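Preface

This is not really a guide. I recently had to reinstall the operating system on the her.blue server and move every application over to Docker, and I kept notes along the way. I hope they help you.

Data backup

  • Before doing anything, take a snapshot of each server, just in case
  • If snapshots are not available, back up every program, database and so on individually

During this very operation I hit exactly this problem right after installing the system and had to reinstall it; fortunately all the data was backed up.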

Server security hardening

Add a non-root user

  • sudo adduser username adds the user

Add the user to the sudo group

  • sudo usermod -aG sudo username
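  • id username shows the user's IDs and groups, so you can check which permissions the user has

Generate the security key

Switch to the newly added user and generate that user's security key

  • ssh-keygen -t rsa -b 4096
  • cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys

Set up SSH and enable key login

Edit the /etc/ssh/sshd_config file and set the following: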

RSAAuthentication yes
PubkeyAuthentication yes

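You can also disable login for the root user (once disabled, root can no longer log in, so be sure to test that the regular user can log in before disabling it).

PermitRootLogin no

Finally, once everything is set up, disable password login

PasswordAuthentication no

Restart the SSH service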

sudo service sshd restart
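
sshd uses the first value it reads for each keyword, so a hardened line appended below an older one has no effect. The following added example (not part of the original post; the function names sshd_effective and sshd_audit and the sample config are constructed for illustration) audits the global section of an sshd_config file for the three settings above:

```shell
#!/bin/sh
# Added example: audit an sshd_config for the settings used in this guide.

# Print the effective global value of KEYWORD, or DEFAULT if it is not set.
# First occurrence wins; keywords are case-insensitive; parsing stops at the
# first Match block. Include files are not followed.
sshd_effective() {  # usage: sshd_effective FILE KEYWORD DEFAULT
    awk -v key="$2" -v dflt="$3" '
        /^[ \t]*(#|$)/ { next }               # skip comments and blank lines
        { sub(/=/, " ") }                     # accept "Keyword=value" as well
        tolower($1) == "match" { exit }       # conditional section starts here
        tolower($1) == tolower(key) {
            val = $2; gsub(/"/, "", val); found = 1; exit
        }
        END { print (found ? val : dflt) }
    ' "$1"
}

# Compare each keyword with the value this guide sets. Columns of the table:
# keyword, OpenSSH default when unset, value expected after hardening.
sshd_audit() {  # usage: sshd_audit FILE ; returns 1 if anything differs
    rc=0
    while read -r key dflt want; do
        got=$(sshd_effective "$1" "$key" "$dflt")
        if [ "$got" = "$want" ]; then
            echo "ok   $key $got"
        else
            echo "FAIL $key is '$got', expected '$want'"
            rc=1
        fi
    done <<EOF
PubkeyAuthentication yes yes
PermitRootLogin prohibit-password no
PasswordAuthentication yes no
EOF
    return $rc
}

# Constructed sample: the later "PermitRootLogin no" is ignored by sshd.
sample=$(mktemp)
cat > "$sample" <<'EOF'
PubkeyAuthentication yes
PermitRootLogin yes
PasswordAuthentication no
PermitRootLogin no
EOF
sshd_audit "$sample" || echo "hardening incomplete"
```

On a live server, sudo sshd -t checks the file for syntax errors before the restart, and sudo sshd -T prints the fully resolved configuration, including Include files.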

Install Nginx

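Installing nginx on Debian 8.9 failed, and changing the source as described below did not help either; in the end I had no choice but to reinstall the system as 11.8, after which it installed normally.

First update apt

sudo apt-get update

Install

sudo apt-get install nginx

Change the package source

Updates may fail because of network problems, in which case the source needs to be changed. It made no difference; in the end I changed the system version.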

# Back up the current source list
sudo cp /etc/apt/sources.list /etc/apt/sources.list.bak
sudo vim /etc/apt/sources.list

# Aliyun mirror (Ubuntu bionic entries)
deb http://mirrors.aliyun.com/ubuntu/ bionic main restricted universe multiverse 
deb http://mirrors.aliyun.com/ubuntu/ bionic-security main restricted universe multiverse 
deb http://mirrors.aliyun.com/ubuntu/ bionic-updates main restricted universe multiverse 
deb http://mirrors.aliyun.com/ubuntu/ bionic-proposed main restricted universe multiverse 
deb http://mirrors.aliyun.com/ubuntu/ bionic-backports main restricted universe multiverse 
deb-src http://mirrors.aliyun.com/ubuntu/ bionic main restricted universe multiverse 
deb-src http://mirrors.aliyun.com/ubuntu/ bionic-security main restricted universe multiverse 
deb-src http://mirrors.aliyun.com/ubuntu/ bionic-updates main restricted universe multiverse 
deb-src http://mirrors.aliyun.com/ubuntu/ bionic-proposed main restricted universe multiverse 
deb-src http://mirrors.aliyun.com/ubuntu/ bionic-backports main restricted universe multiverse
# USTC mirror (Ubuntu precise entries)
deb http://mirrors.ustc.edu.cn/ubuntu/ precise-updates main restricted
deb-src http://mirrors.ustc.edu.cn/ubuntu/ precise-updates main restricted
deb http://mirrors.ustc.edu.cn/ubuntu/ precise universe
deb-src http://mirrors.ustc.edu.cn/ubuntu/ precise universe
deb http://mirrors.ustc.edu.cn/ubuntu/ precise-updates universe
deb-src http://mirrors.ustc.edu.cn/ubuntu/ precise-updates universe
deb http://mirrors.ustc.edu.cn/ubuntu/ precise multiverse
deb-src http://mirrors.ustc.edu.cn/ubuntu/ precise multiverse
deb http://mirrors.ustc.edu.cn/ubuntu/ precise-updates multiverse
deb-src http://mirrors.ustc.edu.cn/ubuntu/ precise-updates multiverse
deb http://mirrors.ustc.edu.cn/ubuntu/ precise-backports main restricted universe multiverse
deb-src http://mirrors.ustc.edu.cn/ubuntu/ precise-backports main restricted universe multiverse
# Sohu mirror (Ubuntu precise entries)
deb http://mirrors.sohu.com/ubuntu/ precise-updates main restricted
deb-src http://mirrors.sohu.com/ubuntu/ precise-updates main restricted
deb http://mirrors.sohu.com/ubuntu/ precise universe
deb-src http://mirrors.sohu.com/ubuntu/ precise universe
deb http://mirrors.sohu.com/ubuntu/ precise-updates universe
deb-src http://mirrors.sohu.com/ubuntu/ precise-updates universe
deb http://mirrors.sohu.com/ubuntu/ precise multiverse
deb-src http://mirrors.sohu.com/ubuntu/ precise multiverse
deb http://mirrors.sohu.com/ubuntu/ precise-updates multiverse
deb-src http://mirrors.sohu.com/ubuntu/ precise-updates multiverse
deb http://mirrors.sohu.com/ubuntu/ precise-backports main restricted universe multiverse
deb-src http://mirrors.sohu.com/ubuntu/ precise-backports main restricted universe multiverse
# NetEase (163) mirror (Ubuntu precise entries)
deb http://mirrors.163.com/ubuntu/ precise-updates main restricted
deb-src http://mirrors.163.com/ubuntu/ precise-updates main restricted
deb http://mirrors.163.com/ubuntu/ precise universe
deb-src http://mirrors.163.com/ubuntu/ precise universe
deb http://mirrors.163.com/ubuntu/ precise-updates universe
deb-src http://mirrors.163.com/ubuntu/ precise-updates universe
deb http://mirrors.163.com/ubuntu/ precise multiverse
deb-src http://mirrors.163.com/ubuntu/ precise multiverse
deb http://mirrors.163.com/ubuntu/ precise-updates multiverse
deb-src http://mirrors.163.com/ubuntu/ precise-updates multiverse
deb http://mirrors.163.com/ubuntu/ precise-backports main restricted universe multiverse
deb-src http://mirrors.163.com/ubuntu/ precise-backports main restricted universe multiverse

If the error E: Could not get lock /var/lib/apt/lists/lock - open (11: Resource temporari appears during the update, remove the lock with the following command

sudo rm /var/lib/apt/lists/lock

Install Docker

 curl -fsSL https://get.docker.com -o get-docker.sh
 sudo sh get-docker.sh

Install Docker-compose

One-step install

sudo curl -L "https://github.com/docker/compose/releases/download/v2.2.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose

Add execute permission

sudo chmod +x /usr/local/bin/docker-compose

Add a link in the bin directory

sudo ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose

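If the docker-compose file does not set user, the container's files may be created by root or another highly privileged user. In that case the ownership of the folders and files has to be changed; here 1001 is your target user and group

chown -R 1001:1001 <folder-or-directory-name>

When creating containers with docker-compose, unless root privileges are really required, add user: 1001:1001 and let a regular user own the folders; 1001 can be the id of your non-root user.

Install MySQL with Docker-compose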

version: '3.1'

services:
  mysql:
    container_name: mysql
    image: mysql:8.0
    restart: always
    user: 1001:1001
    ports: 
      - 10001:3306
    environment:
      MYSQL_ROOT_PASSWORD: example
    volumes:
      - /home/herblue/data/mysql-data/data:/var/lib/mysql
      - /home/herblue/data/mysql-data/config:/etc/mysql/conf.d

Enter MySQL to add the user and create the database

sudo docker exec -it mysql bash

mysql -u root -p

CREATE DATABASE ghost_test;

CREATE USER 'ghost_test'@'localhost' IDENTIFIED BY 'your_password';

GRANT ALL PRIVILEGES ON ghost_test.* TO 'ghost_test'@'localhost';

FLUSH PRIVILEGES;

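It is best to allow any host as the login host; I set it to localhost and it seems I could not log in

Install Ghost with Docker Compose

In Ghost, the server__port environment variable opens that port to the outside directly.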

version: '3.1'

services:
  ghost:
    container_name: ghost
    image: ghost:latest
    restart: always
    user: 1001:1001
    ports:
      - "10002:8080"
    environment:
      server__host: "127.0.0.1"
      server__port: 10002
      
      portal__url: "https://npm.webcache.cn/@tryghost/portal@~{version}/umd/portal.min.js"
      sodoSearch__url: "https://npm.webcache.cn/@tryghost/sodo-search@~{version}/umd/sodo-search.min.js"
      sodoSearch__styles: "https://npm.webcache.cn/@tryghost/sodo-search@~{version}/umd/main.css"
      comments__url: "https://npm.webcache.cn/@tryghost/comments-ui@~{version}/umd/comments-ui.min.js"
      comments__styles: "https://npm.webcache.cn/@tryghost/comments-ui@~{version}/umd/main.css"
      
      logging__level: "error"
            

      #database__client: sqlite3
      #database__connection__filename: "content/data/ghost-sqlite.db"
      database__client: mysql
      database__connection__host: "127.0.0.1"
      database__connection__port: 10001
      # must match the user and password created with CREATE USER above
      database__connection__user: "ghost_test"
      database__connection__password: "your_password"
      database__connection__database: "ghost_test"

      url: https://yourdomain

    volumes:
      - /home/herblue/data/ghost-data:/var/lib/ghost/content
    network_mode: "host"
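
A mapping such as 10001:3306 is published on every interface of the host, while the Ghost service above only connects through 127.0.0.1:10001. The following added example (not part of the original post; the function name exposed_ports and the sample file are constructed, and services are assumed to be indented by two spaces as in the files above) lists the port mappings in a compose file that are not bound to a loopback address:

```shell
#!/bin/sh
# Added example: find compose port mappings published on all interfaces.

# Print "SERVICE MAPPING" for every short-syntax entry under a ports: key
# that does not start with a loopback address (127.x.x.x or [::1]).
exposed_ports() {  # usage: exposed_ports COMPOSE_FILE
    awk -v q="'" '
        # remember the current service (a key indented by exactly two spaces)
        /^  [^ \t#-][^ \t]*:[ \t]*$/ { svc = $1; sub(/:$/, "", svc) }
        /^[ \t]*ports:[ \t]*$/ { inports = 1; next }
        inports && /^[ \t]*-/ {
            p = $0
            sub(/[ \t]+#.*$/, "", p)          # drop a trailing comment
            sub(/^[ \t]*-[ \t]*/, "", p)      # drop the list marker
            gsub("[\" \t" q "]", "", p)       # drop quotes and spaces
            if (p !~ /^(127\.|\[::1\])/) print svc " " p
            next
        }
        /[^ \t]/ { inports = 0 }              # any other line ends the list
    ' "$1"
}

# Constructed sample: the MySQL mapping from this guide next to a
# loopback-only variant of the same mapping.
compose_sample=$(mktemp)
cat > "$compose_sample" <<'EOF'
services:
  mysql:
    image: mysql:8.0
    ports:
      - 10001:3306
  mysql_local:
    image: mysql:8.0
    ports:
      - "127.0.0.1:10001:3306"
EOF
exposed_ports "$compose_sample"
```

Writing the MySQL mapping as 127.0.0.1:10001:3306 keeps it reachable for the Ghost container in this guide, which uses host networking and connects to 127.0.0.1:10001.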

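Backup

It is recommended to keep disaster-recovery backups of all container data, so that being hacked, a boneheaded operation or some other accident does not lead to data loss.

I actually wrote a backup script before, but I forgot to back it up during the last server move, which is a pity.

With ChatGPT to help now, though, regenerating a more complete one is no great problem.

The MySQL backup script uses a my.cnf file; copy it into the mysql container yourself beforehand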

#!/bin/bash
set -e  # stop on the first error
set -x  # debug tracing (note: the trace also prints ZIP_PASSWORD)

# Parameters
BACKUP_DIR="/home/username/backup"
TARGET_DIR="/home/username/data"
DATABASES=("ghost_prod" "test" "test2")  # list of databases
ZIP_PASSWORD="your_zip_password"
DATE=$(date +"%Y%m%d%H%M%S")
MYSQL_CONTAINER_NAME="mysql"
USER_HOME="/home/username"  # change to the actual user's home directory
TEMP_BACKUP_DIR="$USER_HOME/backup_temp_$DATE"

# Check for and create the required directories
mkdir -p "$BACKUP_DIR"
mkdir -p "$TEMP_BACKUP_DIR"

# 1. Copy the data in the target directory to the temporary backup directory
if [ -d "$TARGET_DIR" ]; then
    cp -r "$TARGET_DIR"/* "$TEMP_BACKUP_DIR"
else
    echo "Target directory $TARGET_DIR does not exist"
    exit 1
fi

# 2. Export each listed MySQL database as SQL text into the temporary backup directory
for MYSQL_DATABASE in "${DATABASES[@]}"; do
    SQL_FILE="$TEMP_BACKUP_DIR/${MYSQL_DATABASE}_backup_${DATE}.sql"

    # Dump the database from inside the Docker container
    docker exec "$MYSQL_CONTAINER_NAME" sh -c "mysqldump --defaults-extra-file=/root/.my.cnf $MYSQL_DATABASE" > "$SQL_FILE"
done

# 3. Pack the temporary backup directory into a password-protected archive
ARCHIVE_NAME="backup_${DATE}.zip"
if ! zip -r -P "$ZIP_PASSWORD" "$BACKUP_DIR/$ARCHIVE_NAME" "$TEMP_BACKUP_DIR"; then
    echo "Failed to create backup archive"
    exit 1
fi

# Delete the temporary backup directory
rm -rf "$TEMP_BACKUP_DIR"

# 4. Retention rules for backup files
find "$BACKUP_DIR" -type f -name "*.zip" | while read -r backup_file; do
    # Skip archives whose name carries no 14-digit timestamp
    backup_date=$(basename "$backup_file" | grep -o -E '[0-9]{14}') || continue
    # GNU date cannot parse the 14-digit stamp, so use its YYYYMMDD part
    backup_epoch=$(date -d "${backup_date:0:8}" +%s)
    current_epoch=$(date +%s)
    diff_days=$(( (current_epoch - backup_epoch) / 86400 ))

    if [ "$diff_days" -ge 365 ]; then
        # 365 days or older: keep only a backup that is exactly 365 days old
        if [ "$diff_days" -gt 365 ]; then
            rm "$backup_file"
        fi
    elif [ "$diff_days" -ge 150 ]; then
        # 150 to 364 days old: keep only ages that are a multiple of 150 days
        if [ $(( diff_days % 150 )) -ne 0 ]; then
            rm "$backup_file"
        fi
    elif [ "$diff_days" -ge 90 ]; then
        # 90 to 149 days old: keep only ages that are a multiple of 90 days
        if [ $(( diff_days % 90 )) -ne 0 ]; then
            rm "$backup_file"
        fi
    elif [ "$diff_days" -ge 30 ]; then
        # 30 to 89 days old: keep only ages that are a multiple of 30 days
        if [ $(( diff_days % 30 )) -ne 0 ]; then
            rm "$backup_file"
        fi
    elif [ "$diff_days" -ge 7 ]; then
        # 7 to 29 days old: keep one per week; newer backups are all kept
        if [ $(( diff_days % 7 )) -ne 0 ]; then
            rm "$backup_file"
        fi
    fi
done

echo "Backup completed and expired backups cleaned"

rclone backup

After that, use rclone to sync the backup folder to OneDrive. The install command is below

sudo -v ; curl https://rclone.org/install.sh | sudo bash

After installation, configure the remote storage service with rclone config; you can look up a detailed tutorial yourself.