diff --git a/site/profile/manifests/base_confluence_recovery.pp b/site/profile/manifests/base_confluence_recovery.pp
new file mode 100644
index 0000000..3cf0486
--- /dev/null
+++ b/site/profile/manifests/base_confluence_recovery.pp
@@ -0,0 +1,200 @@
+class profile::base_confluence {
+ # Configure Yum Repos and Install Packages
+ yumrepo { 'epel':
+ enabled => 1,
+ descr => 'epel',
+ metalink => 'https://mirrors.fedoraproject.org/metalink?repo=epel-7&arch=$basearch&infra=$infra&content=$contentdir',
+ gpgcheck => 0,
+ } # end of yumrepo
+ yumrepo { 'nginx':
+ enabled => 1,
+ descr => 'Nginx',
+ baseurl => 'http://nginx.org/packages/mainline/centos/7/$basearch/',
+ gpgcheck => 0,
+ } # end of yumrepo
+ yumrepo { 'mysql57-community':
+ enabled => 1,
+ descr => 'mysql-57',
+ baseurl => 'http://repo.mysql.com/yum/mysql-5.7-community/el/7/$basearch/',
+ gpgcheck => 0,
+ } # end of yumrepo
+ yumrepo { 'mysql-tools-community':
+ enabled => 1,
+ descr => 'mysql-tools-community',
+ baseurl => 'http://repo.mysql.com/yum/mysql-tools-community/el/7/$basearch/',
+ gpgcheck => 0,
+ } # end of yumrepo
+ yumrepo { 'mysql-connectors-community':
+ enabled => 1,
+ descr => 'mysql-connectors-community',
+ baseurl => 'http://repo.mysql.com/yum/mysql-connectors-community/el/7/$basearch/',
+ gpgcheck => 0,
+ } # end of yumrepo
+
+## Java
+ package { [ 'java-1.8.0-openjdk', 'java-1.8.0-openjdk-devel', 'java-1.8.0-openjdk-headless', 'javapackages-tools', ]:
+ ensure => installed,
+ } # end of Java
+
+## MySQL
+ # Does Confluence need this package mysql57-community-release
+ class { 'mysql::server':
+ package_name => 'mysql-community-server', package_ensure => '5.7.35-1.el7', service_name => 'mysqld', root_password => 'thisisthat^',
+ override_options => { mysqld => { log-error => '/var/log/mysqld.log', } },
+ restart => true,
+ }
+ mysql_user { 'confluence@localhost': ensure => present, password_hash => mysql::password('Some1New^'),}
+ mysql::db { 'confluence': user => 'confluence', password => 'Some1New^', host => 'localhost', grant => ['ALL'], collate => 'utf8_bin', }
+
+## Nginx
+ Package { [ 'nginx', ]: ensure => installed, }
+ #Package { [ 'nginx-filesystem', 'nginx-mod-http-perl', 'nginx-mod-mail', 'nginx-mod-stream', 'nginx-all-modules', 'nginx-mod-http-xslt-filter', 'nginx-mod-http-image-filter', ]: ensure => installed, }
+ firewalld_service { 'Allow http on public zone': ensure => 'present', service => 'http', zone => 'public', }
+ firewalld_service { 'Allow https on public zone': ensure => 'present', service => 'https', zone => 'public', }
+ #firewalld_port { 'Allow https on public zone': ensure => 'present', port => '8090', protocol => 'tcp', zone => 'public',
+ } # end of Nginx
+
+
+## other notes or actions to get into this file
+# Need to transfer the backup data sets
+# Need to package up sirius:/home/igoodenow/recovery-audit-3Nov2021/confluence/atlassian-confluence-7.11.6-x64.bin
+# Need to package up mysql-connector-java-5.1.27-bin.jar; it is in install backup; belongs in /opt/atlassian/confluence/confluence/WEB-INF/lib/
+ # May need to change owner
+ # chown confluence:confluence /opt/atlassian/confluence/confluence/WEB-INF/lib/mysql-connector-java-5.1.27-bin.jar
+# May choose to do a check point before starting this process
+
+# Configure MySQL my.cnf values
+ # https://github.com/igoodenow/services/blob/master/service-confluence/confluence-configurations/etc/my.cnf
+ # the above should be production branch when not testing
+ # systemctl status mysqld
+ # systemctl is-enabled mysqld
+ # systemctl enable mysqld
+ # systemctl start msyqld
+ # systemctl restart mysqld
+# Create the Sample certs or apply real certs
+ # openssl req -newkey rsa:4096 -x509 -sha256 -days 3650 -nodes -out /etc/pki/tls/certs/sample.crt -keyout /etc/pki/tls/certs/sample.key
+# Restore/Update nginx conf
+ # https://github.com/igoodenow/services/blob/master/service-confluence/confluence-configurations/nginx/conf.d/hephaestuscrimson.conf
+ # Check on location and name of certs and keys used for each vhost
+ # setsebool -P httpd_can_network_connect 1
+ # setsebool -P httpd_can_network_relay 1
+ # nginx -t
+ # systemctl status nginx
+ # systemctl is-enabled nginx
+ # systemctl enable nginx
+ # systemctl status nginx
+ # systemctl start nginx
+ #or
+ # systemctl restart nginx
+# For Testing Purposes otherwise DNS needs to be correct
+ # vi /etc/nsswitch.conf
+ # hosts: files dns myhostname
+ # vi /etc/hosts
+ # 127.0.0.1 confluence.lsstcorp.org
+# yum groupinstall "GNOME Desktop"
+# Install Fresh Confluence
+ # ./atlassian-confluence-7.11.6-x64.bin
+ # go with defaults
+ # install as a service
+ # do NOT let it start or stop it if started
+ # copy the sourced mysql-connector-java-5.1.27-bin.jar to /opt/atlassian/confluence/confluence/WEB-INF/lib/
+# Because of systemctl issues, need to protect test from production by not allowing it to start
+ # mv /opt/atlassian/confluence/bin/start-confluence.sh /opt/atlassian/confluence/bin/start-confluence_.sh
+
+# Test Base Install of Confluence using HV console or do local hosts changes to bypass DNS
+ # HV Console
+ # startx
+ # start a terminal with elevated privs
+ # Start Confluence fresh install
+ # /opt/atlassian/confluence/bin/start-confluence_.sh
+ # Launch local browser and access web sites
+ # http://localhost:8090
+ # https://confluence.lsstcorp.org
+ # Expect cert errors
+# Test access
+# Stop Confluence
+ # /opt/atlassian/confluence/bin/stop-confluence.sh
+ # ps axu|grep confluence
+# Protect Production by restricting network on recovery host
+ # vi /etc/sysconfig/network-scripts/ifcfg-eth0
+ # ONBOOT="no"
+# Restore Production Backups
+ # Need mysql dump name and make sure to have procedure dump
+ # https://confluence.atlassian.com/confkb/confluence-mysql-database-migration-causes-content_procedure_for_denormalised_permissions-does-not-exist-error-1072474724.html
+ # gunzip < /home/igoodenow_local/atlassian-confluence-mysql-YYYYMMDDHHMMSS.sql.gz | mysql confluence
+ # cd /var/atlassian/application-data/confluence
+ # tar -xzvf /home/igoodenow_local/atlassian-confluence-home-YYYYMMDDHHMMSS.tgz
+ # rm -rf plugins-cache*
+ # rm -rf plugins-osgi-cache*
+ # rm -rf plugins-temp*
+ # rm -rf bundled-plugins*
+ # Reset admin password
+ # mysql
+ # use confluence;
+ # select u.id, u.user_name, u.active from cwd_user u join cwd_membership m on u.id=m.child_user_id
+ # join cwd_group g on m.parent_id=g.id join cwd_directory d on d.id=g.directory_id where g.group_name = 'confluence-administrators' and d.directory_name='Confluence Internal Directory';
+ # update cwd_user set credential = 'googlethepassword' where id=XXXXXX;
+ # exit
+ # Update confluence db file with mysql confluence password
+ # vi /var/atlassian/application-data/confluence/confluence.cfg.xml
+
+# Access HV Console while in restricted network access
+ # Stop Confluence
+ # systemctl stop confluence
+ # /opt/atlassian/confluence/bin/stop-confluence.sh
+ # ps axu|grep confluence
+
+
+
+# special start
+ #ifconfig|less
+ #ifconfig eth0 down
+ #ping www.cnet.com
+ #systemctl start confluence
+ #tail -f /opt/atlassian/confluence/logs/catalina.out
+ # console
+#startx
+#ping www.cnet.com
+#ifup eth0
+#ifconfig eth0 down
+#ping www.cnet.com
+
+#start confluence
+#/opt/atlassian/confluence/bin/start-confluence_.sh
+#got login
+#have captcha
+#https://confluence.lsstcorp.org
+#system report?
+#all good
+#still getting the loading the editor error
+#i think it is a db error based on
+#"...bad SQL grammar... confluence.cnetnet_procedure_for_denormalised_permissions does not exit..."
+
+#https://confluence.atlassian.com/confkb/confluence-mysql-database-migration-causes-content_procedure_for_denormalised_permissions-does-not-exist-error-1072474724.html
+#seemt like it could fix the problem; stored
+
+#show procedure status where db='confluence';
+#on producton shows stuff; on recovery nothing there
+
+
+
+
+# perms have proper grant
+# tar -xzvf atlassian-confluence-install-20210731064501.tgz --wildcards --no-anchored 'mysql*java*.jar'
+# cp /install/confluence/WEB-INF/lib/mysql-connector-java-5.1.27-bin.jar /opt/atlassian/confluence/confluence/WEB-INF/lib/
+# chown and selinxu
+# drop logs and cache
+# rm -rf *_broken and from production so not transferred
+# confluence.cfg.xml
+# Restore install config changes
+# https://confluence.atlassian.com/confkb/confluence-mysql-database-migration-causes-content_procedure_for_denormalised_permissions-does-not-exist-error-1072474724.html
+# Remove this profile from node.
+
+
+# Commands once needed
+# Prove certains packages are not installed
+ # rpm -qa|grep -e 'mysql\|java\|nginx'|sort
+ # yum repolist
+# what char set mysql -e "create database confluence CHARACTER SET utf8 COLLATE utf8_bin;
+# update mysql.user set authentication_string = PASSWORD('newpassword^'), password_expired ='N' where User = 'root' and Host = 'localhost';
+# temp firewall firewall-cmd --zone=public --add-port=8090/tcp
\ No newline at end of file
diff --git a/site/profile/manifests/base_drupal_recovery.pp b/site/profile/manifests/base_drupal_recovery.pp
new file mode 100644
index 0000000..1b89fd9
--- /dev/null
+++ b/site/profile/manifests/base_drupal_recovery.pp
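Review bot: The MySQL credentials are committed in cleartext — `root_password => 'thisisthat^'` on `class { 'mysql::server': ...}` and `'Some1New^'` twice (`mysql::password('Some1New^')` and `password => 'Some1New^'`) — so anyone with read access to this repository holds the root and application database passwords; the `base_drupal`, `base_jira` and `base_yourls` hunks below repeat the pattern. Move them to Hiera with eyaml and look them up, e.g. `root_password => Sensitive(lookup('profile::base_confluence::mysql_root_password'))` (constructed key name), dropping `Sensitive` only if the module version in use rejects it, and rotate the values now that they have been committed. Every `yumrepo` sets `gpgcheck => 0`, and the nginx and mysql repos are fetched over plain `http://`, so nothing verifies the packages being installed; set `gpgcheck => 1` with the vendor's `gpgkey` URL (and `https://` where the mirror offers it) — again repeated in the three other hunks. `Package { [ 'nginx', ]: ensure => installed, }` uses a capitalised type name, which Puppet reserves for resource defaults and overrides rather than declarations, unlike the lowercase `package { [ 'java-1.8.0-openjdk', ...` block above it; I would expect this to fail compilation, so it should read `package { [ 'nginx', ]: ensure => installed, }` (the Drupal, Jira and YOURLS hunks have the same capitalised declarations). Because the `firewalld_port` line is commented out, the `} # end of Nginx` brace after it is orphaned and is in fact what closes the class — there is no other closing brace in the file — so uncommenting that line would leave `profile::base_confluence` unterminated; add an explicit `}` at the end of the class and remove the orphan (the Jira hunk has the same trap).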
@@ -0,0 +1,107 @@
+class profile::base_drupal {
+ yumrepo { 'epel':
+ enabled => 1,
+ descr => 'epel',
+ metalink => 'https://mirrors.fedoraproject.org/metalink?repo=epel-7&arch=$basearch&infra=$infra&content=$contentdir',
+ gpgcheck => 0,
+ } # end of yumrepo
+ yumrepo { 'remi-php72':
+ enabled => 1,
+ descr => 'remi-php72',
+ mirrorlist => 'http://cdn.remirepo.net/enterprise/7/php72/mirror',
+ gpgcheck => 0,
+ } # end of yumrepo
+ yumrepo { 'remi-safe':
+ enabled => 1,
+ descr => 'remi-safe',
+ mirrorlist => 'http://cdn.remirepo.net/enterprise/7/safe/mirror',
+ gpgcheck => 0,
+ } # end of yumrepo
+
+ # MySQL
+ # Action - Need to get 10.2 running; not 10.4 done by below
+ class { 'mariadb::server': repo_version => '10.2', root_password => 'yeah#doit', }
+ mysql_user { 'drupal-dbuser@localhost': ensure => present, password_hash => mysql::password('ItIsThis^'),}
+ mysql::db { 'drupaltest': user => 'drupal-dbuser', password => 'ItIsThis^', host => 'localhost', grant => ['ALL'], }
+ # httpd
+ Package { [ 'httpd', ]: ensure => installed, }
+ Package { [ 'mod_ssl', 'mod_nss', ]: ensure => installed, }
+
+ # PHP
+ Package { [ 'php72.x86_64', ]: ensure => installed, }
+ Package { [ 'php72-php-process', 'php72-php-tidy', 'php72-php-imap', ]: ensure => installed, }
+ Package { [ 'php-cli', 'php-gd', 'php-mbstring', 'php-ldap', 'php-pdo', 'php-soap', 'php-xml', 'php-tidy', 'php-xmlrpc', 'php-bcmath', 'php-mysqlnd', 'php-pecl-mcrypt', 'php-pecl-zip', ]: ensure => installed, }
+ # Not sure if these are necessary
+#php-fedora-autoloader-1.0.1-2.el7.noarch
+#php-php-gettext-1.0.12-1.el7.noarch
+#php-PsrLog-1.1.3-1.el7.noarch
+#php-symfony-class-loader-2.8.12-2.el7.noarch
+#php-symfony-common-2.8.12-2.el7.noarch
+#php-symfony-css-selector-2.8.12-2.el7.noarch
+#php-tcpdf-6.2.26-1.el7.noarch
+#php-tcpdf-dejavu-sans-fonts-6.2.26-1.el7.noarch
+ Package { [ 'phpMyAdmin', ]: ensure => installed, }
+
+ # Drush
+ Package { [ 'drush', ]: ensure => installed, }
+
+ # Manual steps to be converted to puppet
+ # systemctl is-enabled httpd
+ # systemctl status httpd
+ # firewall-cmd --zone=public --add-service=http
+ # firewall-cmd --zone=public --add-service=https
+ # systemctl start httpd
+ # systemctl status httpd
+ # check if testing page is available
+ # echo "something" > /var/www/html/index.htm
+ # echo "" > /var/www/html/index.php
+ # show as html
+ # php -v
+ # cd /install/
+ # tar -xzvf php-4-zig.tgz
+ # mv lib* /etc/httpd/modules/
+ # chown root:root /etc/httpd/modules/libphp7.so /etc/httpd/modules/libphp7-zts.so
+ # chcon system_u:object_r:httpd_modules_t:s0 /etc/httpd/modules/libphp7.so
+ # chcon system_u:object_r:httpd_modules_t:s0 /etc/httpd/modules/libphp7-zts.so
+ # chcon system_u:object_r:httpd_modules_t:s0 /etc/httpd/modules/libmodnss.so
+ # systemctl restart httpd
+ # systemctl status httpd
+ # vi /etc/httpd/conf.modules.d/15-php.conf
+ # vi /etc/httpd/conf.d/php.conf
+ # systemctl restart httpd
+ # mkdir -p /install/drupal
+ # cd /install/drupal/
+ # wget https://ftp.drupal.org/files/projects/drupal-7.82.tar.gz
+ # tar -xzvf drupal-7.82.tar.gz
+ # cd /var/www/html/
+ # cp -R /install/drupal/drupal-7.82 /var/www/html/
+ # ln -s ./drupal-7.82 ./drupaltest
+ # ACTION - Need to enable and start httpd service
+ # ACTION - Need to create the two firewall holes if not already exist
+
+ # cd /var/www/html/drupal-7.82/
+ # mkdir -p sites/default/files
+ # chmod 775 sites/default/files
+ # chmod 777 sites/default/files
+
+ # cp -p sites/default/default.settings.php sites/default/settings.php
+ # chmod 664 sites/default/settings.php
+ # chgrp -R apache /var/www/html/drupal-7.82/
+ # needed to disable selinux to get past files;
+ # added db info from
+
+ # site is done
+ # chmod 644 sites/default/settings.php
+ # need to fix selinux for files directory
+ # needs permissive to clear errors
+
+ # openssl req -newkey rsa:4096 -x509 -sha256 -days 3650 -nodes -out /etc/pki/tls/certs/sample.crt -keyout /etc/pki/tls/certs/sample.key
+ # need hte php4-zig.tgz that contains lib* modules for httpd/conf.modules
+ # need postfix installed and configured
+
+# Remove this profile from node.
+
+
+
+
+}
diff --git a/site/profile/manifests/base_jira_recovery.pp b/site/profile/manifests/base_jira_recovery.pp
new file mode 100644
index 0000000..65d216e
--- /dev/null
+++ b/site/profile/manifests/base_jira_recovery.pp
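Review bot: The manual-steps block records `chmod 777 sites/default/files` together with 'needed to disable selinux to get past files' and 'needs permissive to clear errors', and since the heading says these are to be converted to Puppet, the conversion must not reproduce them: a world-writable upload directory under the web root and a permissive SELinux host are the two things a recovered Drupal 7 instance should not ship with. The Puppet form is a `file` resource for `sites/default/files` with `owner => 'root', group => 'apache', mode => '2775'` (or whatever the production tree actually uses — confirm) plus an `httpd_sys_rw_content_t` label via `semanage fcontext -a` and `restorecon`, which clears the denials without `setenforce 0`. `Package { [ 'mod_ssl', 'mod_nss', ]: ensure => installed, }` installs two TLS stacks into one httpd; confirm which one the production vhost uses and install only that, since the other ships its own default listener configuration. The `wget https://ftp.drupal.org/files/projects/drupal-7.82.tar.gz` step verifies nothing before the tree is copied into `/var/www/html`; compare the download against the checksum published on the drupal.org release page and record that in the note. `grant => ['ALL']` on `mysql::db { 'drupaltest': ...}` is broader than the application needs and, like the passwords, is duplicated in the other three profiles; the Jira file already flags it with `# tighten up perms from notes`.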
@@ -0,0 +1,195 @@
+class profile::base_jira {
+ # Configure Yum Repos and Install Packages
+ yumrepo { 'epel':
+ enabled => 1,
+ descr => 'epel',
+ metalink => 'https://mirrors.fedoraproject.org/metalink?repo=epel-7&arch=$basearch&infra=$infra&content=$contentdir',
+ gpgcheck => 0,
+ } # end of yumrepo
+ yumrepo { 'nginx':
+ enabled => 1,
+ descr => 'Nginx',
+ baseurl => 'http://nginx.org/packages/mainline/centos/7/$basearch/',
+ gpgcheck => 0,
+ } # end of yumrepo
+ yumrepo { 'mysql57-community':
+ enabled => 1,
+ descr => 'mysql-57',
+ baseurl => 'http://repo.mysql.com/yum/mysql-5.7-community/el/7/$basearch/',
+ gpgcheck => 0,
+ } # end of yumrepo
+ yumrepo { 'mysql-tools-community':
+ enabled => 1,
+ descr => 'mysql-tools-community',
+ baseurl => 'http://repo.mysql.com/yum/mysql-tools-community/el/7/$basearch/',
+ gpgcheck => 0,
+ } # end of yumrepo
+ yumrepo { 'mysql-connectors-community':
+ enabled => 1,
+ descr => 'mysql-connectors-community',
+ baseurl => 'http://repo.mysql.com/yum/mysql-connectors-community/el/7/$basearch/',
+ gpgcheck => 0,
+ } # end of yumrepo
+
+## Java
+ package { [ 'java-1.8.0-openjdk', 'java-1.8.0-openjdk-devel', 'java-1.8.0-openjdk-headless', 'javapackages-tools', ]:
+ ensure => installed,
+ } # end of Java
+
+## MySQL
+ # Does Jira need this package mysql57-community-release
+ class { 'mysql::server':
+ package_name => 'mysql-community-server', package_ensure => '5.7.35-1.el7', service_name => 'mysqld', root_password => 'thisisthat^',
+ override_options => { mysqld => { log-error => '/var/log/mysqld.log', } },
+ restart => true,
+ }
+ mysql_user { 'jira@localhost': ensure => present, password_hash => mysql::password('jjSome1New^'),}
+ mysql::db { 'jira': user => 'jira', password => 'jjSome1New^', host => 'localhost', grant => ['ALL'], collate => 'utf8_bin', }
+ # tighten up perms from notes
+
+## Nginx
+ Package { [ 'nginx', ]: ensure => installed, }
+ #Package { [ 'nginx-filesystem', 'nginx-mod-http-perl', 'nginx-mod-mail', 'nginx-mod-stream', 'nginx-all-modules', 'nginx-mod-http-xslt-filter', 'nginx-mod-http-image-filter', ]: ensure => installed, }
+ firewalld_service { 'Allow http on public zone': ensure => 'present', service => 'http', zone => 'public', }
+ firewalld_service { 'Allow https on public zone': ensure => 'present', service => 'https', zone => 'public', }
+ #firewalld_port { 'Allow https on public zone': ensure => 'present', port => '8080', protocol => 'tcp', zone => 'public',
+ } # end of Nginx
+
+## Other actions or notes to update this file
+# May choose to create a checkpoint now or after the long download ang GNome Desktop installation
+# Need to tranfer files
+ # Package up files or
+ # scp -i ~/.ssh/localkey /home/igoodenow/recovery-audit-3Nov2021/jira/mysql-connector-java-5.1.27-bin.jar igoodenow_local@140.252.33.50:/home/igoodenow_local/
+ # scp -i ~/.ssh/localkey /home/igoodenow/recovery-audit-3Nov2021/jira/atlassian-jira-software-8.13.10-x64.bin igoodenow_local@140.252.33.50:/home/igoodenow_local/
+# Need to Configure AWS and transfer backup set
+ # cd ~igoodenow_local
+ # curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
+ # unzip awscliv2.zip
+ # aws/install
+ # aws configure
+ # https://my.1password.com/vaults/sv63i4a7gaeksvzc3kymnerliy/allitems/lgtogm4g53uimqkw7gyw4q2eoy
+ # aws s3 cp s3:// /destination
+# May need to check mysql, java, nginx versions are installed
+# yum groupinstall "GNOME Desktop"
+# Edit my.cnf file
+ # https://github.com/igoodenow/services/blob/master/service-jira/jira-configurations/etc/my.cnf
+ # the above should be production branch when not testing
+ # systemctl status mysqld
+ # systemctl is-enabled mysqld
+ # systemctl enable mysqld
+ # systemctl start msyqld
+ # systemctl restart mysqld
+# Create the Sample certs or apply real certs
+ # openssl req -newkey rsa:4096 -x509 -sha256 -days 3650 -nodes -out /etc/pki/tls/certs/sample.crt -keyout /etc/pki/tls/certs/sample.key
+# Restore/Update nginx conf
+ # https://github.com/igoodenow/services/blob/master/service-jira/jira-configurations/nginx/conf.d/hephaestusvermillion.lsst.org.conf
+ # Check on location and name of certs and keys used for each vhost
+ # setsebool -P httpd_can_network_connect 1
+ # setsebool -P httpd_can_network_relay 1
+ # nginx -t
+ # systemctl status nginx
+ # systemctl is-enabled nginx
+ # systemctl enable nginx
+ # systemctl status nginx
+ # systemctl start nginx
+# For Testing Purposes otherwise DNS needs to be correct
+ # vi /etc/nsswitch.conf
+ # hosts: files dns myhostname
+ # vi /etc/hosts
+ # 127.0.0.1 confluence.lsstcorp.org
+# Fresh Install of Jira
+ # ./atlassian-jira-software-8.13.10-x64.bin
+ # go with defaults
+ # install as a service
+ # do NOT let it start or stop it if started
+ # cp -p mysql-connector-java-5.1.27-bin.jar /opt/atlassian/jira/lib/
+# Because of systemctl issues, need to protect test from production by not allowing it to start
+# service does not behave as expected; chkconfig vs systemctl; not sure if gold standard is different
+ # mv /opt/atlassian/jira/bin/start-jira.sh /opt/atlassian/jira/bin/start-jira_.sh
+
+# Test Base Install of Jira using HV console or do local hosts changes to bypass DNS
+ # HV Console
+ # startx
+ # start a terminal with elevated privs
+
+# Start Jira Fresh install
+ # /etc/init.d/jira start
+ # or
+ # /opt/atlassian/jira/bin/start-jira_.sh
+
+
+# Launch local browser and access web sites
+ # http://localhost:8080
+ # https://jira.lsstcorp.org
+ # Expect cert errors
+# Test access
+# Stop Jira
+ # /etc/init.d/jira stop
+ # or
+ # /opt/atlassian/jira/bin/stop-jira.sh
+
+# Protect Production by restricting network on recovery host
+ # vi /etc/sysconfig/network-scripts/ifcfg-eth0
+ # ONBOOT="no"
+
+# Restore Production Backups
+ # Need mysql dump name
+ # gunzip < /home/igoodenow_local/atlassian-jira-mysql-YYYYMMDDHHMMSS.sql.gz | mysql jira
+ # cd /var/atlassian/application-data/jira
+ # tar -xzvf /home/igoodenow_local/atlassian-jira-home-YYYYMMDDHHMMSS.tgz
+ # Reset admin password
+ # mysql
+ # use jira;
+ # select u.id, u.user_name, u.active from cwd_user u join cwd_membership m on u.id=m.child_user_id
+ # join cwd_group g on m.parent_id=g.id join cwd_directory d on d.id=g.directory_id where g.group_name = 'jira-administrators' and d.directory_name='Jira Internal Directory';
+ # update cwd_user set credential = 'googlethepassword' where id=XXX;
+ # exit
+ # Update confluence db file with mysql confluence password
+ # vi /var/atlassian/application-data/jira/dbconfig.xml
+
+
+# Access HV Console while in restricted network access
+ # Stop Jira
+ # systemctl stop jira
+ # /opt/atlassian/confluence/bin/stop-jira.sh
+ # ps axu|grep jira
+ # special start
+ # ifconfig|less
+ # ifconfig eth0 down
+ # ping www.cnet.com
+ # systemctl start jira
+ # tail -f /opt/atlassian/jira/logs/catalina.out
+ # startx
+ # ping www.cnet.com
+
+# start Jira
+ # systemctl start jira;tail -f /opt/atlassian/logs/catalina.out
+ # tail -f /opt/atlassian/logs/catalina.out
+ # tail -f /opt/atlassian/log/catalina.out
+ # systemctl status jira
+ # tail -f /opt/atlassian/jira/logs/catalina.out
+ # http://locahost:8080
+ # https://jira.lsstcorp.org
+ # Can you login?
+ # system report?
+
+# ping www.cnet.com
+# ifconfig eth0
+# ifconfig eth0 down
+# ping www.cnet.com
+ # the above is to prevent jira processing email or other network interactions
+ # prevents testing ldap
+
+# need ./lib/mysql-connector-java-5.1.27-bin.jar
+# verify mysql -e "alter database jira character set utf8mb4 collate utf8mb4_bin;"
+# dbconfig.xml file needs the jira db username and password
+# on sirius zig-zrecover-jira-notes.tgz has files
+# nsswitch and hosts need special changes to do testing w/o network dns
+# tar -xzvf atlassian-jira-install-20211102064518.tgz --wildcards "*mysql-connector-java-5.1.27-bin.jar"
+# Restore install config changes
+# Remove this profile from node.
+
+## Commands No Longer needed
+# rpm -qa|grep -e 'mysql\|java\|nginx'|sort
+# yum repolist
+# 
\ No newline at end of file
diff --git a/site/profile/manifests/base_yourls_recovery.pp b/site/profile/manifests/base_yourls_recovery.pp
new file mode 100644
index 0000000..1873377
--- /dev/null
+++ b/site/profile/manifests/base_yourls_recovery.pp
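Review bot: Several operator notes in this manifest were copied from the Confluence profile and point at the wrong service, which matters because they are the steps someone follows during a recovery: the `/etc/hosts` test entry is `127.0.0.1 confluence.lsstcorp.org` while the URL tested later is `https://jira.lsstcorp.org`, the stop step is `/opt/atlassian/confluence/bin/stop-jira.sh` where every other path uses `/opt/atlassian/jira/bin/`, and `# Update confluence db file with mysql confluence password` sits above `vi /var/atlassian/application-data/jira/dbconfig.xml`. Change them to `127.0.0.1 jira.lsstcorp.org`, `/opt/atlassian/jira/bin/stop-jira.sh` and `# Update dbconfig.xml with the jira MySQL user password`. Under `# start Jira` three different `tail -f` paths are given (`/opt/atlassian/logs/catalina.out`, `/opt/atlassian/log/catalina.out`, `/opt/atlassian/jira/logs/catalina.out`); only the last matches the path used elsewhere in the file, so drop the other two. `# tighten up perms from notes` next to `grant => ['ALL']` on `mysql::db { 'jira': ...}` is an acknowledged open item; either reduce the grant in this change or make it a tracked `# TODO:` that names the intended grant list. The notes also embed a host address, an SSH key path and a 1Password item URL (`scp -i ~/.ssh/localkey ... igoodenow_local@140.252.33.50:...`); none is a secret on its own, but they are environment details that belong in the runbook these notes reference rather than in a committed manifest.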
@@ -0,0 +1,208 @@
+class profile::base_yourls {
+## Can get specific files from github if files backup is not available
+ # Configure Yum Repos and Install Packages
+ yumrepo { 'epel':
+ enabled => 1,
+ descr => 'epel',
+ metalink => 'https://mirrors.fedoraproject.org/metalink?repo=epel-7&arch=$basearch&infra=$infra&content=$contentdir',
+ gpgcheck => 0,
+ } # end of yumrepo
+ yumrepo { 'nginx':
+ enabled => 1,
+ descr => 'Nginx',
+ baseurl => 'http://nginx.org/packages/mainline/centos/7/$basearch/',
+ gpgcheck => 0,
+ } # end of yumrepo
+ yumrepo { 'remi-php73':
+ enabled => 1,
+ descr => 'remi-php73',
+ mirrorlist => 'http://cdn.remirepo.net/enterprise/7/php73/mirror',
+ gpgcheck => 0,
+ } # end of yumrepo
+ yumrepo { 'remi-safe':
+ enabled => 1,
+ descr => 'remi-safe',
+ mirrorlist => 'http://cdn.remirepo.net/enterprise/7/safe/mirror',
+ gpgcheck => 0,
+ } # end of yumrepo
+
+ # MySQL
+ class { 'mariadb::server': root_password => 'yeah#doit', }
+ mysql_user { 'yourls@localhost': ensure => present, password_hash => mysql::password('itisthis^'),}
+ mysql::db { 'yourls': user => 'yourls', password => 'itisthis^', host => 'localhost', grant => ['ALL'], }
+ # no checks defined to test mysql users later
+
+ # Nginx
+ Package { [ 'nginx-1.20.1-9.el7.x86_64', ]: ensure => installed, }
+ Package { [ 'nginx-filesystem', 'nginx-mod-http-perl', 'nginx-mod-mail', 'nginx-mod-stream', 'nginx-all-modules', 'nginx-mod-http-xslt-filter', 'nginx-mod-http-image-filter', ]: ensure => installed, }
+ firewalld_service { 'Allow http on public zone': ensure => 'present', service => 'http', zone => 'public', }
+ firewalld_service { 'Allow https on public zone': ensure => 'present', service => 'https', zone => 'public', }
+
+# run this to get a test cert
+# openssl req -newkey rsa:4096 -x509 -sha256 -days 3650 -nodes -out /etc/pki/tls/certs/sample.crt -keyout /etc/pki/tls/certs/sample.key
+# setenforce 0 until key/cert is fixed
+ #service { 'nginx.service': ensure => 'running', }
+ #include nginx
+ # nginx::resource::server { 'zig-mysql.lsst.local':
+ # ensure => present,
+ # www_root => '/usr/share/nginx/html',
+ # ssl => true,
+ # listen_port => 443, #need to check this
+ # ssl_cert => '/etc/pki/tls/certs/sample.crt', # fix selinux, location, requires the files
+ # ssl_key => '/etc/pki/tls/certs/sample.key',
+ # server_name => ['zig-mysql.lsst.local'],
+ # } # end of nginx resource server
+
+# NEED to run recompile steps
+ Package { [ 'openldap-devel', 'git', ]: ensure => installed, }
+ # cd ~
+ # wget https://nginx.org/download/nginx-1.20.1.tar.gz
+ # tar -xzvf nginx-1.20.1.tar.gz
+ # cd nginx-1.20.1
+ # git clone https://github.com/kvspb/nginx-auth-ldap.git
+ # ./configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --error-log-path=/var/log/nginx/error.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --user=nginx --group=nginx --add-module=./nginx-auth-ldap --with-http_ssl_module
+ # make
+ # make install
+ # /usr/sbin/nginx -V
+ # find / -name index.html
+ # /etc/nginx/html/index.html
+ # /usr/share/nginx/html/index.html
+ # which one is the default root of this nginx service?
+
+ # systemctl status nginx
+ # less /usr/lib/systemd/system/nginx.service
+ # using expected binary file
+ # Based on troubleshooting
+ # /etc/nginx/conf/nginx.conf is the assume and thus edit
+ # /etc/nginx/html/index.html
+ # vi /etc/nginx/html/index.html
+ # change Welcome so it is Working Welcome
+ # systemctl is-enabled nginx
+ # systemctl enable nginx
+ # systemctl start nginx
+ # http://140.252.33.21
+ # Working Welcome
+ # https://140.252.33.21
+ # failed; ssl not configured so no surprise
+ # rpm -qa|grep -i 'nginx\|mariadb\|php'
+ # mariadb and several nginx packages
+
+ # PHP
+
+ Package { [ 'php-7.3.32-1.el7.remi.x86_64', ]: ensure => installed, }
+ Package { [ 'php-devel', 'php-common', 'php-cli', 'php-process', ]: ensure => installed, }
+ Package { [ 'php-json', 'php-pecl-apcu', 'php-fpm', 'php-pecl-mcrypt', 'oniguruma5php', 'php-pecl-apcu-devel', 'php-pecl-zip', 'php-fedora-autoloader', 'php-xml', ]: ensure => installed, }
+ Package { [ 'php-mysqlnd', 'php-mbstring', 'php-pear', 'php-pdo', 'php-bcmath', 'php-gd', ]: ensure => installed, }
+
+ # Need working root directory of nginx for two lines below that assume /etc/nginx/html/
+ # echo "" > /etc/nginx/html/phpinfo.php
+ # php /etc/nginx/html/phpinfo.php
+ # the commands after the vi of www.conf are vi statements to delete lines
+ # vi /etc/php-fpm.d/www.conf
+ # 3dd
+ # move to below [www]
+ # 46dd
+ # should be left with stuff below starting with
+ # ; When POSIX Access Control Lists are supported you can set them using
+ # add
+ # user = nginx
+ # group = nginx
+ # listen = /var/run/php-fpm/php7.2-fpm.sock
+ # listen.owner = nginx
+ # listen.group = nginx
+ # listen.mode = 0660
+ # ACTION - if referenced fix below is done, need to adjust above as well
+ # Assumes conf is /etc/nginx/conf/nginx.conf
+ # vi /etc/nginx/conf/nginx.conf
+ # add beow the location / {}
+ #
+ # location ~ \.php$ {
+ # try_files $uri =404;
+ # include /etc/nginx/fastcgi.conf;
+ # fastcgi_pass unix:/var/run/php-fpm/php7.2-fpm.sock;
+ # }
+ # vi /etc/nginx/conf/nginx.conf
+ # added at outside end of server {}
+ # include /etc/nginx/conf.d/*.conf;
+ # NEED TO KNOW LDAP INFO
+ # https://my.1password.com/vaults/sv63i4a7gaeksvzc3kymnerliy/allitems/upzgyet4oukr7io4shr7ae7p6a
+ # add in http but before server{}
+ # ldap_server ldap01 {
+ # url "ldap://ldap.XXX.YYY/CN=users,DC=XXX,DC=YYY?sAMAccountName?sub?(objectClass=*)";
+ # binddn "cn=FIRST LAST,cn=users,dc=XXX,dc=YYY";
+ # binddn_passwd "xxyy";
+ # require valid_user;
+ # satisfy any;
+ # }
+ # use content from https://github.com/igoodenow/service_yourls/blob/main/nginx/conf.d/yourls.conf
+ # to create yourls.conf
+ # vi /etc/nginx/conf.d/yourls.conf
+ # however need to make fixes
+ # 3 eidts changed from old sock path to new php-fpm path
+ # /var/run/php-fpm/php7.2-fpm.sock
+ # ACTION - Update the file to remove this step; not it is NOT the same as Production
+ # ACTION - update the name to be php7.3 if it doesn't cause problems
+ # May have already run the openssl to create certs; no need 2nd time so check location
+ # openssl req -newkey rsa:4096 -x509 -sha256 -days 3650 -nodes -out /etc/pki/tls/certs/sample.crt -keyout /etc/pki/tls/certs/sample.key
+ # systemctl status php-fpm.service
+ # systemctl is-enabled php-fpm.service
+ # systemctl enable php-fpm.service
+ # nginx -t
+ # systemctl stop php-fpm.service; systemctl stop nginx; systemctl start nginx; systemctl start php-fpm.service
+ # http:///phpinfo.php
+ # page show up?
+
+ # YOURLS
+ # cd ~
+ # https://github.com/YOURLS/YOURLS/releases/tag/1.7.4
+ # wget -O ~/yourls.tar.gz https://github.com/YOURLS/YOURLS/archive/refs/tags/1.7.4.tar.gz
+ # gunzip ~/yourls.tar.gz;cd /etc/nginx/;tar -xvf ~/yourls.tar;ln -s ./YOURLS-1.7.4 YOURLS
+ # cd /etc/nginx/YOURLS/;cp user/config-sample.php user/config.php
+ # vi user/config.php
+ # edit file now but need senstive info passed
+ # lines 14, 17, 35
+ ## need values for YOURLS_DB_USER, DB_PASS, DB_NAME, DB_HOST, DB_PREFIX '', _SITE
+ ## db_pass is referenced in mysql::db
+ # your host ready?
+ # alter your computer's host file and prepare private browser
+ # ping ls.st
+ # the test guest ip returned?
+ # https://ls.st
+ # cert error
+ # no page
+ # no index.html exists so go to /admin
+ # https://ls.st/admin
+ # perform the install from the web page link
+ # do htaccess step referenced on the wizard page
+ # login with defaults in user/config.php
+
+## Restoring Production Data from AWS Backup Set
+ # yum install unzip
+ # cd ~
+ # curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
+ # unzip awscliv2.zip
+ # aws/install
+ # need creds frm https://my.1password.com/vaults/sv63i4a7gaeksvzc3kymnerliy/allitems/lgtogm4g53uimqkw7gyw4q2eoy
+ # aws configure
+ # cd ~
+ # aws s3 cp s3://yourls-data/mysql-db-yourls-2021XXXX ~/
+ # aws s3 cp s3://yourls-data/config-yourls-2021XXXX ~/
+ # gunzip mysql-db-yourls-202110XXXXX
+ # mysql yourls < mysql-db-yourls-202110XXXXX
+ # tar -xzvf config-yourls-202111150300.tgz
+ # cp -rp /root/nginx/YOURLS/* /etc/nginx/YOURLS/
+ # set overwrite to bypass prompt
+ #go back to fix db password
+ # vi /etc/nginx/YOURLS/user/config.php
+ # https://ls.st/admin/
+ # Should get ldap prompt
+ # should work
+ # should see urls from last day of backup
+ # Check active plugins is 6
+
+# ACTION - Combine the guzip and import into one statement
+# ACTION - fix the backup script to add .sql extentions
+# ACTION - Fix Production Backups to Include the image files in YOURLS
+# ACTION - Store source install on production server as part of backup set
+
+} # end of base_yourls
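Review bot: This profile installs `nginx-1.20.1-9.el7.x86_64` from the repo and then, under `# NEED to run recompile steps`, builds nginx from source with `--sbin-path=/usr/sbin/nginx` and `make install`, overwriting the RPM-owned binary; the notes show the resulting confusion (`which one is the default root of this nginx service?`, `using expected binary file`), and the next `yum update` of the nginx package will silently replace the LDAP-enabled binary with the stock one. If `nginx-auth-ldap` is required, build it as a dynamic module (`--add-dynamic-module`, loaded with `load_module`) against the packaged nginx, or package the custom build as an RPM; failing that, `yum versionlock` the package and say in the manifest that `/usr/sbin/nginx` is locally built. Neither `wget https://nginx.org/download/nginx-1.20.1.tar.gz` nor `git clone https://github.com/kvspb/nginx-auth-ldap.git` verifies what it fetched — nginx publishes a `.asc` signature for the tarball, and the clone should be pinned to a reviewed commit rather than the branch head at recovery time; the same applies to the YOURLS tarball fetched from GitHub. `# setenforce 0 until key/cert is fixed` should become a labelling fix (`restorecon -Rv /etc/pki/tls` gives the sample key and cert `cert_t`) rather than disabling enforcement on a host that is about to receive production data. Pinning versions in resource titles (`'nginx-1.20.1-9.el7.x86_64'`, `'php-7.3.32-1.el7.remi.x86_64'`) is fragile; the Puppet idiom is `package { 'php': ensure => '7.3.32-1.el7.remi' }`, which keeps the package name stable and the pin visible.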