upd

2023-10-20 13:40:58 +02:00 · 2023-10-20 13:40:58 +02:00 · d732d68cc6
parent ccffaa7db9
commit d732d68cc6
29 changed files with 387 additions and 356 deletions
--- a/.zshrc
+++ b/.zshrc
--- a/5
+++ b/5
@ -0,0 +1,5 @@
 Copyright (C) 2023 by Dym Sohin <re@dym.sh>
 Permission to use, copy, modify, and/or distribute this software for any purpose with or without fee is hereby granted.
 THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
--- a/_install.sh
+++ b/_install.sh
@ -1,19 +1,11 @@
-#!/bin/bash
+#!/bin/sh
 # latest git
 add-apt-repository -y \
  ppa:git-core/ppa
 apt-get update -y
 apt-get install -y \
  git
-
+# core apps and utils
 # upgrade
 apt-get upgrade -y
 # all the tools
 apt-get install -y \
  build-essential \
  certbot \
@ -22,6 +14,7 @@ apt-get install -y \
  ffmpeg \
  g++ \
  ghostscript \
  git\
  graphicsmagick \
  imagemagick \
  jpegoptim \
@ -33,7 +26,7 @@ apt-get install -y \
  pngquant \
  postgresql \
  postgresql-contrib \
-  rmlint \
+  rdfind \
  sshfs \
  ufw \
  wget \
@ -58,29 +51,29 @@ pipupgrade -y --pip --ignore-error
 # nodejs
-rm -rf /usr/local/bin/npm /usr/local/share/man/man1/node* ~/.npm
+rm -rf \
-rm -rf /usr/local/lib/node*
+  /usr/local/bin/node* \
-rm -rf /usr/local/bin/node*
+  /usr/local/bin/npm \
-rm -rf /usr/local/include/node*
+  /usr/local/include/node* \
-apt-get purge nodejs npm
+  /usr/local/lib/node* \
-apt autoremove
+  /usr/local/share/man/man1/node* \
  ~/.npm
-wget 'https://nodejs.org/dist/v16.15.0/node-v16.15.0-linux-x64.tar.xz'
+apt-get purge -y \
-tar -xf 'node-v16.15.0-linux-x64.tar.xz'
+  nodejs npm
-rm 'node-v16.15.0-linux-x64.tar.xz'
+apt-get autoremove -y
-mv node-v16.15.0-linux-x64/bin/* /usr/local/bin/
+
-mv node-v16.15.0-linux-x64/lib/node_modules/ /usr/local/lib/
+VER='18.18.1'
 wget 'https://nodejs.org/dist/v$VER/node-v$VER-linux-x64.tar.xz'
 tar -xf 'node-v$VER-linux-x64.tar.xz'
 rm 'node-v$VER-linux-x64.tar.xz'
 mv node-v$VER-linux-x64/bin/* \
  /usr/local/bin/
 mv node-v$VER-linux-x64/lib/node_modules/ \
  /usr/local/lib/
 npm i -g n
 n lts
 npm i -g npm
-
+npm i -g n svgo
 npm i -g svgo
 # deno
 curl -fsSL https://deno.land/install.sh \
  | sh
 # rust
@ -88,7 +81,9 @@ apt-get install -y \
  openssl libssl1.1 libssl-dev \
  libfreetype6-dev libfontconfig1-dev libxcb-xfixes0-dev
-curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
+curl --proto '=https' \
  --tlsv1.2 -sSf 'https://sh.rustup.rs' \
  | sh
 source $HOME/.cargo/env
--- a/_installs/caddy.sh
+++ b/_installs/caddy.sh
@ -0,0 +1,5 @@
 apt-get install -y debian-keyring debian-archive-keyring apt-transport-https
 curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
 curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | tee /etc/apt/sources.list.d/caddy-stable.list
 apt-get update
 apt-get install caddy
--- a/_installs/certbot.sh
+++ b/_installs/certbot.sh
@ -1,8 +1,11 @@
 #!/usr/bin/zsh
-sudo apt-get remove -y \
+apt-get remove -y \
  python3-cryptography
 apt-get install -y python3-pip
 pip3 install \
  certbot \
  cryptography
@ -13,10 +16,8 @@ certbot certonly \
  -d '*.source.garden' \
  --email 'certbot+source.garden@dym.sh' \
  --agree-tos \
  --manual-public-ip-logging-ok \
  --renew-by-default \
  --rsa-key-size 4096 \
  --no-bootstrap \
  --manual \
  --preferred-challenges dns-01 \
  --server https://acme-v02.api.letsencrypt.org/directory
@ -27,10 +28,8 @@ certbot certonly \
  -d '*.dym.sh' \
  --email 'certbot+dym.sh@dym.sh' \
  --agree-tos \
  --manual-public-ip-logging-ok \
  --renew-by-default \
  --rsa-key-size 4096 \
  --no-bootstrap \
  --manual \
  --preferred-challenges dns-01 \
  --server https://acme-v02.api.letsencrypt.org/directory
--- a/_installs/fojego.sh
+++ b/_installs/fojego.sh
@ -1,51 +0,0 @@
 apt-get install -y \
  git git-lfs
 wget https://codeberg.org/forgejo/forgejo/releases/download/v1.19.3-0/forgejo-1.19.3-0-linux-amd64
 chmod +x forgejo-1.19.3-0-linux-amd64
 gpg --keyserver keys.openpgp.org --recv EB114F5E6C0DC2BCDD183550A4B61A2DC5923710
 wget https://codeberg.org/forgejo/forgejo/releases/download/v1.19.3-0/forgejo-1.19.3-0-linux-amd64.asc
 gpg --verify forgejo-1.19.3-0-linux-amd64.asc forgejo-1.19.3-0-linux-amd64
 mv forgejo-1.19.3-0-linux-amd64 /usr/local/bin/forgejo
 chmod 755 /usr/local/bin/forgejo
 groupadd --system git
 adduser --system --shell /bin/bash --comment 'Git Version Control' \
   --gid git --home-dir /home/git --create-home git
 mkdir /var/lib/forgejo
 chown git:git /var/lib/forgejo \
  && chmod 750 /var/lib/forgejo
 mkdir /usr/local/bin/data
 chown root:git /usr/local/bin/data \
 	&& chmod 770 /usr/local/bin/data
 mkdir /usr/local/bin/log
 chown root:git /usr/local/bin/log \
 	&& chmod 770 /usr/local/bin/log
 mkdir /usr/local/bin/custom
 chown root:git /usr/local/bin/custom \
 	&& chmod 770 /usr/local/bin/custom
 mkdir /etc/forgejo
 chown root:git /etc/forgejo \
  && chmod 770 /etc/forgejo
 wget -O \
  /etc/systemd/system/forgejo.service \
  'https://codeberg.org/forgejo/forgejo/raw/branch/forgejo/contrib/systemd/forgejo.service'
 # If you’re not using sqlite, but MySQL or MariaDB or PostgreSQL, you’ll have to edit that file (/etc/systemd/system/forgejo.service) and uncomment the corresponding Wants= and After= lines. Otherwise it should work as it is.
 systemctl enable forgejo.service
 systemctl start forgejo.service
 # open http://source.garden:3000
--- a/_installs/forgejo.sh
+++ b/_installs/forgejo.sh
@ -0,0 +1,71 @@
 #!/bin/sh
 apt-get install -y \
  git git-lfs
 VER='1.20.4-1'
 wget  "https://codeberg.org/forgejo/forgejo/releases/download/v$VER/forgejo-$VER-linux-amd64.xz"
 xz -d  "forgejo-$VER-linux-amd64.xz"
 gpg --keyserver keys.openpgp.org \
    --recv EB114F5E6C0DC2BCDD183550A4B61A2DC5923710
 wget  "https://codeberg.org/forgejo/forgejo/releases/download/v$VER/forgejo-$VER-linux-amd64.asc"
 gpg --verify  "forgejo-$VER-linux-amd64.asc forgejo-$VER-linux-amd64"
 chmod +x  "forgejo-$VER-linux-amd64"
 mv  "forgejo-$VER-linux-amd64" \
    /usr/local/bin/forgejo
 chmod -R 755 /usr/local/bin/forgejo
 groupadd --system git
 adduser --system \
   --ingroup git \
   git
 mkdir -p  /home/git
 chown git:git -R /home/git \
  && chmod -R 750 /home/git
 mkdir /var/lib/forgejo
 chown git:git -R /var/lib/forgejo \
  && chmod -R 750 /var/lib/forgejo
 mkdir /usr/local/bin/data
 chown root:git -R /usr/local/bin/data \
 	&& chmod -R 770 /usr/local/bin/data
 mkdir /usr/local/bin/log
 chown root:git -R /usr/local/bin/log \
 	&& chmod -R 770 /usr/local/bin/log
 mkdir /usr/local/bin/custom
 chown root:git -R /usr/local/bin/custom \
 	&& chmod -R 770 /usr/local/bin/custom
 mkdir /etc/forgejo
 chown root:git -R /etc/forgejo \
  && chmod -R 770 /etc/forgejo
 chown root:git /usr/local/bin/custom/conf/app.ini \
  && chmod 770 /usr/local/bin/custom/conf/app.ini
 # test with `su - git -c 'forgejo'`
 wget -O \
  /etc/systemd/system/forgejo.service \
  'https://codeberg.org/forgejo/forgejo/raw/branch/forgejo/contrib/systemd/forgejo.service'
 chown root:git /etc/systemd/system/forgejo.service
 chmod 770 /etc/systemd/system/forgejo.service
 # If you’re not using sqlite, but MySQL or MariaDB or PostgreSQL, you’ll have to edit that file (/etc/systemd/system/forgejo.service) and uncomment the corresponding Wants= and After= lines. Otherwise it should work as it is.
 systemctl enable forgejo.service
 systemctl start forgejo.service
 # open http://source.garden:3000
--- a/_installs/gotosocial.sh
+++ b/_installs/gotosocial.sh
@ -27,4 +27,4 @@ killall gotosocial
 systemctl start gotosocial.service
-curl -L https://dym.sh/.well-known/webfinger\?resource\=acct:dym@dym.com
+curl -L 'https://dym.sh/.well-known/webfinger?resource=acct:dym@dym.sh'
--- a/_installs/nextcloud.sh
+++ b/_installs/nextcloud.sh
@ -1,15 +1,16 @@
 curl -fsSL https://get.docker.com | sudo sh
-sudo docker run \
+docker run \
--sig-proxy=false \
+	--init \
--name nextcloud-aio-mastercontainer \
+	--sig-proxy=false \
--restart always \
+	--name nextcloud-aio-mastercontainer \
--publish 80:80 \
+	--restart always \
--publish 8080:8080 \
+	--publish 8080:8080 \
--publish 8443:8443 \
+	--env APACHE_PORT=11000 \
--volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config \
+	--env APACHE_IP_BINDING=0.0.0.0 \
--volume /var/run/docker.sock:/var/run/docker.sock:ro \
+	--volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config \
-nextcloud/all-in-one:latest
+	--volume /var/run/docker.sock:/var/run/docker.sock:ro \
 	nextcloud/all-in-one:latest
 firefox 'https://<server>:8080'
--- a/_installs/nodejs.sh
+++ b/_installs/nodejs.sh
@ -2,31 +2,29 @@
 # optional: remove old installs
-sudo apt purge -y \
+apt purge -y \
  nodejs npm
-sudo apt autoremove -y
+apt autoremove -y
-sudo rm /usr/bin/node
+rm /usr/bin/node
-sudo rm /usr/bin/npm
+rm /usr/bin/npm
-sudo rm -rf /usr/share/npm
+rm -rf /usr/share/npm
-sudo rm -rf /usr/share/nodejs
+rm -rf /usr/share/nodejs
 VER='18.18.0'
-# install node + npm
+mv node-v$VER-linux-x64/bin/* \
-wget -O 'node.xz' \
+   /usr/local/bin/
-  'https://nodejs.org/dist/v18.16.0/node-v18.16.0-linux-x64.tar.xz'
+mv node-v$VER-linux-x64/lib/node_modules/ \
-tar -xf 'node.xz'
+   /usr/local/lib/
 rm 'node.xz'
 sudo mv node-v18.16.0-linux-x64/bin/* /usr/local/bin/
 sudo mv node-v18.16.0-linux-x64/lib/node_modules/ /usr/local/lib/
-sudo mkdir -p  \
+mkdir -p  \
  '/usr/lib/nodejs' \
  '/usr/lib/node_modules'
 # fix permissions
-sudo chown -R $USER:$USER \
+chown -R $USER:$USER \
  '/usr/local' \
  '/usr/share' \
  '/usr/lib/nodejs' \
--- a/_installs/postgres-15.sh
+++ b/_installs/postgres-15.sh
@ -0,0 +1,36 @@
 #!/usr/bin/zsh
 apt update
 apt upgrade
 apt install software-properties-common apt-transport-https curl -y
 curl -fsSl https://www.postgresql.org/media/keys/ACCC4CF8.asc | gpg --dearmor | tee /usr/share/keyrings/postgresql.gpg > /dev/null
 sh -c 'echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" > /etc/apt/sources.list.d/pgdg.list'
 wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add -
 apt-get -y update
 apt-get install postgresql-15 -y
 systemctl enable postgresql
 systemctl start postgresql
 systemctl status postgresql
 ss -antpl | grep 5432
 systemctl start \
  postgresql postgresql-client
 nano /etc/postgresql/15/main/pg_hba.conf
 # `local  all  all  trust`
 systemctl restart postgresql
 # psql -U postgres
 su postgres -c psql
 ```
 ALTER USER postgres WITH PASSWORD 'postgres';
 exit;
 ```
--- a/_installs/postgres.sh
+++ b/_installs/postgres.sh
@ -1,46 +0,0 @@
 #!/usr/bin/zsh
 # Postgres
 # the `lsb_release` prints linux-mint's codename
 # of which pg has no idea, so
 U='UBUNTU_CODENAME='
 DISTRO=`cat '/etc/os-release' | grep "$U"`
 if [ ! -z "$DISTRO" ]; then
  DISTRO="${DISTRO/$U/}"
 else
  DISTRO=`lsb_release -cs`
 fi
 echo "DISTRO: '$DISTRO'"
 SRC="deb http://apt.postgresql.org/pub/repos/apt $DISTRO-pgdg main"
 sudo sh -c \
  "echo '$SRC' > /etc/apt/sources.list.d/pgdg.list"
 wget --quiet -O - 'https://www.postgresql.org/media/keys/ACCC4CF8.asc' \
  | sudo apt-key add -
 curl -sS 'https://www.postgresql.org/media/keys/ACCC4CF8.asc' \
  | gpg --dearmor \
  | sudo tee /etc/apt/trusted.gpg.d/postgresql.gpg
 sudo apt update -y
 sudo apt install -y \
  postgresql-14
 psql --version
 sudo systemctl start \
  postgresql-14 postgresql-client-14
 sudo nano /etc/postgresql/14/main/pg_hba.conf
 # `local all all trust`
 sudo systemctl restart postgresql.service
 psql -U postgres
 ```
 ALTER USER postgres WITH PASSWORD 'postgres';
 exit;
 ```
--- a/git/server-www.sh
+++ b/git/server-www.sh
@ -0,0 +1,54 @@
 #!/bin/sh
 DOMAIN='_homepage'
 PROJ='$1'
 HOST='test-01'
 # git
 adduser git
 mkdir '/home/git/.ssh'
 nano '/home/git/.ssh/authorized_keys'
 # new repo
 git init --bare '/home/git/repos/$HOST'
 mkdir -p '/var/www/$HOST/'
 git clone '/home/git/repos/$HOST' '/var/www/$HOST'
 # post-push resolving
 cd '/home/git/repos/$HOST/'
 exec git-update-server-info
 echo '#!/bin/sh
 cd "/var/www/$HOST/" || exit
 unset GIT_DIR
 git pull
 exec git-update-server-info
 ' > '/home/git/repos/$HOST/hooks/post-update'
 chmod +x '/home/git/repos/$HOST/hooks/post-update'
 # access rights
 chown -R git:git '/home/git'
 chown -R git:www-data '/home/git/repos'
 chmod -R 755 '/home/git/repos'
 # cd /var/www/$HOST/public/www/
 # ln -s ../../static ./
 # adduser www
 # usermod -aG www-data www
 usermod -aG www-data git
 chown -R git:www-data '/var/www/$HOST'
 chmod -R 755 '/var/www/$HOST'
 # mkdir '/var/www/$HOST/uploads'
 # touch '/var/www/$HOST/nohup.out'
 # touch '/var/www/$HOST/log.txt'
 # starting scripts
 # chown -R www:www-data '/var/www/$HOST'
 # su - www -c  'cd /var/www/$HOST && ./start'
 # echo '@reboot su - www -c  'cd /var/www/$HOST && ./start'' \
 #   >> /etc/crontab
--- a/git/setup-local.sh
+++ b/git/setup-local.sh
@ -0,0 +1,13 @@
 #!/bin/sh
 SERVER_ID='<SERVER.IP OR DOMAIN.TLD>'
 ssh-copy-id -i ~/.ssh/server_root.pub "root@$SERVER_ID"
 ssh-copy-id -i ~/.ssh/server_www.pub "www@$SERVER_ID"
 ssh-copy-id -i ~/.ssh/server_git.pub "git@$SERVER_ID"
 cd "/Site/$SERVER_ID"
 git remote add prod "webing-poligon-git:~/repos/digisign"
 git push prod --all --force
 git push prod --tags --force
--- a/git/setup-server.sh
+++ b/git/setup-server.sh
@ -0,0 +1,34 @@
 #!/usr/bin/env bash
 # update current
 apt-get update -y
 apt-get upgrade -y
 # sys, tools
 apt-get install -y \
  zsh curl wget git \
  g++ make clang build-essential \
  rmlint ffmpeg lynx \
  net-tools usrmerge \
  imagemagick graphicsmagick ghostscript \
  jpegoptim pngquant pngcrush
 # users
 adduser git
 mkdir '/home/git/.ssh'
 touch '/home/git/.ssh/authorized_keys'
  # add ssh-key for git
 adduser www
 mkdir '/home/www/.ssh'
 touch '/home/www/.ssh/authorized_keys'
  # add ssh-key for www
 usermod -aG www-data www
 usermod -aG www-data git
 # access rights
 chown -R www:www-data '/var/www/site/'
--- a/meta.kdl
+++ b/meta.kdl
@ -0,0 +1,7 @@
 title        "server-debian"
 description  "setup site, mail, git, etc"
 media-type   "cli"
 tags         "config"  "scripts"  "docs"
 license      "0BSD"
 homepage     "https://dym.sh/server-debian/"
 source       "https://source.garden/config/server-debian/"
--- a/mysql/_install.sh
+++ b/mysql/_install.sh
@ -23,8 +23,8 @@ sudo killall -9 mysql_secure_installation
 sudo mysql -u root --skip-password
 ```
-ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY 'my very strong password !123';
+ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY 'STRONG_PASSWORD_ROOT';
-CREATE USER 'admin'@'localhost' IDENTIFIED BY 'my very strong password !123';
+CREATE USER 'admin'@'localhost' IDENTIFIED BY 'STRONG_PASSWORD_ADMIN';
 GRANT ALL PRIVILEGES ON *.* TO 'admin'@'localhost';
 FLUSH PRIVILEGES;
 EXIT;
--- a/mysql/mysql_wordpress.sh
+++ b/mysql/mysql_wordpress.sh
@ -9,7 +9,7 @@ systemctl status mysql.service
 mysql -u root
 ```sql
 CREATE DATABASE wp;
-CREATE USER 'db_admin'@'localhost' IDENTIFIED BY 'BjMPUpXtlUBHSr=l-TWYKHwCI7DPjF1YJMo2qpjW8LQI3Rk=EVKevexq6r3b+c6Ggf-cpk65nB-m8w=2';
+CREATE USER 'db_admin'@'localhost' IDENTIFIED BY 'STRONG_PASSWORD';
 GRANT ALL PRIVILEGES ON wp.* TO 'db_admin'@'localhost';
 FLUSH PRIVILEGES;
 EXIT;
--- a/nginx/dym.sh--gts.conf
+++ b/nginx/dym.sh--gts.conf
@ -44,7 +44,6 @@ server {
  proxy_pass_request_headers on;
  location @gts {
    # set to 127.0.0.1 instead of localhost to work around https://stackoverflow.com/a/52550758
    proxy_pass http://127.0.0.1:10099;
    proxy_set_header Host $host;
    proxy_set_header Upgrade $http_upgrade;
--- a/nginx/ipv6.sh
+++ b/nginx/ipv6.sh
@ -1,11 +0,0 @@
 #!/usr/bin/zsh
 # enable_ipv6
 ip addr add 2a02:c206:3009:9964::1/112 dev eth0
 ip -6 addr show
 ip route add default via fe80::1 dev eth0
 ip -6 route show
 ping -6 2a02:c206:3009:9964::1
--- a/nginx/mailcow.conf
+++ b/nginx/mailcow.conf
@ -1,43 +0,0 @@
 server {
    listen 80 default_server;
    listen [::]:80;
    server_name   mail.*;
    # For SSL domain validation
    root /var/www/html;
    location /.well-known/acme-challenge/ { allow all; }
    location /.well-known/pki-validation/ { allow all; }
    location / { return 301 https://$server_name$request_uri; }
 }
 server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2;
    server_name         mail.*;
    ssl_certificate     /opt/mailcow-dockerized/data/assets/ssl/cert.pem;
    ssl_certificate_key /opt/mailcow-dockerized/data/assets/ssl/key.pem;
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    ssl_ecdh_curve      secp384r1;
    ssl_session_timeout 7d;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers               'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!DH:!ADH:!EDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!AES256-GCM-SHA384';
    # Change to your upload limit
    client_max_body_size 500m;
    location / {
        proxy_pass http://127.0.0.1:10080;
        proxy_buffer_size 128k;
        proxy_buffers 64 512k;
        proxy_busy_buffers_size 512k;
        proxy_set_header X-Forwarded-Proto $scheme;
        client_max_body_size 0;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_redirect off;
    }
 }
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@ -1,71 +0,0 @@
 user www-data;
 worker_processes auto;
 pid /run/nginx.pid;
 include /etc/nginx/modules-enabled/*.conf;
 events {
  worker_connections 768;
  # multi_accept on;
 }
 http {
  error_log /var/log/nginx/error.log;
  sendfile on;
  tcp_nopush on;
  tcp_nodelay on;
  keepalive_timeout 65;
  types_hash_max_size 2048;
  # server_tokens off;
  server_names_hash_bucket_size 128;
  # server_name_in_redirect off;
  include /etc/nginx/mime.types;
  default_type application/octet-stream;
  client_max_body_size 1024m;
  ssl_session_timeout       1d;
  ssl_session_cache         shared:MozSSL:10m;
  ssl_session_tickets       off;
  ssl_protocols             TLSv1.2 TLSv1.3;
  ssl_ciphers               "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
  ssl_prefer_server_ciphers off;
  ssl_ecdh_curve            X25519:prime256v1:secp384r1:secp521r1;
  ssl_stapling              on;
  ssl_stapling_verify       on;
  gzip                      on;
  gzip_vary                 on;
  gzip_proxied              any;
  gzip_comp_level           6;
  gzip_buffers              16 8k;
  gzip_http_version         1.1;
  gzip_types                application/activity+json
                            application/atom+xml
                            application/javascript
                            application/json
                            application/manifest+json
                            application/rss+xml
                            application/xml
                            text/cache-manifest
                            text/calendar
                            text/css
                            text/javascript
                            text/markdown
                            text/plain
                            text/vcard
                            text/vnd.wap.wml
                            text/vtt
                            text/x-component
                            text/xml
                            ;
  index index.html;
  include /etc/nginx/conf.d/*.conf;
  include /etc/nginx/sites-enabled/*;
 }
--- a/nginx/poste.conf
+++ b/nginx/poste.conf
@ -1,19 +0,0 @@
 server {
  server_name  mx.dym.sh;
  listen       80;
  listen       [::]:80;
  location ~ /\.well-known/acme-challenge {
    root       /var/lib/letsencrypt/;
  }
 }
 server {
  server_name mx.dym.sh;
  listen                    443 ssl http2;
  listen                    [::]:443 ssl http2;
  ssl_trusted_certificate   /etc/letsencrypt/live/dym.sh/chain.pem;
  ssl_certificate           /etc/letsencrypt/live/dym.sh/fullchain.pem;
  ssl_certificate_key       /etc/letsencrypt/live/dym.sh/privkey.pem;
 }
--- a/nginx/source.garden.conf
+++ b/nginx/source.garden.conf
@ -1,43 +0,0 @@
 server {
  server_name  source.garden;
  listen       80;
  listen       [::]:80;
  location ~ /\.well-known/acme-challenge {
    root       /var/lib/letsencrypt/;
  }
  location / {
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;
    return     301 https://$server_name$request_uri;
  }
 }
 server {
  server_name source.garden;
  listen                    443 ssl http2;
  listen                    [::]:443 ssl http2;
  ssl_trusted_certificate   /etc/letsencrypt/live/source.garden-0002/chain.pem;
  ssl_certificate           /etc/letsencrypt/live/source.garden-0002/fullchain.pem;
  ssl_certificate_key       /etc/letsencrypt/live/source.garden-0002/privkey.pem;
  location / {
    root       /var/www/source.garden/;
    try_files
      $uri
      $uri/
      @forgejo;
  }
  location @forgejo {
    # set to 127.0.0.1 instead of localhost to work around https://stackoverflow.com/a/52550758
    proxy_pass http://127.0.0.1:3000;
    proxy_set_header Host $host;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;
  }
  client_max_body_size 2000M;
 }
--- a/poste-io/@reboot.sh
+++ b/poste-io/@reboot.sh
@ -6,8 +6,8 @@ pkill sendmail
 # stop and remove old container
 docker stop mailserver
-docker rm `docker ps -a -q`
+docker rm mailserver
-docker container rm -f `docker ps -a -q`
+docker container rm -f mailserver
 docker container prune
 # update container
 docker pull analogic/poste.io
@ -17,14 +17,14 @@ docker run \
  --detach \
  --restart always \
  --name 'mailserver' \
-  --hostname 'mx.dym.sh' \
+  --hostname 'mail.dym.sh' \
  --publish 25:25 \
  --publish 143:143 \
  --publish 587:587 \
  --publish 993:993 \
  --publish 4190:4190 \
-  --publish 12080:80 \
+  --publish 11080:80 \
-  --publish 12443:443 \
+  --publish 11443:443 \
  --volume /etc/localtime:/etc/localtime:ro \
  --volume /var/mail/data:/data \
  --tty analogic/poste.io
--- a/readme.md
+++ b/readme.md
@ -0,0 +1,5 @@
 # server-debian
 > setup site, mail, git, etc
 implied use of Debian 11
--- a/scripts/purge
+++ b/scripts/purge
@ -0,0 +1,35 @@
 #!/usr/bin/zsh
 # purge memory
 free -h
 echo "clearing memory"
 sudo sync
 sudo sh -c 'echo 3 > /proc/sys/vm/drop_caches'
 free -h
 # clear logs
 echo "clearing /var/log"
 sudo du -hs /var/log
 sudo find /var/log -type f -delete
 sudo du -hs /var/log
 #
 rm -rf /var/lib/systemd/coredump/*
 echo "clearing /etc/nginx/logs"
 sudo du -hs /etc/nginx/logs
 sudo find /etc/nginx/logs -type f -delete
 sudo du -hs /etc/nginx/logs
 rm ~/.xsession-errors*
 # relete occasional junk
 rm ~/rmlint.*
 # empty trash
 rm -rf ~/.local/share/Trash
 sudo rm -rf /.Trash-1000
--- a/ssh/sshd_config
+++ b/ssh/sshd_config
@ -0,0 +1,22 @@
 Include /etc/ssh/sshd_config.d/*.conf
 Port 22
 Port 567
 PubkeyAuthentication yes
 PasswordAuthentication no
 PermitEmptyPasswords no
 ChallengeResponseAuthentication no
 UsePAM yes
 X11Forwarding yes
 PrintMotd no
 Banner none
 AcceptEnv LANG LC_*
 Subsystem  sftp  /usr/lib/openssh/sftp-server
 PermitRootLogin yes
 HostKeyAlgorithms +ssh-rsa
 Match LocalPort 22
  DenyUsers root
 Match LocalPort 567
  DenyUsers git
--- a/ssh/sshd_config-default
+++ b/ssh/sshd_config-default
@ -0,0 +1,36 @@
 Include /etc/ssh/sshd_config.d/*.conf
 AcceptEnv LANG LC_*
 AuthorizedKeysFile %h/.ssh/authorized_keys
 Banner none
 ChallengeResponseAuthentication no
 HostbasedAuthentication no
 HostKey /etc/ssh/ssh_host_dsa_key
 HostKey /etc/ssh/ssh_host_ecdsa_key
 HostKey /etc/ssh/ssh_host_ed25519_key
 HostKey /etc/ssh/ssh_host_rsa_key
 IgnoreRhosts yes
 KeyRegenerationInterval 3600
 LoginGraceTime 120
 LogLevel INFO
 MaxAuthTries 5
 MaxSessions 5
 PasswordAuthentication no
 PermitEmptyPasswords no
 PermitRootLogin yes
 Port 567
 PrintLastLog no
 PrintMotd no
 Protocol 2
 PubkeyAuthentication yes
 RhostsRSAAuthentication no
 RSAAuthentication yes
 ServerKeyBits 1024
 StrictModes yes
 Subsystem sftp /usr/lib/openssh/sftp-server
 SyslogFacility AUTH
 TCPKeepAlive yes
 UsePAM yes
 UsePrivilegeSeparation yes
 X11DisplayOffset 10
 X11Forwarding yes
`@ -27,4 +27,4 @@ killall gotosocial`
	`systemctl start gotosocial.service`	`systemctl start gotosocial.service`


	`curl -L https://dym.sh/.well-known/webfinger\?resource\=acct:dym@dym.com`	`curl -L 'https://dym.sh/.well-known/webfinger?resource=acct:dym@dym.sh'`