Install software

apt update
apt install nginx python3-pip build-essential python3-dev git gcc fail2ban socat -y
unattended-upgrade -d -v

Change hostname

hostname myserver
vim /etc/hostname
# change to myserver

Change root password

passwd

Add user and add ssh pub key

useradd -m john
cd /home/john
su john
mkdir .ssh
cd .ssh
vim authorized_keys
// put ssh pub key inside
chmod 640 authorized_keys

Change sshd config

vim /etc/ssh/sshd_config
# set:
Port 32200
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication no
# restart
service ssh restart

Setup Firewall

ufw allow 80
ufw allow 443
ufw allow 32200
ufw enable

Install acme

curl  https://get.acme.sh | sh
cd ~/.acme.sh
./acme.sh --upgrade --auto-upgrade
# generate cert
export LINODE_V4_API_KEY="<your linode token>"
./acme.sh --issue --dns dns_linode_v4 --dnssleep 1200 -d "*.example.com" --log

acme.sh will auto set the crontab to renew it.