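#!/usr/bin/env bash
# Linode CentOS bootstrap runbook: base hardening, fail2ban, firewalld, Docker,
# nginx + certbot, app container, watchtower.
#
# This is a step-by-step checklist meant to be run by hand, in order -- not a
# script to execute end to end: some steps run on the dev machine, some need a
# log-out/log-in before the next step takes effect, and some are manual edits.
# That is also why there is no `set -euo pipefail` at the top.

### create linode - https://www.linode.com/docs/getting-started/#create-a-linode
# use random password and save in lastpass
# update packages
yum update
# set hostname
hostnamectl set-hostname example_hostname
# set timezone
timedatectl set-timezone 'America/Los_Angeles'

### secure server - https://www.linode.com/docs/security/securing-your-server/
# turn on automatic updates - if skipping this then set a reminder to update the system manually once a month
# add limited user account and add to wheel group
useradd stduser && passwd stduser
usermod -aG wheel stduser
# log out and log back in with limited user
# create .ssh folder on linode server (it is your own home dir, so sudo is not
# needed; chmod never changes ownership either way)
mkdir -p ~/.ssh && chmod 700 ~/.ssh
# ON DEV COMPUTER - copy ssh public key to linode (named id_rsa in this example);
# replace <LINODE_IP> with the server address. NOTE: scp OVERWRITES any existing
# authorized_keys -- fine on a fresh server, otherwise append instead
# (`ssh-copy-id -i ~/.ssh/id_rsa.pub stduser@<LINODE_IP>` appends safely).
# NOTE: to add multiple ssh keys see this article - https://www.cyberciti.biz/tips/linux-multiple-ssh-key-based-authentication.html
scp ~/.ssh/id_rsa.pub stduser@<LINODE_IP>:~/.ssh/authorized_keys
# back on linode set permissions for the .ssh dir and the authorized_keys file
chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys
# now open a SECOND ssh session using the keypair and confirm it works BEFORE
# disabling password auth below -- otherwise you can lock yourself out
# disallow root ssh logins and password auth over ssh (https://www.linode.com/docs/security/securing-your-server/#ssh-daemon-options)
# edit /etc/ssh/sshd_config, change to "PermitRootLogin no" and "PasswordAuthentication no"
# validate the config first (a syntax error would leave sshd down after restart),
# then restart; keep the existing session open until a fresh key login succeeds
sudo sshd -t && sudo systemctl restart sshd

### install fail2ban - https://www.linode.com/docs/security/using-fail2ban-for-security/
# install from yum
yum update && yum install epel-release
yum install fail2ban
# if you want sendmail then also install it
yum install sendmail
# start services
systemctl start fail2ban
systemctl enable fail2ban
systemctl start sendmail
systemctl enable sendmail
# configure fail2ban - https://www.linode.com/docs/security/using-fail2ban-for-security/#configure-fail2ban
# copy default conf file to .local file to make changes (never edit the .conf
# files directly -- package updates overwrite them)
cp /etc/fail2ban/fail2ban.conf /etc/fail2ban/fail2ban.local
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
# go into jail.local and uncomment [sshd] \ enabled = true and set backend = systemd
# (then `systemctl restart fail2ban` so the jail is actually loaded)

### remove unused services - https://www.linode.com/docs/security/securing-your-server/#determine-running-services

### setup firewall - https://www.linode.com/docs/security/firewalls/introduction-to-firewalld-on-centos/
# start and enable the firewalld service
sudo systemctl start firewalld
sudo systemctl enable firewalld
# check status is running now
sudo firewall-cmd --state
# set zone to dmz (most locked down; dmz still allows ssh, so this does not
# cut off the session)
sudo firewall-cmd --set-default-zone=dmz
# bind eth0 to dmz permanently; without --permanent the binding only lives
# until the --reload below
sudo firewall-cmd --permanent --zone=dmz --add-interface=eth0
# turn on http and https service rule
sudo firewall-cmd --zone=dmz --add-service=http --permanent
sudo firewall-cmd --zone=dmz --add-service=https --permanent
# reload firewalld so rules take effect
sudo firewall-cmd --reload
# check status of dmz zone
sudo firewall-cmd --zone=dmz --list-all

##### DOCKER ########
### install docker (centos) - https://docs.docker.com/install/linux/docker-ce/centos/
# install required packages
sudo yum install -y yum-utils \
  device-mapper-persistent-data \
  lvm2
# add stable repo
sudo yum-config-manager \
  --add-repo \
  https://download.docker.com/linux/centos/docker-ce.repo
# install docker packages
sudo yum install docker-ce docker-ce-cli containerd.io
### manage docker as non-root user - https://docs.docker.com/install/linux/linux-postinstall/#manage-docker-as-a-non-root-user
# NOTE: membership in the docker group is effectively root on the host (anyone
# in it can start a privileged container); only add the admin account.
# Log out and back in afterwards for the group change to apply.
sudo groupadd docker
sudo usermod -aG docker "$USER"
# have docker start on boot - https://docs.docker.com/install/linux/linux-postinstall/#configure-docker-to-start-on-boot
sudo systemctl enable docker
# add docker to trusted zone in firewalld
# NOTE: docker manages its own iptables rules, so ports published with -p are
# reachable from outside regardless of the dmz zone rules above
sudo firewall-cmd --permanent --zone=trusted --change-interface=docker0
sudo firewall-cmd --reload

### install nginx + certbot docker images - https://github.com/wes566/nginx-certbot
sudo yum install git
git clone https://github.com/wes566/nginx-certbot.git
cd nginx-certbot
# add domains and email address to init-letsencrypt.sh
vim init-letsencrypt.sh
# update domains in app.conf
vim data/nginx/app.conf
./init-letsencrypt.sh
docker-compose up -d

### Start your web server container
# -p 3000:8080 publishes on ALL host interfaces (see firewalld note above); if
# only the local nginx should reach it, bind to loopback: -p 127.0.0.1:3000:8080
docker run -dit --name my_server -e NODE_ENV=production --restart unless-stopped -p 3000:8080 wes566/myserver

### run watchtower so any updates to container registry get automatically pulled down and run
# from https://github.com/containrrr/watchtower/
# env file is watchtower.env (created separately; keep registry credentials
# there, not on the command line). Mounting docker.sock gives the watchtower
# container full control of the docker daemon, i.e. root on the host -- pin to
# a known image version if possible.
docker run -d --name watchtower --env-file ./watchtower.env -v /var/run/docker.sock:/var/run/docker.sock containrrr/watchtower --cleanup my_server

###### TODO
# figure out how to deploy api server via CI
# figure out how to scrape nginx/certbot logs (host them on status page or something, see https://nomadlist.com/open for example)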
create a watchtower.env file with the following