Gm
Applications Azure

Galette Membership Management on Ubuntu 24.04 on Azure User Guide

| Product: Galette Membership Management on Ubuntu 24.04 LTS on Azure

Overview

Galette is the open source membership management platform for non profit associations, clubs and community groups. It brings member records, membership contributions and dues, groups, mailings, PDF membership cards and receipts, a public self subscription page and a CSV import and export suite together in one web interface. The cloudimg image ships Galette 1.2.1 served by nginx and PHP 8.3 FPM on a hardened, fully patched Ubuntu 24.04 LTS base, together with a bundled local MariaDB server so the appliance is complete and useful on its own. The install is pre completed and the web installer is removed, so the platform is ready the moment the instance boots. The bundled MariaDB listens only on the loopback interface (127.0.0.1:3306). A unique superadmin password is generated on the first boot of every VM. Backed by 24/7 cloudimg support.

What is included:

  • Galette 1.2.1 served by nginx and PHP 8.3 FPM, managed by systemd
  • A bundled MariaDB server holding the Galette database, already installed and ready
  • The install pre completed and the web installer removed, so no setup wizard is ever exposed
  • A per VM superadmin password generated on first boot and recorded in a root only file
  • No shipped default login: the superadmin password ships rotated to a discarded random and the real per VM password is set on first boot
  • MariaDB bound to 127.0.0.1 only, never exposed to the network
  • nginx.service, php8.3-fpm.service and mariadb.service as enabled systemd units
  • An unauthenticated /healthz endpoint for Azure Load Balancer health probes
  • 24/7 cloudimg support

Prerequisites

An active Azure subscription, an SSH key pair, and a VNet plus subnet in the target region. Standard_B2s (2 vCPU / 4 GiB RAM) is a sensible starting point for a small to medium association; step up to a larger size for a large membership. NSG inbound: allow 22/tcp from your management network, 80/tcp for the application and 443/tcp if you terminate TLS on the VM. The bundled MariaDB is never exposed: it listens on 127.0.0.1 only, so port 3306 stays off the network.

Step 1 - Deploy from the Azure Marketplace

Sign in to the Azure Portal, choose Create a resource, search the Marketplace for Galette by cloudimg, and select Create. On Basics pick your subscription, resource group, region and size; under Administrator account choose SSH public key and paste your key; under Inbound port rules allow SSH (22), HTTP (80) and HTTPS (443). Then Review + create then Create.

Step 2 - Deploy from the Azure CLI

az vm create \
  --resource-group <your-rg> \
  --name galette \
  --image <marketplace-image-urn> \
  --size Standard_B2s \
  --admin-username azureuser \
  --generate-ssh-keys \
  --public-ip-sku Standard

Then open ports 80 and 443:

az vm open-port --resource-group <your-rg> --name galette --port 80,443

Step 3 - Confirm the services are running

SSH in as azureuser and confirm nginx, PHP FPM, MariaDB and the first boot service are all active. Note that MariaDB listens only on 127.0.0.1:3306 while nginx serves Galette on port 80.

systemctl is-active nginx php8.3-fpm mariadb galette-firstboot
ss -tlnp | grep -E ':80 |:3306 ' | sed 's/  */ /g'

The nginx, php8.3-fpm, mariadb and galette-firstboot services active, with nginx on port 80 and MariaDB bound to loopback 127.0.0.1:3306

Step 4 - Retrieve the per VM superadmin password

Every VM generates its own Galette superadmin password on first boot and writes it, along with the login user and the application URL, to a root only credentials file. Read it with sudo:

sudo cat /root/galette-credentials.txt

The per VM Galette credentials file, showing the superadmin login user, the generated password masked, the application URL and the loopback MariaDB details

You sign in to Galette as user admin with the GALETTE_ADMIN_PASSWORD from this file. On the box itself you can also run sudo mariadb to reach the database directly over the local socket without a password.

Step 5 - Sign in

Browse to http://<vm-public-ip>/. You land on the Galette sign in page. Enter username admin and the password from Step 4.

The Galette sign in page showing the login and password fields and the login button

After signing in you land on the Galette dashboard, which gives you quick access to members, contributions, mailings and management from a single view.

The Galette dashboard after signing in as the superadmin, with the left navigation menu and the activities tiles for members, contributions, mailings and more

Step 6 - Configure your association and preferences

Open Configuration then Settings to set your association identity, currency, membership defaults and email preferences, and to create your first staff member. The image already completes the base install, so you can start entering members straight away.

The Galette preferences and settings page where you configure the association identity, membership defaults and email

Step 7 - Manage members

Open Members in the left menu to add and manage your members. Each member record holds contact details, membership status, groups, contributions and dues history, and can generate a PDF membership card.

The Galette members list showing the member columns with the search and filter controls

Step 8 - Record contributions and dues

Galette tracks membership fees and donations. Open Contributions to record a membership fee or a donation against a member, set the contribution period, and Galette keeps each member's up to date or overdue status. You can also send membership reminders and generate receipts.

Step 9 - No known or default credentials

The cloudimg image ships with the Galette superadmin password rotated to a discarded random value, and the real per VM superadmin password is generated with a unique random secret on the first boot of every VM. No known or blank credential authenticates. You can prove this with the built in round trip check, which confirms the per VM superadmin signs in through Galette's own login form while a blank password and common weak guesses are all rejected. The admin superadmin is stored in Galette's preferences, not as a member:

mariadb --protocol=socket -uroot -N -e "SELECT CONCAT(val_pref,'  (Galette superadmin)') FROM galette.galette_preferences WHERE nom_pref='pref_admin_login'"
sudo bash /usr/local/sbin/galette-cred-roundtrip.sh

The admin account as the Galette superadmin, and the round trip check confirming the per VM superadmin authenticates via the Galette login form while blank and weak guesses are rejected

Step 10 - Verify the stack and where your data lives

Confirm the installed Galette schema version, the health endpoint and where your data lives. The MariaDB database lives at /var/lib/mysql and Galette's uploaded and generated files (member photos, attachments, exports and imports) live under /var/www/galette/galette/data, both on the instance disk that rides with the VM:

mariadb --protocol=socket -uroot -N -e "SELECT CONCAT('Galette schema ',version) FROM galette.galette_database"
curl -sI http://127.0.0.1/healthz | head -1
du -sh /var/lib/mysql /var/www/galette/galette/data 2>/dev/null

The installed Galette schema version, the healthz endpoint returning 200, and the disk usage of the MariaDB database and the Galette data directory

Adding your own domain and TLS

The appliance serves plain HTTP on port 80. For production, point a DNS record at your VM and obtain a certificate with Let's Encrypt:

sudo apt-get install -y certbot python3-certbot-nginx
sudo certbot --nginx -d <your-domain>

Galette derives its base URL from the request, so once you reach the VM on your domain over HTTPS the links render correctly with no further change.

Backing up

Your data is the Galette database plus the uploaded and generated files. Dump the database and archive the data directory:

sudo mysqldump --protocol=socket -uroot galette > /tmp/galette-backup.sql
sudo tar czf /tmp/galette-data-backup.tar.gz -C /var/www/galette/galette data

Copy both files off the VM on your usual schedule. To restore, load the SQL dump into the galette database and unpack the archive back to /var/www/galette/galette/data.

Security notes

  • Galette serves plain HTTP on port 80 out of the box. For anything beyond a trusted network, add your own domain and TLS as above, or front the VM with Azure Application Gateway.
  • The bundled MariaDB listens on 127.0.0.1 only and is never reachable from the network. Administer it through Galette or over SSH with sudo mariadb.
  • The superadmin password is unique per VM and no known or blank credential authenticates. Keep /root/galette-credentials.txt protected. To rotate the password, sign in and change it, or from the box set a new bcrypt directly:
sudo mariadb galette -e "UPDATE galette_preferences SET val_pref='$(php -r "echo password_hash('"'"'<new-password>'"'"', PASSWORD_BCRYPT);")' WHERE nom_pref='pref_admin_pass'"
  • The web installer and the compatibility test scripts are removed from the document root, and Galette's config and data trees live outside the web root, so they are never web reachable.
  • Apply operating system updates regularly with sudo apt update && sudo apt upgrade; unattended security updates are enabled by default.
  • Restrict inbound 80/tcp and 443/tcp in your NSG to the networks that need access.

Trademark

Galette is an open source project distributed under the GNU General Public License version 3 or later. This image is an independent packaging of the open source Galette software by cloudimg and is not affiliated with, sponsored by, or endorsed by the Galette project.

Support

This image is maintained by cloudimg with 24/7 support. If you need help deploying or operating Galette on Azure, contact us at cloudimg.co.uk.