Digital Ocean

Use this link to register Digital Ocean with $10 credit.
Droplet Setup (Ubuntu) for Node.js App (Meteor etc)
follow https://www.digitalocean.com/community/tutorials/initial-server-setup-with-ubuntu-14-04​
Follow mup guide:
1
And you also need to add NOPASSWD to your sudoers file. Open it with:
2
​
3
  sudo visudo
4
  Then, replace the line that says %sudo ALL=(ALL) ALL with
5
​
6
  %sudo ALL=(ALL) NOPASSWD:ALL
Copied!
Add Public Key to New Remote User, by follow https://gist.github.com/jamiewilson/4e1d28f9a200cb34ad59#set-up-ssl​
disable root access, change port(using the same guide by editing '/etc/ssh/sshd_config')
​https://www.digitalocean.com/community/questions/what-is-the-effect-of-permitrootlogin-no​
follow https://www.digitalocean.com/community/tutorials/additional-recommended-steps-for-new-ubuntu-14-04-servers​
add fail2ban by: https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-ubuntu-14-04​
Don't need to add swap when using SSD
Use unattended-upgrades to only do security updates (Otherwise when you do apt-get upgrade it'll update your version to Non-LTS version!)
Optional:
change editor to use vi sudo update-alternatives --config editor
References:
​http://julian.io/how-do-i-host-multiple-meteor-apps-on-one-digitalocean-droplet/​
​https://gist.github.com/jamiewilson/4e1d28f9a200cb34ad59#add-some-swap-space​
If you want nginx support:
​mup doc (which automatically use nginx, you don't need to setup anything)
​digital ocean guide​
More security setup from this linux workstation checklist:
​Make sure root mail is forwarded to an account you check​
MongoDB
automatic backup
1
#!/bin/bash
2
​
3
MONGO_DATABASE="USE_YOUR_APP_NAME"
4
APP_NAME="USE_YOUR_APP_NAME"
5
​
6
MONGO_HOST="127.0.0.1"
7
MONGO_PORT="27017"
8
TIMESTAMP=`date +%F-%H%M`
9
MONGODUMP_PATH="/usr/local/bin/mongodump"
10
BACKUPS_DIR="./backups/$APP_NAME"
11
BACKUP_NAME="$APP_NAME-$TIMESTAMP"
12
​
13
# mongo admin --eval "printjson(db.fsyncLock())"
14
# $MONGODUMP_PATH -h $MONGO_HOST:$MONGO_PORT -d $MONGO_DATABASE
15
$MONGODUMP_PATH -d $MONGO_DATABASE
16
# mongo admin --eval "printjson(db.fsyncUnlock())"
17
​
18
mkdir -p $BACKUPS_DIR
19
mv dump $BACKUP_NAME
20
tar -zcvf $BACKUPS_DIR/$BACKUP_NAME.tgz $BACKUP_NAME
21
rm -rf $BACKUP_NAME
Copied!
crontab:
1
# run every day at 12am
2
00 00 * * * path/backup_mongodb.sh
Copied!
How to manually backup or restore
​http://stackoverflow.com/questions/11024888/is-there-a-simple-way-to-export-the-data-from-a-meteor-deployed-app/16380978#16380978​
1
mongodump -d dbname 
2
#or 
3
mongodump --port 3001 --username meteor 
4
mongorestore --port 3001 -d meteor FOLDER_THAT_HAS_BSON_FILES
Copied!
Oplog
How to enable oplog if the db is already in use?
ref:
​https://github.com/meteor/meteor/wiki/Oplog-Observe-Driver​
(outdated: it's using mongodb 2.4) https://gentlenode.com/journal/meteor-10-set-up-oplog-tailing-on-ubuntu/17​
​https://www.digitalocean.com/community/tutorials/how-to-implement-replication-sets-in-mongodb-on-an-ubuntu-vps​
SSL
How to check?
Online tool: https://www.sslshopper.com/ssl-checker.html​
Or use ssl-cert-check on server (reference):
1
sudo ssl-cert-check -c /etc/letsencrypt/live/yourdomain.tld/cert.pem
Copied!
(LATEST 2021) With Mup you don't need to do manual setup SSL anymore
Setup SSL using mupx and Let’s Encrypt​
Steps
Make sure A record is already updated for your domain first
SSH to server:
1
  # ssh to your server
2
  git clone https://github.com/letsencrypt/letsencrypt
3
  ./letsencrypt-auto certonly --standalone --agree-tos --email YOUR_EMAIL -d YOURDOMAIN.COM -d www.YOURDOMAIN.COM
Copied!
The following 4 files will be generated in the archive folder: /etc/letsencrypt/archive/YOURDOMAIN.COM
(Note the ones in /etc/letsencrypt/live/YOURDOMAIN.COM is symlinked to archive folder)
cert1.pem
chain1.pem
fullchain1.pem
privkey1.pem
Now we want to copy those files to your local machine:
1
  # compress them on server first
2
  sudo tar -cvvf letsencrypt_YYYY_MM_DD.tar /etc/letsencrypt/archive/YOURDOMAIN.COM
3
  # then on your local terminal, use scp to get the above file, copy to home folder
4
  scp -P 22 [email protected]:/home/USER/letsencrypt_YYYY_MM_DD.tar ~
5
  # or
Copied!
Put the downloaded two files (fullchain.pem and privkey.pem) in your local folder where mup can access (see mup.json)
Update mup.json
1
   “ROOT_URL”: “https://yourdomain.com",
2
   ...
3
   "ssl": {
4
    "certificate": "PATH_TO/fullchain.pem", // this is a bundle of certificates
5
    "key": "PATH_TO/privkey.pem", // this is the private key of the certificate
6
    "port": 443 // 443 is the default value and it's the standard HTTPS port
7
  },
Copied!
Don't forget to add force-ssl package: meteor add force-ssl
Renew automatically
NOTE this will NOT work because the server has to be stopped
maybe try this? https://cuonic.com/posts/automating-lets-encrypt-certificate-renewal​
Let’s Encrypt expires 90 days, so we create cron job to automatically update:
1
  30 2 * * 1 /home/USER/letsencrypt/letsencrypt-auto renew >> /var/log/le-renew.log
Copied!
To renew manually
1
  # on dev machine, stop server:
2
  mupx stop
3
  # on server
4
  /home/USER/letsencrypt/letsencrypt-auto renew
5
  # above command will generate new files (cert2.pem etc), get the files to local machine
6
  # by doing the same steps above: 'sudo tar -cvvf ...' (see above)
7
  mupx setup
8
  mupx deploy
Copied!
Key points:
You need to stop server before running renew.
if cert is expired, you need to run mpux setup again
if you run letsencrypt renew, new files will be generated (such as cert2.pem)
cert.pem: Your domain's certificate
chain.pem: The Let's Encrypt chain certificate
fullchain.pem: cert.pem and chain.pem combined
privkey.pem: Your certificate's private key
Reference:
first read this [guide](https://medium.com/@getdrizzle/deploying-meteor-app-with-free-ssl-certificate-mupx-letsencrypt-digital-ocean-7c85d90cc731#.ty1lahoh9​
)
​https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-14-04​
​https://forums.meteor.com/t/setting-up-ssl-with-letsencrypt-and-meteorup/14457​
Additional:
​How to create a self-signed SSL Certificate​