68 lines
1.7 KiB
Markdown
# Site Setup

### Sec:

* This repo is public. Mind cred slip-ups.

* Please note changes to /etc/sshd/sshd_conf made by lll script. If a different method is used, audit manually.

* Note the app Dockerfile debug console, found at /console. Werkzeug/Flask is WILDLY insecure if left in dev/dbg.

* Avoid docker socket stuff.
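A quick way to catch the three things above before a push, added here as an example and not part of the original notes: a shell audit that flags Flask/Werkzeug debug mode, docker socket bind mounts, and literal credentials in a checkout. The sample tree built by `make_sample` is constructed for the demo; its file names and layout are assumptions, not this repo's real layout.

```shell
#!/bin/sh
# Added example, not part of the original notes: audit a checkout for the risks
# listed in the Sec section. make_sample builds a constructed tree to scan.
set -eu

# Print one tagged line per finding under DIR. Output is empty when clean.
audit_repo() {
  dir="$1"
  # Flask debug server / Werkzeug console: debug=True in code, FLASK_DEBUG=1 in env
  find "$dir" -type f \( -name '*.py' -o -name 'Dockerfile*' -o -name '*.yml' -o -name '*.yaml' \) \
    -exec grep -HnE 'debug[[:space:]]*=[[:space:]]*True|FLASK_DEBUG[[:space:]]*[=:][[:space:]]*.?1' {} + \
    | sed 's/^/FLASK_DEBUG /'
  # Docker socket handed to a container: root-equivalent on the host
  find "$dir" -type f \( -name '*.yml' -o -name '*.yaml' -o -name 'Dockerfile*' \) \
    -exec grep -HnF '/var/run/docker.sock' {} + \
    | sed 's/^/DOCKER_SOCK /'
  # Literal secrets: KEY=value where the value is not a ${VAR} reference
  find "$dir" -type f ! -path '*/.git/*' \
    -exec grep -HnE '(PASSWORD|SECRET|TOKEN|API_KEY)[[:space:]]*[=:][[:space:]]*[^[:space:]$]{8,}' {} + \
    | sed 's/^/CREDENTIAL /'
}

# Number of findings with a given tag (FLASK_DEBUG, DOCKER_SOCK, CREDENTIAL).
count_findings() {
  audit_repo "$2" | grep -c "^$1 " || true
}

# Constructed sample tree (hypothetical layout): a debug-mode Flask app, a
# compose file mounting the docker socket, and a .env with a literal password.
make_sample() {
  d=$(mktemp -d)
  mkdir -p "$d/backend" "$d/site"
  cat > "$d/backend/app.py" <<'EOF'
from flask import Flask
app = Flask(__name__)
if __name__ == "__main__":
    app.run(host="0.0.0.0", debug=True)   # exposes the Werkzeug /console
EOF
  cat > "$d/backend/Dockerfile" <<'EOF'
FROM python:3-alpine
ENV FLASK_DEBUG=1
EOF
  cat > "$d/site/compose.yml" <<'EOF'
services:
  db:
    environment:
      MYSQL_ROOT_PASSWORD: ${DB_ROOT_PASSWORD}
  proxy:
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
EOF
  cat > "$d/site/.env" <<'EOF'
DB_ROOT_PASSWORD=hunter2hunter2
EOF
  printf '%s\n' "$d"
}

sample=$(make_sample)
audit_repo "$sample"
rm -rf "$sample"
```

Run it against the real checkout with `audit_repo .`; the `${VAR}` reference in the compose file is deliberately not flagged, only the literal value in `.env` is, which is the slip-up that matters in a public repo.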
### Install:

apt install unattended-upgrades docker.io docker-compose ufw ssh

apt install vim git tmux htop

Install? PROBABLY NOT, this runs entirely in alpine and would be nice to isolate:

apt install python3-flask python3-full pip

pip install mysql-connector-python
### Admin general:

usermod -aG docker finn
### Admin firewall:

ufw default deny incoming

ufw default allow outgoing

ufw allow "OpenSSH"

ufw allow "WWW Full"

ufw enable
### Admin dns:

set up domainUpdate script\
set up cron job for script
### Filesystem:

docker dir (d)

certbot dns

tmp for awesome compose or compose sandboxing

site (main dc) TRACKED HERE

db - holds init script

proxy - important conf

backend - app

gitea - managed primarily by gitea

pmb-pf - git clone of my mail thing

other - ref and non-sensitive files for dns
### Timeline:

set up certbot dns\
see tar of cert dir with script
### Notes:

This repo is minimally-sensitive. Falling outside the repo dir structure are reference awesome-compose files used as baseline -- nginx-flask-mysql -- and certs, containing the letsencrypt script. The script may be backed up into the repo carefully, sanitizing any tokens.

TODO: gitea subdomain will require wildcard cert -- therefore "*.oily.dad" AND "oily.dad" DONE
### Changing gitea subdomain:

Find in proxy/conf.\
Find in gitea conf.\
Rebuild images.
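The three steps above are easy to half-finish, so here is an added example (not part of the original notes) that rewrites the hostname in both configs and then checks that nothing still names the old subdomain before images are rebuilt. The layout it assumes (an nginx server block under proxy/ and Gitea's app.ini under gitea/) and the hostnames are constructed for the demo, not taken from the repo.

```shell
#!/bin/sh
# Added example, not part of the original notes. proxy/gitea.conf, gitea/app.ini
# and the example.test hostnames are constructed for the demo.
set -eu

# List every line in proxy/gitea config files under DIR that still names HOST.
# Exit 1 when references remain, 0 when the tree is clean.
stale_refs() {
  hits=$(find "$1" -type f \( -name '*.conf' -o -name '*.ini' \) -exec grep -HnF -- "$2" {} + || true)
  [ -z "$hits" ] && return 0
  printf '%s\n' "$hits"
  return 1
}

# Number of config lines naming HOST (0 when none).
ref_count() {
  stale_refs "$1" "$2" | grep -c . || true
}

# Rewrite OLD to NEW in the proxy and gitea configs (steps 1 and 2 above).
rename_subdomain() {
  dir="$1"; old=$(printf '%s' "$2" | sed 's/[.]/\\./g'); new="$3"
  find "$dir" -type f \( -name '*.conf' -o -name '*.ini' \) | while read -r f; do
    sed "s/$old/$new/g" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
  done
}

# Constructed sample site: nginx server block plus Gitea [server] section.
make_sample_site() {
  d=$(mktemp -d)
  mkdir -p "$d/proxy" "$d/gitea"
  cat > "$d/proxy/gitea.conf" <<'EOF'
server {
    listen 443 ssl;
    server_name git.example.test;
    location / { proxy_pass http://gitea:3000; }
}
EOF
  cat > "$d/gitea/app.ini" <<'EOF'
[server]
DOMAIN = git.example.test
ROOT_URL = https://git.example.test/
EOF
  printf '%s\n' "$d"
}

site=$(make_sample_site)
rename_subdomain "$site" git.example.test code.example.test
stale_refs "$site" git.example.test && echo "no stale references; rebuild images next"
rm -rf "$site"
```

The point of `stale_refs` is the gate before step 3: a rebuild with one config still on the old name leaves the proxy and Gitea disagreeing about the host, which is the failure this section is warning about.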