
Setting up Yunohost on Digital Ocean

This is the main tutorial I followed to install Yunohost (“YH” for the rest of this post) on a Digital Ocean (“DO” for the rest of this post) droplet, and this post is basically my expansion notes to go with it, to help myself and others who might need them.

Before you begin the rest of the YH setup work, make sure the domain you own is pointed at the Digital Ocean nameservers, to get ahead of the DNS propagation time, which can sometimes take many hours or days.

Also, keep in mind that if you already have your domain loaded in the Digital Ocean Networking section, as soon as the new droplet is created or re-purposed for YH, point the main A records to this droplet so that they can start propagating. The other thing I do is change the 3600 TTL to 300 for the first hour while things are propagating, then change it back to 3600 after the dig yourdomain.com results look right or a ping test (ping yourdomain.com) works. I haven’t 100% confirmed this helps, but someone on the internet once said it does, so I do it. Feel free to research this further if you’d like.

Otherwise, the Digital Ocean networking stuff starts in step 6 below.

Initial Debian Droplet Creation on Digital Ocean

  1. Create your droplet. It must be a Debian server; I learned this the hard way after I installed a regular Ubuntu server. It seems a pure Debian server is needed to run the install script.
  2. The first time I did this, I used the following setup for my test: Debian, Basic (shared CPU), Regular disk type (regular SSD), 1GB CPU | 25GB SSD storage | 1000 GB transfer. This choice may have been the cause of a lot of pain and the eventual destruction and rebuilding of a droplet. Consider what apps you plan to run on this install before choosing your droplet, and make sure the server has enough resources! After I started again with a 2GB RAM server, everything seemed just fine…
  3. I renamed the end of the scary default DO hostname to end in ‘yunohost’ so it was at least recognizable in my droplet list.
  4. Create Droplet.
  5. Wait for the progress bar to complete setup.
  6. Go to the Networking / Domains section.
  7. Enter your domain into the hostname field in the A records, and make sure it’s pointing to your new DO droplet.

Unique SSH Debian Setup Steps

I’m most familiar with a DO stock Ubuntu droplet setup, so to be clear, I had quite a few problems with this Debian setup related to SSH key handling. I probably did something wrong or different, and I wonder if I even needed to do this SSH key setup, since YH will ultimately wipe out all the work and reconfigure SSH the way it wants… In either case, because I’m not sure and someone else might want to set up Debian SSH keys, here are the steps I finally did to make SSH keys work on this Debian droplet:

  1. Install the droplet (as per the instructions above).
  2. In the ‘Access’ section of Digital Ocean for your new droplet, click ‘Launch Droplet Console’.
  3. Edit the Debian server’s SSH config file with: sudo nano /etc/ssh/sshd_config
  4. In the file, scroll down and change PasswordAuthentication no to PasswordAuthentication yes if it isn’t already set to that.
  5. Ctrl+X to exit, ‘y’ to save the changes, and Enter to confirm and write the file.
  6. Close the DO droplet console.
  7. In the ‘Access’ section of Digital Ocean (same place), go down to ‘Reset root password’ and let the system reset it and send you the password. It seems to take about 2 minutes to do this and another minute to wait for the email, which goes to your DO admin email account.
  8. Still in your admin area, log into the Droplet Console again as root. It will ask for the current password, which is the one that just got emailed. After you enter that it will ask for a new password, which you should have already created in a password manager or somewhere safe. Enter that, and repeat the new password. Now you have a new root password. If you were wondering why I included all these steps in this section, it is to give you a safe password that you chose for your root user so that you can do the next steps (install Yunohost…). Again, when I installed plain Ubuntu droplet servers on DO in the past, I never had to go through this, but alas… You can leave this Droplet Console open, as you will need to revert some settings in that sshd_config file in a minute.
  9. On your local machine – assuming you already have a private SSH key set up from something else (if you don’t, search up a tutorial and set that up in the Settings / Security section of Digital Ocean…) – run this in your local terminal: ssh-copy-id root@digital-ocean-droplet-ip-address

You should get this question, to which you answer ‘yes’:

Are you sure you want to continue connecting (yes/no/[fingerprint])?

You should also, at this stage, be asked for the root password, which is the one you created in step 8 above.

If all goes well it should output this:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'root@digital-ocean-droplet-ip-address'"
and check to make sure that only the key(s) you wanted were added.

The purpose of this step, if you were wondering, is to more easily move your local SSH public key onto your new Debian droplet.

  1. Now go back into your Droplet Console and turn off the password login option you turned on in steps 3 and 4 above, by running the same command and changing the ‘yes’ back to ‘no’.
  2. Restart the SSH service so you can test the change: systemctl restart sshd
  3. Now test it like you mean it. From the same local machine, try a normal SSH login:

ssh root@digital-ocean-droplet-ip-address

If all is good you should be logged into the Debian machine.
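The two hand edits to sshd_config above (yes, then back to no) as a repeatable function. This is an added example, not part of the original post; it assumes GNU awk and coreutils as shipped on Debian, and the config path is passed in as an argument. Worth knowing: on Debian 11 and later, sshd_config begins with an Include of /etc/ssh/sshd_config.d/*.conf, and sshd keeps the first value it reads for an option, so a setting in an included file wins over one edited lower down in sshd_config itself; sshd -T shows what actually took effect.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): flip one sshd_config option
# in place, as steps 3-4 and the later "back to no" step do by hand.
set -euo pipefail

# set_sshd_option FILE KEY VALUE
# The first live or "#Key value" line outside any Match block becomes
# "KEY VALUE"; later live copies are dropped (sshd keeps only the first
# occurrence it reads); an absent key is inserted before the first Match
# line, since anything placed after a Match line belongs to that block.
set_sshd_option() {
  local file="$1" key="$2" value="$3" tmp
  tmp="$(mktemp)"
  awk -v k="$key" -v v="$value" '
    BEGIN { kl = tolower(k) }
    {
      l = tolower($0)
      live = (l ~ ("^[ \t]*" kl "[ \t]"))
      cmt  = (l ~ ("^[ \t]*#[ \t]*" kl "[ \t]+[^ \t]+[ \t]*$"))
    }
    l ~ /^[ \t]*match[ \t]/ { if (!done) { print k, v; done = 1 }; inmatch = 1 }
    !inmatch && !done && (live || cmt) { print k, v; done = 1; next }
    !inmatch && done && live { next }
    { print }
    END { if (!done) print k, v }
  ' "$file" > "$tmp"
  cat "$tmp" > "$file"   # write through cat so the file keeps its owner and mode
  rm -f "$tmp"
}

# effective_sshd_option KEY -> the value sshd actually uses once Includes
# (/etc/ssh/sshd_config.d/*.conf on Debian 11+) and defaults are applied;
# that, not a grep over one file, is the check worth trusting. Needs root.
effective_sshd_option() {
  sshd -T 2>/dev/null | awk -v k="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '$1 == k { print $2 }'
}

# On the droplet, as root, mirroring the post:
#   set_sshd_option /etc/ssh/sshd_config PasswordAuthentication yes
#   sshd -t && systemctl restart sshd    # -t checks the syntax before restarting
#   effective_sshd_option PasswordAuthentication
```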

Setting up the Debian Server Droplet for Yunohost – Pre-Install Stuff

Continue with the tutorials above to set up the Debian server, such as adding a non-root superuser. To SSH in as the non-root user, you should also read the details found here. He gives a great little tip about easily copying SSH keys from the master sudo user to the new non-root user, and it worked nicely.

  • apt remove unscd : remove this package, which may or may not be on your install and which causes a few headaches if you aren’t printing.

User Stuff

adduser sammy : I changed sammy to ‘ynh’ as my sub-root user. I answered blank to all the Full Name, Room Number, etc. questions and ‘yes’ to the information being correct.

usermod -aG sudo ynh : add user ynh to the sudo group.

cp -r ~/.ssh /home/ynh : copy the SSH key you worked so hard on above over to the new ynh user, so that ynh can log in from the same machine using the same SSH keys.

chown -R ynh:ynh /home/ynh/.ssh : give the user ownership of the .ssh directory in its home directory. Careful with spaces in this command.

  • As always, test your SSH keys by logging out of the server and logging back in as the ynh user you created and modified above.
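The User Stuff steps gathered into one script, as an added example that is not from the original post. It differs from the post in one deliberate way: it copies only authorized_keys instead of the whole ~/.ssh, so that root’s private keys and known_hosts do not end up in the new account, and it sets the 700/600 modes that sshd requires before it will honour the key. The third argument to install_authorized_keys is optional so the copy step can be tried out without root.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): the "User Stuff" steps in one
# place, with the file modes sshd requires before it accepts a key login for
# the new account. OWNER is optional so the copy can be tested unprivileged.
set -euo pipefail

# install_authorized_keys SRC_HOME DST_HOME [OWNER]
# Copies only authorized_keys rather than the whole .ssh directory (which on
# root may also hold private keys and known_hosts), then sets the modes that
# sshd's StrictModes insists on: 700 on .ssh, 600 on the file, OWNER owns both.
install_authorized_keys() {
  local src="$1/.ssh/authorized_keys" dst_dir="$2/.ssh" owner="${3:-}"
  if [ ! -s "$src" ]; then echo "no keys found in $src" >&2; return 1; fi
  install -d -m 700 "$dst_dir"
  install -m 600 "$src" "$dst_dir/authorized_keys"
  if [ -n "$owner" ]; then chown -R "$owner:$(id -gn "$owner")" "$dst_dir"; fi
}

# count_keys FILE -> number of public-key lines (comments and blanks ignored)
count_keys() { grep -cE '^(ssh-|ecdsa-|sk-)' "$1" || true; }

# provision_admin_user NAME: run as root on the droplet. --gecos "" skips the
# Full Name / Room Number questions the post answered blank; the password
# prompt stays, because sudo will ask for that password later.
provision_admin_user() {
  local name="$1"
  adduser --gecos "" "$name"
  usermod -aG sudo "$name"
  install_authorized_keys /root "/home/$name" "$name"
  echo "$(count_keys "/home/$name/.ssh/authorized_keys") key(s) installed for $name"
}
# provision_admin_user ynh
```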

Firewall Stuff

A note to protect myself from more hate mail than normal… Yunohost probably reconfigures all your work here, but because I don’t 100% know that, I’m doing these steps and saying you should too. If you find out otherwise, forgive me and let me know in the comments below 🙂

apt update : refresh the server’s package lists

apt install ufw : install the firewall suite

ufw allow OpenSSH : allow SSH connections through the firewall

ufw enable : enable the firewall so it starts working

ufw status : check that it’s running and the SSH rule is in place

Now your server is set up, time to finally install Yunohost…

Installing Yunohost on your Debian Droplet

Now that you’ve got your server set up, it’s time to proceed with this tutorial again.

cd /tmp : move to a temporary directory of peace and deep breathing…

wget -O yunohost https://install.yunohost.org/ : download the install script, which you will run next

sudo /bin/bash yunohost : run the install script – you’ll need your sudo password, of course.

At this point in the process, the first ‘warning’ I got was that there was a new version of sshd_config. That’s funny, since that’s the one we’ve been modifying above, lol. I selected ‘use the package maintainer’s version’ and continued. It seemed to work, and Yunohost ended up installing fine with this selection.

The next warning was that the stuff on the machine such as nginx, dovecot, etc. will be overwritten. Do you want to continue? I selected yes. I believe this was the ‘yes’ referred to in the tutorial’s comment here: ‘When asked to overwrite configuration files, select yes.’

But perhaps the most cryptic of the warnings was the last one, which recommended we let YH take over the handling of SSH, thereby no longer letting root log into the server but instead only the YH admin account. I have no problem with this, other than that it perhaps made all the SSH and firewall stuff above a total waste of time, haha. I hope one day to learn if my (our) efforts were in vain, but for now the long way above works. Feel free to let me know in the comments below.

Yunohost Post Install, Pre-Launch Stuff

The first time I tried installing YH, I failed to read the clear instructions that appear in the console right after the installation completes, and therefore missed a very important next instruction. Before you can access your install, you have to run the following post-install command in your terminal:

sudo yunohost tools postinstall

I ran that and… boom. Now it started to ask some logical setup questions:

What is your main domain? : for this I simply entered my domain without the www (domain.com format).
New admin password? : for this I created a new admin password different from my root and ynh Debian passwords. Not sure if that is required or not, but that’s what I did.

Once those were entered it started to install and printed a whole bunch of ‘success!’ messages, which of course makes me feel good about myself as a man…

If all goes well you should now be able to log into your new Yunohost install. I was.

Tips on Logging into Yunohost for the First Time

If everything went well and your domain, etc., are all propagated and visible to the internet, you should be able to go to the ‘main domain’ you specified above and get the login screen. From here you can log in with username ‘admin’ and the password you set in the step above, or go direct to this path:

https://yourdomain.com/yunohost/admin/

Because you don’t have SSL / Let’s Encrypt set up yet, you will get the security exception warning in your browser, which you can approve and press through.

Another tip: If this is your second installation you will likely have to manually delete your cookies and cache in your browser, or you won’t even be able to get through the security warning. I had this happen once.

If you can’t reach your URL, you may not have set your A record in your registrar’s DNS settings, or perhaps it hasn’t propagated across the internet yet. TIP: you can use the Digital Ocean droplet’s IP address instead of your URL in the path above for now, if you want to continue without waiting. It would look something like this, but with your IP:

https://123.123.123.123/yunohost/admin/

From the login page I entered the new admin password I created above and immediately got the section I expected.

Initial Setup of Yunohost

Now that your new Yunohost server is set up and you’re logged in, it’s time to get rolling.

Set up a Master Admin User

From the home dashboard:

  1. Users
  2. + New User
  3. Enter details

From my understanding this first user is a kind of admin account, at least for email and server stuff. So, for example, after you install Roundcube or set up your email client for this user, you will get the technical emails from the server / Yunohost.

Make sure DNS records are set up properly

CAA RECORD

Hostname       | Authority       | Tag   | Flags | TTL
maindomain.tld | letsencrypt.org | issue | 128   | 300 (change back to 3600 later)

Set up SSL with LetsEncrypt on maindomain.tld

To get rid of the security warnings, we need a valid SSL cert. Here’s how you do this after logging in:

  1. Let’s Encrypt the main domain by clicking ‘Domains’.
  2. Click the domain you entered on setup.
  3. Click the SSL certificate button. If your website is reachable you should be able to continue. If yours is still propagating your A record or having other issues, you’ll be out of luck until that’s done…. If that’s your case, don’t worry, there is lots of work to be done in the meantime. Don’t hesitate to hit the diagnosis tool link. It’s super useful!
  4. If the green “Install a Let’s Encrypt certificate” button is clickable, click it; if not:
  • in a terminal, try ping maindomain.tld and see if it gets a bounce back. If not, you probably have to wait longer.
  • in a terminal, try dig maindomain.tld to see if your domain shows up paired with an IP address; if it does, SSL cert installation ‘should’ work.
  • Also check that ports 80 and 443 are open for maindomain.tld in this tool.
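The ping / dig / port checklist above, plus the CAA record from the table, as one pre-flight script to run from a local terminal before clicking the Let’s Encrypt button. This is an added example, not from the original post; the parsing functions take dig’s +short output as text so they can be tried on captured records, while live_preflight does the real lookups with dig and nc. Domain and IP are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): pre-flight checks to run before
# clicking "Install a Let's Encrypt certificate": the A record, the CAA record
# from the table above, and ports 80/443. The parsers take dig's output as text
# so they can be exercised on captured records; live_preflight does the lookups.
set -euo pipefail

# a_record_matches "DIG_SHORT_OUTPUT" EXPECTED_IP
# dig +short may list several addresses (or a CNAME target first); at least one
# whole line must equal the droplet IP, so 123.123.123.1 cannot pass as a prefix.
a_record_matches() {
  printf '%s\n' "$1" | grep -qxF "$2"
}

# caa_allows_issuer "DIG_SHORT_CAA_OUTPUT" ISSUER
# dig +short prints CAA as: <flags> <tag> "<value>". No CAA records at all means
# any CA may issue; a published set with no "issue" entry naming ISSUER
# (for example only "issue ;" or only issuewild rules) makes that CA refuse.
caa_allows_issuer() {
  local out="$1" issuer="$2"
  if [ -z "$out" ]; then return 0; fi
  printf '%s\n' "$out" | awk -v iss="$issuer" '
    $2 == "issue" { gsub(/"/, "", $3); sub(/;.*/, "", $3); if ($3 == iss) ok = 1 }
    END { exit ok ? 0 : 1 }'
}

# live_preflight DOMAIN DROPLET_IP [ISSUER]: the three checks against real DNS.
# Port 80 matters because Let's Encrypt's HTTP-01 challenge starts over plain
# HTTP; 443 is where the admin panel and the finished certificate are served.
live_preflight() {
  local domain="$1" ip="$2" issuer="${3:-letsencrypt.org}" rc=0 port
  if a_record_matches "$(dig +short "$domain" A)" "$ip"; then
    echo "ok   A record -> $ip"
  else echo "FAIL A record does not point at $ip (still propagating?)"; rc=1; fi
  if caa_allows_issuer "$(dig +short "$domain" CAA)" "$issuer"; then
    echo "ok   CAA permits $issuer"
  else echo "FAIL CAA record blocks $issuer"; rc=1; fi
  for port in 80 443; do
    if nc -z -w 5 "$domain" "$port"; then echo "ok   port $port reachable"
    else echo "FAIL port $port closed or filtered"; rc=1; fi
  done
  return "$rc"
}
# live_preflight maindomain.tld 123.123.123.123   # placeholders for your own values
```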

With all the above checking out as ‘ok’, if after waiting 5 or 10 minutes it still isn’t clickable, I found once that logging out of the YH admin or doing a Ctrl+F5 refresh helped. For me, one time it took only 10 minutes to propagate and another time it took about 1 hour….

After clicking, it will ask “Are you sure you want to install a Let’s Encrypt certificate for this domain?”, which you will obviously approve. If all goes well it will say “Great! You’re using a valid Let’s Encrypt certificate”.

  5. Open a fresh browser on a different device and go to your domain to make sure the lock icon shows correctly.

If this was helpful, stay tuned, as I will be linking two more tutorials here:

  1. Setting up email for Yunohost and
  2. Pre-planning for business for Yunohost
