Sandbox Migration

by dharmatech

Used when migrating from the dharmatech sandbox to production.

Compatible with: No distros currently supported
						#!/bin/bash

# <UDF name="client_username" Label="Client username"/>
# <UDF name="client_password" Label="Client password"/>
# <UDF name="client_hostname" Label="Hostname" example="The hostname to set inside the container, typically the domain name." />
# <UDF name="notify_email" Label="Send notification to" default="" example="Optional address to send notification to when setup is complete." />

# Capture everything the script prints, stdout and stderr alike, in a log
# the operator can inspect after the unattended run.
exec > /root/stackscript.log 2>&1

function system_set_swappiness {
  # Prefer reclaiming page cache over swapping process memory out:
  # persist the setting in sysctl.conf and apply it to the running kernel.
  echo "system_set_swappiness()"
  local setting="vm.swappiness=1"
  printf '%s\n' "$setting" >> /etc/sysctl.conf
  sysctl "$setting"
}

function system_set_accept_svn_cert {
  # Install the CA and server certificates for svn.dharmatech.org and register
  # them as trusted authorities in Subversion's system-wide servers config, so
  # the unattended checkout in system_svn_co is not held up by a certificate
  # prompt. The certificate bodies appear redacted in this copy of the script.
  echo "system_set_accept_svn_cert()"
  # Accept self-signed cert to checkout from svn.dharmatech.org
  cat > /etc/subversion/cacert.crt <<EOF
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
EOF

  cat > /etc/subversion/svn.dharmatech.org.crt <<EOF
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
EOF

  # Appended at the end of /etc/subversion/servers, so the setting lands in
  # whichever section is last in that file — presumably [global]; verify on
  # the target distro. Trust in the repository rests on these two files, so
  # they should remain root-owned and unwritable by the client account.
  echo "ssl-authority-files = /etc/subversion/cacert.crt;/etc/subversion/svn.dharmatech.org.crt" >> /etc/subversion/servers
}

function system_install_additional {
  # Day-to-day administration tools first, then the monitoring/backup stack.
  echo "system_install_additional()"
  local -a tools=(htop git-core subversion wget curl tcsh)
  local -a services=(snmpd rsnapshot munin munin-node bsd-mailx)
  apt-get install -y "${tools[@]}"
  apt-get install -y "${services[@]}"
}

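function system_set_timezone {
  # Set the system timezone by writing /etc/timezone and relinking
  # /etc/localtime. Defaults to America/Denver, the value that used to be
  # hard-coded, so existing callers are unaffected.
  # Arguments: $1 - optional zoneinfo name (e.g. Europe/Berlin)
  # Returns:   1 if no zoneinfo file exists for the requested zone
  echo "system_set_timezone()"
  local tz=${1:-America/Denver}
  if [[ ! -e "/usr/share/zoneinfo/$tz" ]]; then
    echo "system_set_timezone: unknown timezone '$tz'" >&2
    return 1
  fi
  printf '%s\n' "$tz" > /etc/timezone
  # -f replaces whatever is at /etc/localtime in one step (the old rm + ln).
  ln -sf "/usr/share/zoneinfo/$tz" /etc/localtime
}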

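function system_install_mysql {
  # Install MySQL with a random root password, create the Drupal and CiviCRM
  # databases for the client, grant the client user access to both, and record
  # the root credentials where the backup tooling reads them.
  # Globals:  CLIENT_USERNAME, CLIENT_PASSWORD (read); DB_PASSWORD (written —
  #           deliberately left global in case later steps or the sourced
  #           library rely on it)
  # Calls randomString, mysql_install, mysql_create_database, mysql_create_user
  # and mysql_grant_user from the sourced StackScript library.
  echo "system_install_mysql()"
  DB_PASSWORD=$(randomString 13)
  mysql_install "$DB_PASSWORD"

  local db
  for db in "${CLIENT_USERNAME}_drupal" "${CLIENT_USERNAME}_civicrm"; do
    mysql_create_database "$DB_PASSWORD" "$db"
  done
  mysql_create_user "$DB_PASSWORD" "$CLIENT_USERNAME" "$CLIENT_PASSWORD"
  for db in "${CLIENT_USERNAME}_drupal" "${CLIENT_USERNAME}_civicrm"; do
    mysql_grant_user "$DB_PASSWORD" "$CLIENT_USERNAME" "$db"
  done

  # Used by rsnapshot for backups. The file holds the MySQL root password, so
  # it is created/restricted *before* anything is written: the original chmod
  # ran after the writes, leaving a window in which a default umask made the
  # password world-readable.
  local conf=/usr/local/etc/adm.conf
  mkdir -p -- "${conf%/*}"
  ( umask 077; : >> "$conf" )
  chmod 600 "$conf"
  {
    echo "mysql_server=localhost"
    echo "mysql_clients=localhost"
    echo "mysql_admin_user=root"
    echo "mysql_admin_pw=${DB_PASSWORD}"
  } >> "$conf"
  chmod 400 "$conf"
}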

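function system_install_php_apache {
  # Install PHP and Apache through the library helpers, raise the PHP limits in
  # every SAPI's php.ini, write the port and default virtual-host config, and
  # adjust the enabled module set.
  # Calls php_install_with_apache, php_tune, apache_install and apache_tune
  # from the sourced StackScript library.
  echo "system_install_php_apache()"
  php_install_with_apache && php_tune

  # Same limits for the apache2, cli and cgi SAPIs. As before, the address
  # matches any line mentioning the directive, commented out or not.
  local sapi setting
  for sapi in apache2 cli cgi; do
    for setting in \
      "max_execution_time = 300" \
      "memory_limit = 128M" \
      "upload_max_filesize = 8M" \
      "post_max_size = 16M"; do
      sed -i "/${setting%% *}/s/.*/${setting}/" "/etc/php5/${sapi}/php.ini"
    done
  done

  apache_install && apache_tune 40
  apt-get install -y php-pear php5-xmlrpc php5-curl php5-gd php5-mysql php5-cli
  cat > /etc/apache2/ports.conf <<'EOF'
Listen 80
<IfModule mod_ssl.c>
  Listen 443
</IfModule>
EOF

  # Default site. /etc/apache2/sites-available is a directory on Debian-derived
  # systems, so the original `cat > /etc/apache2/sites-available` could not
  # succeed and the later symlink pointed at the directory; the config now goes
  # into a file there and that file is what gets linked into sites-enabled.
  # The delimiter is quoted so that `$1` in the RewriteRule (and `%{HTTP_HOST}`,
  # `\.`) reach Apache verbatim: unquoted, `$1` expanded to this function's
  # empty first argument and the www-redirect dropped the request path.
  # NOTE(review): `Options Indexes ... ExecCGI` with `AllowOverride All` under
  # the whole docroot, and `ServerSignature On`, are permissive defaults worth
  # tightening once the sites are in place; kept as the author wrote them.
  # NOTE(review): RewriteEngine needs mod_rewrite, which is not enabled below —
  # confirm the library's apache_install does so.
  local site=/etc/apache2/sites-available/000-default
  cat > "$site" <<'EOF'
DocumentRoot /var/www/
<Directory /var/www/>
  Options Indexes FollowSymLinks MultiViews ExecCGI
  AllowOverride All
</Directory>

ErrorLog /var/log/apache2/error.log
LogLevel warn
SetEnvIf Request_URI "\.(jpg|xml|png|gif|ico|js|css|swf|js?.|css?.)$" DontLog
CustomLog /var/log/apache2/access.log combined Env=!DontLog
ServerSignature On

NameVirtualHost *:80
<VirtualHost *:80>
  ServerAdmin support@dharmatech.org
  RewriteEngine On
  # Rewrite www.domain.com to domain.com
  RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
  RewriteRule ^(.*)$ http://%1$1 [L,R=301]
</VirtualHost>

#NameVirtualHost *:443
#<VirtualHost *:443>
#  ServerAdmin support@dharmatech.org
#  ServerName contextualpsychology.org
#  SSLEngine On
#  SSLProtocol all -SSLv2
#  SSLCertificateKeyFile /etc/apache2/ssl/ssl.key/site.key
#  SSLCertificateFile /etc/apache2/ssl/ssl.crt/site.crt
#  SSLCertificateChainFile /etc/apache2/ssl/ssl.crt/site.ca-bundle
#</VirtualHost>
EOF

  # (En|Dis)able (un)necessary modules. -f keeps a module that is already
  # absent from erroring (the original also listed status.* twice).
  local mod
  for mod in status reqtimeout php5 negotiation autoindex; do
    rm -f /etc/apache2/mods-enabled/"$mod".*
  done
  for mod in ssl expires; do
    ln -s /etc/apache2/mods-available/"$mod".* /etc/apache2/mods-enabled/
  done

  ln -s "$site" /etc/apache2/sites-enabled/000-default
}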

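function system_install_fw {
  # Minimal host firewall: loopback, established flows, the non-standard ssh
  # port, http/https and ICMP are accepted; all other tcp/udp is rejected. The
  # rule set is saved and a small init script restores it at boot.
  echo "system_install_fw()"
  # Allow standard ports and non-standard ssh port
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  # 4422 must match the Port written to sshd_config by system_install_user.
  iptables -A INPUT -p tcp --dport 4422 -j ACCEPT
  iptables -A INPUT -p tcp --dport www -j ACCEPT
  iptables -A INPUT -p tcp --dport https -j ACCEPT
  # NOTE(review): this admits any UDP datagram whose *source* port is 53, not
  # just DNS replies — those are already covered by the ESTABLISHED,RELATED
  # rule. Kept for compatibility; consider removing it.
  iptables -A INPUT -p udp --sport domain -j ACCEPT
  iptables -A INPUT -p icmp -j ACCEPT
  iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
  iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
  iptables-save > /etc/iptables.rules

  # Quoted delimiter: the generated script's own $1 must not be expanded here.
  # 'restart' now calls the script by absolute path; the original used
  # ./iptables, which only resolves when the current directory is /etc/init.d.
  # Note that 'stop' only flushes the rules, leaving the chain's default
  # (ACCEPT) policy in force.
  cat > /etc/init.d/iptables <<'EOF'
#!/bin/sh
#  Load iptables from /etc/iptables.rules at boot time
case "${1:-''}" in
  'start')
     if [ -f /etc/iptables.rules -a -x /sbin/iptables-restore ]
       then
         /sbin/iptables-restore < /etc/iptables.rules
     fi
     exit 0
     ;;

  'stop')
     if [ -x /sbin/iptables ]
       then
         /sbin/iptables -F
     fi
     exit 0
     ;;

  'restart')
        set +e; /etc/init.d/iptables stop; set -e
        /etc/init.d/iptables start
        ;;

  *)
     echo "Usage: iptables start|stop|restart|reload|force-reload|status"
     exit 1
     ;;
esac
EOF

  chmod a+x /etc/init.d/iptables
  /usr/sbin/update-rc.d iptables defaults
}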

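function system_set_admin_group {
  # Create the "admin" group and make its members sudoers. The original wrote
  # /etc/sudoers directly with no syntax check; a malformed sudoers file locks
  # every sudo user out, so the new content is validated with visudo first and
  # installed with the mode sudo expects. Like the original this *replaces*
  # the whole file, so any distro defaults in it are dropped.
  # Returns: 1 if the temp file cannot be created or the check fails
  echo "system_set_admin_group()"
  # -f: succeed, and leave the group alone, if it already exists
  groupadd -f admin

  local candidate
  candidate=$(mktemp) || return 1
  echo "%admin ALL=(ALL) ALL" > "$candidate"
  # visudo -c also checks owner/mode, so give the candidate the final mode.
  chmod 0440 "$candidate"
  if visudo -c -f "$candidate" >/dev/null; then
    install -m 0440 -o root -g root -- "$candidate" /etc/sudoers
  else
    echo "system_set_admin_group: generated sudoers failed visudo check; /etc/sudoers left unchanged" >&2
    rm -f -- "$candidate"
    return 1
  fi
  rm -f -- "$candidate"
}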

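function system_configure_backups {
  # Create the backup destination directory; -p keeps a re-run of the script
  # from failing when it already exists.
  echo "system_configure_backups()"
  mkdir -p -- /backup
}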

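function system_svn_co {
  # Export the admin scripts from the dharmatech repository into
  # /usr/local/sbin. --non-interactive makes svn fail instead of prompting
  # (this script runs unattended with all output redirected to a log, so a
  # prompt would hang forever); --force is needed because /usr/local/sbin
  # already exists and svn export refuses an existing destination otherwise.
  # The server certificate is trusted via system_set_accept_svn_cert.
  echo "system_svn_co()"
  svn export --non-interactive --force https://svn.dharmatech.org/svn/adm/trunk /usr/local/sbin/
}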

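function system_configure_postfix {
  # Postfix: turn off the smtp listener and local delivery, route mail through
  # virtual alias/transport maps, and stop listening on the network.
  # The sed scripts are read with -f /dev/stdin: the original passed the
  # config file where sed expects its *script* argument (`sed -i FILE`), so
  # none of these edits ever applied.
  echo "system_configure_postfix()"
  # Disable local delivery and smtp
  sed -i -f /dev/stdin /etc/postfix/master.cf <<'EOF'
/^smtp/s/smtp      inet/#smtp      inet/
/^local/s/local/#local/
EOF

  # Use a virtual alias and transport map. Quoted delimiter so the
  # backslash-newline continuations of the `a\` command reach sed intact.
  # NOTE(review): /etc/postfix/virtual is referenced but not created or
  # postmapped here — presumably done by the exported admin scripts; verify.
  sed -i -f /dev/stdin /etc/postfix/main.cf <<'EOF'
/alias_database/a\
virtual_alias_maps = hash:/etc/postfix/virtual\
transport_maps = hash:/etc/postfix/transport
EOF

  # Don't listen on the network
  sed -i -f /dev/stdin /etc/postfix/main.cf <<'EOF'
/^myhostname/d
/^alias/d
/^mydestination/s/.*/mydestination =/
/^mynetworks/s/.*/mynetworks_style = host/
EOF

  # Build the transport map
  cat > /etc/postfix/transport <<'EOF'
example.com      discard:
.example.com     discard:
EOF
  /usr/sbin/postmap /etc/postfix/transport
}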

function system_set_host {
  # Persist the client's hostname and apply it through the hostname init script.
  # Globals: CLIENT_HOSTNAME (read)
  echo "system_set_host()"
  local name=$CLIENT_HOSTNAME
  echo "$name" > /etc/hostname
  /etc/init.d/hostname.sh start
}

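function system_install_user {
  # Create the client's login account, move ssh to port 4422 (matching the
  # firewall rule in system_install_fw), restrict ssh logins to that account
  # and restart sshd.
  # Globals: CLIENT_USERNAME, CLIENT_PASSWORD (read)
  # Returns: 1 if the resulting sshd_config fails validation (sshd not restarted)
  echo "system_install_user()"
  useradd -m -s /bin/tcsh -G admin -c "Staff" "$CLIENT_USERNAME"
  # Password goes over stdin, never on a command line.
  printf '%s:%s\n' "$CLIENT_USERNAME" "$CLIENT_PASSWORD" | chpasswd
  # Anchor on the directive so other lines that merely contain "Port" are left
  # alone; a commented-out default (#Port 22) is still replaced.
  sed -i '/^#\{0,1\}Port /s/.*/Port 4422/' /etc/ssh/sshd_config
  # The sshd keyword is AllowUsers; "AllowUser" is rejected as a bad option and
  # would have prevented sshd from starting again.
  echo "AllowUsers ${CLIENT_USERNAME}@*" >> /etc/ssh/sshd_config
  # Only restart when the new configuration parses, so a bad edit cannot lock
  # the operator out of the machine.
  if /usr/sbin/sshd -t; then
    /etc/init.d/ssh restart
  else
    echo "system_install_user: sshd_config failed validation; ssh not restarted" >&2
    return 1
  fi
}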

### Begin installation ###
source <ssinclude StackScriptID="1">

# Base system and identity first ...
system_update
postfix_install_loopback_only
system_set_swappiness
system_set_accept_svn_cert
system_set_timezone
system_set_admin_group
system_set_host

# ... then the service stack and the client account ...
system_install_mysql
system_install_php_apache
system_install_additional
system_install_fw
system_install_user

# ... and finally the site-specific pieces.
system_svn_co
system_configure_backups
system_configure_postfix

restartServices

# Optional completion notice; the message body is intentionally empty.
if [[ -n "$NOTIFY_EMAIL" ]]; then
  mail -s "$(system_primary_ip) configuration complete" "$NOTIFY_EMAIL" </dev/null
fi