Init repo
This commit is contained in:
parent
533a540a1d
commit
85930b7cac
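--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
+my_configuration/*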
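--- a/add_domain_with_acme.sh
+++ b/add_domain_with_acme.sh
@@ -0,0 +1,95 @@
+#!/bin/sh
+
+
+
+gen_nginx_acme_conf(){
+domain=$1
+alt_domain=$2
+nginx_run=`rcctl check nginx`
+
+if [ "$nginx_run" == "nginx(ok)" ]; then
+cat > test/$domain <<EOF
+server {
+listen 80;
+server_name $alt_domain $domain;
+
+include snippets/acme-challenge.conf;
+
+root /htdocs;
+
+}
+EOF
+
+# rcctl restart nginx
+else
+echo "Service NGINX not runnig"
+exit 1
+fi
+
+}
+
+gen_acme_client_conf(){
+domain=$1
+alt_domain=$2
+if [ "$alt_domain" == "" ]; then
+cat >> my_configuration/ssl/$domain-acme-client.conf <<EOF
+
+domain $domain {
+domain key "/etc/ssl/private/$domain.key"
+domain full chain certificate "/etc/ssl/$domain.crt"
+sign with letsencrypt
+}
+
+EOF
+else
+cat >> my_configuration/ssl/$domain-acme-client.conf <<EOF
+
+domain $domain {
+alternative names { $alt_domain }
+domain key "/etc/ssl/private/$domain.key"
+domain full chain certificate "/etc/ssl/$domain.crt"
+sign with letsencrypt
+}
+
+EOF
+fi
+
+}
+
+install_utils(){
+cp -v utils/renew_https_certificate /usr/local/bin/renew_https_certificate
+chmod u+x /usr/local/bin/renew_https_certificate
+}
+
+get_certificate(){
+domain=$1
+
+/usr/local/bin/renew_https_certificate $domain
+}
+
+usage(){
+print "This program ask 3 arguments : \n"
+print "First is email with domain name the second is list of alternatives domains with \" \" \n"
+print "the last arguments is for share the ssl cert with xmpp daemon add xmpp at the end or not"
+print "\t $0 domain.tld \"a.domain.tld b.domain.tld c.domain.tld\""
+
+}
+
+
+
+if [ -z $1 ];
+then
+usage
+exit 3;
+fi
+
+if [ -e /etc/acme-client.conf ]; then
+echo ok
+else
+echo nok
+fi
+
+
+domain=$1
+alt_domain=$2
+
+gen_nginx_acme_conf $domain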
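Review bot: `$domain` comes straight from `$1` and is used unvalidated both as a path component (`test/$domain`, `my_configuration/ssl/$domain-acme-client.conf`) and inside the generated nginx and acme-client configs, so a value containing `/`, whitespace or `;` ends up in the file path or becomes extra directives; a format check next to the `-z` test closes that, e.g. `case "$domain" in ""|*[!A-Za-z0-9.-]*) usage; exit 3 ;; esac`. The top-level call `gen_nginx_acme_conf $domain` never forwards `$alt_domain`, and `gen_acme_client_conf`, `install_utils` and `get_certificate` are defined but never invoked, so the script as committed only writes the nginx stub into `test/` rather than into the nginx config tree. The `/etc/acme-client.conf` check prints ok/nok but does not act on the result. Under `#!/bin/sh`, `[ "$x" == ... ]` and `print` are ksh extensions that work on OpenBSD's ksh-based sh but not on other /bin/sh implementations; either document the OpenBSD-only assumption at the top of the file or use `=` and `printf`.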
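--- a/configure_firewall.sh
+++ b/configure_firewall.sh
@@ -0,0 +1,138 @@
+#!/bin/sh
+
+. ./myserver.conf
+
+install_package(){
+pkg_add ssh_guard curl
+useradd -s /sbin/nologin -d /var/empty _pfbadhost
+ftp https://geoghegan.ca/pub/pf-badhost/0.5/pf-badhost.sh
+install -m 755 -o root -g bin pf-badhost.sh /usr/local/bin/pf-badhost
+install -m 640 -o _pfbadhost -g wheel /dev/null /etc/pf-badhost.txt
+install -d -m 755 -o root -g wheel /var/log/pf-badhost
+install -m 640 -o _pfbadhost -g wheel /dev/null /var/log/pf-badhost/pf-badhost.log
+install -m 640 -o _pfbadhost -g wheel /dev/null /var/log/pf-badhost/pf-badhost.log.0.gz
+cp -v /etc/doas.conf /etc/doas.conf.old
+egrep -v "_pfbadhost" /etc/doas.conf > /tmp/doas.conf
+cat >> /tmp/doas.conf <<EOF
+
+# Pf badhost
+permit nopass _pfbadhost as root cmd /sbin/pfctl args -nf /etc/pf.conf
+permit nopass _pfbadhost as root cmd /sbin/pfctl args -t pfbadhost -T replace -f /etc/pf-badhost.txt
+permit nopass _pfbadhost as root cmd /usr/bin/zcat args -f /var/log/authlog /var/log/authlog.0.gz
+
+EOF
+mv /tmp/doas.conf /etc/doas.conf
+cat > /var/cron/tabs/_pfbadhost <<EOF
+# (Cron version V5.0)
+~ 0~1 * * * -s pf-badhost -O openbsd
+EOF
+chown _pfbadhost:crontab /var/cron/tabs/_pfbadhost
+chmod 600 /var/cron/tabs/_pfbadhost
+}
+
+
+set_basic_configuration(){
+cat > my_configuration/pf.conf <<EOF
+#Filtres badhosts et sshguard
+table <pfbadhost> persist file "/etc/pf-badhost.txt"
+table <sshguard> persist
+
+## Table pour les batards de bruteforceurs
+table <bruteforce> persist
+
+
+set block-policy drop # bloque silencieusement
+set skip on lo # En local on s'en fou on surveille rien
+set limit table-entries 400000
+set limit states 100000
+
+
+
+## Traitement des paquets ##
+# Paquets partiels on vire
+match all scrub (max-mss 1440 no-df random-id reassemble tcp)
+antispoof quick for egress # Protection vol d'ip
+antispoof quick for lo0 # Protection vol d'ip
+
+# Port build user does not need network
+block return out log proto {tcp udp} user _pbuild
+
+# On bloque tout par défault
+block
+
+block quick on egress from <pfbadhost>
+block in from <sshguard>
+block log quick from <bruteforce> label "brutes"
+
+pass out on egress proto { tcp udp icmp ipv6-icmp } modulate state
+
+EOF
+
+}
+
+set_open_service(){
+cat >> my_configuration/pf.conf <<EOF
+#déclaration des variables
+web_ports = "{ http https }"
+EOF
+
+if [ "$SERVICE_MAIL" == "yes" ]; then
+echo "mail_ports = \"{ smtp submission imap }\"" >> default_configuration/pf.conf
+fi
+
+if [ "$SERVICE_XMPP" == "yes" ]; then
+echo "xmmp_ports = \"{ 5222 5269 }\"" >> default_configuration/pf.conf
+fi
+
+echo "ssh_port = \"$SSH_PORT\"" >> default_configuration/pf.conf
+
+cat >> my_configuration/pf.conf <<EOF
+
+## Anti bruteforce
+### SSH
+#### Limit 5 connexions simultanne par IP source
+#### Limit 15 tentatives de connexion toutes les 5 minutes
+pass in on egress proto tcp to port \$ssh_port modulate state \\
+(max-src-conn 5, max-src-conn-rate 15/5, overload <bruteforce> flush global)
+
+#web
+pass in on egress proto tcp to port \$web_ports modulate state \\
+(max-src-conn 60, max-src-conn-rate 60/1, overload <bruteforce> flush global)
+
+EOF
+
+if [ "$SERVICE_MAIL" == "yes" ]; then
+cat >> my_configuration/pf.conf <<EOF
+# mails
+## antispam
+pass in on egress proto tcp to port \$mail_ports modulate state \\
+(max-src-conn-rate 20/5, overload <bruteforce> flush global)
+pass out log on egress proto tcp to any port smtp
+
+EOF
+fi
+
+if [ "$SERVICE_XMPP" == "yes" ]; then
+cat >> my_configuration/pf.conf <<EOF
+# XMPP
+pass in on egress proto tcp to port \$xmpp_ports modulate state \\
+(max-src-conn 15, max-src-conn-rate 15/5, overload <bruteforce> flush global)
+EOF
+fi
+
+}
+
+install_pf_and_enable(){
+pfctl -nf my_configuration/pf.conf
+if [ $? == 0 ]; then
+cp -v /etc/pf.conf /etc/pf.old
+cp -v my_configuration/pf.conf /etc/pf.conf
+pfctl -f /etc/pf.conf
+else
+echo "Il y a un problème dans la configuration du firewall"
+fi
+
+}
+
+set_basic_configuration
+set_open_service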
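Review bot: In `set_open_service` the macro definitions for `mail_ports`, `xmpp_ports` and `ssh_port` are appended to `default_configuration/pf.conf` while every rule that references them is appended to `my_configuration/pf.conf`, so `pfctl -nf my_configuration/pf.conf` fails on an undefined macro as soon as it reaches `$ssh_port`; the three `echo` lines should target `my_configuration/pf.conf`, and the XMPP one defines `xmmp_ports` where the rule reads `$xmpp_ports`: `echo "xmpp_ports = \"{ 5222 5269 }\"" >> my_configuration/pf.conf`. `install_package` assembles the new `/etc/doas.conf` at the predictable, world-writable path `/tmp/doas.conf` before the `mv`; building it with `mktemp` (or directly under `/etc`) prevents another local user from pre-creating or swapping that file. The same function installs `pf-badhost.sh` fetched over the network into `/usr/local/bin` and grants `_pfbadhost` passwordless `pfctl` via doas without any checksum or signature check on the download; pinning an expected digest (`<PLACEHOLDER_SHA256>`) and verifying it with `sha256 -C` before the `install` keeps that trust boundary explicit. Note also that `install_package` and `install_pf_and_enable` are never called from the top-level flow, and `install_pf_and_enable` tests `$?` with `==` where `if pfctl -nf my_configuration/pf.conf; then` is both portable and clearer.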
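--- a/configure_mail_service.sh
+++ b/configure_mail_service.sh
@@ -0,0 +1,283 @@
+#!/bin/sh
+
+. ./myserver.conf
+. ./utils.sh
+
+install_mails_services_pkg()
+{
+pkg_add dovecot dovecot-pigeonhole opensmtpd-filter-rspamd \
+opensmtpd-extras-6.7.1v0 opensmtpd-filter-dkimsign-0.5 rspamd-3.2
+}
+
+gen_mails_service_configuration()
+{
+
+#Generate opensmtpd configuration
+cat > my_configuration/mail/smtpd.conf <<EOF
+# See smtpd.conf(5) for more information.
+
+
+# To accept external mail, replace with: listen on all
+#
+
+# les Certificats
+pki "cert_mail" cert "/etc/ssl/$DOMAIN.crt"
+pki "cert_mail" key "/etc/ssl/private/$DOMAIN.key"
+
+table aliases file:/etc/mail/aliases
+table passwd file:/etc/mail/passwd
+table virtuals file:/etc/mail/virtuals
+
+filter "rspamd" proc-exec "filter-rspamd"
+filter "dkimsign" proc-exec "filter-dkimsign -d $DOMAIN -s dkim -k /etc/mail/dkim/$DOMAIN-private.key" user _dkimsign group _dkimsign
+
+# Activation du check du reverse DNS
+#filter check_rdns phase connect match !rdns disconnect "550 no rDNS available"
+#filter check_fcrdns phase connect match !fcrdns disconnect "550 no FCrDNS available"
+
+# To accept external mail, replace with: listen on all
+
+
+listen on all tls pki "cert_mail" hostname "$DOMAIN" filter rspamd
+listen on all port submission tls-require pki "cert_mail" auth <passwd> filter dkimsign
+
+action "local_mail" mbox alias <aliases>
+action "domain_mail" maildir "/var/vmail/$DOMAIN/%{dest.user:lowercase}" virtual <virtuals>
+action "outbound" relay
+
+
+# Uncomment the following to accept external mail for domain "example.org"
+match from any for domain "$DOMAIN" action "domain_mail"
+match from local for local action "local_mail"
+
+match auth from any for any action "outbound"
+
+EOF
+
+#Generate spamd configuration
+cat > my_configuration/mail/spamd.conf <<EOF
+
+all:\
+:nixspam:
+
+# Nixspam recent sources list.
+# Mirrored from http://www.heise.de/ix/nixspam
+nixspam:\
+:black:\
+:msg="Your address %A is in the nixspam list\n\
+See http://www.heise.de/ix/nixspam/dnsbl_en/ for details":\
+:method=https:\
+:file=www.openbsd.org/spamd/nixspam.gz
+
+# An example of a list containing addresses which should not talk to spamd.
+#
+#override:\
+# :white:\
+# :method=file:\
+# :file=/var/db/override.txt:
+
+EOF
+
+## Generate Dovecot configuration
+cat > my_configuration/dovecot/local.conf <<EOF
+listen = *
+protocols = imap
+first_valid_uid = 1000
+first_valid_gid = 1000
+mail_location = maildir:/var/vmail/%d/%n
+mail_plugin_dir = /usr/local/lib/dovecot
+disable_plaintext_auth = yes
+
+managesieve_notify_capability = mailto
+managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext imapsieve vnd.dovecot.imapsieve
+
+mbox_write_locks = fcntl
+mmap_disable = yes
+namespace inbox {
+inbox = yes
+location =
+mailbox Archive {
+auto = subscribe
+special_use = \Archive
+}
+mailbox Drafts {
+auto = subscribe
+special_use = \Drafts
+}
+mailbox Junk {
+auto = subscribe
+special_use = \Junk
+}
+mailbox Sent {
+auto = subscribe
+special_use = \Sent
+}
+mailbox Trash {
+auto = subscribe
+special_use = \Trash
+}
+prefix =
+}
+
+service auth {
+user = $default_internal_user
+group = _maildaemons
+}
+
+passdb {
+args = scheme=blf-crypt /etc/mail/passwd
+driver = passwd-file
+}
+
+plugin {
+imapsieve_mailbox1_before = file:/usr/local/lib/dovecot/sieve/report-spam.sieve
+imapsieve_mailbox1_causes = COPY
+imapsieve_mailbox1_name = Junk
+imapsieve_mailbox2_before = file:/usr/local/lib/dovecot/sieve/report-ham.sieve
+imapsieve_mailbox2_causes = COPY
+imapsieve_mailbox2_from = Junk
+imapsieve_mailbox2_name = *
+sieve = file:~/sieve;active=~/.dovecot.sieve
+sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment
+sieve_pipe_bin_dir = /usr/local/lib/dovecot/sieve
+sieve_plugins = sieve_imapsieve sieve_extprograms
+}
+
+
+protocols = imap sieve
+service imap-login {
+inet_listener imap {
+port = 143
+}
+}
+
+ssl = required
+
+ssl_min_protocol = TLSv1.2
+ssl_cipher_list = EECDH+AESGCM
+ssl_prefer_server_ciphers = yes
+#ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
+
+ssl_cert = </etc/ssl/$DOMAIN.crt
+ssl_key = </etc/ssl/private/$DOMAIN.key
+
+userdb {
+driver = static
+args = uid=vmail gid=vmail home=/var/vmail/%d/%n/
+}
+
+protocol imap {
+mail_plugins = " imap_sieve"
+}
+
+EOF
+
+}
+
+gen_dkim_keys(){
+# Generate dkim key
+openssl genrsa -out my_configuration/mail/$DOMAIN-private.key 2048
+openssl rsa -in my_configuration/mail/$DOMAIN-private.key -pubout | \
+sed '1s/.*/v=DKIM1;p=/;:nl;${s/-----.*//;q;};N;s/\n//g;b nl;' > default_configuration/mail/$DOMAIN-public.key
+
+}
+
+install_dovecot_service_antispam()
+{
+# Add antispam utils for Dovecot
+cd /usr/local/lib/dovecot/sieve
+
+cat > report-ham.sieve <<EOF
+
+require ["vnd.dovecot.pipe", "copy", "imapsieve", "environment", "variables"];
+
+if environment :matches "imap.mailbox" "*" {
+set "mailbox" "${1}";
+}
+
+if string "${mailbox}" "Trash" {
+stop;
+}
+
+if environment :matches "imap.user" "*" {
+set "username" "${1}";
+}
+
+pipe :copy "sa-learn-ham.sh" [ "${username}" ];
+EOF
+
+cat > report-spam.sieve <<EOF
+require ["vnd.dovecot.pipe", "copy", "imapsieve", "environment", "variables"];
+
+if environment :matches "imap.user" "*" {
+set "username" "${1}";
+}
+
+pipe :copy "sa-learn-spam.sh" [ "${username}" ];
+EOF
+
+cat > sa-learn-ham.sh<<EOF
+#!/bin/sh
+exec /usr/local/bin/rspamc -d "${1}" learn_ham
+EOF
+
+cat > sa-learn-spam.sh<<EOF
+
+#!/bin/sh
+exec /usr/local/bin/rspamc -d "${1}" learn_spam
+EOF
+
+
+sievec report-ham.sieve
+sievec report-spam.sieve
+
+chmod 755 sa-learn-ham.sh
+chmod 755 sa-learn-spam.sh
+}
+
+install_mails_services_configuration()
+{
+cp my_configuration/mail/smtpd.conf /etc/mail/smtpd.conf
+cp my_configuration/dovecot/local.conf /etc/dovecot/local.conf
+mkdir /etc/mail/dkim/
+cp my_configuration/mail/$DOMAIN-private.key /etc/mail/dkim/
+cp my_configuration/mail/$DOMAIN-public.key /etc/mail/dkim/
+chown -R _dkimsign /etc/mail/dkim/
+touch /etc/mail/virtuals
+touch /etc/mail/passwd
+rm /etc/dovecot/conf.d/10-ssl.conf
+
+}
+
+make_system_mails_services_requirements()
+{
+
+useradd -c "Virtual Mail Account" -d /var/vmail -s /sbin/nologin -u 2000 -g =uid -L staff vmail
+mkdir -p /var/vmail/$DOMAIN
+chown -R vmail:vmail /var/vmail/
+groupadd _maildaemons
+usermod -G _maildaemons _dovecot
+usermod -G _maildaemons _smtpd
+
+cp /etc/login.conf /etc/login.conf.old
+cat >> /etc/login.conf <<EOF
+dovecot:\
+:openfiles-cur=1024:\
+:openfiles-max=2048:\
+:tc=daemon:
+EOF
+
+}
+
+mkdir my_configuration/mail
+mkdir my_configuration/dovecot
+
+install_mails_services_pkg
+gen_mails_service_configuration
+gen_dkim_keys
+gen_mails_service_utils
+install_mails_services_configuration
+make_system_mails_services_requirements
+rcctl enable redis
+rcctl start redis
+restart_mails_service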
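Review bot: The heredocs in `install_dovecot_service_antispam` use an unquoted `EOF` delimiter, so the shell expands `${1}`, `${mailbox}` and `${username}` while generating `report-ham.sieve`, `report-spam.sieve` and the two `sa-learn-*.sh` wrappers; the installed sieve scripts then pipe an empty username and the wrappers run `rspamc -d "" ...`, so those four `cat > ... <<EOF` lines should read `<<'EOF'`. The Dovecot heredoc has the same problem at `user = $default_internal_user`, which is a Dovecot variable reference but is expanded by the shell to an empty value unless something sourced earlier happens to set it. `gen_dkim_keys` writes the public key to `default_configuration/mail/$DOMAIN-public.key` while `install_mails_services_configuration` copies it from `my_configuration/mail/$DOMAIN-public.key`, so that `cp` fails and nothing ends up in `/etc/mail/dkim/` for the DNS record. The top-level flow calls `gen_mails_service_utils` and `restart_mails_service`, neither of which is defined in this file (they may come from `utils.sh`, which is not part of this commit), while `install_dovecot_service_antispam` is never called; the first name looks like the intended call for it. The private DKIM key is copied into `/etc/mail/dkim/` with only a `chown -R`, so its mode depends on the umask in force when `openssl genrsa` ran; an explicit `chmod 600` on the `-private.key` next to the `chown` would make the intent visible.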
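--- a/default_configuration/dolibarr/nginx.conf.example
+++ b/default_configuration/dolibarr/nginx.conf.example
@@ -0,0 +1,41 @@
+server {
+
+root /dolibarr/htdocs;
+
+
+listen [::]:443 ssl;
+
+listen 443 ssl;
+
+ssl_certificate /etc/ssl/__dolibarr_domain__.crt;
+ssl_certificate_key /etc/ssl/private/__dolibarr_domain__.key;
+
+index index.html index.php;
+
+server_name __dolibar_domain__;
+
+location / {
+try_files $uri $uri/ =404;
+}
+
+location ~ [^/]\.php(/|$) {
+fastcgi_intercept_errors on;
+include fastcgi_params;
+fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+fastcgi_param SCRIPT_NAME $fastcgi_script_name;
+}
+
+
+}
+
+server {
+
+listen [::]:80;
+listen 80;
+server_name __dolibarr_domain__;
+
+if ($host = dolibarr.example.fr) {
+return 301 https://$host$request_uri;
+}
+
+}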
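Review bot: The `location ~ [^/]\.php(/|$)` block sets FastCGI parameters but never hands the request to PHP (there is no `fastcgi_pass`), so nginx falls back to the static handler and serves the `.php` source to the client; add `fastcgi_pass php-handler;` (the upstream declared in `default_configuration/php/nginx-php-enabled.conf`) to this block, and the same block in `default_configuration/dolibarr/nginx.conf.sample` has the same omission. `server_name __dolibar_domain__;` misspells the placeholder used everywhere else (`__dolibarr_domain__`), so whatever substitutes the placeholders will leave this server without a name. The HTTP server's redirect is gated on the literal `dolibarr.example.fr` rather than the placeholder, so it never fires once the real domain is substituted. This file and `nginx.conf.sample` are two diverging versions of the same vhost (different `root`, TLS snippet and ACME include); keeping only one would avoid the drift.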
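--- a/default_configuration/dolibarr/nginx.conf.sample
+++ b/default_configuration/dolibarr/nginx.conf.sample
@@ -0,0 +1,45 @@
+
+server {
+listen 80;
+server_name __dolibarr_domain__;
+
+include snippets/acme-challenge.conf;
+
+return 301 https://$http_host$request_uri;
+
+root /htdocs/;
+
+}
+
+server {
+listen 443 ssl http2;
+server_name __dolibarr_domain__;
+
+root /var/www/dolibarr/htdocs;
+
+index index.html index.php;
+ssl_certificate /etc/ssl/__dolibarr_domain__.crt;
+ssl_certificate_key /etc/ssl/private/__dolibarr_domain__.key;
+
+include snippets/secure-ssl.conf;
+
+include snippets/acme-challenge.conf;
+
+location / {
+
+try_files $uri $uri/ =404;
+
+}
+
+location ~ [^/]\.php(/|$) {
+fastcgi_intercept_errors on;
+include fastcgi_params;
+fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+fastcgi_param SCRIPT_NAME $fastcgi_script_name;
+
+}
+
+
+
+}
+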
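Review bot: In the port-80 server, `return 301 https://$http_host$request_uri;` sits at server level, and as far as I can tell nginx runs server-level rewrite-module directives before it selects a location, so the `include snippets/acme-challenge.conf;` in that server is never reached and HTTP-01 validation requests get redirected to HTTPS — which on first issuance has no certificate yet. Moving the redirect into the catch-all location keeps the ACME location effective: `location / { return 301 https://$http_host$request_uri; }`. The same server-level `return` appears in the port-80 server of `default_configuration/nextcloud/nginx.conf.sample`. The 443 server includes `snippets/secure-ssl.conf` but not `snippets/secure-headers.conf`, so this vhost gets no HSTS or other response-hardening headers; if that is deliberate, a comment next to the include would say so.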
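--- a/default_configuration/nextcloud/custom.config.php
+++ b/default_configuration/nextcloud/custom.config.php
@@ -0,0 +1,4 @@
+<?php
+$CONFIG = array (
+'datadirectory' => ((php_sapi_name() == 'cli') ? '/var/www' : '') . '/nextcloud/data',
+);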
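--- a/default_configuration/nextcloud/nginx.conf.sample
+++ b/default_configuration/nextcloud/nginx.conf.sample
@@ -0,0 +1,153 @@
+
+server {
+listen 80;
+server_name __nextcloud_domain__;
+
+include snippets/acme-challenge.conf;
+
+return 301 https://$http_host$request_uri;
+
+root /htdocs/;
+
+}
+
+server {
+listen 443 ssl http2;
+server_name __nextcloud_domain__;
+
+
+ssl_certificate /etc/ssl/__nextcloud_domain__.crt;
+ssl_certificate_key /etc/ssl/private/__nextcloud_domain__.key;
+
+include snippets/secure-ssl.conf;
+
+include snippets/acme-challenge.conf;
+# set max upload size
+client_max_body_size 4096M;
+fastcgi_buffers 64 4K;
+
+# Enable gzip but do not remove ETag headers
+gzip on;
+gzip_vary on;
+gzip_comp_level 4;
+gzip_min_length 256;
+gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
+gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+
+add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
+add_header X-Frame-Options "SAMEORIGIN" "always";
+# Pagespeed is not supported by Nextcloud, so if your server is built
+# with the `ngx_pagespeed` module, uncomment this line to disable it.
+# pagespeed off;
+add_header X-Content-Type-Options "nosniff";
+# HTTP response headers borrowed from Nextcloud `.htaccess`
+add_header Referrer-Policy "no-referrer" always;
+add_header X-Download-Options "noopen" always;
+add_header X-Permitted-Cross-Domain-Policies "none" always;
+add_header X-Robots-Tag "none" always;
+add_header X-XSS-Protection "1; mode=block" always;
+
+
+
+# Remove X-Powered-By, which is an information leak
+fastcgi_hide_header X-Powered-By;
+
+
+# Specify how to handle directories -- specifying `/index.php$request_uri`
+# here as the fallback means that Nginx always exhibits the desired behaviour
+# when a client requests a path that corresponds to a directory that exists
+# on the server. In particular, if that directory contains an index.php file,
+# that file is correctly served; if it doesn't, then the request is passed to
+# the front-end controller. This consistent behaviour means that we don't need
+# to specify custom rules for certain paths (e.g. images and other assets,
+# `/updater`, `/ocm-provider`, `/ocs-provider`), and thus
+# `try_files $uri $uri/ /index.php$request_uri`
+# always provides the desired behaviour.
+index index.php index.html /index.php$request_uri;
+
+
+
+
+# Rule borrowed from `.htaccess` to handle Microsoft DAV clients
+location = / {
+if ( $http_user_agent ~ ^DavClnt ) {
+return 302 /remote.php/webdav/$is_args$args;
+}
+}
+
+location = /robots.txt {
+allow all;
+log_not_found off;
+access_log off;
+}
+
+# Make a regex exception for `/.well-known` so that clients can still
+# access it despite the existence of the regex rule
+# `location ~ /(\.|autotest|...)` which would otherwise handle requests
+# for `/.well-known`.
+
+
+
+location ^~ /.well-known {
+# The rules in this block are an adaptation of the rules
+# in `.htaccess` that concern `/.well-known`.
+location = /.well-known/carddav { return 301 /remote.php/dav/; }
+location = /.well-known/caldav { return 301 /remote.php/dav/; }
+
+
+# Let Nextcloud's API for `/.well-known` URIs handle all other
+# requests by passing them to the front-end controller.
+return 301 /index.php$request_uri;
+}
+# Rules borrowed from `.htaccess` to hide certain paths from clients
+location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; }
+location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; }
+
+# Ensure this block, which passes PHP files to the PHP process, is above the blocks
+# which handle static assets (as seen below). If this block is not declared first,
+# then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
+# to the URI, resulting in a HTTP 500 error response.
+location ~ \.php(?:$|/) {
+fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+set $path_info $fastcgi_path_info;
+
+try_files $fastcgi_script_name =404;
+
+include fastcgi_params;
+fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+fastcgi_param PATH_INFO $path_info;
+fastcgi_param HTTPS on;
+
+fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice
+fastcgi_param front_controller_active true; # Enable pretty urls
+fastcgi_pass php-handler;
+
+fastcgi_intercept_errors on;
+fastcgi_request_buffering off;
+}
+
+location ~ \.(?:css|js|svg|gif)$ {
+try_files $uri /index.php$request_uri;
+expires 6M; # Cache-Control policy borrowed from `.htaccess`
+access_log off; # Optional: Don't log access to assets
+}
+
+location ~ \.woff2?$ {
+try_files $uri /index.php$request_uri;
+expires 7d; # Cache-Control policy borrowed from `.htaccess`
+access_log off; # Optional: Don't log access to assets
+}
+
+# Rule borrowed from `.htaccess`
+location /remote {
+return 301 /remote.php$request_uri;
+}
+
+location / {
+try_files $uri $uri/ /index.php$request_uri;
+}
+
+
+root /nextcloud;
+}
+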
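Review bot: `client_max_body_size 4096M;` in the 443 server advertises a limit PHP will not honour: `default_configuration/php/php-8.0.ini` in this same commit sets `upload_max_filesize = 2048M` but `post_max_size = 8M`, so PHP-FPM rejects any upload above 8M regardless of this directive; the three values need to be aligned, with `post_max_size` at or above `upload_max_filesize`. The HSTS header here (`max-age=15768000; includeSubDomains; preload;`) differs from the one in `snippets/secure-headers.conf` (`max-age=31536000`) and the gzip block duplicates that snippet, so the two copies will drift; if the inline copy is deliberate (Nextcloud emits its own CSP, which the snippet's `Content-Security-Policy` headers would double), a one-line comment saying so would stop the next reader from "fixing" it. The trailing `;` inside the HSTS value after `preload` is harmless but non-standard and can be dropped.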
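--- a/default_configuration/nginx/snippets/acme-challenge.conf
+++ b/default_configuration/nginx/snippets/acme-challenge.conf
@@ -0,0 +1,5 @@
+location ^~ /.well-known/acme-challenge/ {
+rewrite ^/.well-known/acme-challenge/(.*) /$1 break;
+default_type "text/plain";
+root /acme;
+}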
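--- a/default_configuration/nginx/snippets/secure-headers.conf
+++ b/default_configuration/nginx/snippets/secure-headers.conf
@@ -0,0 +1,35 @@
+# Ajout HSTS header
+# Appliquer une durée de plus d'une semaine pour obtenir A+ sur ssl-labs
+add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; # duration=365days
+# add_header Strict-Transport-Security "max-age=0; includeSubDomains"; # Désactive HSTS
+
+
+# Ajoute gzip mais n'enleve pas les ETag headers
+gzip on;
+gzip_vary on;
+gzip_comp_level 4;
+gzip_min_length 256;
+gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
+gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+
+
+
+
+
+# Pagespeed is not supported by Nextcloud, so if your server is built
+# with the ngx_pagespeed module, uncomment this line to disable it.
+# pagespeed off;
+
+add_header Referrer-Policy "no-referrer" always;
+add_header X-Content-Type-Options "nosniff";
+add_header X-Download-Options "noopen" always;
+add_header X-Frame-Options "SAMEORIGIN";
+add_header X-Permitted-Cross-Domain-Policies "none" always;
+add_header X-Robots-Tag "none" always;
+add_header X-XSS-Protection "1; mode=block" always;
+add_header Content-Security-Policy "upgrade-insecure-requests";
+add_header Content-Security-Policy-Report-Only " default-src https: data: 'unsafe-inline' 'unsafe-eval'";
+
+
+# Remove X-Powered-By, which is an information leak
+fastcgi_hide_header X-Powered-By;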
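Review bot: `add_header X-Content-Type-Options "nosniff";` and `add_header X-Frame-Options "SAMEORIGIN";` lack the `always` flag the neighbouring headers carry, so nginx omits them on 4xx/5xx responses, which is exactly where MIME-sniffing and framing protection still matter; add `always` to both. `Content-Security-Policy-Report-Only` has no `report-uri`/`report-to` directive, so violations of that draft policy are never delivered anywhere and the header only adds bytes to every response; either add a reporting endpoint or drop it until one exists. nginx's `add_header` is not additive across levels: any `location` that declares its own `add_header` silently drops every header from this snippet, which deserves a comment at the top of the file since it is meant to be included from server blocks.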
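--- a/default_configuration/nginx/snippets/secure-ssl.conf
+++ b/default_configuration/nginx/snippets/secure-ssl.conf
@@ -0,0 +1,21 @@
+ssl_dhparam /etc/nginx/dhparam.pem;
+ssl_protocols TLSv1.2 TLSv1.3; # Score=100
+
+# ssl ciphers list
+ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 +SHA !aNULL !eNULL !LOW !kECDH !DSS !MD5 !RC4 !EXP !PSK !SRP !CAMELLIA !SEED'; # Score=90 (recommended because more compatible)
+# ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL; # Score=100
+
+# to ensure that the best possible cipher is always included over the weaker ones, chosen from the above order
+ssl_prefer_server_ciphers on;
+
+
+# OCSP stapling
+ssl_stapling on; # allow Nginx to send OCSP results during the connection process
+ssl_stapling_verify on;
+resolver 80.67.169.12 80.67.169.40 valid=300s;
+resolver_timeout 10s;
+
+# Speeds things up a little bit when resuming a session
+ssl_session_timeout 5m;
+ssl_session_cache shared:SSL:5m;
+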
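Review bot: `ssl_dhparam /etc/nginx/dhparam.pem;` references a file that nothing in this commit generates, and nginx refuses to load a configuration whose `ssl_dhparam` file is missing, so either an install step should create it (`openssl dhparam -out /etc/nginx/dhparam.pem 2048` or larger) or the `kEDH` entries should be dropped from `ssl_ciphers` together with this line so that only ECDHE is negotiated. OCSP stapling is resolved through two hard-coded public resolvers (`80.67.169.12 80.67.169.40`) over plain DNS; pointing `resolver` at the host's own resolver (on OpenBSD, `127.0.0.1` when unwind or unbound is enabled) keeps certificate-status lookups on the box and removes the dependency on a third party. `ssl_stapling_verify on` needs the issuer chain; it works here only because the acme-client config writes the full chain into `/etc/ssl/<domain>.crt`, which is worth a comment beside the directive so the coupling survives a later change to `ssl_certificate`.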
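--- a/default_configuration/pf.conf
+++ b/default_configuration/pf.conf
@@ -0,0 +1,59 @@
+#Filtres badhosts et sshguard
+table <pfbadhost> persist file "/etc/pf-badhost.txt"
+table <sshguard> persist
+
+## Table pour les batards de bruteforceurs
+table <bruteforce> persist
+
+
+set block-policy drop # bloque silencieusement
+set skip on lo # En local on s'en fou on surveille rien
+set limit table-entries 400000
+set limit states 100000
+
+
+
+## Traitement des paquets ##
+# Paquets partiels on vire
+match all scrub (max-mss 1440 no-df random-id reassemble tcp)
+antispoof quick for egress # Protection vol d'ip
+antispoof quick for lo0 # Protection vol d'ip
+
+# Port build user does not need network
+block return out log proto {tcp udp} user _pbuild
+
+# On bloque tout par défault
+block
+
+block quick on egress from <pfbadhost>
+block in from <sshguard>
+block log quick from <bruteforce> label "brutes"
+
+pass out on egress proto { tcp udp icmp ipv6-icmp } modulate state
+
+#déclaration des variables
+web_ports = "{ http https }"
+mail_ports = "{ smtp submission imap }"
+xmpp_ports = "{ 5222 5269 }"
+ssh_port = "42420"
+
+## Anti bruteforce
+### SSH
+#### Limite à 5 connexions simultanne par IP source
+#### Limite à 15 tentatives de connexion toutes les 5 minutes
+pass in on egress proto tcp to port $ssh_port modulate state \
+(max-src-conn 5, max-src-conn-rate 15/5, overload <bruteforce> flush global)
+
+#web
+pass in on egress proto tcp to port $web_ports modulate state \
+(max-src-conn 60, max-src-conn-rate 60/1, overload <bruteforce> flush global)
+
+# mails
+## antispam
+pass in on egress proto tcp to port $mail_ports modulate state \
+(max-src-conn-rate 20/5, overload <bruteforce> flush global)
+pass out log on egress proto tcp to any port smtp
+
+# XMPP
+pass in on egress proto tcp to port $xmpp_ports modulate state \
+(max-src-conn 15, max-src-conn-rate 15/5, overload <bruteforce> flush global)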
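Review bot: `block in from <sshguard>` has no `quick`, so under pf's last-matching-rule semantics the later `pass in on egress proto tcp to port $ssh_port ...` rule (and the web, mail and XMPP pass rules) override it and addresses sshguard has banned still reach those ports; it should read `block in quick from <sshguard>`, matching the `quick` already used on the `<pfbadhost>` and `<bruteforce>` rules. The same line is emitted verbatim by `set_basic_configuration` in `configure_firewall.sh`, so both copies need the fix. `ssh_port = "42420"` is a baked-in value whereas `configure_firewall.sh` derives the port from `$SSH_PORT`; a header comment marking this file as the reference copy that the script regenerates would explain why the two are allowed to differ.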
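--- a/default_configuration/php/nginx-php-enabled.conf
+++ b/default_configuration/php/nginx-php-enabled.conf
@@ -0,0 +1,4 @@
+
+upstream php-handler {
+server unix:/run/php-fpm.sock;
+}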
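--- a/default_configuration/php/php-8.0.ini
+++ b/default_configuration/php/php-8.0.ini
@@ -0,0 +1,189 @@
+[PHP]
+;;;;;;;;;;;;;;;;;;;
+; Quick Reference ;
+;;;;;;;;;;;;;;;;;;;
+;;;;;;;;;;;;;;;;;;;;
+; Language Options ;
+;;;;;;;;;;;;;;;;;;;;
+engine = On
+short_open_tag = Off
+precision = 14
+output_buffering = 4096
+zlib.output_compression = Off
+implicit_flush = Off
+unserialize_callback_func =
+serialize_precision = -1
+disable_functions =
+disable_classes =
+zend.enable_gc = On
+zend.exception_ignore_args = On
+zend.exception_string_param_max_len = 0
+
+;;;;;;;;;;;;;;;;;
+; Miscellaneous ;
+;;;;;;;;;;;;;;;;;
+expose_php = Off
+;;;;;;;;;;;;;;;;;;;
+; Resource Limits ;
+;;;;;;;;;;;;;;;;;;;
+
+max_execution_time = 30
+max_input_time = 60
+memory_limit = 2048M
+error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
+display_errors = Off
+display_startup_errors = Off
+log_errors = On
+log_errors_max_len = 1024
+ignore_repeated_errors = Off
+ignore_repeated_source = Off
+report_memleaks = On
+;;;;;;;;;;;;;;;;;
+; Data Handling ;
+;;;;;;;;;;;;;;;;;
+
+variables_order = "GPCS"
+request_order = "GP"
+register_argc_argv = Off
+auto_globals_jit = On
+post_max_size = 8M
+auto_prepend_file =
+auto_append_file =
+default_mimetype = "text/html"
+default_charset = "UTF-8"
+;;;;;;;;;;;;;;;;;;;;;;;;;
+; Paths and Directories ;
+;;;;;;;;;;;;;;;;;;;;;;;;;
+; UNIX: "/path1:/path2"
+include_path = ".:/pear/lib:/var/www/pear/lib"
+doc_root =
+user_dir =
+extension_dir = "/usr/local/lib/php-8.0/modules"
+enable_dl = Off
+
+;;;;;;;;;;;;;;;;
+; File Uploads ;
+;;;;;;;;;;;;;;;;
+file_uploads = On
+upload_max_filesize = 2048M
+max_file_uploads = 20
+
+;;;;;;;;;;;;;;;;;;
+; Fopen wrappers ;
+;;;;;;;;;;;;;;;;;;
+allow_url_fopen = Off
+allow_url_include = Off
+default_socket_timeout = 60
+
+;;;;;;;;;;;;;;;;;;;
+; Module Settings ;
+;;;;;;;;;;;;;;;;;;;
+
+[CLI Server]
+; Whether the CLI web server uses ANSI color coding in its terminal output.
+cli_server.color = On
+
+[Date]
+; Defines the default timezone used by the date functions
+; http://php.net/date.timezone
+date.timezone = UTC
+
+[mail function]
+SMTP = localhost
+; http://php.net/smtp-port
+smtp_port = 25
+mail.add_x_header = Off
+
+[ODBC]
+odbc.allow_persistent = On
+odbc.check_persistent = On
+odbc.max_persistent = -1
+odbc.max_links = -1
+odbc.defaultlrl = 4096
+odbc.defaultbinmode = 1
+
+[PostgreSQL]
+; Allow or prevent persistent links.
+; http://php.net/pgsql.allow-persistent
+pgsql.allow_persistent = On
+
+; Detect broken persistent links always with pg_pconnect().
+; Auto reset feature requires a little overheads.
+; http://php.net/pgsql.auto-reset-persistent
+pgsql.auto_reset_persistent = Off
+
+; Maximum number of persistent links. -1 means no limit.
+; http://php.net/pgsql.max-persistent
+pgsql.max_persistent = -1
+
+; Maximum number of links (persistent+non persistent). -1 means no limit.
+; http://php.net/pgsql.max-links
+pgsql.max_links = -1
+
+; Ignore PostgreSQL backends Notice message or not.
+; Notice message logging require a little overheads.
+; http://php.net/pgsql.ignore-notice
+pgsql.ignore_notice = 0
+
+; Log PostgreSQL backends Notice message or not.
+; Unless pgsql.ignore_notice=0, module cannot log notice message.
+; http://php.net/pgsql.log-notice
+pgsql.log_notice = 0
+
+[bcmath]
+; Number of decimal digits for all bcmath functions.
+; http://php.net/bcmath.scale
+bcmath.scale = 0
+
+[Session]
+; Handler used to store/retrieve data.
+; http://php.net/session.save-handler
+session.save_handler = files
+session.use_cookies = 1
+session.use_only_cookies = 1
+session.name = PHPSESSID
+session.auto_start = 0
+session.cookie_lifetime = 0
+session.cookie_path = /
+session.cookie_domain =
+session.cookie_httponly =
+session.cookie_samesite =
+session.serialize_handler = php
+session.gc_probability = 1
+session.gc_divisor = 1000
+session.gc_maxlifetime = 1440
+session.referer_check =
+session.cache_limiter = nocache
+session.cache_expire = 180
+session.use_trans_sid = 0
+session.sid_length = 26
+session.trans_sid_tags = "a=href,area=href,frame=src,form="
+session.sid_bits_per_character = 5
+
+[Assertion]
+zend.assertions = -1
+
+[Tidy]
+tidy.clean_output = Off
+
+[soap]
+soap.wsdl_cache_enabled=1
+soap.wsdl_cache_dir="/tmp"
+soap.wsdl_cache_ttl=86400
+soap.wsdl_cache_limit = 5
+
+[ldap]
+; Sets the maximum number of open links or -1 for unlimited.
+ldap.max_links = -1
+
+[opcache]
+; Determines if Zend OPCache is enabled
+opcache.enable=1
+opcache.enable_cli=1
+opcache.interned_strings_buffer=8
+opcache.max_accelerated_files=10000
+opcache.memory_consumption=128
+opcache.save_comments=1
+opcache.revalidate_freq=1
+
+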
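Review bot: `upload_max_filesize = 2048M` is ineffective as written because `post_max_size = 8M` caps the whole request body first, so any upload above 8M is rejected before the upload limit is consulted; the two values should agree (`post_max_size` at least as large as the intended upload ceiling) or the upload limit should be brought down to what is really wanted. In the `[Session]` block `session.cookie_httponly =` and `session.cookie_samesite =` are left empty in a file that otherwise hardens defaults (`expose_php = Off`, `allow_url_fopen = Off`); `session.cookie_httponly = 1` and `session.cookie_samesite = Lax`, plus `session.cookie_secure = 1` given that every vhost in this commit redirects to HTTPS, are the defensive settings. `memory_limit = 2048M` is per worker and multiplies by php-fpm.conf's `pm.max_children = 5`; a comment on the sizing assumption would help whoever tunes the pool later.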
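--- a/default_configuration/php/php-fpm.conf
+++ b/default_configuration/php/php-fpm.conf
@@ -0,0 +1,29 @@
+;;;;;;;;;;;;;;;;;;;;;
+; FPM Configuration ;
+;;;;;;;;;;;;;;;;;;;;;
+[global]
+error_log = log/php-fpm.log
+;;;;;;;;;;;;;;;;;;;;
+; Pool Definitions ;
+;;;;;;;;;;;;;;;;;;;;
+include=/etc/php-fpm.d/*.conf
+[www]
+user = www
+group = www
+listen = /var/www/run/php-fpm.sock
+listen.owner = www
+listen.group = www
+listen.mode = 0660
+pm = dynamic
+pm.max_children = 5
+pm.start_servers = 2
+pm.min_spare_servers = 1
+pm.max_spare_servers = 3
+chroot = /var/www
+env[HOSTNAME] = $HOSTNAME
+env[PATH] = /usr/local/bin:/usr/bin:/bin
+env[TMP] = /tmp
+env[TMPDIR] = /tmp
+env[TEMP] = /tmp
+
+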
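--- a/default_configuration/postgresql/pg_hba.conf
+++ b/default_configuration/postgresql/pg_hba.conf
@@ -0,0 +1,18 @@
+# TYPE DATABASE USER ADDRESS METHOD
+
+
+local all postgres trust
+# "local" is for Unix domain socket connections only
+#local all all md5
+# IPv4 local connections:
+host all all 127.0.0.1/32 scram-sha-256
+
+
+# IPv6 local connections:
+host all all ::1/128 scram-sha-256
+# Allow replication connections from localhost, by a user with the
+# replication privilege.
+local replication all scram-sha-256
+host replication all 127.0.0.1/32 scram-sha-256
+host replication all ::1/128 scram-sha-256
+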
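Review bot: `local all postgres trust` lets any local OS account (including the `www` user php-fpm runs as and the `_pbuild` user pf.conf mentions) open a Unix-socket session as the `postgres` superuser with no authentication, which undoes the `scram-sha-256` used on every other line. `local all postgres peer` authenticates the socket peer's OS user instead; if the install scripts' `psql template1 postgres` calls run as root rather than as postgres, a `pg_ident.conf` map for that account keeps them working. The line is presumably there so the install scripts can bootstrap roles, so a comment stating that and when it should be tightened would help even if it stays.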
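--- a/default_configuration/pywallter/nginx.conf.sample
+++ b/default_configuration/pywallter/nginx.conf.sample
@@ -0,0 +1,47 @@
+server {
+listen 80;
+server_name __pywallter_domain__;
+
+#Ajout pour les certificats letsencrypt
+include snippets/acme-challenge.conf;
+
+return 301 https://$http_host$request_uri;
+
+root /html/;
+
+}
+
+server {
+listen 443 ssl http2;
+server_name __pywallter_domain__;
+
+
+ssl_certificate /etc/ssl/__pywallter_domain__.crt;
+ssl_certificate_key /etc/ssl/private/__pywallter_domain__.key;
+
+#Ajout d'une configuration ssl securise
+include snippets/secure-ssl.conf;
+
+# Speeds things up a little bit when resuming a session
+# ssl_session_timeout 5m;
+# ssl_session_cache shared:SSL:5m;
+
+# Ajout pour le certificat letsencrypt
+include snippets/acme-challenge.conf;
+
+# Ajout pour securiser les headers
+include snippets/secure-headers.conf;
+client_max_body_size 100M;
+
+location / {
+proxy_pass http://127.0.0.1:8000/;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Forwarded-Host $host;
+proxy_set_header X-Forwarded-Prefix /;
+}
+
+# Path to the root of your installation
+root /html/;
+
+}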
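Review bot: `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` in the `location /` block appends the connecting address to whatever X-Forwarded-For the client already sent, so the application on 127.0.0.1:8000 must treat only the right-most entry as trustworthy; a comment making that contract explicit, `# XFF is client-appendable: backend must use only the last (nginx-added) address`, would help whoever wires up the WSGI side. No `proxy_set_header Host $host;` is set, so the backend sees `127.0.0.1:8000` as Host unless it honours X-Forwarded-Host; if that is intentional a short comment saying so belongs next to the proxy_pass line.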
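--- a/default_configuration/pywallter/pywallter.rc
+++ b/default_configuration/pywallter/pywallter.rc
@@ -0,0 +1,16 @@
+#!/bin/ksh
+
+daemon="/usr/local/bin/python3"
+daemon_flags="wsgi.py"
+daemon_user="pywallter"
+location="/home/pywallter/pywallter"
+
+. /etc/rc.d/rc.subr
+
+rc_start() {
+${rcexec} "cd ${location}; ${daemon} ${daemon_flags}"
+}
+
+rc_bg=YES
+rc_cmd $1
+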
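--- a/default_configuration/xmpp/nginx.conf.sample
+++ b/default_configuration/xmpp/nginx.conf.sample
@@ -0,0 +1,59 @@
+server {
+listen 80;
+listen [::]:80;
+server_name upload.__XMPP_DOMAIN__ ;
+
+include snippets/acme-challenge.conf;
+
+return 301 https://$http_host$request_uri;
+
+access_log /var/log/upload.__DOMAIN__-access.log;
+error_log /var/log/upload.__DOMAIN__-error.log;
+}
+
+server {
+listen 443 ssl http2;
+listen [::]:443 ssl http2;
+server_name upload.__DOMAIN__;
+
+ssl_certificate /etc/ssl/upload.__DOMAIN__.crt;
+ssl_certificate_key /etc/ssl/private/upload.__DOMAIN__.key;
+root /xmpp-upload/;
+
+include snippets/secure-ssl.conf;
+
+include snippets/secure-headers.conf;
+#custom headers
+add_header 'Access-Control-Allow-Origin' '*';
+add_header 'Access-Control-Allow-Methods' 'HEAD, GET, PUT, OPTIONS';
+add_header 'Access-Control-Allow-Headers' 'Authorization';
+add_header 'Access-Control-Allow-Credentials' 'true';
+add_header x-robots-tag "noindex, follow";
+client_max_body_size 105M; # Choose a value a bit higher than the max upload configured in XMPP server
+
+# add_header Strict-Transport-Security " max-age=63072000; includeSubDomains; preload";
+
+
+include snippets/acme-challenge.conf;
+location ~ \.php(?:$|/) {
+fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+set $path_info $fastcgi_path_info;
+
+try_files $fastcgi_script_name =404;
+
+include fastcgi_params;
+fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+fastcgi_param PATH_INFO $path_info;
+fastcgi_param HTTPS on;
+
+fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice
+fastcgi_param front_controller_active true; # Enable pretty urls
+fastcgi_pass php-handler;
+
+fastcgi_intercept_errors on;
+fastcgi_request_buffering off;
+}
+
+access_log /var/log/upload.__DOMAIN__-access.log;
+error_log /var/log/upload.__DOMAIN__-error.log;
+}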
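Review bot: The port-80 server uses `server_name upload.__XMPP_DOMAIN__ ;` while every other placeholder in this file is `__DOMAIN__`, so a substitution of `__DOMAIN__` leaves the HTTP vhost with a literal `upload.__XMPP_DOMAIN__` name, the ACME challenge for the real host never matches it, and certificate issuance fails; it should read `server_name upload.__DOMAIN__;`. In the 443 server, `add_header 'Access-Control-Allow-Origin' '*'` together with `add_header 'Access-Control-Allow-Credentials' 'true'` is a combination browsers refuse for credentialed requests, and share.php in this commit already emits its own CORS headers, so one layer should own them and the other should drop them. The commented-out `Strict-Transport-Security` line is presumably covered by snippets/secure-headers.conf; a comment confirming that would stop someone from uncommenting it and sending the header twice.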
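--- a/default_configuration/xmpp/prosody.cfg.lua.example
+++ b/default_configuration/xmpp/prosody.cfg.lua.example
@@ -0,0 +1,132 @@
+---------- Server-wide settings ----------
+-- Settings in this section apply to the whole server and are the default settings
+-- for any virtual hosts
+
+-- This is a (by default, empty) list of accounts that are admins
+-- for the server. Note that you must create the accounts separately
+-- (see https://prosody.im/doc/creating_accounts for info)
+-- Example: admins = { "user1@example.com", "user2@example.net" }
+admins = { "admin@__DOMAIN__" }
+
+-- Drop privileges
+prosody_user = "_prosody"
+prosody_group = "_prosody"
+
+-- Enable POSIX-only options
+pidfile = "/var/prosody/prosody.pid"
+
+-- Enable use of libevent for better performance under high load
+-- For more information see: https://prosody.im/doc/libevent
+--use_libevent = true
+
+-- Prosody will always look in its source directory for modules, but
+-- this option allows you to specify additional locations where Prosody
+-- will look for modules first. For community modules, see https://modules.prosody.im/
+plugin_paths = { "/var/prosody/plugins" }
+
+-- This is the list of modules Prosody will load on startup.
+-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
+-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
+modules_enabled = {
+
+-- Generally required
+"roster"; -- Allow users to have a roster. Recommended ;)
+"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+"tls"; -- Add support for secure TLS on c2s/s2s connections
+"dialback"; -- s2s dialback support
+"disco"; -- Service discovery
+
+-- Not essential, but recommended
+"carbons"; -- Keep multiple clients in sync
+"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
+"bidi";
+"private"; -- Private XML storage (for room bookmarks, etc.)
+"blocklist"; -- Allow users to block communications with other users
+"vcard4"; -- User profiles (stored in PEP)
+--"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
+"limits"; -- Enable bandwidth limiting for XMPP connections
+"smacks";
+-- Nice to have
+"version"; -- Replies to server version requests
+"uptime"; -- Report how long server has been running
+"time"; -- Let others know the time here on this server
+"ping"; -- Replies to XMPP pings with pongs
+-- "register"; -- Allow users to register on this server using a client and change passwords
+"mam"; -- Store messages in an archive and allow users to access it
+"csi_simple"; -- Simple Mobile optimizations
+
+-- HTTP modules
+"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
+"websocket"; -- XMPP over WebSockets
+"http_files"; -- Serve static files from a directory over HTTP
+
+-- Other specific functionality
+"groups"; -- Shared roster support
+"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
+
+-- cloud notify
+"cloud_notify";
+"cloud_notify_extensions";
+}
+
+
+modules_disabled = {
+}
+
+allow_registration = false
+
+-- Force clients to use encrypted connections? This option will
+-- prevent clients from authenticating unless they are using encryption.
+
+c2s_require_encryption = true
+
+-- Force servers to use encrypted connections? This option will
+-- prevent servers from authenticating unless they are using encryption.
+
+s2s_require_encryption = true
+
+-- Force certificate authentication for server-to-server connections?
+
+s2s_secure_auth = false
+
+-- Enable rate limits for incoming client and server connections
+
+limits = {
+c2s = {
+rate = "100kb/s";
+};
+s2sin = {
+rate = "300kb/s";
+};
+}
+
+-- Select the authentication backend to use. The 'internal' providers
+-- use Prosody's configured data storage to store the authentication data.
+
+authentication = "internal_hashed"
+
+-- Archiving configuration
+archive_expires_after = "1w" -- Remove archived messages after 1 week
+
+-- You can also configure messages to be stored in-memory only. For more
+-- archiving options, see https://prosody.im/doc/modules/mod_mam
+
+-- Logging configuration
+-- For advanced logging see https://prosody.im/doc/logging
+log = {
+info = "/var/prosody/prosody.log"; -- Change 'info' to 'debug' for verbose logging
+error = "/var/prosody/prosody.err";
+}
+
+-- Location of directory to find certificates in (relative to main config file):
+certificates = "/var/prosody/"
+
+
+-- WebSocket configuration (mod_websocket)
+consider_websocket_secure = true
+
+
+------ Components ------
+-- You can specify components to add hosts that provide special services,
+-- like multi-user conferences, and transports.
+include "virtualHosts/*.conf"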
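Review bot: `s2s_secure_auth = false` means remote servers are encrypted but not certificate-authenticated (dialback is accepted instead), which undercuts the `s2s_require_encryption = true` two lines above it; for an example that already sets `c2s_require_encryption = true` and `allow_registration = false`, `s2s_secure_auth = true` with `s2s_insecure_domains` listing the known exceptions is the consistent default, or the comment above it should say why it is left off. `consider_websocket_secure = true` is only correct when TLS is terminated in front of Prosody, which nothing in this file establishes; a comment stating that assumption next to it would help. `"version"` and `"uptime"` answer anyone's queries with the server version and uptime — harmless on a personal server, but worth a comment given how hardened the rest of the file is.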
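--- a/default_configuration/xmpp/share.php.sample
+++ b/default_configuration/xmpp/share.php.sample
@@ -0,0 +1,141 @@
+<?php
+
+/*
+PHP script to handle file uploads and downloads for Prosody's mod_http_upload_external
+
+Tested with Apache 2.2+ and PHP 5.3+
+
+** Why this script?
+
+This script only allows uploads that have been authorized by mod_http_upload_external. It
+attempts to make the upload/download as safe as possible, considering that there are *many*
+security concerns involved with allowing arbitrary file upload/download on a web server.
+
+With that said, I do not consider myself a PHP developer, and at the time of writing, this
+code has had no external review. Use it at your own risk. I make no claims that this code
+is secure.
+
+** How to use?
+
+Drop this file somewhere it will be served by your web server. Edit the config options below.
+
+In Prosody set:
+
+http_upload_external_base_url = "https://your.example.com/path/to/share.php/"
+http_upload_external_secret = "this is your secret string"
+
+** License
+
+(C) 2016 Matthew Wild <mwild1@gmail.com>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software
+and associated documentation files (the "Software"), to deal in the Software without restriction,
+including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense,
+and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so,
+subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial
+portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING
+BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
+DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+*/
+
+/*\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\*/
+/* CONFIGURATION OPTIONS */
+/*\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\*/
+
+/* Change this to a directory that is writable by your web server, but is outside your web root */
+$CONFIG_STORE_DIR = '/xmpp-upload/__DOMAIN__/upload';
+
+/* This must be the same as 'http_upload_external_secret' that you set in Prosody's config file */
+$CONFIG_SECRET = "__xmpp_passphrase_for_filesuploads__" ;
+
+/* For people who need options to tweak that they don't understand... here you are */
+$CONFIG_CHUNK_SIZE = 4096;
+
+/*\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\*/
+/* END OF CONFIGURATION */
+/*\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\*/
+
+/* Do not edit below this line unless you know what you are doing (spoiler: nobody does) */
+
+$upload_file_name = substr($_SERVER['PHP_SELF'], strlen($_SERVER['SCRIPT_NAME'])+1);
+$store_file_name = $CONFIG_STORE_DIR . '/store-' . hash('sha256', $upload_file_name);
+
+$request_method = $_SERVER['REQUEST_METHOD'];
+
+/* Set CORS headers */
+header('Access-Control-Allow-Methods: GET, PUT, OPTIONS');
+header('Access-Control-Allow-Headers: Content-Type');
+header('Access-Control-Max-Age: 7200');
+header('Access-Control-Allow-Origin: *');
+
+if(array_key_exists('v', $_GET) === TRUE && $request_method === 'PUT') {
+$upload_file_size = $_SERVER['CONTENT_LENGTH'];
+$upload_token = $_GET['v'];
+
+$calculated_token = hash_hmac('sha256', "$upload_file_name $upload_file_size", $CONFIG_SECRET);
+if(function_exists('hash_equals')) {
+if(hash_equals($calculated_token, $upload_token) !== TRUE) {
+error_log("Token mismatch: calculated $calculated_token got $upload_token");
+header('HTTP/1.0 403 Forbidden');
+exit;
+}
+}
+else {
+if($upload_token !== $calculated_token) {
+error_log("Token mismatch: calculated $calculated_token got $upload_token");
+header('HTTP/1.0 403 Forbidden');
+exit;
+}
+}
+/* Open a file for writing */
+$store_file = fopen($store_file_name, 'x');
+
+if($store_file === FALSE) {
+header('HTTP/1.0 409 Conflict');
+exit;
+}
+
+/* PUT data comes in on the stdin stream */
+$incoming_data = fopen('php://input', 'r');
+
+/* Read the data a chunk at a time and write to the file */
+while ($data = fread($incoming_data, $CONFIG_CHUNK_SIZE)) {
+fwrite($store_file, $data);
+}
+
+/* Close the streams */
+fclose($incoming_data);
+fclose($store_file);
+
+// https://xmpp.org/extensions/xep-0363.html#upload
+// A HTTP status Code of 201 means that the server is now ready to serve the file via the provided GET URL.
+header('HTTP/1.0 201 Created');
+exit;
+} else if($request_method === 'GET' || $request_method === 'HEAD') {
+// Send file (using X-Sendfile would be nice here...)
+if(file_exists($store_file_name)) {
+header('Content-Disposition: attachment');
+header('Content-Type: application/octet-stream');
+header('Content-Length: '.filesize($store_file_name));
+header("Content-Security-Policy: \"default-src 'none'\"");
+header("X-Content-Security-Policy: \"default-src 'none'\"");
+header("X-WebKit-CSP: \"default-src 'none'\"");
+if($request_method !== 'HEAD') {
+readfile($store_file_name);
+}
+} else {
+header('HTTP/1.0 404 Not Found');
+}
+} else if($request_method === 'OPTIONS') {
+} else {
+header('HTTP/1.0 400 Bad Request');
+}
+
+exit;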
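Review bot: The PUT branch authorizes `"$upload_file_name $upload_file_size"` through the HMAC but never checks that the bytes actually stored match `$upload_file_size` (taken from `$_SERVER['CONTENT_LENGTH']`), so a token issued for a small file accepts an arbitrarily large body; count the bytes in the `fread` loop and discard the store file when the total differs from the declared size, as sketched below. The two `error_log("Token mismatch: calculated $calculated_token got $upload_token")` lines write the valid HMAC for that name/size pair into the web server log, which turns read access to the log into upload authorization; logging only the fact of the rejection (and at most the received token) is enough for debugging. The header says this is the upstream sample script with no external review; a comment recording where it was copied from would make it easier to pick up fixes later.
```php
/* Read the data a chunk at a time and write to the file */
$bytes_written = 0;
while ($data = fread($incoming_data, $CONFIG_CHUNK_SIZE)) {
    fwrite($store_file, $data);
    $bytes_written += strlen($data);
}

/* Close the streams */
fclose($incoming_data);
fclose($store_file);

/* The token only authorized $upload_file_size bytes; anything else is rejected */
if ($bytes_written != (int)$upload_file_size) {
    unlink($store_file_name);
    header('HTTP/1.0 400 Bad Request');
    exit;
}
// … unchanged: 201 Created response …
```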
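--- a/default_configuration/xmpp/virtualHosts/example.com.conf
+++ b/default_configuration/xmpp/virtualHosts/example.com.conf
@@ -0,0 +1,100 @@
+VirtualHost "__DOMAIN__"
+enable = true
+
+
+ssl = {
+key = "/etc/prosody/certs/__DOMAIN__.key";
+certificate = "/etc/prosody/certs/__DOMAIN__.crt";
+-- Configuration Avancée
+protocol = "tlsv1_2+";
+dhparam = "/etc/prosody/certs/dh-2048.pem";
+ciphers = "HIGH+kEECDH:!RSA:!SRP:!PSK:!3DES:!aNULL";
+options = { cipher_server_preference = true, no_compression = true, cipher_server_preference = true };
+
+}
+archive_expires_after = "15d";
+
+-- Discovery items
+disco_items = {
+{ "muc.__DOMAIN__" },
+{ "pubsub.__DOMAIN__" },
+{ "upload.__DOMAIN__" },
+};
+
+contact_info = {
+abuse = { "mailto:abuse@__DOMAIN__", "xmpp:admin@__DOMAIN__" };
+admin = { "mailto:root@$__DOMAIN__", "xmpp:admin@__DOMAIN__" };
+};
+
+-- BOSH configuration (mod_bosh)
+consider_bosh_secure = true
+cross_domain_bosh = true
+
+bosh_ports = {
+{
+port = 5280;
+path = "http-bind";
+},
+{
+port = 5281;
+path = "http-bind";
+ssl = {
+certificate = "/etc/prosody/certs/__DOMAIN__.crt";
+key = "/etc/prosody/certs/__DOMAIN__.key";
+}
+}
+}
+http_ports = { 5280 }
+http_interfaces = { "localhost" }
+
+https_ports = { 5281 }
+https_interfaces = { "localhost" }
+
+https_ssl = {
+certificate = "/etc/prosody/certs/__DOMAIN__.crt";
+key = "/etc/prosody/certs/__DOMAIN__.key";
+}
+
+
+
+------ Components ------
+-- You can specify components to add hosts that provide special services,
+-- like multi-user conferences, and transports.
+
+--Component "proxy.__DOMAIN__" "proxy65"
+-- proxy65_address = ""
+-- proxy65_acl = { "" }
+
+Component "muc.__DOMAIN__" "muc"
+name = "__DOMAIN__ Chatrooms"
+
+modules_enabled = {
+"muc_mam";
+"muc_limits";
+"muc_log";
+"vcard_muc";
+}
+
+muc_log_by_default = true
+muc_log_presences = false
+log_all_rooms = false
+muc_log_expires_after = "1w"
+muc_log_cleanup_interval = 4 * 60 * 60
+
+muc_event_rate = 0.5
+muc_burst_factor = 10
+room_default_config = {
+logging = true,
+persistent = true
+};
+
+
+---Set up a PubSub server
+Component "pubsub.__DOMAIN__" "pubsub"
+name = "__DOMAIN__ Publish/Subscribe"
+unrestricted_node_creation = true -- Anyone can create a PubSub node (from any server)
+---Set up a HTTP Upload service
+Component "upload.__DOMAIN__" "http_upload_external"
+name = "__DOMAIN__ Sharing Service"
+http_upload_external_base_url = "https://upload.__DOMAIN__/share.php/"
+http_upload_external_secret = "__xmpp_passphrase_for_filesuploads__"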
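Review bot: `admin = { "mailto:root@$__DOMAIN__", "xmpp:admin@__DOMAIN__" };` has a stray `$` in front of the placeholder, so after substitution the advertised contact reads `root@$example.com`; it should be `"mailto:root@__DOMAIN__"` like the abuse entry above it. In the `ssl` block `cipher_server_preference = true` appears twice inside `options`, which is harmless but looks like a leftover from a dropped option. `unrestricted_node_creation = true` on the pubsub component lets any account on any federated server create nodes, as its own comment says; for a single-domain deployment the safer default is to leave it unset so only local users can, or to add a comment explaining why it is open. `archive_expires_after = "15d";` here overrides the server-wide `"1w"` in prosody.cfg.lua.example — a comment noting that the longer retention is deliberate would help.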
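--- a/install_dolibarr.sh
+++ b/install_dolibarr.sh
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+. ./myserver.conf
+
+configure_nginx_service(){
+cp default_configuration/dolibarr/nginx.conf.sample my_configuration/dolibarr/nginx.conf
+sed -i "s/__dolibarr_domain__/$dolibarr_domain/g" my_configuration/dolibarr/nginx.conf
+}
+
+install_configuration_files_dolibarr(){
+cp my_configuration/nextcloud/nginx.conf /etc/nginx/sites-available/$dolibarr_domain
+ln -s /etc/nginx/sites-available/$dolibarr_domain /etc/nginx/sites-enabled/$dolibarr_domain
+
+}
+
+configure_nginx_service
+install_configuration_files_dolibarr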
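Review bot: `install_configuration_files_dolibarr` copies `my_configuration/nextcloud/nginx.conf` into the Dolibarr vhost, so the file `configure_nginx_service` just generated is never installed and the Nextcloud site is served under `$dolibarr_domain`; the line should be `cp my_configuration/dolibarr/nginx.conf "/etc/nginx/sites-available/$dolibarr_domain"`. `configure_nginx_service` also writes into `my_configuration/dolibarr/` without creating it (install_nextcloud.sh does `mkdir my_configuration/nextcloud` first), so `cp` fails on a fresh checkout and `sed -i` then edits a missing file; add `mkdir -p my_configuration/dolibarr` before the copy. `$dolibarr_domain` is unquoted in every command and spliced unescaped into the `sed` expression, so a value containing `/` or `&` corrupts the vhost; quote the expansions and pick a sed delimiter that cannot appear in a hostname, e.g. `sed -i "s|__dolibarr_domain__|$dolibarr_domain|g"`.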
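--- a/install_nextcloud.sh
+++ b/install_nextcloud.sh
@@ -0,0 +1,92 @@
+#!/bin/sh
+
+. ./utils.sh
+. ./myserver.conf
+
+install_package_nextcloud()
+{
+pkg_add php-bz2-8.0.26 php-curl-8.0.26 php-gd-8.0.26 php-gmp-8.0.26 \
+php-intl-8.0.26 php-pdo_pgsql-8.0.26 php-zip-8.0.26 \
+pecl80-imagick-3.7.0p1 pecl80-redis-5.3.7p0 \
+nextcloud-24.0.5
+}
+
+enable_nextlcoud_php_modules(){
+#enable modules
+ln -s /etc/php-8.0.sample/gd.ini /etc/php-8.0/gd.ini
+ln -s /etc/php-8.0.sample/imagick.ini /etc/php-8.0/imagick.ini
+ln -s /etc/php-8.0.sample/opcache.ini /etc/php-8.0/opcache.ini
+ln -s /etc/php-8.0.sample/curl.ini /etc/php-8.0/curl.ini
+ln -s /etc/php-8.0.sample/gmp.ini /etc/php-8.0/gmp.ini
+ln -s /etc/php-8.0.sample/intl.ini /etc/php-8.0/intl.ini
+ln -s /etc/php-8.0.sample/redis.ini /etc/php-8.0/redis.ini
+ln -s /etc/php-8.0.sample/bz2.ini /etc/php-8.0/bz2.ini
+ln -s /etc/php-8.0.sample/zip.ini /etc/php-8.0/zip.ini
+ln -s /etc/php-8.0.sample/pdo_pgsql.ini /etc/php-8.0/pdo_pgsql.ini
+restart_php_service
+}
+
+configure_nginx_service(){
+cp default_configuration/nextcloud/nginx.conf.sample my_configuration/nextcloud/nginx.conf
+sed -i "s/__nextcloud_domain__/$nextcloud_domain/g" my_configuration/nextcloud/nginx.conf
+}
+
+create_nextcloud_db(){
+psql template1 postgres -c "CREATE USER $nextcloud_db_user WITH PASSWORD '$nextcloud_db_pass' CREATEDB ;"
+psql template1 postgres -c "CREATE DATABASE $nextcloud_db_name TEMPLATE template1 ENCODING 'UTF8' ;"
+psql template1 postgres -c "GRANT ALL PRIVILEGES ON DATABASE $nextcloud_db_name TO $nextcloud_db_user ;"
+psql template1 postgres -c "GRANT ALL PRIVILEGES ON SCHEMA public TO $nextcloud_db_user ;"
+}
+
+
+install_configuration_files_nextcloud(){
+cp my_configuration/nextcloud/nginx.conf /etc/nginx/sites-available/$nextcloud_domain
+ln -s /etc/nginx/sites-available/$nextcloud_domain /etc/nginx/sites-enabled/$nextcloud_domain
+
+}
+
+check_services_for_nextlcoud()
+{
+check_webserver_service
+check_redis_service
+check_php_service
+check_postgresql_service
+}
+
+install_nextcloud(){
+cp -v my_configuration/nextcloud/custom.config.php /var/www/nextcloud/config/
+cd /var/www/nextcloud
+touch config/CAN_INSTALL
+rm config/config.php
+su -m www -c "./occ maintenance:install --database pgsql \
+--database-name $nextcloud_db_name --database-host localhost --database-user $nextcloud_db_user\
+--database-pass $nextcloud_db_pass --admin-user $nextcloud_admin --admin-pass $nextcloud_admin_password"
+su -m www -c "./occ config:system:set datadirectory --value=/nextcloud/data"
+su -m www -c "./occ config:system:set overwrite.cli.url --value=https://$nextcloud_domain"
+su -m www -c "./occ config:system:set trusted_domains 0 --value=$nextcloud_domain"
+su -m www -c "./occ config:system:set default_phone_region --value=fr"
+su -m www -c "./occ config:system:set mail_from_address --value=nextcloud"
+su -m www -c "./occ config:system:set mail_smtpmode --value=smtp"
+su -m www -c "./occ config:system:set mail_sendmailmode --value=smtp"
+su -m www -c "./occ config:system:set mail_domain --value=$DOMAIN"
+su -m www -c "./occ config:system:set mail_smtphost --value=$DOMAIN"
+su -m www -c "./occ config:system:set mail_smtpport --value=25"
+su -m www -c "./occ config:system:set memcache.local --value='\\OC\\Memcache\\Redis'"
+su -m www -c "./occ config:system:set memcache.locking --value='\\OC\\Memcache\\Redis'"
+su -m www -c "./occ config:system:set redis host --value=127.0.0.1"
+su -m www -c "./occ config:system:set redis port --value=6379"
+echo '*/5 * * * * su -m www -c "/usr/local/bin/php-8.0 -f /var/www/nextcloud/cron.php"' >> \
+/var/cron/tabs/root
+
+}
+
+
+mkdir my_configuration/nextcloud
+check_services_for_nextlcoud
+install_package_nextcloud
+enable_nextlcoud_php_modules
+configure_nginx_service
+create_nextcloud_db
+install_configuration_files_nextcloud
+install_nextcloud
+restart_webserver_service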
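Review bot: `cd /var/www/nextcloud` in `install_nextcloud` is unchecked and the script never sets `set -e`, so when the package path is missing the following `rm config/config.php` and every `su -m www -c "./occ ..."` run from whatever directory the script was started in; write `cd /var/www/nextcloud || exit 1`. The database and admin passwords travel on the command line of `psql -c "CREATE USER ... WITH PASSWORD '$nextcloud_db_pass' ..."` and of `su -m www -c "./occ maintenance:install ... --database-pass $nextcloud_db_pass ... --admin-pass $nextcloud_admin_password"`, which on most systems is readable by every local account through `ps` for as long as the command runs; piping the SQL into `psql -f -` keeps the first off the process list, and whether occ can take the secrets from stdin or the environment is worth checking before relying on argv. The same line also grants `CREATEDB` to the application role, which Nextcloud does not need once its database exists, and the `echo ... >> /var/cron/tabs/root` bypasses `crontab` (cron only rereads the file when its mtime changes and `crontab -` is the supported way to update it), so `crontab -l | { cat; echo '...'; } | crontab -` is the safer idiom.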
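--- a/install_nginx_service.sh
+++ b/install_nginx_service.sh
@@ -0,0 +1,152 @@
+#!/bin/sh
+
+. ./myserver.conf
+. ./utils.sh
+
+install_nginx_package()
+{
+pkg_add nginx-1.22.0p0 nginx-headers-more-1.22.0 nginx-stream-1.22.0
+}
+
+gen_nginx_configuration()
+{
+cat > my_configuration/nginx/nginx.conf <<EOF
+user www;
+worker_processes auto;
+pid /var/www/run/nginx.pid;
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+worker_connections 768;
+# multi_accept on;
+}
+
+http {
+
+##
+# Basic Settings
+##
+
+sendfile on;
+tcp_nopush on;
+tcp_nodelay on;
+keepalive_timeout 65;
+types_hash_max_size 2048;
+# server_tokens off;
+
+include /etc/nginx/mime.types;
+default_type application/octet-stream;
+
+##
+# SSL Settings
+##
+
+ssl_protocols TLSv1.2; # Dropping SSLv3, ref: POODLE
+ssl_prefer_server_ciphers on;
+
+##
+# Logging Settings
+##
+
+access_log /var/www/logsnginx/access.log;
+error_log /var/www/logs/nginx/error.log;
+
+##
+# Gzip Settings
+##
+
+gzip on;
+##
+# Virtual Host Configs
+##
+
+include /etc/nginx/sites-enabled/*;
+}
+EOF
+
+openssl dhparam -out default_configuration/nginx/dhparam.pem 2048
+
+}
+
+
+
+make_default_homepage()
+{
+cat > my_configuration/nginx/site-available/$DOMAIN <<EOF
+server {
+listen 80;
+server_name $DOMAIN;
+
+#Ajout pour les certificats letsencrypt
+include snippets/acme-challenge.conf;
+
+return 301 https://$http_host$request_uri;
+
+root /html/$DOMAIN;
+
+}
+
+server {
+listen 443 ssl http2;
+server_name $DOMAIN;
+
+
+ssl_certificate /etc/ssl/$DOMAIN.crt;
+ssl_certificate_key /etc/ssl/private/$DOMAIN.key;
+
+#Ajout d'une configuration ssl securise
+include snippets/secure-ssl.conf;
+
+# Speeds things up a little bit when resuming a session
+# ssl_session_timeout 5m;
+# ssl_session_cache shared:SSL:5m;
+
+# Ajout pour le certificat letsencrypt
+include snippets/acme-challenge.conf;
+
+# Ajout pour securiser les headers
+include snippets/secure-headers.conf;
+}
+
+# Path to the root of your installation
+root /html/$DOMAIN;
+
+}
+EOF
+
+}
+
+install_nginx_configuration(){
+mkdir /etc/nginx/sites-enabled/
+mkdir /etc/nginx/sites-available/
+mkdir /etc/nginx/snippets/
+cp my_configuration/nginx/nginx.conf /etc/nginx/nginx.conf
+cp my_configuration/nginx/dhparam.pem /etc/nginx/dhparam.pem
+cp my_configuration/nginx/snippets/* /etc/nginx/snippets/
+}
+
+install_chroot_env()
+{
+mkdir /var/www/etc/ssl/
+install -m 444 -o root -g bin /etc/resolv.conf /var/www/etc/
+install -m 444 -o root -g bin /etc/ssl/cert.pem /etc/ssl/openssl.cnf /var/www/etc/ssl/
+
+}
+
+add_logs_to_newssyslog(){
+cp -v /etc/newsyslog.conf /etc/newsyslog.conf.old
+egrep -v "nginx" /etc/newsyslog.conf > /tmp/newsyslog.conf
+cat >> /tmp/newsyslog.conf <<EOF
+/var/www/logs/access.log 644 2 * \$W0 Z /var/www/run/nginx.pid SIGUSR1
+/var/www/logs/error.log 644 2 250 * Z /var/www/run/nginx.pid SIGUSR1
+
+EOF
+mv /tmp/newsyslog.conf /etc/newsyslog.conf
+}
+
+mkdir my_configuration/nginx/
+install_nginx_package
+gen_nginx_configuration
+install_chroot_env
+install_nginx_configuration
+restart_webserver_service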
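Review bot: `gen_nginx_configuration` writes the DH parameters to `default_configuration/nginx/dhparam.pem`, but `install_nginx_configuration` copies `my_configuration/nginx/dhparam.pem`, so the install step copies a file that was never generated and, with no `set -e`, the script carries on without it; change the line to `openssl dhparam -out my_configuration/nginx/dhparam.pem 2048`. In `make_default_homepage` the here-doc delimiter is unquoted, so `$http_host$request_uri` is expanded by the shell (to empty) and the redirect becomes `return 301 https://;`; escape it as `\$http_host\$request_uri` the way `\$W0` is escaped in `add_logs_to_newssyslog`. The `access_log /var/www/logsnginx/access.log;` path looks like a typo for `/var/www/logs/nginx/access.log` and also does not match the paths that the newsyslog entries rotate. Leaving `# server_tokens off;` commented keeps the nginx version in every response; enabling it is cheap hardening.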
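--- a/install_php.sh
+++ b/install_php.sh
@@ -0,0 +1,59 @@
+#!/bin/sh
+
+install_php_package()
+{
+pkg_add php-8.0.26
+}
+
+gen_php_configuration(){
+cat > my_configuration/php/php-fpm.conf <<EOF
+;;;;;;;;;;;;;;;;;;;;;
+; FPM Configuration ;
+;;;;;;;;;;;;;;;;;;;;;
+[global]
+error_log = log/php-fpm.log
+;;;;;;;;;;;;;;;;;;;;
+; Pool Definitions ;
+;;;;;;;;;;;;;;;;;;;;
+include=/etc/php-fpm.d/*.conf
+[www]
+user = www
+group = www
+listen = /var/www/run/php-fpm.sock
+listen.owner = www
+listen.group = www
+listen.mode = 0660
+pm = dynamic
+pm.max_children = 5
+pm.start_servers = 2
+pm.min_spare_servers = 1
+pm.max_spare_servers = 3
+chroot = /var/www
+env[HOSTNAME] = \$HOSTNAME
+env[PATH] = /usr/local/bin:/usr/bin:/bin
+env[TMP] = /tmp
+env[TMPDIR] = /tmp
+env[TEMP] = /tmp
+
+
+EOF
+
+}
+
+install_configurations_files()
+{
+cp -v /etc/php-fpm.conf /etc/php-fpm.conf.old
+cp -v my_configuration/php/php-fpm.conf /etc/php-fpm.conf
+}
+
+
+start_php_service()
+{
+rcctl start php80_fpm
+}
+
+mkdir my_configuration/php/
+install_php_package
+gen_php_configuration
+install_configurations_files
+start_php_service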
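Review bot: The top-level `mkdir my_configuration/php/` (and the matching `mkdir my_configuration/...` lines in install_nginx_service.sh, install_postgresql_service.sh, install_pywallter.sh and install_xmpp_service.sh) fails on a second run because the directory already exists, and since none of these scripts set `set -e`, the following `cat >` and `cp` steps still run; use `mkdir -p -- my_configuration/php/` or add `set -e` after the shebang. `install_configurations_files` overwrites `/etc/php-fpm.conf` without checking that the backup copy succeeded; `cp -v /etc/php-fpm.conf /etc/php-fpm.conf.old || exit 1` keeps the original recoverable. A one-line header stating that the script must run as root and from the repository root (it uses relative `my_configuration/` paths) would help, e.g. `# Run as root from the repository root: installs php-fpm and its chrooted pool config`.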
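--- a/install_postgresql_service.sh
+++ b/install_postgresql_service.sh
@@ -0,0 +1,47 @@
+#!/bin/sh
+
+install_postresql_packages()
+{
+pkg_add postgresql-client-14.5 postgresql-server-14.5
+}
+
+configure_postgresql_service()
+{
+cat > my_configuration/postgresql/pg_hba.conf <<EOF
+# TYPE DATABASE USER ADDRESS METHOD
+
+local all postgres trust
+# "local" is for Unix domain socket connections only
+#local all all md5
+# IPv4 local connections:
+host all all 127.0.0.1/32 md5
+
+
+# IPv6 local connections:
+host all all ::1/128 md5
+# Allow replication connections from localhost, by a user with the
+# replication privilege.
+local replication all md5
+host replication all 127.0.0.1/32 md5
+host replication all ::1/128 md5
+
+EOF
+su -m _postgresql -c "mkdir /var/postgresql/data"
+echo $postgresql_root_password > /tmp/passwordpsql.txt
+su -m _postgresql -c "initdb -D /var/postgresql/data -U postgres -A md5 -E UTF8 --pwfile=/tmp/passwordpsql.txt"
+rm /tmp/passwordpsql.txt
+}
+
+install_postgresql_configurations_files(){
+cp -v my_configuration/postgresql/pg_hba.conf /var/postgresql/data/pg_hba.conf
+}
+
+start_postgresql_service(){
+rcctl start postgresql
+}
+
+mkdir my_configuration/postgresql/
+#install_postresql_packages
+configure_postgresql_service
+install_postgresql_configurations_files
+start_postgresql_service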
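Review bot: `configure_postgresql_service` reads `$postgresql_root_password`, but this script never sources `./myserver.conf` (the other install scripts do) and the variable defined there is spelled `postresql_root_password`, so `/tmp/passwordpsql.txt` is written empty and `initdb --pwfile` gets no password. Add `. ./myserver.conf` after the shebang and align the variable name between the two files. The password file also has a predictable path in `/tmp` and is created with root's umask while `_postgresql` must read it; create it with `mktemp`, `chown _postgresql` and `chmod 600` it before `initdb`, and remove it on every exit path with `trap`. Note that `local all postgres trust` in the generated pg_hba.conf lets any local account that can reach the socket log in as the superuser without a password; `peer` (with a pg_ident mapping for `_postgresql`) restricts that to the service account.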
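--- a/install_pywallter.sh
+++ b/install_pywallter.sh
@@ -0,0 +1,64 @@
+#!/bin/sh
+
+. ./myserver.conf
+
+install_pywallter_pkg(){
+pkg_add py3-werkzeug py3-jinja2 py3-Pillow py3-wtforms py3-flask-wtf py3-flask \
+py3-bcrypt py3-markdown py3-gevent py3-zopeinterface py3-pip
+pip install flask-bcrypt
+}
+
+install_pywallter_app(){
+orig_path=`pwd`
+useradd -s /sbin/nologin -d /home/pywallter -m pywallter;
+cd /home/pywallter;
+su -m pywallter -c "git clone https://kitoy.me/git/kitoy/pywallter"
+cp -v ./pywallter/scripts/set_mail_alias /usr/local/bin/
+cp -v ./pywallter/scripts/set_mail_passwd /usr/local/bin/
+
+touch /etc/mail/reserved
+cd $orig_path
+}
+
+gen_pywallter_configuration_app(){
+cat > my_configuration/pywallter/config.py <<EOF
+BASE_URL="https://$pywallter_domain/"
+SECRET_KEY="$pywallter_secret_key"
+DOSSIER_APP = "./users/"
+DATABASE = "./base.db"
+EXT_IMG= {'.jpg', '.JPG', '.png', '.PNG', '.gif', '.GIF', '.bmp', '.BMP', '.jpeg', '.JPEG' }
+SIGNIN_ENABLE = True
+XMPP_SERVER = True
+MAIL_SERVER = True
+SETUID='doas'
+EOF
+
+}
+
+
+gen_nginx_pywallter_app(){
+cp -v default_configuration/pywallter/nginx.conf.sample my_configuration/pywallter/nginx.conf
+sed -i "s/__pywallter_domain__/$pywallter_domain/g" my_configuration/pywallter/nginx.conf
+}
+
+install_pywallter_configuration_files(){
+cp -v my_configuration/pywallter/config.py /home/pywallter/pywallter/
+cp -v /home/pywallter/pywallter/scripts/etc/mailconfig /etc/
+cp -v my_configuration/pywallter/nginx.conf /etc/nginx/sites-available/$pywallter_domain
+ln -s /etc/nginx/sites-available/$pywallter_domain /etc/nginx/sites-enabled/$pywallter_domain
+cp -v default_configuration/pywallter/pywallter.rc /etc/rc.d/pywallter
+cp -v /etc/doas.conf /etc/doas.conf.old
+egrep -v "pywallter" /etc/doas.conf > /tmp/doas.conf
+cat >> /tmp/doas.conf <<EOF
+permit nopass pywallter as root cmd set_mail_alias
+permit nopass pywallter as root cmd set_mail_passwd
+permit nopass pywallter as root cmd prosodyctl
+EOF
+mv /tmp/doas.conf /etc/doas/conf
+}
+
+mkdir my_configuration/pywallter/
+gen_pywallter_configuration_app
+gen_nginx_pywallter_app
+install_pywallter_app
+install_pywallter_configuration_files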
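Review bot: `install_pywallter_configuration_files` ends with `mv /tmp/doas.conf /etc/doas/conf`, which is not the file the function backs up and filters (`/etc/doas.conf`), so the three `permit nopass pywallter ... as root` rules are never installed and the live `doas.conf` is left untouched; it should read `mv /tmp/doas.conf /etc/doas.conf`. Because this file grants root, the rewrite should go through a `mktemp` file rather than the fixed `/tmp/doas.conf`, and `doas -C` on the candidate file can validate it before it replaces the live one. In `install_pywallter_app`, `cd /home/pywallter;` is unchecked; if it fails, the `git clone` and the `cp -v ./pywallter/scripts/...` lines run against whatever the current directory is, so `cd /home/pywallter || exit 1`. `orig_path=\`pwd\`` and `cd $orig_path` are unquoted; a path containing spaces breaks the final `cd`.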
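--- a/install_xmpp_service.sh
+++ b/install_xmpp_service.sh
@@ -0,0 +1,99 @@
+#!/bin/sh
+
+. ./myserver.conf
+
+
+install_prosody_package(){
+
+pkg_add prosody
+ln -sf /usr/local/bin/luarocks-5.3 /usr/local/bin/luarocks
+ln -sf /usr/local/bin/luarocks-admin-5.3 /usr/local/bin/luarocks-admin
+
+}
+
+gen_prosody_configuration(){
+
+cp -v default_configuration/xmpp/prosody.cfg.lua.example default_configuration/xmpp/prosody.cfg.lua
+sed -i "s/__DOMAIN__/$DOMAIN/g" default_configuration/xmpp/prosody.cfg.lua
+cp -v default_configuration/xmpp/virtualHosts/example.com.conf default_configuration/xmpp/virtualHosts/$DOMAIN.conf
+sed -i "s/__DOMAIN__/$DOMAIN/g" default_configuration/xmpp/virtualHosts/$DOMAIN.conf
+sed -i "s/__xmpp_passphrase_for_filesuploads__/$xmpp_passphrase_for_filesuploads/g" default_configuration/xmpp/virtualHosts/$DOMAIN.conf
+
+
+}
+
+install_xmpp_certs_ssl(){
+
+openssl dhparam -out my_configuration/xmpp/dh-2048.pem 2048
+install -o _prosody -g _prosody my_configuration/xmpp/dh-2048.pem /etc/prosody/certs/dh-2048.pem
+install -o _prosody -g _prosody /etc/ssl/private/"$DOMAIN".key /etc/prosody/certs/"$DOMAIN".key;
+install -o _prosody -g _prosody /etc/ssl/"$DOMAIN".crt /etc/prosody/certs/"$DOMAIN".crt;
+
+}
+
+install_prosody_modules(){
+
+prosodyctl install --server=https://modules.prosody.im/rocks/ mod_cloud_notify
+prosodyctl install --server=https://modules.prosody.im/rocks/ mod_cloud_notify_extensions
+prosodyctl install --server=https://modules.prosody.im/rocks/ mod_muc_mam
+prosodyctl install --server=https://modules.prosody.im/rocks/ mod_muc_log
+prosodyctl install --server=https://modules.prosody.im/rocks/ mod_http_upload_external
+prosodyctl install --server=https://modules.prosody.im/rocks/ mod_muc_limits
+prosodyctl install --server=https://modules.prosody.im/rocks/ mod_vcard_muc
+
+}
+
+
+gen_nginx_configuration_files_upload(){
+
+cp -v default_configuration/xmpp/nginx.conf.sample my_configuration/xmpp/upload.$DOMAIN
+cp -v default_configuration/xmpp/share.php.sample my_configuration/xmpp/share.php
+sed -i "s/__DOMAIN__/$DOMAIN/g" my_configuration/xmpp/upload.$DOMAIN
+sed -i "s/__DOMAIN__/$DOMAIN/" my_configuration/xmpp/share.php
+sed -i "s/__xmpp_passphrase_for_filesuploads__/$xmpp_passphrase_for_filesuploads/g" my_configuration/xmpp/share.php
+
+}
+
+add_logs_to_newsyslog(){
+
+egrep -v "prosody" /etc/newsyslog.conf > /tmp/newsyslog.conf
+echo '/var/prosody/prosody.log _prosody:_prosody 640 2 * $W0 Z /var/prosody/prosody.pid SIGUSR1' >> /tmp/newsyslog.conf
+echo '/var/prosody/prosody.err _prosody:_prosody 640 2 250 * Z /var/proosody/prosody.pid SIGUSR1' >> /tmp/newsyslog.conf
+mv /tmp/newsyslog.conf /etc/newsyslog.conf
+}
+
+install_nginx_configuration_files_upload(){
+
+mkdir -p /var/www/xmpp-upload/$DOMAIN/upload
+chown -R www:daemon /var/www/xmpp-upload/
+cp my_configuration/xmpp/upload.$DOMAIN /etc/nginx/sites-available/
+ln -s /etc/nginx/sites-available/upload.$DOMAIN /etc/nginx/sites-enabled/upload.$DOMAIN
+cp my_configuration/xmpp/share.php /var/www/xmpp-upload/
+
+}
+
+install_xmpp_configurations_files(){
+
+cp -v my_configuration/xmpp/prosody.cfg.lua /etc/prosody/prosody.cfg.lua
+mkdir /etc/prosody/virtualHosts
+cp -v my_configuration/xmpp/virtualHosts/$DOMAIN.conf /etc/prosody/virtualHosts/$DOMAIN.conf
+
+}
+
+
+mkdir my_configuration/xmpp
+if [ "$1" == "gen-config-only" ];
+then
+gen_prosody_configuration
+gen_nginx_configuration_files_upload
+elif [ "$1" == "install" ];
+then
+gen_prosody_configuration
+gen_nginx_configuration_files_upload
+install_prosody_package
+install_prosody_modules
+install_xmpp_configurations_files
+install_xmpp_certs_ssl
+rcctl enable prosody
+rcctl start prosody
+fi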
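Review bot: `gen_prosody_configuration` writes the rendered `prosody.cfg.lua` and `virtualHosts/$DOMAIN.conf` under `default_configuration/xmpp/`, but `install_xmpp_configurations_files` copies them from `my_configuration/xmpp/`, so the `install` branch copies files that were never generated; render into `my_configuration/xmpp/` as `gen_nginx_configuration_files_upload` already does. The passphrase substitution also interpolates `$xmpp_passphrase_for_filesuploads` straight into a `sed` expression, so any `/` or `&` in the value corrupts the generated config; a here-doc or a different delimiter avoids that. `add_logs_to_newsyslog` is defined but never called from either branch, and its second entry names `/var/proosody/prosody.pid` as the pid file, so rotation would never signal prosody. `install_nginx_configuration_files_upload` is likewise never called, which looks unintended given the `gen_nginx_configuration_files_upload` step that precedes it.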
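--- a/make_self_signed_cert.sh
+++ b/make_self_signed_cert.sh
@@ -0,0 +1,90 @@
+#!/bin/sh
+
+gen_cert_self_signed()
+
+{
+domain=$1
+
+openssl req -x509 \
+-sha256 -days 3560 \
+-nodes \
+-newkey rsa:4096 \
+-subj "/CN=$domain/C=FR/L=myserver" \
+-keyout $domain.rootCA.key -out $domain.rootCA.crt
+
+cat > $domain.csr.conf <<EOF
+[ req ]
+default_bits = 4096
+prompt = no
+default_md = sha256
+req_extensions = req_ext
+distinguished_name = dn
+
+[ dn ]
+C = FR
+ST = Internet
+L = Internet
+O = $domain
+OU = $domain
+CN = $domain
+
+[ req_ext ]
+subjectAltName = @alt_names
+
+[ alt_names ]
+DNS.1 = $domain
+DNS.2 = *.$domain
+
+EOF
+
+
+
+cat > $domain.cert.conf <<EOF
+authorityKeyIdentifier=keyid,issuer
+basicConstraints=CA:FALSE
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = $domain
+DNS.2 = *.$domain
+
+EOF
+
+openssl genrsa -out $domain.key 4096
+openssl req -new -key $domain.key -out $domain.csr -config $domain.csr.conf
+openssl x509 -req \
+-in $domain.csr \
+-CA $domain.rootCA.crt -CAkey $domain.rootCA.key \
+-CAcreateserial -out $domain.crt \
+-days 3650 \
+-sha256 -extfile $domain.cert.conf
+}
+
+install_cert_file(){
+domain=$1
+cp -v $domain.crt /etc/ssl/
+cp -v $domain.key /etc/ssl/private/
+chmod 700 /etc/ssl/private/$domain.key
+chmod 440 /etc/ssl/$domain.crt
+}
+
+usage(){
+print "This program ask domain as argument \n"
+print "create cetifcate self signed for domain.tld and *.domain.tld"
+print "Example: Your machine name is `hostname` and you want a ssl \
+certificate for this machine, type: "
+print "\t ./make_self_signed_cert.sh `hostname` "
+
+}
+
+if [ -z $1 ];
+then
+usage
+exit 3;
+fi
+
+
+cd ./my_configuration/ssl/
+gen_cert_self_signed $1
+install_cert_file $1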
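Review bot: The CA is created with `-days 3560` while the leaf certificate gets `-days 3650`, so the leaf outlives its issuer by 90 days; one of the two looks like a transposition and they should at least agree. `cd ./my_configuration/ssl/` is unchecked, and `gen_cert_self_signed` writes `$domain.key` and `$domain.rootCA.key` into the current directory, so a failed `cd` drops private keys into the repository root; use `cd ./my_configuration/ssl/ || exit 1`. `chmod 700 /etc/ssl/private/$domain.key` sets an execute bit on a key file; `chmod 600` is the intended mode, and the CA key `$domain.rootCA.key` is left in the working directory with default permissions. `if [ -z $1 ]` is unquoted (an argument with spaces makes the test fail), and `print` is a ksh builtin rather than POSIX sh, which matters if the script is ever run under a different `/bin/sh`.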
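--- a/myserver.conf
+++ b/myserver.conf
@@ -0,0 +1,34 @@
+
+## Par défault le domain est le nom d'hote de la machine maisil est possible de le personnaliser
+## comme l'exemple ce-dessous
+# DOMAIN="example.com"
+DOMAIN=`hostname`
+SSL="manual"
+SERVICE_MAIL="yes"
+SERVICE_XMPP="yes"
+xmpp_passphrase_for_filesuploads='Changez cette valeur'
+postresql_root_password='Changez cette valeur'
+# Laissez le port ssh par défault (22) est en général une mauvaise idée
+## il vaut mieu choisir un port entre 10000 et 65535 cela evite les scan massifs
+SSH_PORT=44234
+
+# Application
+nextcloud_app="yes"
+nextcloud_domain="cloud.$DOMAIN"
+nextcloud_db_name="nextcloud_db"
+nextcloud_db_user="nextcloud_user"
+nextcloud_db_pass='Changez cette valeur'
+nextcloud_admin="ladmin"
+nextcloud_admin_password='Changez cette valeur'
+
+# Pywallter
+pywallter_app="yes"
+pywallter_domain="profil.$DOMAIN"
+pywallter_secret_key='Changez cette valeur'
+
+# Dolibarr
+dolibarr_app="yes"
+dolibarr_domain="compta.$DOMAIN"
+dolibarr_db_name="dolibarr_db"
+dolibarr_db_pass='Changez cette valeur'
+dolibarr_admin_password='Changez cette valeur'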
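Review bot: `postresql_root_password` is misspelled, while install_postgresql_service.sh reads `$postgresql_root_password`, so the value set here is never used; rename it to `postgresql_root_password`. The file is sourced with `.` by the install scripts and therefore executed as shell, which is worth stating at the top, e.g. `# Sourced by the install scripts: shell syntax, keep secrets single-quoted`, since a value containing `$` or a double quote would otherwise be expanded or break the assignment. Several of these values (`nextcloud_db_pass`, `nextcloud_admin_password`, `pywallter_secret_key`, `dolibarr_db_pass`) are secrets that the scripts pass on command lines, so the customised copy of this file should not be committed and should be readable by root only.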
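--- a/utils.sh
+++ b/utils.sh
@@ -0,0 +1,92 @@
+#!/bin/sh
+
+restart_mails_service()
+{
+rcctl restart dovecot smtpd rspamd
+}
+
+restart_php_service(){
+rcctl restart php80_fpm
+}
+
+restart_postgresql_service(){
+rcctl restart postgresql
+}
+
+restart_smtp_service(){
+rcctl restart smtpd
+}
+
+restart_imap_service(){
+rcctl restart dovecot
+}
+
+restart_xmpp_service(){
+rcctl restart prosody
+}
+
+restart_webserver_service(){
+rcctl restart nginx
+}
+
+check_webserver_service(){
+rcctl check nginx
+if [ $? != 0 ]; then
+echo "Web server(Nginx) service is not running"
+exit 1;
+fi
+
+}
+
+check_redis_service(){
+rcctl check redis
+if [ $? != 0 ]; then
+echo "Redis service is not running"
+exit 1;
+fi
+}
+
+check_php_service(){
+rcctl check php80_fpm
+if [ $? != 0 ]; then
+echo "PHP service is not running"
+exit 1;
+fi
+
+}
+
+check_postgresql_service(){
+
+check_postgresql_service(){
+rcctl check postgresql
+if [ $? != 0 ]; then
+echo "Postgresql service is not running"
+exit 1;
+fi
+
+}
+
+}
+
+check_mails_service(){
+
+rcctl check dovecot
+if [ $? != 0 ]; then
+echo "IMAP mail service is not running"
+exit 1;
+fi
+
+rcctl check smtpd
+if [ $? != 0 ]; then
+echo "SMTP mail service is not running"
+exit 1;
+fi
+
+rcctl check rspamd
+if [ $? != 0 ]; then
+echo "rspamd mail service is not running"
+exit 1;
+fi
+
+
+}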
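Review bot: `check_postgresql_service` is declared twice, with the second definition nested inside the first, so the first call only redefines the function and performs no check; the real check runs only on a second call. Delete the outer `check_postgresql_service(){` and its matching trailing `}` so the body matches the shape of `check_php_service`. The `rcctl check X` / `if [ $? != 0 ]` pairs in every `check_*` function can be written as `if ! rcctl check postgresql; then`, which also stops `$?` being clobbered by anything later inserted between the two lines. The `echo "... is not running"` diagnostics go to stdout; `>&2` keeps them visible when a caller captures output, and a short header stating that this file is meant to be sourced (`# Sourced by the install scripts; check_* functions exit 1 when a service is down`) would document the `exit 1` side effect.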
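--- a/utils/renew_https_certificate
+++ b/utils/renew_https_certificate
@@ -0,0 +1,28 @@
+#!/bin/sh
+
+if [ -z $1 ];
+then
+exit 1;
+fi
+
+acme-client $1
+
+case $? in
+0)
+if [ "$2" == "xmpp" ];
+then
+echo on passe la;
+install -o _prosody -g _prosody /etc/ssl/private/"$1".key /etc/prosody/certs/"$1".key;
+install -o _prosody -g _prosody /etc/ssl/"$1".crt /etc/prosody/certs/"$1".crt;
+fi
+
+rcctl reload nginx prosody dovecot;
+rcctl restart smtpd;
+;;
+1)
+echo "acme-client a rencontré un problème dans le renouvellement des certificat https pour le domaine $1 " | mail -s "`hostname` Problème de certificat HTTPS " root;
+;;
+*)
+exit 0;
+;;
+esac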
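Review bot: `echo on passe la;` in the `xmpp` branch is a leftover debug print that will land in cron mail on every successful renewal; remove it. `$1` is unquoted in `[ -z $1 ]` and `acme-client $1` while the `install` lines quote it as `"$1"`; quote it everywhere (`[ -z "$1" ]`, `acme-client "$1"`). The `1)` branch mails root but then falls through to the implicit exit 0, so cron or any caller checking the status sees success on failure; add `exit 1;` after the `mail` line. Since this script is installed to /usr/local/bin and runs as root, a header comment stating its contract would help, e.g. `# usage: renew_https_certificate DOMAIN [xmpp]  -- renews via acme-client, reloads services on change`.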