diff --git a/.zshrc b/.zshrc old mode 100644 new mode 100755 diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..b1334a5 --- /dev/null +++ b/LICENSE @@ -0,0 +1,5 @@ +Copyright (C) 2023 by Dym Sohin + +Permission to use, copy, modify, and/or distribute this software for any purpose with or without fee is hereby granted. + +THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. diff --git a/_install.sh b/_install.sh index eb9bb88..a60571e 100755 --- a/_install.sh +++ b/_install.sh @@ -1,19 +1,11 @@ -#!/bin/bash - +#!/bin/sh # latest git add-apt-repository -y \ ppa:git-core/ppa -apt-get update -y -apt-get install -y \ - git - -# upgrade +# core apps and utils apt-get upgrade -y - - -# all the tools apt-get install -y \ build-essential \ certbot \ @@ -22,6 +14,7 @@ apt-get install -y \ ffmpeg \ g++ \ ghostscript \ + git\ graphicsmagick \ imagemagick \ jpegoptim \ @@ -33,7 +26,7 @@ apt-get install -y \ pngquant \ postgresql \ postgresql-contrib \ - rmlint \ + rdfind \ sshfs \ ufw \ wget \ 
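Review bot: Changing the shebang to `#!/bin/sh` in the first hunk of `_install.sh` breaks the unchanged `source $HOME/.cargo/env` line at the end of the file (visible as context in the last `_install.sh` hunk), because `source` is a bash builtin that dash, Debian's `/bin/sh`, does not provide; use the POSIX form `. "$HOME/.cargo/env"` or keep `#!/bin/bash`. Dropping `apt-get update -y` also means the `apt-get upgrade -y` that now follows the PPA line runs against whatever package lists were cached beforehand unless `add-apt-repository` refreshed them on its own, which the script does not check; an explicit `apt-get update -y` before the upgrade costs nothing. Neither hunk adds `set -e`, so a failed step in the long install list is passed over silently.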
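Review bot: The added `git\` line in the second `_install.sh` hunk has no space before the backslash, so after line continuation the package name is separated from `graphicsmagick` only by whatever leading indentation the next context line happens to carry; if that indentation is ever trimmed the two words fuse into one package name. Write it as `git \` to match every neighbouring line.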
@@ -58,29 +51,29 @@ pipupgrade -y --pip --ignore-error # nodejs -rm -rf /usr/local/bin/npm /usr/local/share/man/man1/node* ~/.npm -rm -rf /usr/local/lib/node* -rm -rf /usr/local/bin/node* -rm -rf /usr/local/include/node* -apt-get purge nodejs npm -apt autoremove +rm -rf \ + /usr/local/bin/node* \ + /usr/local/bin/npm \ + /usr/local/include/node* \ + /usr/local/lib/node* \ + /usr/local/share/man/man1/node* \ + ~/.npm -wget 'https://nodejs.org/dist/v16.15.0/node-v16.15.0-linux-x64.tar.xz' -tar -xf 'node-v16.15.0-linux-x64.tar.xz' -rm 'node-v16.15.0-linux-x64.tar.xz' -mv node-v16.15.0-linux-x64/bin/* /usr/local/bin/ -mv node-v16.15.0-linux-x64/lib/node_modules/ /usr/local/lib/ +apt-get purge -y \ + nodejs npm +apt-get autoremove -y + +VER='18.18.1' +wget 'https://nodejs.org/dist/v$VER/node-v$VER-linux-x64.tar.xz' +tar -xf 'node-v$VER-linux-x64.tar.xz' +rm 'node-v$VER-linux-x64.tar.xz' +mv node-v$VER-linux-x64/bin/* \ + /usr/local/bin/ +mv node-v$VER-linux-x64/lib/node_modules/ \ + /usr/local/lib/ -npm i -g n -n lts npm i -g npm - -npm i -g svgo - - -# deno -curl -fsSL https://deno.land/install.sh \ - | sh +npm i -g n svgo # rust @@ -88,7 +81,9 @@ apt-get install -y \ openssl libssl1.1 libssl-dev \ libfreetype6-dev libfontconfig1-dev libxcb-xfixes0-dev -curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh +curl --proto '=https' \ + --tlsv1.2 -sSf 'https://sh.rustup.rs' \ + | sh source $HOME/.cargo/env diff --git a/_installs/caddy.sh b/_installs/caddy.sh new file mode 100755 index 0000000..7dc43e1 --- /dev/null +++ b/_installs/caddy.sh @@ -0,0 +1,5 @@ +apt-get install -y debian-keyring debian-archive-keyring apt-transport-https +curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg +curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | tee /etc/apt/sources.list.d/caddy-stable.list +apt-get update +apt-get install caddy 
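Review bot: The new `VER` variable is never expanded in the download and cleanup lines because they are single-quoted: `wget 'https://nodejs.org/dist/v$VER/node-v$VER-linux-x64.tar.xz'` requests a literal `$VER` path, and the following `tar -xf` and `rm` name a file that cannot exist, while the unquoted `mv node-v$VER-linux-x64/...` does expand and then fails on a missing directory. Switch those three lines to double quotes, e.g. `wget "https://nodejs.org/dist/v$VER/node-v$VER-linux-x64.tar.xz"`. No `set -e` appears in the visible hunks, so each failure is passed over and `npm i -g npm` then runs against whatever node is still on the system. The tarball is also installed without being checked against the SHASUMS256.txt that nodejs.org publishes next to it; a `sha256sum -c` step before `tar -xf` would close that gap. `_installs/nodejs.sh` in this same commit pins `18.18.0` rather than `18.18.1`, so one of the two is presumably stale.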
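Review bot: `apt-get install caddy` on the last line of `caddy.sh` lacks `-y`, unlike the first line of the same file, so an unattended run stalls at the confirmation prompt; write `apt-get install -y caddy`. The file also has no shebang and no `set -e`, so if the `curl -1sLf ... | gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg` step fails, an empty or partial keyring is left in place and the later `apt-get update` error is ignored. Adding `#!/bin/sh` and `set -e` at the top, as `forgejo.sh` in this commit does for the shebang, would make that failure visible.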
diff --git a/_installs/certbot.sh b/_installs/certbot.sh index 2cad9df..a9fbaa9 100755 --- a/_installs/certbot.sh +++ b/_installs/certbot.sh @@ -1,8 +1,11 @@ #!/usr/bin/zsh -sudo apt-get remove -y \ +apt-get remove -y \ python3-cryptography +apt-get install -y python3-pip + + pip3 install \ certbot \ cryptography @@ -13,10 +16,8 @@ certbot certonly \ -d '*.source.garden' \ --email 'certbot+source.garden@dym.sh' \ --agree-tos \ - --manual-public-ip-logging-ok \ --renew-by-default \ --rsa-key-size 4096 \ - --no-bootstrap \ --manual \ --preferred-challenges dns-01 \ --server https://acme-v02.api.letsencrypt.org/directory @@ -27,10 +28,8 @@ certbot certonly \ -d '*.dym.sh' \ --email 'certbot+dym.sh@dym.sh' \ --agree-tos \ - --manual-public-ip-logging-ok \ --renew-by-default \ --rsa-key-size 4096 \ - --no-bootstrap \ --manual \ --preferred-challenges dns-01 \ --server https://acme-v02.api.letsencrypt.org/directory diff --git a/_installs/fojego.sh b/_installs/fojego.sh deleted file mode 100755 index 8cc7a1d..0000000 --- a/_installs/fojego.sh +++ /dev/null 
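Review bot: `apt-get remove -y python3-cryptography` on the second line will also remove every apt package that depends on it, which on Debian likely includes the `certbot` that `_install.sh` installs from apt earlier in this commit, after which the pip-installed certbot from the next lines takes over the same name on PATH. If mixing apt and pip is intended, a comment saying so would help; otherwise installing into a dedicated virtualenv (`python3 -m venv /opt/certbot && /opt/certbot/bin/pip install certbot cryptography`) avoids overwriting Debian-managed modules in the system site-packages. The file keeps `#!/usr/bin/zsh` while the rest of the commit moves scripts to `#!/bin/sh`, and with `sudo` removed it now has to run as root with nothing checking that it does.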
@@ -1,51 +0,0 @@ -apt-get install -y \ - git git-lfs - -wget https://codeberg.org/forgejo/forgejo/releases/download/v1.19.3-0/forgejo-1.19.3-0-linux-amd64 -chmod +x forgejo-1.19.3-0-linux-amd64 - -gpg --keyserver keys.openpgp.org --recv EB114F5E6C0DC2BCDD183550A4B61A2DC5923710 -wget https://codeberg.org/forgejo/forgejo/releases/download/v1.19.3-0/forgejo-1.19.3-0-linux-amd64.asc -gpg --verify forgejo-1.19.3-0-linux-amd64.asc forgejo-1.19.3-0-linux-amd64 - -mv forgejo-1.19.3-0-linux-amd64 /usr/local/bin/forgejo -chmod 755 /usr/local/bin/forgejo - - -groupadd --system git - -adduser --system --shell /bin/bash --comment 'Git Version Control' \ - --gid git --home-dir /home/git --create-home git - -mkdir /var/lib/forgejo -chown git:git /var/lib/forgejo \ - && chmod 750 /var/lib/forgejo - -mkdir /usr/local/bin/data -chown root:git /usr/local/bin/data \ - && chmod 770 /usr/local/bin/data - -mkdir /usr/local/bin/log -chown root:git /usr/local/bin/log \ - && chmod 770 /usr/local/bin/log - -mkdir /usr/local/bin/custom -chown root:git /usr/local/bin/custom \ - && chmod 770 /usr/local/bin/custom - -mkdir /etc/forgejo -chown root:git /etc/forgejo \ - && chmod 770 /etc/forgejo - - -wget -O \ - /etc/systemd/system/forgejo.service \ - 'https://codeberg.org/forgejo/forgejo/raw/branch/forgejo/contrib/systemd/forgejo.service' - -# If you’re not using sqlite, but MySQL or MariaDB or PostgreSQL, you’ll have to edit that file (/etc/systemd/system/forgejo.service) and uncomment the corresponding Wants= and After= lines. Otherwise it should work as it is. - -systemctl enable forgejo.service -systemctl start forgejo.service - -# open http://source.garden:3000 - diff --git a/_installs/forgejo.sh b/_installs/forgejo.sh new file mode 100755 index 0000000..b5f2821 --- /dev/null +++ b/_installs/forgejo.sh 
@@ -0,0 +1,71 @@ +#!/bin/sh + +apt-get install -y \ + git git-lfs + +VER='1.20.4-1' + +wget "https://codeberg.org/forgejo/forgejo/releases/download/v$VER/forgejo-$VER-linux-amd64.xz" +xz -d "forgejo-$VER-linux-amd64.xz" + +gpg --keyserver keys.openpgp.org \ + --recv EB114F5E6C0DC2BCDD183550A4B61A2DC5923710 +wget "https://codeberg.org/forgejo/forgejo/releases/download/v$VER/forgejo-$VER-linux-amd64.asc" +gpg --verify "forgejo-$VER-linux-amd64.asc forgejo-$VER-linux-amd64" + +chmod +x "forgejo-$VER-linux-amd64" +mv "forgejo-$VER-linux-amd64" \ + /usr/local/bin/forgejo +chmod -R 755 /usr/local/bin/forgejo + + +groupadd --system git +adduser --system \ + --ingroup git \ + git + +mkdir -p /home/git +chown git:git -R /home/git \ + && chmod -R 750 /home/git + +mkdir /var/lib/forgejo +chown git:git -R /var/lib/forgejo \ + && chmod -R 750 /var/lib/forgejo + +mkdir /usr/local/bin/data +chown root:git -R /usr/local/bin/data \ + && chmod -R 770 /usr/local/bin/data + +mkdir /usr/local/bin/log +chown root:git -R /usr/local/bin/log \ + && chmod -R 770 /usr/local/bin/log + +mkdir /usr/local/bin/custom +chown root:git -R /usr/local/bin/custom \ + && chmod -R 770 /usr/local/bin/custom + +mkdir /etc/forgejo +chown root:git -R /etc/forgejo \ + && chmod -R 770 /etc/forgejo + +chown root:git /usr/local/bin/custom/conf/app.ini \ + && chmod 770 /usr/local/bin/custom/conf/app.ini + + +# test with `su - git -c 'forgejo'` + + +wget -O \ + /etc/systemd/system/forgejo.service \ + 'https://codeberg.org/forgejo/forgejo/raw/branch/forgejo/contrib/systemd/forgejo.service' + +chown root:git /etc/systemd/system/forgejo.service +chmod 770 /etc/systemd/system/forgejo.service + +# If you’re not using sqlite, but MySQL or MariaDB or PostgreSQL, you’ll have to edit that file (/etc/systemd/system/forgejo.service) and uncomment the corresponding Wants= and After= lines. Otherwise it should work as it is. 
+ +systemctl enable forgejo.service +systemctl start forgejo.service + + +# open http://source.garden:3000 diff --git a/_installs/gotosocial.sh b/_installs/gotosocial.sh index 10ded51..516b5bf 100755 --- a/_installs/gotosocial.sh +++ b/_installs/gotosocial.sh @@ -27,4 +27,4 @@ killall gotosocial systemctl start gotosocial.service -curl -L https://dym.sh/.well-known/webfinger\?resource\=acct:dym@dym.com +curl -L 'https://dym.sh/.well-known/webfinger?resource=acct:dym@dym.sh' diff --git a/_installs/nextcloud.sh b/_installs/nextcloud.sh index 28956d0..289f64d 100755 --- a/_installs/nextcloud.sh +++ b/_installs/nextcloud.sh @@ -1,15 +1,16 @@ curl -fsSL https://get.docker.com | sudo sh -sudo docker run \ ---sig-proxy=false \ ---name nextcloud-aio-mastercontainer \ ---restart always \ ---publish 80:80 \ ---publish 8080:8080 \ ---publish 8443:8443 \ ---volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config \ ---volume /var/run/docker.sock:/var/run/docker.sock:ro \ -nextcloud/all-in-one:latest +docker run \ + --init \ + --sig-proxy=false \ + --name nextcloud-aio-mastercontainer \ + --restart always \ + --publish 8080:8080 \ + --env APACHE_PORT=11000 \ + --env APACHE_IP_BINDING=0.0.0.0 \ + --volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config \ + --volume /var/run/docker.sock:/var/run/docker.sock:ro \ + nextcloud/all-in-one:latest firefox 'https://:8080' diff --git a/_installs/nodejs.sh b/_installs/nodejs.sh index b7db036..f852da9 100755 --- a/_installs/nodejs.sh +++ b/_installs/nodejs.sh 
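Review bot: The signature check `gpg --verify "forgejo-$VER-linux-amd64.asc forgejo-$VER-linux-amd64"` passes both file names as one quoted argument, so gpg looks for a single file with a space in its name, fails, and — because nothing in the file stops on error — the unverified binary is installed anyway by the `chmod`/`mv` lines that follow. Quote the names separately and abort on failure: `gpg --verify "forgejo-$VER-linux-amd64.asc" "forgejo-$VER-linux-amd64" || exit 1`. Further down, `chown root:git /etc/systemd/system/forgejo.service` with `chmod 770` makes the unit file group-writable by the `git` account the service presumably runs under, so a compromise of that account could edit the unit and have systemd run commands as root on the next restart; unit files should stay `root:root` with mode `644`. The `chown root:git /usr/local/bin/custom/conf/app.ini` line runs before anything creates `custom/conf`, so it fails silently as well.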
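Review bot: The new `--env APACHE_IP_BINDING=0.0.0.0` together with `--publish 8080:8080` in `nextcloud.sh` exposes both the AIO Apache and the admin interface on every interface of the host; if, as the added `APACHE_PORT=11000` suggests, a reverse proxy on the same host is meant to front it, bind both to loopback instead: `--publish 127.0.0.1:8080:8080` and `--env APACHE_IP_BINDING=127.0.0.1`. The unchanged first line `curl -fsSL https://get.docker.com | sudo sh` still uses sudo while the rewritten `docker run` no longer does, so the privilege level the script expects is now inconsistent.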
@@ -2,31 +2,29 @@ # optional: remove old installs -sudo apt purge -y \ +apt purge -y \ nodejs npm -sudo apt autoremove -y +apt autoremove -y -sudo rm /usr/bin/node -sudo rm /usr/bin/npm -sudo rm -rf /usr/share/npm -sudo rm -rf /usr/share/nodejs +rm /usr/bin/node +rm /usr/bin/npm +rm -rf /usr/share/npm +rm -rf /usr/share/nodejs +VER='18.18.0' -# install node + npm -wget -O 'node.xz' \ - 'https://nodejs.org/dist/v18.16.0/node-v18.16.0-linux-x64.tar.xz' -tar -xf 'node.xz' -rm 'node.xz' -sudo mv node-v18.16.0-linux-x64/bin/* /usr/local/bin/ -sudo mv node-v18.16.0-linux-x64/lib/node_modules/ /usr/local/lib/ +mv node-v$VER-linux-x64/bin/* \ + /usr/local/bin/ +mv node-v$VER-linux-x64/lib/node_modules/ \ + /usr/local/lib/ -sudo mkdir -p \ +mkdir -p \ '/usr/lib/nodejs' \ '/usr/lib/node_modules' # fix permissions -sudo chown -R $USER:$USER \ +chown -R $USER:$USER \ '/usr/local' \ '/usr/share' \ '/usr/lib/nodejs' \ diff --git a/_installs/postgres-15.sh b/_installs/postgres-15.sh new file mode 100755 index 0000000..a80ceff --- /dev/null +++ b/_installs/postgres-15.sh @@ -0,0 +1,36 @@ +#!/usr/bin/zsh + +apt update +apt upgrade +apt install software-properties-common apt-transport-https curl -y + +curl -fsSl https://www.postgresql.org/media/keys/ACCC4CF8.asc | gpg --dearmor | tee /usr/share/keyrings/postgresql.gpg > /dev/null + +sh -c 'echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" > /etc/apt/sources.list.d/pgdg.list' + +wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add - + +apt-get -y update +apt-get install postgresql-15 -y + +systemctl enable postgresql +systemctl start postgresql +systemctl status postgresql + +ss -antpl | grep 5432 + +systemctl start \ + postgresql postgresql-client + + +nano /etc/postgresql/15/main/pg_hba.conf +# `local all all trust` + +systemctl restart postgresql + +# psql -U postgres +su postgres -c psql +``` +ALTER USER postgres WITH PASSWORD 'postgres'; +exit; +``` 
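Review bot: This hunk deletes the `wget -O 'node.xz'` and `tar -xf 'node.xz'` lines but keeps `mv node-v$VER-linux-x64/bin/* /usr/local/bin/`, so nothing downloads or unpacks the archive any more and both `mv` lines fail on a directory that does not exist; the new `VER='18.18.0'` is read only by commands that cannot succeed. Either restore the download using the variable, e.g. `wget -O node.xz "https://nodejs.org/dist/v$VER/node-v$VER-linux-x64.tar.xz"` followed by `tar -xf node.xz`, or say in a comment that the extracted directory is expected to be present. Dropping `sudo` from `chown -R $USER:$USER '/usr/local' '/usr/share' ...` also changes who ends up owning those trees: in a root shell `$USER` is typically `root`, but under `sudo sh nodejs.sh` it is the invoking user, which hands an unprivileged account write access to directories root executes binaries from; `$USER` should at least be quoted. The version here also disagrees with the `18.18.1` in `_install.sh` from the same commit.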
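Review bot: In `postgres-15.sh` the key is dearmored into `/usr/share/keyrings/postgresql.gpg` but the `pgdg.list` entry written on the next line does not reference it with `signed-by=`, so apt never uses that keyring; trust instead comes from the deprecated `apt-key add -` line, which on Debian 11 warns and adds the key to the global trusted set for every repository. Use one mechanism: `deb [signed-by=/usr/share/keyrings/postgresql.gpg] http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main` and drop the `apt-key` line. `apt upgrade` near the top has no `-y`, so an unattended run stops at a prompt, and `curl -fsSl` uses lowercase `-l` (FTP list-only) where `-L` was presumably meant. The `local all all trust` edit to `pg_hba.conf` and `ALTER USER postgres WITH PASSWORD 'postgres'` leave local superuser access with no effective authentication, while the mysql scripts in this same commit replace their literal passwords with `STRONG_PASSWORD_*` placeholders — the same treatment belongs here.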
diff --git a/_installs/postgres.sh b/_installs/postgres.sh deleted file mode 100755 index cd8a184..0000000 --- a/_installs/postgres.sh +++ /dev/null @@ -1,46 +0,0 @@ -#!/usr/bin/zsh - -# Postgres - -# the `lsb_release` prints linux-mint's codename -# of which pg has no idea, so -U='UBUNTU_CODENAME=' -DISTRO=`cat '/etc/os-release' | grep "$U"` -if [ ! -z "$DISTRO" ]; then - DISTRO="${DISTRO/$U/}" -else - DISTRO=`lsb_release -cs` -fi -echo "DISTRO: '$DISTRO'" - - -SRC="deb http://apt.postgresql.org/pub/repos/apt $DISTRO-pgdg main" -sudo sh -c \ - "echo '$SRC' > /etc/apt/sources.list.d/pgdg.list" - -wget --quiet -O - 'https://www.postgresql.org/media/keys/ACCC4CF8.asc' \ - | sudo apt-key add - - -curl -sS 'https://www.postgresql.org/media/keys/ACCC4CF8.asc' \ - | gpg --dearmor \ - | sudo tee /etc/apt/trusted.gpg.d/postgresql.gpg - -sudo apt update -y -sudo apt install -y \ - postgresql-14 - -psql --version - -sudo systemctl start \ - postgresql-14 postgresql-client-14 - -sudo nano /etc/postgresql/14/main/pg_hba.conf -# `local all all trust` - -sudo systemctl restart postgresql.service - -psql -U postgres -``` -ALTER USER postgres WITH PASSWORD 'postgres'; -exit; -``` diff --git a/git/server-www.sh b/git/server-www.sh new file mode 100755 index 0000000..1f6a92a --- /dev/null +++ b/git/server-www.sh 
@@ -0,0 +1,54 @@ +#!/bin/sh + +DOMAIN='_homepage' + +PROJ='$1' +HOST='test-01' + +# git +adduser git +mkdir '/home/git/.ssh' +nano '/home/git/.ssh/authorized_keys' + +# new repo +git init --bare '/home/git/repos/$HOST' +mkdir -p '/var/www/$HOST/' +git clone '/home/git/repos/$HOST' '/var/www/$HOST' + +# post-push resolving +cd '/home/git/repos/$HOST/' +exec git-update-server-info +echo '#!/bin/sh +cd "/var/www/$HOST/" || exit +unset GIT_DIR +git pull +exec git-update-server-info +' > '/home/git/repos/$HOST/hooks/post-update' +chmod +x '/home/git/repos/$HOST/hooks/post-update' + + +# access rights +chown -R git:git '/home/git' +chown -R git:www-data '/home/git/repos' +chmod -R 755 '/home/git/repos' + + +# cd /var/www/$HOST/public/www/ +# ln -s ../../static ./ + +# adduser www +# usermod -aG www-data www +usermod -aG www-data git +chown -R git:www-data '/var/www/$HOST' +chmod -R 755 '/var/www/$HOST' + + +# mkdir '/var/www/$HOST/uploads' +# touch '/var/www/$HOST/nohup.out' +# touch '/var/www/$HOST/log.txt' + +# starting scripts +# chown -R www:www-data '/var/www/$HOST' +# su - www -c 'cd /var/www/$HOST && ./start' +# echo '@reboot su - www -c 'cd /var/www/$HOST && ./start'' \ +# >> /etc/crontab diff --git a/git/setup-local.sh b/git/setup-local.sh new file mode 100755 index 0000000..77c6e59 --- /dev/null +++ b/git/setup-local.sh @@ -0,0 +1,13 @@ +#!/bin/sh + +SERVER_ID='' + +ssh-copy-id -i ~/.ssh/server_root.pub "root@$SERVER_ID" +ssh-copy-id -i ~/.ssh/server_www.pub "www@$SERVER_ID" +ssh-copy-id -i ~/.ssh/server_git.pub "git@$SERVER_ID" + +cd "/Site/$SERVER_ID" + +git remote add prod "webing-poligon-git:~/repos/digisign" +git push prod --all --force +git push prod --tags --force diff --git a/git/setup-server.sh b/git/setup-server.sh new file mode 100755 index 0000000..feacad6 --- /dev/null +++ b/git/setup-server.sh 
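Review bot: `exec git-update-server-info` under `# post-push resolving` in `server-www.sh` replaces the shell with that command, so the script ends there and nothing below it — the hook, the `chown`/`chmod` lines and `usermod` — ever runs; it should be plain `git update-server-info`. Every path in the file is single-quoted (`PROJ='$1'`, `git init --bare '/home/git/repos/$HOST'`, `mkdir -p '/var/www/$HOST/'`, and so on), so `$HOST` and `$1` are never expanded and the repository is created under a directory literally named `$HOST`; these need double quotes. The hook written with `echo '...' > '/home/git/repos/$HOST/hooks/post-update'` has the problem twice over: the target path is literal, and the `cd "/var/www/$HOST/"` inside it will run on the server with `$HOST` unset, so the value has to be baked in at write time (close the single quote around it, or use an unquoted heredoc). `DOMAIN` and `PROJ` are assigned and never used.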
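Review bot: `SERVER_ID=''` in `setup-local.sh` is empty and nothing in the file sets or checks it, so the three `ssh-copy-id` lines target `root@`, `www@` and `git@` and `cd "/Site/$SERVER_ID"` changes into `/Site/`; a guard such as `: "${SERVER_ID:?set the server id}"` would stop the script early. The `git remote add prod "webing-poligon-git:~/repos/digisign"` line does not use `SERVER_ID` at all, so it is unclear whether the remote is meant to be the same host. `git push prod --all --force` and `--tags --force` overwrite whatever the server already has; if this is a one-time bootstrap, a comment saying so would save the next reader from running it against a live repository.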
@@ -0,0 +1,34 @@ +#!/usr/bin/env bash +# update current +apt-get update -y +apt-get upgrade -y + + +# sys, tools +apt-get install -y \ + zsh curl wget git \ + g++ make clang build-essential \ + rmlint ffmpeg lynx \ + net-tools usrmerge \ + imagemagick graphicsmagick ghostscript \ + jpegoptim pngquant pngcrush + + +# users + +adduser git +mkdir '/home/git/.ssh' +touch '/home/git/.ssh/authorized_keys' + # add ssh-key for git + +adduser www +mkdir '/home/www/.ssh' +touch '/home/www/.ssh/authorized_keys' + # add ssh-key for www + +usermod -aG www-data www +usermod -aG www-data git + + +# access rights +chown -R www:www-data '/var/www/site/' diff --git a/meta.kdl b/meta.kdl new file mode 100644 index 0000000..4f5812c --- /dev/null +++ b/meta.kdl @@ -0,0 +1,7 @@ +title "server-debian" +description "setup site, mail, git, etc" +media-type "cli" +tags "config" "scripts" "docs" +license "0BSD" +homepage "https://dym.sh/server-debian/" +source "https://source.garden/config/server-debian/" diff --git a/mysql/_install.sh b/mysql/_install.sh index ed175af..6aaf061 100755 --- a/mysql/_install.sh +++ b/mysql/_install.sh @@ -23,8 +23,8 @@ sudo killall -9 mysql_secure_installation sudo mysql -u root --skip-password ``` -ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY 'my very strong password !123'; -CREATE USER 'admin'@'localhost' IDENTIFIED BY 'my very strong password !123'; +ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY 'STRONG_PASSWORD_ROOT'; +CREATE USER 'admin'@'localhost' IDENTIFIED BY 'STRONG_PASSWORD_ADMIN'; GRANT ALL PRIVILEGES ON *.* TO 'admin'@'localhost'; FLUSH PRIVILEGES; EXIT; diff --git a/mysql/mysql_wordpress.sh b/mysql/mysql_wordpress.sh index 230ad9b..513264f 100755 --- a/mysql/mysql_wordpress.sh +++ b/mysql/mysql_wordpress.sh 
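Review bot: `mkdir '/home/git/.ssh'` and `touch '/home/git/.ssh/authorized_keys'` in `setup-server.sh` run as root right after `adduser git`, so the directory and file end up owned by root with the default umask rather than by `git` with modes 700/600, and the `git` account cannot manage its own keys; `install -d -m 700 -o git -g git /home/git/.ssh` followed by `install -m 600 -o git -g git /dev/null /home/git/.ssh/authorized_keys` gives the conventional ownership, and the same applies to the `www` block below it. The closing `chown -R www:www-data '/var/www/site/'` hardcodes `/var/www/site/` while `git/server-www.sh` in this commit works under `/var/www/$HOST`, so one of the two paths looks stale. This file also installs `rmlint`, which `_install.sh` in the same commit swaps for `rdfind`.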
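Review bot: Replacing the literal password with `STRONG_PASSWORD_ROOT` / `STRONG_PASSWORD_ADMIN` in the `ALTER USER` and `CREATE USER` lines of `mysql/_install.sh` only changes the working tree; the previous value stays in this repository's history, so if it was ever used on a real server the `root@localhost` and `admin@localhost` credentials should be rotated rather than just edited out. The same applies to the `db_admin` password replaced in `mysql/mysql_wordpress.sh` in this commit. A short comment above the fenced block, e.g. `# replace STRONG_PASSWORD_* before running; never commit the real value`, would make the placeholder intent explicit.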
@@ -9,7 +9,7 @@ systemctl status mysql.service mysql -u root ```sql CREATE DATABASE wp; -CREATE USER 'db_admin'@'localhost' IDENTIFIED BY 'BjMPUpXtlUBHSr=l-TWYKHwCI7DPjF1YJMo2qpjW8LQI3Rk=EVKevexq6r3b+c6Ggf-cpk65nB-m8w=2'; +CREATE USER 'db_admin'@'localhost' IDENTIFIED BY 'STRONG_PASSWORD'; GRANT ALL PRIVILEGES ON wp.* TO 'db_admin'@'localhost'; FLUSH PRIVILEGES; EXIT; diff --git a/nginx/dym.sh--gts.conf b/nginx/dym.sh.conf similarity index 93% rename from nginx/dym.sh--gts.conf rename to nginx/dym.sh.conf index 4e11c7f..df00d13 100644 --- a/nginx/dym.sh--gts.conf +++ b/nginx/dym.sh.conf @@ -44,7 +44,6 @@ server { proxy_pass_request_headers on; location @gts { - # set to 127.0.0.1 instead of localhost to work around https://stackoverflow.com/a/52550758 proxy_pass http://127.0.0.1:10099; proxy_set_header Host $host; proxy_set_header Upgrade $http_upgrade; diff --git a/nginx/ipv6.sh b/nginx/ipv6.sh deleted file mode 100755 index 1ee2f11..0000000 --- a/nginx/ipv6.sh +++ /dev/null @@ -1,11 +0,0 @@ -#!/usr/bin/zsh - -# enable_ipv6 - -ip addr add 2a02:c206:3009:9964::1/112 dev eth0 -ip -6 addr show - -ip route add default via fe80::1 dev eth0 -ip -6 route show - -ping -6 2a02:c206:3009:9964::1 diff --git a/nginx/mailcow.conf b/nginx/mailcow.conf deleted file mode 100644 index 3492200..0000000 --- a/nginx/mailcow.conf +++ /dev/null 
@@ -1,43 +0,0 @@ -server { - listen 80 default_server; - listen [::]:80; - server_name mail.*; - - # For SSL domain validation - root /var/www/html; - location /.well-known/acme-challenge/ { allow all; } - location /.well-known/pki-validation/ { allow all; } - location / { return 301 https://$server_name$request_uri; } -} - -server { - listen 443 ssl http2 default_server; - listen [::]:443 ssl http2; - server_name mail.*; - - ssl_certificate /opt/mailcow-dockerized/data/assets/ssl/cert.pem; - ssl_certificate_key /opt/mailcow-dockerized/data/assets/ssl/key.pem; - ssl_dhparam /etc/nginx/ssl/dhparam.pem; - ssl_ecdh_curve secp384r1; - - ssl_session_timeout 7d; - ssl_protocols TLSv1.2 TLSv1.3; - ssl_prefer_server_ciphers on; - ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!DH:!ADH:!EDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!AES256-GCM-SHA384'; - - # Change to your upload limit - client_max_body_size 500m; - - location / { - proxy_pass http://127.0.0.1:10080; - proxy_buffer_size 128k; - proxy_buffers 64 512k; - proxy_busy_buffers_size 512k; - proxy_set_header X-Forwarded-Proto $scheme; - client_max_body_size 0; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_redirect off; - } -} 
diff --git a/nginx/nginx.conf b/nginx/nginx.conf deleted file mode 100644 index bad362f..0000000 --- a/nginx/nginx.conf +++ /dev/null @@ -1,71 +0,0 @@ -user www-data; -worker_processes auto; -pid /run/nginx.pid; -include /etc/nginx/modules-enabled/*.conf; - -events { - worker_connections 768; - # multi_accept on; -} - -http { - error_log /var/log/nginx/error.log; - - sendfile on; - tcp_nopush on; - tcp_nodelay on; - keepalive_timeout 65; - types_hash_max_size 2048; - # server_tokens off; - - server_names_hash_bucket_size 128; - # server_name_in_redirect off; - - include /etc/nginx/mime.types; - default_type application/octet-stream; - - - client_max_body_size 1024m; - - ssl_session_timeout 1d; - ssl_session_cache shared:MozSSL:10m; - ssl_session_tickets off; - ssl_protocols TLSv1.2 TLSv1.3; - ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; - ssl_prefer_server_ciphers off; - ssl_ecdh_curve X25519:prime256v1:secp384r1:secp521r1; - ssl_stapling on; - ssl_stapling_verify on; - - gzip on; - gzip_vary on; - gzip_proxied any; - gzip_comp_level 6; - gzip_buffers 16 8k; - gzip_http_version 1.1; - - gzip_types application/activity+json - application/atom+xml - application/javascript - application/json - application/manifest+json - application/rss+xml - application/xml - text/cache-manifest - text/calendar - text/css - text/javascript - text/markdown - text/plain - text/vcard - text/vnd.wap.wml - text/vtt - text/x-component - text/xml - ; - - index index.html; - - include /etc/nginx/conf.d/*.conf; - include /etc/nginx/sites-enabled/*; -} diff --git a/nginx/poste.conf b/nginx/poste.conf deleted file mode 100644 index e5bc925..0000000 --- a/nginx/poste.conf +++ /dev/null 
@@ -1,19 +0,0 @@ -server { - server_name mx.dym.sh; - listen 80; - listen [::]:80; - - location ~ /\.well-known/acme-challenge { - root /var/lib/letsencrypt/; - } -} - -server { - server_name mx.dym.sh; - listen 443 ssl http2; - listen [::]:443 ssl http2; - - ssl_trusted_certificate /etc/letsencrypt/live/dym.sh/chain.pem; - ssl_certificate /etc/letsencrypt/live/dym.sh/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/dym.sh/privkey.pem; -} diff --git a/nginx/source.garden.conf b/nginx/source.garden.conf deleted file mode 100644 index c6cde5f..0000000 --- a/nginx/source.garden.conf +++ /dev/null @@ -1,43 +0,0 @@ -server { - server_name source.garden; - listen 80; - listen [::]:80; - - location ~ /\.well-known/acme-challenge { - root /var/lib/letsencrypt/; - } - location / { - add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always; - return 301 https://$server_name$request_uri; - } -} - -server { - server_name source.garden; - listen 443 ssl http2; - listen [::]:443 ssl http2; - - ssl_trusted_certificate /etc/letsencrypt/live/source.garden-0002/chain.pem; - ssl_certificate /etc/letsencrypt/live/source.garden-0002/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/source.garden-0002/privkey.pem; - - location / { - root /var/www/source.garden/; - try_files - $uri - $uri/ - @forgejo; - } - - location @forgejo { - # set to 127.0.0.1 instead of localhost to work around https://stackoverflow.com/a/52550758 - proxy_pass http://127.0.0.1:3000; - proxy_set_header Host $host; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - proxy_set_header X-Forwarded-For $remote_addr; - proxy_set_header X-Forwarded-Proto $scheme; - } - - client_max_body_size 2000M; -} diff --git a/poste-io/@reboot.sh b/poste-io/@reboot.sh index 5a0ebfb..26dd6dd 100755 --- a/poste-io/@reboot.sh +++ b/poste-io/@reboot.sh 
@@ -6,8 +6,8 @@ pkill sendmail # stop and remove old container docker stop mailserver -docker rm `docker ps -a -q` -docker container rm -f `docker ps -a -q` +docker rm mailserver +docker container rm -f mailserver docker container prune # update container docker pull analogic/poste.io @@ -17,14 +17,14 @@ docker run \ --detach \ --restart always \ --name 'mailserver' \ - --hostname 'mx.dym.sh' \ + --hostname 'mail.dym.sh' \ --publish 25:25 \ --publish 143:143 \ --publish 587:587 \ --publish 993:993 \ --publish 4190:4190 \ - --publish 12080:80 \ - --publish 12443:443 \ + --publish 11080:80 \ + --publish 11443:443 \ --volume /etc/localtime:/etc/localtime:ro \ --volume /var/mail/data:/data \ --tty analogic/poste.io diff --git a/readme.md b/readme.md new file mode 100644 index 0000000..b82a28f --- /dev/null +++ b/readme.md @@ -0,0 +1,5 @@ +# server-debian + +> setup site, mail, git, etc + +implied use of Debian 11 \ No newline at end of file diff --git a/scripts/purge b/scripts/purge new file mode 100755 index 0000000..4f8f826 --- /dev/null +++ b/scripts/purge @@ -0,0 +1,35 @@ +#!/usr/bin/zsh + +# purge memory +free -h + +echo "clearing memory" +sudo sync +sudo sh -c 'echo 3 > /proc/sys/vm/drop_caches' +free -h + + +# clear logs +echo "clearing /var/log" +sudo du -hs /var/log +sudo find /var/log -type f -delete +sudo du -hs /var/log + +# +rm -rf /var/lib/systemd/coredump/* + +echo "clearing /etc/nginx/logs" +sudo du -hs /etc/nginx/logs +sudo find /etc/nginx/logs -type f -delete +sudo du -hs /etc/nginx/logs + +rm ~/.xsession-errors* + + +# relete occasional junk +rm ~/rmlint.* + +# empty trash +rm -rf ~/.local/share/Trash + +sudo rm -rf /.Trash-1000 diff --git a/ssh/sshd_config b/ssh/sshd_config new file mode 100644 index 0000000..234e00c --- /dev/null +++ b/ssh/sshd_config 
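Review bot: The renumbered `--publish 11080:80` and `--publish 11443:443` in `@reboot.sh` still bind on every interface of the host, so the container's plain-HTTP web UI is reachable directly on port 11080; if a reverse proxy on the same host fronts it, as the non-standard port numbers suggest, `--publish 127.0.0.1:11080:80` and `--publish 127.0.0.1:11443:443` keep it on loopback. A comment recording why the hostname moved from `mx.dym.sh` to `mail.dym.sh` would also help, since the value ends up in the server's HELO and certificate and other files in this commit still reference `mx.`.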
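Review bot: `sudo find /var/log -type f -delete` in `scripts/purge` removes every file under `/var/log`, including `auth.log`, the systemd journal and logs that running daemons hold open, so besides erasing the only record of logins and package changes it may leave services writing to unlinked files until they are restarted, without reclaiming the space. `journalctl --vacuum-size=100M` plus `logrotate -f /etc/logrotate.conf` (the size is an example) trims logs without destroying the audit trail; the same holds for the `/etc/nginx/logs` block. The file mixes `sudo` on some lines with bare `rm -rf /var/lib/systemd/coredump/*` and `rm ~/rmlint.*` on others, and under the `#!/usr/bin/zsh` shebang an unmatched glob such as `~/rmlint.*` is an error rather than a no-op, so `setopt null_glob` or an existence check is needed.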
@@ -0,0 +1,22 @@ +Include /etc/ssh/sshd_config.d/*.conf + +Port 22 +Port 567 +PubkeyAuthentication yes +PasswordAuthentication no +PermitEmptyPasswords no +ChallengeResponseAuthentication no +UsePAM yes +X11Forwarding yes +PrintMotd no +Banner none +AcceptEnv LANG LC_* +Subsystem sftp /usr/lib/openssh/sftp-server +PermitRootLogin yes +HostKeyAlgorithms +ssh-rsa + +Match LocalPort 22 + DenyUsers root + +Match LocalPort 567 + DenyUsers git diff --git a/ssh/sshd_config-default b/ssh/sshd_config-default new file mode 100644 index 0000000..5029974 --- /dev/null +++ b/ssh/sshd_config-default @@ -0,0 +1,36 @@ +Include /etc/ssh/sshd_config.d/*.conf + +AcceptEnv LANG LC_* +AuthorizedKeysFile %h/.ssh/authorized_keys +Banner none +ChallengeResponseAuthentication no +HostbasedAuthentication no +HostKey /etc/ssh/ssh_host_dsa_key +HostKey /etc/ssh/ssh_host_ecdsa_key +HostKey /etc/ssh/ssh_host_ed25519_key +HostKey /etc/ssh/ssh_host_rsa_key +IgnoreRhosts yes +KeyRegenerationInterval 3600 +LoginGraceTime 120 +LogLevel INFO +MaxAuthTries 5 +MaxSessions 5 +PasswordAuthentication no +PermitEmptyPasswords no +PermitRootLogin yes +Port 567 +PrintLastLog no +PrintMotd no +Protocol 2 +PubkeyAuthentication yes +RhostsRSAAuthentication no +RSAAuthentication yes +ServerKeyBits 1024 +StrictModes yes +Subsystem sftp /usr/lib/openssh/sftp-server +SyslogFacility AUTH +TCPKeepAlive yes +UsePAM yes +UsePrivilegeSeparation yes +X11DisplayOffset 10 +X11Forwarding yes
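Review bot: `HostKeyAlgorithms +ssh-rsa` in `ssh/sshd_config` re-enables the SHA-1 RSA host-key signature that OpenSSH 8.8+ disables by default, and nothing in the file says which client needs it; if it is only for one old client, prefer the server default and upgrade the client, or scope the line inside a `Match Address` block with a comment naming the reason. `PermitRootLogin yes` combined with `Match LocalPort 22` / `DenyUsers root` means root still logs in on port 567 (keys only, since `PasswordAuthentication no` is global); `PermitRootLogin prohibit-password` states that intent explicitly and survives a later change to the password setting. `X11Forwarding yes` is rarely needed on a headless server and widens what each session can reach. Because `Include /etc/ssh/sshd_config.d/*.conf` comes first, any drop-in there takes precedence over these settings, which deserves a comment for anyone auditing the effective configuration.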
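Review bot: Several directives in `ssh/sshd_config-default` have been no-ops since OpenSSH 7.4–7.6 — `KeyRegenerationInterval`, `ServerKeyBits`, `RSAAuthentication`, `RhostsRSAAuthentication`, `Protocol` and `UsePrivilegeSeparation` — so the sshd shipped with Debian 11 logs them as deprecated and ignores them; if this file is a reference for the current server rather than a historical snapshot, those lines should go, and a header comment should say which it is. `HostKey /etc/ssh/ssh_host_dsa_key` names a DSA key that recent Debian releases no longer generate, producing a "Could not load host key" error at startup and offering a weak algorithm where the file does exist. As in `ssh/sshd_config`, `PermitRootLogin yes` could be `prohibit-password` to match the `PasswordAuthentication no` already set.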