Init commit

nginx.conf

@@ -0,0 +1,46 @@
+user nginxuser;
+worker_processes auto;
+pid /run/nginx.pid;
+include /etc/nginx/modules-enabled/*.conf;
+events {
+  worker_connections 768;
+  # multi_accept on;
+}
+http {
+  ##
+  # Basic Settings
+  ##
+  sendfile on;
+  tcp_nopush on;
+  types_hash_max_size 2048;
+  # server_tokens off;
+  # server_names_hash_bucket_size 64;
+  # server_name_in_redirect off;
+  include /etc/nginx/mime.types;
+  default_type application/octet-stream;
+  ##
+  # SSL Settings
+  ##
+  ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
+  ssl_prefer_server_ciphers on;
+  ##
+  # Logging Settings
+  ##
+  access_log /var/log/nginx/access.log;
+  error_log /var/log/nginx/error.log;
+  ##
+  # Gzip Settings
+  ##
+  gzip on;
+  # gzip_vary on;
+  # gzip_proxied any;
+  # gzip_comp_level 6;
+  # gzip_buffers 16 8k;
+  # gzip_http_version 1.1;
+  # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+  ##
+  # Virtual Host Configs
+  ##
+  include /etc/nginx/conf.d/*.conf;
+  include /etc/nginx/sites-enabled/*;
+}

reverse-proxy.conf

@@ -0,0 +1,38 @@
+# Listen on port 80
+server {
+  listen 80;
+  # Set your domain name
+  server_name u1.metaebene.dev;
+  # Redirect all requests to HTTPS
+  return 301 https://$host$request_uri;
+}
+
+# Listen on port 443 with SSL
+server {
+  listen 443 ssl;
+  # Set your domain name
+  server_name u1.metaebene.dev;
+
+  # Include SSL certificate managed by Certbot
+  ssl_certificate /etc/letsencrypt/live/u1.metaebene.dev/fullchain.pem;
+  # Include SSL certificate key managed by Certbot
+  ssl_certificate_key /etc/letsencrypt/live/u1.metaebene.dev/privkey.pem;
+  # Include SSL options provided by Certbot
+  include /etc/letsencrypt/options-ssl-nginx.conf;
+  # Include DH parameters provided by Certbot
+  ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+
+  # Proxy settings for the location
+  location / {
+    # Set backend server address and port
+    proxy_pass http://localhost:8080;
+    # Set Host header
+    proxy_set_header Host $host;
+    # Set X-Real-IP header
+    proxy_set_header X-Real-IP $remote_addr;
+    # Set X-Forwarded-For header
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    # Set X-Forwarded-Proto header
+    proxy_set_header X-Forwarded-Proto $scheme;
+  }
+}

sbcl-marcuskammer-dev.yml

@@ -0,0 +1,345 @@
+#cloud-config
+#Make sure to check the cloud-init logs (/var/log/cloud-init.log and /var/log/cloud-init-output.log)
+locale: en_US.UTF-8
+keyboard:
+  layout: us
+timezone: Europe/Berlin
+
+groups:
+  - nginxgroup
+
+users:
+  - name: nginxuser
+    system: true
+    shell: /usr/sbin/nologin
+    groups: nginxgroup
+    sudo: null
+  # Create a new user named 'marcus'
+  - name: marcus
+    # Add the user to the 'users' and 'admin' groups
+    groups: users, admin
+    # Allow the user to execute any command with sudo without entering a password
+    sudo: ALL=(ALL) NOPASSWD:ALL
+    # Set the user's default shell to /bin/bash
+    shell: /bin/bash
+    # Add the user's public SSH key for key-based authentication
+    ssh_authorized_keys:
+      - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA+46Y3AHPLJgz8KK61doqH3jBX2TL3TJvZsJrB9Km03 visua@xps-8930
+      - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMIHJ5qpMIKL7N3nC0GG1O4ygtkqOlQuZReoik6xGBxn marcus@XPS-13-9380.local
+
+packages:
+  - fail2ban
+  - ufw
+  - unattended-upgrades
+  - sbcl
+  - mosh
+  - tmux
+  - git
+  - mercurial
+  - nginx
+  - certbot
+  - python3-certbot-nginx
+  - libev4
+  - build-essential
+  - sqlite3
+  - emacs-nox
+  - python3-pip
+  - python3-pandas
+  - python3-matplotlib
+
+package_update: true
+package_upgrade: true
+
+write_files:
+  - path: /etc/apt/apt.conf.d/20auto-upgrades
+    content: |
+      APT::Periodic::Update-Package-Lists "1";
+      APT::Periodic::Download-Upgradeable-Packages "1";
+      APT::Periodic::AutocleanInterval "7";
+      APT::Periodic::Unattended-Upgrade "1";
+
+  - path: /etc/ssh/sshd_config
+    content: |
+      # Include additional configuration files from the specified directory
+      Include /etc/ssh/sshd_config.d/*.conf
+      # Set the maximum number of authentication attempts allowed per connection
+      MaxAuthTries 3
+      # Specifies the file containing public keys for user authentication
+      AuthorizedKeysFile .ssh/authorized_keys
+      # Disables password authentication
+      PasswordAuthentication no
+      # Specifies the authentication method(s) to use (public key authentication in this case)
+      AuthenticationMethods publickey
+      # Enables public key authentication
+      PubkeyAuthentication yes
+      # Disables root login via SSH
+      PermitRootLogin no
+      # Disables keyboard-interactive authentication
+      KbdInteractiveAuthentication no
+      # Enables the Pluggable Authentication Module (PAM) for authentication
+      UsePAM yes
+      # Disables agent forwarding for SSH connections
+      AllowAgentForwarding no
+      # Enables TCP forwarding for SSH connections
+      AllowTcpForwarding yes
+      # Disables X11 forwarding for SSH connections
+      X11Forwarding no
+      # Disables printing of the message of the day (MOTD) when a user logs in
+      PrintMotd no
+      # Specifies the key exchange algorithms to use
+      KexAlgorithms curve25519-sha256@libssh.org
+      # Specifies the ciphers allowed for protocol version 2
+      Ciphers chacha20-poly1305@openssh.com
+      # Specifies the message authentication code (MAC) algorithms in order of preference
+      MACs hmac-sha2-512-etm@openssh.com
+      # Specifies environment variables sent by the client to the server
+      AcceptEnv LANG LC_*
+      # Specifies the command to use for the SFTP subsystem
+      Subsystem sftp /usr/lib/openssh/sftp-server
+      # Specifies the user(s) allowed to log in via SSH (in this case, only the user "marcus")
+      AllowUsers marcus
+
+  - path: /etc/fail2ban/jail.local
+    content: |
+      [DEFAULT]
+      # Ban time (in seconds) for an IP after reaching the max number of retries.
+      bantime = 3600
+      # Time window (in seconds) in which 'maxretry' failures must occur.
+      findtime = 600
+      # Maximum number of failed login attempts before an IP gets banned.
+      maxretry = 3
+      # Ban action to use (ufw in this case).
+      banaction = ufw
+
+      [sshd]
+      # Enable the sshd jail.
+      enabled = true
+      # Specify the port for the sshd service.
+      port = 22
+      # Path to the log file for the sshd service.
+      logpath = /var/log/auth.log
+
+      [sshd-ddos]
+      # Specify the filter to use (created earlier)
+      filter = sshd
+      # Enable the sshd-ddos jail.
+      enabled = true
+      # Specify the port for the sshd service.
+      port = ssh
+      # Path to the log file for the sshd service.
+      logpath = /var/log/auth.log
+      # Maximum number of failed login attempts before an IP gets banned (for DDoS protection).
+      maxretry = 5
+      # Ban time (in seconds) for an IP after reaching the max number of retries (for DDoS protection).
+      bantime = 600
+
+      [nginx-http-auth]
+      # Enable the jail
+      enabled = true
+      # Specify the filter to use (created earlier)
+      # filter = nginx-http-auth
+      # Define the action to take (using UFW)
+      action = ufw
+      # Specify the log file to monitor
+      logpath = /var/log/nginx/error.log
+      # Set the maximum number of failed attempts before banning
+      maxretry = 6
+      # Set the ban time in seconds (1 hour)
+      bantime = 3600
+      # Set the time window for failed attempts in seconds (10 minutes)
+      findtime = 600
+
+  - path: /etc/nginx/nginx.conf
+    content: |
+      user nginxuser;
+      worker_processes auto;
+      pid /run/nginx.pid;
+      include /etc/nginx/modules-enabled/*.conf;
+      events {
+        worker_connections 768;
+        # multi_accept on;
+      }
+      http {
+        ##
+        # Basic Settings
+        ##
+        sendfile on;
+        tcp_nopush on;
+        types_hash_max_size 2048;
+        # server_tokens off;
+        # server_names_hash_bucket_size 64;
+        # server_name_in_redirect off;
+        include /etc/nginx/mime.types;
+        default_type application/octet-stream;
+        ##
+        # SSL Settings
+        ##
+        ssl_protocols TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
+        ssl_prefer_server_ciphers on;
+        ##
+        # Logging Settings
+        ##
+        log_format csv '$time_iso8601,$remote_addr,$remote_user,$request,$status,$body_bytes_sent,$http_referer,"$http_user_agent"';
+        access_log /var/log/nginx/access.csv csv;
+        error_log /var/log/nginx/error.log;
+        ##
+        # Gzip Settings
+        ##
+        gzip on;
+        # gzip_vary on;
+        # gzip_proxied any;
+        # gzip_comp_level 6;
+        # gzip_buffers 16 8k;
+        # gzip_http_version 1.1;
+        # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+        ##
+        # Dont send nginx version number
+        ##
+        server_tokens off;
+        ##
+        # Virtual Host Configs
+        ##
+        include /etc/nginx/conf.d/*.conf;
+        include /etc/nginx/sites-enabled/*;
+      }
+
+  # Write reverse-proxy configuration file
+  - path: /etc/nginx/sites-available/reverse-proxy.conf
+    content: |
+      # Listen on port 80
+      server {
+        listen 80;
+        # Set your domain name
+        server_name u1.marcuskammer.dev;
+        # Redirect all requests to HTTPS
+        return 301 https://$host$request_uri;
+      }
+
+      # Listen on port 443 with SSL
+      server {
+        listen 443 ssl;
+        # Set your domain name
+        server_name u1.marcuskammer.dev;
+
+        # Include SSL certificate managed by Certbot
+        ssl_certificate /etc/letsencrypt/live/u1.marcuskammer.dev/fullchain.pem;
+        # Include SSL certificate key managed by Certbot
+        ssl_certificate_key /etc/letsencrypt/live/u1.marcuskammer.dev/privkey.pem;
+        # Include SSL options provided by Certbot
+        include /etc/letsencrypt/options-ssl-nginx.conf;
+        # Include DH parameters provided by Certbot
+        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+
+        # Proxy settings for the location
+        location / {
+          # Set backend server address and port
+          proxy_pass http://localhost:8080;
+          # Set Host header
+          proxy_set_header Host $host;
+          # Set X-Real-IP header
+          proxy_set_header X-Real-IP $remote_addr;
+          # Set X-Forwarded-For header
+          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+          # Set X-Forwarded-Proto header
+          proxy_set_header X-Forwarded-Proto $scheme;
+        }
+      }
+
+      server {
+        listen 80;
+        # Set your domain name
+        server_name www.marcuskammer.dev;
+        # Redirect all requests to HTTPS
+        return 301 https://$host$request_uri;
+      }
+
+      # Listen on port 443 with SSL
+      server {
+        listen 443 ssl;
+        # Set your domain name
+        server_name www.marcuskammer.dev;
+
+        # Include SSL certificate managed by Certbot
+        ssl_certificate /etc/letsencrypt/live/www.marcuskammer.dev/fullchain.pem;
+        # Include SSL certificate key managed by Certbot
+        ssl_certificate_key /etc/letsencrypt/live/www.marcuskammer.dev/privkey.pem;
+        # Include SSL options provided by Certbot
+        include /etc/letsencrypt/options-ssl-nginx.conf;
+        # Include DH parameters provided by Certbot
+        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+
+        location / {
+          root /home/marcus/www/www-marcuskammer-dev;
+          index index.html;
+        }
+
+      server {
+        listen 80;
+        # Set your domain name
+        server_name www.uxlessonslearned.dev;
+        # Redirect all requests to HTTPS
+        return 301 https://$host$request_uri;
+      }
+
+      # Listen on port 443 with SSL
+      server {
+        listen 443 ssl;
+        # Set your domain name
+        server_name www.uxlessonslearned.dev;
+
+        # Include SSL certificate managed by Certbot
+        ssl_certificate /etc/letsencrypt/live/www.uxlessonslearned.dev/fullchain.pem;
+        # Include SSL certificate key managed by Certbot
+        ssl_certificate_key /etc/letsencrypt/live/www.uxlessonslearned.dev/privkey.pem;
+        # Include SSL options provided by Certbot
+        include /etc/letsencrypt/options-ssl-nginx.conf;
+        # Include DH parameters provided by Certbot
+        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+
+        location / {
+          root /home/marcus/www/www-uxlessonslearned-dev;
+          index index.html;
+        }
+      }
+runcmd:
+  # Generate the en_US.UTF-8 locale
+  - locale-gen en_US.UTF-8
+  # Set the system's default locale to en_US.UTF-8
+  - update-locale LANG=en_US.UTF-8
+  # Set the system's timezone to Europe/Berlin
+  - timedatectl set-timezone Europe/Berlin
+  # Run Certbot to obtain SSL certificates and configure Nginx
+  - certbot certonly --nginx -d u1.metaebene.dev --non-interactive --agree-tos --email marcus.kammer@mailbox.org --redirect
+  - certbot certonly --nginx -d docs.u1.metaebene.dev --non-interactive --agree-tos --email marcus.kammer@mailbox.org --redirect
+  # Download DHPARAM
+  - curl https://ssl-config.mozilla.org/ffdhe2048.txt > /etc/letsencrypt/ssl-dhparam.pem
+  # Create a symlink for the configuration file
+  - ln -s /etc/nginx/sites-available/reverse-proxy.conf /etc/nginx/sites-enabled/
+  # Remove default Nginx configuration
+  - rm /etc/nginx/sites-enabled/default
+  # Reload Nginx configuration
+  - systemctl reload nginx
+  # Allow Nginx Full (HTTP and HTTPS) through the firewall
+  - ufw allow 'Nginx Full'
+  # Set UFW firewall rules
+  - ufw default deny incoming
+  - ufw default allow outgoing
+  - ufw allow 22/tcp
+  - ufw allow mosh
+  - ufw enable
+  # Enable and start the fail2ban service
+  - systemctl enable fail2ban && systemctl start fail2ban
+  # Restart the SSH server to apply the new configuration
+  - systemctl restart sshd
+  - |
+    sudo -u marcus git config --global user.email "marcus.kammer@mailbox.org"
+    sudo -u marcus git config --global user.name "Marcus Kammer"
+    sudo -u marcus git config --global init.defaultBranch main
+  # Clone the SBCL repository for a specific branch and depth
+  - sudo -u marcus git clone --depth 1 --branch sbcl-2.1.11 git://git.code.sf.net/p/sbcl/sbcl /home/marcus/sbcl
+  # Clone the SLIME repository for a specific branch and depth
+  - sudo -u marcus git clone --depth 1 --branch v2.28 https://github.com/slime/slime.git /home/marcus/slime
+  # Download the Quicklisp installer
+  - |
+    curl https://beta.quicklisp.org/quicklisp.lisp -o /home/marcus/quicklisp.lisp
+    chown marcus:marcus /home/marcus/quicklisp.lisp

sbcl-nginx.Dockerfile

@@ -0,0 +1,23 @@
+# Use Ubuntu 22.04 as the base image
+FROM ubuntu:22.04
+
+# Set environment variables for non-interactive installation
+ENV DEBIAN_FRONTEND=noninteractive
+
+# Update the package index
+RUN apt-get update
+
+# Install cloud-init and locales
+RUN apt-get install -y cloud-init locales
+
+# Add the cloud-init file to the container
+COPY sbcl-nginx.yml /root/sbcl-nginx.yml
+
+# Run the cloud-init configuration
+RUN cloud-init single --file /root/sbcl-nginx.yml --name runcmd
+
+# Expose ports for SSH, HTTP, and HTTPS
+EXPOSE 22 80 443
+
+# Run the CMD to start the services (SSH, nginx, and fail2ban)
+CMD service ssh start && service nginx start && service fail2ban start && /bin/bash

sbcl-nginx.yml

@@ -0,0 +1,317 @@
+#cloud-config
+#Make sure to check the cloud-init logs (/var/log/cloud-init.log and /var/log/cloud-init-output.log)
+locale: en_US.UTF-8
+keyboard:
+  layout: us
+timezone: Europe/Berlin
+
+groups:
+  - nginxgroup
+
+users:
+  - name: nginxuser
+    system: true
+    shell: /usr/sbin/nologin
+    groups: nginxgroup
+    sudo: null
+  # Create a new user named 'marcus'
+  - name: marcus
+    # Add the user to the 'users' and 'admin' groups
+    groups: users, admin
+    # Allow the user to execute any command with sudo without entering a password
+    sudo: ALL=(ALL) NOPASSWD:ALL
+    # Set the user's default shell to /bin/bash
+    shell: /bin/bash
+    # Add the user's public SSH key for key-based authentication
+    ssh_authorized_keys:
+      - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA+46Y3AHPLJgz8KK61doqH3jBX2TL3TJvZsJrB9Km03 visua@xps-8930
+      - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMIHJ5qpMIKL7N3nC0GG1O4ygtkqOlQuZReoik6xGBxn marcus@XPS-13-9380.local
+
+packages:
+  - fail2ban
+  - ufw
+  - unattended-upgrades
+  - sbcl
+  - mosh
+  - tmux
+  - git
+  - mercurial
+  - nginx
+  - certbot
+  - python3-certbot-nginx
+  - libev4
+  - build-essential
+  - sqlite3
+  - emacs-nox
+  - python3-pip
+  - python3-pandas
+  - python3-matplotlib
+
+package_update: true
+package_upgrade: true
+
+write_files:
+  - path: /etc/apt/apt.conf.d/20auto-upgrades
+    content: |
+      APT::Periodic::Update-Package-Lists "1";
+      APT::Periodic::Download-Upgradeable-Packages "1";
+      APT::Periodic::AutocleanInterval "7";
+      APT::Periodic::Unattended-Upgrade "1";
+
+  - path: /etc/ssh/sshd_config
+    content: |
+      # Include additional configuration files from the specified directory
+      Include /etc/ssh/sshd_config.d/*.conf
+      # Set the maximum number of authentication attempts allowed per connection
+      MaxAuthTries 3
+      # Specifies the file containing public keys for user authentication
+      AuthorizedKeysFile .ssh/authorized_keys
+      # Disables password authentication
+      PasswordAuthentication no
+      # Specifies the authentication method(s) to use (public key authentication in this case)
+      AuthenticationMethods publickey
+      # Enables public key authentication
+      PubkeyAuthentication yes
+      # Disables root login via SSH
+      PermitRootLogin no
+      # Disables keyboard-interactive authentication
+      KbdInteractiveAuthentication no
+      # Enables the Pluggable Authentication Module (PAM) for authentication
+      UsePAM yes
+      # Disables agent forwarding for SSH connections
+      AllowAgentForwarding no
+      # Enables TCP forwarding for SSH connections
+      AllowTcpForwarding yes
+      # Disables X11 forwarding for SSH connections
+      X11Forwarding no
+      # Disables printing of the message of the day (MOTD) when a user logs in
+      PrintMotd no
+      # Specifies the key exchange algorithms to use
+      KexAlgorithms curve25519-sha256@libssh.org
+      # Specifies the ciphers allowed for protocol version 2
+      Ciphers chacha20-poly1305@openssh.com
+      # Specifies the message authentication code (MAC) algorithms in order of preference
+      MACs hmac-sha2-512-etm@openssh.com
+      # Specifies environment variables sent by the client to the server
+      AcceptEnv LANG LC_*
+      # Specifies the command to use for the SFTP subsystem
+      Subsystem sftp /usr/lib/openssh/sftp-server
+      # Specifies the user(s) allowed to log in via SSH (in this case, only the user "marcus")
+      AllowUsers marcus
+
+  - path: /etc/fail2ban/jail.local
+    content: |
+      [DEFAULT]
+      # Ban time (in seconds) for an IP after reaching the max number of retries.
+      bantime = 3600
+      # Time window (in seconds) in which 'maxretry' failures must occur.
+      findtime = 600
+      # Maximum number of failed login attempts before an IP gets banned.
+      maxretry = 3
+      # Ban action to use (ufw in this case).
+      banaction = ufw
+
+      [sshd]
+      # Enable the sshd jail.
+      enabled = true
+      # Specify the port for the sshd service.
+      port = 22
+      # Path to the log file for the sshd service.
+      logpath = /var/log/auth.log
+
+      [sshd-ddos]
+      # Specify the filter to use (created earlier)
+      filter = sshd
+      # Enable the sshd-ddos jail.
+      enabled = true
+      # Specify the port for the sshd service.
+      port = ssh
+      # Path to the log file for the sshd service.
+      logpath = /var/log/auth.log
+      # Maximum number of failed login attempts before an IP gets banned (for DDoS protection).
+      maxretry = 5
+      # Ban time (in seconds) for an IP after reaching the max number of retries (for DDoS protection).
+      bantime = 600
+
+      [nginx-http-auth]
+      # Enable the jail
+      enabled = true
+      # Specify the filter to use (created earlier)
+      # filter = nginx-http-auth
+      # Define the action to take (using UFW)
+      action = ufw
+      # Specify the log file to monitor
+      logpath = /var/log/nginx/error.log
+      # Set the maximum number of failed attempts before banning
+      maxretry = 6
+      # Set the ban time in seconds (1 hour)
+      bantime = 3600
+      # Set the time window for failed attempts in seconds (10 minutes)
+      findtime = 600
+
+  - path: /etc/nginx/nginx.conf
+    content: |
+      user nginxuser;
+      worker_processes auto;
+      pid /run/nginx.pid;
+      include /etc/nginx/modules-enabled/*.conf;
+      events {
+        worker_connections 768;
+        # multi_accept on;
+      }
+      http {
+        ##
+        # Basic Settings
+        ##
+        sendfile on;
+        tcp_nopush on;
+        types_hash_max_size 2048;
+        # server_tokens off;
+        # server_names_hash_bucket_size 64;
+        # server_name_in_redirect off;
+        include /etc/nginx/mime.types;
+        default_type application/octet-stream;
+        ##
+        # SSL Settings
+        ##
+        ssl_protocols TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
+        ssl_prefer_server_ciphers on;
+        ##
+        # Logging Settings
+        ##
+        log_format csv '$time_iso8601,$remote_addr,$remote_user,$request,$status,$body_bytes_sent,$http_referer,"$http_user_agent"';
+        access_log /var/log/nginx/access.csv csv;
+        error_log /var/log/nginx/error.log;
+        ##
+        # Gzip Settings
+        ##
+        gzip on;
+        # gzip_vary on;
+        # gzip_proxied any;
+        # gzip_comp_level 6;
+        # gzip_buffers 16 8k;
+        # gzip_http_version 1.1;
+        # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+        ##
+        # Dont send nginx version number
+        ##
+        server_tokens off;
+        ##
+        # Virtual Host Configs
+        ##
+        include /etc/nginx/conf.d/*.conf;
+        include /etc/nginx/sites-enabled/*;
+      }
+
+  # Write reverse-proxy configuration file
+  - path: /etc/nginx/sites-available/reverse-proxy.conf
+    content: |
+      # Listen on port 80
+      server {
+        listen 80;
+        # Set your domain name
+        server_name u1.metaebene.dev;
+        # Redirect all requests to HTTPS
+        return 301 https://$host$request_uri;
+      }
+
+      # Listen on port 443 with SSL
+      server {
+        listen 443 ssl;
+        # Set your domain name
+        server_name u1.metaebene.dev;
+
+        # Include SSL certificate managed by Certbot
+        ssl_certificate /etc/letsencrypt/live/u1.metaebene.dev/fullchain.pem;
+        # Include SSL certificate key managed by Certbot
+        ssl_certificate_key /etc/letsencrypt/live/u1.metaebene.dev/privkey.pem;
+        # Include SSL options provided by Certbot
+        include /etc/letsencrypt/options-ssl-nginx.conf;
+        # Include DH parameters provided by Certbot
+        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+
+        # Proxy settings for the location
+        location / {
+          # Set backend server address and port
+          proxy_pass http://localhost:8080;
+          # Set Host header
+          proxy_set_header Host $host;
+          # Set X-Real-IP header
+          proxy_set_header X-Real-IP $remote_addr;
+          # Set X-Forwarded-For header
+          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+          # Set X-Forwarded-Proto header
+          proxy_set_header X-Forwarded-Proto $scheme;
+        }
+      }
+
+      server {
+        listen 80;
+        # Set your domain name
+        server_name docs.u1.metaebene.dev;
+        # Redirect all requests to HTTPS
+        return 301 https://$host$request_uri;
+      }
+
+      # Listen on port 443 with SSL
+      server {
+        listen 443 ssl;
+        # Set your domain name
+        server_name docs.u1.metaebene.dev;
+
+        # Include SSL certificate managed by Certbot
+        ssl_certificate /etc/letsencrypt/live/docs.u1.metaebene.dev/fullchain.pem;
+        # Include SSL certificate key managed by Certbot
+        ssl_certificate_key /etc/letsencrypt/live/docs.u1.metaebene.dev/privkey.pem;
+        # Include SSL options provided by Certbot
+        include /etc/letsencrypt/options-ssl-nginx.conf;
+        # Include DH parameters provided by Certbot
+        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+
+        location / {
+          root /home/marcus/www/u1/docs/public;
+          index index.html;
+        }
+      }
+runcmd:
+  # Generate the en_US.UTF-8 locale
+  - locale-gen en_US.UTF-8
+  # Set the system's default locale to en_US.UTF-8
+  - update-locale LANG=en_US.UTF-8
+  # Set the system's timezone to Europe/Berlin
+  - timedatectl set-timezone Europe/Berlin
+  # Run Certbot to obtain SSL certificates and configure Nginx
+  - certbot certonly --nginx -d u1.metaebene.dev --non-interactive --agree-tos --email marcus.kammer@mailbox.org --redirect
+  - certbot certonly --nginx -d docs.u1.metaebene.dev --non-interactive --agree-tos --email marcus.kammer@mailbox.org --redirect
+  # Download DHPARAM
+  - curl https://ssl-config.mozilla.org/ffdhe2048.txt > /etc/letsencrypt/ssl-dhparam.pem
+  # Create a symlink for the configuration file
+  - ln -s /etc/nginx/sites-available/reverse-proxy.conf /etc/nginx/sites-enabled/
+  # Remove default Nginx configuration
+  - rm /etc/nginx/sites-enabled/default
+  # Reload Nginx configuration
+  - systemctl reload nginx
+  # Allow Nginx Full (HTTP and HTTPS) through the firewall
+  - ufw allow 'Nginx Full'
+  # Set UFW firewall rules
+  - ufw default deny incoming
+  - ufw default allow outgoing
+  - ufw allow 22/tcp
+  - ufw allow mosh
+  - ufw enable
+  # Enable and start the fail2ban service
+  - systemctl enable fail2ban && systemctl start fail2ban
+  # Restart the SSH server to apply the new configuration
+  - systemctl restart sshd
+  - |
+    sudo -u marcus git config --global user.email "marcus.kammer@mailbox.org"
+    sudo -u marcus git config --global user.name "Marcus Kammer"
+    sudo -u marcus git config --global init.defaultBranch main
+  # Clone the SBCL repository for a specific branch and depth
+  - sudo -u marcus git clone --depth 1 --branch sbcl-2.1.11 git://git.code.sf.net/p/sbcl/sbcl /home/marcus/sbcl
+  # Clone the SLIME repository for a specific branch and depth
+  - sudo -u marcus git clone --depth 1 --branch v2.28 https://github.com/slime/slime.git /home/marcus/slime
+  # Download the Quicklisp installer
+  - |
+    curl https://beta.quicklisp.org/quicklisp.lisp -o /home/marcus/quicklisp.lisp
+    chown marcus:marcus /home/marcus/quicklisp.lisp