diff --git a/_installs/excalidraw.sh b/_installs/excalidraw.sh
new file mode 100755
index 0000000..588d136
--- /dev/null
+++ b/_installs/excalidraw.sh
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+mkdir -p /var/www/excalidraw/
+cd /var/www/excalidraw/
+git clone https://github.com/excalidraw/excalidraw.git .
+
+yarn
+yarn start
+# OR
+docker-compose up --build -d
+
+
+# OR
+docker build -t excalidraw/excalidraw .
+docker run --rm -dit --name excalidraw -p 5000:80 excalidraw/excalidraw:latest
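Review bot: The three install paths separated by `# OR` are not alternatives as written: run top to bottom, the script executes `yarn start`, then `docker-compose up --build -d`, then the `docker build` / `docker run` pair, so the unused paths need to be commented out or selected by an argument. `cd /var/www/excalidraw/` is unchecked, so if it fails the clone and the builds run in whatever directory the caller was in; `cd /var/www/excalidraw/ || exit 1` closes that. `-p 5000:80` publishes the container on every host interface; if it is meant to sit behind the reverse proxy, `-p 127.0.0.1:5000:80` keeps it off the public address. The clone also takes whatever the default branch holds at install time, so checking out a reviewed tag or commit before building would make the install reproducible.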
diff --git a/_installs/forgejo.sh b/_installs/forgejo.sh
index bd142a1..d17b53a 100755
--- a/_installs/forgejo.sh
+++ b/_installs/forgejo.sh
@@ -26,6 +26,10 @@ mkdir -p /home/git
chown git:git -R /home/git \
&& chmod -R 750 /home/git
+mkdir /usr/local/bin/data/forgejo-repositories
+chown git:git -R /usr/local/bin/data/forgejo-repositories \
+ && chmod -R 770 /usr/local/bin/data/forgejo-repositories
+
mkdir /var/lib/forgejo
chown git:git -R /var/lib/forgejo \
&& chmod -R 750 /var/lib/forgejo
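Review bot: The added `mkdir /usr/local/bin/data/forgejo-repositories` has no `-p`, so it fails when `/usr/local/bin/data` does not exist yet, and the `chown` / `chmod` that follow then run against a missing path with no error handling visible in the hunk. The mode also differs from its neighbours: `/home/git` and `/var/lib/forgejo` get 750 while the repository store gets 770, which adds group write. Unless another account in group `git` has to write there, `mkdir -p /usr/local/bin/data/forgejo-repositories` and `chmod -R 750` would match the rest; otherwise a comment naming who needs group write would help. The script continues outside this hunk.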
diff --git a/apache/web.apache.conf b/apache/web.apache.conf
new file mode 100644
index 0000000..a977967
--- /dev/null
+++ b/apache/web.apache.conf
@@ -0,0 +1,55 @@
+
+ ServerAdmin apache+web.dym.sh@dym.sh
+ ServerName web.dym.sh
+
+ DocumentRoot /var/www/web.dym.sh
+
+ Options FollowSymLinks Indexes MultiViews
+ AllowOverride All
+ Order allow,deny
+ Allow from all
+
+
+ DirectoryIndex index.php index.html
+ AllowEncodedSlashes NoDecode
+
+ HostnameLookups Off
+ UseCanonicalName Off
+ ServerSignature On
+
+ RewriteEngine On
+ RewriteCond %{HTTPS} off
+ RewriteCond %{HTTP:X-Forwarded-Proto} !https
+ RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
+
+
+
+
+ ServerAdmin apache+web.dym.sh@dym.sh
+ ServerName web.dym.sh
+
+ DocumentRoot /var/www/web.dym.sh
+
+ Options FollowSymLinks Indexes MultiViews
+ AllowOverride All
+ Order allow,deny
+ Allow from all
+
+
+ DirectoryIndex index.php index.html
+ AllowEncodedSlashes NoDecode
+
+ HostnameLookups Off
+ UseCanonicalName Off
+ ServerSignature On
+
+ SSLEngine on
+ Include /etc/letsencrypt/options-ssl-apache.conf
+
+ RewriteEngine On
+ RewriteCond %{HTTPS} off
+ RewriteCond %{HTTP:X-Forwarded-Proto} !https
+ RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
+ SSLCertificateFile /etc/letsencrypt/live/dym.sh/fullchain.pem
+ SSLCertificateKeyFile /etc/letsencrypt/live/dym.sh/privkey.pem
+
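Review bot: Both vhost bodies set `Options FollowSymLinks Indexes MultiViews` and `ServerSignature On`, so any directory under the DocumentRoot without an index file is listed to visitors and server-generated error pages carry the server identification footer. Unless listings are wanted, `Options FollowSymLinks MultiViews` and `ServerSignature Off` are the safer defaults, and `AllowOverride All` is worth narrowing because any `.htaccess` in the tree can otherwise turn them back on. `Order allow,deny` / `Allow from all` is the 2.2 access syntax, which on Apache 2.4 depends on mod_access_compat; `Require all granted` is the 2.4 form. The same lines appear in apache/zen.actor.conf. The `<VirtualHost>` and `<Directory>` container lines are not visible on this page, so the scope of each directive is inferred from the layout.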
diff --git a/apache/zen.actor.conf b/apache/zen.actor.conf
new file mode 100644
index 0000000..c11d472
--- /dev/null
+++ b/apache/zen.actor.conf
@@ -0,0 +1,57 @@
+
+ ServerAdmin apache+zen.actor@dym.sh
+ ServerName zen.actor
+ ServerAlias www.zen.actor
+
+ DocumentRoot /var/www/zen.actor
+
+ Options FollowSymLinks Indexes MultiViews
+ AllowOverride All
+ Order allow,deny
+ Allow from all
+
+
+ DirectoryIndex index.php index.html
+ AllowEncodedSlashes NoDecode
+
+ HostnameLookups Off
+ UseCanonicalName Off
+ ServerSignature On
+
+ RewriteEngine On
+ RewriteCond %{HTTPS} off
+ RewriteCond %{HTTP:X-Forwarded-Proto} !https
+ RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
+
+
+
+
+ ServerAdmin apache+zen.actor@dym.sh
+ ServerName zen.actor
+ ServerAlias www.zen.actor
+
+ DocumentRoot /var/www/zen.actor
+
+ Options FollowSymLinks Indexes MultiViews
+ AllowOverride All
+ Order allow,deny
+ Allow from all
+
+
+ DirectoryIndex index.php index.html
+ AllowEncodedSlashes NoDecode
+
+ HostnameLookups Off
+ UseCanonicalName Off
+ ServerSignature On
+
+ SSLEngine on
+ Include /etc/letsencrypt/options-ssl-apache.conf
+
+ RewriteEngine On
+ RewriteCond %{HTTPS} off
+ RewriteCond %{HTTP:X-Forwarded-Proto} !https
+ RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
+ SSLCertificateFile /etc/letsencrypt/live/zen.actor/fullchain.pem
+ SSLCertificateKeyFile /etc/letsencrypt/live/zen.actor/privkey.pem
+
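Review bot: The TLS vhost answers for `www.zen.actor` through `ServerAlias`, but nothing in the hunk shows that the certificate under `/etc/letsencrypt/live/zen.actor/` covers that name; if it does not, clients requesting the www host get a certificate name-mismatch error. A comment above the certificate lines such as `# cert must list zen.actor and www.zen.actor as SANs` would record the requirement for whoever renews or reissues it.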
diff --git a/nginx/gts.conf b/nginx/gts.conf
new file mode 100644
index 0000000..4e11c7f
--- /dev/null
+++ b/nginx/gts.conf
@@ -0,0 +1,56 @@
+server {
+ server_name dym.sh;
+ listen 80;
+ listen [::]:80;
+
+ location ~ /\.well-known/acme-challenge {
+ root /var/lib/letsencrypt/;
+ }
+ location / {
+ add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;
+ return 301 https://$server_name$request_uri;
+ }
+}
+
+server {
+ server_name dym.sh;
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ ssl_trusted_certificate /etc/letsencrypt/live/dym.sh/chain.pem;
+ ssl_certificate /etc/letsencrypt/live/dym.sh/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/dym.sh/privkey.pem;
+
+
+ location ~* ^\/(rss\/|feed\.xml|feed\.rss)$ {
+ add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;
+ return 301 https://$server_name/rss;
+ }
+
+ location ~* \/\.?rss$ {
+ types { } default_type "application/rss+xml; charset=utf-8";
+ root /var/www/dym.sh/;
+ }
+
+ location / {
+ root /var/www/dym.sh/;
+ try_files
+ $uri
+ $uri/
+ @gts;
+ }
+
+ client_max_body_size 2000M;
+ proxy_pass_request_headers on;
+
+ location @gts {
+ # set to 127.0.0.1 instead of localhost to work around https://stackoverflow.com/a/52550758
+ proxy_pass http://127.0.0.1:10099;
+ proxy_set_header Host $host;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+
+}
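Review bot: `Strict-Transport-Security` is attached only to the port-80 redirect and to the RSS redirect; browsers ignore HSTS received over plain HTTP, and the other locations in the TLS server, including `@gts`, send no such header. Moving it to the 443 server level, `add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;`, would cover those responses (a location that declares its own `add_header` does not inherit it and needs it repeated). `includeSubDomains` on `dym.sh` also commits every subdomain to HTTPS, which is worth checking against nginx/mail.conf, where port 80 still serves content. nginx/penpot.conf and nginx/web.conf have the same port-80-only placement.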
diff --git a/nginx/mail.conf b/nginx/mail.conf
new file mode 100644
index 0000000..3168090
--- /dev/null
+++ b/nginx/mail.conf
@@ -0,0 +1,39 @@
+server {
+ server_name mail.dym.sh;
+ listen 80;
+ listen [::]:80;
+
+ location ~ /\.well-known/acme-challenge {
+ root /var/lib/letsencrypt/;
+ }
+
+ location / {
+ proxy_pass http://127.0.0.1:11080;
+ proxy_set_header Host $host;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+}
+
+server {
+ server_name mail.dym.sh;
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ ssl_trusted_certificate /etc/letsencrypt/live/dym.sh/chain.pem;
+ ssl_certificate /etc/letsencrypt/live/dym.sh/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/dym.sh/privkey.pem;
+
+ location / {
+ proxy_pass http://127.0.0.1:11443;
+ proxy_set_header Host $host;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+
+ client_max_body_size 2000M;
+}
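Review bot: The port-80 server proxies `location /` to `http://127.0.0.1:11080` instead of redirecting, so whatever that backend serves is reachable over cleartext HTTP, unlike the gts, penpot and web vhosts in this commit, which answer port 80 with `return 301 https://$server_name$request_uri;`. If the backend is a webmail or admin interface (not visible from here), logins could cross the network unencrypted; using the same redirect in this block avoids that. If the backend issues its own redirect to HTTPS, a comment saying so would make the intent clear.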
diff --git a/nginx/penpot.conf b/nginx/penpot.conf
new file mode 100644
index 0000000..5df4bc9
--- /dev/null
+++ b/nginx/penpot.conf
@@ -0,0 +1,38 @@
+server {
+ server_name penpot.dym.sh;
+ listen 80;
+ listen [::]:80;
+
+ location ~ /\.well-known/acme-challenge {
+ root /var/lib/letsencrypt/;
+ }
+ location / {
+ add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;
+ return 301 https://$server_name$request_uri;
+ }
+}
+
+server {
+ server_name penpot.dym.sh;
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ ssl_trusted_certificate /etc/letsencrypt/live/dym.sh/chain.pem;
+ ssl_certificate /etc/letsencrypt/live/dym.sh/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/dym.sh/privkey.pem;
+
+
+ client_max_body_size 2000M;
+ proxy_pass_request_headers on;
+
+ location / {
+ proxy_pass http://127.0.0.1:9001;
+ proxy_set_header Host $host;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Forwarded-Proto $scheme;
+# add_header Content-Security-Policy "default-src 'self'; object-src 'none'; img-src 'self' blob: data:; media-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline';";
+ }
+
+}
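Review bot: The `Content-Security-Policy` line at the end of `location /` is committed commented out with no explanation, so nginx adds no CSP here and a reader cannot tell whether the policy was found to break the app or was simply never enabled. Either drop the line or keep it with a short reason, e.g. `# CSP disabled: <reason>; re-enable once verified against the app`. If it is enabled later, it would need the `always` flag to be sent on error responses too, as the HSTS header in this file has.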
diff --git a/nginx/web.conf b/nginx/web.conf
new file mode 100644
index 0000000..502cdcb
--- /dev/null
+++ b/nginx/web.conf
@@ -0,0 +1,27 @@
+server {
+ server_name web.dym.sh;
+ listen 80;
+ listen [::]:80;
+
+ location ~ /\.well-known/acme-challenge {
+ root /var/lib/letsencrypt/;
+ }
+ location / {
+ add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;
+ return 301 https://$server_name$request_uri;
+ }
+}
+
+server {
+ server_name web.dym.sh;
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ ssl_trusted_certificate /etc/letsencrypt/live/dym.sh/chain.pem;
+ ssl_certificate /etc/letsencrypt/live/dym.sh/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/dym.sh/privkey.pem;
+
+ location / {
+ root /var/www/web.dym.sh/;
+ }
+}