Updated root nologin command

00_setup.md

@@ -13,7 +13,8 @@ dnf update -y && dnf upgrade -y
 Then install the neccessary packages
 
 ```sh
-dnf install -y epel-release firewalld bind-utils git fail2ban neovim
+dnf install -y epel-release firewalld bind-utils git
+dnf install -y fail2ban neovim
 ```
 
 `epel-release` is neccessary to get fail2ban and some later dependencies
@@ -34,7 +35,7 @@ firewall-cmd --add-service=ssh --permanent &&
 firewall-cmd --reload
 ```
 
-⚠️⚠️⚠️ `drop` zone will just drop all traffic if you dont configure it to use `public` zone like we show in [Firewall](firewall.md) section. If connections time out this is likely the reason. ⚠️⚠️⚠️
+⚠️ *`drop` zone will just drop all traffic if you dont configure it to use `public` zone like we show in [Firewall](02_firewall.md) section. If connections time out this is likely the reason.*
 
 
 ## Unattended upgrades
@@ -78,7 +79,7 @@ usermod -aG wheel admin # Give elevated (sudo) privileges to the user
 Switch to `admin` account
 
 ```sh
-su -i admin
+su - admin
 ```
 
 Create files and paste your public key
@@ -91,16 +92,29 @@ nvim .ssh/authorized_keys # paste relevant SSH public keys in here
 
 Try opening a new terminal and ssh-ing into `admin` user on the server, it should work.
 
+### Locking the `admin` account password login
+
+⚠️ *Be sure you can SSH with another sudo enabled account like `root` otherwise you WILL LOCK YOURSELF out of the machine.*
+
+Run the following one-liner:
+
+```sh
+echo -e '\nMatch User admin\n    PasswordAuthentication no' | sudo tee -a /etc/ssh/sshd_config > /dev/null && \
+sudo sshd -t && sudo systemctl restart sshd
+```
+
+It will add an entry to the end of the file for user `admin` that prohibits logging in with user/pass.
+
 ### Locking the `root` account
 
-⚠️⚠️⚠️ Be sure you can SSH with another sudo enabled account like `admin` otherwise you WILL LOCK YOURSELF out of the machine. ⚠️⚠️⚠️
+⚠️ *Be sure you can SSH with another sudo enabled account like `admin` otherwise you WILL LOCK YOURSELF out of the machine.*
 
 Go back to `root` account now, otherwise you will need to `sudo` the commands below.
 The following commands will lock out the root by configuring `/etc/ssh/sshd_config` file.
 
 ```sh
-sed -i 's/#PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
+sed -i '/^PermitRootLogin/c\PermitRootLogin no' /etc/ssh/sshd_config
-sed -i 's/#PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config
+sed -i '/^PasswordAuthentication/c\PasswordAuthentication no' /etc/ssh/sshd_config
 systemctl restart sshd
 ````
 

01_applications.md

@@ -1,15 +1,30 @@
 # Installing applications and their dependencies
 
-## Put your apps in `/srv/`
+## Create your SSH keys for Github
+
+Generate ssh-key for private Git porjects
+then copy it to Github project under Settings -> Deploy keys
+```sh
+ssh-keygen -t ed25519
+cat /home/admin/.ssh/id_ed25519.pub # (or whatever u named it, if u only need it for 1 project, keep it default)
+```
+
+## Put your apps in `/usr/local/bin/`
 
 Do not just install stuff in `/home/` dirs.
 
-Rather `git clone` the repos to your home and then move it to `/srv/` partition.
+Rather `git clone` the repos to your home and then move it to `/usr/local/bin/` partition.
+
+If SELinux is turned on you might also wanna do `restorecon` to let `systemctl` service be able to use it.
 
 ```sh
-sudo mv your_repo /srv/your_repo
+sudo mv your_repo /usr/local/bin/your_repo
+restorecon -Rv /usr/local/bin/your_repo
 ```
 
+This will reset
+
+
 This way other users of the system can also access and use your app without letting them into your $HOME.
 
 ## Installing NodeJS

02_firewall.md

@@ -2,7 +2,7 @@
 
 We use `firewalld` to configure firewalls. It uses so called "zones" to define the rules.
 
-In the [Setup](setup.md) guide we have installed and set up `firewalld`, left `ssh` open and closing all other traffic by setting the default zone to "drop".
+In the [Setup](00_setup.md) guide we have installed and set up `firewalld`, left `ssh` open and closing all other traffic by setting the default zone to "drop".
 
 Check [Offish guide](https://www.redhat.com/en/blog/firewalld-rules-and-scenarios) for more details.
 
@@ -42,14 +42,15 @@ sudo firewall-cmd --zone=public --list-ports
 Change the default zone to `public` with
 
 ```sh
-sudo firewall-cmd --permanent --zone=public
+sudo firewall-cmd --set-default-zone=public
 ```
 
 Then open the relevant ports and reload the firewall
   
 ```sh
-sudo firewall-cmd --permanent --zone=public --add-port=80/tcp
+sudo firewall-cmd --permanent --zone=public --add-port=22/tcp # SSH
-sudo firewall-cmd --permanent --zone=public --add-port=443/tcp
+sudo firewall-cmd --permanent --zone=public --add-port=80/tcp # HTTP
+sudo firewall-cmd --permanent --zone=public --add-port=443/tcp # HTTPS
 sudo firewall-cmd --reload
 ```
 
@@ -58,6 +59,7 @@ OR
 You can also open "services", these are just aliases for port/protocol pairing (aka service=http is equal to port 80/tcp)
 
 ```sh
+sudo firewall-cmd --permanent --zone=public --add-service=ssh
 sudo firewall-cmd --permanent --zone=public --add-service=http
 sudo firewall-cmd --permanent --zone=public --add-service=https
 sudo firewall-cmd --reload

03_systemd.md

@@ -26,9 +26,9 @@ Wants=network.target
 
 [Service]
 # Set the working directory where your binary resides
-WorkingDirectory=/srv/YOUR_PATH
+WorkingDirectory=/usr/local/bin/YOUR_PATH
 # Absolute path to your binary
-ExecStart=/srv/YOUR_PATH/target/release/BINARY_NAME
+ExecStart=/usr/local/bin/YOUR_PATH/target/release/BINARY_NAME
 
 # Ensure the service restarts on failure
 Restart=always

04_nginx-certbot.md

@@ -85,3 +85,22 @@ server {
 }
 
 ```
+
+Test and reload nginx by:
+
+```sh
+# Test configuration
+sudo nginx -t
+# Reload nginx
+sudo systemctl reload nginx
+```
+
+## Deleting Certbot certificates
+
+```sh
+# List your certificates
+sudo certbot certificates
+# Delete by name
+sudo certbot delete --cert-name sub.domain.com
+```
+

05_beszel.md

@@ -21,7 +21,7 @@ This will install the beszel binary. The beszel itself will update itself if you
 Even though beszel operates on Websockets primarily it will SSH into the machine in case Websocket connection is lost.
 Make sure port `45876` on target machine to SSH into is open.
 
-If you havent done so before, check [Firewall](firewall.md) section for extra tips, but here is a quick oneliner:
+If you havent done so before, check [Firewall](02_firewall.md) section for extra tips, but here is a quick oneliner:
 
 ```sh
 sudo firewall-cmd --permanent --zone=public --add-port=45876/tcp &&

07_bunny-cdn.md

@@ -8,16 +8,6 @@ BunnyCDN is your friend in 3 ways at least:
 
 It operates with "zones". Think 1 zone = 1 service / website / url you run.
 
-## No caching please
-
-By default if server doesnt include a `Cache-control` header, bunny will cache it.
-
-To make it never cache, include header `Cache-control` with value `no-cache` in your responses.
-
-## Purging cache
-
-To purge the cache on BunnyCDN, there is a button on the top right of the UI.
-
 ## How to add a service / website to BunnyCDN
 
 Consult the screenshots below on how to set BunnyCDN in your browser.
@@ -42,4 +32,14 @@ Enter it into your DNS and Verify SSL back on BunnyCDN.
 
 ![New zone 4](public/bunny4.png "Step 4")
 
-Voila, this is it
+Voila, this is it.
+
+## How to disable caching
+
+By default if server doesnt include a `Cache-control` header, bunny will cache it.
+
+To make it never cache, include header `Cache-control` with value `no-cache` in your responses.
+
+## Purging cache
+
+To purge the cache on BunnyCDN, there is a button on the top right of the UI.

08_alma-linux.md

@@ -1,9 +1,29 @@
-# Why and why .. Alma Linux?
+# Why .. Alma Linux?
 
 AlmaLinux is a continuation of open source work for enterprise grade Red Hat Enterprise Linux (RHEL).
 Its a spiritual successor to CentOS and bug-for-bug compatible with RHEL same as Rocky Linux but without the toxic community.
 
-### What about Debian / Ubuntu ???
+## Enabling SELinux
+
+If its disabled on boot, enable it back with
+
+1. Change the value of `SELINUX` to `SELINUX=enforcing` in `/etc/selinux/config`
+
+2. Enable it on boot (if it was disabled before)
+
+```sh
+sudo grubby --update-kernel ALL --remove-args selinux
+```
+
+3. Reboot
+
+4. You might need to update the folders where permissions are wrong. Use the command:
+
+```sh
+restorecon -Rv /usr/local/bin/your_repo
+```
+
+### What about Debian / Ubuntu ?
 
 Tbh, at the time of setting up new servers the `Debian` install was not working on my host, thats why i picked `AlmaLinux` for all installations to keep them uniform.
 Even though its a move from our usual package manager (`apt`) its the same shit. It uses `dnf` and `yum` and everything works the same.

README.md

@@ -1,41 +1,43 @@
 # Guide for systems / infra maintanance and creation
 
-This guide is assuming you are setting up or maintaining an AlmaLinux (9, 10) server.
+This guide provides good defaults and recipes on how to set up infra in a reliable, stable, effecient and secure way.
-It guides you from setting up a fresh machine, to installing build dependencies, configuring the firewall, serving and monitoring your apps and lastly protecting them from DDOS.
 
-## [Setting up a new machine](setup.md)
+It guides you from setting up a fresh machine, to installing build dependencies, configuring the firewall, serving and monitoring your apps, protecting them from DDOS and more.
 
-Prepare a new machine for use with an `admin` user. Lock out everything but to it. 
+It assumes you are setting up or maintaining an AlmaLinux (9, 10) or a similar RHEL-based server.
 
-## [Installing aplications and build tools](applications.md)
+## [Setting up a new machine](00_setup.md)
+
+Prepare a new machine for use with an `admin` user. Lock out everything but SSH to it. 
+
+## [Installing aplications and build tools](01_applications.md)
 
 Download packages to build future applications such as NodeJS / Rust.
-Set up your apps in `/srv/` partition.
+Set up your apps on `/usr/local/bin/` path.
 
-## [Firewall (opening/checking ports)](firewall.md)
+## [Firewall (opening/checking ports)](02_firewall.md)
 
-How to open firewall to let outside traffic to your apps.
+How to open firewall to let outside traffic to your apps. How to check and set firewall zones.
+If your service is timing out (nothing gets thru) this is probably the answer.
 
-## [Running services and logging with systemd](systemd.md)
+## [Running services and logging with systemd](03_systemd.md)
 
 How to set up a new systemd service and read its logs.
 
-## [Nginx & Certbot](nginx-certbot.md)
+## [Nginx & Certbot](04_nginx-certbot.md)
 
 How to set up Nginx and Certbot to serve your apps with an SSL cert for your desired domain.
 
-## [Monitoring servers (Beszel)](beszel.md)
+## [Monitoring servers (Beszel)](05_beszel.md)
 
 How to monitor servers with Beszel tool which gives you system load stats and systemd service stats.
 
-## [Monitoring websites and apis and serving a Status Page (Uptime Kuma)](uptime-kuma.md)
+## [Monitoring websites and apis and serving a Status Page (Uptime Kuma)](06_uptime-kuma.md)
 
 How to monitor your services and websites with Open Kuma. 
 
-## [Protecting your services and websites with BunnyCDN](bunny-cdn.md)
+## [Protecting your services and websites with BunnyCDN](07_bunny-cdn.md)
 
 How to protect and hide your services and websites from DDOS attacks. 
 
-## [WTF is AlmaLinux](alma-linux.md)
+## [AlmaLinux / RHEL linux](08_alma-linux.md)
-
-Could be the first link, but really its not that important.