Table of contents
In this series of articles we’ll setup a single node Docker Swarm server with Traefik in front to proxy traffic to the right service. Then we will prepare a node project and deploy it to the server.
- Part 0 - Get a server
- Part 1 - Setup server. Basic security, install tools etc
- Part 2 - Setup Docker and configure Traefik with Let’s Encrypt
- Part 3 - Manual deploy of a Node.js app
- Part 4 - Automated deploy with CI/CD using Buddy
This is part 1 - Setup server. Basic security, install tools etc
Setup server
This requires a server so if you haven’t got one, go to Part 0 and follow the setup of a Droplet on Digital Ocean or skip it if you have one.
Setup new user
Start by updating the package list.
sudo apt update
And upgrade if necessary
sudo apt upgrade
Now add a new user. I’ll call mine deploy.
useradd deploy
Add home directory for deploy
mkdir /home/deploy
Add .ssh directory for ssh-keys
mkdir /home/deploy/.ssh
Set restricted permissions on directory
chmod 700 /home/deploy/.ssh/
Copy over the ssh-keys from the root user. Only authorized_keys is needed (that is what lets you log in as deploy with the same key you use for root); any private keys in root’s .ssh should stay with root.
cp /root/.ssh/authorized_keys /home/deploy/.ssh/
Set correct permissions on authorized_keys. This has to come after the copy, since chmod fails on a file that does not exist yet.
chmod 400 /home/deploy/.ssh/authorized_keys
Then copy over .bashrc and .profile from root’s home
cp /root/.bashrc /root/.profile /home/deploy/
Add a shell to deploy
usermod -s /bin/bash deploy
Now make sure all files are owned by our new user, deploy
chown -R deploy:deploy /home/deploy
And let’s add a password for our new user
passwd deploy
Sudo
Add user to sudo group
usermod -aG sudo deploy
Let’s check the sudo setup with visudo. On Ubuntu the default rule %sudo ALL=(ALL:ALL) ALL already lets members of the sudo group run any command, so no edit is needed unless you want to change that.
visudo
Test login with deploy user
sudo su deploy
As deploy user you can now try to use sudo
sudo echo "hello"
Now exit back to root user
exit
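The "Setup new user" and "Sudo" steps above collected into one script, as an added example that is not from the original post. It uses useradd -m, which creates the home directory, copies the skeleton dotfiles and sets the shell in one step, and copies only authorized_keys from root. The user name deploy and the key source /root/.ssh/authorized_keys are assumptions. The check_ssh_perms function audits the modes and ownership the post asks for and can be run without root; the root-only setup runs only when the script is called with the argument apply.

```shell
#!/bin/sh
# Added example, not from the original post: the "Setup new user" and
# "Sudo" steps as one script. Assumptions: the user is called deploy and
# root's authorized_keys lives in /root/.ssh/authorized_keys.
set -eu

DEPLOY_USER="${DEPLOY_USER:-deploy}"

# Create the user (home dir, bash shell, skeleton dotfiles, sudo group) and
# copy only root's authorized_keys, with the modes the post asks for.
# Needs root.
setup_deploy_user() {
  user="$1"
  home="/home/$user"
  if ! id "$user" >/dev/null 2>&1; then
    useradd -m -s /bin/bash -G sudo "$user"
  fi
  # install(1) creates the directory/file with owner, group and mode in one go
  install -d -m 700 -o "$user" -g "$user" "$home/.ssh"
  install -m 400 -o "$user" -g "$user" /root/.ssh/authorized_keys "$home/.ssh/authorized_keys"
  echo "user $user created; set a password with: passwd $user"
}

# check_ssh_perms HOME OWNER -> 0 when HOME/.ssh is mode 700, authorized_keys
# is 400 or 600 and both belong to OWNER; prints each problem found otherwise.
# sshd (StrictModes) ignores keys in a directory or file writable by others,
# so a wrong mode here shows up as a silent fallback to password login.
check_ssh_perms() {
  home="$1"
  owner="$2"
  status=0
  if [ ! -d "$home/.ssh" ] || [ ! -f "$home/.ssh/authorized_keys" ]; then
    echo "$home/.ssh or authorized_keys is missing"
    return 1
  fi
  dir_mode=$(stat -c %a "$home/.ssh")
  file_mode=$(stat -c %a "$home/.ssh/authorized_keys")
  [ "$dir_mode" = "700" ] || { echo ".ssh mode is $dir_mode, expected 700"; status=1; }
  case "$file_mode" in
    400|600) ;;
    *) echo "authorized_keys mode is $file_mode, expected 400 or 600"; status=1 ;;
  esac
  for path in "$home/.ssh" "$home/.ssh/authorized_keys"; do
    [ "$(stat -c %U "$path")" = "$owner" ] || { echo "$path is not owned by $owner"; status=1; }
  done
  return $status
}

# Run the root-only setup only when explicitly asked for; otherwise just audit.
if [ "${1:-}" = "apply" ]; then
  setup_deploy_user "$DEPLOY_USER"
fi
if [ -d "/home/$DEPLOY_USER" ]; then
  check_ssh_perms "/home/$DEPLOY_USER" "$DEPLOY_USER" && echo "ssh key permissions OK"
fi
```

Run it as root with `sh setup-deploy.sh apply` to create the user, or without arguments at any later time to re-check that nobody has loosened the permissions on the key file.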
SSH Config
Now we’ll harden the ssh config to NOT allow login as root, and to only allow login with public keys, never with passwords.
Open up sshd_config
vim /etc/ssh/sshd_config
And change these lines to the following.
PermitRootLogin no
PasswordAuthentication no
Check the file for syntax errors, then restart the ssh service for the changes to take effect. Keep your current session open and confirm that a new ssh connection as deploy works before you log out, otherwise a typo here can lock you out.
sshd -t && service ssh restart
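A small checker for the two settings above, added here as an example that is not part of the original post. sshd takes the first uncommented occurrence of a keyword and ignores later ones, and everything after a Match line only applies to that match, so a line appended at the end of sshd_config does not override an earlier "yes" higher up. The functions report the value sshd will actually use; the file paths in the usage line are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: report the values sshd will
# actually use for PermitRootLogin and PasswordAuthentication.
set -eu

# effective_sshd_value FILE KEYWORD -> prints the first value set for KEYWORD
# in the global section of FILE (keyword matching is case-insensitive and the
# optional "Keyword=value" form is accepted); prints "unset" if it never appears.
effective_sshd_value() {
  awk -v key="$2" '
    /^[ \t]*#/ { next }                         # comment line
    /^[ \t]*$/ { next }                         # blank line
    { sub(/=/, " ") }                           # Keyword=value -> Keyword value
    tolower($1) == "match" { exit }             # global section ends here
    tolower($1) == tolower(key) { print $2; found = 1; exit }
    END { if (!found) print "unset" }
  ' "$1"
}

# check_sshd_hardening FILE -> 0 when both settings from the post are in
# effect; prints what is wrong and returns 1 otherwise.
check_sshd_hardening() {
  status=0
  for key in PermitRootLogin PasswordAuthentication; do
    value=$(effective_sshd_value "$1" "$key" | tr 'A-Z' 'a-z')
    if [ "$value" != "no" ]; then
      echo "$key is '$value' (expected no)"
      status=1
    fi
  done
  return $status
}

cfg="${1:-/etc/ssh/sshd_config}"
if [ -r "$cfg" ]; then
  check_sshd_hardening "$cfg" && echo "$cfg: root login and password auth are disabled"
fi
```

Run it against the live file (`sh check-sshd.sh /etc/ssh/sshd_config`) after editing and before restarting: an "unset" result means the keyword is still commented out, which for PasswordAuthentication means the compiled-in default of yes.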
Fail2Ban
Let’s set up fail2ban to automatically ban IPs after repeated unsuccessful login attempts.
sudo apt install fail2ban
We’ll use the standard configuration, so no setup is needed: the Ubuntu package enables the sshd jail out of the box.
UFW - Setup a firewall
UFW comes preinstalled with Ubuntu 18.04 so we’ll just activate it with some simple rules. Allow port 22 before you enable the firewall, or you will lock yourself out of the current session. This will be ok for most servers but if you need other ports open, add them in the same way. One caveat for the Docker parts that follow: Docker publishes container ports through its own iptables rules, which are evaluated ahead of UFW’s, so a port published with -p is reachable from outside even when UFW has no rule for it. Bind such ports to 127.0.0.1 or leave them unpublished when they should stay internal.
sudo ufw allow 22
sudo ufw allow 80
sudo ufw allow 443
sudo ufw disable
sudo ufw enable
Install Docker
For the other parts in this series, Docker is required so lets install it!
Add necessary packages
sudo apt install -y apt-transport-https software-properties-common ca-certificates curl wget
Then add the GPG key for the official Docker repository to your system. wget needs -O- to write the key to standard output; without it the key is saved to a file and nothing is piped into apt-key.
wget -qO- https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
Add the Docker repo to your apt-sources
echo "deb [arch=amd64] https://download.docker.com/linux/ubuntu bionic stable" | sudo tee /etc/apt/sources.list.d/docker.list
Update package list
sudo apt update
Next up, make sure apt will get docker-ce from the Docker repo and not the Ubuntu repo: the Candidate version in the output, and the source line listed under it in the version table, should point at download.docker.com.
sudo apt-cache policy docker-ce
Install docker
sudo apt -y install docker-ce
Start docker
sudo systemctl start docker
And enable the docker-daemon to start at boot
sudo systemctl enable docker
Add the deploy user to the docker group (-aG means append the user to the listed group). Keep in mind that membership of the docker group is equivalent to root on the host, since a member can start containers that mount the host filesystem.
sudo usermod -aG docker deploy
And check to see if it’s working. Group membership only applies to new logins, so log out and back in as deploy first (or run the check as root).
docker ps -a
Docker-compose
Now lets install docker-compose.
Grab it from the GitHub releases page. Check the repo to see which version is the latest; at this time it’s 1.22.0.
sudo curl -L https://github.com/docker/compose/releases/download/1.22.0/docker-compose-$(uname -s)-$(uname -m) -o /usr/local/bin/docker-compose
Make it executable
sudo chmod +x /usr/local/bin/docker-compose
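The two steps in this section that the post leaves to the eye, checking that apt takes docker-ce from download.docker.com and installing the docker-compose binary, as a script that does the checking itself. This is an added example, not code from the original post or from the Docker project. It parses saved apt-cache policy output, and it refuses to install a compose binary whose SHA-256 does not match the .sha256 file published next to it on the GitHub release; that the release carries such a file, and the version 1.22.0, are assumptions taken from the post.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: the compose
# release publishes a <binary>.sha256 file next to each binary, and the
# version is the 1.22.0 named in the post.
set -eu

COMPOSE_VERSION="${COMPOSE_VERSION:-1.22.0}"
COMPOSE_BASE="https://github.com/docker/compose/releases/download/$COMPOSE_VERSION"

# candidate_source POLICY_FILE -> prints the repository URL that apt would
# install the candidate version from, given saved "apt-cache policy" output.
candidate_source() {
  awk '
    $1 == "Candidate:" { cand = $2; next }
    # the version table lists each version ("***" marks the installed one),
    # followed by indented "PRIORITY URL suite arch Packages" source lines
    cand != "" && cand != "(none)" && ($1 == cand || ($1 == "***" && $2 == cand)) { want = 1; next }
    want && $2 ~ /^https?:\/\// { print $2; exit }
  ' "$1"
}

# check_docker_source POLICY_FILE -> 0 when docker-ce would come from
# download.docker.com rather than the Ubuntu archive.
check_docker_source() {
  src=$(candidate_source "$1")
  case "$src" in
    https://download.docker.com/*) return 0 ;;
    *) echo "docker-ce candidate would come from '${src:-nowhere}', not download.docker.com"; return 1 ;;
  esac
}

# verify_sha256 FILE EXPECTED_HEX -> 0 when FILE's SHA-256 equals EXPECTED_HEX.
verify_sha256() {
  actual=$(sha256sum "$1" | awk '{ print $1 }')
  [ "$actual" = "$2" ]
}

# install_compose DEST -> downloads the binary and its .sha256 file and
# installs the binary only if the digest matches. Needs root for /usr/local/bin.
install_compose() {
  dest="$1"
  name="docker-compose-$(uname -s)-$(uname -m)"
  tmp=$(mktemp -d)
  curl -fsSL "$COMPOSE_BASE/$name" -o "$tmp/$name"
  curl -fsSL "$COMPOSE_BASE/$name.sha256" -o "$tmp/$name.sha256"
  expected=$(awk '{ print $1 }' "$tmp/$name.sha256")
  if verify_sha256 "$tmp/$name" "$expected"; then
    install -m 755 "$tmp/$name" "$dest"
    echo "installed $name to $dest"
  else
    echo "checksum mismatch for $name, not installing" >&2
    rm -rf "$tmp"
    return 1
  fi
  rm -rf "$tmp"
}

case "${1:-}" in
  policy)  tmp=$(mktemp); apt-cache policy docker-ce > "$tmp"; check_docker_source "$tmp" && echo "apt source OK"; rm -f "$tmp" ;;
  compose) install_compose /usr/local/bin/docker-compose ;;
  *)       echo "usage: $0 policy|compose" ;;
esac
```

`sh docker-checks.sh policy` replaces reading the apt-cache output by eye, and `sudo sh docker-checks.sh compose` replaces the bare curl and chmod above with a download that is only installed when its published digest matches.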
Next steps
And that’s it! We now have set up a server with basic security and installed Docker. Next step is to configure and set up Traefik, our reverse proxy.