Tiki Wiki installation on Linux 2024 (Debian 12)

This tutorial is tailored for intermediate IT administrators or full-stack developers seeking guidance on setting up and publishing websites.
We will learn how to setup and configure:

• Linux operating system, Debian12 and Apache2
• MariaDB (InnoDB)
• Virtualmin web hosting control panel
• PHP
• Git and the Tiki Gitlab repository
• Tiki Wiki the website builder

To embark on this Tiki Tutorial, familiarity with shell usage and a basic understanding of server operations is recommended. However, don't hesitate to dive in and learn along the way as long as you're not working with real data initially, in most cases you have the flexibility to terminate and reinstall instances until you successfully configure your Tiki setup.

If experimentation isn't your preference, or if your time is limited and you're in a rush, you can always opt to have someone else handle the setup for you. You can hire me to do it for you or explore the the Tiki Consultants list. Rest assured, with a Tiki Specialist handling the task, you'll receive a professional job well done. 😉

Server preparation

Install an Amazon Lightsail Instance

Log into your AWS Console (or create you account) and look for Lightsail in the search bar.
Select your instance location (the region you want the server to be set for... the closer to your targeted users the better) and pick your instance image by selecting a platform.
Following our case, pick your instance image by clicking on "Linux/Unix" blueprint choose "OS Only" and select Debian12.x.
Note: Installing Virtualmin requires a pristine OS and server tools or libraries so don't use anything. else than a core basic OS installation.

Below those selectors, you will be asked to use a new default SSH key or to change the SSH key linked to this account if one exist already.
Depending your case, select to use the default key created with your instance (you will need to download it into your computer, user/.ssh folder), upload an existing key or use an existing one for this account.
If you don't have an SSH key linked to your account you will be guide to create a new SSH key pair and help will be provided.

Choose your instance plan (I suggest you start with the cheapest as you can always upgrade your plan).
Identify your instance by giving it a name. While you can add tags, I suggest you be descriptive to avoid being lost later if you create other instances (for development or test).
Click on the orange buttons "Create instance". Your instance should be running in a minute and you should be already able to use the integrated SSH console by clicking on the terminal icon ( )

Lightsail Networking and security group

To allow access to your "secured" site and the Virtualmin control panel we need to go to the Lightsail instance control panel and select "Networking".
By default port 22 and 80 should be already open.
Set security group and "Add rule" to open additional ports 443 (ssl) and 10000 (virtualmin).
I usually open 80 and 443 to all traffic (no IP restriction) and restrict access to 22 and 10000 to my IP only. (we are never too safe ! )

While we are here, another important thing you want to do, especially if you are going to work with a domain name is to create a static IP.
Just follow the onscreen instruction it is very easy.

Be aware that you may have to reboot the instance so your security settings are properly applied.

Sudo or Set and use root login

Depending of your account settings, you may be able to use the root user or use the sudo command.
If you can sudo and that's ok with you, skip this.

As Lightsail allow you to login using a default admin from which you can login with root, setting external access for the root user may be discutable and it will be up to you to set this or not.
However, for me to diagnose or manage my virtual domains correctly so I usually setup an SSH root access using elaborated password and fail2ban mechanism (if someone, a bot, try too many time to connect using SSH it is blacklisted from accessing my server).

Logged as the default "admin" user. (I use nano but it is the same with VI, VIM or any editor)

sudo su

nano /etc/ssh/sshd_config

Change #PermitRootLogin prohibit-Password to PermitRootLogin yes
and #PasswordAuthentication no to PasswordAuthentication yes and of course save your changes.
You will need to remove a small script that forbid root to use his SSH key

nano ~/.ssh/authorized_keys

The script begins with "no-port-fowarding..." you need to remove this script up to the ssh key itself that starts with "ssh-rsa...".
That way the ssh key will be accessible to the ssh login.

systemctl restart sshd

passwd root

sudo reboot

You will be disconnected, reconnect and check everything is working fine when you login as root.

ssh root@xx.xx.xx.xx (your instance IP)

Note: It is a good practice, and I highly recommend it, to disable root access on production servers once everything is in place. This can be done by setting the "PermitRootLogin" and "PasswordAuthentication" parameters to "no" in the "/etc/ssh/sshd_config" file.

First connection to your server/instance - attach your IP

Once the instance is running you can start managing it. While we can connect and use the HTML was terminal offered by the AWS tools, we want to use our own shell or terminal from our local computer.

The first thing to do is to check you can connect to your server (the public instance IP) using your own terminal (putty, terminal or any of your preferred) to have shell access.
As of now, your IP may change on server reboot and that's a kind of a problem to point your domain to that IP or try to connect to your server unless you "attach" the IP to your instance.
So logical... we attach the IP to the instance.

The user set for the Debian Linux is "admin". So I need to ssh to my public instance IP using the key pair (set above) with the admin user.
The port 80 and 22 are open by default so we have everything to connect using SSH.

If you didn't set the SSH key during the instance creation

SSH Key pair may be complicate story if you are not oriented IT Admin.
In very short, if you select to use the default key this is what I would do (replace "LightsailDefaultKeyPair-us-east-1.pem" with your key filename).
Download the key into my computer, move the file to my ~/.ssh directory and set the correct file permissions:

sudo chmod 600 ~/.ssh/LightsailDefaultKeyPair-us-east-1.pem

Then I should be able to use the following to connect :

ssh -i ~/.ssh/LightsailDefaultKeyPair-us-east-1.pem admin@xx.xx.xx.xx

You can find here more documentation about this : https://lightsail.aws.amazon.com/ls/docs/en_us/articles/amazon-lightsail-ssh-using-terminal

Checking Hostname

To ensure smooth operation of VirtualMin/Webmin, it's essential to configure the hostname and Fully Qualified Domain Name (FQDN) directly on the server.

Once logged in your server through SSH use the following command.

hostnamectl

The output "Static hostname" shows by default the instance local IP but we need it to show your FQDN so we can proceed to the next step (Installing Virtualmin) else we need to edit 2 configuration files to fix the issue.

Enter the following command:

hostname

By default it will display the instance internal IP (later on Virtualmin won’t like it) and it should display your hostname mostly your domain name like "mydomain" (without http or https)

If this is not the case, you need to change this and set it for your host name (yourdomain.com)
It is then common your server will be able to auto-generate the hostname.

You need to change this and set it for your host name (yourdomain.com)

sudo nano /etc/hostname

Check the host file and if it show your Fully Qualified Domain Name (FQDN).

cat /etc/hosts

If you see it, you are good to go to the next step, installing VirtualMin else check options below.

nano /etc/cloud/cloud.cfg
preserve_hostname: true

Upgrade your Debian OS

Assuming you've been provided with root access and SSH information, enabling you to connect via password or SSH Key, let's begin by ensuring our instance is up-to-date.

We want to work on the last version of the dozens of software and library your server will depend on. Log onto your server and update/upgrade it with the following commands:

apt update
apt upgrade

Install Webmin and Virtualmin

Virtualmin will install everything you need and it is critical the installation of Virtualmin comes first.
Else you will be warned previous tools or libraries have been installed and sometimes it means you will have to clean them manually before proceding.

We will download Virtualmin automated install script and run it. It is basically a shell script that will handle rest of the installation once executed.

wget https://software.virtualmin.com/gpl/scripts/install.sh

You can do a full install but also you can do a minimal install which will spare the instance resources. For exemple where I don't need a mail server I do minimal install.

sh install.sh

sh install.sh --minimal

You should see now the different components being installed one by one.
This is taking some times... Just wait for the process to complete.

It should end with:
"SUCCESS to configure at https://xxx-xxx-xxx-xxx:10000 (or https://yourFQDN:10000)."
You should be ready to login to your Virtualmin panel using your root access if your firewall is set correctly.
It happens your hosting services open only certain ports by default like 80,443,22. For virtualmin you need to also open port 10000.

Virtualmin setup and post-installation optional features.

Once you login your Virtualmin HTMLM front end (trust the SSL certificate if needed).
Follow Virtualmin Post installation wizard.
It is pretty straightforward and everything is done to guide you.

It is ok to use default proposed settings.
Of course we will keep for Tiki Wiki "Run MariaDB database server?" on yes.
You will then set the MariaDB root password, enter it and save it somewhere if needed later.
All the rest will be very simple and personally I use the default or suggested options.

Password storage mode
I don't want to store in clear the passwords used on the server so I select "Only store hashed passwords".
One drawback is that you can't view again a password once set. So each time you create a password you will note it in your password storage application.

MariaDB configuration size
This depend of your usage of the Tiki Wiki instance of course but assuming we are on the smallest LightSail plan we are setting a small instance.
I follow the suggested option: "Small system with 1G of RAM with infrequent MariaDB use"
If needed later I can change this setting.

Location for SSL certificates
Unless you know what you do keep the default.

The next question is... a trap ! 🤗
Setup default virtual server?

If you don't create a default Virtual Server, Virtualmin may load with errors (like: missing postfix maps) so you can solve them later by creating at least one Virtual Server or create one during the installation process and restart Virtualmin (a reboot never hurt once all is set you check things are starting as they should).

If you create one you won't be able to set a few parameters. (SSH key for exemple).
I choose to answer "no" so I can set manually all the parameters for my domain.

Create your first Virtual Server (your website)

Set your domain name.

The credential... I experienced issues creating a password without SSH public key and I experienced adding an SSH public key without password.
Therefor I'm creating a user password that will be require in a few cases and I add my SSH public key for day to day operation.

In some cases (temporary domain name) I set my "Administration username" and set the "Default database name" with something like "thiswebsite_tiki26" as I like to keep track of the Tiki used for a database. (I don't keep the same db from Tiki to Tiki I clone them)

I keep the features as is but disable "Accept mail for domain" if I don't want to use mail for this domain.

By default your Virtual Server will be limited to the default plan.
While this is enough if you install a Tiki package, you may need more memory to run composer.
Adjust the quota at Edit Virtual Server => Quotas and limits.

Install Let's encrypt certificate

To complete properly, return to the Virtual Server List, select your Virtual Server and on the left menu under "Server Configuration", "SSL Certificate" and select the tab "Let's Encrypt".
On the form "Request certificate for" use "Domain names listed here " field and set the domains for whom you will need a certificate. Keep the "Automatically renew certificate?" option to yes and click on the button "Request Certificate".

You need first to use your domain name set it at the registrar properly.
Under Virtualmin => Server Configuration => SSL Certificate click on the "Let's Encrypt" tab and request certificate.
Note that by default Virtualmin want to setup several automatically domains the "Domains associated with this server" list. You may not have set all of them and the process will verify them and fail if they are not accessible. I usually set manually "Domain names listed here" list and Install the certificates only for the domains I'm using.

Checking servers running

On your dashboard you have a panel where you can check servers status. We can see the PHP version running and we need to look (again) at the mail and mailbox application.
Keep Postfix running that is useful for sending email from apps or system notifications.
You can turn off Dovecot that do not need to be running on a system that is not receiving or processing mail.
But this will not be permanent. To make it permanent, on the left menu click on "Webmin", "System" and "Bootup and Shutdown".
Select anything "Dovecot" and at the bottom of the page click on "Disable On Boot".
(it is a good idea to enable fail2ban and a firewall 😉)

Install several versions of PHP

The following information was valid at the time I wrote this tutorial

Debian 12 comes with PHP8.2 a version that may or may not fit your needs.
As I want to use PHP8.1 I have to set it on the server.

{FADE(label="Adding PHP8.1 from the sury repository" icon="y")
I enabled the sury.org repository and update the package list:

apt install -y lsb-release ca-certificates apt-transport-https software-properties-common gnupg2
echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/sury-php.list
curl -fsSL https://packages.sury.org/php/apt.gpg| sudo gpg --dearmor -o /etc/apt/trusted.gpg.d/sury-keyring.gpg
apt update
{CODE}

If you run right away +-apt upgrade+- it will upgrade and install PHP8.3.
Something you don't necessary want. As I prefer to install only PHP8.1 to start with I entered in the prompt of my terminal the following:

apt-get install php8.1 php8.1-cgi php8.1-cli php8.1-fpm php8.1-mysql php8.1-xml php8.1-gd php8.1-intl php8.1-xsl php8.1-curl php8.1-zip php8.1-mbstring php8.1-bcmath

You can configure which one is the default PHP version used on your new Virtual Servers. You can change that default in System Settings -> Server Templates -> Default -> PHP Options. To set your host or domain PHP version go to Virtualmin -> Server configuration -> PHP version and on that screen you can set the PHP version for your domain.
{FADE}

Don't forget that anyway you have to install a few additional libraries and they should be accessible to complete the setup.
That's why these have been added above but you can also add them for your other PHP versions

apt-get install php8.2-gd php8.2-intl php8.2-curl php8.2-zip php8.2-bcmath

Secure the server (basic)

Enhancing server security requires skills, knowledge, and expertise beyond the scope of this article. However, it is crucial to implement basic measures to protect your server and data. Here, we will review the minimum steps you should take. For a comprehensive security review of your Tiki and server, please contact me.

Secure your MySQL database (mariaDB)

The last version of MySQL using the MariaDN engine will be installed by Virtualmin.
As seen Then we will secure the installation to tight our defences against the "bad guys".

sudo mysql_secure_installation

You should be able to answer most of the questions without too much thinking those are my answers (explanations can be found on the web)

• Enter current password for root (enter for none) => enter the root password set during Virtualmin install, else:
  • Set root password? [Y/n] y - As it is a first install
• Switch to unix_socket authentication [Y/n] Y
• Remove anonymous users? [Y/n] y
• Disallow root login remotely? [Y/n] y
• Remove test database and access to it? [Y/n] y
• Reload privilege tables now? [Y/n] y

Done, let's check MariaDB is running:

sudo systemctl status mariadb

Enable and configure fail2ban

First, in virtualmin check if the "Fail2Ban Intrusion Detector" is installed and running.
In the Webmin, Un-used module, by default you should see the "Fail2Ban Intrusion Detector" and you need to start it and enable on (server) boot.
Now on the Webmin, Networking panel you see "Fail2Ban Intrusion Detector" module but it is still stopped.
You can double check using your shell with the following

sudo systemctl status fail2ban

On Debian12 there is a problem at the time this article was written. A default jail local file is missing and that doesn't allow fail2ban to start and you need to manually create it.

sudo nano /etc/fail2ban/jail.local

If there, add already another missing parameters for a filter you should use right away, SSHD.

[sshd]
backend=systemd

systemctl start fail2ban
systemctl status fail2ban

We will enable as a minimum the following filters action jail from within the fail2ban panel:
sshd
apache-badbots
webmin-auth

I developed an "apache-4xx" filter designed to ban rapid incoming connections from the same IP, typically from crawlers or brute force attempts resulting in 40x errors.
If you’re interested in this filter, feel free to contact me.
I’d be delighted to share it with you!

Installing Tiki from Tiki repo (anonymous)

Navigate into your html directory. If you don’t know where it is located on your new server on Virtualmin check the Virtual Server Summary.
There is at https://tiki.org a complete installation guide
But in short, I use the git clone command to download Tiki. In my case I needed Tiki branch (version) 24.x without previous history (depth=1)

git clone --depth=1 --branch=26.x https://gitlab.com/tikiwiki/tiki.git .

Installing Tiki using ssh (your repo)

To use the SSH key used on your Gitlab account you need to create a config file at your_home/.ssh
For exemple bsfez/.ssh copy the following inside "config" file.

# GitLab.com
Host gitlab.com
#  User git
  PreferredAuthentications publickey
  IdentityFile ~/.ssh/id_rsa

Replace "id_rsa" with your SSH key file and set ownership to your virtual server user and permission to 400 (chmod).

Navigate into your html directory (public_html). If you don’t know where it is located on your new server on Virtualmin check the Virtual Server Summary.
There is at https://tiki.org a complete installation guide

git clone --branch=your_branch --depth=1 git@gitlab.com:bsfez/your_repo .

It happen that for the first download you have to point your key file. 🤷🏻‍♂️
You can do it using the following command. (again replace "id_rsa" with you key filename)

git clone --branch=your_branch --depth=1 git@gitlab.com:bsfez/your_repo --config core.sshCommand="ssh -i ../.ssh/id_rsa" .

Then it is required to run tiki setup to install Composer files and fix the files and directories permissions.
I want to run PHP8.1 (I have several PHP version installed) so I add the path.

sh setup.sh -p /usr/bin/php8.1

From here follow the regular Tiki install process (setup.sh (see additional notes below), database creation) and you have a Tiki ready to be installed !