Difference between revisions of "Kerberos.org server configuration"
Latest revision as of 11:40, 6 August 2021
This page documents the service configuration on kerberos.org (current canonical name kerborg-prod-app-2.mit.edu), which runs a web server, a wiki, and a DNS name server.
Packages
The apache2, bind9, certbot, mediawiki, and python3-certbot-apache packages are required.
Web server configuration
The static web page content is located in /var/www.
The Apache HTTP server configuration can be found in the krbdev-services repository under kerborg-apache. kerborg.cnf should be installed in /etc/ssl/private; the rest go in /etc/apache2/sites-available. Run the following commands to enable the correct configuration files:
a2ensite 000-default-kerberos-org.conf
a2ensite k5wiki.conf
a2dissite 000-default.conf
a2enmod rewrite
a2enmod ssl
The letsencrypt TLS certificate is generated using certbot:
certbot --apache -d 'kerberos.org,www.kerberos.org,k5wiki.kerberos.org,test.kerberos.org,www.test.kerberos.org,k5wiki.test.kerberos.org,kerberos.net,www.kerberos.net' certonly
letsencrypt certificates only last 90 days, but a systemd timer installed by the certbot package will automatically renew the certificate when it approaches expiration.
Mediawiki configuration
/etc/mediawiki/LocalSettings.php and /etc/mediawiki/Secrets.php contain the wiki configuration. Secrets.php must be readable by the web server; this is currently enabled by making it mode 640 and owned by group www-data.
The wiki contents are stored in a MySQL database named "wikidb". This can be dumped with "mysqldump --databases wikidb > /somepath" and loaded with "mysql < /somepath".
A MySQL user named "wikiuser" must be created to access the database. To create it run the following commands inside mysql:
create user wikiuser@localhost identified by '<password>';
grant all privileges on `wikidb`.* to 'wikiuser'@'localhost';
Use the password from /etc/mediawiki/Secrets.php.
If migrating to a server with a new version of Mediawiki, the database must be upgraded. Navigate to /wm-config on the new server and follow instructions.
Database backups
Install /mit/ops/services/mysql/mysqlbackup_java.sh in /usr/local/sbin and make it mode 755. Modify the script to use /bin/bzip2 instead of /usr/bin/bzip2, and delete the three java invocations (which are for monitoring).
/usr/local/etc/mysqlbackup_java.conf contains the database password (PASS=xxxxx) and specifies COMPRESS=yes. Make it mode 600.
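The page prescribes specific modes for the files that hold credentials (Secrets.php at 640 and group www-data, mysqlbackup_java.conf at 600, the backup script at 755). The following is an added example, not part of the wiki page, of a small check that confirms those files still have the intended mode and group so a stray chmod or chown does not leave a database password world-readable. It assumes GNU stat (Linux); the function names are hypothetical, and the paths are the ones the page itself names.

```shell
#!/bin/sh
# Added example: audit the mode and group of the credential-bearing files the
# kerberos.org configuration page describes. Assumes GNU coreutils stat.

# check_perms PATH MODE [GROUP]
# Returns 0 when PATH has exactly MODE (octal, e.g. 640) and, if GROUP is
# given, is group-owned by GROUP. Prints a one-line verdict either way.
check_perms() {
    path=$1 want_mode=$2 want_group=${3:-}
    if [ ! -e "$path" ]; then
        echo "MISSING   $path"
        return 1
    fi
    have_mode=$(stat -c '%a' "$path")
    have_group=$(stat -c '%G' "$path")
    if [ "$have_mode" != "$want_mode" ]; then
        echo "BAD-MODE  $path is $have_mode, want $want_mode"
        return 1
    fi
    if [ -n "$want_group" ] && [ "$have_group" != "$want_group" ]; then
        echo "BAD-GROUP $path is $have_group, want $want_group"
        return 1
    fi
    echo "OK        $path $have_mode $have_group"
}

# world_readable PATH
# Returns 0 when the "other" class has read permission, i.e. the condition a
# secrets file must never be in (last octal digit 4, 5, 6 or 7).
world_readable() {
    m=$(stat -c '%a' "$1")
    case $m in
        *[4567]) return 0 ;;
        *)       return 1 ;;
    esac
}

# audit_kerborg
# The files named on the page, with the modes the page prescribes. Returns
# non-zero if any check fails, so it can be run from cron or a deploy script.
audit_kerborg() {
    rc=0
    check_perms /etc/mediawiki/Secrets.php 640 www-data || rc=1
    check_perms /usr/local/etc/mysqlbackup_java.conf 600 || rc=1
    check_perms /usr/local/sbin/mysqlbackup_java.sh 755 || rc=1
    return $rc
}

# Usage (on the server): . ./audit_perms.sh && audit_kerborg
```

check_perms insists on an exact mode rather than "at most" so that an accidental 600 on Secrets.php (which would break the wiki) is reported as loudly as an accidental 644 (which would expose the database password to every local account).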
Create a MySQL user for backups by running the following within mysql:
create user 'dba-backup'@localhost identified by '<password>';
grant select, process, file, lock tables, show view on *.* to 'dba-backup'@'localhost';
Add the following root cron job:
00 23 * * * /usr/local/sbin/mysqlbackup_java.sh >/dev/null 2>&1
BIND configuration
The bind9 configuration files can be found in krbdev-services under bind. They should be installed under /etc/bind. "rndc reload" will restart the running named with the changed configuration. If it is necessary to edit any of the zone files, be sure to update the serial number in the SOA record to the current date followed by "00" (or "01" etc. for successive edits in the same day).
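The serial-number rule above (today's date followed by "00", then "01" and so on for further edits the same day) is easy to get wrong by hand, and a serial that goes backwards means secondaries silently keep the stale zone. The following is an added example, not code from the wiki page or from the krbdev-services repository, that computes the next serial and rewrites it in a zone file. It assumes the common BIND layout in which the serial is the first token on a line carrying a "; serial" comment; next_serial, bump_zone_serial and make_sample_zone are hypothetical names, and the zone file make_sample_zone writes is constructed for illustration, not the real kerberos.org zone.

```shell
#!/bin/sh
# Added example: bump a BIND zone's SOA serial using the YYYYMMDDnn convention.
# POSIX sh; needs only cut, awk, date and mv.

# next_serial CURRENT TODAY
# CURRENT is the serial now in the zone, TODAY is YYYYMMDD. Prints the serial
# to use for this edit. Never produces a value lower than CURRENT.
next_serial() {
    cur=$1 today=$2
    case $cur in
        ''|*[!0-9]*) echo "next_serial: serial '$cur' is not numeric" >&2; return 1 ;;
    esac
    cur_date=$(printf '%s' "$cur" | cut -c1-8)
    cur_seq=$(printf '%s' "$cur" | cut -c9-10)
    if [ ${#cur} -eq 10 ] && [ "$cur_date" = "$today" ]; then
        # Same day: advance the two-digit sequence (00 -> 01 -> ... -> 99).
        if [ "$cur_seq" = "99" ]; then
            echo "next_serial: already 99 edits today; wait until tomorrow" >&2
            return 1
        fi
        # ${cur_seq#0} strips a leading zero so "08" is not read as octal.
        printf '%s%02d\n' "$today" $(( ${cur_seq#0} + 1 ))
    elif [ "$cur" -lt "${today}00" ]; then
        # An earlier day, or a serial that was never in date form: start today at 00.
        printf '%s00\n' "$today"
    else
        # Serial is already ahead of today's date (clock skew, or someone used a
        # future date). Going backwards would be ignored by secondaries, so add one.
        printf '%s\n' $(( cur + 1 ))
    fi
}

# bump_zone_serial ZONEFILE [TODAY]
# Rewrites the serial line in place, keeping indentation and the comment, and
# prints the new serial. TODAY defaults to the current date.
bump_zone_serial() {
    zone=$1
    today=${2:-$(date +%Y%m%d)}
    cur=$(awk '/;[[:space:]]*[Ss]erial/ { print $1; exit }' "$zone")
    case $cur in
        ''|*[!0-9]*) echo "bump_zone_serial: no numeric serial line in $zone" >&2; return 1 ;;
    esac
    new=$(next_serial "$cur" "$today") || return 1
    awk -v o="$cur" -v n="$new" '
        !did && /;[[:space:]]*[Ss]erial/ && $1 == o { sub(o, n); did = 1 }
        { print }' "$zone" > "$zone.tmp" && mv "$zone.tmp" "$zone" || return 1
    printf '%s\n' "$new"
}

# make_sample_zone PATH
# Writes a constructed zone file (example.invalid-style names, not kerberos.org's
# real zone) so the functions above can be exercised without touching /etc/bind.
make_sample_zone() {
    cat > "$1" <<'EOF'
; constructed sample zone for kerberos.example (not the real kerberos.org zone)
$TTL 3600
@   IN  SOA ns1.kerberos.example. hostmaster.kerberos.example. (
            2021080600 ; serial
            3600       ; refresh
            900        ; retry
            604800     ; expire
            300 )      ; minimum
@   IN  NS  ns1.kerberos.example.
ns1 IN  A   192.0.2.10
EOF
}

# Usage on the server: bump_zone_serial /etc/bind/db.kerberos.org && rndc reload
case ${1:-} in
    '') ;;
    *)  bump_zone_serial "$1" ;;
esac
```

Run the serial bump before "rndc reload"; named logs a zone load with the new serial, and secondaries transfer only when they see a higher serial, which is why the function refuses to move backwards even when the file's date is ahead of the clock.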
If the IP address of kerberos.org needs to be changed, the glue record at hover.com must be updated. In the current Hover UI, glue records can be found under "advanced". The transfer lock on the domain must be temporarily disabled (via the Overview screen) to update glue records. Make sure to edit the records for kerberos.net as well as kerberos.org.