====== Install Nginx ======
===== Prep =====

  * These instructions are for Raspberry Pi OS based on Debian version 12 (bookworm).
  * You can issue the command **cat /etc/issue.net** to confirm the version. It should say **Debian GNU/Linux 12
**.
  * Make sure it is up to date.
<code bash>
# Get the latest package lists
sudo apt-get update
# Update the system to the latest
sudo apt-get upgrade
</code>
  * Install Nginx
<code bash>
sudo apt-get -y install nginx
</code>
  * Ensure the web server starts up and is running
<code bash>
sudo systemctl stop nginx.service
sudo systemctl start nginx.service
</code>
  * Navigate to the IP Address of the server where you installed **Nginx** using a browser to ensure Nginx serves content e.g. http://127.0.0.1

===== Configure Nginx to interpret .php files =====
  * The default install of **Nginx** does not support the serving of **.php** files.
  * We will install a program (actually a service) called **php-fpm**.
  * This service will listen for requests to interpret.
  * Install the php-fpm service by installing the default version 8.2 of the packages
<code bash>
sudo apt-get -y install php-fpm
sudo systemctl enable php8.2-fpm
sudo systemctl start php8.2-fpm
</code>
===== Modify Nginx =====
  * Now that the php-fpm service is installed we should change the default **Nginx** server to make use of it.
  * Edit the default server file:
<code bash>
sudo vi /etc/nginx/sites-enabled/default
</code>
  * Add //index.php// to this line:
<code>
# Add index.php to the list if you are using PHP
index index.php index.html index.htm index.nginx-debian.html;
</code>
  * Activate PHP processing by un-commenting this this section. Note that we use the UNIX socket and we are using **8.2** and not **7.4** which is specified originally in the config file.
<code bash>
# pass PHP scripts to FastCGI server
#
location ~ \.php$ {
    include snippets/fastcgi-php.conf;
    #
    #       # With php-fpm (or other unix sockets):
    fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
    #       # With php-cgi (or other tcp sockets):
    #       fastcgi_pass 127.0.0.1:9000;
}
</code>
  * Enable the hiding of .htaccess files
<code bash>
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
location ~ /\.ht {
    deny all;
}
</code>
  * Reload the **Nginx** web server's configuration
<code bash>
sudo systemctl reload nginx.service
</code>
  * Create a test //.php// file to confirm that it does work
<code bash>
sudo vi /var/www/html/test.php
</code>
  * Contents
<code php>
<?php
    phpinfo();
?>
</code>
  * Navigate to http://127.0.0.1/test.php and see if the page display the PHP info.

===== Install MariaDB =====
==== Why MariaDB? ====
  * We discovered that the version of MySQL that comes bundled by default with Debian 12 (bookworm) are breaking things on RADIUSdesk.
  * For this reason we install MariaDB as an alternative.
  * MariaDB is an open-source relational database management system, commonly used as an alternative for MySQL as the database portion of the popular LAMP (Linux, Apache, MySQL, PHP/Python/Perl) stack.
  * It is intended to be a drop-in replacement for MySQL.
  * Be sure to supply a root password for the MariaDB database when asked for it if you are security conscious else simply hit the ESC key.
<code bash>
sudo apt-get -y install mariadb-server php8.2-mysql
sudo systemctl enable mariadb
sudo systemctl restart mariadb
sudo systemctl status mariadb
</code>
==== Disable strict mode ====
  * With Debian 12 (bookworm), the bundled release of MariaDB is at version 15.1 which introduced a few Strict modes which have some problems with RADIUSdesk database implementation.
  * We will disable Strict SQL Mode in MariaDB by creating a new file /etc/mysql/conf.d/disable_strict_mode.cnf
<code bash>
sudo vi /etc/mysql/conf.d/disable_strict_mode.cnf
</code>
  * Enter these two lines:
<code bash>
[mysqld]
sql_mode=IGNORE_SPACE,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION
</code>
  * Save the file and restart the MySQL Server
<code bash>
sudo systemctl restart mariadb
</code>

===== Performance tune Nginx =====
==== Modify expiry date for certain files ====
  * Edit the ///etc/nginx/sites-available/default// file:
<code bash>
sudo vi /etc/nginx/sites-available/default
</code>
  * Add the following inside the server section:
<code bash>
location ~ ^/cake4/.+\.(jpg|jpeg|gif|png|ico|js|css)$ {
    rewrite ^/cake4/rd_cake/webroot/(.*)$ /cake4/rd_cake/webroot/$1 break;
    rewrite ^/cake4/rd_cake/(.*)$ /cake4/rd_cake/webroot/$1 break;
    access_log off;
    expires max;
    add_header Cache-Control public;
}
</code>
  * Add below only if you require backward compatibility (MESHdesk and APdesk).
<code bash>
location ~ ^/cake3/.+\.(jpg|jpeg|gif|png|ico|js|css)$ {
    rewrite ^/cake3/rd_cake/webroot/(.*)$ /cake3/rd_cake/webroot/$1 break;
    rewrite ^/cake3/rd_cake/(.*)$ /cake3/rd_cake/webroot/$1 break;
    access_log off;
    expires max;
    add_header Cache-Control public;
}
</code>
  * Reload Nginx:
<code bash>
sudo systemctl reload nginx.service
</code>

===== Install RADIUSdesk =====
  * The first part prepared everything to install **RADIUSdesk**.
  * This part will go through the steps to install the latest **RADIUSdesk**.
  * RADIUSdesk consists of three components.
        * **rd** directory with its contents contains all the HTML and JavaScript code and is used as the presentation layer.
        * **cake4** is a CakePHPv4 application and can be considered the engine room. Here the data is processed before being presented by the presentation layer.
        * **login** is a directory with various login pages which are centrally managed through the RADIUSdesk **Dynamic Login Pages** applet.
  * Later we will create various symbolic links from locations inside the rdcore directory to locations inside the web server's document root directory.

==== Required packages ====
  * Make sure the following packages are installed.
<code bash>
sudo apt-get -y install php-cli php-mysql php-gd php-curl php-xml php-mbstring php-intl php-sqlite3 git wget
sudo systemctl restart php8.2-fpm
</code>
  * Check out the rdcore git repository.
<code bash>
cd /var/www
sudo git clone https://github.com/RADIUSdesk/rdcore.git
</code>
  * This will create an rdcore directory containing some sub-folders.
  * It is recommended that you also include the RD Mobile UI.
  * Check out the rd_mobile git repository.
<code bash>
cd /var/www
sudo git clone https://github.com/RADIUSdesk/rd_mobile.git
</code>
==== Create soft links ====
  * We will create soft links in the directory where Nginx will serve the RADIUSdesk contents.
<code bash>
cd /var/www/html
sudo ln -s ../rdcore/rd ./rd
sudo ln -s ../rdcore/cake4 ./cake4
#If backward compatibility is required for older firmware of MESHdesk
sudo ln -s ../rdcore/cake4 ./cake3
sudo ln -s ../rdcore/login ./login
sudo ln -s ../rdcore/AmpConf/build/production/AmpConf ./conf_dev
sudo ln -s ../rdcore/cake4/rd_cake/setup/scripts/reporting ./reporting
#For the RD Mobile UI
sudo ln -s ../rd_mobile/build/production/RdMobile ./rd_mobile
</code>
==== Change Ownerships ====
  * Change the ownership of the following files to www-data so Nginx can make changes to the files/directories
<code bash>
sudo mkdir -p  /var/www/html/cake4/rd_cake/logs
sudo mkdir -p /var/www/html/cake4/rd_cake/webroot/files/imagecache
sudo mkdir -p /var/www/html/cake4/rd_cake/tmp
sudo chown -R www-data: /var/www/html/cake4/rd_cake/tmp
sudo chown -R www-data: /var/www/html/cake4/rd_cake/logs
sudo chown -R www-data: /var/www/html/cake4/rd_cake/webroot/img/realms
sudo chown -R www-data: /var/www/html/cake4/rd_cake/webroot/img/dynamic_details
sudo chown -R www-data: /var/www/html/cake4/rd_cake/webroot/img/dynamic_photos
sudo chown -R www-data: /var/www/html/cake4/rd_cake/webroot/img/access_providers
sudo chown -R www-data: /var/www/html/cake4/rd_cake/webroot/img/hardwares
sudo chown -R www-data: /var/www/html/cake4/rd_cake/webroot/files/imagecache
</code>
==== The Database ====
  * Make sure the timezone on the server is set to UTC (You can use **sudo raspi-config**)
  * Populate the timezone data on the DB
<code bash>
#NOTE FAILING THIS STEP will break the RADIUS graphs
#There might be some error messages in the output which is fine - no need to be alarmed
sudo su
mysql_tzinfo_to_sql /usr/share/zoneinfo | mysql -u root  mysql
</code>
  * Create an empty database called rd
<code bash>
sudo su
mysql -u root
create database rd;
GRANT ALL PRIVILEGES ON rd.* to 'rd'@'127.0.0.1' IDENTIFIED BY 'rd';
GRANT ALL PRIVILEGES ON rd.* to 'rd'@'localhost' IDENTIFIED BY 'rd';
exit;
</code>
  * Populate the database:
<code bash>
sudo mysql -u root rd < /var/www/html/cake4/rd_cake/setup/db/rd.sql
</code>
<WRAP center round tip 90%>
  * RADIUSdesk is under active development and sometimes we add SQL patches.
  * The SQL Patches are located under **/var/www/html/cake4/rd_cake/setup/db/**
  * These patches are non-destructive and you can run them against the database
  * See the pattern below
<code bash>
sudo mysql -u root rd < /var/www/rdcore/cake4/rd_cake/setup/db/8.068_add_email_sms_histories.sql 
</code>
</WRAP>
==== Configure Nginx ====
  * Configure Nginx to rewrite some RdCore URLs starting with ///cake4/rd_cake//.
  * Edit ///etc/nginx/sites-enabled/default//
<code bash>
sudo vi /etc/nginx/sites-enabled/default
</code>
  * Add this once section directly below **server_name** item. (This is so that this rule is hit first for the reporting side. We do not use CakePHP for the reporting anymore due to performance issues.
<code bash>
server_name _;
location /cake4/rd_cake/node-reports/submit_report.json {
    try_files $uri $uri/ /reporting/reporting.php;
}
</code>
  * If you need backward compatibility support (MESHdesk and APdesk) also add this section:
<code bash>
location /cake3/rd_cake/node-reports/submit_report.json {
    try_files $uri $uri/ /reporting/reporting.php;
}
</code>
  * Add the following configuration block inside the server section (This you can add towards the end):
<code bash>
location /cake4/rd_cake {
   rewrite ^/cake4/rd_cake(.+)$ /cake4/rd_cake/webroot$1 break;
   try_files $uri $uri/ /cake4/rd_cake/index.php$is_args$args;
}
</code>
  * If you need backward compatibility support (MESHdesk and APdesk) also add this section:
<code bash>
location /cake3/rd_cake {
   rewrite ^/cake3/rd_cake(.+)$ /cake3/rd_cake/webroot$1 break;
   try_files $uri $uri/ /cake3/rd_cake/index.php$is_args$args;
}
</code>
  * Reload the Nginx:
<code bash>
sudo systemctl reload nginx
</code>
==== Important URLs ====
  * The following URLs are important to reach the UI
  * To load the optimized UI, go to http://127.0.0.1/rd/build/production/Rd/
  * If you want to serve the content directly out of the webroot, do the following:
<code bash>
sudo cp -R /var/www/html/rd/build/production/Rd/* /var/www/html/
</code>
  * To load the RD Mobile UI, go to http://127.0.0.1/rd_mobile
=== Login Credentials ===
  * By default you can log in with the following credentials
Username: **root** Password: **admin**
===== Cron Scripts =====
  * RADIUSdesk requires a few scripts to run periodically in order to maintain a healthy and working system.
  * To activate the cron scripts execute the following command, which will add RADIUSdesk's crons scripts to the Cron system
<code bash>
sudo cp /var/www/html/cake4/rd_cake/setup/cron/cron4 /etc/cron.d/
</code>
  * If you want to change the default intervals at which the scripts get executed, just edit the /etc/cron.d/cron4 file.

===== Add LETSENCRYPT certificate =====
  * Rather than repeating existing documentation we will just add a URL with the instructions to do it.
  * You might want to run the following first before going to the instructions in the URL
<code bash>
sudo apt-get update
sudo apt-get -y install software-properties-common
</code>
  * https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-debian-11
===== Next steps =====
  * Be sure to also install FreeRADIUS