Last active
February 4, 2025 18:21
-
-
Save nikola43/134066944e12d3e33c3e473ec6f47a8a to your computer and use it in GitHub Desktop.
Deploying subgraph on Ubuntu 24.04
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 1 - Update and patch the system: | |
| sudo apt update && apt upgrade -y | |
| 2 - Create a non-root user with sudo privileges: | |
| adduser newusername | |
| usermod -aG sudo newusername | |
| 3 - Configure SSH security: | |
| # Edit /etc/ssh/sshd_config: | |
| Port 2222 # Change default port | |
| PermitRootLogin no | |
| PasswordAuthentication no | |
| PubkeyAuthentication yes | |
| AllowUsers newusername | |
| 4 - Set up SSH key authentication: | |
| ssh-keygen -t ed25519 -C "[email protected]" | |
| ssh-copy-id -i ~/.ssh/id_ed25519.pub newusername@your_server_ip | |
| 5 - Configure firewall (using UFW for Ubuntu/Debian): | |
| sudo ufw default deny incoming | |
| sudo ufw default allow outgoing | |
| sudo ufw allow 2222/tcp # Your custom SSH port | |
| sudo ufw allow 8000/tcp | |
| sudo ufw allow 8001/tcp | |
| sudo ufw allow 8020/tcp | |
| sudo ufw allow 8030/tcp | |
| sudo ufw allow 8040/tcp | |
| sudo ufw allow 5001/tcp | |
| sudo ufw deny 22/tcp | |
| sudo ufw enable | |
| 6 - Install and configure Fail2ban: | |
| sudo apt install fail2ban | |
| 7 - Set up automatic security updates: | |
| sudo apt install unattended-upgrades | |
| sudo dpkg-reconfigure --priority=low unattended-upgrades | |
| 8 - Secure shared memory: | |
| # Add to /etc/fstab: | |
| tmpfs /run/shm tmpfs defaults,noexec,nosuid 0 0 | |
| 9 - Basic system hardening: | |
| sudo chmod 700 /root | |
| sudo chmod 600 /etc/shadow | |
| sudo chmod 600 /etc/gshadow | |
| 10 - Install and configure monitoring tools: | |
| sudo apt install logwatch | |
| 11 - Install docker-compose and enable docker service | |
| sudo apt install docker-compose | |
| sudo systemctl enable docker | |
| 11.2 Allow execute docker-compose without paste pasword | |
| # add to /etc/sudoers | |
| %sudo ALL=(ALL) NOPASSWD: /usr/bin/docker-compose | |
| 12 - Download graph-node | |
| git clone https://github.com/graphprotocol/graph-node | |
| sudo ./graph-node/docker/setup.sh | |
| sudo ./graph-node/docker/build.sh | |
| 13 - Config docker-compose.yml (see docker-compose.yml) | |
| 14 - Install supervidor (for auto start docker when server reboot) | |
| apt-get install supervisor | |
| # create supervidor config file /etc/supervisor/conf.d/graph-node.conf (see graph-node.conf) | |
| sudo supervisorctl reread | |
| sudo supervisorctl update | |
| sudo supervisorctl start graph-node | |
| 15 - Check docker continers are running | |
| sudo docker ps | |
| 16 - Check graph-node is running | |
| curl -X POST http://localhost:8030/graphql -H "Content-Type: application/json" --data '{"query": "{ version { version } }"}' | |
| # should return graph-node version | |
| {"data":{"version":{"version":"0.36.0"}}} |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # Function to update and patch the system | |
| update_system() { | |
| sudo apt update && sudo apt upgrade -y | |
| } | |
| # Function to create a non-root user with sudo privileges | |
| create_user() { | |
| read -p "Enter the username: " newusername | |
| adduser $newusername | |
| usermod -aG sudo $newusername | |
| } | |
| # Function to configure SSH security | |
| configure_ssh() { | |
| sudo sed -i 's/^#Port 22/Port 2222/' /etc/ssh/sshd_config | |
| sudo sed -i 's/^PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config | |
| sudo sed -i 's/^#PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config | |
| sudo sed -i 's/^#PubkeyAuthentication yes/PubkeyAuthentication yes/' /etc/ssh/sshd_config | |
| echo "AllowUsers $newusername" | sudo tee -a /etc/ssh/sshd_config | |
| sudo systemctl restart ssh | |
| } | |
| # Function to configure the firewall (UFW) | |
| configure_firewall() { | |
| sudo ufw default deny incoming | |
| sudo ufw default allow outgoing | |
| sudo ufw deny 22/tcp | |
| sudo ufw allow 2222/tcp | |
| sudo ufw allow 8000/tcp | |
| sudo ufw allow 8001/tcp | |
| sudo ufw allow 8020/tcp | |
| sudo ufw allow 8030/tcp | |
| sudo ufw allow 8040/tcp | |
| sudo ufw allow 5001/tcp | |
| sudo ufw enable | |
| } | |
| # Function to install and configure Fail2ban | |
| install_fail2ban() { | |
| sudo apt install fail2ban -y | |
| } | |
| # Function to set up automatic security updates | |
| setup_auto_security_updates() { | |
| sudo apt install unattended-upgrades -y | |
| sudo dpkg-reconfigure --priority=low unattended-upgrades | |
| } | |
| # Function to secure shared memory | |
| secure_shared_memory() { | |
| echo "tmpfs /run/shm tmpfs defaults,noexec,nosuid 0 0" | sudo tee -a /etc/fstab | |
| sudo mount -a | |
| } | |
| # Function to perform basic system hardening | |
| harden_system() { | |
| sudo chmod 700 /root | |
| sudo chmod 600 /etc/shadow | |
| sudo chmod 600 /etc/gshadow | |
| } | |
| # Function to install and configure monitoring tools (logwatch) | |
| install_logwatch() { | |
| sudo apt install logwatch -y | |
| } | |
| # Function to install Docker Compose and enable Docker service | |
| install_docker() { | |
| sudo apt install docker-compose -y | |
| sudo systemctl enable docker | |
| } | |
| # Function to download and set up Graph Node | |
| setup_graph_node() { | |
| git clone https://github.com/graphprotocol/graph-node | |
| cd graph-node | |
| # Replacing the docker-compose.yml file | |
| cat << EOF > docker/docker-compose.yml | |
| version: '3' | |
| services: | |
| graph-node: | |
| restart: always | |
| image: graphprotocol/graph-node | |
| ports: | |
| - '8000:8000' | |
| - '8001:8001' | |
| - '8020:8020' | |
| - '8030:8030' | |
| - '8040:8040' | |
| depends_on: | |
| - ipfs | |
| - postgres | |
| extra_hosts: | |
| - 172.18.0.1:host-gateway | |
| environment: | |
| postgres_host: postgres | |
| postgres_user: user | |
| postgres_pass: password | |
| postgres_db: graph-node | |
| ipfs: 'ipfs:5001' | |
| ethereum: 'mainnet:https://rpc.ankr.com/eth' | |
| GRAPH_LOG: info | |
| ipfs: | |
| restart: always | |
| image: ipfs/kubo:v0.17.0 | |
| ports: | |
| - '5001:5001' | |
| volumes: | |
| - /mnt/blockstorage/ipfs:/data/ipfs | |
| postgres: | |
| restart: always | |
| image: postgres | |
| ports: | |
| - '5432:5432' | |
| command: | |
| [ | |
| "postgres", | |
| "-cshared_preload_libraries=pg_stat_statements", | |
| "-cmax_connections=200" | |
| ] | |
| healthcheck: | |
| test: ["CMD-SHELL", "pg_isready -U user -d graph-node"] | |
| interval: 10s | |
| timeout: 5s | |
| retries: 10 | |
| environment: | |
| POSTGRES_USER: user | |
| POSTGRES_PASSWORD: password | |
| POSTGRES_DB: graph-node | |
| POSTGRES_INITDB_ARGS: "-E UTF8 --locale=C" | |
| volumes: | |
| - /mnt/blockstorage/postgresql/data:/var/lib/postgresql/data | |
| volumes: | |
| ipfs-data: | |
| driver: local | |
| driver_opts: | |
| type: none | |
| device: /mnt/blockstorage/ipfs | |
| o: bind | |
| postgres-data: | |
| driver: local | |
| driver_opts: | |
| type: none | |
| device: /mnt/blockstorage/postgresql/data | |
| o: bind | |
| EOF | |
| } | |
| # Function to configure supervisor for auto start | |
| configure_supervisor() { | |
| sudo apt-get install supervisor -y | |
| # Create supervisor configuration file for Graph Node | |
| cat << EOF | sudo tee /etc/supervisor/conf.d/graph-node.conf | |
| [program:graph-node] | |
| directory=/home/user/graph-node/docker | |
| command=/usr/bin/docker-compose up -d | |
| autostart=true | |
| autorestart=true | |
| user=root | |
| stderr_logfile=/var/log/graph-node.err | |
| stdout_logfile=/var/log/graph-node.log | |
| startretries=10 | |
| startsecs=5 | |
| EOF | |
| sudo supervisorctl reread | |
| sudo supervisorctl update | |
| sudo supervisorctl start graph-node | |
| } | |
| # Function to configure passwordless sudo for docker-compose | |
| configure_sudo_docker_compose() { | |
| echo "%sudo ALL=(ALL) NOPASSWD: /usr/bin/docker-compose" | sudo tee /etc/sudoers.d/docker-compose | |
| } | |
| # Function to check running Docker containers | |
| check_docker_containers() { | |
| sudo docker ps | |
| } | |
| # Function to check if Graph Node is running | |
| check_graph_node() { | |
| curl -X POST http://localhost:8030/graphql -H "Content-Type: application/json" --data '{"query": "{ version { version } }"}' | |
| } | |
| # Main function | |
| main() { | |
| update_system | |
| create_user | |
| configure_ssh | |
| configure_firewall | |
| install_fail2ban | |
| setup_auto_security_updates | |
| secure_shared_memory | |
| harden_system | |
| install_logwatch | |
| install_docker | |
| setup_graph_node | |
| configure_supervisor | |
| configure_sudo_docker_compose | |
| check_docker_containers | |
| check_graph_node | |
| } | |
| # Run the main function | |
| main | |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| version: '3' | |
| services: | |
| graph-node: | |
| restart: always | |
| image: graphprotocol/graph-node | |
| ports: | |
| - '8000:8000' | |
| - '8001:8001' | |
| - '8020:8020' | |
| - '8030:8030' | |
| - '8040:8040' | |
| depends_on: | |
| - ipfs | |
| - postgres | |
| extra_hosts: | |
| - 172.18.0.1:host-gateway | |
| environment: | |
| postgres_host: postgres | |
| postgres_user: user | |
| postgres_pass: password | |
| postgres_db: graph-node | |
| ipfs: 'ipfs:5001' | |
| ethereum: 'mainnet:https://rpc.ankr.com/eth' | |
| GRAPH_LOG: info | |
| ipfs: | |
| restart: always | |
| image: ipfs/kubo:v0.17.0 | |
| ports: | |
| - '5001:5001' | |
| volumes: | |
| - /mnt/blockstorage/ipfs:/data/ipfs | |
| postgres: | |
| restart: always | |
| image: postgres | |
| ports: | |
| - '5432:5432' | |
| command: | |
| [ | |
| "postgres", | |
| "-cshared_preload_libraries=pg_stat_statements", | |
| "-cmax_connections=200" | |
| ] | |
| healthcheck: | |
| test: ["CMD-SHELL", "pg_isready -U user -d graph-node"] | |
| interval: 10s | |
| timeout: 5s | |
| retries: 10 | |
| environment: | |
| POSTGRES_USER: user | |
| POSTGRES_PASSWORD: password | |
| POSTGRES_DB: graph-node | |
| POSTGRES_INITDB_ARGS: "-E UTF8 --locale=C" | |
| volumes: | |
| - /mnt/blockstorage/postgresql/data:/var/lib/postgresql/data | |
| volumes: | |
| ipfs-data: | |
| driver: local | |
| driver_opts: | |
| type: none | |
| device: /mnt/blockstorage/ipfs | |
| o: bind | |
| postgres-data: | |
| driver: local | |
| driver_opts: | |
| type: none | |
| device: /mnt/blockstorage/postgresql/data | |
| o: bind |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [program:graph-node] | |
| directory=/home/user/graph-node/docker | |
| command=/usr/bin/docker-compose up -d | |
| autostart=true | |
| autorestart=true | |
| user=root | |
| stderr_logfile=/var/log/graph-node.err | |
| stdout_logfile=/var/log/graph-node.log | |
| startretries=10 | |
| startsecs=5 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment