From 7f34b60582b7049f7e942ec43b3f8c2bc37026dc Mon Sep 17 00:00:00 2001 From: kitoy Date: Mon, 15 May 2023 23:16:25 +0200 Subject: [PATCH] Correction & update scripts --- add_domain_with_acme.sh | 52 +++-- configure_firewall.sh | 96 ++++---- configure_mail_service.sh | 214 +++--------------- .../dovecot/dovecot.conf.example | 101 +++++++++ .../dovecot/local.conf.example | 89 ++++++++ .../nginx/nginx.conf.example | 52 +++++ .../nginx/nginx.conf.example~ | 52 +++++ .../nginx/site-available/example | 39 ++++ .../nginx/site-available/example~ | 39 ++++ .../opensmtpd/smtpd.conf.example | 31 +++ .../opensmtpd/smtpd.conf.example~ | 37 +++ default_configuration/opensmtpd/smtpd.conf~ | 37 +++ .../opensmtpd/spamd.conf.example | 19 ++ default_configuration/pf.conf | 33 +-- default_configuration/php/php-fpm.conf | 6 +- default_configuration/pywallter/pywallter.rc | 8 +- install_nextcloud.sh | 59 +++-- install_nginx_service.sh | 126 ++--------- install_php.sh | 49 +--- install_postgresql_service.sh | 57 +++-- install_pywallter.sh | 31 ++- install_xmpp_service.sh | 21 +- myserver.conf | 2 +- utils.sh | 2 +- 24 files changed, 740 insertions(+), 512 deletions(-) create mode 100644 default_configuration/dovecot/dovecot.conf.example create mode 100644 default_configuration/dovecot/local.conf.example create mode 100644 default_configuration/nginx/nginx.conf.example create mode 100644 default_configuration/nginx/nginx.conf.example~ create mode 100644 default_configuration/nginx/site-available/example create mode 100644 default_configuration/nginx/site-available/example~ create mode 100644 default_configuration/opensmtpd/smtpd.conf.example create mode 100644 default_configuration/opensmtpd/smtpd.conf.example~ create mode 100644 default_configuration/opensmtpd/smtpd.conf~ create mode 100644 default_configuration/opensmtpd/spamd.conf.example diff --git a/add_domain_with_acme.sh b/add_domain_with_acme.sh index 542c337..137c514 100755 --- a/add_domain_with_acme.sh 
+++ b/add_domain_with_acme.sh @@ -4,24 +4,23 @@ gen_nginx_acme_conf(){ domain=$1 alt_domain=$2 - nginx_run=`rcctl check nginx` - - if [ "$nginx_run" == "nginx(ok)" ]; then - cat > test/$domain < $nginx_conf_file <> my_configuration/ssl/$domain-acme-client.conf <> $acme_conf_file <> my_configuration/ssl/$domain-acme-client.conf <> $acme_conf_file < /tmp/acme-client.conf + cp -v /etc/acme-client.conf /etc/acme-client.conf.old + cp -v /tmp/acme-client.conf /etc/acme-client.conf +} + install_utils(){ cp -v utils/renew_https_certificate /usr/local/bin/renew_https_certificate chmod u+x /usr/local/bin/renew_https_certificate } -get_certificate(){ +get_certificate() +{ domain=$1 - /usr/local/bin/renew_https_certificate $domain } -usage(){ +usage() +{ print "This program ask 3 arguments : \n" print "First is email with domain name the second is list of alternatives domains with \" \" \n" print "the last arguments is for share the ssl cert with xmpp daemon add xmpp at the end or not" print "\t $0 domain.tld \"a.domain.tld b.domain.tld c.domain.tld\"" - } - if [ -z $1 ]; then usage exit 3; fi -if [ -e /etc/acme-client.conf ]; then - echo ok -else - echo nok -fi - - domain=$1 alt_domain=$2 diff --git a/configure_firewall.sh b/configure_firewall.sh index 8d9981f..27bb90c 100755 --- a/configure_firewall.sh +++ b/configure_firewall.sh @@ -2,7 +2,7 @@ . ./myserver.conf -install_package(){ +install_firewall_packages(){ pkg_add ssh_guard curl useradd -s /sbin/nologin -d /var/empty _pfbadhost ftp https://geoghegan.ca/pub/pf-badhost/0.5/pf-badhost.sh 
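Review bot: The new helper that replaces /etc/acme-client.conf stages its output at the fixed path `/tmp/acme-client.conf` and then copies that file over `/etc/acme-client.conf`; a predictable name in a world-writable directory can be pre-created or symlinked by any other local user, so what ends up in /etc is not guaranteed to be what this script wrote. Stage it with `tmp=$(mktemp) || exit 1`, write to `"$tmp"` and copy from there, or build the file next to the target and `mv` it into place. In the same hunk `if [ -z $1 ]` and `/usr/local/bin/renew_https_certificate $domain` leave the expansion unquoted; `[ -z "$1" ]` and `"$domain"` avoid word-splitting and glob expansion on an empty or spaced argument. The heredoc bodies of this hunk are not readable in the extracted diff, so this note covers only the visible command lines.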
@@ -32,60 +32,36 @@ EOF set_basic_configuration(){ - cat > my_configuration/pf.conf < persist file "/etc/pf-badhost.txt" -table persist - -## Table pour les batards de bruteforceurs -table persist - - -set block-policy drop # bloque silencieusement -set skip on lo # En local on s'en fou on surveille rien -set limit table-entries 400000 -set limit states 100000 - - - -## Traitement des paquets ## -# Paquets partiels on vire -match all scrub (max-mss 1440 no-df random-id reassemble tcp) -antispoof quick for egress # Protection vol d'ip -antispoof quick for lo0 # Protection vol d'ip - -# Port build user does not need network -block return out log proto {tcp udp} user _pbuild - -# On bloque tout par défault -block - -block quick on egress from -block in from -block log quick from label "brutes" - -pass out on egress proto { tcp udp icmp ipv6-icmp } modulate state - -EOF - + cp -v default_configruation/pf.conf my_configuration/pf.conf } set_open_service(){ cat >> my_configuration/pf.conf < to port $web_ports +pass in on egress proto tcp to port $web_ports flags S/SA keep state \ + (max-src-conn 100, max-src-conn-rate 15/5, \ + overload flush) + EOF - if [ "$SERVICE_MAIL" == "yes" ]; then + cat >> my_configuration/pf.conf + EOF + + [ "$SERVICE_MAIL" == "yes" ] && echo "mail_ports = \"{ smtp submission imap }\"" >> default_configuration/pf.conf - fi - if [ "$SERVICE_XMPP" == "yes" ]; then + [ "$SERVICE_XMPP" == "yes" ] && echo "xmmp_ports = \"{ 5222 5269 }\"" >> default_configuration/pf.conf - fi echo "ssh_port = \"$SSH_PORT\"" >> default_configuration/pf.conf + [ "$SERVICE_TURN" == "yes" ] && + echo "turn_port = \"TURN_PORT\"" >> default_configuration/pf.conf + cat >> my_configuration/pf.conf < flush global) -#web -pass in on egress proto tcp to port \$web_ports modulate state \\ - (max-src-conn 60, max-src-conn-rate 60/1, overload flush global) +pass in quick on egress proto { tcp, udp } from to port $web_ports +pass in on egress proto tcp to port $web_ports flags S/SA 
keep state \ + (max-src-conn 100, max-src-conn-rate 15/5, \ + overload flush) EOF - if [ "$SERVICE_MAIL" == "yes" ]; then + [ "$SERVICE_MAIL" == "yes" ] && cat >> my_configuration/pf.conf <> my_configuration/pf.conf < flush global) EOF - fi + + + [ "$SERVICE_TURN" == "yes" ] && + cat >> my_configuration/pf.conf < flush global) + +pass in on egress proto udp to port $turn_port + +EOF } -install_pf_and_enable(){ +install_conf_and_enable(){ pfctl -nf my_configuration/pf.conf if [ $? == 0 ]; then cp -v /etc/pf.conf /etc/pf.old @@ -134,5 +119,14 @@ install_pf_and_enable(){ } -set_basic_configuration -set_open_service +if [ "$1" == "gen-config-only" ]; +then + set_basic_configuration + set_open_service +elif [ "$1" == "install" ]; +then + install_firewall_packages + set_basic_configuration + set_open_service + install_conf_and_enable +fi diff --git a/configure_mail_service.sh b/configure_mail_service.sh index 2d13e02..7ca4663 100755 --- a/configure_mail_service.sh +++ b/configure_mail_service.sh 
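Review bot: `cp -v default_configruation/pf.conf my_configuration/pf.conf` in set_basic_configuration misspells the source directory (the diffstat and every other script use default_configuration), so the copy fails and the `cat >>` calls in set_open_service append rules to a file that has no base ruleset; the line should read `cp -v default_configuration/pf.conf my_configuration/pf.conf`. The new TURN definition writes the literal text rather than the variable: `echo "turn_port = \"TURN_PORT\"" >> default_configuration/pf.conf` should use `\"$TURN_PORT\"`. Note also that this line, like the surrounding mail, xmpp and ssh echos, appends to the repository template default_configuration/pf.conf instead of the generated my_configuration/pf.conf, so each run accumulates definitions in the template while the generated file, which the rules reference with `$turn_port` and friends, never receives them.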
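Review bot: The new `if [ "$1" == "gen-config-only" ] … elif [ "$1" == "install" ] … fi` dispatch has no fallback arm, so running the script with no argument or a misspelled one exits 0 having done nothing, which is easy to mistake for success. Add a final `else printf 'usage: %s gen-config-only|install\n' "$0" >&2; exit 2` before the `fi`. The same dispatch shape is introduced in this commit in install_nextcloud.sh, install_postgresql_service.sh, install_pywallter.sh and install_xmpp_service.sh, and the same fallback applies to each.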
@@ -5,176 +5,21 @@ install_mails_services_pkg() { - pkg_add dovecot dovecot-pigeonhole opensmtpd-filter-rspamd \ - opensmtpd-extras-6.7.1v0 opensmtpd-filter-dkimsign-0.5 rspamd-3.2 + pkg_add dovecot dovecot-pigeonhole opensmtpd-filter-rspamd redis-6.2.12\ + opensmtpd-extras-6.7.1v0 opensmtpd-filter-dkimsign-0.5 rspamd-3.2 } gen_mails_service_configuration() { - - #Generate opensmtpd configuration - cat > my_configuration/mail/smtpd.conf < filter dkimsign - -action "local_mail" mbox alias -action "domain_mail" maildir "/var/vmail/$DOMAIN/%{dest.user:lowercase}" virtual -action "outbound" relay - - -# Uncomment the following to accept external mail for domain "example.org" -match from any for domain "$DOMAIN" action "domain_mail" -match from local for local action "local_mail" - -match auth from any for any action "outbound" - -EOF - - #Generate spamd configuration - cat > my_configuration/mail/spamd.conf < my_configuration/dovecot/local.conf <> /etc/login.conf < to select which instance is used (an alternative +# to -c ). The instance name is also added to Dovecot processes +# in ps output. +#instance_name = dovecot + +# Greeting message for clients. +#login_greeting = Dovecot ready. + +# Space separated list of trusted network ranges. Connections from these +# IPs are allowed to override their IP addresses and ports (for logging and +# for authentication checks). disable_plaintext_auth is also ignored for +# these networks. Typically you'd specify your IMAP proxy servers here. +#login_trusted_networks = + +# Space separated list of login access check sockets (e.g. tcpwrap) +#login_access_sockets = + +# With proxy_maybe=yes if proxy destination matches any of these IPs, don't do +# proxying. This isn't necessary normally, but may be useful if the destination +# IP is e.g. a load balancer's IP. +#auth_proxy_self = + +# Show more verbose process titles (in ps). Currently shows user name and +# IP address. 
Useful for seeing who are actually using the IMAP processes +# (eg. shared mailboxes or if same uid is used for multiple accounts). +#verbose_proctitle = no + +# Should all processes be killed when Dovecot master process shuts down. +# Setting this to "no" means that Dovecot can be upgraded without +# forcing existing client connections to close (although that could also be +# a problem if the upgrade is e.g. because of a security fix). +#shutdown_clients = yes + +# If non-zero, run mail commands via this many connections to doveadm server, +# instead of running them directly in the same process. +#doveadm_worker_count = 0 +# UNIX socket or host:port used for connecting to doveadm server +#doveadm_socket_path = doveadm-server + +# Space separated list of environment variables that are preserved on Dovecot +# startup and passed down to all of its child processes. You can also give +# key=value pairs to always set specific settings. +#import_environment = TZ + +## +## Dictionary server settings +## + +# Dictionary can be used to store key=value lists. This is used by several +# plugins. The dictionary can be accessed either directly or though a +# dictionary server. The following dict block maps dictionary names to URIs +# when the server is used. These can then be referenced using URIs in format +# "proxy::". + +dict { + #quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext +} + +# Most of the actual configuration gets included below. The filenames are +# first sorted by their ASCII value and parsed in that order. The 00-prefixes +# in filenames are intended to make it easier to understand the ordering. +#!include conf.d/*.conf + +# A config file can also tried to be included without giving an error if +# it's not found: +!include_try local.conf diff --git a/default_configuration/dovecot/local.conf.example b/default_configuration/dovecot/local.conf.example new file mode 100644 index 0000000..ce62514 --- /dev/null 
+++ b/default_configuration/dovecot/local.conf.example 
@@ -0,0 +1,89 @@ +listen = * +protocols = imap +first_valid_uid = 1000 +first_valid_gid = 1000 +mail_location = maildir:/var/vmail/%d/%n +mail_plugin_dir = /usr/local/lib/dovecot +disable_plaintext_auth = yes + +managesieve_notify_capability = mailto +managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext imapsieve vnd.dovecot.imapsieve + +mbox_write_locks = fcntl +mmap_disable = yes +namespace inbox { + inbox = yes + location = + mailbox Archive { + auto = subscribe + special_use = \Archive + } + mailbox Drafts { + auto = subscribe + special_use = \Drafts + } + mailbox Junk { + auto = subscribe + special_use = \Junk + } + mailbox Sent { + auto = subscribe + special_use = \Sent + } + mailbox Trash { + auto = subscribe + special_use = \Trash + } + prefix = +} + +service auth { + user = $default_internal_user + group = _maildaemons +} + +passdb { + args = scheme=blf-crypt /etc/mail/passwd + driver = passwd-file +} + +plugin { + imapsieve_mailbox1_before = file:/usr/local/lib/dovecot/sieve/report-spam.sieve + imapsieve_mailbox1_causes = COPY + imapsieve_mailbox1_name = Junk + imapsieve_mailbox2_before = file:/usr/local/lib/dovecot/sieve/report-ham.sieve + imapsieve_mailbox2_causes = COPY + imapsieve_mailbox2_from = Junk + imapsieve_mailbox2_name = * + sieve = file:~/sieve;active=~/.dovecot.sieve + sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment + sieve_pipe_bin_dir = /usr/local/lib/dovecot/sieve + sieve_plugins = sieve_imapsieve sieve_extprograms +} + + +protocols = imap sieve +service imap-login { + inet_listener imap { + port = 143 + } +} + +ssl = required + +ssl_min_protocol = TLSv1.2 +ssl_cipher_list = EECDH+AESGCM +ssl_prefer_server_ciphers = yes +#ssl_cipher_list = 
ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH + +ssl_cert = filter dkimsign + +action "local_mail" mbox alias +action "domain_mail" maildir "/var/vmail/__DOMAIN__/%{dest.user:lowercase}" virtual +action "outbound" relay + + +match from any for domain "__DOMAIN__" action "domain_mail" +match from local for local action "local_mail" + +match auth from any for any action "outbound" diff --git a/default_configuration/opensmtpd/smtpd.conf.example~ b/default_configuration/opensmtpd/smtpd.conf.example~ new file mode 100644 index 0000000..4751e3b --- /dev/null +++ b/default_configuration/opensmtpd/smtpd.conf.example~ 
@@ -0,0 +1,37 @@ +# See smtpd.conf(5) for more information. + + +# To accept external mail, replace with: listen on all +# + +# les Certificats +pki "cert_mail" cert "/etc/ssl/__DOMAIN__.crt" +pki "cert_mail" key "/etc/ssl/private/__DOMAIN__.key" + +table aliases file:/etc/mail/aliases +table passwd file:/etc/mail/passwd +table virtuals file:/etc/mail/virtuals + +filter "rspamd" proc-exec "filter-rspamd" +filter "dkimsign" proc-exec "filter-dkimsign -d $DOMAIN -s dkim -k /etc/mail/dkim/__DOMAIN__-private.key" user _dkimsign group _dkimsign + +# Activation du check du reverse DNS +#filter check_rdns phase connect match !rdns disconnect "550 no rDNS available" +#filter check_fcrdns phase connect match !fcrdns disconnect "550 no FCrDNS available" + +# To accept external mail, replace with: listen on all + + +listen on all tls pki "cert_mail" hostname "__DOMAIN__" filter rspamd +listen on all port submission tls-require pki "cert_mail" auth filter dkimsign + +action "local_mail" mbox alias +action "domain_mail" maildir "/var/vmail/__DOMAIN__/%{dest.user:lowercase}" virtual +action "outbound" relay + + +# Uncomment the following to accept external mail for domain "example.org" +match from any for domain "__DOMAIN__" action "domain_mail" +match from local for local action "local_mail" + +match auth from any for any action "outbound" diff --git a/default_configuration/opensmtpd/smtpd.conf~ b/default_configuration/opensmtpd/smtpd.conf~ new file mode 100644 index 0000000..a71290b --- /dev/null +++ b/default_configuration/opensmtpd/smtpd.conf~ 
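Review bot: default_configuration/opensmtpd/smtpd.conf.example~ is an editor backup copy (trailing `~`) and should not be committed; the same applies to opensmtpd/smtpd.conf~, nginx/nginx.conf.example~ and nginx/site-available/example~ in the diffstat. These copies duplicate the real templates with stale content, which is already visible here: the dkimsign filter line mixes the shell variable `$DOMAIN` with the `__DOMAIN__` placeholder used everywhere else in the file, so a `sed s/__DOMAIN__/…/` pass would leave `-d $DOMAIN` as literal text in the filter arguments. Drop the four `~` files and add `*~` to .gitignore so they do not return.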
@@ -0,0 +1,37 @@ +# See smtpd.conf(5) for more information. + + +# To accept external mail, replace with: listen on all +# + +# les Certificats +pki "cert_mail" cert "/etc/ssl/$DOMAIN.crt" +pki "cert_mail" key "/etc/ssl/private/$DOMAIN.key" + +table aliases file:/etc/mail/aliases +table passwd file:/etc/mail/passwd +table virtuals file:/etc/mail/virtuals + +filter "rspamd" proc-exec "filter-rspamd" +filter "dkimsign" proc-exec "filter-dkimsign -d $DOMAIN -s dkim -k /etc/mail/dkim/$DOMAIN-private.key" user _dkimsign group _dkimsign + +# Activation du check du reverse DNS +#filter check_rdns phase connect match !rdns disconnect "550 no rDNS available" +#filter check_fcrdns phase connect match !fcrdns disconnect "550 no FCrDNS available" + +# To accept external mail, replace with: listen on all + + +listen on all tls pki "cert_mail" hostname "$DOMAIN" filter rspamd +listen on all port submission tls-require pki "cert_mail" auth filter dkimsign + +action "local_mail" mbox alias +action "domain_mail" maildir "/var/vmail/$DOMAIN/%{dest.user:lowercase}" virtual +action "outbound" relay + + +# Uncomment the following to accept external mail for domain "example.org" +match from any for domain "$DOMAIN" action "domain_mail" +match from local for local action "local_mail" + +match auth from any for any action "outbound" diff --git a/default_configuration/opensmtpd/spamd.conf.example b/default_configuration/opensmtpd/spamd.conf.example new file mode 100644 index 0000000..36816fb --- /dev/null +++ b/default_configuration/opensmtpd/spamd.conf.example 
@@ -0,0 +1,19 @@ +all:\ + :nixspam: + +# Nixspam recent sources list. +# Mirrored from http://www.heise.de/ix/nixspam +nixspam:\ + :black:\ + :msg="Your address %A is in the nixspam list\n\ + See http://www.heise.de/ix/nixspam/dnsbl_en/ for details":\ + :method=https:\ + :file=www.openbsd.org/spamd/nixspam.gz + +# An example of a list containing addresses which should not talk to spamd. +# +#override:\ +# :white:\ +# :method=file:\ +# :file=/var/db/override.txt: + diff --git a/default_configuration/pf.conf b/default_configuration/pf.conf index 39a2288..aff2777 100644 --- a/default_configuration/pf.conf +++ b/default_configuration/pf.conf @@ -1,14 +1,16 @@ + #Filtres badhosts et sshguard table persist file "/etc/pf-badhost.txt" table persist +table persist ## Table pour les batards de bruteforceurs table persist - +table persist set block-policy drop # bloque silencieusement set skip on lo # En local on s'en fou on surveille rien -set limit table-entries 400000 +set limit table-entries 400000 set limit states 100000 
@@ -30,30 +32,3 @@ block in from block log quick from label "brutes" pass out on egress proto { tcp udp icmp ipv6-icmp } modulate state - -#déclaration des variables -web_ports = "{ http https }" -mail_ports = "{ smtp submission imap }" -xmpp_ports = "{ 5222 5269 }" -ssh_port = "42420" - -## Anti bruteforce -### SSH -#### Limite à 5 connexions simultanne par IP source -#### Limite à 15 tentatives de connexion toutes les 5 minutes -pass in on egress proto tcp to port $ssh_port modulate state \ - (max-src-conn 5, max-src-conn-rate 15/5, overload flush global) - -#web -pass in on egress proto tcp to port $web_ports modulate state \ - (max-src-conn 60, max-src-conn-rate 60/1, overload flush global) - -# mails -## antispam -pass in on egress proto tcp to port $mail_ports modulate state \ - (max-src-conn-rate 20/5, overload flush global) -pass out log on egress proto tcp to any port smtp - -# XMPP -pass in on egress proto tcp to port $xmpp_ports modulate state \ - (max-src-conn 15, max-src-conn-rate 15/5, overload flush global) diff --git a/default_configuration/php/php-fpm.conf b/default_configuration/php/php-fpm.conf index 836c106..04272b5 100644 --- a/default_configuration/php/php-fpm.conf +++ b/default_configuration/php/php-fpm.conf @@ -15,10 +15,10 @@ listen.owner = www listen.group = www listen.mode = 0660 pm = dynamic -pm.max_children = 5 -pm.start_servers = 2 +pm.max_children = 10 +pm.start_servers = 4 pm.min_spare_servers = 1 -pm.max_spare_servers = 3 +pm.max_spare_servers = 6 chroot = /var/www env[HOSTNAME] = $HOSTNAME env[PATH] = /usr/local/bin:/usr/bin:/bin diff --git a/default_configuration/pywallter/pywallter.rc b/default_configuration/pywallter/pywallter.rc index cd19aed..a1966e8 100755 --- a/default_configuration/pywallter/pywallter.rc +++ b/default_configuration/pywallter/pywallter.rc 
@@ -1,15 +1,11 @@ #!/bin/ksh -daemon="/usr/local/bin/python3" -daemon_flags="wsgi.py" +daemon="/usr/local/bin/python3 wsgi.py" +daemon_execdir="/home/pywallter/pywallter" daemon_user="pywallter" -location="/home/pywallter/pywallter" . /etc/rc.d/rc.subr -rc_start() { - ${rcexec} "cd ${location}; ${daemon} ${daemon_flags}" -} rc_bg=YES rc_cmd $1 diff --git a/install_nextcloud.sh b/install_nextcloud.sh index 6f88a8c..f34f260 100755 --- a/install_nextcloud.sh +++ b/install_nextcloud.sh 
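Review bot: `daemon="/usr/local/bin/python3 wsgi.py"` folds the script argument into the daemon path; the OpenBSD rc.subr convention, which the removed lines followed, is `daemon="/usr/local/bin/python3"` with `daemon_flags="wsgi.py"`, and rc.subr composes its process-match expression from both. Keeping the argument inside `daemon` may happen to work but breaks anything rc.subr does with the executable path itself, so verify with `rcctl check pywallter` after the change. Replacing the custom rc_start override with `daemon_execdir` looks right, assuming the installed rc.subr supports that variable.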
@@ -5,24 +5,24 @@ install_package_nextcloud() { - pkg_add php-bz2-8.0.26 php-curl-8.0.26 php-gd-8.0.26 php-gmp-8.0.26 \ - php-intl-8.0.26 php-pdo_pgsql-8.0.26 php-zip-8.0.26 \ + pkg_add php-bz2-8.1.18 php-curl-8.1.18 php-gd-8.1.18 php-gmp-8.1.18 \ + php-intl-8.1.18 php-pdo_pgsql-8.1.18 php-zip-8.1.18 \ pecl80-imagick-3.7.0p1 pecl80-redis-5.3.7p0 \ - nextcloud-24.0.5 + nextcloud-25.0.6 } enable_nextlcoud_php_modules(){ #enable modules - ln -s /etc/php-8.0.sample/gd.ini /etc/php-8.0/gd.ini - ln -s /etc/php-8.0.sample/imagick.ini /etc/php-8.0/imagick.ini - ln -s /etc/php-8.0.sample/opcache.ini /etc/php-8.0/opcache.ini - ln -s /etc/php-8.0.sample/curl.ini /etc/php-8.0/curl.ini - ln -s /etc/php-8.0.sample/gmp.ini /etc/php-8.0/gmp.ini - ln -s /etc/php-8.0.sample/intl.ini /etc/php-8.0/intl.ini - ln -s /etc/php-8.0.sample/redis.ini /etc/php-8.0/redis.ini - ln -s /etc/php-8.0.sample/bz2.ini /etc/php-8.0/bz2.ini - ln -s /etc/php-8.0.sample/zip.ini /etc/php-8.0/zip.ini - ln -s /etc/php-8.0.sample/pdo_pgsql.ini /etc/php-8.0/pdo_pgsql.ini + ln -s /etc/php-8.1.sample/gd.ini /etc/php-8.1/gd.ini + ln -s /etc/php-8.1.sample/imagick.ini /etc/php-8.1/imagick.ini + ln -s /etc/php-8.1.sample/opcache.ini /etc/php-8.1/opcache.ini + ln -s /etc/php-8.1.sample/curl.ini /etc/php-8.1/curl.ini + ln -s /etc/php-8.1.sample/gmp.ini /etc/php-8.1/gmp.ini + ln -s /etc/php-8.1.sample/intl.ini /etc/php-8.1/intl.ini + ln -s /etc/php-8.1.sample/redis.ini /etc/php-8.1/redis.ini + ln -s /etc/php-8.1.sample/bz2.ini /etc/php-8.1/bz2.ini + ln -s /etc/php-8.1.sample/zip.ini /etc/php-8.1/zip.ini + ln -s /etc/php-8.1.sample/pdo_pgsql.ini /etc/php-8.1/pdo_pgsql.ini restart_php_service } 
@@ -34,8 +34,8 @@ configure_nginx_service(){ create_nextcloud_db(){ psql template1 postgres -c "CREATE USER $nextcloud_db_user WITH PASSWORD '$nextcloud_db_pass' CREATEDB ;" psql template1 postgres -c "CREATE DATABASE $nextcloud_db_name TEMPLATE template1 ENCODING 'UTF8' ;" - psql template1 postgres -c "GRANT ALL PRIVILEGES ON DATABASE $nextcloud_db_name TO $nextcloud_db_user ;" - psql template1 postgres -c "GRANT ALL PRIVILEGES ON SCHEMA public TO $nextcloud_db_user ;" + psql template1 postgres -c "GRANT ALL PRIVILEGES ON DATABASE $nextcloud_db_name TO $nextcloud_db_user;" + psql template1 postgres -c "ALTER DATABASE $nextcloud_db_name OWNER TO nextcloud_db_user;" } @@ -79,14 +79,23 @@ install_nextcloud(){ /var/cron/tabs/root } - - mkdir my_configuration/nextcloud -check_services_for_nextlcoud -install_package_nextcloud -enable_nextlcoud_php_modules -configure_nginx_service -create_nextcloud_db -install_configuration_files_nextcloud -install_nextcloud -restart_webserver_service + +if [ "$1" == "gen-config-only" ]; +then + check_services_for_nextcloud + configure_nginx_service +elif [ "$1" == "install" ]; +then + check_services_for_nextcloud + configure_nginx_service + install_package_nextcloud + enable_nextlcoud_php_modules + create_nextcloud_db + install_configuration_files_nextcloud + install_nextcloud + restart_webserver_service +fi + + + diff --git a/install_nginx_service.sh b/install_nginx_service.sh index 95f3732..00a6d66 100755 --- a/install_nginx_service.sh +++ b/install_nginx_service.sh 
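Review bot: `psql template1 postgres -c "ALTER DATABASE $nextcloud_db_name OWNER TO nextcloud_db_user;"` is missing the `$` on the role name, so PostgreSQL looks for a role literally named nextcloud_db_user and the statement fails; it should read `OWNER TO $nextcloud_db_user;`. While touching these lines, note that `$nextcloud_db_pass` is interpolated into the SQL text and passed on the psql command line, so it is visible in the process list and a password containing a single quote breaks the statement; feeding the SQL on stdin (`psql template1 postgres <<EOF`) keeps it out of argv.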
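Review bot: The new dispatch calls `check_services_for_nextcloud`, while the removed call was `check_services_for_nextlcoud`; the diff does not show the function definition being renamed, and the neighbouring `enable_nextlcoud_php_modules` keeps the old spelling, so unless the definition was corrected outside this hunk the script now calls an undefined function in both arms. Confirm the definition's name matches, and consider renaming `enable_nextlcoud_php_modules` at the same time so the two spellings do not coexist.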
@@ -10,61 +10,8 @@ install_nginx_package() gen_nginx_configuration() { - cat > my_configuration/nginx/nginx.conf < my_configuration/nginx/site-available/$DOMAIN < /tmp/newsyslog.conf + egrep -v "nginx|httpd" /etc/newsyslog.conf > /tmp/newsyslog.conf cat >> /tmp/newsyslog.conf < my_configuration/php/php-fpm.conf < my_configuration/postgresql/pg_hba.conf < /tmp/passwordpsql.txt - su -m _postgresql -c "initdb -D /var/postgresql/data -U postgres -A md5 -E UTF8 --pwfile=/tmp/passwordpsql.txt" - rm /tmp/passwordpsql.txt + cp -v default_configuration/postgresql/pg_hba.conf my_configuration/postgresql/pg_hba.conf } -install_postgresql_configurations_files(){ +make_data_directory() +{ + su -m _postgresql -c "mkdir /var/postgresql/data" + echo $postgresql_root_password > /tmp/passwordpsql.txt + [ ! -d "/var/postgresql/data" ] || mv /var/postgresql/data /var/postgresql/data.old + su -m _postgresql -c "initdb -D /var/postgresql/data -U postgres -A scram-sha-256 -E UTF8 --pwfile=/tmp/passwordpsql.txt" + rm /tmp/passwordpsql.txt +} + +install_postgresql_configurations_files() +{ cp -v my_configuration/postgresql/pg_hba.conf /var/postgresql/data/pg_hba.conf } -start_postgresql_service(){ +start_postgresql_service() +{ rcctl start postgresql } -mkdir my_configuration/postgresql/ -#install_postresql_packages -configure_postgresql_service -install_postgresql_configurations_files -start_postgresql_service + +if [ "$1" == "gen-config-only" ]; +then + configure_postgresql_service +elif [ "$1" == "install" ]; +then + install_postresql_packages + configure_postgresql_service + install_postgresql_configurations_files + start_postgresql_service +fi diff --git a/install_pywallter.sh b/install_pywallter.sh index 66c0165..8d7d41d 100755 --- a/install_pywallter.sh +++ b/install_pywallter.sh 
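Review bot: In make_data_directory the password is written with `echo $postgresql_root_password > /tmp/passwordpsql.txt`, a fixed, predictable name in /tmp created under the default umask, so another local user can read it while initdb runs or pre-create the file so the write lands where they choose. Write it with umask 077 to a mktemp file, chown it to _postgresql (initdb runs as that user via `su -m`), and remove it from a `trap … EXIT` so a failing initdb does not leave it behind. The ordering is also wrong: `su -m _postgresql -c "mkdir /var/postgresql/data"` runs before `[ ! -d "/var/postgresql/data" ] || mv …`, so the test always sees the directory just created and moves an empty directory to data.old, nesting it inside any data.old that already exists. Doing the existence check first and letting initdb create the directory avoids both problems; the rewrite below keeps the original mv and initdb arguments. The `diff --git` header for install_postgresql_service.sh is not readable in this extraction, so the hunk boundary here is inferred.
```shell
make_data_directory()
{
  [ ! -d /var/postgresql/data ] || mv /var/postgresql/data /var/postgresql/data.old
  pwfile=$(umask 077 && mktemp) || exit 1
  trap 'rm -f -- "$pwfile"' EXIT
  printf '%s\n' "$postgresql_root_password" > "$pwfile"
  chown _postgresql "$pwfile"
  su -m _postgresql -c "initdb -D /var/postgresql/data -U postgres -A scram-sha-256 -E UTF8 --pwfile=$pwfile"
}
```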
@@ -28,11 +28,22 @@ DOSSIER_APP = "./users/" DATABASE = "./base.db" EXT_IMG= {'.jpg', '.JPG', '.png', '.PNG', '.gif', '.GIF', '.bmp', '.BMP', '.jpeg', '.JPEG' } SIGNIN_ENABLE = True -XMPP_SERVER = True -MAIL_SERVER = True SETUID='doas' EOF + if [ SERVICE_MAIL = "yes" ]; + then + echo "MAIL_SERVER = True" >> my_configuration/pywallter/config.py + else + echo "MAIL_SERVER = False" >> my_configuration/pywallter/config.py + fi + + if [ SERVICE_XMPP = "yes" ]; + then + echo "XMPP_SERVER = True" >> my_configuration/pywallter/config.py + else + echo "XMPP_SERVER = False" >> myconfiguration/pywallter/config.py + fi } @@ -58,7 +69,15 @@ EOF } mkdir my_configuration/pywallter/ -gen_pywallter_configuration_app -gen_nginx_pywallter_app -install_pywallter_app -install_pywallter_configuration_files + +if [ "$1" == "gen-config-only" ]; +then + gen_pywallter_configuration_app + gen_nginx_pywallter_app +elif [ "$1" == "install" ]; +then + gen_pywallter_configuration_app + gen_nginx_pywallter_app + install_pywallter_app + install_pywallter_configuration_files +fi diff --git a/install_xmpp_service.sh b/install_xmpp_service.sh index 9dbc5c3..b994d1a 100755 --- a/install_xmpp_service.sh +++ b/install_xmpp_service.sh 
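Review bot: `if [ SERVICE_MAIL = "yes" ]` compares the literal word SERVICE_MAIL with "yes" (no `$`), so the test is always false and MAIL_SERVER is always written as False; `[ SERVICE_XMPP = "yes" ]` has the same defect. Write `if [ "$SERVICE_MAIL" = "yes" ]` and `if [ "$SERVICE_XMPP" = "yes" ]`. The XMPP else branch, the one that currently always runs, also appends to `myconfiguration/pywallter/config.py` (missing underscore), a directory that is never created, so the generated config.py ends up with no XMPP_SERVER line at all.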
@@ -13,11 +13,11 @@ install_prosody_package(){ gen_prosody_configuration(){ - cp -v default_configuration/xmpp/prosody.cfg.lua.example default_configuration/xmpp/prosody.cfg.lua - sed -i "s/__DOMAIN__/$DOMAIN/g" default_configuration/xmpp/prosody.cfg.lua - cp -v default_configuration/xmpp/virtualHosts/example.com.conf default_configuration/xmpp/virtualHosts/$DOMAIN.conf - sed -i "s/__DOMAIN__/$DOMAIN/g" default_configuration/xmpp/virtualHosts/$DOMAIN.conf - sed -i "s/__xmpp_passphrase_for_filesuploads__/$xmpp_passphrase_for_filesuploads/g" default_configuration/xmpp/virtualHosts/$DOMAIN.conf + cp -v default_configuration/xmpp/prosody.cfg.lua.example my_configuration/xmpp/prosody.cfg.lua + sed -i "s/__DOMAIN__/$DOMAIN/g" my_configuration/xmpp/prosody.cfg.lua + cp -v default_configuration/xmpp/virtualHosts/example.com.conf my_configuration/xmpp/virtualHosts/$DOMAIN.conf + sed -i "s/__DOMAIN__/$DOMAIN/g" my_configuration/xmpp/virtualHosts/$DOMAIN.conf + sed -i "s/__xmpp_passphrase_for_filesuploads__/$xmpp_passphrase_for_filesuploads/g" my_configuration/xmpp/virtualHosts/$DOMAIN.conf } @@ -28,7 +28,6 @@ install_xmpp_certs_ssl(){ install -o _prosody -g _prosody my_configuration/xmpp/dh-2048.pem /etc/prosody/certs/dh-2048.pem install -o _prosody -g _prosody /etc/ssl/private/"$DOMAIN".key /etc/prosody/certs/"$DOMAIN".key; install -o _prosody -g _prosody /etc/ssl/"$DOMAIN".crt /etc/prosody/certs/"$DOMAIN".crt; - } install_prosody_modules(){ @@ -45,7 +44,6 @@ install_prosody_modules(){ gen_nginx_configuration_files_upload(){ - cp -v default_configuration/xmpp/nginx.conf.sample my_configuration/xmpp/upload.$DOMAIN cp -v default_configuration/xmpp/share.php.sample my_configuration/xmpp/share.php sed -i "s/__DOMAIN__/$DOMAIN/g" my_configuration/xmpp/upload.$DOMAIN @@ -82,6 +80,7 @@ install_xmpp_configurations_files(){ mkdir my_configuration/xmpp + if [ "$1" == "gen-config-only" ]; then gen_prosody_configuration 
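Review bot: `sed -i "s/__xmpp_passphrase_for_filesuploads__/$xmpp_passphrase_for_filesuploads/g" my_configuration/xmpp/virtualHosts/$DOMAIN.conf` interpolates a secret into a sed expression: a `/`, `&` or `\` in the passphrase alters the expression instead of being substituted literally, and the value is exposed in the process arguments for the duration of the call. Either escape those three characters before substitution or restrict the generated passphrase to `[A-Za-z0-9]`, and quote `"$DOMAIN"` in the path arguments as the other scripts in this commit already do.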
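Review bot: The removed `cp -v default_configuration/xmpp/nginx.conf.sample my_configuration/xmpp/upload.$DOMAIN` was the only line in gen_nginx_configuration_files_upload that created upload.$DOMAIN, yet the following `sed -i "s/__DOMAIN__/$DOMAIN/g" my_configuration/xmpp/upload.$DOMAIN` is kept; unless that file is now produced elsewhere (nothing in this diff shows it), sed fails on a missing file and no nginx upload vhost is generated. Either restore the cp or drop the sed together with it. The rest of this function continues outside the hunk.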
@@ -97,3 +96,11 @@ then rcctl enable prosody rcctl start prosody fi + +if [ "$1" == "gen-config-only" ]; +then + #code +elif [ "$1" == "install" ]; +then + #Code +fi diff --git a/myserver.conf b/myserver.conf index c9a64e2..2708ca7 100644 --- a/myserver.conf +++ b/myserver.conf @@ -1,5 +1,5 @@ -## Par défault le domain est le nom d'hote de la machine maisil est possible de le personnaliser +## Par défault le domain est le nom d'hote de la machine mais il est possible de le personnaliser ## comme l'exemple ce-dessous # DOMAIN="example.com" DOMAIN=`hostname` diff --git a/utils.sh b/utils.sh index bb1b4e2..6a1a846 100755 --- a/utils.sh +++ b/utils.sh @@ -6,7 +6,7 @@ restart_mails_service() } restart_php_service(){ - rcctl restart php80_fpm + rcctl restart php81_fpm } restart_postgresql_service(){
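Review bot: The appended `if [ "$1" == "gen-config-only" ]; then #code elif … then #Code fi` block has no command between `then` and `elif` (comments are not statements), so the shell reports a syntax error for the whole file and install_xmpp_service.sh no longer runs at all, including the working dispatch that already exists at line 82. Delete the block, or if it is meant as a placeholder put `:` in each arm until it has a body.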