Members
Latest revision as of 19:01, 17 February 2024
Members is the Digital Ocean droplet hosting members.somakeit.org.uk.
Configuration
Members is configured to run the members area software HMS (https://github.com/NottingHack/hms2). The software and its deployment are largely maintained for us by its creator (we still handle package updates and similar tasks).
Ansible
An ansible playbook to configure the server can be found on github at https://github.com/somakeit/members_ansible_config (currently only visible to org members). It is fairly up to date, but may not contain changes made on the server since the config stored there was last checked against it (run the playbook with --check to compare). In most cases the files on the server should be considered the correct configuration where they differ from ansible. The ansible-vault password used to encrypt the server secrets in this repo is stored with the trustees and with the members who manage the server.
Original Setup notes
These are the installation steps taken to set Members up when Scorpia @ Bracken replaced the much more expensive droplet. They do not include any changes made since the original install.
Made new droplet: 46.101.29.241 ubuntu 22.04
## Created user accounts
* tyler
* bracken
* other ssh keys left in root auth keys for now (unusable because PermitRootLogin is off)
* dpslwk so Matt (HMS author) can help
* chris18890 as existing admin
## Server hardening
* Disable PermitRootLogin for ssh
* Enabled UFW with allow for port 22 globally
* UFW allow 80 and 443 globally
* UFW allow 1194/udp globally for OpenVPN
* UFW allow 3306 from 10.8.0.0/24 for doors to access database over encrypted tunnel
* Copied letsencrypt files from the old server, installed certbot with apt, dry-ran a renew successfully
## Mysql
* installed mariadb-server
* Copied the live database to the new server, needs to be re-done clean before golive.
* Copied clean database over at approx 17:00.
## Redis
* Apt-get install redis
* set requirepass
## Nginx
* Installed nginx
## HMS
* created hms user
* checked out hms git repo
* installed php php-redis php-curl php-xml
* installed composer
* curl -sS https://getcomposer.org/installer | php
* sudo mv composer.phar /usr/local/bin/composer
* composer install
* composer update
## attempt 2 with old php
* sudo apt install software-properties-common
* sudo add-apt-repository ppa:ondrej/php -y
* sudo apt install php7.4 php7.4-redis php7.4-curl php7.4-xml php7.4-zip php7.4-sql php7.4-mysql php7.4 php7.4-fpm php7.4-mbstring
* sudo update-alternatives --config php
* recheckout hms
* add .env file
* composer update
* run artisan commands from vagrant script (some may have caused issues)
* add crontab as set by vagrant script
* add hms-7.4.conf in /etc/php/7.4/fpm/pool.d/
* run php artisan config:cache then php artisan hor:ter
* add uncommitted images used in emails.
## NPM
* install node 14 https://github.com/nodesource/distributions/blob/master/README.md
* https://unix.stackexchange.com/questions/627635/upgrading-nodejs-on-ubuntu-how-to-fix-broken-pipe-error
* copy npm rc
* add font awesome token
* npm install
* add resources/sass/_variables_somakeit.scss
* npm run
## Other
* install laravel-echo-server
* add systemd for echo server and horizon
* copy over oauth keys
* Add new box IP to mailgun approved IPs
## OpenVPN (for the doors)
* Installed using https://github.com/angristan/openvpn-install and (https://github.com/angristan/openvpn-install/issues/1030).
* Created a client for kong and added route-nopull to make it a split tunnel config.
* Created a client for extDoorPi added route-nopull
* Installed openvpn configs on both pis, tested and door access working.
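A drift check for the hardening recorded in the setup notes above (PermitRootLogin off, the UFW allow list, and 3306 limited to the OpenVPN subnet), added here as an example and not part of the wiki page or the ansible repo. It assumes the usual column layout of `ufw status` output and a plain sshd_config; both inputs below are constructed samples so it runs offline.

```shell
# Added example, not from the wiki: audit a host against the hardening in the setup notes
# (PermitRootLogin off; UFW allows only 22, 80, 443, 1194/udp globally, 3306 just from the
# 10.8.0.0/24 VPN). Inputs are constructed samples; on the droplet use the real files.
SSHD_CONFIG='#PermitRootLogin yes
PermitRootLogin no'
UFW_STATUS='Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
80                         ALLOW       Anywhere
443                        ALLOW       Anywhere
1194/udp                   ALLOW       Anywhere
3306                       ALLOW       10.8.0.0/24
22 (v6)                    ALLOW       Anywhere (v6)'

# sshd honours the first uncommented PermitRootLogin; only "no" refuses root outright (the default, prohibit-password, still allows keys).
root_login_disabled() {
    val=$(printf '%s\n' "$1" | awk 'tolower($1)=="permitrootlogin" {print tolower($2); exit}')
    [ "$val" = "no" ]
}

# allowed_from STATUS PORT: sources allowed to reach PORT ("(v6)" rows carry "(v6)" in field 2, so they are skipped).
allowed_from() {
    printf '%s\n' "$1" | awk -v p="$2" '$1==p && $2=="ALLOW" {print $3}'
}

# Every global allow the notes describe must still be present.
global_rules_present() {
    for p in 22 80 443 1194/udp; do
        [ "$(allowed_from "$1" "$p")" = "Anywhere" ] || return 1
    done
}

# MariaDB reachable only from the door Pis' VPN subnet: no rule means the doors lose their database, any other source means 3306 is exposed.
db_restricted_to_vpn() {
    srcs=$(allowed_from "$1" 3306)
    [ -n "$srcs" ] || return 1
    ! printf '%s\n' "$srcs" | grep -qvx '10.8.0.0/24'
}

# Any global allow the notes never opened (say 6379 for redis) is drift worth a look.
unexpected_global_ports() {
    printf '%s\n' "$1" | awk '$2=="ALLOW" && $3=="Anywhere" && $1!~/^(22|80|443|1194\/udp)$/ {print $1}'
}

audit() {
    root_login_disabled "$SSHD_CONFIG" && global_rules_present "$UFW_STATUS" && db_restricted_to_vpn "$UFW_STATUS" \
        && [ -z "$(unexpected_global_ports "$UFW_STATUS")" ] && echo "OK: host matches the setup notes"
}
```

Run `audit` after `sudo ufw status` and `/etc/ssh/sshd_config` have been read into the two variables; it is a cheap complement to `ansible-playbook --check` for the rules the playbook may not cover.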
Access to the server
A few members have accounts on the machine, and these are the main way to access the server. There is also a trustees account, whose password the trustees hold, should the other users be unavailable.