@nicholaelaw
Last active July 6, 2021 07:56
Configuring A VPS Server

First Boot

Packages

As root

yum update
yum install -y epel-release
yum install -y git wget 
yum install -y apr-util-openssl libxml2-devel libcurl-devel gmp-devel mpfr-devel ncurses-devel openssl-devel libssh2-devel v8-314-devel
yum install -y httpd httpd-manual mod_session mod_ssl mod_security mod_nss
yum install -y R

Vultr Docs on installing R

Install Bash Aliases

git clone https://github.com/nicholaelaw/bash-aliases ~/.bash-aliases
cp ~/.bash-aliases/bash-aliases.sh /etc/profile.d/x-bash-aliases.sh

Note: for zsh this file also has to be sourced from .zshrc to take effect, since zsh does not read /etc/profile.d; this applies when the Oh-My-Zsh setup below is used.

Add user

adduser muyifeng
passwd muyifeng
groupadd r
groupadd www
usermod -g www muyifeng
usermod -aG wheel,users,r,www muyifeng

Vim

Install Vim 8

The Vim in the system image is often too old (7.4 or older); the newest version can be built on the box.

yum remove vim
git clone https://github.com/vim/vim.git
cd vim/src
make
make install

Install Awesome vimrc

git clone --depth=1 https://github.com/nicholaelaw/vimrc.git ~/.vim_runtime
sh ~/.vim_runtime/install_awesome_vimrc.sh

Allow sudo vim

In /etc/sudoers (edit it with visudo, which checks the syntax before saving; a broken sudoers breaks sudo entirely), append /usr/local/bin to the Defaults secure_path line, so that sudo vim resolves to the freshly built /usr/local/bin/vim rather than the packaged one.

SSH Configuration

Make the following modifications to /etc/ssh/sshd_config:

LogLevel INFO
PermitRootLogin no
PubkeyAuthentication yes
RSAAuthentication yes
TCPKeepAlive yes
ClientAliveInterval 60
ClientAliveCountMax 5

RSAAuthentication is an SSH protocol 1 option that current OpenSSH ignores (it logs a deprecation warning), so it can be dropped; PubkeyAuthentication yes is already the default and is the setting that matters. Before restarting sshd, validate the file with sshd -t, and keep the current session open until a fresh login with the new user's key has succeeded, because PermitRootLogin no locks root out if that key was not installed.
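These settings are usually applied with sed, as the script further down this page does, but a substitution like s/^#Port.+$/Port 1121/ only works while the directive is still commented out in the stock file: on a host where Port is already active it silently changes nothing, and a directive appended after a Match block applies to that block only. The helper below is an added example, not part of the gist: it sets a directive exactly once in the global section of an sshd_config-style file, reads the effective value back, and wraps sshd -t. The sample config it rewrites is constructed inline, and the function and variable names are its own.

```sh
#!/bin/sh
# set_sshd_option FILE KEY VALUE
# Sets KEY to VALUE exactly once in the global section of an sshd_config-style
# FILE: an active line is replaced, a commented-out "#Key ..." line (or a comment
# whose first word is the key) is replaced, and an absent key is inserted before
# the first "Match" block, or appended if there is none. Keys compare
# case-insensitively, as sshd does. The file is rewritten in place so its owner,
# mode and SELinux label are kept (an mv from /tmp would carry tmp_t along).
set_sshd_option() {
  file=$1 key=$2 value=$3
  tmp=$(mktemp) || return 1
  awk -v k="$key" -v v="$value" '
    function keyof(s,    f) {
      sub(/^[ \t]*#?[ \t]*/, "", s)          # strip indentation and one leading #
      split(s, f, /[ \t=]+/)
      return tolower(f[1])
    }
    !done && tolower($1) == "match"  { print k " " v; done = 1 }   # stay global
    !done && keyof($0) == tolower(k) { print k " " v; done = 1; next }
    { print }
    END { if (!done) print k " " v }
  ' "$file" > "$tmp" && cat "$tmp" > "$file"
  status=$?
  rm -f "$tmp"
  return $status
}

# get_sshd_option FILE KEY
# Prints the effective global value of KEY: the first active occurrence before
# any Match block, which is the one sshd honours.
get_sshd_option() {
  awk -v k="$2" '
    tolower($1) == "match" { exit }
    $1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }
  ' "$1"
}

# check_sshd_config FILE
# Parses FILE with sshd -t (non-zero exit on any error). Run it before the
# restart, and keep the current session open until a login on the new port works.
check_sshd_config() {
  if command -v sshd >/dev/null 2>&1; then
    sshd -t -f "$1"
  else
    echo "sshd not installed here; skipping syntax check of $1" >&2
  fi
}

demo() {
  cfg=$(mktemp) || return 1
  # Constructed stand-in for a stock sshd_config: two commented defaults,
  # one active directive and a Match block at the end.
  printf '%s\n' '#Port 22' 'PermitRootLogin yes' '#ClientAliveInterval 0' \
    'Match User deploy' '    PasswordAuthentication yes' > "$cfg"
  set_sshd_option "$cfg" Port 1121
  set_sshd_option "$cfg" PermitRootLogin no
  set_sshd_option "$cfg" ClientAliveInterval 60
  set_sshd_option "$cfg" PasswordAuthentication no   # absent globally: lands before Match
  cat "$cfg"
  rm -f "$cfg"
}
demo
```

On an SELinux-enforcing host a non-default Port also needs semanage port -a -t ssh_port_t -p tcp <port> before the restart, and on CentOS 7 firewalld opens 22 through its predefined ssh service, so closing it means --remove-service=ssh rather than --remove-port=22/tcp.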

Setup Google BBR

Vultr Docs

Install Z and Zsh

Vultr Docs

Install Oh-My-Zsh

sh -c "$(curl -fsSL https://raw.github.com/robbyrussell/oh-my-zsh/master/tools/install.sh)"

Also install the Noto Mono for Powerline font (the agnoster theme relies on its glyphs), then edit ~/.zshrc and set

ZSH_THEME="agnoster"

Note If under Cygwin

  • Add system environment variable SHELL = /usr/bin/zsh
  • In admin console, chere -i -t mintty -s zsh
  • Set mintty font to Noto Mono for Powerline

nginx and SELinux

Mostly copied from this blog: Using NGINX and NGINX Plus with SELinux

On SELinux-enabled systems,

getenforce

If SELinux mode is set to enforcing, you are going to have to jump through quite a few hoops. First, make sure semanage is available: it ships in policycoreutils-python on CentOS/RHEL 7 (policycoreutils-python-utils on 8), not in setools, which only provides query tools such as seinfo and sesearch.

yum install policycoreutils-python

File permissions

Then nginx must be allowed to read the other locations it serves from. Check the current labels first, then relabel with chcon:

ls -Zd /etc/letsencrypt /srv/www/ /usr/share/nginx/html
chcon -R -t httpd_sys_content_t /etc/letsencrypt
chcon -R -t httpd_sys_content_t /srv/www
service nginx restart

chcon only changes the label stored on the inode; the next relabel (restorecon, or a reboot after touch /.autorelabel) resets it to whatever the file-context database says. To make the change persistent, record it with semanage fcontext -a -t httpd_sys_content_t '/srv/www(/.*)?' and apply it with restorecon -Rv /srv/www. Note also that /etc/letsencrypt holds private keys; httpd_sys_content_t marks them as ordinary web content, whereas cert_t is the type the httpd policy already lets the server read for certificates and keys, and is the narrower choice for that directory.

Network permissions

Use

semanage port -l | grep http_port_t

to see the ports nginx is allowed to connect to.

Add 3838 (Shiny Server's default port) and 8787 (RStudio Server's default port) to this list so nginx may proxy to them:

semanage port -a -t http_port_t -p tcp 3838
semanage port -a -t http_port_t -p tcp 8787

8787 will fail with "already defined" because the policy already assigns that port to another type. Either move RStudio Server to a different port, checking first that the new one is unassigned:

semanage port -l | grep 8686
semanage port -a -t http_port_t -p tcp 8686

or keep 8787 and re-label it instead of adding it (semanage port -m -t http_port_t -p tcp 8787), which overrides the existing assignment in local policy.

Remember to change the port in /etc/rstudio/rserver.conf and in the nginx config file. RStudio Server also needs an additional SELinux context to work properly:

chcon -R -t bin_t /usr/lib/rstudio-server/bin/

This allows the RStudio Server binaries to run unconfined, which could have unforeseen security implications, but until the RStudio team creates a targeted policy for its products, this will have to do. As with the chcon calls above, this label is lost on a relabel unless it is also recorded with semanage fcontext.
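Rather than trying -a and reacting to the error, a port's current owner can be read off semanage port -l first. The helper below is an added example, not from the gist or the blog it cites: it parses a listing in that command's format (type, protocol, then a comma-separated list of ports and ranges), reports whether a port is unlabelled, exactly labelled, or only inside a range, and prints the semanage command that follows from that. The listing in the block is a constructed excerpt, sample_app_port_t is a placeholder for whatever type owns 8787 in a given policy, and semanage itself is not invoked.

```sh
#!/bin/sh
# Constructed excerpt in the layout of `semanage port -l` (a real listing is
# several hundred lines; sample_app_port_t stands in for the real owner of 8787).
SAMPLE_LISTING='SELinux Port Type              Proto    Port Number

ephemeral_port_t               tcp      32768-60999
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
sample_app_port_t              tcp      8787
ssh_port_t                     tcp      22'

# port_owner PORT PROTO  < listing
# Prints "<type> exact" for an entry that is exactly PORT, "<type> range" for a
# range that covers it, and nothing if the port is unlabelled.
port_owner() {
  awk -v port="$1" -v proto="$2" '
    NF >= 3 && $2 == proto {
      rest = $0
      sub(/^[^ \t]+[ \t]+[^ \t]+[ \t]+/, "", rest)      # drop the type and proto columns
      n = split(rest, items, /[ \t]*,[ \t]*/)
      for (i = 1; i <= n; i++) {
        if (split(items[i], r, "-") == 2) {
          if (port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) print $1, "range"
        } else if (items[i] + 0 == port + 0) {
          print $1, "exact"
        }
      }
    }'
}

# label_port_cmd TYPE PORT PROTO  < listing
# Prints the semanage command that gives PORT/PROTO the label TYPE.
# `semanage port -a` is rejected with "already defined" only when an entry for
# exactly that port exists; a covering range does not block it.
label_port_cmd() {
  want=$1 port=$2 proto=$3
  owners=$(port_owner "$port" "$proto")
  exact=$(printf '%s\n' "$owners" | awk '$2 == "exact" { print $1 }')
  if [ "$exact" = "$want" ]; then
    echo "# $port/$proto is already $want"
  elif [ -n "$exact" ]; then
    # Owned by another type: -m replaces the label in local policy instead of
    # moving the service to a different port.
    echo "semanage port -m -t $want -p $proto $port   # currently $exact"
  else
    echo "semanage port -a -t $want -p $proto $port"
  fi
}

# Demo against the constructed listing. On a real host feed the live one in:
#   semanage port -l | label_port_cmd http_port_t 8787 tcp
for p in 3838 8787 80 40000; do
  printf '%s\n' "$SAMPLE_LISTING" | label_port_cmd http_port_t "$p" tcp
done
```

-m rewrites the label in local policy, so whatever domain was allowed to bind the former type loses that port; check with semanage port -l afterwards that nothing else on the host depended on it.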

#!/bin/bash
# Disable sshd access for now; existing sessions survive (sshd.service uses
# KillMode=process) but no new logins are possible until it is restarted below.
service sshd stop
printf "\n>>>>>>>>>>>>>>> Updating packages <<<<<<<<<<<<<<<\n"
yum install -y deltarpm # not available on RHEL 8.3
yum update -y
printf "\n>>>>>>>>>>>>>>> Setting timezone to Asia/Hong_Kong <<<<<<<<<<<<<<<\n"
timedatectl set-timezone Asia/Hong_Kong
# EPEL: install the release package matching the host (rpm -E %rhel prints the major version)
case "$(rpm -E '%{rhel}')" in
  8) yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
     dnf config-manager --set-enabled codeready-builder-for-rhel-8-rhui-rpms ;;
  7) yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm ;;
esac
printf "\n>>>>>>>>>>>>>>> Adding user <<<<<<<<<<<<<<<\n"
adduser muyifeng
groupadd r
groupadd www
usermod -aG wheel,users,r,www muyifeng
usermod -g www muyifeng
# adduser leaves the password field locked ("!!"); chsh refuses on a locked account
# and sshd rejects logins for one even with a key. -f forces the unlock although no
# password was ever set, which leaves an EMPTY password: set a real one afterwards
# (passwd muyifeng), since PAM stacks configured with nullok may accept an empty
# password for console login and sudo.
passwd -uf muyifeng
printf "\n>>>>>>>>>>>>>>> User summary <<<<<<<<<<<<<<<\n"
groups muyifeng
printf "\n>>>>>>>>>>>>>>> Copying ssh keys <<<<<<<<<<<<<<<\n"
su muyifeng -c "mkdir ~/.ssh"
su muyifeng -c "chmod 700 ~/.ssh"
cp /root/.ssh/authorized_keys /home/muyifeng/.ssh/
chown muyifeng:www /home/muyifeng/.ssh/authorized_keys
chmod 600 /home/muyifeng/.ssh/authorized_keys   # sshd (StrictModes) rejects the file if others can write it
su muyifeng -c "ls -lhA ~"
su muyifeng -c "ls -lhA ~/.ssh"
printf "\n>>>>>>>>>>>>>>> Reconfigure sshd <<<<<<<<<<<<<<<\n"
# Each pattern only uncomments a directive the stock file ships commented out
# ("#Port 22"); a directive that is already active is left untouched, so verify
# the result. RSAAuthentication is an SSH-1 option that current OpenSSH ignores.
sed -i -r -e "s/^#Port.+$/Port 1121/" \
-e "s/^#PermitRootLogin.+$/PermitRootLogin no/" \
-e "s/^#PubkeyAuthentication.+$/PubkeyAuthentication yes/" \
-e "s/^#RSAAuthentication.+$/RSAAuthentication yes/" \
-e "s/^#TCPKeepAlive.+$/TCPKeepAlive yes/" \
-e "s/^#ClientAliveInterval.+$/ClientAliveInterval 60/" \
-e "s/^#ClientAliveCountMax.+$/ClientAliveCountMax 5/" \
/etc/ssh/sshd_config
grep -E '^(Port|PermitRootLogin|ClientAlive)' /etc/ssh/sshd_config
sshd -t
# With SELinux enforcing, sshd may only bind ports labelled ssh_port_t; label the
# new one here or sshd will not start after the restart below.
command -v semanage >/dev/null 2>&1 && semanage port -a -t ssh_port_t -p tcp 1121
printf "\n>>>>>>>>>>>>>>> Moving SSH port <<<<<<<<<<<<<<<\n"
firewall-cmd --zone=public --add-port=1121/tcp --permanent
# Port 22 is open through the predefined "ssh" service of the public zone, not as
# a bare port, so removing the port alone leaves it reachable.
firewall-cmd --zone=public --remove-service=ssh --permanent
firewall-cmd --zone=public --remove-port=22/tcp --permanent
firewall-cmd --reload
printf "\n>>>>>>>>>>>>>>> Installing latest kernel <<<<<<<<<<<<<<<\n"
rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org
rpm -Uvh https://www.elrepo.org/elrepo-release-7.0-3.el7.elrepo.noarch.rpm
yum --enablerepo=elrepo-kernel install kernel-ml -y
printf "\n>>>>>>>>>>>>>>> Setting the new kernel as default <<<<<<<<<<<<<<<\n"
grub2-set-default 0
printf "\n>>>>>>>>>>>>>>> Enabling Google BBR <<<<<<<<<<<<<<<\n"
echo 'net.core.default_qdisc=fq' | tee -a /etc/sysctl.conf
echo 'net.ipv4.tcp_congestion_control=bbr' | tee -a /etc/sysctl.conf
# The running stock 3.10 kernel has no tcp_bbr module, so these two checks still
# show the old values (and `sysctl -p` would fail) until the reboot into kernel-ml
# at the end of this script, when /etc/sysctl.conf is applied; re-run them then.
sysctl net.ipv4.tcp_available_congestion_control
sysctl -n net.ipv4.tcp_congestion_control
printf "\n>>>>>>>>>>>>>>> Enabling sshd <<<<<<<<<<<<<<<\n"
service sshd restart
printf "\n>>>>>>>>>>>>>>> Installing additional packages <<<<<<<<<<<<<<<\n"
yum install -y epel-release git wget
yum install -y perl protobuf-devel ncurses-devel zlib-devel libutempter-devel libevent-devel openssl-devel dh-autoreconf gcc-c++
yum install -y apr-util-openssl libxml2-devel libcurl-devel gmp-devel mpfr-devel libssh2-devel libsodium-devel libpng-devel freetype-devel
# if libssh2-devel install fails, do this:
# yum module enable virt-devel
printf "\n>>>>>>>>>>>>>>> Building mosh from source <<<<<<<<<<<<<<<\n"
cd /usr/local/src
wget https://github.com/mobile-shell/mosh/releases/download/mosh-1.3.2/mosh-1.3.2.tar.gz
tar xvzf mosh-1.3.2.tar.gz && cd mosh-1.3.2
./autogen.sh && ./configure && make && make install
which mosh
printf "\n>>>>>>>>>>>>>>> Opening UDP 60k~61k for mosh <<<<<<<<<<<<<<<\n"
firewall-cmd --zone=public --add-port=60000-61000/udp --permanent
firewall-cmd --reload
firewall-cmd --list-all
printf "\n>>>>>>>>>>>>>>> Building tmux from source <<<<<<<<<<<<<<<\n"
cd /usr/local/src
curl -L https://github.com/tmux/tmux/releases/download/3.1c/tmux-3.1c.tar.gz -o tmux-3.1c.tar.gz
tar xvzf tmux-3.1c.tar.gz && cd tmux-3.1c
./configure && make && make install
which tmux
printf "\n>>>>>>>>>>>>>>> TMUX package manager, .tmux.conf <<<<<<<<<<<<<<<\n"
cd /usr/local/src
git clone https://github.com/tmux-plugins/tpm.git
# This makes the tpm tree writable by every local user, yet root's ~/.tmux.conf
# below executes /usr/local/src/tpm/tpm: any account on the box (including the
# service users the later RPMs create) could edit that script and run code as root
# the next time root starts tmux. tpm installs plugins under each user's own
# ~/.tmux/plugins, so 755 is normally enough; otherwise give muyifeng a separate clone.
chmod 777 -R ./tpm
echo "# .tmux.conf
new-session
set -g @plugin 'tmux-plugins/tpm'
set -g @plugin 'tmux-plugins/tmux-sensible'
# refer to https://github.com/tmux-plugins/tmux-yank
# for instructions on how to setup system clipboard
set -g @plugin 'tmux-plugins/tmux-yank'
set -g @plugin 'jimeh/tmux-themepack'
set -g @plugin 'nhdaly/tmux-better-mouse-mode'
set -g base-index 1
setw -g pane-base-index 1
setw -g mouse on
set -g @themepack 'powerline/default/blue'
set -g set-clipboard on
# Initialize TMUX plugin manager (keep this line at the very bottom of tmux.conf)
run '/usr/local/src/tpm/tpm'
" > ~/.tmux.conf
cp /root/.tmux.conf /home/muyifeng/
chown muyifeng:www /home/muyifeng/.tmux.conf
cd /usr/local/src/tpm/
./scripts/install_plugins.sh
su muyifeng -c './scripts/install_plugins.sh'
su muyifeng -c "ls -lhA ~"
printf "\n>>>>>>>>>>>>>>> Building zsh from source <<<<<<<<<<<<<<<\n"
cd /usr/local/src
wget https://www.zsh.org/pub/zsh-5.8.tar.xz
tar xvf zsh-5.8.tar.xz && cd zsh-5.8
./configure --with-tcsetpgrp && make && make install
echo "/usr/local/bin/zsh" >> /etc/shells
which zsh
printf "\n>>>>>>>>>>>>>>> Installing Oh-My-Zsh <<<<<<<<<<<<<<<\n"
# This runs whatever a third-party fork's feature branch contains at download time,
# as root. Pin the raw URL to a commit hash, or download the installer, read it and
# keep a copy, instead of fetching a moving branch.
sh -c "$(curl -fsSL https://raw.githubusercontent.com/loket/oh-my-zsh/feature/batch-mode/tools/install.sh)" -s --unattended
sed -i -r -e 's/^ZSH_THEME.+$/ZSH_THEME="agnoster"/' \
-e 's/^# DISABLE_AUTO_UPDATE.+$/DISABLE_AUTO_UPDATE="true"/' \
-e '2a\
export DEFAULT_USER="muyifeng"\
export LC_ALL="en_US.UTF-8"\
export EDITOR=vim\
export VISUAL=vim\
export PATH=$PATH:/usr/sbin' \
~/.zshrc
su muyifeng -c 'ZSH="" sh -c "$(curl -fsSL https://raw.githubusercontent.com/loket/oh-my-zsh/feature/batch-mode/tools/install.sh)" -s --unattended'
sed -i -r -e 's/^ZSH_THEME.+$/ZSH_THEME="agnoster"/' \
-e 's/^# DISABLE_AUTO_UPDATE.+$/DISABLE_AUTO_UPDATE="true"/' \
-e '2a\
export DEFAULT_USER="muyifeng"\
export LC_ALL="en_US.UTF-8"\
export EDITOR=vim\
export VISUAL=vim\
export PATH=$PATH:/usr/sbin' \
/home/muyifeng/.zshrc
su muyifeng -c "ls -lhA ~"
printf "\n>>>>>>>>>>>>>>> Building Vim from source <<<<<<<<<<<<<<<\n"
cd /usr/local/src
wget https://github.com/vim/vim/archive/refs/tags/v8.2.2677.tar.gz
tar zxvf v8.2.2677.tar.gz && cd vim-8.2.2677
make && make install
which vim
printf "\n>>>>>>>>>>>>>>> Enabling Vim under root <<<<<<<<<<<<<<<\n"
sed -i -r "s%^Defaults +secure_path.+$%&:/usr/local/bin%" /etc/sudoers
visudo -c   # sudoers was edited without visudo; a syntax error here breaks sudo entirely
printf "\n>>>>>>>>>>>>>>> Installing Awesome vimrc <<<<<<<<<<<<<<<\n"
cd /usr/local/src
git clone --depth=1 https://github.com/nicholaelaw/vimrc.git .vim_runtime
chmod a+x /usr/local/src/.vim_runtime/install*.sh
# temp_dirs is where this vimrc keeps backup/undo/swap files by default. Shared and
# world-writable, it lets every local user read whatever root edited (an undo file
# holds the text), so point each user's undodir/backupdir at a directory of their own.
chmod 777 -R /usr/local/src/.vim_runtime/temp_dirs
sh .vim_runtime/install_awesome_parameterized.sh /usr/local/src/.vim_runtime root muyifeng
chown muyifeng:www /home/muyifeng/.vimrc
printf "\n>>>>>>>>>>>>>>> Installing nodejs 8.x LTS <<<<<<<<<<<<<<<\n"
cd /usr/local/src
# Node.js 8 reached end of life at the end of 2019 and gets no security fixes; pick a
# current LTS line. This also pipes a remote script straight into bash as root.
curl --location https://rpm.nodesource.com/setup_8.x | bash -
yum install -y nodejs
printf "\n>>>>>>>>>>>>>>> Updating npm <<<<<<<<<<<<<<<\n"
npm install npm -g
printf "\n>>>>>>>>>>>>>>> Installing vtop and pm2 <<<<<<<<<<<<<<<\n"
npm install vtop -g
npm install pm2 -g
printf "\n>>>>>>>>>>>>>>> bash aliases <<<<<<<<<<<<<<<\n"
cd /usr/local/src
git clone https://github.com/nicholaelaw/bash-aliases
cd bash-aliases
cp bash-aliases.sh /etc/profile.d/x-bash-aliases.sh
echo "source /usr/local/src/bash-aliases/bash-aliases.sh" | tee -a ~/.zshrc
echo "source /usr/local/src/bash-aliases/bash-aliases.sh" | tee -a /home/muyifeng/.zshrc
printf "\n>>>>>>>>>>>>>>> Installing Apache HTTP server, and R <<<<<<<<<<<<<<<\n"
yum install -y httpd httpd-manual mod_session mod_ssl mod_security mod_nss
# yum install -y R
# consider this: bash -c "$(curl -L https://rstd.io/r-install)"
printf "\n>>>>>>>>>>>>>>> Installing R Packages <<<<<<<<<<<<<<<\n"
R -e "local({r <- getOption('repos'); r['CRAN'] <- 'https://cran.ism.ac.jp/'; options(repos = r)}); install.packages('devtools'); devtools::source_gist('https://gist.github.com/nicholaelaw/96e58b18e2ad622cacccaddb0d6f7d1d', filename = 'packages.R')"
printf "\n>>>>>>>>>>>>>>> Rstudio Server <<<<<<<<<<<<<<<\n"
cd /usr/local/src
wget https://download2.rstudio.org/server/centos7/x86_64/rstudio-server-rhel-1.4.1106-x86_64.rpm
yum install -y rstudio-server-rhel-1.4.1106-x86_64.rpm
printf "\n>>>>>>>>>>>>>>> Shiny Server <<<<<<<<<<<<<<<\n"
wget https://download3.rstudio.org/centos7/x86_64/shiny-server-1.5.16.958-x86_64.rpm
# --nogpgcheck turns off RPM signature verification for a package fetched over the
# network and installed as root; verify the download against the vendor's published
# signature or checksum before installing it this way.
yum install -y --nogpgcheck shiny-server-1.5.16.958-x86_64.rpm
printf "\n>>>>>>>>>>>>>>> Closing TCP port 3838 and 8787 <<<<<<<<<<<<<<<\n"
# Nothing above opened these, so on a fresh host both calls just warn NOT_ENABLED;
# they only matter if the ports were opened by hand for testing. Shiny and RStudio
# are meant to be reached through the reverse proxy only.
firewall-cmd --zone=public --remove-port=3838/tcp --permanent
firewall-cmd --zone=public --remove-port=8787/tcp --permanent
firewall-cmd --reload
printf "\n>>>>>>>>>>>>>>> Opening TCP 80 and TCP 443 <<<<<<<<<<<<<<<\n"
firewall-cmd --zone=public --add-port=443/tcp --permanent
firewall-cmd --zone=public --add-port=80/tcp --permanent
# the https service is the same 443/tcp as the port rule above; one of the two is enough
firewall-cmd --zone=public --add-service=https --permanent
firewall-cmd --reload
/usr/sbin/shutdown -r now
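Two steps in the script make directories world-writable (chmod 777 -R ./tpm and chmod 777 -R .../temp_dirs), while root's own ~/.tmux.conf later executes /usr/local/src/tpm/tpm from the first of them; any local account, including the service users the later RPMs create, could then edit that script and have it run as root. The function below is an added check, not part of the gist: it walks every component of a path and reports those that someone other than root (or a named trusted user) could modify. The tree it runs on in the demo is constructed inline, and check_exec_path is its own name.

```sh
#!/bin/sh
# check_exec_path PATH [TRUSTED_USER]
# Walks every directory component of PATH and the file itself and reports each
# one that a user other than root (or TRUSTED_USER) could replace or edit:
# owned by someone else, group-writable, or world-writable. A world-writable
# directory with the sticky bit (e.g. /tmp) is not reported, since others cannot
# rename or remove root's entries in it. Symlinks are inspected, not followed.
# Returns 0 when nothing is reported, 1 when something is, 2 on bad input.
check_exec_path() {
  target=$1 trusted=${2:-root} bad=0
  case "$target" in
    /*) ;;
    *) echo "check_exec_path: need an absolute path" >&2; return 2 ;;
  esac
  rest=${target#/} p=""
  while [ -n "$rest" ]; do
    comp=${rest%%/*}                  # next path component
    rest=${rest#"$comp"}; rest=${rest#/}
    [ -n "$comp" ] || continue        # tolerate doubled slashes
    p="$p/$comp"
    if [ ! -e "$p" ] && [ ! -L "$p" ]; then
      echo "check_exec_path: $p does not exist" >&2; return 2
    fi
    set -- $(ls -ld "$p")             # $1 = mode string, $3 = owner
    perm=$(printf '%s' "$1" | cut -c1-10)   # drop a trailing ACL/SELinux marker
    owner=$3
    why=""
    [ "$owner" = root ] || [ "$owner" = "$trusted" ] || why="owned by $owner"
    case "$perm" in ?????w????) why="${why:+$why, }group-writable" ;; esac
    case "$perm" in
      ????????w[tT]) ;;                                   # sticky world-writable dir
      ????????w?) why="${why:+$why, }world-writable" ;;
    esac
    if [ -n "$why" ]; then
      echo "$p: $why ($perm)"
      bad=1
    fi
  done
  return $bad
}

# Demo on a constructed tree mirroring the chmod 777 -R ./tpm step; on the real
# host run: check_exec_path /usr/local/src/tpm/tpm
demo() {
  base=$(mktemp -d) || return 1
  mkdir -p "$base/tpm/scripts"
  printf '#!/bin/sh\n' > "$base/tpm/scripts/install_plugins.sh"
  chmod 755 "$base" "$base/tpm/scripts" "$base/tpm/scripts/install_plugins.sh"
  chmod 777 "$base/tpm"
  check_exec_path "$base/tpm/scripts/install_plugins.sh" "$(id -un)" \
    || echo "-> a local user can replace what root will run"
  rm -rf "$base"
}
demo
```

Run it over every path that root's dotfiles source or execute (the tpm script, the shared .vim_runtime, /etc/profile.d/x-bash-aliases.sh) after the script has finished, and again whenever a shared tree is made writable for a second user.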