Pre Installation Stuff
Code Block |
---|
|
yum install -y epel-release
yum update -y
yum upgrade -y
yum install -y git mariadb mariadb-server httpd php php-cli php-mysql php-snmp php-mcrypt php-mbstring php-pdo dhcp tftp tftp-server net-snmp net-snmp-devel flex flex-devel cacti mod_ssl bzip2 gcc bison bc wget composer bind bind-utils firewalld graphviz
# create folders
mkdir /etc/dhcp/nms
mkdir -p /tftpboot/cm
chown -R apache /etc/dhcp/nms /tftpboot
chmod o+rx /etc/dhcp/
chown -R apache /etc/dhcp/ /etc/named.conf /var/named/dynamic/
chown apache /var/named/
chmod g+w /var/named/dynamic/ |
Code Block |
---|
|
# add IUS repo
wget https://centos7.iuscommunity.org/ius-release.rpm
rpm -Uvh ius-release.rpm
# update php version with yum replace plugin
yum install yum-plugin-replace
yum replace php --replace-with php56u |
Database
Code Block |
---|
|
# mysql enable
systemctl start mariadb
systemctl enable mariadb
# set root and make sql production
mysql_secure_installation
# create mysql db
mysql -u root -p -e "create database db_lara;" |
Laravel Specific Stuff
Code Block |
---|
|
# install composer (dependency manager)
# NOTE: deprecated .. could / will be installed via yum
#curl -sS https://getcomposer.org/installer | php
#mv composer.phar /usr/local/bin/composer
# clone project
git clone https://github.com/schmto/nmsprime.git /var/www/lara
cd /var/www/lara
# create/edit the .env file (you can take the example file as starting point)
cp .env.example .env
chmod 640 .env
chgrp apache .env
vim .env
# install packages (this will need .env file with properly configured DB_* fields)
composer install
# access rights
chown -R apache storage/ bootstrap/cache/
# create application key
php artisan key:generate
# enable/disable modules for your needs
php artisan module:list
php artisan module:[enable|disable] <MODULE>
# create the database tables (using migrations)
php artisan migrate
php artisan module:migrate |
Info |
---|
Note:
- all hosts that run with local settings are defined in /bootstrap/start.php
- edit app/config/database.php or app/config/local/database.php with the MySQL connection properties
- use /.env.php (on production server) for global and /.env.local.php for local settings; edit the files to your needs |
Info |
---|
title | Clone from Roetzer Engineering Repo |
---|
|
# Historical Stuff: Clone from Roetzer Engineering Repo
# Note: 1. Server must have access to atlassian repo server
#       2. change username
# NOTE: --global turns off TLS certificate verification for all git operations of this user
git config --global http.sslVerify false
git clone https://<user>@devel.roetzer-engineering.com:3128/stash/scm/pro/laravel.git /var/www/lara |
Disable SELinux
Code Block |
---|
|
# in /etc/sysconfig/selinux
echo "
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - SELinux is fully disabled.
#SELINUX=enforcing
SELINUX=disabled
# SELINUXTYPE= type of policy in use. Possible values are:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted
# SETLOCALDEFS= Check local definition changes
SETLOCALDEFS=0
" > /etc/sysconfig/selinux
# disable at runtime - NOTE: it's still possible that a reboot is necessary
setenforce 0
|
Info |
---|
|
# or prevent blocking the app/storage directory
sudo su
chcon -R -h -t httpd_sys_script_rw_t /var/www/lara/storage |
Interfaces
Code Block |
---|
|
# create VLANs - Attention: edit "if" (interface) if necessary
if="eno2"
for word in 10 100 110 120 130; do
Z=`echo "$word-100" | bc`;
if [ $Z -lt 0 ];
then ip=192.168.253.1;
else ip=172.20.$Z.1;
fi;
echo "DEVICE=$if.$word
BOOTPROTO=none
ONBOOT=yes
IPADDR=$ip
PREFIX=24
VLAN=yes
" > /etc/sysconfig/network-scripts/ifcfg-$if.$word
done |
Info |
---|
On VMs, to avoid DHCP trouble on a bridged interface, disable all IP configuration on the main provisioning interface:
Code Block |
---|
if="eno2"
echo "
DEVICE=$if
ONBOOT=yes
" > /etc/sysconfig/network-scripts/ifcfg-$if |
|
Firewall
Code Block |
---|
|
# assign internal network interfaces (vlans) to internal firewall zone (see Buglist: https://bugs.centos.org/view.php?id=7407)
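# the pattern is quoted so that the shell does not expand it before find sees it
for i in `find /etc/sysconfig/network-scripts/ -name 'ifcfg-*.*'`; do echo "ZONE=internal" >> "$i"; done
# enable firewalld and restart the network so that firewalld automatically assigns the interfaces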
systemctl enable firewalld
systemctl start firewalld
systemctl restart network.service
# firewalld
# remove not required services - ATTENTION: if ssh runs on private network then switch public and internal in following cmds
for word in `firewall-cmd --list-services --zone=public`; do if [ $word != "ssh" ]; then firewall-cmd --remove-service=$word --zone=public --permanent; fi; done
for word in `firewall-cmd --list-services --zone=internal`; do firewall-cmd --remove-service=$word --zone=internal --permanent; done
# assign services
for word in ssh https; do firewall-cmd --add-service=$word --zone=public --permanent; done
for word in tftp dhcp dns; do firewall-cmd --add-service=$word --zone=internal --permanent; done
firewall-cmd --add-port=37/udp --zone=internal --permanent
# this is the port used to access the admin part of NMS Prime - feel free to restrict access to some IPs
# to get all working we allow connections for complete zone public
firewall-cmd --add-port=8080/tcp --zone=public --permanent
# restart
firewall-cmd --reload
|
Info |
---|
- There are two different lists: the active list and the permanent list
- Use --permanent flag to work with permanent list
- permanent list will only be active after --reload command
- only permanent commands will generate /etc/firewalld/... files
|
Apache
SSL
Code Block |
---|
|
#
# SSL
# Self-signed certificate
#
mkdir /etc/httpd/ssl
openssl req -new -x509 -days 365 -nodes -out /etc/httpd/ssl/httpd.pem -keyout /etc/httpd/ssl/httpd.key |
Configuration for Laravel Webspace
Code Block |
---|
|
echo "
<VirtualHost *:443>
SSLEngine On
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA:!RC4
SSLCertificateFile /etc/httpd/ssl/httpd.pem
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
</VirtualHost>
Alias /lara /var/www/lara/public
<Directory /var/www/lara/public>
AllowOverride all
</Directory>
" > /etc/httpd/conf.d/lara.conf |
Code Block |
---|
|
# start webserver
systemctl enable httpd
systemctl start httpd |
Info |
---|
RewriteBase in Laravel's public/.htaccess must match the Apache mods config.
Code Block |
---|
# add the following lines to /var/www/lara/public/.htaccess to change the root directory for the web browser
RewriteBase /lara/
# disables some functionalities for security purposes (deprecated)
php_flag safe_mode off |
This is already done in the Git repo and should only be relevant for new projects and maybe for debugging problems. |
TFTP
Code Block |
---|
|
# edit tftp config file
echo "
service tftp
{
socket_type = dgram
protocol = udp
wait = yes
user = root
server = /usr/sbin/in.tftpd
# changed root dir
server_args = -s /tftpboot -v
# enable
disable = no
per_source = 11
cps = 100 2
flags = IPv4
}" > /etc/xinetd.d/tftp
# start server
yum install xinetd
systemctl enable xinetd
systemctl start xinetd |
DOCSIS Config File Tool
Requirements
# requires following packages
Code Block |
---|
language | bash |
---|
title | Version 0.9.8 |
---|
|
# yum
yum install -y net-snmp net-snmp-devel flex flex-devel bison gcc |
Install from source code
There are two different ways to install, from:
- GIT repo
- wget
1. Install from git repo
This is recommended and allows running the latest stable git version of the docsis tool: see https://github.com/rlaager/docsis.git
Code Block |
---|
language | bash |
---|
title | Version 0.9.8 |
---|
|
# prepare (as root user)
yum install libtool glib2-devel
cd ~
mkdir git
# download
cd git
git clone https://github.com/rlaager/docsis.git docsis
# install
cd docsis
./autogen.sh
./configure
make && make install |
deprecated: Install with wget
Use this to get a specific version.
Code Block |
---|
language | bash |
---|
title | old version |
---|
|
# download
wget http://sourceforge.net/projects/docsis/files/docsis/docsis-0.9.6/docsis-0.9.6.tar.bz2
# unzip
tar jxf docsis-0.9.6.tar.bz2
cd docsis*
# install
./configure
make
sudo make install |
Last steps
Code Block |
---|
|
cd /var/www/lara
# fill database tables with examples - only useful for testing or development
php artisan db:seed
php artisan module:seed
# Create CM and CPE configfiles
php artisan nms:configfile
# Create dhcp files
php artisan nms:dhcp |
You should now be able to log in to your NMS installation – initial user is “root” with password “toor” (you should at least change the password NOW!)
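A post-install check of the file permissions and firewall zone assignments set up in the steps above, as an added example that is not part of NMS Prime. The root-prefix argument and the owner-only expectation for httpd.key are assumptions of this example.

```shell
#!/bin/bash
# Added example (not part of NMS Prime): audit what this guide configured.
# The first argument is a hypothetical path prefix so the audit can run
# against a test tree; pass "" for the live system. Uses GNU stat (CentOS).

# check_max_mode FILE MAX: fail if FILE has any permission bit beyond MAX.
check_max_mode() {
    local file=$1 max=$2 mode
    [ -e "$file" ] || { echo "MISSING  $file"; return 1; }
    mode=$(stat -c '%a' "$file")
    if [ $(( 0$mode & ~0$max & 07777 )) -ne 0 ]; then
        echo "TOO-OPEN $file (mode $mode, expected at most $max)"
        return 1
    fi
    echo "OK       $file (mode $mode)"
}

# check_vlan_zones DIR ZONE: every VLAN ifcfg file must carry ZONE=<zone>.
check_vlan_zones() {
    local dir=$1 zone=$2 rc=0 f
    for f in "$dir"/ifcfg-*.*; do
        [ -e "$f" ] || continue          # glob matched nothing
        if grep -qx "ZONE=$zone" "$f"; then
            echo "OK       $f (zone $zone)"
        else
            echo "NO-ZONE  $f (would fall into the default zone)"
            rc=1
        fi
    done
    return $rc
}

audit_nms_install() {
    local root=$1 rc=0
    # .env holds the DB_* settings and the application key: 640, group apache
    check_max_mode "$root/var/www/lara/.env" 640 || rc=1
    # assumption: the TLS private key should be readable by its owner only
    check_max_mode "$root/etc/httpd/ssl/httpd.key" 600 || rc=1
    check_vlan_zones "$root/etc/sysconfig/network-scripts" internal || rc=1
    return $rc
}

# Check the live system only when the script is called with "live".
if [ "${1:-}" = "live" ]; then audit_nms_install ""; fi
```

Run it as root with the argument `live`; a non-zero exit status means at least one file is missing, too permissive, or not assigned to the internal zone.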
TODO
- generic interface configuration (scripts)
...