IT4Change/gradido
3
0
Fork 0
mirror of https://github.com/IT4Change/gradido.git synced 2025-12-13 07:45:54 +00:00
Code Issues Packages Projects Releases Wiki Activity

Refactor 'setup.md' to a mark-down file and clearify instructions

Browse Source
This commit is contained in:
Wolfgang Huß 2022-09-27 09:58:22 +02:00
parent 9624a79881
commit b7c3d2acf1
1 changed files with 174 additions and 91 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

265
deployment/bare_metal/setup.md
View File

@ -1,111 +1,194 @@
# Setup script to setup the server be ready to run gradido
# This assums you have root access via ssh to your cleanly setup server
# Furthermore this assumes you have debian (11 64bit) running
# Check your (Sub-)Domain with your Provider. # Instructions To Run `Gradido` On Your Server
# In this document gddhost.tld refers to your chosen domain
> ssh root@gddhost.tld We split setting up `Gradido` on your server into two steps:
# change root default shell - [Preparing your server](#command-list-to-setup-your-server-be-ready-to-install-gradido)
> chsh -s /bin/bash - [Installing `Gradido`](#use-commands-in-installsh-manually-in-your-shell-for-now)
# Create user `gradido`
> useradd -d /home/gradido -m gradido
> passwd gradido
>> enter new password twice
# Gives the user priviledges - this might be omitted in order to harden security ## Command List To Setup Your Server Be Ready To Install `Gradido`
# Care: This will require another administering user if you don't want root access.
# Since this setup expects the user running the software be the same as the administering user,
# you have to adjust the instructions according to that scenario.
# You might lock yourself out, if done wrong.
> usermod -a -G sudo gradido
# change gradido default shell We assume you have root access via ssh to your cleanly setup server.
> chsh -s /bin/bash gradido Furthermore we assume you have debian (11 64bit) running.
# Install sudo
> apt-get install sudo
# switch to the new user
> su gradido
# Register first ssh key for user `gradido` Check your (Sub-)Domain with your Provider.
> mkdir ~/.ssh In this document `gddhost.tld` refers to your chosen domain.
> chmod 700 ~/.ssh
> nano ~/.ssh/authorized_keys
>> insert public key
>> ctrl + x
>> save
# Test authentication via SSH ### SSH into your server
> ssh -i /path/to/privKey gradido@gddhost.tld
>> This should log you in and allow you to use sudo commands, which will require the user's password
# Disable password authentication & root login ```bash
> cd /etc/ssh ssh root@gddhost.tld
> sudo cp sshd_config sshd_config.org ```
> sudo nano sshd_config
>> change `PermitRootLogin yes` to `PermitRootLogin no`
>> change `#PasswordAuthentication yes` to `PasswordAuthentication no`
>> change `UsePAM yes` to `UsePAM no`
>> ctrl + x
>> save
> sudo /etc/init.d/ssh restart
# Test SSH Access only, no root ssh access ### Change root default shell
> ssh gradido@gddhost.tld
>> Will result in in either a password request for your key or the message `Permission denied (publickey)`
> ssh -i /path/to/privKey root@gddhost.tld
>> Will result in `Permission denied (publickey)`
> ssh -i /path/to/privKey gradido@gddhost.tld
>> Will succeed after entering the correct keys password (if any)
# update system ```bash
> sudo apt-get update chsh -s /bin/bash
> sudo apt-get upgrade ```
# Install security tools ### Create user `gradido`
## ufw
> sudo apt-get install ufw
> sudo ufw allow http
> sudo ufw allow https
> sudo ufw allow ssh
> sudo ufw enable
## fail2ban ```bash
> sudo apt-get install -y fail2ban $ useradd -d /home/gradido -m gradido
> sudo /etc/init.d/fail2ban restart $ passwd gradido
# enter new password twice
```
# Install gradido ### Give the user priviledges
> sudo apt-get install -y git
> cd ~
> git clone https://github.com/gradido/gradido.git
# Timezone This might be omitted in order to harden security.
# Note: This is needed - since there is Summer-Time included in the default server Setup - UTC is REQUIRED for production data
> sudo timedatectl set-timezone UTC
# > sudo timedatectl set-ntp on
# > sudo apt purge ntp
# > sudo systemctl start systemd-timesyncd
# >> timedatectl to verify
# Adjust .env ***!!! Attention !!!***
# NOTE ';' can not be part of any value
# The Github Secret is Created on Github in Settimgs -> Webhooks
> cd gradido/deployment/bare_metal
> cp .env.dist .env
> nano .env
>> Adjust values accordingly
# TODO the install.sh is not yet ready to run directly - consider to use it as pattern to do it manually - Care: This will require another administering user if you don't want root access.
- Since this setup expects the user running the software be the same as the administering user,
- you have to adjust the instructions according to that scenario.
- you might lock yourself out, if done wrong.
!!! ATTENTION: #### Add the new user `gradido` to `sudo` group
- NGINX: ```bash
- Be aware to set the values for NGINX in the following files according to your needs before you install NGINX! usermod -a -G sudo gradido
- `./nginx/sites-available/gradido.conf` ```
- `./nginx/sites-available/update-page.conf`
- Commands in `./install.sh`:
- The commands for setting the paths in the used env variables are not working directly in the terminal, consider the out commented commands for this purpose, see below.
Follow the commands in `./install.sh`. ### Change gradido default shell
```bash
chsh -s /bin/bash gradido
```
### Install sudo
```bash
apt-get install sudo
```
### Switch to the new user
```bash
su gradido
```
### Register first ssh key for user `gradido`
```bash
$ mkdir ~/.ssh
$ chmod 700 ~/.ssh
$ nano ~/.ssh/authorized_keys
# insert public key
# ctrl + x
# save
```
### Test authentication via SSH
```bash
$ ssh -i /path/to/privKey gradido@gddhost.tld
# This should log you in and allow you to use sudo commands, which will require the user's password
```
### Disable password authentication and root login
```bash
$ cd /etc/ssh
$ sudo cp sshd_config sshd_config.org
$ sudo nano sshd_config
# change 'PermitRootLogin yes' to `PermitRootLogin no`
# change 'PasswordAuthentication yes' to 'PasswordAuthentication no'
# change 'UsePAM yes' to 'UsePAM no'
# ctrl + x
# save
$ sudo /etc/init.d/ssh restart
```
### Test SSH Access only, no root ssh access
```bash
$ ssh gradido@gddhost.tld
# Will result in in either a password request for your key or the message 'Permission denied (publickey)'
$ ssh -i /path/to/privKey root@gddhost.tld
# Will result in 'Permission denied (publickey)'
$ ssh -i /path/to/privKey gradido@gddhost.tld
# Will succeed after entering the correct keys password (if any)
```
### Update system
```bash
sudo apt-get update
sudo apt-get upgrade
```
### Install security tools
#### Install: `ufw`
```bash
sudo apt-get install ufw
sudo ufw allow http
sudo ufw allow https
sudo ufw allow ssh
sudo ufw enable
```
#### Install: `fail2ban`
```bash
sudo apt-get install -y fail2ban
sudo /etc/init.d/fail2ban restart
```
### Install `Gradido` code
```bash
sudo apt-get install -y git
cd ~
git clone https://github.com/gradido/gradido.git
```
### Timezone
*Note: This is needed - since there is Summer-Time included in the default server Setup - UTC is REQUIRED for production data.*
```bash
sudo timedatectl set-timezone UTC
sudo timedatectl set-ntp on
sudo apt purge ntp
sudo systemctl start systemd-timesyncd
# timedatectl to verify
```
### Adjust the values in `.env`
***!!! Attention !!!***
*Don't forget this step!
All your following installations in `install.sh` will fail!*
*Notes:*
- *`;` cannot be part of any value!*
- *The GitHub secret is created on GitHub in Settings -> Webhooks.*
#### Create `.env` and set values
```bash
$ cd gradido/deployment/bare_metal
$ cp .env.dist .env
$ nano .env
# adjust values accordingly
```
## Use Commands In `install.sh` Manually In Your Shell For Now
The script `install.sh` is not yet ready to run directly.
Use it as pattern to do all steps manually in your terminal shell.
*TODO: Bring the `install.sh` script to run in the shell.*
***!!! Attention !!!***
- *Commands in `install.sh`:*
- *The commands for setting the paths in the used env variables are not working directly in the terminal, consider the out commented commands for this purpose.*
Follow the commands in `./install.sh` as installation pattern.