
Installing Seenthis.net on Debian Jessie

biggrizzly edited this page May 27, 2017 · 13 revisions

Recipe notes from the May 2017 installation on Debian Jessie

Useful tools

apt-get install vim ntp bind9 fail2ban rsync

Base

apt-get install nginx mariadb-server mariadb-client memcached

PHP

apt-get install imagemagick php5-fpm php5-cli php5-curl php5-gd php5-imagick php5-json php5-mcrypt php5-memcache php5-mysql php5-readline php5-sqlite php5-xcache

System user "seenthis"

adduser --system --no-create-home --shell /usr/sbin/nologin --group --disabled-login seenthis

Directories for the production instance

mkdir /var/www/seenthis.net
mkdir /var/www/seenthis.net/conf
mkdir /var/www/seenthis.net/conf/logrotate
mkdir /var/www/seenthis.net/conf/mysql
mkdir /var/www/seenthis.net/conf/nginx
mkdir /var/www/seenthis.net/conf/php
mkdir /var/www/seenthis.net/conf/spip
mkdir /var/www/seenthis.net/log
mkdir /var/www/seenthis.net/public_html

PHP-FPM pool for SeenThis

echo "
[seenthis]
prefix = /var/www/seenthis.net
user = seenthis
group = seenthis
listen = /var/run/php5-fpm.seenthis.sock
listen.owner = www-data
listen.group = www-data
listen.allowed_clients = 127.0.0.1
pm = dynamic
pm.max_children = 30
pm.start_servers = 5
pm.min_spare_servers = 5
pm.max_spare_servers = 10
pm.max_requests = 500
access.log = log/php-fpm.access.log
slowlog = log/php-fpm.slow.log
request_slowlog_timeout = 1m
chdir = /
php_admin_value[error_log] = log/php-fpm.error.log
php_admin_flag[log_errors] = on
" > /var/www/seenthis.net/conf/php/seenthis.conf
ln -s /var/www/seenthis.net/conf/php/seenthis.conf /etc/php5/fpm/pool.d/seenthis.conf

nginx virtual host configuration

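# The nginx variable is written as \$ so the shell does not expand it inside the double-quoted echo
echo "
server {
  listen 80;
  server_name seenthis.net;
  return 301 https://seenthis.net\$request_uri;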
}

server {
  listen 443 ssl;
  server_name seenthis.net;

  ssl_certificate /etc/letsencrypt/live/seenthis.net/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/seenthis.net/privkey.pem;

  access_log /var/www/seenthis.net/log/nginx.access.log combined buffer=512k flush=60m;
  error_log /var/www/seenthis.net/log/nginx.error.log crit;

  root /var/www/seenthis.net/public_html;

  include /var/www/seenthis.net/conf/nginx/security.conf;
  include /var/www/seenthis.net/conf/nginx/rewrites.conf;
  include /var/www/seenthis.net/conf/nginx/staticfiles.conf;
  include /var/www/seenthis.net/conf/nginx/php.conf;
  include /var/www/seenthis.net/conf/nginx/drop.conf;
}
" > /var/www/seenthis.net/conf/nginx/server.conf
ln -s /var/www/seenthis.net/conf/nginx/server.conf /etc/nginx/sites-available/seenthis
ln -s /etc/nginx/sites-available/seenthis /etc/nginx/sites-enabled/seenthis

The "include" files would deserve a page of their own...

Creating the SeenThis user for the MariaDB database

echo "CREATE USER 'seenthis'@'localhost' IDENTIFIED BY 'XXXXXXS';
GRANT USAGE ON *.* TO 'seenthis'@'localhost' IDENTIFIED BY 'XXXXXXS' WITH MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0;
CREATE DATABASE IF NOT EXISTS seenthis;
GRANT ALL PRIVILEGES ON seenthis.* TO 'seenthis'@'localhost';
" > createuser.sql
mysql -u root -pXXXXXXR < createuser.sql
rm createuser.sql

Replace the passwords with the real ones... there must be a way to do this without going through a temporary file.
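
One way to do this without the temporary file, and without a password on the `mysql` command line, shown as an added example that is not part of the original page: the SQL is generated on stdout and piped straight to the client. The function names `sql_quote`, `seenthis_user_sql` and `create_seenthis_user` are hypothetical, and the script assumes bash and an interactive terminal.

```bash
#!/bin/bash
# Added example, not from the original page. Function names are hypothetical.

# Escape a value for use inside a single-quoted MariaDB string literal.
# Assumes the default sql_mode, where backslash is an escape character.
sql_quote() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/''/g"
}

# Print the page's four statements with the given password substituted.
# The body runs in a subshell, so "pw" does not leak into the caller.
seenthis_user_sql() (
  pw=$(sql_quote "$1")
  cat <<EOF
CREATE USER 'seenthis'@'localhost' IDENTIFIED BY '${pw}';
GRANT USAGE ON *.* TO 'seenthis'@'localhost' IDENTIFIED BY '${pw}' WITH MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0;
CREATE DATABASE IF NOT EXISTS seenthis;
GRANT ALL PRIVILEGES ON seenthis.* TO 'seenthis'@'localhost';
EOF
)

# Prompt for the new account's password with echo off, then pipe the SQL
# to the client on stdin.
create_seenthis_user() (
  read -r -s -p "Password for MariaDB user seenthis: " pw </dev/tty
  echo >&2
  # "-p" with no value makes mysql ask for root's password on the terminal,
  # so neither password appears in the process list, shell history or a file.
  seenthis_user_sql "$pw" | mysql -u root -p
)

# Run only when asked to, e.g.: bash create-seenthis-user.sh --apply
if [ "${1:-}" = "--apply" ]; then
  create_seenthis_user
fi
```
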

MariaDB configuration specific to SeenThis

echo "
# Settings for seenthis
[mysqld]
table_open_cache = 500
tmp_table_size = 1G
max_heap_table_size = 1G
key_buffer_size = 1024M
thread_pool_size = 24
sort_buffer_size = 384K
read_rnd_buffer_size = 384K

query_cache_size = 1G
query_cache_limit = 64M

innodb_file_per_table = 1

slow_query_log = 1
slow_query_log_file = /var/log/mysql/mysql-slow.log
long_query_time = 4

skip-name-resolve = 1
" > /var/www/seenthis.net/conf/mysql/seenthis.cnf
ln -s /var/www/seenthis.net/conf/mysql/seenthis.cnf /etc/mysql/conf.d/seenthis.cnf

TranslateShell

The Debian package is far behind and no longer seems to work. Install it from the upstream source instead.

git clone https://github.com/soimort/translate-shell
cd translate-shell/
make
make install    # as root; prefix with sudo when working from an unprivileged account

Short link handling

# Each \$ keeps the nginx variables and the regex anchor literal inside the double-quoted echo
echo "
server {
   listen 80;
   server_name seen.li;
   return 301 https://seen.li\$request_uri;
}

server {
   listen 443 ssl;
   server_name seen.li;

   ssl_certificate /etc/letsencrypt/live/seen.li/fullchain.pem;
   ssl_certificate_key /etc/letsencrypt/live/seen.li/privkey.pem;

   location / {
      rewrite ^/(.+)\$   https://seenthis.net/index.php?action=seenli&me=\$1  permanent;
      rewrite ^ https://seenthis.net/ permanent;
   }
}
" > /var/www/seenthis.net/conf/nginx/seen.li.conf
ln -s /var/www/seenthis.net/conf/nginx/seen.li.conf /etc/nginx/sites-available/seen.li.conf
ln -s ../sites-available/seen.li.conf /etc/nginx/sites-enabled/seen.li.conf