Base Config
Notes:
- The Mail Server requires SSL certificates
- Occurrences of `REPLACEME.TLD` without comments stating otherwise should have the FQDN substituted for them
- Occurrences of `REPLACEME` without comments stating otherwise should have the FQDN without the TLD substituted for them
Swap File
- Run `dd if=/dev/zero of=/swapfile bs=1M count=2048`, then `chmod 600 /swapfile`, followed by `mkswap /swapfile` and `swapon /swapfile` (the `chmod 600` is not cosmetic: swap holds pages of process memory, so the file must not be readable by other users)
- Set the system up to mount the swap file at boot by adding `/swapfile none swap defaults 0 0` to the bottom of `/etc/fstab`
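The swap-file steps above as one idempotent script. This is an added example, not part of the original configuration notes: it assumes Linux with util-linux (`mkswap`, `swapon --show`) and GNU `dd`, and the `SWAPFILE`/`SWAP_MB` variables and the `--apply` flag are illustrative choices that default to the values used above. It checks the file mode before activating swap and only appends the `fstab` line if it is not already there, so re-running it on a configured machine is harmless.

```shell
#!/bin/sh
# Added example (not part of the original notes): an idempotent version of the
# swap-file steps. Assumptions: Linux with util-linux (mkswap, swapon) and GNU
# dd; SWAPFILE and SWAP_MB are illustrative knobs defaulting to the values in
# the notes. Nothing below touches the system unless run with --apply.
set -eu

SWAPFILE="${SWAPFILE:-/swapfile}"
SWAP_MB="${SWAP_MB:-2048}"

# True when $1 is mode 0600 (owner read/write only). Swap holds pages of
# process memory (session keys, password hashes), so a swap file readable
# by other users is a local information leak.
swap_mode_ok() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# Append the "$1 none swap defaults 0 0" line to the fstab file $2 unless an
# entry for $1 already exists, then print how many such entries there are
# (1 after any number of calls).
ensure_fstab_entry() {
    swapfile="$1"; fstab="$2"
    if ! grep -qE "^[[:space:]]*${swapfile}[[:space:]]+none[[:space:]]+swap" "$fstab" 2>/dev/null; then
        printf '%s none swap defaults 0 0\n' "$swapfile" >> "$fstab"
    fi
    grep -cE "^[[:space:]]*${swapfile}[[:space:]]+none[[:space:]]+swap" "$fstab"
}

# Create, lock down, format, activate and persist the swap file.
setup_swap() {
    if [ ! -f "$SWAPFILE" ]; then
        dd if=/dev/zero of="$SWAPFILE" bs=1M count="$SWAP_MB" status=none
    fi
    # Permissions are fixed before mkswap/swapon, so the file is never
    # world-readable while it holds swapped-out memory.
    chown root:root "$SWAPFILE"
    chmod 600 "$SWAPFILE"
    if ! swap_mode_ok "$SWAPFILE"; then
        echo "refusing to activate $SWAPFILE: mode is not 0600" >&2
        return 1
    fi
    # Only format and activate if it is not already active.
    if ! swapon --show=NAME --noheadings | grep -qx "$SWAPFILE"; then
        mkswap "$SWAPFILE" >/dev/null
        swapon "$SWAPFILE"
    fi
    ensure_fstab_entry "$SWAPFILE" /etc/fstab >/dev/null
    swapon --show
}

# Usage (as root): sh setup-swap.sh --apply
case "${1:-}" in
    --apply) setup_swap ;;
esac
```

Run it as root with `--apply`; `swapon --show` at the end confirms the file is active, and `ensure_fstab_entry` returning 1 confirms there is exactly one `fstab` line for it.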
Web Server
Package Requirements for Web Server
nginx php php-apcu-bc php-fpm php-composer php-gd php-imap php-intl php-memcached php-geoip geoip-database geoip-database-extra memcached mariadb bower gulp npm certbot
Folders for Web Server
nginx php systemd
Setup Instructions for Web Server
- Install the packages in the Package Requirements above
- Copy the folders above that aren't already configured to their equivalent location in `/etc`
- In `/etc/nginx/sites-available/REPLACEME.TLD.conf` and `/root/letsencrypt.sh`, substitute `REPLACEME.TLD` as described in the notes above
- Rename `/etc/nginx/sites-available/REPLACEME.TLD.conf`, substituting the domain for `REPLACEME.TLD` in the file name
- Add your site files to `/srv/http/REPLACEME.TLD`, where public assets are located in `/srv/http/REPLACEME.TLD/public`
- Create a symlink from `/etc/nginx/sites-available/REPLACEME.TLD.conf` to `/etc/nginx/sites-enabled/REPLACEME.TLD.conf`
- Run `openssl dhparam -out /etc/nginx/dhparam.pem 4096` to generate the Diffie-Hellman parameters
- Run `systemctl start php-fpm nginx` to start the web services, and `systemctl status php-fpm` and `systemctl status nginx` to check for errors
- If there were no errors in the previous command, run `systemctl enable php-fpm nginx` to enable the web services at boot
- Ensure the public web directory exists, update the list of domains in `/root/letsencrypt.sh`, and then run it to generate the SSL certificates
- Run `systemctl start certbot-renewal.timer` and `systemctl enable certbot-renewal.timer` to start and enable the auto-renewal process
MySQL Config
- Add `bind-address = 127.0.0.1` to `/etc/mysql/my.cnf` (under the `[mysqld]` section, so that the server only listens on the loopback interface and is not reachable from the network)
- Run `mysql_install_db --user=mysql --basedir=/usr --datadir=/var/lib/mysql`
- Run `systemctl start mysqld` and `systemctl enable mysqld` to start mysqld and enable it at boot
- Run `mysql_secure_installation`
- Create a new password
- Say yes to everything (e.g. "Remove anonymous users?", "Disallow root login remotely?", "Remove test database and access to it?", "Reload privilege tables now?")
Mail Server
Package Requirements for Mail Server
dovecot postfix procmail opendkim
Folders for Mail Server
dovecot pam.d postfix procmailrc skel systemd opendkim
Setup Instructions for Mail Server
- Install the packages in the Package Requirements above
- Copy the folders above that aren't already configured to their equivalent location in `/etc`
- Add an A DNS record for the FQDN and a hostname for the server
- Set the hostname of the server with `hostnamectl set-hostname SOMETHING.REPLACEME.TLD`, where `SOMETHING` is a unique name for the server and `REPLACEME.TLD` is the domain. This will be the server's new hostname.
- Add the hostname of the server to the end of the line starting with `127.0.0.1` in `/etc/hosts`
- In `/etc/dovecot/dovecot.conf` and `/etc/opendkim/opendkim.conf`, replace occurrences of `REPLACEME.TLD` with the domain, and occurrences of `REPLACEME` with the first part of the domain
- In `/etc/postfix/main.cf`, replace `SOMETHING.REPLACEME.TLD` with the hostname of the server and `REPLACEME.TLD` with the domain
- Run `opendkim-genkey -r -s REPLACEME -d REPLACEME.TLD`, where `REPLACEME.TLD` is the domain and `REPLACEME` is the first part of the domain (`REPLACEME` becomes the DKIM selector; `-r` restricts the key to email signing, matching the `s=email` tag in the DNS record below)
- In `/etc/postfix/aliases`, replace the instance of `REPLACEME` with the user that should receive domain-level emails
- Run `openssl dhparam -out /etc/dovecot/dh.pem 4096`
- Run `newaliases` to update the aliases database with the contents of `/etc/postfix/aliases`
- Run `systemctl start postfix dovecot opendkim` to start the mail services and `systemctl status postfix dovecot opendkim` to check for errors
- If there were no errors in the previous command, run `systemctl enable postfix dovecot opendkim` to enable the mail services at boot
- Create an MX DNS record for `REPLACEME.TLD` containing the hostname (`REPLACEME.TLD` can usually be left out of the input field)
- Create a TXT DNS record for the host `REPLACEME._domainkey.REPLACEME.TLD` containing `v=DKIM1; k=rsa; s=email; p=PUBLICKEY`, replacing the occurrence of `REPLACEME` with the first part of the domain, `REPLACEME.TLD` with the full domain, and `PUBLICKEY` with the string following `p=` in `/etc/opendkim/REPLACEME.txt`. That string is the base64-encoded DKIM public key (not a secret; the private key stays in the `.private` file next to it), and `opendkim-genkey` may split it across several quoted strings in the `.txt` file, which must be joined into one value. (`REPLACEME.TLD` can usually be left out of the input field)
- Create a TXT DNS record for the host `REPLACEME.TLD` containing `v=spf1 mx -all` (`REPLACEME.TLD` can usually be left out of the input field)
- Create a TXT DNS record for the host `_dmarc.REPLACEME.TLD` containing `v=DMARC1; p=none` (`REPLACEME.TLD` can usually be left out of the input field). `p=none` only asks receivers to report, not to reject; tighten it to `quarantine` or `reject` once SPF and DKIM are confirmed to pass.
- Set the reverse DNS record for the VPS to the hostname
- Add `postfix.service` and `dovecot.service` to the `ExecStartPost` service reload in `/etc/systemd/system/certbot-renewal.service` and run `systemctl daemon-reload`
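The DKIM, SPF and DMARC records from the steps above, built by a script rather than copied by hand. This is an added example and not part of the original configuration notes: it assumes the selector and domain are passed as arguments, the optional `--check` mode assumes `dig` is installed, and the embedded `.txt` sample is constructed with a placeholder `p=` value rather than real key material. The point it makes is the join: `opendkim-genkey` writes the public key as several quoted chunks followed by an unquoted comment, so pasting the line "after `p=`" literally gives a truncated record.

```shell
#!/bin/sh
# Added example (not part of the original notes): build the three TXT records
# from the file opendkim-genkey writes, and optionally compare them with what
# DNS actually serves. Assumptions: selector and domain are arguments; the
# sample record below is constructed and its p= value is not a real key.
set -eu

# Join the double-quoted chunks of an opendkim-genkey .txt file (read on stdin)
# into the single TXT value the DNS provider expects. 2048-bit keys are split
# across several quoted strings, and the trailing "; ----- DKIM key ..." part
# is an unquoted comment that must not end up in the record.
dkim_txt_value() {
    tr -d '\n' | grep -o '"[^"]*"' | tr -d '"\n'
}

# Just the base64 public key after p= (stdin as above).
dkim_pubkey() {
    dkim_txt_value | sed 's/.*p=//'
}

# Record names and values for the steps above: $1 selector, $2 domain.
dkim_host()  { printf '%s._domainkey.%s' "$1" "$2"; }
spf_record() { printf 'v=spf1 mx -all'; }
# $1 policy (none|quarantine|reject), optional $2 mailbox for aggregate reports.
dmarc_record() {
    if [ "${2:-}" ]; then
        printf 'v=DMARC1; p=%s; rua=mailto:%s' "$1" "$2"
    else
        printf 'v=DMARC1; p=%s' "$1"
    fi
}

# Constructed stand-in for /etc/opendkim/REPLACEME.txt (selector "example",
# domain example.com); the p= value is a placeholder, not a real key.
sample_genkey_txt() {
    cat <<'EOF'
example._domainkey IN TXT ( "v=DKIM1; k=rsa; s=email; "
   "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsampleKEYpart1"
   "sampleKEYpart2IDAQAB" )  ; ----- DKIM key example for example.com
EOF
}

# Compare the TXT record DNS serves for host $1 with expected value $2,
# ignoring the quoting and whitespace differences between providers.
txt_matches() {
    got=$(dig +short TXT "$1" | tr -d '"\n ')
    [ "$got" = "$(printf '%s' "$2" | tr -d ' ')" ]
}

# Usage: sh mail-dns.sh SELECTOR DOMAIN [KEYFILE]          (print the records)
#        sh mail-dns.sh --check SELECTOR DOMAIN [KEYFILE]  (also query DNS)
check=0
if [ "${1:-}" = "--check" ]; then check=1; shift; fi
if [ $# -ge 2 ]; then
    sel="$1"; dom="$2"; keyfile="${3:-/etc/opendkim/$sel.txt}"
    dkim=$(dkim_txt_value < "$keyfile")
    printf 'TXT %s  %s\n' "$(dkim_host "$sel" "$dom")" "$dkim"
    printf 'TXT %s  %s\n' "$dom" "$(spf_record)"
    printf 'TXT _dmarc.%s  %s\n' "$dom" "$(dmarc_record none)"
    if [ "$check" = 1 ]; then
        txt_matches "$(dkim_host "$sel" "$dom")" "$dkim" && echo "DKIM: published" || echo "DKIM: missing or wrong"
        txt_matches "$dom" "$(spf_record)" && echo "SPF: published" || echo "SPF: missing or wrong"
        txt_matches "_dmarc.$dom" "$(dmarc_record none)" && echo "DMARC: published" || echo "DMARC: missing or wrong"
    fi
fi
```

With `--check` the script compares what `dig +short TXT` returns against the values it printed, after stripping quotes and spaces, so it tolerates providers that re-split long TXT records into 255-byte chunks.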
Add Accounts
- Create an account by running `useradd -m -d /home/REPLACEME -s /bin/bash REPLACEME` (replacing `REPLACEME` with the username associated with the mail account)
- Set the password by running `passwd REPLACEME` (replacing `REPLACEME` with the username associated with the mail account)