Drislock VPS (DigitalOcean Droplet)
TODO revamp this one more time
TODO
- point domain name servers at digitalocean's nameserver (currently using namesilo)
- add a CAA record for letsencrypt
- gen an ssh key add to DO web config
- spin up a debian droplet
- Debian setup
- remove default editors (joe - wtf???)
- create a user, add to sudoers
- disable password ssh logins, root login
- lock root account password
- copy vim and shell configs
- install nginx
- enable auto updates
- letsencrypt
- enable backports (uncomment DO mirrors)
- install certbot python-certbot-nginx
- sudo certbot --nginx
- backup /etc/letsencrypt
- (this autorenews via a systemd timer)
- other DNS records
- AAAA - IPv6
- A - IPv4
- CAA - letsencrypt
- TXT - reject mail
- NS - digitalocean nameservers
- ipv6
  - https://docs.digitalocean.com/products/networking/ipv6/how-to/enable/
  - enable ipv6 on your droplet (requires a shutdown)
  - modify /etc/network/interfaces for inet6 address
  - reboot
  - create an AAAA dns record https://docs.digitalocean.com/products/networking/dns/how-to/manage-records/#aaaa-records
  - probably make sure apps listen on the ipv6 address: nginx, znc maybe, identd, ssh. Some infos at https://www.digitalocean.com/community/tutorials/how-to-configure-tools-to-use-ipv6-on-a-linux-vps but it's mostly just adding listen statements to config files
- firewall
  - install iptables and ufw
  - allow ssh
  - allow https
  - allow http
  - allow 113/tcp (ident)
  - allow 43025 (znc)
  - enable ufw
Some basic notes from first time setup
Overview
- point domain name servers at digitalocean's nameserver (currently using enom)
- add a CAA record for letsencrypt
- gen an ssh key add to DO web config
- spin up a debian droplet
- remove default editors (joe - wtf???)
- create a user, add to sudoers
- disable password ssh logins, root login
- lock root account password
- copy vim and shell configs
- install nginx
- enable auto updates
- letsencrypt
- enable backports (uncomment DO mirrors)
- install certbot python-certbot-nginx
- sudo certbot --nginx
- backup /etc/letsencrypt
- (this autorenews via a systemd timer)
drislock setup commands
Missing a lot of stuff; see future entries for a better reference.
vim .ssh/authorized_keys
passwd -l <username>
sudo vim /etc/ssh/sshd_config
sudo systemctl restart ssh
sudo apt purge lighttpd
sudo apt install nginx
sudo vim /etc/apt/sources.list
sudo apt update
sudo apt install certbot unattended-upgrades apt-listchanges rxvt-unicode-256color
sudo unattended-upgrades -d
nginx config commands
sudo apt-get install certbot -t stretch-backports
sudo apt autoremove
systemctl status nginx
sudo vim /etc/apt/apt.conf.d/50unattended-upgrades
sudo dpkg-reconfigure -plow unattended-upgrades
sudo apt-get install certbot python-certbot-nginx -t stretch-backports
sudo certbot --nginx
sudo certbot renew --dry-run
sudo scp -r /etc/letsencrypt <username>@<hostname>:/path/to/backup/configs/
systemctl show certbot.timer
sudo vim /etc/nginx/nginx.conf
sudo systemctl restart nginx
journalctl -xe
sudo journalctl -xe
apt show nginx
vim /etc/nginx/nginx.conf
sudo vim /etc/nginx/nginx.conf
sudo systemctl restart nginx
znc config commands
sudo apt install znc
znc --makeconf
znc --help
vim .znc/configs/znc.conf
cd .znc/users/Username/networks/OFTC/moddata/cert/
mv ~/OFTC.pem user.pem
cd ~/.znc
cat configs/znc.conf
cd .znc/users/Username/networks/freenode/
mkdir ./freenode/moddata/cert/
openssl req -x509 -new -newkey rsa:4096 -sha256 -days 1460 -nodes -out freenode.pem -keyout freenode.pem
cp freenode.pem freenode/moddata/cert/user.pem
# backup
mv .znc/users/Username/networks/freenode.pem ~/freenode.pem
cp .znc/users/Username/networks/OFTC/moddata/cert/user.pem ~/OFTC.pem
# Compact the key fingerprint. Dunno who wanted them in this format, but here you go.
openssl x509 -sha1 -noout -fingerprint -in user.pem | sed -e 's/^.*=//;s/://g;y/ABCDEF/abcdef/'
openssl x509 -sha1 -noout -fingerprint -in .znc/users/Username/networks/freenode/moddata/cert/user.pem | sed -e 's/^.*=//;s/://g;y/ABCDEF/abcdef/'
vim .znc/configs/
znc --makepass
Migrating to smaller droplet
DO increased prices on their minimal droplet while adding a new worse one. I decided to migrate and take the chance to document things a bit more in depth.
Create the new droplet
I created a new droplet running Debian 11. Picked the NYC1 datacenter (previous was on NYC3). DO lets you reuse existing SSH keys during droplet creation, which is nice. Enabled IPv6.
Security updates are already enabled by default now so we just need to apt update and upgrade.
apt install oidentd nginx certbot python3-certbot-nginx unattended-upgrades apt-listchanges rxvt-unicode-256color znc
adduser <username>
usermod <username> --append --groups www-data,sudo
cp -r /root/.ssh /home/<username>
chown -R <username>:<username> /home/<username>/.ssh
AFTER testing user login and sudo are working:
Disable password logins and root login.
PasswordAuthentication no
PermitRootLogin no
echo > /root/.ssh/authorized_keys
sudo passwd -d -l root
sudo usermod --expiredate 1 root
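Before restarting sshd with the two settings above, it is worth checking that the config really says what you think (sshd takes the first occurrence of a keyword, ignores case, and stops the global section at the first Match block) and that the new user still has a key to log in with. This is an added helper, not part of the original notes; it only reads the files you pass it and does not consult Include directives, so pass any /etc/ssh/sshd_config.d/*.conf files first, as sshd would read them.

```shell
#!/bin/sh
# Added example: lockout guard before "systemctl restart ssh".
# sshd_effective <keyword> <config-file>...
# Prints the effective value of a keyword across the given files, in order:
# comments and blank lines skipped, keywords matched case-insensitively,
# first match wins, and the search stops at the first Match block.
sshd_effective() {
    key=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); shift
    awk -v key="$key" '
        { sub(/^[ \t]+/, "") }                  # strip leading whitespace
        /^#/ || /^$/ { next }                   # comment or blank line
        { split($0, f, "[ \t=]+") }             # "Keyword value" or "Keyword=value"
        tolower(f[1]) == "match" { exit }       # global section ended
        tolower(f[1]) == key { print f[2]; exit }
    ' "$@"
}

# check_sshd_hardening <authorized_keys-file> <config-file>...
# Returns 0 only when password auth and root login are both off AND the
# non-root user's authorized_keys still contains at least one key line.
check_sshd_hardening() {
    keys=$1; shift; ok=0
    pa=$(sshd_effective PasswordAuthentication "$@")
    prl=$(sshd_effective PermitRootLogin "$@")
    [ "$pa" = "no" ] || { echo "PasswordAuthentication is '${pa:-unset}' (default is yes)"; ok=1; }
    [ "$prl" = "no" ] || { echo "PermitRootLogin is '${prl:-unset}' (default is prohibit-password)"; ok=1; }
    if ! grep -Eq '^(ssh-|ecdsa-|sk-)' "$keys" 2>/dev/null; then
        echo "no usable key in $keys; you would be locked out"; ok=1
    fi
    return $ok
}

# Usage on the droplet (as the new user), before restarting sshd:
#   check_sshd_hardening ~/.ssh/authorized_keys /etc/ssh/sshd_config.d/*.conf /etc/ssh/sshd_config
```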
Copy over some basic user config (vim, bash).
Purge bashrc of a few things like yadm nag, HOSTFILE, DEBEMAIL…, keychain, mail. Basically everything after xterm-256color.
scp .vim/vimrc <username>@<host-ip>:/home/<username>/.vim/
scp .bashrc <username>@<host-ip>:/home/<username>/
vim ~/.bashrc
Copy over nginx config, /var/www/html, and certbot certs.
ssh-keygen -f drislock_transfer
scp -3 <username>@<new_host_ip>:/home/<username>/drislock_transfer.pub <username>@<old_host_ip>:/home/<username>/
cat drislock_transfer.pub >> .ssh/authorized_keys
sudo tar -chvzf certs_nginx_html.tar.gz /etc/nginx/sites-available/default /etc/letsencrypt/archive/drislock.org /etc/letsencrypt/renewal/drislock.org.conf /var/www/html/
cd /
sudo tar xvf /home/<username>/certs_nginx_html.tar.gz
sudo mkdir -p /etc/letsencrypt/live/drislock.org
sudo ln -s /etc/letsencrypt/archive/drislock.org/cert21.pem /etc/letsencrypt/live/drislock.org/cert.pem
sudo ln -s /etc/letsencrypt/archive/drislock.org/chain21.pem /etc/letsencrypt/live/drislock.org/chain.pem
sudo ln -s /etc/letsencrypt/archive/drislock.org/fullchain21.pem /etc/letsencrypt/live/drislock.org/fullchain.pem
sudo ln -s /etc/letsencrypt/archive/drislock.org/privkey21.pem /etc/letsencrypt/live/drislock.org/privkey.pem
sudo systemctl restart nginx
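The hard-coded generation number in the ln commands above (cert21.pem) is whatever the old droplet happened to be on. The following is an added helper, not from the original notes, that rebuilds the live/ symlinks for the newest complete generation found in archive/<domain>, using the relative ../../archive/... targets that certbot itself creates, and refuses to link a generation that is missing any of the four files. It assumes the standard certbot layout under the root you pass (normally /etc/letsencrypt).

```shell
#!/bin/sh
# Added example: recreate /etc/letsencrypt/live/<domain> after restoring archive/.
# latest_generation <root> <domain>
# Prints the highest N for which <root>/archive/<domain>/certN.pem exists (empty if none).
latest_generation() {
    ls "$1/archive/$2"/cert[0-9]*.pem 2>/dev/null \
        | sed 's/.*cert\([0-9][0-9]*\)\.pem$/\1/' \
        | sort -n | tail -n 1
}

# relink_live <root> <domain>
# (Re)creates the four live/ symlinks for the newest generation and prints its number.
# Returns 1 without touching anything if no archive exists or the generation is incomplete.
relink_live() {
    root=$1; domain=$2
    n=$(latest_generation "$root" "$domain")
    [ -n "$n" ] || { echo "no archive for $domain under $root" >&2; return 1; }
    for f in cert chain fullchain privkey; do
        [ -f "$root/archive/$domain/$f$n.pem" ] \
            || { echo "generation $n is incomplete: $f$n.pem missing" >&2; return 1; }
    done
    mkdir -p "$root/live/$domain"
    for f in cert chain fullchain privkey; do
        # relative target, resolved from live/<domain>/ back up to <root>
        ln -sf "../../archive/$domain/$f$n.pem" "$root/live/$domain/$f.pem"
    done
    chmod 600 "$root/archive/$domain/privkey$n.pem"   # key must not be world-readable after untar
    echo "$n"
}

# Usage on the new droplet, after extracting the tarball at /:
#   sudo sh -c '. ./relink.sh; relink_live /etc/letsencrypt drislock.org' && sudo systemctl restart nginx
```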
Update the DNS records in digitalocean's Domain interface to point to the new droplet's IP (both IPv6 and IPv4).
sudo certbot --nginx --init
sudo letsencrypt renew --dry-run
sudo letsencrypt renew
ZNC setup
/msg *status Shutdown
tar cvfz znc.tar.gz .znc
scp -3 ...
cd
tar xf znc.tar.gz
- Oidentd setup
Listing 2: /etc/oidentd.conf
user <username> {
    default {
        allow spoof
        allow spoof_all
    }
}
sudo systemctl restart oidentd.service
- Fix your hostname, hosts file, and reverse DNS
Listing 3: /etc/hostname
drislock
Listing 4: /etc/hosts
127.0.1.1 drislock.localdomain drislock
Rename your droplet to match the domain name to get reverse DNS working (DO has a 30 minute TTL to wait out before PTR records propagate).
- drislock.org -> drislock-v1
- drislock-v2 -> drislock.org
Other stuff
Change the motd.
Turn off the machine. See the gnarl. Feel your body. Release your thoughts. Open your heart. Be amazed.
I set up the digitalocean firewall because why not? Some ports: 22, 80, 113, 443, 43025, ICMP.
Finally verify operation and clean up.
- rsync a backup of the old droplet or something.
- Reboot the new host at least once to verify functionality.
- Delete the old droplet.