
system.sh


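#!/usr/bin/env bash
# Alfa PROD node bootstrap, part 1: hostname, admin user, packages, host firewall.
# Usage: system.sh <servername> <mol-user-password>
# Must run as root (hostnamectl, adduser, apt, ufw and iptables all need it).
# NOTE: the password arrives as a command-line argument, so it is visible in
# shell history and in `ps` for the lifetime of the script.
set -euo pipefail

#system init
if [[ "$#" -ne 2 ]]; then
	echo "Usage: $0 <servername> <mol-user-password>" >&2
	exit 1
fi
if [[ "$(id -u)" -ne 0 ]]; then
	echo "$0: must be run as root" >&2
	exit 1
fi

hostnamectl set-hostname "$1"
# --disabled-password/--gecos keep adduser non-interactive; the password is set
# right afterwards via chpasswd.
adduser --disabled-password --gecos "" moluser
usermod -aG sudo moluser
printf '%s\n' "moluser:$2" | chpasswd

#packages install
# NOTE(review): on Debian/Ubuntu confirm that "docker" resolves to the engine
# package (docker.io / docker-ce) and not an unrelated package of the same name.
apt install mc nginx docker docker-compose composer npm mariadb-server -y
npm install -g typescript

#firewall install & enable
apt install ufw -y
#ufw reset -y
# Policy: eth0 (public) is closed except SSH; every other interface is open
# (default allow), which covers the private 10.16.0.0/16 network and any
# interface that appears later (e.g. docker bridges) — those are treated as
# trusted.
ufw default allow incoming
ufw default allow outgoing
# "limit" both allows and rate-limits. ufw evaluates rules in order, so the
# eth0 port-22 rule itself has to be the limit rule: a plain "allow" here would
# match first and the generic "limit 22/tcp" below would never apply to eth0.
ufw limit in on eth0 proto tcp to any port 22 comment "Rate limit SSH"
ufw deny in on eth0
ufw allow from 10.16.0.0/16
# Rate-limit SSH on the remaining (non-eth0) interfaces as well.
ufw limit 22/tcp comment "Rate limit SSH"
# --force skips the "may disrupt existing ssh connections" prompt so the script
# runs unattended.
ufw --force enable
#docker eth0 connections disable
# Published container ports are forwarded traffic and bypass ufw's INPUT rules;
# DOCKER-USER is the hook Docker leaves for host policy. Drop inbound from eth0
# but keep replies to container-initiated connections (RELATED,ESTABLISHED)
# flowing — a bare DROP on -i eth0 also discards those replies and containers
# lose outbound access. Both rules are inserted at the top, so the ACCEPT ends
# up before the DROP. They are not persistent across reboots — TODO confirm how
# this node restores them.
if iptables -nL DOCKER-USER >/dev/null 2>&1; then
	iptables -I DOCKER-USER -i eth0 -j DROP
	iptables -I DOCKER-USER -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
else
	echo "warning: DOCKER-USER chain not present (is docker running?); docker eth0 rule skipped" >&2
fi
ufw status numbered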


#node exporter run + cerberus prometheus add



#mariadb config
set `bind-address = 0.0.0.0` in the MariaDB server config so it listens on all interfaces (eth0 stays blocked by the ufw rules above, so only the 10.16.0.0/16 network reaches it)

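#remote config for cloud init
# Deploy key for www-data: generated without a passphrase on purpose so that
# unattended pulls work; it is protected by filesystem permissions only.
mkdir -p /var/www/.ssh
chown -R www-data:www-data /var/www
chmod 700 /var/www/.ssh
# Skip generation on re-run; ssh-keygen would otherwise prompt to overwrite.
[[ -f /var/www/.ssh/id_rsa ]] || sudo -u www-data ssh-keygen -t rsa -N "" -f /var/www/.ssh/id_rsa
# www-data gets a login shell because the cloud server ssh's in as it. Together
# with the passwordless docker sudo below this makes www-data root-equivalent:
# anything that can run code as www-data (nginx, a web app) can escalate.
sudo usermod -s /bin/bash www-data

#sudo sed -i 's#www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin#www-data:x:33:33:www-data:/var/www:/bin/bash#' /etc/passwd
#logging
# Delete any existing (possibly commented-out) PrintLastLog/LogLevel/
# X11Forwarding lines, then append the wanted values at end of file.
sudo sed -i '/^#\?\(PrintLastLog\|LogLevel\|X11Forwarding\)/d; $a\
PrintLastLog yes\
LogLevel VERBOSE\
X11Forwarding no' /etc/ssh/sshd_config
# Validate before restarting: a broken sshd_config would leave the node
# without SSH access.
if ! sshd -t; then
	echo "sshd_config failed validation; not restarting sshd" >&2
	exit 1
fi
systemctl restart sshd

# Passwordless sudo for the three commands the deploy flow needs (docker and
# docker-compose are root-equivalent regardless of the restriction).
sudoers_file=/etc/sudoers.d/01-www-cloud-permissions
printf '%s\n' \
	"www-data ALL=(ALL) NOPASSWD: /usr/bin/docker" \
	"www-data ALL=(ALL) NOPASSWD: /usr/sbin/nginx" \
	"www-data ALL=(ALL) NOPASSWD: /usr/bin/docker-compose" | sudo tee "$sudoers_file"
sudo chmod 440 "$sudoers_file"
# visudo -cf parses the fragment; sudo silently ignores a broken one, so catch
# it here rather than at the first deploy.
if ! sudo visudo -cf "$sudoers_file"; then
	echo "invalid sudoers fragment, removing $sudoers_file" >&2
	sudo rm -f -- "$sudoers_file"
	exit 1
fi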








Register /var/www/.ssh/id_rsa.pub with the Bitbucket repository, and add the cloud server's public key to /var/www/.ssh/authorized_keys.

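# Authorize the cloud server's key for www-data. In the original form
# "sudo -u www-data echo ... > file" the redirection is performed by the calling
# shell (root), so the sudo had no effect; write through tee as www-data
# instead and pin the permissions sshd's StrictModes expects. The key body on
# this page is a placeholder — substitute the cloud server's real public key.
printf '%s\n' "ssh-rsa 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 www-data@mol-public" \
	| sudo -u www-data tee /var/www/.ssh/authorized_keys >/dev/null
chmod 600 /var/www/.ssh/authorized_keys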

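#repos init
# -p makes this idempotent on re-run; /srv/docker/clients creates /srv/docker too.
mkdir -p /srv/www /srv/docker/clients
chown -R www-data:www-data /srv/www /srv/docker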

#get repos (alfa + websocket host)

#template .env set for building

#repos init


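#nginx config for websocket service
# Test the config first: on reload the running master silently keeps the old
# config when the new one is invalid, which hides the mistake.
if nginx -t; then
	nginx -s reload
else
	echo "nginx config test failed; not reloading" >&2
	exit 1
fi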

#supervisor config