Setup cloud-init script for DO droplets (#1)
* adding init script and example/soon to be used configs * uncomment and get ready for launch * update monero node setup cmds * include deletion of base data * remove auth from grafana altogether * remove unused var * remove hsts reqs * remove unused confstesting-process-exporter
parent
82f2ffea03
commit
4ca6342432
@ -0,0 +1,96 @@
|
||||
#!/bin/bash
|
||||
|
||||
sleep 30
|
||||
|
||||
# Install packages
|
||||
apt-get update
|
||||
apt-get upgrade -y
|
||||
apt-get install software-properties-common sudo git -y
|
||||
apt-get install certbot nginx python3 python3-virtualenv -y
|
||||
apt-get install docker.io docker-compose -y
|
||||
|
||||
# Setup certs and Nginx
|
||||
mkdir -p /etc/nginx/conf.d
|
||||
mkdir -p /etc/ssl/certs
|
||||
rm -f /etc/nginx/sites-enabled/default
|
||||
openssl dhparam -out /etc/ssl/certs/dhparam.pem -2 2048
|
||||
cat << EOF > /etc/nginx/conf.d/ssl.conf
|
||||
## SSL Certs are referenced in the actual Nginx config per-vhost
|
||||
# Disable insecure SSL v2. Also disable SSLv3, as TLS 1.0 suffers a downgrade attack, allowing an attacker to force a connection to use SSLv3 and therefore disable forward secrecy.
|
||||
# ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
||||
# Strong ciphers for PFS
|
||||
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
|
||||
# Use server's preferred cipher, not the client's
|
||||
# ssl_prefer_server_ciphers on;
|
||||
ssl_session_cache shared:SSL:10m;
|
||||
# Use ephemeral 4096 bit DH key for PFS
|
||||
ssl_dhparam /etc/ssl/certs/dhparam.pem;
|
||||
# Use OCSP stapling
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
resolver 1.1.1.1 valid=300s;
|
||||
resolver_timeout 5s;
|
||||
EOF
|
||||
cat << EOF > /etc/nginx/sites-enabled/${DOMAIN}.conf
|
||||
# Redirect inbound http to https
|
||||
server {
|
||||
listen 80 default_server;
|
||||
server_name ${DOMAIN};
|
||||
index index.php index.html;
|
||||
return 301 https://${DOMAIN}$request_uri;
|
||||
}
|
||||
|
||||
# Load SSL configs and serve SSL site
|
||||
server {
|
||||
listen 443 ssl;
|
||||
server_name ${DOMAIN};
|
||||
error_log /var/log/nginx/${DOMAIN}-error.log warn;
|
||||
access_log /var/log/nginx/${DOMAIN}-access.log;
|
||||
client_body_in_file_only clean;
|
||||
client_body_buffer_size 32K;
|
||||
# set max upload size
|
||||
client_max_body_size 8M;
|
||||
sendfile on;
|
||||
send_timeout 600s;
|
||||
|
||||
location / {
|
||||
proxy_pass http://127.0.0.1:3000;
|
||||
proxy_set_header Host \$host;
|
||||
proxy_set_header X-Real-IP \$remote_addr;
|
||||
proxy_set_header X-Frame-Options "SAMEORIGIN";
|
||||
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto \$scheme;
|
||||
proxy_redirect off;
|
||||
}
|
||||
|
||||
include conf.d/ssl.conf;
|
||||
ssl_certificate /etc/letsencrypt/live/${DOMAIN}/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/${DOMAIN}/privkey.pem;
|
||||
}
|
||||
EOF
|
||||
service nginx stop
|
||||
certbot certonly --standalone -d ${DOMAIN} --agree-tos -m ${ACME_EMAIL} -n
|
||||
service nginx start
|
||||
|
||||
# Setup app users
|
||||
useradd -m -s $(which false) monero
|
||||
usermod -aG docker monero
|
||||
|
||||
# Setup Monero node
|
||||
umount /dev/sda
|
||||
mkdir -p /opt/monero
|
||||
mount /dev/sda /opt/monero
|
||||
rm -rf /opt/monero/*
|
||||
git clone https://github.com/lalanza808/docker-monero-node /opt/monero
|
||||
cat << EOF > /opt/monero/.env
|
||||
DATA_DIR=/opt/monero/data
|
||||
GRAFANA_URL=https://${DOMAIN}
|
||||
P2P_PORT=18080
|
||||
RESTRICTED_PORT=18081
|
||||
ZMQ_PORT=18082
|
||||
UNRESTRICTED_PORT=18083
|
||||
EOF
|
||||
chown -R monero:monero /opt/monero
|
||||
|
||||
# Run Monero node as monero user
|
||||
sudo -u monero bash -c "cd /opt/monero && docker-compose up -d"
|
Loading…
Reference in New Issue