WikiSteward:SetupLog: Difference between revisions
WikiSteward (talk | contribs) Created blank page |
WikiSteward (talk | contribs) No edit summary |
||
| Line 1: | Line 1: | ||
=== Setup Linode === | |||
==== Create new Linode host ==== | |||
linode-cli linodes create \ | |||
--backups_enabled true \ | |||
--firewall_id 10328 \ | |||
--image 'linode/ubuntu24.04' \ | |||
--private_ip true \ | |||
--region us-ord \ | |||
--type g6-standard-1 \ | |||
--label ubuntu-us-chi-blinkenjim \ | |||
--tags blinkenjim \ | |||
--tags mediawiki \ | |||
--root_pass '.n23' \ | |||
--authorized_users blinkenjim \ | |||
--disk_encryption disabled | |||
==== Setup DNS ==== | |||
Go to the nameserver and change or create wiki.creatorspace.org with the new server IP address. | |||
==== Log in to the new host ==== | |||
$ ssh wiki.creatorspace.org | |||
==== Set the hostname and time zone ==== | |||
# hostnamectl set-hostname wiki.creatorspace.org | |||
# timedatectl set-timezone America/Chicago | |||
==== Verify ==== | |||
Run ''date'' and compare with your watch to verify that the time zone is set correctly. | |||
==== Make sure the installed OS is up to date ==== | |||
# apt update -y && apt upgrade -y | |||
If the kernel is upgraded you'll see the following: | |||
Diagnostics: | |||
The currently running kernel version is not the expected kernel version 6.8.0-78-generic. | |||
If services need restarting, or if the kernel has been upgraded, reboot. | |||
==== Install essential system tools ==== | |||
# apt install emacs-nox nmon -y | |||
'''Answer the question:''' | |||
* General mail configuration type: No configuration. | |||
===== Verify: ===== | |||
* Invoke emacs to ensure that it comes up. | |||
==== Install and configure Apache 2 ==== | |||
# apt install apache2 -y | |||
Edit the file /etc/apache2/sites-available/wiki.creatorspace.org.conf and enter this content: | |||
<VirtualHost *:80> | |||
ServerName wiki.creatorspace.org | |||
ServerAdmin websteward@creatorspace.org | |||
DocumentRoot /var/www/html | |||
ErrorLog ${APACHE_LOG_DIR}/wiki.creatorspace.org-error.log | |||
CustomLog ${APACHE_LOG_DIR}/wiki.creatorspace.org-access.log combined | |||
# This section is for HTTP traffic. | |||
# It's a best practice to redirect all HTTP traffic to HTTPS for security. | |||
# However, for Certbot's initial run, you'll want to either | |||
# comment this out or use a non-permanent redirect. | |||
# Redirect permanent / <nowiki>https://wiki.creatorspace.org/</nowiki> | |||
</VirtualHost> | |||
Now edit the file /etc/apache2/sites-available/wiki.creatorspace.org-ssl.conf and enter this content: | |||
<VirtualHost *:443> | |||
ServerName wiki.creatorspace.org | |||
ServerAdmin websteward@creatorspace.org | |||
DocumentRoot /var/www/html | |||
ErrorLog ${APACHE_LOG_DIR}/wiki.creatorspace.org-error.log | |||
CustomLog ${APACHE_LOG_DIR}/wiki.creatorspace.org-access.log combined | |||
# Placeholder for SSL directives - Certbot will fill this in | |||
</VirtualHost> | |||
===== Enable our sites and disable the default ===== | |||
# a2ensite wiki.creatorspace.org.conf | |||
# a2ensite wiki.creatorspace.org-ssl.conf | |||
# a2dissite 000-default.conf | |||
# systemctl restart apache2 | |||
==== Install Certbot and set up SSL certificate ==== | |||
First, install certbot: | |||
# apt install certbot python3-certbot-apache -y | |||
'''''You must define the DNS entry for wiki.creatorspace.com before going any further.''''' If you haven't done this, do it now and grab a cup of coffee while the new IP address propogates. | |||
# certbot --apache -d wiki.creatorspace.org | |||
'''Answer the questions:''' | |||
* Email address: websteward@creatorspace.org | |||
* Agree to terms of service | |||
* Don't share our email address | |||
===== Verify ===== | |||
* Use an external web browser to visit https://wiki.creatorspace.org. You should see the Apache2 default page. | |||
==== Install Webmin ==== | |||
Add the Webmin Repository and Key: | |||
# cd | |||
# curl -o webmin-setup-repo.sh <nowiki>https://raw.githubusercontent.com/webmin/webmin/master/webmin-setup-repo.sh</nowiki> | |||
# sh ./webmin-setup-repo.sh | |||
'''Answer the question:''' | |||
* Setup Webmin releases repository? '''Y''' | |||
Now install Webmin: | |||
# apt install --install-recommends webmin usermin -y | |||
===== Use the Let's Encrypt SSL certificate ===== | |||
Edit the file /etc/webmin/miniserv.conf. Comment out the line to set the keyfile and add the lines to use the Let's Encrypt certificates: | |||
#keyfile=/etc/webmin/miniserv.pem | |||
keyfile=/etc/letsencrypt/live/wiki.creatorspace.org/privkey.pem | |||
certfile=/etc/letsencrypt/live/wiki.creatorspace.org/fullchain.pem | |||
===== Verify ===== | |||
In your browser, visit https://wiki.creatorspace.org:10000. If the certificate is correct, you should see the Webmin page load. If you get a warning about a non-secure connection, check the certificate configuration settings. | |||
===== Change Webmin to use a port other than the default ===== | |||
Webmin usually runs on port 10,000 but for security reasons we want to run it on a random port number. (This so that should our copy of Webmin have any unpatched vulnerabilities, attackers won't find it running on its usual port. A bit of security-by-obscurity, but it's a prudent measure.) | |||
Using your favorite random number generator, generate a random number between 10,001 and 65.535 inclusive. In your web browser, visit Webmin > Webmin Configuration > Ports and Addresses, and in the Listen on Port section, change Specific port from 10000 to the random number you just generated. Edit this page and enter the new URL for Webmin in the Verify section below. | |||
===== Verify ===== | |||
Webmin ''should'' automatically redirect your browser to the new URL, which will include the new port number. Some browsers may not respond to the redirection correctly; if yours doesn't, just click the link above. Verify that the URL you see in your browser's address field begins with something like: | |||
https://wiki.creatorspace.org:42887/ | |||
===== Lock down SSH access ===== | |||
''NB: Before doing the following, ensure that you have a root shell logged in. If you don't you will find yourself locked out and Acts of Heroism will be required to get you back in.'' | |||
On the Webmin page, visit Servers > SSH Server > Authentication and change: | |||
* Allow authentication by password to No. | |||
* Allow login by ''root'' to No, disable root login completely | |||
Click Save, then on the next page, click Apply Changes. | |||
===== Verify ===== | |||
From a new terminal window, attempt to remotely log in as root. The attempt should fail. | |||
===== Create user accounts ===== | |||
On the Webmin page, go to System > Users and Groups and use the ''Create new user'' link (at the bottom, below the list of current user accounts) to create any needed user accounts, including one for yourself. Enter: | |||
* Username: user's initials in lowercase, i.e. ''jct'' | |||
* Real Name: nicknames are OK here, but make sure the name is non-ambiguous, i.e. Jim Thompson | |||
* Password: For users that will require root access, choose Normal password and enter a nontrivial password. (They can change this after their first login using ''passwd''. Note, though, that the changes we made in locking down SSH will prevent them from using their password to log in. This password is only for purposes of using ''sudo.'') For all other users, choose Disable password authentication. | |||
* Shell: user's favorite shell, or /bin/bash if they have no preference. | |||
* SSH public key: paste in here the user's SSH key, usually on their ''remote'' home in ~/.ssh/id_rsa.pub | |||
* Secondary groups: add ''sudo'' to the In groups list (usually near the middle, between ''tape'' and ''audio0.'' | |||
* All other values can use defaults. | |||
===== Verify ===== | |||
* Have each user SSH into their account from a remote shell, to verify that their SSH key works. | |||
* For users requiring root access, have them run ''sudo -i'' and enter their password (not the root password) to verify that they can become root. | |||
==== Install MariaDB ==== | |||
# apt install mariadb-server -y | |||
# mysql_secure_installation | |||
'''Answer the questions:''' | |||
* Enter the current root password: Enter the root password. ''IMPORTANT: Get it right. This setup script doesn't double-check and if you enter the root password wrong here, you will have trouble later on.'' | |||
* Use unix_socket authentication: Y | |||
* Change the root password: N | |||
* Remove anonymous users: Y | |||
* Disallow remote root login: Y | |||
* Remove test database and access to it: Y | |||
* Reload privilege tables: Y | |||
==== Install PHPMyAdmin ==== | |||
First install some prerequisites: | |||
# apt install php libapache2-mod-php php-mysql php-mbstring php-zip php-gd php-json php-curl php-xml -y | |||
# systemctl restart apache2 | |||
Now install PHPMyAdmin: | |||
# apt install phpmyadmin -y | |||
'''Answer the questions:''' | |||
* Web server co reconfigure automatically: apache2 | |||
* Configure database for phpmyadmin with dbconfig-common? <Yes> | |||
* Enter a password: ''same as root password'' | |||
===== Verify ===== | |||
Try accessing the PHPMyAdmin server at https://wiki.creatorspace.org/phpmyadmin. If you get a URL not found error, fix it like this then try again: | |||
# ln -s /etc/phpmyadmin/apache.conf /etc/apache2/conf-available/phpmyadmin.conf | |||
# a2enconf phpmyadmin.conf | |||
# systemctl reload apache2 | |||
==== Install MediaWiki ==== | |||
# cd | |||
# apt install php-intl php-apcu -y | |||
# wget https://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.44<nowiki/>.0.tar.gz | |||
# cd /var/www/html | |||
# tar xvf ~/mediawiki-1.44.0.tar.gz | |||
# mv mediawiki-1.44.0/* wiki | |||
# rmdir mediawiki-1.44.0 | |||
# sudo chown -R www-data:www-data . | |||
# sudo find . -type d -exec chmod 755 {} \; | |||
# sudo find . -type f -exec chmod 644 {} \; | |||
Create the MediaWiki database. Run: | |||
# mysql -u root | |||
Then enter: | |||
CREATE DATABASE wikidb; | |||
CREATE USER 'wikiuser'@'localhost' IDENTIFIED BY 'StrongPasswordWefdtf'; | |||
GRANT ALL PRIVILEGES ON wikidb.* TO 'wikiuser'@'localhost'; | |||
FLUSH PRIVILEGES; | |||
EXIT; | |||
Close some security holes. First, we want to disable indexes everywhere. Second, we want to disable execution of PHP and other CGI in the directory where users are able to upload images: /var/www/html/wiki/images. Edit the file /etc/apache2/sites-available/wiki.creatorspace.org.conf and append this text: | |||
# Turn off indexing everywhere | |||
<Directory /var/www/html/> | |||
Options -Indexes -ExecCGI | |||
</Directory> | |||
# Turn off PHP and other CGI handling in the MediaWiki images directory. | |||
<Directory /var/www/html/wiki/images> | |||
<FilesMatch .*> | |||
# Set handler to 'none' for all files in this directory | |||
SetHandler "none" | |||
Require all granted | |||
</FilesMatch> | |||
</Directory> | |||
Close another hole. Edit /etc/apache2/conf-available/security.conf | |||
And uncomment the line | |||
Header set X-Content-Type-Options: "nosniff" | |||
Then run: | |||
# a2enmod headers | |||
# apachectl configtest | |||
# systemctl restart apache2 | |||
You can ignore any complaints about the ServerName not being configured globally. We have correctly configured it for the virtual host. | |||
===== Finish the MediaWiki setup ===== | |||
Visit <nowiki>https://jimthompson.org/wiki/</nowiki> and click ''set up the wiki.'' | |||
'''Answer the questions:''' | |||
* Your language: En | |||
* Wiki language: En | |||
After you click Continue, It'll run some basic tests. With our setup '''you should see no warnings'''. If you do, then something is wrong; check that you've followed the setup instructions correctly. Click Continue to keep going. | |||
'''Answer the questions:''' | |||
* Database host: localhost | |||
* Database name: wikidb | |||
* Database table prefik: cs_ | |||
* Database username: wikiuser | |||
* Database password: StrongPasswordWefdtf | |||
Click Continue and '''Answer the questions:''' | |||
* Use the same account as for installation | |||
Click Continue and '''Answer the questions:''' | |||
* Name of wiki: CreatorSpace | |||
* Administrator account: WebSteward | |||
* Administrator password: Drawestbew | |||
* websteward@creatorspace.org | |||
* Select subscribe | |||
* Don't select share data | |||
* Select Ask me more questions | |||
Click Continue and '''Answer the questions:''' | |||
* Select Authorized editors only. ''This is important!'' We don't want random visitors to edit our wiki. | |||
* Select Creative Commons Attribution-NonCommercial-ShareAlike | |||
* Email settings: Enable all | |||
* Skins: Select all; select Vector as the default | |||
* Enable these special pages: CiteThisPage, Echo, and ReplaceText | |||
* Enable all the editors | |||
* Enable these parser hooks: CategoryTree, Cite, ImageMap, Math, ParserFunctions, Poem, and SyntaxHighlight_GeSHi. | |||
* Enable PdfHandler | |||
* Don't enable any Spam Prevention (we aren't a public wiki, so these should be unnecessary) | |||
* Enable PageImages | |||
* Enable these other extensions: Gadgets, LoginNotify, MultimediaViewer, SecureLinkFixer, Thanks. | |||
* Enable file uploads, but don't enter a directory for deleted files. | |||
* Don't enable Instant Commons. | |||
* We'll do the logos later. | |||
* Select PHP object caching. | |||
Click Continue and finish. | |||
===== Upload the LocalSettings file ===== | |||
When you finished, a file named LocalSettings.php should have been downloaded automatically. Ifnot, click the link to download it, then upload that file to /var/www/html/wiki/: | |||
$ scp Downloads/LocalSettings.php root@wiki.creatorspace.org:/var/www/html/wiki/ | |||
===== '''''CRITICALLY IMPORTANT:''''' ===== | |||
Change the ownership of LocalSettings.php and remove read permission for everyone else. ''Failure to do this could expose our database password and that would be very bad.'' | |||
# chown /usr/www/html/wiki/LocalSettings.php | |||
# chmod go-r /usr/www/html/wiki/LocalSettings.php | |||