mrajo/basic_website_with_caddy_on_ubuntu_digital_ocean.md

## basic_website_with_caddy_on_ubuntu_digital_ocean.md

      
    Raw
  

              basic_website_with_caddy_on_ubuntu_digital_ocean.md
            
          
    Create droplet


Use DO dashboard
Add SSH key for login

This does not create a root password, and login must be through SSH only


Create DO firewall

Add HTTP and HTTPS to inbound rules


After created, login as root through SSH

$ ssh root@<ip_of_droplet>


Create new user and add to sudo and www-data group group

$ adduser <username>
$ usermod -aG sudo,www-data <username>


Setup SSH for new user

$ su - <username>
$ mkdir ~/.ssh
$ chmod 700 ~/.ssh
$ vim ~/.ssh/authorized_keys

put ssh pub key here


$ chmod 600 ~/.ssh/authorized_keys


Make sure SSH login to new user works
Disable password authentication

$ sudo vim /etc/ssh/sshd_config
This step appears unnecessary if you created the droplet with SSH key; it's already disabled


DNS


Add domain name in DO dashboard in Networking -> Domains
Set nameservers in registrar:

ns(1-3).digitalocean.com


Add "A" record to point to droplet

Transferring Webfaction sites


Get list of sites in ~/webapps

SSH into Webfaction

$ ls ~/webapps > sites.txt


Exit SSH

$ scp <user>@<webfaction>:/home/<user>/sites.txt .


Download site folders as needed with "scp -r" or "rsync -arvz"


Create web document root


$ sudo mkdir /var/www
$ sudo chown www-data:www-data /var/www
$ sudo chmod 775 /var/www
Create folders for each site

$ mkdir /var/www/example.com
$ touch /var/www/example.com/index.html


Edit index.html

<!DOCTYPE html>
<html>
    <body>
        <h1>Hello</h1>
    </body>
</html>

Install Caddy


Setup installer at https://caddyserver.com/download with plugins:

http.cache
http.cors
http.expires
http.filter
http.git
http.ratelimit
http.supervisor
tls.dns.digitalocean


Run installer
Verify caddy runs (caddy -version)
Set permissions on caddy binary

$ sudo chown root:root /usr/local/bin/caddy
$ sudo chmod 755 /usr/local/bin/caddy


Allow caddy to use privileged ports (80,443) without root

$ sudo setcap 'cap_net_bind_service=+ep' /usr/local/bin/caddy


Create caddy config dir

$ sudo mkdir /etc/caddy
$ sudo chown root:www-data /etc/caddy


Create SSL dir

$ sudo mkdir /etc/ssl/caddy
$ sudo chown root:www-data /etc/ssl/caddy
$ sudo chmod 770 /etc/ssl/caddy


Setup Caddyfile


Create config file

$ sudo touch /etc/caddy/Caddyfile


Edit Caddyfile with contents:
example.com {
    root /var/www/example.com
    gzip
    tls {
        dns digitalocean
    }
}


Create systemd service

Create service from caddy service definition in github

$ curl -L https://github.com/mholt/caddy/raw/master/dist/init/linux-systemd/caddy.service | sed "s/;CapabilityBoundingSet/CapabilityBoundingSet/" | sed "s/;AmbientCapabilities/AmbientCapabilities/" | sed "s/;NoNewPrivileges/NoNewPrivileges/" | sudo tee /etc/systemd/system/caddy.service
$ sudo chown root:root /etc/systemd/system/caddy.service
$ sudo chmod 744 /etc/systemd/system/caddy.service
$ sudo systemctl daemon-reload
$ sudo systemctl enable caddy.service
$ sudo systemctl status caddy

Configure automatic HTTPS cert challenge


Go to Digital Ocean API dashboard (https://cloud.digitalocean.com/settings/api)
Create token named "caddy-dns" with Write scope
Copy token somewhere
Edit service

$ sudo vim /etc/systemd/systemd/caddy.service
Edit line starting

Environment=CADDYPATH=/etc/ssl/caddy


Change to

Environment=CADDYPATH=/etc/ssl/caddy DO_AUTH_TOKEN=<token generated from dashboard>


Restart systemd

$ sudo systemctl daemon-reload


Start/enable caddy service


$ sudo systemctl start caddy
$ sudo systemctl status caddy (should show successfully running and DNS challenge succeeded)

Done, check site in browser