From 9ee9880e8cdcf0d2e4039efba9898f127c49700d Mon Sep 17 00:00:00 2001
From: Marcus Kammer
Date: Sat, 12 Aug 2023 17:31:16 +0200
Subject: [PATCH] Init commit
---
nginx.conf | 46 +++++
reverse-proxy.conf | 38 +++++
sbcl-marcuskammer-dev.yml | 345 ++++++++++++++++++++++++++++++++++++++
sbcl-nginx.Dockerfile | 23 +++
sbcl-nginx.yml | 317 ++++++++++++++++++++++
5 files changed, 769 insertions(+)
create mode 100644 nginx.conf
create mode 100644 reverse-proxy.conf
create mode 100644 sbcl-marcuskammer-dev.yml
create mode 100644 sbcl-nginx.Dockerfile
create mode 100644 sbcl-nginx.yml
diff --git a/nginx.conf b/nginx.conf
new file mode 100644
index 0000000..b035c96
--- /dev/null
+++ b/nginx.conf
@@ -0,0 +1,46 @@
+user nginxuser;
+worker_processes auto;
+pid /run/nginx.pid;
+include /etc/nginx/modules-enabled/*.conf;
+events {
+ worker_connections 768;
+ # multi_accept on;
+}
+http {
+ ##
+ # Basic Settings
+ ##
+ sendfile on;
+ tcp_nopush on;
+ types_hash_max_size 2048;
+ # server_tokens off;
+ # server_names_hash_bucket_size 64;
+ # server_name_in_redirect off;
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+ ##
+ # SSL Settings
+ ##
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
+ ssl_prefer_server_ciphers on;
+ ##
+ # Logging Settings
+ ##
+ access_log /var/log/nginx/access.log;
+ error_log /var/log/nginx/error.log;
+ ##
+ # Gzip Settings
+ ##
+ gzip on;
+ # gzip_vary on;
+ # gzip_proxied any;
+ # gzip_comp_level 6;
+ # gzip_buffers 16 8k;
+ # gzip_http_version 1.1;
+ # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+ ##
+ # Virtual Host Configs
+ ##
+ include /etc/nginx/conf.d/*.conf;
+ include /etc/nginx/sites-enabled/*;
+}
diff --git a/reverse-proxy.conf b/reverse-proxy.conf
new file mode 100644
index 0000000..fa3fa41
--- /dev/null
+++ b/reverse-proxy.conf
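Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;` in the SSL Settings block of nginx.conf re-enables TLS 1.0 and 1.1, which are deprecated by RFC 8996 and which the copies of this same file embedded in sbcl-nginx.yml and sbcl-marcuskammer-dev.yml already drop; the standalone file should match them with `ssl_protocols TLSv1.2 TLSv1.3;`. The trailing `# Dropping SSLv3, ref: POODLE` then understates what is excluded and could read `# TLS 1.2+ only; 1.0/1.1 deprecated by RFC 8996`. `# server_tokens off;` is also still commented out here while both embedded copies set it, so a host built from this file would keep advertising the nginx version in the Server header and on error pages; uncomment it or add `server_tokens off;` as the yml copies do. `ssl_prefer_server_ciphers on` with no `ssl_ciphers` list leaves the suite selection to the distro's OpenSSL default, which is probably acceptable but worth stating explicitly so it is reviewed rather than inherited.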
@@ -0,0 +1,38 @@
+# Listen on port 80
+server {
+ listen 80;
+ # Set your domain name
+ server_name u1.metaebene.dev;
+ # Redirect all requests to HTTPS
+ return 301 https://$host$request_uri;
+}
+
+# Listen on port 443 with SSL
+server {
+ listen 443 ssl;
+ # Set your domain name
+ server_name u1.metaebene.dev;
+
+ # Include SSL certificate managed by Certbot
+ ssl_certificate /etc/letsencrypt/live/u1.metaebene.dev/fullchain.pem;
+ # Include SSL certificate key managed by Certbot
+ ssl_certificate_key /etc/letsencrypt/live/u1.metaebene.dev/privkey.pem;
+ # Include SSL options provided by Certbot
+ include /etc/letsencrypt/options-ssl-nginx.conf;
+ # Include DH parameters provided by Certbot
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+
+ # Proxy settings for the location
+ location / {
+ # Set backend server address and port
+ proxy_pass http://localhost:8080;
+ # Set Host header
+ proxy_set_header Host $host;
+ # Set X-Real-IP header
+ proxy_set_header X-Real-IP $remote_addr;
+ # Set X-Forwarded-For header
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ # Set X-Forwarded-Proto header
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+}
diff --git a/sbcl-marcuskammer-dev.yml b/sbcl-marcuskammer-dev.yml
new file mode 100644
index 0000000..1445904
--- /dev/null
+++ b/sbcl-marcuskammer-dev.yml
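Review bot: The port-80 block's `return 301 https://$host$request_uri;` reflects the client-supplied Host header into the redirect target, so as long as this is the only (and therefore default) server on :80, a request carrying `Host: evil.example` is answered with a 301 to `https://evil.example/...` — an open redirect that is handy for phishing. Redirect to the configured name instead, `return 301 https://$server_name$request_uri;`, or add a catch-all `server { listen 80 default_server; return 444; }` so requests for unmatched hosts are dropped. The 443 block sends no `Strict-Transport-Security` header; `add_header Strict-Transport-Security "max-age=63072000" always;` next to the `ssl_dhparam` line would keep browsers on HTTPS after their first visit. Because `X-Forwarded-For` is assembled with `$proxy_add_x_forwarded_for`, whatever listens on :8080 must trust only the last address in that list — the earlier entries come straight from the client — and that expectation is worth a comment on the `proxy_set_header X-Forwarded-For` line.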
@@ -0,0 +1,345 @@
+#cloud-config
+#Make sure to check the cloud-init logs (/var/log/cloud-init.log and /var/log/cloud-init-output.log)
+locale: en_US.UTF-8
+keyboard:
+ layout: us
+timezone: Europe/Berlin
+
+groups:
+ - nginxgroup
+
+users:
+ - name: nginxuser
+ system: true
+ shell: /usr/sbin/nologin
+ groups: nginxgroup
+ sudo: null
+ # Create a new user named 'marcus'
+ - name: marcus
+ # Add the user to the 'users' and 'admin' groups
+ groups: users, admin
+ # Allow the user to execute any command with sudo without entering a password
+ sudo: ALL=(ALL) NOPASSWD:ALL
+ # Set the user's default shell to /bin/bash
+ shell: /bin/bash
+ # Add the user's public SSH key for key-based authentication
+ ssh_authorized_keys:
+ - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA+46Y3AHPLJgz8KK61doqH3jBX2TL3TJvZsJrB9Km03 visua@xps-8930
+ - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMIHJ5qpMIKL7N3nC0GG1O4ygtkqOlQuZReoik6xGBxn marcus@XPS-13-9380.local
+
+packages:
+ - fail2ban
+ - ufw
+ - unattended-upgrades
+ - sbcl
+ - mosh
+ - tmux
+ - git
+ - mercurial
+ - nginx
+ - certbot
+ - python3-certbot-nginx
+ - libev4
+ - build-essential
+ - sqlite3
+ - emacs-nox
+ - python3-pip
+ - python3-pandas
+ - python3-matplotlib
+
+package_update: true
+package_upgrade: true
+
+write_files:
+ - path: /etc/apt/apt.conf.d/20auto-upgrades
+ content: |
+ APT::Periodic::Update-Package-Lists "1";
+ APT::Periodic::Download-Upgradeable-Packages "1";
+ APT::Periodic::AutocleanInterval "7";
+ APT::Periodic::Unattended-Upgrade "1";
+
+ - path: /etc/ssh/sshd_config
+ content: |
+ # Include additional configuration files from the specified directory
+ Include /etc/ssh/sshd_config.d/*.conf
+ # Set the maximum number of authentication attempts allowed per connection
+ MaxAuthTries 3
+ # Specifies the file containing public keys for user authentication
+ AuthorizedKeysFile .ssh/authorized_keys
+ # Disables password authentication
+ PasswordAuthentication no
+ # Specifies the authentication method(s) to use (public key authentication in this case)
+ AuthenticationMethods publickey
+ # Enables public key authentication
+ PubkeyAuthentication yes
+ # Disables root login via SSH
+ PermitRootLogin no
+ # Disables keyboard-interactive authentication
+ KbdInteractiveAuthentication no
+ # Enables the Pluggable Authentication Module (PAM) for authentication
+ UsePAM yes
+ # Disables agent forwarding for SSH connections
+ AllowAgentForwarding no
+ # Enables TCP forwarding for SSH connections
+ AllowTcpForwarding yes
+ # Disables X11 forwarding for SSH connections
+ X11Forwarding no
+ # Disables printing of the message of the day (MOTD) when a user logs in
+ PrintMotd no
+ # Specifies the key exchange algorithms to use
+ KexAlgorithms curve25519-sha256@libssh.org
+ # Specifies the ciphers allowed for protocol version 2
+ Ciphers chacha20-poly1305@openssh.com
+ # Specifies the message authentication code (MAC) algorithms in order of preference
+ MACs hmac-sha2-512-etm@openssh.com
+ # Specifies environment variables sent by the client to the server
+ AcceptEnv LANG LC_*
+ # Specifies the command to use for the SFTP subsystem
+ Subsystem sftp /usr/lib/openssh/sftp-server
+ # Specifies the user(s) allowed to log in via SSH (in this case, only the user "marcus")
+ AllowUsers marcus
+
+ - path: /etc/fail2ban/jail.local
+ content: |
+ [DEFAULT]
+ # Ban time (in seconds) for an IP after reaching the max number of retries.
+ bantime = 3600
+ # Time window (in seconds) in which 'maxretry' failures must occur.
+ findtime = 600
+ # Maximum number of failed login attempts before an IP gets banned.
+ maxretry = 3
+ # Ban action to use (ufw in this case).
+ banaction = ufw
+
+ [sshd]
+ # Enable the sshd jail.
+ enabled = true
+ # Specify the port for the sshd service.
+ port = 22
+ # Path to the log file for the sshd service.
+ logpath = /var/log/auth.log
+
+ [sshd-ddos]
+ # Specify the filter to use (created earlier)
+ filter = sshd
+ # Enable the sshd-ddos jail.
+ enabled = true
+ # Specify the port for the sshd service.
+ port = ssh
+ # Path to the log file for the sshd service.
+ logpath = /var/log/auth.log
+ # Maximum number of failed login attempts before an IP gets banned (for DDoS protection).
+ maxretry = 5
+ # Ban time (in seconds) for an IP after reaching the max number of retries (for DDoS protection).
+ bantime = 600
+
+ [nginx-http-auth]
+ # Enable the jail
+ enabled = true
+ # Specify the filter to use (created earlier)
+ # filter = nginx-http-auth
+ # Define the action to take (using UFW)
+ action = ufw
+ # Specify the log file to monitor
+ logpath = /var/log/nginx/error.log
+ # Set the maximum number of failed attempts before banning
+ maxretry = 6
+ # Set the ban time in seconds (1 hour)
+ bantime = 3600
+ # Set the time window for failed attempts in seconds (10 minutes)
+ findtime = 600
+
+ - path: /etc/nginx/nginx.conf
+ content: |
+ user nginxuser;
+ worker_processes auto;
+ pid /run/nginx.pid;
+ include /etc/nginx/modules-enabled/*.conf;
+ events {
+ worker_connections 768;
+ # multi_accept on;
+ }
+ http {
+ ##
+ # Basic Settings
+ ##
+ sendfile on;
+ tcp_nopush on;
+ types_hash_max_size 2048;
+ # server_tokens off;
+ # server_names_hash_bucket_size 64;
+ # server_name_in_redirect off;
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+ ##
+ # SSL Settings
+ ##
+ ssl_protocols TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
+ ssl_prefer_server_ciphers on;
+ ##
+ # Logging Settings
+ ##
+ log_format csv '$time_iso8601,$remote_addr,$remote_user,$request,$status,$body_bytes_sent,$http_referer,"$http_user_agent"';
+ access_log /var/log/nginx/access.csv csv;
+ error_log /var/log/nginx/error.log;
+ ##
+ # Gzip Settings
+ ##
+ gzip on;
+ # gzip_vary on;
+ # gzip_proxied any;
+ # gzip_comp_level 6;
+ # gzip_buffers 16 8k;
+ # gzip_http_version 1.1;
+ # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+ ##
+ # Dont send nginx version number
+ ##
+ server_tokens off;
+ ##
+ # Virtual Host Configs
+ ##
+ include /etc/nginx/conf.d/*.conf;
+ include /etc/nginx/sites-enabled/*;
+ }
+
+ # Write reverse-proxy configuration file
+ - path: /etc/nginx/sites-available/reverse-proxy.conf
+ content: |
+ # Listen on port 80
+ server {
+ listen 80;
+ # Set your domain name
+ server_name u1.marcuskammer.dev;
+ # Redirect all requests to HTTPS
+ return 301 https://$host$request_uri;
+ }
+
+ # Listen on port 443 with SSL
+ server {
+ listen 443 ssl;
+ # Set your domain name
+ server_name u1.marcuskammer.dev;
+
+ # Include SSL certificate managed by Certbot
+ ssl_certificate /etc/letsencrypt/live/u1.marcuskammer.dev/fullchain.pem;
+ # Include SSL certificate key managed by Certbot
+ ssl_certificate_key /etc/letsencrypt/live/u1.marcuskammer.dev/privkey.pem;
+ # Include SSL options provided by Certbot
+ include /etc/letsencrypt/options-ssl-nginx.conf;
+ # Include DH parameters provided by Certbot
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+
+ # Proxy settings for the location
+ location / {
+ # Set backend server address and port
+ proxy_pass http://localhost:8080;
+ # Set Host header
+ proxy_set_header Host $host;
+ # Set X-Real-IP header
+ proxy_set_header X-Real-IP $remote_addr;
+ # Set X-Forwarded-For header
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ # Set X-Forwarded-Proto header
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+ }
+
+ server {
+ listen 80;
+ # Set your domain name
+ server_name www.marcuskammer.dev;
+ # Redirect all requests to HTTPS
+ return 301 https://$host$request_uri;
+ }
+
+ # Listen on port 443 with SSL
+ server {
+ listen 443 ssl;
+ # Set your domain name
+ server_name www.marcuskammer.dev;
+
+ # Include SSL certificate managed by Certbot
+ ssl_certificate /etc/letsencrypt/live/www.marcuskammer.dev/fullchain.pem;
+ # Include SSL certificate key managed by Certbot
+ ssl_certificate_key /etc/letsencrypt/live/www.marcuskammer.dev/privkey.pem;
+ # Include SSL options provided by Certbot
+ include /etc/letsencrypt/options-ssl-nginx.conf;
+ # Include DH parameters provided by Certbot
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+
+ location / {
+ root /home/marcus/www/www-marcuskammer-dev;
+ index index.html;
+ }
+
+ server {
+ listen 80;
+ # Set your domain name
+ server_name www.uxlessonslearned.dev;
+ # Redirect all requests to HTTPS
+ return 301 https://$host$request_uri;
+ }
+
+ # Listen on port 443 with SSL
+ server {
+ listen 443 ssl;
+ # Set your domain name
+ server_name www.uxlessonslearned.dev;
+
+ # Include SSL certificate managed by Certbot
+ ssl_certificate /etc/letsencrypt/live/www.uxlessonslearned.dev/fullchain.pem;
+ # Include SSL certificate key managed by Certbot
+ ssl_certificate_key /etc/letsencrypt/live/www.uxlessonslearned.dev/privkey.pem;
+ # Include SSL options provided by Certbot
+ include /etc/letsencrypt/options-ssl-nginx.conf;
+ # Include DH parameters provided by Certbot
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+
+ location / {
+ root /home/marcus/www/www-uxlessonslearned-dev;
+ index index.html;
+ }
+ }
+runcmd:
+ # Generate the en_US.UTF-8 locale
+ - locale-gen en_US.UTF-8
+ # Set the system's default locale to en_US.UTF-8
+ - update-locale LANG=en_US.UTF-8
+ # Set the system's timezone to Europe/Berlin
+ - timedatectl set-timezone Europe/Berlin
+ # Run Certbot to obtain SSL certificates and configure Nginx
+ - certbot certonly --nginx -d u1.metaebene.dev --non-interactive --agree-tos --email marcus.kammer@mailbox.org --redirect
+ - certbot certonly --nginx -d docs.u1.metaebene.dev --non-interactive --agree-tos --email marcus.kammer@mailbox.org --redirect
+ # Download DHPARAM
+ - curl https://ssl-config.mozilla.org/ffdhe2048.txt > /etc/letsencrypt/ssl-dhparam.pem
+ # Create a symlink for the configuration file
+ - ln -s /etc/nginx/sites-available/reverse-proxy.conf /etc/nginx/sites-enabled/
+ # Remove default Nginx configuration
+ - rm /etc/nginx/sites-enabled/default
+ # Reload Nginx configuration
+ - systemctl reload nginx
+ # Allow Nginx Full (HTTP and HTTPS) through the firewall
+ - ufw allow 'Nginx Full'
+ # Set UFW firewall rules
+ - ufw default deny incoming
+ - ufw default allow outgoing
+ - ufw allow 22/tcp
+ - ufw allow mosh
+ - ufw enable
+ # Enable and start the fail2ban service
+ - systemctl enable fail2ban && systemctl start fail2ban
+ # Restart the SSH server to apply the new configuration
+ - systemctl restart sshd
+ - |
+ sudo -u marcus git config --global user.email "marcus.kammer@mailbox.org"
+ sudo -u marcus git config --global user.name "Marcus Kammer"
+ sudo -u marcus git config --global init.defaultBranch main
+ # Clone the SBCL repository for a specific branch and depth
+ - sudo -u marcus git clone --depth 1 --branch sbcl-2.1.11 git://git.code.sf.net/p/sbcl/sbcl /home/marcus/sbcl
+ # Clone the SLIME repository for a specific branch and depth
+ - sudo -u marcus git clone --depth 1 --branch v2.28 https://github.com/slime/slime.git /home/marcus/slime
+ # Download the Quicklisp installer
+ - |
+ curl https://beta.quicklisp.org/quicklisp.lisp -o /home/marcus/quicklisp.lisp
+ chown marcus:marcus /home/marcus/quicklisp.lisp
diff --git a/sbcl-nginx.Dockerfile b/sbcl-nginx.Dockerfile
new file mode 100644
index 0000000..ec265ef
--- /dev/null
+++ b/sbcl-nginx.Dockerfile
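Review bot: The two `certbot certonly --nginx -d ...` entries under `runcmd` request certificates for `u1.metaebene.dev` and `docs.u1.metaebene.dev` (apparently carried over from sbcl-nginx.yml), but the vhosts this file writes to `/etc/nginx/sites-available/reverse-proxy.conf` point at `/etc/letsencrypt/live/u1.marcuskammer.dev`, `www.marcuskammer.dev` and `www.uxlessonslearned.dev`, so those key and chain paths will not exist, `systemctl reload nginx` will fail, and none of the three hosts comes up; the requests need to be `certbot certonly --nginx -d u1.marcuskammer.dev ...`, `-d www.marcuskammer.dev ...` and `-d www.uxlessonslearned.dev ...`. Independently of that, the `www.marcuskammer.dev` port-443 `server {` block is never closed — its `location / { ... }` closes but the next line is already `server {` for www.uxlessonslearned.dev — so `nginx -t` rejects the file before certificates even matter; add the missing `}` after that `location` block. The DH parameters are written with `curl https://ssl-config.mozilla.org/ffdhe2048.txt > /etc/letsencrypt/ssl-dhparam.pem` while every vhost reads `ssl-dhparams.pem` (plural), and without `--fail` an HTTP error page would be stored under that name, so use `curl --fail --silent --show-error -o /etc/letsencrypt/ssl-dhparams.pem https://ssl-config.mozilla.org/ffdhe2048.txt` if that download is meant to be used at all. As a hardening point for the `users` section, `sudo: ALL=(ALL) NOPASSWD:ALL` on `marcus` turns each key in `ssh_authorized_keys` into an unattended root credential; unless automation genuinely needs it, `sudo: ALL=(ALL) ALL` keeps a password prompt between a stolen key and root.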
@@ -0,0 +1,23 @@
+# Use Ubuntu 22.04 as the base image
+FROM ubuntu:22.04
+
+# Set environment variables for non-interactive installation
+ENV DEBIAN_FRONTEND=noninteractive
+
+# Update the package index
+RUN apt-get update
+
+# Install cloud-init and locales
+RUN apt-get install -y cloud-init locales
+
+# Add the cloud-init file to the container
+COPY sbcl-nginx.yml /root/sbcl-nginx.yml
+
+# Run the cloud-init configuration
+RUN cloud-init single --file /root/sbcl-nginx.yml --name runcmd
+
+# Expose ports for SSH, HTTP, and HTTPS
+EXPOSE 22 80 443
+
+# Run the CMD to start the services (SSH, nginx, and fail2ban)
+CMD service ssh start && service nginx start && service fail2ban start && /bin/bash
diff --git a/sbcl-nginx.yml b/sbcl-nginx.yml
new file mode 100644
index 0000000..7dbea62
--- /dev/null
+++ b/sbcl-nginx.yml
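Review bot: `RUN cloud-init single --file /root/sbcl-nginx.yml --name runcmd` executes only the `runcmd` module, so the `users`, `packages` and `write_files` sections of the YAML — the marcus account, the hardened `sshd_config`, nginx, fail2ban, ufw and the unattended-upgrades settings — are never applied to this image, and as far as I can tell `runcmd` itself only stages a script that the `scripts-user` module would later execute, so even those commands may not run during the build. Several of them cannot succeed in a build anyway (`ufw enable`, `systemctl`, an ACME challenge against a container with no public hostname), so the resulting image carries none of the hardening the YAML describes and `CMD service ssh start && service nginx start && service fail2ban start` will fail on packages that were never installed; either drive a real cloud-init boot from this YAML or install and configure the services directly in the Dockerfile. `apt-get update` and `apt-get install` in separate `RUN` layers let a cached index layer install stale packages; combine them as `RUN apt-get update && apt-get install -y --no-install-recommends cloud-init locales && rm -rf /var/lib/apt/lists/*`. Finally, `FROM ubuntu:22.04` is a moving tag — pin it by digest — and an SSH daemon plus an interactive root shell inside a container is rarely what you want; if remote access is really required, run `sshd -D` as the single foreground process under a non-root user rather than chaining `service` calls into `/bin/bash`.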
@@ -0,0 +1,317 @@
+#cloud-config
+#Make sure to check the cloud-init logs (/var/log/cloud-init.log and /var/log/cloud-init-output.log)
+locale: en_US.UTF-8
+keyboard:
+ layout: us
+timezone: Europe/Berlin
+
+groups:
+ - nginxgroup
+
+users:
+ - name: nginxuser
+ system: true
+ shell: /usr/sbin/nologin
+ groups: nginxgroup
+ sudo: null
+ # Create a new user named 'marcus'
+ - name: marcus
+ # Add the user to the 'users' and 'admin' groups
+ groups: users, admin
+ # Allow the user to execute any command with sudo without entering a password
+ sudo: ALL=(ALL) NOPASSWD:ALL
+ # Set the user's default shell to /bin/bash
+ shell: /bin/bash
+ # Add the user's public SSH key for key-based authentication
+ ssh_authorized_keys:
+ - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA+46Y3AHPLJgz8KK61doqH3jBX2TL3TJvZsJrB9Km03 visua@xps-8930
+ - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMIHJ5qpMIKL7N3nC0GG1O4ygtkqOlQuZReoik6xGBxn marcus@XPS-13-9380.local
+
+packages:
+ - fail2ban
+ - ufw
+ - unattended-upgrades
+ - sbcl
+ - mosh
+ - tmux
+ - git
+ - mercurial
+ - nginx
+ - certbot
+ - python3-certbot-nginx
+ - libev4
+ - build-essential
+ - sqlite3
+ - emacs-nox
+ - python3-pip
+ - python3-pandas
+ - python3-matplotlib
+
+package_update: true
+package_upgrade: true
+
+write_files:
+ - path: /etc/apt/apt.conf.d/20auto-upgrades
+ content: |
+ APT::Periodic::Update-Package-Lists "1";
+ APT::Periodic::Download-Upgradeable-Packages "1";
+ APT::Periodic::AutocleanInterval "7";
+ APT::Periodic::Unattended-Upgrade "1";
+
+ - path: /etc/ssh/sshd_config
+ content: |
+ # Include additional configuration files from the specified directory
+ Include /etc/ssh/sshd_config.d/*.conf
+ # Set the maximum number of authentication attempts allowed per connection
+ MaxAuthTries 3
+ # Specifies the file containing public keys for user authentication
+ AuthorizedKeysFile .ssh/authorized_keys
+ # Disables password authentication
+ PasswordAuthentication no
+ # Specifies the authentication method(s) to use (public key authentication in this case)
+ AuthenticationMethods publickey
+ # Enables public key authentication
+ PubkeyAuthentication yes
+ # Disables root login via SSH
+ PermitRootLogin no
+ # Disables keyboard-interactive authentication
+ KbdInteractiveAuthentication no
+ # Enables the Pluggable Authentication Module (PAM) for authentication
+ UsePAM yes
+ # Disables agent forwarding for SSH connections
+ AllowAgentForwarding no
+ # Enables TCP forwarding for SSH connections
+ AllowTcpForwarding yes
+ # Disables X11 forwarding for SSH connections
+ X11Forwarding no
+ # Disables printing of the message of the day (MOTD) when a user logs in
+ PrintMotd no
+ # Specifies the key exchange algorithms to use
+ KexAlgorithms curve25519-sha256@libssh.org
+ # Specifies the ciphers allowed for protocol version 2
+ Ciphers chacha20-poly1305@openssh.com
+ # Specifies the message authentication code (MAC) algorithms in order of preference
+ MACs hmac-sha2-512-etm@openssh.com
+ # Specifies environment variables sent by the client to the server
+ AcceptEnv LANG LC_*
+ # Specifies the command to use for the SFTP subsystem
+ Subsystem sftp /usr/lib/openssh/sftp-server
+ # Specifies the user(s) allowed to log in via SSH (in this case, only the user "marcus")
+ AllowUsers marcus
+
+ - path: /etc/fail2ban/jail.local
+ content: |
+ [DEFAULT]
+ # Ban time (in seconds) for an IP after reaching the max number of retries.
+ bantime = 3600
+ # Time window (in seconds) in which 'maxretry' failures must occur.
+ findtime = 600
+ # Maximum number of failed login attempts before an IP gets banned.
+ maxretry = 3
+ # Ban action to use (ufw in this case).
+ banaction = ufw
+
+ [sshd]
+ # Enable the sshd jail.
+ enabled = true
+ # Specify the port for the sshd service.
+ port = 22
+ # Path to the log file for the sshd service.
+ logpath = /var/log/auth.log
+
+ [sshd-ddos]
+ # Specify the filter to use (created earlier)
+ filter = sshd
+ # Enable the sshd-ddos jail.
+ enabled = true
+ # Specify the port for the sshd service.
+ port = ssh
+ # Path to the log file for the sshd service.
+ logpath = /var/log/auth.log
+ # Maximum number of failed login attempts before an IP gets banned (for DDoS protection).
+ maxretry = 5
+ # Ban time (in seconds) for an IP after reaching the max number of retries (for DDoS protection).
+ bantime = 600
+
+ [nginx-http-auth]
+ # Enable the jail
+ enabled = true
+ # Specify the filter to use (created earlier)
+ # filter = nginx-http-auth
+ # Define the action to take (using UFW)
+ action = ufw
+ # Specify the log file to monitor
+ logpath = /var/log/nginx/error.log
+ # Set the maximum number of failed attempts before banning
+ maxretry = 6
+ # Set the ban time in seconds (1 hour)
+ bantime = 3600
+ # Set the time window for failed attempts in seconds (10 minutes)
+ findtime = 600
+
+ - path: /etc/nginx/nginx.conf
+ content: |
+ user nginxuser;
+ worker_processes auto;
+ pid /run/nginx.pid;
+ include /etc/nginx/modules-enabled/*.conf;
+ events {
+ worker_connections 768;
+ # multi_accept on;
+ }
+ http {
+ ##
+ # Basic Settings
+ ##
+ sendfile on;
+ tcp_nopush on;
+ types_hash_max_size 2048;
+ # server_tokens off;
+ # server_names_hash_bucket_size 64;
+ # server_name_in_redirect off;
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+ ##
+ # SSL Settings
+ ##
+ ssl_protocols TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
+ ssl_prefer_server_ciphers on;
+ ##
+ # Logging Settings
+ ##
+ log_format csv '$time_iso8601,$remote_addr,$remote_user,$request,$status,$body_bytes_sent,$http_referer,"$http_user_agent"';
+ access_log /var/log/nginx/access.csv csv;
+ error_log /var/log/nginx/error.log;
+ ##
+ # Gzip Settings
+ ##
+ gzip on;
+ # gzip_vary on;
+ # gzip_proxied any;
+ # gzip_comp_level 6;
+ # gzip_buffers 16 8k;
+ # gzip_http_version 1.1;
+ # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+ ##
+ # Dont send nginx version number
+ ##
+ server_tokens off;
+ ##
+ # Virtual Host Configs
+ ##
+ include /etc/nginx/conf.d/*.conf;
+ include /etc/nginx/sites-enabled/*;
+ }
+
+ # Write reverse-proxy configuration file
+ - path: /etc/nginx/sites-available/reverse-proxy.conf
+ content: |
+ # Listen on port 80
+ server {
+ listen 80;
+ # Set your domain name
+ server_name u1.metaebene.dev;
+ # Redirect all requests to HTTPS
+ return 301 https://$host$request_uri;
+ }
+
+ # Listen on port 443 with SSL
+ server {
+ listen 443 ssl;
+ # Set your domain name
+ server_name u1.metaebene.dev;
+
+ # Include SSL certificate managed by Certbot
+ ssl_certificate /etc/letsencrypt/live/u1.metaebene.dev/fullchain.pem;
+ # Include SSL certificate key managed by Certbot
+ ssl_certificate_key /etc/letsencrypt/live/u1.metaebene.dev/privkey.pem;
+ # Include SSL options provided by Certbot
+ include /etc/letsencrypt/options-ssl-nginx.conf;
+ # Include DH parameters provided by Certbot
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+
+ # Proxy settings for the location
+ location / {
+ # Set backend server address and port
+ proxy_pass http://localhost:8080;
+ # Set Host header
+ proxy_set_header Host $host;
+ # Set X-Real-IP header
+ proxy_set_header X-Real-IP $remote_addr;
+ # Set X-Forwarded-For header
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ # Set X-Forwarded-Proto header
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+ }
+
+ server {
+ listen 80;
+ # Set your domain name
+ server_name docs.u1.metaebene.dev;
+ # Redirect all requests to HTTPS
+ return 301 https://$host$request_uri;
+ }
+
+ # Listen on port 443 with SSL
+ server {
+ listen 443 ssl;
+ # Set your domain name
+ server_name docs.u1.metaebene.dev;
+
+ # Include SSL certificate managed by Certbot
+ ssl_certificate /etc/letsencrypt/live/docs.u1.metaebene.dev/fullchain.pem;
+ # Include SSL certificate key managed by Certbot
+ ssl_certificate_key /etc/letsencrypt/live/docs.u1.metaebene.dev/privkey.pem;
+ # Include SSL options provided by Certbot
+ include /etc/letsencrypt/options-ssl-nginx.conf;
+ # Include DH parameters provided by Certbot
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+
+ location / {
+ root /home/marcus/www/u1/docs/public;
+ index index.html;
+ }
+ }
+runcmd:
+ # Generate the en_US.UTF-8 locale
+ - locale-gen en_US.UTF-8
+ # Set the system's default locale to en_US.UTF-8
+ - update-locale LANG=en_US.UTF-8
+ # Set the system's timezone to Europe/Berlin
+ - timedatectl set-timezone Europe/Berlin
+ # Run Certbot to obtain SSL certificates and configure Nginx
+ - certbot certonly --nginx -d u1.metaebene.dev --non-interactive --agree-tos --email marcus.kammer@mailbox.org --redirect
+ - certbot certonly --nginx -d docs.u1.metaebene.dev --non-interactive --agree-tos --email marcus.kammer@mailbox.org --redirect
+ # Download DHPARAM
+ - curl https://ssl-config.mozilla.org/ffdhe2048.txt > /etc/letsencrypt/ssl-dhparam.pem
+ # Create a symlink for the configuration file
+ - ln -s /etc/nginx/sites-available/reverse-proxy.conf /etc/nginx/sites-enabled/
+ # Remove default Nginx configuration
+ - rm /etc/nginx/sites-enabled/default
+ # Reload Nginx configuration
+ - systemctl reload nginx
+ # Allow Nginx Full (HTTP and HTTPS) through the firewall
+ - ufw allow 'Nginx Full'
+ # Set UFW firewall rules
+ - ufw default deny incoming
+ - ufw default allow outgoing
+ - ufw allow 22/tcp
+ - ufw allow mosh
+ - ufw enable
+ # Enable and start the fail2ban service
+ - systemctl enable fail2ban && systemctl start fail2ban
+ # Restart the SSH server to apply the new configuration
+ - systemctl restart sshd
+ - |
+ sudo -u marcus git config --global user.email "marcus.kammer@mailbox.org"
+ sudo -u marcus git config --global user.name "Marcus Kammer"
+ sudo -u marcus git config --global init.defaultBranch main
+ # Clone the SBCL repository for a specific branch and depth
+ - sudo -u marcus git clone --depth 1 --branch sbcl-2.1.11 git://git.code.sf.net/p/sbcl/sbcl /home/marcus/sbcl
+ # Clone the SLIME repository for a specific branch and depth
+ - sudo -u marcus git clone --depth 1 --branch v2.28 https://github.com/slime/slime.git /home/marcus/slime
+ # Download the Quicklisp installer
+ - |
+ curl https://beta.quicklisp.org/quicklisp.lisp -o /home/marcus/quicklisp.lisp
+ chown marcus:marcus /home/marcus/quicklisp.lisp
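Review bot: The last `runcmd` entries fetch code that will be built and loaded by `marcus` — an account given `sudo: ALL=(ALL) NOPASSWD:ALL` in the `users` section — over channels with no integrity guarantee: `git clone ... git://git.code.sf.net/p/sbcl/sbcl` uses the unauthenticated git protocol, and `curl https://beta.quicklisp.org/quicklisp.lisp` is saved without checking the detached signature Quicklisp publishes next to it, so an on-path attacker or a compromised mirror can hand the box code that runs with effective root. Clone over `https://git.code.sf.net/p/sbcl/sbcl` (SourceForge serves the same repository over HTTPS, as far as I know) and record the commit you expect for `sbcl-2.1.11`, and fetch `quicklisp.lisp.asc` alongside the installer and check it with `gpg --verify` before anyone loads it. The `# Download DHPARAM` step writes `/etc/letsencrypt/ssl-dhparam.pem` while every vhost's `ssl_dhparam` reads `ssl-dhparams.pem` (plural), so the downloaded group is never used, and `curl` without `--fail` would store an HTTP error page under that name; `curl --fail --silent --show-error -o /etc/letsencrypt/ssl-dhparams.pem https://ssl-config.mozilla.org/ffdhe2048.txt` if the download is intended to replace certbot's file. In the embedded nginx.conf the `log_format csv` line leaves `$request`, `$http_referer` and `$remote_user` unquoted, so a request line containing a comma shifts every later column when `access.csv` is read with the pandas that this file installs; quote those fields as `"$request"` the way `"$http_user_agent"` already is, and treat the file as attacker-influenced input when parsing it.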