Nginx Security Headers on Gentoo Linux

Create /etc/nginx/snippets/security-headers.conf

add_header X-Frame-Options            "SAMEORIGIN"                                 always;
add_header X-Content-Type-Options     "nosniff"                                    always;
add_header X-XSS-Protecti...

PHP-FPM Multiple Pools on Gentoo Linux

Pool directory: /etc/php/fpm-php8.2/fpm.d/

Create /etc/php/fpm-php8.2/fpm.d/site1.conf

[site1]
user  = site1
group = site1
listen = /run/php-fpm/site1.sock
listen.owner = www-data
listen.group = www-data
listen.mode  = 0660
pm = dynamic
pm.max_children...

PostgreSQL Backup and Restore on Gentoo Linux

Logical – pg_dump

# Single database
sudo -u postgres pg_dump -Fc appdb > /backups/appdb_$(date +%F).dump

# All databases
sudo -u postgres pg_dumpall > /backups/all_$(date +%F).sql

Restore

sudo -u postgres pg_restore -d appdb /backups/appdb_2026-...

PostgreSQL Streaming Replication on Gentoo Linux

Primary: 192.168.1.10   Standby: 192.168.1.11

Primary – /var/lib/postgres/data/postgresql.conf

wal_level = replica
max_wal_senders = 5
wal_keep_size = 512MB
listen_addresses = '*'

/var/lib/postgres/data/pg_hba.conf:

host replication rep...

PostgreSQL User and Role Management on Gentoo Linux

Create roles

CREATE ROLE alice WITH LOGIN PASSWORD 'AlicePass!';
CREATE ROLE dbadmin WITH SUPERUSER LOGIN PASSWORD 'AdminPass!';
CREATE ROLE readonly;

Grant privileges

GRANT CONNECT ON DATABASE appdb TO alice;
GRANT USAGE ON SCHEMA public T...

Redis Cluster on Gentoo Linux

Minimum 3 primaries + 3 replicas (6 nodes). This example uses ports 7000-7005 on localhost.

Step 1 – Create node configs

for port in 7000 7001 7002 7003 7004 7005; do
    mkdir -p /etc/redis/cluster/$port /var/lib/redis/$port
    cat > /etc/redis/cluster/$port/red...

Redis Persistence on Gentoo Linux

RDB snapshots (redis.conf)

save 900 1
save 300 10
save 60 10000
dbfilename  dump.rdb
dir         /var/lib/redis
rdbcompression yes
rdbchecksum    yes

AOF (Append-Only File)

appendonly           yes
appendfilename       "appendonly.aof"
appendfsync...

Redis Sentinel (HA) on Gentoo Linux

Architecture

• Primary 192.168.1.10:6379
• Replica 192.168.1.11:6379, 192.168.1.12:6379
• Sentinels on port 26379 (all 3 nodes)

Primary redis.conf

bind 0.0.0.0
requirepass RedisPass!

Replica redis.conf

bind 0.0.0.0
requirepass RedisPass!
replicaof...

Secure MySQL on Gentoo Linux

Step 1 – Run mysql_secure_installation

mysql_secure_installation

Set root password, remove anonymous users, disallow remote root login, remove test DB.

Step 2 – Bind to localhost

[mysqld]
bind-address = 127.0.0.1

Step 3 – Audit users

SELECT User, Host, plug...

SSH Key-Based Authentication on Gentoo Linux

Generate key pair (client)

ssh-keygen -t ed25519 -C "[email protected]"

Copy public key to server

ssh-copy-id -i ~/.ssh/id_ed25519.pub [email protected]

Or manually:

cat ~/.ssh/id_ed25519.pub | ssh user@server \
    "mkdir -p ~/.ssh...

SSH TOTP MFA on Gentoo Linux

Step 1 – Install PAM module

emerge --ask sys-auth/google-authenticator-libpam

Step 2 – Configure for each user

google-authenticator
# time-based: y, update file: y, disallow reuse: y, rate limit: y

Scan QR code with an authenticator app (Aegis, Google Authentic...

Tune MariaDB Performance on Gentoo Linux

my.cnf

[mysqld]
innodb_buffer_pool_size        = 4G
innodb_buffer_pool_instances   = 4
innodb_log_file_size           = 512M
innodb_flush_log_at_trx_commit = 1
innodb_flush_method            = O_DIRECT

# Thread pool (MariaDB-specific)
thread_handling...

Tune MySQL Performance on Gentoo Linux

my.cnf

[mysqld]
innodb_buffer_pool_size        = 4G
innodb_buffer_pool_instances   = 4
innodb_log_file_size           = 512M
innodb_flush_log_at_trx_commit = 1
innodb_flush_method            = O_DIRECT
max_connections                = 200
thread_cache_size...

Tune PHP OPcache on Gentoo Linux

Edit /etc/php/fpm-php8.2/ext-active/opcache.ini

opcache.enable=1
opcache.enable_cli=0
opcache.memory_consumption=256
opcache.interned_strings_buffer=16
opcache.max_accelerated_files=20000
opcache.revalidate_freq=60
opcache.validate_timestamps=1
; JIT (PHP 8.x)
o...

Tune PHP-FPM Performance on Gentoo Linux

Estimate pm.max_children

ps -ylC php-fpm --no-headers | awk '{sum+=$8} END {print sum/NR/1024 " MB avg"}'
# Divide available RAM (minus OS+DB) by average size

Recommended dynamic settings

pm = dynamic
pm.max_children      = 50
pm.start_servers     =...

Tune PostgreSQL Performance on Gentoo Linux

postgresql.conf

# Memory
shared_buffers          = 2GB       # 25% of RAM
effective_cache_size    = 6GB       # 50-75% of RAM
work_mem                = 64MB      # per-sort/hash
maintenance_work_mem    = 512MB

# Checkpoints
checkpoint_completion_targe...

Tune Varnish Cache on Gentoo Linux

Systemd override (/etc/systemd/system/varnish.service.d/override.conf)

[Service]
ExecStart=
ExecStart=/usr/sbin/varnishd \
    -a :80 -T localhost:6082 \
    -f /etc/varnish/default.vcl \
    -s malloc,2G \
    -p thread_pools=2 \
    -p thread_pool_min=200 \...

Varnish VCL Configuration on Gentoo Linux

Full example with load balancing and grace

vcl 4.1;
import directors;

backend web1 {
    .host = "192.168.1.10"; .port = "8080";
    .probe = { .url = "/health"; .timeout = 5s; .interval = 10s; .window = 5; .threshold = 3; }
}
backend web2 {
    .host =...