Correction & update scripts
This commit is contained in:
parent
b8fbc07a97
commit
7f34b60582
|
@ -4,24 +4,23 @@
|
|||
gen_nginx_acme_conf(){
|
||||
domain=$1
|
||||
alt_domain=$2
|
||||
nginx_run=`rcctl check nginx`
|
||||
nginx_conf_file="/etc/nginx/sites-enabled/$domain"
|
||||
[ ! -f $nginx_conf_file ] || rm $nginx_conf_file;
|
||||
|
||||
if [ "$nginx_run" == "nginx(ok)" ]; then
|
||||
cat > test/$domain <<EOF
|
||||
mkdir /var/www/htdocs/$domain
|
||||
rcctl check nginx
|
||||
if [ $? == 0 ]; then
|
||||
cat > $nginx_conf_file <<EOF
|
||||
server {
|
||||
listen 80;
|
||||
server_name $alt_domain $domain;
|
||||
|
||||
include snippets/acme-challenge.conf;
|
||||
|
||||
root /htdocs;
|
||||
|
||||
root /htdocs/$domain;
|
||||
}
|
||||
EOF
|
||||
|
||||
# rcctl restart nginx
|
||||
rcctl reload nginx
|
||||
else
|
||||
echo "Service NGINX not runnig"
|
||||
echo "Service NGINX not running"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
|
@ -30,8 +29,12 @@ EOF
|
|||
gen_acme_client_conf(){
|
||||
domain=$1
|
||||
alt_domain=$2
|
||||
acme_conf_file="my_configuration/ssl/$domain-acme-client.conf"
|
||||
# If the file exist, do nothing
|
||||
[ ! -f $acme_conf_file ] || echo "Domain already configured !"; exit 1;
|
||||
|
||||
if [ "$alt_domain" == "" ]; then
|
||||
cat >> my_configuration/ssl/$domain-acme-client.conf <<EOF
|
||||
cat >> $acme_conf_file <<EOF
|
||||
|
||||
domain $domain {
|
||||
domain key "/etc/ssl/private/$domain.key"
|
||||
|
@ -41,7 +44,7 @@ domain $domain {
|
|||
|
||||
EOF
|
||||
else
|
||||
cat >> my_configuration/ssl/$domain-acme-client.conf <<EOF
|
||||
cat >> $acme_conf_file <<EOF
|
||||
|
||||
domain $domain {
|
||||
alternative names { $alt_domain }
|
||||
|
@ -55,40 +58,39 @@ EOF
|
|||
|
||||
}
|
||||
|
||||
add_acme_domain_to_conf(){
|
||||
domain=$1
|
||||
egrep "domain $domain" -A5 /etc/acme-client.conf > /tmp/acme-client.conf
|
||||
cp -v /etc/acme-client.conf /etc/acme-client.conf.old
|
||||
cp -v /tmp/acme-client.conf /etc/acme-client.conf
|
||||
}
|
||||
|
||||
install_utils(){
|
||||
cp -v utils/renew_https_certificate /usr/local/bin/renew_https_certificate
|
||||
chmod u+x /usr/local/bin/renew_https_certificate
|
||||
}
|
||||
|
||||
get_certificate(){
|
||||
get_certificate()
|
||||
{
|
||||
domain=$1
|
||||
|
||||
/usr/local/bin/renew_https_certificate $domain
|
||||
}
|
||||
|
||||
usage(){
|
||||
usage()
|
||||
{
|
||||
print "This program ask 3 arguments : \n"
|
||||
print "First is email with domain name the second is list of alternatives domains with \" \" \n"
|
||||
print "the last arguments is for share the ssl cert with xmpp daemon add xmpp at the end or not"
|
||||
print "\t $0 domain.tld \"a.domain.tld b.domain.tld c.domain.tld\""
|
||||
|
||||
}
|
||||
|
||||
|
||||
|
||||
if [ -z $1 ];
|
||||
then
|
||||
usage
|
||||
exit 3;
|
||||
fi
|
||||
|
||||
if [ -e /etc/acme-client.conf ]; then
|
||||
echo ok
|
||||
else
|
||||
echo nok
|
||||
fi
|
||||
|
||||
|
||||
domain=$1
|
||||
alt_domain=$2
|
||||
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
|
||||
. ./myserver.conf
|
||||
|
||||
install_package(){
|
||||
install_firewall_packages(){
|
||||
pkg_add ssh_guard curl
|
||||
useradd -s /sbin/nologin -d /var/empty _pfbadhost
|
||||
ftp https://geoghegan.ca/pub/pf-badhost/0.5/pf-badhost.sh
|
||||
|
@ -32,60 +32,36 @@ EOF
|
|||
|
||||
|
||||
set_basic_configuration(){
|
||||
cat > my_configuration/pf.conf <<EOF
|
||||
#Filtres badhosts et sshguard
|
||||
table <pfbadhost> persist file "/etc/pf-badhost.txt"
|
||||
table <sshguard> persist
|
||||
|
||||
## Table pour les batards de bruteforceurs
|
||||
table <bruteforce> persist
|
||||
|
||||
|
||||
set block-policy drop # bloque silencieusement
|
||||
set skip on lo # En local on s'en fou on surveille rien
|
||||
set limit table-entries 400000
|
||||
set limit states 100000
|
||||
|
||||
|
||||
|
||||
## Traitement des paquets ##
|
||||
# Paquets partiels on vire
|
||||
match all scrub (max-mss 1440 no-df random-id reassemble tcp)
|
||||
antispoof quick for egress # Protection vol d'ip
|
||||
antispoof quick for lo0 # Protection vol d'ip
|
||||
|
||||
# Port build user does not need network
|
||||
block return out log proto {tcp udp} user _pbuild
|
||||
|
||||
# On bloque tout par défault
|
||||
block
|
||||
|
||||
block quick on egress from <pfbadhost>
|
||||
block in from <sshguard>
|
||||
block log quick from <bruteforce> label "brutes"
|
||||
|
||||
pass out on egress proto { tcp udp icmp ipv6-icmp } modulate state
|
||||
|
||||
EOF
|
||||
|
||||
cp -v default_configruation/pf.conf my_configuration/pf.conf
|
||||
}
|
||||
|
||||
set_open_service(){
|
||||
cat >> my_configuration/pf.conf <<EOF
|
||||
#déclaration des variables
|
||||
web_ports = "{ http https }"
|
||||
|
||||
#On évite les bruteforces
|
||||
pass in quick on egress proto { tcp, udp } from <whitelist> to port $web_ports
|
||||
pass in on egress proto tcp to port $web_ports flags S/SA keep state \
|
||||
(max-src-conn 100, max-src-conn-rate 15/5, \
|
||||
overload <http_abusive_hosts> flush)
|
||||
|
||||
EOF
|
||||
|
||||
if [ "$SERVICE_MAIL" == "yes" ]; then
|
||||
echo "mail_ports = \"{ smtp submission imap }\"" >> default_configuration/pf.conf
|
||||
fi
|
||||
cat >> my_configuration/pf.conf
|
||||
EOF
|
||||
|
||||
if [ "$SERVICE_XMPP" == "yes" ]; then
|
||||
[ "$SERVICE_MAIL" == "yes" ] &&
|
||||
echo "mail_ports = \"{ smtp submission imap }\"" >> default_configuration/pf.conf
|
||||
|
||||
[ "$SERVICE_XMPP" == "yes" ] &&
|
||||
echo "xmmp_ports = \"{ 5222 5269 }\"" >> default_configuration/pf.conf
|
||||
fi
|
||||
|
||||
echo "ssh_port = \"$SSH_PORT\"" >> default_configuration/pf.conf
|
||||
|
||||
[ "$SERVICE_TURN" == "yes" ] &&
|
||||
echo "turn_port = \"TURN_PORT\"" >> default_configuration/pf.conf
|
||||
|
||||
cat >> my_configuration/pf.conf <<EOF
|
||||
|
||||
## Anti bruteforce
|
||||
|
@ -95,13 +71,14 @@ EOF
|
|||
pass in on egress proto tcp to port \$ssh_port modulate state \\
|
||||
(max-src-conn 5, max-src-conn-rate 15/5, overload <bruteforce> flush global)
|
||||
|
||||
#web
|
||||
pass in on egress proto tcp to port \$web_ports modulate state \\
|
||||
(max-src-conn 60, max-src-conn-rate 60/1, overload <bruteforce> flush global)
|
||||
pass in quick on egress proto { tcp, udp } from <whitelist> to port $web_ports
|
||||
pass in on egress proto tcp to port $web_ports flags S/SA keep state \
|
||||
(max-src-conn 100, max-src-conn-rate 15/5, \
|
||||
overload <http_abusive_hosts> flush)
|
||||
|
||||
EOF
|
||||
|
||||
if [ "$SERVICE_MAIL" == "yes" ]; then
|
||||
[ "$SERVICE_MAIL" == "yes" ] &&
|
||||
cat >> my_configuration/pf.conf <<EOF
|
||||
# mails
|
||||
## antispam
|
||||
|
@ -110,19 +87,27 @@ pass in on egress proto tcp to port \$mail_ports modulate state \\
|
|||
pass out log on egress proto tcp to any port smtp
|
||||
|
||||
EOF
|
||||
fi
|
||||
|
||||
if [ "$SERVICE_XMPP" == "yes" ]; then
|
||||
[ "$SERVICE_XMPP" == "yes" ] &&
|
||||
cat >> my_configuration/pf.conf <<EOF
|
||||
# XMPP
|
||||
pass in on egress proto tcp to port \$xmpp_ports modulate state \\
|
||||
(max-src-conn 15, max-src-conn-rate 15/5, overload <bruteforce> flush global)
|
||||
EOF
|
||||
fi
|
||||
|
||||
|
||||
[ "$SERVICE_TURN" == "yes" ] &&
|
||||
cat >> my_configuration/pf.conf <<EOF
|
||||
pass in on egress proto tcp to port $turn_port modulate state \
|
||||
(max-src-conn 20, max-src-conn-rate 30/1, overload <bruteforce> flush global)
|
||||
|
||||
pass in on egress proto udp to port $turn_port
|
||||
|
||||
EOF
|
||||
|
||||
}
|
||||
|
||||
install_pf_and_enable(){
|
||||
install_conf_and_enable(){
|
||||
pfctl -nf my_configuration/pf.conf
|
||||
if [ $? == 0 ]; then
|
||||
cp -v /etc/pf.conf /etc/pf.old
|
||||
|
@ -134,5 +119,14 @@ install_pf_and_enable(){
|
|||
|
||||
}
|
||||
|
||||
set_basic_configuration
|
||||
set_open_service
|
||||
if [ "$1" == "gen-config-only" ];
|
||||
then
|
||||
set_basic_configuration
|
||||
set_open_service
|
||||
elif [ "$1" == "install" ];
|
||||
then
|
||||
install_firewall_packages
|
||||
set_basic_configuration
|
||||
set_open_service
|
||||
install_conf_and_enable
|
||||
fi
|
||||
|
|
|
@ -5,176 +5,21 @@
|
|||
|
||||
install_mails_services_pkg()
|
||||
{
|
||||
pkg_add dovecot dovecot-pigeonhole opensmtpd-filter-rspamd \
|
||||
pkg_add dovecot dovecot-pigeonhole opensmtpd-filter-rspamd redis-6.2.12\
|
||||
opensmtpd-extras-6.7.1v0 opensmtpd-filter-dkimsign-0.5 rspamd-3.2
|
||||
}
|
||||
|
||||
gen_mails_service_configuration()
|
||||
{
|
||||
|
||||
#Generate opensmtpd configuration
|
||||
cat > my_configuration/mail/smtpd.conf <<EOF
|
||||
# See smtpd.conf(5) for more information.
|
||||
|
||||
|
||||
# To accept external mail, replace with: listen on all
|
||||
#
|
||||
|
||||
# les Certificats
|
||||
pki "cert_mail" cert "/etc/ssl/$DOMAIN.crt"
|
||||
pki "cert_mail" key "/etc/ssl/private/$DOMAIN.key"
|
||||
|
||||
table aliases file:/etc/mail/aliases
|
||||
table passwd file:/etc/mail/passwd
|
||||
table virtuals file:/etc/mail/virtuals
|
||||
|
||||
filter "rspamd" proc-exec "filter-rspamd"
|
||||
filter "dkimsign" proc-exec "filter-dkimsign -d $DOMAIN -s dkim -k /etc/mail/dkim/$DOMAIN-private.key" user _dkimsign group _dkimsign
|
||||
|
||||
# Activation du check du reverse DNS
|
||||
#filter check_rdns phase connect match !rdns disconnect "550 no rDNS available"
|
||||
#filter check_fcrdns phase connect match !fcrdns disconnect "550 no FCrDNS available"
|
||||
|
||||
# To accept external mail, replace with: listen on all
|
||||
|
||||
|
||||
listen on all tls pki "cert_mail" hostname "$DOMAIN" filter rspamd
|
||||
listen on all port submission tls-require pki "cert_mail" auth <passwd> filter dkimsign
|
||||
|
||||
action "local_mail" mbox alias <aliases>
|
||||
action "domain_mail" maildir "/var/vmail/$DOMAIN/%{dest.user:lowercase}" virtual <virtuals>
|
||||
action "outbound" relay
|
||||
|
||||
|
||||
# Uncomment the following to accept external mail for domain "example.org"
|
||||
match from any for domain "$DOMAIN" action "domain_mail"
|
||||
match from local for local action "local_mail"
|
||||
|
||||
match auth from any for any action "outbound"
|
||||
|
||||
EOF
|
||||
|
||||
#Generate spamd configuration
|
||||
cat > my_configuration/mail/spamd.conf <<EOF
|
||||
|
||||
all:\
|
||||
:nixspam:
|
||||
|
||||
# Nixspam recent sources list.
|
||||
# Mirrored from http://www.heise.de/ix/nixspam
|
||||
nixspam:\
|
||||
:black:\
|
||||
:msg="Your address %A is in the nixspam list\n\
|
||||
See http://www.heise.de/ix/nixspam/dnsbl_en/ for details":\
|
||||
:method=https:\
|
||||
:file=www.openbsd.org/spamd/nixspam.gz
|
||||
|
||||
# An example of a list containing addresses which should not talk to spamd.
|
||||
#
|
||||
#override:\
|
||||
# :white:\
|
||||
# :method=file:\
|
||||
# :file=/var/db/override.txt:
|
||||
|
||||
EOF
|
||||
|
||||
## Generate Dovecot configuration
|
||||
cat > my_configuration/dovecot/local.conf <<EOF
|
||||
listen = *
|
||||
protocols = imap
|
||||
first_valid_uid = 1000
|
||||
first_valid_gid = 1000
|
||||
mail_location = maildir:/var/vmail/%d/%n
|
||||
mail_plugin_dir = /usr/local/lib/dovecot
|
||||
disable_plaintext_auth = yes
|
||||
|
||||
managesieve_notify_capability = mailto
|
||||
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext imapsieve vnd.dovecot.imapsieve
|
||||
|
||||
mbox_write_locks = fcntl
|
||||
mmap_disable = yes
|
||||
namespace inbox {
|
||||
inbox = yes
|
||||
location =
|
||||
mailbox Archive {
|
||||
auto = subscribe
|
||||
special_use = \Archive
|
||||
}
|
||||
mailbox Drafts {
|
||||
auto = subscribe
|
||||
special_use = \Drafts
|
||||
}
|
||||
mailbox Junk {
|
||||
auto = subscribe
|
||||
special_use = \Junk
|
||||
}
|
||||
mailbox Sent {
|
||||
auto = subscribe
|
||||
special_use = \Sent
|
||||
}
|
||||
mailbox Trash {
|
||||
auto = subscribe
|
||||
special_use = \Trash
|
||||
}
|
||||
prefix =
|
||||
cp -v default_configuration/opensmtpd/smtpd.conf.example my_configuration/opensmtpd/smtpd.conf
|
||||
sed -i "s/__DOMAIN__/$DOMAIN/g" my_configuration/opensmtpd/smtpd.conf
|
||||
cp -v default_configuration/opensmtpd/spamd.conf.example my_configuration/opensmtpd/spamd.conf
|
||||
cp -v default_configuration/dovecot/dovecot.conf.example my_configuration/dovecot/dovecot.conf
|
||||
cp -v default_configuration/dovecot/local.conf.example my_configuration/dovecot/dovecot.conf
|
||||
}
|
||||
|
||||
service auth {
|
||||
user = $default_internal_user
|
||||
group = _maildaemons
|
||||
}
|
||||
|
||||
passdb {
|
||||
args = scheme=blf-crypt /etc/mail/passwd
|
||||
driver = passwd-file
|
||||
}
|
||||
|
||||
plugin {
|
||||
imapsieve_mailbox1_before = file:/usr/local/lib/dovecot/sieve/report-spam.sieve
|
||||
imapsieve_mailbox1_causes = COPY
|
||||
imapsieve_mailbox1_name = Junk
|
||||
imapsieve_mailbox2_before = file:/usr/local/lib/dovecot/sieve/report-ham.sieve
|
||||
imapsieve_mailbox2_causes = COPY
|
||||
imapsieve_mailbox2_from = Junk
|
||||
imapsieve_mailbox2_name = *
|
||||
sieve = file:~/sieve;active=~/.dovecot.sieve
|
||||
sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment
|
||||
sieve_pipe_bin_dir = /usr/local/lib/dovecot/sieve
|
||||
sieve_plugins = sieve_imapsieve sieve_extprograms
|
||||
}
|
||||
|
||||
|
||||
protocols = imap sieve
|
||||
service imap-login {
|
||||
inet_listener imap {
|
||||
port = 143
|
||||
}
|
||||
}
|
||||
|
||||
ssl = required
|
||||
|
||||
ssl_min_protocol = TLSv1.2
|
||||
ssl_cipher_list = EECDH+AESGCM
|
||||
ssl_prefer_server_ciphers = yes
|
||||
#ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
|
||||
|
||||
ssl_cert = </etc/ssl/$DOMAIN.crt
|
||||
ssl_key = </etc/ssl/private/$DOMAIN.key
|
||||
|
||||
userdb {
|
||||
driver = static
|
||||
args = uid=vmail gid=vmail home=/var/vmail/%d/%n/
|
||||
}
|
||||
|
||||
protocol imap {
|
||||
mail_plugins = " imap_sieve"
|
||||
}
|
||||
|
||||
EOF
|
||||
|
||||
}
|
||||
|
||||
gen_dkim_keys(){
|
||||
gen_dkim_keys()
|
||||
{
|
||||
# Generate dkim key
|
||||
openssl genrsa -out my_configuration/mail/$DOMAIN-private.key 2048
|
||||
openssl rsa -in my_configuration/mail/$DOMAIN-private.key -pubout | \
|
||||
|
@ -237,11 +82,12 @@ EOF
|
|||
|
||||
install_mails_services_configuration()
|
||||
{
|
||||
cp my_configuration/mail/smtpd.conf /etc/mail/smtpd.conf
|
||||
cp my_configuration/dovecot/local.conf /etc/dovecot/local.conf
|
||||
cp -v my_configuration/mail/smtpd.conf /etc/mail/smtpd.conf
|
||||
cp -v my_configuration/dovecot/dovecot.conf /etc/dovecot/
|
||||
cp -v my_configuration/dovecot/local.conf /etc/dovecot/local.conf
|
||||
mkdir /etc/mail/dkim/
|
||||
cp my_configuration/mail/$DOMAIN-private.key /etc/mail/dkim/
|
||||
cp my_configuration/mail/$DOMAIN-public.key /etc/mail/dkim/
|
||||
cp -v my_configuration/mail/$DOMAIN-private.key /etc/mail/dkim/
|
||||
cp -v my_configuration/mail/$DOMAIN-public.key /etc/mail/dkim/
|
||||
chown -R _dkimsign /etc/mail/dkim/
|
||||
touch /etc/mail/virtuals
|
||||
touch /etc/mail/passwd
|
||||
|
@ -259,7 +105,7 @@ make_system_mails_services_requirements()
|
|||
usermod -G _maildaemons _dovecot
|
||||
usermod -G _maildaemons _smtpd
|
||||
|
||||
cp /etc/login.conf /etc/login.conf.old
|
||||
cp /etc/login.conf /etc/login.conf.orig
|
||||
cat >> /etc/login.conf <<EOF
|
||||
dovecot:\
|
||||
:openfiles-cur=1024:\
|
||||
|
@ -269,15 +115,23 @@ EOF
|
|||
|
||||
}
|
||||
|
||||
mkdir my_configuration/mail
|
||||
mkdir my_configuration/dovecot
|
||||
make_directory_configuration()
|
||||
{
|
||||
mkdir my_configuration/mail
|
||||
mkdir my_configuration/dovecot
|
||||
}
|
||||
|
||||
install_mails_services_pkg
|
||||
gen_mails_service_configuration
|
||||
gen_dkim_keys
|
||||
gen_mails_service_utils
|
||||
install_mails_services_configuration
|
||||
make_system_mails_services_requirements
|
||||
rcctl enable redis
|
||||
rcctl start redis
|
||||
restart_mails_service
|
||||
if [ "$1" == "gen-config-only" ];
|
||||
then
|
||||
gen_mails_service_configuration
|
||||
gen_dkim_keys
|
||||
elif [ "$1" == "install" ];
|
||||
then
|
||||
install_mails_services_pkg
|
||||
gen_mails_service_configuration
|
||||
gen_dkim_keys
|
||||
install_mails_services_configuration
|
||||
make_system_mails_services_requirements
|
||||
rcctl enable redis
|
||||
rcctl start redis
|
||||
restart_mails_service
|
||||
|
|
|
@ -0,0 +1,101 @@
|
|||
## Dovecot configuration file
|
||||
|
||||
# If you're in a hurry, see http://wiki2.dovecot.org/QuickConfiguration
|
||||
|
||||
# "doveconf -n" command gives a clean output of the changed settings. Use it
|
||||
# instead of copy&pasting files when posting to the Dovecot mailing list.
|
||||
|
||||
# '#' character and everything after it is treated as comments. Extra spaces
|
||||
# and tabs are ignored. If you want to use either of these explicitly, put the
|
||||
# value inside quotes, eg.: key = "# char and trailing whitespace "
|
||||
|
||||
# Most (but not all) settings can be overridden by different protocols and/or
|
||||
# source/destination IPs by placing the settings inside sections, for example:
|
||||
# protocol imap { }, local 127.0.0.1 { }, remote 10.0.0.0/8 { }
|
||||
|
||||
# Default values are shown for each setting, it's not required to uncomment
|
||||
# those. These are exceptions to this though: No sections (e.g. namespace {})
|
||||
# or plugin settings are added by default, they're listed only as examples.
|
||||
# Paths are also just examples with the real defaults being based on configure
|
||||
# options. The paths listed here are for configure --prefix=/usr
|
||||
# --sysconfdir=/etc --localstatedir=/var
|
||||
|
||||
# Protocols we want to be serving.
|
||||
protocols = imap
|
||||
|
||||
# A comma separated list of IPs or hosts where to listen in for connections.
|
||||
# "*" listens in all IPv4 interfaces, "::" listens in all IPv6 interfaces.
|
||||
# If you want to specify non-default ports or anything more complex,
|
||||
# edit conf.d/master.conf.
|
||||
listen = *, ::
|
||||
|
||||
# Base directory where to store runtime data.
|
||||
#base_dir = /var/dovecot/
|
||||
|
||||
# Name of this instance. In multi-instance setup doveadm and other commands
|
||||
# can use -i <instance_name> to select which instance is used (an alternative
|
||||
# to -c <config_path>). The instance name is also added to Dovecot processes
|
||||
# in ps output.
|
||||
#instance_name = dovecot
|
||||
|
||||
# Greeting message for clients.
|
||||
#login_greeting = Dovecot ready.
|
||||
|
||||
# Space separated list of trusted network ranges. Connections from these
|
||||
# IPs are allowed to override their IP addresses and ports (for logging and
|
||||
# for authentication checks). disable_plaintext_auth is also ignored for
|
||||
# these networks. Typically you'd specify your IMAP proxy servers here.
|
||||
#login_trusted_networks =
|
||||
|
||||
# Space separated list of login access check sockets (e.g. tcpwrap)
|
||||
#login_access_sockets =
|
||||
|
||||
# With proxy_maybe=yes if proxy destination matches any of these IPs, don't do
|
||||
# proxying. This isn't necessary normally, but may be useful if the destination
|
||||
# IP is e.g. a load balancer's IP.
|
||||
#auth_proxy_self =
|
||||
|
||||
# Show more verbose process titles (in ps). Currently shows user name and
|
||||
# IP address. Useful for seeing who are actually using the IMAP processes
|
||||
# (eg. shared mailboxes or if same uid is used for multiple accounts).
|
||||
#verbose_proctitle = no
|
||||
|
||||
# Should all processes be killed when Dovecot master process shuts down.
|
||||
# Setting this to "no" means that Dovecot can be upgraded without
|
||||
# forcing existing client connections to close (although that could also be
|
||||
# a problem if the upgrade is e.g. because of a security fix).
|
||||
#shutdown_clients = yes
|
||||
|
||||
# If non-zero, run mail commands via this many connections to doveadm server,
|
||||
# instead of running them directly in the same process.
|
||||
#doveadm_worker_count = 0
|
||||
# UNIX socket or host:port used for connecting to doveadm server
|
||||
#doveadm_socket_path = doveadm-server
|
||||
|
||||
# Space separated list of environment variables that are preserved on Dovecot
|
||||
# startup and passed down to all of its child processes. You can also give
|
||||
# key=value pairs to always set specific settings.
|
||||
#import_environment = TZ
|
||||
|
||||
##
|
||||
## Dictionary server settings
|
||||
##
|
||||
|
||||
# Dictionary can be used to store key=value lists. This is used by several
|
||||
# plugins. The dictionary can be accessed either directly or though a
|
||||
# dictionary server. The following dict block maps dictionary names to URIs
|
||||
# when the server is used. These can then be referenced using URIs in format
|
||||
# "proxy::<name>".
|
||||
|
||||
dict {
|
||||
#quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
|
||||
}
|
||||
|
||||
# Most of the actual configuration gets included below. The filenames are
|
||||
# first sorted by their ASCII value and parsed in that order. The 00-prefixes
|
||||
# in filenames are intended to make it easier to understand the ordering.
|
||||
#!include conf.d/*.conf
|
||||
|
||||
# A config file can also tried to be included without giving an error if
|
||||
# it's not found:
|
||||
!include_try local.conf
|
|
@ -0,0 +1,89 @@
|
|||
listen = *
|
||||
protocols = imap
|
||||
first_valid_uid = 1000
|
||||
first_valid_gid = 1000
|
||||
mail_location = maildir:/var/vmail/%d/%n
|
||||
mail_plugin_dir = /usr/local/lib/dovecot
|
||||
disable_plaintext_auth = yes
|
||||
|
||||
managesieve_notify_capability = mailto
|
||||
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext imapsieve vnd.dovecot.imapsieve
|
||||
|
||||
mbox_write_locks = fcntl
|
||||
mmap_disable = yes
|
||||
namespace inbox {
|
||||
inbox = yes
|
||||
location =
|
||||
mailbox Archive {
|
||||
auto = subscribe
|
||||
special_use = \Archive
|
||||
}
|
||||
mailbox Drafts {
|
||||
auto = subscribe
|
||||
special_use = \Drafts
|
||||
}
|
||||
mailbox Junk {
|
||||
auto = subscribe
|
||||
special_use = \Junk
|
||||
}
|
||||
mailbox Sent {
|
||||
auto = subscribe
|
||||
special_use = \Sent
|
||||
}
|
||||
mailbox Trash {
|
||||
auto = subscribe
|
||||
special_use = \Trash
|
||||
}
|
||||
prefix =
|
||||
}
|
||||
|
||||
service auth {
|
||||
user = $default_internal_user
|
||||
group = _maildaemons
|
||||
}
|
||||
|
||||
passdb {
|
||||
args = scheme=blf-crypt /etc/mail/passwd
|
||||
driver = passwd-file
|
||||
}
|
||||
|
||||
plugin {
|
||||
imapsieve_mailbox1_before = file:/usr/local/lib/dovecot/sieve/report-spam.sieve
|
||||
imapsieve_mailbox1_causes = COPY
|
||||
imapsieve_mailbox1_name = Junk
|
||||
imapsieve_mailbox2_before = file:/usr/local/lib/dovecot/sieve/report-ham.sieve
|
||||
imapsieve_mailbox2_causes = COPY
|
||||
imapsieve_mailbox2_from = Junk
|
||||
imapsieve_mailbox2_name = *
|
||||
sieve = file:~/sieve;active=~/.dovecot.sieve
|
||||
sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment
|
||||
sieve_pipe_bin_dir = /usr/local/lib/dovecot/sieve
|
||||
sieve_plugins = sieve_imapsieve sieve_extprograms
|
||||
}
|
||||
|
||||
|
||||
protocols = imap sieve
|
||||
service imap-login {
|
||||
inet_listener imap {
|
||||
port = 143
|
||||
}
|
||||
}
|
||||
|
||||
ssl = required
|
||||
|
||||
ssl_min_protocol = TLSv1.2
|
||||
ssl_cipher_list = EECDH+AESGCM
|
||||
ssl_prefer_server_ciphers = yes
|
||||
#ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
|
||||
|
||||
ssl_cert = </etc/ssl/kitoy.me.crt
|
||||
ssl_key = </etc/ssl/private/kitoy.me.key
|
||||
|
||||
userdb {
|
||||
driver = static
|
||||
args = uid=vmail gid=vmail home=/var/vmail/%d/%n/
|
||||
}
|
||||
|
||||
protocol imap {
|
||||
mail_plugins = " imap_sieve"
|
||||
}
|
|
@ -0,0 +1,52 @@
|
|||
|
||||
user www;
|
||||
worker_processes auto;
|
||||
pid /var/www/run/nginx.pid;
|
||||
include /etc/nginx/modules-enabled/*.conf;
|
||||
|
||||
events {
|
||||
worker_connections 768;
|
||||
# multi_accept on;
|
||||
}
|
||||
|
||||
http {
|
||||
|
||||
##
|
||||
# Basic Settings
|
||||
##
|
||||
|
||||
sendfile on;
|
||||
tcp_nopush on;
|
||||
tcp_nodelay on;
|
||||
keepalive_timeout 65;
|
||||
types_hash_max_size 2048;
|
||||
# server_tokens off;
|
||||
|
||||
include /etc/nginx/mime.types;
|
||||
default_type application/octet-stream;
|
||||
|
||||
##
|
||||
# SSL Settings
|
||||
##
|
||||
|
||||
ssl_protocols TLSv1.2; # Dropping SSLv3, ref: POODLE
|
||||
ssl_prefer_server_ciphers on;
|
||||
|
||||
##
|
||||
# Logging Settings
|
||||
##
|
||||
|
||||
access_log /var/www/logs/nginx/access.log;
|
||||
error_log /var/www/logs/nginx/error.log;
|
||||
|
||||
##
|
||||
# Gzip Settings
|
||||
##
|
||||
|
||||
gzip on;
|
||||
##
|
||||
# Virtual Host Configs
|
||||
##
|
||||
|
||||
include /etc/nginx/sites-enabled/*;
|
||||
}
|
|
@ -0,0 +1,52 @@
|
|||
|
||||
user www;
|
||||
worker_processes auto;
|
||||
pid /var/www/run/nginx.pid;
|
||||
include /etc/nginx/modules-enabled/*.conf;
|
||||
|
||||
events {
|
||||
worker_connections 768;
|
||||
# multi_accept on;
|
||||
}
|
||||
|
||||
http {
|
||||
|
||||
##
|
||||
# Basic Settings
|
||||
##
|
||||
|
||||
sendfile on;
|
||||
tcp_nopush on;
|
||||
tcp_nodelay on;
|
||||
keepalive_timeout 65;
|
||||
types_hash_max_size 2048;
|
||||
# server_tokens off;
|
||||
|
||||
include /etc/nginx/mime.types;
|
||||
default_type application/octet-stream;
|
||||
|
||||
##
|
||||
# SSL Settings
|
||||
##
|
||||
|
||||
ssl_protocols TLSv1.2; # Dropping SSLv3, ref: POODLE
|
||||
ssl_prefer_server_ciphers on;
|
||||
|
||||
##
|
||||
# Logging Settings
|
||||
##
|
||||
|
||||
access_log /var/www/logsnginx/access.log;
|
||||
error_log /var/www/logs/nginx/error.log;
|
||||
|
||||
##
|
||||
# Gzip Settings
|
||||
##
|
||||
|
||||
gzip on;
|
||||
##
|
||||
# Virtual Host Configs
|
||||
##
|
||||
|
||||
include /etc/nginx/sites-enabled/*;
|
||||
}
|
|
@ -0,0 +1,39 @@
|
|||
server {
|
||||
listen 80;
|
||||
server_name __DOMAIN__;
|
||||
|
||||
#Ajout pour les certificats letsencrypt
|
||||
include snippets/acme-challenge.conf;
|
||||
|
||||
return 301 https://$http_host$request_uri;
|
||||
|
||||
root /html/$DOMAIN;
|
||||
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
server_name __DOMAIN__;
|
||||
|
||||
|
||||
ssl_certificate /etc/ssl/__DOMAIN__.crt;
|
||||
ssl_certificate_key /etc/ssl/private/__DOMAIN__.key;
|
||||
|
||||
#Ajout d'une configuration ssl securise
|
||||
include snippets/secure-ssl.conf;
|
||||
|
||||
# Speeds things up a little bit when resuming a session
|
||||
# ssl_session_timeout 5m;
|
||||
# ssl_session_cache shared:SSL:5m;
|
||||
|
||||
# Ajout pour le certificat letsencrypt
|
||||
include snippets/acme-challenge.conf;
|
||||
|
||||
# Ajout pour securiser les headers
|
||||
include snippets/secure-headers.conf;
|
||||
}
|
||||
|
||||
# Path to the root of your installation
|
||||
root /html/$DOMAIN;
|
||||
|
||||
}
|
|
@ -0,0 +1,39 @@
|
|||
server {
|
||||
listen 80;
|
||||
server_name $DOMAIN;
|
||||
|
||||
#Ajout pour les certificats letsencrypt
|
||||
include snippets/acme-challenge.conf;
|
||||
|
||||
return 301 https://$http_host$request_uri;
|
||||
|
||||
root /html/$DOMAIN;
|
||||
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
server_name $DOMAIN;
|
||||
|
||||
|
||||
ssl_certificate /etc/ssl/$DOMAIN.crt;
|
||||
ssl_certificate_key /etc/ssl/private/$DOMAIN.key;
|
||||
|
||||
#Ajout d'une configuration ssl securise
|
||||
include snippets/secure-ssl.conf;
|
||||
|
||||
# Speeds things up a little bit when resuming a session
|
||||
# ssl_session_timeout 5m;
|
||||
# ssl_session_cache shared:SSL:5m;
|
||||
|
||||
# Ajout pour le certificat letsencrypt
|
||||
include snippets/acme-challenge.conf;
|
||||
|
||||
# Ajout pour securiser les headers
|
||||
include snippets/secure-headers.conf;
|
||||
}
|
||||
|
||||
# Path to the root of your installation
|
||||
root /html/$DOMAIN;
|
||||
|
||||
}
|
|
@ -0,0 +1,31 @@
|
|||
# See smtpd.conf(5) for more information.
|
||||
# To accept external mail, replace with: listen on all
|
||||
#
|
||||
# Les certificats
|
||||
|
||||
pki "cert_mail" cert "/etc/ssl/__DOMAIN__.crt"
|
||||
pki "cert_mail" key "/etc/ssl/private/__DOMAIN__.key"
|
||||
|
||||
table aliases file:/etc/mail/aliases
|
||||
table passwd file:/etc/mail/passwd
|
||||
table virtuals file:/etc/mail/virtuals
|
||||
|
||||
filter "rspamd" proc-exec "filter-rspamd"
|
||||
filter "dkimsign" proc-exec "filter-dkimsign -d __DOMAIN__ -s dkim -k /etc/mail/dkim/__DOMAIN__-private.key" user _dkimsign group _dkimsign
|
||||
|
||||
# Activation du check du reverse DNS
|
||||
#filter check_rdns phase connect match !rdns disconnect "550 no rDNS available"
|
||||
#filter check_fcrdns phase connect match !fcrdns disconnect "550 no FCrDNS available"
|
||||
|
||||
listen on all tls pki "cert_mail" hostname "__DOMAIN__" filter rspamd
|
||||
listen on all port submission tls-require pki "cert_mail" auth <passwd> filter dkimsign
|
||||
|
||||
action "local_mail" mbox alias <aliases>
|
||||
action "domain_mail" maildir "/var/vmail/__DOMAIN__/%{dest.user:lowercase}" virtual <virtuals>
|
||||
action "outbound" relay
|
||||
|
||||
|
||||
match from any for domain "__DOMAIN__" action "domain_mail"
|
||||
match from local for local action "local_mail"
|
||||
|
||||
match auth from any for any action "outbound"
|
|
@ -0,0 +1,37 @@
|
|||
# See smtpd.conf(5) for more information.
|
||||
|
||||
|
||||
# To accept external mail, replace with: listen on all
|
||||
#
|
||||
|
||||
# les Certificats
|
||||
pki "cert_mail" cert "/etc/ssl/__DOMAIN__.crt"
|
||||
pki "cert_mail" key "/etc/ssl/private/__DOMAIN__.key"
|
||||
|
||||
table aliases file:/etc/mail/aliases
|
||||
table passwd file:/etc/mail/passwd
|
||||
table virtuals file:/etc/mail/virtuals
|
||||
|
||||
filter "rspamd" proc-exec "filter-rspamd"
|
||||
filter "dkimsign" proc-exec "filter-dkimsign -d $DOMAIN -s dkim -k /etc/mail/dkim/__DOMAIN__-private.key" user _dkimsign group _dkimsign
|
||||
|
||||
# Activation du check du reverse DNS
|
||||
#filter check_rdns phase connect match !rdns disconnect "550 no rDNS available"
|
||||
#filter check_fcrdns phase connect match !fcrdns disconnect "550 no FCrDNS available"
|
||||
|
||||
# To accept external mail, replace with: listen on all
|
||||
|
||||
|
||||
listen on all tls pki "cert_mail" hostname "__DOMAIN__" filter rspamd
|
||||
listen on all port submission tls-require pki "cert_mail" auth <passwd> filter dkimsign
|
||||
|
||||
action "local_mail" mbox alias <aliases>
|
||||
action "domain_mail" maildir "/var/vmail/__DOMAIN__/%{dest.user:lowercase}" virtual <virtuals>
|
||||
action "outbound" relay
|
||||
|
||||
|
||||
# Uncomment the following to accept external mail for domain "example.org"
|
||||
match from any for domain "__DOMAIN__" action "domain_mail"
|
||||
match from local for local action "local_mail"
|
||||
|
||||
match auth from any for any action "outbound"
|
|
@ -0,0 +1,37 @@
|
|||
# See smtpd.conf(5) for more information.
|
||||
|
||||
|
||||
# To accept external mail, replace with: listen on all
|
||||
#
|
||||
|
||||
# les Certificats
|
||||
pki "cert_mail" cert "/etc/ssl/$DOMAIN.crt"
|
||||
pki "cert_mail" key "/etc/ssl/private/$DOMAIN.key"
|
||||
|
||||
table aliases file:/etc/mail/aliases
|
||||
table passwd file:/etc/mail/passwd
|
||||
table virtuals file:/etc/mail/virtuals
|
||||
|
||||
filter "rspamd" proc-exec "filter-rspamd"
|
||||
filter "dkimsign" proc-exec "filter-dkimsign -d $DOMAIN -s dkim -k /etc/mail/dkim/$DOMAIN-private.key" user _dkimsign group _dkimsign
|
||||
|
||||
# Activation du check du reverse DNS
|
||||
#filter check_rdns phase connect match !rdns disconnect "550 no rDNS available"
|
||||
#filter check_fcrdns phase connect match !fcrdns disconnect "550 no FCrDNS available"
|
||||
|
||||
# To accept external mail, replace with: listen on all
|
||||
|
||||
|
||||
listen on all tls pki "cert_mail" hostname "$DOMAIN" filter rspamd
|
||||
listen on all port submission tls-require pki "cert_mail" auth <passwd> filter dkimsign
|
||||
|
||||
action "local_mail" mbox alias <aliases>
|
||||
action "domain_mail" maildir "/var/vmail/$DOMAIN/%{dest.user:lowercase}" virtual <virtuals>
|
||||
action "outbound" relay
|
||||
|
||||
|
||||
# Uncomment the following to accept external mail for domain "example.org"
|
||||
match from any for domain "$DOMAIN" action "domain_mail"
|
||||
match from local for local action "local_mail"
|
||||
|
||||
match auth from any for any action "outbound"
|
|
@ -0,0 +1,19 @@
|
|||
all:\
|
||||
:nixspam:
|
||||
|
||||
# Nixspam recent sources list.
|
||||
# Mirrored from http://www.heise.de/ix/nixspam
|
||||
nixspam:\
|
||||
:black:\
|
||||
:msg="Your address %A is in the nixspam list\n\
|
||||
See http://www.heise.de/ix/nixspam/dnsbl_en/ for details":\
|
||||
:method=https:\
|
||||
:file=www.openbsd.org/spamd/nixspam.gz
|
||||
|
||||
# An example of a list containing addresses which should not talk to spamd.
|
||||
#
|
||||
#override:\
|
||||
# :white:\
|
||||
# :method=file:\
|
||||
# :file=/var/db/override.txt:
|
||||
|
|
@ -1,10 +1,12 @@
|
|||
|
||||
#Filtres badhosts et sshguard
|
||||
table <pfbadhost> persist file "/etc/pf-badhost.txt"
|
||||
table <sshguard> persist
|
||||
table <whitelist> persist
|
||||
|
||||
## Table pour les batards de bruteforceurs
|
||||
table <bruteforce> persist
|
||||
|
||||
table <http_abusive_hosts> persist
|
||||
|
||||
set block-policy drop # bloque silencieusement
|
||||
set skip on lo # En local on s'en fou on surveille rien
|
||||
|
@ -30,30 +32,3 @@ block in from <sshguard>
|
|||
block log quick from <bruteforce> label "brutes"
|
||||
|
||||
pass out on egress proto { tcp udp icmp ipv6-icmp } modulate state
|
||||
|
||||
#déclaration des variables
|
||||
web_ports = "{ http https }"
|
||||
mail_ports = "{ smtp submission imap }"
|
||||
xmpp_ports = "{ 5222 5269 }"
|
||||
ssh_port = "42420"
|
||||
|
||||
## Anti bruteforce
|
||||
### SSH
|
||||
#### Limite à 5 connexions simultanne par IP source
|
||||
#### Limite à 15 tentatives de connexion toutes les 5 minutes
|
||||
pass in on egress proto tcp to port $ssh_port modulate state \
|
||||
(max-src-conn 5, max-src-conn-rate 15/5, overload <bruteforce> flush global)
|
||||
|
||||
#web
|
||||
pass in on egress proto tcp to port $web_ports modulate state \
|
||||
(max-src-conn 60, max-src-conn-rate 60/1, overload <bruteforce> flush global)
|
||||
|
||||
# mails
|
||||
## antispam
|
||||
pass in on egress proto tcp to port $mail_ports modulate state \
|
||||
(max-src-conn-rate 20/5, overload <bruteforce> flush global)
|
||||
pass out log on egress proto tcp to any port smtp
|
||||
|
||||
# XMPP
|
||||
pass in on egress proto tcp to port $xmpp_ports modulate state \
|
||||
(max-src-conn 15, max-src-conn-rate 15/5, overload <bruteforce> flush global)
|
||||
|
|
|
@ -15,10 +15,10 @@ listen.owner = www
|
|||
listen.group = www
|
||||
listen.mode = 0660
|
||||
pm = dynamic
|
||||
pm.max_children = 5
|
||||
pm.start_servers = 2
|
||||
pm.max_children = 10
|
||||
pm.start_servers = 4
|
||||
pm.min_spare_servers = 1
|
||||
pm.max_spare_servers = 3
|
||||
pm.max_spare_servers = 6
|
||||
chroot = /var/www
|
||||
env[HOSTNAME] = $HOSTNAME
|
||||
env[PATH] = /usr/local/bin:/usr/bin:/bin
|
||||
|
|
|
@ -1,15 +1,11 @@
|
|||
#!/bin/ksh
|
||||
|
||||
daemon="/usr/local/bin/python3"
|
||||
daemon_flags="wsgi.py"
|
||||
daemon="/usr/local/bin/python3 wsgi.py"
|
||||
daemon_execdir="/home/pywallter/pywallter"
|
||||
daemon_user="pywallter"
|
||||
location="/home/pywallter/pywallter"
|
||||
|
||||
. /etc/rc.d/rc.subr
|
||||
|
||||
rc_start() {
|
||||
${rcexec} "cd ${location}; ${daemon} ${daemon_flags}"
|
||||
}
|
||||
|
||||
rc_bg=YES
|
||||
rc_cmd $1
|
||||
|
|
|
@ -5,24 +5,24 @@
|
|||
|
||||
install_package_nextcloud()
|
||||
{
|
||||
pkg_add php-bz2-8.0.26 php-curl-8.0.26 php-gd-8.0.26 php-gmp-8.0.26 \
|
||||
php-intl-8.0.26 php-pdo_pgsql-8.0.26 php-zip-8.0.26 \
|
||||
pkg_add php-bz2-8.1.18 php-curl-8.1.18 php-gd-8.1.18 php-gmp-8.1.18 \
|
||||
php-intl-8.1.18 php-pdo_pgsql-8.1.18 php-zip-8.1.18 \
|
||||
pecl80-imagick-3.7.0p1 pecl80-redis-5.3.7p0 \
|
||||
nextcloud-24.0.5
|
||||
nextcloud-25.0.6
|
||||
}
|
||||
|
||||
enable_nextlcoud_php_modules(){
|
||||
#enable modules
|
||||
ln -s /etc/php-8.0.sample/gd.ini /etc/php-8.0/gd.ini
|
||||
ln -s /etc/php-8.0.sample/imagick.ini /etc/php-8.0/imagick.ini
|
||||
ln -s /etc/php-8.0.sample/opcache.ini /etc/php-8.0/opcache.ini
|
||||
ln -s /etc/php-8.0.sample/curl.ini /etc/php-8.0/curl.ini
|
||||
ln -s /etc/php-8.0.sample/gmp.ini /etc/php-8.0/gmp.ini
|
||||
ln -s /etc/php-8.0.sample/intl.ini /etc/php-8.0/intl.ini
|
||||
ln -s /etc/php-8.0.sample/redis.ini /etc/php-8.0/redis.ini
|
||||
ln -s /etc/php-8.0.sample/bz2.ini /etc/php-8.0/bz2.ini
|
||||
ln -s /etc/php-8.0.sample/zip.ini /etc/php-8.0/zip.ini
|
||||
ln -s /etc/php-8.0.sample/pdo_pgsql.ini /etc/php-8.0/pdo_pgsql.ini
|
||||
ln -s /etc/php-8.1.sample/gd.ini /etc/php-8.1/gd.ini
|
||||
ln -s /etc/php-8.1.sample/imagick.ini /etc/php-8.1/imagick.ini
|
||||
ln -s /etc/php-8.1.sample/opcache.ini /etc/php-8.1/opcache.ini
|
||||
ln -s /etc/php-8.1.sample/curl.ini /etc/php-8.1/curl.ini
|
||||
ln -s /etc/php-8.1.sample/gmp.ini /etc/php-8.1/gmp.ini
|
||||
ln -s /etc/php-8.1.sample/intl.ini /etc/php-8.1/intl.ini
|
||||
ln -s /etc/php-8.1.sample/redis.ini /etc/php-8.1/redis.ini
|
||||
ln -s /etc/php-8.1.sample/bz2.ini /etc/php-8.1/bz2.ini
|
||||
ln -s /etc/php-8.1.sample/zip.ini /etc/php-8.1/zip.ini
|
||||
ln -s /etc/php-8.1.sample/pdo_pgsql.ini /etc/php-8.1/pdo_pgsql.ini
|
||||
restart_php_service
|
||||
}
|
||||
|
||||
|
@ -34,8 +34,8 @@ configure_nginx_service(){
|
|||
create_nextcloud_db(){
|
||||
psql template1 postgres -c "CREATE USER $nextcloud_db_user WITH PASSWORD '$nextcloud_db_pass' CREATEDB ;"
|
||||
psql template1 postgres -c "CREATE DATABASE $nextcloud_db_name TEMPLATE template1 ENCODING 'UTF8' ;"
|
||||
psql template1 postgres -c "GRANT ALL PRIVILEGES ON DATABASE $nextcloud_db_name TO $nextcloud_db_user ;"
|
||||
psql template1 postgres -c "GRANT ALL PRIVILEGES ON SCHEMA public TO $nextcloud_db_user ;"
|
||||
psql template1 postgres -c "GRANT ALL PRIVILEGES ON DATABASE $nextcloud_db_name TO $nextcloud_db_user;"
|
||||
psql template1 postgres -c "ALTER DATABASE $nextcloud_db_name OWNER TO nextcloud_db_user;"
|
||||
}
|
||||
|
||||
|
||||
|
@ -79,14 +79,23 @@ install_nextcloud(){
|
|||
/var/cron/tabs/root
|
||||
|
||||
}
|
||||
|
||||
|
||||
mkdir my_configuration/nextcloud
|
||||
check_services_for_nextlcoud
|
||||
install_package_nextcloud
|
||||
enable_nextlcoud_php_modules
|
||||
configure_nginx_service
|
||||
create_nextcloud_db
|
||||
install_configuration_files_nextcloud
|
||||
install_nextcloud
|
||||
restart_webserver_service
|
||||
|
||||
if [ "$1" == "gen-config-only" ];
|
||||
then
|
||||
check_services_for_nextcloud
|
||||
configure_nginx_service
|
||||
elif [ "$1" == "install" ];
|
||||
then
|
||||
check_services_for_nextcloud
|
||||
configure_nginx_service
|
||||
install_package_nextcloud
|
||||
enable_nextlcoud_php_modules
|
||||
create_nextcloud_db
|
||||
install_configuration_files_nextcloud
|
||||
install_nextcloud
|
||||
restart_webserver_service
|
||||
fi
|
||||
|
||||
|
||||
|
||||
|
|
|
@ -10,61 +10,8 @@ install_nginx_package()
|
|||
|
||||
gen_nginx_configuration()
|
||||
{
|
||||
cat > my_configuration/nginx/nginx.conf <<EOF
|
||||
user www;
|
||||
worker_processes auto;
|
||||
pid /var/www/run/nginx.pid;
|
||||
include /etc/nginx/modules-enabled/*.conf;
|
||||
|
||||
events {
|
||||
worker_connections 768;
|
||||
# multi_accept on;
|
||||
}
|
||||
|
||||
http {
|
||||
|
||||
##
|
||||
# Basic Settings
|
||||
##
|
||||
|
||||
sendfile on;
|
||||
tcp_nopush on;
|
||||
tcp_nodelay on;
|
||||
keepalive_timeout 65;
|
||||
types_hash_max_size 2048;
|
||||
# server_tokens off;
|
||||
|
||||
include /etc/nginx/mime.types;
|
||||
default_type application/octet-stream;
|
||||
|
||||
##
|
||||
# SSL Settings
|
||||
##
|
||||
|
||||
ssl_protocols TLSv1.2; # Dropping SSLv3, ref: POODLE
|
||||
ssl_prefer_server_ciphers on;
|
||||
|
||||
##
|
||||
# Logging Settings
|
||||
##
|
||||
|
||||
access_log /var/www/logsnginx/access.log;
|
||||
error_log /var/www/logs/nginx/error.log;
|
||||
|
||||
##
|
||||
# Gzip Settings
|
||||
##
|
||||
|
||||
gzip on;
|
||||
##
|
||||
# Virtual Host Configs
|
||||
##
|
||||
|
||||
include /etc/nginx/sites-enabled/*;
|
||||
}
|
||||
EOF
|
||||
|
||||
openssl dhparam -out default_configuration/nginx/dhparam.pem 2048
|
||||
cp -v default_configuration/nginx/nginx.conf.example my_configuration/nginx/nginx.conf
|
||||
openssl dhparam -out my_configuration/nginx/dhparam.pem 2048
|
||||
|
||||
}
|
||||
|
||||
|
@ -72,57 +19,18 @@ EOF
|
|||
|
||||
make_default_homepage()
|
||||
{
|
||||
cat > my_configuration/nginx/site-available/$DOMAIN <<EOF
|
||||
server {
|
||||
listen 80;
|
||||
server_name $DOMAIN;
|
||||
|
||||
#Ajout pour les certificats letsencrypt
|
||||
include snippets/acme-challenge.conf;
|
||||
|
||||
return 301 https://$http_host$request_uri;
|
||||
|
||||
root /html/$DOMAIN;
|
||||
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
server_name $DOMAIN;
|
||||
|
||||
|
||||
ssl_certificate /etc/ssl/$DOMAIN.crt;
|
||||
ssl_certificate_key /etc/ssl/private/$DOMAIN.key;
|
||||
|
||||
#Ajout d'une configuration ssl securise
|
||||
include snippets/secure-ssl.conf;
|
||||
|
||||
# Speeds things up a little bit when resuming a session
|
||||
# ssl_session_timeout 5m;
|
||||
# ssl_session_cache shared:SSL:5m;
|
||||
|
||||
# Ajout pour le certificat letsencrypt
|
||||
include snippets/acme-challenge.conf;
|
||||
|
||||
# Ajout pour securiser les headers
|
||||
include snippets/secure-headers.conf;
|
||||
}
|
||||
|
||||
# Path to the root of your installation
|
||||
root /html/$DOMAIN;
|
||||
|
||||
}
|
||||
EOF
|
||||
|
||||
cp -v default_configuration/nginx/site-avalaible/example \
|
||||
my_configuration/nginx/site-available/$DOMAIN
|
||||
sed -i "s/__DOMAIN__/$DOMAIN/g" my_configuration/nginx/site-available/$DOMAIN
|
||||
}
|
||||
|
||||
install_nginx_configuration(){
|
||||
mkdir /etc/nginx/sites-enabled/
|
||||
mkdir /etc/nginx/sites-available/
|
||||
mkdir /etc/nginx/snippets/
|
||||
cp my_configuration/nginx/nginx.conf /etc/nginx/nginx.conf
|
||||
cp my_configuration/nginx/dhparam.pem /etc/nginx/dhparam.pem
|
||||
cp my_configuration/nginx/snippets/* /etc/nginx/snippets/
|
||||
mkdir -v /etc/nginx/sites-enabled/
|
||||
mkdir -v /etc/nginx/sites-available/
|
||||
mkdir -v /etc/nginx/snippets/
|
||||
cp -v my_configuration/nginx/nginx.conf /etc/nginx/nginx.conf
|
||||
cp -v my_configuration/nginx/dhparam.pem /etc/nginx/dhparam.pem
|
||||
cp -v my_configuration/nginx/snippets/* /etc/nginx/snippets/
|
||||
}
|
||||
|
||||
install_chroot_env()
|
||||
|
@ -130,23 +38,21 @@ install_chroot_env()
|
|||
mkdir /var/www/etc/ssl/
|
||||
install -m 444 -o root -g bin /etc/resolv.conf /var/www/etc/
|
||||
install -m 444 -o root -g bin /etc/ssl/cert.pem /etc/ssl/openssl.cnf /var/www/etc/ssl/
|
||||
|
||||
}
|
||||
|
||||
add_logs_to_newssyslog(){
|
||||
cp -v /etc/newsyslog.conf /etc/newsyslog.conf.old
|
||||
egrep -v "nginx" /etc/newsyslog.conf > /tmp/newsyslog.conf
|
||||
egrep -v "nginx|httpd" /etc/newsyslog.conf > /tmp/newsyslog.conf
|
||||
cat >> /tmp/newsyslog.conf <<EOF
|
||||
/var/www/logs/access.log 644 2 * \$W0 Z /var/www/run/nginx.pid SIGUSR1
|
||||
/var/www/logs/error.log 644 2 250 * Z /var/www/run/nginx.pid SIGUSR1
|
||||
|
||||
EOF
|
||||
mv /tmp/newsyslog.conf /etc/newsyslog.conf
|
||||
}
|
||||
|
||||
mkdir my_configuration/nginx/
|
||||
install_nginx_package
|
||||
#install_nginx_package
|
||||
gen_nginx_configuration
|
||||
install_chroot_env
|
||||
install_nginx_configuration
|
||||
restart_webserver_service
|
||||
#install_chroot_env
|
||||
#install_nginx_configuration
|
||||
#restart_webserver_service
|
||||
|
|
|
@ -2,42 +2,11 @@
|
|||
|
||||
install_php_package()
|
||||
{
|
||||
pkg_add php-8.0.26
|
||||
pkg_add php-8.1.18
|
||||
}
|
||||
|
||||
gen_php_configuration(){
|
||||
cat > my_configuration/php/php-fpm.conf <<EOF
|
||||
;;;;;;;;;;;;;;;;;;;;;
|
||||
; FPM Configuration ;
|
||||
;;;;;;;;;;;;;;;;;;;;;
|
||||
[global]
|
||||
error_log = log/php-fpm.log
|
||||
;;;;;;;;;;;;;;;;;;;;
|
||||
; Pool Definitions ;
|
||||
;;;;;;;;;;;;;;;;;;;;
|
||||
include=/etc/php-fpm.d/*.conf
|
||||
[www]
|
||||
user = www
|
||||
group = www
|
||||
listen = /var/www/run/php-fpm.sock
|
||||
listen.owner = www
|
||||
listen.group = www
|
||||
listen.mode = 0660
|
||||
pm = dynamic
|
||||
pm.max_children = 5
|
||||
pm.start_servers = 2
|
||||
pm.min_spare_servers = 1
|
||||
pm.max_spare_servers = 3
|
||||
chroot = /var/www
|
||||
env[HOSTNAME] = \$HOSTNAME
|
||||
env[PATH] = /usr/local/bin:/usr/bin:/bin
|
||||
env[TMP] = /tmp
|
||||
env[TMPDIR] = /tmp
|
||||
env[TEMP] = /tmp
|
||||
|
||||
|
||||
EOF
|
||||
|
||||
cp -v default_configuration/php/php-fpm.conf my_configuration/php/php-fpm.conf
|
||||
}
|
||||
|
||||
install_configurations_files()
|
||||
|
@ -53,7 +22,13 @@ start_php_service()
|
|||
}
|
||||
|
||||
mkdir my_configuration/php/
|
||||
install_php_package
|
||||
gen_php_configuration
|
||||
install_configurations_files
|
||||
start_php_service
|
||||
if [ "$1" == "gen-config-only" ];
|
||||
then
|
||||
gen_php_configuration
|
||||
elif [ "$1" == "install" ];
|
||||
then
|
||||
install_php_package
|
||||
gen_php_configuration
|
||||
install_configurations_files
|
||||
start_php_service
|
||||
fi
|
||||
|
|
|
@ -2,46 +2,41 @@
|
|||
|
||||
install_postresql_packages()
|
||||
{
|
||||
pkg_add postgresql-client-14.5 postgresql-server-14.5
|
||||
pkg_add postgresql-client-15.2 postgresql-server-15.2
|
||||
}
|
||||
|
||||
configure_postgresql_service()
|
||||
{
|
||||
cat > my_configuration/postgresql/pg_hba.conf <<EOF
|
||||
# TYPE DATABASE USER ADDRESS METHOD
|
||||
cp -v default_configuration/postgresql/pg_hba.conf my_configuration/postgresql/pg_hba.conf
|
||||
}
|
||||
|
||||
local all postgres trust
|
||||
# "local" is for Unix domain socket connections only
|
||||
#local all all md5
|
||||
# IPv4 local connections:
|
||||
host all all 127.0.0.1/32 md5
|
||||
|
||||
|
||||
# IPv6 local connections:
|
||||
host all all ::1/128 md5
|
||||
# Allow replication connections from localhost, by a user with the
|
||||
# replication privilege.
|
||||
local replication all md5
|
||||
host replication all 127.0.0.1/32 md5
|
||||
host replication all ::1/128 md5
|
||||
|
||||
EOF
|
||||
make_data_directory()
|
||||
{
|
||||
su -m _postgresql -c "mkdir /var/postgresql/data"
|
||||
echo $postgresql_root_password > /tmp/passwordpsql.txt
|
||||
su -m _postgresql -c "initdb -D /var/postgresql/data -U postgres -A md5 -E UTF8 --pwfile=/tmp/passwordpsql.txt"
|
||||
[ ! -d "/var/postgresql/data" ] || mv /var/postgresql/data /var/postgresql/data.old
|
||||
su -m _postgresql -c "initdb -D /var/postgresql/data -U postgres -A scram-sha-256 -E UTF8 --pwfile=/tmp/passwordpsql.txt"
|
||||
rm /tmp/passwordpsql.txt
|
||||
}
|
||||
|
||||
install_postgresql_configurations_files(){
|
||||
install_postgresql_configurations_files()
|
||||
{
|
||||
cp -v my_configuration/postgresql/pg_hba.conf /var/postgresql/data/pg_hba.conf
|
||||
}
|
||||
|
||||
start_postgresql_service(){
|
||||
start_postgresql_service()
|
||||
{
|
||||
rcctl start postgresql
|
||||
}
|
||||
|
||||
mkdir my_configuration/postgresql/
|
||||
#install_postresql_packages
|
||||
configure_postgresql_service
|
||||
install_postgresql_configurations_files
|
||||
start_postgresql_service
|
||||
|
||||
if [ "$1" == "gen-config-only" ];
|
||||
then
|
||||
configure_postgresql_service
|
||||
elif [ "$1" == "install" ];
|
||||
then
|
||||
install_postresql_packages
|
||||
configure_postgresql_service
|
||||
install_postgresql_configurations_files
|
||||
start_postgresql_service
|
||||
fi
|
||||
|
|
|
@ -28,11 +28,22 @@ DOSSIER_APP = "./users/"
|
|||
DATABASE = "./base.db"
|
||||
EXT_IMG= {'.jpg', '.JPG', '.png', '.PNG', '.gif', '.GIF', '.bmp', '.BMP', '.jpeg', '.JPEG' }
|
||||
SIGNIN_ENABLE = True
|
||||
XMPP_SERVER = True
|
||||
MAIL_SERVER = True
|
||||
SETUID='doas'
|
||||
EOF
|
||||
|
||||
if [ SERVICE_MAIL = "yes" ];
|
||||
then
|
||||
echo "MAIL_SERVER = True" >> my_configuration/pywallter/config.py
|
||||
else
|
||||
echo "MAIL_SERVER = False" >> my_configuration/pywallter/config.py
|
||||
fi
|
||||
|
||||
if [ SERVICE_XMPP = "yes" ];
|
||||
then
|
||||
echo "XMPP_SERVER = True" >> my_configuration/pywallter/config.py
|
||||
else
|
||||
echo "XMPP_SERVER = False" >> myconfiguration/pywallter/config.py
|
||||
fi
|
||||
}
|
||||
|
||||
|
||||
|
@ -58,7 +69,15 @@ EOF
|
|||
}
|
||||
|
||||
mkdir my_configuration/pywallter/
|
||||
gen_pywallter_configuration_app
|
||||
gen_nginx_pywallter_app
|
||||
install_pywallter_app
|
||||
install_pywallter_configuration_files
|
||||
|
||||
if [ "$1" == "gen-config-only" ];
|
||||
then
|
||||
gen_pywallter_configuration_app
|
||||
gen_nginx_pywallter_app
|
||||
elif [ "$1" == "install" ];
|
||||
then
|
||||
gen_pywallter_configuration_app
|
||||
gen_nginx_pywallter_app
|
||||
install_pywallter_app
|
||||
install_pywallter_configuration_files
|
||||
fi
|
||||
|
|
|
@ -13,11 +13,11 @@ install_prosody_package(){
|
|||
|
||||
gen_prosody_configuration(){
|
||||
|
||||
cp -v default_configuration/xmpp/prosody.cfg.lua.example default_configuration/xmpp/prosody.cfg.lua
|
||||
sed -i "s/__DOMAIN__/$DOMAIN/g" default_configuration/xmpp/prosody.cfg.lua
|
||||
cp -v default_configuration/xmpp/virtualHosts/example.com.conf default_configuration/xmpp/virtualHosts/$DOMAIN.conf
|
||||
sed -i "s/__DOMAIN__/$DOMAIN/g" default_configuration/xmpp/virtualHosts/$DOMAIN.conf
|
||||
sed -i "s/__xmpp_passphrase_for_filesuploads__/$xmpp_passphrase_for_filesuploads/g" default_configuration/xmpp/virtualHosts/$DOMAIN.conf
|
||||
cp -v default_configuration/xmpp/prosody.cfg.lua.example my_configuration/xmpp/prosody.cfg.lua
|
||||
sed -i "s/__DOMAIN__/$DOMAIN/g" my_configuration/xmpp/prosody.cfg.lua
|
||||
cp -v default_configuration/xmpp/virtualHosts/example.com.conf my_configuration/xmpp/virtualHosts/$DOMAIN.conf
|
||||
sed -i "s/__DOMAIN__/$DOMAIN/g" my_configuration/xmpp/virtualHosts/$DOMAIN.conf
|
||||
sed -i "s/__xmpp_passphrase_for_filesuploads__/$xmpp_passphrase_for_filesuploads/g" my_configuration/xmpp/virtualHosts/$DOMAIN.conf
|
||||
|
||||
|
||||
}
|
||||
|
@ -28,7 +28,6 @@ install_xmpp_certs_ssl(){
|
|||
install -o _prosody -g _prosody my_configuration/xmpp/dh-2048.pem /etc/prosody/certs/dh-2048.pem
|
||||
install -o _prosody -g _prosody /etc/ssl/private/"$DOMAIN".key /etc/prosody/certs/"$DOMAIN".key;
|
||||
install -o _prosody -g _prosody /etc/ssl/"$DOMAIN".crt /etc/prosody/certs/"$DOMAIN".crt;
|
||||
|
||||
}
|
||||
|
||||
install_prosody_modules(){
|
||||
|
@ -45,7 +44,6 @@ install_prosody_modules(){
|
|||
|
||||
|
||||
gen_nginx_configuration_files_upload(){
|
||||
|
||||
cp -v default_configuration/xmpp/nginx.conf.sample my_configuration/xmpp/upload.$DOMAIN
|
||||
cp -v default_configuration/xmpp/share.php.sample my_configuration/xmpp/share.php
|
||||
sed -i "s/__DOMAIN__/$DOMAIN/g" my_configuration/xmpp/upload.$DOMAIN
|
||||
|
@ -82,6 +80,7 @@ install_xmpp_configurations_files(){
|
|||
|
||||
|
||||
mkdir my_configuration/xmpp
|
||||
|
||||
if [ "$1" == "gen-config-only" ];
|
||||
then
|
||||
gen_prosody_configuration
|
||||
|
@ -97,3 +96,11 @@ then
|
|||
rcctl enable prosody
|
||||
rcctl start prosody
|
||||
fi
|
||||
|
||||
if [ "$1" == "gen-config-only" ];
|
||||
then
|
||||
#code
|
||||
elif [ "$1" == "install" ];
|
||||
then
|
||||
#Code
|
||||
fi
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
## Par défault le domain est le nom d'hote de la machine maisil est possible de le personnaliser
|
||||
## Par défault le domain est le nom d'hote de la machine mais il est possible de le personnaliser
|
||||
## comme l'exemple ce-dessous
|
||||
# DOMAIN="example.com"
|
||||
DOMAIN=`hostname`
|
||||
|
|
Loading…
Reference in New Issue