From 4ca634243221bc2cf728d9062c6c92badb160e76 Mon Sep 17 00:00:00 2001 From: lalanza808 Date: Thu, 7 Jan 2021 13:24:09 -0800 Subject: [PATCH] Setup cloud-init script for DO droplets (#1) * adding init script and example/soon to be used configs * uncomment and get ready for launch * update monero node setup cmds * include deletion of base data * remove auth from grafana altogether * remove unused var * remove hsts reqs * remove unused confs --- cloud-init.sh | 96 ++++++++++++++++++++++++++++++++++++++++ docker-compose.full.yaml | 6 +-- docker-compose.yaml | 6 +-- env-example | 2 +- 4 files changed, 103 insertions(+), 7 deletions(-) create mode 100644 cloud-init.sh diff --git a/cloud-init.sh b/cloud-init.sh new file mode 100644 index 0000000..32fd840 --- /dev/null +++ b/cloud-init.sh @@ -0,0 +1,96 @@ +#!/bin/bash + +sleep 30 + +# Install packages +apt-get update +apt-get upgrade -y +apt-get install software-properties-common sudo git -y +apt-get install certbot nginx python3 python3-virtualenv -y +apt-get install docker.io docker-compose -y + +# Setup certs and Nginx +mkdir -p /etc/nginx/conf.d +mkdir -p /etc/ssl/certs +rm -f /etc/nginx/sites-enabled/default +openssl dhparam -out /etc/ssl/certs/dhparam.pem -2 2048 +cat << EOF > /etc/nginx/conf.d/ssl.conf +## SSL Certs are referenced in the actual Nginx config per-vhost +# Disable insecure SSL v2. Also disable SSLv3, as TLS 1.0 suffers a downgrade attack, allowing an attacker to force a connection to use SSLv3 and therefore disable forward secrecy. +# ssl_protocols TLSv1 TLSv1.1 TLSv1.2; +# Strong ciphers for PFS +ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; +# Use server's preferred cipher, not the client's +# ssl_prefer_server_ciphers on; +ssl_session_cache shared:SSL:10m; +# Use ephemeral 4096 bit DH key for PFS +ssl_dhparam /etc/ssl/certs/dhparam.pem; +# Use OCSP stapling +ssl_stapling on; +ssl_stapling_verify on; +resolver 1.1.1.1 valid=300s; +resolver_timeout 5s; +EOF +cat << EOF > /etc/nginx/sites-enabled/${DOMAIN}.conf +# Redirect inbound http to https +server { + listen 80 default_server; + server_name ${DOMAIN}; + index index.php index.html; + return 301 https://${DOMAIN}$request_uri; +} + +# Load SSL configs and serve SSL site +server { + listen 443 ssl; + server_name ${DOMAIN}; + error_log /var/log/nginx/${DOMAIN}-error.log warn; + access_log /var/log/nginx/${DOMAIN}-access.log; + client_body_in_file_only clean; + client_body_buffer_size 32K; + # set max upload size + client_max_body_size 8M; + sendfile on; + send_timeout 600s; + + location / { + proxy_pass http://127.0.0.1:3000; + proxy_set_header Host \$host; + proxy_set_header X-Real-IP \$remote_addr; + proxy_set_header X-Frame-Options "SAMEORIGIN"; + proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto \$scheme; + proxy_redirect off; + } + + include conf.d/ssl.conf; + ssl_certificate /etc/letsencrypt/live/${DOMAIN}/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/${DOMAIN}/privkey.pem; +} +EOF +service nginx stop +certbot certonly --standalone -d ${DOMAIN} --agree-tos -m ${ACME_EMAIL} -n +service nginx start + +# Setup app users +useradd -m -s $(which false) monero +usermod -aG docker monero + +# Setup Monero node +umount /dev/sda +mkdir -p /opt/monero +mount /dev/sda /opt/monero +rm -rf /opt/monero/* +git clone https://github.com/lalanza808/docker-monero-node /opt/monero +cat << EOF > /opt/monero/.env +DATA_DIR=/opt/monero/data +GRAFANA_URL=https://${DOMAIN} +P2P_PORT=18080 +RESTRICTED_PORT=18081 +ZMQ_PORT=18082 +UNRESTRICTED_PORT=18083 +EOF +chown -R monero:monero /opt/monero + +# Run Monero node as monero user +sudo -u monero bash -c "cd /opt/monero && docker-compose up -d" diff --git a/docker-compose.full.yaml b/docker-compose.full.yaml index ef7db64..194c67a 100644 --- a/docker-compose.full.yaml +++ b/docker-compose.full.yaml @@ -26,14 +26,14 @@ services: - 127.0.0.1:3000:3000 environment: HOSTNAME: grafana - GF_SECURITY_ADMIN_USER: admin - GF_SECURITY_ADMIN_PASSWORD: ${GRAFANA_PASSWORD} GF_SERVER_ROOT_URL: ${GRAFANA_URL} GF_ANALYTICS_REPORTING_ENABLED: "false" GF_ANALYTICS_CHECK_FOR_UPDATES: "false" GF_USERS_ALLOW_SIGN_UP: "false" GF_USERS_ALLOW_ORG_CREATE: "false" - GF_LOG_LEVEL: "debug" + GF_AUTH_ANONYMOUS_ENABLED: "true" + GF_AUTH_BASIC_ENABLED: "false" + GF_AUTH_DISABLE_LOGIN_FORM: "true" volumes: - ./files/grafana/dashboards.yaml:/etc/grafana/provisioning/dashboards/default.yaml:ro - ./files/grafana/prometheus.yaml:/etc/grafana/provisioning/datasources/prometheus.yaml:ro diff --git a/docker-compose.yaml b/docker-compose.yaml index 1f5c78b..74c6e79 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -26,14 +26,14 @@ services: - 127.0.0.1:3000:3000 environment: HOSTNAME: grafana - GF_SECURITY_ADMIN_USER: admin - GF_SECURITY_ADMIN_PASSWORD: ${GRAFANA_PASSWORD} GF_SERVER_ROOT_URL: ${GRAFANA_URL} GF_ANALYTICS_REPORTING_ENABLED: "false" GF_ANALYTICS_CHECK_FOR_UPDATES: "false" GF_USERS_ALLOW_SIGN_UP: "false" GF_USERS_ALLOW_ORG_CREATE: "false" - GF_LOG_LEVEL: "debug" + GF_AUTH_ANONYMOUS_ENABLED: "true" + GF_AUTH_BASIC_ENABLED: "false" + GF_AUTH_DISABLE_LOGIN_FORM: "true" volumes: - ./files/grafana/dashboards.yaml:/etc/grafana/provisioning/dashboards/default.yaml:ro - ./files/grafana/prometheus.yaml:/etc/grafana/provisioning/datasources/prometheus.yaml:ro diff --git a/env-example b/env-example index 3d8f793..04b8b8e 100644 --- a/env-example +++ b/env-example @@ -1,5 +1,5 @@ DATA_DIR=/opt/monero/data -GRAFANA_PASSWORD=xxxxxxx +GRAFANA_URL=http://mynodeurl.com P2P_PORT=18080 RESTRICTED_PORT=18081 ZMQ_PORT=18082