FeministWiki:Server setup: Difference between revisions

(69 intermediate revisions by the same user not shown)

Line 1:

~~'''!!! WORK IN PROGRESS !!!'''~~

These are the steps required to set up a new FeministWiki Debian server.

== Initial setup of the new server ==

This section describes various initialization tasks for the new server that are independent of the old server.

~~These are~~ the ~~steps required~~ to ~~set up a~~ new ~~FeministWiki Debian~~ server.

=== Configure reverse DNS ===

In the settings of the VPS host (e.g. Strato AG), you can configure reverse-DNS for the IP address of the server. Set the FQDN for the IP address to {{C|feministwiki.org}}. It's good to do this early since it can take some time to propagate.

=== Make feministwiki.dev point to the new server ===

During setup and testing of the new server, we want to make it accessible under the '''feministwiki.dev''' domain. So change the {{C|A}} entry of the feministwiki.dev DNS settings to point to the IP address of the new server.

=== Update & upgrade ===

Line 15:

Line 25:

Some of these are needed further down, some are just good to have.

apt-get install certbot

apt-get install automysqlbackup \

~~apt-get install~~ dnsutils

certbot \

~~apt-get install~~ emacs

dnsutils \

~~apt-get install~~ git

emacs \

~~apt-get install~~ mg

git \

~~apt-get install~~ moreutils

mg \

~~apt-get install~~ net-tools

moreutils \

~~apt-get install~~ nmap

net-tools \

~~apt-get install~~ software-properties-common

nmap \

~~apt~~-~~get install tree~~

rsync \

software-properties-common \

tree

=== Fetch scripts & config repo ===

Set up GitHub ssh access by copying the {{C|.ssh/id_rsa}} from the old server. After that:

cd ~

git clone git@github.com:FeministWiki/FeministWiki.git repo

cp -a repo/root/* repo/root/.??* .

sh repo/decrypt-pwd.sh

The decryption script will prompt you for a password the first time it's used. Enter the password stored in {{C|/root/pwd/meta}} on the old server.

=== Set up firewall ===

Line 34:

Line 57:

ufw enable

=== ~~Install server components~~ ===

=== Enable extra repositories ===

We ~~will now install all the software used for the various FeministWiki services. But first we~~ might want to add some additional package repositories so we can use the latest version of some of the used software.

We might want to add some additional package repositories so we can use the latest version of some of the used software.

Backports:

Backports is always OK to add since the packages don't get priority over the stable ones:

echo deb http://deb.debian.org/debian $(lsb_release -sc)-backports main > /etc/apt/sources.list.d/backports.list

Line 54:

Line 77:

echo "deb http://mirror.23media.de/mariadb/repo/10.4/debian $(lsb_release -sc) main" > /etc/apt/sources.list.d/mariadb.list

Now we can install ~~everything~~:

=== Install server components ===

Now we can install all the software used for the various FeministWiki services:

apt-get install apache2 \

dovecot-core \

dovecot-imapd \

dovecot-ldap \

dovecot-pop3d \

ejabberd \

fail2ban \

inspircd \

mailman \

mariadb-server \

opendkim \

postfix \

postfix-ldap \

slapd

If any installation asks you for a password, remember that most passwords are found in {{C|/root/pwd}}.

Example for installing ejabberd from backports instead:

apt-get install ejabberd/$(lsb_release -sc)-backports # e.g. ejabberd/buster-backports

=== Install PHP and modules ===

This should really be part of the last section, but due to the sheer number of PHP modules we want to install, it's in its own section:

php_version=7.4 # or whatever version we're on

apt-get install ~~apache2~~

apt-get install php${php_version} \

~~apt~~-~~get install dovecot~~-~~core~~

php${php_version}-apcu \

~~apt~~-~~get install ejabberd # good candidate for backports~~

php${php_version}-bcmath \

~~apt~~-~~get install fail2ban~~

php${php_version}-cli \

~~apt~~-~~get install inspircd~~

php${php_version}-ctype \

~~apt~~-~~get install mailman~~

php${php_version}-curl \

~~apt~~-~~get install mariadb~~-~~server~~

php${php_version}-gd \

~~apt~~-~~get install opendkim~~

php${php_version}-gmp \

~~apt~~-~~get install~~ php${php_version}

php${php_version}-iconv \

~~apt~~-~~get install~~ php${php_version}-mbstring

php${php_version}-imagick \

~~apt~~-~~get install~~ php${php_version}-~~xml~~

php${php_version}-intl \

~~apt~~-~~get install postfix~~

php${php_version}-json \

~~apt~~-~~get install slapd~~

php${php_version}-ldap \

php${php_version}-mbstring \

php${php_version}-mysql \

php${php_version}-opcache \

php${php_version}-readline \

php${php_version}-xml \

php${php_version}-zip

~~Example for installing ejabberd~~ from ~~backports instead~~:

=== Put config files in place ===

The principle is simple: take all the config files from {{C|/root/repo/etc}} and put them where they belong in {{C|/etc}}. However, since a new server might mean much newer software, it's possible that some config files aren't compatible anymore, or that some new sensible defaults might be overwritten by the old config. Sadly figuring out these incompatibilities is a manual process: compare the new default config with the old default config and to our current config, to figure out what our new config should look like.

~~apt~~-~~get install ejabberd~~/~~$(lsb_release -sc)-backports~~

There's a number of things important to remember however:

* After copying in the new {{C|/etc/aliases}} file, run {{C|newaliases}} for the changes to take effect

* After populating {{C|/etc/letsencrypt/renewal-hooks}}, remember to {{C|chmod +x}} all the scripts

* Likewise, don't forget {{C|chmod +x}} for <code>/etc/cron.{hourly,daily,weekly,monthly}</code> and {{C|/etc/boot.d}}

=== Enable Apache modules ===

=== Enable Apache modules, config, and sites ===

We need a number of Apache modules to be enabled which might not be enabled by default:

Line 85:

Line 146:

a2enmod rewrite

a2enmod ssl

a2enconf 99-feministwiki

a2ensite 000-wiki

a2ensite account

a2ensite blogs

a2ensite chat

a2ensite files

a2ensite forum

a2ensite mail

a2ensite xmpp

=== Create vmail user ===

groupadd -g 5000 vmail

useradd -u 5000 -g vmail -s /usr/sbin/nologin -d /home/vmail -m vmail

=== Initialize LetsEncrypt ===

First, initialize the certbot configuration:

~~=== Fetch scripts & config repo ===~~

certbot register -n --agree-tos -m technician@feministwiki.org

~~Set up GitHub ssh access by copying the <code>.ssh/id_rsa</code> from~~ the old server. ~~After that~~:

Since various DNS entries still point to the old server, we can't get a cert for the real domains yet. For now, just get one for feministwiki.dev:

~~cd ~~~

ufw allow 80

~~git clone git@github.com:FeministWiki/FeministWiki.git repo~~

letsencrypt-refresh --dev-only

cp -~~a repo~~/~~root~~/* .

ufw delete allow 80

~~sh repo/decrypt~~-~~pwd~~.sh

Our {{C|letsencrypt-refresh}} script makes sure that the cert files are found in {{C|/etc/fw-certs}} and that the private key and cert-and-key bundle are owned by the "ssl-cert" group and are readable by group members. A number of users have to be added to this group so they can read said files:

adduser ejabberd ssl-cert

adduser irc ssl-cert

== Copying over live data ==

We want to make a first run of this copy process purely for testing purposes. Note that although some of the steps described in this section take a long time to finish, they can be done in parallel.

=== LDAP databases ===

Stop the LDAP server and delete the existing configuration and data '''on the new server (careful!)''':

~~The decryption script will prompt you for a password~~ the ~~first time it's used~~. ~~Enter the password stored in <code>~~/~~root~~/~~pwd~~/~~meta<~~/~~code> on the old server~~.

# Commands to run on the NEW (fresh) server:

systemctl stop slapd

rm -r /etc/ldap/slapd.d/*

rm /var/lib/ldap/data.mdb

~~=== Put~~ config ~~files in place ===~~

Then copy over the config and data by running these commands from the old server:

~~The principle is simple: take all the config files from <code>/root/repo~~/etc~~</code> and put them where they belong in <code>~~/~~etc<~~/~~code>~~. ~~However, since a new server might mean much newer software, it~~'~~s possible that some config files aren~~'t compatible anymore, or that some new sensible defaults might be overwritten by the old config. Sadly figuring out these incompatibilities is a manual process (compare new default config with old config) and this guide cannot help you much.

slapcat -n 0 | ssh feministwiki.dev 'sudo -u openldap slapadd -n 0 -F /etc/ldap/slapd.d'

slapcat -n 1 | ssh feministwiki.dev 'sudo -u openldap slapadd -n 1'

~~There's one special thing to remember, which is that after copying~~ in ~~the new <code>/etc/aliases</code> file, you have to run the <code>newaliases</code> command for the changes to take effect.~~

==== Breaking changes in OpenLDAP ====

~~=== Create vmail user ===~~

There might be incompatible changes between OpenLDAP (aka {{C|slapd}}) versions which require manual editing of the {{C|slapcat}} output before it's read in on the new server with {{C|slapadd}}.

~~groupadd -g 5000 vmail~~

Here's one example that occurs when updating from OpenLDAP 2.4.42 or earlier to 2.4.43 or later: the ppolicy overlay has a new attribute in the newer version, so if you simply run the commands above, the first one (the one that copies the config database) will produce the following error message:

~~useradd -u 5000 -g vmail -~~s ~~/usr/sbin/nologin -d /home/vmail -m vmail~~

~~=== Initialize LetsEncrypt ===~~

User Schema load failed for attribute "pwdMaxRecordedFailure". Error code 17: attribute type undefined

The first run of Certbot has to be interactive, so we will do that now. Since the DNS entries still point to the old server, we can't get a cert for the real domains. For now, make '''feministwiki.dev''' point to the IP address of the new server, then proceed with the commands below.

The solution is as follows:

~~systemctl stop apache2~~

# On the new server, open {{C|/etc/ldap/schema/ppolicy.ldif}} and search for {{C|pwdMaxRecordedFailure}}. You will note that there is a {{C|olcAttributeTypes: ...}} entry that defines it, and also it's listed in the {{C|MAY}} attributes block of the {{C|olcObjectClasses: ...}} entry that defines the {{C|pwdPolicy}} object class.

~~certbot certonly --cert-name feministwiki~~.~~org~~ ~~# Yes~~, it ~~should be~~ .~~org~~ and ~~not~~ .~~dev~~

# On the old server, save the output of {{C|slapcat -n 0}} to a file, open the file, and search for the block where the {{C|ppolicy}} schema is defined. It should start with the line {{C|dn: cn={4}ppolicy,cn=schema,cn=config}} (the {{C|{4}}} part might contain a different integer, that's OK). There, note that the {{C|olcAttributeTypes: ...}} entry for {{C|pwdMaxRecordedFailure}} is missing, and also it's not listed in the {{C|MAY}} list of the {{C|pwdPolicy}} object class definition. Copy over the attribute type definition from the {{C|ppolicy.ldif}} file on the new server, and amend the {{C|MAY}} list to include it.

~~Then follow~~ the ~~on-screen instructions of certbot~~. ~~Use~~ the ~~"standalone" authentication method when asked~~, and ~~enter feministwiki.dev as the sole domain.~~

The above is explained only for instructive purposes, since this particular fix will already have been applied by the time someone reads this guide. It's meant to give you an idea as to how backwards incompatible changes in OpenLDAP schema files can be amended when migrating to a newer version. (Also, no such clear explanation of the fix seems to be found anywhere on the web, so maybe someone who searches the error message above will come upon this guide and be happy!)

=== ~~Stop services on old server~~ ===

=== Contents of /var/www ===

'''~~At this point, all services on~~ the old server ~~should be stopped, because we will now begin to transfer all the actual data.~~'''

This is very simple but takes a lot of time to finish. '''Run it from the old server:'''

~~=== Copy over LDAP databases ===~~

rsync -az --delete /var/www/ root@feministwiki.dev:/var/www

~~TODO~~

Note that the trailing slash in {{C|/var/www/}} is important; if not provided, it will copy the directory to {{C|/var/www/www}} on the new server.

=== ~~Copy over~~ SQL databases ===

=== SQL databases ===

~~The~~ following command ~~can be used to create a dump of all databases and import it on~~ the ~~new~~ server. You can use the <code>show databases;</code> command in the SQL console to make sure that the list of databases is complete. (Unfortunately they have to be listed manually, because using the <code>--all-databases</code> option includes system databases that we don't want.)

Run the following command from the old server:

mysqldump -u root -p"$(cat /root/pwd/mysql)" \

--add-drop-database \

--databases blogs \

~~feministblog \~~

feministfiles \

feministforum \

feministmail \

~~feministsocial \~~

feministwiki \

feministwiki_de \

Line 142:

Line 237:

feministwiki_pt \

fff \

| ssh root@feministwiki.dev '~~mysql~~ -~~u root~~ -~~p"$(cat~~ /root/~~pwd~~/~~mysql)~~"'

| gzip | ssh root@feministwiki.dev 'gunzip | /root/bin/sql'

You can use the {{C|show databases;}} command in the SQL console to make sure that the list of databases is complete. Unfortunately they have to be listed manually, because using the {{C|--all-databases}} option includes system databases that we don't want to copy.

=== Emails ===

This is a simple one. Run this command from the old server:

rsync -az --delete /home/vmail/ root@feministwiki.dev:/home/vmail

Note that the trailing slash in {{C|/home/vmail/}} is important.

=== Mailman data ===

GNU Mailman uses a filesystem-based "database" so we can transfer over its data as follows; run this from the old server:

~~=== Copy over~~ /var/~~www ===~~

cd /var/lib/mailman

rsync -az --delete archives data lists root@feministwiki.dev:/var/lib/mailman

~~This is very simple but takes a lot of time to finish~~:

And then this on the new server:

cd /~~var~~/~~www~~

check_perms -f

~~tar~~ -~~czf~~ - . ~~| ssh root~~@~~feministwiki~~.~~dev~~ 'cd /~~var~~/~~www~~; ~~tar~~ -~~xzf~~ -'

The {{C|check_perms}} command, which is part of GNU Mailman, will take care of fixing file ownership and permissions.

== Recreate SQL users ==

If the versions of MariaDB on the old and new server are compatible enough, you might be able to dump the {{C|mysql.user}} table and import it on the new server, but it's safer to recreate the users from scratch. To do so, run this on the new server:

/root/bin/sql << EOF

create user blogs@localhost identified by '$(cat ~/pwd/mysql-blogs)';

grant all on blogs.* to blogs@localhost;

create user feministfiles@localhost identified by '$(cat ~/pwd/mysql-files)';

grant all on feministfiles.* to feministfiles@localhost;

create user feministforum@localhost identified by '$(cat ~/pwd/mysql-forum)';

grant all on feministforum.* to feministforum@localhost;

create user feministmail@localhost identified by '$(cat ~/pwd/mysql-mail)';

grant all on feministmail.* to feministmail@localhost;

create user feministwiki@localhost identified by '$(cat ~/pwd/mysql-wiki)';

grant all on feministwiki.* to feministwiki@localhost;

grant all on feministwiki_de.* to feministwiki@localhost;

grant all on feministwiki_es.* to feministwiki@localhost;

grant all on feministwiki_it.* to feministwiki@localhost;

grant all on feministwiki_pt.* to feministwiki@localhost;

create user fff@localhost identified by '$(cat ~/pwd/mysql-fff)';

grant all on fff.* to fff@localhost;

EOF

== Test ==

It's important to test the new server to make sure everything works well!

=== Reboot ===

We could restart a lot of services manually to ensure they've read their new config, but it's easiest to just reboot. (The new server, obviously.)

=== Open ports ===

We ~~are finally ready~~ to ~~serve~~:

We need to open all the ports used by the various FeministWiki services:

for port in 25 80 443 465 587 993 995 5222 5223 5269 5270 5443 6697 7777

Line 159:

Line 306:

done

At this point you ~~might want~~ to ~~do some~~ testing ~~with~~ the '''~~feministwiki~~.~~dev~~''' ~~domain.~~

=== Test! ===

At this point you should test everything using the feministwiki.dev domain name.

Some things may not work because they're hard-coded to work as "feministwiki.org" and not under the "feministwiki.dev" name. This is a point of future improvement: all the services should be configured, if at all possible, in a way that they will work when invoked as feministwiki.dev just as well.

=== Deactivate again ===

After we're done testing, we can "deactivate" the new server again to prepare it for the final switch-over:

for port in 25 80 443 465 587 993 995 5222 5223 5269 5270 5443 6697 7777

do ufw delete allow proto tcp to 0.0.0.0/0 port $port

done

systemctl stop apache2

systemctl stop dovecot

systemctl stop ejabberd

systemctl stop inspircd

systemctl stop mailman

systemctl stop postfix

systemctl stop slapd

== Finishing up ==

'''Now, all services on the old server should be stopped, because we will begin the final transfer of live data.'''

=== Stop services on the old server ===

Stop all the services that interface with users and/or are responsible for modifying live data:

=== Reboot ===

systemctl stop apache2

systemctl stop dovecot

systemctl stop ejabberd

systemctl stop inspircd

systemctl stop mailman

systemctl stop postfix

systemctl stop slapd

Close all the relevant ports just to be double-sure:

for port in 25 80 443 465 587 993 995 5222 5223 5269 5270 5443 6697 7777

do ufw delete allow proto tcp to 0.0.0.0/0 port $port

done

=== Copy over the live data one more time ===

'''Simply repeat the whole section ''Copying over live data''.'''

The techniques and commands described above in the section ''Copying over live data'' are ''idempotent'', meaning you can simply repeat them and they will make sure that the new copy of the live data is fresh and doesn't leave any outdated data on the new server. For instance, the {{C|--delete}} argument to the {{C|rsync}} command and the {{C|--add-drop-database}} argument to the {{C|mysqldump}} command help to make sure of this.

So just repeat the steps from that section exactly one more time.

=== Reboot the new server ===

At this point we can reboot the new server again, to make sure all services are properly restarted.

=== Open ports on the new server ===

~~We could restart a lot of services manually, but it's easiest to just reboot.~~

Now we can open the ports again on the new server:

~~reboot~~

for port in 25 80 443 465 587 993 995 5222 5223 5269 5270 5443 6697 7777

do ufw allow proto tcp to 0.0.0.0/0 port $port

done

=== Update DNS entries ===

Line 181:

Line 384:

You only have to change three DNS entries, since most of the subdomains work via CNAME entries:

* The main ~~<code>~~A~~</code>~~ entry for ~~<code>~~@~~</code>~~ (self-reference i.e. feministwiki.org)

* The main {{C|A}} entry for {{C|@}} (self-reference i.e. feministwiki.org)

* The ~~<code>~~A~~</code>~~ entry for ~~<code>~~smtp~~</code>~~ since this is not allowed to be a CNAME

* The {{C|A}} entry for {{C|smtp}} since this is not allowed to be a CNAME

* The ~~<code>~~A~~</code>~~ entry for ~~<code>~~xmpp~~</code>~~ since this is not allowed to be a CNAME

* The {{C|A}} entry for {{C|xmpp}} since this is not allowed to be a CNAME

==== feministwiki.net, feministwiki.de, fem.wiki, fffrauen.de ====

For these, you only have to change the main ~~<code>~~A~~</code>~~ entry, since they don't use SMTP or XMPP.

For these, you only have to change the main {{C|A}} entry, since they don't use SMTP or XMPP.

=== Update the certificate ===

Run the ~~<code>~~letsencrypt-refresh~~</code>~~ script to get a new certificate which includes all our domain names, since we had started out with just feministwiki.dev.

Run the {{C|letsencrypt-refresh}} script to get a new certificate which includes all our domain names, since we had started out with just feministwiki.dev.

After this, everything should be functional. If not, it's time for some debugging!

@@ Line 1: / Line 1: @@
-'''!!! WORK IN PROGRESS !!!'''
+These are the steps required to set up a new FeministWiki Debian server.
+== Initial setup of the new server ==
+This section describes various initialization tasks for the new server that are independent of the old server.
-These are the steps required to set up a new FeministWiki Debian server.
+=== Configure reverse DNS ===
+In the settings of the VPS host (e.g. Strato AG), you can configure reverse-DNS for the IP address of the server.  Set the FQDN for the IP address to {{C|feministwiki.org}}.  It's good to do this early since it can take some time to propagate.
+=== Make feministwiki.dev point to the new server ===
+During setup and testing of the new server, we want to make it accessible under the '''feministwiki.dev''' domain.  So change the {{C|A}} entry of the feministwiki.dev DNS settings to point to the IP address of the new server.
 === Update & upgrade ===
@@ Line 15: / Line 25: @@
 Some of these are needed further down, some are just good to have.
-  apt-get install certbot
+  apt-get install automysqlbackup \
- apt-get install dnsutils
+                 certbot \
- apt-get install emacs
+                 dnsutils \
- apt-get install git
+                 emacs \
- apt-get install mg
+                 git \
- apt-get install moreutils
+                 mg \
- apt-get install net-tools
+                 moreutils \
- apt-get install nmap
+                 net-tools \
- apt-get install software-properties-common
+                 nmap \
-  apt-get install tree
+                 rsync \
+                 software-properties-common \
+                 tree
+=== Fetch scripts & config repo ===
+Set up GitHub ssh access by copying the {{C|.ssh/id_rsa}} from the old server.  After that:
+ cd ~
+ git clone git@github.com:FeministWiki/FeministWiki.git repo
+ cp -a repo/root/* repo/root/.??* .
+  sh repo/decrypt-pwd.sh
+The decryption script will prompt you for a password the first time it's used.  Enter the password stored in {{C|/root/pwd/meta}} on the old server.
 === Set up firewall ===
@@ Line 34: / Line 57: @@
   ufw enable
-=== Install server components ===
+=== Enable extra repositories ===
-We will now install all the software used for the various FeministWiki services.  But first we might want to add some additional package repositories so we can use the latest version of some of the used software.
+We might want to add some additional package repositories so we can use the latest version of some of the used software.
-Backports:
+Backports is always OK to add since the packages don't get priority over the stable ones:
   echo deb http://deb.debian.org/debian $(lsb_release -sc)-backports main > /etc/apt/sources.list.d/backports.list
@@ Line 54: / Line 77: @@
   echo "deb http://mirror.23media.de/mariadb/repo/10.4/debian $(lsb_release -sc) main" > /etc/apt/sources.list.d/mariadb.list
-Now we can install everything:
+=== Install server components ===
+Now we can install all the software used for the various FeministWiki services:
+ apt-get install apache2 \
+                 dovecot-core \
+                 dovecot-imapd \
+                 dovecot-ldap \
+                 dovecot-pop3d \
+                 ejabberd \
+                 fail2ban \
+                 inspircd \
+                 mailman \
+                 mariadb-server \
+                 opendkim \
+                 postfix \
+                 postfix-ldap \
+                 slapd
+If any installation asks you for a password, remember that most passwords are found in {{C|/root/pwd}}.
+Example for installing ejabberd from backports instead:
+ apt-get install ejabberd/$(lsb_release -sc)-backports # e.g. ejabberd/buster-backports
+=== Install PHP and modules ===
+This should really be part of the last section, but due to the sheer number of PHP modules we want to install, it's in its own section:
   php_version=7.4 # or whatever version we're on
-  apt-get install apache2
+  apt-get install php${php_version} \
- apt-get install dovecot-core
+                 php${php_version}-apcu \
- apt-get install ejabberd # good candidate for backports
+                 php${php_version}-bcmath \
- apt-get install fail2ban
+                 php${php_version}-cli \
- apt-get install inspircd
+                 php${php_version}-ctype \
- apt-get install mailman
+                 php${php_version}-curl \
- apt-get install mariadb-server
+                 php${php_version}-gd \
- apt-get install opendkim
+                 php${php_version}-gmp \
- apt-get install php${php_version}
+                 php${php_version}-iconv \
- apt-get install php${php_version}-mbstring
+                 php${php_version}-imagick \
- apt-get install php${php_version}-xml
+                 php${php_version}-intl \
- apt-get install postfix
+                 php${php_version}-json \
- apt-get install slapd
+                 php${php_version}-ldap \
+                 php${php_version}-mbstring \
+                 php${php_version}-mysql \
+                 php${php_version}-opcache \
+                 php${php_version}-readline \
+                 php${php_version}-xml \
+                 php${php_version}-zip
-Example for installing ejabberd from backports instead:
+=== Put config files in place ===
+The principle is simple: take all the config files from {{C|/root/repo/etc}} and put them where they belong in {{C|/etc}}.  However, since a new server might mean much newer software, it's possible that some config files aren't compatible anymore, or that some new sensible defaults might be overwritten by the old config.  Sadly figuring out these incompatibilities is a manual process: compare the new default config with the old default config and to our current config, to figure out what our new config should look like.
- apt-get install ejabberd/$(lsb_release -sc)-backports
+There's a number of things important to remember however:
+* After copying in the new {{C|/etc/aliases}} file, run {{C|newaliases}} for the changes to take effect
+* After populating {{C|/etc/letsencrypt/renewal-hooks}}, remember to {{C|chmod +x}} all the scripts
+* Likewise, don't forget {{C|chmod +x}} for <code>/etc/cron.{hourly,daily,weekly,monthly}</code> and {{C|/etc/boot.d}}
-=== Enable Apache modules ===
+=== Enable Apache modules, config, and sites ===
 We need a number of Apache modules to be enabled which might not be enabled by default:
@@ Line 85: / Line 146: @@
   a2enmod rewrite
   a2enmod ssl
+ a2enconf 99-feministwiki
+ a2ensite 000-wiki
+ a2ensite account
+ a2ensite blogs
+ a2ensite chat
+ a2ensite files
+ a2ensite forum
+ a2ensite mail
+ a2ensite xmpp
+=== Create vmail user ===
+ groupadd -g 5000 vmail
+ useradd -u 5000 -g vmail -s /usr/sbin/nologin -d /home/vmail -m vmail
+=== Initialize LetsEncrypt ===
+First, initialize the certbot configuration:
-=== Fetch scripts & config repo ===
+ certbot register -n --agree-tos -m technician@feministwiki.org
-Set up GitHub ssh access by copying the <code>.ssh/id_rsa</code> from the old server.  After that:
+Since various DNS entries still point to the old server, we can't get a cert for the real domains yet.  For now, just get one for feministwiki.dev:
-  cd ~
+  ufw allow 80
-  git clone git@github.com:FeministWiki/FeministWiki.git repo
+  letsencrypt-refresh --dev-only
-  cp -a repo/root/* .
+  ufw delete allow 80
-  sh repo/decrypt-pwd.sh
+Our {{C|letsencrypt-refresh}} script makes sure that the cert files are found in {{C|/etc/fw-certs}} and that the private key and cert-and-key bundle are owned by the "ssl-cert" group and are readable by group members.  A number of users have to be added to this group so they can read said files:
+  adduser ejabberd ssl-cert
+ adduser irc ssl-cert
+== Copying over live data ==
+We want to make a first run of this copy process purely for testing purposes.  Note that although some of the steps described in this section take a long time to finish, they can be done in parallel.
+=== LDAP databases ===
+Stop the LDAP server and delete the existing configuration and data '''on the new server (careful!)''':
-The decryption script will prompt you for a password the first time it's used.  Enter the password stored in <code>/root/pwd/meta</code> on the old server.
+ # Commands to run on the NEW (fresh) server:
+ systemctl stop slapd
+ rm -r /etc/ldap/slapd.d/*
+  rm /var/lib/ldap/data.mdb
-=== Put config files in place ===
+Then copy over the config and data by running these commands from the old server:
-The principle is simple: take all the config files from <code>/root/repo/etc</code> and put them where they belong in <code>/etc</code>.  However, since a new server might mean much newer software, it's possible that some config files aren't compatible anymore, or that some new sensible defaults might be overwritten by the old config.  Sadly figuring out these incompatibilities is a manual process (compare new default config with old config) and this guide cannot help you much.
+ slapcat -n 0 | ssh feministwiki.dev 'sudo -u openldap slapadd -n 0 -F /etc/ldap/slapd.d'
+  slapcat -n 1 | ssh feministwiki.dev 'sudo -u openldap slapadd -n 1'
-There's one special thing to remember, which is that after copying in the new <code>/etc/aliases</code> file, you have to run the <code>newaliases</code> command for the changes to take effect.
+==== Breaking changes in OpenLDAP ====
-=== Create vmail user ===
+There might be incompatible changes between OpenLDAP (aka {{C|slapd}}) versions which require manual editing of the {{C|slapcat}} output before it's read in on the new server with {{C|slapadd}}.
- groupadd -g 5000 vmail
+Here's one example that occurs when updating from OpenLDAP 2.4.42 or earlier to 2.4.43 or later: the ppolicy overlay has a new attribute in the newer version, so if you simply run the commands above, the first one (the one that copies the config database) will produce the following error message:
- useradd -u 5000 -g vmail -s /usr/sbin/nologin -d /home/vmail -m vmail
-=== Initialize LetsEncrypt ===
+ User Schema load failed for attribute "pwdMaxRecordedFailure". Error code 17: attribute type undefined
-The first run of Certbot has to be interactive, so we will do that now.  Since the DNS entries still point to the old server, we can't get a cert for the real domains.  For now, make '''feministwiki.dev''' point to the IP address of the new server, then proceed with the commands below.
+The solution is as follows:
-  systemctl stop apache2
+# On the new server, open {{C|/etc/ldap/schema/ppolicy.ldif}} and search for {{C|pwdMaxRecordedFailure}}.  You will note that there is a {{C|olcAttributeTypes: ...}} entry that defines it, and also it's listed in the {{C|MAY}} attributes block of the {{C|olcObjectClasses: ...}} entry that defines the {{C|pwdPolicy}} object class.
-  certbot certonly --cert-name feministwiki.org  # Yes, it should be .org and not .dev
+# On the old server, save the output of {{C|slapcat -n 0}} to a file, open the file, and search for the block where the {{C|ppolicy}} schema is defined.  It should start with the line {{C|dn: cn={4}ppolicy,cn=schema,cn=config}} (the {{C|{4}}} part might contain a different integer, that's OK).  There, note that the {{C|olcAttributeTypes: ...}} entry for {{C|pwdMaxRecordedFailure}} is missing, and also it's not listed in the {{C|MAY}} list of the {{C|pwdPolicy}} object class definition.  Copy over the attribute type definition from the {{C|ppolicy.ldif}} file on the new server, and amend the {{C|MAY}} list to include it.
-Then follow the on-screen instructions of certbot.  Use the "standalone" authentication method when asked, and enter feministwiki.dev as the sole domain.
+The above is explained only for instructive purposes, since this particular fix will already have been applied by the time someone reads this guide.  It's meant to give you an idea as to how backwards incompatible changes in OpenLDAP schema files can be amended when migrating to a newer version.  (Also, no such clear explanation of the fix seems to be found anywhere on the web, so maybe someone who searches the error message above will come upon this guide and be happy!)
-=== Stop services on old server ===
+=== Contents of /var/www ===
-'''At this point, all services on the old server should be stopped, because we will now begin to transfer all the actual data.'''
+This is very simple but takes a lot of time to finish.  '''Run it from the old server:'''
-=== Copy over LDAP databases ===
+ rsync -az --delete /var/www/ root@feministwiki.dev:/var/www
-TODO
+Note that the trailing slash in {{C|/var/www/}} is important; if not provided, it will copy the directory to {{C|/var/www/www}} on the new server.
-=== Copy over SQL databases ===
+=== SQL databases ===
-The following command can be used to create a dump of all databases and import it on the new server.  You can use the <code>show databases;</code> command in the SQL console to make sure that the list of databases is complete.  (Unfortunately they have to be listed manually, because using the <code>--all-databases</code> option includes system databases that we don't want.)
+Run the following command from the old server:
   mysqldump -u root -p"$(cat /root/pwd/mysql)" \
+   --add-drop-database \
     --databases blogs \
-               feministblog \
                 feministfiles \
                 feministforum \
                 feministmail \
-               feministsocial \
                 feministwiki \
                 feministwiki_de \
@@ Line 142: / Line 237: @@
                 feministwiki_pt \
                 fff \
-    | ssh root@feministwiki.dev 'mysql -u root -p"$(cat /root/pwd/mysql)"'
+    | gzip | ssh root@feministwiki.dev 'gunzip | /root/bin/sql'
+You can use the {{C|show databases;}} command in the SQL console to make sure that the list of databases is complete.  Unfortunately they have to be listed manually, because using the {{C|--all-databases}} option includes system databases that we don't want to copy.
+=== Emails ===
+This is a simple one.  Run this command from the old server:
+ rsync -az --delete /home/vmail/ root@feministwiki.dev:/home/vmail
+Note that the trailing slash in {{C|/home/vmail/}} is important.
+=== Mailman data ===
+GNU Mailman uses a filesystem-based "database" so we can transfer over its data as follows; run this from the old server:
-=== Copy over /var/www ===
+ cd /var/lib/mailman
+ rsync -az --delete archives data lists root@feministwiki.dev:/var/lib/mailman
-This is very simple but takes a lot of time to finish:
+And then this on the new server:
-  cd /var/www
+  check_perms -f
-  tar -czf - . | ssh root@feministwiki.dev 'cd /var/www; tar -xzf -'
+The {{C|check_perms}} command, which is part of GNU Mailman, will take care of fixing file ownership and permissions.
+== Recreate SQL users ==
+If the versions of MariaDB on the old and new server are compatible enough, you might be able to dump the {{C|mysql.user}} table and import it on the new server, but it's safer to recreate the users from scratch.  To do so, run this on the new server:
+ /root/bin/sql << EOF
+  create user blogs@localhost identified by '$(cat ~/pwd/mysql-blogs)';
+ grant all on blogs.* to blogs@localhost;
+ create user feministfiles@localhost identified by '$(cat ~/pwd/mysql-files)';
+ grant all on feministfiles.* to feministfiles@localhost;
+ create user feministforum@localhost identified by '$(cat ~/pwd/mysql-forum)';
+ grant all on feministforum.* to feministforum@localhost;
+ create user feministmail@localhost identified by '$(cat ~/pwd/mysql-mail)';
+ grant all on feministmail.* to feministmail@localhost;
+ create user feministwiki@localhost identified by '$(cat ~/pwd/mysql-wiki)';
+ grant all on feministwiki.* to feministwiki@localhost;
+ grant all on feministwiki_de.* to feministwiki@localhost;
+ grant all on feministwiki_es.* to feministwiki@localhost;
+ grant all on feministwiki_it.* to feministwiki@localhost;
+ grant all on feministwiki_pt.* to feministwiki@localhost;
+ create user fff@localhost identified by '$(cat ~/pwd/mysql-fff)';
+ grant all on fff.* to fff@localhost;
+ EOF
+== Test ==
+It's important to test the new server to make sure everything works well!
+=== Reboot ===
+We could restart a lot of services manually to ensure they've read their new config, but it's easiest to just reboot.  (The new server, obviously.)
 === Open ports ===
-We are finally ready to serve:
+We need to open all the ports used by the various FeministWiki services:
   for port in 25 80 443 465 587 993 995 5222 5223 5269 5270 5443 6697 7777
@@ Line 159: / Line 306: @@
   done
-At this point you might want to do some testing with the '''feministwiki.dev''' domain.
+=== Test! ===
+At this point you should test everything using the feministwiki.dev domain name.
+Some things may not work because they're hard-coded to work as "feministwiki.org" and not under the "feministwiki.dev" name.  This is a point of future improvement: all the services should be configured, if at all possible, in a way that they will work when invoked as feministwiki.dev just as well.
+=== Deactivate again ===
+After we're done testing, we can "deactivate" the new server again to prepare it for the final switch-over:
+ for port in 25 80 443 465 587 993 995 5222 5223 5269 5270 5443 6697 7777
+ do ufw delete allow proto tcp to 0.0.0.0/0 port $port
+ done
+ systemctl stop apache2
+ systemctl stop dovecot
+ systemctl stop ejabberd
+ systemctl stop inspircd
+ systemctl stop mailman
+ systemctl stop postfix
+ systemctl stop slapd
+== Finishing up ==
+'''Now, all services on the old server should be stopped, because we will begin the final transfer of live data.'''
+=== Stop services on the old server ===
+Stop all the services that interface with users and/or are responsible for modifying live data:
-=== Reboot ===
+ systemctl stop apache2
+ systemctl stop dovecot
+ systemctl stop ejabberd
+ systemctl stop inspircd
+ systemctl stop mailman
+ systemctl stop postfix
+ systemctl stop slapd
+Close all the relevant ports just to be double-sure:
+ for port in 25 80 443 465 587 993 995 5222 5223 5269 5270 5443 6697 7777
+ do ufw delete allow proto tcp to 0.0.0.0/0 port $port
+ done
+=== Copy over the live data one more time ===
+'''Simply repeat the whole section ''Copying over live data''.'''
+The techniques and commands described above in the section ''Copying over live data'' are ''idempotent'', meaning you can simply repeat them and they will make sure that the new copy of the live data is fresh and doesn't leave any outdated data on the new server.  For instance, the {{C|--delete}} argument to the {{C|rsync}} command and the {{C|--add-drop-database}} argument to the {{C|mysqldump}} command help to make sure of this.
+So just repeat the steps from that section exactly one more time.
+=== Reboot the new server ===
+At this point we can reboot the new server again, to make sure all services are properly restarted.
+=== Open ports on the new server ===
-We could restart a lot of services manually, but it's easiest to just reboot.
+Now we can open the ports again on the new server:
-  reboot
+  for port in 25 80 443 465 587 993 995 5222 5223 5269 5270 5443 6697 7777
+ do ufw allow proto tcp to 0.0.0.0/0 port $port
+ done
 === Update DNS entries ===
@@ Line 181: / Line 384: @@
 You only have to change three DNS entries, since most of the subdomains work via CNAME entries:
-* The main <code>A</code> entry for <code>@</code> (self-reference i.e. feministwiki.org)
+* The main {{C|A}} entry for {{C|@}} (self-reference i.e. feministwiki.org)
-* The <code>A</code> entry for <code>smtp</code> since this is not allowed to be a CNAME
+* The {{C|A}} entry for {{C|smtp}} since this is not allowed to be a CNAME
-* The <code>A</code> entry for <code>xmpp</code> since this is not allowed to be a CNAME
+* The {{C|A}} entry for {{C|xmpp}} since this is not allowed to be a CNAME
 ==== feministwiki.net, feministwiki.de, fem.wiki, fffrauen.de ====
-For these, you only have to change the main <code>A</code> entry, since they don't use SMTP or XMPP.
+For these, you only have to change the main {{C|A}} entry, since they don't use SMTP or XMPP.
 === Update the certificate ===
-Run the <code>letsencrypt-refresh</code> script to get a new certificate which includes all our domain names, since we had started out with just feministwiki.dev.
+Run the {{C|letsencrypt-refresh}} script to get a new certificate which includes all our domain names, since we had started out with just feministwiki.dev.
+After this, everything should be functional.  If not, it's time for some debugging!