This is a fork of https://github.com/jasonheecs/ubuntu-server-setup with additional customization, including
- setup Hostname
- setup ZSH and ohmyzsh
- install node js and yarn
- python, pip, virtualenvwrapper + some python packages
- simple git customization
- ruby
- VIM (Janus Distribution)
- postgres / postgis
- nginx
- uWSGI
- certbot
- and so much more ...
This is an opinionated setup script to automate the setup and provisioning of Ubuntu servers, primarily biased towards python web applications. It does the following:
- Adds a new user account with sudo access
- Adds a public ssh key for the new user account
- Disables password authentication to the server
- Deny root login to the server
- Setup Uncomplicated Firewall
- Create Swap file based on machine's installed memory
- Setup the timezone for the server (Defaults to "Africa/Lusaka")
- Install Network Time Protocol
- Install ruby
- Setup Python, python3-pip and virtualenvwrapper.
- Setup node and yarn and install some global packages such as commitizen, mdpdf, gulp, sass, etc.
- Setup ZSH and oh-my-zsh with the powerlevel10k theme
- Setup Janus -- a Vim Distribution designed to provide minimal working environment using the most popular plugins and the most common mappings.
- Setup uWSGI
- Setup Nginx and Certbot
- Setup Postgres and PostGIS
- Setup Postfix with either Sendgrid or MailJet
- Plus a whole lot of other things. Have a look at setup.sh for more details.
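One way to check the two SSH items in the list above (password authentication disabled, root login denied) after the script has run. This is an added example, not part of this project's setup.sh; the function names and the sample files are constructed for illustration, and it assumes the files are passed in the order sshd reads them.

```shell
#!/usr/bin/env bash
# Added example: audit sshd_config-style files for the hardening settings
# listed in this README. Function names are illustrative.

# Print the effective global value (lowercased) of a keyword, or nothing.
# Usage: sshd_effective KEYWORD FILE...   (files in the order sshd reads them)
# sshd keeps the FIRST value it obtains for a keyword and keywords are
# case-insensitive. Lines after a "Match" line are conditional, so they are
# skipped up to the end of that file (a simplification).
sshd_effective() {
    local keyword="$1"; shift
    awk -v want="$keyword" '
        FNR == 1             { in_match = 0 }
        NF == 0 || $1 ~ /^#/ { next }          # blank lines and comments
        {
            key = tolower($1)
            if (key == "match") { in_match = 1; next }
            if (in_match) next
            if (key == tolower(want)) { print tolower($2); exit }
        }' "$@"
}

# Return 0 only if both settings are explicitly "no".
# An unset keyword falls back to the sshd default, so it is reported too.
audit_ssh_hardening() {
    local rc=0 pw root
    pw="$(sshd_effective PasswordAuthentication "$@")"
    root="$(sshd_effective PermitRootLogin "$@")"
    [ "$pw" = "no" ]   || { echo "FAIL PasswordAuthentication=${pw:-unset}"; rc=1; }
    [ "$root" = "no" ] || { echo "FAIL PermitRootLogin=${root:-unset}"; rc=1; }
    return "$rc"
}

# Constructed sample: a drop-in file that is read first re-enables passwords,
# so the hardened line in the main file never takes effect.
demo_dir="$(mktemp -d)"
printf 'PasswordAuthentication yes\n' > "$demo_dir/50-dropin.conf"
printf '# main file\nPermitRootLogin no\npasswordauthentication no\nMatch User backup\n  PermitRootLogin yes\n' \
    > "$demo_dir/sshd_config"

audit_ssh_hardening "$demo_dir/sshd_config" \
    && echo "main file alone: hardened"
audit_ssh_hardening "$demo_dir/50-dropin.conf" "$demo_dir/sshd_config" \
    || echo "drop-in read first: NOT hardened"
```

On a live server, `sudo sshd -T` prints the configuration sshd actually resolved, which is the authoritative value to compare against.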
@jasonheecs's original project provides an excellent starting point for provisioning Ubuntu Servers. This fork builds on top of that foundation to develop a heavily opinionated setup for deploying Python web applications. The idea is to be able to quickly set up a Linux box and deploy a Python web application without much of a hassle.
SSH into your server, clone this repository (& submodules) into your home directory, and run the setup script:
cd ~
git clone --recurse-submodules https://github.com/engineervix/ubuntu-server-setup.git \
&& cd ubuntu-server-setup \
&& bash setup.sh
SSH into your server, clone this repository (& submodules) into your home directory, checkout the feature/mailjet branch and run the setup script:
cd ~
git clone --recurse-submodules https://github.com/engineervix/ubuntu-server-setup.git \
&& cd ubuntu-server-setup \
&& git checkout feature/mailjet \
&& bash setup.sh
Note » You might wanna switch to the feature/mailjet version of this README.
⌨️ When the setup script is run, you will be prompted to enter the username and password of the new user account, as well as Global Git Name and E-mail Address.
⌨️ Following that, you will then be prompted to add a public ssh key (which should be from your local machine) for the new account.
You can display it on your local terminal via (assuming it's called id_rsa.pub and it's in the ~/.ssh/ directory. Feel free to change the path / name if you saved it in a different location / named it differently) ...
cat ~/.ssh/id_rsa.pub
... then copy it and paste it in the terminal on your server.
Note » If you don't have an existing key and you would like to generate one, or perhaps you already have one and would like to generate another ssh key from your local machine:
ssh-keygen -t rsa
⌨️ You will further be prompted to specify a timezone for the server. It will be set to 'Africa/Lusaka' if you do not specify a value.
⌨️ When setting up Postfix and configuring System Updates and Notification Settings, you'll be asked for
- the System Administrator's email address (to receive notifications)
- the email address that'll be associated with sending emails. This setup uses Sendgrid, so you need to use a Sendgrid verified email address for this.
This script assumes that the email address you supply is associated with your Sendgrid domain. myhostname is therefore extracted from this email address. So, if your "mail_from" email address is [email protected], then example.co.zm will be used as myhostname in the Postfix setup.
⌨️ You will also have to specify some folder names for
- projects directory (for example, Projects)
- backup directory
- temporary files directory (this is different from /tmp. It's just a folder in the home directory that I tend to use as a working directory while experimenting with things or testing stuff).
These folders are created in the home directory.
⌨️ Towards the end, you will be asked for your password when the script attempts to change the default shell to ZSH as the newly created user.
- Reboot and login as the new user
- Test your email configuration. See example below:
- configure rclone, backup scripts and cron jobs for daily backups
- setup certbot-dns-cloudflare plugin and ensure that your SSL certificates automatically renew. See an example snippet below for obtaining a certificate.
- incorporate Healthchecks.io in your cron jobs
- update TINYPNG_API_KEY and SENDGRID_API_KEY in .zshrc
- setup your projects and deploy
- on Ubuntu 22.04, you'll need to fix your vim config, see amix/vimrc#645 (comment)
Here's an example to test that your email works. I use the awesome mail-tester.com and with this configuration you should get a 10/10 score.
sendmail -f [email protected] [email protected]
From: [email protected]
To: [email protected]
Subject: This looks like a test
Hi there, this is my message, and I am sending it to you!
.
Obtaining an SSL Certificate using the certbot-dns-cloudflare plugin:
sudo certbot certonly \
--dns-cloudflare \
--dns-cloudflare-credentials /path/to/your/cloudflare_configuration.ini \
-d www.example.co.zm \
-d example.co.zm
The upstream version of this setup script has been tested against Ubuntu 14.04, Ubuntu 16.04, Ubuntu 18.04 and Ubuntu 20.04. However, this fork primarily targets Ubuntu 20.04 and Ubuntu 22.04, and has only been tested on:
- official AWS Ubuntu 20.04 AMIs (Amazon EC2 Instances)
- Ubuntu 20.04 droplets on DigitalOcean
- Ubuntu 20.04 and 22.04 cloud servers on Hetzner
Feel free to adapt it to other Ubuntu versions and try it on Linode and other providers. Would appreciate any feedback.
By default, the master branch is designed for installation on DigitalOcean's droplets. If you would like to run this on AWS without problems, you might wanna make a few modifications based on the AWS branch (which I have not updated in a while, since I've been more inclined towards DigitalOcean lately – as of June 2021).
The main difference(s) between DigitalOcean setup and AWS setup:
- Default user: on DigitalOcean, the default user is root, while on AWS, the default user is ubuntu. This affects how certain things are installed, for instance, Janus
- Hostname setup: on DigitalOcean, you can define the hostname when creating the droplet, and a lot of associated settings come preconfigured. On AWS, this has to be done manually. In this script, the setupHostname() function is executed only when installing on AWS. It is totally ignored when installing on a DigitalOcean Droplet (you'll see that it's commented out in the setup.sh script).
Tests are run against a set of Vagrant VMs. To run the tests, run the following in the project's directory:
./tests/tests.sh
- Setup Postfix
- Setup virtualenvwrapper
- automatic updates and system notifications (logs, etc.)
- setup nginx
- setup uWSGI
- Fix broken tests
- Check the git config, I think it doesn't work because the command needs to be run as the new user
- setup pyenv
- minimize / eliminate user input for some operations like Unattended upgrades (#7e0646), Postgres setup (#8b18b7), etc.
- Further server hardening to quench any lurking paranoia 🕵🏿♀️💣🧨
- Continually improve this README
For additional context and rationale behind the project, check out the detailed documentation, which acts as a useful reference not only for those who seek to use the setup script to bootstrap their Ubuntu server, but also for those that would like to fork the project and adapt it to their specific needs, just as I did.
- https://linux-audit.com/ubuntu-server-hardening-guide-quick-and-secure/
- https://www.ubuntu.com/security
- https://www.ncsc.gov.uk/guidance/eud-security-guidance-ubuntu-1804-lts
- https://www.digitalocean.com/community/questions/best-practices-for-hardening-new-sever-in-2017
Thanks goes to these wonderful people (emoji key):
black_sage 💻 🐛
This project follows the all-contributors specification. Contributions of any kind welcome! Please see CONTRIBUTING.md for guidelines on how to contribute.