document ssl cert generation using certbot
← Revision 41 as of 2021-10-19 16:23:17
recaptcha is currently disabled
|Line 55:||Line 55:|
|1. [[https://github.com/pupilfirst/pupilfirst/blob/master/example.env#L99 | Configure recaptcha keys]] - add these (or any other variable you like to set) to `/etc/pupilfirst/pupilfirst.env`||1. [[https://github.com/pupilfirst/pupilfirst/blob/master/example.env#L99 | Configure recaptcha keys]] - add these (or any other variable you like to set) to `/etc/pupilfirst/pupilfirst.env`. Recaptcha is currently disabled via a patch in `no-recaptcha` branch and this deb is served in the apt repo.|
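Review bot: the sentence added on the right-hand side of Line 55 says recaptcha is disabled by a patch in the `no-recaptcha` branch, yet the step still reads as an instruction to configure recaptcha keys. State whether the keys can be skipped for the deb served from the apt repo, so readers know if anything needs to go into `/etc/pupilfirst/pupilfirst.env` for this step.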
|Line 90:||Line 90:|
|1. Figure out how to install nginx configuration before nginx is installed (currently nginx fails to start) - not started||1. Figure out how to install nginx configuration before nginx is installed (currently nginx fails to start) - not started (this is possibly a scaleway specific issue as the default DNS entry is too big and nginx.conf needs an update to handle this)|
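Review bot: the parenthetical added to Line 90 says nginx.conf "needs an update" but does not name the setting or the value to change. Name the directive so the workaround can be applied, and keep the "possibly" so the cause still reads as unconfirmed.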
Pupilfirst (https://www.pupilfirst.com/) is a Free Software learning management system written in Ruby on Rails. Currently they only support deploying to Heroku. This page will be used to keep track of packaging pupilfirst for Debian.
Work in progress package repo: https://people.debian.org/~praveen/pupilfirst/
Work in progress source package: https://salsa.debian.org/ruby-team/pupilfirst
Add the personal repo of the pupilfirst maintainer by following https://people.debian.org/~praveen/pupilfirst/README
$ sudo apt install nginx # need to figure out a way to avoid this
Note: If you choose to enable SSL during installation, you need to get the certificates before you start the installation and add them to /etc/pupilfirst/ssl as <your fqdn>-bundle.pem and <your fqdn>.key.
To generate SSL certificates with certbot, run:
# apt install certbot
# certbot certonly --standalone -d <your fqdn> --agree-tos -m <your email> -n
This will generate the ssl certificates in /etc/letsencrypt/live/<your fqdn>. fullchain.pem and privkey.pem from this directory should be copied to /etc/pupilfirst/ssl and renamed as indicated above.
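The copy-and-rename step above has to be repeated after every renewal, because certbot only updates /etc/letsencrypt/live. The following is an added example, not part of the package or the original page: a certbot deploy hook that redoes the copy with a private mode on the key. The hook file name, the nginx reload, and the lineage directory being named exactly <your fqdn> are assumptions.

```shell
#!/bin/sh
# Added example: certbot deploy hook for the copies in /etc/pupilfirst/ssl.
# Assumed install path (hypothetical file name):
#   /etc/letsencrypt/renewal-hooks/deploy/pupilfirst-ssl
set -eu

# install_pupilfirst_cert LINEAGE_DIR DEST_DIR
# Copies fullchain.pem -> <fqdn>-bundle.pem and privkey.pem -> <fqdn>.key.
# <fqdn> is taken from the last path component of LINEAGE_DIR (assumption:
# the lineage directory is named after the FQDN, as on this page).
# The body runs in a subshell, so the umask and variables do not leak out.
install_pupilfirst_cert() (
    lineage=${1%/}
    dest=$2
    fqdn=$(basename "$lineage")

    # Refuse to install half a pair: a missing or empty file aborts the copy.
    for f in fullchain.pem privkey.pem; do
        [ -s "$lineage/$f" ] || { echo "missing $f in $lineage" >&2; exit 1; }
    done

    # Anything created along the way (including a new DEST_DIR) stays private.
    umask 077
    mkdir -p "$dest"

    # install(1) copies and sets the final mode in one step,
    # unlike cp followed by a later chmod.
    install -m 0644 "$lineage/fullchain.pem" "$dest/$fqdn-bundle.pem"
    install -m 0600 "$lineage/privkey.pem"   "$dest/$fqdn.key"
)

# certbot exports RENEWED_LINEAGE to deploy hooks after a successful
# issuance or renewal; outside certbot this part is skipped.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_pupilfirst_cert "$RENEWED_LINEAGE" /etc/pupilfirst/ssl
    # Assumption: nginx is the process that reads these files.
    systemctl reload nginx
fi
```

For the first installation, the same function can be run by hand with /etc/letsencrypt/live/<your fqdn> as the first argument and /etc/pupilfirst/ssl as the second.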
$ sudo apt install ruby-rails/experimental ruby-actioncable/experimental \
    ruby-actionmailbox/experimental ruby-actionmailer/experimental \
    ruby-actionpack/experimental ruby-actiontext/experimental \
    ruby-actionview/experimental ruby-activejob/experimental ruby-activemodel/experimental \
    ruby-activerecord/experimental ruby-activestorage/experimental \
    ruby-activesupport/experimental ruby-railties/experimental \
    ruby-tzinfo/experimental pupilfirst
Visit http://<your fqdn> in your browser to see the default page.
Start rails console,
$ set -a && . /etc/pupilfirst/pupilfirst.env && set +a
$ cd /usr/share/pupilfirst/
$ sudo -u pupilfirst -EH bundle exec rails console
If you don't use sudo, use su pupilfirst -s /bin/sh -c 'bundle exec rails console'
and follow upstream documentation to configure your instance
Configure recaptcha keys - add these (or any other variable you like to set) to /etc/pupilfirst/pupilfirst.env. Recaptcha is currently disabled via a patch in no-recaptcha branch and this deb is served in the apt repo.
Adding new users
This needs a working mail server properly configured to send mails via sendmail command (or you can change config.action_mailer.delivery_method in /usr/share/pupilfirst/config/environments/production.rb to use postmark or another external smtp server). See https://github.com/diaspora/diaspora/blob/d4f92a8fae2bcc0eb716622cb471276d38e8e305/config/initializers/mailer_config.rb#L12 for example configuration.
Alternatively, you can add users using the admin login and then set passwords using the rails console (same commands as setting the admin password, just replace the admin email address with the user's email address).
Upstream meta issue for tracking issues that need help from upstream - https://github.com/pupilfirst/pupilfirst/issues/797
Need help - make recaptcha optional https://github.com/pupilfirst/pupilfirst/issues/822
Need help - make postmark service optional https://github.com/pupilfirst/pupilfirst/issues/826
- Basic package template - done
- Install rubygems dependencies (pull only unpackaged gems from rubygems.org) - done
- Configure database - done (need to provide a working config/database.yml)
- Run database migrations - done
- Install node dependencies - done
- Precompile assets (includes webpacker) - done (needed to copy source tree to /var as symlinking some directories doesn't work)
- Start rails app - done (use local storage over amazon s3, create tmpfiles.d config for pids and sockets, need to disable https)
- Configure puma - done
- Configure systemd units - done
- Configure nginx - done
- Properly generate keys and remove hard coding - done (vapid keys and secret_key_base are now generated during installation)
- Setup debconf for choosing hostname - done (hostname is handled via debconf now)
- Remove hard coding of GEM_PATH (for other archs) - done
In progress or not started tasks
- Set admin password and add school - in progress (done manually, need upstream help to enable login via username/disable recaptcha)
- Use runuser instead of su in scripts - not started
- Switch nginx to use unix socket - not started
- Setup debconf for choosing https/lets encrypt - not started
- Figure out how to install nginx configuration before nginx is installed (currently nginx fails to start) - not started (this is possibly a scaleway specific issue as the default DNS entry is too big and nginx.conf needs an update to handle this)
- Install config directory in /etc - not started
- Allow choosing sendmail vs postmark via environment variables and send upstream pull request - not started (https://github.com/pupilfirst/pupilfirst/issues/826)
Testing the package
You can set up lxc, systemd-nspawn or a virtual machine to install the package. Use the /etc/hosts file of the host machine to map the container or virtual machine IP to a hostname, and use this hostname for the pupilfirst service. You can then visit the service using a browser on the host machine.