# HG changeset patch
# User Oleksandr Gavenko <gavenkoa@gmail.com>
# Date 1748381082 -10800
# Node ID a9e95c9c0f4d361986f298e92a33e66844deb609
# Parent  af1919427dfc1179914309de8fa54c316e23ea43# Parent  387b30d411ef5887665bcfcb038c02a3a095223e
Merged

diff -r 387b30d411ef -r a9e95c9c0f4d deb/apache-letsencrypt.bash
--- a/deb/apache-letsencrypt.bash	Tue Feb 13 21:16:39 2024 +0200
+++ b/deb/apache-letsencrypt.bash	Wed May 28 00:24:42 2025 +0300
@@ -1,9 +1,14 @@
 #!/bin/bash
 
-mkdir /srv/www/letsencrypt
+apt install certbot
+
+mkdir -p /srv/www/letsencrypt
 
 # service apache2 stop
 # --standalone
+
+# Command requires Apache or Lighttpd running and aliasing (no need to stop Apache!):
+#   Alias "/.well-known/acme-challenge/" "/srv/www/letsencrypt/.well-known/acme-challenge/"
 certbot certonly --webroot \
  --agree-tos --non-interactive \
  -m gavenkoa@gmail.com \
@@ -27,3 +32,38 @@
 
 # systemctl reload apache2
 # sudo certbot --apache --agree-tos --redirect -m youremail@email.com -d domainname.com -d www.domainname.com
+
+# apt download python3-certbot-apache
+#   /usr/lib/python3/dist-packages/certbot_apache/_internal/tls_configs/current-options-ssl-apache.conf
+#   /usr/lib/python3/dist-packages/certbot_apache/_internal/tls_configs/old-options-ssl-apache.conf
+cat >/srv/www/letsencrypt/apache-ssl-options.conf <<EOF
+SSLEngine on
+SSLProtocol             all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
+SSLOptions +StrictRequire
+
+# Add vhost name to log entries:
+LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
+LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common
+EOF
+
+cat >/etc/cron.weekly/defun-letsencrypt.bash <<EOF
+#!/bin/bash
+
+certbot certonly --webroot \
+ --agree-tos --non-interactive \
+ -m gavenkoa@gmail.com \
+ -w /srv/www/letsencrypt \
+ --cert-name defun.work \
+ -d defun.work \
+ -d 2048.defun.work \
+ -d blog.defun.work \
+ -d cooking.defun.work \
+ -d gadict.defun.work \
+ -d hg.defun.work \
+ -d resume.defun.work \
+ -d stat.defun.work \
+ -d test.defun.work \
+ -d tips.defun.work
+
+EOF
+chmod a+x /etc/cron.weekly/defun-letsencrypt.bash
diff -r 387b30d411ef -r a9e95c9c0f4d deb/apache-register-2048.bash
--- a/deb/apache-register-2048.bash	Tue Feb 13 21:16:39 2024 +0200
+++ b/deb/apache-register-2048.bash	Wed May 28 00:24:42 2025 +0300
@@ -35,7 +35,7 @@
 
     SSLCertificateFile /etc/letsencrypt/live/defun.work/fullchain.pem
     SSLCertificateKeyFile /etc/letsencrypt/live/defun.work/privkey.pem
-    Include /etc/letsencrypt/options-ssl-apache.conf
+    Include /srv/www/letsencrypt/apache-ssl-options.conf
   </VirtualHost>
 </IfModule>
 EOF
diff -r 387b30d411ef -r a9e95c9c0f4d deb/apache-register-blog.bash
--- a/deb/apache-register-blog.bash	Tue Feb 13 21:16:39 2024 +0200
+++ b/deb/apache-register-blog.bash	Wed May 28 00:24:42 2025 +0300
@@ -35,7 +35,7 @@
 
     SSLCertificateFile /etc/letsencrypt/live/defun.work/fullchain.pem
     SSLCertificateKeyFile /etc/letsencrypt/live/defun.work/privkey.pem
-    Include /etc/letsencrypt/options-ssl-apache.conf
+    Include /srv/www/letsencrypt/apache-ssl-options.conf
   </VirtualHost>
 </IfModule>
 EOF
diff -r 387b30d411ef -r a9e95c9c0f4d deb/apache-register-cooking.bash
--- a/deb/apache-register-cooking.bash	Tue Feb 13 21:16:39 2024 +0200
+++ b/deb/apache-register-cooking.bash	Wed May 28 00:24:42 2025 +0300
@@ -35,7 +35,7 @@
 
     SSLCertificateFile /etc/letsencrypt/live/defun.work/fullchain.pem
     SSLCertificateKeyFile /etc/letsencrypt/live/defun.work/privkey.pem
-    Include /etc/letsencrypt/options-ssl-apache.conf
+    Include /srv/www/letsencrypt/apache-ssl-options.conf
   </VirtualHost>
 </IfModule>
 EOF
diff -r 387b30d411ef -r a9e95c9c0f4d deb/apache-register-forward-proxy.bash
--- a/deb/apache-register-forward-proxy.bash	Tue Feb 13 21:16:39 2024 +0200
+++ b/deb/apache-register-forward-proxy.bash	Wed May 28 00:24:42 2025 +0300
@@ -43,7 +43,7 @@
 
     SSLCertificateFile /etc/letsencrypt/live/defun.work/fullchain.pem
     SSLCertificateKeyFile /etc/letsencrypt/live/defun.work/privkey.pem
-    Include /etc/letsencrypt/options-ssl-apache.conf
+    Include /srv/www/letsencrypt/apache-ssl-options.conf
   </VirtualHost>
 </IfModule>
 'EOF'
diff -r 387b30d411ef -r a9e95c9c0f4d deb/apache-register-gadict.bash
--- a/deb/apache-register-gadict.bash	Tue Feb 13 21:16:39 2024 +0200
+++ b/deb/apache-register-gadict.bash	Wed May 28 00:24:42 2025 +0300
@@ -41,7 +41,7 @@
 
     SSLCertificateFile /etc/letsencrypt/live/defun.work/fullchain.pem
     SSLCertificateKeyFile /etc/letsencrypt/live/defun.work/privkey.pem
-    Include /etc/letsencrypt/options-ssl-apache.conf
+    Include /srv/www/letsencrypt/apache-ssl-options.conf
   </VirtualHost>
 </IfModule>
 EOF
diff -r 387b30d411ef -r a9e95c9c0f4d deb/apache-register-hg.bash
--- a/deb/apache-register-hg.bash	Tue Feb 13 21:16:39 2024 +0200
+++ b/deb/apache-register-hg.bash	Wed May 28 00:24:42 2025 +0300
@@ -53,6 +53,11 @@
         Require all granted
     </Directory>
 
+    # Discourage bots indexing HG: Python is slow and cause OOM kills...
+    <IfModule mod_headers.c>
+      Header add "X-Robots-Tag" "noindex, nofollow"
+    </IfModule>
+
     ScriptAliasMatch  ^/(.*)  /srv/hg/hgweb.cgi/\$1
 
     <Directory "/srv/hg/">
@@ -68,6 +73,10 @@
     DocumentRoot /srv/hg
     ServerName hg.defun.work
 
+    <IfModule mod_headers.c>
+      Header add "X-Robots-Tag" "noindex, nofollow"
+    </IfModule>
+
     ScriptAliasMatch  ^/(.*)  /srv/hg/hgweb.cgi/\$1
 
     <Directory "/srv/hg/">
@@ -81,4 +90,5 @@
 EOF
 
 a2ensite hg
+a2enmod headers
 service apache2 reload
diff -r 387b30d411ef -r a9e95c9c0f4d deb/apache-register-resume.bash
--- a/deb/apache-register-resume.bash	Tue Feb 13 21:16:39 2024 +0200
+++ b/deb/apache-register-resume.bash	Wed May 28 00:24:42 2025 +0300
@@ -35,7 +35,7 @@
 
     SSLCertificateFile /etc/letsencrypt/live/defun.work/fullchain.pem
     SSLCertificateKeyFile /etc/letsencrypt/live/defun.work/privkey.pem
-    Include /etc/letsencrypt/options-ssl-apache.conf
+    Include /srv/www/letsencrypt/apache-ssl-options.conf
   </VirtualHost>
 </IfModule>
 EOF
diff -r 387b30d411ef -r a9e95c9c0f4d deb/apache-register-stat.bash
--- a/deb/apache-register-stat.bash	Tue Feb 13 21:16:39 2024 +0200
+++ b/deb/apache-register-stat.bash	Wed May 28 00:24:42 2025 +0300
@@ -35,7 +35,7 @@
 
     SSLCertificateFile /etc/letsencrypt/live/defun.work/fullchain.pem
     SSLCertificateKeyFile /etc/letsencrypt/live/defun.work/privkey.pem
-    Include /etc/letsencrypt/options-ssl-apache.conf
+    Include /srv/www/letsencrypt/apache-ssl-options.conf
   </VirtualHost>
 </IfModule>
 EOF
diff -r 387b30d411ef -r a9e95c9c0f4d deb/apache-register-test.bash
--- a/deb/apache-register-test.bash	Tue Feb 13 21:16:39 2024 +0200
+++ b/deb/apache-register-test.bash	Wed May 28 00:24:42 2025 +0300
@@ -35,7 +35,7 @@
 
     SSLCertificateFile /etc/letsencrypt/live/defun.work/fullchain.pem
     SSLCertificateKeyFile /etc/letsencrypt/live/defun.work/privkey.pem
-    Include /etc/letsencrypt/options-ssl-apache.conf
+    Include /srv/www/letsencrypt/apache-ssl-options.conf
   </VirtualHost>
 </IfModule>
 EOF
diff -r 387b30d411ef -r a9e95c9c0f4d deb/apache-register-tips.bash
--- a/deb/apache-register-tips.bash	Tue Feb 13 21:16:39 2024 +0200
+++ b/deb/apache-register-tips.bash	Wed May 28 00:24:42 2025 +0300
@@ -35,7 +35,7 @@
 
     SSLCertificateFile /etc/letsencrypt/live/defun.work/fullchain.pem
     SSLCertificateKeyFile /etc/letsencrypt/live/defun.work/privkey.pem
-    Include /etc/letsencrypt/options-ssl-apache.conf
+    Include /srv/www/letsencrypt/apache-ssl-options.conf
   </VirtualHost>
 </IfModule>
 EOF
diff -r 387b30d411ef -r a9e95c9c0f4d deb/apache-register-welcome.bash
--- a/deb/apache-register-welcome.bash	Tue Feb 13 21:16:39 2024 +0200
+++ b/deb/apache-register-welcome.bash	Wed May 28 00:24:42 2025 +0300
@@ -35,7 +35,7 @@
 
     SSLCertificateFile /etc/letsencrypt/live/defun.work/fullchain.pem
     SSLCertificateKeyFile /etc/letsencrypt/live/defun.work/privkey.pem
-    Include /etc/letsencrypt/options-ssl-apache.conf
+    Include /srv/www/letsencrypt/apache-ssl-options.conf
   </VirtualHost>
 </IfModule>
 EOF