Note
At the time of writing, MongoDB has not packaged the Community Edition for Debian 12 (Bookworm), so the Debian 11 (Bullseye) repository is used below.
# Tools needed to import repository signing keys and fetch them over HTTPS.
sudo apt-get install -y curl gnupg
# Install MongoDB 7.0 Community Edition [2]
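# MongoDB 7.0 apt repository. Bullseye packages are used on Bookworm (see the Note above).
# The source is fetched over http, but apt validates the repository against the
# dearmored signing key referenced by signed-by.
curl -fsSL https://pgp.mongodb.com/server-7.0.asc \
  | sudo gpg --dearmor -o /usr/share/keyrings/mongodb-server-7.0.gpg
echo "deb [ signed-by=/usr/share/keyrings/mongodb-server-7.0.gpg ] http://repo.mongodb.org/apt/debian bullseye/mongodb-org/7.0 main" \
  | sudo tee /etc/apt/sources.list.d/mongodb-org-7.0.list
sudo apt-get update
sudo apt-get install -y mongodb-org
# Pin the installed release: hold every mongodb-org package so a routine
# 'apt-get upgrade' cannot move MongoDB to an untested version.
for pkg in mongodb-org mongodb-org-database mongodb-org-server mongodb-mongosh mongodb-org-mongos mongodb-org-tools; do
  echo "$pkg hold" | sudo dpkg --set-selections
done
sudo systemctl enable mongod
sudo systemctl start mongod
sudo systemctl status --no-pager mongod
# Install Node.js 20 using NodeSource [3]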
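# NodeSource signing key and apt source for the Node.js 20 line.
curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key \
  | sudo gpg --dearmor -o /usr/share/keyrings/nodesource.gpg
NODE_MAJOR=20
echo "deb [signed-by=/usr/share/keyrings/nodesource.gpg] https://deb.nodesource.com/node_$NODE_MAJOR.x nodistro main" \
  | sudo tee /etc/apt/sources.list.d/nodesource.list
# Prefer NodeSource's nodejs over Debian's own package.
# printf instead of 'echo -e': escape handling in echo is not portable.
printf 'Package: *\nPin: origin deb.nodesource.com\nPin: release o=. nodistro\nPin-Priority: 900\n\n' \
  | sudo tee /etc/apt/preferences.d/99nodejs
sudo apt-get update
sudo apt-get install -y nodejs
# Hold nodejs as well so the runtime version stays the one GenieACS was tested with.
echo "nodejs hold" | sudo dpkg --set-selections
# Install GenieACS 1.2.9 [4]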
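sudo npm install -g genieacs@1.2.9
# NOTE(review): 'npm shrinkwrap' acts on the package in the current directory, not on the
# global install above — confirm this step is intended.
sudo npm shrinkwrap
# Dedicated unprivileged account for all four GenieACS services.
sudo useradd --system --no-create-home --user-group genieacs
sudo mkdir -p /opt/genieacs/ext
sudo chown genieacs:genieacs /opt/genieacs/ext
# Create the environment file with its final owner and mode 0600 *before* anything is
# written to it: it will hold the JWT secret and later the database password, so it
# must never exist world-readable, not even briefly.
sudo install -m 0600 -o genieacs -g genieacs /dev/null /opt/genieacs/genieacs.env
sudo sh -c "cat > /opt/genieacs/genieacs.env" << 'EOF'
GENIEACS_CWMP_ACCESS_LOG_FILE=/var/log/genieacs/genieacs-cwmp-access.log
GENIEACS_NBI_ACCESS_LOG_FILE=/var/log/genieacs/genieacs-nbi-access.log
GENIEACS_FS_ACCESS_LOG_FILE=/var/log/genieacs/genieacs-fs-access.log
GENIEACS_UI_ACCESS_LOG_FILE=/var/log/genieacs/genieacs-ui-access.log
GENIEACS_DEBUG_FILE=/var/log/genieacs/genieacs-debug.yaml
NODE_OPTIONS=--enable-source-maps
GENIEACS_EXT_DIR=/opt/genieacs/ext
EOF
# Random secret for UI session tokens; '>/dev/null' keeps it off the terminal.
node -e "console.log(\"GENIEACS_UI_JWT_SECRET=\" + require('crypto').randomBytes(128).toString('hex'))" \
  | sudo tee -a /opt/genieacs/genieacs.env >/dev/null
sudo chown genieacs:genieacs /opt/genieacs/genieacs.env
sudo chmod 600 /opt/genieacs/genieacs.env
sudo mkdir -p /var/log/genieacs
sudo chown genieacs:genieacs /var/log/genieacs
# One systemd unit per service (cwmp, nbi, fs, ui). All run as 'genieacs' with the shared
# environment file; the unquoted heredoc expands $svc on this shell.
for svc in cwmp nbi fs ui; do
  sudo sh -c "cat > /etc/systemd/system/genieacs-$svc.service" << EOF
[Unit]
Description=GenieACS ${svc^^}
After=network.target mongod.service

[Service]
User=genieacs
EnvironmentFile=/opt/genieacs/genieacs.env
ExecStart=/usr/bin/genieacs-$svc
Restart=on-failure
# Basic sandboxing: no privilege escalation, private /tmp, no access to home
# directories, read-only /usr, /boot and /etc (/var/log and /opt stay writable).
NoNewPrivileges=true
PrivateTmp=true
ProtectHome=true
ProtectSystem=full

[Install]
WantedBy=default.target
EOF
done
# Rotate access and debug logs daily, keeping 30 compressed generations.
sudo sh -c "cat > /etc/logrotate.d/genieacs" << 'EOF'
/var/log/genieacs/*.log /var/log/genieacs/*.yaml {
    daily
    rotate 30
    compress
    delaycompress
    dateext
}
EOF
sudo systemctl enable genieacs-cwmp genieacs-nbi genieacs-fs genieacs-ui
sudo systemctl start genieacs-cwmp genieacs-nbi genieacs-fs genieacs-ui
sudo systemctl status --no-pager genieacs-cwmp genieacs-nbi genieacs-fs genieacs-ui
# MongoDB - Create User Administrator [5]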
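# Open an unauthenticated mongosh session (access control is not enabled yet) and run the
# commands below inside it. passwordPrompt() asks for the password interactively, so it
# is neither typed on a command line nor recorded in history.
mongosh
use admin
db.createUser(
  {
    user: "admin",
    pwd: passwordPrompt(),
    roles: [
      { role: "userAdminAnyDatabase", db: "admin" },
      { role: "readWriteAnyDatabase", db: "admin" }
    ]
  }
)
exit
# Turn on access control: uncomment 'security:' in mongod.conf and add
# 'authorization: enabled' beneath it, then restart mongod.
sudo sed 's/#security:/security:\n authorization: enabled/' -i /etc/mongod.conf
sudo systemctl restart mongod
# MongoDB - Create GenieACS user [6]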
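# Authenticate as the new administrator ('-p' with no value prompts for the password)
# and create the application account, limited to readWrite on the genieacs database.
mongosh --authenticationDatabase "admin" -u "admin" -p
use genieacs
db.createUser(
  {
    user: "genieacs",
    pwd: passwordPrompt(),
    roles: [ { role: "readWrite", db: "genieacs" } ]
  }
)
exit
# GenieACS - Change MongoDB Connection String [7]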
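MONGODB_GENIEACS_USER=genieacs
# Prompt for the password instead of assigning it on the command line, so it does not
# end up in the shell history. Reserved URL characters in the password
# (: / ? # [ ] @ %) must be percent-encoded for the connection string.
read -rs -p 'MongoDB password for genieacs: ' MONGODB_GENIEACS_PASSWORD
printf '\n'
# Append the connection URL to the (0600) env file; '>/dev/null' keeps it off the terminal.
printf 'GENIEACS_MONGODB_CONNECTION_URL=mongodb://%s:%s@127.0.0.1/genieacs?authSource=genieacs\n' \
  "$MONGODB_GENIEACS_USER" "$MONGODB_GENIEACS_PASSWORD" \
  | sudo tee -a /opt/genieacs/genieacs.env >/dev/null
unset MONGODB_GENIEACS_PASSWORD
sudo systemctl restart genieacs-cwmp genieacs-nbi genieacs-fs genieacs-ui
# Bind every service to loopback only; NGINX terminates TLS in front of them.
sudo sh -c "cat >> /opt/genieacs/genieacs.env" << 'EOF'
GENIEACS_CWMP_INTERFACE=127.0.0.1
GENIEACS_NBI_INTERFACE=127.0.0.1
GENIEACS_FS_INTERFACE=127.0.0.1
GENIEACS_UI_INTERFACE=127.0.0.1
EOF
sudo systemctl restart genieacs-cwmp genieacs-nbi genieacs-fs genieacs-ui
# Install NGINX Open Source [8]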
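# nginx.org signing key and apt source (Bullseye packages, as for MongoDB above).
curl -fsSL https://nginx.org/keys/nginx_signing.key \
  | sudo gpg --dearmor -o /usr/share/keyrings/nginx-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] http://nginx.org/packages/debian bullseye nginx" \
  | sudo tee /etc/apt/sources.list.d/nginx.list
# Prefer nginx.org packages over Debian's.
# printf instead of 'echo -e': escape handling in echo is not portable.
printf 'Package: *\nPin: origin nginx.org\nPin: release o=nginx\nPin-Priority: 900\n\n' \
  | sudo tee /etc/apt/preferences.d/99nginx
sudo apt-get update
sudo apt-get install -y nginx
sudo systemctl enable nginx
sudo systemctl start nginx
sudo systemctl status --no-pager nginx
# Generate Self-signed Certificate [9]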
Important
Change the domain genieacs.local and static IP 172.17.2.211 to those appropriate for your network setup.
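cd ~
# Key and certificate are generated in a subshell under umask 077, so the private key
# is never world-readable — not even before the chmod below. The validity period is
# given explicitly because 'openssl req -x509' otherwise defaults to 30 days
# (365 is chosen here; adjust to your rotation policy).
(
  umask 077
  openssl req -x509 -days 365 -out genieacs.crt -keyout genieacs.key -newkey rsa:4096 -nodes -sha256 \
    -subj '/CN=genieacs.local' -extensions EXT -config <( \
    printf "[dn]\nCN=genieacs.local\n[req]\ndistinguished_name = dn\n[EXT]\nsubjectAltName=DNS:genieacs.local,IP:172.17.2.211\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth")
)
sudo mv genieacs.crt /opt/genieacs/
sudo mv genieacs.key /opt/genieacs/
# The NGINX master process reads both files as root: keep the key root-owned and 0600;
# the certificate is public.
sudo chown root:root /opt/genieacs/genieacs.crt /opt/genieacs/genieacs.key
sudo chmod 0644 /opt/genieacs/genieacs.crt
sudo chmod 0600 /opt/genieacs/genieacs.key
# Warning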
The GenieACS UI and GenieACS NBI should not be exposed to the WAN.
Important
Change the domain genieacs.local and static IP 172.17.2.211 to those appropriate for your network setup.
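# Address of the proxy whose Forwarded header GenieACS will trust.
# NOTE(review): NGINX below proxies over loopback (upstreams on 127.0.0.1), so the peer
# address GenieACS actually sees is 127.0.0.1 — confirm against the GenieACS
# documentation whether this value should be 127.0.0.1 rather than the listen IP.
echo "GENIEACS_FORWARDED_HEADER=172.17.2.211" | sudo tee -a /opt/genieacs/genieacs.env
sudo systemctl restart genieacs-cwmp genieacs-nbi genieacs-fs genieacs-ui
# NGINX: TLS termination and reverse proxy in front of the four loopback-bound services.
sudo sh -c "cat > /etc/nginx/conf.d/genieacs.conf" << 'EOF'
ssl_certificate /opt/genieacs/genieacs.crt;
ssl_certificate_key /opt/genieacs/genieacs.key;
# TLS 1.2+ only; relax this only if a legacy CPE cannot negotiate it.
ssl_protocols TLSv1.2 TLSv1.3;

upstream genieacs-ui {
    keepalive 100;
    server 127.0.0.1:3000;
}
upstream genieacs-cwmp {
    keepalive 100;
    server 127.0.0.1:7547;
}
upstream genieacs-nbi {
    keepalive 100;
    server 127.0.0.1:7557;
}
upstream genieacs-fs {
    keepalive 100;
    server 127.0.0.1:7567;
}

# UI (8443): restricted to the LAN, like the NBI — see the Warning above.
server {
    listen 172.17.2.211:8443 ssl http2;
    server_name genieacs.local;
    allow 172.17.2.0/24;
    deny all;
    location / {
        root /usr/lib/node_modules/genieacs/public;
        try_files $uri @genieacs-ui;
    }
    location @genieacs-ui {
        proxy_pass http://genieacs-ui;
        # Allow fast streaming HTTP/1.1 pipes (keep-alive, unbuffered)
        proxy_http_version 1.1;
        proxy_request_buffering off;
        proxy_buffering off;
        proxy_set_header Forwarded "by=\"_$hostname\";$for_addr;proto=$scheme;host=\"$http_host\"";
    }
}

# CWMP (7547): the CPE-facing endpoint.
server {
    listen 172.17.2.211:7547 ssl http2;
    server_name genieacs.local;
    location / {
        proxy_pass http://genieacs-cwmp;
        # Allow fast streaming HTTP/1.1 pipes (keep-alive, unbuffered)
        proxy_http_version 1.1;
        proxy_request_buffering off;
        proxy_buffering off;
        proxy_set_header Forwarded "by=\"_$hostname\";$for_addr;proto=$scheme;host=\"$http_host\"";
    }
}

# NBI (7557): management API, LAN only.
server {
    listen 172.17.2.211:7557 ssl http2;
    server_name genieacs.local;
    location / {
        allow 172.17.2.0/24;
        deny all;
        proxy_pass http://genieacs-nbi;
        # Allow fast streaming HTTP/1.1 pipes (keep-alive, unbuffered)
        proxy_http_version 1.1;
        proxy_request_buffering off;
        proxy_buffering off;
        proxy_set_header Forwarded "by=\"_$hostname\";$for_addr;proto=$scheme;host=\"$http_host\"";
    }
}

# FS (7567): file server CPEs download firmware/config from.
server {
    listen 172.17.2.211:7567 ssl http2;
    server_name genieacs.local;
    location / {
        proxy_pass http://genieacs-fs;
        # Allow fast streaming HTTP/1.1 pipes (keep-alive, unbuffered)
        proxy_http_version 1.1;
        proxy_request_buffering off;
        proxy_buffering off;
        proxy_set_header Forwarded "by=\"_$hostname\";$for_addr;proto=$scheme;host=\"$http_host\"";
    }
}

# Forwarded for= client IP address formatting
map $remote_addr $for_addr {
    ~^[0-9.]+$ "for=$remote_addr"; # IPv4 client address
    ~^[0-9A-Fa-f:.]+$ "for=\"[$remote_addr]\""; # IPv6 bracketed and quoted
    default "for=unknown"; # Unix socket
}
EOF
sudo systemctl restart nginx
# Install firewalld [10]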
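sudo apt-get install -y firewalld
sudo systemctl status --no-pager firewalld
sudo firewall-cmd --state
# NOTE: 'eth0' is the LAN interface of the reference host — adjust to yours.
sudo firewall-cmd --zone=public --change-interface eth0
sudo firewall-cmd --remove-service dhcpv6-client
# Default-drop for everything not explicitly allowed (permanent config; applied by --reload below).
sudo firewall-cmd --permanent --zone=public --set-target DROP
# With inversion enabled only the listed ICMP types are accepted, i.e. just echo-request.
# NOTE(review): this may also drop destination-unreachable/packet-too-big (path-MTU
# discovery) and, if IPv6 is in use, neighbour discovery — confirm that is intended.
sudo firewall-cmd --add-icmp-block-inversion
sudo firewall-cmd --add-icmp-block echo-request
sudo firewall-cmd --list-all
sudo firewall-cmd --runtime-to-permanent
# Custom 'cwmp' service: only the CPE-facing ports (7547 CWMP, 7567 file server) are
# opened in the public zone; UI (8443) and NBI (7557) are not.
sudo firewall-cmd --permanent --new-service=cwmp
sudo firewall-cmd --permanent --service=cwmp --set-description="CPE WAN Management Protocol (CWMP) provides support functions for auto-configuration, software or firmware image management, software module management, status and performance managements, and diagnostics."
sudo firewall-cmd --permanent --service=cwmp --add-port=7547/tcp
sudo firewall-cmd --permanent --service=cwmp --add-port=7567/tcp
sudo firewall-cmd --permanent --zone=public --add-service=cwmp
sudo firewall-cmd --reload
# Install WireGuard [11]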
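sudo apt-get install -y wireguard
# Server key pair. The private key is written under umask 077 and kept off the terminal;
# only the public key is echoed.
(umask 077; wg genkey | sudo tee /etc/wireguard/private.key >/dev/null)
sudo chmod 600 /etc/wireguard/private.key
sudo sh -c 'wg pubkey < /etc/wireguard/private.key' | sudo tee /etc/wireguard/public.key
# wg0 configuration. The heredoc is unquoted so $(...) substitutes the private key on
# this shell, avoiding a manual paste. PostUp/PreDown keep firewalld in sync with the
# tunnel. No [Peer] is defined yet; peers added with 'wg set' are persisted by SaveConfig.
sudo sh -c 'umask 077; cat > /etc/wireguard/wg0.conf' << EOF
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = $(sudo cat /etc/wireguard/private.key)
SaveConfig = true
PostUp = firewall-cmd --permanent --zone=internal --add-interface=wg0
PostUp = firewall-cmd --permanent --zone=public --add-port=51820/udp
PostUp = firewall-cmd --permanent --zone=public --add-masquerade
PostUp = firewall-cmd --reload
PreDown = firewall-cmd --permanent --zone=public --remove-masquerade
PreDown = firewall-cmd --permanent --zone=public --remove-port=51820/udp
PreDown = firewall-cmd --permanent --zone=internal --remove-interface=wg0
PreDown = firewall-cmd --reload
EOF
sudo chmod 600 /etc/wireguard/wg0.conf
# Enable IPv4 forwarding (uncomment the line in sysctl.conf) and apply it.
sudo sed '/net.ipv4.ip_forward=1/s/^#//' -i /etc/sysctl.conf
sudo sysctl -p
sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0
# 'genieacs' zone for VPN clients: UI (8443) and NBI (7557) only, from the WireGuard
# subnet only (10.8.0.0/24 — the network address, not a host address).
sudo firewall-cmd --permanent --new-zone=genieacs
# A new zone exists only in the permanent configuration until reloaded; without this
# reload the runtime commands below fail with INVALID_ZONE.
sudo firewall-cmd --reload
sudo firewall-cmd --zone=genieacs --add-source=10.8.0.0/24
sudo firewall-cmd --zone=genieacs --add-port=8443/tcp --add-port=7557/tcp
sudo firewall-cmd --runtime-to-permanent
# Move the UI and NBI listeners from the LAN address to the WireGuard address.
sudo sed '/:8443 ssl http2;$/s/172.17.2.211/10.8.0.1/' -i /etc/nginx/conf.d/genieacs.conf
sudo sed '/:7557 ssl http2;$/s/172.17.2.211/10.8.0.1/' -i /etc/nginx/conf.d/genieacs.conf
sudo systemctl restart nginx
# Presumably the access rules for the UI and NBI in genieacs.conf are to be changed to
# the VPN subnet as well (the original page shows this snippet without further context),
# followed by another NGINX restart:
#   allow 10.8.0.0/24;
#   deny all;
# Footnotes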
-
https://cdimage.debian.org/mirror/cdimage/archive/11.7.0/amd64/iso-cd/ ↩
-
https://www.mongodb.com/docs/manual/tutorial/install-mongodb-on-debian/ ↩
-
http://docs.genieacs.com/en/latest/installation-guide.html ↩
-
https://www.mongodb.com/docs/manual/tutorial/configure-scram-client-authentication/#std-label-create-user-admin ↩
-
https://www.mongodb.com/docs/manual/tutorial/create-users/ ↩
-
https://www.mongodb.com/docs/manual/reference/connection-string/ ↩
-
https://docs.nginx.com/nginx/admin-guide/installing-nginx/installing-nginx-open-source/ ↩
-
https://letsencrypt.org/docs/certificates-for-localhost/ https://www.digitalocean.com/community/tutorials/openssl-essentials-working-with-ssl-certificates-private-keys-and-csrs ↩
-
https://www.digitalocean.com/community/tutorials/how-to-set-up-wireguard-on-debian-11 ↩