System Maintenance

Architecture

The FIS website (connect.israelscouts.org, connect2.israelscouts.org) is organized as a Drupal multisite: each additional site has a directory sites/subdomain.israelscouts.org, a sibling to sites/default. This setup results in a single CMS codebase and a database for each instance.

Each site has a record configured in CiviCRM’s civicrm_domain table. This setup results in a single, shared CRM codebase and database for all the instances.

For more information on CiviCRM multi-domain setups:

https://docs.civicrm.org/sysadmin/en/latest/install/multi-site/

The default site in this multisite (connect2.israelscouts.org) is a sort of model. It is not in use by any of FIS’s chapters. It is used to propagate settings to other sites in the installation.

Utils for automated maintenance tasks are installed in the dev site.

IMPORTANT: you must configure your user with mysql login-paths. See MySQL in the Configuration Overview below.

Drupal

A Drupal multisite, meaning each chapter has a directory in /sites.

A universally deployable custom configuration has been created for Drupal and CiviCRM: settings.php and civicrm.settings.php, which include instance.settings.php (declares the instance, i.e. the chapter) and sites/default/common.settings.php (used by all chapters).

All of the chapters share a code-base, but do not share a drupal database.

CiviCRM

Not a “multi-site” installation… whatever that means... but a multi-domain, or chapter installation.

Each site has a record configured in CiviCRM’s civicrm_domain table. This setup results in a single, shared CRM codebase and database for all the instances.

All of the drupal multi-sites share the same CiviCRM instance. See above for the drupal configuration for how CiviCRM is configured.

Apache

All sites should redirect to SSL.

Three vhosts configured with wildcard aliases to handle the chapters (sub-domains):

  • *.israelscouts.org -> /var/www/prod.israelscouts.org
  • *-stage.israelscouts.org -> /var/www/stage.israelscouts.org
  • *-dev.israelscouts.org -> /var/www/dev.israelscouts.org

SSL

The challenge with using Let’s Encrypt SSL is that control over DNS is required for Wildcard certificates.

There is a Makefile in /root/fis-certbot-util that will:

  • regenerate three lists, one for each environment, from the configs in the prod htdocs/sites
  • request a certificate for each environment valid for each of the chapter sub-domains.

When a new chapter is added, the old certs should be revoked and deleted using certbot, and new certs generated with the utility.

NOTE: each certificate is named for the first URL provided in the signing request. Therefore, they all start with “almog”.

As of Aug 2018:

The DNS entries are not consistent across environments.

In the procedure below, you will need to remove:

  • chen-stage
  • chen-dev
  • connect2-stage

and also add:

  • dev
  • stage

Procedure:

  • make clean lists
  • edit the lists (prod, dev, stage)
  • make obtain-certs
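
After obtaining new certificates, it is worth confirming that every chapter sub-domain is actually on the certificate for its environment. The script below is an added example, not part of /root/fis-certbot-util; it assumes chapters are the sites/<chapter>.israelscouts.org directories and follows the vhost naming shown above, and the script name check-sans.sh is hypothetical.

```shell
#!/bin/sh
# Added example; NOT the contents of /root/fis-certbot-util.
# Assumption: chapters are the sites/<chapter>.israelscouts.org directories.
BASE=israelscouts.org

# env_names SITES_DIR ENV -> expected hostnames for ENV (prod|stage|dev),
# one per line, sorted in the C locale so comm(1) can consume them.
# sites/default and sites/all never match the glob, so they are ignored.
env_names() {
    for d in "$1"/*."$BASE"; do
        [ -d "$d" ] || continue          # unmatched glob or a plain file
        chapter=$(basename "$d" ".$BASE")
        case "$2" in
            prod) echo "$chapter.$BASE" ;;
            *)    echo "$chapter-$2.$BASE" ;;
        esac
    done | LC_ALL=C sort
}

# cert_sans CERT.pem -> DNS names from the certificate's subjectAltName,
# sorted the same way. Needs OpenSSL 1.1.1 or later for "x509 -ext".
cert_sans() {
    openssl x509 -in "$1" -noout -ext subjectAltName |
        tr ',' '\n' | sed -n 's/^ *DNS://p' | LC_ALL=C sort
}

# missing_names SITES_DIR ENV SANS_FILE -> expected names the cert lacks.
# SANS_FILE holds cert_sans output (one name per line, C-sorted).
missing_names() {
    env_names "$1" "$2" | LC_ALL=C comm -23 - "$3"
}

# Direct use (hypothetical file name): sh check-sans.sh SITES_DIR ENV CERT.pem
if [ "$#" -eq 3 ]; then
    sans=$(mktemp)
    cert_sans "$3" > "$sans"
    missing_names "$1" "$2" "$sans"
    rm -f "$sans"
fi
```

Empty output means the certificate covers every chapter directory for that environment. Names removed from a list by hand during the procedure above will be reported as missing.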

MySQL

Use login-paths to store passwords securely.

The root user is configured for:

mysql --login-path=root

As of this writing, some of the utility scripts expect this login-path to be configured for the current user. Do so for each environment (prod, dev, stage), e.g.

mysql_config_editor set -h localhost --login-path=prod -u fis_prod -p

Instances are indicated by the prefix to the database name

  • fis_prod
  • fis_stage
  • fis_dev

Each chapter has its own Drupal database:

  • fis_prodcms

All chapters share the same CiviCRM Database:

  • fis_prod_crm
  • fis_stage_crm
  • fis_dev_crm