I’ve been experimenting lately with using DigitalOcean both for remote dev environments (to facilitate development on a Chromebook) and also for staging/testing servers.
The plugin for Vagrant in concert with chef solo makes spinning up and provisioning new instances a breeze, but this post is about going the slightly more manual route, and using one of the application bundles (currently in beta) for Ubuntu 12.04.
These steps are a combination of things I’ve gleaned from various other places and my experience. I make no claim for their soundness.
Create the droplet
Create a new droplet using the Ubuntu 12.04 x32 image (or x64; it shouldn’t matter for our purposes here), and select “LAMP on Ubuntu 12.04” from the Applications tab.
At this point, I’m going to assume that you’ll also add your SSH public keys, so you don’t have to log in with username and password credentials. (If you don’t have an SSH key, here are some instructions for generating one; you can just ignore the git-specific stuff.) An advantage of doing this is that your root password to the new droplet will not be sent over email (because there will be no root password).
When you’ve selected all the options, click “Create Droplet.”
Login and Setup
Droplet creation should take a minute at most, after which you’ll see a screen with various information about your newly created VM, including an IP address. If you specified that your SSH keys should be automatically added, you should be able to SSH in now.
First off, let’s change the default mysql root password as suggested by the login banner (note that the banner may continue to say that the password is still “password” even after you’ve changed it and logged in again):
mysqladmin -u root -p'password' password newpassword
Next, because we began with our SSH keys pre-installed, there’s no root password, so set one by typing `passwd` and following the prompts.
Next we’ll use `apt-get`, the package manager used by Ubuntu, first to update the list of available packages and then to upgrade the installed ones:
Next, install fail2ban, a service that scans logfiles and auto-bans IP addresses that show signs of malicious activity, a good line of defense against crackers:
apt-get install fail2ban
Next, I’ll install my text editor of choice, vim:
apt-get install vim
As well as unzip…
apt-get install unzip
… and ack
apt-get install ack-grep
Adding a user
Because it is, for a variety of reasons, generally not a good idea to do things as root, let’s add a new user: create a home folder for them with the right permissions, copy the contents of root’s authorized_keys file into the new user’s .ssh folder so we can SSH in as that user, give them a password, and set their default shell to bash.
chmod 700 /home/luke/.ssh
And add the contents of the root user’s authorized_keys file to that of the new user (the full path is used so this works regardless of the current directory):
cat /root/.ssh/authorized_keys > /home/luke/.ssh/authorized_keys
chmod 400 /home/luke/.ssh/authorized_keys
chown -R luke:luke /home/luke
chsh -s /bin/bash luke
Now we’ll give that user the ability to run commands as root via `sudo`. Type `visudo`, then enter this line, say, below the similar one for root (it doesn’t actually matter where):
luke ALL=(ALL) ALL
Hit Ctrl-X (the exit key in nano, which `visudo` opens by default on Ubuntu) when done editing.
Now we’ll disable remote root login. Edit the file /etc/ssh/sshd_config with vim, or however you prefer: change “PermitRootLogin yes” to “PermitRootLogin no”, and uncomment the line “#PasswordAuthentication yes” and change it to “no”. This means you can only log in from machines that have your SSH private key. Following that, we need to restart ssh:
service ssh restart
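As an added example (not from the original post), here is a small POSIX shell script that makes the two sshd_config edits above idempotently, handling a directive that is active, commented out, or missing entirely, and then checks the effective values the way sshd reads them (first uncommented occurrence wins). The file path and the sample config contents are assumptions for the demo.

```shell
#!/bin/sh
# Idempotent sshd_config edit: disable root login and password auth.
# Handles the three states a directive can be in: active ("PermitRootLogin yes"),
# commented out ("#PasswordAuthentication yes"), or absent. Needs only sed and
# awk; the FILE argument is the config path (a scratch copy in the demo below).

set_sshd_option() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[#[:space:]]*${key}[[:space:]]" "$file"; then
        # Rewrite every active or commented occurrence so none disagree.
        sed -E "s/^[#[:space:]]*${key}[[:space:]].*/${key} ${value}/" "$file" \
            > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# sshd honours the first uncommented occurrence of a directive; report that.
effective_value() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

harden_sshd_config() {
    set_sshd_option "$1" PermitRootLogin no
    set_sshd_option "$1" PasswordAuthentication no
}

# Returns 0 only when both directives are effectively "no".
sshd_config_hardened() {
    [ "$(effective_value "$1" PermitRootLogin)" = no ] &&
    [ "$(effective_value "$1" PasswordAuthentication)" = no ]
}

# Constructed sample resembling the stock file (not copied from any system).
make_sample_config() {
    cat > "$1" <<'EOF'
Port 22
PermitRootLogin yes
#PasswordAuthentication yes
UsePAM yes
EOF
}

# Demo on a scratch copy; keep a backup before running this on the live file.
demo=$(mktemp)
make_sample_config "$demo"
harden_sshd_config "$demo"
sshd_config_hardened "$demo" && echo "hardened: $(grep -E '^(PermitRootLogin|PasswordAuthentication)' "$demo" | tr '\n' ';')"
rm -f "$demo"
```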
Now we’ll install a firewall to control which ports we allow traffic into. We’ll allow SSH and SFTP (port 22), HTTP (80), and HTTPS (443).
apt-get install ufw
ufw allow 22
ufw allow 80
ufw allow 443
You may get a warning after the last command about this disrupting your SSH session, but since port 22 is already allowed you should be able to ignore it.
Other dev tools
git, rvm + ruby, tmux
apt-get install git
apt-get install tmux
\curl -L https://get.rvm.io | bash -s stable --ruby
These are just some relevant notes and steps I’m including mostly for myself to remember for later:
In some cases you may need FTP and not just SFTP.
apt-get install vsftpd
Edit /etc/vsftpd.conf and change the following lines:
Save the file, and `/etc/init.d/vsftpd restart` then `ufw allow 21`.
Serving a git repository
If you’re serving files directly from a git repository, make sure you aren’t serving .git.