upd

2023-10-20 13:40:58 +02:00 · 2023-10-20 13:40:58 +02:00 · d732d68cc6
parent ccffaa7db9
commit d732d68cc6
29 changed files with 387 additions and 356 deletions
--- a/.zshrc
+++ b/.zshrc
--- a/5
+++ b/5
@ -0,0 +1,5 @@
+Copyright (C) 2023 by Dym Sohin <re@dym.sh>
+
+Permission to use, copy, modify, and/or distribute this software for any purpose with or without fee is hereby granted.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
--- a/_install.sh
+++ b/_install.sh
@ -1,19 +1,11 @@
-#!/bin/bash
-
+#!/bin/sh

 # latest git
 add-apt-repository -y \
  ppa:git-core/ppa
-apt-get update -y
-apt-get install -y \
-  git

-
-# upgrade
+# core apps and utils
 apt-get upgrade -y
-
-
-# all the tools
 apt-get install -y \
  build-essential \
  certbot \
@ -22,6 +14,7 @@ apt-get install -y \
  ffmpeg \
  g++ \
  ghostscript \
+  git\
  graphicsmagick \
  imagemagick \
  jpegoptim \
@ -33,7 +26,7 @@ apt-get install -y \
  pngquant \
  postgresql \
  postgresql-contrib \
-  rmlint \
+  rdfind \
  sshfs \
  ufw \
  wget \
@ -58,29 +51,29 @@ pipupgrade -y --pip --ignore-error


 # nodejs
-rm -rf /usr/local/bin/npm /usr/local/share/man/man1/node* ~/.npm
-rm -rf /usr/local/lib/node*
-rm -rf /usr/local/bin/node*
-rm -rf /usr/local/include/node*
-apt-get purge nodejs npm
-apt autoremove
+rm -rf \
+  /usr/local/bin/node* \
+  /usr/local/bin/npm \
+  /usr/local/include/node* \
+  /usr/local/lib/node* \
+  /usr/local/share/man/man1/node* \
+  ~/.npm

-wget 'https://nodejs.org/dist/v16.15.0/node-v16.15.0-linux-x64.tar.xz'
-tar -xf 'node-v16.15.0-linux-x64.tar.xz'
-rm 'node-v16.15.0-linux-x64.tar.xz'
-mv node-v16.15.0-linux-x64/bin/* /usr/local/bin/
-mv node-v16.15.0-linux-x64/lib/node_modules/ /usr/local/lib/
+apt-get purge -y \
+  nodejs npm
+apt-get autoremove -y
+
+VER='18.18.1'
+wget 'https://nodejs.org/dist/v$VER/node-v$VER-linux-x64.tar.xz'
+tar -xf 'node-v$VER-linux-x64.tar.xz'
+rm 'node-v$VER-linux-x64.tar.xz'
+mv node-v$VER-linux-x64/bin/* \
+  /usr/local/bin/
+mv node-v$VER-linux-x64/lib/node_modules/ \
+  /usr/local/lib/

-npm i -g n
-n lts
 npm i -g npm
-
-npm i -g svgo
-
-
-# deno
-curl -fsSL https://deno.land/install.sh \
-  | sh
+npm i -g n svgo


 # rust
@ -88,7 +81,9 @@ apt-get install -y \
  openssl libssl1.1 libssl-dev \
  libfreetype6-dev libfontconfig1-dev libxcb-xfixes0-dev

-curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
+curl --proto '=https' \
+  --tlsv1.2 -sSf 'https://sh.rustup.rs' \
+  | sh

 source $HOME/.cargo/env

--- a/_installs/caddy.sh
+++ b/_installs/caddy.sh
@ -0,0 +1,5 @@
+apt-get install -y debian-keyring debian-archive-keyring apt-transport-https
+curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
+curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | tee /etc/apt/sources.list.d/caddy-stable.list
+apt-get update
+apt-get install caddy
--- a/_installs/certbot.sh
+++ b/_installs/certbot.sh
@ -1,8 +1,11 @@
 #!/usr/bin/zsh

-sudo apt-get remove -y \
+apt-get remove -y \
  python3-cryptography

+apt-get install -y python3-pip
+
+
 pip3 install \
  certbot \
  cryptography
@ -13,10 +16,8 @@ certbot certonly \
  -d '*.source.garden' \
  --email 'certbot+source.garden@dym.sh' \
  --agree-tos \
-  --manual-public-ip-logging-ok \
  --renew-by-default \
  --rsa-key-size 4096 \
-  --no-bootstrap \
  --manual \
  --preferred-challenges dns-01 \
  --server https://acme-v02.api.letsencrypt.org/directory
@ -27,10 +28,8 @@ certbot certonly \
  -d '*.dym.sh' \
  --email 'certbot+dym.sh@dym.sh' \
  --agree-tos \
-  --manual-public-ip-logging-ok \
  --renew-by-default \
  --rsa-key-size 4096 \
-  --no-bootstrap \
  --manual \
  --preferred-challenges dns-01 \
  --server https://acme-v02.api.letsencrypt.org/directory
--- a/_installs/fojego.sh
+++ b/_installs/fojego.sh
@ -1,51 +0,0 @@
-apt-get install -y \
-  git git-lfs
-
-wget https://codeberg.org/forgejo/forgejo/releases/download/v1.19.3-0/forgejo-1.19.3-0-linux-amd64
-chmod +x forgejo-1.19.3-0-linux-amd64
-
-gpg --keyserver keys.openpgp.org --recv EB114F5E6C0DC2BCDD183550A4B61A2DC5923710
-wget https://codeberg.org/forgejo/forgejo/releases/download/v1.19.3-0/forgejo-1.19.3-0-linux-amd64.asc
-gpg --verify forgejo-1.19.3-0-linux-amd64.asc forgejo-1.19.3-0-linux-amd64
-
-mv forgejo-1.19.3-0-linux-amd64 /usr/local/bin/forgejo
-chmod 755 /usr/local/bin/forgejo
-
-
-groupadd --system git
-
-adduser --system --shell /bin/bash --comment 'Git Version Control' \
-   --gid git --home-dir /home/git --create-home git
-
-mkdir /var/lib/forgejo
-chown git:git /var/lib/forgejo \
-  && chmod 750 /var/lib/forgejo
-
-mkdir /usr/local/bin/data
-chown root:git /usr/local/bin/data \
-	&& chmod 770 /usr/local/bin/data
-
-mkdir /usr/local/bin/log
-chown root:git /usr/local/bin/log \
-	&& chmod 770 /usr/local/bin/log
-
-mkdir /usr/local/bin/custom
-chown root:git /usr/local/bin/custom \
-	&& chmod 770 /usr/local/bin/custom
-
-mkdir /etc/forgejo
-chown root:git /etc/forgejo \
-  && chmod 770 /etc/forgejo
-
-
-wget -O \
-  /etc/systemd/system/forgejo.service \
-  'https://codeberg.org/forgejo/forgejo/raw/branch/forgejo/contrib/systemd/forgejo.service'
-
-# If you’re not using sqlite, but MySQL or MariaDB or PostgreSQL, you’ll have to edit that file (/etc/systemd/system/forgejo.service) and uncomment the corresponding Wants= and After= lines. Otherwise it should work as it is.
-
-systemctl enable forgejo.service
-systemctl start forgejo.service
-
-# open http://source.garden:3000
-
--- a/_installs/forgejo.sh
+++ b/_installs/forgejo.sh
@ -0,0 +1,71 @@
+#!/bin/sh
+
+apt-get install -y \
+  git git-lfs
+
+VER='1.20.4-1'
+
+wget  "https://codeberg.org/forgejo/forgejo/releases/download/v$VER/forgejo-$VER-linux-amd64.xz"
+xz -d  "forgejo-$VER-linux-amd64.xz"
+
+gpg --keyserver keys.openpgp.org \
+    --recv EB114F5E6C0DC2BCDD183550A4B61A2DC5923710
+wget  "https://codeberg.org/forgejo/forgejo/releases/download/v$VER/forgejo-$VER-linux-amd64.asc"
+gpg --verify  "forgejo-$VER-linux-amd64.asc forgejo-$VER-linux-amd64"
+
+chmod +x  "forgejo-$VER-linux-amd64"
+mv  "forgejo-$VER-linux-amd64" \
+    /usr/local/bin/forgejo
+chmod -R 755 /usr/local/bin/forgejo
+
+
+groupadd --system git
+adduser --system \
+   --ingroup git \
+   git
+
+mkdir -p  /home/git
+chown git:git -R /home/git \
+  && chmod -R 750 /home/git
+
+mkdir /var/lib/forgejo
+chown git:git -R /var/lib/forgejo \
+  && chmod -R 750 /var/lib/forgejo
+
+mkdir /usr/local/bin/data
+chown root:git -R /usr/local/bin/data \
+	&& chmod -R 770 /usr/local/bin/data
+
+mkdir /usr/local/bin/log
+chown root:git -R /usr/local/bin/log \
+	&& chmod -R 770 /usr/local/bin/log
+
+mkdir /usr/local/bin/custom
+chown root:git -R /usr/local/bin/custom \
+	&& chmod -R 770 /usr/local/bin/custom
+
+mkdir /etc/forgejo
+chown root:git -R /etc/forgejo \
+  && chmod -R 770 /etc/forgejo
+
+chown root:git /usr/local/bin/custom/conf/app.ini \
+  && chmod 770 /usr/local/bin/custom/conf/app.ini
+
+
+# test with `su - git -c 'forgejo'`
+
+
+wget -O \
+  /etc/systemd/system/forgejo.service \
+  'https://codeberg.org/forgejo/forgejo/raw/branch/forgejo/contrib/systemd/forgejo.service'
+
+chown root:git /etc/systemd/system/forgejo.service
+chmod 770 /etc/systemd/system/forgejo.service
+
+# If you’re not using sqlite, but MySQL or MariaDB or PostgreSQL, you’ll have to edit that file (/etc/systemd/system/forgejo.service) and uncomment the corresponding Wants= and After= lines. Otherwise it should work as it is.
+
+systemctl enable forgejo.service
+systemctl start forgejo.service
+
+
+# open http://source.garden:3000
--- a/_installs/gotosocial.sh
+++ b/_installs/gotosocial.sh
@ -27,4 +27,4 @@ killall gotosocial
 systemctl start gotosocial.service


-curl -L https://dym.sh/.well-known/webfinger\?resource\=acct:dym@dym.com
+curl -L 'https://dym.sh/.well-known/webfinger?resource=acct:dym@dym.sh'
--- a/_installs/nextcloud.sh
+++ b/_installs/nextcloud.sh
@ -1,15 +1,16 @@
 curl -fsSL https://get.docker.com | sudo sh

-sudo docker run \
--sig-proxy=false \
--name nextcloud-aio-mastercontainer \
--restart always \
--publish 80:80 \
--publish 8080:8080 \
--publish 8443:8443 \
--volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config \
--volume /var/run/docker.sock:/var/run/docker.sock:ro \
-nextcloud/all-in-one:latest
+docker run \
+	--init \
+	--sig-proxy=false \
+	--name nextcloud-aio-mastercontainer \
+	--restart always \
+	--publish 8080:8080 \
+	--env APACHE_PORT=11000 \
+	--env APACHE_IP_BINDING=0.0.0.0 \
+	--volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config \
+	--volume /var/run/docker.sock:/var/run/docker.sock:ro \
+	nextcloud/all-in-one:latest


 firefox 'https://<server>:8080'
--- a/_installs/nodejs.sh
+++ b/_installs/nodejs.sh
@ -2,31 +2,29 @@


 # optional: remove old installs
-sudo apt purge -y \
+apt purge -y \
  nodejs npm
-sudo apt autoremove -y
+apt autoremove -y

-sudo rm /usr/bin/node
-sudo rm /usr/bin/npm
-sudo rm -rf /usr/share/npm
-sudo rm -rf /usr/share/nodejs
+rm /usr/bin/node
+rm /usr/bin/npm
+rm -rf /usr/share/npm
+rm -rf /usr/share/nodejs

+VER='18.18.0'

-# install node + npm
-wget -O 'node.xz' \
-  'https://nodejs.org/dist/v18.16.0/node-v18.16.0-linux-x64.tar.xz'
-tar -xf 'node.xz'
-rm 'node.xz'
-sudo mv node-v18.16.0-linux-x64/bin/* /usr/local/bin/
-sudo mv node-v18.16.0-linux-x64/lib/node_modules/ /usr/local/lib/
+mv node-v$VER-linux-x64/bin/* \
+   /usr/local/bin/
+mv node-v$VER-linux-x64/lib/node_modules/ \
+   /usr/local/lib/

-sudo mkdir -p  \
+mkdir -p  \
  '/usr/lib/nodejs' \
  '/usr/lib/node_modules'


 # fix permissions
-sudo chown -R $USER:$USER \
+chown -R $USER:$USER \
  '/usr/local' \
  '/usr/share' \
  '/usr/lib/nodejs' \
--- a/_installs/postgres-15.sh
+++ b/_installs/postgres-15.sh
@ -0,0 +1,36 @@
+#!/usr/bin/zsh
+
+apt update
+apt upgrade
+apt install software-properties-common apt-transport-https curl -y
+
+curl -fsSl https://www.postgresql.org/media/keys/ACCC4CF8.asc | gpg --dearmor | tee /usr/share/keyrings/postgresql.gpg > /dev/null
+
+sh -c 'echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" > /etc/apt/sources.list.d/pgdg.list'
+
+wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add -
+
+apt-get -y update
+apt-get install postgresql-15 -y
+
+systemctl enable postgresql
+systemctl start postgresql
+systemctl status postgresql
+
+ss -antpl | grep 5432
+
+systemctl start \
+  postgresql postgresql-client
+
+
+nano /etc/postgresql/15/main/pg_hba.conf
+# `local  all  all  trust`
+
+systemctl restart postgresql
+
+# psql -U postgres
+su postgres -c psql
+```
+ALTER USER postgres WITH PASSWORD 'postgres';
+exit;
+```
--- a/_installs/postgres.sh
+++ b/_installs/postgres.sh
@ -1,46 +0,0 @@
-#!/usr/bin/zsh
-
-# Postgres
-
-# the `lsb_release` prints linux-mint's codename
-# of which pg has no idea, so
-U='UBUNTU_CODENAME='
-DISTRO=`cat '/etc/os-release' | grep "$U"`
-if [ ! -z "$DISTRO" ]; then
-  DISTRO="${DISTRO/$U/}"
-else
-  DISTRO=`lsb_release -cs`
-fi
-echo "DISTRO: '$DISTRO'"
-
-
-SRC="deb http://apt.postgresql.org/pub/repos/apt $DISTRO-pgdg main"
-sudo sh -c \
-  "echo '$SRC' > /etc/apt/sources.list.d/pgdg.list"
-
-wget --quiet -O - 'https://www.postgresql.org/media/keys/ACCC4CF8.asc' \
-  | sudo apt-key add -
-
-curl -sS 'https://www.postgresql.org/media/keys/ACCC4CF8.asc' \
-  | gpg --dearmor \
-  | sudo tee /etc/apt/trusted.gpg.d/postgresql.gpg
-
-sudo apt update -y
-sudo apt install -y \
-  postgresql-14
-
-psql --version
-
-sudo systemctl start \
-  postgresql-14 postgresql-client-14
-
-sudo nano /etc/postgresql/14/main/pg_hba.conf
-# `local all all trust`
-
-sudo systemctl restart postgresql.service
-
-psql -U postgres
-```
-ALTER USER postgres WITH PASSWORD 'postgres';
-exit;
-```
--- a/git/server-www.sh
+++ b/git/server-www.sh
@ -0,0 +1,54 @@
+#!/bin/sh
+
+DOMAIN='_homepage'
+
+PROJ='$1'
+HOST='test-01'
+
+# git
+adduser git
+mkdir '/home/git/.ssh'
+nano '/home/git/.ssh/authorized_keys'
+
+# new repo
+git init --bare '/home/git/repos/$HOST'
+mkdir -p '/var/www/$HOST/'
+git clone '/home/git/repos/$HOST' '/var/www/$HOST'
+
+# post-push resolving
+cd '/home/git/repos/$HOST/'
+exec git-update-server-info
+echo '#!/bin/sh
+cd "/var/www/$HOST/" || exit
+unset GIT_DIR
+git pull
+exec git-update-server-info
+' > '/home/git/repos/$HOST/hooks/post-update'
+chmod +x '/home/git/repos/$HOST/hooks/post-update'
+
+
+# access rights
+chown -R git:git '/home/git'
+chown -R git:www-data '/home/git/repos'
+chmod -R 755 '/home/git/repos'
+
+
+# cd /var/www/$HOST/public/www/
+# ln -s ../../static ./
+
+# adduser www
+# usermod -aG www-data www
+usermod -aG www-data git
+chown -R git:www-data '/var/www/$HOST'
+chmod -R 755 '/var/www/$HOST'
+
+
+# mkdir '/var/www/$HOST/uploads'
+# touch '/var/www/$HOST/nohup.out'
+# touch '/var/www/$HOST/log.txt'
+
+# starting scripts
+# chown -R www:www-data '/var/www/$HOST'
+# su - www -c  'cd /var/www/$HOST && ./start'
+# echo '@reboot su - www -c  'cd /var/www/$HOST && ./start'' \
+#   >> /etc/crontab
--- a/git/setup-local.sh
+++ b/git/setup-local.sh
@ -0,0 +1,13 @@
+#!/bin/sh
+
+SERVER_ID='<SERVER.IP OR DOMAIN.TLD>'
+
+ssh-copy-id -i ~/.ssh/server_root.pub "root@$SERVER_ID"
+ssh-copy-id -i ~/.ssh/server_www.pub "www@$SERVER_ID"
+ssh-copy-id -i ~/.ssh/server_git.pub "git@$SERVER_ID"
+
+cd "/Site/$SERVER_ID"
+
+git remote add prod "webing-poligon-git:~/repos/digisign"
+git push prod --all --force
+git push prod --tags --force
--- a/git/setup-server.sh
+++ b/git/setup-server.sh
@ -0,0 +1,34 @@
+#!/usr/bin/env bash
+# update current
+apt-get update -y
+apt-get upgrade -y
+
+
+# sys, tools
+apt-get install -y \
+  zsh curl wget git \
+  g++ make clang build-essential \
+  rmlint ffmpeg lynx \
+  net-tools usrmerge \
+  imagemagick graphicsmagick ghostscript \
+  jpegoptim pngquant pngcrush
+
+
+# users
+
+adduser git
+mkdir '/home/git/.ssh'
+touch '/home/git/.ssh/authorized_keys'
+  # add ssh-key for git
+
+adduser www
+mkdir '/home/www/.ssh'
+touch '/home/www/.ssh/authorized_keys'
+  # add ssh-key for www
+
+usermod -aG www-data www
+usermod -aG www-data git
+
+
+# access rights
+chown -R www:www-data '/var/www/site/'
--- a/meta.kdl
+++ b/meta.kdl
@ -0,0 +1,7 @@
+title        "server-debian"
+description  "setup site, mail, git, etc"
+media-type   "cli"
+tags         "config"  "scripts"  "docs"
+license      "0BSD"
+homepage     "https://dym.sh/server-debian/"
+source       "https://source.garden/config/server-debian/"
--- a/mysql/_install.sh
+++ b/mysql/_install.sh
@ -23,8 +23,8 @@ sudo killall -9 mysql_secure_installation
 sudo mysql -u root --skip-password

 ```
-ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY 'my very strong password !123';
-CREATE USER 'admin'@'localhost' IDENTIFIED BY 'my very strong password !123';
+ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY 'STRONG_PASSWORD_ROOT';
+CREATE USER 'admin'@'localhost' IDENTIFIED BY 'STRONG_PASSWORD_ADMIN';
 GRANT ALL PRIVILEGES ON *.* TO 'admin'@'localhost';
 FLUSH PRIVILEGES;
 EXIT;
--- a/mysql/mysql_wordpress.sh
+++ b/mysql/mysql_wordpress.sh
@ -9,7 +9,7 @@ systemctl status mysql.service
 mysql -u root
 ```sql
 CREATE DATABASE wp;
-CREATE USER 'db_admin'@'localhost' IDENTIFIED BY 'BjMPUpXtlUBHSr=l-TWYKHwCI7DPjF1YJMo2qpjW8LQI3Rk=EVKevexq6r3b+c6Ggf-cpk65nB-m8w=2';
+CREATE USER 'db_admin'@'localhost' IDENTIFIED BY 'STRONG_PASSWORD';
 GRANT ALL PRIVILEGES ON wp.* TO 'db_admin'@'localhost';
 FLUSH PRIVILEGES;
 EXIT;
--- a/nginx/dym.sh--gts.conf
+++ b/nginx/dym.sh--gts.conf
@ -44,7 +44,6 @@ server {
  proxy_pass_request_headers on;

  location @gts {
-    # set to 127.0.0.1 instead of localhost to work around https://stackoverflow.com/a/52550758
    proxy_pass http://127.0.0.1:10099;
    proxy_set_header Host $host;
    proxy_set_header Upgrade $http_upgrade;
--- a/nginx/ipv6.sh
+++ b/nginx/ipv6.sh
@ -1,11 +0,0 @@
-#!/usr/bin/zsh
-
-# enable_ipv6
-
-ip addr add 2a02:c206:3009:9964::1/112 dev eth0
-ip -6 addr show
-
-ip route add default via fe80::1 dev eth0
-ip -6 route show
-
-ping -6 2a02:c206:3009:9964::1
--- a/nginx/mailcow.conf
+++ b/nginx/mailcow.conf
@ -1,43 +0,0 @@
-server {
-    listen 80 default_server;
-    listen [::]:80;
-    server_name   mail.*;
-
-    # For SSL domain validation
-    root /var/www/html;
-    location /.well-known/acme-challenge/ { allow all; }
-    location /.well-known/pki-validation/ { allow all; }
-    location / { return 301 https://$server_name$request_uri; }
-}
-
-server {
-    listen 443 ssl http2 default_server;
-    listen [::]:443 ssl http2;
-    server_name         mail.*;
-
-    ssl_certificate     /opt/mailcow-dockerized/data/assets/ssl/cert.pem;
-    ssl_certificate_key /opt/mailcow-dockerized/data/assets/ssl/key.pem;
-    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
-    ssl_ecdh_curve      secp384r1;
-
-    ssl_session_timeout 7d;
-    ssl_protocols TLSv1.2 TLSv1.3;
-    ssl_prefer_server_ciphers on;
-    ssl_ciphers               'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!DH:!ADH:!EDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!AES256-GCM-SHA384';
-
-    # Change to your upload limit
-    client_max_body_size 500m;
-
-    location / {
-        proxy_pass http://127.0.0.1:10080;
-        proxy_buffer_size 128k;
-        proxy_buffers 64 512k;
-        proxy_busy_buffers_size 512k;
-        proxy_set_header X-Forwarded-Proto $scheme;
-        client_max_body_size 0;
-        proxy_set_header Host $host;
-        proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_redirect off;
-    }
-}
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@ -1,71 +0,0 @@
-user www-data;
-worker_processes auto;
-pid /run/nginx.pid;
-include /etc/nginx/modules-enabled/*.conf;
-
-events {
-  worker_connections 768;
-  # multi_accept on;
-}
-
-http {
-  error_log /var/log/nginx/error.log;
-
-  sendfile on;
-  tcp_nopush on;
-  tcp_nodelay on;
-  keepalive_timeout 65;
-  types_hash_max_size 2048;
-  # server_tokens off;
-
-  server_names_hash_bucket_size 128;
-  # server_name_in_redirect off;
-
-  include /etc/nginx/mime.types;
-  default_type application/octet-stream;
-
-
-  client_max_body_size 1024m;
-
-  ssl_session_timeout       1d;
-  ssl_session_cache         shared:MozSSL:10m;
-  ssl_session_tickets       off;
-  ssl_protocols             TLSv1.2 TLSv1.3;
-  ssl_ciphers               "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
-  ssl_prefer_server_ciphers off;
-  ssl_ecdh_curve            X25519:prime256v1:secp384r1:secp521r1;
-  ssl_stapling              on;
-  ssl_stapling_verify       on;
-
-  gzip                      on;
-  gzip_vary                 on;
-  gzip_proxied              any;
-  gzip_comp_level           6;
-  gzip_buffers              16 8k;
-  gzip_http_version         1.1;
-
-  gzip_types                application/activity+json
-                            application/atom+xml
-                            application/javascript
-                            application/json
-                            application/manifest+json
-                            application/rss+xml
-                            application/xml
-                            text/cache-manifest
-                            text/calendar
-                            text/css
-                            text/javascript
-                            text/markdown
-                            text/plain
-                            text/vcard
-                            text/vnd.wap.wml
-                            text/vtt
-                            text/x-component
-                            text/xml
-                            ;
-
-  index index.html;
-
-  include /etc/nginx/conf.d/*.conf;
-  include /etc/nginx/sites-enabled/*;
-}
--- a/nginx/poste.conf
+++ b/nginx/poste.conf
@ -1,19 +0,0 @@
-server {
-  server_name  mx.dym.sh;
-  listen       80;
-  listen       [::]:80;
-
-  location ~ /\.well-known/acme-challenge {
-    root       /var/lib/letsencrypt/;
-  }
-}
-
-server {
-  server_name mx.dym.sh;
-  listen                    443 ssl http2;
-  listen                    [::]:443 ssl http2;
-
-  ssl_trusted_certificate   /etc/letsencrypt/live/dym.sh/chain.pem;
-  ssl_certificate           /etc/letsencrypt/live/dym.sh/fullchain.pem;
-  ssl_certificate_key       /etc/letsencrypt/live/dym.sh/privkey.pem;
-}
--- a/nginx/source.garden.conf
+++ b/nginx/source.garden.conf
@ -1,43 +0,0 @@
-server {
-  server_name  source.garden;
-  listen       80;
-  listen       [::]:80;
-
-  location ~ /\.well-known/acme-challenge {
-    root       /var/lib/letsencrypt/;
-  }
-  location / {
-    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;
-    return     301 https://$server_name$request_uri;
-  }
-}
-
-server {
-  server_name source.garden;
-  listen                    443 ssl http2;
-  listen                    [::]:443 ssl http2;
-
-  ssl_trusted_certificate   /etc/letsencrypt/live/source.garden-0002/chain.pem;
-  ssl_certificate           /etc/letsencrypt/live/source.garden-0002/fullchain.pem;
-  ssl_certificate_key       /etc/letsencrypt/live/source.garden-0002/privkey.pem;
-
-  location / {
-    root       /var/www/source.garden/;
-    try_files
-      $uri
-      $uri/
-      @forgejo;
-  }
-
-  location @forgejo {
-    # set to 127.0.0.1 instead of localhost to work around https://stackoverflow.com/a/52550758
-    proxy_pass http://127.0.0.1:3000;
-    proxy_set_header Host $host;
-    proxy_set_header Upgrade $http_upgrade;
-    proxy_set_header Connection "upgrade";
-    proxy_set_header X-Forwarded-For $remote_addr;
-    proxy_set_header X-Forwarded-Proto $scheme;
-  }
-
-  client_max_body_size 2000M;
-}
--- a/poste-io/@reboot.sh
+++ b/poste-io/@reboot.sh
@ -6,8 +6,8 @@ pkill sendmail

 # stop and remove old container
 docker stop mailserver
-docker rm `docker ps -a -q`
-docker container rm -f `docker ps -a -q`
+docker rm mailserver
+docker container rm -f mailserver
 docker container prune
 # update container
 docker pull analogic/poste.io
@ -17,14 +17,14 @@ docker run \
  --detach \
  --restart always \
  --name 'mailserver' \
-  --hostname 'mx.dym.sh' \
+  --hostname 'mail.dym.sh' \
  --publish 25:25 \
  --publish 143:143 \
  --publish 587:587 \
  --publish 993:993 \
  --publish 4190:4190 \
-  --publish 12080:80 \
-  --publish 12443:443 \
+  --publish 11080:80 \
+  --publish 11443:443 \
  --volume /etc/localtime:/etc/localtime:ro \
  --volume /var/mail/data:/data \
  --tty analogic/poste.io
--- a/readme.md
+++ b/readme.md
@ -0,0 +1,5 @@
+# server-debian
+
+> setup site, mail, git, etc
+
+implied use of Debian 11
--- a/scripts/purge
+++ b/scripts/purge
@ -0,0 +1,35 @@
+#!/usr/bin/zsh
+
+# purge memory
+free -h
+
+echo "clearing memory"
+sudo sync
+sudo sh -c 'echo 3 > /proc/sys/vm/drop_caches'
+free -h
+
+
+# clear logs
+echo "clearing /var/log"
+sudo du -hs /var/log
+sudo find /var/log -type f -delete
+sudo du -hs /var/log
+
+#
+rm -rf /var/lib/systemd/coredump/*
+
+echo "clearing /etc/nginx/logs"
+sudo du -hs /etc/nginx/logs
+sudo find /etc/nginx/logs -type f -delete
+sudo du -hs /etc/nginx/logs
+
+rm ~/.xsession-errors*
+
+
+# relete occasional junk
+rm ~/rmlint.*
+
+# empty trash
+rm -rf ~/.local/share/Trash
+
+sudo rm -rf /.Trash-1000
--- a/ssh/sshd_config
+++ b/ssh/sshd_config
@ -0,0 +1,22 @@
+Include /etc/ssh/sshd_config.d/*.conf
+
+Port 22
+Port 567
+PubkeyAuthentication yes
+PasswordAuthentication no
+PermitEmptyPasswords no
+ChallengeResponseAuthentication no
+UsePAM yes
+X11Forwarding yes
+PrintMotd no
+Banner none
+AcceptEnv LANG LC_*
+Subsystem  sftp  /usr/lib/openssh/sftp-server
+PermitRootLogin yes
+HostKeyAlgorithms +ssh-rsa
+
+Match LocalPort 22
+  DenyUsers root
+
+Match LocalPort 567
+  DenyUsers git
--- a/ssh/sshd_config-default
+++ b/ssh/sshd_config-default
@ -0,0 +1,36 @@
+Include /etc/ssh/sshd_config.d/*.conf
+
+AcceptEnv LANG LC_*
+AuthorizedKeysFile %h/.ssh/authorized_keys
+Banner none
+ChallengeResponseAuthentication no
+HostbasedAuthentication no
+HostKey /etc/ssh/ssh_host_dsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+HostKey /etc/ssh/ssh_host_rsa_key
+IgnoreRhosts yes
+KeyRegenerationInterval 3600
+LoginGraceTime 120
+LogLevel INFO
+MaxAuthTries 5
+MaxSessions 5
+PasswordAuthentication no
+PermitEmptyPasswords no
+PermitRootLogin yes
+Port 567
+PrintLastLog no
+PrintMotd no
+Protocol 2
+PubkeyAuthentication yes
+RhostsRSAAuthentication no
+RSAAuthentication yes
+ServerKeyBits 1024
+StrictModes yes
+Subsystem sftp /usr/lib/openssh/sftp-server
+SyslogFacility AUTH
+TCPKeepAlive yes
+UsePAM yes
+UsePrivilegeSeparation yes
+X11DisplayOffset 10
+X11Forwarding yes