
This page outlines some of the noteworthy points on setting up Debian Bullseye on a Hetzner Cloud server.

Apache Setup

apt-get install apache2
apt-get install libapache2-mod-php
apt-get install default-mysql-server    #mariadb is now the default
mysql_secure_installation               #see https://tecadmin.net/how-to-install-mariadb-on-debian-11/
apt-get install php-mysql
a2enmod userdir

vi /etc/apache2/mods-enabled/php7.4.conf
#comment out the <IfModule mod_userdir.c> block that switches PHP off in user directories (php_admin_flag engine Off)

adduser kartbuilding
cd /home/kartbuilding/
mkdir public_html
vi public_html/index.php
<?php phpinfo(); ?>
#remove this test page once PHP is confirmed working; phpinfo() exposes the server configuration to anyone who can load it

That should be the basic lamp setup.

Virtual Hosts

vi /etc/apache2/sites-available/01-kartbuilding.conf
<VirtualHost *:80>
        ServerAdmin email@domain.net
        ServerName www.kartbuilding.net
        ServerAlias kartbuilding.net
        DocumentRoot /home/kartbuilding/public_html/
        CustomLog /var/log/apache2/access_kart.log combined
        ErrorLog /var/log/apache2/error_kart.log
        LogLevel warn
        #"<Directory />" matches the whole filesystem; a block for /home/kartbuilding/public_html is the tighter scope
        <Directory />
                Options FollowSymLinks Indexes MultiViews
                AllowOverride All
        </Directory>
        UserDir disabled
</VirtualHost>

#Repeat block for other vhosts on this domain

<code>
#Enable site with
a2ensite 01-kartbuilding
#or symlink into /etc/apache2/sites-enabled

Apache authentication htpasswd

Within a vhost, add:

        <Location />
                #Order/Allow are Apache 2.2 directives; on Bullseye's Apache 2.4 they still work via mod_access_compat (enabled by default)
                Order Allow,Deny
                Allow from all
                AuthName "Secure"
                AuthType Basic
                AuthUserFile /etc/apache2/secure/htpasswd
                require valid-user
                #with the default "Satisfy All" both the host rules and a valid login are required, so this line does not skip the password for localhost ("Allow from all" already covers it)
                Allow from 127.0.0.1
        </Location>

To create a htpasswd file (the path must match AuthUserFile above; -c creates the file, so drop it when adding further users or the existing file is overwritten):

htpasswd -c /etc/apache2/secure/htpasswd username

Apache HTTPS Secure ssl

Self Signed Cert

make-ssl-cert generate-default-snakeoil
#regenerates /etc/ssl/certs/ssl-cert-snakeoil.pem and /etc/ssl/private/ssl-cert-snakeoil.key

<VirtualHost *:443>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        SSLEngine on
        SSLCertificateFile      /etc/ssl/certs/ssl-cert-snakeoil.pem
        SSLCertificateKeyFile   /etc/ssl/private/ssl-cert-snakeoil.key
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
                SSLOptions +StdEnvVars
        </Directory>
</VirtualHost>

Ref: /etc/apache2/sites-available/default-ssl.conf

MySQL migrations

Copy across data to new server

#always source -> destination
#On the new server issue (trailing slashes mean "copy the contents of the directory", not the directory itself):
rsync -ave ssh user@oldserver:/home/kartbuilding/ /home/kartbuilding/

Odds and Ends

apt-get install screen
dpkg-reconfigure tzdata
apt-get install fail2ban
apt-get install links

chkrootkit

apt-get install chkrootkit
vi /etc/chkrootkit.conf
#change to:
RUN_DAILY="true"
RUN_DAILY_OPTS="-q"
DIFF_MODE="true"

vi /etc/aliases
#add
root:           localuser

#then run the following to take effect:
newaliases

Now the user will get nightly emails with the chkrootkit report.

</code>

VIM tweaks

Because vi rocks

apt-get install vim
vi /etc/vim/vimrc
uncomment "syntax on"
uncomment "let g:skip_defaults_vim = 1" (skips defaults.vim, which otherwise turns the mouse back on and drops selections into visual mode)
https://unix.stackexchange.com/questions/551512/disabling-vim-visual-mode-in-etc-vim-vimrc-does-not-work

Website Updates

Wordpress

I had WordPress done via SVN, so it was easy.
cd /home/kartbuilding/public_blog
svn info
svn sw http://core.svn.wordpress.org/tags/6.0.1/ .

php5 -> php7 woes

Where possible any webapps will have to be updated as there are a lot of changes between php5 and php7.

#Apache error log showed:
PHP Parse error:  syntax error, unexpected 'new' (T_NEW) in...... on line 35

Edit the php file and on line 35 remove the &. It's not needed in php7: assigning the result of new by reference was removed in PHP 7.0.
Example:
Original php5
$bbdb =& new $bbdb_class( array(

New:
$bbdb = new $bbdb_class( array(

mysql woes

The old mysql_* extension was removed in PHP 7, so scripts built on it fail at the first call:

 PHP Fatal error:  Uncaught Error: Call to undefined function mysql_connect()

Edit the php script and change mysql_connect() to mysqli_connect(). The other mysql_* calls in the script (mysql_select_db, mysql_query, mysql_fetch_assoc, ...) need the same treatment, and mysqli_query() takes the connection as its first argument.
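Rather than waiting for each parse error to show up in the Apache log, the two PHP 7 breakages from the notes above (the removed mysql_* extension and "=& new") can be found up front. The following scanner is an added example, not part of the original notes; the directory to scan is a parameter and the sample files used to exercise it are constructed:

```shell
#!/bin/sh
# Added example, not from the original notes. Scans a web root for the two
# PHP 5 constructs that PHP 7 rejects, as seen in the notes:
#   - calls to the removed mysql_* extension (use mysqli_* or PDO instead)
#   - "=& new" reference assignment (removed in PHP 7.0)
# The path is an assumed parameter; any constructed input works.

# The pattern requires "mysql_" literally, so migrated mysqli_* calls do not match.
LEGACY_RE='mysql_[a-z_]+\(|=&[[:space:]]*new[[:space:]]'

# Print "file:line:text" for every hit in *.php files under directory $1.
scan_legacy_php() {
    find "$1" -type f -name '*.php' -exec grep -nHE "$LEGACY_RE" {} + 2>/dev/null || true
}

# Number of hits; 0 means the tree is clean with respect to these patterns.
count_legacy_php() {
    scan_legacy_php "$1" | wc -l | tr -d ' '
}

# Exit 0 when clean, 1 otherwise, so this can gate a migration or deployment.
check_legacy_php() {
    [ "$(count_legacy_php "$1")" -eq 0 ]
}

# Usage (assumed path): scan_legacy_php /home/kartbuilding/public_html
```

Hits inside comments or strings are reported too; that is deliberate, since a scanner that errs on the side of listing candidates is cheaper than a fatal error in production.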

Wiki

The Mediawiki instance was so old. I tried to copy it and update the php scripts to php7 but had no joy; I had problems connecting to the database. The latest Mediawiki was nearly 300MB (the previous was 60MB).

I made the decision to install and migrate to dokuwiki which doesn't use sql but flat text files.

dokuwiki

Install was very straightforward (info at https://www.dokuwiki.org/install). However, for migration purposes I chose to install an older version of dokuwiki for my php5.

Went for an old stable release at https://download.dokuwiki.org/archive. If it's too new, you'll get errors when running with php5.

chmod 777 (world-writable, so install.php can write its config and data; tighten the permissions again once it has finished) and run install.php

Migration of mediawiki

Have dokuwiki installed fresh, with its admin user created.

https://www.dokuwiki.org/tips:mediawiki_to_dokuwiki_converter

For the old MediaWiki:
https://github.com/tetsuo13/MediaWiki-to-DokuWiki-Importer/archive/99b29b645fb7f5bb8c5c03b23d1bfbb4eee642ed.zip

Download and extract Zip. Browse to and edit:
public_html/mediatodoc/src/MediaWiki2DokuWiki/settings.php
Update paths.

Run via browser /mediatodoc/src/MediaWiki2DokuWiki/index.php

(Got an error the first time and had to add $wgDBtype = "mysql"; to LocalSettings.)

Browse to dokuwiki, go to Site Map, and all pages should be listed.

Copy the folder to the new server and upgrade as per the dokuwiki info ( https://www.dokuwiki.org/install:upgrade ).

Swap File for VM

The Hetzner cloud server did not come with swap space. While you could resize it via the console, creating a swap file was a nice quick solution.

Check for swap

root@sun:~# free
               total        used        free      shared  buff/cache   available
Mem:         1981092      180740      250956       15668     1549396     1596964
Swap:              0           0           0

cat /etc/fstab
#shows no swap

Create swap file

fallocate -l 2G /swapfile
chmod 600 /swapfile
mkswap /swapfile
swapon /swapfile

root@sun:~# free
               total        used        free      shared  buff/cache   available
Mem:         1981092      182696      245032       15668     1553364     1594984
Swap:        2097148           0     2097148

Add to fstab for reboot

vi /etc/fstab
#add
/swapfile swap swap defaults 0 0

swapon --show
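As an added example, not from the original notes, the swap-file steps above collected into re-runnable functions. The fstab path, swap file path and size are parameters, so the fstab helpers can be tried against a scratch file before touching /etc/fstab:

```shell
#!/bin/sh
# Added example, not from the original notes: the swap-file procedure as
# idempotent functions. Paths and sizes are assumed parameters (see the usage
# comment at the bottom).

# 0 if FSTAB already has a swap entry for SWAPFILE, 1 otherwise.
swap_entry_present() {
    fstab="$1"; swapfile="$2"
    grep -Eq "^[[:space:]]*${swapfile}[[:space:]]+(none|swap)[[:space:]]+swap[[:space:]]" "$fstab"
}

# How many such entries there are (expected: exactly 1 after setup).
count_swap_entries() {
    grep -Ec "^[[:space:]]*${2}[[:space:]]+(none|swap)[[:space:]]+swap[[:space:]]" "$1" || true
}

# Append the fstab line only if it is missing, so running this twice is safe.
ensure_fstab_entry() {
    fstab="$1"; swapfile="$2"
    if swap_entry_present "$fstab" "$swapfile"; then
        return 0
    fi
    printf '%s swap swap defaults 0 0\n' "$swapfile" >> "$fstab"
}

# Root-only: create, lock down, format and activate the file.
# chmod 600 comes before mkswap/swapon so the file is never readable by other
# users; swap holds whatever the kernel pages out of process memory.
create_swapfile() {
    swapfile="$1"; size="$2"
    if [ "$(id -u)" -ne 0 ]; then
        echo "create_swapfile: must run as root" >&2
        return 1
    fi
    if [ -e "$swapfile" ]; then
        echo "create_swapfile: $swapfile already exists, leaving it alone" >&2
        return 0
    fi
    fallocate -l "$size" "$swapfile" &&
    chmod 600 "$swapfile" &&
    mkswap "$swapfile" &&
    swapon "$swapfile"
}

# Same check as in the notes, to confirm the result.
show_swap() {
    swapon --show
}

# Usage (as root), with the values from the notes:
#   create_swapfile /swapfile 2G && ensure_fstab_entry /etc/fstab /swapfile && show_swap
```

Nothing runs at the top level, so the file can be sourced and the root-only part called only once the fstab helpers have been checked against a copy.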

Delete Swap file

swapoff -v /swapfile
#remove the /swapfile line from /etc/fstab
rm /swapfile

Mail Server Setup

Followed postfix_smtp which was mostly OK and still accurate (updated portions of that page at the same time for debian bullseye).

Also followed courier_imaps_server_-_maildir, again mostly OK (updated that wiki page at the same time for debian bullseye).

See final Postfix config → debian_bullseye_config

Secure smtpd using Postfix and sasl

Debian bullseye has a lot set by default, and much has changed since secure_outgoing_smtp_via_postfix_courier_tls_and_sasl.

apt-get install libsasl2-modules postfix sasl2-bin
#postfix and libsasl2-modules will most likely be installed already.

vi /etc/postfix/main.cf
#add/check (smtpd_tls_auth_only stops AUTH being offered until STARTTLS has been negotiated, so PLAIN/LOGIN passwords never cross the wire in the clear)
smtpd_tls_auth_only = yes
smtpd_sasl_auth_enable = yes


vi /etc/postfix/sasl/smtpd.conf
#enter
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN


vi /etc/default/saslauthd
#add/update to the following:
START=yes
MECHANISMS="pam"
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"

mkdir -p /var/spool/postfix/var/run/saslauthd

dpkg-statoverride --add root sasl 710 /var/spool/postfix/var/run/saslauthd
adduser postfix sasl
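An added check, not from the original notes, for the two main.cf settings above. It reads the effective value of each parameter the way Postfix does (last assignment wins, "#" lines ignored) and flags the case where SASL is enabled but smtpd_tls_auth_only is still at its default of "no", which would let a client send a PLAIN/LOGIN password in cleartext. The main.cf path is an assumed parameter and the two sample configs are constructed:

```shell
#!/bin/sh
# Added example, not from the original notes: audit main.cf for SASL auth
# that is not restricted to TLS sessions.

# Print the effective value of Postfix parameter $1 from main.cf-style file $2.
# Later assignments override earlier ones, as in Postfix; "#" comment lines and
# blank lines are skipped; continuation lines (leading whitespace) are ignored
# because the two parameters checked here are single-valued.
postfix_param() {
    awk -v key="$1" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ || /^[[:space:]]/ { next }
        index($0, "=") > 0 {
            k = substr($0, 1, index($0, "=") - 1)
            gsub(/[[:space:]]/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1)
                sub(/^[[:space:]]+/, "", v)
                sub(/[[:space:]]+$/, "", v)
                val = v
            }
        }
        END { print val }
    ' "$2"
}

# Classify the smtpd auth posture of main.cf $1 by exit status:
#   0  SASL on and smtpd_tls_auth_only = yes   (credentials only inside TLS)
#   1  SASL on but TLS-only not set            (plaintext logins accepted)
#   2  SASL off                                (nothing to audit)
audit_smtpd_auth() {
    sasl=$(postfix_param smtpd_sasl_auth_enable "$1")
    tlsonly=$(postfix_param smtpd_tls_auth_only "$1")
    [ "$sasl" = "yes" ] || return 2
    [ "$tlsonly" = "yes" ] || return 1
    return 0
}

# Constructed samples. The weak one has the TLS-only setting, but a later line
# (say, pasted in from an older howto) sets it back to no, and Postfix honours
# the last one.
sample_main_cf_good() {
    cat <<'EOF'
# main.cf excerpt (constructed)
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file  = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_auth_only = yes
smtpd_sasl_auth_enable = yes
EOF
}

sample_main_cf_weak() {
    cat <<'EOF'
smtpd_sasl_auth_enable = yes
smtpd_tls_auth_only = yes
# ... pasted later:
smtpd_tls_auth_only = no
EOF
}

# Usage on a live box (assumed path): audit_smtpd_auth /etc/postfix/main.cf; echo $?
```

The same lookup works for smtpd_tls_cert_file and smtpd_tls_key_file, which is a quick way to confirm which files Postfix is actually serving after the cert swap further down.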

Error message I saw in mail.log → /etc/courier/shared/index: Permission denied

Fix:
chmod 755 /etc/courier/shared
cd /etc/courier/shared
touch index
chown courier index

smtpd certs

A default cert is created after installing. It resides at:

/etc/ssl/certs/ssl-cert-snakeoil.pem and /etc/ssl/private/ssl-cert-snakeoil.key

Postfix reads these via main.cf with smtpd_tls_cert_file and smtpd_tls_key_file respectively.

It wasn't self-signed, so I said I'd use the imapd.pem cert at /etc/courier/imapd.pem

NOTE: May not be the best way, but worked.

mv /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/certs/ssl-cert-snakeoil-orig.pem
mv /etc/ssl/private/ssl-cert-snakeoil.key /etc/ssl/private/ssl-cert-snakeoil-orig.key

cp /etc/courier/imapd.pem /etc/ssl/certs/ssl-cert-snakeoil.pem
vi /etc/ssl/certs/ssl-cert-snakeoil.pem
#edit so the file contains only the certificate block:
-----BEGIN CERTIFICATE-----
..
-----END CERTIFICATE-----

cp /etc/courier/imapd.pem /etc/ssl/private/ssl-cert-snakeoil.key
#the copy is created with the default (world-readable) mode, so restrict it to root once edited
vi /etc/ssl/private/ssl-cert-snakeoil.key
#edit so the file contains only the private key block:
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
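The hand-editing of the two copied files can be replaced with an extraction that keeps only the block you want and never leaves the key world-readable. This is an added example, not from the original notes; the combined PEM it runs on is a constructed sample from sample_combined_pem (placeholder lines, not real key material) and the output paths are parameters:

```shell
#!/bin/sh
# Added example, not from the original notes: split a combined PEM file (one
# with the certificate and private key together, like /etc/courier/imapd.pem)
# into a certificate file and a key file without editing by hand.

# Print the PEM block(s) whose BEGIN/END label matches the ERE in $1 from file $2.
# Anything outside those markers (DH parameters, comments, a second key) is dropped.
extract_pem_block() {
    awk -v label="$1" '
        $0 ~ ("^-----BEGIN " label "-----$") { inblock = 1 }
        inblock { print }
        $0 ~ ("^-----END " label "-----$")   { inblock = 0 }
    ' "$2"
}

# Write the cert and key from combined file $1 to $2 and $3.
# The key file is created under umask 077 and then chmod 600, so it is never
# readable by other users, not even briefly. "RSA " and "EC " key labels are accepted.
split_combined_pem() {
    combined="$1"; certout="$2"; keyout="$3"
    extract_pem_block 'CERTIFICATE' "$combined" > "$certout"
    ( umask 077; extract_pem_block '(RSA |EC )?PRIVATE KEY' "$combined" > "$keyout" )
    chmod 644 "$certout"
    chmod 600 "$keyout"
    # Fail if either block was missing from the input.
    [ -s "$certout" ] && [ -s "$keyout" ]
}

# Optional check that key $2 belongs to certificate $1, by comparing the public
# key derived from each side. Skipped (returns 0) when openssl is not installed.
pem_pair_matches() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping check" >&2; return 0; }
    [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2")" ]
}

# Constructed sample in the same shape as a combined file; the data lines are
# placeholders, not a real key or certificate.
sample_combined_pem() {
    cat <<'EOF'
-----BEGIN PRIVATE KEY-----
PLACEHOLDERKEYLINE1
PLACEHOLDERKEYLINE2
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
PLACEHOLDERCERTLINE1
-----END CERTIFICATE-----
-----BEGIN DH PARAMETERS-----
PLACEHOLDERDH
-----END DH PARAMETERS-----
EOF
}

# Usage with the paths from the notes (assumed), after moving the originals aside:
#   split_combined_pem /etc/courier/imapd.pem /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/private/ssl-cert-snakeoil.key
#   pem_pair_matches /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/private/ssl-cert-snakeoil.key
```

Run pem_pair_matches only against real files; on the placeholder sample openssl has nothing to parse and the comparison fails, which is the right answer for junk input.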

Restart postfix (and anything else that serves this cert).

Note: Thunderbird does NOT like self-signed certs [[courier_imaps_server_-_maildir#testing_imaps_via_a_client_pc_and_problems|See here]]
You can get it working, but it'll take time. If you get errors, it's most likely Thunderbird, so check with another mail client as well.