# Production Server Notes

This has the record of what was changed on the on-prem Bookstack server, `rc-bookstack-srcf`:
Setup work was done by Karl, on his Cardinal Protect laptop (hostname `ITS-C02C91G0MD6R`).
The Vault project `projects/uit-rc-bookstack` was previously created via HelpSU RITM00381096: Secret backend, path `secret/projects/uit-rc-bookstack`, workgroup `research-computing:ruthm`, AppRole yes but read-only.
Xueshan originally created a `PLACEHOLDER` entry, which was deleted.
Random 20-character (`pwgen 20 1`) passwords were put into Vault at:

- `projects/uit-rc-bookstack/db`: keys `bookstack` and `root`
- `projects/uit-rc-bookstack/restic`: key `password`
Karl used the Vault web UI, logging in via LDAP, username `akkornel`.
To get the Vault AppRole role ID, Karl used the Vault CLI:

```
ITS-C02C91G0MD6R:~ akkornel(p)$ vault read auth/approle/role/uit-rc-bookstack/role-id
Key        Value
---        -----
role_id    95f61b37-3aa5-af85-bc2b-020a19c849b4
```
The `create-saml-cert.sh` script was used to create the SAML cert. It was uploaded into Vault at `projects/uit-rc-bookstack/saml`, keys `cert` and `key`. The `validUntil` date is `2025-11-29T02:21:50Z`.
The temporary cert (`cert-7982.pem`) and key (`key-7982.pem`) files were wiped using `bcwipe`, after they were loaded into Vault.
To get things going, the Google Cloud Project `srcc-gcp-ruth-will-phs-testing` is being used. The Bucket `bookstack-backups` was created with this configuration:

- Location: us-west1 (Oregon)
- Class: Autoclass (including Coldline and Archive)
- Public access prevention: Enabled
- Access Control: Uniform
- Protection Tools: None
- Encryption: Google-managed

This Service Account was created:

- Name: bookstack-restic
- Description: Bookstack backups using Restic

The JSON key was downloaded to Karl's laptop, then put into Vault at path `projects/uit-rc-bookstack/restic`, key `gcp`. The downloaded JSON file was wiped with `bcwipe`.
The Service Account was given the "Storage Object Admin" role, with this condition:

```json
{
  "expression": "(\n resource.service == \"storage.googleapis.com\" &&\n resource.type == \"storage.googleapis.com/Bucket\" &&\n resource.name == \"projects/_/buckets/bookstack-backups\"\n) || (\n resource.service == \"storage.googleapis.com\" &&\n resource.type == \"storage.googleapis.com/Object\" &&\n resource.name.startsWith(\"projects/_/buckets/bookstack-backups/objects/\")\n)",
  "title": "Limit to bucket bookstack-backups",
  "description": "Limit to bucket bookstack-backups, and its objects"
}
```
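The condition above grants the role on exactly one bucket and the objects inside it; the second clause's prefix ends in `/objects/`, which is what keeps a sibling bucket such as `bookstack-backups-old` out of scope. As an added example (not part of these notes or of the stanford-rc/bookstack repository), the Python below mirrors that condition, places a deliberately looser variant beside it for contrast, and runs both over constructed resource names:

```python
# Added example (not from the notes or the stanford-rc/bookstack repo):
# a Python mirror of the IAM condition above, plus a deliberately looser
# variant, run over constructed resource names to show where the boundary lies.

BUCKET = "bookstack-backups"  # bucket name from the notes
BUCKET_RESOURCE = f"projects/_/buckets/{BUCKET}"
OBJECT_PREFIX = f"{BUCKET_RESOURCE}/objects/"  # note the trailing slash

GCS = "storage.googleapis.com"
BUCKET_TYPE = "storage.googleapis.com/Bucket"
OBJECT_TYPE = "storage.googleapis.com/Object"


def condition_allows(service: str, rtype: str, name: str) -> bool:
    """Evaluate the binding condition as written in the notes.

    Clause 1 matches the bucket itself by exact resource name; clause 2
    matches objects by prefix. Because the prefix ends in "/objects/", an
    object in a bucket whose name merely starts with "bookstack-backups"
    (for example "bookstack-backups-old") does not match.
    """
    if service != GCS:
        return False
    if rtype == BUCKET_TYPE:
        return name == BUCKET_RESOURCE
    if rtype == OBJECT_TYPE:
        return name.startswith(OBJECT_PREFIX)
    return False


def loose_condition_allows(service: str, rtype: str, name: str) -> bool:
    """A tempting but over-broad variant (constructed here for contrast):
    startsWith on the bare bucket resource for both buckets and objects."""
    if service != GCS:
        return False
    if rtype in (BUCKET_TYPE, OBJECT_TYPE):
        return name.startswith(BUCKET_RESOURCE)
    return False


# Constructed resource names: the intended bucket, a sibling bucket that
# shares the name prefix, and a resource from a different service.
CASES = {
    "own bucket": (GCS, BUCKET_TYPE, BUCKET_RESOURCE),
    "own object": (GCS, OBJECT_TYPE, f"{OBJECT_PREFIX}snapshots/2024/abc"),
    "sibling bucket": (GCS, BUCKET_TYPE, f"{BUCKET_RESOURCE}-old"),
    "sibling object": (GCS, OBJECT_TYPE, f"{BUCKET_RESOURCE}-old/objects/x"),
    "other service": ("compute.googleapis.com",
                      "compute.googleapis.com/Instance", BUCKET_RESOURCE),
}


def evaluate(check=condition_allows) -> dict:
    """Run every constructed case through the given condition function."""
    return {label: check(*args) for label, args in CASES.items()}


if __name__ == "__main__":
    strict = evaluate(condition_allows)
    loose = evaluate(loose_condition_allows)
    for label in CASES:
        print(f"{label:15} strict={strict[label]!s:5} loose={loose[label]!s:5}")
```

Running it shows the strict condition allowing only the two "own" cases, while the loose variant also admits the sibling bucket and its objects, which is the over-grant the trailing slash in the real condition prevents.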
```bash
curl -LO https://github.com/stanford-rc/bookstack/raw/main/create-lxc.sh
chmod a+x create-lxc.sh
export BOOKSTACK_NAME=rc-bookstack-srcf
export ACCEPT_LETS_ENCRYPT_TOS=yes
export [email protected]
export GIT_REPO=https://github.com/stanford-rc/bookstack.git
export GIT_COMMIT=main
export VAULT_ADDR=https://vault.stanford.edu
export VAULT_APPID=95f61b37-3aa5-af85-bc2b-020a19c849b4
export VAULT_MOUNT=secret
export VAULT_BASE=projects/uit-rc-bookstack
export GOOGLE_PROJECT_ID=srcc-gcp-ruth-will-phs-testing
export GOOGLE_RESTIC_BUCKET=bookstack-backups
export QUIET=1
./create-lxc.sh
```
The output:

```
Using Bookstack name rc-bookstack-srcf
Accepted Let's Encrypt ToS
Using Let's Encrypt contact email [email protected]
Using Vault Address https://vault.stanford.edu
Using Vault AppRole ID 95f61b37-3aa5-af85-bc2b-020a19c849b4
Using Vault Key-Value Secrets Engine mount point secret
Using base path for Vault Secrets projects/uit-rc-bookstack
Using Google Cloud project ID srcc-gcp-ruth-will-phs-testing
Using Google Cloud project ID bookstack-backups
Using Git Repo URL https://github.com/stanford-rc/bookstack.git
Using Git commit ID/tag/branch main
Creating LXD container rc-bookstack-srcf...
Creating rc-bookstack-srcf
MAC address for rc-bookstack-srcf.stanford.edu is 00:16:3e:04:af:2a
Now create your NetDB Node, and wait for DHCP to update.
Once DHCP is updated, run:
* `lxc start rc-bookstack-srcf` to start the container
* `lxc shell rc-bookstack-srcf` to get a shell
Once in the shell, wait for the file `/cloud_init_complete` to appear.
You can then access /root/repo and run the next scripts!
```
After that, there was a delay until NetDB picked up the new MAC address.
On Karl's laptop, using the Vault CLI, the AppRole secret was obtained with the command `vault write -field=secret_id auth/approle/role/uit-rc-bookstack/secret-id ttl=1h`.
In the VM, the secrets were fetched from Vault:

```
root@rc-bookstack-srcf:~# ./repo/fetch-vault.sh
Using Vault server address https://vault.stanford.edu
Using Vault AppRole Role ID 95f61b37-3aa5-af85-bc2b-020a19c849b4
Using Vault Key-Value Secrets Engine mounted at secret
Using base path projects/uit-rc-bookstack
Please enter the Vault AppRole's Secret ID: XXXXXXXXXXXXXXX
Use Secret ID XXXXXXXXXXXXXXX [y/n]? y
Will write SAML cert to /run/bookstack/sp_cert.pem
Will write SAML key to /run/bookstack/sp_key.pem
Will write MariaDB root password to /run/bookstack/db-root
Will write Bookstack DB password to /run/bookstack/db-bookstack
Will write Restic repository password to /run/bookstack/restic-password
Will write Restic GCP service account JSON to /run/bookstack/restic-gcp.json
```
The stack was started with standard authentication using `cd ~/repo` and `BOOKSTACK_AUTH_METHOD=standard docker-compose up`. After a few minutes, Karl could log in to https://rc-bookstack-srcf.stanford.edu with default (static) credentials.
The stack was stopped, and restarted in SAML2 mode with `BOOKSTACK_AUTH_METHOD=saml2 docker-compose up`. Metadata was downloaded from https://rc-bookstack-srcf.stanford.edu/saml2/metadata, for loading into the SPDB.

An SPDB entry was set up with this configuration:

- Entity ID (from the metadata): https://rc-bookstack-srcf.stanford.edu
- Contact: srcc-support
- Login URL: https://srcc-bookstack-srcf.stanford.edu/saml2/login
- Owning Workgroups: research-computing:ruthm
- Description: RC Bookstack
- Send Workgroups: `research-computing:bookstack`, `research-computing:bookstack-rc`, `research-computing:bookstack-admins`

Also, the metadata's `validUntil` date was changed to `2025-11-29T02:21:50Z`.
It took around half an hour for the changes to fully propagate throughout Stanford Login.
Once Karl could log in to Bookstack, the stack was stopped again, and restarted in Standard auth mode with `BOOKSTACK_AUTH_METHOD=standard docker-compose up`. Karl was added to the Admin group, and the stack was again shut down and restarted into SAML mode with `BOOKSTACK_AUTH_METHOD=saml2 docker-compose up -d`. `/etc/environment` was also updated to set `BOOKSTACK_AUTH_METHOD=saml2`.