# Components

- Servers: CloudVPS OpenStack platform
- Provisioning: Terraform + Ansible
- DNS: Azure DNS (webtech-uva.nl)
- Provisioning + SSL setup: Azure CLI + `dehydrated` + scripts
- Access management: `webtech-admin` + `webtech-ssh`
  - We use SSH certificates for both server and client authentication
  - Users trust the webtech-admin CA; host keys are signed by it
  - Servers trust the webtech-admin CA; user keys are signed by it
  - All of this is automated on the user side using `webtech-ssh`

# Server environment

The environment on the server is set up as follows. Configuration for these components can be found in the `ansible/templates` directory.

### Web server: Apache (modules: php, ssl, userdir, headers, rewrite)

SSL is handled through Let's Encrypt, see below.

Userdir is enabled, so `~user/public_html` is served at `/~user`.

Headers is used to set HSTS, X-Frame-Options and X-Content-Type-Options.

### Scripting: PHP 8.1 (modules: mysql, curl, mbstring, xml, zip)

A fairly standard configuration.

### Database: MySQL

Configuration consists of some performance tuning. This mattered more in previous years, when RAM was tight; 2 GB of RAM should give enough headroom.

The Ansible play sets up MySQL with a per-host randomly generated root password, taken from the Ansible host vars. Additionally, each user gets a MySQL account with a generated password.

### Database interface: phpMyAdmin

Web interface to MySQL. Configuration is fairly standard; it requires a randomly generated secret per host, which is stored in the Ansible host vars.

There is no distribution package, so the phpMyAdmin zip is also kept in templates (it should be updated). Note that the zip is edited: the folder inside is renamed to just `phpMyAdmin`.

There is also an `.htaccess` template which forces HTTPS.

### Mail server: postfix

Postfix is used only to send mail (user registration, etc.). No submission service is enabled (not that it would work given the firewall rules).
The configuration is fully default except for the `inet_interfaces` setting, which is set to `loopback-only` so that only connections from the local host are accepted.

### Fail2ban

`fail2ban` is set up to temporarily block IPs that fail SSH login.

### Miscellaneous configuration

- Unattended upgrades can break things and are unnecessary given the duration of the course, so they are disabled.
- Various templates use the course year. This is set for all hosts in `group_vars/all`.
- SSH host keys are regenerated for security reasons (so that hosts do not share the keys shipped with the base image); the fresh keys are then signed by the webtech-admin CA.
- The default umask is set to `002`, so newly created files are group-writable.
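The certificate scheme from the Components section (one CA trusted by both users and servers, freshly generated host keys signed as host certificates, user keys signed as user certificates) is easiest to understand end to end. The script below is an added example, not code from `webtech-admin` or `webtech-ssh`: it runs OpenSSH's `ssh-keygen` in a scratch directory and emits the two pieces of trust configuration that make the scheme work, the `@cert-authority` line for the user's `known_hosts` and the `HostCertificate`/`TrustedUserCAKeys` lines for `sshd_config`. The host name `web01.webtech-uva.nl`, the user `student1`, the validity periods and the `/etc/ssh` paths are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the webtech-admin / webtech-ssh tooling.
# Reproduces the SSH certificate scheme from the Components section in a
# scratch directory: one CA signs a freshly generated host key (as the servers
# get after key regeneration) and a user key, and both sides' trust config is
# emitted. Host name, user name, validity periods and file paths are assumed.
set -eu

command -v ssh-keygen >/dev/null 2>&1 || { echo "ssh-keygen not found, skipping" >&2; exit 0; }

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

HOST="web01.webtech-uva.nl"   # assumed server name, used as the host cert principal
USER_NAME="student1"          # assumed login name, used as the user cert principal

# 1. The webtech-admin CA key pair. The private half stays on the admin
#    machine; servers and users only ever need ca.pub.
gen_ca() {
    ssh-keygen -q -t ed25519 -N '' -C 'webtech-admin CA' -f "$WORK/ca"
}

# 2. Server side: a fresh host key, signed as a HOST certificate (-h) whose
#    principal is the server's DNS name. ssh-keygen writes host_key-cert.pub.
sign_host_key() {
    ssh-keygen -q -t ed25519 -N '' -f "$WORK/host_key"
    ssh-keygen -q -s "$WORK/ca" -I "host-$HOST" -h -n "$HOST" -V +52w "$WORK/host_key.pub"
}

# 3. User side: the user's key, signed as a USER certificate whose principals
#    restrict which accounts it may log in as. Short validity limits the damage
#    from a lost key, since this setup has no revocation list.
sign_user_key() {
    ssh-keygen -q -t ed25519 -N '' -f "$WORK/user_key"
    ssh-keygen -q -s "$WORK/ca" -I "user-$USER_NAME" -n "$USER_NAME" -V +4w "$WORK/user_key.pub"
}

# 4a. The line webtech-ssh would install in the user's known_hosts: trust any
#     host certificate signed by the CA, but only for names under webtech-uva.nl.
client_known_hosts() {
    printf '@cert-authority *.webtech-uva.nl %s\n' "$(cut -d' ' -f1,2 "$WORK/ca.pub")"
}

# 4b. The sshd_config fragment a server needs: present its host certificate and
#     accept user certificates issued by the CA (paths assumed).
server_sshd_config() {
    cat <<'EOF'
HostKey /etc/ssh/ssh_host_ed25519_key
HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
TrustedUserCAKeys /etc/ssh/webtech_admin_ca.pub
EOF
}

# Inspection helpers, parsed from `ssh-keygen -L`: certificate type ("host" or
# "user"), its principals, and the fingerprint of the CA that signed it.
cert_type() {
    ssh-keygen -L -f "$1" | awk '/^ *Type:/ { print $(NF-1) }'
}
cert_principals() {
    ssh-keygen -L -f "$1" | awk '/^ *Principals:/ { p=1; next } /^ *Critical Options:/ { p=0 } p { print $1 }'
}
cert_signing_ca() {
    ssh-keygen -L -f "$1" | awk '/^ *Signing CA:/ { for (i = 1; i <= NF; i++) if ($i ~ /^SHA256:/) print $i }'
}
ca_fingerprint() {
    ssh-keygen -lf "$WORK/ca.pub" | awk '{ print $2 }'
}

main() {
    gen_ca
    sign_host_key
    sign_user_key
    echo "host cert: $(cert_type "$WORK/host_key-cert.pub") certificate for $(cert_principals "$WORK/host_key-cert.pub")"
    echo "user cert: $(cert_type "$WORK/user_key-cert.pub") certificate for $(cert_principals "$WORK/user_key-cert.pub")"
    echo "both issued by CA $(ca_fingerprint)"
    echo "--- client known_hosts line ---"; client_known_hosts
    echo "--- server sshd_config fragment ---"; server_sshd_config
}
main
```

Two things to keep in mind when running a scheme like this for real: the CA private key is the single point of compromise for every server and every account, so it belongs on the admin machine only, and because OpenSSH certificates are not checked against a revocation list unless you configure `RevokedKeys`, the validity window (`-V`) is the main limit on how long a stolen user key stays usable.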