install.sh

#!/bin/sh
# Install the packages we need to set up our gliders website + backend.
# This file doubles up as notes/instructions.

# Installed on a VirtualBox VM with 2gb RAM, 1 CPU, 8gb storage

# Based on a clean CentOS 7 minimal x64 installation
# (CentOS-7-x86_64-Minimal-1503-01)
# All configuration during CentOS install process was left as defaults
# Base installation chosen.
# One user added: gliders, pw: gliders9876

# As root:
yum check-update -y
yum install -y epel-release  # enables 'enterprise' software repo
rpm -Uvh https://mirror.webtatic.com/yum/el7/webtatic-release.rpm
yum install yum-plugin-replace
yum update -y 

# Install needed tools
yum install -y git rsync wget vim ansible tmux htop iotop dstat lsof telnet

# And inotify tools
yum install -y inotify-tools incron

# And development tools (needed to compile python libs from pip)
yum groupinstall -y "Development Tools"

# Install python libraries
yum install -y python-inotify numpy python-matplotlib python-virtualenv python-pip python-pandas libffi-devel python-daemon netcdf4-python ipython
pip install css-html-js-minify
pip install bcrypt
pip install future
pip install dbdreader

# Install (& configure) sendmail
# This isn't needed yet! But eventually we'd like to have theystem
# email people alerts for things (e.go velogs an alarm)
yum install -y sendmail sendmail-cf m4
systemctl enable sendmail

# Install & config MariaDB (MySQL)
yum install -y mariadb mariadb-server mariadb-devel
systemctl start mariadb.service
mysql_secure_installation
# ^ mariadb root pw was set to gliders9876, anon users + test db removed,
# remote root login disabled
systemctl enable mariadb

# Install ElasticSearch
# (Used for full-text searching of glider log files)
yum install -y java-1.8.0-openjdk
rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch
cp elasticsearch.repo /etc/yum/repos.d/
yum check-update -y 
yum install -y elasticsearch
systemctl enable elasticsearch

# Install MongoDB
yum install -y mongodb python-pymongo php-pecl-mongo
systemctl enable mongod

# Install SQLAlchemy
yum install -y MySQL-python python-sqlalchemy

# Install PHP
yum install -y php php-fpm php-apc php-pdo php-mcrypt php-mbstring php-pecl-runkit phpmyadmin phpize php-intl

# We install normal PHP *then* replace with php7 packages because phpmyadmin
# wants original PHP, by replacing with php7 after the phpMA package doesn't
# complain about wrong package versions.
yum replace php-common --replace-with=php70w-common
yum install php70w-fpm php70w-opcache php70w-devel php70w-pecl-apcu

# Install "backwards compatability" extension for PHP-APC; our site and a bunch
# of other stuff depends on it.
pecl install "channel://pecl.php.net/apcu_bc-1.0.3"
echo "extension=apc.so" >> /etc/php.d/apcu.ini

cp php.ini /etc/php.ini
cp php-d-fpm.ini /etc/php.d/fpm.ini
cp php-fpm-www.conf /etc/php-fpm.d/www.conf
systemctl enable php-fpm

# Install NodeJS, NPM, Bower and some tools for shrinking down
# javascript and CSS
yum install -y nodejs npm
npm install -g bower
npm install -g uglifyjs
npm install -g uglifycss

# As for the webserver -- either apache or nginx...
# nginx is nice and fast, apache gets better support from
# CentOS etc.
# Haven't tested apache *at all* and have added stuff
# to the nginx config that makes the site work correctly

# FOR NGINX
# Based on https://www.digitalocean.com/community/tutorials/how-to-install-nginx-on-centos-7
yum check-update -y 
yum install -y nginx
useradd -m gliders
gpasswd -a nginx gliders
gpasswd -a apache gliders
gpasswd -a wheel gliders  # let gliders user do sudo?
mkdir -p /var/gliders/logs /var/gliders/www/ /var/gliders/www_dev/ /var/gliders/daemon/logs/
chmod -R g+x /home/gliders
chown -R gliders:nginx /var/gliders
cp nginx.conf /etc/nginx/
cp *.nginx.conf /etc/nginx/conf.d/
chown gliders:nginx /etc/nginx/conf.d/gliders.nginx.conf # allow gliders user to edit their nginx config?
systemctl enable nginx

# Install fail2ban: This is some intrusion detection software
# that can help to block people trying to do brute-force
# logins etc.
yum install -y fail2ban
systemctl enable fail2ban

# Allow web through the firewall
systemctl enable firewalld
systemctl start firewalld
firewall-cmd --permanent --zone=public --add-service=ssh
firewall-cmd --permanent --zone=public --add-service=http 
firewall-cmd --permanent --zone=public --add-service=https
firewall-cmd --permanent --zone=public --add-service=8000/tcp  # port 8080 for dev branch of site
firewall-cmd --reload

# Set the system timezone to UTC
timedatectl set-timezone UTC

# And enable NTP, since for some reason it's not on by default..
timedatectl set-ntp true

# Install haveged to stop crypto stuff from hanging so much
# when it depletes /dev/random..! (The bcrypt library on PHP
# has a tendency to do this, which causes the occasional
# gateway timeout when registering / changing user passwords
# on the website.
yum install -y haveged
systemctl enable haveged

# Enable SystemD User services to start automatically on machine
# boot and continue running even if the user never logs in...
loginctl enable-linger gliders

# Increase open file limits. The 'fetchlogs' service connects to a bunch of
# stuff in parallel and with everything else running on the server this could
# push it over the default 4096 (or is it 1024?) open files per user limit,
# causing programs to quit.
# https://easyengine.io/tutorials/linux/increase-open-files-limit/
cp security-limits.d-10-files.conf /etc/security/limits.d/10-files.conf
cp sysctl.d-0-filelimits.conf /etc/sysctl.d/0-filelimits.conf

# Add dev.gliders.localhost and gliders.localhost entries
# This allows us to access the gliders website from nginx on this
# machine.
echo '127.0.0.1 dev.gliders.localhost gliders.localhost' >> /etc/hosts
echo '::1 dev.gliders.localhost gliders.localhost' >> /etc/hosts

# (optional) Compile HHVM -- this will take ages!
# yum install cpp gcc-c++ cmake git psmisc {binutils,boost,jemalloc}-devel \
# {ImageMagick,sqlite,tbb,bzip2,openldap,readline,elfutils-libelf,gmp,lz4,pcre}-devel \
# lib{xslt,event,yaml,vpx,png,zip,icu,mcrypt,memcached,cap,dwarf}-devel \
# {unixODBC,expat,mariadb}-devel lib{edit,curl,xml2,xslt}-devel \
# glog-devel oniguruma-devel ocaml gperf enca libjpeg-turbo-devel openssl-devel \
# mariadb mariadb-server make -y
# git clone https://github.com/facebook/hhvm -b master hhvm --recursive
# cd hhvm
# cmake .
# make -j4
# make install
# cd -
# cp hhvm.service /etc/systemd/system/
# systemctl enable hhvm

# Install memcached
yum install -y memcached memcached-devel libmemcached-devel
systemctl enable memcached
systemctl start memcached

# Create gliders dirs and allow the webserver to read/write to them
# (Mostly this sets up SELinux rules)
mkdir -p /var/gliders/www_dev /var/gliders/www /var/gliders/incoming /var/gliders/logs /var/gliders/static /var/gliders/daemon/logs /var/gliders/www_tmp
chown -R gliders /var/gliders
setsebool -P httpd_can_network_connect 1
chcon -R -t httpd_sys_rw_content_t /usr/share/nginx
chcon -R -t httpd_sys_rw_content_t /var/gliders/www
chcon -R -t httpd_sys_rw_content_t /var/gliders/www_dev
chcon -R -t httpd_sys_rw_content_t /var/gliders/incoming
chcon -R -t httpd_sys_rw_content_t /var/gliders/static
chcon -R -t httpd_sys_content_t /var/gliders/logs