AltaOS 7

Submitted by Alan Mels on Sat, 03/09/2019 - 17:44

Initial script on in.altagrade.org

Create a script /root/compress-etc-ag.sh that copies the required Webmin directories into /etc/ag whenever this page is saved (detected by altaos.txt having been modified within the last 120 seconds) and then compresses /etc/ag into ag.tar.gz so that it can be downloaded:

#!/bin/sh

if [ -e /home/altaorg/domains/in.altagrade.org/www/altaos.txt ]; then
  AGE=$(($(date +%s)-$(date -r /home/altaorg/domains/in.altagrade.org/www/altaos.txt +%s)))
  echo $AGE
  if [ $AGE -lt 120 ]
  then
    rm -rf /home/altaorg/domains/in.altagrade.org/public_html/ag.tar.gz
    cd /etc
    rm -rf ag/webmin
    mkdir ag/webmin
    cp -R webmin/authentic-theme ag/webmin
    cp -R webmin/status ag/webmin
    cp -R webmin/custom ag/webmin
    echo $(cat /etc/webmin/webmin.acl | grep altagrade) > /etc/ag/webmin/webmin.acl
    tar cvzf ag.tar.gz ag
    mv ag.tar.gz /home/altaorg/domains/in.altagrade.org/public_html
    chown -R altaorg:altaorg /home/altaorg/domains/in.altagrade.org/public_html
    find /etc/webmin -type d -exec chmod 755 {} +
  fi
fi


and schedule it to trigger every minute:

* * * * * /root/compress-etc-ag.sh > /dev/null 2>&1

Auto-installation script for newly deployed systems

This page generates a script for the automatic installation of the operating system on AltaGrade dedicated and virtual private servers. The script incorporates all the steps on this page and the referenced steps of other nodes in this book hierarchy. Introduction fields are ignored. Make sure to properly reference steps on other nodes to get them included. To reference another node, place only its nid in the source code field of any paragraph.

Newly created Virtualizor systems can pull the script with the following commands placed in the `Extra` parameter:

#!/bin/sh
yum -y update && yum -y install wget && cd /etc && wget http://in.altagrade.org:8080/ag.tar.gz && tar xzf ag.tar.gz && rm -rf ag.tar.gz && cd /usr/src && wget http://in.altagrade.org:8080/altaos.txt && yum -y install wget dos2unix && dos2unix altaos.txt && mv altaos.txt altaos.sh && chmod 755 altaos.sh && mkdir /root/.altaos && sh ./altaos.sh | tee /root/.altaos/altaos-install.log

Additional notes:

- To install AltaOS on an EU-based server, don't forget to add the EU IP addresses to the `Allow from` rule for in.altagrade.org in the Apache configuration file (/etc/httpd/conf/httpd.conf).
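The `Extra` one-liner fetches ag.tar.gz and altaos.txt over plain HTTP and runs them as root without any integrity check. The following is an added example, not part of the AltaGrade recipe, of the same sequence with each download checked against a pinned SHA-256 digest before it is unpacked or executed; AG_TARBALL_SHA256 and AG_SCRIPT_SHA256 are assumed placeholder names for the digests of the published files.

```sh
# Added example, not part of the AltaGrade recipe: the same bootstrap sequence
# as the `Extra` one-liner, but every download is compared with a SHA-256
# digest before it is unpacked or executed, so a tampered or truncated file is
# discarded instead of being run as root.
# AG_TARBALL_SHA256 and AG_SCRIPT_SHA256 are placeholders (assumed names): set
# them to the digests of the ag.tar.gz and altaos.txt that are actually published.

# sha256_of FILE -> prints the lower-case hex SHA-256 of FILE.
sha256_of() {
    sha256sum "$1" | awk '{print $1}'
}

# verify_digest FILE EXPECTED -> status 0 when the digest of FILE equals
# EXPECTED (compared case-insensitively), 1 otherwise; an empty EXPECTED never matches.
verify_digest() {
    actual=$(sha256_of "$1")
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$expected" ] && [ "$actual" = "$expected" ]
}

# fetch_verified URL DEST EXPECTED -> downloads URL to DEST; on a digest
# mismatch DEST is removed and the status is 1, which stops an `&&` chain here.
fetch_verified() {
    url=$1; dest=$2; expected=$3
    wget -q -O "$dest" "$url" || return 1
    if verify_digest "$dest" "$expected"; then
        return 0
    fi
    echo "SHA-256 mismatch for $url; refusing to use $dest" >&2
    rm -f "$dest"
    return 1
}

# bootstrap -> the recipe's sequence (unpack /etc/ag, convert and run altaos.sh),
# gated on the two digests. The digest is checked on the file as published,
# before dos2unix rewrites its line endings.
bootstrap() {
    yum -y update && yum -y install wget dos2unix || return 1
    cd /etc || return 1
    fetch_verified http://in.altagrade.org:8080/ag.tar.gz ag.tar.gz "$AG_TARBALL_SHA256" || return 1
    tar xzf ag.tar.gz && rm -f ag.tar.gz
    cd /usr/src || return 1
    fetch_verified http://in.altagrade.org:8080/altaos.txt altaos.txt "$AG_SCRIPT_SHA256" || return 1
    dos2unix -q altaos.txt && mv altaos.txt altaos.sh && chmod 755 altaos.sh
    mkdir -p /root/.altaos
    sh ./altaos.sh | tee /root/.altaos/altaos-install.log
}
```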


0) Check if the system is freshly installed before doing anything else, because we don't want to run the installation script twice

if [ -d /etc/webmin ]; then
  echo "It seems this script has already been executed on this server."
  echo "This script should be run only once, as otherwise it will duplicate entries in a number of configuration files!"
  exit 0
fi

1) Defining some variable values to use later in the installation script

if grep -q "QEMU" /proc/bus/input/devices; then
    PORT=19759
else
    PORT=19753
fi
export PORT
IP="$( ip route get 8.8.8.8 | awk 'NR==1 {print $NF}' )"
# A single address is needed here because it is substituted into config files with sed in step 20
IP6="$( ip -6 addr | grep inet6 | awk -F '[ \t]+|/' '{print $3}' | grep -v ^::1 | head -n 1 )"
# Match the exact "inet ADDRESS/" line so that e.g. 10.0.0.1 does not also pick up 10.0.0.10
IFACE=$(ip addr | grep "inet $IP/" | awk '{print $NF}' | head -n 1)
OWNER=""
TIMESTAMP=$(date +%s)
SECONDS=0
# There is no DB at this point yet, so commenting out
# MYSQL_VER=`mysql --version|awk '{ print $5 }'|awk -F\-MariaDB, '{ print $1 }'`

2) Installing additional packages

echo "=================================================================================="
echo "Installing additional packages .."
yum -y makecache fast && yum -y install yum-plugin-fastestmirror
yum -y install epel-release
yum -y install perl nano rsync make vim screen wget mlocate gcc pcre-devel \
nmap openssh-clients ImageMagick gcc-c++ bzip2 net-tools iptables-services \
ntpdate yum-cron perl-LWP-Protocol-https deltarpm patch  lsof git psacct \
yum-utils bash-completion at e2fsprogs sudo libxml2-devel htop pam-devel \
perl-Authen-PAM
echo "..done"
 
echo "=================================================================================="
echo "Enabling services .."
systemctl enable psacct && systemctl start psacct
systemctl enable yum-cron.service && systemctl start yum-cron.service
echo "..done"
 
if [ ! -f /usr/local/bin/composer ]; then
  echo "=================================================================================="
  echo "Installing Composer .."
  cd /usr/src
  curl -sS https://getcomposer.org/installer | sudo php -- --install-dir=/usr/local/bin --filename=composer
  echo "..done"
fi

3) Setting up and configuring the system

if [ "$(readlink /etc/localtime)" != "/usr/share/zoneinfo/UTC" ]; then
  echo "=================================================================================="
  echo "Setting local time to UTC .."
  rm -f /etc/localtime
  ln -s /usr/share/zoneinfo/UTC /etc/localtime
  echo ".. done"
fi
 
if [ ! -d /home/backup ]; then
  echo "=================================================================================="
  echo "Creating /home/backup directory .."
  mkdir /home/backup
  echo "Creating a symlink /backup to /home/backup .."
  ln -s /home/backup /backup
  echo ".. done"
fi
 
if [ ! -d /sandbox ]; then
  echo "=================================================================================="
  echo "Creating /sandbox directory .."
  mkdir /sandbox
  echo ".. done"
fi
 
if grep -Fq '# include "/usr/share/nano/nanorc.nanorc"' /etc/nanorc
then
  echo "=================================================================================="
  echo "Colorifying the Nano editor .."
  # Uncomment the syntax-highlighting includes shipped with nano
  for syntax in sh java python patch php c css html man perl ruby xml nanorc; do
    sed -i "s|# include \"/usr/share/nano/${syntax}.nanorc\"|include \"/usr/share/nano/${syntax}.nanorc\"|" /etc/nanorc
  done
  echo ".. done"
fi
 
# Setting cron job definitions before other scripts start putting their own lines

if ! grep -Fq "Example of cron job definition on AltaGrade servers" /var/spool/cron/root 2>/dev/null
then
  echo "=================================================================================="
  echo "Setting up cron definitions .."
  cd /var/spool/cron
  # Keep the existing entries aside; the header is written first and they are appended after it
  # (writing "cat root temp > root" would truncate root before it is read and lose the header)
  if [ -f root ]; then mv root temp; else : > temp; fi
cat > root << 'EOF'
# Example of cron job definition on AltaGrade servers:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
#
# 1. Entry: Minute when the process will be started [0-60]
# 2. Entry: Hour when the process will be started [0-23]
# 3. Entry: Day of the month when the process will be started [1-28/29/30/31]
# 4. Entry: Month of the year when the process will be started [1-12]
# 5. Entry: Weekday when the process will be started [0-6] [0 is Sunday]
#
# every x min = */x
# So according to this your 5 8 * * 6 would run 8:05 every Saturday.
# Ex: 39 * * * * wget -O - -q -t 1 http://YourDrupalSite.com/cron.php?key=YourDrupalSiteCronKeyHere
EOF
  cat temp >> root
  rm -f temp
  chmod 600 root
  echo "..done"
fi
 
if ! grep -Fq "▓▓▓█████▓" /etc/banner
then
  echo "=================================================================================="
  echo "Creating /etc/banner .."
cat <<EOT >> /etc/banner
 ▄▄▄       ▓▓▓  ▓▓▓█████▓ ▄▄▄        ▄████  ▓▓▀███   ▄▄▄      ▓█████▄ ▓█████
▒▓▓██▄    ▓██▒  ▓  ▓▓▒ ▓▒▒████▄     ▓▓▒ ▀█▒▓██ ▒ ▓█▒▒▓▓██▄    ▒▓▓▀ ██▌▓▓   ▀
▒▓▓  ▀█▄  ▒▓▓░  ▒ ▓██░ ▒░▒▓▓  ▀█▄  ▒▓▓░▄▄▄░▓▓▓ ░▄█ ▒▒▓▓  ▀█▄  ░██   █▌▒▓▓██
░██▄▄▄▄██ ▒▓▓░  ░ ▓██▓ ░ ░██▄▄▄▄██ ░▓█  ██▓▒▓▓▀▀█▄  ░██▄▄▄▄██ ░▓█▄   ▌▒▓█  ▄
 ▓█   ▓██▒░██████▒▒██▒ ░  ▓█   ▓██▒░▒▓███▀▒░██▓ ▒▓▓▒ ▓█   ▓██▒░▒████▓ ░▒████▒
 ▒▒   ▓▒█░░ ▒░▓  ░▒ ░░    ▒▒   ▓▒█░ ░▒   ▒ ░ ▒▓ ░▒▓░ ▒▒   ▓▒█░ ▒▒▓  ▒ ░░ ▒░ ░
  ▒   ▒▒ ░░ ░ ▒  ░  ░      ▒   ▒▒ ░  ░   ░   ░▒ ░ ▒░  ▒   ▒▒ ░ ░ ▒  ▒  ░ ░  ░
  ░   ▒     ░ ░   ░        ░   ▒   ░ ░   ░   ░░   ░   ░   ▒    ░ ░  ░    ░
      ░  ░    ░  ░             ░  ░      ░    ░           ░  ░   ░       ░  ░
 
EOT
  echo ".. done"
fi
 
if grep -Fq "#Banner none" /etc/ssh/sshd_config
then
  sed -i '/#Banner none/c\Banner /etc/banner' /etc/ssh/sshd_config
else
  echo 'Banner /etc/banner' >> /etc/ssh/sshd_config
fi
 
if ! grep -Fq "Welcome" /etc/motd
then
  echo "=================================================================================="
  echo "Creating /etc/motd .."
cat <<EOT >> /etc/motd
*****************************************************************************
*             Welcome to AltaGrade Optimized Operating System!              *
*                                                                           *
* If you encounter any issues with the server, then please browse our Help  *
* section on https://www.altagrade.com/docs first. And if you couldn't find *
* any solution, then submit a support request at https://my.altagrade.com.  *
*                                                                           *
*****************************************************************************
EOT
  echo ".. done"
fi
 
if ! grep -Fq "update-webmin" /root/.bashrc; then
  echo "=================================================================================="
  echo "Creating root aliases .."
  cat >> /root/.bashrc << 'EOF'
alias update-webmin='yes | /usr/libexec/webmin/update-from-repo.sh'
alias update-theme='yes | /usr/libexec/webmin/authentic-theme/theme-update.sh'
alias webminpass='/usr/libexec/webmin/changepass.pl /etc/webmin root'
alias ps10='ps -auxf | sort -nr -k 4 | head -10'
alias cpu10='ps -eo pcpu,pid,user,args | sort -k 1 -r | head -10'
alias qchwr='drush pml --no-core --type=module --status=enabled --pipe | xargs drush -y dis'
alias repo='sed -n -e "/^\[/h; /priority *=/{ G; s/\n/ /; s/ity=/ity = /; p }" /etc/yum.repos.d/*.repo | sort -k3n'
alias psx="ps -eo pcpu,pid -o comm= | sort -k1 -n -r | head -12"
alias psg="ps fuxa |grep $1"
alias psm="ps -eo pmem,pcpu,rss,vsize,args | sort -k 1 -r | less"
alias eba='nano /etc/profile.d/globaliases.sh'
alias lba='source /etc/profile.d/globaliases.sh'
 
alias net1='rm -rf /etc/udev/rules.d/70-persistent-net.rules'
alias net2='nano /etc/resolv.conf'
alias net3='nano /etc/sysconfig/network-scripts/ifcfg*'
 
# snd FILE -> push FILE to the same path on the remote host; replace IP with the target address
snd () {
rsync -av -e 'ssh -p 19759' --progress --partial "${1}" root@IP:/
}
 
# sync two directories
# rsync -azP -e 'ssh -p 19759' local_dir root@IP:/remote_dir

EOF
  echo "..done"
fi
 
if grep -Fq 'update_messages = no' /etc/yum/yum-cron.conf
then
  echo "=================================================================================="
  echo "Enabling automatic OS updates .."
  for conf in /etc/yum/yum-cron.conf /etc/yum/yum-cron-hourly.conf; do
    sed -i 's/update_messages = no/update_messages = yes/' "$conf"
    sed -i 's/download_updates = no/download_updates = yes/' "$conf"
    sed -i 's/apply_updates = no/apply_updates = yes/' "$conf"
  done
  echo ".. done"
fi
 
if grep -Fq 'installonly_limit=5' /etc/yum.conf
then
  echo "Setting amount of installed kernels to 2 .."
  sed -i 's/installonly_limit=5/installonly_limit=2/' /etc/yum.conf
  systemctl enable yum-cron.service && systemctl start yum-cron.service
  echo ".. done"
fi
 
if [ -f /etc/ag/scripts/login-notify.sh ]; then
  chmod 755 /etc/ag/scripts/login-notify.sh
  echo 'session optional pam_exec.so seteuid /etc/ag/scripts/login-notify.sh' >> /etc/pam.d/sshd
fi
 
echo '*               soft    nofile            65535' >> /etc/security/limits.conf
echo '*               hard    nofile            65535' >> /etc/security/limits.conf
 
if ! grep -q 127.0.0.1 "/etc/resolv.conf"; then
  echo "nameserver 127.0.0.1" >> /etc/resolv.conf
fi
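Most edits in this step follow one pattern: grep for a marker, then either rewrite a line with sed -i or append it with echo. The following added example (not part of the AltaGrade recipe) packages that pattern into helpers that can be re-run safely and that avoid the `sed -ie` spelling (GNU sed reads it as `-i` with backup suffix `e`, leaving files such as /etc/php.inie behind); the helper names append_once, set_kv and get_kv are assumptions.

```sh
# Added example, not part of the AltaGrade recipe: idempotent helpers for the
# "grep -q guard, then sed or echo" edits used in this step. Re-running a step
# neither duplicates lines nor creates stray "FILEe" backups.
# KEY is used as a regular expression, so escape any dots in it.

# append_once FILE LINE -> appends LINE to FILE unless an identical line is
# already present. Status 0 when the line was added, 1 when it was already there.
append_once() {
    file=$1; line=$2
    if [ -f "$file" ] && grep -Fqx -- "$line" "$file"; then
        return 1
    fi
    printf '%s\n' "$line" >> "$file"
}

# set_kv FILE KEY VALUE -> ensures FILE holds exactly one active "KEY = VALUE" line.
# An existing definition is rewritten in place, keeping its spacing around "="
# (so a "pass=x" style file such as /etc/webmin/mysql/config stays in the form
# its reader expects); further duplicates are dropped; if the key is absent,
# "KEY=VALUE" is appended. Commented-out lines (";key" or "#key") are left alone.
set_kv() {
    file=$1; key=$2; value=$3
    if [ -f "$file" ] && grep -Eq "^[[:space:]]*${key}[[:space:]]*=" "$file"; then
        tmp="${file}.tmp.$$"
        awk -v k="$key" -v v="$value" '
            {
                if (match($0, "^[ \t]*" k "[ \t]*=[ \t]*")) {
                    if (seen) next                    # drop a duplicate definition
                    seen = 1
                    print substr($0, 1, RLENGTH) v    # keep the original "KEY = " prefix
                    next
                }
                print
            }' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps FILE's mode and owner
        rm -f "$tmp"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_kv FILE KEY -> prints the value of the first active "KEY = VALUE" line,
# with surrounding blanks trimmed (values may not themselves contain "=").
get_kv() {
    awk -v k="$2" -F= '
        $1 ~ ("^[ \t]*" k "[ \t]*$") {
            sub(/^[ \t]+/, "", $2); sub(/[ \t]+$/, "", $2); print $2; exit
        }' "$1"
}
```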

4) Creating global aliases for user SSH sessions

24

5) Configuring hourly and daily AltaGrade cron-tasks

cat > /etc/cron.hourly/altagrade << 'EOF'
#!/bin/bash
sh /etc/ag/scripts/update-drupal 1 > /dev/null
if [ -e /etc/ag/updates/update.sh.old ]; then
  if ! cmp --silent /etc/ag/updates/update.sh /etc/ag/updates/update.sh.old
    then
      chmod 755 /etc/ag/updates/update.sh
      sh /etc/ag/updates/update.sh
      mv /etc/ag/updates/update.sh /etc/ag/updates/update.sh.old
  fi
fi
exit
EOF
chmod 755 /etc/cron.hourly/altagrade
 
cat > /etc/cron.daily/altagrade << 'EOF'
#!/bin/bash
sed -i 's/CentOS/AltaOS/' /etc/webmin/config >/dev/null 2>&1
sh /etc/ag/cp/new-lang.sh >/dev/null 2>&1
sed -i 's/slider_enabled=true/slider_enabled=false/' /etc/webmin/authentic-theme/settings.js >/dev/null 2>&1
exit
EOF
chmod 755 /etc/cron.daily/altagrade
/etc/cron.daily/altagrade

6) Creating an 'altagrade' admin user

if ! id "altagrade" >/dev/null 2>&1; then
  echo "=================================================================================="
  echo "Creating altagrade user .."
  # Disabling root password
  yum -y install "perl(IO::Pty)"
  passwd -d root
  useradd -G wheel altagrade
  openssl rand -base64 12 | passwd altagrade --stdin
  echo "Setting %wheel group members passwordless sudoers .."
  sed -i 's/%wheel/#%wheel/' /etc/sudoers && sed -i 's/# #%wheel/%wheel/' /etc/sudoers
  # A syntax error in sudoers would lock every wheel member out of sudo, so validate the result
  visudo -c -f /etc/sudoers >/dev/null || echo "WARNING: /etc/sudoers failed validation, review it with visudo" >&2
  mkdir -p /home/altagrade/.ssh
  echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC753VZbicoElj5moS0XZ70ERwse483Cuqc6Jf3YXJvn4+ZGzdjUsUI4+0GHK0aufeFh4YNZQ9QoQnM/3HUKZIGm3/2lYvzY1Z2YtyWz57LSX6o+oskq01Pe+3g+sxbt1yOW/KhClVhTSNzFPtMV5h4//JLxdO1Z6pctXSgq2COZ9fnEAm/AzmYFpuNvg0JmNdWuFkvnSKZrkt9hmw72TTjTE+p9DviTmoq4GCr6l2Pg4y6oTlyQ595yi6wDZe0JK7cdkKMsA4U6kAyHqci7zXOu7HjLdYcKZCohCp/iddHZbERmlZuS1eGbiARYtBZb9FNdUmnUB3nggb4DU3FPeDl' >> /home/altagrade/.ssh/authorized_keys
  # sshd's StrictModes rejects key files in group- or world-writable locations; make the user own its key file
  chown -R altagrade:altagrade /home/altagrade/.ssh
  chmod 700 /home/altagrade/.ssh
  chmod 600 /home/altagrade/.ssh/authorized_keys
  restorecon -R -v /home/altagrade/.ssh
  sed -i "s/#Port 22/Port ${PORT}/g" /etc/ssh/sshd_config
  sed -i "s/#PermitRootLogin yes/PermitRootLogin no/g" /etc/ssh/sshd_config
  sed -i "s/PasswordAuthentication yes/PasswordAuthentication no/g" /etc/ssh/sshd_config
  yum -y install policycoreutils-python
  semanage port -a -t ssh_port_t -p tcp ${PORT}
  sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
  echo ".. done"
fi

7) Installing Webmin and Virtualmin

if [ ! -d /etc/webmin ]; then
  echo "=================================================================================="
  echo "Installing control panel .."
  cd /usr/src
  wget http://software.virtualmin.com/gpl/scripts/install.sh
  chmod 755 install.sh
  # Per https://www.virtualmin.com/node/53190
  DISABLE_SCL=1
  export DISABLE_SCL
  ./install.sh -y
  echo ".. done"
fi

8) Configuring Webmin and Virtualmin

49

9) Installing style.css file for Virtualmin

29

10) Installing additional PHP packages, memcached, configuring uploadprogress

echo "=================================================================================="
echo "Installing additional PHP packages, memcached, configuring uploadprogress .."
yum -y install php-soap php-devel php-pear php-gd php-mbstring php-mcrypt
pecl channel-update pecl.php.net
pecl install uploadprogress
echo extension=uploadprogress.so >> /etc/php.d/uploadprogress.ini
yum -y install memcached
yum -y install php-pecl-memcache
rm -f /etc/sysconfig/memcached
cat <<'EOT' >> /etc/sysconfig/memcached
PORT="11211"
USER="memcached"
MAXCONN="1024"
CACHESIZE="1024"
OPTIONS="-l 127.0.0.1"
EOT
systemctl enable memcached
systemctl start  memcached
 
sed -i 's/upload_max_filesize = 2M/upload_max_filesize = 20M/' /etc/php.ini
sed -i 's/post_max_size = 8M/post_max_size = 16M/' /etc/php.ini
sed -i 's/max_execution_time = 30/max_execution_time = 600/' /etc/php.ini
sed -i 's/max_input_time = 60/max_input_time = 600/' /etc/php.ini
sed -i 's/memory_limit = 128M/memory_limit = 1280M/' /etc/php.ini
 
yum -y install scl-utils
rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
rpm -Uvh http://rpms.remirepo.net/enterprise/remi-release-7.rpm
 
yum -y install php73 php73-php-mysqlnd php73-php-curl php73-php-simplexml php73-php-devel php73-php-gd php73-php-json php73-php-mcrypt php73-php-mbstring php73-php-opcache php73-php-pear php73-php-pecl-apcu php73-php-pecl-geoip php73-php-pecl-imagick php73-php-pecl-json-post php73-php-pecl-memcache php73-php-pecl-zip php73-php-pspell php73-php-soap php73-php-xml php73-php-xmlrpc php73-php-pecl-uploadprogress php73-php-imap php73-php-pecl-xmldiff php73-php-bcmath
 
source /opt/remi/php73/enable
yum -y install php73-php-tidy
pear channel-update pear.php.net
pear install Cache_Lite
 
sed -i 's/upload_max_filesize = 2M/upload_max_filesize = 20M/' /etc/opt/remi/php73/php.ini
sed -i 's/post_max_size = 8M/post_max_size = 16M/' /etc/opt/remi/php73/php.ini
sed -i 's/max_execution_time = 30/max_execution_time = 600/' /etc/opt/remi/php73/php.ini
sed -i 's/max_input_time = 60/max_input_time = 600/' /etc/opt/remi/php73/php.ini
sed -i 's/memory_limit = 128M/memory_limit = 1280M/' /etc/opt/remi/php73/php.ini
 
yum -y install php74 php74-php-mysqlnd php74-php-curl php74-php-simplexml php74-php-devel php74-php-gd php74-php-json php74-php-mcrypt php74-php-mbstring php74-php-opcache php74-php-pear php74-php-pecl-apcu php74-php-pecl-geoip php74-php-pecl-imagick php74-php-pecl-json-post php74-php-pecl-memcache php74-php-pecl-zip php74-php-pspell php74-php-soap php74-php-xml php74-php-xmlrpc php74-php-pecl-uploadprogress php74-php-imap php74-php-pecl-xmldiff php74-php-bcmath
 
source /opt/remi/php74/enable
yum -y install php74-php-tidy
pear channel-update pear.php.net
pear install Cache_Lite
 
sed -i 's/upload_max_filesize = 2M/upload_max_filesize = 20M/' /etc/opt/remi/php74/php.ini
sed -i 's/post_max_size = 8M/post_max_size = 16M/' /etc/opt/remi/php74/php.ini
sed -i 's/max_execution_time = 30/max_execution_time = 600/' /etc/opt/remi/php74/php.ini
sed -i 's/max_input_time = 60/max_input_time = 600/' /etc/opt/remi/php74/php.ini
sed -i 's/memory_limit = 128M/memory_limit = 1280M/' /etc/opt/remi/php74/php.ini
 
yum -y install php81 php81-php-mysqlnd php81-php-curl php81-php-simplexml php81-php-devel php81-php-gd php81-php-json php81-php-mcrypt php81-php-mbstring php81-php-opcache php81-php-pear php81-php-pecl-apcu php81-php-pecl-geoip php81-php-pecl-imagick php81-php-pecl-json-post php81-php-pecl-memcache php81-php-pecl-zip php81-php-pspell php81-php-soap php81-php-xml php81-php-xmlrpc php81-php-pecl-uploadprogress php81-php-imap php81-php-pecl-xmldiff php81-php-bcmath
 
source /opt/remi/php81/enable
yum -y install php81-php-tidy
pear channel-update pear.php.net
pear install Cache_Lite
 
sed -i 's/upload_max_filesize = 2M/upload_max_filesize = 20M/' /etc/opt/remi/php81/php.ini
sed -i 's/post_max_size = 8M/post_max_size = 16M/' /etc/opt/remi/php81/php.ini
sed -i 's/max_execution_time = 30/max_execution_time = 600/' /etc/opt/remi/php81/php.ini
sed -i 's/max_input_time = 60/max_input_time = 600/' /etc/opt/remi/php81/php.ini
sed -i 's/memory_limit = 128M/memory_limit = 1280M/' /etc/opt/remi/php81/php.ini
 
echo ".. done"

11) Configuring Apache

echo "=================================================================================="
echo "Configuring Apache"
sed -i '/SSLProtocol/c\SSLProtocol All -SSLv2 -SSLv3' /etc/httpd/conf/httpd.conf
sed -i '/SSLCipherSuite/c\SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"' /etc/httpd/conf/httpd.conf
sed -i '/SSLCipherSuite/i\SSLHonorCipherOrder on' /etc/httpd/conf/httpd.conf
 
# per https://support.plesk.com/hc/en-us/articles/213399589-Websites-are-slow-and-a-warning-appears-in-logs-mod-fcgid-ap-pass-brigade-failed
echo 'FcgidMaxRequestsPerProcess 500' >> /etc/httpd/conf.d/fcgid.conf
echo 'FcgidOutputBufferSize 0' >> /etc/httpd/conf.d/fcgid.conf
sed -i 's|LoadModule|#LoadModule|' /etc/httpd/conf.modules.d/00-dav.conf
sed -i 's|LoadModule|#LoadModule|' /etc/httpd/conf.modules.d/10-php.conf
 
# Maybe we can turn the below ones off.
sed -i 's/LoadModule proxy/#LoadModule proxy/' /etc/httpd/conf.modules.d/00-proxy.conf
sed -i 's@#LoadModule proxy_module@LoadModule proxy_module@g' /etc/httpd/conf.modules.d/00-proxy.conf
sed -i 's@#LoadModule proxy_fcgi_module@LoadModule proxy_fcgi_module@g' /etc/httpd/conf.modules.d/00-proxy.conf
sed -i 's@LoadModule lbmethod_heartbeat@#LoadModule lbmethod_heartbeat@g' /etc/httpd/conf.modules.d/00-proxy.conf
 
echo ".. done"

12) Configuring MariaDB settings

echo "=================================================================================="
echo "Configuring MariaDB settings .."
 
# Setting the database root password
yum install -y expect
 
# Fresh install: the MariaDB root account has no password yet
CURRENT_MYSQL_PASSWORD=""
# 16 alphanumeric characters from the OS CSPRNG (a timestamp-derived value would be guessable)
MYSQL_ROOT_PASSWORD=$(openssl rand -base64 24 | tr -dc 'A-Za-z0-9' | head -c 16)
 
SECURE_MYSQL=$(expect -c "
 
set timeout 3
spawn mysql_secure_installation
 
expect \"Enter current password for root (enter for none):\"
send \"$CURRENT_MYSQL_PASSWORD\r\"
 
expect \"Set root password?\"
send \"y\r\"
 
expect \"New password:\"
send \"$MYSQL_ROOT_PASSWORD\r\"
 
expect \"Re-enter new password:\"
send \"$MYSQL_ROOT_PASSWORD\r\"
 
expect \"Remove anonymous users?\"
send \"y\r\"
 
expect \"Disallow root login remotely?\"
send \"y\r\"
 
expect \"Remove test database and access to it?\"
send \"y\r\"
 
expect \"Reload privilege tables now?\"
send \"y\r\"
expect eof
")
 
echo "$SECURE_MYSQL"
 
yum remove -y expect
 
if grep -q pass= /etc/webmin/mysql/config; then
  sed -i "/pass=/c\pass=$MYSQL_ROOT_PASSWORD" /etc/webmin/mysql/config
else
  echo pass=$MYSQL_ROOT_PASSWORD >> /etc/webmin/mysql/config
fi
 
 
if ! grep -Fq "default-character-set = utf8mb4" /etc/my.cnf
then
  rm -f  /etc/my.cnf
cat > /etc/my.cnf << 'EOF'
[client]
default-character-set = utf8mb4
 
[mysql]
default-character-set = utf8mb4
 
[mysqld]
character-set-client-handshake = FALSE
character-set-server = utf8mb4
collation-server = utf8mb4_unicode_ci
 
#skip-networking
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
symbolic-links=0
slow_query_log = 1
slow_query_log_file = /var/log/mariadb/slow.log
 
query_cache_size = 128M
query_cache_limit = 16M
 
thread_cache_size = 8
myisam_sort_buffer_size = 64M
read_rnd_buffer_size = 8M
read_buffer_size = 2M
sort_buffer_size = 2M
table_cache = 512
max_allowed_packet=1024M
key_buffer = 384M
wait_timeout=600
max_connections = 600
tmp_table_size = 256M
max_heap_table_size = 256M
 
innodb_large_prefix=true
innodb_file_format=barracuda
innodb_file_per_table = true
 
innodb_additional_mem_pool_size = 16M
innodb_flush_log_at_trx_commit = 0
innodb_log_buffer_size  = 8M
innodb_buffer_pool_size = 1G
innodb_thread_concurrency =     16
innodb_lock_wait_timeout =     120
innodb_data_file_path   = ibdata1:10M:autoextend
innodb_file_io_threads  = 4
innodb_max_dirty_pages_pct =    90
 
[mysqld_safe]
log-error=/var/log/mariadb/mariadb.log
pid-file=/var/run/mariadb/mariadb.pid
 
!includedir /etc/my.cnf.d
EOF
  echo ".. done"
fi

13) Installing drush and wp-cli

# Installing drush
wget https://github.com/drush-ops/drush/releases/download/8.1.16/drush.phar
php drush.phar core-status
chmod +x drush.phar
mv drush.phar /usr/local/bin/drush
drush -y init
 
# Fixing https://github.com/drush-ops/drush/issues/2065
# Applied to the base php.ini and to each Remi PHP version installed in step 10 (php73, php74 and php81)
for ini in /etc/php.ini /etc/opt/remi/php73/php.ini /etc/opt/remi/php74/php.ini /etc/opt/remi/php81/php.ini; do
  [ -f "$ini" ] && sed -i '/disable_functions/c\disable_functions = pcntl_exec' "$ini"
done
 
# Installing wp-cli
curl -O https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar
chmod +x wp-cli.phar
mv wp-cli.phar /usr/local/bin/wp
#if [ ! -d /etc/ag ]; then
#  mkdir /etc/ag
#fi
#mkdir /etc/ag/wp
#cd /etc/ag/wp
#wget https://raw.githubusercontent.com/wp-cli/wp-cli/v1.5.1/utils/wp-completion.bash
#chmod 755 wp-completion.bash
#echo "source /etc/ag/wp/wp-completion.bash" >> /etc/profile.d/globaliases.sh

14) Configuring automatic core updates for Drupal websites

25

yum -y install certbot
 
# Install script to auto-replace the ssl_le.pem files for domains
mkdir -p /etc/letsencrypt/renewal-hooks/deploy
cat > /etc/letsencrypt/renewal-hooks/deploy/replace_pems.sh << 'EOF'
#!/bin/sh

# Re-create the ssl_le.pem files for Pound 
for domain in $RENEWED_DOMAINS; do
  cat $RENEWED_LINEAGE/privkey.pem $RENEWED_LINEAGE/fullchain.pem > $RENEWED_LINEAGE/ssl_le.pem
done
 
exit
EOF
chmod 755 /etc/letsencrypt/renewal-hooks/deploy/replace_pems.sh
 
# Install cron-tab to trigger auto-renew; the entry is added only if it is not already present,
# which keeps the existing entries (and the header from step 3) in their original order
renew_job="0 0,12 * * 7 python -c 'import random; import time; time.sleep(random.random() * 3600)' && /etc/ag/scripts/renew-certs"
crontab -l 2>/dev/null | grep -Fqx -- "$renew_job" || (crontab -l 2>/dev/null; echo "$renew_job") | crontab -

16) Installing and configuring Pound

sed -i '/Listen/c\#Listen' /etc/httpd/conf.d/ssl.conf
yum -y install Pound && systemctl enable pound && systemctl start pound
mv /etc/pound.cfg /etc/pound.cfg.orig
cat > /etc/pound.cfg << EOF
ListenHTTP
  Address ${IP}
  Port 80
  Service
    URL "/.well-known/acme-challenge/.*"
    BackEnd
      Address ${IP}
      Port 8888
    End
  End
End
 
Service
  BackEnd
    Address ${IP}
    Port 8888
  End
End
 
EOF

17) Installing and configuring Varnish

15

18) Installing APF, BFD and Maldet

if [ ! -d /etc/apf ]; then
  echo "=================================================================================="
  echo "Installing APF .."
 
  # per https://superuser.com/questions/1083882/block-port-111-on-centos-7

  systemctl stop rpcbind.socket && systemctl disable rpcbind.socket
  systemctl mask fail2ban && systemctl stop fail2ban
  systemctl mask firewalld && systemctl stop firewalld
  systemctl enable iptables && systemctl start iptables
 
  cd /usr/src
  wget http://www.rfxn.com/downloads/apf-current.tar.gz
  tar xzf apf-current.tar.gz
  rm -f apf-current.tar.gz
  cd apf*
  ./install.sh
  chkconfig apf on
  sed -i "s/eth0/$IFACE/" /etc/apf/conf.apf
  sed -i 's/DEVEL_MODE="1"/DEVEL_MODE="0"/' /etc/apf/conf.apf
  sed -i 's/SET_MONOKERN="0"/SET_MONOKERN="1"/' /etc/apf/conf.apf
  sed -i 's/ICMP_LIM="30\/s"/ICMP_LIM="100\/s"/' /etc/apf/conf.apf
  sed -i 's/DLIST_PHP="0"/DLIST_PHP="1"/' /etc/apf/conf.apf
  sed -i 's/DLIST_SPAMHAUS="0"/DLIST_SPAMHAUS="1"/' /etc/apf/conf.apf
  sed -i 's/DLIST_DSHIELD="0"/DLIST_DSHIELD="1"/' /etc/apf/conf.apf
  # Comment out the stock inbound port lists and insert ours at line 2 (the SSH port comes from $PORT)
  sed -i 's/IG_TCP_CPORTS=/#IG_TCP_CPORTS=/' /etc/apf/conf.apf
  sed -i 's/IG_UDP_CPORTS=/#IG_UDP_CPORTS=/' /etc/apf/conf.apf
  sed -i '2s/^/IG_UDP_CPORTS="53,123,465,587,953,2525,6277,1043,6081,6082,8983"\n/' /etc/apf/conf.apf
  sed -i "2s/^/IG_TCP_CPORTS=\"53,80,110,143,443,465,587,953,993,995,1043,2525,5900_5910,8079,8080,8888,8983,10000_10010,20000,${PORT}\"\n/" /etc/apf/conf.apf
  apf -r
  /usr/local/sbin/apf -a 65.49.80.104 "Do not remove this IP address. It belongs to AltaGrade."
 
  echo ".. done"
fi
 
if [ ! -d /usr/local/bfd ]; then
  echo "=================================================================================="
  echo "Installing and configuring Brute Force Detection .."
  cd /usr/src
  wget http://www.rfxn.com/downloads/bfd-current.tar.gz
  tar xzf bfd-current.tar.gz
  rm -f bfd-current.tar.gz*
  cd bfd-1.5*
  ./install.sh
  sed -i 's/TRIG="15"/TRIG="5"/' /usr/local/bfd/conf.bfd
  sed -i 's/EMAIL_ALERTS="0"/EMAIL_ALERTS="1"/' /usr/local/bfd/conf.bfd
  sed -i 's/EMAIL_ADDRESS="root"/EMAIL_ADDRESS="security"/' /usr/local/bfd/conf.bfd
  # Alert template sourced by BFD; $ATTACK_HOST, $MOD etc. are expanded by BFD at alert time,
  # so the outer delimiter is quoted to keep them literal here
cat > /usr/local/bfd/alert.bfd << 'ALERT'
EB=0
if [ "$EMAIL_LOGLINES" == "" ]; then
        EMAIL_LOGLINES=50
fi
EV=`nice -n 19 tail -n 5000 $LP | grep $ATTACK_HOST | tail -n $EMAIL_LOGLINES`
cat <<EOF

$ATTACK_HOST has been blocked and blacklisted by AltaGrade for exceeded login failures on $HOSTNAME.
If the IP address belongs to your team, then please clear it from the firewall's block-list and add it to the allowed hosts.
Alternatively file a support request on https://my.altagrade.com and we will gladly do it for you.

SOURCE ADDRESS: $ATTACK_HOST
TARGET SERVICE: $MOD
FAILED LOGINS: $ATTACK_COUNT
EXECUTED COMMAND: $BAN_COMMAND

SOURCE LOGS FROM SERVICE '$MOD' (GMT $TIME_ZONE):

$EV

-----------------------------------------------
AltaGrade Brute Force Detection System

EOF
ALERT
 
  sed -i 's/#root:/root:/' /etc/aliases
  sed -i 's/marc/info@altagrade.com/' /etc/aliases
  echo "#owner: ${OWNER}" >> /etc/aliases
  newaliases
  echo ".. done"
fi
 
if [ ! -d /usr/local/maldetect ]; then
  echo "=================================================================================="
  echo "Installing Linux Malware Detect .."
  cd /usr/src
  wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
  tar xzf maldetect-current.tar.gz
  rm -rf maldetect-current.tar.gz
  cd maldetect*
  ./install.sh
  # Installing inotify-tools per https://www.rfxn.com/appdocs/README.maldetect
  yum -y install inotify-tools
  # Configuring malware detection settings
  sed -i 's/email_alert="0"/email_alert="1"/' /usr/local/maldetect/conf.maldet
  sed -i 's/email_addr="you@domain.com"/email_addr="security"/' /usr/local/maldetect/conf.maldet
  sed -i 's/email_ignore_clean="1"/email_ignore_clean="0"/' /usr/local/maldetect/conf.maldet
  sed -i 's/quarantine_hits="0"/quarantine_hits="1"/' /usr/local/maldetect/conf.maldet
  sed -i 's/quarantine_clean="0"/quarantine_clean="1"/' /usr/local/maldetect/conf.maldet
  sed -i 's/quarantine_suspend_user="0"/quarantine_suspend_user="1"/' /usr/local/maldetect/conf.maldet
  echo "/home/.*/public_html/stats" >> /usr/local/maldetect/ignore_paths
  echo "/home/.*/domains/.*/public_html/stats" >> /usr/local/maldetect/ignore_paths
  echo ".. done"
fi

19) Removing unnecessary services

chown -R root:bin /etc/webmin
systemctl stop chronyd && yum -y remove chrony
systemctl stop wpa_supplicant && yum -y remove wpa_supplicant
systemctl stop fail2ban && yum -y remove fail2ban* && rm -rf /var/log/fail2ban.log
systemctl stop proftpd && yum -y remove proftpd && rm -rf /var/log/proftpd
if [ "$PORT" = 19759 ]; then
  systemctl stop sound.target && systemctl disable sound.target
fi

20) Finalizing the installation script

# Clean up the Webmin config files (xargs -r runs sed only when grep found a file to edit)
grep -rl 65.49.80.99 /etc | xargs -r sed -i "s/65.49.80.99/$IP/g"
grep -rl fe80::216:3eff:feca:7117 /etc | xargs -r sed -i "s/fe80::216:3eff:feca:7117/$IP6/g"
grep -rl host.altagrade.org /etc | xargs -r sed -i "s/host.altagrade.org/$HOSTNAME/g"
grep -rl eth0 /etc | xargs -r sed -i "s/eth0/$IFACE/g"
# Per https://www.virtualmin.com/node/43097
rm -rf /var/webmin/module.infos.cache
sh /etc/ag/cp/new-lang.sh >/dev/null 2>&1
/sbin/virtualmin check-config
 
# Install test repository for updates
cat > /etc/yum.repos.d/testrepo.repo << 'EOF'
[testrepo]
name=TestRepo Repository
baseurl=http://testrepo.altagrade.org:8080
enabled=1
gpgcheck=0
EOF
yum -y update
#yum -y install testrepo

# Calculating execution time
executed="$(($SECONDS / 60)) minutes and $(($SECONDS % 60)) seconds"
echo "The installation took $executed"
echo "AltaOS installed on $(date)" > /root/.altaos/.install_date
 
# Sending the final e-mail notification
yum -y install mailx
echo "Installation of AltaOS on ${HOSTNAME} completed in $executed. The system is rebooting..." | mail -s "AltaOS has been installed on ${HOSTNAME}" 6504506428@vtext.com
 
rm -f /root/recipe*
rm -f /usr/src/altaos.sh
 
updatedb
echo "Rebooting the system..."
reboot