
Drislock VPS (DigitalOcean Droplet)

TODO revamp this one more time

TODO

  • point domain name servers at digitalocean's nameserver (currently using namesilo)
  • add a CAA record for letsencrypt
  • gen an ssh key add to DO web config
  • spin up a debian droplet
  • Debian setup
    • remove default editors (joe - wtf???)
    • create a user, add to sudoers
    • disable password ssh logins, root login
    • lock root account password
    • copy vim and shell configs
    • install nginx
    • enable auto updates
  • letsencrypt
    • enable backports (uncomment DO mirrors)
    • install certbot python-certbot-nginx
    • sudo certbot --nginx
    • backup /etc/letsencrypt
    • (this autorenews via a systemd timer)
  • other DNS records
    • AAAA - IPv6
    • A - IPv4
    • CAA - letsencrypt
    • TXT - reject mail
    • NS - digitalocean nameservers

  • ipv6
    • https://docs.digitalocean.com/products/networking/ipv6/how-to/enable/
    • enable ipv6 on your droplet (requires a shutdown)
    • modify /etc/network/interfaces for inet6 address
    • reboot
    • create an AAAA dns record https://docs.digitalocean.com/products/networking/dns/how-to/manage-records/#aaaa-records

probably make sure apps listen on the ipv6 address too (nginx, znc maybe, identd, ssh). Some info at https://www.digitalocean.com/community/tutorials/how-to-configure-tools-to-use-ipv6-on-a-linux-vps but it's mostly just adding listen statements to config files.

  • firewall
    • install iptables and ufw
    • allow ssh
    • allow https
    • allow http
    • allow 113/tcp (ident)
    • allow 43025 (znc)
    • enable ufw

[2019-03-13 Wed] Some basic notes from first time setup

  • Overview
    • point domain name servers at digitalocean's nameserver (currently using enom)
    • add a CAA record for letsencrypt
    • gen an ssh key add to DO web config
    • spin up a debian droplet
      • remove default editors (joe - wtf???)
      • create a user, add to sudoers
      • disable password ssh logins, root login
      • lock root account password
      • copy vim and shell configs
      • install nginx
      • enable auto updates
    • letsencrypt
      • enable backports (uncomment DO mirrors)
      • install certbot python-certbot-nginx
      • sudo certbot --nginx
      • backup /etc/letsencrypt
      • (this autorenews via a systemd timer)
  • drislock setup commands

    Missing a lot of stuff; see future entries for a better reference.

    vim .ssh/authorized_keys
    passwd -l <username>
    sudo vim /etc/ssh/sshd_config
    sudo systemctl restart ssh
    sudo apt purge lighttpd
    sudo apt install nginx
    sudo vim /etc/apt/sources.list
    sudo apt update
    sudo apt install certbot unattended-upgrades apt-listchanges rxvt-unicode-256color
    sudo unattended-upgrades -d
    
  • nginx config commands
    sudo apt-get install certbot -t stretch-backports
    sudo apt autoremove
    systemctl status nginx
    sudo vim /etc/apt/apt.conf.d/50unattended-upgrades
    sudo dpkg-reconfigure -plow unattended-upgrades
    sudo apt-get install certbot python-certbot-nginx -t stretch-backports
    sudo certbot --nginx
    sudo certbot renew --dry-run
    sudo scp -r /etc/letsencrypt <username>@<hostname>:/path/to/backup/configs/
    systemctl show certbot.timer
    sudo vim /etc/nginx/nginx.conf
    sudo systemctl restart nginx
    journalctl -xe
    sudo journalctl -xe
    apt show nginx
    vim /etc/nginx/nginx.conf
    sudo vim /etc/nginx/nginx.conf
    sudo systemctl restart nginx
    
  • znc config commands
    sudo apt install znc
    znc --makeconf
    znc --help
    vim .znc/configs/znc.conf
    cd .znc/users/Username/networks/OFTC/moddata/cert/
    mv ~/OFTC.pem user.pem
    cd ~/.znc
    cat configs/znc.conf
    cd .znc/users/Username/networks/freenode/
    mkdir ./freenode/moddata/cert/
    openssl req -x509 -new -newkey rsa:4096 -sha256 -days 1460 -nodes -out freenode.pem -keyout freenode.pem
    cp freenode.pem freenode/moddata/cert/user.pem
    # backup
    mv .znc/users/Username/networks/freenode.pem ~/freenode.pem
    cp .znc/users/Username/networks/OFTC/moddata/cert/user.pem ~/OFTC.pem
    # Compact the key fingerprint. Dunno what wanted them in this format, but here you go.
    openssl x509 -sha1 -noout -fingerprint -in user.pem | sed -e 's/^.*=//;s/://g;y/ABCDEF/abcdef/'
    openssl x509 -sha1 -noout -fingerprint -in .znc/users/Username/networks/freenode/moddata/cert/user.pem | sed -e 's/^.*=//;s/://g;y/ABCDEF/abcdef/'
    vim .znc/configs/
    znc --makepass
    

[2022-06-30 Thu] Migrating to smaller droplet

DO increased prices on their minimal droplet while adding a new worse one. I decided to migrate and take the chance to document things a bit more in depth.

  • Create the new droplet

    I created a new droplet running Debian 11. Picked the NYC1 datacenter (previous was on NYC3). DO lets you reuse existing SSH keys during droplet creation which is nice. Enabled IPV6.

    Security updates are already enabled by default now, so we just need to apt update and upgrade.

    Install some basics
    apt install oidentd nginx certbot python3-certbot-nginx unattended-upgrades apt-listchanges rxvt-unicode-256color znc
    
    Add my default user and give sudo access.
    adduser <username>
    usermod <username> --append --groups www-data,sudo
    
    Copy authorized key to user account
    cp -r /root/.ssh /home/<username>
    chown -R <username>:<username> /home/<username>/.ssh
    
  • AFTER testing user login and sudo are working:

    Disable password logins and root login.

    Listing 1: /etc/ssh/sshd_config
    PasswordAuthentication no
    PermitRootLogin no
    
    remove authorized keys from root, and disable/lock the account
    echo > /root/.ssh/authorized_keys
    sudo passwd -d -l root
    sudo usermod --expiredate 1 root
    
  • Copy over some basic user config (vim, bash).

    Purge bashrc of a few things like yadm nag, HOSTFILE, DEBEMAIL…, keychain, mail. Basically everything after xterm-256color.

    scp .vim/vimrc <username>@<host-ip>:/home/<username>/.vim/
    scp .bashrc <username>@<host-ip>:/home/<username>/
    vim ~/.bashrc
    
  • Copy over nginx config, /var/www/html, and certbot certs.
    generate a ssh key on new host
    ssh-keygen -f drislock_transfer
    
    copy it between hosts
    scp -3 <username>@<new_host_ip>:/home/<username>/drislock_transfer.pub <username>@<old_host_ip>:/home/<username>/
    
    add it to authorized_keys on old host, then tar up the files
    cat drislock_transfer.pub >> .ssh/authorized_keys
    sudo tar -chvzf certs_nginx_html.tar.gz /etc/nginx/sites-available/default  /etc/letsencrypt/archive/drislock.org /etc/letsencrypt/renewal/drislock.org.conf /var/www/html/
    
    copy them over to the new host and untar
    cd /
    sudo tar xvf /home/<username>/certs_nginx_html.tar.gz
    
    relink the live folder symlinks (probably use the last number available, certbot seems to keep all copies around)
    sudo mkdir -p /etc/letsencrypt/live/drislock.org
    sudo ln -s /etc/letsencrypt/archive/drislock.org/cert21.pem /etc/letsencrypt/live/drislock.org/cert.pem
    sudo ln -s /etc/letsencrypt/archive/drislock.org/chain21.pem /etc/letsencrypt/live/drislock.org/chain.pem
    sudo ln -s /etc/letsencrypt/archive/drislock.org/fullchain21.pem /etc/letsencrypt/live/drislock.org/fullchain.pem
    sudo ln -s /etc/letsencrypt/archive/drislock.org/privkey21.pem /etc/letsencrypt/live/drislock.org/privkey.pem
    sudo systemctl restart nginx
    
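    The relinking above hardcodes 21. The following is an added example (not part of the original notes) that picks the newest numbered archive set automatically and refuses to relink an incomplete set. `relink_live` and `latest_archive_number` are names I made up, and the letsencrypt root is a parameter so it can be pointed at a scratch copy.

```shell
# Usage on the droplet: sudo sh -c '. ./relink.sh; relink_live /etc/letsencrypt drislock.org'

# latest_archive_number <letsencrypt_root> <domain>
# Prints the highest N for which archive/<domain>/privkeyN.pem exists; returns 1 if none.
latest_archive_number() {
    root=$1; domain=$2; best=""
    for f in "$root/archive/$domain"/privkey*.pem; do
        [ -e "$f" ] || continue                  # unmatched glob stays literal
        n=${f##*/privkey}; n=${n%.pem}
        case $n in ''|*[!0-9]*) continue ;; esac # not a plain number
        # numeric compare: 10 > 9, which a string sort would get wrong
        if [ -z "$best" ] || [ "$n" -gt "$best" ]; then best=$n; fi
    done
    [ -n "$best" ] && printf '%s\n' "$best"
}

# relink_live <letsencrypt_root> <domain>
# Points live/<domain>/{cert,chain,fullchain,privkey}.pem at archive set N as
# relative symlinks (the shape certbot itself creates). Changes nothing and
# returns 1 if any of the four files for N is missing. Prints N on success.
relink_live() {
    root=$1; domain=$2
    n=$(latest_archive_number "$root" "$domain") || return 1
    for kind in cert chain fullchain privkey; do
        [ -f "$root/archive/$domain/$kind$n.pem" ] ||
            { echo "archive set $n incomplete: $kind$n.pem missing" >&2; return 1; }
    done
    mkdir -p "$root/live/$domain"
    for kind in cert chain fullchain privkey; do
        ln -sfn "../../archive/$domain/$kind$n.pem" "$root/live/$domain/$kind.pem"
    done
    printf '%s\n' "$n"
}
```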

    Update the DNS records in digitalocean's Domain interface to point to the new droplet's IP (both IPV6 and IPV4).

    reinit the certbot nginx config, test renewal, renew if necessary (old cert should still be valid)
    sudo certbot --nginx --init
    sudo letsencrypt renew --dry-run
    sudo letsencrypt renew
    
  • ZNC setup
    Message *status to shut down from your IRC client.
    /msg *status Shutdown
    
    Move the old znc files over:
    tar cvfz znc.tar.gz .znc
    scp -3 ...
    cd
    tar xf znc.tar.gz
    
    • Oidentd setup
      Listing 2: /etc/oidentd.conf
      user <username> {
              default {
                      allow spoof
                      allow spoof_all
              }
      }
      
      sudo systemctl restart oidentd.service
      
    • Fix your hostname, hosts file, and reverse DNS
      Listing 3: /etc/hostname
      drislock
      
      Listing 4: /etc/hosts
      127.0.1.1 drislock.localdomain drislock
      

      Rename your droplet to match the domain name to get reverse DNS working (DO has a 30 minute TTL to wait out before PTR records propagate).

      • drislock.org -> drislock-v1
      • drislock-v2 -> drislock.org
  • Other stuff

    Change the motd.

    Listing 5: /etc/motd
    Turn off the machine. See the gnarl. Feel your body.
    Release your thoughts. Open your heart. Be amazed.
    

    I set up the digitalocean firewall because why not? Some ports: 22, 80, 113, 443, 43025, ICMP.

    Finally verify operation and clean up.

    • rsync a backup of the old droplet or something.
    • Reboot the new host at least once to verify functionality.
    • Delete the old droplet.