# Site Setup

### Sec:

- This repo is public. Do not commit credentials: keep secrets out of tracked files and check `git diff --cached` before every commit.

- Note the changes to /etc/ssh/sshd_config made by the lll script. If a different method is used, audit the file manually (at minimum PermitRootLogin, PasswordAuthentication and PubkeyAuthentication). sshd honours the first value it sees for a keyword, so also check for duplicate lines.

- Note the app Dockerfile's debug console at /console. The Werkzeug debugger (Flask debug mode) gives anyone who can reach /console an interactive Python shell inside the app process, i.e. remote code execution; the debugger PIN is not a security control. Never ship an image with FLASK_DEBUG=1 or app.run(debug=True).

- Avoid mounting the Docker socket (/var/run/docker.sock) into containers. A process that can talk to the socket can start a privileged container with the host filesystem mounted, so it is effectively root on the host; a read-only mount does not prevent that.

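The three items above can be checked mechanically before a deploy. The script below is an added example, not part of this repo: it audits the global section of an sshd_config the way sshd reads it (first value wins, Match blocks skipped), flags lines in a Dockerfile, compose file or Python source that switch on the Werkzeug debugger, and flags bind mounts of the Docker socket. The sample sshd_config and compose snippet are constructed for the example; the expected-value table is an assumption about this host's policy.

```python
"""Added example: automated checks for the Sec list (not the repo's own code)."""
import re

# sshd_config values assumed for a public host.  sshd applies the FIRST value
# it sees for a keyword, so a duplicate further down does not override an
# earlier line; the audit mimics that.
SSHD_EXPECTED = {
    "permitrootlogin": {"no", "prohibit-password"},
    "passwordauthentication": {"no"},
    "pubkeyauthentication": {"yes"},
}


def audit_sshd_config(text):
    """Return findings for the global section of an sshd_config.
    Everything after the first 'Match' keyword is conditional and is skipped."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            break                      # Match blocks run to end of file
        seen.setdefault(key, value)    # first value wins, as in sshd
    findings = []
    for key, ok in SSHD_EXPECTED.items():
        if key not in seen:
            findings.append(f"{key}: not set, relying on the compiled-in default")
        elif seen[key] not in ok:
            findings.append(f"{key}: is '{seen[key]}', expected one of {sorted(ok)}")
    return findings


# Settings that switch on the Werkzeug debugger, whose /console page is an
# interactive Python shell inside the app process.
DEBUG_PATTERNS = [
    re.compile(r"FLASK_DEBUG\s*[=:]\s*['\"]?(1|true|on)\b", re.I),
    re.compile(r"FLASK_ENV\s*[=:]\s*['\"]?development\b", re.I),
    re.compile(r"\.run\([^)]*\bdebug\s*=\s*True"),
    re.compile(r"\bapp\.debug\s*=\s*True"),
]

# Bind mounts of the Docker socket.  ':ro' is not a mitigation: a read-only
# mount still allows connecting to the socket and issuing API calls.
DOCKER_SOCK = re.compile(r"(?:/var)?/run/docker\.sock")


def find_debug_settings(text, name):
    """(name, line_no, line) for each line that enables Flask/Werkzeug debug."""
    return [(name, n, line.strip())
            for n, line in enumerate(text.splitlines(), 1)
            if any(p.search(line) for p in DEBUG_PATTERNS)]


def find_docker_socket_mounts(text, name):
    """(name, line_no, line) for each line that mounts the Docker socket."""
    return [(name, n, line.strip())
            for n, line in enumerate(text.splitlines(), 1)
            if DOCKER_SOCK.search(line)]


# Constructed samples; both contain deliberate mistakes.
SAMPLE_SSHD = """# constructed sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication no
# the next line is ignored by sshd: the first value above wins
PasswordAuthentication yes
Match User deploy
    PasswordAuthentication yes
"""

SAMPLE_COMPOSE = """services:
  backend:
    build: ./backend
    environment:
      - FLASK_DEBUG=1
  proxy:
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
"""


def run_all():
    """Run every check against the samples; returns a dict of findings."""
    return {
        "sshd": audit_sshd_config(SAMPLE_SSHD),
        "debug": find_debug_settings(SAMPLE_COMPOSE, "docker-compose.yml"),
        "docker_sock": find_docker_socket_mounts(SAMPLE_COMPOSE, "docker-compose.yml"),
    }


if __name__ == "__main__":
    for check, hits in run_all().items():
        print(check, hits if hits else "ok")
```

On a real host, feed `audit_sshd_config` the contents of /etc/ssh/sshd_config and run the two `find_*` checks over every Dockerfile and compose file under the site directory; any non-empty result is a blocker for a public deploy.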
### Install:

apt install unattended-upgrades docker.io docker-compose ufw ssh

apt install vim git tmux htop

Install these on the host? PROBABLY NOT: the app runs entirely inside the Alpine container, and it is better to keep it isolated there. If they are needed anyway (note that recent Debian/Ubuntu refuse `pip install` into the system Python; use a venv):

apt install python3-flask python3-full python3-pip

pip install mysql-connector-python

### Admin general:

usermod -aG docker finn

Membership of the docker group is root-equivalent (the user can run `docker run -v /:/host ...`), so only add accounts that would be given sudo anyway.

### Admin firewall:

ufw default deny incoming

ufw default allow outgoing

ufw allow "OpenSSH"

ufw allow "WWW Full"

ufw enable

Keep this order: allow OpenSSH before `ufw enable`, or the current SSH session is cut off. Also note that Docker inserts its own iptables rules for published ports (`-p 3306:3306` and compose `ports:` entries), and those bypass ufw entirely; bind such ports to 127.0.0.1 or leave them unpublished and let the proxy container reach them over the compose network.

### Admin dns:

set up domainUpdate script\
set up cron job for script

### Filesystem:

docker dir (d)

certbot dns

tmp for awesome-compose or compose sandboxing

site (main dc, i.e. the docker-compose project) TRACKED HERE

db - holds init script

proxy - important conf

backend - app

gitea - managed primarily by gitea

pmb-pf - git clone of my mail thing

other - ref and non-sensitive files for dns

### Setup cheat:

- set up certbot dns (prod)

- see tar of cert dir with script (prod)

- flask vs uwsgi in backend compose section (prod)

- build vs local image in pmb-pf compose section

- git clone pmb-pf

- copy example .env in root dir

- copy example .env in pmb-pf

- copy example conf in proxy

- do pmb-pf setup, and adjust root .env

- check the db settings in the backend config

### Notes:

This repo is minimally sensitive. Falling outside the repo dir structure are the reference awesome-compose files used as a baseline -- nginx-flask-mysql -- and the certs dir, containing the letsencrypt script. The script may be backed up into the repo, but carefully: sanitize any tokens first.

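Both the "this repo is public" bullet at the top and the note above come down to the same check: nothing with a credential in it may be committed, and anything copied in from the certs dir must be sanitized first. The script below is an added example, not the repo's own tooling: `find_secrets` reports likely credentials in a text, `redact` blanks their values so a script can be committed, and `staged_files_with_secrets` applies the scan to the staged copy of each file (the pre-commit use). The patterns are deliberately simple and the sample DNS script is constructed; the placeholder list is an assumption about what the example .env files contain.

```python
"""Added example: secret scanning and redaction for a public repo (not the repo's own code)."""
import re
import subprocess

# Things that must never land in a public repo.  Simple on purpose: the aim is
# to catch slip-ups, not to be exhaustive.
SECRET_PATTERNS = {
    # NAME=value assignments in .env files and shell scripts
    "env-assignment": re.compile(
        r"^[ \t]*(?:export[ \t]+)?[A-Z0-9_]*(?:PASSWORD|PASSWD|SECRET|TOKEN|API_KEY)[A-Z0-9_]*"
        r"[ \t]*=[ \t]*['\"]?([^\s'\"]+)",
        re.I | re.M),
    # whole PEM block, so the key body is caught and redacted, not just the header
    "private-key": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----[\s\S]*?"
        r"-----END (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "aws-access-key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
}

# Values the example .env files legitimately contain (assumed); not reported.
PLACEHOLDERS = {"changeme", "example", "xxx", "<redacted>", "redacted"}
MARKER = "<redacted>"


def find_secrets(text):
    """Return (kind, line_no, offending line) for each likely secret in text."""
    lines = text.splitlines()
    findings = []
    for kind, pat in SECRET_PATTERNS.items():
        for m in pat.finditer(text):
            if kind == "env-assignment" and m.group(1).lower() in PLACEHOLDERS:
                continue
            line_no = text.count("\n", 0, m.start()) + 1
            findings.append((kind, line_no, lines[line_no - 1].strip()))
    return sorted(findings, key=lambda f: f[1])


def redact(text):
    """Replace every secret value with MARKER so the file is safe to commit."""
    for kind, pat in SECRET_PATTERNS.items():
        if kind == "env-assignment":
            # keep 'NAME=' and the opening quote, drop only the value
            text = pat.sub(lambda m: m.group(0)[: m.start(1) - m.start(0)] + MARKER, text)
        else:
            text = pat.sub(MARKER, text)
    return text


def staged_files_with_secrets():
    """Pre-commit use: scan the staged copy of each added/copied/modified file."""
    names = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
        capture_output=True, text=True, check=True).stdout.split()
    bad = {}
    for name in names:
        content = subprocess.run(["git", "show", f":{name}"],
                                 capture_output=True, text=True, check=True).stdout
        hits = find_secrets(content)
        if hits:
            bad[name] = hits
    return bad


# Constructed sample of a DNS update script, as it might sit in the certs dir.
SAMPLE_SCRIPT = """#!/bin/sh
DOMAIN=oily.dad
API_TOKEN='3f9c0b1e2d4a5b6c7d8e9f0a1b2c3d4e'
MYSQL_PASSWORD=changeme
curl -s -H "Authorization: Bearer $API_TOKEN" "https://dns.example.org/update?host=$DOMAIN"
"""

if __name__ == "__main__":
    for kind, n, line in find_secrets(SAMPLE_SCRIPT):
        print(f"{kind} at line {n}: {line}")
    print(redact(SAMPLE_SCRIPT))
```

Wired into .git/hooks/pre-commit, `staged_files_with_secrets()` returning a non-empty dict should abort the commit; note it scans the staged blobs (`git show :path`), not the working tree, so a secret that was staged and then edited out of the file is still caught.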
### Changing gitea subdomain:

Find in proxy/conf.\
Find in gitea conf.\
Rebuild images.

### Todo:

- gitea subdomain will require wildcard cert -- therefore "*.oily.dad" AND "oily.dad" (DONE)

- move more stuff from backend config into root .env