commit 75b7a85427724db26d9fc66b289968b06ebf1021
Author: Noah
Date: Thu May 28 14:54:26 2020 +0200
Initial commit
diff --git a/00_dns_records.md b/00_dns_records.md
new file mode 100644
index 0000000..9b742bc
--- /dev/null
+++ b/00_dns_records.md
@@ -0,0 +1,7 @@
+Host Type MX Destination
+* A 5.45.101.172
+@ MX 10 srv01.dreckbu.de
+@ A 5.45.101.172
+autoconfig CNAME srv01.dreckbu.de
+autodiscover CNAME srv01.dreckbu.de
+mail A 5.45.101.172
\ No newline at end of file
diff --git a/01_initial_setup.md b/01_initial_setup.md
new file mode 100644
index 0000000..8b2bf1f
--- /dev/null
+++ b/01_initial_setup.md
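Review bot: The record set for a host that will receive and send mail (the `@ MX 10 srv01.dreckbu.de` line) lists no SPF, DKIM or DMARC TXT records, so outbound mail from this domain carries no sender-authentication signal and receiving servers are more likely to reject or junk it; if those records are kept elsewhere, a pointer in this file would help the next admin. The wildcard `* A 5.45.101.172` also resolves every label under the zone to the host, which is wider than the two CNAMEs (`autoconfig`, `autodiscover`) appear to need, so a one-line note on whether the wildcard is intentional would be worth adding.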
@@ -0,0 +1,162 @@
+# Dreckbu.de server initial setup
+## ssh
+```bash
+# as root
+adduser noah
+usermod -aG sudo noah
+```
+* Copy pub keys to server using `ssh-copy-id -i KEY_FILE user@host`.
+```bash
+nano /etc/ssh/sshd_config
+```
+* Change *PasswordAuthentication yes* to *PasswordAuthentication no*.
+```bash
+systemctl restart sshd
+```
+
+## software
+```bash
+apt update && apt upgrade
+apt install vim tmux htop zsh
+update-alternatives --config editor
+```
+
+## firewall
+```
+netstat -tulpn | grep -E -w '25|80|110|143|443|465|587|993|995'
+apt install iptables-persistent
+```
+* iptables base:
+`vim /etc/iptables.up.rules`
+```
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+:DOCKER-USER - [0:0]
+
+##
+# INPUT
+##
+
+# Allow localhost
+-A INPUT -i lo -j ACCEPT
+
+# Allow established connections
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+# Allow ICMP ping
+-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
+
+# SSH
+-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
+
+# INPUT default DROP
+-A INPUT -j DROP
+
+##
+# DOCKER-USER rules
+##
+
+# Allow established connections
+-A DOCKER-USER -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+# SMTP
+-A DOCKER-USER -i eth0 -p tcp -m tcp --dport 25 -j ACCEPT
+
+# http
+-A DOCKER-USER -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
+# https
+-A DOCKER-USER -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
+
+# DOCKER-USER default DROP
+-A DOCKER-USER -i eth0 -j DROP
+
+COMMIT
+```
+* Modified `vim /etc/iptables.up.rules`
+```bash
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+:DOCKER-USER - [0:0]
+
+##
+### INPUT
+####
+##
+### Allow localhost
+-A INPUT -i lo -j ACCEPT
+##
+### Allow established connections
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+##
+### Allow ICMP ping
+-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
+##
+### SSH
+-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
+##
+### INPUT default DROP
+-A INPUT -j DROP
+##
+####
+### DOCKER-USER rules
+####
+##
+### Allow established connections
+-A DOCKER-USER -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+##
+### SMTP
+-A DOCKER-USER -i eth0 -p tcp -m tcp --dport 25 -j ACCEPT
+### SMTPS
+-A DOCKER-USER -i eth0 -p tcp -m tcp --dport 465 -j ACCEPT
+### Postfix Submission
+-A DOCKER-USER -i eth0 -p tcp -m tcp --dport 587 -j ACCEPT
+### IMAP
+-A DOCKER-USER -i eth0 -p tcp -m tcp --dport 143 -j ACCEPT
+### IMAPS
+-A DOCKER-USER -i eth0 -p tcp -m tcp --dport 993 -j ACCEPT
+### POP3
+-A DOCKER-USER -i eth0 -p tcp -m tcp --dport 110 -j ACCEPT
+### POP3S
+-A DOCKER-USER -i eth0 -p tcp -m tcp --dport 995 -j ACCEPT
+### Dovecot ManageSieve
+-A DOCKER-USER -i eth0 -p tcp -m tcp --dport 4190 -j ACCEPT
+### http
+-A DOCKER-USER -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
+### https
+-A DOCKER-USER -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
+#
+### DOCKER-USER default DROP
+-A DOCKER-USER -i eth0 -j DROP
+COMMIT
+```
+
+```bash
+iptables-restore < /etc/iptables.up.rules
+iptables-save > /etc/iptables/rules.v4
+ip6tables-save > /etc/iptables/rules.v6
+```
+
+**leave iptables alone, it breaks everything!!!**
+
+## datetime
+```bash
+timedatectl status
+```
+
+## hostname and fqdn
+```bash
+vim /etc/hostname
+# replace with srv01
+hostname $(cat /etc/hostname)
+vim /etc/resolvconf/resolv.conf.d/head
+# add domain dreckbu.de at the end
+resolvconf -u
+hostnamectl set-hostname srv01
+vim /etc/hosts
+# replace with srv01
+```
+
\ No newline at end of file
diff --git a/02_mailcow_setup.md b/02_mailcow_setup.md
new file mode 100644
index 0000000..c2accc2
--- /dev/null
+++ b/02_mailcow_setup.md
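Review bot: `ip6tables-save > /etc/iptables/rules.v6` persists whatever the IPv6 tables hold at that moment, but nothing in this runbook defines any IPv6 rule, so if the host has a global IPv6 address the INPUT and DOCKER-USER DROP rules above apply to IPv4 only (the nginx config in the same commit listens on `[::]:80` and `[::]:443`); either mirror the ruleset for `ip6tables-restore` or state that IPv6 is disabled on the host. Every DOCKER-USER rule is also keyed on `-i eth0`, so the chain filters nothing if the interface carries another name — worth confirming with `ip link` and writing the interface name down next to the ruleset. The closing `**leave iptables alone, it breaks everything!!!**` contradicts the restore/save steps just above it; a sentence on what broke and whether the saved rules are actually loaded at boot would spare the next admin the same surprise.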
@@ -0,0 +1,42 @@
+# Mailcow setup
+## install docker
+*https://docs.docker.com/install/linux/docker-ce/debian/#prerequisites*
+```bash
+apt install \
+ apt-transport-https \
+ ca-certificates \
+ curl \
+ gnupg2 \
+ software-properties-common
+curl -fsSL https://download.docker.com/linux/debian/gpg | apt-key add -
+apt-key fingerprint 0EBFCD88
+sudo add-apt-repository \
+ "deb [arch=amd64] https://download.docker.com/linux/debian \
+ $(lsb_release -cs) \
+ stable"
+apt update
+apt install docker-ce docker-ce-cli containerd.io
+```
+
+## install docker-compose
+```bash
+curl -L "https://github.com/docker/compose/releases/download/1.25.0/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
+chmod +x /usr/local/bin/docker-compose
+```
+
+## install mailcow
+```bash
+umask
+# should equal 0022
+cd /opt
+git clone https://github.com/mailcow/mailcow-dockerized
+cd mailcow-dockerized
+docker-compose pull
+docker-compose up -d
+vim mailcow.conf
+# enable SKIP_HTTP_VERIFICATION=n
+```
+
+## troubleshooting
+* cannot receive mail from accounts that aren't local
+ * applied fix: https://github.com/mailcow/mailcow-dockerized/issues/776 (srv01.dreckbu.de dest)
\ No newline at end of file
diff --git a/03_ts3_setup.md b/03_ts3_setup.md
new file mode 100644
index 0000000..53b6dba
--- /dev/null
+++ b/03_ts3_setup.md
@@ -0,0 +1,21 @@
+# Teamspeak 3 setup
+*https://hub.docker.com/_/teamspeak*
+
+`docker run --name ts3 -v /opt/ts3/ts3server:/var/ts3server/ -d -p 9987:9987/udp -p 9988:9988/udp -p 10011:10011 -p 30033:30033 -e TS3SERVER_LICENSE=accept teamspeak:latest`
+
+`vim /etc/systemd/system/docker-ts3.service`
+
+```
+[Unit]
+Description=Teamspeak 3 server
+Requires=docker.service
+After=docker.service
+
+[Service]
+Restart=always
+ExecStart=/usr/bin/docker start -a ts3
+ExecStop=/usr/bin/docker stop -t 2 ts3
+
+[Install]
+WantedBy=default.target
+```
diff --git a/04_nginx_setup.md b/04_nginx_setup.md
new file mode 100644
index 0000000..bd36631
--- /dev/null
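Review bot: The `curl -L ... -o /usr/local/bin/docker-compose` step drops a binary onto the root-owned PATH and runs it as root without any integrity check; comparing the download against the checksum published with that release (`sha256sum -c` on the listed value) before the `chmod +x` closes the gap, and pinning `1.25.0` in the URL is already half of that. The comment `# enable SKIP_HTTP_VERIFICATION=n` reads as if something is being switched on, while `n` keeps verification active; `# keep SKIP_HTTP_VERIFICATION=n so HTTP verification stays enabled` says what is meant. The `apt-key fingerprint 0EBFCD88` line only prints the key; a sentence saying the operator must compare the printed fingerprint with the one in the linked Docker docs would make the step an actual check rather than a display.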
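Review bot: The `docker run` line publishes `10011` (the ServerQuery admin port) and `30033` on every host interface, yet the DOCKER-USER chain in 01_initial_setup.md has no ACCEPT for 9987/udp, 9988/udp, 10011 or 30033, so either that firewall is not in effect or the server is unreachable from outside — the two documents should agree and this one should list which ports are meant to be public. If ServerQuery is only used from the host, binding it to loopback with `-p 127.0.0.1:10011:10011` keeps the admin interface off the public address regardless of the firewall state. The systemd unit's `ExecStart=/usr/bin/docker start -a ts3` presumes the container already exists from the earlier `docker run`; a comment above the unit saying so would save a confused first boot.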
+++ b/04_nginx_setup.md 
@@ -0,0 +1,128 @@
+# Nginx setup
+* https://hub.docker.com/_/nginx
+
+## Set up reverse proxy in mailcow
+* https://mailcow.github.io/mailcow-dockerized-docs/firststeps-rp/
+* `vim /opt/mailcow-dockerized/mailcow.conf`
+```
+HTTP_BIND=127.0.0.1
+HTTP_PORT=8080
+HTTPS_BIND=127.0.0.1
+HTTPS_PORT=8443
+```
+
+```bash
+./generate_config.sh
+cp mailcow.conf_backup mailcow.conf
+docker-compose up -d
+```
+
+```
+docker run --name tmp-nginx-container -d nginx
+docker cp tmp-nginx-container:/etc/nginx /opt/nginx/
+docker rm -f tmp-nginx-container
+```
+
+* `vim /opt/nginx/nginx/conf.d/mailcow.conf`
+```
+server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+ server_name srv01.dreckbu.de autodiscover.* autoconfig.*;
+ return 301 https://$host$request_uri;
+}
+server {
+ listen 443;
+ listen [::]:443;
+ server_name srv01.dreckbu.de autodiscover.* autoconfig.*;
+
+ ssl on;
+ ssl_certificate /var/ssl/cert.pem;
+ ssl_certificate_key /var/ssl/key.pem;
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers HIGH:!aNULL:!MD5;
+
+ location /Microsoft-Server-ActiveSync {
+ proxy_pass http://nginx-mailcow:8080/Microsoft-Server-ActiveSync;
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_connect_timeout 75;
+ proxy_send_timeout 3650;
+ proxy_read_timeout 3650;
+ proxy_buffers 64 256k;
+ client_body_buffer_size 512k;
+ client_max_body_size 0;
+ }
+
+ location / {
+ proxy_pass http://nginx-mailcow:8080/;
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ client_max_body_size 0;
+ }
+}
+```
+
+## set up main host for serving static html pages
+
+* `vim /opt/nginx/nginx/conf.d/main.conf`
+```
+# HTTP
+server {
+ listen 80;
+ listen [::]:80;
+ server_name dreckbu.de www.dreckbu.de;
+ # enforce https
+ return 301 https://$server_name$request_uri;
+}
+
+# HTTPS
+server {
+ listen 443;
+ listen [::]:443;
+ server_name dreckbu.de www.dreckbu.de;
+
+ ssl on;
+ ssl_certificate /var/ssl/cert.pem;
+ ssl_certificate_key /var/ssl/key.pem;
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers HIGH:!aNULL:!MD5;
+
+ index index.php index.html index.htm;
+
+ location / {
+ root /var/www;
+ }
+}
+```
+
+## test the reverse proxy
+
+* `docker run --name nginx-reverse-proxy -p 80:80 -p 443:443 --network mailcowdockerized_mailcow-network -v /opt/nginx/nginx:/etc/nginx:ro -v /opt/mailcow-dockerized/data/assets/ssl:/var/ssl -v /opt/nginx/www:/var/www -d nginx`
+
+* `vim /opt/nginx/docker-compose.yml`
+```
+version: "2"
+networks:
+ mailcowdockerized_mailcow-network:
+ external: true
+services:
+ nginx-reverse-proxy:
+ image: nginx
+ volumes:
+ - /opt/nginx/nginx:/etc/nginx:ro
+ - /opt/mailcow-dockerized/data/assets/ssl:/var/ssl
+ - /opt/nginx/www:/var/www
+ ports:
+ - "80:80"
+ - "443:443"
+ restart: always
+ networks:
+ - mailcowdockerized_mailcow-network
+```
+
+* https://stackoverflow.com/questions/38088279/communication-between-multiple-docker-compose-projects
\ No newline at end of file
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..84868f2
--- /dev/null
+++ b/README.md
@@ -0,0 +1,3 @@
+# Dreckbu.de docs
+
+Documentation on how srv01.dreckbu.de was installed.
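Review bot: Both HTTPS server blocks (mailcow.conf and main.conf) keep the deprecated TLS 1.0 and 1.1 enabled via `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` on the public mail and web endpoints and rely on the deprecated `ssl on;` directive; the current form is `listen 443 ssl;` / `listen [::]:443 ssl;` with `ssl_protocols TLSv1.2 TLSv1.3;` (TLS 1.3 assuming the image's OpenSSL supports it), and `HIGH:!aNULL:!MD5` is broad enough that a named modern cipher list would be the better default. The ssl volume in docker-compose.yml, `/opt/mailcow-dockerized/data/assets/ssl:/var/ssl`, mounts the private key read-write into the proxy container although nginx only reads it; `:ro` as already used for the config mount above it removes that write path, and the same applies to the `docker run` test command. A short line noting that the cert and key in that directory are the ones mailcow renews, so the proxy needs a reload after renewal, would also prevent serving a stale certificate.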