Backup VPS preparations

Before I can run my Ansible scripts against a backup server there are a few preparations to get it ready for Ansible to connect.

Step 1: Add a user

I'll add a user for Ansible to connect as. This command prompts for a password and a few optional account details (the username is given on the command line).

adduser abilson

My user needs sudo so Ansible can run root-privileged commands like chown. NOPASSWD:ALL makes the account equivalent to root for anyone holding its key, which is the trade-off for unattended playbook runs. The fragment must be mode 0440, and it is worth validating it with visudo's -c check before closing the shell: a syntax error in /etc/sudoers.d breaks sudo for every account on the box.

echo 'abilson ALL=(ALL) NOPASSWD:ALL' > /etc/sudoers.d/010_abilson_nopasswd

The user also needs my SSH public key in its authorized_keys. ssh-copy-id does this over a password login, so it has to run before password authentication is switched off, and the target is user@host so the key lands in abilson's account rather than whatever my local username happens to be.

ssh-copy-id -i ~/.ssh/my_ssh_key abilson@backup_server

For convenience I also add an entry to my SSH config.

Host backup
  HostName 137.220.61.222
  User abilson
  Port 22
  IdentityFile /Users/me/.ssh/my_ssh_key

Test SSH access with the key, then lock down /etc/ssh/sshd_config to:

  1. Enable public key authentication
  2. Disable password authentication
  3. Disable root login

PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no

Keep the working session open while doing this. Check the file with sshd -t before reloading sshd, and on Ubuntu look in /etc/ssh/sshd_config.d/ as well: a cloud-init drop-in there can set PasswordAuthentication yes and override the main file, because sshd uses the first value it reads for each keyword. Only log out once a fresh key login succeeds and a password login is refused.
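As an added example, not the post's own commands: a script that does the server side of Step 1 with the checks that stop you locking yourself out. The file names, the sshd_config.d drop-in, the ADMIN_USER default and the provision function are this script's assumptions; the post only gives the individual commands.

```shell
#!/bin/sh
# Added example (not the post's commands). Assumed: Debian/Ubuntu-style adduser,
# an sshd that reads /etc/ssh/sshd_config.d/*.conf (older hosts: append the
# same lines to sshd_config itself), and systemd unit "ssh" (RHEL-family: "sshd").
set -eu

ADMIN_USER="${ADMIN_USER:-abilson}"

# The sudoers fragment Ansible needs, written to $2 with the 0440 mode sudo
# expects. The file name carries no '.' or '~' because sudoers.d skips those.
write_sudoers_fragment() {
  user="$1"; out="$2"
  printf '%s ALL=(ALL) NOPASSWD:ALL\n' "$user" > "$out"
  chmod 0440 "$out"
}

# Parse-check a fragment before it goes into /etc/sudoers.d; a typo there
# breaks sudo for everyone. (Runs as root on the server.)
check_sudoers_fragment() {
  visudo -cf "$1"
}

# Hardening drop-in for sshd. KbdInteractiveAuthentication covers the PAM
# prompt path that PasswordAuthentication alone can leave open.
write_sshd_hardening() {
  out="$1"
  cat > "$out" <<'EOF'
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
EOF
}

# Check a config file, or the effective config from `sshd -T`, for the three
# settings. sshd keeps the first value it sees per keyword, so the effective
# config is the one worth checking; `sshd -T` resolves that for you.
sshd_config_is_hardened() {
  f="$1"
  grep -qi '^permitrootlogin no$' "$f" \
    && grep -qi '^pubkeyauthentication yes$' "$f" \
    && grep -qi '^passwordauthentication no$' "$f"
}

# Full run on the server as root. Keep the current session open and confirm a
# second key login works before you close it.
provision() {
  frag="/tmp/010_${ADMIN_USER}_nopasswd"
  id "$ADMIN_USER" >/dev/null 2>&1 || adduser "$ADMIN_USER"
  write_sudoers_fragment "$ADMIN_USER" "$frag"
  check_sudoers_fragment "$frag"
  mv "$frag" /etc/sudoers.d/
  write_sshd_hardening /etc/ssh/sshd_config.d/10-hardening.conf
  sshd -t                                   # syntax check of the whole config
  sshd -T > /tmp/sshd_effective.conf        # effective values after Includes
  sshd_config_is_hardened /tmp/sshd_effective.conf
  systemctl reload ssh
}

if [ "${1:-}" = "provision" ]; then provision; fi
```

Run it as `sh prepare.sh provision` on the server; without the argument it only defines the functions, which is how the rendering and checking pieces can be exercised on a workstation first.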

Step 2: Run Ansible

Ok, now I can run my Ansible scripts to configure the web server and install my chaos suite.

Step 3: Configure SSL Cert

I can't serve HTTPS until I have a certificate from a publicly trusted CA; I use Let's Encrypt. Issuance starts with certbot, using the DNS challenge because a wildcard name can only be validated that way:

sudo certbot certonly --manual --preferred-challenges dns -d ofchaosandorder.com -d '*.ofchaosandorder.com'

Follow the manual prompts to create the TXT records. You need one per domain entry, and both go under the same name, _acme-challenge.ofchaosandorder.com, with different values, so add the second record rather than editing the first. I use two entries because I use subdomains for my services and a bare domain for my site. If you're not using Namecheap, this can be easier, but alas. They do have 'cheap' in the name after all. One caveat with --manual: certbot cannot renew these certificates on its own, because it has no way to publish the TXT records, so certbot renew will fail unless you supply a --manual-auth-hook script or repeat the manual run before the 90-day expiry.

Step 4: Add SSL to Nginx

Add the following lines to the root site's server block (the one with the listen 443 ssl directive). If you'd rather not edit it by hand, the python3-certbot-nginx package can do this for you.

ssl_certificate /etc/letsencrypt/live/ofchaosandorder.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/ofchaosandorder.com/privkey.pem;
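A complete version of this step, as an added example rather than the post's own configuration: it renders the HTTP-to-HTTPS redirect and the TLS server block for a domain, checks that the rendered file points at the paths certbot produced, and only reloads nginx if the whole config parses. The webroot, the sites-available/sites-enabled layout and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not the post's configuration. Assumed: certbot's default
# /etc/letsencrypt/live/<domain>/ layout, a webroot under /var/www/<domain>,
# and nginx's sites-available/sites-enabled convention.
set -eu

# Render an HTTP->HTTPS redirect plus the TLS server block for $1 into file $2.
render_tls_site() {
  domain="$1"; out="$2"
  live="/etc/letsencrypt/live/$domain"
  cat > "$out" <<EOF
server {
    listen 80;
    listen [::]:80;
    server_name $domain *.$domain;
    return 301 https://\$host\$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name $domain *.$domain;

    # fullchain.pem carries the leaf plus the intermediate; serving cert.pem
    # alone leaves clients to fetch the chain themselves and breaks some of them.
    ssl_certificate     $live/fullchain.pem;
    ssl_certificate_key $live/privkey.pem;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    add_header Strict-Transport-Security "max-age=63072000" always;

    root /var/www/$domain;
    index index.html;
}
EOF
}

# True when the rendered file points at certbot's live paths for the domain;
# a typo here makes nginx refuse to start at the next restart.
site_uses_certbot_paths() {
  f="$1"; domain="$2"
  grep -qF "ssl_certificate     /etc/letsencrypt/live/$domain/fullchain.pem;" "$f" \
    && grep -qF "ssl_certificate_key /etc/letsencrypt/live/$domain/privkey.pem;" "$f"
}

# Install for real, as root. nginx -t runs before the reload so a bad file
# never takes the running server down.
install_site() {
  domain="$1"
  render_tls_site "$domain" "/etc/nginx/sites-available/$domain"
  site_uses_certbot_paths "/etc/nginx/sites-available/$domain" "$domain"
  ln -sf "/etc/nginx/sites-available/$domain" "/etc/nginx/sites-enabled/$domain"
  nginx -t && systemctl reload nginx
}

if [ "${1:-}" = "install" ]; then install_site "$2"; fi
```

Usage on the server is `sh tls-site.sh install ofchaosandorder.com`. The rendered block covers the wildcard names too, since server_name lists both the bare domain and *.domain, matching the two entries on the certificate.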