-
Notifications
You must be signed in to change notification settings - Fork 60
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
docs: additional productionization notes
- Loading branch information
Showing
2 changed files
with
111 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,110 @@ | ||
| # Productionization | ||
|
|
||
| This document contains additional instructions/notes for how to turn a | ||
| PAUSE installed with the `boostrap` scripts into a production machine. | ||
|
|
||
| ## Adjust TLS Certificates | ||
|
|
||
| Bootstrap only sets a single hostname. You may want certificates for | ||
| multiple hostnames. (i.e. `pause.perl.org` and | ||
| `server3.mydomain.com`) | ||
|
|
||
| ```shell | ||
| # certbot --nginx -d server3.mydomain.com,pause.perl.org \ | ||
| --agree-tos -n --email [email protected] | ||
| # systemctl reload nginx | ||
| ``` | ||
|
|
||
| ## Configure DKIM | ||
|
|
||
| Create a DKIM key: | ||
|
|
||
| ```shell | ||
| apt install -y opendkim | ||
| opendkim-genkey \ | ||
| --directory=/etc/dkimkeys \ | ||
| --domain=pause.perl.org \ | ||
| --selector=1 \ | ||
| --nosubdomains | ||
| ``` | ||
|
|
||
| (Best practice is to rotate these keys from time to time. Do that by | ||
| choosing a different selector.) | ||
|
|
||
| Add the /etc/dkimkeys/1.txt content to DNS. | ||
|
|
||
| Configure postfix: | ||
|
|
||
| ```shell | ||
| postconf smtpd_milters=inet:localhost:8891 | ||
| postconf non_smtpd_milters=$smtpd_milters | ||
| ``` | ||
|
|
||
| Configure `/etc/opendkim.conf`: | ||
|
|
||
| ``` | ||
| Domain pause.perl.org, pause3.develooper.com | ||
| Selector 1 | ||
| KeyFile /etc/dkimkeys/1.private | ||
| Socket inet:8891@localhost | ||
| LogWhy Yes | ||
| ``` | ||
|
|
||
| Restart servers: | ||
|
|
||
| ```shell | ||
| service opendkim restart | ||
| service postfix reload | ||
| ``` | ||
|
|
||
| ## Monitoring | ||
|
|
||
| Install node exporter. | ||
|
|
||
| ```shell | ||
| apt -y install prometheus-node-exporter | ||
| ``` | ||
|
|
||
| Consider | ||
| [nginx-prometheus-exporter](https://github.com/nginxinc/nginx-prometheus-exporter). | ||
|
|
||
| Actual monitoring rules are not specfied here, because they're | ||
| configured on a different server. | ||
|
|
||
| Things you may want to monitor and/or alert on: | ||
|
|
||
| * disk usage | ||
| * traffic levels | ||
| * process counts | ||
|
|
||
| Add this block to the nginx config to get some basic status: (Also | ||
| required for nginx-prometheus-exporter.) | ||
|
|
||
| ``` | ||
| server { | ||
| listen 127.0.0.1:8751; | ||
| location = /stub_status { | ||
| stub_status; | ||
| } | ||
| location = / { | ||
| return 404; | ||
| } | ||
| } | ||
| ``` | ||
|
|
||
| ## Additional Configuration | ||
|
|
||
| Default fail2ban bantime is very short. Make it longer: | ||
|
|
||
| ``` | ||
| fail2ban-client start sshd | ||
| fail2ban-client set sshd bantime 86400 | ||
| ``` | ||
|
|
||
| Automatic security upgrades are a good idea, and probably outweight | ||
| the risks. | ||
|
|
||
| ``` | ||
| dpkg-reconfigure -plow unattended-upgrades | ||
| ``` | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters