Members
Members is the Digital Ocean droplet hosting members.somakeit.org.uk.
Configuration
Members is configured to run the members area software called HMS (https://github.com/NottingHack/hms2). The software and its deployment are largely maintained for us by its creator (we still handle package updates and similar tasks).
Ansible
An ansible playbook to configure the server can be found on github at https://github.com/somakeit/members_ansible_config (currently only visible to org members). It is fairly up to date but may not contain changes made on the server since the config stored there was last checked against it (this can be done by running the playbook with --check). In most cases the files on the server should be considered the correct configuration should they differ from ansible. The ansible-vault password used to encrypt the server secrets in this repo is stored with the trustees and with the members who manage the server.
Original Setup notes
These are the installation steps taken to set members up when Scorpia @ Bracken replaced the much more expensive droplet. These will not include any changes made since the original install.
Made new droplet: 46.101.29.241 ubuntu 22.04
Created user accounts
- tyler
- bracken
- other ssh keys left in root auth keys for now (unusable because PermitRootLogin is off)
- dpslwk so Matt (HMS author) can help
- chris18890 as existing admin
Server hardening
- Disable PermitRootLogin for ssh
- Enabled UFW with allow for port 22 globally
- UFW allow 80 and 443 globally
- UFW allow 1194/udp globally for OpenVPN
- UFW allow 3306 from 10.8.0.0/24 for doors to access database over encrypted tunnel
- Copied letsencrypt files from the old server, installed certbot with apt, dry-ran a renew successfully
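The hardening steps above amount to a small, auditable policy: no root SSH login, 22/80/443 and 1194/udp open to the world, and 3306 reachable only from the 10.8.0.0/24 VPN subnet the door pis sit on. Below is an added example (not part of this wiki page or the members_ansible_config repo) of a drift check for that policy. It parses a constructed sshd_config and a constructed `ufw status` output that are embedded as samples, reports rules that are missing or that were never in the notes (for instance 3306 accidentally opened to Anywhere), and flags a Match block that re-enables root login. On the real box you would feed it the contents of /etc/ssh/sshd_config and the output of `sudo ufw status` instead.

```python
"""Drift check for the hardening recorded in the setup notes.

Added example: the expected rule set is transcribed from the wiki page, the
two sample inputs below are constructed for illustration.
"""
import re

# Expected ufw ALLOW rules as `ufw status` prints them: (to, from).
EXPECTED_RULES = {
    ("22/tcp", "Anywhere"),
    ("80/tcp", "Anywhere"),
    ("443/tcp", "Anywhere"),
    ("1194/udp", "Anywhere"),      # OpenVPN for the door pis
    ("3306/tcp", "10.8.0.0/24"),   # MariaDB only over the VPN tunnel
}

# Constructed `ufw status` output: 1194/udp is missing and 3306 has leaked
# to Anywhere, which is exactly the kind of drift we want to catch.
SAMPLE_UFW_STATUS = """\
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
3306/tcp                   ALLOW       10.8.0.0/24
3306/tcp                   ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
"""

# Constructed sshd_config: global root login is off, but a Match block
# quietly turns it back on for the VPN subnet.
SAMPLE_SSHD_CONFIG = """\
# constructed sample sshd_config
Port 22
#PermitRootLogin prohibit-password
PermitRootLogin no
PasswordAuthentication no
Match Address 10.8.0.0/24
    PermitRootLogin yes
"""


def parse_ufw_status(text):
    """Return the set of (to, from) pairs for ALLOW rules in `ufw status` output.
    The (v6) duplicates are folded into their IPv4 form so each rule appears once."""
    rules = set()
    in_table = False
    for line in text.splitlines():
        if line.startswith("--"):          # separator under the column headers
            in_table = True
            continue
        if not in_table or not line.strip():
            continue
        cols = re.split(r"\s{2,}", line.strip())
        if len(cols) != 3:
            continue
        to, action, src = (c.replace(" (v6)", "") for c in cols)
        if action.upper().startswith("ALLOW"):   # also matches "ALLOW IN"
            rules.add((to, src))
    return rules


def audit_ufw(text, expected=EXPECTED_RULES):
    """Compare live rules against the documented policy."""
    actual = parse_ufw_status(text)
    return {"missing": expected - actual, "unexpected": actual - expected}


def permit_root_login(config_text):
    """Return (global_value, match_overrides) for PermitRootLogin.

    sshd keeps the FIRST global value it sees, and a value inside a Match
    block applies only to connections matching that block. OpenSSH's
    built-in default is prohibit-password."""
    global_value = None
    overrides = []
    current_match = None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()                     # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current_match = value
        elif key == "permitrootlogin":
            if current_match is not None:
                overrides.append((current_match, value.lower()))
            elif global_value is None:
                global_value = value.lower()
    return (global_value or "prohibit-password", overrides)


def root_login_disabled(config_text):
    """True only if root login is off globally and no Match block re-enables it."""
    global_value, overrides = permit_root_login(config_text)
    return global_value == "no" and all(v == "no" for _, v in overrides)


if __name__ == "__main__":
    report = audit_ufw(SAMPLE_UFW_STATUS)
    print("missing ufw rules:   ", sorted(report["missing"]))
    print("unexpected ufw rules:", sorted(report["unexpected"]))
    print("PermitRootLogin:      ", permit_root_login(SAMPLE_SSHD_CONFIG))
    print("root login disabled:  ", root_login_disabled(SAMPLE_SSHD_CONFIG))
```

The check is deliberately one-directional in spirit: anything the notes do not list is reported, so a rule added by hand on the box shows up either as drift to fix or as something to record here and in the ansible repo.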
Mysql
- installed mariadb-server
- Copied the live database to the new server, needs to be re-done clean before golive.
- Copied clean database over at approx 17:00.
Redis
- Apt-get install redis
- set requirepass
Nginx
- Installed nginx
HMS
- created hms user
- checked out hms git repo
- installed php php-redis php-curl php-xml
- installed composer
- curl -sS https://getcomposer.org/installer | php
- sudo mv composer.phar /usr/local/bin/composer
- composer install
- composer update
attempt 2 with old php
- sudo apt install software-properties-common
- sudo add-apt-repository ppa:ondrej/php -y
- sudo apt install php7.4 php7.4-redis php7.4-curl php7.4-xml php7.4-zip php7.4-sql php7.4-mysql php7.4 php7.4-fpm php7.4-mbstring
- sudo update-alternatives --config php
- recheckout hms
- add .env file
- composer update
- run artisan commands from vagrant script (some may have caused issues)
- add crontab as set by vagrant script
- add hms-7.4.conf in /etc/php/7.4/fpm/pool.d/
- run php artisan config:cache then php artisan hor:ter
- add uncommitted images used in emails.
NPM
- install node 14 https://github.com/nodesource/distributions/blob/master/README.md
- https://unix.stackexchange.com/questions/627635/upgrading-nodejs-on-ubuntu-how-to-fix-broken-pipe-error
- copy npm rc
- add font awesome token
- npm install
- add resources/sass/_variables_somakeit.scss
- npm run
Other
- install laravel-echo-server
- add systemd for echo server and horizon
- copy over oauth keys
- Add new box IP to mailgun approved IPs
OpenVPN (for the doors)
Installed using https://github.com/angristan/openvpn-install and https://github.com/angristan/openvpn-install/issues/1030.
- Created a client for kong and added route-nopull to make it a split tunnel config.
- Created a client for extDoorPi and added route-nopull
- Installed openvpn configs on both pis, tested and door access working.
Access to the server
There are accounts for a few members on the machine which are the main way to access the server. There is also a trustees account for which they have the password should other users be unavailable.