Roster Wizard Production Environment

How to Install a Roster Wizard Production Environment

How to Install a Roster Wizard Production Environment

The following assumes your server is running Ubuntu 22.04 LTS and you have a user account named 'ubuntu'. However the procedure for other Linux distributions will be similar.

Docker:

Install Docker Engine as per https://docs.docker.com/engine/install/ubuntu/

Follow Linux post installation steps for Docker Engine as per https://docs.docker.com/engine/install/linux-postinstall/

Install Docker Compose as per https://docs.docker.com/compose/install/linux/#install-using-the-repository

Enable IPv6 in docker as per https://docs.docker.com/config/daemon/ipv6/

Docker Containers:

sudo mkdir /opt/roster
sudo chown -R ubuntu:ubuntu /opt/roster
cd /opt/roster
wget --no-cache https://raw.githubusercontent.com/galojix/roster-wizard/master/docker-compose.yml
wget --no-cache https://raw.githubusercontent.com/galojix/roster-wizard/master/docker-compose.production.yml
cp docker-compose.production.yml docker-compose.override.yml
touch .env

Add the following to .env (this ensures that the Docker containers run as a non-root user):

USERID=<insert a UID that is unused on the docker host>
GROUPID=<insert a GID that is unused on the docker host>

Example:

USERID=12345
GROUPID=12345
mkdir -p /opt/roster/static

Using the same USERID and GROUPID as above:

sudo chown -R <insert USERID here>:<insert GROUPID here> /opt/roster/static

Example:

sudo chown -R 12345:12345 /opt/roster/static
touch .env_prod_db

Add the following to .env_prod_db (use a unique DB password and remove the <> brackets) :

POSTGRES_DB=postgres
POSTGRES_USER=postgres
POSTGRES_PASSWORD=<insert DB password here>
touch .env_prod_web

Add the following to .env_prod_web (set the secret key, DB password, domain name and URL as specified and remove the <> brackets):

DEBUG=False
TOOLBAR=False
SECRET_KEY=<insert any text here for now>
DATABASE_URL=postgresql://postgres:<insert DB password here>@db:5432/postgres
ALLOWED_HOSTS=<insert full domain name of site here>
LOGLEVEL=INFO
LOGFORMAT=simple
LOGTOFILE=False
SECURE=True
CELERY_BROKER_URL=pyamqp://guest@rabbitmq//
CELERY_RESULT_BACKEND=redis://redis:6379/0
CSRF_TRUSTED_ORIGINS=<insert full URL here (including https://)>
CORS_ALLOWED_ORIGINS=<insert full URL here (including https://)>

Start docker containers:

docker compose up -d

Django:

Make sure you specify an email address when creating the super user. This is the user account that has full access to the roster.

cd /opt/roster
docker compose exec web python manage.py migrate
docker compose exec web python manage.py createsuperuser
docker compose exec web python manage.py collectstatic

Secret key:

Generate secret key:

cd /opt/roster
docker exec -it roster-web-1 bash
python manage.py shell
from django.core.management.utils import get_random_secret_key
get_random_secret_key()
'<secret key will appear here>'
Ctrl-D
exit

Add new secret key to .env_prod_web

Restart docker containers:

docker compose down
docker compose up -d

Nginx:

sudo apt install nginx
sudo systemctl enable nginx.service
sudo touch /etc/nginx/conf.d/<insert full domain name of site here>.conf

Add to /etc/nginx/conf.d/<insert full domain name of site here>.conf:

upstream gunicorn {
    server [::1]:8000;
}
 
server {
 
    listen 80;
    listen [::]:80;
    server_name <insert full domain name of site here>;

    if ( $host !~* ^(<insert full domain name of site here>)$ ) {
    return 444;
    }
 
    location / {
        proxy_bind ::1;
        proxy_pass http://gunicorn;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_redirect off;
    }
 
    location /static/ {
        alias /opt/roster/static/;
    }

}
sudo rm /etc/nginx/sites-enabled/default
sudo nginx -t
sudo systemctl restart nginx.service

Certbot:

This will make nginx SSL only

Install certbot as per https://certbot.eff.org/instructions:

sudo snap install --classic certbot
sudo certbot --nginx

Host System Tuning:

Add the following to the bottom of /etc/sysctl.conf and reboot:

vm.overcommit_memory = 1

Browser:

Navigate to https://<insert_full_domain_name_of_site_here>.

Application:

Log in using the superuser account you created above.

Follow the instructions in the user guide: Roster Wizard User Guide

Private Networks:

If you will be running Roster Wizard on a server in a private network, you may not wish to use DNS and SSL. Please note that if you do not use SSL, passwords will pass over the network unencrypted.

If you do not want to use DNS:

  1. Replace "full domain name of site" with whatever host name you choose.
  2. Add the host name in the hosts file of each workstation that will be accessing Roster Wizard.

If you do not wish to use SSL:

  1. Skip the Certbot installation step.
  2. Edit .env_prod_web and change the setting for SECURE to False.
  3. Restart the docker containers.