Difference between revisions of "Poddery - Diaspora, Matrix and XMPP"

Poddery - Diaspora, Matrix and XMPP (view source)

Revision as of 00:19, 2 May 2019

1,706 bytes added , 00:19, 2 May 2019

→‎Configuration and Maintenance

Bady

Bureaucrats, Administrators

99

edits

@@ Line 124: / Line 124: @@
   ufw allow ssh
   ufw enable
+ # Verify everything is setup properly
+ ufw status
 * <code>fail2ban</code> configured against brute force attacks:
@@ Line 132: / Line 135: @@
   # Restart SSH and enable fail2ban
-  sudo systemctl restart ssh
+  systemctl restart ssh
-  sudo systemctl enable fail2ban
+  systemctl enable fail2ban
-  sudo systemctl start fail2ban
+  systemctl start fail2ban
   # To unban an IP, first check <code>/var/log/fail2ban.log</code> to get the banned IP and then run the following
@@ Line 144: / Line 147: @@
   apt install diaspora-installer
-* Move MySQL data to encrypted partition
+* Move MySQL data to encrypted partition:
   # Make sure <code>/dev/data/db</code> is mounted to <code>/var/lib/db</code>
   systemctl stop mysql
-  mv /var/lib/mysql /var/lib/db
+ systemctl disable mysql
-  ln -s /var/lib/db/mysql /var/lib/mysql
+  mv /var/lib/mysql /var/lib/db/
+  ln -s /var/lib/db/mysql /var/lib/
   systemctl start mysql
+* Move static files to encrypted partition:
+ # Make sure <code>/dev/data/static</code> is mounted to <code>/var/lib/static</code>
+ mkdir /var/lib/static/diaspora
+ mv /usr/share/diaspora/public/uploads /var/lib/static/diaspora
+ ln -s /var/lib/static/diaspora/uploads /usr/share/diaspora/public/
+ chown -R diaspora: /var/lib/static/diaspora
 * Modify configuration files at <code>/etc/diaspora</code> and <code>/etc/diaspora.conf</code> as needed (backup of the current configuration files are available in the [[#Server_Access|access repo]]).
@@ Line 155: / Line 166: @@
   # Make sure <code>git</code> and <code>acl</code> packages are installed
   # Grant <code>rwx</code> permissions for the ssh user to <code>/usr/share/diaspora/public</code>
-  sudo setfacl -m "u:<ssh_user>:rwx" /usr/share/diaspora/public
+  setfacl -m "u:<ssh_user>:rwx" /usr/share/diaspora/public
   # Clone poddery.com repo
@@ Line 173: / Line 184: @@
 * Nginx is used as reverse proxy to send requests that has <code>/_matrix/*</code> in URL to Synapse on port <code>8008</code>. This is configured in <code>/etc/nginx/sites-enabled/diaspora</code>.
 * Shamil's [https://git.fosscommunity.in/necessary129/synapse-diaspora-auth Synapse Diaspora Auth] script is used to authenticate Synapse with Diaspora database.
+* Move PostgreSQL data to encrypted partition:
+ # Make sure <code>/dev/data/db</code> is mounted to <code>/var/lib/db</code>
+ systemctl stop postgresql
+ systemctl disable postgresql
+ mv /var/lib/postgres /var/lib/db/
+ ln -s /var/lib/db/postgres /var/lib/
+ systemctl start postgresql
-=== Workers ===
+* Move static files to encrypted partition:
-For scalability, Poddery running [https://github.com/matrix-org/synapse/blob/master/docs/workers.rst workers]. Currently all workers specified in that page, expect <code>synapse.app.appservice</code> is running on poddery.com
+ # Make sure <code>/dev/data/static</code> is mounted to <code>/var/lib/static</code>
+ mkdir /var/lib/static/synapse
-A new service [https://gist.github.com/necessary129/5dfbb140e4727496b0ad2bf801c10fdc <code>matrix-synapse@.service</code>] is installed for the workers (Save the <code>synape_worker</code> file somewhere like <code>/usr/local/bin/</code> or something).
+ mv /var/lib/matrix-synapse/uploads /var/lib/static/synapse/
+ ln -s /var/lib/static/synapse/uploads /var/lib/matrix-synapse/
+ mv /var/lib/matrix-synapse/media /var/lib/static/synapse/
+ ln -s /var/lib/static/synapse/media /var/lib/matrix-synapse/
+ chown -R matrix-synapse: /var/lib/static/synapse
-The worker config can be found at <code>/etc/matrix-synapse/workers</code>
+* Install identity server <code>mxisd</code> (<code>deb</code> package available [https://github.com/kamax-matrix/mxisd/blob/master/docs/install/debian.md here])
-Synapse needs to be put under a reverse proxy see <code>/etc/nginx/sites-enabled/matrix</code>. A lot of <code>/_matrix/</code> urls needs to be overridden too see <code>/etc/nginx/sites-enabled/diaspora</code>
-These lines must be added to <code>homeserver.yaml</code> as we are running <code>media_repository</code>, <code>federation_sender</code>, <code>pusher</code>, <code>user_dir</code> workers respectively:
+=== Workers ===
+* For scalability, Poddery running [https://github.com/matrix-org/synapse/blob/master/docs/workers.rst workers]. Currently all workers specified in that page, expect <code>synapse.app.appservice</code> is running on poddery.com
+* A new service [https://gist.github.com/necessary129/5dfbb140e4727496b0ad2bf801c10fdc <code>matrix-synapse@.service</code>] is installed for the workers (Save the <code>synape_worker</code> file somewhere like <code>/usr/local/bin/</code> or something).
+* The worker config can be found at <code>/etc/matrix-synapse/workers</code>
+* Synapse needs to be put under a reverse proxy see <code>/etc/nginx/sites-enabled/matrix</code>. A lot of <code>/_matrix/</code> urls needs to be overridden too see <code>/etc/nginx/sites-enabled/diaspora</code>
+* These lines must be added to <code>homeserver.yaml</code> as we are running <code>media_repository</code>, <code>federation_sender</code>, <code>pusher</code>, <code>user_dir</code> workers respectively:
    enable_media_repo: False
    send_federation: False
@@ Line 190: / Line 214: @@
    update_user_directory: false
-These services must be enabled, and added to <code>Requires</code> and <code>Before</code> sections of the original <code>matrix-synapse.service</code>:
+* These services must be enabled, and added to <code>Requires</code> and <code>Before</code> sections of the original <code>matrix-synapse.service</code>:
   matrix-synapse@synchrotron.service matrix-synapse@federation_reader.service matrix-synapse@event_creator.service matrix-synapse@federation_sender.service matrix-synapse@pusher.service matrix-synapse@user_dir.service matrix-synapse@media_repository.service matrix-synapse@frontend_proxy.service matrix-synapse@client_reader.service
 === Synapse Updation ===
-First check [https://github.com/matrix-org/synapse/blob/master/UPGRADE.rst synapse/UPGRADE.rst] to see if anything extra needs to be done. Then, just run <code>/root/upgrade-synapse</code>
+* First check [https://github.com/matrix-org/synapse/blob/master/UPGRADE.rst synapse/UPGRADE.rst] to see if anything extra needs to be done. Then, just run <code>/root/upgrade-synapse</code>
 === Riot-web Updation ===
-* https://chat.poddery.com/#/welcome
+* Just run <code>/var/www/get-riot</code> and reload <code>nginx</code>
-  # Backup current riot-web folder from <code>riot</code> to <code>riot-backup</code>
-  wget https://github.com/vector-im/riot-web/releases/download/v1.0.1/riot-v1.0.1.tar.gz
-  tar -xvf riot-v1.01.tar.gz
-  cp -r riot-v1.0.1/* /var/www/riot/
-  rm -rf ./riot-v1.0.1*
-  # Transfer the old <code>config.json</code>, <code>home.html</code>, <code>home-status.html</code> from <code>riot-backup</code> to <code>/var/www/riot/</code>
-  systemctl reload nginx
 == Chat/XMPP ==
@@ Line 210: / Line 227: @@
   # Follow steps 1 to 6 from https://wiki.debian.org/Diaspora/XMPP and then run the following:
   mysql -u root -p # Enter password from the access repo
   CREATE USER 'prosody'@'localhost' IDENTIFIED BY '<passwd_in_repo>';
   GRANT ALL PRIVILEGES ON diaspora_production.* TO 'prosody'@'localhost';
   FLUSH PRIVILEGES;
   systemctl restart prosody
+* Install plugins
+ # Make sure <code>mercurial</code> is installed
+ cd /etc && hg clone https://hg.prosody.im/prosody-modules/ prosody-modules
 === Set Nginx Conf for BOSH URLS ===
@@ Line 242: / Line 263: @@
 == TLS ==
+* Install <code>letsencrypt</code>.
 * Ensure proper permissions are set for <code>/etc/letsencrypt</code> and its contents.
   chown -R root:ssl-cert /etc/letsencrypt
   chmod g+r -R /etc/letsencrypt
   chmod g+x /etc/letsencrypt/{archive,live}
+* Generate certificates. For more details see https://certbot.eff.org.
 * Make sure the certificates used by <code>diaspora</code> are symbolic links to letsencrypt default location:
+ ls -l /etc/diaspora/ssl
+ ''total 0
+ ''lrwxrwxrwx 1 root root 47 Apr  2 22:47 poddery.com-bundle.pem -> /etc/letsencrypt/live/poddery.com/fullchain.pem''
+ ''lrwxrwxrwx 1 root root 45 Apr  2 22:48 poddery.com.key -> /etc/letsencrypt/live/poddery.com/privkey.pem''
+ # If you don't get the above output, then run the following:
   cp -L /etc/letsencrypt/live/poddery.com/fullchain.pem /etc/diaspora/ssl/poddery.com-bundle.pem
   cp -L /etc/letsencrypt/live/poddery.com/privkey.pem /etc/diaspora/ssl/poddery.com.key
@@ Line 257: / Line 284: @@
   ''lrwxrwxrwx 1 root root 40 Mar 28 01:16 poddery.com.crt -> /etc/letsencrypt/live/poddery.com/fullchain.pem''
   ''lrwxrwxrwx 1 root root 33 Mar 28 01:16 poddery.com.key -> /etc/letsencrypt/live/poddery.com/privkey.pem''
+ # If you don't get the above output, then run the following:
+ cp -L /etc/letsencrypt/live/poddery.com/fullchain.pem /etc/prosody/certs/poddery.com.crt
+ cp -L /etc/letsencrypt/live/poddery.com/privkey.pem /etc/prosody/certs/poddery.com.key
 * Cron jobs: