a minimal tln setup

back in 2019, i broke my desktop environment. badly. had to rebuild it from the ground up. i wrote some fancy documentation in order to make future incidents less time-consuming.

fast forward two years, debian 11 has gone into production, i have some spare time between medical appointments while in paris (ugh), let's dist-upgrade my server. the one hosting this very web page. i call it tln. and of course it went horribly wrong. otherwise we wouldn't be here, would we?

i ran out of space during the upgrade. things got tangled, abruptly suffocating. unfathomable folders blurted out mossy data. the state of affairs went awry. and maybe i could still have put it back together at this point. what tipped it over were some partitions which, for some reason, were still named after my deadname. i couldn't be bothered to learn how to rename this trash. i burned it all.

pumping fresh blood into the machine, i took notes. it's time for a tln setup cheat sheet.

virtualware


define vmware machine specs

  • 2 virtual cpus
  • 3gb memory, 1gb reserved
  • 30gb storage on ssd
  • scsi controller 0 vmware paravirtual
  • network adapter 1 vlan 10
    • connect at power on
    • adapter vmxnet 3
    • mac address automatic
  • cd/dvd drive 1 datastore iso file
    • use debian 11 netinst image

restore ip address

refresh the vmware settings & map the new mac address to 10.10.0.15 in pfsense's dhcp server.

install operating system

follow the graphical install for debian 11. keep partitioning simple. no desktop environment needed, but get the ssh server and the standard utilities. from now on, the setup may be done over ssh.

moving in


configure sudo

su
apt install sudo
/sbin/usermod -aG sudo ria

install utilities

sudo apt install vim git nginx rsync sqlite3 memcached

configure git

git config --global user.name ria4
git config --global user.email "16877076+ria4@users.noreply.github.com"

get quick access to backup server

# enable passwordless ssh as root (hence via sudo) to the backup server
# by putting tln's host public key in root's authorized_keys over there
scp -P 1992 /etc/ssh/ssh_host_ecdsa_key.pub root@10.10.0.92:/tmp/tln_oriane.pub
ssh -p 1992 root@10.10.0.92
# on the backup server:
cat /tmp/tln_oriane.pub >> /root/.ssh/authorized_keys && exit
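the line appended above gives that key an unrestricted root login on the backup server. as an added example (not part of the original cheat sheet), here is a small shell function that installs the key exactly once and pins it with a from= restriction so it is only accepted from tln's address; the authorized_keys path and the 10.10.0.15 address come from this page, the function names are mine.

```shell
#!/bin/sh
# Added example: append a public key to an authorized_keys file only if it is
# not there yet, prefixed with from="<addr>" so sshd rejects the key from any
# other source address (tln is 10.10.0.15 in this setup).
# Usage: add_restricted_key <pubkey file> <authorized_keys file> <allowed source>
add_restricted_key() {
    pubkey_file=$1
    auth_file=$2
    allowed_from=$3
    # keep only "<type> <base64>" of the key, dropping the trailing comment
    key=$(awk '{print $1 " " $2}' "$pubkey_file")
    [ -n "$key" ] || return 2
    # create the file with restrictive permissions without touching our umask
    (umask 077; mkdir -p "$(dirname "$auth_file")"; touch "$auth_file")
    # idempotent: a second run must not duplicate the entry
    if grep -qF -- "$key" "$auth_file"; then
        return 0
    fi
    printf 'from="%s" %s\n' "$allowed_from" "$key" >> "$auth_file"
}

# how many authorized_keys lines carry the key found in <pubkey file>
count_key() {
    key=$(awk '{print $1 " " $2}' "$1")
    grep -cF -- "$key" "$2"
}

# on the backup server this would be:
# add_restricted_key /tmp/tln_oriane.pub /root/.ssh/authorized_keys 10.10.0.15
```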

restore configuration files

cd
sudo scp backup:/data/oriane_bak/configs/ssh_config /etc/ssh/ssh_config
sudo scp backup:/data/oriane_bak/configs/vimrc /etc/vim/vimrc
sudo scp backup:/data/oriane_bak/configs/.bashrc .
sudo scp backup:/data/oriane_bak/configs/.bash_aliases .
sudo scp backup:/data/oriane_bak/configs/.bash_secrets .
sudo chown ria:ria .bashrc .bash_aliases .bash_secrets

restore web applications

sudo scp -r backup:/data/oriane_bak/tln .
sudo chown -R ria:ria tln
sudo scp -r backup:/data/oriane_bak/lajujabot /opt/lajujabot
sudo chown -R ria:ria /opt/lajujabot

store passwords

# run this from the desktop: copy the keepass database over to tln
scp /media/storage2/ria.kdbx tln:ria.kdbx

python environments


configure virtualenvwrapper

sudo apt install python3-pip
sudo python3 -m pip install --upgrade pip
sudo pip install uwsgi virtualenvwrapper
cd && mkdir .virtualenvs && . .bashrc

install tln web server (see here for a full devlog)

cd tln && mkvirtualenv tln
(tln) /home/ria/.virtualenvs/tln/bin/python -m pip install --upgrade pip
(tln) pip install -r docs/requirements.txt
(tln) deactivate

install lajujabot (see here for more info)

cd /opt/lajujabot && mkvirtualenv lajujabot
(lajujabot) /home/ria/.virtualenvs/lajujabot/bin/python -m pip install --upgrade pip
(lajujabot) pip install -r requirements.txt
(lajujabot) deactivate

additional web server libraries


install zinnia blog engine

# pip provides django-blog-zinnia==0.20 but it is not compatible with django 3.x
# we need to import the 'develop' branch from the github repo
cd /home/ria/.virtualenvs/tln/lib/python3.9/site-packages
git clone -b develop https://github.com/Fantomas42/django-blog-zinnia
mv django-blog-zinnia/zinnia . && rm -rf django-blog-zinnia

# remove zinnia error templates in favor of nginx ones
rm zinnia/templates/{400,403,404,500}.html

install sqip placeholder creator

# v1-alpha does not seem to work anymore on debian 11; falling back to v0-legacy
# if need be, check https://github.com/axe312ger/sqip
sudo apt install npm
cd /home/ria/.local/lib
npm install sqip

web server deployment


check django project

# clean up migrations
cd /home/ria/tln && rm -rf */migrations && vtln
(vtln) python manage.py migrate

# try running the development server
(vtln) python manage.py runserver 0.0.0.0:8000

interface django with nginx

# set up uwsgi between nginx and django
# if need be, check https://uwsgi-docs.readthedocs.io/en/latest/tutorials/Django_and_nginx.html
sudo mkdir -p /etc/uwsgi/vassals
sudo ln -s /home/ria/tln/net/uwsgi.ini /etc/uwsgi/vassals/

# activate the service
sudo ln -s /home/ria/tln/net/oriane.ink.conf /etc/nginx/sites-available/
sudo rm /etc/nginx/sites-enabled/default
sudo ln -s /etc/nginx/sites-available/oriane.ink.conf /etc/nginx/sites-enabled
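the three symlinks above are what tie the uwsgi emperor and nginx to the tln checkout, and a dangling one (say, after the home directory path changed during a rebuild) is easy to miss until the site is down. as an added example that is not part of the original cheat sheet, this shell snippet checks that each link resolves before nginx is tested and reloaded; the link paths are the ones created in this section, the function names are mine.

```shell
#!/bin/sh
# Added example: pre-flight check for the uwsgi/nginx wiring of tln.
# check_links returns 0 only if every argument is a symlink pointing at an
# existing file; anything else is reported on stderr and makes it return 1.
check_links() {
    bad=0
    for link in "$@"; do
        if [ ! -L "$link" ]; then
            echo "not a symlink: $link" >&2
            bad=1
        elif [ ! -e "$link" ]; then
            # -e follows the whole chain, so a link to a dangling link fails too
            echo "dangling symlink: $link -> $(readlink "$link")" >&2
            bad=1
        fi
    done
    return $bad
}

# the links created in this section of the setup
tln_links() {
    check_links \
        /etc/uwsgi/vassals/uwsgi.ini \
        /etc/nginx/sites-available/oriane.ink.conf \
        /etc/nginx/sites-enabled/oriane.ink.conf
}

# full pre-flight: links resolve, then nginx validates its configuration
preflight() {
    tln_links && sudo nginx -t
}
```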

get a certificate from let's encrypt

# the debian-packaged certbot is not guaranteed to be fresh, it's better to get the snap version
# if need be, check https://certbot.eff.org/lets-encrypt/debiantesting-nginx
sudo apt install snapd
sudo snap install core && sudo snap refresh core
sudo snap install --classic certbot

# the certbot command may modify oriane.ink.conf
sudo ln -s /snap/bin/certbot /usr/bin/certbot
sudo certbot --nginx

# remember that this cert is only used on the local network, between haproxy (via pfsense) and tln
# the actual certificate being served to web browsers is managed by the acme service running on pfsense

ensure resilience

finally, there are cronjobs to be added both via crontab -e (relaunch django & lajujabot at startup) and sudo crontab -e (run daily backups). check tln/docs/crontabs.md for instructions.