= roberta =

 * debian bullseye (11.0) x64
 * Vultr VPS Cloud Compute: 1x CPU, 1gb RAM, 25gb disk, $5/mon
 * IPv6 is autoconfigured to a static address using the enp1s0 MAC address, good for DNS

== build process ==

 * Deploy it, collect SSH hostkeys, login as root using your existing SSH key.
 * Record IP addresses in DNS
 * Set timezone
{{{
timedatectl set-timezone Australia/Sydney
}}}
 * Set editor
{{{
echo "export EDITOR=vim" > /etc/profile.d/editor-vim.sh
}}}
 * Python
{{{
apt install python-is-python3
}}}
 * Disable HashKnownHosts
{{{
echo -e "Host *\n HashKnownHosts no" > /etc/ssh/ssh_config.d/99-global.conf
}}}
 * Install packages
{{{
apt install ack jq make elinks nmap whois screen
}}}
 * Configure screen
{{{
curl -o ~/.screenrc https://gist.githubusercontent.com/barneydesmond/d16c5201ed9d2280251dfca7c620bb86/raw/.screenrc
}}}
 * Set FQDN
{{{
hostnamectl set-hostname roberta.meidokon.net
}}}
 * updatedb and reboot
{{{
updatedb
reboot
}}}

== tweak firewall ==

The ISP firewall will have things locked down already, but defence in depth is good. ufw is already installed and permits only SSH; we need HTTP too.

{{{
ufw allow http
ufw allow https
ufw prepend allow from 2404:e80:42e3:0::/64 to any app SSH
ufw prepend allow from 87.121.72.135/32 to any app SSH
# Existing rule is too broad
ufw delete allow 22
}}}

== install apps ==

 * Infra apps
{{{
apt install imagemagick
apt install mariadb-server
}}}
 * [[https://caddyserver.com/| Caddy]] for HTTP, following [[https://caddyserver.com/docs/install| official docs]]:
{{{
apt install -y debian-keyring debian-archive-keyring apt-transport-https
curl -1sLf https://dl.cloudsmith.io/public/caddy/stable/gpg.key > /etc/apt/trusted.gpg.d/caddy-stable.asc
curl -1sLf https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt > /etc/apt/sources.list.d/caddy-stable.list
apt update
apt install caddy
}}}

This uses a systemwide config in `/etc/caddy/Caddyfile`, and acts as a generic HTTP server initially.
It's serving up a Caddy landing page from `/usr/share/caddy` at http://roberta.meidokon.net/

== create user account ==

{{{
# -m creates the home directory, -s sets the login shell
useradd -m -s /bin/bash blog
su - blog
mkdir -p ~/public_html/blog.meidokon.net
echo "" > ~/public_html/blog.meidokon.net/index.php
}}}

== get php working ==

 * Install PHP packages, Debian 11 is on PHP 7.4
{{{
apt install php7.4-common php7.4-fpm php7.4-curl php7.4-mysql php7.4-xml php-imagick php7.4-cli php7.4-mbstring php7.4-zip
}}}
 * Create a PHP-FPM pool config
{{{
cd /etc/php/7.4/fpm/pool.d
cp www.conf blog.conf
}}}
 * Edit it up kinda like so:
{{{
[blog]
user = blog
group = blog
listen = /run/php/php7.4-fpm-blog.sock
listen.owner = caddy
listen.group = caddy
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
}}}
 * Restart php-fpm: `systemctl restart php7.4-fpm.service`
 * Set up a vhost in `/etc/caddy/Caddyfile` above the default vhost
{{{
roberta.meidokon.net {
    root * /home/blog/public_html/blog.meidokon.net
    file_server
    php_fastcgi unix//run/php/php7.4-fpm-blog.sock
    log {
        output file /var/log/caddy/blog.log
    }
}
}}}
 * Reload the config: `systemctl reload caddy`

Now try reaching the domain; it should work, and magically have TLS working.

== WordPress ==

Running a vanilla WordPress 5.9 for https://blog.meidokon.net/

WordPress has come a long way; I'm genuinely impressed. The editor is fantastic now, the new Content Blocks scheme makes it a contender to Squarespace in my eyes, but you can self-host instead of using their cloud. Full control over the potential for speed and caching is very, very nice.

 * Grab https://wordpress.org/latest.tar.gz and unpack it to `~furinkan/public_html/blog.meidokon.net`
 * Set up the MySQL DB; this is all muscle memory now :)
{{{
CREATE USER 'blog'@'localhost' IDENTIFIED BY 'ASecurePassword';
CREATE DATABASE blog;
GRANT ALL PRIVILEGES ON blog.* TO 'blog'@'localhost' WITH GRANT OPTION;
}}}

Hit the domain and it'll ask you for setup credentials.
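A check for the "tweak firewall" step. The two `ufw prepend` rules plus `ufw delete allow 22` are meant to leave SSH reachable only from the two allow-listed sources, and it is easy to get the order wrong or forget the delete. The snippet below is an added example, not part of the original build notes: it reads `ufw status` style output on stdin (here a constructed sample shaped like the table ufw prints once the rules above are in place; the column spacing is made up) and fails if any rule still opens port 22 or the SSH app profile to Anywhere. The matching keys on the To/Action/From text, not on column positions.

```shell
#!/bin/sh
# Added example (not from the original build notes): audit `ufw status`
# output for SSH exposure after the allow/prepend/delete sequence.

# Constructed sample, shaped like `ufw status` output once the rules are in place.
SAMPLE_UFW_GOOD='Status: active

To                         Action      From
--                         ------      ----
80/tcp                     ALLOW       Anywhere
443                        ALLOW       Anywhere
SSH                        ALLOW       2404:e80:42e3:0::/64
SSH                        ALLOW       87.121.72.135
80/tcp (v6)                ALLOW       Anywhere (v6)
443 (v6)                   ALLOW       Anywhere (v6)'

# Same table with the broad rule from the fresh install still present,
# i.e. the `ufw delete allow 22` step was skipped.
SAMPLE_UFW_BAD="$SAMPLE_UFW_GOOD
22/tcp                     ALLOW       Anywhere"

# A rule line that concerns SSH: port 22 (any proto) or the SSH/OpenSSH app
# profile, optionally tagged (v6), then ALLOW or ALLOW IN (verbose output).
SSH_RULE='^(22(/tcp)?|SSH|OpenSSH)( \(v6\))?[[:space:]]+ALLOW( IN)?[[:space:]]+'

# ssh_exposure_check: read the rule table on stdin; succeed only if no SSH
# rule has Anywhere as its source. Offending rules are printed to stderr.
ssh_exposure_check() {
    offending=$(grep -E "${SSH_RULE}Anywhere")
    if [ -n "$offending" ]; then
        printf 'SSH reachable from Anywhere:\n%s\n' "$offending" >&2
        return 1
    fi
    return 0
}

# ssh_allowed_sources: print the From column of every SSH rule that is not
# Anywhere, i.e. the sources actually allow-listed for SSH.
ssh_allowed_sources() {
    grep -E "$SSH_RULE" | sed -E 's/^.*ALLOW( IN)?[[:space:]]+//' | grep -v '^Anywhere'
}

# Demo on the constructed samples. On the box itself: ufw status | ssh_exposure_check
printf '%s\n' "$SAMPLE_UFW_GOOD" | ssh_exposure_check \
    && echo "good table: SSH limited to $(printf '%s\n' "$SAMPLE_UFW_GOOD" | ssh_allowed_sources | tr '\n' ' ')"
printf '%s\n' "$SAMPLE_UFW_BAD" | ssh_exposure_check || echo "bad table: flagged as expected"
```

Run it right after the firewall commands and again after any later `ufw` change; a non-zero exit means a rule still exposes SSH to the whole internet despite the allow-list entries sitting above it.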
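The pool config in "get php working" is what isolates the site: PHP runs as the `blog` user rather than the shared `www-data`, on a Unix socket whose owner and group are `caddy`, so only the web server can talk to it. The following is an added example, not code from the page: `fpm_pool_check` reads a pool file and verifies those properties before the `systemctl restart`, and `fpm_socket_check` (GNU `stat`, untested here) confirms the live socket afterwards. The `www-data`/`listen.mode = 0666` variant is constructed to show what a failing pool looks like.

```shell
#!/bin/sh
# Added example (not from the original build notes): verify a PHP-FPM pool
# file keeps the site isolated, then verify the live socket.

# Constructed sample: the blog pool exactly as written on this page.
POOL_GOOD='[blog]
user = blog
group = blog
listen = /run/php/php7.4-fpm-blog.sock
listen.owner = caddy
listen.group = caddy
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3'

# Constructed counter-example: shared www-data user and a world-writable socket.
POOL_BAD='[blog]
user = www-data
group = www-data
listen = /run/php/php7.4-fpm-blog.sock
listen.owner = caddy
listen.group = caddy
listen.mode = 0666
pm = dynamic'

# pool_value FILE KEY: value of KEY (last occurrence wins), empty if unset.
# Lines commented out with ';' (as in the shipped www.conf) are ignored.
pool_value() {
    sed -nE "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed -E 's/[[:space:]]*$//' | tail -n 1
}

# fpm_pool_check FILE: exit 0 if the pool runs as a dedicated account on a
# unix socket reachable only by caddy; otherwise print reasons and exit 1.
fpm_pool_check() {
    f=$1; ok=0
    user=$(pool_value "$f" user); group=$(pool_value "$f" group)
    listen=$(pool_value "$f" listen)
    owner=$(pool_value "$f" listen.owner); lgroup=$(pool_value "$f" listen.group)
    mode=$(pool_value "$f" listen.mode)   # php-fpm default is 0660 when unset
    case "$user" in ""|root|www-data)
        echo "user should be a dedicated account, got '${user:-unset}'" >&2; ok=1 ;; esac
    case "$group" in ""|root|www-data)
        echo "group should be a dedicated group, got '${group:-unset}'" >&2; ok=1 ;; esac
    case "$listen" in /*) ;; *)
        echo "listen should be a unix socket path, got '${listen:-unset}'" >&2; ok=1 ;; esac
    [ "$owner" = caddy ] && [ "$lgroup" = caddy ] \
        || { echo "listen.owner/listen.group should both be caddy" >&2; ok=1; }
    case "${mode:-0660}" in *[1-7])
        echo "listen.mode ${mode} grants access to other users" >&2; ok=1 ;; esac
    return $ok
}

# fpm_socket_check SOCKET: after the restart, the socket must exist, belong to
# caddy:caddy and carry no permission bits for others (GNU stat).
fpm_socket_check() {
    [ -S "$1" ] || { echo "$1 is not a socket (is php7.4-fpm running?)" >&2; return 1; }
    [ "$(stat -c '%U:%G' "$1")" = "caddy:caddy" ] || { echo "$1 is not owned by caddy:caddy" >&2; return 1; }
    case "$(stat -c '%a' "$1")" in *[1-7]) echo "$1 is accessible to others" >&2; return 1 ;; esac
    return 0
}

# Demo on the constructed samples. On the box: fpm_pool_check /etc/php/7.4/fpm/pool.d/blog.conf
tmp=$(mktemp)
printf '%s\n' "$POOL_GOOD" > "$tmp"; fpm_pool_check "$tmp" && echo "blog pool: OK"
printf '%s\n' "$POOL_BAD"  > "$tmp"; fpm_pool_check "$tmp" || echo "www-data pool: flagged as expected"
rm -f "$tmp"
```

The pool check reads the file only, so it can run before the restart; `fpm_socket_check /run/php/php7.4-fpm-blog.sock` is the follow-up once php-fpm is back up and before the Caddy vhost goes live.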
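The `GRANT` in the WordPress step works, but `WITH GRANT OPTION` lets the web application's database account hand out privileges, which WordPress never needs, and the password ends up as a literal in the MySQL history file. The following is an added example, not from the page: `wp_db_sql` emits the same setup without `GRANT OPTION` and with a generated password (assumes `/dev/urandom` and coreutils `base64`), and `grants_check` reads `SHOW GRANTS` output and flags grant option or any global privilege beyond the bare `USAGE` line. The two `SHOW GRANTS` samples are constructed in the shape MariaDB prints, with a placeholder hash.

```shell
#!/bin/sh
# Added example (not from the original build notes): least-privilege MariaDB
# account for WordPress, plus a check over `SHOW GRANTS` output.

# gen_db_password: 32 random base64 characters. base64 never contains ' or \,
# so the value is safe to splice into the single-quoted SQL literal below.
gen_db_password() {
    head -c 24 /dev/urandom | base64 | tr -d '\n'
}

# wp_db_sql DB USER PASSWORD: SQL for an account that can do everything inside
# its own database and nothing else. ALL on the one database is what WordPress
# needs (it creates tables); WITH GRANT OPTION is the part that is dropped.
wp_db_sql() {
    cat <<EOF
CREATE DATABASE IF NOT EXISTS \`$1\` CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
CREATE USER IF NOT EXISTS '$2'@'localhost' IDENTIFIED BY '$3';
GRANT ALL PRIVILEGES ON \`$1\`.* TO '$2'@'localhost';
EOF
}

# grants_check: read `SHOW GRANTS FOR 'user'@'host'` output on stdin and fail
# on WITH GRANT OPTION or on any global (*.*) grant other than USAGE, which
# MariaDB always prints for an existing account.
grants_check() {
    problems=$(awk '
        /WITH GRANT OPTION/ { print; next }
        /ON \*\.\*/ && !/^GRANT USAGE ON \*\.\*/ { print }
    ')
    if [ -n "$problems" ]; then
        printf 'over-privileged grants:\n%s\n' "$problems" >&2
        return 1
    fi
    return 0
}

# Constructed sample in MariaDB SHOW GRANTS shape: the grants this page creates.
sample_grants_page() {
    cat <<'EOF'
GRANT USAGE ON *.* TO `blog`@`localhost` IDENTIFIED BY PASSWORD '*PLACEHOLDER_HASH'
GRANT ALL PRIVILEGES ON `blog`.* TO `blog`@`localhost` WITH GRANT OPTION
EOF
}

# Constructed sample: the grants produced by wp_db_sql.
sample_grants_tight() {
    cat <<'EOF'
GRANT USAGE ON *.* TO `blog`@`localhost` IDENTIFIED BY PASSWORD '*PLACEHOLDER_HASH'
GRANT ALL PRIVILEGES ON `blog`.* TO `blog`@`localhost`
EOF
}

# Demo: SQL for a throwaway password, then the check on both samples.
wp_db_sql blog blog "$(gen_db_password)"
sample_grants_tight | grants_check && echo "tight grants: OK"
sample_grants_page | grants_check || echo "page grants: flagged as expected"
```

Usage on the box, as root (Debian's mariadb-server authenticates root over the unix socket, so there is no password prompt): `pw=$(gen_db_password); wp_db_sql blog blog "$pw" | mysql`, then put `$pw` into `DB_PASSWORD` in wp-config.php rather than typing it anywhere else. Afterwards `mysql -e "SHOW GRANTS FOR 'blog'@'localhost'" | grants_check` confirms nothing broader than the one database was granted.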