  apt-get dist-upgrade
=== Tighten security of SSH access ===
=== Install miscellaneous tools ===

Port 22 will get lots of malicious login attempts.  It's a good idea to change the SSH port, and also to disable password authentication in favor of key-based authentication.  Both can be done by editing {{C|/etc/ssh/sshd_config}}.
Some of these are needed further down, some are just good to have.

Before restarting the SSH service, make sure you've actually added your public key (the contents of {{C|~/.ssh/id_rsa.pub}} on your computer) to {{C|/root/.ssh/authorized_keys}} on the server, or you'll lock yourself out.
apt-get install automysqlbackup \
                bsdutils \
                certbot \
                composer \
                curl \
                dnsutils \
                emacs-nox \
                git \
                imagemagick \
                iotop \
                ldap-utils \
                mg \
                moreutils \
                net-tools \
                netcat-openbsd \
                nmap \
                rsync \

=== Copy SSH key from old server ===
  Host feministwiki.dev
  Host feministwiki.dev
     Port <SSH_PORT>
     Port <SSH_PORT>
=== Set up firewall ===
  ufw allow proto tcp to port ${SSH_PORT} # Replace with actual port number
  ufw enable
=== Fetch scripts & config repo ===
Having copied the {{C|.ssh/id_rsa}} from the old server will give you access to the GitHub FeministWiki repo:
Having copied the {{C|.ssh/id_rsa}} from the old server will give you access to the GitHub FeministWiki repo:
  cd ~
  git clone git@github.com:FeministWiki/FeministWiki.git repo
mkdir repo
  cp -a repo/root/* repo/root/.??* .
  git clone git@github.com:FeministWiki/FeministWiki.git repo/fw
  sh repo/decrypt-pwd.sh
  cp -ai repo/fw/root/* repo/fw/root/.??* .
  sh repo/fw/decrypt-pwd.sh

The decryption script will prompt you for a password the first time it's used.  Enter the password stored in {{C|/root/pwd/meta}} on the old server.
The decryption script will prompt you for a password the first time it's used.  Enter the password stored in {{C|/root/pwd/meta}} on the old server.
  # Debian
  echo deb http://deb.debian.org/debian $(lsb_release -sc)-backports main > /etc/apt/sources.list.d/backports.list
# May not be necessary; see if there's a commented out line in /etc/apt/sources.list that you can activate.
  echo deb http://deb.debian.org/debian $(lsb_release -sc)-backports main contrib non-free > /etc/apt/sources.list.d/backports.list
  # Ubuntu
  # Ubuntu
  echo deb http://archive.ubuntu.com/ubuntu $(lsb_release -sc)-backports main universe > /etc/apt/sources.list.d/backports.list
PHP repo '''only''' if a very new version is needed:
Usually you want up-to-date versions of Apache2, Nginx, and PHP.  Ondřej provides them:
# Debian
for repo in apache2 nginx-mainline php
  curl https://packages.sury.org/$repo/apt.gpg > /etc/apt/trusted.gpg.d/sury-$repo.gpg
  echo "deb https://packages.sury.org/$repo/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/sury-$repo.list
# Ubuntu
add-apt-repository ppa:ondrej/apache2
add-apt-repository ppa:ondrej/nginx
add-apt-repository ppa:ondrej/php
  wget -O /etc/apt/trusted.gpg.d/sury-php.gpg https://packages.sury.org/php/apt.gpg
  Package: *
  echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/sury-php.list
  Pin: origin packages.sury.org
Pin-Priority: 700

MariaDB repo '''only''' if a very new version is needed:
Elasticsearch, if you want CirrusSearch for MediaWiki:

  wget https://mariadb.org/mariadb_release_signing_key.asc
  curl https://artifacts.elastic.co/GPG-KEY-elasticsearch | gpg --dearmor -o /etc/apt/trusted.gpg.d/elasticsearch.gpg
apt-key add mariadb_release_signing_key.asc
  # As of January 2024, CirrusSearch only supports Elasticsearch 7.x
  rm mariadb_release_signing_key.asc
  echo 'deb https://artifacts.elastic.co/packages/7.x/apt stable main' > /etc/apt/sources.list.d/elastic.list
=== Create vmail user ===
=== Create vmail user ===
Now we can install all the software used for the various FeministWiki services:
Now we can install all the software used for the various FeministWiki services:

  apt-get install apache2 \
  apt-get install
                dovecot-core \
    apache2 \
                dovecot-imapd \
    dovecot-core \
                dovecot-ldap \
    dovecot-imapd \
                dovecot-pop3d \
    dovecot-ldap \
                ejabberd \
    dovecot-pop3d \
                fail2ban \
    ejabberd \
                inspircd \
    elasticsearch \
                mailman \
    fail2ban \
                mariadb-server \
    inspircd \
                opendkim \
    mariadb-server \
                postfix \
    nginx-extras \
                postfix-ldap \
    opendkim \
    postfix \
    postfix-ldap \

If any installation asks you for a password, remember that most passwords are found in {{C|/root/pwd}}.
If any installation asks you for a password, remember that most passwords are found in {{C|/root/pwd}}.
Example for installing ejabberd from backports instead:
Example for installing ejabberd from backports instead:

  apt-get install ejabberd/$(lsb_release -sc)-backports # e.g. ejabberd/buster-backports
  apt-get install ejabberd/$(lsb_release -sc)-backports # e.g. ejabberd/bookworm-backports
=== Make sure Postfix can connect to OpenDKIM ===
mkdir -p /var/spool/postfix/opendkim
chown opendkim:opendkim /var/spool/postfix/opendkim
adduser postfix opendkim

=== Install PHP and modules ===
=== Install PHP and modules ===
                 php${php_version}-apcu \
                 php${php_version}-apcu \
                 php${php_version}-bcmath \
                 php${php_version}-bcmath \
                php${php_version}-bz2 \
                 php${php_version}-cli \
                 php${php_version}-cli \
                 php${php_version}-curl \
                 php${php_version}-curl \
                 php${php_version}-xml \
                 php${php_version}-xml \
We also want {{C|php-luasandbox}}, which may not have a PHP version attached to the package name, in which case you'll have to make sure it supports the PHP version currently in use. If not, you can use the standalone Lua binary instead by setting {{C|$wgScribuntoDefaultEngine {{=}} 'luastandalone';}} in MediaWiki's {{C|LocalSettings.php}} configuration file.
# See if this works first:
apt-get install php${php_version}-luasandbox
# Otherwise...
apt-get install php-luasandbox
# Check the package contents to see which PHP versions are supported
dpkg -L php-luasandbox

=== Copy over certificates ===
=== Copy over certificates ===
Copy over the certs from the old server:
Copy over the certs from the old server:

  tar -czPf- /etc/fw-certs | ssh feministwiki.dev 'tar -xzPf-'
  # Run on old server
rsync -avz /etc/feministwiki/certs feministwiki.dev:/etc/feministwiki/certs

The {{C|/etc/fw-certs}} directory and its contents should be owned by the group {{C|ssl-cert}}.  Make sure this is the case on the new server after running the command above, since the group ID might be different on the new server.  If the group doesn't exist at all, just create it.
The {{C|/etc/feministwiki/certs}} directory and its contents should be owned by the group {{C|ssl-cert}}.  Make sure this is the case on the new server after running the command above, since the group ID might be different on the new server.  If the group doesn't exist at all, just create it.

Further, files in that directory which contain the private key ({{C|privkey.pem}} and {{C|bundle.pem}}) should only be readable by group members.  That is, their permission mode should be 640, displayed as {{C|-rw-r-----}} in the output of {{C|ls -l}}.  Make sure this really the case.
Further, files in that directory which contain the private key ({{C|privkey.pem}} and {{C|bundle.pem}}) should only be readable by group members.  That is, their permission mode should be 640, displayed as {{C|-rw-r-----}} in the output of {{C|ls -l}}.  Make sure this really the case.
Line 172: Line 211:
Then, to allow certain services to read those files containing the private key, add them to the {{C|ssl-cert}} group:
Then, to allow certain services to read those files containing the private key, add them to the {{C|ssl-cert}} group:

# Run on new server
  adduser ejabberd ssl-cert
  adduser ejabberd ssl-cert
  adduser irc ssl-cert
  adduser irc ssl-cert
Also copy over the certificates stored directly in {{C|/etc/letsencrypt}}:
# Run on old server
rsync -avz /etc/letsencrypt/{archive,live} feministwiki.dev:/etc/letsencrypt

=== Put config files in place ===
=== Put config files in place ===
* Don't forget to revert the redactions of sensitive information.  Search files for {{C|[REDACTED]}}.
* Don't forget to revert the redactions of sensitive information.  Search files for {{C|[REDACTED]}}.
* After copying over the Postfix configuration, run {{C|newaliases}} to create the alias database files.
* After copying {{C|/etc/aliases}}, run {{C|newaliases}} to create the alias database file.
* You may also have to run {{C|postmap}} on some files, like {{C|/etc/postfix/sender_access}}.
* After copying Postfix configuration, run {{C|postmap /etc/postfix/sender-access}} and {{C|postalias /etc/postfix/virtual-aliases}}.
* After copying something into {{C|/etc/apache2/conf-available}}, don't forget to enable it via {{C|a2enconf}}.
* Make sure the executable bit is set on all {{C|cron}} scripts, {{C|/etc/rc.local}}, and scripts in {{C|/etc/letsencrypt/renewal-hooks}}.
* After populating {{C|/etc/letsencrypt/renewal-hooks}}, remember to {{C|chmod +x}} the scripts.
* Likewise, don't forget {{C|chmod +x}} for <code>/etc/cron.{hourly,daily,weekly,monthly}</code> and {{C|/etc/boot.d}}.

=== Apache modules, config, and sites ===
=== Apache modules and configuration ===

Enable PHP FPM:
Enable PHP FPM and other Apache modules:

  a2enmod proxy_fcgi
  a2enmod expires headers proxy_fcgi rewrite
  a2enconf php${php_version}-fpm
  a2enconf php${php_version}-fpm

We need a number of Apache modules to be enabled which might not be enabled by default:
=== OpenLDAP configuration database ===
First of all, check if there are important changes in the base configuration of slapd.  For this, we can copy the old configuration into some directory on the new server and run a recursive diff:

  a2enmod expires headers macro rewrite ssl
  # Run on old server
  a2enconf 99-local
  rsync -az /etc/ldap/slapd.d/ feministwiki.dev:/tmp/slapd.d
a2ensite fw-account fw-blogs fw-chat fw-files fw-forum fw-mail fw-wiki fw-xmpp

=== OpenLDAP configuration database ===
# Run on new server
diff -ru --color=always /tmp/slapd.d /etc/ldap/slapd.d | less -R
There are going to be a number of changes that are expected.  Namely:
# CRCs, UIDs, timestamps, and other such auto-generated fields
# FeministWiki-specific things that only exists in the old configuration
If these are the '''only''' differences you can see, then it should be safety to completely override the config on the new server with the old one, using the instructions in the following section.
Otherwise, skip to the section after that and recreate the FeministWiki-specific configuration from scratch.
==== Complete copying of old configuration ====
''Note: This is an '''alternative''' method to that described in the '''next''' section. See above for which one to choose.''

Stop the LDAP server and delete the configuration database '''on the new server (careful!)''':
Stop the LDAP server and delete the configuration database '''on the new server (careful!)''':
Then copy over the configuration database, by running the following commands from the old server:
Then copy over the configuration database, by running the following commands from the old server:

# Run on old server
  slapcat -n 0 | ssh feministwiki.dev 'sudo -u openldap slapadd -n 0 -F /etc/ldap/slapd.d'
  slapcat -n 0 | ssh feministwiki.dev 'sudo -u openldap slapadd -n 0 -F /etc/ldap/slapd.d'
==== Recreation of FeministWiki configuration ====
''Note: This is an '''alternative''' method to that described in the '''previous''' section. See above for which one to choose.''
First run {{C|dpkg-reconfigure slapd}} to fill in some basic information such as the domain name and admin password.  You can reuse the old admin password found in {{C|/root/pwd/ldap}}.
Then, running the following sequence of commands, taken from [[FeministWiki:LDAP Schema]], should do the rest:
# Create fwMember object class
ldapadd -Y external -H ldapi:// <<EOF
dn: cn=feministwiki,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: feministwiki
olcAttributeTypes: {0}(
    NAME 'fwRecoveryMail'
    DESC 'FeministWiki password recovery mail'
    EQUALITY caseIgnoreMatch
    SYNTAX )
olcObjectClasses: {1}(
    NAME 'fwMember'
    DESC 'FeministWiki member'
    SUP inetOrgPerson
    MAY ( fwRecoveryMail ) )
# Set attribute permissions
ldapmodify -Y external -H ldapi:// <<EOF
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {2}to attrs=sn,mail by self write
olcAccess: {3}to attrs=fwRecoveryMail by self write by dn.exact="cn=readonly,dc=feministwiki,dc=org" search
olcAccess: {4}to attrs=manager by self read
# Enable the ppolicy dynamic module
ldapmodify -Y external -H ldapi:// <<EOF
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy
# Add the ppolicy overlay with olcPPolicyHashCleartext set to TRUE
ldapadd -Y external -H ldapi:// <<EOF
dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyHashCleartext: TRUE
# Set the default password policy
# The policy object referenced here doesn't exist yet,
# but will exist once we copy over the main database.
ldapmodify -Y external -H ldapi:// <<EOF
dn: olcOverlay={0}ppolicy,olcDatabase={1}mdb,cn=config
changetype: modify
add: olcPPolicyDefault
olcPPolicyDefault: cn=default,ou=pwdPolicies,dc=feministwiki,dc=org
# Load the lastbind module
ldapmodify -Y external -H ldapi:// <<EOF
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: lastbind
# Enable the lastbind overlay
ldapadd -Y external -H ldapi:// <<EOF
dn: olcOverlay=lastbind,olcDatabase={1}mdb,cn=config
objectClass: olcLastBindConfig
olcOverlay: lastbind
olcLastBindPrecision: 60

==== Breaking changes in OpenLDAP ====
==== Breaking changes in OpenLDAP ====
=== LDAP database ===
=== LDAP database ===

Delete the existing database '''on the new server (careful!)''':
Make sure slapd is not running and delete the existing database '''on the new server (careful!)''':

# Run on new server!
systemctl stop slapd
  rm /var/lib/ldap/data.mdb
  rm /var/lib/ldap/data.mdb

Then copy over the database by running the following command from the old server:
Then copy over the database by running the following command from the old server:

  slapcat -n 1 | ssh feministwiki.dev 'sudo -u openldap slapadd -n 1'
# Run on old server
  slapcat -n 1 | zstd | ssh feministwiki.dev 'zstd -d | sudo -u openldap slapadd -n 1'

Although there may be breaking changes that make this command fail, just as with the copying of the configuration database explained earlier, the chance is much lower for the regular "data" database, so hopefully the command will run fine.
Start slapd again in the new server afterwards:
# Run on new server
systemctl start slapd

=== Contents of /var/www ===
=== Contents of /var/www ===
This is very simple but takes a lot of time to finish.  '''Run it from the old server:'''
This is very simple but takes a lot of time to finish.  '''Run it from the old server:'''

  rsync -az --delete /var/www/ feministwiki.dev:/var/www
  rsync -azP --delete /var/www/ feministwiki.dev:/var/www

Note that the trailing slash in {{C|/var/www/}} is important; if not provided, it will copy the directory to {{C|/var/www/www}} on the new server.
Note that the trailing slash in {{C|/var/www/}} is important; if not provided, it will copy the directory to {{C|/var/www/www}} on the new server.
There's actually a systemd service found in {{C|/var/www/fw/wiki}} that you'll want to enable on the new server:
systemctl enable /var/www/fw/wiki/fw-wiki-job-runner.service
No need to actually start it yet.

=== SQL databases ===
=== SQL databases ===
Run the following command from the old server:
Run the following command from the old server:

  mysqldump -u root -p"$(cat /root/pwd/mysql)" \
  mariadb-dump -u root -p"$(cat /root/pwd/mariadb)" \
   --add-drop-database \
   --add-drop-database \
   --databases blogs \
   --databases feministblogs \
               feministfiles \
               feministfiles \
               feministforum \
               feministforum \
Line 291: Line 440:
               feministwiki_pt \
               feministwiki_pt \
               fff \
               fff \
   | gzip | ssh root@feministwiki.dev 'gunzip | /root/bin/sql'
   | zstd | ssh feministwiki.dev 'zstd -d | /root/bin/sql'

You can use the {{C|show databases;}} command in the SQL console to make sure that the list of databases is complete.  Unfortunately they have to be listed manually, because using the {{C|--all-databases}} option includes system databases that we don't want to copy.
You can use the {{C|show databases;}} command in the SQL console to make sure that the list of databases is complete.  Unfortunately they have to be listed manually, because using the {{C|--all-databases}} option includes system databases that we don't want to copy.
Line 302: Line 451:

Note that the trailing slash in {{C|/home/vmail/}} is important.
Note that the trailing slash in {{C|/home/vmail/}} is important.
=== Elasticsearch ===
Temporarily stop Elasticsearch on the old server and copy over the data:
systemctl stop elasticsearch
rsync -az --delete /var/lib/elasticsearch/ feministwiki.dev:/var/lib/elasticsearch
systemctl start elasticsearch

=== Mailman data ===
=== Mailman data ===
Line 321: Line 478:

  /root/bin/sql << EOF
  /root/bin/sql << EOF
  create user blogs@localhost identified by '$(cat ~/pwd/mysql-blogs)';
  create user 'feministblogs'@localhost identified by '$(cat ~/pwd/mariadb-feministblogs)';
  create user feministfiles@localhost identified by '$(cat ~/pwd/mysql-files)';
  create user 'feministfiles'@localhost identified by '$(cat ~/pwd/mariadb-feministfiles)';
  create user feministforum@localhost identified by '$(cat ~/pwd/mysql-forum)';
  create user 'feministforum'@localhost identified by '$(cat ~/pwd/mariadb-feministforum)';
  create user feministmail@localhost identified by '$(cat ~/pwd/mysql-mail)';
  create user 'feministmail'@localhost identified by '$(cat ~/pwd/mariadb-feministmail)';
  create user feministwiki@localhost identified by '$(cat ~/pwd/mysql-wiki)';
  create user 'feministwiki'@localhost identified by '$(cat ~/pwd/mariadb-feministwiki)';
  create user fff@localhost identified by '$(cat ~/pwd/mysql-fff)';
  create user 'fff'@localhost identified by '$(cat ~/pwd/mariadb-fff)';

Line 332: Line 489:

  /root/bin/sql << EOF
  /root/bin/sql << EOF
  grant all on blogs.* to blogs@localhost;
  grant all on feministblogs.* to feministblogs@localhost;
  grant all on feministfiles.* to feministfiles@localhost;
  grant all on feministfiles.* to feministfiles@localhost;
  grant all on feministforum.* to feministforum@localhost;
  grant all on feministforum.* to feministforum@localhost;
Line 382: Line 539:
  systemctl stop dovecot
  systemctl stop dovecot
  systemctl stop ejabberd
  systemctl stop ejabberd
systemctl stop elasticsearch
systemctl stop fw-wiki-job-runner
  systemctl stop inspircd
  systemctl stop inspircd
  systemctl stop mailman
  systemctl stop nginx
systemctl stop opendkim
  systemctl stop postfix
  systemctl stop postfix
  systemctl stop slapd
  systemctl stop slapd
Note that we leave MariaDB running, since it needs to be live for data transfer.

== Finishing up ==
== Finishing up ==
Stop all the services that interface with users and/or are responsible for modifying live data:
Stop all the services that interface with users and/or are responsible for modifying live data:

for port in 25 80 443 465 587 993 995 5222 5223 5269 5270 5443 6697 7777
do ufw delete allow proto tcp to port $port
  systemctl stop apache2
  systemctl stop apache2
  systemctl stop dovecot
  systemctl stop dovecot
  systemctl stop ejabberd
  systemctl stop ejabberd
systemctl stop elasticsearch
systemctl stop fw-wiki-job-runner
  systemctl stop inspircd
  systemctl stop inspircd
  systemctl stop mailman
  systemctl stop nginx
systemctl stop opendkim
  systemctl stop postfix
  systemctl stop postfix
  systemctl stop slapd
  systemctl stop slapd

Close all the relevant ports just to be double-sure:
As with the old server, we leave MariaDB running since it will be needed for data transfer.
for port in 25 80 443 465 587 993 995 5222 5223 5269 5270 5443 6697 7777
do ufw delete allow proto tcp to port $port

=== Copy over the live data one more time ===
=== Copy over the live data one more time ===
Line 413: Line 578:
'''Simply repeat the whole section ''Copying over live data''.'''
'''Simply repeat the whole section ''Copying over live data''.'''

The techniques and commands described above in the section ''Copying over live data'' are ''idempotent'', meaning you can simply repeat them and they will make sure that the new copy of the live data is fresh and doesn't leave any outdated data on the new server.  For instance, the {{C|--delete}} argument to the {{C|rsync}} command and the {{C|--add-drop-database}} argument to the {{C|mysqldump}} command help to make sure of this.
The techniques and commands described above in the section ''Copying over live data'' are ''idempotent'', meaning you can simply repeat them and they will make sure that the new copy of the live data is fresh and doesn't leave any outdated data on the new server.  For instance, the {{C|--delete}} argument to the {{C|rsync}} command and the {{C|--add-drop-database}} argument to the {{C|mariadb-dump}} command help to make sure of this.

So just repeat the steps from that section exactly one more time.
So just repeat the steps from that section exactly one more time.