docker http://tech.oeru.org/ en Upgrading a Docker-based Discourse Forum instance http://tech.oeru.org/upgrading-docker-based-discourse-forum-instance <span class="field field--name-title field--type-string field--label-hidden">Upgrading a Docker-based Discourse Forum instance</span> <div class="field field-node--field-blog-tags field-name-field-blog-tags field-type-entity-reference field-label-above"> <h3 class="field__label">Blog tags</h3> <div class="field__items"> <div class="field__item field__item--discourse"> <span class="field__item-wrapper"><a href="/taxonomy/term/19" hreflang="en">discourse</a></span> </div> <div class="field__item field__item--docker"> <span class="field__item-wrapper"><a href="/taxonomy/term/16" hreflang="en">docker</a></span> </div> </div> </div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><a title="View user profile." href="/user/1" lang="" about="/user/1" typeof="schema:Person" property="schema:name" datatype="" class="username">dave</a></span> <span class="field field--name-created field--type-created field--label-hidden">Thu 19/05/2022 - 14:45</span> <div class="field field-node--field-image field-name-field-image field-type-image field-label-hidden has-multiple"> <figure class="field-type-image__figure image-count-1"> <div class="field-type-image__item"> <a href="http://tech.oeru.org/sites/default/files/styles/max_1300x1300/public/2022-05/Discourse-admin_page_upgrade_link.png?itok=SmTm00O2" aria-controls="colorbox" aria-label="{&quot;alt&quot;:&quot;A sample of the admin page showing a Discourse administrator that an upgrade is pending, showing the web-upgrade link.&quot;}" role="button" title="A sample of the admin page showing a Discourse administrator that an upgrade is pending, showing the web-upgrade link." data-colorbox-gallery="gallery-field_image--Xhj9KyxIZY" class="colorbox" data-cbox-img-attrs="{&quot;alt&quot;:&quot;A sample of the admin page showing a Discourse administrator that an upgrade is pending, showing the web-upgrade link.&quot;}"><img src="/sites/default/files/styles/medium/public/2022-05/Discourse-admin_page_upgrade_link.png?itok=iBEbWRyb" width="220" height="144" alt="A sample of the admin page showing a Discourse administrator that an upgrade is pending, showing the web-upgrade link." loading="lazy" typeof="foaf:Image" class="image-style-medium" /> </a> </div> </figure> <figure class="field-type-image__figure image-count-2"> <div class="field-type-image__item"> <a href="http://tech.oeru.org/sites/default/files/styles/max_1300x1300/public/2022-05/Discourse-upgrade_email_alert.png?itok=VBs3FoqS" aria-controls="colorbox" aria-label="{&quot;alt&quot;:&quot;A sample of the email sent to Discourse admins by the Discourse system alerting them to a new pending upgrade.&quot;}" role="button" title="A sample of the email sent to Discourse admins by the Discourse system alerting them to a new pending upgrade." data-colorbox-gallery="gallery-field_image--Xhj9KyxIZY" class="colorbox" data-cbox-img-attrs="{&quot;alt&quot;:&quot;A sample of the email sent to Discourse admins by the Discourse system alerting them to a new pending upgrade.&quot;}"><img src="/sites/default/files/styles/medium/public/2022-05/Discourse-upgrade_email_alert.png?itok=M4tLaS3O" width="220" height="140" alt="A sample of the email sent to Discourse admins by the Discourse system alerting them to a new pending upgrade." loading="lazy" typeof="foaf:Image" class="image-style-medium" /> </a> </div> </figure> <figure class="field-type-image__figure image-count-3"> <div class="field-type-image__item"> <a href="http://tech.oeru.org/sites/default/files/styles/max_1300x1300/public/2022-05/Discourse-backup_admin_page.png?itok=Lv0Hz0-Y" aria-controls="colorbox" aria-label="{&quot;alt&quot;:&quot;A sample Discourse system backup administration page.&quot;}" role="button" title="A sample Discourse system backup administration page." data-colorbox-gallery="gallery-field_image--Xhj9KyxIZY" class="colorbox" data-cbox-img-attrs="{&quot;alt&quot;:&quot;A sample Discourse system backup administration page.&quot;}"><img src="/sites/default/files/styles/medium/public/2022-05/Discourse-backup_admin_page.png?itok=KZaf9Y0c" width="220" height="144" alt="A sample Discourse system backup administration page." loading="lazy" typeof="foaf:Image" class="image-style-medium" /> </a> </div> </figure> <figure class="field-type-image__figure image-count-4"> <div class="field-type-image__item"> <a href="http://tech.oeru.org/sites/default/files/styles/max_1300x1300/public/2022-05/Discourse-web_upgrade.png?itok=xyJIWWoq" aria-controls="colorbox" aria-label="{&quot;alt&quot;:&quot;A Discourse web upgrade status page, prior to initiating the upgrade.&quot;}" role="button" title="A Discourse web upgrade status page, prior to initiating the upgrade." data-colorbox-gallery="gallery-field_image--Xhj9KyxIZY" class="colorbox" data-cbox-img-attrs="{&quot;alt&quot;:&quot;A Discourse web upgrade status page, prior to initiating the upgrade.&quot;}"><img src="/sites/default/files/styles/medium/public/2022-05/Discourse-web_upgrade.png?itok=-NQk807A" width="220" height="124" alt="A Discourse web upgrade status page, prior to initiating the upgrade." loading="lazy" typeof="foaf:Image" class="image-style-medium" /> </a> </div> </figure> <figure class="field-type-image__figure image-count-5"> <div class="field-type-image__item"> <a href="http://tech.oeru.org/sites/default/files/styles/max_1300x1300/public/2022-05/Discourse-web_upgrade_progress.png?itok=eAf0UUVc" aria-controls="colorbox" aria-label="{&quot;alt&quot;:&quot;A Discourse web upgrade underway. &quot;}" role="button" title="A Discourse web upgrade underway. " data-colorbox-gallery="gallery-field_image--Xhj9KyxIZY" class="colorbox" data-cbox-img-attrs="{&quot;alt&quot;:&quot;A Discourse web upgrade underway. &quot;}"><img src="/sites/default/files/styles/medium/public/2022-05/Discourse-web_upgrade_progress.png?itok=Q6y7yjKe" width="220" height="136" alt="A Discourse web upgrade underway. " loading="lazy" typeof="foaf:Image" class="image-style-medium" /> </a> </div> </figure> <figure class="field-type-image__figure image-count-6"> <div class="field-type-image__item"> <a href="http://tech.oeru.org/sites/default/files/styles/max_1300x1300/public/2022-05/Dicscourse-require_cli_upgrade.png?itok=VKj1mQll" aria-controls="colorbox" aria-label="{&quot;alt&quot;:&quot;Sample of the message you see if a particular Discourse upgrade is too complicated for the web interface.&quot;}" role="button" title="Sample of the message you see if a particular Discourse upgrade is too complicated for the web interface." data-colorbox-gallery="gallery-field_image--Xhj9KyxIZY" class="colorbox" data-cbox-img-attrs="{&quot;alt&quot;:&quot;Sample of the message you see if a particular Discourse upgrade is too complicated for the web interface.&quot;}"><img src="/sites/default/files/styles/medium/public/2022-05/Dicscourse-require_cli_upgrade.png?itok=dVBM-OW2" width="220" height="94" alt="Sample of the message you see if a particular Discourse upgrade is too complicated for the web interface." loading="lazy" typeof="foaf:Image" class="image-style-medium" /> </a> </div> </figure> </div> <div class="clearfix text-formatted field field-node--body field-name-body field-type-text-with-summary field-label-hidden"> <div class="field__items"> <div class="field__item"><p><a href="https://discourse.org">Discourse</a> is the world-leading online web-based forum. It's a superb, extremely mature-and-yet-cutting edge platform. It also happens to be Free and Open Source Software, which is why we, at the <a href="https://oerfoundation.org">OER Foundation</a>, use it.</p> <p>Like all good software, it's undergoing continuous improvement by its developer community who release fairly frequent - perhaps every couple weeks - updates. Luckily, keeping your Discourse forum up-to-date isn't particularly onerous.</p> <p>Upgrading a Discourse instance deployed via Docker (as all of ours are) follows one of two possible workflows. Both usually start with either a Discourse administrator logging into the Discourse site (which she/he might not do very often) and noticing on the default admin dashboard page (see the first attached screenshot) that there is a pending upgrade, usually with a 'click here to upgrade' link. Alternatively, if an administrator is not logged in (the system is aware of this) the system sends administrators for the site an email (see the second attached screenshot for a sample) alerting them all that an upgrade is pending, with a link to the upgrade page in the Discourse administration system.</p> <h2><a id="user-content-always-backup-first" href="#always-backup-first" name="always-backup-first" class="heading-permalink" aria-hidden="true" title="Permalink"></a>Always backup first!</h2> <p>As any good system administrator knows, their users' data is of utmost importance. So, before proceeding with any upgrade, it's crucial to make a backup of your system to ensure that if everything goes pear-shaped, you can recover and get back to where you were.</p> <p>Normally, I consider it sufficient to take a Discourse 'backup' via the admin backup interface 'immediately before doing the upgrade' (see attached screenshot), leaving ''off'' the uploaded content, as this is unlikely to be affected or removed via the upgrade process, to save space. Doing this immediately prior to the upgrade minimises the chances that any users lose data (e.g. a recent post, in the space of time between the backup and the actual upgrade or even a post they're working on when the upgrade commences - if the latter happens, as long as they don't leave the page and wait for the forum to 'come back' after the upgrade, they should be able to proceed without losing anything... but there's a small chance they could be unlucky - be mindful of this and try to a) announce upgrades on the site prior to running them, and b) try to do so outside of your busiest hours, which should be easy to determine thanks to Discourse's superb analytics (also a feature of the default admin dashboard).</p> <p>After conducting the backup, you can do the upgrade.</p> <h2><a id="user-content-upgrade-workflows" href="#upgrade-workflows" name="upgrade-workflows" class="heading-permalink" aria-hidden="true" title="Permalink"></a>Upgrade Workflows</h2> <p>You will ''usually'' have a straightforward 'point-and-click' web browser based upgrade process, but on occasion, you will click on the 'upgrade link' and end up on a page like 'upgrade is too complicated for the web interface' message (see attached screenshot). In that latter case, things get a little more complicated. Also, such upgrades can result in somewhat more downtime for the forum, so only conduct them when you have sufficient time.</p> <h3><a id="user-content-web-based-upgrade" href="#web-based-upgrade" name="web-based-upgrade" class="heading-permalink" aria-hidden="true" title="Permalink"></a>Web-based upgrade</h3> <p>In most cases, when you click on the "Click here to upgrade" link, you'll be taken to a page that assesses the various components (the Discourse codebase, the Docker subsystems, and any additional functional plugins) making up your Discourse install and alerts you which of those components have a pending upgrade. This can sometimes take a while (the system is having to compare what you have on your server to the official up-to-date versions of those things on the web), but when done, the page will show you 'upgrade' buttons for the components with upgrades pending as per the attached sample upgrade pages screenshot.</p> <p>Once you've got those showing, you can click the 'Upgrade' button that's highlighted (if any - that one needs to be done first, prior to the others) and then the 'Start upgrade" operation for each one. Or, sometimes, you'll see an "Upgrade all" button at the top of the page, which applies all the pending upgrades in a single operation.</p> <p>Usually, in practice, this renders your Discourse forum unusable (it'll be in 'maintenance mode' from a user's perspective) for a few seconds to a few minutes, depending on the upgrade.</p> <h3><a id="user-content-command-line-launcher-upgrade" href="#command-line-launcher-upgrade" name="command-line-launcher-upgrade" class="heading-permalink" aria-hidden="true" title="Permalink"></a>Command line 'launcher' upgrade</h3> <p>When the upgrade is more fundamental, usually involving the Docker subsystem, you sometimes don't have the option of a web-based upgrade. Instead of the upgrade web pages from the previous section, you get message like that shown in the next screenshot, which talks about running the upgrade from the command line using the <code>launcher</code> command and doing a 'rebuild' of the system.</p> <p>In that case, you need to be able to log into the host server (usually a remote cloud-based "Virtual Private Server" or VPS) - I always use SSH to do that <a href="/node/49">see these instructions</a> from a terminal on my Linux desktop - with suitable permissions (usually the ability to run 'sudo' commands, i.e. act as the administrative or 'root' user of that server).</p> <p>Once you're logged in as a user with 'sudo' privileges, you need to go to the Docker configuration directory for that instance of Discourse - in the OER Foundation's case, I have the convention of having the installation in the <code>/home/docker/</code> directory in a subdirectory with the same name as the as the site, e.g. forum.oeru.org. In that case, I'd enter</p> <p><code>cd /home/docker/forum.oeru.org</code></p> <p>Note that we don't use the default path for our Discourse installation (<code>/var/discourse</code>), so we're being rebels here. Doing an</p> <p><code>ls -l</code></p> <p>here should give a directory that looks a bit like this (you might not have the 'oeru'-related files) when listed:</p> <div class="geshifilter"><div class="bash geshifilter-bash"><pre class="de1"><span class="re5">-rw-rw-r--</span> <span class="nu0">1</span> dave dave <span class="nu0">1099</span> Nov <span class="nu0">29</span> <span class="nu0">2019</span> LICENSE <span class="re5">-rw-r--r--</span> <span class="nu0">1</span> dave root <span class="nu0">8285</span> Jul <span class="nu0">24</span> <span class="nu0">2021</span> README.md <span class="re5">-rw-rw-r--</span> <span class="nu0">1</span> dave dave <span class="nu0">258</span> Dec <span class="nu0">2</span> <span class="nu0">2019</span> README.oeru drwxrwxr-x <span class="nu0">1</span> dave dave <span class="nu0">16</span> Nov <span class="nu0">29</span> <span class="nu0">2019</span> bin drwxrwxr-x <span class="nu0">1</span> dave dave <span class="nu0">16</span> Apr <span class="nu0">15</span> <span class="nu0">23</span>:<span class="nu0">36</span> cids drwxrwxr-x <span class="nu0">1</span> dave dave <span class="nu0">30</span> May <span class="nu0">19</span> 06:<span class="nu0">47</span> containers <span class="re5">-rwxrwxr-x</span> <span class="nu0">1</span> dave dave <span class="nu0">11955</span> Apr <span class="nu0">15</span> <span class="nu0">23</span>:<span class="nu0">22</span> discourse-doctor <span class="re5">-rwxr-xr-x</span> <span class="nu0">1</span> dave root <span class="nu0">27132</span> Oct <span class="nu0">21</span> <span class="nu0">2021</span> discourse-setup drwxrwxr-x <span class="nu0">1</span> dave dave <span class="nu0">192</span> Dec <span class="nu0">22</span> 04:<span class="nu0">43</span> image <span class="re5">-rwxrwxr-x</span> <span class="nu0">1</span> dave dave <span class="nu0">23538</span> Apr <span class="nu0">15</span> <span class="nu0">23</span>:<span class="nu0">22</span> launcher drwxrwxr-x <span class="nu0">1</span> dave dave <span class="nu0">120</span> Nov <span class="nu0">16</span> <span class="nu0">2021</span> samples drwxrwxr-x <span class="nu0">1</span> dave dave <span class="nu0">22</span> Nov <span class="nu0">29</span> <span class="nu0">2019</span> scripts drwxrwxr-x <span class="nu0">1</span> dave dave <span class="nu0">16</span> Nov <span class="nu0">29</span> <span class="nu0">2019</span> shared drwxrwxr-x <span class="nu0">1</span> dave dave <span class="nu0">866</span> Apr <span class="nu0">15</span> <span class="nu0">23</span>:<span class="nu0">22</span> templates drwxr-xr-x <span class="nu0">1</span> dave root <span class="nu0">130</span> Jan <span class="nu0">16</span> <span class="nu0">22</span>:<span class="nu0">42</span> tests</pre></div></div> <p>The script we're going to use is the <code>launcher</code> script, and we're going to use the site's configuration which, by our convention, will reside in <code>containers/app.yml</code>(you can see its contents by typing <code>less containers/app.yml</code> assuming your user has sufficient permissions to view it directly. If not, prepend <code>sudo</code> to your command.</p> <p>To run the upgrade, you have to complete two steps as suggested by the page you saw when you clicked on the upgrade link:</p> <p>First, ensure that the 'git' repository that was used to provide this set of files to begin with is up-to-date - if your user owns these files (as my 'dave' user does in the example above) then run this to avoid changing the ownership of the files:</p> <p><code>git pull</code></p> <p>If you don't own the files you'll need to run</p> <p><code>sudo git pull</code></p> <p>which should result in a fairly quick (a few seconds) request to the git server, pulling down files that have been changed by the developers since the last time you did a <code>git pull</code>... Note, if the pull fails, you may find that you've altered one or more files for some reason and that the change you've made would be clobbered by the pull. The easiest thing to do in that case is - for each file - to (prepending with <code>sudo</code> if required):</p> <p><code>cp [filename] [filename].bak</code></p> <p>so you have a backup copy of your changed file, and then issue (again, with <code>sudo</code> prepended if necessary):</p> <p><code>git checkout [filename]</code></p> <p>which reverts [filename] to its original git-distributed version. The <code>git pull</code> should now work.</p> <p>Second, simply type (again, prepending with <code>sudo</code> if required:</p> <p><code>./launcher rebuild app.yml</code></p> <p>This will initiate what can be a rather long process (perhaps 1 to as many as, say, 30 minutes, depending on the upgrade, the amount that needs to be downloaded, your server's network bandwidth, and a variety of other variables) which will involve downloading new Docker containers with Discourse code, as well as possibly a new PostgreSQL database container among others. Your Discourse will continue running as long as it can safely do so, but then the <code>launcher</code> script will shut down the containers and restart them. It might also be 'recompiling' aggregated resources used by Discourse, like various Ruby On Rails gems, icon files, style sheets (CSS), or Javascript files...</p> <p>Once it's done, you'll get the command prompt back. You're done! Have a look at your site and you should see you're up-to-date!</p> <p>You can log out of the server vai <code>CTRL-D</code> or typing <code>exit</code>.</p> <h3><a id="user-content-problems" href="#problems" name="problems" class="heading-permalink" aria-hidden="true" title="Permalink"></a>Problems?</h3> <p>I have, on a few occasions, had an upgrade fail for some reason. If that happens, you should see an indicator of has caused the failure (in a few cases for me, it was the fact that the PostgreSQL database didn't have enough time to restart before the Discourse app tried to access it to run data schema upgrades, and failed as a result. Changing the 'timeout' value from 5 seconds to 60 seconds fixed it - looking on the <a href="https://meta.discourse.org">Meta Discourse</a> - Discourse's own Discourse used to discuss running Discourse - is a very good resource when trying to solve system-related problems. It's worth creating an account for yourself on it if you're going to be responsible for a Discourse instance!</p></div> </div> </div> <section class="field field-node--field-blog-comments field-name-field-blog-comments field-type-comment field-label-above comment-wrapper"> <a name="comments"></a> <div class="comment-form-wrapper"> <h2 class="comment-form__title">Add new comment</h2> <drupal-render-placeholder callback="comment.lazy_builders:renderForm" arguments="0=node&amp;1=51&amp;2=field_blog_comments&amp;3=comment" token="sEqniUwHCHUWHihRflAm8YgWK0q2UAy7k0fiHG3-09Y"></drupal-render-placeholder> </div> </section> Thu, 19 May 2022 02:45:12 +0000 dave 51 at http://tech.oeru.org Install Rocket.Chat on Ubuntu 20.04 via Docker Compose http://tech.oeru.org/install-rocketchat-ubuntu-2004-docker-compose <span class="field field--name-title field--type-string field--label-hidden">Install Rocket.Chat on Ubuntu 20.04 via Docker Compose</span> <div class="field field-node--field-blog-tags field-name-field-blog-tags field-type-entity-reference field-label-above"> <h3 class="field__label">Blog tags</h3> <div class="field__items"> <div class="field__item field__item--ubuntu-linux"> <span class="field__item-wrapper"><a href="/taxonomy/term/12" hreflang="en">ubuntu linux</a></span> </div> <div class="field__item field__item--_004"> <span class="field__item-wrapper"><a href="/taxonomy/term/75" hreflang="en">20.04</a></span> </div> <div class="field__item field__item--rocketchat"> <span class="field__item-wrapper"><a href="/taxonomy/term/18" hreflang="en">rocket.chat</a></span> </div> <div class="field__item field__item--mongodb"> <span class="field__item-wrapper"><a href="/taxonomy/term/14" hreflang="en">mongodb</a></span> </div> <div class="field__item field__item--docker"> <span class="field__item-wrapper"><a href="/taxonomy/term/16" hreflang="en">docker</a></span> </div> <div class="field__item field__item--docker-compose"> <span class="field__item-wrapper"><a href="/taxonomy/term/49" hreflang="en">docker-compose</a></span> </div> </div> </div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><a title="View user profile." href="/user/1" lang="" about="/user/1" typeof="schema:Person" property="schema:name" datatype="" class="username">dave</a></span> <span class="field field--name-created field--type-created field--label-hidden">Thu 03/03/2022 - 13:00</span> <div class="field field-node--field-image field-name-field-image field-type-image field-label-hidden has-multiple"> <figure class="field-type-image__figure image-count-1"> <div class="field-type-image__item"> <a href="http://tech.oeru.org/sites/default/files/styles/max_1300x1300/public/2022-03/RC-launchscreen.png?itok=JnRkklyO" aria-controls="colorbox" aria-label="{&quot;alt&quot;:&quot;Rocket.Chat initial &#039;launch&#039; screen requesting admin user credentials.&quot;}" role="button" title="Rocket.Chat initial &#039;launch&#039; screen requesting admin user credentials." data-colorbox-gallery="gallery-field_image-GnjYzG6vmqA" class="colorbox" data-cbox-img-attrs="{&quot;alt&quot;:&quot;Rocket.Chat initial &#039;launch&#039; screen requesting admin user credentials.&quot;}"><img src="/sites/default/files/styles/medium/public/2022-03/RC-launchscreen.png?itok=OjBXKXXC" width="220" height="160" alt="Rocket.Chat initial &#039;launch&#039; screen requesting admin user credentials." loading="lazy" typeof="foaf:Image" class="image-style-medium" /> </a> </div> </figure> <figure class="field-type-image__figure image-count-2"> <div class="field-type-image__item"> <a href="http://tech.oeru.org/sites/default/files/styles/max_1300x1300/public/2022-03/RC-confirmationscreen.png?itok=uO0TVfx-" aria-controls="colorbox" aria-label="{&quot;alt&quot;:&quot;The confirmation screen after initial registration, awaiting the email from Rocket.Chat for registering your instance.&quot;}" role="button" title="The confirmation screen after initial registration, awaiting the email from Rocket.Chat for registering your instance." data-colorbox-gallery="gallery-field_image-GnjYzG6vmqA" class="colorbox" data-cbox-img-attrs="{&quot;alt&quot;:&quot;The confirmation screen after initial registration, awaiting the email from Rocket.Chat for registering your instance.&quot;}"><img src="/sites/default/files/styles/medium/public/2022-03/RC-confirmationscreen.png?itok=xQ-NAp1u" width="220" height="160" alt="The confirmation screen after initial registration, awaiting the email from Rocket.Chat for registering your instance." loading="lazy" typeof="foaf:Image" class="image-style-medium" /> </a> </div> </figure> <figure class="field-type-image__figure image-count-3"> <div class="field-type-image__item"> <a href="http://tech.oeru.org/sites/default/files/styles/max_1300x1300/public/2022-03/RC-logs_confirming_instance_running.png?itok=7tPCbNHo" aria-controls="colorbox" aria-label="{&quot;alt&quot;:&quot;After logging in, you can look at your instances logs and either the &#039;info&#039; option or the logs can verify the details of your instance. &quot;}" role="button" title="After logging in, you can look at your instances logs and either the &#039;info&#039; option or the logs can verify the details of your instance. " data-colorbox-gallery="gallery-field_image-GnjYzG6vmqA" class="colorbox" data-cbox-img-attrs="{&quot;alt&quot;:&quot;After logging in, you can look at your instances logs and either the &#039;info&#039; option or the logs can verify the details of your instance. &quot;}"><img src="/sites/default/files/styles/medium/public/2022-03/RC-logs_confirming_instance_running.png?itok=dY2I6OoA" width="220" height="158" alt="After logging in, you can look at your instances logs and either the &#039;info&#039; option or the logs can verify the details of your instance. " loading="lazy" typeof="foaf:Image" class="image-style-medium" /> </a> </div> </figure> </div> <div class="clearfix text-formatted field field-node--body field-name-body field-type-text-with-summary field-label-hidden"> <div class="field__items"> <div class="field__item"><p>This post is a companion to our <a href="https://vimeo.com/684017454">video tutorial on installing Rocket.Chat 4.x on an Ubuntu 20.04 server via Docker Compose</a>.</p> <p>We start with a <a href="/setting-oeru-style-virtual-ubuntu-2004-server-docker-compose">Docker Compose-configured server</a>. You can also see our video tutorials on how to create one: <a href="https://vimeo.com/684028258">complete</a>, or <a href="https://vimeo.com/677523362">starting from a DigitalOcean 'snapshot'</a>.</p> <p>From that starting point, we can install Rocket.Chat - which, incidentally, is a full-featured messaging service, similar to more heavily marketed Slack, Discord, or Microsoft Teams, but <a href="https://github.com/RocketChat/">free and open source</a>, and self-hostable (other free and open source options include Mattermost and Element/Matrix among others, by Rocket.Chat is the OERF's preference). You can also purchase it as <a href="https://rocket.chat">Software-as-a-Service</a>. It's also great for all sorts of <a href="https://rocket.chat/enterprise/integrations">integrations</a>. There <a href="https://rocket.chat/install">many ways</a> you can interact with Rocket.Chat. It can be accessed via any modern web browser, and there are dedicated desktop applications for Linux, Microsoft Windows, and Apple MacOS, as well as mobile applications for Apple iOS and Android devices.</p> <p>To complete this tutorial, you will need a fully qualified [domain name] (or subdomain) pointing to your server, a [port] number for your service - 8080 or 7080 are good options so long as they're not already in use by other services on the same server, and a set of authenticating SMTP credentials so you can configure your Rocket.Chat to send email (by default, Rocket.Chat uses TOTP (Time-based One-Time Password) sent via email for extra security).</p> <h2><a id="user-content-nginx-reverse-proxy" href="#nginx-reverse-proxy" name="nginx-reverse-proxy" class="heading-permalink" aria-hidden="true" title="Permalink"></a>Nginx reverse proxy</h2> <p>The first step is to set up the Nginx reverse proxy configuration to allow. You should create a file in <code>/etc/nginx/sites-available</code> with your [domain name] like this:</p> <p><code>sudo nano /etc/nginx/sites-available/[domain name]</code></p> <p>and fill it with this (replacing [domain name] and [port] appropriately:</p> <div class="geshifilter"><div class="bash geshifilter-bash"><pre class="de1">server <span class="br0">{</span> listen <span class="nu0">80</span>; listen <span class="br0">[</span>::<span class="br0">]</span>:<span class="nu0">80</span>; server_name <span class="br0">[</span>domain name<span class="br0">]</span>;   <span class="co0">## Access and error logs.</span> access_log <span class="sy0">/</span>var<span class="sy0">/</span>log<span class="sy0">/</span>nginx<span class="sy0">/</span><span class="br0">[</span>domain name<span class="br0">]</span>_access.log; error_log <span class="sy0">/</span>var<span class="sy0">/</span>log<span class="sy0">/</span>nginx<span class="sy0">/</span><span class="br0">[</span>domain name<span class="br0">]</span>_error.log;   include includes<span class="sy0">/</span>letsencrypt.conf;   location <span class="sy0">/</span> <span class="br0">{</span> <span class="kw3">return</span> <span class="nu0">301</span> https:<span class="sy0">//</span><span class="br0">[</span>domain name<span class="br0">]</span><span class="re1">$request_uri</span>; <span class="br0">}</span> root <span class="sy0">/</span>var<span class="sy0">/</span>www<span class="sy0">/</span>html; <span class="br0">}</span>     server <span class="br0">{</span> listen <span class="nu0">443</span> ssl; listen <span class="br0">[</span>::<span class="br0">]</span>:<span class="nu0">443</span> ssl; <span class="co0">#ssl_certificate /etc/letsencrypt/live/[domain name]/fullchain.pem;</span> <span class="co0">#ssl_certificate_key /etc/letsencrypt/live/[domain name]/privkey.pem;</span> <span class="co0"># temporary cert and private key, to be superseded by those provided by Let's Encrypt above.</span> ssl_certificate <span class="sy0">/</span>etc<span class="sy0">/</span>ssl<span class="sy0">/</span>certs<span class="sy0">/</span>ssl-cert-snakeoil.pem; ssl_certificate_key <span class="sy0">/</span>etc<span class="sy0">/</span>ssl<span class="sy0">/</span>private<span class="sy0">/</span>ssl-cert-snakeoil.key; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_dhparam <span class="sy0">/</span>etc<span class="sy0">/</span>ssl<span class="sy0">/</span>certs<span class="sy0">/</span>dhparam.pem;   keepalive_timeout 20s;   root <span class="sy0">/</span>var<span class="sy0">/</span>www<span class="sy0">/</span>html; index index.html index.htm; server_name <span class="br0">[</span>domain name<span class="br0">]</span>;   <span class="co0">## Access and error logs.</span> access_log <span class="sy0">/</span>var<span class="sy0">/</span>log<span class="sy0">/</span>nginx<span class="sy0">/</span><span class="br0">[</span>domain name<span class="br0">]</span>_access.log; error_log <span class="sy0">/</span>var<span class="sy0">/</span>log<span class="sy0">/</span>nginx<span class="sy0">/</span><span class="br0">[</span>domain name<span class="br0">]</span>_error.log;   client_max_body_size 100m;   include includes<span class="sy0">/</span>letsencrypt.conf;   location <span class="sy0">/</span> <span class="br0">{</span> proxy_pass http:<span class="sy0">//</span>127.0.0.1:<span class="br0">[</span>port<span class="br0">]</span>; <span class="co0"># use 8080 or 7080 if in doubt.</span> proxy_http_version <span class="nu0">1.1</span>; proxy_set_header Upgrade <span class="re1">$http_upgrade</span>; proxy_set_header Connection <span class="st0">"upgrade"</span>; proxy_set_header Host <span class="re1">$http_host</span>; proxy_set_header X-Forwarded-Host <span class="re1">$host</span>; proxy_set_header X-Real-IP <span class="re1">$remote_addr</span>; proxy_set_header X-Forwarded-For <span class="re1">$proxy_add_x_forwarded_for</span>; proxy_set_header X-Forward-Proto http; proxy_set_header X-Nginx-Proxy <span class="kw2">true</span>; proxy_redirect off; <span class="br0">}</span> <span class="br0">}</span></pre></div></div> <p>Save and close that file. We now need to create the 'dhparam.pem' if it doesn't exist create it like this:</p> <p><code>sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048</code></p> <p>After doing that, you can test Nginx's configuration:</p> <p><code>sudo nginx -t</code></p> <p>If you don't get any errors or warnings, you can activate the new configuration:</p> <p><code>sudo service nginx reload</code></p> <p>You server should now successfully respond to your [domain name], but it'll redirect to HTTPS using the default (self-signed) certificates that are valid as far as Nginx is concerned, but your browser won't let you access the page due to those inappropriate certificates. You can test it by putting http://[domain name] into your browser and seeing if it redirects you to https://[domain name] and a 'bad certificate` (or similar) page.</p> <p>To fix that, we can now generate a Let's Encrypt certificate which will be valid.</p> <p><code>sudo letsencrypt certonly --webroot -w /var/www/letsencrypt -d [domain name]</code></p> <p>Since this is your first time running the <code>letsencrypt</code> script, you'll be asked for a contact email (so the Let's Encrypt system can warn you if your certificates are going to be expiring soon!) - you will need to provide an admin email for this. You can also opt in to allowing them to get anonymous statistics from your site (I do).</p> <p>Once you've done that, the Let's Encrypt system will verify that you (the person requesting the certificate) also controls the server that's requesting it (using the details specified in the <code>/etc/nginx/includes/letsencrypt.conf</code> file, along with data that the letsencrypt script writes into a special file in the <code>/var/www/letsencrypt</code> directory) and, all going well, you'll see a "Congratulations!" message telling you that you have new certificates for your [domain name].</p> <p>Then you can re-edit your Nginx confguration file:</p> <p><code>sudo nano /etc/nginx/sites-available/[domain name]</code></p> <p>and comment out the default certificates and uncomment the [Domain]-specific certificates, like this (we'll assume you've already got your [domain name] substituted!):</p> <div class="geshifilter"><div class="bash geshifilter-bash"><pre class="de1"> ssl_certificate <span class="sy0">/</span>etc<span class="sy0">/</span>letsencrypt<span class="sy0">/</span>live<span class="sy0">/</span><span class="br0">[</span>domain name<span class="br0">]</span><span class="sy0">/</span>fullchain.pem; ssl_certificate_key <span class="sy0">/</span>etc<span class="sy0">/</span>letsencrypt<span class="sy0">/</span>live<span class="sy0">/</span><span class="br0">[</span>domain name<span class="br0">]</span><span class="sy0">/</span>privkey.pem; <span class="co0"># temporary cert and private key, to be superseded by those provided by Let's Encrypt above.</span> <span class="co0">#ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;</span> <span class="co0">#ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;</span> ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_dhparam <span class="sy0">/</span>etc<span class="sy0">/</span>ssl<span class="sy0">/</span>certs<span class="sy0">/</span>dhparam.pem;  </pre></div></div> <p>Once you've got that going, you again check to make sure your Nginx config is valid:</p> <p><code>sudo nginx -t</code></p> <p>and apply your configuration changes:</p> <p><code>sudo service nginx reload</code></p> <p>If you now go to http://[domain name] in your browser, you should be redirected to https://[domain name] and you shouldn't get any certificate errors, although you might get a "502" error because the service that reverse proxy configuration is trying to send you to doesn't yet exist! That's what we're expecting.</p> <h2><a id="user-content-rocketchat-containers-via-docker-compose" href="#rocketchat-containers-via-docker-compose" name="rocketchat-containers-via-docker-compose" class="heading-permalink" aria-hidden="true" title="Permalink"></a>Rocket.Chat containers via Docker Compose</h2> <p>Next, we have to create the Rocket.Chat container recipe for Docker Compose. Create a Docker directory if it doesn't yet exist and a [domain name]-specific directory:</p> <p><code>sudo mkdir -p /home/docker/[domain name]</code></p> <p>and go there</p> <p><code>cd home/docker/[domain name]</code></p> <p>and create a file:</p> <p><code>nano docker-compose.yml</code></p> <p>putting this into it, replacing [domain name], [port], and the authenticating SMTP details: [smtp username], [smtp password], [smtp servername], and [smtp port]. Note the comment in the file as well if you're not sure about smtp:// or the [smtp port] to use.</p> <p>This configuration specifies MongoDB version 4.2, which is the <a href="https://docs.rocket.chat/quick-start/installing-and-updating/other-deployment-methods/manual-installation/extras/mongo-versions">recommended version</a> to use for Rocket.Chat right now. And the current version of Rocket.Chat at the time of this writing is 4.5.0.</p> <div class="geshifilter"><div class="bash geshifilter-bash"><pre class="de1">version: <span class="st_h">'2'</span> services: mongo: restart: unless-stopped image: mongo:<span class="nu0">4.2</span> volumes: - <span class="sy0">/</span>home<span class="sy0">/</span>data<span class="sy0">/</span><span class="br0">[</span>domain name<span class="br0">]</span><span class="sy0">/</span>mongodb<span class="sy0">/</span>data:<span class="sy0">/</span>data<span class="sy0">/</span>db - <span class="sy0">/</span>home<span class="sy0">/</span>data<span class="sy0">/</span><span class="br0">[</span>domain name<span class="br0">]</span><span class="sy0">/</span>backups<span class="sy0">/</span>mongodb:<span class="sy0">/</span>backups command: mongod <span class="re5">--oplogSize</span> <span class="nu0">128</span> <span class="re5">--replSet</span> rs0 <span class="co0"># this container's job is just run the command to initialize the replica set.</span> <span class="co0"># it will run the command and remove himself (it will not stay running)</span> mongo-init-replica: image: mongo:<span class="nu0">4.2</span> command: <span class="st_h">'bash -c "for i in `seq 1 30`; do mongo mongo/rocketchat --eval \"rs.initiate({ _id: '</span><span class="st_h">'rs0'</span><span class="st_h">', members: [ { _id: 0, host: '</span><span class="st_h">'localhost:27017'</span><span class="st_h">' } ]})\" &amp;&amp; s=$$? &amp;&amp; break || s=$$?; echo \"Tried $$i times. Waiting 5 secs...\"; sleep 5; done; (exit $$s)"'</span> depends_on: - mongo rocketchat: restart: unless-stopped image: rocketchat<span class="sy0">/</span>rocket.chat:4.5.0 command: <span class="kw2">bash</span> <span class="re5">-c</span> <span class="st_h">'for i in `seq 1 30`; do node main.js &amp;&amp; s=$$? &amp;&amp; break || s=$$?; echo "Tried $$i times. Waiting 5 secs..."; sleep 5; done; (exit $$s)'</span> ports: - <span class="st0">"127.0.0.1:[port]:3000"</span> depends_on: - mongo environment: - <span class="re2">MONGO_URL</span>=mongodb:<span class="sy0">//</span>mongo<span class="sy0">/</span>rocket - <span class="re2">MONGO_OPLOG_URL</span>=mongodb:<span class="sy0">//</span>mongo<span class="sy0">/</span><span class="kw3">local</span> - <span class="re2">ROOT_URL</span>=https:<span class="sy0">//</span><span class="br0">[</span>domain name<span class="br0">]</span> <span class="co0"># the SMTP port is likely to be 587 or 465, and instead of smtp:// you might need to use smtps:// (note the 's' for secure).</span> - <span class="re2">MAIL_URL</span>=smtp:<span class="sy0">//</span><span class="br0">[</span>smtp username<span class="br0">]</span>:<span class="br0">[</span>smtp password<span class="br0">]</span><span class="sy0">@</span><span class="br0">[</span>smtp servername<span class="br0">]</span>:<span class="br0">[</span>smtp port<span class="br0">]</span><span class="sy0">/</span> volumes: - <span class="sy0">/</span>home<span class="sy0">/</span>data<span class="sy0">/</span><span class="br0">[</span>domain name<span class="br0">]</span><span class="sy0">/</span>uploads:<span class="sy0">/</span>app<span class="sy0">/</span>uploads</pre></div></div> <p>Save and close that file. You can then start the Docker containers by invoking Docker Compose</p> <p><code>docker-compose up -d &amp;&amp; docker-compose logs -f</code></p> <p>This command will 'pull' any missing reference containers from hub.docker.com (the default central place where many Docker containers are stored by their developers) and launch them in "daemon mode" (the '-d' flag achieves that) on your server, so that they'll keep running until you stop them. After it's done with the launching, Docker Compose will display the logging data being put out by both the MongoDB and Rocket.Chat containers.</p> <p>You can issue a <code>CTRL-C</code> to cancel out of the logs view - it won't affect the running Rocket.Chat instance.</p> <p>You can also stop Rocket.Chat by issuing:</p> <p><code>docker-compose stop</code></p> <p>and verify it status (running or not) via</p> <p><code>docker-compose ps</code></p> <p>If you then go https://[domain name] in your browser, you should get the 'initial user' start up page as shown in the attached screenshot. After filling in your content and content related to your instance, you should receive an email from both your Rocket.Chat instance and from the Rocket.Chat developers showing your instance is registered.</p> <p>You can then log in (by default, you will have to wait for an email with a TOTP code to log in) you will be able to change the multitude of settings, behaviours, and integrations that Rocket.Chat supports. See its <a href="https://docs.rocket.chat/">user documentation</a> for more information on configuring and managing your Rocket.Chat instance. Note, there are many other sources for information on Rocket.Chat configuration - search engines will help you.</p> <h2><a id="user-content-backing-up-your-data" href="#backing-up-your-data" name="backing-up-your-data" class="heading-permalink" aria-hidden="true" title="Permalink"></a>Backing up your data</h2> <p>To back up your Rocket.Chat installation, you will need to store both the content of your MongoDB and any files or other content uploaded.</p> <p>Backing up the uploaded content involves regular file backups of the uploaded files and the docker-compose.yml configuration. Preferably, these should be stored off the original server, i.e.</p> <p>We have developed a script for backing up Docker-based MongoDB installations. You can install it as follows. First, we'll make a place to put the backup script:</p> <p><code>sudo mkdir /home/data/scripts &amp;&amp; sudo cd /home/data/scripts</code></p> <p>and then clone (i.e. download) our git repository:</p> <p><code>sudo git clone https://git.oeru.org/oeru/mongobackup.git</code></p> <p>which will create a directory <code>/home/data/scripts/mongobackup</code> - go into it</p> <p><code>sudo cd /home/data/scripts/mongobackup</code></p> <p>and create a backup configuration (substituting your domain name!) and edit the file:</p> <p><code>sudo cp default-mongo.conf-sample default-mongo.conf</code></p> <p><code>sudo nano default-mongo.conf</code></p> <p>The content should look like this:</p> <div class="geshifilter"><div class="bash geshifilter-bash"><pre class="de1"><span class="co0">#</span> <span class="co0"># dump backup directories</span> <span class="co0">#</span> <span class="co0"># for backup archives</span> <span class="re2">BU_DIR</span>=<span class="br0">[</span>path to backup archive store<span class="br0">]</span> <span class="co0"># working directories</span> <span class="co0"># from docker-compose.yml </span> <span class="re2">BU_DIR_HOST</span>=<span class="br0">[</span>path on host to mapped mongo container backup <span class="kw2">dir</span><span class="br0">]</span> <span class="re2">BU_DIR_DOCK</span>=<span class="br0">[</span>path on mongo container to backup <span class="kw2">dir</span><span class="br0">]</span> <span class="co0">#</span> <span class="co0"># Docker Compose details</span> <span class="co0">#</span> <span class="co0"># dir containing the docker-compose.yml</span> <span class="re2">DC_DIR</span>=<span class="br0">[</span>docker-compose directory <span class="kw1">for</span> mongo container<span class="br0">]</span> <span class="co0"># name of the database container</span> <span class="re2">DC_CONTAINER</span>=<span class="br0">[</span>name of mongo container <span class="kw1">in</span> docker-compose.yml<span class="br0">]</span> <span class="co0">#</span> <span class="co0"># Reporting</span> <span class="co0">#</span> <span class="co0"># email address to send reports to, and subject</span> <span class="re2">EMAIL</span>=<span class="br0">[</span>admin email<span class="br0">]</span> <span class="re2">EMAIL_SUBJ</span>=<span class="st0">"[email subject to distinguish this email from others]"</span></pre></div></div> <p>The values you set should look like this (replace [domain name] appropriate) - you can leave the original '#' comments in place if you want:</p> <div class="geshifilter"><div class="bash geshifilter-bash"><pre class="de1"><span class="re2">BU_DIR</span>=<span class="sy0">/</span>home<span class="sy0">/</span>backup<span class="sy0">/</span>mongodb <span class="re2">BU_DIR_HOST</span>=<span class="sy0">/</span>home<span class="sy0">/</span>data<span class="sy0">/</span><span class="br0">[</span>domain name<span class="br0">]</span><span class="sy0">/</span>backups<span class="sy0">/</span>mongodb <span class="re2">BU_DIR_DOCK</span>=<span class="sy0">/</span>backups <span class="re2">DC_DIR</span>=<span class="sy0">/</span>home<span class="sy0">/</span>docker<span class="sy0">/</span><span class="br0">[</span>domain name<span class="br0">]</span> <span class="re2">DC_CONTAINER</span>=mongo <span class="re2">EMAIL</span>=<span class="br0">[</span>an email that you receive<span class="br0">]</span> <span class="re2">EMAIL_SUBJ</span>=<span class="st0">"MongoDB Backup for Rocket.Chat: [domain name]"</span></pre></div></div> <p>save and close that file and then we have to create the location for the backups to be stored (and, ideally, transferred to the remote backup location along with the uploaded files and docker-compose.yml file):</p> <p><code>sudo mkdir -p /home/backup/mongodb</code></p> <p>Note, that the email alerts depend on you having configured your server properly to send out email as per our instructions for <a href="/setting-oeru-style-virtual-ubuntu-2004-server-docker-compose">setting up a Docker Compose server</a>.</p> <p>You can test to make sure this all works by running</p> <p><code>sudo /home/data/scripts/mongobackup/dbbackup-mongo --hourly</code></p> <p>You should see a bunch of file paths as things are backed up - if you see nothing, you may have an error in your configuration.</p> <p>To verify a backup has been made, you can run</p> <p><code>ls -l /home/backup/mongodb/</code></p> <p>and you should see a series of files (probably 3), named after each 'database' in the mongo server, with the name 'mongo-hourly' in them followed by the server's current date and time and a <code>.tgz</code> suffix.</p> <p>If it works, copy the 'cron' task to your <code>/etc/cron.d</code> directory:</p> <p><code>sudo cp dbbackup-mongo-cron /etc/cron.d/</code></p> <p>after which, you should get hourly (and daily, weekly, monthly, and yearly) backups that tidy up after themselves...</p> <h2><a id="user-content-upgrading-your-installation" href="#upgrading-your-installation" name="upgrading-your-installation" class="heading-permalink" aria-hidden="true" title="Permalink"></a>Upgrading your installation</h2> <p>From time to time, assuming you've registered your Rocket.Chat installation, you will receive notifications that a new version of Rocket.Chat is available. You can upgrade at your convenience by creating a dated copy of your docker-compose.yml file - you can use this convenient little command (assuming you're in /home/docker/[domain name]):</p> <p><code>sudo cp docker-compose.yml docker-compose.yml-$(date +"%Y%m%d")</code></p> <p>and make sure you disable your instance</p> <p><code>sudo docker-compose stop rocketchat</code></p> <p>and then run a mongodb backup - the easiest way to do that is to run</p> <p><code>sudo /home/data/scripts/mongobackup/dbbackup-mongo --hourly</code></p> <p>as described above. Also, assuming the data involved is relatively small compared to your available storage space, you can copy your current mongo data to make sure you can recover quickly if necessary (after stopping mongodb!):</p> <p><code>sudo docker-compose stop mongo</code></p> <p><code>sudo cp -a /home/data/[domain name]/mongodb/data /home/data/[domain name]/mongodb/data-$(date +"%Y%m%d")</code></p> <p>Then, to do the upgrade: edit <code>docker-compose.yml</code> to update the Rocket.Chat (4.5.0 in this tutorial) container number to the new version.</p> <p><code>sudo nano docker-compose yml</code></p> <p>at which point you can run:</p> <p><code>sudo docker-compose up -d &amp;&amp; sudo docker-compose logs -f</code></p> <p>which will pull the newer Rocket.Chat container, and run it, along with MongoDB, which will automatically upgrade your instance if possible (if it succeeds, you'll see a message similar to the attached log image showing the Rocket.Chat version info in the log messages), and you'll be up and running with a new version, job done!</p> <p>Enjoy your free (in both senses of the word) world-class messaging platform!</p></div> </div> </div> <section class="field field-node--field-blog-comments field-name-field-blog-comments field-type-comment field-label-above comment-wrapper"> <a name="comments"></a> <div class="comment-form-wrapper"> <h2 class="comment-form__title">Add new comment</h2> <drupal-render-placeholder callback="comment.lazy_builders:renderForm" arguments="0=node&amp;1=48&amp;2=field_blog_comments&amp;3=comment" token="jITUDdDMJ8my5zsFfo33TLH5pOTlPih-fIF4KVSqOA8"></drupal-render-placeholder> </div> </section> Thu, 03 Mar 2022 00:00:52 +0000 dave 48 at http://tech.oeru.org Installing BigBlueButton on an OERu Docker Server http://tech.oeru.org/installing-bigbluebutton-oeru-docker-server <span class="field field--name-title field--type-string field--label-hidden">Installing BigBlueButton on an OERu Docker Server</span> <div class="field field-node--field-blog-tags field-name-field-blog-tags field-type-entity-reference field-label-above"> <h3 class="field__label">Blog tags</h3> <div class="field__items"> <div class="field__item field__item--bigbluebutton"> <span class="field__item-wrapper"><a href="/taxonomy/term/84" hreflang="en">BigBlueButton</a></span> </div> <div class="field__item field__item--ubuntu-linux"> <span class="field__item-wrapper"><a href="/taxonomy/term/12" hreflang="en">ubuntu linux</a></span> </div> <div class="field__item field__item--_004"> <span class="field__item-wrapper"><a href="/taxonomy/term/75" hreflang="en">20.04</a></span> </div> <div class="field__item field__item--docker"> <span class="field__item-wrapper"><a href="/taxonomy/term/16" hreflang="en">docker</a></span> </div> <div class="field__item field__item--docker-compose"> <span class="field__item-wrapper"><a href="/taxonomy/term/49" hreflang="en">docker-compose</a></span> </div> <div class="field__item field__item--postgresql"> <span class="field__item-wrapper"><a href="/taxonomy/term/20" hreflang="en">postgresql</a></span> </div> <div class="field__item field__item--postfix"> <span class="field__item-wrapper"><a href="/taxonomy/term/66" hreflang="en">postfix</a></span> </div> <div class="field__item field__item--nginx"> <span class="field__item-wrapper"><a href="/taxonomy/term/30" hreflang="en">nginx</a></span> </div> <div class="field__item field__item--lets-encrypt"> <span class="field__item-wrapper"><a href="/taxonomy/term/17" hreflang="en">let&#039;s encrypt</a></span> </div> </div> </div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><a title="View user profile." href="/user/1" lang="" about="/user/1" typeof="schema:Person" property="schema:name" datatype="" class="username">dave</a></span> <span class="field field--name-created field--type-created field--label-hidden">Wed 10/11/2021 - 15:42</span> <div class="field field-node--field-image field-name-field-image field-type-image field-label-hidden has-multiple"> <figure class="field-type-image__figure image-count-1"> <div class="field-type-image__item"> <a href="http://tech.oeru.org/sites/default/files/styles/max_1300x1300/public/2021-11/Screenshot%202021-11-26%20at%2012-02-53%20Create%20Droplets%20-%20DigitalOcean.png?itok=RFCxKkbH" aria-controls="colorbox" aria-label="{&quot;alt&quot;:&quot;Digital Ocean &#039;Droplet&#039; creation screen showing options selected for a BBB server&quot;}" role="button" title="Digital Ocean &#039;Droplet&#039; creation screen showing options selected for a BBB server" data-colorbox-gallery="gallery-field_image-GnjYzG6vmqA" class="colorbox" data-cbox-img-attrs="{&quot;alt&quot;:&quot;Digital Ocean &#039;Droplet&#039; creation screen showing options selected for a BBB server&quot;}"><img src="/sites/default/files/styles/medium/public/2021-11/Screenshot%202021-11-26%20at%2012-02-53%20Create%20Droplets%20-%20DigitalOcean.png?itok=qpszFHwz" width="106" height="220" alt="Digital Ocean &#039;Droplet&#039; creation screen showing options selected for a BBB server" loading="lazy" typeof="foaf:Image" class="image-style-medium" /> </a> </div> </figure> <figure class="field-type-image__figure image-count-2"> <div class="field-type-image__item"> <a href="http://tech.oeru.org/sites/default/files/styles/max_1300x1300/public/2021-11/Screenshot%202021-11-22%20at%2012-42-19%20bbbtest%20milll%20ws%20-%20DigitalOcean.png?itok=9s5Cj-8F" aria-controls="colorbox" aria-label="{&quot;alt&quot;:&quot;Performance graphs for a Digital Ocean &#039;Droplet&#039; configured to run BBB.&quot;}" role="button" title="Performance graphs for a Digital Ocean &#039;Droplet&#039; configured to run BBB." data-colorbox-gallery="gallery-field_image-GnjYzG6vmqA" class="colorbox" data-cbox-img-attrs="{&quot;alt&quot;:&quot;Performance graphs for a Digital Ocean &#039;Droplet&#039; configured to run BBB.&quot;}"><img src="/sites/default/files/styles/medium/public/2021-11/Screenshot%202021-11-22%20at%2012-42-19%20bbbtest%20milll%20ws%20-%20DigitalOcean.png?itok=Sy3JvvuB" width="220" height="166" alt="Performance graphs for a Digital Ocean &#039;Droplet&#039; configured to run BBB." loading="lazy" typeof="foaf:Image" class="image-style-medium" /> </a> </div> </figure> <figure class="field-type-image__figure image-count-3"> <div class="field-type-image__item"> <a href="http://tech.oeru.org/sites/default/files/styles/max_1300x1300/public/2021-11/Screenshot%202021-11-22%20at%2012-42-52%20milll%20ws%20-%20Metaname.png?itok=eILrt0_H" aria-controls="colorbox" aria-label="{&quot;alt&quot;:&quot;The Metaname DNS configuration for the milll.ws domain.&quot;}" role="button" title="The Metaname DNS configuration for the milll.ws domain." data-colorbox-gallery="gallery-field_image-GnjYzG6vmqA" class="colorbox" data-cbox-img-attrs="{&quot;alt&quot;:&quot;The Metaname DNS configuration for the milll.ws domain.&quot;}"><img src="/sites/default/files/styles/medium/public/2021-11/Screenshot%202021-11-22%20at%2012-42-52%20milll%20ws%20-%20Metaname.png?itok=8iNSxMhC" width="220" height="166" alt="The Metaname DNS configuration for the milll.ws domain." loading="lazy" typeof="foaf:Image" class="image-style-medium" /> </a> </div> </figure> <figure class="field-type-image__figure image-count-4"> <div class="field-type-image__item"> <a href="http://tech.oeru.org/sites/default/files/styles/max_1300x1300/public/2021-11/Screenshot%202021-11-23%20at%2014-20-22%20BigBlueButton.png?itok=vRbjT27h" aria-controls="colorbox" aria-label="{&quot;alt&quot;:&quot;The Greenlight front-end (providing user management and &#039;room&#039; configuration) for BigBlueButton.&quot;}" role="button" title="The Greenlight front-end (providing user management and &#039;room&#039; configuration) for BigBlueButton." data-colorbox-gallery="gallery-field_image-GnjYzG6vmqA" class="colorbox" data-cbox-img-attrs="{&quot;alt&quot;:&quot;The Greenlight front-end (providing user management and &#039;room&#039; configuration) for BigBlueButton.&quot;}"><img src="/sites/default/files/styles/medium/public/2021-11/Screenshot%202021-11-23%20at%2014-20-22%20BigBlueButton.png?itok=4W4E__KP" width="220" height="144" alt="The Greenlight front-end (providing user management and &#039;room&#039; configuration) for BigBlueButton." loading="lazy" typeof="foaf:Image" class="image-style-medium" /> </a> </div> </figure> <figure class="field-type-image__figure image-count-5"> <div class="field-type-image__item"> <a href="http://tech.oeru.org/sites/default/files/styles/max_1300x1300/public/2021-11/Screenshot%202021-11-30%20at%2023-04-07%20The%20OERu%20BigBlueButton%20-%20Home%20Room.png?itok=ofBw87DD" aria-controls="colorbox" aria-label="{&quot;alt&quot;:&quot;Joining a BBB session, you get the option of using a microphone to participate or being a &#039;listen-only&#039; participant.&quot;}" role="button" title="Joining a BBB session, you get the option of using a microphone to participate or being a &#039;listen-only&#039; participant." data-colorbox-gallery="gallery-field_image-GnjYzG6vmqA" class="colorbox" data-cbox-img-attrs="{&quot;alt&quot;:&quot;Joining a BBB session, you get the option of using a microphone to participate or being a &#039;listen-only&#039; participant.&quot;}"><img src="/sites/default/files/styles/medium/public/2021-11/Screenshot%202021-11-30%20at%2023-04-07%20The%20OERu%20BigBlueButton%20-%20Home%20Room.png?itok=RsOTQSIE" width="220" height="133" alt="Joining a BBB session, you get the option of using a microphone to participate or being a &#039;listen-only&#039; participant." loading="lazy" typeof="foaf:Image" class="image-style-medium" /> </a> </div> </figure> <figure class="field-type-image__figure image-count-6"> <div class="field-type-image__item"> <a href="http://tech.oeru.org/sites/default/files/styles/max_1300x1300/public/2021-11/Screenshot%202021-11-30%20at%2023-04-22%20The%20OERu%20BigBlueButton%20-%20Home%20Room%20-%20echo%20test.png?itok=H8WlXV4f" aria-controls="colorbox" aria-label="{&quot;alt&quot;:&quot;If you select &quot;microphone&quot;, you will next be asked to speak into it and do an &#039;echo test&#039; to calibrate BBB&#039;s echo cancellation algorithms.&quot;}" role="button" title="If you select &quot;microphone&quot;, you will next be asked to speak into it and do an &#039;echo test&#039; to calibrate BBB&#039;s echo cancellation algorithms." data-colorbox-gallery="gallery-field_image-GnjYzG6vmqA" class="colorbox" data-cbox-img-attrs="{&quot;alt&quot;:&quot;If you select &quot;microphone&quot;, you will next be asked to speak into it and do an &#039;echo test&#039; to calibrate BBB&#039;s echo cancellation algorithms.&quot;}"><img src="/sites/default/files/styles/medium/public/2021-11/Screenshot%202021-11-30%20at%2023-04-22%20The%20OERu%20BigBlueButton%20-%20Home%20Room%20-%20echo%20test.png?itok=KvueJqpL" width="220" height="133" alt="If you select &quot;microphone&quot;, you will next be asked to speak into it and do an &#039;echo test&#039; to calibrate BBB&#039;s echo cancellation algorithms." loading="lazy" typeof="foaf:Image" class="image-style-medium" /> </a> </div> </figure> <figure class="field-type-image__figure image-count-7"> <div class="field-type-image__item"> <a href="http://tech.oeru.org/sites/default/files/styles/max_1300x1300/public/2021-11/Screenshot%202021-11-30%20at%2023-04-49%20The%20OERu%20BigBlueButton%20-%20Home%20Room-webcam.png?itok=pEnZWxzO" aria-controls="colorbox" aria-label="{&quot;alt&quot;:&quot;And you can share your webcam feed, too. &quot;}" role="button" title="And you can share your webcam feed, too. " data-colorbox-gallery="gallery-field_image-GnjYzG6vmqA" class="colorbox" data-cbox-img-attrs="{&quot;alt&quot;:&quot;And you can share your webcam feed, too. &quot;}"><img src="/sites/default/files/styles/medium/public/2021-11/Screenshot%202021-11-30%20at%2023-04-49%20The%20OERu%20BigBlueButton%20-%20Home%20Room-webcam.png?itok=tXwJ7Cpf" width="220" height="133" alt="And you can share your webcam feed, too. " loading="lazy" typeof="foaf:Image" class="image-style-medium" /> </a> </div> </figure> <figure class="field-type-image__figure image-count-8"> <div class="field-type-image__item"> <a href="http://tech.oeru.org/sites/default/files/styles/max_1300x1300/public/2021-11/Screenshot%202021-11-26%20at%2015-03-34%20The%20OERu%20BigBlueButton%20-%20Home%20Room-withModeratorMenu.png?itok=wkyM4MSu" aria-controls="colorbox" aria-label="{&quot;alt&quot;:&quot;BigBlueButton conversation window in a browser, with the moderator tools open, showing link to breakout rooms and other moderation functions.&quot;}" role="button" title="BigBlueButton conversation window in a browser, with the moderator tools open, showing link to breakout rooms and other moderation functions." data-colorbox-gallery="gallery-field_image-GnjYzG6vmqA" class="colorbox" data-cbox-img-attrs="{&quot;alt&quot;:&quot;BigBlueButton conversation window in a browser, with the moderator tools open, showing link to breakout rooms and other moderation functions.&quot;}"><img src="/sites/default/files/styles/medium/public/2021-11/Screenshot%202021-11-26%20at%2015-03-34%20The%20OERu%20BigBlueButton%20-%20Home%20Room-withModeratorMenu.png?itok=tsVPmMgZ" width="220" height="143" alt="BigBlueButton conversation window in a browser, with the moderator tools open, showing link to breakout rooms and other moderation functions." loading="lazy" typeof="foaf:Image" class="image-style-medium" /> </a> </div> </figure> <figure class="field-type-image__figure image-count-9"> <div class="field-type-image__item"> <a href="http://tech.oeru.org/sites/default/files/styles/max_1300x1300/public/2021-11/Screenshot%202021-11-26%20at%2015-00-54%20The%20OERu%20BigBlueButton%20-%20Home%20Room.png?itok=55K_wxG1" aria-controls="colorbox" aria-label="{&quot;alt&quot;:&quot;BigBlueButton in effect with 3 participants (all the author from different devices). Note the public chat.&quot;}" role="button" title="BigBlueButton in effect with 3 participants (all the author from different devices). Note the public chat." data-colorbox-gallery="gallery-field_image-GnjYzG6vmqA" class="colorbox" data-cbox-img-attrs="{&quot;alt&quot;:&quot;BigBlueButton in effect with 3 participants (all the author from different devices). Note the public chat.&quot;}"><img src="/sites/default/files/styles/medium/public/2021-11/Screenshot%202021-11-26%20at%2015-00-54%20The%20OERu%20BigBlueButton%20-%20Home%20Room.png?itok=j1O8G0e-" width="220" height="143" alt="BigBlueButton in effect with 3 participants (all the author from different devices). Note the public chat." loading="lazy" typeof="foaf:Image" class="image-style-medium" /> </a> </div> </figure> </div> <div class="clearfix text-formatted field field-node--body field-name-body field-type-text-with-summary field-label-hidden"> <div class="field__items"> <div class="field__item"><p>This tutorial was developed for the <a href="https://samoaksi.ws/">Samoan Knowledge Society Initiative</a>, in which the OER Foundation is very pleased to be involved. (Update 2022-02-10: we have also created a <a href="137.184.84.159">video tutorial</a> based on this written tutorial)</p> <p><a href="https://bigbluebutton.org">BigBlueButton</a> (BBB) is a full-featured video conferencing system designed for large scale remote learning at the university level. In some ways, BBB goes beyond feature parity with widely used proprietary video conferencing systems like Zoom or Microsoft Teams, Webex, or Google Hangouts. It's main differences are that BBB</p> <ul><li>was designed from the gound up for educational use, and</li> <li>is Free and Open Source Software (FOSS) and anyone can install it (as we describe in this tutorial) at no cost other than whatever cost you pay for hosting the application and a bit of your time.</li> </ul><p>You can read all about BigBlueButton and how it works using the <a href="https://docs.bigbluebutton.org">excellent documentation</a> provided by its development community.</p> <p>There are no per-user license fees (or <em>any</em> fees), and your users don't need to install special software, vastly simplifying its adoption: BBB works brilliantly on any desktop computer, laptop, or mobile device (tablet or phone) with a modern web browser that implements the <a href="https://webrtc.org">WebRTC</a> open web standard (which is all modern browsers).</p> <p>The <a href="https://github.com/bigbluebutton/">source code for BBB's internal components, and its many ancillary tools</a> is available for anyone to learn from or improve - that's the fundamental benefit of FOSS. Since the outbreak of COVID19, the team at a small Ottowa, Canada-based company, Blindside Networks, has been working tirelessly with the BBB community to improve the BBB code, which is being used all over the world by millions of people every day.</p> <p>This tutorial walks you through provisioning and building your own BigBlueButton instance on a server running <a href="https://ubuntu.com/download/server">Ubuntu GNU/Linux</a> - version 20.04 is the Long Term Support (LTS) version as of this writing - using <a href="https://www.docker.com/docker-community">Docker</a> containers for the various software services and components, with the containers managed by <a href="https://docs.docker.com/compose/">Docker Compose</a>.</p> <p><em>Table of contents</em></p> <ul class="table-of-contents"><li> <p><a href="#introduction">Introduction</a></p> <ul><li> <p><a href="#references">References</a></p> </li> <li> <p><a href="#copying-and-pasting">Copying and pasting</a></p> </li> </ul></li> <li> <p><a href="#information-you-need-to-know">Information you need to know</a></p> </li> <li> <p><a href="#preferences">Preferences</a></p> </li> <li> <p><a href="#set-up-your-virtual-server">Set up your virtual server</a></p> </li> <li> <p><a href="#configure-your-domain-to-point-at-your-server">Configure your Domain to point at your Server</a></p> <ul><li> <p><a href="#best-practice-access-your-server-as-a-non-root-user">Best Practice: access your server as a non-root user</a></p> </li> </ul></li> <li> <p><a href="#a-few-post-install-updates">A few post-install updates</a></p> <ul><li> <p><a href="#update-the-servers-hosts-file">Update the server's hosts file</a></p> </li> </ul></li> <li> <p><a href="#firewall-configuration">Firewall Configuration</a></p> </li> <li> <p><a href="#install-postfix-so-the-server-can-send-email">Install Postfix so the server can send email</a></p> <ul><li> <p><a href="#email-test">Email test</a></p> </li> </ul></li> <li> <p><a href="#install-nginx-webserver-and-lets-encrypt-tools">Install Nginx webserver and Let's Encrypt tools</a></p> </li> <li> <p><a href="#set-up-coturn-certificates">Set up COTURN certificates</a></p> </li> <li> <p><a href="#set-up-nginx-reverse-proxy-configuration">Set up Nginx Reverse Proxy Configuration</a></p> <ul><li> <p><a href="#extra-security-with-dhparampem">Extra security with dhparam.pem</a></p> </li> </ul></li> <li> <p><a href="#install-docker">Install Docker</a></p> </li> <li> <p><a href="#install-docker-compose">Install Docker-compose</a></p> </li> <li> <p><a href="#git-clone-bbb-docker-repository">Git-Clone BBB Docker repository</a></p> </li> <li> <p><a href="#configure-your-bbb">Configure your BBB</a></p> <ul><li> <p><a href="#fix-minor-configuration-error-that-blocks-jodconverter">Fix minor configuration error that blocks JODConverter</a></p> </li> </ul></li> <li> <p><a href="#build-your-bbb">Build your BBB</a></p> </li> <li> <p><a href="#visit-your-new-bbb">Visit your new BBB</a></p> </li> <li> <p><a href="#create-an-admin-user">Create an admin user:</a></p> </li> <li> <p><a href="#run-your-first-conference">Run your first conference</a></p> </li> <li> <p><a href="#next-steps">Next Steps</a></p> </li> </ul><h2><a id="user-content-introduction" href="#introduction" name="introduction" class="heading-permalink" aria-hidden="true" title="Permalink"></a>Introduction</h2> <h3><a id="user-content-references" href="#references" name="references" class="heading-permalink" aria-hidden="true" title="Permalink"></a>References</h3> <p>For this tutorial, we are using a <a href="https://digitalocean.com">Digital Ocean</a> 'Droplet' as our cloud server. You can use an almost identical process to provision a server from any one of a thousand other commodity GNU/Linux cloud hosting providers.</p> <p>To demonstrate the process of defining a sub domain and its IPv4 and IPv6 addresses (via A and AAAA records respectively) I'm using my preferred local domain registrar <a href="https://metaname.net">Metaname</a> (based here in Christchurch, New Zealand, as am I. I know the developer/owner of the service and I trust him). You can use any domain registrar that gives you the ability to configure your 'DNS zone file'. Some of might have your own DNS server or institutional name servers, in which case you might have to request these changes be made on your behalf.</p> <h3><a id="user-content-copying-and-pasting" href="#copying-and-pasting" name="copying-and-pasting" class="heading-permalink" aria-hidden="true" title="Permalink"></a>Copying and pasting</h3> <p>We will be providing a bunch of command lines that you can copy and paste into a terminal on the computer you're using to access your virtual server. Links like</p> <p><code>this one</code></p> <p>are intended for you to copy and paste into the command line. On Linux, please note that in some cases if "CTRL-V" doesn't work to paste, try using "CTRL+SHIFT+V" (that's because in some terminals, "CTRL+V" had a pre-existing purpose as terminals have been around since long before desktops and 'copy-paste" were invented and the arbitrary CTRL-C, CTRL-X, CTRL-V key combos were chosen by Microsoft without any consideration for prior art). Similarly, if you want to copy <em>from</em> a terminal, you might need to use "CTRL+SHIFT+C". Try it.</p> <p>When we ask you edit a file (using the editor you choose to assign to the EDIT shell variable below), we expect you to complete the recommended changes, and then <em>save the file</em> and exit back to the command line.</p> <p>We'll aim to show you what to change using a 'code' box:</p> <div class="geshifilter"><div class="bash geshifilter-bash"><pre class="de1">Like this one <span class="kw2">which</span> is suitable <span class="kw1">for</span> multi-line content <span class="br0">(</span>like what you <span class="kw2">find</span> <span class="kw1">in</span> a <span class="kw2">file</span><span class="br0">)</span></pre></div></div> <h2><a id="user-content-information-you-need-to-know" href="#information-you-need-to-know" name="information-you-need-to-know" class="heading-permalink" aria-hidden="true" title="Permalink"></a>Information you need to know</h2> <p>Info you need to have handy to complete this tutorial:</p> <ul><li>You need to know the IPv4 address of your server. Token: [IPv4] - it'll be in the form of nnn.nnn.nnn.nnn where nnn = 0-254, example value 143.110.228.88</li> <li>If your server has one, you need to know its IPv6 address. Token: [IPv6] - it'll be in the form of hhhh:hhhh:hhhh:hhhh:hhhh:hhhh:hhhh where h = 0-9a-f, i.e. a hex value, example 2604:a880:4:1d0::402:b000</li> <li>You need to have a domain name (or a sub domain name) to point at your server's IPv4 and IPv6. Token: [Domain], example domain bbbtest.milll.ws (in this case, bbbtest is the subdomain of the milll.ws domain)</li> <li>The email address your server should send status or admin-related email to. Token [Admin email], example webmaster@[Domain]</li> <li>You'll need a set of authenticating SMTP account settings including - these can be used both on the host and in the BBB installation: <ul><li>[SMTP server] - the domain name or IP address of an existing SMTP server, e.g. about.oerfoundation.org (our one), or smtp.googlemail.com,</li> <li>[SMTP port] - the port number for the service you're using. It'll usually be one of 587 or 465. Older, unauthenticated SMTP servers used to use port 25, but that's now blocked by most ISPs due to its abuse by spammers.</li> <li>[SMTP security] - usually this'll be something like 'SSL' (usually associated with port 465) or 'StartTLS' (usually associated with port 587).</li> <li>[SMTP username] - the username - often an email address - for the authenticating SMTP service, and lastly,</li> <li>[SMTP password] - the password accompanying the username.</li> </ul></li> <li>You'll want an email address that you can check to send test emails to: token [Test email], e.g. <a href="mailto:you@youremailprovider.tld">you@youremailprovider.tld</a>, and finally</li> <li>You'll want a 'from' email address that users of your system will see when they get emails from you. Token: [Outgoing email], e.g. <a href="mailto:notifications@milll.ws">notifications@milll.ws</a>.</li> </ul><h2><a id="user-content-preferences" href="#preferences" name="preferences" class="heading-permalink" aria-hidden="true" title="Permalink"></a>Preferences</h2> <p>You'll need to copy and paste the following lines into any terminal you're using to complete this tutorial, so that that session is aware of your preferred values:</p> <p><code>EDIT=$(which nano)</code></p> <p><code>SITE=bbbtest.milll.ws</code></p> <p>We're going to reference these periodically in the following process, so it's important you set these correctly. To verify them, you can run this in any terminal at any time to verify that the values are still defined and current:</p> <p><code>echo "Our variables = $EDIT and $SITE"</code></p> <h2><a id="user-content-set-up-your-virtual-server" href="#set-up-your-virtual-server" name="set-up-your-virtual-server" class="heading-permalink" aria-hidden="true" title="Permalink"></a>Set up your virtual server</h2> <p>You'll need to log into your cloud service provider's dashboard - in our case, we've used DigitalOcean. That means pointing our browser to <a href="https://digitalocean.com">https://digitalocean.com</a> and either using "Log In" (if we already have an account) or "Sign Up" (if we don't).</p> <p>Once you're logged in, you'll want to go to 'Create' and select 'Droplets' (Digital Ocean calls each of their virtual servers a "Droplet").</p> <p>We've included a screenshot of the Create Droplet page, with the relevant options selected. They are as follows:</p> <ul><li>Choose an image: we choose 'Ubuntu 20.04 LTS'</li> <li>Choose a plan: we choose 'Basic' <ul><li>for CPU options: we choose 'Premium AMD with NVMe SSD'</li> <li>for the size, we choose either the '$24/mo' (choose the '$48/mo' option if you want to be able to support large groups, like 100+ simultaneous participants).</li> </ul></li> <li>Choose a datacenter region: we choose 'San Franciso, zone 3' (which we've determined to be in the 'centre of the internet', i.e. the most central point to give the best website performance to a global audience. You might want to try a different place depending on your location in the globe and your audience).</li> <li>VPC Network - we just leave the default.</li> <li>Select additional options: we check 'IPv6' and 'Monitoring' but <em>not</em> User data.</li> <li>Authentication: if we have added one or more SSH keys to our DigitalOcean profile select 'SSH keys'. If not, you can select 'Password'. It's far more efficient and secure to use SSH whereever possible.</li> <li>We're ony creating 1 Droplet and we Choose a hostname of [Domain]</li> <li>We don't need to add any tags</li> <li>We <em>won't</em> Add backups.</li> </ul><p>Then we can <code>Create Droplet</code>...</p> <p>When the Droplet is finished, we can get the [IPv4] and [IPv6] addresses.</p> <p>We can also either log in via the command line from a local GNU/Linux or UNIX (e.g. MacOS) terminal or via a graphical SSH client (on Microsoft Windows, most people use Putty) via <code>ssh root@[IPv4]</code> or <code>ssh root@[IPv6]</code> (replacing those tokens with their actual IPv4 or IPv6 addresses). If we've set a key, we should get logged in without the need to enter any passwords. If not, we have to enter a password provided by DigitalOcean.</p> <h2><a id="user-content-configure-your-domain-to-point-at-your-server" href="#configure-your-domain-to-point-at-your-server" name="configure-your-domain-to-point-at-your-server" class="heading-permalink" aria-hidden="true" title="Permalink"></a>Configure your Domain to point at your Server</h2> <p>Once you have selected and registered your domain with a domain registrar - we are using Metaname - you can set up (usually through a web interface provided by the registrar)</p> <ul><li>an "A Record" which associates your website's name (your [Domain], e.g. milll.ws, or a subdomain of that domain, e.g. bbb.milll.ws, where 'bbb' is the subdomain part) to the IPv4 address of your server. You should just be able to enter your server's IPv4 address, the domain name (or sub-domain) you want to use for your server.</li> <li>if your registrar offers it it's also important to define an IPv6 record, which is called an "AAAA Record"... you put in the same domain name or subdomain and then your IPv6 address instead of your IPv4 one.</li> </ul><p>I've attached an screenshot of the Metaname interface for configuring these DNS zone records.</p> <p>You might be asked to set a "Time-to-live" (which has to do with the length of time Domain Name Servers are asked to "cache" the association that the A Record specifies) in which case you can put in 3600 seconds or an hour depending on the time units your interface requests... but in most cases that'll be set to a default of an hour automatically.</p> <p>Once your domain A and AAAA records are configured, you should be able to log into your server via <code>ssh root@[Domain]</code>, or, for example, <code>ssh root@bbb.milll.ws</code>. Although it should be instant, depending on your registrar, it might take as long as a few hours (even 24) for your domain name assignments to propogate through the DNS network and be available on your computer.</p> <h3><a id="user-content-best-practice-access-your-server-as-a-non-root-user" href="#best-practice-access-your-server-as-a-non-root-user" name="best-practice-access-your-server-as-a-non-root-user" class="heading-permalink" aria-hidden="true" title="Permalink"></a>Best Practice: access your server as a non-root user</h3> <p>You should be able to test that your A and AAAA Records have been set correctly by logging into your server via SSH using your domain name rather than the IPv4 or IPv6 address you used previously. It should (after you accept the SSH warning that the server's name has a new name) work the same way your original SSH login did. On Linux, you'd SSH via a terminal and enter <code>ssh root@[domain name]</code>. I think you can do similar on MacOS and on Windows, I believe people typically use software called <a href="https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html">Putty</a>...</p> <p>But this will log you into your server as the 'root' user.</p> <p>It's not considered good practice to access your server as root (it's too easy to completely screw it up). Best practice is to create a separate 'non-root' user who has 'sudo' privileges and the ability to log in via SSH. If you are <em>currently logged in as 'root'</em>, you can create a normal user for yourself via (replace [username] with your chosen username):</p> <p><code>U=[username]</code><br /><code>adduser $U</code></p> <p>You will be required to set a password for the user here. Then you can add the new user to several relevant groups that confer the required administrative capabilities.</p> <p><code>adduser $U ssh</code><br /><code>adduser $U admin</code><br /><code>adduser $U sudo</code></p> <p>If you want to change the password for user [username] you can run:</p> <p><code>passwd $U</code></p> <p>then become that user temporarily (note, the root user can 'become' another user without needing to enter a password) and create an SSH key and, in the process, the <code>.ssh</code> directory (directories starting with a '.' are normally 'hidden') for the file into which to put your public SSH key:</p> <p><code>su $U</code><br /><code>ssh-keygen -t rsa -b 2048</code><br /><code>nano ~/.ssh/authorized_keys</code></p> <p>and in that file, copy and paste (without spaces on either end) your <em>current computer's</em> <strong>public</strong> ssh key (<em>never publish</em> your private key anywhere!), save and close the file.</p> <p>From that point, you should be able to SSH to your server via <code>ssh [username]@[domain name]</code> without needing to enter a password.</p> <p>These instructions use 'sudo' in front of commands because I assume you're using a non-root user. The instructions will still work fine even if you're logged in as 'root'.</p> <p>The rest of the tutorial can be run as your 'sudo-capable' non-root user.</p> <h2><a id="user-content-a-few-post-install-updates" href="#a-few-post-install-updates" name="a-few-post-install-updates" class="heading-permalink" aria-hidden="true" title="Permalink"></a>A few post-install updates</h2> <h3><a id="user-content-update-the-servers-hosts-file" href="#update-the-servers-hosts-file" name="update-the-servers-hosts-file" class="heading-permalink" aria-hidden="true" title="Permalink"></a>Update the server's hosts file</h3> <p>This is required due to some quirks of the auto-detection of your domain name used by BigBlueButton - you'll need it later.</p> <p><code>sudo $EDIT /etc/hosts</code></p> <p>and add (or make sure it already has) the following:</p> <div class="geshifilter"><div class="bash geshifilter-bash"><pre class="de1">127.0.1.1 <span class="br0">[</span>First part of domain<span class="br0">]</span> 127.0.0.1 localhost <span class="br0">[</span>IPv4<span class="br0">]</span> <span class="br0">[</span>Domain<span class="br0">]</span> <span class="br0">[</span>IPv6<span class="br0">]</span> <span class="br0">[</span>Domain<span class="br0">]</span></pre></div></div> <p>For example - my test system has these details:</p> <div class="geshifilter"><div class="bash geshifilter-bash"><pre class="de1">127.0.1.1 bbbtest 127.0.0.1 localhost 143.110.228.88 bbbtest.milll.ws <span class="nu0">2604</span>:a880:<span class="nu0">4</span>:1d0::<span class="nu0">402</span>:b000 bbbtest.milll.ws</pre></div></div> <p>Do an initial post-install update to the latest software versions:</p> <p><code>sudo apt-get update &amp;&amp; sudo apt-get dist-upgrade</code></p> <p>and add a couple useful apps that, for example, track changes to our system configuration for future reference (etckeeper) and allow us to do network troubleshooting (net-tools):</p> <p><code>sudo apt-get install -y etckeeper net-tools</code></p> <p>We also want to enable console logins in the event we have trouble using SSH:</p> <p><code>wget -qO- https://repos-droplet.digitalocean.com/install.sh | sudo bash</code></p> <h2><a id="user-content-firewall-configuration" href="#firewall-configuration" name="firewall-configuration" class="heading-permalink" aria-hidden="true" title="Permalink"></a>Firewall Configuration</h2> <p>We need to configure firewall for admin access via SSH and access to internet for Docker containers</p> <p><code>sudo ufw allow OpenSSH</code></p> <p><code>sudo ufw allow in on docker0</code></p> <p><code>sudo ufw allow from 172.0.0.0/8 to any</code></p> <p>Then we need to adjust the default firewall policy:</p> <p><code>sudo $EDIT /etc/default/ufw</code></p> <p>You'll find this:</p> <div class="geshifilter"><div class="bash geshifilter-bash"><pre class="de1"><span class="co0"># Set the default forward policy to ACCEPT, DROP or REJECT. Please note that</span> <span class="co0"># if you change this you will most likely want to adjust your rules</span> <span class="re2">DEFAULT_FORWARD_POLICY</span>=<span class="st0">"DROP"</span></pre></div></div> <p>which you need to change to</p> <div class="geshifilter"><div class="bash geshifilter-bash"><pre class="de1"><span class="co0"># Set the default forward policy to ACCEPT, DROP or REJECT. Please note that</span> <span class="co0"># if you change this you will most likely want to adjust your rules</span> <span class="re2">DEFAULT_FORWARD_POLICY</span>=<span class="st0">"ACCEPT"</span></pre></div></div> <p>Next you need to edit this file</p> <p><code>sudo $EDIT /etc/ufw/sysctl.conf</code></p> <p>And change (near the top of the file):</p> <div class="geshifilter"><div class="bash geshifilter-bash"><pre class="de1"><span class="co0"># Uncomment this to allow this host to route packets between interfaces</span> <span class="co0">#net/ipv4/ip_forward=1</span> <span class="co0">#net/ipv6/conf/default/forwarding=1</span> <span class="co0">#net/ipv6/conf/all/forwarding=1</span></pre></div></div> <p>to</p> <div class="geshifilter"><div class="bash geshifilter-bash"><pre class="de1"><span class="co0"># Uncomment this to allow this host to route packets between interfaces</span> net<span class="sy0">/</span>ipv4<span class="sy0">/</span><span class="re2">ip_forward</span>=<span class="nu0">1</span> net<span class="sy0">/</span>ipv6<span class="sy0">/</span>conf<span class="sy0">/</span>default<span class="sy0">/</span><span class="re2">forwarding</span>=<span class="nu0">1</span> net<span class="sy0">/</span>ipv6<span class="sy0">/</span>conf<span class="sy0">/</span>all<span class="sy0">/</span><span class="re2">forwarding</span>=<span class="nu0">1</span></pre></div></div> <p>(removing the "#" uncomments those lines)</p> <p>Next, you have to restart the server's networking stack to apply the changes you've made:</p> <p><code>sudo systemctl restart systemd-networkd</code></p> <p>Luckily, this is generally instantaneous, so your connection to your server shouldn't be interrupted.</p> <p>Then you either start or (if it's already running for some reason) restart the firewall</p> <p><code>sudo ufw enable</code></p> <p>or</p> <p><code>sudo service ufw restart</code></p> <p>(running both won't do any harm)</p> <p>And we also update the firewall configuration to tell it to automatically start at boot time.</p> <p><code>sudo $EDIT /etc/ufw/ufw.conf</code></p> <p>Change <code>ENABLED=no</code> to <code>ENABLED=yes</code>.</p> <p>Next we need to set up some specialised rules for the "COTURN" functionality of the BigBlueButton system. <a href="https://coturn.github.io/">COTURN</a> is a FOSS application that provides both <a href="https://www.youtube.com/watch?v=4dLJmZOcWFc">TURN and STUN (video)</a> (<a href="https://blog.ivrpowers.com/post/technologies/what-is-stun-turn-server/">alternative non-video reference</a>) functionality which are core to the WebRTC protocol on which modern video conferencing applications are built, and are necessary for your users to connect their audio and video to a session, particularly if they're behind an institutional firewall.</p> <p><em>Note</em>: in some cases, <em>institutions will have implemented a rather over-the-top-paranoid 'default deny' for video conference hosts</em> which will block access to your BBB instance unless you can get them to add your site's domain name to their institutional whitelist. Sadly, there's no easy way around this.</p> <p><code>sudo ufw allow 7443/tcp</code></p> <p><code>sudo ufw allow 16384:32768/udp</code></p> <p><code>sudo ufw allow 3478/udp</code></p> <p><code>sudo ufw allow 5349/tcp</code></p> <p><code>sudo ufw allow from 10.7.7.0/24</code></p> <p>Ok, that's it for the firewall shenanigans.</p> <h2><a id="user-content-install-postfix-so-the-server-can-send-email" href="#install-postfix-so-the-server-can-send-email" name="install-postfix-so-the-server-can-send-email" class="heading-permalink" aria-hidden="true" title="Permalink"></a>Install Postfix so the server can send email</h2> <p>It's generally a good idea to make sure any server you build can send email, and has a sensible default email address to send stuff to: stuff like administrative messages alerting you to failed tasks, or other system problems. We recommend that you designate an email address for whoever's responsible for this server. We've got a more <a href="/node/28">comprehsensive howto</a> for setting this up if you're wanting extra details.</p> <p>We achieve the outgoing mail functionality using the industrial strength Postfix SMTP server (it's widely used by ISPs for large-scale email services) along with a command line SMTP client that allows us to test our solution from the command line:</p> <p><code>sudo apt install postfix bsd-mailx</code></p> <p>During this installation, you'll be asked by the installer to make some decisions to do preliminary configuration of the Postfix installation. Select the default asnwers except as follows:</p> <ul><li>Select "Internet Site with Smarthost",</li> <li>fill in the [Domain] name you've chosen for your server,</li> <li>the domain name or IP address and port (in the form [SMTP server]:[port], examples might be smtp.oeru.org:465, or 10.11.143.22:465) of your "smarthost" who'll be doing the authenticating SMTP for you - note: <strong>our configuration works with port 465</strong>, and</li> <li>the email address to which you want to receive system-related messages, namely [Admin email].</li> </ul><p>Once that's installed, we need to set up our default email address for this server:</p> <p><code>sudo $EDIT /etc/aliases</code></p> <p>This file will containerd</p> <div class="geshifilter"><div class="bash geshifilter-bash"><pre class="de1"><span class="co0"># See man 5 aliases for format</span> postmaster: root</pre></div></div> <p>update it to include an email address to send stuff intended for the system admin (aka 'root'):</p> <div class="geshifilter"><div class="bash geshifilter-bash"><pre class="de1"><span class="co0"># See man 5 aliases for format</span> postmaster: root   root: <span class="br0">[</span>Admin email<span class="br0">]</span></pre></div></div> <p>after writing that, we have to convert that file into a form understood by Postix:</p> <p><code>sudo newaliases</code></p> <p>Next, we need to create a new file with the SMTP 'relay host' aka 'smart host' details:</p> <p><code>sudo $EDIT /etc/postfix/relay_password</code></p> <p>In it you need to put the following:</p> <div class="geshifilter"><div class="bash geshifilter-bash"><pre class="de1"><span class="br0">[</span>SMTP Server<span class="br0">]</span> <span class="br0">[</span>SMTP username<span class="br0">]</span>:<span class="br0">[</span>SMTP password<span class="br0">]</span></pre></div></div> <p>Here's an example:</p> <div class="geshifilter"><div class="bash geshifilter-bash"><pre class="de1">about.oerfoundation.org demosmtp<span class="sy0">@</span>milll.ws:7TLM6qGoqZXHfkDmkh6</pre></div></div> <p>Once you've set that up, we have to again prepare that file for use by Postfix:</p> <p><code>sudo postmap /etc/postfix/relay_password</code></p> <p>Finally, we need to update Postfix's main configuration to tell it to use our authenticating SMTP details:</p> <p><code>sudo $EDIT /etc/postfix/main.cf</code></p> <p>You'll need to make main.cf look like this - specifically commenting out <code>smtp_tls_security_level=may</code> by adding a '#' at the start of the line, and then adding the details below <code># added to configure accessing the relay host via authenticating SMTP</code>. You should also take this opportunity to confirm that your [Domain], [SMTP server] and [SMTP port] are set correctly.</p> <div class="geshifilter"><div class="bash geshifilter-bash"><pre class="de1">smtpd_banner = <span class="re1">$myhostname</span> ESMTP <span class="re1">$mail_name</span> <span class="br0">(</span>Ubuntu<span class="br0">)</span> biff = no   <span class="co0"># appending .domain is the MUA's job.</span> append_dot_mydomain = no   <span class="co0"># Uncomment the next line to generate "delayed mail" warnings</span> <span class="co0">#delay_warning_time = 4h</span>   readme_directory = no   <span class="co0"># See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on</span> <span class="co0"># fresh installs.</span> compatibility_level = <span class="nu0">2</span>   <span class="co0"># TLS parameters</span> <span class="re2">smtpd_tls_cert_file</span>=<span class="sy0">/</span>etc<span class="sy0">/</span>ssl<span class="sy0">/</span>certs<span class="sy0">/</span>ssl-cert-snakeoil.pem <span class="re2">smtpd_tls_key_file</span>=<span class="sy0">/</span>etc<span class="sy0">/</span>ssl<span class="sy0">/</span>private<span class="sy0">/</span>ssl-cert-snakeoil.key <span class="re2">smtpd_tls_security_level</span>=may   <span class="re2">smtp_tls_CApath</span>=<span class="sy0">/</span>etc<span class="sy0">/</span>ssl<span class="sy0">/</span>certs <span class="co0">## Commented out for SmartHost configuration</span> <span class="co0">#smtp_tls_security_level=may</span> smtp_tls_session_cache_database = btree:<span class="co1">${data_directory}</span><span class="sy0">/</span>smtp_scache     smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination myhostname = <span class="br0">[</span>Domain<span class="br0">]</span> alias_maps = hash:<span class="sy0">/</span>etc<span class="sy0">/</span>aliases alias_database = hash:<span class="sy0">/</span>etc<span class="sy0">/</span>aliases myorigin = <span class="sy0">/</span>etc<span class="sy0">/</span>mailname mydestination = <span class="re1">$myhostname</span>, bbbtest.milll.ws, localhost.milll.ws, localhost relayhost = <span class="br0">[</span>SMTP server<span class="br0">]</span>:<span class="nu0">465</span> mynetworks = 127.0.0.0<span class="sy0">/</span><span class="nu0">8</span> <span class="br0">[</span>::ffff:127.0.0.0<span class="br0">]</span><span class="sy0">/</span><span class="nu0">104</span> <span class="br0">[</span>::<span class="nu0">1</span><span class="br0">]</span><span class="sy0">/</span><span class="nu0">128</span> mailbox_size_limit = <span class="nu0">0</span> recipient_delimiter = + inet_interfaces = all inet_protocols = all   <span class="co0"># added to configure accessing the relay host via authenticating SMTP</span> smtp_sasl_auth_enable = <span class="kw2">yes</span> smtp_sasl_password_maps = hash:<span class="sy0">/</span>etc<span class="sy0">/</span>postfix<span class="sy0">/</span>relay_password smtp_sasl_security_options = smtp_tls_security_level = encrypt   <span class="co0"># add this if you're using Ubuntu 20.04, and comment out (with a "#") the</span> <span class="co0"># earlier line smtp_tls_security_level = may to save errors in 'postfix check'</span> <span class="co0"># and uncomment this line (by removing the #)</span> smtp_tls_wrappermode = <span class="kw2">yes</span></pre></div></div> <p>Here's an example of what the final code could look like (don't use these exact values as they won't work for you):</p> <p>First, I commented this out:</p> <div class="geshifilter"><div class="bash geshifilter-bash"><pre class="de1"><span class="co4">#</span><span class="re2">smtp_tls_security_level</span>=may</pre></div></div> <p>Made sure this was my [Domain]</p> <div class="geshifilter"><div class="bash geshifilter-bash"><pre class="de1">myhostname = bbbtest.milll.ws</pre></div></div> <p>Made sure this had my [SMTP server] and [SMTP port] details:</p> <div class="geshifilter"><div class="bash geshifilter-bash"><pre class="de1">relayhost = about.oerfoundation.org:<span class="nu0">465</span></pre></div></div> <p>And I added this at the end:</p> <div class="geshifilter"><div class="bash geshifilter-bash"><pre class="de1"><span class="co0"># added to configure accessing the relay host via authenticating SMTP</span> smtp_sasl_auth_enable = <span class="kw2">yes</span> smtp_sasl_password_maps = hash:<span class="sy0">/</span>etc<span class="sy0">/</span>postfix<span class="sy0">/</span>relay_password smtp_sasl_security_options = smtp_tls_security_level = encrypt   <span class="co0"># add this if you're using Ubuntu 20.04, and comment out (with a "#") the</span> <span class="co0"># earlier line smtp_tls_security_level = may to save errors in 'postfix check'</span> <span class="co0"># and uncomment this line (by removing the #)</span> smtp_tls_wrappermode = <span class="kw2">yes</span></pre></div></div> <p>After this, the Postfix configuration is done. We can check that we haven't got any typos via</p> <p><code>sudo postfix check</code></p> <p>If not, we can apply our configuration changes:</p> <p><code>sudo postfix reload</code></p> <p>and we can confirm it all worked correctly by checking the log file for Postfix:</p> <p><code>sudo less +G /var/log/mail.log</code></p> <p>Note: you might see a warning like this: <code>postfix/postfix-script: warning: symlink leaves directory: /etc/postfix/./makedefs.out</code> - it's spurious and you don't need to worry about it.</p> <h3><a id="user-content-email-test" href="#email-test" name="email-test" class="heading-permalink" aria-hidden="true" title="Permalink"></a>Email test</h3> <p>Next we can test our outgoing SMTP by sending a test message via the command line - <em>use a test email that you can check!</em>:</p> <p><code>mail [Test email]</code></p> <p>for example:</p> <p><code>mail demo@oerfoundation.org</code></p> <p>After you hit Enter, you'll be shown</p> <p><code>Subject:</code> {Enter an email subject, e.g. "Test email from [Domain]"}</p> <p>After that, hit Enter, and you'll be shown a blank line. On that line:</p> <p>{Enter your email text, e.g. "This is just a test."}</p> <p>Then, to finish your email, type <em>CTRL-D</em> which will show you another line</p> <p><code>CC:</code> {Enter any CC email addresses, e.g. <a href="mailto:mybackupemail@anotherprovider.tld">mybackupemail@anotherprovider.tld</a> }</p> <p>After you hit Enter, your email should be sent if all your configuration options are accepted by your remote host (the SMTP server at the address [SMTP server] with all the other details you entered).</p> <p>You can check if it worked by looking at the Postfix log again:</p> <p><code>sudo less +G /var/log/mail.log</code></p> <p>If it sent the email, you'll see something like (but with different IP addresses, serial numbers, and addresses) - the key bit is the <code>status=sent</code> bit and the <code>250</code> code from the SMTP server:</p> <div class="geshifilter"><div class="bash geshifilter-bash"><pre class="de1">08FBD2B501C: <span class="re2">to</span>=<span class="sy0">&lt;</span>demo<span class="sy0">@</span>oerfoundation.org<span class="sy0">&gt;</span>, <span class="re2">relay</span>=dovecot<span class="br0">[</span>172.22.1.250<span class="br0">]</span>:<span class="nu0">24</span>, <span class="re2">delay</span>=<span class="nu0">1.3</span>, <span class="re2">delays</span>=<span class="nu0">1.3</span><span class="sy0">/</span><span class="nu0">0.02</span><span class="sy0">/</span><span class="nu0">0</span><span class="sy0">/</span><span class="nu0">0.04</span>, <span class="re2">dsn</span>=2.0.0, <span class="re2">status</span>=sent <span class="br0">(</span><span class="nu0">250</span> 2.0.0 <span class="sy0">&lt;</span>demo<span class="sy0">@</span>oerfoundation.org<span class="sy0">&gt;</span> MMokCa2TpWEffAAAPgmdMA Saved<span class="br0">)</span></pre></div></div> <p>You can also check for receipt of email and verify receipt (note, if you don't get it quickily, check your email spam folder).</p> <h2><a id="user-content-install-nginx-webserver-and-lets-encrypt-tools" href="#install-nginx-webserver-and-lets-encrypt-tools" name="install-nginx-webserver-and-lets-encrypt-tools" class="heading-permalink" aria-hidden="true" title="Permalink"></a>Install Nginx webserver and Let's Encrypt tools</h2> <p><code>sudo apt install -y nginx-full ca-certificates letsencrypt ssl-cert</code></p> <p>You need to tell your firewall to open the ports that the Nginx webserver will use:</p> <p><code>sudo ufw allow "Nginx Full"</code></p> <p>And then we need to create a special configuration for Let's Encrypt and then an identify verification directory:</p> <p><code>sudo mkdir /etc/nginx/includes</code></p> <p><code>sudo mkdir /var/www/letsencrypt</code></p> <p>To create the specific configuration, we create this file:</p> <p><code>sudo $EDIT /etc/nginx/includes/letsencrypt.conf</code></p> <p>And fill it with this information:</p> <div class="geshifilter"><div class="bash geshifilter-bash"><pre class="de1"><span class="co0"># Rule for legitimate ACME Challenge requests</span> location ^~ <span class="sy0">/</span>.well-known<span class="sy0">/</span>acme-challenge<span class="sy0">/</span> <span class="br0">{</span> default_type <span class="st0">"text/plain"</span>; <span class="co0"># this can be any directory, but this name keeps it clear</span> root <span class="sy0">/</span>var<span class="sy0">/</span>www<span class="sy0">/</span>letsencrypt; <span class="br0">}</span>   <span class="co0"># Hide /acme-challenge subdirectory and return 404 on all requests.</span> <span class="co0"># It is somewhat more secure than letting Nginx return 403.</span> <span class="co0"># Ending slash is important!</span> location = <span class="sy0">/</span>.well-known<span class="sy0">/</span>acme-challenge<span class="sy0">/</span> <span class="br0">{</span> <span class="kw3">return</span> <span class="nu0">404</span>; <span class="br0">}</span></pre></div></div> <p>We'll reference this file in our Nginx configuration file for the reverse proxy functionality.</p> <h2><a id="user-content-set-up-coturn-certificates" href="#set-up-coturn-certificates" name="set-up-coturn-certificates" class="heading-permalink" aria-hidden="true" title="Permalink"></a>Set up COTURN certificates</h2> <p>In preparation for creating our Let's Encrypt SSL certificate for our [Domain], we're going to set up a 'hook' which is triggered when our SSL certificate is created, and it copies our current certificate to a place where the COTURN server can find it.</p> <p><code>sudo $EDIT /etc/letsencrypt/renewal-hooks/deploy/coturn.sh</code></p> <p>Copy and past the following into your file (<strong>replacing [Domain] with your domain name</strong>):</p> <div class="geshifilter"><div class="bash geshifilter-bash"><pre class="de1"><span class="co0">#!/bin/bash</span>   <span class="re2">DOMAIN</span>=<span class="br0">[</span>Domain<span class="br0">]</span> <span class="re2">DEST</span>=<span class="sy0">/</span>etc<span class="sy0">/</span>coturn-ssl   <span class="co0">#if [[ 1 == 1 ]]; then</span> <span class="kw1">if</span> <span class="br0">[</span><span class="br0">[</span> <span class="re1">$RENEWED_DOMAINS</span> == <span class="sy0">*</span><span class="st0">"<span class="es2">$DOMAIN</span>"</span><span class="sy0">*</span> <span class="br0">]</span><span class="br0">]</span>; <span class="kw1">then</span> <span class="kw2">cp</span> <span class="re5">-L</span> <span class="sy0">/</span>etc<span class="sy0">/</span>letsencrypt<span class="sy0">/</span>live<span class="sy0">/</span><span class="co1">${DOMAIN}</span><span class="sy0">/</span>fullchain.pem <span class="re1">$DEST</span> <span class="kw2">cp</span> <span class="re5">-L</span> <span class="sy0">/</span>etc<span class="sy0">/</span>letsencrypt<span class="sy0">/</span>live<span class="sy0">/</span><span class="co1">${DOMAIN}</span><span class="sy0">/</span>privkey.pem <span class="re1">$DEST</span> <span class="kw3">echo</span> <span class="st0">"updated <span class="es2">$DOMAIN</span> certificates in <span class="es2">$DEST</span>"</span> <span class="kw1">fi</span></pre></div></div> <p>Next, make that script executable:</p> <p><code>sudo chmod a+x /etc/letsencrypt/renewal-hooks/deploy/coturn.sh</code></p> <p>so that it is run automatically anytime the relevant certificate is created or renewed.</p> <p>After that, we have to create a place for the COTURN-specific certificates to go:</p> <p><code>sudo mkdir /etc/coturn-ssl</code></p> <h2><a id="user-content-set-up-nginx-reverse-proxy-configuration" href="#set-up-nginx-reverse-proxy-configuration" name="set-up-nginx-reverse-proxy-configuration" class="heading-permalink" aria-hidden="true" title="Permalink"></a>Set up Nginx Reverse Proxy Configuration</h2> <p>Next we have to set up our Nginx webserver on our virtual server, which will be the Docker container host for our BigBlueButton system. The reverse proxy configuration will allow the virtual server to receive web requests from BBB users and pass them securely through to the right Docker container.</p> <p>Create a suitable configuration file - at the OERF we use the convention of calling our configuration</p> <p><code>sudo $EDIT /etc/nginx/sites-available/$SITE</code></p> <p>In this file, you'll past in the following, replacing [Domain] as appropriate - now might be a good idea to try out search and replace in your text editor!</p> <div class="geshifilter"><div class="bash geshifilter-bash"><pre class="de1">server <span class="br0">{</span> listen <span class="nu0">80</span>; <span class="co0"># if your host doens't support IPv6, comment out the following line</span> listen <span class="br0">[</span>::<span class="br0">]</span>:<span class="nu0">80</span>; server_name <span class="br0">[</span>Domain<span class="br0">]</span>;   access_log <span class="sy0">/</span>var<span class="sy0">/</span>log<span class="sy0">/</span>nginx<span class="sy0">/</span><span class="br0">[</span>Domain<span class="br0">]</span>.access.log; error_log <span class="sy0">/</span>var<span class="sy0">/</span>log<span class="sy0">/</span>nginx<span class="sy0">/</span><span class="br0">[</span>Domain<span class="br0">]</span>.error.log;   include includes<span class="sy0">/</span>letsencrypt.conf;   <span class="co0"># redirect all HTTP traffic to HTTPS.</span> location <span class="sy0">/</span> <span class="br0">{</span> <span class="kw3">return</span> <span class="nu0">302</span> https:<span class="sy0">//</span><span class="re1">$server_name</span><span class="re1">$request_uri</span>; <span class="br0">}</span> <span class="br0">}</span>   server <span class="br0">{</span> listen <span class="nu0">443</span> ssl http2 default_server; <span class="co0"># if your host doens't support IPv6, comment out the following line</span> listen <span class="br0">[</span>::<span class="br0">]</span>:<span class="nu0">443</span> ssl http2 default_server; server_name <span class="br0">[</span>Domain<span class="br0">]</span>;   <span class="co0"># We comment these out *after* we have successfully geneated our Let's Encrypt certificate for [Domain].</span> ssl_certificate <span class="sy0">/</span>etc<span class="sy0">/</span>ssl<span class="sy0">/</span>certs<span class="sy0">/</span>ssl-cert-snakeoil.pem; ssl_certificate_key <span class="sy0">/</span>etc<span class="sy0">/</span>ssl<span class="sy0">/</span>private<span class="sy0">/</span>ssl-cert-snakeoil.key; <span class="co0"># we start with these commented out until after we can generate our Let's Encrypt certificate for [Domain]!</span> <span class="co0">#ssl_certificate /etc/letsencrypt/live/[Domain]/fullchain.pem;</span> <span class="co0">#ssl_certificate_key /etc/letsencrypt/live/[Domain]/privkey.pem;</span> ssl_dhparam <span class="sy0">/</span>etc<span class="sy0">/</span>ssl<span class="sy0">/</span>certs<span class="sy0">/</span>dhparam.pem;   access_log <span class="sy0">/</span>var<span class="sy0">/</span>log<span class="sy0">/</span>nginx<span class="sy0">/</span><span class="br0">[</span>Domain<span class="br0">]</span>.access.log; error_log <span class="sy0">/</span>var<span class="sy0">/</span>log<span class="sy0">/</span>nginx<span class="sy0">/</span><span class="br0">[</span>Domain<span class="br0">]</span>.error.log;   location <span class="sy0">/</span> <span class="br0">{</span> proxy_http_version <span class="nu0">1.1</span>; <span class="co0"># for BBB 2.4, the port used is 48087. For earlier versions of BBB, it's 8080</span> proxy_pass http:<span class="sy0">//</span>127.0.0.1:<span class="nu0">48087</span>; proxy_set_header Host <span class="re1">$host</span>; proxy_set_header X-Real-IP <span class="re1">$remote_addr</span>; proxy_set_header X-Forwarded-For <span class="re1">$proxy_add_x_forwarded_for</span>; proxy_set_header X-Forwarded-Proto <span class="re1">$scheme</span>; proxy_set_header Upgrade <span class="re1">$http_upgrade</span>; <span class="co0">#proxy_set_header Connection $connection_upgrade;</span> proxy_set_header Connection <span class="st0">"Upgrade"</span>; proxy_cache_bypass <span class="re1">$http_upgrade</span>; <span class="br0">}</span> <span class="br0">}</span></pre></div></div> <p><em><strong>Update 2021-12-30</strong></em> With the release of BBB 2.4 a few weeks ago, the Docker configuration now has one 'breaking' change: the port has been changed to 48087! So, if you are installing an older version of BBB, the previous default was port 8080. If you get a 502 error after setting up your containers, check to make sure you haven't been bitten by this little detail!</p> <p>Right - back to the process...</p> <p>After creating it, we have to 'enable' the configuration:</p> <p><code>sudo ln -sf /etc/nginx/sites-available/$SITE /etc/nginx/sites-enabled/</code></p> <p>It's also not a bad idea to disable the Nginx default configuration, as it can sometimes interfere with things:</p> <p><code>sudo rm /etc/nginx/sites-enabled/default</code></p> <h3><a id="user-content-extra-security-with-dhparampem" href="#extra-security-with-dhparampem" name="extra-security-with-dhparampem" class="heading-permalink" aria-hidden="true" title="Permalink"></a>Extra security with dhparam.pem</h3> <p>We're going to create a 'dhparam' certificate for your configuration. These take a long time to generate - between 10-30 minutes, depending not on the speed of your computer, but on the rate at which it creates 'random events' that allow it to create a suitablely complex random prime number.</p> <p><code>sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048</code></p> <p>If your time isn't limited, you can increase the size of your dhparam from 2048 to 4096 - it'll take quite a lot longer to create.</p> <p>Ok - now that we've created our dhparam.pem, referenced in our Nginx configuration for [Domain], we should have everything in place. We can now test Nginx's configuration:</p> <p><code>sudo nginx -t</code></p> <p>If you don't get any errors or warnings, you can activate the new configuration:</p> <p><code>sudo service nginx reload</code></p> <p>You server should now successfully respond to your [Domain], but it'll redirect to HTTPS using the default (self-signed) certificates that are valid as far as Nginx is concerned, but your browser won't let you access the page due to those inappropriate certificates. You can test it by putting <code>http://[Domain]</code> into your browser and seeing if it redirects you to <code>https://[Domain]</code> and a 'bad certificate` (or similar) page.</p> <p>To fix that, we can now generate a Let's Encrypt certificate which <em>will</em> be valid.</p> <p><code>sudo letsencrypt certonly --webroot -w /var/www/letsencrypt -d ${SITE}</code></p> <p>Since this is your first time running the letsencrypt script, you'll be asked for a contact email (so the Let's Encrypt system can warn you if your certificates are going to be expiring soon!) - use your [Admin email] for this. You can also opt in to allowing them to get anonymous statistics from your site.</p> <p>Once you've done that, the Let's Encrypt system will verify that you (the person requesting the certificate) also controls the server that's requesting it (using the details specified in the <code>/etc/nginx/includes/letsencrypt.conf</code> file, along with data that the letsencrypt script writes into a special file in the <code>/var/www/letsencrypt</code> directory) and, all going well, you'll see a "Congratulations!" message telling you that you have new certificates for your [Domain].</p> <p>Now is a good time to check if your renew-hook worked properly - there should now be two files in <code>/etc/coturn-ssl</code>, namely <code>fullchain.pem</code> and <code>privkey.pem</code>. If that's not the case, something might have gone wrong.</p> <p>Then you can re-edit your Nginx confguration file:</p> <p><code>sudo $EDIT /etc/nginx/sites-available/$SITE</code></p> <p>and comment out the default certificates and uncomment the [Domain]-specific certificates, like this (we'll assume you've already got your [Domain] substituted!):</p> <div class="geshifilter"><div class="bash geshifilter-bash"><pre class="de1">  ...   <span class="co0"># We comment these out *after* we have successfully geneated our Let's Encrypt certificate for [Domain].</span> <span class="co0">#ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;</span> <span class="co0">#ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key; </span> <span class="co0"># we start with these commented out until after we can generate our Let's Encrypt certificate for [Domain]!</span> ssl_certificate <span class="sy0">/</span>etc<span class="sy0">/</span>letsencrypt<span class="sy0">/</span>live<span class="sy0">/</span><span class="br0">[</span>Domain<span class="br0">]</span><span class="sy0">/</span>fullchain.pem; ssl_certificate_key <span class="sy0">/</span>etc<span class="sy0">/</span>letsencrypt<span class="sy0">/</span>live<span class="sy0">/</span><span class="br0">[</span>Domain<span class="br0">]</span><span class="sy0">/</span>privkey.pem; ssl_dhparam <span class="sy0">/</span>etc<span class="sy0">/</span>ssl<span class="sy0">/</span>certs<span class="sy0">/</span>dhparam.pem;   ...  </pre></div></div> <p>Once you've got that going, you again check to make sure your Nginx config is valid:</p> <p><code>sudo nginx -t</code></p> <p>and apply your configruation changes:</p> <p><code>sudo service nginx reload</code></p> <p>If you now go to <code>http://[Domain]</code> in your browser, you should be redirected to <code>https://[Domain]</code> and you shouldn't get any <em>certificate</em> errors, although you might get a "502" error because the service that reverse proxy configuration is trying to send you to doesn't yet exist! That's what we're expecting.</p> <p>One more thing - we need to make sure that the <code>coturn.sh</code> renewal hook script has run. We can check to make sure that there are two files, <code>fullchain.pem</code> and <code>privkey.pem</code> in the <code>/etc/coturn-ssl</code> directory. If we start the Docker containers before these files exist, the Docker daemon creates them <em>as directories</em> by default which can lead to all sorts of trickiness. Run</p> <p><code>sudo ls -l /etc/coturn-ssl/</code></p> <p>and make sure you get a result like this:</p> <div class="geshifilter"><div class="bash geshifilter-bash"><pre class="de1"><span class="re5">-rw-r--r--</span> <span class="nu0">1</span> root root <span class="nu0">5588</span> Dec <span class="nu0">13</span> 08:<span class="nu0">42</span> fullchain.pem <span class="re5">-rw-------</span> <span class="nu0">1</span> root root <span class="nu0">1704</span> Dec <span class="nu0">13</span> 08:<span class="nu0">42</span> privkey.pem</pre></div></div> <h2><a id="user-content-install-docker" href="#install-docker" name="install-docker" class="heading-permalink" aria-hidden="true" title="Permalink"></a>Install Docker</h2> <p>Now we have to set up the Docker container support by first registering a new package source...</p> <p><code>sudo apt-get install -y apt-transport-https curl gnupg lsb-release</code></p> <p><code>sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg</code></p> <p><code>sudo echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list &gt; /dev/null</code></p> <p>updating our list of available packages to include the Docker-related packages...</p> <p><code>sudo apt-get update</code></p> <p>and then install them:</p> <p><code>sudo apt-get install -y docker-ce docker-ce-cli containerd.io</code></p> <p>Which installs a bunch of dependencies as well.</p> <p>To make sure that our non-root user can talk to the Docker server, we need to jump through a couple more hoops:</p> <p><code>sudo addgroup docker</code></p> <p><code>sudo adduser dave docker</code></p> <p>After doing this, the easiest thing is to log out and log back in again to make sure my user can access the new permissions. To confirm that my user has docker group privileges, I can run</p> <p><code>id</code></p> <p>which should give a result like</p> <p><code>uid=1000(dave) gid=1000(dave) groups=1000(dave),4(adm),27(sudo),1001(docker)</code></p> <p>with the latter being the confirmation.</p> <h2><a id="user-content-install-docker-compose" href="#install-docker-compose" name="install-docker-compose" class="heading-permalink" aria-hidden="true" title="Permalink"></a>Install Docker-compose</h2> <p>Now we're almost to the BigBlueButton part - we just need to install the Docker Compose framework:</p> <p><code>sudo apt install python3-pip</code></p> <p><code>sudo pip install -U pip</code></p> <p><code>sudo pip install -U docker-compose</code></p> <p>Once you've done that, you should be able to run <code>docker-compose</code> at your command prompt and it should give you the docker-compose help page. If so, great work! Almost there.</p> <h2><a id="user-content-git-clone-bbb-docker-repository" href="#git-clone-bbb-docker-repository" name="git-clone-bbb-docker-repository" class="heading-permalink" aria-hidden="true" title="Permalink"></a>Git-Clone BBB Docker repository</h2> <p>Now it's time to install the set of Docker containers that make up the BigBlueButton stack of coordinated services.</p> <p>We make a place for the docker configuration and data to live:</p> <p><code>sudo mkdir -p /home/docker/</code></p> <p>go into it</p> <p><code>cd /home/docker</code></p> <p>and then we use the magic of 'git' (if you don't know it, this is one of the single most powerful tools programmers use - everyone would benefit from knowing how 'version control' works - git is by far the most widely used version control aka 'source code control' system in the world. It's open source.) to 'clone' the BigBlueButton developers' Docker definitions code:</p> <p><code>sudo git clone -b main --recurse-submodules https://github.com/bigbluebutton/docker.git bbb-docker</code></p> <p>That command puts all the code into a directory called <code>bbb-docker</code> so let's go there:</p> <p><code>cd bbb-docker</code></p> <p>and in there, we run this command to gram a second layer of code that is referenced by the first layer we already downloaded in the previous step:</p> <p><code>sudo git submodule update --init</code></p> <p>Finally, we run this handy script provided by the BBB developers to set up a working Docker Compose configuration:</p> <p><code>sudo ./scripts/setup</code></p> <p>This will script will ask you some questions about your system. These are the questions <em>and</em> the answers we'll use - note, where I've written [IPv4] and [IPv6] below, you should see the actual IPv4 and IPv6 addresses for your server:</p> <div class="geshifilter"><div class="bash geshifilter-bash"><pre class="de1">Should greenlight be included? <span class="br0">(</span>y<span class="sy0">/</span>n<span class="br0">)</span>: y Should an automatic HTTPS Proxy be included? <span class="br0">(</span>y<span class="sy0">/</span>n<span class="br0">)</span>: n Should a coturn be included? <span class="br0">(</span>y<span class="sy0">/</span>n<span class="br0">)</span>: y Coturn needs TLS to <span class="kw1">function</span> properly. Since automatic HTTPS Proxy is disabled, you must provide a relative or absolute path to your certificates. Please enter path to cert.pem: <span class="sy0">/</span>etc<span class="sy0">/</span>coturn-ssl<span class="sy0">/</span>fullchain.pem Please enter path to key.pem: <span class="sy0">/</span>etc<span class="sy0">/</span>coturn-ssl<span class="sy0">/</span>privkey.pem Should a Prometheus exporter be included? <span class="br0">(</span>y<span class="sy0">/</span>n<span class="br0">)</span>: y Please enter the domain name: bbbtest.milll.ws Should the recording feature be included? IMPORTANT: this is currently a big privacy issues, because it will record everything <span class="kw2">which</span> happens <span class="kw1">in</span> the conference, even when the button suggests, that it does not. <span class="kw2">make</span> sure that you always get people<span class="st_h">'s consent, before they join a room! https://github.com/bigbluebutton/bigbluebutton/issues/9202 Choice (y/n): y Is [IPv4] your external IPv4 address? (y/n): y Is [IPv6] your external IPv6 address? (y/n): y</span></pre></div></div> <p>Once you finish answering these questions, the script creates a file called <code>.env</code> (the leading '.' means it's a 'hidden' file that won't show up in normal directory listings - you have to know it's there, as it holds important system values and shouldn't be deleted.</p> <h2><a id="user-content-configure-your-bbb" href="#configure-your-bbb" name="configure-your-bbb" class="heading-permalink" aria-hidden="true" title="Permalink"></a>Configure your BBB</h2> <p>But now, we're going to tweak it, because it holds all the important customised values we need to configure our BigBlueButton service.</p> <p><code>sudo $EDIT .env</code></p> <p>When you're editing the file, scroll down through it and adjust the values you find as follows.</p> <p>Uncomment this one</p> <div class="geshifilter"><div class="bash geshifilter-bash"><pre class="de1"><span class="re2">ALLOW_MAIL_NOTIFICATIONS</span>=<span class="kw2">true</span></pre></div></div> <p>Set the following</p> <div class="geshifilter"><div class="bash geshifilter-bash"><pre class="de1"><span class="re2">SMTP_SERVER</span>=<span class="br0">[</span>SMTP server<span class="br0">]</span> <span class="re2">SMTP_PORT</span>=<span class="br0">[</span>SMTP port<span class="br0">]</span> <span class="re2">SMTP_DOMAIN</span>=<span class="br0">[</span>Domain<span class="br0">]</span> <span class="re2">SMTP_USERNAME</span>=<span class="br0">[</span>SMTP username<span class="br0">]</span> <span class="re2">SMTP_PASSWORD</span>=<span class="br0">[</span>SMTP password<span class="br0">]</span> <span class="re2">SMTP_AUTH</span>=plain <span class="re2">SMTP_STARTTLS_AUTO</span>=<span class="kw2">true</span> <span class="co0">#</span> <span class="re2">SMTP_SENDER</span>=<span class="br0">[</span>Outgoing email<span class="br0">]</span></pre></div></div> <p>and finally set</p> <div class="geshifilter"><div class="bash geshifilter-bash"><pre class="de1"><span class="re2">DEFAULT_REGISTRATION</span>=invite</pre></div></div> <p>This last one makes it possible for you to invite external people to make use of your BigBlueButton instance - they can create a log in and create their own rooms over which they'll have some control. These can be people in your organisation or community for whom you want your BBB to be available as a resource.</p> <h3><a id="user-content-fix-minor-configuration-error-that-blocks-jodconverter" href="#fix-minor-configuration-error-that-blocks-jodconverter" name="fix-minor-configuration-error-that-blocks-jodconverter" class="heading-permalink" aria-hidden="true" title="Permalink"></a>Fix minor configuration error that blocks JODConverter</h3> <p>One of the containers used in the BBB stack is called <a href="https://github.com/bigbluebutton/docker/tree/develop/mod/jodconverter">JODConverter</a> which, in standard Free and Open Source Software tradition, makes use of an <a href="https://github.com/EugenMayer/docker-image-jodconverter">'upstream' development</a> by another developer, <a href="https://github.com/EugenMayer">EugenMayer</a>, which in turn makes use of an <a href="https://hub.docker.com/r/bellsoft/liberica-openjdk-debian">upstream development</a>...</p> <p>The issue is that a recent update (in early December 2021) has broken the process of launching this container. This is a big problem because the JODConverter provides the services of converting uploaded presentations and downloaded documents (like BBB's Public Chat or Shared Notes) in various useful file formats.</p> <p>Turns out the fix is easy. While still in <code>bbb-docker</code>, Just run</p> <p><code>sudo $EDIT mod/jodconverter/Dockerfile</code></p> <p>and add the following line to the very bottom of the file:</p> <p><code>CMD ["--spring.config.additional-location=optional:/etc/app/"]</code></p> <p>Save it, and you're done. I have <a href="https://github.com/bigbluebutton/docker/issues/178">submitted an issue</a> with the fix I've found to the <code>bigbluebutton/docker</code> project.</p> <p>Once that configuration is done, it's finally time to...</p> <h2><a id="user-content-build-your-bbb" href="#build-your-bbb" name="build-your-bbb" class="heading-permalink" aria-hidden="true" title="Permalink"></a>Build your BBB</h2> <p>The first time it's run, this command will trigger the building of a set of no less than 22 separate Docker containers, each running its own crucial service as part of the BigBlueButton stack.</p> <p><code>sudo docker-compose up -d</code></p> <p><em>Note: this process can take a LONG time, like an hour or more</em> depending on your server's internet connection speed.</p> <p>If you want to see how long it takes the first time, run this instead:</p> <p><code>sudo time docker-compose up -d</code></p> <p>which will give you a readout of the time the command takes to complete.</p> <h2><a id="user-content-visit-your-new-bbb" href="#visit-your-new-bbb" name="visit-your-new-bbb" class="heading-permalink" aria-hidden="true" title="Permalink"></a>Visit your new BBB</h2> <p>Once you next see the command prompt ($ or #), it means that your BBB system is starting up. You can see the status of the containers by running</p> <p><code>sudo docker-compose ps</code></p> <p>which should give you something that looks like this, once everything is running (it might take a few minutes!):</p> <div class="geshifilter"><div class="bash geshifilter-bash"><pre class="de1"> Name Command State Ports <span class="re5">-----------------------------------------------------------------------------------------------------------</span> bbb-docker_apps-akka_1 <span class="sy0">/</span>bin<span class="sy0">/</span><span class="kw2">sh</span> <span class="re5">-c</span> dockerize - ... Up bbb-docker_bbb-web_1 <span class="sy0">/</span>entrypoint.sh Up <span class="br0">(</span>healthy<span class="br0">)</span> bbb-docker_coturn_1 docker-entrypoint.sh <span class="re5">--ext</span> ... Up bbb-docker_etherpad_1 <span class="sy0">/</span>entrypoint.sh Up <span class="nu0">9001</span><span class="sy0">/</span>tcp bbb-docker_freeswitch_1 <span class="sy0">/</span>bin<span class="sy0">/</span><span class="kw2">sh</span> <span class="re5">-c</span> <span class="sy0">/</span>entrypoint.sh Up bbb-docker_fsesl-akka_1 <span class="sy0">/</span>bin<span class="sy0">/</span><span class="kw2">sh</span> <span class="re5">-c</span> dockerize - ... Up bbb-docker_greenlight_1 bin<span class="sy0">/</span>start Up 10.7.7.1:<span class="nu0">5000</span>-<span class="sy0">&gt;</span><span class="nu0">80</span><span class="sy0">/</span>tcp bbb-docker_html5-backend-<span class="nu0">1</span>_1 <span class="sy0">/</span>entrypoint.sh Up bbb-docker_html5-backend-<span class="nu0">2</span>_1 <span class="sy0">/</span>entrypoint.sh Up bbb-docker_html5-frontend-<span class="nu0">1</span>_1 <span class="sy0">/</span>entrypoint.sh Up bbb-docker_html5-frontend-<span class="nu0">2</span>_1 <span class="sy0">/</span>entrypoint.sh Up bbb-docker_jodconverter_1 <span class="sy0">/</span>docker-entrypoint.sh <span class="re5">--sp</span> ... Up bbb-docker_kurento_1 <span class="sy0">/</span>entrypoint.sh Up <span class="br0">(</span>healthy<span class="br0">)</span> bbb-docker_mongodb_1 docker-entrypoint.sh mongo ... Up <span class="br0">(</span>healthy<span class="br0">)</span> <span class="nu0">27017</span><span class="sy0">/</span>tcp bbb-docker_nginx_1 <span class="sy0">/</span>docker-entrypoint.sh ngin ... Up bbb-docker_periodic_1 <span class="sy0">/</span>entrypoint.sh Up bbb-docker_postgres_1 docker-entrypoint.sh postgres Up <span class="br0">(</span>healthy<span class="br0">)</span> <span class="nu0">5432</span><span class="sy0">/</span>tcp bbb-docker_prometheus-exporter_1 python server.py Up <span class="nu0">9688</span><span class="sy0">/</span>tcp bbb-docker_recordings_1 <span class="sy0">/</span>bin<span class="sy0">/</span><span class="kw2">sh</span> <span class="re5">-c</span> <span class="sy0">/</span>entrypoint.sh Up bbb-docker_redis_1 docker-entrypoint.sh redis ... Up <span class="br0">(</span>healthy<span class="br0">)</span> <span class="nu0">6379</span><span class="sy0">/</span>tcp bbb-docker_webhooks_1 <span class="sy0">/</span>bin<span class="sy0">/</span><span class="kw2">sh</span> <span class="re5">-c</span> <span class="sy0">/</span>entrypoint.sh Up bbb-docker_webrtc-sfu_1 .<span class="sy0">/</span>docker-entrypoint.sh npm ... Up 127.0.0.1:<span class="nu0">3008</span>-<span class="sy0">&gt;</span><span class="nu0">3008</span><span class="sy0">/</span>tcp</pre></div></div> <p>At that point, you can visit <code>https://[Domain]</code> and instead of a 502 error, you should see the BigBlueButton 'Greenlight' front page.</p> <p>Now the final step...</p> <h2><a id="user-content-create-an-admin-user" href="#create-an-admin-user" name="create-an-admin-user" class="heading-permalink" aria-hidden="true" title="Permalink"></a>Create an admin user:</h2> <p>To create an admin user, you run this:</p> <p><code>sudo docker-compose exec greenlight bundle exec rake admin:create</code></p> <p>It will give you a login email address and a randomly generated password. Use these to log in. In the profile (top right Admin menu dropdown), you can alter the admin user's email to a real email (perhaps [Admin email]?), and change the password if you like.</p> <p>Then you can go back to the Admin menu and select "Organisation" which should put you on the Manage Users page. You then invite yourself to join as a user by sending yourself an email (which, if your SMTP settings are correct, will work). If you don't receive it in a minute or two, check your spam folder.</p> <p>Either log out of Greenlight before clicking the link in the email or open the link (by copying and pasting it) in a different browser where you're not logged in to this Greenlight instance, and create a user account for yourself.</p> <p>Then log back into Greenlight as the Admin user (if you've previously logged out) and refresh the "Manage Users" page. You should find your newly created user. Select 'Edit' from the vertical 3 dotted menu. On the "Update your Account Info" page, set the User Role for your user to 'Admin" and click the "Update" button. You should now be able to log out as Admin, and back in as your own user, but with administrative privileges.</p> <h2><a id="user-content-run-your-first-conference" href="#run-your-first-conference" name="run-your-first-conference" class="heading-permalink" aria-hidden="true" title="Permalink"></a>Run your first conference</h2> <p>Now it's time to try running a video conference. Click on the "Home" link (top right menu) and you should see that you have a default room called "Home Room" with a URL specified in the form [Domain]/b/[first 3 letters of your name]-[3 random hex digits]-[3 more random hex digits]. For me, it might look something like this: https://[Domain]/b/dav-a5b-73z</p> <p>Click "Start" to initiate a conference in that Home Room.</p> <p>In the conference room, you should select 'Microphone' so you can test speaking and listening, and also test your video camera (assming you have access to both on the computing device you're using to access BBB - note, a modern cellphone normally offers all of these.</p> <p><em>We always encourage people participating in video conferences (regardless of the technology) to employ headphones to separate the audio from the conference form their input. It greatly improves the audio quality for all involved!</em>.</p> <p>If you select 'Microphone', there will be a brief delay whil your browser negotiates with the COTURN server in your BBB stack to link your data and audio channels. Once it's done that, it will give you an "echo test" window (see included screen shots). You should speak into your microphone when you see that screen and check whether you can hear yourself. This will confirm that your audio settings are right (or not) and will help the BBB system adjust its echo cancellation algorithms.</p> <p>You can then also clidk the 'camera' icon (bottom middle of the page) to activate your webcam if you have one (or choose one if you have multiple cameras) as well as the video quality.</p> <p>You can also try to 'Start recording' if you want to test your ability to record a session. Note that there is a delay after the end of a session in which you've recorded before the recording is displayed on the 'room' page in Greenlight. It might take minutes or even hourse to generate depending on the power of your server and the length of the session.</p> <p>To see other administrative functionality including moderation and breakout rooms, click on the "gear" icon next to the "Users" heading in the left hand column. You can also experiment with the "Public Chat" and the "Shared Notes". Both can be saved at any time (via the top right 3 dot menu in that section) and will be included in any recordings you make.</p> <p><em>Note</em> the contents of Public Chat and Shared Notes will be wiped at the end of a session unless you explicitly save them or record the session (at least briefly at the end).</p> <p>You can provide that "room address" to anyone and they can join your room (via an modern browser) when you have a session running. Alternatively, you can click on the 3 dotted menu associated with your room below the 'Search for room" form, and change the default properties of your room, including configuring it to let anyone who knows the room's address start a session. You can also create additional rooms (as an Admin user, you can set the limits on many of these properties via Organisation in the top right menu under your user name.</p> <p>Have fun with your new, world class, cost-effective, large-scale BigBlueButton video conferencing application!</p> <h2><a id="user-content-next-steps" href="#next-steps" name="next-steps" class="heading-permalink" aria-hidden="true" title="Permalink"></a>Next Steps</h2> <p>In a future tutorial, we'll provide information on how to troubleshoot BBB issues, how to upgrade it as new versions are made available by developers, and how to ensure that your recordings, user database, and configuration are backed up incrementally, encrypted, in remote storage.</p></div> </div> </div> <section class="field field-node--field-blog-comments field-name-field-blog-comments field-type-comment field-label-above comment-wrapper"> <a name="comments"></a> <h2 class="comment-field__title">Blog comments</h2> <article data-comment-user-id="0" id="comment-826" about="/comment/826" typeof="schema:Comment" class="comment js-comment by-anonymous has-title clearfix"> <div class="comment__container"> <h3 property="schema:name" datatype="" class="comment__title"> <a href="/comment/826#comment-826" class="permalink" rel="bookmark" hreflang="en">It says in the nginx-config…</a> <span class="comment__new marker marker--success hidden" data-comment-timestamp="1641281859"></span> </h3> <div class="comment__meta"> <div class="comment__submitted"> <span class="comment__author"><span rel="schema:author"><span lang="" typeof="schema:Person" property="schema:name" datatype="">LPup (not verified)</span></span> </span> <span class="comment__pubdate">Tue 04/01/2022 - 20:32 <span property="schema:dateCreated" content="2022-01-04T07:32:09+00:00" class="rdf-meta hidden"></span> </span> </div> </div> <div class="comment__content"> <div property="schema:text" class="clearfix text-formatted field field-comment--comment-body field-name-comment-body field-type-text-long field-label-hidden"> <div class="field__items"> <div property="schema:text" class="field__item"><p>It says in the nginx-config to change the port for the proxy and not forget to change it in the .env file. Where do I need to put what into the .env file for using a different port than 8080?</p> </div> </div> </div> <drupal-render-placeholder callback="comment.lazy_builders:renderLinks" arguments="0=826&amp;1=default&amp;2=en&amp;3=" token="ab5iIZGMF89MSnCPgbrcuI7yHqfoKEyjDb9VtJ299fg"></drupal-render-placeholder> </div> </div> </article> <div class="indented"><article data-comment-user-id="1" id="comment-827" about="/comment/827" typeof="schema:Comment" class="comment js-comment by-node-author has-title clearfix"> <div class="comment__container"> <h3 property="schema:name" datatype="" class="comment__title"> <a href="/comment/827#comment-827" class="permalink" rel="bookmark" hreflang="en">Hmm - thanks for pointing…</a> <span class="comment__new marker marker--success hidden" data-comment-timestamp="1641282307"></span> </h3> <div class="comment__meta"> <div class="comment__submitted"> <span class="comment__author"><span rel="schema:author"><a title="View user profile." href="/user/1" lang="" about="/user/1" typeof="schema:Person" property="schema:name" datatype="" class="username">dave</a></span> </span> <span class="comment__pubdate">Tue 04/01/2022 - 20:44 <span property="schema:dateCreated" content="2022-01-04T07:44:02+00:00" class="rdf-meta hidden"></span> </span> </div> </div> <div class="comment__content"> <p class="comment__parent visually-hidden">In reply to <a href="/comment/826#comment-826" class="permalink" rel="bookmark" hreflang="en">It says in the nginx-config…</a> by <span lang="" typeof="schema:Person" property="schema:name" datatype="">LPup (not verified)</span></p> <div property="schema:text" class="clearfix text-formatted field field-comment--comment-body field-name-comment-body field-type-text-long field-label-hidden"> <div class="field__items"> <div property="schema:text" class="field__item"><p>Hmm - thanks for pointing that out. Yes, I think I made an error with that instruction (I've updated the Nginx config). If you implement BBB today via this set of instructions, you'll be installing BBB 2.4 - port 8080 was used in 2.3 and earlier versions. For 2.4, use port 48087. To be honest, I'm not sure of the right way to alter it if you have to due to other services running on the same system. Writing it manually in the docker-compose.yml file will be overwritten the next time you do an update... It might be necessary to change the port specified in the relevant container's Dockerfile under <code>mods</code>...</p></div> </div> </div> <drupal-render-placeholder callback="comment.lazy_builders:renderLinks" arguments="0=827&amp;1=default&amp;2=en&amp;3=" token="IQwvVUQ-NlVwsrO5mMYIbQJJDVotfViSFCA7rOx4_Aw"></drupal-render-placeholder> </div> </div> </article> </div> <div class="comment-form-wrapper"> <h2 class="comment-form__title">Add new comment</h2> <drupal-render-placeholder callback="comment.lazy_builders:renderForm" arguments="0=node&amp;1=46&amp;2=field_blog_comments&amp;3=comment" token="bVuNCPDsukUifzhtwLxvL6UanvQCaG2zyJeoiuzQckE"></drupal-render-placeholder> </div> </section> Wed, 10 Nov 2021 02:42:41 +0000 dave 46 at http://tech.oeru.org OERF FOSS Tech Hosting Conventions http://tech.oeru.org/oerf-foss-tech-hosting-conventions <span class="field field--name-title field--type-string field--label-hidden">OERF FOSS Tech Hosting Conventions</span> <div class="field field-node--field-blog-tags field-name-field-blog-tags field-type-entity-reference field-label-above"> <h3 class="field__label">Blog tags</h3> <div class="field__items"> <div class="field__item field__item--overview"> <span class="field__item-wrapper"><a href="/taxonomy/term/76" hreflang="en">overview</a></span> </div> <div class="field__item field__item--docker"> <span class="field__item-wrapper"><a href="/taxonomy/term/16" hreflang="en">docker</a></span> </div> <div class="field__item field__item--docker-compose"> <span class="field__item-wrapper"><a href="/taxonomy/term/49" hreflang="en">docker-compose</a></span> </div> <div class="field__item field__item--mariadb"> <span class="field__item-wrapper"><a href="/taxonomy/term/48" hreflang="en">mariadb</a></span> </div> <div class="field__item field__item--nginx"> <span class="field__item-wrapper"><a href="/taxonomy/term/30" hreflang="en">nginx</a></span> </div> <div class="field__item field__item--ubuntu-linux"> <span class="field__item-wrapper"><a href="/taxonomy/term/12" hreflang="en">ubuntu linux</a></span> </div> <div class="field__item field__item--ssh"> <span class="field__item-wrapper"><a href="/taxonomy/term/77" hreflang="en">ssh</a></span> </div> <div class="field__item field__item--restic"> <span class="field__item-wrapper"><a href="/taxonomy/term/78" hreflang="en">restic</a></span> </div> <div class="field__item field__item--lets-encrypt"> <span class="field__item-wrapper"><a href="/taxonomy/term/17" hreflang="en">let&#039;s encrypt</a></span> </div> <div class="field__item field__item--git"> <span class="field__item-wrapper"><a href="/taxonomy/term/79" hreflang="en">git</a></span> </div> <div class="field__item field__item--gitlab"> <span class="field__item-wrapper"><a href="/taxonomy/term/80" hreflang="en">gitlab</a></span> </div> <div class="field__item field__item--foss"> <span class="field__item-wrapper"><a href="/taxonomy/term/10" hreflang="en">foss</a></span> </div> </div> </div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><a title="View user profile." href="/user/1" lang="" about="/user/1" typeof="schema:Person" property="schema:name" datatype="" class="username">dave</a></span> <span class="field field--name-created field--type-created field--label-hidden">Mon 30/08/2021 - 11:44</span> <div class="field field-node--field-image field-name-field-image field-type-image field-label-hidden has-multiple"> <figure class="field-type-image__figure image-count-1"> <div class="field-type-image__item"> <a href="http://tech.oeru.org/sites/default/files/styles/max_1300x1300/public/2021-08/SSH_Session_Screenshot_about.oerfoundation.org-20210830.png?itok=yu7PbTtx" aria-controls="colorbox" aria-label="{&quot;alt&quot;:&quot;A snapshot of an SSH session on about.oerfoundation.org, located in San Francisco, CA, USA, and its performance stats as viewed from Christchurch, New Zealand. &quot;}" role="button" title="A snapshot of an SSH session on about.oerfoundation.org, located in San Francisco, CA, USA, and its performance stats as viewed from Christchurch, New Zealand. " data-colorbox-gallery="gallery-field_image-GnjYzG6vmqA" class="colorbox" data-cbox-img-attrs="{&quot;alt&quot;:&quot;A snapshot of an SSH session on about.oerfoundation.org, located in San Francisco, CA, USA, and its performance stats as viewed from Christchurch, New Zealand. &quot;}"><img src="/sites/default/files/styles/medium/public/2021-08/SSH_Session_Screenshot_about.oerfoundation.org-20210830.png?itok=6cfu9o9O" width="220" height="105" alt="A snapshot of an SSH session on about.oerfoundation.org, located in San Francisco, CA, USA, and its performance stats as viewed from Christchurch, New Zealand. " loading="lazy" typeof="foaf:Image" class="image-style-medium" /> </a> </div> </figure> <figure class="field-type-image__figure image-count-2"> <div class="field-type-image__item"> <a href="http://tech.oeru.org/sites/default/files/styles/max_1300x1300/public/2021-08/Editing_tech.oeru_.org_on_about.oerfoundation.org-20210830.png?itok=-EfYK9sU" aria-controls="colorbox" aria-label="{&quot;alt&quot;:&quot;Editing the docker-compose.yml file for this site using the Vim editor on about.oerfoundation.org via SSH.&quot;}" role="button" title="Editing the docker-compose.yml file for this site using the Vim editor on about.oerfoundation.org via SSH." data-colorbox-gallery="gallery-field_image-GnjYzG6vmqA" class="colorbox" data-cbox-img-attrs="{&quot;alt&quot;:&quot;Editing the docker-compose.yml file for this site using the Vim editor on about.oerfoundation.org via SSH.&quot;}"><img src="/sites/default/files/styles/medium/public/2021-08/Editing_tech.oeru_.org_on_about.oerfoundation.org-20210830.png?itok=npeVOBsh" width="220" height="176" alt="Editing the docker-compose.yml file for this site using the Vim editor on about.oerfoundation.org via SSH." loading="lazy" typeof="foaf:Image" class="image-style-medium" /> </a> </div> </figure> <figure class="field-type-image__figure image-count-3"> <div class="field-type-image__item"> <a href="http://tech.oeru.org/sites/default/files/styles/max_1300x1300/public/2021-08/Screenshot%202021-08-30%20at%2016-21-09%20OERu.png?itok=TwAuGCsB" aria-controls="colorbox" aria-label="{&quot;alt&quot;:&quot;A snapshot of OERu FOSS software projects in our Gitlab instance. All are visible to anyone and we invite contributions.&quot;}" role="button" title="A snapshot of OERu FOSS software projects in our Gitlab instance. All are visible to anyone and we invite contributions." data-colorbox-gallery="gallery-field_image-GnjYzG6vmqA" class="colorbox" data-cbox-img-attrs="{&quot;alt&quot;:&quot;A snapshot of OERu FOSS software projects in our Gitlab instance. All are visible to anyone and we invite contributions.&quot;}"><img src="/sites/default/files/styles/medium/public/2021-08/Screenshot%202021-08-30%20at%2016-21-09%20OERu.png?itok=3FmBKhhs" width="202" height="220" alt="A snapshot of OERu FOSS software projects in our Gitlab instance. All are visible to anyone and we invite contributions." loading="lazy" typeof="foaf:Image" class="image-style-medium" /> </a> </div> </figure> </div> <div class="clearfix text-formatted field field-node--body field-name-body field-type-text-with-summary field-label-hidden"> <div class="field__items"> <div class="field__item"><p>At the <a href="https://oerfoundation.org">OER Foundation</a> we host <a href="/node/34">an array</a> of Free and Open Source Software (FOSS) services. To keep things manageable, we have established a set of conventions to which we adhere, and I'm describing them here in case it's helpful to others who can either learn from, or improve on, our experience.</p> <p>To begin with, we use <a href="https://ubuntu.com">Ubuntu Linux</a> for all of our hosts. We deploy the current Long Term Support (LTS) version of Ubuntu (at the time of this writing, it's 20.04) on commodity Linux hosting services, like Digital Ocean and Hetzner.</p> <h2><a id="user-content-host-access" href="#host-access" name="host-access" class="heading-permalink" aria-hidden="true" title="Permalink"></a>Host access</h2> <p>We access all our hosts on the command line, via secure, end-to-end encrypted connections, using <a href="https://openssh.com">OpenSSH</a>. We don't use a server management tool (neither an open source one, like ISPConfig or Webmin, nor proprietary ones like Plex or CPanel). They would just slow us down. We prefer the efficiency and power afforded us by SSH. At any given time, I'm logged into a half a dozen remote systems, issuing updates, deploying code, diagnosing issues, checking resource usage, shoring up disk space, or tweaking Docker configurations.</p> <h2><a id="user-content-software-on-the-host" href="#software-on-the-host" name="software-on-the-host" class="heading-permalink" aria-hidden="true" title="Permalink"></a>Software on the host</h2> <p>On the host, we run the following:</p> <ol><li>We run <a href="https://etckeeper.branchable.com/">etckeeper</a> on each server to track changes in configuration. In general, we have these changes pushed to a central server to provide a reference in the event of a disaster (e.g. the server is compromised and needs to be 'nuked from orbit'...).</li> <li>The <a href="https://nginx.org">Nginx</a> web server - it's our reverse proxy of choice. All of our <a href="/node/11">Let's Encrypt</a> certificates terminate at the host server, greatly simplifying the deployment of the individual services running on it.</li> <li>The <a href="https://postfix.org">Postfix</a> SMTP server - it's our outgoing mailserver of choice, and we <a href="/node/28">set it up as a smarthost</a>, so that the server can send status and administrative messages to us via our <a href="https://mailcow.email">MailCow</a> email infrastructure using authenticating secure SMTP.</li> <li>The <a href="https://docs.docker.com/get-started/overview/">Docker</a> containerisation framework using the <a href="https://docs.docker.com/compose/">Docker Compose</a> system to coordinate collections of containers that work together to provide specific services. Docker allows us to run a bunch of effectively independent Linux systems, each with potentially different sets of complex software dependencies, efficiently and reliably on a single host.</li> <li>For each service, with an individual domain or subdomain name, we get a <a href="https://letsencrypt.org">Let's Encrypt</a> <a href="https://en.wikipedia.org/wiki/Transport_Layer_Security#SSL_1.0,_2.0,_and_3.0">SSL certificate</a> using the letsencrypt scripting toolchain. It is free of cost, and <a href="/node/11">easy to build into our workflow</a>, so it's a 'no-brainer' as far as we're concerned, ensuring all of our sites protect the data of their users with full encrypted links!</li> <li>For applications we deploy that depend on the MySQL database, we run a single instance of the fully MySQL-compatible <a href="https://mariadb.org/">MariaDB</a> on our host, and the Docker containers connect to it via the internal network. We do it this way to easy the process of backing up the various MariaDB databases, which would be much more fiddly if we were running a bunch of individual MariaDB or MySQL instances in Docker containers. We use MariaDB because we prefer its development model, design decisions, and the fact that it's not being run by the Oracle Corporation, which owns the MySQL project.</li> <li>We use <a href="https://restic.net/">Restic</a> to perform remote encrypted incremental file backups for the filesystems on each server. We send them to a development server we have which has oodles of disk space (<a href="https://en.wikipedia.org/wiki/Btrfs">BTRFS</a> <a href="https://en.wikipedia.org/wiki/Standard_RAID_levels#RAID_1">RAID1</a> if you're curious) for safekeeping.</li> </ol><p>When each new Ubuntu LTS release comes out, we tend to create an install image for our commodity hosting provider (most recently, Digital Ocean), which has all these things pre-installed.</p> <h2><a id="user-content-docker-deployments" href="#docker-deployments" name="docker-deployments" class="heading-permalink" aria-hidden="true" title="Permalink"></a>Docker deployments</h2> <p>For the various services we deploy using Docker - more specifically, using the very handy Docker Compose scripting toolchain, we have a bunch of conventional practices.</p> <ol><li>We put all our Docker Composer recipes in a common directory: <code>/home/docker</code> - each service goes in a directory using the domain name of that service. For example, this Tech blog, tech.oeru.org is in the directory <code>/home/docker/tech.oeru.org</code> on our server about.oerfoundation.org. Each service directory has a <code>docker-compose.yml</code> file which defines the collection of Docker containers making up each service. It also specifies the local directors in which data we want to make persistent, even surviving the removal of relevant Docker containers. In the case of this site, the containers include an Nginx webserver container which submits requests delivered to it by our hosts's Nginx reverse proxy to a PHP scripting engine container which, in turn, consults the Drupal 8 source code making up the site, and the MariaDB on the host which stores the data. There is also a PHP container which automatically runs the behind-the-scenes automated 'cron' tasks that every Drupal site requires.</li> <li>We store that per-service persistent data in a similarly named directory under <code>/home/data</code>, so this site's data is stored in <code>/home/data/tech.oeru.org</code>. That data includes, in the case of this site, an Nginx directory, with a generic Drupal website configuration, and a directory to contain all the Drupal 8 core source code and that for theme, module, and library dependencies. In a few cases, where we're using tools with specialised Docker deployment practices, like Mailcow, BigBlueButton, and Discourse, the persistent data for the site is stored under the <code>/home/docker</code> directory to avoid unnecessarily complicating our use of those tools. So our conventions are just that - not hard and fast, if there's a good reason to compromise them.</li> </ol><h2><a id="user-content-keeping-track" href="#keeping-track" name="keeping-track" class="heading-permalink" aria-hidden="true" title="Permalink"></a>Keeping track</h2> <p>For all of our service configurations, and, in particular our Docker deployments, we use <a href="https://git-scm.com">Git</a> to provide source code versioning and management. We also use it to deploy code that we have developed ourselves. Where possible, we use (and contribute back to!) upstream git repositories supplied by the communities surrounding many of the FOSS services we offer. We see that as doing our part to be good, contributing FOSS community members.</p> <p>All of our git repositories are held on our own, self-hosted <a href="https://about.gitlab.com/community/">Gitlab</a> instance: <a href="https://git.oeru.org/explore/projects">https://git.oeru.org</a> - anyone is welcome to peruse the repositories, and we invite anyone interested in contributing to <a href="/contact">request a an account</a> (give us an idea of what you're interested in doing and how you'd like to participate!).</p></div> </div> </div> <section class="field field-node--field-blog-comments field-name-field-blog-comments field-type-comment field-label-above comment-wrapper"> <a name="comments"></a> <div class="comment-form-wrapper"> <h2 class="comment-form__title">Add new comment</h2> <drupal-render-placeholder callback="comment.lazy_builders:renderForm" arguments="0=node&amp;1=39&amp;2=field_blog_comments&amp;3=comment" token="mc3_yQFNlAQZsoRapw9jke6XUslZiwMrWV52Y56Nyas"></drupal-render-placeholder> </div> </section> Sun, 29 Aug 2021 23:44:43 +0000 dave 39 at http://tech.oeru.org Building a Course Site with WordPress on Ubuntu 20.04 using Docker Compose http://tech.oeru.org/building-course-site-wordpress-ubuntu-2004-using-docker-compose <span class="field field--name-title field--type-string field--label-hidden">Building a Course Site with WordPress on Ubuntu 20.04 using Docker Compose</span> <div class="field field-node--field-blog-tags field-name-field-blog-tags field-type-entity-reference field-label-above"> <h3 class="field__label">Blog tags</h3> <div class="field__items"> <div class="field__item field__item--wordpress"> <span class="field__item-wrapper"><a href="/taxonomy/term/35" hreflang="en">wordpress</a></span> </div> <div class="field__item field__item--docker"> <span class="field__item-wrapper"><a href="/taxonomy/term/16" hreflang="en">docker</a></span> </div> <div class="field__item field__item--docker-compose"> <span class="field__item-wrapper"><a href="/taxonomy/term/49" hreflang="en">docker-compose</a></span> </div> <div class="field__item field__item--ubuntu-linux"> <span class="field__item-wrapper"><a href="/taxonomy/term/12" hreflang="en">ubuntu linux</a></span> </div> <div class="field__item field__item--_004"> <span class="field__item-wrapper"><a href="/taxonomy/term/75" hreflang="en">20.04</a></span> </div> <div class="field__item field__item--multisite"> <span class="field__item-wrapper"><a href="/taxonomy/term/36" hreflang="en">multisite</a></span> </div> <div class="field__item field__item--redis"> <span class="field__item-wrapper"><a href="/taxonomy/term/21" hreflang="en">redis</a></span> </div> <div class="field__item field__item--nginx"> <span class="field__item-wrapper"><a href="/taxonomy/term/30" hreflang="en">nginx</a></span> </div> <div class="field__item field__item--php"> <span class="field__item-wrapper"><a href="/taxonomy/term/40" hreflang="en">php</a></span> </div> <div class="field__item field__item--lets-encrypt"> <span class="field__item-wrapper"><a href="/taxonomy/term/17" hreflang="en">let&#039;s encrypt</a></span> </div> </div> </div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><a title="View user profile." href="/user/1" lang="" about="/user/1" typeof="schema:Person" property="schema:name" datatype="" class="username">dave</a></span> <span class="field field--name-created field--type-created field--label-hidden">Tue 24/08/2021 - 16:00</span> <div class="field field-node--field-image field-name-field-image field-type-image field-label-hidden has-multiple"> <figure class="field-type-image__figure image-count-1"> <div class="field-type-image__item"> <a href="http://tech.oeru.org/sites/default/files/styles/max_1300x1300/public/2021-09/Screenshot%202021-09-03%20at%2015-48-16%20https%20course%20oeru%20org_register-enrol_anon.png?itok=yna1rg6z" aria-controls="colorbox" aria-label="{&quot;alt&quot;:&quot;An anonymous view of an OERu course with Register Enrol link shown (top right).&quot;}" role="button" title="An anonymous view of an OERu course with Register Enrol link shown (top right)." data-colorbox-gallery="gallery-field_image-GnjYzG6vmqA" class="colorbox" data-cbox-img-attrs="{&quot;alt&quot;:&quot;An anonymous view of an OERu course with Register Enrol link shown (top right).&quot;}"><img src="/sites/default/files/styles/medium/public/2021-09/Screenshot%202021-09-03%20at%2015-48-16%20https%20course%20oeru%20org_register-enrol_anon.png?itok=CY0E87Dh" width="220" height="156" alt="An anonymous view of an OERu course with Register Enrol link shown (top right)." loading="lazy" typeof="foaf:Image" class="image-style-medium" /> </a> </div> </figure> <figure class="field-type-image__figure image-count-2"> <div class="field-type-image__item"> <a href="http://tech.oeru.org/sites/default/files/styles/max_1300x1300/public/2021-09/Screenshot%202021-09-03%20at%2015-49-57%20https%20course%20oeru%20org_register-enrol_loggedin.png?itok=DyccmnI7" aria-controls="colorbox" aria-label="{&quot;alt&quot;:&quot;An OERu course with a logged in and registered user, see Register Enrol link (top right)&quot;}" role="button" title="An OERu course with a logged in and registered user, see Register Enrol link (top right)" data-colorbox-gallery="gallery-field_image-GnjYzG6vmqA" class="colorbox" data-cbox-img-attrs="{&quot;alt&quot;:&quot;An OERu course with a logged in and registered user, see Register Enrol link (top right)&quot;}"><img src="/sites/default/files/styles/medium/public/2021-09/Screenshot%202021-09-03%20at%2015-49-57%20https%20course%20oeru%20org_register-enrol_loggedin.png?itok=31IN-ffG" width="182" height="220" alt="An OERu course with a logged in and registered user, see Register Enrol link (top right)" loading="lazy" typeof="foaf:Image" class="image-style-medium" /> </a> </div> </figure> <figure class="field-type-image__figure image-count-3"> <div class="field-type-image__item"> <a href="http://tech.oeru.org/sites/default/files/styles/max_1300x1300/public/2021-09/Screenshot%202021-09-06%20at%2014-54-40%20https%20course%20oeru%20org_lida101_wenotesfeed.png?itok=54vVTHcL" aria-controls="colorbox" aria-label="{&quot;alt&quot;:&quot;An OERu course WEnotes feed aggregation page. Note the sources from which feed messages are drawn - our WEnotes aggregator checks many sources including personal blogs that learners have registered.&quot;}" role="button" title="An OERu course WEnotes feed aggregation page. Note the sources from which feed messages are drawn - our WEnotes aggregator checks many sources including personal blogs that learners have registered." data-colorbox-gallery="gallery-field_image-GnjYzG6vmqA" class="colorbox" data-cbox-img-attrs="{&quot;alt&quot;:&quot;An OERu course WEnotes feed aggregation page. Note the sources from which feed messages are drawn - our WEnotes aggregator checks many sources including personal blogs that learners have registered.&quot;}"><img src="/sites/default/files/styles/medium/public/2021-09/Screenshot%202021-09-06%20at%2014-54-40%20https%20course%20oeru%20org_lida101_wenotesfeed.png?itok=07Lv9rfB" width="220" height="156" alt="An OERu course WEnotes feed aggregation page. Note the sources from which feed messages are drawn - our WEnotes aggregator checks many sources including personal blogs that learners have registered." loading="lazy" typeof="foaf:Image" class="image-style-medium" /> </a> </div> </figure> </div> <div class="clearfix text-formatted field field-node--body field-name-body field-type-text-with-summary field-label-hidden"> <div class="field__items"> <div class="field__item"><p>The <a href="https://oeru.org">OERu</a> offers accredited tertiary (University level) courses to learners anywhere on the Internet, whether they are using desktop computers or mobile devices.</p> <p>Instead of using a Learning Management System to frame the courses, the OERu Courses are hosted in a <a href="https://wordpress.org">WordPress</a> <a href="https://wordpress.org/support/article/create-a-network/">MultiSite</a> (originally called a "Network" of sites within a single WordPress installation) implementation, with each course a 'subsite' represented by sub-directory below the main site. For example, the first <a href="https://oeru.org/learning-in-a-digital-age/">Learning in a Digital Age</a> micro-course, "<a href="https://oeru.org/oeru-partners/otago-polytechnic/digital-literacies-for-online-learning/">Digital literacies for online learning</a>" with the course code <em>LiDA 101</em>, can be found at <a href="https://course.oeru.org/lida101">https://course.oeru.org/lida101</a>. This post explains how you can replicate our fully Free and Open Source Software large-scale Open Educational Resource (OER) course delivery platform at negligible cost.</p> <ul class="table-of-contents"><li> <p><a href="#step-one---a-suitable-host">Step one - a suitable host</a></p> <ul><li> <p><a href="#get-your-domain-lined-up">Get your Domain lined up</a></p> </li> <li> <p><a href="#log-into-your-server">Log into your server</a></p> </li> <li> <p><a href="#sort-out-your-details">Sort out your details</a></p> </li> </ul></li> <li> <p><a href="#step-two---prepare-the-host">Step two - prepare the host</a></p> <ul><li> <p><a href="#set-up-docker-and-docker-compose">Set up Docker and Docker-Compose</a></p> </li> </ul></li> <li> <p><a href="#step-three---configure-your-domain">Step three - configure your domain</a></p> <ul><li> <p><a href="#set-up-nginx-reverse-proxy">Set up Nginx reverse proxy</a></p> </li> <li> <p><a href="#set-up-lets-encrypt-for-the-domain">Set up Let's Encrypt for the domain</a></p> </li> </ul></li> <li> <p><a href="#step-four---get-the-code">Step four - get the code</a></p> <ul><li> <p><a href="#wordpress-source-code">WordPress source code</a></p> </li> <li> <p><a href="#oeru-theme">OERu Theme</a></p> </li> <li> <p><a href="#customise-wp-configphp">Customise wp-config.php</a></p> </li> </ul></li> <li> <p><a href="#step-five---set-up-docker-compose-for-the-site">Step five - set up Docker Compose for the site</a></p> <ul><li> <p><a href="#create-the-nginx-containers-configuration">Create the NGINX container's configuration</a></p> </li> <li> <p><a href="#launch-containers">Launch containers</a></p> </li> </ul></li> <li> <p><a href="#step-six---set-up-your-site">Step Six - set up your site</a></p> <ul><li> <p><a href="#install-wordpress">Install WordPress</a></p> </li> <li> <p><a href="#enable-the-oeru-course-theme">Enable the OERu Course theme</a></p> </li> <li> <p><a href="#create-an-admin-user">Create an admin user</a></p> </li> <li> <p><a href="#enable-multisite">Enable multisite</a></p> </li> <li> <p><a href="#enable-the-relevant-plugins">Enable the relevant plugins</a></p> </li> <li> <p><a href="#third-party-plugins">Third Party plugins</a></p> </li> <li> <p><a href="#oeru-plugins">OERu plugins</a></p> </li> </ul></li> <li> <p><a href="#step-seven---celebrate">Step Seven - celebrate!</a></p> </li> <li> <p><a href="#snapshotting-your-first-oer-course">Snapshotting your first OER course!</a></p> </li> <li> <p><a href="#enabling-oerus-register-enrol-functionality">Enabling OERu's Register Enrol functionality</a></p> </li> <li> <p><a href="#data-backups">Data Backups</a></p> </li> <li> <p><a href="#staying-up-to-date">Staying up-to-date</a></p> </li> <li> <p><a href="#acknowledgements">Acknowledgements</a></p> </li> </ul><p>To host our WordPress Multisite, we use a quartet of <a href="https://docs.docker.com/get-started/overview/">Docker</a> containers - a <a href="https://en.wikipedia.org/wiki/Redis">Redis</a> caching server, an <a href="https://en.wikipedia.org/wiki/Nginx">Nginx</a> webserver, and two servers running the <a href="https://en.wikipedia.org/wiki/PHP">PHP script interpreter</a> in <a href="https://www.php.net/manual/en/install.fpm.php">FPM</a> mode, with the first being the main workhorse responding to queries sent to it by the Nginx server... The other PHP container is responsible for running cron (scheduled) tasks in the background. It's all driven by <a href="https://docs.docker.com/compose/">Docker Compose</a> (which coordinates the individual Docker containers) on an Ubuntu Linux host. The host also runs an Nginx instance to act as a '<a href="https://www.nginx.com/resources/glossary/reverse-proxy-server/">reverse proxy</a>', and the endpoint of our <a href="https://en.wikipedia.org/wiki/Transport_Layer_Security#SSL_1.0,_2.0,_and_3.0">SSL</a> (we use <a href="/node/11">Let's Encrypt</a> certificates). This is all consistent with our <a href="/node/39">FOSS Docker-based hosting conventions</a>.</p> <p>Although our process to get one of the these sites up and running is made up of simple steps, there are a bunch of them, so get comfortable and buckle yourself in and prepare for a fun ride! <em>Just beware - this is a pretty audacious tutorial describing an advanced production-ready system with lots of moving parts doing a serious amount of stuff behind the scenes, so this process is likely to take a few hours from start to finish and isn't for the faint of heart.</em></p> <h2><a id="user-content-step-one---a-suitable-host" href="#step-one---a-suitable-host" name="step-one---a-suitable-host" class="heading-permalink" aria-hidden="true" title="Permalink"></a>Step one - a suitable host</h2> <p>The first step is to get yourself an entry-level virtual server or compute instance somewhere.</p> <p>I generally use <a href="https://digitalocean.com">DigitalOcean</a> (I have no affiliation with the company), but there are many other commodity hosting services (check out <a href="https://vultr.com">Vultr</a> or <a href="https://linode.com">Linode</a>, for example) around the world which offer comparably (or better) spec'd servers for USD5.00/month, or USD60.00/year. For that you get a Gigabyte (GB) of RAM, a processor, and 40GB of SSD (Static Storage Device = faster) storage.</p> <p>A server (a "Droplet" in Digital Ocean parlance) with a GB of RAM and 20+ GB of disk space will be sufficient for this sort of service. If you expect it to have heavy traffic, or you might want to add more services, you might want to invest in a higher-spec server up-front (because, among other things, it'll offer you more disk space). Most of our servers are USD40/month instances (USD480/year) which buys 8GB of RAM, 4 virtual processors, and 160GB of disk space.</p> <p>I suggest you create an account for yourself on your chosen hosting provider (and I encourage you to use Two Factor Authentication, aka 2FA, on your hosting account so that no one can log in as you and, say, delete your server unexpectedly - you'll find instructions on how to set up 2FA on your hosting provider's site) and create an Ubuntu 20.04 (or the most recent 'Long Term Support' (LTS) version - the next will be 22.04, in April 2022) in the zone nearest to you.</p> <p>If you don't already have an SSH key on your computer, I encourage you to <a href="https://support.atlassian.com/bitbucket-cloud/docs/set-up-an-ssh-key/">create one</a> and specify the <strong>public key</strong> in the process of creating your server - that should allow you to log in without needing a password!</p> <p>You'll need to note the server's IPv4 address (it'll be a series of 4 numbers, 0-254, separated by full stops, e.g. 103.99.72.244), and you should also be aware that your server will have a newer IPv6 address, which will be a set of 8 four hex character values [each hex character can have one of 16 values: 0-9,A-F] separated by colons, e.g. 2604:A880:0002:00D0:0000:0000:20DE:9001. With one or the other of those IPs, you can <a href="https://www.digitalocean.com/community/tutorials/how-to-use-ssh-to-connect-to-a-remote-server-in-ubuntu">log into it via SSH</a>.</p> <p>Once you get logged in, it's worth doing an upgrade of your server's Ubuntu system! Do that as follows:</p> <p><code>sudo apt-get update &amp;&amp; sudo apt-get dist-upgrade</code></p> <h3><a id="user-content-get-your-domain-lined-up" href="#get-your-domain-lined-up" name="get-your-domain-lined-up" class="heading-permalink" aria-hidden="true" title="Permalink"></a>Get your Domain lined up</h3> <p>You will want to have a domain to point at your server, so you don't have to remember the IP number. There're are thousands of domain "registrars" in the world who'll help you do that... You just need to "register" a name, and you pay yearly fee (usually between USD10-30 depending on the country and the "TLD" (Top Level Domain. There're national ones like .nz, .au, .uk, .tv, .sa, .za, etc., or international domains (mostly associated with the US) like .com, .org, .net, and a myriad of others. Countries decide on how much their domains wholesale for and registrars add a margin for the registration service).</p> <p>Here in NZ, I use the services of Metaname (they're local to me in Christchurch, and I know them personally and trust their technical capabilities). If you're not sure who to use, ask your friends. Someone's bound to have recommendations (either positive or negative, in which case you'll know who to avoid).</p> <p>If you want to use your domain for other things besides your WordPress instance, I'd encourage you to use a subdomain, like (my usual choice) is "course.domainname", namely the subdomain "course" of "domainname".</p> <p>Once you have selected and registered your domain, you can set up (usually through a web interface provided by the registrar) an "A Record" which associates your website's name to the IPv4 address of your server. So you should just be able to enter your server's IPv4 address, the domain name (or sub-domain) you want to use for your WordPress service. Nowadays, <em>if your Domain Name host offers it (some don't, meaning they're way behind the times),</em> it's also important to define an IPv6 record, which is called an "AAAA Record"... you put in your IPv6 address instead of your IPv4 one.</p> <p>You might be asked to set a "Time-to-live" (which has to do with the length of time Domain Name Servers are asked to "cache" the association that the A Record specifies) in which case you can put in 3600 seconds or an hour depending on the time units your interface requests... but in most cases that'll be set to a default of an hour automatically.</p> <h3><a id="user-content-log-into-your-server" href="#log-into-your-server" name="log-into-your-server" class="heading-permalink" aria-hidden="true" title="Permalink"></a>Log into your server</h3> <p>You should be able to test that your A and AAAA Records have been set correctly by logging into your server via SSH using your domain name rather than the IPv4 or IPv6 address you used previously. It should (after you accept the SSH warning that the server's name has a new name) work the same way your original SSH login did. On Linux, you'd SSH via a terminal and enter <code>ssh root@[domain name]</code>. I think you can do similar on MacOS and on Windows, I believe people typically use software called Putty...</p> <p>This will log you into your server as the 'root' user. It's not considered good practice to access your server as root (it's too easy to completely screw it up). Best practice is to create a separate 'non-root' user who has 'sudo' privileges and the ability to log in via SSH. If you are <em>currently logged in as 'root'</em>, you can create a normal user for yourself via (replace [username] with your chosen username):</p> <p><code>U=[username]</code><br /><code>adduser $U</code><br /><code>adduser $U ssh</code><br /><code>adduser $U sudoers</code></p> <p>You'll also want to a set a password for user [username]:</p> <p><code>passwd $U</code></p> <p>then become that user temporarily (note, the root user can 'become' another user without needing to enter a password) and create an SSH key and, in the process, the <code>.ssh</code> directory (directories starting with a '.' are normally 'hidden') for the file into which to put your public SSH key:</p> <p><code>su $U</code> <code>ssh-keygen -t rsa -b 2048</code> <code>nano ~/.ssh/authorized_keys</code></p> <p>and in that file, copy and paste (without spaces on either end) your <em>current computer's</em> <strong>public</strong> ssh key (<em>never publish</em> your private key anywhere!), save and close the file.</p> <p>From that point, you should be able to SSH to your server via <code>ssh [username]@[domain name]</code> without needing to enter a password.</p> <p>These instructions use 'sudo' in front of commands because I assume you're using a non-root user. The instructions will still work fine even if you're logged in as 'root'.</p> <h3><a id="user-content-sort-out-your-details" href="#sort-out-your-details" name="sort-out-your-details" class="heading-permalink" aria-hidden="true" title="Permalink"></a>Sort out your details</h3> <p>You'll replace the similarly [named] variables in the configuration files and command lines below. These are the values you need to find or create.</p> <ul><li> <strong>[domain name]</strong> - the fully qualified domain name or subdomain by which you want your WPMS to be accessed. You must have full domain management ability on this domain. Example: <code>course.oeru.org</code> </li> <li> <strong>[port]</strong> - this is an unused port, i.e. not used by any other service, that will be used by the Nginx reverse proxy to talk to your Docker Nginx webserver container. A conventional option would be 8080... If that's already in use, try 8081, etc. You can check what ports are in use with the command <code>sudo netstat -punta</code> - the ports are listed after the ':' in each case</li> <li>MariaDB/MySQL database details <ul><li> <strong>[database root password]</strong> - the administrative user (root) password for this server - see <a href="/node/43">our tutorial on creating strong random passwords</a> </li> <li> <strong>[your database password]</strong> - if you, optionally, want to set up an admin user for yourself on this server. Paired with <strong>[your username]</strong> on the server.</li> <li> <strong>[database name]</strong> - the name of the database for this specific WordPress site - example <code>wordpress</code> </li> <li> <strong>[database user]</strong> - a separate username for this WordPress database - example <code>wordpress</code> (but it can be different too)- <strong>note</strong>: you'll be creating <em>two</em> database users with this same username and password, but that's intended.</li> <li> <strong>[database password]</strong> a separate password for this WordPress database user</li> </ul></li> <li>Authenticating SMTP details - this is required so your WordPress site can send emails to users - crucial things like email address validation and password recovery emails... <ul><li> <strong>[smtp host]</strong> - the domain name or IPv4 or IPv6 address of an SMTP server</li> <li> <strong>[smtp reply-to-email address]</strong> - a monitored email to which people can send email related to this WordPress site, e.g. webmaster@[domain name]</li> <li> <strong>[smtp user]</strong> - the username (often an email address) used to authenticate against your SMTP server, provided by your email provider.</li> <li> <strong>[smtp password]</strong> - the accompanying password, provided by your email provider.</li> </ul></li> <li>Wordpress configuration values <ul><li> <strong>[redis password]</strong> - another random password, this time for the caching service we'll set up to make your WordPress site faster than billy-o.</li> <li> <strong>[wordpress keys and salts]</strong> - a series of random numbers to make your WordPress site far more secure than it would otherwise be - <em>these can be generated automatically using the approach described below!</em>.</li> </ul></li> <li>For those incorporating our WEnotes system, you'll need the following (these values are optional and can be ignored!) <ul><li> <strong>[couchdb host]</strong> - the domain name of the couchdb host - in the case of the OERu, our host is couch.oerfoundation.org. Yours might be different.</li> <li> <strong>[couchdb mention database]</strong> - the name of the designated 'mention' database on the couchdb host.</li> <li> <strong>[couchdb user]</strong> - a couchdb username, provided by whoever manages your couchdb host</li> <li> <strong>[couchdb password]</strong> - a couchdb password, also provided by whoever manages your couchdb host</li> </ul></li> <li>Docker.com login details (you'll need a username and password).</li> </ul><p><strong>Note</strong>: not all values in all files surrounded by [] need to be replaced! If they're not included in the list above, leave them as you find them!</p> <h2><a id="user-content-step-two---prepare-the-host" href="#step-two---prepare-the-host" name="step-two---prepare-the-host" class="heading-permalink" aria-hidden="true" title="Permalink"></a>Step two - prepare the host</h2> <p>Preparing the host involves ensuring your firewall, UFW, is configured properly, installing the Nginx webserver to act as your host's reverse proxy, and installing MariaDB (MySQL compatible but better, for a variety of reasons including that it's not controlled by Oracle) and configuring it properly. Then we can create the MariaDB database specifically for this WordPress installation. We also suggest you install Postfix so your server can send out email to you, and finally, we'll ensure that your server knows how to launch Docker containers and manage them with Docker Compose.</p> <p>Before we do anything else, let's make sure your Ubuntu package repository is up-to-date.</p> <p><code>sudo apt-get update</code></p> <p>If you pause this build process for more than a few hours, it pays to run it again before you continue on.</p> <h4><a id="user-content-firewall-with-ufw" href="#firewall-with-ufw" name="firewall-with-ufw" class="heading-permalink" aria-hidden="true" title="Permalink"></a>Firewall with UFW</h4> <p>No computer system is ever full secure - there're always exploits waiting to be found, so security is a process of maintaining vigilance. Part of that is reducing exposure - minimising your "attack surface". Use a firewall - <code>ufw</code> is installed on Ubuntu by default and is easy to set up and maintain. Make sure you've got exceptions for SSH (without them, you could lock yourself out of your machine! Doh!).</p> <p>Run the following commands to allow your Docker containers to talk to other services on your host.</p> <p><code>sudo ufw allow in on docker0</code><br /><code>sudo ufw allow from 172.0.0.0/8 to any</code></p> <p>Specifically for Docker's benefit, you need to tweak the default Forwarding rule (I use <code>vim</code> as my editor. An alternative, also installed by default on Ubuntu, <code>nano</code>, is probably easier to use for simple edits like this, so I'll use <code>nano</code> here):</p> <p><code>sudo nano /etc/default/ufw</code></p> <p>and copy the line <code>DEFAULT_FORWARD_POLICY="DROP"</code> tweak it to look like this (commenting out the default, but leaving it there for future reference!):</p> <div class="geshifilter"><div class="bash geshifilter-bash"><pre class="de1"><span class="co0">#DEFAULT_FORWARD_POLICY="DROP"</span> <span class="re2">DEFAULT_FORWARD_POLICY</span>=<span class="st0">"ACCEPT"</span></pre></div></div> <p>and then save and exit the file (CTRL-X and then 'Y').</p> <p>You also have to edit <code>/etc/ufw/sysctl.conf</code> and remove the "#" at the start of the following lines, so they look like this:</p> <p><code>sudo nano /etc/ufw/sysctl.conf</code></p> <div class="geshifilter"><div class="bash geshifilter-bash"><pre class="de1"><span class="co0"># Uncomment this to allow this host to route packets between interfaces</span> net<span class="sy0">/</span>ipv4<span class="sy0">/</span><span class="re2">ip_forward</span>=<span class="nu0">1</span> net<span class="sy0">/</span>ipv6<span class="sy0">/</span>conf<span class="sy0">/</span>default<span class="sy0">/</span><span class="re2">forwarding</span>=<span class="nu0">1</span> net<span class="sy0">/</span>ipv6<span class="sy0">/</span>conf<span class="sy0">/</span>all<span class="sy0">/</span><span class="re2">forwarding</span>=<span class="nu0">1</span></pre></div></div> <p>and finally restart the network stack and ufw on your server</p> <p><code>sudo systemctl restart systemd-networkd</code><br /><code>sudo service ufw restart</code></p> <h4><a id="user-content-installing-the-nginx-webserverreverse-proxy" href="#installing-the-nginx-webserverreverse-proxy" name="installing-the-nginx-webserverreverse-proxy" class="heading-permalink" aria-hidden="true" title="Permalink"></a>Installing the Nginx webserver/reverse proxy</h4> <p>In the configuration I'm describing here, you'll need a webserver running on the server - it'll be acting as a reverse proxy for the Docker-based Nginx instance described below. I prefer the efficiency of Nginx and clarity of Nginx configurations over those of Apache and other open source web servers. Here's how you install it.</p> <p><code>sudo apt-get install nginx-full</code></p> <p>To allow <code>nginx</code> to be visible via ports 80 and 443, run</p> <p><code>sudo ufw allow "Nginx Full"</code></p> <p>To check that all worked, you can put <code>http://[domain name]</code> into your browser's address bar, and you should see a default "NGINX" page...</p> <p>Note: make sure your hosting service is not blocking these ports at some outer layer (depending on who's providing that hosting service you may have to set up port forwarding).</p> <h4><a id="user-content-installing-mariadb" href="#installing-mariadb" name="installing-mariadb" class="heading-permalink" aria-hidden="true" title="Permalink"></a>Installing MariaDB</h4> <p>MariaDB is effectively a drop-in alternative to MySQL and we prefer it because it's not controlled by Oracle and has a more active developer community. On Ubuntu, MariaDB pretends to be MySQL for compatibility purposes, so don't be weirded out by the interchangeable names below. Install the latest versions of the server and client like this.</p> <p><code>sudo apt-get install mariadb-server mariadb-client</code></p> <p>You need to set a root (admin) user password - you might want to create a <code>/root/.my.cnf</code> file containing the following (replacing [mysql root password]) to let you access MariaDB without a password from the commandline:</p> <p><code>sudo nano /root/.my.cnf </code></p> <p>and put the following info into it</p> <div class="geshifilter"><div class="bash geshifilter-bash"><pre class="de1"><span class="br0">[</span>client<span class="br0">]</span> <span class="re2">user</span>=root <span class="re2">password</span>=<span class="br0">[</span>database root password<span class="br0">]</span></pre></div></div> <p>You should now be able to type <code>mysql</code> at the command prompt (note, the name mysql is used for backward compatibility with many implementations where MariaDB is being used to replace MySQL).</p> <p><strong>Optional MySQL non-root user</strong></p> <p>If you're happy to use your root user to access MySQL, e.g. <code>sudo mysql</code> (which uses 'sudo' to access it via the root user), then you can safely ignore the rest of this section.</p> <p>If you're accessing the server via a non-root user (which is a good idea, and is the reason we use <code>sudo</code> in this howto), you might want to create a similar <code>~/.my.cnf</code> file in your directory , with your username in place of <code>root</code>, and a <em>different password</em>. That will allow you to work with the MariaDB client without needing to enter the root credentials each time.</p> <p>To make it work, you'll need to run the following as the MySQL admin user - this should be the default on this new install - remember to replace your [tokens]!). This creates <em>two</em> users with the same credentials that will allow you to log in either from the same server (i.e. 'localhost') or from any of your Docker containers (often useful for debugging!), namely the wildcard '%'. <strong>Remember</strong>: if you change the user's details, you'll have to do it for both the localhost and '%' users.</p> <div class="geshifilter"><div class="bash geshifilter-bash"><pre class="de1">CREATE USER <span class="st0">"[your username]"</span><span class="sy0">@</span><span class="st0">"localhost"</span> IDENTIFIED BY <span class="st0">"[your database password]"</span>; CREATE USER <span class="st0">"[your username]"</span><span class="sy0">@</span><span class="st0">"%"</span> IDENTIFIED BY <span class="st0">"[your database password]"</span>; GRANT ALL ON <span class="sy0">*</span>.<span class="sy0">*</span> to <span class="st0">"[your username]"</span><span class="sy0">@</span><span class="st0">"localhost"</span> WITH GRANT OPTION; GRANT ALL ON <span class="sy0">*</span>.<span class="sy0">*</span> to <span class="st0">"[your username]"</span><span class="sy0">@</span><span class="st0">"%"</span> WITH GRANT OPTION; FLUSH PRIVILEGES;</pre></div></div> <p>Don't be alarmed if MySQL tells you "0 rows affected" when you create a user - unless you see a specific 'error', it's still creating them.</p> <p><strong>End optional MySQL non-root user section</strong></p> <p>Tweak the configuration so that it's listening on the right internal network device.</p> <p><code>sudo nano /etc/mysql/mariadb.conf.d/50-server.cnf</code></p> <p>and copy the bind-address line and adjust so it looks like this - we want MariaDB to be listening on all interfaces, not just localhost (<code>127.0.0.1</code>)...</p> <div class="geshifilter"><div class="bash geshifilter-bash"><pre class="de1"><span class="co0"># Instead of skip-networking the default is now to listen only on</span> <span class="co0"># localhost which is more compatible and is not less secure.</span> <span class="co0">#bind-address = 127.0.0.1</span> bind-address = 0.0.0.0</pre></div></div> <p>Then restart MariaDB:</p> <p><code>sudo service mysql restart</code></p> <p>It should now be listening on MySQL/MariaDB's default port <code>3306</code> on all interfaces, i.e. <code>0.0.0.0</code>. For safety's sake, external access to the MariaDB server is blocked by your UFW firewall.</p> <p>Now set up the database which will hold WordPress' data. Log into the MariaDB client on the host (if you've created a <code>.my.cnf</code> file in your home directory as describe above, you won't need to enter your username and password):</p> <p><code>mysql -u root -p</code></p> <p>Enter your root password when prompted and then replace the following [database-related tokens] to create the database with the right language encoding, along with access to the right separate user:</p> <div class="geshifilter"><div class="bash geshifilter-bash"><pre class="de1">CREATE DATABASE <span class="br0">[</span>database name<span class="br0">]</span> CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci; CREATE USER <span class="st0">"[database user]"</span><span class="sy0">@</span><span class="st0">"%"</span> IDENTIFIED BY <span class="st0">"[database password]"</span>; GRANT ALL ON <span class="br0">[</span>database name<span class="br0">]</span>.<span class="sy0">*</span> to <span class="st0">"[database user]"</span><span class="sy0">@</span><span class="st0">"%"</span>; FLUSH PRIVILEGES;</pre></div></div> <p>The last line ensures that MariaDB has updated its internal permissions to recognise your new user. To exit the SQL client, just type <code>\q</code> and ENTER.</p> <h4><a id="user-content-sending-emails" href="#sending-emails" name="sending-emails" class="heading-permalink" aria-hidden="true" title="Permalink"></a>Sending emails</h4> <p>Because a server like this one is set up to perform lots of rather complex jobs to perform, it's vital that your server has the ability to send you emails to alert you of problems, like failed updates or backups. We encourage you to follow our instructions on <a href="/node/28">how to configure your server to use the <code>Postfix</code> SMTP server to send out email, using your Authenticating SMTP details</a>.</p> <h4><a id="user-content-regular-automatic-database-backups" href="#regular-automatic-database-backups" name="regular-automatic-database-backups" class="heading-permalink" aria-hidden="true" title="Permalink"></a>Regular automatic database backups</h4> <p>Finally, it's a good idea (but optional - if you're in a hurry, you can do this later) to make sure that your server is maintaining backups of your database - in this case, we'll use the <code>automysqlbackup</code> script to automatically maintain a set of dated daily database backups. It's easy to install, and the database backups will be in <code>/var/lib/automysqlbackup</code> in dated folders and files. <strong>If you haven't set up Postfix in the previous step, just beware you will be asked to set it up when installing automysqlbackup</strong>.</p> <p><code>sudo apt-get install automysqlbackup</code></p> <p>That's all there is to it. It should run automatically every night and store a set of historical SQL snapshots that may well save your bacon sometime down the track!</p> <h3><a id="user-content-set-up-docker-and-docker-compose" href="#set-up-docker-and-docker-compose" name="set-up-docker-and-docker-compose" class="heading-permalink" aria-hidden="true" title="Permalink"></a>Set up Docker and Docker-Compose</h3> <p>First, you need to set up <a href="https://docs.docker.com/install/linux/docker-ce/ubuntu/">Docker support</a> on your server - use the 'repository method' for Ubuntu 20.04 and choose the 'x86_64 / amd64' tab!</p> <p>Also, if you're using a non-root user, follow the complete instructions including <em><a href="https://docs.docker.com/engine/install/linux-postinstall/">setting up Docker for your non-root user</a></em>.</p> <p>The way I implement this set of containers is to use <a href="https://docs.docker.com/compose/">Docker Compose</a>) which depends on the Python script interpreter (version 3+). I suggest using the latest installation instructions provided by the Docker community. Of the options provided, I use the 'alternative instructions', employing <a href="https://docs.docker.com/compose/install/#install-using-pip">the 'pip' approach</a>. This is what I usually do (to summarise the pip instructions):</p> <p>The firrst step is to Install Ubuntu's Python3 pip which is a bit outdated...</p> <p><code>sudo apt install python3-pip</code></p> <p>use the Ubuntu instance, called pip3 to install the latest Python 3 pip</p> <p><code>sudo pip install -U pip</code></p> <p>and (finally) install the docker-compose script:</p> <p><code>sudo pip install -U docker-compose</code></p> <h4><a id="user-content-set-up-our-conventional-directories" href="#set-up-our-conventional-directories" name="set-up-our-conventional-directories" class="heading-permalink" aria-hidden="true" title="Permalink"></a>Set up our conventional directories</h4> <p>To set up your server, I recommend setting up a place for your Docker containers as per our <a href="/node/39">Docker-related conventions</a>:</p> <p><code>sudo mkdir -p /home/data/[domain name]</code><br /><code>sudo mkdir -p /home/docker/[domain name]</code></p> <h2><a id="user-content-step-three---configure-your-domain" href="#step-three---configure-your-domain" name="step-three---configure-your-domain" class="heading-permalink" aria-hidden="true" title="Permalink"></a>Step three - configure your domain</h2> <h3><a id="user-content-set-up-nginx-reverse-proxy" href="#set-up-nginx-reverse-proxy" name="set-up-nginx-reverse-proxy" class="heading-permalink" aria-hidden="true" title="Permalink"></a>Set up Nginx reverse proxy</h3> <p>A reverse proxy is a website intermediary. It accepts requests from the Internet, like a normal webserver would, but instead of having direct access to the data being requested, it, in turn, makes a request from another webserver either on the same host, or on a different one, and passes the results of that request back to the requester. In this case, the Nginx instance on the host is making a request of a <em>different host</em> that happens to reside on the same host instance as a Docker 'container'.</p> <p>Our convention is to create an Nginx reverse proxy configuration file with the same name as our [domain name], so in the case of, say, our Course WordPress Multisite, the file would be <code>/etc/nginx/sites-available/course.oeru.org</code>. Create a file in your <code>/etc/nginx/sites-available</code> with the following (again, replacing the [values] with your own values.</p> <p><code>sudo nano /etc/nginx/sites-available/[domain name]</code></p> <p>and copy and paste this in (and remember to replace the [tokens] with your relevant variables!):</p> <div class="geshifilter"><div class="bash geshifilter-bash"><pre class="de1"><span class="co0">#</span> <span class="co0"># Set [domain name] and [port] below to make this work</span> <span class="co0">#</span> <span class="co0"># HTTP does *soft* redirect to HTTPS</span> <span class="co0">#</span> server <span class="br0">{</span> <span class="co0"># add [IP-Address:]80 in the next line if you want to limit this to a single interface</span> listen <span class="nu0">80</span>; listen <span class="br0">[</span>::<span class="br0">]</span>:<span class="nu0">80</span>; server_name <span class="br0">[</span>domain name<span class="br0">]</span>; root <span class="sy0">/</span>home<span class="sy0">/</span>data<span class="sy0">/</span><span class="br0">[</span>domain name<span class="br0">]</span><span class="sy0">/</span>scr; index index.php;   <span class="co0"># change the file name of these logs to include your server name</span> <span class="co0"># if hosting many services...</span> access_log <span class="sy0">/</span>var<span class="sy0">/</span>log<span class="sy0">/</span>nginx<span class="sy0">/</span><span class="br0">[</span>domain name<span class="br0">]</span>_access.log; error_log <span class="sy0">/</span>var<span class="sy0">/</span>log<span class="sy0">/</span>nginx<span class="sy0">/</span><span class="br0">[</span>domain name<span class="br0">]</span>_error.log;   <span class="co0"># for let's encrypt renewals!</span> include includes<span class="sy0">/</span>letsencrypt.conf;   <span class="co0"># redirect all HTTP traffic to HTTPS.</span> location <span class="sy0">/</span> <span class="br0">{</span> <span class="kw3">return</span> <span class="nu0">302</span> https:<span class="sy0">//</span><span class="br0">[</span>domain name<span class="br0">]</span><span class="re1">$request_uri</span>; <span class="br0">}</span> <span class="br0">}</span> <span class="co0">#</span> <span class="co0"># HTTPS</span> <span class="co0">#</span> <span class="co0"># This assumes you're using Let's Encrypt for your SSL certs (and why wouldn't</span> <span class="co0"># you!?)... https://letsencrypt.org</span> server <span class="br0">{</span> <span class="co0"># add [IP-Address:]443 ssl in the next line if you want to limit this to a single interface</span> listen <span class="nu0">443</span> ssl; listen <span class="br0">[</span>::<span class="br0">]</span>:<span class="nu0">443</span> ssl; <span class="co0"># Note: these are *temporary* certificates, created when your host was set up</span> <span class="co0"># they are only in use to get Nginx to start up properly and let you create your let's encrypt certificates!</span> ssl_certificate <span class="sy0">/</span>etc<span class="sy0">/</span>ssl<span class="sy0">/</span>certs<span class="sy0">/</span>ssl-cert-snakeoil.pem; ssl_certificate_key <span class="sy0">/</span>etc<span class="sy0">/</span>ssl<span class="sy0">/</span>private<span class="sy0">/</span>ssl-cert-snakeoil.key; <span class="co0"># these will be used after we finish the Let's Encrypt process</span> <span class="co0">#ssl_certificate /etc/letsencrypt/live/[domain name]/fullchain.pem;</span> <span class="co0">#ssl_certificate_key /etc/letsencrypt/live/[domain name]/privkey.pem;</span> ssl_protocols TLSv1 TLSv1.1 TLSv1.2; <span class="co0"># to create this, see https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html</span> ssl_dhparam <span class="sy0">/</span>etc<span class="sy0">/</span>ssl<span class="sy0">/</span>certs<span class="sy0">/</span>dhparam.pem; keepalive_timeout 20s;   server_name <span class="br0">[</span>domain name<span class="br0">]</span>; root <span class="sy0">/</span>home<span class="sy0">/</span>data<span class="sy0">/</span><span class="br0">[</span>domain name<span class="br0">]</span><span class="sy0">/</span>src; index index.php;   <span class="co0"># change the file name of these logs to include your server name</span> <span class="co0"># if hosting many services...</span> access_log <span class="sy0">/</span>var<span class="sy0">/</span>log<span class="sy0">/</span>nginx<span class="sy0">/</span><span class="br0">[</span>domain name<span class="br0">]</span>_access.log; error_log <span class="sy0">/</span>var<span class="sy0">/</span>log<span class="sy0">/</span>nginx<span class="sy0">/</span><span class="br0">[</span>domain name<span class="br0">]</span>_error.log;   location <span class="sy0">/</span> <span class="br0">{</span> <span class="co0"># a good value for [port] is 8080, unless it's already in use by another service on your server...</span> proxy_pass http:<span class="sy0">//</span>127.0.0.1:<span class="br0">[</span>port<span class="br0">]</span>; proxy_set_header Upgrade <span class="re1">$http_upgrade</span>; proxy_set_header Connection <span class="st0">"upgrade"</span>; proxy_set_header Host <span class="re1">$http_host</span>; proxy_set_header X-Real-IP <span class="re1">$remote_addr</span>; proxy_set_header X-Forwarded-For <span class="re1">$proxy_add_x_forwarded_for</span>; proxy_set_header X-Forwarded-Host <span class="re1">$server_name</span>; proxy_set_header X-Forwarded-Proto https; proxy_connect_timeout <span class="nu0">900</span>; proxy_send_timeout <span class="nu0">900</span>; proxy_read_timeout <span class="nu0">900</span>; send_timeout <span class="nu0">900</span>; <span class="br0">}</span> <span class="co0">#</span> <span class="co0"># These "harden" your security</span> add_header <span class="st_h">'Access-Control-Allow-Origin'</span> <span class="st0">"*"</span>; <span class="co0"># from https://gist.github.com/Stanback/7145487</span> add_header <span class="st_h">'Access-Control-Allow-Credentials'</span> <span class="st_h">'true'</span> always; add_header <span class="st_h">'Access-Control-Allow-Methods'</span> <span class="st_h">'GET, POST, PUT, DELETE, OPTIONS'</span> always; add_header <span class="st_h">'Access-Control-Allow-Headers'</span> <span class="st_h">'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Requested-With'</span> always; <span class="co0">#</span> <span class="co0"># for H5P embedding</span> <span class="co0">#add_header 'X-Frame-Options' 'ALLOW-FROM https://h5p.oeru.org';</span> <span class="co0"># required to be able to read Authorization header in frontend</span> add_header <span class="st_h">'Access-Control-Expose-Headers'</span> <span class="st_h">'Authorization'</span> always; <span class="co0"># tested at https://csp-evaluator.withgoogle.com/</span> <span class="co0"># works, but only B+ on MozOBs https://observatory.mozilla.org/analyze.html</span> add_header X-XSS-Protection <span class="st0">"1; mode=block"</span>; <span class="br0">}</span></pre></div></div> <p>Having created that file, we now have to create the <code>ssl_dhparam</code> file we referenced, staring by installing OpenSSL tools:</p> <p><code>sudo apt-get install openssl</code></p> <p>by running (warning - this can take quite a long time - like 5-15 minutes in my experience, depending on a lot of factors - the system needs to generate sufficient entropy to achieve acceptable randomness):</p> <p><code>sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096</code></p> <p>if you're short on time, you can create a key half the size far more quickly (a few seconds, typically):</p> <p><code>sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048</code></p> <p>When that's done, you should see there's a file here: <code>ls -l /etc/ssl/certs/dhparam.pem</code></p> <h3><a id="user-content-set-up-lets-encrypt-for-the-domain" href="#set-up-lets-encrypt-for-the-domain" name="set-up-lets-encrypt-for-the-domain" class="heading-permalink" aria-hidden="true" title="Permalink"></a>Set up Let's Encrypt for the domain</h3> <p>We've already written a guide to setting up and securing your domain with <a href="/node/11">Let's Encrypt</a> but here're the relevant details:</p> <p><code>sudo mkdir /etc/nginx/includes</code></p> <p>and edit the following file</p> <p><code>sudo nano /etc/nginx/includes/letsencrypt.conf</code></p> <p>to make sure it has the following content:</p> <div class="geshifilter"><div class="bash geshifilter-bash"><pre class="de1"><span class="co0"># Rule for legitimate ACME Challenge requests</span> location ^~ <span class="sy0">/</span>.well-known<span class="sy0">/</span>acme-challenge<span class="sy0">/</span> <span class="br0">{</span> default_type <span class="st0">"text/plain"</span>; <span class="co0"># this can be any directory, but this name keeps it clear</span> root <span class="sy0">/</span>var<span class="sy0">/</span>www<span class="sy0">/</span>letsencrypt; <span class="br0">}</span>   <span class="co0"># Hide /acme-challenge subdirectory and return 404 on all requests.</span> <span class="co0"># It is somewhat more secure than letting Nginx return 403.</span> <span class="co0"># Ending slash is important!</span> location = <span class="sy0">/</span>.well-known<span class="sy0">/</span>acme-challenge<span class="sy0">/</span> <span class="br0">{</span> <span class="kw3">return</span> <span class="nu0">404</span>; <span class="br0">}</span></pre></div></div> <p>Next, make sure your designated Let's Encrypt directory exists (note - you only need to do this once on a given host):</p> <p><code>sudo mkdir /var/www/letsencrypt</code></p> <p>Now, we'll make sure Nginx is aware of your configuration, which you do like this (substituting [domain name] with your domain!):</p> <p><code>sudo ln -sf /etc/nginx/sites-available/[domain name] /etc/nginx/sites-enabled</code></p> <p>then make sure Nginx is happy with your configuration syntax:</p> <p><code>sudo nginx -t</code></p> <p>and fix any typos which might've crept in. If it says your configurations are okay, then make your configuration live:</p> <p><code>sudo service nginx reload</code></p> <p>Once this is done, you can check to see if things are working properly by entering <code>http://[domain name]</code> in your browser's address bar. It <em>should</em> redirect you to <code>http**s**://[domain name]</code> <em>and</em> give you an error that there's a 'mismatch' in your certificates... which there is: my configuration approach means the server and your reverse proxy configuration are <em>temporarily</em> using the default "SnakeOil" SSL certificate pair (required to get Nginx to start in SSL mode), but your Nginx configuration is working to the extent required for us to request our Let's Encrypt certificate!</p> <p>And here's how we actually generate your SSL certificat via Let's Encrypt (replacing [domain name] as appropriate):</p> <p><code>sudo letsencrypt certonly --webroot -w /var/www/letsencrypt -d [domain name]</code></p> <p>If it works, it gratifyingly results in a message that starts with "Congratulations"! Well done if you got that! Note, if you get an error, make sure your domain is properly configured to point to your server! Also, there could be a delay in that configuration change taking effect due to the vagueries of the DNS system. If it worked, you should have a set of certificates in the directories, currently commented out with leading "#"s, in the Nginx configuration file above. You'll now need to re-edit it</p> <p><code>sudo nano /etc/nginx/sites-available/[domain name]</code></p> <p>to change it so the relevant part looks like this (again, ensuring your [domain name] is in place in the relevant locations!):</p> <div class="geshifilter"><div class="bash geshifilter-bash"><pre class="de1"> <span class="co0"># Note: these are *temporary* certificates, created when your host was set up</span> <span class="co0"># they are only in use to get Nginx to start up properly and let you create your let's encrypt certificates!</span> <span class="co0">#ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;</span> <span class="co0">#ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;</span> <span class="co0"># these will be used after we finish the Let's Encrypt process</span> ssl_certificate <span class="sy0">/</span>etc<span class="sy0">/</span>letsencrypt<span class="sy0">/</span>live<span class="sy0">/</span><span class="br0">[</span>domain name<span class="br0">]</span><span class="sy0">/</span>fullchain.pem; ssl_certificate_key <span class="sy0">/</span>etc<span class="sy0">/</span>letsencrypt<span class="sy0">/</span>live<span class="sy0">/</span><span class="br0">[</span>domain name<span class="br0">]</span><span class="sy0">/</span>privkey.pem;</pre></div></div> <p>and then we need to do our obligatory configuration test:</p> <p><code>sudo nginx -t</code></p> <p>and if Nginx is happy, reload the configuration to put it into effect:</p> <p><code>sudo service nginx reload</code></p> <p>Now, if you point your browser at <code>http://[domain name]</code>, it should automatically redirect to <code>https://[domain name]</code> without any errors, except that it won't yet have any content to show you, so you might get a 404 error, which is expected!</p> <h2><a id="user-content-step-four---get-the-code" href="#step-four---get-the-code" name="step-four---get-the-code" class="heading-permalink" aria-hidden="true" title="Permalink"></a>Step four - get the code</h2> <p>Next we have to get all the relevant code for the WordPress site and its dependencies.</p> <h3><a id="user-content-wordpress-source-code" href="#wordpress-source-code" name="wordpress-source-code" class="heading-permalink" aria-hidden="true" title="Permalink"></a>WordPress source code</h3> <p>The latest source code for WordPress is always available from <a href="https://wordpress.org/latest.tar.gz">https://wordpress.org/latest.tar.gz</a> - we'll get a copy of it now and put it in the right place:</p> <p><code>cd /home/data/[domain name]</code><br /><code>sudo wget https://wordpress.org/latest.tar.gz</code><br /><code>sudo tar xvfz latest.tar.gz &amp;&amp; sudo mv wordpress src</code></p> <p>After this, you should find a directory, <code>src</code> in your [domain name] directory. That contains all the default source code for WordPress including default themes and plugins.</p> <p>Next, we have to make sure the default theme is in place, and then set up the WordPress multisite configuration process.</p> <p>Later we'll get the assortment of third party plugins and custom OERu plugins needed to flesh out the WordPress functionality we need.</p> <h3><a id="user-content-oeru-theme" href="#oeru-theme" name="oeru-theme" class="heading-permalink" aria-hidden="true" title="Permalink"></a>OERu Theme</h3> <p>First, we'll get the OERu theme, which is specially designed to provide an accessible desktop <em>or mobile</em> experience, given that many - even a majority - of our learners are in the developing world, where mobile computing is dominant!</p> <p>We'll go to the theme directory - you should already be in <code>/home/data/[domain name]</code>. From there we go into the theme directory:</p> <p><code>cd src/wp-content/themes</code></p> <p>and we issue a <code>git clone</code> command to retrieve the latest version of the OERu theme from our git repository:</p> <p><code>sudo git clone https://git.oeru.org/oeru/oeru_course.git oeru-course</code></p> <p>Then it's time to customise our WordPress configuration.</p> <h3><a id="user-content-customise-wp-configphp" href="#customise-wp-configphp" name="customise-wp-configphp" class="heading-permalink" aria-hidden="true" title="Permalink"></a>Customise wp-config.php</h3> <p>First we need to create your wp-config.php file in your <code>src</code> directory:</p> <p><code>sudo nano wp-config.php</code></p> <p>Note: you'll need your password for Redis and a set of <strong>[wordpress keys and salts]</strong>, both of which are essentially just random numbers that are used to make you site far more secure. You can use the <a href="https://api.wordpress.org/secret-key/1.1/salt/">this link</a> to generate a set of random values suitable for copying-and-pasting into you <code>wp-config.php</code> file in your <code>src</code> directory - here's an example of the output I just requested (<strong>don't use these, generate your own</strong>):</p> <div class="geshifilter"><div class="bash geshifilter-bash"><pre class="de1">define<span class="br0">(</span><span class="st_h">'AUTH_KEY'</span>, <span class="st_h">'?4^Huc~R1=WW+T_p~.0dH$XJ`&gt;U*MoreMmZ{@tORSFG3aX37#ZS+0ou{j^DS3{f&lt;'</span><span class="br0">)</span>; define<span class="br0">(</span><span class="st_h">'SECURE_AUTH_KEY'</span>, <span class="st_h">'7.k4htjPnrA/?6JJlogA4Wp*o|,&amp;&amp;&gt;;20ppqeqHq#gI &lt;%gDz[o( hpRRB|!jws%'</span><span class="br0">)</span>; define<span class="br0">(</span><span class="st_h">'LOGGED_IN_KEY'</span>, <span class="st_h">'fTX,WkI=doAUE%?{zHp5.?fN%WWtBuy~`Scntr&lt;]I1WvlF6i=7J kjO0Z%%~Z-`N'</span><span class="br0">)</span>; define<span class="br0">(</span><span class="st_h">'NONCE_KEY'</span>, <span class="st_h">'?p&amp;]/*(G-+W!0#[&amp;Y6KKj)j Ok5QI(SUc@@rv,ivtF&gt; AR;Yv+Yu#&gt;$B$&lt;P9Ld|j'</span><span class="br0">)</span>; define<span class="br0">(</span><span class="st_h">'AUTH_SALT'</span>, <span class="st_h">'H6s2H~KP]Z7YXTFt|8[Lgz[1~5wF+PJzxR^KW$|he+9|RF/vi@}/|&lt;8bkC:w)qW%'</span><span class="br0">)</span>; define<span class="br0">(</span><span class="st_h">'SECURE_AUTH_SALT'</span>, <span class="st_h">'@- j6Kn CjP/mdbmLXtkC+&gt;1&gt;+H-8pXETlJ4+]b-9x_/t*.D}VA1w&lt;^A?0 R&lt;f+1'</span><span class="br0">)</span>; define<span class="br0">(</span><span class="st_h">'LOGGED_IN_SALT'</span>, <span class="st_h">' y9:oh)]nA$}%9N-xk1MAQN1bH 8z{UD/e~K|G5{(9y|,n2E*,KwYPIf~HwhHT J'</span><span class="br0">)</span>; define<span class="br0">(</span><span class="st_h">'NONCE_SALT'</span>, <span class="st_h">'|B?p#Q4|.=[VL8)2AX;zy-R2;x#dqIo=!C3,;OACT%-uaQ7Li5KSVSSnLahwlZ+o'</span><span class="br0">)</span>;</pre></div></div> <p>This is what your <code>wp-config.php</code> file should look like - copy and paste the following into the file, replacing the relevant [tokens] with your versions (in particular note that the above wordpress keys and salts need to go where I've got the token [wordpress keys and salts] below):</p> <div class="geshifilter"><div class="bash geshifilter-bash"><pre class="de1"><span class="sy0">&lt;</span>?php <span class="sy0">/**</span> <span class="sy0">*</span> The base configuration <span class="kw1">for</span> WordPress <span class="sy0">*</span> <span class="sy0">*</span> The wp-config.php creation script uses this <span class="kw2">file</span> during the <span class="sy0">*</span> installation. You don<span class="st_h">'t have to use the web site, you can * copy this file to "wp-config.php" and fill in the values. * * This file contains the following configurations: * * * MySQL settings * * Secret keys * * Database table prefix * * ABSPATH * * @link https://codex.wordpress.org/Editing_wp-config.php * * @package WordPress */   // ** MySQL settings - You can get this info from your web host ** // /** The name of the database for WordPress */ define('</span>DB_NAME<span class="st_h">', '</span><span class="br0">[</span>database name<span class="st_h">');   /** MySQL database username */ define('</span>DB_USER<span class="st_h">', '</span><span class="br0">[</span>database user<span class="br0">]</span><span class="st_h">');   /** MySQL database password */ define('</span>DB_PASSWORD<span class="st_h">', '</span><span class="br0">[</span>database password<span class="br0">]</span><span class="st_h">');   /** MySQL hostname */ //define('</span>DB_HOST<span class="st_h">', '</span>10.10.10.1<span class="st_h">'); define('</span>DB_HOST<span class="st_h">', '</span>172.17.0.1<span class="st_h">');   /** Database Charset to use in creating database tables. */ define('</span>DB_CHARSET<span class="st_h">', '</span>utf8mb4<span class="st_h">'); //define('</span>DB_CHARSET<span class="st_h">', '</span>utf8<span class="st_h">');   /** The Database Collate type. Don'</span>t change this <span class="kw1">if</span> <span class="kw1">in</span> doubt. <span class="sy0">*/</span> define<span class="br0">(</span><span class="st_h">'DB_COLLATE'</span>, <span class="st_h">''</span><span class="br0">)</span>;   <span class="sy0">/**</span><span class="co0">#@+</span> <span class="sy0">*</span> Authentication Unique Keys and Salts. <span class="sy0">*</span> <span class="sy0">*</span> Change these to different unique phrases<span class="sy0">!</span> <span class="sy0">*</span> You can generate these using the <span class="br0">{</span><span class="sy0">@</span><span class="kw2">link</span> https:<span class="sy0">//</span>api.wordpress.org<span class="sy0">/</span>secret-key<span class="sy0">/</span><span class="nu0">1.1</span><span class="sy0">/</span>salt<span class="sy0">/</span> WordPress.org secret-key service<span class="br0">}</span> <span class="sy0">*</span> You can change these at any point <span class="kw1">in</span> <span class="kw1">time</span> to invalidate all existing cookies. This will force all <span class="kw2">users</span> to have to log <span class="kw1">in</span> again. <span class="sy0">*</span> <span class="sy0">*</span> <span class="sy0">@</span>since 2.6.0 <span class="sy0">*/</span> <span class="br0">[</span>wordpress keys and salts<span class="br0">]</span>   <span class="sy0">/**</span> <span class="sy0">*</span> WordPress Database Table prefix. <span class="sy0">*</span> <span class="sy0">*</span> You can have multiple installations <span class="kw1">in</span> one database <span class="kw1">if</span> you give each <span class="sy0">*</span> a unique prefix. Only numbers, letters, and underscores please<span class="sy0">!</span> <span class="sy0">*/</span> <span class="re1">$table_prefix</span> = <span class="st_h">'wp_'</span>;   <span class="sy0">/**</span> <span class="sy0">*</span> For developers: WordPress debugging mode. <span class="sy0">*</span> <span class="sy0">*</span> Change this to <span class="kw2">true</span> to <span class="kw3">enable</span> the display of notices during development. <span class="sy0">*</span> It is strongly recommended that plugin and theme developers use WP_DEBUG <span class="sy0">*</span> <span class="kw1">in</span> their development environments. <span class="sy0">*</span> <span class="sy0">*</span> For information on other constants that can be used <span class="kw1">for</span> debugging, <span class="sy0">*</span> visit the Codex. <span class="sy0">*</span> <span class="sy0">*</span> <span class="sy0">@</span><span class="kw2">link</span> https:<span class="sy0">//</span>codex.wordpress.org<span class="sy0">/</span>Debugging_in_WordPress <span class="sy0">*/</span> define<span class="br0">(</span><span class="st_h">'WP_DEBUG'</span>, <span class="kw2">false</span><span class="br0">)</span>; <span class="sy0">//</span>define<span class="br0">(</span><span class="st_h">'WP_DEBUG'</span>, <span class="kw2">true</span><span class="br0">)</span>; define<span class="br0">(</span><span class="st_h">'CONCATENATE_SCRIPTS'</span>, <span class="kw2">false</span><span class="br0">)</span>; define<span class="br0">(</span><span class="st_h">'SCRIPT_DEBUG'</span>, <span class="kw2">true</span><span class="br0">)</span>; define<span class="br0">(</span><span class="st_h">'WP_DEBUG'</span>, <span class="kw2">true</span><span class="br0">)</span>; define<span class="br0">(</span><span class="st_h">'WP_DISABLE_FATAL_ERROR_HANDLER'</span>, <span class="kw2">true</span> <span class="br0">)</span>; <span class="sy0">//</span> <span class="nu0">5.2</span> and later   <span class="sy0">/*</span> We are behind a reverse proxy <span class="sy0">*/</span> <span class="kw1">if</span> <span class="br0">(</span>isset<span class="br0">(</span><span class="re1">$_SERVER</span><span class="br0">[</span><span class="st_h">'HTTP_X_FORWARDED_FOR'</span><span class="br0">]</span><span class="br0">)</span><span class="br0">)</span> <span class="br0">{</span> <span class="re1">$forwarded_address</span> = explode<span class="br0">(</span><span class="st_h">','</span>, <span class="re1">$_SERVER</span><span class="br0">[</span><span class="st_h">'HTTP_X_FORWARDED_FOR'</span><span class="br0">]</span><span class="br0">)</span>; <span class="re1">$_SERVER</span><span class="br0">[</span><span class="st_h">'REMOTE_ADDR'</span><span class="br0">]</span> = <span class="re1">$forwarded_address</span><span class="br0">[</span><span class="nu0">0</span><span class="br0">]</span>; <span class="br0">}</span> <span class="kw1">if</span> <span class="br0">(</span>isset<span class="br0">(</span><span class="re1">$_SERVER</span><span class="br0">[</span><span class="st_h">'HTTP_X_FORWARDED_PROTO'</span><span class="br0">]</span><span class="br0">)</span> <span class="sy0">&amp;&amp;</span> <span class="re1">$_SERVER</span><span class="br0">[</span><span class="st_h">'HTTP_X_FORWARDED_PROTO'</span><span class="br0">]</span> == <span class="st_h">'https'</span><span class="br0">)</span> <span class="br0">{</span> <span class="re1">$_SERVER</span><span class="br0">[</span><span class="st_h">'HTTPS'</span><span class="br0">]</span> = <span class="st_h">'on'</span>; <span class="br0">}</span>   <span class="sy0">/*</span> Disable the default <span class="st_h">'ad hoc'</span> cron mechanism. We<span class="st_h">'ll use actual cron instead. */ define('</span>DISABLE_WP_CRON<span class="st_h">', true);   /* That'</span>s all, stop editing<span class="sy0">!</span> Happy blogging. <span class="sy0">*/</span>   <span class="sy0">/**</span> Absolute path to the WordPress directory. <span class="sy0">*/</span> <span class="kw1">if</span> <span class="br0">(</span> <span class="sy0">!</span>defined<span class="br0">(</span><span class="st_h">'ABSPATH'</span><span class="br0">)</span> <span class="br0">)</span> define<span class="br0">(</span><span class="st_h">'ABSPATH'</span>, <span class="kw2">dirname</span><span class="br0">(</span>__FILE__<span class="br0">)</span> . <span class="st_h">'/'</span><span class="br0">)</span>;   <span class="sy0">/*</span> Multisite <span class="sy0">*/</span> <span class="sy0">//</span> see https:<span class="sy0">//</span>wordpress.org<span class="sy0">/</span>support<span class="sy0">/</span>article<span class="sy0">/</span>create-a-network<span class="sy0">/</span> define<span class="br0">(</span><span class="st_h">'WP_ALLOW_MULTISITE'</span>, <span class="kw2">true</span><span class="br0">)</span>; <span class="sy0">/*</span>define<span class="br0">(</span><span class="st_h">'MULTISITE'</span>, <span class="kw2">true</span><span class="br0">)</span>; define<span class="br0">(</span><span class="st_h">'SUBDOMAIN_INSTALL'</span>, <span class="kw2">false</span><span class="br0">)</span>; define<span class="br0">(</span><span class="st_h">'DOMAIN_CURRENT_SITE'</span>, <span class="st_h">'[domain name]'</span><span class="br0">)</span>; define<span class="br0">(</span><span class="st_h">'PATH_CURRENT_SITE'</span>, <span class="st_h">'/'</span><span class="br0">)</span>; define<span class="br0">(</span><span class="st_h">'SITE_ID_CURRENT_SITE'</span>, <span class="nu0">1</span><span class="br0">)</span>; define<span class="br0">(</span><span class="st_h">'BLOG_ID_CURRENT_SITE'</span>, <span class="nu0">1</span><span class="br0">)</span>;<span class="sy0">*/</span>   <span class="sy0">/*</span> disable trash, immediately permanently delete <span class="sy0">*/</span> define<span class="br0">(</span><span class="st_h">'EMPTY_TRASH_DAYS'</span>, <span class="nu0">0</span><span class="br0">)</span>; <span class="sy0">/*</span> <span class="kw1">set</span> the default theme <span class="kw1">for</span> the network <span class="sy0">*/</span> define<span class="br0">(</span><span class="st_h">'WP_DEFAULT_THEME'</span>, <span class="st_h">'oeru_course'</span><span class="br0">)</span>;   <span class="sy0">/**</span> Caching-related configuration <span class="sy0">*/</span> <span class="sy0">/**</span> Redis <span class="sy0">*/</span> define<span class="br0">(</span><span class="st_h">'WP_REDIS_HOST'</span>, <span class="st_h">'redis'</span><span class="br0">)</span>; define<span class="br0">(</span><span class="st_h">'WP_REDIS_PASSWORD'</span>, <span class="st_h">'[redis password]'</span><span class="br0">)</span>; define<span class="br0">(</span><span class="st_h">'WP_REDIS_PATH'</span>, <span class="st_h">'/tmp/cache'</span><span class="br0">)</span>;   <span class="sy0">/*</span> WEnotes plugin configuration, commented out by default <span class="sy0">*/</span> <span class="sy0">/*</span> this is optional<span class="br0">(</span><span class="sy0">!!</span><span class="br0">)</span> - only use <span class="kw1">if</span> you<span class="st_h">'re deploying the OERu WEnotes stack - contact us if you want help! */ /*define('</span>WENOTES_HOST<span class="st_h">', '</span><span class="br0">[</span>couchdb host<span class="br0">]</span><span class="st_h">'); define('</span>WENOTES_PORT<span class="st_h">', '</span><span class="nu0">80</span><span class="st_h">'); define('</span>WENOTES_DB<span class="st_h">', '</span><span class="br0">[</span>couchdb mention database<span class="br0">]</span><span class="st_h">'); define('</span>WENOTES_USER<span class="st_h">', '</span><span class="br0">[</span>couchdb user<span class="br0">]</span><span class="st_h">'); define('</span>WENOTES_PASS<span class="st_h">', '</span><span class="br0">[</span>couchdb password<span class="br0">]</span><span class="st_h">');*/   // go to /wp-admin/maint/repair.php to see if a repair is needed... //define( '</span>WP_ALLOW_REPAIR<span class="st_h">', true );     /** Sets up WordPress vars and included files. */ require_once(ABSPATH . '</span>wp-settings.php<span class="st_h">');</span></pre></div></div> <h2><a id="user-content-step-five---set-up-docker-compose-for-the-site" href="#step-five---set-up-docker-compose-for-the-site" name="step-five---set-up-docker-compose-for-the-site" class="heading-permalink" aria-hidden="true" title="Permalink"></a>Step five - set up Docker Compose for the site</h2> <p>The recipe for the four Docker containers that together provide the WordPress multisite service is pretty straightforward. All you need to do is go into <code>/home/docker/[domain name]</code> and</p> <p><code>sudo nano docker-compose.yml</code></p> <p>and enter the following, replacing the [tokens] as usual - note, if you don't have the <em>same value</em> for [port] specified below as you do in your 'reverse proxy' configuration above, <em>nothing</em> will work:</p> <div class="geshifilter"><div class="bash geshifilter-bash"><pre class="de1">version: <span class="st0">"3"</span>   services: redis: image: redis:alpine command: redis-server <span class="re5">--requirepass</span> <span class="br0">[</span>redis password<span class="br0">]</span> networks: default: aliases: - redis.<span class="br0">[</span>domain name<span class="br0">]</span> php: image: oeru<span class="sy0">/</span>php74-fpm-wpms links: - redis volumes: - <span class="sy0">/</span>home<span class="sy0">/</span>data<span class="sy0">/</span><span class="br0">[</span>domain name<span class="br0">]</span><span class="sy0">/</span>src:<span class="sy0">/</span>var<span class="sy0">/</span>www<span class="sy0">/</span>html environment: - <span class="re2">SMTP_HOST</span>=<span class="br0">[</span>smtp host<span class="br0">]</span> - <span class="re2">SMTP_PORT</span>=<span class="nu0">587</span> - <span class="re2">SMTP_REPLYTO_EMAIL</span>=<span class="br0">[</span>smtp reply-to email address<span class="br0">]</span> - <span class="re2">SMTP_AUTH_USER</span>=<span class="br0">[</span>smtp user<span class="br0">]</span> - <span class="re2">SMTP_AUTH_PASSWORD</span>=<span class="br0">[</span>smtp password<span class="br0">]</span> restart: unless-stopped networks: default: aliases: - <span class="br0">[</span>domain name<span class="br0">]</span> nginx: image: oeru<span class="sy0">/</span>nginx-buster-wp links: - php - redis ports: - <span class="st0">"127.0.0.1:[port]:80"</span> volumes: - <span class="sy0">/</span>home<span class="sy0">/</span>data<span class="sy0">/</span><span class="br0">[</span>domain name<span class="br0">]</span><span class="sy0">/</span>nginx<span class="sy0">/</span>conf.d:<span class="sy0">/</span>etc<span class="sy0">/</span>nginx<span class="sy0">/</span>conf.d - <span class="sy0">/</span>home<span class="sy0">/</span>data<span class="sy0">/</span><span class="br0">[</span>domain name<span class="br0">]</span><span class="sy0">/</span>nginx<span class="sy0">/</span>cache:<span class="sy0">/</span>var<span class="sy0">/</span>cache<span class="sy0">/</span>nginx - <span class="sy0">/</span>home<span class="sy0">/</span>data<span class="sy0">/</span><span class="br0">[</span>domain name<span class="br0">]</span><span class="sy0">/</span>src:<span class="sy0">/</span>var<span class="sy0">/</span>www<span class="sy0">/</span>html restart: unless-stopped networks: default: aliases: - nginx.<span class="br0">[</span>domain name<span class="br0">]</span> cron: image: oeru<span class="sy0">/</span>php74-fpm-wpms-cron links: - php - nginx volumes: - <span class="sy0">/</span>home<span class="sy0">/</span>data<span class="sy0">/</span><span class="br0">[</span>domain name<span class="br0">]</span><span class="sy0">/</span>src:<span class="sy0">/</span>var<span class="sy0">/</span>www<span class="sy0">/</span>html environment: - <span class="re2">SMTP_HOST</span>=<span class="br0">[</span>smtp host<span class="br0">]</span> - <span class="re2">SMTP_PORT</span>=<span class="nu0">587</span> - <span class="re2">SMTP_REPLYTO_EMAIL</span>=<span class="br0">[</span>smtp reply-to email address<span class="br0">]</span> - <span class="re2">SMTP_AUTH_USER</span>=<span class="br0">[</span>smtp user<span class="br0">]</span> - <span class="re2">SMTP_AUTH_PASSWORD</span>=<span class="br0">[</span>smtp password<span class="br0">]</span> restart: unless-stopped networks: default: aliases: - cron.<span class="br0">[</span>domain name<span class="br0">]</span></pre></div></div> <h3><a id="user-content-create-the-nginx-containers-configuration" href="#create-the-nginx-containers-configuration" name="create-the-nginx-containers-configuration" class="heading-permalink" aria-hidden="true" title="Permalink"></a>Create the NGINX container's configuration</h3> <p>In our Docker Compose file, we've specified that our NGINX container will have its configuration in <code>/home/data/[domain name]/nginx/conf.d</code>, so let's put it there.</p> <p>Run the following:</p> <p><code>sudo mkdir -p /home/data/[domain name]/nginx/conf.d</code></p> <p>to create the relevant directories, and then create the default configuration for the container:</p> <p><code>sudo nano /home/data/[domain name]/nginx/conf.d/default.conf</code></p> <p>Copy and paste this</p> <div class="geshifilter"><div class="bash geshifilter-bash"><pre class="de1"><span class="co0"># Caching configuration</span> <span class="co0"># https://easyengine.io/wordpress-nginx/tutorials/multisite/subdirectories/fastcgi-cache-with-purging/</span> <span class="co0">#</span> fastcgi_cache_path <span class="sy0">/</span>var<span class="sy0">/</span>cache<span class="sy0">/</span>nginx <span class="re2">levels</span>=<span class="nu0">1</span>:<span class="nu0">2</span> <span class="re2">keys_zone</span>=WORDPRESS:500m <span class="re2">inactive</span>=60m; fastcgi_cache_key <span class="st0">"<span class="es2">$scheme</span><span class="es2">$request_method</span><span class="es2">$host</span><span class="es2">$request_uri</span>"</span>; fastcgi_cache_use_stale error timeout invalid_header http_500;   <span class="co0"># from https://www.nginx.com/resources/wiki/start/topics/recipes/wordpress/</span> <span class="co0">#</span> <span class="co0"># using subdir approach, not subdomain...</span> map <span class="re1">$uri</span> <span class="re1">$blogname</span><span class="br0">{</span> ~^<span class="br0">(</span>?P<span class="sy0">&lt;</span>blogpath<span class="sy0">&gt;/</span><span class="br0">[</span>^<span class="sy0">/</span><span class="br0">]</span>+<span class="sy0">/</span><span class="br0">)</span>files<span class="sy0">/</span><span class="br0">(</span>.<span class="sy0">*</span><span class="br0">)</span> <span class="re1">$blogpath</span> ; <span class="br0">}</span>   map <span class="re1">$blogname</span> <span class="re1">$blogid</span><span class="br0">{</span> default <span class="re5">-999</span>; <span class="co0">#Ref: http://wordpress.org/extend/plugins/nginx-helper/</span> include <span class="sy0">/</span>var<span class="sy0">/</span>www<span class="sy0">/</span>html<span class="sy0">/</span>wp-content<span class="sy0">/</span>uploads<span class="sy0">/</span>nginx-helper<span class="sy0">/</span>map.conf; <span class="br0">}</span>   <span class="co0"># statements for each of your virtual hosts to this file</span> server <span class="br0">{</span> listen <span class="nu0">80</span>; root <span class="sy0">/</span>var<span class="sy0">/</span>www<span class="sy0">/</span>html; index index.php index.html index.htm;   <span class="co0">#</span> <span class="co0"># Caching configuration</span> <span class="co0">#</span> <span class="co0">#fastcgi_cache start</span> <span class="kw1">set</span> <span class="re1">$skip_cache</span> <span class="nu0">1</span>;   <span class="co0"># POST requests and urls with a query string should always go to PHP</span> <span class="kw1">if</span> <span class="br0">(</span><span class="re1">$request_method</span> = POST<span class="br0">)</span> <span class="br0">{</span> <span class="kw1">set</span> <span class="re1">$skip_cache</span> <span class="nu0">1</span>; <span class="br0">}</span> <span class="kw1">if</span> <span class="br0">(</span><span class="re1">$query_string</span> <span class="sy0">!</span>= <span class="st0">""</span><span class="br0">)</span> <span class="br0">{</span> <span class="kw1">set</span> <span class="re1">$skip_cache</span> <span class="nu0">1</span>; <span class="br0">}</span>   <span class="co0"># Don't cache uris containing the following segments</span> <span class="kw1">if</span> <span class="br0">(</span><span class="re1">$request_uri</span> ~<span class="sy0">*</span> <span class="st0">"(/wp-admin/|/xmlrpc.php|/wp-(app|cron|login|register|mail).php|wp-.*.php|/feed/|index.php|wp-comments-popup.php|wp-links-opml.php|wp-locations.php|sitemap(_index)?.xml|[a-z0-9_-]+-sitemap([0-9]+)?.xml)"</span><span class="br0">)</span> <span class="br0">{</span> <span class="kw1">set</span> <span class="re1">$skip_cache</span> <span class="nu0">1</span>; <span class="br0">}</span> <span class="co0"># Don't use the cache for logged in users or recent commenters</span> <span class="kw1">if</span> <span class="br0">(</span><span class="re1">$http_cookie</span> ~<span class="sy0">*</span> <span class="st0">"comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in"</span><span class="br0">)</span> <span class="br0">{</span> <span class="kw1">set</span> <span class="re1">$skip_cache</span> <span class="nu0">1</span>; <span class="br0">}</span> <span class="co0"># end main Caching functionality</span>   <span class="co0">#</span> <span class="co0"># Flow of serving pages</span> <span class="co0">#</span> <span class="co0"># from https://www.nginx.com/resources/wiki/start/topics/recipes/wordpress/</span>   <span class="co0">#avoid php readfile()</span> location ^~ <span class="sy0">/</span>blogs.dir <span class="br0">{</span> internal; <span class="kw3">alias</span> <span class="sy0">/</span>var<span class="sy0">/</span>www<span class="sy0">/</span>html<span class="sy0">/</span>wp-content<span class="sy0">/</span>blogs.dir; access_log off; log_not_found off; expires max; <span class="br0">}</span>   <span class="kw1">if</span> <span class="br0">(</span><span class="sy0">!</span>-e <span class="re1">$request_filename</span><span class="br0">)</span> <span class="br0">{</span> rewrite <span class="sy0">/</span>wp-admin$ <span class="re1">$scheme</span>:<span class="sy0">//</span><span class="re1">$host</span><span class="re1">$uri</span><span class="sy0">/</span> permanent; rewrite ^<span class="br0">(</span><span class="sy0">/</span><span class="br0">[</span>^<span class="sy0">/</span><span class="br0">]</span>+<span class="br0">)</span>?<span class="br0">(</span><span class="sy0">/</span>wp-.<span class="sy0">*</span><span class="br0">)</span> <span class="re4">$2</span> <span class="kw2">last</span>; rewrite ^<span class="br0">(</span><span class="sy0">/</span><span class="br0">[</span>^<span class="sy0">/</span><span class="br0">]</span>+<span class="br0">)</span>?<span class="br0">(</span><span class="sy0">/</span>.<span class="sy0">*</span>\.php<span class="br0">)</span> <span class="re4">$2</span> <span class="kw2">last</span>; <span class="br0">}</span>   <span class="co0"># from https://www.digitalocean.com/community/tutorials/how-to-install-wordpress-with-nginx-on-ubuntu-14-04</span> <span class="co0"># with other bits from https://premium.wpmudev.org/blog/wordpress-multisite-wordpress-nginx/</span> location <span class="sy0">/</span> <span class="br0">{</span> try_files <span class="re1">$uri</span> <span class="re1">$uri</span><span class="sy0">/</span> <span class="sy0">/</span>index.php?<span class="re1">$args</span>; <span class="br0">}</span> error_page <span class="nu0">404</span> <span class="sy0">/</span><span class="nu0">404</span>.html;   <span class="co0"># Directives to send expires headers and turn off 404 error logging.</span> location ~<span class="sy0">*</span> ^.+\.<span class="br0">(</span>xml<span class="sy0">|</span>ogg<span class="sy0">|</span>ogv<span class="sy0">|</span>svg<span class="sy0">|</span>svgz<span class="sy0">|</span>eot<span class="sy0">|</span>otf<span class="sy0">|</span>woff<span class="sy0">|</span>mp4<span class="sy0">|</span>ttf<span class="sy0">|</span>css<span class="sy0">|</span>rss<span class="sy0">|</span>atom<span class="sy0">|</span>js<span class="sy0">|</span>jpg<span class="sy0">|</span>jpeg<span class="sy0">|</span>gif<span class="sy0">|</span>png<span class="sy0">|</span>ico<span class="sy0">|</span><span class="kw2">zip</span><span class="sy0">|</span>tgz<span class="sy0">|</span>gz<span class="sy0">|</span>rar<span class="sy0">|</span>bz2<span class="sy0">|</span>doc<span class="sy0">|</span>xls<span class="sy0">|</span>exe<span class="sy0">|</span>ppt<span class="sy0">|</span><span class="kw2">tar</span><span class="sy0">|</span>mid<span class="sy0">|</span>midi<span class="sy0">|</span>wav<span class="sy0">|</span>bmp<span class="sy0">|</span>rtf<span class="br0">)</span>$ <span class="br0">{</span> access_log off; log_not_found off; expires max; <span class="br0">}</span>   location ~ \.php$ <span class="br0">{</span> try_files <span class="re1">$uri</span> =<span class="nu0">404</span>; fastcgi_pass php:<span class="nu0">9000</span>; fastcgi_split_path_info ^<span class="br0">(</span>.+\.php<span class="br0">)</span><span class="br0">(</span><span class="sy0">/</span>.+<span class="br0">)</span>$; fastcgi_keep_conn on; fastcgi_index index.php; include fastcgi_params; fastcgi_param SCRIPT_FILENAME <span class="re1">$document_root</span><span class="re1">$fastcgi_script_name</span>; fastcgi_param PATH_INFO <span class="re1">$fastcgi_path_info</span>; fastcgi_intercept_errors on; fastcgi_buffer_size 128k; fastcgi_buffers <span class="nu0">256</span> 16k; fastcgi_busy_buffers_size 256k; fastcgi_temp_file_write_size 256k; fastcgi_read_timeout <span class="nu0">500</span>; <span class="co0">#</span> <span class="co0"># caching functionality</span> fastcgi_cache_bypass <span class="re1">$skip_cache</span>; fastcgi_no_cache <span class="re1">$skip_cache</span>; fastcgi_cache WORDPRESS; fastcgi_cache_valid 60m; <span class="br0">}</span> <span class="co0">#</span> <span class="co0"># caching functionality</span> location ~ <span class="sy0">/</span>purge<span class="br0">(</span><span class="sy0">/</span>.<span class="sy0">*</span><span class="br0">)</span> <span class="br0">{</span> fastcgi_cache_purge WORDPRESS <span class="st0">"<span class="es2">$scheme</span><span class="es2">$request_method</span><span class="es2">$host</span>$1"</span>; <span class="br0">}</span> location = <span class="sy0">/</span>favicon.ico <span class="br0">{</span> log_not_found off; access_log off; <span class="br0">}</span> location = <span class="sy0">/</span>robots.txt <span class="br0">{</span> allow all; log_not_found off; access_log off; <span class="br0">}</span> location ~ ^<span class="br0">(</span><span class="sy0">/</span><span class="br0">[</span>^<span class="sy0">/</span><span class="br0">]</span>+<span class="sy0">/</span><span class="br0">)</span>?files<span class="sy0">/</span><span class="br0">(</span>.+<span class="br0">)</span> <span class="br0">{</span> try_files <span class="sy0">/</span>wp-content<span class="sy0">/</span>blogs.dir<span class="sy0">/</span><span class="re1">$blogid</span><span class="sy0">/</span>files<span class="sy0">/</span><span class="re4">$2</span> <span class="sy0">/</span>wp-includes<span class="sy0">/</span>ms-files.php?<span class="re2">file</span>=<span class="re4">$2</span> ; access_log off; log_not_found off; expires max; <span class="br0">}</span> <span class="br0">}</span></pre></div></div> <p>and save and exit the file.</p> <p>And now we have to create the following directory and file:</p> <p><code>sudo mkdir -p /home/data/[domain name]/src/wp-content/uploads/nginx-helper</code></p> <p><code>sudo touch /home/data/[domain name]/src/wp-content/uploads/nginx-helper/map.conf</code></p> <p>Once that's done, we're ready to launch our containers... Phew.</p> <h3><a id="user-content-launch-containers" href="#launch-containers" name="launch-containers" class="heading-permalink" aria-hidden="true" title="Permalink"></a>Launch containers</h3> <p>Once that's done you can download the relevant containers (you may need to set up an account on <a href="https://hub.docker.com">https://hub.docker.com</a> first - do that and then run <code>docker login</code> before doing the following):</p> <p><code>docker-compose pull &amp;&amp; docker-compose up -d &amp;&amp; docker-compose logs -f</code></p> <p>which will show you the combined logs of the four containers and should give you some insights if something goes wrong. If all is well, you can type <code>CTRL-C</code> to exit it. The Docker containers (to see what's running, you can run <code>docker-compose ps</code>) will run until you explicitly stop them (<code>docker-compose stop</code>). Unless you stop them prior to lock down, they will automatically restart anytime your server reboots.</p> <h2><a id="user-content-step-six---set-up-your-site" href="#step-six---set-up-your-site" name="step-six---set-up-your-site" class="heading-permalink" aria-hidden="true" title="Permalink"></a>Step Six - set up your site</h2> <h3><a id="user-content-install-wordpress" href="#install-wordpress" name="install-wordpress" class="heading-permalink" aria-hidden="true" title="Permalink"></a>Install WordPress</h3> <p>You should now be able to point your browser at <code>https://[your domain]</code> and you should automatically be redirected to the WordPress site install script, with all the database details already entered. You'll need to fill in the configuration fields and create an admin user.</p> <h3><a id="user-content-enable-the-oeru-course-theme" href="#enable-the-oeru-course-theme" name="enable-the-oeru-course-theme" class="heading-permalink" aria-hidden="true" title="Permalink"></a>Enable the OERu Course theme</h3> <p>You should already be in the <code>/home/docker/[domain name]</code> directory, but if not,</p> <p><code>cd /home/docker/[domain name]</code></p> <p>and then you can enable the OERu Course theme, <code>oeru-course</code>, using WordPress's command line utility, <code>wp</code>, via your PHP container:</p> <p><code>docker-compose exec -u www-data php wp theme enable oeru-course</code></p> <p>You should get the message <code>Success: Enabled the 'OERu Course' theme.</code> if all went well.</p> <h3><a id="user-content-create-an-admin-user" href="#create-an-admin-user" name="create-an-admin-user" class="heading-permalink" aria-hidden="true" title="Permalink"></a>Create an admin user</h3> <p>Your admin user should probably be an account not normally used by a person. I usually create an admin user with a username of 'admin', a random password (using pwgen as above) and a role-based email like webmaster@[domain name] (if your domain name has email services) or some similarly useful generic email (using that protects against the 'tyranny of the individual', e.g. if you leave the organisation in whose interest you're setting up this site, and those left behind will have to make sense of this site and keep it running!</p> <p>Later one, if you want to log into the site, you can always get a login prompt by going to https://[domain name]/admin/ ...</p> <h3><a id="user-content-enable-multisite" href="#enable-multisite" name="enable-multisite" class="heading-permalink" aria-hidden="true" title="Permalink"></a>Enable multisite</h3> <p>The WordPress configuration we've set up in the wp-config.php file should have enabled the inbuilt functionality for enabling 'multisite' mode (or 'network', as it used to be called, i.e. for a "Network of Blogs", back when WordPress was more exclusively used for blogging). <a href="https://wordpress.org/support/article/create-a-network/">WordPress developer documentation on 'Creating a network'</a> might be a useful reference if you run into any trouble.</p> <p>Logged in as your admin user, in the admin menu structure go to Administration &gt;Tools &gt; Network Setup</p> <p>You will be asked ot provide your Network Title and Network Admin Email (which can be the same as your current admin email).</p> <p>You will also be asked whether you want to use the 'Sub-domains' or 'Sub-directories' structure for your network. Select the <strong>Sub-directories</strong> option (you will need to make changes your Nginx configurations and the wp-config.php configuration to use Sub-domains, which are beyond the scope of this howto), which means that each of your subsites will have a separate directory under your main site [domain name]. For example, on the OERu Course site, course.oeru.org, the Learning in a Digital Age 101 course sub-site is course.oeru.org/lida101. If you chose to use the Sub-domain option, you would instead reference that course as lida101.course.oeru.org.</p> <p>Once you've enabled multisite, you need to update your wp-config.php -</p> <p><code>sudo nano wp-config.php</code></p> <p>and make the following change, to comment out the WP_ALLOW_MULTISITE variable, and uncomment the various MULTISITE-related settings:</p> <div class="geshifilter"><div class="bash geshifilter-bash"><pre class="de1"><span class="sy0">/*</span> Multisite <span class="sy0">*/</span> <span class="sy0">//</span> see https:<span class="sy0">//</span>wordpress.org<span class="sy0">/</span>support<span class="sy0">/</span>article<span class="sy0">/</span>create-a-network<span class="sy0">/</span> <span class="sy0">//</span>define<span class="br0">(</span><span class="st_h">'WP_ALLOW_MULTISITE'</span>, <span class="kw2">true</span><span class="br0">)</span>; define<span class="br0">(</span><span class="st_h">'MULTISITE'</span>, <span class="kw2">true</span><span class="br0">)</span>; define<span class="br0">(</span><span class="st_h">'SUBDOMAIN_INSTALL'</span>, <span class="kw2">false</span><span class="br0">)</span>; define<span class="br0">(</span><span class="st_h">'DOMAIN_CURRENT_SITE'</span>, <span class="st_h">'[domain name]'</span><span class="br0">)</span>; define<span class="br0">(</span><span class="st_h">'PATH_CURRENT_SITE'</span>, <span class="st_h">'/'</span><span class="br0">)</span>; define<span class="br0">(</span><span class="st_h">'SITE_ID_CURRENT_SITE'</span>, <span class="nu0">1</span><span class="br0">)</span>; define<span class="br0">(</span><span class="st_h">'BLOG_ID_CURRENT_SITE'</span>, <span class="nu0">1</span><span class="br0">)</span>;</pre></div></div> <p>After you've saved that, and refreshed the page on your WordPress site, you should be looking at a fully functioning multisite!</p> <h3><a id="user-content-enable-the-relevant-plugins" href="#enable-the-relevant-plugins" name="enable-the-relevant-plugins" class="heading-permalink" aria-hidden="true" title="Permalink"></a>Enable the relevant plugins</h3> <h3><a id="user-content-third-party-plugins" href="#third-party-plugins" name="third-party-plugins" class="heading-permalink" aria-hidden="true" title="Permalink"></a>Third Party plugins</h3> <p>Now we need to get the specific OERu plugins that are not (yet) available through the WordPress plugin site.</p> <p>The ones we use by default are</p> <p><code> advanced-responsive-video-embedder, check-email, disable-comments, h5p, hypothesis, redis-cache, safe-redirect-manager, unconfirmed, wp-security-audit-log</code></p> <p>As we did with the OERu Course theme, we'll install and active these plugins using WordPress's command line utility, <code>wp</code>, via your PHP container:</p> <p><code>cd /home/docker/[domain name]</code></p> <p>you can see the names of all your running containers by running this:</p> <p><code>docker-compose ps</code></p> <p>and you can download and activate all these plugins in 'network' (aka multisite) mode like this:</p> <div class="geshifilter"><div class="bash geshifilter-bash"><pre class="de1">docker-compose <span class="kw3">exec</span> <span class="re5">-u</span> www-data php wp plugin <span class="kw2">install</span> advanced-responsive-video-embedder <span class="re5">--activate-network</span> docker-compose <span class="kw3">exec</span> <span class="re5">-u</span> www-data php wp plugin <span class="kw2">install</span> check-email <span class="re5">--activate-network</span> docker-compose <span class="kw3">exec</span> <span class="re5">-u</span> www-data php wp plugin <span class="kw2">install</span> disable-comments <span class="re5">--activate-network</span> docker-compose <span class="kw3">exec</span> <span class="re5">-u</span> www-data php wp plugin <span class="kw2">install</span> h5p <span class="re5">--activate-network</span> docker-compose <span class="kw3">exec</span> <span class="re5">-u</span> www-data php wp plugin <span class="kw2">install</span> hypothesis <span class="re5">--activate-network</span> docker-compose <span class="kw3">exec</span> <span class="re5">-u</span> www-data php wp plugin <span class="kw2">install</span> redis-cache <span class="re5">--activate-network</span> docker-compose <span class="kw3">exec</span> <span class="re5">-u</span> www-data php wp plugin <span class="kw2">install</span> safe-redirect-manager <span class="re5">--activate-network</span> docker-compose <span class="kw3">exec</span> <span class="re5">-u</span> www-data php wp plugin <span class="kw2">install</span> unconfirmed <span class="re5">--activate-network</span> docker-compose <span class="kw3">exec</span> <span class="re5">-u</span> www-data php wp plugin <span class="kw2">install</span> wp-security-audit-log <span class="re5">--activate-network</span></pre></div></div> <p>These plugins should work as required without any specific configuration, but you're welcome to have a look at what they're doing and tweak them as you see fit.</p> <h3><a id="user-content-oeru-plugins" href="#oeru-plugins" name="oeru-plugins" class="heading-permalink" aria-hidden="true" title="Permalink"></a>OERu plugins</h3> <p>The final step is to install and enable the custom-developed plugins required to make this WordPress installation meet the requirements of an OERu Course site.</p> <p>At the OERu (and the OER Foundation, who coordinates the OERu and employs me) we make extensive use of Git to manage our source code and to deploy it on our various servers. We'll use it here.</p> <p>You'll need to go back to the plugin directory:</p> <p><code>cd /home/data/[domain name]/src/wp-content/plugins</code></p> <p>and run the following:</p> <div class="geshifilter"><div class="bash geshifilter-bash"><pre class="de1"><span class="kw2">sudo</span> <span class="kw2">git clone</span> https:<span class="sy0">//</span>git.oeru.org<span class="sy0">/</span>oeru<span class="sy0">/</span>blog-feed-finder.git blog-feed-finder <span class="kw2">sudo</span> <span class="kw2">git clone</span> https:<span class="sy0">//</span>git.oeru.org<span class="sy0">/</span>oeru<span class="sy0">/</span>oeru-h5p-tools.git oeru-h5p-tools <span class="kw2">sudo</span> <span class="kw2">git clone</span> https:<span class="sy0">//</span>git.oeru.org<span class="sy0">/</span>oeru<span class="sy0">/</span>register-enrol.git register-enrol <span class="kw2">sudo</span> <span class="kw2">git clone</span> https:<span class="sy0">//</span>git.oeru.org<span class="sy0">/</span>oeru<span class="sy0">/</span>wenotes.git wenotes <span class="kw2">sudo</span> <span class="kw2">git clone</span> https:<span class="sy0">//</span>git.oeru.org<span class="sy0">/</span>oeru<span class="sy0">/</span>wpms-activity-register.git wpms-activity-register <span class="kw2">sudo</span> <span class="kw2">git clone</span> https:<span class="sy0">//</span>git.oeru.org<span class="sy0">/</span>oeru<span class="sy0">/</span>wpms-mautic.git wpms-mautic</pre></div></div> <p>and the WEnotes plugin has a further dependency, our WEnotes Aggregator code.</p> <div class="geshifilter"><div class="bash geshifilter-bash"><pre class="de1"><span class="kw3">cd</span> wenotes <span class="kw2">sudo</span> <span class="kw2">git clone</span> https:<span class="sy0">//</span>git.oeru.org<span class="sy0">/</span>oeru<span class="sy0">/</span>wenotes-aggregator.git wenotes-aggregator</pre></div></div> <p>We need ot make sure the plugins are all readable by the webserver, so</p> <p><code>cd .. &amp;&amp; sudo chown -R www-data ../plugins</code></p> <p>And we have to make a couple tweaks to configurations of a couple plugins.</p> <h4><a id="user-content-wenotes-tweaks" href="#wenotes-tweaks" name="wenotes-tweaks" class="heading-permalink" aria-hidden="true" title="Permalink"></a>WEnotes tweaks</h4> <p>You'll want to set your WENOTES_SOURCE_NAME and WENOTES_SOURCE_URL so that your WEnotes are properly attributed.</p> <p>[geshifilter-]cd /home/data/[domain name]/src/wp-content/plugins sudo nano wenotes/wenotes.php [/geshifilter-]</p> <p>and edit the following values (between the ' ') to be suitable for your organisation! Put in your preferred URL as well.</p> <div class="geshifilter"><div class="bash geshifilter-bash"><pre class="de1">define<span class="br0">(</span><span class="st_h">'WENOTES_SOURCE_NAME'</span>, <span class="st_h">'OERu Course Site'</span><span class="br0">)</span>; define<span class="br0">(</span><span class="st_h">'WENOTES_SOURCE_URL'</span>, <span class="st_h">'course.oeru.org'</span><span class="br0">)</span>;</pre></div></div> <h4><a id="user-content-register-enrol-tweaks" href="#register-enrol-tweaks" name="register-enrol-tweaks" class="heading-permalink" aria-hidden="true" title="Permalink"></a>Register Enrol tweaks</h4> <p>Similarly, you are likely to want to change the following settings in the Register Enrol plugin configuration to reflect your site and organisation. First, edit <code>register-enrol.php</code></p> <p><code>sudo nano register-enrol/register-enrol.php</code></p> <p>and alter the following values (between the ' ') to suit (we don't recommend change other settings unless you know what you're doing!):</p> <div class="geshifilter"><div class="bash geshifilter-bash"><pre class="de1"><span class="sy0">//</span> support <span class="kw2">link</span> <span class="kw1">for</span> <span class="kw2">users</span> of this plugin... define<span class="br0">(</span><span class="st_h">'ORE_SUPPORT_FORUM'</span>, <span class="st_h">'https://forums.oeru.org/t/register-enrol'</span><span class="br0">)</span>; define<span class="br0">(</span><span class="st_h">'ORE_SUPPORT_BLOG'</span>, <span class="st_h">'https://course.oeru.org/support/studying-courses/register-enrol/'</span><span class="br0">)</span>; define<span class="br0">(</span><span class="st_h">'ORE_SUPPORT_CONTACT'</span>, <span class="st_h">'https://oeru.org/contact-us/'</span><span class="br0">)</span>; define<span class="br0">(</span><span class="st_h">'ORE_SUPPORT_PASSWORD_MANAGER'</span>, <span class="st_h">'https://course.oeru.org/lida102/learning-pathways/digital-environments/online-hygiene/#Password_managers'</span><span class="br0">)</span>;</pre></div></div> <p>and</p> <p>define('ORE_DEFAULT_FROM_EMAIL', '<a href="mailto:webmaster@oerfoundation.org">webmaster@oerfoundation.org</a>');</p> <h4><a id="user-content-mautic-integration-tweaks" href="#mautic-integration-tweaks" name="mautic-integration-tweaks" class="heading-permalink" aria-hidden="true" title="Permalink"></a>Mautic Integration tweaks</h4> <p>You might also want to set up an OERu Partner record for your organisation (if you're not already a partner!) in our <a href="https://mautic.com">Mautic</a> integration plugin in the file <code>wpms-mautic/includes/mautic-sync.php</code> in the <code>$partner_names</code> array and then and set your <code>MAUTIC_DEFAULT_PARTNER</code> to have your partner name in <code>wpms-mautic/mautic-app.php</code>.</p> <h4><a id="user-content-reasserting-ownership" href="#reasserting-ownership" name="reasserting-ownership" class="heading-permalink" aria-hidden="true" title="Permalink"></a>Reasserting ownership</h4> <p>And a final step - this is crucial, as it will allow you to keep your WordPress instance up-to-date using the various WordPress standard approaches - is to ensure that the webserver user, <code>www-data</code> is the owner of the source code in your site:</p> <p><code>sudo chown -R www-data /home/data/[domain name]/src</code></p> <p>That's it. Done. Phew.</p> <h2><a id="user-content-step-seven---celebrate" href="#step-seven---celebrate" name="step-seven---celebrate" class="heading-permalink" aria-hidden="true" title="Permalink"></a>Step Seven - celebrate!</h2> <p>You've done it! You've got yourself a new Course WordPress multisite! Which, if I do say so myself, is an impressive accomplishment in it's own right.</p> <p>Of course, it might not be as exciting as actually having a real live course hosted on your Course WordPress multisites... so there's one more step (maybe take a quick break to celebrate getting to this milestone before proceeding).</p> <h2><a id="user-content-snapshotting-your-first-oer-course" href="#snapshotting-your-first-oer-course" name="snapshotting-your-first-oer-course" class="heading-permalink" aria-hidden="true" title="Permalink"></a>Snapshotting your first OER course!</h2> <p>There are quite a few courses (fully accredited!) available to push to your Course multisite on <a href="https://wikieducator.org">WikiEducator</a> where we work with educators around the world to assemble OER-based courses, usually split into discrete 'micro-courses' that can be assembled to meet the credit requirement conventions in different parts of the world.</p> <p>Here is an example course you can add to verify the process: the first micro-course in our (award winning) <a href="">Learning in a digital age</a>, called <a href="https://wikieducator.org/Learning_in_a_digital_age/_Outline_LiDA101">Digital literacies for online learning</a>. That link points to the <em>Outline</em> for the course, which in turn shows all the resources making up the course materials in the hierarchy that will become the navigation of the resulting Course site on your WordPress Multisite. The way e get it there is by using our "<a href="/node/15">Course Snapshot</a>" process which converts that WikiEducator content in the outline into a WordPress content archive that it then pushes onto your designated Course subsite.</p> <p>Before we can run a snapshot, you'll need to</p> <ol><li> <a href="https://wikieducator.org/Special:RequestAccount">request a WikiEducator account</a> - unfortunately this is a moderated process (i.e. a person at the OER Foundation has to review your request) because we have lots of problems with would-be spammers. So this could take a fair while depending on when you request it (we're on NZ time). So much for instant gratification. Sorry about that.</li> <li>you'll need to create a subsite (you don't want to replace your multisite's base site).</li> </ol><p>To do the latter, when you're logged into your WordPress multisite as the admin user, use the top menu to go to 'My Sites' -&gt; 'Network Admin' -&gt; 'Sites' and click the 'Add New' button. You'll need to specify a "Site Address (URL)" which is just the path following [domain name] in referencing your site. For example, the LiDA 101 course on the OERu's Course site is <code>https://course.oeru.org/lida101</code> where <code>lida101</code> is that path. You could use that same path here if you want (it's appropriate for this course).</p> <p>You'll also need a title - you could use "Digital literacies for online learning" - and pick a Site Language (the default is probably what you want). For the 'Admin Email', use the email of your admin user, as WordPress will then make the user with that email, namely your admin user, the administrator of that lida1010 subsite, which is what we want.</p> <p>Next, we go back to the WikiEducator page for the LiDA 101 outline above and find the 'Request snapshot' button near the top of the page. This is the important bit - <strong>Note: doing this will remove any existing content in the subsite you specify! Make sure that's what you're intending</strong> - clicking it will give you a dialog box into which you'll enter the full location of your subsite, which will look like <code>https://[domain name]/[subsite name]</code> (for example, in the OERu case it is <code>https://course.oeru.org/lida101</code>) , making suitable [token] substitutions, of course, and enter as your <em>WordPress</em> admin user and password. Clicking "Push snapshot to WordPress" sets things in motion, and, all going well, you should receive an email in a few minutes (5-20, usually) when the system has got to your request (it does them on a first-come, first-served basis) and processed it successfully. If you get that email, have another look at your site! It should look very similar to what you see on <code>https://course.oeru.org/lida101</code> with the main difference being (possibly) the colour scheme and the lack of a Login/Register prompt (top right). That can be fixed as I explain next.</p> <h2><a id="user-content-enabling-oerus-register-enrol-functionality" href="#enabling-oerus-register-enrol-functionality" name="enabling-oerus-register-enrol-functionality" class="heading-permalink" aria-hidden="true" title="Permalink"></a>Enabling OERu's Register Enrol functionality</h2> <p>The interface the OER Foundation has developed to help learners register for the site and enrol in specific courses is not enabled by default and needs to be turned on for any given Course sub-site (this is useful for courses that are visible on the site, but not yet ready to accept enrolments). To do so, go to the relevant course site dashboard in the WordPress menu, and select Appearance -&gt; Customize. In the resulting theme customisation side panel, selelct 'Site Navigation', and then set 'Show the login option?' to 'Yes' and 'Publish' to save the setting. Your login prompt should show near the top right corner of all the pages <em>in that course site</em> at that point.</p> <p>Also note, you can change the pre-set colour palette for your course sites on a per-site basis using the menu combination OERu Theme -&gt; Colour Scheme...</p> <h2><a id="user-content-data-backups" href="#data-backups" name="data-backups" class="heading-permalink" aria-hidden="true" title="Permalink"></a>Data Backups</h2> <p>Your MariaDB will already be getting backed up daily via the <code>automysqlbackup</code> script installed towards the start of this process, but you also want to have backups of files and configurations on your server, and you want to have <em>backups on a different server</em>, i.e. remote to your server, as a matter of disaster-recovery prudence.</p> <p>We will be describing how we do remote, encrypted, incremental backups in a separate how-to and will link to it here as soon as it's available.</p> <h2><a id="user-content-staying-up-to-date" href="#staying-up-to-date" name="staying-up-to-date" class="heading-permalink" aria-hidden="true" title="Permalink"></a>Staying up-to-date</h2> <p>You should log into your site as your admin user or as your personal user (granted Administrator permissions by your admin user!) periodically to see if there are any updates available for your site - if there are, you can update them as per the instructions provided by the site.</p> <p>The OERu plugins and themes undergo periodic improvements or bug fixes. To find out about them, you'll need to keep track of the various Git repositories on <a href="https://git.oeru.org/explore/projects">our Gitlab instance</a>.</p> <p>These are the relevant repositories:</p> <ul><li> <a href="https://git.oeru.org/oeru/oeru_course">OERu's Course Theme</a> </li> <li> <a href="https://git.oeru.org/oeru/blog-feed-finder">OERu's Blog Feed Finder</a> </li> <li> <a href="https://git.oeru.org/oeru/oeru-h5p-tools">OERu's H5P tools</a> </li> <li> <a href="https://git.oeru.org/oeru/register-enrol">OERu's Register Enrol</a> </li> <li> <a href="https://git.oeru.org/oeru/wenotes">OERu's WEnotes</a> </li> <li> <a href="https://git.oeru.org/oeru/wenotes-aggregator">OERu's WEnotes Aggregator</a> </li> <li> <a href="https://git.oeru.org/oeru/wpms-activity-register">OERu's Activity Register</a> </li> <li> <a href="https://git.oeru.org/oeru/wpms-mautic">OERu's Mautic Integration</a> </li> </ul><p>We're always delighted to <a href="/contact">hear from folks</a> using any of these components and invite people to collaborate with us on improving any and all of these software projects, including providing access to our Gitlab!</p> <p>Also, from time to time, we might update the Docker containers we use for this service, and you're always welcome to make use of our updated containers. If you have any questions, feel free to <a href="/contact">get in touch</a> or leave a comment below!!</p> <h2><a id="user-content-acknowledgements" href="#acknowledgements" name="acknowledgements" class="heading-permalink" aria-hidden="true" title="Permalink"></a>Acknowledgements</h2> <p>Many thanks to the good folks at the Samoan Ministry for Education, Sport, and Culture and UNESCO in Apia for motivating me to write this up, and to educational technologist luminary <a href="https://downes.ca">Stephen Downes</a> for unexpectedly finding this tutorial and then (even more unexpectedly) heroically and comprehensively going through it and providing extensive editorial input (<a href="https://www.youtube.com/watch?v=PBTkZvKf080">part 1</a> and <a href="https://www.youtube.com/watch?v=rqryD1Qi-ws">part 2</a>), most (if not all) of which I've since incorporated! Thanks Stephen - see people were listening (just not in real-time)!</p></div> </div> </div> <section class="field field-node--field-blog-comments field-name-field-blog-comments field-type-comment field-label-above comment-wrapper"> <a name="comments"></a> <div class="comment-form-wrapper"> <h2 class="comment-form__title">Add new comment</h2> <drupal-render-placeholder callback="comment.lazy_builders:renderForm" arguments="0=node&amp;1=38&amp;2=field_blog_comments&amp;3=comment" token="pD7Al-LnIZTaG3QCT3T8JzCIHMbfkyXNmQSpAk-VQmo"></drupal-render-placeholder> </div> </section> Tue, 24 Aug 2021 04:00:22 +0000 dave 38 at http://tech.oeru.org Setting up your own BitWarden password manager and sync server http://tech.oeru.org/setting-your-own-bitwarden-password-manager-and-sync-server <span class="field field--name-title field--type-string field--label-hidden">Setting up your own BitWarden password manager and sync server</span> <div class="field field-node--field-blog-tags field-name-field-blog-tags field-type-entity-reference field-label-above"> <h3 class="field__label">Blog tags</h3> <div class="field__items"> <div class="field__item field__item--docker-compose"> <span class="field__item-wrapper"><a href="/taxonomy/term/49" hreflang="en">docker-compose</a></span> </div> <div class="field__item field__item--docker"> <span class="field__item-wrapper"><a href="/taxonomy/term/16" hreflang="en">docker</a></span> </div> <div class="field__item field__item--rust"> <span class="field__item-wrapper"><a href="/taxonomy/term/59" hreflang="en">rust</a></span> </div> <div class="field__item field__item--bitwarden"> <span class="field__item-wrapper"><a href="/taxonomy/term/60" hreflang="en">BitWarden</a></span> </div> <div class="field__item field__item--password-keeper"> <span class="field__item-wrapper"><a href="/taxonomy/term/61" hreflang="en">password keeper</a></span> </div> <div class="field__item field__item--privacy"> <span class="field__item-wrapper"><a href="/taxonomy/term/62" hreflang="en">privacy</a></span> </div> <div class="field__item field__item--security"> <span class="field__item-wrapper"><a href="/taxonomy/term/63" hreflang="en">security</a></span> </div> <div class="field__item field__item--vaultwarden"> <span class="field__item-wrapper"><a href="/taxonomy/term/82" hreflang="en">Vaultwarden</a></span> </div> </div> </div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><a title="View user profile." href="/user/1" lang="" about="/user/1" typeof="schema:Person" property="schema:name" datatype="" class="username">dave</a></span> <span class="field field--name-created field--type-created field--label-hidden">Sat 21/08/2021 - 11:30</span> <div class="field field-node--field-image field-name-field-image field-type-image field-label-hidden has-multiple"> <figure class="field-type-image__figure image-count-1"> <div class="field-type-image__item"> <a href="http://tech.oeru.org/sites/default/files/styles/max_1300x1300/public/2019-04/bitwarden_desktop_app.png?itok=9ZE2TxZh" aria-controls="colorbox" aria-label="{&quot;alt&quot;:&quot;BitWarden desktop app (Electron-based)&quot;}" role="button" title="BitWarden desktop app (Electron-based)" data-colorbox-gallery="gallery-field_image-lZc_TGtY9b4" class="colorbox" data-cbox-img-attrs="{&quot;alt&quot;:&quot;BitWarden desktop app (Electron-based)&quot;}"><img src="/sites/default/files/styles/medium/public/2019-04/bitwarden_desktop_app.png?itok=hekOd__9" width="220" height="169" alt="BitWarden desktop app (Electron-based)" loading="lazy" typeof="foaf:Image" class="image-style-medium" /> </a> </div> </figure> <figure class="field-type-image__figure image-count-2"> <div class="field-type-image__item"> <a href="http://tech.oeru.org/sites/default/files/styles/max_1300x1300/public/2019-04/bitwarden_web_interface_0.png?itok=QShOqyOM" aria-controls="colorbox" aria-label="{&quot;alt&quot;:&quot;BitWarden website interface&quot;}" role="button" title="BitWarden website interface" data-colorbox-gallery="gallery-field_image-lZc_TGtY9b4" class="colorbox" data-cbox-img-attrs="{&quot;alt&quot;:&quot;BitWarden website interface&quot;}"><img src="/sites/default/files/styles/medium/public/2019-04/bitwarden_web_interface_0.png?itok=QitHloR0" width="220" height="158" alt="BitWarden website interface" loading="lazy" typeof="foaf:Image" class="image-style-medium" /> </a> </div> </figure> <figure class="field-type-image__figure image-count-3"> <div class="field-type-image__item"> <a href="http://tech.oeru.org/sites/default/files/styles/max_1300x1300/public/2019-04/bitwarden_desktop_app_logged_in_0.png?itok=FAbPSjim" aria-controls="colorbox" aria-label="{&quot;alt&quot;:&quot;Desktop BitWarden app, with user logged in. &quot;}" role="button" title="Desktop BitWarden app, with user logged in. " data-colorbox-gallery="gallery-field_image-lZc_TGtY9b4" class="colorbox" data-cbox-img-attrs="{&quot;alt&quot;:&quot;Desktop BitWarden app, with user logged in. &quot;}"><img src="/sites/default/files/styles/medium/public/2019-04/bitwarden_desktop_app_logged_in_0.png?itok=p9Oarp8h" width="220" height="156" alt="Desktop BitWarden app, with user logged in. " loading="lazy" typeof="foaf:Image" class="image-style-medium" /> </a> </div> </figure> <figure class="field-type-image__figure image-count-4"> <div class="field-type-image__item"> <a href="http://tech.oeru.org/sites/default/files/styles/max_1300x1300/public/2019-04/bitwarden_adding_new_item_via_web_interface_0.png?itok=_PTdZqjB" aria-controls="colorbox" aria-label="{&quot;alt&quot;:&quot;Web interface for BitWarden with user logged in.&quot;}" role="button" title="Web interface for BitWarden with user logged in." data-colorbox-gallery="gallery-field_image-lZc_TGtY9b4" class="colorbox" data-cbox-img-attrs="{&quot;alt&quot;:&quot;Web interface for BitWarden with user logged in.&quot;}"><img src="/sites/default/files/styles/medium/public/2019-04/bitwarden_adding_new_item_via_web_interface_0.png?itok=YQftj3vf" width="220" height="209" alt="Web interface for BitWarden with user logged in." loading="lazy" typeof="foaf:Image" class="image-style-medium" /> </a> </div> </figure> </div> <div class="clearfix text-formatted field field-node--body field-name-body field-type-text-with-summary field-label-hidden"> <div class="field__items"> <div class="field__item"><p>One of the key requirements of pursuing Good Digital Hygiene is <em>using strong passwords</em>, and a <em>different strong password for every application</em>. This is relatively easy to do in theory, <em>with the aid of clever software</em>, but it's something desperately few people do well in practice. I'm going to explain how I've addressed this issue of digital hygiene for myself, and how you can do it for yourself, <em>and your entire family, social circle, or community</em>.</p> <p>Password Managers (or keepers or safes) have emerged as that "clever software". A good password manager has to do a bunch of things to be really useful:</p> <ol><li>It needs to store your passwords somewhere in an encrypted form (so if someone gets your password database, they can't work out your entire collection of passwords). You only need to remember <em>one </em><em>really strong password/phrase to unlock all of them. </em></li> <li>It needs to work in whatever context you need a password. Like <ol><li>your desktop/laptop, where you need to remember logins for a variety of apps and services,</li> <li>in your browser (for web apps that require authentication), and</li> <li>on your mobile platforms (because most services you use via apps or browsers require authentication)</li> </ol></li> <li>It needs to be cross platform <ol><li>must support Windows, MacOS, and Linux OSs,</li> <li>must support extensions for many browsers like Firefox, Chrome/<a href="https://chromium.org" title="The open source project that underlies Chrome and is 99% identical.">Chromium</a>, Safari, and others, and</li> <li>must support mobile OSs like iOS and Android.</li> </ol></li> <li>It needs to sync data in a timely manner among all the different contexts in which a given user needs it.</li> </ol><p>That's a lot of requirements. There're quite a few efforts that have had a crack at solving this.</p> <p>The <a href="https://www.keepassx.org/">KeePassX</a> community has been addressing this for ages and has created a comprehensive (if variable) ecosystem of apps which work across all of the required platforms, but only with a lot of work.</p> <p>In the proprietary world, there're many options, with a few front runners like 1Password and <a href="https://lastpass.com">LastPass</a>. The former doesn't work on Linux, so it only gets a passing reference and no link :) (update 2019-05-31 - <a href="https://1password.com">1Password</a> has added Linux support). The latter, which I used (grudgingly, mostly because I couldn't get KeePassX to work for me) for a few years, works across all the platforms relevant to me, but it was becoming progressively more invasive and annoying to use. Also, because it has a <em>lot</em> of users, and stores everything (albeit, encrypted) in a centralised cloud repository, it's a <em>big target</em>. Also, with its largely proprietary code, I wasn't happy trusting it. </p> <p>Then I heard about <a href="https://bitwarden.com">BitWarden</a>. They offered a commercial service (with a free tier) that I could quickly try... they supported all the OSs, mobile and desktop, and browsers that I use... <em>and they release their entire codebase </em>(server and clients) <em><strong>under open source licenses.</strong></em> I tried it, it worked for me, I was sold!</p> <p><strong>Update 2020-12-20</strong>: here's a <a href="https://kevq.uk/are-password-managers-worth-it/">nice explanation of why you'd want a password manager</a> and even <a href="https://kevq.uk/bitwarden-an-open-source-alternative-to-lastpass/">a comparison between widely used (proprietary) LastPass and (open source) BitWarden</a>. People reading this might also be interested in learning <a href="https://kevq.uk/how-websites-check-your-password/">how websites check your password.<em>.. without storing a copy of your password</em></a>! Thanks for providing your CC-BY-SA licensed works for us all Kev!</p> <p>Then I decided I wanted to run my own BitWarden server, rather than use their commercial centralised cloud platform (because, as with LastPass, it's a tempting target). That's when I found out the server of BitWarden was written using Microsoft technologies, C# (yeah, it's mostly open source, but it's dirty to me due to its Microsoft legacy), and MS SQL Server, which is a nasty proprietary dependency (especially given how basic the database requirements for this sort of application are).</p> <p>So I was devastated that I couldn't set up my own server without compromising my iron-clad anti-Microsoft position (I've managed to maintain it for the past 25 years)... until another Free and Open Source Software aficionado pointed me at Daniel Garcia's work! Daniel has implemented a <a href="https://github.com/dani-garcia/bitwarden_rs">full (unofficial) BitWarden work-alike using a fully FOSS stack</a>: the Rust language, storing data in SQLite, and (quite thoughtfully) re-using other open source licensed components of the BitWarden system that don't have proprietary dependencies, including the website code and layout (which is part of the server). (he calls the server he's developed <a href="https://github.com/dani-garcia/vaultwarden">VaultWarden</a> to distinguish it from the BitWarden code base. The front-end BitWarden apps talk to VaultWarden the same way!)</p> <p>Daniel's server implementation also unlocks all the "premium" services that BitWarden offers through their hosted service, too... so that's a nice bonus.</p> <p>Another open source developer, <a href="https://github.com/mprasil">mpasil</a>, has created <a href="https://github.com/mprasil/bitwarden_rs">a "fork" of Daniel's project</a> from which he maintains an up-to-date Docker container on hub.docker.com. <strong>Thanks to both Daniel Garcia and mpasil's efforts</strong>, it turns out to be quite straightforward to set up your own Docker-based BitWarden-compatible service!</p> <h2>Creating your own BitWarden Service</h2> <h3>Set up a Virtual Server</h3> <p>The first step is to get yourself an entry-level virtual server or compute instance somewhere. I generally use DigitalOcean (I have no affiliation with the company), but there are many other commodity hosting services (check out Vultr or Linode, for example) around the world which offer comparably (or better) spec'd servers for <strong>USD5.00/month</strong>, or <strong>USD60.00/year</strong> - I encourage you to do a bit of research. For that you get a Gigabyte (GB) of RAM, a processor, and 40GB of SSD (Static Storage Device = faster) storage. That's <em>oodles</em> of grunt for what this application requires.</p> <p>I suggest you create an account for yourself (and I encourage you to use Two Factor Authentication, aka 2FA) and create an Ubuntu 18.04 (or the most recent LTS version - the next will be 20.04, in April 2020 :) ) in the zone nearest to you. You'll need to note the server's IP address (it'll be a series of 4 numbers, 0-254, separated by full stops, e.g. 103.99.72.244). With that, you can <a href="https://www.digitalocean.com/community/tutorials/how-to-use-ssh-to-connect-to-a-remote-server-in-ubuntu">log into it via SSH</a>.</p> <h3>Get your Domain lined up</h3> <p>You will want to have a domain to point at your server, so you don't have to remember the IP number. There're are thousands of domain "registrars" in the world who'll help you do that... You just need to "register" a name, and you pay yearly fee (usually between USD10-30 depending on the country and the "TLD" (Top Level Domain. There're national ones like .nz, .au, .uk, .tv, .sa, .za, etc., or international domains (mostly associated with the US) like .com, .org, .net, and a myriad of others. Countries decide on how much their domains wholesale for and registrars add a margin for the registration service).</p> <p>Here in NZ, I use the services of <a href="https://metaname.net">Metaname</a> (they're local to me in Christchurch, and I know them personally and trust their technical capabilities). If you're not sure who to use, ask your friends. Someone's bound to have recommendations (either positive or negative, in which case you'll know who to avoid).</p> <p>If you want to use your domain for other things besides your BitWarden instance, I'd encourage you to use a <em>subdomain</em>, like (my usual choice) is "safe.domainname", namely the subdomain "safe" of "domainname".</p> <p>Once you have selected and registered your domain, you can set up (usually through a web interface provided by the registrar) an "A Record" which associates your website's name to the IP address of your server. So you should just be able to enter your server's IP address, the domain name (or sub-domain) you want to use for your BitWarden service, and that's it. For a password safe, I tend to use the subdomain "safe", so, for example, safe.mydomain.nz or similar.</p> <p>You might be asked to set a "Time-to-live" (which has to do with the length of time Domain Name Servers are asked to "cache" the association that the A Record specifies) in which case you can put in 3600 seconds or an hour depending on the time units your interface requests... but in most cases that'll be set to a default of an hour automatically.</p> <p>You should be able to test that your A Record has been set correctly by SSHing to your domain name rather than the IP address. It should (after you accept the SSH warning that the server's name has changed) work the same way your original SSH login did.</p> <h3>Set up a Docker Server</h3> <p>Once I've first logged into it as the "root" (full admin) user, here's what I usually do:</p> <ol><li>I create an "unprivileged user", either with my name "dave" or sometimes an "ubuntu" user (some hosting providers create a default unprivileged user of "ubuntu" when you create an Ubuntu-based virtual machine. Some create a "debian" user for Debian-based VMs, etc.) via<br /><code>adduser ubuntu</code></li> <li>I install a few core applications: my preferred editor <a href="https://en.wikipedia.org/wiki/Vim_(text_editor)">vim</a> (<a href="https://en.wikipedia.org/wiki/GNU_nano">nano</a> is another easy option and comes pre-installed on Ubuntu), version control system, <a href="https://en.wikipedia.org/wiki/Git">git</a>, and a very handy configuration tracker, <a href="http://joeyh.name/code/etckeeper/">etckeeper</a>:<br /><code>apt-get update &amp;&amp; apt-get install vim git etckeeper</code></li> <li>I do some basic configuration of git (replace the [tokens] with the real values for you, minus the []):<br /><code>git config --global user.email "[your email]"<br /> git config --global user.name "[your full name, e.g. Jane Doe]"</code></li> <li>Initialise etckeeper - it will track configuration changes you make to your system which can be invaluable in replicating a server or working out what's changed if something breaks.<br /><code>etckeeper init<br /> etckeeper commit -m "initial commit of BitWarden host"</code></li> <li>Install Docker dependencies:<br /><code>apt-get install apt-transport-https ca-certificates curl software-properties-common pwgen</code><br /> Install secure key needed to add the docker.com package repository to your system<br /><code>curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -</code><br /> Confirm the key is valid<br /><code>apt-key fingerprint 0EBFCD88</code><br /> (you should see something like "<code>uid [ unknown] Docker Release (CE deb) &lt;docker@docker.com&gt;</code>" among the 4 lines)</li> <li>Add the repository for your Ubuntu version (this will pick it automatically)<br /><code>add-apt-repository    "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"</code></li> <li>Update the package repository to include the packages from docker.com<br /><code>apt-get update</code></li> <li>Install the Community Edition of the Docker service<br /><code>apt-get install docker-ce</code></li> <li>Add your unprivileged user ("ubuntu" in this case - substitute the unprivileged user you created!) to a new "docker" group and add that user to other useful groups:<br /><code>groupadd docker<br /> adduser ubuntu<br /> adduser ubuntu sudoers<br /> adduser ubuntu admin</code><br /><code>adduser ubuntu docker</code></li> <li>Create an SSH key for your unprivileged user and allow logins for that user from external connection:<br /><code>sudo -Hu ubuntu ssh-keygen -t rsa<br /> cp /root/.ssh/authorized_keys /home/ubuntu/.ssh/<br /> chown ubuntu:ubuntu /home/ubuntu/.ssh/<br /> adduser ubuntu ssh</code></li> <li>Install the Python packaging system, "pip" to allow you to install and maintain the Docker Compose framework for managing collections of Docker containers:<br /><code>apt install python-pip<br /> pip install -U pip<br /> pip install docker-compose</code></li> <li>Set a convenience variable for [your domain] here (note: it'll only be recognised for this session, i.e. until you log out):<br /><code>DOMAIN=[your domain]<br /> USER=[unprivileged user, e.g. ubuntu]</code><br /> Below, anytime you see $DOMAIN in a command, it'll be replaced by whatever you put in for [your domain] and similarly $USER...</li> <li>Create directories to hold both the Docker Compose configurations and the persistent data you don't want to lose if you remove your Docker containers (namely your password database and configuration information):<br /><code>mkdir -p /home/docker/$DOMAIN &amp;&amp; mkdir -p /home/data/$DOMAIN<br /> chown -R ${USER}:${USER} /home/data /home/docker/</code></li> <li>Install the NGINX (pronounced "Engine X") webserver which will act as a reverse proxy for the BitWarden service and terminate the encryption via HTTPS:<br /><code>apt-get install nginx-full</code></li> <li>Configure the server's firewill and make an exception for SSH and NGINX services<br /><code>ufw allow OpenSSH<br /> ufw allow "Nginx Full"<br /> ufw enable</code><br /> Check that its running via<br /><code>ufw status</code></li> <li>Create a directory for including files for NGINX<br /><code>cd /etc/nginx</code><br /><code>mkdir includes</code><br /> Choose your text editor for editing files. Here're options for Vim or Nano - you can install and select others. Setting the EDIT shall variable allows you to copy and paste these commands regardless of which editor you prefer as it'll replace the value of $EDIT with the full path to your preferred editor.<br /><code>EDIT=`which nano`</code> or <code>EDIT=`which vim`</code></li> <li>To support encrypted data transfer between external devices and your server using HTTPS,  you need a valid SSL certificate. Until recently, these were costly and hard to get. With <a href="/protecting-your-users-lets-encrypt-ssl-certs">Let's Encrypt</a>, they've become a straightforward and essential part of any good (user-respecting) web site or service. To facilitate getting and periodically renewing your SSL certificate, you need to create the file letsencrypt.conf:<br /><code>$EDIT includes/letsencrypt.conf</code><br /> and enter the following content: <p><blockcode><code>#############################################################################<br /> # Configuration file for Let's Encrypt ACME Challenge location<br /> # This file is already included in listen_xxx.conf files.<br /> # Do NOT include it separately!<br /> #############################################################################<br /> #<br /> # This config enables to access /.well-known/acme-challenge/xxxxxxxxxxx<br /> # on all our sites (HTTP), including all subdomains.<br /> # This is required by ACME Challenge (webroot authentication).<br /> # You can check that this location is working by placing ping.txt here:<br /> # /var/www/letsencrypt/.well-known/acme-challenge/ping.txt<br /> # And pointing your browser to:<br /> # http://xxx.domain.tld/.well-known/acme-challenge/ping.txt<br /> #<br /> # Sources:<br /> # https://community.letsencrypt.org/t/howto-easy-cert-generation-and-renewal-with-nginx/3491<br /> #<br /> # Rule for legitimate ACME Challenge requests<br /> location ^~ /.well-known/acme-challenge/ {<br />     default_type "text/plain";<br />     # this can be any directory, but this name keeps it clear<br />     root /var/www/letsencrypt;<br /> }<br /> # Hide /acme-challenge subdirectory and return 404 on all requests.<br /> # It is somewhat more secure than letting Nginx return 403.<br /> # Ending slash is important!<br /> location = /.well-known/acme-challenge/ {<br />     return 404;<br /> }</code></blockcode></p> </li> <li> <p>Now you need to create the directory described in the letsencrypt.conf file:<br /><code>mkdir /var/www/letsencrypt</code></p> </li> <li> <p>Create "<a href="https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html#Forward_Secrecy_&amp;_Diffie_Hellman_Ephemeral_Parameters">forward secrecy &amp; Diffie Hellman ephemeral parameters</a>" to make your server more secure... The result will be a secure signing key stored in <code>/etc/ssl/certs/dhparam.pem</code> (note, getting enough "entropy" to generate sufficient randomness to calculate this will take a few minutes!<code>):</code><br /><code>openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096</code></p> </li> <li> <p>and then you need to create the reverse proxy configuration file as follows:<br /><code>cd ../sites-available</code><br /><br /> and fill it with this content, replacing all [tokens] with your relevant values:<br /><blockcode><code>#<br /> # HTTP does *soft* redirect to HTTPS<br /> #<br /> server {<br />     # add [IP-Address:]80 in the next line if you want to limit this to a single interface<br />     listen 0.0.0.0:80;<br />     </code></blockcode><blockcode><code>server_name [your domain];<br />     root /home/data/[your domain];<br />     index index.php;<br /><br />     # change the file name of these logs to include your server name<br />     # if hosting many services...<br />     access_log /var/log/nginx/[your domain]_access.log;<br />     error_log /var/log/nginx/[your domain]_error.log;  <br />     include includes/letsencrypt.conf;</code></blockcode><blockcode><br /><br /><code>    # redirect all HTTP traffic to HTTPS.<br />     location / {<br />         return  302 https://[your domain]$request_uri;<br />     }<br /> }</code></blockcode><br /> and make the configuration available to NGINX by linking the file from sites-available into sites-enabled (you can disable the site by removing the link and reloading NGINX)<br /><code>ln -sf sites-available/bitwarden sites-enabled/bitwarden</code><br /> Check to make sure NGINX is happy with the configuration<br /><code>nginx -t </code><br /> If you don't get any errors, you can restart NGINX<br /><code>service nginx restart</code><br /> and it should be configured properly to respond to requests at <code>http://[your domain]/.well-known/acme-challenge/ </code>which is required for creating a Let's Encrypt certificate.<br /><code>$EDIT sites-available/bitwarden</code></p> </li> <li> <p>So now we can create the certificate. You'll need to install the letscencrypt scripts:<br /><code>apt-get install letsencrypt</code><br /> You will be asked to enter some information about yourself, including an email address - this is necessary so that the letsencrypt service can email you if any of your certificates are not successfully updated (they need to be renewed every few weeks - normally this happens automatically!) so that you site and users aren't affected by an expired SSL certificate (a bad look!). Trust me, these folks are the good guys.<br /> You create a certificate for [your domain] with the following command (with relevant substitutions):<br /><code>letsencrypt certonly --webroot -w /var/www/letsencrypt -d $DOMAIN</code><br /> If the process works, you should see a "Congratulations!" message.</p> </li> <li> <p>Edit the nginx configuration file for the BitWarden service again<br /><code>$EDIT sites-available/bitwarden</code><br /> and add the following to the bottom of <code>file (starting the line below the final "}")<br /><blockcode>#<br /> # HTTPS<br /> #<br /> # This assumes you're using Let's Encrypt for your SSL certs (and why wouldn't<br /> # you!?)... https://letsencrypt.org<br /> server {<br />     # add [IP-Address:]443 ssl in the next line if you want to limit this to a single interface<br />     listen 0.0.0.0:443 ssl;<br />     ssl on;<br />     ssl_certificate /etc/letsencrypt/live/[your domain]/fullchain.pem;<br />     ssl_certificate_key /etc/letsencrypt/live/[your domain]/privkey.pem;<br />     ssl_protocols TLSv1 TLSv1.1 TLSv1.2;<br />     # to create this, see https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html<br />     ssl_dhparam /etc/ssl/certs/dhparam.pem;<br />     keepalive_timeout 20s;</blockcode></code><blockcode></blockcode><blockcode><br /><code>    server_name [your domain];<br />     root /home/data/[your domain];<br />     index index.php;</code></blockcode><blockcode><br /><code>    # change the file name of these logs to include your server name<br />     # if hosting many services...<br />     access_log /var/log/nginx/[your domain]_access.log;<br />     error_log /var/log/nginx/[your domain]_error.log;</code></blockcode><blockcode><br /><br /><code>    location /notifications/hub/negotiate {<br />         proxy_pass http://127.0.0.1:8080;<br />         proxy_set_header Upgrade $http_upgrade;<br />         proxy_set_header Connection "upgrade";<br />         proxy_set_header Host $http_host;<br />         proxy_set_header X-Real-IP $remote_addr;<br />         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;<br />         proxy_set_header X-Forwarded-Host $server_name;<br />         proxy_set_header X-Forwarded-Proto https;<br />         proxy_connect_timeout 2400;<br />         proxy_read_timeout 2400;<br />         proxy_send_timeout 2400;<br />     }</code></blockcode><blockcode><br /><code>    location / {<br />         proxy_pass http://127.0.0.1:8080;<br />         proxy_set_header Upgrade $http_upgrade;<br />         proxy_set_header Connection "upgrade";<br />         proxy_set_header Host $http_host;<br />         proxy_set_header X-Real-IP $remote_addr;<br />         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;<br />         proxy_set_header X-Forwarded-Host $server_name;<br />         proxy_set_header X-Forwarded-Proto https;<br />         proxy_connect_timeout 2400;<br />         proxy_read_timeout 2400;<br />         proxy_send_timeout 2400;<br />     }</code></blockcode><blockcode><br /><code>    location /notifications/hub {<br />         proxy_pass http://127.0.0.1:3012;<br />         proxy_set_header Upgrade $http_upgrade;<br />         proxy_set_header Connection "upgrade";<br />     }<br />     #<br />     # These "harden" your security<br />     add_header 'Access-Control-Allow-Origin' "*";<br /> }</code></blockcode></p> </li> <li>You should now be able to run<br /><code>nginx -t </code><br /> again, and it you haven't got an accidental errors in the files, it should return no errors. You can restart nginx to make sure it picks up your SSL certificates...<br /><code>service nginx restart</code></li> </ol><p>Now everything is read to set up your BitWarden Docker containers!</p> <h3>Setting up your BitWarden "rust" service</h3> <p>Before we start this part, you'll need a few bits of information. First, you'll need a 64 character random string to be your "admin token"... you can create that like this:<br /><code>pwgen -y 64 1</code></p> <p>copy the result (highlight the text and hit CTRL+SHIFT+C) and paste it somewhere so you can copy-and-paste it into the file below later.</p> <p>Also, if you want your BitWarden server to be able to send out emails, like for password recovery, you'll need to have an "authenticating SMTP email account"... I would recommend setting one up specifically for this purpose. You can use a random gmail account or any other email account that lets you send mail by logging into an SMTP (Simple Mail Transfer Protocol) server, i.e. most mail servers. You'll need to know the SMTP [host name], the [port] (usually 465 or 587), the [login security] (usually "true" or "TLS"), and your authenticating [username] (possibly this is also the email address) and [password]. You'll also need a "[from email] like bitwarden@[your domain] or similar, which will be the sender of email from your server.</p> <p>You're going to be setting up your configuration in the directory we created earlier, so run<br /><code>cd /home/docker/$DOMAIN</code></p> <p>and there<br /><code>$EDIT docker-compose.yml</code></p> <p>copy-and-pasting in the following, replacing the [tokens] appropriately:</p> <p><blockcode><code>version: "3"<br /> services:<br />     app:<br />         image: vaultwarden/server<br />         environment:<br />             - DOMAIN=https://[your domain]<br />             - WEBSOCKET_ENABLED=true<br />             - SIGNUPS_ALLOWED=false<br />             - LOG_FILE="/data/bitwarden.log"<br />             - INVITATIONS_ALLOWED=true<br />             - ADMIN_TOKEN=[admin token]<br />             - SMTP_HOST=[host name]<br />             - SMTP_FROM=[from email]<br />             - SMTP_PORT=[port]<br />             - SMTP_SSL=[login security]<br />             - SMTP_USERNAME=[username]<br />             - SMTP_PASSWORD=[password]<br />         volumes:<br />             - /home/data/[your domain]/data/:/data/<br />         ports:<br />             - "127.0.0.1:8080:80"<br />             - "127.0.0.1:3012:3012"<br />         restart:<br />             unless-stopped</code></blockcode></p> <p><em>Note that the indentation has to be exact in this file - Docker Compose will complain otherwise.</em></p> <p>With the docker-compose file completed, you're ready to "pull" your package!</p> <p><code>docker-compose pull</code></p> <p>This will download the BitWarden Docker container from hub.docker.com. Then all you need to do is start it:</p> <p><code>docker-compose up -d &amp;&amp; docker-compose logs -f</code></p> <p>the "up -d" option actually starts the container called "app" which is actually your BitWarden rust server in "daemon" mode, which means it'll keep running unless you tell it to stop. If that's successful, it automatically then shows you the logs of that container. You can exit at any time with CTRL-C which will put you back on the command prompt. If you <em>do</em> want the container to stop, just run</p> <p><code>docker-compose stop</code></p> <p>If your start up was successful, you should see a message like this (albeit your version number could be higher - 1.9.0 is the current version of the Rust implementation at the time of writing):</p> <p><blockcode><code>/--------------------------------------------------------------------\<br /> |                       Starting Bitwarden_RS                        |<br /> |                           Version 1.9.0                            |<br /> |--------------------------------------------------------------------|<br /> | This is an *unofficial* Bitwarden implementation, DO NOT use the   |<br /> | official channels to report bugs/features, regardless of client.   |<br /> | Report URL: https://github.com/dani-garcia/bitwarden_rs/issues/new |<br /> \--------------------------------------------------------------------/</code></blockcode></p> <p>You should now be able to point your browser at <code>http://[your domain]</code> which, in turn, should automatically redirect you to <code><strong>https://</strong>[your domain]</code> and you should see the BitWarden web front end similar to that shown in the attached screen shot!</p> <h3>First Login!</h3> <p>To do your initial login by going to <code><strong>https://</strong>[your domain]<strong>/admin/</strong> and</code> you'll be asked to provide your "admin token" (a random string you created earlier for your docker-compose.yml file, where you should be able to find it) to create a first user with administration privileges. That will allow you to create your initial personal user and other useful stuff.</p> <p>For additional info on setting up these services - and new options as Daniel and his co-developers add them in - consult the <a href="https://github.com/dani-garcia/bitwarden_rs">repository pages</a> and <a href="https://github.com/dani-garcia/bitwarden_rs/issues">issues</a> and for Docker-specific questions, look at <a href="https://github.com/mprasil/bitwarden_rs">mpasil's pages</a>.</p> <h3>Sending Emails</h3> <p>It'll be worth testing if your email services work, like by requesting a password hint! You should be able to see what the server's doing via the</p> <p><code>docker-compose logs -f</code></p> <h2>Tips</h2> <p>I recommend <em>not </em>including your login credentials to your BitWarden instance in your BitWarden database ;) that's the one thing you need to remember. If you need to write it down somewhere, then do so (but make sure you don't include <em>all</em> the info needed to log in on the same piece of paper, that's just asking for trouble).</p> <p>Also, you can easily configure all the BitWarden clients - browser plugins, mobile apps, or the desktop app -  to use your server rather than BitWarden's default hosted service. Just click the "gear" settings icon on each app's interface, and set the "Self-Hosted Environment" Server URL to be your server, i.e. https://[your domain]</p> <h3>Backing it all up</h3> <p>I've created a SQLite backup script (which maintains automatic versioned hourly, daily, weekly, monthly, and yearly database dumps, the content in which is encrypted) <a href="/automatic-versioned-backups-sqlite-docker-compose-container">described in more detail in another post</a>...</p> <h3>Two Factor Authentication</h3> <p>This configuration should allow you to simply turn on Two Factor Authentication for any given BitWarden user.</p> <h3>Keeping it up-to-date</h3> <p>One of the best things about this Docker configuration is that it's very straightforward to upgrade your installation to Daniel's (via mpasil's Docker work) latest server version. Just log into the server as your unprivileged user,</p> <p><code>cd /home/docker/[your domain]<br /> docker-compose  pull<br /> docker-compose up -d &amp;&amp; docker-compose logs -f</code></p> <p>The whole process shouldn't take much more than a minute, with a few seconds downtime only as your new Docker BitWarden container is being created...</p> <p>Hope this helps a few folks! If you find any of the above doesn't work, please let me know in the comments. I'll do my best to make sure this how-to is accurate and up-to-date, and I'll do my best to assist people if they're having trouble.</p> <p>Have (secure and private) fun!</p> </div> </div> </div> <section class="field field-node--field-blog-comments field-name-field-blog-comments field-type-comment field-label-above comment-wrapper"> <a name="comments"></a> <h2 class="comment-field__title">Blog comments</h2> <article data-comment-user-id="0" id="comment-164" about="/comment/164" typeof="schema:Comment" class="comment js-comment by-anonymous has-title clearfix"> <div class="comment__container"> <h3 property="schema:name" datatype="" class="comment__title"> <a href="/comment/164#comment-164" class="permalink" rel="bookmark" hreflang="en">Excellent blog</a> <span class="comment__new marker marker--success hidden" data-comment-timestamp="1571734038"></span> </h3> <div class="comment__meta"> <div class="comment__submitted"> <span class="comment__author"><span rel="schema:author"><span lang="" typeof="schema:Person" property="schema:name" datatype="">cocoonkid (not verified)</span></span> </span> <span class="comment__pubdate">Wed 09/10/2019 - 00:19 <span property="schema:dateCreated" content="2019-10-08T11:19:00+00:00" class="rdf-meta hidden"></span> </span> </div> </div> <div class="comment__content"> <div property="schema:text" class="clearfix text-formatted field field-comment--comment-body field-name-comment-body field-type-text-long field-label-hidden"> <div class="field__items"> <div property="schema:text" class="field__item"><p>Really appreciate the document. </p> <p>Would love to see these too:</p> <p>To do your initial login, I believe (I&#039;ll test this and update this howto!) you&#039;ll be asked to provide your &quot;admin token&quot; to create a first user with administration privileges.</p> <p>&amp;</p> <p>I&#039;ll add information on my SQLite backup scripts (which maintain automatic versioned hourly, daily, weekly, monthly, and yearly database dumps, the content in which is encrypted)...</p> <p>Thanks!</p> </div> </div> </div> <drupal-render-placeholder callback="comment.lazy_builders:renderLinks" arguments="0=164&amp;1=default&amp;2=en&amp;3=" token="SQxJH8_hmUFGP5a1HuPe5YGDeqKAH7IJWa-lrTf5AVs"></drupal-render-placeholder> </div> </div> </article> <div class="indented"><article data-comment-user-id="1" id="comment-167" about="/comment/167" typeof="schema:Comment" class="comment js-comment by-node-author has-title clearfix"> <div class="comment__container"> <h3 property="schema:name" datatype="" class="comment__title"> <a href="/comment/167#comment-167" class="permalink" rel="bookmark" hreflang="en">Fair call! Leave it with me…</a> <span class="comment__new marker marker--success hidden" data-comment-timestamp="1571734079"></span> </h3> <div class="comment__meta"> <div class="comment__submitted"> <span class="comment__author"><span rel="schema:author"><a title="View user profile." href="/user/1" lang="" about="/user/1" typeof="schema:Person" property="schema:name" datatype="" class="username">dave</a></span> </span> <span class="comment__pubdate">Tue 22/10/2019 - 21:47 <span property="schema:dateCreated" content="2019-10-22T08:47:59+00:00" class="rdf-meta hidden"></span> </span> </div> </div> <div class="comment__content"> <p class="comment__parent visually-hidden">In reply to <a href="/comment/164#comment-164" class="permalink" rel="bookmark" hreflang="en">Excellent blog</a> by <span lang="" typeof="schema:Person" property="schema:name" datatype="">cocoonkid (not verified)</span></p> <div property="schema:text" class="clearfix text-formatted field field-comment--comment-body field-name-comment-body field-type-text-long field-label-hidden"> <div class="field__items"> <div property="schema:text" class="field__item"><p>Fair call! Leave it with me...</p> </div> </div> </div> <drupal-render-placeholder callback="comment.lazy_builders:renderLinks" arguments="0=167&amp;1=default&amp;2=en&amp;3=" token="5EsOUo5fz0dhfO2bRk_l-ywwj6OH5l8p9nz86QNDu_A"></drupal-render-placeholder> </div> </div> </article> <div class="indented"><article data-comment-user-id="1" id="comment-342" about="/comment/342" typeof="schema:Comment" class="comment js-comment by-node-author has-title clearfix"> <div class="comment__container"> <h3 property="schema:name" datatype="" class="comment__title"> <a href="/comment/342#comment-342" class="permalink" rel="bookmark" hreflang="en">Backup script update...</a> <span class="comment__new marker marker--success hidden" data-comment-timestamp="1581631657"></span> </h3> <div class="comment__meta"> <div class="comment__submitted"> <span class="comment__author"><span rel="schema:author"><a title="View user profile." href="/user/1" lang="" about="/user/1" typeof="schema:Person" property="schema:name" datatype="" class="username">dave</a></span> </span> <span class="comment__pubdate">Fri 14/02/2020 - 11:07 <span property="schema:dateCreated" content="2020-02-13T22:07:37+00:00" class="rdf-meta hidden"></span> </span> </div> </div> <div class="comment__content"> <p class="comment__parent visually-hidden">In reply to <a href="/comment/167#comment-167" class="permalink" rel="bookmark" hreflang="en">Fair call! Leave it with me…</a> by <a title="View user profile." href="/user/1" lang="" about="/user/1" typeof="schema:Person" property="schema:name" datatype="" class="username">dave</a></p> <div property="schema:text" class="clearfix text-formatted field field-comment--comment-body field-name-comment-body field-type-text-long field-label-hidden"> <div class="field__items"> <div property="schema:text" class="field__item"><p>I've published a new post which describes the SQLite backup script and points to the publicly visible git repo, linked in the article now. I've also updated the question of the admin code...</p> </div> </div> </div> <drupal-render-placeholder callback="comment.lazy_builders:renderLinks" arguments="0=342&amp;1=default&amp;2=en&amp;3=" token="ukuAKkHDAuErmOn-ice3ptjHTOoqGV13cGbtjg82D9k"></drupal-render-placeholder> </div> </div> </article> </div></div><article data-comment-user-id="0" id="comment-788" about="/comment/788" typeof="schema:Comment" class="comment js-comment by-anonymous has-title clearfix"> <div class="comment__container"> <h3 property="schema:name" datatype="" class="comment__title"> <a href="/comment/788#comment-788" class="permalink" rel="bookmark" hreflang="en">Thank You!</a> <span class="comment__new marker marker--success hidden" data-comment-timestamp="1599790208"></span> </h3> <div class="comment__meta"> <div class="comment__submitted"> <span class="comment__author"><span rel="schema:author"><span lang="" typeof="schema:Person" property="schema:name" datatype="">SS (not verified)</span></span> </span> <span class="comment__pubdate">Tue 08/09/2020 - 07:06 <span property="schema:dateCreated" content="2020-09-07T19:06:51+00:00" class="rdf-meta hidden"></span> </span> </div> </div> <div class="comment__content"> <div property="schema:text" class="clearfix text-formatted field field-comment--comment-body field-name-comment-body field-type-text-long field-label-hidden"> <div class="field__items"> <div property="schema:text" class="field__item"><p>This is the best tutorial I&#039;ve come across for getting BitWarden up and running on a Pi.</p> <p>It worked the first time through. There a couple nice things that aren&#039;t obvious to the newbie that I tracked down after everything was up and running. Setting a docker restart policy for the BW container that ensures that the container comes up after a power interruption was a pleasant surprise. </p> <p>One thing that isn&#039;t clear to the absolute newbie is that it&#039;s probably better to set up on a subdomain rather than a domain if you want to use NGINX for serving other things. I wasn&#039;t thinking about that when I did the initial setup, and that&#039;s leading to rework... Ideally, I&#039;d like to have BitWarden sitting on a nonobvious subdomain, and serve up other things on the obvious ones, like the bare domain or <a href="http://www.example.xyz">www.example.xyz</a>.</p> <p>Again, thanks for a great post.</p> </div> </div> </div> <drupal-render-placeholder callback="comment.lazy_builders:renderLinks" arguments="0=788&amp;1=default&amp;2=en&amp;3=" token="9n0zD1HbCjrKLmdvYGdyrEz07IZBRPpAphuhUIdiciQ"></drupal-render-placeholder> </div> </div> </article> <div class="indented"><article data-comment-user-id="1" id="comment-793" about="/comment/793" typeof="schema:Comment" class="comment js-comment by-node-author has-title clearfix"> <div class="comment__container"> <h3 property="schema:name" datatype="" class="comment__title"> <a href="/comment/793#comment-793" class="permalink" rel="bookmark" hreflang="en">Use a subdomain!</a> <span class="comment__new marker marker--success hidden" data-comment-timestamp="1599792389"></span> </h3> <div class="comment__meta"> <div class="comment__submitted"> <span class="comment__author"><span rel="schema:author"><a title="View user profile." href="/user/1" lang="" about="/user/1" typeof="schema:Person" property="schema:name" datatype="" class="username">dave</a></span> </span> <span class="comment__pubdate">Fri 11/09/2020 - 14:46 <span property="schema:dateCreated" content="2020-09-11T02:46:29+00:00" class="rdf-meta hidden"></span> </span> </div> </div> <div class="comment__content"> <p class="comment__parent visually-hidden">In reply to <a href="/comment/788#comment-788" class="permalink" rel="bookmark" hreflang="en">Thank You!</a> by <span lang="" typeof="schema:Person" property="schema:name" datatype="">SS (not verified)</span></p> <div property="schema:text" class="clearfix text-formatted field field-comment--comment-body field-name-comment-body field-type-text-long field-label-hidden"> <div class="field__items"> <div property="schema:text" class="field__item"><p>Thanks for the suggestion, SS - I've added a note regarding using subdomains! And thanks for the positive feedback - hope your BitWarden is providing you with what you need!</p> </div> </div> </div> <drupal-render-placeholder callback="comment.lazy_builders:renderLinks" arguments="0=793&amp;1=default&amp;2=en&amp;3=" token="mDd3QaMURnHddjJwNSFd8gkASpIOnAaSZq2qA6Z7QIM"></drupal-render-placeholder> </div> </div> </article> </div><article data-comment-user-id="0" id="comment-791" about="/comment/791" typeof="schema:Comment" class="comment js-comment by-anonymous has-title clearfix"> <div class="comment__container"> <h3 property="schema:name" datatype="" class="comment__title"> <a href="/comment/791#comment-791" class="permalink" rel="bookmark" hreflang="en">Login</a> <span class="comment__new marker marker--success hidden" data-comment-timestamp="1599790281"></span> </h3> <div class="comment__meta"> <div class="comment__submitted"> <span class="comment__author"><span rel="schema:author"><span lang="" typeof="schema:Person" property="schema:name" datatype="">Daniel Lamb (not verified)</span></span> </span> <span class="comment__pubdate">Fri 11/09/2020 - 04:20 <span property="schema:dateCreated" content="2020-09-10T16:20:37+00:00" class="rdf-meta hidden"></span> </span> </div> </div> <div class="comment__content"> <div property="schema:text" class="clearfix text-formatted field field-comment--comment-body field-name-comment-body field-type-text-long field-label-hidden"> <div class="field__items"> <div property="schema:text" class="field__item"><p>Hello,<br /> sorry might be being thick here but trying to login after follwing the setup guide and dont know what I should put in the username, I am using the token generated and in the yaml file.</p> <p>Daniel</p> </div> </div> </div> <drupal-render-placeholder callback="comment.lazy_builders:renderLinks" arguments="0=791&amp;1=default&amp;2=en&amp;3=" token="2-gy49yCLhcMgXJLWSm-gmP574jf4pcpE4YajzKnBZ8"></drupal-render-placeholder> </div> </div> </article> <div class="indented"><article data-comment-user-id="1" id="comment-792" about="/comment/792" typeof="schema:Comment" class="comment js-comment by-node-author has-title clearfix"> <div class="comment__container"> <h3 property="schema:name" datatype="" class="comment__title"> <a href="/comment/792#comment-792" class="permalink" rel="bookmark" hreflang="en">First login...</a> <span class="comment__new marker marker--success hidden" data-comment-timestamp="1599792248"></span> </h3> <div class="comment__meta"> <div class="comment__submitted"> <span class="comment__author"><span rel="schema:author"><a title="View user profile." href="/user/1" lang="" about="/user/1" typeof="schema:Person" property="schema:name" datatype="" class="username">dave</a></span> </span> <span class="comment__pubdate">Fri 11/09/2020 - 14:44 <span property="schema:dateCreated" content="2020-09-11T02:44:08+00:00" class="rdf-meta hidden"></span> </span> </div> </div> <div class="comment__content"> <p class="comment__parent visually-hidden">In reply to <a href="/comment/791#comment-791" class="permalink" rel="bookmark" hreflang="en">Login</a> by <span lang="" typeof="schema:Person" property="schema:name" datatype="">Daniel Lamb (not verified)</span></p> <div property="schema:text" class="clearfix text-formatted field field-comment--comment-body field-name-comment-body field-type-text-long field-label-hidden"> <div class="field__items"> <div property="schema:text" class="field__item"><p>Hi Daniel,</p> <p>Sorry that I wasn't clear - to be honest, I'm not sure what the latest versions use for the first login, but from memory, the very first visitor to a new BitWarden site sees a special login form asking them to enter their Admin Token which then allows them to set up their normal user login details (an email address and passphrase)... If you <em>don't </em>see something like that, then I would expect you could remove the Sqlite db file forcing a reinitialisation of the system.</p> </div> </div> </div> <drupal-render-placeholder callback="comment.lazy_builders:renderLinks" arguments="0=792&amp;1=default&amp;2=en&amp;3=" token="vah-Jl2qUpIYJyQ7onBYSC8CaaSRZgWoiMkqd4n-2B4"></drupal-render-placeholder> </div> </div> </article> </div><article data-comment-user-id="0" id="comment-797" about="/comment/797" typeof="schema:Comment" class="comment js-comment by-anonymous has-title clearfix"> <div class="comment__container"> <h3 property="schema:name" datatype="" class="comment__title"> <a href="/comment/797#comment-797" class="permalink" rel="bookmark" hreflang="en">Can you update this for…</a> <span class="comment__new marker marker--success hidden" data-comment-timestamp="1607799359"></span> </h3> <div class="comment__meta"> <div class="comment__submitted"> <span class="comment__author"><span rel="schema:author"><span lang="" typeof="schema:Person" property="schema:name" datatype="">Terry (not verified)</span></span> </span> <span class="comment__pubdate">Sun 13/12/2020 - 04:54 <span property="schema:dateCreated" content="2020-12-12T15:54:15+00:00" class="rdf-meta hidden"></span> </span> </div> </div> <div class="comment__content"> <div property="schema:text" class="clearfix text-formatted field field-comment--comment-body field-name-comment-body field-type-text-long field-label-hidden"> <div class="field__items"> <div property="schema:text" class="field__item"><p>Can you update this for Ubuntu 20.xx and Python3? I&#039;ve tried to deploy, and failed.</p> </div> </div> </div> <drupal-render-placeholder callback="comment.lazy_builders:renderLinks" arguments="0=797&amp;1=default&amp;2=en&amp;3=" token="JNMITOrOBjpIJ84n2lKVRIjo67jxAlzBDQN4oiaLke8"></drupal-render-placeholder> </div> </div> </article> <div class="indented"><article data-comment-user-id="1" id="comment-798" about="/comment/798" typeof="schema:Comment" class="comment js-comment by-node-author has-title clearfix"> <div class="comment__container"> <h3 property="schema:name" datatype="" class="comment__title"> <a href="/comment/798#comment-798" class="permalink" rel="bookmark" hreflang="en">Hi Terry, If you want to…</a> <span class="comment__new marker marker--success hidden" data-comment-timestamp="1607807686"></span> </h3> <div class="comment__meta"> <div class="comment__submitted"> <span class="comment__author"><span rel="schema:author"><a title="View user profile." href="/user/1" lang="" about="/user/1" typeof="schema:Person" property="schema:name" datatype="" class="username">dave</a></span> </span> <span class="comment__pubdate">Sun 13/12/2020 - 10:14 <span property="schema:dateCreated" content="2020-12-12T21:14:46+00:00" class="rdf-meta hidden"></span> </span> </div> </div> <div class="comment__content"> <p class="comment__parent visually-hidden">In reply to <a href="/comment/797#comment-797" class="permalink" rel="bookmark" hreflang="en">Can you update this for…</a> by <span lang="" typeof="schema:Person" property="schema:name" datatype="">Terry (not verified)</span></p> <div property="schema:text" class="clearfix text-formatted field field-comment--comment-body field-name-comment-body field-type-text-long field-label-hidden"> <div class="field__items"> <div property="schema:text" class="field__item"><p>Hi Terry,</p> <p>If you want to use Python3 for Docker Compose, it's easy enough (although it's confusing depending on which distro you're running and whether Python3 is default or has to be designated as <code>python3</code> ... assuming you've got Python3 already installed, you can install pip via <code>sudo apt-get install python3-pip</code> and then you might need to use "pip3" installed by the package manager to install "pip"... e.g. <code>pip3 install pip</code> via the python package (which is independent of your package manager). You should then be able to install and update docker-compose via pip, e.g. <code>sudo pip install docker-compose</code> or, to upgrade, <code>sudo pip install -U docker-compose</code>. And if you want to upgrade pip itself, if you've previously installed pip via pip3, you can use <code>sudo pip install -U pip</code>. It's tricky when you have distro-managed installs and python-installed stuff, but hopefully you can get to the bottom of it - might require a bit of fiddling depending precisely which version/distro of Linux you're using.</p> </div> </div> </div> <drupal-render-placeholder callback="comment.lazy_builders:renderLinks" arguments="0=798&amp;1=default&amp;2=en&amp;3=" token="WTcKgRcmhSZALC_EZySMiwlOW0eOH36nw2wInHSL268"></drupal-render-placeholder> </div> </div> </article> <div class="indented"><article data-comment-user-id="0" id="comment-799" about="/comment/799" typeof="schema:Comment" class="comment js-comment by-anonymous has-title clearfix"> <div class="comment__container"> <h3 property="schema:name" datatype="" class="comment__title"> <a href="/comment/799#comment-799" class="permalink" rel="bookmark" hreflang="en">Turns out it wasn&#039;t anything…</a> <span class="comment__new marker marker--success hidden" data-comment-timestamp="1607972415"></span> </h3> <div class="comment__meta"> <div class="comment__submitted"> <span class="comment__author"><span rel="schema:author"><span lang="" typeof="schema:Person" property="schema:name" datatype="">Terry (not verified)</span></span> </span> <span class="comment__pubdate">Tue 15/12/2020 - 01:20 <span property="schema:dateCreated" content="2020-12-14T12:20:22+00:00" class="rdf-meta hidden"></span> </span> </div> </div> <div class="comment__content"> <p class="comment__parent visually-hidden">In reply to <a href="/comment/798#comment-798" class="permalink" rel="bookmark" hreflang="en">Hi Terry, If you want to…</a> by <a title="View user profile." href="/user/1" lang="" about="/user/1" typeof="schema:Person" property="schema:name" datatype="" class="username">dave</a></p> <div property="schema:text" class="clearfix text-formatted field field-comment--comment-body field-name-comment-body field-type-text-long field-label-hidden"> <div class="field__items"> <div property="schema:text" class="field__item"><p>Turns out it wasn&#039;t anything to do with python3 or pip, I had previously managed to have them installed &amp; working properly.<br /> Looks like it was something with the docker images host on the weekend when I was doing this as the docker pull command always errored out. I just did it now (Monday morning) and the pull worked, and docker up was successful.<br /> Thanks for the great tutorial!</p> </div> </div> </div> <drupal-render-placeholder callback="comment.lazy_builders:renderLinks" arguments="0=799&amp;1=default&amp;2=en&amp;3=" token="aGMZHpXsn6-Wvj9zGwd7njwt44jqKGsy2xJDZOP41CI"></drupal-render-placeholder> </div> </div> </article> <div class="indented"><article data-comment-user-id="1" id="comment-800" about="/comment/800" typeof="schema:Comment" class="comment js-comment by-node-author has-title clearfix"> <div class="comment__container"> <h3 property="schema:name" datatype="" class="comment__title"> <a href="/comment/800#comment-800" class="permalink" rel="bookmark" hreflang="en">I&#039;m pleased to hear it all…</a> <span class="comment__new marker marker--success hidden" data-comment-timestamp="1607972457"></span> </h3> <div class="comment__meta"> <div class="comment__submitted"> <span class="comment__author"><span rel="schema:author"><a title="View user profile." href="/user/1" lang="" about="/user/1" typeof="schema:Person" property="schema:name" datatype="" class="username">dave</a></span> </span> <span class="comment__pubdate">Tue 15/12/2020 - 08:00 <span property="schema:dateCreated" content="2020-12-14T19:00:57+00:00" class="rdf-meta hidden"></span> </span> </div> </div> <div class="comment__content"> <p class="comment__parent visually-hidden">In reply to <a href="/comment/799#comment-799" class="permalink" rel="bookmark" hreflang="en">Turns out it wasn&#039;t anything…</a> by <span lang="" typeof="schema:Person" property="schema:name" datatype="">Terry (not verified)</span></p> <div property="schema:text" class="clearfix text-formatted field field-comment--comment-body field-name-comment-body field-type-text-long field-label-hidden"> <div class="field__items"> <div property="schema:text" class="field__item"><p>I'm pleased to hear it all worked out for you! Enjoy!</p> </div> </div> </div> <drupal-render-placeholder callback="comment.lazy_builders:renderLinks" arguments="0=800&amp;1=default&amp;2=en&amp;3=" token="paAK9EdaOFVkj1k6yyTUH6vafn7J3iOShwHJ1ZKj7QU"></drupal-render-placeholder> </div> </div> </article> </div></div></div><article data-comment-user-id="0" id="comment-804" about="/comment/804" typeof="schema:Comment" class="comment js-comment by-anonymous has-title clearfix"> <div class="comment__container"> <h3 property="schema:name" datatype="" class="comment__title"> <a href="/comment/804#comment-804" class="permalink" rel="bookmark" hreflang="en">we&#039;ve set up our own locally…</a> <span class="comment__new marker marker--success hidden" data-comment-timestamp="1616005887"></span> </h3> <div class="comment__meta"> <div class="comment__submitted"> <span class="comment__author"><span rel="schema:author"><span lang="" typeof="schema:Person" property="schema:name" datatype="">Jeff (not verified)</span></span> </span> <span class="comment__pubdate">Thu 18/03/2021 - 04:21 <span property="schema:dateCreated" content="2021-03-17T15:21:57+00:00" class="rdf-meta hidden"></span> </span> </div> </div> <div class="comment__content"> <div property="schema:text" class="clearfix text-formatted field field-comment--comment-body field-name-comment-body field-type-text-long field-label-hidden"> <div class="field__items"> <div property="schema:text" class="field__item"><p>we&#039;ve set up our own locally hosted bitwarden, &quot;oursite.bitwarden.com&quot; but want to either block or redirect our users from being able to inadvertently go to the main web-based bitwarden.com can you provide suggestions?</p> </div> </div> </div> <drupal-render-placeholder callback="comment.lazy_builders:renderLinks" arguments="0=804&amp;1=default&amp;2=en&amp;3=" token="oRxs6opoJeCa_tsOx_ISwx8am50pKkA07oeZQsnUgzQ"></drupal-render-placeholder> </div> </div> </article> <div class="indented"><article data-comment-user-id="1" id="comment-805" about="/comment/805" typeof="schema:Comment" class="comment js-comment by-node-author has-title clearfix"> <div class="comment__container"> <h3 property="schema:name" datatype="" class="comment__title"> <a href="/comment/805#comment-805" class="permalink" rel="bookmark" hreflang="en">Interesting question... I&#039;m…</a> <span class="comment__new marker marker--success hidden" data-comment-timestamp="1616006000"></span> </h3> <div class="comment__meta"> <div class="comment__submitted"> <span class="comment__author"><span rel="schema:author"><a title="View user profile." href="/user/1" lang="" about="/user/1" typeof="schema:Person" property="schema:name" datatype="" class="username">dave</a></span> </span> <span class="comment__pubdate">Thu 18/03/2021 - 07:33 <span property="schema:dateCreated" content="2021-03-17T18:33:20+00:00" class="rdf-meta hidden"></span> </span> </div> </div> <div class="comment__content"> <p class="comment__parent visually-hidden">In reply to <a href="/comment/804#comment-804" class="permalink" rel="bookmark" hreflang="en">we&#039;ve set up our own locally…</a> by <span lang="" typeof="schema:Person" property="schema:name" datatype="">Jeff (not verified)</span></p> <div property="schema:text" class="clearfix text-formatted field field-comment--comment-body field-name-comment-body field-type-text-long field-label-hidden"> <div class="field__items"> <div property="schema:text" class="field__item"><p>Interesting question... I'm afraid I can't think of an easy way to achieve that... :/ I'd say the best thing is to create BW users for your users and install and configure their clients for them. That way, they won't be able to lot into the bitwarden.com service with the same credentials....</p> </div> </div> </div> <drupal-render-placeholder callback="comment.lazy_builders:renderLinks" arguments="0=805&amp;1=default&amp;2=en&amp;3=" token="3iv1o5vcthvfWKPqQDTTZJ9Sh8SKnyT6WiOZm9hEpJg"></drupal-render-placeholder> </div> </div> </article> </div><article data-comment-user-id="0" id="comment-812" about="/comment/812" typeof="schema:Comment" class="comment js-comment by-anonymous has-title clearfix"> <div class="comment__container"> <h3 property="schema:name" datatype="" class="comment__title"> <a href="/comment/812#comment-812" class="permalink" rel="bookmark" hreflang="en">Anybody who has the URL can…</a> <span class="comment__new marker marker--success hidden" data-comment-timestamp="1629771059"></span> </h3> <div class="comment__meta"> <div class="comment__submitted"> <span class="comment__author"><span rel="schema:author"><span lang="" typeof="schema:Person" property="schema:name" datatype="">Philippe (not verified)</span></span> </span> <span class="comment__pubdate">Tue 24/08/2021 - 14:09 <span property="schema:dateCreated" content="2021-08-24T02:09:48+00:00" class="rdf-meta hidden"></span> </span> </div> </div> <div class="comment__content"> <div property="schema:text" class="clearfix text-formatted field field-comment--comment-body field-name-comment-body field-type-text-long field-label-hidden"> <div class="field__items"> <div property="schema:text" class="field__item"><p>Anybody who has the URL can open an Bitwarden account on a self hosted installation. How do I control who can create a new account?</p> </div> </div> </div> <drupal-render-placeholder callback="comment.lazy_builders:renderLinks" arguments="0=812&amp;1=default&amp;2=en&amp;3=" token="CTzzNjnBjtIR96MLtSMFqjSId0xTu7vR_0xyaxdkMto"></drupal-render-placeholder> </div> </div> </article> <div class="indented"><article data-comment-user-id="1" id="comment-813" about="/comment/813" typeof="schema:Comment" class="comment js-comment by-node-author has-title clearfix"> <div class="comment__container"> <h3 property="schema:name" datatype="" class="comment__title"> <a href="/comment/813#comment-813" class="permalink" rel="bookmark" hreflang="en">If you log in as an admin …</a> <span class="comment__new marker marker--success hidden" data-comment-timestamp="1629771146"></span> </h3> <div class="comment__meta"> <div class="comment__submitted"> <span class="comment__author"><span rel="schema:author"><a title="View user profile." href="/user/1" lang="" about="/user/1" typeof="schema:Person" property="schema:name" datatype="" class="username">dave</a></span> </span> <span class="comment__pubdate">Tue 24/08/2021 - 14:12 <span property="schema:dateCreated" content="2021-08-24T02:12:26+00:00" class="rdf-meta hidden"></span> </span> </div> </div> <div class="comment__content"> <p class="comment__parent visually-hidden">In reply to <a href="/comment/812#comment-812" class="permalink" rel="bookmark" hreflang="en">Anybody who has the URL can…</a> by <span lang="" typeof="schema:Person" property="schema:name" datatype="">Philippe (not verified)</span></p> <div property="schema:text" class="clearfix text-formatted field field-comment--comment-body field-name-comment-body field-type-text-long field-label-hidden"> <div class="field__items"> <div property="schema:text" class="field__item"><p>If you log in as an admin (use the /admin URL - the password is in your docker-compose.yml file) you can disable random sign-ups (e.g. and make it invite-only). You can also disable any existing accounts you don't want there.</p></div> </div> </div> <drupal-render-placeholder callback="comment.lazy_builders:renderLinks" arguments="0=813&amp;1=default&amp;2=en&amp;3=" token="dbxstyS8y3OQ1Z6Vz7AIyPds-SIKszQNJDNpgzL4nHY"></drupal-render-placeholder> </div> </div> </article> </div> <div class="comment-form-wrapper"> <h2 class="comment-form__title">Add new comment</h2> <drupal-render-placeholder callback="comment.lazy_builders:renderForm" arguments="0=node&amp;1=25&amp;2=field_blog_comments&amp;3=comment" token="hKQtrXBA7ErwoC_B3-AO9Vd7GHqkXf0X-QAroc-dhuE"></drupal-render-placeholder> </div> </section> Fri, 20 Aug 2021 23:30:13 +0000 dave 25 at http://tech.oeru.org Installing NextCloud Hub with OnlyOffice on Ubuntu 18.04 http://tech.oeru.org/installing-nextcloud-hub-onlyoffice-ubuntu-1804 <span class="field field--name-title field--type-string field--label-hidden">Installing NextCloud Hub with OnlyOffice on Ubuntu 18.04</span> <div class="field field-node--field-blog-tags field-name-field-blog-tags field-type-entity-reference field-label-above"> <h3 class="field__label">Blog tags</h3> <div class="field__items"> <div class="field__item field__item--ubuntu-linux"> <span class="field__item-wrapper"><a href="/taxonomy/term/12" hreflang="en">ubuntu linux</a></span> </div> <div class="field__item field__item--_804"> <span class="field__item-wrapper"><a href="/taxonomy/term/68" hreflang="en">18.04</a></span> </div> <div class="field__item field__item--nextcloud"> <span class="field__item-wrapper"><a href="/taxonomy/term/51" hreflang="en">nextcloud</a></span> </div> <div class="field__item field__item--onlyoffice"> <span class="field__item-wrapper"><a href="/taxonomy/term/69" hreflang="en">onlyoffice</a></span> </div> <div class="field__item field__item--mariadb"> <span class="field__item-wrapper"><a href="/taxonomy/term/48" hreflang="en">mariadb</a></span> </div> <div class="field__item field__item--docker-compose"> <span class="field__item-wrapper"><a href="/taxonomy/term/25" hreflang="en">docker compose</a></span> </div> <div class="field__item field__item--docker"> <span class="field__item-wrapper"><a href="/taxonomy/term/16" hreflang="en">docker</a></span> </div> <div class="field__item field__item--php"> <span class="field__item-wrapper"><a href="/taxonomy/term/40" hreflang="en">php</a></span> </div> <div class="field__item field__item--redis"> <span class="field__item-wrapper"><a href="/taxonomy/term/21" hreflang="en">redis</a></span> </div> <div class="field__item field__item--polls"> <span class="field__item-wrapper"><a href="/taxonomy/term/70" hreflang="en">polls</a></span> </div> <div class="field__item field__item--scheduling"> <span class="field__item-wrapper"><a href="/taxonomy/term/71" hreflang="en">scheduling</a></span> </div> </div> </div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><a title="View user profile." href="/user/1" lang="" about="/user/1" typeof="schema:Person" property="schema:name" datatype="" class="username">dave</a></span> <span class="field field--name-created field--type-created field--label-hidden">Tue 04/02/2020 - 09:41</span> <div class="field field-node--field-image field-name-field-image field-type-image field-label-hidden has-multiple"> <figure class="field-type-image__figure image-count-1"> <div class="field-type-image__item"> <a href="http://tech.oeru.org/sites/default/files/styles/max_1300x1300/public/2020-02/Screenshot_2020-02-11-2%20file-sample_1MB%20docx%20-%20Lane%20NextCloud.png?itok=bqhSZGni" aria-controls="colorbox" aria-label="{&quot;alt&quot;:&quot;Sample DOCX file being edited in open source OnlyOffice&quot;}" role="button" title="Sample DOCX file being edited in open source OnlyOffice" data-colorbox-gallery="gallery-field_image-_dEHMneaDCU" class="colorbox" data-cbox-img-attrs="{&quot;alt&quot;:&quot;Sample DOCX file being edited in open source OnlyOffice&quot;}"><img src="/sites/default/files/styles/medium/public/2020-02/Screenshot_2020-02-11-2%20file-sample_1MB%20docx%20-%20Lane%20NextCloud.png?itok=OW_2e1WM" width="220" height="140" alt="Sample DOCX file being edited in open source OnlyOffice" loading="lazy" typeof="foaf:Image" class="image-style-medium" /> </a> </div> </figure> <figure class="field-type-image__figure image-count-2"> <div class="field-type-image__item"> <a href="http://tech.oeru.org/sites/default/files/styles/max_1300x1300/public/2020-02/Screenshot_2020-02-11%20Digital%20Storage%20Weight%20and%20Volume%20xlsx%20-%20Lane%20NextCloud.png?itok=luaOg5rt" aria-controls="colorbox" aria-label="{&quot;alt&quot;:&quot;Sample XLSX file being edited in open source OnlyOffice&quot;}" role="button" title="Sample XLSX file being edited in open source OnlyOffice" data-colorbox-gallery="gallery-field_image-_dEHMneaDCU" class="colorbox" data-cbox-img-attrs="{&quot;alt&quot;:&quot;Sample XLSX file being edited in open source OnlyOffice&quot;}"><img src="/sites/default/files/styles/medium/public/2020-02/Screenshot_2020-02-11%20Digital%20Storage%20Weight%20and%20Volume%20xlsx%20-%20Lane%20NextCloud.png?itok=CZcvoi7c" width="220" height="140" alt="Sample XLSX file being edited in open source OnlyOffice" loading="lazy" typeof="foaf:Image" class="image-style-medium" /> </a> </div> </figure> <figure class="field-type-image__figure image-count-3"> <div class="field-type-image__item"> <a href="http://tech.oeru.org/sites/default/files/styles/max_1300x1300/public/2020-02/Screenshot_2020-02-11%20file-sample_1MB%20docx%20-%20Lane%20NextCloud.png?itok=GzQZ26uC" aria-controls="colorbox" aria-label="{&quot;alt&quot;:&quot;Another example of DOCX file being edited in open source OnlyOffice&quot;}" role="button" title="Another example of DOCX file being edited in open source OnlyOffice" data-colorbox-gallery="gallery-field_image-_dEHMneaDCU" class="colorbox" data-cbox-img-attrs="{&quot;alt&quot;:&quot;Another example of DOCX file being edited in open source OnlyOffice&quot;}"><img src="/sites/default/files/styles/medium/public/2020-02/Screenshot_2020-02-11%20file-sample_1MB%20docx%20-%20Lane%20NextCloud.png?itok=9KcMLR4t" width="220" height="140" alt="Another example of DOCX file being edited in open source OnlyOffice" loading="lazy" typeof="foaf:Image" class="image-style-medium" /> </a> </div> </figure> <figure class="field-type-image__figure image-count-4"> <div class="field-type-image__item"> <a href="http://tech.oeru.org/sites/default/files/styles/max_1300x1300/public/2020-02/Screenshot_2020-02-11%20Files%20-%20OERu%20NextCloud.png?itok=Zm3uP_wT" aria-controls="colorbox" aria-label="{&quot;alt&quot;:&quot;Sample of web-view of NextCloud files and folders.&quot;}" role="button" title="Sample of web-view of NextCloud files and folders." data-colorbox-gallery="gallery-field_image-_dEHMneaDCU" class="colorbox" data-cbox-img-attrs="{&quot;alt&quot;:&quot;Sample of web-view of NextCloud files and folders.&quot;}"><img src="/sites/default/files/styles/medium/public/2020-02/Screenshot_2020-02-11%20Files%20-%20OERu%20NextCloud.png?itok=Bpnx2qg6" width="220" height="155" alt="Sample of web-view of NextCloud files and folders." loading="lazy" typeof="foaf:Image" class="image-style-medium" /> </a> </div> </figure> <figure class="field-type-image__figure image-count-5"> <div class="field-type-image__item"> <a href="http://tech.oeru.org/sites/default/files/styles/max_1300x1300/public/2020-02/Screenshot_2020-02-11%20Polls%20-%20NZOSS%20Nextcloud.png?itok=Fp17si_J" aria-controls="colorbox" aria-label="{&quot;alt&quot;:&quot;A sample NextCloud Poll (alternative to Doodle Polls) for scheduling. Yes, it&#039;s timezone-aware!&quot;}" role="button" title="A sample NextCloud Poll (alternative to Doodle Polls) for scheduling. Yes, it&#039;s timezone-aware!" data-colorbox-gallery="gallery-field_image-_dEHMneaDCU" class="colorbox" data-cbox-img-attrs="{&quot;alt&quot;:&quot;A sample NextCloud Poll (alternative to Doodle Polls) for scheduling. Yes, it&#039;s timezone-aware!&quot;}"><img src="/sites/default/files/styles/medium/public/2020-02/Screenshot_2020-02-11%20Polls%20-%20NZOSS%20Nextcloud.png?itok=8rpIpQne" width="220" height="154" alt="A sample NextCloud Poll (alternative to Doodle Polls) for scheduling. Yes, it&#039;s timezone-aware!" loading="lazy" typeof="foaf:Image" class="image-style-medium" /> </a> </div> </figure> <figure class="field-type-image__figure image-count-6"> <div class="field-type-image__item"> <a href="http://tech.oeru.org/sites/default/files/styles/max_1300x1300/public/2020-02/Screenshot_2020-02-12%20ONLYOFFICE%E2%84%A2.png?itok=04xrGCN1" aria-controls="colorbox" aria-label="{&quot;alt&quot;:&quot;If your onlyoffice.domain server is working, this is what you should see in your browser!&quot;}" role="button" title="If your onlyoffice.domain server is working, this is what you should see in your browser!" data-colorbox-gallery="gallery-field_image-_dEHMneaDCU" class="colorbox" data-cbox-img-attrs="{&quot;alt&quot;:&quot;If your onlyoffice.domain server is working, this is what you should see in your browser!&quot;}"><img src="/sites/default/files/styles/medium/public/2020-02/Screenshot_2020-02-12%20ONLYOFFICE%E2%84%A2.png?itok=1I3F7Cbi" width="220" height="187" alt="If your onlyoffice.domain server is working, this is what you should see in your browser!" loading="lazy" typeof="foaf:Image" class="image-style-medium" /> </a> </div> </figure> <figure class="field-type-image__figure image-count-7"> <div class="field-type-image__item"> <a href="http://tech.oeru.org/sites/default/files/styles/max_1300x1300/public/2020-02/Screenshot_2020-02-13%20Apps%20-%20NZOSS%20Nextcloud.png?itok=Io3v-pzT" aria-controls="colorbox" aria-label="{&quot;alt&quot;:&quot;The NextCloud &quot;app&quot; configuration page&quot;}" role="button" title="The NextCloud &quot;app&quot; configuration page" data-colorbox-gallery="gallery-field_image-_dEHMneaDCU" class="colorbox" data-cbox-img-attrs="{&quot;alt&quot;:&quot;The NextCloud &quot;app&quot; configuration page&quot;}"><img src="/sites/default/files/styles/medium/public/2020-02/Screenshot_2020-02-13%20Apps%20-%20NZOSS%20Nextcloud.png?itok=VGORRtXl" width="103" height="220" alt="The NextCloud &quot;app&quot; configuration page" loading="lazy" typeof="foaf:Image" class="image-style-medium" /> </a> </div> </figure> <figure class="field-type-image__figure image-count-8"> <div class="field-type-image__item"> <a href="http://tech.oeru.org/sites/default/files/styles/max_1300x1300/public/2020-02/Screenshot_2020-02-13%20Settings%20-%20NZOSS%20Nextcloud.png?itok=8sZGBrtG" aria-controls="colorbox" aria-label="{&quot;alt&quot;:&quot;The NextCloud settings page. &quot;}" role="button" title="The NextCloud settings page. " data-colorbox-gallery="gallery-field_image-_dEHMneaDCU" class="colorbox" data-cbox-img-attrs="{&quot;alt&quot;:&quot;The NextCloud settings page. &quot;}"><img src="/sites/default/files/styles/medium/public/2020-02/Screenshot_2020-02-13%20Settings%20-%20NZOSS%20Nextcloud.png?itok=98LUc9zv" width="220" height="163" alt="The NextCloud settings page. " loading="lazy" typeof="foaf:Image" class="image-style-medium" /> </a> </div> </figure> <figure class="field-type-image__figure image-count-9"> <div class="field-type-image__item"> <a href="http://tech.oeru.org/sites/default/files/styles/max_1300x1300/public/2020-02/Screenshot_2020-02-13%20Settings%20-%20OnlyOffice%20-%20NZOSS%20Nextcloud_0.png?itok=KwWWWKUT" aria-controls="colorbox" aria-label="{&quot;alt&quot;:&quot;The &quot;OnlyOffice&quot; app configuration page for NextCloud&quot;}" role="button" title="The &quot;OnlyOffice&quot; app configuration page for NextCloud" data-colorbox-gallery="gallery-field_image-_dEHMneaDCU" class="colorbox" data-cbox-img-attrs="{&quot;alt&quot;:&quot;The &quot;OnlyOffice&quot; app configuration page for NextCloud&quot;}"><img src="/sites/default/files/styles/medium/public/2020-02/Screenshot_2020-02-13%20Settings%20-%20OnlyOffice%20-%20NZOSS%20Nextcloud_0.png?itok=JdKSA022" width="220" height="189" alt="The &quot;OnlyOffice&quot; app configuration page for NextCloud" loading="lazy" typeof="foaf:Image" class="image-style-medium" /> </a> </div> </figure> <figure class="field-type-image__figure image-count-10"> <div class="field-type-image__item"> <a href="http://tech.oeru.org/sites/default/files/styles/max_1300x1300/public/2020-02/Screenshot_2020-02-21%20App%20Bundles-%20OERu%20NextCloud.png?itok=3N1GtflH" aria-controls="colorbox" aria-label="{&quot;alt&quot;:&quot;NextCloud App Bundle configuration page.&quot;}" role="button" title="NextCloud App Bundle configuration page." data-colorbox-gallery="gallery-field_image-_dEHMneaDCU" class="colorbox" data-cbox-img-attrs="{&quot;alt&quot;:&quot;NextCloud App Bundle configuration page.&quot;}"><img src="/sites/default/files/styles/medium/public/2020-02/Screenshot_2020-02-21%20App%20Bundles-%20OERu%20NextCloud.png?itok=c1_0PwiH" width="220" height="141" alt="NextCloud App Bundle configuration page." loading="lazy" typeof="foaf:Image" class="image-style-medium" /> </a> </div> </figure> </div> <div class="clearfix text-formatted field field-node--body field-name-body field-type-text-with-summary field-label-hidden"> <div class="field__items"> <div class="field__item"><p>I have previously provided an <a href="/installing-nextcloud-and-collabora-office-online-docker-ubuntu-1604">in-depth explanation about NextCloud with Collabora Office Online and how we've installed it on Ubuntu 16.04</a>. This is an update both of the process, and of the technology. NextCloud is leaping from strength to strength, and seems to be <a href="https://nextcloud.com/blog/eu-governments-choose-independence-from-us-cloud-providers-with-nextcloud/">benefiting from</a> the well-founded concern held by many in the EU about data sovereignty and the market domination (and exploitation) of US-based multinationals like Amazon, Google, Microsoft, Dropbox, and others. As a collaborative, web-based front end to LibreOffice, Collabora shows great potential... but it's not anywhere near the capabilities of Google Docs...</p> <p>The same, however, is not true of a relatively new entry into the web-based collaborative productivity application space: <a href="https://www.onlyoffice.com/">OnlyOffice</a>. The application itself (for the tech focused reader, they've built an entirely <a href="https://github.com/ONLYOFFICE/">new application ecosystem</a> primarily using modern Javascript frameworks)  is impressive in both capabilities and polish. The only real caveat I've come across is that it uses, by default, the <a href="https://openstandards.nz/case-study-microsofts-ooxml-standard">fauxpen standard formats</a> developed by Microsoft rather than the true open standard formats of <a href="https://en.wikipedia.org/wiki/OpenDocument">OpenDocumentFormat</a>. But in a world where, sadly, most people don't even know what a file format is, any software that doesn't read and write the incumbent monopolist's format with great fidelity is dead in the water.  On that count, OnlyOffice is impressive.</p> <h2>NextCloud and OnlyOffice - even better together!</h2> <p>The beauty of the open source software model is that we can connect complementary applications, like NextCloud and OnlyOffice - developed by completely separate communities - to create a tightly integrated, highly functional, diverse computing platform. This combination, along with a bunch of other NextCloud "apps", is the equal of something like Google Apps (which includes Google Docs and Google Drive), but is <em>under your control, not Google's.</em> To me, that's a crucial difference. </p> <p>With the release of NextCloud 18.0.1, NextCloud has bundled OnlyOffice with it, creating something called "<a href="https://nextcloud.com/hub/">NextCloud Hub</a>". It's pretty impressive. That's what we're setting up here!</p> <h2>Setting up your own NextCloud Hub!</h2> <p>Yes, NextCloud and OnlyOffice servers on the same host.</p> <p>If you're game to run your own (and, in my experience, it's a surprisingly well behaved system) here's how you do it.</p> <p>In preparation, you'll want to have the following ready:</p> <ul><li>a Linux virtual machine or "VM" (I recommend running the current Ubuntu LTS version, or current Debian) with an external IP address and a user with sudo privileges - <a href="/setting-your-own-bitwarden-password-keeper-and-sync-server">more info on that</a>...,</li> <li>your domain name for the NextCloud instance, pointing to the IP address of your VM,</li> <li>credentials for an email address capable of sending from a remote server (usually termed an "<a href="/configuring-linux-server-send-email-postfix-smtp-server">authenticating SMTP email account</a>")</li> </ul><p>Please note: the images accompanying this howto have been pulled from several different NextCloud and OnlyOffices I maintain.</p> <h3>Secure access with SSH</h3> <p>First things first, make sure you're logged into your host (probably via SSH) as a user who has "sudo" capabilities! You need to log into the host from your local machine. We recommend setting up <a href="https://www.digitalocean.com/community/tutorials/how-to-configure-ssh-key-based-authentication-on-a-linux-server">key-based authentication</a>.</p> <h3>Firewall with UFW</h3> <p>No computer system is ever full secure - there're always exploits waiting to be found, so security is a process of maintaining vigilance. Part of that is reducing exposure - minimising your "attack surface". Use a firewall - "<a href="https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-16-04" title="Uncomplicated FireWall">ufw</a>" is installed on Ubuntu by default. Make sure you've got exceptions for SSH (without them, you could lock yourself out of your machine! Doh!).</p> <p>Run the following commands to allow your Docker containers to talk to other services on your host.</p> <p><code>sudo ufw allow in on docker0<br /> sudo ufw allow from 172.0.0.0/8 to any</code></p> <p>Specifically for Docker's benefit, you need to tweak the default Forwarding rule (I use "vim" as my editor. If you don't know how to/want to use it, replace <strong>vim</strong> with <strong>nano</strong> everywhere you see it in the following - nano's easier to use for simple edits like this):</p> <p><code>sudo vim /etc/default/ufw</code></p> <p>and copy the line <code>DEFAULT_FORWARD_POLICY="DROP"</code> tweak it to look like this (commenting out the default, but leaving it there for future reference!):</p> <p><code>#DEFAULT_FORWARD_POLICY="DROP"<br /> DEFAULT_FORWARD_POLICY="ACCEPT"</code></p> <p>You also have to edit <code>/etc/ufw/sysctl.conf</code> and remove the "#" at the start of the following lines, so they look like this:</p> <p><code>sudo vim /etc/ufw/sysctl.conf</code></p> <p><code># Uncomment this to allow this host to route packets between interfaces<br /> net/ipv4/ip_forward=1<br /> net/ipv6/conf/default/forwarding=1<br /> net/ipv6/conf/all/forwarding=1</code></p> <p>and finally restart the network stack and ufw on your server<code> </code></p> <p><code>sudo service networking restart<br /> sudo service ufw restart</code></p> <h3>Installing the Nginx webserver</h3> <p>In the configuration I'm describing here, you'll need a webserver running on the server - it'll be acting as a "proxy" for the Docker-based Nginx instance described below. I like the efficiency of Nginx and clarity of Nginx configurations over those of Apache and other open source web servers. Here's how you install it.</p> <p><code>sudo apt-get install nginx-full</code></p> <p>To allow nginx to be visible via ports 80 and 443, run</p> <p><code>sudo ufw allow "Nginx Full"</code></p> <p><strong>Note</strong>: make sure your hosting service is not blocking these ports at some outer layer (depending on who's providing that hosting service you may have to set up port forwarding).</p> <h3>Installing MariaDB</h3> <p>MariaDB is effectively a drop-in alternative to MySQL and we prefer it because it's not controlled by Oracle and has a more active developer community. On Ubuntu, MariaDB pretends to be MySQL for compatibility purposes, so don't be weirded out by the interchangeable names below. Install the server and the client like this.</p> <p><code>sudo apt-get install mariadb-server-10.0 mariadb-client-10.0</code></p> <p>You need to set a root (admin) user password - you might want to create a /root/.my.cnf file containing the following (replacing YOURPASSWORD) to let you access MariaDB without a password from the commandline<code>:</code></p> <p><code>[client]<br /> user=root<br /> password=YOURPASSWORD</code></p> <p>You should now be able to type "mysql" at the command prompt</p> <p>Tweak the configuration so that it's listening on</p> <p><code>sudo vim /etc/mysql/mariadb.conf.d/50-server.cnf </code></p> <p>and copy the bind-address line and adjust so it looks like this - we want MariaDB to be listening on all interfaces, not just localhost (127.0.0.1)...</p> <p><code># Instead of skip-networking the default is now to listen only on<br /> # localhost which is more compatible and is not less secure.<br /> #bind-address           = 127.0.0.1<br /> bind-address            = 0.0.0.0</code></p> <p>Then restart MariaDB:</p> <p><code>sudo service mysql restart</code></p> <p>It should now be listening on port 3306 on all interfaces, i.e. 0.0.0.0.</p> <p>Now set up the database which will hold NextCloud's data. Log into the MySQL client on the host (if you've created a .my.cnf file in your home directory as describe above, you won't need to enter your username and password):</p> <p><code>mysql -u root -p</code></p> <p>Enter your root password when prompted. It's also a good idea to gin up a password for your "nextcloud" database user. I usually use pwgen (<code>sudo apt-get install pwgen</code>) - for example running this command will give you a single 19 character password without special characters (just numbers and letters):</p> <p><code>pwgen -s 19 1</code></p> <p>Giving you something like this (but if it's truly random, almost <em>certainly not exactly </em>this):</p> <p>bYIOSrvR9aGwL5FRGFU</p> <p>At the prompt (which will look something like <code>MariaDB [(none)]&gt;</code>) enter the following lines (putting your password in place of [passwd]):</p> <p><code>CREATE DATABASE nextcloud CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;<br /> CREATE USER "nextcloud"@"%" IDENTIFIED BY "[passwd]";<br /> GRANT ALL ON nextcloud.* to "nextcloud"@"%";<br /> FLUSH PRIVILEGES;</code></p> <p>Then enter \q to exit.</p> <h2>Prepare your Docker Compose host</h2> <p>We make use of the NextCloud community's <a href="https://hub.docker.com/_/nextcloud/" title="Documentation for the reference NextCloud Docker container.">stable Docker container</a> which they keep up to date. Similarly, the OnlyOffice developers maintain a Docker container, too. We will run them both on this same server as separate services via <a href="https://docs.docker.com/compose/">Docker Compose</a>. The two sets of Docker containers will look like this:</p> <ol><li>a suite of NextCloud containers: <ol><li>the main PHP-FPM container (which provides most of the functionality for NextCloud using the PHP scripting engine,</li> <li>an identical container to the PHP one which runs the cron service (which does periodic administrative tasks relevant to NextCloud)</li> <li>a Redis container (which provides performance improving caching for NextCloud), and</li> <li>an Nginx webserver container which makes it easier to manage the configuration and paths of the NextCloud instance. It means that on the hosting server, we only need to run a proxying web server, which is easy.</li> </ol></li> <li>the single OnlyOffice container which, despite the Docker convention of each container running only a single services, runs the whole OnlyOffice stack, which includes PostgreSQL, Nginx, Rabbit-MQ, Python, and NodeJS.</li> </ol><p>The way I prefer to implement this set of containers is to use:</p> <p><code>sudo apt-get install docker-compose </code></p> <p>to set up the entire Docker and Docker Compose system on your server.</p> <p>Then set up a place for your Docker containers (replace "me" with your non-root username on the server) and the associated persistent data (your Docker containers should hold <em>no</em> important data - you should be able to delete and recreate them entirely without losing any important data or configuration):</p> <p><code>sudo mkdir /home/data</code><br /><code>sudo mkdir /home/data/nextcloud<br /> sudo mkdir /home/data/nextcloud-nginx<br /> sudo mkdir /home/data/nextcloud-redis</code><br /><code>sudo mkdir /home/data/onlyoffice</code><br /><code>sudo mkdir /home/docker<br /> sudo mkdir /home/docker/nextcloud</code><br /><code>sudo chown -R me:me /home/docker</code></p> <h2>NextCloud Install</h2> <p>First, let's set up NextCloud (this also installs the OnlyOffice server):</p> <p><code>cd /home/docker/nextcloud</code></p> <p>Here's an example of the required docker-compose.yml file (you can create this via a text editor like "nano" which should be pre-installed on any VM these days (or use my preferred, but less intuitive, editor, vim) <code>nano docker-compose.yml</code> in the /home/docker/nextcloud directory):</p> <p><code>version: '3'<br /> services:<br />   nginx:<br />     container_name: nginx-server<br />     image: nginx<br />     ports:<br />       - 127.0.0.1:8082:80<br />     volumes:<br />       - /home/data/nextcloud-nginx/nginx/nginx.conf:/etc/nginx/nginx.conf:ro<br />       - /home/data/nextcloud:/var/www/html<br />     links:<br />       - app<br />     environment:<br />       - VIRTUAL_HOST<br />     restart: unless-stopped      <br />   app:<br />     container_name: app-server<br />     image: nextcloud:fpm<br />     stdin_open: true<br />     tty: true<br />     links:<br />       - redis<br />     expose:<br />       - '80'<br />       - '9000'<br />     volumes:<br />       - /home/data/nextcloud:/var/www/html<br />     restart: unless-stopped      <br />   cron:<br />     image: nextcloud:fpm<br />     volumes:<br />       - /home/data/nextcloud:/var/www/html<br />     user: www-data<br />     entrypoint: |<br />       bash -c 'bash -s &lt;&lt;EOF<br />       trap "break;exit" SIGHUP SIGINT SIGTERM<br />       while /bin/true; do<br />         /usr/local/bin/php /var/www/html/cron.php<br />         sleep 900<br />       done<br />       EOF'<br />     restart: unless-stopped      <br />   redis:<br />     image: redis:alpine<br />     volumes:<br />       - /home/data/nextcloud-redis:/data<br />     restart: unless-stopped<br />   onlyoffice-document-server:<br />     container_name: onlyoffice-document-server<br />     image: onlyoffice/documentserver:latest<br />     stdin_open: true<br />     tty: true<br />     restart: unless-stopped<br />     expose:<br />       - '80'<br />       - '443'<br />     volumes:<br />       - /home/data/onlyoffice/data:/var/www/onlyoffice/Data<br />       - /home/data/onlyoffice/log:/var/log/onlyoffice</code></p> <p>The "port" specified above, 8082 for <code>nginx</code> is arbitrary - I picked it to ensure it doesn't don't conflict with ports being used by other containers on my server - you can use these if you want, or use <code>sudo netstat -punta</code> to see what ports are currently claimed by other services on your server (if there are any) and pick one that doesn't clash! If it scroll past too fast, you can pipe it into less to allow you to scroll and search like this: <code>sudo netstat -punta | less</code> - hit "q" to exit or "/" to initiate a text search.</p> <p>You will also need to provide the "nginx.conf" file referenced in the nginx section of the file. Do that by using your editor, e.g. <code>nano nginx.conf</code>, and enter this content (you shouldn't need to alter anything):</p> <p><code>user  www-data;</code></p> <p><code>worker_processes  1;</code></p> <p><code>error_log  /var/log/nginx/error.log warn;<br /> pid        /var/run/nginx.pid;</code></p> <p><code>events {<br />     worker_connections  1024;<br /> }</code></p> <p><code>http {<br />     upstream backend {<br />         server app-server:9000;<br />     }</code></p> <p><code>    include       /etc/nginx/mime.types;<br />     default_type  application/octet-stream;</code></p> <p><code>    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '<br />                       '$status $body_bytes_sent "$http_referer" '<br />                       '"$http_user_agent" "$http_x_forwarded_for"';</code></p> <p><code>    access_log  /var/log/nginx/access.log  main;</code></p> <p><code>    sendfile        on;<br />     #tcp_nopush     on;</code></p> <p><code>    keepalive_timeout  65;</code></p> <p><code>    map $http_host $this_host {<br />         "" $host;<br />         default $http_host;<br />     }</code></p> <p><code>    map $http_x_forwarded_proto $the_scheme {<br />         default $http_x_forwarded_proto;<br />         "" $scheme;<br />     }</code></p> <p><code>    map $http_x_forwarded_host $the_host {<br />         default $http_x_forwarded_host;<br />         "" $this_host;<br />     }</code></p> <p><code>    server {<br />         listen 80;</code></p> <p><code>        # Add headers to serve security related headers<br />         add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";<br />         add_header X-Content-Type-Options nosniff;<br />         add_header X-XSS-Protection "1; mode=block";<br />         add_header X-Robots-Tag none;<br />         add_header X-Download-Options noopen;<br />         add_header X-Permitted-Cross-Domain-Policies none;</code></p> <p><code>        root /var/www/html;<br />         client_max_body_size 10G; # 0=unlimited - set max upload size<br />         fastcgi_buffers 64 4K;</code></p> <p><code>        gzip off;</code></p> <p><code>        index index.php;<br />         error_page 403 /core/templates/403.php;<br />         error_page 404 /core/templates/404.php;</code></p> <p><code>        rewrite ^/.well-known/carddav /remote.php/dav/ permanent;<br />         rewrite ^/.well-known/caldav /remote.php/dav/ permanent;</code></p> <p><code>        location = /robots.txt {<br />             allow all;<br />             log_not_found off;<br />             access_log off;<br />         }</code></p> <p><code>        location ~ ^/(build|tests|config|lib|3rdparty|templates|data)/ {<br />             deny all;<br />         }</code></p> <p><code>        location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {<br />             deny all;<br />         }</code></p> <p><code>        location / {<br />             rewrite ^/remote/(.*) /remote.php last;<br />             rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;<br />             try_files $uri $uri/ =404;<br />         }</code></p> <p><code>        location ~* ^/ds-vpath/ {<br />             rewrite /ds-vpath/(.*) /$1  break;<br />             proxy_pass http://onlyoffice-document-server;<br />             proxy_redirect     off;</code></p> <p><code>            client_max_body_size 100m;</code></p> <p><code>            proxy_http_version 1.1;<br />             proxy_set_header Upgrade $http_upgrade;<br />             proxy_set_header Connection "upgrade";</code></p> <p><code>            proxy_set_header Host $http_host;<br />             proxy_set_header X-Real-IP $remote_addr;<br />             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;<br />             proxy_set_header X-Forwarded-Host $the_host/ds-vpath;<br />             proxy_set_header X-Forwarded-Proto $the_scheme;<br />             #proxy_set_header X-Forwarded-Proto 'https';<br />         }</code></p> <p><code>        location ~ \.php(?:$|/) {<br />             fastcgi_split_path_info ^(.+\.php)(/.+)$;<br />             include fastcgi_params;<br />             fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;<br />             fastcgi_param PATH_INFO $fastcgi_path_info;<br />             fastcgi_param HTTPS off;<br />             fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice<br />             fastcgi_pass backend;<br />             fastcgi_intercept_errors on;<br />         }</code></p> <p><code>        # Adding the cache control header for js and css files<br />         # Make sure it is BELOW the location ~ \.php(?:$|/) { block<br />         location ~* \.(?:css|js)$ {<br />             add_header Cache-Control "public, max-age=7200";<br />             # Add headers to serve security related headers<br />             add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";<br />             add_header X-Content-Type-Options nosniff;<br />             add_header X-Frame-Options "SAMEORIGIN";<br />             add_header X-XSS-Protection "1; mode=block";<br />             add_header X-Robots-Tag none;<br />             add_header X-Download-Options noopen;<br />             add_header X-Permitted-Cross-Domain-Policies none;<br />             # Optional: Don't log access to assets<br />             access_log off;<br />         }</code></p> <p><code>        # Optional: Don't log access to other assets<br />         location ~* \.(?:jpg|jpeg|gif|bmp|ico|png|swf)$ {<br />             access_log off;<br />         }</code><br /><code>    }<br /> }</code></p> <p>That should be all the configuration you need to make the Docker containers go.</p> <h2>Configuring Nginx to proxy NextCloud and OnlyOffice</h2> <p>The next step is configuring the local nginx proxy servers for NextCloud and OnlyOffice using the nginx instance you installed earlier. That's what responds to the domain name you choose for this service. In our case, the name is <a href="https://docs.oeru.org">https://docs.oeru.org</a> - you can have a look at it to see what you should be seeing when you first start things up! We use <a href="https://letsencrypt.org" title="This is an incredible free and open source service, that is single-handedly making the web a much safer place.">Let's Encrypt</a> to provide secure hosting - <a href="/protecting-your-users-lets-encrypt-ssl-certs">here're my Let's Encrypt instructions</a> on setting it up. The key thing to realise is that your "certificates" need to exist for Nginx to restart with the new configurations below - use the "commenting out the intervening lines" trick mentioned in my instructions to bootstrap the creation of your secure certificates!</p> <p>To configure the proxy, you need to create this configuration file in your /etc/nginx/sites-available/ directory.</p> <h3>NextCloud Proxy Configuration</h3> <p>Create a file with a meaningful name for your NextCloud Proxy, perhaps based on the domain name you've chosen (our file for docs.oeru.org is called "docs") using the same editing approach as the last few (although this is in a different directory) for example <code>sudo nano /etc/nginx/sites-available/nextcloud</code> with the following contents, replacing <code>[nextcloud.domain]</code> with your selected domain name, but leave off the [ ] (those are just there to make sure nginx errors if you've missed replacing any) - and the port number 8082 if you've opted to change to a different one!:</p> <p><code>server {<br />     listen 80;<br />     listen [::]:80;<br />     server_name <strong>[nextcloud.domain]</strong>;</code></p> <p><code>    include includes/letsencrypt.conf;</code></p> <p><code>    # enforce https<br />     location / {<br />         return 302 https://$server_name$request_uri;<br />     }<br /> }</code></p> <p><code>server {<br />     listen 443 ssl;<br />     listen [::]:443 ssl;<br />     #listen 127.0.0.1:443 ssl;</code></p> <p><code>    server_name <strong>[nextcloud.domain]</strong>;</code></p> <p><code>    ## Access and error logs.<br />     access_log /var/log/nginx/<strong>[nextcloud.domain]</strong>_access.log;<br />     error_log /var/log/nginx/<strong>[nextcloud.domain]</strong>_error.log;</code></p> <p><code>    ssl_certificate /etc/letsencrypt/live/<strong>[nextcloud.domain]</strong>/fullchain.pem;<br />     ssl_certificate_key /etc/letsencrypt/live/<strong>[nextcloud.domain]</strong>/privkey.pem;</code></p> <p><code>    ssl on;<br />     # from http://axiacore.com/blog/enable-perfect-forward-secrecy-nginx/<br />     ssl_session_cache shared:SSL:10m;<br />     ssl_session_timeout  10m;<br />     # limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;<br />     # forward secrecy settings<br />     ssl_protocols TLSv1 TLSv1.1 TLSv1.2;<br />     ssl_prefer_server_ciphers on;<br />     ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";<br />     ssl_dhparam /etc/ssl/certs/dhparam.pem;</code></p> <p><code>    #location = /robots.txt {<br />     #    allow all;<br />     #    log_not_found off;<br />     #    access_log off;<br />     #}</code></p> <p><code>    # The following 2 rules are only needed for the user_webfinger app.<br />     # Uncomment it if you're planning to use this app.<br />     rewrite ^/.well-known/host-meta /public.php?service=host-meta last;<br />     rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;</code></p> <p><code>    # The following rule is only needed for the Social app.<br />     # Uncomment it if you're planning to use this app.<br />     rewrite ^/.well-known/webfinger /public.php?service=webfinger last;</code></p> <p><code>    location ^~ / {<br />         proxy_pass http://127.0.0.1:<strong>8082</strong>;<br />         proxy_set_header Upgrade $http_upgrade;<br />         proxy_set_header Connection "Upgrade";<br />         proxy_set_header Host $http_host;<br />         proxy_read_timeout 36000s;<br />         proxy_buffering off;<br />         proxy_max_temp_file_size 15000m;<br />     }<br />     client_max_body_size 1G;<br />     fastcgi_buffers 64 4K;<br />     add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";<br />     # Remove X-Powered-By, which is an information leak<br />     fastcgi_hide_header X-Powered-By;<br /> }</code></p> <p>Note: you'll need to create the file cited in the proxy configration: <code>/etc/ssl/certs/dhparam.pem </code></p> <p>You can do this as follows (install the necessary software, backup any possible existing version as a matter of prudence, and create a new one):</p> <p><code>sudo apt update &amp;&amp; sudo apt install openssl<br /><span class="pun">sudo [<span class="pln"> </span>-</span><span class="pln">f </span><span class="str">"</span>/etc/ssl/certs/dhparam.pem<span class="str">"</span><span class="pln"> </span><span class="pun">]</span><span class="pln"> </span><span class="pun">&amp;&amp;</span><span class="pln"> sudo mv </span>/etc/ssl/certs/dhparam.pem /etc/ssl/certs/dhparam.pem</code>.bak<br /><span style="font-family:monospace"><span style="color:#000000;background-color:#ffffff;">sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048</span></span><br />  </p> <p>Once those are created, you have to make sure that they're "enabled" (replacing with your file names, of course):</p> <p><code>sudo cd /etc/nginx/sites-enabled<br /> sudo ln -sf ../sites-available/nextcloud .</code></p> <p>To confirm that there aren't any typos or issues that might make nginx unhappy, run</p> <p><code>sudo nginx -t</code></p> <p>If all's well, get nginx to reread its configuration with the new files (if not, it might be because you missed replacing one of the [tokens]):</p> <p><code>sudo service nginx reload</code></p> <h2>Firing up your NextCloud!</h2> <p>Phew - congratulations on getting here! We've reached the moment of truth where we need to see if this whole thing will work!</p> <p>We need to make sure we're back in the NextCloud Docker directory we set up:</p> <p><code>cd /home/docker/nextcloud</code></p> <p>and then we need to try running our docker-compose script to "pull" in the pre-built Docker containers we've specified in our docker-compose.yml file:</p> <p><code>docker-compose pull</code></p> <p>All going well, after a few minutes (longer or shorter depending on the speed of your server's connection) you should have download the Nginx, Redis, and NextCloud Docker images. Then you can run:</p> <p><code>docker-compose up -d &amp;&amp; docker-compose logs -f</code></p> <p>This will attempt to start up the containers (bringing them "up" in daemon mode, thus the -d) and then show you a stream of log messages from the containers, preceded by the container name. This should help you debug any problems that occur during the process (ideally, none).</p> <p>Once you see log messages streaming past, and no obvious "container exited" or other error messages (which will usually contain the word "error" a lot), you should be able to point your browser at your selected domain name and bring it up in your browser! Just point your web browser at <code>https://nextcloud.domain</code> (replacing with your domain, of course - the https assumes you've got your Let's Encrypt certificate set up - I recommend doing that first).</p> <h3>Configuring database access</h3> <p>On doing so, if all is well, you should be directed through the database set up process for your NextCloud instance. Your details should be:</p> <p>database IP: 172.17.0.1 - this is the default IP of the Docker host server.<br /> database name: nextcloud<br /> database user: nextcloud<br /> database password: (the one you came up with above)</p> <h3>Configuring the Admin user</h3> <p>Once that's set and working, NextCloud will install all the relevant database tables and initial data. You'll be asked to set up an <em>admin user</em> account, which can be "admin" (you could make it something different to help stymie nefarious probes that assume you've got a user called "admin" - but don't forget what you've called it!) and some strong password you create (you can use the pwgen utility you used earlier) - I'd recommend recording it somewhere. I would <em>not</em> recommend making your own account, in your name, the main admin account. Instead, I recommend creating a second account, <em>with administrator privileges</em>, for yourself, but leave the admin account purely for administrative activities.</p> <h3>Configuring Outgoing Email</h3> <p>To allow your NextCloud instance to send outgoing email, so that your site can alert you to security updates that need to be applied, or so that users can request a replacement password if they've forgot theirs, you'll need an <em>authenticating SMTP account</em> somewhere. Most of you already have one. You'll probably want to set up a dedicated email address for this server somewhere, perhaps something like "<a href="mailto:nextcloud@your.domain">nextcloud@your.domain</a>" or similar, with a username (often just the email address) and a password. You'll need the following details:</p> <p>SMTP server : an IP address or a domain name<br /> SMTP username: a username or an email address<br /> SMTP password: a strong password already configured for the username on that server<br /> SMTP login security: whether login is via TLS, SSL, or unsecure (!!), and<br /> SMTP login method: plain, encrypted, "login" or some other value.</p> <p>You should be able to test your email settings to make sure the details you've entered are valid. If you need to adjust these settings later, you can go to the admin menu (top right of the web browser interface) and go to Admin-&gt;Additional Settings  - should have a path of <code>https://nextcloud.domain/settings/admin/additional</code></p> <h2>Setting up OnlyOffice</h2> <p>The OnlyOffice server should already be running - if you point your browser at <code>https://nextcloud.domain/ds-vpath/</code> you should see something like the "Document Server is running" (with a big green "tick") page included in the images accompanying this article.</p> <h3>Configuring OnlyOffice Integration with NextCloud</h3> <p>Once you're logged in to NextCloud as your own user, looking at your own default folders, you can start having a look around. You should have an "admin" menu (assuming you've created your user with Administrator privileges) at the top right of the web interface. If you go to Apps, you can install the new "Hub bundle" available under the "App bundles" option (see attached image). If you don't want the whole bundle you can just use the search box to search for "OnlyOffice" or go to the "Office &amp; text" App category and enable the OnlyOffice "official" app, at which point it will automatically download the latest version of the connector app and install it (it should appear in your /home/data/nextcloud/apps directory)</p> <p>Once you've done that, go to your top right menu again, selecting Admin, and you should see "OnlyOffice" as an option in the left column (which starts with "Basic settings"). Selecting that, you'll need to enter the following:</p> <ul><li> "Document Editing Service address":<code> /ds-vpath/</code></li> <li><code>"</code>Secret key": (leave blank)</li> <li> Under "Advanced server settings" <ul><li> <p class="onlyoffice-header">"Document Editing Service address for internal requests from the server": <code>http://onlyoffice-document-server/</code></p> </li> <li> <p class="onlyoffice-header">"Server address for internal requests from the Document Editing Service": <code>http://nginx-server/</code></p> </li> </ul></li> </ul><p>When you're done, click "Save".</p> <p>You can also select formats you'd like OnlyOffice to open and edit files of those types are clicked or created. I've selected the following: doc, docx, odp, ods, odt, ppt, pptx, xls, xlsx, and in the second section: csv and txt.</p> <p>You can also make other editor customisations as you desire. The only Editor customisation setting I <em>haven't</em> selected is "Display Chat menu button" because NextCloud Hub provides an integrated Chat service, making this one within OnlyOffice an unnecessary distraction.</p> <p>Once finished configuring, you should have the ability to go back to the home of your NextCloud install, which should show you your top-level folders. If you click the "+" next to the home icon (top left of the folder pane) you should now have the option to create (in addition to "Upload file", "New folder", "New text file") a "New Document", "New Spreadsheet", and "New Presentation". Clicking those should give you the OnlyOffice interface for the designated content type.</p> <p>Similarly, you can use the "Upload file" to upload a document in a format that is supported by OnlyOffice. Once uploaded, clicking on the filename should open it for editing in the appropriate OnlyOffice interface.</p> <p>It is saved as it is changed, so you shouldn't need to save it explicitly.</p> <h2>Keeping the whole thing up-to-date</h2> <p>So, as you're no doubt aware, both NextCloud and OnlyOffice are always being improved and updated. I certainly encourage you to keep your installations up-to-date.</p> <p>While you'll periodically be alerted that NextCloud <strong>apps</strong> have available updates (these can be upgraded through the browser interface) updates to the NextCloud and OnlyOffice systems themselves need to be undertaken by upgrading their containers. Luckily it's easy to do (although I strongly urge you to ensure you have a very recent backup of both database and uploaded files - they're the files in /home/data/nextcloud/data and /home/data/onlyoffice/ (note, backups of OnlyOffice are complicated somewhat by the fact that you can't reliably back up running PostgreSQL instance simply by backing up its files - see a solution below):</p> <p>Updating the container should be as easy as either doing another</p> <p><code>docker-compose pull </code></p> <p>and then shutting down Docker container via a</p> <p><code>docker-compose up -d</code></p> <p>which will remove any old containers (this won't remove any data you want to save if you followed the directions above! But remember to do it in the right directory!) and start up the new versions you've just pulled.</p> <p>Use <code>docker-compose logs -f</code> to watch the logs - you'll likely see useful debugging information in the unlikely event that something goes wrong in the upgrade process.</p> <h2>Backing up NextCloud</h2> <p>To back up your instance on your server, you need two things: a file system backup of your /home/data/nextcloud directory, and database dumps of your database.</p> <p>There're lots of ways to back up your files (I've recently updated to using a system called Restic to make off-server incremental encrypted backups - I plan to document this in a future howto! - although there're <a href="https://www.howtoforge.com/linux_rdiff_backup">other documented approaches</a> - leave a comment below if you'd like to learn more about my approach!).</p> <p>Backing up your MariaDB databases is as easy installing automysqlbackups:</p> <p><code>sudo apt install automysqlbackups</code></p> <p>You'll find daily versioned dumps of your MariaDB database(s) in /var/lib/automysqlbackups on your VM host's filesystem. To run an ad hoc backup (which will replace the previous backup from that day, if there is one) just run</p> <p><code>sudo automysqlbackups</code></p> <h2>Backup OnlyOffice</h2> <p>Along with backing up the files in your /home/data/onlyoffice directory, you'll also want a proper "dump" of your PostgreSQL backup (you can write simple bash scripts to do this regularly, automatically), particularly prior to doing an upgrade (to allow for recovery if something goes badly wrong, which is always possible). You can achieve this by going to</p> <p><code>cd /home/docker/onlyoffice</code></p> <p>and running this</p> <p><code>DATE=`date +%Y%m%d` &amp;&amp; FILE=/home/data/onlyoffice/backup/fullbackup-${DATE}.sql &amp;&amp; docker-compose exec onlyoffice sudo -u postgres pg_dumpall &gt; ${FILE} &amp;&amp; gzip ${FILE}</code></p> <p>which will assign the current date to DATE, the relevant filename to FILE, and then put the backup SQL into a dated file called $FILE and compress the result with gzip :)</p> <p>At some point, I'll modify my normal versioned dated database backup scripts to cater for this solution and make the result available on <a href="https://git.oeru.org">https://git.oeru.org</a> - in the meantime, you can use the above before you do a backup and manually delete older backups if they start taking up too much space (or, better still, write your own clever script that does it automatically and let me know about it!).</p> </div> </div> </div> <section class="field field-node--field-blog-comments field-name-field-blog-comments field-type-comment field-label-above comment-wrapper"> <a name="comments"></a> <div class="comment-form-wrapper"> <h2 class="comment-form__title">Add new comment</h2> <drupal-render-placeholder callback="comment.lazy_builders:renderForm" arguments="0=node&amp;1=29&amp;2=field_blog_comments&amp;3=comment" token="9kYJqJN_nL4QNtjWT8YsPb_jXY2Bv9NrASHDdb5feiU"></drupal-render-placeholder> </div> </section> Mon, 03 Feb 2020 20:41:16 +0000 dave 29 at http://tech.oeru.org Hourly versioned MongoDB backup http://tech.oeru.org/hourly-versioned-mongodb-backup <span class="field field--name-title field--type-string field--label-hidden">Hourly versioned MongoDB backup</span> <div class="field field-node--field-blog-tags field-name-field-blog-tags field-type-entity-reference field-label-above"> <h3 class="field__label">Blog tags</h3> <div class="field__items"> <div class="field__item field__item--mongodb"> <span class="field__item-wrapper"><a href="/taxonomy/term/14" hreflang="en">mongodb</a></span> </div> <div class="field__item field__item--backup"> <span class="field__item-wrapper"><a href="/taxonomy/term/57" hreflang="en">backup</a></span> </div> <div class="field__item field__item--docker"> <span class="field__item-wrapper"><a href="/taxonomy/term/16" hreflang="en">docker</a></span> </div> <div class="field__item field__item--docker-compose"> <span class="field__item-wrapper"><a href="/taxonomy/term/49" hreflang="en">docker-compose</a></span> </div> <div class="field__item field__item--bash"> <span class="field__item-wrapper"><a href="/taxonomy/term/58" hreflang="en">bash</a></span> </div> </div> </div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><a title="View user profile." href="/user/1" lang="" about="/user/1" typeof="schema:Person" property="schema:name" datatype="" class="username">dave</a></span> <span class="field field--name-created field--type-created field--label-hidden">Mon 29/04/2019 - 16:28</span> <div class="clearfix text-formatted field field-node--body field-name-body field-type-text-with-summary field-label-hidden"> <div class="field__items"> <div class="field__item"><p>Because the collaboration of an open community is its real history, I place a high value on backing up the Rocket.Chat servers I'm responsible for, and <em>especially</em> the data they generate, held in MongoDB files (on the host) managed by a MongoDB container.</p> <p>To do that reliably, I have set up <a href="https://git.oeru.org/oeru/mongobackup">a bash script</a> which does an hourly backup of all MongoDB "databases" and automatically maintains 24 hourly, 7 daily, 4 weekly, 12 monthly, and 7 yearly snapshots of the databases.</p> <p>Once you've configured your backup script properly, you should be able to run this command to do a backup...</p> <p><code>/etc/mongobackup/dbbackup-mongo --hourly</code></p> <p>easy-peasy.</p> </div> </div> </div> <section class="field field-node--field-blog-comments field-name-field-blog-comments field-type-comment field-label-above comment-wrapper"> <a name="comments"></a> <div class="comment-form-wrapper"> <h2 class="comment-form__title">Add new comment</h2> <drupal-render-placeholder callback="comment.lazy_builders:renderForm" arguments="0=node&amp;1=27&amp;2=field_blog_comments&amp;3=comment" token="a3hwmZDJbiAJ569rEIXJYUfTF3BaDQbUaOh1gRHfc5g"></drupal-render-placeholder> </div> </section> Mon, 29 Apr 2019 04:28:43 +0000 dave 27 at http://tech.oeru.org Upgrading RocketChat to 1.0.x and MongoDB to 4.0 http://tech.oeru.org/upgrading-rocketchat-10x-and-mongodb-40 <span class="field field--name-title field--type-string field--label-hidden">Upgrading RocketChat to 1.0.x and MongoDB to 4.0</span> <div class="field field-node--field-blog-tags field-name-field-blog-tags field-type-entity-reference field-label-above"> <h3 class="field__label">Blog tags</h3> <div class="field__items"> <div class="field__item field__item--rocketchat"> <span class="field__item-wrapper"><a href="/taxonomy/term/18" hreflang="en">rocket.chat</a></span> </div> <div class="field__item field__item--mongodb"> <span class="field__item-wrapper"><a href="/taxonomy/term/14" hreflang="en">mongodb</a></span> </div> <div class="field__item field__item--docker"> <span class="field__item-wrapper"><a href="/taxonomy/term/16" hreflang="en">docker</a></span> </div> <div class="field__item field__item--docker-compose"> <span class="field__item-wrapper"><a href="/taxonomy/term/49" hreflang="en">docker-compose</a></span> </div> <div class="field__item field__item--ubuntu-linux"> <span class="field__item-wrapper"><a href="/taxonomy/term/12" hreflang="en">ubuntu linux</a></span> </div> </div> </div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><a title="View user profile." href="/user/1" lang="" about="/user/1" typeof="schema:Person" property="schema:name" datatype="" class="username">dave</a></span> <span class="field field--name-created field--type-created field--label-hidden">Mon 29/04/2019 - 14:39</span> <div class="clearfix text-formatted field field-node--body field-name-body field-type-text-with-summary field-label-hidden"> <div class="field__items"> <div class="field__item"><p>With the recent release of Rocket.Chat 1.0.x (after a couple years undergoing development at a fairly blistering pace), it's time for many of us to upgrade!</p> <p>Previously, I showed how to <a href="/docker-compose-better-way-deploy-rocketchat-wekan-and-mongodb">install Rocket.Chat via Docker Compose</a> but that was a much earlier version of Rocket.Chat and version 3.4 of MongoDB, which is now quite old (by FOSS standards at least). And it turns out upgrading everything has a few gotchas, so here's how I managed to do it.</p> <p>Before you do <em>anything</em> <a href="/hourly-versioned-mongodb-backup">do a backup of your MongoDB</a>!</p> <p>The first thing you need to do is upgrade <em>the way</em> in which you're running MongoDB. You have to enable a capability called "Local Replication".</p> <h2>Update your Docker Compose configuration</h2> <p>My first step, after logging into my virtual machine via SSH as the <em>unprivileged user</em> that I created to run docker commands, was to update my <code>docker-compose.yml</code> file (if you followed my previous instructions, you'll find it in <code>/home/www/docker-rocketchat-wekan-mongo</code>). </p> <p>First, make a backup of it nearby...</p> <p>cd <code>/home/www/docker-rocketchat-wekan-mongo</code><br /> cp docker-compose.yml docker-compose.yml-mongo3.4</p> <p>and then edit the file to say this:</p> <p><code>version: '2'<br /> services:<br />   mongo:<br />     restart: unless-stopped<br />     image: mongo<strong>:3.4</strong><br />     volumes:<br />       - [data directory path]:/data/db<br />       - [backup directory path]:/backups<br />     command: --smallfiles <strong>--oplogSize 128 --replSet rs0</strong><br /><strong>  # this container's job is just run the command to initialize the replica set.<br />   # it will run the command and remove himself (it will not stay running)<br />   mongo-init-replica:<br />     image: mongo:3.4<br />     command: 'bash -c "for i in `seq 1 30`; do mongo mongo/rocketchat --eval \"rs.initiate({ _id: ''rs0'', members: [ { _id: 0, host: ''localhost:27017'' } ]})\" &amp;&amp; s=$$? &amp;&amp; break || s=$$?; echo \"Tried $$i times. Waiting 5 secs...\"; sleep 5; done; (exit $$s)"'<br />     depends_on:<br />       - mongo</strong><br />   rocketchat:<br />     restart: unless-stopped<br />     image: rocketchat/rocket.chat<strong>:latest</strong></code><br /><code><strong>    command: bash -c 'for i in `seq 1 30`; do node main.js &amp;&amp; s=$$? &amp;&amp; break || s=$$?; echo "Tried $$i times. Waiting 5 secs..."; sleep 5; done; (exit $$s)'</strong><br />     ports:<br />       - "127.0.0.1:[port number]:3000" # should be a free port above 1024<br />     depends_on:<br />       - mongo<br />     environment:<br />       - MONGO_URL=mongodb://mongo/rocket<br /><strong>      - MONGO_OPLOG_URL=mongodb://mongo/local</strong><br />       - ROOT_URL=[domain name (including schema, e.g. http://)]<br />     volumes:<br />       - [upload directory path]:/var/www/rocket.chat/uploads</code><br /><strong><code>    labels:<br />       - "traefik.backend=rocketchat"<br />       - "traefik.frontend.rule=Host: [your domain name (<em>not </em>including schema)]"</code></strong></p> <p>Now, having updated your docker-compose.yml file, you have to do a couple other things. To do the upgrade from MongoDB 3.4 to 4.0, you have to do the interim upgrade to 3.6 first.</p> <h2>Enabling Local Replication</h2> <p>First you need to check what version of MongoDB you're <em>currently</em> using - both the version you're running <em>and</em> the "Feature Compatibility Version" (you can run a newer version of MongoDB, but configure it to only run features from some previous version to avoid breaking older software that depends on old features)... Do this as follows.</p> <p>Access your MongoDB instance:</p> <p><code>docker-compose exec mongo bash</code></p> <p>That should give you a command prompt that looks like this:</p> <p><code>root@a56eefe9f352: # </code></p> <p>but the container identifier (after the @) will be different (but the same length). At that prompt, you can run this command:</p> <p><code>mongo --eval "db.adminCommand( { getParameter: 1, featureCompatibilityVersion: 1 } )"</code></p> <p>Tip: if you're on a Linux desktop, you can copy this command (via CTRL-C) from this document and past it into your SSH terminal window (via CTRL+SHIFT-V).</p> <p>It should tell you you're either running "featureCompatibilityVersion" 3.2 or 3.4. If it's the latter, skip this next step. If not, run this next:</p> <p><code>mongo --eval "db.adminCommand( { setFeatureCompatibilityVersion: '3.4' } )"</code></p> <p>to set the version to 3.4. If the command succeeds you'll likely see something like</p> <p><code>{ "ok" : 1 }</code></p> <p>as the response.</p> <p>Now you can upgrade your Mongo 3.4 is the latest version (should be 3.4.20 at the time of this writing). Get out of the container (back to your Docker host) via CTRL-D (or "exit" - they're synonymous for logging out of a terminal session). Then you can run:</p> <p><code>docker-compose pull mongo</code></p> <p>That should update both your Mongo docker container to the latest version in the 3.4 series.</p> <p>The final step to enabling local replication is to run</p> <p><code>docker-compose up -d mongo mongo-init-replica &amp;&amp; docker-compose logs -f</code></p> <p>That will restart MongoDB and drop you into the stream of logging from all the containers (including the rocket.chat container). It'll also start the "mongo-init-replica" container.  That container should run briefly <em>and then exit cleanly</em> having set up the local replication that you'll need for subsequent upgrades to MongoDB!</p> <p>Check for any errors in the output... there might be a couple if it takes your MongoDB a bit of time to accept connections... as long as it eventually stops showing errors, you should be ok!</p> <p> </p> <h2>Upgrading Rocket.Chat to 1.0.x</h2> <p>Now that you're fully on version 3.4, running in local replica mode, you can update your Rocket.Chat instance.   Rocket.Chat still supports Mongo 3.4 (it won't for long, thus this tutorial!), so you can now upgrade the Rocket.Chat container as well as make sure your Mongo 3.4 is the latest version (should be 3.4.20 at the time of this writing).</p> <p>Note that the latest version of the Rocket.Chat docker container could be quite a lot higher when you read this... if it's beyond, say, 1.1 it might be unsafe to use the approach I'm describing. You can <a href="https://github.com/RocketChat/Rocket.Chat/releases">check the current version release status</a>. To protect yourself, you can alter the rocket.chat image line in your docker-compose.yml file to explicitly tell it to use the 1.0.x series for which these instructions should continue to apply... pick the highest 1.0.x version you can find in the releases and alter the line in docker-compose.yml to specify that version:</p> <p><code>    image: rocketchat/rocket.chat<strong>:1.0.1</strong></code></p> <p>or whatever the latest 1.0.x version is. Then you can run:</p> <p><code>docker-compose pull</code> rocketchat</p> <p>which will update your Rocket.Chat from the current version to the one specified.</p> <p>Then restart your Rocket.Chat instance:</p> <p><code>docker-compose up -d &amp;&amp; docker-compose logs -f</code></p> <p>That should restart both MongoDB and Rocket.Chat, and drop you into the stream of logging from both containers. It'll also start the "mongo-init-replica" container again, but having done its job it should exit happily again.</p> <p>Check for any errors in the output... there might be a couple if it takes your MongoDB a bit of time to accept connections... as long as it eventually stops showing errors, you should be ok! Eventually, you should see something similar to (with version details updated appropriately):</p> <p> </p> <p><code>+----------------------------------------------+<br /> |                SERVER RUNNING                |<br /> +----------------------------------------------+<br /> |                                              |<br /> |  Rocket.Chat Version: 1.0.1                  |<br /> |       NodeJS Version: 8.11.4 - x64           |<br /> |      MongoDB Version: 3.4.20                 |<br /> |       MongoDB Engine: wiredTiger             |<br /> |             Platform: linux                  |<br /> |         Process Port: 3000                   |<br /> |             Site URL: https://chat.oeru.org  |<br /> |     ReplicaSet OpLog: Enabled                |<br /> |          Commit Hash: 60f1a4afd6             |<br /> |        Commit Branch: HEAD                   |<br /> |                                              |<br /> +----------------------------------------------+</code></p> <p>Your instance is now running the right version! Time to tidy things up by upgrading Mongo the rest of the way to 4.0!</p> <p> </p> <h2>Upgrading to MongoDB 3.6</h2> <p>Now you can upgrade Mongo to 3.6. First, adjust your docker-compose.yml file.  Update both occurances of this line:</p> <p><code>image: mongo:3.4</code></p> <p>to</p> <p><code>image: mongo:3.6</code></p> <p>Then you can do another</p> <p><code>docker-compose pull mongo</code></p> <p>which will download the newer Mongo 3.6 docker container. Then you can again run</p> <p><code>docker-compose up -d &amp;&amp; docker-compose logs -f</code></p> <p>Again check for errors. If there are none (other than perhaps a brief set of "mongo is not accepting connections" errors), you should be fine to update the "compatibility version" from 3.4 to 3.6... Get a session on your Mongo container via</p> <p><code>docker-compose exec mongo bash</code></p> <p>and then (as above) run this:</p> <p><code>mongo --eval "db.adminCommand( { setFeatureCompatibilityVersion: '3.6' } )"</code></p> <p>which should give you a more complicated response than that for the 3.4 transition, but it should still more or less say "ok"... To make sure everything's happy with the change, it's wise to run</p> <p><code>docker-compose up -d &amp;&amp; docker-compose logs -f</code></p> <p>again and make sure there're no obvious errors. If not (after making another database backup for safety!!) we can proceed to Mongo 4.0!</p> <h2>Final push to MongoDB 4.0</h2> <p>Finally, you can again edit your docker-compose.yml and change both occurrences of</p> <p> </p> <p><code>image: mongo:3.6</code></p> <p>to</p> <p><code>image: mongo:4.0</code></p> <p>Then you can do a final</p> <p><code>docker-compose pull mongo</code></p> <p>which will download the newer Mongo 4.0 docker container. Then you can again run</p> <p><code>docker-compose up -d &amp;&amp; docker-compose logs -f</code></p> <p>And, assuming you don't see any errors, you can push the feature compatibility to 4.0:</p> <p><code>docker-compose exec mongo bash</code></p> <p>and then run:</p> <p><code>mongo --eval "db.adminCommand( { setFeatureCompatibilityVersion: '4.0' } )"</code></p> <p>followed by a final</p> <p><code>docker-compose up -d &amp;&amp; docker-compose logs -f</code></p> <p>And, again, if you don't see any errors... you should get something a bit like this:</p> <p><code>+----------------------------------------------+<br /> |                SERVER RUNNING                |<br /> +----------------------------------------------+<br /> |                                              |<br /> |  Rocket.Chat Version: 1.0.1                  |<br /> |       NodeJS Version: 8.11.4 - x64           |<br /> |      MongoDB Version: 4.0.9                  |<br /> |       MongoDB Engine: wiredTiger             |<br /> |             Platform: linux                  |<br /> |         Process Port: 3000                   |<br /> |             Site URL: https://chat.oeru.org  |<br /> |     ReplicaSet OpLog: Enabled                |<br /> |          Commit Hash: 60f1a4afd6             |<br /> |        Commit Branch: HEAD                   |<br /> |                                              |<br /> +----------------------------------------------+</code></p> <p>you're done and future proofed!</p> </div> </div> </div> <section class="field field-node--field-blog-comments field-name-field-blog-comments field-type-comment field-label-above comment-wrapper"> <a name="comments"></a> <div class="comment-form-wrapper"> <h2 class="comment-form__title">Add new comment</h2> <drupal-render-placeholder callback="comment.lazy_builders:renderForm" arguments="0=node&amp;1=26&amp;2=field_blog_comments&amp;3=comment" token="VK6tqiyjVB7HYLx9xMKgF1KeXWiFxiQ-XNY71DIaaF0"></drupal-render-placeholder> </div> </section> Mon, 29 Apr 2019 02:39:33 +0000 dave 26 at http://tech.oeru.org Installing NextCloud and Collabora Office Online with Docker on Ubuntu 16.04 http://tech.oeru.org/installing-nextcloud-and-collabora-office-online-docker-ubuntu-1604 <span class="field field--name-title field--type-string field--label-hidden">Installing NextCloud and Collabora Office Online with Docker on Ubuntu 16.04</span> <div class="field field-node--field-blog-tags field-name-field-blog-tags field-type-entity-reference field-label-above"> <h3 class="field__label">Blog tags</h3> <div class="field__items"> <div class="field__item field__item--ubuntu-linux"> <span class="field__item-wrapper"><a href="/taxonomy/term/12" hreflang="en">ubuntu linux</a></span> </div> <div class="field__item field__item--mariadb"> <span class="field__item-wrapper"><a href="/taxonomy/term/48" hreflang="en">mariadb</a></span> </div> <div class="field__item field__item--docker"> <span class="field__item-wrapper"><a href="/taxonomy/term/16" hreflang="en">docker</a></span> </div> <div class="field__item field__item--docker-compose"> <span class="field__item-wrapper"><a href="/taxonomy/term/49" hreflang="en">docker-compose</a></span> </div> <div class="field__item field__item--php"> <span class="field__item-wrapper"><a href="/taxonomy/term/40" hreflang="en">php</a></span> </div> <div class="field__item field__item--collabora-office"> <span class="field__item-wrapper"><a href="/taxonomy/term/50" hreflang="en">collabora office</a></span> </div> <div class="field__item field__item--nextcloud"> <span class="field__item-wrapper"><a href="/taxonomy/term/51" hreflang="en">nextcloud</a></span> </div> <div class="field__item field__item--lets-encrypt"> <span class="field__item-wrapper"><a href="/taxonomy/term/17" hreflang="en">let&#039;s encrypt</a></span> </div> <div class="field__item field__item--redis"> <span class="field__item-wrapper"><a href="/taxonomy/term/21" hreflang="en">redis</a></span> </div> <div class="field__item field__item--productivity"> <span class="field__item-wrapper"><a href="/taxonomy/term/52" hreflang="en">productivity</a></span> </div> <div class="field__item field__item--nginx"> <span class="field__item-wrapper"><a href="/taxonomy/term/30" hreflang="en">nginx</a></span> </div> </div> </div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><a title="View user profile." href="/user/1" lang="" about="/user/1" typeof="schema:Person" property="schema:name" datatype="" class="username">dave</a></span> <span class="field field--name-created field--type-created field--label-hidden">Mon 29/01/2018 - 17:29</span> <div class="field field-node--field-image field-name-field-image field-type-image field-label-hidden has-multiple"> <figure class="field-type-image__figure image-count-1"> <div class="field-type-image__item"> <a href="http://tech.oeru.org/sites/default/files/styles/max_1300x1300/public/2018-01/Files%20-%20OERu%20NextCloud.png?itok=xQHlcyml" aria-controls="colorbox" aria-label="{&quot;alt&quot;:&quot;The NextCloud web interface for browsing your files&quot;}" role="button" title="The NextCloud web interface for browsing your files" data-colorbox-gallery="gallery-field_image-Vdg6HEW8Omw" class="colorbox" data-cbox-img-attrs="{&quot;alt&quot;:&quot;The NextCloud web interface for browsing your files&quot;}"><img src="/sites/default/files/styles/medium/public/2018-01/Files%20-%20OERu%20NextCloud.png?itok=6v2Kuyct" width="220" height="164" alt="The NextCloud web interface for browsing your files" loading="lazy" typeof="foaf:Image" class="image-style-medium" /> </a> </div> </figure> <figure class="field-type-image__figure image-count-2"> <div class="field-type-image__item"> <a href="http://tech.oeru.org/sites/default/files/styles/max_1300x1300/public/2018-01/NextCloud-AppStore.png?itok=DPeCx5Rd" aria-controls="colorbox" aria-label="{&quot;alt&quot;:&quot;The central AppStore (note, almost all apps have no cost and are open source). You get a similar view within your own NextCloud instance.&quot;}" role="button" title="The central AppStore (note, almost all apps have no cost and are open source). You get a similar view within your own NextCloud instance." data-colorbox-gallery="gallery-field_image-Vdg6HEW8Omw" class="colorbox" data-cbox-img-attrs="{&quot;alt&quot;:&quot;The central AppStore (note, almost all apps have no cost and are open source). You get a similar view within your own NextCloud instance.&quot;}"><img src="/sites/default/files/styles/medium/public/2018-01/NextCloud-AppStore.png?itok=WqCJJdGj" width="220" height="175" alt="The central AppStore (note, almost all apps have no cost and are open source). You get a similar view within your own NextCloud instance." loading="lazy" typeof="foaf:Image" class="image-style-medium" /> </a> </div> </figure> <figure class="field-type-image__figure image-count-3"> <div class="field-type-image__item"> <a href="http://tech.oeru.org/sites/default/files/styles/max_1300x1300/public/2018-01/NextCloud-Calendar.png?itok=-j0Dq2rG" aria-controls="colorbox" aria-label="{&quot;alt&quot;:&quot;The NextCloud shared calendar plugin works with all major calendaring applications alongside your existing digital calendars.&quot;}" role="button" title="The NextCloud shared calendar plugin works with all major calendaring applications alongside your existing digital calendars." data-colorbox-gallery="gallery-field_image-Vdg6HEW8Omw" class="colorbox" data-cbox-img-attrs="{&quot;alt&quot;:&quot;The NextCloud shared calendar plugin works with all major calendaring applications alongside your existing digital calendars.&quot;}"><img src="/sites/default/files/styles/medium/public/2018-01/NextCloud-Calendar.png?itok=bP23WxDf" width="220" height="175" alt="The NextCloud shared calendar plugin works with all major calendaring applications alongside your existing digital calendars." loading="lazy" typeof="foaf:Image" class="image-style-medium" /> </a> </div> </figure> <figure class="field-type-image__figure image-count-4"> <div class="field-type-image__item"> <a href="http://tech.oeru.org/sites/default/files/styles/max_1300x1300/public/2018-01/Nextcloud-CollaboraSpreadsheet.png?itok=Ovp0KryQ" aria-controls="colorbox" aria-label="{&quot;alt&quot;:&quot;An example of a fairly complex spreadsheet in the Collabora spreadsheet interface.&quot;}" role="button" title="An example of a fairly complex spreadsheet in the Collabora spreadsheet interface." data-colorbox-gallery="gallery-field_image-Vdg6HEW8Omw" class="colorbox" data-cbox-img-attrs="{&quot;alt&quot;:&quot;An example of a fairly complex spreadsheet in the Collabora spreadsheet interface.&quot;}"><img src="/sites/default/files/styles/medium/public/2018-01/Nextcloud-CollaboraSpreadsheet.png?itok=CNhDR2y-" width="220" height="157" alt="An example of a fairly complex spreadsheet in the Collabora spreadsheet interface." loading="lazy" typeof="foaf:Image" class="image-style-medium" /> </a> </div> </figure> <figure class="field-type-image__figure image-count-5"> <div class="field-type-image__item"> <a href="http://tech.oeru.org/sites/default/files/styles/max_1300x1300/public/2018-01/Nextcloud-CollaboraWordprocessor.png?itok=IOyfA_M4" aria-controls="colorbox" aria-label="{&quot;alt&quot;:&quot;A fairly complex document, with variables, shown in the Collabora wordprocessor interface.&quot;}" role="button" title="A fairly complex document, with variables, shown in the Collabora wordprocessor interface." data-colorbox-gallery="gallery-field_image-Vdg6HEW8Omw" class="colorbox" data-cbox-img-attrs="{&quot;alt&quot;:&quot;A fairly complex document, with variables, shown in the Collabora wordprocessor interface.&quot;}"><img src="/sites/default/files/styles/medium/public/2018-01/Nextcloud-CollaboraWordprocessor.png?itok=HPawBI-o" width="220" height="157" alt="A fairly complex document, with variables, shown in the Collabora wordprocessor interface." loading="lazy" typeof="foaf:Image" class="image-style-medium" /> </a> </div> </figure> <figure class="field-type-image__figure image-count-6"> <div class="field-type-image__item"> <a href="http://tech.oeru.org/sites/default/files/styles/max_1300x1300/public/2018-01/DavInFilemanager.png?itok=rCbwaUUY" aria-controls="colorbox" aria-label="{&quot;alt&quot;:&quot;This is what your NextCloud would look like in your desktop filemanager (this is the Nemo filemanager on a Linux desktop)&quot;}" role="button" title="This is what your NextCloud would look like in your desktop filemanager (this is the Nemo filemanager on a Linux desktop)" data-colorbox-gallery="gallery-field_image-Vdg6HEW8Omw" class="colorbox" data-cbox-img-attrs="{&quot;alt&quot;:&quot;This is what your NextCloud would look like in your desktop filemanager (this is the Nemo filemanager on a Linux desktop)&quot;}"><img src="/sites/default/files/styles/medium/public/2018-01/DavInFilemanager.png?itok=g2dNm33H" width="220" height="122" alt="This is what your NextCloud would look like in your desktop filemanager (this is the Nemo filemanager on a Linux desktop)" loading="lazy" typeof="foaf:Image" class="image-style-medium" /> </a> </div> </figure> <figure class="field-type-image__figure image-count-7"> <div class="field-type-image__item"> <a href="http://tech.oeru.org/sites/default/files/styles/max_1300x1300/public/2018-02/CollaboraAdminConsole.png?itok=1tNI9ZdJ" aria-controls="colorbox" aria-label="{&quot;alt&quot;:&quot;Collabora Office admin console&quot;}" role="button" title="Collabora Office admin console" data-colorbox-gallery="gallery-field_image-Vdg6HEW8Omw" class="colorbox" data-cbox-img-attrs="{&quot;alt&quot;:&quot;Collabora Office admin console&quot;}"><img src="/sites/default/files/styles/medium/public/2018-02/CollaboraAdminConsole.png?itok=iijjMrBK" width="220" height="149" alt="Collabora Office admin console" loading="lazy" typeof="foaf:Image" class="image-style-medium" /> </a> </div> </figure> </div> <div class="clearfix text-formatted field field-node--body field-name-body field-type-text-with-summary field-label-hidden"> <div class="field__items"> <div class="field__item"><p>Update 2021-11-08: this post is now getting a bit long-in-the-tooth, and I need to update it to use up-to-date components. It might still be useful to folks, but use it with caution. Also, please note, we're using NextCloud with <a href="https://onlyoffice.com">OnlyOffice</a> (the open source community edition) these days.</p> <p>Dropbox is the best known of the end-user "cloud storage" services for documents, backups, and synchronising data among multiple devices, although now Google's Drive and Microsoft's OneDrive are functionally similar and are being heavily promoted and tied into all sorts of services.</p> <p>Similarly the collaborative editing of documents, spreadsheets, and presentations in the browser, pioneered by Etherpad, but then adopted in a big way by Google Docs (and more recently, Microsoft Office 365), has revolutionised collective note taking, document preparation, and ease of access to these powerful tools by the mainstream of computer users. Only a browser is required, and no other software needs to be installed.</p> <p>But what about people who don't want to entrust all of their data to foreign corporations, holding their data in foreign jurisdiction, in formats that may or may not be retrievable in the event that the supplier fails or changes "strategic direction"? And many of these services involve "mining" their data to extract useful information that vendors sell to others to <em>help them advertise to us in a more targeted way. </em>Yeah, that's creepy.</p> <p>More-over, often if you want to <em>share</em> your data with others, <em>they</em> have to log into the same service, and accept the service's terms and conditions (usually substantially constraining the user's normal rights and freedoms, although who<em> actually</em> reads those, eh?!) in order to do so... so ones use of those services has a magnifying effect on the loss of privacy and control.</p> <p>Some people sensibly prefer to manage their own, or institution-specific, solutions on the infrastructure of their choosing, in a way that doesn't tie anyone into paying ever increasing amounts for data storage as the volumes increase perpetually, month on month.</p> <p>Some of us simply prefer to have control of our own destiny, without a dependence on, for example, file or data storage formats and practices that are completely opaque to them. Our data reflects our creativity energy, and it seems much more comfortable for many of us to be in charge of our own fates rather than entrusting it to a third party who simply sees us a profit centre.</p> <p>Thankfully, the open source world has created an array of possible equivalent systems, and this post describes how you, too, can set up your own equivalent to Dropbox + Google Docs using entirely open source software on any commodity virtual machine hosting system you want to use by adopting NextCloud and Collabora Office.</p> <h2>NextCloud</h2> <p><a href="https://nextcloud.com">NextCloud</a> is <a href="https://nextcloud.com/files/">functionally similar</a> to Dropbox, however, with its active development community and plug-in architecture, it can provide quite a lot more as well, like shared calendaring, email, video conferencing, contact syncing, image/sound/video galleries, <a href="https://nextcloud.com/files/">among many other services</a>.</p> <p>If you prefer not to organise and run your own server, you can purchase a supported server via their website for a cost similar to Dropbox (although, realise that NextCloud is relatively small by comparison and doesn't have the massive economies of scale enjoyed by the bigger players).</p> <p>For those with an interest in history: NextCloud is a fork created by the founder of OwnCloud, after he decided that the company which formed around his OwnCloud project was moving in a direction that was philosophical unpalatable for him. The beauty of open source is that developers can follow their consciences without requiring anyone's permission. The resulting "forks" in code bases and communities then thrive or die based on the strengths of the communities they can build and sustain. This fork is remarkably similar to that which occurred in the OpenOffice community which resulted in the founding of LibreOffice. LibreOffice has thrived and OpenOffice has faded into irrelevance. More on that below.</p> <p>For those with a technological interest, NextCloud is a mature PHP application (but with a modern architecture, including a command line interface, occ) which stores its data in an RDBMS like MySQL, MariaDB, PostgreSQL, or (usually for development purposes) the lightweight SQLite database. Here are <a href="https://docs.nextcloud.com/server/12/admin_manual/installation/index.html">details for would-be administrators</a>.</p> <h2>Collabora Office</h2> <p>Given how much companies like Google and Microsoft invest on Docs and Office 365 respectively, how is it possible for an open source community to create a credible competitor? Turns out it's not as hard as you might think if they leverage the power of open source.</p> <p>A small software company with headquarters in the UK (although their team appears to be from all over), Collabora Office, has taken on the ambitious mission of creating a "collaborative web interface" allowing users to collaborate using <a href="https://libreoffice.org">LibreOffice</a>, one of the most powerful and widely used office package available anywhere. We're currently at Collabora Office 3.0, and the front end is quite nice and functional, but still pretty simple - that can be a good thing for many users. Collabora is progressively re-imagining the user interface of LibreOffice as a collaborative web interface. This isn't easy, but it's <em>much</em> easier than it otherwise would be because the difficult job of creating the heavy-lifting application back-end is already done - LibreOffice is a mature widely used application (albeit with a desktop interface, not a web-based collaborative interface). So we can expect progress will be rapid, and large sets of new capabilities will be "unlocked" as they progress their efforts.</p> <h2>NextCloud and Collabora - better together!</h2> <p>The beauty of the open source software model is that we can connect NextCloud and Collabora office - completely separate and unrelated communities - thanks to a new integration standard, WOPI (Web-application Open Platform Interface) they form a well integrated component model - with the <em>major </em>added benefit of being able to swap in a better file management platform, or a better collaborative productivity package if one or the other emerges, without having to start from scratch.</p> <h2>Setting up your own NextCloud Collabora Server</h2> <p>If you're game to run your own (and, in my experience, it's a surprisingly well behaved system) here's how you do it.</p> <p>In preparation, you'll want to have the following ready:</p> <ul><li>a Linux virtual machine or "VM" (I recommend running the current Ubuntu LTS version, or current Debian) with a user with Sudo privileges...,</li> <li>your domain name for the NextCloud instance, pointing to the IP address of your VM,</li> <li>your domain name for the Collabora instance, also pointing to the IP of your VM, and</li> <li>credentials for an email address capable of sending from a remote server (usually termed an "authenticating SMTP email account")</li> </ul><h3>Secure access with SSH</h3> <p>First things first, make sure you're logged into your host (probably via SSH) as a user who has "sudo" capabilities! You need to log into the host from your local machine. We recommend setting up <a href="https://www.digitalocean.com/community/tutorials/how-to-configure-ssh-key-based-authentication-on-a-linux-server">key-based authentication</a>.</p> <h3>Firewall with UFW</h3> <p>No computer system is ever full secure - there're always exploits waiting to be found, so security is a process of maintaining vigilance. Part of that is reducing exposure - minimising your "attack surface". Use a firewall - "<a href="https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-16-04" title="Uncomplicated FireWall">ufw</a>" is installed on Ubuntu by default. Make sure you've got exceptions for SSH (without them, you could lock yourself out of your machine! Doh!).</p> <p>Run the following commands to allow your Docker containers to talk to other services on your host.</p> <p><code>sudo ufw allow in on docker0<br /> sudo ufw allow from 172.0.0.0/8 to any</code></p> <p>Specifically for Docker's benefit, you need to tweak the default Forwarding rule (I use "vim" as my editor. If you don't know how to/want to use it, replace <strong>vim</strong> with <strong>nano</strong> everywhere you see it in the following - nano's easier to use for simple edits like this):</p> <p><code>sudo vim /etc/default/ufw</code></p> <p>and copy the line <code>DEFAULT_FORWARD_POLICY="DROP"</code> tweak it to look like this (commenting out the default, but leaving it there for future reference!):</p> <p><code>#DEFAULT_FORWARD_POLICY="DROP"<br /> DEFAULT_FORWARD_POLICY="ACCEPT"</code></p> <p>You also have to edit <code>/etc/ufw/sysctl.conf</code> and remove the "#" at the start of the following lines, so they look like this:</p> <p><code>sudo vim /etc/ufw/sysctl.conf</code></p> <p><code># Uncomment this to allow this host to route packets between interfaces<br /> net/ipv4/ip_forward=1<br /> net/ipv6/conf/default/forwarding=1<br /> net/ipv6/conf/all/forwarding=1</code></p> <p>and finally restart the network stack and ufw on your server<code> </code></p> <p><code>sudo service networking restart<br /> sudo service ufw restart</code></p> <h3>Installing the Nginx webserver</h3> <p>In the configuration I'm describing here, you'll need a webserver running on the server - it'll be acting as a "proxy" for the Docker-based Nginx instance described below. I like the efficiency of Nginx and clarity of Nginx configurations over those of Apache and other open source web servers. Here's how you install it.</p> <p><code>sudo apt-get install nginx-full</code></p> <p>To allow nginx to be visible via ports 80 and 443, run</p> <p><code>sudo ufw allow "Nginx Full"</code></p> <p><strong>Note</strong>: make sure your hosting service is not blocking these ports at some outer layer (depending on who's providing that hosting service you may have to set up port forwarding).</p> <h3>Installing MariaDB</h3> <p>MariaDB is effectively a drop-in alternative to MySQL and we prefer it because it's not controlled by Oracle and has a more active developer community. On Ubuntu, MariaDB pretends to be MySQL for compatibility purposes, so don't be weirded out by the interchangeable names below. Install the server and the client like this.</p> <p><code>sudo apt-get install mariadb-server-10.0 mariadb-client-10.0</code></p> <p>You need to set a root (admin) user password - you might want to create a /root/.my.cnf file containing the following (replacing YOURPASSWORD) to let you access MariaDB without a password from the commandline<code>:</code></p> <p><code>[client]<br /> user=root<br /> password=YOURPASSWORD</code></p> <p>You should now be able to type "mysql" at the command prompt</p> <p>Tweak the configuration so that it's listening on</p> <p><code>sudo vim /etc/mysql/mariadb.conf.d/50-server.cnf </code></p> <p>and copy the bind-address line and adjust so it looks like this - we want MariaDB to be listening on all interfaces, not just localhost (127.0.0.1)...</p> <p><code># Instead of skip-networking the default is now to listen only on<br /> # localhost which is more compatible and is not less secure.<br /> #bind-address           = 127.0.0.1<br /> bind-address            = 0.0.0.0</code></p> <p>Then restart MariaDB:</p> <p><code>sudo service mysql restart</code></p> <p>It should now be listening on port 3306 on all interfaces, i.e. 0.0.0.0.</p> <p>Now set up the database which will hold NextCloud's data. Log into the MySQL client on the host (if you've created a .my.cnf file in your home directory as describe above, you won't need to enter your username and password):</p> <p><code>mysql -u root -p</code></p> <p>Enter your root password when prompted. It's also a good idea to gin up a password for your "nextcloud" database user. I usually use pwgen (<code>sudo apt-get install pwgen</code>) - for example running this command will give you a single 12 character password without special characters (just numbers and letters):</p> <p><code>pwgen -s 12 1<br /> T7KR2osrMkyC</code></p> <p>At the prompt (which will look something like MariaDB [(none)]&gt;) enter the following lines (putting your password in place of [passwd]):</p> <p><code>CREATE DATABASE nextcloud CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;<br /> CREATE USER "nextcloud"@"%" IDENTIFIED BY "[passwd]";<br /> GRANT ALL ON nextcloud.* to "nextcloud"@"%";<br /> FLUSH PRIVILEGES;</code></p> <p>Then enter \q to exit.</p> <h2>NextCloud and Collabora Office with Docker</h2> <p>We make use of the NextCloud community's <a href="https://hub.docker.com/_/nextcloud/" title="Documentation for the reference NextCloud Docker container.">stable Docker container</a> which they keep up to date. Similarly, the Collabora community has created a <a href="https://hub.docker.com/collabora/code">reference Docker container</a>.</p> <p>The over all architecture consists of five Docker containers (note, done properly, you aim to ensure that each container runs only one service!):</p> <ol><li>the main NextCloud container (running the PHP-FPM service)</li> <li>an identical container to the PHP one which runs the cron service (which does periodic administrative tasks relevant to NextCloud)</li> <li>the self-contained Collabora Office container (running PHP with an Apache web server instance and a full instance of LibreOffice running in headless server mode (never fear, no servers were harmed in the building of this server!) - yes this server doesn't really adhere to the "one-service per container" convention, but I'm ok with that. It's just a convention after all.)</li> <li>a Redis container (which provides performance improving caching for NextCloud), and</li> <li>an Nginx webserver container which makes it easier to manage the configuration and paths of the NextCloud and Collabora servers via WOPI. It means that on the hosting server, we only need to run a proxying web server, which is easy.</li> </ol><p>The way I prefer to implement this set of containers is to use <a href="https://docs.docker.com/compose/">Docker Compose</a> (after first setting up <a href="https://docs.docker.com/install/linux/docker-ce/ubuntu/">Docker support</a> on your server - I'll assume you've followed the complete instructions including <a href="https://docs.docker.com/install/linux/linux-postinstall/">setting up Docker for your non-root user</a>). I suggest using the latest <a href="https://docs.docker.com/compose/install/#install-compose">installation instructions</a> provided by the Docker community. To be honest, I usually use the alternative instructions, <a href="https://docs.docker.com/compose/install/#install-using-pip">employing the "pip" approach</a>. You can upgrade an existing install by issuing (on your Linux VM's command line):</p> <p><code>sudo pip install -U docker-compose </code></p> <p>To set up your server, I recommend setting up a place for your Docker containers (replace "me" with your non-root username on the server) and the associated persistent data (your Docker containers should hold <em>no</em> important data - you should be able to delete and recreate them entirely without losing any important data or configuration):</p> <p><code>sudo mkdir /home/data</code><br /><code>sudo mkdir /home/data/nextcloud</code><br /><code>sudo mkdir /home/data/nextcloud/apps<br /> sudo mkdir /home/data/nextcloud/config<br /> sudo mkdir /home/data/nextcloud/data<br /> sudo mkdir /home/data/nextcloud/redis<br /> sudo mkdir /home/data/nextcloud/resources<br /> sudo mkdir /home/docker<br /> sudo mkdir /home/docker/nextcloud-collabora<br /> sudo chown -R me:me /home/docker<br /> cd /home/docker/nextcloud-collabora</code></p> <p>Here's an example of the required docker-compose.yml file (you can create this via a text editor like "nano" which should be pre-installed on any VM these days, or use my preferred, but less intuitive, editor, vim via <code>vim docker-compose.yml</code> in the /home/docker/nextcloud-collabora directory):</p> <p><code>version: '2'<br /> networks:<br />   back:<br />     driver: bridge<br /> services:<br />   web:<br />     image: nginx<br />     ports:<br />       - 127.0.0.1:8082:80<br />     volumes:<br />       - ./nginx.conf:/etc/nginx/nginx.conf:ro<br />     links:<br />       - app<br />     volumes_from:<br />       - app<br />     environment:<br />       - VIRTUAL_HOST<br />     networks:<br />     - back<br />     restart: unless-stopped      <br />   app:<br />     image: nextcloud:12-fpm<br />     links:<br />       - redis<br />     volumes:<br />       - /home/data/nextcloud/apps:/var/www/html/apps<br />       - /home/data/nextcloud/config:/var/www/html/config<br />       - /home/data/nextcloud/resources:/var/www/html/resources<br />       - /home/data/nextcloud/data:/var/www/html/data<br />     networks:<br />     - back<br />     restart: unless-stopped      <br />   cron:<br />     image: nextcloud:12-fpm<br />     volumes_from:<br />       - app<br />     user: www-data<br />     entrypoint: |<br />       bash -c 'bash -s &lt;&lt;EOF<br />       trap "break;exit" SIGHUP SIGINT SIGTERM<br />       while /bin/true; do<br />         /usr/local/bin/php /var/www/html/cron.php<br />         sleep 900<br />       done<br />       EOF'<br />     networks:<br />       - back<br />     restart: unless-stopped      <br />   redis:<br />     image: redis:alpine<br />     volumes:<br />       - /home/data/nextcloud/redis:/data<br />     networks:<br />       - back<br />     restart: unless-stopped<br />   collab:<br />     image: collabora/code<br />     environment:</code><br /><code>      # put the domain name you select for your NextCloud instance<br />       # here! Escape any . in your domain name by preceding them with \\<br />       domain: your\\.domain\\.tld<br />       username: admin</code><br /><code>      # put your own strong password in here!<br />       password: some-good-password<br />     cap_add:<br />       - MKNOD<br />     networks:<br />       - back<br />     volumes_from:<br />       - app<br />     ports:<br />       - 127.0.0.1:9980:9980<br />     links:<br />       - app<br />     restart: unless-stopped</code></p> <p>You'll need to substitute the domain name you pick for your NextCloud instance - Collabora's container requires that you specify it so that it doesn't accept connections from other (potentially nefarious) containers elsewhere on the Internet!</p> <p>Also note, the "ports" specified above, 8082 for <code>nginx</code> and 9980 for <code>collab</code> are arbitrary - I picked these to ensure they don't conflict with ports being used by other containers on my server - you can use these if you want, or use <code>sudo netstat -punta</code> to see what ports are currently claimed by other services on your server (if there are any) and pick ones that don't clash! If it scroll past too fast, you can pipe it into less to allow you to scroll and search: <code>sudo netstat -punta | less</code> - hit "q" to exit or "/" to initiate a text search.</p> <p>You will also need to provide the "nginx.conf" file referenced in the nginx section of the file. Do that by using your editor, e.g. <code>vim nginx.conf</code>, and enter this content:</p> <p><code>user www-data;</code></p> <p><code>events {<br />   worker_connections 768;<br /> }</code></p> <p><code>http {<br />   upstream backend {</code><br /><code>      # if you don't call your NextCloud server "app" in your<br />       # docker-compose.yml, you'll need to change app below to </code><br /><code>      # whatever you end up calling it.<br />       server app:9000;<br />   }<br />   include /etc/nginx/mime.types;<br />   default_type application/octet-stream;</code></p> <p><code>  server {<br />     listen 80;<br />     <br />     # Add headers to serve security related headers<br />     add_header X-Content-Type-Options nosniff;<br />     add_header X-Frame-Options "SAMEORIGIN";<br />     add_header X-XSS-Protection "1; mode=block";<br />     add_header X-Robots-Tag none;<br />     add_header X-Download-Options noopen;<br />     add_header X-Permitted-Cross-Domain-Policies none;</code></p> <p><code>    root /var/www/html;</code></p> <p><code>    location = /robots.txt {<br />       allow all;<br />       log_not_found off;<br />       access_log off;<br />     }</code></p> <p><code>    location = /.well-known/carddav {<br />       return 301 $scheme://$host/remote.php/dav;<br />     }<br />     location = /.well-known/caldav {<br />       return 301 $scheme://$host/remote.php/dav;<br />     }</code></p> <p><code>    client_max_body_size 1G;<br />     fastcgi_buffers 64 4K;</code></p> <p><code>    gzip off;</code></p> <p><code>    index index.php;<br />     error_page 403 /core/templates/403.php;<br />     error_page 404 /core/templates/404.php;<br />  <br />     location / {<br />         rewrite ^ /index.php$uri;<br />     }</code></p> <p><code>    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {<br />         deny all;<br />     }<br />     location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {<br />         deny all;<br />     }</code></p> <p><code>    location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {<br />         include fastcgi_params;<br />         fastcgi_split_path_info ^(.+\.php)(/.*)$;<br />         fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;<br />         fastcgi_param PATH_INFO $fastcgi_path_info;<br />         fastcgi_param HTTPS on;<br />         #Avoid sending the security headers twice<br />         fastcgi_param modHeadersAvailable true;<br />         fastcgi_param front_controller_active true;<br />         fastcgi_pass backend;<br />         fastcgi_intercept_errors on;<br />         fastcgi_request_buffering off;<br />     }</code></p> <p><code>    location ~ ^/(?:updater|ocs-provider)(?:$|/) {<br />         try_files $uri/ =404;<br />         index index.php;<br />     }</code></p> <p><code>    # Adding the cache control header for js and css files<br />     # Make sure it is BELOW the PHP block<br />     location ~* \.(?:css|js)$ {<br />         try_files $uri /index.php$uri$is_args$args;<br />         add_header Cache-Control "public, max-age=7200";<br />         # Add headers to serve security related headers (It is intended to<br />         # have those duplicated to the ones above)<br />         # Before enabling Strict-Transport-Security headers please read into<br />         # this topic first.<br />         # add_header Strict-Transport-Security "max-age=15768000;<br />         #  includeSubDomains; preload;";<br />         add_header X-Content-Type-Options nosniff;<br />         add_header X-Frame-Options "SAMEORIGIN";<br />         add_header X-XSS-Protection "1; mode=block";<br />         add_header X-Robots-Tag none;<br />         add_header X-Download-Options noopen;<br />         add_header X-Permitted-Cross-Domain-Policies none;<br />         # Optional: Don't log access to assets<br />         access_log off;<br />     }</code></p> <p><code>    location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$ {<br />         try_files $uri /index.php$uri$is_args$args;<br />         # Optional: Don't log access to other assets<br />         access_log off;<br />     }<br />   }<br /> }</code></p> <p>That should be all the configuration you need to make the Docker containers go.</p> <h2>Configuring Nginx to proxy NextCloud and Collabora</h2> <p>The next step is configuring the local nginx proxy servers for NextCloud and Collabora using the nginx instance you installed earlier. That's what responds to the domain name you choose for this service. In our case, the name is <a href="https://docs.oeru.org">https://docs.oeru.org</a> - you can have a look at it to see what you should be seeing when you first start things up! We use <a href="https://letsencrypt.org" title="This is an incredible free and open source service, that is single-handedly making the web a much safer place.">Let's Encrypt</a> to provide secure hosting - <a href="/protecting-your-users-lets-encrypt-ssl-certs">here're my Let's Encrypt instructions</a> on setting it up. The key thing to realise is that your "certificates" need to exist for Nginx to restart with the new configurations below - use the "commenting out the intervening lines" trick mentioned in my instructions to bootstrap the creation of your secure certificates!</p> <p>To configure the proxies, you need to create two configuration files in your /etc/nginx/sites-available/ directory.</p> <h3>NextCloud Proxy Configuration</h3> <p>Create a file with a meaningful name for your NextCloud Proxy, perhaps based on the domain name you've chosen (our file for docs.oeru.org is called "docs") using the same editing approach as the last few (although this is in a different directory) for example <code>sudo vim /etc/nginx/sites-available/docs</code> with the following contents, replacing "nextcloud.domain" with your selected domain name (and the port number 8082 if you've opted to change to a different one!):</p> <p><code>server {<br />     listen 80;<br />     server_name nextcloud.domain;</code></p> <p><code>    include /etc/nginx/includes/letsencrypt.conf;</code></p> <p><code>    # redirect all HTTP traffic to HTTPS.<br />     location / {<br />         return  302 https://nextcloud.domain$request_uri;<br />     }<br /> }</code></p> <p><code># This configuration assumes that there's an nginx container talking to the mautic PHP-fpm container,<br /> # and this is a reverse proxy for that Mautic instance.<br /> server {<br />     listen 443 ssl;<br />     server_name nextcloud.domain;</code></p> <p><code>    ssl_certificate /etc/letsencrypt/live/nextcloud.domain/fullchain.pem;<br />     ssl_certificate_key /etc/letsencrypt/live/nextcloud.domain/privkey.pem;<br />     ssl_protocols TLSv1 TLSv1.1 TLSv1.2;<br />     # to create this, see https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html<br />     ssl_dhparam /etc/ssl/certs/dhparam.pem;<br />     keepalive_timeout 20s;</code></p> <p><code>    include /etc/nginx/includes/letsencrypt.conf;<br />    <br />     location ^~ / {<br />         proxy_pass http://localhost:8082;<br />         proxy_set_header Upgrade $http_upgrade;<br />         proxy_set_header Connection "Upgrade";<br />         proxy_set_header Host $http_host;<br />         proxy_read_timeout 36000s;<br />     }<br />     client_max_body_size 1G;<br />     fastcgi_buffers 64 4K;</code></p> <p><code>    add_header X-Frame-Options "SAMEORIGIN";<br />     add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";<br /> }</code></p> <h3>Collab Proxy Configuration</h3> <p>Now create a collabora proxy configuration.</p> <p>Note: This will probably never by used by any user directly (there is a resource analysis service on the collabora system that might be of interest) - instead it'll be referenced by the NextCloud instance transparently to your users. </p> <p>In our case, we chose the domain collab.oeru.org and the file is called "collab", created via <code>sudo vim /etc/nginx/sites-available/collab</code> and containing (replace collab.domain with the one you've selected - similarly replace the port number 9980 with whatever you've selected if you've opted for a different one!):</p> <p><code>server {<br />     listen 80;<br />     server_name collab.domain;</code></p> <p><code>    # for let's encrypt renewals!<br />     include /etc/nginx/includes/letsencrypt.conf;</code></p> <p><code>    # redirect all HTTP traffic to HTTPS.<br />     location / {<br />         return  302 https://collab.domain$request_uri;<br />     }<br /> }</code></p> <p><code>server {<br />     listen 443 ssl;<br />     server_name collab.domain;</code></p> <p><code>    ssl_certificate /etc/letsencrypt/live/collab.domain/fullchain.pem;<br />     ssl_certificate_key /etc/letsencrypt/live/collab.domain/privkey.pem;<br />     ssl_protocols TLSv1 TLSv1.1 TLSv1.2;<br />     # to create this, see https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html<br />     ssl_dhparam /etc/ssl/certs/dhparam.pem;<br />     keepalive_timeout 20s;</code></p> <p><code>    # for let's encrypt renewals!<br />     include /etc/nginx/includes/letsencrypt.conf;</code></p> <p><code>    proxy_http_version 1.1;<br />     proxy_buffering off;</code></p> <p><code>    # static files<br />     location ^~ /loleaflet {<br />         proxy_pass https://localhost:9980;<br />         proxy_set_header Host $http_host;<br />     }</code></p> <p><code>    # WOPI discovery URL<br />     location ^~ /hosting/discovery {<br />         proxy_pass https://localhost:9980;<br />         proxy_set_header Host $http_host;<br />     }</code><br /><br /><code>    # download, presentation and image upload<br />     location ^~ /lool {<br />         proxy_pass https://localhost:9980;<br />         proxy_set_header Upgrade $http_upgrade;<br />         proxy_set_header Conection "upgrade";<br />         proxy_set_header Host $http_host;<br />     }<br /> }</code></p> <p>Once those are created, you have to make sure that they're "enabled" (replacing with your file names, of course):</p> <p><code>sudo cd /etc/nginx/sites-enabled<br /> sudo ln -sf ../sites-available/docs .<br /> sudo ln -sf ../sites-available/collab .</code></p> <p>To confirm that there aren't any typos or issues that might make nginx unhappy, run</p> <p><code>sudo nginx -t</code></p> <p>If all's well, get nginx to reread its configuration with the new files:</p> <p><code>sudo service nginx reload</code></p> <h2>Firing it all up!</h2> <p>Phew - congratulations on getting here! We've reached the moment of truth where we need to see if this whole thing will work!</p> <p>We need to make sure we're back in the Docker directory we set up:</p> <p><code>cd /home/docker/nextcloud-collabora</code></p> <p>and then we need to try running our docker-compose script to "pull" in the pre-built Docker containers we've specified in our docker-compose.yml file:</p> <p><code>docker-compose pull</code></p> <p>All going well, after a few minutes (longer or shorter depending on the speed of your server's connection) you should have download the Nginx, Redis, NextCloud and Collabora-CODE Docker images. Then you can run:</p> <p><code>docker-compose up -d &amp;&amp; docker-compose logs -f</code></p> <p>This will attempt to start up the containers (bringing them "up" in daemon mode, thus the -d) and then show you a stream of log messages from the containers, preceded by the container name. This should help you debug any problems that occur during the process (ideally, none).</p> <p>Once you see log messages streaming past, and no obvious "container exited" or other error messages (which will usually contain the word "error" a lot), you should be able to point your browser at your selected domain name and bring it up in your browser!</p> <h3>Setting up the database</h3> <p>On doing so, if all is well, you should be directed through the database set up process for your NextCloud instance. Your details should be:</p> <p>database IP: 172.17.0.1 - this is the default IP of the Docker host server.<br /> database name: nextcloud<br /> database user: nextcloud<br /> database password: (the one you came up with above)</p> <h3>Setting the Admin user</h3> <p>Once that's set and working, NextCloud will install all the relevant database tables and initial data. You'll be asked to set up an <em>admin user</em> account, which can be "admin" (you could make it something different to help stymie nefarious probes that assume you've got a user called "admin" - but don't forget what you've called it!) and some strong password you create (you can use the pwgen utility you used earlier) - I'd recommend recording it somewhere. I would <em>not</em> recommend making your own account, in your name, the main admin account. I recommend creating a second account, <em>with administrator privileges</em> for yourself, but leave the admin account purely for administrative activities.</p> <h3>Configuring Outgoing Email</h3> <p>To allow your NextCloud instance to send outgoing email, so that your site can alert you to security updates that need to be applied, or so that users can request a replacement password if they've forgot theirs, you'll need an <em>authenticating SMTP account</em> somewhere. Most of you already have one. You'll probably want to set up a dedicated email address for this server somewhere, perhaps something like "<a href="mailto:nextcloud@your.domain">nextcloud@your.domain</a>" or similar, with a username (often just the email address) and a password. You'll need the following details:</p> <p>SMTP server : an IP address or a domain name<br /> SMTP username: a username or an email address<br /> SMTP password: a strong password already configured for the username on that server<br /> SMTP login security: whether login is via TLS, SSL, or unsecure (!!), and<br /> SMTP login method: plain, encrypted, "login" or some other value.</p> <p>You should be able to test your email settings to make sure the details you've entered are valid. If you need to adjust these settings later, you can go to the admin menu (top right of the web browser interface) and go to Admin-&gt;Additional Settings  - should have a path of <a href="https://your.domain/settings/admin/additional">https://your.domain/settings/admin/additional</a></p> <h3>Configuring Collabora Office Integration</h3> <p>Once you're logged in as your own user, looking at your own default folders, you can start having a look around. You should have an "admin" menu (assuming you've created your user with Administrator privileges) at the top right of the web interface. If you go to Apps, you can use the search box to search for "Collabora" or go to the "Office &amp; text" App category. You'll need to "enable" the Collabora Online "official" app, at which point it will download the latest version of the connector app and install it (it should appear in your /home/data/nextcloud/apps directory)</p> <p>Once you've done that, go to your top right menu again, selecting Admin, and you should see "Collabora Online" as an option in the left column (which starts with "Basic settings"). Selecting that, you'll need to enter  "<a href="https://collab.domain">https://collab.domain</a>" (replacing with your domain, of course). I don't have any of the other options ticked.</p> <p>If it works, you should have the ability to go back to the home of your NextCloud install, which should show you your top-level folders. If you click the "+" next to the home icon (top left of the folder pane) you should now have the option to create (in addition to "Upload file", "New folder", "New text file") a "New Document", "New Spreadsheet", and "New Presentation". Clicking those should give you the Collabora Office interface for the designated content type.</p> <p>Similarly, you can use the "Upload file" to upload a document in a format that is supported by Collabora Office, once uploaded clicking on the filename should open it for editing in the appropriate Collabora Office interface.</p> <p>It is saved as it is change, you shouldn't need to save it explicitly.</p> <h2>Upgrading it</h2> <p>So, as you're no doubt aware, both NextCloud and Collabora Office are always being improved and updated. I certainly encourage you to keep your installation up-to-date.</p> <p>While you'll periodically see that NextCloud apps have available updates (these can be upgraded through the browser interface) updates to the NextCloud and Collabora Office systems themselves need to be undertaken by upgrading the containers. Luckily it's easy to do (although I strongly urge you to ensure you have a very recent backup of both database and uploaded files - they're the files in /home/data/nextcloud/data:</p> <p>Updating the container should be as easy as either doing another</p> <p><code>docker pull oeru/mautic</code></p> <p>and then shutting down Docker container via a</p> <p><code>docker-compose stop</code></p> <p>removing the old containers (this won't remove any data you want to save if you followed the directions above! But remember to do it in the right directory!) via</p> <p><code>docker-compose rm -v</code></p> <p>and then restarting it via</p> <p><code>docker-compose up -d</code></p> <p>Use <code>docker-compose logs -f</code> to watch the logs - you'll likely see debugging information in the unlikely event that something goes wrong in the upgrade process.</p> <h2>Backing it up</h2> <p>To back up your instance on your server, you need two things: a file system backup of your /home/data/nextcloud directory, and database dumps of your database.</p> <p>There're lots of ways to back up your files (I personally use a bash script that I wrote in a past role, which uses <a href="http://www.nongnu.org/rdiff-backup/">rdiff-backup</a> to create versioned backups either locally or on a remote server, although there're <a href="https://www.howtoforge.com/linux_rdiff_backup">other documented approaches</a> - leave a comment below if you'd like to learn more about my approach!).</p> <p>Backing up your database is as easy installing automysqlbackups:</p> <p><code>sudo apt install automysqlbackups</code></p> <p>You'll find daily versioned dumps of your MariaDB database(s) in /var/lib/automysqlbackups. To run an ad hoc backup (which will replace the previous backup from that day, if there is one) just run</p> <p><code>sudo automysqlbackups</code></p> <h2>Collabora Admin Console</h2> <p>Once you've got everything set up, you can access the admin console of the Collabora Office instance at the collab.domain you specified above - it'll have the path <code>https://collab.domain/loleaflet/dist/admin/admin.html</code> (of course replacing collab.domain with your domain) which gives you useful info about the system resources being used, number of documents being edited and by whom, and some other interesting details. I've included a screen shot.</p> <p>When prompted for login details, use the collab username - "admin" if you used the default I provided, and the password you set in your docker-compose.yml file above.</p> </div> </div> </div> <section class="field field-node--field-blog-comments field-name-field-blog-comments field-type-comment field-label-above comment-wrapper"> <a name="comments"></a> <h2 class="comment-field__title">Blog comments</h2> <article data-comment-user-id="0" id="comment-820" about="/comment/820" typeof="schema:Comment" class="comment js-comment by-anonymous has-title clearfix"> <div class="comment__container"> <h3 property="schema:name" datatype="" class="comment__title"> <a href="/comment/820#comment-820" class="permalink" rel="bookmark" hreflang="en">All I get after all of that…</a> <span class="comment__new marker marker--success hidden" data-comment-timestamp="1636139893"></span> </h3> <div class="comment__meta"> <div class="comment__submitted"> <span class="comment__author"><span rel="schema:author"><span lang="" typeof="schema:Person" property="schema:name" datatype="">Tim (not verified)</span></span> </span> <span class="comment__pubdate">Sat 06/11/2021 - 04:21 <span property="schema:dateCreated" content="2021-11-05T15:21:04+00:00" class="rdf-meta hidden"></span> </span> </div> </div> <div class="comment__content"> <div property="schema:text" class="clearfix text-formatted field field-comment--comment-body field-name-comment-body field-type-text-long field-label-hidden"> <div class="field__items"> <div property="schema:text" class="field__item"><p>All I get after all of that is &quot;OK&quot;</p> </div> </div> </div> <drupal-render-placeholder callback="comment.lazy_builders:renderLinks" arguments="0=820&amp;1=default&amp;2=en&amp;3=" token="9x_0sEHuh-dJwj9sa5I_pygyooUxR3CerM32QzLc50E"></drupal-render-placeholder> </div> </div> </article> <article data-comment-user-id="1" id="comment-821" about="/comment/821" typeof="schema:Comment" class="comment js-comment by-node-author has-title clearfix"> <div class="comment__container"> <h3 property="schema:name" datatype="" class="comment__title"> <a href="/comment/821#comment-821" class="permalink" rel="bookmark" hreflang="en">Sorry Tim, after all what?</a> <span class="comment__new marker marker--success hidden" data-comment-timestamp="1636155192"></span> </h3> <div class="comment__meta"> <div class="comment__submitted"> <span class="comment__author"><span rel="schema:author"><a title="View user profile." href="/user/1" lang="" about="/user/1" typeof="schema:Person" property="schema:name" datatype="" class="username">dave</a></span> </span> <span class="comment__pubdate">Sat 06/11/2021 - 08:18 <span property="schema:dateCreated" content="2021-11-05T19:18:35+00:00" class="rdf-meta hidden"></span> </span> </div> </div> <div class="comment__content"> <div property="schema:text" class="clearfix text-formatted field field-comment--comment-body field-name-comment-body field-type-text-long field-label-hidden"> <div class="field__items"> <div property="schema:text" class="field__item"><p>Sorry Tim, after all what? I'd love to provide assistance, but need you to be a bit more specific.</p></div> </div> </div> <drupal-render-placeholder callback="comment.lazy_builders:renderLinks" arguments="0=821&amp;1=default&amp;2=en&amp;3=" token="RxxscuNlrNd_TL-Wh6nh4yeQjDHOY5TxdqhEDyLKN6E"></drupal-render-placeholder> </div> </div> </article> <div class="comment-form-wrapper"> <h2 class="comment-form__title">Add new comment</h2> <drupal-render-placeholder callback="comment.lazy_builders:renderForm" arguments="0=node&amp;1=17&amp;2=field_blog_comments&amp;3=comment" token="aF_f2aYW3SGRfmrsffb5fOJlN5wEXJibvMUiQKm2VjE"></drupal-render-placeholder> </div> </section> Mon, 29 Jan 2018 04:29:13 +0000 dave 17 at http://tech.oeru.org