2021 October 5
Created an Amazon AWS S3 bucket, arn:aws:s3:::scanalyst-backups, in the EU (London) eu-west-2 region.
    AWS Region:     EU (London) eu-west-2
    Resource name:  arn:aws:s3:::scanalyst-backups
    Permissions:    Not public

Obtained access key and secret password from AWS console:
    Selected (account name)/My Security Credentials from top bar.
    Clicked Users in left bar.
    Clicked user kelvin.
    Selected "Security credentials" tab.
    Access keys shows the one for the Fourmilab backup bucket.
    Clicked "Create access key":
        Access key ID:      REDACTED
        Secret access key:  REDACTED
        CSV:
            Access key ID,Secret access key
            REDACTED,REDACTED

In Discourse Admin/Settings/Files:
    s3 access key id:      REDACTED
    s3 secret access key:  REDACTED
    s3 region:             EU (London)
    Do *not* set "s3 upload bucket". This is for directing uploaded files to S3 as opposed to local storage. You do not want this, and if you set it, you cannot store backups there.

In Discourse Admin/Settings/Backups:
    backup location:     S3
    backup frequency:    1
    s3 backup bucket:    scanalyst-backups
    backup time of day:  4:17

Ran a manual backup. It completed OK and the file showed up in the S3 bucket as default/scanalyst-2021-10-05-110356-v20210922064213.tar.gz. We'll see if regular nightly backups run as scheduled.

Set Admin/Security force_https on. This is supposed to promote http: URLs from users to https:. It appears to be working.

Installed a copy of Bacula from AWS into /server/src/bacula, and created the /server/bin/bacula directory into which it will be installed.

Built and installed the Bacula file daemon. Since the daemon is entirely configured from its configuration file, no parameters need be set on the build.

Created a configuration file, /server/bin/bacula/bacula-5.2.10/etc/bacula-fd.conf, adapting the one from AWS for our client name, Scanalyst.

Installed the /server/init files, bacula and functions, needed to control the daemon.

Started the Bacula file daemon:
    /server/init/bacula start
and verified it is running.

Updated the Bacula director configuration on Pallas to replace the retired Ratburger client definition with one for Scanalyst, retaining its scheduled full backup day of the 20th of the month. Added an entry for "scanalyst" to /etc/hosts. Tested with client status query and it looks fine.

Added Scanalyst_AWS_Server to the firewall Hosts list and to the "Bacula for Remote Servers" rule so that the Bacula File Daemon on Scanalyst can send data to the Storage Daemon on Pallas.

Started a full backup from Pallas. Full backup completed successfully in 41 minutes, 9.53 Gb written.

Created a ~/Scanalyst_Backup on Juno based upon its analogue for Ratburger. Ran initial full RSYNC backups of Server and / partitions. The ./Backup_all script in this directory can be used to update incremental backups.

In order to enable DKIM (DomainKeys Identified Mail), a message signing scheme which guards against man-in-the-middle attacks, according to the directions in:
    https://docs.aws.amazon.com/ses/latest/DeveloperGuide/send-email-authentication-dkim-easy-setup-domain.html
I set up Easy DKIM for the entire fourmilab.ch domain as follows.

On the page:
    https://console.aws.amazon.com/ses/home?region=us-east-1#verified-senders-domain:
I clicked "Verify a New Domain", which generated the following records to be inserted in the fourmilab.ch DNS:

    "Domain verification record set:"
    "Record name","Record type","Record Value"
    "_amazonses.fourmilab.ch","TXT","REDACTED"

    "Alternate domain verification record:"
    "Record name","Record type","Record Value"
    "fourmilab.ch","TXT","amazonses:REDACTED"

    "DKIM record set:"
    "Record name","Record type","Record Value"
    "REDACTED._domainkey.fourmilab.ch","CNAME","REDACTED.dkim.amazonses.com"
    "REDACTED._domainkey.fourmilab.ch","CNAME","REDACTED.dkim.amazonses.com"
    "REDACTED._domainkey.fourmilab.ch","CNAME","REDACTED.dkim.amazonses.com"

(Sent as CSV: enter as regular DNS declarations in Route 53.)
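
One way to turn a CSV in the layout above into a Route 53 change batch (the JSON that `aws route53 change-resource-record-sets --change-batch` accepts) instead of typing the records in by hand; this is an added example, not part of the original log. The domain, selectors, tokens and the TTL of 1800 are constructed placeholders, and the default CREATE action is an assumption chosen so that an existing record set, such as a TXT record at the domain apex, is rejected rather than overwritten.

```python
import csv
import io
import json

# Constructed sample in the layout shown in the log; every value is a placeholder.
SAMPLE_CSV = '''"Domain verification record set:"
"Record name","Record type","Record Value"
"_amazonses.example.org","TXT","PLACEHOLDER-VERIFICATION-TOKEN"
"Alternate domain verification record:"
"Record name","Record type","Record Value"
"example.org","TXT","amazonses:PLACEHOLDER-VERIFICATION-TOKEN"
"DKIM record set:"
"Record name","Record type","Record Value"
"selector1._domainkey.example.org","CNAME","selector1.dkim.amazonses.com"
"selector2._domainkey.example.org","CNAME","selector2.dkim.amazonses.com"
"selector3._domainkey.example.org","CNAME","selector3.dkim.amazonses.com"
'''

ALLOWED_TYPES = {"TXT", "CNAME"}  # the only types this CSV should ever contain

def parse_ses_csv(text):
    """Return (name, type, value) tuples, skipping section titles and headers."""
    records = []
    for row in csv.reader(io.StringIO(text)):
        row = [cell.strip() for cell in row]
        if len(row) != 3 or row[0].lower() == "record name":
            continue  # blank line, one-cell section title, or column header
        name, rtype, value = row
        if rtype.upper() not in ALLOWED_TYPES:
            raise ValueError(f"unexpected record type {rtype!r} for {name}")
        records.append((name.rstrip(".") + ".", rtype.upper(), value))
    return records

def to_change_batch(records, ttl=1800, action="CREATE"):
    """Group by (name, type): Route 53 holds all values for a name/type in one record set."""
    grouped = {}
    for name, rtype, value in records:
        if rtype == "TXT":  # Route 53 expects TXT values wrapped in double quotes
            value = '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'
        grouped.setdefault((name, rtype), []).append({"Value": value})
    changes = [{"Action": action,
                "ResourceRecordSet": {"Name": n, "Type": t, "TTL": ttl,
                                      "ResourceRecords": values}}
               for (n, t), values in grouped.items()]
    return {"Comment": "SES domain verification and Easy DKIM", "Changes": changes}

if __name__ == "__main__":
    print(json.dumps(to_change_batch(parse_ses_csv(SAMPLE_CSV)), indent=2))
```

If the batch is rejected because a record set already exists, merge the new value into the existing set by hand rather than switching to UPSERT, which replaces every value in the set.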

After you add the DNS records, you wait for your domain to change from "Pending verification" to "Verified" for both the main domain verification and DKIM.

Now it should be sending DKIM. Let's see. Yes, mail-tester.com reports:
    Your DKIM signature is valid
        Message has at least one valid DKIM or DK signature
        Message has a valid DKIM or DK signature from author's domain
        Message has a valid DKIM or DK signature from envelope-from domain

Terminated the original instance, i-082d04418d82bcfa1, which was accidentally created in Availability Zone eu-central-1a and without IPv6 and retired when we moved over to the current instance in eu-central-1b. Deleted its volumes:
    /        vol-02ccb8d0ba2bd3ef9
    /server  vol-0057760635b5e0129
At this time all volumes are assigned to (not necessarily running) instances.

Added a CloudWatch dashboard for Scanalyst CPU Balance and usage. Added an alarm for Scanalyst CPU balance falling below 250.