New Server Checklist


# see doas.conf(5) for configuration details

# Uncomment to allow group "admin" to become root
# permit :admin
permit nopass :admin
permit nopass deploy cmd apk args upgrade -U
permit nopass deploy cmd service args SERVICE restart
permit nopass acme cmd nginx args -s reload

acme setup

TODO: a package could be made to automate many of these steps

nginx config

server {
	listen 80;
	listen [::]:80;
	server_name DOMAIN;

	location / {
		return 302 https://$server_name$request_uri;

	location ^~ /.well-known {
		root /var/www;

server {
	listen 443 ssl http2;
	listen [::]:443 ssl http2;
	server_name DOMAIN;
	ssl_certificate /etc/ssl/uacme/DOMAIN/cert.pem;
	ssl_certificate_key /etc/ssl/uacme/private/DOMAIN/key.pem;

	gzip on;
	gzip_types text/css text/html;

	# ...