From 9bd5dda4786c9121ddaac80d9cb1f8ca13c327bb Mon Sep 17 00:00:00 2001 
From: Adam Niedzwiedzki Date: Thu, 23 Feb 2017 18:20:59 +1100 Subject: [PATCH] CentOS 7 Installer --- centos/install.sh | 126 +++++++++++ centos/resources/arguments.sh | 44 ++++ centos/resources/backup/fusionpbx-backup.sh | 27 +++ centos/resources/colors.sh | 25 +++ centos/resources/fail2ban.sh | 33 +++ centos/resources/fail2ban/freeswitch-404.conf | 27 +++ centos/resources/fail2ban/freeswitch-dos.conf | 21 ++ centos/resources/fail2ban/freeswitch-ip.conf | 20 ++ centos/resources/fail2ban/freeswitch.conf | 18 ++ centos/resources/fail2ban/fusionpbx.conf | 25 +++ centos/resources/fail2ban/jail.local | 113 ++++++++++ centos/resources/fail2ban/nginx-404.conf | 5 + centos/resources/fail2ban/nginx-dos.conf | 14 ++ centos/resources/finish.sh | 112 ++++++++++ centos/resources/firewalld.sh | 33 +++ centos/resources/fusionpbx.sh | 39 ++++ centos/resources/fusionpbx/config.php | 45 ++++ centos/resources/nginx.sh | 25 +++ centos/resources/nginx/fusionpbx | 196 ++++++++++++++++++ centos/resources/php.sh | 42 ++++ centos/resources/postgres.sh | 44 ++++ centos/resources/sslcert.sh | 22 ++ centos/resources/switch/conf-copy.sh | 3 + .../resources/switch/package-permissions.sh | 6 + centos/resources/switch/package-release.sh | 24 +++ centos/resources/switch/package-systemd.sh | 3 + .../switch/source/etc.default.freeswitch | 4 + .../switch/source/freeswitch.service.package | 55 +++++ .../switch/source/freeswitch.service.source | 55 +++++ 29 files changed, 1206 insertions(+) create mode 100644 centos/install.sh create mode 100644 centos/resources/arguments.sh create mode 100644 centos/resources/backup/fusionpbx-backup.sh create mode 100644 centos/resources/colors.sh create mode 100644 centos/resources/fail2ban.sh create mode 100644 centos/resources/fail2ban/freeswitch-404.conf create mode 100644 centos/resources/fail2ban/freeswitch-dos.conf create mode 100644 centos/resources/fail2ban/freeswitch-ip.conf create mode 100644 centos/resources/fail2ban/freeswitch.conf create mode 100644 
centos/resources/fail2ban/fusionpbx.conf
create mode 100644 centos/resources/fail2ban/jail.local
create mode 100644 centos/resources/fail2ban/nginx-404.conf
create mode 100644 centos/resources/fail2ban/nginx-dos.conf
create mode 100644 centos/resources/finish.sh
create mode 100644 centos/resources/firewalld.sh
create mode 100644 centos/resources/fusionpbx.sh
create mode 100644 centos/resources/fusionpbx/config.php
create mode 100644 centos/resources/nginx.sh
create mode 100644 centos/resources/nginx/fusionpbx
create mode 100644 centos/resources/php.sh
create mode 100644 centos/resources/postgres.sh
create mode 100644 centos/resources/sslcert.sh
create mode 100644 centos/resources/switch/conf-copy.sh
create mode 100644 centos/resources/switch/package-permissions.sh
create mode 100644 centos/resources/switch/package-release.sh
create mode 100644 centos/resources/switch/package-systemd.sh
create mode 100644 centos/resources/switch/source/etc.default.freeswitch
create mode 100644 centos/resources/switch/source/freeswitch.service.package
create mode 100644 centos/resources/switch/source/freeswitch.service.source
diff --git a/centos/install.sh b/centos/install.sh
new file mode 100644
index 0000000..909583b
--- /dev/null
+++ b/centos/install.sh
@@ -0,0 +1,126 @@
+#!/bin/sh
+
+# CentOS 7 install, no arm arch support
+
+#move to script directory so all relative paths work
+cd "$(dirname "$0")"
+. ./resources/colors.sh
+. ./resources/arguments.sh
+
+if [ $CPU_CHECK = true ] && [ $USE_SWITCH_SOURCE = false ]; then
+ #check what the CPU and OS are
+ OS_test=$(uname -m)
+ CPU_arch='unknown'
+ OS_bits='unknown'
+ CPU_bits='unknown'
+ if [ $OS_test = 'armv7l' ]; then
+ OS_bits='32'
+ CPU_bits='32'
+ # RaspberryPi 3 is actually armv8l but current Raspbian reports the cpu as armv7l and no Raspbian 64Bit has been released at this time
+ CPU_arch='arm'
+ elif [ $OS_test = 'armv8l' ]; then
+ # We currently have no test case for armv8l
+ OS_bits='unknown'
+ CPU_bits='64'
+ CPU_arch='arm'
+ elif [ $OS_test = 'i386' ]; then
+ OS_bits='32'
+ if [ "$(grep -o -w 'lm' /proc/cpuinfo)" = 'lm' ]; then
+ CPU_bits='64'
+ else
+ CPU_bits='32'
+ fi
+ CPU_arch='x86'
+ elif [ $OS_test = 'i686' ]; then
+ OS_bits='32'
+ if [ "$(grep -o -w 'lm' /proc/cpuinfo)" = 'lm' ]; then
+ CPU_bits='64'
+ else
+ CPU_bits='32'
+ fi
+ CPU_arch='x86'
+ elif [ $OS_test = 'x86_64' ]; then
+ OS_bits='64'
+ if [ "$(grep -o -w 'lm' /proc/cpuinfo)" = 'lm' ]; then
+ CPU_bits='64'
+ else
+ CPU_bits='32'
+ fi
+ CPU_arch='x86'
+ fi
+
+ if [ $CPU_arch = 'arm' ]; then
+ error "CentOS on arm is not supported at this time"
+ exit 3
+ elif [ $CPU_arch = 'x86' ]; then
+ if [ $OS_bits = '32' ]; then
+ error "You are using a 32bit OS this is unsupported"
+ if [ $CPU_bits = '64' ]; then
+ warning " Your CPU is 64bit you should consider reinstalling with a 64bit OS"
+ fi
+ exit 3
+ elif [ $OS_bits = '64' ]; then
+ verbose "Correct CPU/OS detected"
+ else
+ error "Unknown OS_bits $OS_bits this is unsupported"
+ exit 3
+ fi
+ else
+ error "You are using a unsupported architecture $CPU_arch"
+ fi
+fi
+
+# Update CentOS
+verbose "Updating CentOS"
+yum -y update && yum -y upgrade
+
+# Installing basics packages
+yum -y install ntp htop epel-release vim openssl
+
+# Disable SELinux
+verbose "Disabling SELinux"
+warning "Reboot required after installation completes"
+setenforce 0
+sed -i 's/\(^SELINUX=\).*/\SELINUX=disabled/' /etc/selinux/config
+verbose "SELinux disabled"
+
+#FreeSWITCH
+resources/switch/package-release.sh
+
+#FusionPBX
+resources/fusionpbx.sh
+
+#Postgres
+resources/postgres.sh
+
+#NGINX web server
+resources/sslcert.sh
+resources/nginx.sh
+
+#PHP/PHP-FPM
+resources/php.sh
+
+#IPTables
+resources/firewalld.sh
+
+# FusionPBX to FreeSWITCH configs
+verbose "Configuring freeswitch"
+resources/switch/conf-copy.sh
+resources/switch/package-permissions.sh
+resources/switch/package-systemd.sh
+verbose "freeswitch configured"
+
+#Fail2ban
+resources/fail2ban.sh
+
+#restart services
+verbose "Restarting packages for final configuration"
+systemctl daemon-reload
+systemctl restart freeswitch
+systemctl restart php-fpm
+systemctl restart nginx
+systemctl restart fail2ban
+verbose "Restart of service complete"
+
+#add the database schema, user and groups
+resources/finish.sh
diff --git a/centos/resources/arguments.sh b/centos/resources/arguments.sh
new file mode 100644
index 0000000..ac8333e
--- /dev/null
+++ b/centos/resources/arguments.sh
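Review bot: The SELinux edit `sed -i 's/\(^SELINUX=\).*/\SELINUX=disabled/' /etc/selinux/config` uses `\S` in the replacement, which is not a defined sed escape, and the `\(^SELINUX=\)` group it captures is never referenced; the capture group suggests the intended line is `sed -i 's/\(^SELINUX=\).*/\1disabled/' /etc/selinux/config`. More importantly the script disables SELinux permanently with no opt-out (arguments.sh defines no flag for it), removing a mandatory-access-control layer from an Internet-facing PBX; at minimum the usage text should say so, and keeping the host in permissive mode during install while fixing the booleans/contexts the stack needs is the safer default. The `[ $CPU_CHECK = true ]` tests are unquoted under `#!/bin/sh` and only work because arguments.sh exports the variables first; `[ "$CPU_CHECK" = true ]` keeps the test well-formed if the script is ever run with them unset. Nothing checks for root before `yum`, `setenforce` and the sub-scripts run, so `[ "$(id -u)" -eq 0 ] || { error "This installer must run as root"; exit 1; }` near the top would fail fast instead of partway through.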
@@ -0,0 +1,44 @@
+#!/bin/sh
+
+#Process command line options only if we haven't been processed once
+if [ -z "$CPU_CHECK" ]; then
+ export script_name=`basename "$0"`
+ ARGS=$(getopt -n '$script_name' -o h -l help,use-switch-source,use-switch-package-all,use-switch-master,use-switch-package-unofficial-arm,use-system-master,no-cpu-check -- "$@")
+
+ if [ $? -ne 0 ]; then
+ error "Failed parsing options."
+ exit 1
+ fi
+
+ export USE_SWITCH_SOURCE=false
+ export USE_SWITCH_PACKAGE_ALL=false
+ export USE_SWITCH_PACKAGE_UNOFFICIAL_ARM=false
+ export USE_SWITCH_MASTER=false
+ export USE_SYSTEM_MASTER=false
+ export CPU_CHECK=true
+ HELP=false
+
+ while true; do
+ case "$1" in
+ --use-switch-source ) export USE_SWITCH_SOURCE=true; shift ;;
+ --use-switch-package-all ) export USE_SWITCH_PACKAGE_ALL=true; shift ;;
+ --use-switch-master ) export USE_SWITCH_MASTER=true; shift ;;
+ --use-system-master ) export USE_SYSTEM_MASTER=true; shift ;;
+ --no-cpu-check ) export CPU_CHECK=false; shift ;;
+ -h | --help ) HELP=true; shift ;;
+ -- ) shift; break ;;
+ * ) break ;;
+ esac
+ done
+
+ if [ $HELP = true ]; then
+ warning "Debian installer script"
+ warning " --use-switch-source will use freeswitch from source rather than ${green}(default:packages)"
+ warning " --use-switch-package-all if using packages use the meta-all package"
+ warning " --use-switch-package-unofficial-arm if your system is arm and you are using packages, use the unofficial arm repo"
+ warning " --use-switch-master will use master branch/packages for the switch instead of ${green}(default:stable)"
+ warning " --use-system-master will use master branch/packages for the system instead of ${green}(default:stable)"
+ warning " --no-cpu-check disable the cpu check ${green}(default:check)"
+ exit;
+ fi
+fi
\ No newline at end of file
diff --git a/centos/resources/backup/fusionpbx-backup.sh b/centos/resources/backup/fusionpbx-backup.sh
new file mode 100644
index 0000000..68625f7
--- /dev/null
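Review bot: `ARGS=$(getopt ...)` is computed but never consumed — there is no `eval set -- "$ARGS"` after the exit-status check — so the `while`/`case` loop parses the raw `"$@"` and getopt only acts as a validator, losing its option normalisation. `--use-switch-package-unofficial-arm` is accepted by getopt but has no `case` arm, so it falls into `* ) break` and silently ends option processing with `USE_SWITCH_PACKAGE_UNOFFICIAL_ARM` still `false`; a `--use-switch-package-unofficial-arm ) export USE_SWITCH_PACKAGE_UNOFFICIAL_ARM=true; shift ;;` arm is needed. `getopt -n '$script_name'` is single-quoted, so getopt's own error messages are prefixed with the literal text `$script_name`. The help banner still reads `Debian installer script` although this file lives in the CentOS tree, and the `${green}` references assume the caller sourced colors.sh first, which is worth a comment at the top.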
+++ b/centos/resources/backup/fusionpbx-backup.sh
@@ -0,0 +1,27 @@
+#!/bin/sh
+
+export PGPASSWORD="zzz"
+db_host=127.0.0.1
+db_port=5432
+
+now=$(date +%Y-%m-%d)
+mkdir -p /var/backups/fusionpbx/postgresql
+
+echo "Backup Started"
+
+#delete postgres backups
+find /var/backups/fusionpbx/postgresql/fusionpbx_pgsql* -mtime +4 -exec rm {} \;
+
+#delete the main backup
+find /var/backups/fusionpbx/*.tgz -mtime +2 -exec rm {} \;
+
+#backup the database
+pg_dump --verbose -Fc --host=$db_host --port=$db_port -U fusionpbx fusionpbx --schema=public -f /var/backups/fusionpbx/postgresql/fusionpbx_pgsql_$now.sql
+
+#package
+tar -zvcf /var/backups/fusionpbx/backup_$now.tgz /var/backups/fusionpbx/postgresql/fusionpbx_pgsql_$now.sql /var/www/fusionpbx /usr/share/freeswitch/scripts /var/lib/freeswitch/storage /var/lib/freeswitch/recordings /etc/fusionpbx /etc/freeswitch
+
+#source
+#tar -zvcf /var/backups/fusionpbx/backup_$now.tgz /var/backups/fusionpbx/postgresql/fusionpbx_pgsql_$now.sql /var/www/fusionpbx /usr/local/freeswitch/scripts /usr/local/freeswitch/storage /usr/local/freeswitch/recordings /etc/fusionpbx /usr/local/freeswitch/conf
+
+echo "Backup Completed"
diff --git a/centos/resources/colors.sh b/centos/resources/colors.sh
new file mode 100644
index 0000000..499a17b
--- /dev/null
+++ b/centos/resources/colors.sh
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+verbose () {
+ echo "${green}$1${normal}"
+}
+error () {
+ echo "${red}$1${normal}"
+ }
+warning () {
+ echo "${yellow}$1${normal}"
+}
+
+# check for color support
+if test -t 1; then
+
+ # see if it supports colors...
+ ncolors=$(tput colors)
+
+ if test -n "$ncolors" && test $ncolors -ge 8; then
+ normal="$(tput sgr0)"
+ red="$(tput setaf 1)"
+ green="$(tput setaf 2)"
+ yellow="$(tput setaf 3)"
+ fi
+fi
diff --git a/centos/resources/fail2ban.sh b/centos/resources/fail2ban.sh
new file mode 100644
index 0000000..b6ac77c
--- /dev/null
+++ b/centos/resources/fail2ban.sh
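Review bot: `export PGPASSWORD="zzz"` hardcodes a placeholder that cannot match the random password finish.sh assigns to the `fusionpbx` role, so `pg_dump` fails authentication on every run; read the credential from a root-only `~/.pgpass` (mode 0600) or from `/etc/fusionpbx/config.php` instead of committing one to the script. The archive bundles `/etc/fusionpbx` (database password) and `/etc/freeswitch` (SIP and CDR credentials) and is created under the default umask, so add `umask 077` at the top or `chmod 600` the `.tgz` and the `.sql` dump after they are written. The two `find` calls pass an unquoted glob as the starting path, which the shell expands before `find` runs and which errors out on the first run when no backup exists yet; `find /var/backups/fusionpbx/postgresql -name 'fusionpbx_pgsql*' -mtime +4 -delete` avoids both problems.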
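Review bot: `error` writes to stdout exactly like `verbose` and `warning`, so any caller that captures or redirects stdout loses the failure message; `echo "${red}$1${normal}" >&2` would keep diagnostics on stderr where the other scripts' `exit 1`/`exit 3` paths expect them to be seen. The closing brace of `error` is indented one level unlike its two siblings, and `test $ncolors -ge 8` leaves `$ncolors` unquoted while the preceding `test -n "$ncolors"` quotes it; `test "$ncolors" -ge 8` is the consistent form.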
@@ -0,0 +1,33 @@
+#!/bin/sh
+
+#move to script directory so all relative paths work
+cd "$(dirname "$0")"
+
+. ./colors.sh
+. ./arguments.sh
+
+verbose "Installing Fail2ban"
+#initialize variable encase we are called directly
+#[ -z $USE_FREESWITCH_SOURCE ] && USE_FREESWITCH_SOURCE=false
+
+#add the dependencies
+yum -y install fail2ban
+
+#move the filters
+cp ./fail2ban/freeswitch-dos.conf /etc/fail2ban/filter.d/freeswitch-dos.conf
+cp ./fail2ban/freeswitch-ip.conf /etc/fail2ban/filter.d/freeswitch-ip.conf
+cp ./fail2ban/freeswitch-404.conf /etc/fail2ban/filter.d/freeswitch-404.conf
+cp ./fail2ban/freeswitch.conf /etc/fail2ban/filter.d/freeswitch.conf
+cp ./fail2ban/fusionpbx.conf /etc/fail2ban/filter.d/fusionpbx.conf
+cp ./fail2ban/nginx-404.conf /etc/fail2ban/filter.d/nginx-404.conf
+cp ./fail2ban/nginx-dos.conf /etc/fail2ban/filter.d/nginx-dos.conf
+cp ./fail2ban/jail.local /etc/fail2ban/jail.local
+
+#update config if source is being used
+#if [ $USE_FREESWITCH_SOURCE = true ]; then
+# sed 's#var/log/freeswitch#usr/local/freeswitch/log#g' -i /etc/fail2ban/jail.local
+#fi
+
+systemctl restart fail2ban
+
+verbose "Fail2ban installed"
diff --git a/centos/resources/fail2ban/freeswitch-404.conf b/centos/resources/fail2ban/freeswitch-404.conf
new file mode 100644
index 0000000..ada405c
--- /dev/null
+++ b/centos/resources/fail2ban/freeswitch-404.conf
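Review bot: `systemctl restart fail2ban` is unchecked, so a malformed filter or jail makes fail2ban exit and the installer still prints `Fail2ban installed`, leaving the PBX without the brute-force protection the script claims to have set up; `systemctl restart fail2ban || { error "fail2ban failed to start, check journalctl -u fail2ban"; exit 1; }` followed by `fail2ban-client status` would surface that. The host firewall is managed by firewalld (resources/firewalld.sh) while the jail.local copied here selects `iptables-multiport`/`iptables-allports` actions; fail2ban then inserts its own chains into INPUT behind firewalld's back, and a later `firewall-cmd --reload` presumably discards them, so the `firewallcmd-ipset`/`firewallcmd-multiport` actions are likely the better fit — confirm on a test host. The commented `USE_FREESWITCH_SOURCE` block refers to a variable arguments.sh never sets (the exported name is `USE_SWITCH_SOURCE`); either drop the dead block or align the name so it can be revived correctly.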
@@ -0,0 +1,27 @@ +# Fail2Ban configuration file +# inbound route - 404 not found + + +[Definition] + + +# Option: failregex +# Notes.: regex to match the password failures messages in the logfile. The +# host must be matched by a group named "host". The tag "" can +# be used for standard IP/hostname matching and is only an alias for +# (?:::f{4,6}:)?(?P[\w\-.^_]+) +# Values: TEXT +# +#failregex = [hostname] FusionPBX: \[\] authentication failed +#[hostname] variable doesn't seem to work in every case. Do this instead: +failregex = 404 not found + + +#EXECUTE sofia/external/8888888888888@example.fusionpbx.com log([inbound routes] 404 not found 82.68.115.62) + + +# Option: ignoreregex +# Notes.: regex to ignore. If this regex matches, the line is ignored. +# Values: TEXT +# +ignoreregex = diff --git a/centos/resources/fail2ban/freeswitch-dos.conf b/centos/resources/fail2ban/freeswitch-dos.conf new file mode 100644 index 0000000..3407183 --- /dev/null +++ b/centos/resources/fail2ban/freeswitch-dos.conf @@ -0,0 +1,21 @@ +# Fail2Ban configuration file +# +# Author: soapee01 +# + +[Definition] + +# Option: failregex +# Notes.: regex to match the password failures messages in the logfile. The +# host must be matched by a group named "host". The tag "" can +# be used for standard IP/hostname matching and is only an alias for +# (?:::f{4,6}:)?(?P[\w\-.^_]+) +# Values: TEXT +# +failregex = \[WARNING\] sofia_reg.c:\d+ SIP auth challenge \(REGISTER\) on sofia profile \'\w+\' for \[.*\] from ip + +# Option: ignoreregex +# Notes.: regex to ignore. If this regex matches, the line is ignored. +# Values: TEXT +# +ignoreregex = diff --git a/centos/resources/fail2ban/freeswitch-ip.conf b/centos/resources/fail2ban/freeswitch-ip.conf new file mode 100644 index 0000000..3fee3b6 --- /dev/null +++ b/centos/resources/fail2ban/freeswitch-ip.conf 
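Review bot: `failregex = 404 not found` keyed on the inbound-routes log line bans, via the `iptables-allports` action and `bantime = 86400` in jail.local, any peer that delivers three unrouted calls in 300 s — which is exactly what a legitimate carrier trunk does when a DID is misdialled or an inbound route has not been built yet, so the jail can cut the whole PBX off from its provider for a day. jail.local defines no `ignoreip` in a `[DEFAULT]` section; adding one that lists trunk/provider addresses (and the office NAT addresses, since phones share one public IP) is the usual mitigation, and the same exposure applies to freeswitch-dos (the `SIP auth challenge (REGISTER)` line fires on every normal registration, so a site with many phones can hit `maxretry = 50` in 30 s), nginx-404 and nginx-dos (240 requests in 60 s from one NAT address during provisioning, banned for two days). The host capture token is not visible in this rendering of the filter, so only the surrounding pattern is reviewed here.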
@@ -0,0 +1,20 @@ +# Fail2Ban configuration file +# + +[Definition] + +# Option: failregex +# Notes.: regex to match the password failures messages in the logfile. The +# host must be matched by a group named "host". The tag "" can +# be used for standard IP/hostname matching and is only an alias for +# (?:::f{4,6}:)?(?P[\w\-.^_]+) +# Values: TEXT +# +#2014-12-01 00:47:54.331821 [WARNING] sofia_reg.c:2752 Can't find user [1000@xxx.xxx.xxx.xxx] from 62.210.151.162 +failregex = \[WARNING\] sofia_reg.c:\d+ Can't find user \[.*@\d+.\d+.\d+.\d+\] from + +# Option: ignoreregex +# Notes.: regex to ignore. If this regex matches, the line is ignored. +# Values: TEXT +# +ignoreregex = diff --git a/centos/resources/fail2ban/freeswitch.conf b/centos/resources/fail2ban/freeswitch.conf new file mode 100644 index 0000000..b187b49 --- /dev/null +++ b/centos/resources/fail2ban/freeswitch.conf @@ -0,0 +1,18 @@ +[Definition] + +# Option: failregex +# Notes.: regex to match the password failures messages in the logfile. The +# host must be matched by a group named "host". The tag "" can +# be used for standard IP/hostname matching and is only an alias for +# (?:::f{4,6}:)?(?P[\w\-.^_]+) +# Values: TEXT +# +failregex = \[WARNING\] sofia_reg.c:\d+ SIP auth failure \(REGISTER\) on sofia profile \'\w+\' for \[.*\] from ip + \[WARNING\] sofia_reg.c:\d+ SIP auth failure \(INVITE\) on sofia profile \'\w+\' for \[.*\] from ip + +# Option: ignoreregex +# Notes.: regex to ignore. If this regex matches, the line is ignored. +# Values: TEXT +# +ignoreregex = + diff --git a/centos/resources/fail2ban/fusionpbx.conf b/centos/resources/fail2ban/fusionpbx.conf new file mode 100644 index 0000000..ff1b5c9 --- /dev/null +++ b/centos/resources/fail2ban/fusionpbx.conf 
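Review bot: In `\[.*@\d+.\d+.\d+.\d+\]` the dots between the octets are unescaped, so each matches any character and the pattern accepts strings that are not IP addresses at all; `\[.*@\d+\.\d+\.\d+\.\d+\]` is presumably what was meant, and the example log line above it shows the dotted form. The filter is only referenced by the commented-out `[freeswitch-ip-*]` jails in jail.local, so it is dead configuration today; if it is enabled later with the drafted `maxretry = 1` and `bantime = 86400`, one mistyped extension in a legitimate phone's registration bans that site for a day, which is worth a comment in the filter header.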
@@ -0,0 +1,25 @@ +# Fail2Ban configuration file +# +# Author: soapee01 +# + +[Definition] + +# Option: failregex +# Notes.: regex to match the password failures messages in the logfile. The +# host must be matched by a group named "host". The tag "" can +# be used for standard IP/hostname matching and is only an alias for +# (?:::f{4,6}:)?(?P[\w\-.^_]+) +# Values: TEXT +# +#failregex = [hostname] FusionPBX: \[\] authentication failed +#[hostname] variable doesn't seem to work in every case. Do this instead: +failregex = .* FusionPBX: \[\] authentication failed for + = .* FusionPBX: \[\] provision attempt bad password for + +# Option: ignoreregex +# Notes.: regex to ignore. If this regex matches, the line is ignored. +# Values: TEXT +# +ignoreregex = + diff --git a/centos/resources/fail2ban/jail.local b/centos/resources/fail2ban/jail.local new file mode 100644 index 0000000..40e3fd8 --- /dev/null +++ b/centos/resources/fail2ban/jail.local 
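Review bot: The second `failregex` alternative begins with `= .* FusionPBX: ... provision attempt bad password for`; fail2ban reads an indented continuation line as a further regex verbatim, so the leading `= ` presumably becomes part of the pattern and the provision-attempt line can never match. Drop the `=` so the continuation holds only the pattern, indented under the first. The `[fusionpbx]` jail that would load this filter is commented out in jail.local, so web-login brute forcing against FusionPBX is currently not covered at all, which the file header should state.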
@@ -0,0 +1,113 @@ +[freeswitch-udp] +enabled = true +port = 5060,5061,5080,5081 +protocol = all +filter = freeswitch +logpath = /var/log/freeswitch/freeswitch.log +action = iptables-multiport[name=freeswitch-udp, port="5060,5061,5080,5081", protocol=udp] +maxretry = 5 +findtime = 600 +bantime = 600 +# sendmail-whois[name=FreeSwitch, dest=root, sender=fail2ban@example.org] #no smtp server installed + +[freeswitch-tcp] +enabled = true +port = 5060,5061,5080,5081 +protocol = all +filter = freeswitch +logpath = /var/log/freeswitch/freeswitch.log +action = iptables-multiport[name=freeswitch-tcp, port="5060,5061,5080,5081", protocol=tcp] +maxretry = 5 +findtime = 600 +bantime = 600 +# sendmail-whois[name=FreeSwitch, dest=root, sender=fail2ban@example.org] #no smtp server installed + +#[freeswitch-ip-tcp] +#enabled = true +#port = 5060,5061,5080,5081 +#protocol = all +#filter = freeswitch-ip +#logpath = /var/log/freeswitch/freeswitch.log +#action = iptables-multiport[name=freeswitch-ip-tcp, port="5060,5061,5080,5081", protocol=tcp] +#maxretry = 1 +#findtime = 30 +#bantime = 86400 + +#[freeswitch-ip-udp] +#enabled = true +#port = 5060,5061,5080,5081 +#protocol = all +#filter = freeswitch-ip +#logpath = /var/log/freeswitch/freeswitch.log +#action = iptables-multiport[name=freeswitch-ip-udp, port="5060,5061,5080,5081", protocol=udp] +#maxretry = 1 +#findtime = 30 +#bantime = 86400 + +[freeswitch-dos-udp] +enabled = true +port = 5060,5061,5080,5081 +protocol = all +filter = freeswitch-dos +logpath = /var/log/freeswitch/freeswitch.log +action = iptables-multiport[name=freeswitch-dos-udp, port="5060,5061,5080,5081", protocol=udp] +maxretry = 50 +findtime = 30 +bantime = 6000 + +[freeswitch-dos-tcp] +enabled = true +port = 5060,5061,5080,5081 +protocol = all +filter = freeswitch-dos +logpath = /var/log/freeswitch/freeswitch.log +action = iptables-multiport[name=freeswitch-dos-tcp, port="5060,5061,5080,5081", protocol=tcp] +maxretry = 50 +findtime = 30 +bantime = 6000 + 
+[freeswitch-404] +enabled = true +port = 5060,5061,5080,5081 +protocol = all +filter = freeswitch-404 +logpath = /var/log/freeswitch/freeswitch.log +action = iptables-allports[name=freeswitch-404, protocol=all] +maxretry = 3 +findtime = 300 +bantime = 86400 + +#[fusionpbx] +#enabled = true +#port = 80,443 +#protocol = tcp +#filter = fusionpbx +#logpath = /var/log/auth.log +#action = iptables-multiport[name=fusionpbx, port="http,https", protocol=tcp] +# sendmail-whois[name=fusionpbx, dest=root, sender=fail2ban@example.org] #no smtp server installed +#maxretry = 10 +#findtime = 600 +#bantime = 600 + +[nginx-404] +enabled = true +port = 80,443 +protocol = tcp +filter = nginx-404 +logpath = /var/log/nginx/access*.log +bantime = 600 +findtime = 60 +maxretry = 120 + +[nginx-dos] +# Based on apache-badbots but a simple IP check (any IP requesting more than +# 240 pages in 60 seconds, or 4p/s average, is suspicious) +# Block for two full days. +enabled = true +port = 80,443 +protocol = tcp +filter = nginx-dos +logpath = /var/log/nginx/access*.log +findtime = 60 +bantime = 172800 +maxretry = 240 diff --git a/centos/resources/fail2ban/nginx-404.conf b/centos/resources/fail2ban/nginx-404.conf new file mode 100644 index 0000000..f121f41 --- /dev/null +++ b/centos/resources/fail2ban/nginx-404.conf @@ -0,0 +1,5 @@ +# Fail2Ban configuration file +# +[Definition] +failregex = - - \[.*\] "(GET|POST).*HTTP[^ ]* 404 +ignoreregex = diff --git a/centos/resources/fail2ban/nginx-dos.conf b/centos/resources/fail2ban/nginx-dos.conf new file mode 100644 index 0000000..6e2cd23 --- /dev/null +++ b/centos/resources/fail2ban/nginx-dos.conf @@ -0,0 +1,14 @@ +# Fail2Ban configuration file + +[Definition] +# Option: failregex +# Notes.: Regexp to catch a generic call from an IP address. +# Values: TEXT +# +failregex = ^ -.*"(GET|POST).*HTTP.*"$ + +# Option: ignoreregex +# Notes.: regex to ignore. If this regex matches, the line is ignored. +# Values: TEXT +# +ignoreregex = 
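Review bot: The disabled `[fusionpbx]` jail sets `logpath = /var/log/auth.log`, a Debian path; on CentOS 7 the auth facility is written to `/var/log/secure`, so enabling the jail as written fails on a missing log file and the jail that protects the web login stays off. The `port =` and `protocol = all` keys on the freeswitch jails are overridden by the explicit `protocol=udp`/`protocol=tcp` inside each `action = iptables-multiport[...]`, so only the action's values take effect; a one-line comment saying so would stop a reader from assuming `protocol = all` is what gets banned. The `[nginx-404]` and `[nginx-dos]` jails carry no `action`, so they fall back to the global `banaction`, which differs from the explicit iptables actions used by the SIP jails above — pick one mechanism for the whole file.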
diff --git a/centos/resources/finish.sh b/centos/resources/finish.sh
new file mode 100644
index 0000000..89c58b9
--- /dev/null
+++ b/centos/resources/finish.sh
@@ -0,0 +1,112 @@
+#!/bin/sh
+
+#move to script directory so all relative paths work
+cd "$(dirname "$0")"
+
+#includes
+. ./colors.sh
+. ./arguments.sh
+
+#database details
+database_host=127.0.0.1
+database_port=5432
+database_username=fusionpbx
+database_password=$(dd if=/dev/urandom bs=1 count=20 2>/dev/null | base64 | sed 's/[=\+//]//g')
+
+#allow the script to use the new password
+export PGPASSWORD=$database_password
+
+#update the database password
+sudo -u postgres /usr/pgsql-9.4/bin/psql -c "ALTER USER fusionpbx WITH PASSWORD '$database_password';"
+sudo -u postgres /usr/pgsql-9.4/bin/psql -c "ALTER USER freeswitch WITH PASSWORD '$database_password';"
+
+#add the config.php
+mkdir -p /etc/fusionpbx
+chown -R freeswitch:daemon /etc/fusionpbx
+cp fusionpbx/config.php /etc/fusionpbx
+sed -i /etc/fusionpbx/config.php -e s:'{database_username}:fusionpbx:'
+sed -i /etc/fusionpbx/config.php -e s:"{database_password}:$database_password:"
+
+#add the database schema
+cd /var/www/fusionpbx && php /var/www/fusionpbx/core/upgrade/upgrade_schema.php > /dev/null 2>&1
+
+#get the server hostname
+#domain_name=$(hostname -f)
+
+#get the ip address
+domain_name=$(hostname -I | cut -d ' ' -f1)
+
+#get a domain_uuid
+domain_uuid=$(php /var/www/fusionpbx/resources/uuid.php);
+
+#add the domain name
+psql --host=$database_host --port=$database_port --username=$database_username -c "insert into v_domains (domain_uuid, domain_name, domain_enabled) values('$domain_uuid', '$domain_name', 'true');"
+
+#app defaults
+cd /var/www/fusionpbx && php /var/www/fusionpbx/core/upgrade/upgrade_domains.php
+
+#add the user
+user_uuid=$(/usr/bin/php /var/www/fusionpbx/resources/uuid.php);
+user_salt=$(/usr/bin/php /var/www/fusionpbx/resources/uuid.php);
+user_name=admin
+user_password=$(dd if=/dev/urandom bs=1 count=12 2>/dev/null | base64 | sed 's/[=\+//]//g')
+password_hash=$(php -r "echo md5('$user_salt$user_password');");
+psql --host=$database_host --port=$database_port --username=$database_username -t -c "insert into v_users (user_uuid, domain_uuid, username, password, salt, user_enabled) values('$user_uuid', '$domain_uuid', '$user_name', '$password_hash', '$user_salt', 'true');"
+
+#get the superadmin group_uuid
+group_uuid=$(psql --host=$database_host --port=$database_port --username=$database_username -t -c "select group_uuid from v_groups where group_name = 'superadmin';");
+group_uuid=$(echo $group_uuid | sed 's/^[[:blank:]]*//;s/[[:blank:]]*$//')
+
+#add the user to the group
+group_user_uuid=$(/usr/bin/php /var/www/fusionpbx/resources/uuid.php);
+group_name=superadmin
+psql --host=$database_host --port=$database_port --username=$database_username -c "insert into v_group_users (group_user_uuid, domain_uuid, group_name, group_uuid, user_uuid) values('$group_user_uuid', '$domain_uuid', '$group_name', '$group_uuid', '$user_uuid');"
+
+#update xml_cdr url, user and password
+xml_cdr_username=$(dd if=/dev/urandom bs=1 count=12 2>/dev/null | base64 | sed 's/[=\+//]//g')
+xml_cdr_password=$(dd if=/dev/urandom bs=1 count=12 2>/dev/null | base64 | sed 's/[=\+//]//g')
+sed -i /etc/freeswitch/autoload_configs/xml_cdr.conf.xml -e s:"{v_http_protocol}:http:"
+sed -i /etc/freeswitch/autoload_configs/xml_cdr.conf.xml -e s:"{domain_name}:127.0.0.1:"
+sed -i /etc/freeswitch/autoload_configs/xml_cdr.conf.xml -e s:"{v_project_path}::"
+sed -i /etc/freeswitch/autoload_configs/xml_cdr.conf.xml -e s:"{v_user}:$xml_cdr_username:"
+sed -i /etc/freeswitch/autoload_configs/xml_cdr.conf.xml -e s:"{v_pass}:$xml_cdr_password:"
+
+#app defaults
+cd /var/www/fusionpbx && php /var/www/fusionpbx/core/upgrade/upgrade_domains.php
+
+systemctl daemon-reload
+systemctl mask wpa_supplicant.service
+systemctl stop wpa_supplicant.service
+systemctl enable fail2ban
+systemctl enable ntpd
+systemctl enable php-fpm
+systemctl enable nginx
+systemctl enable freeswitch
+systemctl enable memcached
+systemctl enable postgresql-9.4
+
+#welcome message
+echo ""
+echo ""
+verbose "Installation has completed."
+error "Please note details below and reboot your system"
+echo ""
+echo " Use a web browser to login."
+echo " domain name: https://$domain_name"
+echo " username: $user_name"
+echo " password: $user_password"
+echo ""
+echo " The domain name in the browser is used by default as part of the authentication."
+echo " If you need to login to a different domain then use username@domain."
+echo " username: $user_name@$domain_name";
+echo ""
+echo " Additional information."
+echo " https://fusionpbx.com/support.php"
+echo " https://www.fusionpbx.com"
+echo " http://docs.fusionpbx.com"
+warning "*------------------------------------------*"
+warning "* NOTE: Please save the above information. *"
+warning "* REBOOT YOUR SERVER TO COMPLETE INSTALL. *"
+warning "*------------------------------------------*"
+echo ""
+
diff --git a/centos/resources/firewalld.sh b/centos/resources/firewalld.sh
new file mode 100644
index 0000000..03d71c5
--- /dev/null
+++ b/centos/resources/firewalld.sh
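Review bot: `chown -R freeswitch:daemon /etc/fusionpbx` runs before `cp fusionpbx/config.php /etc/fusionpbx`, so the copied file is root-owned with the default-umask mode (normally 0644), and the database password the next `sed` writes into it is readable by every local account; move the `chown` after the `cp` and add `chmod 640 /etc/fusionpbx/config.php`, with the group set to whatever user php-fpm runs as (php.sh is not in view here, so confirm). The new database password is also handed to `psql -c "ALTER USER ... WITH PASSWORD '...'"` on the command line, where it is visible in `ps` to any local user for the life of the call; feeding the statement on stdin, `printf "ALTER USER fusionpbx WITH PASSWORD '%s';\n" "$database_password" | sudo -u postgres /usr/pgsql-9.4/bin/psql`, keeps it out of argv, and the same applies to `php -r "echo md5('$user_salt$user_password');"`. That `md5(salt.password)` form is presumably dictated by the application's login code; a comment saying so would stop the next reader from "fixing" it to a hash FusionPBX cannot verify. `domain_name=$(hostname -I | cut -d ' ' -f1)` takes the first address of possibly several, so on a multi-homed host the FusionPBX domain and the printed login URL may be an internal interface — worth a comment or a check that the value is non-empty before it is inserted into `v_domains`.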
@@ -0,0 +1,33 @@
+#!/bin/sh
+
+#move to script directory so all relative paths work
+cd "$(dirname "$0")"
+
+. ./colors.sh
+. ./arguments.sh
+
+verbose "Configuring FirewallD"
+#ssh should be on by default
+
+firewall-cmd --permanent --zone=public --add-service={http,https}
+firewall-cmd --permanent --zone=public --add-port={5060,5061,5080,5081}/udp
+firewall-cmd --permanent --zone=public --add-port={5060,5061,5080,5081}/tcp
+firewall-cmd --permanent --zone=public --add-port=16384-32768/udp
+
+firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p udp --dport 5060:5061 -m string --string "friendly-scanner" --algo bm -j DROP
+firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p udp --dport 5060:5061 -m string --string "sipcli/" --algo bm -j DROP
+firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p udp --dport 5060:5061 -m string --string "VaxSIPUserAgent/" --algo bm -j DROP
+firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 5060:5061 -m string --string "friendly-scanner" --algo bm -j DROP
+firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 5060:5061 -m string --string "sipcli/" --algo bm -j DROP
+firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 5060:5061 -m string --string "VaxSIPUserAgent/" --algo bm -j DROP
+firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p udp --dport 5080:5081 -m string --string "friendly-scanner" --algo bm -j DROP
+firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p udp --dport 5080:5081 -m string --string "sipcli/" --algo bm -j DROP
+firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p udp --dport 5080:5081 -m string --string "VaxSIPUserAgent/" --algo bm -j DROP
+firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 5080:5081 -m string --string "friendly-scanner" --algo bm -j DROP
+firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 5080:5081 -m string --string "sipcli/" --algo bm -j DROP
+firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 5080:5081 -m string --string "VaxSIPUserAgent/" --algo bm -j DROP
+firewall-cmd --add-service openvpn
+firewall-cmd --permanent --add-service openvpn
+firewall-cmd --reload
+
+verbose "FirewallD configured"
diff --git a/centos/resources/fusionpbx.sh b/centos/resources/fusionpbx.sh
new file mode 100644
index 0000000..5add3b0
--- /dev/null
+++ b/centos/resources/fusionpbx.sh
@@ -0,0 +1,39 @@
+#!/bin/sh
+
+#move to script directory so all relative paths work
+cd "$(dirname "$0")"
+
+. ./colors.sh
+. ./arguments.sh
+
+verbose "Installing FusionPBX"
+
+yum -y install git
+yum -y install ghostscript libtiff-devel libtiff-tools
+
+IRONTEC="[irontec]
+name=Irontec RPMs repository
+baseurl=http://packages.irontec.com/centos/$releasever/$basearch/"
+echo "${IRONTEC}" > /etc/yum.repos.d/irontec.repo
+rpm --import http://packages.irontec.com/public.key
+yum -y install sngrep
+
+wget https://forensics.cert.org/cert-forensics-tools-release-el7.rpm
+rpm -Uvh cert-forensics-tools-release*rpm
+yum -y --enablerepo=forensics install lame
+
+if [ $USE_SYSTEM_MASTER = true ]; then
+ verbose "Using master"
+ BRANCH=""
+else
+ FUSION_MAJOR=$(git ls-remote --heads https://github.com/fusionpbx/fusionpbx.git | cut -d/ -f 3 | grep -P '^\d+\.\d+' | sort | tail -n 1 | cut -d. -f1)
+ FUSION_MINOR=$(git ls-remote --tags https://github.com/fusionpbx/fusionpbx.git $FUSION_MAJOR.* | cut -d/ -f3 | grep -P '^\d+\.\d+' | sort | tail -n 1 | cut -d. -f2)
+ FUSION_VERSION=$FUSION_MAJOR.$FUSION_MINOR
+ verbose "Using version $FUSION_VERSION"
+ BRANCH="-b $FUSION_VERSION"
+fi
+
+#get the source code
+git clone $BRANCH https://github.com/fusionpbx/fusionpbx.git /var/www/fusionpbx
+
+verbose "FusionPBX Installed"
\ No newline at end of file
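Review bot: `firewall-cmd --add-service openvpn` and its `--permanent` twin open the OpenVPN service port although nothing in this patch installs or configures OpenVPN, so every host built by the installer ends up with an unrelated port exposed; drop the two lines or gate them behind an explicit option in arguments.sh. The `{http,https}` and `{5060,5061,5080,5081}` brace expansions are a bash extension used under `#!/bin/sh`; on CentOS `/bin/sh` is bash so they happen to work, but a POSIX shell would pass the literal braces to firewall-cmd — list the services/ports explicitly or change the shebang to bash. None of the `firewall-cmd` calls is checked and the script never confirms firewalld is installed and running, so a rejected rule is only noticed, if at all, when the final `--reload` still reports success; `firewall-cmd --state >/dev/null || { error "firewalld is not running"; exit 1; }` before the first rule would surface that early.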
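Review bot: `IRONTEC="...baseurl=http://packages.irontec.com/centos/$releasever/$basearch/"` is a double-quoted shell string, so `$releasever` and `$basearch` are expanded by the shell (to empty unless the environment happens to define them) rather than left for yum, and the repo file is written with `baseurl=http://packages.irontec.com/centos///`; escape them as `\$releasever/\$basearch` or single-quote the block. The repo stanza sets no `gpgcheck=1`/`gpgkey=`, and its signing key is imported with `rpm --import http://packages.irontec.com/public.key` over plain HTTP, so the trust anchor itself arrives unauthenticated — fetch it over TLS if the vendor offers it, or ship the key under `resources/` and import the local copy. `rpm -Uvh cert-forensics-tools-release*rpm` installs whatever matching file sits in the working directory, and rpm only warns when a package is signed by a key it does not know, so import the CERT key (or verify a pinned checksum of the download) before the `rpm -Uvh`. `git clone $BRANCH ...` is deliberately unquoted so an empty `BRANCH` disappears; a comment saying so would keep a well-meant quoting fix from breaking the master path.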
diff --git a/centos/resources/fusionpbx/config.php b/centos/resources/fusionpbx/config.php new file mode 100644 index 0000000..1b662a5 --- /dev/null +++ b/centos/resources/fusionpbx/config.php @@ -0,0 +1,45 @@ + + Portions created by the Initial Developer are Copyright (C) 2008-2016 + the Initial Developer. All Rights Reserved. + + Contributor(s): + Mark J Crane +*/ + +//set the database type + $db_type = 'pgsql'; //sqlite, mysql, pgsql, others with a manually created PDO connection + +//sqlite: the db_name and db_path are automatically assigned however the values can be overidden by setting the values here. + //$db_name = 'fusionpbx.db'; //host name/ip address + '.db' is the default database filename + //$db_path = '/var/www/fusionpbx/secure'; //the path is determined by a php variable + +//pgsql: database connection information + $db_host = 'localhost'; //set the host only if the database is not local + $db_port = '5432'; + $db_name = 'fusionpbx'; + $db_username = '{database_username}'; + $db_password = '{database_password}'; + +//show errors + ini_set('display_errors', '1'); + //error_reporting (E_ALL); // Report everything + error_reporting (E_ALL ^ E_NOTICE); // hide notices + //error_reporting(E_ALL ^ E_NOTICE ^ E_WARNING ); //hide notices and warnings diff --git a/centos/resources/nginx.sh b/centos/resources/nginx.sh new file mode 100644 index 0000000..c118a9c --- /dev/null +++ b/centos/resources/nginx.sh 
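Review bot: `ini_set('display_errors', '1');` combined with `error_reporting (E_ALL ^ E_NOTICE);` sends PHP warnings — file paths and message text — to the browser of whoever triggered them on a production PBX; the template the installer ships should set `ini_set('display_errors', '0');` and leave errors to the server log, with the `'1'` reserved for a development copy. `$db_host = 'localhost'` here while finish.sh connects with `--host=127.0.0.1`; on CentOS 7 `localhost` may resolve to `::1` as well as `127.0.0.1`, which can match a different pg_hba.conf rule than the installer tested, so either use `127.0.0.1` in both places or confirm postgres.sh (not in view) allows both. The `{database_username}`/`{database_password}` placeholders are replaced by finish.sh with `sed` using `:` as the delimiter, which is safe only because the generated password is stripped to a base64 subset; a comment on these two lines stating that constraint would prevent a future change to the password format from silently breaking the substitution.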
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+#move to script directory so all relative paths work
+cd "$(dirname "$0")"
+
+. ./colors.sh
+. ./arguments.sh
+
+verbose "Installing nginx"
+
+#install dependencies
+yum -y install nginx php-fpm php-gd php-pgsql php-odbc php-curl php-imap php-mcrypt php-opcache php-common php-pdo php-soap php-xml php-xmlrpc php-cli
+
+#setup nginx
+mkdir -p /etc/nginx/sites-available
+mkdir -p /etc/nginx/sites-enabled
+
+#enable fusionpbx nginx config
+cp ./nginx/fusionpbx /etc/nginx/sites-available/fusionpbx.conf
+ln -s /etc/nginx/sites-available/fusionpbx.conf /etc/nginx/sites-enabled/fusionpbx.conf
+
+awk '/server *{/ {c=1 ; next} c && /{/{c++} c && /}/{c--;next} !c' /etc/nginx/nginx.conf > /etc/nginx/nginx.tmp && mv -f /etc/nginx/nginx.tmp /etc/nginx/nginx.conf && rm -f /etc/nginx/nginx.tmp
+sed -i '/include \/etc\/nginx\/conf\.d\/\*\.conf\;/a \ include \/etc\/nginx\/sites-enabled\/\*\.conf\;' /etc/nginx/nginx.conf
+
+verbose "nginx installed"
\ No newline at end of file
diff --git a/centos/resources/nginx/fusionpbx b/centos/resources/nginx/fusionpbx
new file mode 100644
index 0000000..11d0f18
--- /dev/null
+++ b/centos/resources/nginx/fusionpbx
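Review bot: The `awk` one-liner strips every `server {` block out of the stock `/etc/nginx/nginx.conf` by counting braces, and because it writes the result straight back with `mv -f` a miscount (a `}` inside a quoted string or comment in that block) produces a truncated config that is only discovered when install.sh restarts nginx; keep a copy first with `cp -n /etc/nginx/nginx.conf /etc/nginx/nginx.conf.orig` and run `nginx -t || { error "nginx.conf rewrite failed"; exit 1; }` after the `sed`. `ln -s ... /etc/nginx/sites-enabled/fusionpbx.conf` returns non-zero on a re-run because the link already exists and, with no `set -e`, the script silently carries on; `ln -sf` makes the step idempotent. The trailing `rm -f /etc/nginx/nginx.tmp` is a no-op after the `mv -f`, and the `a \ include ...` sed form inserts the line with a single leading space rather than the file's indentation — cosmetic, but both read as leftovers.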
@@ -0,0 +1,196 @@
+
+server{
+ listen 127.0.0.1:80;
+ server_name 127.0.0.1;
+ access_log /var/log/nginx/access.log;
+ error_log /var/log/nginx/error.log;
+
+ client_max_body_size 80M;
+ client_body_buffer_size 128k;
+
+ location / {
+ root /var/www/fusionpbx;
+ index index.php;
+ }
+
+ location ~ \.php$ {
+ fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
+ #fastcgi_pass 127.0.0.1:9000;
+ fastcgi_index index.php;
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME /var/www/fusionpbx$fastcgi_script_name;
+ }
+
+ # Disable viewing .htaccess & .htpassword & .db
+ location ~ .htaccess {
+ deny all;
+ }
+ location ~ .htpassword {
+ deny all;
+ }
+ location ~^.+.(db)$ {
+ deny all;
+ }
+}
+
+server {
+ listen 80;
+ server_name fusionpbx;
+ if ($uri !~* ^.*provision.*$) {
+ rewrite ^(.*) https://$host$1 permanent;
+ break;
+ }
+
+ #REST api
+ if ($uri ~* ^.*/api/.*$) {
+ rewrite ^(.*)/api/(.*)$ $1/api/index.php?rewrite_uri=$2 last;
+ break;
+ }
+
+ #algo
+ rewrite "^.*/provision/algom([A-Fa-f0-9]{12})(\.(conf))?$" /app/provision/?mac=$1;
+
+ #mitel
+ rewrite "^.*/provision/MN_([A-Fa-f0-9]{12})\.cfg" /app/provision/index.php?mac=$1&file=MN_%7b%24mac%7d.cfg last;
+ rewrite "^.*/provision/MN_Generic.cfg" /app/provision/index.php?mac=08000f000000&file=MN_Generic.cfg last;
+
+ #grandstream
+ rewrite "^.*/provision/cfg([A-Fa-f0-9]{12})(\.(xml|cfg))?$" /app/provision/?mac=$1;
+
+ #aastra
+ rewrite "^.*/provision/aastra.cfg$" /app/provision/?mac=$1&file=aastra.cfg;
+ #rewrite "^.*/provision/([A-Fa-f0-9]{12})(\.(cfg))?$" /app/provision/?mac=$1 last;
+
+ #yealink common
+ rewrite "^.*/provision/(y[0-9]{12})(\.cfg)?$" /app/provision/index.php?file=$1.cfg;
+
+ #yealink mac
+ rewrite "^.*/provision/([A-Fa-f0-9]{12})(\.(xml|cfg))?$" /app/provision/index.php?mac=$1 last;
+
+ #polycom
+ rewrite "^.*/provision/000000000000.cfg$" "/app/provision/?mac=$1&file={%24mac}.cfg";
+ #rewrite "^.*/provision/sip_330(\.(ld))$" /includes/firmware/sip_330.$2;
+ rewrite "^.*/provision/features.cfg$" /app/provision/?mac=$1&file=features.cfg;
+ rewrite "^.*/provision/([A-Fa-f0-9]{12})-sip.cfg$" /app/provision/?mac=$1&file=sip.cfg;
+ rewrite "^.*/provision/([A-Fa-f0-9]{12})-phone.cfg$" /app/provision/?mac=$1;
+ rewrite "^.*/provision/([A-Fa-f0-9]{12})-registration.cfg$" "/app/provision/?mac=$1&file={%24mac}-registration.cfg";
+ rewrite "^.*/provision/([A-Fa-f0-9]{12})-directory.xml$" "/app/provision/?mac=$1&file={%24mac}-directory.xml";
+
+ #cisco
+ rewrite "^.*/provision/file/(.*\.(xml|cfg))" /app/provision/?file=$1 last;
+
+ #Escene
+ rewrite "^.*/provision/([0-9]{1,11})_Extern.xml$" "/app/provision/?ext=$1&file={%24mac}_extern.xml" last;
+ rewrite "^.*/provision/([0-9]{1,11})_Phonebook.xml$" "/app/provision/?ext=$1&file={%24mac}_phonebook.xml" last;
+
+ access_log /var/log/nginx/access.log;
+ error_log /var/log/nginx/error.log;
+
+ client_max_body_size 80M;
+ client_body_buffer_size 128k;
+
+ location / {
+ root /var/www/fusionpbx;
+ index index.php;
+ }
+
+ location ~ \.php$ {
+ fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
+ #fastcgi_pass 127.0.0.1:9000;
+ fastcgi_index index.php;
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME /var/www/fusionpbx$fastcgi_script_name;
+ }
+
+ # Disable viewing .htaccess & .htpassword & .db
+ location ~ .htaccess {
+ deny all;
+ }
+ location ~ .htpassword {
+ deny all;
+ }
+ location ~^.+.(db)$ {
+ deny all;
+ }
+}
+
+server {
+ listen 443;
+ server_name fusionpbx;
+ ssl on;
+ ssl_certificate /etc/ssl/certs/nginx.crt;
+ ssl_certificate_key /etc/ssl/private/nginx.key;
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers HIGH:!ADH:!MD5:!aNULL;
+
+ #REST api
+ if ($uri ~* ^.*/api/.*$) {
+ rewrite ^(.*)/api/(.*)$ $1/api/index.php?rewrite_uri=$2 last;
+ break;
+ }
+
+ #algo
+ rewrite "^.*/provision/algom([A-Fa-f0-9]{12})(\.(conf))?$" /app/provision/?mac=$1;
+
+ #mitel
+ rewrite "^.*/provision/MN_([A-Fa-f0-9]{12})\.cfg" /app/provision/index.php?mac=$1&file=MN_%7b%24mac%7d.cfg last;
+ rewrite "^.*/provision/MN_Generic.cfg" /app/provision/index.php?mac=08000f000000&file=MN_Generic.cfg last;
+
+ #grandstriam
+ rewrite "^.*/provision/cfg([A-Fa-f0-9]{12})(\.(xml|cfg))?$" /app/provision/?mac=$1;
+
+ #aastra
+ rewrite "^.*/provision/aastra.cfg$" /app/provision/?mac=$1&file=aastra.cfg;
+ #rewrite "^.*/provision/([A-Fa-f0-9]{12})(\.(cfg))?$" /app/provision/?mac=$1 last;
+
+ #yealink common
+ rewrite "^.*/provision/(y[0-9]{12})(\.cfg)?$" /app/provision/index.php?file=$1.cfg;
+
+ #yealink mac
+ rewrite "^.*/provision/([A-Fa-f0-9]{12})(\.(xml|cfg))?$" /app/provision/index.php?mac=$1 last;
+
+ #polycom
+ rewrite "^.*/provision/000000000000.cfg$" "/app/provision/?mac=$1&file={%24mac}.cfg";
+ #rewrite "^.*/provision/sip_330(\.(ld))$" /includes/firmware/sip_330.$2;
+ rewrite "^.*/provision/features.cfg$" /app/provision/?mac=$1&file=features.cfg;
+ rewrite "^.*/provision/([A-Fa-f0-9]{12})-sip.cfg$" /app/provision/?mac=$1&file=sip.cfg;
+ rewrite "^.*/provision/([A-Fa-f0-9]{12})-phone.cfg$" /app/provision/?mac=$1;
+ rewrite "^.*/provision/([A-Fa-f0-9]{12})-registration.cfg$" "/app/provision/?mac=$1&file={%24mac}-registration.cfg";
+
+ #cisco
+ rewrite "^.*/provision/file/(.*\.(xml|cfg))" /app/provision/?file=$1 last;
+
+ #Escene
+ rewrite "^.*/provision/([0-9]{1,11})_Extern.xml$" "/app/provision/?ext=$1&file={%24mac}_extern.xml" last;
+ rewrite "^.*/provision/([0-9]{1,11})_Phonebook.xml$" "/app/provision/?ext=$1&file={%24mac}_phonebook.xml" last;
+
+ access_log /var/log/nginx/access.log;
+ error_log /var/log/nginx/error.log;
+
+ client_max_body_size 80M;
+ client_body_buffer_size 128k;
+
+ location / {
+ root /var/www/fusionpbx;
+ index index.php;
+ }
+
+ location ~ \.php$ {
+ fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
+ #fastcgi_pass 127.0.0.1:9000;
+ fastcgi_index index.php;
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME /var/www/fusionpbx$fastcgi_script_name;
+ }
+
+ # Disable viewing .htaccess & .htpassword & .db
+ location ~ .htaccess {
+ deny all;
+ }
+ location ~ .htpassword {
+ deny all;
+ }
+ location ~^.+.(db)$ {
+ deny all;
+ }
+}
diff --git a/centos/resources/php.sh b/centos/resources/php.sh
new file mode 100644
index 0000000..a5e11b7
--- /dev/null
+++ b/centos/resources/php.sh
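Review bot: The `.htpassword` deny rule in each of the three `# Disable viewing` sections does not match the conventional `.htpasswd` name, and `~ .htaccess` / `~^.+.(db)$` leave the dot unescaped and unanchored, so they match unrelated URIs while missing the file they are named after; `location ~ /\.ht { deny all; }` covers both dotfiles and `location ~ \.db$ { deny all; }` is the precise form of the database rule. In the 443 server, `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` still enables the two deprecated protocol versions; `ssl_protocols TLSv1.2;` together with `ssl_prefer_server_ciphers on;` is the safer baseline for an endpoint that serves phone credentials. The 443 block also lacks the Polycom `…-directory.xml` rewrite that the port-80 block carries, so that file is only reachable over plain HTTP — presumably an oversight rather than intent.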
@@ -0,0 +1,42 @@
+#!/bin/sh
+
+#move to script directory so all relative paths work
+cd "$(dirname "$0")"
+
+. ./colors.sh
+. ./arguments.sh
+
+verbose "Configuring php/nginx/php-fpm and permissions"
+
+TIMEZ=$(timedatectl | grep 'Time zone' | awk '{ print $3 }')
+
+sed -i 's/user nginx/user freeswitch daemon/g' /etc/nginx/nginx.conf
+chown -Rf freeswitch:daemon /var/lib/nginx
+sed -ie "s#;date.timezone =#date.timezone = $TIMEZ#g" /etc/php.ini
+sed -ie 's/;cgi.fix_pathinfo=1/cgi.fix_pathinfo=0/g' /etc/php.ini
+sed -ie "s|listen = 127.0.0.1:9000|listen = /var/run/php-fpm/php-fpm.sock|g" /etc/php-fpm.d/www.conf
+sed -ie 's/;listen.owner = nobody/listen.owner = nobody/g' /etc/php-fpm.d/www.conf
+sed -ie 's/;listen.group = nobody/listen.group = nobody/g' /etc/php-fpm.d/www.conf
+sed -ie 's/user = apache/user = freeswitch/g' /etc/php-fpm.d/www.conf
+sed -ie 's/group = apache/group = daemon/g' /etc/php-fpm.d/www.conf
+mkdir -p /var/lib/php/session
+chown -R freeswitch:daemon /var/lib/php/session
+chmod -Rf 700 /var/lib/php/session
+
+#update config if source is being used
+#sed -ie 's/post_max_size = .*/post_max_size = 80M/g' /etc/php.ini
+#sed -ie 's/upload_max_filesize = .*/upload_max_filesize = 80M/g' /etc/php.ini
+
+chown -R freeswitch.daemon /etc/freeswitch /var/lib/freeswitch /var/log/freeswitch /usr/share/freeswitch /var/www/fusionpbx
+find /etc/freeswitch -type d -exec chmod 770 {} \;
+find /var/lib/freeswitch -type d -exec chmod 770 {} \;
+find /var/log/freeswitch -type d -exec chmod 770 {} \;
+find /usr/share/freeswitch -type d -exec chmod 770 {} \;
+find /var/www/fusionpbx -type d -exec chmod 770 {} \;
+find /etc/freeswitch -type f -exec chmod 664 {} \;
+find /var/lib/freeswitch -type f -exec chmod 664 {} \;
+find /var/log/freeswitch -type f -exec chmod 664 {} \;
+find /usr/share/freeswitch -type f -exec chmod 664 {} \;
+find /var/www/fusionpbx -type f -exec chmod 664 {} \;
+
+verbose "php/nginx/php-fpm and permissions configured"
\ No newline at end of file
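Review bot: The `sed -ie` invocations are GNU `sed -i` with backup suffix `e`, so every run leaves `/etc/php.inie` and `/etc/php-fpm.d/www.confe` behind; `sed -i` is what is meant, as the nginx.conf line above already uses. `TIMEZ` is used unchecked — if the `timedatectl` output format differs, the script writes `date.timezone = ` with an empty value into php.ini — so `[ -n "$TIMEZ" ] || TIMEZ=UTC` before that `sed` gives a safe fallback. The socket is given `listen.owner = nobody` / `listen.group = nobody` while nginx is switched to `freeswitch daemon` two lines earlier; whether nginx can then open the socket depends on the php-fpm build's default `listen.mode`, so writing `listen.owner = freeswitch` and `listen.group = daemon` explicitly removes the doubt.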
diff --git a/centos/resources/postgres.sh b/centos/resources/postgres.sh
new file mode 100644
index 0000000..9efe53a
--- /dev/null
+++ b/centos/resources/postgres.sh
@@ -0,0 +1,44 @@
+#!/bin/sh
+
+#move to script directory so all relative paths work
+cd "$(dirname "$0")"
+
+. ./colors.sh
+. ./arguments.sh
+
+#send a message
+verbose "Installing PostgreSQL 9.4"
+
+#generate a random password
+password=$(dd if=/dev/urandom bs=1 count=20 2>/dev/null | base64)
+
+#included in the distribution
+rpm -ivh --quiet http://yum.postgresql.org/9.4/redhat/rhel-7-x86_64/pgdg-centos94-9.4-3.noarch.rpm
+yum -y update
+yum -y install postgresql94-server postgresql94-contrib postgresql94
+
+verbose "Initalize PostgreSQL database"
+/usr/pgsql-9.4/bin/postgresql94-setup initdb
+
+sed -i 's/\(host *all *all *127.0.0.1\/32 *\)ident/\1md5/' /var/lib/pgsql/9.4/data/pg_hba.conf
+sed -i 's/\(host *all *all *::1\/128 *\)ident/\1md5/' /var/lib/pgsql/9.4/data/pg_hba.conf
+
+#systemd
+systemctl daemon-reload
+systemctl restart postgresql-9.4
+
+#move to /tmp to prevent a red herring error when running sudo with psql
+cwd=$(pwd)
+cd /tmp
+#add the databases, users and grant permissions to them
+sudo -u postgres /usr/pgsql-9.4/bin/psql -c "CREATE DATABASE fusionpbx";
+sudo -u postgres /usr/pgsql-9.4/bin/psql -c "CREATE DATABASE freeswitch";
+sudo -u postgres /usr/pgsql-9.4/bin/psql -c "CREATE ROLE fusionpbx WITH SUPERUSER LOGIN PASSWORD '$password';"
+sudo -u postgres /usr/pgsql-9.4/bin/psql -c "CREATE ROLE freeswitch WITH SUPERUSER LOGIN PASSWORD '$password';"
+sudo -u postgres /usr/pgsql-9.4/bin/psql -c "GRANT ALL PRIVILEGES ON DATABASE fusionpbx to fusionpbx;"
+sudo -u postgres /usr/pgsql-9.4/bin/psql -c "GRANT ALL PRIVILEGES ON DATABASE freeswitch to fusionpbx;"
+sudo -u postgres /usr/pgsql-9.4/bin/psql -c "GRANT ALL PRIVILEGES ON DATABASE freeswitch to freeswitch;"
+#ALTER USER fusionpbx WITH PASSWORD 'newpassword';
+cd $cwd
+
+verbose "PostgreSQL 9.4 installed"
\ No newline at end of file
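Review bot: Both roles are created `WITH SUPERUSER`, which makes the three `GRANT ALL PRIVILEGES` statements that follow redundant and hands the web application and FreeSWITCH full control of the cluster; `CREATE ROLE fusionpbx WITH LOGIN PASSWORD '$password';` (and likewise for `freeswitch`) keeps the grants meaningful. The generated password is passed inside `-c "…"`, so it is visible in the process list for the duration of each `psql` call; feeding the statement on stdin (`printf '%s\n' "…" | sudo -u postgres /usr/pgsql-9.4/bin/psql`) avoids that, and one password shared by two roles means either credential exposes both databases. The repository RPM is fetched over plain `http://` by `rpm -ivh`; an `https://` URL and an imported PGDG key beforehand make the signature check meaningful. `cd $cwd` at the end should be quoted (`cd "$cwd"`) to match the `cd` at the top of the script.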
diff --git a/centos/resources/sslcert.sh b/centos/resources/sslcert.sh
new file mode 100644
index 0000000..3c6ab92
--- /dev/null
+++ b/centos/resources/sslcert.sh
@@ -0,0 +1,22 @@
+# no default SSL in centos, generate a tmp certificate
+# ssl_certificate /etc/ssl/certs/nginx.crt;
+# ssl_certificate_key /etc/ssl/private/nginx.key;
+
+DOMAIN=$(hostname)
+SSL_DIR="/etc/ssl"
+
+SUBJ="
+C=US
+ST=Idaho
+O=FusionPBX
+localityName=Boise
+commonName=$DOMAIN
+organizationUnitName=
+emailAddress=
+"
+
+mkdir -p $SSL_DIR/private && mkdir -p $SSL_DIR/certs
+chmod 700 $SSL_DIR/private
+
+openssl req -x509 -nodes -subj "$(echo -n "$SUBJ" | tr "\n" "/")" -days 365 -newkey rsa:2048 -keyout "$SSL_DIR/private/nginx.key" -out "$SSL_DIR/certs/nginx.crt"
+
diff --git a/centos/resources/switch/conf-copy.sh b/centos/resources/switch/conf-copy.sh
new file mode 100644
index 0000000..8d910a8
--- /dev/null
+++ b/centos/resources/switch/conf-copy.sh
@@ -0,0 +1,3 @@
+mv /etc/freeswitch /etc/freeswitch.orig
+mkdir /etc/freeswitch
+cp -R /var/www/fusionpbx/resources/templates/conf/* /etc/freeswitch
diff --git a/centos/resources/switch/package-permissions.sh b/centos/resources/switch/package-permissions.sh
new file mode 100644
index 0000000..87d81a9
--- /dev/null
+++ b/centos/resources/switch/package-permissions.sh
@@ -0,0 +1,6 @@
+#default permissions
+chown -R freeswitch:daemon /etc/freeswitch
+chown -R freeswitch:daemon /var/lib/freeswitch
+chown -R freeswitch:daemon /usr/share/freeswitch
+chown -R freeswitch:daemon /var/log/freeswitch
+chown -R freeswitch:daemon /var/run/freeswitch
diff --git a/centos/resources/switch/package-release.sh b/centos/resources/switch/package-release.sh
new file mode 100644
index 0000000..e4009d6
--- /dev/null
+++ b/centos/resources/switch/package-release.sh
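Review bot: The `-subj` value is built by joining `$SUBJ` with `/`, which yields a trailing `/`, two attributes with empty values, and `organizationUnitName`, which is not an OpenSSL attribute name (`organizationalUnitName`, short form `OU`, is); as far as I know OpenSSL skips such entries with a warning rather than failing, so the subject silently loses those fields — a literal `-subj "/C=US/ST=Idaho/O=FusionPBX/L=Boise/CN=$DOMAIN"` is shorter and portable. The file has no shebang and relies on `echo -n`, which `/bin/sh` is not required to honour; `printf '%s' "$SUBJ"` does the same portably. The private key is written with whatever umask the installer runs under, so an explicit `chmod 600 "$SSL_DIR/private/nginx.key"` after the `openssl` call is worth adding even though the directory is already `700`.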
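Review bot: `mv /etc/freeswitch /etc/freeswitch.orig` misbehaves on a second run: once `freeswitch.orig` exists, the live configuration is moved inside it as `/etc/freeswitch.orig/freeswitch` and the original backup is no longer what its name suggests. A guard such as `[ -e /etc/freeswitch.orig ] || mv /etc/freeswitch /etc/freeswitch.orig` keeps the first backup intact. The file also has no shebang; if it is meant to be executed rather than sourced, `#!/bin/sh` should be its first line.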
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+#move to script directory so all relative paths work
+cd "$(dirname "$0")"
+
+. ../colors.sh
+. ../arguments.sh
+
+verbose "Installing FreeSWITCH"
+
+yum -y install memcached curl gdb
+yum install -y http://files.freeswitch.org/freeswitch-release-1-6.noarch.rpm
+yum install -y freeswitch-config-vanilla freeswitch-lang-* freeswitch-sounds-* freeswitch-lua freeswitch-xml-cdr
+
+##remove the music package to protect music on hold from package updates
+mkdir -p /usr/share/freeswitch/sounds/temp
+mv /usr/share/freeswitch/sounds/music/*000 /usr/share/freeswitch/sounds/temp
+yum -y remove freeswitch-sounds-music
+mkdir -p /usr/share/freeswitch/sounds/music/default
+mv /usr/share/freeswitch/sounds/temp/* /usr/share/freeswitch/sounds/music/default
+rm -R /usr/share/freeswitch/sounds/temp
+
+verbose "FreeSWITCH installed"
+
diff --git a/centos/resources/switch/package-systemd.sh b/centos/resources/switch/package-systemd.sh
new file mode 100644
index 0000000..2fb8467
--- /dev/null
+++ b/centos/resources/switch/package-systemd.sh
@@ -0,0 +1,3 @@
+rm -f /lib/systemd/system/freeswitch.service
+cp "$(dirname $0)/source/freeswitch.service.package" /lib/systemd/system/freeswitch.service
+cp "$(dirname $0)/source/etc.default.freeswitch" /etc/sysconfig/freeswitch
\ No newline at end of file
diff --git a/centos/resources/switch/source/etc.default.freeswitch b/centos/resources/switch/source/etc.default.freeswitch
new file mode 100644
index 0000000..9bbc276
--- /dev/null
+++ b/centos/resources/switch/source/etc.default.freeswitch
@@ -0,0 +1,4 @@
+# /etc/default/freeswitch
+FS_USER="freeswitch"
+FS_GROUP="daemon"
+DAEMON_OPTS="-nonat -ncwait -u freeswitch -g daemon -run /var/run/freeswitch"
diff --git a/centos/resources/switch/source/freeswitch.service.package b/centos/resources/switch/source/freeswitch.service.package
new file mode 100644
index 0000000..5ed8ab5
--- /dev/null
+++ b/centos/resources/switch/source/freeswitch.service.package
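Review bot: The FreeSWITCH release RPM is fetched over plain `http://` by `yum install -y <url>` with no prior import of the vendor signing key; whether yum verifies a URL-installed package at all depends on its `localpkg_gpgcheck` setting, which I believe defaults to off, so an unauthenticated download decides which repository definition and key get installed. Importing the vendor key first and using an `https://` URL makes the later package checks meaningful. The unquoted `freeswitch-lang-*` / `freeswitch-sounds-*` are expanded by the shell before yum sees them whenever something in the current directory happens to match, so quoting them (`'freeswitch-lang-*'`) is safer, and `cd "$(dirname "$0")" || exit 1` would stop the `yum`/`mv` steps from running when the directory change fails.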
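Review bot: The environment file is copied to `/etc/sysconfig/freeswitch`, but the unit installed by the line above reads `EnvironmentFile=-/etc/default/freeswitch` (the `.source` unit does the same), and the leading `-` makes the missing file a silent no-op — `DAEMON_OPTS` therefore always stays at the unit's built-in `-nonat`. Either copy to `/etc/default/freeswitch` or change the unit's line to `EnvironmentFile=-/etc/sysconfig/freeswitch`, the usual CentOS location. `$(dirname $0)` leaves `$0` unquoted inside the substitution; `"$(dirname "$0")"` matches the other scripts. Installing into `/lib/systemd/system` means a later `freeswitch` package update can overwrite the unit; `/etc/systemd/system/freeswitch.service` is the administrator location that survives upgrades.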
@@ -0,0 +1,55 @@
+;;;;; Author: Travis Cross
+
+[Unit]
+Description=freeswitch
+After=syslog.target network.target local-fs.target postgresql.service
+
+[Service]
+; service
+Type=forking
+PIDFile=/run/freeswitch/freeswitch.pid
+Environment="DAEMON_OPTS=-nonat"
+EnvironmentFile=-/etc/default/freeswitch
+ExecStartPre=/bin/mkdir -p /var/run/freeswitch/
+ExecStartPre=/bin/chown -R freeswitch:daemon /var/run/freeswitch/
+ExecStart=/usr/bin/freeswitch -u freeswitch -g daemon -ncwait $DAEMON_OPTS
+TimeoutSec=45s
+Restart=always
+; exec
+User=root
+Group=daemon
+LimitCORE=infinity
+LimitNOFILE=100000
+LimitNPROC=60000
+LimitRTPRIO=infinity
+LimitRTTIME=7000000
+IOSchedulingClass=realtime
+IOSchedulingPriority=2
+CPUSchedulingPolicy=rr
+CPUSchedulingPriority=89
+UMask=0007
+
+; alternatives which you can enforce by placing a unit drop-in into
+; /etc/systemd/system/freeswitch.service.d/*.conf:
+;
+; User=freeswitch
+; Group=freeswitch
+; ExecStart=
+; ExecStart=/usr/bin/freeswitch -ncwait -nonat -rp
+;
+; empty ExecStart is required to flush the list.
+;
+; if your filesystem supports extended attributes, execute
+; setcap 'cap_net_bind_service,cap_sys_nice=+ep' /usr/bin/freeswitch
+; this will also allow socket binding on low ports
+;
+; otherwise, remove the -rp option from ExecStart and
+; add these lines to give real-time priority to the process:
+;
+; PermissionsStartOnly=true
+; ExecStartPost=/bin/chrt -f -p 1 $MAINPID
+;
+; execute "systemctl daemon-reload" after editing the unit files.
+
+[Install]
+WantedBy=multi-user.target
diff --git a/centos/resources/switch/source/freeswitch.service.source b/centos/resources/switch/source/freeswitch.service.source
new file mode 100644
index 0000000..827e353
--- /dev/null
+++ b/centos/resources/switch/source/freeswitch.service.source
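Review bot: `After=syslog.target network.target local-fs.target postgresql.service` orders the service after `network.target`, which only means network management has started, not that addresses are configured; since FreeSWITCH binds its SIP profiles at startup, `Wants=network-online.target` plus `After=network-online.target` is the usual choice, and `syslog.target` no longer exists in current systemd so it can be dropped. The unit runs with `User=root` and relies on the `-u freeswitch -g daemon` switch in `ExecStart`, so the two `ExecStartPre` lines and the daemon start itself happen as root; the file's own comment block already describes the `User=freeswitch` + `setcap` alternative, so the gap is that the active configuration and the documented recommendation disagree without a note saying why. A one-line comment above `User=root` stating that root start is intentional for the packaged build would settle that.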
@@ -0,0 +1,55 @@
+;;;;; Author: Travis Cross
+
+[Unit]
+Description=freeswitch
+After=syslog.target network.target local-fs.target postgresql.service haveged.service
+
+[Service]
+; service
+Type=forking
+PIDFile=/run/freeswitch/freeswitch.pid
+Environment="DAEMON_OPTS=-nonat"
+EnvironmentFile=-/etc/default/freeswitch
+ExecStart=/usr/local/freeswitch/bin/freeswitch -u www-data -g www-data -ncwait $DAEMON_OPTS
+;ExecStart=/usr/local/freeswitch/bin/freeswitch -u freeswitch -g freeswitch -ncwait $DAEMON_OPTS
+TimeoutSec=45s
+Restart=always
+; exec
+User=root
+Group=daemon
+LimitCORE=infinity
+LimitNOFILE=100000
+LimitNPROC=60000
+LimitSTACK=240K
+LimitRTPRIO=infinity
+LimitRTTIME=7000000
+IOSchedulingClass=realtime
+IOSchedulingPriority=2
+CPUSchedulingPolicy=rr
+CPUSchedulingPriority=89
+UMask=0007
+
+; alternatives which you can enforce by placing a unit drop-in into
+; /etc/systemd/system/freeswitch.service.d/*.conf:
+;
+; User=freeswitch
+; Group=freeswitch
+; ExecStart=
+; ExecStart=/usr/bin/freeswitch -ncwait -nonat -rp
+;
+; empty ExecStart is required to flush the list.
+;
+; if your filesystem supports extended attributes, execute
+; setcap 'cap_net_bind_service,cap_sys_nice=+ep' /usr/bin/freeswitch
+; this will also allow socket binding on low ports
+;
+; otherwise, remove the -rp option from ExecStart and
+; add these lines to give real-time priority to the process:
+;
+; PermissionsStartOnly=true
+; ExecStartPost=/bin/chrt -f -p 1 $MAINPID
+;
+; execute "systemctl daemon-reload" after editing the unit files.
+
+[Install]
+WantedBy=multi-user.target
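Review bot: The active `ExecStart` runs FreeSWITCH as `-u www-data -g www-data`, a Debian user and group that a CentOS 7 install does not have, while every other file in this patch (`freeswitch.service.package`, `etc.default.freeswitch`, the permission scripts) uses `freeswitch:daemon`; I would expect the privilege switch to fail or the daemon's files to end up unreadable to nginx, and even the commented second line uses group `freeswitch` rather than `daemon`. `ExecStart=/usr/local/freeswitch/bin/freeswitch -u freeswitch -g daemon -ncwait $DAEMON_OPTS` would match the rest of the installer. No script in this chunk installs this unit (package-systemd.sh copies only the `.package` variant), so a comment at the top stating when the source-build unit applies would help, and the `setcap` advice in the comment block names `/usr/bin/freeswitch` although this unit starts `/usr/local/freeswitch/bin/freeswitch`.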