| author | Kévin Le Gouguec <kevin.legouguec@gmail.com> | 2023-11-19 16:53:53 +0100 |
|---|---|---|
| committer | Kévin Le Gouguec <kevin.legouguec@gmail.com> | 2023-11-19 16:53:53 +0100 |
| commit | 28a2593d87436cfbaf09b4d6ae46c65394aaaf09 (patch) | |
| tree | 4d37e27759cf0a405e0b0efb368a4e27bfa2758a /guides/cloud | |
| parent | 08f8cca7c627d28fd8ae79fd3841adc905cb803b (diff) | |
| download | memory-leaks-28a2593d87436cfbaf09b4d6ae46c65394aaaf09.tar.xz | |
Touch up notes on VPS setup
Diffstat (limited to 'guides/cloud')
| -rw-r--r-- | guides/cloud/vps.org | 52 |
1 files changed, 28 insertions, 24 deletions
diff --git a/guides/cloud/vps.org b/guides/cloud/vps.org index 1fcf1ca..f5eb4ed 100644 --- a/guides/cloud/vps.org +++ b/guides/cloud/vps.org @@ -39,23 +39,23 @@ So instead, I'll * System #+begin_src sh -sudo hostnamectl set-hostname $fqdn +sudo hostnamectl set-hostname $DOMAIN sudo timedatectl set-timezone $tz #+end_src * Services ** Web server Run ~sudo apt install nginx~; then, in -=/etc/nginx/sites-available/$FQDN=: +=/etc/nginx/sites-available/$DOMAIN=: #+begin_src conf server { listen 80; listen [::]:80; - server_name $FQDN www.$FQDN; - access_log /var/log/nginx/$FQDN.access.log; + server_name $DOMAIN www.$DOMAIN; + access_log /var/log/nginx/$DOMAIN.access.log; - root /var/www/$FQDN/html; + root /var/www/$DOMAIN/html; index index.html; location / { @@ -86,7 +86,7 @@ enabled = true [nginx-botsearch] enabled = true -# Assume that each requests to $fqdn will be logged to "$fqdn.access.log". +# Assume that each requests to $DOMAIN will be logged to "$DOMAIN.access.log". logpath = /var/log/nginx/*access.log #+end_src 
@@ -97,37 +97,39 @@ sudo cp ~/jail.local /etc/fail2ban/ sudo systemctl restart fail2ban #+end_src -Check how these rules fare against real bot searches with -~fail2ban-regex /var/log/nginx/access.log -/etc/fail2ban/filter.d/nginx-botsearch.local~. +Check how these rules fare against real bot searches with: +#+begin_src sh +fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/nginx-botsearch.local +#+end_src + *** HTTPS #+begin_src sh sudo apt install certbot python3-certbot-nginx -sudo certbot --nginx -d $FQDN www.$FQDN +sudo certbot --nginx -d $DOMAIN www.$DOMAIN sudo systemctl reload nginx #+end_src ** Git server *** SSH access #+begin_src sh -$ sudo apt install git -$ sudo tee -a /etc/shells <<< $(which git-shell) -$ sudo adduser git --disabled-password --shell $(which git-shell) -$ sudo mkdir /srv/git -$ sudo chown git:git /srv/git +sudo apt install git +sudo tee -a /etc/shells <<< $(which git-shell) +sudo adduser git --disabled-password --shell $(which git-shell) +sudo mkdir /srv/git +sudo chown git:git /srv/git # For every new repo: -$ sudo -u git git init --bare --shared=group /srv/git/${repo} +sudo -u git git init --bare --shared=group /srv/git/${repo} #+end_src *** Web mirror -With =/etc/nginx/sites-available/git.$FQDN=: +With =/etc/nginx/sites-available/git.$DOMAIN=: #+begin_src conf server { listen 80; listen [::]:80; - server_name git.$FQQN; - access_log /var/log/nginx/git.$FQQN.access.log; + server_name git.$DOMAIN; + access_log /var/log/nginx/git.$DOMAIN.access.log; root /usr/share/cgit; try_files $uri @cgit; @@ -150,11 +152,13 @@ logo=/cgit.png virtual-root=/ # Change to https:// after setting up certbot: -clone-url=http://git.$FQDN/$CGIT_REPO_URL +clone-url=http://git.$DOMAIN/$CGIT_REPO_URL +snapshots=tar.xz enable-git-config=1 enable-http-clone=1 enable-index-owner=0 + scan-path=/srv/git #+end_src 
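Review bot: The certbot line in the HTTPS block passes `www.$DOMAIN` as a bare positional argument, because `-d` takes one name (or one comma-separated list) per flag. As far as I know certbot rejects the stray argument rather than adding the name, so the form that requests both is `sudo certbot --nginx -d "$DOMAIN" -d "www.$DOMAIN"`. The cgitrc comment further down says to switch `clone-url` to https after certbot, so `git.$DOMAIN` needs its own `-d` once that vhost exists; otherwise the mirror is served with a certificate that does not cover it. In the SSH access block, `$(which git-shell)` is still unquoted; `"$(command -v git-shell)"` avoids word-splitting and the dependency on `which`.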
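Review bot: The added `snapshots=tar.xz` makes cgit offer an archive for every commit and tag, built and compressed per request, and nothing in the visible cgitrc lines bounds that work. These are valid URLs, so the `nginx-botsearch` jail configured earlier will presumably not match crawlers that walk them. A comment beside the setting would record the trade-off, e.g. `# snapshots are generated on demand; enable cache-size or rate-limit in nginx if crawlers hit them`. The cgitrc block starts above this hunk, so a cache setting may already exist outside the visible lines.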
@@ -164,11 +168,11 @@ In each repository: Do: #+begin_src sh -$ sudo apt install cgit fcgiwrap -$ ( cd /etc/sites-enabled/ && ln -s ../sites-avaiable/git.$FQDN . ) -$ sudo systemctl restart nginx +sudo apt install cgit fcgiwrap +( cd /etc/sites-enabled/ && ln -s ../sites-avaiable/git.$DOMAIN . ) +sudo systemctl restart nginx # Make fail2ban notice the new log file. -$ sudo systemctl restart fail2ban +sudo systemctl restart fail2ban #+end_src ** CGI |
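Review bot: The symlink line `( cd /etc/sites-enabled/ && ln -s ../sites-avaiable/git.$DOMAIN . )` was touched here but still points at the wrong place. The guide itself puts the vhost in `/etc/nginx/sites-available/`, the target directory is misspelled as `sites-avaiable`, and the command lacks `sudo`. As written, the `cd` fails and no link is created; with only the directory fixed, the result is a dangling symlink. Suggested replacement: `sudo ln -s "/etc/nginx/sites-available/git.$DOMAIN" /etc/nginx/sites-enabled/`. Running `sudo nginx -t` before `sudo systemctl restart nginx` would catch a broken vhost before the restart takes the already-working site down with it.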
