
Difference between revisions of "Kerberos.org server configuration"

From K5Wiki
Revision as of 13:32, 26 January 2021

This page documents the service configuration on kerberos.org (current canonical name kerborg-prod-app-2.mit.edu), which runs a web server, a wiki, and a DNS name server.

Packages

The apache2, bind9, certbot, mediawiki, and python3-certbot-apache packages are required.

Web server configuration

The static web page content is located in /var/www.

The Apache HTTP server configuration can be found in the krbdev-services repository under kerborg-apache. kerborg.cnf should be installed in /etc/ssl/private; the rest go in /etc/apache2/sites-available. Run the following commands to enable the correct configuration files:

 a2ensite 000-default-kerberos-org.conf
 a2ensite k5wiki.conf
 a2dissite 000-default.conf
 a2enmod rewrite
 a2enmod ssl

The Let's Encrypt TLS certificate is obtained with certbot. "certonly" writes the certificate and key under /etc/letsencrypt without modifying the Apache configuration; the --apache plugin is used only to answer the ACME challenge. All of the names served by the two sites, including the test hosts, go into one certificate:

 certbot --apache -d 'kerberos.org,www.kerberos.org,k5wiki.kerberos.org,test.kerberos.org,www.test.kerberos.org,k5wiki.test.kerberos.org,kerberos.net,www.kerberos.net' certonly

Let's Encrypt certificates are valid for only 90 days, but the systemd timer installed by the certbot package (certbot.timer) renews the certificate automatically as it approaches expiration. Confirm that the timer is scheduled with "systemctl list-timers certbot.timer" and that a renewal would succeed with "certbot renew --dry-run".

Mediawiki configuration

/etc/mediawiki/LocalSettings.php and /etc/mediawiki/Secrets.php contain the wiki configuration. Secrets.php holds the database password and must be readable by the web server but by nobody else; this is currently done by making it mode 640 and owned by group www-data (the group Apache runs as on Debian), so only root and the web server can read it.

The wiki contents are stored in a MySQL database named "wikidb". It can be dumped with "mysqldump --databases wikidb > /somepath" and loaded with "mysql < /somepath"; the --databases flag makes the dump include the CREATE DATABASE and USE statements, so no database name needs to be given on restore.

A MySQL user named "wikiuser" must be created to access the database. To create it run the following commands inside mysql:

 create user 'wikiuser'@'localhost' identified by '<password>';
 grant all privileges on `wikidb`.* to 'wikiuser'@'localhost';

Use the password from /etc/mediawiki/Secrets.php.

If migrating to a server with a new version of Mediawiki, the database schema must be upgraded. Navigate to the wiki's /mw-config page on the new server and follow the instructions, or run MediaWiki's maintenance/update.php script from the command line.

Database backups

Install /mit/ops/services/mysql/mysqlbackup_java.sh in /usr/local/sbin and make it mode 755. Modify the script to use /bin/bzip2 instead of /usr/bin/bzip2, and delete the three java invocations (which are for monitoring).

/usr/local/etc/mysqlbackup_java.conf contains the database password (PASS=xxxxx) and specifies COMPRESS=yes. Make it mode 600.
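Secrets.php, mysqlbackup_java.conf and mysqlbackup_java.sh each get an explicit mode above, and a credentials file that is silently left 644 (for example after an editor rewrote it) is the kind of thing that is only noticed once someone looks. The following POSIX shell audit is an added example, not code from this page or from the krbdev-services repository; it assumes GNU or busybox stat (the -c option) and takes the group name www-data from the Mediawiki section above.

```shell
#!/bin/sh
# Added example, not part of the wiki page or the krbdev-services repository.
# Audits the file modes this page prescribes, so that a secrets file that was
# left world-readable (e.g. 644 after an editor rewrote it) is caught.
# Assumes GNU or busybox stat (-c '%a' = octal mode, '%G' = group name).

# check_mode FILE EXPECTED_OCTAL -> 0 if FILE's mode is exactly EXPECTED_OCTAL,
# 1 if it differs, 2 if FILE is missing.
check_mode() {
    file=$1
    want=$2
    if [ ! -e "$file" ]; then
        echo "MISSING $file" >&2
        return 2
    fi
    have=$(stat -c '%a' "$file")
    if [ "$have" = "$want" ]; then
        echo "ok      $file mode $have"
        return 0
    fi
    echo "WRONG   $file mode $have, expected $want" >&2
    return 1
}

# check_group FILE GROUP -> 0 if FILE is owned by GROUP.
# Mode 640 only protects Secrets.php if the group is the one Apache runs as.
check_group() {
    file=$1
    want=$2
    have=$(stat -c '%G' "$file" 2>/dev/null) || return 2
    if [ "$have" = "$want" ]; then
        echo "ok      $file group $have"
        return 0
    fi
    echo "WRONG   $file group $have, expected $want" >&2
    return 1
}

# audit_kerborg_files -> 0 only if every file the page assigns a mode to
# has that mode. Paths are the page's; www-data is the Debian Apache group.
audit_kerborg_files() {
    rc=0
    check_mode  /etc/mediawiki/Secrets.php 640            || rc=1
    check_group /etc/mediawiki/Secrets.php www-data       || rc=1
    check_mode  /usr/local/etc/mysqlbackup_java.conf 600  || rc=1
    check_mode  /usr/local/sbin/mysqlbackup_java.sh 755   || rc=1
    return $rc
}

# Run the audit when invoked as "sh audit.sh --audit"; sourcing the file
# only defines the functions.
if [ "${1:-}" = "--audit" ]; then
    audit_kerborg_files
fi
```

Run it as root after any edit to Secrets.php or the backup configuration; a non-zero exit means at least one file is not as the page describes, and the offending path is printed on stderr.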

Create a MySQL user for backups by running the following within mysql. The account name contains a hyphen, so both parts must be quoted:

 create user 'dba-backup'@'localhost' identified by '<password>';
 grant select, process, file, lock tables, show view on *.* to 'dba-backup'@'localhost';

Unlike wikiuser, this account gets no write privileges on the databases. FILE is only needed for dumps that write files on the database host (mysqldump --tab); since it also lets the account read and write files as the mysqld user, drop it if the backup script does not use that mode.

Add the following root cron job:

 00 23 * * * /usr/local/sbin/mysqlbackup_java.sh >/dev/null 2>&1

BIND configuration

The bind9 configuration files can be found in krbdev-services under bind. They should be installed under /etc/bind. Check them with "named-checkconf" (and "named-checkzone <zone> <file>" for each zone file) before running "rndc reload", which makes the running named reload the changed configuration and zones without a restart. If it is necessary to edit any of the zone files, be sure to increase the serial number in the SOA record: set it to the current date followed by "00" (or "01" etc. for successive edits in the same day). Secondaries only transfer a zone whose serial is higher than the one they already hold, so a forgotten serial bump means the change never propagates.
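The serial rule above, as an added example that is not part of this page or of the krbdev-services repository: a POSIX shell function that computes the next YYYYMMDDnn serial, covering the "second edit today" case and refusing to go backwards, plus a helper that rewrites the serial in a zone file. The helper assumes the serial is on its own line followed by a "; serial" comment, which is the common layout but not something the page states about the repository's files; the zone fragment used to exercise it is constructed.

```shell
#!/bin/sh
# Added example, not part of the wiki page or the krbdev-services repository.
# Computes the next SOA serial under the YYYYMMDDnn convention described
# above. A serial that does not increase is ignored by secondaries, so the
# function never returns a value <= the current one.

# next_serial CURRENT [TODAY]
#   CURRENT  serial currently in the zone file, e.g. 2021012600
#   TODAY    date as YYYYMMDD; defaults to today's UTC date
# Prints the new serial; returns 1 on bad input or after 99 edits in one day.
next_serial() {
    cur=$1
    today=${2:-$(date -u +%Y%m%d)}
    case $cur in
        ''|*[!0-9]*)
            echo "next_serial: '$cur' is not a numeric serial" >&2
            return 1 ;;
    esac
    case $cur in
        "$today"[0-9][0-9])
            # Already edited today: bump the two-digit suffix (00 -> 01 ...).
            n=${cur#"$today"}
            n=${n#0}                 # avoid "09" being read as octal
            n=$((n + 1))
            if [ "$n" -gt 99 ]; then
                echo "next_serial: more than 100 edits on $today" >&2
                return 1
            fi
            printf '%s%02d\n' "$today" "$n" ;;
        *)
            new=${today}00
            if [ "$cur" -ge "$new" ]; then
                # Current serial is already past today (clock skew, or a
                # non-date serial): add one so it still increases.
                new=$((cur + 1))
            fi
            echo "$new" ;;
    esac
}

# bump_zone_file FILE [TODAY]
# Rewrites the SOA serial in FILE in place and prints the new value.
# Assumes (the common layout, not something the page states) that the
# serial is on its own line followed by a "; serial" comment:
#         2021012600 ; serial
bump_zone_file() {
    zone=$1
    today=$2
    cur=$(awk '/^[ \t]*[0-9]+[ \t]*;[ \t]*[Ss]erial/ { print $1; exit }' "$zone")
    if [ -z "$cur" ]; then
        echo "bump_zone_file: no '; serial' line in $zone" >&2
        return 1
    fi
    new=$(next_serial "$cur" "$today") || return 1
    awk -v old="$cur" -v new="$new" '
        !done && $1 == old && /;[ \t]*[Ss]erial/ { sub(old, new); done = 1 }
        { print }' "$zone" > "$zone.tmp" && mv "$zone.tmp" "$zone"
    echo "$new"
}
```

Typical use is "bump_zone_file /etc/bind/<zone file>" after editing the records, then "named-checkzone <zone> <file>" and "rndc reload". The fallback branch matters more than it looks: if someone once set a serial larger than today's date, resetting to YYYYMMDD00 would move the serial backwards and the secondaries would keep serving the stale zone indefinitely.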

If the IP address of kerberos.org needs to be changed, the glue record at hover.com must be updated as well, since the name server for the zone lives on the same host. In the current Hover UI, glue records can be found under "advanced". The transfer lock on the domain must be temporarily disabled (via the Overview screen) to update glue records, and should be re-enabled afterwards.