oily.mom/site
1
0
Fork 0
forked from finn/site
Code Pull Requests Activity
47 Commits 2 Branches 0 Tags
d1d64b181af8ae3739dc4b4e605e95ed4de43ec4
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
finn d1d64b181a db root localhost only
2024-08-06 16:27:32 +00:00
backend
navbar current decorator
2024-08-05 09:09:51 -07:00
db/init
db user restrict access to container
2024-08-06 09:01:04 -07:00
other
db root localhost only
2024-08-06 16:27:32 +00:00
proxy
db root localhost only
2024-08-06 16:27:32 +00:00
.gitignore
prod cleanup for live c10
2024-08-05 09:55:47 +00:00
compose.yaml
db root localhost only
2024-08-06 16:27:32 +00:00
compose.yaml.local
db root localhost only
2024-08-06 16:27:32 +00:00
compose.yaml.prod
db root localhost only
2024-08-06 16:27:32 +00:00
dotenv
post c10 cleanup
2024-08-05 01:36:10 -07:00
LICENSE
initial re-commit to wipe commit histoy due to public repo
2024-07-06 21:10:44 +00:00
nfmREADME.md
initial re-commit to wipe commit histoy due to public repo
2024-07-06 21:10:44 +00:00
README.md
prod cleanup for live c10
2024-08-05 09:55:47 +00:00

README.md

Site Setup

Sec:

  • This repo is public. Mind cred slip-ups.
  • Please note changes to /etc/sshd/sshd_conf made by lll script. If different method is used, audit manually.
  • Note app Dockerfile debug console, found at /console. Werkzeug/flask is WILDLY insecure if left in dev/dbg.
  • Avoid docker socks stuff.

Install:

apt install unattended-upgrades docker.io docker-compose ufw ssh
apt install vim git tmux htop

Install? PROBABLY NOT, this runs entirely in alpine and would be nice to isolate:

apt install python3-flask python3-full pip
pip install mysql-connector-python

Admin general:

usermod -aG docker finn

Admin firewall:

ufw default deny incoming
ufw default allow outgoing
ufw allow "OpenSSH"
ufw allow "WWW Full"
ufw enable

Admin dns:

set up domainUpdate script
set up cron job for script

Filesystem:

docker dir (d)
  certbot dns
  tmp for awesome compose or compose sandboxing
  site (main dc) TRACKED HERE
    db - holds init script
    proxy - important conf
    backend - app
    gitea - managed primarily by gitea
    pmb-pf - git clone of my mail thing
    other - ref and non-sensitive files for dns

Setup cheat:

  • set up certbot dns (prod)
  • see tar of cert dir with script (prod)
  • flask vs uwsgi in backend compose section (prod)
  • build vs local image in pmb-pf compose section
  • git clone pmb-pf
  • copy example .env in root dir
  • copy example .env in pmb-pf
  • copy example conf in proxy
  • do pmb-pf setup, and adjust root .env
  • mind backend config db settings

Notes:

This repo is minimally-sensitive. Falling outside the repo dir structure are reference awesome-compose files used as baseline -- nginx-flask-mysql -- and certs, containing letsencrypt script. Script may be backed up into repo carefully, sanitizing any tkens.

Changing gitea subdomain:

Find in proxy/conf.
Find in gitea conf.
Rebuild images.

MariaDB backup:

mariadb-dump -uroot -pxxxx gitea > /bu/19840101.sql
mariadb -uroot -pxxxx gitea < /bu/19840101.sql

Todo:

  • gitea subdomain will require wildcard cert -- therefore "*.oily.dad" AND "oily.dad" DONE
  • move more stuff from backend config into root .env
Description
No description provided
Readme 376 KiB
Languages
Python 55.2%
CSS 23.2%
HTML 14.6%
Shell 4.9%
Dockerfile 1.2%
Other 0.9%