Table of Contents |
---|
Hardware
AMD Phenom(tm) II X4 965 Processor
16 GB DDR3
2x 1TB SATA HDD, Raid 1 (~850 GB usable)
Usage
The yuca server is sponsored by manitu for yunity development and foodsharing purposes.
- project.yunity.org: Project description webpage (Currently on OctoberCMS with migration plans)
- different smaller PHP/mysql projects from an older server
- (todo) development preview of yunity software
- (todo) build server of yunity software
- (todo) beta launch of yunity software
- (todo) foodsharing.de 2.0 launch server, at that time, all other purposes are moved to banana
Software setup
Operating system
Debian Jessie is used.
Must-have packages
- tmux for persistent terminals (type tmux attach after SSH connection to attach, ctrl+b+n or p for next/previous pane, ctrl+b +c for new pane
- imagemagick as it will be used by some web projects for graphics manipulation
Network configuration
- 100 MBps connection (...)
- 89.238.64.138/24
- 2a00:1828:2000:873664::2/64
Webserver
Nginx, php5-fpm 5.6
Firewall
We use the ufw firewall software. Type "ufw status" to see which ports are allowed.
Default: deny (incoming), allow (outgoing)
SSL
All web traffic is per default forwarded to the same URL on HTTPS. Define a server block for the domain if that should not happen.
SSL certificates from letsencrypt.org are used. For that, the simp_le client comes into action: The .well-known/ path is served from the common webroot /var/www/html on a wildcard server block (_). That enables a very simple default configuration. The webserver is automatically reloaded if certificates change.
HTTP Strict Transport Security is enabled in nginx.conf. Domain yunity.org was applied for Chrome certificate preloading (http://hstspreload.appspot.com/).
Monitoring
https://yuca-admin.yunity.org/ provides links to
- munin (please activate reasonable plugins when you add services or sites, especially PHP status)
- PHP OPCache statistics (please increase SHM when neccessary)
Please add yourself to the mailinglist serveradmin@yunity.org (in manitu interface) to receive munin/postmaster/root/etc. emails from yuca.
Adding a new site/project
Each project should execute script under a separate user. To create a basic setup for SSL, PHP and serving static files, there is a script.
Code Block | ||
---|---|---|
| ||
/var/www/create.sh <projectname> |
Execute it with a reasonable project name and it creates a directory structure, a user, a template nginx configuration and a template PHP configuration.
After that, edit
Code Block |
---|
/var/www/<projectname>/cert/dns |
file to have all your domains, one per line, included.
Be sure, that the DNS entries point to the system before executing /opt/letsencrypt/update_keys.sh to generate the SSL certificates.
Edit
Code Block |
---|
/etc/nginx/sites-available/<projectname> |
to have the right ServerName and additional webserver configuration.
Edit
Code Block |
---|
/etc/php5/fpm/pool.d/<projectname> |
to reflect your necessary special PHP settings.
Link your site to be enabled:
Code Block |
---|
ln -s /etc/nginx/sitesavailable/<projectname> /etc/nginx/sites-enabled |
Adding a new virtual host name
Create a new user
We are using one user per hosting environment.
Code Block |
---|
adduser --home /var/www/<name> <name> |
PHP-FPM
Create a FPM pool file in
Code Block |
---|
/etc/php5/fpm/pool.d/ |
This generates a unix socket file.
Nginx
Add the FPM socket file in
Code Block |
---|
/etc/nginx/conf.d/php-upstream.conf |
Create a nginx config file in
Code Block |
---|
/etc/nginx/sites-available/ |
and link it in
Code Block |
---|
/etc/nginx/sites-enabled/ |
Encryption
Create the file
Code Block |
---|
/var/www/<name>/cert/dns |
and enter the domains of the virtual host.
Run
Code Block |
---|
/opt/letsencrypt/update_keys.sh |
Log directory
Create a directory
Code Block |
---|
/var/www/<name>/log |
to allow startup and logging of PHP-FPM.
Foodsaving Tool deployment
CircleCI deploys the frontend and the backend to yuca. Deploy user is "deploy", change there with "sudo -i -u deploy && cd ~".
Frontend is just static files in "foodsaving-frontend/<branch>", served by nginx via "/etc/nginx/sites-enabled/foodsaving-world".
The same nginx config also calls the backend on /api/ via UWSGI. The upstream config is in "/etc/nginx/conf.d/uwsgi-upstream.conf", the socket definitions are in "/etc/uwsgi/sites-enabled/". This links back to the deploy directory in "foodsaving-backend/". Take care of the "config" directory, especially local_setting.py and secrets.py.
After changing the UWSGI config, call "systemctl restart uwsgi".
After changing nginx config, call "nginx -t" to test the config and "systemctl reload nginx" to make it active.
After changing domains in "/var/www/*/cert/dns", call "/opt/letsencrypt/update_keys.sh" to update certificates.