gabrielgio.me @ 34803deedc3bd982d868aadf151bfc50db0625c7

ref: Add more content

Add how to set up debug page and set up properly the permission for the
process.
diff --git a/content/posts/2022-07-18-firefly-install.md b/content/posts/2022-07-18-firefly-install.md
index 4dfd008cb3afbed1f50049b9cd97e0b93f3cb2ed..6c7a649bac08db3ca19725e47fa156d62a1fdaa1 100644
--- a/content/posts/2022-07-18-firefly-install.md
+++ b/content/posts/2022-07-18-firefly-install.md
@@ -8,11 +8,11 @@ **Disclaimer:** before starting be aware that I'm not a sysadmin nor I have a
 deep knowledge in security. This is me reporting the steps I did as a learning
 experiment, so take this tutorial as your own risk.
 
-I have a pretty decent knowledge in container tecnology, I maintain several
-container on my local server for many applications. However I've decided to
-take a step back and learn a bit more how those applications are really
-deployed and kept without containers, and first candidate being firefly3[^1]. I
-have it currently running on container but let's install in a disctributions.
+I have a pretty decent knowledge in container technology, I maintain several
+container on my local server for many applications. However I've decided to take
+a step back and learn a bit more how those applications are really deployed and
+kept without containers, and first candidate being Firefly[^1]. I have it
+currently running on container but let's install in a distribution.
 
 For the distro of choice I'll pick alpine, for its small footprint and the use
 of OpenRC (nothing against systemd though).
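
Review bot: The rewritten paragraph still reads "several container" and "currently running on container". Since this hunk is already fixing the spelling in that paragraph, change them to "several containers" and "running in a container", and "let's install in a distribution" reads better as "let's install it on a distribution".
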
@@ -71,9 +71,9 @@     php8-bcmath \
     php8-pgsql
 ```
 
-But that is not everything, I don't If I lack knowledge in the PHP stack but
-the applicatoin will later complain about a lot of missing dependencies, those
-being:
+But that is not everything, I don't know if I lack knowledge in the PHP stack
+but the application will later complain about a lot of missing dependencies,
+those being:
 
 ```shell
 apk add \
@@ -98,6 +98,7 @@
 ```shell
 apk add nginx php8-fpm
 ```
+
 Nginx will act as reverse proxy and php8-fpm will actually run the project. You
 can use lighttpd as well as some others.
 
@@ -171,6 +172,53 @@ ```
 
 To bootstrap the database.
 
+### Permission
+
+Now comes the part where we should be careful. So far we (or at least I) have
+been setting up everything as root but that is not ideal. We want to restrict as
+much as possibly permission to the processes, it should only see do what it
+meant to. So to minimize the effect of the process we will make it run as a user
+with almost no permission, and for purpose we will create a `www-data` user.
+Quite often that user is already create if not run the following command:
+
+```shell
+adduser www-data --disabled-password
+```
+
+Add `--ingroup www-data` if it complains if the groups exists.
+`--disabled-password` so we don't allow login with password, because it is not
+meant to be logged with.
+
+Once the user is created we need to change the which user the process runs one.
+By default it uses a `nobody` which is a user with no permission except those
+which every other user has. Update the user given in the
+`/etc/php8/php-fpm.d/www.conf` file.
+
+From:
+```shell
+user = nobody
+group = nobody
+```
+
+To:
+```shell
+user = www-data
+group = www-data
+```
+
+If the `php-fpm8` is running restart it:
+
+```shell
+rc-service php-fpm8 restart
+```
+
+At last we need to recursively update the permission of www folder because
+probably it is owned by root.
+
+```shell
+chown -R www-data:www-data /var/www/
+```
+
 ### Nginx
 
 We will need to edit the nginx config file to find and run the project, add
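
Review bot: The closing `chown -R www-data:www-data /var/www/` works against the goal stated at the top of the Permission section: it makes the PHP-FPM user the owner of everything under `/var/www/`, application code included, so the process can modify the very files it executes. Consider leaving the code owned by root and readable by `www-data`, and giving `www-data` ownership only of the directories the application has to write to. Two smaller points: the text says `nobody` already has no permission beyond what every user has, so state why a dedicated `www-data` user is preferable, otherwise the switch reads as a no-op; and the `user =` / `group =` snippets are fenced as `shell` although they are php-fpm pool configuration. Wording to fix while here: "as much as possibly", "only see do what it meant to", "for purpose", "already create", "change the which user the process runs one".
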
@@ -181,6 +229,7 @@ server.
 
 ```shell
 # /etc/nginx/http.d/firefly.conf
+
 server {
     listen 8080;
     server_name localhost;
@@ -214,6 +263,25 @@ rc-service nginx start
 ```
 
 `http://localhot:8080/` (or your server's hostname) should be up and running.
+
+And to make autostart:
+```shell
+rc-update add php-fpm8 default
+rc-update add nginx default
+```
+
+## Debugging
+
+In case of error you can add debugging setting to your env file so it will
+nicely return the error.
+
+```ini
+# /var/wwww/firefly/.env
+# ...
+
+APP_DEBUG=true
+APP_LOG_LEVEL=debug
+```
 
 [^1]: https://www.firefly-iii.org/
 [^2]: https://docs.firefly-iii.org/firefly-iii/installation/self_hosted/?mtm_campaign=docu-internal&mtm_kwd=self_hosted
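
Review bot: The Debugging section turns on `APP_DEBUG=true` without saying to turn it off again. As the text puts it, the error is then returned in the response, so anyone who can reach the server on port 8080 sees that detail. Add a sentence telling readers to set it back to `false` and restore the log level once the problem is found. Also, the path comment `# /var/wwww/firefly/.env` has four w's where the chown step uses `/var/www/`, and "And to make autostart:" is missing its object (for example "to make both services start at boot") and the blank line before the fence that the other blocks have.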