computer:colo_container_recipe [2018/06/18 18:49]
tdobes
computer:colo_container_recipe [2019/03/31 15:01]
tdobes
Line 2: Line 2:
 //LXC Container - Debian 9// //LXC Container - Debian 9//
  
-  * Create CT:  debian 9.4 lxc template, ​2/4 cpu limit, 20 gb (or 40 gb) hdd, 2048/4096 mb ram, 1024 mb swap+  * Create CT:  debian 9.4 lxc template, 4 cpu limit, 20 gb (or 40 gb) hdd, 1024/2048/4096 mb ram, 512/1024 mb swap
   * <​del>​enable fuse container (see http://​myatus.com/​p/​quick-note-fuse-inside-proxmox-lxc-container/​):<​code>​   * <​del>​enable fuse container (see http://​myatus.com/​p/​quick-note-fuse-inside-proxmox-lxc-container/​):<​code>​
 echo $'​lxc.autodev:​ 1\nlxc.hook.autodev:​ sh -c "mknod -m 0666 ${LXC_ROOTFS_MOUNT}/​dev/​fuse c 10 229"'​ >> /​etc/​pve/​lxc/###​.conf echo $'​lxc.autodev:​ 1\nlxc.hook.autodev:​ sh -c "mknod -m 0666 ${LXC_ROOTFS_MOUNT}/​dev/​fuse c 10 229"'​ >> /​etc/​pve/​lxc/###​.conf
Line 25: Line 25:
   * ''​aptitude update && aptitude forget-new && aptitude full-upgrade''​   * ''​aptitude update && aptitude forget-new && aptitude full-upgrade''​
   * ''​aptitude install apache2 php-fpm''​   * ''​aptitude install apache2 php-fpm''​
 +  * //for glpa-web:// ''​aptitude install php-mcrypt''​
   * ''​a2enmod rewrite proxy_fcgi ssl userdir && a2enconf php7.0-fpm''​   * ''​a2enmod rewrite proxy_fcgi ssl userdir && a2enconf php7.0-fpm''​
   * <​del>#​ ''​a2ensite default-ssl''</​del>​   * <​del>#​ ''​a2ensite default-ssl''</​del>​
   * ''​%%sed -i -e '​s/​^ServerTokens OS$/#​ServerTokens OS/g' -e '​s/#​ServerTokens Full/#​ServerTokens Full\nServerTokens Prod/​g'​ /​etc/​apache2/​conf-enabled/​security.conf%%''​ # security paranoia for audit   * ''​%%sed -i -e '​s/​^ServerTokens OS$/#​ServerTokens OS/g' -e '​s/#​ServerTokens Full/#​ServerTokens Full\nServerTokens Prod/​g'​ /​etc/​apache2/​conf-enabled/​security.conf%%''​ # security paranoia for audit
 +  * ''​%%sed -i -e '​s/​^post_max_size = 8M$/​post_max_size = 50M/g' -e '​s/​^upload_max_filesize = 2M$/​upload_max_filesize = 50M/g' /​etc/​php/​7.0/​fpm/​php.ini%%''​
 +  * ''​systemctl restart php7.0-fpm''​
   * ''​systemctl restart apache2''​   * ''​systemctl restart apache2''​
   * ''​rm /​var/​www/​html/​index.html''​   * ''​rm /​var/​www/​html/​index.html''​
Line 33: Line 36:
  
   * # Let's Encrypt -- see https://​github.com/​lukas2511/​dehydrated<​code>​   * # Let's Encrypt -- see https://​github.com/​lukas2511/​dehydrated<​code>​
-aptitude install dehydrated-apache2+aptitude install dehydrated-apache2 ​cronic
  
 echo '#​!/​bin/​sh'​ > /​usr/​local/​sbin/​hook_apache-dehydrated echo '#​!/​bin/​sh'​ > /​usr/​local/​sbin/​hook_apache-dehydrated
Line 63: Line 66:
 cp -a /​mnt/​old/​etc/​dehydrated/​domains.txt /​etc/​dehydrated/​domains.txt cp -a /​mnt/​old/​etc/​dehydrated/​domains.txt /​etc/​dehydrated/​domains.txt
 rsync -aix /​mnt/​old/​var/​lib/​dehydrated/​ /​var/​lib/​dehydrated/​ rsync -aix /​mnt/​old/​var/​lib/​dehydrated/​ /​var/​lib/​dehydrated/​
-sed -e $"​s|^\t\tSSLCertificateFile\t/​etc/​ssl/​certs/​ssl-cert-snakeoil.pem$|\t\tSSLCertificateFile /​var/​lib/​dehydrated/​certs/​glpa.org/​fullchain.pem|g"​ -e $"​s|^\t\tSSLCertificateKeyFile /​etc/​ssl/​private/​ssl-cert-snakeoil.key$|\t\tSSLCertificateKeyFile /​var/​lib/​dehydrated/​certs/​glpa.org/​privkey.pem|g"​ /​etc/​apache2/​sites-available/​default-ssl.conf > /​etc/​apache2/​sites-enabled/​000-default-ssl.conf+SITE=glpa.org 
 +sed -e $"​s|^\t\tSSLCertificateFile\t/​etc/​ssl/​certs/​ssl-cert-snakeoil.pem$|\t\tSSLCertificateFile /​var/​lib/​dehydrated/​certs/​$SITE/​fullchain.pem|g"​ -e $"​s|^\t\tSSLCertificateKeyFile /​etc/​ssl/​private/​ssl-cert-snakeoil.key$|\t\tSSLCertificateKeyFile /​var/​lib/​dehydrated/​certs/​$SITE/​privkey.pem|g"​ /​etc/​apache2/​sites-available/​default-ssl.conf > /​etc/​apache2/​sites-enabled/​000-default-ssl.conf 
 +SITE=
  
 dehydrated -c dehydrated -c
Line 72: Line 77:
 # dehydrated -c # dehydrated -c
  
-echo '1 7,19 * * * root dehydrated -c' > /​etc/​cron.d/​letsencrypt+echo '1 7,19 * * * root cronic ​dehydrated -c' > /​etc/​cron.d/​letsencrypt
 </​code>​ </​code>​
  
-  * ''​aptitude install mariadb-server mariadb-client php-mysql''​ +  ​* on Drupal sites ONLY (not m-mproductions.com):​ 
-  * <​del><​code>​+    ​* ''​aptitude install mariadb-server mariadb-client php-mysql''​ 
 +    * <​del><​code>​
 mypass=`date +%s | sha256sum | base64 | head -c 15` mypass=`date +%s | sha256sum | base64 | head -c 15`
 mysqladmin --user=root password $mypass mysqladmin --user=root password $mypass
Line 83: Line 89:
 mypass= mypass=
 </​code></​del>​ </​code></​del>​
-  ​* <​code>​+    ​* <​code>​
 mysql mysql
 CREATE USER tdobes@localhost IDENTIFIED BY '​***PASSWORD***';​ CREATE USER tdobes@localhost IDENTIFIED BY '​***PASSWORD***';​
Line 90: Line 96:
 rm ~/​.mysql_history rm ~/​.mysql_history
 </​code>​ </​code>​
-  ​* ''​aptitude install git tmux''​ +    ​* ''​aptitude install git tmux''​ 
-  * ''​aptitude install phpmyadmin''​ # (when asked, enable for apache2, tell it yes when asked about creating db, and provide no password to randomly generate) +    * ''​aptitude install phpmyadmin''​ # (when asked, enable for apache2, tell it yes when asked about creating db, and provide no password to randomly generate) 
-  migrate ssh keys: ''cp -a /mnt/old/etc/ssh/​ssh_host_*key* ​/etc/ssh/''​ +    force phpmyadmin to HTTPS only<​code>​ 
-  * migrate homes: ​''​rsync -aix --del /mnt/old/home/ /home/''​ +echo '<​Directory ​/usr/share/phpmyadmin/>' > /etc/apache2/sites-enabled/​phpmyadmin-force_ssl.conf 
-  migrate webroot: ''rsync -aix --del /mnt/old/var/www/ /var/www/''​ +echo 'RewriteEngine On' ​>> ​/etc/apache2/sites-enabled/phpmyadmin-force_ssl.conf 
-  * enable remote SSH access to old system: ''​ssh-keygen''​ , then ''​%%cat .ssh/​id_rsa.pub >> /​mnt/​old/​root/​.ssh/​authorized_keys%%''​ +echo 'RewriteCond %{HTTPS} off' ​>> /​etc/​apache2/​sites-enabled/​phpmyadmin-force_ssl.conf 
-  * migrate databases: ''​%%ssh 192.168.222.4 mysqldump -p***PASSWORD*** --add-drop-database --databases drupal civicrm pleiades_drupal pleiades_civicrm | mysql -p***PASSWORD***%%''​ +echo '​RewriteRule (.*) https://​%{HTTP_HOST}%{REQUEST_URI} [L,R=301]' ​>> ​/etc/apache2/sites-enabled/phpmyadmin-force_ssl.conf 
-  * migrate db credentials:​ ''​%%ssh 192.168.222.4 '​mysqldump -p***PASSWORD*** mysql db user --skip-add-drop-table --no-create-info --complete-insert --where="​User IN (\"​drupal\",​ \"​civicrm\",​ \"​pleiades_drupal\",​ \"​pleiades_civicrm\"​)"'​ | mysql mysql && mysql -e 'flush privileges;'​%%''​ +echo '</Directory>'​ >> ​/etc/apache2/sites-enabled/​phpmyadmin-force_ssl.conf 
-  * recreate drupal apache config:<​code>​+</​code>​ 
 +    ​* enable remote SSH access to old system ​to migrate db: ''​ssh-keygen''​ , then ''​%%cat .ssh/​id_rsa.pub >> /​mnt/​old/​root/​.ssh/​authorized_keys%%''​ 
 +    * migrate databases: ''​%%ssh 192.168.222.4 mysqldump -p***PASSWORD*** --add-drop-database --databases drupal civicrm pleiades_drupal pleiades_civicrm | mysql%%''​ 
 +    * migrate db credentials:​ ''​%%ssh 192.168.222.4 '​mysqldump -p***PASSWORD*** mysql db user --skip-add-drop-table --no-create-info --complete-insert --where="​User IN (\"​drupal\",​ \"​civicrm\",​ \"​pleiades_drupal\",​ \"​pleiades_civicrm\"​)"'​ | mysql mysql && mysql -e 'flush privileges;'​%%''​ 
 +    * recreate drupal apache config:<​code>​
 echo '<​Directory /​var/​www/​html/>'​ > /​etc/​apache2/​sites-enabled/​drupal.conf echo '<​Directory /​var/​www/​html/>'​ > /​etc/​apache2/​sites-enabled/​drupal.conf
 cat /​var/​www/​html/​.htaccess >> /​etc/​apache2/​sites-enabled/​drupal.conf cat /​var/​www/​html/​.htaccess >> /​etc/​apache2/​sites-enabled/​drupal.conf
 echo '</​Directory>'​ >> /​etc/​apache2/​sites-enabled/​drupal.conf echo '</​Directory>'​ >> /​etc/​apache2/​sites-enabled/​drupal.conf
 </​code>​ </​code>​
-  ​* merge in any site-specific settings into /​etc/​apache2/​sites-enabled/​drupal.conf+    ​* merge in any site-specific settings into /​etc/​apache2/​sites-enabled/​drupal.conf 
 +    * ''​a2enmod headers expires''​ # these are used by drupal 
 +    * ''​%%aptitude --without-recommends install php-uploadprogress%%''​ # drupal wants this too (without recommends to avoid apache mod_php) 
 +  * migrate ssh keys: ''​cp -a /​mnt/​old/​etc/​ssh/​ssh_host_*key* /​etc/​ssh/''​ 
 +  * migrate homes: ''​%%rsync -aix --del /​mnt/​old/​home/​ /​home/​%%''​ 
 +  * migrate webroot: ''​%%rsync -aix --del /​mnt/​old/​var/​www/​ /​var/​www/​%%''​
   * migrate apache config: ''​%%rsync -ai --ignore-existing /​mnt/​old/​etc/​apache2/​sites-enabled/​ /​etc/​apache2/​sites-enabled/​%%''​   * migrate apache config: ''​%%rsync -ai --ignore-existing /​mnt/​old/​etc/​apache2/​sites-enabled/​ /​etc/​apache2/​sites-enabled/​%%''​
-  * ''​a2enmod ​headers expires''​ # these are used by drupal+  ​* migrate cron scripts: ''​%%rsync -ai --ignore-existing --exclude php5 /​mnt/​old/​etc/​cron.d/​ /​etc/​cron.d/​%%''​ 
 +  * for iyb vm: 
 +    * migrate http basic auth files: ''​%%rsync -aix --del /​mnt/​old/​etc/​apache2/​auth /​etc/​apache2/​%%''​ 
 +    * ''​aptitude install unzip''​ 
 +  * for glpa vm: 
 +    ​* ''​a2enmod ​proxy_http''​ # needed to pass through HLS to stream vm 
 +    * php 7.3 backport:<​code>​ 
 +aptitude install apt-transport-https 
 +#wget -O- "​https://​packages.sury.org/​php/​apt.gpg"​ | apt-key add - 
 +wget -O /​etc/​apt/​trusted.gpg.d/​php.gpg https://​packages.sury.org/​php/​apt.gpg 
 +echo 'deb https://​packages.sury.org/​php/​ stretch main' ​> /​etc/​apt/​sources.list.d/​php.list 
 +aptitude update && aptitude full-upgrade ​(but disable libapache2-mod-php,​ which is recommended ​by php-uploadprogress) 
 +a2disconf php7.0-fpm && a2enconf php7.3-fpm && systemctl reload apache2 
 +</​code>​
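Review bot: The phpmyadmin HTTPS redirect written in the new `force phpmyadmin to HTTPS only` block builds its target from `%{HTTP_HOST}`, which comes from the client's Host header, so the 301 can point at whatever host the request names; for a fixed vhost prefer `RewriteRule (.*) https://%{SERVER_NAME}%{REQUEST_URI} [L,R=301]` together with `UseCanonicalName On` and a `ServerName`, or a plain `Redirect permanent` with the literal hostname. The redirect alone still lets the first request travel over plain HTTP, so a `Strict-Transport-Security` header on the SSL vhost is worth adding where `headers` is enabled (the recipe only enables it on the Drupal sites). Separately, the `migrate databases` and `migrate db credentials` lines still pass `-p***PASSWORD***` on the remote mysqldump command line, where it is visible in the process list on the old host for the duration of the dump; a `--defaults-extra-file` or a root-only `~/.my.cnf` on the old host avoids that. The sury PHP key is dropped into `/etc/apt/trusted.gpg.d/`, which makes it a valid signer for every configured repository; scoping it with `[signed-by=/etc/apt/trusted.gpg.d/php.gpg]` in `php.list` limits it to that source, and the key's fingerprint should be checked against the vendor's published value after the `wget`.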