# Setting up the m-labs-intl.com server
```shell
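# Runbook for bringing up the m-labs-intl.com host. The commands below are
# meant to be run as root, in order, from a directory that contains the
# referenced config files (60-tunnels.yaml, m-labs.hk.conf, m-labs.hk,
# m-labs-intl.com, nginx.conf, runrfq.sh, mail.secret, rfq.service,
# gretun.sh, gretun_down.sh, gretun.service).

# Install required packages
apt install git nginx-full python3 python3.12-venv python3-pip iptables ufw \
  strongswan strongswan-swanctl strongswan-pki strongswan-libcharon
snap install --classic certbot
ln -s /snap/bin/certbot /usr/bin/certbot

# Set up networks (includes GRE)
cp 60-tunnels.yaml /etc/netplan/
netplan apply

# Set up IPsec-AH connection
cp m-labs.hk.conf /etc/swanctl/conf.d/
# Only append the forwarding setting if it is not already present, so that
# re-running this runbook does not accumulate duplicate lines in sysctl.conf.
grep -qxF 'net.ipv4.ip_forward=1' /etc/sysctl.conf \
  || echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
sysctl -p
cp m-labs.hk /etc/swanctl/pubkey/m-labs.hk # get pubkey from nixbld
# Generate the host's private key under a restrictive umask so the file is
# owner-only from the moment it is created (a bare redirection would create it
# with the default umask, typically 644).
(umask 077; pki --gen --type rsa --size 4096 --outform pem > /etc/swanctl/private/m-labs-intl.com)
pki --pub --in /etc/swanctl/private/m-labs-intl.com --outform pem > /etc/swanctl/pubkey/m-labs-intl.com
cp /etc/swanctl/pubkey/m-labs-intl.com m-labs-intl.com # add it to the nixbld
systemctl enable strongswan --now
systemctl restart strongswan

# Set up website
cp m-labs-intl.com /etc/nginx/sites-available/
cp nginx.conf /etc/nginx/
ln -s /etc/nginx/sites-available/m-labs-intl.com /etc/nginx/sites-enabled/
# Validate the configuration before (re)starting nginx.
nginx -t
systemctl enable nginx --now
systemctl restart nginx

# Issue SSL certificate - website only, the mail is on the HK side
certbot --nginx
systemctl restart nginx

# Create a user for automatic website deployment from nixbld
useradd -m zolaupd
mkdir -p /var/www/m-labs-intl.com/html
chown -R zolaupd /var/www/m-labs-intl.com/
# Install the deployment keys as the user itself so ownership is correct.
# printf writes one key per line and does not depend on echo's -n handling,
# which varies between shells (/bin/sh here is not necessarily bash).
sudo -u zolaupd sh -c '
cd /home/zolaupd || exit 1
mkdir -p /home/zolaupd/.ssh
printf "%s\n" \
  "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP1OJJM8g/1ffxDjN31XKEfGmrYaW03lwpyTa1UGWqVx" \
  "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF6R6XK0IiuAKxVKvSABm4m9bfOlvfJcMvTpjenuXUPv" \
  > /home/zolaupd/.ssh/authorized_keys
chmod 700 .ssh/
chmod 600 .ssh/authorized_keys
'

# Create a user for RFQ hooks service
useradd -m rfqserver
cp runrfq.sh /home/rfqserver/
cp mail.secret /home/rfqserver/
chown rfqserver /home/rfqserver/runrfq.sh
chmod +x /home/rfqserver/runrfq.sh
chown rfqserver /home/rfqserver/mail.secret
# cp preserves the source mode (typically 644); the mail credentials must be
# readable by the service user only.
chmod 600 /home/rfqserver/mail.secret

# "source" is a bashism and is not available when /bin/sh is dash; calling the
# venv's pip directly avoids activating the environment at all and cannot
# silently fall back to the system pip.
sudo -u rfqserver sh -c '
cd /home/rfqserver || exit 1
git clone https://git.m-labs.hk/M-Labs/web2019.git
cd web2019 || exit 1
python3 -m venv ./venv
./venv/bin/pip install -r requirements.txt
'
cp rfq.service /etc/systemd/system/

# Automate port forwarding rules creation
cp gretun.sh /root/gretun.sh
cp gretun_down.sh /root/gretun_down.sh
chmod u+x /root/gretun.sh
chmod u+x /root/gretun_down.sh
cp gretun.service /etc/systemd/system/

# Enable custom services
systemctl daemon-reload
systemctl enable rfq.service --now
systemctl enable gretun.service --now

# Setup basic firewall rules
ufw default deny
ufw default allow outgoing

# Hosts accepted on every port (all inbound traffic from these addresses).
ufw allow from 94.190.212.123
ufw allow from 2001:470:f891:1::/64
ufw allow from 202.77.7.238
ufw allow from 2001:470:18:390::2
ufw allow "Nginx HTTP"
ufw allow "Nginx HTTPS"
# Rate-limit SSH and IKE/NAT-T (IPsec) rather than allowing them unthrottled.
ufw limit OpenSSH
ufw allow 25/tcp
ufw allow 587/tcp
ufw limit 500,4500/udp

# Forward traffic arriving over the GRE tunnel out of the uplink interface.
ufw route allow in on gre1 out on eth0
ufw allow from 10.47.3.0/31

# Review the rule set before activating it; ufw enable prompts for
# confirmation and may disrupt an existing SSH session.
ufw show added
ufw enable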
```