VPS Secure Setup

Infrastructure

Learn how to securely configure and protect your "rented" cloud servers from "bad actors".

Set up a Virtual Private Server (VPS)

Level: Intermediate
update.sh NOTE: Run this script regularly to keep the system up-to-date.
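#!/usr/bin/env bash
# update.sh — refresh package lists, apply every pending upgrade, then remove
# packages nothing depends on any more. Run as root (or via sudo) on a schedule.
set -euo pipefail

# Use apt-get throughout: the `apt` front-end is intended for interactive use
# and warns that its interface is not stable for scripts. The original mixed
# `apt` and `apt-get` in one pipeline.
# DEBIAN_FRONTEND=noninteractive keeps an unattended run from blocking on a
# dpkg configuration prompt.
export DEBIAN_FRONTEND=noninteractive

# `set -e` stops at the first failing step, matching the original `&&` chain.
apt-get update
apt-get upgrade -y
apt-get autoremove -y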
Recommended Modules NOTE: These packages provide the build tooling and HTTPS transport support that MOST 3rd-party modules need.
# Packages most third-party modules expect: a build toolchain plus HTTPS and
# keyring support for adding external apt repositories.
packages=(
  apt-transport-https
  autoconf
  build-essential
  ca-certificates
  curl
  git
  gnupg2
  libtool
  make
  net-tools
  software-properties-common
  vim
)

# Same package list, same order, passed as separate words.
apt install -y "${packages[@]}"
Disable Password Authentication NOTE: You MUST set up and verify SSH key-based login BEFORE completing this step, otherwise you will lock yourself out of the server.
# Open the main sshd configuration for editing.
# NOTE(review): recent Debian/Ubuntu images may also load drop-in files from
# /etc/ssh/sshd_config.d/ which can override a setting made here — check that
# directory as well before restarting sshd.
vim /etc/ssh/sshd_config
PasswordAuthentication no    <-- this line is commented out by default; uncomment it and set it to no
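# Validate the edited configuration before restarting: if sshd refuses to
# start on a syntax error you lose remote access to the server. Keep this
# session open and confirm a fresh key-based login works from a second
# terminal after the restart.
sudo sshd -t && sudo service ssh restart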
Disable Visual-Mode in Vim NOTE: Debian ONLY
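# Stop vim from capturing the mouse (which enables visual-mode selection on
# Debian's default vim configuration, per the NOTE above).
# `>>` creates ~/.vimrc if it is missing, so the `touch` is not needed; the
# grep guard makes re-running this step idempotent instead of appending a
# duplicate line each time.
grep -qxF 'set mouse-=a' ~/.vimrc 2>/dev/null || printf '%s\n' 'set mouse-=a' >> ~/.vimrc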
Set up Uncomplicated Firewall (UFW)
Create SSL Certificate NOTE: TBD — the command below produces a self-signed certificate.
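#!/usr/bin/env bash
# Generate a self-signed TLS certificate (server.crt) and private key
# (server.key) for nginx. A self-signed certificate is only suitable for
# testing or internal use — browsers will warn on it; for a public hostname
# use a CA-issued certificate instead.
set -euo pipefail

# Hostname to put in the certificate; override with CERT_CN=example.com.
# Supplying the subject on the command line makes the step non-interactive.
cert_cn=${CERT_CN:-localhost}

# The private key must not be group/world readable; set the umask before
# openssl creates it rather than fixing permissions afterwards.
umask 077
openssl req \
    -newkey rsa:2048 -nodes -keyout server.key \
    -x509 -days 3650 -out server.crt \
    -subj "/CN=${cert_cn}" \
    -addext "subjectAltName=DNS:${cert_cn}"   # SAN is required by modern browsers; needs OpenSSL >= 1.1.1

# The certificate itself is public; only the key stays private.
chmod 644 server.crt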
Initial NodeJS NOTE: Choose either the "static" or the "proxy" configuration below.
# "static" variant: nginx serves the built front-end files from /var/www/html.
server {
    # NOTE(review): the same block answers on plaintext :80 and on TLS :443,
    # so every page is also reachable unencrypted. Once the certificate is in
    # place, consider serving only a redirect to https:// on port 80.
    listen  80;
    listen  [::]:80;
    listen  443 ssl;
    listen  [::]:443 ssl;

    # Replace with the real hostname(s) the certificate is issued for.
    server_name domain.ext www.domain.ext;

    # The server.crt / server.key pair from the openssl step, copied into
    # /etc/nginx/ssl/. The key must stay readable by root only.
    ssl_certificate      /etc/nginx/ssl/server.crt;
    ssl_certificate_key  /etc/nginx/ssl/server.key;

    # access_log /dev/null discards the access log entirely, leaving no request
    # history to review after an incident; prefer a rotated log file if disk
    # space allows.
    access_log /dev/null;
    error_log /root/error_log;

    root /var/www/html;

    # Add index.php to the list if you are using PHP
    index index.html index.htm;

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        # try_files $uri $uri/ =404;
        # Unknown paths fall back to index.html (single-page-app routing)
        # instead of returning 404.
        try_files $uri $uri/ /index.html;
    }
}
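# "proxy" variant: nginx terminates TLS and forwards to the Node app on
# loopback port 3000.
server {
    # NOTE(review): plaintext :80 and TLS :443 are served by the same block,
    # so the app is also reachable unencrypted; consider serving only a
    # redirect to https:// on port 80 once the certificate is in place.
    listen  80;
    listen  [::]:80;
    listen  443 ssl;
    listen  [::]:443 ssl;

    # Replace with the real hostname(s) the certificate is issued for.
    server_name domain.ext www.domain.ext;

    # The server.crt / server.key pair from the openssl step, copied into
    # /etc/nginx/ssl/. The key must stay readable by root only.
    ssl_certificate      /etc/nginx/ssl/server.crt;
    ssl_certificate_key  /etc/nginx/ssl/server.key;

    # access_log /dev/null discards the access log entirely, leaving no request
    # history to review after an incident; prefer a rotated log file.
    access_log /dev/null;
    error_log /root/error_log;

    location / {
        # Removed: `proxy_set_header Access-Control-Allow-Origin *;`
        # proxy_set_header only changes the *request* sent to the upstream,
        # and Access-Control-Allow-Origin is a *response* header evaluated by
        # the browser, so that line had no CORS effect. If CORS is needed,
        # have the app emit the header for the specific origins it trusts
        # rather than a wildcard.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Lets the app know whether the client arrived over http or https
        # (needed for correct redirects and Secure cookies behind the proxy).
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;

        # Upstream is loopback only; the app should not also bind a public
        # interface, or it can be reached without going through nginx.
        proxy_pass http://127.0.0.1:3000;
        proxy_redirect off;

        # WebSocket support: HTTP/1.1 plus Upgrade/Connection pass-through.
        # The long read timeout keeps idle socket connections from being
        # closed by nginx.
        proxy_http_version 1.1;
        proxy_read_timeout 1h;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}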
setenv NOTE: TBD
# setenv — sourced by deploy.sh to provide the CouchDB credentials.
# This file holds a secret: keep it out of version control and restrict it
# to the deploying user (chmod 600). "uuid" looks like a placeholder — replace
# it with a long random value before deploying.
export COUCHDB_USER=admin
export COUCHDB_PASSWORD=uuid

# USE FOR LOCAL DEVELOPMENT
# COUCHDB_USER=admin COUCHDB_PASSWORD=uuid yarn dev --port 39###
deploy.sh NOTE: TBD
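#!/usr/bin/env bash
# deploy.sh — pull the latest code and rebuild/restart the compose stack.
# Expects the `setenv` file (CouchDB credentials) next to this script.
set -euo pipefail

# Resolve setenv relative to this script rather than the caller's working
# directory, so the deploy works no matter where it is invoked from.
script_dir=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd)
# shellcheck source=/dev/null
source "${script_dir}/setenv"

# Explicit message on failure; `set -e` alone would exit silently.
cd /usr/src/project-name/sub-folder || { printf 'deploy: project directory missing\n' >&2; exit 1; }

git pull --no-rebase
docker compose up -d --build

# Reclaim disk space: -a removes every image not used by a container (not just
# dangling layers), -f skips the confirmation prompt.
docker image prune -af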