Hardware

AMD Phenom(tm) II X4 965 Processor

16 GB DDR3

2x 1TB SATA HDD, Raid 1 (~850 GB usable)

Software setup

Operating system

Debian Jessie is used.

Must-have packages

tmux for persistent terminals (type tmux attach after SSH connection to attach, ctrl+b+n or p for next/previous pane, ctrl+b +c for new pane
imagemagick as it will be used by some web projects for graphics manipulation

Network configuration

100 MBps connection (...)
89.238.64.138/24
2a00:1828:2000:664::2/64

Webserver

Nginx, php5-fpm 5.6

Firewall

We use the ufw firewall software. Type "ufw status" to see which ports are allowed.

Default: deny (incoming), allow (outgoing)

SSL

All web traffic is per default forwarded to the same URL on HTTPS. Define a server block for the domain if that should not happen.

SSL certificates from letsencrypt.org are used. For that, the simp_le client comes into action: The .well-known/ path is served from the common webroot /var/www/html on a wildcard server block (_). That enables a very simple default configuration. The webserver is automatically reloaded if certificates change.

HTTP Strict Transport Security is enabled in nginx.conf. Domain yunity.org was applied for Chrome certificate preloading (http://hstspreload.appspot.com/).

Monitoring

https://yuca-admin.yunity.org/ provides links to

munin (please activate reasonable plugins when you add services or sites, especially PHP status)
PHP OPCache statistics (please increase SHM when neccessary)

Please add yourself to the mailinglist serveradmin@yunity.org (in manitu interface) to receive munin/postmaster/root/etc. emails from yuca.

Adding a new site/project

Each project should execute script under a separate user. To create a basic setup for SSL, PHP and serving static files, there is a script.

/var/www/create.sh <projectname>

Execute it with a reasonable project name and it creates a directory structure, a user, a template nginx configuration and a template PHP configuration.

After that, edit

/var/www/<projectname>/cert/dns

file to have all your domains, one per line, included.

Be sure, that the DNS entries point to the system before executing /opt/letsencrypt/update_keys.sh to generate the SSL certificates.

Edit

/etc/nginx/sites-available/<projectname>

to have the right ServerName and additional webserver configuration.

Edit

/etc/php5/fpm/pool.d/<projectname>

to reflect your necessary special PHP settings.

Link your site to be enabled:

ln -s /etc/nginx/sitesavailable/<projectname> /etc/nginx/sites-enabled

Adding a new virtual host name

Create a new user

We are using one user per hosting environment.

adduser --home /var/www/<name> <name>

PHP-FPM

Create a FPM pool file in

/etc/php5/fpm/pool.d/

This generates a unix socket file.

Nginx

Add the FPM socket file in

/etc/nginx/conf.d/php-upstream.conf

Create a nginx config file in

/etc/nginx/sites-available/

and link it in

/etc/nginx/sites-enabled/

Encryption

Create the file

/var/www/<name>/cert/dns

and enter the domains of the virtual host.

Run

/opt/letsencrypt/update_keys.sh

Log directory

Create a directory

 /var/www/<name>/log

to allow startup and logging of PHP-FPM.

Foodsaving Tool deployment

CircleCI deploys the frontend and the backend to yuca. Deploy user is "deploy", change there with "sudo -i -u deploy && cd ~".

Frontend is just static files in "foodsaving-frontend/<branch>", served by nginx via "/etc/nginx/sites-enabled/foodsaving-world".

The same nginx config also calls the backend on /api/ via UWSGI. The upstream config is in "/etc/nginx/conf.d/uwsgi-upstream.conf", the socket definitions are in "/etc/uwsgi/sites-enabled/". This links back to the deploy directory in "foodsaving-backend/". Take care of the "config" directory, especially local_setting.py and secrets.py.

After changing the UWSGI config, call "systemctl restart uwsgi".

After changing nginx config, call "nginx -t" to test the config and "systemctl reload nginx" to make it active.

After changing domains in "/var/www/*/cert/dns", call "/opt/letsencrypt/update_keys.sh" to update certificates.

Browser not supported