I do a lot of my day-to-day development work on a Linux VPS in the cloud. This lets me, say, run very taxing Rails projects without thrashing my laptop.
For this, I use the same OS as I use on my workstation: Arch Linux! In this article, I'll show you what I did to set up my on-the-cloud development box.
There are 3 providers I can suggest. They more or less have the same offerings; pick one that has the best latency to/from where you live and where you work.
Create your everyday user. For me, that's rsc, but change that as you need. You'll also want to set up sudo, of course, so let's do that.
```shell
# As root, add the user
useradd -Nm -g users -G wheel,sys rsc
passwd rsc

# Might as well change the root password.
# Later, you can use `su` to elevate your permissions.
passwd
```
Make sure you can connect to it! After doing this, you can start connecting to your devbox via SSH, and do the rest of this setup via SSH.
```shell
# Let's assume the user `rsc`, if
# you're not that user yet.
su rsc

# Add ssh authorized key to ~/.ssh/authorized_keys
# (a freshly created user has no ~/.ssh yet, so create it first)
mkdir -p ~/.ssh
chmod 700 ~/.ssh
echo "ssh-rsa AAAAAHHLOLPUTYOURKEYHERE" | tee -a ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys

# Generate our own key for later use
ssh-keygen
```
Arch Linux has no sudo by default. You can use the built-in su, but sudo is much more convenient.
```shell
# Set up sudo
pacman -Syu sudo
echo "%wheel ALL=(ALL) NOPASSWD: ALL" | EDITOR="tee -a" visudo
```
Install the packages you'd use on a day-to-day basis. Protip: mosh is a great way to connect to your devbox.
```shell
sudo pacman -Syu \
  base-devel git mosh \
  yarn nodejs tmux fish exa vim neovim \
  fzf tig the_silver_searcher
```
Set up OpenVPN. I'm using the installer script Angristan/OpenVPN-install, which will set up everything for you: OpenVPN, certificates, iptables, generating .ovpn files, and so on.
We'll be using Uncomplicated Firewall to set up rules. We only want to expose 3 things to the outside world: SSH, Mosh, and OpenVPN.
```shell
sudo pacman -Syu ufw
```
Let's set up some rules. We want to restrict incoming connections, and allow internal traffic to flow freely.
```shell
# UFW firewall rules: allow some internal traffic
sudo ufw default deny
sudo ufw allow from 10.8.0.0/24              # vpn network
sudo ufw route allow in on tun0 out on tun0  # don't block peer-to-peer
```
Enable the services that you want accessible outside the VPN.
```shell
# Allow some services
sudo ufw limit ssh
sudo ufw allow mosh
```
You will need to add some overrides in /etc/ufw/after.rules. See this article for more info: Solving ufw and Docker issues.
```shell
# Read the linked article for the edits
# you will need to make here.
sudo vim /etc/ufw/after.rules

# As mentioned in the article above, you can open
# certain ports to the outside world using:
# (don't do this if you don't plan to open a webserver)
sudo ufw route allow proto tcp from any to any port 80
sudo ufw route allow proto tcp from any to any port 443
```
Start and enable your firewall.
Use fail2ban to block SSH access for anyone who repeatedly tries to log in and fails.
```shell
sudo pacman -Syu fail2ban
```
Configure fail2ban to "jail" sshd connections. This shuts off SSH access for IPs that try to log in and fail.

```ini
[sshd]
enabled = true
```
Start fail2ban and auto-start it on boot.
```shell
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
```
You can use NFS to access your files from within the VPN. In this example, we'll be sharing /home/rsc/Dev via NFS.
```shell
# Install nfs client and server (do this for your workstation too!)
sudo pacman -Syu nfs-utils
```
Add a mount point. We'll be serving things from /srv via NFS.
```shell
# The bind mount needs an existing target directory
sudo mkdir -p /srv/Dev
sudo mount --bind /home/rsc/Dev /srv/Dev
```
Edit fstab to auto-mount this path on every boot up.
```shell
sudo vim /etc/fstab
```

```
/home/rsc/Dev /srv/Dev none rw,bind 0 0
```
Edit nfs config to export this path.
```shell
sudo vim /etc/exports
```

Make the changes to /etc/exports take effect.
```shell
sudo exportfs -arv
```
Start and enable server.
```shell
sudo systemctl enable nfs-server
sudo systemctl start nfs-server
```
Secure your SSH server by disabling root login, and only allowing SSH keys.
```shell
# The server's config file is sshd_config (not sshd_server)
sudo vim /etc/ssh/sshd_config
```

```
PermitRootLogin no
PasswordAuthentication no
```
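One caveat worth checking: sshd honours the first occurrence of a directive, so a `PasswordAuthentication no` added at the bottom of a file that already says `yes` higher up does nothing, and directives inside a `Match` block only apply conditionally. The following is an added example (not from the original post) that reads an sshd_config-style file the way sshd does and reports whether the two settings above are actually in force; the sample configs it checks are constructed here.

```shell
#!/bin/sh
# Added example: verify that an sshd_config file really enforces
# "PermitRootLogin no" and "PasswordAuthentication no".

# Print the effective global value of a directive: the FIRST occurrence
# before any Match block wins, exactly as in sshd. If the file never sets
# it, print the supplied default.
sshd_effective() { # $1=config file  $2=directive  $3=default
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        { sub(/#.*/, "") }                  # strip comments
        NF == 0 { next }                    # skip blank lines
        tolower($1) == "match" { exit }     # conditional section: stop here
        tolower($1) == key { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# Return 0 if both hardening settings are in force, 1 otherwise.
# Defaults follow OpenSSH: PermitRootLogin defaults to prohibit-password,
# PasswordAuthentication defaults to yes.
sshd_is_hardened() { # $1=config file
    root=$(sshd_effective "$1" PermitRootLogin prohibit-password)
    pw=$(sshd_effective "$1" PasswordAuthentication yes)
    [ "$root" = "no" ] && [ "$pw" = "no" ]
}

# Demo on two constructed configs (not real hosts): the second one looks
# hardened at first glance, but the earlier "yes" is what sshd will use.
good=$(mktemp); bad=$(mktemp)
printf 'PermitRootLogin no\nPasswordAuthentication no\n' > "$good"
printf 'PasswordAuthentication yes\n# hardening\nPermitRootLogin no\nPasswordAuthentication no\n' > "$bad"
for f in "$good" "$bad"; do
    if sshd_is_hardened "$f"; then echo "$f: hardened"; else echo "$f: NOT hardened"; fi
done
rm -f "$good" "$bad"
```

On the box itself, `sudo sshd -T | grep -iE 'permitrootlogin|passwordauthentication'` prints the values sshd computed after resolving Include and Match, which is the authoritative check.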
Here are some other suggestions.
```shell
# Install for puppeteer
yay chromium

# Change default shell
chsh -s /usr/bin/fish
```
On your laptop, it'd make sense to add the devbox IP to your

```
# hosts-file format: IP address first, then the name.
# The local one works if you're connected to the VPN.
# Use this when accessing resources, eg `http://devbox.local:4000/`
10.8.0.1       devbox.local
# The remote one is the public IP address.
# Use this when connecting via mosh or ssh
18.104.22.168  devbox.remote
```
Set up an alias so you only have to type A to attach to your working session.
```shell
# for fish (type this in a shell)
abbr A 'mosh --experimental-remote-ip=remote rsc@devbox.remote -- sh -c "tmux attach || tmux"'

# or bash/zsh (add to your .bashrc or .zshrc)
alias A='mosh --experimental-remote-ip=remote rsc@devbox.remote -- sh -c "tmux attach || tmux"'
```
You can mount the NFS volumes. (Be sure to turn off Git prompts in your shell here; they get slow over NFS.)
```shell
# You also need nfs-utils on the client side
sudo pacman -Syu nfs-utils

# Mount into `/Devbox`
sudo mkdir -p /Devbox
sudo chown -R "$(whoami)" /Devbox
sudo mount -v devbox.local:/srv /Devbox
```