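#!/bin/bash
# Provisioning script, part 1: shared variables, base packages, accounting and
# auto-update services, and Composer.
# The steps below write under /usr/local/bin and call yum/systemctl, so the
# script is expected to run as root. No strict mode is enabled: a failed step
# prints its error and the run continues.

echo "=================================================================================="
echo "Defining some variable values to use later in the installation script..."

# QEMU guests use a different SSH port from other hosts. PORT is exported
# because later sections substitute it into sshd_config and Webmin files.
if grep -q "QEMU" /proc/bus/input/devices; then
  PORT=19759
else
  PORT=19753
fi
export PORT

# Primary IPv4 address: take the token that follows "src" in the route lookup.
# Printing the last field ($NF) is wrong on iproute2 versions that append
# extra fields (for example "uid 0") after the source address.
IP="$(ip route get 8.8.8.8 | awk 'NR==1 { for (i = 1; i < NF; i++) if ($i == "src") { print $(i + 1); exit } }')"
IP6="$(ip -6 addr | grep inet6 | awk -F '[ \t]+|/' '{print $3}' | grep -v ^::1)"

# Interface carrying $IP. Fixed-string, whole-word match so that 1.2.3.4 does
# not match 11.2.3.40, and no lookup at all when IP could not be determined
# (an empty pattern would match every line).
IFACE=""
if [ -n "$IP" ]; then
  IFACE=$(ip addr | grep -Fw -- "$IP" | awk '{print $NF}')
fi

OWNER=""
TIMESTAMP=$(date +%s)
SECONDS=0 # bash's built-in timer: counts seconds from this point
# There is no DB at this point yet, so commenting out
# MYSQL_VER=`mysql --version|awk '{ print $5 }'|awk -F\-MariaDB, '{ print $1 }'`
echo "Done..."
echo "=================================================================================="

echo "=================================================================================="
echo "Installing additional packages..."
echo "=================================================================================="
echo "Installing additional packages .."
yum -y makecache fast && yum -y install yum-plugin-fastestmirror
yum -y install epel-release
yum -y install perl nano rsync make vim screen wget mlocate gcc pcre-devel \
  nmap openssh-clients ImageMagick gcc-c++ bzip2 net-tools iptables-services \
  ntpdate yum-cron perl-LWP-Protocol-https deltarpm patch lsof git psacct \
  yum-utils bash-completion at e2fsprogs sudo libxml2-devel htop pam-devel \
  perl-Authen-PAM
echo "..done"

echo "=================================================================================="
echo "Enabling services .."
systemctl enable psacct && systemctl start psacct
systemctl enable yum-cron.service && systemctl start yum-cron.service
echo "..done"

if [ ! -f /usr/local/bin/composer ]; then
  echo "=================================================================================="
  echo "Installing Composer .."
  cd /usr/src
  # The installer runs as root, so it is downloaded to a private temp file and
  # executed only if its SHA-384 matches the checksum the Composer project
  # publishes, instead of piping the download straight into php.
  # NOTE(review): php is not in the package list above; presumably it is
  # installed before this script runs - confirm.
  if installer="$(mktemp /usr/src/composer-setup.XXXXXX)"; then
    expected_sig="$(curl -fsS https://composer.github.io/installer.sig)"
    if curl -fsS -o "$installer" https://getcomposer.org/installer &&
      [ -n "$expected_sig" ] &&
      [ "$(sha384sum "$installer" | awk '{print $1}')" = "$expected_sig" ]; then
      sudo php "$installer" --install-dir=/usr/local/bin --filename=composer
    else
      echo "Composer installer download or checksum verification failed; not installing" >&2
    fi
    rm -f -- "$installer"
  else
    echo "mktemp failed; Composer not installed" >&2
  fi
  echo "..done"
fi
echo "Done..."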
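echo "=================================================================================="

# Provisioning script, part 2: base system configuration (timezone, backup and
# sandbox directories, nano syntax colours, root crontab header, SSH banner,
# motd, root aliases, automatic updates, PAM login hook, limits, resolver).
#
# Changes from the previous revision of this section:
#  * "sed -ie" means "-i with backup suffix e", which left copies such as
#    /etc/nanorce and /etc/ssh/sshd_confige behind; it is now "sed -i -e".
#  * "cat root temp > root" truncated root before reading it, so the header
#    just written was lost; the crontab is now assembled in a temp file.
#  * Lines appended to sshd_config, pam.d/sshd and limits.conf are added only
#    when missing, so re-running the script does not duplicate them.

# Append line $1 to file $2 unless the file already holds that exact line.
append_once() {
  grep -Fxq -- "$1" "$2" 2>/dev/null || printf '%s\n' "$1" >> "$2"
}

echo "=================================================================================="
echo "Setting up and configuring the system..."

if [ "$(readlink /etc/localtime)" != "/usr/share/zoneinfo/UTC" ]; then
  echo "=================================================================================="
  echo "Setting local time to UTC .."
  rm -f /etc/localtime
  ln -s /usr/share/zoneinfo/UTC /etc/localtime
  echo ".. done"
fi

if [ ! -d /home/backup ]; then
  echo "=================================================================================="
  echo "Creating /home/backup directory .."
  mkdir /home/backup
  echo "Creating a symlink /backup to /home/backup .."
  ln -s /home/backup /backup
  echo ".. done"
fi

if [ ! -d /sandbox ]; then
  echo "=================================================================================="
  echo "Creating /sandbox directory .."
  mkdir /sandbox
  echo ".. done"
fi

# The nanorc.nanorc include is uncommented last, so its commented form doubles
# as the "not done yet" marker for the whole group.
if grep -Fq '# include "/usr/share/nano/nanorc.nanorc"' /etc/nanorc; then
  echo "=================================================================================="
  echo "Colorifying the Nano editor .."
  for syntax in sh java python patch php c css html man perl ruby xml nanorc; do
    sed -i -e "s|# include \"/usr/share/nano/${syntax}.nanorc\"|include \"/usr/share/nano/${syntax}.nanorc\"|" /etc/nanorc
  done
  echo ".. done"
fi

# Setting cron job definitions before other scripts start putting their own lines
if ! grep -Fq "Example of cron job definition on AltaGrade servers" /var/spool/cron/root; then
  echo "=================================================================================="
  echo "Setting up cron definitions .."
  cd /var/spool/cron
  # Header first, then any existing root crontab, assembled outside
  # /var/spool/cron so no stray file is left there to be read as a crontab.
  if cron_tmp="$(mktemp)"; then
    cat > "$cron_tmp" << 'EOF'
# Example of cron job definition on AltaGrade servers:
# .---------------- minute (0 - 59)
# | .------------- hour (0 - 23)
# | | .---------- day of month (1 - 31)
# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# | | | | |
#
# 1. Entry: Minute when the process will be started [0-60]
# 2. Entry: Hour when the process will be started [0-23]
# 3. Entry: Day of the month when the process will be started [1-28/29/30/31]
# 4. Entry: Month of the year when the process will be started [1-12]
# 5. Entry: Weekday when the process will be started [0-6] [0 is Sunday]
#
# every x min = */x
# So according to this your 5 8 * * 6 would run 8:05 every Saturday.
# Ex: 39 * * * * wget -O - -q -t 1 http://YourDrupalSite.com/cron.php?key=YourDrupalSiteCronKeyHere
EOF
    if [ -f root ]; then
      cat root >> "$cron_tmp"
    fi
    cat "$cron_tmp" > root
    rm -f -- "$cron_tmp"
  else
    echo "mktemp failed; root crontab left unchanged" >&2
  fi
  echo "..done"
fi

if ! grep -Fq "▓▓▓█████▓" /etc/banner; then
  echo "=================================================================================="
  echo "Creating /etc/banner .."
  # NOTE(review): the banner is multi-line block art whose line breaks and
  # column spacing are not recoverable from this copy of the script; the glyph
  # run is kept in order on one line - restore the layout from the upstream file.
  cat << 'EOT' >> /etc/banner
▄▄▄ ▓▓▓ ▓▓▓█████▓ ▄▄▄ ▄████ ▓▓▀███ ▄▄▄ ▓█████▄ ▓█████ ▒▓▓██▄ ▓██▒ ▓ ▓▓▒ ▓▒▒████▄ ▓▓▒ ▀█▒▓██ ▒ ▓█▒▒▓▓██▄ ▒▓▓▀ ██▌▓▓ ▀ ▒▓▓ ▀█▄ ▒▓▓░ ▒ ▓██░ ▒░▒▓▓ ▀█▄ ▒▓▓░▄▄▄░▓▓▓ ░▄█ ▒▒▓▓ ▀█▄ ░██ █▌▒▓▓██ ░██▄▄▄▄██ ▒▓▓░ ░ ▓██▓ ░ ░██▄▄▄▄██ ░▓█ ██▓▒▓▓▀▀█▄ ░██▄▄▄▄██ ░▓█▄ ▌▒▓█ ▄ ▓█ ▓██▒░██████▒▒██▒ ░ ▓█ ▓██▒░▒▓███▀▒░██▓ ▒▓▓▒ ▓█ ▓██▒░▒████▓ ░▒████▒ ▒▒ ▓▒█░░ ▒░▓ ░▒ ░░ ▒▒ ▓▒█░ ░▒ ▒ ░ ▒▓ ░▒▓░ ▒▒ ▓▒█░ ▒▒▓ ▒ ░░ ▒░ ░ ▒ ▒▒ ░░ ░ ▒ ░ ░ ▒ ▒▒ ░ ░ ░ ░▒ ░ ▒░ ▒ ▒▒ ░ ░ ▒ ▒ ░ ░ ░ ░ ▒ ░ ░ ░ ░ ▒ ░ ░ ░ ░░ ░ ░ ▒ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░
EOT
  echo ".. done"
fi

# Point sshd at the banner: replace the stock commented default if it is
# still there, otherwise add the directive once.
if grep -Fq "#Banner none" /etc/ssh/sshd_config; then
  sed -i -e '/#Banner none/c\Banner /etc/banner' /etc/ssh/sshd_config
else
  append_once 'Banner /etc/banner' /etc/ssh/sshd_config
fi

if ! grep -Fq "Welcome" /etc/motd; then
  echo "=================================================================================="
  echo "Creating /etc/motd .."
  # NOTE(review): the padding that aligned the right-hand border of this box
  # is not recoverable from this copy; only the line breaks are restored.
  cat << 'EOT' >> /etc/motd
*****************************************************************************
* Welcome to AltaGrade Optimized Operating System! *
* *
* If you encounter any issues with the server, then please browse our Help *
* section on https://www.altagrade.com/docs first. And if you couldn't find *
* any solution, then submit a support request at https://my.altagrade.com. *
* *
*****************************************************************************
EOT
  echo ".. done"
fi

if ! grep -Fq "update-webmin" /root/.bashrc; then
  echo "=================================================================================="
  echo "Creating root aliases .."
  # Quoted delimiter: the text is written literally, so $1 and ${1} below are
  # expanded by root's shell later, not by this installer.
  cat >> /root/.bashrc << 'EOF'
alias update-webmin='yes | /usr/libexec/webmin/update-from-repo.sh'
alias update-theme='yes | /usr/libexec/webmin/authentic-theme/theme-update.sh'
alias webminpass='/usr/libexec/webmin/changepass.pl /etc/webmin root'
alias ps10='ps -auxf | sort -nr -k 4 | head -10'
alias cpu10='ps -eo pcpu,pid,user,args | sort -k 1 -r | head -10'
alias qchwr='drush pml --no-core --type=module --status=enabled --pipe | xargs drush -y dis'
alias repo='sed -n -e "/^\[/h; /priority *=/{ G; s/\n/ /; s/ity=/ity = /; p }" /etc/yum.repos.d/*.repo | sort -k3n'
alias psx="ps -eo pcpu,pid -o comm= | sort -k1 -n -r | head -12"
alias psg="ps fuxa |grep $1"
alias psm="ps -eo pmem,pcpu,rss,vsize,args | sort -k 1 -r | less"
alias eba='nano /etc/profile.d/globaliases.sh'
alias lba='source /etc/profile.d/globaliases.sh'
alias net1='rm -rf /etc/udev/rules.d/70-persistent-net.rules'
alias net2='nano /etc/resolv.conf'
alias net3='nano /etc/sysconfig/network-scripts/ifcfg*'
snd () {
  rsync --rsh -av -e 'ssh -p 19759' --progress --partial ${1} root@IP:/
}
# sync two directories
# rsync -azP -e 'ssh -p 19759' local_dir root@IP:/remote_dir
EOF
  echo "..done"
fi

# "update_messages = no" in yum-cron.conf is the marker for "not configured
# yet"; the same three switches are then flipped in the daily and hourly files.
if grep -Fq 'update_messages = no' /etc/yum/yum-cron.conf; then
  echo "=================================================================================="
  echo "Enabling automatic OS updates .."
  for conf in /etc/yum/yum-cron.conf /etc/yum/yum-cron-hourly.conf; do
    sed -i \
      -e 's/update_messages = no/update_messages = yes/' \
      -e 's/download_updates = no/download_updates = yes/' \
      -e 's/apply_updates = no/apply_updates = yes/' \
      "$conf"
  done
  echo ".. done"
fi

if grep -Fq 'installonly_limit=5' /etc/yum.conf; then
  echo "Setting amount of installed kernels to 2 .."
  sed -i -e 's/installonly_limit=5/installonly_limit=2/' /etc/yum.conf
  systemctl enable yum-cron.service && systemctl start yum-cron.service
  echo ".. done"
fi

# pam_exec with "seteuid" runs the hook with root's effective UID on every
# SSH session, so the hook must be owned by root and writable by nobody else.
if [ -f /etc/ag/scripts/login-notify.sh ]; then
  chown root:root /etc/ag/scripts/login-notify.sh
  chmod 755 /etc/ag/scripts/login-notify.sh
  append_once 'session optional pam_exec.so seteuid /etc/ag/scripts/login-notify.sh' /etc/pam.d/sshd
fi

append_once '* soft nofile 65535' /etc/security/limits.conf
append_once '* hard nofile 65535' /etc/security/limits.conf

if ! grep -Fq 127.0.0.1 "/etc/resolv.conf"; then
  echo "nameserver 127.0.0.1" >> /etc/resolv.conf
fi
echo "Done..."
echo "=================================================================================="

echo "=================================================================================="
echo "Creating global aliases for user SSH sessions..."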
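# Provisioning script, part 3: write /etc/profile.d/globaliases.sh (aliases,
# helper functions and the two-line prompt) and the hourly/daily cron tasks.
# The heredocs use quoted delimiters, so their text is written literally and
# only evaluated later by the shell that sources or runs the generated file.
#
# Changes to the generated globaliases.sh from the previous revision:
#  * The "wget --no-check-certificate" alias is gone. It switched TLS
#    certificate verification off for every interactive wget on the host.
#  * extract() deleted the archive unconditionally, including after a failed
#    extraction or an unsupported format; it now deletes only after success.
#  * check_hack() chained its checks with &&, so the base64_decode, gzinflate,
#    size and marker checks were skipped for any docroot without an "eval ("
#    hit; every check now runs on its own.
#  * Arguments are quoted, and docroots come from globs rather than from
#    word-splitting find output.
#  * chownuser() refuses to run outside /home/<user>/.
cat > /etc/profile.d/globaliases.sh << 'EOT'
export PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin
export EDITOR="nano"
if [ -d /opt/remi/php74 ]; then
  source /opt/remi/php74/enable
elif [ -d /opt/remi/php73 ]; then
  source /opt/remi/php73/enable
elif [ -d /opt/remi/php72 ]; then
  source /opt/remi/php72/enable
fi
# No wget alias here: certificate verification stays on. For a private CA use
# wget --ca-certificate=FILE on the individual command.
alias frw='firewall-cmd'
alias genpass='openssl rand -base64 12'
alias myip='curl https://ipinfo.io/ip'
alias re3='systemctl restart httpd && systemctl restart varnish && systemctl restart pound'
alias ?='history' # DISPLAYS HISTORY
alias l='ls -la'
alias x='exit'
alias l.='ls -dl .* --color=auto'
alias fix-sl='find . -type f -name .htaccess -exec sed -i "s/FollowSymLinks/SymLinksIfOwnerMatch/g" {} \; | find . -type f -name file.inc -exec sed -i "s/FollowSymLinks/SymLinksIfOwnerMatch/g" {} \;'
alias s1='nano /etc/hosts'
alias s2='nano /etc/hostname'
alias s3='nano /etc/postfix/main.cf'
alias s4='nano /etc/varnish/default.vcl'
alias s5='nano /etc/varnish/varnish.params'
alias s6='nano /etc/pound.cfg'
alias yum='yum -y'
alias dnf='dnf -y'
alias recall="history |grep $1"

# firewalld helpers: $1 is a source address or network
allow () {
  firewall-cmd --permanent --add-source="$1" && firewall-cmd --reload && firewall-cmd --list-all
}
unallow () {
  firewall-cmd --permanent --remove-source="$1" && firewall-cmd --reload && firewall-cmd --list-all
}
block () {
  firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='$1' reject" && firewall-cmd --reload && firewall-cmd --list-all
}
unblock () {
  firewall-cmd --permanent --remove-rich-rule="rule family='ipv4' source address='$1' reject" && firewall-cmd --reload && firewall-cmd --list-all
}
tardir () {
  tar cvzf "${1}.tar.gz" "${1}"
}
# Extract compressed file; the archive is removed only after a successful run
extract () {
  if [ -f "$1" ] && [ -r "$1" ] ; then
    case "$1" in
      (*.tar.bz|*.tbz) tar -xjf "$1";;
      (*.tar.bz2|*.tbz2) tar xjf "$1";;
      (*.tar.gz|*.tgz) tar xzf "$1";;
      (*.bz2) bunzip2 "$1";;
      (*.rar) rar x "$1";;
      (*.gz) gunzip "$1";;
      (*.tar) tar xf "$1";;
      (*.zip) unzip "$1";;
      (*.Z) uncompress "$1";;
      (*.7z) 7z x "$1";;
      (*.deb) sudo dpkg -i "$1";;
      (*.rpm) sudo alien -dik "$1";;
      (*) echo "extract: unsupported format $1"; return 1;;
    esac || return
    rm -f -- "$1"
    ls -l
  else
    echo "extract: file not found or unreadable: $1"
  fi
}
# Find a file with a pattern in file name
function fn() { find . -type f -iname "*$1*" -ls ; }
# Find a file with a pattern in the content of the file
function fs() { grep -Ril "$1" .; }
# List PHP files under every docroot that match common webshell indicators.
# Each check runs independently of the others.
function check_hack() {
  local docroot
  for docroot in /home/*/public_html /home/*/domains/*/public_html/; do
    [ -d "$docroot" ] || continue
    find "$docroot" -type f -name '*.php' -print0 | xargs -0 -r grep -l 'eval *(' --color
    find "$docroot" -type f -name '*.php' -print0 | xargs -0 -r grep -l 'base64_decode *(' --color
    find "$docroot" -type f -name '*.php' -print0 | xargs -0 -r grep -l 'gzinflate *(' --color
    find "$docroot" -size 494c -name '*.php'
    grep -Rl PCT4BA6ODSE "$docroot"
  done
}
function check_drupal() {
  local docroot
  for docroot in /home/*/public_html /home/*/domains/*/public_html/; do
    [ -d "$docroot" ] || continue
    drush -r "$docroot" status | grep Drupal
  done
}
# Give the current tree to the account named by the third path component
chownuser () {
  local user
  case "$PWD" in
    /home/*) user=$(pwd | cut -d '/' -f3) ;;
    *) echo "chownuser: run this inside /home/<user>/" >&2; return 1 ;;
  esac
  if [ -z "$user" ] || ! id "$user" >/dev/null 2>&1; then
    echo "chownuser: no such user: $user" >&2
    return 1
  fi
  chown -R "$user:$user" .
}
audit () {
  drush dl site_audit && drush dl drupalgeddon && drush cache-clear drush && drush asec
}
##########################################################
#Userprompt. See "User Configuration" section #
##########################################################
#=========================================================
#Terminal Color Codes
#=========================================================
WHITE='\[\033[1;37m\]'
LIGHTGRAY='\[\033[0;37m\]'
GRAY='\[\033[1;30m\]'
BLACK='\[\033[0;30m\]'
RED='\[\033[0;31m\]'
LIGHTRED='\[\033[1;31m\]'
GREEN='\[\033[0;32m\]'
LIGHTGREEN='\[\033[1;32m\]'
BROWN='\[\033[0;33m\]' #Orange
YELLOW='\[\033[1;33m\]'
BLUE='\[\033[0;34m\]'
LIGHTBLUE='\[\033[1;34m\]'
PURPLE='\[\033[0;35m\]'
PINK='\[\033[1;35m\]' #Light Purple
CYAN='\[\033[0;36m\]'
LIGHTCYAN='\[\033[1;36m\]'
DEFAULT='\[\033[0m\]'
#=========================================================
# User Configuration
#=========================================================
# Colors
cLINES=$GRAY #Lines and Arrow
cBRACKETS=$GRAY # Brackets around each data item
cERROR=$LIGHTRED # Error block when previous command did not return 0
cTIME=$LIGHTGRAY # The current time
cMPX1=$YELLOW # Color for terminal multiplexer threshold 1
cMPX2=$RED # Color for terminal multiplexer threshold 2
cBGJ1=$YELLOW # Color for background job threshold 1
cBGJ2=$RED # Color for background job threshold 2
cSTJ1=$YELLOW # Color for stopped job threshold 1
cSTJ2=$RED # Color for stopped job threshold 2
cSSH=$PINK # Color for brackets if session is an SSH session
cUSR=$LIGHTBLUE # Color of user
cUHS=$GRAY # Color of the user and hostname separator, probably '@'
cHST=$LIGHTGREEN # Color of hostname
cRWN=$RED # Color of root warning
cPWD=$BLUE # Color of current directory
cCMD=$DEFAULT # Color of the command you type
# Enable block
eNL=1 # Have a newline between previous command output and new prompt
eERR=1 # Previous command return status tracker
eMPX=1 # Terminal multiplexer tracker enabled
eSSH=1 # Track if session is SSH
eBGJ=1 # Track background jobs
eSTJ=1 # Track stopped jobs
eUSH=1 # Show user and host
ePWD=1 # Show current directory
# Block settings
MPXT1="0" # Terminal multiplexer threshold 1 value
MPXT2="2" # Terminal multiplexer threshold 2 value
BGJT1="0" # Background job threshold 1 value
BGJT2="2" # Background job threshold 2 value
STJT1="0" # Stopped job threshold 1 value
STJT2="2" # Stopped job threshold 2 value
UHS="@"
function promptcmd() {
  PREVRET=$?
  # check if user is in ssh session
  if [[ $SSH_CLIENT ]] || [[ $SSH2_CLIENT ]]; then
    lSSH_FLAG=1
  else
    lSSH_FLAG=0
  fi
  # Insert a new line to clear space from previous command
  PS1="\n"
  # Beginning of first line (arrow wrap around and color setup)
  PS1="${PS1}${cLINES}\342\224\214\342\224\200"
  # First Dynamic Block - Previous Command Error
  if [ $PREVRET -ne 0 ] ; then
    PS1="${PS1}${cBRACKETS}[${cERROR}:(${cBRACKETS}]${cLINES}\342\224\200"
  fi
  # First static block - Current time
  PS1="${PS1}${cBRACKETS}[${cTIME}\t${cBRACKETS}]${cLINES}\342\224\200"
  # Detached Screen Sessions
  hTMUX=0
  hSCREEN=0
  MPXC=0
  hash tmux --help 2>/dev/null || hTMUX=1
  hash screen --version 2>/dev/null || hSCREEN=1
  if [ $hTMUX -eq 0 ] && [ $hSCREEN -eq 0 ] ; then
    MPXC=$(echo "$(screen -ls | grep -c -i detach) + $(tmux ls 2>/dev/null | grep -c -i -v attach)" | bc)
  elif [ $hTMUX -eq 0 ] && [ $hSCREEN -eq 1 ] ; then
    MPXC=$(tmux ls 2>/dev/null | grep -c -i -v attach)
  elif [ $hTMUX -eq 1 ] && [ $hSCREEN -eq 0 ] ; then
    MPXC=$(screen -ls | grep -c -i detach)
  fi
  if [[ $MPXC -gt $MPXT2 ]] ; then
    PS1="${PS1}${cBRACKETS}[${cMPX2}\342\230\220:${MPXC}${cBRACKETS}]${cLINES}\342\224\200"
  elif [[ $MPXC -gt $MPXT1 ]] ; then
    PS1="${PS1}${cBRACKETS}[${cMPX1}\342\230\220:${MPXC}${cBRACKETS}]${cLINES}\342\224\200"
  fi
  # Backgrounded running jobs
  BGJC=$(jobs -r | wc -l )
  if [ $BGJC -gt $BGJT2 ] ; then
    PS1="${PS1}${cBRACKETS}[${cBGJ2}&:${BGJC}${cBRACKETS}]${cLINES}\342\224\200"
  elif [ $BGJC -gt $BGJT1 ] ; then
    PS1="${PS1}${cBRACKETS}[${cBGJ1}&:${BGJC}${cBRACKETS}]${cLINES}\342\224\200"
  fi
  # Stopped Jobs
  STJC=$(jobs -s | wc -l )
  if [ $STJC -gt $STJT2 ] ; then
    PS1="${PS1}${cBRACKETS}[${cSTJ2}\342\234\227:${STJC}${cBRACKETS}]${cLINES}\342\224\200"
  elif [ $STJC -gt $STJT1 ] ; then
    PS1="${PS1}${cBRACKETS}[${cSTJ1}\342\234\227:${STJC}${cBRACKETS}]${cLINES}\342\224\200"
  fi
  # Second Static block - User@host
  # set color for brackets if user is in ssh session
  if [ $lSSH_FLAG -eq 1 ] ; then
    sesClr="$cSSH"
  else
    sesClr="$cBRACKETS"
  fi
  # don't display user if root
  if [ $EUID -eq 0 ] ; then
    PS1="${PS1}${sesClr}[${cRWN}!"
  else
    PS1="${PS1}${sesClr}[${cUSR}\u${cUHS}${UHS}"
  fi
  PS1="${PS1}${cHST}\H${sesClr}]${cLINES}\342\224\200"
  # Third Static Block - Current Directory
  PS1="${PS1}[${cPWD}\w${cBRACKETS}]"
  # Second Line
  PS1="${PS1}\n${cLINES}\342\224\224\342\224\200\342\224\200> ${cCMD}"
}
function load_prompt () {
  # Get PIDs
  local parent_process=$(tr -d '\0' < /proc/$PPID/cmdline | cut -d \. -f 1)
  local my_process=$(tr -d '\0' < /proc/$$/cmdline | cut -d \. -f 1)
  if [[ $parent_process == script* ]]; then
    PROMPT_COMMAND=""
    PS1="\t - \# - \u@\H { \w }\$ "
  elif [[ $parent_process == emacs* || $parent_process == xemacs* ]]; then
    PROMPT_COMMAND=""
    PS1="\u@\H { \w }\$ "
  else
    export DAY=$(date +%A)
    PROMPT_COMMAND=promptcmd
  fi
  export PS1 PROMPT_COMMAND
}
load_prompt
EOT
echo "Done..."
echo "=================================================================================="

echo "=================================================================================="
echo "Configuring hourly and daily AltaGrade cron-tasks..."
# Hourly task: runs update-drupal, then executes /etc/ag/updates/update.sh as
# root whenever it differs from the previously executed copy (update.sh.old).
# NOTE(review): whatever can write /etc/ag/updates/update.sh gets root code
# execution within the hour. This script does not show how that file is
# delivered - confirm it arrives over an authenticated channel and that
# /etc/ag/updates is writable by root only.
cat > /etc/cron.hourly/altagrade << 'EOF'
#!/bin/bash
sh /etc/ag/scripts/update-drupal 1 > /dev/null
if [ -e /etc/ag/updates/update.sh.old ]; then
  if ! cmp --silent /etc/ag/updates/update.sh /etc/ag/updates/update.sh.old
  then
    chmod 755 /etc/ag/updates/update.sh
    sh /etc/ag/updates/update.sh
    mv /etc/ag/updates/update.sh /etc/ag/updates/update.sh.old
  fi
fi
exit
EOF
chmod 755 /etc/cron.hourly/altagrade

# Daily task: rebrand strings in the Webmin config and refresh language files.
# "sed -i -e" (not "-ie") so no backup copy with an "e" suffix is written on
# every run.
cat > /etc/cron.daily/altagrade << 'EOF'
#!/bin/bash
sed -i -e 's/CentOS/AltaOS/' /etc/webmin/config >/dev/null 2>&1
sh /etc/ag/cp/new-lang.sh >/dev/null 2>&1
sed -i -e 's/slider_enabled=true/slider_enabled=false/' /etc/webmin/authentic-theme/settings.js >/dev/null 2>&1
exit
EOF
chmod 755 /etc/cron.daily/altagrade
# Run the daily task once right away. (Read from the collapsed source as
# chmod followed by an immediate run of the script - confirm.)
/etc/cron.daily/altagrade
echo "Done..."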
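echo "=================================================================================="

# Provisioning script, part 4: admin account and SSH hardening, Virtualmin
# install, Webmin/Virtualmin configuration.
#
# Changes from the previous revision of this section:
#  * "passwd -d root" removed root's password, which makes the account
#    passwordless wherever empty passwords are accepted; the stated intent
#    ("Disabling root password") is a lock, so it is now "passwd -l root".
#  * The Virtualmin installer was fetched over plain HTTP and run as root; it
#    is now fetched over HTTPS and run only if the download succeeded.
#  * /etc/sudoers is edited on a copy and installed only if visudo accepts it.
#  * ~altagrade/.ssh and authorized_keys get owner-only ownership and modes.
#  * "s/nopwd=0/nopwd=1" had no closing delimiter, so sed rejected it.
#  * MYSQL_VER was never assigned, so an empty version file was written.
#  * "sed -ie" left backup copies with an "e" suffix (for example
#    /etc/sudoerse, /etc/webmin/miniserv.userse); it is now "sed -i -e".
#  * The /etc/ag/webmin overrides replace the live copy only when the
#    override exists, so a missing source no longer deletes the target.

echo "=================================================================================="
echo "Creating an 'altagrade' admin user..."
if ! id "altagrade" >/dev/null 2>&1; then
  echo "=================================================================================="
  echo "Creating altagrade user .."
  # PORT goes into sshd_config below; stop here rather than write an empty
  # "Port" line that would keep sshd from starting.
  : "${PORT:?PORT must be set before sshd is reconfigured}"

  yum -y install "perl(IO::Pty)"
  # Disabling root password (lock it; do not blank it)
  passwd -l root
  useradd -G wheel altagrade
  # The random password is not stored anywhere: access is by SSH key only.
  openssl rand -base64 12 | passwd altagrade --stdin

  echo "Setting %wheel group members passwordless sudoers .."
  # Comment out the active %wheel rule and activate the stock NOPASSWD one.
  if sudoers_tmp="$(mktemp)"; then
    if sed -e 's/%wheel/#%wheel/' -e 's/# #%wheel/%wheel/' /etc/sudoers > "$sudoers_tmp" &&
      visudo -cf "$sudoers_tmp" >/dev/null; then
      cat "$sudoers_tmp" > /etc/sudoers
    else
      echo "sudoers edit failed validation; /etc/sudoers left unchanged" >&2
    fi
    rm -f -- "$sudoers_tmp"
  fi

  # NOTE(review): this public key is hard-coded for every provisioned host.
  # Together with NOPASSWD sudo for wheel, the holder of the matching private
  # key has root on all of them. The key carries no owner comment; record who
  # holds it and how it is rotated, or provision a per-host key instead.
  install -d -m 700 -o altagrade -g altagrade /home/altagrade/.ssh
  echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC753VZbicoElj5moS0XZ70ERwse483Cuqc6Jf3YXJvn4+ZGzdjUsUI4+0GHK0aufeFh4YNZQ9QoQnM/3HUKZIGm3/2lYvzY1Z2YtyWz57LSX6o+oskq01Pe+3g+sxbt1yOW/KhClVhTSNzFPtMV5h4//JLxdO1Z6pctXSgq2COZ9fnEAm/AzmYFpuNvg0JmNdWuFkvnSKZrkt9hmw72TTjTE+p9DviTmoq4GCr6l2Pg4y6oTlyQ595yi6wDZe0JK7cdkKMsA4U6kAyHqci7zXOu7HjLdYcKZCohCp/iddHZbERmlZuS1eGbiARYtBZb9FNdUmnUB3nggb4DU3FPeDl' >> /home/altagrade/.ssh/authorized_keys
  chown altagrade:altagrade /home/altagrade/.ssh/authorized_keys
  chmod 600 /home/altagrade/.ssh/authorized_keys
  restorecon -R -v /home/altagrade/.ssh

  sed -i "s/#Port 22/Port ${PORT}/g" /etc/ssh/sshd_config
  sed -i "s/#PermitRootLogin yes/PermitRootLogin no/g" /etc/ssh/sshd_config
  sed -i "s/PasswordAuthentication yes/PasswordAuthentication no/g" /etc/ssh/sshd_config
  yum -y install policycoreutils-python
  semanage port -a -t ssh_port_t -p tcp "${PORT}"
  # NOTE(review): SELinux is switched off for the next boot right after the
  # SSH port was labelled for it. Disabling it removes mandatory access
  # control from a multi-tenant web host; confirm this is intended rather
  # than permissive mode or a targeted policy fix.
  sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
  echo ".. done"
fi
echo "Done..."
echo "=================================================================================="

echo "=================================================================================="
echo "Installing Webmin and Virtualmin..."
if [ ! -d /etc/webmin ]; then
  echo "=================================================================================="
  echo "Installing control panel .."
  cd /usr/src
  # Per https://www.virtualmin.com/node/53190
  DISABLE_SCL=1
  export DISABLE_SCL
  # HTTPS only: the installer runs as root, so it must not be fetched over a
  # channel an on-path attacker can rewrite. Run it only if the fetch worked.
  if wget -O install.sh https://software.virtualmin.com/gpl/scripts/install.sh; then
    chmod 755 install.sh
    ./install.sh -y
  else
    echo "Virtualmin installer download failed; control panel not installed" >&2
  fi
  echo ".. done"
fi
echo "Done..."
echo "=================================================================================="

echo "=================================================================================="
echo "Configuring Webmin and Virtualmin..."
# Changes in /etc/webmin/miniserv.conf
# Preload list: the Virtualmin library plus one entry per feature module.
preload="virtual-server=virtual-server/virtual-server-lib-funcs.pl"
for feature in unix dir dns mail web webalizer ssl logrotate mysql postgres ftp spam virus webmin virt virt6; do
  preload="${preload} virtual-server=virtual-server/feature-${feature}.pl"
done
sed -i -e "s#preload=#preload=${preload}#" /etc/webmin/miniserv.conf
echo 'premodules=WebminCore' >> /etc/webmin/miniserv.conf
# Per https://my.altagrade.com/ticket/2245
echo "no_testing_cookie=1" >> /etc/webmin/miniserv.conf

# Let Webmin know of MariaDB version. The version is read here because the
# database client is not installed when the script's variables are first set.
if [ -z "${MYSQL_VER:-}" ] && command -v mysql >/dev/null 2>&1; then
  MYSQL_VER="$(mysql --version | awk '{ print $5 }' | awk -F'-MariaDB,' '{ print $1 }')"
fi
if [ -n "${MYSQL_VER:-}" ]; then
  printf '%s\n' "$MYSQL_VER" > /etc/webmin/mysql/version
fi

# Giving sudo user an admin privilege for Webmin
echo "sudo=1" >> /etc/webmin/miniserv.conf
sed -i -e 's/root: /altagrade: /' /etc/webmin/webmin.acl
sed -i -e 's/root:/altagrade:/' /etc/webmin/miniserv.users
# NOTE(review): virtual-server/config is rewritten wholesale by the heredoc at
# the end of this section, which would discard this edit - confirm.
sed -i -e 's/php_suexec=3/php_suexec=2/' /etc/webmin/virtual-server/config
sed -i -e 's/nopwd=0/nopwd=1/' /etc/webmin/mysql/config
echo "PORT ${PORT}" > /etc/webmin/virtual-server/globals
echo "DEFAULT_IP 1" >> /etc/webmin/virtual-server/globals
echo "webmin_from=root" >> /etc/webmin/mailboxes/config
if ! grep -Fq "timeserver=pool.ntp.org" /etc/webmin/time/config; then
  echo "timeserver=pool.ntp.org" >> /etc/webmin/time/config
fi
if [ ! -f /etc/webmin/webmincron/crons/150338373415549.cron ]; then
  cat > /etc/webmin/webmincron/crons/150338373415549.cron << 'EOF'
disabled=0
hours=11,14
days=*
mins=0,52
boot=1
id=150338373415549
weekdays=*
func=sync_time_cron
months=*
module=time
EOF
fi

# Adapting Virtualmin and Webmin jargon for cPanel users
for tmpl in /etc/webmin/virtual-server/bw-template /etc/webmin/virtual-server/warnbw-template; do
  sed -i -e 's/bandwidth /traffic /g' -e 's/Bandwidth /Traffic /g' "$tmpl"
done

# Templates
mkdir /etc/webmin/virtual-server/templates
touch /etc/webmin/virtual-server/templates/0
yes | /usr/libexec/webmin/authentic-theme/theme-update.sh

# Replace the stock Webmin pieces with the AltaGrade copies, but only when
# the replacement exists, so a missing source cannot delete the live copy.
for item in authentic-theme status custom webmin.acl; do
  if [ -e "/etc/ag/webmin/${item}" ]; then
    rm -rf "/etc/webmin/${item}"
    mv "/etc/ag/webmin/${item}" /etc/webmin
  fi
done

# NOTE(review): the template below carries values that look captured from one
# particular machine (old_defip6, external_ip_cache,
# last_letsencrypt_mass_renewal) - confirm they are meant for every host.
cat > /etc/webmin/virtual-server/config << 'EOT'
stats_hdir=
avail_mail=1
combined_tmpl=
old_defip6=fe80::216:3eff:feca:7117
domalias=
php_noedit=0
dns_ip=
bind_dmarcruf=
defnodbname=0
mail_system=0
clamscan_cmd=clamscan
bw_ftplog_rotated=1
theme_alt=
rs_endpoint=https://identity.api.rackspacecloud.com/v1.0
edit_quota=1
nopostfix_extra_user=0
iface_base=
webmin=1
disabled_web=${DISABLED_WHY}
vpopmail_group=vchkpw
last_letsencrypt_mass_renewal=1672756209
external_ip_cache=65.49.80.99
plugins_inactive=virtualmin-init virtualmin-dav virtualmin-registrar virtualmin-git virtualmin-sqlite virtualmin-slavedns
maillog_hide=0
pre_command=/etc/ag/scripts/pre.sh
mysql_replicas=
dnssec_alg=RSASHA1
pbzip2=0
backup_feature_logrotate=1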
avail_phpini=1 php7.3cgi=none othergroups= backup_feature_webalizer=0 secmx_nodns=0 own_restore=1 newuser_to_mailbox=1 dir=3 first_version=6.00 remote_alias=1 virtual_skel=/etc/ag/skel groupsame=0 max_backups=3 mysql_chgrp=1 other_doms=0 logrotate_config= b2_cmd=b2 show_sysinfo=1 statusemail= html_dir= auto_letsencrypt=0 show_validation=2 edit_ftp=1 avail_mailboxes=0 quota_get_group_command= netmask6= delete_logs=0 defforceunder=0 alias_types=1,2,5,6,7,8,9,10,11,12,13 spam_lock=0 postfix_ssl=0 spam_trap_black=0 defipfollow= deftmpl_nousers= preload_mode=2 php_ini_5.4= gzip_mysql=1 allow_symlinks=0 show_nf=master php_paths= contact_email= dnssec= php_ini_5.8= other_users=0 display_max= backup_feature_mysql=1 vpopmail_maildir=mail avail_bind8=1 localgroup= collect_restart=1 from_addr= default_procmail=1 jail_sects= tlsa_records=0 web_sslport=443 tar_args= php_ini_7.4= mysql_conns=none php_ini_7.9= defuquota=1048576 mysql_size=huge mysql_mkdb=1 delete_indom=0 show_tabs=1 spamclear=days 30 clam_delivery=/dev/null mysql_user_size=16 avail_dns=1 usermin_switch=1 status=0 statustimeout= avail_mysql=1 openssl_cnf= tmpl_outlook_autoconfig=none quota_set_user_command= gacl_users= stats_noedit=1 php_ini_5.2= spam_level= unix=3 hard_quotas=1 namedconf= bind_spfhosts= logrotate=3 post_command=/etc/ag/scripts/post.sh licence_script= update_template=default generics=0 collect_noall=0 passwd_chars= all_namevirtual=0 ip_ranges6= name_max=20 php7.3fcgi=none passwd_length= avail_postgres=0 hashpass=0 newuser_aliases= avail_custom=1 backup_feature_dir=1 clamscan_cmd_tested=clamscan show_features=0 always_ssl=0 phpver=7.0 php_fpm= dns_view= key_size= webmin_ssl=0 ldap=0 php_ini_5.7= mysql_nouser=0 bw_maillog=auto web_urlport= web_user=apache php_ini_5.9= passwd_mode=1 web_urlsslport= docs_text= newdom_cc= defsafeunder= php_session_age=7 newsubdom_bcc=info@altagrade.com quota_set_group_command= append_style=6 logrotate_files= dkim_enabled=0 initsub_template=141405782215856 
template_auto=0 name_mode=0 edit_homes=1 defaliasdomslimit=* backup_rotated=0 web_sslprotos= php7.2fcgi= mem_cmd= iface=eth0 disable=unix,mail,web,dns,mysql,postgres,ftp web_admindom= dns_check=1 backuplog_days=7 ssh_args= show_pass=1 stats_pass=1 php_ini_7.1= apache_config=ServerName ${DOM} ServerAlias www.${DOM} DocumentRoot ${HOME}/public_html ErrorLog /var/log/altagrade/${DOM}_error_log CustomLog /var/log/altagrade/${DOM}_access_log combined ScriptAlias /cgi-bin/ ${HOME}/cgi-bin/ DirectoryIndex index.html index.htm index.php index.php4 index.php5 Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch allow from all AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch allow from all AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch html_perms=0750 quota_get_user_command= statustmpl= avail_htaccess-htpasswd=1 quota_commands=0 php_ini_7.3= show_preview=2 limitnoalias=0 statusonly=0 defdomslimit= phpchildren= defmailboxlimit= group_quotas=1 defcapabilities=none username_length= proftpd_config=ServerName ${DOM} User ftp Group ftp UserAlias anonymous ftp DenyAll RequireValidShell off ExtendedLog ${HOME}/logs/ftp.log mail_skel= theme_link= gacl_umode=1 bind_spfall=2 hide_alias=0 tmpl_autoconfig=none edit_afiles=1 php_ini_7.8= dns_ns= python_cmd= backup_feature_dns=1 ldap_mail=0 apache_ssl_config= ldap_mailstore=$HOME/Maildir/ default_exclude=altagrade-backup sandbox defresources=none defaliaslimit= spam_client=spamassassin gacl_ugroups=${GROUP} domains_group= theme_image= dbgroup= virtual_skel_subs=0 bccto=none index_cols=dom,uquota,phpv append=1 backup_feature_mail=1 backup_feature_ssl=1 combined_cert=0 avail_spam=1 ldap_unix=1 ftp=0 max_manual=0 ham_trap_white=0 php5.4fcgi=none reseller_unix=0 vpopmail_auto=/usr/local/bin/autorespond ipfollow=0 bw_template=default backup_fmt=2 index_fcols= pigz=0 statussslcert=1 avail_syslog=1 avail_virtualmin-dav=0 postgres_encoding=none 
mysql_hosts= mysql_wild= denied_domains= namedconf_no_also_notify= bw_nomailout=0 delete_virts=0 old_defip=65.49.80.99 quotas=1 bind_dmarc=yes bccs=1 avail_change-user=0 sent_folder=Sent scriptdir=* reseller_modules= php_ini_5= webmin_modules= show_mailuser=1 avail_webminlog=1 php5fcgi=none defmquota=512000 maillog_period=30 php_ini_4= postgres=0 homes_dir=usermails php_vars=+memory_limit=64M dependent_mail=0 home_format= nolink_certs=1 reseller_template=none rs_snet=0 newsubdom_subject=Account information for ${DOM} at AltaGrade dbfnorename=0 def_webalizer= check_apache=0 web_ssi_suffix= docs_link=https://www.altagrade.com/help leave_acl=0 hide_pro_tips=0 reseller_pre_command= spam_white=0 collect_ifaces= webmin_group= defmongrelslimit=4 gacl_root=${HOME} bind_config= show_uquotas=0 spamtrap=none avail_passwd=0 jailkit_disabled=0 from_reseller=0 aliascopy=1 avail_filemin=1 alias_post_command= vpopmail_user=vpopmail vpopmail_owner=0 proxy_pass=0 gacl_groups=${GROUP} php_ini_7.2= show_lastlogin=1 bind_master= defbwlimit= mysql_charset=utf8mb4 subtmpl_nousers= avail_file=0 quota_list_groups_command= move_command= vpopmail_md= php_ini_5.3= virt6=1 local_template=none ca_tmpl= can_letsencrypt=2 extra_prefix= php_ini_7.7= backuplog_age= avail_webalizer=0 dovecot_ssl=0 tar_cmd= bw_backup=1 check_ports=2 defdbslimit= bind_sub=yes php7.2cgi= web_ssi=2 no_lookup_domain_daemon=1 newdom_aliases=postmaster=${EMAILTO} webmaster=${EMAILTO} abuse=${EMAILTO} hostmaster=info@altagrade.com ftp_shell=/bin/false allow_modphp=0 defip= php7.0fcgi=none plugins=virtualmin-awstats virtualmin-htpasswd bind_dmarcpct=100 namedconf_no_allow_transfer= home_base=/home php7.0cgi=none alias_mode=1 user_template=none drafts_folder=Drafts backup_feature_all=1 ftp_dir= shell=/dev/null iface6= show_ugroup=0 auto_redirect=0 postgresql=1 jailkit_root=/home/chroot defushell=none subdomain_template= domains_sort=sub ssl=0 php5.4cgi=none mysql_uconns=none lookup_domain_serial=0 backup_feature_virtualmin=1 
upload_tries=3 webalizer_nocron=1 defujail=0 key_tmpl= mysql=1 mysql_db=${ID}_${PREFIX} fcgid_max=9999 php_ini_7.6= php_ini_5.6= quota_list_users_command= mailgroup= web_writelogs= web_webmaildom= backup_onebyone=1 cert_tmpl= web_admin=1 disable_mail=0 avail_updown=1 allow_subdoms=0 php_suexec=2 show_mailsize=1 defquota=1048576 allow_upper=0 warnbw_template=default avail_at=1 home_backup=altagrade-backup zip_args= domalias_type=0 hashtypes=* stats_dir= scriptwarn_url= web_port=8080 avail_cron=1 force_email=1 ip_ranges= bw_notify=24 bind_replace= web_webmail=1 apache_star=0 usermin_ssl=0 disabled_url= wizard_run=1 show_quotas=0 avail_proc=1 avail_shell=0 clamscan_host= unix_shell=/bin/bash /bin/sh last_check_php_vers=5 5.4 7.3 web=1 compression=0 php_fpm_port=8000 alias_pre_command= reseller_post_command= bw_owner=1 defnorename= logrotate_shared=yes everything_tmpl= avail_telnet=0 sharedip6s= clamscan_cmd_global=1 avail_web=1 featurelimits=none virt=1 collect_notemp=0 reseller_theme=authentic-theme scriptlatest_enabled=1 backup_feature_web=1 ruby_suexec=-1 ip6enabled=1 mysql_collate=utf8mb4_general_ci sub_skel=/etc/ag/skel newsubdom_cc= done_fix_autoreplies=1 output_command=1 suexec=1 mysql_nopass=0 defip6= php5cgi=none bind_dmarcp=reject api_helper= php_ini_7.0= dns=1 bind_dmarcextra= php_ini_7.5= bw_period=30 init_template=141405782215856 longname=0 dns_prins=1 mysql_suffix=${ID}_ mem_low=256 backup_feature_unix=1 capabilities=none mail_quotas=/ jail_age=24 collect_fs= php_sock=1 ftpgroup= bind_spfincludes= trash_folder=Trash newdom_bcc=support@altagrade.com plan_auto=1 post_check=1 virtual_skel_nosubs= bind_indom=0 domain_template=default defrealdomslimit=* newdom_alias_bounce=0 sharedips= bind_dmarcrua= last_check=1658043409 collect_interval=5 mx_validate=1 php_ini_5.5= nodeniedssh=1 cert_type=sha2 bind_spf=yes spam_delivery=$HOME/Maildir/.spam/ aws_cmd=aws vpopmail_dir=/home/vpopmail batch_create=1 newupdate_to_mailbox=1 webmin_theme=* spam=2 max_timeout= 
newdom_subject=Account information for ${DOM} mail=2 fcgiwrap=0 dns_ttl= virus=2 dns_records=@ www avail_virtualmin-awstats=virtualmin-dav backup_feature_postgres=1 bind_mx= dnssec_single=0 home_quotas=/ webalizer=0 max_all=1 defugroup=none bind_cloud_proxy=0 bind_cloud_import=1 defaultdomain_name=none avail_xterm=0 EOT cat > /etc/webmin/virtual-server/last-config << 'EOT' avail_mail=1 stats_hdir= combined_tmpl= old_defip6=fe80::216:3eff:feca:7117 php_noedit=0 domalias= defnodbname=0 dns_ip= mail_system=0 clamscan_cmd=clamscan bw_ftplog_rotated=1 theme_alt= edit_quota=1 rs_endpoint=https://identity.api.rackspacecloud.com/v1.0 nopostfix_extra_user=0 iface_base= webmin=1 vpopmail_group=vchkpw disabled_web=${DISABLED_WHY} plugins_inactive=virtualmin-init virtualmin-dav virtualmin-registrar virtualmin-git virtualmin-sqlite virtualmin-slavedns maillog_hide=0 pre_command=/etc/ag/scripts/pre.sh dnssec_alg=RSASHA1 mysql_replicas= pbzip2=0 backup_feature_logrotate=1 avail_phpini=1 othergroups= backup_feature_webalizer=0 secmx_nodns=0 own_restore=1 newuser_to_mailbox=1 dir=3 virtual_skel=/etc/ag/skel remote_alias=1 first_version=6.00 groupsame=0 other_doms=0 mysql_chgrp=1 max_backups=3 show_sysinfo=1 logrotate_config= auto_letsencrypt=0 html_dir= statusemail= avail_mailboxes=0 edit_ftp=1 show_validation=2 alias_types=1,2,5,6,7,8,9,10,11,12,13 defforceunder=0 delete_logs=0 netmask6= quota_get_group_command= spam_lock=0 postfix_ssl=0 spam_trap_black=0 preload_mode=2 deftmpl_nousers= defipfollow= php_ini_5.4= gzip_mysql=1 show_nf=master allow_symlinks=0 contact_email= php_paths= php_ini_5.8= dnssec= other_users=0 display_max= backup_feature_mysql=1 vpopmail_maildir=mail avail_bind8=1 collect_restart=1 localgroup= default_procmail=1 from_addr= tlsa_records=0 jail_sects= web_sslport=443 tar_args= mysql_conns=none defuquota=1048576 mysql_size=huge mysql_mkdb=1 delete_indom=0 show_tabs=1 spamclear=days 30 clam_delivery=/dev/null mysql_user_size=16 avail_dns=1 status=0 
usermin_switch=1 statustimeout= avail_mysql=1 openssl_cnf= quota_set_user_command= tmpl_outlook_autoconfig=none stats_noedit=1 gacl_users= php_ini_5.2= hard_quotas=1 unix=3 spam_level= logrotate=3 bind_spfhosts= namedconf= post_command=/etc/ag/scripts/post.sh generics=0 update_template=default collect_noall=0 all_namevirtual=0 passwd_chars= ip_ranges6= name_max=20 avail_postgres=0 passwd_length= hashpass=0 newuser_aliases= avail_custom=1 backup_feature_dir=1 clamscan_cmd_tested=clamscan show_features=0 phpver=7.0 php_fpm= dns_view= key_size= webmin_ssl=0 ldap=0 mysql_nouser=0 php_ini_5.7= bw_maillog=auto web_urlport= php_ini_5.9= web_user=apache passwd_mode=1 docs_text= web_urlsslport= newdom_cc= defsafeunder= append_style=6 quota_set_group_command= newsubdom_bcc=info@altagrade.com dkim_enabled=0 logrotate_files= name_mode=0 template_auto=0 initsub_template=141405782215856 edit_homes=1 backup_rotated=0 defaliasdomslimit=* web_sslprotos= php7.2fcgi= iface=eth0 mem_cmd= disable=unix,mail,web,dns,mysql,postgres,ftp web_admindom= dns_check=1 backuplog_days=7 stats_pass=1 show_pass=1 ssh_args= php_ini_7.1= apache_config=ServerName ${DOM} ServerAlias www.${DOM} DocumentRoot ${HOME}/public_html ErrorLog /var/log/altagrade/${DOM}_error_log CustomLog /var/log/altagrade/${DOM}_access_log combined ScriptAlias /cgi-bin/ ${HOME}/cgi-bin/ DirectoryIndex index.html index.htm index.php index.php4 index.php5 Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch allow from all AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch allow from all AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch html_perms=0750 quota_get_user_command= statustmpl= quota_commands=0 avail_htaccess-htpasswd=1 limitnoalias=0 show_preview=2 php_ini_7.3= statusonly=0 defdomslimit= phpchildren= group_quotas=1 defmailboxlimit= defcapabilities=none proftpd_config=ServerName ${DOM} User ftp Group ftp UserAlias anonymous 
ftp DenyAll RequireValidShell off ExtendedLog ${HOME}/logs/ftp.log username_length= mail_skel= gacl_umode=1 theme_link= hide_alias=0 bind_spfall=2 edit_afiles=1 tmpl_autoconfig=none dns_ns= python_cmd= backup_feature_dns=1 ldap_mail=0 ldap_mailstore=$HOME/Maildir/ default_exclude=altagrade-backup sandbox defresources=none spam_client=spamassassin defaliaslimit= gacl_ugroups=${GROUP} theme_image= domains_group= virtual_skel_subs=0 dbgroup= index_cols=dom,uquota,phpv bccto=none backup_feature_ssl=1 backup_feature_mail=1 append=1 ldap_unix=1 avail_spam=1 ftp=0 ham_trap_white=0 max_manual=0 vpopmail_auto=/usr/local/bin/autorespond reseller_unix=0 php5.4fcgi=none bw_template=default ipfollow=0 backup_fmt=2 index_fcols= avail_syslog=1 statussslcert=1 avail_virtualmin-dav=0 postgres_encoding=none mysql_hosts= mysql_wild= denied_domains= bw_nomailout=0 namedconf_no_also_notify= delete_virts=0 old_defip=65.49.80.99 quotas=1 bind_dmarc=yes bccs=1 avail_change-user=0 sent_folder=Sent scriptdir=* reseller_modules= php_ini_5= webmin_modules= avail_webminlog=1 php5fcgi=none defmquota=512000 maillog_period=30 php_ini_4= postgres=0 homes_dir=usermails php_vars=+memory_limit=64M dependent_mail=0 home_format= nolink_certs=1 reseller_template=none rs_snet=0 newsubdom_subject=Account information for ${DOM} at AltaGrade dbfnorename=0 def_webalizer= check_apache=0 docs_link=https://www.altagrade.com/help leave_acl=0 web_ssi_suffix= spam_white=0 reseller_pre_command= collect_ifaces= webmin_group= defmongrelslimit=4 gacl_root=${HOME} show_uquotas=0 bind_config= spamtrap=none avail_passwd=0 from_reseller=0 aliascopy=1 avail_filemin=1 vpopmail_user=vpopmail alias_post_command= vpopmail_owner=0 gacl_groups=${GROUP} proxy_pass=0 php_ini_7.2= show_lastlogin=1 defbwlimit= bind_master= mysql_charset=utf8mb4 avail_file=0 subtmpl_nousers= move_command= quota_list_groups_command= vpopmail_md= local_template=none virt6=1 php_ini_5.3= ca_tmpl= can_letsencrypt=2 extra_prefix= dovecot_ssl=0 
avail_webalizer=0 backuplog_age= bw_backup=1 tar_cmd= check_ports=2 defdbslimit= bind_sub=yes php7.2cgi= web_ssi=2 no_lookup_domain_daemon=1 newdom_aliases=postmaster=${EMAILTO} webmaster=${EMAILTO} abuse=${EMAILTO} hostmaster=info@altagrade.com ftp_shell=/bin/false allow_modphp=0 defip= php7.0fcgi=none plugins=virtualmin-awstats virtualmin-htpasswd bind_dmarcpct=100 namedconf_no_allow_transfer= home_base=/home php7.0cgi=none alias_mode=1 drafts_folder=Drafts user_template=none backup_feature_all=1 ftp_dir= shell=/dev/null iface6= auto_redirect=0 show_ugroup=0 postgresql=1 jailkit_root=/home/chroot domains_sort=sub subdomain_template= defushell=none ssl=0 mysql_uconns=none php5.4cgi=none lookup_domain_serial=0 upload_tries=3 backup_feature_virtualmin=1 defujail=0 webalizer_nocron=1 mysql=1 key_tmpl= mysql_db=${ID}_${PREFIX} fcgid_max=9999 php_ini_5.6= quota_list_users_command= mailgroup= web_writelogs= web_webmaildom= backup_onebyone=1 disable_mail=0 web_admin=1 cert_tmpl= avail_updown=1 php_suexec=2 allow_subdoms=0 allow_upper=0 show_mailsize=1 defquota=1048576 home_backup=altagrade-backup avail_at=1 warnbw_template=default zip_args= hashtypes=* domalias_type=0 scriptwarn_url= stats_dir= web_port=8080 avail_cron=1 force_email=1 bw_notify=24 ip_ranges= bind_replace= usermin_ssl=0 apache_star=0 web_webmail=1 show_quotas=0 wizard_run=1 disabled_url= avail_shell=0 avail_proc=1 unix_shell=/bin/bash /bin/sh clamscan_host= compression=0 web=1 last_check_php_vers=5 5.4 7.3 bw_owner=1 reseller_post_command= alias_pre_command= logrotate_shared=yes defnorename= avail_telnet=0 everything_tmpl= sharedip6s= avail_web=1 clamscan_cmd_global=1 featurelimits=none collect_notemp=0 virt=1 reseller_theme=authentic-theme scriptlatest_enabled=1 backup_feature_web=1 ip6enabled=1 ruby_suexec=-1 output_command=1 newsubdom_cc= sub_skel=/etc/ag/skel mysql_collate=utf8mb4_general_ci suexec=1 mysql_nopass=0 defip6= api_helper= bind_dmarcp=reject php5cgi=none dns=1 php_ini_7.0= bw_period=30 
init_template=141405782215856 dns_prins=1 longname=0 mysql_suffix=${ID}_ mem_low=256 backup_feature_unix=1 capabilities=none jail_age=24 mail_quotas=/ collect_fs= trash_folder=Trash bind_spfincludes= ftpgroup= newdom_bcc=support@altagrade.com plan_auto=1 post_check=1 virtual_skel_nosubs= domain_template=default bind_indom=0 defrealdomslimit=* sharedips= newdom_alias_bounce=0 collect_interval=5 last_check=1658043409 mx_validate=1 php_ini_5.5= nodeniedssh=1 cert_type=sha2 aws_cmd=aws spam_delivery=$HOME/Maildir/.spam/ bind_spf=yes batch_create=1 vpopmail_dir=/home/vpopmail newupdate_to_mailbox=1 webmin_theme=* spam=2 max_timeout= mail=2 newdom_subject=Account information for ${DOM} virus=2 dns_ttl= dns_records=@ www avail_virtualmin-awstats=virtualmin-dav backup_feature_postgres=1 bind_mx= dnssec_single=0 webalizer=0 home_quotas=/ max_all=1 defugroup=none php7.3cgi=none php7.3fcgi=none pigz=0 show_mailuser=1 bind_dmarcruf= php_ini_7.4= php_ini_7.9= php_ini_7.8= apache_ssl_config= php_ini_7.7= php_ini_7.6= bind_dmarcextra= php_ini_7.5= bind_dmarcrua= php_fpm_port=8000 licence_script= done_fix_autoreplies=1 b2_cmd=b2 php_session_age=7 external_ip_cache=65.49.80.99 always_ssl=0 combined_cert=0 hide_pro_tips=0 php_sock=1 fcgiwrap=0 last_letsencrypt_mass_renewal=1658043311 jailkit_disabled=0 EOT cat > /etc/webmin/virtual-server/custom-fields << 'EOT' app:9:/etc/ag/custom-menus/app.menu:Application;Select the content-management system or web-application to install.::0 varnish:11:Yes:Varnish;Please do not select this when creating a website to make installation process smoother. Instead use this option when editing domain after it has already been installed.:1:0 memcache:11:Yes:Memcache;Please do not select this when creating a website to make installation process smoother. 
Instead use this option when editing domain after it has already been installed.:1:0 autoupdate:7:Yes:Autoupdate;Automatic Drupal Core Updates:1:0 ssl:9:/etc/ag/custom-menus/ssl.menu:SSL Certificate;AltaGrade is an HTTPS Everywhere platform, so you must choose one of the options for SSL certificates.::0 EOT cat > /etc/webmin/virtual-server/domain-template << 'EOT' The following website has been created successfully: +=============================================+ | Website Info | ${DOM} +=============================================+ | Username: ${USER} | Password: ${PASS} ${IF-WEB} | Website: http://www.${DOM} | HTML directory: ${PUBLIC_HTML_PATH} ${IF-MAIL} | SMTP server: mail.${DOM} | POP3 server: mail.${DOM} ${ENDIF-MAIL} ${IF-WEBALIZER} | Webalizer log reporting: Enabled ${ENDIF-WEBALIZER} ${ENDIF-WEB} ${IF-MYSQL} | MySQL database: ${DB} | MySQL login: ${MYSQL_USER} ${IF-MYSQL_PASS} | MySQL password: ${MYSQL_PASS} ${ELSE-MYSQL_PASS} | MySQL password: ${PASS} ${ENDIF-MYSQL_PASS} ${ENDIF-MYSQL} | Apache Solr Host: localhost | Apache Solr Port: 8983 | Apache Solr Path: /solr/${DOM} +=============================================+ +=============================================+ | Server Info | ${IP} +=============================================+ | Dedicated IP: ${IP} | SSH and SFTP Port: ${PORT} | Control Panel: http://admin.${DOM} | (or https://${IP}:10000 before propagation) +=============================================+ Please note of the following important details: - The above access information is not for your profile account at https://my.altagrade.com. You set your own username and password for your profile account during sign-up process. If you forgot your password to your profile account, then please just reset it on https://my.altagrade.com/user/password. 
- You can request this e-mail any time by logging in to your control panel, selecting the website's domain name in the drop-down list on the left menu and clicking on "Administration Options" > Re-Send Signup Email. - Find more detailed information please read our documentation portal at https://www.altagrade.com/help. - If you have any questions, comments, or concerns, feel free to create a support ticket at https://my.altagrade.com.EOT cat > /etc/webmin/virtual-server/subdomain-template << 'EOT' The following website has been created successfully: +===================================+ | Website Info | ${DOM} +===================================+ | Username: ${USER} | Password: ${PASS} ${IF-WEB} | Website: http://www.${DOM} ${IF-MAIL} | SMTP server: mail.${DOM} | POP3 server: mail.${DOM} ${ENDIF-MAIL} ${IF-WEBALIZER} | Webalizer log reporting: Enabled ${ENDIF-WEBALIZER} ${ENDIF-WEB} ${IF-MYSQL} | MySQL database: ${DB} | MySQL login: ${MYSQL_USER} ${IF-MYSQL_PASS} | MySQL password: ${MYSQL_PASS} ${ELSE-MYSQL_PASS} | MySQL password: ${PASS} ${ENDIF-MYSQL_PASS} ${ENDIF-MYSQL} | Apache Solr Host: localhost | Apache Solr Port: 8983 | Apache Solr Path: /solr/${DOM} +===================================+ +===================================+ | Server Info | ${IP} +===================================+ | Dedicated IP: ${IP} | SSH and SFTP Port: ${PORT} | Control Panel: http://admin.${DOM} (or https://${IP}:10000 before propagation) +===================================+ - The above access information is not for your profile account at https://my.altagrade.com. You set your own username and password for your profile account during sign-up process. If you forgot your password to your profile account, then please just reset it on https://my.altagrade.com/user/password. 
- You can request this e-mail any time by logging in to your control panel, selecting the website's domain name in the drop-down list on the left menu and clicking on "Administration Options" > Re-Send Signup Email. - Find more detailed information please read our documentation portal at https://www.altagrade.com/help. - If you have any questions, comments, or concerns, feel free to create a support ticket at https://my.altagrade.com.EOT cat > /etc/webmin/virtual-server/templates/1 << 'EOT' mail_cc= standard=1 mail_on= for_users=1 for_parent=0 mail_subject=Account information for ${DOM} at AltaGrade owners=* skel=/etc/ag/skel id=1 mail=The following website has been created successfully: +===================================+ | Website Info | ${DOM} +===================================+ | Username: ${USER} | Password: ${PASS} ${IF-WEB} | Website: http://www.${DOM} ${IF-MAIL} | SMTP server: mail.${DOM} | POP3 server: mail.${DOM} ${ENDIF-MAIL} ${IF-WEBALIZER} | Webalizer log reporting: Enabled ${ENDIF-WEBALIZER} ${ENDIF-WEB} ${IF-MYSQL} | MySQL database: ${DB} | MySQL login: ${MYSQL_USER} ${IF-MYSQL_PASS} | MySQL password: ${MYSQL_PASS} ${ELSE-MYSQL_PASS} | MySQL password: ${PASS} ${ENDIF-MYSQL_PASS} ${ENDIF-MYSQL} | Apache Solr Host: localhost | Apache Solr Port: 8983 | Apache Solr Path: /solr/${DOM} +===================================+ +===================================+ | Server Info | ${IP} +===================================+ | Dedicated IP: ${IP} | SSH and SFTP Port: ${PORT} | Control Panel: http://admin.${DOM} (or https://${IP}:10000 before propagation) +===================================+ - The above access information is not for your profile account at https://my.altagrade.com. You set your own username and password for your profile account during sign-up process. If you forgot your password to your profile account, then please just reset it on https://my.altagrade.com/user/password. 
- You can request this e-mail any time by logging in to your control panel, selecting the website's domain name in the drop-down list on the left menu and clicking on "Administration Options" > Re-Send Signup Email. - Find more detailed information please read our documentation portal at https://www.altagrade.com/help. - If you have any questions, comments, or concerns, feel free to create a support ticket at https://my.altagrade.com. for_sub=1 mail_bcc=info@altagrade.com for_alias=0 resellers=* name=Settings For Sub-Domains created=1504169392 dns= mysql_charset= dns_spf= file=/etc/webmin/virtual-server/templates/1 mysql_suffix=${ID}_${PREFIX}_ mysql_conns= dns_dmarcp= mysql_mkdb= dns_master= mysql_nouser= dns_dmarc= dns_spfall= dnssec_alg=RSASHA1 dns_spfhosts= dns_dmarcpct= dns_sub= mysql_chgrp= dns_spfincludes= mysql_uconns= namedconf= mysql_collate= dns_mx= mysql=${ID}_${PREFIX} mysql_nopass= mysql_hosts= dnssec_single=0 dnssec= mailgroup= user_aliases= ftpgroup= defmquota= append_style= othergroups= dbgroup= bccto= aliascopy= dom_aliases= skel_subs=0 skel_nosubs= skel_onlysubs= exclude=altagrade-backup sandbox dns_dmarcruf= dns_indom=0 dns_dmarcrua= php_fpm=none web_phpver= web_php_ini_5.4= web_php_suexec=2 web_php_ini_5= web_php_noedit=0 web_php_ini_7.3= web_phpchildren= EOT cat > /etc/webmin/virtual-server/plans/0 << 'EOT' quota= quota= bwlimit= norename=0 file=/etc/webmin/virtual-server/plans/0 uquota= nodbname=1 realdomslimit= migrate=0 aliaslimit= domslimit= capabilities= ipfollow= id=0 featurelimits= mailboxlimit= name=Unlimited Plan dbslimit= aliasdomslimit= forceunder=0 scripts= safeunder=0 EOT cat > /etc/webmin/webmin.descs << 'EOT' bandwidth=Traffic Monitoring webmin=Host Manager Configuration servers=Host Manager Servers webminlog=Host Manager Log acl=Host Manager Users virtualmin-registrar=Site Manager Domain Registration virtualmin-dav=Site Manager DAV virtualmin-init=Site Manager Bootup Actions virtualmin-git=Site Manager Git 
virtualmin-htpasswd=Site Manager Protected Directories virtualmin-sqlite=Site Manager SQLite virtual-server=Site Manager Domains usermin=User Manager Configuration custom=AltaGrade Commands EOT cat > /etc/webmin/webmin.catnames << 'EOT' =AltaGrade EOT echo "Done..." echo "==================================================================================" echo "==================================================================================" echo "Installing additional PHP packages, memcached, configuring uploadprogress..." echo "==================================================================================" echo "Installing additional PHP packages, memcached, configuring uploadprogress .." yum -y install php-soap php-devel php-pear php-gd php-mbstring php-mcrypt pecl channel-update pecl.php.net pecl install uploadprogress echo extension=uploadprogress.so >> /etc/php.d/uploadprogress.ini yum -y install memcached yum -y install php-pecl-memcache rm -f /etc/sysconfig/memcached cat <<'EOT' >> /etc/sysconfig/memcached PORT="11211" USER="memcached" MAXCONN="1024" CACHESIZE="1024" OPTIONS="-l 127.0.0.1" EOT systemctl enable memcached systemctl start memcached sed -ie 's/upload_max_filesize = 2M/upload_max_filesize = 20M/' /etc/php.ini sed -ie 's/post_max_size = 8M/post_max_size = 16M/' /etc/php.ini sed -ie 's/max_execution_time = 30/max_execution_time = 600/' /etc/php.ini sed -ie 's/max_input_time = 60/max_input_time = 600/' /etc/php.ini sed -ie 's/memory_limit = 128M/memory_limit = 1280M/' /etc/php.ini yum -y install scl-utils rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm rpm -Uvhl http://rpms.remirepo.net/enterprise/remi-release-7.rpm yum -y install php73 php73-php-mysqlnd php73-php-curl php73-php-simplexml php73-php-devel php73-php-gd php73-php-json php73-php-mcrypt php73-php-mbstring php73-php-opcache php73-php-pear php73-php-pecl-apcu php73-php-pecl-geoip php73-php-pecl-imagick php73-php-pecl-json-post php73-php-pecl-memcache 
php73-php-pecl-zip php73-php-pspell php73-php-soap php73-php-xml php73-php-xmlrpc php73-php-pecl-uploadprogress php73-php-imap php73-php-pecl-xmldiff php73-php-bcmath source /opt/remi/php73/enable yum -y install php73-php-tidy pear channel-update pear.php.net pear install Cache_Lite sed -ie 's/upload_max_filesize = 2M/upload_max_filesize = 20M/' /etc/opt/remi/php73/php.ini sed -ie 's/post_max_size = 8M/post_max_size = 16M/' /etc/opt/remi/php73/php.ini sed -ie 's/max_execution_time = 30/max_execution_time = 600/' /etc/opt/remi/php73/php.ini sed -ie 's/max_input_time = 60/max_input_time = 600/' /etc/opt/remi/php73/php.ini sed -ie 's/memory_limit = 128M/memory_limit = 1280M/' /etc/opt/remi/php73/php.ini yum -y install php74 php74-php-mysqlnd php74-php-curl php74-php-simplexml php74-php-devel php74-php-gd php74-php-json php74-php-mcrypt php74-php-mbstring php74-php-opcache php74-php-pear php74-php-pecl-apcu php74-php-pecl-geoip php74-php-pecl-imagick php74-php-pecl-json-post php74-php-pecl-memcache php74-php-pecl-zip php74-php-pspell php74-php-soap php74-php-xml php74-php-xmlrpc php74-php-pecl-uploadprogress php74-php-imap php74-php-pecl-xmldiff php74-php-bcmath source /opt/remi/php74/enable yum -y install php74-php-tidy pear channel-update pear.php.net pear install Cache_Lite sed -ie 's/upload_max_filesize = 2M/upload_max_filesize = 20M/' /etc/opt/remi/php74/php.ini sed -ie 's/post_max_size = 8M/post_max_size = 16M/' /etc/opt/remi/php74/php.ini sed -ie 's/max_execution_time = 30/max_execution_time = 600/' /etc/opt/remi/php74/php.ini sed -ie 's/max_input_time = 60/max_input_time = 600/' /etc/opt/remi/php74/php.ini sed -ie 's/memory_limit = 128M/memory_limit = 1280M/' /etc/opt/remi/php74/php.ini yum -y install php81 php81-php-mysqlnd php81-php-curl php81-php-simplexml php81-php-devel php81-php-gd php81-php-json php81-php-mcrypt php81-php-mbstring php81-php-opcache php81-php-pear php81-php-pecl-apcu php81-php-pecl-geoip php81-php-pecl-imagick php81-php-pecl-json-post 
php81-php-pecl-memcache php81-php-pecl-zip php81-php-pspell php81-php-soap php81-php-xml php81-php-xmlrpc php81-php-pecl-uploadprogress php81-php-imap php81-php-pecl-xmldiff php81-php-bcmath source /opt/remi/php81/enable yum -y install php81-php-tidy pear channel-update pear.php.net pear install Cache_Lite sed -ie 's/upload_max_filesize = 2M/upload_max_filesize = 20M/' /etc/opt/remi/php81/php.ini sed -ie 's/post_max_size = 8M/post_max_size = 16M/' /etc/opt/remi/php81/php.ini sed -ie 's/max_execution_time = 30/max_execution_time = 600/' /etc/opt/remi/php81/php.ini sed -ie 's/max_input_time = 60/max_input_time = 600/' /etc/opt/remi/php81/php.ini sed -ie 's/memory_limit = 128M/memory_limit = 1280M/' /etc/opt/remi/php81/php.ini echo ".. done" echo "Done..." echo "==================================================================================" echo "==================================================================================" echo "Configuring Apache..." echo "==================================================================================" echo "Configuring Apache" sed -ie '/SSLProtocol/c\SSLProtocol All -SSLv2 -SSLv3' /etc/httpd/conf/httpd.conf sed -ie '/SSLCipherSuite/c\SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"' /etc/httpd/conf/httpd.conf sed -ie '/SSLCipherSuite/i\SSLHonorCipherOrder on' /etc/httpd/conf/httpd.conf # per https://support.plesk.com/hc/en-us/articles/213399589-Websites-are-slow-and-a-warning-appears-in-logs-mod-fcgid-ap-pass-brigade-failed echo 'FcgidMaxRequestsPerProcess 500' >> /etc/httpd/conf.d/fcgid.conf echo 'FcgidOutputBufferSize 0' >> /etc/httpd/conf.d/fcgid.conf sed -ie 's|LoadModule|#LoadModule|' /etc/httpd/conf.modules.d/00-dav.conf sed -ie 's|LoadModule|#LoadModule|' /etc/httpd/conf.modules.d/10-php.conf # Maybe we can turn the below ones off. 
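# Finish the Apache proxy module selection, then secure MariaDB and install
# the utf8mb4 /etc/my.cnf.
#
# Proxy modules: the expressions run in order on every line. The first one
# comments out every "LoadModule proxy*" line, the next two re-enable only
# proxy_module and proxy_fcgi_module, and the last one disables
# lbmethod_heartbeat.
# "-i -e" replaces the original "-ie", which GNU sed reads as "-i" with backup
# suffix "e" and therefore leaves a stray 00-proxy.confe next to the real file.
sed -i \
  -e 's/LoadModule proxy/#LoadModule proxy/' \
  -e 's@#LoadModule proxy_module@LoadModule proxy_module@g' \
  -e 's@#LoadModule proxy_fcgi_module@LoadModule proxy_fcgi_module@g' \
  -e 's@LoadModule lbmethod_heartbeat@#LoadModule lbmethod_heartbeat@g' \
  /etc/httpd/conf.modules.d/00-proxy.conf
echo ".. done"
echo "Done..."
echo "=================================================================================="

echo "=================================================================================="
echo "Configuring MariaDB settings..."
echo "=================================================================================="
echo "Configuring MariaDB settings .."

# Setting the database root password
yum install -y expect

# The password comes from the kernel CSPRNG. The previous derivation hashed
# `date +%s`, so the whole secret was a function of the install time and could
# be recomputed by anyone able to estimate when the server was provisioned.
# It is restricted to [A-Za-z0-9] so it cannot be misread by the sed "c\"
# command or by Tcl string substitution further down.
MYSQL_ROOT_PASSWORD=$(head -c 48 /dev/urandom | base64 | tr -dc 'A-Za-z0-9' | head -c 16)
if [ "${#MYSQL_ROOT_PASSWORD}" -ne 16 ]; then
  # Fail closed: continuing would set an empty or short root password.
  echo "Could not generate a MariaDB root password; aborting." >&2
  exit 1
fi

# Both passwords reach expect through its environment ($env(...)) rather than
# being interpolated into the -c argument, so they do not appear in the process
# list while mysql_secure_installation is running.
# CURRENT_MYSQL_PASSWORD is not assigned in the visible part of this script;
# when unset it expands to empty and the first prompt is answered with a bare
# Enter ("enter for none").
# "set timeout 3": if a prompt does not show up within 3 seconds, expect gives
# up waiting and the script moves on to the next send.
SECURE_MYSQL=$(
  MYSQL_ROOT_PASSWORD="$MYSQL_ROOT_PASSWORD" \
  CURRENT_MYSQL_PASSWORD="${CURRENT_MYSQL_PASSWORD:-}" \
  expect -c '
set timeout 3
spawn mysql_secure_installation
expect "Enter current password for root (enter for none):"
send "$env(CURRENT_MYSQL_PASSWORD)\r"
expect "Set root password?"
send "y\r"
expect "New password:"
send "$env(MYSQL_ROOT_PASSWORD)\r"
expect "Re-enter new password:"
send "$env(MYSQL_ROOT_PASSWORD)\r"
expect "Remove anonymous users?"
send "y\r"
expect "Disallow root login remotely?"
send "y\r"
expect "Remove test database and access to it?"
send "y\r"
expect "Reload privilege tables now?"
send "y\r"
expect eof
'
)
# Transcript of the session, printed for the operator.
# NOTE(review): confirm the transcript never contains the password before
# this output is captured into an install log.
echo "$SECURE_MYSQL"
yum remove -y expect

# Record the new root password where the Webmin MySQL module reads it.
# NOTE(review): the sed call still carries the password in its argument list
# for the instant it runs.
if grep -q pass= /etc/webmin/mysql/config; then
  sed -i "/pass=/c\pass=$MYSQL_ROOT_PASSWORD" /etc/webmin/mysql/config
else
  printf 'pass=%s\n' "$MYSQL_ROOT_PASSWORD" >> /etc/webmin/mysql/config
fi
# The file now holds the database root credential in clear text.
chmod 600 /etc/webmin/mysql/config

# Replace /etc/my.cnf only when it has not been switched to utf8mb4 yet.
# The file is removed first so a fresh one is created instead of writing
# through whatever was there before.
# NOTE(review): skip-networking stays commented out and no bind-address is set,
# so the listening address is left at the server default; verify that the
# firewall rules restrict the MariaDB port as intended.
if ! grep -Fq "default-character-set = utf8mb4" /etc/my.cnf; then
  rm -f /etc/my.cnf
  cat > /etc/my.cnf << 'EOF'
[client]
default-character-set = utf8mb4
[mysql]
default-character-set = utf8mb4
[mysqld]
character-set-client-handshake = FALSE
character-set-server = utf8mb4
collation-server = utf8mb4_unicode_ci
#skip-networking
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
symbolic-links=0
slow_query_log = 1
slow_query_log_file = /var/log/mariadb/slow.log
query_cache_size = 128M
query_cache_limit = 16M
thread_cache_size = 8
myisam_sort_buffer_size = 64M
read_rnd_buffer_size = 8M
read_buffer_size = 2M
sort_buffer_size = 2M
table_cache = 512
max_allowed_packet=1024M
key_buffer = 384M
wait_timeout=600
max_connections = 600
tmp_table_size = 256M
max_heap_table_size = 256M
innodb_large_prefix=true
innodb_file_format=barracuda
innodb_file_per_table = true
innodb_additional_mem_pool_size = 16M
innodb_flush_log_at_trx_commit = 0
innodb_log_buffer_size = 8M
innodb_buffer_pool_size = 1G
innodb_thread_concurrency = 16
innodb_lock_wait_timeout = 120
innodb_data_file_path = ibdata1:10M:autoextend
innodb_file_io_threads = 4
innodb_max_dirty_pages_pct = 90
[mysqld_safe]
log-error=/var/log/mariadb/mariadb.log
pid-file=/var/run/mariadb/mariadb.pid
!includedir /etc/my.cnf.d
EOF
  echo ".. done"
fi
echo "Done..."
echo "=================================================================================="

echo "=================================================================================="
echo "Installing drush and wp-cli..."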
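# Installing drush
# NOTE(review): both phar files below are downloaded and installed system-wide
# as root without any checksum or signature verification, and the wp-cli URL is
# not pinned to a release. Verify them against a digest published by the
# projects before installing.
if wget https://github.com/drush-ops/drush/releases/download/8.1.16/drush.phar; then
  php drush.phar core-status
  chmod +x drush.phar
  mv drush.phar /usr/local/bin/drush
  drush -y init
else
  echo "Downloading drush failed; drush was not installed" >&2
fi

# Fixing https://github.com/drush-ops/drush/issues/2065
# NOTE(review): the "c" command replaces every line that mentions
# disable_functions, so any longer list already present in these files is
# reduced to pcntl_exec alone.
sed -i '/disable_functions/c\disable_functions = pcntl_exec' /etc/php.ini
sed -i '/disable_functions/c\disable_functions = pcntl_exec' /etc/opt/remi/php70/php.ini

# Installing wp-cli
# -f makes curl fail on an HTTP error instead of saving the error page, which
# would otherwise be installed as /usr/local/bin/wp.
if curl -fO https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar; then
  chmod +x wp-cli.phar
  mv wp-cli.phar /usr/local/bin/wp
else
  echo "Downloading wp-cli failed; wp-cli was not installed" >&2
fi
#if [ ! -d /etc/ag ]; then
# mkdir /etc/ag
#fi
#mkdir /etc/ag/wp
#cd /etc/ag/wp
#wget https://raw.githubusercontent.com/wp-cli/wp-cli/v1.5.1/utils/wp-completion.bash
#chmod 755 wp-completion.bash
#echo "source /etc/ag/wp/wp-completion.bash" >> /etc/profile.d/globaliases.sh
echo "Done..."
echo "=================================================================================="

echo "=================================================================================="
echo "Configuring automatic core updates for Drupal websites..."

# Generate the per-domain Drupal core updater. The heredoc delimiter is quoted,
# so nothing below is expanded at install time.
cat > /etc/ag/scripts/update-drupal << 'EOT'
#!/bin/bash
# Walks every enabled Virtualmin domain whose custom "Autoupdate" field is Yes,
# updates Drupal core with drush and mails the log to the domain owner.
#
# NOTE(review): this script restarts mariadb and chowns the docroot, so it
# evidently runs as root, and it invokes drush inside each domain's
# public_html. drush loads the PHP code of the site it runs in, so code owned
# by the site user ends up running with root privileges. Consider running the
# drush steps as the domain user ($user) instead.
export PATH="/usr/local/bin:$PATH"

# Enable the newest Remi PHP collection that is installed.
for php_env in /opt/remi/php74/enable /opt/remi/php73/enable /opt/remi/php72/enable; do
  if [ -f "$php_env" ]; then
    source "$php_env"
    break
  fi
done

rule="***********************************************************************************************"

doms=$(virtualmin list-domains --name-only)
for dom in $doms; do
  # Check if domain is disabled
  partial="$(echo "$dom" | cut -c1-30)"
  disabled="$(virtualmin list-domains --domain "$dom" --disabled | grep -F -- "$partial")"

  # Leave disabled domains out of process
  if [ -n "$disabled" ]; then
    echo "$dom is disabled, so skipping"
    echo "$rule"
    continue
  fi

  path=$(virtualmin list-domains --domain "$dom" --home-only)
  echo "$rule"
  echo " Working in $path..."

  # Let's check if domain is set to Yes and skip otherwise
  drupal_auto_update="$(virtualmin list-custom --domain "$dom" | grep Autoupdate)"
  if [[ $drupal_auto_update != *"Yes"* ]]; then
    echo "Autoupdate for $dom is set to No, so skipping..."
    echo "$rule"
    continue
  fi

  drupal=''
  [ -d "$path/public_html" ] || continue
  cd "$path/public_html" || continue

  version=$(drush status | grep 'Drupal version')
  if [[ $version = *8.* ]]; then
    drupal='8'
  elif [[ $version = *7.* ]]; then
    drupal='7'
  elif [[ $version = *6.* ]]; then
    drupal='6'
  fi

  if [ -z "$drupal" ]; then
    echo "$rule"
    echo "It is not bootstrapping, so probably this is not a Drupal site. Skipping..."
    continue
  fi

  user=$(virtualmin list-domains --domain "$dom" --user-only)
  drush cc all >> /dev/null 2>&1
  drush cr >> /dev/null 2>&1
  status=$(drush ups drupal 2> /dev/null | grep 'Update available\|SECURITY UPDATE available')
  if [ -z "$status" ]; then
    echo "The latest version for $dom is already installed."
    echo "$rule"
    continue
  fi

  # The mail body is collected in a private temporary file. A fixed name such
  # as /tmp/log.txt can be pre-created (for example as a symlink) by any local
  # account, and this script would then append to and delete that path.
  log=$(mktemp /tmp/update-drupal.XXXXXX) || continue
  {
    echo "*** This is an automatically generated email, please do not reply ***"
    echo " "
    echo "The $dom has been updated to the latest secure Drupal core."
    echo " "
    echo "Here is the log:"
    echo " "
    echo "$rule"
    echo "Working in $path/public_html ..."
    echo "Drupal $drupal is detected."
    echo "Update is available for $dom. Backing up the website's files and database ..."
  } >> "$log"
  drush -q sql-query "DELETE FROM cache_form"
  systemctl restart mariadb
  drush ard default --tar-options="--exclude=.git"

  echo "Securing the .htaccess and robots.txt files ..." >> "$log"
  mkdir -p ../keep
  mv .htaccess robots.txt -t ../keep

  echo "Upgrading the website ..." >> "$log"
  # Redirect stdout first, then stderr: "2>&1 >> file" leaves stderr out of the log.
  drush -y en update >> "$log" 2>&1
  drush -y -q up drupal --no-backup
  find . -type f -name .htaccess -exec sed -i "s/FollowSymLinks/SymLinksIfOwnerMatch/g" {} \; &&
    find . -type f -name file.inc -exec sed -i "s/FollowSymLinks/SymLinksIfOwnerMatch/g" {} \;
  mv -f ../keep/.htaccess .
  mv -f ../keep/robots.txt .
  rm -rf ../keep
  chown -R "$user:$user" ../public_html
  drush -y updb >> "$log" 2>&1
  {
    echo "$dom has been updated to the latest Drupal core."
    echo "$rule"
    echo " "
    echo "*** This is an automatically generated email, please do not reply ***"
  } >> "$log"

  # Now let's find parent domain until https://www.virtualmin.com/node/53104 is resolved
  parent=${dom#*.}
  virtualmin notify-domains --domain "$parent" --body-file "$log" --subject "Your website $dom has been updated" --from noreply@altagrade.com
  rm -f "$log"
done
echo "$rule"
echo "Drupal core updates are complete."
echo "$rule"
exit
EOT
chmod 755 /etc/ag/scripts/update-drupal
# -f/-n: replace an existing link instead of failing when the installer is re-run.
ln -sfn /etc/ag/scripts/update-drupal /usr/local/sbin/update-drupal
echo "Done..."
echo "=================================================================================="

echo "=================================================================================="
echo "Configuring Let's Encrypt per https://certbot.eff.org/lets-encrypt/centosrhel7-apache..."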
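yum -y install certbot

# Install script to auto-replace the ssl_le.pem files for domains
# (-p: do not fail when certbot has already created the hook directories)
mkdir -p /etc/letsencrypt/renewal-hooks/deploy
cat > /etc/letsencrypt/renewal-hooks/deploy/replace_pems.sh << 'EOF'
#!/bin/sh
# Re-create the ssl_le.pem files for Pound
# ssl_le.pem holds the private key next to the certificate chain, so it is
# created, and kept, readable by its owner only.
umask 077
for domain in $RENEWED_DOMAINS; do
  cat "$RENEWED_LINEAGE/privkey.pem" "$RENEWED_LINEAGE/fullchain.pem" > "$RENEWED_LINEAGE/ssl_le.pem"
  chmod 600 "$RENEWED_LINEAGE/ssl_le.pem"
done
exit
EOF
chmod 755 /etc/letsencrypt/renewal-hooks/deploy/replace_pems.sh

# Install cron-tab to trigger auto-renew
# The existing crontab (if any) and the new entry are merged and de-duplicated
# as a whole. In the former "(crontab -l && echo ... | sort | uniq)" form the
# pipe applied to the echo only, and nothing was installed when root had no
# crontab yet because "crontab -l" failed first.
cron_line="0 0,12 * * 7 python -c 'import random; import time; time.sleep(random.random() * 3600)' && /etc/ag/scripts/renew-certs"
{
  crontab -l 2>/dev/null
  echo "$cron_line"
} | awk '!seen[$0]++' | crontab -
echo "Done..."
echo "=================================================================================="

echo "=================================================================================="
echo "Installing and configuring Pound..."
# Stop Apache's ssl.conf from opening its own listener.
sed -i '/Listen/c\#Listen' /etc/httpd/conf.d/ssl.conf
yum -y install Pound && systemctl enable pound && systemctl start pound
mv /etc/pound.cfg /etc/pound.cfg.orig

# Pound listens on port 80 and forwards everything, including ACME challenges,
# to port 8888 on the same address. The heredoc is unquoted on purpose so that
# ${IP} is filled in at install time.
cat > /etc/pound.cfg << EOF
ListenHTTP
  Address ${IP}
  Port 80
  Service
    URL "/.well-known/acme-challenge/.*"
    BackEnd
      Address ${IP}
      Port 8888
    End
  End
End
Service
  BackEnd
    Address ${IP}
    Port 8888
  End
End
EOF
echo "Done..."
echo "=================================================================================="

echo "=================================================================================="
echo "Installing and configuring Varnish..."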
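# Throughout this section "sed -i -e" replaces "sed -ie": the latter means
# "-i with backup suffix e" and scattered *.confe / *.apfe / *.bfde copies of
# every edited configuration file.
yum -y install varnish && systemctl enable varnish && systemctl start varnish
sed -i -e 's/VARNISH_LISTEN_PORT=6081/VARNISH_LISTEN_PORT=8888/' /etc/varnish/varnish.params
echo 'DAEMON_OPTS="-p default_ttl=2419200"' >> /etc/varnish/varnish.params

# Configure Apache for Varnish
sed -i -e 's/Listen 80/Listen 8080/' /etc/httpd/conf/httpd.conf
echo 'RemoteIPHeader X-Forwarded-For' >> /etc/httpd/conf/httpd.conf
echo "RemoteIPInternalProxy $IP" >> /etc/httpd/conf/httpd.conf
sed -i -e 's/%h/%a/' /etc/httpd/conf/httpd.conf

# The backend address written here is a template value; the "Clean up the
# Webmin config files" step at the end of this script rewrites 65.49.80.99
# under /etc to the detected $IP.
cat > /etc/varnish/default.vcl << 'EOT'
vcl 4.0;

backend default {
  .host = "65.49.80.99";
  .port = "8080";
}

acl purge {
  "localhost";
  "127.0.0.1";
}

sub vcl_deliver {
  # If proxying via cloudflare, then send 520 responses in place of 500/503
  if ((resp.status == 500 || resp.status == 503) && req.http.cf-connecting-ip) {
    set resp.status = 520;
  }
}

sub vcl_recv {
  # if (req.http.host == "demo.altagrade.com") {
  #   if (req.url !~ "^/user") {
  #     unset req.http.cookie;
  #   }
  # }
  # if (req.http.Host == "sub.domain.com" || req.http.Host == "db.domain.net" ) {
  #   return (pass);
  # }

  if (req.url == "/check-altagrade-varnish") {
    return(synth(200, "Varnish up"));
  }

  # Check the incoming request type is "PURGE", not "GET" or "POST".
  if (req.method == "PURGE") {
    # Check if the IP is allowed.
    if (!client.ip ~ purge) {
      # Return error code 405 (Forbidden) when not.
      return (synth(405, "Not allowed."));
    }
    return (purge);
  }

  # Do not cache these paths.
  if (req.url ~ "^/status\.php$" ||
      req.url ~ "^/update\.php" ||
      req.url ~ "^/install\.php" ||
      req.url ~ "^/apc\.php$" ||
      req.url ~ "^/admin" ||
      req.url ~ "^/admin/.*$" ||
      req.url ~ "^/user" ||
      req.url ~ "^/user/.*$" ||
      req.url ~ "^/users/.*$" ||
      req.url ~ "^/info/.*$" ||
      req.url ~ "^/flag/.*$" ||
      req.url ~ "^.*/ajax/.*$" ||
      req.url ~ "^.*/ahah/.*$" ||
      req.url ~ "^/system/files/.*$") {
    return (pass);
  }

  # Always cache the following file types for all users. This list of extensions
  # appears twice, once here and again in vcl_backend_response so make sure you edit both
  # and keep them equal.
  if (req.url ~ "(?i)\.(pdf|asc|dat|txt|doc|xls|ppt|tgz|csv|png|gif|jpeg|jpg|ico|swf|css|js)(\?.*)?$") {
    unset req.http.Cookie;
  }

  # Remove all cookies that Drupal doesn't need to know about. We explicitly
  # list the ones that Drupal does need, the SESS and NO_CACHE. If, after
  # running this code we find that either of these two cookies remains, we
  # will pass as the page cannot be cached.
  if (req.http.Cookie) {
    # 1. Append a semi-colon to the front of the cookie string.
    # 2. Remove all spaces that appear after semi-colons.
    # 3. Match the cookies we want to keep, adding the space we removed
    #    previously back. (\1) is first matching group in the regsuball.
    # 4. Remove all other cookies, identifying them by the fact that they have
    #    no space after the preceding semi-colon.
    # 5. Remove all spaces and semi-colons from the beginning and end of the
    #    cookie string.
    set req.http.Cookie = ";" + req.http.Cookie;
    set req.http.Cookie = regsuball(req.http.Cookie, "; +", ";");
    set req.http.Cookie = regsuball(req.http.Cookie, ";(SESS[a-z0-9]+|SSESS[a-z0-9]+|NO_CACHE)=", "; \1=");
    set req.http.Cookie = regsuball(req.http.Cookie, ";[^ ][^;]*", "");
    set req.http.Cookie = regsuball(req.http.Cookie, "^[; ]+|[; ]+$", "");

    if (req.http.Cookie == "") {
      # If there are no remaining cookies, remove the cookie header. If there
      # aren't any cookie headers, Varnish's default behavior will be to cache
      # the page.
      unset req.http.Cookie;
    }
    else {
      # If there is any cookies left (a session or NO_CACHE cookie), do not
      # cache the page. Pass it on to Apache directly.
      return (pass);
    }
  }
}
EOT
echo "Done..."
echo "=================================================================================="

echo "=================================================================================="
echo "Installing APF, BFD and Maldet..."

# NOTE(review), applies to APF, BFD and Maldet below: each "-current" tarball is
# unpinned and its install.sh runs as root without any integrity check. The
# downloads now use HTTPS instead of plain HTTP, and the installer only runs
# when download, extraction and "cd" into the unpacked directory all succeeded;
# pinning a release and verifying a published checksum would be stronger.
if [ ! -d /etc/apf ]; then
  echo "=================================================================================="
  echo "Installing APF .."
  # per https://superuser.com/questions/1083882/block-port-111-on-centos-7
  systemctl stop rpcbind.socket && systemctl disable rpcbind.socket
  systemctl mask fail2ban && systemctl stop fail2ban
  systemctl mask firewalld && systemctl stop firewalld
  systemctl enable iptables && systemctl start iptables
  cd /usr/src
  if wget https://www.rfxn.com/downloads/apf-current.tar.gz &&
    tar xzf apf-current.tar.gz &&
    rm -f apf-current.tar.gz &&
    cd apf*; then
    ./install.sh
    chkconfig apf on
    sed -i -e "s/eth0/$IFACE/" /etc/apf/conf.apf
    sed -i -e 's/DEVEL_MODE="1"/DEVEL_MODE="0"/' /etc/apf/conf.apf
    sed -i -e 's/SET_MONOKERN="0"/SET_MONOKERN="1"/' /etc/apf/conf.apf
    sed -i -e 's/ICMP_LIM="30\/s"/ICMP_LIM="100\/s"/' /etc/apf/conf.apf
    sed -i -e 's/DLIST_PHP="0"/DLIST_PHP="1"/' /etc/apf/conf.apf
    sed -i -e 's/DLIST_SPAMHAUS="0"/DLIST_SPAMHAUS="1"/' /etc/apf/conf.apf
    sed -i -e 's/DLIST_DSHIELD="0"/DLIST_DSHIELD="1"/' /etc/apf/conf.apf
    sed -i -e 's/IG_TCP_CPORTS=/#IG_TCP_CPORTS=/' /etc/apf/conf.apf
    sed -i -e 's/IG_UDP_CPORTS=/#IG_UDP_CPORTS=/' /etc/apf/conf.apf
    # Inbound ports opened to the world.
    # NOTE(review): the TCP list includes 8080 (Apache behind Varnish) and 8888
    # (Varnish behind Pound), so both back ends can be reached directly from
    # outside, as can 8983 and 5900_5910. Confirm each of these needs to be
    # public.
    sed -i '2s/^/IG_UDP_CPORTS="53,123,465,587,953,2525,6277,1043,6081,6082,8983"\n/' /etc/apf/conf.apf
    sed -i "2s/^/IG_TCP_CPORTS=\"53,80,110,143,443,465,587,953,993,995,1043,2525,5900_5910,8079,8080,8888,8983,10000_10010,20000,${PORT}\"\n/" /etc/apf/conf.apf
    apf -r
    # NOTE(review): permanently allow-lists a vendor address in the firewall.
    /usr/local/sbin/apf -a 65.49.80.104 "Do not remove this IP address. It belongs to AltaGrade."
  else
    echo "APF download or extraction failed; APF was not installed" >&2
  fi
  echo ".. done"
fi

if [ ! -d /usr/local/bfd ]; then
  echo "=================================================================================="
  echo "Installing and configuring Brute Force Detection .."
  cd /usr/src
  if wget https://www.rfxn.com/downloads/bfd-current.tar.gz &&
    tar xzf bfd-current.tar.gz &&
    rm -f bfd-current.tar.gz* &&
    cd bfd-1.5*; then
    ./install.sh
    sed -i -e 's/TRIG="15"/TRIG="5"/' /usr/local/bfd/conf.bfd
    sed -i -e 's/EMAIL_ALERTS="0"/EMAIL_ALERTS="1"/' /usr/local/bfd/conf.bfd
    sed -i -e 's/EMAIL_ADDRESS="root"/EMAIL_ADDRESS="security"/' /usr/local/bfd/conf.bfd

    # Replace the stock alert template. It is written in one piece with a
    # quoted delimiter so that the $VARIABLES stay literal for BFD to expand.
    # The 'cat <<EOF' line is restored here: in this copy of the script it had
    # been mangled to 'cat <>', which also swallowed the closing quote.
    rm -f /usr/local/bfd/alert.bfd
    cat > /usr/local/bfd/alert.bfd << 'ALERT_TEMPLATE'
EB=0
if [ "$EMAIL_LOGLINES" == "" ]; then
 EMAIL_LOGLINES=50
fi
EV=`nice -n 19 tail -n 5000 $LP | grep $ATTACK_HOST | tail -n $EMAIL_LOGLINES`
cat <<EOF

$ATTACK_HOST has been blocked and blacklisted by AltaGrade for exceeded login failures on $HOSTNAME.
If the IP address belongs to your team, then please clear it from the firewall's block-list and add it allowed hosts.
Alternatively file a support request on https://my.altagrade.com and we will gladly do it for you.

SOURCE ADDRESS: $ATTACK_HOST
TARGET SERVICE: $MOD
FAILED LOGINS: $ATTACK_COUNT
EXECUTED COMMAND: $BAN_COMMAND

SOURCE LOGS FROM SERVICE '$MOD' (GMT $TIME_ZONE):

$EV

-----------------------------------------------
AltaGrade Brute Force Detection System

EOF
ALERT_TEMPLATE
  else
    echo "BFD download or extraction failed; BFD was not installed" >&2
  fi
  # Route root's mail to the support mailbox.
  sed -i -e 's/#root:/root:/' /etc/aliases
  sed -i -e 's/marc/info@altagrade.com/' /etc/aliases
  echo "#owner: ${OWNER}" >> /etc/aliases
  newaliases
  echo ".. done"
fi

if [ ! -d /usr/local/maldetect ]; then
  echo "=================================================================================="
  echo "Installing Linux Malware Detect .."
  cd /usr/src
  if wget https://www.rfxn.com/downloads/maldetect-current.tar.gz &&
    tar xzf maldetect-current.tar.gz &&
    rm -rf maldetect-current.tar.gz &&
    cd maldetect*; then
    ./install.sh
    # Installing inotify-tools per https://www.rfxn.com/appdocs/README.maldetect
    yum -y install inotify-tools
    # Configuring malware detection settings
    sed -i -e 's/email_alert="0"/email_alert="1"/' /usr/local/maldetect/conf.maldet
    sed -i -e 's/email_addr="you@domain.com"/email_addr="security"/' /usr/local/maldetect/conf.maldet
    sed -i -e 's/email_ignore_clean="1"/email_ignore_clean="0"/' /usr/local/maldetect/conf.maldet
    sed -i -e 's/quarantine_hits="0"/quarantine_hits="1"/' /usr/local/maldetect/conf.maldet
    sed -i -e 's/quarantine_clean="0"/quarantine_clean="1"/' /usr/local/maldetect/conf.maldet
    sed -i -e 's/quarantine_suspend_user="0"/quarantine_suspend_user="1"/' /usr/local/maldetect/conf.maldet
    # NOTE(review): these exclusions sit inside each site's public_html, which
    # the site owner can write to; files placed in a "stats" directory are
    # never scanned.
    echo "/home/.*/public_html/stats" >> /usr/local/maldetect/ignore_paths
    echo "/home/.*/domains/.*/public_html/stats" >> /usr/local/maldetect/ignore_paths
  else
    echo "Maldet download or extraction failed; Maldet was not installed" >&2
  fi
  echo ".. done"
fi
echo "Done..."
echo "=================================================================================="

echo "=================================================================================="
echo "Removing unnecessary services..."
chown -R root:bin /etc/webmin
# Removal no longer depends on "systemctl stop" succeeding: a unit that is
# already stopped, masked or absent used to leave its package installed.
systemctl stop chronyd
yum -y remove chrony
systemctl stop wpa_supplicant
yum -y remove wpa_supplicant
systemctl stop fail2ban
# Quoted so that yum, not the shell, expands the wildcard.
yum -y remove 'fail2ban*' && rm -rf /var/log/fail2ban.log
systemctl stop proftpd
yum -y remove proftpd && rm -rf /var/log/proftpd
if [ "$PORT" = 19759 ]; then
  systemctl stop sound.target && systemctl disable sound.target
fi
echo "Done..."
echo "=================================================================================="

echo "=================================================================================="
echo "Finalizing the installation script..."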
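#######################################
# Replace a template value in every text file under /etc that contains it.
# Arguments: $1 - literal string to look for (matched with grep -F)
#            $2 - the same string as a sed regex (dots escaped)
#            $3 - replacement; assumed to contain no '/', '&' or '\'
# Returns:   0; the replacement is skipped when $3 is empty
#######################################
replace_in_etc() {
  local needle=$1 pattern=$2 replacement=$3
  if [ -z "$replacement" ]; then
    # An empty value would silently delete the template value everywhere.
    echo "No replacement value for $needle; leaving /etc untouched" >&2
    return 0
  fi
  # -I skips binary files, -Z/-0 keep unusual file names intact, and -r stops
  # sed from running without any file when nothing matched.
  grep -rlIZF -- "$needle" /etc | xargs -0 -r sed -i "s/$pattern/$replacement/g"
}

# Clean up the Webmin config files
replace_in_etc '65.49.80.99' '65\.49\.80\.99' "$IP"
# IP6 can hold several addresses, one per line; a multi-line value breaks the
# sed expression, so only the first address is used.
# NOTE(review): confirm the first address is the one wanted.
replace_in_etc 'fe80::216:3eff:feca:7117' 'fe80::216:3eff:feca:7117' "${IP6%%$'\n'*}"
replace_in_etc 'host.altagrade.org' 'host\.altagrade\.org' "$HOSTNAME"
replace_in_etc 'eth0' 'eth0' "$IFACE"

# Per https://www.virtualmin.com/node/43097
rm -rf /var/webmin/module.infos.cache
sh /etc/ag/cp/new-lang.sh >/dev/null 2>&1
/sbin/virtualmin check-config

# Install test repository for updates
# NOTE(review): this repository is reached over plain HTTP and has gpgcheck=0,
# so its packages are installed as root without signature verification, and the
# "yum -y update" right below already pulls from it. Publish a signing key and
# switch to gpgcheck=1 with a gpgkey= entry (and HTTPS) before production use.
cat > /etc/yum.repos.d/testrepo.repo << 'EOF'
[testrepo]
name=TestRepo Repository
baseurl=http://testrepo.altagrade.org:8080
enabled=1
gpgcheck=0
EOF
yum -y update
#yum -y install testrepo

# Calculating execution time
executed="$((SECONDS / 60)) minutes and $((SECONDS % 60)) seconds"
echo "The installation took $executed"
echo "AltaOS installed on $(date)" > /root/.altaos/.install_date

# Sending the final e-mail notification
yum -y install mailx
echo "Installation of AltaOS on ${HOSTNAME} completed in $executed. The system is rebooting..." | mail -s "AltaOS has been installed on ${HOSTNAME}" 6504506428@vtext.com

# Remove the installer artefacts and refresh the locate database.
rm -f /root/recipe*
rm -f /usr/src/altaos.sh
updatedb
echo "Rebooting the system..."
reboot
echo "Done..."
echo "=================================================================================="
exit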