A Practical Method To Save Operation And Maintenance Costs By Automating Taiwan Vps Cloud Server Settings Through Scripts

1.

overview: why you need to automate the initial setup of taiwan vps

- save labor costs: manual configuration of each host takes an average of 3 hours, and the cost per machine is about us$90 based on a labor hour of us$30.
- scalability requirements: when the scale is expanded to 100 units, manual configuration requires 300 hours, and automation can be shortened to about 8 hours (script parallelism), saving about 292 hours.
- unified configuration standards: the script ensures that kernel parameters, security policies, logs and monitoring are consistent, reducing configuration drift and fault location time.
- accelerate the launch cycle: the time from getting the vps to officially launching external services can be shortened from an average of 2 days to 30 minutes.
- controllable risks: the firewall, ddos current limiting and certificate installation processes are fixed through scripts to reduce security risks caused by human errors.

2.

preparation: server and network resource inventory

- sample vps configuration (common taiwan node reference): 1 vcpu, 2gb ram, 50gb ssd, 2tb monthly traffic.
- domain name and dns: reserve a/aaaa records and cname at the domain name management office, and prepare api key for automated script updates.
- cdn and waf: it is recommended to connect to cloudflare or bunnycdn as the first line of cdn/waf protection, and enable rate limiting and bot management.
- monitoring and alarming: prepare prometheus + grafana or third-party monitoring accounts, and pre-configure webhook/slack alarms.
- operation and maintenance permissions: create a deploy user who can log in through ssh keys, and limit root login to necessary scenarios.

3.

key points of automated script implementation (debian/ubuntu as an example)

- update and software installation: the script automatically executes apt update && apt upgrade -y and installs necessary software packages (nginx, certbot, ufw, fail2ban, docker, etc.).
- system optimization: set network parameters through sysctl.conf and limits.conf (for example, net.ipv4.tcp_tw_reuse=1, fs.file-max=200000).
- firewall and current limiting: use ufw and iptables to set the default deny policy, ssh rate limit, and http connection limit.
- automated certificates: use certbot --nginx or acme.sh to automatically issue and renew certificates through dns-api.
- deployment dry principle: put the parameters (domain name, ip, swap size) as variables in the config file, and perform the consistent operation after reading the script.

4.

sample script snippet: rapid website creation and protection automation

- the following is a bash script fragment that can be run directly, adapted to ubuntu 20.04+:

#!/bin/bash
set -e
domain="example.com"
debian_frontend=noninteractive
apt update && apt -y upgrade
apt -y install nginx certbot python3-certbot-nginx ufw fail2ban
# system optimization cat >/etc/sysctl.d/99-custom.conf < 
- note: the above example is a simplified example. dns-api renewal and fail2ban rules need to be added to the production environment.

- parallel deployment: can be combined with ansible or parallel ssh (pssh) to execute scripts on 100 vps concurrently, saving deployment time.

- logging and rollback: the script records the output of each step to /var/log/bootstrap.log, and adds rollback points at key steps.
 5.
 real case: deployment effect of e-commerce customers in taipei node
 - background: an e-commerce company set up 50 vps in taiwan as regional caching and settlement backends, and deployed them manually in the initial stage.
 - initial situation: manual configuration of a single unit takes an average of 3 hours, 50 units total 150 hours, and the outsourced operation and maintenance cost is about us$4,500.
 - automated transformation: using the above script template + ansible parallelization, a single batch deployment of 50 units takes about 1.5 hours, including certificates and cdn access.
 - cost comparison: after automation, the total labor investment is about 10 hours (including testing and regression), and the labor cost is reduced to about $300, saving about $4,200.
 - operation results: the average online time per unit was reduced from 3 hours to 2 minutes, and the fault recovery time (mttr) was reduced from 3 hours to 20 minutes.
 6.
 performance and ddos defense configuration examples (including data sheet)
 - nginx current limiting example: limit_req_zone $binary_remote_addr zone=one:10m rate=10r/s; use limit_req zone=one burst=20 nodelay in location.
 - fail2ban policy: monitor nginx-login and ssh failures, and ban them for 1 hour by default after 10 failed attempts.
 - system kernel adjustment: increase tcp_max_syn_backlog to 10240 to reduce the impact of syn flooding.
 - cdn offloading: use cdn for static resources (ttl=1 hour), and implement firewall and rate control for dynamic interfaces.
 - the following table shows the comparison between test traffic and protection effect (sample data): 
 scene
 unprotected peak
 effective traffic after protection
 available bandwidth
 http request/s
 12000 r/s
 800 r/s
 2 gbps
 number of connections (concurrent)
 500k
 30k
 2 gbps
 7.
 operation and maintenance cost estimation and best practice summary
 - cost model example: labor cost is 30 us dollars/hour, manual configuration of a single machine takes 3 hours = 90 us dollars; the average cost of a single automated machine (script development + parallel deployment) is about 5 us dollars.
 - large-scale benefits: when the number of servers is >20, the automation investment payback period is usually achieved within 1-2 weeks.
 - security and compliance: incorporate automated scripts into ci/cd pipelines and perform code audits to ensure sensitive information (api key) is injected through the secret manager.
 - backup and recovery strategy: the script also configures the automatic snapshot strategy and regular backup of the database to off-site storage (such as object storage).
 - recommendation: start with a minimal runnable script (basic system + firewall + certificate) and gradually expand to complete monitoring and ddos automated response.