Correction & update scripts
This commit is contained in:
parent
b8fbc07a97
commit
7f34b60582
|
@ -4,24 +4,23 @@
|
||||||
gen_nginx_acme_conf(){
|
gen_nginx_acme_conf(){
|
||||||
domain=$1
|
domain=$1
|
||||||
alt_domain=$2
|
alt_domain=$2
|
||||||
nginx_run=`rcctl check nginx`
|
nginx_conf_file="/etc/nginx/sites-enabled/$domain"
|
||||||
|
[ ! -f $nginx_conf_file ] || rm $nginx_conf_file;
|
||||||
if [ "$nginx_run" == "nginx(ok)" ]; then
|
|
||||||
cat > test/$domain <<EOF
|
mkdir /var/www/htdocs/$domain
|
||||||
|
rcctl check nginx
|
||||||
|
if [ $? == 0 ]; then
|
||||||
|
cat > $nginx_conf_file <<EOF
|
||||||
server {
|
server {
|
||||||
listen 80;
|
listen 80;
|
||||||
server_name $alt_domain $domain;
|
server_name $alt_domain $domain;
|
||||||
|
|
||||||
include snippets/acme-challenge.conf;
|
include snippets/acme-challenge.conf;
|
||||||
|
root /htdocs/$domain;
|
||||||
root /htdocs;
|
|
||||||
|
|
||||||
}
|
}
|
||||||
EOF
|
EOF
|
||||||
|
rcctl reload nginx
|
||||||
# rcctl restart nginx
|
|
||||||
else
|
else
|
||||||
echo "Service NGINX not runnig"
|
echo "Service NGINX not running"
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
@ -30,8 +29,12 @@ EOF
|
||||||
gen_acme_client_conf(){
|
gen_acme_client_conf(){
|
||||||
domain=$1
|
domain=$1
|
||||||
alt_domain=$2
|
alt_domain=$2
|
||||||
|
acme_conf_file="my_configuration/ssl/$domain-acme-client.conf"
|
||||||
|
# If the file exist, do nothing
|
||||||
|
[ ! -f $acme_conf_file ] || echo "Domain already configured !"; exit 1;
|
||||||
|
|
||||||
if [ "$alt_domain" == "" ]; then
|
if [ "$alt_domain" == "" ]; then
|
||||||
cat >> my_configuration/ssl/$domain-acme-client.conf <<EOF
|
cat >> $acme_conf_file <<EOF
|
||||||
|
|
||||||
domain $domain {
|
domain $domain {
|
||||||
domain key "/etc/ssl/private/$domain.key"
|
domain key "/etc/ssl/private/$domain.key"
|
||||||
|
@ -41,7 +44,7 @@ domain $domain {
|
||||||
|
|
||||||
EOF
|
EOF
|
||||||
else
|
else
|
||||||
cat >> my_configuration/ssl/$domain-acme-client.conf <<EOF
|
cat >> $acme_conf_file <<EOF
|
||||||
|
|
||||||
domain $domain {
|
domain $domain {
|
||||||
alternative names { $alt_domain }
|
alternative names { $alt_domain }
|
||||||
|
@ -55,40 +58,39 @@ EOF
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
add_acme_domain_to_conf(){
|
||||||
|
domain=$1
|
||||||
|
egrep "domain $domain" -A5 /etc/acme-client.conf > /tmp/acme-client.conf
|
||||||
|
cp -v /etc/acme-client.conf /etc/acme-client.conf.old
|
||||||
|
cp -v /tmp/acme-client.conf /etc/acme-client.conf
|
||||||
|
}
|
||||||
|
|
||||||
install_utils(){
|
install_utils(){
|
||||||
cp -v utils/renew_https_certificate /usr/local/bin/renew_https_certificate
|
cp -v utils/renew_https_certificate /usr/local/bin/renew_https_certificate
|
||||||
chmod u+x /usr/local/bin/renew_https_certificate
|
chmod u+x /usr/local/bin/renew_https_certificate
|
||||||
}
|
}
|
||||||
|
|
||||||
get_certificate(){
|
get_certificate()
|
||||||
|
{
|
||||||
domain=$1
|
domain=$1
|
||||||
|
|
||||||
/usr/local/bin/renew_https_certificate $domain
|
/usr/local/bin/renew_https_certificate $domain
|
||||||
}
|
}
|
||||||
|
|
||||||
usage(){
|
usage()
|
||||||
|
{
|
||||||
print "This program ask 3 arguments : \n"
|
print "This program ask 3 arguments : \n"
|
||||||
print "First is email with domain name the second is list of alternatives domains with \" \" \n"
|
print "First is email with domain name the second is list of alternatives domains with \" \" \n"
|
||||||
print "the last arguments is for share the ssl cert with xmpp daemon add xmpp at the end or not"
|
print "the last arguments is for share the ssl cert with xmpp daemon add xmpp at the end or not"
|
||||||
print "\t $0 domain.tld \"a.domain.tld b.domain.tld c.domain.tld\""
|
print "\t $0 domain.tld \"a.domain.tld b.domain.tld c.domain.tld\""
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
if [ -z $1 ];
|
if [ -z $1 ];
|
||||||
then
|
then
|
||||||
usage
|
usage
|
||||||
exit 3;
|
exit 3;
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -e /etc/acme-client.conf ]; then
|
|
||||||
echo ok
|
|
||||||
else
|
|
||||||
echo nok
|
|
||||||
fi
|
|
||||||
|
|
||||||
|
|
||||||
domain=$1
|
domain=$1
|
||||||
alt_domain=$2
|
alt_domain=$2
|
||||||
|
|
||||||
|
|
|
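Review bot: In gen_acme_client_conf the new guard `[ ! -f $acme_conf_file ] || echo "Domain already configured !"; exit 1;` exits unconditionally, because the `;` terminates the `||` list and `exit 1` then runs whether or not the file exists, so the function can never reach its heredocs. Write it as `if [ -f "$acme_conf_file" ]; then echo "Domain already configured !" >&2; exit 1; fi`. The parallel line in gen_nginx_acme_conf, `[ ! -f $nginx_conf_file ] || rm $nginx_conf_file;`, does work but should quote the path as `"$nginx_conf_file"`. Separately, add_acme_domain_to_conf stages through the fixed path /tmp/acme-client.conf, which any local user can pre-create or symlink before root writes to it, and then copies that 5-line egrep excerpt over /etc/acme-client.conf, replacing the whole file rather than merging into it; use `mktemp` for the scratch file and decide explicitly whether the intent is to append (`>>`) or to rewrite.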
@ -2,7 +2,7 @@
|
||||||
|
|
||||||
. ./myserver.conf
|
. ./myserver.conf
|
||||||
|
|
||||||
install_package(){
|
install_firewall_packages(){
|
||||||
pkg_add ssh_guard curl
|
pkg_add ssh_guard curl
|
||||||
useradd -s /sbin/nologin -d /var/empty _pfbadhost
|
useradd -s /sbin/nologin -d /var/empty _pfbadhost
|
||||||
ftp https://geoghegan.ca/pub/pf-badhost/0.5/pf-badhost.sh
|
ftp https://geoghegan.ca/pub/pf-badhost/0.5/pf-badhost.sh
|
||||||
|
@ -32,60 +32,36 @@ EOF
|
||||||
|
|
||||||
|
|
||||||
set_basic_configuration(){
|
set_basic_configuration(){
|
||||||
cat > my_configuration/pf.conf <<EOF
|
cp -v default_configruation/pf.conf my_configuration/pf.conf
|
||||||
#Filtres badhosts et sshguard
|
|
||||||
table <pfbadhost> persist file "/etc/pf-badhost.txt"
|
|
||||||
table <sshguard> persist
|
|
||||||
|
|
||||||
## Table pour les batards de bruteforceurs
|
|
||||||
table <bruteforce> persist
|
|
||||||
|
|
||||||
|
|
||||||
set block-policy drop # bloque silencieusement
|
|
||||||
set skip on lo # En local on s'en fou on surveille rien
|
|
||||||
set limit table-entries 400000
|
|
||||||
set limit states 100000
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
## Traitement des paquets ##
|
|
||||||
# Paquets partiels on vire
|
|
||||||
match all scrub (max-mss 1440 no-df random-id reassemble tcp)
|
|
||||||
antispoof quick for egress # Protection vol d'ip
|
|
||||||
antispoof quick for lo0 # Protection vol d'ip
|
|
||||||
|
|
||||||
# Port build user does not need network
|
|
||||||
block return out log proto {tcp udp} user _pbuild
|
|
||||||
|
|
||||||
# On bloque tout par défault
|
|
||||||
block
|
|
||||||
|
|
||||||
block quick on egress from <pfbadhost>
|
|
||||||
block in from <sshguard>
|
|
||||||
block log quick from <bruteforce> label "brutes"
|
|
||||||
|
|
||||||
pass out on egress proto { tcp udp icmp ipv6-icmp } modulate state
|
|
||||||
|
|
||||||
EOF
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
set_open_service(){
|
set_open_service(){
|
||||||
cat >> my_configuration/pf.conf <<EOF
|
cat >> my_configuration/pf.conf <<EOF
|
||||||
#déclaration des variables
|
#déclaration des variables
|
||||||
web_ports = "{ http https }"
|
web_ports = "{ http https }"
|
||||||
|
|
||||||
|
#On évite les bruteforces
|
||||||
|
pass in quick on egress proto { tcp, udp } from <whitelist> to port $web_ports
|
||||||
|
pass in on egress proto tcp to port $web_ports flags S/SA keep state \
|
||||||
|
(max-src-conn 100, max-src-conn-rate 15/5, \
|
||||||
|
overload <http_abusive_hosts> flush)
|
||||||
|
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
if [ "$SERVICE_MAIL" == "yes" ]; then
|
cat >> my_configuration/pf.conf
|
||||||
|
EOF
|
||||||
|
|
||||||
|
[ "$SERVICE_MAIL" == "yes" ] &&
|
||||||
echo "mail_ports = \"{ smtp submission imap }\"" >> default_configuration/pf.conf
|
echo "mail_ports = \"{ smtp submission imap }\"" >> default_configuration/pf.conf
|
||||||
fi
|
|
||||||
|
|
||||||
if [ "$SERVICE_XMPP" == "yes" ]; then
|
[ "$SERVICE_XMPP" == "yes" ] &&
|
||||||
echo "xmmp_ports = \"{ 5222 5269 }\"" >> default_configuration/pf.conf
|
echo "xmmp_ports = \"{ 5222 5269 }\"" >> default_configuration/pf.conf
|
||||||
fi
|
|
||||||
|
|
||||||
echo "ssh_port = \"$SSH_PORT\"" >> default_configuration/pf.conf
|
echo "ssh_port = \"$SSH_PORT\"" >> default_configuration/pf.conf
|
||||||
|
|
||||||
|
[ "$SERVICE_TURN" == "yes" ] &&
|
||||||
|
echo "turn_port = \"TURN_PORT\"" >> default_configuration/pf.conf
|
||||||
|
|
||||||
cat >> my_configuration/pf.conf <<EOF
|
cat >> my_configuration/pf.conf <<EOF
|
||||||
|
|
||||||
## Anti bruteforce
|
## Anti bruteforce
|
||||||
|
@ -95,13 +71,14 @@ EOF
|
||||||
pass in on egress proto tcp to port \$ssh_port modulate state \\
|
pass in on egress proto tcp to port \$ssh_port modulate state \\
|
||||||
(max-src-conn 5, max-src-conn-rate 15/5, overload <bruteforce> flush global)
|
(max-src-conn 5, max-src-conn-rate 15/5, overload <bruteforce> flush global)
|
||||||
|
|
||||||
#web
|
pass in quick on egress proto { tcp, udp } from <whitelist> to port $web_ports
|
||||||
pass in on egress proto tcp to port \$web_ports modulate state \\
|
pass in on egress proto tcp to port $web_ports flags S/SA keep state \
|
||||||
(max-src-conn 60, max-src-conn-rate 60/1, overload <bruteforce> flush global)
|
(max-src-conn 100, max-src-conn-rate 15/5, \
|
||||||
|
overload <http_abusive_hosts> flush)
|
||||||
|
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
if [ "$SERVICE_MAIL" == "yes" ]; then
|
[ "$SERVICE_MAIL" == "yes" ] &&
|
||||||
cat >> my_configuration/pf.conf <<EOF
|
cat >> my_configuration/pf.conf <<EOF
|
||||||
# mails
|
# mails
|
||||||
## antispam
|
## antispam
|
||||||
|
@ -110,19 +87,27 @@ pass in on egress proto tcp to port \$mail_ports modulate state \\
|
||||||
pass out log on egress proto tcp to any port smtp
|
pass out log on egress proto tcp to any port smtp
|
||||||
|
|
||||||
EOF
|
EOF
|
||||||
fi
|
|
||||||
|
|
||||||
if [ "$SERVICE_XMPP" == "yes" ]; then
|
[ "$SERVICE_XMPP" == "yes" ] &&
|
||||||
cat >> my_configuration/pf.conf <<EOF
|
cat >> my_configuration/pf.conf <<EOF
|
||||||
# XMPP
|
# XMPP
|
||||||
pass in on egress proto tcp to port \$xmpp_ports modulate state \\
|
pass in on egress proto tcp to port \$xmpp_ports modulate state \\
|
||||||
(max-src-conn 15, max-src-conn-rate 15/5, overload <bruteforce> flush global)
|
(max-src-conn 15, max-src-conn-rate 15/5, overload <bruteforce> flush global)
|
||||||
EOF
|
EOF
|
||||||
fi
|
|
||||||
|
|
||||||
|
[ "$SERVICE_TURN" == "yes" ] &&
|
||||||
|
cat >> my_configuration/pf.conf <<EOF
|
||||||
|
pass in on egress proto tcp to port $turn_port modulate state \
|
||||||
|
(max-src-conn 20, max-src-conn-rate 30/1, overload <bruteforce> flush global)
|
||||||
|
|
||||||
|
pass in on egress proto udp to port $turn_port
|
||||||
|
|
||||||
|
EOF
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
install_pf_and_enable(){
|
install_conf_and_enable(){
|
||||||
pfctl -nf my_configuration/pf.conf
|
pfctl -nf my_configuration/pf.conf
|
||||||
if [ $? == 0 ]; then
|
if [ $? == 0 ]; then
|
||||||
cp -v /etc/pf.conf /etc/pf.old
|
cp -v /etc/pf.conf /etc/pf.old
|
||||||
|
@ -134,5 +119,14 @@ install_pf_and_enable(){
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
set_basic_configuration
|
if [ "$1" == "gen-config-only" ];
|
||||||
set_open_service
|
then
|
||||||
|
set_basic_configuration
|
||||||
|
set_open_service
|
||||||
|
elif [ "$1" == "install" ];
|
||||||
|
then
|
||||||
|
install_firewall_packages
|
||||||
|
set_basic_configuration
|
||||||
|
set_open_service
|
||||||
|
install_conf_and_enable
|
||||||
|
fi
|
||||||
|
|
|
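Review bot: In set_open_service the new web rules `pass in quick on egress proto { tcp, udp } from <whitelist> to port $web_ports` and `pass in on egress proto tcp to port $web_ports flags S/SA keep state \` sit inside an unquoted heredoc, so `$web_ports` is expanded by the shell at generation time (to an empty string unless a shell variable of that name happens to exist) instead of being emitted as the pf macro; the existing ssh rule in the same function escapes it as `\$ssh_port` and ends its continuation line with `\\`. The TURN block has the same problem with `$turn_port` on both its tcp and udp lines, and the macro definition `echo "turn_port = \"TURN_PORT\""` writes the literal text TURN_PORT rather than the value of `$TURN_PORT`. Change these to `\$web_ports`, `\$turn_port` and `\"$TURN_PORT\"`. Also, the `<whitelist>` and `<http_abusive_hosts>` tables referenced by the new rules are not declared anywhere in this script; unless `default_configruation/pf.conf` (note the misspelled directory on the cp line, which differs from the `default_configuration` used by the echo lines) defines them, `pfctl -nf` will reject the generated ruleset in install mode.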
@ -5,176 +5,21 @@
|
||||||
|
|
||||||
install_mails_services_pkg()
|
install_mails_services_pkg()
|
||||||
{
|
{
|
||||||
pkg_add dovecot dovecot-pigeonhole opensmtpd-filter-rspamd \
|
pkg_add dovecot dovecot-pigeonhole opensmtpd-filter-rspamd redis-6.2.12\
|
||||||
opensmtpd-extras-6.7.1v0 opensmtpd-filter-dkimsign-0.5 rspamd-3.2
|
opensmtpd-extras-6.7.1v0 opensmtpd-filter-dkimsign-0.5 rspamd-3.2
|
||||||
}
|
}
|
||||||
|
|
||||||
gen_mails_service_configuration()
|
gen_mails_service_configuration()
|
||||||
{
|
{
|
||||||
|
cp -v default_configuration/opensmtpd/smtpd.conf.example my_configuration/opensmtpd/smtpd.conf
|
||||||
#Generate opensmtpd configuration
|
sed -i "s/__DOMAIN__/$DOMAIN/g" my_configuration/opensmtpd/smtpd.conf
|
||||||
cat > my_configuration/mail/smtpd.conf <<EOF
|
cp -v default_configuration/opensmtpd/spamd.conf.example my_configuration/opensmtpd/spamd.conf
|
||||||
# See smtpd.conf(5) for more information.
|
cp -v default_configuration/dovecot/dovecot.conf.example my_configuration/dovecot/dovecot.conf
|
||||||
|
cp -v default_configuration/dovecot/local.conf.example my_configuration/dovecot/dovecot.conf
|
||||||
|
|
||||||
# To accept external mail, replace with: listen on all
|
|
||||||
#
|
|
||||||
|
|
||||||
# les Certificats
|
|
||||||
pki "cert_mail" cert "/etc/ssl/$DOMAIN.crt"
|
|
||||||
pki "cert_mail" key "/etc/ssl/private/$DOMAIN.key"
|
|
||||||
|
|
||||||
table aliases file:/etc/mail/aliases
|
|
||||||
table passwd file:/etc/mail/passwd
|
|
||||||
table virtuals file:/etc/mail/virtuals
|
|
||||||
|
|
||||||
filter "rspamd" proc-exec "filter-rspamd"
|
|
||||||
filter "dkimsign" proc-exec "filter-dkimsign -d $DOMAIN -s dkim -k /etc/mail/dkim/$DOMAIN-private.key" user _dkimsign group _dkimsign
|
|
||||||
|
|
||||||
# Activation du check du reverse DNS
|
|
||||||
#filter check_rdns phase connect match !rdns disconnect "550 no rDNS available"
|
|
||||||
#filter check_fcrdns phase connect match !fcrdns disconnect "550 no FCrDNS available"
|
|
||||||
|
|
||||||
# To accept external mail, replace with: listen on all
|
|
||||||
|
|
||||||
|
|
||||||
listen on all tls pki "cert_mail" hostname "$DOMAIN" filter rspamd
|
|
||||||
listen on all port submission tls-require pki "cert_mail" auth <passwd> filter dkimsign
|
|
||||||
|
|
||||||
action "local_mail" mbox alias <aliases>
|
|
||||||
action "domain_mail" maildir "/var/vmail/$DOMAIN/%{dest.user:lowercase}" virtual <virtuals>
|
|
||||||
action "outbound" relay
|
|
||||||
|
|
||||||
|
|
||||||
# Uncomment the following to accept external mail for domain "example.org"
|
|
||||||
match from any for domain "$DOMAIN" action "domain_mail"
|
|
||||||
match from local for local action "local_mail"
|
|
||||||
|
|
||||||
match auth from any for any action "outbound"
|
|
||||||
|
|
||||||
EOF
|
|
||||||
|
|
||||||
#Generate spamd configuration
|
|
||||||
cat > my_configuration/mail/spamd.conf <<EOF
|
|
||||||
|
|
||||||
all:\
|
|
||||||
:nixspam:
|
|
||||||
|
|
||||||
# Nixspam recent sources list.
|
|
||||||
# Mirrored from http://www.heise.de/ix/nixspam
|
|
||||||
nixspam:\
|
|
||||||
:black:\
|
|
||||||
:msg="Your address %A is in the nixspam list\n\
|
|
||||||
See http://www.heise.de/ix/nixspam/dnsbl_en/ for details":\
|
|
||||||
:method=https:\
|
|
||||||
:file=www.openbsd.org/spamd/nixspam.gz
|
|
||||||
|
|
||||||
# An example of a list containing addresses which should not talk to spamd.
|
|
||||||
#
|
|
||||||
#override:\
|
|
||||||
# :white:\
|
|
||||||
# :method=file:\
|
|
||||||
# :file=/var/db/override.txt:
|
|
||||||
|
|
||||||
EOF
|
|
||||||
|
|
||||||
## Generate Dovecot configuration
|
|
||||||
cat > my_configuration/dovecot/local.conf <<EOF
|
|
||||||
listen = *
|
|
||||||
protocols = imap
|
|
||||||
first_valid_uid = 1000
|
|
||||||
first_valid_gid = 1000
|
|
||||||
mail_location = maildir:/var/vmail/%d/%n
|
|
||||||
mail_plugin_dir = /usr/local/lib/dovecot
|
|
||||||
disable_plaintext_auth = yes
|
|
||||||
|
|
||||||
managesieve_notify_capability = mailto
|
|
||||||
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext imapsieve vnd.dovecot.imapsieve
|
|
||||||
|
|
||||||
mbox_write_locks = fcntl
|
|
||||||
mmap_disable = yes
|
|
||||||
namespace inbox {
|
|
||||||
inbox = yes
|
|
||||||
location =
|
|
||||||
mailbox Archive {
|
|
||||||
auto = subscribe
|
|
||||||
special_use = \Archive
|
|
||||||
}
|
|
||||||
mailbox Drafts {
|
|
||||||
auto = subscribe
|
|
||||||
special_use = \Drafts
|
|
||||||
}
|
|
||||||
mailbox Junk {
|
|
||||||
auto = subscribe
|
|
||||||
special_use = \Junk
|
|
||||||
}
|
|
||||||
mailbox Sent {
|
|
||||||
auto = subscribe
|
|
||||||
special_use = \Sent
|
|
||||||
}
|
|
||||||
mailbox Trash {
|
|
||||||
auto = subscribe
|
|
||||||
special_use = \Trash
|
|
||||||
}
|
|
||||||
prefix =
|
|
||||||
}
|
}
|
||||||
|
|
||||||
service auth {
|
gen_dkim_keys()
|
||||||
user = $default_internal_user
|
{
|
||||||
group = _maildaemons
|
|
||||||
}
|
|
||||||
|
|
||||||
passdb {
|
|
||||||
args = scheme=blf-crypt /etc/mail/passwd
|
|
||||||
driver = passwd-file
|
|
||||||
}
|
|
||||||
|
|
||||||
plugin {
|
|
||||||
imapsieve_mailbox1_before = file:/usr/local/lib/dovecot/sieve/report-spam.sieve
|
|
||||||
imapsieve_mailbox1_causes = COPY
|
|
||||||
imapsieve_mailbox1_name = Junk
|
|
||||||
imapsieve_mailbox2_before = file:/usr/local/lib/dovecot/sieve/report-ham.sieve
|
|
||||||
imapsieve_mailbox2_causes = COPY
|
|
||||||
imapsieve_mailbox2_from = Junk
|
|
||||||
imapsieve_mailbox2_name = *
|
|
||||||
sieve = file:~/sieve;active=~/.dovecot.sieve
|
|
||||||
sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment
|
|
||||||
sieve_pipe_bin_dir = /usr/local/lib/dovecot/sieve
|
|
||||||
sieve_plugins = sieve_imapsieve sieve_extprograms
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
protocols = imap sieve
|
|
||||||
service imap-login {
|
|
||||||
inet_listener imap {
|
|
||||||
port = 143
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
ssl = required
|
|
||||||
|
|
||||||
ssl_min_protocol = TLSv1.2
|
|
||||||
ssl_cipher_list = EECDH+AESGCM
|
|
||||||
ssl_prefer_server_ciphers = yes
|
|
||||||
#ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
|
|
||||||
|
|
||||||
ssl_cert = </etc/ssl/$DOMAIN.crt
|
|
||||||
ssl_key = </etc/ssl/private/$DOMAIN.key
|
|
||||||
|
|
||||||
userdb {
|
|
||||||
driver = static
|
|
||||||
args = uid=vmail gid=vmail home=/var/vmail/%d/%n/
|
|
||||||
}
|
|
||||||
|
|
||||||
protocol imap {
|
|
||||||
mail_plugins = " imap_sieve"
|
|
||||||
}
|
|
||||||
|
|
||||||
EOF
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
gen_dkim_keys(){
|
|
||||||
# Generate dkim key
|
# Generate dkim key
|
||||||
openssl genrsa -out my_configuration/mail/$DOMAIN-private.key 2048
|
openssl genrsa -out my_configuration/mail/$DOMAIN-private.key 2048
|
||||||
openssl rsa -in my_configuration/mail/$DOMAIN-private.key -pubout | \
|
openssl rsa -in my_configuration/mail/$DOMAIN-private.key -pubout | \
|
||||||
|
@ -237,11 +82,12 @@ EOF
|
||||||
|
|
||||||
install_mails_services_configuration()
|
install_mails_services_configuration()
|
||||||
{
|
{
|
||||||
cp my_configuration/mail/smtpd.conf /etc/mail/smtpd.conf
|
cp -v my_configuration/mail/smtpd.conf /etc/mail/smtpd.conf
|
||||||
cp my_configuration/dovecot/local.conf /etc/dovecot/local.conf
|
cp -v my_configuration/dovecot/dovecot.conf /etc/dovecot/
|
||||||
|
cp -v my_configuration/dovecot/local.conf /etc/dovecot/local.conf
|
||||||
mkdir /etc/mail/dkim/
|
mkdir /etc/mail/dkim/
|
||||||
cp my_configuration/mail/$DOMAIN-private.key /etc/mail/dkim/
|
cp -v my_configuration/mail/$DOMAIN-private.key /etc/mail/dkim/
|
||||||
cp my_configuration/mail/$DOMAIN-public.key /etc/mail/dkim/
|
cp -v my_configuration/mail/$DOMAIN-public.key /etc/mail/dkim/
|
||||||
chown -R _dkimsign /etc/mail/dkim/
|
chown -R _dkimsign /etc/mail/dkim/
|
||||||
touch /etc/mail/virtuals
|
touch /etc/mail/virtuals
|
||||||
touch /etc/mail/passwd
|
touch /etc/mail/passwd
|
||||||
|
@ -259,7 +105,7 @@ make_system_mails_services_requirements()
|
||||||
usermod -G _maildaemons _dovecot
|
usermod -G _maildaemons _dovecot
|
||||||
usermod -G _maildaemons _smtpd
|
usermod -G _maildaemons _smtpd
|
||||||
|
|
||||||
cp /etc/login.conf /etc/login.conf.old
|
cp /etc/login.conf /etc/login.conf.orig
|
||||||
cat >> /etc/login.conf <<EOF
|
cat >> /etc/login.conf <<EOF
|
||||||
dovecot:\
|
dovecot:\
|
||||||
:openfiles-cur=1024:\
|
:openfiles-cur=1024:\
|
||||||
|
@ -269,15 +115,23 @@ EOF
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
mkdir my_configuration/mail
|
make_directory_configuration()
|
||||||
mkdir my_configuration/dovecot
|
{
|
||||||
|
mkdir my_configuration/mail
|
||||||
|
mkdir my_configuration/dovecot
|
||||||
|
}
|
||||||
|
|
||||||
install_mails_services_pkg
|
if [ "$1" == "gen-config-only" ];
|
||||||
gen_mails_service_configuration
|
then
|
||||||
gen_dkim_keys
|
gen_mails_service_configuration
|
||||||
gen_mails_service_utils
|
gen_dkim_keys
|
||||||
install_mails_services_configuration
|
elif [ "$1" == "install" ];
|
||||||
make_system_mails_services_requirements
|
then
|
||||||
rcctl enable redis
|
install_mails_services_pkg
|
||||||
rcctl start redis
|
gen_mails_service_configuration
|
||||||
restart_mails_service
|
gen_dkim_keys
|
||||||
|
install_mails_services_configuration
|
||||||
|
make_system_mails_services_requirements
|
||||||
|
rcctl enable redis
|
||||||
|
rcctl start redis
|
||||||
|
restart_mails_service
|
||||||
|
|
|
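Review bot: In gen_mails_service_configuration the two dovecot copies target the same file: `cp -v default_configuration/dovecot/dovecot.conf.example my_configuration/dovecot/dovecot.conf` is immediately overwritten by `cp -v default_configuration/dovecot/local.conf.example my_configuration/dovecot/dovecot.conf`, so the installed dovecot.conf actually holds the local.conf content and `my_configuration/dovecot/local.conf`, which install_mails_services_configuration later copies to /etc/dovecot/local.conf, is never produced. The second destination should be `my_configuration/dovecot/local.conf`. The opensmtpd paths are inconsistent too: the config is generated under `my_configuration/opensmtpd/` but installed from `my_configuration/mail/smtpd.conf`, and make_directory_configuration creates only `mail` and `dovecot` and is not called from either the gen-config-only or the install branch, so the cp targets will not exist on a fresh checkout. Note also that the `__DOMAIN__` sed is applied only to smtpd.conf, while the local.conf example added in this commit carries a hard-coded certificate path; run the same substitution over the dovecot (and spamd) templates as well.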
@ -0,0 +1,101 @@
|
||||||
|
## Dovecot configuration file
|
||||||
|
|
||||||
|
# If you're in a hurry, see http://wiki2.dovecot.org/QuickConfiguration
|
||||||
|
|
||||||
|
# "doveconf -n" command gives a clean output of the changed settings. Use it
|
||||||
|
# instead of copy&pasting files when posting to the Dovecot mailing list.
|
||||||
|
|
||||||
|
# '#' character and everything after it is treated as comments. Extra spaces
|
||||||
|
# and tabs are ignored. If you want to use either of these explicitly, put the
|
||||||
|
# value inside quotes, eg.: key = "# char and trailing whitespace "
|
||||||
|
|
||||||
|
# Most (but not all) settings can be overridden by different protocols and/or
|
||||||
|
# source/destination IPs by placing the settings inside sections, for example:
|
||||||
|
# protocol imap { }, local 127.0.0.1 { }, remote 10.0.0.0/8 { }
|
||||||
|
|
||||||
|
# Default values are shown for each setting, it's not required to uncomment
|
||||||
|
# those. These are exceptions to this though: No sections (e.g. namespace {})
|
||||||
|
# or plugin settings are added by default, they're listed only as examples.
|
||||||
|
# Paths are also just examples with the real defaults being based on configure
|
||||||
|
# options. The paths listed here are for configure --prefix=/usr
|
||||||
|
# --sysconfdir=/etc --localstatedir=/var
|
||||||
|
|
||||||
|
# Protocols we want to be serving.
|
||||||
|
protocols = imap
|
||||||
|
|
||||||
|
# A comma separated list of IPs or hosts where to listen in for connections.
|
||||||
|
# "*" listens in all IPv4 interfaces, "::" listens in all IPv6 interfaces.
|
||||||
|
# If you want to specify non-default ports or anything more complex,
|
||||||
|
# edit conf.d/master.conf.
|
||||||
|
listen = *, ::
|
||||||
|
|
||||||
|
# Base directory where to store runtime data.
|
||||||
|
#base_dir = /var/dovecot/
|
||||||
|
|
||||||
|
# Name of this instance. In multi-instance setup doveadm and other commands
|
||||||
|
# can use -i <instance_name> to select which instance is used (an alternative
|
||||||
|
# to -c <config_path>). The instance name is also added to Dovecot processes
|
||||||
|
# in ps output.
|
||||||
|
#instance_name = dovecot
|
||||||
|
|
||||||
|
# Greeting message for clients.
|
||||||
|
#login_greeting = Dovecot ready.
|
||||||
|
|
||||||
|
# Space separated list of trusted network ranges. Connections from these
|
||||||
|
# IPs are allowed to override their IP addresses and ports (for logging and
|
||||||
|
# for authentication checks). disable_plaintext_auth is also ignored for
|
||||||
|
# these networks. Typically you'd specify your IMAP proxy servers here.
|
||||||
|
#login_trusted_networks =
|
||||||
|
|
||||||
|
# Space separated list of login access check sockets (e.g. tcpwrap)
|
||||||
|
#login_access_sockets =
|
||||||
|
|
||||||
|
# With proxy_maybe=yes if proxy destination matches any of these IPs, don't do
|
||||||
|
# proxying. This isn't necessary normally, but may be useful if the destination
|
||||||
|
# IP is e.g. a load balancer's IP.
|
||||||
|
#auth_proxy_self =
|
||||||
|
|
||||||
|
# Show more verbose process titles (in ps). Currently shows user name and
|
||||||
|
# IP address. Useful for seeing who are actually using the IMAP processes
|
||||||
|
# (eg. shared mailboxes or if same uid is used for multiple accounts).
|
||||||
|
#verbose_proctitle = no
|
||||||
|
|
||||||
|
# Should all processes be killed when Dovecot master process shuts down.
|
||||||
|
# Setting this to "no" means that Dovecot can be upgraded without
|
||||||
|
# forcing existing client connections to close (although that could also be
|
||||||
|
# a problem if the upgrade is e.g. because of a security fix).
|
||||||
|
#shutdown_clients = yes
|
||||||
|
|
||||||
|
# If non-zero, run mail commands via this many connections to doveadm server,
|
||||||
|
# instead of running them directly in the same process.
|
||||||
|
#doveadm_worker_count = 0
|
||||||
|
# UNIX socket or host:port used for connecting to doveadm server
|
||||||
|
#doveadm_socket_path = doveadm-server
|
||||||
|
|
||||||
|
# Space separated list of environment variables that are preserved on Dovecot
|
||||||
|
# startup and passed down to all of its child processes. You can also give
|
||||||
|
# key=value pairs to always set specific settings.
|
||||||
|
#import_environment = TZ
|
||||||
|
|
||||||
|
##
|
||||||
|
## Dictionary server settings
|
||||||
|
##
|
||||||
|
|
||||||
|
# Dictionary can be used to store key=value lists. This is used by several
|
||||||
|
# plugins. The dictionary can be accessed either directly or though a
|
||||||
|
# dictionary server. The following dict block maps dictionary names to URIs
|
||||||
|
# when the server is used. These can then be referenced using URIs in format
|
||||||
|
# "proxy::<name>".
|
||||||
|
|
||||||
|
dict {
|
||||||
|
#quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
|
||||||
|
}
|
||||||
|
|
||||||
|
# Most of the actual configuration gets included below. The filenames are
|
||||||
|
# first sorted by their ASCII value and parsed in that order. The 00-prefixes
|
||||||
|
# in filenames are intended to make it easier to understand the ordering.
|
||||||
|
#!include conf.d/*.conf
|
||||||
|
|
||||||
|
# A config file can also tried to be included without giving an error if
|
||||||
|
# it's not found:
|
||||||
|
!include_try local.conf
|
|
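Review bot: The closing `!include_try local.conf` makes the whole hardening layer optional: if the install step fails to place /etc/dovecot/local.conf (and this commit's mail script, as written, never generates that file because both dovecot copies land in dovecot.conf), Dovecot starts silently with only the stock settings in this file, without the `ssl = required`, passdb, userdb or mailbox configuration that local.conf carries. Since local.conf holds the security-relevant settings, require it with `!include local.conf` so that a missing file is a startup error rather than a quietly degraded server. Leaving `#!include conf.d/*.conf` commented is consistent with keeping everything in local.conf, but a one-line comment stating that intent would help the next maintainer.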
@ -0,0 +1,89 @@
|
||||||
|
listen = *
|
||||||
|
protocols = imap
|
||||||
|
first_valid_uid = 1000
|
||||||
|
first_valid_gid = 1000
|
||||||
|
mail_location = maildir:/var/vmail/%d/%n
|
||||||
|
mail_plugin_dir = /usr/local/lib/dovecot
|
||||||
|
disable_plaintext_auth = yes
|
||||||
|
|
||||||
|
managesieve_notify_capability = mailto
|
||||||
|
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext imapsieve vnd.dovecot.imapsieve
|
||||||
|
|
||||||
|
mbox_write_locks = fcntl
|
||||||
|
mmap_disable = yes
|
||||||
|
namespace inbox {
|
||||||
|
inbox = yes
|
||||||
|
location =
|
||||||
|
mailbox Archive {
|
||||||
|
auto = subscribe
|
||||||
|
special_use = \Archive
|
||||||
|
}
|
||||||
|
mailbox Drafts {
|
||||||
|
auto = subscribe
|
||||||
|
special_use = \Drafts
|
||||||
|
}
|
||||||
|
mailbox Junk {
|
||||||
|
auto = subscribe
|
||||||
|
special_use = \Junk
|
||||||
|
}
|
||||||
|
mailbox Sent {
|
||||||
|
auto = subscribe
|
||||||
|
special_use = \Sent
|
||||||
|
}
|
||||||
|
mailbox Trash {
|
||||||
|
auto = subscribe
|
||||||
|
special_use = \Trash
|
||||||
|
}
|
||||||
|
prefix =
|
||||||
|
}
|
||||||
|
|
||||||
|
service auth {
|
||||||
|
user = $default_internal_user
|
||||||
|
group = _maildaemons
|
||||||
|
}
|
||||||
|
|
||||||
|
passdb {
|
||||||
|
args = scheme=blf-crypt /etc/mail/passwd
|
||||||
|
driver = passwd-file
|
||||||
|
}
|
||||||
|
|
||||||
|
plugin {
|
||||||
|
imapsieve_mailbox1_before = file:/usr/local/lib/dovecot/sieve/report-spam.sieve
|
||||||
|
imapsieve_mailbox1_causes = COPY
|
||||||
|
imapsieve_mailbox1_name = Junk
|
||||||
|
imapsieve_mailbox2_before = file:/usr/local/lib/dovecot/sieve/report-ham.sieve
|
||||||
|
imapsieve_mailbox2_causes = COPY
|
||||||
|
imapsieve_mailbox2_from = Junk
|
||||||
|
imapsieve_mailbox2_name = *
|
||||||
|
sieve = file:~/sieve;active=~/.dovecot.sieve
|
||||||
|
sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment
|
||||||
|
sieve_pipe_bin_dir = /usr/local/lib/dovecot/sieve
|
||||||
|
sieve_plugins = sieve_imapsieve sieve_extprograms
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
protocols = imap sieve
|
||||||
|
service imap-login {
|
||||||
|
inet_listener imap {
|
||||||
|
port = 143
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
ssl = required
|
||||||
|
|
||||||
|
ssl_min_protocol = TLSv1.2
|
||||||
|
ssl_cipher_list = EECDH+AESGCM
|
||||||
|
ssl_prefer_server_ciphers = yes
|
||||||
|
#ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
|
||||||
|
|
||||||
|
ssl_cert = </etc/ssl/kitoy.me.crt
|
||||||
|
ssl_key = </etc/ssl/private/kitoy.me.key
|
||||||
|
|
||||||
|
userdb {
|
||||||
|
driver = static
|
||||||
|
args = uid=vmail gid=vmail home=/var/vmail/%d/%n/
|
||||||
|
}
|
||||||
|
|
||||||
|
protocol imap {
|
||||||
|
mail_plugins = " imap_sieve"
|
||||||
|
}
|
|
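Review bot: The certificate lines `ssl_cert = </etc/ssl/kitoy.me.crt` and `ssl_key = </etc/ssl/private/kitoy.me.key` hard-code one specific domain in what is meant to be a reusable example, and the mail script only substitutes the `__DOMAIN__` token (and only in smtpd.conf), so any other deployment points Dovecot at a certificate that does not exist. Use `ssl_cert = </etc/ssl/__DOMAIN__.crt` and `ssl_key = </etc/ssl/private/__DOMAIN__.key` and run the same sed over this file. `protocols` is assigned twice (`imap` near the top, `imap sieve` further down); only the last assignment takes effect, so drop the first to avoid a misleading read. `listen = *` here overrides the `*, ::` in dovecot.conf and disables IPv6 listening; if that is intentional, say so in a comment.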
@ -0,0 +1,52 @@
|
||||||
|
|
||||||
|
user www;
|
||||||
|
worker_processes auto;
|
||||||
|
pid /var/www/run/nginx.pid;
|
||||||
|
include /etc/nginx/modules-enabled/*.conf;
|
||||||
|
|
||||||
|
events {
|
||||||
|
worker_connections 768;
|
||||||
|
# multi_accept on;
|
||||||
|
}
|
||||||
|
|
||||||
|
http {
|
||||||
|
|
||||||
|
##
|
||||||
|
# Basic Settings
|
||||||
|
##
|
||||||
|
|
||||||
|
sendfile on;
|
||||||
|
tcp_nopush on;
|
||||||
|
tcp_nodelay on;
|
||||||
|
keepalive_timeout 65;
|
||||||
|
types_hash_max_size 2048;
|
||||||
|
# server_tokens off;
|
||||||
|
|
||||||
|
include /etc/nginx/mime.types;
|
||||||
|
default_type application/octet-stream;
|
||||||
|
|
||||||
|
##
|
||||||
|
# SSL Settings
|
||||||
|
##
|
||||||
|
|
||||||
|
ssl_protocols TLSv1.2; # Dropping SSLv3, ref: POODLE
|
||||||
|
ssl_prefer_server_ciphers on;
|
||||||
|
|
||||||
|
##
|
||||||
|
# Logging Settings
|
||||||
|
##
|
||||||
|
|
||||||
|
access_log /var/www/logs/nginx/access.log;
|
||||||
|
error_log /var/www/logs/nginx/error.log;
|
||||||
|
|
||||||
|
##
|
||||||
|
# Gzip Settings
|
||||||
|
##
|
||||||
|
|
||||||
|
gzip on;
|
||||||
|
##
|
||||||
|
# Virtual Host Configs
|
||||||
|
##
|
||||||
|
|
||||||
|
include /etc/nginx/sites-enabled/*;
|
||||||
|
}
|
|
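Review bot: `# server_tokens off;` is left commented out, so the nginx version is disclosed in the `Server` header and on error pages; enable it with `server_tokens off;`. `ssl_protocols TLSv1.2;` excludes TLS 1.3, which the nginx on this host presumably supports; if so `ssl_protocols TLSv1.2 TLSv1.3;` is the usual setting, and a comment should say whether the secure-ssl.conf snippet included by the site files is expected to override this value. `include /etc/nginx/modules-enabled/*.conf;` is a Debian packaging layout; on the OpenBSD host the other scripts target (rcctl, pkg_add) that directory likely does not exist, and although a wildcard include with no matches is harmless, a comment noting where the line came from would avoid confusion.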
@ -0,0 +1,52 @@
|
||||||
|
|
||||||
|
user www;
|
||||||
|
worker_processes auto;
|
||||||
|
pid /var/www/run/nginx.pid;
|
||||||
|
include /etc/nginx/modules-enabled/*.conf;
|
||||||
|
|
||||||
|
events {
|
||||||
|
worker_connections 768;
|
||||||
|
# multi_accept on;
|
||||||
|
}
|
||||||
|
|
||||||
|
http {
|
||||||
|
|
||||||
|
##
|
||||||
|
# Basic Settings
|
||||||
|
##
|
||||||
|
|
||||||
|
sendfile on;
|
||||||
|
tcp_nopush on;
|
||||||
|
tcp_nodelay on;
|
||||||
|
keepalive_timeout 65;
|
||||||
|
types_hash_max_size 2048;
|
||||||
|
# server_tokens off;
|
||||||
|
|
||||||
|
include /etc/nginx/mime.types;
|
||||||
|
default_type application/octet-stream;
|
||||||
|
|
||||||
|
##
|
||||||
|
# SSL Settings
|
||||||
|
##
|
||||||
|
|
||||||
|
ssl_protocols TLSv1.2; # Dropping SSLv3, ref: POODLE
|
||||||
|
ssl_prefer_server_ciphers on;
|
||||||
|
|
||||||
|
##
|
||||||
|
# Logging Settings
|
||||||
|
##
|
||||||
|
|
||||||
|
access_log /var/www/logsnginx/access.log;
|
||||||
|
error_log /var/www/logs/nginx/error.log;
|
||||||
|
|
||||||
|
##
|
||||||
|
# Gzip Settings
|
||||||
|
##
|
||||||
|
|
||||||
|
gzip on;
|
||||||
|
##
|
||||||
|
# Virtual Host Configs
|
||||||
|
##
|
||||||
|
|
||||||
|
include /etc/nginx/sites-enabled/*;
|
||||||
|
}
|
|
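Review bot: `access_log /var/www/logsnginx/access.log;` has a typo (`logsnginx` instead of `logs/nginx`), which disagrees with the `error_log` line directly below it and with the other nginx.conf added in this commit; nginx is expected to refuse to start when it cannot open that log path, so fix it to `access_log /var/www/logs/nginx/access.log;`. This file otherwise appears identical to the other nginx.conf in the same commit, so keeping a single copy would prevent the two from drifting further. As there, `# server_tokens off;` should be enabled to stop disclosing the server version.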
@ -0,0 +1,39 @@
|
||||||
|
server {
|
||||||
|
listen 80;
|
||||||
|
server_name __DOMAIN__;
|
||||||
|
|
||||||
|
#Ajout pour les certificats letsencrypt
|
||||||
|
include snippets/acme-challenge.conf;
|
||||||
|
|
||||||
|
return 301 https://$http_host$request_uri;
|
||||||
|
|
||||||
|
root /html/$DOMAIN;
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl http2;
|
||||||
|
server_name __DOMAIN__;
|
||||||
|
|
||||||
|
|
||||||
|
ssl_certificate /etc/ssl/__DOMAIN__.crt;
|
||||||
|
ssl_certificate_key /etc/ssl/private/__DOMAIN__.key;
|
||||||
|
|
||||||
|
#Ajout d'une configuration ssl securise
|
||||||
|
include snippets/secure-ssl.conf;
|
||||||
|
|
||||||
|
# Speeds things up a little bit when resuming a session
|
||||||
|
# ssl_session_timeout 5m;
|
||||||
|
# ssl_session_cache shared:SSL:5m;
|
||||||
|
|
||||||
|
# Ajout pour le certificat letsencrypt
|
||||||
|
include snippets/acme-challenge.conf;
|
||||||
|
|
||||||
|
# Ajout pour securiser les headers
|
||||||
|
include snippets/secure-headers.conf;
|
||||||
|
}
|
||||||
|
|
||||||
|
# Path to the root of your installation
|
||||||
|
root /html/$DOMAIN;
|
||||||
|
|
||||||
|
}
|
|
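Review bot: This template mixes `__DOMAIN__` placeholders (`server_name`, `ssl_certificate`, `ssl_certificate_key`) with a literal `$DOMAIN` in both `root /html/$DOMAIN;` lines; the `sed -i "s/__DOMAIN__/$DOMAIN/g"` that make_default_homepage runs on the copy leaves `$DOMAIN` untouched, and nginx then rejects the unknown variable in `root`. Use `__DOMAIN__` throughout. The second copy of this template, directly below, uses `$DOMAIN` everywhere and is therefore never substituted by that sed at all. The two new smtpd.conf variants have the same split, including one `filter "dkimsign"` line that carries `-d $DOMAIN` and `/etc/mail/dkim/__DOMAIN__-private.key` in the same string, so whichever substitution mechanism is used, one half stays literal.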
@ -0,0 +1,39 @@
|
||||||
|
server {
|
||||||
|
listen 80;
|
||||||
|
server_name $DOMAIN;
|
||||||
|
|
||||||
|
#Ajout pour les certificats letsencrypt
|
||||||
|
include snippets/acme-challenge.conf;
|
||||||
|
|
||||||
|
return 301 https://$http_host$request_uri;
|
||||||
|
|
||||||
|
root /html/$DOMAIN;
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl http2;
|
||||||
|
server_name $DOMAIN;
|
||||||
|
|
||||||
|
|
||||||
|
ssl_certificate /etc/ssl/$DOMAIN.crt;
|
||||||
|
ssl_certificate_key /etc/ssl/private/$DOMAIN.key;
|
||||||
|
|
||||||
|
#Ajout d'une configuration ssl securise
|
||||||
|
include snippets/secure-ssl.conf;
|
||||||
|
|
||||||
|
# Speeds things up a little bit when resuming a session
|
||||||
|
# ssl_session_timeout 5m;
|
||||||
|
# ssl_session_cache shared:SSL:5m;
|
||||||
|
|
||||||
|
# Ajout pour le certificat letsencrypt
|
||||||
|
include snippets/acme-challenge.conf;
|
||||||
|
|
||||||
|
# Ajout pour securiser les headers
|
||||||
|
include snippets/secure-headers.conf;
|
||||||
|
}
|
||||||
|
|
||||||
|
# Path to the root of your installation
|
||||||
|
root /html/$DOMAIN;
|
||||||
|
|
||||||
|
}
|
|
@ -0,0 +1,31 @@
|
||||||
|
# See smtpd.conf(5) for more information.
|
||||||
|
# To accept external mail, replace with: listen on all
|
||||||
|
#
|
||||||
|
# Les certificats
|
||||||
|
|
||||||
|
pki "cert_mail" cert "/etc/ssl/__DOMAIN__.crt"
|
||||||
|
pki "cert_mail" key "/etc/ssl/private/__DOMAIN__.key"
|
||||||
|
|
||||||
|
table aliases file:/etc/mail/aliases
|
||||||
|
table passwd file:/etc/mail/passwd
|
||||||
|
table virtuals file:/etc/mail/virtuals
|
||||||
|
|
||||||
|
filter "rspamd" proc-exec "filter-rspamd"
|
||||||
|
filter "dkimsign" proc-exec "filter-dkimsign -d __DOMAIN__ -s dkim -k /etc/mail/dkim/__DOMAIN__-private.key" user _dkimsign group _dkimsign
|
||||||
|
|
||||||
|
# Activation du check du reverse DNS
|
||||||
|
#filter check_rdns phase connect match !rdns disconnect "550 no rDNS available"
|
||||||
|
#filter check_fcrdns phase connect match !fcrdns disconnect "550 no FCrDNS available"
|
||||||
|
|
||||||
|
listen on all tls pki "cert_mail" hostname "__DOMAIN__" filter rspamd
|
||||||
|
listen on all port submission tls-require pki "cert_mail" auth <passwd> filter dkimsign
|
||||||
|
|
||||||
|
action "local_mail" mbox alias <aliases>
|
||||||
|
action "domain_mail" maildir "/var/vmail/__DOMAIN__/%{dest.user:lowercase}" virtual <virtuals>
|
||||||
|
action "outbound" relay
|
||||||
|
|
||||||
|
|
||||||
|
match from any for domain "__DOMAIN__" action "domain_mail"
|
||||||
|
match from local for local action "local_mail"
|
||||||
|
|
||||||
|
match auth from any for any action "outbound"
|
|
@ -0,0 +1,37 @@
|
||||||
|
# See smtpd.conf(5) for more information.
|
||||||
|
|
||||||
|
|
||||||
|
# To accept external mail, replace with: listen on all
|
||||||
|
#
|
||||||
|
|
||||||
|
# les Certificats
|
||||||
|
pki "cert_mail" cert "/etc/ssl/__DOMAIN__.crt"
|
||||||
|
pki "cert_mail" key "/etc/ssl/private/__DOMAIN__.key"
|
||||||
|
|
||||||
|
table aliases file:/etc/mail/aliases
|
||||||
|
table passwd file:/etc/mail/passwd
|
||||||
|
table virtuals file:/etc/mail/virtuals
|
||||||
|
|
||||||
|
filter "rspamd" proc-exec "filter-rspamd"
|
||||||
|
filter "dkimsign" proc-exec "filter-dkimsign -d $DOMAIN -s dkim -k /etc/mail/dkim/__DOMAIN__-private.key" user _dkimsign group _dkimsign
|
||||||
|
|
||||||
|
# Activation du check du reverse DNS
|
||||||
|
#filter check_rdns phase connect match !rdns disconnect "550 no rDNS available"
|
||||||
|
#filter check_fcrdns phase connect match !fcrdns disconnect "550 no FCrDNS available"
|
||||||
|
|
||||||
|
# To accept external mail, replace with: listen on all
|
||||||
|
|
||||||
|
|
||||||
|
listen on all tls pki "cert_mail" hostname "__DOMAIN__" filter rspamd
|
||||||
|
listen on all port submission tls-require pki "cert_mail" auth <passwd> filter dkimsign
|
||||||
|
|
||||||
|
action "local_mail" mbox alias <aliases>
|
||||||
|
action "domain_mail" maildir "/var/vmail/__DOMAIN__/%{dest.user:lowercase}" virtual <virtuals>
|
||||||
|
action "outbound" relay
|
||||||
|
|
||||||
|
|
||||||
|
# Uncomment the following to accept external mail for domain "example.org"
|
||||||
|
match from any for domain "__DOMAIN__" action "domain_mail"
|
||||||
|
match from local for local action "local_mail"
|
||||||
|
|
||||||
|
match auth from any for any action "outbound"
|
|
@ -0,0 +1,37 @@
|
||||||
|
# See smtpd.conf(5) for more information.
|
||||||
|
|
||||||
|
|
||||||
|
# To accept external mail, replace with: listen on all
|
||||||
|
#
|
||||||
|
|
||||||
|
# les Certificats
|
||||||
|
pki "cert_mail" cert "/etc/ssl/$DOMAIN.crt"
|
||||||
|
pki "cert_mail" key "/etc/ssl/private/$DOMAIN.key"
|
||||||
|
|
||||||
|
table aliases file:/etc/mail/aliases
|
||||||
|
table passwd file:/etc/mail/passwd
|
||||||
|
table virtuals file:/etc/mail/virtuals
|
||||||
|
|
||||||
|
filter "rspamd" proc-exec "filter-rspamd"
|
||||||
|
filter "dkimsign" proc-exec "filter-dkimsign -d $DOMAIN -s dkim -k /etc/mail/dkim/$DOMAIN-private.key" user _dkimsign group _dkimsign
|
||||||
|
|
||||||
|
# Activation du check du reverse DNS
|
||||||
|
#filter check_rdns phase connect match !rdns disconnect "550 no rDNS available"
|
||||||
|
#filter check_fcrdns phase connect match !fcrdns disconnect "550 no FCrDNS available"
|
||||||
|
|
||||||
|
# To accept external mail, replace with: listen on all
|
||||||
|
|
||||||
|
|
||||||
|
listen on all tls pki "cert_mail" hostname "$DOMAIN" filter rspamd
|
||||||
|
listen on all port submission tls-require pki "cert_mail" auth <passwd> filter dkimsign
|
||||||
|
|
||||||
|
action "local_mail" mbox alias <aliases>
|
||||||
|
action "domain_mail" maildir "/var/vmail/$DOMAIN/%{dest.user:lowercase}" virtual <virtuals>
|
||||||
|
action "outbound" relay
|
||||||
|
|
||||||
|
|
||||||
|
# Uncomment the following to accept external mail for domain "example.org"
|
||||||
|
match from any for domain "$DOMAIN" action "domain_mail"
|
||||||
|
match from local for local action "local_mail"
|
||||||
|
|
||||||
|
match auth from any for any action "outbound"
|
|
@ -0,0 +1,19 @@
|
||||||
|
all:\
|
||||||
|
:nixspam:
|
||||||
|
|
||||||
|
# Nixspam recent sources list.
|
||||||
|
# Mirrored from http://www.heise.de/ix/nixspam
|
||||||
|
nixspam:\
|
||||||
|
:black:\
|
||||||
|
:msg="Your address %A is in the nixspam list\n\
|
||||||
|
See http://www.heise.de/ix/nixspam/dnsbl_en/ for details":\
|
||||||
|
:method=https:\
|
||||||
|
:file=www.openbsd.org/spamd/nixspam.gz
|
||||||
|
|
||||||
|
# An example of a list containing addresses which should not talk to spamd.
|
||||||
|
#
|
||||||
|
#override:\
|
||||||
|
# :white:\
|
||||||
|
# :method=file:\
|
||||||
|
# :file=/var/db/override.txt:
|
||||||
|
|
|
@ -1,14 +1,16 @@
|
||||||
|
|
||||||
#Filtres badhosts et sshguard
|
#Filtres badhosts et sshguard
|
||||||
table <pfbadhost> persist file "/etc/pf-badhost.txt"
|
table <pfbadhost> persist file "/etc/pf-badhost.txt"
|
||||||
table <sshguard> persist
|
table <sshguard> persist
|
||||||
|
table <whitelist> persist
|
||||||
|
|
||||||
## Table pour les batards de bruteforceurs
|
## Table pour les batards de bruteforceurs
|
||||||
table <bruteforce> persist
|
table <bruteforce> persist
|
||||||
|
table <http_abusive_hosts> persist
|
||||||
|
|
||||||
set block-policy drop # bloque silencieusement
|
set block-policy drop # bloque silencieusement
|
||||||
set skip on lo # En local on s'en fou on surveille rien
|
set skip on lo # En local on s'en fou on surveille rien
|
||||||
set limit table-entries 400000
|
set limit table-entries 400000
|
||||||
set limit states 100000
|
set limit states 100000
|
||||||
|
|
||||||
|
|
||||||
|
@ -30,30 +32,3 @@ block in from <sshguard>
|
||||||
block log quick from <bruteforce> label "brutes"
|
block log quick from <bruteforce> label "brutes"
|
||||||
|
|
||||||
pass out on egress proto { tcp udp icmp ipv6-icmp } modulate state
|
pass out on egress proto { tcp udp icmp ipv6-icmp } modulate state
|
||||||
|
|
||||||
#déclaration des variables
|
|
||||||
web_ports = "{ http https }"
|
|
||||||
mail_ports = "{ smtp submission imap }"
|
|
||||||
xmpp_ports = "{ 5222 5269 }"
|
|
||||||
ssh_port = "42420"
|
|
||||||
|
|
||||||
## Anti bruteforce
|
|
||||||
### SSH
|
|
||||||
#### Limite à 5 connexions simultanne par IP source
|
|
||||||
#### Limite à 15 tentatives de connexion toutes les 5 minutes
|
|
||||||
pass in on egress proto tcp to port $ssh_port modulate state \
|
|
||||||
(max-src-conn 5, max-src-conn-rate 15/5, overload <bruteforce> flush global)
|
|
||||||
|
|
||||||
#web
|
|
||||||
pass in on egress proto tcp to port $web_ports modulate state \
|
|
||||||
(max-src-conn 60, max-src-conn-rate 60/1, overload <bruteforce> flush global)
|
|
||||||
|
|
||||||
# mails
|
|
||||||
## antispam
|
|
||||||
pass in on egress proto tcp to port $mail_ports modulate state \
|
|
||||||
(max-src-conn-rate 20/5, overload <bruteforce> flush global)
|
|
||||||
pass out log on egress proto tcp to any port smtp
|
|
||||||
|
|
||||||
# XMPP
|
|
||||||
pass in on egress proto tcp to port $xmpp_ports modulate state \
|
|
||||||
(max-src-conn 15, max-src-conn-rate 15/5, overload <bruteforce> flush global)
|
|
||||||
|
|
|
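Review bot: The second hunk deletes every `pass in on egress … overload <bruteforce> flush global` rule together with the `$ssh_port`, `$web_ports`, `$mail_ports` and `$xmpp_ports` macros they use, but keeps `block log quick from <bruteforce> label "brutes"`; within the visible hunks nothing populates `<bruteforce>` any more, so the rate-limit protection on ssh, web, mail and xmpp is gone. The first hunk declares `table <whitelist> persist` and `table <http_abusive_hosts> persist`, yet no visible rule references either table. If replacement rules live elsewhere in the file they are outside these hunks; otherwise the deleted macros and pass-in rules should be restored alongside whatever uses the new tables. The ruleset continues outside the hunk.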
@ -15,10 +15,10 @@ listen.owner = www
|
||||||
listen.group = www
|
listen.group = www
|
||||||
listen.mode = 0660
|
listen.mode = 0660
|
||||||
pm = dynamic
|
pm = dynamic
|
||||||
pm.max_children = 5
|
pm.max_children = 10
|
||||||
pm.start_servers = 2
|
pm.start_servers = 4
|
||||||
pm.min_spare_servers = 1
|
pm.min_spare_servers = 1
|
||||||
pm.max_spare_servers = 3
|
pm.max_spare_servers = 6
|
||||||
chroot = /var/www
|
chroot = /var/www
|
||||||
env[HOSTNAME] = $HOSTNAME
|
env[HOSTNAME] = $HOSTNAME
|
||||||
env[PATH] = /usr/local/bin:/usr/bin:/bin
|
env[PATH] = /usr/local/bin:/usr/bin:/bin
|
||||||
|
|
|
@ -1,15 +1,11 @@
|
||||||
#!/bin/ksh
|
#!/bin/ksh
|
||||||
|
|
||||||
daemon="/usr/local/bin/python3"
|
daemon="/usr/local/bin/python3 wsgi.py"
|
||||||
daemon_flags="wsgi.py"
|
daemon_execdir="/home/pywallter/pywallter"
|
||||||
daemon_user="pywallter"
|
daemon_user="pywallter"
|
||||||
location="/home/pywallter/pywallter"
|
|
||||||
|
|
||||||
. /etc/rc.d/rc.subr
|
. /etc/rc.d/rc.subr
|
||||||
|
|
||||||
rc_start() {
|
|
||||||
${rcexec} "cd ${location}; ${daemon} ${daemon_flags}"
|
|
||||||
}
|
|
||||||
|
|
||||||
rc_bg=YES
|
rc_bg=YES
|
||||||
rc_cmd $1
|
rc_cmd $1
|
||||||
|
|
|
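Review bot: Folding the script argument into `daemon` (`daemon="/usr/local/bin/python3 wsgi.py"`) departs from rc.subr(8), where `daemon` is the executable path and arguments belong in `daemon_flags`; keep `daemon="/usr/local/bin/python3"` and `daemon_flags="wsgi.py"` next to the new `daemon_execdir`. `daemon_flags` is also what `rcctl set pywallter flags …` overrides, so an argument baked into `daemon` can no longer be changed from rcctl. Dropping the custom `rc_start` in favour of `daemon_execdir` is the right direction.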
@ -5,24 +5,24 @@
|
||||||
|
|
||||||
install_package_nextcloud()
|
install_package_nextcloud()
|
||||||
{
|
{
|
||||||
pkg_add php-bz2-8.0.26 php-curl-8.0.26 php-gd-8.0.26 php-gmp-8.0.26 \
|
pkg_add php-bz2-8.1.18 php-curl-8.1.18 php-gd-8.1.18 php-gmp-8.1.18 \
|
||||||
php-intl-8.0.26 php-pdo_pgsql-8.0.26 php-zip-8.0.26 \
|
php-intl-8.1.18 php-pdo_pgsql-8.1.18 php-zip-8.1.18 \
|
||||||
pecl80-imagick-3.7.0p1 pecl80-redis-5.3.7p0 \
|
pecl80-imagick-3.7.0p1 pecl80-redis-5.3.7p0 \
|
||||||
nextcloud-24.0.5
|
nextcloud-25.0.6
|
||||||
}
|
}
|
||||||
|
|
||||||
enable_nextlcoud_php_modules(){
|
enable_nextlcoud_php_modules(){
|
||||||
#enable modules
|
#enable modules
|
||||||
ln -s /etc/php-8.0.sample/gd.ini /etc/php-8.0/gd.ini
|
ln -s /etc/php-8.1.sample/gd.ini /etc/php-8.1/gd.ini
|
||||||
ln -s /etc/php-8.0.sample/imagick.ini /etc/php-8.0/imagick.ini
|
ln -s /etc/php-8.1.sample/imagick.ini /etc/php-8.1/imagick.ini
|
||||||
ln -s /etc/php-8.0.sample/opcache.ini /etc/php-8.0/opcache.ini
|
ln -s /etc/php-8.1.sample/opcache.ini /etc/php-8.1/opcache.ini
|
||||||
ln -s /etc/php-8.0.sample/curl.ini /etc/php-8.0/curl.ini
|
ln -s /etc/php-8.1.sample/curl.ini /etc/php-8.1/curl.ini
|
||||||
ln -s /etc/php-8.0.sample/gmp.ini /etc/php-8.0/gmp.ini
|
ln -s /etc/php-8.1.sample/gmp.ini /etc/php-8.1/gmp.ini
|
||||||
ln -s /etc/php-8.0.sample/intl.ini /etc/php-8.0/intl.ini
|
ln -s /etc/php-8.1.sample/intl.ini /etc/php-8.1/intl.ini
|
||||||
ln -s /etc/php-8.0.sample/redis.ini /etc/php-8.0/redis.ini
|
ln -s /etc/php-8.1.sample/redis.ini /etc/php-8.1/redis.ini
|
||||||
ln -s /etc/php-8.0.sample/bz2.ini /etc/php-8.0/bz2.ini
|
ln -s /etc/php-8.1.sample/bz2.ini /etc/php-8.1/bz2.ini
|
||||||
ln -s /etc/php-8.0.sample/zip.ini /etc/php-8.0/zip.ini
|
ln -s /etc/php-8.1.sample/zip.ini /etc/php-8.1/zip.ini
|
||||||
ln -s /etc/php-8.0.sample/pdo_pgsql.ini /etc/php-8.0/pdo_pgsql.ini
|
ln -s /etc/php-8.1.sample/pdo_pgsql.ini /etc/php-8.1/pdo_pgsql.ini
|
||||||
restart_php_service
|
restart_php_service
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -34,8 +34,8 @@ configure_nginx_service(){
|
||||||
create_nextcloud_db(){
|
create_nextcloud_db(){
|
||||||
psql template1 postgres -c "CREATE USER $nextcloud_db_user WITH PASSWORD '$nextcloud_db_pass' CREATEDB ;"
|
psql template1 postgres -c "CREATE USER $nextcloud_db_user WITH PASSWORD '$nextcloud_db_pass' CREATEDB ;"
|
||||||
psql template1 postgres -c "CREATE DATABASE $nextcloud_db_name TEMPLATE template1 ENCODING 'UTF8' ;"
|
psql template1 postgres -c "CREATE DATABASE $nextcloud_db_name TEMPLATE template1 ENCODING 'UTF8' ;"
|
||||||
psql template1 postgres -c "GRANT ALL PRIVILEGES ON DATABASE $nextcloud_db_name TO $nextcloud_db_user ;"
|
psql template1 postgres -c "GRANT ALL PRIVILEGES ON DATABASE $nextcloud_db_name TO $nextcloud_db_user;"
|
||||||
psql template1 postgres -c "GRANT ALL PRIVILEGES ON SCHEMA public TO $nextcloud_db_user ;"
|
psql template1 postgres -c "ALTER DATABASE $nextcloud_db_name OWNER TO nextcloud_db_user;"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
@ -79,14 +79,23 @@ install_nextcloud(){
|
||||||
/var/cron/tabs/root
|
/var/cron/tabs/root
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
mkdir my_configuration/nextcloud
|
mkdir my_configuration/nextcloud
|
||||||
check_services_for_nextlcoud
|
|
||||||
install_package_nextcloud
|
if [ "$1" == "gen-config-only" ];
|
||||||
enable_nextlcoud_php_modules
|
then
|
||||||
configure_nginx_service
|
check_services_for_nextcloud
|
||||||
create_nextcloud_db
|
configure_nginx_service
|
||||||
install_configuration_files_nextcloud
|
elif [ "$1" == "install" ];
|
||||||
install_nextcloud
|
then
|
||||||
restart_webserver_service
|
check_services_for_nextcloud
|
||||||
|
configure_nginx_service
|
||||||
|
install_package_nextcloud
|
||||||
|
enable_nextlcoud_php_modules
|
||||||
|
create_nextcloud_db
|
||||||
|
install_configuration_files_nextcloud
|
||||||
|
install_nextcloud
|
||||||
|
restart_webserver_service
|
||||||
|
fi
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
|
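Review bot: `ALTER DATABASE $nextcloud_db_name OWNER TO nextcloud_db_user;` in create_nextcloud_db is missing the `$` before `nextcloud_db_user`, so psql looks for a role literally named nextcloud_db_user and the statement fails; it should read `OWNER TO $nextcloud_db_user;`, and since the removed `GRANT … ON SCHEMA public` is now covered only through ownership, this line must succeed. In install_package_nextcloud the PHP packages move to 8.1.18 but `pecl80-imagick-3.7.0p1 pecl80-redis-5.3.7p0` are still the PHP 8.0 builds, so the `/etc/php-8.1.sample/imagick.ini` and `redis.ini` symlinks made in enable_nextlcoud_php_modules will point at files that do not exist unless the pecl81 variants are installed instead. The new `gen-config-only`/`install` dispatch at the bottom has no `else`, so a missing or misspelled argument exits 0 having done nothing; add `else printf 'usage: %s gen-config-only|install\n' "$0" >&2; exit 1` — the same gap exists in the php, postgresql and pywallter scripts in this commit. The call is renamed to `check_services_for_nextcloud` while `enable_nextlcoud_php_modules` keeps the old spelling; the definition of the renamed function is not visible here, so confirm it was renamed too.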
@ -10,61 +10,8 @@ install_nginx_package()
|
||||||
|
|
||||||
gen_nginx_configuration()
|
gen_nginx_configuration()
|
||||||
{
|
{
|
||||||
cat > my_configuration/nginx/nginx.conf <<EOF
|
cp -v default_configuration/nginx/nginx.conf.example my_configuration/nginx/nginx.conf
|
||||||
user www;
|
openssl dhparam -out my_configuration/nginx/dhparam.pem 2048
|
||||||
worker_processes auto;
|
|
||||||
pid /var/www/run/nginx.pid;
|
|
||||||
include /etc/nginx/modules-enabled/*.conf;
|
|
||||||
|
|
||||||
events {
|
|
||||||
worker_connections 768;
|
|
||||||
# multi_accept on;
|
|
||||||
}
|
|
||||||
|
|
||||||
http {
|
|
||||||
|
|
||||||
##
|
|
||||||
# Basic Settings
|
|
||||||
##
|
|
||||||
|
|
||||||
sendfile on;
|
|
||||||
tcp_nopush on;
|
|
||||||
tcp_nodelay on;
|
|
||||||
keepalive_timeout 65;
|
|
||||||
types_hash_max_size 2048;
|
|
||||||
# server_tokens off;
|
|
||||||
|
|
||||||
include /etc/nginx/mime.types;
|
|
||||||
default_type application/octet-stream;
|
|
||||||
|
|
||||||
##
|
|
||||||
# SSL Settings
|
|
||||||
##
|
|
||||||
|
|
||||||
ssl_protocols TLSv1.2; # Dropping SSLv3, ref: POODLE
|
|
||||||
ssl_prefer_server_ciphers on;
|
|
||||||
|
|
||||||
##
|
|
||||||
# Logging Settings
|
|
||||||
##
|
|
||||||
|
|
||||||
access_log /var/www/logsnginx/access.log;
|
|
||||||
error_log /var/www/logs/nginx/error.log;
|
|
||||||
|
|
||||||
##
|
|
||||||
# Gzip Settings
|
|
||||||
##
|
|
||||||
|
|
||||||
gzip on;
|
|
||||||
##
|
|
||||||
# Virtual Host Configs
|
|
||||||
##
|
|
||||||
|
|
||||||
include /etc/nginx/sites-enabled/*;
|
|
||||||
}
|
|
||||||
EOF
|
|
||||||
|
|
||||||
openssl dhparam -out default_configuration/nginx/dhparam.pem 2048
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -72,57 +19,18 @@ EOF
|
||||||
|
|
||||||
make_default_homepage()
|
make_default_homepage()
|
||||||
{
|
{
|
||||||
cat > my_configuration/nginx/site-available/$DOMAIN <<EOF
|
cp -v default_configuration/nginx/site-avalaible/example \
|
||||||
server {
|
my_configuration/nginx/site-available/$DOMAIN
|
||||||
listen 80;
|
sed -i "s/__DOMAIN__/$DOMAIN/g" my_configuration/nginx/site-available/$DOMAIN
|
||||||
server_name $DOMAIN;
|
|
||||||
|
|
||||||
#Ajout pour les certificats letsencrypt
|
|
||||||
include snippets/acme-challenge.conf;
|
|
||||||
|
|
||||||
return 301 https://$http_host$request_uri;
|
|
||||||
|
|
||||||
root /html/$DOMAIN;
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
server {
|
|
||||||
listen 443 ssl http2;
|
|
||||||
server_name $DOMAIN;
|
|
||||||
|
|
||||||
|
|
||||||
ssl_certificate /etc/ssl/$DOMAIN.crt;
|
|
||||||
ssl_certificate_key /etc/ssl/private/$DOMAIN.key;
|
|
||||||
|
|
||||||
#Ajout d'une configuration ssl securise
|
|
||||||
include snippets/secure-ssl.conf;
|
|
||||||
|
|
||||||
# Speeds things up a little bit when resuming a session
|
|
||||||
# ssl_session_timeout 5m;
|
|
||||||
# ssl_session_cache shared:SSL:5m;
|
|
||||||
|
|
||||||
# Ajout pour le certificat letsencrypt
|
|
||||||
include snippets/acme-challenge.conf;
|
|
||||||
|
|
||||||
# Ajout pour securiser les headers
|
|
||||||
include snippets/secure-headers.conf;
|
|
||||||
}
|
|
||||||
|
|
||||||
# Path to the root of your installation
|
|
||||||
root /html/$DOMAIN;
|
|
||||||
|
|
||||||
}
|
|
||||||
EOF
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
install_nginx_configuration(){
|
install_nginx_configuration(){
|
||||||
mkdir /etc/nginx/sites-enabled/
|
mkdir -v /etc/nginx/sites-enabled/
|
||||||
mkdir /etc/nginx/sites-available/
|
mkdir -v /etc/nginx/sites-available/
|
||||||
mkdir /etc/nginx/snippets/
|
mkdir -v /etc/nginx/snippets/
|
||||||
cp my_configuration/nginx/nginx.conf /etc/nginx/nginx.conf
|
cp -v my_configuration/nginx/nginx.conf /etc/nginx/nginx.conf
|
||||||
cp my_configuration/nginx/dhparam.pem /etc/nginx/dhparam.pem
|
cp -v my_configuration/nginx/dhparam.pem /etc/nginx/dhparam.pem
|
||||||
cp my_configuration/nginx/snippets/* /etc/nginx/snippets/
|
cp -v my_configuration/nginx/snippets/* /etc/nginx/snippets/
|
||||||
}
|
}
|
||||||
|
|
||||||
install_chroot_env()
|
install_chroot_env()
|
||||||
|
@ -130,23 +38,21 @@ install_chroot_env()
|
||||||
mkdir /var/www/etc/ssl/
|
mkdir /var/www/etc/ssl/
|
||||||
install -m 444 -o root -g bin /etc/resolv.conf /var/www/etc/
|
install -m 444 -o root -g bin /etc/resolv.conf /var/www/etc/
|
||||||
install -m 444 -o root -g bin /etc/ssl/cert.pem /etc/ssl/openssl.cnf /var/www/etc/ssl/
|
install -m 444 -o root -g bin /etc/ssl/cert.pem /etc/ssl/openssl.cnf /var/www/etc/ssl/
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
add_logs_to_newssyslog(){
|
add_logs_to_newssyslog(){
|
||||||
cp -v /etc/newsyslog.conf /etc/newsyslog.conf.old
|
cp -v /etc/newsyslog.conf /etc/newsyslog.conf.old
|
||||||
egrep -v "nginx" /etc/newsyslog.conf > /tmp/newsyslog.conf
|
egrep -v "nginx|httpd" /etc/newsyslog.conf > /tmp/newsyslog.conf
|
||||||
cat >> /tmp/newsyslog.conf <<EOF
|
cat >> /tmp/newsyslog.conf <<EOF
|
||||||
/var/www/logs/access.log 644 2 * \$W0 Z /var/www/run/nginx.pid SIGUSR1
|
/var/www/logs/access.log 644 2 * \$W0 Z /var/www/run/nginx.pid SIGUSR1
|
||||||
/var/www/logs/error.log 644 2 250 * Z /var/www/run/nginx.pid SIGUSR1
|
/var/www/logs/error.log 644 2 250 * Z /var/www/run/nginx.pid SIGUSR1
|
||||||
|
|
||||||
EOF
|
EOF
|
||||||
mv /tmp/newsyslog.conf /etc/newsyslog.conf
|
mv /tmp/newsyslog.conf /etc/newsyslog.conf
|
||||||
}
|
}
|
||||||
|
|
||||||
mkdir my_configuration/nginx/
|
mkdir my_configuration/nginx/
|
||||||
install_nginx_package
|
#install_nginx_package
|
||||||
gen_nginx_configuration
|
gen_nginx_configuration
|
||||||
install_chroot_env
|
#install_chroot_env
|
||||||
install_nginx_configuration
|
#install_nginx_configuration
|
||||||
restart_webserver_service
|
#restart_webserver_service
|
||||||
|
|
|
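Review bot: The four install steps at the bottom are commented out (`#install_nginx_package`, `#install_chroot_env`, `#install_nginx_configuration`, `#restart_webserver_service`), leaving only `gen_nginx_configuration` to run; this reads as a debugging toggle that should be reverted or turned into the `gen-config-only`/`install` dispatch the other scripts in this commit use. In add_logs_to_newssyslog the appended rotation entries name `/var/www/logs/access.log` and `/var/www/logs/error.log`, while the nginx.conf example added in this commit logs to `/var/www/logs/nginx/error.log` (and `/var/www/logsnginx/access.log`, itself missing a slash), so the nginx logs this script is meant to rotate never will be; align the newsyslog paths with the nginx.conf ones. In make_default_homepage the source is `default_configuration/nginx/site-avalaible/example` while the destination uses `site-available`; if the source directory is not actually spelled that way, the copy and the following `sed -i` both fail.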
@ -2,42 +2,11 @@
|
||||||
|
|
||||||
install_php_package()
|
install_php_package()
|
||||||
{
|
{
|
||||||
pkg_add php-8.0.26
|
pkg_add php-8.1.18
|
||||||
}
|
}
|
||||||
|
|
||||||
gen_php_configuration(){
|
gen_php_configuration(){
|
||||||
cat > my_configuration/php/php-fpm.conf <<EOF
|
cp -v default_configuration/php/php-fpm.conf my_configuration/php/php-fpm.conf
|
||||||
;;;;;;;;;;;;;;;;;;;;;
|
|
||||||
; FPM Configuration ;
|
|
||||||
;;;;;;;;;;;;;;;;;;;;;
|
|
||||||
[global]
|
|
||||||
error_log = log/php-fpm.log
|
|
||||||
;;;;;;;;;;;;;;;;;;;;
|
|
||||||
; Pool Definitions ;
|
|
||||||
;;;;;;;;;;;;;;;;;;;;
|
|
||||||
include=/etc/php-fpm.d/*.conf
|
|
||||||
[www]
|
|
||||||
user = www
|
|
||||||
group = www
|
|
||||||
listen = /var/www/run/php-fpm.sock
|
|
||||||
listen.owner = www
|
|
||||||
listen.group = www
|
|
||||||
listen.mode = 0660
|
|
||||||
pm = dynamic
|
|
||||||
pm.max_children = 5
|
|
||||||
pm.start_servers = 2
|
|
||||||
pm.min_spare_servers = 1
|
|
||||||
pm.max_spare_servers = 3
|
|
||||||
chroot = /var/www
|
|
||||||
env[HOSTNAME] = \$HOSTNAME
|
|
||||||
env[PATH] = /usr/local/bin:/usr/bin:/bin
|
|
||||||
env[TMP] = /tmp
|
|
||||||
env[TMPDIR] = /tmp
|
|
||||||
env[TEMP] = /tmp
|
|
||||||
|
|
||||||
|
|
||||||
EOF
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
install_configurations_files()
|
install_configurations_files()
|
||||||
|
@ -53,7 +22,13 @@ start_php_service()
|
||||||
}
|
}
|
||||||
|
|
||||||
mkdir my_configuration/php/
|
mkdir my_configuration/php/
|
||||||
install_php_package
|
if [ "$1" == "gen-config-only" ];
|
||||||
gen_php_configuration
|
then
|
||||||
install_configurations_files
|
gen_php_configuration
|
||||||
start_php_service
|
elif [ "$1" == "install" ];
|
||||||
|
then
|
||||||
|
install_php_package
|
||||||
|
gen_php_configuration
|
||||||
|
install_configurations_files
|
||||||
|
start_php_service
|
||||||
|
fi
|
||||||
|
|
|
@ -2,46 +2,41 @@
|
||||||
|
|
||||||
install_postresql_packages()
|
install_postresql_packages()
|
||||||
{
|
{
|
||||||
pkg_add postgresql-client-14.5 postgresql-server-14.5
|
pkg_add postgresql-client-15.2 postgresql-server-15.2
|
||||||
}
|
}
|
||||||
|
|
||||||
configure_postgresql_service()
|
configure_postgresql_service()
|
||||||
{
|
{
|
||||||
cat > my_configuration/postgresql/pg_hba.conf <<EOF
|
cp -v default_configuration/postgresql/pg_hba.conf my_configuration/postgresql/pg_hba.conf
|
||||||
# TYPE DATABASE USER ADDRESS METHOD
|
|
||||||
|
|
||||||
local all postgres trust
|
|
||||||
# "local" is for Unix domain socket connections only
|
|
||||||
#local all all md5
|
|
||||||
# IPv4 local connections:
|
|
||||||
host all all 127.0.0.1/32 md5
|
|
||||||
|
|
||||||
|
|
||||||
# IPv6 local connections:
|
|
||||||
host all all ::1/128 md5
|
|
||||||
# Allow replication connections from localhost, by a user with the
|
|
||||||
# replication privilege.
|
|
||||||
local replication all md5
|
|
||||||
host replication all 127.0.0.1/32 md5
|
|
||||||
host replication all ::1/128 md5
|
|
||||||
|
|
||||||
EOF
|
|
||||||
su -m _postgresql -c "mkdir /var/postgresql/data"
|
|
||||||
echo $postgresql_root_password > /tmp/passwordpsql.txt
|
|
||||||
su -m _postgresql -c "initdb -D /var/postgresql/data -U postgres -A md5 -E UTF8 --pwfile=/tmp/passwordpsql.txt"
|
|
||||||
rm /tmp/passwordpsql.txt
|
|
||||||
}
|
}
|
||||||
|
|
||||||
install_postgresql_configurations_files(){
|
make_data_directory()
|
||||||
|
{
|
||||||
|
su -m _postgresql -c "mkdir /var/postgresql/data"
|
||||||
|
echo $postgresql_root_password > /tmp/passwordpsql.txt
|
||||||
|
[ ! -d "/var/postgresql/data" ] || mv /var/postgresql/data /var/postgresql/data.old
|
||||||
|
su -m _postgresql -c "initdb -D /var/postgresql/data -U postgres -A scram-sha-256 -E UTF8 --pwfile=/tmp/passwordpsql.txt"
|
||||||
|
rm /tmp/passwordpsql.txt
|
||||||
|
}
|
||||||
|
|
||||||
|
install_postgresql_configurations_files()
|
||||||
|
{
|
||||||
cp -v my_configuration/postgresql/pg_hba.conf /var/postgresql/data/pg_hba.conf
|
cp -v my_configuration/postgresql/pg_hba.conf /var/postgresql/data/pg_hba.conf
|
||||||
}
|
}
|
||||||
|
|
||||||
start_postgresql_service(){
|
start_postgresql_service()
|
||||||
|
{
|
||||||
rcctl start postgresql
|
rcctl start postgresql
|
||||||
}
|
}
|
||||||
|
|
||||||
mkdir my_configuration/postgresql/
|
|
||||||
#install_postresql_packages
|
if [ "$1" == "gen-config-only" ];
|
||||||
configure_postgresql_service
|
then
|
||||||
install_postgresql_configurations_files
|
configure_postgresql_service
|
||||||
start_postgresql_service
|
elif [ "$1" == "install" ];
|
||||||
|
then
|
||||||
|
install_postresql_packages
|
||||||
|
configure_postgresql_service
|
||||||
|
install_postgresql_configurations_files
|
||||||
|
start_postgresql_service
|
||||||
|
fi
|
||||||
|
|
|
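Review bot: In make_data_directory the guard `[ ! -d "/var/postgresql/data" ] || mv /var/postgresql/data /var/postgresql/data.old` runs after `su -m _postgresql -c "mkdir /var/postgresql/data"`, so the directory just created is always moved aside (and nested inside an existing data.old on a second run) before initdb recreates it; the check must precede the mkdir. The superuser password is still written with `echo $postgresql_root_password > /tmp/passwordpsql.txt`, a predictable, world-readable file under the default umask that is left behind if initdb fails; create it with mktemp (mode 0600), give it to _postgresql, and remove it on every exit path. The move to `-A scram-sha-256` is right, but the pg_hba.conf now copied from default_configuration is not visible here — its host lines should use scram-sha-256 rather than the md5 the old heredoc used.
```sh
make_data_directory()
{
	[ ! -d "/var/postgresql/data" ] || mv /var/postgresql/data /var/postgresql/data.old
	su -m _postgresql -c "mkdir /var/postgresql/data"
	pwfile=$(mktemp /tmp/passwordpsql.XXXXXXXXXX) || exit 1
	trap 'rm -f "$pwfile"' EXIT
	printf '%s\n' "$postgresql_root_password" > "$pwfile"
	chown _postgresql "$pwfile"
	su -m _postgresql -c "initdb -D /var/postgresql/data -U postgres -A scram-sha-256 -E UTF8 --pwfile=$pwfile"
	rm -f "$pwfile"
}
```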
@ -28,11 +28,22 @@ DOSSIER_APP = "./users/"
|
||||||
DATABASE = "./base.db"
|
DATABASE = "./base.db"
|
||||||
EXT_IMG= {'.jpg', '.JPG', '.png', '.PNG', '.gif', '.GIF', '.bmp', '.BMP', '.jpeg', '.JPEG' }
|
EXT_IMG= {'.jpg', '.JPG', '.png', '.PNG', '.gif', '.GIF', '.bmp', '.BMP', '.jpeg', '.JPEG' }
|
||||||
SIGNIN_ENABLE = True
|
SIGNIN_ENABLE = True
|
||||||
XMPP_SERVER = True
|
|
||||||
MAIL_SERVER = True
|
|
||||||
SETUID='doas'
|
SETUID='doas'
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
|
if [ SERVICE_MAIL = "yes" ];
|
||||||
|
then
|
||||||
|
echo "MAIL_SERVER = True" >> my_configuration/pywallter/config.py
|
||||||
|
else
|
||||||
|
echo "MAIL_SERVER = False" >> my_configuration/pywallter/config.py
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ SERVICE_XMPP = "yes" ];
|
||||||
|
then
|
||||||
|
echo "XMPP_SERVER = True" >> my_configuration/pywallter/config.py
|
||||||
|
else
|
||||||
|
echo "XMPP_SERVER = False" >> myconfiguration/pywallter/config.py
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
@ -58,7 +69,15 @@ EOF
|
||||||
}
|
}
|
||||||
|
|
||||||
mkdir my_configuration/pywallter/
|
mkdir my_configuration/pywallter/
|
||||||
gen_pywallter_configuration_app
|
|
||||||
gen_nginx_pywallter_app
|
if [ "$1" == "gen-config-only" ];
|
||||||
install_pywallter_app
|
then
|
||||||
install_pywallter_configuration_files
|
gen_pywallter_configuration_app
|
||||||
|
gen_nginx_pywallter_app
|
||||||
|
elif [ "$1" == "install" ];
|
||||||
|
then
|
||||||
|
gen_pywallter_configuration_app
|
||||||
|
gen_nginx_pywallter_app
|
||||||
|
install_pywallter_app
|
||||||
|
install_pywallter_configuration_files
|
||||||
|
fi
|
||||||
|
|
|
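Review bot: `if [ SERVICE_MAIL = "yes" ]` and `if [ SERVICE_XMPP = "yes" ]` compare the literal strings SERVICE_MAIL and SERVICE_XMPP with "yes", so both tests are always false and config.py always receives `MAIL_SERVER = False` and `XMPP_SERVER = False`; they need `if [ "$SERVICE_MAIL" = "yes" ]` and `if [ "$SERVICE_XMPP" = "yes" ]`. The XMPP else-branch also writes to `myconfiguration/pywallter/config.py` (missing underscore), a different path from the other three echoes, so that line fails or creates a stray file. gen_pywallter_configuration_app begins outside this hunk.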
@ -13,11 +13,11 @@ install_prosody_package(){
|
||||||
|
|
||||||
gen_prosody_configuration(){
|
gen_prosody_configuration(){
|
||||||
|
|
||||||
cp -v default_configuration/xmpp/prosody.cfg.lua.example default_configuration/xmpp/prosody.cfg.lua
|
cp -v default_configuration/xmpp/prosody.cfg.lua.example my_configuration/xmpp/prosody.cfg.lua
|
||||||
sed -i "s/__DOMAIN__/$DOMAIN/g" default_configuration/xmpp/prosody.cfg.lua
|
sed -i "s/__DOMAIN__/$DOMAIN/g" my_configuration/xmpp/prosody.cfg.lua
|
||||||
cp -v default_configuration/xmpp/virtualHosts/example.com.conf default_configuration/xmpp/virtualHosts/$DOMAIN.conf
|
cp -v default_configuration/xmpp/virtualHosts/example.com.conf my_configuration/xmpp/virtualHosts/$DOMAIN.conf
|
||||||
sed -i "s/__DOMAIN__/$DOMAIN/g" default_configuration/xmpp/virtualHosts/$DOMAIN.conf
|
sed -i "s/__DOMAIN__/$DOMAIN/g" my_configuration/xmpp/virtualHosts/$DOMAIN.conf
|
||||||
sed -i "s/__xmpp_passphrase_for_filesuploads__/$xmpp_passphrase_for_filesuploads/g" default_configuration/xmpp/virtualHosts/$DOMAIN.conf
|
sed -i "s/__xmpp_passphrase_for_filesuploads__/$xmpp_passphrase_for_filesuploads/g" my_configuration/xmpp/virtualHosts/$DOMAIN.conf
|
||||||
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
@ -28,7 +28,6 @@ install_xmpp_certs_ssl(){
|
||||||
install -o _prosody -g _prosody my_configuration/xmpp/dh-2048.pem /etc/prosody/certs/dh-2048.pem
|
install -o _prosody -g _prosody my_configuration/xmpp/dh-2048.pem /etc/prosody/certs/dh-2048.pem
|
||||||
install -o _prosody -g _prosody /etc/ssl/private/"$DOMAIN".key /etc/prosody/certs/"$DOMAIN".key;
|
install -o _prosody -g _prosody /etc/ssl/private/"$DOMAIN".key /etc/prosody/certs/"$DOMAIN".key;
|
||||||
install -o _prosody -g _prosody /etc/ssl/"$DOMAIN".crt /etc/prosody/certs/"$DOMAIN".crt;
|
install -o _prosody -g _prosody /etc/ssl/"$DOMAIN".crt /etc/prosody/certs/"$DOMAIN".crt;
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
install_prosody_modules(){
|
install_prosody_modules(){
|
||||||
|
@ -45,7 +44,6 @@ install_prosody_modules(){
|
||||||
|
|
||||||
|
|
||||||
gen_nginx_configuration_files_upload(){
|
gen_nginx_configuration_files_upload(){
|
||||||
|
|
||||||
cp -v default_configuration/xmpp/nginx.conf.sample my_configuration/xmpp/upload.$DOMAIN
|
cp -v default_configuration/xmpp/nginx.conf.sample my_configuration/xmpp/upload.$DOMAIN
|
||||||
cp -v default_configuration/xmpp/share.php.sample my_configuration/xmpp/share.php
|
cp -v default_configuration/xmpp/share.php.sample my_configuration/xmpp/share.php
|
||||||
sed -i "s/__DOMAIN__/$DOMAIN/g" my_configuration/xmpp/upload.$DOMAIN
|
sed -i "s/__DOMAIN__/$DOMAIN/g" my_configuration/xmpp/upload.$DOMAIN
|
||||||
|
@ -82,6 +80,7 @@ install_xmpp_configurations_files(){
|
||||||
|
|
||||||
|
|
||||||
mkdir my_configuration/xmpp
|
mkdir my_configuration/xmpp
|
||||||
|
|
||||||
if [ "$1" == "gen-config-only" ];
|
if [ "$1" == "gen-config-only" ];
|
||||||
then
|
then
|
||||||
gen_prosody_configuration
|
gen_prosody_configuration
|
||||||
|
@ -97,3 +96,11 @@ then
|
||||||
rcctl enable prosody
|
rcctl enable prosody
|
||||||
rcctl start prosody
|
rcctl start prosody
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
if [ "$1" == "gen-config-only" ];
|
||||||
|
then
|
||||||
|
#code
|
||||||
|
elif [ "$1" == "install" ];
|
||||||
|
then
|
||||||
|
#Code
|
||||||
|
fi
|
||||||
|
|
|
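Review bot: `sed -i "s/__xmpp_passphrase_for_filesuploads__/$xmpp_passphrase_for_filesuploads/g"` interpolates a secret into a sed expression: a `/`, `&` or `\` in the passphrase corrupts the substitution or the target file, and the value is visible in the process list while the command runs; escape it, generate the passphrase from a character set that excludes those bytes, or fill the placeholder with a tool that reads the value from a file or the environment. The last hunk adds an empty `if … "gen-config-only" … elif … "install" … fi` skeleton with `#code` placeholders below a dispatch that already exists; it does nothing and should be dropped until it has a body. `cp -v … my_configuration/xmpp/virtualHosts/$DOMAIN.conf` needs that directory to exist, and only `mkdir my_configuration/xmpp` is visible here.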
@ -1,5 +1,5 @@
|
||||||
|
|
||||||
## Par défault le domain est le nom d'hote de la machine maisil est possible de le personnaliser
|
## Par défault le domain est le nom d'hote de la machine mais il est possible de le personnaliser
|
||||||
## comme l'exemple ce-dessous
|
## comme l'exemple ce-dessous
|
||||||
# DOMAIN="example.com"
|
# DOMAIN="example.com"
|
||||||
DOMAIN=`hostname`
|
DOMAIN=`hostname`
|
||||||
|
|