Shell scripts to setup CentOS server

CentOS 5.5 Mirrors:

Download iso via BitTorrent.

http://isoredirect.centos.org/centos/5/isos/x86_64/

Setup VM and install basic packages

  • mount iso and boot vm
  • use default partition table
  • use defaults for dialogs
  • hostname configuration: TBD
  • set time zone
  • set root password
  • package selection: server (no gui)

Take snapshot at first reboot

Setup local user(s)

Log in as root and add a local user: `# useradd USER`, then `# passwd USER`.

  • run visudo to add the wheel group to sudoers (in vi: i to insert, [ESC] to stop editing, :w to write, :q to quit)

Add the user to group 'wheel': `# usermod -aG wheel USER`

  • logout/login as local user

Setup environment

Log in as the normal user with sudo access.

$ wget https://gist.github.com/gists/708659/download
$ tar xvf download
$ cp gist<tab>/* .
$ chmod a+x *.sh
$ sudo -E ./a-configure-server.sh
$ ./b-configure-user.sh

Configure sshd to disallow password login

Ensure the normal user is able to log in with a public key. `$ sudo nano /etc/ssh/sshd_config` — disable PasswordAuthentication. `$ sudo service sshd restart`. Add the user to group 'rvm': `$ sudo usermod -aG rvm USER`. Log out and back in to ensure the public key works; then log out and back in without the public key to ensure it fails.

Install Ruby gems

Install Rails and the required gems: `$ gem install rails`, `$ gem install passenger`, `$ passenger-install-apache2-module`.

Add passenger.conf to Apache: `$ sudo nano /etc/httpd/conf.d/passenger.conf`

LoadModule passenger_module /usr/local/rvm/gems/ruby-1.9.2-p0/gems/passenger-3.0.0/ext/apache2/mod_passenger.so
PassengerRoot /usr/local/rvm/gems/ruby-1.9.2-p0/gems/passenger-3.0.0
PassengerRuby /usr/local/rvm/wrappers/ruby-1.9.2-p0/ruby

Open the firewall for http: `$ sudo system-config-securitylevel`

Take snapshot

TODO

Remove packages

  • sendmail

Environment

  • ensure PATH is correct for all users

Install/configure packages

  • apache2
  • modify chkconfig to enable httpd to start automatically
  • Phusion passenger; modify context to allow to run w/SELinux enforcing
  • postfix
  • don't reinstall git or git-man if already installed
  • use cat | sed 's/#blah/blah/g' > tmp && mv tmp

Security

  • create CA, certs for https
#!/bin/sh
##########
#
# a-configure-server.sh
#
# Shell script to be used to configure CentOS 5.5 server
#
# Written by Doc Walker (Rx) Nov 2010
#
# Run this script 1st
#
##########
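# Refuse to continue unless running as root: every step below edits files
# under /etc and installs packages.  The message goes to stderr and the exit
# no longer depends on printf succeeding.  Note that the script relies on
# bash features ([[ ]], =~, BASH_REMATCH, read -d '') despite the /bin/sh
# shebang; run it with bash (on CentOS 5.5 /bin/sh is bash).
if [[ $(id -u) -ne 0 ]]; then
  printf 'This script must be run as root.\n' >&2
  exit 1
fi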
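#######################################
# Print command-line usage.
# Globals:   none (reads $0 for the program name)
# Arguments: none
# Outputs:   usage text on stdout
# Returns:   0
#######################################
display_usage() {
  local prog
  # quoted $0 and $(...) instead of backticks: a path with spaces no longer breaks
  prog=$(basename -- "$0")
  cat <<EOF
usage: $prog [--dry-run] [--usage] [--help]
--dry-run: execute without changing any files
--usage: provide information on usage
--help: provide information on usage
EOF
  return 0
}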
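#######################################
# Verify that the wheel group may run sudo, i.e. that $file (expected to be
# /etc/sudoers) contains an uncommented line equivalent to
#   %wheel ALL=(ALL) ALL
# Globals:   file (read)
# Outputs:   progress on stdout; remediation steps if the check fails
# Returns:   0 when the line is present
# Exits:     1 when $file is missing or the line is not found
# Notes:     only this exact form is accepted; variants (a NOPASSWD tag, or a
#            rule living in an included file) are not recognised and stop the
#            script.  Nothing here edits the file.  The pattern uses
#            [[:space:]] rather than \s so it also works with non-GNU grep.
#######################################
check_sudoers() {
  local regex
  printf ' - file %s ' "$file"
  if [[ ! -e "$file" ]]; then
    printf 'does not exist\n'
    exit 1
  fi
  printf 'exists\n'
  printf ' - wheel group is '
  # Anchored at the start of the line, so a commented copy ('# %wheel ...')
  # does not count.
  regex='^[[:space:]]*%wheel[[:space:]]+ALL[[:space:]]*=[[:space:]]*\([[:space:]]*ALL[[:space:]]*\)[[:space:]]*ALL[[:space:]]*$'
  if grep -Eq -- "$regex" "$file"; then
    printf 'able to execute sudo command\n'
    return 0
  fi
  printf 'not able to execute sudo command\n\n'
  cat <<EOF
Please fix this before proceeding with server configuration.
# visudo
Scroll down to line containing %wheel. Change it to:
%wheel ALL=(ALL) ALL
Command reference:
/ enters search mode (look for '%wheel')
i enters insert mode
[ESC] exits edit mode
:w writes the file to disk
:q quits vi (append ! to discard changes)
EOF
  exit 1
}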
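#######################################
# Delete the block this script previously appended to $file: every line from
# the first line matching $header through the next line matching $footer,
# inclusive.  If no footer follows a header, sed's range runs to end of file.
# Globals:   file, header, footer, sed_command, sed_args, sed_ext, dry_run
#            (read)
# Outputs:   progress on stdout; a failed sed is reported on stderr
# Returns:   0 in all cases (missing file and sed failure are not fatal)
# Notes:     $sed_command/$sed_args are deliberately unquoted: they hold a
#            command plus its options and are meant to be word-split.
#            $header/$footer are script constants embedded unescaped in the
#            sed address, so they must not contain '/'.  In dry-run mode
#            sed_args is "-n -e", so sed prints nothing and changes nothing.
#######################################
remove_previous_modifications() {
  printf ' - file %s ' "$file"
  if [[ ! -e "$file" ]]; then
    printf 'does not exist\n'
    return 0
  fi
  printf 'exists\n'
  # shellcheck disable=SC2086 -- intentional word splitting of command/args
  if ! $sed_command $sed_args "/$header/,/$footer/d" "$file"; then
    printf ' - ERROR: sed failed to edit %s\n' "$file" >&2
    return 0
  fi
  if [[ -z "$dry_run" ]]; then
    printf ' - removed previously-modified section\n'
    # sed -i$sed_ext left a backup copy; discard it
    if rm -f -- "$file$sed_ext"; then
      printf ' - removed temp file %s\n' "$file$sed_ext"
    fi
  fi
  return 0
}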
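#######################################
# Append the text in $append (plus a trailing newline) to $file.
# Globals:   append, file, dry_run (read)
# Outputs:   progress on stdout
# Returns:   0; a write failure is reported on stdout but is not fatal
# Notes:     nothing is written in dry-run mode.  printf replaces echo so
#            content starting with '-n'/'-e' or containing backslashes is
#            written verbatim.
#######################################
append_to_file() {
  local rc
  if [[ -n "$dry_run" ]]; then
    printf ' - dry run complete\n'
    return 0
  fi
  printf '%s\n' "$append" >> "$file"
  rc=$?
  if (( rc == 0 )); then
    printf ' - file modifications complete\n'
  else
    printf ' - ERROR %d: unable to modify file %s\n' "$rc" "$file"
  fi
  return 0
}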
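#######################################
# Comment out every line of $file that sets one of the parameters named in
# $parameter (an ERE alternation such as "PasswordAuthentication|UsePAM"),
# tagging it with $disabled and $now so the change can be traced later.
# A line "UsePAM yes" becomes "#UsePAM yes  # - disabled - <date>".
# Globals:   file, parameter, disabled, now, sed_command, sed_args, sed_ext,
#            dry_run (read)
# Outputs:   progress on stdout; a failed sed is reported on stderr
# Returns:   0 in all cases
# Notes:     $parameter/$disabled/$now are embedded unescaped in a sed
#            expression and must not contain '/', '&' or '\'; all three are
#            set by this script, never from user input.  $sed_command and
#            $sed_args are intentionally unquoted (command plus options).
#######################################
comment_lines() {
  local sed_expression
  printf ' - file %s ' "$file"
  if [[ ! -e "$file" ]]; then
    printf 'does not exist\n'
    return 0
  fi
  printf 'exists\n'
  # Group 1 captures the whole original line so it survives after the '#'.
  sed_expression="s/(^[[:space:]]*($parameter)[[:space:]].*$)/#\1 $disabled$now/"
  # shellcheck disable=SC2086 -- intentional word splitting of command/args
  if ! $sed_command $sed_args "$sed_expression" "$file"; then
    printf ' - ERROR: sed failed to edit %s\n' "$file" >&2
    return 0
  fi
  if [[ -z "$dry_run" ]]; then
    printf ' - commented out parameter(s)\n'
    # sed -i$sed_ext left a backup copy; discard it
    if rm -f -- "$file$sed_ext"; then
      printf ' - removed temp file %s\n' "$file$sed_ext"
    fi
  fi
  return 0
}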
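#######################################
# Make sure directory $dir exists, creating it (and missing parents) if not.
# Globals:   dir, dir_mode, dry_run (read)
# Outputs:   progress on stdout
# Returns:   0; a failed mkdir is reported on stdout but is not fatal
# Notes:     'mkdir -m' applies $dir_mode only to the final path component;
#            parents created by -p get the umask default.  An existing
#            directory is left untouched — its mode is not checked.
#######################################
verify_or_create_dir() {
  local rc
  printf ' - directory %s ' "$dir"
  if [[ -d "$dir" ]]; then
    printf 'exists\n'
    return 0
  fi
  printf 'does not exist\n'
  [[ -z "$dry_run" ]] || return 0
  mkdir -m "$dir_mode" -p -- "$dir"
  rc=$?
  if (( rc == 0 )); then
    printf ' - directory %s created\n' "$dir"
  else
    printf ' - ERROR %d: unable to create directory %s\n' "$rc" "$dir"
  fi
  return 0
}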
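#######################################
# Fetch a source tarball and unpack it.
# Installs $yum_packages first (Linux only), then works inside $dir: the
# archive named by the last path component of $link is downloaded with wget
# unless already present, and its top-level entry (first line of the tar
# listing) is extracted into $tar_dir unless $dir/<that entry> exists.
# Globals:   system, yum_packages, dir, link, tar_dir, dry_run (read)
#            targz, make_dir (written; read later by build_source and callers)
#            dir (OVERWRITTEN with $tar_dir when an extraction happens)
# Side effects: changes the working directory to $dir.
# Outputs:   progress on stdout
# Returns:   1 if $dir cannot be entered; 0 otherwise (a failed download or
#            extraction is reported, not fatal)
# Notes:     the tarball is fetched from whatever $link names (plain http in
#            this script) and is not checked against a checksum or
#            signature; the archive's own contents decide what is written
#            under $tar_dir.  tar is no longer run on a missing archive
#            (dry run, or failed download), which used to leave $make_dir
#            empty and print a misleading "exists".
#######################################
download_source() {
  local link_regex
  if [[ "$system" == "Linux" && -n "$yum_packages" ]]; then
    if [[ -n "$dry_run" ]]; then
      printf ' - yum -y install %s\n' "$yum_packages"
    else
      # shellcheck disable=SC2086 -- $yum_packages is a space-separated list
      yum -y install $yum_packages
    fi
  fi
  # Everything below is relative to $dir; an unchecked cd would make wget and
  # tar operate in whatever directory we happened to be in.
  if ! cd "$dir"; then
    printf ' - ERROR: cannot change to directory %s\n' "$dir" >&2
    return 1
  fi
  link_regex='([^/]*)\.tar\.gz$'
  if [[ ! "$link" =~ $link_regex ]]; then
    return 0
  fi
  targz="${BASH_REMATCH[0]}"
  printf ' - file %s ' "$targz"
  if [[ -f "$targz" ]]; then
    printf 'exists\n'
  else
    printf 'does not exist\n'
    printf ' - download %s\n' "$link"
    [[ -n "$dry_run" ]] || wget "$link"
  fi
  if [[ ! -f "$targz" ]]; then
    printf ' - archive %s not available; skipping extraction\n' "$targz"
    [[ -n "$dry_run" ]] && printf ' - dry run complete\n'
    return 0
  fi
  make_dir=$(tar ztf "$targz" | head -n 1)
  printf ' - directory %s/%s ' "$dir" "$make_dir"
  if [[ -d "$dir/$make_dir" ]]; then
    printf 'exists\n'
  else
    printf 'does not exist\n'
    if [[ -z "$dry_run" ]]; then
      dir="$tar_dir"
      verify_or_create_dir
      printf ' - unarchiving file %s\n' "$targz"
      # no -v: keep tar quiet but let its errors reach stderr instead of
      # discarding them with &>/dev/null
      tar zxf "$targz" -C "$tar_dir"
    fi
  fi
  [[ -n "$dry_run" ]] && printf ' - dry run complete\n'
  return 0
}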
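#######################################
# Build and install the source tree unpacked by download_source.
# Globals:   dry_run, dir, make_dir, install_dir (read)
# Side effects: changes the working directory to $dir/$make_dir
# Outputs:   progress on stdout (plus make's own output)
# Returns:   0 on success or when nothing to do; 1 if the directory cannot
#            be entered; make's status when the build or install fails
# Notes:     'make install' now only runs after 'make all' succeeded, so a
#            broken build is never installed under $install_dir.
#######################################
build_source() {
  [[ -z "$dry_run" ]] || return 0
  printf ' - directory %s/%s ' "$dir" "$make_dir"
  if [[ ! -d "$dir/$make_dir" ]]; then
    printf 'does not exist\n'
    return 0
  fi
  printf 'exists\n'
  if ! cd "$dir/$make_dir"; then
    printf ' - ERROR: cannot change to directory %s/%s\n' "$dir" "$make_dir" >&2
    return 1
  fi
  printf ' - compiling source\n'
  make prefix="$install_dir" all && make prefix="$install_dir" install
}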
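########## BEGIN ##########
# Select a sed that understands extended regular expressions (-E on macOS,
# -r on GNU); the ERE expressions in the helpers depend on it.  On any other
# platform plain 'sed' is used and those expressions will most likely fail.
system=$(uname -s)
case "$system" in
  Darwin) sed_command="sed -E " ;;
  Linux) sed_command="sed -r " ;;
  *) sed_command="sed" ;;
esac
# iterate through command line arguments
for arg in "$@"; do
  case "$arg" in
    --usage|--help)
      display_usage
      exit 0
      ;;
    --dry-run)
      dry_run="true"
      # with -n sed prints nothing, so every sed edit becomes a no-op
      sed_args="-n -e"
      ;;
    *)
      # An unknown option is an error: exit non-zero so a caller chaining
      # this script with && cannot mistake a typo for success.
      printf 'Unknown option: %s\n' "$arg" >&2
      display_usage >&2
      exit 2
      ;;
  esac
done
# verify wheel group is in sudoers (check_sudoers exits if it is not)
file="/etc/sudoers"
printf 'Configure /etc/sudoers\n'
check_sudoers
# outside a dry run sed edits in place, keeping a "$file$sed_ext" backup that
# the helpers delete once the edit succeeded
if [[ -z "$dry_run" ]]; then
  sed_ext=".old"
  sed_args="-i$sed_ext -e"
fi
# header and footer delimiting the block this script appends to each file;
# the helpers embed them (and $now) in sed expressions, so none of them may
# contain '/' — assumed true of the default 'date' output
now=$(date)
header="### Rx: modified by setup script - "
footer="### Rx: end of modifications - "
disabled=" # - disabled - "
# Put the system tool directories first: the README runs this under
# 'sudo -E', which otherwise hands us the invoking user's PATH unchanged.
PATH=/bin:/usr/bin:/usr/sbin:$PATH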
########## update yum packages ##########
# Bring the installed packages up to date (Linux only).  A dry run only
# lists what yum would change.
if [[ "$system" == "Linux" ]]; then
  printf '\nUpdate yum packages\n'
  if [[ -n "$dry_run" ]]; then
    yum check-update
    printf ' - dry run complete\n'
  else
    yum -y update
  fi
fi
########## add common aliases to /etc/bashrc ##########
# These aliases apply to EVERY user's interactive shell.  Note that 'ps' is
# overridden system-wide and 'tm' wraps a sudo command.  '\$PATH' is escaped
# so the alias keeps a literal $PATH instead of this script's value.
file="/etc/bashrc"
printf '\nAdd common aliases to %s\n' "$file"
read -r -d '' append <<EOF
$header$now
alias la='/bin/ls -al'
alias psg='/bin/ps ax | grep'
alias ps='/bin/ps -auxc'
alias path='/bin/echo \$PATH'
alias tm='sudo tail -F -n 1000 /var/log/maillog'
$footer$now
EOF
remove_previous_modifications
append_to_file
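########## modify PATH variable in /root/.bash_profile ##########
file="/root/.bash_profile"
# '\$PATH' keeps the reference symbolic.  The original unescaped $PATH was
# expanded NOW, freezing this script's temporary PATH — including whatever
# the invoking user's environment carried in through 'sudo -E' — into
# root's profile on every login.
read -r -d '' append <<EOF
$header$now
PATH=\$PATH:/usr/local/bin
export PATH
$footer$now
EOF
printf '\nModify PATH variable in %s\n' "$file"
remove_previous_modifications
append_to_file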
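########## add global EDITOR variable to /etc/profile.d/editor.sh ##########
file="/etc/profile.d/editor.sh"
# /etc/profile.d/*.sh is sourced by /etc/profile; without the export the
# value was only a shell variable and never reached programs such as
# visudo or git that look EDITOR up in the environment.
read -r -d '' append <<EOF
$header$now
EDITOR=/usr/bin/nano
export EDITOR
$footer$now
EOF
printf '\nAdd global EDITOR variable to %s\n' "$file"
remove_previous_modifications
append_to_file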
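########## configure /etc/ssh/sshd_config ##########
if [[ "$system" == "Darwin" ]]; then
  file="/etc/sshd_config"
elif [[ "$system" == "Linux" ]]; then
  file="/etc/ssh/sshd_config"
else
  file=""
fi
# sshd honours the FIRST occurrence of a keyword.  Because this block is
# appended at the end of the file, every keyword it sets must also be
# commented out wherever it already appears ($parameter below); the original
# only did that for two of them, so an existing 'PermitRootLogin yes' would
# silently have won.  PasswordAuthentication is deliberately left enabled
# here; the README turns it off once key login is confirmed.
# NOTE(review): the stock CentOS sshd_config warns that 'UsePAM no' is not
# supported there — confirm it does not break login on this host.
# 'KeepAlive' is the legacy spelling of TCPKeepAlive.
read -r -d '' append <<EOF
$header$now
PermitRootLogin no
UsePAM no
# per http://www.broadbandreports.com/forum/remark,12601792~mode=flat
KeepAlive no
MaxStartups 10
LoginGraceTime 120
ClientAliveInterval 60
ClientAliveCountMax 1
# disable PasswordAuthentication once public key login is working
PasswordAuthentication yes
$footer$now
EOF
printf '\nConfigure %s\n' "$file"
parameter="PermitRootLogin|UsePAM|KeepAlive|MaxStartups|LoginGraceTime|ClientAliveInterval|ClientAliveCountMax|PasswordAuthentication"
comment_lines
remove_previous_modifications
append_to_file
if [[ -z "$dry_run" ]]; then
  # Validate before restarting: restarting on a rejected config leaves no
  # sshd listening and can lock out remote access.
  if ! sshd -t -f "$file"; then
    printf ' - ERROR: %s fails "sshd -t"; sshd NOT restarted\n' "$file" >&2
  elif [[ "$system" == "Darwin" ]]; then
    printf ' - restarting com.openssh.sshd via launchctl\n'
    launchctl stop com.openssh.sshd
    launchctl start com.openssh.sshd
  elif [[ "$system" == "Linux" ]]; then
    printf ' - restarting service sshd\n'
    /sbin/service sshd restart
  fi
fi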
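########## install git from source ##########
dir="/tmp/src"
dir_mode="755"
yum_packages="zlib-devel openssl-devel cpio expat-devel gettext-devel curl-devel gcc gcc-c++ httpd-devel apr-devel readline-devel"
# NOTE(review): fetched over plain http with no checksum or signature check;
# the resulting build is installed as root under $install_dir.
link="http://git-core.googlecode.com/files/git-1.7.9.3.tar.gz"
tar_dir="$dir"
install_dir="/usr/local"
printf '\nInstall git\n'
verify_or_create_dir
download_source
build_source
# Man pages: download_source unpacks the tarball straight into $tar_dir
# (and resets $dir to it).  The explicit tar below repeats that extraction
# so the pages land there even when download_source found its target
# directory already present; $targz is relative to /tmp/src, where
# download_source left the working directory.
link="http://git-core.googlecode.com/files/git-manpages-1.7.9.3.tar.gz"
tar_dir="/usr/local/share/man"
printf '\nInstall git man pages\n'
yum_packages=""
download_source
if [[ -n "$dry_run" ]]; then
  printf ' - dry run complete\n'
else
  printf ' - unarchiving file %s\n' "$targz"
  tar zxvf "$targz" -C "$tar_dir"
fi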
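########## install sqlite3 from source ##########
dir="/tmp/src"
dir_mode="755"
yum_packages="gcc"
# NOTE(review): plain-http download with no checksum or signature check.
link="http://sqlite.org/sqlite-amalgamation-3.7.3.tar.gz"
tar_dir="$dir"
printf '\nInstall sqlite3\n'
verify_or_create_dir
download_source
if [[ -z "$dry_run" ]]; then
  printf ' - directory %s/%s ' "$dir" "$make_dir"
  if [[ -d "$dir/$make_dir" ]]; then
    printf 'exists\n'
    printf ' - compiling source\n'
    # Chained with && so a failed cd/configure/make never reaches
    # 'make install' (the original ran all three unconditionally).
    cd "$dir/$make_dir" && ./configure && make && make install
  else
    printf 'does not exist\n'
  fi
fi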
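########## install rvm from script ##########
dir="/tmp/src"
dir_mode="755"
# yum_packages is set here but download_source is not called in this
# section, so nothing is installed from it.
yum_packages="gcc"
script="rvm"
link="http://rvm.beginrescueend.com/install/$script"
printf '\nInstall Ruby Version Manager (rvm)\n'
# Report any rvm already on PATH before installing (empty if none).
printf ' - which rvm %s\n' "$(command -v rvm)"
if [[ -n "$dry_run" ]]; then
  printf ' - dry run complete\n'
else
  verify_or_create_dir
  printf ' - downloading script %s\n' "$script"
  # NOTE(review): the installer is fetched over plain http and executed as
  # root with no checksum or signature check — verify it before running this
  # on a machine that matters.  'curl -f' makes an HTTP error fail the
  # download instead of saving the error page, and the script is only run
  # when the download succeeded (the original ran whatever was written).
  if curl -fL "$link" -o "$dir/$script"; then
    printf ' - executing script %s\n' "$script"
    bash < "$dir/$script"
    # rvm must now be resolvable via PATH; this shell does not source the
    # installer's profile hooks — TODO(review): confirm on a fresh install
    printf ' - install Ruby 1.9.2\n'
    rvm install 1.9.2
    printf ' - set Ruby 1.9.2 as default\n'
    rvm use 1.9.2 --default
  else
    printf ' - ERROR: download of %s failed; rvm not installed\n' "$link" >&2
  fi
fi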
# file="/etc/httpd/conf.d/passenger.conf"
# read -d '' append <<EOF
# $header$now
# LoadModule passenger_module /usr/local/rvm/gems/ruby-1.9.2-p0/gems/passenger-3.0.0/ext/apache2/mod_passenger.so
# PassengerRoot /usr/local/rvm/gems/ruby-1.9.2-p0/gems/passenger-3.0.0
# PassengerRuby /usr/local/rvm/wrappers/ruby-1.9.2-p0/ruby
# $footer$now
# EOF
# printf "\nAdd common aliases to $file\n"
# remove_previous_modifications
# append_to_file
#!/bin/sh
##########
#
# b-configure-user.sh
#
# Shell script to be used to configure CentOS 5.5 user
#
# Written by Doc Walker (Rx) Nov 2010
#
# Run this script 2nd
#
##########
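# Refuse to run as root: everything below writes into $HOME of the user being
# configured.  The message goes to stderr and the exit no longer depends on
# printf succeeding.  As with a-configure-server.sh, bash features are used
# despite the /bin/sh shebang; run it with bash.
if [[ $(id -u) -eq 0 ]]; then
  printf 'This script must be run as a normal user.\n' >&2
  exit 1
fi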
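#######################################
# Print command-line usage.
# Globals:   none (reads $0 for the program name)
# Arguments: none
# Outputs:   usage text on stdout
# Returns:   0
#######################################
display_usage() {
  local prog
  # quoted $0 and $(...) instead of backticks; the here-doc no longer needs
  # '<<-' because its lines carry no leading tabs
  prog=$(basename -- "$0")
  cat <<EOF
usage: $prog [--dry-run] [--usage] [--help]
--dry-run: execute without changing any files
--usage: provide information on usage
--help: provide information on usage
EOF
  return 0
}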
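#######################################
# Delete the block this script previously appended to $file: every line from
# the first line matching $header through the next line matching $footer,
# inclusive.  If no footer follows a header, sed's range runs to end of file.
# Globals:   file, header, footer, sed_command, sed_args, sed_ext, dry_run
#            (read)
# Outputs:   progress on stdout; a failed sed is reported on stderr
# Returns:   0 in all cases (missing file and sed failure are not fatal)
# Notes:     $sed_command/$sed_args are deliberately unquoted: they hold a
#            command plus its options and are meant to be word-split.
#            $header/$footer are script constants embedded unescaped in the
#            sed address, so they must not contain '/'.  In dry-run mode
#            sed_args is "-n -e", so sed prints nothing and changes nothing.
#######################################
remove_previous_modifications() {
  printf ' - file %s ' "$file"
  if [[ ! -e "$file" ]]; then
    printf 'does not exist\n'
    return 0
  fi
  printf 'exists\n'
  # shellcheck disable=SC2086 -- intentional word splitting of command/args
  if ! $sed_command $sed_args "/$header/,/$footer/d" "$file"; then
    printf ' - ERROR: sed failed to edit %s\n' "$file" >&2
    return 0
  fi
  if [[ -z "$dry_run" ]]; then
    printf ' - removed previously-modified section\n'
    # sed -i$sed_ext left a backup copy; discard it
    if rm -f -- "$file$sed_ext"; then
      printf ' - removed temp file %s\n' "$file$sed_ext"
    fi
  fi
  return 0
}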
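#######################################
# Append the text in $append (plus a trailing newline) to $file.
# Globals:   append, file, dry_run (read)
# Outputs:   progress on stdout
# Returns:   0; a write failure is reported on stdout but is not fatal
# Notes:     nothing is written in dry-run mode.  printf replaces echo so
#            content starting with '-n'/'-e' or containing backslashes is
#            written verbatim.
#######################################
append_to_file() {
  local rc
  if [[ -n "$dry_run" ]]; then
    printf ' - dry run complete\n'
    return 0
  fi
  printf '%s\n' "$append" >> "$file"
  rc=$?
  if (( rc == 0 )); then
    printf ' - file modifications complete\n'
  else
    printf ' - ERROR %d: unable to modify file %s\n' "$rc" "$file"
  fi
  return 0
}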
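#######################################
# Comment out every line of $file that sets one of the parameters named in
# $parameter (an ERE alternation such as "PasswordAuthentication|UsePAM"),
# tagging it with $disabled and $now so the change can be traced later.
# A line "UsePAM yes" becomes "#UsePAM yes  # - disabled - <date>".
# Not called anywhere in this script; kept in step with the copy in
# a-configure-server.sh.
# Globals:   file, parameter, disabled, now, sed_command, sed_args, sed_ext,
#            dry_run (read)
# Outputs:   progress on stdout; a failed sed is reported on stderr
# Returns:   0 in all cases
# Notes:     $parameter/$disabled/$now are embedded unescaped in a sed
#            expression and must not contain '/', '&' or '\'.  $sed_command
#            and $sed_args are intentionally unquoted (command plus options).
#######################################
comment_lines() {
  local sed_expression
  printf ' - file %s ' "$file"
  if [[ ! -e "$file" ]]; then
    printf 'does not exist\n'
    return 0
  fi
  printf 'exists\n'
  # Group 1 captures the whole original line so it survives after the '#'.
  sed_expression="s/(^[[:space:]]*($parameter)[[:space:]].*$)/#\1 $disabled$now/"
  # shellcheck disable=SC2086 -- intentional word splitting of command/args
  if ! $sed_command $sed_args "$sed_expression" "$file"; then
    printf ' - ERROR: sed failed to edit %s\n' "$file" >&2
    return 0
  fi
  if [[ -z "$dry_run" ]]; then
    printf ' - commented out parameter(s)\n'
    # sed -i$sed_ext left a backup copy; discard it
    if rm -f -- "$file$sed_ext"; then
      printf ' - removed temp file %s\n' "$file$sed_ext"
    fi
  fi
  return 0
}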
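#######################################
# Make sure directory $dir exists, creating it (and missing parents) if not.
# Globals:   dir, dir_mode, dry_run (read)
# Outputs:   progress on stdout
# Returns:   0; a failed mkdir is reported on stdout but is not fatal
# Notes:     'mkdir -m' applies $dir_mode only to the final path component;
#            parents created by -p get the umask default.  An existing
#            directory is left untouched — its mode is not checked.
#######################################
verify_or_create_dir() {
  local rc
  printf ' - directory %s ' "$dir"
  if [[ -d "$dir" ]]; then
    printf 'exists\n'
    return 0
  fi
  printf 'does not exist\n'
  [[ -z "$dry_run" ]] || return 0
  mkdir -m "$dir_mode" -p -- "$dir"
  rc=$?
  if (( rc == 0 )); then
    printf ' - directory %s created\n' "$dir"
  else
    printf ' - ERROR %d: unable to create directory %s\n' "$rc" "$dir"
  fi
  return 0
}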
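#######################################
# Fetch a source tarball and unpack it (variant of the helper in
# a-configure-server.sh: the target directory is checked first and the
# archive is only fetched when it is missing).  Not called anywhere in this
# script.
# Installs $yum_packages first (Linux only), then works inside $dir: if
# $dir/<archive name without .tar.gz> does not exist, the archive named by
# the last path component of $link is downloaded with wget unless already
# present and extracted into $tar_dir.
# Globals:   system, yum_packages, dir, link, tar_dir, dry_run (read)
#            targz, make_dir (written; read later by build_source)
#            dir (OVERWRITTEN with $tar_dir when an extraction happens)
# Side effects: changes the working directory to $dir.
# Outputs:   progress on stdout
# Returns:   1 if $dir cannot be entered; 0 otherwise
# Notes:     the tarball is not checked against a checksum or signature; the
#            archive's own contents decide what is written under $tar_dir.
#            tar is no longer run when the download failed.
#######################################
download_source() {
  local link_regex
  if [[ "$system" == "Linux" && -n "$yum_packages" ]]; then
    if [[ -n "$dry_run" ]]; then
      printf ' - yum -y install %s\n' "$yum_packages"
    else
      # shellcheck disable=SC2086 -- $yum_packages is a space-separated list
      yum -y install $yum_packages
    fi
  fi
  # Everything below is relative to $dir; an unchecked cd would make wget and
  # tar operate in whatever directory we happened to be in.
  if ! cd "$dir"; then
    printf ' - ERROR: cannot change to directory %s\n' "$dir" >&2
    return 1
  fi
  link_regex='([^/]*)\.tar\.gz$'
  [[ "$link" =~ $link_regex ]] || return 0
  targz="${BASH_REMATCH[0]}"
  make_dir="${BASH_REMATCH[1]}"
  printf ' - directory %s/%s ' "$dir" "$make_dir"
  if [[ -d "$dir/$make_dir" ]]; then
    printf 'exists\n'
  else
    printf 'does not exist\n'
    printf ' - file %s ' "$targz"
    if [[ -f "$targz" ]]; then
      printf 'exists\n'
    else
      printf 'does not exist\n'
      printf ' - download %s\n' "$link"
      [[ -n "$dry_run" ]] || wget "$link"
    fi
    if [[ -z "$dry_run" ]]; then
      if [[ -f "$targz" ]]; then
        dir="$tar_dir"
        verify_or_create_dir
        printf ' - unarchiving file %s\n' "$targz"
        # no -v: keep tar quiet but let its errors reach stderr
        tar zxf "$targz" -C "$tar_dir"
      else
        printf ' - ERROR: %s was not downloaded; skipping extraction\n' "$targz" >&2
      fi
    fi
  fi
  [[ -n "$dry_run" ]] && printf ' - dry run complete\n'
  return 0
}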
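#######################################
# Build and install the source tree unpacked by download_source.  Not called
# anywhere in this script.
# Globals:   dry_run, dir, make_dir, install_dir (read)
# Side effects: changes the working directory to $dir/$make_dir
# Outputs:   progress on stdout (plus make's own output)
# Returns:   0 on success or when nothing to do; 1 if the directory cannot
#            be entered; make's status when the build or install fails
# Notes:     the original tested "$dir/$make_dir" but then did
#            'cd "$make_dir"', which only works if the working directory
#            already is $dir; the cd now uses the same absolute path as the
#            test, matching a-configure-server.sh.  'make install' only runs
#            after 'make all' succeeded.
#######################################
build_source() {
  [[ -z "$dry_run" ]] || return 0
  printf ' - directory %s/%s ' "$dir" "$make_dir"
  if [[ ! -d "$dir/$make_dir" ]]; then
    printf 'does not exist\n'
    return 0
  fi
  printf 'exists\n'
  if ! cd "$dir/$make_dir"; then
    printf ' - ERROR: cannot change to directory %s/%s\n' "$dir" "$make_dir" >&2
    return 1
  fi
  printf ' - compiling source\n'
  make prefix="$install_dir" all && make prefix="$install_dir" install
}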
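########## BEGIN ##########
# Select a sed that understands extended regular expressions (-E on macOS,
# -r on GNU); the ERE expressions in the helpers depend on it.  On any other
# platform plain 'sed' is used and those expressions will most likely fail.
system=$(uname -s)
case "$system" in
  Darwin) sed_command="sed -E " ;;
  Linux) sed_command="sed -r " ;;
  *) sed_command="sed " ;;
esac
# iterate through command line arguments
for arg in "$@"; do
  case "$arg" in
    --usage|--help)
      display_usage
      exit 0
      ;;
    --dry-run)
      dry_run="true"
      # with -n sed prints nothing, so every sed edit becomes a no-op
      sed_args="-n -e"
      ;;
    *)
      # An unknown option is an error: exit non-zero so a caller chaining
      # this script with && cannot mistake a typo for success.
      printf 'Unknown option: %s\n' "$arg" >&2
      display_usage >&2
      exit 2
      ;;
  esac
done
# outside a dry run sed edits in place, keeping a "$file$sed_ext" backup that
# the helpers delete once the edit succeeded
if [[ -z "$dry_run" ]]; then
  sed_ext=".old"
  sed_args="-i$sed_ext -e"
fi
# header and footer delimiting the block this script appends to each file;
# the helpers embed them (and $now) in sed expressions, so none of them may
# contain '/' — assumed true of the default 'date' output
now=$(date)
header="### Rx: modified by setup script - "
footer="### Rx: end of modifications - "
disabled=" # - disabled - "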
########## append to PATH variable in ~/.bash_profile ##########
# Appends aliases, PATH additions, git-completion sourcing and an rvm hook to
# the user's ~/.bash_profile, wrapped in the header/footer markers so that a
# rerun replaces the block instead of duplicating it.
file="$HOME/.bash_profile"
# Quoted delimiter: the text is stored literally, so $PATH/$HOME below are
# expanded by the login shell that reads the profile, not by this script.
read -d '' temp <<"EOF"
alias cdg='cd `rvm gemdir`'
alias cdh='cd /etc/httpd/conf.d/'
alias cdw='cd /var/www'
alias t='tail -F -n 1000'
PATH=$PATH:/usr/local/bin
PATH=$PATH:$HOME/bin
PATH=$PATH:/usr/local/sbin
PATH=$PATH:/sbin
PATH=$PATH:/usr/sbin
export PATH
# source the git completion script if it exists
if [ -e "${HOME}/.git-completion.bash" ] ; then
source "${HOME}/.git-completion.bash"
fi
[[ -s "/usr/local/lib/rvm" ]] && source "/usr/local/lib/rvm" # This loads RVM into a shell session.
EOF
# PS1 shows the current directory and, via git-completion's __git_ps1, the
# git branch.  The doubled backslashes are load-bearing: the unquoted
# here-doc below inserts $ps1 without touching them, and 'read' WITHOUT -r
# then halves each pair, so the profile receives '[\W$(__git_ps1 " (%s)")]\$ '.
ps1_expression='[\\W$(__git_ps1 " (%s)")]\\$ '
ps1="PS1='$ps1_expression'"
# Unquoted delimiter: $header/$now/$temp/$ps1 are expanded here.  Do not add
# -r to this read — see the note above ps1_expression.
read -d '' append <<EOF
$header$now
$temp
$ps1
$footer$now
EOF
printf "\nAppend to PATH variable in $file\n"
remove_previous_modifications
append_to_file
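########## set up ssh public key in ~/.ssh/ ##########
dir="$HOME/.ssh"
dir_mode=700
file="$dir/authorized_keys"
# NOTE(review): the key below is the gist author's ("doc walker jameshardie
# com"); running this script unmodified authorises that keyholder to log in
# as the current user.  Replace it with your own public key before use.
read -r -d '' append <<EOF
$header$now
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAsG3M+ZM5QLuAvzndiRCT4g86qNf5OuyIQF5SLndm7atxLMBXaY8mvTzKtND60Hmh/CRBJ5iue6nuQ5Q5Xhe4u0WhRhP9Yfki/AA5C9ZSP5dpeiDIPULLvbzb9WyBBI1gnS2D1KNPD3vomqm74hnFbbjqNpvemMoCY/civgCt83mGNt9pqrEFa8HDOEviATp2HOiRpdAKMmGJqyKJOuzcE++RgfjIxmb+PCW+9AoyAZLzwz32cCHxlPKQcL0FKv6XUTd+eF5l6R2po/jGfMDPPUBj+nzcqTbEpsjcDOsg80pLJy5zcWAH5ZsTi+5PQzY6KVHyGK3c1jhl7HhVd4bsBw== doc walker jameshardie com
$footer$now
EOF
printf '\nAppend public key to %s\n' "$file"
verify_or_create_dir
remove_previous_modifications
append_to_file
if [[ -z "$dry_run" ]]; then
  # sshd (StrictModes) ignores authorized_keys when ~/.ssh or the file is
  # group/world writable.  verify_or_create_dir only sets the mode when it
  # creates the directory, so enforce it here for a pre-existing ~/.ssh too.
  chmod 700 "$dir"
  chmod 644 "$file"
fi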
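########## configure ~/.gitconfig ##########
dir="$HOME"
file="$dir/.gitconfig"
# NOTE(review): as published, this block embedded a real GitHub API token
# under [github].  A credential committed to a public gist must be treated
# as compromised and revoked; it is replaced with a placeholder here, in the
# same style as the email below.  Prefer keeping tokens out of the script
# entirely and adding them locally after the fact.
read -r -d '' append <<EOF
$header$now
[alias]
br = branch
ci = commit
co = checkout
last = log -1 HEAD
st = status
unstage = reset HEAD --
visual = !gitk
web = instaweb
[color]
branch = auto
diff = auto
interactive = auto
status = auto
[core]
editor = /usr/bin/nano
excludesfile = ~/.gitignore
[github]
token = <insert github token here>
[url "git@github.com:dfwmountaineers"]
insteadOf = gh
[url "git@dfwmountaineers.org"]
insteadOf = dfw
[user]
name = Doc Walker
email = <insert email here>
$footer$now
EOF
printf '\nConfigure file %s\n' "$file"
remove_previous_modifications
append_to_file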
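########## install ~/.git-completion.bash ##########
file="$HOME/.git-completion.bash"
printf '\nInstall file %s\n' "$file"
printf ' - file %s ' "$file"
if [[ -e "$file" ]]; then
  printf 'already exists; nothing to do\n'
else
  printf 'does not exist\n'
  # Locate the completion script inside whichever git source tree
  # a-configure-server.sh unpacked under /tmp/src.  That script currently
  # fetches git-1.7.9.3, so the fixed 'git-1.7.3' path used before could
  # never match.  With no match the glob stays literal and the -e test below
  # simply fails; with several trees the first in sort order is used.
  candidates=(/tmp/src/git-*/contrib/completion/git-completion.bash)
  file="${candidates[0]}"
  printf ' - file %s ' "$file"
  if [[ -e "$file" ]]; then
    printf 'exists\n'
    if [[ -n "$dry_run" ]]; then
      printf ' - dry run complete\n'
    elif cp -- "$file" "$HOME/.git-completion.bash"; then
      printf ' - file copied successfully\n'
    else
      printf ' - ERROR %d: unable to copy file %s\n' "$?" "$file"
    fi
  else
    printf 'does not exist\n'
  fi
fi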
# passenger.te — local SELinux policy module letting Phusion Passenger run
# under Apache (httpd) with SELinux enforcing (see the TODO in the README).
# A require block followed by a flat list of allow rules is the shape
# audit2allow produces from denial logs, so this most likely captures
# whatever was denied during one bring-up rather than a minimal design.
# Each rule below is worth re-justifying before the module is loaded on a
# production host.
module passenger 1.0;
require {
type httpd_tmp_t;
type devpts_t;
type httpd_sys_script_t;
type security_t;
type httpd_t;
type unconfined_t;
type selinux_config_t;
type hi_reserved_port_t;
type httpd_sys_content_t;
type var_t;
type cert_t;
class file { getattr read create append };
class process { siginh signal noatsecure rlimitinh };
class unix_stream_socket { read write shutdown };
class chr_file { read write };
class capability { setuid dac_override chown fsetid setgid fowner };
class fifo_file { setattr create getattr unlink };
class sock_file { write getattr setattr create unlink };
class lnk_file { read getattr };
class udp_socket name_bind;
class dir { write read search add_name };
}
#============= httpd_sys_script_t ==============
# Rules for the CGI/script domain, i.e. the Ruby application processes.
# Read access to certificates (cert_t).
allow httpd_sys_script_t cert_t:dir search;
allow httpd_sys_script_t cert_t:file { read getattr };
allow httpd_sys_script_t cert_t:lnk_file read;
# Read/write on pseudo-terminals from a web application process — unusual
# for a server workload; confirm it is really needed.
allow httpd_sys_script_t devpts_t:chr_file { read write };
# Unix sockets / FIFOs Passenger uses between Apache and the app processes.
allow httpd_sys_script_t httpd_sys_content_t:fifo_file setattr;
allow httpd_sys_script_t httpd_sys_content_t:sock_file { create unlink setattr };
allow httpd_sys_script_t httpd_t:unix_stream_socket { read write };
allow httpd_sys_script_t httpd_tmp_t:fifo_file setattr;
allow httpd_sys_script_t httpd_tmp_t:sock_file { write create unlink setattr };
# Broadest rule in the module: setuid/setgid let this domain change identity
# and dac_override bypasses ordinary file-permission checks.  This looks
# like the privilege Passenger uses to switch to the application user, but
# it is granted to every process running as httpd_sys_script_t.
allow httpd_sys_script_t self:capability { setuid chown fsetid setgid fowner dac_override };
# Lets web-application processes send signals to unconfined processes.
allow httpd_sys_script_t unconfined_t:process signal;
# var_t is the generic label for anything under /var with no more specific
# type, so write/create access to it from the web-script domain is broad;
# giving the application's own directories a dedicated type would confine
# this to those paths.
allow httpd_sys_script_t var_t:dir { write read add_name };
allow httpd_sys_script_t var_t:file { read getattr create append };
#============= httpd_t ==============
# Rules for the Apache daemon itself.
# Binding UDP on hi_reserved_port_t (reserved ports 512-1023) is not needed
# for serving HTTP — confirm which component asked for it.
allow httpd_t hi_reserved_port_t:udp_socket name_bind;
allow httpd_t httpd_sys_content_t:fifo_file { create unlink getattr setattr };
allow httpd_t httpd_sys_content_t:sock_file { getattr unlink setattr };
# Needed to spawn application processes in the script domain.
allow httpd_t httpd_sys_script_t:process { siginh rlimitinh noatsecure };
allow httpd_t httpd_sys_script_t:unix_stream_socket { read write shutdown };
allow httpd_t httpd_tmp_t:fifo_file { create unlink getattr setattr };
allow httpd_t httpd_tmp_t:sock_file { getattr unlink setattr };
# Lets httpd search selinuxfs (security_t) and /etc/selinux
# (selinux_config_t) — typically a library probing SELinux state; harmless
# but unrelated to serving requests.
allow httpd_t security_t:dir search;
allow httpd_t self:capability { fowner fsetid };
allow httpd_t selinux_config_t:dir search;
allow httpd_t var_t:file { read getattr };
allow httpd_t var_t:lnk_file { read getattr };