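#!/usr/bin/env bash
# system.sh - first-boot provisioning for a "mol" host.
#
# Usage: system.sh <hostname> <moluser-password>
#
# Must run as root. In order: sets the hostname, creates the admin user
# "moluser", installs the service stack, configures ufw plus the Docker
# forwarding firewall, prepares the www-data account as an SSH target for
# cloud-init driven deploys, tightens sshd logging, and installs the
# sudoers grants the deploy flow needs. Steps the original only noted
# (node exporter, mariadb bind address, repo clone, nginx/supervisor
# config) are left as TODO comments rather than guessed at.
#
# SECURITY NOTES - read before running:
#   * $2 is the moluser password. Anything passed on argv is visible in
#     `ps` and lands in shell history; invoke this from tooling that does
#     not log arguments, or wrap the call with `read -rs`.
#   * The sudoers drop-in gives www-data passwordless docker/docker-compose
#     as root. That is root-equivalent (e.g. `docker run -v /:/host`), so a
#     compromise of any web app running as www-data is a compromise of the
#     host. It is kept because the cloud-init deploy relies on it; revisit.
#   * `chown -R www-data /var/www` makes the whole docroot writable by the
#     web server user, which is what lets a dropped webshell persist. Again
#     kept for the deploy flow; consider a separate deploy user later.
set -euo pipefail

if [[ "$#" -ne 2 ]]; then
  printf 'Usage: %s <hostname> <moluser-password>\n' "$0" >&2
  exit 1
fi
if [[ "$(id -u)" -ne 0 ]]; then
  printf '%s: must be run as root\n' "$0" >&2
  exit 1
fi

new_hostname=$1
moluser_password=$2
readonly new_hostname moluser_password

#--- system init --------------------------------------------------------------
hostnamectl set-hostname "$new_hostname"
# Plain `adduser` prompts interactively; --disabled-password/--gecos make it
# scriptable, and chpasswd sets the real password right after so the account
# is never left without one. Guarded so a re-run does not abort on "exists".
if ! id moluser >/dev/null 2>&1; then
  adduser --disabled-password --gecos "" moluser
fi
usermod -aG sudo moluser
printf 'moluser:%s\n' "$moluser_password" | chpasswd

#--- packages -----------------------------------------------------------------
export DEBIAN_FRONTEND=noninteractive
apt-get update
# NOTE(review): on Debian/Ubuntu the engine package is normally `docker.io`;
# confirm that `docker` resolves to the engine on the target release (it has
# been an unrelated tray-applet package on older ones). Kept as written.
apt-get install -y mc nginx docker docker-compose composer npm mariadb-server ufw
# Global npm install pulls the latest from the public registry; pin a version
# here if builds must be reproducible (supply-chain).
npm install -g typescript

#--- firewall -----------------------------------------------------------------
# ufw evaluates rules in order, first match wins. The original put
# `limit 22/tcp` *after* `allow ... port 22`, so the rate limit never matched
# on eth0, and `default allow incoming` left every other interface wide open.
# Now: default deny, rate-limited SSH on eth0, nothing else in on eth0, and
# the 10.16.0.0/16 management range admitted on the other interfaces (same
# relative order as before, so eth0 still does not accept it).
#ufw --force reset
ufw default deny incoming
ufw default allow outgoing
ufw limit in on eth0 proto tcp to any port 22 comment "Rate limit SSH"
ufw deny in on eth0
ufw allow from 10.16.0.0/16
# --force: plain `enable` prompts when run over SSH and would hang the script.
ufw --force enable

#--- docker: no forwarding into containers from eth0 --------------------------
# Published container ports bypass ufw (Docker inserts its own FORWARD rules),
# so the restriction has to live in DOCKER-USER - a chain that only exists
# once the engine is running. Replies to container-initiated connections also
# traverse FORWARD arriving on eth0, so a bare `-i eth0 -j DROP` would cut the
# containers off from the outside; accept RELATED,ESTABLISHED ahead of it.
# NOTE: these iptables rules are not persisted across reboots - carry them
# into /etc/ufw/after.rules or iptables-persistent.
systemctl enable --now docker
iptables -I DOCKER-USER -i eth0 -j DROP
iptables -I DOCKER-USER -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
ufw status numbered

#--- TODO: run node exporter and register the host in cerberus prometheus -----

#--- TODO: mariadb config ----------------------------------------------------
# The original note says `bind_address = 0.0.0.0`. That exposes MariaDB on
# every interface and leans entirely on ufw; bind to the private address (or
# 127.0.0.1) and keep the firewall rule as defence in depth.

#--- www-data: SSH identity for cloud-init driven deploys ---------------------
mkdir -p /var/www/.ssh
chown -R www-data:www-data /var/www
# sshd StrictModes refuses keys from a group/world-writable ~/.ssh.
chmod 700 /var/www/.ssh
if [[ ! -f /var/www/.ssh/id_rsa ]]; then
  # ed25519 would be preferable, but the deploy notes reference id_rsa.pub.
  # Guarded so a re-run does not hit ssh-keygen's overwrite prompt.
  sudo -u www-data ssh-keygen -t rsa -b 4096 -N "" -f /var/www/.ssh/id_rsa
fi
# www-data needs a real shell to be an SSH target. This widens what an
# attacker gets from a web-app compromise (an interactive shell plus the
# sudoers grants below); the old `sed` on /etc/passwd did the same thing.
usermod -s /bin/bash www-data

#--- sshd logging -----------------------------------------------------------
# Drop existing (possibly commented-out) directives, then append ours.
# LogLevel VERBOSE records the fingerprint of every key that authenticates.
# CAVEAT: appended lines land after any trailing `Match` block and would then
# apply only to it; Debian's stock sshd_config has none uncommented.
sed -i '/^#\?\(PrintLastLog\|LogLevel\|X11Forwarding\)\b/d' /etc/ssh/sshd_config
printf '%s\n' 'PrintLastLog yes' 'LogLevel VERBOSE' 'X11Forwarding no' \
  >> /etc/ssh/sshd_config
# Validate before restarting: ufw is already live, so a broken sshd_config
# here means losing remote access to the box.
sshd -t
systemctl restart sshd

#--- sudoers: www-data may drive docker/nginx for deploys ---------------------
# WARNING: passwordless docker/docker-compose as root is root-equivalent.
sudoers_tmp=$(mktemp)
trap 'rm -f -- "$sudoers_tmp"' EXIT
printf '%s\n' \
  'www-data ALL=(ALL) NOPASSWD: /usr/bin/docker' \
  'www-data ALL=(ALL) NOPASSWD: /usr/sbin/nginx' \
  'www-data ALL=(ALL) NOPASSWD: /usr/bin/docker-compose' > "$sudoers_tmp"
# A syntax error in sudoers.d breaks sudo for every user; check it first.
visudo -cf "$sudoers_tmp"
install -o root -g root -m 440 "$sudoers_tmp" /etc/sudoers.d/01-www-cloud-permissions

#--- deploy key exchange ------------------------------------------------------
# 1. Add /var/www/.ssh/id_rsa.pub as an access key on the Bitbucket repository.
# 2. Put the cloud server's public key into /var/www/.ssh/authorized_keys.
#    The original `sudo -u www-data echo ... > file` did the redirect as root
#    (sudo never sees the `>`), so the file was created by root; write it with
#    explicit ownership instead. The key value was redacted from the source
#    this was taken from, so it is a placeholder here and the step is skipped
#    until it is filled in.
cloud_server_pubkey='ssh-rsa <CLOUD_SERVER_PUBLIC_KEY> www-data@mol-public'
if [[ "$cloud_server_pubkey" == *'<'* ]]; then
  printf 'warning: cloud_server_pubkey is still a placeholder; skipping authorized_keys\n' >&2
else
  printf '%s\n' "$cloud_server_pubkey" > /var/www/.ssh/authorized_keys
  chown www-data:www-data /var/www/.ssh/authorized_keys
  chmod 600 /var/www/.ssh/authorized_keys
fi

#--- repos init -------------------------------------------------------------
mkdir -p /srv/www /srv/docker/clients
chown -R www-data:www-data /srv/www /srv/docker
# TODO: clone the repos (alfa + websocket host) as www-data
# TODO: template the .env used for building
# TODO: nginx config for the websocket service
# Test the config before reloading so a bad vhost does not take nginx down.
nginx -t
nginx -s reload
# TODO: supervisor config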