Getting Started in the Cloud - ryansch/stationeers GitHub Wiki

Here's a reference guide on how to set up a Debian-based VPS (Linode, etc.) to run stationeers.

1. Create your Debian-based VPS and connect as root.
2. Update and install system packages:

   ```sh
   apt-get update
   apt-get -y upgrade
   apt-get -y install iptables-persistent htop
   ```

3. Set the hostname:

   ```sh
   echo "stationeers" > /etc/hostname
   hostname -F /etc/hostname
   ```

4. Add an entry to /etc/hosts with the external IP and the hostname:

   ```sh
   echo "<external ip>  stationeers" >> /etc/hosts
   ```

5. Create a user and give them sudo access:

   ```sh
   adduser me
   adduser me sudo
   ```

6. Disconnect from the VPS.
7. Set up SSH keys with `ssh-copy-id root@<external ip>`.
8. SSH in as the user you created earlier.
9. Update /etc/ssh/sshd_config:
   - Change `PermitRootLogin` to `no`
   - Change `PasswordAuthentication` to `no`
   - Add `UseDNS no`
   - Optionally add the following block to further secure SSH:

     ```
     KexAlgorithms [email protected]
     Protocol 2
     HostKey /etc/ssh/ssh_host_ed25519_key
     PasswordAuthentication no
     ChallengeResponseAuthentication no
     PubkeyAuthentication yes
     Ciphers [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
     MACs [email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,[email protected]
     ```

10. Restart SSH:

    ```sh
    sudo systemctl restart sshd
    ```
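Before restarting, it is worth checking that the edited file still parses: a typo in sshd_config would otherwise leave you locked out once the current session ends. The shell functions below are an added example, not code from the ryansch/stationeers wiki. They apply the three changes from step 9 to a sshd_config file idempotently (an absent keyword is inserted at the top, since sshd uses the first value it sees and a line above any `Match` block applies globally), read back the effective value, and restart sshd only if `sshd -t` accepts the file. The function names and the `--apply` flag are my own.

```shell
#!/bin/sh
# Added example, not from the ryansch/stationeers wiki: apply the sshd_config
# changes from step 9 to a file, idempotently, and restart sshd only if the
# result parses. Function names are my own.

# set_sshd_option FILE KEY VALUE
# Rewrite every active "KEY ..." line to "KEY VALUE". If the key is absent,
# put it at the top of the file: sshd uses the first value it sees for a
# keyword, and a line above any Match block applies globally.
set_sshd_option() {
    f=$1; k=$2; v=$3
    if grep -Eq "^[[:space:]]*$k[[:space:]]" "$f"; then
        awk -v k="$k" -v v="$v" '$1 == k { print k, v; next } { print }' "$f" > "$f.tmp"
    else
        { printf '%s %s\n' "$k" "$v"; cat "$f"; } > "$f.tmp"
    fi
    mv "$f.tmp" "$f"
}

# get_sshd_option FILE KEY -> the value sshd would use (first active match)
get_sshd_option() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# harden_sshd_config [FILE] -> the three changes from step 9
harden_sshd_config() {
    f=${1:-/etc/ssh/sshd_config}
    set_sshd_option "$f" PermitRootLogin no
    set_sshd_option "$f" PasswordAuthentication no
    set_sshd_option "$f" UseDNS no
}

# restart_sshd_if_valid [FILE] -> parse-check with sshd -t first; a broken
# config would otherwise lock you out when this session ends
restart_sshd_if_valid() {
    f=${1:-/etc/ssh/sshd_config}
    if sshd -t -f "$f"; then
        systemctl restart sshd
    else
        echo "$f does not parse; sshd NOT restarted" >&2
        return 1
    fi
}

# Usage (as root): sh harden-sshd.sh --apply
if [ "${1:-}" = "--apply" ]; then
    harden_sshd_config && restart_sshd_if_valid
fi
```

Run it on a copy of the file first (`harden_sshd_config /tmp/sshd_config.test`) and diff the result against the original; commented-out lines such as `#PasswordAuthentication yes` are left alone, so the default-commented entries Debian ships stay readable as documentation.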
11. Add a firewall.
    - Edit /etc/iptables/rules.v4:

      ```
      *nat
      :PREROUTING ACCEPT [0:0]
      :INPUT ACCEPT [0:0]
      :OUTPUT ACCEPT [0:0]
      :POSTROUTING ACCEPT [0:0]
      COMMIT

      *filter
      :INPUT ACCEPT [0:0]
      :FORWARD DROP [0:0]
      :OUTPUT ACCEPT [0:0]
      :DOCKER-USER - [0:0]
      :icmp-routing -
      :logdrop-0 -
      -A DOCKER-USER -j RETURN
      -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
      -A INPUT -i lo -j ACCEPT
      -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
      -A INPUT -p udp --sport 67 --dport 68 -j ACCEPT
      -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
      -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
      -A INPUT -i eth0 -p udp --dport 27015 -j ACCEPT
      -A INPUT -i eth0 -p udp --dport 27500 -j ACCEPT
      # Allow incoming Longview connections from longview.linode.com (if using linode)
      -A INPUT -s 96.126.119.66 -m state --state NEW -j ACCEPT
      # Allow incoming NodeBalancer connections (if using linode)
      -A INPUT -s 192.168.255.0/24 -m state --state NEW -j ACCEPT
      -A INPUT -p icmp -j icmp-routing
      -A INPUT -i eth0 -j logdrop-0

      -A FORWARD -i eth0 -j logdrop-0

      -A icmp-routing -p icmp --icmp-type 3 -j ACCEPT
      -A icmp-routing -p icmp --icmp-type 11 -j ACCEPT
      -A icmp-routing -p icmp --icmp-type 12 -j ACCEPT

      -A logdrop-0 -m limit --limit 1/second -j LOG
      -A logdrop-0 -j DROP
      COMMIT
      ```

    - Edit /etc/iptables/rules.v6:

      ```
      *filter
      :INPUT ACCEPT [0:0]
      :FORWARD ACCEPT [0:0]
      :OUTPUT ACCEPT [0:0]

      # Allow all loopback (lo0) traffic and reject traffic
      # to localhost that does not originate from lo0.
      -A INPUT -i lo -j ACCEPT
      -A INPUT ! -i lo -s ::1/128 -j REJECT

      # Below are the rules which are required for your IPv6 address to be properly allocated
      -A INPUT -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
      -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT
      -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j ACCEPT
      -A INPUT -p icmpv6 --icmpv6-type redirect -m hl --hl-eq 255 -j ACCEPT

      # Allow ICMP
      -A INPUT -p icmpv6 -j ACCEPT

      # Allow inbound traffic from established connections.
      -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

      # Log what was incoming but denied (optional but useful).
      -A INPUT -m limit --limit 5/min -j LOG --log-prefix "ip6tables_INPUT_denied: " --log-level 7

      # Reject all other inbound.
      -A INPUT -j REJECT

      # Log any traffic that was sent to you
      # for forwarding (optional but useful).
      -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "ip6tables_FORWARD_denied: " --log-level 7

      # Reject all traffic forwarding.
      -A FORWARD -j REJECT

      COMMIT
      ```
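Before the reboot in the next step it is worth confirming that the rules file loads and exposes only the ports you expect. The shell functions below are an added example, not part of the ryansch/stationeers wiki: `open_ports` lists every filter-table INPUT rule that accepts on a destination port, `broad_accepts` flags INPUT ACCEPT rules that restrict neither interface (`-i`), source (`-s`) nor port (ignoring the ESTABLISHED and ICMP rules, which carry no port), and `check_rules` runs `iptables-restore --test`, a parse-only load that needs root, before the audit. Run against the rules.v4 above it reports tcp/22, udp/68, tcp/80, tcp/443, udp/27015 and udp/27500 and flags nothing; for rules.v6 pass `ip6tables-restore` as the second argument. Function names and the `--check` flag are my own.

```shell
#!/bin/sh
# Added example, not from the ryansch/stationeers wiki: audit an
# iptables-restore rules file (rules.v4 or rules.v6) before it is applied
# at the reboot in the next step. Function names are my own.

# open_ports FILE -> one "proto/port" per line for every filter-table INPUT
# rule that ACCEPTs on a destination port
open_ports() {
    awk '
        /^\*/ { table = substr($1, 2) }            # *nat, *filter, ...
        table == "filter" && $1 == "-A" && $2 == "INPUT" && /-j ACCEPT/ {
            proto = "any"; port = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") port = $(i + 1)
            }
            if (port != "") print proto "/" port
        }' "$1"
}

# broad_accepts FILE -> INPUT ACCEPT rules that restrict neither interface
# (-i), source (-s) nor destination port, are not the conntrack/state
# ESTABLISHED rule and are not ICMP: anything listed is open to the world
broad_accepts() {
    awk '
        /^\*/ { table = substr($1, 2) }
        table == "filter" && $1 == "-A" && $2 == "INPUT" && /-j ACCEPT/ &&
            !/ -i / && !/ -s / && !/--dport/ && !/ESTABLISHED/ && !/ -p icmp/ { print }
    ' "$1"
}

# audit_rules FILE -> prints the exposed ports; returns 1 if any rule is
# wide open
audit_rules() {
    echo "ports accepted on INPUT in $1:"
    open_ports "$1"
    broad=$(broad_accepts "$1")
    if [ -n "$broad" ]; then
        echo "wide-open INPUT accepts (no -i, -s or --dport):" >&2
        echo "$broad" >&2
        return 1
    fi
    return 0
}

# check_rules [FILE] [RESTORE] -> parse-only load with iptables-restore --test
# (needs root; use ip6tables-restore for rules.v6), then the audit above
check_rules() {
    f=${1:-/etc/iptables/rules.v4}
    restore=${2:-iptables-restore}
    if ! "$restore" --test "$f"; then
        echo "$f does not load; fix it before rebooting" >&2
        return 1
    fi
    audit_rules "$f"
}

# Usage (as root): sh audit-rules.sh --check [/etc/iptables/rules.v4]
if [ "${1:-}" = "--check" ]; then
    check_rules "${2:-}"
fi
```

Note what the audit does not catch: the two Linode rules accept any port from their source addresses, which is fine for a trusted monitoring or balancer range but is why `-s` alone is treated as a restriction here. If you are not on Linode, drop those two lines rather than leaving an unused allow in place.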
12. Reboot!
13. Install docker:

    ```sh
    sudo apt-get -y install \
         apt-transport-https \
         ca-certificates \
         curl \
         gnupg2 \
         software-properties-common
    curl -fsSL https://download.docker.com/linux/debian/gpg | sudo apt-key add -
    sudo add-apt-repository \
       "deb [arch=amd64] https://download.docker.com/linux/debian \
       $(lsb_release -cs) \
       stable"
    sudo apt-get update
    sudo apt-get -y install docker-ce
    ```

14. Install docker-compose and add your user to the docker group:

    ```sh
    export COMPOSE_VERSION=1.23.2
    sudo curl -L https://github.com/docker/compose/releases/download/${COMPOSE_VERSION}/docker-compose-$(uname -s)-$(uname -m) -o /usr/local/bin/docker-compose
    sudo chmod +x /usr/local/bin/docker-compose
    sudo adduser <user> docker
    ```

15. Install stationeers:

    ```sh
    sudo mkdir -p /opt/stationeers/stationeers
    cd /opt/stationeers
    sudo wget https://raw.githubusercontent.com/ryansch/stationeers/master/docker-compose.yml
    sudo wget https://raw.githubusercontent.com/ryansch/stationeers/master/stationeers.service
    sudo systemctl enable /opt/stationeers/stationeers.service
    docker pull ryansch/stationeers:latest
    ```

16. Set up traefik:

    ```sh
    # Generate the password hash
    docker run -it --rm httpd:alpine htpasswd -Bn stationeers
    # Replace the password line in traefik.toml with the output of the previous command

    # Create a blank acme config
    touch acme.json
    chmod 600 acme.json
    ```

17. Edit the config:
    - Search through both docker-compose.yml and traefik.toml for the word CHANGEME and change every instance of it.
18. Start it up!

    ```sh
    sudo systemctl start stationeers
    ```
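A quick pre-start check for steps 16 to 18, as an added example that is not the project's code: it lists any `CHANGEME` left in docker-compose.yml and traefik.toml, flags an htpasswd line in traefik.toml that was generated without `-B` (an MD5 `$apr1$` or SHA1 `{SHA}` hash instead of bcrypt, which `htpasswd -B` writes as `$2y$`), and confirms that acme.json exists with mode 600 so Traefik's private keys are not world-readable. It assumes traefik.toml lives in /opt/stationeers beside the other files, and uses GNU stat(1); the function names are my own.

```shell
#!/bin/sh
# Added example, not from the ryansch/stationeers wiki: pre-start checks
# for the config edited in steps 16 and 17. Assumes traefik.toml sits in
# /opt/stationeers next to docker-compose.yml and acme.json; GNU stat.

# remaining_placeholders DIR -> "file:line:text" for every CHANGEME left
remaining_placeholders() {
    grep -n 'CHANGEME' "$1/docker-compose.yml" "$1/traefik.toml" 2>/dev/null || true
}

# weak_htpasswd_lines FILE -> lines whose htpasswd hash is MD5 (apr1) or
# SHA1 ({SHA}), i.e. generated without -B; bcrypt hashes start with $2y$
weak_htpasswd_lines() {
    grep -nF -e '$apr1$' -e '{SHA}' "$1" 2>/dev/null || true
}

# file_mode PATH -> octal permission bits, e.g. 600
file_mode() {
    stat -c '%a' "$1"
}

# preflight [DIR] -> prints every problem found; returns 1 if any, else 0
preflight() {
    dir=${1:-/opt/stationeers}
    problems=0
    p=$(remaining_placeholders "$dir")
    if [ -n "$p" ]; then
        echo "CHANGEME placeholders still present:"; echo "$p"
        problems=$((problems + 1))
    fi
    w=$(weak_htpasswd_lines "$dir/traefik.toml")
    if [ -n "$w" ]; then
        echo "non-bcrypt htpasswd hash in traefik.toml (regenerate with htpasswd -Bn):"; echo "$w"
        problems=$((problems + 1))
    fi
    if [ ! -f "$dir/acme.json" ]; then
        echo "acme.json missing (touch it and chmod 600)"
        problems=$((problems + 1))
    elif [ "$(file_mode "$dir/acme.json")" != 600 ]; then
        echo "acme.json mode is $(file_mode "$dir/acme.json"), expected 600"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# Usage: sh preflight.sh --check [/opt/stationeers]
if [ "${1:-}" = "--check" ]; then
    preflight "${2:-}" && echo "ok: ready to start stationeers"
fi
```

Run it from /opt/stationeers before `sudo systemctl start stationeers`; a non-zero exit means one of the three items above still needs attention.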

You can now visit Portainer at the domain you configured. It will be secured with HTTPS/TLS.

Upgrading stationeers is as simple as:

```sh
cd /opt/stationeers
docker-compose down
docker-compose pull
docker-compose up -d
```