fabrice/scripts-fabq

Fork 0

Fabrice Quenneville d1767e7409 Added docs to install dolibarr and minor updates to other setups

2026-01-02 00:16:41 -05:00

21 KiB

Raw Blame History

Installing Dolibarr on Debian

Installing Dolibarr on Debian

Introduction

Welcome to the installation guide for Dolibarr on Debian. Dolibarr is an open-source ERP and CRM platform designed for small and medium-sized businesses, offering features such as invoicing, accounting, inventory management, and customer relationship management through a clean, web-based interface. By following this guide, you’ll be able to install and configure Dolibarr on your Debian system efficiently.

Why Dolibarr?

Dolibarr is a flexible and open-source ERP/CRM solution that allows you to keep full control over your business data and infrastructure. It covers a wide range of needs for small and medium-sized organizations, including invoicing, accounting, customer management, inventory, and project tracking, all from a single web interface. Being self-hosted, Dolibarr gives you data ownership, transparency, and the ability to customize or extend the platform to fit your workflows without relying on third-party SaaS providers.

Prerequisites

Before you begin the installation process, ensure that your Debian system meets the following requirements:

Debian GNU/Linux 9 (Stretch) or later
Access to a terminal with sudo privileges
Basic familiarity with the command line interface
Stable internet connection to download necessary packages

What This Guide Covers

This guide will walk you through the installation of Dolibarr on Debian step by step, covering:

Installation: Installing Dolibarr from the official Git repository.
Configuration: Adjusting Dolibarr and system settings to match your environment.
Web Setup: Configuring Dolibarr with Apache and accessing the web installer.
Security: Hardening Debian, PHP, and Dolibarr for a production setup.

Placeholders

Replace the placeholders below with the appropriate values for your setup:

User Details
- Username: <username> (e.g., admin)
- Username - Hypervisor: <username-hypervisor> (e.g., admin)
Server Configuration
- Server IP address: <server-ip-address> (e.g., 192.168.1.100)
- Hostname - Intranet: <hostname-intranet> (e.g., dolibarr-server.domain.com)
- Hostname - Internet: <hostname-internet> (e.g., dolibarr.domain.com)
- Hostname - Hypervisor: <hostname-hypervisor> (e.g., proxmox-hypervisor.domain.com)
- Hostname - Hypervisor NAS: <hostname-hypervisor-nas> (e.g., nas-server.domain.com)
- Name - Hypervisor NAS: <name-hypervisor-nas> (e.g., nas-server)
- Container ID - Hypervisor: <container-id-hypervisor> (e.g., 100)
SSH Keys
- SSH key - Proxmox: <ssh-key-proxmox> (e.g., /home/user/.ssh/id_rsa.pub)
- SSH key - Client: <ssh-key-client> (e.g., /home/user/.ssh/client_id_rsa.pub)
Networking
- Wireguard port: <wireguard-port> (e.g., 51820)
Dolibarr specifics post-install
- Contract paths: <dolibarr-contract-paths-source> (e.g., /home/username/contracts/)
- Fonts paths: <dolibarr-fonts-paths-source> (e.g., /home/username/fonts/)

Important Warnings and Security Practices

Before executing any commands in this documentation, please adhere to the following guidelines to ensure the security and integrity of the system:

Execute Commands with Caution: Always review and understand a command before executing it. Misuse of commands can lead to data loss or system instability.
Backup Command Execution: The backup command must be executed only by authorized users. Ensure that proper permissions are set to prevent unauthorized access to backup files.
Regular Backups: Maintain regular backups of all critical data. It is advisable to use automated backup solutions and verify backup integrity periodically.
System Updates: Regularly update the system and all installed packages to protect against vulnerabilities. Use the package manager responsibly to avoid potential conflicts.
Monitor System Logs: Continuously monitor system logs for any unusual activity. Use logging tools to help identify potential security breaches or system failures.
User Permissions: Ensure that user permissions are strictly managed. Limit access to sensitive commands and data to only those who need it to perform their job functions.
Network Security: Implement proper network security measures, such as firewalls and intrusion detection systems, to protect against external threats.
Data Encryption: Encrypt sensitive data at rest and in transit to prevent unauthorized access.

By following these practices, you will help maintain the security and stability of the system while minimizing the risk of data loss or compromise.

Useful Commands and Information

Documentation

Software on the Machine

Operating System: Debian
Database: MariaDB (configured as MySQL)
Web Server: Apache
Security: GnuPG, WireGuard, UFW
Other: Git, sudo, certbot (for SSL certificate management)

Paths

Dolibarr Configuration: /etc/dolibarr/app.ini
Dolibarr Work Path: /var/lib/dolibarr

Proxmox Commands

List available Proxmox templates

ssh <username>@<hostname-hypervisor-nas> "ls /mnt/proxmox/template/cache/"

Create the container

ssh <username-hypervisor>@<hostname-hypervisor> "pct create <container-id-hypervisor> <name-hypervisor-nas>:vztmpl/debian-12-upgraded_12.5_amd64.tar.zst --hostname <hostname-intranet> --cores 4 --memory 4096 --swap 2048 --net0 name=net0,bridge=vmbr0,ip=dhcp,firewall=1 --rootfs <name-hypervisor-nas>:250 --unprivileged 1 --features nesting=1 --ssh-public-keys <ssh-key-proxmox>"

Backup

ssh <username-hypervisor>@<hostname-hypervisor> "vzdump <container-id-hypervisor> --compress zstd --mode stop --storage <name-hypervisor-nas> --note \"$(date +'%Y-%m-%d %H:%M') Backup fresh install\""

Set the state of the Proxmox HA Manager for Container

ssh <username-hypervisor>@<hostname-hypervisor> "ha-manager add ct:<container-id-hypervisor>"
ssh <username-hypervisor>@<hostname-hypervisor> "ha-manager remove ct:<container-id-hypervisor>"

Set the state and limits of the Proxmox Container in the HA Manager

ssh <username-hypervisor>@<hostname-hypervisor> "ha-manager set ct:<container-id-hypervisor> --state started --max_relocate 3 --max_restart 3"
ssh <username-hypervisor>@<hostname-hypervisor> "ha-manager set ct:<container-id-hypervisor> --state stopped"
ssh <username-hypervisor>@<hostname-hypervisor> "pct start <container-id-hypervisor>"
ssh <username-hypervisor>@<hostname-hypervisor> "pct stop <container-id-hypervisor>"
ssh <username-hypervisor>@<hostname-hypervisor> "pct reboot <container-id-hypervisor>"

Destroy the Proxmox Container forcefully

ssh <username-hypervisor>@<hostname-hypervisor> "pct destroy <container-id-hypervisor> --force --purge"

Move the Proxmox Container to another host

ssh <username-hypervisor>@<hostname-hypervisor> "pct migrate <container-id-hypervisor> hv2"

SSH Connection

Connection with specific keys

ssh -i <ssh-key-client> root@<hostname-intranet>
ssh -i <ssh-key-client> root@<server-ip-address>
ssh -i <ssh-key-client> <username>@<hostname-intranet>
ssh -i <ssh-key-client> <username>@<server-ip-address>

Remove offending keys from known_hosts

ssh-keygen -f "/home/<username>/.ssh/known_hosts" -R "<hostname-intranet>"
ssh-keygen -f "/home/<username>/.ssh/known_hosts" -R "<server-ip-address>"

Copy SSH public key to remote host

ssh-copy-id -i <ssh-key-client> root@<server-ip-address>
ssh-copy-id -i <ssh-key-client> root@<hostname-intranet>
ssh-copy-id -i <ssh-key-client> <username>@<server-ip-address>
ssh-copy-id -i <ssh-key-client> <username>@<hostname-intranet>

Transfer SSH keys and files

scp /home/<username>/.ssh/<username>* <username>@<hostname-intranet>:/home/<username>/.ssh/
mkdir -p /home/<username>/.ssh/
mv /home/<username>/.ssh/<username>* /home/<username>/.ssh/
chown -R <username>:<username> /home/<username>/.ssh/
cat /home/<username>/.ssh/<username>.pub >> /home/<username>/.ssh/authorized_keys

Installation Procedure

Fresh Debian Installation
- Install a fresh Debian operating system on your new server following the standard installation procedure.

Backup before starting

ssh <username-hypervisor>@<hostname-hypervisor> "vzdump <container-id-hypervisor> --compress zstd --mode stop --storage <name-hypervisor-nas> --note \"$(date +'%Y-%m-%d %H:%M') Backup fresh install\""

Install Required Dependencies

Upgrade the base system

apt update
apt upgrade -y

Install dependencies

apt install -y git apache2 mariadb-server php php-mysql php-mbstring php-gd php-curl php-xml php-intl php-imap php-zip libapache2-mod-php sudo
apt install -y libreoffice-common libreoffice-writer --no-install-recommends
apt install -y fonts-dejavu fonts-liberation ttf-mscorefonts-installer

apt install -y gpg

Ensure Hostname

nano /etc/hosts
# Add line: 127.0.1.1 <hostname-intranet>
nano /etc/hostname
# Set to: <hostname-intranet>
hostnamectl set-hostname <hostname-intranet>

Add Users

adduser <username>
usermod -aG sudo <username>

mkdir -p /home/www-data
chown www-data:www-data /home/www-data
usermod -d /home/www-data www-data
usermod -s /bin/bash www-data

adduser --system --shell /bin/bash --gecos 'Dolibarr CRM' --group --disabled-password --home /home/www-data www-data

Setup SSH Connectors
- Configure SSH connectors as per your setup script to establish secure connections to the server.
Test users, SSH, and sudo
1. Transfer SSH keys for User
2. Connect as User with SSH key
3. Test sudo
```
sudo su -
```
1. Disconnect as root

Secure SSH

nano /etc/ssh/sshd_config

PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no

Restart SSH

systemctl restart ssh

Configure Firewall

Open ports

ufw allow OpenSSH
ufw allow <wireguard-port>/udp

Enable firewall

ufw enable

Configure Mariadb

Security
```
mariadb-secure-installation
mariadb
```

Mariadb Users

SET old_passwords=0;
CREATE USER 'dolibarr' IDENTIFIED BY '';

CREATE USER IF NOT EXISTS 'dolibarr'@'192.168.1.%' IDENTIFIED BY '';
GRANT ALL PRIVILEGES ON *.* TO 'dolibarr'@'192.168.1.%' IDENTIFIED BY '' WITH GRANT OPTION;
GRANT ALL PRIVILEGES ON *.* TO 'dolibarr'@'localhost' IDENTIFIED BY '' WITH GRANT OPTION;
SET PASSWORD FOR 'dolibarr'@'localhost' = PASSWORD('');
SET PASSWORD FOR 'dolibarr'@'192.168.1.%' = PASSWORD('');
FLUSH PRIVILEGES;

Create Dolibarr Database

mariadb -u root -p

Inside the MariaDB shell:

CREATE DATABASE dolibarr;
CREATE USER 'dolibarruser'@'localhost' IDENTIFIED BY 'strongpassword';
GRANT ALL PRIVILEGES ON dolibarr.* TO 'dolibarruser'@'localhost';
FLUSH PRIVILEGES;
EXIT;

Install Dolibarr

Versions

sudo su -
mv /var/www/html /var/www/.html

cd /var/www
git clone --depth 1 -b 20.0.3 https://github.com/Dolibarr/dolibarr.git dolibarr
mv dolibarr-20.0.3 dolibarr

Create required directory structure

chmod -R 755 /var/www/dolibarr
chown -R www-data:www-data /var/www/dolibarr
cd dolibarr ; touch htdocs/conf/conf.php ; chown www-data htdocs/conf/conf.php
mkdir -p /var/lib/dolibarr/sessions ; chown www-data /var/lib/dolibarr/sessions
mkdir -p /var/lib/dolibarr/documents ; chown www-data /var/lib/dolibarr/documents

Apache Configuration

Allow http https
```
ufw allow https
ufw allow http
```

Backup Default Files Backup the default index.html and configuration files.

mv /var/www/html /var/www/.html
mv /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/.000-default.conf
rm /etc/apache2/sites-enabled/000-default.conf

Create Default Server Block for Unauthorized Access

Site configuration

Edit the Apache configuration file to proxy to the Dolibarr CRM.

nano /etc/apache2/sites-available/<hostname-intranet>.conf

Add the following configuration:

<VirtualHost *:80>
    LogLevel info
    ServerName <hostname-intranet>
    ServerAdmin admin@fabq.ca
    DocumentRoot /var/www/dolibarr

    # Alias for Dolibarr
    Alias / /var/www/dolibarr/htdocs/

    <Directory /var/www/dolibarr/htdocs>
        Options +FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.dolibarr.log
    CustomLog ${APACHE_LOG_DIR}/access.dolibarr.log combined
</VirtualHost>

Enabling the new VirtualHost

a2ensite <hostname-intranet>.conf
a2enmod rewrite

Managing Apache

Enable Apache

systemctl enable apache2

Apache reload

systemctl reload apache2

Optional Apache restart

systemctl restart apache2

Create folders

mkdir -p /var/tmp
mkdir -p /var/upload_tmp

Set temporary file paths

nano /etc/php/8.2/apache2/php.ini

sys_temp_dir = "/var/tmp"
upload_tmp_dir = "/var/upload_tmp"
open_basedir = "/var/www/dolibarr:/var/lib/dolibarr/documents:/var/lib/dolibarr/sessions:/var/tmp:/var/upload_tmp"

Fix permissions

chown -R www-data:www-data /var/lib/php/sessions

chown -R www-data:www-data /var/www/dolibarr/htdocs/conf/conf.php
chmod 640 /var/www/dolibarr/htdocs/conf/conf.php

find /var/www/dolibarr -type d -exec chmod 755 {} \;
find /var/www/dolibarr -type f -exec chmod 644 {} \;

chmod go-w /var/lib/dolibarr/documents;
chmod go-w /var/lib/dolibarr/sessions;

chown -R www-data:www-data /var/tmp
chown -R www-data:www-data /var/upload_tmp
chmod -R 750 /var/tmp
chmod -R 750 /var/upload_tmp

Secure PHP

nano /etc/php/8.2/apache2/php.ini

session.use_strict_mode = 1

allow_url_fopen = No

disable_functions = dl, apache_note, apache_setenv, pcntl_alarm, pcntl_fork, pcntl_waitpid, pcntl_wait, pcntl_wifexited, pcntl_wifstopped, pcntl_wifsignaled, pcntl_wifcontinued, pcntl_wexitstatus, pcntl_wtermsig, pcntl_wstopsig, pcntl_signal, pcntl_signal_get_handler, pcntl_signal_dispatch, pcntl_get_last_error, pcntl_strerror, pcntl_sigprocmask, pcntl_sigwaitinfo, pcntl_sigtimedwait, pcntl_exec, pcntl_getpriority, pcntl_setpriority, pcntl_async_signals, show_source, virtual, passthru, shell_exec, system, proc_open, popen

session.gc_maxlifetime = 604800

Complete the Installation through Web Interface
- Open your web browser and navigate to http://<hostname-intranet>/install/
- Follow the on-screen instructions to complete the installation.

Lock installation

chmod -w /var/www/dolibarr/htdocs/conf/conf.php
touch /var/lib/dolibarr/documents/install.lock;
chmod go-w /var/lib/dolibarr/documents;

Secure installation

chmod -R -w /var/www/dolibarr/htdocs
cp /etc/php/8.4/apache2/php.ini /etc/php/8.4/apache2/php.ini.back
nano /etc/php/8.4/apache2/php.ini

session.save_path = /var/lib/dolibarr/sessions
session.use_strict_mode = 1
session.use_only_cookies = 1
session.cookie_httponly = 1
session.cookie_samesite = Lax
session.gc_maxlifetime = 604800
open_basedir = "/var/www/dolibarr:/var/lib/dolibarr/documents:/var/lib/dolibarr/sessions:/var/tmp:/var/upload_tmp"
short_open_tag = Off
allow_url_fopen = Off
allow_url_include = Off
disable_functions = dl, apache_note, apache_setenv, pcntl_alarm, pcntl_fork, pcntl_waitpid, pcntl_wait, pcntl_wifexited, pcntl_wifstopped, pcntl_wifsignaled, pcntl_wifcontinued, pcntl_wexitstatus, pcntl_wtermsig, pcntl_wstopsig, pcntl_signal, pcntl_signal_get_handler, pcntl_signal_dispatch, pcntl_get_last_error, pcntl_strerror, pcntl_sigprocmask, pcntl_sigwaitinfo, pcntl_sigtimedwait, pcntl_exec, pcntl_getpriority, pcntl_setpriority, pcntl_async_signals, show_source, virtual, passthru, shell_exec, system, proc_open, popen

nano /var/www/dolibarr/htdocs/conf/conf.php
chmod o-r /var/www/dolibarr/htdocs/conf/conf.php

$dolibarr_main_prod='1';

Configure SSL with Certbot (Optional, If directly accessed)

certbot --apache -d <hostname-internet>
systemctl status certbot.timer
certbot renew --dry-run

Verify installation
- Verify that the Dolibarr instance is installed restored by accessing it through a web browser. Ensure that all repositories, users, and configurations are intact.
```
systemctl status apache2
```
Visit the server at http:// or https://.

Backup post installation

ssh <username-hypervisor>@<hostname-hypervisor> "ha-manager set ct:<container-id-hypervisor> --state stopped"
ssh <username-hypervisor>@<hostname-hypervisor> "vzdump <container-id-hypervisor> --compress zstd --mode stop --storage <name-hypervisor-nas> --note \"$(date +'%Y-%m-%d %H:%M') Backup post installation\""

Start the server

ssh <username-hypervisor>@<hostname-hypervisor> "ha-manager set ct:<container-id-hypervisor> --state started --max_relocate 3 --max_restart 3"

Move contracts

scp '<dolibarr-contract-paths-source>/contract.odt' <username>@<hostname-intranet>:~/

sudo su -
mv /home/<username>/*.odt /var/lib/dolibarr/documents/doctemplates/contracts/
chown -R www-data:www-data /var/lib/dolibarr/documents/doctemplates/contracts/

ODT to PDF

See forum 1 See forum 2
```
MAIN_ODT_AS_PDF
```

Install fonts

scp -r <dolibarr-fonts-paths-source>/Lato <username>@<hostname-intranet>:~/

mv /home/<username>/Lato /usr/local/share/fonts/
chmod -R 755 /usr/local/share/fonts/
chown -R root:root /usr/local/share/fonts/

21 KiB Raw Blame History Unescape Escape