How to Deploy
Digital Ocean refers to a server as a "droplet". When creating a droplet you can specify which operating system (I recommend Ubuntu or Debian), a plan (I recommend starting with their $5/month plan) and a region (choose whichever is closest).
When a server is created, note the server's IP address and (if you created a server with password authentication instead of with SSH keys) the root user's password. For Digital Ocean, the root user's password will be sent in an email.
Connecting to the Server
In order to communicate with the remote server you need to connect to it. We use the
ssh command for that.
The syntax is
ssh [username]@[ip address]. So if my server is at
64.225.000.000 I would sign in as the root user via
You can log out of the server with
Updating the Server
First thing to do with a new server is update all the software. Run
apt update and then
apt upgrade. If you want to restart the machine after you can type
reboot. Note that these commands usually require
sudo if not signed in as the root user.
Create a Non-Root User
The root user is dangerous and should only be used in special circumstances. For day-to-day operations we'll make a non-root user with the ability to
sudo for special commands instead.
To create a user use the
adduser command. To create a user
tyler run the command
adduser tyler. You'll set the user's password. Questions about the user's full name or phone number can be left blank.
In order for the user to use
sudo for root-level commands run
usermod -aG sudo tyler.
Disable Root Login
It's rarely a good idea to let someone sign in to the machine directly as root so we will disable that. Sign in to the server with the newly-created non-root user. Edit
sudo and either
nano (for example,
sudo vim /etc/ssh/sshd_config) to change the
PermitRootLogin value to
In order for the changes to take effect we'll restart the SSH process with
sudo service sshd restart. You should no longer be able to sign into the server with the
Currently, all ports on the server are open; we can use a firewall to close all but the ones we need. We'll use a program called
ufw to achieve that.
sudo apt install ufw.
We need to be very careful that we don't immediately enable the firewall without opening any ports, otherwise we will lose the ability to ssh into the server! To enable SSH open port 22 by running
sudo ufw allow 22.
To enable the firewall run
sudo ufw enable.
Rather than logging in with a username & password, it's best to use SSH keys. With Digital Ocean you can create a droplet that is automatically associated with SSH keys. Otherwise, we can set them up manually.
Create an SSH Key
ssh-keygen command to make an SSH key. You'll specify the name of the key and if you want it password-protected. It will create two files in your current working directory, one file is the public key that ends in
.pub, and the other is a private key that will have no file extension.
You should keep your SSH keys in your local
~/.ssh/ directory, so
cd into that directory and run the
Share the Public Key
Next you need to add the public key to the server's
~/.ssh/authorized_keys file. Given a public key called
brock we would run
cat ~/.ssh/brock.pub | ssh firstname.lastname@example.org 'cat >> ~/.ssh/authorized_keys'. Note that the
~/.ssh directory must already exist; you'll probably have to sign into the server and create one before running this command.
Use the Private Key to Log In
-i flag with a path to the private key to log in with it. For example,
ssh -i ~/.ssh/brock email@example.com.
I like to use Namecheap. Buy a domain with some sort of Whois protection, otherwise your personal information will be publicly available on the internet!
You want the domain to "point" to the IP address of your server. You'll do that by adding a host record, specifically an A record. An A record includes a Host for specifying the subdomain, such as
@ for a catch-all, the Value will be the IP address of the server. TTL is how long until the changes take place; you can leave this at its default value.
Once the domain is set up it will take a few minutes for the internet to catch up. You can
ping the domain to see if it now responds with the new IP address and use SSH with the domain name instead of the IP address. For example, with an
underwater.pizza domain I can SSH with