diff --git a/deployment/bare_metal/.env.dist b/deployment/bare_metal/.env.dist
index 1335e06a5..9abc739fb 100644
--- a/deployment/bare_metal/.env.dist
+++ b/deployment/bare_metal/.env.dist
@@ -1,45 +1,25 @@
-GRADIDO_LOG_PATH=/home/gradido/gradido/deployment/bare_metal/log
-
-# start script
-DEPLOY_SEED_DATA=false
-
-# nginx
-NGINX_REWRITE_LEGACY_URLS=true
-NGINX_SSL=true
-NGINX_SERVER_NAME=stage1.gradido.net
-NGINX_SSL_CERTIFICATE=/etc/letsencrypt/live/stage1.gradido.net/fullchain.pem
-NGINX_SSL_CERTIFICATE_KEY=/etc/letsencrypt/live/stage1.gradido.net/privkey.pem
-NGINX_SSL_DHPARAM=/etc/letsencrypt/ssl-dhparams.pem
-NGINX_SSL_INCLUDE=/etc/letsencrypt/options-ssl-nginx.conf
-NGINX_UPDATE_PAGE_ROOT=/home/gradido/gradido/deployment/bare_metal/nginx/update-page
-
-# webhook
-WEBHOOK_GITHUB_SECRET=secret
-WEBHOOK_GITHUB_BRANCH=master
-
-# community
-COMMUNITY_NAME="Gradido Development Stage1"
-COMMUNITY_URL=https://stage1.gradido.net/
-COMMUNITY_REGISTER_URL=https://stage1.gradido.net/register
-COMMUNITY_REDEEM_URL=https://stage1.gradido.net/redeem/{code}
-COMMUNITY_REDEEM_CONTRIBUTION_URL=https://stage1.gradido.net/redeem/CL-{code}
-COMMUNITY_DESCRIPTION="Gradido Development Stage1 Test Community"
+# Need to adjust!
+COMMUNITY_NAME="Your community name"
+COMMUNITY_DESCRIPTION="Short Description from your Community."
+COMMUNITY_URL=gddhost.tld
COMMUNITY_SUPPORT_MAIL=support@supportmail.com
-# backend
+# Need to adjust by updates
+# config versions
+DATABASE_CONFIG_VERSION=v1.2022-03-18
BACKEND_CONFIG_VERSION=v17.2023-07-03
+FRONTEND_CONFIG_VERSION=v4.2022-12-20
+ADMIN_CONFIG_VERSION=v1.2022-03-18
+FEDERATION_CONFIG_VERSION=v1.2023-01-09
+FEDERATION_DHT_CONFIG_VERSION=v3.2023-04-26
-JWT_EXPIRES_IN=10m
-GDT_API_URL=https://gdt.gradido.net
-
-TYPEORM_LOGGING_RELATIVE_PATH=../deployment/bare_metal/log/typeorm.backend.log
-
-KLICKTIPP=false
-KLICKTIPP_USER=
-KLICKTIPP_PASSWORD=
-KLICKTIPP_APIKEY_DE=
-KLICKTIPP_APIKEY_EN=
+# Need adjustments for test system
+URL_PROTOCOL=https
+# start script
+# only for test server
+DEPLOY_SEED_DATA=false
+# setup email account for sending gradido system messages to users
EMAIL=true
EMAIL_TEST_MODUS=false
EMAIL_TEST_RECEIVER=test_team@gradido.net
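Review bot: `COMMUNITY_URL` changes meaning in this hunk from a full URL (`https://stage1.gradido.net/`) to a bare host (`gddhost.tld`), and the same commit feeds it into `server_name` in `gradido.conf.template`, yet nothing next to the variable says so. An operator who carries over an existing `.env` with the scheme and trailing slash would end up with a `server_name` that never matches the request's Host header. I would add a comment above it such as `# host name only, no scheme or path; also used as nginx server_name`. Links are presumably built from `URL_PROTOCOL` plus this value, so the comment on `URL_PROTOCOL` should say that too once confirmed.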
@@ -47,41 +27,57 @@ EMAIL_USERNAME=peter@lustig.de
EMAIL_SENDER=peter@lustig.de
EMAIL_PASSWORD=1234
EMAIL_SMTP_URL=smtp.lustig.de
-EMAIL_LINK_VERIFICATION=https://stage1.gradido.net/checkEmail/{optin}{code}
-EMAIL_LINK_SETPASSWORD=https://stage1.gradido.net/reset-password/{optin}
-EMAIL_LINK_FORGOTPASSWORD=https://stage1.gradido.net/forgot-password
-EMAIL_LINK_OVERVIEW=https://stage1.gradido.net/overview
EMAIL_CODE_VALID_TIME=1440
EMAIL_CODE_REQUEST_TIME=10
-WEBHOOK_ELOPAGE_SECRET=secret
+# Logging
+GRADIDO_LOG_PATH=/home/gradido/gradido/deployment/bare_metal/log
+TYPEORM_LOGGING_RELATIVE_PATH=/home/gradido/gradido/deployment/bare_metal/log/typeorm.backend.log
+
+# webhook
+WEBHOOK_GITHUB_SECRET=secret
+WEBHOOK_GITHUB_BRANCH=master
+
+# frontend and admin paths, usually don't need changes
+# used in nginx config and for links in emails
+WALLET_PATH=/login
+COMMUNITY_REGISTER_PATH=/register
+COMMUNITY_REDEEM_PATH=/redeem/{code}
+COMMUNITY_REDEEM_CONTRIBUTION_PATH=/redeem/CL-{code}
+WALLET_AUTH_PATH=/authenticate?token={token}
+EMAIL_LINK_VERIFICATION=/checkEmail/{optin}{code}
+EMAIL_LINK_SETPASSWORD=/reset-password/{optin}
+EMAIL_LINK_FORGOTPASSWORD=/forgot-password
+EMAIL_LINK_OVERVIEW=/overview
+ADMIN_AUTH_PATH=/admin/authenticate?token={token}
+GRAPHQL_PATH=/graphql
+
+# login expire time
+JWT_EXPIRES_IN=10m
# Federation
-FEDERATION_DHT_CONFIG_VERSION=v3.2023-04-26
# if you set the value of FEDERATION_DHT_TOPIC, the DHT hyperswarm will start to announce and listen
# on an hash created from this topic
# FEDERATION_DHT_TOPIC=GRADIDO_HUB
# FEDERATION_DHT_SEED=64ebcb0e3ad547848fef4197c6e2332f
-FEDERATION_COMMUNITY_URL=http://stage1.gradido.net
# the api port is the baseport, which will be added with the api-version, e.g. 1_0 = 5010
FEDERATION_COMMUNITY_API_PORT=5000
-FEDERATION_CONFIG_VERSION=v1.2023-01-09
# comma separated list of api-versions, which cause starting several federation modules
FEDERATION_COMMUNITY_APIS=1_0,1_1
-# database
-DATABASE_CONFIG_VERSION=v1.2022-03-18
+# externe gradido services (more added in future)
+GDT_API_URL=https://gdt.gradido.net
-# frontend
-FRONTEND_CONFIG_VERSION=v4.2022-12-20
+# used for combining a newsletter on klicktipp with this gradido community
+# if used, user will be subscribed on register and can unsubscribe in his account
+KLICKTIPP=false
+KLICKTIPP_USER=
+KLICKTIPP_PASSWORD=
+KLICKTIPP_APIKEY_DE=
+KLICKTIPP_APIKEY_EN=
-GRAPHQL_URI=https://stage1.gradido.net/graphql
-ADMIN_AUTH_URL=https://stage1.gradido.net/admin/authenticate?token={token}
-
-DEFAULT_PUBLISHER_ID=2896
-
-META_URL=http://localhost
+# Meta data in frontend pages, important when shared via facebook or twitter or for search engines
META_TITLE_DE="Gradido – Dein Dankbarkeitskonto"
META_TITLE_EN="Gradido - Your gratitude account"
META_DESCRIPTION_DE="Dankbarkeit ist die Währung der neuen Zeit. Immer mehr Menschen entfalten ihr Potenzial und gestalten eine gute Zukunft für alle."
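Review bot: `WEBHOOK_GITHUB_SECRET=secret` is re-added under a plain `# webhook` heading, outside the `# Need to adjust!` block at the top of the file, so an operator who edits only the flagged section deploys with a guessable webhook secret; `WEBHOOK_ELOPAGE_SECRET=secret` in the last hunk (under `# LEGACY`) has the same problem. The SSL template removed in this commit proxied `/hooks/` to the webhook listener, so if the remaining template does the same, the endpoint is reachable from outside and the secret is presumably its only protection. Move both secrets into the `# Need to adjust!` block and ship them empty or with a comment such as `# set to a long random value; never keep the placeholder`. Separately, `TYPEORM_LOGGING_RELATIVE_PATH` now holds an absolute path, which is worth confirming against how the backend resolves it.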
@@ -90,8 +86,11 @@ META_KEYWORDS_DE="Grundeinkommen, Währung, Dankbarkeit, Schenk-Ökonomie, Natü
META_KEYWORDS_EN="Basic Income, Currency, Gratitude, Gift Economy, Natural Economy of Life, Economy, Ecology, Potential Development, Giving and Thanking, Cycle of Life, Monetary System"
META_AUTHOR="Bernd Hückstädt - Gradido-Akademie"
-# admin
-ADMIN_CONFIG_VERSION=v1.2022-03-18
+# update page shown while updating gradido
+# page will be fed with status changes
+NGINX_UPDATE_PAGE_ROOT=/home/gradido/gradido/deployment/bare_metal/nginx/update-page
-WALLET_AUTH_URL=https://stage1.gradido.net/authenticate?token={token}
-WALLET_URL=https://stage1.gradido.net/login
+# LEGACY
+NGINX_REWRITE_LEGACY_URLS=false
+DEFAULT_PUBLISHER_ID=2896
+WEBHOOK_ELOPAGE_SECRET=secret
\ No newline at end of file
diff --git a/deployment/bare_metal/doc/server.drawio b/deployment/bare_metal/doc/server.drawio
new file mode 100644
index 000000000..e65220821
--- /dev/null
+++ b/deployment/bare_metal/doc/server.drawio
@@ -0,0 +1,118 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/deployment/bare_metal/nginx/sites-available/gradido.conf.ssl.template b/deployment/bare_metal/nginx/sites-available/gradido.conf.ssl.template
deleted file mode 100644
index a99327745..000000000
--- a/deployment/bare_metal/nginx/sites-available/gradido.conf.ssl.template
+++ /dev/null
@@ -1,128 +0,0 @@
-server {
- if ($host = $NGINX_SERVER_NAME) {
- return 301 https://$host$request_uri;
- }
-
- server_name $NGINX_SERVER_NAME;
- listen 80;
- listen [::]:80;
- return 404;
-}
-
-server {
- server_name $NGINX_SERVER_NAME;
-
- listen [::]:443 ssl ipv6only=on;
- listen 443 ssl;
- ssl_certificate $NGINX_SSL_CERTIFICATE;
- ssl_certificate_key $NGINX_SSL_CERTIFICATE_KEY;
- include $NGINX_SSL_INCLUDE;
- ssl_dhparam $NGINX_SSL_DHPARAM;
-
- include /etc/nginx/common/protect.conf;
- include /etc/nginx/common/protect_add_header.conf;
-
- #gzip_static on;
- gzip on;
- gzip_proxied any;
- gzip_types
- text/css
- text/javascript
- text/xml
- text/plain
- application/javascript
- application/x-javascript
- application/json;
-
- # Legacy URLS
- set $REWRITE_LEGACY_URLS "$NGINX_REWRITE_LEGACY_URLS";
- if ($REWRITE_LEGACY_URLS = 'true') {
- rewrite ^/vue/?(.*)$ /$1 permanent;
- }
-
- # Frontend (default)
- location / {
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection 'upgrade';
- proxy_set_header X-Forwarded-For $remote_addr;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header Host $host;
-
- proxy_pass http://127.0.0.1:3000;
- proxy_redirect off;
-
- access_log $GRADIDO_LOG_PATH/nginx-access.frontend.log gradido_log;
- error_log $GRADIDO_LOG_PATH/nginx-error.frontend.log warn;
- }
-
- # Backend
- location /graphql {
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection 'upgrade';
- proxy_set_header X-Forwarded-For $remote_addr;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header Host $host;
-
- proxy_pass http://127.0.0.1:4000;
- proxy_redirect off;
-
- access_log $GRADIDO_LOG_PATH/nginx-access.backend.log gradido_log;
- error_log $GRADIDO_LOG_PATH/nginx-error.backend.log warn;
- }
-
- # Backend webhooks
- location /hook {
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection 'upgrade';
- proxy_set_header X-Forwarded-For $remote_addr;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header Host $host;
-
- proxy_pass http://127.0.0.1:4000/hook;
- proxy_redirect off;
-
- access_log $GRADIDO_LOG_PATH/nginx-access.backend.hook.log gradido_log;
- error_log $GRADIDO_LOG_PATH/nginx-error.backend.hook.log warn;
- }
-
- # Webhook reverse proxy
- location /hooks/ {
- proxy_pass http://127.0.0.1:9000/hooks/;
-
- access_log $GRADIDO_LOG_PATH/nginx-access.hooks.log gradido_log;
- error_log $GRADIDO_LOG_PATH/nginx-error.hooks.log warn;
- }
-
- # Admin Frontend
- location /admin {
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection 'upgrade';
- proxy_set_header X-Forwarded-For $remote_addr;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header Host $host;
-
- proxy_pass http://127.0.0.1:8080/;
- proxy_redirect off;
-
- access_log $GRADIDO_LOG_PATH/nginx-access.admin.log gradido_log;
- error_log $GRADIDO_LOG_PATH/nginx-error.admin.log warn;
- }
-
- # Federation
- $FEDERATION_NGINX_CONF
-
- # TODO this could be a performance optimization
- #location /vue {
- # alias /var/www/html/gradido/frontend/build;
- # index index.html;
- #
- # location ~* \.(png)$ {
- # expires 39d;
- # }
- # try_files $uri $uri/ /index.html = 404;
- #}
-}
\ No newline at end of file
diff --git a/deployment/bare_metal/nginx/sites-available/gradido.conf.template b/deployment/bare_metal/nginx/sites-available/gradido.conf.template
index f6149a818..1b4732d7c 100644
--- a/deployment/bare_metal/nginx/sites-available/gradido.conf.template
+++ b/deployment/bare_metal/nginx/sites-available/gradido.conf.template
@@ -1,5 +1,5 @@
server {
- server_name $NGINX_SERVER_NAME;
+ server_name $COMMUNITY_URL;
listen 80;
listen [::]:80;
diff --git a/deployment/bare_metal/nginx/sites-available/update-page.conf.ssl.template b/deployment/bare_metal/nginx/sites-available/update-page.conf.ssl.template
deleted file mode 100644
index ddcb9ffc1..000000000
--- a/deployment/bare_metal/nginx/sites-available/update-page.conf.ssl.template
+++ /dev/null
@@ -1,37 +0,0 @@
-
-server {
- if ($host = $NGINX_SERVER_NAME) {
- return 301 https://$host$request_uri;
- }
-
- server_name $NGINX_SERVER_NAME;
- listen 80;
- listen [::]:80;
- return 404;
-}
-server {
- server_name $NGINX_SERVER_NAME;
-
- listen [::]:443 ssl ipv6only=on;
- listen 443 ssl;
- ssl_certificate $NGINX_SSL_CERTIFICATE;
- ssl_certificate_key $NGINX_SSL_CERTIFICATE_KEY;
- include $NGINX_SSL_INCLUDE;
- ssl_dhparam $NGINX_SSL_DHPARAM;
-
- include /etc/nginx/common/protect.conf;
- include /etc/nginx/common/protect_add_header.conf;
-
- gzip on;
-
- root $NGINX_UPDATE_PAGE_ROOT;
- index updating.html;
-
- location / {
- try_files /updating.html =404;
- }
-
- access_log $GRADIDO_LOG_PATH/nginx-access.update-page.log gradido_log;
- error_log $GRADIDO_LOG_PATH/nginx-error.update-page.log warn;
-}
-
diff --git a/deployment/bare_metal/start.sh b/deployment/bare_metal/start.sh
index 5d5744bd6..bc923c6fa 100755
--- a/deployment/bare_metal/start.sh
+++ b/deployment/bare_metal/start.sh
@@ -100,8 +100,8 @@ export FEDERATION_NGINX_CONF=$(< $NGINX_CONFIG_DIR/gradido-federation.conf.locat
# *** 3rd generate gradido nginx config including federation modules per api-version
echo 'Generate new gradido nginx config' >> $UPDATE_HTML
-case "$NGINX_SSL" in
- true) TEMPLATE_FILE="gradido.conf.ssl.template" ;;
+case "$URL_PROTOCOL" in
+ 'https') TEMPLATE_FILE="gradido.conf.ssl.template" ;;
*) TEMPLATE_FILE="gradido.conf.template" ;;
esac
envsubst '$FEDERATION_NGINX_CONF' < $NGINX_CONFIG_DIR/$TEMPLATE_FILE > $NGINX_CONFIG_DIR/gradido.conf.tmp
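Review bot: With `URL_PROTOCOL=https` (the new default in `.env.dist`) the `'https')` arm still selects `gradido.conf.ssl.template`, and the next hunk selects `update-page.conf.ssl.template`, but this same commit deletes both files. Unless something outside the diff recreates them, the `envsubst` input redirection fails and no usable nginx config is produced, and no check for that is visible in either hunk. If certbot's nginx plugin is meant to add the TLS server block afterwards, both arms should point at the plain template; otherwise the SSL templates need to stay. Either way I would guard the step with `[ -f "$NGINX_CONFIG_DIR/$TEMPLATE_FILE" ] || exit 1` and quote the path in the redirection. The script begins and continues outside these hunks.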
@@ -112,8 +112,8 @@ rm $NGINX_CONFIG_DIR/gradido-federation.conf.locations
# Generate update-page.conf from template
echo 'Generate new update-page nginx config' >> $UPDATE_HTML
-case "$NGINX_SSL" in
- true) TEMPLATE_FILE="update-page.conf.ssl.template" ;;
+case "$URL_PROTOCOL" in
+ 'https') TEMPLATE_FILE="update-page.conf.ssl.template" ;;
*) TEMPLATE_FILE="update-page.conf.template" ;;
esac
envsubst "$(env | sed -e 's/=.*//' -e 's/^/\$/g')" < $NGINX_CONFIG_DIR/$TEMPLATE_FILE > $NGINX_CONFIG_DIR/update-page.conf
diff --git a/deployment/hetzner_cloud/README.md b/deployment/hetzner_cloud/README.md
new file mode 100644
index 000000000..01df8663d
--- /dev/null
+++ b/deployment/hetzner_cloud/README.md
@@ -0,0 +1,82 @@
+# Setup on Hetzner Cloud Server
+Suggested minimal Plan: CX41
+4x vCPU, 16 GB Ram, 160 GB Disk Space, 20.71 € per month (04.01.2024)
+
+Suggested OS:
+Debian 12
+
+For Hetzner Cloud Server a cloud config can be attached, which will be run before first start
+https://community.hetzner.com/tutorials/basic-cloud-config/de
+https://cloudinit.readthedocs.io/en/latest/reference/examples.html
+You can use our [cloudConfig.yaml](./cloudConfig.yaml) but you must insert you own ssh public key,
+like this:
+```yaml
+ssh_authorized_keys:
+ - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAkLGbzbG7KIGfkssKJBkc/0EVAzQ/8vjvVHzNdxhK8J yourname
+```
+
+## After Setup Cloud Server with cloudConfig.yaml
+### setup your domain pointing on server ip address
+### login to your new server as root
+```bash
+ssh -i /path/to/privKey root@gddhost.tld
+```
+
+### Change default shell
+
+```bash
+chsh -s /bin/bash
+chsh -s /bin/bash gradido
+```
+
+### Set password for user `gradido`
+
+```bash
+$ passwd gradido
+# enter new password twice
+```
+
+### Switch to the new user
+
+```bash
+su gradido
+```
+
+### Test authentication via SSH
+
+If you logout from the server you can test authentication:
+
+```bash
+$ ssh -i /path/to/privKey gradido@gddhost.tld
+# This should log you in and allow you to use sudo commands, which will require the user's password
+```
+
+### Disable password root login via ssh
+
+```bash
+sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.org
+sudo sed -i -e '/^\(#\|\)PermitRootLogin/s/^.*$/PermitRootLogin no/' /etc/ssh/sshd_config
+sudo sed -i '$a AllowUsers gradido' /etc/ssh/sshd_config
+sudo /etc/init.d/ssh restart
+```
+
+### Test SSH Access only, no root ssh access
+
+```bash
+$ ssh gradido@gddhost.tld
+# Will result in in either a passphrase request for your key or the message 'Permission denied (publickey)'
+$ ssh -i /path/to/privKey root@gddhost.tld
+# Will result in 'Permission denied (publickey)'
+$ ssh -i /path/to/privKey gradido@gddhost.tld
+# Will succeed after entering the correct keys passphrase (if any)
+```
+
+### Install `Gradido` code
+```bash
+cd ~
+git clone https://github.com/gradido/gradido.git
+```
+### Edit Config
+```bash
+cd ~/gradido/deployment
+cp ./bare_metal/.env.dist ./hetzner_cloud/.env
\ No newline at end of file
diff --git a/deployment/hetzner_cloud/cloudConfig.yaml b/deployment/hetzner_cloud/cloudConfig.yaml
new file mode 100644
index 000000000..86e7d5724
--- /dev/null
+++ b/deployment/hetzner_cloud/cloudConfig.yaml
@@ -0,0 +1,46 @@
+#cloud-config
+users:
+ - name: gradido
+ groups: users, admin, sudo
+ sudo: ALL=(ALL) NOPASSWD:/etc/init.d/nginx start,/etc/init.d/nginx stop,/etc/init.d/nginx restart
+ shell: /bin/bash
+ ssh_authorized_keys:
+ -
+
+packages:
+ - fail2ban
+ - ufw
+ - git
+ - mariadb-server
+ - nginx
+ - curl
+ - build-essential
+ - gnupg
+ - certbot
+ - python3-certbot-nginx
+ - logrotate
+ - automysqlbackup
+ - expect
+package_update: true
+package_upgrade: true
+
+runcmd:
+- printf "[sshd]\nenabled = true\nbanaction = iptables-multiport" > /etc/fail2ban/jail.local
+- systemctl enable fail2ban
+
+- ufw allow OpenSSH
+- ufw allow http
+- ufw allow https
+- ufw enable
+
+- sed -i -e '/^\(#\|\)PasswordAuthentication/s/^.*$/PasswordAuthentication no/' /etc/ssh/sshd_config
+- sed -i -e '/^\(#\|\)KbdInteractiveAuthentication/s/^.*$/KbdInteractiveAuthentication no/' /etc/ssh/sshd_config
+- sed -i -e '/^\(#\|\)ChallengeResponseAuthentication/s/^.*$/ChallengeResponseAuthentication no/' /etc/ssh/sshd_config
+- sed -i -e '/^\(#\|\)MaxAuthTries/s/^.*$/MaxAuthTries 3/' /etc/ssh/sshd_config
+- sed -i -e '/^\(#\|\)AllowTcpForwarding/s/^.*$/AllowTcpForwarding no/' /etc/ssh/sshd_config
+- sed -i -e '/^\(#\|\)X11Forwarding/s/^.*$/X11Forwarding no/' /etc/ssh/sshd_config
+- sed -i -e '/^\(#\|\)AllowAgentForwarding/s/^.*$/AllowAgentForwarding no/' /etc/ssh/sshd_config
+- sed -i -e '/^\(#\|\)AuthorizedKeysFile/s/^.*$/AuthorizedKeysFile .ssh\/authorized_keys/' /etc/ssh/sshd_config
+- sed -i '$a AllowUsers gradido root' /etc/ssh/sshd_config
+
+- reboot
\ No newline at end of file
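Review bot: The sshd hardening in `runcmd` edits `/etc/ssh/sshd_config` with `sed`, which only rewrites lines that already exist and can be overridden: sshd keeps the first value it reads, and where the main file includes `/etc/ssh/sshd_config.d/*.conf` near the top (Debian's default layout, as far as I know), a drop-in written by the image or by cloud-init that sets `PasswordAuthentication` wins over the edited line. A directive that is absent from the stock file, commented or not, is silently skipped as well. I would write the settings to a drop-in that sorts first and keep the reboot as it is; the file name below is only an example. Also note that `ssh_authorized_keys` ships with an empty list item, so a user who forgets to fill it in gets a `gradido` account with no key while password logins are disabled.

```yaml
write_files:
  # example name; it has to sort before any other file in sshd_config.d
  - path: /etc/ssh/sshd_config.d/00-hardening.conf
    permissions: '0600'
    content: |
      PasswordAuthentication no
      # ChallengeResponseAuthentication is the deprecated alias of this option
      KbdInteractiveAuthentication no
      MaxAuthTries 3
      AllowTcpForwarding no
      X11Forwarding no
      AllowAgentForwarding no
      AuthorizedKeysFile .ssh/authorized_keys
      AllowUsers gradido root

runcmd:
# … unchanged: fail2ban jail and ufw rules …
- reboot
```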
diff --git a/deployment/hetzner_cloud/install.sh b/deployment/hetzner_cloud/install.sh
new file mode 100644
index 000000000..c51a2e60b
--- /dev/null
+++ b/deployment/hetzner_cloud/install.sh
@@ -0,0 +1,60 @@
+#!/bin/bash
+
+# Note: This is needed - since there is Summer-Time included in the default server Setup - UTC is REQUIRED for production data
+timedatectl set-timezone UTC
+timedatectl set-ntp on
+apt purge ntp
+systemctl start systemd-timesyncd
+
+set -o allexport
+SCRIPT_PATH=$(realpath ../bare_metal)
+SCRIPT_DIR=$(dirname $SCRIPT_PATH)
+PROJECT_ROOT=$SCRIPT_DIR/../..
+set +o allexport
+
+# Load .env or .env.dist if not present
+# NOTE: all config values will be in process.env when starting
+# the services and will therefore take precedence over the .env
+if [ -f "./.env" ]; then
+ set -o allexport
+ source ./.env
+ set +o allexport
+else
+ set -o allexport
+ source $SCRIPT_DIR/.env.dist
+ set +o allexport
+fi
+
+# Configure git
+git config pull.ff only
+
+# Secure mysql https://gist.github.com/Mins/4602864
+SECURE_MYSQL=$(expect -c "
+
+set timeout 10
+spawn mysql_secure_installation
+
+expect \"Enter current password for root (enter for none):\"
+send \"\r\"
+
+expect \"Switch to unix_socket authentication:\"
+send \"Y\r\"
+
+expect \"Change the root password?\"
+send \"n\r\"
+
+expect \"Remove anonymous users?\"
+send \"y\r\"
+
+expect \"Disallow root login remotely?\"
+send \"y\r\"
+
+expect \"Remove test database and access to it?\"
+send \"y\r\"
+
+expect \"Reload privilege tables now?\"
+send \"y\r\"
+
+expect eof
+")
+echo "$SECURE_MYSQL"
\ No newline at end of file
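Review bot: `SCRIPT_DIR=$(dirname $SCRIPT_PATH)` resolves to the parent of `bare_metal`, so the fallback `source $SCRIPT_DIR/.env.dist` looks for `deployment/.env.dist` rather than the `deployment/bare_metal/.env.dist` this commit edits, and `PROJECT_ROOT` ends up one level above the repository; both also depend on the caller's working directory because `../bare_metal` is relative. Something like `SCRIPT_PATH=$(realpath "$(dirname "${BASH_SOURCE[0]}")/../bare_metal")` followed by `source "$SCRIPT_PATH/.env.dist"` would pin it. The `expect` block is also unchecked: if a prompt's wording differs from a pattern, `expect` waits out the 10 s timeout and sends the next answer anyway, so `mysql_secure_installation` can finish with answers applied to the wrong questions while the script just echoes the transcript. Adding a `timeout { exit 1 }` arm to each `expect` and testing the exit status would make a failed hardening run visible. `apt purge ntp` likewise needs `-y` to run unattended.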
diff --git a/deployment/hetzner_cloud/mysql_secure.sh b/deployment/hetzner_cloud/mysql_secure.sh
new file mode 100644
index 000000000..2f90c4f4e
--- /dev/null
+++ b/deployment/hetzner_cloud/mysql_secure.sh
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+
+#// Not required in actual script
+MYSQL_ROOT_PASSWORD=abcd1234
+
+SECURE_MYSQL=$(expect -c "
+
+set timeout 10
+spawn mysql_secure_installation
+
+expect \"Enter current password for root (enter for none):\"
+send \"$MYSQL\r\"
+
+expect \"Change the root password?\"
+send \"n\r\"
+
+expect \"Remove anonymous users?\"
+send \"y\r\"
+
+expect \"Disallow root login remotely?\"
+send \"y\r\"
+
+expect \"Remove test database and access to it?\"
+send \"y\r\"
+
+expect \"Reload privilege tables now?\"
+send \"y\r\"
+
+expect eof
+")
+
+echo "$SECURE_MYSQL"
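Review bot: This script hard-codes `MYSQL_ROOT_PASSWORD=abcd1234` and then sends `$MYSQL`, a variable that is never set, so the password prompt gets an empty answer and the constant is dead. If it were wired up, the value would be interpolated into the `expect -c` argument and be readable in the process list. The file looks like a leftover copy of the block that `install.sh` already inlines (it lacks the unix_socket question that version answers). I would drop the file, or at least remove the literal password, require it from the environment with `: "${MYSQL_ROOT_PASSWORD:?}"`, and have expect read it as `$env(MYSQL_ROOT_PASSWORD)` from a single-quoted script.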
diff --git a/nginx/gradido.conf b/nginx/gradido.conf
index 403a2766b..2279d1e4f 100644
--- a/nginx/gradido.conf
+++ b/nginx/gradido.conf
@@ -1,5 +1,5 @@
server {
- server_name $NGINX_SERVER_NAME;
+ server_name _;
listen 80;
listen [::]:80;