# sudo -s
### ? gpg --no-default-keyring --keyring /usr/share/keyrings/hestia-keyring.gpg --keyserver hkp://185.125.188.26 --recv-keys A189E93654F0B0E5
# gpg --keyring /usr/share/keyrings/hestia-keyring.gpg --keyserver hkp://185.125.188.26 --recv-keys A189E93654F0B0E5
note: hkp:// is unencrypted and A189E93654F0B0E5 is only a 64-bit key ID, so after --recv-keys compare the full fingerprint (gpg --no-default-keyring --keyring /usr/share/keyrings/hestia-keyring.gpg --fingerprint) with the one HestiaCP publishes before relying on this keyring
# wget https://raw.githubusercontent.com/hestiacp/hestiacp/release/install/hst-install.sh
# bash hst-install.sh --lang 'ru' --hostname '$HOSTNAME' --username '$USERNAME' --email '$EMAIL' --password '$PASSWORD' --multiphp '8.2' --postgresql yes --dovecot no --clamav no --spamassassin no
# reboot

# sudo -s
# apt-get install -y memcached php-memcached php8.2-memcached
# usermod -aG sudo $USERNAME
note: $USERNAME is also the account the site's PHP-FPM pool runs as (user = %user% in the template), so sudo membership leaves only that account's password between code execution in the site and root; take it out of the group again once setup is done if it is not needed
# v-change-user-package $USERNAME default
# v-change-user-shell $USERNAME bash
# v-add-database $USERNAME rfclass_pg rfclass_pg $DBPASSWORD pgsql localhost
# v-add-database $USERNAME eis_pg eis_pg $DBPASSWORD pgsql localhost
# v-add-web-domain $USERNAME $DOMAIN $IP-DOMAIN yes www.$DOMAIN

https://manik.me/fixing-sftp-not-working-after-installing-hestiacp/
# find / -name "sftp-server" 2>/dev/null
# mcedit /etc/ssh/sshd_config
find: Subsystem sftp internal-sftp-server
replace: Subsystem sftp /usr/lib/openssh/sftp-server
save file and exit
# systemctl restart ssh

# mkdir /mnt/FOTOSVID && chown admin:admin /mnt/FOTOSVID
# echo "[Unit]
Description=Mount SMB share
After=network.target
Wants=network.target

[Service]
Type=oneshot
ExecStartPre=sleep 15
ExecStart=/bin/mount -t cifs //10.77.1.250/FOTOSVID /mnt/FOTOSVID -o username=fotosvid,password=$PASSWORD,rw,file_mode=0666,dir_mode=0777

[Install]
WantedBy=multi-user.target
" > /etc/systemd/system/mnt-fotosvid.service
note: with the usual root umask the unit file is world-readable and holds the share password in clear text, and the same password appears in the mount command line; mount.cifs also accepts credentials=<file> (a root-only file, mode 0600) in place of password=. file_mode=0666,dir_mode=0777 lets every local account write to the share; uid=/gid= with tighter modes is enough if only the site user needs it
# systemctl daemon-reload
# systemctl enable mnt-fotosvid.service && systemctl start mnt-fotosvid.service

adding hestia template for RFCLASS.RU and EIS.RFCLASS.RU:
# touch /usr/local/hestia/data/templates/web/php-fpm/rfclass_default.tpl
# mcedit /usr/local/hestia/data/templates/web/php-fpm/rfclass_default.tpl
[%backend%]
listen = /run/php/php%backend_version%-fpm-%domain%.sock
listen.owner = %user%
listen.group = www-data
listen.mode = 0660
user = %user%
group = %user%
pm = ondemand
pm.max_children = 8
pm.max_requests = 4000
pm.process_idle_timeout = 10s
pm.status_path = /status
php_admin_value[upload_tmp_dir] = /home/%user%/tmp
php_admin_value[session.save_path] = /home/%user%/tmp
php_admin_value[open_basedir] = /mnt/FOTOSVID:/home/%user%/.composer:/home/%user%/web/%domain%/public_html:/home/%user%/web/%domain%/private:/home/%user%/web/%domain%/public_shtml:/home/%user%/tmp:/tmp:/bin:/usr/bin:/usr/local/bin:/usr/share:/opt
php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f admin@%domain%
env[HOSTNAME] = $HOSTNAME
env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /home/%user%/tmp
env[TMPDIR] = /home/%user%/tmp
env[TEMP] = /home/%user%/tmp
save and exit
# v-change-web-domain-backend-tpl $USERNAME $DOMAIN $TEMPLATE

get password for Postgres
# grep -Eo "PASSWORD='[a-zA-Z0-9]+'" /usr/local/hestia/conf/pgsql.conf | awk -F "PASSWORD=" '{print $2}' | awk -F "'" '{print $2}'

*** relogin as $USERNAME
# cd /home/$USERNAME/web/$DOMAIN/public_html/
# rm /home/$USERNAME/web/$DOMAIN/public_html/index.html
# rm /home/$USERNAME/web/$DOMAIN/public_html/robots.txt
# git clone https://git.kosenka.ru/kosenka/$DOMAIN.git .
# php composer.phar install
# touch /home/$USERNAME/web/$DOMAIN/public_html/config/params-local.php
# touch /home/$USERNAME/web/$DOMAIN/public_html/config/dbEIS.php
[start of the file contents lost in extraction — presumably the PHP open tag and everything up to "'class' =>"]
Connection::class,
'dsn' => 'pgsql:host=localhost;dbname=$DB_NAME',
'username' => '$DB_USER',
'password' => '$DB_PASSWORD',
'schemaMap' => [
    'pgsql' => [
        'class' => Schema::class,
        'defaultSchema' => 'public', //specify your schema here, public is the default schema
    ],
],
// Schema cache options (for production environment)
'enableSchemaCache' => !YII_DEBUG,
'schemaCacheDuration' => 3600,
'schemaCache' => 'cache',
'enableQueryCache' => true,
'queryCacheDuration' => 3600,
];
# touch /home/$USERNAME/web/$DOMAIN/public_html/config/dbPG.php
[start of the file contents lost in extraction — presumably the PHP open tag and everything up to "'class' =>"]
Connection::class,
'dsn' => 'pgsql:host=localhost;dbname=$DB_NAME',
'username' => '$DB_USER',
'password' => '$DB_PASSWORD',
'schemaMap' => [
    'pgsql' => [
        'class' => Schema::class,
        'defaultSchema' => 'public', //specify your schema here, public is the default schema
    ],
],
// Schema cache options (for production environment)
'enableSchemaCache' => !YII_DEBUG,
'schemaCacheDuration' => 3600,
'schemaCache' => 'cache',
'enableQueryCache' => true,
'queryCacheDuration' => 3600,
];
note: both files hold the database password in clear text; touch creates them with the default umask, so tighten them to the site user only (chmod 600) and keep them out of the git repository

# sudo su -
# v-change-web-domain-docroot $USERNAME $DOMAIN $DOMAIN web
# touch /home/admin/conf/web/$DOMAIN/nginx.ssl.conf_my
# mcedit /home/admin/conf/web/$DOMAIN/nginx.ssl.conf_my
location ~* ^.+\.(odt|pdf|doc|docx|xls|xlsx|ppt|pptx)$ {
    proxy_pass https://$IP_ADDRESS:8443;
    add_header Last-Modified "";
    add_header Cache-Control 'no-store, no-cache';
    if_modified_since off;
    expires off;
    etag off;
    try_files $uri @fallback;
}
note: nginx inherits add_header from the enclosing level only when the location sets none of its own, so replies from the location above (it has its own add_header lines) go out without the headers below unless they are repeated inside it
add_header X-Frame-Options SAMEORIGIN;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
add_header X-Content-Type-Options nosniff;
add_header Referrer-Policy "no-referrer-when-downgrade";
add_header X-XSS-Protection "1; mode=block";
add_header Permissions-Policy "geolocation=(),midi=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=*,payment=()";
add_header Content-Security-Policy "upgrade-insecure-requests";
save and exit
# exit