Backup VPS preparations
Before I can run my Ansible scripts against a backup server, there are a few preparations to get it ready to connect.
Step 1: Add a user
I’ll add a user for Ansible to use. This command will prompt for a name and password.
adduser abilson
My user will need sudo permissions so Ansible can run root-privileged commands like chown.
echo 'abilson ALL=(ALL) NOPASSWD:ALL' > /etc/sudoers.d/010_abilson_nopasswd
The user should also be given an SSH key. ssh-copy-id installs the public half of my key in the user's authorized_keys on the server.
ssh-copy-id -i ~/.ssh/my_ssh_key backup_server
For convenience I also add an entry to my SSH config.
Host backup
HostName 137.220.61.222
User abilson
Port 22
IdentityFile /Users/me/.ssh/my_ssh_key
Test SSH access, then lock down the settings in /etc/ssh/sshd_config to:
- Enable public key authentication
- Disable password authentication
- Disable root login
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
Step 2: Run Ansible
Ok, now I can run my Ansible scripts to configure the web server and install my chaos suite.
Step 3: Configure SSL Cert
I can’t use HTTPS until I’ve added a certificate from my trusted certificate authority, Let’s Encrypt. Configuration starts with certbot:
sudo certbot certonly --manual --preferred-challenges dns -d ofchaosandorder.com -d '*.ofchaosandorder.com'
Follow the manual steps to create TXT records. You’ll need one for each of the two entries. I use two entries because I use subdomains for my services and a bare URL for my site. If you’re not using Namecheap, this can be easier, but alas. They do have ‘cheap’ in the name after all.
Step 4: Add SSL to Nginx
Add the following lines to the root site’s server block. If you’d rather not do this by hand, the python3-certbot-nginx package can do it for you.
ssl_certificate /etc/letsencrypt/live/ofchaosandorder.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/ofchaosandorder.com/privkey.pem;
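To show where those two lines sit, here is an added example (mine, not the post's) that renders a complete server block around them, checks that the certificate actually lists the site name in its subjectAltName before wiring it in, and reloads nginx only after nginx -t passes. The certificate paths are the ones from the post; the Debian-style sites-available/sites-enabled layout, the /var/www/<domain> web root, the TLS settings and the --apply flag are my assumptions.

```shell
#!/bin/sh
# Added example, not the post's own code: render the HTTPS server block that
# the two ssl_ lines from Step 4 belong in, confirm the certificate covers the
# name, and reload nginx only after `nginx -t` passes.
# Assumptions (mine): Debian-style sites-available/sites-enabled layout and a
# web root of /var/www/<domain>; the certificate paths are the post's.
set -eu

# Print an nginx config: port 80 redirects to HTTPS, port 443 serves the site.
render_site_config() {
  domain="$1"
  live="/etc/letsencrypt/live/${domain}"
  cat <<EOF
server {
    listen 80;
    listen [::]:80;
    server_name ${domain};
    return 301 https://\$host\$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name ${domain};
    root /var/www/${domain};

    ssl_certificate ${live}/fullchain.pem;
    ssl_certificate_key ${live}/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    add_header Strict-Transport-Security "max-age=63072000" always;
}
EOF
}

# Print the subjectAltName line of the first (leaf) certificate in a PEM file.
cert_san_line() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1
}

# Return 0 if a subjectAltName line lists NAME as a DNS entry. The match is
# exact, so "DNS:*.example" does not count as covering "example".
san_lists_name() {
  san_line="$1" name="$2"
  printf '%s\n' "$san_line" | tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -qxF "DNS:${name}"
}

install_site_config() {
  domain="$1" nginx_dir="${2:-/etc/nginx}"
  pem="/etc/letsencrypt/live/${domain}/fullchain.pem"
  san_lists_name "$(cert_san_line "$pem")" "$domain" || {
    echo "certificate at $pem does not cover $domain" >&2; exit 1; }
  render_site_config "$domain" > "${nginx_dir}/sites-available/${domain}"
  ln -sf "../sites-available/${domain}" "${nginx_dir}/sites-enabled/${domain}"
  nginx -t                          # also fails if the cert files are missing
  systemctl reload nginx
}

# Only act when asked explicitly, e.g.:  sh site.sh --apply ofchaosandorder.com
case "${1:-}" in
  --apply) install_site_config "${2:-ofchaosandorder.com}" ;;
esac
```

Because the post issues the certificate with --manual and a DNS challenge, certbot cannot renew it unattended unless a --manual-auth-hook updates the TXT records; after each renewal, repeat the nginx -t and reload so the new chain is picked up.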