https://8labs.id/enhttps://8labs.id/blog/vps-multi-node-edition/https://8labs.id/blog/vps-multi-node-edition/Tue, 16 Jun 2026 12:00:00 GMT<div><h1 id="production-ready-vps-multi-node-edition">Production-Ready VPS: Multi-Node Edition</h1></div> <blockquote> <p><strong>Part 3 of the series.</strong> <a href="https://8labs.id/blog/vps-production-ready-rocky-ubuntu/">Part 1: Traefik</a> · <a href="https://8labs.id/blog/vps-production-ready-caddy/">Part 2: Caddy</a></p> </blockquote> <p>A single VPS is great, until it isn’t. Hardware fails. Datacenter has a bad day. Kernel panic at 3 AM. Suddenly your app is down and you’re SSH’ing from bed.</p> <p>The fix: <strong>two VPS nodes</strong>. But two nodes means two copies of everything, and two databases writing independently is how you lose data. This post shows the self-hosted way: Postgres replication between nodes and MinIO for shared file storage. No managed services. No vendor lock-in. All yours.</p> <hr> <div><h2 id="architecture">Architecture</h2></div> <div><figure><figcaption></figcaption><pre><code><div><div><span><span> </span></span><span>┌─────────────┐</span></div></div><div><div><span><span> </span></span><span>│ Cloudflare │</span></div></div><div><div><span><span> </span></span><span>│ Orange Cloud │</span></div></div><div><div><span><span> </span></span><span>│ (2x A record)│</span></div></div><div><div><span><span> </span></span><span>└──────┬──────┘</span></div></div><div><div><span><span> </span></span><span>│</span></div></div><div><div><span><span> </span></span><span>┌────────────┴────────────┐</span></div></div><div><div><span><span> </span></span><span>│ │</span></div></div><div><div><span><span> </span></span><span>┌─────▼─────┐ ┌─────▼─────┐</span></div></div><div><div><span><span> </span></span><span>│ VPS-1 │ │ VPS-2 │</span></div></div><div><div><span><span> </span></span><span>│ Caddy │ │ Caddy │</span></div></div><div><div><span><span> </span></span><span>│ App x3 │ │ App x3 │</span></div></div><div><div><span><span> </span></span><span>│ Watchtower│ │ Watchtower│</span></div></div><div><div><span><span> </span></span><span>│ │ │ │</span></div></div><div><div><span><span> </span></span><span>│ Postgres │◇streaming◇│ Postgres │</span></div></div><div><div><span><span> </span></span><span>│ (PRIMARY) │◇replication◇│ (REPLICA) │</span></div></div><div><div><span><span> </span></span><span>│ │ │ │</span></div></div><div><div><span><span> </span></span><span>│ MinIO │◇◀─sync────◇│ MinIO │</span></div></div><div><div><span><span> </span></span><span>└───────────┘ └───────────┘</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <p>VPS-1 is the primary: Postgres writes, MinIO writes. VPS-2 replicates both. If VPS-1 goes down, promote VPS-2 to primary. Everything lives on your own metal.</p> <hr> <div><h2 id="step-1-provision-two-vps-nodes">Step 1: Provision Two VPS Nodes</h2></div> <p>Same as always. Two identical nodes. Same specs, same OS.</p> <starlight-tabs> <div> <ul role="tablist"> <li role="presentation"> <a role="tab" href="#tab-panel-106" id="tab-106" aria-selected="true" tabindex="0"> Rocky Linux 10 </a> </li><li role="presentation"> <a role="tab" href="#tab-panel-107" id="tab-107" aria-selected="false" tabindex="-1"> Ubuntu 26.04 </a> </li> </ul> </div> <div id="tab-panel-106" aria-labelledby="tab-106" role="tabpanel"> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span># On BOTH VPS-1 and VPS-2, follow Steps 1-6 from Part 1:</span></div></div><div><div><span># - Create non-root user, add to wheel</span></div></div><div><div><span># - Harden SSH (no root, no password)</span></div></div><div><div><span># - Install Docker, add user to docker group</span></div></div><div><div><span># - Firewall: ports 22, 80, 443 open</span></div></div><div><div><span># - ALSO open port 5432 between nodes for Postgres replication</span></div></div><div><div><span># - ALSO open port 9000 between nodes for MinIO sync</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> </div><div id="tab-panel-107" aria-labelledby="tab-107" role="tabpanel" hidden> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span># On BOTH VPS-1 and VPS-2, follow Steps 1-6 from Part 1:</span></div></div><div><div><span># - Create non-root user, add to sudo</span></div></div><div><div><span># - Harden SSH (no root, no password)</span></div></div><div><div><span># - Install Docker, add user to docker group</span></div></div><div><div><span># - Firewall via UFW: ports 22, 80, 443 open</span></div></div><div><div><span># - ALSO open port 5432 between nodes for Postgres replication</span></div></div><div><div><span># - ALSO open port 9000 between nodes for MinIO sync</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> </div> </starlight-tabs> <p><strong>Firewall: allow Postgres + MinIO between nodes only:</strong></p> <starlight-tabs> <div> <ul role="tablist"> <li role="presentation"> <a role="tab" href="#tab-panel-108" id="tab-108" aria-selected="true" tabindex="0"> Rocky Linux 10 </a> </li><li role="presentation"> <a role="tab" href="#tab-panel-109" id="tab-109" aria-selected="false" tabindex="-1"> Ubuntu 26.04 </a> </li> </ul> </div> <div id="tab-panel-108" aria-labelledby="tab-108" role="tabpanel"> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span># On BOTH nodes. Replace 10.0.0.2 with the OTHER node's private IP</span></div></div><div><div><span>sudo</span><span> </span><span>firewall-cmd</span><span> </span><span>--permanent</span><span> </span><span>--add-rich-rule=</span><span>"</span><span>rule family=ipv4 source address=10.0.0.2 port port=5432 protocol=tcp accept</span><span>"</span></div></div><div><div><span>sudo</span><span> </span><span>firewall-cmd</span><span> </span><span>--permanent</span><span> </span><span>--add-rich-rule=</span><span>"</span><span>rule family=ipv4 source address=10.0.0.2 port port=9000 protocol=tcp accept</span><span>"</span></div></div><div><div><span>sudo</span><span> </span><span>firewall-cmd</span><span> </span><span>--reload</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> </div><div id="tab-panel-109" aria-labelledby="tab-109" role="tabpanel" hidden> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span># On BOTH nodes. Replace 10.0.0.2 with the OTHER node's private IP</span></div></div><div><div><span>sudo</span><span> </span><span>ufw</span><span> </span><span>allow</span><span> </span><span>from</span><span> </span><span>10.0.0.2</span><span> </span><span>to</span><span> </span><span>any</span><span> </span><span>port</span><span> </span><span>5432</span><span> </span><span>proto</span><span> </span><span>tcp</span></div></div><div><div><span>sudo</span><span> </span><span>ufw</span><span> </span><span>allow</span><span> </span><span>from</span><span> </span><span>10.0.0.2</span><span> </span><span>to</span><span> </span><span>any</span><span> </span><span>port</span><span> </span><span>9000</span><span> </span><span>proto</span><span> </span><span>tcp</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> </div> </starlight-tabs> <blockquote> <p>Most VPS providers give you a private IP for inter-node communication. Use it. Don’t expose Postgres or MinIO to the public internet.</p> </blockquote> <hr> <div><h2 id="step-2-self-hosted-postgres-with-streaming-replication">Step 2: Self-Hosted Postgres with Streaming Replication</h2></div> <p>VPS-1 runs Postgres as <strong>primary</strong> (reads + writes). VPS-2 runs Postgres as <strong>hot standby</strong> (reads only, continuously synced). If VPS-1 dies, promote VPS-2.</p> <div><h3 id="on-vps-1-primary">On VPS-1 (Primary)</h3></div> <p>Create a <code dir="auto">compose.yaml</code> for Postgres:</p> <div><figure><figcaption></figcaption><pre><code><div><div><span>services</span><span>:</span></div></div><div><div><span> </span><span>postgres</span><span>:</span></div></div><div><div><span> </span><span>image</span><span>: </span><span>postgres:17</span></div></div><div><div><span> </span><span>restart</span><span>: </span><span>always</span></div></div><div><div><span> </span><span>environment</span><span>:</span></div></div><div><div><span> </span><span>POSTGRES_PASSWORD</span><span>: </span><span>${PG_PASSWORD}</span></div></div><div><div><span> </span><span>command</span><span>: </span><span>|</span></div></div><div><div><span><span> </span></span><span>-c wal_level=replica</span></div></div><div><div><span><span> </span></span><span>-c max_wal_senders=3</span></div></div><div><div><span><span> </span></span><span>-c wal_keep_size=256</span></div></div><div><div><span> </span><span>volumes</span><span>:</span></div></div><div><div><span><span> </span></span><span>- </span><span>pg-data:/var/lib/postgresql/data</span></div></div><div><div><span><span> </span></span><span>- </span><span>./pg-init:/docker-entrypoint-initdb.d</span></div></div><div><div><span> </span><span>ports</span><span>:</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>5432:5432</span><span>"</span></div></div><div><div> </div></div><div><div><span>volumes</span><span>:</span></div></div><div><div><span> </span><span>pg-data</span><span>:</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <p>Create <code dir="auto">pg-init/01-replication-user.sql</code>:</p> <div><figure><figcaption></figcaption><pre><code><div><div><span>CREATE</span><span> </span><span>ROLE</span><span> replicator </span><span>WITH</span><span> </span><span>LOGIN</span><span> REPLICATION </span><span>PASSWORD</span><span> </span><span>'</span><span>your-replication-password</span><span>'</span><span>;</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <p>Deploy:</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>mkdir</span><span> </span><span>-p</span><span> </span><span>pg-init</span></div></div><div><div><span>echo</span><span> </span><span>"</span><span>CREATE ROLE replicator WITH LOGIN REPLICATION PASSWORD 'your-replication-password';</span><span>"</span><span> </span><span>></span><span> </span><span>pg-init/01-replication-user.sql</span></div></div><div><div><span>docker</span><span> </span><span>compose</span><span> </span><span>up</span><span> </span><span>-d</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <div><h3 id="on-vps-2-replica">On VPS-2 (Replica)</h3></div> <p>Create a <code dir="auto">compose.yaml</code>:</p> <div><figure><figcaption></figcaption><pre><code><div><div><span>services</span><span>:</span></div></div><div><div><span> </span><span>postgres</span><span>:</span></div></div><div><div><span> </span><span>image</span><span>: </span><span>postgres:17</span></div></div><div><div><span> </span><span>restart</span><span>: </span><span>always</span></div></div><div><div><span> </span><span>environment</span><span>:</span></div></div><div><div><span> </span><span>POSTGRES_PASSWORD</span><span>: </span><span>${PG_PASSWORD}</span></div></div><div><div><span> </span><span>volumes</span><span>:</span></div></div><div><div><span><span> </span></span><span>- </span><span>pg-data:/var/lib/postgresql/data</span></div></div><div><div><span> </span><span>ports</span><span>:</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>5432:5432</span><span>"</span></div></div><div><div> </div></div><div><div><span>volumes</span><span>:</span></div></div><div><div><span> </span><span>pg-data</span><span>:</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <p>Start it once to generate the data directory, then stop it:</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>docker</span><span> </span><span>compose</span><span> </span><span>up</span><span> </span><span>-d</span></div></div><div><div><span>docker</span><span> </span><span>compose</span><span> </span><span>stop</span><span> </span><span>postgres</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <p>Now wipe the data directory and pull a base backup from the primary:</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>sudo</span><span> </span><span>rm</span><span> </span><span>-rf</span><span> </span><span>/var/lib/docker/volumes/guestbook_pg-data/_data/</span><span>*</span></div></div><div><div><span>docker</span><span> </span><span>compose</span><span> </span><span>run</span><span> </span><span>--rm</span><span> </span><span>postgres</span><span> </span><span>pg_basebackup</span><span> </span><span>-h</span><span> </span><span>10.0.0.1</span><span> </span><span>-U</span><span> </span><span>replicator</span><span> </span><span>-D</span><span> </span><span>/var/lib/postgresql/data</span><span> </span><span>-P</span><span> </span><span>-R</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <p>The <code dir="auto">-R</code> flag creates a <code dir="auto">standby.signal</code> file and configures the connection string automatically.</p> <p>Now update <code dir="auto">compose.yaml</code> for VPS-2 with replication settings:</p> <div><figure><figcaption></figcaption><pre><code><div><div><span>services</span><span>:</span></div></div><div><div><span> </span><span>postgres</span><span>:</span></div></div><div><div><span> </span><span>image</span><span>: </span><span>postgres:17</span></div></div><div><div><span> </span><span>restart</span><span>: </span><span>always</span></div></div><div><div><span> </span><span>environment</span><span>:</span></div></div><div><div><span> </span><span>POSTGRES_PASSWORD</span><span>: </span><span>${PG_PASSWORD}</span></div></div><div><div><span> </span><span>command</span><span>: </span><span>|</span></div></div><div><div><span><span> </span></span><span>-c primary_conninfo='host=10.0.0.1 port=5432 user=replicator password=your-replication-password'</span></div></div><div><div><span><span> </span></span><span>-c primary_slot_name=replica_slot</span></div></div><div><div><span> </span><span>volumes</span><span>:</span></div></div><div><div><span><span> </span></span><span>- </span><span>pg-data:/var/lib/postgresql/data</span></div></div><div><div><span> </span><span>ports</span><span>:</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>5432:5432</span><span>"</span></div></div><div><div> </div></div><div><div><span>volumes</span><span>:</span></div></div><div><div><span> </span><span>pg-data</span><span>:</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <p>Create a replication slot on the primary:</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span># On VPS-1</span></div></div><div><div><span>docker</span><span> </span><span>compose</span><span> </span><span>exec</span><span> </span><span>postgres</span><span> </span><span>psql</span><span> </span><span>-U</span><span> </span><span>postgres</span><span> </span><span>-c</span><span> </span><span>"</span><span>SELECT * FROM pg_create_physical_replication_slot('replica_slot');</span><span>"</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <p>Start the replica:</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span># On VPS-2</span></div></div><div><div><span>docker</span><span> </span><span>compose</span><span> </span><span>up</span><span> </span><span>-d</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <p>Verify replication is working:</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span># On VPS-1 — should show one replica connected</span></div></div><div><div><span>docker</span><span> </span><span>compose</span><span> </span><span>exec</span><span> </span><span>postgres</span><span> </span><span>psql</span><span> </span><span>-U</span><span> </span><span>postgres</span><span> </span><span>-c</span><span> </span><span>"</span><span>SELECT client_addr, state FROM pg_stat_replication;</span><span>"</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <div><h3 id="app-connection-string">App connection string</h3></div> <p>Your app needs to know: writes go to VPS-1, reads CAN go to VPS-2:</p> <div><figure><figcaption></figcaption><pre><code><div><div><span>DATABASE_URL=postgresql://postgres:***@10.0.0.1:5432/mydb # writes (VPS-1)</span></div></div><div><div><span>DATABASE_REPLICA_URL=postgresql://postgres:***@10.0.0.2:5432/mydb # reads (VPS-2)</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <p>For most apps, just point everything at the primary. The replica is there for failover, not load distribution.</p> <hr> <div><h2 id="step-3-self-hosted-object-storage-with-minio">Step 3: Self-Hosted Object Storage with MinIO</h2></div> <p>MinIO is an S3-compatible object store. Run it on both nodes with bucket replication.</p> <div><h3 id="on-both-vps-1-and-vps-2">On BOTH VPS-1 and VPS-2</h3></div> <p>Add to your <code dir="auto">compose.yaml</code>:</p> <div><figure><figcaption></figcaption><pre><code><div><div><span>services</span><span>:</span></div></div><div><div><span> </span><span>minio</span><span>:</span></div></div><div><div><span> </span><span>image</span><span>: </span><span>minio/minio:latest</span></div></div><div><div><span> </span><span>restart</span><span>: </span><span>always</span></div></div><div><div><span> </span><span>command</span><span>: </span><span>server /data --console-address ":9001"</span></div></div><div><div><span> </span><span>environment</span><span>:</span></div></div><div><div><span> </span><span>MINIO_ROOT_USER</span><span>: </span><span>minioadmin</span></div></div><div><div><span> </span><span>MINIO_ROOT_PASSWORD</span><span>: </span><span>${MINIO_PASSWORD}</span></div></div><div><div><span> </span><span>volumes</span><span>:</span></div></div><div><div><span><span> </span></span><span>- </span><span>minio-data:/data</span></div></div><div><div><span> </span><span>ports</span><span>:</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>9000:9000</span><span>"</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>9001:9001</span><span>"</span></div></div><div><div> </div></div><div><div><span>volumes</span><span>:</span></div></div><div><div><span> </span><span>minio-data</span><span>:</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <div><h3 id="configure-bucket-replication">Configure bucket replication</h3></div> <p>Access MinIO Console at <code dir="auto">http://vps1-ip:9001</code>. Create a bucket (e.g., <code dir="auto">uploads</code>).</p> <p>Then on BOTH nodes, configure replication via <code dir="auto">mc</code> (MinIO Client):</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span># Install mc</span></div></div><div><div><span>curl</span><span> </span><span>https://dl.min.io/client/mc/release/linux-amd64/mc</span><span> </span><span>-o</span><span> </span><span>/usr/local/bin/mc</span></div></div><div><div><span>chmod</span><span> </span><span>+x</span><span> </span><span>/usr/local/bin/mc</span></div></div><div><div> </div></div><div><div><span># Add both MinIO instances</span></div></div><div><div><span>mc</span><span> </span><span>alias</span><span> </span><span>set</span><span> </span><span>vps1</span><span> </span><span>http://10.0.0.1:9000</span><span> </span><span>minioadmin</span><span> ${</span><span>MINIO_PASSWORD</span><span>}</span></div></div><div><div><span>mc</span><span> </span><span>alias</span><span> </span><span>set</span><span> </span><span>vps2</span><span> </span><span>http://10.0.0.2:9000</span><span> </span><span>minioadmin</span><span> ${</span><span>MINIO_PASSWORD</span><span>}</span></div></div><div><div> </div></div><div><div><span># Create replication rule — VPS-1 → VPS-2</span></div></div><div><div><span>mc</span><span> </span><span>replicate</span><span> </span><span>add</span><span> </span><span>vps1/uploads</span><span> </span><span>--remote-bucket</span><span> </span><span>vps2/uploads</span><span> </span><span>--priority</span><span> </span><span>1</span></div></div><div><div> </div></div><div><div><span># Create replication rule — VPS-2 → VPS-1 (bidirectional)</span></div></div><div><div><span>mc</span><span> </span><span>replicate</span><span> </span><span>add</span><span> </span><span>vps2/uploads</span><span> </span><span>--remote-bucket</span><span> </span><span>vps1/uploads</span><span> </span><span>--priority</span><span> </span><span>1</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <p>Now any file uploaded to VPS-1’s MinIO is automatically replicated to VPS-2, and vice versa. Your app writes to its local MinIO, reads from the same. Both nodes always have the full file set.</p> <div><h3 id="app-config">App config</h3></div> <p>Your app uses the local MinIO endpoint. On each node it’s always <code dir="auto">localhost:9000</code>:</p> <div><figure><figcaption></figcaption><pre><code><div><div><span>S3_ENDPOINT=http://localhost:9000</span></div></div><div><div><span>S3_BUCKET=uploads</span></div></div><div><div><span>S3_ACCESS_KEY=minioadmin</span></div></div><div><div><span>S3_SECRET_KEY=${MINI...</span></div></div><div><div><span>No code changes needed between single-node and multi-node. MinIO replication handles sync transparently.</span></div></div><div><div> </div></div><div><div><span>> **Don't need file uploads?** Skip MinIO entirely. Your app is already multi-node-ready.</span></div></div><div><div> </div></div><div><div><span>---</span></div></div><div><div> </div></div><div><div><span>## Step 4: Deploy the App on Both Nodes</span></div></div><div><div> </div></div><div><div><span>We use **Caddy** as the reverse proxy, following the simpler setup from [Part 2](/blog/vps-production-ready-caddy/). Build the `caddy-docker-proxy` image on both nodes (or push to ghcr.io and pull):</span></div></div><div><div> </div></div><div><div><span>```dockerfile</span></div></div><div><div><span>FROM caddy:2.9-builder AS builder</span></div></div><div><div><span>RUN xcaddy build --with github.com/lucaslorentz/caddy-docker-proxy/v2</span></div></div><div><div><span>FROM caddy:2.9</span></div></div><div><div><span>COPY --from=builder /usr/bin/caddy /usr/bin/caddy</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>docker</span><span> </span><span>build</span><span> </span><span>-t</span><span> </span><span>caddy-docker-proxy</span><span> </span><span>.</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <p>Now the full <code dir="auto">compose.yaml</code> for <strong>VPS-1</strong> (primary):</p> <div><figure><figcaption></figcaption><pre><code><div><div><span>services</span><span>:</span></div></div><div><div><span> </span><span>caddy</span><span>:</span></div></div><div><div><span> </span><span>image</span><span>: </span><span>caddy-docker-proxy</span></div></div><div><div><span> </span><span>restart</span><span>: </span><span>always</span></div></div><div><div><span> </span><span>ports</span><span>:</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>80:80</span><span>"</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>443:443</span><span>"</span></div></div><div><div><span> </span><span>volumes</span><span>:</span></div></div><div><div><span><span> </span></span><span>- </span><span>/var/run/docker.sock:/var/run/docker.sock:ro</span></div></div><div><div><span><span> </span></span><span>- </span><span>caddy-data:/data</span></div></div><div><div> </div></div><div><div><span> </span><span>postgres</span><span>:</span></div></div><div><div><span> </span><span>image</span><span>: </span><span>postgres:17</span></div></div><div><div><span> </span><span>restart</span><span>: </span><span>always</span></div></div><div><div><span> </span><span>environment</span><span>:</span></div></div><div><div><span> </span><span>POSTGRES_PASSWORD</span><span>: </span><span>${PG_PASSWORD}</span></div></div><div><div><span> </span><span>command</span><span>: </span><span>|</span></div></div><div><div><span><span> </span></span><span>-c wal_level=replica</span></div></div><div><div><span><span> </span></span><span>-c max_wal_senders=3</span></div></div><div><div><span><span> </span></span><span>-c wal_keep_size=256</span></div></div><div><div><span> </span><span>volumes</span><span>:</span></div></div><div><div><span><span> </span></span><span>- </span><span>pg-data:/var/lib/postgresql/data</span></div></div><div><div><span> </span><span>ports</span><span>:</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>5432:5432</span><span>"</span></div></div><div><div> </div></div><div><div><span> </span><span>minio</span><span>:</span></div></div><div><div><span> </span><span>image</span><span>: </span><span>minio/minio:latest</span></div></div><div><div><span> </span><span>restart</span><span>: </span><span>always</span></div></div><div><div><span> </span><span>command</span><span>: </span><span>server /data --console-address ":9001"</span></div></div><div><div><span> </span><span>environment</span><span>:</span></div></div><div><div><span> </span><span>MINIO_ROOT_USER</span><span>: </span><span>minioadmin</span></div></div><div><div><span> </span><span>MINIO_ROOT_PASSWORD</span><span>: </span><span>${MINIO_PASSWORD}</span></div></div><div><div><span> </span><span>volumes</span><span>:</span></div></div><div><div><span><span> </span></span><span>- </span><span>minio-data:/data</span></div></div><div><div><span> </span><span>ports</span><span>:</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>9000:9000</span><span>"</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>9001:9001</span><span>"</span></div></div><div><div> </div></div><div><div><span> </span><span>guestbook</span><span>:</span></div></div><div><div><span> </span><span>image</span><span>: </span><span>ghcr.io/yourusername/guestbook:prod</span></div></div><div><div><span> </span><span>restart</span><span>: </span><span>always</span></div></div><div><div><span> </span><span>environment</span><span>:</span></div></div><div><div><span> </span><span>DATABASE_URL</span><span>: </span><span>postgresql://postgres:***@postgres:5432/mydb</span></div></div><div><div><span> </span><span>S3_ENDPOINT</span><span>: </span><span>http://minio:9000</span></div></div><div><div><span> </span><span>S3_BUCKET</span><span>: </span><span>uploads</span></div></div><div><div><span> </span><span>S3_ACCESS_KEY</span><span>: </span><span>minioadmin</span></div></div><div><div><span> </span><span>S3_SECRET_KEY</span><span>: </span><span>${MINIO_PASSWORD}</span></div></div><div><div><span> </span><span>S3_USE_SSL</span><span>: </span><span>"</span><span>false</span><span>"</span></div></div><div><div><span> </span><span>labels</span><span>:</span></div></div><div><div><span> </span><span>caddy</span><span>: </span><span>yourdomain.com</span></div></div><div><div><span> </span><span>caddy.reverse_proxy</span><span>: </span><span>"</span><span>{{upstreams 8080}}</span><span>"</span></div></div><div><div><span> </span><span>com.centurylinklabs.watchtower.enable</span><span>: </span><span>"</span><span>true</span><span>"</span></div></div><div><div><span> </span><span>deploy</span><span>:</span></div></div><div><div><span> </span><span>replicas</span><span>: </span><span>3</span></div></div><div><div><span> </span><span>depends_on</span><span>:</span></div></div><div><div><span><span> </span></span><span>- </span><span>postgres</span></div></div><div><div> </div></div><div><div><span> </span><span>watchtower</span><span>:</span></div></div><div><div><span> </span><span>image</span><span>: </span><span>containrrr/watchtower</span></div></div><div><div><span> </span><span>command</span><span>:</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>--label-enable</span><span>"</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>--interval</span><span>"</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>30</span><span>"</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>--rolling-restart</span><span>"</span></div></div><div><div><span> </span><span>volumes</span><span>:</span></div></div><div><div><span><span> </span></span><span>- </span><span>/var/run/docker.sock:/var/run/docker.sock:ro</span></div></div><div><div> </div></div><div><div><span>volumes</span><span>:</span></div></div><div><div><span> </span><span>caddy-data</span><span>:</span></div></div><div><div><span> </span><span>pg-data</span><span>:</span></div></div><div><div><span> </span><span>minio-data</span><span>:</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <p><strong>VPS-2</strong> uses the same <code dir="auto">compose.yaml</code> but with the replica Postgres config from Step 2 (different <code dir="auto">command</code> on the postgres service). Everything else is identical.</p> <p>Deploy on both:</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span># On VPS-1</span></div></div><div><div><span>cd</span><span> </span><span>~/guestbook</span><span> &#x26;&#x26; </span><span>docker</span><span> </span><span>compose</span><span> </span><span>up</span><span> </span><span>-d</span></div></div><div><div> </div></div><div><div><span># On VPS-2</span></div></div><div><div><span>cd</span><span> </span><span>~/guestbook</span><span> &#x26;&#x26; </span><span>docker</span><span> </span><span>compose</span><span> </span><span>up</span><span> </span><span>-d</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <hr> <div><h2 id="step-5-cloudflare-orange-cloud-free-load-balancing">Step 5: Cloudflare Orange Cloud (Free Load Balancing)</h2></div> <p>Cloudflare Load Balancer costs $10/month. For two nodes, the free alternative works well enough.</p> <ol> <li>In Cloudflare DNS dashboard, add <strong>two A records</strong> for your domain</li> <li>Both point to <code dir="auto">@</code> (root), one to each VPS public IP</li> <li><strong>Enable the orange cloud (proxy)</strong> on both records</li> <li>Cloudflare distributes traffic across both origins automatically</li> </ol> <div><figure><figcaption></figcaption><pre><code><div><div><span>Type Name Content Proxy</span></div></div><div><div><span>A @ &#x3C;VPS-1 IP> 🟧 Proxied</span></div></div><div><div><span>A @ &#x3C;VPS-2 IP> 🟧 Proxied</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <p><strong>Limitations compared to paid LB:</strong></p> <ul> <li>No active health checks. If VPS-1 goes hard down (timeout), Cloudflare eventually stops sending traffic there. But if the app returns 500s, Cloudflare won’t know.</li> <li>No weighted routing. Traffic split is roughly 50/50, not configurable.</li> <li>Failover is reactive, not proactive.</li> </ul> <p><strong>For most projects, this is enough.</strong> Your uptime monitor (Step 8) will catch the 500s and you can manually pull the dead node’s A record. If you need 99.9% uptime with automatic failover, the $10/month Cloudflare LB is the upgrade path.</p> <hr> <div><h2 id="step-6-failover--when-vps-1-goes-down">Step 6: Failover — When VPS-1 Goes Down</h2></div> <p>Cloudflare detects VPS-1 is unreachable, routes all traffic to VPS-2. Your app on VPS-2 is still running, still serving. But Postgres on VPS-2 is a <strong>read-only replica</strong>.</p> <p>To promote it:</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span># On VPS-2 — promote the replica to primary</span></div></div><div><div><span>docker</span><span> </span><span>compose</span><span> </span><span>exec</span><span> </span><span>postgres</span><span> </span><span>psql</span><span> </span><span>-U</span><span> </span><span>postgres</span><span> </span><span>-c</span><span> </span><span>"</span><span>SELECT pg_promote();</span><span>"</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <p>Now VPS-2’s Postgres accepts writes. Update your app’s <code dir="auto">DATABASE_URL</code> (if it pointed to VPS-1’s IP) or restart the container if using the local <code dir="auto">postgres</code> hostname.</p> <blockquote> <p><strong>Also remove VPS-1’s A record</strong> from Cloudflare DNS so traffic stops going to the dead node.</p> </blockquote> <p>When VPS-1 comes back:</p> <ul> <li><strong>Rebuild it as a new replica</strong> (pg_basebackup from VPS-2)</li> <li>Add its A record back to Cloudflare</li> </ul> <p>This is a <strong>manual failover</strong>. For automatic failover you’d need Patroni + etcd, which triples the complexity. For a two-node self-hosted setup, manual promotion is pragmatic. You’ll be awake anyway because your monitoring alerted you.</p> <hr> <div><h2 id="step-7-automated-deploys">Step 7: Automated Deploys</h2></div> <p>Watchtower on both nodes. Push a new image, both nodes update within 30 seconds.</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>docker</span><span> </span><span>build</span><span> </span><span>-t</span><span> </span><span>ghcr.io/yourusername/guestbook:prod</span><span> </span><span>.</span></div></div><div><div><span>docker</span><span> </span><span>push</span><span> </span><span>ghcr.io/yourusername/guestbook:prod</span></div></div><div><div><span># Wait 30s. Both VPS-1 and VPS-2 roll restart.</span></div></div><div><div><span># Zero downtime — Cloudflare routes away from restarting node.</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <hr> <div><h2 id="step-8-monitoring">Step 8: Monitoring</h2></div> <ul> <li><strong>Uptime Robot</strong> (free): add <code dir="auto">http://vps1-ip/health</code> and <code dir="auto">http://vps2-ip/health</code></li> <li><strong>Postgres replication lag</strong>: <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>docker</span><span> </span><span>compose</span><span> </span><span>exec</span><span> </span><span>postgres</span><span> </span><span>psql</span><span> </span><span>-U</span><span> </span><span>postgres</span><span> </span><span>-c</span><span> </span><span>"</span><span>SELECT pg_wal_lsn_diff(pg_current_wal_lsn(), replay_lsn) FROM pg_stat_replication;</span><span>"</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> </li> <li><strong>Disk usage on both nodes</strong>: <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>df</span><span> </span><span>-h</span><span> </span><span>/var/lib/docker/volumes</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> </li> </ul> <hr> <div><h2 id="resources-needed">Resources Needed</h2></div> <p>What each component actually uses on your nodes:</p> <table><thead><tr><th>Component</th><th>vCPU</th><th>RAM</th><th>Disk</th><th>Notes</th></tr></thead><tbody><tr><td><strong>Caddy</strong></td><td>0.2</td><td>128 MB</td><td>—</td><td>Negligible. Single binary, ~20 MB at runtime</td></tr><tr><td><strong>App (x3 replicas)</strong></td><td>1.5</td><td>512 MB</td><td>—</td><td>Depends on your app. Go/Rust: 50 MB, Node/Python: 200+ MB per instance</td></tr><tr><td><strong>Postgres</strong></td><td>1</td><td>1 GB</td><td>scales with data</td><td>Shared buffers + WAL. 1 GB is minimum for replication</td></tr><tr><td><strong>MinIO</strong></td><td>0.5</td><td>512 MB</td><td>scales with files</td><td>Each node stores full file set. Plan accordingly</td></tr><tr><td><strong>Watchtower</strong></td><td>0.1</td><td>64 MB</td><td>—</td><td>Barely a blip</td></tr><tr><td><strong>OS overhead</strong></td><td>0.5</td><td>1 GB</td><td>20 GB</td><td>systemd, Docker daemon, SSH</td></tr><tr><td><strong>Buffer</strong></td><td>1</td><td>1.5 GB</td><td>—</td><td>Headroom for spikes, logs, builds</td></tr></tbody></table> <p><strong>Recommendation per node:</strong> 4 vCPU / 8 GB RAM / 80 GB SSD.</p> <p>For low-traffic apps, 2 vCPU / 4 GB works. For Postgres-heavy workloads, bump to 8 GB RAM and give Postgres 2-4 GB of <code dir="auto">shared_buffers</code>.</p> <hr> <div><h2 id="traefik-vs-caddy-for-multi-node">Traefik vs Caddy for Multi-Node</h2></div> <p>If you followed Part 1 with Traefik and want to keep it, just swap the Caddy service for your Traefik config. The rest — Postgres replication, MinIO sync, Cloudflare DNS — stays exactly the same. The reverse proxy layer is independent of everything else.</p> <p>That said, Caddy’s 3-line config is especially nice when you’re managing two identical nodes. Less YAML to keep in sync.</p> <hr> <div><h2 id="checklist">Checklist</h2></div> <ul> <li><input type="checkbox" disabled> Two VPS nodes hardened, Docker installed</li> <li><input type="checkbox" disabled> Postgres primary on VPS-1, replica on VPS-2</li> <li><input type="checkbox" disabled> Streaming replication verified</li> <li><input type="checkbox" disabled> MinIO running on both nodes, bucket replication active</li> <li><input type="checkbox" disabled> Caddy built and running on both nodes</li> <li><input type="checkbox" disabled> App deployed on both nodes with identical compose.yaml</li> <li><input type="checkbox" disabled> Cloudflare DNS: two A records, orange cloud enabled</li> <li><input type="checkbox" disabled> Watchtower on both nodes</li> <li><input type="checkbox" disabled> Failover tested (promote replica, verify traffic flows)</li> <li><input type="checkbox" disabled> Uptime monitoring on both nodes</li> </ul> <hr> <p>No managed databases. No S3 bills. No load balancer subscription. Just two Linux boxes, Postgres replication, MinIO sync, and Cloudflare’s free proxy tier. Everything you need for a production multi-node setup, running on your own hardware.</p>https://8labs.id/blog/vps-production-ready-caddy/https://8labs.id/blog/vps-production-ready-caddy/Tue, 16 Jun 2026 11:00:00 GMT<div><h1 id="vps-production-ready-with-caddy--the-simpler-alternative">VPS Production-Ready with Caddy : The Simpler Alternative</h1></div> <blockquote> <p>Companion to our <a href="https://8labs.id/blog/vps-production-ready-rocky-ubuntu/">Traefik-based guide</a>. Same stack, simpler reverse proxy.</p> </blockquote> <p>In the <a href="https://8labs.id/blog/vps-production-ready-rocky-ubuntu/">previous post</a> we set up a production-ready VPS with Traefik : powerful, but heavy. Traefik’s config sprawls across YAML labels, ACME resolvers, entrypoints, and middleware chains. For most projects, it’s overkill.</p> <p><strong>Caddy</strong> does the same job with a fraction of the config. One binary, HTTPS by default, and Docker labels so clean you can read them in one breath.</p> <p>This post covers the exact same 12-step stack, swapping Traefik for Caddy. All commands cover both <strong>Rocky Linux 10</strong> and <strong>Ubuntu 26.04</strong>.</p> <hr> <div><h2 id="steps-16-identical-to-the-traefik-guide">Steps 1–6: Identical to the Traefik Guide</h2></div> <p>Provisioning, user creation, DNS, SSH hardening, firewall, and Docker installation are exactly the same. Follow Steps 1–6 from the <a href="https://8labs.id/blog/vps-production-ready-rocky-ubuntu/">Traefik guide</a>, then come back here.</p> <p>Quick recap of where you should be:</p> <ul> <li><input type="checkbox" disabled> Non-root user with sudo/wheel</li> <li><input type="checkbox" disabled> SSH hardened (no password, no root login)</li> <li><input type="checkbox" disabled> Firewall: ports 22, 80, 443 open</li> <li><input type="checkbox" disabled> Docker installed, user in <code dir="auto">docker</code> group</li> </ul> <hr> <div><h2 id="step-7-build-the-caddy--docker-proxy-image">Step 7: Build the Caddy + Docker Proxy Image</h2></div> <p>Caddy doesn’t natively discover Docker containers. We need the <a href="https://github.com/lucaslorentz/caddy-docker-proxy"><code dir="auto">caddy-docker-proxy</code></a> plugin : a lightweight module that watches Docker labels and generates routes automatically, just like Traefik.</p> <p>Create a <code dir="auto">Dockerfile</code>:</p> <div><figure><figcaption></figcaption><pre><code><div><div><span>FROM</span><span> caddy:2.9-builder </span><span>AS</span><span> builder</span></div></div><div><div> </div></div><div><div><span>RUN</span><span> xcaddy build \</span></div></div><div><div><span><span> </span></span><span>--with github.com/lucaslorentz/caddy-docker-proxy/v2</span></div></div><div><div> </div></div><div><div><span>FROM</span><span> caddy:2.9</span></div></div><div><div> </div></div><div><div><span>COPY</span><span> --from=builder /usr/bin/caddy /usr/bin/caddy</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <p>Build it:</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>docker</span><span> </span><span>build</span><span> </span><span>-t</span><span> </span><span>caddy-docker-proxy</span><span> </span><span>.</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <blockquote> <p><strong>💡 Tip:</strong> Push this image to <code dir="auto">ghcr.io/yourusername/caddy-docker-proxy</code> so you don’t rebuild on every deploy. CI can handle it.</p> </blockquote> <hr> <div><h2 id="step-8-deploy-the-stack-with-caddy">Step 8: Deploy the Stack with Caddy</h2></div> <p>Create <code dir="auto">~/guestbook/</code> just like before, then write the <code dir="auto">compose.yaml</code>:</p> <div><figure><figcaption></figcaption><pre><code><div><div><span>services</span><span>:</span></div></div><div><div><span> </span><span>caddy</span><span>:</span></div></div><div><div><span> </span><span>image</span><span>: </span><span>caddy-docker-proxy</span></div></div><div><div><span> </span><span>restart</span><span>: </span><span>always</span></div></div><div><div><span> </span><span>ports</span><span>:</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>80:80</span><span>"</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>443:443</span><span>"</span></div></div><div><div><span> </span><span>volumes</span><span>:</span></div></div><div><div><span><span> </span></span><span>- </span><span>/var/run/docker.sock:/var/run/docker.sock:ro</span></div></div><div><div><span><span> </span></span><span>- </span><span>caddy-data:/data</span></div></div><div><div><span><span> </span></span><span>- </span><span>./Caddyfile:/etc/caddy/Caddyfile</span></div></div><div><div> </div></div><div><div><span> </span><span>db</span><span>:</span></div></div><div><div><span> </span><span>image</span><span>: </span><span>postgres:17</span></div></div><div><div><span> </span><span>restart</span><span>: </span><span>always</span></div></div><div><div><span> </span><span>environment</span><span>:</span></div></div><div><div><span> </span><span>POSTGRES_PASSWORD_FILE</span><span>: </span><span>/run/secrets/postgres-password</span></div></div><div><div><span> </span><span>volumes</span><span>:</span></div></div><div><div><span><span> </span></span><span>- </span><span>postgres-data:/var/lib/postgresql/data</span></div></div><div><div><span> </span><span>secrets</span><span>:</span></div></div><div><div><span><span> </span></span><span>- </span><span>postgres-password</span></div></div><div><div> </div></div><div><div><span> </span><span>guestbook</span><span>:</span></div></div><div><div><span> </span><span>image</span><span>: </span><span>ghcr.io/yourusername/guestbook:prod</span></div></div><div><div><span> </span><span>restart</span><span>: </span><span>always</span></div></div><div><div><span> </span><span>environment</span><span>:</span></div></div><div><div><span> </span><span>DATABASE_URL</span><span>: </span><span>postgres://postgres:${POSTGRES_PASSWORD}@db:5432/postgres?sslmode=disable</span></div></div><div><div><span> </span><span>labels</span><span>:</span></div></div><div><div><span> </span><span>caddy</span><span>: </span><span>yourdomain.com</span></div></div><div><div><span> </span><span>caddy.reverse_proxy</span><span>: </span><span>"</span><span>{{upstreams 8080}}</span><span>"</span></div></div><div><div><span> </span><span>deploy</span><span>:</span></div></div><div><div><span> </span><span>replicas</span><span>: </span><span>3</span></div></div><div><div><span> </span><span>depends_on</span><span>:</span></div></div><div><div><span><span> </span></span><span>- </span><span>db</span></div></div><div><div> </div></div><div><div><span>secrets</span><span>:</span></div></div><div><div><span> </span><span>postgres-password</span><span>:</span></div></div><div><div><span> </span><span>file</span><span>: </span><span>./db/postgres-password.txt</span></div></div><div><div> </div></div><div><div><span>volumes</span><span>:</span></div></div><div><div><span> </span><span>postgres-data</span><span>:</span></div></div><div><div><span> </span><span>caddy-data</span><span>:</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <p>That’s it. <strong>Three labels</strong> replace Traefik’s 8-label configuration.</p> <p>The <code dir="auto">Caddyfile</code> is minimal : caddy-docker-proxy handles routing from Docker labels:</p> <div><figure><figcaption></figcaption><pre><code><div><div><span>{</span></div></div><div><div><span><span> </span></span><span>debug</span></div></div><div><div><span>}</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <blockquote> <p>If you need custom middleware (rate limiting, IP filtering, header manipulation), add it here. For most apps, the empty Caddyfile above is sufficient.</p> </blockquote> <p>Deploy:</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>export</span><span> </span><span>POSTGRES_PASSWORD</span><span>=</span><span>$(</span><span>cat</span><span> </span><span>db/postgres-password.txt</span><span>)</span></div></div><div><div><span>docker</span><span> </span><span>compose</span><span> </span><span>up</span><span> </span><span>-d</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <hr> <div><h2 id="step-9-load-balancing--auto-discovery">Step 9: Load Balancing : Auto-Discovery</h2></div> <p>Caddy + caddy-docker-proxy automatically discovers all containers for a service. With <code dir="auto">replicas: 3</code>, Caddy round-robins across all three guestbook instances. No extra config.</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>docker</span><span> </span><span>compose</span><span> </span><span>up</span><span> </span><span>-d</span><span> </span><span>--scale</span><span> </span><span>guestbook=</span><span>3</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <blockquote> <p>Unlike Traefik, Caddy doesn’t track container health mid-request. If a container dies between discovery ticks, the next request may hit a dead backend for a few seconds. For most projects this is fine : the health check interval is configurable.</p> </blockquote> <hr> <div><h2 id="step-10-https--literally-nothing-to-configure">Step 10: HTTPS : Literally Nothing to Configure</h2></div> <p>This is where Caddy shines. <strong>HTTPS works out of the box.</strong> No ACME email, no challenge type, no certificate resolver, no storage volume for <code dir="auto">acme.json</code>.</p> <p>How? Caddy sees <code dir="auto">yourdomain.com</code> in the Docker label, obtains a Let’s Encrypt certificate automatically, and renews it 30 days before expiry. The certificates live in the <code dir="auto">caddy-data</code> volume.</p> <p><strong>Zero config. Not kidding.</strong></p> <p>Compare:</p> <starlight-tabs> <div> <ul role="tablist"> <li role="presentation"> <a role="tab" href="#tab-panel-120" id="tab-120" aria-selected="true" tabindex="0"> Caddy </a> </li><li role="presentation"> <a role="tab" href="#tab-panel-121" id="tab-121" aria-selected="false" tabindex="-1"> Traefik </a> </li> </ul> </div> <div id="tab-panel-120" aria-labelledby="tab-120" role="tabpanel"> <div><figure><figcaption></figcaption><pre><code><div><div><span># No ACME config at all.</span></div></div><div><div><span># HTTPS just works.</span></div></div><div><div><span>labels</span><span>:</span></div></div><div><div><span> </span><span>caddy</span><span>: </span><span>yourdomain.com</span></div></div><div><div><span> </span><span>caddy.reverse_proxy</span><span>: </span><span>"</span><span>{{upstreams 8080}}</span><span>"</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> </div><div id="tab-panel-121" aria-labelledby="tab-121" role="tabpanel" hidden> <div><figure><figcaption></figcaption><pre><code><div><div><span># Traefik service needs:</span></div></div><div><div><span>command</span><span>:</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>--entrypoints.websecure.address=:443</span><span>"</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>--certificatesresolvers.letsencrypt.acme.tlschallenge=true</span><span>"</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>--certificatesresolvers.letsencrypt.acme.email=you@example.com</span><span>"</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json</span><span>"</span></div></div><div><div><span># Plus per-service labels:</span></div></div><div><div><span>labels</span><span>:</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>traefik.http.routers.guestbook.entrypoints=websecure</span><span>"</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>traefik.http.routers.guestbook.tls.certresolver=letsencrypt</span><span>"</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>traefik.http.routers.guestbook-http.rule=Host(`yourdomain.com`)</span><span>"</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>traefik.http.routers.guestbook-http.entrypoints=web</span><span>"</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https</span><span>"</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>traefik.http.routers.guestbook-http.middlewares=redirect-to-https</span><span>"</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> </div> </starlight-tabs> <p>HTTP → HTTPS redirect is also automatic with Caddy. No middleware labels needed.</p> <hr> <div><h2 id="step-11-automated-deployments-watchtower">Step 11: Automated Deployments (Watchtower)</h2></div> <p>Identical to the Traefik setup:</p> <div><figure><figcaption></figcaption><pre><code><div><div><span>services</span><span>:</span></div></div><div><div><span> </span><span>watchtower</span><span>:</span></div></div><div><div><span> </span><span>image</span><span>: </span><span>containrrr/watchtower</span></div></div><div><div><span> </span><span>command</span><span>:</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>--label-enable</span><span>"</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>--interval</span><span>"</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>30</span><span>"</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>--rolling-restart</span><span>"</span></div></div><div><div><span> </span><span>volumes</span><span>:</span></div></div><div><div><span><span> </span></span><span>- </span><span>/var/run/docker.sock:/var/run/docker.sock:ro</span></div></div><div><div> </div></div><div><div><span> </span><span>guestbook</span><span>:</span></div></div><div><div><span> </span><span>labels</span><span>:</span></div></div><div><div><span> </span><span># ... existing Caddy labels</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>com.centurylinklabs.watchtower.enable=true</span><span>"</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <hr> <div><h2 id="step-12-monitoring">Step 12: Monitoring</h2></div> <p>Same as Traefik guide : <a href="https://uptimerobot.com">Uptime Robot</a>, <a href="https://betterstack.com/better-uptime">Better Uptime</a>, or self-hosted <a href="https://github.com/louislam/uptime-kuma">Uptime Kuma</a>.</p> <hr> <div><h2 id="final-composeyaml">Final <code dir="auto">compose.yaml</code></h2></div> <div><figure><figcaption></figcaption><pre><code><div><div><span>services</span><span>:</span></div></div><div><div><span> </span><span>caddy</span><span>:</span></div></div><div><div><span> </span><span>image</span><span>: </span><span>caddy-docker-proxy</span></div></div><div><div><span> </span><span>restart</span><span>: </span><span>always</span></div></div><div><div><span> </span><span>ports</span><span>:</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>80:80</span><span>"</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>443:443</span><span>"</span></div></div><div><div><span> </span><span>volumes</span><span>:</span></div></div><div><div><span><span> </span></span><span>- </span><span>/var/run/docker.sock:/var/run/docker.sock:ro</span></div></div><div><div><span><span> </span></span><span>- </span><span>caddy-data:/data</span></div></div><div><div> </div></div><div><div><span> </span><span>db</span><span>:</span></div></div><div><div><span> </span><span>image</span><span>: </span><span>postgres:17</span></div></div><div><div><span> </span><span>restart</span><span>: </span><span>always</span></div></div><div><div><span> </span><span>environment</span><span>:</span></div></div><div><div><span> </span><span>POSTGRES_PASSWORD_FILE</span><span>: </span><span>/run/secrets/postgres-password</span></div></div><div><div><span> </span><span>volumes</span><span>:</span></div></div><div><div><span><span> </span></span><span>- </span><span>postgres-data:/var/lib/postgresql/data</span></div></div><div><div><span> </span><span>secrets</span><span>:</span></div></div><div><div><span><span> </span></span><span>- </span><span>postgres-password</span></div></div><div><div> </div></div><div><div><span> </span><span>guestbook</span><span>:</span></div></div><div><div><span> </span><span>image</span><span>: </span><span>ghcr.io/yourusername/guestbook:prod</span></div></div><div><div><span> </span><span>restart</span><span>: </span><span>always</span></div></div><div><div><span> </span><span>environment</span><span>:</span></div></div><div><div><span> </span><span>DATABASE_URL</span><span>: </span><span>postgres://postgres:${POSTGRES_PASSWORD}@db:5432/postgres?sslmode=disable</span></div></div><div><div><span> </span><span>labels</span><span>:</span></div></div><div><div><span> </span><span>caddy</span><span>: </span><span>yourdomain.com</span></div></div><div><div><span> </span><span>caddy.reverse_proxy</span><span>: </span><span>"</span><span>{{upstreams 8080}}</span><span>"</span></div></div><div><div><span> </span><span>com.centurylinklabs.watchtower.enable</span><span>: </span><span>"</span><span>true</span><span>"</span></div></div><div><div><span> </span><span>deploy</span><span>:</span></div></div><div><div><span> </span><span>replicas</span><span>: </span><span>3</span></div></div><div><div><span> </span><span>depends_on</span><span>:</span></div></div><div><div><span><span> </span></span><span>- </span><span>db</span></div></div><div><div> </div></div><div><div><span> </span><span>watchtower</span><span>:</span></div></div><div><div><span> </span><span>image</span><span>: </span><span>containrrr/watchtower</span></div></div><div><div><span> </span><span>command</span><span>:</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>--label-enable</span><span>"</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>--interval</span><span>"</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>30</span><span>"</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>--rolling-restart</span><span>"</span></div></div><div><div><span> </span><span>volumes</span><span>:</span></div></div><div><div><span><span> </span></span><span>- </span><span>/var/run/docker.sock:/var/run/docker.sock:ro</span></div></div><div><div> </div></div><div><div><span>secrets</span><span>:</span></div></div><div><div><span> </span><span>postgres-password</span><span>:</span></div></div><div><div><span> </span><span>file</span><span>: </span><span>./db/postgres-password.txt</span></div></div><div><div> </div></div><div><div><span>volumes</span><span>:</span></div></div><div><div><span> </span><span>postgres-data</span><span>:</span></div></div><div><div><span> </span><span>caddy-data</span><span>:</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <hr> <div><h2 id="traefik-vs-caddy--which-one">Traefik vs Caddy : Which One?</h2></div> <table><thead><tr><th></th><th>Traefik</th><th>Caddy</th></tr></thead><tbody><tr><td><strong>Config lines</strong> (HTTPS + routing)</td><td>~15 lines</td><td>3 labels</td></tr><tr><td><strong>HTTPS setup</strong></td><td>ACME resolver, email, storage</td><td>Zero config</td></tr><tr><td><strong>Docker discovery</strong></td><td>Built-in</td><td>Plugin needed</td></tr><tr><td><strong>Custom image required</strong></td><td>No</td><td>Yes (build step)</td></tr><tr><td><strong>Dashboard</strong></td><td>Built-in (<code dir="auto">:8080</code>)</td><td>None</td></tr><tr><td><strong>Middleware</strong></td><td>Rich chain system</td><td>Caddyfile directives</td></tr><tr><td><strong>Health-aware LB</strong></td><td>Yes</td><td>Basic (DNS-based)</td></tr><tr><td><strong>Resource usage</strong></td><td>~40 MB RAM</td><td>~20 MB RAM</td></tr><tr><td><strong>Best for</strong></td><td>Complex routing, multiple services, API gateways</td><td>Simple apps, static sites, quick deploys</td></tr></tbody></table> <p><strong>Verdict:</strong> If you’re deploying a single app or a small handful of services, Caddy wins on simplicity. If you’re building a multi-service platform with complex routing rules, rate limiting, and circuit breakers : Traefik is the better tool.</p> <p>Both are excellent. Pick the one that matches your complexity budget.</p> <hr> <div><h2 id="checklist">Checklist</h2></div> <ul> <li><input type="checkbox" disabled> Non-root user with sudo/wheel</li> <li><input type="checkbox" disabled> SSH hardened</li> <li><input type="checkbox" disabled> Firewall: 22, 80, 443 open</li> <li><input type="checkbox" disabled> Docker + user in docker group</li> <li><input type="checkbox" disabled> Custom Caddy image built (<code dir="auto">caddy-docker-proxy</code>)</li> <li><input type="checkbox" disabled> App deployed with Caddy labels</li> <li><input type="checkbox" disabled> HTTPS active (auto)</li> <li><input type="checkbox" disabled> Multiple replicas running</li> <li><input type="checkbox" disabled> Watchtower handling rolling updates</li> <li><input type="checkbox" disabled> Uptime monitor configured</li> </ul> <hr> <p>Caddy strips the ceremony out of reverse-proxying. Three labels, zero HTTPS config, and a single binary. For most projects shipping to a VPS, that’s exactly the right amount of complexity.</p> <p>Already set up with Traefik? The migration is swapping the reverse proxy service and updating labels. Everything else : Docker, Postgres, Watchtower, firewall : stays the same.</p>https://8labs.id/blog/vps-production-ready-rocky-ubuntu/https://8labs.id/blog/vps-production-ready-rocky-ubuntu/Tue, 16 Jun 2026 10:00:00 GMT<div><h1 id="setting-up-a-production-ready-vps-from-scratch-rocky-linux-10--ubuntu-2604">Setting Up a Production-Ready VPS from Scratch: Rocky Linux 10 &#x26; Ubuntu 26.04</h1></div> <blockquote> <p>Adapted from <a href="https://dreamsofcode.io/blog/setting-up-a-production-ready-vps-from-scratch">Dreams of Code</a>, a dual-OS guide covering both RHEL-family and Debian-family setups.</p> </blockquote> <hr> <p>Deploying to the cloud has never been easier. Platform-as-a-Service (PaaS) options like Railway, Fly.io, and Render make going live a breeze. But PaaS isn’t perfect for every use case: long-running tasks, heavy data transfer, and predictable billing often push teams toward a <strong>VPS (Virtual Private Server)</strong>.</p> <p>The perceived difficulty of hardening and configuring a raw VPS scares people off. But is it actually hard? We set out to prove it isn’t. Here’s a production-ready stack on both <strong>Rocky Linux 10</strong> and <strong>Ubuntu 26.04 LTS</strong>.</p> <div><h2 id="what-production-ready-means-here">What “Production-Ready” Means Here</h2></div> <ul> <li>DNS pointing to the server</li> <li>Application deployed and running (Docker)</li> <li>HTTPS/TLS with automatic cert provisioning &#x26; renewal (Let’s Encrypt)</li> <li>Hardened SSH: no root login, no password auth</li> <li>Firewall blocking unnecessary ports</li> <li>High availability: multiple app instances</li> <li>Load balancing via reverse proxy</li> <li>Automated rolling deployments</li> <li>Uptime monitoring with alerts</li> </ul> <p><strong>Constraints:</strong> No Kubernetes. No Coolify. No Terraform. Simple tooling, minimal domain expertise.</p> <hr> <div><h2 id="step-1-provisioning-the-vps">Step 1: Provisioning the VPS</h2></div> <p>Pick a provider (Hetzner, Hostinger, DigitalOcean, Vultr). We used a <strong>2 vCPU / 8 GB RAM</strong> instance.</p> <blockquote> <p><strong>💡 Hosting with a side of nasi goreng?</strong> 🇮🇩 <a href="https://8labs.id">8labs</a> offers VirtualLabs and ElasticLabs : VPS and scalable infrastructure, straight out of Indonesia. 🤙</p> </blockquote> <p>During setup via your provider’s panel:</p> <ol> <li>Select <strong>Rocky Linux 10</strong> or <strong>Ubuntu 26.04 LTS</strong></li> <li>Set a strong root password</li> <li>Add your SSH public key</li> <li>Disable any “malware scanner” or monitoring agent if you don’t need it</li> </ol> <p>Once deployed, test SSH:</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>ssh</span><span> </span><span>root@&#x3C;your-server-ip></span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <hr> <div><h2 id="step-2-create-a-non-root-user">Step 2: Create a Non-Root User</h2></div> <p>Working as root is a bad habit. Create a regular user with <code dir="auto">sudo</code>/<code dir="auto">wheel</code> privileges.</p> <starlight-tabs> <div> <ul role="tablist"> <li role="presentation"> <a role="tab" href="#tab-panel-110" id="tab-110" aria-selected="true" tabindex="0"> Rocky Linux 10 </a> </li><li role="presentation"> <a role="tab" href="#tab-panel-111" id="tab-111" aria-selected="false" tabindex="-1"> Ubuntu 26.04 </a> </li> </ul> </div> <div id="tab-panel-110" aria-labelledby="tab-110" role="tabpanel"> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span># Create user</span></div></div><div><div><span>useradd</span><span> </span><span>-m</span><span> </span><span>-s</span><span> </span><span>/bin/bash</span><span> </span><span>deployer</span></div></div><div><div><span>passwd</span><span> </span><span>deployer</span></div></div><div><div> </div></div><div><div><span># Add to wheel group (Rocky's sudo equivalent)</span></div></div><div><div><span>usermod</span><span> </span><span>-aG</span><span> </span><span>wheel</span><span> </span><span>deployer</span></div></div><div><div> </div></div><div><div><span># Test</span></div></div><div><div><span>su</span><span> </span><span>-</span><span> </span><span>deployer</span></div></div><div><div><span>sudo</span><span> </span><span>echo</span><span> </span><span>"</span><span>sudo works</span><span>"</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> </div><div id="tab-panel-111" aria-labelledby="tab-111" role="tabpanel" hidden> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span># Create user (interactive prompt)</span></div></div><div><div><span>adduser</span><span> </span><span>deployer</span></div></div><div><div> </div></div><div><div><span># Add to sudo group</span></div></div><div><div><span>usermod</span><span> </span><span>-aG</span><span> </span><span>sudo</span><span> </span><span>deployer</span></div></div><div><div> </div></div><div><div><span># Test</span></div></div><div><div><span>su</span><span> </span><span>-</span><span> </span><span>deployer</span></div></div><div><div><span>sudo</span><span> </span><span>echo</span><span> </span><span>"</span><span>sudo works</span><span>"</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> </div> </starlight-tabs> <blockquote> <p><strong>Tip:</strong> Install <code dir="auto">tmux</code> on the VPS. If your SSH drops, reattach with <code dir="auto">tmux attach</code>, no lost progress.</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>sudo</span><span> </span><span>dnf</span><span> </span><span>install</span><span> </span><span>-y</span><span> </span><span>tmux</span><span> </span><span># Rocky</span></div></div><div><div><span>sudo</span><span> </span><span>apt</span><span> </span><span>install</span><span> </span><span>-y</span><span> </span><span>tmux</span><span> </span><span># Ubuntu</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> </blockquote> <div><h2 id="step-3-dns-configuration">Step 3: DNS Configuration</h2></div> <p>Point your domain to the VPS:</p> <ol> <li>Clear any existing A/AAAA/CNAME records at your registrar</li> <li>Add an <strong>A record</strong> for <code dir="auto">@</code> (root domain) pointing to your server’s IPv4</li> <li>Optionally add a <code dir="auto">www</code> CNAME pointing to <code dir="auto">@</code></li> </ol> <p>Find your server IP:</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>ip</span><span> </span><span>-4</span><span> </span><span>addr</span><span> </span><span>show</span><span> </span><span>|</span><span> </span><span>grep</span><span> </span><span>inet</span></div></div><div><div><span># or</span></div></div><div><div><span>curl</span><span> </span><span>-4</span><span> </span><span>ifconfig.me</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <p>DNS propagation takes minutes to hours. Move on to security while waiting.</p> <hr> <div><h2 id="step-4-harden-ssh">Step 4: Harden SSH</h2></div> <p>SSH is your front door. Lock it down.</p> <div><h3 id="4a-generate-and-copy-your-ssh-key">4a. Generate and copy your SSH key</h3></div> <p>If you don’t already have an SSH key pair, generate one on your <strong>local machine</strong>:</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>ssh-keygen</span><span> </span><span>-t</span><span> </span><span>ed25519</span><span> </span><span>-C</span><span> </span><span>"</span><span>your-email@example.com</span><span>"</span></div></div><div><div><span># Press Enter to accept the default path (~/.ssh/id_ed25519)</span></div></div><div><div><span># Set a passphrase (recommended) or leave empty</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <blockquote> <p><strong>Ed25519 vs RSA:</strong> Ed25519 is faster, more compact, and just as secure as RSA 4096. It is supported by OpenSSH 6.5+ (released 2014), so it works on every modern server. Only use RSA 4096 if you need to connect to legacy servers running pre-2014 OpenSSH:</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>ssh-keygen</span><span> </span><span>-t</span><span> </span><span>rsa</span><span> </span><span>-b</span><span> </span><span>4096</span><span> </span><span>-C</span><span> </span><span>"</span><span>your-email@example.com</span><span>"</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> </blockquote> <p>Then copy the public key to your server:</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>ssh-copy-id</span><span> </span><span>deployer@&#x3C;server-ip></span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <p>If you already have an SSH key, skip the generation step and jump straight to <code dir="auto">ssh-copy-id</code>.</p> <p>Test key-based login before proceeding:</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>ssh</span><span> </span><span>deployer@&#x3C;server-ip></span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <div><h3 id="4b-simplify-with-ssh-config-optional">4b. Simplify with SSH config (optional)</h3></div> <p>Typing <code dir="auto">ssh deployer@203.0.113.42</code> every time gets old. Add an entry to your local <code dir="auto">~/.ssh/config</code>:</p> <div><figure><figcaption></figcaption><pre><code><div><div><span>Host prod-server</span></div></div><div><div><span><span> </span></span><span>HostName 203.0.113.42</span></div></div><div><div><span><span> </span></span><span>User deployer</span></div></div><div><div><span><span> </span></span><span>IdentityFile ~/.ssh/id_ed25519</span></div></div><div><div> </div></div><div><div><span>Host myapp.com</span></div></div><div><div><span><span> </span></span><span>HostName myapp.com</span></div></div><div><div><span><span> </span></span><span>User deployer</span></div></div><div><div><span><span> </span></span><span>IdentityFile ~/.ssh/id_ed25519</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <p>Now you can connect with just:</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>ssh</span><span> </span><span>prod-server</span></div></div><div><div><span>ssh</span><span> </span><span>myapp.com</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <blockquote> <p><strong>Tip:</strong> Use short, memorable <code dir="auto">Host</code> aliases. The <code dir="auto">HostName</code> can be either an IP address or a domain name. If you’re managing multiple servers, add an entry for each one — your fingers will thank you.</p> </blockquote> <div><h3 id="4c-edit-sshd_config">4c. Edit sshd_config</h3></div> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>sudo</span><span> </span><span>vim</span><span> </span><span>/etc/ssh/sshd_config</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <p>Set or uncomment these lines:</p> <div><figure><figcaption></figcaption><pre><code><div><div><span>PasswordAuthentication no</span></div></div><div><div><span>PermitRootLogin no</span></div></div><div><div><span>PubkeyAuthentication yes</span></div></div><div><div><span># Rocky: also check /etc/ssh/sshd_config.d/*.conf for overrides</span></div></div><div><div><span># Ubuntu: also check /etc/ssh/sshd_config.d/50-cloud-init.conf</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <div><h3 id="4d-clean-up-cloud-init-overrides">4d. Clean up cloud-init overrides</h3></div> <p>Cloud images often ship a drop-in that re-enables password auth. Check and fix:</p> <starlight-tabs> <div> <ul role="tablist"> <li role="presentation"> <a role="tab" href="#tab-panel-112" id="tab-112" aria-selected="true" tabindex="0"> Rocky Linux 10 </a> </li><li role="presentation"> <a role="tab" href="#tab-panel-113" id="tab-113" aria-selected="false" tabindex="-1"> Ubuntu 26.04 </a> </li> </ul> </div> <div id="tab-panel-112" aria-labelledby="tab-112" role="tabpanel"> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>sudo</span><span> </span><span>grep</span><span> </span><span>-r</span><span> </span><span>"</span><span>PasswordAuthentication</span><span>"</span><span> </span><span>/etc/ssh/sshd_config.d/</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> </div><div id="tab-panel-113" aria-labelledby="tab-113" role="tabpanel" hidden> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>sudo</span><span> </span><span>vim</span><span> </span><span>/etc/ssh/sshd_config.d/50-cloud-init.conf</span></div></div><div><div><span># Comment out or delete any PasswordAuthentication yes line</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> </div> </starlight-tabs> <div><h3 id="4e-reload-and-verify">4e. Reload and Verify</h3></div> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>sudo</span><span> </span><span>systemctl</span><span> </span><span>reload</span><span> </span><span>sshd</span></div></div><div><div> </div></div><div><div><span># This MUST fail:</span></div></div><div><div><span>ssh</span><span> </span><span>root@&#x3C;server-ip></span></div></div><div><div><span># Permission denied (publickey) ← good</span></div></div><div><div> </div></div><div><div><span># This MUST work:</span></div></div><div><div><span>ssh</span><span> </span><span>deployer@&#x3C;server-ip></span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <p><strong>⚠️ Do not close your current SSH session until you’ve verified a new session works.</strong> Open a second terminal for testing.</p> <hr> <div><h2 id="step-5-firewall">Step 5: Firewall</h2></div> <starlight-tabs> <div> <ul role="tablist"> <li role="presentation"> <a role="tab" href="#tab-panel-118" id="tab-118" aria-selected="true" tabindex="0"> Rocky Linux 10 (firewalld) </a> </li><li role="presentation"> <a role="tab" href="#tab-panel-119" id="tab-119" aria-selected="false" tabindex="-1"> Ubuntu 26.04 (UFW) </a> </li> </ul> </div> <div id="tab-panel-118" aria-labelledby="tab-118" role="tabpanel"> <p>Rocky uses <code dir="auto">firewalld</code> by default (not <code dir="auto">ufw</code>).</p><div><figure><figcaption><span></span></figcaption><pre><code><div><div><span># Check status</span></div></div><div><div><span>sudo</span><span> </span><span>systemctl</span><span> </span><span>status</span><span> </span><span>firewalld</span></div></div><div><div> </div></div><div><div><span># If not running, install and start:</span></div></div><div><div><span>sudo</span><span> </span><span>dnf</span><span> </span><span>install</span><span> </span><span>-y</span><span> </span><span>firewalld</span></div></div><div><div><span>sudo</span><span> </span><span>systemctl</span><span> </span><span>enable</span><span> </span><span>--now</span><span> </span><span>firewalld</span></div></div><div><div> </div></div><div><div><span># Default zones</span></div></div><div><div><span>sudo</span><span> </span><span>firewall-cmd</span><span> </span><span>--get-default-zone</span><span> </span><span># usually 'public'</span></div></div><div><div> </div></div><div><div><span># Allow SSH (CRITICAL: do this first)</span></div></div><div><div><span>sudo</span><span> </span><span>firewall-cmd</span><span> </span><span>--permanent</span><span> </span><span>--add-service=ssh</span></div></div><div><div> </div></div><div><div><span># Reload to apply</span></div></div><div><div><span>sudo</span><span> </span><span>firewall-cmd</span><span> </span><span>--reload</span></div></div><div><div> </div></div><div><div><span># Verify</span></div></div><div><div><span>sudo</span><span> </span><span>firewall-cmd</span><span> </span><span>--list-all</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> </div><div id="tab-panel-119" aria-labelledby="tab-119" role="tabpanel" hidden> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span># Enable UFW</span></div></div><div><div><span>sudo</span><span> </span><span>ufw</span><span> </span><span>default</span><span> </span><span>deny</span><span> </span><span>incoming</span></div></div><div><div><span>sudo</span><span> </span><span>ufw</span><span> </span><span>default</span><span> </span><span>allow</span><span> </span><span>outgoing</span></div></div><div><div> </div></div><div><div><span># Allow SSH (CRITICAL: do this first)</span></div></div><div><div><span>sudo</span><span> </span><span>ufw</span><span> </span><span>allow</span><span> </span><span>22/tcp</span></div></div><div><div> </div></div><div><div><span># Enable</span></div></div><div><div><span>sudo</span><span> </span><span>ufw</span><span> </span><span>enable</span></div></div><div><div> </div></div><div><div><span># Verify</span></div></div><div><div><span>sudo</span><span> </span><span>ufw</span><span> </span><span>status</span><span> </span><span>verbose</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> </div> </starlight-tabs> <blockquote> <p><strong>Docker bypass warning:</strong> Docker manipulates <code dir="auto">iptables</code> directly, which can bypass both <code dir="auto">firewalld</code> and <code dir="auto">ufw</code> rules for published ports. The solution: don’t publish container ports directly. Use a reverse proxy (Step 7) and only expose ports 80/443 on the host.</p> </blockquote> <div><h2 id="step-6-install-docker">Step 6: Install Docker</h2></div> <starlight-tabs> <div> <ul role="tablist"> <li role="presentation"> <a role="tab" href="#tab-panel-122" id="tab-122" aria-selected="true" tabindex="0"> Rocky Linux 10 </a> </li><li role="presentation"> <a role="tab" href="#tab-panel-123" id="tab-123" aria-selected="false" tabindex="-1"> Ubuntu 26.04 </a> </li> </ul> </div> <div id="tab-panel-122" aria-labelledby="tab-122" role="tabpanel"> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span># Remove old Docker packages if any</span></div></div><div><div><span>sudo</span><span> </span><span>dnf</span><span> </span><span>remove</span><span> </span><span>-y</span><span> </span><span>docker</span><span> </span><span>docker-client</span><span> </span><span>docker-client-latest</span><span> </span><span>docker-common</span><span> </span><span>\</span></div></div><div><div><span> </span><span>docker-latest</span><span> </span><span>docker-latest-logrotate</span><span> </span><span>docker-logrotate</span><span> </span><span>docker-engine</span></div></div><div><div> </div></div><div><div><span># Add Docker repo</span></div></div><div><div><span>sudo</span><span> </span><span>dnf</span><span> </span><span>config-manager</span><span> </span><span>--add-repo</span><span> </span><span>https://download.docker.com/linux/rhel/docker-ce.repo</span></div></div><div><div> </div></div><div><div><span># Install Docker</span></div></div><div><div><span>sudo</span><span> </span><span>dnf</span><span> </span><span>install</span><span> </span><span>-y</span><span> </span><span>docker-ce</span><span> </span><span>docker-ce-cli</span><span> </span><span>containerd.io</span><span> </span><span>docker-buildx-plugin</span><span> </span><span>docker-compose-plugin</span></div></div><div><div> </div></div><div><div><span># Start and enable</span></div></div><div><div><span>sudo</span><span> </span><span>systemctl</span><span> </span><span>enable</span><span> </span><span>--now</span><span> </span><span>docker</span></div></div><div><div> </div></div><div><div><span># Add user to docker group</span></div></div><div><div><span>sudo</span><span> </span><span>usermod</span><span> </span><span>-aG</span><span> </span><span>docker</span><span> </span><span>deployer</span></div></div><div><div> </div></div><div><div><span># Verify</span></div></div><div><div><span>docker</span><span> </span><span>--version</span></div></div><div><div><span>docker</span><span> </span><span>compose</span><span> </span><span>version</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div><p>If <code dir="auto">dnf config-manager</code> isn’t available:</p><div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>sudo</span><span> </span><span>dnf</span><span> </span><span>install</span><span> </span><span>-y</span><span> </span><span>'</span><span>dnf-command(config-manager)</span><span>'</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> </div><div id="tab-panel-123" aria-labelledby="tab-123" role="tabpanel" hidden> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span># Remove old packages</span></div></div><div><div><span>for</span><span> </span><span>pkg</span><span> </span><span>in</span><span> </span><span>docker.io</span><span> </span><span>docker-doc</span><span> </span><span>docker-compose</span><span> </span><span>docker-compose-v2</span><span> \</span></div></div><div><div><span> </span><span>podman-docker</span><span> </span><span>containerd</span><span> </span><span>runc</span><span>; </span><span>do</span></div></div><div><div><span> </span><span>sudo</span><span> </span><span>apt-get</span><span> </span><span>remove</span><span> </span><span>-y</span><span> </span><span>$pkg</span><span> </span><span>2></span><span>/dev/null</span></div></div><div><div><span>done</span></div></div><div><div> </div></div><div><div><span># Add Docker's GPG key</span></div></div><div><div><span>sudo</span><span> </span><span>apt-get</span><span> </span><span>update</span></div></div><div><div><span>sudo</span><span> </span><span>apt-get</span><span> </span><span>install</span><span> </span><span>-y</span><span> </span><span>ca-certificates</span><span> </span><span>curl</span></div></div><div><div><span>sudo</span><span> </span><span>install</span><span> </span><span>-m</span><span> </span><span>0755</span><span> </span><span>-d</span><span> </span><span>/etc/apt/keyrings</span></div></div><div><div><span>sudo</span><span> </span><span>curl</span><span> </span><span>-fsSL</span><span> </span><span>https://download.docker.com/linux/ubuntu/gpg</span><span> </span><span>\</span></div></div><div><div><span> </span><span>-o</span><span> </span><span>/etc/apt/keyrings/docker.asc</span></div></div><div><div><span>sudo</span><span> </span><span>chmod</span><span> </span><span>a+r</span><span> </span><span>/etc/apt/keyrings/docker.asc</span></div></div><div><div> </div></div><div><div><span># Add repo</span></div></div><div><div><span>echo</span><span> </span><span>"</span><span>deb [arch=$(</span><span>dpkg</span><span> </span><span>--print-architecture</span><span>) </span><span>\</span></div></div><div><div><span><span> </span></span><span>signed-by=/etc/apt/keyrings/docker.asc] </span><span>\</span></div></div><div><div><span><span> </span></span><span>https://download.docker.com/linux/ubuntu </span><span>\</span></div></div><div><div><span><span> </span></span><span>$(</span><span>.</span><span> </span><span>/etc/os-release</span><span> &#x26;&#x26; </span><span>echo</span><span> </span><span>"</span><span>$VERSION_CODENAME</span><span>"</span><span>) stable</span><span>"</span><span> </span><span>|</span><span> </span><span>\</span></div></div><div><div><span> </span><span>sudo</span><span> </span><span>tee</span><span> </span><span>/etc/apt/sources.list.d/docker.list</span><span> </span><span>></span><span> </span><span>/dev/null</span></div></div><div><div> </div></div><div><div><span># Install</span></div></div><div><div><span>sudo</span><span> </span><span>apt-get</span><span> </span><span>update</span></div></div><div><div><span>sudo</span><span> </span><span>apt-get</span><span> </span><span>install</span><span> </span><span>-y</span><span> </span><span>docker-ce</span><span> </span><span>docker-ce-cli</span><span> </span><span>containerd.io</span><span> </span><span>\</span></div></div><div><div><span> </span><span>docker-buildx-plugin</span><span> </span><span>docker-compose-plugin</span></div></div><div><div> </div></div><div><div><span># Add user to docker group</span></div></div><div><div><span>sudo</span><span> </span><span>usermod</span><span> </span><span>-aG</span><span> </span><span>docker</span><span> </span><span>deployer</span></div></div><div><div> </div></div><div><div><span># Verify</span></div></div><div><div><span>docker</span><span> </span><span>--version</span></div></div><div><div><span>docker</span><span> </span><span>compose</span><span> </span><span>version</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> </div> </starlight-tabs> <p><strong>Log out and back in</strong> (or <code dir="auto">newgrp docker</code>) for the group change to take effect.</p> <div><h2 id="step-7-deploy-the-application-stack">Step 7: Deploy the Application Stack</h2></div> <p>We’ll use Docker Compose with a Go guestbook app + PostgreSQL, just like the original.</p> <p>Create the project directory:</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>mkdir</span><span> </span><span>-p</span><span> </span><span>~/guestbook/db</span></div></div><div><div><span>cd</span><span> </span><span>~/guestbook</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <p>Create a secure Postgres password:</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>echo</span><span> </span><span>"</span><span>your-strong-random-password-here</span><span>"</span><span> </span><span>></span><span> </span><span>db/postgres-password.txt</span></div></div><div><div><span>chmod</span><span> </span><span>600</span><span> </span><span>db/postgres-password.txt</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <div><h3 id="initial-composeyaml">Initial <code dir="auto">compose.yaml</code></h3></div> <div><figure><figcaption></figcaption><pre><code><div><div><span>services</span><span>:</span></div></div><div><div><span> </span><span>db</span><span>:</span></div></div><div><div><span> </span><span>image</span><span>: </span><span>postgres:17</span></div></div><div><div><span> </span><span>restart</span><span>: </span><span>always</span></div></div><div><div><span> </span><span>environment</span><span>:</span></div></div><div><div><span> </span><span>POSTGRES_PASSWORD_FILE</span><span>: </span><span>/run/secrets/postgres-password</span></div></div><div><div><span> </span><span>volumes</span><span>:</span></div></div><div><div><span><span> </span></span><span>- </span><span>postgres-data:/var/lib/postgresql/data</span></div></div><div><div><span> </span><span>secrets</span><span>:</span></div></div><div><div><span><span> </span></span><span>- </span><span>postgres-password</span></div></div><div><div> </div></div><div><div><span> </span><span>guestbook</span><span>:</span></div></div><div><div><span> </span><span>image</span><span>: </span><span>ghcr.io/yourusername/guestbook:prod</span></div></div><div><div><span> </span><span>restart</span><span>: </span><span>always</span></div></div><div><div><span> </span><span>environment</span><span>:</span></div></div><div><div><span> </span><span>DATABASE_URL</span><span>: </span><span>postgres://postgres:${POSTGRES_PASSWORD}@db:5432/postgres?sslmode=disable</span></div></div><div><div><span> </span><span>ports</span><span>:</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>8080:8080</span><span>"</span></div></div><div><div><span> </span><span>depends_on</span><span>:</span></div></div><div><div><span><span> </span></span><span>- </span><span>db</span></div></div><div><div> </div></div><div><div><span>secrets</span><span>:</span></div></div><div><div><span> </span><span>postgres-password</span><span>:</span></div></div><div><div><span> </span><span>file</span><span>: </span><span>./db/postgres-password.txt</span></div></div><div><div> </div></div><div><div><span>volumes</span><span>:</span></div></div><div><div><span> </span><span>postgres-data</span><span>:</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <p>Deploy:</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>export</span><span> </span><span>POSTGRES_PASSWORD</span><span>=</span><span>$(</span><span>cat</span><span> </span><span>db/postgres-password.txt</span><span>)</span></div></div><div><div><span>docker</span><span> </span><span>compose</span><span> </span><span>up</span><span> </span><span>-d</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <p>Verify:</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>docker</span><span> </span><span>compose</span><span> </span><span>ps</span></div></div><div><div><span>curl</span><span> </span><span>http://localhost:8080</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <blockquote> <p><strong>Don’t expose port 8080 on the host permanently.</strong> We’ll remove it after setting up the reverse proxy.</p> </blockquote> <hr> <div><h2 id="step-8-reverse-proxy-with-traefik">Step 8: Reverse Proxy with Traefik</h2></div> <p>Traefik handles routing, TLS termination, and load balancing, all via Docker labels.</p> <p>Update <code dir="auto">compose.yaml</code>:</p> <div><figure><figcaption></figcaption><pre><code><div><div><span>services</span><span>:</span></div></div><div><div><span> </span><span>reverse-proxy</span><span>:</span></div></div><div><div><span> </span><span>image</span><span>: </span><span>traefik:v3.3</span></div></div><div><div><span> </span><span>command</span><span>:</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>--providers.docker=true</span><span>"</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>--providers.docker.exposedbydefault=false</span><span>"</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>--entrypoints.web.address=:80</span><span>"</span></div></div><div><div><span> </span><span>ports</span><span>:</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>80:80</span><span>"</span></div></div><div><div><span> </span><span>volumes</span><span>:</span></div></div><div><div><span><span> </span></span><span>- </span><span>/var/run/docker.sock:/var/run/docker.sock:ro</span></div></div><div><div> </div></div><div><div><span> </span><span>db</span><span>:</span></div></div><div><div><span> </span><span># ... unchanged</span></div></div><div><div> </div></div><div><div><span> </span><span>guestbook</span><span>:</span></div></div><div><div><span> </span><span># ... unchanged except:</span></div></div><div><div><span> </span><span>ports</span><span>: [] </span><span># ← remove the host port mapping</span></div></div><div><div><span> </span><span>labels</span><span>:</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>traefik.enable=true</span><span>"</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>traefik.http.routers.guestbook.rule=Host(`yourdomain.com`)</span><span>"</span></div></div><div><div> </div></div><div><div><span># ... secrets and volumes unchanged</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <p>Open port 80 on the firewall:</p> <starlight-tabs> <div> <ul role="tablist"> <li role="presentation"> <a role="tab" href="#tab-panel-114" id="tab-114" aria-selected="true" tabindex="0"> Rocky Linux 10 </a> </li><li role="presentation"> <a role="tab" href="#tab-panel-115" id="tab-115" aria-selected="false" tabindex="-1"> Ubuntu 26.04 </a> </li> </ul> </div> <div id="tab-panel-114" aria-labelledby="tab-114" role="tabpanel"> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>sudo</span><span> </span><span>firewall-cmd</span><span> </span><span>--permanent</span><span> </span><span>--add-service=http</span></div></div><div><div><span>sudo</span><span> </span><span>firewall-cmd</span><span> </span><span>--reload</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> </div><div id="tab-panel-115" aria-labelledby="tab-115" role="tabpanel" hidden> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>sudo</span><span> </span><span>ufw</span><span> </span><span>allow</span><span> </span><span>80/tcp</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> </div> </starlight-tabs> <p>Redeploy:</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>docker</span><span> </span><span>compose</span><span> </span><span>up</span><span> </span><span>-d</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <p>Now visit <code dir="auto">http://yourdomain.com</code>. Traefik routes traffic to the guestbook container.</p> <hr> <div><h2 id="step-9-load-balancing-run-multiple-instances">Step 9: Load Balancing: Run Multiple Instances</h2></div> <p>Traefik automatically load-balances across containers with the same service name.</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>docker</span><span> </span><span>compose</span><span> </span><span>up</span><span> </span><span>-d</span><span> </span><span>--scale</span><span> </span><span>guestbook=</span><span>3</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <p>To make it permanent, add to <code dir="auto">compose.yaml</code>:</p> <div><figure><figcaption></figcaption><pre><code><div><div><span>services</span><span>:</span></div></div><div><div><span> </span><span>guestbook</span><span>:</span></div></div><div><div><span> </span><span># ...</span></div></div><div><div><span> </span><span>deploy</span><span>:</span></div></div><div><div><span> </span><span>replicas</span><span>: </span><span>3</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <blockquote> <p>Traefik round-robins by default. No extra config needed.</p> </blockquote> <hr> <div><h2 id="step-10-https-with-lets-encrypt-automatic-tls">Step 10: HTTPS with Let’s Encrypt (Automatic TLS)</h2></div> <p>Update Traefik service in <code dir="auto">compose.yaml</code>:</p> <div><figure><figcaption></figcaption><pre><code><div><div><span>services</span><span>:</span></div></div><div><div><span> </span><span>reverse-proxy</span><span>:</span></div></div><div><div><span> </span><span>image</span><span>: </span><span>traefik:v3.3</span></div></div><div><div><span> </span><span>command</span><span>:</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>--providers.docker=true</span><span>"</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>--providers.docker.exposedbydefault=false</span><span>"</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>--entrypoints.web.address=:80</span><span>"</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>--entrypoints.websecure.address=:443</span><span>"</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>--certificatesresolvers.letsencrypt.acme.tlschallenge=true</span><span>"</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>--certificatesresolvers.letsencrypt.acme.email=you@example.com</span><span>"</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json</span><span>"</span></div></div><div><div><span> </span><span>ports</span><span>:</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>80:80</span><span>"</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>443:443</span><span>"</span></div></div><div><div><span> </span><span>volumes</span><span>:</span></div></div><div><div><span><span> </span></span><span>- </span><span>/var/run/docker.sock:/var/run/docker.sock:ro</span></div></div><div><div><span><span> </span></span><span>- </span><span>letsencrypt:/letsencrypt</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <p>Update guestbook labels:</p> <div><figure><figcaption></figcaption><pre><code><div><div><span>services</span><span>:</span></div></div><div><div><span> </span><span>guestbook</span><span>:</span></div></div><div><div><span> </span><span>labels</span><span>:</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>traefik.enable=true</span><span>"</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>traefik.http.routers.guestbook.rule=Host(`yourdomain.com`)</span><span>"</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>traefik.http.routers.guestbook.entrypoints=websecure</span><span>"</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>traefik.http.routers.guestbook.tls.certresolver=letsencrypt</span><span>"</span></div></div><div><div> </div></div><div><div><span> </span><span># HTTP → HTTPS redirect</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>traefik.http.routers.guestbook-http.rule=Host(`yourdomain.com`)</span><span>"</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>traefik.http.routers.guestbook-http.entrypoints=web</span><span>"</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https</span><span>"</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>traefik.http.routers.guestbook-http.middlewares=redirect-to-https</span><span>"</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <p>Open port 443:</p> <starlight-tabs> <div> <ul role="tablist"> <li role="presentation"> <a role="tab" href="#tab-panel-116" id="tab-116" aria-selected="true" tabindex="0"> Rocky Linux 10 </a> </li><li role="presentation"> <a role="tab" href="#tab-panel-117" id="tab-117" aria-selected="false" tabindex="-1"> Ubuntu 26.04 </a> </li> </ul> </div> <div id="tab-panel-116" aria-labelledby="tab-116" role="tabpanel"> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>sudo</span><span> </span><span>firewall-cmd</span><span> </span><span>--permanent</span><span> </span><span>--add-service=https</span></div></div><div><div><span>sudo</span><span> </span><span>firewall-cmd</span><span> </span><span>--reload</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> </div><div id="tab-panel-117" aria-labelledby="tab-117" role="tabpanel" hidden> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>sudo</span><span> </span><span>ufw</span><span> </span><span>allow</span><span> </span><span>443/tcp</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> </div> </starlight-tabs> <p>Redeploy:</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>docker</span><span> </span><span>compose</span><span> </span><span>up</span><span> </span><span>-d</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <p>Traefik automatically obtains and renews Let’s Encrypt certificates. The <code dir="auto">acme.json</code> file stores them. Keep it safe (600 permissions, handled by Docker volume).</p> <hr> <div><h2 id="step-11-automated-deployments-with-watchtower">Step 11: Automated Deployments with Watchtower</h2></div> <p>Watchtower monitors Docker image registries and updates running containers when new images appear.</p> <p>Add to <code dir="auto">compose.yaml</code>:</p> <div><figure><figcaption></figcaption><pre><code><div><div><span>services</span><span>:</span></div></div><div><div><span> </span><span>watchtower</span><span>:</span></div></div><div><div><span> </span><span>image</span><span>: </span><span>containrrr/watchtower</span></div></div><div><div><span> </span><span>command</span><span>:</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>--label-enable</span><span>"</span><span> </span><span># Only update containers with the label</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>--interval</span><span>"</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>30</span><span>"</span><span> </span><span># Check every 30 seconds</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>--rolling-restart</span><span>"</span><span> </span><span># One container at a time (for multi-replica)</span></div></div><div><div><span> </span><span>volumes</span><span>:</span></div></div><div><div><span><span> </span></span><span>- </span><span>/var/run/docker.sock:/var/run/docker.sock:ro</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <p>Add the label to guestbook:</p> <div><figure><figcaption></figcaption><pre><code><div><div><span>services</span><span>:</span></div></div><div><div><span> </span><span>guestbook</span><span>:</span></div></div><div><div><span> </span><span>labels</span><span>:</span></div></div><div><div><span> </span><span># ... existing Traefik labels</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>com.centurylinklabs.watchtower.enable=true</span><span>"</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <p>Now when you push a new image to <code dir="auto">ghcr.io/yourusername/guestbook:prod</code>, Watchtower picks it up within 30 seconds and performs a rolling restart, zero downtime.</p> <hr> <div><h2 id="step-12-monitoring">Step 12: Monitoring</h2></div> <p>Free uptime monitoring options:</p> <ul> <li><strong><a href="https://uptimerobot.com">Uptime Robot</a></strong>: 50 monitors, 5-minute checks, email alerts. Free tier.</li> <li><strong><a href="https://betterstack.com/better-uptime">Better Uptime</a></strong> : 3-minute checks, heartbeat, status page. 10 monitors free.</li> <li><strong><a href="https://github.com/louislam/uptime-kuma">Uptime Kuma</a></strong>: Self-hosted. Run it in Docker on the same VPS or a separate tiny instance.</li> </ul> <p>Set up a monitor for <code dir="auto">https://yourdomain.com</code> and configure alerting (email, Telegram, Discord, Slack).</p> <hr> <div><h2 id="final-composeyaml">Final <code dir="auto">compose.yaml</code></h2></div> <p>The complete, production-ready stack:</p> <div><figure><figcaption></figcaption><pre><code><div><div><span>services</span><span>:</span></div></div><div><div><span> </span><span>reverse-proxy</span><span>:</span></div></div><div><div><span> </span><span>image</span><span>: </span><span>traefik:v3.3</span></div></div><div><div><span> </span><span>command</span><span>:</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>--providers.docker=true</span><span>"</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>--providers.docker.exposedbydefault=false</span><span>"</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>--entrypoints.web.address=:80</span><span>"</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>--entrypoints.websecure.address=:443</span><span>"</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>--certificatesresolvers.letsencrypt.acme.tlschallenge=true</span><span>"</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>--certificatesresolvers.letsencrypt.acme.email=you@example.com</span><span>"</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json</span><span>"</span></div></div><div><div><span> </span><span>ports</span><span>:</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>80:80</span><span>"</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>443:443</span><span>"</span></div></div><div><div><span> </span><span>volumes</span><span>:</span></div></div><div><div><span><span> </span></span><span>- </span><span>/var/run/docker.sock:/var/run/docker.sock:ro</span></div></div><div><div><span><span> </span></span><span>- </span><span>letsencrypt:/letsencrypt</span></div></div><div><div> </div></div><div><div><span> </span><span>db</span><span>:</span></div></div><div><div><span> </span><span>image</span><span>: </span><span>postgres:17</span></div></div><div><div><span> </span><span>restart</span><span>: </span><span>always</span></div></div><div><div><span> </span><span>environment</span><span>:</span></div></div><div><div><span> </span><span>POSTGRES_PASSWORD_FILE</span><span>: </span><span>/run/secrets/postgres-password</span></div></div><div><div><span> </span><span>volumes</span><span>:</span></div></div><div><div><span><span> </span></span><span>- </span><span>postgres-data:/var/lib/postgresql/data</span></div></div><div><div><span> </span><span>secrets</span><span>:</span></div></div><div><div><span><span> </span></span><span>- </span><span>postgres-password</span></div></div><div><div> </div></div><div><div><span> </span><span>guestbook</span><span>:</span></div></div><div><div><span> </span><span>image</span><span>: </span><span>ghcr.io/yourusername/guestbook:prod</span></div></div><div><div><span> </span><span>restart</span><span>: </span><span>always</span></div></div><div><div><span> </span><span>environment</span><span>:</span></div></div><div><div><span> </span><span>DATABASE_URL</span><span>: </span><span>postgres://postgres:${POSTGRES_PASSWORD}@db:5432/postgres?sslmode=disable</span></div></div><div><div><span> </span><span>deploy</span><span>:</span></div></div><div><div><span> </span><span>replicas</span><span>: </span><span>3</span></div></div><div><div><span> </span><span>labels</span><span>:</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>traefik.enable=true</span><span>"</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>traefik.http.routers.guestbook.rule=Host(`yourdomain.com`)</span><span>"</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>traefik.http.routers.guestbook.entrypoints=websecure</span><span>"</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>traefik.http.routers.guestbook.tls.certresolver=letsencrypt</span><span>"</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>traefik.http.routers.guestbook-http.rule=Host(`yourdomain.com`)</span><span>"</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>traefik.http.routers.guestbook-http.entrypoints=web</span><span>"</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https</span><span>"</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>traefik.http.routers.guestbook-http.middlewares=redirect-to-https</span><span>"</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>com.centurylinklabs.watchtower.enable=true</span><span>"</span></div></div><div><div><span> </span><span>depends_on</span><span>:</span></div></div><div><div><span><span> </span></span><span>- </span><span>db</span></div></div><div><div> </div></div><div><div><span> </span><span>watchtower</span><span>:</span></div></div><div><div><span> </span><span>image</span><span>: </span><span>containrrr/watchtower</span></div></div><div><div><span> </span><span>command</span><span>:</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>--label-enable</span><span>"</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>--interval</span><span>"</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>30</span><span>"</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>--rolling-restart</span><span>"</span></div></div><div><div><span> </span><span>volumes</span><span>:</span></div></div><div><div><span><span> </span></span><span>- </span><span>/var/run/docker.sock:/var/run/docker.sock:ro</span></div></div><div><div> </div></div><div><div><span>secrets</span><span>:</span></div></div><div><div><span> </span><span>postgres-password</span><span>:</span></div></div><div><div><span> </span><span>file</span><span>: </span><span>./db/postgres-password.txt</span></div></div><div><div> </div></div><div><div><span>volumes</span><span>:</span></div></div><div><div><span> </span><span>postgres-data</span><span>:</span></div></div><div><div><span> </span><span>letsencrypt</span><span>:</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <p>Deploy:</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>export</span><span> </span><span>POSTGRES_PASSWORD</span><span>=</span><span>$(</span><span>cat</span><span> </span><span>db/postgres-password.txt</span><span>)</span></div></div><div><div><span>docker</span><span> </span><span>compose</span><span> </span><span>up</span><span> </span><span>-d</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <hr> <div><h2 id="os-specific-quick-reference">OS-Specific Quick Reference</h2></div> <table><thead><tr><th>Task</th><th>Rocky Linux 10</th><th>Ubuntu 26.04</th></tr></thead><tbody><tr><td>Package install</td><td><code dir="auto">dnf install -y &#x3C;pkg></code></td><td><code dir="auto">apt install -y &#x3C;pkg></code></td></tr><tr><td>Package search</td><td><code dir="auto">dnf search &#x3C;pkg></code></td><td><code dir="auto">apt search &#x3C;pkg></code></td></tr><tr><td>Add repo</td><td><code dir="auto">dnf config-manager --add-repo &#x3C;url></code></td><td><code dir="auto">add-apt-repository</code> or manual <code dir="auto">.list</code></td></tr><tr><td>User create</td><td><code dir="auto">useradd -m &#x3C;user></code></td><td><code dir="auto">adduser &#x3C;user></code></td></tr><tr><td>Sudo group</td><td><code dir="auto">wheel</code></td><td><code dir="auto">sudo</code></td></tr><tr><td>Firewall</td><td><code dir="auto">firewalld</code> (<code dir="auto">firewall-cmd</code>)</td><td><code dir="auto">ufw</code></td></tr><tr><td>Service mgmt</td><td><code dir="auto">systemctl</code></td><td><code dir="auto">systemctl</code></td></tr><tr><td>SELinux</td><td>Enforcing by default (<code dir="auto">getenforce</code>)</td><td>AppArmor by default</td></tr><tr><td>Logs</td><td><code dir="auto">journalctl -u &#x3C;unit></code></td><td><code dir="auto">journalctl -u &#x3C;unit></code></td></tr><tr><td>Cron</td><td><code dir="auto">crond</code></td><td><code dir="auto">cron</code></td></tr><tr><td>EPEL (extra pkgs)</td><td><code dir="auto">dnf install -y epel-release</code></td><td>N/A</td></tr></tbody></table> <div><h3 id="rocky-selinux-note">Rocky SELinux Note</h3></div> <p>If SELinux blocks Docker operations (socket access, volume mounts):</p> <p><strong>Step 1: Find the blocked path.</strong> Run <code dir="auto">ausearch</code> to see recent SELinux denials:</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>sudo</span><span> </span><span>ausearch</span><span> </span><span>-m</span><span> </span><span>avc</span><span> </span><span>-ts</span><span> </span><span>recent</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <p>Look for the <code dir="auto">name=</code> field in the output. Example denial and what to look for:</p> <div><figure><figcaption></figcaption><pre><code><div><div><span>type=AVC msg=audit(1718123456.789:1234): avc: denied { write } for</span></div></div><div><div><span>pid=5678 comm="dockerd" name="postgres-data" dev="sda1" ino=12345</span></div></div><div><div><span>scontext=system_u:system_r:container_t:s0</span></div></div><div><div><span>tcontext=system_u:object_r:default_t:s0 tclass=dir</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <p>The blocked path is in the <code dir="auto">name=</code> field — here it’s <code dir="auto">postgres-data</code>. You can also find the full path with:</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>sudo</span><span> </span><span>ausearch</span><span> </span><span>-m</span><span> </span><span>avc</span><span> </span><span>-ts</span><span> </span><span>recent</span><span> </span><span>|</span><span> </span><span>grep</span><span> </span><span>-oP</span><span> </span><span>'</span><span>name="?\K[^"\s]+</span><span>'</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <p><strong>Step 2: Apply the fix.</strong> Set the SELinux context for the blocked path(s):</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span># Replace /path/to/mount with the actual path from ausearch output</span></div></div><div><div><span>sudo</span><span> </span><span>semanage</span><span> </span><span>fcontext</span><span> </span><span>-a</span><span> </span><span>-t</span><span> </span><span>container_file_t</span><span> </span><span>"</span><span>/path/to/mount(/.*)?</span><span>"</span></div></div><div><div><span>sudo</span><span> </span><span>restorecon</span><span> </span><span>-Rv</span><span> </span><span>/path/to/mount</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <p>For Docker named volumes, the path is typically under <code dir="auto">/var/lib/docker/volumes/&#x3C;volume-name>/</code>. For bind mounts, use the host path from your <code dir="auto">docker-compose.yml</code> <code dir="auto">volumes:</code> section.</p> <p>Usually Docker and SELinux coexist fine on Rocky 10 with default policies. Only intervene if you see <code dir="auto">Permission denied</code> in container logs despite correct file permissions.</p> <hr> <div><h2 id="checklist">Checklist</h2></div> <ul> <li><input type="checkbox" disabled> Non-root user created with sudo/wheel</li> <li><input type="checkbox" disabled> SSH: <code dir="auto">PasswordAuthentication no</code>, <code dir="auto">PermitRootLogin no</code></li> <li><input type="checkbox" disabled> Firewall: only 22, 80, 443 open</li> <li><input type="checkbox" disabled> Docker installed, user in <code dir="auto">docker</code> group</li> <li><input type="checkbox" disabled> App running as <code dir="auto">docker compose up -d</code></li> <li><input type="checkbox" disabled> Traefik reverse proxy routing traffic</li> <li><input type="checkbox" disabled> HTTPS active with Let’s Encrypt auto-renewal</li> <li><input type="checkbox" disabled> Multiple app replicas running</li> <li><input type="checkbox" disabled> Watchtower handling rolling updates</li> <li><input type="checkbox" disabled> Uptime monitor configured with alerts</li> </ul> <hr> <p>Setting up a production-ready VPS is less intimidating than it looks. Traefik + Watchtower + Docker Compose gives you 90% of what a PaaS offers : with more control, predictable billing, and no vendor lock-in. Both Rocky Linux 10 and Ubuntu 26.04 make excellent foundations; pick the ecosystem you’re most comfortable with.</p>https://8labs.id/blog/opencode-workflow-tldr/https://8labs.id/blog/opencode-workflow-tldr/Mon, 16 Mar 2026 00:00:00 GMT<p>I used to keep everything in one giant setup note, but in real life it was hard to use as a daily reference. Every time I needed one specific thing (provider setup, MCP, model choice, troubleshooting), I had to scroll through a giant wall of text.</p> <p>So I turned it into a structured workflow map in the <a href="https://8labs.id/guides/opencode/overview">OpenCode Overview</a>: install, provider strategy, configuration, tools, operation mode, and troubleshooting.</p> <div><h2 id="what-changed-tldr">What Changed (TL;DR)</h2></div> <p>Instead of one massive guide, it is now split into practical pages:</p> <ul> <li><a href="https://8labs.id/guides/opencode/quick-start">Quick Start</a></li> <li><a href="https://8labs.id/guides/opencode/installation">Installation</a></li> <li><a href="https://8labs.id/guides/opencode/configuration">Configuration</a></li> <li><a href="https://8labs.id/guides/opencode/mcp-guide">MCP Tools</a></li> <li><a href="https://8labs.id/guides/opencode/project-rules">Project Rules</a></li> <li><a href="https://8labs.id/guides/opencode/skills-integration">Skills Integration</a></li> <li><a href="https://8labs.id/guides/opencode/planner-strategy">Planner Strategy</a></li> <li><a href="https://8labs.id/guides/opencode/troubleshooting">Troubleshooting</a></li> </ul> <p>The main goal was simple: make this usable when actually working, not just “complete on paper.”</p> <div><h2 id="whats-new-june-2026">What’s New (June 2026)</h2></div> <p>The guides section has been trimmed and expanded:</p> <ul> <li><strong>Narrative content</strong> (provider strategy philosophy, agent personalities, tool philosophy) has been distilled — the guides now focus on concrete HOWTO steps</li> <li><strong><a href="https://8labs.id/guides/opencode/ecc">ECC</a></strong> — Everything Claude Code: 64 agents, 262 skills, 84 commands. Production-ready agent harness across Claude Code, OpenCode, Codex, and more</li> <li><strong><a href="https://8labs.id/guides/opencode/caveman">Caveman</a></strong> — Token compression that cuts ~75% output tokens with zero accuracy loss. One-line install, works across 30+ agents</li> </ul> <div><h2 id="workflow-mindset-im-using-now">Workflow Mindset I’m Using Now</h2></div> <ol> <li><strong>Pick provider path first</strong> (<code dir="auto">opencode</code>, <code dir="auto">opencode-go</code>, or <code dir="auto">cliproxyapi</code>)</li> <li><strong>Lock config once</strong> (providers, models, variants, MCP)</li> <li><strong>Operate with roles</strong> (planner, worker, reviewer)</li> <li><strong>Use focused references</strong> for model decisions and troubleshooting</li> </ol> <p>That alone reduced context switching a lot.</p> <div><h2 id="provider-strategy-most-important-part">Provider Strategy (Most Important Part)</h2></div> <p>One key clarification in the docs:</p> <ul> <li><code dir="auto">cliproxyapi</code> is not the only path.</li> <li>For this repo, <code dir="auto">cliproxyapi</code> is mainly useful when I want multiple Codex-capable accounts behind one stable OpenAI-compatible endpoint, with retry/routing behavior centralized.</li> </ul> <p>If I don’t need account pooling/load balancing, direct provider paths stay simpler.</p> <div><h2 id="tooling-that-actually-helped">Tooling That Actually Helped</h2></div> <p>Besides MCP tools and agent harnesses, two local CLI tools are worth installing:</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>brew</span><span> </span><span>install</span><span> </span><span>ripgrep</span><span> </span><span>ast-grep</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <ul> <li><code dir="auto">rg</code> for fast text search</li> <li><code dir="auto">sg</code> for syntax-aware structural search</li> </ul> <p>For advanced workflows, <strong>ECC</strong> adds 64 specialized subagents (planner, architect, tdd-guide, code-reviewer, security-reviewer) and <strong>Caveman</strong> cuts token costs by ~75% with a one-line install.</p> <div><h2 id="naming-reality-check">Naming Reality Check</h2></div> <p>Another important thing I had to document clearly:</p> <ul> <li>Project branding now points to <strong>oh-my-openagent</strong></li> <li>But many practical examples still use legacy names like <code dir="auto">oh-my-opencode</code> in plugin/config keys</li> </ul> <p>So the docs explain both without pretending one side doesn’t exist.</p> <div><h2 id="final-take">Final Take</h2></div> <p>This wasn’t just a docs cleanup. It changed how I work with OpenCode day to day:</p> <ul> <li>faster onboarding</li> <li>clearer operational flow</li> <li>less re-reading giant setup notes</li> <li>better model/provider decisions during real tasks</li> </ul> <p>If you’re still running from one giant setup markdown, split it into workflow pages. It’s one of those “small docs changes” that gives a big productivity return.</p>docusaurusopencodeworkflowdocslinuxhttps://8labs.id/blog/ubuntu-server-hardening-guide/https://8labs.id/blog/ubuntu-server-hardening-guide/Wed, 25 Feb 2026 00:00:00 GMT<p>Securing your Ubuntu server is essential whether you’re running a production web server, a homelab service, or a cloud instance. This guide covers the essential steps to harden your Ubuntu Server 22.04/24.04 LTS installation, following security best practices and CIS benchmarks.</p> <div><h2 id="prerequisites">Prerequisites</h2></div> <ul> <li>Ubuntu Server 22.04 LTS or 24.04 LTS (fresh installation preferred)</li> <li>Root or sudo access</li> <li>SSH access to the server</li> <li>Backup of critical data (always backup before making system changes)</li> </ul> <div><h2 id="phase-1-initial-system-updates">Phase 1: Initial System Updates</h2></div> <div><h3 id="update-system-packages">Update System Packages</h3></div> <p>Start with a fully updated system to patch known vulnerabilities:</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>sudo</span><span> </span><span>apt</span><span> </span><span>update</span><span> &#x26;&#x26; </span><span>sudo</span><span> </span><span>apt</span><span> </span><span>upgrade</span><span> </span><span>-y</span></div></div><div><div><span>sudo</span><span> </span><span>apt</span><span> </span><span>autoremove</span><span> </span><span>-y</span></div></div><div><div><span>sudo</span><span> </span><span>apt</span><span> </span><span>autoclean</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <div><h3 id="configure-automatic-security-updates">Configure Automatic Security Updates</h3></div> <p>Enable unattended-upgrades for automatic security patches:</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>sudo</span><span> </span><span>apt</span><span> </span><span>install</span><span> </span><span>-y</span><span> </span><span>unattended-upgrades</span></div></div><div><div><span>sudo</span><span> </span><span>dpkg-reconfigure</span><span> </span><span>-plow</span><span> </span><span>unattended-upgrades</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <p>Verify the configuration:</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>cat</span><span> </span><span>/etc/apt/apt.conf.d/50unattended-upgrades</span><span> </span><span>|</span><span> </span><span>grep</span><span> </span><span>-A5</span><span> </span><span>"</span><span>Unattended-Upgrade::Allowed-Origins</span><span>"</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <div><h2 id="phase-2-secure-ssh-access">Phase 2: Secure SSH Access</h2></div> <div><h3 id="change-default-ssh-port-optional-but-recommended">Change Default SSH Port (Optional but Recommended)</h3></div> <p>Changing from port 22 reduces automated attack attempts:</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>sudo</span><span> </span><span>nano</span><span> </span><span>/etc/ssh/sshd_config</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <p>Find and modify:</p> <div><figure><figcaption></figcaption><pre><code><div><div><span>Port 2222</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <div><h3 id="disable-root-login">Disable Root Login</h3></div> <p>Prevent direct root access via SSH:</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>sudo</span><span> </span><span>nano</span><span> </span><span>/etc/ssh/sshd_config</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <p>Set:</p> <div><figure><figcaption></figcaption><pre><code><div><div><span>PermitRootLogin no</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <div><h3 id="disable-password-authentication-use-ssh-keys-only">Disable Password Authentication (Use SSH Keys Only)</h3></div> <p><strong>⚠️ WARNING:</strong> Ensure you have SSH key access configured before disabling passwords!</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>sudo</span><span> </span><span>nano</span><span> </span><span>/etc/ssh/sshd_config</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <p>Set:</p> <div><figure><figcaption></figcaption><pre><code><div><div><span>PasswordAuthentication no</span></div></div><div><div><span>PubkeyAuthentication yes</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <div><h3 id="restrict-ssh-to-specific-users">Restrict SSH to Specific Users</h3></div> <p>Allow only specific users or groups:</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>sudo</span><span> </span><span>nano</span><span> </span><span>/etc/ssh/sshd_config</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <p>Add:</p> <div><figure><figcaption></figcaption><pre><code><div><div><span>AllowUsers yourusername</span></div></div><div><div><span># OR</span></div></div><div><div><span>AllowGroups ssh-users</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <div><h3 id="apply-ssh-changes">Apply SSH Changes</h3></div> <p>Restart SSH service:</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>sudo</span><span> </span><span>systemctl</span><span> </span><span>restart</span><span> </span><span>sshd</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <p><strong>⚠️ IMPORTANT:</strong> Keep your current SSH session open and test a new connection before closing!</p> <div><h2 id="phase-3-firewall-configuration-ufw">Phase 3: Firewall Configuration (UFW)</h2></div> <div><h3 id="install-and-enable-ufw">Install and Enable UFW</h3></div> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>sudo</span><span> </span><span>apt</span><span> </span><span>install</span><span> </span><span>-y</span><span> </span><span>ufw</span></div></div><div><div><span>sudo</span><span> </span><span>ufw</span><span> </span><span>default</span><span> </span><span>deny</span><span> </span><span>incoming</span></div></div><div><div><span>sudo</span><span> </span><span>ufw</span><span> </span><span>default</span><span> </span><span>allow</span><span> </span><span>outgoing</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <div><h3 id="configure-firewall-rules">Configure Firewall Rules</h3></div> <p>Allow your custom SSH port (if changed):</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>sudo</span><span> </span><span>ufw</span><span> </span><span>allow</span><span> </span><span>2222/tcp</span><span> </span><span>comment</span><span> </span><span>'</span><span>SSH custom port</span><span>'</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <p>Or if using default SSH:</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>sudo</span><span> </span><span>ufw</span><span> </span><span>allow</span><span> </span><span>22/tcp</span><span> </span><span>comment</span><span> </span><span>'</span><span>SSH</span><span>'</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <p>Allow common services (adjust as needed):</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span># HTTP/HTTPS (for web servers)</span></div></div><div><div><span>sudo</span><span> </span><span>ufw</span><span> </span><span>allow</span><span> </span><span>80/tcp</span><span> </span><span>comment</span><span> </span><span>'</span><span>HTTP</span><span>'</span></div></div><div><div><span>sudo</span><span> </span><span>ufw</span><span> </span><span>allow</span><span> </span><span>443/tcp</span><span> </span><span>comment</span><span> </span><span>'</span><span>HTTPS</span><span>'</span></div></div><div><div> </div></div><div><div><span># WireGuard VPN</span></div></div><div><div><span>sudo</span><span> </span><span>ufw</span><span> </span><span>allow</span><span> </span><span>51820/udp</span><span> </span><span>comment</span><span> </span><span>'</span><span>WireGuard</span><span>'</span></div></div><div><div> </div></div><div><div><span># DNS</span></div></div><div><div><span>sudo</span><span> </span><span>ufw</span><span> </span><span>allow</span><span> </span><span>53/tcp</span><span> </span><span>comment</span><span> </span><span>'</span><span>DNS</span><span>'</span></div></div><div><div><span>sudo</span><span> </span><span>ufw</span><span> </span><span>allow</span><span> </span><span>53/udp</span><span> </span><span>comment</span><span> </span><span>'</span><span>DNS</span><span>'</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <div><h3 id="enable-ufw">Enable UFW</h3></div> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>sudo</span><span> </span><span>ufw</span><span> </span><span>enable</span></div></div><div><div><span>sudo</span><span> </span><span>ufw</span><span> </span><span>status</span><span> </span><span>verbose</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <div><h2 id="phase-4-install-and-configure-fail2ban">Phase 4: Install and Configure Fail2ban</h2></div> <p>Fail2ban protects against brute-force attacks by banning IPs with suspicious activity.</p> <div><h3 id="installation">Installation</h3></div> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>sudo</span><span> </span><span>apt</span><span> </span><span>install</span><span> </span><span>-y</span><span> </span><span>fail2ban</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <div><h3 id="create-custom-configuration">Create Custom Configuration</h3></div> <p>Create a local configuration file:</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>sudo</span><span> </span><span>nano</span><span> </span><span>/etc/fail2ban/jail.local</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <p>Add the following configuration:</p> <div><figure><figcaption></figcaption><pre><code><div><div><span>[DEFAULT]</span></div></div><div><div><span># Ban IP for 1 hour after 3 failed attempts within 10 minutes</span></div></div><div><div><span>bantime</span><span> = 3600</span></div></div><div><div><span>findtime</span><span> = 600</span></div></div><div><div><span>maxretry</span><span> = 3</span></div></div><div><div><span>backend</span><span> = systemd</span></div></div><div><div> </div></div><div><div><span># Enable email notifications (optional)</span></div></div><div><div><span># destemail = your-email@example.com</span></div></div><div><div><span># sender = fail2ban@your-server</span></div></div><div><div><span># action = %(action_mwl)s</span></div></div><div><div> </div></div><div><div><span>[sshd]</span></div></div><div><div><span>enabled</span><span> = true</span></div></div><div><div><span>port</span><span> = 2222,22</span></div></div><div><div><span>filter</span><span> = sshd</span></div></div><div><div><span>logpath</span><span> = /var/log/auth.log</span></div></div><div><div><span>maxretry</span><span> = 3</span></div></div><div><div><span>bantime</span><span> = 3600</span></div></div><div><div> </div></div><div><div><span># Protect additional services</span></div></div><div><div><span>[nginx-http-auth]</span></div></div><div><div><span>enabled</span><span> = false</span></div></div><div><div> </div></div><div><div><span>[nginx-noscript]</span></div></div><div><div><span>enabled</span><span> = false</span></div></div><div><div> </div></div><div><div><span>[nginx-botsearch]</span></div></div><div><div><span>enabled</span><span> = false</span></div></div><div><div> </div></div><div><div><span>[php-url-fopen]</span></div></div><div><div><span>enabled</span><span> = false</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <div><h3 id="start-fail2ban">Start Fail2ban</h3></div> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>sudo</span><span> </span><span>systemctl</span><span> </span><span>enable</span><span> </span><span>--now</span><span> </span><span>fail2ban</span></div></div><div><div><span>sudo</span><span> </span><span>fail2ban-client</span><span> </span><span>status</span></div></div><div><div><span>sudo</span><span> </span><span>fail2ban-client</span><span> </span><span>status</span><span> </span><span>sshd</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <div><h2 id="phase-5-user-and-permission-management">Phase 5: User and Permission Management</h2></div> <div><h3 id="create-a-non-root-user-if-not-done">Create a Non-Root User (If Not Done)</h3></div> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>sudo</span><span> </span><span>adduser</span><span> </span><span>yourusername</span></div></div><div><div><span>sudo</span><span> </span><span>usermod</span><span> </span><span>-aG</span><span> </span><span>sudo</span><span> </span><span>yourusername</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <div><h3 id="configure-password-policies">Configure Password Policies</h3></div> <p>Install password quality checking:</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>sudo</span><span> </span><span>apt</span><span> </span><span>install</span><span> </span><span>-y</span><span> </span><span>libpam-pwquality</span></div></div><div><div><span>sudo</span><span> </span><span>nano</span><span> </span><span>/etc/security/pwquality.conf</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <p>Set strong password requirements:</p> <div><figure><figcaption></figcaption><pre><code><div><div><span>minlen = 12</span></div></div><div><div><span>minclass = 3</span></div></div><div><div><span>maxrepeat = 2</span></div></div><div><div><span>dcredit = -1</span></div></div><div><div><span>ucredit = -1</span></div></div><div><div><span>ocredit = -1</span></div></div><div><div><span>lcredit = -1</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <div><h3 id="lock-unused-accounts">Lock Unused Accounts</h3></div> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span># List all users</span></div></div><div><div><span>awk</span><span> </span><span>-F:</span><span> </span><span>'</span><span>$3 >= 1000 &#x26;&#x26; $1 != "nobody" {print $1}</span><span>'</span><span> </span><span>/etc/passwd</span></div></div><div><div> </div></div><div><div><span># Lock unused accounts</span></div></div><div><div><span>sudo</span><span> </span><span>passwd</span><span> </span><span>-l</span><span> </span><span>username</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <div><h2 id="phase-6-disable-unnecessary-services">Phase 6: Disable Unnecessary Services</h2></div> <div><h3 id="list-running-services">List Running Services</h3></div> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>sudo</span><span> </span><span>systemctl</span><span> </span><span>list-units</span><span> </span><span>--type=service</span><span> </span><span>--state=running</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <div><h3 id="disable-common-unused-services">Disable Common Unused Services</h3></div> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span># Disable unnecessary services (adjust based on your needs)</span></div></div><div><div><span>sudo</span><span> </span><span>systemctl</span><span> </span><span>disable</span><span> </span><span>--now</span><span> </span><span>cups</span><span> </span><span># Printing (if not needed)</span></div></div><div><div><span>sudo</span><span> </span><span>systemctl</span><span> </span><span>disable</span><span> </span><span>--now</span><span> </span><span>avahi-daemon</span><span> </span><span># mDNS (if not needed)</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <div><h2 id="phase-7-file-permissions-and-security">Phase 7: File Permissions and Security</h2></div> <div><h3 id="secure-sensitive-files">Secure Sensitive Files</h3></div> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span># Secure SSH keys</span></div></div><div><div><span>sudo</span><span> </span><span>chmod</span><span> </span><span>600</span><span> </span><span>/etc/ssh/ssh_host_</span><span>*</span><span>_key</span></div></div><div><div><span>sudo</span><span> </span><span>chmod</span><span> </span><span>644</span><span> </span><span>/etc/ssh/ssh_host_</span><span>*</span><span>_key.pub</span></div></div><div><div> </div></div><div><div><span># Secure shadow file</span></div></div><div><div><span>sudo</span><span> </span><span>chmod</span><span> </span><span>640</span><span> </span><span>/etc/shadow</span></div></div><div><div> </div></div><div><div><span># Secure sudo configuration</span></div></div><div><div><span>sudo</span><span> </span><span>chmod</span><span> </span><span>440</span><span> </span><span>/etc/sudoers</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <div><h3 id="check-for-suidsgid-files">Check for SUID/SGID Files</h3></div> <p>Find files with special permissions:</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>sudo</span><span> </span><span>find</span><span> </span><span>/</span><span> </span><span>-perm</span><span> </span><span>-4000</span><span> </span><span>-type</span><span> </span><span>f</span><span> </span><span>2></span><span>/dev/null</span></div></div><div><div><span>sudo</span><span> </span><span>find</span><span> </span><span>/</span><span> </span><span>-perm</span><span> </span><span>-2000</span><span> </span><span>-type</span><span> </span><span>f</span><span> </span><span>2></span><span>/dev/null</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <div><h2 id="phase-8-network-security">Phase 8: Network Security</h2></div> <div><h3 id="disable-ipv6-if-not-needed">Disable IPv6 (If Not Needed)</h3></div> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>sudo</span><span> </span><span>nano</span><span> </span><span>/etc/sysctl.conf</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <p>Add:</p> <div><figure><figcaption></figcaption><pre><code><div><div><span>net.ipv6.conf.all.disable_ipv6 = 1</span></div></div><div><div><span>net.ipv6.conf.default.disable_ipv6 = 1</span></div></div><div><div><span>net.ipv6.conf.lo.disable_ipv6 = 1</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <p>Apply:</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>sudo</span><span> </span><span>sysctl</span><span> </span><span>-p</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <div><h3 id="configure-kernel-parameters">Configure Kernel Parameters</h3></div> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>sudo</span><span> </span><span>nano</span><span> </span><span>/etc/sysctl.conf</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <p>Add security hardening:</p> <div><figure><figcaption></figcaption><pre><code><div><div><span># IP Spoofing protection</span></div></div><div><div><span>net.ipv4.conf.all.rp_filter = 1</span></div></div><div><div><span>net.ipv4.conf.default.rp_filter = 1</span></div></div><div><div> </div></div><div><div><span># Ignore ICMP broadcast requests</span></div></div><div><div><span>net.ipv4.icmp_echo_ignore_broadcasts = 1</span></div></div><div><div> </div></div><div><div><span># Disable source packet routing</span></div></div><div><div><span>net.ipv4.conf.all.accept_source_route = 0</span></div></div><div><div><span>net.ipv4.conf.default.accept_source_route = 0</span></div></div><div><div> </div></div><div><div><span># Ignore send redirects</span></div></div><div><div><span>net.ipv4.conf.all.accept_redirects = 0</span></div></div><div><div><span>net.ipv4.conf.default.accept_redirects = 0</span></div></div><div><div><span>net.ipv4.conf.all.secure_redirects = 0</span></div></div><div><div><span>net.ipv4.conf.default.secure_redirects = 0</span></div></div><div><div> </div></div><div><div><span># Disable ICMP redirects</span></div></div><div><div><span>net.ipv4.conf.all.send_redirects = 0</span></div></div><div><div><span>net.ipv4.conf.default.send_redirects = 0</span></div></div><div><div> </div></div><div><div><span># Disable log martians</span></div></div><div><div><span>net.ipv4.conf.all.log_martians = 1</span></div></div><div><div> </div></div><div><div><span># Disable IPv6 router solicitations</span></div></div><div><div><span>net.ipv6.conf.all.accept_ra = 0</span></div></div><div><div><span>net.ipv6.conf.default.accept_ra = 0</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <p>Apply:</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>sudo</span><span> </span><span>sysctl</span><span> </span><span>-p</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <div><h2 id="phase-9-install-security-tools">Phase 9: Install Security Tools</h2></div> <div><h3 id="install-and-configure-aide-intrusion-detection">Install and Configure AIDE (Intrusion Detection)</h3></div> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>sudo</span><span> </span><span>apt</span><span> </span><span>install</span><span> </span><span>-y</span><span> </span><span>aide</span></div></div><div><div><span>sudo</span><span> </span><span>aideinit</span></div></div><div><div><span>sudo</span><span> </span><span>cp</span><span> </span><span>/var/lib/aide/aide.db.new</span><span> </span><span>/var/lib/aide/aide.db</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <div><h3 id="install-lynis-security-auditing">Install Lynis (Security Auditing)</h3></div> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>sudo</span><span> </span><span>apt</span><span> </span><span>install</span><span> </span><span>-y</span><span> </span><span>lynis</span></div></div><div><div><span>sudo</span><span> </span><span>lynis</span><span> </span><span>audit</span><span> </span><span>system</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <div><h3 id="install-rootkit-detectors">Install Rootkit Detectors</h3></div> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>sudo</span><span> </span><span>apt</span><span> </span><span>install</span><span> </span><span>-y</span><span> </span><span>rkhunter</span><span> </span><span>chkrootbot</span></div></div><div><div><span>sudo</span><span> </span><span>rkhunter</span><span> </span><span>--update</span></div></div><div><div><span>sudo</span><span> </span><span>rkhunter</span><span> </span><span>--check</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <div><h3 id="install-log-monitoring">Install Log Monitoring</h3></div> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>sudo</span><span> </span><span>apt</span><span> </span><span>install</span><span> </span><span>-y</span><span> </span><span>logwatch</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <div><h2 id="phase-10-backup-and-recovery">Phase 10: Backup and Recovery</h2></div> <div><h3 id="configure-automated-backups">Configure Automated Backups</h3></div> <p>Create a backup script:</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>sudo</span><span> </span><span>nano</span><span> </span><span>/usr/local/bin/system-backup.sh</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <div><figure><figcaption></figcaption><pre><code><div><div><span>#!/bin/bash</span></div></div><div><div><span># System backup script</span></div></div><div><div><span>DATE</span><span>=</span><span>$(</span><span>date</span><span> </span><span>+%Y%m%d_%H%M%S</span><span>)</span></div></div><div><div><span>BACKUP_DIR</span><span>=</span><span>"</span><span>/backup/system</span><span>"</span></div></div><div><div><span>mkdir</span><span> </span><span>-p</span><span> </span><span>$BACKUP_DIR</span></div></div><div><div> </div></div><div><div><span># Backup critical configuration</span></div></div><div><div><span>tar</span><span> </span><span>czf</span><span> </span><span>$BACKUP_DIR</span><span>/config_backup_</span><span>$DATE</span><span>.tar.gz</span><span> </span><span>/etc</span><span> </span><span>/home</span><span> </span><span>/var/spool/cron</span><span> </span><span>/var/lib/dpkg</span></div></div><div><div> </div></div><div><div><span># Keep only last 7 backups</span></div></div><div><div><span>ls</span><span> </span><span>-t</span><span> </span><span>$BACKUP_DIR</span><span>/</span><span>*</span><span>.tar.gz</span><span> </span><span>|</span><span> </span><span>tail</span><span> </span><span>-n</span><span> </span><span>+8</span><span> </span><span>|</span><span> </span><span>xargs</span><span> </span><span>-r</span><span> </span><span>rm</span></div></div><div><div> </div></div><div><div><span>echo</span><span> </span><span>"</span><span>Backup completed: </span><span>$DATE</span><span>"</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <p>Make executable:</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>sudo</span><span> </span><span>chmod</span><span> </span><span>+x</span><span> </span><span>/usr/local/bin/system-backup.sh</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <div><h3 id="add-to-cron">Add to Cron</h3></div> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>sudo</span><span> </span><span>crontab</span><span> </span><span>-e</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <p>Add daily backup at 2 AM:</p> <div><figure><figcaption></figcaption><pre><code><div><div><span>0 2 * * * /usr/local/bin/system-backup.sh >> /var/log/system-backup.log 2>&#x26;1</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <div><h2 id="phase-11-ongoing-monitoring">Phase 11: Ongoing Monitoring</h2></div> <div><h3 id="install-and-configure-auditd">Install and Configure Auditd</h3></div> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>sudo</span><span> </span><span>apt</span><span> </span><span>install</span><span> </span><span>-y</span><span> </span><span>auditd</span><span> </span><span>audispd-plugins</span></div></div><div><div><span>sudo</span><span> </span><span>systemctl</span><span> </span><span>enable</span><span> </span><span>--now</span><span> </span><span>auditd</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <div><h3 id="monitor-failed-login-attempts">Monitor Failed Login Attempts</h3></div> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>grep</span><span> </span><span>"</span><span>Failed password</span><span>"</span><span> </span><span>/var/log/auth.log</span></div></div><div><div><span>grep</span><span> </span><span>"</span><span>Accepted password</span><span>"</span><span> </span><span>/var/log/auth.log</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <div><h3 id="review-ufw-logs">Review UFW Logs</h3></div> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>sudo</span><span> </span><span>tail</span><span> </span><span>-f</span><span> </span><span>/var/log/ufw.log</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <div><h2 id="phase-12-secure-shared-memory">Phase 12: Secure Shared Memory</h2></div> <p>Shared memory is a common attack vector. While it’s efficient for process communication, it can be exploited for privilege escalation or arbitrary code execution.</p> <div><h3 id="harden-runshm">Harden /run/shm</h3></div> <p>Add the following to <code dir="auto">/etc/fstab</code> to mount shared memory with restrictive options:</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>echo</span><span> </span><span>"</span><span>tmpfs /run/shm tmpfs defaults,noexec,nosuid,nodev 0 0</span><span>"</span><span> </span><span>|</span><span> </span><span>sudo</span><span> </span><span>tee</span><span> </span><span>-a</span><span> </span><span>/etc/fstab</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <p><strong>Explanation:</strong></p> <ul> <li><code dir="auto">noexec</code> — Prevents execution of binaries</li> <li><code dir="auto">nosuid</code> — Ignores set-user-identifier bits</li> <li><code dir="auto">nodev</code> — Prevents interpretation of device files</li> </ul> <p><strong>Apply changes:</strong></p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>sudo</span><span> </span><span>mount</span><span> </span><span>-o</span><span> </span><span>remount</span><span> </span><span>/run/shm</span></div></div><div><div><span># Or reboot:</span></div></div><div><div><span>sudo</span><span> </span><span>reboot</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <p>Verify the mount:</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>mount</span><span> </span><span>|</span><span> </span><span>grep</span><span> </span><span>shm</span></div></div><div><div><span># Should show: tmpfs on /run/shm type tmpfs (rw,nosuid,nodev,noexec,relatime)</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <div><h2 id="quick-security-checklist">Quick Security Checklist</h2></div> <p>Use this checklist to verify your hardening:</p> <ul> <li><input type="checkbox" disabled> System fully updated with automatic security updates enabled</li> <li><input type="checkbox" disabled> SSH root login disabled</li> <li><input type="checkbox" disabled> SSH password authentication disabled (keys only)</li> <li><input type="checkbox" disabled> SSH port changed from default (optional)</li> <li><input type="checkbox" disabled> UFW firewall enabled with minimal allowed ports</li> <li><input type="checkbox" disabled> Fail2ban installed and running</li> <li><input type="checkbox" disabled> Non-root user created for administration</li> <li><input type="checkbox" disabled> Password policies configured</li> <li><input type="checkbox" disabled> Unnecessary services disabled</li> <li><input type="checkbox" disabled> Shared memory secured (<code dir="auto">noexec,nosuid,nodev</code>)</li> <li><input type="checkbox" disabled> Automatic backups configured</li> <li><input type="checkbox" disabled> Security auditing tools installed</li> </ul> <div><h2 id="security-audit-cheatsheet">Security Audit Cheatsheet</h2></div> <p>Quick commands to audit your server’s security:</p> <div><h3 id="user--permission-auditing">User &#x26; Permission Auditing</h3></div> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span># Find users with UID 0 (should only be root)</span></div></div><div><div><span>awk</span><span> </span><span>-F:</span><span> </span><span>'</span><span>($3 == 0) {print}</span><span>'</span><span> </span><span>/etc/passwd</span></div></div><div><div> </div></div><div><div><span># List all user accounts</span></div></div><div><div><span>awk</span><span> </span><span>-F:</span><span> </span><span>'</span><span>{print $1}</span><span>'</span><span> </span><span>/etc/passwd</span></div></div><div><div> </div></div><div><div><span># Find users without passwords (empty password field)</span></div></div><div><div><span>awk</span><span> </span><span>-F:</span><span> </span><span>'</span><span>($2 == "") {print $1}</span><span>'</span><span> </span><span>/etc/shadow</span></div></div><div><div> </div></div><div><div><span># Check for users with sudo access</span></div></div><div><div><span>getent</span><span> </span><span>group</span><span> </span><span>sudo</span></div></div><div><div> </div></div><div><div><span># Find SUID/SGID files (potential privilege escalation)</span></div></div><div><div><span>find</span><span> </span><span>/</span><span> </span><span>-perm</span><span> </span><span>-4000</span><span> </span><span>-type</span><span> </span><span>f</span><span> </span><span>2></span><span>/dev/null</span></div></div><div><div><span>find</span><span> </span><span>/</span><span> </span><span>-perm</span><span> </span><span>-2000</span><span> </span><span>-type</span><span> </span><span>f</span><span> </span><span>2></span><span>/dev/null</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <div><h3 id="network--connection-auditing">Network &#x26; Connection Auditing</h3></div> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span># Check listening ports</span></div></div><div><div><span>ss</span><span> </span><span>-tulnp</span></div></div><div><div> </div></div><div><div><span># Check established connections</span></div></div><div><div><span>ss</span><span> </span><span>-tu</span><span> </span><span>np</span><span> </span><span>state</span><span> </span><span>established</span></div></div><div><div> </div></div><div><div><span># Review firewall status</span></div></div><div><div><span>sudo</span><span> </span><span>ufw</span><span> </span><span>status</span><span> </span><span>verbose</span></div></div><div><div> </div></div><div><div><span># Check for open ports from outside</span></div></div><div><div><span># (Run from another machine)</span></div></div><div><div><span>nmap</span><span> </span><span>-sV</span><span> </span><span>your-server-ip</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <div><h3 id="log--activity-auditing">Log &#x26; Activity Auditing</h3></div> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span># Recent login attempts</span></div></div><div><div><span>last</span><span> </span><span>-a</span><span> </span><span>|</span><span> </span><span>head</span><span> </span><span>-20</span></div></div><div><div> </div></div><div><div><span># Failed SSH login attempts</span></div></div><div><div><span>grep</span><span> </span><span>"</span><span>Failed password</span><span>"</span><span> </span><span>/var/log/auth.log</span><span> </span><span>|</span><span> </span><span>tail</span><span> </span><span>-20</span></div></div><div><div> </div></div><div><div><span># Successful SSH logins</span></div></div><div><div><span>grep</span><span> </span><span>"</span><span>Accepted</span><span>"</span><span> </span><span>/var/log/auth.log</span><span> </span><span>|</span><span> </span><span>tail</span><span> </span><span>-20</span></div></div><div><div> </div></div><div><div><span># Fail2ban status</span></div></div><div><div><span>sudo</span><span> </span><span>fail2ban-client</span><span> </span><span>status</span><span> </span><span>sshd</span></div></div><div><div> </div></div><div><div><span># UFW blocked attempts</span></div></div><div><div><span>sudo</span><span> </span><span>grep</span><span> </span><span>UFW</span><span> </span><span>/var/log/ufw.log</span><span> </span><span>|</span><span> </span><span>tail</span><span> </span><span>-20</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <div><h3 id="system--file-auditing">System &#x26; File Auditing</h3></div> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span># Disk usage</span></div></div><div><div><span>df</span><span> </span><span>-h</span></div></div><div><div> </div></div><div><div><span># Check for world-writable directories</span></div></div><div><div><span>find</span><span> </span><span>/</span><span> </span><span>-type</span><span> </span><span>d</span><span> </span><span>-perm</span><span> </span><span>-002</span><span> </span><span>!</span><span> </span><span>-path</span><span> </span><span>"</span><span>/proc/*</span><span>"</span><span> </span><span>!</span><span> </span><span>-path</span><span> </span><span>"</span><span>/sys/*</span><span>"</span><span> </span><span>2></span><span>/dev/null</span></div></div><div><div> </div></div><div><div><span># List recently modified files (last 24 hours)</span></div></div><div><div><span>find</span><span> </span><span>/etc</span><span> </span><span>/var</span><span> </span><span>-mtime</span><span> </span><span>-1</span><span> </span><span>-type</span><span> </span><span>f</span><span> </span><span>2></span><span>/dev/null</span></div></div><div><div> </div></div><div><div><span># Check AIDE database (if installed)</span></div></div><div><div><span>sudo</span><span> </span><span>aide</span><span> </span><span>--check</span></div></div><div><div> </div></div><div><div><span># Run Lynis audit</span></div></div><div><div><span>sudo</span><span> </span><span>lynis</span><span> </span><span>audit</span><span> </span><span>system</span><span> </span><span>--quick</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <div><h2 id="one-click-hardening-script">One-Click Hardening Script</h2></div> <p>For quick deployment or automation, here’s a comprehensive hardening script. <strong>Review before running!</strong></p> <div><figure><figcaption></figcaption><pre><code><div><div><span>#!/bin/bash</span></div></div><div><div><span># Ubuntu Server Hardening Script</span></div></div><div><div><span># WARNING: Review before running. Test in non-production first!</span></div></div><div><div> </div></div><div><div><span>set</span><span> </span><span>-e</span></div></div><div><div> </div></div><div><div><span># Colors for output</span></div></div><div><div><span>RED</span><span>=</span><span>'</span><span>\033[0;31m</span><span>'</span></div></div><div><div><span>GREEN</span><span>=</span><span>'</span><span>\033[0;32m</span><span>'</span></div></div><div><div><span>YELLOW</span><span>=</span><span>'</span><span>\033[1;33m</span><span>'</span></div></div><div><div><span>NC</span><span>=</span><span>'</span><span>\033[0m</span><span>'</span><span> </span><span># No Color</span></div></div><div><div> </div></div><div><div><span>echo</span><span> </span><span>-e</span><span> </span><span>"</span><span>${</span><span>YELLOW</span><span>}=== Ubuntu Server Hardening Script ===${</span><span>NC</span><span>}</span><span>"</span></div></div><div><div><span>echo</span><span> </span><span>-e</span><span> </span><span>"</span><span>${</span><span>RED</span><span>}WARNING: Review this script before running!${</span><span>NC</span><span>}</span><span>"</span></div></div><div><div><span>echo</span><span> </span><span>""</span></div></div><div><div> </div></div><div><div><span># 1. System Updates</span></div></div><div><div><span>echo</span><span> </span><span>-e</span><span> </span><span>"</span><span>${</span><span>GREEN</span><span>}[1/8] Updating system packages...${</span><span>NC</span><span>}</span><span>"</span></div></div><div><div><span>apt</span><span> </span><span>update</span><span> &#x26;&#x26; </span><span>apt</span><span> </span><span>upgrade</span><span> </span><span>-y</span></div></div><div><div><span>apt</span><span> </span><span>autoremove</span><span> </span><span>-y</span></div></div><div><div><span>apt</span><span> </span><span>autoclean</span></div></div><div><div> </div></div><div><div><span># 2. Install security tools</span></div></div><div><div><span>echo</span><span> </span><span>-e</span><span> </span><span>"</span><span>${</span><span>GREEN</span><span>}[2/8] Installing security tools...${</span><span>NC</span><span>}</span><span>"</span></div></div><div><div><span>apt</span><span> </span><span>install</span><span> </span><span>-y</span><span> </span><span>ufw</span><span> </span><span>fail2ban</span><span> </span><span>unattended-upgrades</span><span> </span><span>libpam-pwquality</span></div></div><div><div> </div></div><div><div><span># 3. Configure automatic updates</span></div></div><div><div><span>echo</span><span> </span><span>-e</span><span> </span><span>"</span><span>${</span><span>GREEN</span><span>}[3/8] Configuring automatic security updates...${</span><span>NC</span><span>}</span><span>"</span></div></div><div><div><span>dpkg-reconfigure</span><span> </span><span>-plow</span><span> </span><span>unattended-upgrades</span></div></div><div><div> </div></div><div><div><span># 4. UFW Firewall</span></div></div><div><div><span>echo</span><span> </span><span>-e</span><span> </span><span>"</span><span>${</span><span>GREEN</span><span>}[4/8] Configuring UFW firewall...${</span><span>NC</span><span>}</span><span>"</span></div></div><div><div><span>ufw</span><span> </span><span>default</span><span> </span><span>deny</span><span> </span><span>incoming</span></div></div><div><div><span>ufw</span><span> </span><span>default</span><span> </span><span>allow</span><span> </span><span>outgoing</span></div></div><div><div><span>ufw</span><span> </span><span>allow</span><span> </span><span>22/tcp</span><span> </span><span>comment</span><span> </span><span>'</span><span>SSH</span><span>'</span></div></div><div><div><span>ufw</span><span> </span><span>--force</span><span> </span><span>enable</span></div></div><div><div> </div></div><div><div><span># 5. SSH Hardening (preserves current session)</span></div></div><div><div><span>echo</span><span> </span><span>-e</span><span> </span><span>"</span><span>${</span><span>GREEN</span><span>}[5/8] Hardening SSH configuration...${</span><span>NC</span><span>}</span><span>"</span></div></div><div><div><span>cp</span><span> </span><span>/etc/ssh/sshd_config</span><span> </span><span>/etc/ssh/sshd_config.backup.</span><span>$(</span><span>date</span><span> </span><span>+%Y%m%d</span><span>)</span></div></div><div><div> </div></div><div><div><span># Disable root login</span></div></div><div><div><span>sed</span><span> </span><span>-i</span><span> </span><span>'</span><span>s/^#\?PermitRootLogin.*/PermitRootLogin no/</span><span>'</span><span> </span><span>/etc/ssh/sshd_config</span></div></div><div><div> </div></div><div><div><span># Disable password authentication</span></div></div><div><div><span>sed</span><span> </span><span>-i</span><span> </span><span>'</span><span>s/^#\?PasswordAuthentication.*/PasswordAuthentication no/</span><span>'</span><span> </span><span>/etc/ssh/sshd_config</span></div></div><div><div><span>sed</span><span> </span><span>-i</span><span> </span><span>'</span><span>s/^#\?PubkeyAuthentication.*/PubkeyAuthentication yes/</span><span>'</span><span> </span><span>/etc/ssh/sshd_config</span></div></div><div><div> </div></div><div><div><span># Restart SSH (non-disruptive)</span></div></div><div><div><span>systemctl</span><span> </span><span>reload</span><span> </span><span>sshd</span><span> </span><span>||</span><span> </span><span>systemctl</span><span> </span><span>restart</span><span> </span><span>sshd</span></div></div><div><div> </div></div><div><div><span># 6. Fail2ban</span></div></div><div><div><span>echo</span><span> </span><span>-e</span><span> </span><span>"</span><span>${</span><span>GREEN</span><span>}[6/8] Configuring Fail2ban...${</span><span>NC</span><span>}</span><span>"</span></div></div><div><div><span>cat</span><span> </span><span>></span><span> </span><span>/etc/fail2ban/jail.local</span><span> </span><span>&#x3C;&#x3C;</span><span>EOF</span></div></div><div><div><span>[DEFAULT]</span></div></div><div><div><span>bantime = 3600</span></div></div><div><div><span>findtime = 600</span></div></div><div><div><span>maxretry = 3</span></div></div><div><div> </div></div><div><div><span>[sshd]</span></div></div><div><div><span>enabled = true</span></div></div><div><div><span>port = ssh</span></div></div><div><div><span>filter = sshd</span></div></div><div><div><span>logpath = /var/log/auth.log</span></div></div><div><div><span>EOF</span></div></div><div><div> </div></div><div><div><span>systemctl</span><span> </span><span>enable</span><span> </span><span>fail2ban</span></div></div><div><div><span>systemctl</span><span> </span><span>restart</span><span> </span><span>fail2ban</span></div></div><div><div> </div></div><div><div><span># 7. Secure Shared Memory</span></div></div><div><div><span>echo</span><span> </span><span>-e</span><span> </span><span>"</span><span>${</span><span>GREEN</span><span>}[7/8] Securing shared memory...${</span><span>NC</span><span>}</span><span>"</span></div></div><div><div><span>if</span><span> </span><span>!</span><span> </span><span>grep</span><span> </span><span>-q</span><span> </span><span>"</span><span>/run/shm</span><span>"</span><span> </span><span>/etc/fstab</span><span>; </span><span>then</span></div></div><div><div><span> </span><span>echo</span><span> </span><span>"</span><span>tmpfs /run/shm tmpfs defaults,noexec,nosuid,nodev 0 0</span><span>"</span><span> </span><span>>></span><span> </span><span>/etc/fstab</span></div></div><div><div><span> </span><span>mount</span><span> </span><span>-o</span><span> </span><span>remount</span><span> </span><span>/run/shm</span></div></div><div><div><span>fi</span></div></div><div><div> </div></div><div><div><span># 8. Kernel Security Parameters</span></div></div><div><div><span>echo</span><span> </span><span>-e</span><span> </span><span>"</span><span>${</span><span>GREEN</span><span>}[8/8] Applying kernel security parameters...${</span><span>NC</span><span>}</span><span>"</span></div></div><div><div><span>cat</span><span> </span><span>>></span><span> </span><span>/etc/sysctl.conf</span><span> </span><span>&#x3C;&#x3C;</span><span>EOF</span></div></div><div><div> </div></div><div><div><span># Security hardening</span></div></div><div><div><span>net.ipv4.conf.all.rp_filter = 1</span></div></div><div><div><span>net.ipv4.conf.default.rp_filter = 1</span></div></div><div><div><span>net.ipv4.icmp_echo_ignore_broadcasts = 1</span></div></div><div><div><span>net.ipv4.conf.all.accept_source_route = 0</span></div></div><div><div><span>net.ipv4.conf.default.accept_source_route = 0</span></div></div><div><div><span>net.ipv4.conf.all.accept_redirects = 0</span></div></div><div><div><span>net.ipv4.conf.default.accept_redirects = 0</span></div></div><div><div><span>net.ipv4.conf.all.send_redirects = 0</span></div></div><div><div><span>net.ipv4.conf.default.send_redirects = 0</span></div></div><div><div><span>EOF</span></div></div><div><div> </div></div><div><div><span>sysctl</span><span> </span><span>-p</span></div></div><div><div> </div></div><div><div><span>echo</span><span> </span><span>""</span></div></div><div><div><span>echo</span><span> </span><span>-e</span><span> </span><span>"</span><span>${</span><span>GREEN</span><span>}=== Hardening Complete! ===${</span><span>NC</span><span>}</span><span>"</span></div></div><div><div><span>echo</span><span> </span><span>"</span><span>Backup SSH config: /etc/ssh/sshd_config.backup.*</span><span>"</span></div></div><div><div><span>echo</span><span> </span><span>""</span></div></div><div><div><span>echo</span><span> </span><span>-e</span><span> </span><span>"</span><span>${</span><span>YELLOW</span><span>}IMPORTANT:${</span><span>NC</span><span>}</span><span>"</span></div></div><div><div><span>echo</span><span> </span><span>"</span><span>1. Keep your current SSH session open</span><span>"</span></div></div><div><div><span>echo</span><span> </span><span>"</span><span>2. Test new SSH connection in another terminal</span><span>"</span></div></div><div><div><span>echo</span><span> </span><span>"</span><span>3. If locked out, restore from backup:</span><span>"</span></div></div><div><div><span>echo</span><span> </span><span>"</span><span> cp /etc/ssh/sshd_config.backup.* /etc/ssh/sshd_config</span><span>"</span></div></div><div><div><span>echo</span><span> </span><span>"</span><span> systemctl restart sshd</span><span>"</span></div></div><div><div><span>echo</span><span> </span><span>""</span></div></div><div><div><span>echo</span><span> </span><span>"</span><span>Run 'lynis audit system' to verify hardening.</span><span>"</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <p><strong>Save and run:</strong></p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span># Download and review</span></div></div><div><div><span>wget</span><span> </span><span>https://your-domain.com/harden.sh</span><span> </span><span>-O</span><span> </span><span>ubuntu-harden.sh</span></div></div><div><div><span>nano</span><span> </span><span>ubuntu-harden.sh</span><span> </span><span># Review before running!</span></div></div><div><div> </div></div><div><div><span># Make executable and run</span></div></div><div><div><span>chmod</span><span> </span><span>+x</span><span> </span><span>ubuntu-harden.sh</span></div></div><div><div><span>sudo</span><span> </span><span>./ubuntu-harden.sh</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <div><h2 id="testing-your-security">Testing Your Security</h2></div> <p>After hardening, test your configuration:</p> <ol> <li><strong>Verify SSH access:</strong> Try connecting with your key (not password)</li> <li><strong>Test Fail2ban:</strong> Attempt failed logins and check ban status</li> <li><strong>Check firewall:</strong> Use <code dir="auto">nmap</code> from another machine to scan open ports</li> <li><strong>Run Lynis audit:</strong> Review the hardening index score</li> </ol> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span># From another machine, scan your server</span></div></div><div><div><span>nmap</span><span> </span><span>-sV</span><span> </span><span>-O</span><span> </span><span>your-server-ip</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <div><h2 id="conclusion">Conclusion</h2></div> <p>This guide provides a solid security baseline for Ubuntu servers. Remember that security is an ongoing process:</p> <ul> <li><strong>Monitor logs regularly</strong> for suspicious activity</li> <li><strong>Keep system updated</strong> with security patches</li> <li><strong>Review firewall rules</strong> periodically</li> <li><strong>Audit user accounts</strong> and remove unused ones</li> <li><strong>Test backups</strong> to ensure they work</li> </ul> <p><strong>⚠️ IMPORTANT:</strong> Always test changes in a non-production environment first. Keep a backup of working configurations before making changes.</p> <div><h3 id="additional-resources">Additional Resources</h3></div> <ul> <li><a href="https://www.cisecurity.org/benchmark/ubuntu_linux">CIS Ubuntu Benchmarks</a></li> <li><a href="https://wiki.ubuntu.com/Security">Ubuntu Security Wiki</a></li> <li><a href="https://cisofy.com/documentation/lynis/">Lynis Documentation</a></li> <li><a href="https://help.ubuntu.com/community/UFW">UFW Essentials</a></li> </ul> <div><h3 id="references">References</h3></div> <ul> <li><a href="https://ubuntu.com/server/docs/security">Ubuntu Server Security Guide</a></li> <li><a href="https://www.fail2ban.org/wiki/index.php/Main_Page">Fail2ban Official Documentation</a></li> <li><a href="https://www.ssh-audit.com/">SSH Server Hardening</a></li> </ul> <hr> <p><strong>Security is a journey, not a destination. Stay vigilant!</strong></p>ubuntusecurityhardeningsshfirewallserverlinuxhttps://8labs.id/blog/install-omakub-on-proxmox-vm/https://8labs.id/blog/install-omakub-on-proxmox-vm/Fri, 11 Jul 2025 00:00:00 GMT<p>I recently found myself in a common homelab dilemma: I needed a dedicated machine for a jumphost and remote development environment, but all my spare hardware was already tied up with my Proxmox server running other services. So, I decided to leverage my existing Proxmox setup and install <a href="https://omakub.org/">Omakub</a> inside a virtual machine.</p> <p>Omakub, based on Ubuntu, provides a clean and efficient workspace, perfect for keeping my main PC clutter-free while still having a powerful Linux environment at my fingertips. This guide will walk you through setting up a fresh Ubuntu 24.04 VM in Proxmox and then installing Omakub.</p> <div><h3 id="vm-specification">VM Specification</h3></div> <p>For this setup, I allocated the following resources to my Proxmox VM:</p> <ul> <li><strong>VCPU:</strong> 8</li> <li><strong>RAM:</strong> 16 GB</li> <li><strong>Storage:</strong> 512 GB SSD</li> </ul> <div><h3 id="step-by-step-ubuntu-2404-installation-proxmox-vm">Step by Step: Ubuntu 24.04 Installation (Proxmox VM)</h3></div> <ol> <li> <p><strong>Download Ubuntu 24.04 ISO:</strong> First, grab the official Ubuntu 24.04 Desktop ISO from the Ubuntu website. <a href="https://releases.ubuntu.com/24.04/">https://releases.ubuntu.com/24.04/</a></p> </li> <li> <p><strong>Create a New VM in Proxmox:</strong> Follow the standard Proxmox procedure to create a new virtual machine.</p> <ul> <li>Mount the downloaded Ubuntu ISO as a CD/DVD drive.</li> <li>Configure the VM with the specifications mentioned above (8 VCPU, 16 GB RAM, 512 GB SSD).</li> <li>Ensure you select “Qemu Agent” in the VM options for better integration.</li> </ul> </li> <li> <p><strong>Install Ubuntu 24.04:</strong> Boot the VM and proceed with a fresh installation of Ubuntu 24.04 Desktop. Follow the on-screen prompts to set up your user, timezone, etc.</p> </li> </ol> <div><h3 id="post-installation-setup">Post-Installation Setup</h3></div> <p>Once Ubuntu is installed and you’ve rebooted into your fresh desktop, perform these crucial steps before installing Omakub:</p> <ol start="0"> <li> <p><strong>Update all repositories:</strong></p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>sudo</span><span> </span><span>apt</span><span> </span><span>update</span><span> &#x26;&#x26; </span><span>sudo</span><span> </span><span>apt</span><span> </span><span>upgrade</span><span> </span><span>-y</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <p>If a reboot is requested after the update, go ahead and reboot your VM.</p> </li> <li> <p><strong>Install essential tools:</strong></p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>sudo</span><span> </span><span>apt</span><span> </span><span>install</span><span> </span><span>-y</span><span> </span><span>vim</span><span> </span><span>qemu-guest-agent</span><span> </span><span>openssh-server</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> </li> <li> <p><strong>Enable and start services:</strong></p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>sudo</span><span> </span><span>systemctl</span><span> </span><span>enable</span><span> </span><span>--now</span><span> </span><span>qemu-guest-agent</span></div></div><div><div><span>sudo</span><span> </span><span>systemctl</span><span> </span><span>enable</span><span> </span><span>--now</span><span> </span><span>ssh</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> </li> </ol> <div><h3 id="enable-remote-desktop">Enable Remote Desktop</h3></div> <p>After ensuring your system is updated and services are running, you can enable Remote Desktop for easier access.</p> <ol> <li>Open <strong>Settings</strong> > <strong>System</strong> > <strong>Remote Desktop</strong>.</li> <li>Toggle <strong>Remote Desktop</strong> to ON.</li> <li>For <strong>Remote Login</strong>, you can choose to set a specific port (the default RDP port is 3389).</li> <li>Set your desired username and password for remote access.</li> </ol> <p>Now, you can test connecting to your Ubuntu VM using an RDP client. I use Microsoft Remote Desktop on my Mac.</p> <div><h3 id="omakub-installation">Omakub Installation</h3></div> <p>Once you have successfully connected to your Ubuntu VM via RDP, you can proceed with the Omakub installation using their convenient one-line script.</p> <p>Open a terminal in your Ubuntu VM and run:</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>wget</span><span> </span><span>-qO-</span><span> </span><span>https://omakub.org/install</span><span> </span><span>|</span><span> </span><span>bash</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <p>Follow the on-screen prompts to select your preferred options. The installation will take some time and will eventually request a reboot.</p> <p><img alt="Terminal Landing Page" loading="lazy" decoding="async" fetchpriority="auto" width="3024" height="1894" src="https://8labs.id/_astro/00-home.rzOhc1wK_Zek6K8.webp"></p> <div><h3 id="post-omakub-installation--troubleshooting">Post-Omakub Installation &#x26; Troubleshooting</h3></div> <p>After Omakub is installed and your VM has rebooted, try to connect again via RDP.</p> <ul> <li> <p><strong>Xorg Session:</strong> Omakub uses Xorg. If you experience lagging or a black screen upon login, ensure you select “Ubuntu on Xorg” after entering your username and before typing your password. Look for a small gear icon (or similar) in the bottom right corner of the login screen to choose the session type.</p> </li> <li> <p><strong>RDP Black Screen Troubleshooting (macOS Microsoft Remote Desktop):</strong> If you encounter a black screen specifically when using Microsoft Remote Desktop on macOS, you might need to adjust the RDP connection file:</p> <ol> <li>Right-click on your existing connection in Microsoft Remote Desktop.</li> <li>Select “Export” to save the connection settings as an <code dir="auto">.rdp</code> file.</li> <li>Open the saved <code dir="auto">.rdp</code> file with a text editor.</li> <li>Locate the line: <div><figure><figcaption></figcaption><pre><code><div><div><span>use redirection server name:i:0</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> </li> <li>Change it to: <div><figure><figcaption></figcaption><pre><code><div><div><span>use redirection server name:i:1</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> </li> <li>Save the modified file.</li> <li>Import the edited file as a new connection in Microsoft Remote Desktop.</li> </ol> <p>For more details, you can refer to this Reddit thread: <a href="https://www.reddit.com/r/Ubuntu/comments/1csoi05/2404_cannot_connect_via_rdp/?utm_source=share&#x26;utm_medium=web3x&#x26;utm_name=web3xcss&#x26;utm_term=1&#x26;utm_content=share_button">https://www.reddit.com/r/Ubuntu/comments/1csoi05/2404_cannot_connect_via_rdp/?utm_source=share&#x26;utm_medium=web3x&#x26;utm_name=web3xcss&#x26;utm_term=1&#x26;utm_content=share_button</a></p> </li> </ul> <div><h3 id="troubleshooting-keyboard-shortcuts-super-key-conflicts">Troubleshooting Keyboard Shortcuts (Super Key Conflicts)</h3></div> <p>A common issue when using Remote Desktop from macOS to a Linux VM (especially with Omakub) is that macOS’s system-level shortcuts can conflict with the VM’s shortcuts, particularly those involving the <code dir="auto">Super</code> key (Cmd key on Mac). For example, <code dir="auto">Super+Space</code> often triggers Spotlight on macOS instead of Omakub’s application launcher.</p> <p><img alt="Shortcut Settings" loading="lazy" decoding="async" fetchpriority="auto" width="3024" height="1894" src="https://8labs.id/_astro/02-shortcut.7nVYCgUY_Z1Q3osI.webp"></p> <p>To resolve this, you can adjust the hotkeys within Omakub to avoid conflicts:</p> <ul> <li> <p><strong>Ulauncher (“Type app to launch”):</strong></p> <ul> <li><strong>Original:</strong> <code dir="auto">Super + Space</code></li> <li><strong>New:</strong> <code dir="auto">Shift + Super + Space</code></li> <li>You can find and modify this shortcut within Omakub’s settings, often under “Keyboard” or “Custom Shortcuts,” specifically looking for <code dir="auto">Ulauncher</code>.</li> </ul> </li> <li> <p><strong>“See all apps” (System):</strong></p> <ul> <li><strong>Original:</strong> <code dir="auto">Super + A</code></li> <li><strong>New:</strong> <code dir="auto">Shift + Super + A</code></li> </ul> </li> <li> <p><strong>“Close app” (Windows):</strong></p> <ul> <li><strong>Original:</strong> <code dir="auto">Super + W</code></li> <li><strong>New:</strong> <code dir="auto">Shift + Super + W</code></li> </ul> </li> </ul> <p>By changing these keybindings in Omakub, you allow macOS to retain its system-level shortcuts while still having access to Omakub’s features with non-conflicting combinations.</p> <div><h3 id="conclusion">Conclusion</h3></div> <p>You’ve now successfully installed Omakub on an Ubuntu 24.04 virtual machine within Proxmox! This setup provides a powerful and isolated environment for your jumphost and remote development needs, all while leveraging your existing homelab infrastructure. Enjoy your clean main PC and your new Omakub workspace!</p> <p><img alt="Omakub Theme" loading="lazy" decoding="async" fetchpriority="auto" width="1511" height="917" src="https://8labs.id/_astro/01-theme.DQlemul8_2uPzJt.webp"></p> <div><h3 id="references">References</h3></div> <ul> <li><a href="https://omakub.org/">Omakub Official Website</a></li> <li><a href="https://manuals.omamix.org/1/read/4/getting-started">Omamix Manuals: Getting Started</a></li> <li><a href="https://dev.to/tacoda/i-installed-omakub-five-times-so-you-can-do-it-just-once-2ek8">I Installed Omakub Five Times So You Can Do It Just Once - dev.to</a></li> <li><a href="https://www.reddit.com/r/Ubuntu/comments/1csoi05/2404_cannot_connect_via_rdp/?utm_source=share&#x26;utm_medium=web3x&#x26;utm_name=web3xcss&#x26;utm_term=1&#x26;utm_content=share_button">Ubuntu 24.04 Cannot Connect via RDP - Reddit</a></li> </ul>omakububuntuproxmoxvirtualizationhomelabremote-desktopjumphosthttps://8labs.id/blog/qemu-virt-manager-macos-intel/https://8labs.id/blog/qemu-virt-manager-macos-intel/Wed, 12 Mar 2025 00:00:00 GMT<p>So, I found this old iMac (Retina 5K, 27-inch, 2017) lying around with pretty decent specs. I’m thinking of turning it into my dedicated x86 playground since my main machine is an M1 MacBook. First thing’s first: getting Qemu and Virt-manager up and running for some virtual machine action. Yeah, I know there are other VM solutions like VMware or VirtualBox, but I want to stay familiar with what’s common in enterprise environments (even if nobody’s running macOS in production, haha!).</p> <div><h3 id="specification">Specification</h3></div> <p>iMac (Retina 5K, 27-inch, 2017)</p> <ul> <li>Processor: 4.2 GHz Quad-Core Intel Core i7</li> <li>Memory: 16 GB 2400 MHz DDR4</li> <li>OS Version: Ventura 13.7.4 (22H420)</li> </ul> <div><h3 id="step-by-step-qemu">Step by Step: Qemu</h3></div> <ol> <li> <p>First, we need Homebrew to install everything.</p> <p>Get it here: <a href="https://brew.sh/">https://brew.sh/</a></p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>/bin/bash</span><span> </span><span>-c</span><span> </span><span>"</span><span>$(</span><span>curl</span><span> </span><span>-fsSL</span><span> </span><span>&#x3C;https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh></span><span>)</span><span>"</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> </li> <li> <p>Now, let’s install Qemu itself.</p> <p>Check it out here: <a href="https://formulae.brew.sh/formula/qemu">https://formulae.brew.sh/formula/qemu</a></p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>brew</span><span> </span><span>install</span><span> </span><span>qemu</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> </li> <li> <p>Verify the installation by checking the Qemu version.</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>qemu-system-x86_64</span><span> </span><span>--version</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <p><img alt="Check qemu version" loading="lazy" decoding="async" fetchpriority="auto" width="1020" height="98" src="https://8labs.id/_astro/00-qemu-version.Co40euZ8_bUFSd.webp"></p> </li> <li> <p>Let’s get Ubuntu running with Qemu.</p> <ol> <li> <p>Before we dive in, grab the Ubuntu ISO. I’m going with the desktop version from here: <a href="https://releases.ubuntu.com/24.04/">https://releases.ubuntu.com/24.04/</a>. I’ll use the desktop version (<a href="https://releases.ubuntu.com/24.04/ubuntu-24.04.2-desktop-amd64.iso">https://releases.ubuntu.com/24.04/ubuntu-24.04.2-desktop-amd64.iso</a>).</p> </li> <li> <p>Create a disk image using <code dir="auto">qemu-img</code>. I’m making a 20GB image in the <code dir="auto">qcow2</code> format.</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>qemu-img</span><span> </span><span>create</span><span> </span><span>-f</span><span> </span><span>qcow2</span><span> </span><span>ubuntu-24.04.2-desktop-amd64.qcow2</span><span> </span><span>20G</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> </li> <li> <p>Fire up the VM, booting from the ISO we just downloaded (mounted as a CD drive) and attaching the virtual disk we created.</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>qemu-system-x86_64</span><span> </span><span>\\</span></div></div><div><div><span> </span><span>-machine</span><span> </span><span>type=q35,accel=hvf</span><span> </span><span>\\</span></div></div><div><div><span> </span><span>-smp</span><span> </span><span>2</span><span> </span><span>\\</span></div></div><div><div><span> </span><span>-hda</span><span> </span><span>ubuntu-24.04.2-desktop-amd64.qcow2</span><span> </span><span>\\</span></div></div><div><div><span> </span><span>-cdrom</span><span> </span><span>./ubuntu-24.04.2-desktop-amd64.iso</span><span> </span><span>\\</span></div></div><div><div><span> </span><span>-m</span><span> </span><span>4G</span><span> </span><span>\\</span></div></div><div><div><span> </span><span>-vga</span><span> </span><span>virtio</span><span> </span><span>\\</span></div></div><div><div><span> </span><span>-usb</span><span> </span><span>\\</span></div></div><div><div><span> </span><span>-device</span><span> </span><span>usb-tablet</span><span> </span><span>\\</span></div></div><div><div><span> </span><span>-display</span><span> </span><span>default,show-cursor=on</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <p>Here’s a breakdown of what those flags actually mean:</p> <ul> <li><strong><code dir="auto">qemu-system-x86_64</code></strong>: Tells QEMU we want to emulate a 64-bit Intel/AMD system.</li> <li><strong><code dir="auto">machine type=q35,accel=hvf</code></strong> <ul> <li><strong><code dir="auto">type=q35</code></strong>: Sets the machine chipset to Q35, emulating a modern PC with PCI Express.</li> <li><strong><code dir="auto">accel=hvf</code></strong>: Uses the Hypervisor Framework (HVF) for hardware acceleration on macOS. This makes things much faster!</li> </ul> </li> <li><strong><code dir="auto">smp 2</code></strong>: Gives the VM 2 CPU cores.</li> <li><strong><code dir="auto">hda ubuntu-24.04.2-desktop-amd64.qcow2</code></strong>: Specifies the QCOW2 disk image as the primary hard drive.</li> <li><strong><code dir="auto">cdrom ./ubuntu-24.04.2-desktop-amd64.iso</code></strong>: Mounts the ISO as a virtual CD-ROM for booting/installing.</li> <li><strong><code dir="auto">m 4G</code></strong>: Allocates 4GB of RAM to the VM.</li> <li><strong><code dir="auto">vga virtio</code></strong>: Uses a Virtio-based video card for better performance.</li> <li><strong><code dir="auto">usb</code></strong>: Enables USB support.</li> <li><strong><code dir="auto">device usb-tablet</code></strong>: Adds a virtual USB tablet for smoother mouse input.</li> <li><strong><code dir="auto">display default,show-cursor=on</code></strong>: Makes sure the mouse cursor is visible.</li> </ul> </li> <li> <p>The VM should boot up from the ISO. Go ahead and install the OS to the virtual disk we created earlier.</p> </li> <li> <p>Once the installation is done, you can boot the VM without the ISO.</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>qemu-system-x86_64</span><span> </span><span>\\</span></div></div><div><div><span> </span><span>-machine</span><span> </span><span>type=q35,accel=hvf</span><span> </span><span>\\</span></div></div><div><div><span> </span><span>-smp</span><span> </span><span>2</span><span> </span><span>\\</span></div></div><div><div><span> </span><span>-hda</span><span> </span><span>ubuntu-24.04.2-desktop-amd64.qcow2</span><span> </span><span>\\</span></div></div><div><div><span> </span><span>-m</span><span> </span><span>4G</span><span> </span><span>\\</span></div></div><div><div><span> </span><span>-vga</span><span> </span><span>virtio</span><span> </span><span>\\</span></div></div><div><div><span> </span><span>-usb</span><span> </span><span>\\</span></div></div><div><div><span> </span><span>-device</span><span> </span><span>usb-tablet</span><span> </span><span>\\</span></div></div><div><div><span> </span><span>-display</span><span> </span><span>default,show-cursor=on</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <p><img alt="Ubuntu Desktop VM in qemu" loading="lazy" decoding="async" fetchpriority="auto" width="1280" height="1020" src="https://8labs.id/_astro/01-ubuntu-vm-in-qemu.RxeRVRy3_Z1yPlIV.webp"></p> </li> <li> <p>To shut down the VM, do it cleanly from within the OS, or, if you’re feeling lazy, just hit <code dir="auto">Ctrl+C</code> in the terminal (but I wouldn’t recommend it!).</p> </li> </ol> </li> </ol> <div><h3 id="step-by-step-libvirt-and-virt-manager">Step by Step: Libvirt and Virt-manager</h3></div> <ol> <li> <p>Install <code dir="auto">libvirt</code>.</p> <p><code dir="auto">libvirt</code> is a toolkit for managing virtualization platforms like Qemu, KVM, Xen, etc.</p> <p>Check it out here: <a href="https://formulae.brew.sh/formula/libvirt">https://formulae.brew.sh/formula/libvirt</a></p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>brew</span><span> </span><span>install</span><span> </span><span>libvirt</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> </li> <li> <p>Start the <code dir="auto">libvirt</code> service.</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>brew</span><span> </span><span>services</span><span> </span><span>start</span><span> </span><span>libvirt</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> </li> <li> <p>Install <code dir="auto">virt-manager</code>. To make managing VMs easier, we’ll use <code dir="auto">virt-manager</code> as a GUI.</p> <p>Check it out here: <a href="https://formulae.brew.sh/formula/virt-manager">https://formulae.brew.sh/formula/virt-manager</a></p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>brew</span><span> </span><span>install</span><span> </span><span>virt-manager</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> </li> <li> <p>Start a <code dir="auto">virt-manager</code> session.</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>virt-manager</span><span> </span><span>-c</span><span> </span><span>"</span><span>qemu:///session</span><span>"</span><span> </span><span>--no-fork</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> </li> <li> <p>Once the window pops up, you can install Ubuntu VMs and mess around.</p> <p><img alt="virt-manager window" loading="lazy" decoding="async" fetchpriority="auto" width="1110" height="1166" src="https://8labs.id/_astro/02-virt-manager-window.DicoivPx_Z1S66ry.webp"></p> </li> </ol> <div><h3 id="conclusion">Conclusion</h3></div> <p>So there you have it! Qemu, libvirt, and virt-manager all set up on macOS. It wasn’t too bad, right? Now you can spin up VMs to your heart’s content. This setup is pretty handy for testing different operating systems, playing around with software, or just generally tinkering without messing up your main system. Plus, getting familiar with these tools can be a real boost if you ever find yourself working with virtualization in a more “serious” environment. Happy virtualizing!</p> <div><h3 id="reference">Reference</h3></div> <p><a href="https://www.arthurkoziel.com/qemu-ubuntu-20-04/">https://www.arthurkoziel.com/qemu-ubuntu-20-04/</a></p> <p><a href="https://www.arthurkoziel.com/running-virt-manager-and-libvirt-on-macos/">https://www.arthurkoziel.com/running-virt-manager-and-libvirt-on-macos/</a></p>qemuvirt-managermacosvirtualizationubuntuhttps://8labs.id/blog/setup-non-ha-kubernetes-using-k3s/https://8labs.id/blog/setup-non-ha-kubernetes-using-k3s/Tue, 25 Feb 2025 00:00:00 GMT<p>Last Update: 25 February 2025</p> <div><h2 id="k3s">K3S</h2></div> <div><h4 id="resources">Resources</h4></div> <ul> <li><a href="https://docs.k3s.io/quick-start">Quick Start K3S</a></li> <li><a href="https://www.youtube.com/watch?v=w7qoTksCQow">K3S: Setup dan Konfigurasi Kubernetes Cluster</a></li> <li><a href="https://metallb.io/installation/#installation-with-helm">MetalLB: Installation with Helm</a></li> <li><a href="https://helm.sh/docs/intro/install/#from-apt-debianubuntu">Helm: Installing from APT - Ubuntu/Debian</a></li> </ul> <div><h2 id="non-ha-control-plan-setup-and-configuration">Non-HA Control Plan Setup and Configuration</h2></div> <p><img src="https://8labs.id/_astro/00-non-ha-control-plane-kubernetes.BCX7iJRH_2uGi6C.webp" alt="Non HA Control Plane Kubernetes" loading="lazy" decoding="async" fetchpriority="auto" width="318" height="218"></p> <p>The implementation Scenario will be configured:</p> <ul> <li>1 Master Node</li> <li>2 Worker Node</li> </ul> <p>These three nodes will be deployed in Proxmox VE, with each specification of node:</p> <ul> <li>4 vCPU</li> <li>16 GB of memory</li> <li>50 GB of storage</li> <li>Ubuntu 20.04</li> </ul> <div><h2 id="step-by-step">Step by step</h2></div> <div><h3 id="vm-setup">VM Setup</h3></div> <ol> <li> <p>Update and upgrade the package repository to the newest version.</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>sudo</span><span> </span><span>apt</span><span> </span><span>update</span><span> </span><span>-y</span></div></div><div><div><span>sudo</span><span> </span><span>apt</span><span> </span><span>upgrade</span><span> </span><span>-y</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> </li> <li> <p>(optional) rename and set /etc/host for each node became:</p> <ol> <li>Master node → <code dir="auto">kube-master-1</code></li> <li>Worker node → <code dir="auto">kube-worker-1</code>, <code dir="auto">kube-worker-2</code></li> </ol> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>#edit /etc/hosts and add this at the end of file (adjust ip address)</span></div></div><div><div><span>10.0.2.200</span><span> </span><span>kube-master-1</span></div></div><div><div><span>10.0.2.199</span><span> </span><span>kube-worker-1</span></div></div><div><div><span>10.0.2.198</span><span> </span><span>kube-worker-2</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> </li> <li> <p>Reboot to finalize the upgrade and apply the hostname.</p> </li> <li> <p>Install docker with this script (<a href="https://docs.docker.com/engine/install/ubuntu/#install-using-the-convenience-script">Docker: Install using the conveniencescript</a>)</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>curl</span><span> </span><span>-fsSL</span><span> </span><span>https://get.docker.com</span><span> </span><span>-o</span><span> </span><span>get-docker.sh</span></div></div><div><div><span>sudo</span><span> </span><span>sh</span><span> </span><span>get-docker.sh</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> </li> <li> <p>Check docker command and version</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>docker</span><span> </span><span>ps</span></div></div><div><div><span>docker</span><span> </span><span>version</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <p><img src="https://8labs.id/_astro/01-check-docker-version.D752Bj0__ZpcFCW.webp" alt="Check Docker Version" loading="lazy" decoding="async" fetchpriority="auto" width="532" height="397"></p> </li> </ol> <div><h3 id="master-node-setup">Master Node Setup</h3></div> <ol> <li> <p>Defined the K3s token. Save this token and make sure this token is the same for all nodes</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>export</span><span> </span><span>K3S_TOKEN</span><span>=</span><span>kubernetesdemo123</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> </li> <li> <p>The installation of master node, using this script:</p> <ol> <li>install the server as master node</li> <li>disable Traefik for ingress → will use Nginx ingress</li> <li>disable Servicelb → will use MetalLB</li> <li>disable local-storage → will use Ceph CSI</li> <li>declare to use docker</li> </ol> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>curl</span><span> </span><span>-sfL</span><span> </span><span>https://get.k3s.io</span><span> </span><span>|</span><span> </span><span>sh</span><span> </span><span>-s</span><span> </span><span>-</span><span> </span><span>server</span><span> </span><span>--disable</span><span> </span><span>traefik</span><span> </span><span>--disable</span><span> </span><span>servicelb</span><span> </span><span>--disable</span><span> </span><span>local-storage</span><span> </span><span>--docker</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <p><img src="https://8labs.id/_astro/02-k3s-installation.VyaQrxFb_ZiVUoE.webp" alt="K3S Installation" loading="lazy" decoding="async" fetchpriority="auto" width="973" height="269"></p> </li> <li> <p>Check the service status, make sure it is active</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>systemctl</span><span> </span><span>status</span><span> </span><span>k3s.service</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <p><img src="https://8labs.id/_astro/03-k3s-master-node-status.uMotlzsb_ZDsXtk.webp" alt="K3S Master Node Status" loading="lazy" decoding="async" fetchpriority="auto" width="973" height="345"></p> </li> <li> <p>Check kubectl command. It will display 1 node only (which is the master node).</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>kubectl</span><span> </span><span>get</span><span> </span><span>node</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <p><img src="https://8labs.id/_astro/04-get-node-information-using-kubectl.ew1uaAZb_CfPSo.webp" alt="Get Node Information using kubectl" loading="lazy" decoding="async" fetchpriority="auto" width="489" height="67"></p> <blockquote> <p>⚠️ if the get error <code dir="auto">unable to read /etc/rancher/k3s/k3s.yml</code> , you can fix with this step.</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>mkdir</span><span> </span><span>.kube</span></div></div><div><div><span>sudo</span><span> </span><span>cp</span><span> </span><span>/etc/rancher/k3s/k3s.yaml</span><span> </span><span>.kube/config.yaml</span></div></div><div><div><span>sudo</span><span> </span><span>chown</span><span> </span><span>$USER</span><span>:</span><span>$GROUP</span><span> </span><span>.kube/config.yaml</span></div></div><div><div><span>export</span><span> </span><span>KUBECONFIG</span><span>=</span><span>~</span><span>/.</span><span>kube</span><span>/</span><span>config</span><span>.</span><span>yaml</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <p>or if you have not start the installation, you can add <code dir="auto">--write-config 644</code> in the end of the script, like this:</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>curl</span><span> </span><span>-sfL</span><span> </span><span>https://get.k3s.io</span><span> </span><span>|</span><span> </span><span>sh</span><span> </span><span>-s</span><span> </span><span>-</span><span> </span><span>server</span><span> </span><span>--disable</span><span> </span><span>traefik</span><span> </span><span>--disable</span><span> </span><span>servicelb</span><span> </span><span>--disable</span><span> </span><span>local-storage</span><span> </span><span>--docker</span><span> </span><span>--write-config</span><span> </span><span>644</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> </blockquote> </li> </ol> <div><h3 id="worker-node-setup">Worker Node Setup</h3></div> <p>Do this step for all the worker node, in this scenario will be <code dir="auto">kube-worker-1</code> and <code dir="auto">kube-worker-2</code>.</p> <ol> <li> <p>Defined the K3s token. Use the same token as defined in master node.</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>export</span><span> </span><span>K3S_TOKEN</span><span>=</span><span>kubernetesdemo123</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <blockquote> <p>⚠️ If you forget the token on the master node, you can check and on the master node on this file. Copy all the string.</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>cat</span><span> </span><span>/var/lib/rancher/k3s/server/node-token</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> </blockquote> </li> <li> <p>The installation of worker nodes, using this script:</p> <ol> <li>install the server as worker node (agent)</li> <li>declare to use docker</li> <li>define the server endpoint to master node ip or domain</li> </ol> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>curl</span><span> </span><span>-sfL</span><span> </span><span>https://get.k3s.io</span><span> </span><span>|</span><span> </span><span>sh</span><span> </span><span>-s</span><span> </span><span>-</span><span> </span><span>agent</span><span> </span><span>--docker</span><span> </span><span>--server</span><span> </span><span>https://kube-master-1:6443</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> </li> <li> <p>Check the service in the worker nodes</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>systemctl</span><span> </span><span>status</span><span> </span><span>k3s-agent.service</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <p><img src="https://8labs.id/_astro/05-k3s-worker-node-status.p3bg38c3_ZI90W9.webp" alt="K3S Worker Node Status" loading="lazy" decoding="async" fetchpriority="auto" width="985" height="331"></p> </li> <li> <p>Check kubectl command in master node. Now, it will display more than 1 node (which is the includes all the installed worker nodes).</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>kubectl</span><span> </span><span>get</span><span> </span><span>node</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <p><img src="https://8labs.id/_astro/06-get-node-information-using-kubectl.mwc5tIPU_ZDqkwx.webp" alt="Get Nodes Information using kubectl" loading="lazy" decoding="async" fetchpriority="auto" width="530" height="73"></p> </li> </ol> <blockquote> <p>⚠️ If you stuck in when starting k3s-agent. Make sure worker node and master node can be connecting. it could be firewall, proxy server, or incorrect/mismatched MTU. Script below can be use for check the connectivity.</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>curl</span><span> </span><span>-ks</span><span> </span><span>https://ipaddress:6443/ping</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> </blockquote> <div><h2 id="install-and-configure-services-in-the-master-node">Install and Configure services in the Master Node</h2></div> <p>Because we disable some service in the master node. Now we are going to install it the replacement services.</p> <div><h3 id="helm---package-manager-installation">HELM - Package Manager Installation</h3></div> <ol> <li> <p>Install Helm using script below (the latest script can be seen on the Helm docs):</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>curl</span><span> </span><span>https://baltocdn.com/helm/signing.asc</span><span> </span><span>|</span><span> </span><span>gpg</span><span> </span><span>--dearmor</span><span> </span><span>|</span><span> </span><span>sudo</span><span> </span><span>tee</span><span> </span><span>/usr/share/keyrings/helm.gpg</span><span> </span><span>></span><span> </span><span>/dev/null</span></div></div><div><div><span>sudo</span><span> </span><span>apt-get</span><span> </span><span>install</span><span> </span><span>apt-transport-https</span><span> </span><span>--yes</span></div></div><div><div><span>echo</span><span> </span><span>"</span><span>deb [arch=$(</span><span>dpkg</span><span> </span><span>--print-architecture</span><span>) signed-by=/usr/share/keyrings/helm.gpg] https://baltocdn.com/helm/stable/debian/ all main</span><span>"</span><span> </span><span>|</span><span> </span><span>sudo</span><span> </span><span>tee</span><span> </span><span>/etc/apt/sources.list.d/helm-stable-debian.list</span></div></div><div><div><span>sudo</span><span> </span><span>apt-get</span><span> </span><span>update</span></div></div><div><div><span>sudo</span><span> </span><span>apt-get</span><span> </span><span>install</span><span> </span><span>helm</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> </li> <li> <p>Check the version</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>helm</span><span> </span><span>version</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <p><img src="https://8labs.id/_astro/07-check-helm-version.D_5OBXpk_Z1VEb0G.webp" alt="Check Helm Version" loading="lazy" decoding="async" fetchpriority="auto" width="959" height="87"></p> </li> </ol> <div><h3 id="metallb---load-balancer-installation-and-configuration">MetalLB - Load Balancer Installation and Configuration</h3></div> <p><img src="https://8labs.id/_astro/08-load-balancer-diagram.3HCFFYAu_ZiLqlu.webp" alt="Load Balancer Diagram" loading="lazy" decoding="async" fetchpriority="auto" width="917" height="261"></p> <div><h4 id="services">Services</h4></div> <ul> <li>As default, all resources in Kubernetes are isolated, specifically pods.</li> <li>Pods are isolated by default. To enable communication between pods or with the external network, you need to configure Services.</li> <li>There are several type of service: <ul> <li>ClusterIP → Default services, ClusterIP services provide an internal IP address within the cluster that other pods can use to communicate. They are not directly accessible from outside the cluster.</li> <li>NodePort (Port 30000-32767) → NodePort services expose a port on each node in the cluster, allowing external access. The port range 30000-32767 is the default range.</li> <li>LoadBalancer → LoadBalancer services provision an external load balancer that distributes traffic to multiple pods.</li> </ul> </li> </ul> <div><h4 id="installation-step-by-step">Installation Step by Step</h4></div> <ol> <li> <p>Add metallb repository to helm</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>helm</span><span> </span><span>repo</span><span> </span><span>add</span><span> </span><span>metallb</span><span> </span><span>https://metallb.github.io/metallb</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> </li> <li> <p>Check the repo list</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>helm</span><span> </span><span>repo</span><span> </span><span>ls</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> </li> <li> <p>Search the metallb</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>helm</span><span> </span><span>search</span><span> </span><span>repo</span><span> </span><span>metallb</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <p><img src="https://8labs.id/_astro/09-search-metallb-in-helm.P3qCmaxc_Z1Nbxfv.webp" alt="Search MetalLB in Helm" loading="lazy" decoding="async" fetchpriority="auto" width="724" height="162"></p> </li> <li> <p>Pull the metallb from the repository, it will download tgz file.</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span># run this in the home dir or other directory</span></div></div><div><div><span>helm</span><span> </span><span>pull</span><span> </span><span>metallb/metallb</span></div></div><div><div><span># extract the tgz</span></div></div><div><div><span>tar</span><span> </span><span>xvf</span><span> </span><span>metallb-</span><span>*</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> </li> <li> <p>Change directory to metallb and if there any configuration changes, you can edit values.yaml</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>cd</span><span> </span><span>metallb</span></div></div><div><div> </div></div><div><div><span>#optional</span></div></div><div><div><span>vim</span><span> </span><span>values.yaml</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> </li> <li> <p>Install metallb using helm</p> <ul> <li>Set the chart name to metallb</li> <li>Define the file to values.yaml</li> <li>Put the namespace to metallb-system</li> <li>Enable debug mode</li> <li>Create metallb-system namespace</li> </ul> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>helm</span><span> </span><span>install</span><span> </span><span>metallb</span><span> </span><span>-f</span><span> </span><span>values.yaml</span><span> </span><span>.</span><span> </span><span>-n</span><span> </span><span>metallb-system</span><span> </span><span>--debug</span><span> </span><span>--create-namespace</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> </li> <li> <p>Check the status, if the status still init, wait until running.</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>kubectl</span><span> </span><span>-n</span><span> </span><span>metallb-system</span><span> </span><span>get</span><span> </span><span>all</span></div></div><div><div><span>kubectl</span><span> </span><span>-n</span><span> </span><span>metallb-system</span><span> </span><span>get</span><span> </span><span>pod</span><span> </span><span>-w</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <p><img src="https://8labs.id/_astro/10-get-all-using-kubectl.DSNW9P47_ZcwdO8.webp" alt="Get All using kubectl" loading="lazy" decoding="async" fetchpriority="auto" width="835" height="318"></p> </li> </ol> <div><h4 id="configuration">Configuration</h4></div> <ol> <li> <p>First, define the address pool on <code dir="auto">ipaddresspool.yaml</code></p> <div><figure><figcaption></figcaption><pre><code><div><div><span>apiVersion</span><span>: </span><span>metallb.io/v1beta1</span></div></div><div><div><span>kind</span><span>: </span><span>IPAddressPool</span></div></div><div><div><span>metadata</span><span>:</span></div></div><div><div><span> </span><span>name</span><span>: </span><span>default-pool</span></div></div><div><div><span> </span><span>namespace</span><span>: </span><span>metallb-system</span></div></div><div><div><span>spec</span><span>:</span></div></div><div><div><span> </span><span>addresses</span><span>:</span></div></div><div><div><span><span> </span></span><span>- </span><span>10.0.2.11-10.0.2.100</span><span> </span><span>#adjust this range</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> </li> <li> <p>Apply the configuration</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>kubectl</span><span> </span><span>apply</span><span> </span><span>-f</span><span> </span><span>ipaddresspool.yaml</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <p><img src="https://8labs.id/_astro/11-apply-ip-address-pool-using-kubectl.ZhIYGbE9_2iFPUX.webp" alt="Apply IP Address Pool using kubectl" loading="lazy" decoding="async" fetchpriority="auto" width="484" height="31"></p> </li> <li> <p>Then, we define the L2 Advertisement config on <code dir="auto">l2advertisement.yaml</code></p> <div><figure><figcaption></figcaption><pre><code><div><div><span>apiVersion</span><span>: </span><span>metallb.io/v1beta1</span></div></div><div><div><span>kind</span><span>: </span><span>L2Advertisement</span></div></div><div><div><span>metadata</span><span>:</span></div></div><div><div><span> </span><span>name</span><span>: </span><span>default</span></div></div><div><div><span> </span><span>namespace</span><span>: </span><span>metallb-system</span></div></div><div><div><span>spec</span><span>:</span></div></div><div><div><span> </span><span>ipAddressPools</span><span>:</span></div></div><div><div><span><span> </span></span><span>- </span><span>default-pool</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> </li> <li> <p>Apply the configuration</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>kubectl</span><span> </span><span>apply</span><span> </span><span>-f</span><span> </span><span>l2advertisement.yaml</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <p><img src="https://8labs.id/_astro/12-apply-l2-advertisement-using-kubectl.CYKNVMRJ_Z1pH0QH.webp" alt="Apply L2 Advertisement using kubectl" loading="lazy" decoding="async" fetchpriority="auto" width="494" height="34"></p> </li> </ol> <div><h4 id="test-the-load-balancer">Test the Load Balancer</h4></div> <ol> <li> <p>Run demo app for the testing, the demo app using nginx image.</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>kubectl</span><span> </span><span>run</span><span> </span><span>app-demo-1</span><span> </span><span>--image=nginx</span><span> </span><span>--port=80</span></div></div><div><div> </div></div><div><div><span>#check the pod status, wait until running</span></div></div><div><div><span>kubectl</span><span> </span><span>get</span><span> </span><span>pod</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> </li> <li> <p>Since by default pod cannot communicate to outside, we need to create the service to expose the pods.</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>kubectl</span><span> </span><span>expose</span><span> </span><span>pod</span><span> </span><span>app-demo-1</span><span> </span><span>--type=LoadBalancer</span><span> </span><span>--target-port=80</span><span> </span><span>--port=80</span><span> </span><span>--name</span><span> </span><span>app-demo-1</span></div></div><div><div> </div></div><div><div><span>#check the pods and services</span></div></div><div><div><span>kubectl</span><span> </span><span>get</span><span> </span><span>all</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <p><img src="https://8labs.id/_astro/13-get-all-using-kubectl.D0BbNjPH_Z4o6Yw.webp" alt="Get All using kubectl" loading="lazy" decoding="async" fetchpriority="auto" width="623" height="96"></p> </li> <li> <p>You can access the app using <code dir="auto">EXTERNAL-IP</code> of <code dir="auto">service/app-demo-1</code> and Nginx landing page will show up.</p> <p><img src="https://8labs.id/_astro/14-access-external-ip.BMZp9C6y_2j1Sxk.webp" alt="Access External IP" loading="lazy" decoding="async" fetchpriority="auto" width="1430" height="546"></p> </li> </ol> <div><h3 id="nginx---ingress-controller-installation-and-configuration">Nginx - Ingress Controller Installation and Configuration</h3></div> <p><img src="https://8labs.id/_astro/15-ingress-diagram.CBhNNV4Z_24yrad.webp" alt="Ingress Diagram" loading="lazy" decoding="async" fetchpriority="auto" width="457" height="460"></p> <div><h4 id="installation-step-by-step-1">Installation Step by Step</h4></div> <ol> <li> <p>Add nginx repository to helm</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>helm</span><span> </span><span>repo</span><span> </span><span>add</span><span> </span><span>nginx-stable</span><span> </span><span>https://helm.nginx.com/stable</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> </li> <li> <p>Check the repo list</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>helm</span><span> </span><span>repo</span><span> </span><span>ls</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> </li> <li> <p>Search the nginx</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>helm</span><span> </span><span>search</span><span> </span><span>repo</span><span> </span><span>nginx</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> </li> <li> <p>Pull the nginx-ingress from the repository, it will download tgz file.</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span># run this in the home dir or other directory</span></div></div><div><div><span>helm</span><span> </span><span>pull</span><span> </span><span>nginx-stable/nginx-ingress</span></div></div><div><div><span># extract the tgz</span></div></div><div><div><span>tar</span><span> </span><span>xvf</span><span> </span><span>nginx-ingress-</span><span>*</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> </li> <li> <p>Change directory to nginx-ingress and edit <code dir="auto">values.yaml</code> file.</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>cd</span><span> </span><span>nginx-ingress</span></div></div><div><div> </div></div><div><div><span># edit values.yaml</span></div></div><div><div><span>vim</span><span> </span><span>values.yaml</span></div></div><div><div> </div></div><div><div><span># locate ingressClass and change the variable below to true</span></div></div><div><div><span>...</span></div></div><div><div><span>ingressClass:</span></div></div><div><div><span>...</span></div></div><div><div><span> </span><span>setAsDefaultIngress:</span><span> </span><span>true</span></div></div><div><div><span>...</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> </li> <li> <p>Install nginx-ingress using helm</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>helm</span><span> </span><span>-n</span><span> </span><span>ingress</span><span> </span><span>install</span><span> </span><span>nginx-ingress</span><span> </span><span>-f</span><span> </span><span>values.yaml</span><span> </span><span>.</span><span> </span><span>--debug</span><span> </span><span>--create-namespace</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> </li> <li> <p>Check the installation</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>kubectl</span><span> </span><span>-n</span><span> </span><span>ingress</span><span> </span><span>get</span><span> </span><span>all</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <p><img src="https://8labs.id/_astro/16-get-all-ingress-using-kubectl.B4S2zBQ5_Sbzp3.webp" alt="Get All Ingress using kubectl" loading="lazy" decoding="async" fetchpriority="auto" width="795" height="180"></p> </li> <li> <p>The <code dir="auto">EXTERNAL-IP</code> is available and reachable, but since no resources use it, it display 404</p> <p><img src="https://8labs.id/_astro/17-access-external-ip-but-not-found.LuWn4OwW_Z1zfYnq.webp" alt="Access External IP but Not Found" loading="lazy" decoding="async" fetchpriority="auto" width="1422" height="342"></p> </li> </ol> <div><h4 id="testing-the-ingress">Testing the Ingress</h4></div> <ol> <li> <p>Add bitname repository to helm</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>helm</span><span> </span><span>repo</span><span> </span><span>add</span><span> </span><span>bitnami</span><span> </span><span>https://charts.bitnami.com/bitnami</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> </li> <li> <p>Check the repo list</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>helm</span><span> </span><span>repo</span><span> </span><span>ls</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> </li> <li> <p>Search the nginx, we will use bitnami/nginx for the webserver nginx</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>helm</span><span> </span><span>search</span><span> </span><span>repo</span><span> </span><span>nginx</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> </li> <li> <p>Pull the nginx from the repository, it will download tgz file.</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span># run this in the home dir or other directory</span></div></div><div><div><span>helm</span><span> </span><span>pull</span><span> </span><span>bitnami/nginx</span></div></div><div><div><span># extract the tgz</span></div></div><div><div><span>tar</span><span> </span><span>xvf</span><span> </span><span>nginx-</span><span>*</span><span> </span><span>#make sure the nginx not nginx-ingress</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> </li> <li> <p>Change directory to metallb and edit <code dir="auto">values.yaml</code> file.</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>cd</span><span> </span><span>nginx</span></div></div><div><div> </div></div><div><div><span># edit</span></div></div><div><div><span>vim</span><span> </span><span>values.yaml</span></div></div><div><div> </div></div><div><div><span>#locate these variables</span></div></div><div><div><span>...</span></div></div><div><div><span>ingress:</span></div></div><div><div><span> </span><span>enabled:</span><span> </span><span>true</span></div></div><div><div><span> </span><span>...</span></div></div><div><div><span> </span><span>hostname:</span><span> </span><span>nginx.demo.local</span><span> </span><span># make sure this FQDN is pointing to the ingress IP</span></div></div><div><div><span> </span><span>...</span></div></div><div><div><span> </span><span>ingressClassName:</span><span> </span><span>"</span><span>nginx</span><span>"</span><span> </span><span># check using `kubectl get ingressclass`</span></div></div><div><div><span>...</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> </li> <li> <p>Install metallb using helm</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>helm</span><span> </span><span>-n</span><span> </span><span>demo</span><span> </span><span>install</span><span> </span><span>demo-app</span><span> </span><span>-f</span><span> </span><span>values.yaml</span><span> </span><span>.</span><span> </span><span>--debug</span><span> </span><span>--create-namespace</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> </li> <li> <p>Check the status, if the status still init, wait until running.</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>kubectl</span><span> </span><span>-n</span><span> </span><span>demo</span><span> </span><span>get</span><span> </span><span>all</span></div></div><div><div><span>kubectl</span><span> </span><span>-n</span><span> </span><span>demo</span><span> </span><span>get</span><span> </span><span>ingress</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <p><img src="https://8labs.id/_astro/18-get-all-and-ingress-using-kubectl.DzT0Oqww_Zs2PTT.webp" alt="Get All and Ingress using kubectl" loading="lazy" decoding="async" fetchpriority="auto" width="728" height="201"></p> </li> <li> <p>If you configure the FQDN in DNS or /etc/hosts correctly to ingress IP address, it will show like this</p> <p><img src="https://8labs.id/_astro/19-access-using-fqdn.Cc6-tXeu_Z1wVo6K.webp" alt="Access using FQDN" loading="lazy" decoding="async" fetchpriority="auto" width="1414" height="530"></p> </li> </ol> <div><h3 id="ceph-csi---storageclass-installation-and-configuration">CEPH CSI - StorageClass Installation and Configuration</h3></div> <p><img src="https://8labs.id/_astro/20-storageclass-diagram.B6qWcADP_aTrhY.webp" alt="StorageClass Diagram" loading="lazy" decoding="async" fetchpriority="auto" width="750" height="561"></p> <p><strong>TODO</strong> - i don’t have CEPH cluster yet 🙈</p>k8sk3skubernetesproxmoxubuntuhttps://8labs.id/blog/personal-asn-ipv6-journey/https://8labs.id/blog/personal-asn-ipv6-journey/Mon, 25 Mar 2024 00:00:00 GMT<p>Last Update: 25 March 2024</p> <div><h2 id="part-1-asn-application--preparation">Part 1: ASN Application &#x26; Preparation</h2></div> <div><h3 id="asn-application-via-lagrange">ASN Application via Lagrange</h3></div> <blockquote> <p>⛔ Disclaimer: Tidak ada sponsor dari Lagrange cuman discount</p> </blockquote> <p><a href="https://lagrange.cloud/next-level-networking">Lagrange Website</a></p> <p><img src="https://8labs.id/_astro/01-lagrange-banner.Dbmf5y60_1jTL1P.webp" alt="Lagrange Banner" loading="lazy" decoding="async" fetchpriority="auto" width="1253" height="982"></p> <p>Pendaftaran ASN melalui Lagrange per tanggal 25 Maret 2024 ada discount 40% off dari £25 ke £15.</p> <ol> <li> <p>Untuk memulai aplikasi ASN, bisa langsung “Try now” dan lakukan Register akun Lagrange.</p> </li> <li> <p>Langsung aja “Create an ASN” di page <a href="https://lagrange.cloud/console/lir">LIR Services - Lagrange</a></p> <p><img src="https://8labs.id/_astro/02-lagrange-lir-service.5jiLI2N0_Z1x2MLJ.webp" alt="Lagrange LIR Service" loading="lazy" decoding="async" fetchpriority="auto" width="1230" height="487"></p> </li> <li> <p>Ikutin proses purchasingnya.</p> </li> <li> <p>Setelah itu akan ada Applicationnya, pilih guided, nanti akan diarahkan untuk proses pembuatan akun dan pembuatan object di RIPE. kalau bingung apa yang di isi bisa juga mengacu ke video dibawah:</p> <ol> <li> <p>Video pembuatan object di RIPE : <a href="https://t.me/IPv6_Indonesia/104851/110743">Rifqi Arief in IPv6 Indonesia Telegram Group</a></p> </li> <li> <p>Pastikan utk mencatat beberapa informasi dibawah saat pembuatan:</p> <ol> <li><code dir="auto">RIPE ADMIN-C</code>: [Singkatan_Nama][Identifier]-RIPE (generate dari RIPE)</li> <li><code dir="auto">RIPE MNT (mnt-by)</code>: bebas tapi unique</li> <li><code dir="auto">Address</code>: alamat personal</li> <li><code dir="auto">abuse-c</code>: ACR[Identifier]-RIPE(generate saat mengisi abuse-c melalui logo lonceng)</li> <li><code dir="auto">mnt-ref</code>: INFERNO-MNT (dari Lagrange) dan mnt-by (punya sendiri)</li> <li><code dir="auto">Organisation</code>: ORG-[Singkatan_Nama][IdentifierOrg]-RIPE (generate dari RIPE)</li> </ol> </li> </ol> </li> <li> <p>Di proses ini akan ada beberapa submission di portal Lagrange yang membutuhkan informasi diatas</p> </li> </ol> <div><h3 id="vps-support-bgp-session">VPS support BGP Session</h3></div> <p><img src="https://8labs.id/_astro/03-lagrange-asn-form.BjoinuiU_ZGPnOE.webp" alt="Lagrange ASN Form" loading="lazy" decoding="async" fetchpriority="auto" width="705" height="481"></p> <p>Jika sudah sampai page ini, proses selanjutnya adalah pembelian VPS yang support BGP session.</p> <blockquote> <p>⛔ Pastikan VPS yang disewa berada pada region EU, seperti Amsterdam, Frankfurt, UK</p> </blockquote> <blockquote> <p>⛔ Disclaimer: Tidak ada sponsor dari iFog (cuman harga cukup terjangkau)</p> </blockquote> <ol> <li> <p>Pilih VPS pada region EU (kasus saya pilih di Amsterdam 1) <a href="https://ifog.ch/en/vps">iFog Website</a></p> <p><img src="https://8labs.id/_astro/04-ifog-vps-price.BAFw2ZWA_rI6Om.webp" alt="iFog VPS Pricelist" loading="lazy" decoding="async" fetchpriority="auto" width="1214" height="537"></p> </li> <li> <p>Ikutin proses purchasingnya (payment via CC atau Paypal)</p> </li> <li> <p>Beberapa catatan saat konfigurasi VPS:</p> <ol> <li>Hostname: FQDN [hostname].[domain].[tld]</li> <li>Password: optional</li> <li>BGP Session: ✅</li> <li>FogIXP Peering port: ✅</li> <li>Additional v6 BGP Transit via ASxxxx: optional</li> </ol> </li> <li> <p>Simpan Invoice untuk nanti di upload ke ticket Lagrange</p> </li> <li> <p>untuk pengisian Lagrange bisa menggunakan panduan berikut:</p> <ol> <li> <p>Partner 1 ASN: ASN punya iFog atau VPS provider lainnya. <a href="https://ifog.ch/en/vps/vps-amsterdam">iFog AMS VPS</a></p> <p><img src="https://8labs.id/_astro/05-ifog-bgp-details.D6PAHt3s_Z21tB9.webp" alt="iFOg BGP Details" loading="lazy" decoding="async" fetchpriority="auto" width="590" height="256"></p> </li> <li> <p>Partner 1 NOC: email dari iFog atau VPS provider lainnya. <a href="https://fognet.ch/contact">iFog NOC Contact</a></p> <p><img src="https://8labs.id/_astro/06-ifog-contact.BHlVJMCN_Z1NQ2fR.webp" alt="iFog Contact" loading="lazy" decoding="async" fetchpriority="auto" width="264" height="288"></p> </li> <li> <p>Partner 2 ASN dan Partner 2 NOC: bisa request sponsor ke grup telegram <a href="https://t.me/IPv6_Indonesia">https://t.me/IPv6_Indonesia</a>. Saya request sponsor ke om @malhuda (Thanks om bantuannya)</p> </li> <li> <p>Setelah submit, upload invoice dari iFog atau VPS provider lainnya di halaman ticket</p> </li> <li> <p>Jika terima email seperti ini dari VPS provider bisa balas “My ASN is still in the process of application, I will contact you after it finished.”</p> <p><img src="https://8labs.id/_astro/07-ifog-email.CN1dqgG7_Z27f0y0.webp" alt="iFog Email" loading="lazy" decoding="async" fetchpriority="auto" width="685" height="557"></p> </li> <li> <p>Tunggu deh sampe di ASN diterbitkan.</p> </li> </ol> </li> </ol> <div><h3 id="issuing-process">Issuing Process</h3></div> <p><img src="https://8labs.id/_astro/08-lagrange-process.D7IOPbEQ_Z2mdDX7.webp" alt="Lagrange Process" loading="lazy" decoding="async" fetchpriority="auto" width="2384" height="116"></p> <p>Setelah ini akan ada beberapa proses approval yang dibutuhkan dari Lagrange:</p> <ol> <li>Document Agreement: Tanda tangan menggunakan DocuSign. Pastikan masukkan kode akses yang sesuai, ada pada tiket. <code dir="auto">Position</code> pada kolom tanda tangan bisa di isi <code dir="auto">Individual</code>.</li> <li>Upload ID: KTP/SIM/Paspor</li> </ol> <hr> <div><h4 id="-catatan-pendahulu">👨‍🦳 Catatan Pendahulu</h4></div> <blockquote> <ul> <li>Tapi kalau mau lepas VPS EU, wajib cari upstream ke EU, Ke netassist atau udn aja atau bgptunnel</li> <li><a href="https://my.bgptunnel.com/">my.bgptunnel.com</a> pake ini om buat presence di EU kalo nanti lepas VPS EU</li> </ul> </blockquote> <div><h3 id="peering-application">Peering Application</h3></div> <p>Setelah ASN terbit, akan ada permintaan utk pengisian Application From dari FogIXP (jika VPS di iFog):</p> <p><em>FogIXP Application Form:</em></p> <ul> <li><code dir="auto">Company/Organization</code>: Full Name</li> <li><code dir="auto">Main person of contact (first+surname)</code>: Full Name</li> <li><code dir="auto">Personal email address of contact</code>: Email sendiri</li> <li><code dir="auto">ASN</code>: ASxxxxxx</li> <li><code dir="auto">AS-SET</code>: ASxxxxxx:AS-SET (buat object baru di RIPE-DB dan add ASN milik sendiri sebagai member, + button)</li> <li><code dir="auto">IPv4 Max-Prefix Limit</code>: 0 atau sesuai yg ingin di announce</li> <li><code dir="auto">IPv6 Max-Prefix Limit</code>: 2 atau sesuai yg ingin di announce</li> <li><code dir="auto">Email Peering contact</code>: Email sendiri</li> <li><code dir="auto">Email NOC contact</code>: Email sendiri</li> <li><code dir="auto">24/7 NOC phone</code>: No Telp Sendiri</li> <li><code dir="auto">A list of prefixes you plan to announce</code>: Prefix yang didapat dari Lagrange atau sponsor</li> </ul> <div><h4 id="-catatan-pendahulu-1">👨‍🦳 Catatan Pendahulu</h4></div> <blockquote> <ul> <li>AS-SET full itu ada ASNnya didepan <ul> <li>Sudah gak bisa pakai AS-SET pendek</li> <li>Karena yah ada drama sblmnya hahhaa</li> <li>Tapi kalo penasaran, coba aja</li> </ul> </li> <li>AS-UPSTREAMS itu untuk upstream ya <ul> <li>JANGAN DIMASUKKAN KE AS-SET UTAMA</li> <li>Pisah ya om</li> </ul> </li> <li>AS-SET khusus ASN sendiri dan downstream dan AS-SET khusus upstream</li> <li>…Untuk ASXXXXXX:AS-UPSTREAMS itu ditaruh di whois ASN aja, buat import export… <ul> <li>Jangan dimasukkan / dikirimkan ke peeringdb maupun upstream, langsung digaplok, 100%</li> <li>Yang dikirim ke peeringdb maupun upstream, yang ASXXXXXX:AS-SET</li> <li>Nah, pengisiannya juga membernya hanya ASN itu, dan downstream</li> <li>Selain itu jangan coba coba masukkin, nnti bisa bisa ditabok lagi</li> </ul> </li> </ul> </blockquote> <div><h3 id="peeringdb">PeeringDB</h3></div> <ol> <li>Lakukan registrasi di <a href="https://www.peeringdb.com/register">PeeringDB</a>.</li> <li>Masukkan email yang terdaftar di RIPE.</li> <li>Masukkan ASN dan Organization (Nama Lengkap) pada bagian Affiliate with Organization.</li> </ol> <p>Setelah Affiliate sudah di approve, dapat melengkapi informasi di organization (full name, di menu dekat profile ) dan networks (ASN, ada di dalam organization)</p> <div><h3 id="configure-route6-in-ripe-db">Configure route6 in RIPE DB</h3></div> <p>Setelah mendapatkan alokasi IP, buat object baru di RIPE DB dengan type route6</p> <p><code dir="auto">mnt-by</code>: mnt_sendiri dan yang memberi alokasi</p> <p><code dir="auto">route6</code>: prefix IPv6 (xxxx:xxx::/48)</p> <p><code dir="auto">origin</code>: AS_number</p> <p>Jika saat membuat route6 gagal (kasus saya alokasi dari Lagrange dengan mnt INFERNO-MNT), dapat membuat tiket di portal Lagrange dengan menyertakan prefix dan mnt_sendiri.</p> <div><h3 id="request-rpki-pada-block-ip">Request RPKI pada block IP</h3></div> <p>Setelah mendapatkan block IP bisa request ke penyedia prefix untuk setup RPKI melalui open ticket.</p> <div><h3 id="install-vps">Install VPS</h3></div> <p>Jika berlangganan di iFog, dapat melakukan instalasi VM secara manual setelah mendapatkan akses. rekomendasi OS adalah debian 12 dan disetup secara minimal (tanpa gui).</p> <p>Untuk mempermudah dapat menambahkan konfigurasi dibawah pada file <code dir="auto">~/.ssh/config</code>.</p> <div><figure><figcaption></figcaption><pre><code><div><div><span>Host bgp-server</span></div></div><div><div><span> </span><span>HostName external_ip</span></div></div><div><div><span> </span><span>User username</span></div></div><div><div><span> </span><span>IdentityFile /path/to/private/key</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <p>dan dapat melakukan ssh dengan command dibawah:</p> <div><figure><figcaption></figcaption><pre><code><div><div><span>ssh bgp-server</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <div><h2 id="part-2-config-bgp">Part 2: Config BGP</h2></div> <div><h3 id="preparation">Preparation</h3></div> <ol> <li> <p>Edit network interfaces &#x26; sesuaikan masing masing parameter <code dir="auto">&#x3C; ></code> (nama interface mungkin berbeda)</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>vim</span><span> </span><span>/etc/network/interfaces</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span># This file describes the network interfaces available on your system</span></div></div><div><div><span># and how to activate them. For more information, see interfaces(5).</span></div></div><div><div> </div></div><div><div><span>source</span><span> </span><span>/etc/network/interfaces.d/</span><span>*</span></div></div><div><div> </div></div><div><div><span># The loopback network interface</span></div></div><div><div><span>auto</span><span> </span><span>lo</span></div></div><div><div><span>iface</span><span> </span><span>lo</span><span> </span><span>inet</span><span> </span><span>loopback</span></div></div><div><div> </div></div><div><div><span># The primary network interface</span></div></div><div><div><span>allow-hotplug</span><span> </span><span>ens18</span></div></div><div><div><span>iface</span><span> </span><span>ens18</span><span> </span><span>inet</span><span> </span><span>static</span></div></div><div><div><span> </span><span>address</span><span> </span><span>&#x3C;IPv4_Public>/&#x3C;Subnet_mask></span></div></div><div><div><span> </span><span>gateway</span><span> </span><span>&#x3C;IPv4_Gateway></span></div></div><div><div><span> </span><span># dns-* options are implemented by the resolvconf package, if installed</span></div></div><div><div><span> </span><span>dns-nameservers</span><span> </span><span>9.9.9.9</span></div></div><div><div><span> </span><span>dns-search</span><span> </span><span>&#x3C;domain></span></div></div><div><div><span> </span><span># disable multicast</span></div></div><div><div><span> </span><span>up</span><span> </span><span>ip</span><span> </span><span>link</span><span> </span><span>set</span><span> </span><span>dev</span><span> </span><span>$IFACE</span><span> </span><span>mtu</span><span> </span><span>1500</span></div></div><div><div><span> </span><span>up</span><span> </span><span>ip</span><span> </span><span>link</span><span> </span><span>set</span><span> </span><span>multicast</span><span> </span><span>off</span><span> </span><span>dev</span><span> </span><span>$IFACE</span></div></div><div><div> </div></div><div><div><span>iface</span><span> </span><span>ens18</span><span> </span><span>inet6</span><span> </span><span>static</span></div></div><div><div><span> </span><span>address</span><span> </span><span>&#x3C;IPv6</span><span> </span><span>Public></span></div></div><div><div><span> </span><span>netmask</span><span> </span><span>&#x3C;Subnet_mask></span></div></div><div><div><span> </span><span>gateway</span><span> </span><span>&#x3C;IPv6_Gateway></span></div></div><div><div><span> </span><span># dns-* options are implemented by the resolvconf package, if installed</span></div></div><div><div><span> </span><span>dns-nameservers</span><span> </span><span>2620:fe::fe</span></div></div><div><div><span> </span><span>dns-search</span><span> </span><span>&#x3C;domain></span></div></div><div><div><span> </span><span># disable multicast</span></div></div><div><div><span> </span><span>up</span><span> </span><span>ip</span><span> </span><span>link</span><span> </span><span>set</span><span> </span><span>dev</span><span> </span><span>$IFACE</span><span> </span><span>mtu</span><span> </span><span>1500</span></div></div><div><div><span> </span><span>up</span><span> </span><span>ip</span><span> </span><span>link</span><span> </span><span>set</span><span> </span><span>multicast</span><span> </span><span>off</span><span> </span><span>dev</span><span> </span><span>$IFACE</span></div></div><div><div> </div></div><div><div><span># The secondary network interface to FogIXP</span></div></div><div><div><span>iface</span><span> </span><span>ens19</span><span> </span><span>inet6</span><span> </span><span>static</span></div></div><div><div><span> </span><span>address</span><span> </span><span>&#x3C;IPv6</span><span> </span><span>Public></span></div></div><div><div><span> </span><span>netmask</span><span> </span><span>&#x3C;Subnet_mask></span></div></div><div><div><span> </span><span>gateway</span><span> </span><span>&#x3C;IPv6_Gateway></span></div></div><div><div><span> </span><span># dns-* options are implemented by the resolvconf package, if installed</span></div></div><div><div><span> </span><span>dns-nameservers</span><span> </span><span>2620:fe::fe</span></div></div><div><div><span> </span><span>dns-search</span><span> </span><span>&#x3C;domain></span></div></div><div><div><span> </span><span># disable multicast</span></div></div><div><div><span> </span><span>up</span><span> </span><span>ip</span><span> </span><span>link</span><span> </span><span>set</span><span> </span><span>dev</span><span> </span><span>$IFACE</span><span> </span><span>mtu</span><span> </span><span>1500</span></div></div><div><div><span> </span><span>up</span><span> </span><span>ip</span><span> </span><span>link</span><span> </span><span>set</span><span> </span><span>multicast</span><span> </span><span>off</span><span> </span><span>dev</span><span> </span><span>$IFACE</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>systemctl</span><span> </span><span>restart</span><span> </span><span>networking</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> </li> <li> <p>Edit sysctl.conf (backup default jika diperlukan)</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span># cp /etc/sysctl.conf{,.default}</span></div></div><div><div><span>vim</span><span> </span><span>/etc/sysctl.conf</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>fs.file-max</span><span> </span><span>=</span><span> </span><span>16777216</span></div></div><div><div><span>fs.nr_open</span><span> </span><span>=</span><span> </span><span>1073741824</span></div></div><div><div><span>kernel.hung_task_timeout_secs</span><span> </span><span>=</span><span> </span><span>0</span></div></div><div><div><span>kernel.msgmax</span><span> </span><span>=</span><span> </span><span>65536</span></div></div><div><div><span>kernel.msgmnb</span><span> </span><span>=</span><span> </span><span>65536</span></div></div><div><div><span>net.core.default_qdisc</span><span> </span><span>=</span><span> </span><span>cake</span></div></div><div><div><span>net.core.netdev_max_backlog</span><span> </span><span>=</span><span> </span><span>30000</span></div></div><div><div><span>net.core.rmem_default</span><span> </span><span>=</span><span> </span><span>67108864</span></div></div><div><div><span>net.core.rmem_max</span><span> </span><span>=</span><span> </span><span>67108864</span></div></div><div><div><span>net.core.somaxconn</span><span> </span><span>=</span><span> </span><span>65536</span></div></div><div><div><span>net.core.wmem_max</span><span> </span><span>=</span><span> </span><span>67108864</span></div></div><div><div><span>net.ipv4.conf.all.accept_redirects</span><span> </span><span>=</span><span> </span><span>0</span></div></div><div><div><span>net.ipv4.conf.all.accept_source_route</span><span> </span><span>=</span><span> </span><span>0</span></div></div><div><div><span>net.ipv4.conf.all.arp_announce</span><span> </span><span>=</span><span> </span><span>1</span></div></div><div><div><span>net.ipv4.conf.all.arp_filter</span><span> </span><span>=</span><span> </span><span>1</span></div></div><div><div><span>net.ipv4.conf.all.arp_ignore</span><span> </span><span>=</span><span> </span><span>2</span></div></div><div><div><span>net.ipv4.conf.all.forwarding</span><span> </span><span>=</span><span> </span><span>1</span></div></div><div><div><span>net.ipv4.conf.all.ignore_routes_with_linkdown</span><span> </span><span>=</span><span> </span><span>1</span></div></div><div><div><span>net.ipv4.conf.all.rp_filter</span><span> </span><span>=</span><span> </span><span>0</span></div></div><div><div><span>net.ipv4.conf.all.secure_redirects</span><span> </span><span>=</span><span> </span><span>0</span></div></div><div><div><span>net.ipv4.conf.all.send_redirects</span><span> </span><span>=</span><span> </span><span>0</span></div></div><div><div><span>net.ipv4.fib_multipath_use_neigh</span><span> </span><span>=</span><span> </span><span>1</span></div></div><div><div><span>net.ipv4.icmp_echo_ignore_broadcasts</span><span> </span><span>=</span><span> </span><span>1</span></div></div><div><div><span>net.ipv4.icmp_errors_use_inbound_ifaddr</span><span> </span><span>=</span><span> </span><span>1</span></div></div><div><div><span>net.ipv4.icmp_ignore_bogus_error_responses</span><span> </span><span>=</span><span> </span><span>1</span></div></div><div><div><span>net.ipv4.icmp_msgs_per_sec</span><span> </span><span>=</span><span> </span><span>2500</span></div></div><div><div><span>net.ipv4.icmp_ratelimit</span><span> </span><span>=</span><span> </span><span>0</span></div></div><div><div><span>net.ipv4.igmp_max_memberships</span><span> </span><span>=</span><span> </span><span>100</span></div></div><div><div><span>net.ipv4.ip_forward</span><span> </span><span>=</span><span> </span><span>1</span></div></div><div><div><span>net.ipv4.ip_local_port_range</span><span> </span><span>=</span><span> </span><span>1024</span><span> </span><span>65535</span></div></div><div><div><span>net.ipv4.neigh.default.base_reachable_time_ms</span><span> </span><span>=</span><span> </span><span>14400000</span></div></div><div><div><span>net.ipv4.neigh.default.gc_thresh1</span><span> </span><span>=</span><span> </span><span>1024</span></div></div><div><div><span>net.ipv4.neigh.default.gc_thresh2</span><span> </span><span>=</span><span> </span><span>2048</span></div></div><div><div><span>net.ipv4.neigh.default.gc_thresh2</span><span> </span><span>=</span><span> </span><span>8192</span></div></div><div><div><span>net.ipv4.neigh.default.gc_thresh3</span><span> </span><span>=</span><span> </span><span>4096</span></div></div><div><div><span>net.ipv4.neigh.default.gc_thresh3</span><span> </span><span>=</span><span> </span><span>16384</span></div></div><div><div><span>net.ipv4.route.max_size</span><span> </span><span>=</span><span> </span><span>1073741824</span></div></div><div><div><span>net.ipv4.tcp_congestion_control</span><span> </span><span>=</span><span> </span><span>bbr</span></div></div><div><div><span>net.ipv4.tcp_dsack</span><span> </span><span>=</span><span> </span><span>1</span></div></div><div><div><span>net.ipv4.tcp_fin_timeout</span><span> </span><span>=</span><span> </span><span>30</span></div></div><div><div><span>net.ipv4.tcp_keepalive_time</span><span> </span><span>=</span><span> </span><span>120</span></div></div><div><div><span>net.ipv4.tcp_l3mdev_accept</span><span> </span><span>=</span><span> </span><span>1</span></div></div><div><div><span>net.ipv4.tcp_max_syn_backlog</span><span> </span><span>=</span><span> </span><span>8192</span></div></div><div><div><span>net.ipv4.tcp_mem</span><span> </span><span>=</span><span> </span><span>4194304</span><span> </span><span>16777216</span><span> </span><span>67108864</span></div></div><div><div><span>net.ipv4.tcp_no_metrics_save</span><span> </span><span>=</span><span> </span><span>1</span></div></div><div><div><span>net.ipv4.tcp_rmem</span><span> </span><span>=</span><span> </span><span>4194304</span><span> </span><span>16777216</span><span> </span><span>67108864</span></div></div><div><div><span>net.ipv4.tcp_sack</span><span> </span><span>=</span><span> </span><span>1</span></div></div><div><div><span>net.ipv4.tcp_syn_retries</span><span> </span><span>=</span><span> </span><span>3</span></div></div><div><div><span>net.ipv4.tcp_synack_retries</span><span> </span><span>=</span><span> </span><span>3</span></div></div><div><div><span>net.ipv4.tcp_syncookies</span><span> </span><span>=</span><span> </span><span>1</span></div></div><div><div><span>net.ipv4.tcp_timestamps</span><span> </span><span>=</span><span> </span><span>1</span></div></div><div><div><span>net.ipv4.tcp_window_scaling</span><span> </span><span>=</span><span> </span><span>1</span></div></div><div><div><span>net.ipv4.tcp_wmem</span><span> </span><span>=</span><span> </span><span>4194304</span><span> </span><span>16777216</span><span> </span><span>67108864</span></div></div><div><div><span>net.ipv6.conf.all.accept_ra_defrtr</span><span> </span><span>=</span><span> </span><span>0</span></div></div><div><div><span>net.ipv6.conf.all.accept_ra_pinfo</span><span> </span><span>=</span><span> </span><span>0</span></div></div><div><div><span>net.ipv6.conf.all.accept_ra_rtr_pref</span><span> </span><span>=</span><span> </span><span>0</span></div></div><div><div><span>net.ipv6.conf.all.accept_redirects</span><span> </span><span>=</span><span> </span><span>0</span></div></div><div><div><span>net.ipv6.conf.all.accept_source_route</span><span> </span><span>=</span><span> </span><span>0</span></div></div><div><div><span>net.ipv6.conf.all.autoconf</span><span> </span><span>=</span><span> </span><span>0</span></div></div><div><div><span>net.ipv6.conf.all.dad_transmits</span><span> </span><span>=</span><span> </span><span>0</span></div></div><div><div><span>net.ipv6.conf.all.forwarding</span><span> </span><span>=</span><span> </span><span>1</span></div></div><div><div><span>net.ipv6.conf.all.ignore_routes_with_linkdown</span><span> </span><span>=</span><span> </span><span>1</span></div></div><div><div><span>net.ipv6.conf.all.router_solicitations</span><span> </span><span>=</span><span> </span><span>-1</span></div></div><div><div><span>net.ipv6.icmp.ratelimit</span><span> </span><span>=</span><span> </span><span>0</span></div></div><div><div><span>#net.ipv6.conf.all.send_redirects = 0</span></div></div><div><div><span>net.ipv6.neigh.default.base_reachable_time_ms</span><span> </span><span>=</span><span> </span><span>14400000</span></div></div><div><div><span>net.ipv6.neigh.default.gc_thresh1</span><span> </span><span>=</span><span> </span><span>1024</span></div></div><div><div><span>net.ipv6.neigh.default.gc_thresh2</span><span> </span><span>=</span><span> </span><span>2048</span></div></div><div><div><span>net.ipv6.neigh.default.gc_thresh2</span><span> </span><span>=</span><span> </span><span>8192</span></div></div><div><div><span>net.ipv6.neigh.default.gc_thresh3</span><span> </span><span>=</span><span> </span><span>4096</span></div></div><div><div><span>net.ipv6.neigh.default.gc_thresh3</span><span> </span><span>=</span><span> </span><span>16384</span></div></div><div><div><span>net.ipv6.route.max_size</span><span> </span><span>=</span><span> </span><span>32768000</span></div></div><div><div><span>vm.max_map_count</span><span> </span><span>=</span><span> </span><span>1048575</span></div></div><div><div><span>vm.swappiness</span><span> </span><span>=</span><span> </span><span>100</span></div></div><div><div> </div></div><div><div><span>net.ipv6.conf.all.accept_ra</span><span> </span><span>=</span><span> </span><span>0</span></div></div><div><div><span>#net.ipv6.conf.all.proxy_ndp = 1</span></div></div><div><div> </div></div><div><div><span>#net.netfilter.nf_conntrack_acct = 1</span></div></div><div><div><span>#net.netfilter.nf_conntrack_checksum = 0</span></div></div><div><div><span>#net.netfilter.nf_conntrack_max = 65535</span></div></div><div><div><span>#net.netfilter.nf_conntrack_tcp_timeout_established = 7440</span></div></div><div><div><span>#net.netfilter.nf_conntrack_udp_timeout = 60</span></div></div><div><div><span>#net.netfilter.nf_conntrack_udp_timeout_stream = 180</span></div></div><div><div><span>#net.netfilter.nf_conntrack_helper = 1</span></div></div><div><div> </div></div><div><div><span># net.ipv6.conf.all.disable_ipv6 = 1</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <p>Config sesuai interface IXP yang dimiliki</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>### Disable multicast FogIXP Interface ###</span></div></div><div><div><span>net.ipv4.conf.&#x3C;interface_name>.arp_announce</span><span> </span><span>=</span><span> </span><span>1</span></div></div><div><div><span>net.ipv4.conf.&#x3C;interface_name>.arp_filter</span><span> </span><span>=</span><span> </span><span>1</span></div></div><div><div><span>net.ipv4.conf.&#x3C;interface_name>.arp_ignore</span><span>=2</span></div></div><div><div><span>net.ipv4.conf.&#x3C;interface_name>.arp_notify</span><span>=1</span></div></div><div><div><span>net.ipv4.conf.&#x3C;interface_name>.proxy_arp</span><span> </span><span>=</span><span> </span><span>0</span></div></div><div><div><span>net.ipv4.conf.&#x3C;interface_name>.rp_filter</span><span>=0</span></div></div><div><div><span>net.ipv4.neigh.default.gc_interval</span><span> </span><span>=</span><span> </span><span>30</span></div></div><div><div><span>net.ipv4.neigh.&#x3C;interface_name>.base_reachable_time_ms</span><span> </span><span>=</span><span> </span><span>14400000</span></div></div><div><div><span>net.ipv4.neigh.&#x3C;interface_name>.gc_stale_time</span><span> </span><span>=</span><span> </span><span>60</span></div></div><div><div><span>net.ipv6.conf.&#x3C;interface_name>.accept_ra</span><span> </span><span>=</span><span> </span><span>0</span></div></div><div><div><span>net.ipv6.conf.&#x3C;interface_name>.autoconf</span><span> </span><span>=</span><span> </span><span>0</span></div></div><div><div><span>net.ipv6.conf.&#x3C;interface_name>.router_solicitations</span><span> </span><span>=</span><span> </span><span>-1</span></div></div><div><div><span>net.ipv6.neigh.default.gc_interval</span><span> </span><span>=</span><span> </span><span>30</span></div></div><div><div><span>net.ipv6.neigh.&#x3C;interface_name>.base_reachable_time_ms</span><span> </span><span>=</span><span> </span><span>14400000</span></div></div><div><div><span>net.ipv6.neigh.&#x3C;interface_name>.gc_stale_time</span><span> </span><span>=</span><span> </span><span>60</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>sysctl</span><span> </span><span>-p</span></div></div><div><div><span># or</span></div></div><div><div><span>reboot</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> </li> <li> <p>Pre Setup (optional)</p> <p><a href="https://github.com/Xeoncross/lowendscript">Github: Xeoncross/lowendscript</a>, scope:</p> <ul> <li>update_timezone</li> <li>remove_unneeded</li> <li>update_upgrade</li> <li>install_dash</li> <li>install_vim</li> <li>install_nano</li> <li>install_htop</li> <li>install_mc</li> <li>install_iotop</li> <li>install_iftop</li> <li>install_syslogd</li> <li>install_curl</li> <li>apt_clean</li> </ul> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>wget</span><span> </span><span>--no-check-certificate</span><span> </span><span>https://raw.github.com/Xeoncross/lowendscript/master/setup-debian.sh</span></div></div><div><div><span>chmod</span><span> </span><span>a+rx</span><span> </span><span>setup-debian.sh</span></div></div><div><div><span>./setup-debian.sh</span><span> </span><span>system</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> </li> <li> <p>Timezone and NTP</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>apt</span><span> </span><span>install</span><span> </span><span>ntp</span><span> </span><span>-y</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <p>Edit NTP configuration</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>vim</span><span> </span><span>/etc/ntp.conf</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>server</span><span> </span><span>0.debian.pool.ntp.org</span><span> </span><span>iburst</span></div></div><div><div><span>server</span><span> </span><span>1.debian.pool.ntp.org</span><span> </span><span>iburst</span></div></div><div><div><span>server</span><span> </span><span>2.debian.pool.ntp.org</span><span> </span><span>iburst</span></div></div><div><div><span>server</span><span> </span><span>3.debian.pool.ntp.org</span><span> </span><span>iburst</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>sudo</span><span> </span><span>systemctl</span><span> </span><span>restart</span><span> </span><span>ntp</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <p>Set Timezone and see status</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>timedatectl</span><span> </span><span>set-timezone</span><span> </span><span>Asia/Jakarta</span></div></div><div><div><span>timedatectl</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <p><img src="https://8labs.id/_astro/09-timedatectl-status.BygoDVb0_TPFW4.webp" alt="timedatectl status" loading="lazy" decoding="async" fetchpriority="auto" width="798" height="214"></p> </li> </ol> <div><h3 id="konfigurasi-pathvector">Konfigurasi Pathvector</h3></div> <ol> <li> <p>Install Pathvector dan Bird2</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>curl</span><span> </span><span>https://repo.pathvector.io/pgp.asc</span><span> </span><span>></span><span> </span><span>/usr/share/keyrings/pathvector.asc</span></div></div><div><div><span>echo</span><span> </span><span>"</span><span>deb [signed-by=/usr/share/keyrings/pathvector.asc] https://repo.pathvector.io/apt/ stable main</span><span>"</span><span> </span><span>></span><span> </span><span>/etc/apt/sources.list.d/pathvector.list</span></div></div><div><div><span>apt</span><span> </span><span>update</span><span> &#x26;&#x26; </span><span>apt</span><span> </span><span>install</span><span> </span><span>-y</span><span> </span><span>pathvector</span><span> </span><span>bird2</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> </li> <li> <p>Konfigurasi /etc/pathvector.yml</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>vim</span><span> </span><span>/etc/pathvector.yml</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <p>first block</p> <div><figure><figcaption></figcaption><pre><code><div><div><span>asn</span><span>: </span><span>&#x3C;your_asn></span></div></div><div><div><span>bgpq-args</span><span>: </span><span>"</span><span>-S AFRINIC,APNIC,ARIN,LACNIC,RIPE</span><span>"</span></div></div><div><div><span>default-route</span><span>: </span><span>false</span></div></div><div><div><span>irr-query-timeout</span><span>: </span><span>30</span></div></div><div><div><span>irr-server</span><span>: </span><span>"</span><span>rr.ntt.net</span><span>"</span></div></div><div><div><span>merge-paths</span><span>: </span><span>true</span></div></div><div><div><span>peeringdb-api-key</span><span>: </span><span>"</span><span>&#x3C;peeringdb_api_key></span><span>"</span></div></div><div><div><span>peeringdb-query-timeout</span><span>: </span><span>30</span></div></div><div><div><span>prefixes</span><span>:</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>&#x3C;prefix_plan_to_be_announce></span><span>"</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>&#x3C;prefix_plan_to_be_announce></span><span>"</span></div></div><div><div><span>router-id</span><span>: </span><span>"</span><span>&#x3C;an_ipv4_address></span><span>"</span></div></div><div><div><span>rtr-server</span><span>: </span><span>"</span><span>172.65.0.2:8282</span><span>"</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <p>Catatan</p> <ul> <li>Ubahlah your_asn menjadi ASN anda.</li> <li>Lalu, IRR hanya valid untuk AFRINIC, APNIC, ARIN, LACNIC, RIPE</li> <li>Tidak menerima rute <em>default</em></li> <li>IRR server menggunakan NTT</li> <li>Ubah peeringdb_api_key dengan kunci milik anda sendiri. Hak akses pada PeeringDB <strong>gunakan hanya baca</strong></li> <li>Ubahlah prefix_plan_to_be_announce dengan prefix yang akan di gunakan.</li> <li>Ubahlah router-id dengan IPv4 VPS anda (atau gunakan IP lokal jika memang tidak ada IP publiknya (karena hanya sebagai pengenal saja)).</li> <li>rtr-server menggunakan Cloudflare</li> </ul> <p>Aktivasi kernel karena akan menggunakan full table</p> <div><figure><figcaption></figcaption><pre><code><div><div><span>kernel</span><span>:</span></div></div><div><div><span> </span><span>learn</span><span>: </span><span>true</span></div></div><div><div> </div></div><div><div><span># BGP Large Communities</span></div></div><div><div><span># &#x3C;your_asn>:1:1 - Learned from upstream</span></div></div><div><div><span># &#x3C;your_asn>:1:2 - Learned from route server</span></div></div><div><div><span># &#x3C;your_asn>:1:3 - Learned from peer</span></div></div><div><div><span># &#x3C;your_asn>:1:4 - Learned from downstream</span></div></div><div><div><span># &#x3C;your_asn>:1:5 - Learned from iBGP</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <p>Template (ganti your_asn dengan ASN yang dimiliki gunakan sesuai kebutuhan)</p> <div><figure><figcaption></figcaption><pre><code><div><div><span>templates</span><span>:</span></div></div><div><div><span> </span><span>upstream</span><span>:</span></div></div><div><div><span> </span><span>add-on-import</span><span>:</span></div></div><div><div><span><span> </span></span><span>- </span><span>&#x3C;your_asn>:1:1</span></div></div><div><div><span> </span><span>allow-local-as</span><span>: </span><span>true</span></div></div><div><div><span> </span><span>announce</span><span>:</span></div></div><div><div><span><span> </span></span><span>- </span><span>&#x3C;your_asn>:1:4</span></div></div><div><div><span> </span><span>local-pref</span><span>: </span><span>100</span></div></div><div><div><span> </span><span>remove-all-communities</span><span>: </span><span>&#x3C;your_asn></span></div></div><div><div> </div></div><div><div><span> </span><span>routeserver</span><span>:</span></div></div><div><div><span> </span><span>add-on-import</span><span>:</span></div></div><div><div><span><span> </span></span><span>- </span><span>&#x3C;your_asn>:1:2</span></div></div><div><div><span> </span><span>announce</span><span>:</span></div></div><div><div><span><span> </span></span><span>- </span><span>&#x3C;your_asn>:1:4</span></div></div><div><div><span> </span><span>auto-import-limits</span><span>: </span><span>true</span></div></div><div><div><span> </span><span>enforce-first-as</span><span>: </span><span>false</span></div></div><div><div><span> </span><span>enforce-peer-nexthop</span><span>: </span><span>false</span></div></div><div><div><span> </span><span>filter-transit-asns</span><span>: </span><span>true</span></div></div><div><div><span> </span><span>local-pref</span><span>: </span><span>200</span></div></div><div><div><span> </span><span>remove-all-communities</span><span>: </span><span>&#x3C;your_asn></span></div></div><div><div> </div></div><div><div><span> </span><span>peer</span><span>:</span></div></div><div><div><span> </span><span>add-on-import</span><span>:</span></div></div><div><div><span><span> </span></span><span>- </span><span>&#x3C;your_asn>:1:3</span></div></div><div><div><span> </span><span>announce</span><span>:</span></div></div><div><div><span><span> </span></span><span>- </span><span>&#x3C;your_asn>:1:4</span></div></div><div><div><span> </span><span>auto-as-set</span><span>: </span><span>true</span></div></div><div><div><span> </span><span>auto-import-limits</span><span>: </span><span>true</span></div></div><div><div><span> </span><span>filter-irr</span><span>: </span><span>true</span></div></div><div><div><span> </span><span>filter-transit-asns</span><span>: </span><span>true</span></div></div><div><div><span> </span><span>irr-accept-child-prefixes</span><span>: </span><span>true</span></div></div><div><div><span> </span><span>local-pref</span><span>: </span><span>300</span></div></div><div><div><span> </span><span>remove-all-communities</span><span>: </span><span>&#x3C;your_asn></span></div></div><div><div> </div></div><div><div><span> </span><span>downstream</span><span>:</span></div></div><div><div><span> </span><span>add-on-import</span><span>:</span></div></div><div><div><span><span> </span></span><span>- </span><span>&#x3C;your_asn>:1:4</span></div></div><div><div><span> </span><span>allow-blackhole-community</span><span>: </span><span>true</span></div></div><div><div><span> </span><span>announce</span><span>:</span></div></div><div><div><span><span> </span></span><span>- </span><span>&#x3C;your_asn>:1:1</span></div></div><div><div><span><span> </span></span><span>- </span><span>&#x3C;your_asn>:1:2</span></div></div><div><div><span><span> </span></span><span>- </span><span>&#x3C;your_asn>:1:3</span></div></div><div><div><span> </span><span>auto-as-set</span><span>: </span><span>true</span></div></div><div><div><span> </span><span>auto-import-limits</span><span>: </span><span>true</span></div></div><div><div><span> </span><span>filter-irr</span><span>: </span><span>true</span></div></div><div><div><span> </span><span>filter-transit-asns</span><span>: </span><span>true</span></div></div><div><div><span> </span><span>irr-accept-child-prefixes</span><span>: </span><span>true</span></div></div><div><div><span> </span><span>local-pref</span><span>: </span><span>400</span></div></div><div><div><span> </span><span>remove-all-communities</span><span>: </span><span>&#x3C;your_asn></span></div></div><div><div> </div></div><div><div><span> </span><span>ibgp</span><span>:</span></div></div><div><div><span> </span><span>allow-local-as</span><span>: </span><span>true</span></div></div><div><div><span> </span><span>asn</span><span>: </span><span>&#x3C;your_asn></span></div></div><div><div><span> </span><span>direct</span><span>: </span><span>true</span></div></div><div><div><span> </span><span>enforce-first-as</span><span>: </span><span>false</span></div></div><div><div><span> </span><span>enforce-peer-nexthop</span><span>: </span><span>false</span></div></div><div><div><span> </span><span>filter-irr</span><span>: </span><span>false</span></div></div><div><div><span> </span><span>filter-rpki</span><span>: </span><span>false</span></div></div><div><div><span> </span><span>next-hop-self</span><span>: </span><span>true</span></div></div><div><div><span> </span><span>remove-all-communities</span><span>: </span><span>&#x3C;your_asn></span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <p>Catatan:</p> <ul> <li>Template <code dir="auto">upstream</code> hanya digunakan untuk transit AS</li> <li>Template <code dir="auto">routeserver</code> hanya digunakan untuk peering ke routeserver</li> <li>Template <code dir="auto">peer</code> hanya digunakan untuk melakukan bilateral peering</li> <li>Template <code dir="auto">downstream</code> hanya boleh dipakai untuk melakukan downstream AS pihak lain</li> <li>Template <code dir="auto">ibgp</code> hanya digunakan untuk AS yang sama</li> </ul> <p>Template peers (gunakan sesuai kebutuhan)</p> <div><figure><figcaption></figcaption><pre><code><div><div><span>peers</span><span>:</span></div></div><div><div><span>############</span></div></div><div><div><span># UPSTREAM #</span></div></div><div><div><span>############</span></div></div><div><div><span> </span><span>upstream_name</span><span>:</span></div></div><div><div><span> </span><span>asn</span><span>: </span><span>neigh_asn</span></div></div><div><div><span> </span><span>disabled</span><span>: </span><span>false</span></div></div><div><div><span> </span><span>listen6</span><span>: </span><span>"</span><span>&#x3C;local_address></span><span>"</span></div></div><div><div><span> </span><span>local-pref</span><span>: </span><span>100</span></div></div><div><div><span> </span><span>neighbors</span><span>:</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>&#x3C;neigh_address></span><span>"</span></div></div><div><div><span> </span><span>template</span><span>: </span><span>upstream</span></div></div><div><div> </div></div><div><div><span>###############</span></div></div><div><div><span># ROUTESERVER #</span></div></div><div><div><span>###############</span></div></div><div><div><span> </span><span>routeserver_name</span><span>:</span></div></div><div><div><span> </span><span>asn</span><span>: </span><span>neigh_asn</span></div></div><div><div><span> </span><span>disabled</span><span>: </span><span>false</span></div></div><div><div><span> </span><span>listen4</span><span>: </span><span>"</span><span>&#x3C;local_address></span><span>"</span></div></div><div><div><span> </span><span>listen6</span><span>: </span><span>"</span><span>&#x3C;local_address></span><span>"</span></div></div><div><div><span> </span><span>local-pref</span><span>: </span><span>200</span></div></div><div><div><span> </span><span>neighbors</span><span>:</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>&#x3C;neigh_address></span><span>"</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>&#x3C;neigh_address></span><span>"</span></div></div><div><div><span> </span><span>template</span><span>: </span><span>routeserver</span></div></div><div><div> </div></div><div><div><span>###########</span></div></div><div><div><span># PEERING #</span></div></div><div><div><span>###########</span></div></div><div><div><span> </span><span>peering_name</span><span>:</span></div></div><div><div><span> </span><span>asn</span><span>: </span><span>neigh_asn</span></div></div><div><div><span> </span><span>disabled</span><span>: </span><span>false</span></div></div><div><div><span> </span><span>listen6</span><span>: </span><span>"</span><span>&#x3C;local_address></span><span>"</span></div></div><div><div><span> </span><span>local-pref</span><span>: </span><span>300</span></div></div><div><div><span> </span><span>neighbors</span><span>:</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>&#x3C;neigh_address></span><span>"</span></div></div><div><div><span> </span><span>template</span><span>: </span><span>peer</span></div></div><div><div> </div></div><div><div><span>############</span></div></div><div><div><span># INTERNAL #</span></div></div><div><div><span>############</span></div></div><div><div><span> </span><span>ibgp_name</span><span>:</span></div></div><div><div><span> </span><span>add-on-import</span><span>:</span></div></div><div><div><span><span> </span></span><span>- </span><span>&#x3C;your_asn>:1:1</span></div></div><div><div><span> </span><span>announce</span><span>:</span></div></div><div><div><span><span> </span></span><span>- </span><span>&#x3C;your_asn>:1:1</span></div></div><div><div><span> </span><span>disabled</span><span>: </span><span>false</span></div></div><div><div><span> </span><span>listen6</span><span>: </span><span>"</span><span>&#x3C;local_address></span><span>"</span></div></div><div><div><span> </span><span>local-port</span><span>: </span><span>179</span></div></div><div><div><span> </span><span>local-pref</span><span>: </span><span>150</span></div></div><div><div><span> </span><span>neighbor-port</span><span>: </span><span>179</span></div></div><div><div><span> </span><span>neighbors</span><span>:</span></div></div><div><div><span><span> </span></span><span>- </span><span>"</span><span>&#x3C;neigh_address></span><span>"</span></div></div><div><div><span> </span><span>template</span><span>: </span><span>ibgp</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <p>Generate bird config:</p> <div><figure><figcaption></figcaption><pre><code><div><div><span>pathvector generate</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <p>Cek Routing sudah masuk atau blm</p> <div><figure><figcaption></figcaption><pre><code><div><div><span>ip -6 route</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <p>Cek status BGP</p> <div><figure><figcaption></figcaption><pre><code><div><div><span>birdc show protocol</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> </li> <li> <p>Set cron untuk update IRR prefix lists dan PeeringDB prefix limits setiap 12 jam.</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>#crontab -e</span></div></div><div><div><span>0</span><span> </span><span>*</span><span>/12</span><span> </span><span>*</span><span> </span><span>*</span><span> </span><span>*</span><span> </span><span>pathvector</span><span> </span><span>generate</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> </li> </ol> <div><h3 id="reference">Reference</h3></div> <ul> <li><a href="https://pathvector.io/docs/installation">https://pathvector.io/docs/installation</a></li> <li><a href="https://t.me/IPv6_Indonesia/104851">https://t.me/IPv6_Indonesia/104851</a></li> <li><a href="https://www.youtube.com/watch?v=a51noB2brjM">https://www.youtube.com/watch?v=a51noB2brjM</a></li> </ul> <div><h2 id="part-3-set-up-interface">Part 3: Set Up Interface</h2></div> <ol> <li> <p>Buat dummy interface script</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>vim</span><span> </span><span>/usr/local/bin/setup-dummy-interface.sh</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <div><figure><figcaption></figcaption><pre><code><div><div><span>#!/bin/bash</span></div></div><div><div><span>ip</span><span> </span><span>link</span><span> </span><span>add</span><span> </span><span>dummy0</span><span> </span><span>type</span><span> </span><span>dummy</span></div></div><div><div><span>ip</span><span> </span><span>addr</span><span> </span><span>add</span><span> </span><span>&#x3C;YOUR_IPV4_INTERFACE_IP>/24</span><span> </span><span>dev</span><span> </span><span>dummy0</span></div></div><div><div><span>ip</span><span> </span><span>addr</span><span> </span><span>add</span><span> </span><span>&#x3C;YOUR_IPV6_INTERFACE_IP>/64</span><span> </span><span>dev</span><span> </span><span>dummy0</span></div></div><div><div><span>ip</span><span> </span><span>link</span><span> </span><span>set</span><span> </span><span>dummy0</span><span> </span><span>up</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>chmod</span><span> </span><span>+x</span><span> </span><span>/usr/local/bin/setup-dummy-interface.sh</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> </li> <li> <p>Buat Systemd Service </p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>vim</span><span> </span><span>/etc/systemd/system/dummy-interface.service</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>[Unit]</span></div></div><div><div><span>Description</span><span>=</span><span>Setup</span><span> </span><span>Dummy</span><span> </span><span>Interface</span></div></div><div><div><span>After</span><span>=</span><span>network.target</span></div></div><div><div> </div></div><div><div><span>[Service]</span></div></div><div><div><span>ExecStart</span><span>=</span><span>/usr/local/bin/setup-dummy-interface.sh</span></div></div><div><div><span>RemainAfterExit</span><span>=</span><span>yes</span></div></div><div><div> </div></div><div><div><span>[Install]</span></div></div><div><div><span>WantedBy</span><span>=</span><span>multi-user.target</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>systemctl</span><span> </span><span>enable</span><span> </span><span>dummy-interface.service</span></div></div><div><div><span>systemctl</span><span> </span><span>start</span><span> </span><span>dummy-interface.service</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> </li> <li> <p>Test Koneksi</p> <ol> <li> <p>Ping</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>ping</span><span> </span><span>-I</span><span> </span><span>&#x3C;YOUR_IPV4_INTERFACE_IP></span><span> </span><span>8.8.8.8</span></div></div><div><div><span>ping6</span><span> </span><span>-I</span><span> </span><span>&#x3C;YOUR_IPV6_INTERFACE_IP></span><span> </span><span>2001:4860:4860::8888</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> </li> <li> <p>Curl</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>curl</span><span> </span><span>--interface</span><span> </span><span>&#x3C;YOUR_IPV4_INTERFACE_IP></span><span> </span><span>-4</span><span> </span><span>ifconfig.me</span></div></div><div><div><span>curl</span><span> </span><span>--interface</span><span> </span><span>&#x3C;YOUR_IPV6_INTERFACE_IP></span><span> </span><span>-6</span><span> </span><span>ifconfig.me</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> </li> <li> <p>mtr</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>mtr</span><span> </span><span>-I</span><span> </span><span>dummy0</span><span> </span><span>google.com</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> </li> </ol> </li> </ol> <div><h2 id="part-4-tunnel-ke-rumah-atau-dc">Part 4: Tunnel ke Rumah atau DC</h2></div> <div><h4 id="main-server-bgp-router">Main Server (BGP Router)</h4></div> <ol> <li> <p>Install wireguard</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>apt</span><span> </span><span>update</span></div></div><div><div><span>apt</span><span> </span><span>install</span><span> </span><span>wireguard</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> </li> <li> <p>Generate Wireguard Private dan Public key</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>wg</span><span> </span><span>genkey</span><span> </span><span>|</span><span> </span><span>tee</span><span> </span><span>/etc/wireguard/private.key</span></div></div><div><div><span>chmod</span><span> </span><span>600</span><span> </span><span>/etc/wireguard/private.key</span></div></div><div><div><span>cat</span><span> </span><span>/etc/wireguard/private.key</span><span> </span><span>|</span><span> </span><span>wg</span><span> </span><span>pubkey</span><span> </span><span>|</span><span> </span><span>tee</span><span> </span><span>/etc/wireguard/public.key</span></div></div><div><div> </div></div><div><div><span># Baris Pertama Private Key</span></div></div><div><div><span># Baris Kedua Public Key -> simpan untuk konfigurasi client server</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> </li> <li> <p>Buat Konfigurasi Wireguard di /etc/wireguard/wg0.conf</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>[Interface]</span></div></div><div><div><span>PrivateKey</span><span> </span><span>=</span><span> </span><span>&#x3C;Your-Main-Server-Private-Key></span></div></div><div><div><span>Address</span><span> </span><span>=</span><span> </span><span>&#x3C;Your-Main-Server-IPv6-Allocation>/64</span></div></div><div><div><span>ListenPort</span><span> </span><span>=</span><span> </span><span>51820</span></div></div><div><div><span>Table</span><span> </span><span>=</span><span> </span><span>off</span></div></div><div><div> </div></div><div><div><span>[Peer]</span></div></div><div><div><span>PublicKey</span><span> </span><span>=</span><span> </span><span>&#x3C;Your-Client-Public-Key></span><span> </span><span>#setelah digenerate</span></div></div><div><div><span>AllowedIPs</span><span> </span><span>=</span><span> </span><span>&#x3C;Your-Client-IPv6-Allocation>/128</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> </li> <li> <p>Enable dan Start Wireguard Setelah Public Key Client di generate</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>systemctl</span><span> </span><span>enable</span><span> </span><span>wg-quick@wg0</span></div></div><div><div><span>systemctl</span><span> </span><span>start</span><span> </span><span>wg-quick@wg0</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> </li> <li> <p>Konfigurasi forwarding</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span># Port Forwarding for IPv4 - opsional jika announce IPv4</span></div></div><div><div><span>net.ipv4.ip_forward</span><span>=1</span></div></div><div><div> </div></div><div><div><span># Port forwarding for IPv6</span></div></div><div><div><span>net.ipv6.conf.all.forwarding</span><span>=1</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> </li> <li> <p>Apply konfigurasi forwarding</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>sudo</span><span> </span><span>sysctl</span><span> </span><span>-p</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> </li> </ol> <div><h4 id="client-server-home-server---debianubuntu">Client Server (Home Server) - Debian/Ubuntu</h4></div> <ol> <li> <p>Install wireguard</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>apt</span><span> </span><span>update</span></div></div><div><div><span>apt</span><span> </span><span>install</span><span> </span><span>wireguard</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> </li> <li> <p>Generate Wireguard Private dan Public key</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>wg</span><span> </span><span>genkey</span><span> </span><span>|</span><span> </span><span>tee</span><span> </span><span>/etc/wireguard/private.key</span></div></div><div><div><span>chmod</span><span> </span><span>600</span><span> </span><span>/etc/wireguard/private.key</span></div></div><div><div><span>cat</span><span> </span><span>/etc/wireguard/private.key</span><span> </span><span>|</span><span> </span><span>wg</span><span> </span><span>pubkey</span><span> </span><span>|</span><span> </span><span>tee</span><span> </span><span>/etc/wireguard/public.key</span></div></div><div><div> </div></div><div><div><span># Baris Pertama Private Key</span></div></div><div><div><span># Baris Kedua Public Key -> Masukkan ke konfigurasi main server</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> </li> <li> <p>Buat Konfigurasi Wireguard di /etc/wireguard/wg0.conf</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>[Interface]</span></div></div><div><div><span>PrivateKey</span><span> </span><span>=</span><span> </span><span>&#x3C;Your-Client-Private-Key></span></div></div><div><div><span>Address</span><span> </span><span>=</span><span> </span><span>&#x3C;Your-Client-IPv6-Allocation>/64</span></div></div><div><div><span>DNS</span><span> </span><span>=</span><span> </span><span>2606:4700:4700::1111</span></div></div><div><div><span>DNS</span><span> </span><span>=</span><span> </span><span>2606:4700:4700::1001</span></div></div><div><div> </div></div><div><div><span>[Peer]</span></div></div><div><div><span>PublicKey</span><span> </span><span>=</span><span> </span><span>&#x3C;Your-Main-Server-Public-Key></span></div></div><div><div><span>Endpoint</span><span> </span><span>=</span><span> </span><span>&#x3C;Main-Server-Public-IPv6>:51820</span></div></div><div><div><span>AllowedIPs</span><span> </span><span>=</span><span> </span><span>::/0</span></div></div><div><div><span>PersistentKeepalive</span><span> </span><span>=</span><span> </span><span>25</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> </li> <li> <p>Enable dan Start Wireguard Setelah Public Key Client digenerate</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>systemctl</span><span> </span><span>enable</span><span> </span><span>wg-quick@wg0</span></div></div><div><div><span>systemctl</span><span> </span><span>start</span><span> </span><span>wg-quick@wg0</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> </li> </ol> <div><h4 id="uji-coba-di-client-server">Uji Coba di Client Server</h4></div> <ol> <li> <p>Ping</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>ping6</span><span> </span><span>-I</span><span> </span><span>&#x3C;YOUR_IPV6_INTERFACE_IP></span><span> </span><span>2001:4860:4860::8888</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> </li> <li> <p>Curl</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>curl</span><span> </span><span>--interface</span><span> </span><span>&#x3C;YOUR_IPV6_INTERFACE_IP></span><span> </span><span>-6</span><span> </span><span>ifconfig.me</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> </li> <li> <p>mtr</p> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>mtr</span><span> </span><span>-I</span><span> </span><span>dummy0</span><span> </span><span>google.com</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> </li> </ol> <div><h3 id="miscellaneous">Miscellaneous</h3></div> <div><h4 id="generate-wireguard-qrcode">Generate Wireguard QRCode</h4></div> <div><figure><figcaption><span></span></figcaption><pre><code><div><div><span>apt</span><span> </span><span>install</span><span> </span><span>qrencode</span></div></div><div><div><span>qrencode</span><span> </span><span>-t</span><span> </span><span>ansiutf8</span><span> </span><span>&#x3C;</span><span> </span><span>/etc/wireguard/wg-client.conf</span></div></div></code></pre><div><div aria-live="polite"></div></div></figure></div> <p><a href="https://www.cyberciti.biz/faq/how-to-generate-wireguard-qr-code-on-linux-for-mobile/">https://www.cyberciti.biz/faq/how-to-generate-wireguard-qr-code-on-linux-for-mobile/</a></p> <div><h2 id="reference-1">Reference</h2></div> <ul> <li><a href="https://www.reddit.com/r/homelab/comments/153uwj9/want_to_get_started_with_bgp_links_that_helped_me/">https://www.reddit.com/r/homelab/comments/153uwj9/want_to_get_started_with_bgp_links_that_helped_me/</a></li> <li><a href="https://chown.me/blog/getting-my-own-asn">https://chown.me/blog/getting-my-own-asn</a></li> <li><a href="https://amanjuman.medium.com/setting-up-bgp-routing-with-pathvector-and-bird-on-ubuntu-3f8b92a01669">https://amanjuman.medium.com/setting-up-bgp-routing-with-pathvector-and-bird-on-ubuntu-3f8b92a01669</a></li> <li><a href="https://www.animmouse.com/p/my-asn-journey-configuring-bgp-on-vps/">https://www.animmouse.com/p/my-asn-journey-configuring-bgp-on-vps/</a></li> <li><a href="https://www.animmouse.com/p/my-asn-journey-bring-home-the-ipv6-via-wireguard/">https://www.animmouse.com/p/my-asn-journey-bring-home-the-ipv6-via-wireguard/</a></li> <li><a href="https://docs.vultr.com/configuring-bgp-on-vultr">https://docs.vultr.com/configuring-bgp-on-vultr</a></li> </ul>ipv6personal-asnbgpvpsdebianhttps://8labs.id/blog/welcome/https://8labs.id/blog/welcome/Thu, 26 Aug 2021 00:00:00 GMT<p>8Labs is a virtual labs platform where you can experiment fearlessly with real Linux environments—no vendor lock-in, no heavy VPS bills. Launch cloud-init ready VMs, get full root access, and practice real-world workflows for systems, networking, and deployments.</p> <div><h2 id="what-is-8labs">What is 8Labs?</h2></div> <p>8Labs provides on-demand virtual machines for learning and building. It’s especially useful for developers, students, researchers, and homelabbers who want a practical, open stack.</p> <p>Highlights:</p> <ul> <li>KVM virtualization on Proxmox</li> <li>Public IPv6 per lab and private IPv4 networking</li> <li>Cloud-init templates (Debian, Ubuntu, Rocky/Alma, FreeBSD)</li> <li>In-browser consoles (noVNC, xTerm.js)</li> <li>Snapshots and backups on-platform</li> <li>Fair-use credits and clear guardrails</li> </ul> <div><h2 id="why-we-built-this">Why we built this</h2></div> <p>We want to make hands-on Linux, networking, and infrastructure education accessible and affordable—without forcing you into a single cloud ecosystem. The platform favors open-source tooling and transparent operations.</p> <div><h2 id="get-started">Get started</h2></div> <ul> <li>Documentation: <a href="https://8labs.id/docs">https://8labs.id/docs</a></li> <li>Cloud Panel: <a href="https://cloud.8labs.id">https://cloud.8labs.id</a></li> <li>Client/Billing Panel: <a href="https://my.8labs.id">https://my.8labs.id</a></li> <li>Main site: <a href="https://8labs.id">https://8labs.id</a></li> </ul> <p>If you’re new here, start with the docs and spin up your first lab. Have fun, break things, and learn fast.</p> <p>— 8Labs Team</p>8labswelcomeannouncement