So, I was tasked to install OpenEMR (https://www.open-emr.org/) on Oracle Linux 8.

First things first, when installing Oracle Linux 8, it has a number of differences from CentOS 8 and RHEL 8. Nothing major, but different. I might post about it later if I feel like it.

Once your minimal install is ready, you log in with SSH and run everything as listed below.

Install Oracle's EPEL repo

sudo dnf install -y oracle-epel-release-el8

Enable Oracle's CodeReadyBuilder repo

sudo dnf config-manager --enable ol8_codeready_builder

Update the system to current (also forces dnf makecache)

sudo dnf upgrade -y --refresh

Install all of the required system packages

sudo dnf install -y wget httpd mod_ssl mariadb-server tar @php:7.4 php-mbstring php-xml php-json php-pdo php-gd php-pecl-zip php-soap php-mysqlnd php-ldap ImageMagick ImageMagick-devel php-devel php-pear make 

Install the imagick PHP plugin

• This is interactive, you ill need to hit enter once

sudo pecl install imagick

Set the module to load with PHP

echo "extension=imagick.so" | sudo tee -a /etc/php.d/20-imagick.ini

Modify some PHP settings base don the OpenEMR wiki

• Only changing things different than default in OEL8)

# https://www.open-emr.org/wiki/index.php/FAQ#What_are_the_correct_PHP_settings_.28can_be_found_in_the_php.ini_file.29.3F
sudo sed -i 's/^#\?\(max_execution_time\).*$/\1 = 60/' /etc/php.ini
sudo sed -i 's/^#\?\(max_input_time\).*$/\1 = -1/' /etc/php.ini
sudo sed -i 's/^;#\?\(max_input_vars\).*$/\1 = 3000/' /etc/php.ini
sudo sed -i 's/^#\?\(memory_limit\).*$/\1 = 512M/' /etc/php.ini
sudo sed -i 's/^#\?\(post_max_size\).*$/\1 = 30M/' /etc/php.ini
sudo sed -i 's/^#\?\(upload_max_filesize\).*$/\1 = 30M/' /etc/php.ini
sudo sed -i 's/^#\?\(error_reporting\).*$/\1 = E_ALL \& ~E_NOTICE \& ~E_STRICT \& ~E_DEPRECATED/' /etc/php.ini
sudo sed -i 's/^;#\?\(mysqli.allow_local_infile\).*$/\1 = On/' /etc/php.ini

Open the firewall to HTTPS and HTTP

• hardening will be a separate post

sudo firewall-cmd --add-service=http --permanent
sudo firewall-cmd --add-service=https --permanent
sudo firewall-cmd --reload

Start and enable mariadb

sudo systemctl enable --now mariadb

Secure mariadb.

• These commands do what mysql_secure_installation does interactively

sudo mysql -e "UPDATE mysql.user SET Password=PASSWORD('SomeSecure30CharacterPassword') WHERE User='root';"
sudo mysql -e "DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');"
sudo mysql -e "DELETE FROM mysql.user WHERE User='';"
sudo mysql -e "DROP DATABASE test;"
sudo mysql -e "FLUSH PRIVILEGES;"

Start and enable Apache

sudo systemctl enable --now httpd

Change to the web directory

cd /var/www/html

Download OpenEMR

sudo wget https://gigenet.dl.sourceforge.net/project/openemr/OpenEMR%20Current/6.0.0/openemr-6.0.0.tar.gz

Extract OpenEMR

sudo tar -pxvzf openemr-6.0.0.tar.gz

Remove the downloaded file

sudo rm openemr-6.0.0.tar.gz

Rename the extracted directory to remove the version number

sudo mv openemr-6.0.0/ openemr

Set apache as the owner of everything.

sudo chown -R apache:apache /var/www/html

Recursively set the folder httpd_sys_rw for SELinux

sudo semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html/openemr(/.*)?"
sudo restorecon -FR /var/www/html/openemr/

Create an Apache conf file for the instance

sudo nano /etc/httpd/conf.d/openemr.conf

And paste this in.

LoadModule rewrite_module modules/mod_rewrite.so
LoadModule allowmethods_module modules/mod_allowmethods.so

## Security Options
# Strong HTTP Protocol
HTTPProtocolOptions Strict
Protocols http/1.1
# Don't Reveal Server
ServerSignature off
ServerTokens Prod
Header unset Server
# No ETag
FileETag None
Header unset ETag
# Set HSTS and X-XSS protection
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header set X-XSS-Protection "1; mode=block"
# Narrow document root
DocumentRoot /var/www/html/openemr
ErrorLog /var/log/httpd/emr.domain.com_error_log
CustomLog /var/log/httpd/emr.domain.com_access_log combined


<Directory /var/www/html/openemr>
    # Only allow these HTTP Methods
    AllowMethods GET POST PUT DELETE HEAD OPTIONS
    # No indexes anywhere
    Options -Indexes
    AllowOverride FileInfo
    Require all granted
</Directory>

<Directory "/var/www/html/openemr/sites">
    AllowOverride None
</Directory>

<Directory "/var/www/html/openemr/sites/*/documents">
    Require all denied
</Directory>

#######################################
### Uncomment the following 3 lines ###
### with #'s below to enable HTTPS  ###
### redirection & require HTTPS only ##
#######################################
<VirtualHost *:80>
    #RewriteEngine On
    #RewriteCond %{HTTPS} off
    #RewriteRule (.*) https://%{HTTP_HOST}/$1 [R,L]
</VirtualHost>

<VirtualHost _default_:443>
    #   SSL Engine Switch:
    #   Enable/Disable SSL for this virtual host.
    SSLEngine on
    SSLHonorCipherOrder on
    #   Used following tool to produce below ciphers: https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=apache-2.4.39&openssl=1.1.1&hsts=yes&profile=modern
    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
    SSLProtocol -ALL +TLSv1.2
    SSLCertificateFile    /etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
</VirtualHost>

Reboot your system

sudo reboot

Open your web browser and go to the installed location

• Use IP address until you get SSL setup
  https://12.34.56.78

Run the initial configuration wizard

I guess some of this will get into exactly how does ProxMox backup server handle the differential or incremental back ups and how does it regenerate a full back up. I have not read enough of the documentation yet to know that answer myself.

@jclambert said in Offsite backup options for ProxMox deployment:

You are already using Synology. Have you looked at their cloud backup? I believe it even integrates with Backblaze and others.

I do that for sites now that are Hyper-V and Veeam.

Because I completely understand how Veeam works to create its back ups and I’m in control of how much data is going offsite per day. Remember I’m in non-symmetrical America Internet land.

Option 2:
Use the built in and use a connector that is IP auth'd

@stacksofplates said in RMM Service:

@scottalanmiller said in RMM Service:

write their own agent (like us

Could you give us more details on this? I'm really curious how you all wrote the agent. Like what language, whether you used gRPC or a message bus for the async communication, etc.

I read his statement as he figured out they needed to have their own agent instead of just using salt. As far as I know that is where SS stalled. Not that he made his own agent for SS.

@mr-jones said in New hire, make him build his own pc?:

@jaredbusch said in New hire, make him build his own pc?:

@mr-jones is part of his job to deal with OS setup? If not this just stupid waste of time.

Absolutely. Since his background isn't in Windows, setting up and configuring Windows is something he'd need to know.

Ok the. Make him do it on a spare machine. Or if on his machine, make sure he has a temp to use.

Also to make @scottalanmiller haooy change the title away from Build a pc. Since you only mean setup windows.

Years ago I used PHP Timeclock (http://timeclock.sourceforge.net/) for this, but that project seems to have died.

I poked around a some of the forks, but have not found one that seems really updated.
I found this one: https://github.com/andrew867/timeclock
That said to use this one: https://github.com/BoatrightTBC/timeclock
That one had a PR from this one: https://github.com/Kayoti/timeclock
The closest to decent I found was this one: https://github.com/hjelmua/php-timeclock-with-bootsrap

So anything else out there? I do not need billing, integration, etc.

Just a punch in and out and then query results, and dump to csv

@scottalanmiller said in Bash Script with Node JS:

first step... are you managing to download the page with CURL?

zero step - why not use the ticketing system as it should have this functionality natively in the GUI.

@scottalanmiller said in Did I connect these switches according to best practices?:

One switch has to be the core, the others should hang off of it and not be daisy chained.

Like this.

On the bottoms, cable modem.
Next up is the ER4. Singe Ethernet in from modem and single fiber up to the EdgeSwitch 12 Fiber, in this scenario, this is the core switch.

From EdgeSwitch 12 Fiber, all other switches are directly connected except 1 that I was unable to get fiber to.

Whether your interconnect is fiber or copper is not relevant to the discussion.

You have 1 switch that all other switches should be plugged in to. Period.

@laksh1999 said in Grep help:

want to grep

no you don't.

FFS how many times do I have to tell you.

Your data is json, use fucking jsontools.

jq is extremely powerful. Use it to correctly query your json data to get the result you need.

@obsolesce said in A Startdocprinter Call Was not Issued:

either spend days troubleshooting or days reimaging and setting up the device,

Days troubleshooting, yes.
Days reimagine and setting up, fuck no.

Even the shittiest place I have ever been was not days to do something like a reimage (once approved).

Even if you do like I do and reinstall from ISO instead of imaging, it is still only a couple of hours.

FFS @DustinB3403 just go away for a while.

Your initial response is a pile of flaming shit and things went stupid from there...

@mmicha said in Where to start...:

My company needs to start upgrading some of our infrastructure. Currently we are running on ESXi, with less than 15 VM's across two hosts. Everything is Windows (2012) and linux.

What are these actual workloads, excepting Exchange 2013?

You clarified that a bit here.

@mmicha said in Where to start...:

The systems I'm currently running that make up the major stuff are two domain controllers, file server, sql server, iis server, exchange server, wds, and accounting system.
The rest are mostly linux machines running ubiquiti controller, openvpn.

So, the first thing to do here is clean up the mess.

Why 2 domain controllers, still? You are virtualized and the hypervisor platform should not be domain joined, or at least not domain dependent if joined. This means you have zero need for this complexity. Immediately demote one and remove it from your network. If your DC fails, you simply restore from a backup. You do have paid VMWare and valid backups such as Veeam or something, right?

Why a separate Windows file server? That role should be on the DC. If you are going to use a separate entity, then build it on something without the Windows licensing such as a Fedora (pick your Linux flavor) VM running samba. The simple answer is to let it reside on the DC (it can be a separate virtual disk) and then continue to use the existing Windows domain permissions. Moving to a samba server would add learning.

Next SQL Server? /sigh.. So this I assume?

@mmicha said in Where to start...:

The accounting system is Sage ERP 300.

So ignore that, it does not get to go away or get changed until Management moves on to a new solution. The most you do in a redesign like this is recommend to the decision makers to change products.

No the IIS server... Just WTF on this...

@mmicha said in Where to start...:

The IIS system runs an internal costing and sales app. Our actual website is hosted elsewhere.

The assumption here is bad or untrained developer. Because no one intentionally develops for IIS. Move this workload to a better backend and stick it on the same service running your website. Well, assuming that your website is running on something modern.

Finally, what is the point of WDS? It has a purpose, but for what sounds like a small to mid sized company, what is the benefit to the complexity? What are you actually using it for?

@mmicha said in Where to start...:

Then you have everyone else it seems competing against them.

No one else can compete against them. There are basically only 3 cloud providers; Amazon, Microsoft, and Google.

No one else is cloud. Cloud is a specific type of design. You as IT need to understand that. @IRJ or @stacksofplates are free to expand on this as they work in this daily.

Any other use of the word is marketing. There is also nothing wrong with that, but when IT is designing their systems, they have to understand reality from marketing.

Work interrupted. There is the rest of my responses.

@voip_n00b said in DNS Filtering Service:

• WebTitan
• DNS Filter
• Umbrella
• Next DNS
• Webroot DNS

Leaning towards DNS Filter

DNSWatch is what WatchGuard turned Strongarm.io into. It was not originally available outside their appliances after the buyout, but it is now.

Already posted
https://mangolassi.it/post/539089

@beta said in RAID 6 in my backup VM host on spinning rust?:

Hear me out...I have a Dell server that I use as a Veeam replication target. This host is used as a backup in case my primary server dies - I just turn on the replicas and run from it until primary host is repaired.

This is not a backup. This is a replica. These are completely different things.

Do you actually have a backup?

I bought a drive from micro center but it does not fit in this damned Dell Optiplex 9020m.

Drive fits fine in my laptop.