BookStack@nginx-Debian12.md

HISTORY

2024-05-24  * init and screen recording /A

TODO:

  • create DB (restore schema)
  • create user

  • create a bucket for storage in Cloud Storage, plus a service account and key-secret pair

    Cloud Storage, [create], do not expose to internet!
    Cloud Storage, Settings, Interoperability, [Create a key],  Service account HMAC [Create new account]
    Name: dox_2dz_fi-bookstack, [Create and continue]
    Roles: Storage Object Admin, [Continue], [Done]
    Save key and secret! Secret will be shown once.
    
    gsutil uniformbucketlevelaccess get gs://2dz-data-hub
    

Expected output:

Uniform bucket-level access setting for gs://2dz-data-hub:
  Enabled: False

  • create a bucket user (GCP Service Account) with corresponding permissions

    IAM, Service accounts, [Create service account],
    name: dox_2dz_fi-bookstack
    
    Grant access:
    New principal:
      dox_2dz_fi-bookstack@....gserviceaccount.com
    Roles
      Storage Object Creator
      Storage Object User
      Storage Object Viewer
      ? Storage Object Creator
    
      ?? more
      ? Storage Legacy Bucket Owner
      ? Storage Legacy Bucket Reader
      ? Storage Legacy Bucket Writer
      ? Storage Legacy Object Owner
      ? Storage Legacy Object Reader
      allUsers
    
    

Extract the secret for connection: (noted to KeePassXC)


  • create CNAME/A record, point to a server

    dig A dox.2dz.fi
    
  • create home directory (/home/bookstack)

  • clone code from repo

    sudo su
    cd /home
    git clone https://github.com/BookStackApp/BookStack.git --branch release --single-branch
    mv /home/BookStack /home/dox_2dz_fi-bookstack
    chown -R anton:anton /home/dox_2dz_fi-bookstack/
    cd /home/dox_2dz_fi-bookstack/
    

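Download Composer and install it globally (as a normal user, not as root), so it is easy to update later. The SHA-384 value in the check below is tied to one installer release and changes whenever the installer is updated.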

mkdir -p ~/utils/composer
cd ~/utils/composer/
php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
php -r "if (hash_file('sha384', 'composer-setup.php') === 'dac665fdc30fdd8ec78b38b9800061b4150413ff2e3b6f88543c636f7cd84f6db9189d43a81e5503cda447da73c7e5b6') { echo 'Installer verified'; } else { echo 'Installer corrupt'; unlink('composer-setup.php'); } echo PHP_EOL;"
php composer-setup.php
php -r "unlink('composer-setup.php');"
php composer.phar
sudo mv composer.phar /usr/local/bin/composer

  • build (composer install)

    cd /home/dox_2dz_fi-bookstack/
    which composer
    composer install --no-dev
    
  • configure .env

    sudo su
    cd /home/dox_2dz_fi-bookstack/
    chown -R www-data:www-data storage/
    chmod -R 775 storage/
    chown -R www-data:www-data bootstrap/cache/
    chmod -R 775 bootstrap/cache/
    chown -R www-data:www-data public/uploads/
    chmod -R 775 public/uploads/
    chown -R www-data:www-data public/
    
    h: 172.21.32.6
    db: dox_2dz_fi-bookstack
    u: dox_2dz_fi-bookstack
    p: (see keepassXC)
    
    
    MAIL_VERIFY_SSL=false
    

Generate salt (as normal user)

cd /home/dox_2dz_fi-bookstack/
id
php artisan key:generate

  • configure webserver (nginx)

    • create site config

      sudo su
      
      systemctl | grep php
      systemctl status php8.2-fpm.service
      less /lib/systemd/system/php8.2-fpm.service
      # observe for socket path
      ls -la /run/php/php-fpm.sock
      lrwxrwxrwx 1 root root 30 May 23 00:21 /run/php/php-fpm.sock -> /etc/alternatives/php-fpm.sock
      ls -la /etc/alternatives/php-fpm.sock
      lrwxrwxrwx 1 root root 24 May 23 00:21 /etc/alternatives/php-fpm.sock -> /run/php/php8.2-fpm.sock
      ls -la /run/php/php8.2-fpm.sock
      srw-rw---- 1 www-data www-data 0 May 23 00:21 /run/php/php8.2-fpm.sock
      

Check via configuration

fgrep -irn fpm.sock /etc/php/

Determine the socket location from the output:

/etc/php/8.2/fpm/pool.d/www.conf:41:listen = /run/php/php8.2-fpm.sock

cd /etc/nginx/sites-available
vi dox.2dz.fi.conf

e.g. (SSL will be enabled later by Certbot):

server {
  listen 80;
  listen [::]:80;

  server_name dox.2dz.fi;

  root /home/dox_2dz_fi-bookstack/public;
  index index.php index.html;

  location / {
    try_files $uri $uri/ /index.php?$query_string;
  }

  location ~ \.php$ {
    include snippets/fastcgi-php.conf;
    fastcgi_pass unix:/run/php/php-fpm.sock;
  }
}

  • enable it

    ln -s /etc/nginx/sites-available/dox.2dz.fi.conf /etc/nginx/sites-enabled/dox.2dz.fi.conf
    

Test webserver configuration, and reload it.

nginx -t
nginx -s reload
systemctl restart nginx
ss -ntap | grep nginx

  • upgrade DB (recreate/upgrade schema to the recent)

    cd /home/dox_2dz_fi-bookstack/
    php artisan migrate
    

    check DB

    mysql -h(host) -u dox_2dz_fi-bookstack -p
    
    MySQL [dox_2dz_fi-bookstack]> SHOW DATABASES;
    MySQL [dox_2dz_fi-bookstack]> USE dox_2dz_fi-bookstack;
    MySQL [dox_2dz_fi-bookstack]> SHOW TABLES;
    MySQL [dox_2dz_fi-bookstack]> SELECT * FROM users;
    
  • Enable SSL using Let's Encrypt and Certbot

    apt install certbot python3-certbot-nginx
    certbot --nginx -d dox.2dz.fi
    nginx -t
    systemctl restart nginx
    
    

Application should be up and running

firefox https://dox.2dz.fi/

Log in with the default credentials (change them right after the first login):

u: admin@admin.com
p: password

Upload size limit in .env:

# File Upload Limit
# Maximum file size, in megabytes, that can be uploaded to the system.
FILE_UPLOAD_SIZE_LIMIT=50

  • S3 driver to mount storage in Cloud Bucket
  • fine-tune (nginx.conf)

    http {
    	#...
        client_max_body_size 100m;
        client_body_timeout 120s; # Default is 60, May need to be increased for very large uploads
    	#...
    }
    
  • fine-tune PHP

    ps aux | grep php
    # observe path to php-fpm.conf file; the limits below are php.ini
    # directives, and the FPM php.ini sits in the same directory
    vi /etc/php/8.2/fpm/php.ini
    
    
    post_max_size = 10M
    upload_max_filesize = 10M
    memory_limit = 256M
    
    ref.
    https://www.bookstackapp.com/docs/admin/installation/#requirements
    https://www.bookstackapp.com/docs/admin/upload-config/#s3
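
Uploads pass through three limits set in these notes (FILE_UPLOAD_SIZE_LIMIT in .env, client_max_body_size in nginx, post_max_size and upload_max_filesize in PHP), and the smallest one decides what is accepted. The script below is an added example, not part of the original notes or of BookStack: it reads the three files and reports the binding setting. The function names and the fallback values used when a setting is absent (50, 1m, 8M, 2M) are this example's assumptions about stock defaults.

```shell
#!/bin/sh
# Added example: find which layer actually caps BookStack uploads.

# Convert an nginx/PHP size (100m, 10M, 1G, 512k, bare bytes) to whole MB.
to_mb() {
  num=${1%[kKmMgG]}
  case $1 in
    *[gG]) echo $((num * 1024)) ;;
    *[mM]) echo "$num" ;;
    *[kK]) echo $((num / 1024)) ;;
    *)     echo $((num / 1048576)) ;;
  esac
}

# Print the last active (uncommented) size set for KEY in FILE. Matches
# "KEY=50" (.env), "key = 10M" (php.ini) and "key 100m;" (nginx).
conf_value() {
  sed -n "s/^[[:space:]]*$1[[:space:]=]\{1,\}\([0-9]\{1,\}[kKmMgG]\{0,1\}\).*/\1/p" "$2" | tail -n 1
}

# Args: .env, nginx.conf, php.ini. Prints "<MB> <setting that binds>".
effective_upload_limit() {
  # key, file, fallback when unset (assumed stock defaults; .env value is in MB)
  set -- FILE_UPLOAD_SIZE_LIMIT "$1" 50 client_max_body_size "$2" 1m \
         post_max_size "$3" 8M upload_max_filesize "$3" 2M
  best=""; by=""
  while [ $# -gt 0 ]; do
    val=$(conf_value "$1" "$2")
    val=${val:-$3}
    if [ "$1" = FILE_UPLOAD_SIZE_LIMIT ]; then val="${val}m"; fi
    mb=$(to_mb "$val")
    if [ -z "$best" ] || [ "$mb" -lt "$best" ]; then best=$mb; by=$1; fi
    shift 3
  done
  echo "$best $by"
}

# Usage: sh upload-limit.sh /home/dox_2dz_fi-bookstack/.env /etc/nginx/nginx.conf /etc/php/8.2/fpm/php.ini
if [ $# -eq 3 ]; then effective_upload_limit "$@"; fi
```

With the values recorded in these notes the result is `10 post_max_size`: PHP rejects anything above 10 MB even though BookStack and nginx would allow 50 MB and 100 MB.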