add more packages in kickstart and update README for wordpress and deps

README.md

@@ -18,6 +18,32 @@ installation should start and run fully automated now.
 See the [kickstart](kickstart-install/Born2beroot.cfg) file for more
 informations on the system setup.
 
+<!-- Install the packages will need:
+
+```bash
+# SELinux policy tools (should be done by kickstart conf)
+# dnf install policycoreutils-python-utils
+# Extra Packages for Entreprise Linux 9 repository in which ufw package is.
+dnf install epel-release
+# Uncomplicated Firewall.
+dnf install ufw
+
+# Dependencies for building lighttpd from sources.
+dnf install git pcre2-devel
+dnf groupinstall 'Development Tools'
+
+# MariaDB and PHP for Bonus.
+dnf install mariadb-server php-fpm php-mysqlnd
+```
+
+Enable services:
+
+```bash
+systemctl enable mariadb
+systemctl enable php-fpm
+systemctl enable ufw
+``` -->
+
 ## Configuration
 
 ### Password policy
@@ -27,23 +53,10 @@ Set password aging settings in [/etc/login.defs](rootfs/etc/login.defs).
 Set password complexity requirements in
 [/etc/security/pwquality.conf.d/99-Born2beroot.conf](rootfs/etc/security/pwquality.conf.d/99-Born2beroot.conf)
 
-### Firewall
+### sudo
 
-Install _Extra Packages for Entreprise Linux 9_ extra packages repository which
-provides ufw and install it:
-
-```bash
-dnf install epel-release
-dnf install ufw
-```
-
-Enable the firewall and configure it:
-
-```bash
-ufw enable
-# SSH
-ufw allow in 4242/tcp
-```
+Add the provided [sudoers policy file](rootfs/etc/sudoers.d/Born2beroot) in
+`/etc/sudoers.d`.
 
 ### Remote access
 
@@ -51,21 +64,59 @@ Disable root SSH login and change listening port adding
 [/etc/ssh/sshd_config.d/99-Born2beroot.conf](rootfs/etc/ssh/sshd_config.d/99-Born2beroot.conf)
 configuration file.
 
-### sudo
-
-Add the provided [sudoers policy file](rootfs/etc/sudoers.d/Born2beroot) in
-`/etc/sudoers.d`.
-
-### Lighttpd + PHP + MariaDB + Wordpress
-
-Install required tools for building lighttpd from source as no package is
-available for CentOS Stream 9:
+You also have to edit SELinux policy to allow `sshd` to listen on the
+non-default TCP port 4242:
 
 ```bash
-dnf install git pcre2-devel
-dnf groupinstall 'Development Tools'
+semanage port --add -t ssh_port_t -p tcp 4242
 ```
 
+### Firewall
+
+Install and enable the firewall and configure it:
+
+```bash
+# Extra Packages for Entreprise Linux 9 repository in which ufw package is.
+dnf install epel-release
+# Uncomplicated Firewall.
+dnf install ufw
+
+ufw enable
+# Remove all rules and then add the following one for SSH:
+ufw allow in 4242/tcp
+```
+
+### PHP
+
+Allow `php-fpm` to access the web server web root and then restart it:
+
+```bash
+semanage boolean --modify --on httpd_unified
+semanage fcontext -a -t httpd_sys_content_t /srv/www/htdocs
+restorecon -R /srv
+systemctl restart php-fpm
+```
+
+### MariaDB
+
+Setup MariaDB root account and do a basic securization of it:
+
+```bash
+mysql_secure_installation
+```
+
+Then enter the MariaDB shell with `mariadb -u root` and create an user for
+Wordpress and assign it a table:
+
+```SQL
+CREATE DATABASE wordpress;
+CREATE USER 'wordpress'@'localhost' IDENTIFIED BY 'CHANGE_ME';
+GRANT ALL PRIVILEGES ON wordpress.* TO 'wordpress'@'localhost';
+FLUSH PRIVILEGES;
+```
+
+### Lighttpd
+
 Get lighty source, compile them and install it:
 
 ```bash
@@ -77,12 +128,14 @@ cd lighttpd1.4
 make install
 ```
 
+<!--TODO: Test kickstart setup
 Add an user and group for the daemon:
 
 ```bash
 groupadd -r lighttpd
 useradd -md /var/lib/lighttpd -g lighttpd -r -s /bin/false lighttpd
 ```
+-->
 
 Create log dir:
 
@@ -90,30 +143,18 @@ Create log dir:
 install -d -o root -g lighttpd -m 770 /var/log/lighttpd
 ```
 
-Install PHP and MariaDB:
+### Wordpress
 
-```bash
-dnf install mariadb php-fpm
-```
+Download wordpress and unpack it somewhere under `/srv/www/htdocs`. Then, give
+`php-fpm` the right to write to it and make sure to have the right SELinux
+context set by using `restorecon` on Wordpress directory.
+
+Now it should be accessible by HTTP.
 
 ### Mandatory Access Control
 
-Install the required tools provided by package `policycoreutils-pythoni-utils`
-
-Allow `sshd` to listen on the non-default TCP port 4242:
+Make sure all files have the right SELinux context:
 
 ```bash
-semanage port --add -t ssh_port_t -p tcp 4242
-```
-
-Allow `php-fpm` to read the web server web root"
-
-```bash
-semanage fcontext -a -t httpd_sys_content_t /src/www/htdocs
-```
-
-Relabel correctly files in `/etc/`:
-
-```bash
-restorecon -Rv /etc
+restorecon -R /
 ```

kickstart-install/Born2beroot.cfg

@@ -12,6 +12,7 @@ timezone    Etc/UTC --utc
 com_redhat_kdump --disable
 %end
 
+# Bonus disk setup
 ignoredisk --only-use=/dev/disk/by-path/pci-0000:00:0f.0-scsi-0:0:0:0
 clearpart   --initlabel --all
 part        /boot --fstype="xfs" --ondisk=/dev/disk/by-path/pci-0000:00:0f.0-scsi-0:0:0:0 --size=500 --label=boot
@@ -33,23 +34,28 @@ logvol      / --fstype="xfs" --size=10240 --label="root" --name=root --vgname=LV
 # we don't want the default firewall.
 -firewalld
 sudo
+# SELinux policy tools
+policycoreutils-python-utils
+# Bonus
+@Development Tools
+pcre2-devel
+mariadb-server
+php-fpm
+php-mysqlnd
 %end
 
 group       --name=user42
 group       --name=sudo
 rootpw      --plaintext "CHANGE_ME" --lock
 
-services    --enabled=sshd
+services    --enabled=sshd,php-fpm,mariadb
 
-bootloader  --password="grub2"
+bootloader  --password="CHANGE_ME"
 
-# local conf
-# user        --name=CHANGE_ME_USER --groups=sudo,user42
-# sshkey      --username=CHANGE_ME_USER CHANGE_ME_SSH_KEY
-# sshkey      --username=root CHANGE_ME_SSH_KEY
-# sshpw       --username=root --lock --sshkey CHANGE_ME_SSH_KEY
-# network     --device=enp0s3 --hostname=CHANGE_ME_HOSTNAME
+# Bonus lighttpd
+user        --name=lighttpd --homedir=/var/lib/lighttpd --lock --shell=/bin/false
 
+# Local conf
 user        --name=CHANGEME --groups=sudo,user42
 sshkey      --username=CHANGE_ME "CHANGE_ME"
 sshkey      --username=root "CHANGE_ME"