGNED_SSL_ORG/OU=$SELF_SIGNED_SSL_OU/CN=$SELF_SIGNED_SSL_CN"
-		chmod +r /etc/nginx/default-key.pem
 		if [ "$(has_value AUTO_LETS_ENCRYPT yes)" != "" ] ; then
 			replace_in_file "/etc/nginx/multisite-default-server-https.conf" "%LETS_ENCRYPT_WEBROOT%" "include /etc/nginx/multisite-default-server-lets-encrypt-webroot.conf;"
 		else
@@ -92,14 +88,13 @@ if [ "$AUTO_LETS_ENCRYPT" = "yes" ] ; then
 			/opt/scripts/certbot-new.sh "$DOMAINS_LETS_ENCRYPT" "$EMAIL_LETS_ENCRYPT"
 		fi
 	fi
-	echo "$AUTO_LETS_ENCRYPT_CRON /opt/scripts/certbot-renew.sh > /dev/null 2>&1" >> /etc/crontabs/root
+	echo "$AUTO_LETS_ENCRYPT_CRON /opt/scripts/certbot-renew.sh > /dev/null 2>&1" >> /etc/crontabs/nginx
 fi
 
 # self-signed certificate
 if [ "$GENERATE_SELF_SIGNED_SSL" = "yes" ] ; then
 	mkdir /etc/nginx/self-signed-ssl/
         openssl req -nodes -x509 -newkey rsa:4096 -keyout /etc/nginx/self-signed-ssl/key.pem -out /etc/nginx/self-signed-ssl/cert.pem -days $SELF_SIGNED_SSL_EXPIRY -subj "/C=$SELF_SIGNED_SSL_COUNTRY/ST=$SELF_SIGNED_SSL_STATE/L=$SELF_SIGNED_SSL_CITY/O=$SELF_SIGNED_SSL_ORG/OU=$SELF_SIGNED_SSL_OU/CN=$SELF_SIGNED_SSL_CN"
-	chmod +r /etc/nginx/self-signed-ssl/key.pem
 fi
 
 # country ban/whitelist
@@ -112,7 +107,7 @@ if [ "$BLACKLIST_COUNTRY" != "" ] || [ "$WHITELIST_COUNTRY" != "" ] ; then
 		replace_in_file "/etc/nginx/geoip.conf" "%DEFAULT%" "yes"
 		replace_in_file "/etc/nginx/geoip.conf" "%COUNTRY%" "$(echo $BLACKLIST_COUNTRY | sed 's/ / no;\\n/g') no;"
 	fi
-	echo "$GEOIP_CRON /opt/scripts/geoip.sh" >> /etc/crontabs/root
+	echo "$GEOIP_CRON /opt/scripts/geoip.sh" >> /etc/crontabs/nginx
 	if [ -f "/cache/geoip.mmdb" ] ; then
 		echo "[*] Copying cached geoip.mmdb ..."
 		cp /cache/geoip.mmdb /etc/nginx/geoip.mmdb
@@ -127,7 +122,7 @@ fi
 # block bad UA
 if [ "$(has_value BLOCK_USER_AGENT yes)" != "" ] ; then
 	replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_USER_AGENT%" "include /etc/nginx/map-user-agent.conf;"
-	echo "$BLOCK_USER_AGENT_CRON /opt/scripts/user-agents.sh" >> /etc/crontabs/root
+	echo "$BLOCK_USER_AGENT_CRON /opt/scripts/user-agents.sh" >> /etc/crontabs/nginx
 	if [ -f "/cache/map-user-agent.conf" ] ; then
 		echo "[*] Copying cached map-user-agent.conf ..."
 		cp /cache/map-user-agent.conf /etc/nginx/map-user-agent.conf
@@ -142,7 +137,7 @@ fi
 # block bad refferer
 if [ "$(has_value BLOCK_REFERRER yes)" != "" ] ; then
 	replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_REFERRER%" "include /etc/nginx/map-referrer.conf;"
-	echo "$BLOCK_REFERRER_CRON /opt/scripts/referrers.sh" >> /etc/crontabs/root
+	echo "$BLOCK_REFERRER_CRON /opt/scripts/referrers.sh" >> /etc/crontabs/nginx
 	if [ -f "/cache/map-referrer.conf" ] ; then
 		echo "[*] Copying cached map-referrer.conf ..."
 		cp /cache/map-referrer.conf /etc/nginx/map-referrer.conf
@@ -156,7 +151,7 @@ fi
 
 # block TOR exit nodes
 if [ "$(has_value BLOCK_TOR_EXIT_NODE yes)" != "" ] ; then
-	echo "$BLOCK_TOR_EXIT_NODE_CRON /opt/scripts/exit-nodes.sh" >> /etc/crontabs/root
+	echo "$BLOCK_TOR_EXIT_NODE_CRON /opt/scripts/exit-nodes.sh" >> /etc/crontabs/nginx
 	if [ -f "/cache/block-tor-exit-node.conf" ] ; then
 		echo "[*] Copying cached block-tor-exit-node.conf ..."
 		cp /cache/block-tor-exit-node.conf /etc/nginx/block-tor-exit-node.conf
@@ -168,7 +163,7 @@ fi
 
 # block proxies
 if [ "$(has_value BLOCK_PROXIES yes)" != "" ] ; then
-	echo "$BLOCK_PROXIES_CRON /opt/scripts/proxies.sh" >> /etc/crontabs/root
+	echo "$BLOCK_PROXIES_CRON /opt/scripts/proxies.sh" >> /etc/crontabs/nginx
 	if [ -f "/cache/block-proxies.conf" ] ; then
 		echo "[*] Copying cached block-proxies.conf ..."
 		cp /cache/block-proxies.conf /etc/nginx/block-proxies.conf
@@ -180,7 +175,7 @@ fi
 
 # block abusers
 if [ "$(has_value BLOCK_ABUSERS yes)" != "" ] ; then
-	echo "$BLOCK_ABUSERS_CRON /opt/scripts/abusers.sh" >> /etc/crontabs/root
+	echo "$BLOCK_ABUSERS_CRON /opt/scripts/abusers.sh" >> /etc/crontabs/nginx
 	if [ -f "/cache/block-abusers.conf" ] ; then
 		echo "[*] Copying cached block-abusers.conf ..."
 		cp /cache/block-abusers.conf /etc/nginx/block-abusers.conf

entrypoint/logs.sh

@@ -7,8 +7,8 @@
 . /opt/entrypoint/utils.sh
 
 # copy stub confs
-cp /opt/logs/rsyslog.conf /etc/rsyslog.conf
-cp /opt/logs/logrotate.conf /etc/logrotate.conf
+cat /opt/logs/rsyslog.conf > /etc/rsyslog.conf
+cat /opt/logs/logrotate.conf > /etc/logrotate.conf
 
 # create empty logs
 touch /var/log/access.log
@@ -18,4 +18,4 @@ touch /var/log/jobs.log
 # setup logrotate
 replace_in_file "/etc/logrotate.conf" "%LOGROTATE_MAXAGE%" "$LOGROTATE_MAXAGE"
 replace_in_file "/etc/logrotate.conf" "%LOGROTATE_MINSIZE%" "$LOGROTATE_MINSIZE"
-echo "$LOGROTATE_CRON /opt/scripts/logrotate.sh > /dev/null 2>&1" >> /etc/crontabs/root
+echo "$LOGROTATE_CRON /opt/scripts/logrotate.sh > /dev/null 2>&1" >> /etc/crontabs/nginx

entrypoint/multisite-config.sh

@@ -6,11 +6,6 @@
 # load some functions
 . /opt/entrypoint/utils.sh
 
-# fix nginx configs rights (and modules through the symlink)
-chown -R root:nginx /etc/nginx/
-chmod -R 740 /etc/nginx/
-find /etc/nginx -type d -exec chmod 750 {} \;
-
 if [ "$MULTISITE" = "yes" ] ; then
 	servers=$(find /etc/nginx -name "server.conf" | cut -d '/' -f 4)
 	for server in $servers ; do
@@ -30,7 +25,7 @@ if [ "$MULTISITE" = "yes" ] ; then
 				modsec_custom="${modsec_custom}include /modsec-confs/${server}/*.conf\n"
 			fi
 			replace_in_file "${SERVER_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_RULES%" "$modsec_custom"
-			if grep "owasp-crs.conf" ${SERVER_PREFIX}modsecurity-rules.conf > /dev/null ; then
+			if grep "owasp/crs.conf" ${SERVER_PREFIX}modsecurity-rules.conf > /dev/null ; then
 				modsec_crs_custom=""
 				if ls /modsec-crs-confs/*.conf > /dev/null 2>&1 ; then
 					modsec_crs_custom="include /modsec-crs-confs/*.conf\n"

entrypoint/site-config.sh

@@ -385,7 +385,7 @@ if [ "$USE_MODSECURITY" = "yes" ] ; then
 		replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_RULES%" "$modsec_custom"
 	fi
 	if [ "$USE_MODSECURITY_CRS" = "yes" ] ; then
-		replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS%" "include /etc/nginx/owasp-crs.conf"
+		replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS%" "include /opt/owasp/crs.conf"
 		if [ "$MULTISITE" != "yes" ] ; then
 			modsec_crs_custom=""
 			if ls /modsec-crs-confs/*.conf > /dev/null 2>&1 ; then
@@ -393,7 +393,7 @@ if [ "$USE_MODSECURITY" = "yes" ] ; then
 			fi
 			replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_CRS%" "$modsec_crs_custom"
 		fi
-		replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS_RULES%" "include /etc/nginx/owasp-crs/*.conf"
+		replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS_RULES%" "include /opt/owasp/crs/*.conf"
 	else
 		replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS%" ""
 		replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_CRS%" ""

entrypoint/utils.sh

@@ -5,7 +5,9 @@ function replace_in_file() {
 	# escape slashes
 	pattern=$(echo "$2" | sed "s/\//\\\\\//g")
 	replace=$(echo "$3" | sed "s/\//\\\\\//g")
-	sed -i "s/$pattern/$replace/g" "$1"
+	sed "s/$pattern/$replace/g" "$1" > /tmp/sed
+	cat /tmp/sed > "$1"
+	rm /tmp/sed
 }
 
 # convert space separated values to LUA

logs/rsyslog.conf

@@ -4,11 +4,11 @@
 $WorkDirectory /var/lib/rsyslog
 
 # Sets default permissions for all log files.
-$FileOwner root
-$FileGroup root
-$FileCreateMode 0600
-$DirCreateMode 0700
-$Umask 0077
+$FileOwner nginx
+$FileGroup nginx
+$FileCreateMode 0660
+$DirCreateMode 0770
+$Umask 0007
 
 # Include all config files in /etc/rsyslog.d/.
 include(file="/etc/rsyslog.d/*.conf" mode="optional")
@@ -16,10 +16,10 @@ include(file="/etc/rsyslog.d/*.conf" mode="optional")
 #### Modules ####
 
 # Provides --MARK-- message capability.
-module(load="immark")
+#module(load="immark")
 
 # Provides support for local system logging (e.g. via logger command).
-module(load="imuxsock")
+module(load="imuxsock" SysSock.Name="/tmp/log")
 
 # Nginx
 $template rawFormat,"%msg:2:2048%\n"

prepare.sh

@@ -3,18 +3,65 @@
 # install dependencies
 apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd go jq mariadb-connector-c bash brotli
 
-# make scripts executable
-chmod +x /opt/entrypoint/* /opt/scripts/*
+# custom entrypoint
 mkdir /opt/entrypoint.d
 
-# log files/folders rights
+# prepare /opt
+chown -R root:nginx /opt
+find /opt -type f -exec chmod 0740 {} \;
+find /opt -type d -exec chmod 0750 {} \;
+chmod ugo+x /opt/entrypoint/* /opt/scripts/*
+chmod 770 /opt
+
+# prepare /etc/nginx
+chown -R root:nginx /etc/nginx
+chmod -R 770 /etc/nginx
+
+# prepare /var/log
 rm -f /var/log/nginx/*
 chown root:nginx /var/log/nginx
-chmod 750 /var/log/nginx
 touch /var/log/nginx/error.log /var/log/nginx/modsec_audit.log /var/log/jobs.log
-chown nginx:nginx /var/log/nginx/*.log
+chown nginx:nginx /var/log/nginx/*
+chmod -R 770 /var/log/nginx
+touch /var/log/access.log /var/log/error.log /var/log/jobs.log /var/log/fail2ban.log
+chown nginx:nginx /var/log/*.log
+chmod 770 /var/log/*.log
 
-# let's encrypt webroot
+# prepare /acme-challenge
 mkdir /acme-challenge
 chown root:nginx /acme-challenge
-chmod 750 /acme-challenge
+chmod 770 /acme-challenge
+
+# prepare /etc/letsencrypt
+mkdir /etc/letsencrypt
+chown root:nginx /etc/letsencrypt
+chmod 770 /etc/letsencrypt
+
+# prepare /etc/fail2ban
+rm -rf /etc/fail2ban/jail.d/*.conf
+chown -R root:nginx /etc/fail2ban
+find /etc/fail2ban -type f -exec chmod 0760 {} \;
+find /etc/fail2ban -type d -exec chmod 0770 {} \;
+
+# prepare /var/run/fail2ban and /var/lib/fail2ban
+chown -R root:nginx /var/run/fail2ban /var/lib/fail2ban
+chmod -R 770 /var/run/fail2ban /var/lib/fail2ban
+
+# prepare /usr/local/lib/lua
+chown root:nginx /usr/local/lib/lua
+chmod 770 /usr/local/lib/lua
+
+# prepare /cache
+mkdir /cache
+chown root:nginx /cache
+chmod 770 /cache
+
+# prepare misc files
+chown root:nginx /etc/rsyslog.conf /etc/logrotate.conf
+chmod 660 /etc/rsyslog.conf /etc/logrotate.conf
+chown root:nginx /etc/rsyslog.conf
+
+# prepare /etc/crontabs/nginx
+touch /etc/crontabs/nginx
+chown root:nginx /etc/crontabs/nginx
+chmod 660 /etc/crontabs/nginx