Migrate Markdown-Notes: projects, meetings, reference, personal

reference/server-setup/Gitea Server.md

@@ -0,0 +1,65 @@
+# Gitea Server
+
+- ChatGPT conversation: https://chatgpt.com/share/672ece16-da60-8009-83de-9b33c08aed6a
+- follow the basic ubuntu setup first
+
+### Install docker
+
+https://docs.docker.com/engine/install/ubuntu/
+
+
+
+### Docker compose
+
+```
+version: "3"
+
+networks:
+  gitea:
+    external: false
+
+services:
+  server:
+    image: gitea/gitea:latest
+    container_name: gitea
+    environment:
+      - USER_UID=1000
+      - USER_GID=1000
+      - GITEA__service__DISABLE_REGISTRATION=true
+      - GITEA__service__ENABLE_OPENID_SIGNIN=false
+      - GITEA__service__ENABLE_OPENID_SIGNUP=false
+    restart: always
+    networks:
+      - gitea
+    volumes:
+      - ./gitea:/data
+      - /etc/timezone:/etc/timezone:ro
+      - /etc/localtime:/etc/localtime:ro
+    ports:
+      - "3000:3000"    # Gitea web interface
+      - "2222:22"      # Gitea SSH
+```
+
+### Run docker compose
+
+`docker-compose up -d`
+
+`docker exec -it gitea /bin/bash`
+`gitea admin user create --username admin --password YourPassword --email admin@example.com --admin`
+
+
+### SQLITE DB
+to get into the database
+
+sqlite3 /data/gitea/gitea.db
+
+for users, go to the user table
+
+#### Delete a user
+
+```
+DELETE FROM user WHERE email = 'donovan.a.kelly@pm.me';
+DELETE FROM email_address WHERE email = 'donovan.a.kelly@pm.me';
+DELETE FROM external_login_user WHERE email = 'donovan.a.kelly@pm.me';
+
+```

reference/server-setup/OpenVPN and CA install.md

@@ -0,0 +1,205 @@
+# OpenVPN and CA install
+
+### sources
+- https://www.digitalocean.com/community/tutorials/how-to-set-up-and-configure-an-openvpn-server-on-ubuntu-20-04 
+- https://chatgpt.com/share/672b8e75-5a08-8009-9d13-f062d91bfac8
+
+### Prereqs
+
+ubunutu 24 with ufw configured
+
+### Update/Upgrade
+```
+sudo apt update
+sudo apt upgrade -y
+```
+
+### Install OpenVPN and Easy-RSA
+
+
+`sudo apt install openvpn easy-rsa -y`
+
+### Setup CA
+```
+make-cadir ~/openvpn-ca
+cd ~/openvpn-ca
+```
+```
+vi vars
+```
+```
+set_var EASYRSA_REQ_COUNTRY    "YourCountry"
+set_var EASYRSA_REQ_PROVINCE   "YourProvince"
+set_var EASYRSA_REQ_CITY       "YourCity"
+set_var EASYRSA_REQ_ORG        "YourOrganization"
+set_var EASYRSA_REQ_EMAIL      "email@example.com"
+set_var EASYRSA_REQ_OU         "YourOrganizationalUnit"
+```
+
+```
+./easyrsa init-pki
+./easyrsa build-ca
+```
+
+add password to ca
+
+### Generate Certs and Keys
+
+`./easyrsa gen-req server nopass`
+
+`./easyrsa sign-req server server`
+Type yes and enter ca password
+
+`./easyrsa gen-dh`
+
+`openvpn --genkey --secret ta.key` // this is deperacated need update
+
+### Config OpenVPN Server
+
+`sudo cp pki/ca.crt pki/private/server.key pki/issued/server.crt pki/dh.pem ta.key /etc/openvpn/`
+
+`sudo vi /etc/openvpn/server.conf`
+
+```
+port 1194
+proto udp
+dev tun
+
+ca ca.crt
+cert server.crt
+key server.key  # This file should be kept secret
+dh dh.pem
+tls-auth ta.key 0  # This file should be kept secret
+cipher AES-256-CBC
+auth SHA256
+
+server 10.8.0.0 255.255.255.0
+ifconfig-pool-persist ipp.txt
+
+push "route {ip.addr.ess.0 last byte is masked} 255.255.255.0"  # Replace with masked ip address
+
+keepalive 10 120
+persist-key
+persist-tun
+
+user nobody
+group nogroup
+
+status openvpn-status.log
+verb 3
+```
+
+### Enable IP Forwarding
+
+`sudo vi /etc/sysctl.conf`
+```
+net.ipv4.ip_forward=1
+```
+
+`sudo sysctl -p`
+
+### Config Firewall
+
+`sudo vi /etc/default/ufw`
+
+change: `DEFAULT_FORWARD_POLICY="ACCEPT"`
+
+`sudo vi /etc/ufw/before.rules`
+
+Replace IP Address:
+```
+# START OPENVPN RULES
+*nat
+:POSTROUTING ACCEPT [0:0]
+-A POSTROUTING -s 10.8.0.0/8 -o {ADD IP ADDRESS} -j MASQUERADE
+COMMIT
+# END OPENVPN RULES
+```
+
+`sudo ufw allow 1194/udp`
+`sudo ufw enable`
+
+### Start OpenVPN
+
+```
+sudo systemctl start openvpn@server
+sudo systemctl enable openvpn@server
+sudo systemctl status openvpn@server
+```
+
+### Client Config
+
+```
+mkdir -p ~/client-configs/keys
+mkdir -p ~/client-configs/files
+```
+
+`vi ~/client-configs/base.conf`
+
+Rplace MY IP ADDRESS
+```
+client
+dev tun
+proto udp
+remote {MY IP ADDRESS} 1194
+resolv-retry infinite
+nobind
+
+user nobody
+group nogroup
+
+persist-key
+persist-tun
+
+remote-cert-tls server
+cipher AES-256-CBC
+auth SHA256
+key-direction 1
+verb 3
+```
+
+### Client Certificates and Keys
+
+`cd ~/openvpn-ca`
+
+Replace client1 with client_name
+```
+./easyrsa gen-req client1 nopass
+./easyrsa sign-req client client1
+```
+
+`cp pki/ca.crt pki/issued/client1.crt pki/private/client1.key ta.key ~/client-configs/keys/`
+
+`vi ~/client-configs/make_config.sh`
+
+### Generate Client Keys
+Replace client name
+```
+#!/bin/bash
+
+CLIENT_NAME={client name}
+
+KEY_DIR=~/client-configs/keys
+OUTPUT_DIR=~/client-configs/files
+BASE_CONFIG=~/client-configs/base.conf
+
+mkdir -p $OUTPUT_DIR
+
+cat ${BASE_CONFIG} \
+    <(echo -e '<ca>') \
+    ${KEY_DIR}/ca.crt \
+    <(echo -e '</ca>\n<cert>') \
+    ${KEY_DIR}/${CLIENT_NAME}.crt \
+    <(echo -e '</cert>\n<key>') \
+    ${KEY_DIR}/${CLIENT_NAME}.key \
+    <(echo -e '</key>\n<tls-auth>') \
+    ${KEY_DIR}/ta.key \
+    <(echo -e '</tls-auth>') \
+    > ${OUTPUT_DIR}/${CLIENT_NAME}.ovpn
+```
+
+`chmod 700 ~/client-configs/make_config.sh`
+`./client-configs/make_config.sh`
+
+### Distribute Client Config
+{client name}.ovpn is now available in ~/client-configs/files/.

reference/server-setup/hetzner_coolify_setup.md

@@ -0,0 +1,75 @@
+# Hetzner Coolify Setup
+
+## Sources
+
+- https://www.youtube.com/watch?v=taJlPG82Ucw&t=56s
+
+
+## Hetzner dashboard setup
+- add ssh key
+
+- add this to cloud init
+``` cloud_init.yml
+# This config was written for Ubuntu 22.04
+# If you are using a more recent version, see the comments of this gist for fixes
+#cloud-config
+users:
+  - name: dkelly
+    ssh_authorized_keys:
+      - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKQWloxYNqNyOw6KKXsQnYPakthlq9gqf5qR1QGR1g6w donovan.a.kelly@pm.me"
+    sudo: ALL=(ALL:ALL) ALL
+    groups: sudo
+    shell: /bin/bash
+chpasswd:
+  expire: true
+  users:
+    - name: dkelly
+      password: replacethispasswordplease
+      type: text
+runcmd:
+  - sed -i '/PermitRootLogin/d' /etc/ssh/sshd_config
+  - echo "PermitRootLogin without-password" >> /etc/ssh/sshd_config
+  - sed -i '/PubkeyAuthentication/d' /etc/ssh/sshd_config
+  - echo "PubkeyAuthentication yes" >> /etc/ssh/sshd_config
+  - sed -i '/PasswordAuthentication/d' /etc/ssh/sshd_config
+  - echo "PasswordAuthentication no" >> /etc/ssh/sshd_config
+  - systemctl restart sshd
+  - echo "\$nrconf{kernelhints} = -1;" > /etc/needrestart/conf.d/99disable-prompt.conf
+  - apt update
+  - apt upgrade -y --allow-downgrades --allow-remove-essential --allow-change-held-packages
+  - reboot
+  ```
+
+## Setup
+- ssh into root
+```
+apt update
+apt upgrade
+reboot
+```
+
+- Don't mess with ufw or ssh config or worry about create a sudo user. Do this at the end
+
+
+## Install Coolify
+
+curl -fsSL https://cdn.coollabs.io/coolify/install.sh | bash
+
+## Setup
+- create username and password. we'll have to change this later because it doesn't use ssl
+
+- select localhost
+
+## Lock down the server
+
+- ssh into dkelly user and change password
+- Set the root password `passwd`
+- setup ufw
+
+## Add DNS Records
+
+-add wildcard * and empty A records
+
+## Proxy restart
+
+- might need to restart the proxy for ssh keys to take effect

reference/server-setup/nginx on vpn.md

@@ -0,0 +1,64 @@
+# Nginx on VPN
+
+Configure server with OpenVPN and CA
+
+### Install OpenVPN
+
+`sudo apt install nginx`
+
+### nginx config
+
+`sudo vi /etc/nginx/sites-av.../default`
+
+```
+server {
+    listen 10.8.0.1:443 ssl;
+    # server_name _;  # You can omit this line or use '_'
+
+    ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
+    ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
+
+    # SSL settings
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers HIGH:!aNULL:!MD5;
+    ssl_prefer_server_ciphers on;
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_timeout 10m;
+    ssl_session_tickets off;
+
+    # Add Diffie-Hellman parameter for DHE ciphersuites
+    ssl_dhparam /etc/ssl/certs/dhparam.pem;
+
+
+    # Add security headers
+    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+    add_header X-Content-Type-Options nosniff;
+    add_header X-Frame-Options DENY;
+    add_header X-XSS-Protection "1; mode=block";
+
+    # Reverse proxy settings
+    location / {
+        proxy_pass http://<SERVER_B_IP>:80;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+}
+```
+
+### SSL Certs
+
+```
+sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
+  -keyout /etc/ssl/private/nginx-selfsigned.key \
+  -out /etc/ssl/certs/nginx-selfsigned.crt \
+  -subj "/CN=10.8.0.1"
+```
+
+`sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048`
+
+```
+sudo nginx -t
+sudo systemctl reload nginx
+```