FeministWiki

FeministWiki:Server setup: Difference between revisions

Project page Discussion

FeministWiki:Server setup (view source)

Revision as of 20:28, 18 January 2024

6,062 bytes added ,  18 January
→‎Install miscellaneous tools
 
(46 intermediate revisions by the same user not shown)
Line 21: Line 21:
  apt-get dist-upgrade
  apt-get dist-upgrade


=== Tighten security of SSH access ===
=== Install miscellaneous tools ===


Port 22 will get lots of malicious login attempts.  It's a good idea to change the SSH port, and also to disable password authentication in favor of key-based authentication.  Both can be done by editing {{C|/etc/ssh/sshd_config}}.
Some of these are needed further down, some are just good to have.


Before restarting the SSH service, make sure you've actually added your public key (the contents of {{C|~/.ssh/id_rsa.pub}} on your computer) to {{C|/root/.ssh/authorized_keys}} on the server, or you'll lock yourself out.
apt-get install automysqlbackup \
                bsdutils \
                certbot \
                composer \
                curl \
                dnsutils \
                emacs-nox \
                git \
                imagemagick \
                iotop \
                ldap-utils \
                mg \
                moreutils \
                net-tools \
                netcat-openbsd \
                nmap \
                rsync \
                tree


=== Copy SSH key from old server ===
=== Copy SSH key from old server ===
Line 42: Line 59:
  Host feministwiki.dev
  Host feministwiki.dev
     Port <SSH_PORT>
     Port <SSH_PORT>
=== Tighten security of SSH access ===
Port 22 will get lots of malicious login attempts.  It's a good idea to change the SSH port, and also to disable password authentication in favor of key-based authentication.  Both can be done by editing {{C|/etc/ssh/sshd_config}}.
Before restarting the SSH service, make sure you've actually added your public key (the contents of {{C|~/.ssh/id_rsa.pub}} on your computer) to {{C|/root/.ssh/authorized_keys}} on the server, or you'll lock yourself out.


=== Set up firewall ===
=== Set up firewall ===
Line 50: Line 73:
  ufw allow proto tcp to 0.0.0.0/0 port ${SSH_PORT} # Replace with actual port number
  ufw allow proto tcp to 0.0.0.0/0 port ${SSH_PORT} # Replace with actual port number
  ufw enable
  ufw enable
=== Install miscellaneous tools ===
Some of these are needed further down, some are just good to have.
apt-get install automysqlbackup \
                certbot \
                curl \
                dnsutils \
                emacs-nox \
                git \
                imagemagick \
                mg \
                moreutils \
                net-tools \
                nmap \
                rsync \
                software-properties-common \
                tree


=== Fetch scripts & config repo ===
=== Fetch scripts & config repo ===
    
    
Set up GitHub ssh access by copying the {{C|.ssh/id_rsa}} from the old server.  After that:
Having copied the {{C|.ssh/id_rsa}} from the old server will give you access to the GitHub FeministWiki repo:
 
 
  cd ~
  cd
  git clone git@github.com:FeministWiki/FeministWiki.git repo
mkdir repo
  cp -a repo/root/* repo/root/.??* .
  git clone git@github.com:FeministWiki/FeministWiki.git repo/fw
  sh repo/decrypt-pwd.sh
  cp -ai repo/fw/root/* repo/fw/root/.??* .
  sh repo/fw/decrypt-pwd.sh


The decryption script will prompt you for a password the first time it's used.  Enter the password stored in {{C|/root/pwd/meta}} on the old server.
The decryption script will prompt you for a password the first time it's used.  Enter the password stored in {{C|/root/pwd/meta}} on the old server.
Line 88: Line 93:


  # Debian
  # Debian
  echo deb http://deb.debian.org/debian $(lsb_release -sc)-backports main > /etc/apt/sources.list.d/backports.list
# May not be necessary; see if there's a commented out line in /etc/apt/sources.list that you can activate.
  echo deb http://deb.debian.org/debian $(lsb_release -sc)-backports main contrib non-free > /etc/apt/sources.list.d/backports.list
   
   
  # Ubuntu
  # Ubuntu
  echo deb http://archive.ubuntu.com/ubuntu $(lsb_release -sc)-backports main universe > /etc/apt/sources.list.d/backports.list
  echo deb http://archive.ubuntu.com/ubuntu $(lsb_release -sc)-backports main universe > /etc/apt/sources.list.d/backports.list


PHP repo '''only''' if a very new version is needed:
Usually you want up-to-date versions of Apache2, Nginx, and PHP.  Ondřej provides them:


  wget -O /etc/apt/trusted.gpg.d/sury-php.gpg https://packages.sury.org/php/apt.gpg
  # Debian
echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/sury-php.list
for repo in apache2 nginx-mainline php
do
  curl https://packages.sury.org/$repo/apt.gpg > /etc/apt/trusted.gpg.d/sury-$repo.gpg
  echo "deb https://packages.sury.org/$repo/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/sury-$repo.list
done
# Ubuntu
add-apt-repository ppa:ondrej/apache2
add-apt-repository ppa:ondrej/nginx
add-apt-repository ppa:ondrej/php
 
It may be necessary to increase the priority of some repositories if you encounter errors about dependencies that can't be fulfilled, due to apt-get thinking it has to prioritize older versions of some packages.  This was last observed while trying to install {{C|nginx-extras}}, due to some library dependencies having the "epoch" part of the version number set in the regular Debian repository, but not set in the Sury repository.  The solution is to create a file in {{C|/etc/apt/preferences.d}} such as:
 
Package: *
Pin: origin packages.sury.org
Pin-Priority: 700


MariaDB repo '''only''' if a very new version is needed:
Elasticsearch, if you want CirrusSearch for MediaWiki:


  wget https://mariadb.org/mariadb_release_signing_key.asc
  curl https://artifacts.elastic.co/GPG-KEY-elasticsearch | gpg --dearmor -o /etc/apt/trusted.gpg.d/elasticsearch.gpg
apt-key add mariadb_release_signing_key.asc
  # As of January 2024, CirrusSearch only supports Elasticsearch 7.x
  rm mariadb_release_signing_key.asc
  echo 'deb https://artifacts.elastic.co/packages/7.x/apt stable main' > /etc/apt/sources.list.d/elastic.list
  echo "deb http://mirror.23media.de/mariadb/repo/10.4/debian $(lsb_release -sc) main" > /etc/apt/sources.list.d/mariadb.list


=== Create vmail user ===
=== Create vmail user ===
Line 114: Line 134:
Now we can install all the software used for the various FeministWiki services:
Now we can install all the software used for the various FeministWiki services:


  apt-get install apache2 \
  apt-get install
                dovecot-core \
    apache2 \
                dovecot-imapd \
    dovecot-core \
                dovecot-ldap \
    dovecot-imapd \
                dovecot-pop3d \
    dovecot-ldap \
                ejabberd \
    dovecot-pop3d \
                fail2ban \
    ejabberd \
                inspircd \
    elasticsearch \
                mailman \
    fail2ban \
                mariadb-server \
    inspircd \
                opendkim \
    mariadb-server \
                postfix \
    nginx-extras \
                postfix-ldap \
    opendkim \
                slapd
    postfix \
    postfix-ldap \
    slapd


If any installation asks you for a password, remember that most passwords are found in {{C|/root/pwd}}.
If any installation asks you for a password, remember that most passwords are found in {{C|/root/pwd}}.
Line 133: Line 155:
Example for installing ejabberd from backports instead:
Example for installing ejabberd from backports instead:


  apt-get install ejabberd/$(lsb_release -sc)-backports # e.g. ejabberd/buster-backports
  apt-get install ejabberd/$(lsb_release -sc)-backports # e.g. ejabberd/bookworm-backports
 
=== Make sure Postfix can connect to OpenDKIM ===
 
mkdir -p /var/spool/postfix/opendkim
chown opendkim:opendkim /var/spool/postfix/opendkim
adduser postfix opendkim


=== Install PHP and modules ===
=== Install PHP and modules ===
Line 144: Line 172:
                 php${php_version}-apcu \
                 php${php_version}-apcu \
                 php${php_version}-bcmath \
                 php${php_version}-bcmath \
                php${php_version}-bz2 \
                 php${php_version}-cli \
                 php${php_version}-cli \
                 php${php_version}-curl \
                 php${php_version}-curl \
Line 158: Line 187:
                 php${php_version}-xml \
                 php${php_version}-xml \
                 php${php_version}-zip
                 php${php_version}-zip
We also want {{C|php-luasandbox}}, which may not have a PHP version attached to the package name, in which case you'll have to make sure it supports the PHP version currently in use. If not, you can use the standalone Lua binary instead by setting {{C|$wgScribuntoDefaultEngine = 'luastandalone';}} in MediaWiki's {{C|LocalSettings.php}} configuration file.
# See if this works first:
apt-get install php${php_version}-luasandbox
# Otherwise...
apt-get install php-luasandbox
# Check the package contents to see which PHP versions are supported
dpkg -L php-luasandbox


=== Copy over certificates ===
=== Copy over certificates ===
Line 163: Line 202:
Copy over the certs from the old server:
Copy over the certs from the old server:


  tar -czPf- /etc/fw-certs | ssh feministwiki.dev 'tar -xzPf-'
  # Run on old server
rsync -avz /etc/fw-certs feministwiki.dev:/etc/fw-certs


The {{C|/etc/fw-certs}} directory and its contents should be owned by the group {{C|ssl-cert}}.  Make sure this is the case on the new server after running the command above, since the group ID might be different on the new server.  If the group doesn't exist at all, just create it.
The {{C|/etc/fw-certs}} directory and its contents should be owned by the group {{C|ssl-cert}}.  Make sure this is the case on the new server after running the command above, since the group ID might be different on the new server.  If the group doesn't exist at all, just create it.
Line 171: Line 211:
Then, to allow certain services to read those files containing the private key, add them to the {{C|ssl-cert}} group:
Then, to allow certain services to read those files containing the private key, add them to the {{C|ssl-cert}} group:


# Run on new server
  adduser ejabberd ssl-cert
  adduser ejabberd ssl-cert
  adduser irc ssl-cert
  adduser irc ssl-cert
Also copy over the certificates stored directly in {{C|/etc/letsencrypt}}:
# Run on old server
rsync -avz /etc/letsencrypt/{archive,live} feministwiki.dev:/etc/letsencrypt


=== Put config files in place ===
=== Put config files in place ===
Line 181: Line 227:


* Don't forget to revert the redactions of sensitive information.  Search files for {{C|[REDACTED]}}.
* Don't forget to revert the redactions of sensitive information.  Search files for {{C|[REDACTED]}}.
* After copying over the Postfix configuration, run {{C|newaliases}} to create the alias database files.
* After copying {{C|/etc/aliases}}, run {{C|newaliases}} to create the alias database file.
* You may also have to run {{C|postmap}} on some files, like {{C|/etc/postfix/sender_access}}.
* After copying Postfix configuration, run {{C|postmap /etc/postfix/sender-access}} and {{C|postalias /etc/postfix/virtual-aliases}}.
* After copying something into {{C|/etc/apache2/conf-available}}, don't forget to enable it via {{C|a2enconf}}.
* Make sure the executable bit is set on all {{C|cron}} scripts, {{C|/etc/rc.local}}, and scripts in {{C|/etc/letsencrypt/renewal-hooks}}.
* After populating {{C|/etc/letsencrypt/renewal-hooks}}, remember to {{C|chmod +x}} the scripts.
* Likewise, don't forget {{C|chmod +x}} for <code>/etc/cron.{hourly,daily,weekly,monthly}</code> and {{C|/etc/boot.d}}.


=== Apache modules, config, and sites ===
=== Apache modules and configuration ===


Enable PHP FPM:
Enable PHP FPM and other Apache modules:


  a2enmod proxy_fcgi
  a2enmod expires headers proxy_fcgi rewrite
  a2enconf php${php_version}-fpm
  a2enconf php${php_version}-fpm


We need a number of Apache modules to be enabled which might not be enabled by default:
=== OpenLDAP configuration database ===
 
First of all, check if there are important changes in the base configuration of slapd.  For this, we can copy the old configuration into some directory on the new server and run a recursive diff:
 
# Run on old server
rsync -az /etc/ldap/slapd.d/ feministwiki.dev:/tmp/slapd.d
 
# Run on new server
diff -ru --color=always /tmp/slapd.d /etc/ldap/slapd.d | less -R
 
There are going to be a number of changes that are expected.  Namely:
 
# CRCs, UIDs, timestamps, and other such auto-generated fields
# FeministWiki-specific things that only exists in the old configuration
 
If these are the '''only''' differences you can see, then it should be safety to completely override the config on the new server with the old one, using the instructions in the following section.
 
Otherwise, skip to the section after that and recreate the FeministWiki-specific configuration from scratch.


a2enmod expires headers macro rewrite ssl
==== Complete copying of old configuration ====
a2enconf 99-local
a2ensite fw-account fw-blogs fw-chat fw-files fw-forum fw-mail fw-wiki fw-xmpp


=== OpenLDAP configuration database ===
''Note: This is an '''alternative''' method to that described in the '''next''' section. See above for which one to choose.''


Stop the LDAP server and delete the configuration database '''on the new server (careful!)''':
Stop the LDAP server and delete the configuration database '''on the new server (careful!)''':
Line 210: Line 269:
Then copy over the configuration database, by running the following commands from the old server:
Then copy over the configuration database, by running the following commands from the old server:


# Run on old server
  slapcat -n 0 | ssh feministwiki.dev 'sudo -u openldap slapadd -n 0 -F /etc/ldap/slapd.d'
  slapcat -n 0 | ssh feministwiki.dev 'sudo -u openldap slapadd -n 0 -F /etc/ldap/slapd.d'
==== Recreation of FeministWiki configuration ====
''Note: This is an '''alternative''' method to that described in the '''previous''' section. See above for which one to choose.''
First run {{C|dpkg-reconfigure slapd}} to fill in some basic information such as the domain name and admin password.  You can reuse the old admin password found in {{C|/root/pwd/ldap}}.
Then, running the following sequence of commands, taken from [[FeministWiki:LDAP Schema]], should do the rest:
# Create fwMember object class
ldapadd -Y external -H ldapi:// <<EOF
dn: cn=feministwiki,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: feministwiki
olcAttributeTypes: {0}( 1.3.6.1.4.1.42.2.27.99.1.1
    NAME 'fwRecoveryMail'
    DESC 'FeministWiki password recovery mail'
    EQUALITY caseIgnoreMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcObjectClasses: {1}( 1.3.6.1.4.1.42.2.27.99.2.1
    NAME 'fwMember'
    DESC 'FeministWiki member'
    SUP inetOrgPerson
    STRUCTURAL
    MAY ( fwRecoveryMail ) )
EOF
# Set attribute permissions
ldapmodify -Y external -H ldapi:// <<EOF
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {2}to attrs=sn,mail by self write
olcAccess: {3}to attrs=fwRecoveryMail by self write by dn.exact="cn=readonly,dc=feministwiki,dc=org" search
olcAccess: {4}to attrs=manager by self read
EOF
# Enable the ppolicy dynamic module
ldapmodify -Y external -H ldapi:// <<EOF
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy
EOF
# Add the ppolicy overlay with olcPPolicyHashCleartext set to TRUE
ldapadd -Y external -H ldapi:// <<EOF
dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyHashCleartext: TRUE
EOF
# Set the default password policy
# The policy object referenced here doesn't exist yet,
# but will exist once we copy over the main database.
ldapmodify -Y external -H ldapi:// <<EOF
dn: olcOverlay={0}ppolicy,olcDatabase={1}mdb,cn=config
changetype: modify
add: olcPPolicyDefault
olcPPolicyDefault: cn=default,ou=pwdPolicies,dc=feministwiki,dc=org
EOF
# Load the lastbind module
ldapmodify -Y external -H ldapi:// <<EOF
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: lastbind
EOF
# Enable the lastbind overlay
ldapadd -Y external -H ldapi:// <<EOF
dn: olcOverlay=lastbind,olcDatabase={1}mdb,cn=config
objectClass: olcLastBindConfig
olcOverlay: lastbind
olcLastBindPrecision: 60
EOF


==== Breaking changes in OpenLDAP ====
==== Breaking changes in OpenLDAP ====
Line 255: Line 393:
=== LDAP database ===
=== LDAP database ===


Delete the existing database '''on the new server (careful!)''':
Make sure slapd is not running and delete the existing database '''on the new server (careful!)''':


# Run on new server!
systemctl stop slapd
  rm /var/lib/ldap/data.mdb
  rm /var/lib/ldap/data.mdb


Then copy over the database by running the following command from the old server:
Then copy over the database by running the following command from the old server:


  slapcat -n 1 | ssh feministwiki.dev 'sudo -u openldap slapadd -n 1'
# Run on old server
  slapcat -n 1 | zstd | ssh feministwiki.dev 'zstd -d | sudo -u openldap slapadd -n 1'
 
Start slapd again in the new server afterwards:


Although there may be breaking changes that make this command fail, just as with the copying of the configuration database explained earlier, the chance is much lower for the regular "data" database, so hopefully the command will run fine.
# Run on new server
systemctl start slapd


=== Contents of /var/www ===
=== Contents of /var/www ===
Line 269: Line 413:
This is very simple but takes a lot of time to finish.  '''Run it from the old server:'''
This is very simple but takes a lot of time to finish.  '''Run it from the old server:'''


  rsync -az --delete /var/www/ feministwiki.dev:/var/www
  rsync -azP --delete /var/www/ feministwiki.dev:/var/www


Note that the trailing slash in {{C|/var/www/}} is important; if not provided, it will copy the directory to {{C|/var/www/www}} on the new server.
Note that the trailing slash in {{C|/var/www/}} is important; if not provided, it will copy the directory to {{C|/var/www/www}} on the new server.
There's actually a systemd service found in {{C|/var/www/fw/wiki}} that you'll want to enable on the new server:
systemctl enable /var/www/fw/wiki/fw-wiki-job-runner.service
No need to actually start it yet.


=== SQL databases ===
=== SQL databases ===
Line 277: Line 427:
Run the following command from the old server:
Run the following command from the old server:


  mysqldump -u root -p"$(cat /root/pwd/mysql)" \
  mariadb-dump -u root -p"$(cat /root/pwd/mariadb)" \
   --add-drop-database \
   --add-drop-database \
   --databases blogs \
   --databases feministblogs \
               feministfiles \
               feministfiles \
               feministforum \
               feministforum \
Line 290: Line 440:
               feministwiki_pt \
               feministwiki_pt \
               fff \
               fff \
   | gzip | ssh root@feministwiki.dev 'gunzip | /root/bin/sql'
   | zstd | ssh feministwiki.dev 'zstd -d | /root/bin/sql'


You can use the {{C|show databases;}} command in the SQL console to make sure that the list of databases is complete.  Unfortunately they have to be listed manually, because using the {{C|--all-databases}} option includes system databases that we don't want to copy.
You can use the {{C|show databases;}} command in the SQL console to make sure that the list of databases is complete.  Unfortunately they have to be listed manually, because using the {{C|--all-databases}} option includes system databases that we don't want to copy.
Line 301: Line 451:


Note that the trailing slash in {{C|/home/vmail/}} is important.
Note that the trailing slash in {{C|/home/vmail/}} is important.
=== Elasticsearch ===
Temporarily stop Elasticsearch on the old server and copy over the data:
systemctl stop elasticsearch
rsync -az --delete /var/lib/elasticsearch/ feministwiki.dev:/var/lib/elasticsearch
systemctl start elasticsearch


=== Mailman data ===
=== Mailman data ===
Line 320: Line 478:


  /root/bin/sql << EOF
  /root/bin/sql << EOF
  create user blogs@localhost identified by '$(cat ~/pwd/mysql-blogs)';
  create user 'feministblogs'@localhost identified by '$(cat ~/pwd/mariadb-feministblogs)';
  create user feministfiles@localhost identified by '$(cat ~/pwd/mysql-files)';
  create user 'feministfiles'@localhost identified by '$(cat ~/pwd/mariadb-feministfiles)';
  create user feministforum@localhost identified by '$(cat ~/pwd/mysql-forum)';
  create user 'feministforum'@localhost identified by '$(cat ~/pwd/mariadb-feministforum)';
  create user feministmail@localhost identified by '$(cat ~/pwd/mysql-mail)';
  create user 'feministmail'@localhost identified by '$(cat ~/pwd/mariadb-feministmail)';
  create user feministwiki@localhost identified by '$(cat ~/pwd/mysql-wiki)';
  create user 'feministwiki'@localhost identified by '$(cat ~/pwd/mariadb-feministwiki)';
  create user fff@localhost identified by '$(cat ~/pwd/mysql-fff)';
  create user 'fff'@localhost identified by '$(cat ~/pwd/mariadb-fff)';
  EOF
  EOF


Line 331: Line 489:


  /root/bin/sql << EOF
  /root/bin/sql << EOF
  grant all on blogs.* to blogs@localhost;
  grant all on feministblogs.* to feministblogs@localhost;
  grant all on feministfiles.* to feministfiles@localhost;
  grant all on feministfiles.* to feministfiles@localhost;
  grant all on feministforum.* to feministforum@localhost;
  grant all on feministforum.* to feministforum@localhost;
Line 381: Line 539:
  systemctl stop dovecot
  systemctl stop dovecot
  systemctl stop ejabberd
  systemctl stop ejabberd
systemctl stop elasticsearch
systemctl stop fw-wiki-job-runner
  systemctl stop inspircd
  systemctl stop inspircd
  systemctl stop mailman
  systemctl stop nginx
systemctl stop opendkim
  systemctl stop postfix
  systemctl stop postfix
  systemctl stop slapd
  systemctl stop slapd
Note that we leave MariaDB running, since it needs to be live for data transfer.


== Finishing up ==
== Finishing up ==
Line 394: Line 557:
Stop all the services that interface with users and/or are responsible for modifying live data:
Stop all the services that interface with users and/or are responsible for modifying live data:


for port in 25 80 443 465 587 993 995 5222 5223 5269 5270 5443 6697 7777
do ufw delete allow proto tcp to 0.0.0.0/0 port $port
done
  systemctl stop apache2
  systemctl stop apache2
  systemctl stop dovecot
  systemctl stop dovecot
  systemctl stop ejabberd
  systemctl stop ejabberd
systemctl stop elasticsearch
systemctl stop fw-wiki-job-runner
  systemctl stop inspircd
  systemctl stop inspircd
  systemctl stop mailman
  systemctl stop nginx
systemctl stop opendkim
  systemctl stop postfix
  systemctl stop postfix
  systemctl stop slapd
  systemctl stop slapd


Close all the relevant ports just to be double-sure:
As with the old server, we leave MariaDB running since it will be needed for data transfer.
 
for port in 25 80 443 465 587 993 995 5222 5223 5269 5270 5443 6697 7777
do ufw delete allow proto tcp to 0.0.0.0/0 port $port
done


=== Copy over the live data one more time ===
=== Copy over the live data one more time ===
Line 412: Line 578:
'''Simply repeat the whole section ''Copying over live data''.'''
'''Simply repeat the whole section ''Copying over live data''.'''


The techniques and commands described above in the section ''Copying over live data'' are ''idempotent'', meaning you can simply repeat them and they will make sure that the new copy of the live data is fresh and doesn't leave any outdated data on the new server.  For instance, the {{C|--delete}} argument to the {{C|rsync}} command and the {{C|--add-drop-database}} argument to the {{C|mysqldump}} command help to make sure of this.
The techniques and commands described above in the section ''Copying over live data'' are ''idempotent'', meaning you can simply repeat them and they will make sure that the new copy of the live data is fresh and doesn't leave any outdated data on the new server.  For instance, the {{C|--delete}} argument to the {{C|rsync}} command and the {{C|--add-drop-database}} argument to the {{C|mariadb-dump}} command help to make sure of this.


So just repeat the steps from that section exactly one more time.
So just repeat the steps from that section exactly one more time.
Retrieved from "https://feministwiki.org/wiki/Special:MobileDiff/1293...1372"