Created
May 27, 2018 20:59
-
-
Save JamesTheHacker/b57959da59e1e7baa54d74a024e936b7 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # -*- mode: ruby -*- | |
| # vi: set ft=ruby : | |
| Vagrant.configure("2") do |config| | |
| config.vm.box = "gbarbieru/xenial" | |
| config.vm.network "private_network", ip: "192.168.1.2" | |
| config.vm.synced_folder "./data", "/vagrant_data" | |
| # Copy keys | |
| config.vm.provision "file", source: "./keys/github.pub", destination: "/tmp/github.pub" | |
| config.vm.provision "file", source: "./keys/github", destination: "/tmp/github" | |
| config.vm.provision "shell" do |s| | |
| s.privileged = true | |
| ssh_pub_key = File.readlines("keys/api_user.pub").first.strip | |
| s.inline = <<-SHELL | |
| export NODE_ENV=development | |
| export [email protected] | |
| curl -sL "https://deb.nodesource.com/setup_10.x" | bash - | |
| apt-get update | |
| apt-get install -y \ | |
| build-essential \ | |
| nginx \ | |
| software-properties-common \ | |
| python \ | |
| nodejs \ | |
| ufw \ | |
| git | |
| # Generate SSL certificate and automatically configure nginx in production | |
| if [[ $NODE_ENV == "production" ]]; | |
| then | |
| echo "Setting up LetsEncrypt SSL ..." | |
| add-apt-repository ppa:certbot/certbot | |
| apt-get update | |
| apt-get install python-certbot-nginx | |
| certbot \ | |
| --standalone \ | |
| --agree-tos \ | |
| --non-interactive \ | |
| --email $CERTBOT_EMAIL \ | |
| --nginx | |
| fi | |
| # Create new unprivilated user | |
| echo "Adding user: api ..." | |
| adduser --disabled-password --gecos "" api | |
| # Copy keys | |
| mkdir /home/api/.ssh | |
| mv /tmp/github /home/api/.ssh/id_rsa | |
| mv /tmp/github.pub /home/api/.ssh/id_rsa.pub | |
| chown -R api:api /home/api/.ssh | |
| chmod 600 /home/api/.ssh/id_rsa | |
| chmod 600 /home/api/.ssh/id_rsa.pub | |
| echo #{ssh_pub_key} >> /home/api/.ssh/authorized_keys | |
| # Add github to known hosts | |
| ssh-keyscan github.com >> /home/api/.ssh/known_hosts | |
| # Copy SSH config | |
| echo "Securing SSH ..." | |
| cp /vagrant_data/sshd_config /etc/ssh/sshd_config | |
| systemctl restart sshd | |
| # Copy nginx default | |
| echo "Copying nginx site config ..." | |
| cp /vagrant_data/default /etc/nginx/sites-available/default | |
| systemctl restart nginx | |
| # Setup firewall | |
| echo "Configuring firewall ..." | |
| ufw default deny incoming | |
| ufw default allow outgoing | |
| ufw allow ssh | |
| ufw allow http | |
| ufw allow https | |
| # Start UFW | |
| echo "Restarting firewall ..." | |
| ufw --force enable | |
| echo "Server Provisioning Complete!" | |
| SHELL | |
| end | |
| end |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment