diff --git a/README.md b/README.md index de6e61a..d5b15c2 100644 --- a/README.md +++ b/README.md @@ -90,7 +90,14 @@ To harden the system and hide pids from non-root users, also add the following: proc /proc proc defaults,hidepid=2 0 0 ``` -As time syncronisation is important, you should configure ntp servers in `/etc/systemd/timesyncd.conf` and make them match with the entries in `/etc/rc.local` iptables configuration +And add the `noatime,usrjquota=aquota.user,jqfmt=vfsv1` options to the `/home` mountpoint (if not a separate partition, the `/` mointpoint and `noatime`to `/`. Then initialize quota (replace `/home` with `/`, if you do not have a separate partition): +``` +mount -o remount /home +quotacheck -cMu /home +quotaon /home +``` + +In some cases, you might get an error, that quota is not supported. This is usually the case in virtual environments. Make sure you have the full kernel installed, not one with a `-virtual` package. They usually are `linux-image-amd64`, `linux-image-arm64` or `linux-image-generic`, depending on your distribution. Also make sure, you are running a real virtual machine (e.g. KVM). Some providers sell containerized VPSes (e.g. OpenVZ), which means you don't run your own kernel... Enable the PHP-FPM default instances and nginx: ``` @@ -99,13 +106,6 @@ systemctl enable php8.0-fpm@default systemctl enable nginx ``` -Edit `/etc/fstab` and add the `noatime,usrjquota=aquota.user,jqfmt=vfsv1` option to the `/home` mountpoint and `noatime`to `/`. Then initialize quota: -``` -mount -o remount /home -quotacheck -cMu /home -quotaon /home -``` - Install sodium_compat for v3 hidden_service support ``` cd /var/www && composer install diff --git a/etc/rc.local b/etc/rc.local index bc2ad9f..4f9067e 100755 --- a/etc/rc.local +++ b/etc/rc.local 
@@ -69,7 +69,7 @@ ip6tables -A OUTPUT -d $clearnet -j ACCEPT #accet IPv6 ICMP packages required for SLAAC ip6tables -A INPUT -p ipv6-icmp -j ACCEPT ip6tables -A OUTPUT -p ipv6-icmp -j ACCEPT -#allow querriying ntp servers (must mach /etc/systemd/timesyncd.conf +#allow querriying ntp servers (must mach /etc/systemd/timesyncd.conf) for clearnet in 164.68.124.74 185.244.195.159 78.46.53.2 88.99.86.9; do( iptables -t nat -A OUTPUT -p udp --dport 123 -d $clearnet -j RETURN iptables -A OUTPUT -p udp --dport 123 -d $clearnet -j ACCEPT diff --git a/etc/systemd/timesyncd.conf b/etc/systemd/timesyncd.conf index a831917..5ccf118 100644 --- a/etc/systemd/timesyncd.conf +++ b/etc/systemd/timesyncd.conf @@ -12,6 +12,7 @@ # See timesyncd.conf(5) for details. [Time] +#These must mach with firewll config in /etc/systemd/timesyncd.conf Servers=164.68.124.74 185.244.195.159 78.46.53.2 88.99.86.9 2a02:c207:3004:9819::1 2a03:4000:27:602:d4cf:50ff:fedb:b65a 2a01:4f8:110:12d5::2 2a01:4f8:c17:b041::1 #NTP= #FallbackNTP=0.debian.pool.ntp.org 1.debian.pool.ntp.org 2.debian.pool.ntp.org 3.debian.pool.ntp.org
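Review bot: the new README paragraph in the first hunk (`@@ -90,7 +90,14 @@`) has an unbalanced parenthesis and two typos that make the instruction ambiguous: "(if not a separate partition, the `/` mointpoint and `noatime`to `/`." never closes, "mointpoint" should be "mountpoint", and "`noatime`to" is missing a space. Suggest rewording to something like "add the `noatime,usrjquota=aquota.user,jqfmt=vfsv1` options to the `/home` mountpoint (or to `/` if `/home` is not a separate partition) and `noatime` to `/`." Also, the removed line was the only place the README told the reader that the NTP servers in `/etc/systemd/timesyncd.conf` have to match the iptables rules in `/etc/rc.local`; since that coupling is a hardening requirement (a server missing from the firewall list silently fails to sync, and a server missing from timesyncd is a pointless egress hole), keep one sentence about it in the README rather than relying only on the comments inside the two files.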
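Review bot: the `etc/rc.local` hunk (`@@ -69,7 +69,7 @@`) fixes the missing closing parenthesis in the comment but leaves "querriying" and "mach" in the same line; while touching it, spell it "#allow querying ntp servers (must match /etc/systemd/timesyncd.conf)". More importantly, the visible `for clearnet in 164.68.124.74 185.244.195.159 78.46.53.2 88.99.86.9` loop only adds `iptables` (IPv4) rules, whereas the `timesyncd.conf` hunk lists four additional IPv6 servers (`2a02:c207:3004:9819::1` etc.); confirm there is a corresponding `ip6tables` rule for UDP/123 to those addresses elsewhere in `rc.local`, otherwise the "must match" comment is only true for IPv4 and timesyncd may pick an IPv6 server that the firewall drops.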
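Review bot: the comment added in the `etc/systemd/timesyncd.conf` hunk (`@@ -12,6 +12,7 @@`) points at the wrong file: "#These must mach with firewll config in /etc/systemd/timesyncd.conf" refers to the file it lives in, but the firewall rules are in `/etc/rc.local`. It should read "#These must match the firewall config in /etc/rc.local" (also fixing "mach" and "firewll"), so that someone editing the server list later is sent to the right place to update the egress rules.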