| backend | ||
| db/init | ||
| other | ||
| proxy | ||
| .gitignore | ||
| compose.yaml | ||
| dotenv | ||
| LICENSE | ||
| nfmREADME.md | ||
| README.md | ||
Site Setup
Sec:
- This repo is public. Mind cred slip-ups.
- Please note changes to /etc/sshd/sshd_conf made by lll script. If different method is used, audit manually.
- Note app Dockerfile debug console, found at /console. Werkzeug/flask is WILDLY insecure if left in dev/dbg.
- Avoid docker socks stuff.
Install:
apt install unattended-upgrades docker.io docker-compose ufw ssh
apt install vim git tmux htop
Install? PROBABLY NOT, this runs entirely in alpine and would be nice to isolate:
apt install python3-flask python3-full pip
pip install mysql-connector-python
Admin general:
usermod -aG docker finn
Admin firewall:
ufw default deny incoming
ufw default allow outgoing
ufw allow "OpenSSH"
ufw allow "WWW Full"
ufw enable
Admin dns:
set up domainUpdate script
set up cron job for script
Filesystem:
docker dir (d)
certbot dns
tmp for awesome compose or compose sandboxing
site (main dc) TRACKED HERE
db - holds init script
proxy - important conf
backend - app
gitea - managed primarily by gitea
other - ref and non-sensitive files for dns
Timeline:
set up certbot dns
see tar of cert dir with script
Notes:
This repo is minimally-sensitive. Falling outside the repo dir structure are reference awesome-compose files used as baseline -- nginx-flask-mysql -- and certs, containing letsencrypt script. Script may be backed up into repo carefully, sanitizing any tkens.
TODO: gitea subdomain will require wildcard cert -- therefore "*.oily.dad" AND "oily.dad" DONE
Changing gitea subdomain:
Find in proxy/conf.
Find in gitea conf.
Rebuild images.