perf: lightens website git clone

caddy/_deploy.sh

@@ -0,0 +1,11 @@
+# Setup caddy config
+mkdir /etc/caddy
+cp -R ./caddy/* /etc/caddy
+
+# Setup caddy service
+cp ./caddy/systemd/caddy.service /etc/systemd/system
+
+# Start caddy
+systemctl deamon-reload
+systemctl enable caddy
+systemctl start caddy

caddy/_install.sh

@@ -0,0 +1,9 @@
+# Install prerequistes
+nala install -y debian-keyring debian-archive-keyring apt-transport-https curl
+
+# Install sources and keys
+curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
+curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list
+
+# Install caddy
+nala install -y caddy

caddy/systemd/caddy.service

@@ -23,8 +23,8 @@ Requires=network-online.target
 Type=notify
 User=caddy
 Group=caddy
-ExecStart=/usr/local/bin/caddy run --environ --config /etc/caddy/Caddyfile
-ExecReload=/usr/local/bin/caddy reload --config /etc/caddy/Caddyfile --force
+ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
+ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile --force
 TimeoutStopSec=5s
 LimitNOFILE=1048576
 PrivateTmp=true

deploy.sh

@@ -0,0 +1,14 @@
+APPS=$@
+
+if [[ $1 == "*" && $# -eq 1 ]]; then
+  APPS=$(ls .)
+fi  
+
+for app in "$APPS"
+do
+  echo "[server_config] > Deploying: $app"
+  
+  source "./$app/_deploy.sh" \
+  && echo "[server_config] > Deploy done" \
+  || echo "[server_config] > Deploy failed"
+done

install.sh

@@ -0,0 +1,14 @@
+APPS=$@
+
+if [[ $1 == "*" && $# -eq 1 ]]; then
+  APPS=$(ls .)
+fi  
+
+for app in "$APPS"
+do
+  echo "[server_config] > Installing: $app"
+  
+  source "./$app/_install.sh" \
+  && echo "[server_config] > Install done" \
+  || echo "[server_config] > Install failed"
+done

iptables/_deploy.sh

@@ -0,0 +1,2 @@
+iptables -F
+source ./iptables/rules.sh

iptables/_install.sh

@@ -0,0 +1 @@
+nala install iptables

iptables/iptables/rules.sh

@@ -0,0 +1,29 @@
+# General rules
+iptables -P INPUT DROP
+iptables -P FORWARD DROP
+iptables -P OUTPUT DROP
+
+# Fail2Ban
+iptables -N f2b-sshd
+iptables -A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
+iptables -A INPUT -p tcp -m multiport --dports 55555 -j f2b-sshd
+
+# LoopBack
+iptables -A INPUT -i lo -j ACCEPT
+
+# Keep Opened connection
+iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+# Anti DDOS
+iptables -A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -m limit --limit 1/sec --limit-burst 1 -j ACCEPT
+
+# SSH
+iptables -A INPUT -p tcp -m tcp --dport 55555 -j ACCEPT
+
+# Main proxy
+iptables -A INPUT -p tcp --dport 80 -j ACCEPT # HTTP
+iptables -A INPUT -p tcp --dport 443 -j ACCEPT # HTTPS
+iptables -A INPUT -p udp --dport 443 -j ACCEPT # QUIC
+
+# Fail2Ban -Return-
+iptables -A f2b-sshd -j RETURN

website/_deploy.sh

@@ -0,0 +1,11 @@
+# Pull website sources
+cd /srv/www
+git pull origin main
+
+# Setup website service
+cp /srv/www/website.service /etc/systemd/system
+
+# Start website
+systemctl deamon-reload
+systemctl enable website
+systemctl start website

website/_install.sh

@@ -0,0 +1,17 @@
+# Install deno
+curl -fsSL https://deno.land/install.sh | DENO_INSTALL=/usr/local sh
+
+# Create group and user
+groupadd --system deno
+
+useradd --system \
+  --gid deno
+  --create-home \
+  --home-dir /var/lib/deno \
+  --shell /usr/sbin/nologin \
+  --comment "Deno js engine" \
+  deno
+  
+# Clone website repo
+mkdir -p /srv/www
+git clone -b main --depth 1 https://git.cohabit.fr/cohabit/website.git /srv/www