Technician (talk | contribs) |
Technician (talk | contribs) mNo edit summary |
(9 intermediate revisions by the same user not shown) | |||
Line 28: | Line 28: | ||
bsdutils \ | bsdutils \ | ||
certbot \ | certbot \ | ||
composer \ | |||
curl \ | curl \ | ||
dnsutils \ | dnsutils \ | ||
Line 33: | Line 34: | ||
git \ | git \ | ||
imagemagick \ | imagemagick \ | ||
iotop \ | |||
ldap-utils \ | ldap-utils \ | ||
mg \ | mg \ | ||
Line 154: | Line 156: | ||
apt-get install ejabberd/$(lsb_release -sc)-backports # e.g. ejabberd/bookworm-backports | apt-get install ejabberd/$(lsb_release -sc)-backports # e.g. ejabberd/bookworm-backports | ||
=== Make sure Postfix can connect to OpenDKIM === | |||
mkdir -p /var/spool/postfix/opendkim | |||
chown opendkim:opendkim /var/spool/postfix/opendkim | |||
adduser postfix opendkim | |||
=== Install PHP and modules === | === Install PHP and modules === | ||
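Review bot: The added OpenDKIM steps create /var/spool/postfix/opendkim and set its owner but never set its mode, so who can reach the socket directory depends on the umask in effect when mkdir runs. Add an explicit `chmod 750 /var/spool/postfix/opendkim` after the chown so that only opendkim and members of its group (which postfix joins through the adduser line) can traverse it. The section should also say that Postfix has to be restarted before the new group membership takes effect, and that OpenDKIM's socket setting must point into this directory, since neither step is visible here.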
Line 164: | Line 172: | ||
php${php_version}-apcu \ | php${php_version}-apcu \ | ||
php${php_version}-bcmath \ | php${php_version}-bcmath \ | ||
php${php_version}-bz2 \ | |||
php${php_version}-cli \ | php${php_version}-cli \ | ||
php${php_version}-curl \ | php${php_version}-curl \ | ||
Line 179: | Line 188: | ||
php${php_version}-zip | php${php_version}-zip | ||
We also want {{C|php-luasandbox}}, which may not have a PHP version attached to the package name, in which case you'll have to make sure it supports the PHP version currently in use. If not, you can use the standalone Lua binary instead by setting {{C|$wgScribuntoDefaultEngine = 'luastandalone';}} in MediaWiki's {{C|LocalSettings.php}} configuration file. | We also want {{C|php-luasandbox}}, which may not have a PHP version attached to the package name, in which case you'll have to make sure it supports the PHP version currently in use. If not, you can use the standalone Lua binary instead by setting {{C|$wgScribuntoDefaultEngine {{=}} 'luastandalone';}} in MediaWiki's {{C|LocalSettings.php}} configuration file. | ||
# See if this works first: | # See if this works first: | ||
Line 194: | Line 203: | ||
# Run on old server | # Run on old server | ||
rsync -avz /etc/ | rsync -avz /etc/feministwiki/certs feministwiki.dev:/etc/feministwiki/certs | ||
The {{C|/etc/ | The {{C|/etc/feministwiki/certs}} directory and its contents should be owned by the group {{C|ssl-cert}}. Make sure this is the case on the new server after running the command above, since the group ID might be different on the new server. If the group doesn't exist at all, just create it. | ||
Further, files in that directory which contain the private key ({{C|privkey.pem}} and {{C|bundle.pem}}) should only be readable by group members. That is, their permission mode should be 640, displayed as {{C|-rw-r-----}} in the output of {{C|ls -l}}. Make sure this really the case. | Further, files in that directory which contain the private key ({{C|privkey.pem}} and {{C|bundle.pem}}) should only be readable by group members. That is, their permission mode should be 640, displayed as {{C|-rw-r-----}} in the output of {{C|ls -l}}. Make sure this really the case. | ||
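Review bot: In the new rsync line the source /etc/feministwiki/certs has no trailing slash while the destination already names the certs directory, so rsync will place the copy at /etc/feministwiki/certs/certs on the new server. Write the source as /etc/feministwiki/certs/ (or the destination as feministwiki.dev:/etc/feministwiki/) so the files land where the next paragraph expects them. Because -a maps group ownership by name when the group exists on the receiver, creating ssl-cert on the new server before the transfer avoids the files arriving under a bare numeric GID; the paragraph currently places that step after the copy. The 640 check on privkey.pem and bundle.pem is worth keeping as an explicit command rather than a manual look at ls -l. Separately, "Make sure this really the case" is missing "is".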
Line 226: | Line 235: | ||
Enable PHP FPM and other Apache modules: | Enable PHP FPM and other Apache modules: | ||
a2enmod expires headers proxy_fcgi | a2enmod expires headers proxy_fcgi rewrite | ||
a2enconf php${php_version}-fpm | a2enconf php${php_version}-fpm | ||
Line 548: | Line 557: | ||
Stop all the services that interface with users and/or are responsible for modifying live data: | Stop all the services that interface with users and/or are responsible for modifying live data: | ||
for port in 25 80 443 465 587 993 995 5222 5223 5269 5270 5443 6697 7777 | |||
do ufw delete allow proto tcp to 0.0.0.0/0 port $port | |||
done | |||
systemctl stop apache2 | systemctl stop apache2 | ||
systemctl stop dovecot | systemctl stop dovecot | ||
systemctl stop ejabberd | systemctl stop ejabberd | ||
systemctl stop elasticsearch | systemctl stop elasticsearch | ||
systemctl stop fw-wiki-job-runner | |||
systemctl stop inspircd | systemctl stop inspircd | ||
systemctl stop nginx | systemctl stop nginx | ||
systemctl stop opendkim | |||
systemctl stop postfix | systemctl stop postfix | ||
systemctl stop slapd | systemctl stop slapd | ||
As with the old server, we leave MariaDB running since it will be needed for data transfer. | |||
=== Copy over the live data one more time === | === Copy over the live data one more time === |
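Review bot: The added ufw loop deletes only rules written as `allow proto tcp to 0.0.0.0/0 port $port`, which is the IPv4 form, so any IPv6 allow rules for the same ports would stay in place and the listed services remain reachable over IPv6 until the systemctl stop lines have run. If the rules were created for both address families, add the matching deletes for ::/0, and follow the loop with `ufw status verbose` to confirm that nothing in the port list is still allowed. Port 22 is not in the list, which keeps SSH reachable for the rest of the migration; say so explicitly so that nobody adds it later.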