needs a minimum of 2 GB of memory and 150 GB of storage <!--
echo '
DOCKER_OPTS="--iptables=false
' >
``` -->
## Docker
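# Install the Docker engine. On Debian/Ubuntu the engine package is `docker.io`;
# the bare `docker` package name is an unrelated desktop docklet there.
apt-get install docker.io
# docker-compose 1.29.1 as a single binary. The original URL had the two command
# substitutions mangled into stray back-quotes, so it could never resolve to a
# release asset. -f makes curl fail on an HTTP error instead of saving the error
# page under the binary's name; -L follows the GitHub release redirect.
curl -fsSL "https://github.com/docker/compose/releases/download/1.29.1/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
# Compare the download against the checksum file published with the same release
# before making it executable: this binary will run as root for every deploy.
chmod +x /usr/local/bin/docker-compose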
## postgres
```sh
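apt install postgresql postgresql-client
systemctl enable --now postgresql
# Give the superuser a password (the placeholder must be replaced). Passing it on the
# command line records it in shell history and exposes it in `ps`; the interactive
# `psql -c '\password postgres'` avoids that. `su - postgres -c` runs the step
# non-interactively instead of opening a shell and hoping the next lines are typed into it.
su - postgres -c "psql -c \"ALTER USER postgres WITH password 'monsupermotdepasse'\""
# --- /etc/postgresql/11/main/postgresql.conf ---
# The services below run with --network=host and reach PostgreSQL over 127.0.0.1,
# while the editoria compose stack comes in over the Docker bridge, so the server
# must listen beyond the unix socket. '*' also binds any public interface; that is
# acceptable only if the host firewall denies 5432 from outside, otherwise list the
# specific addresses instead.
listen_addresses = '*'
# Hash new passwords with SCRAM (PostgreSQL 10+). Set this before the service roles
# are created so their stored hashes are SCRAM rather than md5.
password_encryption = scram-sha-256
# --- /etc/postgresql/11/main/pg_hba.conf ---
# `trust` let any local process, and anything on the Docker bridge, log in as any
# role - including postgres - with no password at all. Every service is handed a
# POSTGRES_PASSWORD anyway, so require it. The md5 method negotiates SCRAM
# automatically for roles whose stored hash is SCRAM. The two original bridge
# entries (172.18.0.1/16 and 172.18.0.2/16) denote the same /16 and are merged.
# TYPE  DATABASE    USER      ADDRESS        METHOD
host    all         all       127.0.0.1/32   md5
host    editoriadb  editoria  172.18.0.0/16  md5
# listen_addresses only takes effect after a restart, which the original steps omitted.
systemctl restart postgresql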
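# Role and database for xsweet. Each step runs via `su - postgres -c` so the
# sequence works as a script rather than relying on an interactive postgres shell.
su - postgres -c "createuser xsweet"
# SUPERMOTDEPASSE is a placeholder; as written it also lands in shell history.
# `psql -c '\password xsweet'` prompts for it instead.
su - postgres -c "psql -c \"alter user xsweet with encrypted password 'SUPERMOTDEPASSE';\""
su - postgres -c "createdb xsweetdb -O xsweet"
su - postgres -c "psql -c \"grant all privileges on database xsweetdb to xsweet;\""
su - postgres -c "psql -d xsweetdb -c 'CREATE EXTENSION IF NOT EXISTS pgcrypto;'"
# Keep secrets out of `ps` and shell history: write them to a root-only env file
# (example path) and hand it to docker with --env-file instead of a row of -e flags.
# POSTGRES_PASSWORD must match the password set on the xsweet role above.
install -m 600 /dev/null /srv/xsweet.env
cat > /srv/xsweet.env <<'EOF'
PUBSWEET_SECRET=YOURSECRET
SERVER_PORT=9001
SERVER_HOST=localhost
SERVER_PROTOCOL=http
POSTGRES_USER=xsweet
POSTGRES_PASSWORD=SUPERMOTDEPASSE
POSTGRES_HOST=localhost
POSTGRES_DB=xsweetdb
POSTGRES_PORT=5432
NODE_ENV=production
EOF
docker pull cokoapps/xsweet:1.1.0
# --network=host binds 9001 directly on the host, on every interface; the host
# firewall decides who may reach it. --restart unless-stopped brings the container
# back after a reboot, which the original `-d` alone did not.
docker run -d -t -i --network=host --restart unless-stopped \
    --env-file /srv/xsweet.env --name xsweet cokoapps/xsweet:1.1.0
# Presumably produces the client id/secret later placed in the editoria .env
# (SERVICE_XSWEET_CLIENT_ID / SERVICE_XSWEET_SECRET); confirm against the service docs.
docker exec -it xsweet yarn create:client
docker system prune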
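# Role and database for pagedjs; same pattern as the other services.
su - postgres -c "createuser pagedjs"
# SUPERMOTDEPASSE is a placeholder; as written it also lands in shell history.
# `psql -c '\password pagedjs'` prompts for it instead.
su - postgres -c "psql -c \"alter user pagedjs with encrypted password 'SUPERMOTDEPASSE';\""
su - postgres -c "createdb pagedjsdb -O pagedjs"
su - postgres -c "psql -c \"grant all privileges on database pagedjsdb to pagedjs;\""
su - postgres -c "psql -d pagedjsdb -c 'CREATE EXTENSION IF NOT EXISTS pgcrypto;'"
# Root-only env file (example path) instead of secrets on the command line.
# POSTGRES_PASSWORD must match the password set on the pagedjs role above.
install -m 600 /dev/null /srv/pagedjs.env
cat > /srv/pagedjs.env <<'EOF'
PUBSWEET_SECRET=YOURSECRET
SERVER_PORT=9002
SERVER_HOST=localhost
SERVER_PROTOCOL=http
POSTGRES_USER=pagedjs
POSTGRES_PASSWORD=SUPERMOTDEPASSE
POSTGRES_HOST=localhost
POSTGRES_DB=pagedjsdb
POSTGRES_PORT=5432
NODE_ENV=production
EOF
docker pull cokoapps/pagedjs:1.1.0
# --network=host binds 9002 directly on the host; the firewall decides who may reach it.
# --restart unless-stopped brings the container back after a reboot.
docker run -d -t -i --network=host --restart unless-stopped \
    --env-file /srv/pagedjs.env --name pagedjs cokoapps/pagedjs:1.1.0
# Presumably produces the client id/secret later placed in the editoria .env
# (SERVICE_PAGEDJS_CLIENT_ID / SERVICE_PAGEDJS_SECRET); confirm against the service docs.
docker exec -it pagedjs yarn create:client
docker system prune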
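# Role and database for icml; same pattern as the other services.
su - postgres -c "createuser icml"
# SUPERMOTDEPASSE is a placeholder; as written it also lands in shell history.
# `psql -c '\password icml'` prompts for it instead.
su - postgres -c "psql -c \"alter user icml with encrypted password 'SUPERMOTDEPASSE';\""
su - postgres -c "createdb icmldb -O icml"
su - postgres -c "psql -c \"grant all privileges on database icmldb to icml;\""
su - postgres -c "psql -d icmldb -c 'CREATE EXTENSION IF NOT EXISTS pgcrypto;'"
# Root-only env file (example path) instead of secrets on the command line.
# POSTGRES_PASSWORD must match the password set on the icml role above.
install -m 600 /dev/null /srv/icml.env
cat > /srv/icml.env <<'EOF'
PUBSWEET_SECRET=YOURSECRET
SERVER_PORT=9003
SERVER_HOST=localhost
SERVER_PROTOCOL=http
POSTGRES_USER=icml
POSTGRES_PASSWORD=SUPERMOTDEPASSE
POSTGRES_HOST=localhost
POSTGRES_DB=icmldb
POSTGRES_PORT=5432
NODE_ENV=production
EOF
docker pull cokoapps/icml:1.1.0
# --network=host binds 9003 directly on the host; the firewall decides who may reach it.
# --restart unless-stopped brings the container back after a reboot.
docker run -d -t -i --network=host --restart unless-stopped \
    --env-file /srv/icml.env --name icml cokoapps/icml:1.1.0
# Presumably produces the client id/secret later placed in the editoria .env
# (SERVICE_ICML_CLIENT_ID / SERVICE_ICML_SECRET); confirm against the service docs.
docker exec -it icml yarn create:client
docker system prune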
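# Role and database for epubchecker; same pattern as the other services.
su - postgres -c "createuser epubchecker"
# SUPERMOTDEPASSE is a placeholder; as written it also lands in shell history.
# `psql -c '\password epubchecker'` prompts for it instead.
su - postgres -c "psql -c \"alter user epubchecker with encrypted password 'SUPERMOTDEPASSE';\""
su - postgres -c "createdb epubcheckerdb -O epubchecker"
su - postgres -c "psql -c \"grant all privileges on database epubcheckerdb to epubchecker;\""
su - postgres -c "psql -d epubcheckerdb -c 'CREATE EXTENSION IF NOT EXISTS pgcrypto;'"
# Root-only env file (example path) instead of secrets on the command line.
# POSTGRES_PASSWORD must match the password set on the epubchecker role above.
# The original command set no SERVER_HOST/SERVER_PROTOCOL for this service; that is
# kept as-is here rather than guessed.
install -m 600 /dev/null /srv/epubchecker.env
cat > /srv/epubchecker.env <<'EOF'
PUBSWEET_SECRET=YOURSECRET
SERVER_PORT=9004
POSTGRES_USER=epubchecker
POSTGRES_PASSWORD=SUPERMOTDEPASSE
POSTGRES_HOST=localhost
POSTGRES_DB=epubcheckerdb
POSTGRES_PORT=5432
NODE_ENV=production
EOF
docker pull cokoapps/epubchecker:1.1.0
# --network=host binds 9004 directly on the host; the firewall decides who may reach it.
# --restart unless-stopped brings the container back after a reboot.
docker run -d -t -i --network=host --restart unless-stopped \
    --env-file /srv/epubchecker.env --name epubchecker cokoapps/epubchecker:1.1.0
# Presumably produces the client id/secret later placed in the editoria .env
# (SERVICE_EPUB_CHECKER_CLIENT_ID / SERVICE_EPUB_CHECKER_SECRET); confirm against the service docs.
docker exec -it epubchecker yarn create:client
docker system prune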
https://www.digitalocean.com/community/tutorials/how-to-set-up-an-object-storage-server-using-minio-on-ubuntu-18-04 https://metal.equinix.com/developers/guides/minio/
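wget https://dl.min.io/server/minio/release/linux-amd64/minio_20210422154428.0.0_amd64.deb
# The package is fetched without any authentication of its contents; compare it with
# the checksum/signature MinIO publishes for this release before installing.
dpkg -i minio_20210422154428.0.0_amd64.deb
useradd -r minio-user -s /sbin/nologin
mkdir /usr/local/share/minio/
chown minio-user:minio-user /usr/local/share/minio/
mkdir /etc/minio
# This file holds the root credentials of the object store. Create it root-only
# first: a plain `echo > file` leaves it world-readable under the default umask.
# MINIO_ACCESS_KEY / MINIO_SECRET_KEY are the legacy variable names; the commented
# example further down shows the MINIO_ROOT_USER / MINIO_ROOT_PASSWORD form.
# `--address :9000` listens on every interface, in plaintext.
install -m 600 /dev/null /etc/default/minio
cat > /etc/default/minio <<'EOF'
MINIO_VOLUMES="/usr/local/share/minio/"
MINIO_OPTS="-C /etc/minio --address :9000"
MINIO_ACCESS_KEY="STRONGACCESSKEY"
MINIO_SECRET_KEY="SUPERMOTDEPASSE"
EOF
# The unit is pulled from a moving branch (master); read it before enabling it.
wget -P /etc/systemd/system/ https://raw.githubusercontent.com/minio/minio-service/master/linux-systemd/minio.service
systemctl daemon-reload
systemctl enable --now minio
# MINIO_ROOT_USER=admin MINIO_ROOT_PASSWORD=YOURPASSWORD minio server /mnt/data
wget -P /usr/local/bin/ https://dl.min.io/client/mc/release/linux-amd64/mc
chmod +x /usr/local/bin/mc
# The two placeholders are the MINIO_ACCESS_KEY / MINIO_SECRET_KEY values from
# /etc/default/minio. Passing them as arguments records them in shell history.
mc alias set minio http://localhost:9000 xxxxxxxxxx xxxxxxxxxxxxxxxxx
# This user/secret pair is what the editoria .env later uses as
# S3_ACCESS_KEY_ID_USER / S3_SECRET_ACCESS_KEY_USER.
mc admin user add minio editoria SUPERMOTDEPASSE
mc admin user enable minio editoria
# `readwrite` spans every bucket on the server; a policy limited to the editoria
# bucket (S3_BUCKET) would be the tighter grant.
mc admin policy set minio/ readwrite user=editoria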
https://gitlab.coko.foundation/editoria/editoria/-/blob/master/INSTALL.md
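# Role and database for editoria itself; same pattern as the helper services.
su - postgres -c "createuser editoria"
# SUPERMOTDEPASSE is a placeholder and must equal POSTGRES_PASSWORD in the editoria
# .env written below. It lands in shell history as written; `psql -c '\password editoria'`
# prompts for it instead.
su - postgres -c "psql -c \"alter user editoria with encrypted password 'SUPERMOTDEPASSE';\""
su - postgres -c "createdb editoriadb -O editoria"
su - postgres -c "psql -c \"grant all privileges on database editoriadb to editoria;\""
su - postgres -c "psql -d editoriadb -c 'CREATE EXTENSION IF NOT EXISTS pgcrypto;'"
cd /srv/
# Clones the default branch; pinning a release tag makes the deployment reproducible.
git clone https://gitlab.coko.foundation/editoria/editoria.git
cd /srv/editoria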
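# .env carries the database password, the MinIO keys and every service secret, so
# create it root-only before writing (the redirection alone would leave it
# world-readable under the default umask). docker-compose is run as root by the
# systemd unit, so root-only is enough for it.
# Values that must agree with earlier steps:
#   POSTGRES_PASSWORD           - password set on the editoria role
#   S3_ACCESS_KEY_ID_USER / S3_SECRET_ACCESS_KEY_USER - the `mc admin user add` pair
#   S3_ACCESS_KEY_ID_ADMIN / S3_SECRET_ACCESS_KEY_ADMIN - presumably the MinIO root
#     credentials from /etc/default/minio; confirm against the editoria INSTALL.md
# SERVER_PROTOCOL=http / SERVER_HOST=<ip> describe the app behind nginx; if the app
# builds absolute links (e.g. password reset) from them, point them at the public
# https name instead - confirm against the editoria docs.
# The S3_* and SERVICE_*_PROTOCOL=http connections are plaintext to the host's own
# IP; keep them on a private interface or behind the firewall.
install -m 600 /dev/null .env
cat > .env <<'EOF'
export EDITORIA_FLAVOUR=VANILLA
export PUBSWEET_SECRET=xxxxxxxxxxxxxxxxxx
export POSTGRES_USER=editoria
export SERVES_CLIENT=true
export ADMIN_USERNAME=admin
export ADMIN_PASSWORD=xxxxxxxxxxxxxxx
export ADMIN_GIVEN_NAME=admin
export ADMIN_SURNAME=admin
export ADMIN_EMAIL=foo@bar.com
export POSTGRES_PASSWORD=xxxxxxxxxxxxxxxxxx
export POSTGRES_HOST=ip.ip.ip.ip #ip of the host
export POSTGRES_DB=editoriadb
export POSTGRES_PORT=5432
#export LANGUAGE_PROTOCOL=
#export LANGUAGE_HOST=
#export LANGUAGE_PORT=
#export MAILER_USER=
#export MAILER_PASSWORD=
#export MAILER_SENDER=
#export MAILER_HOSTNAME=
export PASSWORD_RESET_PATH=password-reset
export NODE_ENV=production
export SERVER_PROTOCOL=http
export SERVER_HOST=ip.ip.ip.ip #ip of the host
export SERVER_PORT=9005
export S3_PROTOCOL=http
export S3_HOST=ip.ip.ip.ip #ip of the host
export S3_PORT=9000
export S3_ACCESS_KEY_ID_ADMIN=xxxxxxxxxxxxxxxxxxx
export S3_SECRET_ACCESS_KEY_ADMIN=yyyyyyyyyyyyyyyyyyyyy
export S3_ACCESS_KEY_ID_USER=editoria
export S3_SECRET_ACCESS_KEY_USER=zzzzzzzzzzzzzzzzzzzzzzzz
export S3_BUCKET=editoria
# (check service documentation on how to create client id and secret https://gitlab.coko.foundation/cokoapps/epub-checker)
export SERVICE_EPUB_CHECKER_CLIENT_ID=xxxxxx-xxxxx-xxxxx-xxxxx-xxxxxxxxxxxxx
export SERVICE_EPUB_CHECKER_SECRET=yyyyyyyyyyyyyyyyy
export SERVICE_EPUB_CHECKER_PROTOCOL=http
export SERVICE_EPUB_CHECKER_HOST=ip.ip.ip.ip #ip of the host
export SERVICE_EPUB_CHECKER_PORT=9004
# (check service documentation on how to create client id and secret https://gitlab.coko.foundation/cokoapps/icml)
export SERVICE_ICML_CLIENT_ID=xxxxxx-xxxxx-xxxxx-xxxxx-xxxxxxxxxxxxx
export SERVICE_ICML_SECRET=yyyyyyyyyyyyyyyyy
export SERVICE_ICML_PROTOCOL=http
export SERVICE_ICML_HOST=ip.ip.ip.ip #ip of the host
export SERVICE_ICML_PORT=9003
# (check service documentation on how to create client id and secret https://gitlab.coko.foundation/cokoapps/pagedjs)
export SERVICE_PAGEDJS_CLIENT_ID=xxxxxx-xxxxx-xxxxx-xxxxx-xxxxxxxxxxxxx
export SERVICE_PAGEDJS_SECRET=yyyyyyyyyyyyyyyyy
export SERVICE_PAGEDJS_PROTOCOL=http
export SERVICE_PAGEDJS_HOST=ip.ip.ip.ip #ip of the host
export SERVICE_PAGEDJS_PORT=9002
# (check service documentation on how to create client id and secret https://gitlab.coko.foundation/cokoapps/xsweet)
export SERVICE_XSWEET_CLIENT_ID=xxxxxx-xxxxx-xxxxx-xxxxx-xxxxxxxxxxxxx
export SERVICE_XSWEET_SECRET=yyyyyyyyyyyyyyyyy
export SERVICE_XSWEET_PROTOCOL=http
export SERVICE_XSWEET_HOST=ip.ip.ip.ip #ip of the host
export SERVICE_XSWEET_PORT=9001
EOF
docker-compose -f docker-compose.production.yml build
# docker-compose -f docker-compose.production.yml up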
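# systemd unit that brings the compose stack up at boot, after its dependencies.
# %i is an instance specifier and expands to nothing in a non-template unit, so
# the Description no longer uses it.
cat > /etc/systemd/system/editoria.service <<'EOF'
[Unit]
Description=editoria service with docker compose
Requires=docker.service minio.service postgresql.service
After=docker.service minio.service postgresql.service
[Service]
# `up -d` returns as soon as the containers are started, so this is a oneshot unit
# that stays "active (exited)" afterwards. Restart=always is dropped: the unit never
# reaches a state that would trigger it, and older systemd rejects Restart= on
# Type=oneshot units.
Type=oneshot
RemainAfterExit=true
WorkingDirectory=/srv/editoria
ExecStart=/usr/local/bin/docker-compose -f docker-compose.production.yml up -d
# The original ExecStop omitted -f and therefore acted on the default compose
# file, not on the production stack that ExecStart brought up.
ExecStop=/usr/local/bin/docker-compose -f docker-compose.production.yml down
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable --now editoria
docker system prune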
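apt-get install --yes nginx certbot
# Standalone mode needs port 80 to itself, hence the stop/start around the request.
systemctl stop nginx
certbot certonly --standalone -d your.domain.ltd --cert-name your.domain.ltd
systemctl start nginx
mkdir -p /etc/nginx/ssl/certs/your.domain.ltd
openssl dhparam -out /etc/nginx/ssl/certs/your.domain.ltd/dhparam.pem 2048
# Nightly renewal job. The scratch copy of the crontab goes to a mktemp file rather
# than the fixed /tmp/mycron: a predictable name in a world-writable directory can
# be pre-created by any local user before root writes to it.
touch /var/spool/cron/crontabs/root
tmp_cron="$(mktemp)"
crontab -l > "$tmp_cron"
echo "0 3 * * * certbot renew --pre-hook 'systemctl stop nginx' --post-hook 'systemctl start nginx' --cert-name your.domain.ltd" >> "$tmp_cron"
crontab "$tmp_cron"
rm "$tmp_cron"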
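# nginx vhost: plain HTTP redirects to HTTPS; HTTPS terminates TLS and proxies to
# the editoria container on 9005. The quoted heredoc keeps $host/$server_name literal.
cat > /etc/nginx/sites-available/your.domain.ltd.conf <<'EOF'
server {
    listen 80;
    listen [::]:80;
    server_name your.domain.ltd;
    return 301 https://$server_name$request_uri;
}
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name your.domain.ltd;
    charset utf-8;
    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt { access_log off; log_not_found off; }
    # `access_log on;` is not a recognised value (nginx reads it as a file name);
    # give the log an explicit path.
    access_log /var/log/nginx/your.domain.ltd.access.log;
    # error_log /var/log/nginx/your.domain.ltd.error.log;
    sendfile off;
    client_max_body_size 100m;
    #SSL Certificates
    # TLS 1.0 and 1.1 are deprecated (RFC 8996). TLSv1.3 needs nginx built against
    # OpenSSL 1.1.1 or newer; drop it from the list if `nginx -t` rejects it.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_certificate "/etc/letsencrypt/live/your.domain.ltd/fullchain.pem";
    ssl_certificate_key "/etc/letsencrypt/live/your.domain.ltd/privkey.pem";
    ssl_dhparam /etc/nginx/ssl/certs/your.domain.ltd/dhparam.pem;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    #ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
    ssl_prefer_server_ciphers on;
    # The original split this value over two lines with a '#' inside the quotes,
    # which nginx either rejects or emits as a malformed header. includeSubDomains
    # is left out deliberately: add it only once every subdomain serves HTTPS.
    add_header Strict-Transport-Security "max-age=31536000" always;
    # website should not be displayed inside a <frame>, an <iframe> or an <object>
    add_header X-Frame-Options SAMEORIGIN;
    location ~ /\.ht {
        deny all;
    }
    location / {
        proxy_pass http://127.0.0.1:9005;
        proxy_set_header Host $host;
        # The app is configured with SERVER_PROTOCOL=http; tell it the client came
        # in over HTTPS and preserve the client address for its logs.
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_connect_timeout 30;
        proxy_send_timeout 30;
    }
}
EOF
# -f so a re-run does not fail on the existing link.
ln -sf /etc/nginx/sites-available/your.domain.ltd.conf /etc/nginx/sites-enabled/
# Validate the configuration first so a typo cannot take the site down on restart.
nginx -t && systemctl restart nginx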
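apt-get --yes install ufw
# Deny inbound by default and allow only what is needed. None of these rules did
# anything in the original sequence, which never ran `ufw enable`.
ufw default deny incoming
ufw default allow outgoing
ufw allow ssh
ufw allow http
ufw allow https
# The editoria compose stack on the Docker bridge reaches PostgreSQL (5432) and
# MinIO (9000) on the host. 172.18.0.0/16 is the network address; the original
# 172.18.0.1/16 denotes the same range.
ufw allow from 172.18.0.0/16
# Opens MinIO to everyone. Keep it only if browsers must fetch objects from MinIO
# directly; if the app proxies them, remove this rule - the bridge rule above
# already covers the app's own access.
ufw allow 9000
# Ports published by Docker with -p are routed through Docker's own iptables chains
# and bypass these rules; the --network=host services above bind on the host and
# are filtered here (the commented --iptables=false note at the top of this page
# is about that bypass).
# --force skips the interactive confirmation; the ssh rule is already in place.
ufw --force enable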