computer:colo_container_recipe [2018/06/18 18:49]
tdobes
computer:colo_container_recipe [2019/04/18 12:06] (current)
tdobes
Line 2: Line 2:
 //LXC Container - Debian 9// //LXC Container - Debian 9//
  
-  * Create CT:  debian 9.4 lxc template, ​2/4 cpu limit, 20 gb (or 40 gb) hdd, 2048/4096 mb ram, 1024 mb swap+  * Create CT:  debian 9.4 lxc template, 4 cpu limit, 20 gb (or 40 gb) hdd, 1024/2048/4096 mb ram, 512/1024 mb swap
   * <​del>​enable fuse container (see http://​myatus.com/​p/​quick-note-fuse-inside-proxmox-lxc-container/​):<​code>​   * <​del>​enable fuse container (see http://​myatus.com/​p/​quick-note-fuse-inside-proxmox-lxc-container/​):<​code>​
 echo $'​lxc.autodev:​ 1\nlxc.hook.autodev:​ sh -c "mknod -m 0666 ${LXC_ROOTFS_MOUNT}/​dev/​fuse c 10 229"'​ >> /​etc/​pve/​lxc/###​.conf echo $'​lxc.autodev:​ 1\nlxc.hook.autodev:​ sh -c "mknod -m 0666 ${LXC_ROOTFS_MOUNT}/​dev/​fuse c 10 229"'​ >> /​etc/​pve/​lxc/###​.conf
Line 25: Line 25:
   * ''​aptitude update && aptitude forget-new && aptitude full-upgrade''​   * ''​aptitude update && aptitude forget-new && aptitude full-upgrade''​
   * ''​aptitude install apache2 php-fpm''​   * ''​aptitude install apache2 php-fpm''​
 +  * //for glpa-web:// ''​aptitude install php-mcrypt''​
   * ''​a2enmod rewrite proxy_fcgi ssl userdir && a2enconf php7.0-fpm''​   * ''​a2enmod rewrite proxy_fcgi ssl userdir && a2enconf php7.0-fpm''​
   * <​del>#​ ''​a2ensite default-ssl''</​del>​   * <​del>#​ ''​a2ensite default-ssl''</​del>​
   * ''​%%sed -i -e '​s/​^ServerTokens OS$/#​ServerTokens OS/g' -e '​s/#​ServerTokens Full/#​ServerTokens Full\nServerTokens Prod/​g'​ /​etc/​apache2/​conf-enabled/​security.conf%%''​ # security paranoia for audit   * ''​%%sed -i -e '​s/​^ServerTokens OS$/#​ServerTokens OS/g' -e '​s/#​ServerTokens Full/#​ServerTokens Full\nServerTokens Prod/​g'​ /​etc/​apache2/​conf-enabled/​security.conf%%''​ # security paranoia for audit
 +  * ''​%%sed -i -e '​s/​^post_max_size = 8M$/​post_max_size = 50M/g' -e '​s/​^upload_max_filesize = 2M$/​upload_max_filesize = 50M/g' /​etc/​php/​7.0/​fpm/​php.ini%%''​
 +  * ''​systemctl restart php7.0-fpm''​
   * ''​systemctl restart apache2''​   * ''​systemctl restart apache2''​
   * ''​rm /​var/​www/​html/​index.html''​   * ''​rm /​var/​www/​html/​index.html''​
Line 33: Line 36:
  
   * # Let's Encrypt -- see https://​github.com/​lukas2511/​dehydrated<​code>​   * # Let's Encrypt -- see https://​github.com/​lukas2511/​dehydrated<​code>​
-aptitude install dehydrated-apache2+aptitude install dehydrated-apache2 ​cronic
  
 echo '#​!/​bin/​sh'​ > /​usr/​local/​sbin/​hook_apache-dehydrated echo '#​!/​bin/​sh'​ > /​usr/​local/​sbin/​hook_apache-dehydrated
Line 63: Line 66:
 cp -a /​mnt/​old/​etc/​dehydrated/​domains.txt /​etc/​dehydrated/​domains.txt cp -a /​mnt/​old/​etc/​dehydrated/​domains.txt /​etc/​dehydrated/​domains.txt
 rsync -aix /​mnt/​old/​var/​lib/​dehydrated/​ /​var/​lib/​dehydrated/​ rsync -aix /​mnt/​old/​var/​lib/​dehydrated/​ /​var/​lib/​dehydrated/​
-sed -e $"​s|^\t\tSSLCertificateFile\t/​etc/​ssl/​certs/​ssl-cert-snakeoil.pem$|\t\tSSLCertificateFile /​var/​lib/​dehydrated/​certs/​glpa.org/​fullchain.pem|g"​ -e $"​s|^\t\tSSLCertificateKeyFile /​etc/​ssl/​private/​ssl-cert-snakeoil.key$|\t\tSSLCertificateKeyFile /​var/​lib/​dehydrated/​certs/​glpa.org/​privkey.pem|g"​ /​etc/​apache2/​sites-available/​default-ssl.conf > /​etc/​apache2/​sites-enabled/​000-default-ssl.conf+SITE=glpa.org 
 +sed -e $"​s|^\t\tSSLCertificateFile\t/​etc/​ssl/​certs/​ssl-cert-snakeoil.pem$|\t\tSSLCertificateFile /​var/​lib/​dehydrated/​certs/​$SITE/​fullchain.pem|g"​ -e $"​s|^\t\tSSLCertificateKeyFile /​etc/​ssl/​private/​ssl-cert-snakeoil.key$|\t\tSSLCertificateKeyFile /​var/​lib/​dehydrated/​certs/​$SITE/​privkey.pem|g"​ /​etc/​apache2/​sites-available/​default-ssl.conf > /​etc/​apache2/​sites-enabled/​000-default-ssl.conf 
 +SITE=
  
 dehydrated -c dehydrated -c
Line 72: Line 77:
 # dehydrated -c # dehydrated -c
  
-echo '1 7,19 * * * root dehydrated -c' > /​etc/​cron.d/​letsencrypt+echo '1 7,19 * * * root cronic ​dehydrated -c' > /​etc/​cron.d/​letsencrypt
 </​code>​ </​code>​
  
-  * ''​aptitude install mariadb-server mariadb-client php-mysql''​ +  ​* on Drupal sites ONLY (not m-mproductions.com):​ 
-  * <​del><​code>​+    ​* ''​aptitude install mariadb-server mariadb-client php-mysql''​ 
 +    * <​del><​code>​
 mypass=`date +%s | sha256sum | base64 | head -c 15` mypass=`date +%s | sha256sum | base64 | head -c 15`
 mysqladmin --user=root password $mypass mysqladmin --user=root password $mypass
Line 83: Line 89:
 mypass= mypass=
 </​code></​del>​ </​code></​del>​
-  ​* <​code>​+    ​* <​code>​
 mysql mysql
 CREATE USER tdobes@localhost IDENTIFIED BY '​***PASSWORD***';​ CREATE USER tdobes@localhost IDENTIFIED BY '​***PASSWORD***';​
Line 90: Line 96:
 rm ~/​.mysql_history rm ~/​.mysql_history
 </​code>​ </​code>​
-  ​* ''​aptitude install git tmux''​ +    ​* ''​aptitude install git tmux''​ 
-  * ''​aptitude install phpmyadmin''​ # (when asked, enable for apache2, tell it yes when asked about creating db, and provide no password to randomly generate) +    * ''​aptitude install phpmyadmin''​ # (when asked, enable for apache2, tell it yes when asked about creating db, and provide no password to randomly generate) 
-  migrate ssh keys: ''cp -a /mnt/old/etc/ssh/​ssh_host_*key* ​/etc/ssh/''​ +    force phpmyadmin to HTTPS only<​code>​ 
-  * migrate homes: ​''​rsync -aix --del /mnt/old/home/ /home/''​ +echo '<​Directory ​/usr/share/phpmyadmin/>' > /etc/apache2/sites-enabled/​phpmyadmin-force_ssl.conf 
-  migrate webroot: ''rsync -aix --del /mnt/old/var/www/ /var/www/''​ +echo 'RewriteEngine On' ​>> ​/etc/apache2/sites-enabled/phpmyadmin-force_ssl.conf 
-  * enable remote SSH access to old system: ''​ssh-keygen''​ , then ''​%%cat .ssh/​id_rsa.pub >> /​mnt/​old/​root/​.ssh/​authorized_keys%%''​ +echo 'RewriteCond %{HTTPS} off' ​>> /​etc/​apache2/​sites-enabled/​phpmyadmin-force_ssl.conf 
-  * migrate databases: ''​%%ssh 192.168.222.4 mysqldump -p***PASSWORD*** --add-drop-database --databases drupal civicrm pleiades_drupal pleiades_civicrm | mysql -p***PASSWORD***%%''​ +echo '​RewriteRule (.*) https://​%{HTTP_HOST}%{REQUEST_URI} [L,R=301]' ​>> ​/etc/apache2/sites-enabled/phpmyadmin-force_ssl.conf 
-  * migrate db credentials:​ ''​%%ssh 192.168.222.4 '​mysqldump -p***PASSWORD*** mysql db user --skip-add-drop-table --no-create-info --complete-insert --where="​User IN (\"​drupal\",​ \"​civicrm\",​ \"​pleiades_drupal\",​ \"​pleiades_civicrm\"​)"'​ | mysql mysql && mysql -e 'flush privileges;'​%%''​ +echo '</Directory>'​ >> ​/etc/apache2/sites-enabled/​phpmyadmin-force_ssl.conf 
-  * recreate drupal apache config:<​code>​+</​code>​ 
 +    ​* enable remote SSH access to old system ​to migrate db: ''​ssh-keygen''​ , then ''​%%cat .ssh/​id_rsa.pub >> /​mnt/​old/​root/​.ssh/​authorized_keys%%''​ 
 +    * migrate databases: ''​%%ssh 192.168.222.4 mysqldump -p***PASSWORD*** --add-drop-database --databases drupal civicrm pleiades_drupal pleiades_civicrm | mysql%%''​ 
 +    * migrate db credentials:​ ''​%%ssh 192.168.222.4 '​mysqldump -p***PASSWORD*** mysql db user --skip-add-drop-table --no-create-info --complete-insert --where="​User IN (\"​drupal\",​ \"​civicrm\",​ \"​pleiades_drupal\",​ \"​pleiades_civicrm\"​)"'​ | mysql mysql && mysql -e 'flush privileges;'​%%''​ 
 +    * recreate drupal apache config:<​code>​
 echo '<​Directory /​var/​www/​html/>'​ > /​etc/​apache2/​sites-enabled/​drupal.conf echo '<​Directory /​var/​www/​html/>'​ > /​etc/​apache2/​sites-enabled/​drupal.conf
 cat /​var/​www/​html/​.htaccess >> /​etc/​apache2/​sites-enabled/​drupal.conf cat /​var/​www/​html/​.htaccess >> /​etc/​apache2/​sites-enabled/​drupal.conf
 echo '</​Directory>'​ >> /​etc/​apache2/​sites-enabled/​drupal.conf echo '</​Directory>'​ >> /​etc/​apache2/​sites-enabled/​drupal.conf
 </​code>​ </​code>​
-  ​* merge in any site-specific settings into /​etc/​apache2/​sites-enabled/​drupal.conf+    ​* merge in any site-specific settings into /​etc/​apache2/​sites-enabled/​drupal.conf 
 +    * ''​a2enmod headers expires''​ # these are used by drupal 
 +    * ''​%%aptitude --without-recommends install php-uploadprogress%%''​ # drupal wants this too (without recommends to avoid apache mod_php) 
 +  * migrate ssh keys: ''​cp -a /​mnt/​old/​etc/​ssh/​ssh_host_*key* /​etc/​ssh/''​ 
 +  * migrate homes: ''​%%rsync -aix --del /​mnt/​old/​home/​ /​home/​%%''​ 
 +  * migrate webroot: ''​%%rsync -aix --del /​mnt/​old/​var/​www/​ /​var/​www/​%%''​
   * migrate apache config: ''​%%rsync -ai --ignore-existing /​mnt/​old/​etc/​apache2/​sites-enabled/​ /​etc/​apache2/​sites-enabled/​%%''​   * migrate apache config: ''​%%rsync -ai --ignore-existing /​mnt/​old/​etc/​apache2/​sites-enabled/​ /​etc/​apache2/​sites-enabled/​%%''​
-  * ''​a2enmod ​headers expires''​ # these are used by drupal+  ​* migrate cron scripts: ''​%%rsync -ai --ignore-existing --exclude php5 /​mnt/​old/​etc/​cron.d/​ /​etc/​cron.d/​%%''​ 
 +  * for iyb vm: 
 +    * migrate http basic auth files: ''​%%rsync -aix --del /​mnt/​old/​etc/​apache2/​auth /​etc/​apache2/​%%''​ 
 +    * ''​aptitude install unzip''​ 
 +  * for glpa vm: 
 +    ​* ''​a2enmod ​proxy_http''​ # needed to pass through HLS to stream vm 
 +    * php 7.3 backport:<​code>​ 
 +aptitude install apt-transport-https 
 +#wget -O- "​https://​packages.sury.org/​php/​apt.gpg"​ | apt-key add - 
 +wget -O /​etc/​apt/​trusted.gpg.d/​php.gpg https://​packages.sury.org/​php/​apt.gpg 
 +echo 'deb https://​packages.sury.org/​php/​ stretch main' > /​etc/​apt/​sources.list.d/​php.list 
 +aptitude update && aptitude full-upgrade # (but disable libapache2-mod-php,​ which is recommended ​by php-uploadprogress) 
 +a2disconf php7.0-fpm && a2enconf php7.3-fpm && systemctl reload apache2 
 +sed -i -e '​s/​^post_max_size = 8M$/​post_max_size = 50M/g' -e '​s/​^upload_max_filesize = 2M$/​upload_max_filesize = 50M/g' /​etc/​php/​7.3/​fpm/​php.ini 
 +systemctl reload php7.3-fpm 
 +systemctl stop php7.0-fpm && systemctl disable php7.0-fpm 
 +systemctl enable php7.3-fpm && systemctl start php7.3-fpm 
 +</​code>​
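Review bot: The "migrate databases" and "migrate db credentials" steps in the Line 72/77 hunk still pass the old host's MariaDB password on the command line (`ssh 192.168.222.4 mysqldump -p***PASSWORD*** ...`), so it is visible in the process list of both hosts and lands in the root shell history of the new container; the recipe removes `~/.mysql_history` but not `~/.bash_history`. This revision already dropped `-p` on the receiving `mysql`, which suggests local socket auth is in use; the remote side can get the same treatment by putting the password in a `[client]` option file with mode 0600 on the old host and running `mysqldump --defaults-extra-file=/root/.my.cnf ...` (or relying on `~/.my.cnf`). A one-line comment next to the step would keep the next person from re-adding `-p`, e.g. `# never pass -p<password> here: it shows up in ps on both hosts and in bash history; use an option file`. The `--where="User IN (...)"` dump copies password hashes between hosts, which is intended here but is worth stating in the recipe so the dumped output is not left lying around.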
computer/colo_container_recipe.1529365766.txt.gz · Last modified: 2018/06/18 18:49 by tdobes