From ac8b3932abadde7b43fa12e942ad89df3f186e4b Mon Sep 17 00:00:00 2001
From: urosm <urosm@kompot.si>
Date: Sun, 11 Feb 2024 10:29:14 +0100
Subject: [PATCH] update `README.md`

---
 README.md | 195 +++++++++++++++++++++++++++++++++++++++++++-----------
 1 file changed, 156 insertions(+), 39 deletions(-)

diff --git a/README.md b/README.md
index 13da3be..84f8028 100644
--- a/README.md
+++ b/README.md
@@ -1,70 +1,187 @@
-# Bootstrap
+# dot
+
+This repo tracks user and system configuration files, installed packages
+and used commands for several machines or virtual servers. All are
+running Debian. The `milano` section documents our desktop setup based
+on `sway`, `foot`, `neovim` and `fuzzel`.
+
+## milano
 
 ```sh
-# dotfiles
+# urosm@milano
+## bootstrap dotfiles
 sudo apt install git
-cd
 git init -b main
 git remote add origin gitea@git.kompot.si:urosm/dot.git
-git pull
-git checkout main -f
-# `/etc` 
+git pull origin main
+## disable annoying .sudo_as_admin_successful file
 sudo cp -ri .config/sudoers.d /etc/
+## update to debian testing
 sudo cp -ri .config/apt /etc/
-```
-
-# Packages
-
-```sh
-# locales
+sudo apt update
+sudo apt full-upgrade
+## reconfigure locales
 sudo dpkg-reconfigure locales
-# utils
-sudo apt install udisks2
-sudo apt install screen
-sudo apt install jq
-# networking
-sudo apt install network-manager
+## install tasksel packages
+sudo tasksel install web-server
+sudo tasksel install ssh-server
+## harden ssh
+sudo cp -ri .config/ssh /etc/
+systemctl restart sshd
+## install and configure fail2ban
+sudo apt install fail2ban python3-pyinotify python3-systemd whois
+sudo cp -ir .config/fail2ban /etc/
+systemctl restart fail2ban
+## install and configure firewall
 sudo apt install ufw
 sudo ufw allow "SSH"
 sudo ufw allow 1194/udp
 sudo ufw enable
-# neovim
+## install utils
+sudo apt install network-manager
+sudo cp -ir .config/network /etc/
+sudo apt install udisks2
+sudo apt install screen
+sudo apt install jq
+## install neovim
 sudo apt install neovim
-# desktop
-sudo apt install --no-install-recommends sway
+## install desktop packages
+sudo apt install sway
 sudo apt install swayidle swaylock
-sudo apt install foot fuzzel
+sudo apt install fuzzel
 sudo apt install brightnessctl wlsunset
 sudo apt install wl-clipboard grim
 sudo apt install libnotify-bin mako-notifier
-# writing
-sudo apt install pandoc
-sudo apt install texlive-latex-extra
-sudo apt install texlive-fonts-recommended
-sudo apt install texlive-lang-european
-# audio
+sudo apt install fonts-ibm-plex
+## install and configure audio packages
 sudo apt install pipewire-audio
 systemctl --user enable --now wireplumber.service
-# web
+## install writing packages
+sudo apt install make
+sudo apt install pandoc
+sudo apt install texlive-latex-extra
+sudo apt install texlive-lang-european
+## install web packages
 sudo apt install firefox
 sudo apt install thunderbird
-# media
+## install media packages
 sudo apt install mpv
 sudo apt install zathura
 sudo apt install inkscape
-# office
+## install office packages
 sudo apt install libreoffice libreoffice-gtk3
 sudo apt install libreoffice-l10n-sl
-# printing
+## install printing packages
 sudo apt install cups printer-driver-all
-# scanning
+sudo adduser urosm lpadmin
+## install scanning packages
 sudo apt install simple-scan
-# pdf processing
-sudo apt install qpdf imagemagick ocrmypdf
-# rdp
+## install pdf processing packages
+sudo apt install qpdf ocrmypdf
+## install rdp packages
 sudo apt install remmina
-# ikiwiki
-sudo apt install apache2
+## install and setup ikiwiki
 sudo apt install ikiwiki
-sudo apt install libtext-multimarkdown-perl
+sudo apt install libfile-mimeinfo-perl libhighlight-perl libhtml-tree-perl libimage-magick-perl liblocale-gettext-perl libmailtools-perl libnet-amazon-s3-perl libnet-inet6glue-perl libsearch-xapian-perl libsort-naturally-perl libtext-csv-perl libtext-multimarkdown-perl libtext-textile-perl libtext-typography-perl libtext-wikicreole-perl libtext-wikiformat-perl libxml-feed-perl libxml-writer-perl
+chmod 711 $HOME
+sudo a2enmod userdir
+sudo a2enmod cgi
+sudo cp .config/apache2/sites-available/kontrakurs.localhost.conf /etc/apache2/sites-available/
+sudo cp .config/apache2/sites-available/bavbavhaus.localhost.conf /etc/apache2/sites-available/
+sudo a2ensite kontrakurs.localhost bavbavhaus.localhost
+systemctl restart apache2
+```
+
+## padova
+
+```sh
+ssh root@padova
+adduser urosm
+adduser urosm sudo
+exit
+ssh-copy-id urosm@padova
+ssh urosm@padova
+## bootstrap dotfiles
+sudo apt install git
+git init -b main
+git remote add origin gitea@git.kompot.si:urosm/dot.git
+git pull origin main
+## additional config in `etc`
+sudo cp -ri .config/sudoers.d /etc/
+## install screen
+sudo apt install screen
+## install and configure firewall
+sudo apt install ufw
+sudo ufw allow "SSH"
+sudo ufw allow 1194/udp
+sudo ufw enable
+## harden ssh
+sudo cp -ri .config/ssh /etc/
+sudo systemctl restart sshd
+## install and configure fail2ban
+sudo apt install fail2ban python3-pyinotify python3-systemd whois
+sudo cp -ir .config/fail2ban /etc/
+sudo systemctl restart fail2ban
+## install and configure wireguard
+sudo cp -ir .config/sysctl.d /etc/
+sudo sysctl -p
+sudo apt install wireguard
+sudo cp -i .config/wireguard/padova.conf /etc/wireguard/
+wg-quick up padova
+## enable unattended-upgrades
+sudo apt install unattended-upgrades apt-listchanges
+sudo dpkg-reconfigure -plow unattended-upgrades
+```
+
+## tivoli
+
+```sh
+# urosm@tivoli
+ssh root@tivoli
+adduser urosm
+adduser urosm sudo
+exit
+ssh-copy-id urosm@tivoli
+ssh urosm@tivoli
+## bootstrap dotfiles
+sudo apt install git
+git init -b main
+git remote add origin gitea@git.kompot.si:urosm/dot.git
+git pull origin main
+## additional config in `etc`
+sudo cp -ri .config/sudoers.d /etc/
+## install screen
+sudo apt install screen
+## install and configure firewall
+sudo apt install ufw
+sudo ufw allow "SSH"
+sudo ufw allow "WWW Full"
+sudo ufw enable
+## harden ssh
+sudo cp -ir .config/ssh /etc/
+sudo systemctl restart sshd
+## install and configure fail2ban
+sudo apt install fail2ban python3-pyinotify python3-systemd whois
+sudo cp -ir .config/fail2ban /etc/
+sudo systemctl restart fail2ban
+## install and configure webserver
+sudo tasksel install web-server
+sudo a2enmod rewrite
+sudo a2enmod userdir
+sudo a2enmod cgi
+chmod 711 "$HOME"
+sudo cp -ir .config/apache2/sites-available /etc/apache2/
+sudo a2ensite bavbavhaus.net
+sudo a2ensite kontrakurs.org
+sudo systemctl reload apache2
+## install certbot
+sudo apt install certbot
+sudo apt install python3-certbot-apache
+sudo certbot --apache
+## install ikiwiki
+sudo apt install --install-recommends ikiwiki
+sudo apt install libfile-mimeinfo-perl libhighlight-perl libhtml-tree-perl libimage-magick-perl liblocale-gettext-perl libmailtools-perl libnet-amazon-s3-perl libnet-inet6glue-perl libsearch-xapian-perl libsort-naturally-perl libtext-csv-perl libtext-multimarkdown-perl libtext-textile-perl libtext-typography-perl libtext-wikicreole-perl libtext-wikiformat-perl libxml-feed-perl libxml-writer-perl
+## enable unattended-upgrades
+sudo apt install unattended-upgrades apt-listchanges
+sudo dpkg-reconfigure -plow unattended-upgrades
 ```