#!/usr/bin/env bash
# BigScoots New Server Install (Clean Rewrite)
# Target: AlmaLinux/RHEL family
# Maintainer: BigScoots
# Last updated: 2025-10-07

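set -euo pipefail

############################
# Globals & Helpers
############################
# LOG_DIR is not just a log location: the GitHub deploy key is written to
# RKEY_PATH inside it, so the directory is kept root-only (0700) regardless
# of what mode /root happens to have on this image.
LOG_DIR="/root/.bigscoots"
LOG_FILE="${LOG_DIR}/install.log"
BS_INSTALLDIR="/bigscoots"
SSH_PORT_NEW="2222"
TZ="America/Chicago"
PRIMARY_EMAIL="root"
SECONDARY_EMAIL="root"
RKEY_URL="https://bigscoots.com/downloads/rkey"
RKEY_PATH="${LOG_DIR}/rkey"
# NOTE(review): this value looks mangled (the user part reads like an
# e-mail redaction artifact); the expected shape is git@github.com:owner/repo.git.
# Confirm against the maintained copy before relying on it.
GITHUB_REPO="[email protected]:jcatello/bigscoots.git"
CRON_JOB="*/15 * * * * ${BS_INSTALLDIR}/mon_disk.sh"
SYSCTL_IPV6_CONF="/etc/sysctl.d/99-disable-ipv6.conf"

mkdir -p -m 700 "${LOG_DIR}"
chmod 700 "${LOG_DIR}"   # -m only applies when mkdir actually creates the directory
# Mirror stdout and stderr of the whole run into the install log.
exec > >(tee -a "${LOG_FILE}") 2>&1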

# log: timestamped line to stdout (which main() redirects into LOG_FILE).
log() {
  local stamp
  stamp="$(date +'%F %T')"
  printf -- "[%s] %s\n" "${stamp}" "$*"
}
# Severity wrappers around log(); die() also terminates the script with status 1.
ok()   { log "✅ $*"; }
warn() { log "⚠️  $*"; }
die()  { log "❌ $*"; exit 1; }

# require_root: abort via die() unless the effective uid is 0.
require_root() {
  if [[ "$(id -u)" -ne 0 ]]; then
    die "Run as root."
  fi
}

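# backup_file PATH: copy PATH to PATH.bak.<epoch> (mode/owner preserved) and
# log it. A missing PATH is a no-op that returns 0 — returning non-zero there
# would abort the whole install under `set -e` whenever a caller passes a
# file that does not exist yet (e.g. /etc/mdadm.conf on a host with no prior
# mdadm config).
backup_file() {
  local f="$1"
  [[ -f "$f" ]] || return 0
  cp -a -- "$f" "${f}.bak.$(date +%s)" && ok "Backed up $f"
}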

have() { command -v "$1" >/dev/null 2>&1; }

############################
# Package Setup
############################
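# install_packages: refresh the release package, enable EPEL, install the
# tool set the rest of the script depends on (chrony, postfix, git, wget,
# unzip, lshw, ...) and bring the system up to date.
install_packages() {
  log "Updating base repos and installing packages…"
  # Best-effort refresh of the distro release package. GPG verification is
  # deliberately left enabled: this package carries the repo definitions and
  # signing keys for everything installed afterwards, so skipping the check
  # here would let a tampered mirror seed the whole chain.
  dnf upgrade -y almalinux-release || true
  dnf install -y epel-release
  # strict=0 makes dnf skip names that do not exist on this release
  # (ntp, network-scripts, python* on newer EL) instead of aborting.
  dnf -y --setopt=strict=0 install \
    nano network-scripts ntp mailx pciutils bind-utils traceroute nmap screen \
    yum-utils net-tools dos2unix lshw python python-ctypes iotop ncurses-devel \
    libpcap-devel gcc make wget curl chrony postfix iftop unzip git openssh-clients
  dnf -y update
  ok "Packages installed/updated."
}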

############################
# Time & NTP
############################
# configure_time: set the zone from TZ and make chronyd the running NTP client.
configure_time() {
  log "Configuring timezone & NTP…"
  timedatectl set-timezone "${TZ}"
  systemctl enable --now chronyd
  # Diagnostic output only — chronyc can fail before the first sync.
  chronyc tracking || true
  chronyc sources  || true
  ok "Time configured: $(timedatectl | grep 'Time zone')"
}

############################
# SELinux
############################
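# configure_selinux: set SELINUX=disabled in /etc/selinux/config and, if the
# kernel is currently enforcing, drop to permissive for the rest of this run.
# NOTE(review): this removes the mandatory-access-control layer on a public
# DB host; permissive/targeted would keep AVC audit logging. Left as the
# operator's decision — flagged here, not changed.
configure_selinux() {
  log "Configuring SELinux (disable persistently, permissive now if needed)…"
  backup_file /etc/selinux/config
  if grep -q '^SELINUX=' /etc/selinux/config; then
    sed -i 's/^SELINUX=.*/SELINUX=disabled/g' /etc/selinux/config
  else
    echo 'SELINUX=disabled' >> /etc/selinux/config
  fi

  # Runtime cannot go from enforcing to disabled without a reboot, so
  # permissive is the most we can do now.
  if have getenforce; then
    local current
    current="$(getenforce || echo "Unknown")"
    if [[ "$current" == "Enforcing" ]]; then
      setenforce 0 || true
      ok "SELinux set to Permissive at runtime. Full disable after reboot."
    else
      ok "SELinux runtime is ${current}."
    fi
  fi
}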

############################
# IPv6 disable
############################
# disable_ipv6: turn IPv6 off now (sysctl -w) and persist it in SYSCTL_IPV6_CONF.
disable_ipv6() {
  log "Disabling IPv6 (runtime + persistent)…"
  local scope
  for scope in all default; do
    sysctl -w "net.ipv6.conf.${scope}.disable_ipv6=1"
  done
  printf '%s\n' \
    'net.ipv6.conf.all.disable_ipv6 = 1' \
    'net.ipv6.conf.default.disable_ipv6 = 1' \
    > "${SYSCTL_IPV6_CONF}"
  sysctl -p "${SYSCTL_IPV6_CONF}" || true
  ok "IPv6 disabled."
}

############################
# RAID / Storage monitoring
############################
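# configure_raid_monitoring: set up e-mail alerting for whichever RAID is
# present — mdadm --monitor for software RAID, or MegaCLI plus the vendor
# lsi.sh cron job for LSI/Broadcom controllers.
configure_raid_monitoring() {
  log "Checking for mdraid or LSI/Broadcom controllers…"
  if grep -q 'Personalities' /proc/mdstat && grep -q 'raid' /proc/mdstat; then
    log "mdraid detected."
    rm -f /etc/cron.daily/raid || true
    # Stop any running monitor before rewriting its config and relaunching.
    pkill -9 mdadm 2>/dev/null || true
    backup_file /etc/mdadm.conf
    sed -i '/^MAILADDR/d' /etc/mdadm.conf 2>/dev/null || true
    echo "MAILADDR [email protected]" >> /etc/mdadm.conf
    grep -q '^DEVICE partitions' /etc/mdadm.conf || echo "DEVICE partitions" >> /etc/mdadm.conf
    grep -q 'mdadm --monitor --scan --daemonize' /etc/rc.local 2>/dev/null || {
      echo "/sbin/mdadm --monitor --scan --daemonize" >> /etc/rc.local
      chmod +x /etc/rc.local || true
    }
    /sbin/mdadm --monitor --scan --daemonize || true
    ok "mdadm monitoring configured."
  else
    # LSI/Broadcom?
    if lshw -C storage 2>/dev/null | grep -Eq 'vendor: (LSI|Broadcom)'; then
      log "LSI/Broadcom storage detected. Installing MegaCLI…"
      # Unpack into a private mktemp dir instead of the fixed /tmp/lsi: a
      # predictable path under world-writable /tmp can be pre-created or
      # symlinked by any local user before root unzips and runs rpm there.
      local workdir
      workdir="$(mktemp -d)" || die "mktemp failed"
      pushd "${workdir}" >/dev/null
      wget -q https://docs.broadcom.com/docs-and-downloads/raid-controllers/raid-controllers-common-files/8-07-14_MegaCLI.zip -O MegaCLI.zip
      unzip -o MegaCLI.zip >/dev/null
      # NOTE(review): neither this RPM nor lsi.zip below is checksum- or
      # signature-verified, and rpm -ivh does not refuse an unsigned or
      # unknown-key package. Pin SHA-256 values once they are recorded.
      rpm -ivh ./*inux/MegaCli-*.noarch.rpm || true
      ln -sf /opt/MegaRAID/MegaCli/MegaCli64 /sbin/MegaCli64
      ln -sf /opt/MegaRAID/MegaCli/MegaCli64 /usr/local/sbin/MegaCli64
      popd >/dev/null
      rm -rf -- "${workdir}"
      pushd ~ >/dev/null
      wget -q https://www.bigscoots.com/downloads/lsi.zip -O lsi.zip
      # NOTE(review): -o overwrites in root's home; the archive's member list
      # is trusted here. lsi.sh runs hourly as root from the cron entry below.
      unzip -o lsi.zip >/dev/null
      chmod +x lsi.sh || true
      # Add crontab if not present
      (crontab -l 2>/dev/null || true) | grep -q 'lsi.sh checkNemail' || \
        (crontab -l 2>/dev/null; echo "0 * * * * ~/lsi.sh checkNemail") | crontab -
      rm -f /etc/cron.daily/raid || true
      popd >/dev/null
      ok "MegaCLI & LSI monitoring configured."
    else
      ok "No mdraid or LSI/Broadcom controller detected."
    fi
  fi
}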

############################
# SSH hardening
############################
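# configure_sshd: move sshd to SSH_PORT_NEW, turn off reverse-DNS lookups and
# restrict root to key-based login, then validate and reload.
configure_sshd() {
  log "Configuring SSHD…"
  local cfg="/etc/ssh/sshd_config"
  backup_file "$cfg"

  # For each directive: rewrite the existing (possibly commented-out) line in
  # place, otherwise append. All three greps use -E on purpose — in a basic
  # regex '?' is a literal character, so '^#?UseDNS' never matched, the sed
  # branch never ran, and a fresh line was appended on every execution while
  # any earlier active value kept winning (sshd uses the first value it sees).
  if grep -qiE '^#?Port[[:space:]]+[0-9]+' "$cfg"; then
    sed -i -E "s/^#?Port[[:space:]]+[0-9]+/Port ${SSH_PORT_NEW}/I" "$cfg"
  else
    echo "Port ${SSH_PORT_NEW}" >> "$cfg"
  fi

  if grep -qiE '^#?UseDNS' "$cfg"; then
    sed -i -E "s/^#?UseDNS.*/UseDNS no/I" "$cfg"
  else
    echo "UseDNS no" >> "$cfg"
  fi

  # PermitRootLogin without-password is now 'prohibit-password' on many builds
  if grep -qiE '^#?PermitRootLogin' "$cfg"; then
    sed -i -E "s/^#?PermitRootLogin.*/PermitRootLogin without-password/I" "$cfg"
  else
    echo "PermitRootLogin without-password" >> "$cfg"
  fi

  # Newer OpenSSH packages ship an Include of a drop-in directory at the top
  # of this file; anything set there is read first and overrides our edits.
  if grep -qiE '^[[:space:]]*Include[[:space:]]' "$cfg"; then
    warn "$cfg contains an Include directive; drop-in files may override the settings above."
  fi

  # Never reload an unvalidated config — a syntax error would leave sshd down
  # on a remote host once the current session ends.
  if have sshd; then
    sshd -t -f "$cfg" || die "sshd_config failed validation; restore the .bak copy before retrying."
  fi
  systemctl reload sshd || systemctl restart sshd
  ok "SSHD reloaded. New port: ${SSH_PORT_NEW}. Remember to allow it in firewall if applicable."
}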

############################
# Email config placeholders
############################
# configure_emails: write PRIMARY_EMAIL / SECONDARY_EMAIL into the two
# centminmod .ini files (one address per file).
configure_emails() {
  log "Writing BigScoots email placeholders…"
  local dir="/etc/centminmod"
  mkdir -p "${dir}"
  printf '%s\n' "${PRIMARY_EMAIL}"   > "${dir}/email-primary.ini"
  printf '%s\n' "${SECONDARY_EMAIL}" > "${dir}/email-secondary.ini"
  ok "Email placeholders set."
}

############################
# GitHub access (read-only key & config)
############################
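# configure_github_access: fetch the read-only deploy key to RKEY_PATH, pin
# github.com's host key, create a personal ed25519 key if absent, and point
# ssh at the deploy key for github.com.
configure_github_access() {
  log "Configuring GitHub SSH access…"
  mkdir -p /root/.ssh
  chmod 700 /root/.ssh

  # Certificate verification stays ON for the key download: with
  # --no-check-certificate anyone on the network path could hand us a key of
  # their choosing, and this is the identity every later git operation uses.
  # umask 077 in the subshell makes the file 0600 from creation instead of
  # 0644 for the moment between wget finishing and chmod running.
  ( umask 077 && wget -q -O "${RKEY_PATH}" "${RKEY_URL}" )
  chmod 600 "${RKEY_PATH}"

  # Pin github.com so git does not prompt. This is trust-on-first-use;
  # compare against GitHub's published fingerprints when provisioning.
  if ! grep -q "^github.com" /root/.ssh/known_hosts 2>/dev/null; then
    ssh-keyscan github.com >> /root/.ssh/known_hosts
    chmod 600 /root/.ssh/known_hosts
  fi

  # Ensure personal key exists (harmless if already present)
  if [[ ! -f /root/.ssh/id_ed25519 ]]; then
    ssh-keygen -t ed25519 -f /root/.ssh/id_ed25519 -q -N "" <<< y >/dev/null 2>&1 || true
  fi

  # Ensure matching ssh config stanza
  local sshcfg="/root/.ssh/config"
  [[ -f "$sshcfg" ]] || { touch "$sshcfg"; chmod 600 "$sshcfg"; }
  if ! grep -q 'Host github.com' "$sshcfg"; then
    cat <<EOT >> "$sshcfg"
Host github.com
 HostName github.com
 IdentityFile ${RKEY_PATH}
EOT
  fi
  ok "GitHub SSH config set."
}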

############################
# Repo fetch/update
############################
# fetch_bigscoots_repo: make BS_INSTALLDIR a checkout of GITHUB_REPO — pull
# into an existing clone, otherwise wipe the path and clone fresh.
fetch_bigscoots_repo() {
  log "Fetching BigScoots repo to ${BS_INSTALLDIR}…"
  local dest="${BS_INSTALLDIR}"
  if [[ -d "${dest}/.git" ]]; then
    # Existing checkout: park local edits, then pull from the configured remote.
    git -C "${dest}" stash >/dev/null 2>&1 || true
    git -C "${dest}" pull "${GITHUB_REPO}" || die "git pull failed"
  else
    # Anything else at the path is discarded in favour of a clean clone.
    rm -rf "${dest}" || true
    mkdir -p "$(dirname "${dest}")"
    git clone "${GITHUB_REPO}" "${dest}" || die "git clone failed"
  fi
  ok "Repo ready at ${dest}."
}

############################
# Postfix
############################
# configure_postfix: force inet_protocols = ipv4 in main.cf (IPv6 is disabled
# on this host) and (re)start postfix.
configure_postfix() {
  log "Configuring Postfix for IPv4 only…"
  local maincf="/etc/postfix/main.cf"
  backup_file "$maincf"
  if ! grep -q '^inet_protocols' "$maincf"; then
    echo 'inet_protocols = ipv4' >> "$maincf"
  else
    sed -i 's/^inet_protocols.*/inet_protocols = ipv4/' "$maincf"
  fi
  systemctl enable --now postfix
  systemctl restart postfix
  ok "Postfix restarted (IPv4)."
}

############################
# Cron jobs
############################
# configure_cron: append CRON_JOB to root's crontab unless an entry for
# mon_disk.sh is already there.
configure_cron() {
  log "Ensuring monitoring cron job exists…"
  local existing
  existing="$(crontab -l 2>/dev/null || true)"
  if ! grep -Fq "${BS_INSTALLDIR}/mon_disk.sh" <<<"${existing}"; then
    (crontab -l 2>/dev/null; echo "${CRON_JOB}") | crontab -
  fi
  ok "Cron configured."
}

############################
# Misc
############################
# cleanup_misc: drop mlocate (its nightly updatedb is unwanted on a DB host).
cleanup_misc() {
  log "Removing mlocate (if present)…"
  # dnf exits non-zero when the package is absent; that is not an error here.
  dnf -y remove mlocate || true
  ok "Removed mlocate if it was installed."
}

# write_bspath: make sure LOG_DIR exists (already created at script start;
# kept as an explicit, idempotent step).
write_bspath() {
  mkdir -p -- "${LOG_DIR}"
  ok "Ensured ${LOG_DIR} exists."
}

# notify_slack: post a completion message via the repo's slack.sh helper.
# Any failure is swallowed — notification must never fail the install.
notify_slack() {
  log "Sending Slack completion notice (best effort)…"
  local serverip=""
  if ! have ifconfig; then
    serverip="$(hostname -I 2>/dev/null | awk '{print $1}' || true)"
  else
    # First non-loopback IPv4 address ifconfig reports.
    serverip="$(ifconfig | grep -Eo 'inet (addr:)?([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*' | grep -v '127.0.0.1' | head -1 || true)"
  fi
  local msg=":warning: $(hostname) - ${serverip} - DB Dedi install completed"
  bash "${BS_INSTALLDIR}/general/slack.sh" "#team-chat" "${msg}" \
    >> "${LOG_DIR}/ovzinstaller.log" 2>&1 || true
}

############################
# Main
############################
# main: run every provisioning step in order, then print the operator
# checklist and send the Slack notice.
main() {
  require_root
  log "=== BigScoots new server install started on $(hostname) ==="

  # Order matters: install_packages first (chrony, postfix, git, wget, unzip
  # are used by later steps), the GitHub key/config before the repo fetch,
  # and the repo before the cron job that points into it. Under `set -e`
  # a failing step aborts the run exactly as a direct call would.
  local step
  for step in \
      install_packages configure_time configure_selinux disable_ipv6 \
      configure_raid_monitoring configure_sshd configure_emails write_bspath \
      configure_github_access fetch_bigscoots_repo configure_postfix \
      configure_cron cleanup_misc; do
    "${step}"
  done

  log
  ok "Install complete."
  printf '\n'
  printf '%s\n' "SSH now listens on port ${SSH_PORT_NEW}. Test from another session before closing this one:"
  printf '%s\n' "  ssh -p ${SSH_PORT_NEW} root@$(hostname -I 2>/dev/null | awk '{print $1}')"
  printf '\n'
  printf '%s\n' "SELinux is set to 'disabled' in /etc/selinux/config. A REBOOT is recommended to fully apply."
  printf '\n'

  notify_slack
}

main "$@"