centos8セットアップ自分用メモ
# Japanese locale data, default LANG and JST timezone for the host.
dnf install -y glibc-langpack-ja
localectl set-locale LANG=ja_JP.UTF-8
timedatectl set-timezone Asia/Tokyo
# Put SELinux into permissive mode for the running kernel, then edit the
# persistent setting in /etc/selinux/config (applied at next boot).
setenforce Permissive
vi -- /etc/selinux/config
# Persistent SELinux mode. "disabled" unloads the policy and stops file
# labelling (re-enabling later needs a full relabel); "permissive" keeps the
# policy loaded and only logs denials, which is the less drastic option when
# the goal is merely to stop SELinux from blocking the services below.
SELINUX=disabled
# Hostname (FQDN; Postfix's myhostname below uses the same value).
hostnamectl set-hostname systemexpress.systemexpress.co.jp

# webmaster: owns the web content, never logs in interactively.
useradd --create-home --shell /sbin/nologin webmaster
# yukawa: the one interactive/SSH account; primary group webmaster,
# presumably so it shares ownership of the content tree — confirm.
useradd --create-home --gid webmaster yukawa
passwd yukawa
passwd root

# sshd hardening is done in the config file (see the PermitRootLogin /
# AllowUsers lines that follow).
vi -- /etc/ssh/sshd_config
# No direct root login over SSH.
PermitRootLogin no
# Allow-list: only this account may authenticate at all; every other user
# (including the nologin service accounts) is refused before auth.
AllowUsers yukawa
# Bring the system current, then set up unattended updates.
dnf update -y
dnf install -y dnf-automatic
vi -- /etc/dnf/automatic.conf
# Install the downloaded updates automatically (the packaged default only
# downloads them).
apply_updates = yes
# Start the timer now and at every boot; it drives dnf-automatic.
systemctl --now enable dnf-automatic.timer
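# Self-signed server key/certificate (vsftpd references server.crt and
# server.key from this directory later on).
# Abort if the directory cannot be entered, otherwise the key would be
# written wherever the shell happens to be.
cd /etc/pki/tls/certs || exit 1
# Passphrase-protected RSA key (the passphrase is prompted for twice) ...
openssl genrsa -des3 -out server.key 2048
# ... then strip the passphrase so daemons can load the key unattended
# (prompts once for the passphrase entered above).
openssl rsa -in server.key -out server.key
# Self-signed certificate, 10-year validity, SHA-256 signature.
openssl req -new -x509 -days 3650 -key server.key -out server.crt -sha256
# Combined key + cert for software that expects a single PEM file.
cat server.key server.crt > server.pem
# Owner-read-only: every one of these files carries the private key.
chmod 400 -- server*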
# Postfix as the MTA; main settings are edited by hand below.
dnf install -y postfix
vi -- /etc/postfix/main.cf
# Identity: the hostname set with hostnamectl, and the mail domain.
myhostname = systemexpress.systemexpress.co.jp
mydomain = systemexpress.co.jp
# Locally posted mail without a domain gets @systemexpress.co.jp appended.
myorigin = $mydomain
# Listen on every interface: this host accepts inbound mail from outside.
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
local_recipient_maps = proxy:unix:passwd.byname $alias_maps
# Deliver into ~/Maildir (Dovecot's mail_location points at the same place).
home_mailbox = Maildir/
# Extra hosted domains; "追加ドメイン" is a placeholder to be replaced.
virtual_alias_domains = 追加ドメイン,追加ドメイン
# Lookup order matters: exact aliases (hash) first, then the regexp catch-all.
virtual_alias_maps = hash:/etc/postfix/virtual, regexp:/etc/postfix/virtual.regexp
# NOTE(review): no smtpd_tls_cert_file / smtpd_tls_key_file appear in this
# excerpt, yet master.cf enables TLS wrapper mode and SASL on smtps and
# submission. Confirm TLS is configured elsewhere; otherwise SASL passwords
# may be accepted without encryption on those ports.
# Regexp alias table (catch-all rules per hosted domain).
vi -- /etc/postfix/virtual.regexp
# Catch-all: any local part at the domain (or with no domain at all) is
# rewritten to the single mailbox account systemexpress.co.jp-info.
/^([^@]+)(@systemexpress.co.jp)?$/ systemexpress.co.jp-info
# Same for the extra hosted domain ("追加ドメイン" is a placeholder).
/^([^@]+)(@追加ドメイン)?$/ 追加ドメイン-info
# NOTE(review): the dots in the domain names are unescaped and match any
# character; harmless for a catch-all, but "\." is the intended form.
# Build the indexed (.db) form of the hash table.
postmap /etc/postfix/virtual
# NOTE(review): regexp: tables are read directly by Postfix and need no
# postmap; this call only produces an unused virtual.regexp.db.
postmap /etc/postfix/virtual.regexp
# Enable the submission (587) and smtps (465) listeners.
vi -- /etc/postfix/master.cf
# service    type  private unpriv chroot wakeup maxproc command + args
# Port 25: plain MTA-to-MTA inbound mail.
smtp         inet  n       -      n      -      -       smtpd
# Port 587: authenticated submission; unauthenticated clients are rejected.
submission   inet  n       -      n      -      -       smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
# Port 465: implicit TLS (wrapper mode) with SASL.
smtps        inet  n       -      n      -      -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
# NOTE(review): submission sets no "-o smtpd_tls_security_level=encrypt",
# so SASL is also offered before STARTTLS; with the plain-text mechanisms
# installed below (cyrus-sasl-plain) a client may send its password in the
# clear on 587 — confirm this is intended.
systemctl enable --now postfix

# SASL mechanisms plus the authentication daemon that smtpd's SASL auth
# (enabled in master.cf) presumably talks to — confirm the saslauthd MECH.
dnf install -y cyrus-sasl cyrus-sasl-plain cyrus-sasl-md5
systemctl enable --now saslauthd

# Dovecot gives IMAP/POP3 access to the Maildirs Postfix delivers into.
dnf install -y dovecot
vi -- /etc/dovecot/dovecot.conf
# Serve both IMAP and POP3; whether the TLS listeners are offered is
# governed by the ssl setting in conf.d/10-ssl.conf.
protocols = imap pop3
# Mailbox location (must agree with Postfix's home_mailbox).
vi -- /etc/dovecot/conf.d/10-mail.conf
# Maildir under each user's home; matches Postfix's home_mailbox = Maildir/.
mail_location = maildir:~/Maildir
# Authentication policy (plaintext auth allowance).
vi -- /etc/dovecot/conf.d/10-auth.conf
# Permit password authentication on unencrypted IMAP/POP3 sessions.
# Dovecot's default is "yes" (refuse plaintext auth unless the connection is
# TLS or local); with "no", client passwords may cross the network in the
# clear on 110/143. Prefer the default and point clients at the TLS ports
# (ssl = yes is set in 10-ssl.conf).
disable_plaintext_auth = no
# TLS settings for imaps/pop3s.
vi -- /etc/dovecot/conf.d/10-ssl.conf
# Offer TLS (imaps/pop3s). No ssl_cert/ssl_key paths appear in this memo, so
# Dovecot presumably uses whatever the package ships — confirm, as the
# self-signed server.crt/server.key created earlier are not referenced here.
ssl = yes
systemctl enable --now dovecot

# Skeleton Maildir so every account created from now on starts with the
# three Maildir subdirectories, readable by the owner only.
mkdir --parents /etc/skel/Maildir/{cur,new,tmp}
chmod --recursive 700 /etc/skel/Maildir/

# Mailbox-only account that receives the catch-all aliases; no shell login.
useradd --shell /sbin/nologin systemexpress.co.jp-info
passwd systemexpress.co.jp-info

# Exact-match alias table.
vi -- /etc/postfix/virtual
# Exact alias; consulted before the regexp catch-all because of the order
# given in virtual_alias_maps.
info@systemexpress.co.jp systemexpress.co.jp-info
# Rebuild the indexed alias table and let Postfix pick it up.
postmap /etc/postfix/virtual
systemctl reload postfix

# FTP(S) server for uploading web content.
dnf install -y vsftpd
vi -- /etc/vsftpd/vsftpd.conf
# With userlist_deny=NO the names in user_list are the ALLOWED logins.
userlist_deny=NO
ascii_upload_enable=YES
ascii_download_enable=YES
force_dot_files=YES
use_localtime=YES
# Confine each login to its local_root; per-user settings live in user_conf.
chroot_local_user=YES
user_config_dir=/etc/vsftpd/user_conf
# Every non-anonymous login is mapped onto the local "webmaster" account for
# file ownership, while keeping the privileges of a local user.
guest_enable=YES
guest_username=webmaster
virtual_use_local_privs=YES
# Passive data connections on a fixed 3-port range (so at most 3 concurrent
# transfers); the firewall later opens the same range for the admin IP only.
pasv_enable=YES
pasv_min_port=4000
pasv_max_port=4002
# TLS is offered using the self-signed certificate generated earlier ...
ssl_enable=YES
ssl_ciphers=HIGH
rsa_cert_file=/etc/pki/tls/certs/server.crt
rsa_private_key_file=/etc/pki/tls/certs/server.key
# ... but not required: with both set to NO a client may send its password
# and the file data in the clear. Switch to YES once clients support FTPS.
force_local_logins_ssl=NO
force_local_data_ssl=NO
seccomp_sandbox=NO
# NOTE(review): vsftpd refuses a writable chroot root by default because it
# is a known escape vector; it is overridden here so uploads land directly
# in local_root. Safer: keep the root read-only and upload into a writable
# subdirectory.
allow_writeable_chroot=YES
syslog_enable=YES
# NOTE(review): debug_ssl=YES logs verbose TLS diagnostics to syslog; turn
# it off once FTPS is confirmed working.
debug_ssl=YES
# Document tree (also the FTP root for yukawa) and the FTP allow-list.
mkdir --parents /var/www/html
vi -- /etc/vsftpd/user_list
yukawa
# Per-user vsftpd overrides; the file name is the login name.
mkdir -- /etc/vsftpd/user_conf
vi -- /etc/vsftpd/user_conf/yukawa
# yukawa's FTP root (and chroot) is the web document tree.
local_root=/var/www/html
systemctl enable --now vsftpd

# MariaDB server and client.
# NOTE(review): nothing in this memo hardens the database (no
# mysql_secure_installation, no root password step); confirm the state of
# the root and anonymous accounts after install.
dnf install -y mariadb-server mariadb
systemctl enable --now mariadb

# Apache httpd with the TLS module, tools and docs; vhosts in conf.d.
dnf install -y httpd httpd-tools httpd-devel httpd-manual mod_ssl
vi -- /etc/httpd/conf.d/vhost.conf
# .htaccess files may override any directive under the document tree. Many
# PHP applications need this, but it also lets a compromised upload change
# server behaviour; narrow it to the directives actually required if possible.
<Directory "/var/www/html">
    AllowOverride All
</Directory>
# Plain-HTTP vhost; the TLS vhost is in ssl.conf.
<VirtualHost *:80>
    DocumentRoot /var/www/html/systemexpress.co.jp/www
    ServerName www.systemexpress.co.jp
    ServerAlias systemexpress.co.jp
    ErrorLog logs/www.systemexpress.co.jp-error_log
    # Requests carrying the no_log env var are not logged. Nothing in this
    # memo sets it, so presumably a SetEnvIf lives elsewhere — confirm.
    CustomLog logs/www.systemexpress.co.jp-access_log common env=!no_log
</VirtualHost>
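# Let's Encrypt certificate through certbot's Apache plugin (EPEL ships certbot).
dnf install -y epel-release
dnf install -y certbot python3-certbot-apache
# NOTE(review): only the apex name is requested here, while the vhosts use
# ServerName www.systemexpress.co.jp; confirm the www name is covered too.
certbot --apache -d systemexpress.co.jp

# Renewal entry registered with `crontab -e`. Fields are
# minute hour day-of-month month day-of-week: 03:02 on the 4th of each month.
# The original pre-hook stopped httpd but nothing started it again, so a
# renewal left the site down; the post-hook restores service. (certbot's
# Apache plugin renews without stopping httpd, so both hooks could be dropped.)
crontab -e
2 3 4 * * certbot renew --pre-hook "systemctl stop httpd" --post-hook "systemctl start httpd"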
# Point the TLS vhost at the Let's Encrypt lineage.
vi -- /etc/httpd/conf.d/ssl.conf
# TLS vhost on 443 using the certbot lineage created above.
<VirtualHost _default:443>
    DocumentRoot /var/www/html/systemexpress.co.jp/www
    ServerName www.systemexpress.co.jp:443
    ServerAlias systemexpress.co.jp:443
    # fullchain.pem holds the leaf plus intermediates; httpd reads the chain
    # from it, so no separate chain directive is needed.
    SSLCertificateFile /etc/letsencrypt/live/systemexpress.co.jp/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/systemexpress.co.jp/privkey.pem
    # NOTE(review): SSLCACertificateFile lists the CAs used to verify *client*
    # certificates, not the server chain; with fullchain.pem above this line
    # is redundant and can likely be removed.
    SSLCACertificateFile /etc/letsencrypt/live/systemexpress.co.jp/chain.pem
</VirtualHost>
# NOTE(review): the certificate was requested for systemexpress.co.jp only
# (certbot -d above); browsers reaching www.systemexpress.co.jp will see a
# name mismatch unless that name is covered as well.
# Document root for the vhosts, owned by the content account (the same
# account vsftpd maps uploads onto).
mkdir --parents /var/www/html/systemexpress.co.jp/www
chown --recursive webmaster:webmaster /var/www/html
systemctl enable --now httpd
# PHP 7.4 from the Remi repository via DNF modules.
# NOTE(review): this memo targets CentOS 8 but fetches remi-release-9 (the
# EL9 build). Use the remi-release rpm matching the host's major version
# (check /etc/os-release), otherwise the repo and module stream will not
# line up with the installed OS.
dnf install -y https://rpms.remirepo.net/enterprise/remi-release-9.rpm
dnf module list php
dnf module enable -y php:remi-7.4
dnf module install -y php:remi-7.4
dnf install -y php php-mbstring php-mysqlnd php-gd php-json
vi -- /etc/php.ini
; Accept "<?" short tags (legacy code).
short_open_tag = On
; 5-minute script limit instead of PHP's 30-second default.
max_execution_time = 300
; NOTE(review): display_errors = On sends PHP errors (file paths and
; sometimes data fragments) to the browser. On an Internet-facing host
; prefer display_errors = Off with log_errors = On.
display_errors = On
upload_max_filesize = 20M
date.timezone = "Asia/Tokyo"
; Japanese mbstring setup: HTTP input/output are passed through untouched
; ("pass") with automatic encoding detection.
mbstring.language = Japanese
mbstring.internal_encoding = UTF-8
mbstring.http_input = pass
mbstring.http_output = pass
mbstring.encoding_translation = On
mbstring.detect_order = auto
mbstring.substitute_character = none
# Pick up php.ini changes.
systemctl restart php-fpm httpd

# Webmin from the upstream "current" rpm.
# NOTE(review): the package is fetched over plain http with no checksum or
# key step shown here; prefer the https URL or the signed Webmin repository
# so dnf's GPG check actually applies.
dnf install -y http://www.webmin.com/download/rpm/webmin-current.rpm
systemctl enable webmin
/etc/webmin/start
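# Host firewall. "enable --now" rather than "start": start alone leaves
# firewalld disabled at boot if it was not enabled already, and the
# --permanent rules below would then never be applied after a reboot.
systemctl enable --now firewalld

fw_opts=(--permanent --zone=public)

# Public services: web and mail.
for svc in http https imap imaps pop3 pop3s smtp smtps; do
  firewall-cmd "${fw_opts[@]}" --add-service="$svc"
done
# Submission (587) is opened by port number.
firewall-cmd "${fw_opts[@]}" --add-port=587/tcp

# Admin-only services (ssh, ftp/ftps + passive range, webmin) are reachable
# solely from the home IP: drop the zone-wide ssh service and add
# source-restricted rich rules instead.
admin_src=35.173.48.18
firewall-cmd "${fw_opts[@]}" --remove-service=ssh
for port in ssh ftp ftps 4000-4002 10000; do
  firewall-cmd "${fw_opts[@]}" \
    --add-rich-rule="rule family=ipv4 source address=${admin_src} port port=${port} protocol=tcp accept"
done

# Load the permanent configuration into the running firewall.
firewall-cmd --reload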