Difference between revisions of "ITSquad/Server setup"

From Pirate Party Belgium
Jump to: navigation, search
(Created page with "This page aims to list the operations needed when we want to create or migrate a server. == Create a new VM == # Order a new VM at Hetzner: https://console.hetzner.cloud # C...")
 
m
 
(2 intermediate revisions by the same user not shown)
Line 11: Line 11:
  
 
You should be able to connect in root with your ssh key:
 
You should be able to connect in root with your ssh key:
   ssh root@<ip address or hostname> -i ~/.ssh/<private key>
+
   ssh root@'''<ip address or hostname>''' -i ~/.ssh/'''<private key>'''
  
 
== SSH ==
 
== SSH ==
Line 24: Line 24:
 
Install and setup ufw, an easy to use firewall manager:
 
Install and setup ufw, an easy to use firewall manager:
 
   apt install ufw
 
   apt install ufw
   ufw allow <ssh port>
+
   ufw allow '''<ssh port>'''
 
   ufw allow "Nginx Full" # only if nginx is installed
 
   ufw allow "Nginx Full" # only if nginx is installed
 
   ufw enable
 
   ufw enable
Line 33: Line 33:
 
# Generate the ssh key to access the storage box: <code>ssh-keygen -t ed25519 -f ~/.ssh/storage-box</code>
 
# Generate the ssh key to access the storage box: <code>ssh-keygen -t ed25519 -f ~/.ssh/storage-box</code>
 
# Configure ssh: <code>vim ~/.ssh/config</code>. Enter the following:
 
# Configure ssh: <code>vim ~/.ssh/config</code>. Enter the following:
   Host <storage box hostname>
+
   Host '''<storage box hostname>'''
   User <username>
+
   User '''<username>'''
 
   Port 23
 
   Port 23
 
   IdentityFile ~/.ssh/storage-box
 
   IdentityFile ~/.ssh/storage-box
 
   PreferredAuthentications publickey,password
 
   PreferredAuthentications publickey,password
 
: where <username> is the sub-account username for the storage box. For the storage box hostname, refer to our password store.
 
: where <username> is the sub-account username for the storage box. For the storage box hostname, refer to our password store.
# Add your ssh key to the storage box: <code>ssh-copy-id -i ~/.ssh/storage-box <storage box hostname></code>. You should be asked for the storage box's password.
+
 
 +
Finally, add your ssh key to the storage box: <code>ssh-copy-id -i ~/.ssh/storage-box '''<storage box hostname>'''</code>. You should be asked for the storage box's password.
  
 
=== Autofs ===
 
=== Autofs ===
Line 46: Line 47:
 
# Install autofs and sshfs: <code>apt install autofs sshfs</code>
 
# Install autofs and sshfs: <code>apt install autofs sshfs</code>
 
# Edit /etc/auto.master, and add the line: <code>/mnt/storage-box /etc/auto.sshfs --timeout=90,--ghost</code>
 
# Edit /etc/auto.master, and add the line: <code>/mnt/storage-box /etc/auto.sshfs --timeout=90,--ghost</code>
# Create /etc/auto.sshfs with this content: <code>backup -fstype=fuse,rw :sshfs\#<storage box hostname>\:/home/backup</code>
+
# Create /etc/auto.sshfs with this content: <code>backup -fstype=fuse,rw :sshfs\#'''<storage box hostname>'''\:/home/backup</code>
# Optionaly, add a line for mounting media directory: <code>media -fstype=fuse,rw,allow_other :sshfs\#<storage box hostname>\:/home/media</code>
+
# Optionaly, add a line for mounting media directory: <code>media -fstype=fuse,rw,allow_other :sshfs\#'''<storage box hostname>'''\:/home/media</code>
  
 
== Backups ==
 
== Backups ==
Line 66: Line 67:
 
# Create a file that will store the passphrase: <code>touch /root/gpg-duplicity.secret && chmod 600 /root/gpg-duplicity.secret</code>
 
# Create a file that will store the passphrase: <code>touch /root/gpg-duplicity.secret && chmod 600 /root/gpg-duplicity.secret</code>
 
# Generate the passphrase: <code>openssl rand -base64 42 > /root/gpg-duplicity.secret</code>
 
# Generate the passphrase: <code>openssl rand -base64 42 > /root/gpg-duplicity.secret</code>
# Generate a GPG key pair: <code>gpg --quick-gen-key <your email> ed25519 cert 0</code>. You'll be asked to enter twice the passphrase that you've generated.
+
# Generate a GPG key pair: <code>gpg --quick-gen-key '''<itsquad email>''' ed25519 cert 0</code>. You'll be asked to enter twice the passphrase that you've generated.
# Edit this GPG key pair to add a sub-key for encryption: <code>gpg --edit-key <key id></code>. Then, enter <code>addkey</code>, and choose a RSA key for encryption (option #6). Enter <code>save</code> to quit.
+
# Edit this GPG key pair to add a sub-key for encryption: <code>gpg --edit-key '''<key id>'''</code>. Then, enter <code>addkey</code>, and choose a RSA key for encryption (option #6). Enter <code>save</code> to quit.
  
 
'''Note:''' Don't forget to add the GPG key id with the passphrase in our password store.
 
'''Note:''' Don't forget to add the GPG key id with the passphrase in our password store.
Line 73: Line 74:
 
==== Import public keys ====
 
==== Import public keys ====
  
# On your local machine, generate a key pair (or reuse one of yours) and export it to a file: <code>gpg -a --export <key id> > <key file.pub></code>
+
# On your local machine, generate a key pair (or reuse one of yours) and export it to a file: <code>gpg -a --export '''<key id>''' > '''<key file.pub>'''</code>
# Copy this key on the server: <code>scp <key file.pub> root@<your server>:~/</code>
+
# Copy this key on the server: <code>scp '''<key file.pub>''' root@'''<ip address or hostname>''':~/</code>
# Import the key: <code>gpg --import /root/<key file.pub></code>
+
# Import the key: <code>gpg --import /root/'''<key file.pub>'''</code>
# Trust the key: <code>gpg --edit-key <key id></code>. Enter <code>trust</code>, choose ''I trust ultimately'' then quit.
+
# Trust the key: <code>gpg --edit-key '''<key id>'''</code>. Enter <code>trust</code>, choose ''I trust ultimately'' then quit.
  
 
=== Configuration ===
 
=== Configuration ===
Line 84: Line 85:
 
   #!/bin/bash
 
   #!/bin/bash
 
    
 
    
   BACKUP_NAME=daily_<service name>_backup
+
   BACKUP_NAME=daily_'''<service name>'''_backup
   GPG_KEYS="<key id 1> [<key id 2> ...]"
+
   GPG_KEYS="'''<key id 1> [<key id 2> ...]'''"
 
   PASSPHRASE_FILE=/root/gpg-duplicity.secret
 
   PASSPHRASE_FILE=/root/gpg-duplicity.secret
 
   RETRIES=3
 
   RETRIES=3
Line 93: Line 94:
 
   EXCLUDES=
 
   EXCLUDES=
 
   SOURCE=/dir/to/backup
 
   SOURCE=/dir/to/backup
   TARGETS="sftp://<target hostname 1>/path/to/backup sftp://<target hostname 2>/path/to/backup"
+
   TARGETS="sftp://'''<target hostname 1>'''/path/to/backup sftp://'''<target hostname 2>'''/path/to/backup"
 
    
 
    
 
   export PASSPHRASE=$(/bin/cat "$PASSPHRASE_FILE")
 
   export PASSPHRASE=$(/bin/cat "$PASSPHRASE_FILE")
Line 115: Line 116:
 
Then, create a cron task:
 
Then, create a cron task:
 
   crontab -e
 
   crontab -e
   @daily /root/<backup.sh> > /dev/null
+
   @daily /root/'''<backup.sh>''' > /dev/null

Latest revision as of 17:19, 12 October 2019

This page aims to list the operations needed when we want to create or migrate a server.

Create a new VM

  1. Order a new VM at Hetzner: https://console.hetzner.cloud
  2. Click on the button Add a new server
  3. Select the location, OS, and the resources needed
  4. Add the ssh public keys that will be able to access the server
  5. Name the server after a character from One Piece
  6. Go to metaregistrar to setup the DNS: https://control.metaregistrar.com/login

You should be able to connect in root with your ssh key:

 ssh root@<ip address or hostname> -i ~/.ssh/<private key>

SSH

  1. Edit the sshd config: vim /etc/ssh/sshd_config
  2. Change the port used by ssh server
  3. Allow root login with public keys only: PermitRootLogin prohibit-password
  4. Restart the ssh server: systemctl restart ssh

Firewall

Install and setup ufw, an easy to use firewall manager:

 apt install ufw
 ufw allow <ssh port>
 ufw allow "Nginx Full" # only if nginx is installed
 ufw enable

Storage Box

Configure access to the storage box for backups and media storage:

  1. Generate the ssh key to access the storage box: ssh-keygen -t ed25519 -f ~/.ssh/storage-box
  2. Configure ssh: vim ~/.ssh/config. Enter the following:
 Host <storage box hostname>
 User <username>
 Port 23
 IdentityFile ~/.ssh/storage-box
 PreferredAuthentications publickey,password
where <username> is the sub-account username for the storage box. For the storage box hostname, refer to our password store.

Finally, add your ssh key to the storage box: ssh-copy-id -i ~/.ssh/storage-box <storage box hostname>. You should be asked for the storage box's password.

Autofs

In case you need to mount the storage box:

  1. Install autofs and sshfs: apt install autofs sshfs
  2. Edit /etc/auto.master, and add the line: /mnt/storage-box /etc/auto.sshfs --timeout=90,--ghost
  3. Create /etc/auto.sshfs with this content: backup -fstype=fuse,rw :sshfs\#<storage box hostname>\:/home/backup
  4. Optionaly, add a line for mounting media directory: media -fstype=fuse,rw,allow_other :sshfs\#<storage box hostname>\:/home/media

Backups

Install and configure duplicity to backup the server. We encrypt the backups with a public/private key pair that we generate for this server. Duplicity needs to know the private key in order to compute the difference between the current state of the directory to backup and the last backup.

Requirements

Install duplicity, paramiko and gpg:

 apt install duplicity gpg python-pip python-setuptools && pip install -U paramiko

Credentials

Generate for the server a new key pair with a random passphrase, then import public keys to allow trusted people to decrypt the backups when needed.

Generate a key pair

  1. Create a file that will store the passphrase: touch /root/gpg-duplicity.secret && chmod 600 /root/gpg-duplicity.secret
  2. Generate the passphrase: openssl rand -base64 42 > /root/gpg-duplicity.secret
  3. Generate a GPG key pair: gpg --quick-gen-key <itsquad email> ed25519 cert 0. You'll be asked to enter twice the passphrase that you've generated.
  4. Edit this GPG key pair to add a sub-key for encryption: gpg --edit-key <key id>. Then, enter addkey, and choose a RSA key for encryption (option #6). Enter save to quit.

Note: Don't forget to add the GPG key id with the passphrase in our password store.

Import public keys

  1. On your local machine, generate a key pair (or reuse one of yours) and export it to a file: gpg -a --export <key id> > <key file.pub>
  2. Copy this key on the server: scp <key file.pub> root@<ip address or hostname>:~/
  3. Import the key: gpg --import /root/<key file.pub>
  4. Trust the key: gpg --edit-key <key id>. Enter trust, choose I trust ultimately then quit.

Configuration

Create a script file with the following content:

 #!/bin/bash
 
 BACKUP_NAME=daily_<service name>_backup
 GPG_KEYS="<key id 1> [<key id 2> ...]"
 PASSPHRASE_FILE=/root/gpg-duplicity.secret
 RETRIES=3
 PERIOD_FULL_BACKUP=1M
 MAX_FULL_BACKUPS=2
 
 EXCLUDES=
 SOURCE=/dir/to/backup
 TARGETS="sftp://<target hostname 1>/path/to/backup sftp://<target hostname 2>/path/to/backup"
 
 export PASSPHRASE=$(/bin/cat "$PASSPHRASE_FILE")
 
 GPG_KEYS=$(for key in $GPG_KEYS; do echo -n "--encrypt-key $key "; done)
 EXCLUDES=$(for exclude in $EXCLUDES; do echo -n "--exclude $exclude "; done)
 
 for TARGET in $TARGETS; do
   TARGET_DOMAIN=$(cut -d '/' -f 3 <<< "$TARGET")
   BACKUP_NAME_TARGET="${BACKUP_NAME}_${TARGET_DOMAIN}"
 
   duplicity --full-if-older-than $PERIOD_FULL_BACKUP \
     $GPG_KEYS \
     --name $BACKUP_NAME_TARGET \
     --num-retries $RETRIES \
     $EXCLUDES \
     $SOURCE $TARGET && \
   duplicity remove-all-but-n-full $MAX_FULL_BACKUPS --force --name $BACKUP_NAME_TARGET $TARGET
 done

Then, create a cron task:

 crontab -e
 @daily /root/<backup.sh> > /dev/null