This page outlines some noteworthy points on setting up Debian Bullseye on a Hetzner Cloud server.
===== Apache Setup =====
apt-get install apache2
apt-get install libapache2-mod-php
apt-get install default-mysql-server   # pulls in MariaDB, which is now Debian's default
mysql_secure_installation              # sets the root password and drops the anonymous users and test database ( https://tecadmin.net/how-to-install-mariadb-on-debian-11/ )
apt-get install php-mysql
a2enmod userdir
vi /etc/apache2/mods-enabled/php7.4.conf
#comment out the <IfModule mod_userdir.c> block (the one containing php_admin_flag engine Off) to enable PHP for userdirs.
#Debian ships it disabled on purpose: once enabled, every local account can run PHP under the web server's identity via ~/public_html.
systemctl reload apache2
adduser kartbuilding
cd /home/kartbuilding/
mkdir public_html
vi public_html/index.php   # test page; chown -R kartbuilding:kartbuilding public_html afterwards, since root created these
That should be the basic LAMP setup.
==== Virtual Hosts ====
vi /etc/apache2/sites-available/01-kartbuilding.conf
<VirtualHost *:80>
    ServerAdmin email@domain.net
    ServerName www.kartbuilding.net
    ServerAlias kartbuilding.net
    DocumentRoot /home/kartbuilding/public_html/
    CustomLog /var/log/apache2/access_kart.log combined
    ErrorLog /var/log/apache2/error_kart.log
    LogLevel warn
    UserDir disabled
    <Directory /home/kartbuilding/public_html/>
        # Indexes lists directory contents wherever there is no index file; drop it unless that is wanted.
        # AllowOverride All lets any .htaccess in the tree change the configuration; narrow it if others can write there.
        Options FollowSymLinks Indexes MultiViews
        AllowOverride All
        # Debian denies everything outside /var/www and /usr/share by default, so this tree must be granted explicitly
        Require all granted
    </Directory>
</VirtualHost>
#Repeat block for other vhosts on this domain
#Enable site with
a2ensite 01-kartbuilding
systemctl reload apache2
#or symlink into /etc/apache2/sites-enabled
=== Apache authentication htpasswd ===
Within a vhost, inside the <Directory> block for the DocumentRoot (or for a subdirectory, to protect only part of the site), add:
AuthType Basic
AuthName "Secure"
AuthUserFile /etc/apache2/secure/htpasswd
Require valid-user
#Order Allow,Deny / Allow from all are Apache 2.2 access control; on Bullseye (Apache 2.4) they only work with mod_access_compat loaded and are not needed here.
#Basic auth sends the password base64-encoded, not encrypted, so only offer it over HTTPS (next section).
To create the htpasswd file (keep it outside every DocumentRoot; -c creates the file and overwrites it if it already exists, -B stores bcrypt hashes instead of the weak default MD5 variant):
mkdir -p /etc/apache2/secure
htpasswd -cB /etc/apache2/secure/htpasswd username
#further users: same command without -c
=== Apache HTTPS Secure ssl ===
Self Signed Cert (fine for testing; browsers and mail clients warn about it, see the Thunderbird note at the end of this page. A public site wants a CA-issued certificate instead.)
make-ssl-cert generate-default-snakeoil   # from the ssl-cert package; writes the snakeoil cert and key referenced below
a2enmod ssl
a2ensite default-ssl
systemctl reload apache2
Ref: /etc/apache2/sites-available/default-ssl.conf, the relevant part of which is:
<VirtualHost _default_:443>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
        SSLOptions +StdEnvVars
    </Directory>
</VirtualHost>
===== MySQL migrations =====
* mysqldump on original host as per: [[mysql#mysqldump]]
* Add new user as per: [[mysql#mysql_users_add_remove]]
* log in to mysql and run CREATE DATABASE for the new database; grant the new user privileges on that database only, not on *.*
* Import mysql dump [[mysql#importing_a_mysql_dump]]
===== Copy across data to new server =====
#always source -> destination; the trailing slash on the source copies the directory's contents rather than creating a nested /home/kartbuilding/kartbuilding
#-a preserves ownership and permissions (run as root on the destination, or the uids will not map), -v is verbose, -e ssh selects the transport
#add -n for a dry run first; without --delete, files already present on the new server are kept
#On new server issue
rsync -ave ssh user@oldserver:/home/kartbuilding/ /home/kartbuilding/
===== Odds and Ends =====
apt-get install screen
dpkg-reconfigure tzdata
apt-get install fail2ban
apt-get install links
==== chkrootkit ====
apt-get install chkrootkit
vi /etc/chkrootkit.conf
#change to:
RUN_DAILY="true"
RUN_DAILY_OPTS="-q"
DIFF_MODE="true"   # only mail when the report differs from the previous run
vi /etc/aliases
#add (chkrootkit mails root; this forwards root's mail to an ordinary account)
root: localuser
#then run the following to take effect:
newaliases
That user now gets the nightly chkrootkit report by mail (with DIFF_MODE only when something changed). chkrootkit is a signature check and is known to flag some legitimate binaries, so an "INFECTED" line is a prompt to investigate, not proof of compromise.
==== VIM tweaks ====
Because vi rocks
apt-get install vim
vi /etc/vim/vimrc
#uncomment:
syntax on
#uncomment the following so /usr/share/vim/vim82/defaults.vim is not sourced (it turns on mouse support, which makes clicking in a terminal start visual mode and breaks pasting):
let g:skip_defaults_vim = 1
https://unix.stackexchange.com/questions/551512/disabling-vim-visual-mode-in-etc-vim-vimrc-does-not-work
===== Website Updates =====
==== Wordpress ====
I had WordPress done via SVN, so it was easy.
cd /home/kartbuilding/public_blog
svn info   # shows which URL/tag the checkout currently tracks
svn sw http://core.svn.wordpress.org/tags/6.0.1/ .   # switch the working copy to the 6.0.1 tag (the repository is also served over https)
==== php5 -> php7 woes ====
Where possible any webapps will have to be updated, as there are a lot of changes between PHP 5 and PHP 7.
#Apache error log showed:
PHP Parse error: syntax error, unexpected 'new' (T_NEW) in...... on line 35
Edit the PHP file and on line 35 remove the &. Assigning the result of new by reference was deprecated in PHP 5.3 and is a parse error in PHP 7; objects are passed by handle anyway, so plain assignment behaves the same.
Example:
Original php5
$bbdb =& new $bbdb_class( array(
New:
$bbdb = new $bbdb_class( array(
==== mysql woes ====
The mysql_* extension was removed in PHP 7.0, so old scripts fail with:
PHP Fatal error: Uncaught Error: Call to undefined function mysql_connect()
Edit the PHP script and change mysql_connect() to **mysqli_connect()**. The rest of the calls change too: mysqli_query($link, $sql) takes the connection first where mysql_query($sql, $link) took it last, and mysql_real_escape_string() becomes mysqli_real_escape_string($link, $s). A migration like this is the right moment to move user-supplied values into prepared statements (mysqli_prepare / bind_param) instead of building queries from strings.
==== Wiki ====
The Mediawiki instance was so old. Tried to copy it and update the php scripts to php7. No joy, had problems connecting to the database. The latest mediawiki was nearly 300MB (the previous was 60MB).
I made the decision to install and migrate to dokuwiki, which doesn't use SQL but flat text files.
=== dokuwiki ===
Install was very straightforward. (Info at: https://www.dokuwiki.org/install ) However, for migration purposes, I chose to install an older version of dokuwiki for my php5.
Went for an old stable release at: https://download.dokuwiki.org/archive
If it's too new, you'll get errors when running with php5.
chmod 777 and run install.php
#777 leaves the tree writable by every local account. chown -R www-data:www-data on data/, conf/, lib/plugins/ and lib/tpl/ gives the web server what the installer needs without that, and install.php should be deleted once it has run.
=== Migration of mediawiki ===
Set up dokuwiki with a fresh install and user first.
https://www.dokuwiki.org/tips:mediawiki_to_dokuwiki_converter
Converter for the old MediaWiki:
https://github.com/tetsuo13/MediaWiki-to-DokuWiki-Importer/archive/99b29b645fb7f5bb8c5c03b23d1bfbb4eee642ed.zip
Download and extract the zip. Browse to and edit:
public_html/mediatodoc/src/MediaWiki2DokuWiki/settings.php
Update the paths.
Run via browser: /mediatodoc/src/MediaWiki2DokuWiki/index.php
(Got an error the first time, and had to add $wgDBtype = "mysql"; to LocalSettings.php.)
Browse to dokuwiki, open the Sitemap, and all pages should be listed.
Remove the mediatodoc directory afterwards: it is a web-reachable script holding your database settings.
Copy the folder to the new server. Upgraded as per the dokuwiki info ( https://www.dokuwiki.org/install:upgrade )
===== Swap File for VM =====
The Hetzner cloud server did not come with swap space. While you could resize the server via the console, creating a swap file was a nice quick solution.
==== Check for swap ====
root@sun:~# free
total used free shared buff/cache available
Mem: 1981092 180740 250956 15668 1549396 1596964
Swap: 0 0 0
cat /etc/fstab
#shows no swap
==== Create swap file ====
fallocate -l 2G /swapfile
#if swapon later complains the file has holes (some filesystems do not support fallocate'd swap), create it with dd if=/dev/zero of=/swapfile bs=1M count=2048 instead
chmod 600 /swapfile
#600 matters: swap holds pages of process memory, which can include passwords and keys
mkswap /swapfile
swapon /swapfile
root@sun:~# free
total used free shared buff/cache available
Mem: 1981092 182696 245032 15668 1553364 1594984
Swap: 2097148 0 2097148
==== Add to fstab for reboot ====
vi /etc/fstab
#add
/swapfile swap swap defaults 0 0
swapon --show
==== Delete Swap file ====
swapoff -v /swapfile
#remove the /swapfile line from /etc/fstab
rm /swapfile
===== Mail Server Setup =====
Followed [[postfix_smtp]], which was mostly OK and still accurate (updated portions of that page at the same time for Debian Bullseye).
Also followed [[courier_imaps_server_-_maildir]], again mostly OK (updated that wiki page at the same time for Debian Bullseye).
See final Postfix config -> [[postfix_smtp#debian_bullseye_config]]
==== Secure smtpd using Postfix and sasl ====
Debian bullseye has a lot set by default and has changed a lot since [[secure_outgoing_smtp_via_postfix_courier_tls_and_sasl]]
* Ref1: http://wiki.debian.org/PostfixAndSASL
* Ref2: https://doc.axrglobal.com/servidores:mail:mail_system
apt-get install libsasl2-modules postfix sasl2-bin
#postfix and libsasl2-modules will most likely be installed already.
vi /etc/postfix/main.cf
#add/check (main.cf does not take inline comments)
#auth_only makes smtpd advertise AUTH only after STARTTLS, so the PLAIN/LOGIN passwords configured below never cross the wire in clear
smtpd_tls_auth_only = yes
smtpd_sasl_auth_enable = yes
#Debian's stock main.cf already has smtpd_tls_security_level = may (without it STARTTLS is never offered, so AUTH never appears)
#and smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination, which is what actually
#lets authenticated clients relay; check both are still there.
vi /etc/postfix/sasl/smtpd.conf
#enter (PLAIN and LOGIN are plaintext mechanisms, acceptable only because smtpd_tls_auth_only forces TLS first)
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
vi /etc/default/saslauthd
#add/update to the following:
START=yes
MECHANISMS="pam"
#-m puts the socket inside the Postfix chroot; Debian runs smtpd chrooted, so it cannot reach the default /var/run/saslauthd
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"
mkdir -p /var/spool/postfix/var/run/saslauthd
dpkg-statoverride --add root sasl 710 /var/spool/postfix/var/run/saslauthd
adduser postfix sasl
systemctl restart saslauthd postfix
#check a login against saslauthd directly before testing from a mail client (the password lands in shell history, so use a test account or clear it):
testsaslauthd -u kartbuilding -p 'the-password' -f /var/spool/postfix/var/run/saslauthd/mux
Error message I saw in mail.log -> **/etc/courier/shared/index: Permission denied**
Fix:
chmod 755 /etc/courier/shared
cd /etc/courier/shared
touch index
chown courier index
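Once smtpd offers AUTH, password guessing against it shows up in mail.log as repeated "SASL ... authentication failed" warnings, and that is the pattern fail2ban (installed under Odds and Ends) keys on in its postfix-sasl jail. As an added example, not from the original page, the script below counts those failures per client IP over a few constructed mail.log lines (the 203.0.113.x and 198.51.100.x addresses are documentation ranges, the timestamps and queue id are made up) and lists clients over a threshold, without counting successful logins or plain connects:

```shell
#!/bin/sh
# Added example, not from the original page: count failed SASL logins per
# client IP in Postfix's mail.log. Once smtpd offers AUTH, password guessing
# against it looks exactly like this, and it is the pattern fail2ban's
# postfix-sasl jail matches. The log lines are constructed test data using the
# documentation ranges 203.0.113.0/24 and 198.51.100.0/24.
set -eu

SAMPLE_LOG='Jul 20 03:14:01 sun postfix/smtpd[2231]: warning: unknown[203.0.113.50]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jul 20 03:14:03 sun postfix/smtpd[2231]: warning: unknown[203.0.113.50]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jul 20 03:14:05 sun postfix/smtpd[2231]: warning: unknown[203.0.113.50]: SASL PLAIN authentication failed: authentication failure
Jul 20 03:14:09 sun postfix/smtpd[2240]: warning: unknown[203.0.113.50]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jul 20 03:15:00 sun postfix/smtpd[2251]: warning: host.example.test[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
Jul 20 03:15:30 sun postfix/smtpd[2260]: 4F3A2B1C9D: client=host.example.test[198.51.100.7], sasl_method=PLAIN, sasl_username=kartbuilding
Jul 20 03:16:00 sun postfix/smtpd[2271]: connect from unknown[203.0.113.51]'

# sasl_failures_over THRESHOLD
# Reads mail.log lines on stdin and prints "IP count" for every client with at
# least THRESHOLD failed SASL attempts, most failures first. Successful logins
# (sasl_username=...) and plain connects are deliberately not counted.
sasl_failures_over() {
    awk -v min="$1" '
        # smtpd lines reporting a failed SASL attempt, whatever the mechanism
        /postfix\/smtpd\[[0-9]+\]: warning: .*SASL [A-Z-]+ authentication failed/ {
            # the client is logged as "name[ip]: SASL ..."; keep only the ip
            if (match($0, /\[[0-9a-fA-F.:]+\]: SASL/)) {
                ip = substr($0, RSTART + 1, RLENGTH - 8)
                fails[ip]++
            }
        }
        END {
            for (ip in fails)
                if (fails[ip] >= min) print ip, fails[ip]
        }' | sort -k2,2nr
}

# Demo over the constructed sample: only 203.0.113.50 crosses a threshold of 3
printf '%s\n' "$SAMPLE_LOG" | sasl_failures_over 3
```

On the live server run it as `sasl_failures_over 5 < /var/log/mail.log`. To have repeat offenders blocked rather than just listed, enable fail2ban's stock jail for this with `[postfix-sasl]` / `enabled = true` in /etc/fail2ban/jail.local.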
=== smtpd certs ===
A default cert is created on install (by the ssl-cert package). It resides at:
/etc/ssl/certs/ssl-cert-snakeoil.pem and /etc/ssl/private/ssl-cert-snakeoil.key
Postfix reads these via main.cf with smtpd_tls_cert_file and smtpd_tls_key_file respectively.
It wasn't self-signed, so I said I'd use the imapd.pem cert at /etc/courier/imapd.pem
NOTE: May not be the best way, but worked. imapd.pem is a combined file (private key, certificate and usually DH parameters in one), so the steps below split it into the separate cert and key files Postfix expects.
mv /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/certs/ssl-cert-snakeoil-orig.pem
mv /etc/ssl/private/ssl-cert-snakeoil.key /etc/ssl/private/ssl-cert-snakeoil-orig.key
cp /etc/courier/imapd.pem /etc/ssl/certs/ssl-cert-snakeoil.pem
vi /etc/ssl/certs/ssl-cert-snakeoil.pem
#edit and only have
-----BEGIN CERTIFICATE-----
..
-----END CERTIFICATE-----
cp /etc/courier/imapd.pem /etc/ssl/private/ssl-cert-snakeoil.key
vi /etc/ssl/private/ssl-cert-snakeoil.key
#edit and have only the key block (the header reads BEGIN RSA PRIVATE KEY on older courier-generated files)
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
#cp gives the new file imapd.pem's permissions modified by the umask; check them and restore what Debian's snakeoil key had, so the private key is never world-readable
ls -l /etc/ssl/private/
chown root:ssl-cert /etc/ssl/private/ssl-cert-snakeoil.key
chmod 640 /etc/ssl/private/ssl-cert-snakeoil.key
systemctl restart postfix
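The vi editing above is easy to get wrong (a DH PARAMETERS block left in the cert file, or the certificate left in the key file, only surfaces when Postfix refuses to start). As an added example, not from the original page, the script below does the same split with openssl and then checks that the certificate and key actually belong together and that the key file is created non-world-readable. It assumes openssl is installed; the file names are illustrative, and make_demo_pem builds a constructed throwaway key+cert in the layout courier's mkimapdcert produces (key first, then certificate) purely so the script can be exercised without touching /etc/courier:

```shell
#!/bin/sh
# Added example, not from the original page. Splits a combined PEM of the kind
# courier keeps in imapd.pem (private key, certificate and usually DH parameters
# in one file) into the separate certificate and key files Postfix expects, and
# refuses to finish unless the two halves belong together. Assumes openssl is
# installed; every path here is illustrative.
set -eu

# split_pem COMBINED CERT_OUT KEY_OUT
# Writes only the CERTIFICATE block to CERT_OUT and only the private key to
# KEY_OUT (mode 0600), then compares the public key contained in each.
split_pem() {
    combined=$1; cert_out=$2; key_out=$3
    # openssl skips PEM blocks of the wrong type, so key-first and cert-first files both work
    openssl x509 -in "$combined" -out "$cert_out"
    # subshell so the restrictive umask only applies while the key is written
    (umask 077; openssl pkey -in "$combined" -out "$key_out")
    # a cert and key from different generations is the classic copy mistake; compare public keys
    cert_pub=$(openssl x509 -in "$cert_out" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key_out" -pubout)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "split_pem: certificate and key do not match" >&2
        return 1
    fi
    # neither file may still carry the other's block (what the manual vi edit gets wrong)
    if grep -q 'PRIVATE KEY' "$cert_out" || grep -q 'BEGIN CERTIFICATE' "$key_out"; then
        echo "split_pem: output not cleanly separated" >&2
        return 1
    fi
    echo "split_pem: wrote $cert_out and $key_out"
}

# make_demo_pem OUT
# Constructed test data only: a throwaway self-signed key and cert concatenated
# in the order courier's mkimapdcert writes them (key first). Not for real use.
make_demo_pem() {
    tmp=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=mail.example.test' \
        -keyout "$tmp/key.pem" -out "$tmp/cert.pem" 2>/dev/null
    cat "$tmp/key.pem" "$tmp/cert.pem" > "$1"
    rm -rf "$tmp"
}

# Demo run in a scratch directory; on a real server the inputs would be
# /etc/courier/imapd.pem and the two ssl-cert-snakeoil paths named in main.cf
demo=$(mktemp -d)
make_demo_pem "$demo/imapd.pem"
split_pem "$demo/imapd.pem" "$demo/smtpd.crt" "$demo/smtpd.key"
ls -l "$demo"
```

On the server the call would be `split_pem /etc/courier/imapd.pem /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/private/ssl-cert-snakeoil.key`, followed by `chown root:ssl-cert` on the key as above and a Postfix restart. `openssl s_client -connect localhost:25 -starttls smtp` then confirms two things at once: the certificate now served is the courier one, and with smtpd_tls_auth_only the EHLO response lists AUTH only after STARTTLS has completed.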
Note: Thunderbird does NOT like self-signed certs [[courier_imaps_server_-_maildir#testing_imaps_via_a_client_pc_and_problems|See here]]
You can get it working, but it'll take time. If you get errors, most likely it's Thunderbird, so check another mail client also.