### Starting Automated Hetzner Installimage Installation Source: https://community.hetzner.com/tutorials/install-almalinux-10-with-full-disk-encryption This command initiates the automated server installation process using Hetzner's `installimage` tool. It utilizes a custom configuration file (`-c`) and a post-install script (`-x`) to perform the setup without interactive prompts. Ensure the specified configuration and script files exist and are correctly configured. ```shell installimage -a -c /tmp/setup.conf -x /tmp/post-install.sh ``` -------------------------------- ### Making Post-Install Script Executable Source: https://community.hetzner.com/tutorials/install-almalinux-10-with-full-disk-encryption This command makes the post-install script executable, which is a prerequisite before passing it to the `installimage` command for automated server setup. This ensures the script can be run by the system during the installation process. ```shell chmod +x /tmp/post-install.sh ``` -------------------------------- ### Configure Dropbear SSH and Initramfs for Debian Source: https://community.hetzner.com/tutorials/install-ubuntu-2404-with-full-disk-encryption This script automates the setup of Dropbear SSH on a non-standard port and configures the initramfs for network access and SSH key copying. It installs necessary packages, sets up network interfaces, modifies Dropbear configuration, and updates the initramfs. Dependencies include `jq`, `cryptsetup-initramfs`, and `dropbear-initramfs`. ```bash #!/bin/bash add_initramfs_network() { mainif="$(ip --json a show up | jq -r 'del(.[] | select(.ifname == "lo")) | .[0]')" ip="$(echo $mainif | jq -r '.addr_info[0].local')" gw="$(ip --json n | jq -r '.[0].dst')" nn="$(echo $mainif | jq -r '.altnames[0]')" echo "IP=$ip::$gw:255.255.255.255::$nn:none:185.12.64.1:185.12.64.2:213.239.239.164" >> /etc/initramfs-tools/initramfs.conf } # Update system apt-get update >/dev/null apt-get -y install jq cryptsetup-initramfs dropbear-initramfs # Add static network config into initramfs add_initramfs_network # Copy SSH keys for dropbear and change the port cp /root/.ssh/authorized_keys /etc/dropbear/initramfs/ sed -ie 's/#DROPBEAR_OPTIONS=.*/DROPBEAR_OPTIONS="-I 600 -j -k -p 2222 -s"/' /etc/dropbear/initramfs/dropbear.conf dpkg-reconfigure dropbear-initramfs update-initramfs -u ``` -------------------------------- ### Install Prerequisites and Apache Modules (Debian/Ubuntu) Source: https://community.hetzner.com/tutorials/hetzner-ddns-bridge Installs necessary packages like Apache2, PHP with curl and SQLite3 extensions, and enables the rewrite module for a minimal Debian/Ubuntu setup. It also creates and sets ownership for the web directory. ```bash sudo apt update sudo apt install -y apache2 libapache2-mod-php php-cli php-curl php-sqlite3 sudo a2enmod rewrite sudo mkdir -p /var/www/hetzner-ddns sudo chown -R www-data:www-data /var/www/hetzner-ddns ``` -------------------------------- ### Install and Use Screen for Background Server Execution Source: https://community.hetzner.com/tutorials/game-server-cs2 This snippet covers the installation of the 'screen' utility, which allows the CS2 server to run in the background even after the SSH connection is closed. It includes commands to start a named screen session, launch the server within it, detach from the session, and reattach to it later. ```bash sudo apt install screen -y screen -S cs2-server # Launch your CS2 server inside this screen session # To detach: Ctrl+A then D screen -r cs2-server screen -ls ``` -------------------------------- ### Post-Install Script for Dropbear and Network Configuration Source: https://community.hetzner.com/tutorials/install-ubuntu-2404-with-full-disk-encryption This bash script is designed to run after the main installation process. It installs `jq`, `cryptsetup-initramfs`, and `dropbear-initramfs` to enable remote unlocking of encrypted partitions via SSH. It also configures static network settings for the initramfs and removes unwanted netplan configurations. ```bash #!/bin/bash add_initramfs_network() { mainif="$(ip --json a show up | jq -r 'del(.[] | select(.ifname == "lo")) | .[0]')" ip="$(echo $mainif | jq -r '.addr_info[0].local')" gw="$(ip --json n | jq -r '.[0].dst')" nn="$(echo $mainif | jq -r '.altnames[0]')" echo "IP=$ip::$gw:255.255.255.255::$nn:none:185.12.64.1:185.12.64.2:213.239.239.164" >> /etc/initramfs-tools/initramfs.conf } remove_unwanted_netplan_config() { cat << EOF > /etc/initramfs-tools/scripts/init-bottom/remove_unwanted_netplan_config #!/bin/sh if [ -d "/run/netplan" ]; then interface=$(ls /run/netplan/ | cut -d'.' -f1) if [ \${interface:+x78} ]; then rm -f /run/netplan/"\${interface}".yaml fi fi EOF chmod +x /etc/initramfs-tools/scripts/init-bottom/remove_unwanted_netplan_config } # Adding an initramfs-tools script to remove /run/netplan/{interface}.yaml, # because it is creating unwanted routes remove_unwanted_netplan_config # Update system apt-get update >/dev/null apt-get -y install jq cryptsetup-initramfs dropbear-initramfs # Add static network config into initramfs add_initramfs_network ``` -------------------------------- ### Initial Server Setup and Directory Creation (Bash) Source: https://community.hetzner.com/tutorials/coolify-crowdsec-prometheus-grafana-monitoring This snippet performs initial setup tasks on a newly provisioned server, including updating the system, setting the timezone, and creating necessary directory structures for monitoring tools like Prometheus, Loki, and Grafana. It assumes a Debian-based Linux distribution. ```bash ssh root@ # Update system apt update && apt upgrade -y # Set timezone timedatectl set-timezone Europe/Zurich # Create directory structure mkdir -p /opt/monitoring/{prometheus,loki,grafana/provisioning/datasources} ``` -------------------------------- ### Install SteamCMD and Dependencies (Bash) Source: https://community.hetzner.com/tutorials/game-server-cs2 Installs the necessary 32-bit GCC library and SteamCMD, Valve's command-line tool for managing game server files. This command ensures all prerequisites for SteamCMD are met. ```bash sudo apt-get install lib32gcc-s1 -y && \ sudo add-apt-repository multiverse && \ sudo dpkg --add-architecture i386 && \ sudo apt update -y && \ sudo apt install steamcmd -y ``` -------------------------------- ### Installimage Configuration for Single Drive Installation Source: https://community.hetzner.com/tutorials/install-ubuntu-2404-with-full-disk-encryption This configuration file is used with the `installimage` command for an automatic installation on a single drive. It specifies encryption, bootloader, hostname, partitioning, and the OS image to install. Ensure to replace 'secret' with a strong password and adjust drive names and partitions as needed. ```shell CRYPTPASSWORD secret DRIVE1 /dev/sda BOOTLOADER grub HOTNAME host.example.com PART /boot/efi esp 256M PART /boot ext4 1G PART / ext4 all crypt IMAGE /root/images/Ubuntu-2404-noble-amd64-base.tar.gz SSHKEYS_URL /tmp/authorized_keys ``` -------------------------------- ### Install and Configure CrowdSec Source: https://community.hetzner.com/tutorials/coolify-crowdsec-prometheus-grafana-monitoring This section details the installation of CrowdSec on a monitoring server, including adding the repository, installing the agent, and installing essential collections like linux, sshd, and http-scenarios. It also covers installing and enabling the firewall bouncer. ```bash # Add CrowdSec repository apt update && apt upgrade -y curl -s https://install.crowdsec.net | sudo sh # Install CrowdSec apt install crowdsec -y # Install collections cscli collections install crowdsecurity/linux cscli collections install crowdsecurity/sshd cscli collections install crowdsecurity/base-http-scenarios cscli collections install crowdsecurity/http-cve cscli collections install crowdsecurity/whitelist-good-actors # Install firewall bouncer apt install crowdsec-firewall-bouncer-nftables -y systemctl enable crowdsec-firewall-bouncer systemctl start crowdsec-firewall-bouncer ``` -------------------------------- ### Installimage Configuration for Two Drives (RAID1) Source: https://community.hetzner.com/tutorials/install-ubuntu-2404-with-full-disk-encryption This configuration enables automatic installation using two drives in a RAID1 setup. It defines the drives, RAID level, bootloader, hostname, partitioning scheme, and the OS image. This is suitable for redundancy. ```shell CRYPTPASSWORD secret DRIVE1 /dev/sda DRIVE2 /dev/sdb SWRAID 1 SWRAIDLEVEL 1 BOOTLOADER grub HOTNAME host.example.com PART /boot/efi esp 256M PART /boot ext4 1G PART / ext4 all crypt IMAGE /root/images/Ubuntu-2404-noble-amd64-base.tar.gz SSHKEYS_URL /tmp/authorized_keys ``` -------------------------------- ### Install Hetzner Cloud DNS Webhook from Git Source: https://community.hetzner.com/tutorials/cert-manager-hetzner-cloud-dns-webhook Installs the Hetzner Cloud DNS webhook for cert-manager by cloning the Git repository and using Helm. This method is useful for custom modifications or direct source installation. ```bash git clone https://github.com/hetzner/cert-manager-webhook-hetzner.git cd cert-manager-webhook-hetzner helm install cert-manager-webhook-hetzner ./chart \ --namespace cert-manager ``` -------------------------------- ### Installimage Configuration for RAID10 (Striping and Mirroring) Installation Source: https://community.hetzner.com/tutorials/install-almalinux-10-with-full-disk-encryption This configuration sets up an automated installation utilizing RAID10 across four drives, offering both performance and redundancy. It specifies the RAID level, bootloader, hostname, partitioning, and the OS image. Verify drive assignments and partition layouts match your setup. ```shell CRYPTPASSWORD secret DRIVE1 /dev/sda DRIVE2 /dev/sdb DRIVE3 /dev/sdc DRIVE4 /dev/sdd SWRAID 1 SWRAIDLEVEL 10 BOOTLOADER grub HOTNAME host.example.com PART /boot/efi esp 256M PART /boot ext4 1G PART / ext4 all crypt IMAGE /root/images/Alma-1001-amd64-base.tar.gz SSHKEYS_URL /tmp/authorized_keys ``` -------------------------------- ### Installimage Configuration for Single Drive Installation Source: https://community.hetzner.com/tutorials/install-almalinux-10-with-full-disk-encryption This configuration file is used with the `installimage` command for an automated installation on a single drive. It specifies encryption, bootloader, hostname, partitioning, and the OS image to install. Ensure to replace 'secret' with a strong password and adjust drive/partition details as needed. ```shell CRYPTPASSWORD secret DRIVE1 /dev/sda BOOTLOADER grub HOTNAME host.example.com PART /boot/efi esp 256M PART /boot ext4 1G PART / ext4 all crypt IMAGE /root/images/Alma-1001-amd64-base.tar.gz SSHKEYS_URL /tmp/authorized_keys ``` -------------------------------- ### Test PostgreSQL Connection Source: https://community.hetzner.com/tutorials/coolify-supabase-deploy Provides a command-line example to test the direct connection to the Supabase PostgreSQL database using psql. This requires the PostgreSQL port to be exposed and firewall rules to be configured. ```bash psql "postgresql://postgres:@supabase..:5432/postgres" ``` -------------------------------- ### Add CrowdSec Repository and Install Firewall Bouncer (Bash) Source: https://community.hetzner.com/tutorials/coolify-crowdsec-traefik-supavisor-protection Installs the CrowdSec firewall bouncer by first adding the CrowdSec repository using a curl script and then installing the `crowdsec-firewall-bouncer-nftables` package using apt. This prepares the system for the firewall bouncer installation. ```bash curl -s https://install.crowdsec.net | sudo sh apt install crowdsec-firewall-bouncer-nftables -y ``` -------------------------------- ### Prisma Environment Variable for Direct DB Connection Source: https://community.hetzner.com/tutorials/coolify-supabase-deploy Example of how to configure the direct database connection URL for Prisma in a .env file. This uses the direct PostgreSQL connection string format. ```env DIRECT_URL="postgresql://postgres:[PASSWORD]@:5432/postgres" ``` -------------------------------- ### Launch CS2 Server with Different Game Modes Source: https://community.hetzner.com/tutorials/game-server-cs2 This snippet demonstrates how to launch the CS2 dedicated server with specific game modes by using the `+game_alias` parameter. It provides examples for competitive, wingman, casual, deathmatch, and custom game modes. ```bash ./cs2.sh -dedicated +game_alias competitive +sv_setsteamaccount "TOKEN" ``` -------------------------------- ### Launch CS2 Dedicated Server with Parameters (Bash) Source: https://community.hetzner.com/tutorials/game-server-cs2 Launches the CS2 dedicated server using the 'cs2.sh' script. This command includes essential parameters such as IP address, maximum players, port, hostname, starting map, logging, network mode, game type, game mode, and the Steam Game Server Login Token (GSLT). ```bash cd ~/cs2-server/game && \ ./cs2.sh -dedicated -ip <10.0.0.1> -maxplayers 10 -port 27015 \ +hostname "YOUR_SERVER_NAME" \ +map de_dust2 \ +sv_logfile 1 \ +sv_lan 0 \ +game_type 0 \ +game_mode 1 \ +sv_setsteamaccount "YOUR_GSLT_TOKEN" ``` -------------------------------- ### Start Monitoring Stack with Docker Compose Source: https://community.hetzner.com/tutorials/coolify-crowdsec-prometheus-grafana-monitoring This command navigates to the monitoring directory and starts all defined services in the `docker-compose.yml` file in detached mode. It assumes the Docker Compose file is present in `/opt/monitoring`. ```bash cd /opt/monitoring docker compose up -d ``` -------------------------------- ### Post-Install Script for Remote Encrypted Partition Unlocking Source: https://community.hetzner.com/tutorials/install-almalinux-10-with-full-disk-encryption This bash script is designed to be used with `installimage` to configure the initramfs for remote unlocking of encrypted partitions. It installs necessary packages (`jq`, `dracut-network`, `dracut-sshd`), configures network settings for the initramfs, and modifies the SSH port. The script requires `jq` to be installed on the rescue system. ```bash #!/bin/bash add_initramfs_network() { mainif="$(ip --json a show up | jq -r 'del(.[] | select(.ifname == "lo")) | .[0]')" ip="$(echo $mainif | jq -r '.addr_info[0].local')" gw="$(ip --json n | jq -r '.[0].dst')" nn="$(echo $mainif | jq -r '.altnames[0]')" echo -e "kernel_cmdline=\"rd.neednet=1 ip=$ip::$gw:255.255.255.255::$nn:none:185.12.64.1:185.12.64.2:213.239.239.164\"\nadd_dracutmodules+=\" network \"" > /etc/dracut.conf.d/90-network.conf } # Update system dnf check-update >/dev/null dnf -y install epel-release # install EPEL repo dnf -y install jq dracut-network dracut-sshd # Add static network config into initramfs add_initramfs_network # Change the port echo "Port 2222" >> /usr/lib/dracut/modules.d/46sshd/sshd_config dracut -f -v ``` -------------------------------- ### Enable and Start Firewall Bouncer (Systemd) Source: https://community.hetzner.com/tutorials/coolify-crowdsec-traefik-supavisor-protection Enables the CrowdSec firewall bouncer service to start automatically on boot and then starts the service immediately. This ensures that the firewall protection is active and persistent. ```bash systemctl enable crowdsec-firewall-bouncer systemctl start crowdsec-firewall-bouncer ``` -------------------------------- ### Update System Packages and Reboot (Bash) Source: https://community.hetzner.com/tutorials/game-server-cs2 Updates all system packages to their latest versions, installs security updates, removes unused packages, and reboots the server. This is a crucial step for maintaining system security and stability. ```bash apt update && apt upgrade -y && apt autoremove -y && reboot ``` -------------------------------- ### Installimage Configuration for RAID1 (Mirroring) Installation Source: https://community.hetzner.com/tutorials/install-almalinux-10-with-full-disk-encryption This configuration enables automated installation using RAID1 for redundancy across two drives. It defines the RAID configuration, bootloader, hostname, partitioning, and the OS image. Adjust drive names and partition schemes according to your server's hardware. ```shell CRYPTPASSWORD secret DRIVE1 /dev/sda DRIVE2 /dev/sdb SWRAID 1 SWRAIDLEVEL 1 BOOTLOADER grub HOTNAME host.example.com PART /boot/efi esp 256M PART /boot ext4 1G PART / ext4 all crypt IMAGE /root/images/Alma-1001-amd64-base.tar.gz SSHKEYS_URL /tmp/authorized_keys ``` -------------------------------- ### Prisma Environment Variables for Supabase Source: https://community.hetzner.com/tutorials/coolify-supabase-postgresql-ssl-hardening This example shows how to configure Prisma's `DATABASE_URL` for pooled connections and `DIRECT_URL` for direct connections in a `.env` file. Both URLs are configured with `sslmode=require` to enforce encrypted communication. ```env DATABASE_URL="postgresql://postgres.:[PASSWORD]@:6543/postgres?sslmode=require&pgbouncer=true" DIRECT_URL="postgresql://postgres.:[PASSWORD]@:5432/postgres?sslmode=require" ``` -------------------------------- ### Installimage Configuration for Four Drives (RAID10) Source: https://community.hetzner.com/tutorials/install-ubuntu-2404-with-full-disk-encryption This configuration is for automatic installation utilizing four drives in a RAID10 array, offering both striping and mirroring for performance and redundancy. It includes settings for drives, RAID level, bootloader, hostname, partitioning, and the OS image. ```shell CRYPTPASSWORD secret DRIVE1 /dev/sda DRIVE2 /dev/sdb DRIVE3 /dev/sdc DRIVE4 /dev/sdd SWRAID 1 SWRAIDLEVEL 10 BOOTLOADER grub HOTNAME host.example.com PART /boot/efi esp 256M PART /boot ext4 1G PART / ext4 all crypt IMAGE /root/images/Ubuntu-2404-noble-amd64-base.tar.gz SSHKEYS_URL /tmp/authorized_keys ``` -------------------------------- ### Installimage Configuration for LVM Volume Group Installation Source: https://community.hetzner.com/tutorials/install-almalinux-10-with-full-disk-encryption This configuration enables automated installation using Logical Volume Management (LVM) with a volume group. It defines the drives, RAID settings (if applicable), bootloader, hostname, partitioning, and LVM logical volumes for root and home directories. Customize VG/LV names and sizes as needed. ```shell CRYPTPASSWORD secret DRIVE1 /dev/sda DRIVE2 /dev/sdb SWRAID 1 SWRAIDLEVEL 1 BOOTLOADER grub HOTNAME host.example.com PART /boot/efi esp 256M PART /boot ext4 1G PART lvm vg0 all crypt LV vg0 root / ext4 50G LV vg0 home /home ext4 1500G IMAGE /root/images/Alma-1001-amd64-base.tar.gz SSHKEYS_URL /tmp/authorized_keys ``` -------------------------------- ### Install Hetzner Cloud DNS Webhook from Helm Source: https://community.hetzner.com/tutorials/cert-manager-hetzner-cloud-dns-webhook Installs the Hetzner Cloud DNS webhook for cert-manager using its official Helm chart. This enables cert-manager to solve DNS-01 challenges with Hetzner DNS. ```bash helm repo add hcloud https://charts.hetzner.cloud helm repo update helm install cert-manager-webhook-hetzner hcloud/cert-manager-webhook-hetzner \ --namespace cert-manager ``` -------------------------------- ### Create Dedicated Steam User and Grant Sudo Privileges (Bash) Source: https://community.hetzner.com/tutorials/game-server-cs2 Creates a new user named 'steam' and adds it to the 'sudo' group. This allows the 'steam' user to install packages and manage services, enhancing security by avoiding the use of the root account for game server operations. ```bash adduser steam usermod -aG sudo steam ``` -------------------------------- ### Installimage Configuration for Volume Group (LVM) Source: https://community.hetzner.com/tutorials/install-ubuntu-2404-with-full-disk-encryption This configuration sets up a server with a Volume Group (VG) using LVM for flexible disk management. It specifies drives, RAID configuration, bootloader, hostname, partitioning, and logical volume definitions for root and home directories, along with the OS image. ```shell CRYPTPASSWORD secret DRIVE1 /dev/sda DRIVE2 /dev/sdb SWRAID 1 SWRAIDLEVEL 1 BOOTLOADER grub HOTNAME host.example.com PART /boot/efi esp 256M PART /boot ext4 1G PART lvm vg0 all crypt LV vg0 root / ext4 50G LV vg0 home /home ext4 1500G IMAGE /root/images/Ubuntu-2404-noble-amd64-base.tar.gz SSHKEYS_URL /tmp/authorized_keys ``` -------------------------------- ### Update System Packages on Hetzner Server Source: https://community.hetzner.com/tutorials/coolify-supabase-deploy Update the package list and upgrade installed packages on your Hetzner Cloud server. This ensures you have the latest security patches and software versions. Run this command after initially connecting via SSH. ```bash apt update && apt upgrade -y ``` -------------------------------- ### Connect via Dropbear SSH (RSA Key) Source: https://community.hetzner.com/tutorials/install-ubuntu-2404-with-full-disk-encryption This command connects to the server via Dropbear SSH on port 2222 using an RSA private key. The `PubkeyAcceptedKeyTypes +ssh-rsa` option is necessary to explicitly allow RSA keys, as they might be disabled by default in newer SSH configurations. ```bash ssh -o "PubkeyAcceptedKeyTypes +ssh-rsa" -p 2222 root@ -i ~/.ssh/id_rsa ``` -------------------------------- ### Set Up Steam SDK Link (Bash) Source: https://community.hetzner.com/tutorials/game-server-cs2 Creates a symbolic link for the Steam SDK 64-bit library. This is required for certain Steam features to function correctly with the dedicated server. ```bash mkdir -p ~/.steam/sdk64 && \ ln -s ~/.local/share/Steam/steamcmd/linux64/steamclient.so ~/.steam/sdk64/steamclient.so ``` -------------------------------- ### Create Traefik Log Directory with Bash Source: https://community.hetzner.com/tutorials/coolify-supabase-deploy Creates a directory for Traefik access logs and sets appropriate permissions. This command is executed via SSH on the server. ```bash mkdir -p /var/log/traefik chmod 755 /var/log/traefik ``` -------------------------------- ### Create and Configure CS2 Server Settings Source: https://community.hetzner.com/tutorials/game-server-cs2 This snippet shows how to create a server configuration file (`server.cfg`) to store custom server settings. It also includes commands to manage running server processes by checking and killing PIDs, and the command to launch the CS2 server using the created configuration file. ```bash nano ~/cs2-server/game/csgo/cfg/server.cfg hostname "My CS2 Server" sv_password "" mp_timelimit 45 mp_roundtime 2 sv_cheats 0 bot_difficulty 1 sudo lsof -i :27015 sudo kill cd ~/cs2-server/game && \ ./cs2.sh -dedicated +exec server.cfg \ +sv_setsteamaccount "YOUR_GSLT_TOKEN" \ +map de_dust2 ``` -------------------------------- ### Install GeoIP Enrichment for CrowdSec Source: https://community.hetzner.com/tutorials/coolify-crowdsec-prometheus-grafana-monitoring Installs the GeoIP enrichment parser for CrowdSec using the Docker command. This enables CrowdSec to enrich alerts with geographical information about the source IP addresses. After installation, the CrowdSec Docker container is restarted to apply the changes. ```bash docker exec crowdsec cscli parsers install crowdsecurity/geoip-enrich docker restart crowdsec ``` -------------------------------- ### Configure UFW Firewall with Bash Source: https://community.hetzner.com/tutorials/coolify-supabase-deploy Resets and configures the Uncomplicated Firewall (UFW) to deny incoming traffic by default, allow outgoing traffic, and open specific ports for SSH, HTTP, HTTPS, and PostgreSQL. It also disables IPv6 if not in use and enables the firewall. ```bash # Reset and set defaults ufw --force reset ufw default deny incoming ufw default allow outgoing # Allow required ports ufw allow 22/tcp comment 'SSH' ufw allow 80/tcp comment 'HTTP' ufw allow 443/tcp comment 'HTTPS' ufw allow 5432/tcp comment 'PostgreSQL Direct' ufw allow 6543/tcp comment 'PostgreSQL Pooler' # Disable IPv6 if not used sed -i 's/IPV6=yes/IPV6=no/' /etc/default/ufw # Enable firewall ufw --force enable ``` -------------------------------- ### Log in to Steam Account with SteamCMD (Bash) Source: https://community.hetzner.com/tutorials/game-server-cs2 Logs into a specified Steam account using SteamCMD. This step is necessary before generating a Game Server Login Token (GSLT) or downloading specific game content that requires authentication. ```bash steamcmd +login YOUR_STEAM_USERNAME ``` -------------------------------- ### Start CrowdSec Container Source: https://community.hetzner.com/tutorials/coolify-crowdsec-traefik-supavisor-protection Starts the CrowdSec Docker container in detached mode after navigating to the Docker Compose file directory. Allow approximately 30 seconds for initialization. ```bash cd /opt/crowdsec docker compose up -d ``` -------------------------------- ### Verify UFW Firewall Status with Bash Source: https://community.hetzner.com/tutorials/coolify-supabase-deploy Displays the verbose status of the Uncomplicated Firewall (UFW), showing active rules and settings. This command is used to confirm the firewall configuration. ```bash ufw status verbose ``` -------------------------------- ### Generate ED25519 SSH Key Source: https://community.hetzner.com/tutorials/install-almalinux-10-with-full-disk-encryption Generates an ED25519 SSH key pair on your local system. This key is used for both remote unlocking of the encrypted disk during boot and for logging into the installed system. ```bash ssh-keygen -t ed25519 ``` -------------------------------- ### Create phpinfo file for verification Source: https://community.hetzner.com/tutorials/wordpress-increase-php-limits This command creates a temporary phpinfo.php file in the web root to verify PHP settings. It outputs detailed information about the current PHP configuration. ```bash echo "/dev/null ``` -------------------------------- ### Install cert-manager using Helm Source: https://community.hetzner.com/tutorials/cert-manager-hetzner-cloud-dns-webhook Installs cert-manager, a Kubernetes add-on for automated TLS certificate management, using the Jetstack Helm repository. It requires Helm v3.16+ and enables Custom Resource Definitions (CRDs). ```bash helm repo add jetstack https://charts.jetstack.io helm repo update helm install cert-manager jetstack/cert-manager \ --namespace cert-manager \ --create-namespace \ --set crds.enabled=true ``` -------------------------------- ### Connect to Server via SSH Source: https://community.hetzner.com/tutorials/game-server-cs2 This command demonstrates how to establish an SSH connection to your server. Replace 'YOUR_SERVER_IP' with the actual IP address of your virtual private server. This is the primary method for remote server management. ```bash ssh root@YOUR_SERVER_IP ``` -------------------------------- ### Connect to Hetzner Server via SSH Source: https://community.hetzner.com/tutorials/coolify-supabase-deploy Connect to your newly provisioned Hetzner Cloud server using SSH. This command assumes you have root access and the server's public IP address. Ensure your SSH client is configured correctly. ```bash ssh root@ ``` -------------------------------- ### Copy SSH Public Key to Server Source: https://community.hetzner.com/tutorials/install-almalinux-10-with-full-disk-encryption Copies the generated SSH public key from your local machine to the Hetzner Rescue System server. This key will be used by the installation process to set up remote access for unlocking the encrypted root partition. ```bash scp ~/.ssh/id_ed25519.pub root@:/tmp/authorized_keys ``` -------------------------------- ### Switch to Steam User (Bash) Source: https://community.hetzner.com/tutorials/game-server-cs2 Switches the current user session to the newly created 'steam' user. This is necessary to perform subsequent operations as the dedicated game server user. ```bash su - steam ``` -------------------------------- ### Create SSL Directory Source: https://community.hetzner.com/tutorials/coolify-supabase-postgresql-ssl-hardening Creates the directory where SSL certificates and keys will be stored. This command ensures the target directory exists before proceeding with certificate generation. ```bash mkdir -p "${SSL_DIR}" ``` -------------------------------- ### Verify cert-manager Pods Source: https://community.hetzner.com/tutorials/cert-manager-hetzner-cloud-dns-webhook Checks the status of cert-manager pods in the Kubernetes cluster to ensure they are running. This is a verification step after installation. ```bash kubectl get pods -n cert-manager ``` -------------------------------- ### Locate WordPress Root Directory Source: https://community.hetzner.com/tutorials/wordpress-increase-php-limits Navigates to the common WordPress root directory and lists its contents to verify the installation. If not found, it provides a command to search for the wp-config.php file. ```bash cd /var/www/html ls -la sudo find /var/www -type f -name wp-config.php 2>/dev/null ``` -------------------------------- ### Verify Docker Compose Service Status Source: https://community.hetzner.com/tutorials/coolify-crowdsec-prometheus-grafana-monitoring This command lists the status of services managed by Docker Compose. It is used to confirm that all containers in the monitoring stack have started successfully and are running as expected. ```bash docker compose ps ``` -------------------------------- ### Download CS2 Server Files using SteamCMD (Bash) Source: https://community.hetzner.com/tutorials/game-server-cs2 Creates a directory for the CS2 server files and then uses SteamCMD to download and validate the game server files (App ID 730). This command ensures you have the latest version of the CS2 dedicated server. ```bash mkdir -p ~/cs2-server && cd ~/cs2-server steamcmd +login anonymous +force_install_dir ~/cs2-server +app_update 730 validate +quit ``` -------------------------------- ### Create Staging ClusterIssuer for Let's Encrypt Testing Source: https://community.hetzner.com/tutorials/cert-manager-hetzner-cloud-dns-webhook Configures a ClusterIssuer for Let's Encrypt's staging environment, useful for testing certificate issuance without hitting production rate limits. ```yaml apiVersion: cert-manager.io/v1 kind: ClusterIssuer metadata: name: letsencrypt-staging spec: acme: server: https://acme-staging-v02.api.letsencrypt.org/directory email: mail@example.com privateKeySecretRef: name: letsencrypt-staging-account-key solvers: - dns01: webhook: groupName: acme.hetzner.com solverName: hetzner config: tokenSecretKeyRef: name: hetzner-secret key: api-token ``` -------------------------------- ### Unlock Encrypted Root Partition Source: https://community.hetzner.com/tutorials/install-ubuntu-2404-with-full-disk-encryption This command is executed after connecting via Dropbear SSH to unlock the encrypted root partition. The user will be prompted to enter the password previously set in `/tmp/setup.conf` for `CRYPTPASSWORD`. ```bash cryptroot-unlock ``` -------------------------------- ### Configure Traefik Commands for Logging and DNS Challenge Source: https://community.hetzner.com/tutorials/coolify-supabase-deploy Configures Traefik to enable access logging and use DNS challenge for SSL certificates via Namecheap. This snippet is added to the Traefik command arguments in Coolify. ```yaml command: - "--accesslog=true" - "--accesslog.filepath=/var/log/traefik/access.log" - "--certificatesresolvers.letsencrypt.acme.dnschallenge=true" - "--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=namecheap" - "--certificatesresolvers.letsencrypt.acme.dnschallenge.delaybeforecheck=30" - "--certificatesresolvers.letsencrypt.acme.email=" ``` -------------------------------- ### Manage CrowdSec Collections and Updates Source: https://community.hetzner.com/tutorials/coolify-crowdsec-traefik-supavisor-protection Commands for managing CrowdSec's threat intelligence and configuration. List installed collections, update threat definitions, and debug log parsing to ensure optimal protection. ```bash docker exec crowdsec cscli collections list ``` ```bash docker exec crowdsec cscli hub update ``` ```bash docker exec crowdsec cscli explain --log "..." --type traefik ``` -------------------------------- ### Manage CrowdSec Decisions (Bans) Source: https://community.hetzner.com/tutorials/coolify-crowdsec-traefik-supavisor-protection Commands to interact with CrowdSec's decision system, allowing you to manually add, list, and remove IP bans. This is useful for testing the setup or managing specific IPs. ```bash docker exec crowdsec cscli decisions add --ip 192.0.2.1 --duration 5m --type ban ``` ```bash docker exec crowdsec cscli decisions list ``` ```bash docker exec crowdsec cscli decisions delete --ip 192.0.2.1 ``` -------------------------------- ### Get PostgreSQL User ID Source: https://community.hetzner.com/tutorials/coolify-supabase-postgresql-ssl-hardening Retrieves the user ID (UID) and group ID (GID) of the 'postgres' user within the Supabase PostgreSQL Docker image. This information is necessary to set the correct ownership for the SSL key file. ```bash docker run --rm supabase/postgres:15.8.1.048 id postgres ``` -------------------------------- ### Backup WordPress Configuration Files Source: https://community.hetzner.com/tutorials/wordpress-increase-php-limits Creates backup copies of the wp-config.php and .htaccess files before making modifications. This ensures that you can revert to previous settings if necessary. ```bash sudo cp -a wp-config.php wp-config.php.bak.$(date +%F) test -f .htaccess && sudo cp -a .htaccess .htaccess.bak.$(date +%F) ``` -------------------------------- ### Connect to Server via SSH (Port 22) Source: https://community.hetzner.com/tutorials/install-almalinux-10-with-full-disk-encryption This command connects to the server on the default SSH port 22 after the encrypted partitions have been successfully unlocked. This allows access to the fully booted system. Replace '' with your server's IP address or hostname. ```bash ssh -p 22 root@ ``` -------------------------------- ### Enable Apache Site and Reload Configuration Source: https://community.hetzner.com/tutorials/hetzner-ddns-bridge Enables the newly created Apache site configuration and reloads the Apache service to apply the changes. Includes a configuration test to ensure syntax is correct. ```bash sudo a2ensite hetzner-ddns sudo apachectl configtest sudo systemctl reload apache2 ```