diff --git a/simplerisk-setup.sh b/simplerisk-setup.sh
index 0471bf7..7371b46 100644
--- a/simplerisk-setup.sh
+++ b/simplerisk-setup.sh
@@ -1,694 +1,780 @@ -#!/bin/bash +#!/usr/bin/env bash +set -euo pipefail -########################################### -# SIMPLERISK SETUP SCRIPT FOR UBUNTU 18.04 -# Run as root or insert `sudo -E` before `bash`: -# curl -sL https://raw.githubusercontent.com/simplerisk/setup-scripts/master/simplerisk-setup.sh | bash - -# OR -# wget -qO- https://raw.githubusercontent.com/simplerisk/setup-scripts/master/simplerisk-setup.sh | bash - -########################################### -set +e -export DEBIAN_FRONTEND=noninteractive +# Detect piped execution (curl | bash) and force headless mode +if ! [ -t 0 ]; then + HEADLESS=y +fi +readonly UBUNTU_OSVAR='Ubuntu' +readonly DEBIAN_OSVAR='Debian GNU/Linux' +readonly CENTOS_STREAM_OSVAR='CentOS Stream' +readonly RHEL_OSVAR='Red Hat Enterprise Linux' +readonly RHELS_OSVAR='Red Hat Enterprise Linux Server' +readonly SLES_OSVAR='SLES' + +readonly MYSQL_KEY_URL='https://repo.mysql.com/RPM-GPG-KEY-mysql-2023' + +######################### +## MAIN FLOW FUNCTIONS ## +######################### +setup (){ + validate_args "${@:1}" + + if [ ! -v VALIDATE_ONLY ]; then + check_root + fi + + if [ ! -v HEADLESS ] && [ ! -v VALIDATE_ONLY ]; then + ask_user + fi + + load_os_variables + validate_os_and_version + + if [ -v VALIDATE_ONLY ]; then + exit 0 + fi + + perform_installation +} + +validate_args(){ + while [[ $# -gt 0 ]] + do + local key="${1}" + case "${key}" in + -n|--no-assistance) HEADLESS=y; shift;; + -d|--debug) DEBUG=y; shift;; + -t|--testing) TESTING=y; shift;; + --validate-os-only) VALIDATE_ONLY=y; shift;; + -h|--help) print_help; exit 0;; + *) echo "Provided parameter ${key} is not valid."; print_help; exit 1;; + esac + done +} + +check_root() { + if [ ${EUID} -ne 0 ]; then + print_error_message "This script must be run as root (unless verifying OS). Try: sudo bash" + fi +} + +ask_user() { + if ! [ -t 0 ]; then + if [ -v HEADLESS ]; then return 0 + else print_error_message "No interactive terminal available. 
Re-run with --no-assistance." + fi + fi + + while true; do + read -r -p 'This script will install SimpleRisk. Proceed? [Yes/No]: ' answer + case "${answer}" in + Yes|yes|Y|y ) return 0 ;; + No|no|N|n ) exit 1 ;; + * ) echo "Please answer Yes or No." ;; + esac + done +} + +load_os_variables(){ + # freedesktop.org and systemd + if [ -f /etc/os-release ]; then + # shellcheck source=/dev/null + . /etc/os-release + OS=$NAME + VER=$VERSION_ID + # linuxbase.org + elif type lsb_release >/dev/null 2>&1; then + OS=$(lsb_release -si) + VER=$(lsb_release -sr) + # For some versions of Debian/Ubuntu without lsb_release command + elif [ -f /etc/lsb-release ]; then + # shellcheck source=/dev/null + . /etc/lsb-release + OS=$DISTRIB_ID + VER=$DISTRIB_RELEASE + # Older Debian/Ubuntu/etc. + elif [ -f /etc/debian_version ]; then + OS=$DEBIAN_OSVAR + VER=$(cat /etc/debian_version) + # Older SuSE/etc. or Red Hat, CentOS, etc. + elif [ -f /etc/SuSe-release ] || [ -f /etc/redhat-release ]; then + echo 'The SimpleRisk setup script cannot reliably determine which commands to run for this OS. Exiting.' + exit 1 + # Fall back to uname, e.g. "Linux ", also works for BSD, etc. + else + OS=$(uname -s) + VER=$(uname -r) + fi +} + +validate_os_and_version(){ + local valid + case "${OS}" in + "${UBUNTU_OSVAR}") + if [ "${VER}" = '22.04' ] || [[ "${VER}" = 24.* ]] || [[ "${VER}" = 25.* ]]; then + valid=y + SETUP_TYPE=debian + fi;; + "${DEBIAN_OSVAR}") + if [ "${VER}" = "11" ] || [ "${VER}" = '12' ]; then + valid=y + SETUP_TYPE=debian + fi;; + "${CENTOS_STREAM_OSVAR}") + if [ "${VER}" = "9" ]; then + valid=y + SETUP_TYPE=rhel + fi;; + "${RHEL_OSVAR}"|"${RHELS_OSVAR}") + if [[ "${VER}" = 8* ]] || [[ "${VER}" = 9* ]]; then + valid=y + SETUP_TYPE=rhel + fi;; + "${SLES_OSVAR}") + if [[ "${VER}" = 15* ]]; then + valid=y + if [ ! -v HEADLESS ] && [ ! -v VALIDATE_ONLY ] && [ -t 0 ]; then + read -r -p 'Before continuing, SLES 15 does not have sendmail available. Proceed? 
[Yes/No]: ' answer + case "${answer}" in + Yes|yes|Y|y ) SETUP_TYPE=suse ;; + * ) exit 1 ;; + esac + else + echo "This will install postfix. You will need to configure it later." + SETUP_TYPE=suse + fi + fi;; + *) + local unknown=y;; + esac + + if [ -n "${valid:-}" ]; then + echo "Detected OS is ${OS} ${VER}, which is supported by this script." + elif [ -z "${valid:-}" ] && [ ! -v unknown ]; then + echo "Detected OS is ${OS} ${VER}, but this version is not currently supported by this script." + exit 1 + else + echo "Detected OS is ${OS}, but it is unsupported by this script." + exit 1 + fi +} + +perform_installation() { + local current_simplerisk_version + current_simplerisk_version=$(get_current_simplerisk_version) + + case "${SETUP_TYPE:-}" in + debian) setup_ubuntu_debian "$current_simplerisk_version";; + rhel) setup_centos_rhel "$current_simplerisk_version";; + suse) setup_suse "$current_simplerisk_version";; + *) print_error_message "Could not validate the setup type. Check the perform_installation and validate_os_and_version functions.";; + esac + + success_final_message +} + +######################### +## AUXILIARY FUNCTIONS ## +######################### print_status() { echo - echo "## $1" + echo "## ${1}" echo } -exec_cmd(){ - exec_cmd_nobail "$1" || bail +print_error_message() { + echo + echo "!!! ERROR: ${1} !!!" + echo + exit 1 } -bail() { - echo 'Error executing command, exiting' - exit 1 +exec_cmd(){ + exec_cmd_nobail "${1}" || bail } exec_cmd_nobail() { - echo "+ $1" - bash -c "$1" + local no_log="" + if [ ! -v DEBUG ]; then + no_log='> /dev/null 2>&1' + fi + + echo "+ ${1}" + bash -c "${1} ${no_log}" } -check_root() { - ## Check to make sure we are running as root - if [[ $EUID -ne 0 ]]; then - print_status "ERROR: This script must be run as root!" - print_status "Try running the command 'sudo bash' and then run this script again..." 
- exit 1 +create_random_password() { + local char_pattern='A-Za-z0-9' + if [ -n "${2:-}" ]; then + char_pattern=$char_pattern'!?^@%' fi + # Disabling useless echo (mandatory with set u) + # shellcheck disable=SC2005 + echo "$(< /dev/urandom tr -dc "${char_pattern}" | head -c"${1:-20}")" } -setup_ubuntu_1804(){ - # Get the current SimpleRisk release version - CURRENT_SIMPLERISK_VERSION=`curl -sL https://updates.simplerisk.com/Current_Version.xml | grep -oP '(.*)' | cut -d '>' -f 2 | cut -d '<' -f 1` +generate_passwords() { + print_status 'Generating MySQL passwords...' + NEW_MYSQL_ROOT_PASSWORD=$(create_random_password) + MYSQL_SIMPLERISK_PASSWORD=$(create_random_password) + echo "MYSQL ROOT PASSWORD: ${NEW_MYSQL_ROOT_PASSWORD}" >> /root/passwords.txt + echo "MYSQL SIMPLERISK PASSWORD: ${MYSQL_SIMPLERISK_PASSWORD}" >> /root/passwords.txt + chmod 600 /root/passwords.txt +} - print_status "Running SimpleRisk ${CURRENT_SIMPLERISK_VERSION} installer..." +set_up_database() { + # $1 should receive the mysqld.log path to retrieve password: + # CentOS 7, RHEL 9: /var/log/mysqld.log + # SLES 15: /var/log/mysql/mysqld.log + local password_flag + if [ -n "${1:-}" ]; then + local initial_root_password + initial_root_password=$(grep Note "$1" | awk -F " " '{print $NF}') + local temp_password + temp_password="$(create_random_password 100 y)" + exec_cmd "mysql -u root mysql -e \"ALTER USER 'root'@'localhost' IDENTIFIED BY '${temp_password}'\" --password=\"${initial_root_password}\" --connect-expired-password" + password_flag=" --password='${temp_password}'" + exec_cmd "mysql -u root mysql -e \"SET GLOBAL validate_password.policy = LOW;\"$password_flag" + fi + exec_cmd "mysql -uroot mysql -e 'CREATE DATABASE simplerisk'${password_flag:-}" + exec_cmd "mysql -uroot mysql -e \"CREATE USER 'simplerisk'@'localhost' IDENTIFIED BY '${MYSQL_SIMPLERISK_PASSWORD}'\"${password_flag:-}" + exec_cmd "mysql -uroot simplerisk -e '\\. 
/var/www/simplerisk/database.sql'${password_flag:-}" + exec_cmd "mysql -uroot simplerisk -e \"GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, REFERENCES, INDEX, ALTER ON simplerisk.* TO 'simplerisk'@'localhost'\"${password_flag:-}" + exec_cmd "mysql -u root mysql -e \"ALTER USER 'root'@'localhost' IDENTIFIED BY '${NEW_MYSQL_ROOT_PASSWORD}'\"${password_flag:-}" + + print_status 'Setting the SimpleRisk database password...' + exec_cmd "sed -i \"s/\(DB_PASSWORD', '\)simplerisk/\1${MYSQL_SIMPLERISK_PASSWORD}/\" /var/www/simplerisk/includes/config.php" + exec_cmd "sed -i \"s/\(SIMPLERISK_INSTALLED', '\)false/\1true/\" /var/www/simplerisk/includes/config.php" +} - print_status "Populating apt-get cache..." - exec_cmd 'apt-get update > /dev/null 2>&1' +set_php_settings() { + # $1 receives the path to php settings file + print_status 'Setting the maximum file upload size in PHP to 5MB and memory limit to 256M...' + exec_cmd "sed -i 's/\(upload_max_filesize =\) .*/\1 5M/g' $1" + exec_cmd "sed -i 's/\(memory_limit =\) .*/\1 256M/g' $1" + + print_status 'Setting the maximum input variables in PHP to 3000...' + exec_cmd "sed -i 's/\(;\|\#\)\?\(max_input_vars =\).*/\2 3000/g' $1" +} - print_status "Updating current packages (this may take a bit)..." - exec_cmd 'apt-get dist-upgrade -qq --force-yes > /dev/null 2>&1' +set_up_simplerisk() { +# $1 receives the user to set the ownership of the simplerisk directory +# $2 receives current SimpleRisk's version + print_status 'Downloading the latest SimpleRisk release to /var/www/simplerisk...' + if [ ! 
-d /var/www ]; then + exec_cmd 'mkdir -p /var/www/' + elif [ -d /var/www/html ]; then + exec_cmd 'rm -r /var/www/html' + fi + exec_cmd "cd /var/www && wget https://simplerisk-downloads.s3.amazonaws.com/public/bundles/simplerisk-${2}.tgz" + exec_cmd "cd /var/www && tar xvzf simplerisk-${2}.tgz" + exec_cmd "rm -f /var/www/simplerisk-${2}.tgz" + exec_cmd "cd /var/www/simplerisk && wget https://github.com/simplerisk/database/raw/master/simplerisk-en-${2}.sql -O database.sql" + exec_cmd "chown -R ${1}: /var/www/simplerisk" +} - print_status "Installing tasksel..." - exec_cmd "apt-get install -y tasksel > /dev/null 2>&1" +set_up_backup_cronjob() { + exec_cmd "(crontab -l 2>/dev/null; echo '* * * * * $(which php) -f /var/www/simplerisk/cron/cron.php') | crontab -" +} - print_status "Installing lamp-server..." - exec_cmd "tasksel install lamp-server > /dev/null 2>&1" +get_current_simplerisk_version() { + curl -sL "https://updates${TESTING:+-test}.simplerisk.com/releases.xml" | grep -oP '' | head -n1 | cut -d '"' -f 2 +} - print_status "Installing mbstring module for PHP..." - exec_cmd "apt-get install -y php-mbstring > /dev/null 2>&1" +get_installed_php_version() { + php -v | grep -E '^PHP [[:digit:]]' | awk -F ' ' '{print $2}' | awk -F '.' '{print $NR"."$2}' +} - print_status "Installing PHP development libraries..." - exec_cmd "apt-get install -y php-dev > /dev/null 2>&1" +####################### +## MESSAGE FUNCTIONS ## +####################### +success_final_message(){ + print_status 'Check /root/passwords.txt for the MySQL root and simplerisk passwords.' + print_status 'As these passwords are stored in clear text, we recommend immediately moving them into a password manager and deleting this file.' + print_status 'INSTALLATION COMPLETED SUCCESSFULLY' +} - print_status "Installing pear for PHP..." - exec_cmd "apt-get install -y php-pear > /dev/null 2>&1" +print_help() { + cat << EOC - print_status "Installing ldap module for PHP..." 
- exec_cmd "apt-get install -y php-ldap > /dev/null 2>&1" +Script to set up SimpleRisk on a server. - print_status "Enabling the ldap module in PHP..." - exec_cmd "phpenmod ldap > /dev/null 2>&1" - - print_status "Installing curl module for PHP..." - exec_cmd "apt-get install -y php-curl > /dev/null 2>&1" +./simplerisk-setup [-d|--debug] [-n|--no-assistance] [-h|--help] [--validate-os-only] - print_status "Enabling SSL for Apache..." - exec_cmd "a2enmod rewrite > /dev/null 2>&1" - exec_cmd "a2enmod ssl > /dev/null 2>&1" - exec_cmd "a2ensite default-ssl > /dev/null 2>&1" +Flags: +-d|--debug: Shows the output of the commands being run by this script +-n|--no-assistance: Runs the script in headless mode (will assume yes on anything) +-t|--testing: Picks the current testing version +--validate-os-only: Only validates if the current host (OS and version) are supported + by the script. This option does not require running the script + as superuser. +-h|--help: Shows instructions on how to use this script +EOC +} - print_status "Configuring secure settings for Apache..." - exec_cmd "sed -i 's/SSLProtocol all -SSLv3/SSLProtocol TLSv1.2/g' /etc/apache2/mods-enabled/ssl.conf > /dev/null 2>&1" - exec_cmd "sed -i 's/#SSLHonorCipherOrder on/SSLHonorCipherOrder on/g' /etc/apache2/mods-enabled/ssl.conf > /dev/null 2>&1" - exec_cmd "sed -i 's/ServerTokens OS/ServerTokens Prod/g' /etc/apache2/conf-enabled/security.conf > /dev/null 2>&1" - exec_cmd "sed -i 's/ServerSignature On/ServerSignature Off/g' /etc/apache2/conf-enabled/security.conf > /dev/null 2>&1" +bail() { + print_error_message 'The command exited with failure. Verify the command output or run the script in debug mode (-d|--debug).' +} - print_status "Setting the maximum file upload size in PHP to 5MB..." 
- if [ "$VER" = "20.04" ] - then - exec_cmd "sed -i 's/upload_max_filesize = 2M/upload_max_filesize = 5M/g' /etc/php/7.4/apache2/php.ini > /dev/null 2>&1" - else - exec_cmd "sed -i 's/upload_max_filesize = 2M/upload_max_filesize = 5M/g' /etc/php/7.2/apache2/php.ini > /dev/null 2>&1" - fi - print_status "Downloading the latest SimpleRisk release to /var/www/simplerisk..." - exec_cmd "rm -r /var/www/html" - exec_cmd "cd /var/www && wget https://github.com/simplerisk/bundles/raw/master/simplerisk-${CURRENT_SIMPLERISK_VERSION}.tgz > /dev/null 2>&1" - exec_cmd "cd /var/www && tar xvzf simplerisk-${CURRENT_SIMPLERISK_VERSION}.tgz > /dev/null 2>&1" - exec_cmd "rm /var/www/simplerisk-${CURRENT_SIMPLERISK_VERSION}.tgz > /dev/null 2>&1" - exec_cmd "cd /var/www/simplerisk && wget https://github.com/simplerisk/installer/raw/master/simplerisk-installer-${CURRENT_SIMPLERISK_VERSION}.tgz > /dev/null 2>&1" - exec_cmd "cd /var/www/simplerisk && tar xvzf simplerisk-installer-${CURRENT_SIMPLERISK_VERSION}.tgz > /dev/null 2>&1" - exec_cmd "rm /var/www/simplerisk/simplerisk-installer-${CURRENT_SIMPLERISK_VERSION}.tgz > /dev/null 2>&1" - exec_cmd "chown -R www-data: /var/www/simplerisk" - - print_status "Configuring Apache..." - exec_cmd "sed -i 's/\/var\/www\/html/\/var\/www\/simplerisk/g' /etc/apache2/sites-enabled/000-default.conf > /dev/null 2>&1" - if [ ! `grep -q "RewriteEngine On" /etc/apache2/sites-enabled/000-default.conf` ]; then - exec_cmd "sed -i '/^<\/VirtualHost>/i \\\tRewriteEngine On\n\tRewriteCond %{HTTPS} !=on\n\tRewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]' /etc/apache2/sites-enabled/000-default.conf > /dev/null 2>&1" +######################## +## OS SETUP FUNCTIONS ## +######################## +# In all functions, $1 will receive SimpleRisk's current version +setup_ubuntu_debian(){ + export DEBIAN_FRONTEND=noninteractive + + print_status "Running SimpleRisk ${1} installer..." + + print_status 'Populating apt-get cache...' 
+ exec_cmd 'apt-get update' + + # Add PHP8 for Ubuntu 20|Debian 11 + if [ "${OS}" != "${UBUNTU_OSVAR}" ] || [[ "${VER}" = '20.04' ]]; then + exec_cmd 'mkdir -p /etc/apt/keyrings' + local apt_php_version=8.1 + if [ "${OS}" = "${UBUNTU_OSVAR}" ]; then + print_status "Adding Ondrej's PPA with PHP8" + exec_cmd 'add-apt-repository -y ppa:ondrej/php' + else + print_status 'Install gnupg to handle keyrings...' + exec_cmd 'apt-get install -y gnupg' + + print_status "Adding Ondrej's repository with PHP8" + exec_cmd 'wget -qO - https://packages.sury.org/php/apt.gpg | gpg --dearmor -o /etc/apt/keyrings/sury-php.gpg' + exec_cmd "echo 'deb [signed-by=/etc/apt/keyrings/sury-php.gpg] https://packages.sury.org/php/ $(lsb_release -sc) main' | sudo tee /etc/apt/sources.list.d/sury-php.list" + fi + + # Add MySQL 8 for Debian + if [ "${OS}" = "${DEBIAN_OSVAR}" ]; then + print_status 'Adding MySQL 8 repository' + exec_cmd "wget -qO - $MYSQL_KEY_URL | gpg --dearmor -o /etc/apt/keyrings/mysql.gpg" + exec_cmd "echo 'deb [signed-by=/etc/apt/keyrings/mysql.gpg] https://repo.mysql.com/apt/$(lsb_release -si | tr '[:upper:]' '[:lower:]')/ $(lsb_release -sc) mysql-8.4-lts' | sudo tee /etc/apt/sources.list.d/mysql.list" + fi + + print_status 'Re-populating apt-get cache with added repos...' + exec_cmd 'apt-get update' fi - exec_cmd "sed -i 's/\/var\/www\/html/\/var\/www\/simplerisk/g' /etc/apache2/sites-enabled/default-ssl.conf > /dev/null 2>&1" - if [ ! `grep -q "AllowOverride all" /etc/apache2/sites-enabled/default-ssl.conf` ]; then - exec_cmd "sed -i '/<\/Directory>/a \\\t\t\n\t\t\tAllowOverride all\n\t\t\tallow from all\n\t\t\tOptions -Indexes\n\t\t<\/Directory>' /etc/apache2/sites-enabled/default-ssl.conf > /dev/null 2>&1" + + print_status 'Updating current packages (this may take a bit)...' + exec_cmd 'apt-get dist-upgrade -qq --assume-yes' + + if [ "${OS}" = "${UBUNTU_OSVAR}" ] && [[ "${VER}" != '20.04' ]]; then + print_status 'Installing lamp-server...' 
+ exec_cmd 'apt-get install -y lamp-server^' + else + print_status 'Installing Apache...' + exec_cmd 'apt-get install -y apache2' + + print_status 'Installing MySQL...' + exec_cmd 'apt-get install -y mysql-server' + + print_status 'Installing PHP...' + exec_cmd "apt-get install -y php${apt_php_version:-} php${apt_php_version:-}-mysql libapache2-mod-php${apt_php_version:-}" + + if [ "${OS}" = "${DEBIAN_OSVAR}" ] && [ "${VER}" = '12' ]; then + print_status 'Installing crontab for Debian 12' + exec_cmd 'apt-get install -y cron' + fi fi - print_status "Restarting Apache to load the new configuration..." - exec_cmd "service apache2 restart > /dev/null 2>&1" + print_status 'Installing PHP development libraries...' + exec_cmd "apt-get install -y php${apt_php_version:-}-dev" - print_status "Generating MySQL passwords..." - exec_cmd "apt-get install -y pwgen > /dev/null 2>&1" - NEW_MYSQL_ROOT_PASSWORD=`pwgen -c -n -1 20` > /dev/null 2>&1 - MYSQL_SIMPLERISK_PASSWORD=`pwgen -c -n -1 20` > /dev/null 2>&1 - echo "MYSQL ROOT PASSWORD: ${NEW_MYSQL_ROOT_PASSWORD}" >> /root/passwords.txt - echo "MYSQL SIMPLERISK PASSWORD: ${MYSQL_SIMPLERISK_PASSWORD}" >> /root/passwords.txt - chmod 600 /root/passwords.txt + for module in xml mbstring mysql ldap curl gd zip intl; do + print_status "Installing the $module module for PHP..." + exec_cmd "apt-get install -y php${apt_php_version:-}-$module" + done + + print_status 'Enabling the ldap module in PHP...' + exec_cmd 'phpenmod ldap' + + print_status 'Enabling SSL for Apache...' + exec_cmd 'a2enmod rewrite' + exec_cmd 'a2enmod ssl' + exec_cmd 'a2ensite default-ssl' + + print_status 'Installing sendmail...' + exec_cmd 'apt-get install -y sendmail' + + print_status 'Configuring secure settings for Apache...' 
+ exec_cmd "sed -i 's/\(SSLProtocol\) all -SSLv3/\1 TLSv1.2/g' /etc/apache2/mods-enabled/ssl.conf" + exec_cmd "sed -i 's/#\?\(SSLHonorCipherOrder\) on/\1 on/g' /etc/apache2/mods-enabled/ssl.conf" + exec_cmd "sed -i 's/\(ServerTokens\) OS/\1 Prod/g' /etc/apache2/conf-enabled/security.conf" + exec_cmd "sed -i 's/\(ServerSignature\) On/\1 Off/g' /etc/apache2/conf-enabled/security.conf" - print_status "Configuring MySQL..." - exec_cmd "sed -i '$ a sql-mode=\"NO_ENGINE_SUBSTITUTION\"' /etc/mysql/mysql.conf.d/mysqld.cnf > /dev/null 2>&1" - exec_cmd "mysql -uroot mysql -e \"CREATE DATABASE simplerisk\"" - exec_cmd "mysql -uroot simplerisk -e \"\\. /var/www/simplerisk/install/db/simplerisk-en-${CURRENT_SIMPLERISK_VERSION}.sql\"" -### - if [ "$VER" = "20.04" ] - then - exec_cmd "mysql -uroot simplerisk -e \"CREATE USER 'simplerisk'@'localhost' IDENTIFIED BY '${MYSQL_SIMPLERISK_PASSWORD}'\"" - exec_cmd "mysql -uroot simplerisk -e \"GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, REFERENCES, INDEX ON simplerisk.* TO 'simplerisk'@'localhost'\"" - exec_cmd "mysql -uroot simplerisk -e \"UPDATE mysql.db SET References_priv='Y',Index_priv='Y' WHERE db='simplerisk';\"" -else - exec_cmd "mysql -uroot simplerisk -e \"GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, REFERENCES, INDEX ON simplerisk.* TO 'simplerisk'@'localhost' IDENTIFIED BY '${MYSQL_SIMPLERISK_PASSWORD}'\"" - exec_cmd "mysql -uroot simplerisk -e \"UPDATE mysql.db SET References_priv='Y',Index_priv='Y' WHERE db='simplerisk';\"" + # Obtaining php version to find settings file path + [ -n "${apt_php_version:-}" ] && php_version=$apt_php_version || php_version=$(get_installed_php_version) + + set_php_settings "/etc/php/$php_version/apache2/php.ini" + + set_up_simplerisk 'www-data' "${1}" + + print_status 'Configuring Apache...' + exec_cmd "sed -i 's|\(/var/www/\)html|\1simplerisk|g' /etc/apache2/sites-enabled/000-default.conf" + if ! 
grep -q 'RewriteEngine On' /etc/apache2/sites-enabled/000-default.conf; then + exec_cmd "sed -i '/^<\/VirtualHost>/i \\\tRewriteEngine On\n\tRewriteCond %{HTTPS} !=on\n\tRewriteRule ^/?(.*) https://%{SERVER_NAME}/\$1 [R,L]' /etc/apache2/sites-enabled/000-default.conf" + fi + exec_cmd "sed -i 's|/var/www/html|/var/www/simplerisk|g' /etc/apache2/sites-enabled/default-ssl.conf" + if ! grep -q 'AllowOverride all' /etc/apache2/sites-enabled/default-ssl.conf; then + exec_cmd "sed -i '/<\/Directory>/a \\\t\t\n\t\t\tAllowOverride all\n\t\t\tallow from all\n\t\t\tOptions -Indexes\n\t\t<\/Directory>' /etc/apache2/sites-enabled/default-ssl.conf" fi - exec_cmd "mysql -uroot mysql -e \"ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY '${NEW_MYSQL_ROOT_PASSWORD}'\"" - print_status "Setting the SimpleRisk database password..." - exec_cmd "sed -i \"s/DB_PASSWORD', 'simplerisk/DB_PASSWORD', '${MYSQL_SIMPLERISK_PASSWORD}/\" /var/www/simplerisk/includes/config.php > /dev/null 2>&1" + print_status 'Configuring Sendmail...' + exec_cmd "sed -i 's/\(localhost\)/\1 $(hostname)/g' /etc/hosts" + exec_cmd 'yes | sendmailconfig' + exec_cmd 'service sendmail start' - print_status "Restarting MySQL to load the new configuration..." - exec_cmd "service mysql restart > /dev/null 2>&1" + print_status 'Restarting Apache to load the new configuration...' + exec_cmd 'service apache2 restart' - print_status "Removing the SimpleRisk install directory..." - exec_cmd "rm -r /var/www/simplerisk/install" + generate_passwords - print_status "Enabling UFW firewall..." - exec_cmd "ufw allow ssh > /dev/null 2>&1" - exec_cmd "ufw allow http > /dev/null 2>&1" - exec_cmd "ufw allow https > /dev/null 2>&1" - exec_cmd "ufw --force enable > /dev/null 2>&1" + print_status 'Configuring MySQL...' + exec_cmd "sed -i '$ a sql-mode=\"NO_ENGINE_SUBSTITUTION\"' /etc/mysql/mysql.conf.d/mysqld.cnf" + set_up_database - print_status "Check /root/passwords.txt for the MySQL root and simplerisk passwords." 
- print_status "INSTALLATION COMPLETED SUCCESSFULLY" -} + print_status 'Restarting MySQL to load the new configuration...' + exec_cmd 'service mysql restart' -setup_centos_7(){ - # Get the current SimpleRisk release version - CURRENT_SIMPLERISK_VERSION=`curl -sL https://updates.simplerisk.com/Current_Version.xml | grep -oP '(.*)' | cut -d '>' -f 2 | cut -d '<' -f 1` - - print_status "Running SimpleRisk ${CURRENT_SIMPLERISK_VERSION} installer..." - - print_status "Updating packages with yum. This may take some time." - exec_cmd "yum -y update > /dev/null 2>&1" - - print_status "Installing the Apache web server..." - exec_cmd "yum -y install httpd > /dev/null 2>&1" - - print_status "Installing the wget package..." - exec_cmd "yum -y install wget > /dev/null 2>&1" - - print_status "Installing PHP for Apache..." - exec_cmd "rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm > /dev/null 2>&1" - exec_cmd "rpm -Uvh http://rpms.famillecollet.com/enterprise/remi-release-7.rpm > /dev/null 2>&1" - exec_cmd "yum -y --enablerepo=remi,remi-php71 install httpd php php-common > /dev/null 2>&1" - exec_cmd "yum -y --enablerepo=remi,remi-php71 install php-cli php-pear php-pdo php-mysqlnd php-gd php-mbstring php-mcrypt php-xml php-curl" - - print_status "Installing mod_ssl" - exec_cmd "yum -y install mod_ssl > /dev/null 2>&1" - - print_status "Enabling and starting the Apache web server..." - exec_cmd "systemctl enable httpd > /dev/null 2>&1" - exec_cmd "systemctl start httpd > /dev/null 2>&1" - - print_status "Installing Firewalld" - exec_cmd "yum -y install firewalld > /dev/null 2>&1" - - print_status "Downloading the latest SimpleRisk release to /var/www/simplerisk..." 
- exec_cmd "cd /var/www/ && wget https://github.com/simplerisk/bundles/raw/master/simplerisk-${CURRENT_SIMPLERISK_VERSION}.tgz > /dev/null 2>&1" - exec_cmd "cd /var/www/ && tar xvzf simplerisk-${CURRENT_SIMPLERISK_VERSION}.tgz > /dev/null 2>&1" - exec_cmd "rm -f /var/www/simplerisk-${CURRENT_SIMPLERISK_VERSION}.tgz > /dev/null 2>&1" - exec_cmd "cd /var/www/simplerisk && wget https://github.com/simplerisk/installer/raw/master/simplerisk-installer-${CURRENT_SIMPLERISK_VERSION}.tgz > /dev/null 2>&1" - exec_cmd "cd /var/www/simplerisk && tar xvzf simplerisk-installer-${CURRENT_SIMPLERISK_VERSION}.tgz > /dev/null 2>&1" - exec_cmd "rm -f /var/www/simplerisk/simplerisk-installer-${CURRENT_SIMPLERISK_VERSION}.tgz > /dev/null 2>&1" - exec_cmd "chown -R apache: /var/www/simplerisk" - - print_status "Configuring Apache..." - exec_cmd "cd /etc/httpd && mkdir sites-available" - exec_cmd "cd /etc/httpd && mkdir sites-enabled" - exec_cmd "echo \"IncludeOptional sites-enabled/*.conf\" >> /etc/httpd/conf/httpd.conf" - echo "" >> /etc/httpd/sites-enabled/simplerisk.conf - echo " DocumentRoot \"/var/www/simplerisk/\"" >> /etc/httpd/sites-enabled/simplerisk.conf - echo " ErrorLog /var/log/httpd/error_log" >> /etc/httpd/sites-enabled/simplerisk.conf - echo " CustomLog /var/log/httpd/access_log combined" >> /etc/httpd/sites-enabled/simplerisk.conf - echo " " >> /etc/httpd/sites-enabled/simplerisk.conf - echo " AllowOverride all" >> /etc/httpd/sites-enabled/simplerisk.conf - echo " allow from all" >> /etc/httpd/sites-enabled/simplerisk.conf - echo " Options -Indexes" >> /etc/httpd/sites-enabled/simplerisk.conf - echo " " >> /etc/httpd/sites-enabled/simplerisk.conf - echo " RewriteEngine On" >> /etc/httpd/sites-enabled/simplerisk.conf - echo " RewriteCond %{HTTPS} !=on" >> /etc/httpd/sites-enabled/simplerisk.conf - echo " RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]" >> /etc/httpd/sites-enabled/simplerisk.conf - echo "" >> /etc/httpd/sites-enabled/simplerisk.conf - - if [ ! 
`grep -q "AllowOverride all" /etc/httpd/conf.d/ssl.conf` ]; then - exec_cmd "sed -i '/<\/Directory>/a \\\t\t\n\t\t\tAllowOverride all\n\t\t\tallow from all\n\t\t\tOptions -Indexes\n\t\t<\/Directory>' /etc/httpd/conf.d/ssl.conf > /dev/null 2>&1" - fi - exec_cmd "sed -i '//a \\\t\tDocumentRoot "/var/www/simplerisk"' /etc/httpd/conf.d/ssl.conf > /dev/null 2>&1" - - print_status "Installing the MariaDB database server..." - exec_cmd "yum -y install mariadb-server > /dev/null 2>&1" - - print_status "Enabling and starting the MariaDB database server..." - exec_cmd "systemctl enable mariadb > /dev/null 2>&1" - exec_cmd "systemctl start mariadb > /dev/null 2>&1" - - print_status "Generating MySQL passwords..." - NEW_MYSQL_ROOT_PASSWORD=`< /dev/urandom tr -dc A-Za-z0-9 | head -c20` > /dev/null 2>&1 - MYSQL_SIMPLERISK_PASSWORD=`< /dev/urandom tr -dc A-Za-z0-9 | head -c20` > /dev/null 2>&1 - echo "MYSQL ROOT PASSWORD: ${NEW_MYSQL_ROOT_PASSWORD}" >> /root/passwords.txt - echo "MYSQL SIMPLERISK PASSWORD: ${MYSQL_SIMPLERISK_PASSWORD}" >> /root/passwords.txt - chmod 600 /root/passwords.txt + print_status 'Removing the SimpleRisk database file...' + exec_cmd 'rm -r /var/www/simplerisk/database.sql' - print_status "Configuring MySQL..." - #exec_cmd "sed -i '$ a sql-mode=\"NO_ENGINE_SUBSTITUTION\"' /etc/mysql/mysql.conf.d/mysqld.cnf > /dev/null 2>&1" - exec_cmd "mysql -uroot mysql -e \"CREATE DATABASE simplerisk\"" - exec_cmd "mysql -uroot simplerisk -e \"\\. 
/var/www/simplerisk/install/db/simplerisk-en-${CURRENT_SIMPLERISK_VERSION}.sql\"" - exec_cmd "mysql -uroot simplerisk -e \"GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP ALTER ON simplerisk.* TO 'simplerisk'@'localhost' IDENTIFIED BY '${MYSQL_SIMPLERISK_PASSWORD}'\"" - exec_cmd "mysql -uroot mysql -e \"DROP DATABASE test\"" - exec_cmd "mysql -uroot mysql -e \"DROP USER ''@'localhost'\"" - exec_cmd "mysql -uroot mysql -e \"DROP USER ''@'$(hostname)'\"" - exec_cmd "mysql -uroot mysql -e \"UPDATE mysql.user SET Password = PASSWORD('${NEW_MYSQL_ROOT_PASSWORD}') WHERE User = 'root'\"" - ,exec_cmd "mysql -uroot mysql -e \"ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY '${NEW_MYSQL_ROOT_PASSWORD}'\"" - exec_cmd "mysql -uroot simplerisk -e \"UPDATE mysql.db SET References_priv='Y',Index_priv='Y' WHERE db='simplerisk';\"" - - print_status "Setting the SimpleRisk database password..." - exec_cmd "sed -i \"s/DB_PASSWORD', 'simplerisk/DB_PASSWORD', '${MYSQL_SIMPLERISK_PASSWORD}/\" /var/www/simplerisk/includes/config.php > /dev/null 2>&1" - - print_status "Restarting MySQL to load the new configuration..." - exec_cmd "systemctl restart mariadb > /dev/null 2>&1" - - print_status "Removing the SimpleRisk install directory..." - exec_cmd "rm -r /var/www/simplerisk/install" - - print_status "Opening Firewall for HTTP/HTTPS traffic" - exec_cmd "systemctl enable firewalld" - exec_cmd "systemctl start firewalld" - exec_cmd "firewall-cmd --permanent --zone=public --add-service=http" - exec_cmd "firewall-cmd --permanent --zone=public --add-service=https" - exec_cmd "firewall-cmd --permanent --zone=public --add-service=ssh" - exec_cmd "firewall-cmd --reload" - - print_status "Restarting Apache..." 
- exec_cmd "systemctl restart httpd" - - print_status "Configuring SELinux for SimpleRisk" - exec_cmd "setsebool -P httpd_builtin_scripting=1" - exec_cmd "setsebool -P httpd_can_network_connect=1" - exec_cmd "setsebool -P httpd_can_sendmail=1" - exec_cmd "setsebool -P httpd_dbus_avahi=1" - exec_cmd "setsebool -P httpd_enable_cgi=1" - exec_cmd "setsebool -P httpd_read_user_content=1" - exec_cmd "setsebool -P httpd_tty_comm=1" - exec_cmd "setsebool -P allow_httpd_anon_write=0" - exec_cmd "setsebool -P allow_httpd_mod_auth_ntlm_winbind=0" - exec_cmd "setsebool -P allow_httpd_mod_auth_pam=0" - exec_cmd "setsebool -P allow_httpd_sys_script_anon_write=0" - exec_cmd "setsebool -P httpd_can_check_spam=0" - exec_cmd "setsebool -P httpd_can_network_connect_cobbler=0" - exec_cmd "setsebool -P httpd_can_network_connect_db=0" - exec_cmd "setsebool -P httpd_can_network_memcache=0" - exec_cmd "setsebool -P httpd_can_network_relay=0" - exec_cmd "setsebool -P httpd_dbus_sssd=0" - exec_cmd "setsebool -P httpd_enable_ftp_server=0" - exec_cmd "setsebool -P httpd_enable_homedirs=0" - exec_cmd "setsebool -P httpd_execmem=0" - exec_cmd "setsebool -P httpd_manage_ipa=0" - exec_cmd "setsebool -P httpd_run_preupgrade=0" - exec_cmd "setsebool -P httpd_run_stickshift=0" - exec_cmd "setsebool -P httpd_serve_cobbler_files=0" - exec_cmd "setsebool -P httpd_setrlimit=0" - exec_cmd "setsebool -P httpd_ssi_exec=0" - exec_cmd "setsebool -P httpd_tmp_exec=0" - exec_cmd "setsebool -P httpd_use_cifs=0" - exec_cmd "setsebool -P httpd_use_fusefs=0" - exec_cmd "setsebool -P httpd_use_gpg=0" - exec_cmd "setsebool -P httpd_use_nfs=0" - exec_cmd "setsebool -P httpd_use_openstack=0" - exec_cmd "setsebool -P httpd_verify_dns=0" - exec_cmd "chcon -R -t httpd_sys_rw_content_t /var/www/simplerisk" - - - print_status "Check /root/passwords.txt for the MySQL root and simplerisk passwords." - print_status "INSTALLATION COMPLETED SUCCESSFULLY" -} + print_status 'Setting up Backup cronjob...' 
+ set_up_backup_cronjob -setup_rhel_8(){ - # Get the current SimpleRisk release version - CURRENT_SIMPLERISK_VERSION=`curl -sL https://updates.simplerisk.com/Current_Version.xml | grep -oP '(.*)' | cut -d '>' -f 2 | cut -d '<' -f 1` - - print_status "Running SimpleRisk ${CURRENT_SIMPLERISK_VERSION} installer..." - - print_status "Updating packages with yum. This can take several minutes to complete..." - exec_cmd "yum -y update > /dev/null 2>&1" - - print_status "Installing the wget package..." - exec_cmd "yum -y install wget > /dev/null 2>&1" - - print_status "Installing Firewalld" - exec_cmd "yum -y install firewalld > /dev/null 2>&1" - - print_status "Installing the Apache web server..." - exec_cmd "yum -y install httpd > /dev/null 2>&1" - - print_status "Installing PHP for Apache..." - exec_cmd "yum -y install php php-mysqlnd php-mbstring php-opcache php-gd php-json php-ldap php-curl > /dev/null 2>&1" - - print_status "Installing the MariaDB database server..." - exec_cmd "yum -y install mariadb-server > /dev/null 2>&1" - - print_status "Installing mod_ssl" - exec_cmd "yum -y install mod_ssl > /dev/null 2>&1" - - print_status "Enabling and starting the Apache web server..." - exec_cmd "systemctl enable httpd > /dev/null 2>&1" - exec_cmd "systemctl start httpd > /dev/null 2>&1" - - print_status "Downloading the latest SimpleRisk release to /var/www/simplerisk..." 
- exec_cmd "cd /var/www && wget https://github.com/simplerisk/bundles/raw/master/simplerisk-${CURRENT_SIMPLERISK_VERSION}.tgz > /dev/null 2>&1" - exec_cmd "cd /var/www && tar xvzf simplerisk-${CURRENT_SIMPLERISK_VERSION}.tgz > /dev/null 2>&1" - exec_cmd "rm -f /var/www/simplerisk-${CURRENT_SIMPLERISK_VERSION}.tgz > /dev/null 2>&1" - exec_cmd "cd /var/www/simplerisk && wget https://github.com/simplerisk/installer/raw/master/simplerisk-installer-${CURRENT_SIMPLERISK_VERSION}.tgz > /dev/null 2>&1" - exec_cmd "cd /var/www/simplerisk && tar xvzf simplerisk-installer-${CURRENT_SIMPLERISK_VERSION}.tgz > /dev/null 2>&1" - exec_cmd "rm -f /var/www/simplerisk/simplerisk-installer-${CURRENT_SIMPLERISK_VERSION}.tgz > /dev/null 2>&1" - exec_cmd "chown -R apache: /var/www/simplerisk" - - print_status "Configuring Apache..." - exec_cmd "sed -i 's/#DocumentRoot \"\/var\/www\/html\"/DocumentRoot \"\/var\/www\/simplerisk\"/' /etc/httpd/conf.d/ssl.conf" - exec_cmd "cd /etc/httpd && mkdir sites-available" - exec_cmd "cd /etc/httpd && mkdir sites-enabled" - exec_cmd "echo \"IncludeOptional sites-enabled/*.conf\" >> /etc/httpd/conf/httpd.conf" - echo "" >> /etc/httpd/sites-enabled/simplerisk.conf - echo " DocumentRoot \"/var/www/simplerisk/\"" >> /etc/httpd/sites-enabled/simplerisk.conf - echo " ErrorLog /var/log/httpd/error_log" >> /etc/httpd/sites-enabled/simplerisk.conf - echo " CustomLog /var/log/httpd/access_log combined" >> /etc/httpd/sites-enabled/simplerisk.conf - echo " " >> /etc/httpd/sites-enabled/simplerisk.conf - echo " AllowOverride all" >> /etc/httpd/sites-enabled/simplerisk.conf - echo " allow from all" >> /etc/httpd/sites-enabled/simplerisk.conf - echo " Options -Indexes" >> /etc/httpd/sites-enabled/simplerisk.conf - echo " " >> /etc/httpd/sites-enabled/simplerisk.conf - echo " RewriteEngine On" >> /etc/httpd/sites-enabled/simplerisk.conf - echo " RewriteCond %{HTTPS} !=on" >> /etc/httpd/sites-enabled/simplerisk.conf - echo " RewriteRule ^/?(.*) 
https://%{SERVER_NAME}/$1 [R,L]" >> /etc/httpd/sites-enabled/simplerisk.conf - echo "" >> /etc/httpd/sites-enabled/simplerisk.conf - exec_cmd "rm /etc/httpd/conf.d/welcome.conf" - - if [ ! `grep -q "AllowOverride all" /etc/httpd/conf.d/ssl.conf` ]; then - exec_cmd "sed -i '/<\/Directory>/a \\\t\t\n\t\t\tAllowOverride all\n\t\t\tallow from all\n\t\t\tOptions -Indexes\n\t\t<\/Directory>' /etc/httpd/conf.d/ssl.conf > /dev/null 2>&1" - fi - print_status "Enabling and starting the MariaDB database server..." - exec_cmd "systemctl enable mariadb > /dev/null 2>&1" - exec_cmd "systemctl start mariadb > /dev/null 2>&1" - - print_status "Generating MySQL passwords..." - NEW_MYSQL_ROOT_PASSWORD=`< /dev/urandom tr -dc A-Za-z0-9 | head -c20` > /dev/null 2>&1 - MYSQL_SIMPLERISK_PASSWORD=`< /dev/urandom tr -dc A-Za-z0-9 | head -c20` > /dev/null 2>&1 - echo "MYSQL ROOT PASSWORD: ${NEW_MYSQL_ROOT_PASSWORD}" >> /root/passwords.txt - echo "MYSQL SIMPLERISK PASSWORD: ${MYSQL_SIMPLERISK_PASSWORD}" >> /root/passwords.txt - chmod 600 /root/passwords.txt + if [ "${OS}" = "${DEBIAN_OSVAR}" ]; then + print_status 'Installing UFW firewall...' + exec_cmd 'apt-get install -y ufw' + fi - print_status "Configuring MySQL..." - #exec_cmd "sed -i '$ a sql-mode=\"NO_ENGINE_SUBSTITUTION\"' /etc/mysql/mysql.conf.d/mysqld.cnf > /dev/null 2>&1" - exec_cmd "mysql -uroot mysql -e \"CREATE DATABASE simplerisk\"" - exec_cmd "mysql -uroot simplerisk -e \"\\. 
/var/www/simplerisk/install/db/simplerisk-en-${CURRENT_SIMPLERISK_VERSION}.sql\"" - exec_cmd "mysql -uroot simplerisk -e \"GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP ALTER ON simplerisk.* TO 'simplerisk'@'localhost' IDENTIFIED BY '${MYSQL_SIMPLERISK_PASSWORD}'\"" - exec_cmd "mysql -uroot mysql -e \"UPDATE mysql.user SET Password = PASSWORD('${NEW_MYSQL_ROOT_PASSWORD}') WHERE User = 'root'\"" - #exec_cmd "mysql -uroot mysql -e \"ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY '${NEW_MYSQL_ROOT_PASSWORD}'\"" - exec_cmd "mysql -uroot simplerisk -e \"UPDATE mysql.db SET References_priv='Y',Index_priv='Y' WHERE db='simplerisk';\"" - - print_status "Setting the SimpleRisk database password..." - exec_cmd "sed -i \"s/DB_PASSWORD', 'simplerisk/DB_PASSWORD', '${MYSQL_SIMPLERISK_PASSWORD}/\" /var/www/simplerisk/includes/config.php > /dev/null 2>&1" - - print_status "Restarting MySQL to load the new configuration..." - exec_cmd "systemctl restart mariadb > /dev/null 2>&1" - - print_status "Removing the SimpleRisk install directory..." - exec_cmd "rm -r /var/www/simplerisk/install" - - print_status "Restarting Apache..." 
- exec_cmd "systemctl restart httpd" - - print_status "Opening Firewall for HTTP/HTTPS traffic" - exec_cmd "systemctl enable firewalld" - exec_cmd "systemctl start firewalld" - exec_cmd "firewall-cmd --permanent --zone=public --add-service=http" - exec_cmd "firewall-cmd --permanent --zone=public --add-service=https" - exec_cmd "firewall-cmd --permanent --zone=public --add-service=ssh" - exec_cmd "firewall-cmd --reload" - - print_status "Configuring SELinux for SimpleRisk" - exec_cmd "setsebool -P httpd_builtin_scripting=1" - exec_cmd "setsebool -P httpd_can_network_connect=1" - exec_cmd "setsebool -P httpd_can_sendmail=1" - exec_cmd "setsebool -P httpd_dbus_avahi=1" - exec_cmd "setsebool -P httpd_enable_cgi=1" - exec_cmd "setsebool -P httpd_read_user_content=1" - exec_cmd "setsebool -P httpd_tty_comm=1" - exec_cmd "setsebool -P allow_httpd_anon_write=0" - exec_cmd "setsebool -P allow_httpd_mod_auth_ntlm_winbind=0" - exec_cmd "setsebool -P allow_httpd_mod_auth_pam=0" - exec_cmd "setsebool -P allow_httpd_sys_script_anon_write=0" - exec_cmd "setsebool -P httpd_can_check_spam=0" - exec_cmd "setsebool -P httpd_can_network_connect_cobbler=0" - exec_cmd "setsebool -P httpd_can_network_connect_db=0" - exec_cmd "setsebool -P httpd_can_network_memcache=0" - exec_cmd "setsebool -P httpd_can_network_relay=0" - exec_cmd "setsebool -P httpd_dbus_sssd=0" - exec_cmd "setsebool -P httpd_enable_ftp_server=0" - exec_cmd "setsebool -P httpd_enable_homedirs=0" - exec_cmd "setsebool -P httpd_execmem=0" - exec_cmd "setsebool -P httpd_manage_ipa=0" - exec_cmd "setsebool -P httpd_run_preupgrade=0" - exec_cmd "setsebool -P httpd_run_stickshift=0" - exec_cmd "setsebool -P httpd_serve_cobbler_files=0" - exec_cmd "setsebool -P httpd_setrlimit=0" - exec_cmd "setsebool -P httpd_ssi_exec=0" - exec_cmd "setsebool -P httpd_tmp_exec=0" - exec_cmd "setsebool -P httpd_use_cifs=0" - exec_cmd "setsebool -P httpd_use_fusefs=0" - exec_cmd "setsebool -P httpd_use_gpg=0" - exec_cmd "setsebool -P 
httpd_use_nfs=0" - exec_cmd "setsebool -P httpd_use_openstack=0" - exec_cmd "setsebool -P httpd_verify_dns=0" - exec_cmd "chcon -R -t httpd_sys_rw_content_t /var/www/simplerisk" - - - - - print_status "Check /root/passwords.txt for the MySQL root and simplerisk passwords." - print_status "INSTALLATION COMPLETED SUCCESSFULLY" + print_status 'Enabling UFW firewall...' + exec_cmd 'ufw allow ssh' + exec_cmd 'ufw allow http' + exec_cmd 'ufw allow https' + exec_cmd 'ufw --force enable' } -setup_suse_12(){ - # Get the current SimpleRisk release version - CURRENT_SIMPLERISK_VERSION=`curl -sL https://updates.simplerisk.com/Current_Version.xml | grep -oP '(.*)' | cut -d '>' -f 2 | cut -d '<' -f 1` - - print_status "Running SimpleRisk ${CURRENT_SIMPLERISK_VERSION} installer..." - - print_status "Populating zypper cache..." - exec_cmd 'zypper --non-interactive update > /dev/null 2>&1' - - print_status "Installing Apache..." - exec_cmd "zypper --non-interactive install apache2 > /dev/null 2>&1" - - print_status "Starting Apache..." - exec_cmd "systemctl start apache2 > /dev/null 2>&1" - - print_status "Enabling Apache on reboot..." - exec_cmd "systemctl enable apache2 > /dev/null 2>&1" - - print_status "Installing MariaDB..." - exec_cmd "zypper --non-interactive install mariadb mariadb-client mariadb-tools > /dev/null 2>&1" - - print_status "Starting MySQL..." - exec_cmd "systemctl start mysql > /dev/null 2>&1" - - print_status "Enabling MySQL on reboot..." - exec_cmd "systemctl enable mysql > /dev/null 2>&1" - - print_status "Installing PHP 7..." - exec_cmd "zypper --non-interactive install php7 php7-mysql apache2-mod_php7 php-ldap php-curl php-zlib php-phar php-mbstring > /dev/null 2>&1" - exec_cmd "a2enmod php7 > /dev/null 2>&1" - - print_status "Enabling SSL for Apache..." - exec_cmd "a2enmod rewrite > /dev/null 2>&1" - exec_cmd "a2enmod ssl > /dev/null 2>&1" - exec_cmd "a2enmod mod_ssl > /dev/null 2>&1" - - print_status "Enabling Rewrite Module for Apache..." 
- echo "LoadModule rewrite_module /usr/lib64/apache2-prefork/mod_rewrite.so" >> /etc/apache2/loadmodule.conf - - - print_status "Setting up SimpleRisk Virtual Host and SSL Self-Signed Cert" - echo "Listen 443" >> /etc/apache2/vhosts.d/simplerisk.conf - echo "" >> /etc/apache2/vhosts.d/simplerisk.conf - echo " DocumentRoot \"/var/www/simplerisk/\"" >> /etc/apache2/vhosts.d/simplerisk.conf - echo " ErrorLog /var/log/apache2/error_log" >> /etc/apache2/vhosts.d/simplerisk.conf - echo " CustomLog /var/log/apache2/access_log combined" >> /etc/apache2/vhosts.d/simplerisk.conf - echo " " >> /etc/apache2/vhosts.d/simplerisk.conf - echo " AllowOverride all" >> /etc/apache2/vhosts.d/simplerisk.conf - echo " Require all granted" >> /etc/apache2/vhosts.d/simplerisk.conf - echo " Options -Indexes" >> /etc/apache2/vhosts.d/simplerisk.conf - echo " " >> /etc/apache2/vhosts.d/simplerisk.conf - echo " RewriteEngine On" >> /etc/apache2/vhosts.d/simplerisk.conf - echo " RewriteCond %{HTTPS} !=on" >> /etc/apache2/vhosts.d/simplerisk.conf - echo " RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]" >> /etc/apache2/vhosts.d/simplerisk.conf - echo "" >> /etc/apache2/vhosts.d/simplerisk.conf - - # Generate the OpenSSL private key - exec_cmd "openssl genrsa -des3 -passout pass:/passwords/pass_openssl.txt -out /etc/apache2/ssl.key/simplerisk.pass.key" - exec_cmd "openssl rsa -passin pass:/passwords/pass_openssl.txt -in /etc/apache2/ssl.key/simplerisk.pass.key -out /etc/apache2/ssl.key/simplerisk.key" - - # Remove the original key file - exec_cmd "rm /etc/apache2/ssl.key/simplerisk.pass.key" - - # Generate the CSR - exec_cmd "openssl req -new -key /etc/apache2/ssl.key/simplerisk.key -out /etc/apache2/ssl.csr/simplerisk.csr -subj "/CN=simplerisk"" - - # Create the Certificate - exec_cmd "openssl x509 -req -days 365 -in /etc/apache2/ssl.csr/simplerisk.csr -signkey /etc/apache2/ssl.key/simplerisk.key -out /etc/apache2/ssl.crt/simplerisk.crt" - - echo "" >> /etc/apache2/vhosts.d/ssl.conf - echo 
" DocumentRoot \"/var/www/simplerisk/\"" >> /etc/apache2/vhosts.d/ssl.conf - echo " ErrorLog /var/log/apache2/error_log" >> /etc/apache2/vhosts.d/ssl.conf - echo " CustomLog /var/log/apache2/access_log combined" >> /etc/apache2/vhosts.d/ssl.conf - echo " " >> /etc/apache2/vhosts.d/ssl.conf - echo " AllowOverride all" >> /etc/apache2/vhosts.d/ssl.conf - echo " Require all granted" >> /etc/apache2/vhosts.d/ssl.conf - echo " Options -Indexes" >> /etc/apache2/vhosts.d/ssl.conf - echo " " >> /etc/apache2/vhosts.d/ssl.conf - echo " SSLEngine on" >> /etc/apache2/vhosts.d/ssl.conf - echo " SSLCertificateFile /etc/apache2/ssl.crt/simplerisk.crt" >> /etc/apache2/vhosts.d/ssl.conf - echo " SSLCertificateKeyFile /etc/apache2/ssl.key/simplerisk.key" >> /etc/apache2/vhosts.d/ssl.conf - echo " #SSLCertificateChainFile /etc/apache2/ssl.crt/vhost-example-chain.crt" >> /etc/apache2/vhosts.d/ssl.conf - echo "" >> /etc/apache2/vhosts.d/ssl.conf - - print_status "Configuring secure settings for Apache..." - sed -i 's/\(SSLProtocol\).*/\1 TLSv1.2/g' /etc/apache2/ssl-global.conf > /dev/null 2>&1 - sed -i 's/#\(SSLHonorCipherOrder\)/\1/g' /etc/apache2/ssl-global.conf > /dev/null 2>&1 -// #exec_cmd "sed -i 's/ServerTokens OS/ServerTokens Prod/g' /etc/apache2/conf-enabled/security.conf > /dev/null 2>&1" -// #exec_cmd "sed -i 's/ServerSignature On/ServerSignature Off/g' /etc/apache2/conf-enabled/security.conf > /dev/null 2>&1" - - print_status "Setting the maximum file upload size in PHP to 5MB..." - exec_cmd "sed -i 's/upload_max_filesize = 2M/upload_max_filesize = 5M/g' /etc/php7/apache2/php.ini > /dev/null 2>&1" - - print_status "Downloading the latest SimpleRisk release to /var/www/simplerisk..." 
- exec_cmd "mkdir /var/www/" - exec_cmd "cd /var/www && wget https://github.com/simplerisk/bundles/raw/master/simplerisk-${CURRENT_SIMPLERISK_VERSION}.tgz > /dev/null 2>&1" - exec_cmd "cd /var/www && tar xvzf simplerisk-${CURRENT_SIMPLERISK_VERSION}.tgz > /dev/null 2>&1" - exec_cmd "rm /var/www/simplerisk-${CURRENT_SIMPLERISK_VERSION}.tgz > /dev/null 2>&1" - exec_cmd "cd /var/www/simplerisk && wget https://github.com/simplerisk/installer/raw/master/simplerisk-installer-${CURRENT_SIMPLERISK_VERSION}.tgz > /dev/null 2>&1" - exec_cmd "cd /var/www/simplerisk && tar xvzf simplerisk-installer-${CURRENT_SIMPLERISK_VERSION}.tgz > /dev/null 2>&1" - exec_cmd "rm /var/www/simplerisk/simplerisk-installer-${CURRENT_SIMPLERISK_VERSION}.tgz > /dev/null 2>&1" - exec_cmd "chown -R wwwrun: /var/www/simplerisk" - - print_status "Restarting Apache to load the new configuration..." - exec_cmd "systemctl restart apache2 > /dev/null 2>&1" - - print_status "Generating MySQL passwords..." - NEW_MYSQL_ROOT_PASSWORD=`openssl rand -base64 20` > /dev/null 2>&1 - MYSQL_SIMPLERISK_PASSWORD=`openssl rand -base64 20` > /dev/null 2>&1 - echo "MYSQL ROOT PASSWORD: ${NEW_MYSQL_ROOT_PASSWORD}" >> /root/passwords.txt - echo "MYSQL SIMPLERISK PASSWORD: ${MYSQL_SIMPLERISK_PASSWORD}" >> /root/passwords.txt - chmod 600 /root/passwords.txt +setup_centos_rhel(){ + print_status "Running SimpleRisk ${1} installer..." - print_status "Configuring MySQL..." - exec_cmd "sed -i '$ a sql-mode=\"NO_ENGINE_SUBSTITUTION\"' /etc/my.cnf > /dev/null 2>&1" - exec_cmd "sed -i 's/,STRICT_TRANS_TABLES//g' /etc/my.cnf > /dev/null 2>&1" - exec_cmd "mysql -uroot mysql -e \"CREATE DATABASE simplerisk\"" - exec_cmd "mysql -uroot simplerisk -e \"\\. 
/var/www/simplerisk/install/db/simplerisk-en-${CURRENT_SIMPLERISK_VERSION}.sql\"" - exec_cmd "mysql -uroot mysql -e \"CREATE USER 'simplerisk'\"" - exec_cmd "mysql -uroot simplerisk -e \"GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, REFERENCES, INDEX, ALTER ON simplerisk.* TO 'simplerisk'@'localhost'\"" - exec_cmd "mysql -uroot mysql -e \"ALTER USER 'simplerisk'@'localhost' IDENTIFIED BY '${MYSQL_SIMPLERISK_PASSWORD}'\"" - exec_cmd "mysql -uroot mysql -e \"ALTER USER 'root'@'localhost' IDENTIFIED BY '${NEW_MYSQL_ROOT_PASSWORD}'\"" - - print_status "Setting the SimpleRisk database password..." - exec_cmd "sed -i \"s/DB_PASSWORD', 'simplerisk/DB_PASSWORD', '${MYSQL_SIMPLERISK_PASSWORD}/\" /var/www/simplerisk/includes/config.php > /dev/null 2>&1" - - print_status "Restarting MySQL to load the new configuration..." - exec_cmd "systemctl restart mysql > /dev/null 2>&1" - - print_status "Removing the SimpleRisk install directory..." - exec_cmd "rm -r /var/www/simplerisk/install" - - print_status "Check /root/passwords.txt for the MySQL root and simplerisk passwords." - print_status "INSTALLATION COMPLETED SUCCESSFULLY" -} + # If OS is CentOS, use yum. Else (RHEL or CentOS Stream), use dnf. + [ "${OS}" = 'CentOS Linux' ] && pkg_manager='yum' || pkg_manager='dnf' + print_status "Updating packages with $pkg_manager. This may take some time." + exec_cmd "$pkg_manager -y update" -validate_args(){ - while [[ $# -gt 0 ]] - do - key="$1" - case $key in - -n|--no-assistance) - HEADLESS=y - shift - ;; - *) # unknown option - echo "Provided parameter $key is not valid. Stopping." - exit 1 - ;; - esac - done - - if [ -n "$HEADLESS" ]; then - os_detect - else - ask_user - fi -} + print_status 'Installing the wget package...' + exec_cmd "$pkg_manager -y install wget" -ask_user(){ - read -p "This script will install SimpleRisk on this system. Are you sure that you would like to proceed? 
[ Yes / No ]: " answer < /dev/tty - case $answer in - Yes|yes|Y|y ) os_detect;; - * ) exit 1;; + print_status 'Installing Firewalld...' + exec_cmd "$pkg_manager -y install firewalld" + + print_status 'Enabling MySQL 8 repositories...' + exec_cmd "rpm --import $MYSQL_KEY_URL" + case ${VER:0:1} in + 8) exec_cmd 'rpm -Uvh https://dev.mysql.com/get/mysql84-community-release-el8-1.noarch.rpm';; + 9) exec_cmd 'rpm -Uvh https://dev.mysql.com/get/mysql84-community-release-el9-1.noarch.rpm';; esac -} -setup(){ - # Check to make sure we are running as root - check_root - # Ask user on how to proceed - validate_args "${@:1}" -} + print_status 'Enabling PHP 8 repositories...' + exec_cmd "$pkg_manager -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-${VER:0:1}.noarch.rpm" + case ${VER:0:1} in + 8) exec_cmd "rpm --import https://rpms.remirepo.net/RPM-GPG-KEY-remi2018";; + 9) exec_cmd "rpm --import https://rpms.remirepo.net/RPM-GPG-KEY-remi2021";; + esac + exec_cmd "$pkg_manager -y install https://rpms.remirepo.net/enterprise/remi-release-${VER:0:1}.rpm" + exec_cmd "$pkg_manager -y update" -os_detect(){ - if [ -f /etc/os-release ]; then - # freedesktop.org and systemd - . /etc/os-release - OS=$NAME - VER=$VERSION_ID - elif type lsb_release >/dev/null 2>&1; then - # linuxbase.org - OS=$(lsb_release -si) - VER=$(lsb_release -sr) - elif [ -f /etc/lsb-release ]; then - # For some versions of Debian/Ubuntu without lsb_release command - . /etc/lsb-release - OS=$DISTRIB_ID - VER=$DISTRIB_RELEASE - elif [ -f /etc/debian_version ]; then - # Older Debian/Ubuntu/etc. - OS=Debian - VER=$(cat /etc/debian_version) - elif [ -f /etc/SuSe-release ]; then - # Older SuSE/etc. - echo "The SimpleRisk setup script cannot reliably determine which commands to run for this OS. Exiting." - exit 1 - elif [ -f /etc/redhat-release ]; then - # Older Red Hat, CentOS, etc. - echo "The SimpleRisk setup script cannot reliably determine which commands to run for this OS. Exiting." 
- exit 1 + + print_status 'Installing PHP for Apache...' + if [ "${OS}" = 'CentOS Linux' ]; then + exec_cmd "$pkg_manager -y --enablerepo=remi,remi-php81 install httpd php php-common" + exec_cmd "$pkg_manager -y --enablerepo=remi,remi-php81 install php-cli php-pdo php-mysqlnd php-gd php-zip php-mbstring php-xml php-curl php-ldap php-json php-intl php-posix" else - # Fall back to uname, e.g. "Linux ", also works for BSD, etc. - OS=$(uname -s) - VER=$(uname -r) + exec_cmd "$pkg_manager -y module reset php" + exec_cmd "$pkg_manager -y module enable php:remi-8.1" + exec_cmd "$pkg_manager -y install httpd php php-common php-mysqlnd php-mbstring php-opcache php-gd php-zip php-json php-ldap php-curl php-xml php-intl php-process" fi - if [ "$OS" = "Ubuntu" ]; then - if [ "$VER" = "18.04" ] || [ "$VER" = "20.04" ]; then - echo "Detected that we are running ${OS} ${VER}. Continuing with SimpleRisk setup." - setup_ubuntu_1804 - fi - elif [ "$OS" = "CentOS Linux" ]; then - if [ "$VER" = "7" ]; then - echo "Detected that we are running ${OS} ${VER}. Continuing with SimpleRisk setup." - setup_centos_7 - fi - elif [ "$OS" = "SLES" ]; then - if [ "$VER" = "12.5" ] || [ "$VER" = "12.4" ] || [ "$VER" = "12.3" ] || [ "$VER" = "12.2" ] || [ "$VER" = "12.1" ]; then - echo "Detected that we are running ${OS} ${VER}. Continuing with SimpleRisk setup." - setup_suse_12 - fi - elif [ "$OS" = "Red Hat Enterprise Linux" ]; then - if [ "$VER" = "8.0" ]; then - echo "Detected that we are running ${OS} ${VER}. Continuing with SimpleRisk Setup." - setup_rhel_8 - fi + set_php_settings /etc/php.ini + + print_status 'Installing the MySQL database server...' + exec_cmd "$pkg_manager install -y mysql-server" + + print_status 'Enabling and starting MySQL database server...' 
+ exec_cmd 'systemctl enable mysqld' + exec_cmd 'systemctl start mysqld' + + if [[ "${VER}" = 8* ]]; then + exec_cmd "$pkg_manager clean all" + exec_cmd 'rm -rf /var/cache/dnf/remi-*a' + exec_cmd "$pkg_manager -y update" + fi + + print_status 'Installing mod_ssl' + exec_cmd "$pkg_manager -y install mod_ssl" + + print_status 'Installing sendmail' + exec_cmd "$pkg_manager -y install sendmail sendmail-cf m4" + + set_up_simplerisk 'apache' "${1}" + + print_status 'Configuring Apache...' + if [[ "${OS}" != 'CentOS Linux' ]]; then + exec_cmd "sed -i 's|#\?\(DocumentRoot \"/var/www/\)html\"|\1simplerisk\"|' /etc/httpd/conf.d/ssl.conf" + exec_cmd 'rm /etc/httpd/conf.d/welcome.conf' + fi + exec_cmd 'mkdir /etc/httpd/sites-{available,enabled}' + exec_cmd "sed -i 's|\(DocumentRoot \"/var/www\).*|\1\"|g' /etc/httpd/conf/httpd.conf" + echo 'IncludeOptional sites-enabled/*.conf' >> /etc/httpd/conf/httpd.conf + cat << EOF > /etc/httpd/sites-enabled/simplerisk.conf + + DocumentRoot "/var/www/simplerisk/" + ErrorLog /var/log/httpd/error_log + CustomLog /var/log/httpd/access_log combined + + AllowOverride all + allow from all + Options -Indexes + + RewriteEngine On + RewriteCond %{HTTPS} !=on + RewriteRule ^/?(.*) https://%{SERVER_NAME}/\$1 [R,L] + +EOF + + if ! grep -q 'AllowOverride all' /etc/httpd/conf.d/ssl.conf; then + exec_cmd "sed -i '/<\/Directory>/a \\\t\t\n\t\t\tAllowOverride all\n\t\t\tallow from all\n\t\t\tOptions -Indexes\n\t\t<\/Directory>' /etc/httpd/conf.d/ssl.conf" + fi + if [ "${OS}" = 'CentOS Linux' ]; then + exec_cmd "sed -i '//a \\\t\tDocumentRoot \"/var/www/simplerisk\"' /etc/httpd/conf.d/ssl.conf" else - echo "The SimpleRisk setup script cannot reliably determine which commands to run for this OS. Exiting." 
- exit 1 + exec_cmd "sed -i 's/#\(LoadModule mpm_prefork\)/\1/g' /etc/httpd/conf.modules.d/00-mpm.conf" + exec_cmd "sed -i 's/\(LoadModule mpm_event\)/#\1/g' /etc/httpd/conf.modules.d/00-mpm.conf" + fi + + generate_passwords + + print_status 'Configuring MySQL...' + if [ "${OS}" = 'CentOS Linux' ]; then + set_up_database /var/log/mysqld.log + else + if [[ "${VER}" = 9* ]]; then + set_up_database /var/log/mysqld.log + else + set_up_database + fi fi + + cat << EOF >> /etc/my.cnf +[mysqld] +sql_mode=ERROR_FOR_DIVISION_BY_ZERO,NO_ENGINE_SUBSTITUTION +EOF + + print_status 'Restarting MySQL to load the new configuration...' + exec_cmd 'systemctl restart mysqld' + + print_status 'Removing the SimpleRisk database file...' + exec_cmd 'rm -r /var/www/simplerisk/database.sql' + print_status 'Setting up Backup cronjob...' + set_up_backup_cronjob + + print_status 'Enabling and starting the Apache web server...' + exec_cmd 'systemctl enable httpd' + exec_cmd 'systemctl start httpd' + + print_status 'Configuring and starting Sendmail...' + exec_cmd "sed -i 's/\(localhost\)/\1 $(hostname)/g' /etc/hosts" + exec_cmd 'systemctl start sendmail' + + print_status 'Opening Firewall for HTTP/HTTPS traffic' + exec_cmd 'systemctl enable firewalld' + exec_cmd 'systemctl start firewalld' + for service in http https ssh; do + exec_cmd "firewall-cmd --permanent --zone=public --add-service=${service}" + done + exec_cmd 'firewall-cmd --reload' + + print_status 'Configuring SELinux for SimpleRisk...' 
+ value_one_permissions=('httpd_builtin_scripting' 'httpd_can_network_connect' 'httpd_can_sendmail' 'httpd_dbus_avahi' 'httpd_enable_cgi' 'httpd_read_user_content' 'httpd_tty_comm') + for permission in "${value_one_permissions[@]}"; do + exec_cmd "setsebool -P $permission=1" + done + value_nil_permissions=('allow_httpd_anon_write' 'allow_httpd_mod_auth_ntlm_winbind' 'allow_httpd_mod_auth_pam' 'allow_httpd_sys_script_anon_write' 'httpd_can_check_spam' 'httpd_can_network_connect_cobbler' 'httpd_can_network_connect_db' 'httpd_can_network_memcache' 'httpd_can_network_relay' 'httpd_dbus_sssd' 'httpd_enable_ftp_server' 'httpd_enable_homedirs' 'httpd_execmem' 'httpd_manage_ipa' 'httpd_run_preupgrade' 'httpd_run_stickshift' 'httpd_serve_cobbler_files' 'httpd_setrlimit' 'httpd_ssi_exec' 'httpd_tmp_exec' 'httpd_use_cifs' 'httpd_use_fusefs' 'httpd_use_gpg' 'httpd_use_nfs' 'httpd_use_openstack' 'httpd_verify_dns') + for permission in "${value_nil_permissions[@]}"; do + exec_cmd "setsebool -P $permission=0" + done + exec_cmd 'chcon -R -t httpd_sys_rw_content_t /var/www/simplerisk' } +setup_suse(){ + + print_status "Running SimpleRisk ${1} installer..." + + print_status 'Populating zypper cache...' + exec_cmd 'zypper -n update' + + if ! rpm -q mysql84-community-release; then + print_status 'Adding MySQL 8 repository...' + exec_cmd 'rpm -Uvh https://dev.mysql.com/get/mysql84-community-release-sl15-1.noarch.rpm' + exec_cmd "rpm --import $MYSQL_KEY_URL" + fi + + print_status 'Installing Apache...' + exec_cmd 'zypper -n install apache2' + + print_status 'Enabling Apache on reboot...' + exec_cmd 'systemctl enable apache2' + + print_status 'Starting Apache...' + exec_cmd 'systemctl start apache2' + + print_status 'Installing MySQL 8...' + exec_cmd 'zypper -n install mysql-community-server' + + print_status 'Enabling MySQL on reboot...' + exec_cmd 'systemctl enable mysql' + + print_status 'Starting MySQL...' + exec_cmd 'systemctl start mysql' + + print_status 'Installing PHP 8...' 
+ exec_cmd 'zypper -n install php8 php8-mysql apache2-mod_php8 php8-ldap php8-curl php8-zlib php8-phar php8-mbstring php8-intl php8-posix php8-gd php8-zip php-xml' + + exec_cmd 'a2enmod php8' + + print_status 'Enabling SSL for Apache...' + # Only enable valid modules on SLES + for module in rewrite ssl; do + exec_cmd "a2enmod $module" + done + + print_status 'Enabling Rewrite Module for Apache...' + echo 'LoadModule rewrite_module /usr/lib64/apache2-prefork/mod_rewrite.so' >> /etc/apache2/loadmodule.conf + + print_status 'Setting up SimpleRisk Virtual Host and SSL Self-Signed Cert' + echo 'Listen 443' >> /etc/apache2/vhosts.d/simplerisk.conf + + cat << EOF >> /etc/apache2/vhosts.d/simplerisk.conf +DocumentRoot "/var/www/simplerisk/" + ErrorLog /var/log/apache2/error_log + CustomLog /var/log/apache2/access_log combined + + AllowOverride all + Require all granted + Options -Indexes + Options FollowSymLinks + Options SymLinksIfOwnerMatch + + RewriteEngine On + RewriteCond %{HTTPS} !=on + RewriteRule ^/?(.*) https://%{SERVER_NAME}/\$1 [R,L] +EOF + + generate_passwords + + #!/bin/bash + +# Where to store files +KEY_DIR="/etc/apache2" +mkdir -p "$KEY_DIR" + +KEY_FILE="$KEY_DIR/ssl.key/server.key" +CSR_FILE="$KEY_DIR/ssl.csr/server.csr" +CRT_FILE="$KEY_DIR/ssl.crt/server.crt" + +mkdir -p "$(dirname "$KEY_FILE")" "$(dirname "$CSR_FILE")" "$(dirname "$CRT_FILE")" + +# Generate an RSA private key (works in OpenSSL 3 and FIPS) +openssl genpkey \ + -algorithm RSA \ + -pkeyopt rsa_keygen_bits:2048 \ + -out "$KEY_FILE" + +# Create a CSR +openssl req \ + -new \ + -key "$KEY_FILE" \ + -subj "/C=US/ST=None/L=None/O=Example/OU=IT/CN=localhost" \ + -out "$CSR_FILE" + +# Create a self-signed certificate valid for 1 year +openssl req \ + -x509 \ + -key "$KEY_FILE" \ + -in "$CSR_FILE" \ + -days 365 \ + -out "$CRT_FILE" + +echo "Key: $KEY_FILE" +echo "CSR: $CSR_FILE" +echo "Cert: $CRT_FILE" + + + + cat << EOF >> /etc/apache2/vhosts.d/ssl.conf +DocumentRoot "/var/www/simplerisk/" + 
ErrorLog /var/log/apache2/error_log + CustomLog /var/log/apache2/access_log combined + + AllowOverride all + Require all granted + Options -Indexes + Options FollowSymLinks + Options SymLinksIfOwnerMatch + + SSLEngine on + SSLCertificateFile /etc/apache2/ssl.crt/server.crt + SSLCertificateKeyFile /etc/apache2/ssl.key/server.key +EOF + + print_status 'Configuring secure settings for Apache...' + exec_cmd "sed -i 's/\\(SSLProtocol\\).*/\\1 TLSv1.2/g' /etc/apache2/ssl-global.conf" + exec_cmd "sed -i 's/#\\?\\(SSLHonorCipherOrder\\)/\\1/g' /etc/apache2/ssl-global.conf" + + set_php_settings /etc/php8/apache2/php.ini + + print_status 'Specifying the MySQL socket path...' + for extension in mysqli pdo_mysql; do + exec_cmd "sed -i 's|\\($extension.default_socket\\).*|\\1=/var/lib/mysql/mysql.sock|' /etc/php8/apache2/php.ini" + done + + set_up_simplerisk 'wwwrun' "${1}" + + print_status 'Restarting Apache to load the new configuration...' + exec_cmd 'systemctl restart apache2' + + print_status 'Configuring MySQL...' + if [[ "${VER}" = 15* ]]; then + exec_cmd "sed -i 's/\\(\\[mysqld\\]\\)/\\1\\nsql_mode=NO_ENGINE_SUBSTITUTION/g' /etc/my.cnf" + fi + + exec_cmd "sed -i '\$ a sql-mode=\"NO_ENGINE_SUBSTITUTION\"' /etc/my.cnf" + exec_cmd "sed -i 's/,STRICT_TRANS_TABLES//g' /etc/my.cnf" + + if [[ "${VER}" = 15* ]]; then + set_up_database /var/log/mysql/mysqld.log + else + set_up_database + fi + + print_status 'Restarting MySQL to load the new configuration...' + exec_cmd 'systemctl restart mysql' + + print_status 'Removing the SimpleRisk database file...' + exec_cmd 'rm -r /var/www/simplerisk/database.sql' + + print_status 'Setting up Backup cronjob...' + set_up_backup_cronjob + + if [[ "${VER}" = 15* ]]; then + print_status 'NOTE: SLES 15 does not have sendmail available on its repositories. You will need to configure postfix to be able to send emails.' + fi +} + + ## Defer setup until we have the complete script setup "${@:1}"