it-infra/m-labs-intl/setup.md
Egor Savkin 4b36c5a610 Limit connections and redirect www to canonical
Signed-off-by: Egor Savkin <es@m-labs.hk>
2024-08-21 17:05:37 +08:00


Set up the m-labs-intl.com server

# Base packages: nginx for the site, git and Python (venv + pip) for the
# web2019 checkout that is installed for rfqserver further down.
apt install \
  git \
  nginx-full \
  python3 \
  python3.12-venv \
  python3-pip

# certbot is installed from snap; the symlink makes it callable as
# /usr/bin/certbot.
snap install --classic certbot
ln -s /snap/bin/certbot /usr/bin/certbot

# Two unprivileged accounts, each with a home directory (-m).
# NOTE(review): no shell is specified, so both get the distribution default.
# In this document rfqserver is only used through "sudo -u"; if nothing logs in
# as that account, a nologin shell would be tighter. Confirm before changing.
for account in rfqserver zolaupd; do
  useradd -m "$account"
done

# Install the global nginx configuration and the site definition, then enable
# the site by linking it into sites-enabled.
# Note: this overwrites the packaged /etc/nginx/nginx.conf.
site=m-labs-intl.com
cp nginx.conf /etc/nginx/
cp "$site" /etc/nginx/sites-available/
ln -s "/etc/nginx/sites-available/$site" /etc/nginx/sites-enabled/

# Web root for the site. Ownership goes to zolaupd (recursively), so that
# account, not root and not the nginx worker, is the one that can write content.
webroot="/var/www/$site"
mkdir -p "$webroot/html"
chown -R zolaupd "$webroot/"

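# Launcher script for the RFQ service, owned by and executable for rfqserver.
cp runrfq.sh /home/rfqserver/
chown rfqserver /home/rfqserver/runrfq.sh
chmod +x /home/rfqserver/runrfq.sh

# mail.secret holds credentials. A plain cp followed by chown keeps whatever
# mode the source file and the umask produce (commonly world-readable), so
# install(1) is used instead: it creates the file owned by rfqserver with
# mode 0600 in a single step, never exposing it to other local users.
install -o rfqserver -m 0600 mail.secret /home/rfqserver/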


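# Authorise two SSH public keys for the zolaupd account.
# - umask 077 makes ~/.ssh and authorized_keys owner-only from the moment they
#   are created, instead of tightening them after the keys are written.
# - set -e stops at the first failure; with ";"-chained commands a failed cd or
#   mkdir was silently ignored.
# - mkdir -p lets the step be re-run when ~/.ssh already exists.
# - printf replaces "echo -n", whose behaviour differs between sh
#   implementations; it writes one key per line, without leading spaces and
#   with a final newline, so a key appended later starts on its own line.
# Note: ">" replaces any existing authorized_keys file.
sudo -u zolaupd sh -c '
  set -e
  umask 077
  cd /home/zolaupd
  mkdir -p .ssh
  chmod 700 .ssh
  printf "%s\n" \
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP1OJJM8g/1ffxDjN31XKEfGmrYaW03lwpyTa1UGWqVx" \
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF6R6XK0IiuAKxVKvSABm4m9bfOlvfJcMvTpjenuXUPv" > .ssh/authorized_keys
  chmod 600 .ssh/authorized_keys
'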

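# Check out web2019 and install its Python dependencies into a private
# virtualenv, running as the unprivileged rfqserver user.
# - "source" is not a POSIX sh command; where /bin/sh is dash (the Debian/Ubuntu
#   default) it fails with "not found", and because the commands were chained
#   with ";" pip then ran outside the virtualenv. Calling the venv's own pip
#   needs no activation.
# - set -e aborts on the first failing step (for example a failed clone)
#   instead of carrying on in the wrong directory.
# NOTE(review): the clone takes whatever the default branch currently points
# to, and requirements.txt is not shown here; pinning a commit and exact
# package versions would make this step reproducible. Confirm with the
# repository owners.
sudo -u rfqserver sh -c '
  set -e
  cd /home/rfqserver
  git clone https://git.m-labs.hk/M-Labs/web2019.git
  cd web2019
  python3 -m venv ./venv
  ./venv/bin/pip install -r requirements.txt
'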

# Register the RFQ unit with systemd, then enable it at boot and start it
# immediately (--now combines "enable" and "start").
# NOTE(review): rfq.service is not shown in this document; confirm that it runs
# as the rfqserver account (User=) rather than as root.
cp rfq.service /etc/systemd/system/
systemctl daemon-reload
systemctl enable --now rfq.service

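# Validate the configuration before each restart: restarting with a broken
# config stops the running nginx and then fails to start it again, taking the
# site offline. "nginx -t" only parses the configuration and reports errors.
nginx -t && service nginx restart

# Obtain certificates. The nginx plugin edits the site configuration in place,
# so the configuration is checked again before the second restart.
certbot --nginx

nginx -t && service nginx restart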

# Inbound policy: deny by default ("default" applies to incoming traffic when
# no direction is given).
ufw default deny

# Allowlisted source addresses. No port or protocol is given, so each of these
# hosts may reach every port on this server.
for trusted_src in \
  94.190.212.123 \
  2001:470:f891:1:5999:5529:5d:f71d \
  202.77.7.238 \
  2001:470:18:390::2
do
  ufw allow from "$trusted_src"
done

# Public web traffic, using the application profiles shipped with nginx.
for web_profile in "Nginx HTTP" "Nginx HTTPS"; do
  ufw allow "$web_profile"
done

# SSH stays reachable from any address, but "limit" rate-limits repeated
# connection attempts from the same source.
ufw limit OpenSSH

ufw default allow outgoing

# NOTE(review): without a direction these are inbound rules, so they open the
# SMTP and submission ports (rate-limited) to the Internet. If this host only
# sends mail, outbound traffic is already allowed above and these two rules may
# be unnecessary. Confirm the intent.
for mail_port in 25/tcp 587/tcp; do
  ufw limit "$mail_port"
done

# Review the rules, then activate the firewall last, so the SSH rule is already
# in place when filtering starts.
ufw show added
ufw enable