

Installing Editoria on Debian 10 (buster) for production. Note: Debian 10 is past its end of life; on a current release the steps are the same but paths such as the PostgreSQL major version in `/etc/postgresql/11/` change.

Needs at least 2 GB of memory and 150 GB of storage.

<!-- Draft, not part of the procedure yet:

firewall

Docker programs iptables itself, so ports published by containers (`ports:` in a
compose file) are reachable from outside regardless of ufw. One workaround is to
stop Docker from managing iptables — but you then have to write the forwarding
rules yourself. Whether DOCKER_OPTS in /etc/default/docker is honoured depends
on the package's unit file; `{"iptables": false}` in /etc/docker/daemon.json
works regardless.

echo '
DOCKER_OPTS="--iptables=false"
' >
-->

## Docker

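# Debian's package named "docker" is an unrelated system-tray docklet; the
# engine is docker.io (or Docker's own docker-ce repository).
apt-get install docker.io curl
# docker-compose v1 binary. Each uname must be substituted separately to get
# e.g. docker-compose-Linux-x86_64; the collapsed `uname -s-uname -m` form
# resolves to nothing. Compose v1 (1.x) is end-of-life; prefer the compose v2
# plugin where available. Verify the download against the .sha256 file
# published on the same release page before running a network-fetched binary
# as root.
curl -L "https://github.com/docker/compose/releases/download/1.29.1/docker-compose-$(uname -s)-$(uname -m)" \
  -o /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose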


## postgres

```sh
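apt install postgresql postgresql-client
systemctl enable --now postgresql
su - postgres
# \password prompts for the value and sends it hashed, instead of leaving the
# superuser password in shell history and `ps` output the way
# `psql -c "ALTER USER postgres WITH password '...'"` does. It only matters for
# connections whose pg_hba.conf method actually checks a password (see below);
# `trust` entries ignore it.
psql -c '\password postgres'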

then edit /etc/postgresql/11/main/postgresql.conf so that PostgreSQL also accepts TCP connections (the services below connect over TCP; the editoria container connects from the docker bridge via the host IP):

listen_addresses = '*'

Note: '*' binds every interface, including the public one, so access to port 5432 then rests entirely on pg_hba.conf and on the firewall at the end of this guide. Listening on `localhost` plus the docker bridge address only is the tighter choice.

and /etc/postgresql/11/main/pg_hba.conf

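# TYPE  DATABASE        USER            ADDRESS                 METHOD
# Password-checked instead of `trust`: with `trust`, any process that can reach
# the port (every --network=host container on 127.0.0.1, every container on the
# docker bridge for 172.18.0.0/16) logs in as any role, including the superuser,
# without a password. All services below are started with POSTGRES_PASSWORD, so
# nothing depends on passwordless access. `md5` also accepts SCRAM-stored
# passwords; set password_encryption = scram-sha-256 in postgresql.conf before
# creating the roles and use `scram-sha-256` here for the stronger scheme.
host    all             all             127.0.0.1/32            md5

# One entry covers the whole docker bridge network (the two original /16 lines
# were the same network); the ADDRESS is written as the network's base address.
host    editoriadb      editoria        172.18.0.0/16           md5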

xsweet

postgresql db

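su - postgres
# -P prompts for the role password (twice) so it never appears on the command
# line, in shell history or in `ps`, unlike ALTER USER ... PASSWORD '...'.
# Use a strong, unique value: it is the POSTGRES_PASSWORD handed to the xsweet
# container below.
createuser -P xsweet
createdb xsweetdb -O xsweet
# Redundant for the database owner, kept for parity with the original steps.
psql -c "grant all privileges on database xsweetdb to  xsweet;"
# pgcrypto can only be created by a superuser, hence as postgres; -d replaces
# the interactive `psql` + `\c xsweetdb`.
psql -d xsweetdb -c "CREATE EXTENSION IF NOT EXISTS pgcrypto;"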

xsweet docker

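# Keep the secrets out of shell history and `ps`: put the environment in a
# root-only file and hand it to docker with --env-file. (They stay visible in
# `docker inspect` to anyone with access to the docker socket, i.e. root.)
# PUBSWEET_SECRET should be a distinct random value per service
# (e.g. `openssl rand -hex 32`).
mkdir -p /etc/editoria
( umask 077; cat > /etc/editoria/xsweet.env <<'EOF'
PUBSWEET_SECRET=YOURSECRET
SERVER_PORT=9001
SERVER_HOST=localhost
SERVER_PROTOCOL=http
POSTGRES_USER=xsweet
POSTGRES_PASSWORD=SUPERMOTDEPASSE
POSTGRES_HOST=localhost
POSTGRES_DB=xsweetdb
POSTGRES_PORT=5432
NODE_ENV=production
EOF
)
docker pull cokoapps/xsweet:1.1.0
# --network=host: the service binds 9001 on the host itself (no port mapping,
# so ufw rules apply to it) and reaches PostgreSQL on 127.0.0.1.
# --restart unless-stopped: otherwise the container stays down after a reboot
# while editoria.service comes back and cannot reach it.
docker run -d -t -i --network=host --restart unless-stopped \
  --env-file /etc/editoria/xsweet.env \
  --name xsweet cokoapps/xsweet:1.1.0
# Creates the client credentials referenced by SERVICE_XSWEET_CLIENT_ID /
# SERVICE_XSWEET_SECRET in editoria's .env — check the service docs for the
# exact output.
docker exec -it xsweet yarn create:client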

cleaning docker

# Removes ALL stopped containers, unused networks and dangling images on this
# host (asks for confirmation) — not only what belongs to this service.
docker system prune

pagedjs

postgresql db

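su - postgres
# -P prompts for the role password (twice) so it never appears on the command
# line, in shell history or in `ps`, unlike ALTER USER ... PASSWORD '...'.
# Use a strong, unique value: it is the POSTGRES_PASSWORD handed to the pagedjs
# container below.
createuser -P pagedjs
createdb pagedjsdb -O pagedjs
# Redundant for the database owner, kept for parity with the original steps.
psql -c "grant all privileges on database pagedjsdb to  pagedjs;"
# pgcrypto can only be created by a superuser, hence as postgres; -d replaces
# the interactive `psql` + `\c pagedjsdb`.
psql -d pagedjsdb -c "CREATE EXTENSION IF NOT EXISTS pgcrypto;"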

pagedjs

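# Secrets go in a root-only env file instead of the command line (shell
# history, `ps`); `docker inspect` still shows them to root.
# PUBSWEET_SECRET should be a distinct random value per service.
mkdir -p /etc/editoria
( umask 077; cat > /etc/editoria/pagedjs.env <<'EOF'
PUBSWEET_SECRET=YOURSECRET
SERVER_PORT=9002
SERVER_HOST=localhost
SERVER_PROTOCOL=http
POSTGRES_USER=pagedjs
POSTGRES_PASSWORD=SUPERMOTDEPASSE
POSTGRES_HOST=localhost
POSTGRES_DB=pagedjsdb
POSTGRES_PORT=5432
NODE_ENV=production
EOF
)
docker pull cokoapps/pagedjs:1.1.0
# --network=host: binds 9002 on the host (ufw applies, no port mapping) and
# reaches PostgreSQL on 127.0.0.1. --restart unless-stopped brings the
# container back after a reboot, as editoria.service expects.
docker run -d -t -i --network=host --restart unless-stopped \
  --env-file /etc/editoria/pagedjs.env \
  --name pagedjs cokoapps/pagedjs:1.1.0
# Creates the client credentials referenced by SERVICE_PAGEDJS_CLIENT_ID /
# SERVICE_PAGEDJS_SECRET in editoria's .env — check the service docs.
docker exec -it pagedjs yarn create:client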

cleaning docker

# Removes ALL stopped containers, unused networks and dangling images on this
# host (asks for confirmation) — not only what belongs to this service.
docker system prune

icml

postgresql db

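su - postgres
# -P prompts for the role password (twice) so it never appears on the command
# line, in shell history or in `ps`, unlike ALTER USER ... PASSWORD '...'.
# Use a strong, unique value: it is the POSTGRES_PASSWORD handed to the icml
# container below.
createuser -P icml
createdb icmldb -O icml
# Redundant for the database owner, kept for parity with the original steps.
psql -c "grant all privileges on database icmldb to  icml;"
# pgcrypto can only be created by a superuser, hence as postgres; -d replaces
# the interactive `psql` + `\c icmldb`.
psql -d icmldb -c "CREATE EXTENSION IF NOT EXISTS pgcrypto;"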

icml

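# Secrets go in a root-only env file instead of the command line (shell
# history, `ps`); `docker inspect` still shows them to root.
# PUBSWEET_SECRET should be a distinct random value per service.
mkdir -p /etc/editoria
( umask 077; cat > /etc/editoria/icml.env <<'EOF'
PUBSWEET_SECRET=YOURSECRET
SERVER_PORT=9003
SERVER_HOST=localhost
SERVER_PROTOCOL=http
POSTGRES_USER=icml
POSTGRES_PASSWORD=SUPERMOTDEPASSE
POSTGRES_HOST=localhost
POSTGRES_DB=icmldb
POSTGRES_PORT=5432
NODE_ENV=production
EOF
)
docker pull cokoapps/icml:1.1.0
# --network=host: binds 9003 on the host (ufw applies, no port mapping) and
# reaches PostgreSQL on 127.0.0.1. --restart unless-stopped brings the
# container back after a reboot, as editoria.service expects.
docker run -d -t -i --network=host --restart unless-stopped \
  --env-file /etc/editoria/icml.env \
  --name icml cokoapps/icml:1.1.0
# Creates the client credentials referenced by SERVICE_ICML_CLIENT_ID /
# SERVICE_ICML_SECRET in editoria's .env — check the service docs.
docker exec -it icml yarn create:client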

cleaning docker

# Removes ALL stopped containers, unused networks and dangling images on this
# host (asks for confirmation) — not only what belongs to this service.
docker system prune

epubchecker

postgresql db

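su - postgres
# -P prompts for the role password (twice) so it never appears on the command
# line, in shell history or in `ps`, unlike ALTER USER ... PASSWORD '...'.
# Use a strong, unique value: it is the POSTGRES_PASSWORD handed to the
# epubchecker container below.
createuser -P epubchecker
createdb epubcheckerdb -O epubchecker
# Redundant for the database owner, kept for parity with the original steps.
psql -c "grant all privileges on database epubcheckerdb to  epubchecker;"
# pgcrypto can only be created by a superuser, hence as postgres; -d replaces
# the interactive `psql` + `\c epubcheckerdb`.
psql -d epubcheckerdb -c "CREATE EXTENSION IF NOT EXISTS pgcrypto;"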

epubchecker

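# Secrets go in a root-only env file instead of the command line (shell
# history, `ps`); `docker inspect` still shows them to root.
# PUBSWEET_SECRET should be a distinct random value per service.
# Unlike the other services, no SERVER_HOST/SERVER_PROTOCOL were set here in
# the original — presumably not needed by this image; verify against its docs.
mkdir -p /etc/editoria
( umask 077; cat > /etc/editoria/epubchecker.env <<'EOF'
PUBSWEET_SECRET=YOURSECRET
SERVER_PORT=9004
POSTGRES_USER=epubchecker
POSTGRES_PASSWORD=SUPERMOTDEPASSE
POSTGRES_HOST=localhost
POSTGRES_DB=epubcheckerdb
POSTGRES_PORT=5432
NODE_ENV=production
EOF
)
docker pull cokoapps/epubchecker:1.1.0
# --network=host: binds 9004 on the host (ufw applies, no port mapping) and
# reaches PostgreSQL on 127.0.0.1. --restart unless-stopped brings the
# container back after a reboot, as editoria.service expects.
docker run -d -t -i --network=host --restart unless-stopped \
  --env-file /etc/editoria/epubchecker.env \
  --name epubchecker cokoapps/epubchecker:1.1.0
# Creates the client credentials referenced by SERVICE_EPUB_CHECKER_CLIENT_ID /
# SERVICE_EPUB_CHECKER_SECRET in editoria's .env — check the service docs.
docker exec -it epubchecker yarn create:client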

cleaning docker

# Removes ALL stopped containers, unused networks and dangling images on this
# host (asks for confirmation) — not only what belongs to this service.
docker system prune

minio file server

https://www.digitalocean.com/community/tutorials/how-to-set-up-an-object-storage-server-using-minio-on-ubuntu-18-04 https://metal.equinix.com/developers/guides/minio/

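# Pinned release. MinIO publishes a .sha256sum (and a .minisig) next to each
# artifact on dl.min.io; check it before installing a package that will run as
# a system service. (Older releases move under .../release/linux-amd64/archive/.)
wget https://dl.min.io/server/minio/release/linux-amd64/minio_20210422154428.0.0_amd64.deb
wget https://dl.min.io/server/minio/release/linux-amd64/minio_20210422154428.0.0_amd64.deb.sha256sum
sha256sum -c minio_20210422154428.0.0_amd64.deb.sha256sum
dpkg -i minio_20210422154428.0.0_amd64.deb

# Dedicated unprivileged account; the unit file fetched below should run minio
# as it. /usr/sbin/nologin is the Debian path (useradd does not check it).
useradd -r minio-user -s /usr/sbin/nologin
mkdir /usr/local/share/minio/
chown minio-user:minio-user /usr/local/share/minio/
mkdir /etc/minio

# This file holds the MinIO root credentials. systemd reads it (as root) via
# EnvironmentFile, so it can and should be readable by root only — the default
# mode from `echo ... >` leaves it world-readable.
# MINIO_ACCESS_KEY/MINIO_SECRET_KEY are the legacy names of
# MINIO_ROOT_USER/MINIO_ROOT_PASSWORD; this release accepts both.
# --address :9000 listens on every interface, in plain http: S3 credentials
# travel in clear to anyone who can reach 9000, so keep that port firewalled to
# the docker bridge (see the firewall section) or front it with TLS.
( umask 077; cat > /etc/default/minio <<'EOF'
MINIO_VOLUMES="/usr/local/share/minio/"
MINIO_OPTS="-C /etc/minio --address :9000"
MINIO_ACCESS_KEY="STRONGACCESSKEY"
MINIO_SECRET_KEY="SUPERMOTDEPASSE"
EOF
)

# Fetched from an unpinned branch and installed as root: read it before
# enabling (expect User=minio-user and EnvironmentFile=/etc/default/minio).
wget -P /etc/systemd/system/ https://raw.githubusercontent.com/minio/minio-service/master/linux-systemd/minio.service

systemctl daemon-reload
systemctl enable minio
systemctl start minio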

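# Manual start with the current variable names, for reference only:
# MINIO_ROOT_USER=admin MINIO_ROOT_PASSWORD=YOURPASSWORD minio server /mnt/data

# Unpinned client binary; dl.min.io publishes mc.sha256sum alongside — verify
# it as for the server package.
wget -P /usr/local/bin/ https://dl.min.io/client/mc/release/linux-amd64/mc
chmod +x /usr/local/bin/mc

# With the key arguments omitted, `mc alias set` prompts for them instead of
# leaving the root credentials (MINIO_ACCESS_KEY / MINIO_SECRET_KEY from
# /etc/default/minio) in shell history; likewise `mc admin user add` prompts
# for the secret key when it is not given.
mc alias set minio http://localhost:9000
mc admin user add minio editoria
mc admin user enable minio editoria
# readwrite is the built-in policy granting full access to every bucket; for
# least privilege attach a custom policy limited to the editoria bucket instead.
mc admin policy set minio/ readwrite user=editoria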

Editoria

https://gitlab.coko.foundation/editoria/editoria/-/blob/master/INSTALL.md

postgresql db

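su - postgres
# -P prompts for the role password (twice) so it never appears on the command
# line, in shell history or in `ps`, unlike ALTER USER ... PASSWORD '...'.
# Use a strong, unique value: it is the POSTGRES_PASSWORD in editoria's .env.
createuser -P editoria
createdb editoriadb -O editoria
# Redundant for the database owner, kept for parity with the original steps.
psql -c "grant all privileges on database editoriadb to  editoria;"
# pgcrypto can only be created by a superuser, hence as postgres; -d replaces
# the interactive `psql` + `\c editoriadb`.
psql -d editoriadb -c "CREATE EXTENSION IF NOT EXISTS pgcrypto;"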

editoria

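cd /srv/
# Unpinned clone: check out the release tag you intend to run (see INSTALL.md)
# rather than whatever the default branch points at on install day.
git clone https://gitlab.coko.foundation/editoria/editoria.git
cd /srv/editoria
# .env holds every secret of this deployment (JWT secret, DB, S3 and service
# credentials, admin password): create it readable by root only, which a plain
# `echo ... > .env` does not.
# SERVER_PROTOCOL=http / SERVER_HOST=<ip> describe how the app sees itself,
# while users reach it over https through nginx; links the app generates
# (e.g. PASSWORD_RESET_PATH) may be wrong — confirm the expected values in
# INSTALL.md. The S3 and service secrets go to the host IP in clear (http);
# that traffic stays on the docker bridge.
( umask 077; cat > .env <<'EOF'
export EDITORIA_FLAVOUR=VANILLA
export PUBSWEET_SECRET=xxxxxxxxxxxxxxxxxx
export POSTGRES_USER=editoria
export SERVES_CLIENT=true
export ADMIN_USERNAME=admin
export ADMIN_PASSWORD=xxxxxxxxxxxxxxx
export ADMIN_GIVEN_NAME=admin
export ADMIN_SURNAME=admin
export ADMIN_EMAIL=foo@bar.com
export POSTGRES_PASSWORD=xxxxxxxxxxxxxxxxxx
export POSTGRES_HOST=ip.ip.ip.ip #ip of the host
export POSTGRES_DB=editoriadb
export POSTGRES_PORT=5432
#export LANGUAGE_PROTOCOL=
#export LANGUAGE_HOST=
#export LANGUAGE_PORT=
#export MAILER_USER=
#export MAILER_PASSWORD=
#export MAILER_SENDER=
#export MAILER_HOSTNAME=
export PASSWORD_RESET_PATH=password-reset
export NODE_ENV=production
export SERVER_PROTOCOL=http
export SERVER_HOST=ip.ip.ip.ip #ip of the host
export SERVER_PORT=9005
export S3_PROTOCOL=http
export S3_HOST=ip.ip.ip.ip #ip of the host
export S3_PORT=9000
export S3_ACCESS_KEY_ID_ADMIN=xxxxxxxxxxxxxxxxxxx
export S3_SECRET_ACCESS_KEY_ADMIN=yyyyyyyyyyyyyyyyyyyyy
export S3_ACCESS_KEY_ID_USER=editoria
export S3_SECRET_ACCESS_KEY_USER=zzzzzzzzzzzzzzzzzzzzzzzz
export S3_BUCKET=editoria
# (check service documentation on how to create client id and secret https://gitlab.coko.foundation/cokoapps/epub-checker)
export SERVICE_EPUB_CHECKER_CLIENT_ID=xxxxxx-xxxxx-xxxxx-xxxxx-xxxxxxxxxxxxx
export SERVICE_EPUB_CHECKER_SECRET=yyyyyyyyyyyyyyyyy
export SERVICE_EPUB_CHECKER_PROTOCOL=http
export SERVICE_EPUB_CHECKER_HOST=ip.ip.ip.ip #ip of the host
export SERVICE_EPUB_CHECKER_PORT=9004
# (check service documentation on how to create client id and secret https://gitlab.coko.foundation/cokoapps/icml)
export SERVICE_ICML_CLIENT_ID=xxxxxx-xxxxx-xxxxx-xxxxx-xxxxxxxxxxxxx
export SERVICE_ICML_SECRET=yyyyyyyyyyyyyyyyy
export SERVICE_ICML_PROTOCOL=http
export SERVICE_ICML_HOST=ip.ip.ip.ip #ip of the host
export SERVICE_ICML_PORT=9003
# (check service documentation on how to create client id and secret https://gitlab.coko.foundation/cokoapps/pagedjs)
export SERVICE_PAGEDJS_CLIENT_ID=xxxxxx-xxxxx-xxxxx-xxxxx-xxxxxxxxxxxxx
export SERVICE_PAGEDJS_SECRET=yyyyyyyyyyyyyyyyy
export SERVICE_PAGEDJS_PROTOCOL=http
export SERVICE_PAGEDJS_HOST=ip.ip.ip.ip #ip of the host
export SERVICE_PAGEDJS_PORT=9002
# (check service documentation on how to create client id and secret https://gitlab.coko.foundation/cokoapps/xsweet)
export SERVICE_XSWEET_CLIENT_ID=xxxxxx-xxxxx-xxxxx-xxxxx-xxxxxxxxxxxxx
export SERVICE_XSWEET_SECRET=yyyyyyyyyyyyyyyyy
export SERVICE_XSWEET_PROTOCOL=http
export SERVICE_XSWEET_HOST=ip.ip.ip.ip #ip of the host
export SERVICE_XSWEET_PORT=9001
EOF
)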

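docker-compose -f docker-compose.production.yml build
# docker-compose -f docker-compose.production.yml up

# If docker-compose.production.yml publishes port 9005 (`ports:`), bind it to
# 127.0.0.1 there (e.g. "127.0.0.1:9005:9005"): nginx proxies to 127.0.0.1:9005
# and Docker's own iptables rules make published ports reachable from outside
# regardless of ufw.
cat > /etc/systemd/system/editoria.service <<'EOF'
[Unit]
Description=editoria service with docker compose
Requires=docker.service minio.service postgresql.service
After=docker.service minio.service postgresql.service

[Service]
# `up -d` returns as soon as the containers are started: oneshot +
# RemainAfterExit keeps the unit "active" until ExecStop. Restart= does not
# apply to oneshot units; a restart policy in the compose file, if any, is what
# handles container crashes.
Type=oneshot
RemainAfterExit=true
WorkingDirectory=/srv/editoria
ExecStart=/usr/local/bin/docker-compose -f docker-compose.production.yml up -d
# Same compose file as ExecStart; without -f, `down` would act on the default
# docker-compose.yml in the directory.
ExecStop=/usr/local/bin/docker-compose -f docker-compose.production.yml down

[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable editoria
systemctl start editoria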

cleaning docker

# Removes ALL stopped containers, unused networks and dangling images on this
# host (asks for confirmation) — not only what belongs to this service.
docker system prune

SSL

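apt-get install --yes nginx certbot
systemctl stop nginx
# The standalone authenticator needs port 80 free, hence the hooks. Hooks given
# at certonly time are saved in /etc/letsencrypt/renewal/<name>.conf, so the
# certbot.timer / cron.d job shipped by the Debian package renews this
# certificate on its own — no hand-written crontab needed. (The original built
# one through /tmp/mycron, a fixed name in a world-writable directory that any
# local user can pre-create or symlink; if you do want an explicit cron entry,
# use `crontab -e` or a `mktemp` file.) The webroot authenticator would avoid
# stopping nginx at every renewal.
certbot certonly --standalone -d your.domain.ltd --cert-name your.domain.ltd \
  --pre-hook 'systemctl stop nginx' --post-hook 'systemctl start nginx'
systemctl start nginx
mkdir -p /etc/nginx/ssl/certs/your.domain.ltd
openssl dhparam -out /etc/nginx/ssl/certs/your.domain.ltd/dhparam.pem 2048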

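# Quoted heredoc: nothing is expanded by the shell, and unlike `echo` no shell
# (dash's echo interprets backslashes) gets to mangle the `\.ht` pattern.
cat > /etc/nginx/sites-available/your.domain.ltd.conf <<'EOF'
server {
  listen 80;
  listen [::]:80;
  server_name your.domain.ltd;
  return 301 https://$server_name$request_uri;
}

server {
  listen 443 ssl;
  listen [::]:443 ssl;

  server_name your.domain.ltd;

  charset utf-8;

  location = /favicon.ico { access_log off; log_not_found off; }
  location = /robots.txt  { access_log off; log_not_found off; }

  access_log on;
  # error_log /var/log/nginx/your.domain.ltd/error.log;

  sendfile off;

  client_max_body_size 100m;

  #SSL Certificates
  # TLS 1.0/1.1 are deprecated (RFC 8996); Debian 10's nginx/OpenSSL do 1.3.
  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_certificate "/etc/letsencrypt/live/your.domain.ltd/fullchain.pem";
  ssl_certificate_key "/etc/letsencrypt/live/your.domain.ltd/privkey.pem";
  ssl_dhparam /etc/nginx/ssl/certs/your.domain.ltd/dhparam.pem;
  ssl_session_cache shared:SSL:1m;
  ssl_session_timeout 10m;
  ssl_ciphers HIGH:!aNULL:!MD5;
  #ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
  ssl_prefer_server_ciphers  on;

  # The original value was split over two lines with the "#" inside the quotes,
  # so the header would have carried a line break and a literal
  # "#includeSubDomains". Add includeSubDomains only once every subdomain is
  # served over https.
  add_header Strict-Transport-Security "max-age=31536000" always;
  # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

  location ~ /\.ht {
    deny all;
  }

  location / {
    proxy_pass http://127.0.0.1:9005;
    proxy_set_header    Host $host;
    # Tell the app it sits behind a TLS-terminating proxy and who the client is.
    proxy_set_header    X-Forwarded-Proto $scheme;
    proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header    X-Real-IP $remote_addr;
    # Uncomment if the app uses websockets (e.g. GraphQL subscriptions):
    # proxy_http_version 1.1;
    # proxy_set_header Upgrade $http_upgrade;
    # proxy_set_header Connection "upgrade";

    proxy_connect_timeout 30;
    proxy_send_timeout 30;
    # proxy_read_timeout keeps its 60s default; raise it if document
    # conversions through the backend take longer than that.
  }

  # website should not be displayed inside a <frame>, an <iframe> or an <object>
  add_header X-Frame-Options SAMEORIGIN;
}
EOF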

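ln -s /etc/nginx/sites-available/your.domain.ltd.conf /etc/nginx/sites-enabled/

# Validate the configuration first: restarting nginx with a broken config takes
# the whole site down instead of just refusing the change.
nginx -t && systemctl restart nginx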

firewall

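apt-get --yes install ufw
# Default policy first, and ssh before enabling so the current session is not
# cut off.
ufw default deny incoming
ufw default allow outgoing
ufw allow ssh
ufw allow http
ufw allow https
# Containers on the docker bridge (editoria via docker-compose) reach
# PostgreSQL (5432) and MinIO (9000) on the host IP. This allows *every* port
# from that network — narrow it to 5432 and 9000 if the bridge is shared with
# anything else.
ufw allow from 172.18.0.0/16
# MinIO, plain http, open to the world. Only needed if browsers must fetch from
# it directly; the editoria container is already covered by the rule above. If
# it has to stay, front it with TLS rather than exposing S3 credentials in
# clear.
ufw allow 9000/tcp
# None of the rules above take effect until the firewall is enabled (ufw is
# inactive after install; the original never enabled it). Ports published by
# Docker (`ports:` in a compose file) bypass ufw through Docker's own iptables
# chains; the --network=host services above are covered.
ufw enable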