add hetzner_cloud deployment folder, simplify config

This commit is contained in:
einhorn_b 2024-01-04 17:36:44 +01:00
parent 9e11c66ee4
commit 5d70c5e063
11 changed files with 403 additions and 230 deletions


@ -1,45 +1,25 @@
GRADIDO_LOG_PATH=/home/gradido/gradido/deployment/bare_metal/log
# start script
DEPLOY_SEED_DATA=false
# nginx
NGINX_REWRITE_LEGACY_URLS=true
NGINX_SSL=true
NGINX_SERVER_NAME=stage1.gradido.net
NGINX_SSL_CERTIFICATE=/etc/letsencrypt/live/stage1.gradido.net/fullchain.pem
NGINX_SSL_CERTIFICATE_KEY=/etc/letsencrypt/live/stage1.gradido.net/privkey.pem
NGINX_SSL_DHPARAM=/etc/letsencrypt/ssl-dhparams.pem
NGINX_SSL_INCLUDE=/etc/letsencrypt/options-ssl-nginx.conf
NGINX_UPDATE_PAGE_ROOT=/home/gradido/gradido/deployment/bare_metal/nginx/update-page
# webhook
WEBHOOK_GITHUB_SECRET=secret
WEBHOOK_GITHUB_BRANCH=master
# community
COMMUNITY_NAME="Gradido Development Stage1"
COMMUNITY_URL=https://stage1.gradido.net/
COMMUNITY_REGISTER_URL=https://stage1.gradido.net/register
COMMUNITY_REDEEM_URL=https://stage1.gradido.net/redeem/{code}
COMMUNITY_REDEEM_CONTRIBUTION_URL=https://stage1.gradido.net/redeem/CL-{code}
COMMUNITY_DESCRIPTION="Gradido Development Stage1 Test Community"
# Need to adjust!
COMMUNITY_NAME="Your community name"
COMMUNITY_DESCRIPTION="Short Description from your Community."
COMMUNITY_URL=gddhost.tld
COMMUNITY_SUPPORT_MAIL=support@supportmail.com
# backend
# Need to adjust by updates
# config versions
DATABASE_CONFIG_VERSION=v1.2022-03-18
BACKEND_CONFIG_VERSION=v17.2023-07-03
FRONTEND_CONFIG_VERSION=v4.2022-12-20
ADMIN_CONFIG_VERSION=v1.2022-03-18
FEDERATION_CONFIG_VERSION=v1.2023-01-09
FEDERATION_DHT_CONFIG_VERSION=v3.2023-04-26
JWT_EXPIRES_IN=10m
GDT_API_URL=https://gdt.gradido.net
TYPEORM_LOGGING_RELATIVE_PATH=../deployment/bare_metal/log/typeorm.backend.log
KLICKTIPP=false
KLICKTIPP_USER=
KLICKTIPP_PASSWORD=
KLICKTIPP_APIKEY_DE=
KLICKTIPP_APIKEY_EN=
# Need adjustments for test system
URL_PROTOCOL=https
# start script
# only for test server
DEPLOY_SEED_DATA=false
# setup email account for sending gradido system messages to users
EMAIL=true
EMAIL_TEST_MODUS=false
EMAIL_TEST_RECEIVER=test_team@gradido.net
@ -47,41 +27,57 @@ EMAIL_USERNAME=peter@lustig.de
EMAIL_SENDER=peter@lustig.de
EMAIL_PASSWORD=1234
EMAIL_SMTP_URL=smtp.lustig.de
EMAIL_LINK_VERIFICATION=https://stage1.gradido.net/checkEmail/{optin}{code}
EMAIL_LINK_SETPASSWORD=https://stage1.gradido.net/reset-password/{optin}
EMAIL_LINK_FORGOTPASSWORD=https://stage1.gradido.net/forgot-password
EMAIL_LINK_OVERVIEW=https://stage1.gradido.net/overview
EMAIL_CODE_VALID_TIME=1440
EMAIL_CODE_REQUEST_TIME=10
WEBHOOK_ELOPAGE_SECRET=secret
# Logging
GRADIDO_LOG_PATH=/home/gradido/gradido/deployment/bare_metal/log
TYPEORM_LOGGING_RELATIVE_PATH=/home/gradido/gradido/deployment/bare_metal/log/typeorm.backend.log
# webhook
WEBHOOK_GITHUB_SECRET=secret
WEBHOOK_GITHUB_BRANCH=master
# frontend and admin paths, usually don't need changes
# used in nginx config and for links in emails
WALLET_PATH=/login
COMMUNITY_REGISTER_PATH=/register
COMMUNITY_REDEEM_PATH=/redeem/{code}
COMMUNITY_REDEEM_CONTRIBUTION_PATH=/redeem/CL-{code}
WALLET_AUTH_PATH=/authenticate?token={token}
EMAIL_LINK_VERIFICATION=/checkEmail/{optin}{code}
EMAIL_LINK_SETPASSWORD=/reset-password/{optin}
EMAIL_LINK_FORGOTPASSWORD=/forgot-password
EMAIL_LINK_OVERVIEW=/overview
ADMIN_AUTH_PATH=/admin/authenticate?token={token}
GRAPHQL_PATH=/graphql
# login expire time
JWT_EXPIRES_IN=10m
# Federation
FEDERATION_DHT_CONFIG_VERSION=v3.2023-04-26
# if you set the value of FEDERATION_DHT_TOPIC, the DHT hyperswarm will start to announce and listen
# on an hash created from this topic
# FEDERATION_DHT_TOPIC=GRADIDO_HUB
# FEDERATION_DHT_SEED=64ebcb0e3ad547848fef4197c6e2332f
FEDERATION_COMMUNITY_URL=http://stage1.gradido.net
# the api port is the baseport, which will be added with the api-version, e.g. 1_0 = 5010
FEDERATION_COMMUNITY_API_PORT=5000
FEDERATION_CONFIG_VERSION=v1.2023-01-09
# comma separated list of api-versions, which cause starting several federation modules
FEDERATION_COMMUNITY_APIS=1_0,1_1
# database
DATABASE_CONFIG_VERSION=v1.2022-03-18
# externe gradido services (more added in future)
GDT_API_URL=https://gdt.gradido.net
# frontend
FRONTEND_CONFIG_VERSION=v4.2022-12-20
# used for combining a newsletter on klicktipp with this gradido community
# if used, user will be subscribed on register and can unsubscribe in his account
KLICKTIPP=false
KLICKTIPP_USER=
KLICKTIPP_PASSWORD=
KLICKTIPP_APIKEY_DE=
KLICKTIPP_APIKEY_EN=
GRAPHQL_URI=https://stage1.gradido.net/graphql
ADMIN_AUTH_URL=https://stage1.gradido.net/admin/authenticate?token={token}
DEFAULT_PUBLISHER_ID=2896
META_URL=http://localhost
# Meta data in frontend pages, important when shared via facebook or twitter or for search engines
META_TITLE_DE="Gradido Dein Dankbarkeitskonto"
META_TITLE_EN="Gradido - Your gratitude account"
META_DESCRIPTION_DE="Dankbarkeit ist die Währung der neuen Zeit. Immer mehr Menschen entfalten ihr Potenzial und gestalten eine gute Zukunft für alle."
@ -90,8 +86,11 @@ META_KEYWORDS_DE="Grundeinkommen, Währung, Dankbarkeit, Schenk-Ökonomie, Natü
META_KEYWORDS_EN="Basic Income, Currency, Gratitude, Gift Economy, Natural Economy of Life, Economy, Ecology, Potential Development, Giving and Thanking, Cycle of Life, Monetary System"
META_AUTHOR="Bernd Hückstädt - Gradido-Akademie"
# admin
ADMIN_CONFIG_VERSION=v1.2022-03-18
# update page shown while updating gradido
# page will be fed with status changes
NGINX_UPDATE_PAGE_ROOT=/home/gradido/gradido/deployment/bare_metal/nginx/update-page
WALLET_AUTH_URL=https://stage1.gradido.net/authenticate?token={token}
WALLET_URL=https://stage1.gradido.net/login
# LEGACY
NGINX_REWRITE_LEGACY_URLS=false
DEFAULT_PUBLISHER_ID=2896
WEBHOOK_ELOPAGE_SECRET=secret
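Review bot: The credential-like settings keep placeholder values on the new side — `WEBHOOK_GITHUB_SECRET=secret`, `EMAIL_PASSWORD=1234` and `WEBHOOK_ELOPAGE_SECRET=secret` here at the end — and none of them sit under the new `# Need to adjust!` marker that flags COMMUNITY_NAME/URL/SUPPORT_MAIL, while the README added in this commit copies this file straight to `.env`. A deployment that follows the README therefore runs with a guessable webhook secret unless the operator notices on their own. Either leave the values empty (`WEBHOOK_GITHUB_SECRET=`) so a missing secret is noticed at deploy time, or move them under `# Need to adjust!` with a comment such as `# generate with: openssl rand -hex 32`. FEDERATION_COMMUNITY_URL in the middle hunk still reads `http://stage1.gradido.net` although COMMUNITY_URL became the `gddhost.tld` placeholder and the scheme moved to URL_PROTOCOL; presumably it should follow the same convention.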


@ -0,0 +1,118 @@
<mxfile host="65bd71144e">
<diagram id="q0c1bfTOSmR5BH1DDDeU" name="Page-1">
<mxGraphModel dx="874" dy="1662" grid="1" gridSize="10" guides="1" tooltips="1" connect="1" arrows="1" fold="1" page="1" pageScale="1" pageWidth="850" pageHeight="1100" math="0" shadow="0">
<root>
<mxCell id="0"/>
<mxCell id="1" parent="0"/>
<mxCell id="2" value="Physical Server" style="swimlane;whiteSpace=wrap;html=1;" vertex="1" parent="1">
<mxGeometry x="15" y="40" width="410" height="420" as="geometry"/>
</mxCell>
<mxCell id="3" value="mariadb&lt;br&gt;port: 3306" style="shape=datastore;whiteSpace=wrap;html=1;" vertex="1" parent="2">
<mxGeometry x="165" y="350" width="60" height="60" as="geometry"/>
</mxCell>
<mxCell id="4" value="nginx" style="swimlane;whiteSpace=wrap;html=1;startSize=23;" vertex="1" parent="2">
<mxGeometry x="60" y="20" width="230" height="110" as="geometry"/>
</mxCell>
<mxCell id="5" value="port 80: redirect to port 443" style="text;html=1;align=center;verticalAlign=middle;resizable=0;points=[];autosize=1;strokeColor=none;fillColor=none;" vertex="1" parent="4">
<mxGeometry x="-5" y="30" width="170" height="30" as="geometry"/>
</mxCell>
<mxCell id="6" value="port 443: using ssl encryption" style="text;html=1;align=center;verticalAlign=middle;resizable=0;points=[];autosize=1;strokeColor=none;fillColor=none;" vertex="1" parent="4">
<mxGeometry x="-5" y="60" width="180" height="30" as="geometry"/>
</mxCell>
<mxCell id="28" value="" style="endArrow=classic;html=1;entryX=0.5;entryY=0;entryDx=0;entryDy=0;" edge="1" parent="4" target="15">
<mxGeometry relative="1" as="geometry">
<mxPoint x="45" y="110" as="sourcePoint"/>
<mxPoint x="145" y="90" as="targetPoint"/>
</mxGeometry>
</mxCell>
<mxCell id="29" value="/&lt;span style=&quot;color: rgb(36, 41, 46); font-family: &amp;quot;Droid Sans Mono&amp;quot;, &amp;quot;monospace&amp;quot;, monospace; font-size: 14px;&quot;&gt;graphql&lt;/span&gt;" style="edgeLabel;resizable=0;html=1;align=center;verticalAlign=middle;" connectable="0" vertex="1" parent="28">
<mxGeometry relative="1" as="geometry"/>
</mxCell>
<mxCell id="41" style="edgeStyle=none;html=1;" edge="1" parent="2" source="15">
<mxGeometry relative="1" as="geometry">
<mxPoint x="185" y="350" as="targetPoint"/>
</mxGeometry>
</mxCell>
<mxCell id="15" value="Backend&lt;br&gt;runs on port: 4000" style="shape=process;whiteSpace=wrap;html=1;backgroundOutline=1;" vertex="1" parent="2">
<mxGeometry x="10" y="170" width="120" height="60" as="geometry"/>
</mxCell>
<mxCell id="17" value="frontend&lt;br&gt;static files server&lt;br&gt;port: 3000" style="shape=process;whiteSpace=wrap;html=1;backgroundOutline=1;" vertex="1" parent="2">
<mxGeometry x="125" y="210" width="120" height="40" as="geometry"/>
</mxCell>
<mxCell id="18" value="admin&lt;br&gt;static files server&lt;br&gt;port: 8080" style="shape=process;whiteSpace=wrap;html=1;backgroundOutline=1;" vertex="1" parent="2">
<mxGeometry x="290" y="190" width="120" height="60" as="geometry"/>
</mxCell>
<mxCell id="40" style="edgeStyle=none;html=1;" edge="1" parent="2" source="19">
<mxGeometry relative="1" as="geometry">
<mxPoint x="165" y="370" as="targetPoint"/>
</mxGeometry>
</mxCell>
<mxCell id="19" value="dht-node&lt;br&gt;use his own system" style="shape=process;whiteSpace=wrap;html=1;backgroundOutline=1;" vertex="1" parent="2">
<mxGeometry x="10" y="320" width="120" height="60" as="geometry"/>
</mxCell>
<mxCell id="39" style="edgeStyle=none;html=1;entryX=0.85;entryY=0.05;entryDx=0;entryDy=0;entryPerimeter=0;" edge="1" parent="2" source="21" target="3">
<mxGeometry relative="1" as="geometry"/>
</mxCell>
<mxCell id="21" value="Federation&lt;br&gt;on port per version" style="shape=process;whiteSpace=wrap;html=1;backgroundOutline=1;" vertex="1" parent="2">
<mxGeometry x="215" y="260" width="120" height="60" as="geometry"/>
</mxCell>
<mxCell id="30" value="/&lt;br&gt;" style="endArrow=classic;html=1;" edge="1" parent="2" target="17">
<mxGeometry relative="1" as="geometry">
<mxPoint x="155" y="130" as="sourcePoint"/>
<mxPoint x="305" y="150" as="targetPoint"/>
</mxGeometry>
</mxCell>
<mxCell id="31" value="/" style="edgeLabel;resizable=0;html=1;align=center;verticalAlign=middle;" connectable="0" vertex="1" parent="30">
<mxGeometry relative="1" as="geometry"/>
</mxCell>
<mxCell id="9" value="" style="endArrow=classic;html=1;" edge="1" parent="1" source="13" target="2">
<mxGeometry relative="1" as="geometry">
<mxPoint x="210" y="20" as="sourcePoint"/>
<mxPoint x="500" y="290" as="targetPoint"/>
</mxGeometry>
</mxCell>
<mxCell id="10" value="Extern Request&lt;br&gt;- webbrowser with frontend running&lt;br&gt;- webbrowser with admin running&lt;br&gt;- backend&lt;br&gt;- federation" style="edgeLabel;resizable=0;html=1;align=center;verticalAlign=middle;" connectable="0" vertex="1" parent="9">
<mxGeometry relative="1" as="geometry"/>
</mxCell>
<mxCell id="11" value="Source" style="edgeLabel;resizable=0;html=1;align=left;verticalAlign=bottom;" connectable="0" vertex="1" parent="9">
<mxGeometry x="-1" relative="1" as="geometry">
<mxPoint y="20" as="offset"/>
</mxGeometry>
</mxCell>
<mxCell id="12" value="Target" style="edgeLabel;resizable=0;html=1;align=right;verticalAlign=bottom;" connectable="0" vertex="1" parent="9">
<mxGeometry x="1" relative="1" as="geometry"/>
</mxCell>
<mxCell id="13" value="Internet" style="ellipse;shape=cloud;whiteSpace=wrap;html=1;" vertex="1" parent="1">
<mxGeometry x="100" y="-180" width="120" height="80" as="geometry"/>
</mxCell>
<mxCell id="33" value="" style="endArrow=classic;html=1;" edge="1" parent="1" target="18">
<mxGeometry relative="1" as="geometry">
<mxPoint x="270" y="170" as="sourcePoint"/>
<mxPoint x="470" y="50" as="targetPoint"/>
<Array as="points">
<mxPoint x="300" y="200"/>
</Array>
</mxGeometry>
</mxCell>
<mxCell id="34" value="/admin" style="edgeLabel;resizable=0;html=1;align=center;verticalAlign=middle;" connectable="0" vertex="1" parent="33">
<mxGeometry relative="1" as="geometry"/>
</mxCell>
<mxCell id="35" value="" style="endArrow=classic;html=1;entryX=0.633;entryY=-0.017;entryDx=0;entryDy=0;entryPerimeter=0;" edge="1" parent="1" target="21">
<mxGeometry relative="1" as="geometry">
<mxPoint x="220" y="170" as="sourcePoint"/>
<mxPoint x="470" y="170" as="targetPoint"/>
</mxGeometry>
</mxCell>
<mxCell id="36" value="/api/VERSION" style="edgeLabel;resizable=0;html=1;align=center;verticalAlign=middle;" connectable="0" vertex="1" parent="35">
<mxGeometry relative="1" as="geometry"/>
</mxCell>
<mxCell id="43" value="Legende:" style="text;strokeColor=none;fillColor=none;align=left;verticalAlign=middle;spacingLeft=4;spacingRight=4;overflow=hidden;points=[[0,0.5],[1,0.5]];portConstraint=eastwest;rotatable=0;whiteSpace=wrap;html=1;fontStyle=1;fontSize=14;" vertex="1" parent="1">
<mxGeometry x="550" y="130" width="80" height="30" as="geometry"/>
</mxCell>
<mxCell id="44" value="&lt;i style=&quot;&quot;&gt;Node JS&amp;nbsp;&lt;br&gt;Express Server&lt;/i&gt;" style="shape=process;whiteSpace=wrap;html=1;backgroundOutline=1;" vertex="1" parent="1">
<mxGeometry x="540" y="170" width="120" height="60" as="geometry"/>
</mxCell>
</root>
</mxGraphModel>
</diagram>
</mxfile>


@ -1,128 +0,0 @@
server {
if ($host = $NGINX_SERVER_NAME) {
return 301 https://$host$request_uri;
}
server_name $NGINX_SERVER_NAME;
listen 80;
listen [::]:80;
return 404;
}
server {
server_name $NGINX_SERVER_NAME;
listen [::]:443 ssl ipv6only=on;
listen 443 ssl;
ssl_certificate $NGINX_SSL_CERTIFICATE;
ssl_certificate_key $NGINX_SSL_CERTIFICATE_KEY;
include $NGINX_SSL_INCLUDE;
ssl_dhparam $NGINX_SSL_DHPARAM;
include /etc/nginx/common/protect.conf;
include /etc/nginx/common/protect_add_header.conf;
#gzip_static on;
gzip on;
gzip_proxied any;
gzip_types
text/css
text/javascript
text/xml
text/plain
application/javascript
application/x-javascript
application/json;
# Legacy URLS
set $REWRITE_LEGACY_URLS "$NGINX_REWRITE_LEGACY_URLS";
if ($REWRITE_LEGACY_URLS = 'true') {
rewrite ^/vue/?(.*)$ /$1 permanent;
}
# Frontend (default)
location / {
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:3000;
proxy_redirect off;
access_log $GRADIDO_LOG_PATH/nginx-access.frontend.log gradido_log;
error_log $GRADIDO_LOG_PATH/nginx-error.frontend.log warn;
}
# Backend
location /graphql {
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:4000;
proxy_redirect off;
access_log $GRADIDO_LOG_PATH/nginx-access.backend.log gradido_log;
error_log $GRADIDO_LOG_PATH/nginx-error.backend.log warn;
}
# Backend webhooks
location /hook {
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:4000/hook;
proxy_redirect off;
access_log $GRADIDO_LOG_PATH/nginx-access.backend.hook.log gradido_log;
error_log $GRADIDO_LOG_PATH/nginx-error.backend.hook.log warn;
}
# Webhook reverse proxy
location /hooks/ {
proxy_pass http://127.0.0.1:9000/hooks/;
access_log $GRADIDO_LOG_PATH/nginx-access.hooks.log gradido_log;
error_log $GRADIDO_LOG_PATH/nginx-error.hooks.log warn;
}
# Admin Frontend
location /admin {
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:8080/;
proxy_redirect off;
access_log $GRADIDO_LOG_PATH/nginx-access.admin.log gradido_log;
error_log $GRADIDO_LOG_PATH/nginx-error.admin.log warn;
}
# Federation
$FEDERATION_NGINX_CONF
# TODO this could be a performance optimization
#location /vue {
# alias /var/www/html/gradido/frontend/build;
# index index.html;
#
# location ~* \.(png)$ {
# expires 39d;
# }
# try_files $uri $uri/ /index.html = 404;
#}
}


@ -1,5 +1,5 @@
server {
server_name $NGINX_SERVER_NAME;
server_name $COMMUNITY_URL;
listen 80;
listen [::]:80;
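Review bot: `server_name $COMMUNITY_URL;` now requires COMMUNITY_URL to be a bare hostname, but the old side of the `.env` hunk in this same commit held it as a full URL (`https://stage1.gradido.net/`), so any existing `.env` that still has that form yields an invalid server_name after envsubst. A comment above the directive would document the new contract, e.g. `# COMMUNITY_URL must be a bare hostname (no scheme, no trailing slash); the scheme lives in URL_PROTOCOL`. The generating script could also reject the old form before touching nginx: `case "$COMMUNITY_URL" in *://*|*/*) echo 'COMMUNITY_URL must be a bare hostname' >&2; exit 1;; esac`. The server block continues past the hunk.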


@ -1,37 +0,0 @@
server {
if ($host = $NGINX_SERVER_NAME) {
return 301 https://$host$request_uri;
}
server_name $NGINX_SERVER_NAME;
listen 80;
listen [::]:80;
return 404;
}
server {
server_name $NGINX_SERVER_NAME;
listen [::]:443 ssl ipv6only=on;
listen 443 ssl;
ssl_certificate $NGINX_SSL_CERTIFICATE;
ssl_certificate_key $NGINX_SSL_CERTIFICATE_KEY;
include $NGINX_SSL_INCLUDE;
ssl_dhparam $NGINX_SSL_DHPARAM;
include /etc/nginx/common/protect.conf;
include /etc/nginx/common/protect_add_header.conf;
gzip on;
root $NGINX_UPDATE_PAGE_ROOT;
index updating.html;
location / {
try_files /updating.html =404;
}
access_log $GRADIDO_LOG_PATH/nginx-access.update-page.log gradido_log;
error_log $GRADIDO_LOG_PATH/nginx-error.update-page.log warn;
}


@ -100,8 +100,8 @@ export FEDERATION_NGINX_CONF=$(< $NGINX_CONFIG_DIR/gradido-federation.conf.locat
# *** 3rd generate gradido nginx config including federation modules per api-version
echo 'Generate new gradido nginx config' >> $UPDATE_HTML
case "$NGINX_SSL" in
true) TEMPLATE_FILE="gradido.conf.ssl.template" ;;
case "$URL_PROTOCOL" in
'https') TEMPLATE_FILE="gradido.conf.ssl.template" ;;
*) TEMPLATE_FILE="gradido.conf.template" ;;
esac
envsubst '$FEDERATION_NGINX_CONF' < $NGINX_CONFIG_DIR/$TEMPLATE_FILE > $NGINX_CONFIG_DIR/gradido.conf.tmp
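Review bot: The `'https')` arm still selects `gradido.conf.ssl.template`, yet this commit deletes a 128-line server block with `listen 443 ssl` that looks like exactly that template (its path is not shown, so this is inferred); with the `.env.dist` default `URL_PROTOCOL=https` the envsubst on the next line would then fail on a missing input file. The same pattern appears in the update-page hunk below, where `'https')` selects `update-page.conf.ssl.template` and a 37-line ssl server block is deleted. If TLS is now meant to come from certbot's nginx plugin installed by cloudConfig.yaml, both `case` statements should pick the plain template regardless of URL_PROTOCOL; either way a guard after `esac` gives a clear failure: `[ -f "$NGINX_CONFIG_DIR/$TEMPLATE_FILE" ] || { echo "missing template $TEMPLATE_FILE" >&2; exit 1; }`. The surrounding script starts and ends outside the hunk.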
@ -112,8 +112,8 @@ rm $NGINX_CONFIG_DIR/gradido-federation.conf.locations
# Generate update-page.conf from template
echo 'Generate new update-page nginx config' >> $UPDATE_HTML
case "$NGINX_SSL" in
true) TEMPLATE_FILE="update-page.conf.ssl.template" ;;
case "$URL_PROTOCOL" in
'https') TEMPLATE_FILE="update-page.conf.ssl.template" ;;
*) TEMPLATE_FILE="update-page.conf.template" ;;
esac
envsubst "$(env | sed -e 's/=.*//' -e 's/^/\$/g')" < $NGINX_CONFIG_DIR/$TEMPLATE_FILE > $NGINX_CONFIG_DIR/update-page.conf


@ -0,0 +1,82 @@
# Setup on Hetzner Cloud Server
Suggested minimal Plan: CX41
4x vCPU, 16 GB Ram, 160 GB Disk Space, 20.71 € per month (04.01.2024)
Suggested OS:
Debian 12
For Hetzner Cloud Server a cloud config can be attached, which will be run before first start
https://community.hetzner.com/tutorials/basic-cloud-config/de
https://cloudinit.readthedocs.io/en/latest/reference/examples.html
You can use our [cloudConfig.yaml](./cloudConfig.yaml) but you must insert you own ssh public key,
like this:
```yaml
ssh_authorized_keys:
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAkLGbzbG7KIGfkssKJBkc/0EVAzQ/8vjvVHzNdxhK8J yourname
```
## After Setup Cloud Server with cloudConfig.yaml
### setup your domain pointing on server ip address
### login to your new server as root
```bash
ssh -i /path/to/privKey root@gddhost.tld
```
### Change default shell
```bash
chsh -s /bin/bash
chsh -s /bin/bash gradido
```
### Set password for user `gradido`
```bash
$ passwd gradido
# enter new password twice
```
### Switch to the new user
```bash
su gradido
```
### Test authentication via SSH
If you logout from the server you can test authentication:
```bash
$ ssh -i /path/to/privKey gradido@gddhost.tld
# This should log you in and allow you to use sudo commands, which will require the user's password
```
### Disable password root login via ssh
```bash
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.org
sudo sed -i -e '/^\(#\|\)PermitRootLogin/s/^.*$/PermitRootLogin no/' /etc/ssh/sshd_config
sudo sed -i '$a AllowUsers gradido' /etc/ssh/sshd_config
sudo /etc/init.d/ssh restart
```
### Test SSH Access only, no root ssh access
```bash
$ ssh gradido@gddhost.tld
# Will result in in either a passphrase request for your key or the message 'Permission denied (publickey)'
$ ssh -i /path/to/privKey root@gddhost.tld
# Will result in 'Permission denied (publickey)'
$ ssh -i /path/to/privKey gradido@gddhost.tld
# Will succeed after entering the correct keys passphrase (if any)
```
### Install `Gradido` code
```bash
cd ~
git clone https://github.com/gradido/gradido.git
```
### Edit Config
```bash
cd ~/gradido/deployment
cp ./bare_metal/.env.dist ./hetzner_cloud/.env


@ -0,0 +1,46 @@
#cloud-config
users:
- name: gradido
groups: users, admin, sudo
sudo: ALL=(ALL) NOPASSWD:/etc/init.d/nginx start,/etc/init.d/nginx stop,/etc/init.d/nginx restart
shell: /bin/bash
ssh_authorized_keys:
- <public_ssh_key>
packages:
- fail2ban
- ufw
- git
- mariadb-server
- nginx
- curl
- build-essential
- gnupg
- certbot
- python3-certbot-nginx
- logrotate
- automysqlbackup
- expect
package_update: true
package_upgrade: true
runcmd:
- printf "[sshd]\nenabled = true\nbanaction = iptables-multiport" > /etc/fail2ban/jail.local
- systemctl enable fail2ban
- ufw allow OpenSSH
- ufw allow http
- ufw allow https
- ufw enable
- sed -i -e '/^\(#\|\)PasswordAuthentication/s/^.*$/PasswordAuthentication no/' /etc/ssh/sshd_config
- sed -i -e '/^\(#\|\)KbdInteractiveAuthentication/s/^.*$/KbdInteractiveAuthentication no/' /etc/ssh/sshd_config
- sed -i -e '/^\(#\|\)ChallengeResponseAuthentication/s/^.*$/ChallengeResponseAuthentication no/' /etc/ssh/sshd_config
- sed -i -e '/^\(#\|\)MaxAuthTries/s/^.*$/MaxAuthTries 3/' /etc/ssh/sshd_config
- sed -i -e '/^\(#\|\)AllowTcpForwarding/s/^.*$/AllowTcpForwarding no/' /etc/ssh/sshd_config
- sed -i -e '/^\(#\|\)X11Forwarding/s/^.*$/X11Forwarding no/' /etc/ssh/sshd_config
- sed -i -e '/^\(#\|\)AllowAgentForwarding/s/^.*$/AllowAgentForwarding no/' /etc/ssh/sshd_config
- sed -i -e '/^\(#\|\)AuthorizedKeysFile/s/^.*$/AuthorizedKeysFile .ssh\/authorized_keys/' /etc/ssh/sshd_config
- sed -i '$a AllowUsers gradido root' /etc/ssh/sshd_config
- reboot
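Review bot: The `sed` edits to `/etc/ssh/sshd_config` in runcmd can be silently overridden on Debian 12: the stock sshd_config begins with `Include /etc/ssh/sshd_config.d/*.conf`, sshd keeps the first value it reads for each keyword, and cloud-init may itself write a drop-in there when it manages password authentication — so `PasswordAuthentication no` and friends are not guaranteed to take effect. The supported way is the top-level cloud-init key `ssh_pwauth: false`, and for the remaining options a drop-in placed in `/etc/ssh/sshd_config.d/` via `write_files` instead of sed. A final runcmd step before the reboot, `sshd -T | grep -Ei 'passwordauthentication|permitrootlogin|allowusers'`, logs the effective values so a misapplied edit is visible in the cloud-init output. `sed -i '$a AllowUsers gradido root'` appends at end of file, which would land the directive inside a trailing `Match` block if one exists in the image's sshd_config.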


@ -0,0 +1,60 @@
#!/bin/bash
# Note: This is needed - since there is Summer-Time included in the default server Setup - UTC is REQUIRED for production data
timedatectl set-timezone UTC
timedatectl set-ntp on
apt purge ntp
systemctl start systemd-timesyncd
set -o allexport
SCRIPT_PATH=$(realpath ../bare_metal)
SCRIPT_DIR=$(dirname $SCRIPT_PATH)
PROJECT_ROOT=$SCRIPT_DIR/../..
set +o allexport
# Load .env or .env.dist if not present
# NOTE: all config values will be in process.env when starting
# the services and will therefore take precedence over the .env
if [ -f "./.env" ]; then
set -o allexport
source ./.env
set +o allexport
else
set -o allexport
source $SCRIPT_DIR/.env.dist
set +o allexport
fi
# Configure git
git config pull.ff only
# Secure mysql https://gist.github.com/Mins/4602864
SECURE_MYSQL=$(expect -c "
set timeout 10
spawn mysql_secure_installation
expect \"Enter current password for root (enter for none):\"
send \"\r\"
expect \"Switch to unix_socket authentication:\"
send \"Y\r\"
expect \"Change the root password?\"
send \"n\r\"
expect \"Remove anonymous users?\"
send \"y\r\"
expect \"Disallow root login remotely?\"
send \"y\r\"
expect \"Remove test database and access to it?\"
send \"y\r\"
expect \"Reload privilege tables now?\"
send \"y\r\"
expect eof
")
echo "$SECURE_MYSQL"
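Review bot: The path derivation looks off by one directory: `SCRIPT_PATH=$(realpath ../bare_metal)` resolves to the bare_metal folder, so `SCRIPT_DIR=$(dirname $SCRIPT_PATH)` is `deployment/`, the fallback `source $SCRIPT_DIR/.env.dist` reads `deployment/.env.dist` although the README in this commit copies `bare_metal/.env.dist`, and `PROJECT_ROOT=$SCRIPT_DIR/../..` lands two levels above `deployment/` rather than at the repository root (inferred from the README's layout; verify against the bare_metal script this was derived from). Replacing the first two assignments with `SCRIPT_DIR=$(realpath ../bare_metal)` fixes both, and since all of them are relative to the caller's cwd, a `cd "$(dirname "$0")"` at the top would make the script location-independent. `apt purge ntp` without `-y` prompts for confirmation, or aborts without a tty, so an unattended run stalls there. timedatectl and mysql_secure_installation need root, so an early `[ "$(id -u)" -eq 0 ] || { echo 'run as root' >&2; exit 1; }` turns a confusing mid-run failure into a clear one.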


@ -0,0 +1,33 @@
#!/bin/bash
#// Not required in actual script
MYSQL_ROOT_PASSWORD=abcd1234
SECURE_MYSQL=$(expect -c "
set timeout 10
spawn mysql_secure_installation
expect \"Enter current password for root (enter for none):\"
send \"$MYSQL\r\"
expect \"Change the root password?\"
send \"n\r\"
expect \"Remove anonymous users?\"
send \"y\r\"
expect \"Disallow root login remotely?\"
send \"y\r\"
expect \"Remove test database and access to it?\"
send \"y\r\"
expect \"Reload privilege tables now?\"
send \"y\r\"
expect eof
")
echo "$SECURE_MYSQL"
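Review bot: `send \"$MYSQL\r\"` references `$MYSQL`, but the variable defined two lines above is `MYSQL_ROOT_PASSWORD`; inside the double-quoted expect script the shell expands `$MYSQL` to an empty string, so an empty password is sent — which happens to satisfy the `enter for none` prompt but is not what the fixture intends. Use `send \"$MYSQL_ROOT_PASSWORD\r\"`. Even for a test script, read the value from the environment instead of hardcoding it, e.g. `MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD:?set MYSQL_ROOT_PASSWORD}`, so the literal `abcd1234` does not live in the repository and cannot be mistaken for a real default.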


@ -1,5 +1,5 @@
server {
server_name $NGINX_SERVER_NAME;
server_name _;
listen 80;
listen [::]:80;
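Review bot: `server_name _;` makes the update page answer for any Host header, while the sibling gradido.conf.template in this commit switched to `server_name $COMMUNITY_URL;`; `_` only matches as the default server, so if both configs are ever enabled on port 80 at once the one listed first wins and the update page is never served. Presumably the two files are swapped rather than co-enabled, in which case this is fine, but the asymmetry deserves a comment, e.g. `# catch-all: the update page is the only enabled site while updating`. The server block continues past the hunk.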