Refactor 'setup.md' to a markdown file and clarify instructions

This commit is contained in:
Wolfgang Huß 2022-09-27 09:58:22 +02:00
parent 9624a79881
commit b7c3d2acf1


@ -1,111 +1,194 @@
# Setup script to setup the server be ready to run gradido
# This assums you have root access via ssh to your cleanly setup server
# Furthermore this assumes you have debian (11 64bit) running
# Check your (Sub-)Domain with your Provider.
# In this document gddhost.tld refers to your chosen domain
# Instructions To Run `Gradido` On Your Server
> ssh root@gddhost.tld
We split setting up `Gradido` on your server into two steps:
# change root default shell
> chsh -s /bin/bash
# Create user `gradido`
> useradd -d /home/gradido -m gradido
> passwd gradido
>> enter new password twice
- [Preparing your server](#command-list-to-setup-your-server-be-ready-to-install-gradido)
- [Installing `Gradido`](#use-commands-in-installsh-manually-in-your-shell-for-now)
# Gives the user priviledges - this might be omitted in order to harden security
# Care: This will require another administering user if you don't want root access.
# Since this setup expects the user running the software be the same as the administering user,
# you have to adjust the instructions according to that scenario.
# You might lock yourself out, if done wrong.
> usermod -a -G sudo gradido
## Command List To Setup Your Server Be Ready To Install `Gradido`
# change gradido default shell
> chsh -s /bin/bash gradido
# Install sudo
> apt-get install sudo
# switch to the new user
> su gradido
We assume you have root access via ssh to your cleanly setup server.
Furthermore we assume you have debian (11 64bit) running.
# Register first ssh key for user `gradido`
> mkdir ~/.ssh
> chmod 700 ~/.ssh
> nano ~/.ssh/authorized_keys
>> insert public key
>> ctrl + x
>> save
Check your (Sub-)Domain with your Provider.
In this document `gddhost.tld` refers to your chosen domain.
# Test authentication via SSH
> ssh -i /path/to/privKey gradido@gddhost.tld
>> This should log you in and allow you to use sudo commands, which will require the user's password
### SSH into your server
# Disable password authentication & root login
> cd /etc/ssh
> sudo cp sshd_config sshd_config.org
> sudo nano sshd_config
>> change `PermitRootLogin yes` to `PermitRootLogin no`
>> change `#PasswordAuthentication yes` to `PasswordAuthentication no`
>> change `UsePAM yes` to `UsePAM no`
>> ctrl + x
>> save
> sudo /etc/init.d/ssh restart
```bash
ssh root@gddhost.tld
```
# Test SSH Access only, no root ssh access
> ssh gradido@gddhost.tld
>> Will result in in either a password request for your key or the message `Permission denied (publickey)`
> ssh -i /path/to/privKey root@gddhost.tld
>> Will result in `Permission denied (publickey)`
> ssh -i /path/to/privKey gradido@gddhost.tld
>> Will succeed after entering the correct keys password (if any)
### Change root default shell
# update system
> sudo apt-get update
> sudo apt-get upgrade
```bash
chsh -s /bin/bash
```
# Install security tools
## ufw
> sudo apt-get install ufw
> sudo ufw allow http
> sudo ufw allow https
> sudo ufw allow ssh
> sudo ufw enable
### Create user `gradido`
## fail2ban
> sudo apt-get install -y fail2ban
> sudo /etc/init.d/fail2ban restart
```bash
$ useradd -d /home/gradido -m gradido
$ passwd gradido
# enter new password twice
```
# Install gradido
> sudo apt-get install -y git
> cd ~
> git clone https://github.com/gradido/gradido.git
### Give the user priviledges
# Timezone
# Note: This is needed - since there is Summer-Time included in the default server Setup - UTC is REQUIRED for production data
> sudo timedatectl set-timezone UTC
# > sudo timedatectl set-ntp on
# > sudo apt purge ntp
# > sudo systemctl start systemd-timesyncd
# >> timedatectl to verify
This might be omitted in order to harden security.
# Adjust .env
# NOTE ';' can not be part of any value
# The Github Secret is Created on Github in Settimgs -> Webhooks
> cd gradido/deployment/bare_metal
> cp .env.dist .env
> nano .env
>> Adjust values accordingly
***!!! Attention !!!***
# TODO the install.sh is not yet ready to run directly - consider to use it as pattern to do it manually
- Care: This will require another administering user if you don't want root access.
- Since this setup expects the user running the software be the same as the administering user,
- you have to adjust the instructions according to that scenario.
- you might lock yourself out, if done wrong.
!!! ATTENTION:
#### Add the new user `gradido` to `sudo` group
- NGINX:
- Be aware to set the values for NGINX in the following files according to your needs before you install NGINX!
- `./nginx/sites-available/gradido.conf`
- `./nginx/sites-available/update-page.conf`
- Commands in `./install.sh`:
- The commands for setting the paths in the used env variables are not working directly in the terminal, consider the out commented commands for this purpose, see below.
```bash
usermod -a -G sudo gradido
```
Follow the commands in `./install.sh`.
### Change gradido default shell
```bash
chsh -s /bin/bash gradido
```
### Install sudo
```bash
apt-get install sudo
```
### Switch to the new user
```bash
su gradido
```
### Register first ssh key for user `gradido`
```bash
$ mkdir ~/.ssh
$ chmod 700 ~/.ssh
$ nano ~/.ssh/authorized_keys
# insert public key
# ctrl + x
# save
```
### Test authentication via SSH
```bash
$ ssh -i /path/to/privKey gradido@gddhost.tld
# This should log you in and allow you to use sudo commands, which will require the user's password
```
### Disable password authentication and root login
```bash
$ cd /etc/ssh
$ sudo cp sshd_config sshd_config.org
$ sudo nano sshd_config
# change 'PermitRootLogin yes' to `PermitRootLogin no`
# change 'PasswordAuthentication yes' to 'PasswordAuthentication no'
# change 'UsePAM yes' to 'UsePAM no'
# ctrl + x
# save
$ sudo /etc/init.d/ssh restart
```
### Test SSH Access only, no root ssh access
```bash
$ ssh gradido@gddhost.tld
# Will result in in either a password request for your key or the message 'Permission denied (publickey)'
$ ssh -i /path/to/privKey root@gddhost.tld
# Will result in 'Permission denied (publickey)'
$ ssh -i /path/to/privKey gradido@gddhost.tld
# Will succeed after entering the correct keys password (if any)
```
### Update system
```bash
sudo apt-get update
sudo apt-get upgrade
```
### Install security tools
#### Install: `ufw`
```bash
sudo apt-get install ufw
sudo ufw allow http
sudo ufw allow https
sudo ufw allow ssh
sudo ufw enable
```
#### Install: `fail2ban`
```bash
sudo apt-get install -y fail2ban
sudo /etc/init.d/fail2ban restart
```
### Install `Gradido` code
```bash
sudo apt-get install -y git
cd ~
git clone https://github.com/gradido/gradido.git
```
### Timezone
*Note: This is needed - since there is Summer-Time included in the default server Setup - UTC is REQUIRED for production data.*
```bash
sudo timedatectl set-timezone UTC
sudo timedatectl set-ntp on
sudo apt purge ntp
sudo systemctl start systemd-timesyncd
# timedatectl to verify
```
### Adjust the values in `.env`
***!!! Attention !!!***
*Don't forget this step!
All your following installations in `install.sh` will fail!*
*Notes:*
- *`;` cannot be part of any value!*
- *The GitHub secret is created on GitHub in Settings -> Webhooks.*
#### Create `.env` and set values
```bash
$ cd gradido/deployment/bare_metal
$ cp .env.dist .env
$ nano .env
# adjust values accordingly
```
## Use Commands In `install.sh` Manually In Your Shell For Now
The script `install.sh` is not yet ready to run directly.
Use it as pattern to do all steps manually in your terminal shell.
*TODO: Bring the `install.sh` script to run in the shell.*
***!!! Attention !!!***
- *Commands in `install.sh`:*
- *The commands for setting the paths in the used env variables are not working directly in the terminal, consider the out commented commands for this purpose.*
Follow the commands in `./install.sh` as installation pattern.
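Review bot: In the "Disable password authentication and root login" block, the instruction to change `UsePAM yes` to `UsePAM no` is stronger than needed and has side effects: with PAM disabled, sshd also skips the PAM account and session checks (account expiry, `pam_limits`, session setup), not just password prompts. Debian's own `sshd_config` comment recommends keeping `UsePAM yes` and instead setting `PasswordAuthentication no` together with `ChallengeResponseAuthentication no` (called `KbdInteractiveAuthentication` in newer OpenSSH releases), which is what actually closes the PAM keyboard-interactive path that `PasswordAuthentication no` alone leaves open. Consider replacing the `UsePAM` line with that setting. Two smaller points in the same block: the comment `# change 'PermitRootLogin yes' to `PermitRootLogin no`` mixes single quotes and backticks while the next two lines use single quotes only, and it would be worth adding `sudo sshd -t` before `sudo /etc/init.d/ssh restart` so a typo in `sshd_config` is caught while the current session is still open; the "Test SSH Access" block that follows should be run from a second terminal before the first one is closed, since the user was just asked to turn off both password login and root login. Finally, the heading "Give the user priviledges" carries the typo "priviledges" over from the old file.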