@zavarat
Forked from AfroThundr3007730/00-genieacs.md
Created June 8, 2018 06:28
My notes on setting up and configuring GenieACS.

Config files to get GenieACS up and running on Debian Testing, complete with GUI, Nginx SSL proxy, and systemd services.

Following the documentation here for dependencies, here for initial setup, then the wiki here for Nginx and SSL, should get you most of the way there. After that, I had a lot of googling to do, the results of which you can find below.

| Filename | Description |
|---|---|
| 01-install.sh | The installation instructions and commands. |
| 02-config.json | The genieacs services configuration. |
| 03-openssl.cnf | The openssl certificate configuration. |
| 04-.env | The environmental variables for genieacs-gui. |
| 05-Gemfile | The modification to accommodate the dotenv gem. |
| 06-nginx.conf | Modified nginx configuration to beef up security. |
| 07-genieacs.conf | The genieacs web host configuration. |
| 08-ms-htpasswd | The http_basic auth file for the service endpoints. |
| 09-genieacs-cwmp.service | The genieacs-cwmp systemd service file. |
| 10-genieacs-nbi.service | The genieacs-nbi systemd service file. |
| 11-genieacs-fs.service | The genieacs-fs systemd service file. |
| 12-genieacs-gui.service | The genieacs-gui systemd service file. |
#!/bin/sh
# GenieACS installation steps and dependencies
# Don't try to just run this script directly!
##
# Install necessary packages
##
# NOTE: Ensure you have the upstream node repo in your sources.list
apt install curl wget vim git subversion openssl nodejs ruby bundler mongodb \
redis-server redis-tools nginx-full build-essential autoconf automake \
libtool bison tcl sqlite libsqlite3-0 libsqlite3-dev libxml2 libxml2-dev \
zlib1g zlib1g-dev libssl-dev libreadline-dev libxslt-dev libncurses5-dev
##
# Clone and setup genieacs
##
cd /opt; git clone https://github.com/zaidka/genieacs.git
cd genieacs; git checkout $(git tag -l v1.1.1)
# Build node modules
npm install; npm run compile
# Setup config files
mv config/auth{-sample,}.js
mv config/config{-sample,}.json
mv config/ext{-sample,}.js
# NOTE: Copy my config.json over existing config/config.json file
chmod 0700 config; cd config; mkdir cert
# NOTE: If you have your own certs already, skip the rest of this section
# NOTE: Copy my openssl.cnf into config/cert directory
openssl ecparam -genkey -name secp384r1 -out cert/genieacs.key
# To prevent prompting for certificate CN, `-subj` was added
openssl req -new -key cert/genieacs.key -days 370 -sha384 \
-out cert/genieacs.csr -subj "/"
openssl x509 -req -in cert/genieacs.csr -signkey cert/genieacs.key \
-out cert/genieacs.crt -extfile cert/openssl.cnf -extensions acs_cert \
-days 370 -sha384
chmod 0700 cert; chmod 0600 cert/genieacs.key; cd ..
# Create certificate symlinks (necessary for genieacs)
ln -s cert/genieacs.crt web.crt; ln -s cert/genieacs.key web.key
ln -s cert/genieacs.crt cwmp.crt; ln -s cert/genieacs.key cwmp.key
ln -s cert/genieacs.crt nbi.crt; ln -s cert/genieacs.key nbi.key
ln -s cert/genieacs.crt fs.crt; ln -s cert/genieacs.key fs.key
##
# Clone and setup genieacs-gui
##
cd /opt; git clone https://github.com/zaidka/genieacs-gui.git
cd genieacs-gui
# Setup config files
mv config/graphs{-sample,}.json.erb
mv config/index_parameters{-sample,}.yml
mv config/summary_parameters{-sample,}.yml
mv config/parameters_edit{-sample,}.yml
mv config/parameter_renderers{-sample,}.yml
mv config/roles{-sample,}.yml
mv config/users{-sample,}.yml
# Build gems
bundle
# Add dotenv gem to handle environmental variables file
gem install dotenv
# NOTE: Copy .env file into place in genieacs-gui directory
# Generate your own secret_key_base for .env file
echo SECRET_KEY_BASE=$(RAILS_ENV="production" rails secret) >> .env
# NOTE: Add the dotenv from this repo to the beginning of your Gemfile
gem update; bundle update
# NOTE: Had several dependency problems fixed by tweaking the Gemfile
# Change json line to: 'json', '=1.8.6'
# Change puma line to: 'puma', '=3.8'
# Change rails line to: 'rails', '>5.0.0'
# Also need to precompile assets so they show up under ./public
bin/rake assets:precompile
##
# Nginx setup and configuration
##
systemctl enable nginx
cd /etc/nginx
# NOTE: Modify nginx.conf with the lines from this repo.
# NOTE: Copy genieacs.conf file into sites-available directory
ln -s sites-available/genieacs.conf sites-enabled/
# Create creds for basic_auth on non-web endpoints
echo username:$(openssl passwd -apr1) >> ms-htpasswd
systemctl restart nginx
##
# Systemd service integration
##
# Create genieacs user and fix directory permissions
# Debian's adduser creates system accounts with --system (useradd's -r is not an adduser option)
adduser --system --home /opt/genieacs genieacs
chown -R genieacs:www-data /opt/genieacs{,-gui}
# Create log file directory and files
mkdir /var/log/genieacs && touch /var/log/genieacs/{cwmp,nbi,fs}{,-access}.log
chown -R genieacs:genieacs /var/log/genieacs
# NOTE: Copy all the systemd service files into /etc/systemd/system/
systemctl daemon-reload
systemctl enable genieacs-cwmp; systemctl start genieacs-cwmp
systemctl enable genieacs-nbi; systemctl start genieacs-nbi
systemctl enable genieacs-fs; systemctl start genieacs-fs
systemctl enable genieacs-gui; systemctl start genieacs-gui
# That should be the end of it.
#/opt/genieacs/config/config.json (remove this line in actual file)
{
"MONGODB_CONNECTION_URL" : "mongodb://127.0.0.1/genieacs",
"REDIS_PORT" : "6379",
"REDIS_HOST" : "127.0.0.1",
"CWMP_INTERFACE" : "127.0.0.1",
"CWMP_PORT" : 7547,
"CWMP_SSL" : false,
"CWMP_LOG_FILE" : "/var/log/genieacs/cwmp.log",
"CWMP_ACCESS_LOG_FILE" : "/var/log/genieacs/cwmp-access.log",
"NBI_INTERFACE" : "127.0.0.1",
"NBI_PORT" : 7557,
"NBI_SSL" : false,
"NBI_LOG_FILE" : "/var/log/genieacs/nbi.log",
"NBI_ACCESS_LOG_FILE" : "/var/log/genieacs/nbi-access.log",
"FS_INTERFACE" : "127.0.0.1",
"FS_PORT" : 7567,
"FS_SSL" : false,
"FS_HOSTNAME" : "acs.test.local",
"FS_LOG_FILE" : "/var/log/genieacs/fs.log",
"FS_ACCESS_LOG_FILE" : "/var/log/genieacs/fs-access.log",
"LOG_INFORMS" : true,
"DEBUG" : false
}
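An added consistency check for this config.json against the nginx upstreams (example code written for these notes, not part of the gist or of GenieACS). Because nginx terminates TLS, every service with `*_SSL` false should bind only to a loopback address, and each port should be the one nginx forwards to. Both inputs are constructed strings: the config mirrors the page's values except that NBI is deliberately bound to 0.0.0.0 to produce a finding, and the upstream snippet is the page's four upstream blocks.

```python
"""Exposure check for GenieACS backend bindings (added example, not GenieACS code).

Assumption: TLS is terminated by nginx, so each GenieACS service should bind
to a loopback address with *_SSL off, and its port should match the nginx
upstream. Anything else is either a plaintext service reachable off-host or
a port nginx cannot forward to.
"""
import ipaddress
import json
import re

SERVICES = ("CWMP", "NBI", "FS")

# Constructed sample config (mirrors 02-config.json on the page) with one
# deliberate misconfiguration: NBI bound to all interfaces.
SAMPLE_CONFIG = """
{
  "MONGODB_CONNECTION_URL": "mongodb://127.0.0.1/genieacs",
  "CWMP_INTERFACE": "127.0.0.1", "CWMP_PORT": 7547, "CWMP_SSL": false,
  "NBI_INTERFACE": "0.0.0.0", "NBI_PORT": 7557, "NBI_SSL": false,
  "FS_INTERFACE": "127.0.0.1", "FS_PORT": 7567, "FS_SSL": false
}
"""

# Constructed nginx snippet with the page's upstream blocks. The GUI upstream
# is the Rails app, not a GenieACS service, so it is parsed but not checked.
SAMPLE_NGINX = """
upstream genieacs-gui { server 127.0.0.1:8080; }
upstream genieacs-cwmp { server 127.0.0.1:7547; }
upstream genieacs-nbi { server 127.0.0.1:7557; }
upstream genieacs-fs { server 127.0.0.1:7567; }
"""

UPSTREAM_RE = re.compile(r"upstream\s+(\S+)\s*\{[^}]*?server\s+([\d.]+):(\d+)")


def parse_upstreams(nginx_text):
    """Map upstream name -> (address, port) from the first 'server addr:port' line."""
    return {name: (addr, int(port)) for name, addr, port in UPSTREAM_RE.findall(nginx_text)}


def check_bindings(config_text, nginx_text):
    """Return a list of human-readable findings (an empty list means clean)."""
    cfg = json.loads(config_text)
    upstreams = parse_upstreams(nginx_text)
    findings = []
    for svc in SERVICES:
        iface = cfg.get(f"{svc}_INTERFACE", "0.0.0.0")  # GenieACS binds everywhere if unset
        port = int(cfg[f"{svc}_PORT"])
        ssl_on = bool(cfg.get(f"{svc}_SSL", False))
        loopback = ipaddress.ip_address(iface).is_loopback
        if not ssl_on and not loopback:
            findings.append(f"{svc}: plaintext listener on {iface}:{port} is reachable off-host")
        up = upstreams.get(f"genieacs-{svc.lower()}")
        if up is None:
            findings.append(f"{svc}: no nginx upstream named genieacs-{svc.lower()}")
        elif up[1] != port or (loopback and not ipaddress.ip_address(up[0]).is_loopback):
            findings.append(f"{svc}: nginx upstream {up[0]}:{up[1]} does not match binding {iface}:{port}")
    return findings


if __name__ == "__main__":
    for finding in check_bindings(SAMPLE_CONFIG, SAMPLE_NGINX) or ["clean"]:
        print(finding)
```

Point it at the real files by reading `/opt/genieacs/config/config.json` and `/etc/nginx/sites-available/genieacs.conf` instead of the embedded strings; the checks are the same.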
# /opt/genieacs/config/openssl.cnf
# OpenSSL config for genieacs certificate
[acs_cert]
basicConstraints=CA:false
subjectKeyIdentifier=hash
keyUsage=digitalSignature
subjectAltName=@alt_names
extendedKeyUsage=serverAuth
[alt_names]
DNS.1=acs.test.local
DNS.2=web.acs.test.local
DNS.3=cwmp.acs.test.local
DNS.4=nbi.acs.test.local
DNS.5=fs.acs.test.local
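The SAN list above has to cover every hostname the nginx vhosts answer to, otherwise CPEs and browsers get a hostname mismatch on that endpoint. The following checker is an added example (not from the gist) that parses the `[alt_names]` section and the `server_name` directives and reports any vhost no SAN covers; both inputs are constructed strings, and the last vhost carries an extra name, `api.acs.test.local`, that is intentionally missing from the certificate so the check produces a finding.

```python
"""Check that certificate SANs cover every nginx server_name (added example).

Assumptions: the openssl.cnf [alt_names] section and the server_name lines
are the ones on the page, embedded here as constructed strings.
"""
import configparser
import re

SAMPLE_OPENSSL_CNF = """
[acs_cert]
basicConstraints=CA:false
subjectAltName=@alt_names
extendedKeyUsage=serverAuth
[alt_names]
DNS.1=acs.test.local
DNS.2=web.acs.test.local
DNS.3=cwmp.acs.test.local
DNS.4=nbi.acs.test.local
DNS.5=fs.acs.test.local
"""

# Constructed vhost snippet; api.acs.test.local is deliberately absent from
# the SAN list above.
SAMPLE_NGINX_CONF = """
server { listen 443 ssl; server_name web.acs.test.local acs.test.local; }
server { listen 192.168.1.10:7547 ssl; server_name cwmp.acs.test.local acs.test.local; }
server { listen 192.168.1.10:7557 ssl; server_name nbi.acs.test.local acs.test.local; }
server { listen 192.168.1.10:7567 ssl; server_name fs.acs.test.local api.acs.test.local; }
"""


def san_dns_names(cnf_text, section="alt_names"):
    """Collect the DNS.n values of an openssl.cnf section, lower-cased."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep 'DNS.1' exactly as written
    cp.read_string(cnf_text)
    return {v.strip().lower() for k, v in cp.items(section) if k.upper().startswith("DNS.")}


def nginx_server_names(conf_text):
    """Collect every hostname listed in a server_name directive."""
    names = set()
    for m in re.finditer(r"server_name\s+([^;]+);", conf_text):
        names.update(n.lower() for n in m.group(1).split())
    return names


def san_matches(host, san):
    """Exact match, or a wildcard SAN (*.example) matching exactly one label."""
    if san.startswith("*."):
        return host.count(".") == san.count(".") and host.endswith(san[1:])
    return host == san


def uncovered_hosts(cnf_text, conf_text):
    """Sorted list of server_names that no SAN in the cnf covers."""
    sans = san_dns_names(cnf_text)
    return sorted(h for h in nginx_server_names(conf_text)
                  if not any(san_matches(h, s) for s in sans))


if __name__ == "__main__":
    print(uncovered_hosts(SAMPLE_OPENSSL_CNF, SAMPLE_NGINX_CONF))
```

Run it against the real `/opt/genieacs/config/cert/openssl.cnf` and `/etc/nginx/sites-available/genieacs.conf` before issuing the certificate; an empty list means every vhost is covered.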
# /opt/genieacs-gui/.env
# Replace SECRET_KEY_BASE with your own
export HOSTNAME="acs.test.local"
export RAILS_ENV="production"
export SECRET_KEY_BASE="DEADBEEF"
# /opt/genieacs-gui/Gemfile (partial)
# Append the following lines to the beginning of the file
# Use .env to load environmental variables
gem 'dotenv-rails', groups: [:production, :test, :development]
# /etc/nginx/nginx.conf (partial)
# Added the following directives to nginx.conf under the http block:
http {
    ##
    # Basic Settings
    ##
    server_tokens off;
    ##
    # SSL Settings
    ##
    ssl_protocols TLSv1.2; # Dropping SSLv3, ref: POODLE
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
    ssl_prefer_server_ciphers on;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
}
# /etc/nginx/sites-available/genieacs.conf
# Nginx configuration for genieacs services
# Ensure you change the listening IP address
# If you're allergic to security, you can remove the `add_header`
# lines without breaking functionality
upstream genieacs-gui {
    server 127.0.0.1:8080;
}
upstream genieacs-cwmp {
    server 127.0.0.1:7547;
}
upstream genieacs-nbi {
    server 127.0.0.1:7557;
}
upstream genieacs-fs {
    server 127.0.0.1:7567;
}
server {
    listen 80 default_server;
    server_name web.acs.test.local acs.test.local;
    add_header Content-Security-Policy "default-src 'self'" always;
    add_header Referrer-Policy "no-referrer" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "sameorigin" always;
    add_header X-XSS-Protection "1; mode=block" always;
    return 301 https://$server_name$request_uri;
}
server {
    listen 443 ssl http2;
    server_name web.acs.test.local acs.test.local;
    ssl_certificate_key /opt/genieacs/config/web.key;
    ssl_certificate /opt/genieacs/config/web.crt;
    access_log /var/log/nginx/genieacs-web-access.log combined;
    error_log /var/log/nginx/genieacs-web-error.log;
    client_max_body_size 50M;
    root /opt/genieacs-gui/public;
    try_files $uri $uri/index.html @app;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header Content-Security-Policy "default-src 'self' 'unsafe-inline'" always;
    add_header Referrer-Policy "no-referrer" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "sameorigin" always;
    add_header X-XSS-Protection "1; mode=block" always;
    location @app {
        proxy_pass http://genieacs-gui;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_cache_bypass $http_upgrade;
        proxy_redirect off;
    }
}
server {
    listen 192.168.1.10:7547 ssl;
    server_name cwmp.acs.test.local acs.test.local;
    ssl_certificate_key /opt/genieacs/config/cwmp.key;
    ssl_certificate /opt/genieacs/config/cwmp.crt;
    access_log /var/log/nginx/genieacs-cwmp-access.log combined;
    error_log /var/log/nginx/genieacs-cwmp-error.log;
    client_max_body_size 50M;
    add_header Strict-Transport-Security "max-age=31536000" always;
    add_header Content-Security-Policy "default-src 'self'" always;
    add_header Referrer-Policy "no-referrer" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "sameorigin" always;
    add_header X-XSS-Protection "1; mode=block" always;
    location / {
        proxy_pass http://genieacs-cwmp;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_cache_bypass $http_upgrade;
        # Drop the basic-auth credentials before forwarding to the backend
        proxy_set_header Authorization "";
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/ms-htpasswd;
    }
}
server {
    listen 192.168.1.10:7557 ssl;
    server_name nbi.acs.test.local acs.test.local;
    ssl_certificate_key /opt/genieacs/config/nbi.key;
    ssl_certificate /opt/genieacs/config/nbi.crt;
    access_log /var/log/nginx/genieacs-nbi-access.log combined;
    error_log /var/log/nginx/genieacs-nbi-error.log;
    client_max_body_size 50M;
    add_header Strict-Transport-Security "max-age=31536000" always;
    add_header Content-Security-Policy "default-src 'self'" always;
    add_header Referrer-Policy "no-referrer" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "sameorigin" always;
    add_header X-XSS-Protection "1; mode=block" always;
    location / {
        proxy_pass http://genieacs-nbi;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_cache_bypass $http_upgrade;
        # Drop the basic-auth credentials before forwarding to the backend
        proxy_set_header Authorization "";
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/ms-htpasswd;
    }
}
server {
    listen 192.168.1.10:7567 ssl;
    server_name fs.acs.test.local acs.test.local;
    ssl_certificate_key /opt/genieacs/config/fs.key;
    ssl_certificate /opt/genieacs/config/fs.crt;
    access_log /var/log/nginx/genieacs-fs-access.log combined;
    error_log /var/log/nginx/genieacs-fs-error.log;
    client_max_body_size 50M;
    add_header Strict-Transport-Security "max-age=31536000" always;
    add_header Content-Security-Policy "default-src 'self'" always;
    add_header Referrer-Policy "no-referrer" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "sameorigin" always;
    add_header X-XSS-Protection "1; mode=block" always;
    location / {
        proxy_pass http://genieacs-fs;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_cache_bypass $http_upgrade;
        # Drop the basic-auth credentials before forwarding to the backend
        proxy_set_header Authorization "";
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/ms-htpasswd;
    }
}
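A hardening-config lint covering both nginx files above, added here as an example (not from the gist): it checks a vhost's response headers against the header set the config is supposed to send, with the exact value syntax, and checks that every name in the `ssl_ciphers` string is a well-formed ECDHE AEAD suite. Both are the kind of mistake a config review misses and a regex catches: the sample inputs are constructed from the gist as originally published, where the XSS header reads `1; mode block` instead of `1; mode=block` and one cipher is spelled `ECHDE`, so both checks produce a finding.

```python
"""Lint nginx hardening settings: security headers and ssl_ciphers (added example).

Inputs are constructed: a response-header dict as an HTTP client would return
it, and the ssl_ciphers value from the page's nginx.conf before its typo fix.
"""
import re

# Header -> accepted value shape, per vhost in the page's genieacs.conf.
REQUIRED_HEADERS = {
    "strict-transport-security": re.compile(r"^max-age=\d+(; includeSubDomains)?$", re.I),
    "content-security-policy": re.compile(r"^default-src 'self'( 'unsafe-inline')?$"),
    "referrer-policy": re.compile(r"^no-referrer$"),
    "x-content-type-options": re.compile(r"^nosniff$"),
    "x-frame-options": re.compile(r"^sameorigin$", re.I),
    "x-xss-protection": re.compile(r"^1; mode=block$"),
}

# Only forward-secret AEAD suites, exactly as OpenSSL names them.
CIPHER_RE = re.compile(r"^ECDHE-(ECDSA|RSA)-(AES128-GCM-SHA256|AES256-GCM-SHA384|CHACHA20-POLY1305)$")


def check_headers(headers):
    """headers: dict from an HTTP response. Returns a list of findings."""
    lowered = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, pattern in REQUIRED_HEADERS.items():
        if name not in lowered:
            findings.append(f"missing {name}")
        elif not pattern.match(lowered[name].strip()):
            findings.append(f"malformed {name}: {lowered[name]!r}")
    return findings


def check_ciphers(cipher_string):
    """Return the cipher names that are not well-formed ECDHE AEAD suites."""
    return [c for c in cipher_string.strip("'\"").split(":") if not CIPHER_RE.match(c)]


# Constructed: headers as the 443 vhost sent them with the original 'mode block' typo.
SAMPLE_HEADERS = {
    "Server": "nginx",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline'",
    "Referrer-Policy": "no-referrer",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "sameorigin",
    "X-XSS-Protection": "1; mode block",
}

# Constructed: the page's ssl_ciphers value with the original 'ECHDE' typo.
SAMPLE_CIPHERS = ("'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
                  "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
                  "ECHDE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256'")

if __name__ == "__main__":
    for finding in check_headers(SAMPLE_HEADERS) + check_ciphers(SAMPLE_CIPHERS):
        print("FINDING:", finding)
```

To run it against the live proxy, pass the headers from a real response (for example `dict(urllib.request.urlopen(url).headers)`) to `check_headers`, and the `ssl_ciphers` value read from nginx.conf to `check_ciphers`. A mis-spelled cipher is silently ignored by OpenSSL rather than rejected, so this lint is the only place the typo shows up.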
# /etc/nginx/ms-htpasswd
# Nginx Auth Credentials
# Replace with actual creds (openssl passwd -apr1)
user:$apr1$DEADBEEF
# /etc/systemd/system/genieacs-cwmp.service
[Unit]
Description=CWMP server service for GenieACS
After=network.target
[Service]
Type=simple
User=genieacs
WorkingDirectory=/opt/genieacs
ExecStart=/opt/genieacs/bin/genieacs-cwmp
Restart=on-abort
[Install]
WantedBy=multi-user.target
# /etc/systemd/system/genieacs-nbi.service
[Unit]
Description=NBI server service for GenieACS
After=network.target
[Service]
Type=simple
User=genieacs
WorkingDirectory=/opt/genieacs
ExecStart=/opt/genieacs/bin/genieacs-nbi
Restart=on-abort
[Install]
WantedBy=multi-user.target
# /etc/systemd/system/genieacs-fs.service
[Unit]
Description=FileServer service for GenieACS
After=network.target
[Service]
Type=simple
User=genieacs
WorkingDirectory=/opt/genieacs
ExecStart=/opt/genieacs/bin/genieacs-fs
Restart=on-abort
[Install]
WantedBy=multi-user.target
# /etc/systemd/system/genieacs-gui.service
[Unit]
Description=GUI for GenieACS
After=network.target
Requires=genieacs-cwmp.service
Requires=genieacs-nbi.service
Requires=genieacs-fs.service
[Service]
Type=simple
User=genieacs
#PIDFile=/opt/genieacs-gui/tmp/pids/server.pid
WorkingDirectory=/opt/genieacs-gui
#ExecStartPre=rm -f tmp/pids/server.pid
ExecStart=/usr/local/bin/rails s -e production -b 127.0.0.1 -p 8080
Restart=on-abort
[Install]
WantedBy=multi-user.target