blog/docs/tech/Commands-for-Server-Operation-and-Maintenance.md
Cat Tom 4296ac1287
fix some bugs in some mds
2026-03-13 16:56:18 +08:00
# Common Commands for Server Operation and Maintenance
## Initialization
### Maria
**Push the GitHub private key**:
``` bash
# Run on CatTomServer1
rsync -avP /home/cattom/.ssh/cattomgithub [server_id]:/root/.ssh/
# Specify the username and IP
rsync -avP /home/cattom/.ssh/cattomgithub root@[server_ip]:/root/.ssh/
# Specify the port, private key, username and IP
rsync -avP -e 'ssh -p 25800 -i /home/cattom/.ssh/Maria' /home/cattom/.ssh/cattomgithub root@[server_ip]:/root/.ssh/
```
**Edit the SSH client configuration**:
``` bash
sudo nano ~/.ssh/config
```
``` title="~/.ssh/config"
Host github.com
HostName ssh.github.com
User git
Port 443
PreferredAuthentications publickey
IdentityFile "~/.ssh/cattomgithub"
```
Test that the connection works: `ssh -T git@github.com`
**Clone the Maria repository**:
``` bash
git clone git@github.com:cattomgithub/maria.git
cd maria/script && chmod +x *.sh && ./maria.sh
```
### HomeLab
**Push the Gitea private key**:
``` bash
# Run on CatTomServer1
rsync -avP /home/cattom/.ssh/cattom-gitea [server_id]:/home/cattom/.ssh/
# Specify the username and IP
rsync -avP /home/cattom/.ssh/cattom-gitea root@[server_ip]:/home/cattom/.ssh/
# Specify the port, private key, username and IP
rsync -avP -e 'ssh -p 25800 -i /home/cattom/.ssh/CatTomServer' /home/cattom/.ssh/cattom-gitea root@[server_ip]:/home/cattom/.ssh/
```
**Edit the SSH client configuration**:
``` bash
sudo nano ~/.ssh/config
```
``` title="~/.ssh/config"
Host gitea.cattom.site
HostName gitea.cattom.site
User git
Port 25801
PreferredAuthentications publickey
IdentityFile "~/.ssh/cattom-gitea"
```
Test that the connection works: `ssh -T git@gitea.cattom.site`
**Clone the HomeLab repository**:
``` bash
git clone git@gitea.cattom.site:cattom/HomeLab.git
cd HomeLab && chmod +x *.sh && ./Ini.sh
```
## Modify the SSH Configuration
**Start the SSH service**:
``` bash
sudo systemctl enable ssh && sudo systemctl restart ssh && sudo systemctl status ssh
```
**Configure SSH keys**: run from the CatTomServer1 terminal
``` bash
# Maria
ssh-copy-id -i /home/cattom/.ssh/Maria.pub root@[server_ip]
# HomeLab
ssh-copy-id -i /home/cattom/.ssh/CatTomServer.pub cattom@[server_ip]
# Specify the port
ssh-copy-id -p 25800 ...
```
**Edit the SSH daemon configuration**:
``` bash
sudo nano /etc/ssh/sshd_config
```
- Port 22 → **Port 25800**
- PermitRootLogin **prohibit-password** (uncomment this line)
- PasswordAuthentication yes → PasswordAuthentication **no**
- (Optional) PubkeyAuthentication **yes**
Restart the SSH service to apply the new configuration: `sudo systemctl restart ssh`
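As an added example that is not part of the original page, the script below applies the four `sshd_config` edits just listed to a configuration file idempotently and reads values back the way sshd resolves them (first occurrence wins), so the result can be checked before the daemon is restarted. It only touches the file path you hand it; `demo` works on a constructed temporary copy, and the function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: apply the four sshd_config
# changes listed above to a config file idempotently, then read values back
# the way sshd resolves them (first active occurrence wins). Operates only on
# the file path passed in; the demo uses a constructed temporary copy.

# set_sshd_option FILE KEY VALUE
# Rewrites every "Key ..." line (commented out or not) as "KEY VALUE", or
# appends the line if the key is absent. Safe to run repeatedly.
set_sshd_option() {
  local file="$1" key="$2" value="$3"
  if grep -Eq "^[#[:space:]]*${key}[[:space:]]" "$file"; then
    sed -i -E "s|^[#[:space:]]*${key}[[:space:]].*|${key} ${value}|" "$file"
  else
    printf '%s %s\n' "$key" "$value" >> "$file"
  fi
}

# get_sshd_option FILE KEY -> the value sshd would take from this file
# (first active occurrence; Include'd files are not followed here)
get_sshd_option() {
  awk -v k="$2" '$1 == k && !found { v = $2; found = 1 } END { print v }' "$1"
}

# The four edits from the section above, in one place
harden_sshd_config() {
  local file="$1"
  set_sshd_option "$file" Port 25800
  set_sshd_option "$file" PermitRootLogin prohibit-password
  set_sshd_option "$file" PasswordAuthentication no
  set_sshd_option "$file" PubkeyAuthentication yes
}

# Constructed sample shaped like a Debian default (not any real server's file)
write_sample_config() {
  cat > "$1" <<'EOF'
#Port 22
#PermitRootLogin prohibit-password
PasswordAuthentication yes
#PubkeyAuthentication yes
KbdInteractiveAuthentication no
EOF
}

demo() {
  local tmp
  tmp=$(mktemp)
  write_sample_config "$tmp"
  harden_sshd_config "$tmp"
  cat "$tmp"
  rm -f "$tmp"
}
```

Before `sudo systemctl restart ssh`, run `sudo sshd -t` to syntax-check the file and `sudo sshd -T | grep -Ei '^(port|permitrootlogin|passwordauthentication) '` to see the values sshd will actually use: sshd keeps the first occurrence of a key, and Debian/Ubuntu images usually carry an `Include /etc/ssh/sshd_config.d/*.conf` line whose files take precedence over the main file. Keep the current session open until a fresh login on port 25800 succeeds.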
## Restore Backed-up Files/Directories (Optional)
``` bash
cd /root || exit
wget -c https://cattom.oss-cn-shenzhen.aliyuncs.com/[server_name]/backup/[file_name].tar.gz
tar -zxvf [file_name].tar.gz
sudo rm [file_name].tar.gz
```
## Install Business Applications (Install as Needed)
**First install the required business tools through the Maria management tool: `maria` - ++2++**
### Traefik
Check the latest version at [Releases - traefik/traefik](https://github.com/traefik/traefik/releases/latest).
``` bash
mkdir /root/traefik
cd /root/traefik || exit
touch acme.json && chmod 600 acme.json
wget -c [link]
tar -zxvf [file_name] && rm [file_name] LICENSE.md CHANGELOG.md && mv traefik /usr/local/bin/traefik
ln -s /root/maria/config/traefik/static.yaml /root/traefik/static.yaml
ln -s /root/maria/config/${SERVER}/traefik.yaml /root/traefik/dynamic.yaml
ln -s /root/maria/config/systemd/traefik.service /etc/systemd/system/traefik.service && sudo systemctl daemon-reload
sudo systemctl enable traefik.service && sudo systemctl restart traefik.service
```
### Alibaba Cloud CLI
**Note: generate an AccessKey in [RAM Access Control](https://ram.console.aliyun.com/) according to your business needs.**
``` bash
cd /root || exit
/bin/bash -c "$(curl -fsSL https://aliyuncli.alicdn.com/install.sh)"
aliyun configure set --profile profile1 --mode AK --access-key-id [AccessKeyID] --access-key-secret [AccessKeySecret] --region "cn-shenzhen"
```
The Alibaba Cloud CLI now has ossutil built in. Examples:
``` bash
# Example 1
aliyun ossutil sync /root/backup/ oss://cattom/${SERVER}/backup/ --force --update --delete -e oss-cn-shenzhen.aliyuncs.com
# Example 2
aliyun ossutil sync /root/blog/site oss://cattom-blog --force --update --delete --region cn-hongkong
```
### Flexget
Install Flexget:
``` bash
cd /root || exit
sudo apt -y install python3 python3-full python3-pip python3.12-venv
python3 -m venv /root/flexget/
/root/flexget/bin/pip install --upgrade pip setuptools
/root/flexget/bin/pip install flexget
```
Test the configuration and start the background daemon:
``` bash
sudo ln -s /root/maria/config/flexget/config.yml /root/flexget/config.yml
/root/flexget/bin/flexget -c /root/flexget/config.yml --test execute
/root/flexget/bin/flexget -c /root/flexget/config.yml daemon start -d --autoreload-config
```
Start automatically on boot:
``` bash
(
crontab -u $(whoami) -l
echo "@reboot /root/flexget/bin/flexget -c /root/flexget/config.yml daemon start -d --autoreload-config"
) | crontab -u $(whoami) -
```
Configure an alias:
``` bash
echo 'alias flexget="/root/flexget/bin/flexget -c /root/flexget/config.yml"' >> /root/.bashrc
```
## Configure the Firewall
!!! warning "Note"
    Connections that arrive over Tailscale do not need to be allowed in UFW.
    Ports that are not bound to a specific listen address in the Docker Compose files do not need to be allowed in UFW.

Maria non-standard open port table:

| Server | Port | Source IP/CIDR | Destination IP/CIDR | Protocol | Note |
| :----: | :---: | :---------: | :---------: | :---: | :-----------: |
| 2 | 7100 | / | / | / | Frps listen port |
| 2 | 18080 | 127.0.0.1 | / | / | Bitwarden |
| 2 | 5230 | 127.0.0.1 | / | / | Memos |
| 2 | 3002 | 127.0.0.1 | / | / | Homepage |
| 2 | 3100 | 127.0.0.1 | / | / | Gitea |
| 2 | 25801 | / | / | / | Gitea SSH |

| Server | Port | Source IP/CIDR | Destination IP/CIDR | Protocol | Note |
| :----: | :---: | :-----------: | :---------: | :---: | :----------------: |
| 3 | 6800 | 127.0.0.1 | / | / | Aria2 RPC |
| 3 | 6888 | / | / | / | Aria2 BT |
| 3 | 6888 | / | / | UDP | Aria2 BT |
| 3 | 9100 | 100.64.0.0/10 | / | / | Node Exporter [^1] |

[^1]: On server 3, Prometheus runs inside a container while Node Exporter runs on the host; this rule must be kept so the two can reach each other.
``` bash
# Reset the firewall
sudo ufw reset
# Set the default policies
sudo ufw default allow outgoing # allow all outbound traffic by default
sudo ufw default deny incoming # deny all inbound traffic by default
```
``` bash
# SSH
sudo ufw allow 25800
# Web
sudo ufw allow 80 && sudo ufw allow 443
# Example 1
sudo ufw allow 7100
# Example 2
sudo ufw allow from 127.0.0.1 to any port 18080
# Example 3
sudo ufw allow 6888/udp
```
``` bash
# Enable logging
sudo ufw logging medium
# List the open ports
sudo ufw status numbered
# Enable the firewall
sudo ufw enable
```
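The port table and Examples 1-3 above use three rule shapes: a bare port, a source-restricted port, and a protocol-qualified port. As an added example that is not part of the original page, the script below turns table rows into the matching `ufw allow` commands so the rule set can be regenerated from the table instead of retyped; the rows embedded in it are a constructed copy of a few rows from the table, and the function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: generate the "ufw allow" commands
# for rows of the non-standard port table above. A "/" in a column means
# "unrestricted", matching the three shapes used in Examples 1-3.

# ufw_rule_for PORT SOURCE PROTO -> one "sudo ufw allow ..." command
ufw_rule_for() {
  local port="$1" src="$2" proto="$3" proto_lc
  proto_lc=$(printf '%s' "$proto" | tr '[:upper:]' '[:lower:]')
  if [ "$src" = "/" ]; then
    if [ "$proto" = "/" ]; then
      printf 'sudo ufw allow %s\n' "$port"                        # Example 1
    else
      printf 'sudo ufw allow %s/%s\n' "$port" "$proto_lc"         # Example 3
    fi
  elif [ "$proto" = "/" ]; then
    printf 'sudo ufw allow from %s to any port %s\n' "$src" "$port"   # Example 2
  else
    printf 'sudo ufw allow from %s to any port %s proto %s\n' "$src" "$port" "$proto_lc"
  fi
}

# rules_from_table SERVER  (table rows on stdin)
# Parses "| server | port | src | dst | proto | note |" rows, skipping the
# header and separator rows, and prints the commands for one server.
rules_from_table() {
  awk -F'|' -v s="$1" '
    { for (i = 1; i <= NF; i++) gsub(/^[ \t]+|[ \t]+$/, "", $i) }
    $2 == s && $3 ~ /^[0-9]+$/ { print $3, $4, $6 }
  ' | while read -r port src proto; do
    ufw_rule_for "$port" "$src" "$proto"
  done
}

# Constructed copy of a few rows from the table above, used for the demo
SAMPLE_TABLE='| Server | Port | Source IP/CIDR | Destination IP/CIDR | Protocol | Note |
| :----: | :---: | :---------: | :---------: | :---: | :---: |
| 2 | 7100 | / | / | / | Frps listen port |
| 2 | 18080 | 127.0.0.1 | / | / | Bitwarden |
| 3 | 6888 | / | / | UDP | Aria2 BT |
| 3 | 9100 | 100.64.0.0/10 | / | / | Node Exporter |'

demo() {
  printf '%s\n' "$SAMPLE_TABLE" | rules_from_table 2
  printf '%s\n' "$SAMPLE_TABLE" | rules_from_table 3
}
```

Pipe the generated lines through `sh` only after reviewing them, then compare `sudo ufw status numbered` against the table. Because the default policy is `deny incoming`, any host service not in the table stays closed; the warning above about Docker Compose ports holds because Docker inserts its own iptables rules for published ports ahead of ufw's chains, so those ports are reachable regardless of what ufw lists.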
## Load Docker Containers
``` bash
sudo docker compose -f /root/maria/config/"${SERVER}"/docker-compose.yml pull
sudo docker compose -f /root/maria/config/"${SERVER}"/docker-compose.yml up -d --remove-orphans
sudo docker system prune -f
# Optional
sudo systemctl restart traefik
```
## Configure Automatic Backups (Optional)
``` bash
(
crontab -u $(whoami) -l
echo "0 6 * * * /root/maria/script/backup.sh"
) | crontab -u $(whoami) -
```
## Linux Kernel Network Stack Tuning (Optional)
Edit `/etc/sysctl.conf` and append the following at the end:
```
net.ipv4.tcp_tw_reuse = 1
net.ipv4.ip_local_port_range = 1024 65535
net.ipv4.tcp_rmem = 16384 262144 8388608
net.ipv4.tcp_wmem = 32768 524288 16777216
net.core.somaxconn = 8192
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.wmem_default = 2097152
net.ipv4.tcp_max_tw_buckets = 5000
net.ipv4.tcp_max_syn_backlog = 10240
net.core.netdev_max_backlog = 10240
net.netfilter.nf_conntrack_max = 1000000
net.netfilter.nf_conntrack_tcp_timeout_established = 7200
net.core.default_qdisc = fq_codel
net.ipv4.tcp_congestion_control = bbr
net.ipv4.tcp_slow_start_after_idle = 0
```
Apply the configuration:
``` bash
sysctl -p
```
Verify that BBR is enabled:
``` bash
lsmod | grep bbr
```
If `tcp_bbr` appears in the output, BBR has been enabled successfully.
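`sysctl -p` reports keys it cannot set (for instance the `net.netfilter.*` keys before the `nf_conntrack` module is loaded) but keeps going, so a read-back check is the reliable way to know the whole fragment took effect. As an added example that is not part of the original page, the script below compares every key in a `sysctl.conf` fragment with the live value; the reader function is swappable so it can be exercised offline, the sample fragment is a constructed subset of the keys above, and the function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: after "sysctl -p", confirm that
# every key in a sysctl.conf fragment really holds the intended value.

# Live reader; dry runs and tests can point SYSCTL_READER at a fake instead.
read_sysctl_live() { sysctl -n "$1" 2>/dev/null; }
SYSCTL_READER=${SYSCTL_READER:-read_sysctl_live}

# Collapse runs of whitespace so "16384 262144 8388608" compares equal to
# the tab-separated form that sysctl prints for multi-value keys.
normalize() { printf '%s' "$1" | tr -s '[:space:]' ' ' | sed 's/^ //; s/ $//'; }

# verify_sysctl_conf FILE
# Prints "MISMATCH key expected=.. actual=.." for each differing key (actual
# is empty when the key does not exist); returns 0 only if every key matches.
verify_sysctl_conf() {
  local file="$1" status=0 key val actual
  while IFS='=' read -r key val; do
    key=$(normalize "$key")
    val=$(normalize "$val")
    case "$key" in ''|'#'*) continue ;; esac
    actual=$("$SYSCTL_READER" "$key" || true)
    actual=$(normalize "$actual")
    if [ "$actual" != "$val" ]; then
      printf 'MISMATCH %s expected=%s actual=%s\n' "$key" "$val" "$actual"
      status=1
    fi
  done < "$file"
  return "$status"
}

# Constructed sample fragment (a subset of the keys listed above)
write_sample_conf() {
  cat > "$1" <<'EOF'
# constructed sample
net.ipv4.tcp_congestion_control = bbr
net.ipv4.tcp_rmem = 16384 262144 8388608
net.core.somaxconn = 8192
net.netfilter.nf_conntrack_max = 1000000
EOF
}

# Usage on a live host: verify_sysctl_conf /etc/sysctl.conf
```

This check also covers BBR through `net.ipv4.tcp_congestion_control`, which is worth knowing because `lsmod | grep bbr` prints nothing on kernels where `tcp_bbr` is built in rather than loaded as a module, even though BBR is active.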
## Configure Actions
### GitHub Actions
Go to [cattomgithub/maria - Settings - Secrets - Actions](https://github.com/cattomgithub/maria/settings/secrets/actions)
and modify the following settings:
- SSH_HOSTS: foo,bar
### Gitea Actions
## NFS Configuration
``` bash
# Install
sudo apt -y update && sudo apt -y install nfs-kernel-server nfs-common
# Modify firewall on host
sudo ufw allow from [client_ip] to any port nfs
# Create mount point on client
sudo mkdir -p [/path/on/client]
# Mount directories on client
sudo mount [host_ip]:[/path/on/host] [/path/on/client]
# Check stats on client
sudo df -h
# Mount the directories at boot (the ">>" redirection runs as the calling user, not root, so write through tee)
echo "[host_ip]:[/path/on/host] [/path/on/client] nfs auto,nofail,noatime,nolock,intr,tcp,actimeo=1800 0 0" | sudo tee -a /etc/fstab
# Unmount NFS
sudo umount [/path/on/client]
```
## Enter a Docker Container's Shell
``` bash
sudo docker exec -it [container_name] /bin/bash
# Or
sudo docker exec -it [container_name] /bin/sh
```
## Sync Files with rsync
Explanation of the rsync options:
- `-a`: archive mode; preserves file permissions, timestamps, symlinks, owner and group.
- `-v`: verbose mode; prints the name of each file as it is synced.
- `-z`: compress data during transfer.
- `-P`: equivalent to `--partial --progress`. `--progress` shows the transfer progress of each file; `--partial` keeps partially transferred files so an interrupted transfer can resume.
rsync is sensitive to a trailing slash on the source path:
- `/local/source/folder/` (with slash): syncs only the **contents** of the folder into the destination directory.
- `/local/source/folder` (without slash): places the **`folder` directory itself, together with its contents**, inside the destination directory.
``` bash
# Push a local folder to the remote server (Push)
rsync -avzP --delete /local/source/folder/ [server_id]:/remote/destination/folder/
# Pull a folder from the remote server to the local machine (Pull)
rsync -avzP --delete [server_id]:/remote/source/folder/ /local/destination/folder/
```
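As an added example that is not part of the original page, the script below demonstrates the trailing-slash rule with local directories only, and previews what `--delete` would remove with `--dry-run` before anything is changed; the working tree is constructed under `mktemp`, and the function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: show the trailing-slash rule
# from the list above on local paths, and preview a --delete sync safely.
set -eu

# sync_contents SRC DST: copy what is *inside* SRC into DST (trailing slash)
sync_contents() { rsync -a "${1%/}/" "${2%/}/"; }

# sync_folder SRC DST: copy the SRC directory *itself* into DST (no slash)
sync_folder() { rsync -a "${1%/}" "${2%/}/"; }

# preview_delete SRC DST: list what "--delete" would remove from DST without
# changing anything; itemized lines starting with "*deleting" are the candidates
preview_delete() {
  rsync -a --delete --dry-run --itemize-changes "${1%/}/" "${2%/}/" | grep '^\*deleting' || true
}

# Builds a constructed tree and prints the preview, then the work directory
demo() {
  local work
  work=$(mktemp -d)
  mkdir -p "$work/src/folder" "$work/dst_a" "$work/dst_b"
  echo hello > "$work/src/folder/file.txt"
  sync_contents "$work/src/folder" "$work/dst_a"   # -> dst_a/file.txt
  sync_folder   "$work/src/folder" "$work/dst_b"   # -> dst_b/folder/file.txt
  echo stale > "$work/dst_a/stale.txt"             # exists only at the destination
  preview_delete "$work/src/folder" "$work/dst_a"  # lists stale.txt, deletes nothing
  echo "$work"
}
```

Run `preview_delete` (or add `--dry-run` to the push/pull commands above) whenever `--delete` is involved: with the wrong slash or a swapped source and destination, `--delete` removes everything at the destination that the source does not contain.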
## References
[SSH for GitHub Actions](https://github.com/appleboy/ssh-action/blob/master/README.zh-cn.md)