10 June 2021

GPS and Raspberry Pi Stratum 1 Server


This is certainly not a difficult project, but I am going to assume you can put a hat on a raspberry pi, get the OS installed and do some basic command line work. (hint: Don't forget that blank file named ssh in the root of the boot drive so you can remote in)

Scope

Time is essential to any communication method, but particularly so to low-power digital communications in ham radio.  Modes like FT8 or JS8 utilize a single RF frequency and utilize the Audio bandwidth to handle multiple stations.  To accomplish this, everyone has to be transmitting and decoding in fairly exacting time segments.  In my attempt to be more effective in a grid-down scenario I started building local NTP servers that would provide a time standard, separate from the internet, for my radio shack, etc.  I started with a simple USB GPS receiver on a Raspberry PI over wifi, and now this project is to build a hardwired server with a serial GPS receiver that has PPS (pulse per second) timing.


Version 1

Resources

Julian: OH8STN Video on the original GPS PI
Mike Richards: The Original, as far as I am concerned, walkthrough of the GPS PI
Rob Robinette: Troubleshooting resource for this setup
UPUTRONICS Setup

Parts List

Raspberry Pi 4
Micro SD Card
Uputronics GPS/RTC Expansion Board
Uputronics Active GPS Antenna
ThePiHut Pi GPS HAT Case for Raspberry Pi 4
(Optional) 12 volt to USB charger
(Optional) PoE splitter
Some form of power supply for Raspberry Pi 

Process

To be clear Version 1 of this project, as detailed by Mike and Julian in the resources is MORE than adequate for most people.  Below is an estimated error comparison between just using the NMEA stream and then using the PPS versus standard internet NTP sources.


As a reminder, a second is bigger than a millisecond (ms) which is bigger than a microsecond (┬Ás) which is bigger than a nanosecond (ns).

I have no hesitancy recommending the Version 1 GPS Pi and you can follow the first two resources and it will be excellent.

If you want to play with the PPS part, read on.

The HAT I used is a little different in the way it works.  The baud rate for the GPS unit is faster than standard, and it uses the kernel PPS instead of SHM 1 on the serial unit.  That being said, it is easy to set up and I think it is the best one available.

I am using Raspberry Pi OS released 2021-05-07

Once you get the raspberry pi up and running and are logged in:
sudo raspi-config
Select Interfacing Options and Enable I2C

Next, we will install the tools to read the Real-Time Clock and the PPS signal from the expansion card
sudo apt -y install python-smbus i2c-tools pps-tools
And make sure you see 42 and 52 show up in the command below
sudo i2cdetect -y 1
Next add real time clock, pps, and activate the onboard serial port by adding these three lines to config.txt
sudo nano /boot/config.txt
dtoverlay=i2c-rtc,rv3028
dtoverlay=pps-gpio
enable_uart=1
(ctrl-x and y to exit nano on all of these.  You can try VI but on pi it doesn't always work right on my terminals)

Next, we want to make sure the onboard console is not interfering with our gps serial connection
sudo nano /boot/cmdline.txt
Delete this part of the first line: console=serial0,115200 (if present)

Next, execute the following commands to get rid of the fake hardware clock on the pi
sudo apt-get -y remove fake-hwclock
sudo update-rc.d -f fake-hwclock remove
sudo systemctl disable fake-hwclock
sudo nano /lib/udev/hwclock-set
and comment out the following 4 lines
#if [ -e /run/systemd/system ] ; then
# exit 0
#fi
# /sbin/hwclock --rtc=$dev --systz --badyear
To set the baud rate we mentioned before add the following line to rc.local   BEFORE the exit command
sudo nano /etc/rc.local
stty -F /dev/ttyS0 115200
Add PPS to modules
sudo nano /etc/modules
pps-gpio
and reboot
sudo reboot
After reboot, you can test the PPS part with the following command:
sudo ppstest /dev/pps0

You can optionally use minicom to test the GPS over serial or you can do a cat command.  Either way, you can see what serial ports are being used for either.  In my case it was /dev/ttyS0
ls -lh  /dev/serial[0,1]
Option 1
sudo apt-get install minicom
minicom -b 115200 -o -D /dev/ttyS0
Option 2
sudo cat /dev/ttyS0
Once you are comfortable that things are working, we can install chrony and gpsd.  Goes between the GPS device and Chrony.  Chrony is our NTP server.
sudo apt -y install gpsd gpsd-clients python-gps chrony python-gi-cairo
We will configure GPSD to read NMEA and PPS signals.
sudo nano /etc/default/gpsd
 START_DAEMON="true"
 USBAUTO="false"
 DEVICES="/dev/ttyS0 /dev/pps0"
 GPSD_OPTIONS="-n"
Next at the bottom of the Chrony config file, modify the makestep and add the lines to add NMEA and PPS.  The last line could be allow all, but this lets you limit to only respond to NTP requests from your network.
sudo nano /etc/chrony/chrony.conf
makestep .1 5
refclock PPS /dev/pps0 refid PPS prefer
refclock SHM 0 refid NMEA

allow 10.0.18.0/24
and reboot
sudo reboot
At this point, you should be able to point your clients to the IP address of your NTP server and you are off to the races!

Tools


The following 4 commands will tell you a lot about your system and what to troubleshoot.
gpsmon -n

This will tell you what is coming off of your GPS receiver
chronyc sources -v
This will tell you what is being used by chrony and how it relates to the other available time references.
sudo timedatectl


This will show you all the time standards used by the hardware pi.
sudo chronyc makestep
This will force your hardware to sync up to the time reference immediately, otherwise, it does it in steps.
After you are sure it is working, mount it somewhere handy.  I have it in the shack right now, but I do have a power over ethernet (PoE) injector and splitter so I can put it anywhere in the house and keep the cables down.  I also recommend setting up RaspAP on it so that it can host its own hotspot if your network goes down and you still want to use it as your time reference.


29 May 2021

2021 Ham Shack Update

I have spent the last several months getting my 11th base QTH (home base station) set up so that it is usable by my kids as part of their science curriculum next year.  I must say that of all my setups, both fixed and mobile, this is my favorite.  I thought I would take a moment to walk through what I have running in my shack.  A lot of these things deserve their own post, but I needed to start somewhere.  I included links for reference.  Much of my equipment is no longer available, or no longer available for the price I got it at, etc. None of these are affiliate links or anything like that (Not that I would be opposed to them, wink wink, nudge, nudge).  I can say I have had great luck with Ham Radio Outlet, Gigaparts, Antenna Farm, and KF7P Metal Works.


I have been a licensed Amateur Radio (Ham Radio) operator since 1998, and my goals have stayed about the same.  I got into ham radio for:

  1. Playing with science
  2. Participating in Emergency preparedness and disaster recovery
  3. Engaging with like-minded people

It's funny that when I take breaks from ham radio it is usually the people that bring me back to it, when I replace equipment it is dictated by what could be used in an emergency... but what keeps me up at night scheming and planning is still the idea of modulating radio waves with some form of information... and being able to do something with it... often over a fair bit of distance.

Having been in this for 20+ years, I have had several different setups.  They probably each need a review at some point of what I did right and what I did wrong.  I like to think I evaluate those things as I design the next one... but sometimes I think I just put things where I think they will look cool, and be accessible to my operating style.

Circa 2008 with my oldest child, operating an antique Vibroplex bug.

Man, what did I do with those LED lights...that was sweet

This is the same setup as the picture above, circa 2016.  I was a VP of Engineering for a startup.  In many ways, it was the most fun work I have done, designing and prototyping hardware.  This was also the first countertop desk I made.

Preparing for our move across the country in 2017.

One of several folding table stations I have had over the years.

My first attempt at a station in this house.  It never really worked out, couldn't get cables ran out of the room in a functional way.

Final throw-back to the worst antenna setup I ever did.  I was stupid and put it way too close to where the power came into the house.  We are lucky there was no incident... but don't be me... don't be dumb

So, onto the present shack:  
The desk itself is an L-shaped countertop with shelving along part of the backstretch for radios.  The Bottom shelf does extend over the desk for easier operation of the rigs.  My primary desktop sits next to the station rack, and 120v UPS sits below.   

The eventual goal is to get all the wires and such off the floor. I have 3 kids under 2 years old right now, and my kids have always been welcome in my radio shack.


The coax generally exists in varying states of disarray, but in this case, it is run and tidy.  You can also see a ground bus behind the second shelf, which is all tied to the main ground, and ground rods outside.  I use DRF-400 low-loss coax for 90% of my runs.

From my primary operating position, I use an Icom IC-7300 for HF and an Icom IC-9700 for local VHF/UHF work and satellite operation.  I go between a Shure SM-58 and a Sennheiser MD-421 II as my microphone on HF, and generally use the standard hand-mic on VHF/UHF.  Headphones are the Beyerdynamic 250 OHM DT 770 Pros with a JDS Labs Headphone preamp.  My CW key is a Begali Simplex.

I am a systems administrator by trade so every chance I get to rack things... I do.  On top of the rack is a mess of DC power distribution.  The next unit down, with the front plug, is a Furman power conditioner.  Then a power distribution unit.  Anything in a radio path is either on DC or goes through the power conditioner.  Then there is an 8 port Cisco 2960G that connects to my main rack via fiber so that everything is isolated.  Next is cable management and a West Mountain Super PWRGate.  Below that is an Astron SRM-50M.  The fans below that are switched controlled, but hardly ever needed.  The space below that is about 30ah of battery backup.

The aforementioned mess of 12-volt wires.  Everything is fused and terminated in power-poles.  I use a West Mountain RR/4008H for distribution.  On the left, you can see the USB power supply for my tablet and surface and a USB switch to switch the two main radios between my Surface Pro 7 and my desktop.

While it certainly deserves its own post, I am now running an APRS digipeater/IGate using an old Yaesu FT-2800M and a Microsat WX3IN1 Plus 2.0.  At some point it will get weather added to it... but I am not there yet.

Moving out of the shack and into the adjoining utility closet is a used Motorola SLR-5700 that I am in the process of repurposing as a DMR repeater.


Moving a little further out, you can see the generator and lightning protection. I use Polyphasers for most things, but also have an Alpha Delta for passing DC to the 440 preamp on the roof.



Finally, some pictures of the M2 Eggbeaters I use for both terrestrial and satellite VHF/UHF work.  Still working to clean up the install, but they work and I have made lots of contacts on them.  I do use a SSB-Electronic SB-70 Preamp on 440MHz.  Currently, I am using a very sloppy G5RV for HF, but it is not really worth taking a picture of.

Also pictured throughout, but not as exciting to talk about:














20 September 2019

The Power of DNS


Years ago I wrote a somewhat shallow article on setting up a couple recursive BIND DNS servers to take the load off of the domain controllers titled The Day the DNS Died / BIND Triage Server Array.  I was pleased, although a little surprised, to hear recently that those machines are still ticking away.  There are so many more elegant ways to fix those problems now, but I guess BIND is bulletproof, and if it ain't broke, don't fix it.

Madness


What IS broken are the number of small networks, or isolated subnets of larger networks that don't have a DNS server.  I was recently doing some security consulting for a client, and a recommended that they disable netbios on all the machines (NetBIOS can help to mitigate an attacker's ability to: poison and spoof responses, obtain a user's hashed credentials, inspect web traffic, etc. That is another blog post) and the next day I got a call that they couldn't reach any network resources any more..... huh?  No dns, they were relying on netbios to resolve everything.  It's madness.

I have seen this all over the place, or worse, I have seen where net-admins don't want to spend the time to put dns on an isolated network or protected DMZ and just put everything in HOST files... MADNESS.

A DNS server, a DNS server, my Kingdom for a DNS server


We are going to walk through a simple, but powerful DNS server option called PowerDNS.  It is extensible, capable, flexible, and powerful... see what I did there.  We are going to use a SQL backend, because anyone can use a zone file (technically this can to).  The advantage of the SQL backend is historical data and the speed of not having to parse an entire text file.  We can even talk about front end options.  At the very end, we will add in a recursor, for those who need more than an authoritative dns for a closed system (i.e. internet access)

Housekeeping


I don't know the state of your server, but lets assume your the type of person who has been relying on NETBIOS and logs into SSH as root.

1. Forget about the Ubuntu server and run CentOS, otherwise lots of this tutorial won't make sense.
2. Create a user that can sudo

adduser username
passwd username
usermod -aG wheel username

2. Remove root from being able to ssh

sudo vi /etc/ssh/sshd_config
PermitRootLogin no
sudo service sshd restart

3.  Setup the firewall

sudo yum install firewalld
sudo systemctl enable firewalld
sudo systemctl start firewalld
sudo firewall-cmd --list-all
sudo firewall-cmd --zone=public --permanent --add-service=dns
sudo firewall-cmd --reload

4. Reboot

5. Make sure you are fresh and clean .... update.

sudo yum update

Finally to Business


1. Install Pre-Reqs

sudo yum install epel-release yum-plugin-priorities wget bind-utils net-tools

2. Install and configure MariaDB

sudo yum -y install mariadb-server mariadb
sudo systemctl enable mariadb.service
sudo systemctl start mariadb.service
sudo mysql_secure_installation

3. Install PowerDNS

sudo curl -o /etc/yum.repos.d/powerdns-auth-41.repo https://repo.powerdns.com/repo-files/centos-auth-41.repo
sudo yum install pdns
sudo yum install pdns-backend-mysql

4. Do Scary things with MariaDB
Don't freak out, we will take these one at a time

mysql -u root -p

CREATE DATABASE powerdns;
GRANT ALL ON powerdns.* TO 'powerdns'@'localhost' IDENTIFIED BY 'PASSWORD';
FLUSH PRIVILEGES;
USE powerdns;

SCHEME

CREATE TABLE domains (
id INT AUTO_INCREMENT,
name VARCHAR(255) NOT NULL,
master VARCHAR(128) DEFAULT NULL,
last_check INT DEFAULT NULL,
type VARCHAR(6) NOT NULL,
notified_serial INT UNSIGNED DEFAULT NULL,
account VARCHAR(40) CHARACTER SET 'utf8' DEFAULT NULL,
PRIMARY KEY (id)
) Engine=InnoDB CHARACTER SET 'latin1';
CREATE UNIQUE INDEX name_index ON domains(name);

CREATE TABLE records (
id BIGINT AUTO_INCREMENT,
domain_id INT DEFAULT NULL,
name VARCHAR(255) DEFAULT NULL,
type VARCHAR(10) DEFAULT NULL, 
content VARCHAR(64000) DEFAULT NULL,
ttl INT DEFAULT NULL,
prio INT DEFAULT NULL,
change_date INT DEFAULT NULL,
disabled TINYINT(1) DEFAULT 0,
ordername VARCHAR(255) BINARY DEFAULT NULL,
auth TINYINT(1) DEFAULT 1,
PRIMARY KEY (id)
) Engine=InnoDB CHARACTER SET 'latin1';

CREATE INDEX nametype_index ON records(name,type);
CREATE INDEX domain_id ON records(domain_id);
CREATE INDEX ordername ON records (ordername);

CREATE TABLE supermasters (
ip VARCHAR(64) NOT NULL,
nameserver VARCHAR(255) NOT NULL,
account VARCHAR(40) CHARACTER SET 'utf8' NOT NULL,
PRIMARY KEY (ip, nameserver)
) Engine=InnoDB CHARACTER SET 'latin1';

CREATE TABLE comments (
id INT AUTO_INCREMENT,
domain_id INT NOT NULL,
name VARCHAR(255) NOT NULL,
type VARCHAR(10) NOT NULL,
modified_at INT NOT NULL,
account VARCHAR(40) CHARACTER SET 'utf8' DEFAULT NULL,
comment TEXT CHARACTER SET 'utf8' NOT NULL,
PRIMARY KEY (id)
) Engine=InnoDB CHARACTER SET 'latin1';

CREATE INDEX comments_name_type_idx ON comments (name, type);
CREATE INDEX comments_order_idx ON comments (domain_id, modified_at);

CREATE TABLE domainmetadata (
id INT AUTO_INCREMENT,
domain_id INT NOT NULL,
kind VARCHAR(32),
content TEXT,
PRIMARY KEY (id)
) Engine=InnoDB CHARACTER SET 'latin1';
CREATE INDEX domainmetadata_idx ON domainmetadata (domain_id, kind);

CREATE TABLE cryptokeys (
id INT AUTO_INCREMENT,
domain_id INT NOT NULL,
flags INT NOT NULL,
active BOOL,
content TEXT,
PRIMARY KEY(id)
) Engine=InnoDB CHARACTER SET 'latin1';
CREATE INDEX domainidindex ON cryptokeys(domain_id);

CREATE TABLE tsigkeys (
id INT AUTO_INCREMENT,
name VARCHAR(255),
algorithm VARCHAR(50),
secret VARCHAR(255),
PRIMARY KEY (id)
) Engine=InnoDB CHARACTER SET 'latin1';
CREATE UNIQUE INDEX namealgoindex ON tsigkeys(name, algorithm);
quit;

That was a bit..... now go get a coffee and some chocolate, maybe a nice glass of scotch.  In this example we are installing PDNS 4.1 because I like it and I think it is very stable.  If you install a different version, there is a different scheme... always reference this: https://doc.powerdns.com/authoritative/guides/basic-database.html

5. Configure PDNS

sudo mv /etc/pdns/pdns.conf /etc/pdns/pdns.conf.bu
sudo vi /etc/pdns/pdns.conf

# pdns.conf
launch=gmysql
gmysql-host=localhost
gmysql-dbname=powerdns
gmysql-user=powerdns
gmysql-password=PASSWORD
gmysql-dnssec=yes

loglevel=10
log-dns-queries=1

6. Start her up

sudo systemctl enable pdns.service
sudo systemctl start pdns.service

7. Add Zones and Records

Start Simple.  Use the pdnsutil command to create zones and records (https://doc.powerdns.com/authoritative/manpages/pdnsutil.1.html)

pdnsutil:

create-zone ZONE
Create an empty zone named ZONE.

add-record ZONE NAME TYPE [TTL] CONTENT

Add one or more records of NAME and TYPE to ZONE with CONTENT and optional TTL. If TTL
is not set, the default will be used.

Example:

# pdnsutil create-zone example.com ns1.example.com
Creating empty zone 'example.com.'
Also adding one NS record
# pdnsutil add-record example.com ns1 A 192.168.1.2
New rrset:
ns1.example.com. IN A 3600 192.168.1.2

# pdnsutil list-zone example.com
example.com.    3600    IN      NS      ns1.example.com.
example.com.    3600    IN      SOA     ns1.example.com hostmaster.example.com 1 10800 3600 604800 3600
ns1.example.com.        3600    IN      A       192.168.1.2

$ dig +noall +answer ns1.example.com @127.0.0.1 
ns1.example.com.        3600    IN      A       192.168.1.2

Done .... ish

There are 3 other, possible simpler, methods for managing PDNS.

1. Webmin - Follow the instructions, use the MySQL plugin to manage your data.
2. phpMyAdmin -  Same as above.  Follow the instructions, manage everything in the tables you just created.
3. PowerAdmin - PowerAdmin is purpose built for PDNS.  I recommend it on at least one machine.  I don't use it on all of them, because I have replication enabled, but it is a simple powerful interface with minimal weight.

To install PowerAdmin


Follow these Directions: https://www.howtoforge.com/how-to-install-powerdns-and-poweradmin-on-centos-7/

Finally


So, everything is installed, and running, if you have worked through some bugs, but now have a major hangup.... it resolves all of your internal networks, but it won't resolve the google.com ... or *gasp* it won't resolve tomvoboril.com.

Recursion.

In a network, it is really a better practice to separate out your authoritative DNS servers, which we just built, and your internal recursive DNS servers.  Simple said.  If you did not need anything to resolve internally, you would just point to your ISPs DNS, or google's DNS, or OpenDNS, etc.  It is very simple to install a small recursor to break out traffic between internal and external.  We will run it on the same server as the authoritative, and do some fancy binding.

1. Install PowerDNS Recursor

sudo yum install pdns-recursor

2. Configure pdns-recursor

sudo mv /etc/pdns-recursor/pdns-recursor.conf /etc/pdns/pdns-recursor.conf.bu
sudo vi /etc/pdns-recursor/pdns-recursor.conf

local-address=your.ip.for.machine.goes.here
forward-zones=yournetwork.localname=127.0.0.1

2 lines of config.  make sure you bind it to the boxes IP, and the network.local is whatever you want the authoritative to run.

3.  Configure PDNS to bind to local.

sudo mv /etc/pdns/pdns.conf /etc/pdns/pdns.conf.bu2
sudo vi /etc/pdns/pdns.conf

local-address=127.0.0.1
launch=gmysql
gmysql-host=localhost
gmysql-dbname=powerdns
gmysql-user=powerdns
gmysql-password=PASSWORD
gmysql-dnssec=yes

loglevel=10
log-dns-queries=1

Add the yellow highlighted line to your PDNS config

sudo systemctl restart pdns.service
sudo systemctl enable pdns-recursor.service
sudo systemctl start pdns-recursor.service

Try it now....

18 September 2019

Redmine 4 with Puma and Nginx on Centos

Everyone's environments are different, but this should work for most and avoid some pitfalls that you are likely to fall into if you follow some of the other tutorials out there.
First and Foremost, get Centos 7 Minimum installed, make sure it has access to the internet and that your account is a sudoer.  Don't use root.... RVM doesn't like that.

Next install your core bits

sudo yum update
sudo yum install vim curl zlib-devel curl-devel openssl-devel httpd-devel apr-devel apr-util-devel mysql-devel ftp wget ImageMagick-devel gcc-c++ patch readline readline-devel zlib libyaml-devel libffi-devel make bzip2 autoconf automake libtool bison subversion sqlite-devel
sudo yum install epel-release
sudo yum install nginx

At this point, I leave it up to you how you want to deal with selinux.  You can search the internets to get a better idea, you can either disable temporarily or edit the config file and disable it.

sudo setenforce 0
sudo vim /etc/selinux/config

Next, take a moment to install MariaDB, and secore it, before we go on to configure it.

sudo yum install mariadb-server
sudo systemctl start mariadb
sudo systemctl enable mariadb

mysql_secure_installation

mysql -uroot -p

Now we setup the redmine database.  Pay attention to where you need to supply the password.

mysql -uroot -p
MariaDB [(none)]> CREATE DATABASE redmine CHARACTER SET utf8;
MariaDB [(none)]> GRANT ALL PRIVILEGES ON redmine.* TO 'redmine'@'localhost' IDENTIFIED BY 'redmine_passwd';
MariaDB [(none)]> FLUSH PRIVILEGES;
MariaDB [(none)]> \q

Finally we get to install RVM and the magic begins.

\curl -sSL https://get.rvm.io | sudo bash -s stable

You might get told to download the gpg key, do so. At the end you will get a message that contains a few important things. PAY ATTENTION

  * First you need to add all users that will be using rvm to 'rvm' group,
    and logout - login again, anyone using rvm will be operating with `umask u=rwx,g=rwx,o=rx`.

  * To start using RVM you need to run `source /etc/profile.d/rvm.sh`
    in all your open shell windows, in rare cases you need to reopen all shell windows.
  * Please do NOT forget to add your users to the rvm group.

So take a moment to add yourself and nginx to the rvm group.  After that, log out, reboot, get some coffee.

 sudo usermod -a -G rvm USER
 sudo usermod -a -G rvm nginx

Now, we are going to do 4 things.
1. Install Ruby 2.5.5
2. Create a gemset for our application
3. Use said gemset
4. Make any other user who is working on this with us lives easier by setting said gemset as the default.

rvm install ruby-2.5.5
rvm gemset create redmine
rvm use 2.5.5@redmine
rvm use --default 2.5.5@redmine

Onwards to Redmine

We are going to put it in /var/www because that is what normal people do (here is looking at you ubuntu)

Follow the next few steps and we will meet back at the database config

cd /var/www
sudo svn co http://svn.redmine.org/redmine/branches/4.0-stable redmine

sudo cp redmine/config/configuration.yml.example redmine/config/configuration.yml
sudo cp redmine/config/database.yml.example redmine/config/database.yml

sudo vim redmine/config/database.yml


Ok, We are using Maria DB, so we are going to configure mysql12 in the Production enviroment.  It should look like this:

production:
  adapter: mysql2
  database: redmine
  host: localhost
  username: redmine
  password: "redmine_passwd"
  encoding: utf8

Now, a small aside, we want to add the Gem "puma" to our gemfile in Redmine under production, and remove it from test and development.

sudo vim /var/www/redmine/Gemfile

source 'https://rubygems.org'

gem "bundler", ">= 1.5.0"

gem "rails", "5.2.3"
gem "puma"
gem "rouge", "~> 3.3.0"
gem "request_store", "1.0.5"
gem "mini_mime", "~> 1.0.1"
gem "actionpack-xml_parser"
gem "roadie-rails", "~> 1.3.0"
gem "mimemagic"
gem "mail", "~> 2.7.1"
gem "csv", "~> 3.0.1" if RUBY_VERSION >= "2.3" && RUBY_VERSION < "2.6"

gem "nokogiri", (RUBY_VERSION >= "2.3" ? "~> 1.10.0" : "~> 1.9.1")
gem "i18n", "~> 0.7.0"
gem "xpath", "< 3.2.0" if RUBY_VERSION < "2.3"


Make sure it is up there at the top, and NO WHERE ELSE.

Now, from www change the owner of redmine to your user, install bundler and run the bundler.

sudo chown USER -R redmine
gem install bundler
bundle install --without development test

If that all goes well, get the database setup

rake generate_secret_token
RAILS_ENV=production rake db:migrate
RAILS_ENV=production REDMINE_LANG=en rake redmine:load_default_data

Now, from WWW, make a place for your puma socket to run (you may have to give it 777 or user nginx if you run into problems.

sudo mkdir share
sudo mkdir share/sockets

Almost done, change the owner of redmine to nginx and load up you puma.service file

sudo chown nginx -R redmine
sudo vim /etc/systemd/system/puma.service

The local ruby/puma wizard at work helped me whip up this next file.  There are options in there to do things a few different ways, but if you leave it as is, you should be fine.  You can see you can also test by putting it on a local port.

[Unit]
Description=Puma HTTP Server
After=network.target

[Service]
# Foreground process (do not use --daemon in ExecStart or config.rb)
Type=simple

# Preferably configure a non-privileged user
User=nginx

# The path to the puma application root
WorkingDirectory=/var/www/redmine

# The command to start Puma. The top one creates a scocke
# The bottom one creates a port
ExecStart=/usr/local/rvm/wrappers/ruby-2.5.5@redmine/bundle exec puma -e production -b unix:///var/www/share/sockets/puma.sock
#ExecStart=/usr/local/rvm/wrappers/ruby-2.5.5@redmine/bundle exec puma -e production -b "tcp://0.0.0.0:3000"

# Variant: Use config file with `bind` directives instead:
# ExecStart=<WD>/sbin/puma -C config.rb
# Variant: Use `bundle exec --keep-file-descriptors puma` instead of binstub

Restart=always

[Install]
WantedBy=multi-user.target


Now make a copy of your nginx configuration, and edit it to add : include sites-enabled

sudo cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bu
sudo vim /etc/nginx/nginx.conf

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
    server {

You can remove the default server, but change it to port 81 if you do.  It can be good for testing.
Right above server... add that line.  Now, make some sites to include

sudo mkdir /etc/nginx/sites-enabled
sudo vim /etc/nginx/sites-enabled/redmine.conf

There are, again, two options here.  The port is for testing, the socket is for production

#server {
#  listen 80;
#  listen [::]:80;
#
#  server_name yoursite.com;
#
#  location / {
#      proxy_pass http://localhost:3000/;
#  }
#}

# http context

upstream backend_hosts {
#    server localhost:3000;
     server unix:///var/www/share/sockets/puma.sock;
}

server {
    listen 80;
    server_name yoursite.com;

    location / {
        proxy_pass http://backend_hosts;
    }
}

Now, wrap everything up, enable the things, open the firewall, and do a good reboot at some point to make sure it ACTUALLY works.

sudo systemctl enable puma
sudo systemctl enable nginx
sudo systemctl start puma
sudo systemctl start nginx
sudo service nginx status
sudo service puma status
sudo firewall-cmd --permanent --zone=public --add-service=http 
sudo firewall-cmd --reload