1.) Install CentOS 7x64 minimal on 20GB drive
2.) Setup static IP and FQDN that you own so you can install security certificates (e.g. assets.domainname.com).
3.) Enable NTP and set timezone.
4.) Create partition scheme, 1GB /boot, 2xRAM swap, rest / on standard partitions.
5.) Software selection = minimal
6.) Set root and optionally user account passwords
7.) Reboot and perform a yum update
====8.) Install PHP 7, MariaDB, Apache and utils====
https://wiki.centos.org/HowTos/php7
yum -y install centos-release-scl.noarch
yum -y install epel-release
yum -y install rh-php71 rh-php71-php rh-php71-php-fpm rh-php71-php-bcmath rh-php71-php-mbstring rh-php71-php-mcrypt rh-php71-php-gd rh-php71-php-ldap rh-php71-php-mysqlnd mariadb-server httpd vim wget unzip git
systemctl enable rh-php71-php-fpm.service
systemctl start rh-php71-php-fpm.service
Add PHP7 to the system $PATH
echo 'pathmunge /opt/rh/rh-php71/root/usr/bin' > /etc/profile.d/rh-php71.sh
chmod +x /etc/profile.d/rh-php71.sh
Reload your profile (yes, there is a space between the . and /etc)
. /etc/profile
Install Composer
cd ~
curl -sS https://getcomposer.org/installer | php
mv composer.phar /usr/bin/composer
9.) Enable and start HTTPD, add firewall rules:
systemctl enable httpd ; systemctl start httpd
firewall-cmd --add-service=http --permanent
firewall-cmd --add-service=https --permanent
firewall-cmd --reload
10.) Delete /etc/httpd/conf.d/welcome.conf
rm /etc/httpd/conf.d/welcome.conf
====14.) Secure and setup the MariaDB installation====
Create a root password and record it and accept all other defaults.
systemctl enable mariadb
systemctl start mariadb
mysql_secure_installation
15.) Create database for Snipe-IT
Log in to the database server; when prompted, use the password you created during mysql_secure_installation
mysql -u root -p
Run the following commands to create the database, user, set permissions and apply (note: use a new unique password here)
CREATE DATABASE snipeit_db;
CREATE USER 'snipeit_dbuser'@'localhost' IDENTIFIED BY 'StrongPassword';
GRANT ALL PRIVILEGES ON snipeit_db.* TO 'snipeit_dbuser'@'localhost';
FLUSH PRIVILEGES;
EXIT;
====16.) Download Snipe-IT via git====
https://www.vultr.com/docs/how-to-install-snipe-it-on-centos-7
cd /var/www/
git clone https://github.com/snipe/snipe-it snipe-it
17.) Modify the environmental variables
cd /var/www/snipe-it
cp .env.example .env
vim .env
Set the following variables according to your install
APP_URL=http://snipe-it.domainname.com #Provide your domain name or IP address here
APP_TIMEZONE='US/Pacific' #Change it according to your country
DB_DATABASE=snipeit_db #Provide the database name you created earlier
DB_USERNAME=snipeit_dbuser #Provide database user's username
DB_PASSWORD=superSecretPW #Provide the DB user's password
MAIL_DRIVER=smtp
MAIL_HOST=mail.domain.name
MAIL_PORT=587
MAIL_USERNAME=snipeit_notifications@maildomain.com
MAIL_PASSWORD=someXcellentPW
MAIL_ENCRYPTION=TLS
MAIL_FROM_ADDR=snipeit_notifications@maildomain.com
MAIL_FROM_NAME='Your Asset Management System'
MAIL_REPLYTO_ADDR=noreply@maildomain.com
MAIL_REPLYTO_NAME='noreply@maildomain.com'
11.) Create a php file to check php-fpm
(Note: this is to check that php-fpm is activated and in use; we'll delete it later)
vim /var/www/snipe-it/public/index-fpm-test.php
Add the content:
====Set permissions====
useradd snipe
passwd snipe
usermod -a -G apache snipe
chown -R snipe:apache /var/www/snipe-it
chmod -R 775 /var/www/snipe-it/storage
chmod -R 775 /var/www/snipe-it/public/uploads
chmod 640 /var/www/snipe-it/.env
chcon -R -h -t httpd_sys_rw_content_t /var/www/snipe-it/storage/
chcon -R -h -t httpd_sys_rw_content_t /var/www/snipe-it/public/
setsebool -P httpd_can_connect_ldap on
setsebool -P httpd_can_network_connect on
setsebool -P httpd_can_sendmail on
====Install PHP dependencies via Composer====
Change to user snipe to run composer install then exit
su snipe
cd /var/www/snipe-it
composer install --no-dev --prefer-source
exit
Set permissions on downloaded vendor files
chown -R snipe:apache /var/www/snipe-it/vendor
Generate app key
php artisan key:generate --force
Populate SQL database
php artisan migrate --force
20.) Create a virtual host for Snipe-IT
vim /etc/httpd/conf.d/snipe-it.domainname.com.conf
Add the following
<VirtualHost *:80>
    ServerName snipe-it.domainname.com
    DocumentRoot /var/www/snipe-it/public
    <Directory /var/www/snipe-it/public>
        Options Indexes FollowSymLinks MultiViews
        DirectoryIndex index.php
        AllowOverride All
        Order allow,deny
        allow from all
    </Directory>
    <FilesMatch \.php$>
        SetHandler "proxy:fcgi://127.0.0.1:9000"
    </FilesMatch>
</VirtualHost>
Restart Apache
systemctl restart httpd
13.) Browse to ip.add.r.ess/index-fpm-test.php to verify the PHP version and that php-fpm is active
14.) Delete /var/www/snipe-it/public/index-fpm-test.php
rm /var/www/snipe-it/public/index-fpm-test.php
====Web UI Setup====
* Open a browser and go to snipe-it.domainname.com
* Check the .env permissions: you should get an error when trying to go to the link it references.
* Send yourself a test E-Mail to make sure it's working.
* Create Database tables (which were done already)
* Create User
* You should be in!
====Enable Active Directory Sync====
First be sure your host OS is using the DNS of your AD domain controllers if you want to use the DNS name of the server.
* Create a regular/limited user in AD to use as a sync account, name it accordingly and make notes
* Click on the "Gears" in the top right of the Snipe-IT UI, click on LDAP.
* Check "LDAP Enabled", "This is an Active Directory Server" and "LDAP Password Sync"
* "Active Directory Name" should be your AD domain name: internal.companyname.com
* "LDAP Server" should be: ldap://domaincontroller.internal.companyname.com (or ldap://ip.add.re.ss)
* "LDAP Bind Username" should be the AD account you just created and enter it as: ADaccountName@internal.companyname.com
* "Base Bind DN" is the base AD folder where you store your users: OU=Users,OU=CompanyName,DC=internal,DC=companyname,DC=com
* "LDAP Filter": &(cn=*)
* "Username Field": samaccountName
* "LDAP Authentication query": SAMAccountName= (note: this is different from the default)
* Leave everything else as is and click on "Save" at the bottom.
* Go back into the LDAP options and click on "Test LDAP"; if that's successful then enter a different username and password in the "Test LDAP Login" fields and click "Test LDAP". Note: the username doesn't need the @internal.companyname.com appended to it.
* Go to "People" on the left hand menu, then click on "LDAP Sync"
* Click on "Synchronize".
====Install Lets Encrypt Certificate====
https://github.com/ladybirdweb/faveo-helpdesk/wiki/Install-Let’s-Encrypt-SSL-on-CentOS-7-Running-Apache-Web-Server
Install dependent modules
yum install epel-release mod_ssl
Install the Let’s Encrypt client
yum install python-certbot-apache
Setup the certificate
certbot --apache -d example.com
Setup crontab to auto-renew the certificate
crontab -e
And enter something like
0 0 * * 1 /usr/bin/certbot renew >> /var/log/sslrenew.log
then add -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 to SSLProtocol
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
then add !RC4:!3DES to SSLCipherSuite
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA:!RC4:!3DES
then disable http in firewalld
firewall-cmd --remove-service=http --permanent
firewall-cmd --reload
====Install Commercial Certificate====
yum install mod_ssl
mkdir /root/certs/ && cd /root/certs/
openssl req -new -newkey rsa:4096 -days 1095 -nodes -keyout domain.name.com.key -out domain.name.com.csr
when asked for common name put full domain name you are trying to secure
Go to namecheap.com and get a positiveSSL certificate for 2 years, upload the contents of the CSR file for the request.
download and unzip the file in /root
then merge the bundle and crt files
cat domain.name_com.ca-bundle >> domain.name_com.crt
copy the domain.name_com.crt to /etc/pki/tls/certs
copy the domain.name.com.key to /etc/pki/tls/private
Set proper permissions for files
chmod 600 /etc/pki/tls/certs/domain.name_com.crt
chmod 600 /etc/pki/tls/private/domain.name.com.key
restorecon -RvF /etc/pki/tls/certs
restorecon -RvF /etc/pki/tls/private
Configure ssl.conf
vim /etc/httpd/conf.d/ssl.conf
find SSLCertificateFile and replace what comes after with /etc/pki/tls/certs/domain.name_com.crt
find SSLCertificateKeyFile and replace what comes after with /etc/pki/tls/private/domain.name.com.key
then add -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 to SSLProtocol
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
then add !RC4:!3DES to SSLCipherSuite
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA:!RC4:!3DES
vim /etc/httpd/conf.d/snipe-it.domainname.com.conf
Change the following
<VirtualHost *:80>
to
<VirtualHost *:443>
and add under the VirtualHost line (replacing xxx.crt and xxx.key with your files of course!)
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/xxx.crt
SSLCertificateKeyFile /etc/pki/tls/private/xxx.key
Restart Apache
systemctl restart httpd
Test the website at https://...
then disable http in firewalld
firewall-cmd --remove-service=http --permanent
firewall-cmd --reload
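As an added post-install check (not part of this guide or of Snipe-IT itself), the following Python script audits a copy of the .env file and the ssl.conf lines against the hardening steps above: https in APP_URL once TLS is on, no placeholder passwords left from the examples, MAIL_ENCRYPTION set to tls, the chmod 640 on .env, and the SSLProtocol/SSLCipherSuite exclusions. The sample .env and ssl.conf text embedded below are constructed from this page's own example values.

```python
import re
import stat

# Placeholder secrets from this guide's example .env; a real install must replace them.
PLACEHOLDER_SECRETS = {"StrongPassword", "superSecretPW", "someXcellentPW"}
LEGACY_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")
WEAK_CIPHERS = ("RC4", "3DES")

def parse_env(text):
    """Parse KEY=value lines of a Laravel .env, dropping quotes and trailing # comments."""
    env = {}
    for line in text.splitlines():
        key, sep, value = line.split("#", 1)[0].partition("=")
        if sep:
            env[key.strip()] = value.strip().strip("'\"")
    return env

def audit_env(text, st_mode):
    """Findings for .env content plus its st_mode; the guide sets chmod 640 on .env."""
    env, findings = parse_env(text), []
    if not env.get("APP_URL", "").startswith("https://"):
        findings.append("APP_URL is not https")
    for key in ("DB_PASSWORD", "MAIL_PASSWORD"):
        if env.get(key) in PLACEHOLDER_SECRETS:
            findings.append(f"{key} still uses the guide's placeholder")
    if env.get("MAIL_ENCRYPTION", "").lower() != "tls":
        findings.append("MAIL_ENCRYPTION is not tls")
    if stat.S_IMODE(st_mode) & 0o137:  # any permission bit outside rw-r----- (0640)
        findings.append(".env mode is wider than 640")
    return findings

def audit_ssl_conf(text):
    """Findings for SSLProtocol/SSLCipherSuite lines that still permit legacy protocols or ciphers."""
    findings = []
    proto = re.search(r"^\s*SSLProtocol\s+(.+)$", text, re.M)
    tokens = proto.group(1).split() if proto else []
    findings += [f"SSLProtocol still allows {p}" for p in LEGACY_PROTOCOLS if f"-{p}" not in tokens]
    suite = re.search(r"^\s*SSLCipherSuite\s+(\S+)", text, re.M)
    tokens = suite.group(1).split(":") if suite else []
    findings += [f"SSLCipherSuite does not exclude {c}" for c in WEAK_CIPHERS if f"!{c}" not in tokens]
    return findings

# Constructed sample: the guide's pre-TLS .env (mode 644) and its hardened ssl.conf lines.
SAMPLE_ENV = ("APP_URL=http://snipe-it.domainname.com #Provide your domain name here\n"
              "DB_PASSWORD=superSecretPW\nMAIL_ENCRYPTION=TLS\n")
SAMPLE_SSL = ("SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1\n"
              "SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA:!RC4:!3DES\n")
if __name__ == "__main__":
    for finding in audit_env(SAMPLE_ENV, 0o100644) + audit_ssl_conf(SAMPLE_SSL):
        print("FINDING:", finding)
```

On a live host, read the real files with open("/var/www/snipe-it/.env").read() and os.stat("/var/www/snipe-it/.env").st_mode in place of the samples.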