• Activity
  • Votes
  • Comments
  • New
  • All activity
    1. In which a foolish developer tries DevOps: critique my VPS provisioning script!

      I'm attempting to provision two mirror staging and production environments for a future SaaS application that we're close to launching as a company, and I'd like to get some feedback on the...

      I'm attempting to provision two mirror staging and production environments for a future SaaS application that we're close to launching as a company, and I'd like to get some feedback on the provisioning script I've created that takes a default VPS from our hosting provider, DigitalOcean, and readies it for being a secure hosting environment for our application instance (which runs inside Docker, and persists data to an unrelated managed database).

      I'm sticking with a simple infrastructure architecture at the moment: A single VPS which runs both nginx and the application instance inside a containerised docker service as mentioned earlier. There's no load balancers or server duplication at this point. @Emerald_Knight very kindly provided me in the Tildes Discord with some overall guidance about what to aim for when configuring a server (limit damage as best as possible, limit access when an attack occurs)—so I've tried to be thoughtful and integrate that paradigm where possible (disabling root login, etc).

      I’m not a DevOps or sysadmin-oriented person by trade—I stick to programming most of the time—but this role falls to me as the technical person in this business; so the last few days has been a lot of reading and readying. I’ll run through the provisioning flow step by step. Oh, and for reference, Ubuntu 20.04 LTS.

      First step is self-explanatory.

      #!/bin/sh
      
      # Name of the user to create and grant privileges to.
      USERNAME_OF_ACCOUNT=
      
      sudo apt-get -qq update
      sudo apt install -qq --yes nginx
      sudo systemctl restart nginx
      

      Next, create my sudo user, add them to the groups needed, require a password change on first login, then copy across any provided authorised keys from the root user which you can configure to be seeded to the VPS in the DigitalOcean management console.

      useradd --create-home --shell "/bin/bash" --groups sudo,www-data "${USERNAME_OF_ACCOUNT}"
      passwd --delete $USERNAME_OF_ACCOUNT
      chage --lastday 0 $USERNAME_OF_ACCOUNT
      
      HOME_DIR="$(eval echo ~${USERNAME_OF_ACCOUNT})"
      mkdir --parents "${HOME_DIR}/.ssh"
      cp /root/.ssh/authorized_keys "${HOME_DIR}/.ssh"
      
      chmod 700 ~/.ssh
      chmod 600 ~/.ssh/authorized_keys
      chown --recursive "${USERNAME_OF_ACCOUNT}":"${USERNAME_OF_ACCOUNT}" "${HOME_DIR}/.ssh"

sudo chmod 775 -R /var/www
      sudo chown -R $USERNAME_OF_ACCOUNT /var/www
      rm -rf /var/www/html
      

      Installation of docker, and run it as a service, ensure the created user is added to the docker group.

      sudo apt-get install -qq --yes \
          apt-transport-https \
          ca-certificates \
          curl \
          gnupg-agent \
          software-properties-common
      
      curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
      sudo apt-key fingerprint 0EBFCD88
      
      sudo add-apt-repository --yes \
         "deb [arch=amd64] https://download.docker.com/linux/ubuntu \
         $(lsb_release -cs) \
         stable"
      
      sudo apt-get -qq update
      sudo apt install -qq --yes docker-ce docker-ce-cli containerd.io
      
      # Only add a group if it does not exist
      sudo getent group docker || sudo groupadd docker
      sudo usermod -aG docker $USERNAME_OF_ACCOUNT
      
      # Enable docker
      sudo systemctl enable docker
      
      sudo curl -L "https://github.com/docker/compose/releases/download/1.27.4/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
      sudo chmod +x /usr/local/bin/docker-compose
      sudo ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose
      docker-compose --version
      

      Disable root logins and any form of password-based authentication by altering sshd_config.

      sed -i '/^PermitRootLogin/s/yes/no/' /etc/ssh/sshd_config
      sed -i '/^PasswordAuthentication/s/yes/no/' /etc/ssh/sshd_config
      sed -i '/^ChallengeResponseAuthentication/s/yes/no/' /etc/ssh/sshd_config
      

      Configure the firewall and fail2ban.

      sudo ufw default deny incoming
      sudo ufw default allow outgoing
      sudo ufw allow ssh
      sudo ufw allow http
      sudo ufw allow https
      sudo ufw reload
      sudo ufw --force enable && sudo ufw status verbose
      
      sudo apt-get -qq install --yes fail2ban
      sudo systemctl enable fail2ban
      sudo systemctl start fail2ban
      

      Swapfiles.

      sudo fallocate -l 1G /swapfile && ls -lh /swapfile
      sudo chmod 0600 /swapfile && ls -lh /swapfile
      sudo mkswap /swapfile
      sudo swapon /swapfile && sudo swapon --show
      echo '/swapfile none swap sw 0 0' | sudo tee -a /etc/fstab
      

      Unattended updates, and restart the ssh daemon.

      sudo apt install -qq unattended-upgrades
      sudo systemctl restart ssh
      

      Some questions

      You can assume these questions are cost-benefit focused, i.e. is it worth my time to investigate this, versus something else that may have better gains given my limited time.

      1. Obviously, any critiques of the above provisioning process are appreciated—both on the micro level of criticising particular lines, or zooming out and saying “well why don’t you do this instead…”. I can’t know what I don’t know.

      2. Is it worth investigating tools such as ss or lynis (https://github.com/CISOfy/lynis) to perform server auditing? I don’t have to meet any compliance requirements at this point.

      3. Do I get any meaningful increase in security by implementing 2FA on login here using google authenticator? As far as I can see, as long as I'm using best practices to actually ssh into our boxes, then the likeliest risk profile for unwanted access probably isn’t via the authentication mechanism I use personally to access my servers.

      4. Am I missing anything here? Beyond the provisioning script itself, I adhere to best practices around storing and generating passwords and ssh keys.

      Some notes and comments

      1. Eventually I'll use the hosting provider's API to spin up and spin down VPS's on the fly via a custom management application, which gives me an opportunity to programmatically execute the provisioning script above and run some over pre- and post-provisioning things, like deployment of the application and so forth.

      2. Usage alerts and monitoring is configured within DigitalOcean's console, and alerts are sent to our business' Slack for me to action as needed. Currently, I’m settling on the following alerts:
        1. Server CPU utilisation greater than 80% for 5 minutes.
        2. Server memory usage greater than 80% for 5 minutes.
        3. I’m also looking at setting up daily fail2ban status alerts if needed.
      4 votes
    2. 2020 Election News and Information (Week of October 25th)

      A thread you can easily ignore A new week a new thread As the pace and the quantity of information that his coming out of the election increases. Instead of creating a new post for everything, or...

      A thread you can easily ignore

      A new week a new thread

      As the pace and the quantity of information that his coming out of the election increases. Instead of creating a new post for everything, or not posting things because it is a smaller item, please feel free to post here.
      Feel free to break out any information posted here into its own thread if the discussion warrants it.

      Major news can/should be broken out into its own topic. (use your own discretion)

      Thank goodness this is almost over

      9 votes
    3. What did you do this weekend?

      As part of a weekly series, these topics are a place for users to casually discuss the things they did — or didn't do — during their weekend. Did you make any plans? Take a trip? Do nothing at...

      As part of a weekly series, these topics are a place for users to casually discuss the things they did — or didn't do — during their weekend. Did you make any plans? Take a trip? Do nothing at all? Tell us about it!

      7 votes
    4. Timasomo 2020 Thread #0: Planning Thread

      Weekly Task This is your chance to talk about what you might do, bounce ideas off one another, and solicit feedback in advance of the start of Timasomo 2020. You do NOT have to decide on your...

      Weekly Task

      This is your chance to talk about what you might do, bounce ideas off one another, and solicit feedback in advance of the start of Timasomo 2020. You do NOT have to decide on your official Timasomo project(s) yet, but use this thread to share what you're thinking of (which many of you already started doing in the announcement thread)!

      That said, do NOT start working on your project yet either! It is perfectly okay to plan what you will do this week, but the actual creative process toward your goal should not start until November 1st.

      Next Steps

      The Roll Call thread will go live on Sunday, November 1st. That will be the thread in which you will officially enroll in Timasomo 2020 and publicly commit to your goal!


      Timasomo FAQ

      What is Timasomo?

      Timasomo is "Tildes' Make Something Month": a creative community challenge that takes place in the month of November. It was inspired by NaNoWriMo, the National Novel Writing Month. The first ever Timasomo took place last year. You can see the threads for the previous Timasomo using the timasomo tag, and you can see the final showcase thread of creations here.

      What are the rules?Timasomo is self-driven and its goals are self-selected. On November 1st, participants will commit to a creative project (or projects) that they plan to complete within the month of November. There is no restriction on the methods/products of creativity: writing, painting, code, food, photos, crafts, songs -- if it's creative expression for you, it works for Timasomo!

      Though most will be participating individually, collaborations are welcome too!

      What is the schedule?

      Timasomo begins November 1st and ends November 30th. All creative output towards your goal(s) should be confined to this time. This week prior to the start of November is for planning, and there will be a few days at the beginning of December given to "finishing touches" before we have our final thread, which will be a showcase of all the completed works. Below are the dates that I will be posting weekly threads:

      Sunday, October 18, 2020: Announcement Thread
      Sunday, October 25, 2020: Planning Thread
      Sunday, November 1, 2020: Roll Call Thread
      Sunday, November 8, 2020: Update Thread #1
      Sunday, November 15, 2020: Update Thread #2
      Sunday, November 22, 2020: Update Thread #3
      Sunday, November 29, 2020: Final Update Thread
      Sunday, December 6, 2020: Timasomo Showcase Thread

      This announcement will be posted in ~tildes. All Timasomo process threads will be hosted in ~creative. The final Timasomo Showcase thread will be posted in ~talk.

      Can I participate?

      Yes! Timasomo is open to anyone on Tildes! The greater Tildes community is also encouraged to participate in discussion threads even if you are not actively working towards a creative goal. This is meant to be an inclusive community event -- all are welcome! If you are interested in participating but do not have a Tildes login, please e-mail the invite request address here for an invite to the community.

      Participants will formally announce their plans to enter into Timasomo on Sunday, November 1st, in the Roll Call thread. If you are planning to participate or just want to follow the event, please make sure you are subscribed to ~creative where all of the update threads will be posted.

      What if I have ideas for how to run the event?

      Please share them here! I am facilitating the event, but I am completely open to feedback and suggestions to make this the best event possible. I want this to be Tildes' event, not kfwyre's!

      18 votes
    5. Weekly coronavirus-related chat, questions, and minor updates - week of October 26

      This thread is posted weekly, and is intended as a place for more-casual discussion of the coronavirus and questions/updates that may not warrant their own dedicated topics. Tell us about what the...

      This thread is posted weekly, and is intended as a place for more-casual discussion of the coronavirus and questions/updates that may not warrant their own dedicated topics. Tell us about what the situation is like where you live!

      9 votes
    6. What did you do this week?

      As part of a weekly series, these topics are a place for users to casually discuss the things they did — or didn't do — during their week. Did you accomplish any goals? Suffer a failure? Do...

      As part of a weekly series, these topics are a place for users to casually discuss the things they did — or didn't do — during their week. Did you accomplish any goals? Suffer a failure? Do nothing at all? Tell us about it!

      6 votes
    7. I got a piano

      My aunt is moving to a smaller apartment and her piano does not fit there, so I offered to take it. Not because I intended to play, but she wanted to keep it in the family out of nostalgia and...

      My aunt is moving to a smaller apartment and her piano does not fit there, so I offered to take it. Not because I intended to play, but she wanted to keep it in the family out of nostalgia and emotional attachment.

      It is under renovation and should arrive perfectly tuned.

      But now that I have it, I ask myself: why not play it? I had piano lessons as a kid, and I like classical music.

      Is there a straightforward way to learn piano by myself that doesn’t feel like much of a chore? Otherwise, the piano will just linger in my living room.

      11 votes
    8. Thoughts on the World Series so far?

      I'm a Red Sox fan so don't have much invested in this WS but it has been AWESOME so far! I'm at a point where I really want the Rays to win but wouldn't be bummed to see Mookie and Joe Kelly get...

      I'm a Red Sox fan so don't have much invested in this WS but it has been AWESOME so far! I'm at a point where I really want the Rays to win but wouldn't be bummed to see Mookie and Joe Kelly get another ring. Also, redemption for the Astros shenanigans.

      My favorite moment is likely a predictable one but I'll say it anyway... the walk-off hit in game four was just an emotional roller coaster.

      Anyone else watching? If so, what are your thoughts so far?

      3 votes
    9. What is some noteworthy music that is quarantine/COVID-specific?

      I'm curious to know what music is out there that: is explicitly about the world's current COVID-related situations, or had its recording/production significantly influenced by those situations....

      I'm curious to know what music is out there that:

      • is explicitly about the world's current COVID-related situations, or
      • had its recording/production significantly influenced by those situations.

      Examples of the former would be Koffee's "Lockdown" or Chromeo's Quarantine Casanova, which have their influences right there on the label.

      An example of the latter would be Charli XCX's How I'm Feeling Now (mildly NSFW album art), which was created in self-isolation while collaborating over Zoom with producers and fans.

      I'm interested in seeing what's out there, not necessarily getting specific recommendations for music, so you don't have to consider anything you post an endorsement.

      11 votes
    10. 2020 Election News and Information (Week of October 18th)

      A thread you can easily ignore As the pace and the quantity of information that his coming out of the election increases. Instead of creating a new post for everything, or not posting things...

      A thread you can easily ignore

      As the pace and the quantity of information that his coming out of the election increases. Instead of creating a new post for everything, or not posting things because it is a smaller item, please feel free to post here.
      Feel free to break out any information posted here into its own thread if the discussion warrants it.

      Major news can/should be broken out into its own topic. (use your own discretion)

      19 votes
    11. Fitness Weekly Discussion

      What have you been doing lately for your own fitness? Try out any new programs or exercises? Have any questions for others about your training? Want to vent about poor behavior in the gym? Started...

      What have you been doing lately for your own fitness? Try out any new programs or exercises? Have any questions for others about your training? Want to vent about poor behavior in the gym? Started a new diet or have a new recipe you want to share? Anything else health and wellness related?

      6 votes
    12. Weekly coronavirus-related chat, questions, and minor updates - week of October 19

      This thread is posted weekly, and is intended as a place for more-casual discussion of the coronavirus and questions/updates that may not warrant their own dedicated topics. Tell us about what the...

      This thread is posted weekly, and is intended as a place for more-casual discussion of the coronavirus and questions/updates that may not warrant their own dedicated topics. Tell us about what the situation is like where you live!

      7 votes