Changes for page Configuring a VPS machine from scratch

Last modified by Alexandru Pentilescu on 2024/07/22 21:37

From 5.1 to 4.4

From version 12.1

edited by Alexandru Pentilescu
on 2024/07/22 21:37

Change comment: There is no comment for this version

To version 5.1

edited by Alexandru Pentilescu
on 2022/11/13 22:14

Change comment: There is no comment for this version

Raw
Rendered

Summary

Page properties (1 modified, 0 added, 0 removed)

Details

Page properties

Content

@@ -45,27 +45,10 @@
  Ultimately, the argument for or against using root access is mostly a philosophical one, rather than a technical one. There is no right or wrong answer to this question. Rather, each answer brings its own advantages and disadvantages to the table. What really matters is what you're more comfortable with using in the end.
  Moreover, using a sudoers user rather than root is not inherently a guarantee for system safety either and should not be taken as a leeway for running suspicious executable files from the internet either, as privilege escalation bugs have existed in the Linux kernel since its own inception.
--= Install the necessary utilities =
--Install docker, postfix and nginx, which are all utilities you will be using consistently, from this point on.
--
--Afterwards, install the certbot-plugin-gandi plugin to enable automatic certificate renewals using gandi. This may require you to install pip3 as well, first.
--
--One the plugin is installed, just do:
--
--{{code language="bash"}}
--certbot certonly --authenticator dns-gandi --dns-gandi-credentials /etc/letsencrypt/gandi/gandi.ini -n -d 'transistor.one,*.transistor.one' --agree-tos --email=alexandru.pentilescu@disroot.org
--{{/code}}
--
--The contents of /etc/lets/encrypt/gandi/gandi.ini should look like the following:
--# live dns v5 api key
--dns_gandi_api_key=<gandi_api_key>
--
--The <gandi_api_key> token should be replaced with the actual API key generated from the Gandi website for your account.
--
  = Setting up an SMTP server =
  This will be required for all the future things you will be doing on the server.
--Moreover, this is not an easy task and will be a little time consuming. Please consult the documentation [[here>>https://wiki.transistor.one/bin/view/Guides/How%20to%20setup%20a%20postfix%20SMTP%20server/]]
++Moreover, this is not an easy task and will be a little time consuming. Please consult the documentation [[here>>https://wiki.pentilescu.com/bin/view/Guides/How%20to%20setup%20a%20postfix%20SMTP%20server/]]
  = Setting up automatic updates =
@@ -138,208 +138,4 @@
  Docker is almost an irreplaceable piece of software that will be critical to your whole infrastructure. Docker needs to be installed on the system properly. In order to do so, please follow the guide [[here>>https://docs.docker.com/engine/install/ubuntu/]]
--= Force postfix to bind to non-local IP addresses on start =
--
--If we plan on using our SMPT server to relay emails coming from our docker containers, we will have to force postfix to bind to an IP address that's different from localhost. This needs to be done because, if we configure postfix to only bind to localhost, it will effectively be unreachable to our docker containers and they will not be able to use it as a relay.
--In order to allow for postfix to bind to non-local addresses, we have to add the following configuration file /etc/sysctl.d/80-network.conf with the following contents:
--
--{{code language="ini"}}
--net.ipv4.ip_nonlocal_bind = 1
--net.ipv6.ip_nonlocal_bind = 1
--{{/code}}
--
--Honestly, the "ipv6" line is unnecessary for our purposes, but I'm adding it anyway. After this file is added, after reboot, postfix will be able to bind itself to nonlocal addresses successfully.
--
--= Installing Grafana and all the other necessary components =
--System monitoring is genuinely important. As such, having some pretty graphs to look at that monitor various stats of the server can be quite useful.
--To this end, we will set up Grafana as our graphs dashboard where we will visualize all of the relevant metrics of the system, as well as Prometheus as the data aggregator and Node Exporter, as the data collector.
--
--Let's get started!
--
--== Installing node exporter ==
--Use wget or any other utility to grab the latest version of node exporter.
--
--{{code language="bash"}}
--wget https://github.com/prometheus/node_exporter/releases/download/v0.15.2/node_exporter-0.15.2.linux-amd64.tar.gz
--{{/code}}
--
--Once this is done, extract the contents of the archive:
--
--{{code language="bash"}}
--tar -xf node_exporter-0.15.2.linux-amd64.tar.gz
--{{/code}}
--
--We will be running this as its own user. In order to avoid having to create a home directory for that user, it's best if we move the utilities that just got extracted to the root directories:
--
--{{code language="bash"}}
--mv node_exporter-0.15.2.linux-amd64/node_exporter /usr/local/bin
--{{/code}}
--
--Create the new user:
--
--{{code language="bash"}}
--useradd -rs /bin/false node_exporter
--{{/code}}
--
--Create a new systemd service file, that will start the node_exporter automatically, after each boot:
--
--{{code language="systemd"}}
--[Unit]
--Description=Node Exporter
--After=network.target
--
--[Service]
--User=node_exporter
--Group=node_exporter
--Type=simple
--ExecStart=/usr/local/bin/node_exporter
--
--[Install]
--WantedBy=multi-user.target
--{{/code}}
--
--Once this has been done, reload the service files, enable the newly created service and start it:
--
--{{code language="bash"}}
--systemctl daemon-reload
--systemctl enable node_exporter
--systemctl start node_exporter
--{{/code}}
--
--== Installing Prometheus ==
--Prometheus will be aggregating all the data that is collected by the node_exporter and allowing for it to be queried with a standardized syntax.
--
--To install Prometheus, we must first download it:
--
--{{code language="bash"}}
--wget https://github.com/prometheus/prometheus/releases/download/v2.1.0/prometheus-2.1.0.linux-amd64.tar.gz
--tar -xf prometheus-2.1.0.linux-amd64.tar.gz
--{{/code}}
--
--Much like with node_exporer above, we will force Prometheus to run as its own user, for security reasons. As such, we should isolate its files to the root filesystem:
--
--{{code language="bash"}}
--mv prometheus-2.1.0.linux-amd64/prometheus prometheus-2.1.0.linux-amd64/promtool /usr/local/bin
--{{/code}}
--
--We should also create new directories to store the relevant data for Prometheus:
--
--{{code language="bash"}}
--mkdir /etc/prometheus /var/lib/prometheus
--{{/code}}
--
--Then move the current directories to the appropriate system-level locations:
--
--{{code language="bash"}}
--mv prometheus-2.1.0.linux-amd64/consoles prometheus-2.1.0.linux-amd64/console_libraries /etc/prometheus
--{{/code}}
--
--== Configuring Prometheus ==
--Create a new /etc/prometheus/prometheus.yml with the following contents:
--
--{{code language="yml"}}
--global:
--  scrape_interval: 10s
--scrape_configs:
--  - job_name: 'node'
--    static_configs:
--      - targets: ['localhost:9100']
--{{/code}}
--
--Once the above is done, we should create the new prometheus user:
--
--{{code language="bash"}}
--useradd -rs /bin/false prometheussudo chown -R prometheus: /etc/prometheus /var/lib/prometheus
--chown -R prometheus: /etc/prometheus /var/lib/prometheus
--{{/code}}
--
--Then, please create an /etc/systemd/system/prometheus.service file with the following contents:
--
--{{code language="systemd"}}
--[Unit]
--Description=Prometheus
--After=network.target
--
--[Service]
--User=prometheus
--Group=prometheus
--Type=simple
--ExecStart=/usr/local/bin/prometheus \
--    --config.file /etc/prometheus/prometheus.yml \
--    --storage.tsdb.path /var/lib/prometheus/ \
--    --web.console.templates=/etc/prometheus/consoles \
--    --web.console.libraries=/etc/prometheus/console_libraries
--
--[Install]
--WantedBy=multi-user.target
--{{/code}}
--
--Then reload:
--
--{{code language="bash"}}
--systemctl daemon-reload
--systemctl enable prometheus
--systemctl start prometheus
--{{/code}}
--
--After everything has been done, we can proceed with Grafana itself.
--
--== Installing Grafana ==
--Ideally Grafana should be installed from its own APT repository, as this will keep it updated constantly. To do so:
--
--{{code language="bash"}}
--apt-get install -y apt-transport-https software-properties-common wget
--mkdir -p /etc/apt/keyrings/
--wget -q -O - https://apt.grafana.com/gpg.key | gpg --dearmor | tee /etc/apt/keyrings/grafana.gpg > /dev/null
--echo "deb [signed-by=/etc/apt/keyrings/grafana.gpg] https://apt.grafana.com stable main" | tee -a /etc/apt/sources.list.d/grafana.list
--apt-get update
--apt-get install grafana
--{{/code}}
--
--== Configuring Grafana ==
--After Grafana has been installed, we should make sure that it works properly by changing its default port from port 3000 to 4000 (as port 3000 is normally used by Gitea on our instance).
--
--To do so, please edit /etc/grafana/grafana.ini by uncommenting the following line and changing the port number to:
--
--{{code language="ini"}}
--http_port = 4000
--{{/code}}
--
--Once this is done, enable the grafana-server service and start it:
--
--{{code language="bash"}}
--systemctl daemon-reload && systemctl enable grafana-server && systemctl start grafana-server.service
--{{/code}}
--
--== Expose the newly created port as an nginx subdomain ==
--
--Finally, configure an nginx service file for it. Create an /etc/nginx/sites-available/grafana.conf file with the following contents:
--
--{{code language="nxinx"}}
--server {
--  server_name stats.transistor.one;
--
--  listen [::]:443 ssl http2; # managed by Certbot
--  listen 443 ssl http2; # managed by Certbot
--
--  include /etc/nginx/snippets/ssl.conf;
--
--  location / {
--    proxy_set_header Host $http_host;
--    proxy_pass http://localhost:4000;
--  }
--}
--{{/code}}
--
--Apparently the proxy_set_header directive is necessary to avoid some weird error when trying to set a new password.
--
--== Set up the environment ==
--From this point on, all that's left is to login to stats.transistor.one and set up a new account. The default credentials to do so are username: admin and password: admin. You should change those immediately so that they will not get abused.
--
--Once that's done, configure your own dashboard and make it work. Personally, I like to import a public dashboard called Node Exporter Full, which looks very cool.
--
--Happy coding!
  )))
--
--
--