Forked from jesussuarz/Passbolt-Migration-Guide.md
Created
September 9, 2024 15:04
Revisions
jesussuarz renamed this gist
Jul 24, 2024 . 1 changed file with 37 additions and 0 deletions.
@@ -244,6 +244,43 @@ sudo /usr/local/bin/passbolt-configure Use the same details you used previously to create your database. To avoid potential issues, you may need to disable SELinux. Follow these steps to disable SELinux on your server: ### Check the Current SELinux Status First, check the current status of SELinux: ```bash sestatus ``` This command will display the current state of SELinux (enabled or disabled) and its mode (enforcing, permissive, or disabled). To permanently disable SELinux, you need to edit the SELinux configuration file. Open the configuration file using a text editor, such as nano or vi: ```bash nano /etc/selinux/config ``` Find the line that says SELINUX=enforcing or SELINUX=permissive and change it to SELINUX=disabled: ```bash # This file controls the state of SELinux on the system. # SELINUX= can take one of these three values: # enforcing - SELinux security policy is enforced. # permissive - SELinux prints warnings instead of enforcing. # disabled - No SELinux policy is loaded. SELINUX=disabled # SELINUXTYPE= can take one of these two values: # targeted - Targeted processes are protected, # mls - Multi Level Security protection. SELINUXTYPE=targeted ``` Save the file and exit the text editor. ### Reboot the System Finally, reboot your system to apply the changes: ```bash sudo reboot ``` ### Information Sources These guides were invaluable for completing this task: -
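Review bot: Setting `SELINUX=disabled` in /etc/selinux/config and rebooting turns off mandatory access control on the host that holds the Passbolt database and the server private key, and the added text justifies it only with "to avoid potential issues" without naming a failure. Suggest a diagnose-first step in its place: switch to permissive temporarily with `sudo setenforce 0`, reproduce the problem, read the denials with `sudo ausearch -m avc -ts recent`, relabel the restored directories with `sudo restorecon -Rv` (files unpacked from the backup archive may not carry the labels the policy expects), then return to enforcing. If the permanent change stays, state the symptom that requires it and add `sudo` to the `nano /etc/selinux/config` step, which as written cannot save the file for a non-root user.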
jesussuarz created this gist
Jul 21, 2024
@@ -0,0 +1,258 @@ # Guide to Migrating Passbolt Server to a New Server This guide covers two important aspects: 1. Migrating a Passbolt server from an old server to a new one, even if the new server has a more updated operating system. 2. Converting a Passbolt Pro installation to a Community (CE) version. The process described is applicable both for a new installation and for an update on the existing server. In my case, I migrated from CentOS 7 to AlmaLinux 9.4. ### Old Server First, create a backup of the files and database of your old Passbolt server. To do this, execute: ```bash mysqldump -u [username] -p[password] [database_name] > backup_passbolt.sql ``` Alternatively, you can use the Passbolt backup script: ```bash sudo su -s /bin/bash -c "/usr/share/php/passbolt/bin/cake passbolt mysql_export" nginx ``` Then, create a backup of all your files using tar to compress them: ```bash tar -czvf passbolt_backup.tar.gz /var/www/passbolt /etc/passbolt /var/lib/passbolt ``` Transfer these files to the new server and decompress them with the following command: ```bash tar -xzvf passbolt_backup.tar.gz -C / ``` ### Converting Passbolt Pro to Community Edition (CE) If you are migrating from a Passbolt Pro installation to CE, uninstall the passbolt-pro-server package with the following commands: ```bash sudo yum remove passbolt-pro-server sudo yum autoremove sudo yum clean all ``` Remove the old repository: ```bash sudo rm -rf /etc/yum.repos.d/passbolt-pro.repo sudo yum update ``` Add the Passbolt CE repository: ```bash echo "[passbolt-ce] name=Passbolt CE Repository baseurl=https://download.passbolt.com/ce/yum/el7 enabled=1 gpgcheck=1 gpgkey=https://download.passbolt.com/ce/yum/RPM-GPG-KEY-passbolt" | sudo tee /etc/yum.repos.d/passbolt-ce.repo ``` ### New Installation on the New Server If it is a new server, follow the steps for a new installation. 
Execute: ```bash curl -LO https://download.passbolt.com/ce/installer/passbolt-repo-setup.ce.sh curl -LO https://github.com/passbolt/passbolt-dep-scripts/releases/latest/download/passbolt-ce-SHA512SUM.txt sha512sum -c passbolt-ce-SHA512SUM.txt && sudo bash ./passbolt-repo-setup.ce.sh || echo "Bad checksum. Aborting" && rm -f passbolt-repo-setup.ce.sh ``` Install the package: ```bash sudo dnf install passbolt-ce-server ``` If it is a new server, ensure your domain points to the new IP address. If it is an update on the same server, skip this step. ### Nginx Configuration on AlmaLinux 9.4 Save the following configuration files in /etc/nginx/conf.d. passbolt.conf ```bash server { listen [::]:80; listen 80; server_name your.sub.domain.com; client_body_buffer_size 100K; client_header_buffer_size 1K; client_max_body_size 5M; client_body_timeout 10; client_header_timeout 10; keepalive_timeout 5 5; send_timeout 10; root /usr/share/php/passbolt/webroot; index index.php; location / { try_files $uri $uri/ /index.php?$args; } location ~ \.php$ { try_files $uri =404; include fastcgi_params; fastcgi_pass php-fpm; fastcgi_index index.php; fastcgi_intercept_errors on; fastcgi_split_path_info ^(.+\.php)(.+)$; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param SERVER_NAME $http_host; fastcgi_param PHP_VALUE "upload_max_filesize=5M \n post_max_size=5M"; } } ``` passbolt_ssl.conf ```bash server { listen [::]:443 ssl http2; listen 443 ssl http2; server_name your.sub.domain.com; client_body_buffer_size 100K; client_header_buffer_size 1k; client_max_body_size 5M; client_body_timeout 10; client_header_timeout 10; keepalive_timeout 5 5; send_timeout 10; ssl_certificate /etc/ssl/certs/passbolt_certificate.crt; ssl_certificate_key /etc/ssl/certs/passbolt_private.key; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers 
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; ssl_prefer_server_ciphers off; ssl_session_tickets off; root /usr/share/php/passbolt/webroot; index index.php; location / { try_files $uri $uri/ /index.php?$args; } location ~ \.php$ { try_files $uri =404; include fastcgi_params; fastcgi_pass php-fpm; fastcgi_index index.php; fastcgi_intercept_errors on; fastcgi_split_path_info ^(.+\.php)(.+)$; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param SERVER_NAME $http_host; fastcgi_param PHP_VALUE "upload_max_filesize=5M \n post_max_size=5M"; } } ``` ### Importing the Database Import your database into the new server (skip this step if it is the same previous installation): ```bash mysql -u [username] -p[password] [database_name] < backup_passbolt.sql ``` ### Additional Configuration Run the following script to configure MariaDB, Nginx, and generate your SSL certificate with Let's Encrypt: ```bash sudo /usr/local/bin/passbolt-configure ``` If the SSL certificate generation fails, you can rerun: ```bash certbot --nginx ``` ### Enable and Start Services Enable the services to start automatically on system boot: ```bash systemctl enable php-fpm systemctl enable nginx systemctl enable mariadb ``` Start the services: ```bash systemctl start php-fpm systemctl start nginx systemctl start mariadb ``` ### Create and Configure the Database If MariaDB is not installed, install it: ```bash sudo yum install -y mariadb-server mariadb ``` Create your new database: ```bash mysql -u root -p CREATE DATABASE passbolt; CREATE USER 'passbolt'@'localhost' IDENTIFIED BY 'your_secure_password_here'; GRANT ALL PRIVILEGES ON passbolt.* TO 'passbolt'@'localhost'; FLUSH PRIVILEGES; EXIT; ``` Import your database into the new server: ```bash mysql -u [username] -p[password] [database_name] < 
backup_passbolt.sql ``` ### Import the Server Key If you are migrating servers, create the directory manually and set the correct permissions: ```bash sudo mkdir -p /var/lib/nginx/.gnupg sudo chown -R nginx:nginx /var/lib/nginx/.gnupg sudo chmod 700 /var/lib/nginx/.gnupg ``` Import your key: ```bash sudo su -s /bin/bash -c "gpg --home /var/lib/passbolt/.gnupg --import /etc/passbolt/gpg/serverkey_private.asc" nginx ``` Set permissions on the configuration files: ```bash chown -Rf root:nginx /etc/passbolt/jwt/ chmod 750 /etc/passbolt/jwt/ chmod 640 /etc/passbolt/jwt/jwt.key chmod 640 /etc/passbolt/jwt/jwt.pem sudo chown nginx:nginx /etc/passbolt/gpg/serverkey_private.asc sudo chown nginx:nginx /etc/passbolt/gpg/serverkey.asc sudo chmod 440 /etc/passbolt/gpg/serverkey.asc sudo chmod 440 /etc/passbolt/gpg/serverkey_private.asc ``` ### Finalizing the Migration Run the command to migrate Passbolt to the latest version: ```bash sudo -H -u nginx /bin/bash -c "/usr/share/php/passbolt/bin/cake passbolt migrate" ``` Perform a health check to ensure everything is working correctly: ```bash sudo -H -u nginx /bin/bash -c "/usr/share/php/passbolt/bin/cake passbolt healthcheck" ``` If you encounter issues, rerun: ```bash sudo /usr/local/bin/passbolt-configure ``` Use the same details you used previously to create your database. ### Information Sources These guides were invaluable for completing this task: * https://www.passbolt.com/docs/hosting/migrate/server/ce/almalinux/ * https://www.passbolt.com/docs/hosting/backup/from-sources/ I hope this guide helps you migrate your Passbolt server to a new server or switch from Passbolt Pro to CE. If you have any comments, please let me know here, and I will respond as soon as possible.
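Review bot: In "Import the Server Key" the directory that is created, chowned to nginx and set to 700 is /var/lib/nginx/.gnupg, but the import runs `gpg --home /var/lib/passbolt/.gnupg`, so the keyring that was prepared is not the one that receives the key; use one path in both places and spell the option out as `--homedir`. The `mysqldump` command and both `mysql` imports pass the password as `-p[password]`, which leaves it in shell history and visible in the process list; a bare `-p` prompt avoids that. "Importing the Database" comes before "Create and Configure the Database" and is then repeated after it, so on a fresh server the first import has no database to load into; keep only the later one. The backup section should also say that passbolt_backup.tar.gz and backup_passbolt.sql contain /etc/passbolt/gpg/serverkey_private.asc, the JWT key and the full database, so they need an encrypted transfer and removal from both hosts once the migration is verified.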