Use DO dashboard
Add SSH key for login
This does not set a root password (none is emailed either); the only way in is key-based SSH as root
Create DO firewall and attach it to the droplet
Inbound rules: SSH (22) plus HTTP (80) and HTTPS (443); leave everything else closed. Keep 80 open even for HTTPS-only sites, since caddy answers http:// there with a redirect to https://. The DNS challenge configured later needs no inbound port at all for certificate issuance
After created, login as root through SSH
$ ssh root@<ip_of_droplet>
Create new user and add to the sudo and www-data groups
$ adduser <username>
$ usermod -aG sudo,www-data <username>
Setup SSH for new user
$ su - <username>
$ mkdir ~/.ssh
$ chmod 700 ~/.ssh
$ vim ~/.ssh/authorized_keys (paste the public key, one key per line)
$ chmod 600 ~/.ssh/authorized_keys
Make sure SSH login to the new user works, from a second terminal, before closing the root session
Disable password authentication
$ sudo vim /etc/ssh/sshd_config
Set PasswordAuthentication no (and ChallengeResponseAuthentication no), then reload sshd
When the droplet was created with an SSH key, DO's cloud-init has normally already set this and the edit is a no-op; confirm the effective setting (sshd -T prints it) rather than assuming it
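The first-login steps above (create the admin user, install its key, make sure password logins are really off) as one script. This is an added example, not part of the original notes. It assumes Debian/Ubuntu (adduser, the www-data group, a service named ssh), OpenSSH 8.2 or newer so that /etc/ssh/sshd_config.d/ is included, and the user's public key supplied as a file; run it as root on the fresh droplet and keep that root session open until the new user's login has been confirmed.

```shell
#!/bin/sh
# Added example, not from the original notes: bootstrap the admin user and
# make the keys-only SSH policy explicit, then verify the effective setting.
# Assumptions: Debian/Ubuntu, OpenSSH >= 8.2 (sshd_config.d is honoured),
# public key passed as a file path, run as root.
set -eu

SSHD_DROPIN=/etc/ssh/sshd_config.d/10-keys-only.conf

# Create the user (adduser prompts for a password, which sudo will later ask
# for), add it to sudo and www-data, and install the key with tight modes in a
# single step each, so ~/.ssh is never briefly group- or world-readable.
create_admin_user() {  # usage: create_admin_user <username> <pubkey-file>
    adduser --gecos "" "$1"
    usermod -aG sudo,www-data "$1"
    install -d -m 700 -o "$1" -g "$1" "/home/$1/.ssh"
    install -m 600 -o "$1" -g "$1" "$2" "/home/$1/.ssh/authorized_keys"
}

# The keys-only policy as an explicit drop-in instead of relying on whatever
# cloud-init wrote into sshd_config at droplet creation.
render_sshd_hardening() {
    cat <<'EOF'
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
EOF
}

# Parse `sshd -T` output (lowercase "keyword value" lines) on stdin; succeed
# only if PasswordAuthentication is present and set to "no".
sshd_password_auth_off() {
    awk 'tolower($1) == "passwordauthentication" { seen = 1; if (tolower($2) == "no") off = 1 }
         END { if (seen && off) exit 0; exit 1 }'
}

# Install the drop-in, let sshd validate the whole config before reloading,
# then check the effective value rather than trusting the file edit.
apply_sshd_hardening() {
    render_sshd_hardening > "$SSHD_DROPIN"
    chmod 644 "$SSHD_DROPIN"
    sshd -t                    # non-zero on a bad config; set -e stops here
    systemctl reload ssh
    sshd -T | sshd_password_auth_off
}

# Only acts when invoked explicitly, e.g.
#   sudo sh bootstrap.sh apply alice /root/alice.pub
if [ "${1:-}" = "apply" ]; then
    create_admin_user "$2" "$3"
    apply_sshd_hardening && echo "OK: password authentication is off"
fi
```

The drop-in sets PermitRootLogin no, so run it only after the new user's key login has been tested from a second terminal; the root session you ran it from stays usable for fixing mistakes until you log out.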
Add domain name in DO dashboard in Networking -> Domains (the DNS challenge used later creates TXT records through the DO API, so the zone has to be hosted here)
Point the domain at DigitalOcean's nameservers in the registrar's control panel (the zone's NS records in the dashboard list them)
Add "A" record to point to droplet (and an AAAA record if the droplet has IPv6 enabled)
Transferring Webfaction sites
Get list of sites in ~/webapps
SSH into Webfaction
$ ls ~/webapps > sites.txt
Exit SSH
$ scp <user>@<webfaction>:/home/<user>/sites.txt .
Download site folders as needed with "scp -r" or "rsync -arvz" (rsync -a preserves Webfaction's ownership and mode bits, so re-check permissions after the copy)
$ sudo mkdir /var/www
$ sudo chown www-data:www-data /var/www
$ sudo chmod 775 /var/www
(775 with group www-data lets <username>, a member of that group, create site folders without sudo; it also makes the document root writable by the user caddy runs as, which is acceptable for static sites but means a compromised caddy could rewrite the content it serves)
Create folders for each site
$ mkdir /var/www/example.com
$ touch /var/www/example.com/index.html
Edit index.html
<!DOCTYPE html>
<html>
<body>
<h1>Hello</h1>
</body>
</html>
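The transfer steps above as a script: every site named in sites.txt (the ls of ~/webapps) is pulled from Webfaction into /var/www with one rsync per site, after a dry run. This is an added example, not part of the original notes. It assumes the Webfaction login is given in WF_HOST (the value shown is a placeholder), that the site directories live under ~/webapps there, and that it runs as <username> on the droplet, whose www-data membership makes /var/www writable.

```shell
#!/bin/sh
# Added example, not from the original notes: rsync each site listed in
# sites.txt from Webfaction into /var/www. Assumptions: WF_HOST is the
# Webfaction login, sites live under ~/webapps there, run as <username>.
set -eu

WF_HOST=${WF_HOST:-user@webfaction.example}   # placeholder, override via env

# sites.txt is data copied from another host; accept only plain directory
# names so a stray "../", absolute path or option-looking entry cannot make
# rsync write outside /var/www or pull the wrong tree.
valid_site_name() {  # usage: valid_site_name <name>
    case $1 in
        ''|.*|-*|*/*)       return 1 ;;   # empty, dotfiles (incl. . and ..), options, paths
        *[!A-Za-z0-9._-]*)  return 1 ;;   # anything outside hostname-like characters
    esac
    return 0
}

# -a keeps Webfaction's ownership and mode bits, which mean nothing here, so
# --chmod normalises them to 755/644: readable by caddy, not group-writable.
# stdin is redirected from /dev/null so ssh cannot swallow the rest of the
# site list while the loop in sync_all is still reading it.
sync_site() {  # usage: sync_site <name> [--dry-run]
    mkdir -p "/var/www/$1"
    rsync -arvz ${2:-} --chmod=D755,F644 \
        "$WF_HOST:webapps/$1/" "/var/www/$1/" < /dev/null
}

sync_all() {  # usage: sync_all <sites.txt> [--dry-run]
    while IFS= read -r site; do
        if valid_site_name "$site"; then
            sync_site "$site" "${2:-}"
        else
            echo "skipping suspicious entry: '$site'" >&2
        fi
    done < "$1"
}

# Usage: sh transfer.sh sync [sites.txt]  (dry run first, then ask)
if [ "${1:-}" = "sync" ]; then
    sync_all "${2:-sites.txt}" --dry-run
    printf 'proceed with the real copy? [y/N] '
    read -r ans
    if [ "$ans" = y ]; then
        sync_all "${2:-sites.txt}"
    fi
fi
```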
Build a custom installer at https://caddyserver.com/download with these plugins selected:
(these are Caddy 1 plugin names; the single-dash flags, unit file and Caddyfile syntax in the rest of these notes are Caddy 1 as well, which has since been superseded by Caddy 2 with a different Caddyfile and service file)
http.cache
http.cors
http.expires
http.filter
http.git
http.ratelimit
http.supervisor
tls.dns.digitalocean
Run installer
Verify caddy runs (caddy -version)
Set permissions on caddy binary (root-owned and not writable by www-data, so a compromised caddy cannot replace its own executable)
$ sudo chown root:root /usr/local/bin/caddy
$ sudo chmod 755 /usr/local/bin/caddy
Allow caddy to use privileged ports (80,443) without root
$ sudo setcap 'cap_net_bind_service=+ep' /usr/local/bin/caddy
The capability lives on the file, so it is lost every time the binary is replaced: re-run setcap after each upgrade and confirm with getcap. Inside the systemd unit below, AmbientCapabilities grants the same capability, so the file capability matters mainly when running caddy by hand
Create caddy config dir
$ sudo mkdir /etc/caddy
$ sudo chown root:www-data /etc/caddy
Create SSL dir
$ sudo mkdir /etc/ssl/caddy
$ sudo chown root:www-data /etc/ssl/caddy
$ sudo chmod 770 /etc/ssl/caddy
Create config file
$ sudo touch /etc/caddy/Caddyfile
Edit Caddyfile with contents:
example.com {
root /var/www/example.com
gzip
tls {
dns digitalocean
}
}
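A fuller Caddyfile for the same setup, as an added example that is not part of the original notes: two sites, www redirected to the apex, DNS-01 issuance through the DigitalOcean plugin on every host, and the response headers a static site should send. It is Caddy 1 syntax like the rest of these notes; example.com, www.example.com and other-site.net are placeholders, and each of them needs a record in the DO zone for the challenge to work.

```caddyfile
# Added example (Caddy 1 syntax). Hostnames are placeholders.

example.com {
    root /var/www/example.com
    gzip
    tls {
        dns digitalocean
    }
    header / {
        # one year HSTS; add includeSubDomains only once every subdomain is HTTPS
        Strict-Transport-Security "max-age=31536000"
        X-Content-Type-Options "nosniff"
        X-Frame-Options "DENY"
        Referrer-Policy "strict-origin-when-cross-origin"
        -Server
    }
}

# Serve www over HTTPS too (so HSTS/redirect work for https://www), then send
# visitors to the canonical name, preserving the request path.
www.example.com {
    tls {
        dns digitalocean
    }
    redir https://example.com{uri}
}

other-site.net {
    root /var/www/other-site.net
    gzip
    tls {
        dns digitalocean
    }
}
```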
Create service from the Caddy 1 service definition in github. The three sed calls uncomment the hardening directives upstream ships disabled (CapabilityBoundingSet, AmbientCapabilities, NoNewPrivileges), so caddy runs as www-data holding nothing beyond CAP_NET_BIND_SERVICE; inside the unit it is AmbientCapabilities that allows the port bind, since NoNewPrivileges stops the file capability set earlier from taking effect. Read the fetched unit before installing it
$ curl -L https://github.com/mholt/caddy/raw/master/dist/init/linux-systemd/caddy.service | sed "s/;CapabilityBoundingSet/CapabilityBoundingSet/" | sed "s/;AmbientCapabilities/AmbientCapabilities/" | sed "s/;NoNewPrivileges/NoNewPrivileges/" | sudo tee /etc/systemd/system/caddy.service
$ sudo chown root:root /etc/systemd/system/caddy.service
$ sudo chmod 644 /etc/systemd/system/caddy.service
(644, not 744: systemd reads unit files, it does not execute them; the file is world-readable either way, so nothing secret belongs in it)
$ sudo systemctl daemon-reload
$ sudo systemctl enable caddy.service
$ sudo systemctl status caddy (shows enabled but inactive at this point; it is started after the token is configured below)
Configure automatic HTTPS cert challenge
Go to Digital Ocean API dashboard (https://cloud.digitalocean.com/settings/api )
Create token named "caddy-dns" with Write scope
A Write token is not limited to DNS: it can create, modify or destroy every resource in the account, so treat it as a root credential, keep it only in root-readable files on the droplet, and revoke it from the same page if it ever leaks
Copy the token now; the dashboard shows it only once
Edit service
$ sudo vim /etc/systemd/system/caddy.service
Edit line starting
Environment=CADDYPATH=/etc/ssl/caddy
Change to
Environment=CADDYPATH=/etc/ssl/caddy DO_AUTH_TOKEN=<token generated from dashboard>
Caveat: unit files under /etc/systemd/system are world-readable by convention, this one included, so the token is readable by every local account, and it is lost if the unit is ever re-fetched from github. Keep it in a root-owned file with mode 600 and point the unit at it with EnvironmentFile= instead; systemd reads that file as root before switching to www-data
Reload systemd's unit files
$ sudo systemctl daemon-reload
Start/enable caddy service
$ sudo systemctl start caddy
$ sudo systemctl status caddy
(should show active (running); journalctl -u caddy has the full log, including the DNS challenge succeeding, or the API error if the token is wrong)
Done, check site in browser; also confirm that http:// redirects to https:// and that the certificate was issued by Let's Encrypt
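The token-handling alternative to the inline Environment= edit above, plus an audit of the permission and capability steps, as an added example that is not part of the original notes or of the Caddy project. The token goes into a root-only file that systemd itself reads (EnvironmentFile=), wired in through a drop-in directory so that re-fetching caddy.service later does not silently drop it. Assumed paths: /etc/caddy/caddy.env for the token and /etc/systemd/system/caddy.service from the earlier step; it runs as root, and the token is read from stdin so it never appears in the process list or shell history.

```shell
#!/bin/sh
# Added example, not from the original notes or from Caddy: keep the DO token
# out of the world-readable unit file and re-check the install steps.
# Assumptions: token file /etc/caddy/caddy.env, unit from the earlier step,
# Caddy 1 binary at /usr/local/bin/caddy, run as root on Linux (GNU stat).
set -eu

TOKEN_FILE=/etc/caddy/caddy.env
DROPIN_DIR=/etc/systemd/system/caddy.service.d
UNIT=/etc/systemd/system/caddy.service
BIN=/usr/local/bin/caddy

# Succeed if "other" has read permission on the path (mode bit 004 set).
is_world_readable() {  # usage: is_world_readable <path>
    [ -n "$(find "$1" -prune -perm -004)" ]
}

# Drop-in merged over the upstream unit: CADDYPATH stays where upstream set
# it, only the secret moves out of the unit file.
render_token_dropin() {
    printf '[Service]\nEnvironmentFile=%s\n' "$TOKEN_FILE"
}

# Read the token from stdin, write it with a closed umask so it is never even
# briefly readable by others, and refuse to continue if it still is.
install_do_token() {  # usage: printf '%s' "$TOKEN" | sh caddy-token.sh install
    IFS= read -r token || true          # a missing trailing newline is fine
    [ -n "$token" ] || { echo "empty token on stdin" >&2; return 1; }
    ( umask 077 && printf 'DO_AUTH_TOKEN=%s\n' "$token" > "$TOKEN_FILE" )
    chown root:root "$TOKEN_FILE"
    if is_world_readable "$TOKEN_FILE"; then
        echo "refusing: $TOKEN_FILE is world-readable" >&2
        return 1
    fi
    install -d -m 755 "$DROPIN_DIR"
    render_token_dropin > "$DROPIN_DIR/token.conf"
    systemctl daemon-reload
    systemctl restart caddy
}

# Re-check the manual steps from the notes; prints each problem, returns 1 if any.
audit_caddy() {
    rc=0
    if [ "$(stat -c '%U:%a' "$BIN")" != "root:755" ]; then
        echo "$BIN should be root-owned, mode 755"; rc=1
    fi
    if ! getcap "$BIN" | grep -q cap_net_bind_service; then
        echo "$BIN lost cap_net_bind_service (setcap again after every upgrade)"; rc=1
    fi
    if [ "$(stat -c '%U:%G:%a' /etc/ssl/caddy)" != "root:www-data:770" ]; then
        echo "/etc/ssl/caddy should be root:www-data 770"; rc=1
    fi
    if grep -q DO_AUTH_TOKEN "$UNIT" && is_world_readable "$UNIT"; then
        echo "token is inline in world-readable $UNIT; move it to $TOKEN_FILE"; rc=1
    fi
    if [ -f "$TOKEN_FILE" ] && is_world_readable "$TOKEN_FILE"; then
        echo "$TOKEN_FILE is world-readable"; rc=1
    fi
    return $rc
}

case "${1:-}" in
    install) install_do_token ;;
    audit)   audit_caddy ;;
esac
```

After `install`, `sudo systemctl show caddy -p Environment` no longer lists the token (it is loaded from the file at start), and `sudo sh caddy-token.sh audit` can be re-run after every caddy upgrade to catch the lost setcap.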
This is really great and all, but just an FYI: on the Configure automatic HTTPS cert challenge, when you edit the service (step 4) it's going to be $ sudo nano /etc/systemd/system/caddy.service