Add Debian setup document

README.md

@@ -63,6 +63,8 @@ ## Requirements
 
 ## Installation (using command line)
 
+➡️ [Set it up on Debian](docs/debian-setup.md)
+
 ### Clone the repo
 
 ```sh

docs/debian-setup.md

@@ -0,0 +1,233 @@
+# Debian Setup
+
+This applies to Debian Buster, but similar instructions should apply for other Debian versions.
+
+## What we will do
+
+- We will use PHP 7.3
+- We will use version v2.1.0 of 2fauth
+- We will setup to use an Sqlite database
+- We will use Nginx and PHP-FPM to serve our site on port `8000`
+- We will run all this as user `www-data` without root
+
+## Install dependencies
+
+1. Update your apt repository list:
+
+    ```bash
+    apt-get update
+    ```
+
+1. Install the following packages:
+
+    ```bash
+    apt-get install -y --no-install-recommends \
+    php7.3 \
+    php7.3-sqlite3 php7.3-mysql \
+    php-xml php7.3-gd php7.3-mbstring \
+    unzip wget ca-certificates \
+    php7.3-fpm nginx
+    ```
+
+## Download the code
+
+Let's place 2fauth's code in `/srv`:
+
+```bash
+mkdir -p /srv
+VERSION=v2.1.0
+wget -qO- "https://github.com/Bubka/2FAuth/archive/refs/tags/${VERSION}.tar.gz" | \
+    tar -xz --strip-components=1 -C /srv
+```
+
+## Nginx configuration
+
+Set your Nginx configuration in `/etc/nginx/nginx.conf` as:
+
+```nginx
+events {}
+http {
+  include mime.types;
+
+  access_log /dev/stdout;
+  error_log /dev/stderr;
+
+  server {
+      listen 8000;
+      server_name 2fAuth;
+      root /srv/public;
+
+      index index.php;
+
+      charset utf-8;
+
+      location / {
+          try_files $uri $uri/ /index.php?$query_string;
+      }
+
+      location = /favicon.ico { access_log off; log_not_found off; }
+      location = /robots.txt  { access_log off; log_not_found off; }
+
+      error_page 404 /index.php;
+
+      location ~ \.php$ {
+          fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
+          fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
+          include fastcgi_params;
+      }
+
+      location ~ /\.(?!well-known).* {
+          deny all;
+      }
+  }
+}
+```
+
+You can verify the Nginx configuration is valid with:
+
+```bash
+nginx -t
+```
+
+## Install composer
+
+Download the latest stable composer:
+
+```bash
+wget -qO /usr/local/bin/composer https://getcomposer.org/download/latest-stable/composer.phar
+chmod 500 /usr/local/bin/composer
+```
+
+## Install supervisord
+
+[Supervisord](https://github.com/ochinchina/supervisord) will be used to manage both Nginx and PHP-FPM.
+
+1. Install it with:
+
+    ```bash
+    VERSION=0.7.3
+    wget -qO- "https://github.com/ochinchina/supervisord/releases/download/v${VERSION}/supervisord_${VERSION}_Linux_64-bit.tar.gz" | \
+        tar -xz --strip-components=1 -C /tmp/ "supervisord_${VERSION}_Linux_64-bit/supervisord_static"
+    chmod 500 /tmp/supervisord_static
+    mv /tmp/supervisord_static /usr/local/bin/supervisord
+    ```
+
+1. Set its configuration in `/etc/supervisor/supervisord.conf` as:
+
+    ```ini
+    [supervisord]
+    nodaemon=true
+    pidfile=/run/supervisord.pid
+    loglevel=info
+
+    [program-default]
+    stdout_logfile=/dev/stdout
+    stdout_logfile_maxbytes=0
+    stderr_logfile=/dev/stderr
+    stderr_logfile_maxbytes=0
+    autorestart=false
+    startretries=0
+
+    [program:php-fpm]
+    command=/usr/sbin/php-fpm7.3 -F
+
+    [program:nginx]
+    command=/usr/sbin/nginx -g 'daemon off;'
+    depends_on=php-fpm
+    ```
+
+## Fix ownership and permissions for `www-data`
+
+1. Let's fix the ownership and permissions for existing files:
+
+    ```bash
+    chown -R www-data \
+      /var/lib/nginx/ \
+      /var/log/nginx \
+      /srv \
+      /usr/local/bin/composer \
+      /usr/local/bin/supervisord \
+      /etc/supervisor/supervisord.conf
+    chmod 700 /srv
+    ```
+
+1. Let's pre-create some directories and files with the right ownership and permissions:
+
+    ```bash
+    mkdir -p /run/php /www/data/.composer
+    touch /run/nginx.pid /var/log/php7.3-fpm.log
+    chown -R www-data \
+      /var/log/php7.3-fpm.log \
+      /run/nginx.pid \
+      /run/php \
+      /www/data/.composer
+    chmod 700 /run/php /www/data/.composer
+    chmod 600 /var/log/php7.3-fpm.log
+    ```
+
+## Change user
+
+Let's run the final commands as `www-data`:
+
+```bash
+su -l www-data -s /bin/bash
+```
+
+## Install composer dependencies
+
+```bash
+cd /srv
+composer install --prefer-dist --no-scripts --no-dev --no-autoloader
+composer dump-autoload --no-scripts --no-dev --optimize
+```
+
+## Create an SQlite database
+
+```bash
+touch /srv/database/database.sqlite
+chmod 700 /srv/database/database.sqlite
+```
+
+## Customize .env file
+
+Use the `/srv/.env.example` file as a template and rename it to `.env`.
+
+```bash
+mv /srv/.env.example /srv/.env
+```
+
+Make sure you modify:
+
+- `DB_DATABASE` to be `/srv/database/database.sqlite`
+
+## Run 2fauth installation steps
+
+```bash
+php artisan migrate:refresh
+php artisan passport:install
+php artisan storage:link
+php artisan config:cache
+```
+
+## Run supervisord
+
+```bash
+supervisord
+```
+
+Now you can access your site at `http://localhost:8000`
+
+You can also run `supervisord -d` to run it as a daemon.
+
+## Upgrade
+
+1. Stop `supervisord`
+1. Update the source code in `/srv`. ⚠️ do not change the `/srv/storage` directory nor your `/srv/database/database.sqlite` file.
+1. Run the following commands:
+
+    ```bash
+    php artisan migrate
+    php artisan config:clear
+    ```
+
+1. Run `supervisord` again