# Site Setup

### Sec:

* This repo is public. Mind credential slip-ups: no tokens, passwords or private keys in tracked files.
* Note the changes to /etc/ssh/sshd_config made by the lll script. If a different method is used, audit manually. sshd honours the first occurrence of a directive, so a line appended to the end of the file is silently ignored when the same directive already appears earlier.
* Note the app Dockerfile's debug console, found at /console. Werkzeug/Flask is WILDLY insecure if left in dev/debug mode: the debugger's /console evaluates arbitrary Python inside the container, and its PIN is not a security boundary. Never ship an image with FLASK_DEBUG=1 or `debug=True`.
* Avoid Docker socket stuff: never bind-mount /var/run/docker.sock into a container. Anything that can talk to the socket is root on the host.

### Install:

```sh
apt install unattended-upgrades docker.io docker-compose ufw ssh
apt install vim git tmux htop
```

Install? PROBABLY NOT. The app runs entirely in Alpine containers and it would be nice to keep it isolated from the host:

```sh
apt install python3-flask python3-full pip
pip install mysql-connector-python
```

### Admin general:

```sh
usermod -aG docker finn
```

Membership of the docker group is equivalent to root on the host; keep it to the admin account.

### Admin firewall:

```sh
ufw default deny incoming
ufw default allow outgoing
ufw allow "OpenSSH"
ufw allow "WWW Full"
ufw enable
```

"OpenSSH" and "WWW Full" are ufw application profiles (see `ufw app list`). Caveat: Docker inserts its own iptables rules ahead of ufw's, so any port published in compose is reachable from outside regardless of `default deny incoming`. Only 80/443 are meant to be public; bind anything else (gitea, db) to 127.0.0.1 or do not publish it at all.

### Admin dns:

* set up the domainUpdate script
* set up a cron job for the script

### Filesystem:

* docker dir (d)
  * certbot dns
  * tmp for awesome-compose or compose sandboxing
  * site (main docker-compose stack) TRACKED HERE
    * db - holds init script
    * proxy - important conf
    * backend - app
    * gitea - managed primarily by gitea
    * other - ref and non-sensitive files for dns

### Timeline:

* set up certbot dns
* see tar of cert dir with script

### Notes:

This repo is minimally sensitive. Falling outside the repo dir structure are the reference awesome-compose files used as baseline (nginx-flask-mysql) and certs, containing the letsencrypt script. The script may be backed up into the repo carefully, sanitizing any tokens first.

TODO (DONE): the gitea subdomain requires a wildcard cert, so the certificate covers both "*.oily.dad" and "oily.dad".

### Changing gitea subdomain:

1. Find it in proxy/conf.
2. Find it in the gitea conf.
3. Rebuild the images.
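The four items under "Sec" are the kind of thing that silently regresses. The script below is an added example, not part of this repo, that turns them into checks which can run before a push: no docker.sock mount, no Werkzeug debugger switches, sshd_config read the way sshd reads it (first occurrence wins), and no long literal assigned to anything called token/key/password/secret. The file names, the exact settings the lll script is expected to leave behind, and all sample inputs are constructed assumptions.

```sh
#!/bin/sh
# Added audit for the items under "Sec". Example code, not part of the site repo.
# File names (compose.yaml, sshd_config, certbot hook) and the post-lll sshd state are assumptions.
set -u

# 1. Docker socket: a container that can reach /var/run/docker.sock is root on the host.
#    Returns 0 when clean, 1 (printing the offending lines) otherwise.
check_no_docker_sock() {
    if grep -En 'docker\.sock' "$1"; then
        return 1
    fi
    return 0
}

# 2. Werkzeug debugger: FLASK_DEBUG=1, FLASK_ENV=development, app.run(debug=True) and
#    `flask run --debug` all enable /console, which evaluates arbitrary Python.
check_flask_debug_off() {
    if grep -En 'FLASK_DEBUG[=:] *"?(1|true)|FLASK_ENV[=:] *"?development|debug=True|flask run.*--debug' "$1"; then
        return 1
    fi
    return 0
}

# 3. sshd_config: sshd takes the FIRST occurrence of a directive, so this prints the first
#    uncommented value, exactly as sshd will. Keywords are case-insensitive.
sshd_effective() {   # $1=file $2=directive -> effective value (empty if unset)
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

check_sshd_hardened() {   # assumed post-lll state: no password auth, no root login
    [ "$(sshd_effective "$1" PasswordAuthentication)" = "no" ] || return 1
    [ "$(sshd_effective "$1" PermitRootLogin)" != "yes" ] || return 1
    return 0
}

# 4. Public repo: flag a long literal assigned to something named token/key/password/secret.
#    Heuristic on purpose: an indirection such as TOKEN="$(cat /root/.secrets/x)" is not flagged.
check_no_secrets() {
    if grep -Ein '(token|api_key|password|secret)[[:space:]]*[=:][[:space:]]*["'"'"']?[A-Za-z0-9_-]{12,}' "$1"; then
        return 1
    fi
    return 0
}

run_audit() {   # $1=compose $2=sshd_config $3=certbot hook; returns the number of failed checks
    fails=0
    check_no_docker_sock "$1"  && echo "ok   no docker.sock mount" || { echo "FAIL docker.sock mounted";  fails=$((fails + 1)); }
    check_flask_debug_off "$1" && echo "ok   flask debug off"     || { echo "FAIL flask debug enabled"; fails=$((fails + 1)); }
    check_sshd_hardened "$2"   && echo "ok   sshd hardened"       || { echo "FAIL sshd not hardened";   fails=$((fails + 1)); }
    check_no_secrets "$3"      && echo "ok   no literal secrets"  || { echo "FAIL secret in file";      fails=$((fails + 1)); }
    return "$fails"
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed: the shape to avoid (socket mounted, debugger on, stock sshd, token in the hook).
cat > "$WORK/bad-compose.yaml" <<'EOF'
services:
  backend:
    build: backend
    environment:
      FLASK_DEBUG: "1"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
EOF
printf '#PasswordAuthentication yes\n#PermitRootLogin prohibit-password\n' > "$WORK/bad-sshd_config"
printf '#!/bin/sh\nAPI_TOKEN=abcdef0123456789abcdef\n' > "$WORK/bad-hook.sh"

# Constructed: the shape to ship.
cat > "$WORK/good-compose.yaml" <<'EOF'
services:
  backend:
    build: backend
    environment:
      FLASK_DEBUG: "0"
EOF
printf 'PasswordAuthentication no\nPermitRootLogin no\n' > "$WORK/good-sshd_config"
printf '#!/bin/sh\nAPI_TOKEN="$(cat /root/.secrets/dns-token)"\n' > "$WORK/good-hook.sh"

echo "== constructed bad inputs =="
run_audit "$WORK/bad-compose.yaml" "$WORK/bad-sshd_config" "$WORK/bad-hook.sh" || echo "-> $? check(s) failed"
echo "== constructed good inputs =="
run_audit "$WORK/good-compose.yaml" "$WORK/good-sshd_config" "$WORK/good-hook.sh" && echo "-> clean"
```

Point the checks at the real site/ compose file, the host's /etc/ssh/sshd_config and the letsencrypt hook before committing; the sshd check in particular is what "audit manually" means when a method other than the lll script was used.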
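The firewall section only protects ports the host itself listens on; Docker publishes container ports through its own iptables rules, ahead of ufw's. The following is an added example (not part of this repo) that lists what a compose file actually exposes and fails when anything other than 80/443 is published on every interface. The compose file and its contents are constructed for the example; the parser is a line-based heuristic keyed on the `- [ip:]host:container[/proto]` shape, not a YAML parser.

```sh
#!/bin/sh
# Added example, not part of the site repo: which compose ports bypass ufw?
# Only 80/443 are meant to be public here (ufw "WWW Full"); everything else must be
# bound to 127.0.0.1 or not published at all. Inputs below are constructed.
set -u

# Prints "host_ip host_port" for every published port in a compose file.
# "0.0.0.0" is reported when no host address was given, which is what Docker does.
published_ports() {
    sed -n -E 's/^[[:space:]]*-[[:space:]]*"?([0-9.]+:)?([0-9]+):[0-9]+(\/(tcp|udp))?"?[[:space:]]*$/\1 \2/p' "$1" |
        sed -E 's/^ /0.0.0.0 /; s/: / /'
}

# Returns 1 (listing offenders) if any port other than 80/443 is published on all interfaces.
check_published_ports() {
    published_ports "$1" | awk '
        $1 == "0.0.0.0" && $2 != "80" && $2 != "443" {
            print "FAIL port " $2 " is published on every interface and bypasses ufw"; bad++
        }
        END { exit (bad > 0) }'
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed: proxy public on 80/443, gitea only on loopback, db not published at all.
cat > "$WORK/ok-compose.yaml" <<'EOF'
services:
  proxy:
    ports:
      - "80:80"
      - "443:443"
  gitea:
    ports:
      - "127.0.0.1:3000:3000"
  db:
    volumes:
      - ./db/init.sql:/docker-entrypoint-initdb.d/init.sql
EOF

# Constructed: same stack, but the db port was published "for debugging".
cat > "$WORK/bad-compose.yaml" <<'EOF'
services:
  proxy:
    ports:
      - "80:80"
      - "443:443"
  db:
    ports:
      - 3306:3306
EOF

check_published_ports "$WORK/ok-compose.yaml"  && echo "ok:  $WORK/ok-compose.yaml"
check_published_ports "$WORK/bad-compose.yaml" || echo "bad: $WORK/bad-compose.yaml"
```

On the live host, `iptables -L DOCKER -n` (or `ss -ltnp`) shows the same exposure from the other side; the compose check just catches it before the stack is brought up.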