Initial Discourse server setup on Ubuntu

Placeholders

Placeholders: Input details here and the commands below will be auto-filled for you lower down for easy copy-pasting.

Choose a name for the project, which will be used for naming DO Project, Droplet, etc

This is the SSH key fingerprint that is in your Digital Ocean account, for initial root access only

=NEW_USERNAME=: name of the new non-root user you want to create on the server (default: ‘discourse’)

=NEW_USER_SSH_IMPORT=: the ssh-import-id identity you want to use for the new non-root user

Some useful command aliases

a doupdates alias for manually updating the OS

echo "alias doupdates='sudo apt update && sudo apt -y dist-upgrade && sudo apt autoremove && sudo apt -y autoclean'" >> /etc/profile;source /etc/profile

quickly enter the discourse app container

echo "alias app='cd /var/discourse && sudo ./launcher enter app'" >> /etc/profile;source /etc/profile

cd to /var/discourse/ on login (where else would you be going?)

echo "[ -d /var/discourse ] && cd /var/discourse/" >> /etc/profile;source /etc/profile

Updates

using the aliases we’ve installed, updating the server OS is now a single command:

doupdates

It is also worth setting up Unattended Upgrades for stable security fixes.

dpkg-reconfigure -plow unattended-upgrades

User setup and hardening

context: you are logged in over SSH, as root

create a non-root user ‘=NEW_USERNAME=’

adduser =NEW_USERNAME=

make them a sudoer

usermod -aG sudo =NEW_USERNAME=

edit the sudo config so that the new user can sudo without a password

visudo

adding the following after the last line

=NEW_USERNAME= ALL=(ALL) NOPASSWD: ALL

create an .ssh directory for the new user

mkdir /home/=NEW_USERNAME=/.ssh

change ownership of that directory to the new user

chown -R =NEW_USERNAME=:=NEW_USERNAME= /home/=NEW_USERNAME=/.ssh

become the new user

su - =NEW_USERNAME=

import my SSH pubkey to this user’s authorized_keys file

ssh-import-id =NEW_USER_SSH_IMPORT=

check it worked (optional)

cat ~/.ssh/authorized_keys

The added key should be visible in the Authorized Keys file

SSH security configuration

edit the SSH config

sudo nano /etc/ssh/sshd_config

edit the SSH config so that the following are set to no and are uncommented

PermitRootLogin no
PasswordAuthentication no

then restart to apply the changes

sudo service ssh restart

test this by logging out and back in again

exit

me@my-laptop:~$ ssh root@xxx.xxx.xxx.xxx # test login as root
root@xxx.xxx.xxx.xxx: Permission denied (publickey). # root login should fail

me@my-laptop:~$ ssh madeupuser@xxx.xxx.xxx.xxx # test login with fictional user (normally would prompt for password)
madeupuser@xxx.xxx.xxx.xxx: Permission denied (publickey). # password login should fail

me@my-laptop:~$ ssh discourse@xxx.xxx.xxx.xxx # test login as discourse
discourse@myubuntuhostname:~$ # successful login without needing password
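
An added example, not part of the original guide: sshd keeps the first value it reads for each keyword, and a file pulled in by an Include directive can set one before your edit, so it is worth checking the effective configuration that `sshd -T` prints rather than only the file you edited. The function name and the sample inputs below are constructed for illustration.

```shell
# Added example: verify sshd's effective settings, not just the edited file.
# Input is the format printed by `sshd -T`: one lowercase "keyword value" per line.

# Reads `sshd -T` output on stdin, prints PASS/FAIL per setting, and returns 0
# only if both settings are reported as "no". A missing keyword is a failure.
check_sshd_hardening() {
    awk '
        BEGIN {
            want["permitrootlogin"] = "no"
            want["passwordauthentication"] = "no"
        }
        {
            key = tolower($1)
            # keep the first occurrence only, as sshd does for repeated keywords
            if ((key in want) && !(key in seen)) seen[key] = tolower($2)
        }
        END {
            bad = 0
            for (k in want) {
                if (!(k in seen)) {
                    printf "FAIL %s: not reported\n", k; bad = 1
                } else if (seen[k] != want[k]) {
                    printf "FAIL %s: is %s, want %s\n", k, seen[k], want[k]; bad = 1
                } else {
                    printf "PASS %s %s\n", k, seen[k]
                }
            }
            exit bad
        }
    '
}

# Constructed sample: effective config after the two edits on this page.
SAMPLE_GOOD='port 22
permitrootlogin no
pubkeyauthentication yes
passwordauthentication no'

# Constructed sample: password logins are still enabled in the effective config.
SAMPLE_BAD='port 22
permitrootlogin no
passwordauthentication yes'

printf '%s\n' "$SAMPLE_GOOD" | check_sshd_hardening
printf '%s\n' "$SAMPLE_BAD" | check_sshd_hardening || echo "hardening incomplete"

# On the server itself (assumes root, which sshd -T needs):
#   sudo sshd -T | check_sshd_hardening
```

Run it after restarting ssh and before closing your current session, so a FAIL can be fixed while you still have access.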

Install Discourse

according to the official guide, INSTALL-cloud.md in the discourse/discourse repository on GitHub

Note: Git is already installed on Ubuntu 20.04 and is an acceptable version.

sudo -s
git clone https://github.com/discourse/discourse_docker.git /var/discourse
cd /var/discourse

Run discourse-setup, which installs Docker if needed and then proceeds with the rest of the installation.

./discourse-setup

Install the mail-receiver container for direct Reply By Email

cp samples/mail-receiver.yml containers/

Further info

Things to do now

depending on your requirements, edit containers/app.yml

Firewall

Most often you will probably want to set up a firewall with the VPS provider; however, if you cannot arrange this, ufw may be of use (see this article for more info).

