From eace42e7113857145a72fe461abee8b2ca748c55 Mon Sep 17 00:00:00 2001 From: Gabriel Arakaki Giovanini Date: Sat, 23 Jul 2022 17:14:17 +0200 Subject: feat: Add more findings to the firefly install Add more content to firefly post. Also deleted road to k8s as I have no intention to pursue that project any longer. --- content/posts/2020-07-13-k8s.md | 79 ----------------------- content/posts/2022-07-18-firefly-install.md | 99 ++++++++++++++++++++--------- 2 files changed, 68 insertions(+), 110 deletions(-) delete mode 100644 content/posts/2020-07-13-k8s.md (limited to 'content') diff --git a/content/posts/2020-07-13-k8s.md b/content/posts/2020-07-13-k8s.md deleted file mode 100644 index 8b706c1..0000000 --- a/content/posts/2020-07-13-k8s.md +++ /dev/null 
@@ -1,79 +0,0 @@ ---- -title: "Road to local k8s" -date: 2020-07-13 -tags: ['kubernetes', 'linux', 'fedora'] ---- - -# Goal - -The goal is to deploy kubernetes on my local networks, and keep everything as -reproducible as possible. - -# Stack - -I\'ll use Fedora Core OS, Matchbox and Terraform [^1], a match the requirements -for Tectonic [^2] - -## Steps - -- Network Setup DHCP/TFTP/DNS [^3] -- Matchbox [^4] -- PXE network boot environment -- Terraform Tectonic [^5] - -## Network Setup DHCP/TFTP/DNS - -First learning the basics again: - -- -- - -To check open ports - -```shell -lsof -Pni | grep LISTEN -``` - -Run the provided [^6] image with `dnsmasq` and PXE toolkit - -``` {.bash org-language="sh"} -docker run --rm --cap-add=NET_ADMIN --net=host quay.io/coreos/dnsmasq \ - -d -q \ - --dhcp-range=192.168.1.3,192.168.1.254 \ - --enable-tftp --tftp-root=/var/lib/tftpboot \ - --dhcp-match=set:bios,option:client-arch,0 \ - --dhcp-boot=tag:bios,undionly.kpxe \ - --dhcp-match=set:efi32,option:client-arch,6 \ - --dhcp-boot=tag:efi32,ipxe.efi \ - --dhcp-match=set:efibc,option:client-arch,7 \ - --dhcp-boot=tag:efibc,ipxe.efi \ - --dhcp-match=set:efi64,option:client-arch,9 \ - --dhcp-boot=tag:efi64,ipxe.efi \ - --dhcp-userclass=set:ipxe,iPXE \ - --dhcp-boot=tag:ipxe,http://matchbox.example.com:8080/boot.ipxe \ - --address=/matchbox.example/192.168.1.2 \ - --log-queries \ - --log-dhcp -``` - -## Matchbox - -## PXE network boot environment - -## Terraform Tectonic - ------------------------------------------------------------------------- - -# Links - -[^1]: - -[^2]: - -[^3]: - -[^4]: - -[^5]: - -[^6]: diff --git a/content/posts/2022-07-18-firefly-install.md b/content/posts/2022-07-18-firefly-install.md index 6c7a649..2381660 100644 --- a/content/posts/2022-07-18-firefly-install.md +++ b/content/posts/2022-07-18-firefly-install.md 
@@ -15,7 +15,8 @@ kept without containers, and first candidate being Firefly[^1]. I have it currently running on container but let's install in a distribution. For the distro of choice I'll pick alpine, for its small footprint and the use -of OpenRC (nothing against systemd though). +of OpenRC (nothing against systemd though), and it will help me later to better +understand how to properly setup an alpine image on container environment. *I don't want to extend this tutorial to cover every single part, so for the next steps I'll assume that you have a running instance of PostgreSQL and @@ -24,7 +25,7 @@ Alpine.* ## Dependencies First we need to install all the necessary packages to get firefly running. -Let's go through them and check are they are used for. +Let's go through them and check what they are used for. ```shell apk add curl tar gzip @@ -38,9 +39,10 @@ apk add composer ``` Composer is a dependency manager for PHP. It is required to download the - dependencies of the project. + dependencies of the project, as the source code from tar ball does have all its + dependencies included. - Now we need to download the list of dependencies list in the site[^2]. + Now we need to download the dependencies listed in the site[^2]. ``` Extra packages @@ -56,7 +58,7 @@ apk add composer PHP whatever database you're gonna use. ``` -For those we have the following alpine packages: +And for those I could gather the following alpine packages: ```shell apk add \ @@ -71,9 +73,9 @@ apk add \ php8-pgsql ``` -But that is not everything, I don't know if I lack knowledge in the PHP stack -but the application will later complain about a lot of missing dependencies, -those being: +But that is not everything. I don't know if I lack knowledge in the PHP stack +but the application will later complain about some other missing dependencies. +Those being: ```shell apk add \ 
@@ -89,8 +91,8 @@ apk add \ ``` A tip that may as well help you later. Some of those not listed packages are -described in the their project for the docker image[^3] and its base image[^4]. -It can also help with describing the necessary steps. +described in their docker repository[^3] and its base image[^4]. It can also +help with describing some other necessary steps. As the next step we need to install the pieces of software that will actually run the project: @@ -129,7 +131,7 @@ cd /var/www/firefly composer install --prefer-dist --no-dev --no-scripts ``` -## Config files +## Configurations ### Firefly @@ -155,14 +157,14 @@ To generate a random key just run: head /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' | head -c 32 && echo ``` -Once you have set it up we need to bootstrap the project: +Once you have set it up we need to bootstrap the project. First we need to +update the cached configuration. ```shell php artisan config:cache ``` -To update the cached configuration. If everything is setup properly the process -finish successfully. +Second we need to migrate and seed the database: ```shell php artisan firefly-iii:create-database 
@@ -170,26 +172,28 @@ php artisan migrate:refresh --seed php artisan firefly-iii:upgrade-database ``` -To bootstrap the database. +If everything is setup properly the processes finish successfully. + ### Permission Now comes the part where we should be careful. So far we (or at least I) have -been setting up everything as root but that is not ideal. We want to restrict as -much as possibly permission to the processes, it should only see do what it -meant to. So to minimize the effect of the process we will make it run as a user -with almost no permission, and for purpose we will create a `www-data` user. -Quite often that user is already create if not run the following command: +been setting up everything as root but that is not ideal. Usually we want to +restrict as much as possible the permissions of processes, it should only see do +what it meant to. So to minimize the area of effect of the process we will make +it run as a user with almost no permission, and for purpose of running the +php-fpm we will create a `www-data` user. Quite often that user is already +created and if it is not, run the following command: ```shell adduser www-data --disabled-password ``` Add `--ingroup www-data` if it complains if the groups exists. -`--disabled-password` so we don't allow login with password, because it is not -meant to be logged with. +`--disabled-password` is given so we don't allow login with password, because it +is not meant to be logged with. -Once the user is created we need to change the which user the process runs one. +Once the user is created we need to change the which user the process runs on. By default it uses a `nobody` which is a user with no permission except those which every other user has. Update the user given in the `/etc/php8/php-fpm.d/www.conf` file. 
@@ -221,13 +225,13 @@ chown -R www-data:www-data /var/www/ ### Nginx -We will need to edit the nginx config file to find and run the project, add -the following server inside of `/etc/nginx/http.d/`, by default nginx will read -all `.config` inside of that folder. Just like the www folder this is more a -personal choice, you have some room to choose where you want to config this -server. +We will need to edit the nginx config file to find and run the project. Add the +following server inside of `/etc/nginx/http.d/`, by default nginx will read all +`.conf` inside of that folder. Just like the www folder this is more of a +personal choice, you have some room to choose where you want to store the config +file. -```shell +```nginx # /etc/nginx/http.d/firefly.conf server { 
@@ -277,12 +281,45 @@ nicely return the error. ```ini # /var/wwww/firefly/.env -# ... - APP_DEBUG=true APP_LOG_LEVEL=debug ``` +## Bonus config with socket + +Another thing to look at is where php-fpm is running the service. I think by +default on alpine it runs on `http://127.0.0.1:9000` but it can also be running +on a socket, check the `www.conf` file for the `listen` property: + +Config for http +``` +listen = 127.0.0.1:9000 +``` + +Config for socket +``` +listen = /run/php-fpm8/fpm.sock +``` + +If you want you can set it up to run on socket. You will need to change two +things. First, update the www.conf file to run the process on a socket, and to +change the owner of the socket file. This is important so later nginx is capable +of reading/writing the file. On the `/etc/php8/php-fpm.d/www.conf` update it: + +```shell +listen = /run/php-fpm8/fpm.sock +listen.owner = nginx +listen.group = nginx +listen.mode = 0660 +``` + +Second, change the nginx to connect to socket instead of an tcp connection, +update the following property: + +```nginx +fastcgi_pass unix:/run/php-fpm8/fpm.sock; +``` + [^1]: https://www.firefly-iii.org/ [^2]: https://docs.firefly-iii.org/firefly-iii/installation/self_hosted/?mtm_campaign=docu-internal&mtm_kwd=self_hosted [^3]: https://dev.azure.com/Firefly-III/_git/MainImage -- cgit v1.2.3
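Review bot: in hunk `@@ -1,79 +0,0 @@` the deletion of `content/posts/2020-07-13-k8s.md` is unrelated to the Firefly changes named in the subject line, so it belongs in its own commit, or the subject should at least say that the k8s post is dropped. Nothing else in the patch links to the removed page, and its footnotes `[^1]` to `[^6]` and the bullet list under "First learning the basics again" were empty, so no content or links are lost.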
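Review bot: in hunk `@@ -15,7 +15,8 @@` the added clause `to better understand how to properly setup an alpine image on container environment` should read `set up an Alpine image in a container environment` (`setup` is the noun, `set up` the verb).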
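Review bot: in hunk `@@ -38,9 +39,10 @@` the new line `dependencies of the project, as the source code from tar ball does have all its dependencies included.` inverts the reason Composer is needed: if the tarball already shipped every dependency, the `composer install` step later in the post would be pointless. It should say `does not have all its dependencies included` (and `tar ball` is usually written `tarball`). In the same hunk, `listed in the site[^2]` reads better as `listed on the site[^2]`.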
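Review bot: in hunk `@@ -170,26 +172,28 @@` two typos from the old text survive the rewrite: `it should only see do what it meant to` (drop `see`, and write `what it is meant to`) and `change the which user the process runs on` (drop `the`); `for purpose of running the php-fpm` also wants `the purpose`. On substance, `adduser www-data --disabled-password` only locks the password, while the stated goal is that nobody can log in as this user at all; consider creating it as a system account with no login shell and no home directory instead (BusyBox `adduser -S -H -s /sbin/nologin -D www-data` on Alpine), which also closes interactive login through any other credential.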
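Review bot: the context line of hunk `@@ -221,13 +225,13 @@`, `chown -R www-data:www-data /var/www/`, hands the php-fpm user ownership of the whole web root including the application code, so a fault in the PHP process can end up rewriting the code it runs. Firefly is a Laravel application (the post drives it with `php artisan`), and Laravel only needs write access to `storage/` and `bootstrap/cache/`; the post could keep the code owned by root and chown just those two directories. In the changed prose, `Add the following server inside of `/etc/nginx/http.d/`, by default nginx will read all `.conf` inside of that folder.` is a comma splice; split it into two sentences.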
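Review bot: in hunk `@@ -277,12 +281,45 @@` the phrase `it runs on `http://127.0.0.1:9000`` is misleading, since php-fpm speaks FastCGI rather than HTTP on that address; write `127.0.0.1:9000`, matching the `listen = 127.0.0.1:9000` line that follows. The section also gives no reason to prefer the socket, and the reason worth stating is the one the added config implies: a TCP listener on 127.0.0.1:9000 is reachable by any local process, whereas a socket with `listen.owner = nginx`, `listen.group = nginx` and `listen.mode = 0660` can be opened only by the nginx user. Two smaller points: the `www.conf` snippet is fenced as ```shell while the `.env` snippet just above uses ```ini, so use `ini` here as well; and the context line `# /var/wwww/firefly/.env` has an extra `w`. It would also help to say that the directory holding the socket (`/run/php-fpm8/`) must exist and be traversable by the nginx user, otherwise the `fastcgi_pass unix:/run/php-fpm8/fpm.sock;` connection fails.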