# Site Setup

### Sec:

- This repo is public. Do not commit credentials: real `.env` files, tokens and DB passwords stay out of git; only the example `.env` files belong here.
- Note the changes to `/etc/ssh/sshd_config` made by the lll script. If the host is set up some other way, audit `sshd_config` manually (no password auth, no root login).
- The app Dockerfile can start Flask in debug mode, which exposes the Werkzeug interactive debugger at `/console`. That console runs arbitrary Python for anyone who can reach it (the debugger PIN is not a real access control), so never run the backend with debug enabled outside local development.
- Do not mount the Docker socket (`/var/run/docker.sock`) into containers, and avoid socket-based tooling in general: anything that can talk to the socket is root on the host.

### Install:

```sh
apt install unattended-upgrades docker.io docker-compose ufw ssh
apt install vim git tmux htop
```

Probably NOT needed on the host: the app runs entirely inside an Alpine image, and keeping it isolated there is preferable. Only if you really want it locally:

```sh
apt install python3-flask python3-full pip
pip install mysql-connector-python
```

### Admin general:

```sh
usermod -aG docker finn
```

Membership of the `docker` group is equivalent to root on the host; grant it only to the admin account.

### Admin firewall:

```sh
ufw default deny incoming
ufw default allow outgoing
ufw allow "OpenSSH"
ufw allow "WWW Full"
ufw enable
```

Keep the OpenSSH rule before `ufw enable`; with the default-deny policy, enabling first cuts off the SSH session you are running this from.

### Admin dns:

- set up the domainUpdate script
- set up a cron job for the script

### Filesystem:

```
docker dir (d)
  certbot
  dns
  tmp        - for awesome-compose or compose sandboxing
  site       - main docker-compose project, TRACKED HERE
    db       - holds the init script
    proxy    - important conf
    backend  - the app
    gitea    - managed primarily by gitea
    pmb-pf   - git clone of my mail thing
    other    - reference and non-sensitive files for dns
```

### Setup cheat:

- set up certbot dns (prod)
- see the tar of the cert dir, with script (prod)
- flask vs uwsgi: pick one in the backend section of the compose file (prod)
- build vs local image: pick one in the pmb-pf section of the compose file
- git clone pmb-pf
- copy the example .env in the root dir
- copy the example .env in pmb-pf
- copy the example conf in proxy
- do the pmb-pf setup, then adjust the root .env
- mind the db settings in the backend config

### Notes:

This repo is minimally sensitive. Outside the repo dir structure are the reference awesome-compose files used as baseline (nginx-flask-mysql) and `certs`, which contains the letsencrypt script. The script may be backed up into the repo, carefully, after sanitizing any tokens.

### Changing gitea subdomain:

- Find it in proxy/conf.
- Find it in the gitea conf.
- Rebuild the images.

### Todo:

- DONE: the gitea subdomain requires a wildcard cert, so the cert must cover both `*.oily.dad` AND `oily.dad` (a wildcard does not cover the bare domain).
- move more settings from the backend config into the root .env
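### Audit example:

The checks under "Sec" above can be scripted. The following is an added example, not a script from this repo: it reads an `sshd_config` for the settings the lll script is meant to change, scans the compose tree for a mounted Docker socket and for Flask debug being switched on, and looks for committed credentials. The `*.example` naming for template env files, the `audit_all` entry point, and the sample inputs it builds in a temp dir are all assumptions made for the example.

```sh
#!/bin/sh
# Added example, not part of this repo: an audit for the four points under "Sec".
# Assumptions: template env files are named *.example, and real runs pass
# /etc/ssh/sshd_config plus the repo checkout. The inputs built at the bottom
# are constructed samples so the script runs offline.

# First effective value of an sshd_config keyword, lowercased, empty if unset.
# sshd takes the first occurrence; keywords under a Match block are conditional,
# so scanning stops there. On a live host, `sshd -T` prints the effective config.
sshd_value() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == k       { print tolower($2); exit }' "$1"
}

# audit_sshd <sshd_config>: returns 1 if root or password logins are still allowed.
audit_sshd() {
    rc=0
    [ "$(sshd_value "$1" PermitRootLogin)" = yes ] && { echo "sshd: PermitRootLogin yes"; rc=1; }
    # The compiled-in default is "yes", so an absent line is as bad as "yes".
    [ "$(sshd_value "$1" PasswordAuthentication)" = no ] || { echo "sshd: PasswordAuthentication not set to no"; rc=1; }
    [ "$(sshd_value "$1" PermitEmptyPasswords)" = yes ] && { echo "sshd: PermitEmptyPasswords yes"; rc=1; }
    return $rc
}

# audit_compose <dir>: returns 1 if a compose file, Dockerfile, .env or Python
# source mounts the Docker socket (root on the host) or turns Flask debug on
# (Werkzeug console at /console). Hits are printed as file:line:text for review.
audit_compose() {
    hits=$(find "$1" -type f \( -name 'docker-compose*.yml' -o -name 'compose*.yml' \
               -o -name 'Dockerfile*' -o -name '.env*' -o -name '*.py' \) \
           -exec grep -nE 'docker\.sock|FLASK_DEBUG[[:space:]]*[=:][[:space:]]*"?(1|true|on)|FLASK_ENV[[:space:]]*[=:][[:space:]]*"?development|debug[[:space:]]*=[[:space:]]*True|--debug' {} +) || true
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# audit_secrets <dir>: returns 1 if a non-example file carries what looks like a
# real credential (candidates are printed for a human to review), or if
# .gitignore does not exclude .env. The repo is public, so both matter.
audit_secrets() {
    rc=0
    hits=$(find "$1" -type f ! -name '*.example' ! -path '*/.git/*' \
           -exec grep -nE '(PASSWORD|SECRET|TOKEN|API_KEY)[A-Z_]*[[:space:]]*[=:][[:space:]]*[^[:space:]]{8,}' {} +) || true
    [ -n "$hits" ] && { printf '%s\n' "$hits"; rc=1; }
    grep -qsxE '(\*\*/)?\.env\*?' "$1/.gitignore" || { echo "gitignore: .env is not ignored"; rc=1; }
    return $rc
}

# audit_all <sshd_config> <repo dir>: run every check; non-zero if anything was flagged.
audit_all() {
    rc=0
    audit_sshd "$1"    || rc=1
    audit_compose "$2" || rc=1
    audit_secrets "$2" || rc=1
    return $rc
}

# ---- constructed sample inputs (not real config from this host) ----
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
mkdir -p "$SAMPLE_DIR/site/backend" "$SAMPLE_DIR/clean"
cat > "$SAMPLE_DIR/sshd_config" <<'EOF'
Port 22
#PasswordAuthentication no
PermitRootLogin yes
Match User finn
    PasswordAuthentication no
EOF
printf 'PermitRootLogin no\nPasswordAuthentication no\nPermitEmptyPasswords no\n' > "$SAMPLE_DIR/sshd_config.good"
cat > "$SAMPLE_DIR/site/backend/docker-compose.yml" <<'EOF'
services:
  backend:
    build: .
    environment:
      - FLASK_DEBUG=1
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
EOF
printf 'DB_PASSWORD=changeme\n' > "$SAMPLE_DIR/site/.env.example"
printf 'DB_PASSWORD=Q7vpJ2x9LmN4rT\n' > "$SAMPLE_DIR/site/.env"
printf '.env\n' > "$SAMPLE_DIR/site/.gitignore"
printf 'DB_PASSWORD=changeme\n' > "$SAMPLE_DIR/clean/.env.example"
printf '.env\n' > "$SAMPLE_DIR/clean/.gitignore"

audit_all "$SAMPLE_DIR/sshd_config" "$SAMPLE_DIR/site" && echo "audit: clean" || echo "audit: findings above"
```

On the host, call `audit_all /etc/ssh/sshd_config <repo checkout>`; if the distro's `sshd_config` pulls in drop-in files through an `Include` line, `sshd -T` is the authoritative view of what sshd actually applies.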
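### Cert coverage check:

The wildcard item in the Todo above (a `*.oily.dad` cert does not cover `oily.dad`) and the subdomain change procedure share one check: every `server_name` in the proxy conf must be a name the cert's SAN list covers. The following is an added example, not part of this repo. The nginx-style `server_name` lines and the two SAN strings are constructed; on the real host the SAN text would come from `openssl x509 -in <fullchain.pem> -noout -ext subjectAltName`.

```sh
#!/bin/sh
# Added example, not part of this repo: does the cert cover every hostname the
# proxy serves? The proxy conf and SAN strings below are constructed samples.

# Hostnames from every `server_name` line of an nginx conf, one per line, de-duplicated.
proxy_hostnames() {
    awk '/^[ \t]*server_name[ \t]/ {
            for (i = 2; i <= NF; i++) { sub(/;$/, "", $i); print $i }
        }' "$1" | sort -u
}

# Turn the "DNS:a, DNS:b" text printed by
#   openssl x509 -in <fullchain.pem> -noout -ext subjectAltName
# into a space-separated list of names.
san_names_from_openssl() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:[[:space:]]*//p' | xargs
}

# san_matches <host> <san-entry>: exact match, or a single-label wildcard match.
# "*.oily.dad" covers git.oily.dad but neither oily.dad nor a.b.oily.dad.
san_matches() {
    case $2 in
        \*.*)
            suffix=${2#\*}                          # "*.oily.dad" -> ".oily.dad"
            case $1 in
                *"$suffix")
                    label=${1%"$suffix"}            # the part the * stands for
                    [ -n "$label" ] && [ "$label" = "${label#*.}" ] ;;  # one label, no dot
                *) return 1 ;;
            esac ;;
        *) [ "$1" = "$2" ] ;;
    esac
}

# cert_covers_hosts "<san names>" "<hostnames>": prints each uncovered host,
# returns 1 if any. Globbing is off so "*.oily.dad" is never expanded against the cwd.
cert_covers_hosts() {
    set -f
    missing=0
    for h in $2; do
        covered=0
        for s in $1; do
            if san_matches "$h" "$s"; then covered=1; break; fi
        done
        [ "$covered" -eq 1 ] || { echo "NOT COVERED: $h"; missing=1; }
    done
    set +f
    return $missing
}

# ---- constructed sample: the proxy conf after adding the gitea subdomain ----
SAMPLE_PROXY=$(mktemp)
trap 'rm -f "$SAMPLE_PROXY"' EXIT
cat > "$SAMPLE_PROXY" <<'EOF'
server {
    listen 443 ssl;
    server_name oily.dad www.oily.dad;
}
server {
    listen 443 ssl;
    server_name git.oily.dad;
}
EOF
HOSTS=$(proxy_hostnames "$SAMPLE_PROXY")
WILDCARD_ONLY=$(san_names_from_openssl 'DNS:*.oily.dad')              # wildcard alone
WITH_APEX=$(san_names_from_openssl 'DNS:oily.dad, DNS:*.oily.dad')   # what the Todo asks for

echo "wildcard-only cert:"
cert_covers_hosts "$WILDCARD_ONLY" "$HOSTS" || echo "  -> reissue with the apex name too"
echo "wildcard + apex cert:"
cert_covers_hosts "$WITH_APEX" "$HOSTS" && echo "  -> ok"
```

Run it again whenever the gitea subdomain (or any other `server_name`) changes, before rebuilding the images: a new second-level name such as `a.b.oily.dad` would also fall outside the wildcard and need its own SAN entry.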