add more packages in kickstart and update README for wordpress and deps
parent a5f15de679
commit de1dce6079

135 README.md
@ -18,6 +18,32 @@ installation should start and run fully automated now.
See the [kickstart](kickstart-install/Born2beroot.cfg) file for more
informations on the system setup.

<!-- Install the packages will need:

```bash
# SELinux policy tools (should be done by kickstart conf)
# dnf install policycoreutils-python-utils
# Extra Packages for Entreprise Linux 9 repository in which ufw package is.
dnf install epel-release
# Uncomplicated Firewall.
dnf install ufw

# Dependencies for building lighttpd from sources.
dnf install git pcre2-devel
dnf groupinstall 'Development Tools'

# MariaDB and PHP for Bonus.
dnf install mariadb-server php-fpm php-mysqlnd
```

Enable services:

```bash
systemctl enable mariadb
systemctl enable php-fpm
systemctl enable ufw
``` -->

## Configuration

### Password policy
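Review bot: the HTML-commented block from `<!-- Install the packages will need:` to `` ``` --> `` is dead content that readers of the rendered README never see, yet it is the only place that still lists `systemctl enable ufw` and the lighttpd build dependencies in one spot; the header comment `# SELinux policy tools (should be done by kickstart conf)` is true for `policycoreutils-python-utils` (it is in the kickstart `%packages`) but not for `epel-release`/`ufw`, which appear neither in `%packages` nor in `services --enabled=`. Either delete the block or turn it into a visible "Packages" list that separates what the kickstart installs from what must be installed by hand after first boot. Wording: "Install the packages will need" is missing "we", and "Entreprise" should be "Enterprise" (same typo recurs in the Firewall block later in the file).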
@ -27,23 +53,10 @@ Set password aging settings in [/etc/login.defs](rootfs/etc/login.defs).
Set password complexity requirements in
[/etc/security/pwquality.conf.d/99-Born2beroot.conf](rootfs/etc/security/pwquality.conf.d/99-Born2beroot.conf)

### Firewall
### sudo

Install _Extra Packages for Entreprise Linux 9_ extra packages repository which
provides ufw and install it:

```bash
dnf install epel-release
dnf install ufw
```

Enable the firewall and configure it:

```bash
ufw enable
# SSH
ufw allow in 4242/tcp
```
Add the provided [sudoers policy file](rootfs/etc/sudoers.d/Born2beroot) in
`/etc/sudoers.d`.

### Remote access

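Review bot: the new `### sudo` section only says to "Add the provided sudoers policy file in `/etc/sudoers.d`", which leaves out the two steps that make a sudoers.d drop-in safe: install it with mode 0440 and root ownership (for example `install -o root -g root -m 0440 rootfs/etc/sudoers.d/Born2beroot /etc/sudoers.d/Born2beroot`) and validate it with `visudo -cf /etc/sudoers.d/Born2beroot` before closing the session, since a syntax error in any fragment disables sudo entirely. Moving the Firewall section out of here is fine as long as the relocated copy keeps the same rules.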
@ -51,21 +64,59 @@ Disable root SSH login and change listening port adding
[/etc/ssh/sshd_config.d/99-Born2beroot.conf](rootfs/etc/ssh/sshd_config.d/99-Born2beroot.conf)
configuration file.

### sudo

Add the provided [sudoers policy file](rootfs/etc/sudoers.d/Born2beroot) in
`/etc/sudoers.d`.

### Lighttpd + PHP + MariaDB + Wordpress

Install required tools for building lighttpd from source as no package is
available for CentOS Stream 9:
You also have to edit SELinux policy to allow `sshd` to listen on the
non-default TCP port 4242:

```bash
dnf install git pcre2-devel
dnf groupinstall 'Development Tools'
semanage port --add -t ssh_port_t -p tcp 4242
```

### Firewall

Install and enable the firewall and configure it:

```bash
# Extra Packages for Entreprise Linux 9 repository in which ufw package is.
dnf install epel-release
# Uncomplicated Firewall.
dnf install ufw

ufw enable
# Remove all rules and then add the following one for SSH:
ufw allow in 4242/tcp
```

### PHP

Allow `php-fpm` to access the web server web root and then restart it:

```bash
semanage boolean --modify --on httpd_unified
semanage fcontext -a -t httpd_sys_content_t /srv/www/htdocs
restorecon -R /srv
systemctl restart php-fpm
```

### MariaDB

Setup MariaDB root account and do a basic securization of it:

```bash
mysql_secure_installation
```

Then enter the MariaDB shell with `mariadb -u root` and create an user for
Wordpress and assign it a table:

```SQL
CREATE DATABASE wordpress;
CREATE USER 'wordpress'@'localhost' IDENTIFIED BY 'CHANGE_ME';
GRANT ALL PRIVILEGES ON wordpress.* TO 'wordpress'@'localhost';
FLUSH PRIVILEGES;
```

### Lighttpd

Get lighty source, compile them and install it:

```bash
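Review bot: in the `### PHP` block, `semanage fcontext -a -t httpd_sys_content_t /srv/www/htdocs` registers a rule for that one path only, so the following `restorecon -R /srv` relabels the directory but not the files under it; use the pattern form `semanage fcontext -a -t httpd_sys_content_t "/srv/www/htdocs(/.*)?"`. In the same block, `httpd_unified` is a coarse boolean that gives the httpd domain write access to every httpd content type; the narrower fix is `httpd_sys_rw_content_t` on just the directories WordPress must write. In the `### Firewall` block, `ufw enable` is run before `ufw allow in 4242/tcp`; with ufw's default deny-incoming policy that order can drop the very SSH session on port 4242 the admin is typing in, so add the allow rule first, and the comment "Remove all rules and then add the following one for SSH" describes a command (`ufw reset`) that is not in the block. In the `### MariaDB` text, "assign it a table" should read "database", since the SQL creates and grants on `wordpress.*`.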
@ -77,12 +128,14 @@ cd lighttpd1.4
make install
```

<!--TODO: Test kickstart setup
Add an user and group for the daemon:

```bash
groupadd -r lighttpd
useradd -md /var/lib/lighttpd -g lighttpd -r -s /bin/false lighttpd
```
-->

Create log dir:

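Review bot: wrapping the `groupadd -r lighttpd` / `useradd ... lighttpd` steps in `<!--TODO: Test kickstart setup` hides them from the rendered README while the TODO itself says the kickstart replacement is untested; a reader who did not install from the kickstart then hits the next step, `install -d -o root -g lighttpd ...`, with no `lighttpd` group and it fails. Keep the steps visible with a "skip if installed from the kickstart" note until the kickstart path is verified. Note also that `useradd -r` makes a system account, whereas the kickstart `user --name=lighttpd ...` line added in this commit has no system-account flag, so the two paths give different UID/GID ranges unless `--uid`/`--gid` are set.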
@ -90,30 +143,18 @@ Create log dir:
install -d -o root -g lighttpd -m 770 /var/log/lighttpd
```

Install PHP and MariaDB:
### Wordpress

```bash
dnf install mariadb php-fpm
```
Download wordpress and unpack it somewhere under `/srv/www/htdocs`. Then, give
`php-fpm` the right to write to it and make sure to have the right SELinux
context set by using `restorecon` on Wordpress directory.

Now it should be accessible by HTTP.

### Mandatory Access Control

Install the required tools provided by package `policycoreutils-pythoni-utils`

Allow `sshd` to listen on the non-default TCP port 4242:
Make sure all files have the right SELinux context:

```bash
semanage port --add -t ssh_port_t -p tcp 4242
```

Allow `php-fpm` to read the web server web root"

```bash
semanage fcontext -a -t httpd_sys_content_t /src/www/htdocs
```

Relabel correctly files in `/etc/`:

```bash
restorecon -Rv /etc
restorecon -R /
```

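Review bot: the new closing line `restorecon -R /` is the wrong tool here: it walks the entire filesystem, and after a `semanage fcontext` change the paths that actually need relabeling are the web root and `/etc`, so a targeted `restorecon -Rv /srv/www /etc` is enough (if a full relabel is really intended, `fixfiles onboot` or `touch /.autorelabel` followed by a reboot is the supported way). The `### Wordpress` paragraph says to "give `php-fpm` the right to write to it" without naming the account php-fpm runs as or the command; spell out the `chown`/`chmod` and limit write access to `wp-content` rather than the whole tree, since a world-writable web root is what WordPress attackers look for. The removed `dnf install mariadb php-fpm` block is only safe to drop because the kickstart now installs `mariadb-server`, `php-fpm` and `php-mysqlnd`; say so in the section so readers on a hand-installed system know what to install.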
@ -12,6 +12,7 @@ timezone Etc/UTC --utc
com_redhat_kdump --disable
%end

# Bonus disk setup
ignoredisk --only-use=/dev/disk/by-path/pci-0000:00:0f.0-scsi-0:0:0:0
clearpart --initlabel --all
part /boot --fstype="xfs" --ondisk=/dev/disk/by-path/pci-0000:00:0f.0-scsi-0:0:0:0 --size=500 --label=boot
@ -33,23 +34,28 @@ logvol / --fstype="xfs" --size=10240 --label="root" --name=root --vgname=LV
# we don't want the default firewall.
-firewalld
sudo
# SELinux policy tools
policycoreutils-python-utils
# Bonus
@Development Tools
pcre2-devel
mariadb-server
php-fpm
php-mysqlnd
%end

group --name=user42
group --name=sudo
rootpw --plaintext "CHANGE_ME" --lock

services --enabled=sshd
services --enabled=sshd,php-fpm,mariadb

bootloader --password="grub2"
bootloader --password="CHANGE_ME"

# local conf
# user --name=CHANGE_ME_USER --groups=sudo,user42
# sshkey --username=CHANGE_ME_USER CHANGE_ME_SSH_KEY
# sshkey --username=root CHANGE_ME_SSH_KEY
# sshpw --username=root --lock --sshkey CHANGE_ME_SSH_KEY
# network --device=enp0s3 --hostname=CHANGE_ME_HOSTNAME
# Bonus lighttpd
user --name=lighttpd --homedir=/var/lib/lighttpd --lock --shell=/bin/false

# Local conf
user --name=CHANGEME --groups=sudo,user42
sshkey --username=CHANGE_ME "CHANGE_ME"
sshkey --username=root "CHANGE_ME"
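Review bot: the placeholders in the `# Local conf` block do not match: `user --name=CHANGEME` versus `sshkey --username=CHANGE_ME "CHANGE_ME"`, so a search-and-replace of `CHANGE_ME` leaves an account literally named CHANGEME and attaches the key to a user that does not exist; use one placeholder. Second, `bootloader --password="CHANGE_ME"` and `rootpw --plaintext "CHANGE_ME" --lock` put secrets in clear text in a file anaconda copies onto the installed system under `/root`; use `--iscrypted` with a `grub2-mkpasswd-pbkdf2` hash for the bootloader and an `openssl passwd -6` hash for rootpw. Third, `sshkey --username=root "CHANGE_ME"` installs an authorized key for root while the README's Remote access section disables root SSH login; the deleted `# sshpw --username=root --lock --sshkey ...` line shows the earlier intent, so either drop the root key or keep the lock. Finally, removing `# network --device=enp0s3 --hostname=CHANGE_ME_HOSTNAME` leaves no hostname setting in the file, and `user --name=lighttpd ... --lock --shell=/bin/false` gets a regular-range UID because the kickstart `user` command has no system-account flag; add `--uid`/`--gid` below 1000 if a daemon account is wanted.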