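# Raspberry Pi home-server setup notes: OS image, hardening, Pi-hole + PiVPN,
# nginx + certbot, ufw + fail2ban, prosody.
# These are step-by-step notes rather than an unattended script: several
# steps open an editor or prompt for input. Most commands are written
# without sudo, so they appear to assume a root shell.
# Lines that are file contents (config.txt, sshd_config, nginx, prosody) are
# kept as comments so that the file stays valid shell.

# prepare os
#unzip -p .img | dd of=/dev/mmcblk0 conv=fsync bs=4M status=progress
#mount /dev/mmcblk0p1 /mnt
#cd /mnt
#touch ssh
#add those lines to config.txt
#   disable_overscan=1
#   over_voltage=6
#   arm_freq=2147
#   gpu_freq=750

# update system
apt update
apt dist-upgrade
apt upgrade
apt autoremove
rpi-eeprom-update

# install tools
apt install tmux neovim ranger neofetch
#ssh-copy-id -i .ssh/id_rsa.pub pi@192.168.0.22
#passwd
#rfkill block bluetooth

# set ssh to accept only keys on localhost*
# Install and test the public key (ssh-copy-id above) BEFORE turning password
# logins off, otherwise the restart below locks you out of the box.
vim /etc/ssh/sshd_config
#add those lines
#   PermitRootLogin no
#   PasswordAuthentication no
# sshd -t parses the edited config; restart only if it is valid, so a typo
# cannot take the SSH daemon down.
sshd -t && service sshd restart

# install pihole & pivpn
# Both installers run as root. Download each one to a file, read it, then
# run it, instead of piping curl straight into bash: -f stops an HTTP error
# page from being executed, and a dropped connection cannot leave bash
# running half a script.
installer_dir=$(mktemp -d)
curl -fsSL -o "$installer_dir/pivpn-install.sh" https://install.pivpn.io
less "$installer_dir/pivpn-install.sh"
bash "$installer_dir/pivpn-install.sh"
curl -fsSL -o "$installer_dir/pihole-install.sh" https://install.pi-hole.net
less "$installer_dir/pihole-install.sh"
bash "$installer_dir/pihole-install.sh"
rm -rf -- "${installer_dir:?}"

#change pihole password
pihole -a -p

# 80 -> 8080 lighttp
# Only rewrite the server.port line. A bare s/80/8080/ would also change the
# first "80" on every other line of the file, and would turn 8080 into
# 808080 if these notes are replayed.
sed -i 's/^\(server\.port[[:space:]]*=[[:space:]]*\)80[[:space:]]*$/\18080/' /etc/lighttpd/lighttpd.conf
service lighttpd restart

# installing
apt install nginx certbot python3-certbot-nginx ufw fail2ban prosody coturn

# move default index page to /var/www/html/default
mkdir -p /var/www/html/default
mv /var/www/html/index* /var/www/html/default
# Match the whole root directive so that a second run does not produce
# /var/www/html/default/default.
sed -i 's|root /var/www/html;|root /var/www/html/default;|' /etc/nginx/sites-available/default
# nginx -t validates the config before the restart.
nginx -t && service nginx restart

# configure nginx to prevent spam
# nginx directives, not shell: limit_req_zone belongs in the http {} context,
# limit_req in the server {} or location {} block that should be rate limited.
#   limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
#   limit_req zone=one;

# ufw & fail2ban
pivpn -d
vim /etc/default/ufw
#   "disable ipv6"
# Allow rules are added before "ufw enable" so that the LAN rule (which
# covers SSH from 192.168.0.0/24) is in place when the firewall comes up.
ufw allow from 192.168.0.0/24
ufw allow from 10.8.0.0/24
ufw allow 80/tcp
ufw allow 443/tcp
ufw allow XMPP
ufw enable

# certbot
certbot -d gajba.cf --nginx
certbot certonly -d chat.gajba.cf --nginx

# ovpns
pivpn add -n aleksa

# prosody
# prosody config lines, not shell:
#   admins = { "aleksa@gajba.cf" }
#   VirtualHost "gajba.cf"
service prosody restart
sudo prosodyctl --root cert import /etc/letsencrypt/live/
sudo prosodyctl adduser aleksa@gajba.cf

# mail server
# in progress

# that's it
reboot

# testing
# Meant to be run by hand once the machine is back up after the reboot.
for svc in nginx ufw fail2ban prosody; do
  service "$svc" status | grep Active
done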