@Asenar
Last active December 13, 2015 20:28
[draft] install server from scratch - gandi. Everything has to be done as root

PART 0 - INTRODUCTION

That's not really a tutorial. I just took notes of what I did (to do better next time). I may have omitted some things; feel free to correct or complete me in the comments or wherever :)

before

  • create your server on the gandi interface, choose expert mode, debian

definitions

  • myserv : The name of my server
  • asenar : my username, either on the server or on my local machine

convention

  • let's say every block of code will look like this:

    // my code here
  • That’s currently a draft, I don’t know really how I will organize that at the end.

PART 1 - minimal partitioning

  • very first connection, basic partitioning; I may prefer to add another partition for /var later..

but that will be later

    ssh myserv

  • test

    umount /dev/xvdb
    # convert the ext3 filesystem to ext4, then check it
    tune2fs -O extents,uninit_bg,dir_index /dev/xvdb
    fsck -pf /dev/xvdb
    mount -t ext4 /dev/xvdb /srv/sweet
    # note: mounted on /srv/sweet above, but this fstab entry uses /home
    # (the df output below shows the disk mounted at both places)
    echo "/dev/xvdb /home ext4 defaults 1 2" >> /etc/fstab
    resize2fs /dev/xvdb
    chown root:root /srv/sweet
    reboot

    df -Th
    > Filesystem     Type   Size  Used Avail Use% Mounted on
    > /dev/xvda1     ext4   3,0G  872M  2,0G  31% /
    > tmpfs          tmpfs  248M     0  248M   0% /lib/init/rw
    > udev           tmpfs   10M   84K   10M   1% /dev
    > tmpfs          tmpfs  248M  4,0K  248M   1% /dev/shm
    > tmpfs          tmpfs   24K   16K  8,0K  67% /var/gandi
    > /dev/xvdb      ext4   3,0G  358M  2,5G  13% /home
    > /dev/xvdb      ext4   3,0G  358M  2,5G  13% /srv/sweet

PART 2 - basic installation / first aptitude

Locales

I'm sick of these "locale: Cannot set LC_CTYPE to default locale: No such file or directory" messages

    locale-gen fr_FR.UTF-8
    dpkg-reconfigure locales

add backports to sources

    echo "deb http://backports.debian.org/debian-backports squeeze-backports main" >> /etc/apt/sources.list
    # then refresh the package lists: aptitude update

better shell (I use bash; maybe zsh would be better)

~/bin in path

    # single quotes so $HOME and $PATH are expanded at login, not now
    echo 'PATH="$HOME/bin:$PATH"' >> /etc/bash.bashrc

bash completion

  • a good prompt will be configured later

    aptitude install bash-completion

bash-completion for root too

  • to do only if /etc/bash.bashrc didn't do it already

    echo ". /etc/bash_completion" >> /root/.bashrc

sudo

    aptitude install sudo

basic tools / needed tools

vim 7.3

    apt-get install -t squeeze-backports vim

default editor is vim

    update-alternatives --config editor

git

    apt-get install -t squeeze-backports git

1.8 would be better

system-wide gitconfig

    wget https://raw.github.com/Asenar/dotfiles/master/.gitconfig --output-document /etc/gitconfig

PART 3 - configuration / customization

vim

    cd ~
    git clone https://github.com/Asenar/dotfiles .dotfiles
    sudo ln -s ~/.dotfiles/vim ~/.vim
    sudo ln -s ~/.dotfiles/vimrc ~/.vimrc
    sudo ln -s ~/.dotfiles/bin ~/bin
    mkdir -p ~/bin   # already exists through the symlink above; -p keeps this from failing
    wget https://raw.github.com/benmills/vim-bundle/master/vim-bundle --output-document ~/bin/vim-bundle

prompt

git prompt

    sudo ln -s ~/.dotfiles/bashrc ~/.bashrc

PART 4 - security

apache

    aptitude install libapache2-mod-evasive

logwatch

  • logwatch is cool, but once a week is enough for me

    aptitude install logwatch

set the report range to "between -7 days and -1 days" (the Range option in /etc/logwatch/conf/logwatch.conf) so the weekly run covers the whole past week, and move the cron job from daily to weekly:

    mv /etc/cron.daily/00logwatch /etc/cron.weekly/00logwatch

output format: html (the Format option in the same file)

firewall

  • iptables / shorewall

INSTALL

    aptitude install shorewall
    sed -i "s#startup=0#startup=1#" /etc/default/shorewall

MINIMAL CONFIG

start from the default files shipped with the package:

    cp /usr/share/doc/shorewall/default-config/* /etc/shorewall

/etc/shorewall/shorewall.conf

/etc/shorewall/zones

    ###############################################################################
    #ZONE   TYPE       OPTIONS   IN   OUT
    fw      firewall
    net     ipv4

/etc/shorewall/interfaces

    ###############################################################################
    #ZONE   INTERFACE   BROADCAST   OPTIONS
    net     eth0        detect

/etc/shorewall/policy

    ###############################################################################
    #SOURCE   DEST   POLICY   LOG    LIMIT:   CONNLIMIT:
    $FW       net    ACCEPT
    net       all    DROP
    all       all    REJECT   info

/etc/shorewall/rules

    ####################################################################################################################################################
    #ACTION        SOURCE   DEST   PROTO   DEST   SOURCE   ORIGINAL   RATE   USER/   MARK   CONNLIMIT   TIME
    ACCEPT         net      $FW    tcp     ssh,http,https
    Ping/ACCEPT    net      $FW
    Trcrt/ACCEPT   net      $FW
    #SECTION ESTABLISHED
    #SECTION RELATED
    #SECTION NEW

/etc/shorewall/blacklist

    ###############################################################################
    #ADDRESS/SUBNET   PROTOCOL   PORT
    91.240.109.0/24

With the Shorewall 4.4 series shipped in squeeze, this blacklist file is only checked on interfaces that carry the blacklist option in /etc/shorewall/interfaces; the net eth0 line above has no options, so add blacklist there if the entry is meant to take effect.
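As an added example (not part of the original notes), a small POSIX sh script that reads text in the /etc/shorewall/rules format shown above and lists what the ACCEPT rules from net to $FW open, so the result can be compared with the intended minimum of ssh, http and https; the rules text is a constructed sample and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original gist: audit what the shorewall "rules"
# file opens from the net zone to the firewall ($FW).  The sample below is a
# constructed copy of the file format used above, with one extra port added
# on purpose so the check has something to flag.
SAMPLE_RULES='#ACTION         SOURCE  DEST    PROTO   DEST PORT(S)
ACCEPT          net     $FW     tcp     ssh,http,https
Ping/ACCEPT     net     $FW
Trcrt/ACCEPT    net     $FW
ACCEPT          net     $FW     tcp     3306
'

# Read rules text on stdin and print one "proto:port" line per port that an
# ACCEPT rule from net to $FW opens.  Comments, blank lines and the Ping/Trcrt
# macro lines (which have no port column) are skipped.
net_to_fw_ports() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        $1 == "ACCEPT" && $2 == "net" && $3 == "$FW" && NF >= 5 {
            n = split($5, ports, ",")
            for (i = 1; i <= n; i++) print $4 ":" ports[i]
        }'
}

# check_exposure ALLOWED: ALLOWED is a comma-separated list of ports/services
# that are meant to be reachable from the net.  Returns 0 when the sample rules
# open nothing else, otherwise prints each unexpected entry and returns 1.
check_exposure() {
    allowed=",$1,"
    bad=0
    for entry in $(printf '%s' "$SAMPLE_RULES" | net_to_fw_ports); do
        port=${entry#*:}
        case "$allowed" in
            *",$port,"*) ;;
            *) echo "unexpected open port: $entry"; bad=1 ;;
        esac
    done
    return "$bad"
}

# With the sample above this reports tcp:3306 as unexpected.
check_exposure ssh,http,https || echo "exposure differs from the intended minimum"
```

This only inspects what the rules open; `shorewall check` validates the configuration files themselves before `shorewall start`.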

PART 5 - LAMP

apache

    aptitude install apache2
    service apache2 stop

php5

    aptitude install php5 php5-mysql php5-suhosin php5-mcrypt php5-gd
    vim /etc/php5

postfix / mailutils

  • all defaults; mail name enum.marinetti.fr

shorewall

  • see PART 4

mysql

    # mysql server and client
    aptitude install mysql-server-5.1 mysql-client-5.1

    a2enmod rewrite

PART 6 - GITOLITE

  • simple way to deploy websites and give people a way to contribute

installation

    sudo su root
    useradd -c "gitolite user" -m -s /bin/bash git
    cd /usr/local
    git clone git://github.com/sitaramc/gitolite
    sudo su git
    /usr/local/gitolite/install -to $HOME/bin

as user git, add ~/bin to $PATH

    exit
    sudo su git
    echo "my public key" > asenar.pub
    gitolite setup -pk asenar.pub

    # gitolite v2 equivalent of the line above (not needed with gitolite3)
    gl-setup asenar.pub

    ########### TEST FROM LOCAL ###################
    ssh git@enun info
    #> asenar@asenar-home:~$ ssh git@enun info
    #> hello Asnear, this is git@enun running gitolite3 v3.3-0-g1fefb1c on git 1.7.10.4
    #>
    #>  R W    gitolite-admin
    #>  R W    testing
    ############ BACK ON THE SERVER, let's install LAMP

SUDO - not for all :)
