CHG-2025-XX-XX migrate store to hetzner3

From Open Source Ecology
Revision as of 23:44, 11 December 2024 by Maltfield (talk | contribs) (updated script for hetzner2 half)

Status

2024-12-11 09:52 UTC

Initial Ticket draft created on wiki (WIP)

Purpose

This change does the following for store.opensourceecology.org:

  1. entirely migrate the 'store' WordPress site from hetzner2 (EOL CentOS7) to hetzner3 (Debian 12)
  2. update core wp from v5.1.1 to v6.6.1
  3. eliminate subversion from the docroot (which has security issues because the releases are not signed and it lacks 3TOFU)
  4. update plugin 'akismet' from v4.1.1 to v5.3.3
  5. uninstall plugin 'be-gdpr'
  6. uninstall plugin 'be-portfolio-post'
  7. update plugin 'classic-editor' from v1.4 to v1.6.5
  8. uninstall plugin 'colorhub'
  9. update plugin 'contact-form-7' from v5.1.1 to v5.9.8
  10. uninstall plugin 'force-strong-passwords'
  11. update plugin 'google-authenticator' from v0.48 to v0.54
  12. uninstall plugin 'masterslider'
  13. update plugin 'meta-box' from v4.17.3 to v5.10.2
  14. uninstall plugin 'meta-box-conditional-logic'
  15. uninstall plugin 'meta-box-show-hide'
  16. uninstall plugin 'meta-box-tabs'
  17. uninstall plugin 'oshine-core'
  18. uninstall plugin 'oshine-modules'
  19. uninstall plugin 'redux-vendor-support'
  20. uninstall plugin 'rename-wp-login'
  21. uninstall plugin 'revslider'
  22. uninstall plugin 'tatsu'
  23. uninstall plugin 'typehub'
  24. update plugin 'vcaching' from v1.6.9 to v1.8.3
  25. update plugin 'woocommerce' from v3.5.7 to v9.3.3
  26. update plugin 'coingate-for-woocommerce' from v1.2.2 to v2.1.1
  27. change theme from 'oshin' to 'twentyseventeen'
  28. update theme 'storefront' from v6.6.4.4 to v7.2.1
  29. update theme 'twentyeleven' from v3.2 to v4.7
  30. update theme 'twentyfifteen' from v2.4 to v3.8
  31. update theme 'twentyfourteen' from v2.6 to v4.0
  32. update theme 'twentynineteen' from v1.3 to v2.9
  33. update theme 'twentyseventeen' from v2.1 to v3.7
  34. update theme 'twentysixteen' from v1.9 to v3.3
  35. update theme 'twentyten' from v2.8 to v4.2
  36. update theme 'twentythirteen' from v2.8 to v4.2
  37. update theme 'twentytwelve' from v2.9 to v4.3

Points of Contact

Change being performed by: Michael Altfield

Service owners: Catarina Mota & Marcin Jakubowski

Apply to Production

# TODO: verify && change everything in this script

####################
# run on hetzner2 #
####################

sudo su -

# STEP 0: CREATE BACKUPS
source /usr/home/osemain/backups/backup.settings
/usr/home/osemain/backups/backup.sh

# when finished, verify that the whole system backup was successful before proceeding
sudo rclone lsl b2:ose-server-backups | grep -i $(date +%Y%m%d)

# DECLARE VARIABLES
vhost_name='store.opensourceecology.org'

source /usr/home/osemain/backups/backup.settings
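stamp=$(date +%Y%m%d)
# staging dir on hetzner2; the hetzner3 half declares this same path as the copy source
backupDir_hetzner2="/var/tmp/backups_for_migration_to_hetzner3/${vhost_name}_${stamp}"
backupFileName_db_hetzner2="mysqldump_${vhost_name}.${stamp}.sql.bz2"
backupFileName_files_hetzner2="${vhost_name}_files.${stamp}.tar.gz"
vhostDir='/var/www/html/store.opensourceecology.org'
dbName='store_db'
# the leading space keeps these lines out of bash history when HISTCONTROL includes 'ignorespace'
 dbUser="CHANGEME"
 dbPass="CHANGEME"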

# STEP 1: BACKUP DB
mkdir -p "${backupDir_hetzner2}"/{current,old}
pushd "${backupDir_hetzner2}/current/"
mv "${backupDir_hetzner2}"/current/* "${backupDir_hetzner2}/old/"

# dump only our vhost-specific db (not --all-databases)
time nice mysqldump -u"${dbUser}" -p"${dbPass}" "${dbName}" | bzip2 -c > "${backupDir_hetzner2}/current/${backupFileName_db_hetzner2}"

# STEP 2: BACKUP FILES
time nice tar -czvf "${backupDir_hetzner2}/current/${backupFileName_files_hetzner2}" "${vhostDir}"

####################
# run on hetzner3 #
####################

sudo su -

# STEP 0: CREATE BACKUPS
# for good measure, trigger a backup of the entire system's database & files:
time /bin/nice /root/backups/backup.sh &>> /var/log/backups/backup.log

# when finished, verify that the whole system backup was successful before proceeding
rclone lsl b2:ose-server-backups | grep -i $(date +%Y%m%d)

# DECLARE VARIABLES
vhost_name='store.opensourceecology.org'

source /root/backups/backup.settings
stamp=`date +%Y%m%d`
backupDir_hetzner2="/var/tmp/backups_for_migration_to_hetzner3/${vhost_name}_${stamp}"
backupDir_hetzner3="/var/tmp/backups_for_migration_from_hetzner2/${vhost_name}_${stamp}"
backupFileName_db_hetzner1="mysqldump_${vhost_name}.${stamp}.sql.bz2"
backupFileName_files_hetzner1="${vhost_name}_files.${stamp}.tar.gz"
dbName_hetzner2='store_db'
dbName_hetzner3='osemain_db'
 dbUser_hetzner2="osemain_user"
 dbPass_hetzner2="CHANGEME"
vhostDir_hetzner2="/var/www/html/www.opensourceecology.org"
docrootDir_hetzner2="${vhostDir_hetzner2}/htdocs"

# STEP 1: COPY FROM HETZNER2

# backupDir_hetzner3 is the local staging dir; backupDir_hetzner2 is the path on the source server
mkdir -p "${backupDir_hetzner3}"/{current,old}
mv "${backupDir_hetzner3}"/current/* "${backupDir_hetzner3}/old/"
scp -P 222 "osemain@dedi978.your-server.de:${backupDir_hetzner2}/current/*" "${backupDir_hetzner3}/current/"

# STEP 2: ADD DB

# create backup before we start changing the sql file
pushd "${backupDir_hetzner3}/current"
cp "${backupFileName_db_hetzner1}" "${backupFileName_db_hetzner1}.orig"

# extract .sql.bz2 -> .sql
bzip2 -dc "${backupFileName_db_hetzner1}" > db.sql

# verify the first 2 (non-comment) occurrences of $dbName meet the naming convention of "<siteName>_db"
vim db.sql

 time nice mysql -uroot -p"${mysqlPass}" -sNe "DROP DATABASE IF EXISTS ${dbName_hetzner2};"
 time nice mysql -uroot -p"${mysqlPass}" -sNe "CREATE DATABASE ${dbName_hetzner2}; USE ${dbName_hetzner2};"
 # a single-db dump (no --databases) has no CREATE DATABASE/USE statement, so name the target db on import
 time nice mysql -uroot -p"${mysqlPass}" "${dbName_hetzner2}" < "db.sql"
 time nice mysql -uroot -p"${mysqlPass}" -sNe "GRANT ALL ON ${dbName_hetzner2}.* TO '${dbUser_hetzner2}'@'localhost' IDENTIFIED BY '${dbPass_hetzner2}'; FLUSH PRIVILEGES;"

# STEP 3: Add vhost files
mv "${vhostDir_hetzner2}"/* "${backupDir_hetzner3}/old/"
tar -xzvf "${backupFileName_files_hetzner1}"
# search the tree that tar just extracted into the current directory
content_dir=$(find "${backupDir_hetzner3}/current" -name wp-content -type d | sort | head -n1)
htaccess_file=$(find "${backupDir_hetzner3}/current" -name '.htaccess' -type f | sort | head -n1)
wp_config_file=$(find "${backupDir_hetzner3}/current" -name 'wp-config.php' -type f | sort | head -n1)

mkdir -p ${docrootDir_hetzner2}

pushd ${docrootDir_hetzner2}
currentWpVersion=`curl -i https://core.svn.wordpress.org/tags/ | grep '<li>' | tail -n1 | cut -d\" -f2`
svn co https://core.svn.wordpress.org/tags/${currentWpVersion}/ ${docrootDir_hetzner2}
popd

rsync -av --progress ${wp_config_file} ${vhostDir_hetzner2}/
rsync -av --progress ${htaccess_file} ${docrootDir_hetzner2}/
rsync -av --progress ${content_dir} ${docrootDir_hetzner2}/

# make sure this is subdomain, not subdir now
vim ${docrootDir_hetzner2}/.htaccess

# update WP_HOME/WP_SITEURL/DB_NAME/DB_USER/DB_PASSWORD/DB_HOST/
# add/replace salts https://api.wordpress.org/secret-key/1.1/salt/
vim ${vhostDir_hetzner2}/wp-config.php

# SET PERMISSIONS

chown -R not-apache:apache "${vhostDir_hetzner2}"
find "${vhostDir_hetzner2}" -type d -exec chmod 0050 {} \;
find "${vhostDir_hetzner2}" -type f -exec chmod 0040 {} \;

chown not-apache:apache-admins "${vhostDir_hetzner2}/wp-config.php"
chmod 0040 "${vhostDir_hetzner2}/wp-config.php"

[ -d "${docrootDir_hetzner2}/wp-content/uploads" ] || mkdir "${docrootDir_hetzner2}/wp-content/uploads"
chown -R apache:apache "${docrootDir_hetzner2}/wp-content/uploads"
find "${docrootDir_hetzner2}/wp-content/uploads" -type f -exec chmod 0660 {} \;
find "${docrootDir_hetzner2}/wp-content/uploads" -type d -exec chmod 0770 {} \;

# UPDATE EXISTING PLUGINS

sudo -u wp -i wp --path=${docrootDir_hetzner2} plugin update --all

# UPDATE EXISTING THEMES

sudo -u wp -i wp --path=${docrootDir_hetzner2} theme update --all

# INSTALL PLUGINS

# install & configure 2FA plugins
sudo -u wp -i wp --path=${docrootDir_hetzner2} plugin install google-authenticator --activate
sudo -u wp -i wp --path=${docrootDir_hetzner2} plugin install google-authenticator-encourage-user-activation --activate
defaultOtpAccountDescription="`basename ${vhostDir_hetzner2}` wp"
pushd ${docrootDir_hetzner2}/wp-content/plugins/google-authenticator
sed -i "s^\$GA_description\s=\s__(\s[\"'].*[\"']^\$GA_description = __( '$defaultOtpAccountDescription'^" google-authenticator.php
popd

# install 'force-strong-passwords' plugin
sudo -u wp -i wp --path=${docrootDir_hetzner2} plugin install force-strong-passwords --activate

# install rename-wp-login plugin
sudo -u wp -i wp --path=${docrootDir_hetzner2} plugin install rename-wp-login --activate

# install "SSL Insecure Content Fixer" plugin
sudo -u wp -i wp --path=${docrootDir_hetzner2} plugin install ssl-insecure-content-fixer --activate

# install "Varnish Caching" plugin
sudo -u wp -i wp --path=${docrootDir_hetzner2} plugin install vcaching --activate

# SET PERMISSIONS AGAIN

chown -R not-apache:apache "${vhostDir_hetzner2}"
find "${vhostDir_hetzner2}" -type d -exec chmod 0050 {} \;
find "${vhostDir_hetzner2}" -type f -exec chmod 0040 {} \;

chown not-apache:apache-admins "${vhostDir_hetzner2}/wp-config.php"
chmod 0040 "${vhostDir_hetzner2}/wp-config.php"

[ -d "${docrootDir_hetzner2}/wp-content/uploads" ] || mkdir "${docrootDir_hetzner2}/wp-content/uploads"
chown -R apache:apache "${docrootDir_hetzner2}/wp-content/uploads"
find "${docrootDir_hetzner2}/wp-content/uploads" -type f -exec chmod 0660 {} \;
find "${docrootDir_hetzner2}/wp-content/uploads" -type d -exec chmod 0770 {} \;

# finally, log into the new wordpress site (use '/login' instead of '/wp-login.php'). After authenticating, wp will ask you to update, if necessary. Then update settings:
# 1. "Settings" -> "Permalinks" -> "Rename wp-login.php" -> "Login url" = 'ose-hidden-login'
# 2. "Settings" -> "General" -> "Google Authenticator - Encourage User Activation" = "Force the user"
# 3. "Settings" -> "SSL Insecure Content" and then [a] uncheck the "WooCommerce" checkbox and [b] change the HTTPS detection from the default "standard WordPress function" to "HTTP_X_FORWARDED_PROTO"
# 4. "Varnish Caching" and then [a] check the "Enable" checkbox, [b] enter "86400" for the "Homepage cache TTL", [c] enter "86400" for the "Cache TTL", [d] enter "127.0.0.1:6081" for "IPs", [e] check the "Dynamic host" checkbox

Finally, update the various content as needed:

  1. /contributors/, /community-true-fans/, /history-timeline/
    1. update iframes to knightlab.com time sliders to be https instead of http
  2. /cnc-torch-table-workshop/, /eco-tractor_workshop/, /3d-printer-construction-set-workshop-3/
    1. update the widgets to use new "Custom HTML" widgets instead of "Text" widgets to prevent the Eventbrite widget's height from being truncated
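
A post-change check for the "SET PERMISSIONS AGAIN" step, as an added example that is not part of the original ticket: it reads a `find` listing of the vhost and reports every entry whose mode or ownership deviates from the scheme the script applies (0050/0040 `not-apache:apache`, `wp-config.php` in group `apache-admins`, `uploads` 0770/0660 `apache:apache`). The function names, the `example.org` paths and the sample listing are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original ticket). Input: one line per entry,
#   <type> <octal mode> <user> <group> <path>
# as printed by:  find "${vhostDir}" -printf '%y %m %u %g %p\n'
# (GNU find prints mode 0050 as "50"). Output: one line per deviation.
audit_vhost_perms() (
  vhostDir="$1"; docrootDir="$2"
  uploads="${docrootDir}/wp-content/uploads"
  while read -r type mode user group path; do
    case "${type}" in d|f) ;; *) continue ;; esac   # skip symlinks, sockets, ...
    case "${path}" in
      "${vhostDir}/wp-config.php")
        want="40 not-apache apache-admins" ;;
      "${uploads}"|"${uploads}"/*)                   # the only tree the web server may write
        if [ "${type}" = d ]; then want="770 apache apache"
        else want="660 apache apache"; fi ;;
      *)                                             # everything else: group-read only
        if [ "${type}" = d ]; then want="50 not-apache apache"
        else want="40 not-apache apache"; fi ;;
    esac
    [ "${mode} ${user} ${group}" = "${want}" ] ||
      echo "DEVIATION ${path}: have '${mode} ${user} ${group}', want '${want}'"
  done
)

# Constructed listing for a hypothetical vhost; two entries are wrong on purpose.
sample_listing() (
  v=/var/www/html/example.org
  cat <<EOF
d 50 not-apache apache ${v}
f 40 not-apache apache-admins ${v}/wp-config.php
d 50 not-apache apache ${v}/htdocs
f 40 not-apache apache ${v}/htdocs/index.php
f 640 apache apache ${v}/htdocs/wp-content/plugins/demo/demo.php
d 770 apache apache ${v}/htdocs/wp-content/uploads
f 660 apache apache ${v}/htdocs/wp-content/uploads/logo.png
f 755 apache apache ${v}/htdocs/wp-content/uploads/report.pdf
EOF
)

sample_listing | audit_vhost_perms /var/www/html/example.org /var/www/html/example.org/htdocs
```

On the server, run it as root against the real tree with `find "${vhostDir_hetzner2}" -printf '%y %m %u %g %p\n' | audit_vhost_perms "${vhostDir_hetzner2}" "${docrootDir_hetzner2}"`; no output means every entry matches the scheme.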