223 lines
5.1 KiB
Markdown
223 lines
5.1 KiB
Markdown
|
||
|
||
# debian server setup
|
||
```bash
|
||
# 改密码
|
||
passwd
|
||
|
||
# 1. 更新包索引(同步最新的软件列表)
|
||
apt update
|
||
# 2. 全面升级(升级现有的所有包,处理依赖关系)
|
||
# 使用 full-upgrade 比 upgrade 更适合 Debian 13,因为它能更聪明地处理包的变动
|
||
apt full-upgrade -y
|
||
# 3. 清理不再需要的孤儿包
|
||
apt autoremove -y && apt autoclean
|
||
|
||
# 重启
|
||
reboot
|
||
|
||
# 修改 SSH 配置,让服务器每 60 秒给客户端发个信号
|
||
sudo echo "ClientAliveInterval 60" >> /etc/ssh/sshd_config
|
||
sudo echo "ClientAliveCountMax 3" >> /etc/ssh/sshd_config
|
||
sudo systemctl status ssh.socket
|
||
# if active, run the stop and disable command so that systemd socket can read sshd_config
|
||
# in Debian 13, Debian 13 默认可能把 SSH 托管给了 `systemd socket`
|
||
sudo systemctl stop ssh.socket
|
||
sudo systemctl disable ssh.socket
|
||
sudo systemctl restart ssh
|
||
```
|
||
## swap file
|
||
```
|
||
cd /var
|
||
touch swap.img
|
||
chmod 600 swap.img
|
||
dd if=/dev/zero of=/var/swap.img count=2048 bs=1M
|
||
mkswap swap.img
|
||
swapon swap.img
|
||
```
|
||
|
||
# ssh
|
||
|
||
## filewall, /etc/nftables.conf
|
||
```
|
||
#!/usr/sbin/nft -f
|
||
|
||
flush ruleset
|
||
|
||
table inet filter {
|
||
chain input {
|
||
type filter hook input priority filter; policy drop;
|
||
|
||
# 1. Allow Loopback Interface (Localhost) - Essential for many internal services
|
||
iifname "lo" accept
|
||
|
||
# 2. Allow established and related connections - Ensures your outgoing requests (like apt update) get responses back
|
||
ct state established,related accept
|
||
|
||
# 3. Drop packets with an invalid state
|
||
ct state invalid drop
|
||
|
||
# 4. Allow ICMP (Ping) - Useful for checking if the server is online
|
||
meta l4proto { icmp, ipv6-icmp } accept
|
||
|
||
# 5. Allow SSH (Your custom port 7722)
|
||
tcp dport 7722 accept
|
||
|
||
# 6. allow HTTP and HTTPS TCP
|
||
tcp dport { 80, 443 } accept
|
||
|
||
# 7. allow HTTPS UDP for caddy http/3
|
||
udp dport 433 accept
|
||
}
|
||
|
||
chain forward {
|
||
type filter hook forward priority filter; policy accept;
|
||
# Note: Set to 'accept' to ensure compatibility with Docker's container forwarding
|
||
}
|
||
|
||
chain output {
|
||
type filter hook output priority filter; policy accept;
|
||
}
|
||
}
|
||
```
|
||
# Caddyfile
|
||
```
|
||
{
|
||
# Global options
|
||
# Your email is used for important notifications from Let's Encrypt
|
||
email caddyserver@luyx.org
|
||
|
||
# Useful during initial setup to debug SSL issuance
|
||
debug
|
||
}
|
||
|
||
# Snippet: Reusable security headers
|
||
(security_headers) {
|
||
header {
|
||
# Standard security best practices
|
||
X-Content-Type-Options nosniff
|
||
X-Frame-Options SAMEORIGIN
|
||
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
|
||
|
||
# Privacy: Disable FLoC tracking
|
||
Permissions-Policy "interest-cohort=()"
|
||
}
|
||
}
|
||
|
||
############
|
||
# Remember to add A records (git, www, files, sync and etc) into the DNS record in namecheap
|
||
############
|
||
|
||
|
||
# Site 1: Reverse Proxy for Gitea (assuming port 8003)
|
||
git.luyanxin.com {
|
||
import security_headers
|
||
encode gzip
|
||
|
||
# Note: Using host IP (172.17.0.1) as Caddy is inside a container
|
||
reverse_proxy 172.17.0.1:8003
|
||
}
|
||
|
||
# Site 2: Static Website (mapped to /srv in docker-compose)
|
||
www.luyanxin.com {
|
||
import security_headers
|
||
encode gzip
|
||
|
||
root * /srv
|
||
|
||
handle /sync/gonggong/* {
|
||
file_server browse
|
||
}
|
||
|
||
# user must enter full URL path
|
||
handle {
|
||
file_server
|
||
}
|
||
|
||
handle_path / {
|
||
error "Access Denied" 403
|
||
}
|
||
}
|
||
|
||
# Copyparty (File Server)
|
||
files.luyanxin.com {
|
||
import security_headers
|
||
# Copyparty sometimes needs high upload limits
|
||
request_body {
|
||
max_size 10G
|
||
}
|
||
reverse_proxy 172.17.0.1:8002
|
||
}
|
||
|
||
# Syncthing UI
|
||
sync.luyanxin.com {
|
||
import security_headers
|
||
reverse_proxy 172.17.0.1:8384 {
|
||
# This tells Caddy to replace the 'Host' header
|
||
# with the destination's address (172.17.0.1:8384)
|
||
header_up Host {upstream_hostport}
|
||
}
|
||
}
|
||
|
||
# Glance (System Dashboard)
|
||
monitor.luyanxin.com {
|
||
import security_headers
|
||
reverse_proxy 172.17.0.1:61208
|
||
}
|
||
```
|
||
|
||
```
|
||
## 基本命令
|
||
|
||
```shell
|
||
# bring docker container up
|
||
docker-compose up
|
||
|
||
# Stop services only
|
||
docker-compose stop
|
||
|
||
# Stop and remove containers, networks..
|
||
docker-compose down
|
||
|
||
# Down and remove volumes
|
||
docker-compose down --volumes
|
||
|
||
# Down and remove images
|
||
docker-compose down --rmi <all|local>
|
||
|
||
# check docker resources usage
|
||
docker stats
|
||
```
|
||
## 开机后要运行的程序
|
||
|
||
```shell
|
||
# monitoring
|
||
# https://glances.readthedocs.io/en/latest/index.html
|
||
docker run \
|
||
--restart="always" \
|
||
-p 61208-61209:61208-61209 \
|
||
-e GLANCES_OPT="-w" \
|
||
-v /etc/os-release:/etc/os-release:ro \
|
||
-v /var/run/docker.sock:/var/run/docker.sock:ro \
|
||
-v /run/user/1000/podman/podman.sock:/run/user/1000/podman/podman.sock:ro \
|
||
--pid host \
|
||
docker.io/nicolargo/glances
|
||
|
||
cd ~/softwares/copyparty
|
||
docker-compose up
|
||
|
||
# https://docs.syncthing.net/intro/getting-started.html
|
||
cd ~/softwares/syncthing
|
||
docker-compose up
|
||
|
||
# https://docs.gitea.com/installation/install-with-docker-rootless
|
||
cd ~/softwares/gitea
|
||
docker-compose up
|
||
|
||
# https://www.usememos.com/docs/install/container-install
|
||
cd ~/softwares/copyparty
|
||
docker compose up
|
||
|
||
cd ~/softwares/caddy
|
||
docker compose up
|
||
``` |