Deploy to Rocky Linux 9 - seqcode/pegr GitHub Wiki

  1. Set a FQDN (Fully Qualified Domain Name)
$ hostnamectl set-hostname <hostname>
$ hostname
  1. Update the operating system
$ sudo dnf update
$ sudo reboot
  1. Install Apache server
$ sudo dnf install httpd
$ sudo systemctl enable httpd
$ sudo systemctl start httpd
$ sudo systemctl status httpd
$ sudo firewall-cmd --permanent --add-port=80/tcp
$ sudo firewall-cmd --permanent --add-port=443/tcp
$ sudo firewall-cmd --reload
$ sudo firewall-cmd --list-all

Allow Apache to make outbound connections

$ sudo /usr/sbin/setsebool -P httpd_can_network_connect 1 
  1. Add SSL cert

Get an SSL cert through Let's Encrypt:

  • Install snap
$ sudo dnf install epel-release
$ sudo dnf upgrade
$ sudo yum install snapd
$ sudo systemctl enable --now snapd.socket
$ sudo ln -s /var/lib/snapd/snap /snap
  • Install certbot
$ sudo snap install --classic certbot
$ sudo ln -s /snap/bin/certbot /usr/bin/certbot
$ sudo dnf install mod_ssl

Update /etc/httpd/conf.d/ssl.conf

...
<VirtualHost _default_:443>
...
ProxyRequests Off
ProxyPreserveHost On
 
ProxyPass /pegr http://localhost:8081/pegr
ProxyPassReverse /pegr http://localhost:8081/pegr

RedirectMatch ^/$ /pegr/
...

</VirtualHost>

<VirtualHost *:80>
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*) https://%{HTTP_HOST}$1 [R,L]
</VirtualHost>
$ sudo certbot certonly --apache

Update the paths to the cert and key in /etc/httpd/conf.d/ssl.conf, and restart httpd

$ sudo systemctl restart httpd
  1. Configure CILogon
$ sudo dnf install mod_auth_openidc

Update /etc/httpd/conf.d/ssl.conf

<VirtualHost _default_:443>
...
#LoadModule auth_openidc_module modules/mod_auth_openidc.so
OIDCProviderMetadataURL https://cilogon.org/.well-known/openid-configuration
OIDCScope "openid email profile org.cilogon.userinfo"

OIDCClientID "cilogon:/client_id/xxxxxxxxxx"
OIDCClientSecret "xxxxxxxxxxxx"
OIDCCryptoPassphrase "xxxxxxxxx"

# For debugging/seeing session info; it returns the tokens listed here to the logged-in session. Can be removed for production:
OIDCInfoHook iat access_token access_token_expires id_token userinfo refresh_token session

OIDCRedirectURI https://<hostname>/valid/redirect_uri

<Location /valid>
  AuthType openid-connect
  Require valid-user
</Location>

<Location /sso>
  AuthType openid-connect
  Require valid-user
</Location>

<Location /pegr>
  AuthType openid-connect
  Require valid-user
  OIDCUnAuthAction pass
</Location>
...

</VirtualHost>

Create file /var/www/html/sso/index.html

<!DOCTYPE html>
<html>
    <head>
        <meta charset="utf-8" />
        <meta http-equiv="refresh" content="0; url=/pegr" />
    </head>
    <body>
        <h1>Redirecting</h1>
        <p>If not redirected, please click <a href="/pegr">here</a>.</p>
    </body>
</html>

  1. Install Java
$ sudo dnf install -y java-21-openjdk-devel

  1. Install MariaDB
$ sudo dnf install mariadb-server
$ sudo systemctl start mariadb
$ sudo systemctl status mariadb
$ sudo systemctl enable mariadb

Secure MariaDB by running

$ sudo mysql_secure_installation

The first step asks for the root password, which hasn’t been set so we’ll press ENTER as it recommends. Next, we’ll be prompted to set that root password. Type Y then ENTER to enter a password for the root database user, then follow the prompts. After updating the password, we will accept all the security suggestions that follow by pressing y and then ENTER. This will remove anonymous users, disallow remote root login, remove the test database, and reload the privilege tables.

Create the pegr database and user in MariaDB

$ mysql -u root -p
> CREATE DATABASE pegr;
> CREATE USER 'pegr'@'localhost' IDENTIFIED BY '<MY_PASSWORD>';
> GRANT ALL PRIVILEGES ON pegr.* TO 'pegr'@'localhost';
> FLUSH PRIVILEGES;

Import the database, e.g. the startup database from https://github.com/seqcode/pegr/tree/master/sample_files

$ mysql -u pegr -p pegr < pegr_timeStamp.sql
  1. Deploy PEGR
$ sudo mkdir /usr/local/pegr
$ sudo mkdir /usr/local/pegr/files

Copy pegr.war here and set up the pegr configuration files.

$ sudo nano /usr/local/pegr/pegr-config.properties

Set up the pegr service

$ sudo nano /usr/lib/systemd/system/pegr.service

And add the following

[Unit]
 Description = Java Service
 After=network.target
[Service]
 SyslogIdentifier=pegr
 Type = simple
 SuccessExitStatus=143
 Environment=SPRING_CONFIG_ADDITIONAL_LOCATION=/path/to/pegr-config.properties
 ExecStart = /usr/bin/java -Dserver.port=8081 -Dhttp.proxyPort=80 -Dgrails.env=prod -jar /usr/local/pegr/pegr.war
[Install]
 WantedBy=multi-user.target

Enable the pegr service so that it starts automatically on system boot.

$ sudo systemctl daemon-reload
$ sudo systemctl enable --now pegr.service

Check the status of pegr.

$ sudo systemctl status pegr.service
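
A pre-production check for the CILogon step, added here as an example (it is not part of the PEGR wiki or project): it flags an ssl.conf that is world-readable, still lists token claims in OIDCInfoHook, or still carries the placeholder secrets. The function names and finding labels are made up for this example, and the sample input is constructed.

```shell
# Print the active (uncommented) arguments of an Apache directive.
directive_values() {  # $1 = directive name, $2 = config file
    awk -v d="$1" '$1 == d { $1 = ""; sub(/^ +/, ""); print }' "$2"
}

# Print one finding per line; return 1 if there was any, else 0.
audit_oidc_conf() {
    conf=$1
    findings=0
    # The file holds OIDCClientSecret and OIDCCryptoPassphrase, so it
    # must not be readable by "other".
    if [ -n "$(find "$conf" -perm -004 -print)" ]; then
        echo "PERM: $conf is world-readable"; findings=1
    fi
    # Token claims named in OIDCInfoHook are returned by the info hook.
    hook=" $(directive_values OIDCInfoHook "$conf" | tr '\n' ' ') "
    for tok in access_token id_token refresh_token; do
        case $hook in
            *" $tok "*) echo "INFOHOOK: $tok exposed"; findings=1 ;;
        esac
    done
    # Secrets that are unset or still the all-"x" placeholders.
    for d in OIDCClientSecret OIDCCryptoPassphrase; do
        val=$(directive_values "$d" "$conf" | tr -d '"')
        case $val in
            '')     echo "SECRET: $d is not set"; findings=1 ;;
            *[!x]*) ;;  # contains a non-"x" character: a real value
            *)      echo "SECRET: $d is still a placeholder"; findings=1 ;;
        esac
    done
    return "$findings"
}

# Constructed sample: the OIDC lines as they appear in the wiki text.
write_sample_conf() {  # $1 = output path
    cat > "$1" <<'EOF'
OIDCClientSecret "xxxxxxxxxxxx"
OIDCCryptoPassphrase "xxxxxxxxx"
OIDCInfoHook iat access_token access_token_expires id_token userinfo refresh_token session
EOF
}

# Demo on the constructed sample; on a server, pass the real ssl.conf.
sample=$(mktemp)
write_sample_conf "$sample"
chmod 644 "$sample"
audit_oidc_conf "$sample" || true
rm -f "$sample"
```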