Diary of an IT Architect

Copypastable tutorials I wrote for my reference. You're welcome.

According to their homepage headline, PostgreSQL is the world's most advanced open source relational database. More and more services here at Mimar rely on it, of which perhaps the most popular are GitLab, Synapse and Mattermost. While basic administrative tasks in PostgreSQL can be performed by means of the interactive terminal, psql, most admins will find pgAdmin a better tool for the job. This article gives the exact steps for configuring pgAdmin4 as a web application hosted in an Apache HTTP Server name-based VirtualHost on FreeBSD.


Regarding FreeBSD and RAID, the first thing that comes to mind is surely ZFS and RAIDZ. But in some cases, good old gmirror of UFS partitions can be useful as well, for example when we want to place the OS on a pair of smaller SSDs for speed, while having another set of slower SATA HDDs for ZFS storage. This article shows the exact steps for installing FreeBSD in UEFI mode onto (mostly) UFS partitions residing on a gmirror RAID1.


Uploading websites to their document roots was traditionally done by means of FTP. FTP is an ancient beast which should probably be eradicated from the Internet, mostly because it uses cleartext communication for both authentication (meaning it's trivial to sniff out credentials on the wire) and data transfer (meaning it's prone to MITM attacks). However, a lot of old-school web programmers are used to their FTP clients, such as FileZilla, and are not too eager to learn new stuff. This article explains how to set up a ProFTPD server in SFTP mode listening on a non-standard port, whose clients - virtual users - will be authenticated against a MySQL database and chrooted to their directories. Virtual users won't have local shell access, as opposed to local users who can ssh to the standard port provided by FreeBSD's built-in ssh server, but they will be able to transfer files securely without the need to move away from FileZilla.


Large browser vendors established, quite some time ago, a model of "trusted" web sites based on SSL certificates signed by "trusted" CAs. This trend increasingly spreads to other applications and protocols. This article gives the exact steps needed to obtain Let's Encrypt wildcard certificates from a FreeBSD host, using DNS validation through dynamic updates of a BIND server's zones, performed with EFF's ACME client, certbot.


Most of the OpenBSD systems I am in charge of are deployed in data centres, powered by UPSs which provide them with electrical power during public grid power outages. But there are also a number of OpenBSD systems I administer which are deployed in much less favourable conditions: where frequent power outages last longer than UPS batteries do, or where there are no UPSs at all (such as branch office routers in godforsaken places where having electricity and Internet access at all is considered a lucky circumstance). These latter systems are likely to have a high rate of unclean shutdowns caused by prolonged or unexpected power outages, which in turn increases the probability of their being unable to boot without human intervention. This article describes the steps to make an OpenBSD system more resilient to unexpected power outages by minimising the possibility of inconsistent file systems after unclean shutdowns, which is achieved by mounting all disk partitions in read-only mode. Filesystems which have to be writable - /var, /dev and /tmp - are mounted as writable memory file systems.
