# Common Commands for Server Operation and Maintenance

## Initialization

Maria:

```bash
# credential.helper store keeps credentials in plain text in ~/.git-credentials
git config --global credential.helper store && git clone https://github.com/cattomgithub/maria.git
cd maria/script && chmod +x *.sh && ./maria.sh
```

## Modify the SSH configuration

First, start the SSH service:

```bash
sudo systemctl enable ssh && sudo systemctl restart ssh && sudo systemctl status ssh
```

Next, generate and configure the SSH key. Open a terminal on CatTomServer3-1 and run:

```bash
ssh-keygen -m PEM -t rsa -b 4096 -C "[username]@[server_ip]" -f ~/.ssh/[server_name]
ssh-copy-id -i /home/cattom/.ssh/[server_name].pub root@[server_ip]
```

Finally, edit `/etc/ssh/sshd_config`:

- Port 22 → **Port 25800**
- PermitRootLogin **prohibit-password** (uncomment this line)
- PasswordAuthentication yes → PasswordAuthentication **no**
- (Optional) PubkeyAuthentication **yes**

Restart the SSH service to apply the configuration: `sudo systemctl restart ssh`

## Restore backup files/directories (optional)

```bash
cd /root || exit
wget -c https://cattom.oss-cn-shenzhen.aliyuncs.com/[server_name]/backup/[file_name].tar.gz
tar -zxvf [file_name].tar.gz
sudo rm [file_name].tar.gz
```

## Install applications (as needed)

### Traefik

Check [Releases - traefik/traefik](https://github.com/traefik/traefik/releases/latest) for the latest version.

```bash
mkdir -p /root/traefik
cd /root/traefik || exit
# acme.json holds the certificate private keys, so it must be readable by the owner only
touch acme.json && chmod 600 acme.json
wget -c [link]
tar -zxvf [file_name] && rm [file_name] LICENSE.md CHANGELOG.md && mv traefik /usr/local/bin/traefik
ln -s /root/maria/config/traefik/static.yaml /root/traefik/static.yaml
ln -s /root/maria/config/"${SERVER}"/traefik.yaml /root/traefik/dynamic.yaml
ln -s /root/maria/config/systemd/traefik.service /etc/systemd/system/traefik.service && sudo systemctl daemon-reload
sudo systemctl enable traefik.service && sudo systemctl restart traefik.service
```

### Alibaba Cloud CLI

**Note: go to [RAM Access Control](https://ram.console.aliyun.com/) and generate an AccessKey according to your business needs.**

```bash
cd /root || exit
/bin/bash -c "$(curl -fsSL https://aliyuncli.alicdn.com/install.sh)"
aliyun configure set --profile profile1 --mode AK --access-key-id [AccessKeyID] --access-key-secret [AccessKeySecret] --region "cn-shenzhen"
```

The Alibaba Cloud CLI now integrates ossutil. Examples:

```bash
# Example 1
aliyun ossutil sync /root/backup/ "oss://cattom/${SERVER}/backup/" --force --update --delete -e oss-cn-shenzhen.aliyuncs.com
# Example 2
aliyun ossutil sync /root/blog/site oss://cattom-blog --force --update --delete --region cn-hongkong
```

### Flexget

Install Flexget:

```bash
cd /root || exit
sudo apt -y install python3 python3-full python3-pip python3.12-venv
python3 -m venv /root/flexget/
/root/flexget/bin/pip install --upgrade pip setuptools
/root/flexget/bin/pip install flexget
```

Test the configuration and start the background daemon:

```bash
sudo ln -s /root/maria/config/flexget/config.yml /root/flexget/config.yml
/root/flexget/bin/flexget -c /root/flexget/config.yml --test execute
/root/flexget/bin/flexget -c /root/flexget/config.yml daemon start -d --autoreload-config
```

Start automatically at boot:

```bash
(
    crontab -u "$(whoami)" -l
    echo "@reboot /root/flexget/bin/flexget -c /root/flexget/config.yml daemon start -d --autoreload-config"
) | crontab -u "$(whoami)" -
```

Configure an alias:

```bash
echo 'alias flexget="/root/flexget/bin/flexget -c /root/flexget/config.yml"' >> /root/.bashrc
```

## Configure the firewall

!!! warning "Note"

    Connections that go through Tailscale do not need to be allowed in UFW.

    Ports in Docker Compose files that do not define a specific listen address do not need to be allowed in UFW.

Maria non-standard open ports:

| Server | Port  | Source IP/range | Destination IP/range | Protocol |        Notes        |
| :----: | :---: | :-------------: | :------------------: | :------: | :-----------------: |
|   2    | 7100  |        /        |          /           |    /     | Frps listening port |
|   2    | 18080 |    127.0.0.1    |          /           |    /     |      Bitwarden      |
|   2    | 5230  |    127.0.0.1    |          /           |    /     |        Memos        |
|   2    | 3002  |    127.0.0.1    |          /           |    /     |      Homepage       |
|   2    | 3100  |    127.0.0.1    |          /           |    /     |        Gitea        |
|   2    | 25801 |    127.0.0.1    |          /           |    /     |      Gitea SSH      |

| Server | Port | Source IP/range | Destination IP/range | Protocol |       Notes        |
| :----: | :--: | :-------------: | :------------------: | :------: | :----------------: |
|   3    | 6800 |    127.0.0.1    |          /           |    /     |     Aria2 RPC      |
|   3    | 6888 |        /        |          /           |    /     |      Aria2 BT      |
|   3    | 6888 |        /        |          /           |   UDP    |      Aria2 BT      |
|   3    | 9100 |  100.64.0.0/10  |          /           |    /     | Node Exporter [^1] |

[^1]: On server 3, Prometheus runs inside a container while Node Exporter runs on the host, so this rule must be kept for the two to stay connected.

```bash
# Reset the firewall
sudo ufw reset
# Set the default policies
sudo ufw default allow outgoing # Allow all outbound traffic by default
sudo ufw default deny incoming # Deny all inbound traffic by default
```

```bash
# SSH
sudo ufw allow 25800
# Web
sudo ufw allow 80 && sudo ufw allow 443
# Example 1
sudo ufw allow 7100
# Example 2
sudo ufw allow from 127.0.0.1 to any port 18080
# Example 3
sudo ufw allow 6888/udp
```

```bash
# Enable logging
sudo ufw logging medium
# List the open ports
sudo ufw status numbered
# Enable the firewall
sudo ufw enable
```

## Load the Docker containers

```bash
sudo docker compose -f /root/maria/config/"${SERVER}"/docker-compose.yml pull
sudo docker compose -f /root/maria/config/"${SERVER}"/docker-compose.yml up -d --remove-orphans
sudo docker system prune -f # Optional
sudo systemctl restart traefik
```

## Configure automatic backups (optional)

```bash
(
    crontab -u "$(whoami)" -l
    echo "0 6 * * * /root/maria/script/backup.sh"
) | crontab -u "$(whoami)" -
```

## Open a terminal inside a Docker container

```bash
sudo docker exec -it [container_name] /bin/bash
# Or
sudo docker exec -it [container_name] /bin/sh
```

## NFS configuration

```bash
# Install
sudo apt -y update && sudo apt -y install nfs-kernel-server nfs-common
# Modify firewall on host
sudo ufw allow from [client_ip] to any port nfs
# Create mount point on client
sudo mkdir -p [/path/on/client]
# Mount directories on client
sudo mount [host_ip]:[/path/on/host] [/path/on/client]
# Check stats on client
sudo df -h
# Mount the directories at boot
# (tee runs as root; with "sudo echo ... >> /etc/fstab" the redirection is done by the unprivileged shell)
echo "[host_ip]:[/path/on/host] [/path/on/client] nfs auto,nofail,noatime,nolock,intr,tcp,actimeo=1800 0 0" | sudo tee -a /etc/fstab
# Unmount NFS
sudo umount [/path/on/client]
```
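
For the `/etc/ssh/sshd_config` changes listed in the SSH section above, the following added example (not part of the original page or of the Maria repository) checks a config file, or saved `sshd -T` output, against those four values. The function names and the sample file are assumptions of this example; the fallback values are OpenSSH's upstream defaults.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): audit sshd "keyword value"
# lines against the four settings listed in the SSH section above.

# first_value FILE KEYWORD DEFAULT
# sshd keeps the first occurrence of a keyword; keywords are case-insensitive.
# Only the global section is read: parsing stops at the first Match block.
first_value() {
    awk -v key="$2" -v def="$3" '
        NF == 0 || $1 ~ /^#/        { next }
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) { v = tolower($2); exit }
        END { print (v == "" ? def : v) }
    ' "$1"
}

# audit_sshd FILE: prints one line per deviation; exit status = deviation count.
# The body is a subshell "( )" so its variables stay local in any POSIX shell.
audit_sshd() (
    bad=0
    # Columns: keyword, value the page asks for, OpenSSH default if unset.
    while read -r key want def; do
        got=$(first_value "$1" "$key" "$def")
        # without-password is the deprecated alias of prohibit-password.
        case $got in without-password) got=prohibit-password ;; esac
        if [ "$got" != "$want" ]; then
            echo "FAIL $key: effective '$got', expected '$want'"
            bad=$((bad + 1))
        fi
    done <<'EOF'
Port 25800 22
PermitRootLogin prohibit-password prohibit-password
PasswordAuthentication no yes
PubkeyAuthentication yes yes
EOF
    # Include is not followed; a drop-in read earlier can win over this file.
    if grep -Eiq '^[[:space:]]*Include[[:space:]]' "$1"; then
        echo "WARN Include found: drop-in files may set these keywords first"
    fi
    exit "$bad"
)

# Constructed sample: the port was changed, but a later "no" line cannot
# override the earlier "PasswordAuthentication yes".
sample=$(mktemp)
printf '%s\n' '#Port 22' 'Port 25800' 'PasswordAuthentication yes' \
    'PasswordAuthentication no' '#PermitRootLogin prohibit-password' > "$sample"
audit_sshd "$sample" || echo "deviations: $?"
rm -f "$sample"
```

Run `sudo sshd -t` before `sudo systemctl restart ssh` to catch syntax errors, and keep the current session open until a new key-based login on port 25800 succeeds.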