Deploying a Droplet with DigitalOcean
February 14, 2022
Overview
A Droplet is a simple, scalable, Linux-based virtual machine from DigitalOcean. Each Droplet provides a server that is configured based on performance requirements, memory and storage capacity and data center regions.
Install and Authenticate the Command-line Tool
Droplets can be created using the browser-based control panel or using the DigitalOcean command line tool (doctl). To install doctl on a Mac:
brew install doctl
To view installation options for other operating systems, see the installation instructions.
Generate an API Personal Access Token
You will need a personal access token to authenticate your account and gain access to the DigitalOcean API. To do so, navigate to the API page on your DigitalOcean account and select the Generate New Token button. You will be prompted to enter a name for the token and will then need to provide read and write access. When the token is generated, make sure to save the value for future reference.
Authenticate your DigitalOcean Account
Create an authentication context to authenticate your account (following this, you will be prompted to enter your token).
doctl auth init --context <auth_name>
To view the authentication contexts and switch between accounts:
doctl auth list
doctl auth switch --context <auth_name>
To validate that doctl is working, review your account details:
doctl account get
Upload an SSH Key
When connecting to a Droplet, you will need to provide an SSH key for authentication. Check if you currently have an SSH key (usually located in ~/.ssh/). If there are no SSH keys available, create a new one using OpenSSH (you may specify the desired algorithm and the key size):
ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa
For further information on setting up an SSH key, have a look at Setting up an SSH Key Between a Client and Server.
To upload the SSH key to DigitalOcean:
doctl compute ssh-key import <key_name> --public-key-file ~/.ssh/id_rsa.pub
To view all SSH key details:
doctl compute ssh-key list
This will return the ID, name and fingerprint of all SSH keys from your account. The fingerprint is particularly important as it will be used when configuring your Droplet.
Create a Cloud Firewall
Firewalls help protect your servers from external attacks carried out by other machines on the network.
Create a firewall with the recommended configuration:
doctl compute firewall create \
--name "inbound-ssh-only" \
--tag-names <tag_name> \
--inbound-rules "protocol:tcp,ports:22,address:0.0.0.0/0" \
--outbound-rules "protocol:icmp,address:0.0.0.0/0,address:::/0 protocol:tcp,ports:all,address:0.0.0.0/0,address:::/0 protocol:udp,ports:all,address:0.0.0.0/0,address:::/0"
- restrict all inbound traffic except for SSH connections to the Droplet on port 22
- allow all outbound traffic to any destination on any port
To view all firewall details:
doctl compute firewall list
When creating a Droplet, the <tag_name> set for the Droplet must match the <tag_name> set for the firewall rule. All Droplets with a tag that matches that of a firewall rule will have that rule applied automatically.
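Because a firewall only reaches a Droplet through a matching tag, a Droplet with a mistyped or missing tag silently ends up with no cloud firewall at all. The following audit is an added example (not part of the original post or of doctl): it takes the JSON that doctl prints with the --output json flag for the firewall and Droplet lists, reports Droplets that no firewall covers, and lists inbound rules that go beyond tcp/22. The sample JSON is constructed here, and its field names (tags, inbound_rules, sources.addresses) are an assumption about the DigitalOcean API shape.

```python
import json

# Constructed samples standing in for `doctl compute firewall list --output json`
# and `doctl compute droplet list --output json`. Field names are an assumption
# about the DigitalOcean API v2 schema, not taken from the original post.
FIREWALLS_JSON = """[
  {"id": "fw-1", "name": "inbound-ssh-only", "tags": ["web"],
   "inbound_rules": [
     {"protocol": "tcp", "ports": "22", "sources": {"addresses": ["0.0.0.0/0"]}}
   ]},
  {"id": "fw-2", "name": "too-open", "tags": ["db"],
   "inbound_rules": [
     {"protocol": "tcp", "ports": "22", "sources": {"addresses": ["203.0.113.0/24"]}},
     {"protocol": "tcp", "ports": "3306", "sources": {"addresses": ["0.0.0.0/0", "::/0"]}}
   ]}
]"""
DROPLETS_JSON = """[
  {"id": 1, "name": "web-1", "tags": ["web"]},
  {"id": 2, "name": "db-1", "tags": ["db"]},
  {"id": 3, "name": "orphan", "tags": ["wbe"]}
]"""


def uncovered_droplets(firewalls, droplets):
    """Droplets whose tags match no firewall tag: no cloud firewall applies to them."""
    covered = {t for fw in firewalls for t in fw.get("tags", [])}
    return [d["name"] for d in droplets if not covered & set(d.get("tags", []))]


def non_ssh_inbound(firewalls):
    """Inbound rules other than tcp/22, i.e. anything beyond the SSH-only baseline."""
    findings = []
    for fw in firewalls:
        for rule in fw.get("inbound_rules", []):
            if rule["protocol"] == "tcp" and rule["ports"] == "22":
                continue
            srcs = ",".join(rule.get("sources", {}).get("addresses", []))
            findings.append(f"{fw['name']}: {rule['protocol']}/{rule['ports']} from {srcs}")
    return findings


def audit(firewalls_json, droplets_json):
    """Parse both doctl JSON listings and return the two sets of findings."""
    firewalls = json.loads(firewalls_json)
    droplets = json.loads(droplets_json)
    return {"uncovered": uncovered_droplets(firewalls, droplets),
            "non_ssh_inbound": non_ssh_inbound(firewalls)}


if __name__ == "__main__":
    for name, items in audit(FIREWALLS_JSON, DROPLETS_JSON).items():
        print(name, items)
```

Run it against real output by replacing the two constants with the files saved from the doctl commands in the lead-in.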
Create a Droplet
DigitalOcean has a recommended configuration for Droplets that enables several features, including VPC (private networking), IPv6, monitoring, and various authentication safeguards (which are performed at first boot). All of these settings can be set using doctl.
Before creating a Droplet, you will need to create a cloud-config script locally. The file below is a template from DigitalOcean which contains various authentication safeguards that will be performed at first boot.
#!/bin/bash
set -euo pipefail
USERNAME=<username> # the sudo non-root username
# Create user and immediately expire password to force a change on login
useradd --create-home --shell "/bin/bash" --groups sudo "${USERNAME}"
passwd --delete "${USERNAME}"
chage --lastday 0 "${USERNAME}"
# Create SSH directory for sudo user and move keys over
home_directory="$(eval echo ~${USERNAME})"
mkdir --parents "${home_directory}/.ssh"
cp /root/.ssh/authorized_keys "${home_directory}/.ssh"
chmod 0700 "${home_directory}/.ssh"
chmod 0600 "${home_directory}/.ssh/authorized_keys"
chown --recursive "${USERNAME}":"${USERNAME}" "${home_directory}/.ssh"
# Disable root SSH login with password
sed --in-place 's/^PermitRootLogin.*/PermitRootLogin prohibit-password/g' /etc/ssh/sshd_config
if sshd -t -q; then systemctl restart sshd; fi
Create a Droplet with the recommended configuration:
doctl compute droplet create <droplet_name> \
--image ubuntu-20-04-x64 \
--size s-1vcpu-1gb \
--region nyc3 \
--ssh-keys <ssh_fingerprint> \
--user-data-file <cloud_config_path> \
--tag-names <tag_name> \
--enable-ipv6 \
--enable-monitoring \
--enable-private-networking \
--enable-backups
- image (required)
- size (required)
- region (required)
- ssh-keys - the fingerprint of the SSH key used to authenticate to the Droplet (use doctl compute ssh-key list to view all SSH keys)
- user-data-file - the path to the cloud-config script (you can customise where you want to store this file)
- tag-names - a tag name applied to the Droplet (which may be used to assign a firewall rule)
- enable-ipv6 - enables IPv6 support and assigns an IPv6 address
- enable-monitoring - installs the DigitalOcean agent for additional monitoring
- enable-private-networking - enables private networking for the Droplet by provisioning it inside your account's default VPC for the region
- enable-backups - enables backups for the Droplet
To view all Droplet details:
doctl compute droplet list
To view all Droplet details in a custom format:
doctl compute droplet list --format "ID,Name,PublicIPv4,Status"
Creating Future Droplets
When you create future Droplets, you only need to specify the Droplet configuration that you want to deploy. You do not need to repeat the initial steps of installing and authenticating the command-line tool, uploading an SSH key or creating a cloud firewall.
All you need to do is create a Droplet with the desired configuration:
doctl compute droplet create <droplet_name> \
--image ubuntu-20-04-x64 \
--size s-1vcpu-1gb \
--region nyc3 \
--ssh-keys <ssh_fingerprint> \
--user-data-file <cloud_config_path> \
--tag-names <tag_name> \
--enable-ipv6 \
--enable-monitoring \
--enable-private-networking \
--enable-backups