From 6b1f723f7b78f571460fa80563ad9fdde58b1353 Mon Sep 17 00:00:00 2001
From: Joerg Lehmann
Date: Tue, 3 Aug 2021 17:05:43 +0200
Subject: [PATCH] Initial commit

---
 README.md | 84 +++++++++++++++++++++++
 docker-compose/traefik/docker-compose.yml | 26 +++++++
 2 files changed, 110 insertions(+)
 create mode 100644 README.md
 create mode 100644 docker-compose/traefik/docker-compose.yml

diff --git a/README.md b/README.md
new file mode 100644
index 0000000..eafab89
--- /dev/null
+++ b/README.md
@@ -0,0 +1,84 @@
+# moby - Container Server
+
+Spezifikaktion:
+- Ubuntu Server 20.04
+- Hetzner Cloud Server CX31
+ - 2 vCPUs
+ - 8 GB RAM
+ - 80 GB Disk
+
+## Erstellen des Servers
+
+Mit dem Binary hcloud von:
+https://github.com/hetznercloud/cli
+
+Temporaer einen API Key erstellen (nachher wieder loeschen)
+
+```bash
+$ hcloud context create nbit.ch
+$ hcloud image list # zeigt moegliche Images
+$ hcloud server-type list # zeigt moegliche Typen
+
+$ hcloud server create --name moby --image docker-ce --type cx31 --ssh-key joerg@cinnamon.nbit.ch
+$ hcloud server set-rdns moby --hostname moby.nbit.ch
+$ IPV6="$(hcloud server ip moby -6)"
+$ hcloud server set-rdns moby --ip $IPV6 --hostname moby.nbit.ch
+```
+
+DNS Eintraege erstellen:
+```bash
+$ hcloud server ip moby
+$ hcloud server ip moby -6
+```
+
+```bash
+Root-Passwort setzen (das machen wir von Hand)
+
+ssh-Root-Passwort-Login disablen:
+/etc/ssh/sshd_config:
+PermitRootLogin without-password
+
+
+Add Swap Space as documented in Mailcow Doc (but we use 2GB):
+
+see https://linuxize.com/post/how-to-add-swap-space-on-ubuntu-20-04/
+
+# fallocate -l 2G /swapfile
+# chmod 600 /swapfile
+# mkswap /swapfile
+# swapon /swapfile
+# echo "/swapfile swap swap defaults 0 0" >>/etc/fstab
+
+
+```
+
+
+## Firewall
+
+```bash
+# ufw default deny incoming
+# ufw default allow outgoing
+# ufw allow ssh
+# ufw allow http
+# ufw allow https
+# ufw enable
+```
+
+## fail2ban auf Host fuer ssh
+
+```bash
+# apt install fail2ban
+# cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
+edit /etc/fail2ban/jail.local:
+enabled = true unterhalb [sshd]
+
+Check, wer gebanned ist:
+# fail2ban-client status sshd
+```
+
+
+## Software installieren
+
+```bash
+# apt install git
+```
diff --git a/docker-compose/traefik/docker-compose.yml b/docker-compose/traefik/docker-compose.yml
new file mode 100644
index 0000000..494283f
--- /dev/null
+++ b/docker-compose/traefik/docker-compose.yml
@@ -0,0 +1,26 @@
+version: "3.3"
+
+services:
+
+ traefik:
+ image: "traefik:v2.4"
+ container_name: "traefik"
+ command:
+ #- "--log.level=DEBUG"
+ - "--api.insecure=true"
+ - "--providers.docker=true"
+ - "--providers.docker.exposedbydefault=false"
+ - "--entrypoints.web.address=:80"
+ ports:
+ - "80:80"
+ - "8080:8080"
+ volumes:
+ - "/var/run/docker.sock:/var/run/docker.sock:ro"
+
+ whoami:
+ image: "traefik/whoami"
+ container_name: "simple-service"
+ labels:
+ - "traefik.enable=true"
+ - "traefik.http.routers.whoami.rule=Host(`moby.nbit.ch`) && Path(`/whoami`)"
+ - "traefik.http.routers.whoami.entrypoints=web"
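Review bot: `--api.insecure=true` together with the published port `"8080:8080"` serves the Traefik API and dashboard without any authentication on every interface of the host, and the routers and services it lists are the ones Traefik reads from the mounted Docker socket. Unless the dashboard is actually needed, drop both lines; if it is needed, bind the port to loopback, `- "127.0.0.1:8080:8080"`, and reach it through an SSH tunnel, or expose it only behind a router with an auth middleware. Docker inserts published ports into its own iptables chains, so the ufw rules in README.md presumably would not block 8080 either; worth confirming on the host. The `--providers.docker.exposedbydefault=false` line is the right default and should stay.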