Development Log: 2021-10-05

2021 October 5

Created an Amazon AWS S3 bucket, arn:aws:s3:::scanalyst-backups, in
the EU (London) eu-west-2 region.
    AWS Region:     EU (London) eu-west-2
    Resource name:  arn:aws:s3:::scanalyst-backups
    Permissions:    Not public
Obtained access key and secret password from AWS console:
    Selected (account name)/My Security Credentials from top bar.
    Clicked Users in left bar.
    Clicked user kelvin.
    Selected "Security credentials" tab.  Access keys shows the one
        for the Fourmilab backup bucket.
    Clicked "Create access key:
        Access key ID:      REDACTED 
        Secret access key:  REDACTED
        CSV:    Access key ID,Secret access key

In Discourse Admin/Settings/Files:
    s3 access key id:       REDACTED
    s3 secret access key:   REDACTED
    s3 region:              EU (London)
Do *not* set "s3 upload bucket.  This is for directing uploaded files
to S3 as opposed to local storage.  You do not want this, and if you
set it, you cannot store backups there.

In Discourse Admin/Settings/Backups:
    backup location:        S3
    backup frequency:       1
    s3 backup bucket:       scanalyst-backups
    backup time of day:     4:17

Ran a manual backup.  It completed OK and the file showed up in the S3
bucket as default/scanalyst-2021-10-05-110356-v20210922064213.tar.gz.

We'll see if regular nightly backups run as scheduled.

Set Admin/Security force_https on.  This is supposed to promote http:
URLs from users to https:.  It appears to be working.

Installed a copy of Bacula from AWS into /server/src/bacula, and
created the /server/bin/bacula directory into which it will be
installed.  Built and installed the Bacula file daemon.  Since the
daemon is entirely configured from its configuration file, no
parameters need be set on the build.

Created a configuration file, /server/bin/bacula/bacula-5.2.10/etc/bacula-fd.conf,
adapting the one from AWS for our client name, Scanalyst.

Installed the /server/init files, bacula and functions, needed to
control the daemon.

Started the Bacula file daemon:
    /server/init/bacula start
and verified it is running.

Updated the Bacula director configuration on Pallas to replace the
retired Ratburger client definition with one for Scanalyst, retaining
its scheduled full backup day of the 20th of the month.  Added an
entry for "scanalyst" to /etc/hosts.  Tested with client status
query and it looks fine.

Added Scanalyst_AWS_Server to the firewall Hosts list and to the
"Bacula for Remote Servers" rule so that the Bacula File Daemon
on Scanalyst can send data to the Storage Daemon on Pallas.

Started a full backup from Pallas.
Full backup completed successfully in 41 minutes, 9.53 Gb written.

Created a ~/Scanalyst_Backup on Juno based upon its analogue for
Ratburger.  Ran initial full RSYNC backups of Server and / partitions.
The ./Backup_all script in this directory can be used to update
incremental backups.

In order to enable DKIM (DomainKeys Identified Mail) a message signing
scheme which guards against main in the middle attacks, according to
the directions in:
I set up Easy DKIM for the entire domain as follows.  On
the page:
I clicked "Verify a New Domain", which generated the following records
to be inserted in the DNS:
    "Domain verification record set:"
    "Record name","Record type","Record Value"

    "Alternate domain verification record:"
    "Record name","Record type","Record Value"

    "DKIM record set:"
    "Record name","Record type","Record Value"
(Sent as CSV: enter as regular DNS declarations in Route 53.)  After you
add the DNS records, you wait for your domain to change from "Pending
verification" to "Verified" for both the main domain verification and
DKIM.  Now it should be sending DKIM.  Let's see.

Yes, reports:
    Your DKIM signature is valid
        Message has at least one valid DKIM or DK signature
        Message has a valid DKIM or DK signature from author's domain
        Message has a valid DKIM or DK signature from envelope-from domain

Terminated the original instance, i-082d04418d82bcfa1, which was
accidentally created in Availability Zone eu-central-1a and without IPv6
and retired when we moved over to the current instance in eu-central-1b.
Deleted its volumes:
    /       vol-02ccb8d0ba2bd3ef9
    /server vol-0057760635b5e0129
At this time all volumes are assigned to (not necessarily running)

Added a CloudWatch dashboard for Scanalyst CPU Balance and usage.
Added an alarm for Scanalyst CPU balance falling below 250.