Subversion (SVN)

SVN Server
subscription-manager repos --enable rhel-7-server-optional-rpms

yum install -y httpd mod_ssl elinks subversion mod_dav_svn mod_ldap

lvcreate -L 12g -n svn_lv /dev/system lvdisplay /dev/system/svn_lv mkfs.xfs /dev/system/svn_lv echo "/dev/system/svn_lv /var/lib/svn xfs defaults,nosuid,nodev 0 0" >> /etc/fstab

mkdir -p /var/lib/svn mount /var/lib/svn chown -R apache:root /var/lib/svn

for REPO in repo1 repo2 do    svnadmin create /var/lib/svn/${REPO} --fs-type fsfs cp -p /var/lib/svn/${REPO}/hooks/post-commit.tmpl /var/lib/svn/${REPO}/hooks/post-commit chmod a+x /var/lib/svn/${REPO}/hooks/post-commit sed -i 's+^mailer.py.*$+[ -x "/opt/viewvc/bin/svndbadmin" ] \&\& /opt/viewvc/bin/svndbadmin update "$REPOS" "$REV"+g' /var/lib/svn/${REPO}/hooks/post-commit chown -R apache /var/lib/svn/${REPO} done

echo '  SetHandler server-status Require host localhost  ' > /etc/httpd/conf.d/server-status.conf

echo ' ProxyRequests Off TraceEnable off ServerTokens Prod  AllowMethods GET POST  LimitRequestFields     100 LimitRequestFieldSize 8190 LimitRequestLine      8190 LimitXMLRequestBody  51200 SSLStrictSNIVHostCheck on SSLProtocol             all -SSLv3 SSLCipherSuite         HIGH:!MEDIUM:!LOW:!MD5:!RC4:!3DES:!DSS:!aNULL:!eNULL:!EXP SSLHonorCipherOrder    on SSLCompression          off SSLProxyEngine         off  SSLOptions +StdEnvVars   SSLOptions +StdEnvVars  ' > /etc/httpd/conf.d/httpd-sec.conf
 * 1) When running a reverse proxy only,
 * 2) do not allow forward proxy requests
 * 1) Disable TRACE method
 * 1) Restrict Server Banner
 * 1) Restrict HTTP methods
 * 1) Limits
 * 2) LimitRequestBody    102400
 * 1) SSL
 * 1) SSLSessionTickets     off

echo '  ServerName svnserver.example.com ServerAlias svn.example.com # Document Root DocumentRoot "/var/www/html/svn" # Log ErrorLog logs/svnserver.example.com-error_log CustomLog logs/svnserver.example.com-access_log combined # Security Headers #Header always set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; upgrade-insecure-requests;" Header always set X-Frame-Options "SAMEORIGIN" Header always set X-Xss-Protection "1; mode=block" Header always set X-Content-Type-Options "nosniff" Header always set Set-Cookie "HTTPOnly" # Allow all HTTP methods  AllowMethods reset  # repositories Include conf.d/svnserver.example.com.include   ServerName svnserver.example.com ServerAlias svn.example.com # Document Root DocumentRoot "/var/www/html/svn" # Log ErrorLog logs/svnserver.example.com-error_log CustomLog logs/svnserver.example.com-access_log combined # SSL config SSLEngine on    SSLCertificateFile      /etc/pki/tls/certs/svnserver.example.com.crt SSLCertificateKeyFile  /etc/pki/tls/private/svnserver.example.com.key SSLCertificateChainFile /etc/pki/tls/certs/svnserver.example.com.chain # Security Headers Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" #Header always set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; upgrade-insecure-requests;" Header always set X-Frame-Options "SAMEORIGIN" Header always set X-Xss-Protection "1; mode=block" Header always set X-Content-Type-Options "nosniff" Header always set Set-Cookie "secure; HTTPOnly" # Allow all HTTP methods  AllowMethods reset  # repositories Include conf.d/svnserver.example.com.include  ' > /etc/httpd/conf.d/svnserver.example.com.conf

echo ' # repositories  DAV svn SVNParentPath /var/lib/svn SVNListParentPath on     AuthBasicProvider ldap AuthType Basic AuthName "Subversion server" AuthLDAPURL "ldap://ldap.example.com/dc=example,dc=ch?sAMAccountName?sub?(objectClass=*)" AuthLDAPBindDN "CN=svn,OU=Users,DC=example,DC=ch" AuthLDAPBindPassword "********" AuthUserFile /dev/null require ldap-group CN=SVN_repo1,OU=Groups,DC=example,DC=ch </Location>  AuthBasicProvider ldap AuthType Basic AuthName "Subversion server" AuthLDAPURL "ldap://ldap.example.com/dc=example,dc=ch?sAMAccountName?sub?(objectClass=*)" AuthLDAPBindDN "CN=svn,OU=Users,DC=example,DC=ch" AuthLDAPBindPassword "********" AuthUserFile /dev/null require ldap-group CN=SVN_repo2,OU=Groups,DC=example,DC=ch </Location> ' > /etc/httpd/conf.d/svnserver.example.com.include

systemctl enable httpd.service systemctl start httpd.service

setsebool -P httpd_can_connect_ldap 1 setsebool -P httpd_can_network_connect 1 setsebool -P httpd_can_sendmail 1

semanage fcontext -a -t httpd_sys_content_t    '/var/lib/svn/*/conf(/.*)?' semanage fcontext -a -t httpd_sys_script_exec_t '/var/lib/svn/*/hooks(/.*)?' restorecon -RF /var/www restorecon -RF /var/lib/svn

setsebool -P httpd_unified 1 cd /etc/semodules grep post-commit /var/log/audit/audit.log | audit2allow -M svn_post-commit semodule -i svn_post-commit.pp

CVS Server
yum install -y cvs xinetd

lvcreate -L 10g -n cvs_lv /dev/system lvdisplay /dev/system/cvs_lv mkfs.xfs /dev/system/cvs_lv echo "/dev/system/cvs_lv /var/lib/cvs xfs defaults,nosuid,nodev 0 0" >> /etc/fstab

groupadd -g 500 cvsadm groupadd -g 501 cvsdev useradd -u 504 -g cvsadm -c "CVS Administrator" -d /home/cvsadm -s /bin/bash -m cvsadm passwd -d cvsadm useradd -u 506 -g cvsdev -G cvswaf -c "CVS Developer" -d /home/cvsdev -s /bin/bash -m cvsdev passwd -d cvsdev mkdir -p /var/lib/cvs mount /var/lib/cvs mkdir -p /var/lib/cvs/CVSROOT chown cvsdev:cvsdev /var/lib/cvs chown cvsadm:cvsdev /var/lib/cvs/CVSROOT chmod g+w /var/lib/cvs ln -s /var/lib/cvs /home/cvsrootdev

su - cvsadm -c "cvs -d /home/cvsrootdev init" chown cvsadm:cvsdev /var/lib/cvs/CVSROOT/Emptydir /var/lib/cvs/CVSROOT/history /var/lib/cvs/CVSROOT/val-tags

echo ' service cvspserver {        disable         = no         port            = 2401 socket_type    = stream protocol       = tcp wait           = no         user            = root passenv        = PATH server         = /usr/bin/cvs env            = HOME=/home/cvsrootdev server_args    = -f --allow-root=/home/cvsrootdev pserver } ' > /etc/xinetd.d/cvs

echo 'cvs: ALL : ALLOW' >> /etc/hosts.allow

systemctl enable xinetd.service systemctl start xinetd.service

semanage fcontext -a -t cvs_data_t '/var/lib/cvs(/.*)?' restorecon -RF /var/lib/cvs

echo ' <VirtualHost *:80> ServerName cvsserver.example.com ServerAlias cvs.example.com # Document Root DocumentRoot "/var/www/html/cvs" # Log ErrorLog logs/cvsserver.example.com-error_log CustomLog logs/cvsserver.example.com-access_log combined # Security Headers #Header always set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; upgrade-insecure-requests;" Header always set X-Frame-Options "SAMEORIGIN" Header always set X-Xss-Protection "1; mode=block" Header always set X-Content-Type-Options "nosniff" <Directory /var/www/html/cvs/cvspasswd/> AddHandler cgi-script .cgi Options +ExecCGI </Directory> # Force the use of HTTPS RewriteEngine on    RewriteCond   %{HTTPS} !=on RewriteRule  ^(.*) https://%{SERVER_NAME} [L,R] </VirtualHost> <VirtualHost *:443> ServerName cvsserver.example.com ServerAlias cvs.example.com # Document Root DocumentRoot "/var/www/html/cvs" # Log ErrorLog logs/cvsserver.example.com-error_log CustomLog logs/cvsserver.example.com-access_log combined # SSL config SSLEngine on    SSLCertificateFile      /etc/pki/tls/certs/cvsserver.example.com.crt SSLCertificateKeyFile  /etc/pki/tls/private/cvsserver.example.com.key SSLCertificateChainFile /etc/pki/tls/certs/cvsserver.example.com.chain # Security Headers Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" #Header always set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; upgrade-insecure-requests;" Header always set X-Frame-Options "SAMEORIGIN" Header always set X-Xss-Protection "1; mode=block" Header always set X-Content-Type-Options "nosniff" <Directory /var/www/html/cvs/cvspasswd/> AddHandler cgi-script .cgi Options +ExecCGI </Directory> </VirtualHost> ' > /etc/httpd/conf.d/cvsserver.example.com.conf

systemctl restart httpd.service

semanage fcontext -a -t httpd_sys_script_exec_t '/var/www/html/cvs/[^/]*/.*\.cgi' restorecon -RF /var/www/html/cvs

ViewVC
subscription-manager repos --enable rhel-7-server-optional-rpms

yum install -y --nogpgcheck subversion-python subversion-tools rcs cvsgraph gd python-pygments

tar xfz viewvc-*.tar.gz viewvc-*/viewvc-install

This is the ViewVC 1.1.24 installer. It will allow you to choose the install path for ViewVC. You will now be asked some installation questions. Defaults are given in square brackets. Just hit [Enter] if a default is okay. Installation path [/usr/local/viewvc-1.1.24]: /opt/viewvc-1.1.24 DESTDIR path (generally only used by package maintainers) []:

ln -sf viewvc-1.1.24 /opt/viewvc sed -i -e 's+^#use_cvsgraph = 0+use_cvsgraph = 1+g' \ -e 's+^#cvsgraph =.*+cvsgraph = /usr/bin/cvsgraph+g' \ -e 's+^#allowed_views = annotate, diff, markup, roots+allowed_views = annotate, co, diff, markup, roots+g' \ -e 's+^#cvs_roots =.*+cvs_roots = CVS: /var/lib/cvs+g' \ -e 's+^#svn_roots =.*+svn_roots = repo1: /var/lib/svn/repo1,\n           repo2: /var/lib/svn/repo2+g' \ /opt/viewvc/viewvc.conf

echo '# # <Directory "/opt/viewvc/bin/cgi"> Options FollowSymLinks AllowOverride None Require all granted </Directory> <IfModule alias_module> ScriptAlias /viewvc/ "/opt/viewvc/bin/cgi/" </IfModule> ' > /etc/httpd/conf.d/viewvc.conf
 * 1) ViewVC

systemctl restart httpd.service

ViewVC - Commit Database
yum install -y mariadb mariadb-server MySQL-python

lvcreate -L 2g -n mysql_lv /dev/system lvdisplay /dev/system/mysql_lv mkfs.xfs /dev/system/mysql_lv echo "/dev/system/mysql_lv /var/lib/mysql xfs defaults,nosuid,nodev 0 0" >> /etc/fstab

mkdir -p /var/lib/mysql mount /var/lib/mysql chown mysql:mysql /var/lib/mysql restorecon -RF /var/lib/mysql

sed -i '/^\[mysqld\]/a open_files_limit = 8192\nmax_connections = 1000\nmax_allowed_packet = 64M' /etc/my.cnf.d/server.cnf

systemctl enable mariadb.service systemctl start mariadb.service

mysqladmin --user=root password somepassword mysqladmin --user=root --password reload mysqladmin --user=root --password create ViewVC mysql --user=root --password ViewVC mysql> GRANT ALL ON ViewVC.* TO viewvc@localhost IDENTIFIED BY 'somepassword'; mysql> flush privileges; mysql> quit

/opt/viewvc/bin/make-database --dbname=ViewVC --hostname=localhost --port=3306 --username=root

sed -i -e 's+^#enabled = 0+enabled = 1+g' \ -e 's+^#host =.*+host = localhost+g' \ -e 's+^#port = 3306+port = 3306+g' \ -e 's+^#database_name = ViewVC+database_name = ViewVC+g' \ -e 's+^#user =.*+user = viewvc+g' \ -e 's+^#passwd =.*+passwd = somepassword+g' \ -e 's+^#readonly_user =.*+readonly_user = viewvc+g' \ -e 's+^#readonly_passwd =.*+readonly_passwd = somepassword+g' \ -e 's+^#row_limit = 1000+row_limit = 1000+g' \ -e 's+^#rss_row_limit = 100+rss_row_limit = 100+g' \ -e 's+^#check_database_for_root = 0+check_database_for_root = 0+g' \ /opt/viewvc/viewvc.conf

MySQL/MariaDB daily backup
echo '# # 0 3 * * * /opt/bin/mysql_backup.sh' >> /var/spool/cron/root
 * 1) MySQL/MariaDB daily backup

echo ' [mysqldump] user=root password= ' >> ~/.my.cnf

chmod go= ~/.my.cnf mkdir -p /opt/backup

echo ' # # # DUMPDIR=/opt/backup DUMPOPT="--all-databases" DBUSER=root MAILTO=admin@example.com mysqldump --user $DBUSER $DUMPOPT > $DUMPDIR/mysql-databases.sql if [ $? -ne 0 ]; then echo "MySQL/MariaDB databases backup failed." | mail -s "MySQL/MariaDB daily backup on $(hostname -f)" $MAILTO fi ' > /opt/bin/mysql_backup.sh
 * 1) MySQL/MariaDB databases backup script
 * 1) Note: password is retrived from ~/.my.cnf

chmod a+x /opt/bin/mysql_backup.sh

Links

 * ViewVC Download