Nurmukhamed/w_bareos.ks

## gistfile1.md

      
    Raw
  

              gistfile1.md
            
          
    Введение

Обновление от 18 октября 2018
Исправлена ошибка в documentolog.ks
Заменены пакеты php на php54 от remi, изменен kickstart файл
Обнаружился новый компонент Apache Solr, создан отдельный kickstart файл
Добрый день.
Меня зовут Нурмухамед Артыкалы, я работаю архитектором на проекте SKE.04 в АО "Самрук-Энерго".
Данная статья написано мной, на основе опыта полученого с работой системой документооборота от ТОО Документолог. Здесь зафиксированы все настройки необходимые для более безопасной работы системы документоборота. Будут использоваться kickstart для быстрого запуска установки операционной системы.
Вводные данные

Виртуальный сервер:

4 ядря;
8 ГБ ОЗУ;
8ГБ жесткого диска;
128ГБ жесткого диска;

Система документоборота:

Documentolog, V5.26;

Требования по информационной безопасности:


Пользователь root не должен иметь возможность войти в систему с консоли;
Пользователь root не должен иметь возможность войти в систему удаленно через openssh;
В Openssh должна работать по порту 2345;
В Openssh должна поддерживаться авторизацию RSA-публичный ключ;
В Openssh должна быть запрещена парольная авторизация;
В Openssh должна работать по протоколу 2;
В Openssh должен быть списко пользователей, которым разрешена удаленная авторизация;
Сетевая подсистема должна блокировать больше 4 обращений в течение 30 секунд;
Подсистема SELINUX должна быть включена и работать в режиме Enforcing;
Все сервисы должны быть настроены в соответствие с правилами SELINUX;
Политики СУБД, веб-сервера должны разрешать доступ к ресурсам необходимым для работы и блокировать доступ к иным ресурсам;

Установка ОС

Установка ОС будет производиться автоматизированно ( в идеале все должно работать на автомате) через kickstart. Для установки ОС необходимы kickstart-файлы:

sed-alfa.ks
base.ks
bareos.ks
documentolog.ks
nginx.ks
openssh.ks
php-fpm.ks
postgresql.ks
users.ks


В sed-alfa.ks настройки для данной машины - настройка сетевых интерфейсов, разбиение жесткого диска, установка необходимых пакетов;
В base.ks настройки общие для всех ОС - установка базовых пакетов, создание пользователей;
В bareos.ks настройки системы резервного хранения Bareos;
В documentolog.ks настройки системы документоборота;
В nginx.ks настройки веб-сервера Nginx;
В openssh.ks настройки, согласно политик безопасности;
В php-fpm.ks настройки для php;
В postgresql.ks настройка для СУБД Postgresql;
В users.ks настройки пользовательских директорий;

Разделение единого kickstart на отдельные файла позволяет более гибко работать с процессом установки ОС. Выденести части, которые общие для всех систем и сохранять в отдельном файле. В будущем фиксируем изменения в едином файле.
Для установки ОС нам нужен будет загрузчик, я использую ipxe.
На сайте rom-o-matic.eu выбираем опцию "ISO bootable image". В поле "Embeded script" вставляем содержимое файла w_settings.ipxe.
Результатом будет небольшой (около 1МБ) ISO-Образ, который будет использоваться для загрузки по сети установочных файлов.
Образ также работает в серверном окружение, где обычно отключен сервис DHCP и сервера назначаются статические адреса.
Структура системы документоборота

Расположимм систему документоборота в /var/lib/documentolog.

/var/lib/documentolog/cnt - файлы, в основном, отсканиированные документы;
/var/lib/documentolog/log - логи системы;
/var/lib/documentolog/srv - здесь храняться лицензии и доп.файлы;
/var/lib/documentolog/www - файлы для вебсервера;

Настройка СУБД Postgresql

В данный момент (середина октября 2018) настройки СУБД будут минимальными.
Вам необходимы два файла:

globals
${DATE}_documentolog.gz

Минимальные инструкции в файле w_psql.sh
В СУБД я не силен, поэтому руководствовался руководством резервного копирования от ТОО "Documentolog".
Настройка веб-сервера Nginx

Nginx будем настраивать в самом безопасном режиме.
В процессе написания я переключал Selinux в режим Permissive командой
setenforce Permissive
запускаем сервисы nginx php-fpm, смотрим в файле /var/log/audit/audit.log, к какому порту, файлу нет доступа.
Чтобы узнать какие у нас есть контектсы, запустим команду
semange fcontext -l | grep http | grep content
Я нашел два контекста, нужные мне:

httpd_sys_rw_content_t;
httpd_config_t;

И еще один контекст необходим, чтобы разрешить php-fpm связаться с СУБД

httpd_can_network_connect_db

Минимальные настройки в файле w_nginx.ks
Настройка php-fpm

Изменяем настройки под наши значения, меняем владельца папки и разрешаем для php-fpm доступ к СУБД.
Настройка Apache Tomcat, Apache Solr

Минимальные настройки в файле w_nginx.ks
Настройка SELINUX

TODO

  
## w_bareos.ks
url --url http://mirror/mirror/centos/7/os/x86_64
repo --name=updates             --baseurl=http://mirror/mirror/centos/7/updates/x86_64
repo --name=elrepo              --baseurl=http://mirror/mirror/elrepo/7/elrepo
repo --name=elrepo-kernel       --baseurl=http://mirror/mirror/elrepo/7/elrepo-kernel
repo --name=bareos              --baseurl=http://mirror/mirror/bareos/7
repo --name=epel                --baseurl=http://mirror/mirror/epel


# Partition clearing information
%packages
bareos-client
%end


%post --log=/root/post-bareos-log
cat > /etc/bareos/bareos-fd.d/client/myself.conf<<"EOF"
Client {
  Name = sed-alfa-fd
  Maximum Concurrent Jobs = 2
}
EOF

cat > /etc/bareos/bareos-fd.d/director/bareos-dir.conf <<"EOF"
Director {
  Name = bareos-dir
  Password = "somesecret-dir"
  Description = "Allow the configured Director to access this file daemon."
}
EOF

cat > /etc/bareos/bareos-fd.d/director/bareos-mon.conf <<"EOF"
Director {
  Name = bareos-mon
  Password = "somesecret-mon"
  Monitor = yes
  Description = "Restricted Director, used by tray-monitor to get the status of this file daemon."
}
EOF

firewall-offline-cmd --zone=public --add-service=bacula-client
%end

## w_base.ks
#version=DEVEL
# System authorization information
auth --enableshadow --passalgo=sha512
# Use HTTP installation media
url --url http://mirror/mirror/centos/7/os/x86_64
repo --name=updates             --baseurl=http://mirror/mirror/centos/7/updates/x86_64
repo --name=elrepo              --baseurl=http://mirror/mirror/elrepo/7/elrepo
repo --name=elrepo-kernel       --baseurl=http://mirror/mirror/elrepo/7/elrepo-kernel
repo --name=bareos              --baseurl=http://mirror/mirror/bareos/7
repo --name=epel                --baseurl=http://mirror/mirror/epel

# Keyboard layouts
keyboard --vckeymap=us --xlayouts='us'
# System language
lang en_US.UTF-8

# Root password
rootpw --iscrypted some-root-secret
# Do not configure the X Window System
skipx
# System timezone
timezone Asia/Almaty --isUtc
user --groups=wheel --name=user-a --password=some-user-a-secret --iscrypted --gecos="User Alfa"
user --groups=wheel --name=user-b --password=some-user-b-secret --iscrypted --gecos="User Bravo"
user --groups=wheel --name=user-c --password=some-user-c-secret --iscrypted --gecos="User Charlie"

# Partition clearing information
%packages
@core
kexec-tools
-iwl5000-firmware
-ivtv-firmware
-iwl3160-firmware
-iwl6050-firmware
-iwl105-firmware
-alsa-firmware
-aic94xx-firmware
-iwl6000g2a-firmware
-iwl6000g2b-firmware
-linux-firmware
-alsa-tools-firmware
-iwl6000-firmware
-iwl2000-firmware
-iwl5150-firmware
-iwl4965-firmware
-iwl7260-firmware
-iwl100-firmware
-iwl2030-firmware
-iwl135-firmware
-iwl1000-firmware
-iwl3945-firmware
-avahi-autoipd
-avahi-libs
-NetworkManager
-NetworkManager-team
-NetworkManager-tui
-NetworkManager-libnm
-avahi
-postfix
-wpa_supplicant
-teamd
-libteam
-tuned
kernel-ml
kernel-ml-headers
kernel-ml-tools
kernel-ml-tools-libs
-kernel
-kernel-headers
-kernel-tools
-kernel-tools-libs
policycoreutils-python
checkpolicy
vim
mc
wget
firewall-config.noarch
firewalld.noarch
firewalld-filesystem
%end

## w_documentolog.ks
%post --log=/root/post-documentolog-log

cat > /etc/nginx/sites-available/documentolog-http.conf<<"EOF"
server {
        listen 80;
        server_name edocs.somesite.kz;
        return 301 https://$host$request_uri;
}
EOF

cat > /etc/nginx/sites-available/documentolog-https.conf<<"EOF"
upstream php {
    server 127.0.0.1:9000;
}
server {
        listen 443 ssl; # managed by Certbot
        server_name     edocs.somesite.kz;
        root            /var/lib/documentolog/www;
        error_log /var/log/nginx/edocs-error.log;
        access_log /var/log/nginx/edocs-access.log main;

#        ssl_certificate /etc/letsencrypt/live/edocs.somesite.kz/fullchain.pem; # managed by Certbot
#        ssl_certificate_key /etc/letsencrypt/live/edocs.somesite.kz/privkey.pem; # managed by Certbot
#        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
        ssl_certificate "/etc/nginx/ssl/localhost.pem";
        ssl_certificate_key "/etc/nginx/ssl/localhost.pem";

        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout  10m;
        ssl_prefer_server_ciphers on;
        ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA HIGH !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";

        index           index.php;

        location ~ \.php$ {
                fastcgi_pass    php;
                fastcgi_index   index.php;
                fastcgi_read_timeout 600s;
                fastcgi_send_timeout 300s;
                fastcgi_param   SCRIPT_FILENAME  $document_root$fastcgi_script_name;
                include         fastcgi_params;
        }

        location /user/islogged {
                rewrite ^.+$ /sys/checkSession.php last;
        }

        location / {
                if (!-e $request_filename) {
                      rewrite ^/([-_a-zA-Z0-9\/]+)$ /index.php?$query_string&APP_PATH=/$1 last;
                      rewrite ^/([-_a-zA-Z0-9\/]+)$ /index.php?$query_string&APP_PATH=/$1 last;
                      rewrite ^(\/dav\/media\/.+)$ /index.php?$query_string&APP_PATH=/$1 last;
                }
        }
        location /backup {
                        autoindex on;
        }

        location ~ ^/(status|ping)$ {
                access_log off;
                allow 127.0.0.1;

## w_nginx.ks
url --url http://mirror/mirror/centos/7/os/x86_64
repo --name=updates             --baseurl=http://mirror/mirror/centos/7/updates/x86_64
repo --name=elrepo              --baseurl=http://mirror/mirror/elrepo/7/elrepo
repo --name=elrepo-kernel       --baseurl=http://mirror/mirror/elrepo/7/elrepo-kernel
repo --name=bareos              --baseurl=http://mirror/mirror/bareos/7
repo --name=epel                --baseurl=http://mirror/mirror/epel

# Partition clearing information
%packages
nginx
%end


%post --log=/root/post-nginx-log
echo "Removing default files"
rm -f /etc/nginx/*.default

echo "Creating additional folders"
mkdir -p /etc/nginx/sites-{enabled,available}
mkdir -p /etc/nginx/ssl

echo "Rewriting main config file"
cat > /etc/nginx/nginx.conf <<"EOF"
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;

pid /run/nginx.pid;

include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    error_log /var/log/nginx/error.log;
    access_log /var/log/nginx/access.log main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;

    default_type        application/octet-stream;
    include             /etc/nginx/mime.types;
    include             /etc/nginx/sites-enabled/*.conf;
}
EOF

echo "Creating default-http server settings file"
cat > /etc/nginx/sites-available/default-http.conf <<"EOF"
    server {
        listen       80 default_server;
        listen       [::]:80 default_server;
        server_name  _;
        root         /usr/share/nginx/html;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
        }

        error_page 404 /404.html;
            location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }
    }
EOF

echo "Creating default-https server settings file"
cat > /etc/nginx/sites-available/default-https.conf<<"EOF"
# Settings for a TLS enabled server.
#
    server {
        listen       443 ssl http2 default_server;
        listen       [::]:443 ssl http2 default_server;
        server_name  _;
        root         /usr/share/nginx/html;

        ssl_certificate "/etc/nginx/ssl/localhost.pem";
        ssl_certificate_key "/etc/nginx/ssl/localhost.pem";
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout  10m;
        ssl_prefer_server_ciphers on;
        ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA HIGH !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
        }

        error_page 404 /404.html;
            location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }
    }
EOF

echo "Make symbolic links to sites-enabled"
ln -s /etc/nginx/sites-available/default-http.conf /etc/nginx/sites-enabled/99_default-http.conf
ln -s /etc/nginx/sites-available/default-https.conf /etc/nginx/sites-enabled/99_default-https.conf

echo "Writing default.conf"
cat > /etc/nginx/default.d/default.conf<<"EOF"
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header Allow "GET, POST, HEAD" always;
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
# to disable content-type sniffing on some browsers.
add_header X-Content-Type-Options nosniff;

if ($request_method !~ ^(GET|HEAD|POST)$) {
   return 444;
}

server_tokens        off;

client_body_buffer_size  1k;
client_header_buffer_size 1k;
client_max_body_size 1k;
large_client_header_buffers 2 1k;
gzip off;
EOF

/etc/pki/tls/certs/make-dummy-cert /etc/nginx/ssl/localhost.pem

chown -R nginx:nginx /etc/nginx
semanage fcontext -a -t httpd_config_t "/etc/nginx(./*)?"
restorecon -Rv /etc/nginx

firewall-offline-cmd --zone=public --add-service=http
firewall-offline-cmd --zone=public --add-service=https
%end

## w_openssh.ks
%post --log=/root/post-openssh-log
echo "Changing root shell"
usermod -s /sbin/nologin root

echo "Disabling root access via console"
rm -f /etc/securetty
touch /etc/securetty

echo "Disabling root access via ssh"
sed -i "s%#PermitRootLogin yes%PermitRootLogin no%" /etc/ssh/sshd_config

echo "Only Protocol 2 is allowed for sshd"
echo "Protocol 2" >> /etc/ssh/sshd_config

echo "Changing sshd port to 2345"
sed -i "s%^#Port 22%Port 2345%" /etc/ssh/sshd_config
semanage port -a -t ssh_port_t -p tcp 2345

echo "Disabling empty passwords"
sed -i "s%^#PermitEmptyPasswords yes%PermitEmptyPasswords no%" /etc/ssh/sshd_config

echo "Disabling password authentication via ssh"
sed -i "s%^#PasswordAuthentication yes%#PasswordAuthentication no%" /etc/ssh/sshd_config
sed -i "s%^PasswordAuthentication yes%PasswordAuthentication no%" /etc/ssh/sshd_config

echo "Enabling rsa pubkey"
sed -i "s%^#RSAAuthentication yes%RSAAuthentication yes%" /etc/ssh/sshd_config

echo "Disabling weak ciphers"
echo "Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr" >> /etc/ssh/sshd_config

echo "Enabling only users listed in /etc/ssh/sshd_allow"
echo "auth required pam_listfile.so item=user sense=allow file=/etc/sshd/sshd_allow onerr=fail" >> /etc/pam.d/sshd
echo "user-a"  > /etc/ssh/sshd_allow
echo "user-b" >> /etc/ssh/sshd_allow
echo "user-b"  >> /etc/ssh/sshd_allow
chmod o-w /etc/ssh/sshd_allow

echo "Setting firewalld rules for ssh"
firewall-offline-cmd --direct --add-rule ipv4 filter INPUT_direct 0 -p tcp --dport 2345 -m state --state NEW -m recent --set
firewall-offline-cmd --direct --add-rule ipv6 filter INPUT_direct 0 -p tcp --dport 2345 -m state --state NEW -m recent --set
firewall-offline-cmd --direct --add-rule ipv4 filter INPUT_direct 1 -p tcp --dport 2345 -m state --state NEW -m recent --update --seconds 30 --hitcount 4 -j REJECT --reject-with tcp-reset
firewall-offline-cmd --direct --add-rule ipv6 filter INPUT_direct 1 -p tcp --dport 2345 -m state --state NEW -m recent --update --seconds 30 --hitcount 4 -j REJECT --reject-with tcp-reset
firewall-offline-cmd --new-service=ssh-on-2345
firewall-offline-cmd --service=ssh-on-2345 --add-port=2345/tcp
firewall-offline-cmd --zone=public --add-service=ssh-on-2345

%end

## w_php_fpm.ks
# Use HTTP installation media
url --url http://10.104.51.11/mirror/centos/7/os/x86_64
repo --name=updates             --baseurl=http://10.104.51.11/mirror/centos/7/updates/x86_64
repo --name=elrepo              --baseurl=http://10.104.51.11/mirror/elrepo/7/elrepo
repo --name=elrepo-kernel       --baseurl=http://10.104.51.11/mirror/elrepo/7/elrepo-kernel
repo --name=bareos              --baseurl=http://10.104.51.11/mirror/bareos/7
repo --name=epel                --baseurl=http://10.104.51.11/mirror/epel
repo --name=remi                --baseurl=http://10.104.51.11/mirror/remi/7/remi
# Partition clearing information
%packages
php54-php-common
php54-php
php54-php-pear
php54-php-mbstring
php54-php-cli
php54-php-process
php54-php-xml
php54-php-devel
php54-php-pgsql
php54-php-ldap
php54-php-soap
php54-php-pdo
php54-php-gd
php54-php-fpm
php54-php-mcrypt
php54-php-pecl-imagick
php54-php-pecl-zip
%end

%post  --log=/root/post-php-fpm-log
sed -i "s%^short_open_tag = Off%short_open_tag = On%" /opt/remi/php54/root/etc/php.ini
sed -i "s%^;listen.owner = nobody%listen.owner = nginx%" /opt/remi/php54/root/etc/php-fpm.d/www.conf
sed -i "s%^;listen.group = nobody%listen.group = nginx%" /opt/remi/php54/root/etc/php-fpm.d/www.conf
sed -i "s%^user = apache%user = nginx%" /opt/remi/php54/root/etc/php-fpm.d/www.conf
sed -i "s%^group = apache%group = nginx%" /opt/remi/php54/root/etc/php-fpm.d/www.conf
sed -i "s%^;listen.mode = 0666%listen.mode = 0666%" /opt/remi/php54/root/etc/php-fpm.d/www.conf

setsebool -P httpd_can_network_connect_db 1

chown root:nginx  /opt/remi/php54/root/var/lib/php/session

systemctl enable php54-php-fpm
%end

## w_postgresql.ks
# Use HTTP installation media
url --url http://mirror/mirror/centos/7/os/x86_64
repo --name=updates             --baseurl=http://mirror/mirror/centos/7/updates/x86_64
repo --name=elrepo              --baseurl=http://mirror/mirror/elrepo/7/elrepo
repo --name=elrepo-kernel       --baseurl=http://mirror/mirror/elrepo/7/elrepo-kernel
repo --name=bareos              --baseurl=http://mirror/mirror/bareos/7
repo --name=epel                --baseurl=http://mirror/mirror/epel

# Partition clearing information
%packages
postgresql
postgresql-server
postgresql-libs
postgresql-contrib
%end

%post --log=/root/post-postgresql-log
cat > /etc/systemd/system/postgresql-init.service<<"EOF"
[Unit]
Description=Setup foo
#After=network.target

[Service]
Type=oneshot
ExecStart=/usr/local/bin/postgresql-init.sh
RemainAfterExit=false
StandardOutput=journal

[Install]
WantedBy=multi-user.target
EOF

systemctl enable postgresql-init.service

cat >/usr/local/bin/postgresql-init.sh<<"EOFF"
#!/bin/bash

postgresql-setup initdb

cat >/var/lib/pgsql/data/pg_hba.conf<<"EOF"
local   all             all                                     peer
host    all             all             127.0.0.1/32            md5
host    all             all             ::1/128                 md5
EOF

chown postgres:postgres /var/lib/pgsql/data/pg_hba.conf

systemctl start postgresql
systemctl disable postresql-init.service

rm -f /etc/systemd/system/postgresql-init.service
rm -f /usr/local/bin/postgresql-init.sh
EOFF

chmod +x /usr/local/bin/postgresql-init.sh

%end

## w_sed-alfa.ks
# Use HTTP installation media
url --url http://mirror/mirror/centos/7/os/x86_64
repo --name=updates             --baseurl=http://mirror/mirror/centos/7/updates/x86_64
repo --name=elrepo              --baseurl=http://mirror/mirror/elrepo/7/elrepo
repo --name=elrepo-kernel       --baseurl=http://mirror/mirror/elrepo/7/elrepo-kernel
repo --name=bareos              --baseurl=http://mirror/mirror/bareos/7
repo --name=epel                --baseurl=http://mirror/mirror/epel
# Use text mode install
text
# Run the Setup Agent on first boot
firstboot --enable
shutdown

# Set selinux to Enforcing
selinux --enforcing

# Set services list enabled and disabled
services --enabled=nginx,php-fpm,postgresql,firewalld,rsyslog,bareos-fd

# Network information
network  --bootproto=static --device=eth0 --gateway=somegw --ip=someip --nameserver=somedns --netmask=somenet --noipv6 --activate
network  --hostname=sed-alfa

# System bootloader configuration
bootloader --append=" crashkernel=auto" --location=mbr --boot-drive=sda
clearpart --all --initlabel --drives=sda,sdb

part /boot/efi  --fstype=vfat   --ondisk=sda --size=256
part /boot      --recommended
part swap       --recommended
part /          --fstype=xfs    --ondisk=sda --size=1 --grow
part /var/lib   --fstype=xfs    --ondisk=sdb --size=1 --grow --fsoptions="defaults,nosuid,noexec,nodev"

%include /tmp/base.ks
%include /tmp/nginx.ks
%include /tmp/php-fpm.ks
%include /tmp/postgresql.ks
%include /tmp/documentolog.ks
%include /tmp/openssh.ks
%include /tmp/users.ks
%include /tmp/bareos.ks

%pre
curl -o /tmp/base.ks            http://mirror/mirror/ks/base.ks
curl -o /tmp/nginx.ks           http://mirror/mirror/ks/nginx.ks
curl -o /tmp/php-fpm.ks         http://mirror/mirror/ks/php-fpm.ks
curl -o /tmp/documentolog.ks    http://mirror/mirror/ks/documentolog.ks
curl -o /tmp/postgresql.ks      http://mirror/mirror/ks/postgresql.ks
curl -o /tmp/openssh.ks         http://mirror/mirror/ks/openssh.ks
curl -o /tmp/users.ks           http://mirror/mirror/ks/users.ks
curl -o /tmp/bareos.ks          http://mirror/mirror/ks/bareos.ks
%end

## w_settings.ipxe
#!ipxe

set base http://mirror/mirror/centos/7/os/

set ip 192.168.1.200
set netmask 255.255.255.0
set gateway 192.168.1.1
set dns 192.168.1.2
set kickstart http://mirror/mirror/ks/sed-alfa.ks

kernel ${base}/images/pxeboot/vmlinuz initrd=initrd.img repo=${base} ip=${ip} netmask=${netmask} gateway=${gateway} nameserver=${dns} inst.ks=${ks}
initrd ${base}/images/pxeboot/initrd.img
boot

## w_tomcat.ks
url --url http://mirror/mirror/centos/7/os/x86_64
repo --name=updates             --baseurl=http://mirror/mirror/centos/7/updates/x86_64
repo --name=elrepo              --baseurl=http://mirror/mirror/elrepo/7/elrepo
repo --name=elrepo-kernel       --baseurl=http://mirror/mirror/elrepo/7/elrepo-kernel
repo --name=bareos              --baseurl=http://mirror/mirror/bareos/7
repo --name=epel                --baseurl=http://mirror/mirror/epel


# Partition clearing information
%packages
tomcat
%end


%post --log=/root/post-tomcat-log
echo "creating /etc/tomcat/server.xml"

cat > /etc/tomcat/server.xml << "EOF"
<?xml version='1.0' encoding='utf-8'?>
<Server port="-1" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <Listener className="org.apache.catalina.core.JasperListener" />
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
  <GlobalNamingResources>
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />
  </GlobalNamingResources>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               Server=" "
               Address="127.0.0.1"
               redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" Address="127.0.0.1" />
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
      </Realm>
      <Host name="localhost"  appBase="webapps"
            unpackWARs="true" autoDeploy="true">
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="localhost_access_log." suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" />
      </Host>
    </Engine>
  </Service>
</Server>
EOF

echo "Creating /etc/tomcat/context.xml"
cat > /etc/tomcat/context.xml << "EOF"
<?xml version='1.0' encoding='utf-8'?>
<Context>
    <WatchedResource>WEB-INF/web.xml</WatchedResource>
</Context>
EOF

echo "Creating /etc/tomcat/Catalina/localhost/solr.xml"
cat > /etc/tomcat/Catalina/localhost/solr.xml << "EOF"
<?xml version="1.0" encoding="utf-8"?>
<Context docBase="/var/lib/documentolog/tomcat/solr.war" debug="0" crossContext="true">
  <Environment name="solr/home" type="java.lang.String" value="/var/lib/documentolog/tomcat/" override="true"/>
</Context>
EOF

echo "Creating /var/lib/documentolog/tomcat"
mkdir /var/lib/documentolog/tomcat

echo "Creating /var/lib/documentolog/solr.xml"
cat > /var/lib/documentolog/tomcat/solr.xml << "EOF"
<?xml version="1.0" encoding="UTF-8" ?>
<solr persistent="false">
  <cores adminPath="/admin/cores" host="${host:}" hostPort="${jetty.port:8983}" hostContext="${hostContext:solr}">
    <core name="core0" instanceDir="core0" />
  </cores>
</solr>
EOF

echo "Creating /var/lib/documentolog/zoo.cfg"
cat > /var/lib/documentolog/tomcat/zoo.cfg << "EOF"
tickTime=2000
initLimit=10
syncLimit=5
EOF

echo "Downloading jars"
curl -o /usr/share/tomcat/lib/jcl-over-slf4j-1.6.6.jar  http://mirror/mirror/solr/jar/jcl-over-slf4j-1.6.6.jar
curl -o /usr/share/tomcat/lib/jul-to-slf4j-1.6.6.jar    http://mirror/mirror/solr/jar/jul-to-slf4j-1.6.6.jar
curl -o /usr/share/tomcat/lib/log4j-1.2.16.jar          http://mirror/mirror/solr/jar/log4j-1.2.16.jar
curl -o /usr/share/tomcat/lib/slf4j-api-1.6.6.jar       http://mirror/mirror/solr/jar/slf4j-api-1.6.6.jar
curl -o /usr/share/tomcat/lib/slf4j-log4j12-1.6.6.jar   http://mirror/mirror/solr/jar/slf4j-log4j12-1.6.6.jar

echo "Download solr.war"
curl -o /var/lib/documentolog/tomcat/solr.war           http://mirror/mirror/solr/war/solr.war

echo "Downloading indices"
curl -o /var/lib/documentolog/tomcat/core0.tar.gz       http://mirror/mirror/solr/aes/core0.tar.gz

echo "Extractiong indices"
cd /var/lib/documentolog/tomcat
tar zxvf core0.tar.gz

echo "Enabling tomcat services"
systemctl enable tomcat
echo "Set SELINUX permission"
chown tomcat:tomcat -R /etc/tomcat
semanage fcontext -a -t etc_t "/etc/tomcat(/.*)?"
restorecon -Rv /etc/tomcat

chown tomcat:tomcat -R /var/lib/documentolog/tomcat
semanage fcontext -a -t tomcat_var_lib_t "/var/lib/documentolog/tomcat(/.*)?"
restorecon -Rv /var/lib/documentolog/tomcat

chown root:root -R "/usr/share/tomcat/lib/*.jar"
semanage fcontext -a -t lib_t "/usr/share/tomcat/lib(/.*)?"
restorecon -Rv /usr/share/tomcat/lib

## w_users.ks
%post --log=/root/post-users-log

echo "Add rsa pubkey to .ssh user folders"
declare -A sshkeys
sshkeys["user-a"]="ssh-rsa some-user-a-rsa-pubkey"
sshkeys["user-b"]="ssh-rsa some-user-b-rsa-pubkey"
sshkeys["user-c"]="ssh-rsa some-user-c-rsa-pubkey"

for user in user-a user-b user-c; do
mkdir /home/${user}/.ssh
chmod 700 /home/${user}/.ssh
echo "${sshkeys["${user}"]}" > /home/${user}/.ssh/authorized_keys
chmod 600 /home/${user}/.ssh/authorized_keys
chown ${user}:${user} -R /home/${user}/.ssh
done
%end
	url --url http://mirror/mirror/centos/7/os/x86_64
	repo --name=updates --baseurl=http://mirror/mirror/centos/7/updates/x86_64
	repo --name=elrepo --baseurl=http://mirror/mirror/elrepo/7/elrepo
	repo --name=elrepo-kernel --baseurl=http://mirror/mirror/elrepo/7/elrepo-kernel
	repo --name=bareos --baseurl=http://mirror/mirror/bareos/7
	repo --name=epel --baseurl=http://mirror/mirror/epel


	# Partition clearing information
	%packages
	bareos-client
	%end


	%post --log=/root/post-bareos-log
	cat > /etc/bareos/bareos-fd.d/client/myself.conf<<"EOF"
	Client {
	Name = sed-alfa-fd
	Maximum Concurrent Jobs = 2
	}
	EOF

	cat > /etc/bareos/bareos-fd.d/director/bareos-dir.conf <<"EOF"
	Director {
	Name = bareos-dir
	Password = "somesecret-dir"
	Description = "Allow the configured Director to access this file daemon."
	}
	EOF

	cat > /etc/bareos/bareos-fd.d/director/bareos-mon.conf <<"EOF"
	Director {
	Name = bareos-mon
	Password = "somesecret-mon"
	Monitor = yes
	Description = "Restricted Director, used by tray-monitor to get the status of this file daemon."
	}
	EOF

	firewall-offline-cmd --zone=public --add-service=bacula-client
	%end
	#version=DEVEL
	# System authorization information
	auth --enableshadow --passalgo=sha512
	# Use HTTP installation media
	url --url http://mirror/mirror/centos/7/os/x86_64
	repo --name=updates --baseurl=http://mirror/mirror/centos/7/updates/x86_64
	repo --name=elrepo --baseurl=http://mirror/mirror/elrepo/7/elrepo
	repo --name=elrepo-kernel --baseurl=http://mirror/mirror/elrepo/7/elrepo-kernel
	repo --name=bareos --baseurl=http://mirror/mirror/bareos/7
	repo --name=epel --baseurl=http://mirror/mirror/epel

	# Keyboard layouts
	keyboard --vckeymap=us --xlayouts='us'
	# System language
	lang en_US.UTF-8

	# Root password
	rootpw --iscrypted some-root-secret
	# Do not configure the X Window System
	skipx
	# System timezone
	timezone Asia/Almaty --isUtc
	user --groups=wheel --name=user-a --password=some-user-a-secret --iscrypted --gecos="User Alfa"
	user --groups=wheel --name=user-b --password=some-user-b-secret --iscrypted --gecos="User Bravo"
	user --groups=wheel --name=user-c --password=some-user-c-secret --iscrypted --gecos="User Charlie"

	# Partition clearing information
	%packages
	@core
	kexec-tools
	-iwl5000-firmware
	-ivtv-firmware
	-iwl3160-firmware
	-iwl6050-firmware
	-iwl105-firmware
	-alsa-firmware
	-aic94xx-firmware
	-iwl6000g2a-firmware
	-iwl6000g2b-firmware
	-linux-firmware
	-alsa-tools-firmware
	-iwl6000-firmware
	-iwl2000-firmware
	-iwl5150-firmware
	-iwl4965-firmware
	-iwl7260-firmware
	-iwl100-firmware
	-iwl2030-firmware
	-iwl135-firmware
	-iwl1000-firmware
	-iwl3945-firmware
	-avahi-autoipd
	-avahi-libs
	-NetworkManager
	-NetworkManager-team
	-NetworkManager-tui
	-NetworkManager-libnm
	-avahi
	-postfix
	-wpa_supplicant
	-teamd
	-libteam
	-tuned
	kernel-ml
	kernel-ml-headers
	kernel-ml-tools
	kernel-ml-tools-libs
	-kernel
	-kernel-headers
	-kernel-tools
	-kernel-tools-libs
	policycoreutils-python
	checkpolicy
	vim
	mc
	wget
	firewall-config.noarch
	firewalld.noarch
	firewalld-filesystem
	%end
	%post --log=/root/post-documentolog-log

	cat > /etc/nginx/sites-available/documentolog-http.conf<<"EOF"
	server {
	listen 80;
	server_name edocs.somesite.kz;
	return 301 https://$host$request_uri;
	}
	EOF

	cat > /etc/nginx/sites-available/documentolog-https.conf<<"EOF"
	upstream php {
	server 127.0.0.1:9000;
	}
	server {
	listen 443 ssl; # managed by Certbot
	server_name edocs.somesite.kz;
	root /var/lib/documentolog/www;
	error_log /var/log/nginx/edocs-error.log;
	access_log /var/log/nginx/edocs-access.log main;

	# ssl_certificate /etc/letsencrypt/live/edocs.somesite.kz/fullchain.pem; # managed by Certbot
	# ssl_certificate_key /etc/letsencrypt/live/edocs.somesite.kz/privkey.pem; # managed by Certbot
	# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
	ssl_certificate "/etc/nginx/ssl/localhost.pem";
	ssl_certificate_key "/etc/nginx/ssl/localhost.pem";

	ssl_session_cache shared:SSL:1m;
	ssl_session_timeout 10m;
	ssl_prefer_server_ciphers on;
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA HIGH !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";

	index index.php;

	location ~ \.php$ {
	fastcgi_pass php;
	fastcgi_index index.php;
	fastcgi_read_timeout 600s;
	fastcgi_send_timeout 300s;
	fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
	include fastcgi_params;
	}

	location /user/islogged {
	rewrite ^.+$ /sys/checkSession.php last;
	}

	location / {
	if (!-e $request_filename) {
	rewrite ^/([-_a-zA-Z0-9\/]+)$ /index.php?$query_string&APP_PATH=/$1 last;
	rewrite ^/([-_a-zA-Z0-9\/]+)$ /index.php?$query_string&APP_PATH=/$1 last;
	rewrite ^(\/dav\/media\/.+)$ /index.php?$query_string&APP_PATH=/$1 last;
	}
	}
	location /backup {
	autoindex on;
	}

	location ~ ^/(status\|ping)$ {
	access_log off;
	allow 127.0.0.1;
	%post --log=/root/post-openssh-log
	echo "Changing root shell"
	usermod -s /sbin/nologin root

	echo "Disabling root access via console"
	rm -f /etc/securetty
	touch /etc/securetty

	echo "Disabling root access via ssh"
	sed -i "s%#PermitRootLogin yes%PermitRootLogin no%" /etc/ssh/sshd_config

	echo "Only Protocol 2 is allowed for sshd"
	echo "Protocol 2" >> /etc/ssh/sshd_config

	echo "Changing sshd port to 2345"
	sed -i "s%^#Port 22%Port 2345%" /etc/ssh/sshd_config
	semanage port -a -t ssh_port_t -p tcp 2345

	echo "Disabling empty passwords"
	sed -i "s%^#PermitEmptyPasswords yes%PermitEmptyPasswords no%" /etc/ssh/sshd_config

	echo "Disabling password authentication via ssh"
	sed -i "s%^#PasswordAuthentication yes%#PasswordAuthentication no%" /etc/ssh/sshd_config
	sed -i "s%^PasswordAuthentication yes%PasswordAuthentication no%" /etc/ssh/sshd_config

	echo "Enabling rsa pubkey"
	sed -i "s%^#RSAAuthentication yes%RSAAuthentication yes%" /etc/ssh/sshd_config

	echo "Disabling weak ciphers"
	echo "Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr" >> /etc/ssh/sshd_config

	echo "Enabling only users listed in /etc/ssh/sshd_allow"
	echo "auth required pam_listfile.so item=user sense=allow file=/etc/sshd/sshd_allow onerr=fail" >> /etc/pam.d/sshd
	echo "user-a" > /etc/ssh/sshd_allow
	echo "user-b" >> /etc/ssh/sshd_allow
	echo "user-b" >> /etc/ssh/sshd_allow
	chmod o-w /etc/ssh/sshd_allow

	echo "Setting firewalld rules for ssh"
	firewall-offline-cmd --direct --add-rule ipv4 filter INPUT_direct 0 -p tcp --dport 2345 -m state --state NEW -m recent --set
	firewall-offline-cmd --direct --add-rule ipv6 filter INPUT_direct 0 -p tcp --dport 2345 -m state --state NEW -m recent --set
	firewall-offline-cmd --direct --add-rule ipv4 filter INPUT_direct 1 -p tcp --dport 2345 -m state --state NEW -m recent --update --seconds 30 --hitcount 4 -j REJECT --reject-with tcp-reset
	firewall-offline-cmd --direct --add-rule ipv6 filter INPUT_direct 1 -p tcp --dport 2345 -m state --state NEW -m recent --update --seconds 30 --hitcount 4 -j REJECT --reject-with tcp-reset
	firewall-offline-cmd --new-service=ssh-on-2345
	firewall-offline-cmd --service=ssh-on-2345 --add-port=2345/tcp
	firewall-offline-cmd --zone=public --add-service=ssh-on-2345

	%end
	# Use HTTP installation media
	url --url http://10.104.51.11/mirror/centos/7/os/x86_64
	repo --name=updates --baseurl=http://10.104.51.11/mirror/centos/7/updates/x86_64
	repo --name=elrepo --baseurl=http://10.104.51.11/mirror/elrepo/7/elrepo
	repo --name=elrepo-kernel --baseurl=http://10.104.51.11/mirror/elrepo/7/elrepo-kernel
	repo --name=bareos --baseurl=http://10.104.51.11/mirror/bareos/7
	repo --name=epel --baseurl=http://10.104.51.11/mirror/epel
	repo --name=remi --baseurl=http://10.104.51.11/mirror/remi/7/remi
	# Partition clearing information
	%packages
	php54-php-common
	php54-php
	php54-php-pear
	php54-php-mbstring
	php54-php-cli
	php54-php-process
	php54-php-xml
	php54-php-devel
	php54-php-pgsql
	php54-php-ldap
	php54-php-soap
	php54-php-pdo
	php54-php-gd
	php54-php-fpm
	php54-php-mcrypt
	php54-php-pecl-imagick
	php54-php-pecl-zip
	%end

	%post --log=/root/post-php-fpm-log
	sed -i "s%^short_open_tag = Off%short_open_tag = On%" /opt/remi/php54/root/etc/php.ini
	sed -i "s%^;listen.owner = nobody%listen.owner = nginx%" /opt/remi/php54/root/etc/php-fpm.d/www.conf
	sed -i "s%^;listen.group = nobody%listen.group = nginx%" /opt/remi/php54/root/etc/php-fpm.d/www.conf
	sed -i "s%^user = apache%user = nginx%" /opt/remi/php54/root/etc/php-fpm.d/www.conf
	sed -i "s%^group = apache%group = nginx%" /opt/remi/php54/root/etc/php-fpm.d/www.conf
	sed -i "s%^;listen.mode = 0666%listen.mode = 0666%" /opt/remi/php54/root/etc/php-fpm.d/www.conf

	setsebool -P httpd_can_network_connect_db 1

	chown root:nginx /opt/remi/php54/root/var/lib/php/session

	systemctl enable php54-php-fpm
	%end
	#!ipxe

	set base http://mirror/mirror/centos/7/os/

	set ip 192.168.1.200
	set netmask 255.255.255.0
	set gateway 192.168.1.1
	set dns 192.168.1.2
	set kickstart http://mirror/mirror/ks/sed-alfa.ks

	kernel ${base}/images/pxeboot/vmlinuz initrd=initrd.img repo=${base} ip=${ip} netmask=${netmask} gateway=${gateway} nameserver=${dns} inst.ks=${ks}
	initrd ${base}/images/pxeboot/initrd.img
	boot
	%post --log=/root/post-users-log

	echo "Add rsa pubkey to .ssh user folders"
	declare -A sshkeys
	sshkeys["user-a"]="ssh-rsa some-user-a-rsa-pubkey"
	sshkeys["user-b"]="ssh-rsa some-user-b-rsa-pubkey"
	sshkeys["user-c"]="ssh-rsa some-user-c-rsa-pubkey"

	for user in user-a user-b user-c; do
	mkdir /home/${user}/.ssh
	chmod 700 /home/${user}/.ssh
	echo "${sshkeys["${user}"]}" > /home/${user}/.ssh/authorized_keys
	chmod 600 /home/${user}/.ssh/authorized_keys
	chown ${user}:${user} -R /home/${user}/.ssh
	done
	%end