http://wiki.boochtek.com/ 2012-05-20T06:55:39-05:00 http://wiki.boochtek.com/ http://wiki.boochtek.com/lib/tpl/default/images/favicon.ico text/html 2011-12-07T01:52:48-05:00 http://wiki.boochtek.com/build/apache?rev=1323244368&do=diff These instructions document the installation and configuration of Apache 2.2 on our Debian system. We chose Apache 2 primarily due to its simpler SSL configuration. It also seems to be the preferred version in Debian now. Requirements Apache doesn't need much itself. However, the configuration we plan to use does require several components. We're assuming that some of our web pages will require Perl, PHP, Python, MySQL, and possibly PostgreSQL. text/html 2010-08-02T22:07:18-05:00 http://wiki.boochtek.com/build/backups?rev=1280804838&do=diff Like any system admins, we need to ensure that we have good backups. Our systems do not have tape backup devices, and it's easy to rebuild the OS, so we're just backing up our data and config files across the network via rsync tunneled through SSH. We're also backing up locally to tarballs for easier access, and to have multiple versions of backups. text/html 2010-08-01T23:35:49-05:00 http://wiki.boochtek.com/build/cms?rev=1280723749&do=diff Nothing here yet. text/html 2010-08-01T13:00:12-05:00 http://wiki.boochtek.com/build/debian?rev=1280685612&do=diff These instructions document the configuration of Debian 5.0 on our servers. Since this is a SliceHost image, the base OS comes pre-installed. These docs consider the configuration required after the base installation. Package Selection We started with a minimal ("netinst") installation, with only a few packages installed. We will install all the required packages manually. This provides some added security, as we've minimized our attack surface to only the applications we actually need. text/html 2010-12-29T14:38:13-05:00 http://wiki.boochtek.com/build/dns?rev=1293655093&do=diff We are running a caching name server on the server, bound to the loopback interface only. We decided to use bind 9, as it is well supported now. (Note that Debian's default is bind 8, if you just say "bind".) We also decided to put it into a chroot jail, as it's pretty simple to do and well-documented. This will protect us from most bind and DNS exploits. text/html 2010-08-01T23:31:33-05:00 http://wiki.boochtek.com/build/firewall?rev=1280723493&do=diff I decided to go with Shorewall, which is fairly standard. Shorewall also has the advantage that we don't need to provide the IP addresses of the system -- it determines them dynamically. So when we change IP addresses, we don't have to re-configure the firewall. text/html 2011-12-15T15:06:50-05:00 http://wiki.boochtek.com/build/jenkins?rev=1323983210&do=diff Jenkins is a Continuous Integration server. It's used to build and test applications that are being developed. We chose Jenkins (despite it being Java based) over other options (Integrity, CI Joe, Travis) because it has a great community and plenty of plugins. It's very mature, but frequently updated and well maintained. We previously used Integrity, but it was difficult to extend and integrate with other systems. text/html 2011-12-18T21:41:22-05:00 http://wiki.boochtek.com/build/logging?rev=1324266082&do=diff Log configuration, reports, etc. Note that as of version 5.0, Debian uses rsyslogd. Configuration /etc/sysctl.conf Turn off console messages for lower priority messages. sudo sed -i -e 's/kernel.printk.*$/kernel.printk = 4 4 1 7/' /etc/sysctl.conf text/html 2011-07-09T18:04:44-05:00 http://wiki.boochtek.com/build/misc?rev=1310252684&do=diff Here's where we'll document the installation of miscellaneous small software packages. Note that some of these packages may get installed during the installation of the OS, depending on the revision and the options selected. Packages that we've seen get installed include mailx, lsof, less, w3m, telnet, bc, file, nano, and at. text/html 2010-03-03T15:08:15-05:00 http://wiki.boochtek.com/build/monitoring?rev=1267650495&do=diff This page documents our monitoring and alerting scripts. Munin Munin does not do any alerting, but pulls system data periodically and displays it in RRDTools graphs. Munin comes in 2 pieces: munin and munin-node. The munin-node part is a daemon that gathers the data, and the munin part runs via cron, and aggregates the data from multiple munin daemons running on various systems. text/html 2010-08-01T12:07:17-05:00 http://wiki.boochtek.com/build/mysql?rev=1280682437&do=diff These instructions are for MySQL 5.0 on our Debian 5.0 system. Installation Install MySQL along with its pre-requisites: sudo apt-get install mysql-common mysql-client mysql-server NOTE: The MySQL documentation is non-free, and not included with Debian. Use the online documentation provided at MySQL's site. text/html 2010-08-02T22:07:48-05:00 http://wiki.boochtek.com/build/ntp?rev=1280804868&do=diff We are running NTP to keep the clock accurate. Installation sudo apt-get install ntp ntp-doc ntpdate Configuration We are using the default configuration that Debian ships with. This is primarily a client configuration -- we allow other systems only to get the current time; they may not query any further information. (This is limited via the restrict keyword.) The daemon runs primarily in order to sync the system's time with the upstream NTP servers. text/html 2010-03-10T19:50:39-05:00 http://wiki.boochtek.com/build/postfix?rev=1268272239&do=diff We chose Postfix due to its modern design and security record. It also has a license that we can live with more easily than qmail. Installation The default MTA in Debian is EXIM. In the default install the log rotation is already configured in /etc/cron.daily for EXIM, so remove the script text/html 2011-06-28T20:00:40-05:00 http://wiki.boochtek.com/build/postgres?rev=1309309240&do=diff While MySQL is the most popular Open Source SQL database, PostgreSQL is probably more powerful and mature. So while many Open Source projects only support MySQL, we prefer to use PostgreSQL when possible. Installation # Install all the pieces required for PostgreSQL server and client. sudo apt-get install -y postgresql postgresql-doc postgresql-client postgresql-common postgresql-client-common # Create a user. Could also do this via CREATE USER booch ENCRYPTED PASSWORD 'xxxxx'; sudo sudo -u … text/html 2011-01-05T22:28:51-05:00 http://wiki.boochtek.com/build/rails?rev=1294288131&do=diff Ruby apt-get install ruby irb ruby1.8 irb1.8 libreadline-ruby1.8 libruby1.8 apt-get install ruby1.8-examples rdoc ri rdoc1.8 ri1.8 apt-get install ruby1.8-dev apt-get install liberuby apt-get install libapache2-mod-ruby libapache-ruby1.8 apt-get install ruby libopenssl-ruby libopenssl-ruby1.8 apt-get install sqlite3 sqlite3-doc libsqlite3-dev libsqlite3-ruby libsqlite3-ruby1.8 libsqlite3-0 text/html 2011-03-09T01:28:04-05:00 http://wiki.boochtek.com/build/security?rev=1299655684&do=diff SSL Certificate We need SSL certificates to run HTTPS on Apache. We'll probably need SSL certificates to add TLS to SMTP (Postfix) and IMAP later. Not sure if we'll be able to use the same certificate for those or not. For now, we're using a self-signed certificate, but submitting the CSR to an SSL provider (like StartSSL) would work pretty much the same. text/html 2010-08-02T10:11:24-05:00 http://wiki.boochtek.com/build/ssh?rev=1280761884&do=diff SSH is the Secure Shell, a secure replacement for telnet. The OpenSSH client comes in the default Debian install. We've installed the OpenSSH server to provide for remote access to our systems. Installation Install the SSH client and server packages: text/html 2012-01-28T22:47:52-05:00 http://wiki.boochtek.com/build/sudo?rev=1327812472&do=diff The sudo command allows a user to run a command as root, or some other user. It has several benefits over su: * It can restrict who has access, and what commands they may run. * It can be configured to not require a password in some situations. * It can log commands that the user runs. text/html 2010-03-03T15:09:21-05:00 http://wiki.boochtek.com/build/todo?rev=1267650561&do=diff * Backup scripts * Verify * Copy off-site * Delete old backups on some set schedule * Perhaps move to some backup package * Config files * Make sure everything is in place. * Make them web accessible -- probably on dotfiles.org site. text/html 2010-08-01T23:01:50-05:00 http://wiki.boochtek.com/build/webmail?rev=1280721710&do=diff We chose RoundCube after trying a bunch of other webmail applications. Here are some that we tried: * Bongo (formerly Hula) - could not get it to install * SquirrelMail - old UI is hard to work with * Horde (IMP) - complicated setup, does too much * Zimbra - too integrated with email servers text/html 2012-04-29T22:05:25-05:00 http://wiki.boochtek.com/build/wiki?rev=1335755125&do=diff These instructions detail how to install DokuWiki on our Debian GNU/Linux system. We're currently running the 2011-05-25 version of DokuWiki. Requirements * Apache * PHP 5.1.2+ * PHP's GD extension with libGD 2 is recommended but not required text/html 2011-07-17T16:21:36-05:00 http://wiki.boochtek.com/build/wordpress?rev=1310937696&do=diff WordPress is an excellent choice for blogging software. It's simple to set up and use, has a pretty good security record, and has lots of plugins. If you're hosting your own blog on GNU/Linux, WordPress is pretty much the way to go. This is how we built WordPress to host several blogs.