yuca setup
Hardware
AMD Phenom(tm) II X4 965 Processor
16 GB DDR3
2x 1TB SATA HDD, RAID 1 (~850 GB usable)
Software setup
Operating system
Debian Jessie is used.
Must-have packages
- tmux for persistent terminals (run "tmux attach" after connecting over SSH to re-attach; Ctrl+b n / Ctrl+b p switch to the next/previous window, Ctrl+b c opens a new window)
- imagemagick, as some web projects use it for graphics manipulation
Network configuration
- 100 Mbit/s connection (...)
- 89.238.64.138/24
- 2a00:1828:2000:664::2/64
Webserver
Nginx, php5-fpm 5.6
Firewall
We use the ufw firewall software. Type "ufw status" to see which ports are allowed.
Default: deny (incoming), allow (outgoing)
SSL
By default all plain-HTTP traffic is redirected to the same URL over HTTPS. Define a dedicated server block for a domain if it must not be redirected.
SSL certificates from letsencrypt.org are used and obtained with the simp_le client. The /.well-known/ path (where the ACME HTTP challenge files are placed) is served from the common webroot /var/www/html by a wildcard server block (server_name _), so every domain on the host can be validated with one very simple default configuration. The web server is reloaded automatically whenever certificates change.
HTTP Strict Transport Security is enabled in nginx.conf. The domain yunity.org was submitted for HSTS preloading in Chrome (http://hstspreload.appspot.com/). Note that preloading covers all subdomains and is hard to revert, so every yunity.org subdomain must stay reachable over HTTPS.
Monitoring
https://yuca-admin.yunity.org/ provides links to
- munin (please activate reasonable plugins when you add services or sites, especially PHP status)
- PHP OPCache statistics (please increase the SHM size when necessary)
Please add yourself to the mailing list serveradmin@yunity.org (in the manitu interface) to receive munin/postmaster/root/etc. emails from yuca.
Adding a new site/project
Each project should run its scripts under its own separate user. A script creates the basic setup for SSL, PHP and serving static files:
/var/www/create.sh <projectname>
Execute it with a reasonable project name and it creates a directory structure, a user, a template nginx configuration and a template PHP configuration.
After that, edit
/var/www/<projectname>/cert/dns
file to have all your domains, one per line, included.
Make sure the DNS entries already point to this system before executing /opt/letsencrypt/update_keys.sh to generate the SSL certificates; the Let's Encrypt validation fails otherwise.
Edit
/etc/nginx/sites-available/<projectname>
to set the right server_name and any additional webserver configuration.
Edit
/etc/php5/fpm/pool.d/<projectname>
to reflect your necessary special PHP settings.
Link your site to be enabled:
ln -s /etc/nginx/sites-available/<projectname> /etc/nginx/sites-enabled
Adding a new virtual host name
Create a new user
We are using one user per hosting environment.
adduser --home /var/www/<name> <name>
PHP-FPM
Create a FPM pool file in
/etc/php5/fpm/pool.d/
php-fpm creates the pool's unix socket file when the pool starts; nginx connects to it.
Nginx
Add the FPM socket file in
/etc/nginx/conf.d/php-upstream.conf
Create a nginx config file in
/etc/nginx/sites-available/
and link it in
/etc/nginx/sites-enabled/
Encryption
Create the file
/var/www/<name>/cert/dns
and enter the domains of the virtual host.
Run
/opt/letsencrypt/update_keys.sh
Log directory
Create a directory
/var/www/<name>/log
before starting the pool: PHP-FPM writes its logs there and will not start the pool if the directory is missing.
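The create.sh section earlier and the manual virtual-host procedure above describe the same steps: a dedicated user, a PHP-FPM pool on a unix socket, the nginx upstream and server block, the cert/dns file and the log directory. The script below is an added example that carries those steps out end to end; it is not yuca's /var/www/create.sh and does not reproduce it. The socket path /var/run/php5-fpm-<name>.sock, the upstream name php-<name>, the htdocs document root, the pool limits, the open_basedir confinement and the certificate file names fullchain.pem/key.pem are assumptions. Setting ROOT to a scratch directory renders everything there without touching the live system (and skips adduser/chown).

```shell
#!/bin/sh
# Added example, not yuca's own /var/www/create.sh. Renders the per-project
# PHP-FPM pool, nginx upstream + server block, cert/dns file and log directory.
# Socket path, upstream name, pool limits and cert file names are assumptions.
set -eu

# ROOT="" writes to the live system; ROOT=/some/dir renders a dry run there.
ROOT="${ROOT:-}"

# PHP-FPM pool running as the project user. Only www-data (nginx) may open
# the socket, and scripts are confined to the project tree with open_basedir.
gen_fpm_pool() {
    name="$1"
    cat <<EOF
[$name]
user = $name
group = $name
listen = /var/run/php5-fpm-$name.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
pm = dynamic
pm.max_children = 5
pm.start_servers = 1
pm.min_spare_servers = 1
pm.max_spare_servers = 3
; the log directory must exist or the pool refuses to start
php_admin_value[error_log] = /var/www/$name/log/php-error.log
php_admin_flag[log_errors] = on
php_admin_value[open_basedir] = /var/www/$name:/tmp
EOF
}

# Upstream entry appended to /etc/nginx/conf.d/php-upstream.conf.
gen_php_upstream() {
    printf 'upstream php-%s { server unix:/var/run/php5-fpm-%s.sock; }\n' "$1" "$1"
}

# HTTPS server block. Plain HTTP and /.well-known/ are handled by the
# wildcard (_) default block, so this block only listens on 443.
gen_nginx_site() {
    name="$1"; shift
    cat <<EOF
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name $*;

    ssl_certificate     /var/www/$name/cert/fullchain.pem;
    ssl_certificate_key /var/www/$name/cert/key.pem;

    root  /var/www/$name/htdocs;
    index index.php index.html;
    access_log /var/www/$name/log/access.log;
    error_log  /var/www/$name/log/error.log;

    location ~ \.php\$ {
        try_files \$uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
        fastcgi_pass php-$name;
    }
}
EOF
}

# setup_site <name> <domain>... : perform the whole procedure.
setup_site() {
    name="$1"; shift
    if [ -z "$ROOT" ]; then
        adduser --disabled-password --gecos "" --home "/var/www/$name" "$name"
    else
        echo "dry run: skipping adduser --home /var/www/$name $name"
    fi
    mkdir -p "$ROOT/var/www/$name/htdocs" "$ROOT/var/www/$name/cert" \
             "$ROOT/var/www/$name/log" "$ROOT/etc/php5/fpm/pool.d" \
             "$ROOT/etc/nginx/conf.d" "$ROOT/etc/nginx/sites-available" \
             "$ROOT/etc/nginx/sites-enabled"
    printf '%s\n' "$@" > "$ROOT/var/www/$name/cert/dns"      # one domain per line
    gen_fpm_pool "$name"      > "$ROOT/etc/php5/fpm/pool.d/$name.conf"
    gen_php_upstream "$name" >> "$ROOT/etc/nginx/conf.d/php-upstream.conf"
    gen_nginx_site "$name" "$@" > "$ROOT/etc/nginx/sites-available/$name"
    ln -sf "$ROOT/etc/nginx/sites-available/$name" "$ROOT/etc/nginx/sites-enabled/$name"
    [ -n "$ROOT" ] || chown -R "$name:$name" "/var/www/$name"
    echo "next: verify DNS, run /opt/letsencrypt/update_keys.sh, then" \
         "service php5-fpm restart && nginx -t && service nginx reload"
}

if [ $# -gt 0 ]; then
    setup_site "$@"
fi
```

Run it as root with the project name followed by its domains, e.g. "./newsite.sh demo demo.example.org www.demo.example.org", then follow the printed next steps (certificates first, since the server block references them and nginx -t fails without them). The listen.owner/listen.mode lines are set explicitly so that only nginx can talk to the pool socket, and open_basedir plus the separate user keep a compromised script in one project from reading another project's files or configuration.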
Foodsaving Tool deployment
CircleCI deploys the frontend and the backend to yuca. The deploy user is "deploy"; switch to it with "sudo -i -u deploy" (the login shell starts in its home directory).
Frontend is just static files in "foodsaving-frontend/<branch>", served by nginx via "/etc/nginx/sites-enabled/foodsaving-world".
The same nginx config also passes /api/ to the backend via uWSGI. The upstream config is in "/etc/nginx/conf.d/uwsgi-upstream.conf", the socket definitions are in "/etc/uwsgi/sites-enabled/", and these point back to the deploy directory "foodsaving-backend/". Take special care with the "config" directory, especially local_setting.py and secrets.py.
After changing the uWSGI config, call "systemctl restart uwsgi".
After changing nginx config, call "nginx -t" to test the config and "systemctl reload nginx" to make it active.
After changing domains in "/var/www/*/cert/dns", call "/opt/letsencrypt/update_keys.sh" to update certificates.
To the extent possible under law, the yunity wiki contributors have waived all copyright and related or neighboring rights to the content of the yunity wiki.