logo

drewdevault.com

[mirror] blog and personal website of Drew DeVault git clone https://hacktivis.me/git/mirror/drewdevault.com.git

new-server.html (4623B)

    

  1. <h1>New Server Checklist</h1>
  2. <label>
  3.   <input type="checkbox" /> Set root password
  4. </label>
  5. <label>
  6.   <input type="checkbox" /> Generate fresh sshd host keys
  7. </label>
  8. <label>
  9.   <input type="checkbox" /> Create admin user
  10. </label>
  11. <label>
  12.   <input type="checkbox" /> Add admin to doas group and test doas
  13. </label>
  14. <label>
  15.   <input type="checkbox" /> SSH key added to admin's authorized_keys
  16. </label>
  17. <label>
  18.   <input type="checkbox" /> Disable root login via ssh
  19. </label>
  20. <label>
  21.   <input type="checkbox" /> Disable password login via ssh
  22. </label>
  23. <label>
  24.   <input type="checkbox" /> Set hostname
  25. </label>
  26. <label>
  27.   <input type="checkbox" /> Run system updates
  28. </label>
  29. <label>
  30.   <input type="checkbox" /> Reboot
  31. </label>
  32. <label>
  33.   <input type="checkbox" /> Install &amp; test postfix
  34. </label>
  36. <style>
  37. label { display: block; }
  38. pre { background: #eee; max-width: 720px; padding: 0.5rem; }
  39. </style>
  41. <h1>doas.conf</h1>
  43. <pre>
  44. # see doas.conf(5) for configuration details
  46. # Uncomment to allow group "admin" to become root
  47. # permit :admin
  48. permit nopass :admin
  49. permit nopass deploy cmd apk args upgrade -U
  50. permit nopass deploy cmd service args SERVICE restart
  51. permit nopass acme cmd nginx args -s reload
  52. </pre>
  54. <h1>acme setup</h1>
  55. <p>
  56. TODO: a package could be made to automate many of these steps
  57. </p>
  58. <label>
  59. 	<input type="checkbox" />
  60. 	<code>doas apk add uacme openssl moreutils</code>
  61. </label>
  63. <label>
  64. 	<input type="checkbox" />
  65. 	<code>doas useradd -md /var/lib/acme -s /sbin/nologin acme</code>
  66. </label>
  68. <label>
  69. 	<input type="checkbox" />
  70. 	<code>doas mkdir -p /etc/ssl/uacme/private /var/www/.well-known/acme-challenge</code>
  71. </label>
  73. <label>
  74. 	<input type="checkbox" />
  75. 	<code>doas chown acme:acme /etc/ssl/uacme /etc/ssl/uacme/private</code>
  76. </label>
  78. <label>
  79. 	<input type="checkbox" />
  80. 	<code>doas chmod g+rX /etc/ssl/uacme /etc/ssl/uacme/private</code>
  81. </label>
  83. <label>
  84. 	<input type="checkbox" />
  85. 	<code>doas chown acme:acme /var/www/.well-known/acme-challenge</code>
  86. </label>
  88. <label>
  89. 	<input type="checkbox" />
  90. 	<code>doas touch /var/log/acme.log</code>
  91. </label>
  93. <label>
  94. 	<input type="checkbox" />
  95. 	<code>doas chown acme:acme /var/log/acme.log</code>
  96. </label>
  98. <label>
  99. 	<input type="checkbox" />
  100. 	<code>doas vim /usr/local/bin/acme-update-certs</code>
  101. <pre style="margin-left: 1.5rem">#!/bin/sh -eu
  102. exec &gt;&gt;/var/log/acme.log 2>&1
  103. date
  105. stats() {
  106. 	cert="/etc/ssl/uacme/$1/cert.pem"
  107. 	if ! [ -e "$cert" ]
  108. 	then
  109. 		return
  110. 	fi
  111. 	expiration=$(date -d"$(openssl x509 -enddate -noout -in "$cert" \
  112. 		| cut -d= -f2)" -D'%b %d %H:%M:%S %Y GMT' +'%s')
  113. 	printf '# TYPE certificate_expiration gauge\n'
  114. 	printf '# HELP certificate_expiration Timestamp when SSL certificate will expire\n'
  115. 	printf 'certificate_expiration{instance="%s"} %s\n' "$1" "$expiration"
  116. }
  118. acme() {
  119. 	site=$1
  120. 	shift
  121. 	/usr/bin/uacme -v -h /usr/share/uacme/uacme.sh issue $site $* || true
  122. 	stats $site | curl --data-binary @- https://push.metrics.sr.ht/metrics/job/$site
  123. }
  125. acme DOMAIN SUBDOMAIN...
  126. doas nginx -s reload</pre>
  127. </label>
  129. <label>
  130. 	<input type="checkbox" />
  131. 	<code>doas chmod +x /usr/local/bin/acme-update-certs</code>
  132. </label>
  134. <label>
  135. 	<input type="checkbox" />
  136. 	<code>doas usermod -aG acme nginx</code>
  137. </label>
  139. <label>
  140. 	<input type="checkbox" />
  141. 	<code>doas -u acme uacme new sir@cmpwn.com</code>
  142. </label>
  144. <label>
  145. 	<input type="checkbox" />
  146. 	<code>doas -u acme crontab -e</code>
  147. <pre style="margin-left: 1.5rem">MAILTO=sir@cmpwn.com
  148. 0 0 * * * chronic /usr/local/bin/acme-update-certs</pre>
  149. 	</code>
  150. </label>
  152. <label>
  153. 	<input type="checkbox" /> Update nginx configuration
  154. 	(<code>ssl_certificate{,_key}</code> commented)
  155. </label>
  157. <label>
  158. 	<input type="checkbox" />
  159. 	<code>doas -u acme /usr/local/bin/acme-update-certs</code>
  160. </label>
  162. <label>
  163. 	<input type="checkbox" />
  164. 	<code>cat /var/log/acme.log # verify success</code>
  165. </label>
  167. <label>
  168. 	<input type="checkbox" /> Update nginx configuration
  169. </label>
  171. <label>
  172. 	<input type="checkbox" />
  173. 	<code>doas chmod -R g+rX /etc/ssl/uacme /etc/ssl/uacme/private</code>
  174. </label>
  176. <label>
  177. 	<input type="checkbox" />
  178. 	<code>doas nginx -s reload</code>
  179. </label>
  181. <label>
  182. 	<input type="checkbox" /> Verify website has working SSL
  183. </label>
  185. <h2>nginx config</h2>
  187. <pre>
  188. server {
  189. 	listen 80;
  190. 	listen [::]:80;
  191. 	server_name DOMAIN;
  193. 	location / {
  194. 		return 302 https://$server_name$request_uri;
  195. 	}
  197. 	location ^~ /.well-known {
  198. 		root /var/www;
  199. 	}
  200. }
  202. server {
  203. 	listen 443 ssl http2;
  204. 	listen [::]:443 ssl http2;
  205. 	server_name DOMAIN;
  206. 	ssl_certificate /etc/ssl/uacme/DOMAIN/cert.pem;
  207. 	ssl_certificate_key /etc/ssl/uacme/private/DOMAIN/key.pem;
  209. 	gzip on;
  210. 	gzip_types text/css text/html;
  212. 	# ...
  213. }
  214. </pre>