add server configurations

ubuntu_server.md

@@ -0,0 +1,173 @@
+# Ubuntu Server
+
+## Certbot for Cockpit
+
+During this process you'll pick one node to act as your manager for your other nodes.
+You'll only need to cert a single node and then it will connect via ssh over your local
+network to the other nodes.
+
+Create an AWS user which will have route53 access. This is required for certbot's route53
+validation.
+
+```bash
+export username=<hostname>
+aws iam create-user --user-name $username
+```
+
+You'll also need a policy which allows the user to modify the selected hosted zone:
+
+(list with `aws route53 list-hosted-zones`)
+
+```json
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": [
+                "route53:ListHostedZones",
+                "route53:GetChange"
+            ],
+            "Resource": [
+                "*"
+            ]
+        },
+        {
+            "Effect" : "Allow",
+            "Action" : [
+                "route53:ChangeResourceRecordSets"
+            ],
+            "Resource" : [
+                "arn:aws:route53:::hostedzone/Z0092652G7L97DSINN18"
+            ]
+        }
+    ]
+}
+```
+
+Attach the policy to the user:
+
+```bash
+aws iam attach-user-policy \
+    --user-name $username \
+    --policy-arn arn:aws:iam::892236928704:policy/certbot-route53-reeselink
+```
+
+Generate credentials:
+
+```bash
+aws iam create-access-key --user-name $username
+```
+
+On the host machine:
+
+```bash
+sudo su -
+mkdir ~/.aws
+vim ~/.aws/config
+```
+
+```conf
+[profile default]
+region=us-east-2
+```
+
+```bash
+sudo su -
+vim ~/.aws/credentials
+```
+
+```conf
+[default]
+aws_access_key_id=
+aws_secret_access_key=
+```
+
+Install the aws cli v2 on the manager node:
+
+```bash
+sudo su -
+curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
+apt update && apt install -y unzip
+unzip awscliv2.zip
+./aws/install
+```
+
+Test your credentials with `aws route53 list-hosted-zones`. You should see as list of your
+hosted zones.
+
+Now install certbot and acquire a cert using those credentials:
+
+```bash
+sudo su -
+export record=orange.reeselink.com
+apt update && apt install -y certbot python3-certbot-dns-route53
+certbot certonly --dns-route53 -d $record
+
+cp /etc/letsencrypt/live/$record/fullchain.pem /etc/cockpit/ws-certs.d/50-letsencrypt.cert
+cp /etc/letsencrypt/live/$record/privkey.pem /etc/cockpit/ws-certs.d/50-letsencrypt.key
+
+systemctl restart cockpit.service
+```
+
+Test the renewal process with:
+
+```bash
+sudo su -
+export record=orange.reeselink.com
+certbot renew --cert-name $record --dry-run
+mkdir -p /usr/lib/scripts
+```
+
+Create a renewal script in /usr/lib/scripts/certbot-renew.sh
+
+/usr/lib/scripts/certbot-renew.sh
+
+```bash
+#!/bin/bash
+
+/usr/bin/certbot renew --cert-name $record
+/usr/bin/cp -f /etc/letsencrypt/live/$record/fullchain.pem /etc/cockpit/ws-certs.d/50-letsencrypt.cert
+/usr/bin/cp -f /etc/letsencrypt/live/$record/privkey.pem /etc/cockpit/ws-certs.d/50-letsencrypt.key
+```
+
+```bash
+:%s/$record/yellow.reeselink.com/g
+
+chmod +x /usr/lib/scripts/certbot-renew.sh
+```
+
+Now create a systemd oneshot service to run the script
+
+/etc/systemd/system/certbot-renew.service
+
+```conf
+[Unit]
+Description=Certbot Renewal
+
+[Service]
+Type=oneshot
+ExecStart=/usr/lib/scripts/certbot-renew.sh
+```
+
+/etc/systemd/system/certbot-renew.timer
+
+```conf
+[Unit]
+Description=Timer for Certbot Renewal
+
+[Timer]
+OnBootSec=300
+OnUnitActiveSec=1w
+
+[Install]
+WantedBy=multi-user.target
+```
+
+Enable the service
+
+```bash
+systemctl enable --now certbot-renew.timer
+```
+
+Cockpit now has a valid TLS certificate that auto-renews!