--- a/system/defines.php 2021-04-15 20:04:58.000000000 +0200
+++ b/system/defines.php 2021-04-16 22:02:34.702885015 +0200
@@ -13,6 +13,12 @@
 define('GRAV_SCHEMA', '1.7.0_2020-11-20_1');
 define('GRAV_TESTING', false);
 
+define('GRAV_ROOT', '/usr/share/webapps/grav');
+define('GRAV_CACHE_PATH', '/var/cache/grav/cache');
+define('GRAV_BACKUP_PATH', '/var/lib/grav/backup');
+define('GRAV_LOG_PATH', '/var/log/grav');
+define('GRAV_TMP_PATH', '/var/tmp/grav');
+
 // PHP minimum requirement
 if (!defined('GRAV_PHP_MIN')) {
 define('GRAV_PHP_MIN', '7.3.6');
--- a/system/src/Grav/Console/Gpm/SelfupgradeCommand.php 2021-04-15 20:04:58.000000000 +0200
+++ b/system/src/Grav/Console/Gpm/SelfupgradeCommand.php 2021-04-21 21:14:16.576531405 +0200
@@ -94,6 +94,10 @@
 $input = $this->getInput();
 $io = $this->getIO();
 
+ $io->error('Grav cannot be upgraded this way as it has been installed with a distribution package.');
+ $io->writeln('Use makepkg and pacman (or your preferred pacman wrapper) to upgrade.');
+ return 1;
+
 if (!class_exists(ZipArchive::class)) {
 $io->title('GPM Self Upgrade');
 $io->error('php-zip extension needs to be enabled!');
--- a/webserver-configs/nginx.conf 2022-01-04 19:02:30.000000000 +0100
+++ b/webserver-configs/nginx.conf 2022-01-04 22:30:17.079302244 +0100
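Review bot: The five added `define()` calls are unguarded, unlike the `if (!defined('GRAV_PHP_MIN'))` block visible right below them in the same hunk; if any of these constants is already defined before this line runs (by index.php or a later block of defines.php, neither visible here), PHP emits a "Constant already defined" warning and keeps the first value, so the packaged paths would be ignored without any error. Guarding each one the same way keeps the file self-consistent, e.g. `if (!defined('GRAV_ROOT')) { define('GRAV_ROOT', '/usr/share/webapps/grav'); }`. Moving cache, backup, log and tmp directories out of the web root is the right call for exposure, since none of them is under GRAV_ROOT any more, but it only holds if the package creates those directories with ownership restricted to the PHP worker user, which this patch does not show.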
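Review bot: The unconditional `return 1;` inserted at the top of the method turns everything after it, starting with the `class_exists(ZipArchive::class)` check, into unreachable dead code; the method body continues outside the hunk. That is presumably intended for a distribution-package build, but a reader and static analysers (PHPStan/Psalm) will flag it, so state the intent next to the return, e.g. `// Packaged install: GPM self-upgrade is disabled on purpose; the upstream upgrade flow below is intentionally unreachable.`. Returning a non-zero exit code here is appropriate, since scripts wrapping `bin/gpm selfupgrade` then see a failure instead of a silent no-op.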
@@ -1,10 +1,61 @@
 server {
- #listen 80;
+ listen 80;
+ listen [::]:80;
+ server_name blog.myserver.org;
+
+ access_log /var/log/nginx/access/blog.log main;
+
+ ## Begin - ACME (LetsEncrypt)
+ # adapt the alias folder to where your certification job (e.g. CertBot)
+ # puts the domain verification challenges
+ # location ^~ /.well-known/acme-challenge/ {
+ # alias /srv/http/acme;
+ # }
+ ## End - ACME (LetsEncrypt)
+
+ ## Begin - Enforce HTTPS
+ location / {
+ return 301 https://blog.myserver.org$request_uri;
+ }
+ ## End - Enforce HTTPS
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ access_log /var/log/nginx/access/blog.log main;
+
+ ## Begin - SSL/TLS
+ # Use Mozilla's guidelines for SSL/TLS settings
+ # https://mozilla.github.io/server-side-tls/ssl-config-generator/
+ ssl_certificate /etc/ssl/certs/blog.myserver.org.pem;
+ ssl_certificate_key /etc/ssl/private/blog.myserver.org.key;
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:sslcache:1m; # about 4000 sessions
+ ssl_session_tickets off;
+ ssl_protocols TLSv1.3;
+ ssl_prefer_server_ciphers off;
+
+ # HSTS settings
+ # WARNING: Only add the preload option once you read about
+ # the consequences in https://hstspreload.org/. This option
+ # will add the domain to a hardcoded list that is shipped
+ # in all major browsers and getting removed from this list
+ # could take several months.
+ #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
+ add_header Strict-Transport-Security "max-age=15768000" always;
+ ## End - SSL/TLS
+
+ # set max upload size
+ client_max_body_size 512M;
+ # fastcgi_buffers 64 4K; only required when using fastcgi (see below)
+
 index index.html index.php;
 
 ## Begin - Server Info
- root /home/USER/www/html;
- server_name localhost;
+ server_name blog.myserver.org;
+ root /usr/share/webapps/grav;
 ## End - Server Info
 
 ## Begin - Index
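Review bot: `listen 443 ssl http2;` and `listen [::]:443 ssl http2;` use the `http2` listen parameter, which nginx 1.25.1 and later deprecate in favour of a separate directive; on current releases write `listen 443 ssl;`, `listen [::]:443 ssl;` and `http2 on;`. The `access_log ... main;` lines in both server blocks assume a `log_format main` exists in the enclosing http context, which this file does not define and which stock nginx.conf files often ship commented out, so nginx would refuse to start with "unknown log format" — worth a comment next to the first one. The TLS block itself (TLS 1.3 only, session tickets off, HSTS without preload until the consequences are understood) is sound; note that `add_header` values set at server level are dropped inside any location that later declares its own `add_header`, which matters if headers are ever added to the static-content location.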
@@ -17,6 +68,13 @@
 ## End - Index
 
 ## Begin - Security
+ # safety stuff adopted from .htaccess
+ if ($request_uri ~ "{{|}}|{%|%}") { return 403; }
+ if ($query_string ~ "{{|}}|{%25|%25}") { return 403; }
+ if ($query_string ~ "base64_encode[^(]*\([^)]*\)") { return 403; }
+ if ($query_string ~* "(<|%3C)([^s]*s)+cript.*(>|%3E)") { return 403; }
+ if ($query_string ~ "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") { return 403; }
+ if ($query_string ~ "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") { return 403; }
 # deny all direct access for these folders
 location ~* /(\.git|cache|bin|logs|backup|tests)/.*$ { return 403; }
 # deny running scripts inside core system folders
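Review bot: The `GLOBALS` and `_REQUEST` rules use the case-sensitive `~` operator with a `[0-9A-Z]` class, so percent-escapes written with lowercase hex digits are not matched, while the `<script>` rule two lines above deliberately uses `~*`; make them consistent: `if ($query_string ~* "GLOBALS(=|\[|%[0-9a-f]{0,2})") { return 403; }` and likewise for `_REQUEST`. More generally, `$query_string` holds the raw, un-decoded query string, so these patterns only see the spellings they literally list; they are defence-in-depth ported from .htaccess, not the input-validation boundary, and the comment should say so, e.g. `# best-effort request filtering ported from .htaccess; Grav's own input handling remains the real control`. Using `if` with `return` at server level, as done here, is one of the forms nginx documents as safe.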
@@ -25,20 +83,32 @@
 location ~* /user/.*\.(txt|md|json|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ { return 403; }
 # deny access to specific files in the root folder
 location ~ /(LICENSE\.txt|composer\.lock|composer\.json|nginx\.conf|web\.config|htaccess\.txt|\.htaccess) { return 403; }
+ # deny all files and folder beginning with a dot (hidden files & folders)
+ location ~ (^|/)\. { return 403; }
 ## End - Security
 
 ## Begin - PHP
 location ~ \.php$ {
- # Choose either a socket or TCP/IP address
- fastcgi_pass unix:/var/run/php/php-fpm.sock;
- # fastcgi_pass unix:/var/run/php5-fpm.sock; #legacy
- # fastcgi_pass 127.0.0.1:9000;
-
- fastcgi_split_path_info ^(.+\.php)(/.+)$;
- fastcgi_index index.php;
- include fastcgi_params;
- fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
+ include uwsgi_params;
+ uwsgi_modifier1 14;
+ uwsgi_pass unix:/run/uwsgi/grav.sock;
 }
+ # or alternatively if you use php-fpm
+ # location ~ \.php$ {
+ # # Choose either a socket or TCP/IP address
+ # fastcgi_pass unix:/run/php-fpm/grav.sock;
+ # # fastcgi_pass 127.0.0.1:9000;
+ # fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ # fastcgi_index index.php;
+ # include fastcgi_params;
+ # fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
+ # }
 ## End - PHP
-}
+ ## Begin - Static content
+ location ~ \.(?:css|js|svg|gif|jpe?g|png|woff2?)$ {
+ expires 7d;
+ access_log off;
+ }
+ ## End - Static content
+}
 
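Review bot: The rewritten `location ~ \.php$` hands every URI ending in `.php` to the uwsgi socket without first checking that the script exists under `root`; adding `try_files $uri =404;` before `include uwsgi_params;` lets nginx reject non-existent scripts itself instead of relying on the backend's handling, and the same guard belongs in the commented php-fpm alternative. The new `location ~ (^|/)\. { return 403; }` lives in the HTTPS server block and therefore also denies `/.well-known/`; that is fine only as long as ACME challenges are served solely from the port-80 block's (currently commented) location, which deserves a comment next to the rule. `uwsgi_modifier1 14;` selects the uwsgi PHP plugin's modifier1 value, so a one-line comment such as `# modifier1 14 = uwsgi PHP plugin` would save the next reader a trip to the uwsgi protocol docs.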