# debian server setup

```bash
# change the root password
passwd

# 1. refresh the package index (sync the latest package list)
apt update
# 2. full upgrade (upgrade every installed package, resolving dependencies)
# full-upgrade suits Debian 13 better than upgrade because it handles package changes more intelligently
apt full-upgrade -y
# 3. remove orphaned packages that are no longer needed
apt autoremove -y && apt autoclean

# reboot
reboot

# edit the SSH config so the server sends the client a keepalive every 60 seconds
# (sudo only applies to echo, the >> redirect runs as the unprivileged user, so pipe through tee -a instead)
echo "ClientAliveInterval 60" | sudo tee -a /etc/ssh/sshd_config
echo "ClientAliveCountMax 3" | sudo tee -a /etc/ssh/sshd_config

# on Debian 13, SSH may be handed to a systemd socket by default
sudo systemctl status ssh.socket
# if it is active, stop and disable the socket so the listening port comes from sshd_config, not the socket unit
sudo systemctl stop ssh.socket
sudo systemctl disable ssh.socket
sudo systemctl restart ssh
```

## swap file

```
cd /var
touch swap.img
chmod 600 swap.img
dd if=/dev/zero of=/var/swap.img count=2048 bs=1M
mkswap swap.img
swapon swap.img
# swapon alone is not persistent; add "/var/swap.img none swap sw 0 0" to /etc/fstab to keep it across reboots
```

# ssh

## firewall, /etc/nftables.conf

```
#!/usr/sbin/nft -f
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;

        # 1. Allow loopback interface (localhost) - essential for many internal services
        iifname "lo" accept

        # 2. Allow established and related connections - ensures your outgoing requests (like apt update) get responses back
        ct state established,related accept

        # 3. Drop packets with an invalid state
        ct state invalid drop

        # 4. Allow ICMP (ping) - useful for checking if the server is online
        meta l4proto { icmp, ipv6-icmp } accept

        # 5. Allow SSH (your custom port 7722; must match the Port sshd actually listens on)
        tcp dport 7722 accept

        # 6. Allow HTTP and HTTPS over TCP
        tcp dport { 80, 443 } accept

        # 7. Allow HTTPS over UDP (QUIC) for Caddy HTTP/3, same port 443 as TCP
        udp dport 443 accept
    }

    chain forward {
        # Note: set to 'accept' to ensure compatibility with Docker's container forwarding
        type filter hook forward priority filter; policy accept;
    }

    chain output {
        type filter hook output priority filter; policy accept;
    }
}
```

# Caddyfile

```
{
    # Global options
    # Your email is used for important notifications from Let's Encrypt
    email caddyserver@luyx.org
    # Useful during initial setup to debug SSL issuance
    debug
}

# Snippet: reusable security headers
(security_headers) {
    header {
        # Standard security best practices
        X-Content-Type-Options nosniff
        X-Frame-Options SAMEORIGIN
        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
        # Privacy: disable FLoC tracking
        Permissions-Policy "interest-cohort=()"
    }
}

############
# Remember to add A records (git, www, files, sync, etc.) to the DNS records in Namecheap
############

# Site 1: reverse proxy for Gitea (assuming port 8003)
git.luyanxin.com {
    import security_headers
    encode gzip
    # Note: using the host IP (172.17.0.1) because Caddy is inside a container
    reverse_proxy 172.17.0.1:8003
}

# Site 2: static website (mapped to /srv in docker-compose)
www.luyanxin.com {
    import security_headers
    encode gzip
    root * /srv

    handle /sync/gonggong/* {
        file_server browse
    }

    # no directory listing elsewhere: the user must enter the full URL path of a file
    handle {
        file_server
    }

    # the bare site root is denied
    handle_path / {
        error "Access Denied" 403
    }
}

# Copyparty (file server)
files.luyanxin.com {
    import security_headers
    # Copyparty sometimes needs high upload limits
    request_body {
        max_size 10G
    }
    reverse_proxy 172.17.0.1:8002
}

# Syncthing UI
sync.luyanxin.com {
    import security_headers
    reverse_proxy 172.17.0.1:8384 {
        # This tells Caddy to replace the 'Host' header
        # with the destination's address (172.17.0.1:8384)
        header_up Host {upstream_hostport}
    }
}

# Glances (system dashboard)
monitor.luyanxin.com {
    import security_headers
    reverse_proxy 172.17.0.1:61208
}
```

## basic commands

```shell
# bring the docker containers up (add -d to run them detached instead of in the foreground)
docker-compose up

# stop services only
docker-compose stop

# stop and remove containers, networks, ...
docker-compose down

# down and also remove volumes
docker-compose down --volumes

# down and also remove images (--rmi needs an argument: "all" or "local")
docker-compose down --rmi all

# check docker resource usage
docker stats
```

## programs to run after boot

```shell
# monitoring
# https://glances.readthedocs.io/en/latest/index.html
docker run \
  --restart="always" \
  -p 61208-61209:61208-61209 \
  -e GLANCES_OPT="-w" \
  -v /etc/os-release:/etc/os-release:ro \
  -v /var/run/docker.sock:/var/run/docker.sock:ro \
  -v /run/user/1000/podman/podman.sock:/run/user/1000/podman/podman.sock:ro \
  --pid host \
  docker.io/nicolargo/glances

cd ~/softwares/copyparty
docker-compose up

# https://docs.syncthing.net/intro/getting-started.html
cd ~/softwares/syncthing
docker-compose up

# https://docs.gitea.com/installation/install-with-docker-rootless
cd ~/softwares/gitea
docker-compose up

# https://www.usememos.com/docs/install/container-install
cd ~/softwares/copyparty
docker compose up

cd ~/softwares/caddy
docker compose up
```
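Two checks worth having before the SSH and firewall steps above are applied for real: an idempotent way to set an `sshd_config` option (appending with `>>` adds a duplicate line every time the notes are re-run), and a test that the port sshd will actually use is accepted by the nftables ruleset, since a mismatch between `Port` and `tcp dport ... accept` locks you out. The helpers below are an added example, not part of the original notes; they use only `sh`, `grep`, `sed` and `awk`, take file paths as arguments so they can be tried on copies, and the sample config contents at the bottom are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original notes: safe sshd_config editing plus an
# "is my SSH port still allowed?" check against the nftables ruleset file.

# set_sshd_option FILE KEY VALUE
# Replaces an existing "KEY ..." line (commented out or not) or appends one, so
# running it twice leaves a single line. If several lines match they all get
# the same value, which is harmless because sshd uses the first one anyway.
set_sshd_option() {
    file=$1 key=$2 value=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*${key}[[:space:]]" "$file"; then
        sed -E "s|^[[:space:]]*#?[[:space:]]*${key}[[:space:]].*|${key} ${value}|" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# get_sshd_port FILE
# Prints the port sshd takes from FILE: the first uncommented "Port" wins, as in
# sshd itself, default 22. Debian's sshd_config starts with
# "Include /etc/ssh/sshd_config.d/*.conf", and those drop-ins win because they
# are read first; this helper only reads the one file it is given.
get_sshd_port() {
    awk 'BEGIN { p = 22 }
         $1 !~ /^#/ && tolower($1) == "port" && !seen { p = $2; seen = 1 }
         END { print p }' "$1"
}

# nft_allows_port FILE PROTO PORT
# True if an uncommented "PROTO dport ... accept" rule in FILE lists PORT, either
# alone ("tcp dport 7722 accept") or in a set ("tcp dport { 80, 443 } accept").
nft_allows_port() {
    awk -v proto="$2" -v port="$3" '
        /^[ \t]*#/ { next }
        index($0, proto " dport") && /accept/ {
            line = $0
            gsub(/[{},]/, " ", line)          # flatten a set into plain words
            n = split(line, f, /[ \t]+/)
            for (i = 1; i <= n; i++) if (f[i] == port) found = 1
        }
        END { exit found ? 0 : 1 }' "$1"
}

# check_ssh_reachable SSHD_CONF NFT_CONF
# Exit 0 when the sshd port is accepted by the ruleset, otherwise warn and exit 1.
# Run this before "nft -f /etc/nftables.conf" or restarting sshd.
check_ssh_reachable() {
    port=$(get_sshd_port "$1")
    if nft_allows_port "$2" tcp "$port"; then
        echo "ok: sshd port $port is accepted in $2"
    else
        echo "WARNING: sshd listens on $port but $2 has no 'tcp dport $port accept' rule" >&2
        return 1
    fi
}

# Constructed demo files (not the real /etc files) so the helpers can be tried safely.
demo_sshd=$(mktemp) demo_nft=$(mktemp)
printf '#Port 22\nClientAliveInterval 30\n' > "$demo_sshd"
printf '    tcp dport 7722 accept\n    tcp dport { 80, 443 } accept\n    udp dport 433 accept\n' > "$demo_nft"

set_sshd_option "$demo_sshd" ClientAliveInterval 60
set_sshd_option "$demo_sshd" ClientAliveCountMax 3
set_sshd_option "$demo_sshd" Port 7722
check_ssh_reachable "$demo_sshd" "$demo_nft"
# the demo ruleset has a 433/443 slip, so the HTTP/3 check flags it:
nft_allows_port "$demo_nft" udp 443 || echo "udp 443 (HTTP/3) is not accepted; check the ruleset for a typo"
```

To use it on the real files, call `set_sshd_option /etc/ssh/sshd_config ClientAliveInterval 60` as root and `check_ssh_reachable /etc/ssh/sshd_config /etc/nftables.conf` before loading the ruleset; `sshd -t` remains the final syntax check before `systemctl restart ssh`.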