Deployment

Provision a Server

Setup a VPS running Debian Buster (10.x) with any cloud provider (e.g. Amazon, Google, Microsoft, DigitalOcean).
- Note: this documentation assumes that you use DigitalOcean.
- Make a note of your server's IP address.
Add an A record from the desired domain to the static IP address.
Use an SSH Key instead of a password. Disable passwords for the server. This is very important for security.
1. Generate an SSH Key on your local machine:
```
$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/username/.ssh/id_rsa): .ssh/cmulab_key
...
```
  - Use a passphrase if possible. Do not lose this passphrase, otherwise you will lose access to the server.
2. Transfer the SSH Key to the server:
```
$ ssh-copy-id -i ~/.ssh/cmulab_key.pub user@host
```
3. Test logging into the server with the new key.
```
$ ssh -i ~/.ssh/cmulab_key user@host
```
  - If you receive an UNPROTECTED PRIVATE KEY FILE error, run
```
$ sudo chmod 600 ~/.ssh/cmulab_key
$ sudo chmod 600 ~/.ssh/cmulab_key.pub
```
4. Disable logging in without password.
  1. While logged into the server, edit the /etc/ssh/sshd_config file.
```
$ sudo nano /etc/ssh/sshd_config
```
  2. Find the line PasswordAuthentication and set it to no.
```
PasswordAuthentication no
```
  3. Restart the ssh service.
```
$ sudo systemctl restart ssh
```

Setup Prerequisites

Log into the server and install curl

$ sudo apt-get update
$ sudo apt-get install curl

Install Node.js.

$ curl -sL https://deb.nodesource.com/setup_13.x | bash -
$ sudo apt-get install -y nodejs

Install MongoDB.

Import the public key used by the package management system.

$ wget -qO - https://www.mongodb.org/static/pgp/server-4.2.asc | sudo apt-key add -

Create a /etc/apt/sources.list.d/mongodb-org-4.2.list file for MongoDB.

$ echo "deb http://repo.mongodb.org/apt/debian buster/mongodb-org/4.2 main" | sudo tee /etc/apt/sources.list.d/mongodb-org-4.2.list

Reload local package database.
```
$ sudo apt-get update
```
Install the MongoDB packages.
```
$ sudo apt-get install -y mongodb-org
```

Start MongoDB Server

$ sudo systemctl start mongod

You may verify that the server is actually running by executing the following:

$ mongo --eval 'db.runCommand({ connectionStatus: 1})'
MongoDB shell version vx.x.x
connecting to: mongodb://127.0.0.1:27017
MongoDB server version: x.x.x
{
   "authInfo" : {
       "authenticatedUsers" : [ ],
       "authenticatedUserRoles" : [ ]
   },
   "ok" : 1
}

Obtain Google OAuth Information
1. Obtain OAuth 2.0 credentials from the Google API Console.
  1. Go to credentials and create a project.
  2. Create credentials for OAuth Client ID.
    1. Configure the consent screen for external users, with the name "CMULab".
      1. Add domain to your authorized domains, replacing domain with your server's domain.
    2. Set the Application Type to Web Application.
    3. Set the Authorized redirect URIs to https://domain/login/callback, replacing domain with your server's domain.
  - Keep a note of the Client ID and Client Secret. You will need these for later, but they must be kept secure.

Setup CMULab

Clone the CMULab repository.

$ sudo apt-get install git
$ git clone https://github.com/QuantumStack/CMULab
$ cd CMULab/server

Fill in server/.env with $ nano .env.
- Set NODE_ENV=production
- Set CMULAB_DATABASE="mongodb://127.0.0.1:27017/cmulab”
- Set CMULAB_LOC="your_server_address"
  - For example, if your server was located at http://cmulab.com, set CMULAB_LOC="http://cmulab.com.
- Set CMULAB_GOOGLE_ID equal to the Client ID you obtained previously.
- Set CMULAB_GOOGLE_SECRET equal to the Client Secret you obtained previously.
- Set SESSION_SECRET equal to a randomly generated 25 character string.
  - Make sure that this is generated in a cryptographically secure manner.
Install necessary npm packages.
```
$ npm install
$ npm start
```
- You may verify that everything is working upto this point by going to your domain with port 3000.
  - Again, if your address is http://cmulab.com, go to http://cmulab.com:3000.
- If the server is working, you may exit the npm start command.
Setup PM2.
1. Install through npm
```
$ npm install pm2 -g
```
2. Start the server through pm2
```
$ pm2 start --name CMULab ./bin/www
```
3. Verify that the server is running.
  - Verify through the terminal
```
$ pm2 status
```
    - If the server appears to be restarting itself, take a note of the PM2 ID for CMULab and run
      $ pm2 logs [id]
  - Verify by accessing http://your_domain:3000 in your web browser.
4. Make pm2 run when the server starts up.
```
$ sudo pm2 startup
$ sudo systemctl start pm2-root
```

Setup Nginx as a reverse proxy.

Install Nginx.
1. Install Nginx Package.
```
$ sudo apt-get update
$ sudo apt-get install nginx
```
2. Setup firewall around Nginx.
```
$ sudo apt-get install ufw
$ sudo ufw allow 'Nginx Full'
```
3. Verify that Nginx is running.
  1. Check system service status.
```
$ sudo systemctl status nginx
```
    - If this is stopped or not running, start it by running
      $ sudo systemctl start nginx
  2. Access the Nginx landing page in your web browser.
    - You may do this by accessing the URL (e.g. http://your_server_url)

Run proxy to Node server.

Create a Nginx site replacing your_domain with your URL.
```
$ sudo nano /etc/nginx/sites-available/your_domain
```

Add the following content to the file.

server {
        listen 80;
        listen [::]:80;

        server_name your_domain;

        location / {
           proxy_pass http://localhost:3000;
           proxy_http_version 1.1;
           proxy_set_header Upgrade $http_upgrade;
           proxy_set_header Connection 'upgrade';
           proxy_set_header Host $host;
           proxy_cache_bypass $http_upgrade;
       }
}

Link the file to enabled sites replacing your_domain with your domain.

$ sudo ln -s /etc/nginx/sites-available/your_domain /etc/nginx/sites-enabled/

Verify that you didn't introduce any syntax errors.
```
$ sudo nginx -t
```
Restart Nginx.
```
$ sudo systemctl restart nginx
```
Verify that the reverse proxy is working by accessing your domain in your browser: http://your_domain.

Secure the server with Let's Encrypt.
1. Install certbot.
  1. Update your package repositories.
```
$ sudo apt-get update
```
  2. Install dependencies.
```
$ sudo apt-get install \
    python3-acme \
    python3-certbot \
    python3-mock \
    python3-openssl \
    python3-pkg-resources \
    python3-pyparsing \
    python3-zope.interface
```
  3. Install certbot.
```
$ sudo apt install python3-certbot-nginx
```
2. Obtain your SSL Certificate replacing your_domain with your server's URL.
```
$ sudo certbot --nginx -d your_domain
```
  - When prompted to redirect HTTP traffic to HTTPS, select the redirect option.
3. Edit CMULAB_LOC in .env to be https instead of http.
4. Try accessing your server through https://your_domain.

Configuring CMULab

Add yourself to the database replacing andrew_id with your Andrew ID.

$ mongo cmulab
> db.users.insert({"_id": "andrew_id", "admin": true});

Edit config.json
- Set emailDomain to be andrew.cmu.edu, or set to whatever email domain you are using.
- Leave the rest untouched as you can edit them inside the server.
Restart the server through pm2
```
$ pm2 restart [id]
```
Login to the server by clicking on Admin Console and logging in with the Google account corresponding to the email domain you used earlier.
Add remaining TAs through the TA page.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

DEPLOYMENT.md

DEPLOYMENT.md

Deployment

Provision a Server

Setup Prerequisites

Setup CMULab

Configuring CMULab

Files

DEPLOYMENT.md

Latest commit

History

DEPLOYMENT.md

File metadata and controls

Deployment

Provision a Server

Setup Prerequisites

Setup CMULab

Configuring CMULab