Drislock VPS (DigitalOcean Droplet)
TODO revamp this one more time
TODO
- point domain name servers at digitalocean's nameserver (currently using namesilo)
- add a CAA record for letsencrypt
- gen an ssh key add to DO web config
- spin up a debian droplet
- Debian setup
- remove default editors (joe - wtf???)
- create a user, add to sudoers
- disable password ssh logins, root login
- lock root account password
- copy vim and shell configs
- install nginx
- enable auto updates
- letsencrypt
- enable backports (uncomment DO mirrors)
- install certbot python-certbot-nginx
- sudo certbot –nginx
- backup /etc/letsencrypt
- (this autorenews via a systemd timer)
- other DNS records
- AAAA - IPv6
- A - IPv4
- CAA - letsencrypt
- TXT - reject mail
- NS - digitalocean nameservers
ipv6 https://docs.digitalocean.com/products/networking/ipv6/how-to/enable/ enable ipv6 on your droplet (requires a shutdown) modify /etc/network/interfaces for inet6 address reboot create an AAAA dns record https://docs.digitalocean.com/products/networking/dns/how-to/manage-records/#aaaa-records
probably make sure apps listen on ipv6 address like nginx, znc maybe, identd, ssh some infos https://www.digitalocean.com/community/tutorials/how-to-configure-tools-to-use-ipv6-on-a-linux-vps but it's mostly just adding listen statements to config files
firewall install iptables and ufw allow ssh allow https allow http allow 113/tcp (ident) allow 43025 (znc) enable ufw
Some basic notes from first time setup
- Overview
- point domain name servers at digitalocean's nameserver (currently using enom)
- add a CAA record for letsencrypt
- gen an ssh key add to DO web config
- spin up a debian droplet
- remove default editors (joe - wtf???)
- create a user, add to sudoers
- disable password ssh logins, root login
- lock root account password
- copy vim and shell configs
- install nginx
- enable auto updates
- letsencrypt
- enable backports (uncomment DO mirrors)
- install certbot python-certbot-nginx
- sudo certbot –nginx
- backup /etc/letsencrypt
- (this autorenews via a systemd timer)
- drislock setup commands
Missing a lot of stuff see future entries for a better reference.
vim .ssh/authorized_keys passwd -l <username> sudo vim /etc/ssh/sshd_config sudo systemctl restart ssh sudo apt purge lighttpd sudo apt install nginx sudo vim /etc/apt/sources.list sudo apt update sudo apt install certbot unattended-upgrades apt-listchanges rxvt-unicode-256color sudo unattended-upgrades -d
- nginx config commands
sudo apt-get install certbot -t stretch-backports sudo apt autoremove systemctl status nginx sudo vim /etc/apt/apt.conf.d/50unattended-upgrades sudo dpkg-reconfigure -plow unattended-upgrades sudo apt-get install certbot python-certbot-nginx -t stretch-backports sudo certbot --nginx sudo certbot renew --dry-run sudo scp -r /etc/letsencrypt <username>@<hostname>:/path/to/backup/configs/ systemctl show certbot.timer sudo vim /etc/nginx/nginx.conf sudo systemctl restart nginx journalctl -xe sudo journalctl -xe apt show nginx vim /etc/nginx/nginx.conf sudo vim /etc/nginx/nginx.conf sudo systemctl restart nginx
- znc config commands
sudo apt install znc znc --makeconf znc --help vim .znc/configs/znc.conf cd .znc/users/Username/networks/OFTC/moddata/cert/ mv ~/OFTC.pem user.pem cd ~/.znc cat configs/znc.conf cd .znc/users/Username/networks/freenode/ mkdir ./freenode/moddata/cert/ openssl req -x509 -new -newkey rsa:4096 -sha256 -days 1460 -nodes -out freenode.pem -keyout freenode.pem cp freenode.pem freenode/moddata/cert/user.pem # backup mv .znc/users/Username/networks/freenode.pem ~/freenode.pem cp .znc/users/Username/networks/OFTC/moddata/cert/user.pem ~/OFTC.pem # Compact the key fingerprint. Dunno what wanted them in this format, but here you go. openssl x509 -sha1 -noout -fingerprint -in user.pem | sed -e 's/^.*=//;s/://g;y/ABCDEF/abcdef/' openssl x509 -sha1 -noout -fingerprint -in .znc/users/Username/networks/freenode/moddata/cert/user.pem | sed -e 's/^.*=//;s/://g;y/ABCDEF/abcdef/' vim .znc/configs/ znc --makepass
Migrating to smaller droplet
DO increased prices on their minimal droplet while adding a new worse one. I decided to migrate and take the chance to document things a bit more in depth.
- Create the new droplet
I created a new droplet running Debian 11. Picked the NYC1 datacenter (previous was on NYC3). DO lets you reuse existing SSH keys during droplet creation which is nice. Enabled IPV6.
Security updates are already enabled by default now so we just need to apt update and upgrade.
Install some basicsapt install oidentd nginx certbot python3-certbot-nginx unattended-upgrades apt-listchanges rxvt-unicode-256color znc
Add my default user and give sudo access.adduser <username> usermod <username> --append --groups www-data,sudo
Copy authorized key to user accountcp -r /root/.ssh /home/<username> chown -R <username>:<username> /home/<username>/.ssh
- AFTER testing user login and sudo are working:
Disable password logins and root login.
Listing 1: /etc/ssh/sshd_configPasswordAuthentication no PermitRootLogin no
remove authorized keys from root, and disable/lock the accountecho > /root/.ssh/authorized_keys sudo passwd -d -l root sudo usermod --expiredate 1 root
- Copy over some basic user config (vim, bash).
Purge bashrc of a few things like yadm nag, HOSTFILE, DEBEMAIL…, keychain, mail. Basically everything after xterm-256color.
scp .vim/vimrc <username>@<host-ip>:/home/<username>/.vim/ scp .bashrc <username>@<host-ip>:/home/<username>/ vim ~/.bashrc
- Copy over nginx config,
/var/www/html, and certbot certs.
generate a ssh key on new hostssh-keygen -f drislock_transfer
copy it between hostsscp -3 <username>@<new_host_ip>:/home/<username>/drislock_transfer.pub <username>@<old_host_ip:/home/<username>/
add it to authorized_keys on old host, then tar up the filescat drislock_transfer.pub >> .ssh/authorized_keys sudo tar -chvzf certs_nginx_html.tar.gz /etc/nginx/sites-available/default /etc/letsencrypt/archive/drislock.org /etc/letsencrypt/renewal/drislock.org.conf /var/www/html/
copy them over to the new host and untarcd / sudo tar xvf /home/<username>/certs_nginx_html.tar.gz
relink the live folder symlinks (probably use the last number available, certbot seems to keep all copies around)sudo mkdir -p /etc/letsencrypt/live/drislock.org sudo ln -s /etc/letsencrypt/archive/drislock.org/cert21.pem /etc/letsencrypt/live/drislock.org/cert.pem sudo ln -s /etc/letsencrypt/archive/drislock.org/chain21.pem /etc/letsencrypt/live/drislock.org/chain.pem sudo ln -s /etc/letsencrypt/archive/drislock.org/fullchain21.pem /etc/letsencrypt/live/drislock.org/fullchain.pem sudo ln -s /etc/letsencrypt/archive/drislock.org/privkey21.pem /etc/letsencrypt/live/drislock.org/privkey.pem sudo systemctl restart nginx
Update the DNS records in digitalocean's Domain interface to point to the new droplet's IP (both IPV6 and IPV4).
reinit the certbot nginx config, test renewal, renew if necessary (old cert should still be valid)sudo certbot --nginx --init sudo letsencrypt renew --dry-run sudo letsencrypt renew
- ZNC setup
Message *status to shutdown from your IRC client./msg *status Shutdown
Move the old znc files over:tar cvfz znc.tar.gz .znc scp -3 ... cd tar xf znc.tar.gz
- Oidentd setup
Listing 2: /etc/oidentd.confuser <username> { default { allow spoof allow spoof_all } }
sudo systemctl restart oidentd.service
- Fix your hostname, hosts file, and reverse DNS
Listing 3: /etc/hostnamedrislock
Listing 4: /etc/hosts127.0.1.1 drislock.localdomain drislock
Rename your droplet to match the domain name to get reverse DNS working (DO has a 30 minute TTL to wait out before PTR records propagate).
- drislock.org -> drislock-v1
- drislock-v2 -> drislock.org
- Oidentd setup
- Other stuff
Change the motd.
Listing 5: /etc/motdTurn off the machine. See the gnarl. Feel your body. Release your thoughts. Open your heart. Be amazed.
I set up the digitalocean firewall because why not? Some ports: 22, 80, 113, 443, 43025, ICMP.
Finally verify operation and clean up.
- rsync a backup of the old droplet or something.
- Reboot the new host at least once to verify functionality.
- Delete the old droplet.