This is an old revision of the document!


bt02srv upgrade notes

The bt02srv server started as an experiment and had Ubuntu 9.10 Desktop on it. Over a year of use it evolved into a "real" server, so it made much more sense to reinstall with an LTS Ubuntu server version in order to get the server-specific system settings, as well as long-term update support from the repositories.

Backup

Existing system files

Manually copy several system directories to a safe location. These will be useful when setting up system services after the installation.

$ sudo mkdir /mnt/backups/before_10.04
$ sudo cp -a /etc /opt /var/www /boot /root /mnt/backups/before_10.04

List of installed packages

Capture a list of all currently-installed packages, just in case.

$ sudo su -c 'dpkg --get-selections > /mnt/backups/before_10.04/9.10_packages.txt'
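One way to put the saved list to use after the reinstall, added here as an example and not part of the original notes: it prints the packages that were installed on 9.10 but are not installed on the new system. The function name and the `/tmp/10.04_packages.txt` file name are assumptions.

```bash
#!/bin/bash
# missing_packages OLD NEW
# Print packages marked "install" in OLD (selections saved from 9.10) that are
# not marked "install" in NEW (selections taken on the fresh 10.04 system).
missing_packages() {
    awk '
        # Strip an architecture qualifier such as ":amd64" (newer dpkg output).
        { sub(/:.*$/, "", $1) }
        # The first file awk reads is NEW: remember what it has installed.
        FILENAME == ARGV[1] { if ($2 == "install") have[$1] = 1; next }
        # The second file is OLD: report installed packages NEW does not have.
        $2 == "install" && !($1 in have) { print $1 }
    ' "$2" "$1" | sort
}

# On the new server (output file name is an assumption):
#   dpkg --get-selections > /tmp/10.04_packages.txt
#   missing_packages /mnt/backups/before_10.04/9.10_packages.txt /tmp/10.04_packages.txt
```

Packages in "deinstall" or "purge" state in the old list are skipped, so only software that was actually present is reported.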

Installation

We're installing Ubuntu 10.04 Server x86_64 LTS (Long-term support). LTS releases have a longer period of software and security updates than the regular releases.

During installation make sure to use "advanced mode" to select all our existing partitions rather than using the installer defaults. We already have partitions for /, swap, and /home, so don't erase the hard drive!

Post installation

Run all upgrades

After installation it is a good idea to immediately install all software updates. Ubuntu 10.04 was released in April, 2010, so the packages on the disc are sure to have been upgraded since its release.

$ sudo apt-get update
$ sudo apt-get dist-upgrade
$ sudo reboot

Install RAID tools

We need to install the tools required to mount the software RAID 5.

$ sudo apt-get install mdadm
  • plug in RAID tower eSATA
  • reboot (probably optional)
$ sudo mdadm --auto-detect
$ sudo mount /dev/md0 /mnt
$ sudo mv /etc/mdadm/mdadm.conf /etc/mdadm/mdadm.conf.orig
$ sudo cp /mnt/backups/before_10.04/etc/mdadm/mdadm.conf /etc/mdadm/mdadm.conf
  • add /dev/md0 to fstab
  • reboot to test

Install system packages

Some system packages we might need later on (to build perl modules, for example).

$ sudo apt-get install build-essential

SSH Keys

Copy the system's SSH keys from the old system. We don't want people to get "man-in-the-middle attack" errors when they SSH to the new server!

$ sudo cp -a /etc/ssh /etc/ssh.orig
$ sudo service ssh stop
$ sudo cp /mnt/backups/before_10.04/etc/ssh/*key* /etc/ssh/
$ sudo service ssh start
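A check to run after the copy above, added here as an example and not part of the original notes: it confirms that every host key file in the backup has a byte-identical copy in the live directory and that the private halves are not accessible to group or others. The function name is hypothetical; the paths in the usage comment are the ones used on this page.

```bash
#!/bin/bash
# check_host_keys BACKUP_DIR LIVE_DIR
# Returns 0 if all key files match and private keys are owner-only,
# 1 on any mismatch or loose permission, 2 if the backup holds no key files.
check_host_keys() {
    local backup=$1 live=$2 rc=0 src name perm
    for src in "$backup"/*key*; do
        [ -e "$src" ] || { echo "no key files found in $backup"; return 2; }
        name=${src##*/}
        # A missing or different file in LIVE_DIR means clients would see a
        # changed host key on their next connection.
        if ! cmp -s "$src" "$live/$name"; then
            echo "MISMATCH  $name"
            rc=1
            continue
        fi
        case $name in
            *.pub) ;;                       # public halves may be world-readable
            *)
                perm=$(ls -ld "$live/$name")
                case $perm in
                    ????------*) ;;         # no group/other permission bits set
                    *) echo "BAD MODE  $name (${perm%% *})"; rc=1 ;;
                esac ;;
        esac
    done
    return $rc
}

# Usage with the paths from this page (run as root so private keys are readable):
#   check_host_keys /mnt/backups/before_10.04/etc/ssh /etc/ssh
if [ "$#" -eq 2 ]; then
    check_host_keys "$1" "$2"
fi
```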

Copy root's home folder

  1. sudo su -
  2. cd /
  3. mv root root.orig
  4. cp -a /mnt/backups/before_10.04/root/ /root

Install apt-cacher-ng

Install the apt-cacher-ng package and make sure our existing package cache is owned by the new user and group.

$ sudo apt-get install apt-cacher-ng
$ sudo chown -R apt-cacher-ng:apt-cacher-ng /mnt/apt-cacher-ng

Edit configuration

Edit the configuration to point the CacheDir to our existing cache.

/etc/apt-cacher-ng/acng.conf:

CacheDir: /mnt/apt-cacher-ng

Restart apt-cacher-ng daemon

$ sudo /etc/init.d/apt-cacher-ng restart

BackupPC

Install BackupPC from apt

$ sudo apt-get install backuppc

(automatically-generated password: 0FY25aM2)

Change the password for the backuppc user if you'd like:

$ sudo htpasswd /etc/backuppc/htpasswd backuppc

BackupPC home directory

$ cd /var/lib
$ sudo mv backuppc/ backuppc.orig
$ sudo ln -s /mnt/backuppc backuppc

Restore configuration

$ sudo mv /etc/backuppc/hosts /etc/backuppc/hosts.orig
$ sudo cp /mnt/backups/backup.0/etc/backuppc/hosts /etc/backuppc/
$ sudo cp /mnt/backups/backup.0/etc/backuppc/172.26.*pl /etc/backuppc/
$ sudo chown -R backuppc:www-data /etc/backuppc
$ sudo chown -R backuppc:backuppc /mnt/backuppc/
$ sudo usermod -s /bin/bash backuppc
$ ps aux | grep "BackupPC -d"
$ sudo kill -HUP 7442    # 7442 is the PID shown by the ps command above

Web interface authentication

We'll point BackupPC's authentication to ILRI Active Directory using the Perl AuthenMSAD module from CPAN.

Install AuthenMSAD

$ sudo apt-get install libapache2-mod-perl2 libapache2-mod-perl2-dev libauthen-simple-ldap-perl
$ sudo cpan
install Apache2::AuthenMSAD
exit

Set up Apache to use AD auth

$ sudo vim /etc/backuppc/apache2.conf
AuthName "Microsoft Active Directory Authentication"
AuthType Basic

PerlAuthenHandler Apache2::AuthenMSAD
PerlSetVar MSADDomain ilri.cgiarad.org
PerlSetVar MSADServer 172.26.0.218

require valid-user
#require user aorth akihara

Enable the Apache module

$ sudo a2enmod perl
$ sudo apache2ctl graceful

Email alerts

BackupPC can send emails to notify of failed backups, etc. We will use postfix's sendmail to relay all the mails to the REAL mail server at the institute; this is called a "relay" or "smart" host.

Postfix is installed by default when you install BackupPC, but it's not configured. Reconfigure it to act as a "Satellite System" using dpkg-reconfigure:

$ sudo dpkg-reconfigure postfix

After that the emails should be working. Test if BackupPC is able to send messages:

$ sudo su - backuppc
$ /usr/share/backuppc/bin/BackupPC_sendEmail -u a.orth@cgiar.org

Redmine

Install system dependencies

$ sudo apt-get install ruby rubygems libopenssl-ruby

Install ruby dependencies

$ sudo gem install rails -v=2.3.5
$ sudo apt-get install libsqlite3-dev
$ sudo gem install sqlite3-ruby
$ sudo gem install fastthread
$ sudo gem install -v=0.4.2 i18n

Copy existing Redmine installation back

$ sudo cp -a /mnt/backups/before_10.04/opt/redmine* /opt/

Test using the standalone Ruby web server

$ sudo /opt/redmine/script/server -e production

Passenger (mod_rails)

  1. sudo sh -c 'echo "deb http://apt.brightbox.net lucid main" > /etc/apt/sources.list.d/phusion_passenger.list'
  2. wget -q -O - http://apt.brightbox.net/release.asc | sudo apt-key add -
  3. sudo apt-get update
  4. sudo apt-get install libapache2-mod-passenger
  5. create /etc/apache2/conf.d/redmine.conf:
RailsBaseURI /redmine
RailsEnv production

<Directory "/var/www/redmine">
        AllowOverride all
        Options -MultiViews
        #Options Indexes ExecCGI FollowSymLinks
        Order allow,deny
        Allow from all
</Directory>
  6. sudo ln -s /opt/redmine/public /var/www/redmine

Apache SSL

Force all HTTP → HTTPS using mod_rewrite.

Enable Apache modules

$ sudo a2enmod ssl rewrite

Copy SSL settings

Copy the keys and Apache configuration for SSL from the old machine. The "snake oil" certificate is the self-signed certificate we generated ourselves. It's secure, but it is called "snake oil" because it is self-generated rather than issued by a certificate authority. Don't worry, we can't even get a "real" one with our current setup (as we don't control the ilri.org domain, mail addresses, IPs, etc.).

$ sudo cp /mnt/backups/before_10.04/etc/apache2/sites-enabled/default-ssl /etc/apache2/sites-enabled/
$ sudo cp -a /etc/ssl /etc/ssl.orig
$ sudo cp /mnt/backups/before_10.04/etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/certs/ssl-cert-snakeoil.pem
$ sudo cp /mnt/backups/before_10.04/etc/ssl/private/ssl-cert-snakeoil.key /etc/ssl/private/ssl-cert-snakeoil.key

Set up redirect for HTTP -> HTTPS

/etc/apache2/sites-enabled/000-default:

<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTPS} off 
    # rewrite only trac login pages to HTTPS
    #RewriteCond %{REQUEST_URI} trac/(avid|beca)/login
    # grab the request minus the / (we place a slash in the rewritten URL)
    RewriteRule ^/(.*)$ https://172.26.17.2/$1 [R,L]
</IfModule>
  • add "ServerName bt02srv" to the default-ssl VirtualHost configuration.
  • Restart Apache
  • $ sudo apache2ctl graceful

git repositories

Set up git repositories from the old system by creating a git user and copying its home directory (including SSH keys in .ssh!!) to /var/cache/git:

  • $ sudo apt-get install git-core
    $ sudo adduser --system --group --shell /bin/bash --disabled-password --home /var/cache/git/ --no-create-home git
    $ sudo cp -a backup.0/var/cache/git/* backup.0/var/cache/git/.ssh /var/cache/git/
    $ sudo chown -R git:git /var/cache/git

Add users from old system

Here I add a user for Solomon Kihara:

  • $ sudo cp -a /mnt/backup/akihara /home/
    $ sudo adduser --shell /bin/bash --home /home/akihara/ --no-create-home akihara
    $ sudo chown -R akihara:akihara /home/akihara/
    $ sudo gpasswd -a akihara admin

System tweaks and cleanup

  • Add noatime to all ext4 partitions in /etc/fstab. This tells the kernel not to update access timestamps on files when they are accessed!
  • Remove command-not-found, as we're all pros on this server ;):
  • $ sudo apt-get purge command-not-found command-not-found-data
  • Remove unneeded/obsolete packages:
  • $ sudo apt-get autoremove
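The noatime edit from the list above as a filter, added here as an example and not part of the original notes: it appends noatime to the options of every ext4 entry that lacks it and leaves comments, blank lines and other filesystems alone. The function names and the sample entries are constructed for illustration.

```bash
#!/bin/bash
# add_noatime: read fstab text on stdin, write the edited text to stdout.
# Edited lines are re-joined with tabs; untouched lines keep their layout.
add_noatime() {
    awk '
        BEGIN { OFS = "\t" }
        # Pass comments and blank lines through unchanged.
        /^[ \t]*(#|$)/ { print; next }
        # Field 3 is the filesystem type, field 4 the mount options.
        $3 == "ext4" && $4 !~ /(^|,)noatime(,|$)/ { $4 = $4 ",noatime" }
        { print }
    '
}

# Constructed sample matching the partitions named on this page (/, swap, /home).
sample_fstab() {
    cat <<'EOF'
# <file system> <mount point> <type> <options> <dump> <pass>
UUID=aaaa / ext4 errors=remount-ro 0 1
UUID=bbbb /home ext4 defaults,noatime 0 2
UUID=cccc none swap sw 0 0
EOF
}

# Usage on the real file: write to a copy and review the diff before installing it.
#   add_noatime < /etc/fstab > /tmp/fstab.new
#   diff -u /etc/fstab /tmp/fstab.new
```

Running the filter a second time changes nothing, so it is safe to re-apply after adding new partitions.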
upgrade_notes/bt02srv_january_2011.1298279495.txt.gz · Last modified: by aorth