# moby - Container Server

Specification:

- Ubuntu Server 20.04
- Hetzner Cloud Server CX31
- 2 vCPUs
- 8 GB RAM
- 80 GB Disk
## Creating the server

Using the `hcloud` binary from https://github.com/hetznercloud/cli

Temporarily create an API key (delete it again afterwards).

```
$ hcloud context create nbit.ch
$ hcloud image list          # shows the available images
$ hcloud server-type list    # shows the available server types
$ hcloud server create --name moby --image docker-ce --type cx31 --ssh-key joerg@cinnamon.nbit.ch
$ hcloud server set-rdns moby --hostname moby.nbit.ch
$ IPV6="$(hcloud server ip moby -6)"
$ hcloud server set-rdns moby --ip "$IPV6" --hostname moby.nbit.ch
```

Create the DNS entries (the addresses to use are shown by):

```
$ hcloud server ip moby
$ hcloud server ip moby -6
```
```
# apt update
# apt upgrade
```

Set the server name:

```
# hostnamectl set-hostname moby.nbit.ch
```

Set the root password (we do this by hand).

Disable ssh root login with a password in `/etc/ssh/sshd_config`:

```
PermitRootLogin without-password
```
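Before restarting sshd it is worth checking that the directive really is in effect, because sshd honours only the first occurrence of a keyword and ignores anything after a `Match` line for the global scope. The script below is an added example, not part of the original README: it reads an sshd_config the way the daemon does and accepts `without-password` (the older spelling), `prohibit-password` and `no` for `PermitRootLogin`; it also offers a stricter check for `PasswordAuthentication no`, which this README does not set. The sample configs in the usage are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original README): verify that an sshd_config
# disables root password logins before sshd is restarted.
# sshd uses the FIRST value it reads for a keyword, and a "Match" line ends
# the global section, so the check mirrors both rules. Keywords are
# case-insensitive in sshd_config.

# Print the first global value of keyword $2 in file $1 (lower-cased);
# print nothing if the keyword is not set before the first Match block.
sshd_first_value() {
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        /^[[:space:]]*#/ { next }            # skip comment lines
        tolower($1) == "match" { exit }      # global section ends here
        tolower($1) == key { print tolower($2); exit }
    ' "$1"
}

# Return 0 if root cannot log in with a password. An unset keyword is
# treated as a failure so the check only passes on an explicit setting.
root_password_login_disabled() {
    case "$(sshd_first_value "$1" PermitRootLogin)" in
        no|prohibit-password|without-password) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if password authentication is off for all users (stricter than
# the README, which only restricts root).
password_auth_disabled() {
    [ "$(sshd_first_value "$1" PasswordAuthentication)" = "no" ]
}

# Usage: sh check_sshd.sh /etc/ssh/sshd_config
if [ -n "${1:-}" ]; then
    if root_password_login_disabled "$1"; then
        echo "ok: root password login is disabled in $1"
    else
        echo "WARNING: root password login is still possible in $1" >&2
        exit 1
    fi
fi
```

Run it against the real file after editing; a non-zero exit means the first `PermitRootLogin` that sshd will see still allows passwords (or the keyword only appears inside a `Match` block).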
Add swap space as documented in the Mailcow docs (but we use 2 GB); see https://linuxize.com/post/how-to-add-swap-space-on-ubuntu-20-04/

```
# fallocate -l 2G /swapfile
# chmod 600 /swapfile
# mkswap /swapfile
# swapon /swapfile
# echo "/swapfile swap swap defaults 0 0" >>/etc/fstab
```
## Firewall

```
# ufw default deny incoming
# ufw default allow outgoing
# ufw allow ssh
# ufw allow http
# ufw allow https
# ufw enable
```
## fail2ban on the host for ssh

```
# apt install fail2ban
# cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
```

Edit `/etc/fail2ban/jail.local` and set `enabled = true` below `[sshd]`.

Check who is banned:

```
# fail2ban-client status sshd
```
## Install software

```
# apt install git
```
## Backup server

```
# apt install restic
# mkdir /backup
# mkdir /backup-restic
# restic init --repo /backup-restic/restic-repo-$(hostname --short)   # password is in KeePass
```
Restic script `/usr/local/bin/backup-to-disk.sh`:

```bash
#!/bin/bash
# Back up the most important directories to a local directory.
#
# restic is used.
#
PATH=$PATH:/usr/local/bin
export RESTIC_PASSWORD="$(hostname --short)7355"
# Docker volumes are included, the overlay2 layer store and /var/log are not.
restic backup --quiet --repo /backup-restic/restic-repo-$(hostname --short) /home /etc /var /opt /var/lib/docker/volumes /usr/local/bin /backup --exclude=/var/log --exclude=/var/lib/docker/overlay2
if [ $? -eq 0 ]; then
    # Prune old snapshots only after a successful backup.
    restic forget --quiet --repo /backup-restic/restic-repo-$(hostname --short) --keep-daily 7 --keep-weekly 5 --keep-monthly 12 --keep-yearly 20 --prune
else
    >&2 echo "Problem with restic Backup $(hostname --short)"
fi
```

`/etc/cron.d/backup-to-disk`:

```
#
# Backup important Files to Disk
#
55 5 * * * root /usr/local/bin/backup-to-disk.sh >/dev/null
```
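One thing to note about the script above: the repository password is reconstructed from the hostname inside a script that is readable by every local user, so it is only as secret as the script itself, and it is not the KeePass entry that `restic init` was supposed to use. The variant below is an added example, not the README's own script: it keeps the same source set, exclusions and retention policy, but reads the password from a root-only file via `RESTIC_PASSWORD_FILE` and refuses to run unless that file has exactly mode 0600. The secret path `/etc/restic/password` is an assumption; the repository layout `/backup-restic/restic-repo-<host>` is the README's.

```shell
#!/bin/sh
# Added example (not from the original README): the same restic backup as
# backup-to-disk.sh, with the repository password read from a root-only file
# instead of being derived from the hostname inside the script.
# Assumed: /etc/restic/password exists, is owned by root and has mode 0600.
set -u
PATH=$PATH:/usr/local/bin

# Repository path for a given short hostname (mirrors the README layout).
restic_repo_path() {
    printf '/backup-restic/restic-repo-%s\n' "$1"
}

# Return 0 only if $1 is a regular, non-empty file whose permission bits are
# exactly 0600 (find -perm without a leading - or / means an exact match).
check_secret_file() {
    [ -f "$1" ] && [ -s "$1" ] && [ -n "$(find "$1" -prune -perm 600)" ]
}

# Run backup and retention. $1: short hostname, $2: password file.
run_backup() {
    host=${1:-$(hostname -s)}
    secret=${2:-/etc/restic/password}
    repo=$(restic_repo_path "$host")

    if ! check_secret_file "$secret"; then
        echo "refusing to run: $secret is missing, empty or not mode 0600" >&2
        return 2
    fi
    export RESTIC_PASSWORD_FILE=$secret   # restic reads the password from this file

    # Same directories and exclusions as the README script.
    if ! restic backup --quiet --repo "$repo" \
            /home /etc /var /opt /var/lib/docker/volumes /usr/local/bin /backup \
            --exclude=/var/log --exclude=/var/lib/docker/overlay2; then
        echo "Problem with restic backup $host" >&2
        return 1
    fi
    # Prune only after a successful backup, so a failed run never deletes old snapshots.
    restic forget --quiet --repo "$repo" \
        --keep-daily 7 --keep-weekly 5 --keep-monthly 12 --keep-yearly 20 --prune
}

# Usage from cron (as root): /usr/local/bin/backup-to-disk.sh run
case "${1:-}" in
    run) run_backup ;;
esac
```

The permission check is deliberately strict: a password file that is group- or world-readable defeats the purpose, and failing loudly in cron output is better than silently backing up with a leaked secret.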
Backup to the Storage Box:

```
# cat > /etc/cron.d/rsync-backup-to-other-host <<HERE
#
# Rsync /backup-restic to backup space
#
20 6 * * * root /usr/bin/rsync -avzH --delete --numeric-ids -e 'ssh -p23' /backup-restic u152662@u152662.your-storagebox.de:moby-backup-restic-rsync >/dev/null
HERE
```
## Systemd service unit for docker-compose

See https://community.hetzner.com/tutorials/docker-compose-as-systemd-service

`/etc/systemd/system/docker-compose@.service`:

```ini
[Unit]
Description=docker-compose %i service
Requires=docker.service network-online.target
After=docker.service network-online.target

[Service]
WorkingDirectory=/home/joerg/moby-configs/%i
Type=simple
TimeoutStartSec=15min
Restart=always
User=joerg
Group=joerg
ExecStartPre=/usr/bin/docker-compose pull --quiet --ignore-pull-failures
ExecStartPre=/usr/bin/docker-compose build --pull
ExecStart=/usr/bin/docker-compose up --remove-orphans
ExecStop=/usr/bin/docker-compose down --remove-orphans
ExecReload=/usr/bin/docker-compose pull --quiet --ignore-pull-failures
ExecReload=/usr/bin/docker-compose build --pull

[Install]
WantedBy=multi-user.target
```

```
# systemctl daemon-reload
# systemctl enable --now docker-compose@proxy
# systemctl enable --now docker-compose@nbit_websites
```
## WordPress behind Traefik

The following must be inserted into `wp-config.php` (at the very top of the PHP code), so that WordPress sees the connection as HTTPS when Traefik terminates TLS and forwards the request over plain HTTP:

```php
// Traefik sets X-Forwarded-Proto to the scheme the client used; mirror it into
// $_SERVER['HTTPS'] so WordPress generates https:// URLs. The isset() guard avoids
// an "undefined index" notice when the header is absent.
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO'])
    && strpos($_SERVER['HTTP_X_FORWARDED_PROTO'], 'https') !== false) {
    $_SERVER['HTTPS'] = 'on';
}
```