Improve installation docs
Signed-off-by: Thomas Citharel <tcit@tcit.fr>
This commit is contained in:
parent
061f51447e
commit
02b32f1e83
13
docs/administration/configure/index.md
Normal file
13
docs/administration/configure/index.md
Normal file
|
@ -0,0 +1,13 @@
|
||||||
|
# Configuration
|
||||||
|
|
||||||
|
Basic Mobilizon configuration can be handled through the Admin panel in the UI.
|
||||||
|
|
||||||
|
Core mobilizon configuration must be managed into the `config/prod.secret.exs` file.
|
||||||
|
After performing changes to this file, you have to recompile the mobilizon app with:
|
||||||
|
```bash
|
||||||
|
MIX_ENV=prod mix compile
|
||||||
|
```
|
||||||
|
and then restart the Mobilizon service:
|
||||||
|
```
|
||||||
|
systemctl restart mobilizon
|
||||||
|
```
|
|
@ -9,6 +9,15 @@ This documentation is appropriate for Debian 10 (Buster) and Ubuntu 18.04 LTS.
|
||||||
We advise to make sure your webserver is secure enough.
|
We advise to make sure your webserver is secure enough.
|
||||||
For instance you can require authentication through SSH keys and not passwords, install Fail2Ban to block repeated login attempts and block unused ports by installing and configuring a firewall.
|
For instance you can require authentication through SSH keys and not passwords, install Fail2Ban to block repeated login attempts and block unused ports by installing and configuring a firewall.
|
||||||
|
|
||||||
|
### Upgrade system
|
||||||
|
|
||||||
|
Just to be sure your system is up-to-date before doing anything else:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
sudo apt update
|
||||||
|
sudo apt dist-upgrade
|
||||||
|
```
|
||||||
|
|
||||||
### Basic tools
|
### Basic tools
|
||||||
We begin by making sure some basic tools are installed:
|
We begin by making sure some basic tools are installed:
|
||||||
|
|
||||||
|
|
|
@ -7,7 +7,7 @@
|
||||||
## Pre-requisites
|
## Pre-requisites
|
||||||
|
|
||||||
* A Linux machine with **root access**
|
* A Linux machine with **root access**
|
||||||
* A **domain name** (or subdomain) for the Mobilizon server, e.g. `example.net`
|
* A **domain name** (or subdomain) for the Mobilizon server, e.g. `your-mobilizon-domain.com`
|
||||||
* An **SMTP server** to deliver emails
|
* An **SMTP server** to deliver emails
|
||||||
|
|
||||||
## Dependencies
|
## Dependencies
|
||||||
|
@ -53,10 +53,13 @@ Install Elixir dependencies
|
||||||
mix deps.get
|
mix deps.get
|
||||||
```
|
```
|
||||||
|
|
||||||
Then compile these dependencies and Mobilizon (this can take a few minutes)
|
!!! note
|
||||||
|
When asked for `Shall I install Hex?` or `Shall I install rebar3?`, hit the enter key to confirm.
|
||||||
|
|
||||||
|
Then compile these dependencies and Mobilizon (this can take a few minutes, and can output all kinds of warnings, such as depreciation issues)
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
mix compile
|
MIX_ENV=prod mix compile
|
||||||
```
|
```
|
||||||
|
|
||||||
Go into the `js/` directory
|
Go into the `js/` directory
|
||||||
|
@ -73,7 +76,7 @@ yarn install
|
||||||
|
|
||||||
Finally, we can build the front-end (this can take a few seconds)
|
Finally, we can build the front-end (this can take a few seconds)
|
||||||
```bash
|
```bash
|
||||||
NODE_ENV=production yarn run build
|
yarn run build
|
||||||
```
|
```
|
||||||
|
|
||||||
Let's go back to the main directory
|
Let's go back to the main directory
|
||||||
|
@ -86,7 +89,7 @@ cd ../
|
||||||
Mobilizon provides a command line tool to generate configuration
|
Mobilizon provides a command line tool to generate configuration
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
mix mobilizon.instance gen
|
MIX_ENV=prod mix mobilizon.instance gen
|
||||||
```
|
```
|
||||||
|
|
||||||
This will ask you questions about your setup and your instance to generate a `prod.secret.exs` file in the `config/` folder, and a `setup_db.psql` file to setup the database.
|
This will ask you questions about your setup and your instance to generate a `prod.secret.exs` file in the `config/` folder, and a `setup_db.psql` file to setup the database.
|
||||||
|
@ -95,11 +98,27 @@ This will ask you questions about your setup and your instance to generate a `pr
|
||||||
|
|
||||||
The `setup_db.psql` file contains SQL instructions to create a PostgreSQL user and database with the chosen credentials and add the required extensions to the Mobilizon database.
|
The `setup_db.psql` file contains SQL instructions to create a PostgreSQL user and database with the chosen credentials and add the required extensions to the Mobilizon database.
|
||||||
|
|
||||||
Execute
|
Exit running as the mobilizon user (as it shouldn't have `root`/`sudo` rights) and execute in the `/home/mobilizon/live` directory:
|
||||||
```bash
|
```bash
|
||||||
sudo -u postgres psql -f setup_db.psql
|
sudo -u postgres psql -f setup_db.psql
|
||||||
```
|
```
|
||||||
|
|
||||||
|
It should output something like:
|
||||||
|
```
|
||||||
|
CREATE ROLE
|
||||||
|
CREATE DATABASE
|
||||||
|
You are now connected to database "mobilizon_prod" as user "postgres".
|
||||||
|
CREATE EXTENSION
|
||||||
|
CREATE EXTENSION
|
||||||
|
CREATE EXTENSION
|
||||||
|
```
|
||||||
|
|
||||||
|
Let's get back to our `mobilizon` user:
|
||||||
|
```bash
|
||||||
|
sudo -i -u mobilizon
|
||||||
|
cd live
|
||||||
|
```
|
||||||
|
|
||||||
!!! warning
|
!!! warning
|
||||||
|
|
||||||
When it's done, don't forget to remove the `setup_db.psql` file.
|
When it's done, don't forget to remove the `setup_db.psql` file.
|
||||||
|
@ -122,6 +141,8 @@ You will have to do this again after most updates.
|
||||||
|
|
||||||
## Services
|
## Services
|
||||||
|
|
||||||
|
We can quit using the `mobilizon` user again.
|
||||||
|
|
||||||
### Systemd
|
### Systemd
|
||||||
|
|
||||||
Copy the `support/systemd/mobilizon.service` to `/etc/systemd/system`.
|
Copy the `support/systemd/mobilizon.service` to `/etc/systemd/system`.
|
||||||
|
@ -148,6 +169,12 @@ It will run Mobilizon and enable startup on boot. You can follow the logs with
|
||||||
sudo journalctl -fu mobilizon.service
|
sudo journalctl -fu mobilizon.service
|
||||||
```
|
```
|
||||||
|
|
||||||
|
You should see something like this:
|
||||||
|
```
|
||||||
|
Running Mobilizon.Web.Endpoint with cowboy 2.8.0 at :::4000 (http)
|
||||||
|
Access Mobilizon.Web.Endpoint at https://your-mobilizon-domain.com
|
||||||
|
```
|
||||||
|
|
||||||
The Mobilizon server runs on port 4000 on the local interface only, so you need to add a reverse-proxy.
|
The Mobilizon server runs on port 4000 on the local interface only, so you need to add a reverse-proxy.
|
||||||
|
|
||||||
## Reverse proxy
|
## Reverse proxy
|
||||||
|
@ -170,12 +197,54 @@ Edit the file `/etc/nginx/sites-available` and adapt it to your own configuratio
|
||||||
|
|
||||||
Test the configuration with `sudo nginx -t` and reload nginx with `systemctl reload nginx`.
|
Test the configuration with `sudo nginx -t` and reload nginx with `systemctl reload nginx`.
|
||||||
|
|
||||||
|
### Let's Encrypt
|
||||||
|
|
||||||
|
The nginx configuration template handles the HTTP-01 challenge with the webroot plugin:
|
||||||
|
```bash
|
||||||
|
sudo mkdir /var/www/certbot
|
||||||
|
```
|
||||||
|
|
||||||
|
Run certbot with (don't forget to adapt the command)
|
||||||
|
```bash
|
||||||
|
sudo certbot certonly --rsa-key-size 4096 --webroot -w /var/www/certbot/ --email your@email.com --agree-tos --text --renew-hook "/usr/sbin/nginx -s reload" -d your-mobilizon-domain.com
|
||||||
|
```
|
||||||
|
|
||||||
|
Then adapt the nginx configuration `/etc/nginx/sites-available/mobilizon.conf` by uncommenting certificate paths and removing obsolete blocks.
|
||||||
|
|
||||||
|
Finish by testing the configuration with `sudo nginx -t` and reloading nginx with `systemctl reload nginx`.
|
||||||
|
|
||||||
|
You should now be able to load https://your-mobilizon-domain.com inside your browser.
|
||||||
|
|
||||||
|
## Creating your first user
|
||||||
|
|
||||||
|
Login back as the `mobilizon` system user:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
sudo -i -u mobilizon
|
||||||
|
cd live
|
||||||
|
```
|
||||||
|
|
||||||
|
Create a new user:
|
||||||
|
```
|
||||||
|
MIX_ENV=prod mix mobilizon.users.new "your@email.com" --admin --password "Y0urP4ssw0rd"
|
||||||
|
```
|
||||||
|
|
||||||
|
!!! danger
|
||||||
|
Don't forget to prefix the command with an empty space so that the chosen password isn't kept in your shell history.
|
||||||
|
|
||||||
|
!!! tip
|
||||||
|
You can ignore the `--password` option and Mobilizon will generate one for you.
|
||||||
|
|
||||||
|
See the [full documentation](./CLI tasks/manage_users.md#create-a-new-user) for this command.
|
||||||
|
|
||||||
|
You may now login with your credentials and discover Mobilizon. Feel free to explore [configuration documentation](./configure) as well.
|
||||||
|
|
||||||
## Optional tasks
|
## Optional tasks
|
||||||
|
|
||||||
### Geolocation databases
|
### Geolocation databases
|
||||||
|
|
||||||
Mobilizon can use geolocation from MMDB format data from sources like [MaxMind GeoIP](https://dev.maxmind.com/geoip/geoip2/geolite2/) databases or [db-ip.com](https://db-ip.com/db/download/ip-to-city-lite) databases. This allows showing events happening near the user's location.
|
Mobilizon can use geolocation from MMDB format data from sources like [MaxMind GeoIP](https://dev.maxmind.com/geoip/geoip2/geolite2/) databases or [db-ip.com](https://db-ip.com/db/download/ip-to-city-lite) databases. This allows showing events happening near the user's location.
|
||||||
|
|
||||||
You will need to download the City database and put it into `priv/data/GeoLite2-City.mmdb`.
|
You will need to download the City database and put it into `priv/data/GeoLite2-City.mmdb`. Finish by restarting the `mobilizon` service.
|
||||||
|
|
||||||
Mobilizon will only show a warning at startup if the database is missing, but it isn't required.
|
Mobilizon will only show a warning at startup if the database is missing, but it isn't required.
|
|
@ -11,7 +11,15 @@ server {
|
||||||
|
|
||||||
listen 80;
|
listen 80;
|
||||||
listen [::]:80;
|
listen [::]:80;
|
||||||
return 301 https://$server_name$request_uri;
|
|
||||||
|
# Remove once HTTPS is setup
|
||||||
|
location ^~ '/.well-known/acme-challenge' {
|
||||||
|
root /var/www/certbot;
|
||||||
|
default_type "text/plain";
|
||||||
|
}
|
||||||
|
|
||||||
|
# Uncomment once HTTPS is setup
|
||||||
|
# return 301 https://$server_name$request_uri;
|
||||||
}
|
}
|
||||||
|
|
||||||
server {
|
server {
|
||||||
|
@ -21,9 +29,10 @@ server {
|
||||||
listen [::]:443 ssl http2;
|
listen [::]:443 ssl http2;
|
||||||
ssl_session_timeout 5m;
|
ssl_session_timeout 5m;
|
||||||
|
|
||||||
ssl_trusted_certificate /etc/letsencrypt/live/example.tld/fullchain.pem;
|
# Uncomment once you get the certificates
|
||||||
ssl_certificate /etc/letsencrypt/live/example.tld/fullchain.pem;
|
# ssl_trusted_certificate /etc/letsencrypt/live/example.tld/fullchain.pem;
|
||||||
ssl_certificate_key /etc/letsencrypt/live/example.tld/privkey.pem;
|
# ssl_certificate /etc/letsencrypt/live/example.tld/fullchain.pem;
|
||||||
|
# ssl_certificate_key /etc/letsencrypt/live/example.tld/privkey.pem;
|
||||||
|
|
||||||
# Add TLSv1.3 if it's supported by your system
|
# Add TLSv1.3 if it's supported by your system
|
||||||
ssl_protocols TLSv1.2;
|
ssl_protocols TLSv1.2;
|
||||||
|
@ -46,6 +55,12 @@ server {
|
||||||
# the nginx default is 1m, not enough for large media uploads
|
# the nginx default is 1m, not enough for large media uploads
|
||||||
client_max_body_size 16m;
|
client_max_body_size 16m;
|
||||||
|
|
||||||
|
# Let's Encrypt keeps its files here
|
||||||
|
location ^~ '/.well-known/acme-challenge' {
|
||||||
|
root /var/www/certbot;
|
||||||
|
default_type "text/plain";
|
||||||
|
}
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
gzip off;
|
gzip off;
|
||||||
proxy_http_version 1.1;
|
proxy_http_version 1.1;
|
||||||
|
@ -65,7 +80,7 @@ server {
|
||||||
}
|
}
|
||||||
|
|
||||||
location ~* \.(css|js)$ {
|
location ~* \.(css|js)$ {
|
||||||
root /var/www/mobilizon/priv/static;
|
root /home/mobilizon/live/priv/static;
|
||||||
etag off;
|
etag off;
|
||||||
expires 1y;
|
expires 1y;
|
||||||
access_log off;
|
access_log off;
|
||||||
|
|
|
@ -4,13 +4,15 @@ After=network.target postgresql.service
|
||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
User=mobilizon
|
User=mobilizon
|
||||||
WorkingDirectory=/home/mobilizon/mobilizon
|
WorkingDirectory=/home/mobilizon/live
|
||||||
ExecStart=/usr/local/bin/mix phx.server
|
ExecStart=/usr/bin/env mix phx.server
|
||||||
ExecReload=/bin/kill $MAINPID
|
ExecReload=/bin/kill $MAINPID
|
||||||
KillMode=process
|
KillMode=process
|
||||||
Restart=on-failure
|
Restart=on-failure
|
||||||
Environment=MIX_ENV=prod
|
Environment=MIX_ENV=prod
|
||||||
|
|
||||||
|
SyslogIdentifier=mobilizon
|
||||||
|
|
||||||
; Some security directives.
|
; Some security directives.
|
||||||
; Use private /tmp and /var/tmp folders inside a new file system namespace, which are discarded after the process stops.
|
; Use private /tmp and /var/tmp folders inside a new file system namespace, which are discarded after the process stops.
|
||||||
PrivateTmp=true
|
PrivateTmp=true
|
||||||
|
|
Loading…
Reference in a new issue