DevOps
{username} = your username
{ip} = your DO droplet ip address
{repo} = your repo address
{email} = your email
Go to DigitalOcean.com
Sign up for an account
Generate an SSH key for your laptop (if does not exists yet)
Upload SSH key to DO
Create a new droplet and choose your ssh key you just uploaded
Get IP of new Droplet
ssh root@{ip}
Enter yes to prompt
adduser {username}
and follow prompts
mkdir /home/{username}/.ssh
cd /home/{username}/.ssh
touch authorized_keys
vi authorized_keys
Paste your .ssh/id_rsa.pub key from your laptop into this file
:wq
to leave vim
cd ..
to leave .ssh folder
chown -R {username}:{username} .ssh
exit
ssh {username}@{ip}
exit
ssh root@{ip}
// Get back in as root
usermod -aG sudo {username}
su - {username}
// switch to new account
sudo ls -lah /root
// smoke test sudo capabilities
exit
exit
ssh {username}@{ip}
INSTALL NVM (https://github.com/creationix/nvm)
curl -o- https://raw.githubusercontent.com/creationix/nvm/v0.33.8/install.sh | bash
source .bashrc
// restart terminal
nvm install —-lts
// install latest LTS node version
node —-version
// smoke test node
sudo apt install redis-server
redis-cli
// smoke test reds
sudo apt install nginx
nginx -v
// smoke test nginx
sudo apt install postgresql
sudo apt install postgresql-contrib
sudo -u postgres createuser --interactive
createdb {username}
psql
ssh-keygen -t rsa -b 4096 -C “{email}”
// just stick with defaults
cat /home/{username}/.ssh/id_rsa.pub
// smoke test new key
Go to github.com
Go to your repo
Click on Settings -> Deploy Keys -> Add Deploy Key
Give this deploy key a name (should relate to the server)
Copy paste the id_rsa.pub from above into the field
Make sure ‘Write Access’ is unchecked
Click Add
cd /home/{username}
mkdir projects
cd projects
git clone {repo}
Configure the config file and db database and tables as needed
Running nodemon server.js
should bring up a working server on port X
Still won’t be able to hit the server until nginx is running smoothly
cd /etc/nginx/sites-available
sudo touch {name}
sudo vi {name}
Paste in this:
server {
listen 80;
server_name {ip};
client_max_body_size 100m;
client_body_timeout 120s; # Default is 60, May need to be increased for very large uploads
location / {
proxy_pass http://localhost:8080;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}
sudo cp {name} ../sites-enabled/
sudo nginx -t
// smoke test the new config file we made
sudo service nginx reload
Smoke test by going to your {ip}
npm install -g pm2
// this installs pm2 as a global
pm2 start server.js --name {appName}
pm2 list
// to list running processes
You'll be given a domain by Jesse Update your nginx config to handle that new domain Test your nginx file Smoke test the new domain
cd /usr/local/sbin
sudo wget https://dl.eff.org/certbot-auto
ls -lah
sudo chmod a+x /usr/local/sbin/certbot-auto
ls -lah
// installing certbot
certbot-auto certonly -a webroot --webroot-path=/home/{username}/projects/{repo}/public -d {domain} -d www.{domain}
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
// generate key
update nginx config with:
server {
listen 80;
server_name {domain};
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl;
server_name {domain};
client_max_body_size 100m;
client_body_timeout 120s; # Default is 60, May need to be increased for very large uploads
ssl_certificate /etc/letsencrypt/live/{domain}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{domain}/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security max-age=15768000;
index index.html index.htm index.nginx-debian.html;
location / {
proxy_pass http://localhost:8080;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}
crontab -e
Select option 3
[Shift + g] [o] to open a line at the bottom of the file
30 2 1 * * /usr/local/sbin/certbot-auto renew >> /var/log/le-renew.log
35 2 1 * * /etc/init.d/nginx reload
sudo ufw deny 5432
sudo ufw deny 3000
sudo ufw deny 8080
sudo ufw enable
sudo ufw allow 80
sudo ufw allow 443
Port 2222
PermitRootLogin no
PasswordAuthentication no
UsePAM no
sudo ufw allow 2222
sudo ufw deny 22
sudo service sshd restart
sudo apt install unattended-upgrades
sudo dpkg-reconfigure unattended-upgrades
Edit your ~/.ssh/config file to add this:
Host {domain}
Port 2222
User {username}
ForwardAgent yes
IdentityFile ~/.ssh/id_rsa
- Add user to posters db that isn’t based on system user