# moby - Container Server

Specification:

- Ubuntu Server 20.04
- Hetzner Cloud Server CX31
- 2 vCPUs
- 8 GB RAM
- 80 GB Disk

## Creating the server

Using the `hcloud` binary from: https://github.com/hetznercloud/cli

Create a temporary API key (delete it again afterwards):

```bash
$ hcloud context create nbit.ch
$ hcloud image list         # shows the available images
$ hcloud server-type list   # shows the available server types
$ hcloud server create --name moby --image docker-ce --type cx31 --ssh-key joerg@cinnamon.nbit.ch
$ hcloud server set-rdns moby --hostname moby.nbit.ch
$ IPV6="$(hcloud server ip moby -6)"
$ hcloud server set-rdns moby --ip "$IPV6" --hostname moby.nbit.ch
```

Create the DNS entries using the addresses shown by:

```bash
$ hcloud server ip moby
$ hcloud server ip moby -6
```

Update the system:

```bash
# apt update
# apt upgrade
```

Set the server name:

```bash
# hostnamectl set-hostname moby.nbit.ch
```

Set the root password (we do this by hand).

Disable SSH root password login in `/etc/ssh/sshd_config`:

```
PermitRootLogin without-password
```

Add swap space as documented in the Mailcow docs (but we use 2 GB), see
https://linuxize.com/post/how-to-add-swap-space-on-ubuntu-20-04/

```bash
# fallocate -l 2G /swapfile
# chmod 600 /swapfile
# mkswap /swapfile
# swapon /swapfile
# echo "/swapfile swap swap defaults 0 0" >>/etc/fstab
```

## Firewall

```bash
# ufw default deny incoming
# ufw default allow outgoing
# ufw allow ssh
# ufw allow http
# ufw allow https
# ufw enable
```

## fail2ban on the host for ssh

```bash
# apt install fail2ban
# cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
```

Edit `/etc/fail2ban/jail.local` and add `enabled = true` below `[sshd]`.

Check who is banned:

```bash
# fail2ban-client status sshd
```

## Install software

```bash
# apt install git
```

## Backup Server

```bash
# apt install restic
# mkdir /backup
# mkdir /backup-restic
# restic init --repo /backup-restic/restic-repo-$(hostname --short)
```

The repository password is stored in KeePass.

Restic script `/usr/local/bin/backup-to-disk.sh`:

```bash
#!/bin/bash
#
# Back up the most important directories to a directory.
# restic is used.
#
PATH=$PATH:/usr/local/bin
export RESTIC_PASSWORD="$(hostname --short)7355"
REPO="/backup-restic/restic-repo-$(hostname --short)"

restic backup --quiet --repo "$REPO" \
  /home /etc /var /opt /var/lib/docker/volumes /usr/local/bin /backup \
  --exclude=/var/log --exclude=/var/lib/docker/overlay2
if [ $? -eq 0 ]; then
  # Apply the retention policy and prune only after a successful backup
  restic forget --quiet --repo "$REPO" \
    --keep-daily 7 --keep-weekly 5 --keep-monthly 12 --keep-yearly 20 --prune
else
  >&2 echo "Problem with restic backup $(hostname --short)"
fi
```

`/etc/cron.d/backup-to-disk`:

```
#
# Backup important files to disk
#
55 5 * * * root /usr/local/bin/backup-to-disk.sh >/dev/null
```

Backup to the Storage Box:

```bash
# cat > /etc/cron.d/rsync-backup-to-other-host </dev/null HERE
```

### Systemd Service Unit for docker-compose

See https://community.hetzner.com/tutorials/docker-compose-as-systemd-service

```bash
root@moby:/etc/systemd/system# cat docker-compose@.service
[Unit]
Description=docker-compose %i service
Requires=docker.service network-online.target
After=docker.service network-online.target

[Service]
WorkingDirectory=/home/joerg/moby-configs/%i
Type=simple
TimeoutStartSec=15min
Restart=always
User=joerg
Group=joerg
ExecStartPre=/usr/bin/docker-compose pull --quiet --ignore-pull-failures
ExecStartPre=/usr/bin/docker-compose build --pull
ExecStart=/usr/bin/docker-compose up --remove-orphans
ExecStop=/usr/bin/docker-compose down --remove-orphans
ExecReload=/usr/bin/docker-compose pull --quiet --ignore-pull-failures
ExecReload=/usr/bin/docker-compose build --pull

[Install]
WantedBy=multi-user.target
```

```bash
# systemctl daemon-reload
# systemctl enable --now docker-compose@proxy
# systemctl enable --now docker-compose@nbit_websites
```
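## Post-install checks

An added example, not part of this runbook, that verifies the sshd, fail2ban and swap steps above from config files on disk; the function names and the sample files it writes are constructed for illustration, and it assumes no `Match` blocks in `sshd_config` and reads only the one jail file it is given.

```bash
#!/bin/bash
# Added example, not part of this runbook: offline checks for the sshd,
# fail2ban and swap steps above. Each check reads a file path, so it can be
# run on copies of the real config or on the constructed samples in main().

# sshd uses the FIRST value it reads for a keyword, so a later
# "PermitRootLogin without-password" does not override an earlier "yes".
# Assumption: no Match blocks in use. Returns 0 if root password login is off.
sshd_root_password_login_disabled() {
  local val
  val=$(awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$1")
  case "$val" in
    without-password|prohibit-password|no) return 0 ;;
    *) return 1 ;;
  esac
}

# "enabled" is read from the [sshd] section, falling back to [DEFAULT] as
# fail2ban does. Only the one file given is read (no jail.conf merge).
fail2ban_sshd_enabled() {
  awk -F' *= *' '
    /^\[/ { sec = $0 }
    tolower($1) == "enabled" {
      if (sec == "[sshd]") v = tolower($2)
      else if (sec == "[DEFAULT]") d = tolower($2)
    }
    END { if (v == "") v = d; if (v == "true") exit 0; exit 1 }' "$1"
}

# The fstab line from the swap step must be present so swap survives a reboot.
swap_persisted() {
  grep -Eq '^/swapfile[[:space:]]+(none|swap)[[:space:]]+swap' "$1"
}

# Self-check against constructed sample files (not a real server's config).
main() {
  local d check
  d=$(mktemp -d)
  printf 'Port 22\n#PermitRootLogin yes\nPermitRootLogin without-password\n' >"$d/sshd_config"
  printf '[DEFAULT]\nenabled = false\n\n[sshd]\nenabled = true\nport = ssh\n' >"$d/jail.local"
  printf 'UUID=x / ext4 defaults 0 1\n/swapfile swap swap defaults 0 0\n' >"$d/fstab"
  for check in "sshd_root_password_login_disabled $d/sshd_config" \
               "fail2ban_sshd_enabled $d/jail.local" \
               "swap_persisted $d/fstab"; do
    if $check; then echo "PASS: ${check%% *}"; else echo "FAIL: ${check%% *}"; fi
  done
  rm -rf "$d"
}
main
```

Run it as root with the real paths (`/etc/ssh/sshd_config`, `/etc/fail2ban/jail.local`, `/etc/fstab`) after the steps above to confirm nothing was skipped.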