1,086
edits
FeministWiki:Server setup: Difference between revisions
no edit summary
Technician (talk | contribs) |
Technician (talk | contribs) No edit summary |
||
| Line 1: | Line 1: | ||
These are the steps required to set up a new FeministWiki Debian server. | These are the steps required to set up a new FeministWiki Debian or Ubuntu server. The guide assumes that you're comfortable connecting to a host with SSH and using the shell. It also assumes some basic knowledge on how to set up SSH keys and configure key-based access between machines. | ||
== Initial setup of the new server == | == Initial setup of the new server == | ||
| Line 20: | Line 20: | ||
apt-get upgrade | apt-get upgrade | ||
apt-get dist-upgrade | apt-get dist-upgrade | ||
=== Tighten security of SSH access === | |||
Port 22 will get lots of malicious login attempts. It's a good idea to change the SSH port, and also to disable password authentication in favor of key-based authentication. Both can be done by editing {{C|/etc/ssh/sshd_config}}. | |||
Before restarting the SSH service, make sure you've actually added your public key (the contents of {{C|~/.ssh/id_rsa.pub}} on your computer) to {{C|/root/.ssh/authorized_keys}} on the server, or you'll lock yourself out. | |||
=== Set up firewall === | |||
For now, block everything but SSH. | |||
apt-get install ufw | |||
ufw allow proto tcp to 0.0.0.0/0 port <ssh_port> | |||
ufw enable | |||
=== Install miscellaneous tools === | === Install miscellaneous tools === | ||
| Line 49: | Line 63: | ||
The decryption script will prompt you for a password the first time it's used. Enter the password stored in {{C|/root/pwd/meta}} on the old server. | The decryption script will prompt you for a password the first time it's used. Enter the password stored in {{C|/root/pwd/meta}} on the old server. | ||
=== Enable extra repositories === | === Enable extra repositories === | ||
| Line 107: | Line 113: | ||
This should really be part of the last section, but due to the sheer number of PHP modules we want to install, it's in its own section: | This should really be part of the last section, but due to the sheer number of PHP modules we want to install, it's in its own section: | ||
php_version= | php_version=8.1 # or whatever version we're on | ||
apt-get install php${php_version} \ | apt-get install php${php_version} \ | ||
| Line 113: | Line 119: | ||
php${php_version}-bcmath \ | php${php_version}-bcmath \ | ||
php${php_version}-cli \ | php${php_version}-cli \ | ||
php${php_version}-curl \ | php${php_version}-curl \ | ||
php${php_version}-fpm \ | |||
php${php_version}-gd \ | php${php_version}-gd \ | ||
php${php_version}-gmp \ | php${php_version}-gmp \ | ||
php${php_version}-imagick \ | php${php_version}-imagick \ | ||
php${php_version}-intl \ | php${php_version}-intl \ | ||
php${php_version}-ldap \ | php${php_version}-ldap \ | ||
php${php_version}-mbstring \ | php${php_version}-mbstring \ | ||
| Line 138: | Line 142: | ||
* Likewise, don't forget {{C|chmod +x}} for <code>/etc/cron.{hourly,daily,weekly,monthly}</code> and {{C|/etc/boot.d}} | * Likewise, don't forget {{C|chmod +x}} for <code>/etc/cron.{hourly,daily,weekly,monthly}</code> and {{C|/etc/boot.d}} | ||
=== | === Apache modules, config, and sites === | ||
Make sure we're using {{C|mpm_event}} instead of the old {{C|mpm_prefork}}: | |||
a2dismod php${php_version} mpm_prefork | |||
a2enmod mpm_event proxy_fcgi setenvif | |||
a2enconf php${php_version}-fpm | |||
We need a number of Apache modules to be enabled which might not be enabled by default: | We need a number of Apache modules to be enabled which might not be enabled by default: | ||
a2enmod expires | a2enmod expires headers macro rewrite ssl | ||
a2enconf 99-local | |||
a2ensite account blogs chat files forum mail wiki xmpp | |||
a2enconf 99- | |||
a2ensite account | |||
=== Create vmail user === | === Create vmail user === | ||
| Line 184: | Line 181: | ||
We want to make a first run of this copy process purely for testing purposes. Note that although some of the steps described in this section take a long time to finish, they can be done in parallel. | We want to make a first run of this copy process purely for testing purposes. Note that although some of the steps described in this section take a long time to finish, they can be done in parallel. | ||
Some of the commands here assume that you've set up ssh access from the old server into the new server. For this to work, copy the contents of {{C|/root/.ssh/id_rsa.pub}} on the old server, and '''append them as an additional line''' onto {{C|/root/.ssh/authorized_keys}} on the new server. | |||
=== LDAP databases === | === LDAP databases === | ||