author | Gabriel Arakaki Giovanini <mail@gabrielgio.me> | 2022-07-18 23:05:59 +0200 |
---|---|---|
committer | Gabriel Arakaki Giovanini <mail@gabrielgio.me> | 2022-07-18 23:05:59 +0200 |
commit | 34803deedc3bd982d868aadf151bfc50db0625c7 (patch) | |
tree | a0dcec327a534883b4cac9d7c264c4e77755701d | |
parent | 9a25224de711803f6b38a1436560f375a9389097 (diff) | |
ref: Add more content
Add how to set up debug page and set up properly the permission for the
process.
-rw-r--r-- | content/posts/2022-07-18-firefly-install.md | 84 |
1 files changed, 76 insertions, 8 deletions
diff --git a/content/posts/2022-07-18-firefly-install.md b/content/posts/2022-07-18-firefly-install.md index 4dfd008..6c7a649 100644 --- a/content/posts/2022-07-18-firefly-install.md +++ b/content/posts/2022-07-18-firefly-install.md @@ -8,11 +8,11 @@ tags: ['alpine', 'linux', 'php', 'nginx'] deep knowledge in security. This is me reporting the steps I did as a learning experiment, so take this tutorial as your own risk. -I have a pretty decent knowledge in container tecnology, I maintain several -container on my local server for many applications. However I've decided to -take a step back and learn a bit more how those applications are really -deployed and kept without containers, and first candidate being firefly3[^1]. I -have it currently running on container but let's install in a disctributions. +I have a pretty decent knowledge in container technology, I maintain several +container on my local server for many applications. However I've decided to take +a step back and learn a bit more how those applications are really deployed and +kept without containers, and first candidate being Firefly[^1]. I have it +currently running on container but let's install in a distribution. For the distro of choice I'll pick alpine, for its small footprint and the use of OpenRC (nothing against systemd though). @@ -71,9 +71,9 @@ apk add \ php8-pgsql ``` -But that is not everything, I don't If I lack knowledge in the PHP stack but -the applicatoin will later complain about a lot of missing dependencies, those -being: +But that is not everything, I don't know if I lack knowledge in the PHP stack +but the application will later complain about a lot of missing dependencies, +those being: ```shell apk add \ @@ -98,6 +98,7 @@ run the project: ```shell apk add nginx php8-fpm ``` + Nginx will act as reverse proxy and php8-fpm will actually run the project. You can use lighttpd as well as some others. 
@@ -171,6 +172,53 @@ php artisan firefly-iii:upgrade-database To bootstrap the database. +### Permission + +Now comes the part where we should be careful. So far we (or at least I) have +been setting up everything as root but that is not ideal. We want to restrict as +much as possibly permission to the processes, it should only see do what it +meant to. So to minimize the effect of the process we will make it run as a user +with almost no permission, and for purpose we will create a `www-data` user. +Quite often that user is already create if not run the following command: + +```shell +adduser www-data --disabled-password +``` + +Add `--ingroup www-data` if it complains if the groups exists. +`--disabled-password` so we don't allow login with password, because it is not +meant to be logged with. + +Once the user is created we need to change the which user the process runs one. +By default it uses a `nobody` which is a user with no permission except those +which every other user has. Update the user given in the +`/etc/php8/php-fpm.d/www.conf` file. + +From: +```shell +user = nobody +group = nobody +``` + +To: +```shell +user = www-data +group = www-data +``` + +If the `php-fpm8` is running restart it: + +```shell +rc-service php-fpm8 restart +``` + +At last we need to recursively update the permission of www folder because +probably it is owned by root. + +```shell +chown -R www-data:www-data /var/www/ +``` + ### Nginx We will need to edit the nginx config file to find and run the project, add @@ -181,6 +229,7 @@ server. ```shell # /etc/nginx/http.d/firefly.conf + server { listen 8080; server_name localhost; 
@@ -215,6 +264,25 @@ rc-service nginx start `http://localhot:8080/` (or your server's hostname) should be up and running. +And to make autostart: +```shell +rc-update add php-fpm8 default +rc-update add nginx default +``` + +## Debugging + +In case of error you can add debugging setting to your env file so it will +nicely return the error. + +```ini +# /var/wwww/firefly/.env +# ... + +APP_DEBUG=true +APP_LOG_LEVEL=debug +``` + [^1]: https://www.firefly-iii.org/ [^2]: https://docs.firefly-iii.org/firefly-iii/installation/self_hosted/?mtm_campaign=docu-internal&mtm_kwd=self_hosted [^3]: https://dev.azure.com/Firefly-III/_git/MainImage |
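
Review bot: In the first hunk (@@ -8,11 +8,11) the rewritten paragraph now names the application "Firefly", while the footnote it cites points at firefly-iii.org and the later command is `php artisan firefly-iii:upgrade-database`; use "Firefly III" so the name matches. The same added lines still read "I maintain several container" and "running on container", which could be fixed in this pass as well.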
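
Review bot: In the Permission hunk (@@ -171,6 +172,53), `chown -R www-data:www-data /var/www/` hands the php-fpm user ownership of everything under the web root, which works against the section's stated aim of restricting what the process can do: a process that owns its own code and configuration can rewrite them. Consider leaving the tree owned by root and giving `www-data` ownership only of the paths the application has to write to, and name those paths in the text. The section should also say why `www-data` is preferred over the default `nobody`, since the text itself describes `nobody` as having no permission beyond what every user has. The `user = ...` / `group = ...` snippets are php-fpm configuration, so fence them as `ini` (as the `.env` block does) rather than `shell`. Wording to fix: "as much as possibly permission", "it should only see do what it meant to", "change the which user the process runs one".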
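
Review bot: In the Debugging section added by the last hunk (@@ -215,6 +264,25), `APP_DEBUG=true` is presented without any instruction to revert it; since the text says it makes the application "nicely return the error", those details go to anyone who can reach the server on port 8080, so add a sentence telling the reader to set it back to `false` once the problem is found. The path comment `# /var/wwww/firefly/.env` has an extra `w` compared with `/var/www/` in the chown step, and the context line above still says `http://localhot:8080/`.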