The goal of this article is to provide step-by-step instructions on how to set up a DigitalOcean droplet so we can then build our NWApp platform on CentOS 7.

Prerequisites

- Create a droplet to your configuration.
- The `#` character in `# yum install -y epel-release` means that we want to run this command as the `root` user account.
- The `$` character in `$ sudo reboot` means that we want to run this command as a privileged administrator user account (a regular user that elevates with `sudo`).
- From your local developer machine, connect to the newly created server with this command:

```
$ ssh -l root nwapp.ca
```

Pre-installation

- We want to be using the latest libraries. Read more about Extra Packages for Enterprise Linux.

```
# yum install -y epel-release
```

- Update the installed packages.

```
# sudo yum -y update
```

- As the `root` user, copy and paste the following code to install all the libraries we will be using in our project. Other libraries will have individual instructions on how to set them up. We are doing this to help speed up the installation.

```
sudo yum -y install yum-utils
sudo yum -y groupinstall development
sudo yum -y install firewalld
sudo yum -y install ntp
sudo yum -y install fail2ban
sudo yum -y install nginx
sudo yum -y install python36
sudo yum -y install python36-devel
sudo yum -y install python-pip
sudo rpm -Uvh https://download.postgresql.org/pub/repos/yum/10/redhat/rhel-7-x86_64/pgdg-centos10-10-2.noarch.rpm
sudo yum -y install postgresql10-server postgresql10
sudo yum -y install postgis2_10
sudo yum -y install redis
sudo yum -y install yum-cron
sudo yum -y install GraphicsMagick-c++-devel
sudo yum -y install boost-devel
```

- Update the `root` password of your droplet. Be sure to set a secure password with the following requirements: (a) 8 characters, (b) 1 uppercase character, (c) one special character, (d) no common words. Finally, be sure not to forget this password!

```
# passwd root
```

Secure Root Account and Setup Administrative Account

- This section starts off assuming you have completed the above section.
- Create our technical operations account which we will use. Afterwards, assign a password to that account.

```
# adduser techops
# passwd techops
```

- Grant administrative privileges to the user.

```
# gpasswd -a techops wheel
```

- (Optional) On your local developer machine, generate the `ssh` key pair. When prompted for a passphrase, skip it. After generating the key, print the public key to the console.

```
local$ ssh-keygen
local$ cat ~/.ssh/id_rsa.pub
```

- Now on your server, paste your public key into the new user's `authorized_keys` file.

```
# su - techops
$ mkdir .ssh
$ chmod 700 .ssh
$ vi .ssh/authorized_keys
```

- Restrict the permissions of the `authorized_keys` file with this command. Do not skip this command, as you will be unable to `ssh` into this server without setting the permissions here:

```
$ chmod 600 .ssh/authorized_keys
```

- On your local developer machine, attempt to log into the server with the `techops` user account to confirm it is working. If you cannot log in, please review steps 1 to 7 or search online for answers. Here is an example:

```
local$ ssh -l techops nwapp.ca
```

- Exit from the `techops` user and disable `root` login for the `sshd` service.

```
$ exit
# vi /etc/ssh/sshd_config
```

- Find this line and change it to look like this:

```
PermitRootLogin no
```

- Reload `sshd` with our latest change.

```
# systemctl reload sshd
```

- Now on your local machine, try connecting to the server using the `root` account and you'll notice you cannot access it.
- For the commands that follow, you have to log in to the `techops` user account and use the `sudo` command for privilege elevation to run administrative commands.
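The following script is an added example (not part of the original guide) that checks whether the hardening steps above took effect: it reads the first uncommented `PermitRootLogin` line the way `sshd` does and verifies the `.ssh` directory and `authorized_keys` modes. The paths are arguments and the sample layout is constructed, so it runs without root; on the server you would point it at `/etc/ssh/sshd_config` and `/home/techops/.ssh`.

```shell
#!/bin/sh
# Added example, not part of the original guide: verify the hardening steps
# above actually took effect. Paths are arguments, so the same functions run
# against the constructed sample below or against the real
# /etc/ssh/sshd_config and /home/techops/.ssh on the server.

# sshd honours the FIRST uncommented PermitRootLogin line, so take only that one.
permit_root_login_disabled() {
    val=$(awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$1")
    [ "$val" = "no" ]
}

# True when $1 has exactly the octal mode $2 (GNU stat first, BSD stat fallback).
has_mode() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$mode" = "$2" ]
}

# Check one sshd_config ($1) and one .ssh directory ($2). Prints each problem and
# returns the number of problems, so 0 means the section above was applied.
check_ssh_hardening() {
    cfg=$1; sshdir=$2; fails=0
    permit_root_login_disabled "$cfg" \
        || { echo "FAIL: PermitRootLogin is not 'no' in $cfg"; fails=$((fails + 1)); }
    has_mode "$sshdir" 700 \
        || { echo "FAIL: $sshdir must be mode 700"; fails=$((fails + 1)); }
    has_mode "$sshdir/authorized_keys" 600 \
        || { echo "FAIL: $sshdir/authorized_keys must be mode 600"; fails=$((fails + 1)); }
    return "$fails"
}

# Constructed sample (no real server needed): a hardened layout, or a weak one
# when $1 is "weak", mirroring the state before the steps above were applied.
make_sample() {
    d=$(mktemp -d)
    mkdir -m 700 "$d/.ssh"
    : > "$d/.ssh/authorized_keys"
    if [ "$1" = "weak" ]; then
        chmod 644 "$d/.ssh/authorized_keys"
        printf '%s\n' '#PermitRootLogin yes' 'PermitRootLogin yes' > "$d/sshd_config"
    else
        chmod 600 "$d/.ssh/authorized_keys"
        printf '%s\n' '#PermitRootLogin yes' 'PermitRootLogin no' > "$d/sshd_config"
    fi
    echo "$d"
}
```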
Firewall

- Enable the firewall application so it starts at boot, then reboot.

```
$ sudo systemctl enable firewalld
$ sudo reboot
```

- Log back in from your local machine.
- Start the application.

```
$ sudo systemctl start firewalld
```

- Confirm it's working.

```
$ sudo firewall-cmd --state
```

- Add rules so `nginx` will be reachable from the internet.

```
$ sudo firewall-cmd --permanent --add-service=http
$ sudo firewall-cmd --permanent --add-service=https
$ sudo firewall-cmd --reload
$ sudo firewall-cmd --runtime-to-permanent
```

- Would you like to know more? Learn more. It is encouraged to read this article to understand the next few steps.

Adjust Timezone

- List what timezones are available.

```
$ sudo timedatectl list-timezones
```

- Set the `America/Toronto` timezone for our OS build.

```
$ sudo timedatectl set-timezone America/Toronto
```

- Make the timezone change permanent.

```
$ sudo timedatectl
```

- Start the `ntp` service, and enable it to start at boot time.

```
$ sudo systemctl start ntpd
$ sudo systemctl enable ntpd
```

Auto-Update Cron

- Based on: https://www.techrepublic.com/article/how-to-enable-automatic-security-updates-on-centos-7-with-yum-cron/
- Enable and start our cron.

```
$ sudo systemctl start yum-cron
$ sudo systemctl enable yum-cron
```

- Confirm that our installation was a success.

```
$ systemctl status yum-cron.service
```

- Look at our configuration:

```
$ sudo vi /etc/yum/yum-cron.conf
```

- Next, locate the line:

```
apply_updates = no
```

- And change it to:

```
apply_updates = yes
```

- Restart the service.

```
$ sudo systemctl restart yum-cron
```

- Confirm that our `cron` service is running.

```
$ systemctl status yum-cron.service
```

Fail2ban

- Enable the service to start at boot time.

```
$ sudo systemctl enable fail2ban
```

- Set up our configuration. Start by opening up our configuration file.

```
$ sudo vi /etc/fail2ban/jail.local
```

- Copy and paste.

```
[DEFAULT]
# Ban hosts for 7200 seconds (two hours):
bantime = 7200
ignoreip = 127.0.0.1/8
# Override /etc/fail2ban/jail.d/00-firewalld.conf:
banaction = iptables-multiport

[sshd]
enabled = true
```

- Start the `fail2ban` service.

```
$ sudo systemctl start fail2ban
```

- Check to confirm that the `fail2ban` service has been successfully installed and is currently running in our build.

```
$ sudo fail2ban-client status
```

- Would you like to know more? Read more here.
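To see what the `[sshd]` jail above actually reacts to, here is an added example (not from the original guide or the fail2ban project) that counts "Failed password" events per source address in an sshd log and reports the addresses that reached a given `maxretry`. The log lines are constructed; `bantime`, `findtime` and `ignoreip` are not modelled, and on the server you would pass `/var/log/secure` as the first argument.

```shell
#!/bin/sh
# Added example, not part of the original guide: reproduce what the [sshd] jail
# above does with /var/log/secure, so you can see which addresses fail2ban would
# ban. The log lines are constructed for offline use; on the server pass
# /var/log/secure as the first argument instead.

# Print "IP count" for every source address with at least $2 "Failed password"
# events in log file $1. That message is one of the patterns fail2ban's sshd
# filter matches; the address is the field after "from".
sshd_offenders() {
    awk -v maxretry="$2" '
        /sshd\[.*Failed password for/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= maxretry) print ip, fails[ip] }
    ' "$1" | sort
}

# Constructed sample of /var/log/secure: 203.0.113.5 fails five times (the
# default maxretry), 198.51.100.7 fails twice, 192.0.2.9 logs in with a key.
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Mar  5 10:12:01 nwapp sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar  5 10:12:04 nwapp sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar  5 10:12:09 nwapp sshd[1205]: Invalid user admin from 203.0.113.5 port 51240
Mar  5 10:12:11 nwapp sshd[1205]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Mar  5 10:12:15 nwapp sshd[1205]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Mar  5 10:12:20 nwapp sshd[1209]: Failed password for root from 203.0.113.5 port 51250 ssh2
Mar  5 10:13:02 nwapp sshd[1212]: Failed password for techops from 198.51.100.7 port 40022 ssh2
Mar  5 10:13:08 nwapp sshd[1212]: Failed password for techops from 198.51.100.7 port 40022 ssh2
Mar  5 10:14:30 nwapp sshd[1220]: Accepted publickey for techops from 192.0.2.9 port 40100 ssh2
EOF
    echo "$f"
}
```

With `maxretry` 5 only 203.0.113.5 is reported; lowering it to 2 also reports 198.51.100.7, while the successful key login from 192.0.2.9 never counts.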
Setup Nginx (Part 1)

- Start `nginx`.

```
$ sudo systemctl start nginx
```

- Enable `nginx` to start up at boot time. Use the following command to do so:

```
$ sudo systemctl enable nginx
```

- Confirm our server works. Open in a web browser:

```
http://nwapp.ca
```

- (Optional) Here are the important `nginx` files and directories to take note of:
  - The default server root directory (top-level directory containing configuration files): /etc/nginx
  - The main Nginx configuration file: /etc/nginx/nginx.conf
  - Server block (virtual host) configurations can be added in: /etc/nginx/conf.d
  - The default server document root directory (contains web files): /usr/share/nginx/html
  - The default log for errors: /var/log/nginx/error.log
  - The default log for access: /var/log/nginx/access.log
  - The other error log: /var/log/nginx/default-error.log

Python Extra

Please note we will be using Python-based applications, so we will install it.

- Confirm you installed the correct version.

```
$ python3.6 -V
```

- We will next install pip, which will manage software packages for Python:

```
$ curl "https://bootstrap.pypa.io/get-pip.py" -o "get-pip.py"
$ sudo python3.6 get-pip.py
$ sudo pip install --upgrade pip
```

- Confirm we have the proper version.

```
$ pip -V
```

- Install some dependent libraries.

```
$ sudo pip install virtualenv
```

Postgres

- Initialize our database.

```
$ sudo /usr/pgsql-10/bin/postgresql-10-setup initdb
```

- Open the HBA configuration with your favorite text editor. We will use vi:

```
$ sudo vi /var/lib/pgsql/10/data/pg_hba.conf
```

- Find the lines that look like this, near the bottom of the file:

```
host    all             all             127.0.0.1/32            ident
host    all             all             ::1/128                 ident
```

- Then replace "ident" with "md5", so they look like this:

```
host    all             all             127.0.0.1/32            md5
host    all             all             ::1/128                 md5
```

- Open the main configuration with your favorite text editor. We will use vi:

```
$ sudo vi /var/lib/pgsql/10/data/postgresql.conf
```

- Then modify the following setting to look like this:

```
listen_addresses = '*'
```

- Start the service.

```
$ sudo systemctl start postgresql-10
```

- Make sure it starts at every boot.

```
$ sudo systemctl enable postgresql-10
```

- Begin using it:

```
$ sudo -i -u postgres
$ psql
```

- Would you like to know more about Postgres setup? Learn more.
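As an added example (not from the original guide), the functions below audit the two PostgreSQL files edited above: they list any active `pg_hba.conf` entry still using `ident` or `trust`, and read back the `listen_addresses` value from `postgresql.conf`. The sample files are constructed to mirror the before and after states of the steps above; on the server you would pass the real paths under `/var/lib/pgsql/10/data/`.

```shell
#!/bin/sh
# Added example, not part of the original guide: audit the two PostgreSQL files
# edited above. With listen_addresses = '*' the server accepts TCP connections
# on every interface, so pg_hba.conf (plus the firewall, which above only opens
# http/https) is what decides who may actually authenticate.

# Print every active pg_hba.conf entry in $1 whose auth method is "trust"
# (no password at all) or "ident" (the method the guide replaces with md5).
# Columns are TYPE DATABASE USER [ADDRESS] METHOD; "local" rows have no ADDRESS.
pg_hba_weak_entries() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }          # skip comments and blanks
        { method = ($1 == "local") ? $4 : $5 }
        method == "trust" || method == "ident" { print }
    ' "$1"
}

# Print the uncommented listen_addresses value from postgresql.conf ($1) with
# quotes stripped; empty output means PostgreSQL keeps its localhost default.
pg_listen_addresses() {
    awk -F= -v q="'" '$1 ~ /^[[:space:]]*listen_addresses[[:space:]]*$/ {
        v = $2; sub(/#.*/, "", v); gsub(/[[:space:]]/, "", v); gsub(q, "", v)
        print v; exit
    }' "$1"
}

# Constructed pg_hba.conf: "before" is the stock CentOS file the guide edits,
# "after" is the same file with ident replaced by md5 as instructed.
make_sample_pg_hba() {
    f=$(mktemp)
    method=ident; [ "$1" = "after" ] && method=md5
    printf '%s\n' \
        '# TYPE  DATABASE  USER  ADDRESS       METHOD' \
        'local   all       all                 peer' \
        "host    all       all   127.0.0.1/32  $method" \
        "host    all       all   ::1/128       $method" > "$f"
    echo "$f"
}

# Constructed postgresql.conf fragment with the setting the guide changes.
make_sample_pg_conf() {
    f=$(mktemp)
    printf '%s\n' "#listen_addresses = 'localhost'" \
        "listen_addresses = '*'    # set by the guide" 'port = 5432' > "$f"
    echo "$f"
}
```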
Redis

- Based on: https://www.linode.com/docs/databases/redis/deploy-redis-on-centos-7
- Start the service and enable it at boot time.

```
$ sudo systemctl start redis
$ sudo systemctl enable redis
```

- You can edit the configuration:

```
$ sudo vi /etc/redis.conf
```

NodeJS, NPM, React

- Install `Node`.

```
$ curl -sL https://rpm.nodesource.com/setup_10.x | sudo bash -
$ sudo yum -y install nodejs
```

- Check the version.

```
$ node --version
```

- Install `npm`.

```
$ sudo npm install -g npm@next
```

- (OPTIONAL) You can disable `https` and use insecure `http` for the registry by running the following. This step was provided by this link.

```
$ npm config set registry http://registry.npmjs.org/
```

- Check the version.

```
$ npm --version
```

- Install `react`.

```
$ sudo npm install -g create-react-app
```

- Check the version.

```
$ create-react-app --version
```

- Would you like to learn more?