Initial commit

2021-08-03 17:05:43 +02:00 · 2021-08-03 17:05:43 +02:00 · 6b1f723f7b
commit 6b1f723f7b
2 changed files with 110 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -0,0 +1,84 @@
+# moby - Container Server
+
+Spezifikaktion:
+- Ubuntu Server 20.04
+- Hetzner Cloud Server CX31
+  - 2 vCPUs
+  - 8 GB RAM
+  - 80 GB Disk
+
+## Erstellen des Servers
+
+Mit dem Binary hcloud von:
+https://github.com/hetznercloud/cli
+
+Temporaer einen API Key erstellen (nachher wieder loeschen)
+
+```bash
+$ hcloud context create nbit.ch
+$ hcloud image list                          # zeigt moegliche Images
+$ hcloud server-type list                    # zeigt moegliche Typen
+
+$ hcloud server create --name moby --image docker-ce --type cx31 --ssh-key joerg@cinnamon.nbit.ch
+$ hcloud server set-rdns moby --hostname moby.nbit.ch
+$ IPV6="$(hcloud server ip moby -6)"
+$ hcloud server set-rdns moby --ip $IPV6 --hostname moby.nbit.ch
+```
+
+DNS Eintraege erstellen:
+```bash
+$ hcloud server ip moby
+$ hcloud server ip moby -6                     
+```
+
+```bash
+Root-Passwort setzen (das machen wir von Hand)
+
+ssh-Root-Passwort-Login disablen:
+/etc/ssh/sshd_config:
+PermitRootLogin without-password
+
+
+Add Swap Space as documented in Mailcow Doc (but we use 2GB):
+
+see https://linuxize.com/post/how-to-add-swap-space-on-ubuntu-20-04/
+
+# fallocate -l 2G /swapfile
+# chmod 600 /swapfile
+# mkswap /swapfile
+# swapon /swapfile
+# echo "/swapfile swap swap defaults 0 0" >>/etc/fstab
+
+
+```
+
+
+## Firewall
+
+```bash
+# ufw default deny incoming
+# ufw default allow outgoing
+# ufw allow ssh
+# ufw allow http
+# ufw allow https
+# ufw enable
+```
+
+## fail2ban auf Host fuer ssh
+
+```bash
+# apt install fail2ban
+# cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
+edit /etc/fail2ban/jail.local:
+enabled = true unterhalb [sshd]
+
+Check, wer gebanned ist:
+# fail2ban-client status sshd
+```
+
+
+## Software installieren
+
+```bash
+# apt install git
+```
--- a/docker-compose/traefik/docker-compose.yml
+++ b/docker-compose/traefik/docker-compose.yml
@ -0,0 +1,26 @@
+version: "3.3"
+
+services:
+
+  traefik:
+    image: "traefik:v2.4"
+    container_name: "traefik"
+    command:
+      #- "--log.level=DEBUG"
+      - "--api.insecure=true"
+      - "--providers.docker=true"
+      - "--providers.docker.exposedbydefault=false"
+      - "--entrypoints.web.address=:80"
+    ports:
+      - "80:80"
+      - "8080:8080"
+    volumes:
+      - "/var/run/docker.sock:/var/run/docker.sock:ro"
+
+  whoami:
+    image: "traefik/whoami"
+    container_name: "simple-service"
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.whoami.rule=Host(`moby.nbit.ch`) && Path(`/whoami`)"
+      - "traefik.http.routers.whoami.entrypoints=web"