Verified commit 7225d538 authored by Elias Ojala

Additions

parent 3c6e84dc
......@@ -13,9 +13,6 @@ server {
location /.well-known/acme-challenge {
root /var/www/_certbot/;
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
}
}
\ No newline at end of file
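Review bot: `try_files $uri $uri/ =404;` in the `/.well-known/acme-challenge` location still falls back to a directory lookup, which an ACME HTTP-01 token never needs; `try_files $uri =404;` keeps the location to plain files under `/var/www/_certbot/`. The location prefix has no trailing slash, so it also matches paths such as `/.well-known/acme-challengeX`; `location ^~ /.well-known/acme-challenge/` would be tighter. The file also ends without a newline (`\ No newline at end of file`), which is worth fixing while touching it.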
......@@ -3,7 +3,7 @@ title: Certbot
permalink: /certbot/
---
### Required packages (Debian 9)
### Required packages (Debian 9/10)
* [certbot](https://packages.debian.org/stretch/certbot)
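Review bot: the heading now reads `Required packages (Debian 9/10)`, but the package link under it still points at `packages.debian.org/stretch/certbot`, which is the Debian 9 package only. Add the buster link next to it, or link to a release-neutral package page, so the heading and the list agree.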
......@@ -52,6 +52,8 @@ sudo certbot certonly --standalone --preferred-challenges http \
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
```
<!--
## Cloudflare Credentials
```bash
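Review bot: the `<!--` added above `## Cloudflare Credentials` hides the section only in the rendered view; an HTML comment is still emitted into the generated page, so the commented-out steps remain published in the page source. This page already uses Liquid (`{% include nginx/http-redirect %}`), so wrapping the section in `{% comment %}` and `{% endcomment %}` would drop it from the output, or the section can be deleted and recovered from history. A one-line reason for disabling it would help the next editor.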
......@@ -61,6 +63,8 @@ sudo chmod 600 /etc/letsencrypt/dnscloudflare.ini
sudo nano /etc/letsencrypt/dnscloudflare.ini
```
-->
## Nginx Sites-available
```nginx
......@@ -88,19 +92,20 @@ server {
}
```
## nginx
## Nginx
```bash
sudo mkdir /etc/nginx/snippets/ssl/
sudo mkdir /etc/nginx/sites-available/_utilities
sudo rm /etc/nginx/sites-enabled/default -rf
sudo mv /etc/nginx/sites-available/default /etc/nginx/sites-available/old_default
sudo nano /etc/nginx/snippets/ssl-params.conf
sudo ln -s /etc/nginx/sites-available/_utilities/http-redirect /etc/nginx/sites-enabled/
sudo nano /etc/nginx/sites-available/_utilities/http-redirect
```
## http redirect
## HTTP redirect
filename: `/etc/nginx/sites-available/_utilities/http-redirect`
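Review bot: in the `bash` block the `sudo ln -s /etc/nginx/sites-available/_utilities/http-redirect /etc/nginx/sites-enabled/` line comes before the `nano` line that creates that file, so `sites-enabled` holds a dangling symlink until the file is saved; swap the two lines so the link is created only after its target exists. `sudo rm /etc/nginx/sites-enabled/default -rf` removes a single symlink, so plain `sudo rm /etc/nginx/sites-enabled/default` is enough and avoids a recursive forced delete as root. Using `mkdir -p` on the two `mkdir` lines would make the block safe to re-run.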
......@@ -108,7 +113,7 @@ filename: `/etc/nginx/sites-available/_utilities/http-redirect`
{% include nginx/http-redirect %}
```
## nginx per-cert config
## Nginx per-certificate configuration
filename: `/etc/nginx/snippets/ssl/example.com.conf`
......
......@@ -3,6 +3,40 @@ title: Tips for fresh Debian server
permalink: /debian/server/tips/
---
## Setup `postfix` as Satellite System
If you have a mail server, do this step. Otherwise, choose "Internet Site".
Please use a encrypted VPN for this (see [wireguard page](../wireguard.md)), as by default Satellite hosts don't use encrypted connection.
Make sure your current server is part of `mynetworks` / "Local networks" in the upstream mail server.
Run:
```console
# dpkg-reconfigure postfix
```
Select "Satellite system"
![Postfix configuration: Select mail server configuration type](mail-satellite/1-server-configuration-type.png)
Insert your mailname, usually your hostname (such as `web1.example.com`)
![Postfix configuration: Select mail name](mail-satellite/2-mailname.png)
Insert your relay address, like `10.125.55.2:25`.
![Postfix configuration: Specify relay address](mail-satellite/3-relay-address.png)
Test:
```bash
mail -s "Hello world!" "user@example.com" <<< "Hello world!"
```
Replace `user@example.com` with a email hosted somewhere else than your mail server.
## Forward mail elsewhere
**Requires a [MTA](https://en.wikipedia.org/wiki/Message_transfer_agent) such as [Postfix](http://www.postfix.org/))**
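Review bot: the added Satellite section leaves the relay hop to `10.125.55.2:25` in plaintext and relies on the VPN alone ("by default Satellite hosts don't use encrypted connection"); consider also documenting TLS towards the relay (Postfix `smtp_tls_security_level`) so mail is not exposed if the tunnel is down or the relay address changes. The test step calls `mail`, but `bsd-mailx` is only installed further down in the unattended-upgrades section, so the command may be missing at this point on a fresh server. The link `../wireguard.md` points at a source file while the pages use permalinks such as `/debian/server/tips/`, and there are two small typos: "a encrypted VPN" and "a email".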
......@@ -37,7 +71,7 @@ If this ends to your actual admin's mailbox instead of `root`'s mailbox, congrat
After running it, `/etc/aliases` should look something like this (notice the `root: actualadmin` line):
```
```yml
# /etc/aliases
mailer-daemon: postmaster
postmaster: root
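Review bot: the fence for the `/etc/aliases` sample is now tagged `yml`, but the aliases file is not YAML; the tag only works here because the `name: value` lines happen to look like a mapping, and it suggests YAML quoting and indentation rules that do not apply. `text` (or no tag, as before) describes the content accurately.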
......@@ -58,7 +92,7 @@ Replace `actualadmin` with the administrative user you set.
Or do the following:
```
```bash
echo "root: actualadmin" | sudo tee -a /etc/aliases
```
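Review bot: `echo "root: actualadmin" | sudo tee -a /etc/aliases` appends unconditionally, so running it twice, or on a system that already has a `root:` entry, leaves duplicate aliases for `root`. Guard it, for example `grep -q '^root:' /etc/aliases || echo "root: actualadmin" | sudo tee -a /etc/aliases`, and mention `sudo newaliases` after the edit if the surrounding text does not already do so.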
......@@ -66,7 +100,7 @@ Replace `actualadmin` with the administrative user you use.
## Enable unattended-upgrades
insert note about buster
This part is made for Debian 9 "stretch", not tested on Debian 10 "buster" yet.
```console
# apt install unattended-upgrades apt-listchanges bsd-mailx
......