diff --git a/DEPLOYMENT_PLUS/gemini-tips.md b/DEPLOYMENT_PLUS/gemini-tips.md new file mode 100644 index 0000000..d126f05 --- /dev/null +++ b/DEPLOYMENT_PLUS/gemini-tips.md 
@@ -0,0 +1,83 @@ +Several options exist for web-based file editors in Go, ranging from simple solutions to more feature-rich applications. Here are a few examples: + +• Simple Text Editor: + • A basic implementation involves using Go's html/template package to serve an HTML form with a textarea for editing. The server can then handle saving the content back to a file. + • This approach provides fundamental editing capabilities but lacks advanced features like syntax highlighting or real-time collaboration. + +• File Browser with Built-in Editor: + • Filebrowser is a web file manager written in Go that includes a built-in code editor with syntax highlighting for various languages. + • It offers functionalities like file management (upload, download, rename, delete), user authentication, and customization options. + +• WebEdit: + • WebEdit is an HTML5-based text editor designed for editing local files on a server. It aims to provide a more responsive editing experience compared to using SSH and command-line editors. + +• Go Playground: + • The Go Playground is a web service that allows users to run Go code in a sandboxed environment. While primarily for running code snippets, it can also be used for basic file editing. + +• GitHub.dev: + • GitHub.dev is a web-based editor that runs entirely in the browser. It allows users to navigate and edit files in GitHub repositories, offering features like syntax highlighting and source control integration. + +These options cater to different needs, from quick edits to comprehensive file management and code editing within a web environment. The choice of editor depends on the specific requirements of the project. + +--- + + +To implement a file editor using Go and HTMX, consider the following approach: + +• Backend (Go): + • File Handling: Implement functions to read, write, and update files on the server. + • Routing: Use a Go web framework (like net/http or chi) to define routes for handling file operations. 
For example: + • GET /edit/(unknown): Retrieve file content for editing. + • POST /save/(unknown): Save updated file content. + + • Templating: Employ Go's html/template package or a templating engine like Templ to render HTML fragments for HTMX responses. + +• Frontend (HTMX and HTML): + • Display File Content: Create an HTML form with a + + +
+ +• Templ vs standard templates: + • Templ offers better type safety, but it introduces extra steps of generating templ files and then compiling the program before checking template changes. [1] + • Standard templates allow to check template changes just by saving the template file and reloading the page. + +[1] https://www.reddit.com/r/htmx/comments/1ams8xi/gohtmx_templ_vs_templates/ diff --git a/DEPLOYMENT_PLUS/hosting-base.md b/DEPLOYMENT_PLUS/hosting-base.md new file mode 100644 index 0000000..cac0463 --- /dev/null +++ b/DEPLOYMENT_PLUS/hosting-base.md 
@@ -0,0 +1,111 @@ +# Base Hosting Setup: Syncthing & Caddy + +This document contains the shared installation and configuration steps for Syncthing and Caddy that are used across multiple hosting scenarios (new setup, final deployment, etc.). + +**See also:** +- **hosting-new.md** — Full, detailed guide for new VPS setup (canonical reference) +- **hosting-final.md** — Quick-start guide with links to full instructions +- **hosting-gemini.md** — Gemini-specific hosting notes + +--- + +## Install Syncthing + +Following: + +```sh +sudo apt update -y && sudo apt upgrade -y && sudo apt autoremove + +sudo apt install gnupg2 curl apt-transport-https -y + +# Follow instructions from: https://apt.syncthing.net +sudo mkdir -p /etc/apt/keyrings +sudo curl -L -o /etc/apt/keyrings/syncthing-archive-keyring.gpg https://syncthing.net/release-key.gpg +# Add the "stable" channel to your APT sources: +echo "deb [signed-by=/etc/apt/keyrings/syncthing-archive-keyring.gpg] https://apt.syncthing.net/ syncthing stable" | sudo tee /etc/apt/sources.list.d/syncthing.list +sudo apt update +sudo apt install syncthing +syncthing --version + +# Warning: consider making a non-root user for the application in a future iteration +sudo systemctl enable syncthing@root.service +sudo systemctl start syncthing@root.service +sudo systemctl status syncthing@root.service + +# Keep SSH, turn on web, and allow ports for Syncthing +sudo ufw allow ssh && sudo ufw allow http && sudo ufw allow https && \ + sudo ufw allow 22000/tcp && sudo ufw allow 22000/udp && sudo ufw allow 21027/udp && sudo ufw enable && sudo ufw status +``` + +**Configure Syncthing (from local laptop):** + +```sh +# Port-Forward the UI to Sync (run on Laptop) +ssh -L 9998:localhost:8384 ubuntu-4gb-hel1-1 +# Copy Laptop Device ID, accept from laptop, then edit the connection to check all three options (introducer, share, etc.), and confirm one more time from laptop +# +``` + +--- + +## Install Caddy + +Following: + +```sh +sudo apt install -y 
debian-keyring debian-archive-keyring apt-transport-https curl +curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg +curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list +sudo apt update +sudo apt install caddy +``` + +--- + +## Configure Caddy + +Following: + +```sh +sudo ufw allow OpenSSH && sudo ufw allow http && sudo ufw allow https && sudo ufw enable && sudo ufw status +# Check that the domain is configured +curl "https://cloudflare-dns.com/dns-query?name=yak-shears.kyleking.me&type=A" \ + -H "accept: application/dns-json" + +tee "Caddyfile" > /dev/null <<'EOF' +{ + email dev.act.kyle@gmail.com # Recommended for Let's Encrypt notifications +} + +yak-shears.kyleking.me { + # 8384 for Syncthing fails because of host check errors as designed + reverse_proxy localhost:8084 { + header_up Host {host} + header_up X-Real-IP {remote_host} + header_up X-Forwarded-For {remote_host} + header_up X-Forwarded-Proto {scheme} + } + header { + # (HSTS): Forces browsers to always use HTTPS. + Strict-Transport-Security "max-age=31536000; includeSubDomains" + # Prevents browsers from MIME-sniffing + X-Content-Type-Options "nosniff" + # Helps prevent clickjacking attacks. + X-Frame-Options "DENY" + # Controls how much referrer information is sent with requests. + Referrer-Policy "same-origin" + # Content-Security-Policy "default-src 'self';" # Customize as needed + } +} +EOF + +# Example reviewing logs: +# sudo journalctl -u caddy --no-pager +``` + +--- + +## See Also + +- Caddy documentation: +- Syncthing documentation: diff --git a/DEPLOYMENT_PLUS/hosting-final.md b/DEPLOYMENT_PLUS/hosting-final.md new file mode 100644 index 0000000..5cbef5a --- /dev/null +++ b/DEPLOYMENT_PLUS/hosting-final.md 
@@ -0,0 +1,69 @@ +# Hosting — Quick-Start Guide + +**This is a quick-start overview. For detailed instructions, see the full guides below.** + +--- + +## Documentation Map + +- **hosting-new.md** — **Canonical full reference guide** with all setup details (Syncthing, Caddy, FileBrowser, Traefik history) +- **hosting-base.md** — Shared installation and configuration for Syncthing and Caddy (referenced by other guides) +- **hosting-final.md** — This quick-start (you are here) +- **hosting-gemini.md** — Gemini-specific hosting notes + +--- + +## Quick Setup Checklist + +### Prerequisites + +Selected VPS for similarity to local usage and Hetzner because of cost and IaC support: +- +- See notes on deployment saved in 1Password for Hetzner +- More SSH Key info: + +### Steps + +1. **Install Syncthing** + Follow the complete instructions in **hosting-base.md** — Install Syncthing section + +2. **Install and Configure Caddy** + Follow the complete instructions in **hosting-base.md** — Install Caddy and Configure Caddy sections + +3. **Set up FileBrowser** (optional, for file management UI) + See **hosting-new.md** — FileBrowser section for details + +4. 
**Additional Configuration Details** + Refer to **hosting-new.md** for: + - IPv6 setup notes + - Hetzner Web Console access via Rescue/Reset + - UFW firewall rules and persistence issues + - FileBrowser systemd service configuration + +--- + +## Common Tasks + +| Task | Location | +|------|----------| +| Syncthing setup | hosting-base.md → Install Syncthing | +| Caddy installation & config | hosting-base.md → Install Caddy | +| FileBrowser setup | hosting-new.md → FileBrowser | +| UFW firewall issues | hosting-new.md → TODO section | +| Full reference | hosting-new.md | + +--- + +## Notes + +- The ufw rules may reset on VPS boot; see hosting-new.md TODO section for workarounds +- For Caddy running as a service: +- Consider using NixOS for reproducible deployments: + +--- + +## Related Docs + +- hosting-gemini.md — Gemini-specific configuration +- hosting-base.md — Shared setup instructions +- hosting-new.md — Full reference guide diff --git a/DEPLOYMENT_PLUS/hosting-gemini.md b/DEPLOYMENT_PLUS/hosting-gemini.md new file mode 100644 index 0000000..804d181 --- /dev/null +++ b/DEPLOYMENT_PLUS/hosting-gemini.md 
@@ -0,0 +1,208 @@ +Okay, here's a step-by-step guide for a peer software engineer on configuring Caddy 2 as a reverse proxy for `localhost:8311` on an Ubuntu VPS with a domain managed by CloudFlare, focusing on security and performance: + +**Assumptions:** + +* You have an Ubuntu VPS with SSH access. +* You have a domain name managed through CloudFlare (e.g., `yourdomain.com`). +* Your application is running on the VPS and accessible at `localhost:8311`. +* You have basic familiarity with the Linux command line. + +**Step 1: Install Caddy 2 on your Ubuntu VPS** + +Caddy is known for its ease of use and automatic TLS certificate management. We'll install it using the official methods. + +1. **SSH into your Ubuntu VPS:** + ```bash + ssh your_username@your_vps_ip_address + ``` + +2. **Install Caddy using the official repository:** + + First, download and verify the GPG key: + ```bash + sudo apt update + sudo apt install -y debian-keyring + + # Download the GPG key using TLS 1.2+ (enforced with --tlsv1.2) + curl --tlsv1.2 -sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' -o /tmp/caddy-gpg.key + + # Verify the GPG key fingerprint + # Check the official Caddy repository for the expected fingerprint at: + # https://github.com/caddyserver/caddy/releases or https://caddyserver.com/docs/install + gpg --with-colons < /tmp/caddy-gpg.key | grep fpr | cut -d: -f10 + + # Compare the output fingerprint above with Caddy's official GPG key fingerprint. + # Only proceed if the fingerprint matches the official Caddy release. + # Once verified, import the key: + cat /tmp/caddy-gpg.key | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg + rm /tmp/caddy-gpg.key + ``` + + Then add the repository and install: + ```bash + # Download sources list using TLS 1.2+ + curl --tlsv1.2 -sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.sources + + sudo apt update + sudo apt install caddy + ``` + +3. 
**Verify the installation:** + ```bash + caddy version + ``` + You should see the installed Caddy version. + +**Step 2: Configure Caddy for Reverse Proxying** + +Caddy's configuration is done through a file called `Caddyfile`. We'll create and configure this file. + +1. **Create the `Caddyfile`:** + ```bash + sudo nano /etc/caddy/Caddyfile + ``` + +2. **Add the following configuration to the `Caddyfile`, replacing `yourdomain.com` with your actual domain:** + + ```caddyfile + { + email your_email@example.com # Recommended for Let's Encrypt notifications + } + + yourdomain.com { + reverse_proxy localhost:8311 { + header_up Host {host} + header_up X-Real-IP {remote_host} + header_up X-Forwarded-For {remote_host} + header_up X-Forwarded-Proto {scheme} + } + } + ``` + + **Explanation of the configuration:** + + * `{ email your_email@example.com }`: This is optional but highly recommended. Caddy uses this email to register with Let's Encrypt for TLS certificates and will send notifications about certificate renewals. Replace `your_email@example.com` with your actual email address. + * `yourdomain.com { ... }`: This block defines the configuration for your domain. Caddy will automatically handle TLS for this domain because it's a recognized public domain. + * `reverse_proxy localhost:8311 { ... }`: This directive tells Caddy to forward incoming requests for `yourdomain.com` to your application running on `localhost:8311`. + * `header_up Host {host}`: Passes the original Host header from the client to your backend application. This is often necessary for applications that rely on the Host header. + * `header_up X-Real-IP {remote_host}`: Passes the client's real IP address. + * `header_up X-Forwarded-For {remote_host}`: Appends the client's IP address to the `X-Forwarded-For` header, which might already contain proxy IPs. + * `header_up X-Forwarded-Proto {scheme}`: Indicates whether the original request was made over HTTP or HTTPS. + +3. 
**Save and close the `Caddyfile`:** Press `Ctrl+X`, then `Y`, then `Enter`. + +**Step 3: Ensure Caddy Service is Running and Enabled** + +Caddy should be configured to run as a service so it starts automatically on boot. + +1. **Start the Caddy service:** + ```bash + sudo systemctl start caddy + ``` + +2. **Check the status of the Caddy service:** + ```bash + sudo systemctl status caddy + ``` + You should see that the service is active and running. If there are errors, check the Caddy logs using `sudo journalctl -u caddy --no-pager`. + +3. **Enable the Caddy service to start on boot:** + ```bash + sudo systemctl enable caddy + ``` + +**Step 4: Configure CloudFlare DNS** + +To ensure traffic is routed to your VPS, you need to configure the DNS records in CloudFlare. + +1. **Log in to your CloudFlare account.** +2. **Select your domain (e.g., `yourdomain.com`).** +3. **Go to the "DNS" section.** +4. **Ensure you have an A record (or AAAA record for IPv6) pointing your domain (or the subdomain you want to use) to the public IP address of your Ubuntu VPS.** + + * **For the root domain (`yourdomain.com`):** + * Type: `A` + * Name: `@` or leave it blank + * Value: Your VPS public IP address + * TTL: Automatic or your preference + * **Important: Ensure the "Proxy status" (the cloud icon) is set to "Proxied" (orange cloud).** This is crucial for CloudFlare to handle the TLS termination and provide its security benefits. + + * **For a subdomain (e.g., `app.yourdomain.com`):** + * Type: `A` + * Name: `app` + * Value: Your VPS public IP address + * TTL: Automatic or your preference + * **Important: Ensure the "Proxy status" (the cloud icon) is set to "Proxied" (orange cloud).** + +**Step 5: Verify the Setup** + +1. **Access your domain in your web browser (e.g., `https://yourdomain.com`).** +2. **You should see your application running.** +3. **Verify that the connection is secure (HTTPS).** You should see a padlock icon in your browser's address bar. 
This indicates that Caddy automatically obtained and is serving a TLS certificate. + +**Security Considerations:** + +* **GPG Key Verification:** When installing Caddy from a repository, always verify the GPG key fingerprint against Caddy's official sources (GitHub releases or caddyserver.com) before importing. This protects against man-in-the-middle attacks and ensures you're using an authentic key. + +* **Enforced TLS Versions:** The installation commands use `--tlsv1.2` to enforce TLS 1.2 or higher, preventing connections with deprecated and insecure TLS versions (like TLS 1.0 and 1.1). This ensures secure downloads of the GPG key and repository metadata. + +* **CloudFlare Proxy:** By using CloudFlare's proxy, you benefit from: + * **DDoS protection:** CloudFlare helps mitigate distributed denial-of-service attacks. + * **Basic firewall rules:** CloudFlare offers options to block malicious traffic. + * **TLS termination at the edge:** This can improve performance for users geographically distant from your server. + * **Hiding your origin server's IP address:** This makes it harder for attackers to target your VPS directly. +* **Caddy's Automatic TLS:** Caddy automatically obtains and renews TLS certificates from Let's Encrypt, ensuring your connection is always secure without manual intervention. +* **Secure Headers (Optional but Recommended):** You can add security headers to your Caddyfile for enhanced security: + + ```caddyfile + yourdomain.com { + reverse_proxy localhost:8311 { + header_up Host {host} + header_up X-Real-IP {remote_host} + header_up X-Forwarded-For {remote_host} + header_up X-Forwarded-Proto {scheme} + } + + header { + Strict-Transport-Security "max-age=31536000; includeSubDomains" + X-Content-Type-Options "nosniff" + X-Frame-Options "DENY" + Referrer-Policy "same-origin" + # Content-Security-Policy "default-src 'self';" # Customize as needed + } + } + ``` + + * `Strict-Transport-Security` (HSTS): Forces browsers to always use HTTPS. 
+ * `X-Content-Type-Options`: Prevents browsers from MIME-sniffing. + * `X-Frame-Options`: Helps prevent clickjacking attacks. + * `Referrer-Policy`: Controls how much referrer information is sent with requests. + * `Content-Security-Policy` (CSP): A powerful header to control resources the browser is allowed to load. **Customize this based on your application's needs.** + +* **Firewall on the VPS:** Ensure your VPS firewall (like `ufw`) is configured to only allow necessary inbound traffic (e.g., SSH, HTTP, HTTPS). Caddy will handle the HTTPS traffic on port 443. + ```bash + sudo ufw allow OpenSSH + sudo ufw allow http + sudo ufw allow https + sudo ufw enable + sudo ufw status + ``` +* **Regular Updates:** Keep your Ubuntu system and Caddy package updated to patch security vulnerabilities. + +**Performance Considerations:** + +* **CloudFlare CDN (Optional):** If your application serves static assets, consider enabling CloudFlare's Content Delivery Network (CDN) to cache these assets closer to your users, improving load times. This is usually enabled by default when the proxy is active. +* **Keep-Alive Connections:** Caddy and most modern browsers use keep-alive connections (HTTP persistent connections) by default, which reduces the overhead of establishing new connections for each request. +* **Gzip Compression:** Ensure your backend application is configured to use gzip or Brotli compression for responses. Caddy can also handle compression, but it's generally recommended to do it at the application level if possible. +* **HTTP/2 and HTTP/3:** Caddy automatically supports HTTP/2 and HTTP/3, which can improve performance by allowing multiple requests over a single connection and reducing latency. CloudFlare also supports these protocols. +* **Resource Limits:** Monitor the resource usage of your VPS to ensure it can handle the traffic. 
+ +**Troubleshooting:** + +* **Check Caddy Logs:** If you encounter issues, the Caddy logs are your first place to look: `sudo journalctl -u caddy --no-pager`. +* **Verify DNS Propagation:** It might take some time for DNS changes in CloudFlare to propagate. You can use online tools to check DNS records. +* **CloudFlare SSL/TLS Settings:** Review the SSL/TLS settings in your CloudFlare dashboard to ensure they are compatible with Caddy (e.g., "Full" or "Full (strict)" mode is usually recommended). +* **Firewall Issues:** Double-check your VPS firewall rules to ensure they are not blocking traffic to Caddy. +* **Application Errors:** If you can access Caddy but not your application, check your application logs for errors. + +This comprehensive guide should help you configure Caddy 2 as a secure and performant reverse proxy for your application on your Ubuntu VPS with a domain managed by CloudFlare. Remember to adapt the configurations to your specific needs and always prioritize security best practices. diff --git a/DEPLOYMENT_PLUS/hosting-new.md b/DEPLOYMENT_PLUS/hosting-new.md new file mode 100644 index 0000000..3d96b84 --- /dev/null +++ b/DEPLOYMENT_PLUS/hosting-new.md 
@@ -0,0 +1,250 @@ +## ADD CLOUDFLARE A / CNAME RECORDS for ACME! +## Convert to Caddy? (https://www.programonaut.com/how-to-set-up-a-reverse-proxy-with-free-ssl-using-caddy) + +# Hosting — Full Setup Guide (Canonical Reference) + +**This is the canonical, full reference guide for VPS hosting setup.** + +For shared setup instructions (Syncthing and Caddy installation/configuration), see **hosting-base.md**. For a quick-start overview, see **hosting-final.md**. + +Selected VPS for similarity to local usage and Hetzner because of cost and IaC support (). See notes on deployment saved in 1Password for Hetzner (and more info on SSH Keys if needed: ) + +Note: could use NixOS: + +## Manual Setup + +*Note: for ipv6, copy and replace '/64' with '1': * + +*Hetzner Web Console requires Rescue>Reset to get a root password when created with SSH: * + +**See hosting-base.md for Syncthing installation and configuration instructions.** + +## Configure Web Services + +Follows: + +```sh +# Get desired version from: https://github.com/traefik/traefik/releases +mkdir ~/traefik-tmp +cd ~/traefik-tmp +curl -L https://github.com/traefik/traefik/releases/download/v3.3.4/traefik_v3.3.4_linux_armv6.tar.gz > traefik_linux_armv6.tar.gz +tar xzvf traefik_linux_armv6.tar.gz +# Move the binary +sudo cp ~/traefik-tmp/traefik /usr/local/bin/. +sudo chown root:root /usr/local/bin/traefik +sudo chmod 755 /usr/local/bin/traefik +cd ~ && rm -rf ~/traefik-tmp + +# Give the Traefik binary the ability to bind to privileged ports (80, 443) as non-root. +sudo setcap 'cap_net_bind_service=+ep' /usr/local/bin/traefik + +# Setup Traefik user, group and permissions +sudo groupadd traefik +sudo useradd \ + -g traefik --no-user-group \ + -d /etc/traefik --no-create-home \ + -s /usr/sbin/nologin \ + -r traefik + +# Create folder for the traefik static and dynamic config files and set permissions. 
+sudo mkdir /etc/traefik +sudo mkdir /etc/traefik/dynamic +sudo chown -R root:root /etc/traefik +sudo chown -R traefik:traefik /etc/traefik/dynamic +# Create Log +sudo touch /var/log/traefik.log +sudo chown traefik:traefik /var/log/traefik.log +# Create the .env file for the DNS Challenge credentials. +sudo touch /etc/traefik/.env +# Create the file where the certificates will be stored and set permissions. +sudo mkdir /etc/traefik/acme/ +sudo touch /etc/traefik/acme/acme.json +sudo chmod 600 /etc/traefik/acme/acme.json +sudo chown traefik:traefik /etc/traefik/acme/acme.json + +# Create a systemd service for Traefik +sudo tee "/lib/systemd/system/traefik.service" > /dev/null <<'EOF' +# /lib/systemd/system/traefik.service +[Unit] +Description=Traefik reverse proxy service +After=network-online.target +Wants=network-online.target systemd-networkd-wait-online.service + +[Service] +Restart=on-failure + +User=traefik +Group=traefik + +ProtectHome=true +ProtectSystem=full +ReadWriteDirectories=/etc/traefik/acme +CapabilityBoundingSet=CAP_NET_BIND_SERVICE +AmbientCapabilities=CAP_NET_BIND_SERVICE +NoNewPrivileges=true + +TimeoutStopSec=300 +EnvironmentFile=/etc/traefik/.env +ExecStart=/usr/local/bin/traefik --configFile=/etc/traefik/traefik.toml + +[Install] +WantedBy=multi-user.target +EOF +sudo chown root:root /lib/systemd/system/traefik.service +sudo chmod 644 /lib/systemd/system/traefik.service +sudo systemctl daemon-reload + +sudo tee "/etc/traefik/traefik.toml" > /dev/null <<'EOF' +# Traefik static configuration file (/etc/traefik/traefik.toml) +# See https://doc.traefik.io/traefik/getting-started/configuration-overview/#the-static-configuration +# and https://doc.traefik.io/traefik/reference/static-configuration/cli +[global] +checkNewVersion = true + +[api] +dashboard = true +insecure = true + +[log] +filePath = "/var/log/traefik.log" +format = "json" +level = "WARN" + +[providers.file] +directory = "/etc/traefik/dynamic" +watch = true + +[entryPoints.web] 
+address = ":80" + +[entryPoints.web.http.redirections.entryPoint] +to = "websecure" +scheme = "https" + +[entryPoints.websecure] +address = ":443" + +[entryPoints.websecure.http.tls] +certResolver = "letsencrypt" + + [[entryPoints.websecure.http.tls.domains]] + main = "yak-shears.kyleking.me" + +[certificatesResolvers.letsencrypt.acme] +email = #Your email address +storage = "/etc/traefik/acme/acme.json" + + [certificatesResolvers.letsencrypt.acme.dnsChallenge] + provider = "cloudflare" + resolvers = [ "1.1.1.1:53", "1.0.0.1:53" ] +EOF +# Set email address +sudo vim /etc/traefik/traefik.toml + +# Then set environment (example for Cloudflare from: ) +# CLOUDFLARE_EMAIL=something@example.com +# CLOUDFLARE_API_KEY=some_api_key +sudo vim /etc/traefik/.env + +# Configure dynamic provider for Go service on localhost +sudo tee "/etc/traefik/dynamic/dynamic.toml" > /dev/null <<'EOF' +[http.routers.app] +entryPoints = ["websecure"] +rule = "Host(`yak-shears.kyleking.me`)" +service = "app-service" + +[[http.services.app-service.loadBalancer.servers]] +url = "http://127.0.0.1:8384" +EOF + +# Now start! 
+sudo systemctl enable traefik.service +sudo systemctl start traefik.service +sudo systemctl status traefik.service +``` + +```sh +# Debugging: +sudo journalctl --boot -u traefik.service +sudo cat /var/log/traefik.log +sudo systemctl restart traefik.service +curl localhost:443 + +# From laptop: +ssh -L 8081:localhost:8080 ubuntu-4gb-hel1-1 +# Open Traefik dashboard at localhost:8081 +``` + +**Update: traefik was removed in favor of implementing Caddy** + +```sh +sudo systemctl disable traefik.service +``` + +## FileBrowser + + + +```sh +curl -fsSL https://raw.githubusercontent.com/filebrowser/get/master/get.sh | bash +filebrowser config init --port 8084 +/usr/local/bin/filebrowser -r /root/Sync +# While the above is running (TODO: because the systemctl configuration isn't working) +ssh -L 8084:localhost:8084 ubuntu-4gb-hel1-1 + +# Create a systemd service for FileBrowser +sudo tee "/lib/systemd/system/filebrowser.service" > /dev/null <<'EOF' +# Adapted from: /lib/systemd/system/traefik.service +# /lib/systemd/system/filebrowser.service +[Unit] +Description=Run Filebrowser at startup +# After=network-online.target +# Wants=network-online.target systemd-networkd-wait-online.service + +[Service] +Restart=on-failure + +# TODO: run as non-root +User=root + +# ProtectHome=true +# ProtectSystem=full +# ReadWriteDirectories=/etc/traefik/acme +# CapabilityBoundingSet=CAP_NET_BIND_SERVICE +# AmbientCapabilities=CAP_NET_BIND_SERVICE +# NoNewPrivileges=true + +# TimeoutStopSec=300 +# EnvironmentFile=/etc/traefik/.env +ExecStart=/usr/local/bin/filebrowser -r /root/Sync +Type=simple + +[Install] +WantedBy=multi-user.target +EOF +sudo chown root:root /lib/systemd/system/filebrowser.service +sudo chmod 644 /lib/systemd/system/filebrowser.service +sudo systemctl daemon-reload +``` + +## Caddy + +**See hosting-base.md for Caddy installation and configuration instructions.** + +## TODO + +1. The ufw rules appear to reset on VPS boot. I may need to edit the defaults? +1. 
And keep Caddy running: +2. Create script that copies all the manually managed files into a single location for version control (e.g. traefik config, sshd_config, maybe output of ufw, apt versions, Linux version, systemctl, etc.) +2. Create a basic HTMX app with authentication +2. Add list all files (show `
(/)` in future version) +2. Then per file, shows the raw text and then allows edits with HTMX submit (in future, default view is a preview where switching to edit would warn other users -- maybe locally is also git to track changes? How to use different users when editing the files from the go server?) +2. Further in the future, have GitOps where a cron-scheduled service checks for git changes, pulls, and then updates the service (how to handle downtime - maybe have flag in UI that current users can delay while working on changes?) + +- 10-min golang+systemctl deploy: https://jonathanmh.com/p/deploying-go-apps-systemd-10-minutes-without-docker/ +- Other options: https://www.ecosia.org/search?q=running%20golang+on+vps&addon=firefox&addonversion=5.2.0&method=topbar +- https://reintech.io/blog/writing-web-based-code-editor-go +- https://www.magicbell.com/blog/setting-up-htmx-and-templ-for-go +- https://gist.github.com/peterhellberg/60dcccab932f8446bacd2ceb57ba603d +- https://www.youtube.com/watch?v=x7v6SNIgJpE (Primeagen Golang+HTMX) +- Structure: https://www.youtube.com/watch?v=lVyIQV-op5I
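Review bot: the Go/HTMX editor outline in gemini-tips.md reads and writes files from a path segment in `GET /edit/…` and `POST /save/…`, but the "File Handling" bullet lists no check that the resolved path stays inside the intended directory and no authentication on the save route; state that the server resolves the requested name against a fixed root (for example `filepath.Clean` plus a prefix check against the root) and rejects anything that escapes it, and that both routes sit behind the authentication the TODO list in hosting-new.md already calls for. Also, the bullet "Display File Content: Create an HTML form with a" is cut off mid-sentence and the frontend section ends there; complete it before merging.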
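Review bot: in the "Configure Caddy" block of hosting-base.md the Caddyfile is written with `tee "Caddyfile"` into the current working directory, but the caddy package's systemd unit loads `/etc/caddy/Caddyfile` (the path hosting-gemini.md uses), so the running service never sees this config; write it to `/etc/caddy/Caddyfile` and follow with `sudo systemctl reload caddy`. Two smaller points in the same hunk: the four `header_up` lines duplicate `reverse_proxy` defaults (Caddy passes `Host` through and sets `X-Forwarded-For` and `X-Forwarded-Proto` itself), and setting `X-Forwarded-For` to `{remote_host}` replaces the appended chain with a single value; and the proxy publishes FileBrowser (port 8084, run as root per hosting-new.md) on the public hostname, so FileBrowser's own login becomes the only gate, which makes the `# Warning` about `syncthing@root.service` apply equally here.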
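Review bot: several link lines in hosting-final.md are empty (the VPS selection bullet `- `, "More SSH Key info:", "For Caddy running as a service:" and "Consider using NixOS for reproducible deployments:"), so the quick-start points readers nowhere; fill in the URLs or drop the bullets. Also the "Common Tasks" table and the Notes send readers to a "TODO section" in hosting-new.md for the ufw-reset problem, but that section only records the open question ("I may need to edit the defaults?") and offers no workaround; say that plainly here, or document the fix once known (for example confirming `ENABLED=yes` in `/etc/ufw/ufw.conf` and that the ufw service is enabled at boot).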
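Review bot: Step 4 of hosting-gemini.md sets Cloudflare to "Proxied" so the origin IP is hidden, yet the `ufw` block under "Security Considerations" allows http and https from any source, so the origin stays directly reachable by anyone who learns its address and Cloudflare's filtering can be bypassed; restrict 80/443 to Cloudflare's published IP ranges (or use a tunnel) if the hiding is meant to be enforced. Related: behind the proxy `{remote_host}` is a Cloudflare edge address, so `X-Real-IP` and `X-Forwarded-For` as written carry that rather than the client IP, and the explanation that `header_up X-Forwarded-For {remote_host}` "appends" is wrong (`header_up` sets the field); configure Caddy's `trusted_proxies` with Cloudflare's ranges instead. Finally, this guide writes `debian.txt` to `caddy-stable.sources` while hosting-base.md writes `debian.deb.txt` to `caddy-stable.list`; pick one list format for both guides, and have the GPG step state the expected fingerprint rather than asking the reader to locate it.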
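Review bot: in hosting-new.md `/etc/traefik/.env` is created with `sudo touch` and left at the default mode (0644 root:root) even though the following comments put `CLOUDFLARE_EMAIL` and `CLOUDFLARE_API_KEY` (a global API key) in it; add `sudo chmod 600 /etc/traefik/.env` next to the `chmod 600` already applied to `acme.json`, and prefer a scoped Cloudflare API token over the global key. Further in the same hunk: `[api] insecure = true` serves the dashboard without authentication on the `traefik` entrypoint (port 8080, as the SSH port-forward comment confirms), which is tolerable only because ufw never opens 8080, so note that or set it to `false`; the download fetches `traefik_v3.3.4_linux_armv6.tar.gz` without checking the release's checksums file, and an armv6 build will not match an x86_64 or arm64 Hetzner VPS, so choose the archive by `uname -m` and verify it; the dynamic router targets `127.0.0.1:8384` (the Syncthing GUI), which hosting-base.md says fails the host check; and `filebrowser.service` runs with `User=root` (already flagged TODO).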