initial re-commit to wipe commit histoy due to public repo

README.md

@@ -0,0 +1,66 @@
+# Site Setup
+
+### Sec:
+
+* This repo is public. Mind cred slip-ups.
+* Please note changes to /etc/sshd/sshd_conf made by lll script. If different method is used, audit manually.
+* Note app Dockerfile debug console, found at /console. Werkzeug/flask is WILDLY insecure if left in dev/dbg.
+* Avoid docker socks stuff.
+
+
+
+### Install:
+
+    apt install unattended-upgrades docker.io docker-compose ufw ssh
+    apt install vim git tmux htop
+
+Install? PROBABLY NOT, this runs entirely in alpine and would be nice to isolate:
+
+    apt install python3-flask python3-full pip
+    pip install mysql-connector-python
+
+### Admin general:
+
+    usermod -aG docker finn
+
+### Admin firewall:
+
+    ufw default deny incoming
+    ufw default allow outgoing
+    ufw allow "OpenSSH"
+    ufw allow "WWW Full"
+    ufw enable
+
+### Admin dns:
+
+set up domainUpdate script\
+set up cron job for script
+
+### Filesystem:
+
+    docker dir (d)
+      certbot dns
+      tmp for awesome compose or compose sandboxing
+      site (main dc) TRACKED HERE
+        db - holds init script
+        proxy - important conf
+        backend - app
+        gitea - managed primarily by gitea
+        other - ref and non-sensitive files for dns
+
+### Timeline:
+
+set up certbot dns\
+see tar of cert dir with script
+
+### Notes:
+This repo is minimally-sensitive. Falling outside the repo dir structure are reference awesome-compose files used as baseline -- nginx-flask-mysql -- and certs, containing letsencrypt script. Script may be backed up into repo carefully, sanitizing any tkens.
+
+TODO: gitea subdomain will require wildcard cert -- therefore "*.oily.dad" AND "oily.dad" DONE
+
+### Changing gitea subdomain:
+
+Find in proxy/conf.\
+Find in gitea conf.\
+Rebuild images.
+