roberta

• debian bullseye (11.0) x64
• Vultr VPS Cloud Compute: 1x CPU, 1gb RAM, 25gb disk, $5/mon
• IPv6 is autoconfigured to a static address using the enp1s0 MAC address, good for DNS

build process

• Deploy it, collect SSH hostkeys, login as root using your existing SSH key.
• Record IP addresses in DNS

• Set timezone

  timedatectl set-timezone Australia/Sydney

• Set editor

  echo "export EDITOR=vim" > /etc/profile.d/editor-vim.sh

• Python

  apt install python-is-python3

• Disable HashKnownHosts

  echo -e "Host *\n    HashKnownHosts no" > /etc/ssh/ssh_config.d/99-global.conf

• Install packages

  apt install ack jq make elinks nmap whois screen

• Configure screen

  curl -o ~/.screenrc https://gist.githubusercontent.com/barneydesmond/d16c5201ed9d2280251dfca7c620bb86/raw/.screenrc

• Set FQDN

  hostnamectl set-hostname roberta.meidokon.net

• updatedb and reboot

  updatedb
  reboot

tweak firewall

The ISP firewall will have things locked down already, but defence in depth is good.

ufw is already installed and permits only SSH, we need HTTP too.

ufw allow http
ufw allow https
ufw prepend allow from 2404:e80:42e3:0::/64 to any app SSH
ufw prepend allow from 87.121.72.135/32 to any app SSH

# Existing rule is too broad
ufw delete allow 22

install apps

• Infra apps

  apt install imagemagick
  apt install mariadb-server

• Caddy for HTTP, following official docs:

  apt install -y debian-keyring debian-archive-keyring apt-transport-https
  curl -1sLf https://dl.cloudsmith.io/public/caddy/stable/gpg.key        > /etc/apt/trusted.gpg.d/caddy-stable.asc
  curl -1sLf https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt > /etc/apt/sources.list.d/caddy-stable.list
  
  apt update
  apt install caddy

This uses a systemwide config in /etc/caddy/Caddyfile, and acts as a generic HTTP server initially. It's serving up a Caddy landing page from /usr/share/caddy at http://roberta.meidokon.net/

create user account

useradd -b /bin/bash blog
su - blog
mkdir -p ~/public_html/blog.meidokon.net

echo "<?php phpinfo(); ?>" > ~/public_html/blog.meidokon.net/index.php

get php working

• Install PHP packages, Debian 11 is on PHP 7.4

  apt install php7.4-common php7.4-fpm php7.4-curl php7.4-mysql php7.4-xml php-imagick php7.4-cli php7.4-mbstring php7.4-zip

• Create a PHP-FPM pool config
  • cd /etc/php/7.4/fpm/pool.d
  • cp www.conf blog.conf

  • Edit it up kinda like so:

    [blog]
    user = blog
    group = blog
    
    listen = /run/php/php7.4-fpm-blog.sock
    
    listen.owner = caddy
    listen.group = caddy
    
    pm = dynamic
    pm.max_children = 5
    pm.start_servers = 2
    pm.min_spare_servers = 1
    pm.max_spare_servers = 3

  • Restart php-fpm: systemctl restart php7.4-fpm.service

• Setup a vhost in /etc/caddy/Caddyfile above the default vhost

  roberta.meidokon.net {
          root * /home/blog/public_html/blog.meidokon.net
          file_server
          php_fastcgi unix//run/php/php7.4-fpm-blog.sock
          log {
              output file /var/log/caddy/blog.log
          }
  }

• Reload the config: systemctl reload caddy

Now try reaching the domain, it should work, and magically have TLS working.

Wordpress

Running a vanilla Wordpress 5.9 for https://blog.meidokon.net/

Wordpress has come a long way, I'm genuinely impressed. The editor is fantastic now, the new Content Blocks scheme makes it a contender to Squarespace in my eyes, but you can self-host instead of using their cloud. Full control over the potential for speed and caching is very, very nice.

• Grab https://wordpress.org/latest.tar.gz and unpack it to ~furinkan/public_html/blog.meidokon.net

• Setup mysql DB, this is all muscle memory now

  CREATE USER 'blog'@'localhost' IDENTIFIED BY 'ASecurePassword';
  CREATE DATABASE blog;
  GRANT ALL PRIVILEGES ON blog.* TO 'blog'@'localhost' WITH GRANT OPTION;

Hit the domain and it'll ask you for setup credentials.