• Table of contents
• Debian server installation
  • Additional packages
  • Locales
  • Security
    • rkhunter
  • File structure
• Git
  • Colored prompt with git information about branch and changes
• General adaption
• Install OpenAtlas instance
  • In case proxy is needed
  • Apache
  • Certbot for HTTPS
• System mails

Debian server installation¶

These are advanced installation notes for a Debian server to deploy OpenAtlas.
We use this instruction for our workflow, it is very specific and detailed (e.g. changing the prompt to color and show git information) so feel free to use/adapt as needed.

Additional packages¶

apt install aptitude ntpsec vim

Locales¶

OpenAtlas user interfaces are currently supported for English and German, you might want to install needed languages with this command:

dpkg-reconfigure locales

Security¶

• Implement ssh-key user access
• Disallow password authentication and root login
  • vim /etc/ssh/sshd-config
    

    PermitRootLogin no
    PasswordAuthentication no
    

  • To test, open second shell, restart ssh server (systemctl restart ssh), try to log in again. Leave first shell open, in case you have to fix things.
• Install and activate Unattended upgrades
  

  # apt-get install unattended-upgrades apt-listchanges
  

  
  Uncomment and edit following line in /etc/apt/apt.conf.d/50unattended-upgrades:
  

  Unattended-Upgrade::Mail "root";
  

rkhunter¶

rkunter is a Unix-based tool that scans for rootkits, backdoors and possible local exploits. To install rkhunter and prevent false positives when deploying OpenAtlas follow the instructions below.

Installation

apt install rkhunter

vim /etc/rkhunter.conf

• MIRRORS_MODE=0
• UPDATE_MIRRORS=1
• WEB_CMD=""
• ALLOWDEVFILE=/dev/shm/PostgreSQL.*
• ALLOWDEVFILE=/dev/shm/ShM.*
• ALLOWIPCPROC=/usr/sbin/apache2

vim /etc/rkhunter.conf.local

• PKGMGR=DPKG

rkhunter -c --sk
rkhunter --propupd

vim /etc/default/rkhunter

• CRON_DAILY_RUN="true"
• CRON_DB_UPDATE="true"
• APT_AUTOGEN="true"

File structure¶

apt install apache2 (needed for permissions and file structure)

• /var/www
  • /openatlas (OpenAtlas instances)
  • /frontend (presentation sites)

• Setup access on /var/www: owner=root, group=web-admin (can write), world can read e.g. www-data.
• Directories which needs to be writable by Apache e.g. uploads should be owned by www-data, see stackoverflow discussion e.g.

groupadd web-admin
usermod -a -G web-admin alex
chgrp -R web-admin /var/www
chmod -R 775 /var/www
chmod g+s /var/www

vim ~/.profile

umask 002

mkdir /var/www/openatlas
mkdir /var/www/frontend

Git¶

Colored prompt with git information about branch and changes¶

vim ~/.bashrc

function parse_git_dirty {
    [[ $(git status 2> /dev/null | tail -n1) != "nothing to commit, working tree clean" ]] && echo "*" 
}
function parse_git_branch {
    git branch --no-color 2> /dev/null | sed -e '/^[^*]/d' -e "s/* \(.*\)/[\1$(parse_git_dirty)]/" 
}
PS1='\[\e[1;34m\]\u@\h:\w\[\e[0;32m\]$(parse_git_branch)\[\e[1;34m\]\$ \[\e[m\]'

General adaption¶

Change default editor to vim:

update-alternatives --config editor

Install OpenAtlas instance¶

Next follow the instructions how to install OpenAtlas: https://github.com/craws/OpenAtlas/blob/main/install.md

In case proxy is needed¶

For git e.g. ACDH-CH:

$ git config --global http.proxy http://fifi.arz.oeaw.ac.at:8080

$ pip3 install --proxy=http://fifi.arz.oeaw.ac.at:8080 calmjs
$ npm config set proxy http://fifi.arz.oeaw.ac.at:8080

Apache¶

• Disable directory listening for Apache

# a2dismod autoindex
# service apache2 restart

• Activate brotly (compression for traffic)
1. Install and activatebrotly
   

   sudo apt install brotli
   sudo a2enmod brotli
   

2. Add outside of virtual host (so that it is for all sites) configuration
   

   <IfModule mod_brotli.c>
           AddOutputFilterByType BROTLI_COMPRESS text/html text/plain text/xml text/css text/javascript application/javascript application/json application/xml
           BrotliCompressionQuality 4
   </IfModule>
   

3. Restart Apache
   

   sudo service apache2 restart
   

   
   You can than check the headers or test it at brotly.

Certbot for HTTPS¶

(For sites on ACDH-CH servers ignore this, the certificate has to be managed by the proxy server.)

# apt install certbot python3-certbot-apache
# certbot --apache
# certbot

After configuration of certbot, uncomment the line with WSGIDaemonProcess in /etc/apache2/sites-available/XXX.conf before creating certificates for OpenAtlas instances.

System mails¶

System mails (e.g. from cron jobs) are implemented with msmtp

# apt install msmtp msmtp-mta ca-certificates
# vim /etc/msmtprc
# vim /etc/aliases

# msmtp root (to test, write some lines to not get flagged as spam and than CTRL + D)