DigitalOcean is an amazing tool for building cloud infrastructure very quickly. Click a few buttons to select and size your droplet and sixty seconds later you’re logging in to a fresh cloud server ready to start building something. This is especially nice if you just want to try something out. Simply spin up a droplet, do your test, and then throw the whole thing away when you’re done.
I’ve been setting up a number of things on DigitalOcean as of late–some for production and some for testing. While the task of creating a new droplet is trivial, I find myself doing the same initial configuration over and over again. None of this is rocket science, but I wanted to have a list of commands I could easily reference and copy/paste into a new droplet bringing it up to a solid starting point.
Customize this Guide
There are a few portions of this guide that you will probably want to customize. If you modify those values here, you will then be able to copy/run the commands without the need for modification.
Server IP Address:
Create the Droplet
Go through the droplet creation wizard to build your server. I’ll use the stock Ubuntu image provided by DigitalOcean and I use SSH keys for authentication. Once the droplet is created, connect with ssh.
Bring the Droplet Up-to-Date
Start off by making sure you have the latest and greatest software.
apt-get update && apt-get -y dist-upgrade
Add Some Swap (optional)
If you will need swap space, these commands will create a 1GB swap file and set it up to be mounted at boot.
fallocate -l 1G /swapfile
chmod 600 /swapfile
echo "/swapfile none swap sw 0 0" >> /etc/fstab
echo 10 | tee /proc/sys/vm/swappiness
echo vm.swappiness = 10 | tee -a /etc/sysctl.conf
Setup a Basic Firewall
Add basic firewall rules to:
– allow established connections
– allow loopback traffic
– allow incoming pings
– allow SSH traffic
– drop everything else
…and make these rules persistent.
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
If you’ll be running a webserver, you’ll probably want to allow ports 80 and 443 as well.
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -j DROP
apt-get install -y iptables-persistent
Add Miscellaneous Packages
Add any packages you want in your base system. ‘haveged’ helps with random number generation in a cloud server environment.
apt-get install -y haveged
Create a Non-Root User
Now we’ll create a non-root account that will be used with sudo from here on out. Since the SSH key that I’m using for the root account during this initial configuration is the same key I’ll be using for the non-root user, I’ll just copy it over and then remove it from the root account.
adduser --disabled-password --gecos ""
mkdir -p /home//.ssh/
cp -a /root/.ssh/authorized_keys /home//.ssh/
chown -R : /home//.ssh/
Tighten Up SSH
Finally, we will make a few changes to SSH and reboot the droplet.
And now we should be able to connect as our non-root user.
And that’s it! If you have any suggestions on how to improve this initial setup please comment below.