Server installation

Install default apps and basic configurations

Docker

sudo apt-get update
sudo apt-get remove docker docker.io containerd runc
sudo apt-get install \
ca-certificates \
curl \
gnupg \
lsb-release
curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian \
$(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt-get update
sudo apt-get install docker-ce docker-ce-cli containerd.io docker-compose-plugin

Basic config

sudo apt-get install -y acl tree unzip p7zip-full
sudo apt-get install unattended-upgrades

Users and right management

Only the owner has access to their own home folder. Every user is a member of the datalab32 group. This group has read/write access to the /home/data/ folder, and it also has read/write rights on the secret_shared folder of pmp-production.

pmp-production

We create a user that deploys applications and services to production:

sudo groupadd --gid 1900 datalab32
sudo groupadd --gid 1999 datalab32-admin
sudo useradd --create-home --user-group --shell /bin/bash --groups datalab32,datalab32-admin,docker --uid 1901 pmp-production
sudo mkdir -p /home/pmp-production/secret_shared
sudo mkdir -p /home/pmp-production/secret
sudo mkdir -p /home/data/

You can open a bash shell as this user with: sudo -i -u pmp-production bash

pmp-dev

We create a user that deploys applications and services to dev:

sudo useradd --create-home --user-group --shell /bin/bash --groups datalab32,datalab32-admin,docker --uid 1990 pmp-dev
sudo mkdir -p /home/pmp-dev/secret_shared
sudo mkdir -p /home/pmp-dev/secret

Admin user

sudo useradd --create-home --user-group --shell /bin/bash --groups datalab32,datalab32-admin,docker,sudo <admin_user>
sudo passwd <admin_user>

Then you can set up an SSH key as described in the user guide.

Set up rights

#!/bin/bash

# Run inside /home/: every relative path below is resolved against it.
cd /home || exit 1

# Owner and group may read/write everything; nobody else may. Keys under .ssh
# stay owner-only.
sudo find . -not -path "*/.ssh*" -print0 | sudo xargs -0 chmod -R u+rw,g+rw,o-rw
sudo find . -path "*/.ssh*" -print0 | sudo xargs -0 chmod -R u+rw,g-rw,o-rw
# setgid on directories so new files inherit the directory's group.
sudo find . -type d -print0 | sudo xargs -0 chmod g+sx
sudo chgrp datalab32 .
sudo chgrp -R datalab32 data/
# Default ACLs: new entries get x for others and rwx for the group.
sudo setfacl -R -m d:o::x .
sudo setfacl -R -m d:g::rwx .


# pmp-production: deployed content belongs to datalab32-admin; secret_shared and
# the service data are readable by everyone.
sudo find pmp-production -not -path "*/.*" -not -name 'pmp-production' -print0 | sudo xargs -0 chgrp datalab32-admin
sudo find pmp-production -type d -name 'secret_shared' -print0 | sudo xargs -0 chmod -R o+r
sudo chmod -R o+r /home/pmp-production/pmp-apps/data-docker/service/

# pmp-dev: same layout as pmp-production
sudo find pmp-dev -not -path "*/.*" -not -name 'pmp-dev' -print0 | sudo xargs -0 chgrp datalab32-admin
sudo find pmp-dev -type d -name 'secret_shared' -print0 | sudo xargs -0 chmod -R o+r
sudo chmod -R o+r /home/pmp-dev/pmp-apps/data-docker/service/
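The rights script above applies the model described under "Users and right management", but nothing on the page reads it back. The following read-only audit is an added example (it is not part of this guide) that reports every path where the tree has drifted from that model: world-readable or world-writable files outside .ssh, .ssh contents that group or other can read, and directories that lost the setgid bit (without which new files stop inheriting the datalab32 group). It assumes GNU find (Linux) and takes the root to audit as its first argument, typically /home.

```shell
#!/bin/bash
# Added audit example, not part of the original guide. Read-only: it never
# changes a permission, it only lists paths that violate the model.
# Assumes GNU find (Linux). Usage: audit.sh /home

# Paths outside .ssh where "other" can read or write (the guide sets o-rw).
world_accessible() {
    find "$1" -not -path "*/.ssh*" -perm /o+rw -print
}

# Anything under a .ssh directory that group or other can read or write;
# the guide keeps key material owner-only (g-rw,o-rw).
ssh_group_or_world() {
    find "$1" -path "*/.ssh*" -perm /g+rw,o+rw -print
}

# Directories missing the setgid bit the guide sets with chmod g+sx, without
# which new files would not inherit the datalab32 group.
dirs_without_setgid() {
    find "$1" -type d -not -perm -g+s -print
}

# Run all three checks; returns 0 only when nothing is reported.
audit_home() {
    local root="$1" findings
    findings=$(
        world_accessible "$root"    | sed 's/^/world-accessible: /'
        ssh_group_or_world "$root"  | sed 's/^/ssh not owner-only: /'
        dirs_without_setgid "$root" | sed 's/^/dir without setgid: /'
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Stand-alone use: audit the directory given on the command line.
if [ $# -gt 0 ]; then
    audit_home "$1"
fi
```

Run it as root (or via sudo) so find can descend into every home folder; a non-zero exit means at least one finding, which is convenient for a cron job or a post-deployment check. The audit only covers the mode bits; the default ACLs the script sets with setfacl are not inspected here.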

Security

echo "Port 3232" | sudo tee /etc/ssh/sshd_config.d/custom_ssh.conf > /dev/null
echo "PermitRootLogin no" | sudo tee -a /etc/ssh/sshd_config.d/custom_ssh.conf > /dev/null
sudo systemctl restart ssh

⚠ WARNING: DO NOT execute the following command without an SSH key that is available and functional

echo "PasswordAuthentication no" | sudo tee -a /etc/ssh/sshd_config.d/custom_ssh.conf > /dev/null
sudo systemctl restart ssh
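The three directives above end up in one drop-in file, and the lockout risk the warning describes comes from restarting sshd with a drop-in that does not say what you think it says. The following added example (not part of this guide) reads the drop-in back the way sshd will: it returns the first value set for a directive, because sshd uses first-match semantics, and on Debian the stock sshd_config begins with Include /etc/ssh/sshd_config.d/*.conf, so drop-in values win over the main file. The file path is the one used by the guide; the expected values are the ones the guide sets. It assumes the plain `Key value` directive form and does not handle Match blocks.

```shell
#!/bin/bash
# Added example, not part of the original guide: verify the sshd drop-in
# before restarting the daemon. Assumes the plain "Key value" form and
# ignores Match blocks.

# Print the first value set for a directive in an sshd config file.
# sshd keeps the first occurrence it reads; keys are case-insensitive and
# lines starting with '#' are comments.
sshd_first_value() {
    local file="$1" key="$2"
    awk -v want="$key" '
        /^[[:space:]]*#/ { next }
        NF >= 2 && tolower($1) == tolower(want) { print $2; exit }
    ' "$file"
}

# Return 0 only when every directive the guide sets has the expected value;
# otherwise print what is missing or wrong and return 1.
check_hardening() {
    local file="$1" rc=0
    [ "$(sshd_first_value "$file" Port)" = "3232" ] \
        || { echo "Port is not 3232"; rc=1; }
    [ "$(sshd_first_value "$file" PermitRootLogin)" = "no" ] \
        || { echo "PermitRootLogin is not no"; rc=1; }
    [ "$(sshd_first_value "$file" PasswordAuthentication)" = "no" ] \
        || { echo "PasswordAuthentication is not no"; rc=1; }
    return $rc
}

# Stand-alone use: check the guide's drop-in (or the file given as $1).
if [ $# -gt 0 ] || [ -r /etc/ssh/sshd_config.d/custom_ssh.conf ]; then
    check_hardening "${1:-/etc/ssh/sshd_config.d/custom_ssh.conf}"
fi
```

Pair it with sshd's own checks before each restart: `sudo sshd -t` validates the syntax of the whole configuration, and `sudo sshd -T | grep -iE '^(port|permitrootlogin|passwordauthentication) '` prints the effective values after all includes are merged. Keep the session you are working in open until a second connection on port 3232 with the key has succeeded.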