yuca setup

Hardware

AMD Phenom(tm) II X4 965 Processor

16 GB DDR3

2x 1TB SATA HDD, Raid 1 (~850 GB usable)

Software setup

Operating system

Debian Jessie is used.

Must-have packages

  • tmux for persistent terminals (type tmux attach after the SSH connection to attach; ctrl+b then n or p switches to the next/previous pane, ctrl+b then c opens a new pane)
  • imagemagick, as it is used by some web projects for graphics manipulation

Network configuration

  • 100 MBps connection (...)
  • 89.238.64.138/24
  • 2a00:1828:2000:664::2/64

Webserver

Nginx, php5-fpm 5.6

Firewall

We use the ufw firewall software. Type "ufw status" to see which ports are allowed.

Default: deny (incoming), allow (outgoing)

SSL

All web traffic is by default redirected to the same URL on HTTPS. Define a server block for the domain if that should not happen.

SSL certificates from letsencrypt.org are used. For that, the simp_le client is used: the .well-known/ path is served from the common webroot /var/www/html on a wildcard server block (_), which allows a very simple default configuration. The webserver is automatically reloaded when certificates change.

HTTP Strict Transport Security is enabled in nginx.conf. The domain yunity.org has been submitted to the Chrome HSTS preload list (http://hstspreload.appspot.com/).

Monitoring

https://yuca-admin.yunity.org/ provides links to

  • munin (please activate reasonable plugins when you add services or sites, especially PHP status)
  • PHP OPcache statistics (please increase the SHM size when necessary)

Please add yourself to the mailing list serveradmin@yunity.org (in the manitu interface) to receive munin/postmaster/root/etc. emails from yuca.

Adding a new site/project

Each project should run its scripts under a separate user. To create a basic setup for SSL, PHP and serving static files, there is a script:

/var/www/create.sh <projectname>

Execute it with a reasonable project name; it creates a directory structure, a user, a template nginx configuration and a template PHP configuration.

After that, edit the file

/var/www/<projectname>/cert/dns

so that it lists all your domains, one per line.

Make sure that the DNS entries point to the system before executing /opt/letsencrypt/update_keys.sh to generate the SSL certificates.

Edit

/etc/nginx/sites-available/<projectname>

to set the right server_name and any additional webserver configuration.

Edit

/etc/php5/fpm/pool.d/<projectname>

to set any special PHP settings your project needs.

Link your site to be enabled:

ln -s /etc/nginx/sites-available/<projectname> /etc/nginx/sites-enabled

Adding a new virtual host name

Create a new user

We are using one user per hosting environment.

adduser --home /var/www/<name> <name>

PHP-FPM

Create an FPM pool file in

/etc/php5/fpm/pool.d/

This generates a unix socket file.

Nginx

Add the FPM socket to the upstream definition in

/etc/nginx/conf.d/php-upstream.conf

Create an nginx config file in

/etc/nginx/sites-available/

and link it in

/etc/nginx/sites-enabled/

Encryption

Create the file

/var/www/<name>/cert/dns

and enter the domains of the virtual host.

Run

/opt/letsencrypt/update_keys.sh

Log directory

Create a directory

/var/www/<name>/log

to allow startup and logging of PHP-FPM.
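As an added example (not the page's create.sh and not the project's own code), this shell function writes the two template files the steps in "Adding a new site/project" and "Adding a new virtual host name" describe, following the conventions above: an FPM pool that runs as the project's own user with a socket only www-data may use, and an nginx block that serves .well-known/ from the common webroot /var/www/html and redirects everything else to HTTPS. The pool file name, the certificate file names under cert/, the public/ document root and the example.org domain are assumptions; the optional prefix argument only exists so the function can be tried in a scratch directory.

```shell
# Hypothetical stand-in for /var/www/create.sh: writes a php5-fpm pool and an
# nginx server block for <projectname> using this page's conventions.
# Usage: gen_site <projectname> [prefix]  (prefix = write under a test directory)
gen_site() {
    name=$1; prefix=${2:-}
    case "$name" in                      # only safe characters end up in paths/configs
        ''|*[!a-z0-9_-]*) echo "invalid project name: $name" >&2; return 1 ;;
    esac
    pool_dir="$prefix/etc/php5/fpm/pool.d"
    site_dir="$prefix/etc/nginx/sites-available"
    mkdir -p "$pool_dir" "$site_dir" "$prefix/var/www/$name/log" "$prefix/var/www/$name/cert"
    # PHP-FPM pool: PHP runs as the project's own user; the socket is only
    # writable by www-data, so one site's code cannot reach another pool.
    cat > "$pool_dir/$name.conf" <<EOF
[$name]
user = $name
group = $name
listen = /var/run/php5-fpm-$name.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
pm = ondemand
pm.max_children = 5
php_admin_value[open_basedir] = /var/www/$name:/tmp
EOF
    # nginx: port 80 serves only the ACME challenge path from the common webroot
    # and redirects the rest to HTTPS. Certificate file names are assumptions.
    cat > "$site_dir/$name" <<EOF
server {
    listen 80;
    server_name $name.example.org;   # replace with the real domains
    location /.well-known/ { root /var/www/html; }
    location / { return 301 https://\$host\$request_uri; }
}
server {
    listen 443 ssl;
    server_name $name.example.org;
    ssl_certificate     /var/www/$name/cert/fullchain.pem;
    ssl_certificate_key /var/www/$name/cert/key.pem;
    root /var/www/$name/public;
    access_log /var/www/$name/log/access.log;
    error_log  /var/www/$name/log/error.log;
    location ~ \.php\$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
        fastcgi_pass unix:/var/run/php5-fpm-$name.sock;
    }
}
EOF
}
```

After generating the real files, add the socket to /etc/nginx/conf.d/php-upstream.conf as described above and run "nginx -t" before reloading.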


Foodsaving Tool deployment

CircleCI deploys the frontend and the backend to yuca. The deploy user is "deploy"; switch to it with "sudo -i -u deploy" (the login shell starts in that user's home directory).

The frontend is just static files in "foodsaving-frontend/<branch>", served by nginx via "/etc/nginx/sites-enabled/foodsaving-world".

The same nginx config also passes requests on /api/ to the backend via UWSGI. The upstream config is in "/etc/nginx/conf.d/uwsgi-upstream.conf", the socket definitions are in "/etc/uwsgi/sites-enabled/". These link back to the deploy directory in "foodsaving-backend/". Take care of the "config" directory, especially local_setting.py and secrets.py.

After changing the UWSGI config, call "systemctl restart uwsgi".

After changing the nginx config, call "nginx -t" to test the config and "systemctl reload nginx" to make it active.

After changing domains in "/var/www/*/cert/dns", call "/opt/letsencrypt/update_keys.sh" to update certificates.



To the extent possible under law, the yunity wiki contributors have waived all copyright and related or neighboring rights to the content of the yunity wiki. More information...
