docs: added staging configuration guide #4
217
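--- /dev/null
+++ b/server-configuration/staging.md
@@ -0,0 +1,217 @@
+# Server configuration of the staging server
+
+Staging server has `51.161.134.20` IP address and `staging.cellar.social` DNS record associated with it.
+
+`otto` user has sudo rights at staging server, all operations that require sudo rights will be performed under this user.
+
+## Fail2ban
+
+Install `fail2ban` to scan the log files for too many failed login attempts and block the IP address which is showing malicious signs.
+
+```bash
+sudo apt-get install fail2ban
+```
+
+## Nginx
+
+Under `otto` user:
+
+```bash
+# Update packages
+sudo apt update
+
+# Install Nginx
+sudo apt install nginx
+
+# List the application configurations that ufw knows how to work with
+sudo ufw app list
+
+# Activate firewall
+sudo ufw enable
+
+# Allow ssh connections
+sudo ufw allow 'OpenSSH'
+
+# Allow HTTPS traffic
+sudo ufw allow 'Nginx HTTPS'
+
+# Allow HTTP traffic (HTTP traffic should be allowed to equire SSL certificate and will be disabled later)
+sudo ufw allow 'Nginx HTTP'
+
+# Check ufw status
+sudo ufw status
+
+# Check Nginx status
+systemctl status nginx
+
+# Create the directory for `api` domain
+sudo mkdir -p /var/www/api/html
+
+# Assign ownership of the directory to the `api` user
+sudo chown -R api:api /var/www/api/html
+
+# Adjust permissions
+sudo chmod -R 755 /var/www/api
+
+# Install certbot
+sudo apt install certbot python3-certbot-nginx
+
+# Fetch a certificate from Let's Encrypt and follow the prompts
+sudo certbot --nginx -d staging.cellar.social
+
+# Verify that certificate renewal is on
+sudo systemctl status certbot.timer
+
+# Create a configuration file for api subdomain
+sudo nano /etc/nginx/sites-available/api
+```
+
+Paste into `/etc/nginx/sites-available/api`:
+
+```bash
+server {
+listen 80;
+listen [::]:80;
+
+root /var/www/html;
+index index.html index.htm index.nginx-debian.html;
+
+# Put your domain name here
+server_name staging.cellar.social;
+
+# Needed for Let's Encrypt verification
+location ~ /.well-known/acme-challenge {
+allow all;
+}
+
+# Force HTTP to HTTPS
+location / {
+return 301 https://$http_host$request_uri;
+}
+}
+
+server {
+listen 443 ssl http2;
+
+ssl on;
+
+# SSL certificate by Let's Encrypt in this Nginx
+ssl_certificate /etc/letsencrypt/live/staging.cellar.social/fullchain.pem;
+ssl_certificate_key /etc/letsencrypt/live/staging.cellar.social/privkey.pem;
+
+# root /var/www/html;
+# index index.html index.htm index.nginx-debian.html;
+
+# domain name here
+server_name staging.cellar.social;
+
+location /api {
+proxy_pass http://127.0.0.1:3000/;
+
+proxy_set_header Host $http_host;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+proxy_set_header Upgrade $http_upgrade;
+}
+
+# Needed for Let's Encrypt verification
+location ~ /.well-known/acme-challenge {
+allow all;
+}
+}
+```
+
+Next:
+
+```bash
+# Enable the file by creating a link from it to the sites-enabled directory, which Nginx reads from during startup
+sudo ln -s /etc/nginx/sites-available/api /etc/nginx/sites-enabled/
+
+# Restart Nginx
+sudo systemctl restart nginx
+
+# Check Nginx status
+systemctl status nginx
+
+# Check firewall status
+sudo ufw status
+
+# Deny HTTP traffic
+sudo ufw deny 'Nginx HTTP'
+
+# Check firewall status
+sudo ufw status
+```
+
+## Install Node and NPM
+
+```bash
+# Update packages
+sudo apt update
+
+# Install nvm (node version manager)
+curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.35.3/install.sh | bash
+
+# Install Node v20
+nvm install 20.12.2
+
+# Set 20.12.2 as a default version of Node
+nvm alias default 20.12.2
+
+# Use default Node version
+nvm use default
+```
+
+## API user
+
+`api` user doesn't have sudo rights and will be used to run `cellar-api` and all related processes.
+
+Under `otto` user:
+
+```bash
+# Create api user
+sudo adduser api
+
+# Switch to api user
+su api
+```
+
+Under `api` user:
+
+```bash
+# Generate SSH keys.
+# These keys will be used by CI/CD pipeline.
+ssh-keygen
+
+# Change to ssh directory
+cd .ssh/
+
+# Create authorized_keys file
+touch authorized_keys
+
+# Copy public key from `id_ed25519.pub` and paste into `authorized_keys` file
+# Private key is stored in SSH_STAGING_PRIVATE_KEY variable of the CI/CD pipeline.
+
+# Install PM2 package globally
+npm i -g pm2
+
+# Clone cellar/cs-backend repository
+git clone ssh://git@git.nostrdev.com:29418/cellar/cs-backend.git
+
+# Change to cs-backend directory
+cd cs-backend
+
+# Install dependencies
+npm ci
+
+# Build API app
+npm run build
+
+# Start API app
+npm run start
+
+# Verify that cellar-api process is running
+pm2 list
+```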