Debian server installation

These are advanced installation notes for a Debian server on which OpenAtlas is deployed.
We use these instructions for our own workflow, so they are very specific and detailed (e.g. changing the prompt to show colors and git information); feel free to use or adapt them as needed.

Additional packages

apt install aptitude ntp vim

Locales

The OpenAtlas user interface is currently available in English and German; install the locales you need with this command:

dpkg-reconfigure locales

Security

  • Implement SSH key based user access
  • Disallow password authentication and root login
    • vim /etc/ssh/sshd_config
      PermitRootLogin no
      PasswordAuthentication no
      
    • sshd uses the first occurrence of a keyword, and recent Debian releases include /etc/ssh/sshd_config.d/*.conf at the top of sshd_config, so a drop-in there overrides anything set later in the main file. Validate the syntax with sshd -t before restarting and check the effective values with sshd -T | grep -Ei 'permitrootlogin|passwordauthentication'.
    • To test, open a second shell, restart the SSH server (systemctl restart ssh) and try to log in again. Leave the first shell open in case you have to fix things.
  • Install and activate unattended upgrades (apt install unattended-upgrades, then dpkg-reconfigure -plow unattended-upgrades)
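
The following script is an added example and not part of the OpenAtlas wiki or project: it audits an sshd_config file for the two settings above and shows the first-match rule that makes a hardening line appended at the end of the file ineffective. The file names and the constructed sample config are assumptions for the demo; the script does not resolve Include directives, so on a live host sshd -T remains the authoritative check.

```shell
#!/bin/sh
# Added example, not from the OpenAtlas wiki: audit an sshd_config file for the
# two settings the page asks for. sshd takes the FIRST occurrence of a keyword,
# so a hardening line appended at the end is ignored when an earlier line (or an
# earlier Include drop-in) already sets the same keyword, and anything after the
# first "Match" line is conditional rather than global. Include directives are
# not followed here; use "sshd -T" on the host for the fully resolved config.

# Print the effective global value of KEYWORD in FILE (first match wins, keyword
# case-insensitive, "Keyword value" and "Keyword=value" forms accepted, comments
# and blank lines skipped). Prints nothing when the keyword is not set globally.
sshd_effective() {
    kw=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    awk -v kw="$kw" '
        /^[ \t]*#/ || NF == 0 { next }
        {
            gsub("=", " ")              # normalise Keyword=value to Keyword value
            k = tolower($1)
            if (k == "match") exit      # global section ends at the first Match block
            if (k == kw) { print $2; exit }
        }' "$2"
}

# Return 0 when FILE disables root login and password authentication, 1 otherwise,
# printing each directive that does not have the expected value.
audit_sshd_config() {
    file=$1
    rc=0
    for want in PermitRootLogin=no PasswordAuthentication=no; do
        key=${want%%=*}
        val=${want##*=}
        got=$(sshd_effective "$key" "$file")
        if [ "$got" != "$val" ]; then
            echo "$key is '${got:-unset}', expected '$val'"
            rc=1
        fi
    done
    return $rc
}

# Demo on a constructed config (not a real server file): the second
# PermitRootLogin line never takes effect because the first one wins.
demo=$(mktemp)
cat > "$demo" <<'EOF'
Include /etc/ssh/sshd_config.d/*.conf
PermitRootLogin yes
PasswordAuthentication no
# added later "to harden", but ignored by sshd:
PermitRootLogin no
EOF
audit_sshd_config "$demo" || echo "constructed config FAILS the audit"
rm -f "$demo"
```

Run it against /etc/ssh/sshd_config and every file in /etc/ssh/sshd_config.d/ before restarting ssh; if a drop-in sets PermitRootLogin or PasswordAuthentication, that value wins over the main file because the Include sits at the top.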

rkhunter

  • apt install rkhunter
  • vim /etc/rkhunter.conf and change the following (the WEB_CMD change lets rkhunter --update fetch its data files):
    MIRRORS_MODE=1 ---> MIRRORS_MODE=0
    UPDATE_MIRRORS=0 ---> UPDATE_MIRRORS=1
    WEB_CMD="/bin/false" ---> WEB_CMD=""
    ALLOWDEVFILE=/dev/shm/PostgreSQL*
    
  • vim /etc/rkhunter.conf.local
    PKGMGR=DPKG
    
  • rkhunter -c
  • rkhunter --propupd (this records the current file hashes as the trusted baseline, so only run it on a freshly installed or otherwise known clean system and after intended package updates)
  • vim /etc/default/rkhunter
    Set the following values:
    CRON_DAILY_RUN="true"
    CRON_DB_UPDATE="true"
    APT_AUTOGEN="true"
    

File structure

  • /var/www
    • /openatlas (OpenAtlas instances)
    • /frontend (presentation sites)

apt install apache2 (installs Apache; the www-data ownership below refers to its user and group)

  • Set up access on /var/www: owner root, group web-admin (can write), world readable (so www-data can read).
  • Directories which need to be writable by Apache, e.g. uploads, should be owned by www-data (see the usual stackoverflow discussions on this).
groupadd web-admin
usermod -a -G web-admin alex
chgrp -R web-admin /var/www
find /var/www -type d -exec chmod 2775 {} +
find /var/www -type f -exec chmod 664 {} +

(A plain chmod -R 775 would mark every regular file executable, and chmod g+s on /var/www alone would not set the setgid bit on already existing subdirectories; the setgid bit is what makes new files inherit the web-admin group.)

Every user should set umask 002 at user level; add the following line to ~/.profile:
vim ~/.profile

Add line
umask 002

Note that this umask applies to every file the user creates, not only to files under /var/www.
Don't forget to log in again so the change is applied.
mkdir /var/www/openatlas
mkdir /var/www/frontend
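
The following script is an added example and not part of the OpenAtlas wiki or project: it applies the permission scheme described above and then verifies it, including a probe that a file created in a fresh subdirectory actually inherits the group. ROOT and GROUP are parameters (an assumption for the demo) so the script can be rehearsed on a scratch directory with your own group before running it as root on /var/www with web-admin.

```shell
#!/bin/sh
# Added example, not from the OpenAtlas wiki: apply and verify the shared web root
# permission scheme described above (group-writable for an admin group, world
# readable, setgid on directories so new files inherit the group). ROOT and GROUP
# are parameters so it can be rehearsed on a scratch directory with your own group
# before running it as root on /var/www with web-admin.

# Apply the scheme to every directory and file below ROOT.
setup_webroot() {
    root=$1
    group=$2
    chgrp -R "$group" "$root"
    # directories: rwxrwsr-x; the setgid bit makes new entries inherit GROUP
    find "$root" -type d -exec chmod 2775 {} +
    # regular files: rw-rw-r--; a blanket chmod -R 775 would mark them executable
    find "$root" -type f -exec chmod 664 {} +
}

# Return 0 when every directory below ROOT is setgid and group-writable and every
# file is group-writable and not executable; otherwise print the offenders.
check_webroot() {
    root=$1
    bad=$(find "$root" \( -type d ! -perm -2070 \) -o \
                        \( -type f \( ! -perm -060 -o -perm /111 \) \))
    if [ -n "$bad" ]; then
        echo "$bad"
        return 1
    fi
}

# Return 0 when a file created in a fresh subdirectory of ROOT inherits GROUP,
# i.e. the setgid bit does what the scheme relies on.
inherits_group() {
    root=$1
    group=$2
    mkdir "$root/inherit-test" && : > "$root/inherit-test/probe"
    result=$(stat -c %G "$root/inherit-test/probe")
    rm -r "$root/inherit-test"
    [ "$result" = "$group" ]
}

# Demo on a scratch directory (constructed, not /var/www) using the caller's group.
scratch=$(mktemp -d)
mkdir "$scratch/openatlas" "$scratch/frontend"
echo 'placeholder' > "$scratch/openatlas/index.html"
setup_webroot "$scratch" "$(id -gn)"
check_webroot "$scratch" && inherits_group "$scratch" "$(id -gn)" \
    && echo "scheme applied and verified in $scratch"
rm -r "$scratch"
```

Directories that Apache must write to (uploads) are deliberately left out of this scheme: chown them to www-data afterwards, and keep them out of the group-writable tree if the uploaded content must not be editable by every admin.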

Git

Colored prompt with git information about branch and changes

vim ~/.bashrc

# Prints "*" when the working tree has uncommitted or untracked changes.
# --porcelain output is stable and locale independent, unlike the human
# readable "working tree clean" message, which differs e.g. under a German locale.
function parse_git_dirty {
    [[ -n $(git status --porcelain 2> /dev/null) ]] && echo "*"
}
# Prints "[branch*]" for the current branch (or "[HEAD*]" when detached),
# nothing outside a git repository.
function parse_git_branch {
    local branch
    branch=$(git rev-parse --abbrev-ref HEAD 2> /dev/null) || return
    echo "[$branch$(parse_git_dirty)]"
}
PS1='\[\e[1;34m\]\u@\h:\w\[\e[0;32m\]$(parse_git_branch)\[\e[1;34m\]\$ \[\e[m\]'

General adaptations

Change default editor to vim:

update-alternatives --config editor

Install OpenAtlas instance

Next, follow the OpenAtlas installation instructions: https://github.com/craws/OpenAtlas/blob/main/install.md

In case a proxy is needed

For git, e.g. at ACDH-CH:

$ git config --global http.proxy http://fifi.arz.oeaw.ac.at:8080

For pip3, e.g. at ACDH-CH:

$ pip3 install --proxy=http://fifi.arz.oeaw.ac.at:8080 calmjs

For npm:

$ npm config set proxy http://fifi.arz.oeaw.ac.at:8080

Apache

  • Disable directory listing for Apache
# a2dismod autoindex
# service apache2 restart
  • To do: check which Apache modules are needed (passenger, rewrite, ssl) and document them here (maybe even in the install notes)

Certbot for HTTPS

(For sites on ACDH-CH servers ignore this, the certificate has to be managed by the proxy server.)
Before configuring certbot, comment out the line with WSGIDaemonProcess in /etc/apache2/sites-available/XXX.conf: certbot --apache copies the virtual host into a new HTTPS virtual host, and a second WSGIDaemonProcess with the same name makes the Apache configuration invalid.

# apt install certbot python3-certbot-apache
# certbot --apache
# certbot

After configuring certbot, uncomment the line with WSGIDaemonProcess in /etc/apache2/sites-available/XXX.conf again and reload Apache. Check that automatic renewal works with certbot renew --dry-run.

System mails

System mails (e.g. from cron jobs) are sent with msmtp

# aptitude install msmtp msmtp-mta ca-certificates
# vim /etc/msmtprc
# vim /etc/aliases

If /etc/msmtprc contains an SMTP password, make sure the file is not world-readable.

# msmtp root (to test: type some text, press return and then ctrl + D)

Updated by Alexander Watzinger 7 months ago · 39 revisions
