author Gabriel Arakaki Giovanini <mail@gabrielgio.me> 2022-07-18 23:05:59 +0200
committer Gabriel Arakaki Giovanini <mail@gabrielgio.me> 2022-07-18 23:05:59 +0200
commit 34803deedc3bd982d868aadf151bfc50db0625c7 (patch)
tree a0dcec327a534883b4cac9d7c264c4e77755701d
parent 9a25224de711803f6b38a1436560f375a9389097 (diff)
ref: Add more content
Add how to set up debug page and set up properly the permission for the process.
-rw-r--r-- content/posts/2022-07-18-firefly-install.md 84
1 files changed, 76 insertions, 8 deletions
diff --git a/content/posts/2022-07-18-firefly-install.md b/content/posts/2022-07-18-firefly-install.md
index 4dfd008..6c7a649 100644
--- a/content/posts/2022-07-18-firefly-install.md
+++ b/content/posts/2022-07-18-firefly-install.md
@@ -8,11 +8,11 @@ tags: ['alpine', 'linux', 'php', 'nginx']
deep knowledge in security. This is me reporting the steps I did as a learning
experiment, so take this tutorial as your own risk.
-I have a pretty decent knowledge in container tecnology, I maintain several
-container on my local server for many applications. However I've decided to
-take a step back and learn a bit more how those applications are really
-deployed and kept without containers, and first candidate being firefly3[^1]. I
-have it currently running on container but let's install in a disctributions.
+I have a pretty decent knowledge in container technology, I maintain several
+container on my local server for many applications. However I've decided to take
+a step back and learn a bit more how those applications are really deployed and
+kept without containers, and first candidate being Firefly[^1]. I have it
+currently running on container but let's install in a distribution.
For the distro of choice I'll pick alpine, for its small footprint and the use
of OpenRC (nothing against systemd though).
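Review bot: the rewritten intro paragraph still reads "several container" and "currently running on container" in the added lines, and the unchanged line just above it keeps "take this tutorial as your own risk". Since this hunk is a typo pass over the intro, fix those in the same change ("several containers", "running in a container", "at your own risk").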
@@ -71,9 +71,9 @@ apk add \
php8-pgsql
```
-But that is not everything, I don't If I lack knowledge in the PHP stack but
-the applicatoin will later complain about a lot of missing dependencies, those
-being:
+But that is not everything, I don't know if I lack knowledge in the PHP stack
+but the application will later complain about a lot of missing dependencies,
+those being:
```shell
apk add \
@@ -98,6 +98,7 @@ run the project:
```shell
apk add nginx php8-fpm
```
+
Nginx will act as reverse proxy and php8-fpm will actually run the project. You
can use lighttpd as well as some others.
@@ -171,6 +172,53 @@ php artisan firefly-iii:upgrade-database
To bootstrap the database.
+### Permission
+
+Now comes the part where we should be careful. So far we (or at least I) have
+been setting up everything as root but that is not ideal. We want to restrict as
+much as possibly permission to the processes, it should only see do what it
+meant to. So to minimize the effect of the process we will make it run as a user
+with almost no permission, and for purpose we will create a `www-data` user.
+Quite often that user is already create if not run the following command:
+
+```shell
+adduser www-data --disabled-password
+```
+
+Add `--ingroup www-data` if it complains if the groups exists.
+`--disabled-password` so we don't allow login with password, because it is not
+meant to be logged with.
+
+Once the user is created we need to change the which user the process runs one.
+By default it uses a `nobody` which is a user with no permission except those
+which every other user has. Update the user given in the
+`/etc/php8/php-fpm.d/www.conf` file.
+
+From:
+```shell
+user = nobody
+group = nobody
+```
+
+To:
+```shell
+user = www-data
+group = www-data
+```
+
+If the `php-fpm8` is running restart it:
+
+```shell
+rc-service php-fpm8 restart
+```
+
+At last we need to recursively update the permission of www folder because
+probably it is owned by root.
+
+```shell
+chown -R www-data:www-data /var/www/
+```
+
### Nginx
We will need to edit the nginx config file to find and run the project, add
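Review bot: the final `chown -R www-data:www-data /var/www/` works against what this section sets out to do. It makes the php-fpm user the owner of every file under the web root, so the process can rewrite the application's own code and configuration, which is more than the default `nobody` could do with root-owned files. Suggest leaving the tree owned by root and readable by `www-data`, and giving `www-data` ownership only of the directories the application has to write to. Also, `adduser www-data --disabled-password` blocks password login only; if the account is "not meant to be logged with", give it a non-login shell as well. Minor: "as much as possibly", "it should only see do what it meant to" and "change the which user the process runs one" need a wording pass.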
@@ -181,6 +229,7 @@ server.
```shell
# /etc/nginx/http.d/firefly.conf
+
server {
listen 8080;
server_name localhost;
@@ -215,6 +264,25 @@ rc-service nginx start
`http://localhot:8080/` (or your server's hostname) should be up and running.
+And to make autostart:
+```shell
+rc-update add php-fpm8 default
+rc-update add nginx default
+```
+
+## Debugging
+
+In case of error you can add debugging setting to your env file so it will
+nicely return the error.
+
+```ini
+# /var/wwww/firefly/.env
+# ...
+
+APP_DEBUG=true
+APP_LOG_LEVEL=debug
+```
+
[^1]: https://www.firefly-iii.org/
[^2]: https://docs.firefly-iii.org/firefly-iii/installation/self_hosted/?mtm_campaign=docu-internal&mtm_kwd=self_hosted
[^3]: https://dev.azure.com/Firefly-III/_git/MainImage
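Review bot: the new Debugging section turns on `APP_DEBUG=true` and `APP_LOG_LEVEL=debug` without saying to turn them off again. With debug on, the application returns the error detail to whoever requests the page on the port nginx listens on, so add a sentence that these settings are for troubleshooting only and should go back to `APP_DEBUG=false` afterwards. The path in the comment, `# /var/wwww/firefly/.env`, has one `w` too many (the chown step uses `/var/www/`), and the unchanged line at the top of the hunk still says `http://localhot:8080/`.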