Common commands for server operation and maintenance
Initialization
Maria:
git config --global credential.helper store && git clone https://github.com/cattomgithub/maria.git
cd maria/script && chmod +x *.sh && ./maria.sh
Modify the SSH configuration
First, start the SSH service:
sudo systemctl enable ssh && sudo systemctl restart ssh && sudo systemctl status ssh
Next, generate and configure the SSH key. Open a terminal on CatTomServer3-1 and run:
ssh-keygen -m PEM -t rsa -b 4096 -C "[username]@[server_ip]" -f ~/.ssh/[server_name]
ssh-copy-id -p 25800 -i /home/cattom/.ssh/[server_name].pub root@[server_ip]
Finally, edit /etc/ssh/sshd_config:
- Port 22 → Port 25800
- PermitRootLogin prohibit-password (uncomment this line)
- PasswordAuthentication yes → PasswordAuthentication no
- (Optional) PubkeyAuthentication yes
Restart the SSH service to apply the configuration: sudo systemctl restart ssh
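
A check of the effective settings against the list above, as an added example that is not part of the original page. It reads `sshd -T` output, where OpenSSH may print `without-password` for `PermitRootLogin prohibit-password`, so both spellings are accepted; the function names and the sample dump are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify the effective sshd settings against the values
# listed above (Port 25800, root login by key only, no password logins).
# Usage on a real host:  sudo sshd -t && sudo sshd -T | check_sshd_effective

check_sshd_effective() {
    # stdin: `sshd -T` output, i.e. lower-case "keyword value" lines.
    awk '
        $1 == "port"                   { ports = ports (ports ? "," : "") $2 }
        $1 == "permitrootlogin"        { root = $2 }
        $1 == "passwordauthentication" { pw = $2 }
        $1 == "pubkeyauthentication"   { pk = $2 }
        END {
            bad = 0
            # Every configured port is printed; only 25800 should remain.
            if (ports != "25800") { print "FAIL port: " ports " (want 25800)"; bad = 1 }
            # "without-password" is the older spelling of "prohibit-password".
            if (root != "prohibit-password" && root != "without-password") {
                print "FAIL permitrootlogin: " root; bad = 1
            }
            if (pw != "no")  { print "FAIL passwordauthentication: " pw; bad = 1 }
            if (pk != "yes") { print "FAIL pubkeyauthentication: " pk; bad = 1 }
            if (!bad) print "OK"
            exit bad
        }'
}

# Constructed sample of `sshd -T` output, so the check can be run offline.
sample_sshd_dump() {
    cat <<'EOF'
port 25800
addressfamily any
usepam yes
permitrootlogin without-password
pubkeyauthentication yes
passwordauthentication no
EOF
}

sample_sshd_dump | check_sshd_effective
```

Running the check before `systemctl restart ssh`, with the current session left open, shows whether the key-only login on port 25800 is what sshd will actually enforce.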
Restore backup files/directories (optional)
cd /root || exit
wget -c https://cattom.oss-cn-shenzhen.aliyuncs.com/[server_name]/backup/[file_name].tar.gz
tar -zxvf [file_name].tar.gz
sudo rm [file_name].tar.gz
Install service programs (as needed)
Traefik
Check Releases - traefik/traefik for the latest version.
mkdir /root/traefik
cd /root/traefik || exit
touch acme.json && chmod 600 acme.json
wget -c [link]
tar -zxvf [file_name] && rm [file_name] LICENSE.md CHANGELOG.md && mv traefik /usr/local/bin/traefik
ln -s /root/maria/config/traefik/static.yaml /root/traefik/static.yaml
ln -s /root/maria/config/${SERVER}/traefik.yaml /root/traefik/dynamic.yaml
ln -s /root/maria/config/systemd/traefik.service /etc/systemd/system/traefik.service && sudo systemctl daemon-reload
sudo systemctl enable traefik.service && sudo systemctl restart traefik.service
Alibaba Cloud CLI
Note: Generate an AccessKey in RAM Access Control according to business requirements.
cd /root || exit
/bin/bash -c "$(curl -fsSL https://aliyuncli.alicdn.com/install.sh)"
aliyun configure set --profile profile1 --mode AK --access-key-id [AccessKeyID] --access-key-secret [AccessKeySecret] --region "cn-shenzhen"
The Alibaba Cloud CLI now integrates ossutil. Examples:
# Example 1
aliyun ossutil sync /root/backup/ oss://cattom/${SERVER}/backup/ --force --update --delete -e oss-cn-shenzhen.aliyuncs.com
# Example 2
aliyun ossutil sync /root/blog/site oss://cattom-blog --force --update --delete --region cn-hongkong
Flexget
Install Flexget:
cd /root || exit
sudo apt -y install python3 python3-full python3-pip python3.12-venv
python3 -m venv /root/flexget/
/root/flexget/bin/pip install --upgrade pip setuptools
/root/flexget/bin/pip install flexget
Test the configuration and start the background process:
sudo ln -s /root/maria/config/flexget/config.yml /root/flexget/config.yml
/root/flexget/bin/flexget -c /root/flexget/config.yml --test execute
/root/flexget/bin/flexget -c /root/flexget/config.yml daemon start -d --autoreload-config
Start it automatically at boot:
(
crontab -u $(whoami) -l
echo "@reboot /root/flexget/bin/flexget -c /root/flexget/config.yml daemon start -d --autoreload-config"
) | crontab -u $(whoami) -
Configure the alias:
echo 'alias flexget="/root/flexget/bin/flexget -c /root/flexget/config.yml"' >> /root/.bashrc
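Configure the firewall
!!! warning "Note"
    Connections that go through Tailscale do not need to be allowed in UFW.
    Ports in the Docker Compose file that do not define a specific listen address do not need to be allowed in UFW.
Open non-standard ports for Maria:
| Server | Port | Source IP/range | Destination IP/range | Protocol | Notes |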
|---|---|---|---|---|---|
| 2 | 7100 | / | / | / | Frps 监听端口 |
| 2 | 18080 | 127.0.0.1 | / | / | Bitwarden |
| 2 | 5230 | 127.0.0.1 | / | / | Memos |
| 2 | 3002 | 127.0.0.1 | / | / | Homepage |
| 2 | 3100 | 127.0.0.1 | / | / | Gitea |
| 2 | 25801 | 127.0.0.1 | / | / | Gitea SSH |

| Server | Port | Source IP/range | Destination IP/range | Protocol | Notes |
|---|---|---|---|---|---|
| 3 | 6800 | 127.0.0.1 | / | / | Aria2 RPC |
| 3 | 6888 | / | / | / | Aria2 BT |
| 3 | 6888 | / | / | UDP | Aria2 BT |
| 3 | 9100 | 100.64.0.0/10 | / | / | Node Exporter [1] |
# Reset the firewall
sudo ufw reset
# Set the default policies
sudo ufw default allow outgoing # allow all outbound traffic by default
sudo ufw default deny incoming # deny all inbound traffic by default
# SSH
sudo ufw allow 25800
# Web
sudo ufw allow 80 && sudo ufw allow 443
# Example 1
sudo ufw allow 7100
# Example 2
sudo ufw allow from 127.0.0.1 to any port 18080
# Example 3
sudo ufw allow 6888/udp
# Enable logging
sudo ufw logging medium
# List the open ports
sudo ufw status numbered
# Enable the firewall
sudo ufw enable
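
Because ports published by Docker without a listen address are reachable without a UFW rule, `ufw status` alone does not show everything the host exposes. The following added example (not part of the original page) lists listeners bound to non-loopback addresses whose port is not in an expected set; the function names, the sample `ss` output and port 8080 are constructed for illustration.

```shell
#!/bin/sh
# Added example: list listening sockets that are reachable from other hosts
# and whose port is not in the expected set.
# Usage on a real host:  sudo ss -H -tuln | unexpected_listeners 25800 80 443 6888

unexpected_listeners() {
    # stdin: `ss -H -tuln` output; arguments: ports expected to be open.
    awk -v allowed=" $* " '
        {
            la = $5                                  # "Local Address:Port" column
            port = la; sub(/.*:/, "", port)          # text after the last colon
            addr = la; sub(/:[^:]*$/, "", addr)      # text before the last colon
            sub(/%.*/, "", addr)                     # drop "%iface", e.g. 127.0.0.53%lo
            if (addr ~ /^127\./ || addr == "[::1]") next   # loopback-only listener
            if (index(allowed, " " port " ")) next         # port is expected
            print $1, port, addr
        }' | LC_ALL=C sort -u
}

# Constructed sample of `ss -H -tuln` output for a host like server 3.
# Port 8080 stands for a Compose port published without a listen address.
sample_ss_dump() {
    cat <<'EOF'
udp   UNCONN 0 0          0.0.0.0:6888     0.0.0.0:*
tcp   LISTEN 0 128        0.0.0.0:25800    0.0.0.0:*
tcp   LISTEN 0 4096     127.0.0.1:6800     0.0.0.0:*
tcp   LISTEN 0 4096       0.0.0.0:6888     0.0.0.0:*
tcp   LISTEN 0 4096             *:9100           *:*
tcp   LISTEN 0 4096       0.0.0.0:8080     0.0.0.0:*
tcp   LISTEN 0 4096          [::]:8080        [::]:*
tcp   LISTEN 0 4096 127.0.0.53%lo:53       0.0.0.0:*
EOF
}

sample_ss_dump | unexpected_listeners 25800 80 443 6888
```

Each printed line (protocol, port, bind address) is a listener to review: either bind it to 127.0.0.1 or a Tailscale address, or confirm that the exposure is intended.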
Load the Docker containers
sudo docker compose -f /root/maria/config/"${SERVER}"/docker-compose.yml pull
sudo docker compose -f /root/maria/config/"${SERVER}"/docker-compose.yml up -d --remove-orphans
sudo docker system prune -f
# Optional
sudo systemctl restart traefik
Configure automatic backups (optional)
(
crontab -u $(whoami) -l
echo "0 6 * * * /root/maria/script/backup.sh"
) | crontab -u $(whoami) -
Enter a Docker container's terminal
sudo docker exec -it [container_name] /bin/bash
# Or
sudo docker exec -it [container_name] /bin/sh
Configure the SSH Action
GitHub Actions
cattomgithub/maria - Settings - Secrets - Actions
- SSH_HOSTS: foo,bar
The server needs the GitHub Actions key configured. Open a terminal on CatTomServer3-1 and run:
ssh-copy-id -f -p 25800 -i /home/cattom/.ssh/maria-github-actions-key.pub [server_id]
NFS configuration
# Install
sudo apt -y update && sudo apt -y install nfs-kernel-server nfs-common
# Modify firewall on host
sudo ufw allow from [client_ip] to any port nfs
# Create mount point on client
sudo mkdir -p [/path/on/client]
# Mount directories on client
sudo mount [host_ip]:[/path/on/host] [/path/on/client]
# Check stats on client
sudo df -h
# Mount the directories at boot
# (the redirection must run as root, so append with tee instead of "sudo echo ... >>")
echo "[host_ip]:[/path/on/host] [/path/on/client] nfs auto,nofail,noatime,nolock,intr,tcp,actimeo=1800 0 0" | sudo tee -a /etc/fstab
# Unmount NFS
sudo umount [/path/on/client]
[1] Server 3's Prometheus runs inside a container while Node Exporter runs on the host, so this rule must be kept for the two to stay connected.