Workstation/ubuntu_server.md

# Ubuntu Server

## Unattended Upgrades

```bash
apt install unattended-upgrades
systemctl enable unattended-upgrades
```

## Certbot for Cockpit

During this process you'll pick one node to act as your manager for your other nodes.
You'll only need to cert a single node and then it will connect via ssh over your local
network to the other nodes.

Create an AWS user which will have route53 access. This is required for certbot's route53
validation.

```bash
export username=<hostname>
aws iam create-user --user-name $username
```

You'll also need a policy which allows the user to modify the selected hosted zone:

(list with `aws route53 list-hosted-zones`)

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "route53:ListHostedZones",
                "route53:GetChange"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect" : "Allow",
            "Action" : [
                "route53:ChangeResourceRecordSets"
            ],
            "Resource" : [
                "arn:aws:route53:::hostedzone/Z0092652G7L97DSINN18"
            ]
        }
    ]
}
```

Attach the policy to the user:

```bash
aws iam attach-user-policy \
    --user-name $username \
    --policy-arn arn:aws:iam::892236928704:policy/certbot-route53-reeselink
```

Generate credentials:

```bash
aws iam create-access-key --user-name $username
```

On the host machine:

```bash
sudo su -
mkdir ~/.aws
vim ~/.aws/config
```

```conf
[profile default]
region=us-east-2
```

```bash
sudo su -
vim ~/.aws/credentials
```

```conf
[default]
aws_access_key_id=
aws_secret_access_key=
```

Install the aws cli v2 on the manager node:

```bash
sudo su -
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
apt update && apt install -y unzip
unzip awscliv2.zip
./aws/install
```

Test your credentials with `aws route53 list-hosted-zones`. You should see as list of your
hosted zones.

Now install certbot and acquire a cert using those credentials:

```bash
sudo su -
export record=orange.reeselink.com
apt update && apt install -y certbot python3-certbot-dns-route53
certbot certonly --dns-route53 -d $record

cp /etc/letsencrypt/live/$record/fullchain.pem /etc/cockpit/ws-certs.d/50-letsencrypt.cert
cp /etc/letsencrypt/live/$record/privkey.pem /etc/cockpit/ws-certs.d/50-letsencrypt.key

systemctl restart cockpit.service
```

Test the renewal process with:

```bash
sudo su -
export record=orange.reeselink.com
certbot renew --cert-name $record --dry-run
mkdir -p /usr/lib/scripts
```

Create a renewal script in /usr/lib/scripts/certbot-renew.sh

/usr/lib/scripts/certbot-renew.sh

```bash
#!/bin/bash

/usr/bin/certbot renew --cert-name $record
/usr/bin/cp -f /etc/letsencrypt/live/$record/fullchain.pem /etc/cockpit/ws-certs.d/50-letsencrypt.cert
/usr/bin/cp -f /etc/letsencrypt/live/$record/privkey.pem /etc/cockpit/ws-certs.d/50-letsencrypt.key
```

```bash
:%s/$record/yellow.reeselink.com/g

chmod +x /usr/lib/scripts/certbot-renew.sh
```

Now create a systemd oneshot service to run the script

/etc/systemd/system/certbot-renew.service

```conf
[Unit]
Description=Certbot Renewal

[Service]
Type=oneshot
ExecStart=/usr/lib/scripts/certbot-renew.sh
```

/etc/systemd/system/certbot-renew.timer

```conf
[Unit]
Description=Timer for Certbot Renewal

[Timer]
OnBootSec=300
OnUnitActiveSec=1w

[Install]
WantedBy=multi-user.target
```

Enable the service

```bash
systemctl enable --now certbot-renew.timer
```

Cockpit now has a valid TLS certificate that auto-renews!