lyx/obsidian-yanxin
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: lyx:bd988feee38764ead852042a7fb78e76553f6254
Branches Tags
lyx:master
...
compare: lyx:9f356d5d5274f3cfb0dc0b3d9f70dc4819f38393
Branches Tags
lyx:master

2 Commits
bd988feee3 ... 9f356d5d52

Author SHA1 Message Date
Yanxin Lu
9f356d5d52 Merge remote-tracking branch 'origin/master' 2026-02-05 22:16:23 -08:00
Yanxin Lu
c73ab00ee7 vault backup: 2026-02-05 21:21:07 2026-02-05 21:21:07 -08:00
1 changed files with 139 additions and 147 deletions
Expand all files Collapse all files

286
notes/vps设置.md
View File

@@ -1,6 +1,31 @@
## TODO
- 之后用caddy不要用nginx了
# debian server setup
```bash
# 改密码
passwd
# 1. 更新包索引(同步最新的软件列表)
apt update
# 2. 全面升级(升级现有的所有包,处理依赖关系)
# 使用 full-upgrade 比 upgrade 更适合 Debian 13因为它能更聪明地处理包的变动
apt full-upgrade -y
# 3. 清理不再需要的孤儿包
apt autoremove -y && apt autoclean
# 重启
reboot
# 修改 SSH 配置,让服务器每 60 秒给客户端发个信号
sudo echo "ClientAliveInterval 60" >> /etc/ssh/sshd_config
sudo echo "ClientAliveCountMax 3" >> /etc/ssh/sshd_config
sudo systemctl status ssh.socket
# if active, run the stop and disable command so that systemd socket can read sshd_config
# in Debian 13, Debian 13 默认可能把 SSH 托管给了 `systemd socket`
sudo systemctl stop ssh.socket
sudo systemctl disable ssh.socket
sudo systemctl restart ssh
```
## swap file ## swap file
``` ```
cd /var cd /var
@@ -11,153 +36,136 @@ mkswap swap.img
swapon swap.img swapon swap.img
``` ```
## Nginx conf # ssh
## filewall, /etc/nftables.conf
``` ```
## #!/usr/sbin/nft -f
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# https://www.nginx.com/resources/wiki/start/
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
# https://wiki.debian.org/Nginx/DirectoryStructure
#
# In most cases, administrators will remove this file from sites-enabled/ and
# leave it as reference inside of sites-available where it will continue to be
# updated by the nginx packaging team.
#
# This file will automatically load configuration files provided by other
# applications, such as Drupal or Wordpress. These applications will be made
# available underneath a path with that package name, such as /drupal8.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##
# Default server configuration flush ruleset
#
server {
server_tokens off;
charset utf-8;
# SSL configuration table inet filter {
# chain input {
# listen 443 ssl default_server; type filter hook input priority filter; policy drop;
# listen [::]:443 ssl default_server;
#
# Note: You should disable gzip for SSL traffic.
# See: https://bugs.debian.org/773332
#
# Read up on ssl_ciphers to ensure a secure configuration.
# See: https://bugs.debian.org/765782
#
# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
#
# include snippets/snakeoil.conf;
root /var/www/html; # 1. Allow Loopback Interface (Localhost) - Essential for many internal services
iifname "lo" accept
# Add index.php to the list if you are using PHP # 2. Allow established and related connections - Ensures your outgoing requests (like apt update) get responses back
index index.html index.htm; ct state established,related accept
server_name luyanxin.com www.luyanxin.com; # 3. Drop packets with an invalid state
ct state invalid drop
location / { # 4. Allow ICMP (Ping) - Useful for checking if the server is online
# First attempt to serve request as file, then meta l4proto { icmp, ipv6-icmp } accept
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
}
location /sync/gonggong/books { # 5. Allow SSH (Your custom port 7722)
# use this one if we access files from nginx tcp dport 7722 accept
autoindex on;
#
# for using droppy # 6. allow HTTP and HTTPS TCP
# rewrite log on; tcp dport { 80, 443 } accept
# rewrite ^/sync$ /sync/ redirect;
# rewrite /sync(.*) $1 break;
# proxy_pass http://localhost:8989;
# proxy_redirect off;
# proxy_set_header Host $host;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-For $remote_addr;
}
location /syncthing { # 7. allow HTTPS UDP for caddy http/3
# syncthing settings udp dport 433 accept
rewrite log on; }
rewrite ^/syncthing$ /syncthing/ redirect;
rewrite /syncthing(.*) $1 break;
proxy_pass http://127.0.0.1:8384;
# proxy_redirect off;
# proxy_set_header Host $host;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-For $remote_addr;
}
# pass PHP scripts to FastCGI server chain forward {
# type filter hook forward priority filter; policy accept;
location ~ \.php$ { # Note: Set to 'accept' to ensure compatibility with Docker's container forwarding
include snippets/fastcgi-php.conf; }
# With php-fpm (or other unix sockets):
fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
# # With php-cgi (or other tcp sockets):
# fastcgi_pass 127.0.0.1:9000;
}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/luyanxin.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/luyanxin.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
chain output {
type filter hook output priority filter; policy accept;
}
}
```
# Caddyfile
```
{
# Global options
# Your email is used for important notifications from Let's Encrypt
email caddyserver@luyx.org
# Useful during initial setup to debug SSL issuance
debug
} }
# Snippet: Reusable security headers
(security_headers) {
header {
# Standard security best practices
X-Content-Type-Options nosniff
X-Frame-Options SAMEORIGIN
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# Virtual Host configuration for example.com # Privacy: Disable FLoC tracking
# Permissions-Policy "interest-cohort=()"
# You can move that to a different file under sites-available/ and symlink that }
# to sites-enabled/ to enable it. }
#
#server {
# listen 80;
# listen [::]:80;
#
# server_name example.com;
#
# root /var/www/example.com;
# index index.html;
#
# location / {
# try_files $uri $uri/ =404;
# }
#}
server { ############
if ($host = www.luyanxin.com) { # Remember to add A records (git, www, files, sync and etc) into the DNS record in namecheap
return 301 https://$host$request_uri; ############
} # managed by Certbot
if ($host = luyanxin.com) { # Site 1: Reverse Proxy for Gitea (assuming port 8003)
return 301 https://$host$request_uri; git.luyanxin.com {
} # managed by Certbot import security_headers
encode gzip
# Note: Using host IP (172.17.0.1) as Caddy is inside a container
reverse_proxy 172.17.0.1:8003
}
listen 80 default_server; # Site 2: Static Website (mapped to /srv in docker-compose)
listen [::]:80 default_server; www.luyanxin.com {
import security_headers
encode gzip
root * /srv
handle /sync/gonggong/* {
file_server browse
}
# user must enter full URL path
handle {
file_server
}
handle_path / {
error "Access Denied" 403
}
}
# Copyparty (File Server)
files.luyanxin.com {
import security_headers
# Copyparty sometimes needs high upload limits
request_body {
max_size 10G
}
reverse_proxy 172.17.0.1:8002
}
# Syncthing UI
sync.luyanxin.com {
import security_headers
reverse_proxy 172.17.0.1:8384 {
# This tells Caddy to replace the 'Host' header
# with the destination's address (172.17.0.1:8384)
header_up Host {upstream_hostport}
}
}
# Glance (System Dashboard)
monitor.luyanxin.com {
import security_headers
reverse_proxy 172.17.0.1:61208
}
```
server_name luyanxin.com www.luyanxin.com;
return 404; # managed by Certbot
``` ```
## 基本命令 ## 基本命令
@@ -195,37 +203,21 @@ docker run \
--pid host \ --pid host \
docker.io/nicolargo/glances docker.io/nicolargo/glances
# https://github.com/pldubouilh/gossa cd ~/softwares/copyparty
cd ~/softwares/gossa
docker-compose up docker-compose up
# https://docs.syncthing.net/intro/getting-started.html # https://docs.syncthing.net/intro/getting-started.html
cd ~/softwares/syncthing cd ~/softwares/syncthing
docker-compose up docker-compose up
# https://miniflux.app/index.html
cd ~/softwares/miniflux
docker compose up
# https://docs.gitea.com/installation/install-with-docker-rootless # https://docs.gitea.com/installation/install-with-docker-rootless
cd ~/softwares/gitea cd ~/softwares/gitea
docker-compose up docker-compose up
# https://shaarli.readthedocs.io/en/master/Docker.html
cd ~/softwares/shaarli
sh docker-up.sh
# https://github.com/redlib-org/redlib/blob/main/compose.yaml
cd ~/softwares/redlib
touch .env
docker compose up
# https://www.usememos.com/docs/install/container-install
cd ~/softwares/memos
mkdir .memos
docker compose up
# https://www.usememos.com/docs/install/container-install # https://www.usememos.com/docs/install/container-install
cd ~/softwares/copyparty cd ~/softwares/copyparty
docker compose up docker compose up
cd ~/softwares/caddy
docker compose up
``` ```