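# Setup m-labs-intl.com server

```shell
#!/usr/bin/env bash
# Provisioning script for the m-labs-intl.com server.
#
# Run as root from the directory that holds the files it copies:
#   60-tunnels.yaml, m-labs.hk.conf, m-labs.hk, m-labs-intl.com (nginx site),
#   nginx.conf, runrfq.sh, mail.secret, rfq.service, gretun.sh,
#   gretun_down.sh, gretun.service
# Steps that talk to a human (apt, certbot, ufw enable) stay interactive.
set -euo pipefail

# Install required packages
apt install git nginx-full python3 python3.12-venv python3-pip iptables ufw \
  strongswan strongswan-swanctl strongswan-pki strongswan-libcharon
snap install --classic certbot
ln -sf /snap/bin/certbot /usr/bin/certbot

# Set up networks (includes GRE)
cp 60-tunnels.yaml /etc/netplan/
netplan apply

# Set up IPsec-AH connection
cp m-labs.hk.conf /etc/swanctl/conf.d/
# Append the forwarding sysctl only once; re-running the script must not
# accumulate duplicate lines in sysctl.conf.
grep -qx 'net.ipv4.ip_forward=1' /etc/sysctl.conf \
  || echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
sysctl -p
cp m-labs.hk /etc/swanctl/pubkey/m-labs.hk   # get pubkey from nixbld
# Generate our key pair only when none exists: re-running the script must not
# silently rotate the key the HK side already trusts. The private key is
# written under umask 077 so it is never readable by other users, not even
# between the redirection creating the file and a later chmod.
if [[ ! -e /etc/swanctl/private/m-labs-intl.com ]]; then
  (
    umask 077
    pki --gen --type rsa --size 4096 --outform pem \
      > /etc/swanctl/private/m-labs-intl.com
  )
fi
pki --pub --in /etc/swanctl/private/m-labs-intl.com --outform pem \
  > /etc/swanctl/pubkey/m-labs-intl.com
# Export our public key for the nixbld side. NOTE(review): it is written
# under a distinct name because ./m-labs-intl.com in this directory is the
# nginx site config copied below; the original `cp ... m-labs-intl.com`
# overwrote that config with the public key. Rename to whatever nixbld expects.
cp /etc/swanctl/pubkey/m-labs-intl.com ./m-labs-intl.com.pub   # add it to the nixbld
systemctl enable strongswan --now
systemctl restart strongswan

# Set up website
cp m-labs-intl.com /etc/nginx/sites-available/
cp nginx.conf /etc/nginx/
ln -sf /etc/nginx/sites-available/m-labs-intl.com /etc/nginx/sites-enabled/
systemctl enable nginx --now
service nginx restart

# Issue SSL certificate - website only, the mail is on the HK side
certbot --nginx
service nginx restart

# Create a user for automatic website deployment from nixbld
useradd -m zolaupd
mkdir -p /var/www/m-labs-intl.com/html
chown -R zolaupd /var/www/m-labs-intl.com/
# Install the deployment keys as the user so ownership is correct.
# authorized_keys is one key per line, so each key gets its own line;
# printf is used because `echo -n` is not portable across /bin/sh variants.
sudo -u zolaupd sh -ec '
  cd /home/zolaupd
  mkdir -p .ssh
  printf "%s\n" \
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP1OJJM8g/1ffxDjN31XKEfGmrYaW03lwpyTa1UGWqVx" \
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF6R6XK0IiuAKxVKvSABm4m9bfOlvfJcMvTpjenuXUPv" \
    > .ssh/authorized_keys
  chmod 700 .ssh
  chmod 600 .ssh/authorized_keys
'

# Create a user for RFQ hooks service
useradd -m rfqserver
cp runrfq.sh /home/rfqserver/
cp mail.secret /home/rfqserver/
chown rfqserver /home/rfqserver/runrfq.sh
chmod +x /home/rfqserver/runrfq.sh
chown rfqserver /home/rfqserver/mail.secret
# The mail credential must only be readable by the service user.
chmod 600 /home/rfqserver/mail.secret
# /bin/sh on Debian/Ubuntu is dash, which has no `source`; invoke the venv's
# pip directly instead of activating the venv. `-e` makes a failed clone or
# install abort instead of continuing with a half-built checkout.
sudo -u rfqserver sh -ec '
  cd /home/rfqserver
  git clone https://git.m-labs.hk/M-Labs/web2019.git
  cd web2019
  python3 -m venv ./venv
  ./venv/bin/pip install -r requirements.txt
'
cp rfq.service /etc/systemd/system/

# Automate port forwarding rules creation
cp gretun.sh /root/gretun.sh
cp gretun_down.sh /root/gretun_down.sh
chmod u+x /root/gretun.sh
chmod u+x /root/gretun_down.sh
cp gretun.service /etc/systemd/system/

# Enable custom services
systemctl daemon-reload
systemctl enable rfq.service --now
systemctl enable gretun.service --now

# Setup basic firewall rules
# Default-deny inbound; the per-address allows below open every port to those
# peers (presumably the HK site and nixbld), so keep that list tight.
ufw default deny
ufw default allow outgoing
ufw allow from 94.190.212.123
ufw allow from 2001:470:f891:1::/64
ufw allow from 202.77.7.238
ufw allow from 2001:470:18:390::2
ufw allow "Nginx HTTP"
ufw allow "Nginx HTTPS"
# `limit` rate-limits new connections (brute-force protection) rather than
# allowing unconditionally.
ufw limit OpenSSH
ufw allow 25/tcp
ufw allow 587/tcp
ufw limit 500,4500/udp
ufw route allow in on gre1 out on eth0
ufw allow from 10.47.3.0/31
ufw show added
ufw enable
```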