James Yeates Cells, Climbing, Computers

The trials and tribulations of a server migration

So I was hitting a wall in terms of storage space on my server. I got a new one and put CentOS 7 on it with raid 5. Then it was time to set about putting everything back in its place. Obviously I never documented anything that I did to set things up the first time around.


One small step

A fairly big disclaimer if you wanted to emulate what I've done: it is by no means elegant and there are probably some redundant instructions in the following text.

First things first, let's install some packages to get the ball rolling:

	yum install -y vim nginx ruby ruby-devel gcc openssl firewalld htop fail2ban

Now we're going to set up some firewall rules:

systemctl enable firewalld
reboot
firewall-cmd --permanent --add-port=8920/tcp
firewall-cmd --permanent --add-port=58846/udp
firewall-cmd --permanent --add-port=9117/tcp
firewall-cmd --permanent --add-port=5000/tcp
firewall-cmd --zone=public --permanent --add-service=http
firewall-cmd --zone=public --permanent --add-service=https
firewall-cmd --reload

Let's set up fail2ban so we're not so heavily spammed by people trying to gain access to our server:

vim /etc/fail2ban/jail.local

[DEFAULT]
# Ban hosts for one hour:
bantime = 3600

# Override /etc/fail2ban/jail.d/00-firewalld.conf:
banaction = iptables-multiport

[sshd]
enabled = true

Save the file and start up fail2ban:

systemctl enable fail2ban
systemctl start fail2ban

Here's my nginx config:

vim /etc/nginx/conf.d/stuff.conf

server {
    listen  80 default_server;
    server_name SERVER1.com www.SERVER1.com;

    return 301 https://$host$request_uri;

}

server {

    listen 443 ssl;
    ssl_certificate     /etc/nginx/ssl/SERVER1.crt;
    ssl_certificate_key /etc/nginx/ssl/SERVER1.key;

    server_name SERVER1.com www.SERVER1.com;
    root  /var/www/SERVER1/;

    location / {
        index  index.html index.htm;
    }

    location /emby {
        proxy_pass https://127.0.0.1:8920;

    }

    location /radarr {
        proxy_pass http://127.0.0.1:7878;

    }

    location /sonarr {
        proxy_pass http://127.0.0.1:8989;

    }

    location /jackett {
        proxy_pass http://127.0.0.1:9117/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location /deluge {
        proxy_pass https://127.0.0.1:8112/;
        proxy_set_header        X-Deluge-Base   "/deluge/";
    }


    location /ombi/ {
        proxy_pass http://127.0.0.1:5000;
        add_header X-Frame-Options SAMEORIGIN;
        proxy_set_header X-Forwarded-Host $server_name;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Ssl on;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_read_timeout  90;
        proxy_redirect http://127.0.0.1:5000 https://$host;
    }

    if ($http_referer ~* /ombi/) {
        rewrite ^/dist/(.*) $scheme://$host/ombi/dist/$1 permanent;
    }


}

server {
    listen  80;
    server_name SERVER2.com www.SERVER2.com;

    return 301 https://$host$request_uri;

}

server {

    listen 443 ssl;
    ssl_certificate     /etc/nginx/ssl/SERVER2.crt;
    ssl_certificate_key /etc/nginx/ssl/SERVER2.key;

    root  /var/www/SERVER2/;
    server_name SERVER2.com www.SERVER2.com;

    location / {
        index  index.html index.htm;
    }
}
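
An added example (not part of the original setup): a small shell check that lists the backends nginx proxies from 127.0.0.1 whose ports are also opened in firewalld, using the proxy_pass lines above and the ports opened with firewall-cmd on this page as sample input. It assumes the services listen on all interfaces, in which case those ports can be reached directly, without nginx's TLS in front of the plain-HTTP ones; the function names are made up for this example.

```shell
#!/bin/sh
# Added example: find nginx loopback upstreams whose ports are also open in firewalld.

# Print "PORT SCHEME" for every proxy_pass in file $1 that targets loopback.
proxied_backends() {
    sed -n -E 's#.*proxy_pass[[:space:]]+(https?)://(127\.0\.0\.1|localhost):([0-9]+).*#\3 \1#p' "$1" | sort -u
}

# Print the TCP ports in $1, which is in `firewall-cmd --list-ports` format.
open_tcp_ports() {
    printf '%s\n' "$1" | tr -s '[:space:]' '\n' | sed -n -E 's#^([0-9]+)/tcp$#\1#p' | sort -u
}

# Print "PORT SCHEME" for each backend that is both proxied and directly open.
exposed_backends() {
    open=$(open_tcp_ports "$2")
    proxied_backends "$1" | while read -r port scheme; do
        if printf '%s\n' "$open" | grep -qx "$port"; then
            printf '%s %s\n' "$port" "$scheme"
        fi
    done
}

# Sample input: the proxy_pass targets from the config above, condensed.
conf=$(mktemp)
trap 'rm -f "$conf"' EXIT
cat >"$conf" <<'EOF'
    location /emby    { proxy_pass https://127.0.0.1:8920; }
    location /radarr  { proxy_pass http://127.0.0.1:7878; }
    location /sonarr  { proxy_pass http://127.0.0.1:8989; }
    location /jackett { proxy_pass http://127.0.0.1:9117/; }
    location /deluge  { proxy_pass https://127.0.0.1:8112/; }
    location /ombi/   { proxy_pass http://127.0.0.1:5000; }
EOF

# Sample input: every port this page opens with firewall-cmd --add-port.
ports="8920/tcp 58846/udp 9117/tcp 5000/tcp 8112/tcp 7878/tcp"

exposed_backends "$conf" "$ports" | while read -r port scheme; do
    echo "port $port/tcp is open in firewalld but nginx already proxies it (upstream: $scheme)"
done
```

On a live box, call it as `exposed_backends /etc/nginx/conf.d/stuff.conf "$(firewall-cmd --list-ports)"`; for any port it reports, either bind the service to 127.0.0.1 or remove the port from firewalld.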

If I were starting afresh I wouldn't install older versions of the programs that are used to build my blog. I would recommend that you grab the newer versions so rework the following. However, the theme I use would require some tweaking to work on the newer versions so...

Install [RVM] so that you can run the command:

rvm install 2.4.1

To install the version of RubyGems that I use for my jekyll theme I run this:

gem install rubygems-update -v 2.6.14

Finally, we're going to grab an older version of jekyll and the requisite gems that I use on my blog:

gem install jekyll -v 2.5.3
yum install -y ImageMagick ImageMagick-devel
gem install jekyll-sitemap -v 0.8.1
gem install jekyll-responsive-image


One giant leap

Now we have some bigger components to sort.

Deluge

wget http://li.nux.ro/download/nux/dextop/el7/x86_64/nux-dextop-release-0-5.el7.nux.noarch.rpm
rpm -ivh nux-dextop-release-0-5.el7.nux.noarch.rpm
yum -y install deluge-web
service deluge-web start
firewall-cmd --permanent --zone=public --add-port=8112/tcp
firewall-cmd --reload

Log in to the Deluge WebUI with the default password 'deluge' and change it to something actually secure.

cd /home/
mkdir media
cd media
mkdir downloads
mkdir films
mkdir tv
chown deluge:deluge downloads
chown deluge:deluge films
chown deluge:deluge tv
chmod 775 films
chmod 775 tv

It would be better to use symlinks here instead:

cp /etc/nginx/ssl/SERVER.key /var/lib/deluge/.config/deluge/ssl/SERVER.key
cp /etc/nginx/ssl/SERVER.crt /var/lib/deluge/.config/deluge/ssl/SERVER.crt

Deluge preferences:
Downloads
	change download folder to /home/media/downloads
Network
	Under network extras - turn off DHT
Encryption 
	Inbound:	Forced
	Outbound:	Forced
	Level:		Full Stream
	Check encrypt entire stream
Bandwidth
	Maximum connections:  250
	Maximum upload slots: 250
Interface
	Turn on ssl and point to ssl/SERVER.key & ssl/SERVER.crt
Daemon
	Allow remote connections
Queue
	Total Active:	200
	Downloading:	100
	Seeding:		200
	Stop seeding when ratio reaches 2
Plugins
	turn on the label plugin

Create a user with normal permissions by adding the following line to this file:

vim /var/lib/deluge/.config/deluge/auth

USERNAME:PASSWORD:5

Sonarr

Gotta install some dependencies:

rpm --import "http://keyserver.ubuntu.com/pks/lookup?op=get&search=0x3FA7E0328081BFF6A14DA29AA6A19B38D3D831EF"
yum-config-manager --add-repo http://download.mono-project.com/repo/centos/
yum -y install wget mediainfo libzen libmediainfo curl gettext mono-core mono-devel sqlite.x86_64 git par2cmdline p7zip unrar unzip tar gcc python-feedparser python-configobj python-cheetah python-dbus python-devel libxslt-devel yum-utils
useradd sonarr -s /sbin/nologin

tar -xvf sonarr.tar.gz -C /opt/
mkdir /opt/sonarr
mkdir /opt/sonarr/bin
mv /opt/Sonarr/* /opt/sonarr/bin
rm -rf /opt/Sonarr
chown -R sonarr:sonarr /opt/sonarr

vim /usr/lib/systemd/system/sonarr.service

[Unit]
Description=Sonarr Daemon
After=syslog.target network.target

[Service]
User=sonarr
Group=sonarr

Type=simple
ExecStart=/usr/bin/mono /opt/sonarr/bin/Sonarr.exe -nobrowser -data /opt/sonarr
TimeoutStopSec=20
KillMode=process
Restart=on-failure

[Install]
WantedBy=multi-user.target

Radarr

yum install mono-core mono-devel mono-locale-extras curl mediainfo -y
cd /opt
curl -L -O $( curl -s https://api.github.com/repos/Radarr/Radarr/releases | grep linux.tar.gz | grep browser_download_url | head -1 | cut -d \" -f 4 )
tar -xvzf Radarr.blahblah.tar.gz

vim /usr/lib/systemd/system/radarr.service

[Unit]
Description=Radarr Daemon
After=syslog.target network.target

[Service]
User=sonarr
Group=sonarr

Type=simple
ExecStart=/usr/bin/mono --debug /opt/Radarr/Radarr.exe --nobrowser
TimeoutStopSec=20
KillMode=process
Restart=on-failure

[Install]
WantedBy=multi-user.target

firewall-cmd --permanent --add-port=7878/tcp

systemctl enable radarr.service
systemctl start radarr.service

Jackett

wget https://github.com/Jackett/Jackett/releases/download/v0.11.687/Jackett.Binaries.LinuxAMDx64.tar.gz
tar -xvzf Jackett.Binaries.LinuxAMDx64.tar.gz
yum install -y lttng-ust libcurl openssl-libs krb5-libs libicu zlib
chown -R sonarr:sonarr Jackett
cd Jackett
./install thing

Copy torznab indexers for your trackers into Sonarr and Radarr along with Jackett's API key.

Ombi

Not long left now

yum install -y compat-openssl10 libcurl-devel libunwind-devel openssl-devel

usermod -a -G deluge sonarr

vim /usr/lib/systemd/system/ombi.service

[Unit]
Description=Ombi
After=network-online.target

[Service]
User=sonarr
Group=sonarr

WorkingDirectory=/opt/Ombi/
ExecStart=/opt/Ombi/Ombi
Type=simple
TimeoutStopSec=30
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target

OpenVPN

Download your VPN config file, then:

yum install openvpn
wget https://roy.marples.name/downloads/openresolv/openresolv-3.9.0.tar.xz
tar -xvf openresolv-3.9.0.tar.xz
cd openresolv-3.9.0
./configure
make
make install

Run ifconfig to get your device name; mine was enp4s0.

[this]

PTPT application process

Figured I'd compile some tips on how to get through the pre-registration trainee pharmacy technician application process.

First thing to consider is why you want to do the PTPT course. Before I applied I spoke with a lot of pharmacy technicians about their careers, and more than you'd think recommended doing something else. I'm very keen on aseptics so I'm likely to try to climb the ladder in that. Alternatively, I can make use of my experience in genomic medicine and aseptics to pursue other options. Being a qualified pharmacy technician opens up the possibility of funding university study with locum work. It's good to have a goal in mind, but to keep your options open.

Selection criteria

Figuring this out is really important as you can filter through positions quickly when they start opening. For each hospital that meets your personal criteria you should look up the hospital's CQC rating, trust values and any particular reasons why doing the PTPT course there would be good.

My personal criteria were:

  • Ideally single hospital site but if not then travel between sites is very easy
  • Economically viable
  • Not in the middle of nowhere
  • Near a climbing gym
  • Has an aseptic unit

A lot of feedback that I got after interviews was that while I had done very well at interview they did not feel that I gave strong answers to why I wanted to work for their hospital in particular. Royal Salford mentioned their outstanding CQC rating when giving this sort of feedback to me, so in interviews I had after that one I would talk about CQC ratings, trust values and any larger news that was occurring with the hospital. Royal Liverpool, for example, was in the process of building a completely new hospital. I could then talk about working in a pre-fab unit while the aseptic unit I was meant to be working in was refurbished.

Application

You want to try and write a lot in the supporting information section of any NHS job. Try and write to the person specification. I had a template that covered most bases and would rework this slightly for each hospital and the person specification they provided. My supporting information was 1372 words long, though from moving jobs fairly frequently I have a fair bit to write about - don't get too hung up about writing reams!

You get points for each of the criteria you meet in the person specification. Whoever is doing the interview will then invite the people with the most points to interview. Try and make their job easy by hitting all the things they are looking for in a clear and concise manner. It'll help your chances of getting invited to interview.

Interview

Interviews are a really mixed bag. Hospitals in the north west all use the BKSB functional skills test. If you are going for more than one hospital that uses the BKSB ask for a certificate proving the level you got and let other hospitals know you've done it so you don't end up sitting it repeatedly. Hospitals down south do their own tests which vary in difficulty. The level you get isn't the be all and end all - one of my coworkers got a lower level in maths and got the position over me.

One of the positions I didn't get was because I didn't speak enough about the details of the PTPT role. After that feedback I used to literally list out the main points. 2 year fixed term contract; band 4 annex U; have to pass first year to progress to the second; study for two qualifications, an NVQ level 3 and a BTEC level 3, day release at college to attend lectures for the BTEC portion; a brief overview of what I would study for the BTEC; what sort of rotations I would do in the hospital.

Sometimes you'll get a bit of a curve ball. At Countess of Chester they gave me three boxes of medication and asked me to give them information about them. We both acknowledged that working in aseptics I could only really read off the boxes so I did that and tried to give some basic information. Almost all the interview formats were the same. The panel usually consisted of 2 or 3 people. When you receive an invitation to interview it's worth making a note of which area the people on the panel are from so that you can talk about their areas. The only outlier was Western Sussex: they had 4 rooms with 2 people in each and each applicant went between the rooms and answered some questions. It's probably the worst format of interview I've encountered.

I ended up applying to the following trusts (sometimes more than once) before finding success at Royal Surrey: Greater Manchester Mental Health, Liverpool Womens, Countess of Chester, Wirral, Royal Liverpool, Western Sussex, Clatterbridge Cancer Centre, Manchester, Cambridge, Tameside and Glossop, Stockport, and Royal Salford. There were definitely points that I thought about giving up but persisting paid off. Try and not get discouraged if you aren't successful - the more interviews you do the better you will get at them.

It's worth checking your trust's leave policy. At Manchester Foundation Trust I was able to apply for special leave when attending interviews for NHS positions. Make sure to arrange this with your line manager so you don't end up using all your annual leave to go to interviews! Have a look on your trust's intranet for a special leave form or something similar to fill out.

Good luck! If you have any questions feel free to stick them in the comments below.

NPD and privacy

Section 7 of the Data Protection Act 1998 outlines the rights of an individual in regard to access to his or her personal data held by organisations. Unfortunately, few people are aware of this aspect of law.

One can make a subject access request to an organisation for personal information that the organisation holds. Exemptions can be made in the interest of the prevention and detection of crime, the apprehension and prosecution of offenders, and of matters of national security.

The National Pupil Database is a government dataset that contains information on all pupils in maintained schools and some more limited data on pupils in non-maintained schools. The private sector can apply for extracts of this dataset and the government would like to expand both the collection of data for this dataset and the access to it by third-party organisations. If this does not strike you as worrying you should evaluate what privacy means to you.

Organisations receive this data unanonymised [article] and are required to anonymise it if they produce any public works from it. The storage of this data is subject to the DPA 1998 but one only needs to look at the numerous huge data breaches of various large companies to see that their personal information is not safe in the hands of others.

I made a subject access request to the branch of the government that handles the NPD and gave them the relevant information so that they could comply with the subject access request. Interestingly this was only the school that I attended and my home address, both pieces of information that a great number of people could know.

The man handling my case advised that given my age the volume of the material that they would be posting to me could be quite substantial and asked if there was anything specifically that I wanted to know. I dread to think the amount of information that is held on kids now given that the collection of this information was only just beginning when I was in school.