Jump to content

FeministWiki:Server setup: Difference between revisions

no edit summary
No edit summary
Line 1: Line 1:
These are the steps required to set up a new FeministWiki Debian server.
These are the steps required to set up a new FeministWiki Debian or Ubuntu server.  The guide assumes that you're comfortable connecting to a host with SSH and using the shell.  It also assumes some basic knowledge on how to set up SSH keys and configure key-based access between machines.


== Initial setup of the new server ==
== Initial setup of the new server ==
Line 20: Line 20:
  apt-get upgrade
  apt-get upgrade
  apt-get dist-upgrade
  apt-get dist-upgrade
=== Tighten security of SSH access ===
Port 22 will get lots of malicious login attempts.  It's a good idea to change the SSH port, and also to disable password authentication in favor of key-based authentication.  Both can be done by editing {{C|/etc/ssh/sshd_config}}.
Before restarting the SSH service, make sure you've actually added your public key (the contents of {{C|~/.ssh/id_rsa.pub}} on your computer) to {{C|/root/.ssh/authorized_keys}} on the server, or you'll lock yourself out.
=== Set up firewall ===
For now, block everything but SSH.
apt-get install ufw
ufw allow proto tcp to 0.0.0.0/0 port <ssh_port>
ufw enable


=== Install miscellaneous tools ===
=== Install miscellaneous tools ===
Line 49: Line 63:


The decryption script will prompt you for a password the first time it's used.  Enter the password stored in {{C|/root/pwd/meta}} on the old server.
The decryption script will prompt you for a password the first time it's used.  Enter the password stored in {{C|/root/pwd/meta}} on the old server.
=== Set up firewall ===
For now, block everything but SSH.
apt-get install ufw
ufw allow proto tcp to 0.0.0.0/0 port 22
ufw enable


=== Enable extra repositories ===
=== Enable extra repositories ===
Line 107: Line 113:
This should really be part of the last section, but due to the sheer number of PHP modules we want to install, it's in its own section:
This should really be part of the last section, but due to the sheer number of PHP modules we want to install, it's in its own section:


  php_version=7.4 # or whatever version we're on
  php_version=8.1 # or whatever version we're on
   
   
  apt-get install php${php_version} \
  apt-get install php${php_version} \
Line 113: Line 119:
                 php${php_version}-bcmath \
                 php${php_version}-bcmath \
                 php${php_version}-cli \
                 php${php_version}-cli \
                php${php_version}-ctype \
                 php${php_version}-curl \
                 php${php_version}-curl \
                php${php_version}-fpm \
                 php${php_version}-gd \
                 php${php_version}-gd \
                 php${php_version}-gmp \
                 php${php_version}-gmp \
                php${php_version}-iconv \
                 php${php_version}-imagick \
                 php${php_version}-imagick \
                 php${php_version}-intl \
                 php${php_version}-intl \
                php${php_version}-json \
                 php${php_version}-ldap \
                 php${php_version}-ldap \
                 php${php_version}-mbstring \
                 php${php_version}-mbstring \
Line 138: Line 142:
* Likewise, don't forget {{C|chmod +x}} for <code>/etc/cron.{hourly,daily,weekly,monthly}</code> and {{C|/etc/boot.d}}
* Likewise, don't forget {{C|chmod +x}} for <code>/etc/cron.{hourly,daily,weekly,monthly}</code> and {{C|/etc/boot.d}}


=== Enable Apache modules, config, and sites ===
=== Apache modules, config, and sites ===
 
Make sure we're using {{C|mpm_event}} instead of the old {{C|mpm_prefork}}:
 
a2dismod php${php_version} mpm_prefork
a2enmod mpm_event proxy_fcgi setenvif
a2enconf php${php_version}-fpm


We need a number of Apache modules to be enabled which might not be enabled by default:
We need a number of Apache modules to be enabled which might not be enabled by default:


  a2enmod expires
  a2enmod expires headers macro rewrite ssl
a2enmod headers
  a2enconf 99-local
a2enmod macro
  a2ensite account blogs chat files forum mail wiki xmpp
a2enmod rewrite
a2enmod ssl
  a2enconf 99-feministwiki
a2ensite 000-wiki
  a2ensite account
a2ensite blogs
a2ensite chat
a2ensite files
a2ensite forum
a2ensite mail
a2ensite xmpp


=== Create vmail user ===
=== Create vmail user ===
Line 184: Line 181:


We want to make a first run of this copy process purely for testing purposes.  Note that although some of the steps described in this section take a long time to finish, they can be done in parallel.
We want to make a first run of this copy process purely for testing purposes.  Note that although some of the steps described in this section take a long time to finish, they can be done in parallel.
Some of the commands here assume that you've set up ssh access from the old server into the new server.  For this to work, copy the contents of {{C|/root/.ssh/id_rsa.pub}} on the old server, and '''append them as an additional line''' onto {{C|/root/.ssh/authorized_keys}} on the new server.


=== LDAP databases ===
=== LDAP databases ===