Deployment/New Node Checklist
From charlesreid1
- Aptitude
- apt get update
- aptitude build scripts
- Sysadmin stuff
- Make non-root default user
- SSH
- No root login
- Docker
Aptitude
Ubuntu 16.04 LTS
Fresh dev machine apt script
Runs apt-get for all the dev things you need. Ubuntu 16.04 LTS.
#!/bin/sh
#
# Run as root
#
# Use the -s flag to simulate this command before actually running it,
# as libraries tend to shift around a lot between Ubuntu versions.

echo "export EDITOR=\"vim\"" >> ~/.bash_profile

# Stupid ubuntu packages
# http://askubuntu.com/questions/593433/error-sudo-add-apt-repository-command-not-found#639431
apt-get install -y software-properties-common

# Note: docker.io is the Docker engine on Ubuntu; the package named
# "docker" is an unrelated system tray applet.
apt-get install -y \
    vim \
    aptitude \
    build-essential \
    checkinstall \
    make \
    m4 \
    bison \
    flex \
    tar \
    perl \
    binutils \
    sed \
    gawk \
    git \
    wget \
    curl \
    docker.io \
    python2.7 \
    python3 python3-pip \
    libreadline-gplv2-dev \
    libncursesw5-dev \
    libssl-dev
Dotfiles
Wait until you create a user to install any dotfiles, of course. Root remains plain and uncontaminated.
Unix dotfiles - yargwid repo https://github.com/charlesreid1/yargwid
Mirror: http://git.charlesreid1.com/charlesreid1/yargwid
Users
See Unix/Sysadmin
Add a non-root user
#!/bin/sh
# Run as root
export USERNAME="zappa"
echo "Making user ${USERNAME}"
useradd "${USERNAME}"
echo "Setting home directory /home/${USERNAME}"
# Use ${USERNAME} here, not ${HOME}: when run as root, HOME is /root
mkdir -p "/home/${USERNAME}"
chown "${USERNAME}" "/home/${USERNAME}"
usermod -d "/home/${USERNAME}" "${USERNAME}"
echo "Setting ${USERNAME} shell to bash"
usermod -s /bin/bash "${USERNAME}"
echo "If you want to add ${USERNAME} to sudo group, run the command yourself:"
echo ""
# -a appends to the user's existing supplementary groups instead of replacing them
echo " usermod -aG sudo ${USERNAME}"
echo ""
echo "Set password for ${USERNAME}:"
passwd "${USERNAME}"
Once the user is in the sudo group, there is no need to add them to the sudoers file.
SSH
SSHD Config
Set up sshd config file:
$ sudo vim /etc/ssh/sshd_config
Specifically, here are the keys to change:
PermitRootLogin no
then restart the sshd service:
$ sudo service sshd restart
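To confirm that the PermitRootLogin change is the value sshd will actually apply, here is an added example (not part of the original page) that reads an sshd_config file and reports the effective global setting. The function names and the three sample configs are constructed for illustration, and the fallback default assumes OpenSSH 7.0 or later.

```shell
#!/bin/sh
# Added example: report the PermitRootLogin value that applies globally.
# Parsing rules modelled: keywords are case-insensitive, the first occurrence
# of a keyword wins, one "=" may separate keyword and value, and anything
# after a "Match" line is conditional rather than global.

effective_permit_root_login() {
    # $1: path to an sshd_config file; prints the effective global value.
    awk '
        /^[ \t]*#/ { next }                      # comment line
        { sub(/[ \t]*=[ \t]*/, " ") }            # "Keyword=value" form
        NF == 0 { next }                         # blank line
        tolower($1) == "match" { exit }          # global section ends here
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        # Assumption: OpenSSH 7.0 or later, where the default is prohibit-password.
        END { if (!found) print "prohibit-password" }
    ' "$1"
}

root_login_disabled() {
    # Succeeds only when the effective global value is exactly "no".
    [ "$(effective_permit_root_login "$1")" = "no" ]
}

# Constructed sample configs (not taken from any real host).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

# A commented-out "no" and a later "no" do not help: the first live line wins.
printf '%s\n' '#PermitRootLogin no' 'Port 22' \
    'PermitRootLogin prohibit-password' 'PermitRootLogin no' > "$demo_dir/weak"
# Lower-case keyword with "=" is still the same setting.
printf '%s\n' 'Port 22' 'permitrootlogin=no' \
    'PasswordAuthentication yes' > "$demo_dir/fixed"
# A value set only inside a Match block is not the global value.
printf '%s\n' 'Port 22' 'Match Address 10.0.0.0/8' \
    '    PermitRootLogin no' > "$demo_dir/match_only"

for f in weak fixed match_only; do
    if root_login_disabled "$demo_dir/$f"; then verdict=OK; else verdict=FAIL; fi
    echo "$f: PermitRootLogin=$(effective_permit_root_login "$demo_dir/$f") $verdict"
done
```

On the node itself, `sudo sshd -t` validates the config file before the restart, and `sudo sshd -T` prints the configuration sshd actually uses.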
SSL
Getting a certificate for the domain associated with the new node:
- Visit Let's Encrypt website https://letsencrypt.org/
- If you have command line access, you are redirected to Certbot https://certbot.eff.org/
- It directs me to run:
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install certbot
Obtaining a cert with the webroot plugin requires access to the directory one level above the web root directory. To obtain a cert using the "webroot" plugin, which can work with the webroot directory of any webserver software:
$ certbot certonly --webroot -w /var/www/example -d example.com -d www.example.com -w /var/www/thing -d thing.is -d m.thing.is
This command will obtain a single cert for example.com, www.example.com, thing.is, and m.thing.is; it will place files below /var/www/example to prove control of the first two domains, and under /var/www/thing for the second pair.
Docker
Installing
$ sudo apt-get install docker.io