Comment installer l'agrégateur de contenu Kbin, similaire à Reddit, sur Ubuntu 22.04

$ sudo ufw status

Status: inactive

$ sudo ufw allow OpenSSH

$ sudo ufw allow http
$ sudo ufw allow https

$ sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup

$ sudo ufw status

Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443                        ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)
443 (v6)                   ALLOW       Anywhere (v6)

$ sudo apt install git

$ git --version
git version 2.34.1

$ git config --global user.name "Votre Nom"
$ git config --global user.email "[email protected]"

$ curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor \
    | sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null

$ echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg arch=amd64] \
http://nginx.org/packages/ubuntu `lsb_release -cs` nginx" \
    | sudo tee /etc/apt/sources.list.d/nginx.list

$ sudo apt update

$ sudo apt install nginx

$ nginx -v
nginx version: nginx/1.24.0

$ sudo systemctl start nginx

$ sudo add-apt-repository ppa:ondrej/php

$ sudo apt install php8.2-common php8.2-fpm php8.2-cli php8.2-amqp php8.2-pgsql php8.2-gd php8.2-curl php8.2-simplexml php8.2-dom php8.2-xml php8.2-redis php8.2-mbstring php8.2-intl unzip

$ php --version
PHP 8.2.7 (cli) (built: Jun  8 2023 15:27:40) (NTS)
Copyright (c) The PHP Group
Zend Engine v4.2.7, Copyright (c) Zend Technologies
    with Zend OPcache v8.2.7, Copyright (c), by Zend Technologies

$ sudo nano /etc/php/8.2/fpm/pool.d/www.conf

...
; Unix user/group of processes
; Note: The user is mandatory. If the group is not set, the default user's group
;       will be used.
; RPM: apache user chosen to provide access to the same directories as httpd
user = nginx
; RPM: Keep a group allowed to write in log dir.
group = nginx
...

; Set permissions for unix socket, if one is used. In Linux, read/write
; permissions must be set in order to allow connections from a web server. Many
; BSD-derived systems allow connections regardless of permissions. The owner
; and group can be specified either by name or by their numeric IDs.
; Default Values: user and group are set as the running user
;                 mode is set to 0660
listen.owner = nginx
listen.group = nginx

$ sudo sed -i 's/memory_limit = 128M/memory_limit = 512M/' /etc/php/8.2/fpm/php.ini

$ sudo sed -i 's/upload_max_filesize = 2M/upload_max_filesize = 8M/' /etc/php/8.2/fpm/php.ini

$ sudo systemctl restart php8.2-fpm

$ sudo chgrp -R nginx /var/lib/php/sessions

$ php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"

$ php composer-setup.php

$ php -r "unlink('composer-setup.php');"

$ sudo mv composer.phar /usr/local/bin/composer

$ composer --version
Composer version 2.5.8 2023-06-09 17:13:21

$ curl https://www.postgresql.org/media/keys/ACCC4CF8.asc | gpg --dearmor | sudo tee /usr/share/keyrings/postgresql-key.gpg >/dev/null

$ sudo sh -c 'echo "deb [signed-by=/usr/share/keyrings/postgresql-key.gpg arch=amd64] http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" > /etc/apt/sources.list.d/pgdg.list'

$ sudo apt update

$ sudo apt install postgresql postgresql-contrib

$ sudo systemctl status postgresql
? postgresql.service - PostgreSQL RDBMS
     Loaded: loaded (/lib/systemd/system/postgresql.service; enabled; vendor preset: enabled)
     Active: active (exited) since Sat 2023-06-17 09:15:50 UTC; 3h 40min ago
   Main PID: 26989 (code=exited, status=0/SUCCESS)
        CPU: 1ms

Jun 17 09:15:50 nspeaks systemd[1]: Starting PostgreSQL RDBMS...
Jun 17 09:15:50 nspeaks systemd[1]: Finished PostgreSQL RDBMS.

$ sudo -i -u postgres psql

postgres=# CREATE DATABASE kbin;

postgres-# CREATE USER kbinuser WITH PASSWORD 'Votre_Mot_de_Passe';

postgres-# ALTER DATABASE kbin OWNER TO kbinuser;

postgres-# \q

$ psql --username kbinuser --password --host localhost kbin
Password:
psql (15.3 (Ubuntu 15.3-1.pgdg22.04+1))
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, compression: off)
Type "help" for help.

kbin=>

$ curl -sL https://deb.nodesource.com/setup_lts.x -o nodesource_setup.sh

$ sudo bash nodesource_setup.sh

$ sudo apt install nodejs

$ node -v
v18.16.1

$ rm nodesource_setup.sh

$ curl -sL https://dl.yarnpkg.com/debian/pubkey.gpg | gpg --dearmor | sudo tee /usr/share/keyrings/yarnkey.gpg >/dev/null

$ echo "deb [signed-by=/usr/share/keyrings/yarnkey.gpg] https://dl.yarnpkg.com/debian stable main" | sudo tee /etc/apt/sources.list.d/yarn.list

$ sudo apt update

$ sudo apt install yarn

$ yarn --version
1.22.19

$ curl -fsSL https://packages.redis.io/gpg | sudo gpg --dearmor -o /usr/share/keyrings/redis-archive-keyring.gpg

$ echo "deb [signed-by=/usr/share/keyrings/redis-archive-keyring.gpg] https://packages.redis.io/deb $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/redis.list

$ sudo apt update

$ sudo apt install redis

$ redis-server -v
Redis server v=7.0.11 sha=00000000:0 malloc=jemalloc-5.2.1 bits=64 build=3af367a78d5e21e9

$ redis-cli

127.0.0.1:6379> acl setuser default >Your_Redis_Password

127.0.0.1:6379> AUTH Your_Redis_Password
OK

127.0.0.1:6379> ping
PONG

$ openssl rand 60 | openssl base64 -A
OaYOuq6J9HhxMV0sGCeZbaGecphCl4GBfVkCOPkNjkQE1FX9DKpGSCJcDb8UV+AuFKA8tR1PgjGequn1

$ sudo apt install rabbitmq-server

$ sudo rabbitmqctl add_user kbin StrongPassword

$ sudo rabbitmqctl set_user_tags kbin administrator

$ adduser kbin

$ sudo usermod -aG sudo kbin

$ su - kbin

$ sudo mkdir /var/wwww/html/kbin -p

$ cd /var/www/html/kbin

$ sudo chown $USER:$USER kbin

$ git clone https://codeberg.org/Kbin/kbin-core.git .

$ mkdir public/media

$ chmod 777 public/media

$ node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"

$ node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"

$ nano .env

# Run "composer dump-env prod" to compile .env files for production use (requires symfony/flex >=1.2).
# https://symfony.com/doc/current/best_practices.html#use-environment-variables-for-infrastructure-configuration

# kbin variables
SERVER_NAME="nspeaks.xyz" # production
KBIN_DOMAIN=nspeaks.xyz
KBIN_TITLE=Howtoforge
KBIN_DEFAULT_LANG=en
KBIN_FEDERATION_ENABLED=true
[email protected]
[email protected]
KBIN_JS_ENABLED=true
KBIN_REGISTRATIONS_ENABLED=true
KBIN_API_ITEMS_PER_PAGE=25
#KBIN_STORAGE_URL=/media
KBIN_META_TITLE="Kbin Lab"
KBIN_META_DESCRIPTION="agrégateur de contenu et plateforme de microblogging pour le fediverse"
KBIN_META_KEYWORDS="kbin, agrégateur de contenu, open source, fediverse"
KBIN_HEADER_LOGO=false
KBIN_CAPTCHA_ENABLED=false

# Redis
REDIS_PASSWORD=YourRedisPassword
REDIS_DNS=redis://default:${REDIS_PASSWORD}@localhost:6379

###> symfony/framework-bundle ###
APP_ENV=prod
APP_SECRET=427f5e2940e5b2472c1b44b2d06e0525
###< symfony/framework-bundle ###

###> doctrine/doctrine-bundle ###
# Format described at https://www.doctrine-project.org/projects/doctrine-dbal/en/latest/reference/configuration.html#connecting-using-a-url
# IMPORTANT: You MUST configure your server version, either here or in config/packages/doctrine.yaml
#
POSTGRES_DB=kbin
POSTGRES_USER=kbin
POSTGRES_PASSWORD=Your_Password
POSTGRES_VERSION=15
DATABASE_URL="postgresql://${POSTGRES_USER}:${POSTGRES_PASSWORD}@127.0.0.1:5432/${POSTGRES_DB}?serverVersion=${POSTGRES_VERSION}&charset=utf8"
###< doctrine/doctrine-bundle ###

###> symfony/messenger ###
# Choose one of the transports below
RABBITMQ_PASSWORD=RabbitMQPassword
MESSENGER_TRANSPORT_DSN=amqp://kbin:${RABBITMQ_PASSWORD}@rabbitmq:5672/%2f/messages
#MESSENGER_TRANSPORT_DSN=doctrine://default
#MESSENGER_TRANSPORT_DSN=redis://${REDIS_PASSWORD}@redis:6379/messages
###< symfony/messenger ###

###> symfony/mailgun-mailer ###
#MAILER_DSN=mailgun+smtp://[email protected]:key@default?region=us
MAILER_DSN=smtp://AKIA3FIG4NVFH4TXXEXY:BJQvNI9U6JqSuUFQ9Ffd22Dvom/8KNwk7EIrFTRai02/@email-smtp.us-west-2.amazonaws.com:465
###< symfony/mailgun-mailer ###

###> symfony/mercure-bundle ###
# See https://symfony.com/doc/current/mercure.html#configuration
# The URL of the Mercure hub, used by the app to publish updates (can be a local URL)
MERCURE_URL=https://example.com/.well-known/mercure
# The public URL of the Mercure hub, used by the browser to connect
MERCURE_PUBLIC_URL=https://example.com/.well-known/mercure
# The secret used to sign the JWTs
MERCURE_JWT_SECRET="!ChangeThisMercureHubJWTSecretKey!"
###< symfony/mercure-bundle ###

###> symfony/lock ###
LOCK_DSN=flock
###< symfony/lock ###

$ composer install --prefer-dist --no-dev
$ composer dump-env prod

$ APP_ENV=prod APP_DEBUG=0 php bin/console cache:clear
$ composer clear-cache

$ sudo chown kbin:nginx public/media

$ HTTPDUSER=$(ps axo user,comm | grep -E '[a]pache|[h]ttpd|[_]www|[w]ww-data|[n]ginx' | grep -v root | head -1 | cut -d\  -f1)
$ sudo setfacl -dR -m u:"$HTTPDUSER":rwX -m u:$(whoami):rwX var
$ sudo setfacl -R -m u:"$HTTPDUSER":rwX -m u:$(whoami):rwX var

$ php bin/console doctrine:database:create
$ php bin/console doctrine:migrations:migrate

WARNING! You are about to execute a migration in database "kbin" that could result in schema changes and data loss. Are you sure you wish to continue? (yes/no) [yes]:
 > yes

[notice] Migrating up to DoctrineMigrations\Version20230615203020
[notice] finished in 1373.9ms, used 24M memory, 79 migrations executed, 667 sql queries

[OK] Successfully migrated to version : DoctrineMigrations\Version20230615203020

$ yarn install
$ yarn build

$ php bin/console kbin:user:create username [email protected] password

$ php bin/console kbin:user:admin username

$ php bin/console kbin:ap:keys:update

$ sudo snap install core && sudo snap refresh core

$ sudo snap install --classic certbot

$ sudo ln -s /snap/bin/certbot /usr/bin/certbot

$ sudo certbot certonly --nginx --agree-tos --no-eff-email --staple-ocsp --preferred-challenges http -m [email protected] -d example.com

$ sudo openssl dhparam -dsaparam -out /etc/ssl/certs/dhparam.pem 4096

$ sudo systemctl list-timers

NEXT                        LEFT          LAST                        PASSED       UNIT                       ACTIVATES
Wed 2023-06-28 10:09:00 UTC 20min left    Wed 2023-06-28 09:39:00 UTC 9min ago     phpsessionclean.timer      phpsessionclean.service
Wed 2023-06-28 11:13:02 UTC 1h 24min left Wed 2023-06-28 04:41:28 UTC 5h 7min ago  ua-timer.timer             ua-timer.service
Wed 2023-06-28 12:11:00 UTC 2h 22min left n/a                         n/a          snap.certbot.renew.timer   snap.certbot.renew.service

$ sudo certbot renew --dry-run

$ sudo nano /etc/nginx/conf.d/kbin.conf

server {
    listen       443 ssl http2;
    listen       [::]:443 ssl http2;
    server_name  example.com;

    access_log  /var/log/nginx/kbin.access.log;
    error_log   /var/log/nginx/kbin.error.log;

    # SSL
    ssl_certificate         /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
    ssl_session_timeout  1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_ecdh_curve X25519:prime256v1:secp384r1:secp521r1;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    # use https://blog.cloudflare.com/announcing-1111 Cloudfare+Apnic labs, It is free and secure
    resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001] valid=300s;

    root /var/www/html/kbin/public;

    index index.php;

    location / {
        try_files $uri $uri/ /index.php;
    }

    # Pass PHP Scripts To FastCGI Server
    location ~* \.php$ {
        try_files $uri =404;
        fastcgi_index  index.php;
        fastcgi_pass unix:/run/php-fpm/www.sock; # Depends On The PHP Version
        fastcgi_param SCRIPT_FILENAME  $realpath_root$fastcgi_script_name;
        fastcgi_param DOCUMENT_ROOT $realpath_root;
        include fastcgi_params;
    }

    # deny access to writable files/directories
    location ~* ^/sites/*/(documents|edi|era) {
        deny all;
        return 404;
    }

    # deny access to certain directories
    location ~* ^/(contrib|tests) {
        deny all;
        return 404;
    }

    # Alternatively all access to these files can be denied
    location ~* ^/(admin|setup|acl_setup|acl_upgrade|sl_convert|sql_upgrade|gacl/setup|ippf_upgrade|sql_patch)\.php {
        deny all;
        return 404;
    }

    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }

    location = /robots.txt  {
        log_not_found off;
        access_log off;
    }

    location ~ \. {
        deny all;
    }
}

# enforce HTTPS
server {
    listen       80;
    listen       [::]:80;
    server_name  example.com;
    return 301   https://$host$request_uri;
}

$ sudo nano /etc/nginx/nginx.conf

server_names_hash_bucket_size  64;

$ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

$ sudo systemctl restart nginx

$ sudo apt install supervisor

$ sudo nano /etc/supervisor/conf.d/messenger-worker.conf

[program:messenger-kbin]
command=php /var/www/html/kbin/bin/console messenger:consume async --time-limit=3600
user=kbin
numprocs=2
startsecs=0
autostart=true
autorestart=true
startretries=10
process_name=%(program_name)s_%(process_num)02d
stderr_logfile=/var/log/supervisor/%(program_name)s_stderr.log
stderr_logfile_maxbytes=10MB
stdout_logfile=/var/log/supervisor/%(program_name)s_stdout.log
stdout_logfile_maxbytes=10MB

[program:messenger-ap]
command=php /var/www/html/kbin/bin/console messenger:consume async_ap --time-limit=3600
user=kbin
numprocs=2
startsecs=0
autostart=true
autorestart=true
startretries=10
process_name=%(program_name)s_%(process_num)02d
stderr_logfile=/var/log/supervisor/%(program_name)s_stderr.log
stderr_logfile_maxbytes=10MB
stdout_logfile=/var/log/supervisor/%(program_name)s_stdout.log
stdout_logfile_maxbytes=10MB

$ sudo supervisorctl reread
$ sudo supervisorctl update

$ sudo supervisorctl start all