Correction & update scripts

kitoy 2023-05-15 23:16:25 +02:00
parent b8fbc07a97
commit 7f34b60582
24 changed files with 740 additions and 512 deletions


@ -4,24 +4,23 @@
gen_nginx_acme_conf(){
domain=$1
alt_domain=$2
nginx_run=`rcctl check nginx`
nginx_conf_file="/etc/nginx/sites-enabled/$domain"
[ ! -f $nginx_conf_file ] || rm $nginx_conf_file;
if [ "$nginx_run" == "nginx(ok)" ]; then
cat > test/$domain <<EOF
mkdir /var/www/htdocs/$domain
rcctl check nginx
if [ $? == 0 ]; then
cat > $nginx_conf_file <<EOF
server {
listen 80;
server_name $alt_domain $domain;
include snippets/acme-challenge.conf;
root /htdocs;
root /htdocs/$domain;
}
EOF
# rcctl restart nginx
rcctl reload nginx
else
echo "Service NGINX not runnig"
echo "Service NGINX not running"
exit 1
fi
@ -30,8 +29,12 @@ EOF
gen_acme_client_conf(){
domain=$1
alt_domain=$2
acme_conf_file="my_configuration/ssl/$domain-acme-client.conf"
# If the file exist, do nothing
[ ! -f $acme_conf_file ] || echo "Domain already configured !"; exit 1;
if [ "$alt_domain" == "" ]; then
cat >> my_configuration/ssl/$domain-acme-client.conf <<EOF
cat >> $acme_conf_file <<EOF
domain $domain {
domain key "/etc/ssl/private/$domain.key"
@ -41,7 +44,7 @@ domain $domain {
EOF
else
cat >> my_configuration/ssl/$domain-acme-client.conf <<EOF
cat >> $acme_conf_file <<EOF
domain $domain {
alternative names { $alt_domain }
@ -55,40 +58,39 @@ EOF
}
add_acme_domain_to_conf(){
domain=$1
egrep "domain $domain" -A5 /etc/acme-client.conf > /tmp/acme-client.conf
cp -v /etc/acme-client.conf /etc/acme-client.conf.old
cp -v /tmp/acme-client.conf /etc/acme-client.conf
}
install_utils(){
cp -v utils/renew_https_certificate /usr/local/bin/renew_https_certificate
chmod u+x /usr/local/bin/renew_https_certificate
}
get_certificate(){
get_certificate()
{
domain=$1
/usr/local/bin/renew_https_certificate $domain
}
usage(){
usage()
{
print "This program ask 3 arguments : \n"
print "First is email with domain name the second is list of alternatives domains with \" \" \n"
print "the last arguments is for share the ssl cert with xmpp daemon add xmpp at the end or not"
print "\t $0 domain.tld \"a.domain.tld b.domain.tld c.domain.tld\""
}
if [ -z $1 ];
then
usage
exit 3;
fi
if [ -e /etc/acme-client.conf ]; then
echo ok
else
echo nok
fi
domain=$1
alt_domain=$2
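Review bot: The guard `[ ! -f $acme_conf_file ] || echo "Domain already configured !"; exit 1;` in gen_acme_client_conf exits unconditionally, because the `;` ends the `||` list before `exit 1`, so the function never reaches its heredocs even for a new domain. Group the two commands: `[ ! -f "$acme_conf_file" ] || { echo "Domain already configured !" >&2; exit 1; }`. The expansions of `$domain`, `$nginx_conf_file` and `$acme_conf_file` are unquoted throughout (`rm $nginx_conf_file`, `cat >> $acme_conf_file`); since `$domain` comes straight from `$1`, quoting them keeps a name containing whitespace or glob characters from touching other files. The `if [ -z $1 ]` check at the bottom only passes by accident when no argument is given; `[ -z "$1" ]` is the intended form.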


@ -2,7 +2,7 @@
. ./myserver.conf
install_package(){
install_firewall_packages(){
pkg_add ssh_guard curl
useradd -s /sbin/nologin -d /var/empty _pfbadhost
ftp https://geoghegan.ca/pub/pf-badhost/0.5/pf-badhost.sh
@ -32,60 +32,36 @@ EOF
set_basic_configuration(){
cat > my_configuration/pf.conf <<EOF
#Filtres badhosts et sshguard
table <pfbadhost> persist file "/etc/pf-badhost.txt"
table <sshguard> persist
## Table pour les batards de bruteforceurs
table <bruteforce> persist
set block-policy drop # bloque silencieusement
set skip on lo # En local on s'en fou on surveille rien
set limit table-entries 400000
set limit states 100000
## Traitement des paquets ##
# Paquets partiels on vire
match all scrub (max-mss 1440 no-df random-id reassemble tcp)
antispoof quick for egress # Protection vol d'ip
antispoof quick for lo0 # Protection vol d'ip
# Port build user does not need network
block return out log proto {tcp udp} user _pbuild
# On bloque tout par défault
block
block quick on egress from <pfbadhost>
block in from <sshguard>
block log quick from <bruteforce> label "brutes"
pass out on egress proto { tcp udp icmp ipv6-icmp } modulate state
EOF
cp -v default_configruation/pf.conf my_configuration/pf.conf
}
set_open_service(){
cat >> my_configuration/pf.conf <<EOF
#déclaration des variables
web_ports = "{ http https }"
#On évite les bruteforces
pass in quick on egress proto { tcp, udp } from <whitelist> to port $web_ports
pass in on egress proto tcp to port $web_ports flags S/SA keep state \
(max-src-conn 100, max-src-conn-rate 15/5, \
overload <http_abusive_hosts> flush)
EOF
if [ "$SERVICE_MAIL" == "yes" ]; then
echo "mail_ports = \"{ smtp submission imap }\"" >> default_configuration/pf.conf
fi
cat >> my_configuration/pf.conf
EOF
if [ "$SERVICE_XMPP" == "yes" ]; then
[ "$SERVICE_MAIL" == "yes" ] &&
echo "mail_ports = \"{ smtp submission imap }\"" >> default_configuration/pf.conf
[ "$SERVICE_XMPP" == "yes" ] &&
echo "xmmp_ports = \"{ 5222 5269 }\"" >> default_configuration/pf.conf
fi
echo "ssh_port = \"$SSH_PORT\"" >> default_configuration/pf.conf
[ "$SERVICE_TURN" == "yes" ] &&
echo "turn_port = \"TURN_PORT\"" >> default_configuration/pf.conf
cat >> my_configuration/pf.conf <<EOF
## Anti bruteforce
@ -95,13 +71,14 @@ EOF
pass in on egress proto tcp to port \$ssh_port modulate state \\
(max-src-conn 5, max-src-conn-rate 15/5, overload <bruteforce> flush global)
#web
pass in on egress proto tcp to port \$web_ports modulate state \\
(max-src-conn 60, max-src-conn-rate 60/1, overload <bruteforce> flush global)
pass in quick on egress proto { tcp, udp } from <whitelist> to port $web_ports
pass in on egress proto tcp to port $web_ports flags S/SA keep state \
(max-src-conn 100, max-src-conn-rate 15/5, \
overload <http_abusive_hosts> flush)
EOF
if [ "$SERVICE_MAIL" == "yes" ]; then
[ "$SERVICE_MAIL" == "yes" ] &&
cat >> my_configuration/pf.conf <<EOF
# mails
## antispam
@ -110,19 +87,27 @@ pass in on egress proto tcp to port \$mail_ports modulate state \\
pass out log on egress proto tcp to any port smtp
EOF
fi
if [ "$SERVICE_XMPP" == "yes" ]; then
[ "$SERVICE_XMPP" == "yes" ] &&
cat >> my_configuration/pf.conf <<EOF
# XMPP
pass in on egress proto tcp to port \$xmpp_ports modulate state \\
(max-src-conn 15, max-src-conn-rate 15/5, overload <bruteforce> flush global)
EOF
fi
[ "$SERVICE_TURN" == "yes" ] &&
cat >> my_configuration/pf.conf <<EOF
pass in on egress proto tcp to port $turn_port modulate state \
(max-src-conn 20, max-src-conn-rate 30/1, overload <bruteforce> flush global)
pass in on egress proto udp to port $turn_port
EOF
}
install_pf_and_enable(){
install_conf_and_enable(){
pfctl -nf my_configuration/pf.conf
if [ $? == 0 ]; then
cp -v /etc/pf.conf /etc/pf.old
@ -134,5 +119,14 @@ install_pf_and_enable(){
}
if [ "$1" == "gen-config-only" ];
then
set_basic_configuration
set_open_service
elif [ "$1" == "install" ];
then
install_firewall_packages
set_basic_configuration
set_open_service
install_conf_and_enable
fi
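Review bot: `echo "turn_port = \"TURN_PORT\""` on the `SERVICE_TURN` line of set_open_service is missing the `$` before `TURN_PORT`, so the literal string is written as the port; the `ssh_port` line just above it interpolates `$SSH_PORT` correctly. Those four `echo` lines append to `default_configuration/pf.conf`, while the file being assembled and later checked by `pfctl -nf` is `my_configuration/pf.conf` (and the `cp -v default_configruation/pf.conf` that seeds it spells the directory differently from every other reference), so the variable definitions never reach the rules that use them. Inside the heredocs, `$web_ports` in the whitelist/web rules and `$turn_port` in the TURN rules are not escaped, so the shell expands them to empty strings at generation time, whereas the SSH rule escapes its variable as `\$ssh_port`; the new lines should use `\$web_ports` and `\$turn_port` the same way.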


@ -5,176 +5,21 @@
install_mails_services_pkg()
{
pkg_add dovecot dovecot-pigeonhole opensmtpd-filter-rspamd \
pkg_add dovecot dovecot-pigeonhole opensmtpd-filter-rspamd redis-6.2.12\
opensmtpd-extras-6.7.1v0 opensmtpd-filter-dkimsign-0.5 rspamd-3.2
}
gen_mails_service_configuration()
{
#Generate opensmtpd configuration
cat > my_configuration/mail/smtpd.conf <<EOF
# See smtpd.conf(5) for more information.
# To accept external mail, replace with: listen on all
#
# les Certificats
pki "cert_mail" cert "/etc/ssl/$DOMAIN.crt"
pki "cert_mail" key "/etc/ssl/private/$DOMAIN.key"
table aliases file:/etc/mail/aliases
table passwd file:/etc/mail/passwd
table virtuals file:/etc/mail/virtuals
filter "rspamd" proc-exec "filter-rspamd"
filter "dkimsign" proc-exec "filter-dkimsign -d $DOMAIN -s dkim -k /etc/mail/dkim/$DOMAIN-private.key" user _dkimsign group _dkimsign
# Activation du check du reverse DNS
#filter check_rdns phase connect match !rdns disconnect "550 no rDNS available"
#filter check_fcrdns phase connect match !fcrdns disconnect "550 no FCrDNS available"
# To accept external mail, replace with: listen on all
listen on all tls pki "cert_mail" hostname "$DOMAIN" filter rspamd
listen on all port submission tls-require pki "cert_mail" auth <passwd> filter dkimsign
action "local_mail" mbox alias <aliases>
action "domain_mail" maildir "/var/vmail/$DOMAIN/%{dest.user:lowercase}" virtual <virtuals>
action "outbound" relay
# Uncomment the following to accept external mail for domain "example.org"
match from any for domain "$DOMAIN" action "domain_mail"
match from local for local action "local_mail"
match auth from any for any action "outbound"
EOF
#Generate spamd configuration
cat > my_configuration/mail/spamd.conf <<EOF
all:\
:nixspam:
# Nixspam recent sources list.
# Mirrored from http://www.heise.de/ix/nixspam
nixspam:\
:black:\
:msg="Your address %A is in the nixspam list\n\
See http://www.heise.de/ix/nixspam/dnsbl_en/ for details":\
:method=https:\
:file=www.openbsd.org/spamd/nixspam.gz
# An example of a list containing addresses which should not talk to spamd.
#
#override:\
# :white:\
# :method=file:\
# :file=/var/db/override.txt:
EOF
## Generate Dovecot configuration
cat > my_configuration/dovecot/local.conf <<EOF
listen = *
protocols = imap
first_valid_uid = 1000
first_valid_gid = 1000
mail_location = maildir:/var/vmail/%d/%n
mail_plugin_dir = /usr/local/lib/dovecot
disable_plaintext_auth = yes
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext imapsieve vnd.dovecot.imapsieve
mbox_write_locks = fcntl
mmap_disable = yes
namespace inbox {
inbox = yes
location =
mailbox Archive {
auto = subscribe
special_use = \Archive
}
mailbox Drafts {
auto = subscribe
special_use = \Drafts
}
mailbox Junk {
auto = subscribe
special_use = \Junk
}
mailbox Sent {
auto = subscribe
special_use = \Sent
}
mailbox Trash {
auto = subscribe
special_use = \Trash
}
prefix =
cp -v default_configuration/opensmtpd/smtpd.conf.example my_configuration/opensmtpd/smtpd.conf
sed -i "s/__DOMAIN__/$DOMAIN/g" my_configuration/opensmtpd/smtpd.conf
cp -v default_configuration/opensmtpd/spamd.conf.example my_configuration/opensmtpd/spamd.conf
cp -v default_configuration/dovecot/dovecot.conf.example my_configuration/dovecot/dovecot.conf
cp -v default_configuration/dovecot/local.conf.example my_configuration/dovecot/dovecot.conf
}
service auth {
user = $default_internal_user
group = _maildaemons
}
passdb {
args = scheme=blf-crypt /etc/mail/passwd
driver = passwd-file
}
plugin {
imapsieve_mailbox1_before = file:/usr/local/lib/dovecot/sieve/report-spam.sieve
imapsieve_mailbox1_causes = COPY
imapsieve_mailbox1_name = Junk
imapsieve_mailbox2_before = file:/usr/local/lib/dovecot/sieve/report-ham.sieve
imapsieve_mailbox2_causes = COPY
imapsieve_mailbox2_from = Junk
imapsieve_mailbox2_name = *
sieve = file:~/sieve;active=~/.dovecot.sieve
sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment
sieve_pipe_bin_dir = /usr/local/lib/dovecot/sieve
sieve_plugins = sieve_imapsieve sieve_extprograms
}
protocols = imap sieve
service imap-login {
inet_listener imap {
port = 143
}
}
ssl = required
ssl_min_protocol = TLSv1.2
ssl_cipher_list = EECDH+AESGCM
ssl_prefer_server_ciphers = yes
#ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
ssl_cert = </etc/ssl/$DOMAIN.crt
ssl_key = </etc/ssl/private/$DOMAIN.key
userdb {
driver = static
args = uid=vmail gid=vmail home=/var/vmail/%d/%n/
}
protocol imap {
mail_plugins = " imap_sieve"
}
EOF
}
gen_dkim_keys(){
gen_dkim_keys()
{
# Generate dkim key
openssl genrsa -out my_configuration/mail/$DOMAIN-private.key 2048
openssl rsa -in my_configuration/mail/$DOMAIN-private.key -pubout | \
@ -237,11 +82,12 @@ EOF
install_mails_services_configuration()
{
cp my_configuration/mail/smtpd.conf /etc/mail/smtpd.conf
cp my_configuration/dovecot/local.conf /etc/dovecot/local.conf
cp -v my_configuration/mail/smtpd.conf /etc/mail/smtpd.conf
cp -v my_configuration/dovecot/dovecot.conf /etc/dovecot/
cp -v my_configuration/dovecot/local.conf /etc/dovecot/local.conf
mkdir /etc/mail/dkim/
cp my_configuration/mail/$DOMAIN-private.key /etc/mail/dkim/
cp my_configuration/mail/$DOMAIN-public.key /etc/mail/dkim/
cp -v my_configuration/mail/$DOMAIN-private.key /etc/mail/dkim/
cp -v my_configuration/mail/$DOMAIN-public.key /etc/mail/dkim/
chown -R _dkimsign /etc/mail/dkim/
touch /etc/mail/virtuals
touch /etc/mail/passwd
@ -259,7 +105,7 @@ make_system_mails_services_requirements()
usermod -G _maildaemons _dovecot
usermod -G _maildaemons _smtpd
cp /etc/login.conf /etc/login.conf.old
cp /etc/login.conf /etc/login.conf.orig
cat >> /etc/login.conf <<EOF
dovecot:\
:openfiles-cur=1024:\
@ -269,13 +115,21 @@ EOF
}
make_directory_configuration()
{
mkdir my_configuration/mail
mkdir my_configuration/dovecot
}
if [ "$1" == "gen-config-only" ];
then
gen_mails_service_configuration
gen_dkim_keys
elif [ "$1" == "install" ];
then
install_mails_services_pkg
gen_mails_service_configuration
gen_dkim_keys
gen_mails_service_utils
install_mails_services_configuration
make_system_mails_services_requirements
rcctl enable redis
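Review bot: The last `cp -v` in gen_mails_service_configuration copies `default_configuration/dovecot/local.conf.example` to `my_configuration/dovecot/dovecot.conf`, overwriting the dovecot.conf copied on the previous line, and `my_configuration/dovecot/local.conf`, which install_mails_services_configuration later installs, is never created; the destination should be `my_configuration/dovecot/local.conf`. Only smtpd.conf receives the `sed -i "s/__DOMAIN__/$DOMAIN/g"` pass, so whatever the dovecot template contains for the certificate paths is installed verbatim. The DKIM private key is copied with `cp -v` into `/etc/mail/dkim/` and only `chown -R _dkimsign`'d, so its mode depends on the invoking shell's umask; `install -o _dkimsign -m 600` (or a `chmod 600` after the copy) keeps it readable by the signer only. In install_mails_services_pkg, `redis-6.2.12\` has no space before the backslash, so unless the continuation line is indented the two package names are joined into a single token. The dispatch block at the end of this section continues outside it.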


@ -0,0 +1,101 @@
## Dovecot configuration file
# If you're in a hurry, see http://wiki2.dovecot.org/QuickConfiguration
# "doveconf -n" command gives a clean output of the changed settings. Use it
# instead of copy&pasting files when posting to the Dovecot mailing list.
# '#' character and everything after it is treated as comments. Extra spaces
# and tabs are ignored. If you want to use either of these explicitly, put the
# value inside quotes, eg.: key = "# char and trailing whitespace "
# Most (but not all) settings can be overridden by different protocols and/or
# source/destination IPs by placing the settings inside sections, for example:
# protocol imap { }, local 127.0.0.1 { }, remote 10.0.0.0/8 { }
# Default values are shown for each setting, it's not required to uncomment
# those. These are exceptions to this though: No sections (e.g. namespace {})
# or plugin settings are added by default, they're listed only as examples.
# Paths are also just examples with the real defaults being based on configure
# options. The paths listed here are for configure --prefix=/usr
# --sysconfdir=/etc --localstatedir=/var
# Protocols we want to be serving.
protocols = imap
# A comma separated list of IPs or hosts where to listen in for connections.
# "*" listens in all IPv4 interfaces, "::" listens in all IPv6 interfaces.
# If you want to specify non-default ports or anything more complex,
# edit conf.d/master.conf.
listen = *, ::
# Base directory where to store runtime data.
#base_dir = /var/dovecot/
# Name of this instance. In multi-instance setup doveadm and other commands
# can use -i <instance_name> to select which instance is used (an alternative
# to -c <config_path>). The instance name is also added to Dovecot processes
# in ps output.
#instance_name = dovecot
# Greeting message for clients.
#login_greeting = Dovecot ready.
# Space separated list of trusted network ranges. Connections from these
# IPs are allowed to override their IP addresses and ports (for logging and
# for authentication checks). disable_plaintext_auth is also ignored for
# these networks. Typically you'd specify your IMAP proxy servers here.
#login_trusted_networks =
# Space separated list of login access check sockets (e.g. tcpwrap)
#login_access_sockets =
# With proxy_maybe=yes if proxy destination matches any of these IPs, don't do
# proxying. This isn't necessary normally, but may be useful if the destination
# IP is e.g. a load balancer's IP.
#auth_proxy_self =
# Show more verbose process titles (in ps). Currently shows user name and
# IP address. Useful for seeing who are actually using the IMAP processes
# (eg. shared mailboxes or if same uid is used for multiple accounts).
#verbose_proctitle = no
# Should all processes be killed when Dovecot master process shuts down.
# Setting this to "no" means that Dovecot can be upgraded without
# forcing existing client connections to close (although that could also be
# a problem if the upgrade is e.g. because of a security fix).
#shutdown_clients = yes
# If non-zero, run mail commands via this many connections to doveadm server,
# instead of running them directly in the same process.
#doveadm_worker_count = 0
# UNIX socket or host:port used for connecting to doveadm server
#doveadm_socket_path = doveadm-server
# Space separated list of environment variables that are preserved on Dovecot
# startup and passed down to all of its child processes. You can also give
# key=value pairs to always set specific settings.
#import_environment = TZ
##
## Dictionary server settings
##
# Dictionary can be used to store key=value lists. This is used by several
# plugins. The dictionary can be accessed either directly or though a
# dictionary server. The following dict block maps dictionary names to URIs
# when the server is used. These can then be referenced using URIs in format
# "proxy::<name>".
dict {
#quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
}
# Most of the actual configuration gets included below. The filenames are
# first sorted by their ASCII value and parsed in that order. The 00-prefixes
# in filenames are intended to make it easier to understand the ordering.
#!include conf.d/*.conf
# A config file can also tried to be included without giving an error if
# it's not found:
!include_try local.conf


@ -0,0 +1,89 @@
listen = *
protocols = imap
first_valid_uid = 1000
first_valid_gid = 1000
mail_location = maildir:/var/vmail/%d/%n
mail_plugin_dir = /usr/local/lib/dovecot
disable_plaintext_auth = yes
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext imapsieve vnd.dovecot.imapsieve
mbox_write_locks = fcntl
mmap_disable = yes
namespace inbox {
inbox = yes
location =
mailbox Archive {
auto = subscribe
special_use = \Archive
}
mailbox Drafts {
auto = subscribe
special_use = \Drafts
}
mailbox Junk {
auto = subscribe
special_use = \Junk
}
mailbox Sent {
auto = subscribe
special_use = \Sent
}
mailbox Trash {
auto = subscribe
special_use = \Trash
}
prefix =
}
service auth {
user = $default_internal_user
group = _maildaemons
}
passdb {
args = scheme=blf-crypt /etc/mail/passwd
driver = passwd-file
}
plugin {
imapsieve_mailbox1_before = file:/usr/local/lib/dovecot/sieve/report-spam.sieve
imapsieve_mailbox1_causes = COPY
imapsieve_mailbox1_name = Junk
imapsieve_mailbox2_before = file:/usr/local/lib/dovecot/sieve/report-ham.sieve
imapsieve_mailbox2_causes = COPY
imapsieve_mailbox2_from = Junk
imapsieve_mailbox2_name = *
sieve = file:~/sieve;active=~/.dovecot.sieve
sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment
sieve_pipe_bin_dir = /usr/local/lib/dovecot/sieve
sieve_plugins = sieve_imapsieve sieve_extprograms
}
protocols = imap sieve
service imap-login {
inet_listener imap {
port = 143
}
}
ssl = required
ssl_min_protocol = TLSv1.2
ssl_cipher_list = EECDH+AESGCM
ssl_prefer_server_ciphers = yes
#ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
ssl_cert = </etc/ssl/kitoy.me.crt
ssl_key = </etc/ssl/private/kitoy.me.key
userdb {
driver = static
args = uid=vmail gid=vmail home=/var/vmail/%d/%n/
}
protocol imap {
mail_plugins = " imap_sieve"
}
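Review bot: `ssl_cert = </etc/ssl/kitoy.me.crt` and `ssl_key = </etc/ssl/private/kitoy.me.key` hardcode one specific domain in what is otherwise a template, and unlike the smtpd example this file has no `__DOMAIN__` placeholder, so any other deployment serves IMAP with a wrong or missing certificate. Use `ssl_cert = </etc/ssl/__DOMAIN__.crt` and `ssl_key = </etc/ssl/private/__DOMAIN__.key` and apply the same `sed` substitution the mail script runs over smtpd.conf. `protocols = imap` near the top is overridden by `protocols = imap sieve` further down; keeping only the second makes the intent obvious.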


@ -0,0 +1,52 @@
user www;
worker_processes auto;
pid /var/www/run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 768;
# multi_accept on;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# server_tokens off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
ssl_protocols TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
##
# Logging Settings
##
access_log /var/www/logs/nginx/access.log;
error_log /var/www/logs/nginx/error.log;
##
# Gzip Settings
##
gzip on;
##
# Virtual Host Configs
##
include /etc/nginx/sites-enabled/*;
}
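Review bot: `# server_tokens off;` is left commented in the http block, so nginx keeps advertising its version in the Server header and on error pages; `server_tokens off;` costs nothing in a hardened template. `ssl_protocols TLSv1.2;` also excludes TLSv1.3 although the comment only speaks of dropping SSLv3; `ssl_protocols TLSv1.2 TLSv1.3;` is the usual choice when the TLS library in use supports it. No `ssl_ciphers` accompanies `ssl_prefer_server_ciphers on`, so the cipher choice presumably comes from snippets/secure-ssl.conf — worth confirming. Both remarks apply unchanged to the second nginx.conf copy added later in this commit.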


@ -0,0 +1,52 @@
user www;
worker_processes auto;
pid /var/www/run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 768;
# multi_accept on;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# server_tokens off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
ssl_protocols TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
##
# Logging Settings
##
access_log /var/www/logsnginx/access.log;
error_log /var/www/logs/nginx/error.log;
##
# Gzip Settings
##
gzip on;
##
# Virtual Host Configs
##
include /etc/nginx/sites-enabled/*;
}
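Review bot: `access_log /var/www/logsnginx/access.log;` is missing the slash between `logs` and `nginx`; the `error_log` line directly below writes to `/var/www/logs/nginx/`, and the other nginx.conf added in this commit has the corrected path, so this copy logs into a directory that presumably does not exist inside the chroot. Change it to `access_log /var/www/logs/nginx/access.log;`.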


@ -0,0 +1,39 @@
server {
listen 80;
server_name __DOMAIN__;
#Ajout pour les certificats letsencrypt
include snippets/acme-challenge.conf;
return 301 https://$http_host$request_uri;
root /html/$DOMAIN;
}
server {
listen 443 ssl http2;
server_name __DOMAIN__;
ssl_certificate /etc/ssl/__DOMAIN__.crt;
ssl_certificate_key /etc/ssl/private/__DOMAIN__.key;
#Ajout d'une configuration ssl securise
include snippets/secure-ssl.conf;
# Speeds things up a little bit when resuming a session
# ssl_session_timeout 5m;
# ssl_session_cache shared:SSL:5m;
# Ajout pour le certificat letsencrypt
include snippets/acme-challenge.conf;
# Ajout pour securiser les headers
include snippets/secure-headers.conf;
}
# Path to the root of your installation
root /html/$DOMAIN;
}
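Review bot: `root /html/$DOMAIN;` in both server blocks uses `$DOMAIN` while the rest of the file uses `__DOMAIN__`, so the `sed` substitution leaves it untouched and nginx then rejects the file for an unknown `DOMAIN` variable; write `root /html/__DOMAIN__;`. The `}` before `# Path to the root of your installation` already closes the 443 server block, leaving the second `root` directive at top level followed by an unmatched `}`, which `nginx -t` also rejects; drop that first `}` (or the trailing `root` and `}` pair). The `$DOMAIN` copy of this file added next in the commit appears to have the same bracing problem and, if installed verbatim, the same unexpanded `$DOMAIN`.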


@ -0,0 +1,39 @@
server {
listen 80;
server_name $DOMAIN;
#Ajout pour les certificats letsencrypt
include snippets/acme-challenge.conf;
return 301 https://$http_host$request_uri;
root /html/$DOMAIN;
}
server {
listen 443 ssl http2;
server_name $DOMAIN;
ssl_certificate /etc/ssl/$DOMAIN.crt;
ssl_certificate_key /etc/ssl/private/$DOMAIN.key;
#Ajout d'une configuration ssl securise
include snippets/secure-ssl.conf;
# Speeds things up a little bit when resuming a session
# ssl_session_timeout 5m;
# ssl_session_cache shared:SSL:5m;
# Ajout pour le certificat letsencrypt
include snippets/acme-challenge.conf;
# Ajout pour securiser les headers
include snippets/secure-headers.conf;
}
# Path to the root of your installation
root /html/$DOMAIN;
}


@ -0,0 +1,31 @@
# See smtpd.conf(5) for more information.
# To accept external mail, replace with: listen on all
#
# Les certificats
pki "cert_mail" cert "/etc/ssl/__DOMAIN__.crt"
pki "cert_mail" key "/etc/ssl/private/__DOMAIN__.key"
table aliases file:/etc/mail/aliases
table passwd file:/etc/mail/passwd
table virtuals file:/etc/mail/virtuals
filter "rspamd" proc-exec "filter-rspamd"
filter "dkimsign" proc-exec "filter-dkimsign -d __DOMAIN__ -s dkim -k /etc/mail/dkim/__DOMAIN__-private.key" user _dkimsign group _dkimsign
# Activation du check du reverse DNS
#filter check_rdns phase connect match !rdns disconnect "550 no rDNS available"
#filter check_fcrdns phase connect match !fcrdns disconnect "550 no FCrDNS available"
listen on all tls pki "cert_mail" hostname "__DOMAIN__" filter rspamd
listen on all port submission tls-require pki "cert_mail" auth <passwd> filter dkimsign
action "local_mail" mbox alias <aliases>
action "domain_mail" maildir "/var/vmail/__DOMAIN__/%{dest.user:lowercase}" virtual <virtuals>
action "outbound" relay
match from any for domain "__DOMAIN__" action "domain_mail"
match from local for local action "local_mail"
match auth from any for any action "outbound"


@ -0,0 +1,37 @@
# See smtpd.conf(5) for more information.
# To accept external mail, replace with: listen on all
#
# les Certificats
pki "cert_mail" cert "/etc/ssl/__DOMAIN__.crt"
pki "cert_mail" key "/etc/ssl/private/__DOMAIN__.key"
table aliases file:/etc/mail/aliases
table passwd file:/etc/mail/passwd
table virtuals file:/etc/mail/virtuals
filter "rspamd" proc-exec "filter-rspamd"
filter "dkimsign" proc-exec "filter-dkimsign -d $DOMAIN -s dkim -k /etc/mail/dkim/__DOMAIN__-private.key" user _dkimsign group _dkimsign
# Activation du check du reverse DNS
#filter check_rdns phase connect match !rdns disconnect "550 no rDNS available"
#filter check_fcrdns phase connect match !fcrdns disconnect "550 no FCrDNS available"
# To accept external mail, replace with: listen on all
listen on all tls pki "cert_mail" hostname "__DOMAIN__" filter rspamd
listen on all port submission tls-require pki "cert_mail" auth <passwd> filter dkimsign
action "local_mail" mbox alias <aliases>
action "domain_mail" maildir "/var/vmail/__DOMAIN__/%{dest.user:lowercase}" virtual <virtuals>
action "outbound" relay
# Uncomment the following to accept external mail for domain "example.org"
match from any for domain "__DOMAIN__" action "domain_mail"
match from local for local action "local_mail"
match auth from any for any action "outbound"
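Review bot: The dkimsign filter line mixes `-d $DOMAIN` with `-k /etc/mail/dkim/__DOMAIN__-private.key`, so after the `sed` pass the key path is substituted but the signing domain stays the literal string `$DOMAIN`; use `-d __DOMAIN__` as the other smtpd template in this commit does. With a wrong `d=` tag every outgoing message's DKIM signature fails verification at the receiving side.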


@ -0,0 +1,37 @@
# See smtpd.conf(5) for more information.
# To accept external mail, replace with: listen on all
#
# les Certificats
pki "cert_mail" cert "/etc/ssl/$DOMAIN.crt"
pki "cert_mail" key "/etc/ssl/private/$DOMAIN.key"
table aliases file:/etc/mail/aliases
table passwd file:/etc/mail/passwd
table virtuals file:/etc/mail/virtuals
filter "rspamd" proc-exec "filter-rspamd"
filter "dkimsign" proc-exec "filter-dkimsign -d $DOMAIN -s dkim -k /etc/mail/dkim/$DOMAIN-private.key" user _dkimsign group _dkimsign
# Activation du check du reverse DNS
#filter check_rdns phase connect match !rdns disconnect "550 no rDNS available"
#filter check_fcrdns phase connect match !fcrdns disconnect "550 no FCrDNS available"
# To accept external mail, replace with: listen on all
listen on all tls pki "cert_mail" hostname "$DOMAIN" filter rspamd
listen on all port submission tls-require pki "cert_mail" auth <passwd> filter dkimsign
action "local_mail" mbox alias <aliases>
action "domain_mail" maildir "/var/vmail/$DOMAIN/%{dest.user:lowercase}" virtual <virtuals>
action "outbound" relay
# Uncomment the following to accept external mail for domain "example.org"
match from any for domain "$DOMAIN" action "domain_mail"
match from local for local action "local_mail"
match auth from any for any action "outbound"


@ -0,0 +1,19 @@
all:\
:nixspam:
# Nixspam recent sources list.
# Mirrored from http://www.heise.de/ix/nixspam
nixspam:\
:black:\
:msg="Your address %A is in the nixspam list\n\
See http://www.heise.de/ix/nixspam/dnsbl_en/ for details":\
:method=https:\
:file=www.openbsd.org/spamd/nixspam.gz
# An example of a list containing addresses which should not talk to spamd.
#
#override:\
# :white:\
# :method=file:\
# :file=/var/db/override.txt:


@ -1,10 +1,12 @@
#Filtres badhosts et sshguard
table <pfbadhost> persist file "/etc/pf-badhost.txt"
table <sshguard> persist
table <whitelist> persist
## Table pour les batards de bruteforceurs
table <bruteforce> persist
table <http_abusive_hosts> persist
set block-policy drop # bloque silencieusement
set skip on lo # En local on s'en fou on surveille rien
@ -30,30 +32,3 @@ block in from <sshguard>
block log quick from <bruteforce> label "brutes"
pass out on egress proto { tcp udp icmp ipv6-icmp } modulate state
#déclaration des variables
web_ports = "{ http https }"
mail_ports = "{ smtp submission imap }"
xmpp_ports = "{ 5222 5269 }"
ssh_port = "42420"
## Anti bruteforce
### SSH
#### Limite à 5 connexions simultanne par IP source
#### Limite à 15 tentatives de connexion toutes les 5 minutes
pass in on egress proto tcp to port $ssh_port modulate state \
(max-src-conn 5, max-src-conn-rate 15/5, overload <bruteforce> flush global)
#web
pass in on egress proto tcp to port $web_ports modulate state \
(max-src-conn 60, max-src-conn-rate 60/1, overload <bruteforce> flush global)
# mails
## antispam
pass in on egress proto tcp to port $mail_ports modulate state \
(max-src-conn-rate 20/5, overload <bruteforce> flush global)
pass out log on egress proto tcp to any port smtp
# XMPP
pass in on egress proto tcp to port $xmpp_ports modulate state \
(max-src-conn 15, max-src-conn-rate 15/5, overload <bruteforce> flush global)
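Review bot: `table <http_abusive_hosts> persist` is added, but no rule that blocks traffic from that table is visible in this section, and the `overload <http_abusive_hosts> flush` in the firewall script only fills it; unless a `block quick from <http_abusive_hosts>` exists in the part of pf.conf not shown, offenders are collected and never blocked. `<whitelist>` is declared with no file, so the `pass in quick ... from <whitelist>` rule matches nothing until entries are added at runtime; a one-line comment naming how the table is populated would help the next reader.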


@ -15,10 +15,10 @@ listen.owner = www
listen.group = www
listen.mode = 0660
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.max_children = 10
pm.start_servers = 4
pm.min_spare_servers = 1
pm.max_spare_servers = 3
pm.max_spare_servers = 6
chroot = /var/www
env[HOSTNAME] = $HOSTNAME
env[PATH] = /usr/local/bin:/usr/bin:/bin


@ -1,15 +1,11 @@
#!/bin/ksh
daemon="/usr/local/bin/python3"
daemon_flags="wsgi.py"
daemon="/usr/local/bin/python3 wsgi.py"
daemon_execdir="/home/pywallter/pywallter"
daemon_user="pywallter"
location="/home/pywallter/pywallter"
. /etc/rc.d/rc.subr
rc_start() {
${rcexec} "cd ${location}; ${daemon} ${daemon_flags}"
}
rc_bg=YES
rc_cmd $1


@ -5,24 +5,24 @@
install_package_nextcloud()
{
pkg_add php-bz2-8.0.26 php-curl-8.0.26 php-gd-8.0.26 php-gmp-8.0.26 \
php-intl-8.0.26 php-pdo_pgsql-8.0.26 php-zip-8.0.26 \
pkg_add php-bz2-8.1.18 php-curl-8.1.18 php-gd-8.1.18 php-gmp-8.1.18 \
php-intl-8.1.18 php-pdo_pgsql-8.1.18 php-zip-8.1.18 \
pecl80-imagick-3.7.0p1 pecl80-redis-5.3.7p0 \
nextcloud-24.0.5
nextcloud-25.0.6
}
enable_nextlcoud_php_modules(){
#enable modules
ln -s /etc/php-8.0.sample/gd.ini /etc/php-8.0/gd.ini
ln -s /etc/php-8.0.sample/imagick.ini /etc/php-8.0/imagick.ini
ln -s /etc/php-8.0.sample/opcache.ini /etc/php-8.0/opcache.ini
ln -s /etc/php-8.0.sample/curl.ini /etc/php-8.0/curl.ini
ln -s /etc/php-8.0.sample/gmp.ini /etc/php-8.0/gmp.ini
ln -s /etc/php-8.0.sample/intl.ini /etc/php-8.0/intl.ini
ln -s /etc/php-8.0.sample/redis.ini /etc/php-8.0/redis.ini
ln -s /etc/php-8.0.sample/bz2.ini /etc/php-8.0/bz2.ini
ln -s /etc/php-8.0.sample/zip.ini /etc/php-8.0/zip.ini
ln -s /etc/php-8.0.sample/pdo_pgsql.ini /etc/php-8.0/pdo_pgsql.ini
ln -s /etc/php-8.1.sample/gd.ini /etc/php-8.1/gd.ini
ln -s /etc/php-8.1.sample/imagick.ini /etc/php-8.1/imagick.ini
ln -s /etc/php-8.1.sample/opcache.ini /etc/php-8.1/opcache.ini
ln -s /etc/php-8.1.sample/curl.ini /etc/php-8.1/curl.ini
ln -s /etc/php-8.1.sample/gmp.ini /etc/php-8.1/gmp.ini
ln -s /etc/php-8.1.sample/intl.ini /etc/php-8.1/intl.ini
ln -s /etc/php-8.1.sample/redis.ini /etc/php-8.1/redis.ini
ln -s /etc/php-8.1.sample/bz2.ini /etc/php-8.1/bz2.ini
ln -s /etc/php-8.1.sample/zip.ini /etc/php-8.1/zip.ini
ln -s /etc/php-8.1.sample/pdo_pgsql.ini /etc/php-8.1/pdo_pgsql.ini
restart_php_service
}
@ -35,7 +35,7 @@ create_nextcloud_db(){
psql template1 postgres -c "CREATE USER $nextcloud_db_user WITH PASSWORD '$nextcloud_db_pass' CREATEDB ;"
psql template1 postgres -c "CREATE DATABASE $nextcloud_db_name TEMPLATE template1 ENCODING 'UTF8' ;"
psql template1 postgres -c "GRANT ALL PRIVILEGES ON DATABASE $nextcloud_db_name TO $nextcloud_db_user;"
psql template1 postgres -c "GRANT ALL PRIVILEGES ON SCHEMA public TO $nextcloud_db_user ;"
psql template1 postgres -c "ALTER DATABASE $nextcloud_db_name OWNER TO nextcloud_db_user;"
}
@ -79,14 +79,23 @@ install_nextcloud(){
/var/cron/tabs/root
}
mkdir my_configuration/nextcloud
check_services_for_nextlcoud
if [ "$1" == "gen-config-only" ];
then
check_services_for_nextcloud
configure_nginx_service
elif [ "$1" == "install" ];
then
check_services_for_nextcloud
configure_nginx_service
install_package_nextcloud
enable_nextlcoud_php_modules
configure_nginx_service
create_nextcloud_db
install_configuration_files_nextcloud
install_nextcloud
restart_webserver_service
fi
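Review bot: `ALTER DATABASE $nextcloud_db_name OWNER TO nextcloud_db_user;` in create_nextcloud_db is missing the `$`, so the statement refers to a role literally named `nextcloud_db_user` and fails unless such a role exists; write `OWNER TO $nextcloud_db_user;`. The `CREATE USER ... WITH PASSWORD '$nextcloud_db_pass'` statement puts the password on the `psql` command line, where it is visible to every local user via `ps` and may land in shell history; feeding the SQL on stdin (`psql template1 postgres <<EOF` ... `EOF`) avoids that, and a password containing a single quote would currently break the statement. create_nextcloud_db starts outside this section.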


@ -10,61 +10,8 @@ install_nginx_package()
gen_nginx_configuration()
{
cat > my_configuration/nginx/nginx.conf <<EOF
user www;
worker_processes auto;
pid /var/www/run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 768;
# multi_accept on;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# server_tokens off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
ssl_protocols TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
##
# Logging Settings
##
access_log /var/www/logsnginx/access.log;
error_log /var/www/logs/nginx/error.log;
##
# Gzip Settings
##
gzip on;
##
# Virtual Host Configs
##
include /etc/nginx/sites-enabled/*;
}
EOF
openssl dhparam -out default_configuration/nginx/dhparam.pem 2048
cp -v default_configuration/nginx/nginx.conf.example my_configuration/nginx/nginx.conf
openssl dhparam -out my_configuration/nginx/dhparam.pem 2048
}
@ -72,57 +19,18 @@ EOF
make_default_homepage()
{
cat > my_configuration/nginx/site-available/$DOMAIN <<EOF
server {
listen 80;
server_name $DOMAIN;
#Ajout pour les certificats letsencrypt
include snippets/acme-challenge.conf;
return 301 https://$http_host$request_uri;
root /html/$DOMAIN;
}
server {
listen 443 ssl http2;
server_name $DOMAIN;
ssl_certificate /etc/ssl/$DOMAIN.crt;
ssl_certificate_key /etc/ssl/private/$DOMAIN.key;
#Ajout d'une configuration ssl securise
include snippets/secure-ssl.conf;
# Speeds things up a little bit when resuming a session
# ssl_session_timeout 5m;
# ssl_session_cache shared:SSL:5m;
# Ajout pour le certificat letsencrypt
include snippets/acme-challenge.conf;
# Ajout pour securiser les headers
include snippets/secure-headers.conf;
}
# Path to the root of your installation
root /html/$DOMAIN;
}
EOF
cp -v default_configuration/nginx/site-avalaible/example \
my_configuration/nginx/site-available/$DOMAIN
sed -i "s/__DOMAIN__/$DOMAIN/g" my_configuration/nginx/site-available/$DOMAIN
}
install_nginx_configuration(){
mkdir /etc/nginx/sites-enabled/
mkdir /etc/nginx/sites-available/
mkdir /etc/nginx/snippets/
cp my_configuration/nginx/nginx.conf /etc/nginx/nginx.conf
cp my_configuration/nginx/dhparam.pem /etc/nginx/dhparam.pem
cp my_configuration/nginx/snippets/* /etc/nginx/snippets/
mkdir -v /etc/nginx/sites-enabled/
mkdir -v /etc/nginx/sites-available/
mkdir -v /etc/nginx/snippets/
cp -v my_configuration/nginx/nginx.conf /etc/nginx/nginx.conf
cp -v my_configuration/nginx/dhparam.pem /etc/nginx/dhparam.pem
cp -v my_configuration/nginx/snippets/* /etc/nginx/snippets/
}
install_chroot_env()
@ -130,23 +38,21 @@ install_chroot_env()
mkdir /var/www/etc/ssl/
install -m 444 -o root -g bin /etc/resolv.conf /var/www/etc/
install -m 444 -o root -g bin /etc/ssl/cert.pem /etc/ssl/openssl.cnf /var/www/etc/ssl/
}
add_logs_to_newssyslog(){
cp -v /etc/newsyslog.conf /etc/newsyslog.conf.old
egrep -v "nginx" /etc/newsyslog.conf > /tmp/newsyslog.conf
egrep -v "nginx|httpd" /etc/newsyslog.conf > /tmp/newsyslog.conf
cat >> /tmp/newsyslog.conf <<EOF
/var/www/logs/access.log 644 2 * \$W0 Z /var/www/run/nginx.pid SIGUSR1
/var/www/logs/error.log 644 2 250 * Z /var/www/run/nginx.pid SIGUSR1
EOF
mv /tmp/newsyslog.conf /etc/newsyslog.conf
}
mkdir my_configuration/nginx/
install_nginx_package
#install_nginx_package
gen_nginx_configuration
install_chroot_env
install_nginx_configuration
restart_webserver_service
#install_chroot_env
#install_nginx_configuration
#restart_webserver_service
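Review bot: The entry code of this nginx script now runs only `gen_nginx_configuration` with every install step commented out, whereas the php, postgresql and pywallter scripts in the same commit switch on `$1` (`gen-config-only` / `install`); without the same dispatcher this script can no longer install anything and behaves differently from its siblings when called with `install`. The rewritten `add_logs_to_newssyslog` also still assembles the new file at the fixed path `/tmp/newsyslog.conf` and then moves it over `/etc/newsyslog.conf` as root; a predictable name in a shared, world-writable directory is the classic temp-file race, so create it with `tmpconf=$(mktemp) || exit 1` and use `"$tmpconf"` in the `egrep`, `cat >>` and `mv` lines. The `install_chroot_env` body starts before this hunk.
```shell
mkdir my_configuration/nginx/
if [ "$1" == "gen-config-only" ];
then
  gen_nginx_configuration
elif [ "$1" == "install" ];
then
  install_nginx_package
  gen_nginx_configuration
  install_chroot_env
  install_nginx_configuration
  restart_webserver_service
fi
```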


@ -2,42 +2,11 @@
install_php_package()
{
pkg_add php-8.0.26
pkg_add php-8.1.18
}
gen_php_configuration(){
cat > my_configuration/php/php-fpm.conf <<EOF
;;;;;;;;;;;;;;;;;;;;;
; FPM Configuration ;
;;;;;;;;;;;;;;;;;;;;;
[global]
error_log = log/php-fpm.log
;;;;;;;;;;;;;;;;;;;;
; Pool Definitions ;
;;;;;;;;;;;;;;;;;;;;
include=/etc/php-fpm.d/*.conf
[www]
user = www
group = www
listen = /var/www/run/php-fpm.sock
listen.owner = www
listen.group = www
listen.mode = 0660
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
chroot = /var/www
env[HOSTNAME] = \$HOSTNAME
env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp
EOF
cp -v default_configuration/php/php-fpm.conf my_configuration/php/php-fpm.conf
}
install_configurations_files()
@ -53,7 +22,13 @@ start_php_service()
}
mkdir my_configuration/php/
if [ "$1" == "gen-config-only" ];
then
gen_php_configuration
elif [ "$1" == "install" ];
then
install_php_package
gen_php_configuration
install_configurations_files
start_php_service
fi
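Review bot: The new `if [ "$1" == "gen-config-only" ] … elif [ "$1" == "install" ] … fi` dispatcher has no `else`, so a missing or misspelled argument silently does nothing beyond the `mkdir my_configuration/php/` above it and the script exits 0 as if it had succeeded; the postgresql hunk (`@ -2,46 +2,41 @@`) and the pywallter hunk (`@ -58,7 +69,15 @@`) share the same shape. Add a fallthrough that tells the operator what happened, e.g. `else` / `printf 'usage: %s gen-config-only|install\n' "$0" >&2; exit 1`. `==` inside `[ ]` is also not POSIX `test` syntax; `=` works in every sh and the pywallter hunk already uses it.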


@ -2,46 +2,41 @@
install_postresql_packages()
{
pkg_add postgresql-client-14.5 postgresql-server-14.5
pkg_add postgresql-client-15.2 postgresql-server-15.2
}
configure_postgresql_service()
{
cat > my_configuration/postgresql/pg_hba.conf <<EOF
# TYPE DATABASE USER ADDRESS METHOD
cp -v default_configuration/postgresql/pg_hba.conf my_configuration/postgresql/pg_hba.conf
}
local all postgres trust
# "local" is for Unix domain socket connections only
#local all all md5
# IPv4 local connections:
host all all 127.0.0.1/32 md5
# IPv6 local connections:
host all all ::1/128 md5
# Allow replication connections from localhost, by a user with the
# replication privilege.
local replication all md5
host replication all 127.0.0.1/32 md5
host replication all ::1/128 md5
EOF
make_data_directory()
{
su -m _postgresql -c "mkdir /var/postgresql/data"
echo $postgresql_root_password > /tmp/passwordpsql.txt
su -m _postgresql -c "initdb -D /var/postgresql/data -U postgres -A md5 -E UTF8 --pwfile=/tmp/passwordpsql.txt"
[ ! -d "/var/postgresql/data" ] || mv /var/postgresql/data /var/postgresql/data.old
su -m _postgresql -c "initdb -D /var/postgresql/data -U postgres -A scram-sha-256 -E UTF8 --pwfile=/tmp/passwordpsql.txt"
rm /tmp/passwordpsql.txt
}
install_postgresql_configurations_files(){
install_postgresql_configurations_files()
{
cp -v my_configuration/postgresql/pg_hba.conf /var/postgresql/data/pg_hba.conf
}
start_postgresql_service(){
start_postgresql_service()
{
rcctl start postgresql
}
mkdir my_configuration/postgresql/
#install_postresql_packages
if [ "$1" == "gen-config-only" ];
then
configure_postgresql_service
elif [ "$1" == "install" ];
then
install_postresql_packages
configure_postgresql_service
install_postgresql_configurations_files
start_postgresql_service
fi
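Review bot: In `make_data_directory` the new guard `[ ! -d "/var/postgresql/data" ] || mv /var/postgresql/data /var/postgresql/data.old` runs after `su -m _postgresql -c "mkdir /var/postgresql/data"`, so on a fresh host it moves the directory that was just created to `data.old`, and where `data.old` already exists the `mv` may nest the previous cluster inside it rather than replace it; the guard belongs before the `mkdir`. The `postgres` superuser password is still written with an unquoted `echo $postgresql_root_password` to the fixed path `/tmp/passwordpsql.txt` under the default umask, so it is briefly readable by other local users; create the file with `mktemp`, write it with `printf '%s\n'`, and `chown` it to `_postgresql` so `initdb` can read it. The switch to `-A scram-sha-256` should be mirrored by the `METHOD` column of the copied `default_configuration/postgresql/pg_hba.conf` (not visible here); the removed heredoc used `md5`.
```shell
make_data_directory()
{
  # keep any existing cluster before creating the new one
  [ ! -d "/var/postgresql/data" ] || mv /var/postgresql/data /var/postgresql/data.old
  su -m _postgresql -c "mkdir /var/postgresql/data"
  pwfile=$(mktemp) || exit 1            # unpredictable name, created mode 0600
  printf '%s\n' "$postgresql_root_password" > "$pwfile"
  chown _postgresql "$pwfile"           # initdb runs as _postgresql and must read it
  su -m _postgresql -c "initdb -D /var/postgresql/data -U postgres -A scram-sha-256 -E UTF8 --pwfile=$pwfile"
  rm -f -- "$pwfile"
}
```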


@ -28,11 +28,22 @@ DOSSIER_APP = "./users/"
DATABASE = "./base.db"
EXT_IMG= {'.jpg', '.JPG', '.png', '.PNG', '.gif', '.GIF', '.bmp', '.BMP', '.jpeg', '.JPEG' }
SIGNIN_ENABLE = True
XMPP_SERVER = True
MAIL_SERVER = True
SETUID='doas'
EOF
if [ SERVICE_MAIL = "yes" ];
then
echo "MAIL_SERVER = True" >> my_configuration/pywallter/config.py
else
echo "MAIL_SERVER = False" >> my_configuration/pywallter/config.py
fi
if [ SERVICE_XMPP = "yes" ];
then
echo "XMPP_SERVER = True" >> my_configuration/pywallter/config.py
else
echo "XMPP_SERVER = False" >> myconfiguration/pywallter/config.py
fi
}
@ -58,7 +69,15 @@ EOF
}
mkdir my_configuration/pywallter/
if [ "$1" == "gen-config-only" ];
then
gen_pywallter_configuration_app
gen_nginx_pywallter_app
elif [ "$1" == "install" ];
then
gen_pywallter_configuration_app
gen_nginx_pywallter_app
install_pywallter_app
install_pywallter_configuration_files
fi
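Review bot: In the first hunk (`@ -28,11 +28,22 @@`) both tests compare a literal string, `[ SERVICE_MAIL = "yes" ]` and `[ SERVICE_XMPP = "yes" ]`, because the `$` is missing, so they are always false and `config.py` always receives `MAIL_SERVER = False` and `XMPP_SERVER = False` whatever the operator configured; write `if [ "$SERVICE_MAIL" = "yes" ];` and `if [ "$SERVICE_XMPP" = "yes" ];`. The `else` branch of the XMPP test also appends to `myconfiguration/pywallter/config.py` (missing underscore), a directory this script never creates, so that redirection fails with "No such file or directory" instead of updating the real file; it should read `echo "XMPP_SERVER = False" >> my_configuration/pywallter/config.py`. The enclosing function starts before the hunk.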


@ -13,11 +13,11 @@ install_prosody_package(){
gen_prosody_configuration(){
cp -v default_configuration/xmpp/prosody.cfg.lua.example default_configuration/xmpp/prosody.cfg.lua
sed -i "s/__DOMAIN__/$DOMAIN/g" default_configuration/xmpp/prosody.cfg.lua
cp -v default_configuration/xmpp/virtualHosts/example.com.conf default_configuration/xmpp/virtualHosts/$DOMAIN.conf
sed -i "s/__DOMAIN__/$DOMAIN/g" default_configuration/xmpp/virtualHosts/$DOMAIN.conf
sed -i "s/__xmpp_passphrase_for_filesuploads__/$xmpp_passphrase_for_filesuploads/g" default_configuration/xmpp/virtualHosts/$DOMAIN.conf
cp -v default_configuration/xmpp/prosody.cfg.lua.example my_configuration/xmpp/prosody.cfg.lua
sed -i "s/__DOMAIN__/$DOMAIN/g" my_configuration/xmpp/prosody.cfg.lua
cp -v default_configuration/xmpp/virtualHosts/example.com.conf my_configuration/xmpp/virtualHosts/$DOMAIN.conf
sed -i "s/__DOMAIN__/$DOMAIN/g" my_configuration/xmpp/virtualHosts/$DOMAIN.conf
sed -i "s/__xmpp_passphrase_for_filesuploads__/$xmpp_passphrase_for_filesuploads/g" my_configuration/xmpp/virtualHosts/$DOMAIN.conf
}
@ -28,7 +28,6 @@ install_xmpp_certs_ssl(){
install -o _prosody -g _prosody my_configuration/xmpp/dh-2048.pem /etc/prosody/certs/dh-2048.pem
install -o _prosody -g _prosody /etc/ssl/private/"$DOMAIN".key /etc/prosody/certs/"$DOMAIN".key;
install -o _prosody -g _prosody /etc/ssl/"$DOMAIN".crt /etc/prosody/certs/"$DOMAIN".crt;
}
install_prosody_modules(){
@ -45,7 +44,6 @@ install_prosody_modules(){
gen_nginx_configuration_files_upload(){
cp -v default_configuration/xmpp/nginx.conf.sample my_configuration/xmpp/upload.$DOMAIN
cp -v default_configuration/xmpp/share.php.sample my_configuration/xmpp/share.php
sed -i "s/__DOMAIN__/$DOMAIN/g" my_configuration/xmpp/upload.$DOMAIN
@ -82,6 +80,7 @@ install_xmpp_configurations_files(){
mkdir my_configuration/xmpp
if [ "$1" == "gen-config-only" ];
then
gen_prosody_configuration
@ -97,3 +96,11 @@ then
rcctl enable prosody
rcctl start prosody
fi
if [ "$1" == "gen-config-only" ];
then
#code
elif [ "$1" == "install" ];
then
#Code
fi
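Review bot: The appended `if [ "$1" == "gen-config-only" ]; then #code elif … then #Code fi` block has branch bodies that contain only comments, which is a syntax error in sh/ksh/bash (`then` must be followed by at least one command), so the shell aborts with a parse error when it reaches these lines and the script always exits non-zero even after the existing dispatch above (`@ -82,6 +80,7 @@`) has done its work. Either drop these eight lines or put a no-op `:` in each branch until the code exists. Separately, the `gen_prosody_configuration` hunk still splices `$xmpp_passphrase_for_filesuploads` into a `sed` program, so a passphrase containing `/`, `&` or `\` will break or alter the substitution and the secret is visible in the process list while `sed` runs; at minimum escape those characters before substituting, or pass the value through a variable to `awk -v` rather than into the pattern.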


@ -6,7 +6,7 @@ restart_mails_service()
}
restart_php_service(){
rcctl restart php80_fpm
rcctl restart php81_fpm
}
restart_postgresql_service(){