INSTALL

This repository contains everything you need to set up a new Dreamhack server.

The Dreamhack server runs on Ubuntu. The following installation instructions
assume that a new Ubuntu server has just been provisioned.

0. (optional things you may need to install)

   You may need to install 'vim', in case you only have 'vim-tiny':

apt-get install vim

   If it's already installed, you probably have 'vim.basic'. Try this instead:

apt-get install vim-nox

1. Before you do anything else, check to make sure you're running on a 64-bit
   Perl. This command should print "64-bit". If it prints anything else,
   including an "Invalid type 'Q'" error, you don't have a 64-bit Perl:

perl -e 'print unpack("Q", pack("Q", length(sprintf("%b", ~0)))) . "-bit\n";'

   (This last check brought to you by getting to the test-suite step and
   finding out that all the previous steps were for nothing.)

2. First, set the hostname and mailname (adjust the domain if necessary):

echo hack.dreamwidth.net > /etc/hostname
cp /etc/hostname /etc/mailname
hostname -F /etc/hostname

   Then, add /dreamhack/sbin to the beginning of root's PATH, with a line like
   this in /root/.bash_aliases:
     export PATH="/dreamhack/sbin:$PATH"

    Log out of root, and then back in again to make these changes take effect.
    The hostname will be automatically set at boot by the 'hostname' service.

3. Add the hostname of the server to the /etc/hosts file:

vi /etc/hosts

4. Set the timezone to Etc/UTC using the menu provided by this command:

dpkg-reconfigure tzdata

   In newer Ubuntus, this will be listed under the "None of the above" option.
   If that option doesn't exist, it'll be in "Etc" as expected.

5. Create the 'dreamhack' and 'dreamhack-backup' groups:

groupadd dreamhack
groupadd dreamhack-backup

6. Install Git:

apt-get update
apt-get install git

   This will also install git-man and liberror-perl.

7. Clone the Dreamhack repository to /dreamhack:

cd /
git clone git://github.com/dreamwidth/dreamhack

8. Add the Dreamhack bashrc file to the global bashrc file:

echo "source /dreamhack/etc/bashrc" >> /etc/bash.bashrc

9. Create a perlbal user with a home directory:

useradd -m perlbal

   Don't bother giving the user a password - nobody needs to log into this
   account.

10. Copy the Perlbal support files:

su -c "cp -r /dreamhack/setup/perlbal/* /home/perlbal/." perlbal

11. Edit the /home/perlbal/sites/0000-default.conf file and check that the
    IP address listed is the right one. If not, change it. (This step isn't
    vital as it just controls what page gets returned when an IP address is
    used instead of a name, but hey.)

    Additionally, make sure that the domains in the file are correct. That is,
    if you're not using "hack.dreamwidth.net", make sure it uses the right
    domain.

12. Copy the initscripts to /etc/init.d/, preserving permissions.
    (most easily done with 'cp -a'):

cp -a /dreamhack/setup/initscripts/perlbal-initscript /etc/init.d/perlbal
cp -a /dreamhack/setup/initscripts/stop-dreamhacks-initscript /etc/init.d/stop-dreamhacks

    On a systemd-based system, you need to reload the units:

systemctl daemon-reload

13. Run these commands to add the initscripts to the bootup/shutdown sequence:

update-rc.d perlbal defaults
update-rc.d stop-dreamhacks stop 20 0 . stop 20 6 .

    You'll get warnings about "missing LSB information" - you can ignore those.

14. Set up iptables to redirect requests from port 80 to port 34951 with the
    following commands (replacing the IP if it's different, of course):

MYIP="67.207.129.41"
iptables -t nat -F   # flush any rules that are already there
iptables -t nat -A PREROUTING -p tcp --dport 80 -d $MYIP -j REDIRECT --to-ports 34951
iptables -t nat -A OUTPUT -p tcp --dport 80 -d $MYIP -j REDIRECT --to-ports 34951
iptables -t nat -A OUTPUT -p tcp --dport 80 -o lo -j REDIRECT --to-ports 34951

    (34951 was chosen as this maps to the first six letters of "Perlbal" when
    you trace the letters up to digits on a QWERTY keyboard, minus the leading
    zero)

    (If you paste these lines before realising that you need to change the IP,
    don't panic! Simply repeat the commands again with the IP set to the right
    one. The first iptables command flushes any rules that already exist.)

    Then, reject all attempts to connect to port 11211 on localhost, to
    discourage people from listening on that port (the default memcache port;
    if a memcache server listens on this port, it causes chaos for any
    Dreamhacks that use the default config):

iptables -A OUTPUT -d 127.0.0.1 -p tcp --destination-port 11211 -j REJECT

   Save this config with '/etc/init.d/iptables save', then make sure that
   iptables is configured to load this config on startup with 'update-rc.d
   iptables defaults'.

   If /etc/init.d/iptables doesn't exist, you're probably using a newer Ubuntu.
   Do "iptables-save > /etc/iptables.rules" instead, then:

   * if you're on a non-AWS system, edit /etc/network/interfaces;
   * if you're on an AWS system, edit /etc/network/interfaces.d/50-cloud-init.cfg.

   In the file you're editing, add this line after the appropriate iface line,
   indented two spaces:

   pre-up iptables-restore < /etc/iptables.rules

   If you're on an AWS system, you'll also need to create the file
   /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg with the following line
   in it:

   network: {config: disabled}

15. Install Apache2, mod_perl, and MySQL (and also PHP, if wanted):

apt-get install apache2 apache2-bin libapache2-mod-perl2 mysql-server
apt-get install libapache2-mod-php5   # if wanted, but not required

    Choose any MySQL root password you like, but make it secure - this is a
    shared system. Also, we'll restart Apache later on, so there's no need to
    worry about it now if you're prompted.

16. Remove the contents of the Apache sites-{available,enabled} directories,
    then copy over the site configs from the repository and enable the
    'default' site:

rm -f /etc/apache2/sites-{available,enabled}/*
cp /dreamhack/setup/apache/sites/* /etc/apache2/sites-available/.
a2ensite default

    Don't worry about reloading Apache for now - we'll do that later.

17. Copy over the ports.conf file:

cp /dreamhack/setup/apache/ports.conf /etc/apache2/ports.conf

    (Port 6936 is the port for a project I was working on, which is the
    'is-dh-stopped' configuration file. Feel free to comment out or delete that
    Listen line if you want.)

18. Disable/enable needed Apache modules:

a2enmod rewrite
a2enmod include
a2dismod mpm_event
a2enmod mpm_prefork
a2enmod cgi

19. Restart Apache so that all the changes take effect:

service apache2 restart

20. Install Postfix:

apt-get install postfix
dpkg-reconfigure postfix   # to set up root recipient

21. Generate two random passwords by running this command twice:

dd if=/dev/random bs=9 count=1 2>/dev/null | base64

    One of these passwords will be used for read-only access, and the other for
    read-write access.

22. Edit /etc/mysql/conf.d/mysqld.cnf (creating it if necessary). In the
    [mysqld] section, put:

    sql_mode = ''

23. Create a 'dreamhacks' database:

mysqladmin -uroot -p create dreamhacks

   Enter your MySQL root password when prompted.

24. Import the MySQL schema file into the newly-created 'dreamhacks' database:

mysql -uroot -p dreamhacks < /dreamhack/setup/dreamhacks-schema.sql

25. Create MySQL users for 'dreamhacks' and 'dreamhacks_ro', and create a
    database 'dreamhacks'. Give the user 'dreamhacks' read-write access to the
    DB, along with LOCK TABLES; give 'dreamhacks_ro' read-only access to the
    'users' and 'userports' tables only, along with LOCK TABLES:

    (You will need to run 'mysql -uroot -p' and enter the MySQL root password
    you created earlier before running these commands)

GRANT SELECT, INSERT, UPDATE, DELETE, LOCK TABLES ON `dreamhacks`.* TO 'dreamhacks'@'localhost' IDENTIFIED BY 'readwrite_password_above';
GRANT SELECT ON `dreamhacks`.`users` TO 'dreamhacks_ro'@'localhost' IDENTIFIED BY 'readonly_password_above';
GRANT SELECT ON `dreamhacks`.`userports` TO 'dreamhacks_ro'@'localhost';
GRANT LOCK TABLES ON `dreamhacks`.* TO 'dreamhacks_ro'@'localhost';

26. Copy the settings files and secure them appropriately:

cp /dreamhack/local/samples/settings.nonroot.sample /dreamhack/local/settings.nonroot
cp /dreamhack/local/samples/settings.shared.sample /dreamhack/local/settings.shared
cp /dreamhack/local/samples/settings.root.sample /dreamhack/local/settings.root
chmod 600 /dreamhack/local/settings.root

27. Edit the newly-created config files in /dreamhack/local/ with your
    favourite editor to include the various passwords created in the previous
    steps. While you're at it, change settings.shared so that the details for
    this installation are correct.

28. Install Mercurial and Subversion:

apt-get install mercurial subversion

    (While the current code doesn't require either, some people may want to
    look at the LJ code, which would require Subversion. Similarly, Mercurial
    may still be useful in some cases. Better to have it than not, I feel.)

29. Enable quota support for the filesystem, if it's not already enabled:
      * Install the necessary kernel modules to use quota support (replace the
        package name with the appropriate kernel version):
          apt-get install linux-image-extra-4.4.0-64-generic
      * apt-get install quota
      * Edit /etc/fstab to make sure 'usrquota' is listed in the options of the
        / partition,
      * Run the following commands (note that it's a forward slash at the end
        of all these commands - it's a path, NOT a continuation character):
          mount -o remount /   # remount with quota support enabled
          quotacheck -mcu /    # create aquota.user file
          quotaon /            # turn quota checking on

30. Create a user for Dreamhack applications to go to if you haven't already.
    For example:

useradd -m mark

    Create a .forward file in their home directory, chown it to them, and point
    it to an appropriate email address.

31. If necessary, replace all instances of 'mark' with the correct username
    in /dreamhack/lib, /dreamhack/sbin and /dreamhack/www/do. (There are
    numerous other places where you'll also want to change my name!)

32. Install 'build-essential' so that you can build CPAN modules:

apt-get install build-essential

33. Install Perlbal's prerequisites:

apt-get install libyaml-perl        # not actually needed for perlbal, but shuts CPAN up
apt-get install libsys-syscall-perl libdanga-socket-perl
apt-get install telnet   # used by the initscripts and new user installation, may already be installed

34. Install Perlbal from CPAN:

cpan Perlbal

    Note that Perlbal's test procedure requires port 8000 to be free, so if you
    reloaded Apache earlier you may need to stop it first (but don't forget to
    start it again afterwards!):

/etc/init.d/apache2 stop

35. Go to http://wiki.dreamwidth.net/notes/Dreamwidth_Scratch_Installation
    and run whatever huge 'apt-get install' command is listed under the
    "Installing necessary packages" heading.

    Next, install the CPAN Perl libraries listed under the "Then" heading.
    (although Bundle::CPAN is optional, and can take a long time, so you may
    want to do that one later)

36. Start Perlbal with:

/etc/init.d/perlbal start

    Verify that you can reach the main Dreamhacks site, and that the
    application process works (and the email is received).

37. Edit /dreamhack/sbin/dh-newuser to modify the variables at the top for your
    particular installation, especially the domain.

38. Update the local copy of the Dreamwidth repositories:

/dreamhack/lib/bin/cron/update-skel

    This copy of the repositories is used as a cache by the remake-daily
    command to prevent needless calls to GitHub.

39. Test the ability to create a new user by running the remake-daily command:

/dreamhack/lib/bin/cron/remake-daily

    This creates the Daily Snapshot user, 'dh-daily', which we'll use in the
    next few commands.  When the command completes, you should be able to go to
    http://www.daily.hack.dreamwidth.net/ and see the new Dreamwidth
    installation, which you should test to make sure there are no errors.

40. Run checkconfig.pl:

su - dh-daily
cd $LJHOME
bin/checkconfig.pl

    Install any modules which it needs, whether required or optional.

41. Set up the test database for dh-daily for the next step:

su - dh-daily
mkdir $LJHOME/ext/local/t
cp $LJHOME/t/*.pl $LJHOME/ext/local/t/.

    After copying the *.pl files, edit them to point to the test database.
    * don't forget the "test_" prefix
    * add "'cluster1' => 1," to master role
    * edit @CLUSTERS and $DEFAULT_CLUSTER to suit

    After editing the files, initialise the test DB:

$LJHOME/t/bin/initialize-db

42. Run the test suite:

su - dh-daily
cd $LJHOME
prove t/*.t

    These tests should all either pass or be skipped. (As of this writing, the
    following tests are skipped: t/captcha.t, t/cprod.t,
    t/directorysearch-extra.t, t/directorysearch.t, t/poll.t, t/protocol.t,
    t/usermoves.t)

43. Install memcached, but make sure it doesn't run by default:

apt-get install memcached
/etc/init.d/memcached stop
update-rc.d -f memcached remove

44. The code tour generator uses Python, so you'll need to install it:

apt-get install python

    You will also need to install the 'requests' module:

apt-get install python-requests

45. Install more packages:

# Miscellaneous must-haves
apt-get install acct emacs-nox joe mc mutt finger info openssh-blacklist openssl-blacklist perl-doc perltidy tcsh tofrodos traceroute zsh
# To allow spell-checking on the Dreamhacks
apt-get install aspell
# Perl modules for the aux Dreamhack scripts:
apt-get install libquota-perl libpasswd-unix-perl libtext-csv-perl libipc-run3-perl
cpanm Text::CSV::Slurp
# Modules that some people on the server use for automated testing/formatting:
apt-get install libperl-critic-perl libpod-coverage-perl libtest-pod-coverage-perl
# Allow people to generate the (extremely old, LJ-based) documentation:
apt-get install docbook-xml docbook-xsl xsltproc

46. joe (installed above) sets itself as the default editor, so change it back to nano:

update-alternatives --config editor

47. Copy the motd file to /etc/motd:

cp /dreamhack/setup/motd /etc/motd

48. Move the extra MOTD information out of the way so that users don't see it:

mkdir /etc/update-motd.d-old
cd /etc/update-motd.d
ls -1 {10,51,90,91,97,98}* | xargs -i mv /etc/update-motd.d{,-old}/{}

49. Reboot the server so that the MOTD is regenerated. Check that perlbal and
    Apache still come back up after the reboot. (The Dreamhack you created
    won't, but that's fine; individual Dreamhacks don't get started back up.)

    Check also that the iptables rules were restored correctly:

iptables -t nat -L
iptables -L

50. Fix the permissions on /dreamhack/var/maintain.d so that everybody can
    write to it:

chmod ugo+rwx /dreamhack/var/maintain.d

51. Create a Dreamhack for yourself (if you plan to use one; if not, make a
    test user) with dh-newuser. Log in and check that everything is fine.

52. Import the root-crontab file:

crontab /dreamhack/setup/root-crontab

53. Use 'visudo' to edit the /etc/sudoers file and make sure it has the
    following lines:

Defaults	env_reset
Defaults	lecture=always
Defaults	lecture_file=/dreamhack/var/sudo-lecture

54. Edit the /etc/ssh/sshd_config file to add the following line:

AllowTcpForwarding no

    While there, restrict SSHing to root so that it's only accessible from
    127.0.0.1:

    * Look for the "PermitRootLogin" line and change it to "PermitRootLogin no",
    * At the very end of the file (required!), add:

Match Address 127.0.0.1
	PermitRootLogin prohibit-password

    Then, restart SSH:

service ssh restart

    If the above line doesn't work, try:

/etc/init.d/ssh restart

    These configuration changes prevent people from abusing SSH to forward to
    other, remote sites.

You should now be done. :)