site/README.md

# Site Setup

### Sec:

* This repo is public. Mind cred slip-ups.
* Please note changes to /etc/sshd/sshd_conf made by lll script. If different method is used, audit manually.
* Note app Dockerfile debug console, found at /console. Werkzeug/flask is WILDLY insecure if left in dev/dbg.
* Avoid docker socks stuff.


### Install:

    apt install unattended-upgrades docker.io docker-compose ufw ssh
    apt install vim git tmux htop

Install? PROBABLY NOT, this runs entirely in alpine and would be nice to isolate:

    apt install python3-flask python3-full pip
    pip install mysql-connector-python

### Admin general:

    usermod -aG docker finn

### Admin firewall:

    ufw default deny incoming
    ufw default allow outgoing
    ufw allow "OpenSSH"
    ufw allow "WWW Full"
    ufw enable

### Admin dns:

set up domainUpdate script\
set up cron job for script

### Filesystem:

    docker dir (d)
      certbot dns
      tmp for awesome compose or compose sandboxing
      site (main dc) TRACKED HERE
        db - holds init script
        proxy - important conf
        backend - app
        gitea - managed primarily by gitea
        other - ref and non-sensitive files for dns

### Timeline:

set up certbot dns\
see tar of cert dir with script

### Notes:
This repo is minimally-sensitive. Falling outside the repo dir structure are reference awesome-compose files used as baseline -- nginx-flask-mysql -- and certs, containing letsencrypt script. Script may be backed up into repo carefully, sanitizing any tkens.

TODO: gitea subdomain will require wildcard cert -- therefore "*.oily.dad" AND "oily.dad" DONE

### Changing gitea subdomain:

Find in proxy/conf.\
Find in gitea conf.\
Rebuild images.
initial re-commit to wipe commit histoy due to public repo 2024-07-06 21:10:44 +00:00			`# Site Setup`

			`### Sec:`

			`* This repo is public. Mind cred slip-ups.`
			`* Please note changes to /etc/sshd/sshd_conf made by lll script. If different method is used, audit manually.`
			`* Note app Dockerfile debug console, found at /console. Werkzeug/flask is WILDLY insecure if left in dev/dbg.`
			`* Avoid docker socks stuff.`



			`### Install:`

			`apt install unattended-upgrades docker.io docker-compose ufw ssh`
			`apt install vim git tmux htop`

			`Install? PROBABLY NOT, this runs entirely in alpine and would be nice to isolate:`

			`apt install python3-flask python3-full pip`
			`pip install mysql-connector-python`

			`### Admin general:`

			`usermod -aG docker finn`

			`### Admin firewall:`

			`ufw default deny incoming`
			`ufw default allow outgoing`
			`ufw allow "OpenSSH"`
			`ufw allow "WWW Full"`
			`ufw enable`

			`### Admin dns:`

			`set up domainUpdate script\`
			`set up cron job for script`

			`### Filesystem:`

			`docker dir (d)`
			`certbot dns`
			`tmp for awesome compose or compose sandboxing`
			`site (main dc) TRACKED HERE`
			`db - holds init script`
			`proxy - important conf`
			`backend - app`
			`gitea - managed primarily by gitea`
			`other - ref and non-sensitive files for dns`

			`### Timeline:`

			`set up certbot dns\`
			`see tar of cert dir with script`

			`### Notes:`
			`This repo is minimally-sensitive. Falling outside the repo dir structure are reference awesome-compose files used as baseline -- nginx-flask-mysql -- and certs, containing letsencrypt script. Script may be backed up into repo carefully, sanitizing any tkens.`

			`TODO: gitea subdomain will require wildcard cert -- therefore "*.oily.dad" AND "oily.dad" DONE`

			`### Changing gitea subdomain:`

			`Find in proxy/conf.\`
			`Find in gitea conf.\`
			`Rebuild images.`