Commit 929adb63 authored by Christian Elberfeld

MySQL, Jameica, x2go

parent ac815a18
2 merge requests: !10 Update Branch from Master, !9 Convert Vorstands-Pi to Vorstands-VM
# Documentation: Vorstands-VM
The Vorstands-VM is a workstation for board (Vorstand) tasks.
Because sensitive data is stored here, only the active board members have access to this server.
Jameica/JVerein is installed locally on this server.
Jameica is accessed via X2Go; the X2Go client is required for this.
A local MySQL server is installed to hold Jameica's data.
## TODOS
- UAT of Jameica over X2Go
- X2Go client setup
- To clarify: one user or separate users? (one session or separate sessions?)
- To clarify: would a Nextcloud instance be useful? (sharing data with the tax advisor, sharing data with helpers)
- Install LDAP
- Install Kanboard
- Install Gitea
- Further administrative tools?
## Setting up disk encryption
On the Vorstands-VM the directory /srv is encrypted with eCryptfs.
It is set up manually.
/srv must still be empty when the encryption is set up.
### Install tools
```bash
apt-get -y install ecryptfs-utils
```
### Set up the encrypted mount
```bash
mount -t ecryptfs /srv /srv
```
Answers to the interactive prompts:
- Select key type: passphrase
- Select cipher: aes
- Select key bytes: 16
- Enable plaintext passthrough: no
- Enable filename encryption: yes
- Confirm filename encryption key (autogen) >> note down the signature
- Select proceed with mount: yes
- Select append sig: yes
### Set up the mount helper
File: ~/mount_srv.sh (replace `<Signatur>` with the signature noted above)
```bash
#!/bin/sh
# Re-mounts the eCryptfs-encrypted /srv with the parameters chosen during setup.
# <Signatur> must be replaced with the signature noted down at setup time.
echo "Select option 2 and enter Passphrase"
mount -t ecryptfs /srv /srv -o rw,noatime,nodiratime,ecryptfs_unlink_sigs,ecryptfs_fnek_sig=<Signatur>,ecryptfs_key_bytes=16,ecryptfs_cipher=aes,ecryptfs_sig=<Signatur>,ecryptfs_passthrough=n
```
### References
https://www.howtoforge.com/tutorial/how-to-encrypt-directories-and-partitions-with-ecryptfs-on-debian/
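The setup above relies on /srv being mounted by hand with the mount helper, so a service started before that step (or after a reboot) would write MySQL and Jameica data into the unencrypted directory underneath. The following check is an added example and not part of this repository: it reads a mount table in /proc/mounts format and reports whether a directory is backed by an eCryptfs mount and whether filename encryption (`ecryptfs_fnek_sig`) is on. The sample mount table and the signature values in it are constructed placeholders; on the real VM the second argument is simply omitted so /proc/mounts is read.

```shell
#!/bin/sh
# Added example (not part of the repository): verify that a directory is really an
# eCryptfs mount with filename encryption before services start writing into it.
#
# Usage: check_ecryptfs_mount <dir> [mounts-file]   (mounts-file defaults to /proc/mounts)
# Return codes: 0 = eCryptfs with filename encryption
#               1 = not an eCryptfs mount at all
#               2 = eCryptfs, but file names are stored in clear (no ecryptfs_fnek_sig)
check_ecryptfs_mount() {
    dir="$1"
    mounts="${2:-/proc/mounts}"
    # /proc/mounts fields: source target fstype options dump pass
    # Take the last matching line: the most recent mount on that target wins.
    line=$(awk -v d="$dir" '$2 == d && $3 == "ecryptfs" { print }' "$mounts" | tail -n 1)
    [ -n "$line" ] || return 1
    opts=$(printf '%s\n' "$line" | awk '{ print $4 }')
    case ",$opts," in
        *,ecryptfs_fnek_sig=*) return 0 ;;
        *) return 2 ;;
    esac
}

# Constructed sample mount table (not captured from the real VM); the signatures
# are placeholders. The file is left in the temp dir so the caller can inspect it.
SAMPLE_MOUNTS=$(mktemp)
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/vda1 / ext4 rw,relatime,errors=remount-ro 0 0
/srv /srv ecryptfs rw,noatime,nodiratime,ecryptfs_sig=0000000000000000,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs,ecryptfs_fnek_sig=0000000000000000 0 0
/srv/plainnames /srv/plainnames ecryptfs rw,ecryptfs_sig=1111111111111111,ecryptfs_cipher=aes,ecryptfs_key_bytes=16 0 0
EOF

# Demonstration run over the constructed table.
for d in /srv /srv/plainnames /var; do
    rc=0
    check_ecryptfs_mount "$d" "$SAMPLE_MOUNTS" || rc=$?
    case $rc in
        0) echo "$d: eCryptfs with filename encryption" ;;
        1) echo "$d: not an eCryptfs mount" ;;
        2) echo "$d: eCryptfs, but file names are not encrypted" ;;
    esac
done
```

A systemd unit for the MySQL container or for the X2Go session could run `check_ecryptfs_mount /srv` as an `ExecStartPre` step, so that nothing starts while /srv is still the plain underlying directory.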
...@@ -10,10 +10,13 @@ ...@@ -10,10 +10,13 @@
path: "/srv/mysql/db/" path: "/srv/mysql/db/"
state: "directory" state: "directory"
- name: Konfig-Datei erstellen - name: Konfig-Dateien erstellen
template: template:
src: "docker-compose.yml" src: "{{item}}"
dest: "/srv/mysql/docker-compose.yml" dest: "/srv/mysql/{{item}}"
with_items:
- "docker-compose.yml"
- "tuning.cnf"
- name: start mysql docker - name: start mysql docker
docker_service: docker_service:
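Review bot: the `template` task that now renders both files sets no `owner` or `mode`, so docker-compose.yml, which carries `MYSQL_ROOT_PASSWORD` in clear text, is written with the default umask and is typically world-readable. Add `mode: "0600"` and `owner: root` to the task (tuning.cnf holds no secret, but 0600 does it no harm), or move the password into an `env_file` with restricted permissions.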
...@@ -5,11 +5,12 @@ services: ...@@ -5,11 +5,12 @@ services:
app: app:
image: mariadb:10.3.4 image: mariadb:10.3.10
restart: always restart: always
ports: ports:
- 127.0.0.1:3306:3306 - 127.0.0.1:3306:3306
volumes: volumes:
- /srv/mysql/tuning.cnf:/etc/mysql/conf.d/tuning.cnf
- /srv/mysql/db/:/var/lib/mysql - /srv/mysql/db/:/var/lib/mysql
environment: environment:
MYSQL_ROOT_PASSWORD: "{{ mysql_root_pw }}" MYSQL_ROOT_PASSWORD: "{{ mysql_root_pw }}"
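Review bot: the new bind mount `/srv/mysql/tuning.cnf:/etc/mysql/conf.d/tuning.cnf` is read-write, so a process inside the container can rewrite the server's own configuration on the host; append `:ro`. The bump from `mariadb:10.3.4` to `10.3.10` is an exact patch-level pin, which is fine for reproducibility but means security releases only arrive when someone edits this line.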
[mysqld]
#
# * Fine Tuning
#
key_buffer = 128M
max_allowed_packet = 128M
thread_stack = 8M
thread_cache_size = 20
#
# * Query Cache Configuration
#
query_cache_limit = 8M
query_cache_size = 512M
query_cache_type = 1
#
# * Logging and Replication
#
# Both location gets rotated by the cronjob.
# Be aware that this log type is a performance killer.
# As of 5.1 you can enable the log at runtime!
general_log_file = /var/log/mysql/mysql.log
general_log = 0
#log_slow_queries = /var/log/mysql/mysql-slow.log
#long_query_time = 1
#
# * InnoDB options
#
# InnoDB buffer pool size in bytes. The primary value to adjust on a database server,
# can be set up to 80% of the total memory in these environments
innodb_buffer_pool_size = 600M
# If innodb_buffer_pool_size is set to more than 1GB, innodb_buffer_pool_instances
# divides the InnoDB buffer pool into this many instances.
innodb_buffer_pool_instances = 6
# Number of I/O threads for writes
innodb_write_io_threads = 8
# Number of I/O threads for reads
innodb_read_io_threads = 8
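Review bot: `innodb_buffer_pool_instances = 6` has no effect with `innodb_buffer_pool_size = 600M`; the comment directly above it says the split only applies once the pool exceeds 1GB, and the server falls back to a single instance below that. Either drop the line or raise the pool. `query_cache_size = 512M` is almost as large as the InnoDB pool on a VM that also has to host Jameica's 1GB JVM heap; and `key_buffer` is the old alias for `key_buffer_size`.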
...@@ -23,7 +23,7 @@ ...@@ -23,7 +23,7 @@
- { path: /srv/mysql/mysql_user_pw, length: 12 } - { path: /srv/mysql/mysql_user_pw, length: 12 }
# Create jameica directories # Create jameica directories
# Assume jameica is downloaded an extracted to /srv/jameica # Assume jameica is downloaded and extracted to /srv/jameica
- name: creating config directory - name: creating config directory
file: file:
path: "{{item}}" path: "{{item}}"
...@@ -15,4 +15,4 @@ else ...@@ -15,4 +15,4 @@ else
archsuffix="" archsuffix=""
fi fi
LIBOVERLAY_SCROLLBAR=0 GDK_NATIVE_WINDOWS=1 SWT_GTK3=0 exec java -Djava.net.preferIPv4Stack=true -Xmx512m $_JCONSOLE -jar jameica-linux${archsuffix}.jar -f /srv/data-jameica/ -p nopassword $@ LIBOVERLAY_SCROLLBAR=0 GDK_NATIVE_WINDOWS=1 SWT_GTK3=0 exec java -Djava.net.preferIPv4Stack=true -Xmx1024m $_JCONSOLE -jar jameica-linux${archsuffix}.jar -f /srv/data-jameica/ -p nopassword $@
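Review bot: `$@` at the end of the exec line is unquoted, so any argument containing whitespace is split; use `"$@"`. Independently of this change, `-p nopassword` puts Jameica's master password on the command line, where every local user can read it from the process list; the same applies to the old line, so this is a pre-existing point, but since this commit touches the line it is the moment to move the password out of argv.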
...@@ -5,8 +5,9 @@ ...@@ -5,8 +5,9 @@
roles: roles:
- { role: ../common/docker, tags: docker } - { role: ../common/docker, tags: docker }
- { role: docker_mysql, tags: mysql } - { role: docker_mysql, tags: mysql }
- { role: jameica, tags: jameica }
- { role: user, tags: user } - { role: user, tags: user }
- { role: jameica, tags: jameica }
- { role: x2goserver, tags: x2goserver }
# - { role: ../common/borgbackup, tags: borgbackup } # - { role: ../common/borgbackup, tags: borgbackup }
# - { role: git, tags: git } # - { role: git, tags: git }
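Review bot: the `x2goserver` role is wired in, but `../common/borgbackup` stays commented out. With Jameica's data directory and the MySQL volume now living only on this VM's /srv, there is no backup of the board data at all; please either enable the role or note the reason in the README's TODO list.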
- name: Add the group 'vorstand'
group:
name: vorstand
state: present
- name: Check if user 'vorstand' exists
getent:
database: passwd
key: vorstand
fail_key: False
register: user_vorstand_exist
- name: Create password for user 'vorstand'
command: "openssl rand -base64 24"
register: generate_vorstand_pass
when: user_vorstand_exist.ansible_facts.getent_passwd.vorstand == None
- debug:
msg: "Generated password for user 'vorstand': {{ generate_vorstand_pass.stdout }}"
when: user_vorstand_exist.ansible_facts.getent_passwd.vorstand == None
- name: Add the user 'vorstand' - name: Add the user 'vorstand'
user: user:
name: vorstand name: vorstand
comment: Vorstannd User comment: Vorstannd User
group: vorstand group: vorstand
password: "{{ generate_vorstand_pass.stdout }}"
when: user_vorstand_exist.ansible_facts.getent_passwd.vorstand == None
- name: add sshkeys for user vorstand - name: add sshkeys for user vorstand
authorized_key: authorized_key:
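Review bot: `password: "{{ generate_vorstand_pass.stdout }}"` hands the `user` module a clear-text string, but that parameter expects an already-hashed value in crypt(3) format; the raw `openssl rand -base64 24` output ends up verbatim in /etc/shadow, which is not a valid hash, so the password printed by the `debug` task will not log in. Use `password: "{{ generate_vorstand_pass.stdout | password_hash('sha512') }}"`. The `debug` task also writes the generated password into the Ansible output and any log of the run; if printing it once is intended, at least add `no_log: true` to the `command` task so it does not appear a second time in its result. Minor: the comment field reads `Vorstannd User`, and the `when:` conditions would read better with `is none` instead of `== None`.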
- name: install X2go Server
apt:
pkg: "{{ item }}"
update_cache: yes
state: installed
with_items:
- x2goserver
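Review bot: `state: installed` is a legacy alias in the apt module; `state: present` is the documented value. With a single package the `with_items` loop adds nothing, `name: x2goserver` suffices.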