# apt-get install apg
$ apg -m64
# passwd root
# useradd -g admin -d /home/spbruby -m -s /bin/bash spbruby
# passwd spbruby
# visudo
Add following: %admin ALL NOPASSWD:ALL
local$ cat .ssh/id_rsa.pub
remote$ mkdir .ssh
remote$ cat > .ssh/authorized_keys
remote$ chmod 600 .ssh/authorized_keys
remote$ chmod 700 .ssh
Update /etc/ssh/sshd_config with: Port 22222 PermitRootLogin = No AllowUsers spbruby
# mkdir -p /var/lib/iptables
# cp var/lib/iptables/rules_save /var/lib/iptables/
Add to main interface settings in /etc/network/interfaces: pre-up /sbin/iptables-restore < /var/lib/iptables/rules_save
# apt-get update
# apt-get dist-upgrade
# apt-get install bash-completion
Add to ~/.bash_profile:
if [ -f /etc/bash_completion ]; then
. /etc/bash_completion
fi
# set a fancy prompt (non-color, unless we know we "want" color)
if [[ ${EUID} == 0 ]] ; then
PS1='\[\033[01;31m\]\u@\h\[\033[01;34m\] \w \$\[\033[00m\] '
else
PS1='\[\033[01;32m\]\u@\h\[\033[01;34m\] \w `git branch 2>&1 | grep "*" | awk -F" " "{print \\\$2}"`\$\[\033[00m\] '
fi
if [ -f ~/.bash_aliases ]; then
. ~/.bash_aliases
fi
Add to ~/.bash_aliases: alias ls='ls --color=auto' alias ll='ls -l' alias la='ls -al' alias l='ls -CF' alias grep='grep --color'
Add to ~/.bash_profile export LANG=ru_RU.UTF-8 export LC_MESSAGES=C
# apt-get install -y build-essential git-core git-svn automake autoconf
# apt-get install -y libexpat1-dev zlib1g zlib1g-dev libyaml-dev libonig-dev libopenssl-ruby libssl-dev libdbm-ruby libgdbm-ruby libgif4 readline-common libreadline-dev libreadline-ruby byacc
# chgrp admin /usr/local/src/
# chmod g+ws /usr/local/src/
$ cd /usr/local/src/
$ git clone git://github.com/FooBarWidget/rubyenterpriseedition187-330.git
$ ln -s rubyenterpriseedition187-330 ruby
$ cd ruby
$ git checkout -b 2011.03 release-2011.03
$ autoconf
$ ./configure
$ make -j`expr $(grep processor /proc/cpuinfo | wc -l) + 1`
# make install
$ wget http://production.cf.rubygems.org/rubygems/rubygems-1.7.2.tgz
$ tar xvf rubygems-1.7.2.tgz
$ cd rubygems-1.7.2
# ruby setup.rb
# gem in rubygems-update bundler --no-ri --no-rdoc
# apt-get install -y sqlite3 libsqlite3-dev mysql-server libmysqlclient15-dev postgresql-8.4 postgresql-server-dev-8.4 libpq-dev
# gem in sqlite3-ruby mysql pg thin rails --no-ri --no-rdoc
# apt-get install -y libpcre3 libpcre3-dev libperl-dev libxml2-dev libxml2 libxslt-dev curl-ssl libcurl4-openssl-dev
$ cd /usr/local/src
$ wget http://sysoev.ru/nginx/nginx-1.0.5.tar.gz && tar xvf nginx-1.0.5.tar.gz && ln -nfs nginx-1.0.5 nginx && rm -f nginx-1.0.5.tar.gz
$ wget http://citylan.dl.sourceforge.net/project/pcre/pcre/8.12/pcre-8.12.tar.bz2 && tar xvf pcre-8.12.tar.bz2 && ln -nsf pcre-8.12 pcre && rm -f pcre-8.12.tar.bz2
$ git clone git://github.com/FooBarWidget/passenger.git
$ cd passenger
# ./bin/passenger-install-nginx-module --auto --prefix=/opt/nginx --nginx-source-dir=/usr/local/src/nginx --extra-configure-flags='--with-http_flv_module --with-http_realip_module --with-http_ssl_module --with-http_sub_module --with-http_xslt_module --with-http_stub_status_module --with-poll_module --with-pcre=/usr/local/src/pcre --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --user=www-data --group=www-data'
- Access only from localhost
Add to the /etc/postgresql/8.4/main/postgresql.conf listen_addresses = 'localhost'
- Easy access from localhost
Add to /etc/postgresql/8.4/main/pg_hba.conf # TYPE DATABASE USER CIDR-ADDRESS METHOD # Database administrative login by UNIX sockets # "local" is for Unix domain socket connections only
# local all postgres ident
local all all trust
- Adding user and database
Run: $ psql -Upostgres postgres=# ALTER ROLE postgres ENCRYPTED PASSWORD 'supersecurerootpassword'; postgres=# CREATE ROLE spbruby NOSUPERUSER LOGIN ENCRYPTED PASSWORD 'superpupermegapasword'; postgres=# CREATE DATABASE spbruby ENCODING 'UTF-8' OWNER spbruby;
First run: # mysql_secure_installation Fill the questionnaire:
Enter current password for root (enter for none):
Change the root password? [Y/n] n
** ... skipping.**
** Remove anonymous users? [Y/n]** y
** ... Success!**
** Disallow root login remotely? [Y/n]** y
** ... Success!**
Remove test database and access to it? [Y/n] y
** - Dropping test database...**
** ... Success!**
** - Removing privileges on test database...**
** ... Success!**
Reloading the privilege tables will ensure that all changes made so far will take effect immediately.
Reload privilege tables now? [Y/n] y
** ... Success!**
Then run:
$ mysql -uroot -p mysql> CREATE DATABASE spbruby; mysql> GRANT ALL ON spbruby.* TO spbruby@localhost IDENTIFIED BY 'superpuperpassword'; mysql> FLUSH PRIVILEGES;
# apt-get install -y openvpn
# mv /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/ssl/easy-rsa
# apt-get remove -y openvpn
# apt-get -y autoremove
$ cd /etc/ssl/easy-rsa
Update vars file with following:
export KEY_COUNTRY="RU"
export KEY_PROVINCE="RU"
export KEY_CITY="Saint Petersburg"
export KEY_ORG="spbruby.org"
export KEY_EMAIL="security@spbruby.org"
Import vars to current shell:
# source vars
Initialize the $KEY_DIR directory:
# ./clean-all
Build a root certificate
# ./build-ca
Build Diffie-Hellman parameters for the server side of an SSL/TLS connection.
# ./build-dh
Make a certificate/private key pair using a locally generated root certificate.
# ./build-key-server spbruby.org
# ./build-key-server mail.spbruby.org
Place utils for manage nginx vhosts to /usr/local/bin/ and make them executable:
$ chmod +x ./usr/local/bin/*
# mv ./usr/local/bin/* /usr/local/bin/
Then place ./opt/nginx/conf/nginx.conf to /opt/nginx/conf/
After that we need to create folders for vhosts configuration $ cd /opt/nginx/conf # mkdir sites-available sites-enabled And then place config-file for our vhost (./opt/nginx/conf/sites-available/spbruby.org) to /opt/nginx/conf/sites-available/
And enable vhost: # nginxensite spbruby.org
# gem in astrails-safe --no-rdoc --no-ri
Place safe config from ./etc/safe.rb to /etc
# cat > /etc/cron.daily/safe
/usr/local/bin/astrails-safe /etc/safe.rb
^D
# chmod 755 /etc/cron.daily/safe
# apt-get install logrotate
Place etc/logrotate.d/spbruby.org and etc/logrotate.d/nginx to /etc/logrotate.d
# apt-get install -y exim4-daemon-heavy dovecot-common dovecot-imapd dovecot-pop3d clamav-daemon
# mkdir /var/log/dovecot
# gpasswd -a clamav Debian-Exim
$ psql -Upostgres
postgres=# CREATE ROLE mail NOSUPERUSER LOGIN ENCRYPTED PASSWORD 'mailpassword';
postgres=# CREATE DATABASE mail ENCODING 'UTF-8' OWNER mail;
$ psql -Upostgres mail < etc/exim4/mail_schema.pgsql
# cp etc/exim4/exim.conf /etc/exim4/exim.conf.template
# cp etc/aliasdomains /etc/aliasdomains
# /etc/init.d/exim4 restart
# cp etc/dovecot/* /etc/dovecot
# /etc/init.d/dovecot restart
# mkdir -p /var/www/mail.spbruby.org
# chown www-data:www-data /var/www/mail.spbruby.org
# chmod ug+ws /var/www/mail.spbruby.org
$ cd /var/www/mail.spbruby.org
$ mkdir conf log
$ cd /usr/local/src
$ wget http://sunet.dl.sourceforge.net/project/roundcubemail/roundcubemail/0.4/roundcubemail-0.4.tar.gz
# tar xvf roundcubemail-0.4.tar.gz -C /var/www/mail.spbruby.org/
$ cd /var/www/mail.spbruby.org/
$ ln -s roundcubemail-0.4 public
Now we must place opt/nginx/conf/sites-available/mail.spbruby.org to /opt/nginx/conf/sites-available/
And enable it.
# nginxensite mail.spbruby.org
# apt-get install -y runit
# gem in runit-man --no-ri --no-rdoc
# mkdir -p /etc/sv/nginx /etc/sv/spawn-fcgi/log /etc/sv/runit-man/log
Place runit recipes from etc/sv to system /etc/sv # cp -r etc/sv/* /etc/sv/ And add symlinks to /etc/service/ and /etc/init.d/ for autorun # for i in nginx spawn-fcgi runit-man; do ln -s /usr/bin/sv /etc/init.d/${i}; ln -s /etc/sv/${i} /etc/service/; update-rc.d ${i} defaults; done Don't forget to enable access to runit-manager from your host # iptables -A INPUT -p tcp --dport 12700 -s -j ACCEPT And save iptables config # iptables-save > /var/lib/iptables/rules_save From now you can run runit-manager and access it via HTTP # sv start runit-man or # /etc/init.d/runit-man start It will be accessible on your host:12700 via HTTP
$ wget http://www.sphinxsearch.com/downloads/sphinx-1.10-beta.tar.gz && tar xvf sphinx-1.10-beta.tar.gz && ln -nsf sphinx-1.10-beta sphinx && rm -f sphinx-1.10-beta.tar.gz
$ cd sphinx
$ wget http://snowball.tartarus.org/dist/libstemmer_c.tgz && tar xvf libstemmer_c.tgz && rm -f libstemmer_c.tgz
$ ./configure --with-pgsql --without-mysql --with-libstemmer
Use --with-mysql --without-pgsql in case of MySQL database
$ make -jexpr $(grep processor /proc/cpuinfo | wc -l) + 1
# make install