From c73ab00ee749b72178102c269bab7812f1a4b60c Mon Sep 17 00:00:00 2001 From: Yanxin Lu Date: Thu, 5 Feb 2026 21:21:07 -0800 Subject: [PATCH] vault backup: 2026-02-05 21:21:07 --- notes/vps设置.md | 286 +++++++++++++++++++++++------------------------ 1 file changed, 139 insertions(+), 147 deletions(-) diff --git a/notes/vps设置.md b/notes/vps设置.md index b61fcdb..05dde2b 100644 --- a/notes/vps设置.md +++ b/notes/vps设置.md @@ -1,6 +1,31 @@ -## TODO -- 之后用caddy,不要用nginx了 + +# debian server setup +```bash +# 改密码 +passwd + +# 1. 更新包索引(同步最新的软件列表) +apt update +# 2. 全面升级(升级现有的所有包,处理依赖关系) +# 使用 full-upgrade 比 upgrade 更适合 Debian 13,因为它能更聪明地处理包的变动 +apt full-upgrade -y +# 3. 清理不再需要的孤儿包 +apt autoremove -y && apt autoclean + +# 重启 +reboot + +# 修改 SSH 配置,让服务器每 60 秒给客户端发个信号 +sudo echo "ClientAliveInterval 60" >> /etc/ssh/sshd_config +sudo echo "ClientAliveCountMax 3" >> /etc/ssh/sshd_config +sudo systemctl status ssh.socket +# if active, run the stop and disable command so that systemd socket can read sshd_config +# in Debian 13, Debian 13 默认可能把 SSH 托管给了 `systemd socket` +sudo systemctl stop ssh.socket +sudo systemctl disable ssh.socket +sudo systemctl restart ssh +``` ## swap file ``` cd /var 
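Review bot: The two `sudo echo "…" >> /etc/ssh/sshd_config` lines in the added setup block do not do what they appear to: the `>>` redirection is opened by the calling shell before `sudo` runs, so from an unprivileged shell the write fails with permission denied, and in a root shell (which the surrounding `passwd`/`apt` lines without `sudo` suggest) the `sudo` is redundant. Use `echo "ClientAliveInterval 60" | sudo tee -a /etc/ssh/sshd_config` and the same form for `ClientAliveCountMax 3`. The block then restarts ssh without validating the file, so a typo locks out the next login; add `sudo sshd -t` before `sudo systemctl restart ssh`. Rerunning the block appends the two directives again each time, which is worth a comment. Note also that the nftables hunk later in this patch only accepts SSH on tcp 7722 under a drop policy while nothing here sets `Port 7722` in sshd_config — presumably done elsewhere, but the runbook should state that step before the firewall is loaded, or the session is cut off on 22.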
@@ -11,153 +36,136 @@ mkswap swap.img swapon swap.img ``` -## Nginx conf +# ssh + +## filewall, /etc/nftables.conf ``` -## -# You should look at the following URL's in order to grasp a solid understanding -# of Nginx configuration files in order to fully unleash the power of Nginx. -# https://www.nginx.com/resources/wiki/start/ -# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/ -# https://wiki.debian.org/Nginx/DirectoryStructure -# -# In most cases, administrators will remove this file from sites-enabled/ and -# leave it as reference inside of sites-available where it will continue to be -# updated by the nginx packaging team. -# -# This file will automatically load configuration files provided by other -# applications, such as Drupal or Wordpress. These applications will be made -# available underneath a path with that package name, such as /drupal8. -# -# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples. -## +#!/usr/sbin/nft -f -# Default server configuration -# -server { - server_tokens off; - charset utf-8; +flush ruleset - # SSL configuration - # - # listen 443 ssl default_server; - # listen [::]:443 ssl default_server; - # - # Note: You should disable gzip for SSL traffic. - # See: https://bugs.debian.org/773332 - # - # Read up on ssl_ciphers to ensure a secure configuration. - # See: https://bugs.debian.org/765782 - # - # Self signed certs generated by the ssl-cert package - # Don't use them in a production server! - # - # include snippets/snakeoil.conf; +table inet filter { + chain input { + type filter hook input priority filter; policy drop; - root /var/www/html; + # 1. Allow Loopback Interface (Localhost) - Essential for many internal services + iifname "lo" accept - # Add index.php to the list if you are using PHP - index index.html index.htm; + # 2. 
Allow established and related connections - Ensures your outgoing requests (like apt update) get responses back + ct state established,related accept - server_name luyanxin.com www.luyanxin.com; + # 3. Drop packets with an invalid state + ct state invalid drop - location / { - # First attempt to serve request as file, then - # as directory, then fall back to displaying a 404. - try_files $uri $uri/ =404; - } + # 4. Allow ICMP (Ping) - Useful for checking if the server is online + meta l4proto { icmp, ipv6-icmp } accept - location /sync/gonggong/books { - # use this one if we access files from nginx - autoindex on; - # + # 5. Allow SSH (Your custom port 7722) + tcp dport 7722 accept - # for using droppy - # rewrite log on; - # rewrite ^/sync$ /sync/ redirect; - # rewrite /sync(.*) $1 break; - # proxy_pass http://localhost:8989; - # proxy_redirect off; - # proxy_set_header Host $host; - # proxy_set_header X-Real-IP $remote_addr; - # proxy_set_header X-Forwarded-For $remote_addr; - } + # 6. allow HTTP and HTTPS TCP + tcp dport { 80, 443 } accept - location /syncthing { - # syncthing settings - rewrite log on; - rewrite ^/syncthing$ /syncthing/ redirect; - rewrite /syncthing(.*) $1 break; - proxy_pass http://127.0.0.1:8384; - # proxy_redirect off; - # proxy_set_header Host $host; - # proxy_set_header X-Real-IP $remote_addr; - # proxy_set_header X-Forwarded-For $remote_addr; - } + # 7. 
allow HTTPS UDP for caddy http/3 + udp dport 433 accept + } - # pass PHP scripts to FastCGI server - # - location ~ \.php$ { - include snippets/fastcgi-php.conf; - - # With php-fpm (or other unix sockets): - fastcgi_pass unix:/var/run/php/php7.2-fpm.sock; - # # With php-cgi (or other tcp sockets): - # fastcgi_pass 127.0.0.1:9000; - } - - # deny access to .htaccess files, if Apache's document root - # concurs with nginx's one - # - #location ~ /\.ht { - # deny all; - #} - - listen [::]:443 ssl ipv6only=on; # managed by Certbot - listen 443 ssl; # managed by Certbot - ssl_certificate /etc/letsencrypt/live/luyanxin.com/fullchain.pem; # managed by Certbot - ssl_certificate_key /etc/letsencrypt/live/luyanxin.com/privkey.pem; # managed by Certbot - include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot - ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot + chain forward { + type filter hook forward priority filter; policy accept; + # Note: Set to 'accept' to ensure compatibility with Docker's container forwarding + } + chain output { + type filter hook output priority filter; policy accept; + } +} +``` +# Caddyfile +``` +{ + # Global options + # Your email is used for important notifications from Let's Encrypt + email caddyserver@luyx.org + # Useful during initial setup to debug SSL issuance + debug } +# Snippet: Reusable security headers +(security_headers) { + header { + # Standard security best practices + X-Content-Type-Options nosniff + X-Frame-Options SAMEORIGIN + Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" -# Virtual Host configuration for example.com -# -# You can move that to a different file under sites-available/ and symlink that -# to sites-enabled/ to enable it. 
-# -#server { -# listen 80; -# listen [::]:80; -# -# server_name example.com; -# -# root /var/www/example.com; -# index index.html; -# -# location / { -# try_files $uri $uri/ =404; -# } -#} + # Privacy: Disable FLoC tracking + Permissions-Policy "interest-cohort=()" + } +} -server { - if ($host = www.luyanxin.com) { - return 301 https://$host$request_uri; - } # managed by Certbot +############ +# Remember to add A records (git, www, files, sync and etc) into the DNS record in namecheap +############ - if ($host = luyanxin.com) { - return 301 https://$host$request_uri; - } # managed by Certbot +# Site 1: Reverse Proxy for Gitea (assuming port 8003) +git.luyanxin.com { + import security_headers + encode gzip + # Note: Using host IP (172.17.0.1) as Caddy is inside a container + reverse_proxy 172.17.0.1:8003 +} - listen 80 default_server; - listen [::]:80 default_server; +# Site 2: Static Website (mapped to /srv in docker-compose) +www.luyanxin.com { + import security_headers + encode gzip + + root * /srv + + handle /sync/gonggong/* { + file_server browse + } + + # user must enter full URL path + handle { + file_server + } + + handle_path / { + error "Access Denied" 403 + } +} + +# Copyparty (File Server) +files.luyanxin.com { + import security_headers + # Copyparty sometimes needs high upload limits + request_body { + max_size 10G + } + reverse_proxy 172.17.0.1:8002 +} + +# Syncthing UI +sync.luyanxin.com { + import security_headers + reverse_proxy 172.17.0.1:8384 { + # This tells Caddy to replace the 'Host' header + # with the destination's address (172.17.0.1:8384) + header_up Host {upstream_hostport} + } +} + +# Glance (System Dashboard) +monitor.luyanxin.com { + import security_headers + reverse_proxy 172.17.0.1:61208 +} +``` - server_name luyanxin.com www.luyanxin.com; - return 404; # managed by Certbot ``` ## 基本命令 
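Review bot: `udp dport 433 accept` in the new input chain opens the wrong port: the comment above it says HTTPS UDP for HTTP/3 and the tcp rule just before it uses 443, so this should read `udp dport 443 accept`; as written, HTTP/3 is blocked and 433/udp is exposed for no reason. Because the forward chain is deliberately left at accept for Docker and Caddy proxies to 172.17.0.1:8002/8003/8384/61208, those backend ports are only as private as their compose `ports:` bindings — if they are published on 0.0.0.0 rather than 172.17.0.1 or 127.0.0.1, Docker's own forward rules expose them regardless of this input policy; the compose files are not in this patch, so that is worth confirming. The `debug` global option in the Caddyfile is described as setup-only; a comment such as `# remove once certificates issue cleanly` would keep it from lingering in production.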
@@ -195,37 +203,21 @@ docker run \ --pid host \ docker.io/nicolargo/glances -# https://github.com/pldubouilh/gossa -cd ~/softwares/gossa +cd ~/softwares/copyparty docker-compose up # https://docs.syncthing.net/intro/getting-started.html cd ~/softwares/syncthing docker-compose up -# https://miniflux.app/index.html -cd ~/softwares/miniflux -docker compose up - # https://docs.gitea.com/installation/install-with-docker-rootless cd ~/softwares/gitea docker-compose up -# https://shaarli.readthedocs.io/en/master/Docker.html -cd ~/softwares/shaarli -sh docker-up.sh - -# https://github.com/redlib-org/redlib/blob/main/compose.yaml -cd ~/softwares/redlib -touch .env -docker compose up - -# https://www.usememos.com/docs/install/container-install -cd ~/softwares/memos -mkdir .memos -docker compose up - # https://www.usememos.com/docs/install/container-install cd ~/softwares/copyparty docker compose up + +cd ~/softwares/caddy +docker compose up ``` \ No newline at end of file
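Review bot: The added `cd ~/softwares/copyparty` / `docker-compose up` pair duplicates the existing copyparty block further down the same hunk, and that later block still sits under the `# https://www.usememos.com/docs/install/container-install` comment left over from the removed memos entry. Keep a single copyparty block and point its comment at copyparty's own documentation rather than memos; the new caddy block at the end could carry a matching reference comment like the other services have.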