Merge branch 'release/v0.6.0'

Author: Tecnobutrul

CHANGELOG.md

@@ -3,7 +3,23 @@
 All notable changes to this project will be documented in this file.
 This project adheres to [Semantic Versioning](http://semver.org/).
 
-## [Unreleased](https://github.com/passbolt/passbolt_install_scripts/compare/v0.5.1...HEAD)
+## [Unreleased](https://github.com/passbolt/passbolt_install_scripts/compare/v0.6.0...HEAD)
+
+## [0.6.0](https://github.com/passbolt/passbolt_install_scripts/compare/v0.6.0..v0.5.2) - 2021-02-25
+
+This release of the install scripts deprecates the [ubuntu](https://help.passbolt.com/hosting/install/ce/ubuntu/ubuntu.html) and [debian](https://help.passbolt.com/hosting/install/ce/debian/debian.html) installation scripts in favour of the passbolt debian and ubuntu packages.
+From now on this repository aims to support only Centos and RedHat installations.
+
+### Added
+
+- Support for centos8 #16 Thanks to @TheDeadGuy
+
+### Changed
+- Composer installs v2
+- Check firewalld is running before doing changes
+- Nginx SSL config update #15 Thanks to @garretboone
+- Nginx does not include intermediate Letsencrypt certs #17
+
 
 ## [0.5.2](https://github.com/passbolt/passbolt_install_scripts/compare/v0.5.2..v0.5.1) - 2020-10-26
 

build_scripts.sh

@@ -44,7 +44,7 @@ build() {
   local os=$1
   local output=dist/"$os"/passbolt_ce_"$os"_installer.sh
 
-  if ! [[ "$os" =~ ^(debian|ubuntu|centos|redhat)$ ]]; then
+  if ! [[ "$os" =~ ^(debian|ubuntu|centos7|centos8|redhat)$ ]]; then
     error "Distribution not supported"
   fi
 
@@ -71,12 +71,11 @@ build() {
     cat "$initializer" >> "$output";
   done
 
-  if [ "$os" == "centos" ] || [ "$os" == "redhat" ]; then
+  if [ "$os" == "centos7" ] || [ "$os" == "redhat" ] || [ "$os" == "centos8" ]; then
     for helper in lib/helpers/"$os"/*.sh; do
       cat "$helper" >> "$output";
     done
   fi
-
   if [ "$os" == "ubuntu" ]; then
     for helper in lib/helpers/"$os"/*.sh; do
       cat "$helper" >> "$output";
@@ -115,6 +114,8 @@ while getopts "chd:" opt; do
       checksum debian 10
       compress centos 7
       checksum centos 7
+      compress centos 8
+      checksum centos 8
       compress ubuntu 18.04
       checksum ubuntu 18.04
       compress redhat EXPERIMENTAL

conf/centos/constants.sh conf/centos7/constants.shconf/centos/constants.sh renamed to conf/centos7/constants.sh

@@ -0,0 +1,13 @@
+readonly OS='centos'
+readonly OS_SUPPORTED_VERSION="8.0"
+readonly OS_VERSION_FILE="/etc/centos-release"
+readonly FPM_WWW_POOL="/etc/php-fpm.d/www.conf"
+readonly FPM_SERVICE="php-fpm"
+readonly WWW_USER="nginx"
+readonly WWW_GROUP="nginx"
+readonly WWW_USER_HOME="/var/lib/nginx"
+readonly GNUPG_HOME='/var/lib/nginx/.gnupg'
+readonly CRONTAB_DIR='/var/spool/cron/'
+readonly REMI_PHP_URL='http://rpms.remirepo.net/enterprise/remi-release-8.rpm'
+readonly REMI_PHP_VERSION='remi-7.3'
+readonly PHP_EXT_DIR='/etc/php.d'

conf/centos/packages.txt conf/centos7/packages.txtconf/centos/packages.txt renamed to conf/centos7/packages.txt

@@ -0,0 +1,17 @@
+php-intl
+php-gd
+php-mysql
+php-pear
+php-devel
+php-mbstring
+php-fpm
+php-ldap
+gcc
+gpgme-devel
+git
+policycoreutils-python-utils
+nginx
+unzip
+wget
+certbot
+pinentry

conf/centos8/constants.sh

@@ -1,6 +1,6 @@
 server {
-  listen [::]:443;
-  listen 443;
+  listen [::]:443 ssl http2;
+  listen 443 ssl http2;
   server_name _SERVER_NAME_;
   client_body_buffer_size     100K;
   client_header_buffer_size   1k;
@@ -10,13 +10,17 @@ server {
   client_header_timeout 10;
   keepalive_timeout     5 5;
   send_timeout          10;
-  ssl on;
+
   ssl_certificate     _NGINX_CERT_FILE_;
   ssl_certificate_key _NGINX_KEY_FILE_;
-  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-  ssl_prefer_server_ciphers on;
-  ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4:@STRENGTH";
+  # ssl_dhparam         _NGINX_DHPARAM_FILE_;
+
+  ssl_session_timeout 1d;
+  ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
   ssl_session_tickets off;
+  ssl_protocols TLSv1.2 TLSv1.3;
+  ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+  ssl_prefer_server_ciphers off;
 
   root /var/www/passbolt/webroot;
   index index.php;

conf/centos8/packages.txt

@@ -9,3 +9,4 @@ readonly WWW_USER_HOME="/var/opt/rh/rh-nginx116/lib/nginx"
 readonly GNUPG_HOME='/var/lib/nginx/.gnupg'
 readonly CRONTAB_DIR='/var/spool/cron/'
 readonly PHP_EXT_DIR='/etc/opt/rh/rh-php73/php.d'
+readonly RH_VERSION='7'

conf/nginx/passbolt_ssl.conf

@@ -0,0 +1,18 @@
+check_firewall() {
+  systemctl is-active firewalld
+}
+
+setup_firewall() {
+  local zone=public
+  local services=(http https)
+  banner "Opening ports 80 and 443 on firewall"
+
+  if check_firewall; then
+    for i in "${services[@]}"; do
+      firewall-cmd --permanent --zone="$zone" --add-service="$i"
+    done
+    enable_service firewalld
+  else
+    echo "Firewalld is not active."
+  fi
+}