lu0 / my-server-config

Configuration of the servers I use to host my websites.

Server configuration

Documentation and configuration files for the server I use to host my websites :)

I'm currently migrating one of my servers and documenting it here to help my future self.

1. SSH Login

1.1. As root

Add an SSH key on the first setup of the server (with your VPS provider) and make sure you have access to your server using that key before you touch anything else.

ssh -i /path/to/your/key root@<ip-address assigned>

Disable password logins by setting PasswordAuthentication and KbdInteractiveAuthentication (called ChallengeResponseAuthentication on OpenSSH older than 8.7) to no in the /etc/ssh/sshd_config file, and set PermitRootLogin to prohibit-password so root can only log in with a key. Leave UsePAM at yes: turning PAM off also disables its account and session handling, and it is not needed once both password methods are off. You can also change the default Port to an unused number below 1024 (only root can bind those ports, so a crashed sshd cannot be impersonated by an unprivileged process); this mostly cuts scanner noise and is no substitute for key-only logins. Finally, uncomment MaxAuthTries and MaxSessions and lower them (3 and 5 are reasonable values).

apt install vim
vim /etc/ssh/sshd_config

Validate the file with sshd -t, then reload the ssh daemon. On Ubuntu 22.10 and later sshd is socket-activated and the listening port comes from the ssh.socket unit, not from sshd_config, so a Port change there needs a systemd override for that unit (check systemctl status ssh.socket).

systemctl reload sshd

Log out from your server and test the default connection, keeping the first root session open in another terminal so you can still fix the config if the new one locks you out. You must receive a "port 22: Connection refused" error if you changed the port.

ssh -i /path/to/your/key root@<ip-address assigned>

Test that password authentication is refused by providing the correct port and forcing the password method (otherwise a key from your agent or ~/.ssh could be used silently and the test would prove nothing). You must receive a "Permission denied (publickey)." error.

ssh -p <port configured in sshd_config> -o PubkeyAuthentication=no -o PreferredAuthentications=password root@<ip-address assigned>

Finally, login by using your ssh key and the new port.

ssh -i /path/to/your/key -p <port> root@<ip-address>
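The edits above can be applied without hand-editing sshd_config, which also makes them repeatable when the server is rebuilt. The following script is an added example, not code from the lu0/my-server-config repo: it rewrites each directive idempotently (replacing the commented default line a stock Debian config ships with), applies the settings from this section, and runs sshd -t on the result. It assumes a config without Match blocks; the port 922 and the constructed sample config are illustrative.

```shell
#!/usr/bin/env bash
# Added example, not from the lu0/my-server-config repo: apply the sshd_config
# changes from section 1.1 idempotently instead of editing by hand, then check
# the result before reloading. Assumes a plain sshd_config with no Match blocks
# (directives inside a Match block would need separate handling).
set -euo pipefail

# set_sshd_option <file> <keyword> <value>
# Replaces the first "Keyword ..." or "#Keyword ..." line (sshd keywords are
# case-insensitive), drops later duplicates so sshd's first-match-wins rule
# cannot surprise you, and appends the directive if it was absent.
set_sshd_option() {
    local file=$1 key=$2 value=$3 tmp
    tmp=$(mktemp)
    awk -v key="$key" -v value="$value" '
        {
            line = $0
            sub(/^[[:space:]]*#?[[:space:]]*/, "", line)
            split(line, f, /[[:space:]]+/)
            if (tolower(f[1]) == tolower(key)) {
                if (!done) { print key " " value; done = 1 }
                next
            }
            print
        }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp"
    cat "$tmp" > "$file"   # keeps the original file mode and owner
    rm -f "$tmp"
}

# get_sshd_option <file> <keyword>: the value sshd would use (first
# uncommented occurrence), empty if the keyword is not set.
get_sshd_option() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# harden_sshd <file> <port>: the settings discussed in section 1.1.
harden_sshd() {
    local file=$1 port=$2
    set_sshd_option "$file" Port "$port"
    set_sshd_option "$file" PubkeyAuthentication yes
    set_sshd_option "$file" PasswordAuthentication no
    # Keyboard-interactive (PAM) password prompts must be off too; older
    # OpenSSH knows the setting only under its previous name.
    set_sshd_option "$file" KbdInteractiveAuthentication no
    set_sshd_option "$file" ChallengeResponseAuthentication no
    set_sshd_option "$file" PermitRootLogin prohibit-password
    set_sshd_option "$file" MaxAuthTries 3
    set_sshd_option "$file" MaxSessions 5
    # UsePAM stays yes: PAM still does account/session handling for key logins.
    set_sshd_option "$file" UsePAM yes
}

# check_sshd_config <file>: syntax-check with sshd itself when it is installed.
check_sshd_config() {
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$1"
    else
        echo "sshd not installed here; skipping syntax check" >&2
    fi
}

# write_sample_sshd_config <file>: constructed excerpt of a stock Debian
# sshd_config, used only to try the functions above without touching /etc.
write_sample_sshd_config() {
    cat > "$1" <<'EOF'
#Port 22
#AddressFamily any
#PubkeyAuthentication yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
KbdInteractiveAuthentication no
UsePAM yes
#MaxAuthTries 6
#MaxSessions 10
EOF
}

# Usage on the server (as root), 922 being an example port:
#   harden_sshd /etc/ssh/sshd_config 922 && check_sshd_config /etc/ssh/sshd_config && systemctl reload sshd
if [ "${1:-}" = "demo" ]; then
    f=$(mktemp); write_sample_sshd_config "$f"; harden_sshd "$f" 922; cat "$f"; rm -f "$f"
fi
```

Running it twice leaves the file unchanged, so it is safe in a provisioning script; `bash script.sh demo` prints what the sample config looks like after hardening.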

1.2. As a rootless (non-root) user

Create a new key pair on your host machine and store it in a safe path (you can use the same key you use for root logins, but don't).

ssh-keygen -t ed25519 -f /path/to/your/rootless-key

Login to your server as root.

ssh -i /path/to/your/root-key -p <port> root@<ip-address>

Create a new user, set its password and add it to the sudo group. useradd's -p option expects an already hashed password: passing a plain one leaves the account with a password that never matches and records it in root's shell history, so let passwd prompt for it instead.

apt install sudo
useradd -m -s /bin/bash <username>
passwd <username>
adduser <username> sudo

Switch to the new user (su - gives you a login shell in its home directory):

su - <username>

Create the authorized_keys file and paste the contents of the .pub file of the key you generated before. sshd ignores the file when ~/.ssh or the file itself is group- or world-writable (StrictModes, on by default), so set the permissions explicitly.

mkdir -p ~/.ssh && chmod 700 ~/.ssh
vim ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys

Log out from your server, then test the connection with the rootless user and check that sudo works (sudo -v).

ssh -i /path/to/your/rootless-key -p <port> <username>@<ip-address>

2. Environment

I can't stand the default shell...

2.1. Timezone

I like to use the timezone I live in. On a systemd host, timedatectl set-timezone America/Monterrey sets /etc/localtime for you; the manual way is:

export TZ="America/Monterrey"
sudo ln -snf /usr/share/zoneinfo/$TZ /etc/localtime
echo $TZ | sudo tee /etc/timezone

Restart the shell

bash

Test the timezone

date

2.2. Bash utilities

I use bash instead of dash. Change the login shell of your own user rather than replacing /bin/sh system-wide: Debian's init and package scripts are written for dash, and pointing /usr/bin/sh at bash changes how every #!/bin/sh script on the box runs.

chsh -s /bin/bash   # asks for your own password
# as root, 'usermod -s /bin/bash <username>' does the same without prompting
# run 'passwd <username>' logged in as root if you forgot your password...

Readline input settings, aliases and functions I use. Run these from this repo's folder on your host machine to copy them to your server over scp.

scp -P <port> -i /path/to/your/root-key ./bash-utils/inputrc.sh \
    root@<ip-address>:/etc/inputrc

scp -P <port> -i /path/to/your/rootless-key ./bash-utils/bashrc.sh \
    <username>@<ip-address>:/home/<username>/.bashrc

scp -P <port> -i /path/to/your/rootless-key ./bash-utils/bash_aliases.sh \
    <username>@<ip-address>:/home/<username>/.bash_aliases

Sometimes I ssh into my servers with VSCode, but its terminal opens the user's login shell, which is dash for a rootless user created with the default shell. Override the default shell in the settings.json of your host machine with:

"terminal.integrated.defaultProfile.linux": "bash"

2.3. Docker

I use docker to deploy most of the applications I use.

2.3.1. Install

# the package called just "docker" in Debian/Ubuntu is an unrelated system-tray tool, not the engine
sudo apt install -y docker.io docker-compose

2.3.2. Docker without sudo

Adding your user to the docker group lets it run docker without sudo. This is not rootless Docker: anyone who can talk to the Docker socket can start a container with the host filesystem mounted, so membership in the docker group is equivalent to root on the host. Give it only to the account you administer the server with, and use Docker's real rootless mode (dockerd-rootless-setuptool.sh install, documented by Docker) if you need the daemon itself to run unprivileged.

Create the docker group if it doesn't exist.

getent group docker >/dev/null || sudo groupadd docker

Add your user to the docker group and apply the changes (newgrp only affects the current shell; log out and back in so every new session picks up the group).

sudo usermod -aG docker ${USER} && newgrp docker

2.4. Networking

Some utilities for testing network configurations.

# netcat is only a virtual package on recent Debian; dnsutils provides the dig used in section 4
sudo apt install -y netcat-openbsd telnet iputils-ping curl dnsutils

3. DNS configuration

The exact steps will vary depending on your registrar and VPS provider, but this is the most common configuration.

3.1. Reverse DNS

Create a reverse DNS (PTR) record with your VPS provider for both the IPv4 and the IPv6 address you were assigned, pointing at the mail hostname you will use (mail.example.com below). Receiving mail servers check that the PTR matches the name your server announces.

3.2. DNS records

Set your DNS records to link your server with your domain in your registrar's panel.

3.2.1. A (IPv4) and AAAA (IPv6)

Point the blank (apex), wildcard (*) and www names of your domain to the IPv4 and IPv6 addresses of your server. With a wildcard, every name under the domain resolves to your server, so whatever listens there must handle unknown hostnames deliberately.

3.2.2. TXT and MX (mail)

Use this MX record for the blank (apex) name, or create a custom one. The value is a hostname, not an IP, so it needs its own A/AAAA records; the priority (10 is fine) is entered separately in most registrar panels.

mail.<example-domain>.<com or the TLD you use>

Use this TXT record for the blank (apex) name, not the wildcard, as the SPF policy, or create your own. "-all" tells receivers to reject mail from any host other than your MX and mail.example.com:

v=spf1 mx a:mail.example.com -all

Use this TXT record for the _dmarc prefix, or create your own. "p=reject" only makes sense once SPF and DKIM both pass for your mail; if in doubt start with p=none and read the reports sent to the rua address:

v=DMARC1; p=reject; rua=mailto:dmarc@example.com; fo=1

Configure a mail server in your VPS to generate a DKIM key (section 4).

4. Mail server

I use docker-mailserver as I want my mail server in an isolated environment, but emailwiz is a good alternative if you want to install it directly on the host.

4.1. Configuration files

Copy the configuration files and source code of docker-mailserver to the server:

scp -P <port> -i /path/to/your/rootless-key -pr ./mail-server \
    <username>@<ip-address>:/home/<username>/mail-server

Run the mail server on your VPS. I'm using release 10.1.2.

docker-compose -f ${HOME}/mail-server/docker-compose.yml up -d --force-recreate

Test the script by running it with the help argument. I aliased it in the bash_aliases.sh file to mail-setup.

chmod a+x ${GIT_DIR_MAIL}/setup.sh # var exported in ~/.bashrc
mail-setup help

4.2. Create mail accounts

Use the setup script to create new accounts.

mail-setup email add <user>@${HOSTNAME}   # prompts for the password; don't pass it as an argument, it ends up in ~/.bash_history
mail-setup alias add postmaster@${HOSTNAME} <user>@${HOSTNAME}

Create the DKIM key. I use a key size of 2048 bits: 1024-bit DKIM keys are considered weak, and 4096-bit keys produce a TXT value longer than some registrars' panels accept.

mail-setup config dkim keysize 2048

Restart your mail server to apply the changes.

docker restart mailserver

Run the following alias to print the DKIM, MX and TXT records you will set up in your registrar. If the DKIM key is printed as several quoted chunks on multiple lines, concatenate them into one value.

# will ask for sudo password
mail-dns-show

Wait a few minutes to let the DNS records propagate, and then test them.

dig example.com A       # IPv4
dig example.com AAAA    # IPv6
dig example.com MX
dig example.com TXT
dig _dmarc.example.com TXT
dig mail._domainkey.example.com TXT # DKIM
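Two of the steps above (joining the multi-line DKIM value in section 4.2 and writing the SPF and DMARC records in section 3.2.2) are easy to get subtly wrong, and dig only tells you what is published, not whether it is sane. The following is an added example, not code from the lu0/my-server-config repo or from docker-mailserver: dkim_txt_join glues the quoted chunks of a BIND-style DKIM record into the single string a registrar panel wants, spf_check enforces the v=spf1 prefix, a -all/~all ending and RFC 7208's 10-lookup limit, and dmarc_policy extracts the p= policy or fails on a malformed record. The DKIM sample in the usage note is constructed and contains no real key material.

```shell
#!/usr/bin/env bash
# Added example, not from the lu0/my-server-config repo. Checks for the records
# in sections 3.2.2 and 4.2: join the split DKIM TXT value, and sanity-check
# SPF and DMARC strings before publishing them.
set -euo pipefail

# dkim_txt_join: read a BIND-style TXT record on stdin, e.g.
#   mail._domainkey IN TXT ( "v=DKIM1; k=rsa; " "p=MIIB..." "...AQAB" )
# and print the quoted chunks concatenated into one value.
dkim_txt_join() {
    grep -o '"[^"]*"' | tr -d '"\n'
    echo
}

# spf_check <record>: enforce the things that commonly break SPF: the v=spf1
# prefix, a terminal -all/~all (never +all), the 10-lookup limit of RFC 7208
# and no unknown mechanisms. Prints a one-line verdict, returns 0 when sane.
spf_check() {
    local rec=$1 term q lookups=0 all=""
    case "$rec" in
        v=spf1|"v=spf1 "*) ;;
        *) echo "SPF: record must start with v=spf1"; return 1 ;;
    esac
    for term in $rec; do
        q=${term#[-~+?]}                      # strip the qualifier
        case "$q" in
            v=spf1) ;;
            all) all=$term ;;
            ip4:*|ip6:*) ;;                   # literal addresses: no lookup
            a|a:*|a/*|mx|mx:*|mx/*|include:*|exists:*|ptr|ptr:*|redirect=*)
                lookups=$((lookups + 1)) ;;
            *) echo "SPF: unknown term '$term'"; return 1 ;;
        esac
    done
    if [ "$lookups" -gt 10 ]; then
        echo "SPF: $lookups DNS lookups, receivers stop at 10 (permerror)"; return 1
    fi
    case "$all" in
        -all|~all) echo "SPF: ok ($lookups lookups, policy $all)" ;;
        *) echo "SPF: must end with -all or ~all, got '${all:-nothing}'"; return 1 ;;
    esac
}

# dmarc_policy <record>: print the p= value (none|quarantine|reject) of a
# DMARC record, failing on a missing or invalid v= or p= tag.
dmarc_policy() {
    local rec=$1 tag first=1 policy="" oldifs=$IFS
    IFS=';'
    for tag in $rec; do
        IFS=$oldifs
        tag=$(printf '%s' "$tag" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        [ -n "$tag" ] || continue
        if [ "$first" = 1 ]; then
            first=0
            [ "$tag" = "v=DMARC1" ] || { echo "DMARC: first tag must be v=DMARC1" >&2; return 1; }
            continue
        fi
        case "$tag" in
            p=none|p=quarantine|p=reject) policy=${tag#p=} ;;
            p=*) echo "DMARC: invalid policy '$tag'" >&2; return 1 ;;
        esac
    done
    IFS=$oldifs
    [ -n "$policy" ] || { echo "DMARC: required p= tag missing" >&2; return 1; }
    echo "$policy"
}

# check_published <domain>: the same checks against what is live in DNS
# (needs dig from dnsutils and network access).
check_published() {
    local d=$1
    spf_check "$(dig +short "$d" TXT | tr -d '"' | grep '^v=spf1')"
    echo "DMARC policy: $(dmarc_policy "$(dig +short "_dmarc.$d" TXT | tr -d '"')")"
}

# Usage: mail-dns-show | dkim_txt_join      (on the server)
#        check_published example.com       (after the records propagate)
```

spf_check counts every mechanism that triggers a DNS query (a, mx, include, exists, ptr, redirect), which is what bites people who add a third-party sender's include: on top of their own: receivers return permerror past the tenth lookup and the policy silently stops protecting the domain.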

5. NGINX Server

I use nginx as the web server and reverse proxy for my services.

Create a symlink to your (future) configurations. nginx's master process runs as root and reads these files, so whoever can write to the linked directory can make nginx start with an arbitrary configuration: keep the checkout root-owned (or copy the files into /etc/nginx instead of linking) rather than leaving the links pointing into a directory your unprivileged user can write. Start from the packaged nginx.conf instead of an empty file, otherwise nginx will refuse to start.

mkdir -p nginx/conf.d
sudo rm -rf /etc/nginx/conf.d
sudo ln -srf ./nginx/conf.d /etc/nginx/conf.d

cp /etc/nginx/nginx.conf nginx/nginx.conf
sudo rm -rf /etc/nginx/nginx.conf
sudo ln -srf ./nginx/nginx.conf /etc/nginx/

Create and/or modify your configs, check them with nginx -t, and then reload the server.
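A typical conf.d entry for the reverse-proxy role described above, as an added example rather than a file from the lu0/my-server-config repo. It assumes the proxied container publishes its port as 127.0.0.1:8080 in its docker-compose file (ports: "127.0.0.1:8080:80"), so only nginx can reach it; Docker publishes on 0.0.0.0 by default and bypasses the host firewall when it does. The hostnames are placeholders.

```nginx
# Added example, not a file from the lu0/my-server-config repo: proxy
# example.com to a container published only on the loopback interface.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;

    # Do not advertise the nginx version in headers and error pages.
    server_tokens off;

    location / {
        proxy_pass http://127.0.0.1:8080;   # assumed container port

        # Tell the app who really connected and over what scheme; without
        # these every request looks like it came from 127.0.0.1.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Bound request bodies and upstream wait so one client cannot tie
        # up workers indefinitely.
        client_max_body_size 10m;
        proxy_read_timeout   60s;
    }
}

# Catch requests for names you do not serve (scanners hitting the bare IP,
# or any subdomain the wildcard A record resolves) and drop the connection
# instead of handing them to the first application block.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 444;
}
```

Validate with nginx -t before reloading; the default_server block matters here because the wildcard DNS record from section 3.2.1 sends every unknown name to this box.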

License: GNU General Public License v3.0