upd
This commit is contained in:
parent
ccffaa7db9
commit
d732d68cc6
|
@ -0,0 +1,5 @@
|
|||
Copyright (C) 2023 by Dym Sohin <re@dym.sh>
|
||||
|
||||
Permission to use, copy, modify, and/or distribute this software for any purpose with or without fee is hereby granted.
|
||||
|
||||
THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
59
_install.sh
59
_install.sh
|
@ -1,19 +1,11 @@
|
|||
#!/bin/bash
|
||||
|
||||
#!/bin/sh
|
||||
|
||||
# latest git
|
||||
add-apt-repository -y \
|
||||
ppa:git-core/ppa
|
||||
apt-get update -y
|
||||
apt-get install -y \
|
||||
git
|
||||
|
||||
|
||||
# upgrade
|
||||
# core apps and utils
|
||||
apt-get upgrade -y
|
||||
|
||||
|
||||
# all the tools
|
||||
apt-get install -y \
|
||||
build-essential \
|
||||
certbot \
|
||||
|
@ -22,6 +14,7 @@ apt-get install -y \
|
|||
ffmpeg \
|
||||
g++ \
|
||||
ghostscript \
|
||||
git\
|
||||
graphicsmagick \
|
||||
imagemagick \
|
||||
jpegoptim \
|
||||
|
@ -33,7 +26,7 @@ apt-get install -y \
|
|||
pngquant \
|
||||
postgresql \
|
||||
postgresql-contrib \
|
||||
rmlint \
|
||||
rdfind \
|
||||
sshfs \
|
||||
ufw \
|
||||
wget \
|
||||
|
@ -58,29 +51,29 @@ pipupgrade -y --pip --ignore-error
|
|||
|
||||
|
||||
# nodejs
|
||||
rm -rf /usr/local/bin/npm /usr/local/share/man/man1/node* ~/.npm
|
||||
rm -rf /usr/local/lib/node*
|
||||
rm -rf /usr/local/bin/node*
|
||||
rm -rf /usr/local/include/node*
|
||||
apt-get purge nodejs npm
|
||||
apt autoremove
|
||||
rm -rf \
|
||||
/usr/local/bin/node* \
|
||||
/usr/local/bin/npm \
|
||||
/usr/local/include/node* \
|
||||
/usr/local/lib/node* \
|
||||
/usr/local/share/man/man1/node* \
|
||||
~/.npm
|
||||
|
||||
wget 'https://nodejs.org/dist/v16.15.0/node-v16.15.0-linux-x64.tar.xz'
|
||||
tar -xf 'node-v16.15.0-linux-x64.tar.xz'
|
||||
rm 'node-v16.15.0-linux-x64.tar.xz'
|
||||
mv node-v16.15.0-linux-x64/bin/* /usr/local/bin/
|
||||
mv node-v16.15.0-linux-x64/lib/node_modules/ /usr/local/lib/
|
||||
apt-get purge -y \
|
||||
nodejs npm
|
||||
apt-get autoremove -y
|
||||
|
||||
VER='18.18.1'
|
||||
wget 'https://nodejs.org/dist/v$VER/node-v$VER-linux-x64.tar.xz'
|
||||
tar -xf 'node-v$VER-linux-x64.tar.xz'
|
||||
rm 'node-v$VER-linux-x64.tar.xz'
|
||||
mv node-v$VER-linux-x64/bin/* \
|
||||
/usr/local/bin/
|
||||
mv node-v$VER-linux-x64/lib/node_modules/ \
|
||||
/usr/local/lib/
|
||||
|
||||
npm i -g n
|
||||
n lts
|
||||
npm i -g npm
|
||||
|
||||
npm i -g svgo
|
||||
|
||||
|
||||
# deno
|
||||
curl -fsSL https://deno.land/install.sh \
|
||||
| sh
|
||||
npm i -g n svgo
|
||||
|
||||
|
||||
# rust
|
||||
|
@ -88,7 +81,9 @@ apt-get install -y \
|
|||
openssl libssl1.1 libssl-dev \
|
||||
libfreetype6-dev libfontconfig1-dev libxcb-xfixes0-dev
|
||||
|
||||
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
|
||||
curl --proto '=https' \
|
||||
--tlsv1.2 -sSf 'https://sh.rustup.rs' \
|
||||
| sh
|
||||
|
||||
source $HOME/.cargo/env
|
||||
|
||||
|
|
|
@ -0,0 +1,5 @@
|
|||
apt-get install -y debian-keyring debian-archive-keyring apt-transport-https
|
||||
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
|
||||
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | tee /etc/apt/sources.list.d/caddy-stable.list
|
||||
apt-get update
|
||||
apt-get install caddy
|
|
@ -1,8 +1,11 @@
|
|||
#!/usr/bin/zsh
|
||||
|
||||
sudo apt-get remove -y \
|
||||
apt-get remove -y \
|
||||
python3-cryptography
|
||||
|
||||
apt-get install -y python3-pip
|
||||
|
||||
|
||||
pip3 install \
|
||||
certbot \
|
||||
cryptography
|
||||
|
@ -13,10 +16,8 @@ certbot certonly \
|
|||
-d '*.source.garden' \
|
||||
--email 'certbot+source.garden@dym.sh' \
|
||||
--agree-tos \
|
||||
--manual-public-ip-logging-ok \
|
||||
--renew-by-default \
|
||||
--rsa-key-size 4096 \
|
||||
--no-bootstrap \
|
||||
--manual \
|
||||
--preferred-challenges dns-01 \
|
||||
--server https://acme-v02.api.letsencrypt.org/directory
|
||||
|
@ -27,10 +28,8 @@ certbot certonly \
|
|||
-d '*.dym.sh' \
|
||||
--email 'certbot+dym.sh@dym.sh' \
|
||||
--agree-tos \
|
||||
--manual-public-ip-logging-ok \
|
||||
--renew-by-default \
|
||||
--rsa-key-size 4096 \
|
||||
--no-bootstrap \
|
||||
--manual \
|
||||
--preferred-challenges dns-01 \
|
||||
--server https://acme-v02.api.letsencrypt.org/directory
|
||||
|
|
|
@ -1,51 +0,0 @@
|
|||
apt-get install -y \
|
||||
git git-lfs
|
||||
|
||||
wget https://codeberg.org/forgejo/forgejo/releases/download/v1.19.3-0/forgejo-1.19.3-0-linux-amd64
|
||||
chmod +x forgejo-1.19.3-0-linux-amd64
|
||||
|
||||
gpg --keyserver keys.openpgp.org --recv EB114F5E6C0DC2BCDD183550A4B61A2DC5923710
|
||||
wget https://codeberg.org/forgejo/forgejo/releases/download/v1.19.3-0/forgejo-1.19.3-0-linux-amd64.asc
|
||||
gpg --verify forgejo-1.19.3-0-linux-amd64.asc forgejo-1.19.3-0-linux-amd64
|
||||
|
||||
mv forgejo-1.19.3-0-linux-amd64 /usr/local/bin/forgejo
|
||||
chmod 755 /usr/local/bin/forgejo
|
||||
|
||||
|
||||
groupadd --system git
|
||||
|
||||
adduser --system --shell /bin/bash --comment 'Git Version Control' \
|
||||
--gid git --home-dir /home/git --create-home git
|
||||
|
||||
mkdir /var/lib/forgejo
|
||||
chown git:git /var/lib/forgejo \
|
||||
&& chmod 750 /var/lib/forgejo
|
||||
|
||||
mkdir /usr/local/bin/data
|
||||
chown root:git /usr/local/bin/data \
|
||||
&& chmod 770 /usr/local/bin/data
|
||||
|
||||
mkdir /usr/local/bin/log
|
||||
chown root:git /usr/local/bin/log \
|
||||
&& chmod 770 /usr/local/bin/log
|
||||
|
||||
mkdir /usr/local/bin/custom
|
||||
chown root:git /usr/local/bin/custom \
|
||||
&& chmod 770 /usr/local/bin/custom
|
||||
|
||||
mkdir /etc/forgejo
|
||||
chown root:git /etc/forgejo \
|
||||
&& chmod 770 /etc/forgejo
|
||||
|
||||
|
||||
wget -O \
|
||||
/etc/systemd/system/forgejo.service \
|
||||
'https://codeberg.org/forgejo/forgejo/raw/branch/forgejo/contrib/systemd/forgejo.service'
|
||||
|
||||
# If you’re not using sqlite, but MySQL or MariaDB or PostgreSQL, you’ll have to edit that file (/etc/systemd/system/forgejo.service) and uncomment the corresponding Wants= and After= lines. Otherwise it should work as it is.
|
||||
|
||||
systemctl enable forgejo.service
|
||||
systemctl start forgejo.service
|
||||
|
||||
# open http://source.garden:3000
|
||||
|
|
@ -0,0 +1,71 @@
|
|||
#!/bin/sh
|
||||
|
||||
apt-get install -y \
|
||||
git git-lfs
|
||||
|
||||
VER='1.20.4-1'
|
||||
|
||||
wget "https://codeberg.org/forgejo/forgejo/releases/download/v$VER/forgejo-$VER-linux-amd64.xz"
|
||||
xz -d "forgejo-$VER-linux-amd64.xz"
|
||||
|
||||
gpg --keyserver keys.openpgp.org \
|
||||
--recv EB114F5E6C0DC2BCDD183550A4B61A2DC5923710
|
||||
wget "https://codeberg.org/forgejo/forgejo/releases/download/v$VER/forgejo-$VER-linux-amd64.asc"
|
||||
gpg --verify "forgejo-$VER-linux-amd64.asc forgejo-$VER-linux-amd64"
|
||||
|
||||
chmod +x "forgejo-$VER-linux-amd64"
|
||||
mv "forgejo-$VER-linux-amd64" \
|
||||
/usr/local/bin/forgejo
|
||||
chmod -R 755 /usr/local/bin/forgejo
|
||||
|
||||
|
||||
groupadd --system git
|
||||
adduser --system \
|
||||
--ingroup git \
|
||||
git
|
||||
|
||||
mkdir -p /home/git
|
||||
chown git:git -R /home/git \
|
||||
&& chmod -R 750 /home/git
|
||||
|
||||
mkdir /var/lib/forgejo
|
||||
chown git:git -R /var/lib/forgejo \
|
||||
&& chmod -R 750 /var/lib/forgejo
|
||||
|
||||
mkdir /usr/local/bin/data
|
||||
chown root:git -R /usr/local/bin/data \
|
||||
&& chmod -R 770 /usr/local/bin/data
|
||||
|
||||
mkdir /usr/local/bin/log
|
||||
chown root:git -R /usr/local/bin/log \
|
||||
&& chmod -R 770 /usr/local/bin/log
|
||||
|
||||
mkdir /usr/local/bin/custom
|
||||
chown root:git -R /usr/local/bin/custom \
|
||||
&& chmod -R 770 /usr/local/bin/custom
|
||||
|
||||
mkdir /etc/forgejo
|
||||
chown root:git -R /etc/forgejo \
|
||||
&& chmod -R 770 /etc/forgejo
|
||||
|
||||
chown root:git /usr/local/bin/custom/conf/app.ini \
|
||||
&& chmod 770 /usr/local/bin/custom/conf/app.ini
|
||||
|
||||
|
||||
# test with `su - git -c 'forgejo'`
|
||||
|
||||
|
||||
wget -O \
|
||||
/etc/systemd/system/forgejo.service \
|
||||
'https://codeberg.org/forgejo/forgejo/raw/branch/forgejo/contrib/systemd/forgejo.service'
|
||||
|
||||
chown root:git /etc/systemd/system/forgejo.service
|
||||
chmod 770 /etc/systemd/system/forgejo.service
|
||||
|
||||
# If you’re not using sqlite, but MySQL or MariaDB or PostgreSQL, you’ll have to edit that file (/etc/systemd/system/forgejo.service) and uncomment the corresponding Wants= and After= lines. Otherwise it should work as it is.
|
||||
|
||||
systemctl enable forgejo.service
|
||||
systemctl start forgejo.service
|
||||
|
||||
|
||||
# open http://source.garden:3000
|
|
@ -27,4 +27,4 @@ killall gotosocial
|
|||
systemctl start gotosocial.service
|
||||
|
||||
|
||||
curl -L https://dym.sh/.well-known/webfinger\?resource\=acct:dym@dym.com
|
||||
curl -L 'https://dym.sh/.well-known/webfinger?resource=acct:dym@dym.sh'
|
||||
|
|
|
@ -1,12 +1,13 @@
|
|||
curl -fsSL https://get.docker.com | sudo sh
|
||||
|
||||
sudo docker run \
|
||||
docker run \
|
||||
--init \
|
||||
--sig-proxy=false \
|
||||
--name nextcloud-aio-mastercontainer \
|
||||
--restart always \
|
||||
--publish 80:80 \
|
||||
--publish 8080:8080 \
|
||||
--publish 8443:8443 \
|
||||
--env APACHE_PORT=11000 \
|
||||
--env APACHE_IP_BINDING=0.0.0.0 \
|
||||
--volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config \
|
||||
--volume /var/run/docker.sock:/var/run/docker.sock:ro \
|
||||
nextcloud/all-in-one:latest
|
||||
|
|
|
@ -2,31 +2,29 @@
|
|||
|
||||
|
||||
# optional: remove old installs
|
||||
sudo apt purge -y \
|
||||
apt purge -y \
|
||||
nodejs npm
|
||||
sudo apt autoremove -y
|
||||
apt autoremove -y
|
||||
|
||||
sudo rm /usr/bin/node
|
||||
sudo rm /usr/bin/npm
|
||||
sudo rm -rf /usr/share/npm
|
||||
sudo rm -rf /usr/share/nodejs
|
||||
rm /usr/bin/node
|
||||
rm /usr/bin/npm
|
||||
rm -rf /usr/share/npm
|
||||
rm -rf /usr/share/nodejs
|
||||
|
||||
VER='18.18.0'
|
||||
|
||||
# install node + npm
|
||||
wget -O 'node.xz' \
|
||||
'https://nodejs.org/dist/v18.16.0/node-v18.16.0-linux-x64.tar.xz'
|
||||
tar -xf 'node.xz'
|
||||
rm 'node.xz'
|
||||
sudo mv node-v18.16.0-linux-x64/bin/* /usr/local/bin/
|
||||
sudo mv node-v18.16.0-linux-x64/lib/node_modules/ /usr/local/lib/
|
||||
mv node-v$VER-linux-x64/bin/* \
|
||||
/usr/local/bin/
|
||||
mv node-v$VER-linux-x64/lib/node_modules/ \
|
||||
/usr/local/lib/
|
||||
|
||||
sudo mkdir -p \
|
||||
mkdir -p \
|
||||
'/usr/lib/nodejs' \
|
||||
'/usr/lib/node_modules'
|
||||
|
||||
|
||||
# fix permissions
|
||||
sudo chown -R $USER:$USER \
|
||||
chown -R $USER:$USER \
|
||||
'/usr/local' \
|
||||
'/usr/share' \
|
||||
'/usr/lib/nodejs' \
|
||||
|
|
|
@ -0,0 +1,36 @@
|
|||
#!/usr/bin/zsh
|
||||
|
||||
apt update
|
||||
apt upgrade
|
||||
apt install software-properties-common apt-transport-https curl -y
|
||||
|
||||
curl -fsSl https://www.postgresql.org/media/keys/ACCC4CF8.asc | gpg --dearmor | tee /usr/share/keyrings/postgresql.gpg > /dev/null
|
||||
|
||||
sh -c 'echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" > /etc/apt/sources.list.d/pgdg.list'
|
||||
|
||||
wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add -
|
||||
|
||||
apt-get -y update
|
||||
apt-get install postgresql-15 -y
|
||||
|
||||
systemctl enable postgresql
|
||||
systemctl start postgresql
|
||||
systemctl status postgresql
|
||||
|
||||
ss -antpl | grep 5432
|
||||
|
||||
systemctl start \
|
||||
postgresql postgresql-client
|
||||
|
||||
|
||||
nano /etc/postgresql/15/main/pg_hba.conf
|
||||
# `local all all trust`
|
||||
|
||||
systemctl restart postgresql
|
||||
|
||||
# psql -U postgres
|
||||
su postgres -c psql
|
||||
```
|
||||
ALTER USER postgres WITH PASSWORD 'postgres';
|
||||
exit;
|
||||
```
|
|
@ -1,46 +0,0 @@
|
|||
#!/usr/bin/zsh
|
||||
|
||||
# Postgres
|
||||
|
||||
# the `lsb_release` prints linux-mint's codename
|
||||
# of which pg has no idea, so
|
||||
U='UBUNTU_CODENAME='
|
||||
DISTRO=`cat '/etc/os-release' | grep "$U"`
|
||||
if [ ! -z "$DISTRO" ]; then
|
||||
DISTRO="${DISTRO/$U/}"
|
||||
else
|
||||
DISTRO=`lsb_release -cs`
|
||||
fi
|
||||
echo "DISTRO: '$DISTRO'"
|
||||
|
||||
|
||||
SRC="deb http://apt.postgresql.org/pub/repos/apt $DISTRO-pgdg main"
|
||||
sudo sh -c \
|
||||
"echo '$SRC' > /etc/apt/sources.list.d/pgdg.list"
|
||||
|
||||
wget --quiet -O - 'https://www.postgresql.org/media/keys/ACCC4CF8.asc' \
|
||||
| sudo apt-key add -
|
||||
|
||||
curl -sS 'https://www.postgresql.org/media/keys/ACCC4CF8.asc' \
|
||||
| gpg --dearmor \
|
||||
| sudo tee /etc/apt/trusted.gpg.d/postgresql.gpg
|
||||
|
||||
sudo apt update -y
|
||||
sudo apt install -y \
|
||||
postgresql-14
|
||||
|
||||
psql --version
|
||||
|
||||
sudo systemctl start \
|
||||
postgresql-14 postgresql-client-14
|
||||
|
||||
sudo nano /etc/postgresql/14/main/pg_hba.conf
|
||||
# `local all all trust`
|
||||
|
||||
sudo systemctl restart postgresql.service
|
||||
|
||||
psql -U postgres
|
||||
```
|
||||
ALTER USER postgres WITH PASSWORD 'postgres';
|
||||
exit;
|
||||
```
|
|
@ -0,0 +1,54 @@
|
|||
#!/bin/sh
|
||||
|
||||
DOMAIN='_homepage'
|
||||
|
||||
PROJ='$1'
|
||||
HOST='test-01'
|
||||
|
||||
# git
|
||||
adduser git
|
||||
mkdir '/home/git/.ssh'
|
||||
nano '/home/git/.ssh/authorized_keys'
|
||||
|
||||
# new repo
|
||||
git init --bare '/home/git/repos/$HOST'
|
||||
mkdir -p '/var/www/$HOST/'
|
||||
git clone '/home/git/repos/$HOST' '/var/www/$HOST'
|
||||
|
||||
# post-push resolving
|
||||
cd '/home/git/repos/$HOST/'
|
||||
exec git-update-server-info
|
||||
echo '#!/bin/sh
|
||||
cd "/var/www/$HOST/" || exit
|
||||
unset GIT_DIR
|
||||
git pull
|
||||
exec git-update-server-info
|
||||
' > '/home/git/repos/$HOST/hooks/post-update'
|
||||
chmod +x '/home/git/repos/$HOST/hooks/post-update'
|
||||
|
||||
|
||||
# access rights
|
||||
chown -R git:git '/home/git'
|
||||
chown -R git:www-data '/home/git/repos'
|
||||
chmod -R 755 '/home/git/repos'
|
||||
|
||||
|
||||
# cd /var/www/$HOST/public/www/
|
||||
# ln -s ../../static ./
|
||||
|
||||
# adduser www
|
||||
# usermod -aG www-data www
|
||||
usermod -aG www-data git
|
||||
chown -R git:www-data '/var/www/$HOST'
|
||||
chmod -R 755 '/var/www/$HOST'
|
||||
|
||||
|
||||
# mkdir '/var/www/$HOST/uploads'
|
||||
# touch '/var/www/$HOST/nohup.out'
|
||||
# touch '/var/www/$HOST/log.txt'
|
||||
|
||||
# starting scripts
|
||||
# chown -R www:www-data '/var/www/$HOST'
|
||||
# su - www -c 'cd /var/www/$HOST && ./start'
|
||||
# echo '@reboot su - www -c 'cd /var/www/$HOST && ./start'' \
|
||||
# >> /etc/crontab
|
|
@ -0,0 +1,13 @@
|
|||
#!/bin/sh
|
||||
|
||||
SERVER_ID='<SERVER.IP OR DOMAIN.TLD>'
|
||||
|
||||
ssh-copy-id -i ~/.ssh/server_root.pub "root@$SERVER_ID"
|
||||
ssh-copy-id -i ~/.ssh/server_www.pub "www@$SERVER_ID"
|
||||
ssh-copy-id -i ~/.ssh/server_git.pub "git@$SERVER_ID"
|
||||
|
||||
cd "/Site/$SERVER_ID"
|
||||
|
||||
git remote add prod "webing-poligon-git:~/repos/digisign"
|
||||
git push prod --all --force
|
||||
git push prod --tags --force
|
|
@ -0,0 +1,34 @@
|
|||
#!/usr/bin/env bash
|
||||
# update current
|
||||
apt-get update -y
|
||||
apt-get upgrade -y
|
||||
|
||||
|
||||
# sys, tools
|
||||
apt-get install -y \
|
||||
zsh curl wget git \
|
||||
g++ make clang build-essential \
|
||||
rmlint ffmpeg lynx \
|
||||
net-tools usrmerge \
|
||||
imagemagick graphicsmagick ghostscript \
|
||||
jpegoptim pngquant pngcrush
|
||||
|
||||
|
||||
# users
|
||||
|
||||
adduser git
|
||||
mkdir '/home/git/.ssh'
|
||||
touch '/home/git/.ssh/authorized_keys'
|
||||
# add ssh-key for git
|
||||
|
||||
adduser www
|
||||
mkdir '/home/www/.ssh'
|
||||
touch '/home/www/.ssh/authorized_keys'
|
||||
# add ssh-key for www
|
||||
|
||||
usermod -aG www-data www
|
||||
usermod -aG www-data git
|
||||
|
||||
|
||||
# access rights
|
||||
chown -R www:www-data '/var/www/site/'
|
|
@ -0,0 +1,7 @@
|
|||
title "server-debian"
|
||||
description "setup site, mail, git, etc"
|
||||
media-type "cli"
|
||||
tags "config" "scripts" "docs"
|
||||
license "0BSD"
|
||||
homepage "https://dym.sh/server-debian/"
|
||||
source "https://source.garden/config/server-debian/"
|
|
@ -23,8 +23,8 @@ sudo killall -9 mysql_secure_installation
|
|||
sudo mysql -u root --skip-password
|
||||
|
||||
```
|
||||
ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY 'my very strong password !123';
|
||||
CREATE USER 'admin'@'localhost' IDENTIFIED BY 'my very strong password !123';
|
||||
ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY 'STRONG_PASSWORD_ROOT';
|
||||
CREATE USER 'admin'@'localhost' IDENTIFIED BY 'STRONG_PASSWORD_ADMIN';
|
||||
GRANT ALL PRIVILEGES ON *.* TO 'admin'@'localhost';
|
||||
FLUSH PRIVILEGES;
|
||||
EXIT;
|
||||
|
|
|
@ -9,7 +9,7 @@ systemctl status mysql.service
|
|||
mysql -u root
|
||||
```sql
|
||||
CREATE DATABASE wp;
|
||||
CREATE USER 'db_admin'@'localhost' IDENTIFIED BY 'BjMPUpXtlUBHSr=l-TWYKHwCI7DPjF1YJMo2qpjW8LQI3Rk=EVKevexq6r3b+c6Ggf-cpk65nB-m8w=2';
|
||||
CREATE USER 'db_admin'@'localhost' IDENTIFIED BY 'STRONG_PASSWORD';
|
||||
GRANT ALL PRIVILEGES ON wp.* TO 'db_admin'@'localhost';
|
||||
FLUSH PRIVILEGES;
|
||||
EXIT;
|
||||
|
|
|
@ -44,7 +44,6 @@ server {
|
|||
proxy_pass_request_headers on;
|
||||
|
||||
location @gts {
|
||||
# set to 127.0.0.1 instead of localhost to work around https://stackoverflow.com/a/52550758
|
||||
proxy_pass http://127.0.0.1:10099;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
|
@ -1,11 +0,0 @@
|
|||
#!/usr/bin/zsh
|
||||
|
||||
# enable_ipv6
|
||||
|
||||
ip addr add 2a02:c206:3009:9964::1/112 dev eth0
|
||||
ip -6 addr show
|
||||
|
||||
ip route add default via fe80::1 dev eth0
|
||||
ip -6 route show
|
||||
|
||||
ping -6 2a02:c206:3009:9964::1
|
|
@ -1,43 +0,0 @@
|
|||
server {
|
||||
listen 80 default_server;
|
||||
listen [::]:80;
|
||||
server_name mail.*;
|
||||
|
||||
# For SSL domain validation
|
||||
root /var/www/html;
|
||||
location /.well-known/acme-challenge/ { allow all; }
|
||||
location /.well-known/pki-validation/ { allow all; }
|
||||
location / { return 301 https://$server_name$request_uri; }
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl http2 default_server;
|
||||
listen [::]:443 ssl http2;
|
||||
server_name mail.*;
|
||||
|
||||
ssl_certificate /opt/mailcow-dockerized/data/assets/ssl/cert.pem;
|
||||
ssl_certificate_key /opt/mailcow-dockerized/data/assets/ssl/key.pem;
|
||||
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
|
||||
ssl_ecdh_curve secp384r1;
|
||||
|
||||
ssl_session_timeout 7d;
|
||||
ssl_protocols TLSv1.2 TLSv1.3;
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!DH:!ADH:!EDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!AES256-GCM-SHA384';
|
||||
|
||||
# Change to your upload limit
|
||||
client_max_body_size 500m;
|
||||
|
||||
location / {
|
||||
proxy_pass http://127.0.0.1:10080;
|
||||
proxy_buffer_size 128k;
|
||||
proxy_buffers 64 512k;
|
||||
proxy_busy_buffers_size 512k;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
client_max_body_size 0;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_redirect off;
|
||||
}
|
||||
}
|
|
@ -1,71 +0,0 @@
|
|||
user www-data;
|
||||
worker_processes auto;
|
||||
pid /run/nginx.pid;
|
||||
include /etc/nginx/modules-enabled/*.conf;
|
||||
|
||||
events {
|
||||
worker_connections 768;
|
||||
# multi_accept on;
|
||||
}
|
||||
|
||||
http {
|
||||
error_log /var/log/nginx/error.log;
|
||||
|
||||
sendfile on;
|
||||
tcp_nopush on;
|
||||
tcp_nodelay on;
|
||||
keepalive_timeout 65;
|
||||
types_hash_max_size 2048;
|
||||
# server_tokens off;
|
||||
|
||||
server_names_hash_bucket_size 128;
|
||||
# server_name_in_redirect off;
|
||||
|
||||
include /etc/nginx/mime.types;
|
||||
default_type application/octet-stream;
|
||||
|
||||
|
||||
client_max_body_size 1024m;
|
||||
|
||||
ssl_session_timeout 1d;
|
||||
ssl_session_cache shared:MozSSL:10m;
|
||||
ssl_session_tickets off;
|
||||
ssl_protocols TLSv1.2 TLSv1.3;
|
||||
ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
|
||||
ssl_prefer_server_ciphers off;
|
||||
ssl_ecdh_curve X25519:prime256v1:secp384r1:secp521r1;
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
|
||||
gzip on;
|
||||
gzip_vary on;
|
||||
gzip_proxied any;
|
||||
gzip_comp_level 6;
|
||||
gzip_buffers 16 8k;
|
||||
gzip_http_version 1.1;
|
||||
|
||||
gzip_types application/activity+json
|
||||
application/atom+xml
|
||||
application/javascript
|
||||
application/json
|
||||
application/manifest+json
|
||||
application/rss+xml
|
||||
application/xml
|
||||
text/cache-manifest
|
||||
text/calendar
|
||||
text/css
|
||||
text/javascript
|
||||
text/markdown
|
||||
text/plain
|
||||
text/vcard
|
||||
text/vnd.wap.wml
|
||||
text/vtt
|
||||
text/x-component
|
||||
text/xml
|
||||
;
|
||||
|
||||
index index.html;
|
||||
|
||||
include /etc/nginx/conf.d/*.conf;
|
||||
include /etc/nginx/sites-enabled/*;
|
||||
}
|
|
@ -1,19 +0,0 @@
|
|||
server {
|
||||
server_name mx.dym.sh;
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
|
||||
location ~ /\.well-known/acme-challenge {
|
||||
root /var/lib/letsencrypt/;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
server_name mx.dym.sh;
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
|
||||
ssl_trusted_certificate /etc/letsencrypt/live/dym.sh/chain.pem;
|
||||
ssl_certificate /etc/letsencrypt/live/dym.sh/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/dym.sh/privkey.pem;
|
||||
}
|
|
@ -1,43 +0,0 @@
|
|||
server {
|
||||
server_name source.garden;
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
|
||||
location ~ /\.well-known/acme-challenge {
|
||||
root /var/lib/letsencrypt/;
|
||||
}
|
||||
location / {
|
||||
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;
|
||||
return 301 https://$server_name$request_uri;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
server_name source.garden;
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
|
||||
ssl_trusted_certificate /etc/letsencrypt/live/source.garden-0002/chain.pem;
|
||||
ssl_certificate /etc/letsencrypt/live/source.garden-0002/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/source.garden-0002/privkey.pem;
|
||||
|
||||
location / {
|
||||
root /var/www/source.garden/;
|
||||
try_files
|
||||
$uri
|
||||
$uri/
|
||||
@forgejo;
|
||||
}
|
||||
|
||||
location @forgejo {
|
||||
# set to 127.0.0.1 instead of localhost to work around https://stackoverflow.com/a/52550758
|
||||
proxy_pass http://127.0.0.1:3000;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "upgrade";
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
}
|
||||
|
||||
client_max_body_size 2000M;
|
||||
}
|
|
@ -6,8 +6,8 @@ pkill sendmail
|
|||
|
||||
# stop and remove old container
|
||||
docker stop mailserver
|
||||
docker rm `docker ps -a -q`
|
||||
docker container rm -f `docker ps -a -q`
|
||||
docker rm mailserver
|
||||
docker container rm -f mailserver
|
||||
docker container prune
|
||||
# update container
|
||||
docker pull analogic/poste.io
|
||||
|
@ -17,14 +17,14 @@ docker run \
|
|||
--detach \
|
||||
--restart always \
|
||||
--name 'mailserver' \
|
||||
--hostname 'mx.dym.sh' \
|
||||
--hostname 'mail.dym.sh' \
|
||||
--publish 25:25 \
|
||||
--publish 143:143 \
|
||||
--publish 587:587 \
|
||||
--publish 993:993 \
|
||||
--publish 4190:4190 \
|
||||
--publish 12080:80 \
|
||||
--publish 12443:443 \
|
||||
--publish 11080:80 \
|
||||
--publish 11443:443 \
|
||||
--volume /etc/localtime:/etc/localtime:ro \
|
||||
--volume /var/mail/data:/data \
|
||||
--tty analogic/poste.io
|
||||
|
|
|
@ -0,0 +1,5 @@
|
|||
# server-debian
|
||||
|
||||
> setup site, mail, git, etc
|
||||
|
||||
implied use of Debian 11
|
|
@ -0,0 +1,35 @@
|
|||
#!/usr/bin/zsh
|
||||
|
||||
# purge memory
|
||||
free -h
|
||||
|
||||
echo "clearing memory"
|
||||
sudo sync
|
||||
sudo sh -c 'echo 3 > /proc/sys/vm/drop_caches'
|
||||
free -h
|
||||
|
||||
|
||||
# clear logs
|
||||
echo "clearing /var/log"
|
||||
sudo du -hs /var/log
|
||||
sudo find /var/log -type f -delete
|
||||
sudo du -hs /var/log
|
||||
|
||||
#
|
||||
rm -rf /var/lib/systemd/coredump/*
|
||||
|
||||
echo "clearing /etc/nginx/logs"
|
||||
sudo du -hs /etc/nginx/logs
|
||||
sudo find /etc/nginx/logs -type f -delete
|
||||
sudo du -hs /etc/nginx/logs
|
||||
|
||||
rm ~/.xsession-errors*
|
||||
|
||||
|
||||
# relete occasional junk
|
||||
rm ~/rmlint.*
|
||||
|
||||
# empty trash
|
||||
rm -rf ~/.local/share/Trash
|
||||
|
||||
sudo rm -rf /.Trash-1000
|
|
@ -0,0 +1,22 @@
|
|||
Include /etc/ssh/sshd_config.d/*.conf
|
||||
|
||||
Port 22
|
||||
Port 567
|
||||
PubkeyAuthentication yes
|
||||
PasswordAuthentication no
|
||||
PermitEmptyPasswords no
|
||||
ChallengeResponseAuthentication no
|
||||
UsePAM yes
|
||||
X11Forwarding yes
|
||||
PrintMotd no
|
||||
Banner none
|
||||
AcceptEnv LANG LC_*
|
||||
Subsystem sftp /usr/lib/openssh/sftp-server
|
||||
PermitRootLogin yes
|
||||
HostKeyAlgorithms +ssh-rsa
|
||||
|
||||
Match LocalPort 22
|
||||
DenyUsers root
|
||||
|
||||
Match LocalPort 567
|
||||
DenyUsers git
|
|
@ -0,0 +1,36 @@
|
|||
Include /etc/ssh/sshd_config.d/*.conf
|
||||
|
||||
AcceptEnv LANG LC_*
|
||||
AuthorizedKeysFile %h/.ssh/authorized_keys
|
||||
Banner none
|
||||
ChallengeResponseAuthentication no
|
||||
HostbasedAuthentication no
|
||||
HostKey /etc/ssh/ssh_host_dsa_key
|
||||
HostKey /etc/ssh/ssh_host_ecdsa_key
|
||||
HostKey /etc/ssh/ssh_host_ed25519_key
|
||||
HostKey /etc/ssh/ssh_host_rsa_key
|
||||
IgnoreRhosts yes
|
||||
KeyRegenerationInterval 3600
|
||||
LoginGraceTime 120
|
||||
LogLevel INFO
|
||||
MaxAuthTries 5
|
||||
MaxSessions 5
|
||||
PasswordAuthentication no
|
||||
PermitEmptyPasswords no
|
||||
PermitRootLogin yes
|
||||
Port 567
|
||||
PrintLastLog no
|
||||
PrintMotd no
|
||||
Protocol 2
|
||||
PubkeyAuthentication yes
|
||||
RhostsRSAAuthentication no
|
||||
RSAAuthentication yes
|
||||
ServerKeyBits 1024
|
||||
StrictModes yes
|
||||
Subsystem sftp /usr/lib/openssh/sftp-server
|
||||
SyslogFacility AUTH
|
||||
TCPKeepAlive yes
|
||||
UsePAM yes
|
||||
UsePrivilegeSeparation yes
|
||||
X11DisplayOffset 10
|
||||
X11Forwarding yes
|
Loading…
Reference in New Issue