markdown 在Intel Nuc上设置Ubuntu Web服务器，步骤和代码片段

Posted 2021-05-05

# All the steps and code snippets from my tutorial series [Set up an Ubuntu Web Server on an Intel NUC](https://www.youtube.com/playlist?list=PLjwDNSlPlIIunYlhIRuftmmPmMZlze6WJ)

## Get an image

[Get an Ubuntu image for your NUC](https://www.ubuntu.com/download/iot/intel-nuc-desktop)

## Update the apt repositories

```bash
apt update -y & apt upgrade -y
```

## Don't let the computer sleep at the login screen, so it's always up.

```bash
sudo su
su lightdm -s /bin/bash
dbus-launch gsettings set org.gnome.settings-daemon.plugins.power sleep-inactive-ac-timeout 0
exit
exit
```

## Setup a static IP address

1. Go to `Network > Choose your Network > IPv4 Settings`
1. Set "Method" to "Manual"
1. Add a static IP address, I picked `192.168.1.100`
    1. Set the netmask. You can find the netmask by running `ifconfig`
    1. Set the gateway. You can find the gateway by running `ip route show`
1. Set DNS servers, I used Google's `8.8.8.8, 8.8.4.4`

## Port Forwarding

Log in to your router's admin and configure port forwarding for `80`, `443`, and `22222` (or whatever port you pick for ssh)

## Configure SSH

Install open ssh server

```bash
sudo apt install -y openssh-server
```

Edit `/etc/sshd_config` and change the Port to your preferred port

Create a keypair on your computer, and send it to the server:

```bash
ssh-copy-id -i ~/.ssh/keyfilenamehere user@host -p 22222
```

Add this config to the bottom of `/etc/sshd_config` to disable password login:
```
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no
```

## Fail2ban

Install fail2ban

```bash
sudo apt install -y fail2ban
```

Copy the fail2ban default configuration to a file we can safely edit

```
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
```

Edit the `/etc/fail2ban/jail.local` file, and scroll to the `[ssh]` jail section, add:

```
enabled = true
```

Change the port to the port ssh is running on (22222 for me)

Restart fail2ban to apply configuration changes:

```
sudo systemctl restart fail2ban
```

## Dynamic DNS

I use [no-ip](https://www.noip.com/)... get a wilcard domain name that comes with Dynamic DNS. 

Set up their dynamic updater so the Dynamic DNS part works.

## Certbot

Install Certbot

```bash
sudo apt-get update -y
sudo apt-get install -y software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update -y
sudo apt-get install -y certbot 
```

Get an HTTPS certificate and private key:

```bash
sudo certbot certonly --standalone -d example.com -d www.example.com
```

## Install Docker

Install [Docker for Ubuntu](https://docs.docker.com/install/linux/docker-ce/ubuntu/)

## Setup an NGINX application router

I added [this nginx config](https://gist.github.com/ericandrewlewis/b64f86423dcdd7789914e55606a33494) into ~/apps/nginx-app-router/nginx.conf

and then I ran

```bash
sudo docker run \
  --volume /home/eric/apps/nginx-app-router/nginx.conf:/etc/nginx/nginx.conf:ro \
  --volume /etc/letsencrypt:/etc/letsencrypt \
  --publish 80:80 \
  --publish 443:443 \
  --detach \
  --restart always \
  nginx
```

## Running Docker-based apps

Edit the NGINX configuration at `~/apps/nginx-app-router/nginx.conf` to add a server block for the app, specifying the subdomain, port, and the NUC's static IP address:

```
server {
    listen 443 ssl;
    server_name  next-subways.curious-directory.com;

    location / {
        proxy_pass http://192.168.1.100:8002;
    }
}
```

Build a Docker image:

```bash
sudo docker build --tag next-subways .
```

Run the image:

```bash
sudo docker run \
  --detach \
  --publish 8002:8080 \
  --env NODE_ENV='production' \
  --env MTA_API_KEY=$API_KEY \
  --restart always \
  next-subways
```