Deployment Guide for Ubuntu Server from Scratch with Laravel

Getting Started

  • Create droplet with Ubuntu 18.10
  • ssh root@[DROPLET IP ADDRESS]
  • Get password from your email
  • Change password on first login
  • adduser laravel
  • Enter password and other information
  • usermod -aG sudo laravel

Locking Down to SSH Key only (Extremely Important)

  • In your local machine, ssh-keygen
  • Generate a key, if you leave passphrase blank, no need for password
  • ls ~/.ssh to show files in local machine
  • Get the public key, cat ~/.ssh/
  • Copy it
  • cd ~/.ssh and vim authorized_keys
  • Paste key
  • Repeat steps for laravel user
  • su laravel then mkdir ~/.ssh fix permissions chmod 700 ~/.ssh
  • vim ~/.ssh/authorized_keys and paste key
  • chmod 600 ~/.ssh/authorized_keys to restrict this from being modified
  • exit to return to root user

Disable Password from Server

  • sudo vim /etc/ssh/sshd_config
  • Find PasswordAuthentication and set that to no
  • Turn on PubkeyAuthentication yes
  • Turn off ChallengeResponseAuthentication no
  • Reload the SSH service sudo systemctl reload sshd
  • Test new user in a new tab to prevent getting locked out

Setting Up Firewall

  • View all available firewall settings
  • sudo ufw app list
  • Allow on OpenSSH so we don't get locked out
  • sudo ufw allow OpenSSH
  • Enable Firewall
  • sudo ufw enable
  • Check the status
  • sudo ufw status

Install Linux, Nginx, MySQL, PHP


  • sudo apt update enter root password
  • sudo apt install nginx enter Y to install
  • sudo ufw app list For firewall
  • sudo ufw allow 'Nginx HTTP' to add NGINX
  • sudo ufw status to verify change
  • Visit server in browser


  • sudo apt install mysql-server enter Y to install
  • sudo mysql_secure_installation to run automated securing script
  • Press N for VALIDATE PASSWORD plugin
  • Set root password
  • Remove anonymous users? Y
  • Disallow root login remotely? N
  • Remove test database and access to it? Y
  • Reload privilege tables now? Y
  • sudo mysql to enter MySQL CLI
  • SELECT user,authentication_string,plugin,host FROM mysql.user; to verify root user's auth method
  • ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY 'STRONG_PASSWORD_HERE'; to set a root password
  • SELECT user,authentication_string,plugin,host FROM mysql.user; to verify root user's auth method
  • FLUSH PRIVILEGES; to apply all changes
  • mysql -u root -p to access db from now on, enter password STRONG_PASSWORD_HERE

PHP & Basic Nginx

  • sudo add-apt-repository universe to add software repo
  • sudo apt install php-fpm php-mysql to install the basic PHP software
  • sudo vim /etc/nginx/sites-available/YOUR.DOMAIN.COM
server {
        listen 80;
        root /var/www/html;
        index index.php index.html index.htm index.nginx-debian.html;
        server_name YOUR.DOMAIN.COM;

        location / {
                try_files $uri $uri/ =404;

        location ~ \.php$ {
                include snippets/fastcgi-php.conf;
                fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;

        location ~ /\.ht {
                deny all;
  • sudo ln -s /etc/nginx/sites-available/YOUR.DOMAIN.COM /etc/nginx/sites-enabled/ to create symlink to enabled sites
  • sudo unlink /etc/nginx/sites-enabled/default to remove default link
  • sudo nginx -t test the whole config
  • sudo systemctl reload nginx to apply all changes
  • sudo vim /var/www/html/info.php to start a new PHP file, fill it with <?php phpinfo();
  • sudo rm /var/www/html/info.php optional command to get rid of test file

Let's Dial in The Laravel Ecosystem

  • sudo apt-get install php7.4-mbstring php7.4-xml composer unzip
  • mysql -u root -p Login to create the Laravel DB
  • GRANT ALL ON laravel.* TO 'laraveluser'@'localhost' IDENTIFIED BY 'password';
  • exit
  • cd /var/www/html, sudo mkdir -p first-project
  • sudo chown laravel:laravel first-project
  • git clone .
  • composer install
  • cp .env.example .env, and then vim .env


  • php artisan migrate
  • php artisan key:generate to generate the key
  • sudo chgrp -R www-data storage bootstrap/cache fix permissions
  • sudo chmod -R ug+rwx storage bootstrap/cache fix permissions
  • sudo chmod -R 755 /var/www/html/first-project fix permissions
  • chmod -R o+w /var/www/html/first-project/storage/ fix permission

Modify Nginx

  • sudo vim /etc/nginx/sites-available/YOUR.DOMAIN.COM
server {
    listen 80;
    listen [::]:80;

    root /var/www/first-project/public;
    index index.php index.html index.htm index.nginx-debian.html;

    server_name YOUR.DOMAIN.COM;

    location / {
        try_files $uri $uri/ /index.php?$query_string;

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;

    location ~ /\.ht {
            deny all;
  • sudo nginx -t
  • sudo systemctl reload nginx reload Nginx

Let's Encrypt

  • sudo snap install core; sudo snap refresh core to install snap
  • sudo snap install --classic certbot to add certbot
  • sudo ln -s /snap/bin/certbot /usr/bin/certbot run this to ensure certbot can be ran
  • sudo certbot certonly --webroot --webroot-path=/var/www/first-project/public -d YOUR.DOMAIN.COM

Final mod for Nginx

  • sudo vim /etc/nginx/sites-available/YOUR.DOMAIN.COM
server {
    listen 80;
    listen [::]:80;

    server_name YOUR.DOMAIN.COM;
    return 301 https://$server_name$request_uri;

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name YOUR.DOMAIN.COM;
    root /var/www/first-project/public;

    ssl_certificate /etc/letsencrypt/live/YOUR.DOMAIN.COM/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/YOUR.DOMAIN.COM/privkey.pem;
    ssl_protocols TLSv1.2;
	ssl_prefer_server_ciphers on;

	add_header X-Frame-Options "SAMEORIGIN";
	add_header X-XSS-Protection "1; mode=block";
	add_header X-Content-Type-Options "nosniff";

	index index.php index.html index.htm index.nginx-debian.html;

    charset utf-8;

    location / {
            try_files $uri $uri/ /index.php?$query_string;

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;

    location ~ /\.ht {
            deny all;

    location ~ /.well-known {
            allow all;
  • sudo nginx -t
  • sudo ufw app list For firewall
  • sudo ufw allow 'Nginx HTTPS' to add NGINX
  • sudo ufw status to verify change
  • sudo systemctl reload nginx reload Nginx

Extra Credit

Let's make the prompt pretty

  • sudo apt-get install zsh to install ZSH
  • zsh --version to confirm install
  • whereis zsh to find out where it is
  • sudo usermod -s /usr/bin/zsh $(whoami) to make Zsh default
  • sudo reboot to reapply all changes
  • 2 to populate a default file
  • sudo apt-get install powerline fonts-powerline to install powerline
  • sudo apt-get install zsh-theme-powerlevel9k to install Theme
  • echo "source /usr/share/powerlevel9k/powerlevel9k.zsh-theme" >> ~/.zshrc to enable the theme in your Zshrc
  • exit and login again to see the new theme
  • sh -c "$(wget -O -)" for Oh My Zsh
  • echo "source /usr/share/powerlevel9k/powerlevel9k.zsh-theme" >> ~/.zshrc to re-enable 9K
