My notes on setting up and configuring GenieACS.

00-genieacs.md

Config files to get GenieACS up and running on Debian Testing, complete with GUI, Nginx SSL proxy, and systemd services.

Following the documentation here for dependencies, here for initial setup, then the wiki here for Nginx and SSL, should get you most of the way there. After that, I had a lot of googling to do, the results of which you can find below.

Filename	Description
01-install.sh	The installation instructions and commands.
02-config.json	The genieacs services configuration.
03-openssl.cnf	The openssl certificate configuration.
04-.env	The environmental variables for genieacs-gui.
05-Gemfile	The modification to accomodate the dotenv gem.
06-nginx.conf	Modified nginx configuration to beef up security.
07-genieacs.conf	The genieacs web host configuration.
08-ms-htpasswd	The http_basic auth file for the service endpoints.
09-genieacs-cwmp.service	The genieacs-cwmp systemd service file.
10-genieacs-nbi.service	The genieacs-nbi systemd service file.
11-genieacs-fs.service	The genieacs-fs systemd service file.
12-genieacs-gui.service	The genieacs-gui systemd service file.

01-install.sh

#!/bin/sh
# GenieACS installation steps and dependencies
# Don't try to just run this script directly!

##
# Install necessary packages
##
# NOTE: Ensure you have the upstream node repo in your sources.list
apt install curl wget vim git subversion openssl nodejs ruby bundler mongodb \
    redis-server redis-tools nginx-full build-essential autoconf automake \
    libtool bison tcl sqlite libsqlite3-0 libsqlite3-dev libxml2 libxml2-dev \
    zlib1g zlib1g-dev libssl-dev libreadline-dev libxslt-dev libncurses5-dev

##
# Clone and setup genieacs
##
cd /opt; git clone https://github.com/zaidka/genieacs.git
cd genieacs; git checkout $(git tag -l v1.1.1)
# Build node modules
npm install; npm run compile
# Setup config files
mv config/auth{-sample,}.js
mv config/config{-sample,}.json
mv config/ext{-sample,}.js
# NOTE: Copy my config.json over existing config/config.json file
chmod 0700 config; cd config; mkdir cert
# NOTE: If you have your own certs already, skip the rest of this section
# NOTE: Copy my openssl.cnf into config/cert directory
openssl ecparam -genkey -name secp384r1 -out cert/genieacs.key
# To prevent prompting for certificate CN, `-subj` was added
openssl req -new -key cert/genieacs.key -days 370 -sha384 \
    -out cert/genieacs.csr -subj "/"
openssl x509 -req -in cert/genieacs.csr -signkey cert/genieacs.key \
    -out cert/genieacs.crt -extfile cert/openssl.cnf -extensions acs_cert \
    -days 370 -sha384
chmod 0700 cert; chmod 0600 cert/genieacs.key; cd ..
# Create certificate symlinks (necessary for genieacs)
ln -s cert/genieacs.crt web.crt; ln -s cert/genieacs.key web.key
ln -s cert/genieacs.crt cwmp.crt; ln -s cert/genieacs.key cwmp.key
ln -s cert/genieacs.crt nbi.crt; ln -s cert/genieacs.key nbi.key
ln -s cert/genieacs.crt fs.crt; ln -s cert/genieacs.key fs.key

##
# Clone and setup genieacs-gui
##
cd /opt; git clone https://github.com/zaidka/genieacs-gui.git
cd genieacs-gui
# Setup config files
mv config/graphs{-sample,}.json.erb
mv config/index_parameters{-sample,}.yml
mv config/summary_parameters{-sample,}.yml
mv config/parameters_edit{-sample,}.yml
mv config/parameter_renderers{-sample,}.yml
mv config/roles{-sample,}.yml
mv config/users{-sample,}.yml
# Build gems
bundle
# Add dotenv gem to handle environmental variables file
gem install dotenv
# NOTE: Copy .env file into place in genieacs-gui directory
# Generate your own secret_key_base for .env file
echo SECRET_KEY_BASE=$(RAILS_ENV="production" rails secret) >> .env
# NOTE: Add the dotenv from this repo to the beginning of your Gemfile
gem update; bundle update
# NOTE: Had several dependency problems fixed by tweaking the Gemfile
#     Change json line to: 'json', '=1.8.6'
#     Change puma line to: 'puma', '=3.8'
#     Change rails line to: 'rails', '>5.0.0'
# Also need to precompile assets so they show up under ./public
bin/rake assets:precompile

##
# Nginx setup and configuration
##
systemctl enable nginx
cd /etc/nginx
# NOTE: Modify nginx.conf with the lines from this repo.
# NOTE: Copy genieacs.conf file into sites-available directory
ln -s sites-available/genieacs.conf sites-enabled/
# Create creds for basic_auth on non-web endpoints
echo username:$(openssl passwd -apr1) >> ms-htpasswd
systemctl restart nginx

##
# Systemd service integration
##
# Create genieacs user and fix directory permissions
adduser --home /opt/genieacs -r genieacs
chown -R genieacs:www-data /opt/genieacs{,-gui}
# Create log file directory and files
mkdir /var/log/genieacs && touch /var/log/genieacs/{cwmp,nbi,fs}{,-access}.log
chown -R genieacs:genieacs /var/log/genieacs
# NOTE: Copy all the systemd service files into /etc/systemd/system/
systemctl daemon-reload
systemctl enable genieacs-cwmp; systemctl start genieacs-cwmp
systemctl enable genieacs-nbi; systemctl start genieacs-nbi
systemctl enable genieacs-fs; systemctl start genieacs-fs
systemctl enable genieacs-gui; systemctl start genieacs-gui

# That should be the end of it.

02-config.json

#/opt/genieacs/config/config.json (remove this line in actual file)
{
    "MONGODB_CONNECTION_URL" : "mongodb://127.0.0.1/genieacs",
    "REDIS_PORT" : "6379",
    "REDIS_HOST" : "127.0.0.1",
    "CWMP_INTERFACE" : "127.0.0.1",
    "CWMP_PORT" : 7547,
    "CWMP_SSL" : false,
    "CWMP_LOG_FILE" : "/var/log/genieacs/cwmp.log",
    "CWMP_ACCESS_LOG_FILE" : "/var/log/genieacs/cwmp-access.log",
    "NBI_INTERFACE" : "127.0.0.1",
    "NBI_PORT" : 7557,
    "NBI_SSL" : false,
    "NBI_LOG_FILE" : "/var/log/genieacs/nbi.log",
    "NBI_ACCESS_LOG_FILE" : "/var/log/genieacs/nbi-access.log",
    "FS_INTERFACE" : "127.0.0.1",
    "FS_PORT" : 7567,
    "FS_SSL" : false,
    "FS_HOSTNAME" : "acs.test.local",
    "FS_LOG_FILE" : "/var/log/genieacs/fs.log",
    "FS_ACCESS_LOG_FILE" : "/var/log/genieacs/fs-access.log",
    "LOG_INFORMS" : true,
    "DEBUG" : false
}

03-openssl.cnf

# /opt/genieacs/config/openssl.cnf
# OpenSSL config for genieacs certificate
[acs_cert]
basicConstraints=CA:false
subjectKeyIdentifier=hash
keyUsage=digitalSignature
subjectAltName=@alt_names
extendedKeyUsage=serverAuth

[alt_names]
DNS.1=acs.test.local
DNS.2=web.acs.test.local
DNS.3=cwmp.acs.test.local
DNS.4=nbi.acs.test.local
DNS.5=fs.acs.test.local

04-.env

# /opt/genieacs-gui/.env
# Replace SECRET_KEY_BASE with your own

export HOSTNAME="acs.test.local"
export RAILS_ENV="production"
export SECRET_KEY_BASE="DEADBEEF"

05-Gemfile

# /opt/genieacs-gui/Gemfile (partial)
# Append the following lines to the beginning of the file

# Use .env to load environmental variables
gem 'dotenv-rails', groups: [:production, :test, :development]

06-nginx.conf

# /etc/nginx/nginx.conf (partial)
# Added the following directives to nginx.conf under the http block:
http {
        ##
        # Basic Settings
        ##
        server_tokens off;

        ##
        # SSL Settings
        ##
        ssl_protocols TLSv1.2; # Dropping SSLv3, ref: POODLE
        ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECHDE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
        ssl_prefer_server_ciphers on;
        ssl_session_timeout 1d;
        ssl_session_cache shared:SSL:50m;
        ssl_session_tickets off;
}

07-genieacs.conf

# /etc/nginx/sites-available/genieacs.conf
# Nginx configuration for genieacs services
# Ensure you change the listening IP address
# If you're allergic to security, you can remove the `add_header`
#   lines without breaking functionality

upstream genieacs-gui {
        server          127.0.0.1:8080;
}

upstream genieacs-cwmp {
        server          127.0.0.1:7547;
}

upstream genieacs-nbi {
        server          127.0.0.1:7557;
}

upstream genieacs-fs {
        server          127.0.0.1:7567;
}

server {
        listen          80 default_server;
        server_name     web.acs.test.local acs.test.local;

        add_header      Content-Security-Policy "default-src 'self'" always;
        add_header      Referrer-Policy "no-referrer" always;
        add_header      X-Content-Type-Options "nosniff" always;
        add_header      X-Frame-Options "sameorigin" always;
        add_header      X-XSS-Protection "1; mode block" always;

        return          301 https://$server_name$request_uri;
}

server {
        listen          443 ssl http2;
        server_name     web.acs.test.local acs.test.local;

        ssl_certificate_key     /opt/genieacs/config/web.key;
        ssl_certificate         /opt/genieacs/config/web.crt;

        access_log      /var/log/nginx/genieacs-web-access.log combined;
        error_log       /var/log/nginx/genieacs-web-error.log;

        client_max_body_size    50M;

        root            /opt/genieacs-gui/public;
        try_files       $uri $uri/index.html @app;

        add_header      Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        add_header      Content-Security-Policy "default-src 'self' 'unsafe-inline'" always;
        add_header      Referrer-Policy "no-referrer" always;
        add_header      X-Content-Type-Options "nosniff" always;
        add_header      X-Frame-Options "sameorigin" always;
        add_header      X-XSS-Protection "1; mode block" always;

        location @app {
                proxy_pass              http://genieacs-gui;
                proxy_http_version      1.1;
                proxy_set_header        Upgrade $http_upgrade;
                proxy_set_header        Connection 'upgrade';
                proxy_set_header        Host $host;
                proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_cache_bypass      $http_upgrade;
                proxy_redirect          off;
        }
}

server {
        listen          192.168.1.10:7547 ssl;
        server_name     cwmp.acs.test.local acs.test.local;

        ssl_certificate_key     /opt/genieacs/config/cwmp.key;
        ssl_certificate         /opt/genieacs/config/cwmp.crt;

        access_log      /var/log/nginx/genieacs-cwmp-access.log combined;
        error_log       /var/log/nginx/genieacs-cwmp-error.log;

        client_max_body_size    50M;

        add_header      Strict-Transport-Security "max-age=31536000" always;
        add_header      Content-Security-Policy "default-src 'self'" always;
        add_header      Referrer-Policy "no-referrer" always;
        add_header      X-Content-Type-Options "nosniff" always;
        add_header      X-Frame-Options "sameorigin" always;
        add_header      X-XSS-Protection "1; mode block" always;

        location / {
                proxy_pass              http://genieacs-cwmp;
                proxy_http_version      1.1;
                proxy_set_header        Upgrade $http_upgrade;
                proxy_set_header        Connection 'upgrade';
                proxy_set_header        Host $host;
                proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_cache_bypass      $http_upgrade;
                proxy_set_header        Authorization "";
                auth_basic              "Restricted";
                auth_basic_user_file    /etc/nginx/ms-htpasswd;
        }
}

server {
        listen          192.168.1.10:7557 ssl;
        server_name     nbi.acs.test.local acs.test.local;

        ssl_certificate_key     /opt/genieacs/config/nbi.key;
        ssl_certificate         /opt/genieacs/config/nbi.crt;

        access_log      /var/log/nginx/genieacs-nbi-access.log combined;
        error_log       /var/log/nginx/genieacs-nbi-error.log;

        client_max_body_size    50M;

        add_header      Strict-Transport-Security "max-age=31536000" always;
        add_header      Content-Security-Policy "default-src 'self'" always;
        add_header      Referrer-Policy "no-referrer" always;
        add_header      X-Content-Type-Options "nosniff" always;
        add_header      X-Frame-Options "sameorigin" always;
        add_header      X-XSS-Protection "1; mode block" always;

        location / {
                proxy_pass              http://genieacs-nbi;
                proxy_http_version      1.1;
                proxy_set_header        Upgrade $http_upgrade;
                proxy_set_header        Connection 'upgrade';
                proxy_set_header        Host $host;
                proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_cache_bypass      $http_upgrade;
                proxy_set_header        Authorization "";
                auth_basic              "Restricted";
                auth_basic_user_file    /etc/nginx/ms-htpasswd;
        }
}

server {
        listen          192.168.1.10:7567 ssl;
        server_name     fs.acs.test.local acs.test.local;

        ssl_certificate_key     /opt/genieacs/config/fs.key;
        ssl_certificate         /opt/genieacs/config/fs.crt;

        access_log      /var/log/nginx/genieacs-fs-access.log combined;
        error_log       /var/log/nginx/genieacs-fs-error.log;

        client_max_body_size    50M;

        add_header      Strict-Transport-Security "max-age=31536000" always;
        add_header      Content-Security-Policy "default-src 'self'" always;
        add_header      Referrer-Policy "no-referrer" always;
        add_header      X-Content-Type-Options "nosniff" always;
        add_header      X-Frame-Options "sameorigin" always;
        add_header      X-XSS-Protection "1; mode block" always;

        location / {
                proxy_pass              http://genieacs-fs;
                proxy_http_version      1.1;
                proxy_set_header        Upgrade $http_upgrade;
                proxy_set_header        Connection 'upgrade';
                proxy_set_header        Host $host;
                proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_cache_bypass      $http_upgrade;
                proxy_set_header        Authorization "";
                auth_basic              "Restricted";
                auth_basic_user_file    /etc/nginx/ms-htpasswd;
        }
}

08-ms-htpasswd

# /etc/nginx/ms-htpasswd
# Nginx Auth Credentials

# Replace with actual creds (openssl passwd -apr1)
user:$apr1$DEADBEEF

09-genieacs-cwmp.service

# /etc/systemd/system/genieacs-cwmp.service
[Unit]
Description=CWMP server service for GenieACS
After=network.target

[Service]
Type=simple
User=genieacs
WorkingDirectory=/opt/genieacs
ExecStart=/opt/genieacs/bin/genieacs-cwmp
Restart=on-abort

[Install]
WantedBy=multi-user.target

10-genieacs-nbi.service

# /etc/systemd/system/genieacs-gui.service
[Unit]
Description=NBI server service for GenieACS
After=network.target

[Service]
Type=simple
User=genieacs
WorkingDirectory=/opt/genieacs
ExecStart=/opt/genieacs/bin/genieacs-nbi
Restart=on-abort

[Install]
WantedBy=multi-user.target

11-genieacs-fs.service

# /etc/systemd/system/genieacs-nbi.service
[Unit]
Description=FileServer service for GenieACS
After=network.target

[Service]
Type=simple
User=genieacs
WorkingDirectory=/opt/genieacs
ExecStart=/opt/genieacs/bin/genieacs-fs
Restart=on-abort

[Install]
WantedBy=multi-user.target

12-genieacs-gui.service

# /etc/systemd/system/genieacs-fs.service
[Unit]
Description=GUI for GenieACS
After=network.target
Requires=genieacs-cwmp.service
Requires=genieacs-nbi.service
Requires=genieacs-fs.service

[Service]
Type=simple
User=genieacs
#PIDFile=/opt/genieacs-gui/tmp/pids/server.pid
WorkingDirectory=/opt/genieacs-gui
#ExecStartPre=rm -f tmp/pids/server.pid
ExecStart=/usr/local/bin/rails s -e production -b 127.0.0.1 -p 8080
Restart=on-abort

[Install]
WantedBy=multi-user.target