This commit is contained in:
Dym Sohin 2023-10-20 13:40:58 +02:00
parent ccffaa7db9
commit d732d68cc6
29 changed files with 387 additions and 356 deletions

0
.zshrc Normal file → Executable file

5
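--- a/LICENSE
+++ b/LICENSE
@@ -0,0 +1,5 @@
+Copyright (C) 2023 by Dym Sohin <re@dym.sh>
+Permission to use, copy, modify, and/or distribute this software for any purpose with or without fee is hereby granted.
+THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.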


@ -1,19 +1,11 @@
#!/bin/bash
#!/bin/sh
# latest git
add-apt-repository -y \
ppa:git-core/ppa
apt-get update -y
apt-get install -y \
git
# upgrade
# core apps and utils
apt-get upgrade -y
# all the tools
apt-get install -y \
build-essential \
certbot \
@ -22,6 +14,7 @@ apt-get install -y \
ffmpeg \
g++ \
ghostscript \
git\
graphicsmagick \
imagemagick \
jpegoptim \
@ -33,7 +26,7 @@ apt-get install -y \
pngquant \
postgresql \
postgresql-contrib \
rmlint \
rdfind \
sshfs \
ufw \
wget \
@ -58,29 +51,29 @@ pipupgrade -y --pip --ignore-error
# nodejs
rm -rf /usr/local/bin/npm /usr/local/share/man/man1/node* ~/.npm
rm -rf /usr/local/lib/node*
rm -rf /usr/local/bin/node*
rm -rf /usr/local/include/node*
apt-get purge nodejs npm
apt autoremove
rm -rf \
/usr/local/bin/node* \
/usr/local/bin/npm \
/usr/local/include/node* \
/usr/local/lib/node* \
/usr/local/share/man/man1/node* \
~/.npm
wget 'https://nodejs.org/dist/v16.15.0/node-v16.15.0-linux-x64.tar.xz'
tar -xf 'node-v16.15.0-linux-x64.tar.xz'
rm 'node-v16.15.0-linux-x64.tar.xz'
mv node-v16.15.0-linux-x64/bin/* /usr/local/bin/
mv node-v16.15.0-linux-x64/lib/node_modules/ /usr/local/lib/
apt-get purge -y \
nodejs npm
apt-get autoremove -y
VER='18.18.1'
wget 'https://nodejs.org/dist/v$VER/node-v$VER-linux-x64.tar.xz'
tar -xf 'node-v$VER-linux-x64.tar.xz'
rm 'node-v$VER-linux-x64.tar.xz'
mv node-v$VER-linux-x64/bin/* \
/usr/local/bin/
mv node-v$VER-linux-x64/lib/node_modules/ \
/usr/local/lib/
npm i -g n
n lts
npm i -g npm
npm i -g svgo
# deno
curl -fsSL https://deno.land/install.sh \
| sh
npm i -g n svgo
# rust
@ -88,7 +81,9 @@ apt-get install -y \
openssl libssl1.1 libssl-dev \
libfreetype6-dev libfontconfig1-dev libxcb-xfixes0-dev
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
curl --proto '=https' \
--tlsv1.2 -sSf 'https://sh.rustup.rs' \
| sh
source $HOME/.cargo/env
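Review bot: The node download in the `VER='18.18.1'` block is single-quoted, so `$VER` is never expanded: `wget 'https://nodejs.org/dist/v$VER/...'`, `tar -xf 'node-v$VER-linux-x64.tar.xz'` and the `rm` all operate on a literal `v$VER` name, and the `mv node-v$VER-linux-x64/...` lines that follow cannot find the directory; those four strings need double quotes, e.g. `wget "https://nodejs.org/dist/v$VER/node-v$VER-linux-x64.tar.xz"`. The tarball is then installed into `/usr/local` without any integrity check, although nodejs.org publishes a signed `SHASUMS256.txt` per release, so verifying the archive's hash before `tar -xf` would close that gap. In the last hunk the shebang is now `#!/bin/sh` but `source $HOME/.cargo/env` is a bash/zsh builtin; the POSIX form is `. "$HOME/.cargo/env"`. The added `git\` line in the second hunk has no space before the backslash, so whether `git` and `graphicsmagick` stay separate words depends on the indentation of the next line, which this view does not show.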

5
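--- a/_installs/caddy.sh
+++ b/_installs/caddy.sh
@@ -0,0 +1,5 @@
+apt-get install -y debian-keyring debian-archive-keyring apt-transport-https
+curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
+curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | tee /etc/apt/sources.list.d/caddy-stable.list
+apt-get update
+apt-get install caddy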
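Review bot: `apt-get install caddy` on the last line has no `-y`, unlike the `apt-get install -y` on the first line and in the other scripts of this commit, so an unattended run stops at the confirmation prompt; use `apt-get install -y caddy`. The file also has no shebang, so how it is interpreted depends on the caller; a `#!/bin/sh` first line matching `_installs/forgejo.sh` would fix that. The `gpg --dearmor -o .../caddy-stable-archive-keyring.gpg` step on line two will, I believe, prompt to overwrite (or fail under `--batch`) when the keyring already exists, so a re-run is not idempotent — presumably fine for a one-shot setup, but worth a comment.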


@ -1,8 +1,11 @@
#!/usr/bin/zsh
sudo apt-get remove -y \
apt-get remove -y \
python3-cryptography
apt-get install -y python3-pip
pip3 install \
certbot \
cryptography
@ -13,10 +16,8 @@ certbot certonly \
-d '*.source.garden' \
--email 'certbot+source.garden@dym.sh' \
--agree-tos \
--manual-public-ip-logging-ok \
--renew-by-default \
--rsa-key-size 4096 \
--no-bootstrap \
--manual \
--preferred-challenges dns-01 \
--server https://acme-v02.api.letsencrypt.org/directory
@ -27,10 +28,8 @@ certbot certonly \
-d '*.dym.sh' \
--email 'certbot+dym.sh@dym.sh' \
--agree-tos \
--manual-public-ip-logging-ok \
--renew-by-default \
--rsa-key-size 4096 \
--no-bootstrap \
--manual \
--preferred-challenges dns-01 \
--server https://acme-v02.api.letsencrypt.org/directory
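Review bot: The first hunk removes the distro `python3-cryptography` and then installs `certbot` and `cryptography` with `pip3` into the system interpreter with no version pin; a later `apt-get upgrade` that pulls `python3-cryptography` back in as a dependency of some other package will shadow or conflict with the pip copy, and apt can no longer track what certbot depends on. Certbot's own install instructions use an isolated environment, e.g. `python3 -m venv /opt/certbot`, `/opt/certbot/bin/pip install certbot`, `ln -s /opt/certbot/bin/certbot /usr/local/bin/certbot`, which keeps the distro package intact. The two `certbot certonly` invocations in the second and third hunks are identical apart from the domain and email, and both start before their hunk; a helper function taking those two values would keep the flag list in one place.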


@ -1,51 +0,0 @@
apt-get install -y \
git git-lfs
wget https://codeberg.org/forgejo/forgejo/releases/download/v1.19.3-0/forgejo-1.19.3-0-linux-amd64
chmod +x forgejo-1.19.3-0-linux-amd64
gpg --keyserver keys.openpgp.org --recv EB114F5E6C0DC2BCDD183550A4B61A2DC5923710
wget https://codeberg.org/forgejo/forgejo/releases/download/v1.19.3-0/forgejo-1.19.3-0-linux-amd64.asc
gpg --verify forgejo-1.19.3-0-linux-amd64.asc forgejo-1.19.3-0-linux-amd64
mv forgejo-1.19.3-0-linux-amd64 /usr/local/bin/forgejo
chmod 755 /usr/local/bin/forgejo
groupadd --system git
adduser --system --shell /bin/bash --comment 'Git Version Control' \
--gid git --home-dir /home/git --create-home git
mkdir /var/lib/forgejo
chown git:git /var/lib/forgejo \
&& chmod 750 /var/lib/forgejo
mkdir /usr/local/bin/data
chown root:git /usr/local/bin/data \
&& chmod 770 /usr/local/bin/data
mkdir /usr/local/bin/log
chown root:git /usr/local/bin/log \
&& chmod 770 /usr/local/bin/log
mkdir /usr/local/bin/custom
chown root:git /usr/local/bin/custom \
&& chmod 770 /usr/local/bin/custom
mkdir /etc/forgejo
chown root:git /etc/forgejo \
&& chmod 770 /etc/forgejo
wget -O \
/etc/systemd/system/forgejo.service \
'https://codeberg.org/forgejo/forgejo/raw/branch/forgejo/contrib/systemd/forgejo.service'
# If youre not using sqlite, but MySQL or MariaDB or PostgreSQL, youll have to edit that file (/etc/systemd/system/forgejo.service) and uncomment the corresponding Wants= and After= lines. Otherwise it should work as it is.
systemctl enable forgejo.service
systemctl start forgejo.service
# open http://source.garden:3000

71
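--- a/_installs/forgejo.sh
+++ b/_installs/forgejo.sh
@@ -0,0 +1,71 @@
+#!/bin/sh
+apt-get install -y \
+git git-lfs
+VER='1.20.4-1'
+wget "https://codeberg.org/forgejo/forgejo/releases/download/v$VER/forgejo-$VER-linux-amd64.xz"
+xz -d "forgejo-$VER-linux-amd64.xz"
+gpg --keyserver keys.openpgp.org \
+--recv EB114F5E6C0DC2BCDD183550A4B61A2DC5923710
+wget "https://codeberg.org/forgejo/forgejo/releases/download/v$VER/forgejo-$VER-linux-amd64.asc"
+gpg --verify "forgejo-$VER-linux-amd64.asc forgejo-$VER-linux-amd64"
+chmod +x "forgejo-$VER-linux-amd64"
+mv "forgejo-$VER-linux-amd64" \
+/usr/local/bin/forgejo
+chmod -R 755 /usr/local/bin/forgejo
+groupadd --system git
+adduser --system \
+--ingroup git \
+git
+mkdir -p /home/git
+chown git:git -R /home/git \
+&& chmod -R 750 /home/git
+mkdir /var/lib/forgejo
+chown git:git -R /var/lib/forgejo \
+&& chmod -R 750 /var/lib/forgejo
+mkdir /usr/local/bin/data
+chown root:git -R /usr/local/bin/data \
+&& chmod -R 770 /usr/local/bin/data
+mkdir /usr/local/bin/log
+chown root:git -R /usr/local/bin/log \
+&& chmod -R 770 /usr/local/bin/log
+mkdir /usr/local/bin/custom
+chown root:git -R /usr/local/bin/custom \
+&& chmod -R 770 /usr/local/bin/custom
+mkdir /etc/forgejo
+chown root:git -R /etc/forgejo \
+&& chmod -R 770 /etc/forgejo
+chown root:git /usr/local/bin/custom/conf/app.ini \
+&& chmod 770 /usr/local/bin/custom/conf/app.ini
+# test with `su - git -c 'forgejo'`
+wget -O \
+/etc/systemd/system/forgejo.service \
+'https://codeberg.org/forgejo/forgejo/raw/branch/forgejo/contrib/systemd/forgejo.service'
+chown root:git /etc/systemd/system/forgejo.service
+chmod 770 /etc/systemd/system/forgejo.service
+# If youre not using sqlite, but MySQL or MariaDB or PostgreSQL, youll have to edit that file (/etc/systemd/system/forgejo.service) and uncomment the corresponding Wants= and After= lines. Otherwise it should work as it is.
+systemctl enable forgejo.service
+systemctl start forgejo.service
+# open http://source.garden:3000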
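Review bot: `gpg --verify "forgejo-$VER-linux-amd64.asc forgejo-$VER-linux-amd64"` passes both file names as a single argument, so gpg looks for one file whose name contains a space, the verification fails, and because the script has no `set -e` the unverified binary is still installed by the `mv` two lines later; it should read `gpg --verify "forgejo-$VER-linux-amd64.asc" "forgejo-$VER-linux-amd64" || exit 1`. `chown root:git` plus `chmod 770` on `/etc/systemd/system/forgejo.service` makes a root-controlled unit file writable by the `git` group, so anything running as the service account can change what systemd executes; unit files are conventionally `644 root:root`. The `chown root:git /usr/local/bin/custom/conf/app.ini` line targets a file nothing earlier in the script creates, so it presumably fails on a fresh host unless `app.ini` is placed by hand first. The `data`, `log` and `custom` directories live under `/usr/local/bin/`, which is an unusual home for writable state next to executables and deserves a comment if intentional.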


@ -27,4 +27,4 @@ killall gotosocial
systemctl start gotosocial.service
curl -L https://dym.sh/.well-known/webfinger\?resource\=acct:dym@dym.com
curl -L 'https://dym.sh/.well-known/webfinger?resource=acct:dym@dym.sh'


@ -1,12 +1,13 @@
curl -fsSL https://get.docker.com | sudo sh
sudo docker run \
docker run \
--init \
--sig-proxy=false \
--name nextcloud-aio-mastercontainer \
--restart always \
--publish 80:80 \
--publish 8080:8080 \
--publish 8443:8443 \
--env APACHE_PORT=11000 \
--env APACHE_IP_BINDING=0.0.0.0 \
--volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config \
--volume /var/run/docker.sock:/var/run/docker.sock:ro \
nextcloud/all-in-one:latest


@ -2,31 +2,29 @@
# optional: remove old installs
sudo apt purge -y \
apt purge -y \
nodejs npm
sudo apt autoremove -y
apt autoremove -y
sudo rm /usr/bin/node
sudo rm /usr/bin/npm
sudo rm -rf /usr/share/npm
sudo rm -rf /usr/share/nodejs
rm /usr/bin/node
rm /usr/bin/npm
rm -rf /usr/share/npm
rm -rf /usr/share/nodejs
VER='18.18.0'
# install node + npm
wget -O 'node.xz' \
'https://nodejs.org/dist/v18.16.0/node-v18.16.0-linux-x64.tar.xz'
tar -xf 'node.xz'
rm 'node.xz'
sudo mv node-v18.16.0-linux-x64/bin/* /usr/local/bin/
sudo mv node-v18.16.0-linux-x64/lib/node_modules/ /usr/local/lib/
mv node-v$VER-linux-x64/bin/* \
/usr/local/bin/
mv node-v$VER-linux-x64/lib/node_modules/ \
/usr/local/lib/
sudo mkdir -p \
mkdir -p \
'/usr/lib/nodejs' \
'/usr/lib/node_modules'
# fix permissions
sudo chown -R $USER:$USER \
chown -R $USER:$USER \
'/usr/local' \
'/usr/share' \
'/usr/lib/nodejs' \
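Review bot: `VER='18.18.0'` is introduced, but the `wget -O 'node.xz'` URL a few lines below still hardcodes `v18.16.0`, so the tarball extracts to `node-v18.16.0-linux-x64/` while the new `mv node-v$VER-linux-x64/bin/*` and `mv node-v$VER-linux-x64/lib/node_modules/` lines look for `node-v18.18.0-linux-x64/` and fail; the URL should become `"https://nodejs.org/dist/v$VER/node-v$VER-linux-x64.tar.xz"` (double quotes so `$VER` expands). The `chown -R $USER:$USER '/usr/local' '/usr/share' ...` command at the end of the hunk continues past it; with `sudo` removed the script is presumably run as root, where `$USER` is normally `root` and the recursive chown is a no-op, but any invocation that preserves the caller's `USER` hands ownership of `/usr/local` and `/usr/share` to an unprivileged account. Narrowing it to the paths this script actually writes (`/usr/local/bin/node*`, `/usr/local/lib/node_modules`) and quoting `"$USER"` would avoid both outcomes.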

36
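--- a/_installs/postgres-15.sh
+++ b/_installs/postgres-15.sh
@@ -0,0 +1,36 @@
+#!/usr/bin/zsh
+apt update
+apt upgrade
+apt install software-properties-common apt-transport-https curl -y
+curl -fsSl https://www.postgresql.org/media/keys/ACCC4CF8.asc | gpg --dearmor | tee /usr/share/keyrings/postgresql.gpg > /dev/null
+sh -c 'echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" > /etc/apt/sources.list.d/pgdg.list'
+wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add -
+apt-get -y update
+apt-get install postgresql-15 -y
+systemctl enable postgresql
+systemctl start postgresql
+systemctl status postgresql
+ss -antpl | grep 5432
+systemctl start \
+postgresql postgresql-client
+nano /etc/postgresql/15/main/pg_hba.conf
+# `local all all trust`
+systemctl restart postgresql
+# psql -U postgres
+su postgres -c psql
+```
+ALTER USER postgres WITH PASSWORD 'postgres';
+exit;
+```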
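Review bot: The key is dearmored into `/usr/share/keyrings/postgresql.gpg`, but the `deb ... $(lsb_release -cs)-pgdg main` line written to `/etc/apt/sources.list.d/pgdg.list` has no `[signed-by=...]`, so apt never consults that keyring; the repository is instead trusted through the deprecated `apt-key add -` line, which makes the key valid for every repository on the host. Drop the `apt-key` line and write `deb [signed-by=/usr/share/keyrings/postgresql.gpg] http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main`. `apt upgrade` near the top has no `-y`, so an unattended run blocks on a prompt. The `pg_hba.conf` edit to `local all all trust` together with `ALTER USER postgres WITH PASSWORD 'postgres'` leaves the superuser reachable by any local account without a credential and with a guessable password; `peer` or `scram-sha-256` for `local` and a generated password are the hardened defaults, and if this is meant as a dev-only setting a comment should say so.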


@ -1,46 +0,0 @@
#!/usr/bin/zsh
# Postgres
# the `lsb_release` prints linux-mint's codename
# of which pg has no idea, so
U='UBUNTU_CODENAME='
DISTRO=`cat '/etc/os-release' | grep "$U"`
if [ ! -z "$DISTRO" ]; then
DISTRO="${DISTRO/$U/}"
else
DISTRO=`lsb_release -cs`
fi
echo "DISTRO: '$DISTRO'"
SRC="deb http://apt.postgresql.org/pub/repos/apt $DISTRO-pgdg main"
sudo sh -c \
"echo '$SRC' > /etc/apt/sources.list.d/pgdg.list"
wget --quiet -O - 'https://www.postgresql.org/media/keys/ACCC4CF8.asc' \
| sudo apt-key add -
curl -sS 'https://www.postgresql.org/media/keys/ACCC4CF8.asc' \
| gpg --dearmor \
| sudo tee /etc/apt/trusted.gpg.d/postgresql.gpg
sudo apt update -y
sudo apt install -y \
postgresql-14
psql --version
sudo systemctl start \
postgresql-14 postgresql-client-14
sudo nano /etc/postgresql/14/main/pg_hba.conf
# `local all all trust`
sudo systemctl restart postgresql.service
psql -U postgres
```
ALTER USER postgres WITH PASSWORD 'postgres';
exit;
```

54
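--- a/git/server-www.sh
+++ b/git/server-www.sh
@@ -0,0 +1,54 @@
+#!/bin/sh
+DOMAIN='_homepage'
+PROJ='$1'
+HOST='test-01'
+# git
+adduser git
+mkdir '/home/git/.ssh'
+nano '/home/git/.ssh/authorized_keys'
+# new repo
+git init --bare '/home/git/repos/$HOST'
+mkdir -p '/var/www/$HOST/'
+git clone '/home/git/repos/$HOST' '/var/www/$HOST'
+# post-push resolving
+cd '/home/git/repos/$HOST/'
+exec git-update-server-info
+echo '#!/bin/sh
+cd "/var/www/$HOST/" || exit
+unset GIT_DIR
+git pull
+exec git-update-server-info
+' > '/home/git/repos/$HOST/hooks/post-update'
+chmod +x '/home/git/repos/$HOST/hooks/post-update'
+# access rights
+chown -R git:git '/home/git'
+chown -R git:www-data '/home/git/repos'
+chmod -R 755 '/home/git/repos'
+# cd /var/www/$HOST/public/www/
+# ln -s ../../static ./
+# adduser www
+# usermod -aG www-data www
+usermod -aG www-data git
+chown -R git:www-data '/var/www/$HOST'
+chmod -R 755 '/var/www/$HOST'
+# mkdir '/var/www/$HOST/uploads'
+# touch '/var/www/$HOST/nohup.out'
+# touch '/var/www/$HOST/log.txt'
+# starting scripts
+# chown -R www:www-data '/var/www/$HOST'
+# su - www -c 'cd /var/www/$HOST && ./start'
+# echo '@reboot su - www -c 'cd /var/www/$HOST && ./start'' \
+# >> /etc/crontab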
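Review bot: Every path containing `$HOST` is single-quoted (`'/home/git/repos/$HOST'`, `'/var/www/$HOST'`, the hook path and the `chown`/`chmod` targets), so the script creates and operates on directories literally named `$HOST` rather than `test-01`; the same applies to `PROJ='$1'`. Switch those strings to double quotes, e.g. `git init --bare "/home/git/repos/$HOST"` and `git clone "/home/git/repos/$HOST" "/var/www/$HOST"`. The `exec git-update-server-info` under `# post-push resolving` replaces the shell with that command, so nothing after it (hook creation, ownership, group membership) ever runs; drop the `exec` there. The hook body is written with single quotes too, so `cd "/var/www/$HOST/"` inside it expands at hook time where `HOST` is unset — presumably the intent is to bake the value in when the hook is written, which double quotes or an unquoted here-document would do.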

13
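--- a/git/setup-local.sh
+++ b/git/setup-local.sh
@@ -0,0 +1,13 @@
+#!/bin/sh
+SERVER_ID='<SERVER.IP OR DOMAIN.TLD>'
+ssh-copy-id -i ~/.ssh/server_root.pub "root@$SERVER_ID"
+ssh-copy-id -i ~/.ssh/server_www.pub "www@$SERVER_ID"
+ssh-copy-id -i ~/.ssh/server_git.pub "git@$SERVER_ID"
+cd "/Site/$SERVER_ID"
+git remote add prod "webing-poligon-git:~/repos/digisign"
+git push prod --all --force
+git push prod --tags --force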
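Review bot: `SERVER_ID` drives the three `ssh-copy-id` calls and the `cd`, but `git remote add prod "webing-poligon-git:~/repos/digisign"` hardcodes a different SSH host alias and repository path, so the placeholder never reaches the remote; presumably the URL should be derived from `$SERVER_ID` (and a repo-name variable) in the same way. Both pushes use `--force`, which overwrites whatever history the server already has; a first push succeeds without it, and leaving `--force` out of a setup script avoids silent data loss on re-runs. `cd "/Site/$SERVER_ID"` has no `|| exit`, so when the directory is missing the pushes run from whatever the current directory happens to be.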

34
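--- a/git/setup-server.sh
+++ b/git/setup-server.sh
@@ -0,0 +1,34 @@
+#!/usr/bin/env bash
+# update current
+apt-get update -y
+apt-get upgrade -y
+# sys, tools
+apt-get install -y \
+zsh curl wget git \
+g++ make clang build-essential \
+rmlint ffmpeg lynx \
+net-tools usrmerge \
+imagemagick graphicsmagick ghostscript \
+jpegoptim pngquant pngcrush
+# users
+adduser git
+mkdir '/home/git/.ssh'
+touch '/home/git/.ssh/authorized_keys'
+# add ssh-key for git
+adduser www
+mkdir '/home/www/.ssh'
+touch '/home/www/.ssh/authorized_keys'
+# add ssh-key for www
+usermod -aG www-data www
+usermod -aG www-data git
+# access rights
+chown -R www:www-data '/var/www/site/'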
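Review bot: The `.ssh` directories and `authorized_keys` files for `git` and `www` are created by root with `mkdir`/`touch` and never chowned or chmoded, so they end up root-owned with umask-default modes; sshd's `StrictModes` tolerates root ownership, but the users cannot manage their own keys and the `# add ssh-key for git` comment leaves the actual key placement as a manual step. `install -d -m 700 -o git -g git /home/git/.ssh` followed by `install -m 600 -o git -g git /dev/null /home/git/.ssh/authorized_keys` (and the same for `www`) creates them with the conventional ownership and modes in one step. The final `chown -R www:www-data '/var/www/site/'` targets a directory nothing in the script creates, so it fails on a fresh host unless a `mkdir -p` precedes it or a comment says the site is deployed first. `adduser git` and `adduser www` prompt interactively; `adduser --disabled-password --gecos '' git` keeps the script runnable unattended.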

7
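--- a/meta.kdl
+++ b/meta.kdl
@@ -0,0 +1,7 @@
+title "server-debian"
+description "setup site, mail, git, etc"
+media-type "cli"
+tags "config" "scripts" "docs"
+license "0BSD"
+homepage "https://dym.sh/server-debian/"
+source "https://source.garden/config/server-debian/"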


@ -23,8 +23,8 @@ sudo killall -9 mysql_secure_installation
sudo mysql -u root --skip-password
```
ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY 'my very strong password !123';
CREATE USER 'admin'@'localhost' IDENTIFIED BY 'my very strong password !123';
ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY 'STRONG_PASSWORD_ROOT';
CREATE USER 'admin'@'localhost' IDENTIFIED BY 'STRONG_PASSWORD_ADMIN';
GRANT ALL PRIVILEGES ON *.* TO 'admin'@'localhost';
FLUSH PRIVILEGES;
EXIT;


@ -9,7 +9,7 @@ systemctl status mysql.service
mysql -u root
```sql
CREATE DATABASE wp;
CREATE USER 'db_admin'@'localhost' IDENTIFIED BY 'BjMPUpXtlUBHSr=l-TWYKHwCI7DPjF1YJMo2qpjW8LQI3Rk=EVKevexq6r3b+c6Ggf-cpk65nB-m8w=2';
CREATE USER 'db_admin'@'localhost' IDENTIFIED BY 'STRONG_PASSWORD';
GRANT ALL PRIVILEGES ON wp.* TO 'db_admin'@'localhost';
FLUSH PRIVILEGES;
EXIT;
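Review bot: The removed `CREATE USER 'db_admin'@'localhost' IDENTIFIED BY '...'` line carried what looks like a real 80-character password, and replacing it with `STRONG_PASSWORD` in the working tree takes it neither out of the repository history nor off any host where the snippet was run; the `db_admin` password should be rotated wherever it was applied, and the history rewritten if the repository is published. A short comment above the snippet stating that `STRONG_PASSWORD` is a placeholder to be replaced, not a value to paste, would help the next reader; the same wording could go with the `STRONG_PASSWORD_ROOT`/`STRONG_PASSWORD_ADMIN` lines in the previous section.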


@ -44,7 +44,6 @@ server {
proxy_pass_request_headers on;
location @gts {
# set to 127.0.0.1 instead of localhost to work around https://stackoverflow.com/a/52550758
proxy_pass http://127.0.0.1:10099;
proxy_set_header Host $host;
proxy_set_header Upgrade $http_upgrade;


@ -1,11 +0,0 @@
#!/usr/bin/zsh
# enable_ipv6
ip addr add 2a02:c206:3009:9964::1/112 dev eth0
ip -6 addr show
ip route add default via fe80::1 dev eth0
ip -6 route show
ping -6 2a02:c206:3009:9964::1


@ -1,43 +0,0 @@
server {
listen 80 default_server;
listen [::]:80;
server_name mail.*;
# For SSL domain validation
root /var/www/html;
location /.well-known/acme-challenge/ { allow all; }
location /.well-known/pki-validation/ { allow all; }
location / { return 301 https://$server_name$request_uri; }
}
server {
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2;
server_name mail.*;
ssl_certificate /opt/mailcow-dockerized/data/assets/ssl/cert.pem;
ssl_certificate_key /opt/mailcow-dockerized/data/assets/ssl/key.pem;
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
ssl_ecdh_curve secp384r1;
ssl_session_timeout 7d;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!DH:!ADH:!EDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!AES256-GCM-SHA384';
# Change to your upload limit
client_max_body_size 500m;
location / {
proxy_pass http://127.0.0.1:10080;
proxy_buffer_size 128k;
proxy_buffers 64 512k;
proxy_busy_buffers_size 512k;
proxy_set_header X-Forwarded-Proto $scheme;
client_max_body_size 0;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_redirect off;
}
}


@ -1,71 +0,0 @@
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 768;
# multi_accept on;
}
http {
error_log /var/log/nginx/error.log;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# server_tokens off;
server_names_hash_bucket_size 128;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
client_max_body_size 1024m;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
ssl_prefer_server_ciphers off;
ssl_ecdh_curve X25519:prime256v1:secp384r1:secp521r1;
ssl_stapling on;
ssl_stapling_verify on;
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_types application/activity+json
application/atom+xml
application/javascript
application/json
application/manifest+json
application/rss+xml
application/xml
text/cache-manifest
text/calendar
text/css
text/javascript
text/markdown
text/plain
text/vcard
text/vnd.wap.wml
text/vtt
text/x-component
text/xml
;
index index.html;
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}


@ -1,19 +0,0 @@
server {
server_name mx.dym.sh;
listen 80;
listen [::]:80;
location ~ /\.well-known/acme-challenge {
root /var/lib/letsencrypt/;
}
}
server {
server_name mx.dym.sh;
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_trusted_certificate /etc/letsencrypt/live/dym.sh/chain.pem;
ssl_certificate /etc/letsencrypt/live/dym.sh/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/dym.sh/privkey.pem;
}


@ -1,43 +0,0 @@
server {
server_name source.garden;
listen 80;
listen [::]:80;
location ~ /\.well-known/acme-challenge {
root /var/lib/letsencrypt/;
}
location / {
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;
return 301 https://$server_name$request_uri;
}
}
server {
server_name source.garden;
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_trusted_certificate /etc/letsencrypt/live/source.garden-0002/chain.pem;
ssl_certificate /etc/letsencrypt/live/source.garden-0002/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/source.garden-0002/privkey.pem;
location / {
root /var/www/source.garden/;
try_files
$uri
$uri/
@forgejo;
}
location @forgejo {
# set to 127.0.0.1 instead of localhost to work around https://stackoverflow.com/a/52550758
proxy_pass http://127.0.0.1:3000;
proxy_set_header Host $host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
}
client_max_body_size 2000M;
}


@ -6,8 +6,8 @@ pkill sendmail
# stop and remove old container
docker stop mailserver
docker rm `docker ps -a -q`
docker container rm -f `docker ps -a -q`
docker rm mailserver
docker container rm -f mailserver
docker container prune
# update container
docker pull analogic/poste.io
@ -17,14 +17,14 @@ docker run \
--detach \
--restart always \
--name 'mailserver' \
--hostname 'mx.dym.sh' \
--hostname 'mail.dym.sh' \
--publish 25:25 \
--publish 143:143 \
--publish 587:587 \
--publish 993:993 \
--publish 4190:4190 \
--publish 12080:80 \
--publish 12443:443 \
--publish 11080:80 \
--publish 11443:443 \
--volume /etc/localtime:/etc/localtime:ro \
--volume /var/mail/data:/data \
--tty analogic/poste.io
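Review bot: In the first hunk the new `docker container rm -f \`docker ps -a -q\`` force-removes every container on the host, not just `mailserver`, so running this script on a machine that also hosts the Nextcloud AIO container from `_installs` (or anything else) destroys them without warning; the `docker container rm -f mailserver` line right after it already does the intended job, so the `docker ps -a -q` line should go, and if it is kept the backticks should become `$(docker ps -a -q)`. In the second hunk the web ports move from 12080/12443 to 11080/11443 and the hostname to `mail.dym.sh`; nothing here documents the reverse-proxy or firewall rule that has to change in step, so a one-line comment naming it would spare the next reader a search.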

5
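--- a/readme.md
+++ b/readme.md
@@ -0,0 +1,5 @@
+# server-debian
+> setup site, mail, git, etc
+implied use of Debian 11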

35
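--- a/scripts/purge
+++ b/scripts/purge
@@ -0,0 +1,35 @@
+#!/usr/bin/zsh
+# purge memory
+free -h
+echo "clearing memory"
+sudo sync
+sudo sh -c 'echo 3 > /proc/sys/vm/drop_caches'
+free -h
+# clear logs
+echo "clearing /var/log"
+sudo du -hs /var/log
+sudo find /var/log -type f -delete
+sudo du -hs /var/log
+#
+rm -rf /var/lib/systemd/coredump/*
+echo "clearing /etc/nginx/logs"
+sudo du -hs /etc/nginx/logs
+sudo find /etc/nginx/logs -type f -delete
+sudo du -hs /etc/nginx/logs
+rm ~/.xsession-errors*
+# relete occasional junk
+rm ~/rmlint.*
+# empty trash
+rm -rf ~/.local/share/Trash
+sudo rm -rf /.Trash-1000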
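Review bot: `sudo find /var/log -type f -delete` removes every log file, including `auth.log`, `syslog` and the systemd journal, which erases the audit trail a later incident investigation would rely on, and files that daemons still hold open keep consuming space until the daemon restarts, so little is reclaimed. `journalctl --vacuum-time=7d` together with `logrotate -f /etc/logrotate.conf` frees space while keeping recent history; the same reasoning applies to the `/etc/nginx/logs` block. The script mixes `sudo` and plain commands — `rm -rf /var/lib/systemd/coredump/*` and the home-directory `rm`s run without `sudo` — so the coredump line silently fails for a non-root user; and the comment `# relete occasional junk` should read `# delete occasional junk`.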

22
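--- a/ssh/sshd_config
+++ b/ssh/sshd_config
@@ -0,0 +1,22 @@
+Include /etc/ssh/sshd_config.d/*.conf
+Port 22
+Port 567
+PubkeyAuthentication yes
+PasswordAuthentication no
+PermitEmptyPasswords no
+ChallengeResponseAuthentication no
+UsePAM yes
+X11Forwarding yes
+PrintMotd no
+Banner none
+AcceptEnv LANG LC_*
+Subsystem sftp /usr/lib/openssh/sftp-server
+PermitRootLogin yes
+HostKeyAlgorithms +ssh-rsa
+Match LocalPort 22
+DenyUsers root
+Match LocalPort 567
+DenyUsers git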
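Review bot: `HostKeyAlgorithms +ssh-rsa` re-enables the SHA-1 RSA host-key signature that OpenSSH 8.8 disabled by default; unless a known legacy client needs it the line should go, and if it must stay a comment naming that client would justify it. `PermitRootLogin yes` is only held to key-based login by the separate `PasswordAuthentication no`; `PermitRootLogin prohibit-password` states that intent directly and survives a later change to the password setting, while the `Match LocalPort 22` / `DenyUsers root` block still confines root to port 567. `X11Forwarding yes` is unneeded on a headless server and widens what every session can do, and `ChallengeResponseAuthentication` is the old spelling of `KbdInteractiveAuthentication`, still accepted but worth updating. A comment at the top saying that 22 is the git/www port and 567 the admin port would make the two `Match` blocks self-explanatory.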

36
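--- a/ssh/sshd_config-default
+++ b/ssh/sshd_config-default
@@ -0,0 +1,36 @@
+Include /etc/ssh/sshd_config.d/*.conf
+AcceptEnv LANG LC_*
+AuthorizedKeysFile %h/.ssh/authorized_keys
+Banner none
+ChallengeResponseAuthentication no
+HostbasedAuthentication no
+HostKey /etc/ssh/ssh_host_dsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+HostKey /etc/ssh/ssh_host_rsa_key
+IgnoreRhosts yes
+KeyRegenerationInterval 3600
+LoginGraceTime 120
+LogLevel INFO
+MaxAuthTries 5
+MaxSessions 5
+PasswordAuthentication no
+PermitEmptyPasswords no
+PermitRootLogin yes
+Port 567
+PrintLastLog no
+PrintMotd no
+Protocol 2
+PubkeyAuthentication yes
+RhostsRSAAuthentication no
+RSAAuthentication yes
+ServerKeyBits 1024
+StrictModes yes
+Subsystem sftp /usr/lib/openssh/sftp-server
+SyslogFacility AUTH
+TCPKeepAlive yes
+UsePAM yes
+UsePrivilegeSeparation yes
+X11DisplayOffset 10
+X11Forwarding yes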
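Review bot: `Protocol 2`, `KeyRegenerationInterval`, `RSAAuthentication`, `RhostsRSAAuthentication`, `ServerKeyBits` and `UsePrivilegeSeparation` are SSH-1-era or removed options that current OpenSSH (7.4/7.5 and later, I believe) ignores with a deprecation warning, and `HostKey /etc/ssh/ssh_host_dsa_key` names a DSA key that OpenSSH no longer generates or accepts by default; `sshd -T` on the target host shows which of these lines are actually in effect. If this file is a reference snapshot rather than something to deploy, a first-line comment saying so (and the OpenSSH version it came from) would stop someone installing it; if it is meant to be deployable, the dead lines should be removed. `PermitRootLogin yes` here, as in `ssh/sshd_config`, would be clearer as `prohibit-password` given `PasswordAuthentication no`.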