Init repo

This commit is contained in:
kitoy 2023-01-11 01:03:34 +01:00
parent 533a540a1d
commit 85930b7cac
33 changed files with 2389 additions and 0 deletions

1
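--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
+my_configuration/*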

95
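--- a/add_domain_with_acme.sh
+++ b/add_domain_with_acme.sh
@@ -0,0 +1,95 @@
+#!/bin/sh
+gen_nginx_acme_conf(){
+domain=$1
+alt_domain=$2
+nginx_run=`rcctl check nginx`
+if [ "$nginx_run" == "nginx(ok)" ]; then
+cat > test/$domain <<EOF
+server {
+listen 80;
+server_name $alt_domain $domain;
+include snippets/acme-challenge.conf;
+root /htdocs;
+}
+EOF
+# rcctl restart nginx
+else
+echo "Service NGINX not runnig"
+exit 1
+fi
+}
+gen_acme_client_conf(){
+domain=$1
+alt_domain=$2
+if [ "$alt_domain" == "" ]; then
+cat >> my_configuration/ssl/$domain-acme-client.conf <<EOF
+domain $domain {
+domain key "/etc/ssl/private/$domain.key"
+domain full chain certificate "/etc/ssl/$domain.crt"
+sign with letsencrypt
+}
+EOF
+else
+cat >> my_configuration/ssl/$domain-acme-client.conf <<EOF
+domain $domain {
+alternative names { $alt_domain }
+domain key "/etc/ssl/private/$domain.key"
+domain full chain certificate "/etc/ssl/$domain.crt"
+sign with letsencrypt
+}
+EOF
+fi
+}
+install_utils(){
+cp -v utils/renew_https_certificate /usr/local/bin/renew_https_certificate
+chmod u+x /usr/local/bin/renew_https_certificate
+}
+get_certificate(){
+domain=$1
+/usr/local/bin/renew_https_certificate $domain
+}
+usage(){
+print "This program ask 3 arguments : \n"
+print "First is email with domain name the second is list of alternatives domains with \" \" \n"
+print "the last arguments is for share the ssl cert with xmpp daemon add xmpp at the end or not"
+print "\t $0 domain.tld \"a.domain.tld b.domain.tld c.domain.tld\""
+}
+if [ -z $1 ];
+then
+usage
+exit 3;
+fi
+if [ -e /etc/acme-client.conf ]; then
+echo ok
+else
+echo nok
+fi
+domain=$1
+alt_domain=$2
+gen_nginx_acme_conf $domain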
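Review bot: The top-level code at the end of the file calls only `gen_nginx_acme_conf $domain` and drops `$alt_domain`, so `gen_acme_client_conf`, `install_utils` and `get_certificate` are defined but never executed, and the `-e /etc/acme-client.conf` test only prints ok/nok without acting on the result. `$domain` comes straight from argv and is interpolated unquoted into the output path `test/$domain` and into the nginx `server_name`; a value containing `/`, `..` or whitespace would write outside the intended directory or produce a broken vhost, so validate it before use (e.g. `case $domain in ''|*[!A-Za-z0-9.-]*) usage; exit 3;; esac`) and quote the expansions. The `test/` output directory also looks like a leftover next to the `my_configuration/` tree used by the rest of this commit; confirm which path nginx is meant to include. Under `#!/bin/sh` the `==` comparison and the `print` builtin rely on OpenBSD's ksh; POSIX sh would need `=` and `printf`.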

138
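--- a/configure_firewall.sh
+++ b/configure_firewall.sh
@@ -0,0 +1,138 @@
+#!/bin/sh
+. ./myserver.conf
+install_package(){
+pkg_add ssh_guard curl
+useradd -s /sbin/nologin -d /var/empty _pfbadhost
+ftp https://geoghegan.ca/pub/pf-badhost/0.5/pf-badhost.sh
+install -m 755 -o root -g bin pf-badhost.sh /usr/local/bin/pf-badhost
+install -m 640 -o _pfbadhost -g wheel /dev/null /etc/pf-badhost.txt
+install -d -m 755 -o root -g wheel /var/log/pf-badhost
+install -m 640 -o _pfbadhost -g wheel /dev/null /var/log/pf-badhost/pf-badhost.log
+install -m 640 -o _pfbadhost -g wheel /dev/null /var/log/pf-badhost/pf-badhost.log.0.gz
+cp -v /etc/doas.conf /etc/doas.conf.old
+egrep -v "_pfbadhost" /etc/doas.conf > /tmp/doas.conf
+cat >> /tmp/doas.conf <<EOF
+# Pf badhost
+permit nopass _pfbadhost as root cmd /sbin/pfctl args -nf /etc/pf.conf
+permit nopass _pfbadhost as root cmd /sbin/pfctl args -t pfbadhost -T replace -f /etc/pf-badhost.txt
+permit nopass _pfbadhost as root cmd /usr/bin/zcat args -f /var/log/authlog /var/log/authlog.0.gz
+EOF
+mv /tmp/doas.conf /etc/doas.conf
+cat > /var/cron/tabs/_pfbadhost <<EOF
+# (Cron version V5.0)
+~ 0~1 * * * -s pf-badhost -O openbsd
+EOF
+chown _pfbadhost:crontab /var/cron/tabs/_pfbadhost
+chmod 600 /var/cron/tabs/_pfbadhost
+}
+set_basic_configuration(){
+cat > my_configuration/pf.conf <<EOF
+#Filtres badhosts et sshguard
+table <pfbadhost> persist file "/etc/pf-badhost.txt"
+table <sshguard> persist
+## Table pour les batards de bruteforceurs
+table <bruteforce> persist
+set block-policy drop # bloque silencieusement
+set skip on lo # En local on s'en fou on surveille rien
+set limit table-entries 400000
+set limit states 100000
+## Traitement des paquets ##
+# Paquets partiels on vire
+match all scrub (max-mss 1440 no-df random-id reassemble tcp)
+antispoof quick for egress # Protection vol d'ip
+antispoof quick for lo0 # Protection vol d'ip
+# Port build user does not need network
+block return out log proto {tcp udp} user _pbuild
+# On bloque tout par défault
+block
+block quick on egress from <pfbadhost>
+block in from <sshguard>
+block log quick from <bruteforce> label "brutes"
+pass out on egress proto { tcp udp icmp ipv6-icmp } modulate state
+EOF
+}
+set_open_service(){
+cat >> my_configuration/pf.conf <<EOF
+#déclaration des variables
+web_ports = "{ http https }"
+EOF
+if [ "$SERVICE_MAIL" == "yes" ]; then
+echo "mail_ports = \"{ smtp submission imap }\"" >> default_configuration/pf.conf
+fi
+if [ "$SERVICE_XMPP" == "yes" ]; then
+echo "xmmp_ports = \"{ 5222 5269 }\"" >> default_configuration/pf.conf
+fi
+echo "ssh_port = \"$SSH_PORT\"" >> default_configuration/pf.conf
+cat >> my_configuration/pf.conf <<EOF
+## Anti bruteforce
+### SSH
+#### Limit 5 connexions simultanne par IP source
+#### Limit 15 tentatives de connexion toutes les 5 minutes
+pass in on egress proto tcp to port \$ssh_port modulate state \\
+(max-src-conn 5, max-src-conn-rate 15/5, overload <bruteforce> flush global)
+#web
+pass in on egress proto tcp to port \$web_ports modulate state \\
+(max-src-conn 60, max-src-conn-rate 60/1, overload <bruteforce> flush global)
+EOF
+if [ "$SERVICE_MAIL" == "yes" ]; then
+cat >> my_configuration/pf.conf <<EOF
+# mails
+## antispam
+pass in on egress proto tcp to port \$mail_ports modulate state \\
+(max-src-conn-rate 20/5, overload <bruteforce> flush global)
+pass out log on egress proto tcp to any port smtp
+EOF
+fi
+if [ "$SERVICE_XMPP" == "yes" ]; then
+cat >> my_configuration/pf.conf <<EOF
+# XMPP
+pass in on egress proto tcp to port \$xmpp_ports modulate state \\
+(max-src-conn 15, max-src-conn-rate 15/5, overload <bruteforce> flush global)
+EOF
+fi
+}
+install_pf_and_enable(){
+pfctl -nf my_configuration/pf.conf
+if [ $? == 0 ]; then
+cp -v /etc/pf.conf /etc/pf.old
+cp -v my_configuration/pf.conf /etc/pf.conf
+pfctl -f /etc/pf.conf
+else
+echo "Il y a un problème dans la configuration du firewall"
+fi
+}
+set_basic_configuration
+set_open_service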
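Review bot: In `set_open_service` the three `echo` lines that define `mail_ports`, `xmmp_ports` and `ssh_port` are appended to `default_configuration/pf.conf`, while every other line goes to `my_configuration/pf.conf`; the rules written afterwards reference `$ssh_port`, `$mail_ports` and `$xmpp_ports` in a file that never defines them, so `pfctl -nf my_configuration/pf.conf` will reject the generated ruleset, and the macro is spelled `xmmp_ports` where the rule reads `$xmpp_ports`. Redirect those three lines to `my_configuration/pf.conf` (e.g. `echo "ssh_port = \"$SSH_PORT\"" >> my_configuration/pf.conf`) and fix the spelling. Separately, `block in from <sshguard>` carries no `quick`, and pf applies the last matching rule, so the later `pass in on egress proto tcp to port $ssh_port` rule still admits hosts sshguard has placed in the table; `block in quick from <sshguard>` keeps the ban effective, and the same line appears in the static pf.conf later in this commit. `install_pf_and_enable` is never called, so this script neither validates nor loads what it generates, and `install_package` installs the fetched `pf-badhost.sh` without any checksum or signature check on the download.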

283
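--- a/configure_mail_service.sh
+++ b/configure_mail_service.sh
@@ -0,0 +1,283 @@
+#!/bin/sh
+. ./myserver.conf
+. ./utils.sh
+install_mails_services_pkg()
+{
+pkg_add dovecot dovecot-pigeonhole opensmtpd-filter-rspamd \
+opensmtpd-extras-6.7.1v0 opensmtpd-filter-dkimsign-0.5 rspamd-3.2
+}
+gen_mails_service_configuration()
+{
+#Generate opensmtpd configuration
+cat > my_configuration/mail/smtpd.conf <<EOF
+# See smtpd.conf(5) for more information.
+# To accept external mail, replace with: listen on all
+#
+# les Certificats
+pki "cert_mail" cert "/etc/ssl/$DOMAIN.crt"
+pki "cert_mail" key "/etc/ssl/private/$DOMAIN.key"
+table aliases file:/etc/mail/aliases
+table passwd file:/etc/mail/passwd
+table virtuals file:/etc/mail/virtuals
+filter "rspamd" proc-exec "filter-rspamd"
+filter "dkimsign" proc-exec "filter-dkimsign -d $DOMAIN -s dkim -k /etc/mail/dkim/$DOMAIN-private.key" user _dkimsign group _dkimsign
+# Activation du check du reverse DNS
+#filter check_rdns phase connect match !rdns disconnect "550 no rDNS available"
+#filter check_fcrdns phase connect match !fcrdns disconnect "550 no FCrDNS available"
+# To accept external mail, replace with: listen on all
+listen on all tls pki "cert_mail" hostname "$DOMAIN" filter rspamd
+listen on all port submission tls-require pki "cert_mail" auth <passwd> filter dkimsign
+action "local_mail" mbox alias <aliases>
+action "domain_mail" maildir "/var/vmail/$DOMAIN/%{dest.user:lowercase}" virtual <virtuals>
+action "outbound" relay
+# Uncomment the following to accept external mail for domain "example.org"
+match from any for domain "$DOMAIN" action "domain_mail"
+match from local for local action "local_mail"
+match auth from any for any action "outbound"
+EOF
+#Generate spamd configuration
+cat > my_configuration/mail/spamd.conf <<EOF
+all:\
+:nixspam:
+# Nixspam recent sources list.
+# Mirrored from http://www.heise.de/ix/nixspam
+nixspam:\
+:black:\
+:msg="Your address %A is in the nixspam list\n\
+See http://www.heise.de/ix/nixspam/dnsbl_en/ for details":\
+:method=https:\
+:file=www.openbsd.org/spamd/nixspam.gz
+# An example of a list containing addresses which should not talk to spamd.
+#
+#override:\
+# :white:\
+# :method=file:\
+# :file=/var/db/override.txt:
+EOF
+## Generate Dovecot configuration
+cat > my_configuration/dovecot/local.conf <<EOF
+listen = *
+protocols = imap
+first_valid_uid = 1000
+first_valid_gid = 1000
+mail_location = maildir:/var/vmail/%d/%n
+mail_plugin_dir = /usr/local/lib/dovecot
+disable_plaintext_auth = yes
+managesieve_notify_capability = mailto
+managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext imapsieve vnd.dovecot.imapsieve
+mbox_write_locks = fcntl
+mmap_disable = yes
+namespace inbox {
+inbox = yes
+location =
+mailbox Archive {
+auto = subscribe
+special_use = \Archive
+}
+mailbox Drafts {
+auto = subscribe
+special_use = \Drafts
+}
+mailbox Junk {
+auto = subscribe
+special_use = \Junk
+}
+mailbox Sent {
+auto = subscribe
+special_use = \Sent
+}
+mailbox Trash {
+auto = subscribe
+special_use = \Trash
+}
+prefix =
+}
+service auth {
+user = $default_internal_user
+group = _maildaemons
+}
+passdb {
+args = scheme=blf-crypt /etc/mail/passwd
+driver = passwd-file
+}
+plugin {
+imapsieve_mailbox1_before = file:/usr/local/lib/dovecot/sieve/report-spam.sieve
+imapsieve_mailbox1_causes = COPY
+imapsieve_mailbox1_name = Junk
+imapsieve_mailbox2_before = file:/usr/local/lib/dovecot/sieve/report-ham.sieve
+imapsieve_mailbox2_causes = COPY
+imapsieve_mailbox2_from = Junk
+imapsieve_mailbox2_name = *
+sieve = file:~/sieve;active=~/.dovecot.sieve
+sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment
+sieve_pipe_bin_dir = /usr/local/lib/dovecot/sieve
+sieve_plugins = sieve_imapsieve sieve_extprograms
+}
+protocols = imap sieve
+service imap-login {
+inet_listener imap {
+port = 143
+}
+}
+ssl = required
+ssl_min_protocol = TLSv1.2
+ssl_cipher_list = EECDH+AESGCM
+ssl_prefer_server_ciphers = yes
+#ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
+ssl_cert = </etc/ssl/$DOMAIN.crt
+ssl_key = </etc/ssl/private/$DOMAIN.key
+userdb {
+driver = static
+args = uid=vmail gid=vmail home=/var/vmail/%d/%n/
+}
+protocol imap {
+mail_plugins = " imap_sieve"
+}
+EOF
+}
+gen_dkim_keys(){
+# Generate dkim key
+openssl genrsa -out my_configuration/mail/$DOMAIN-private.key 2048
+openssl rsa -in my_configuration/mail/$DOMAIN-private.key -pubout | \
+sed '1s/.*/v=DKIM1;p=/;:nl;${s/-----.*//;q;};N;s/\n//g;b nl;' > default_configuration/mail/$DOMAIN-public.key
+}
+install_dovecot_service_antispam()
+{
+# Add antispam utils for Dovecot
+cd /usr/local/lib/dovecot/sieve
+cat > report-ham.sieve <<EOF
+require ["vnd.dovecot.pipe", "copy", "imapsieve", "environment", "variables"];
+if environment :matches "imap.mailbox" "*" {
+set "mailbox" "${1}";
+}
+if string "${mailbox}" "Trash" {
+stop;
+}
+if environment :matches "imap.user" "*" {
+set "username" "${1}";
+}
+pipe :copy "sa-learn-ham.sh" [ "${username}" ];
+EOF
+cat > report-spam.sieve <<EOF
+require ["vnd.dovecot.pipe", "copy", "imapsieve", "environment", "variables"];
+if environment :matches "imap.user" "*" {
+set "username" "${1}";
+}
+pipe :copy "sa-learn-spam.sh" [ "${username}" ];
+EOF
+cat > sa-learn-ham.sh<<EOF
+#!/bin/sh
+exec /usr/local/bin/rspamc -d "${1}" learn_ham
+EOF
+cat > sa-learn-spam.sh<<EOF
+#!/bin/sh
+exec /usr/local/bin/rspamc -d "${1}" learn_spam
+EOF
+sievec report-ham.sieve
+sievec report-spam.sieve
+chmod 755 sa-learn-ham.sh
+chmod 755 sa-learn-spam.sh
+}
+install_mails_services_configuration()
+{
+cp my_configuration/mail/smtpd.conf /etc/mail/smtpd.conf
+cp my_configuration/dovecot/local.conf /etc/dovecot/local.conf
+mkdir /etc/mail/dkim/
+cp my_configuration/mail/$DOMAIN-private.key /etc/mail/dkim/
+cp my_configuration/mail/$DOMAIN-public.key /etc/mail/dkim/
+chown -R _dkimsign /etc/mail/dkim/
+touch /etc/mail/virtuals
+touch /etc/mail/passwd
+rm /etc/dovecot/conf.d/10-ssl.conf
+}
+make_system_mails_services_requirements()
+{
+useradd -c "Virtual Mail Account" -d /var/vmail -s /sbin/nologin -u 2000 -g =uid -L staff vmail
+mkdir -p /var/vmail/$DOMAIN
+chown -R vmail:vmail /var/vmail/
+groupadd _maildaemons
+usermod -G _maildaemons _dovecot
+usermod -G _maildaemons _smtpd
+cp /etc/login.conf /etc/login.conf.old
+cat >> /etc/login.conf <<EOF
+dovecot:\
+:openfiles-cur=1024:\
+:openfiles-max=2048:\
+:tc=daemon:
+EOF
+}
+mkdir my_configuration/mail
+mkdir my_configuration/dovecot
+install_mails_services_pkg
+gen_mails_service_configuration
+gen_dkim_keys
+gen_mails_service_utils
+install_mails_services_configuration
+make_system_mails_services_requirements
+rcctl enable redis
+rcctl start redis
+restart_mails_service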
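Review bot: The four here-docs in `install_dovecot_service_antispam` use an unquoted `EOF` delimiter, so `${1}`, `${mailbox}` and `${username}` are expanded by the generating shell (to empty strings, since the function receives no arguments) instead of being written literally, and the installed sieve scripts and `rspamc -d "${1}"` wrappers end up learning ham/spam for an empty user; quote the delimiter (`cat > report-ham.sieve <<'EOF'`, and likewise for the other three) so the text is copied verbatim. `gen_dkim_keys` writes the public key to `default_configuration/mail/` but `install_mails_services_configuration` copies it from `my_configuration/mail/`, so that `cp` fails, and the private key is generated under the default umask in the working tree and installed with only a `chown`; run the `openssl genrsa` step under `umask 077` and `chmod 600` the installed key. `cd /usr/local/lib/dovecot/sieve` has no `|| exit 1`, so if the directory is missing the sieve files are written to the current directory instead. The main section calls `gen_mails_service_utils` and `restart_mails_service`, which are not defined in this file (presumably they live in the sourced `utils.sh`), while `install_dovecot_service_antispam` is defined but never called. Also `service auth { user = $default_internal_user }` is expanded by the shell when the Dovecot config is generated, so unless that variable is set in `myserver.conf` the line is written as `user = ` — confirm it is meant to be a shell variable rather than a Dovecot one.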


@ -0,0 +1,41 @@
server {
root /dolibarr/htdocs;
listen [::]:443 ssl;
listen 443 ssl;
ssl_certificate /etc/ssl/__dolibarr_domain__.crt;
ssl_certificate_key /etc/ssl/private/__dolibarr_domain__.key;
index index.html index.php;
server_name __dolibar_domain__;
location / {
try_files $uri $uri/ =404;
}
location ~ [^/]\.php(/|$) {
fastcgi_intercept_errors on;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
}
}
server {
listen [::]:80;
listen 80;
server_name __dolibarr_domain__;
if ($host = dolibarr.example.fr) {
return 301 https://$host$request_uri;
}
}
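Review bot: The `location ~ [^/]\.php(/|$)` block sets fastcgi parameters but contains no `fastcgi_pass`, so nginx has no content handler for it and falls through to static file serving, returning the PHP source of any requested `.php` file instead of executing it; add `fastcgi_pass php-handler;` (the upstream defined elsewhere in this commit) or the socket path. The `server_name __dolibar_domain__;` placeholder is misspelled relative to the `__dolibarr_domain__` token used on the certificate lines and in the port-80 server, so a search-and-replace on the intended token will leave it untouched, and `if ($host = dolibarr.example.fr)` hard-codes a hostname where the placeholder belongs. The second dolibarr configuration in this commit has the same missing `fastcgi_pass`.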


@ -0,0 +1,45 @@
server {
listen 80;
server_name __dolibarr_domain__;
include snippets/acme-challenge.conf;
return 301 https://$http_host$request_uri;
root /htdocs/;
}
server {
listen 443 ssl http2;
server_name __dolibarr_domain__;
root /var/www/dolibarr/htdocs;
index index.html index.php;
ssl_certificate /etc/ssl/__dolibarr_domain__.crt;
ssl_certificate_key /etc/ssl/private/__dolibarr_domain__.key;
include snippets/secure-ssl.conf;
include snippets/acme-challenge.conf;
location / {
try_files $uri $uri/ =404;
}
location ~ [^/]\.php(/|$) {
fastcgi_intercept_errors on;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
}
}
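Review bot: This 443 server includes `snippets/secure-ssl.conf` but not `snippets/secure-headers.conf`, so the HSTS and X-Frame-Options headers the pywallter and upload vhosts in this commit get are absent here; add `include snippets/secure-headers.conf;` next to the secure-ssl include. The `location ~ [^/]\.php(/|$)` block has the same missing `fastcgi_pass` raised on the first dolibarr configuration.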


@ -0,0 +1,4 @@
<?php
$CONFIG = array (
'datadirectory' => ((php_sapi_name() == 'cli') ? '/var/www' : '') . '/nextcloud/data',
);


@ -0,0 +1,153 @@
server {
listen 80;
server_name __nextcloud_domain__;
include snippets/acme-challenge.conf;
return 301 https://$http_host$request_uri;
root /htdocs/;
}
server {
listen 443 ssl http2;
server_name __nextcloud_domain__;
ssl_certificate /etc/ssl/__nextcloud_domain__.crt;
ssl_certificate_key /etc/ssl/private/__nextcloud_domain__.key;
include snippets/secure-ssl.conf;
include snippets/acme-challenge.conf;
# set max upload size
client_max_body_size 4096M;
fastcgi_buffers 64 4K;
# Enable gzip but do not remove ETag headers
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
add_header X-Frame-Options "SAMEORIGIN" "always";
# Pagespeed is not supported by Nextcloud, so if your server is built
# with the `ngx_pagespeed` module, uncomment this line to disable it.
# pagespeed off;
add_header X-Content-Type-Options "nosniff";
# HTTP response headers borrowed from Nextcloud `.htaccess`
add_header Referrer-Policy "no-referrer" always;
add_header X-Download-Options "noopen" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
# Remove X-Powered-By, which is an information leak
fastcgi_hide_header X-Powered-By;
# Specify how to handle directories -- specifying `/index.php$request_uri`
# here as the fallback means that Nginx always exhibits the desired behaviour
# when a client requests a path that corresponds to a directory that exists
# on the server. In particular, if that directory contains an index.php file,
# that file is correctly served; if it doesn't, then the request is passed to
# the front-end controller. This consistent behaviour means that we don't need
# to specify custom rules for certain paths (e.g. images and other assets,
# `/updater`, `/ocm-provider`, `/ocs-provider`), and thus
# `try_files $uri $uri/ /index.php$request_uri`
# always provides the desired behaviour.
index index.php index.html /index.php$request_uri;
# Rule borrowed from `.htaccess` to handle Microsoft DAV clients
location = / {
if ( $http_user_agent ~ ^DavClnt ) {
return 302 /remote.php/webdav/$is_args$args;
}
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# Make a regex exception for `/.well-known` so that clients can still
# access it despite the existence of the regex rule
# `location ~ /(\.|autotest|...)` which would otherwise handle requests
# for `/.well-known`.
location ^~ /.well-known {
# The rules in this block are an adaptation of the rules
# in `.htaccess` that concern `/.well-known`.
location = /.well-known/carddav { return 301 /remote.php/dav/; }
location = /.well-known/caldav { return 301 /remote.php/dav/; }
# Let Nextcloud's API for `/.well-known` URIs handle all other
# requests by passing them to the front-end controller.
return 301 /index.php$request_uri;
}
# Rules borrowed from `.htaccess` to hide certain paths from clients
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; }
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; }
# Ensure this block, which passes PHP files to the PHP process, is above the blocks
# which handle static assets (as seen below). If this block is not declared first,
# then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
# to the URI, resulting in a HTTP 500 error response.
location ~ \.php(?:$|/) {
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
set $path_info $fastcgi_path_info;
try_files $fastcgi_script_name =404;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $path_info;
fastcgi_param HTTPS on;
fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice
fastcgi_param front_controller_active true; # Enable pretty urls
fastcgi_pass php-handler;
fastcgi_intercept_errors on;
fastcgi_request_buffering off;
}
location ~ \.(?:css|js|svg|gif)$ {
try_files $uri /index.php$request_uri;
expires 6M; # Cache-Control policy borrowed from `.htaccess`
access_log off; # Optional: Don't log access to assets
}
location ~ \.woff2?$ {
try_files $uri /index.php$request_uri;
expires 7d; # Cache-Control policy borrowed from `.htaccess`
access_log off; # Optional: Don't log access to assets
}
# Rule borrowed from `.htaccess`
location /remote {
return 301 /remote.php$request_uri;
}
location / {
try_files $uri $uri/ /index.php$request_uri;
}
root /nextcloud;
}
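Review bot: `client_max_body_size 4096M;` is only effective if PHP accepts the same size, and the php.ini in this commit sets `post_max_size = 8M` next to `upload_max_filesize = 2048M`, so PHP rejects uploads above 8 MB regardless of this directive; align the three values. `add_header X-Content-Type-Options "nosniff";` lacks the `always` flag that the surrounding headers carry, so it is omitted on error responses; `add_header X-Content-Type-Options "nosniff" always;` keeps it consistent. The quoted `"always"` on the X-Frame-Options line works because nginx strips the quotes, but the bare keyword is clearer.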


@ -0,0 +1,5 @@
location ^~ /.well-known/acme-challenge/ {
rewrite ^/.well-known/acme-challenge/(.*) /$1 break;
default_type "text/plain";
root /acme;
}


@ -0,0 +1,35 @@
# Ajout HSTS header
# Appliquer une durée de plus d'une semaine pour obtenir A+ sur ssl-labs
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; # duration=365days
# add_header Strict-Transport-Security "max-age=0; includeSubDomains"; # Désactive HSTS
# Ajoute gzip mais n'enleve pas les ETag headers
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
# Pagespeed is not supported by Nextcloud, so if your server is built
# with the ngx_pagespeed module, uncomment this line to disable it.
# pagespeed off;
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff";
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Content-Security-Policy "upgrade-insecure-requests";
add_header Content-Security-Policy-Report-Only " default-src https: data: 'unsafe-inline' 'unsafe-eval'";
# Remove X-Powered-By, which is an information leak
fastcgi_hide_header X-Powered-By;
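Review bot: The `Content-Security-Policy-Report-Only` header carries no `report-uri` or `report-to` directive, so violations are evaluated but never delivered anywhere and the line has no effect; either append `; report-uri <your-report-endpoint>` to a real collector or drop it. `X-Content-Type-Options` and `X-Frame-Options` lack the `always` flag the other headers in this snippet use, so they are not sent on 4xx/5xx responses. Note also that nginx does not merge `add_header` across levels: any `location` block that declares its own `add_header` drops every header from this snippet, which is worth a comment at the top of the file for anyone reusing it.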


@ -0,0 +1,21 @@
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_protocols TLSv1.2 TLSv1.3; # Score=100
# ssl ciphers list
ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 +SHA !aNULL !eNULL !LOW !kECDH !DSS !MD5 !RC4 !EXP !PSK !SRP !CAMELLIA !SEED'; # Score=90 (recommended because more compatible)
# ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL; # Score=100
# to ensure that the best possible cipher is always included over the weaker ones, chosen from the above order
ssl_prefer_server_ciphers on;
# OCSP stapling
ssl_stapling on; # allow Nginx to send OCSP results during the connection process
ssl_stapling_verify on;
resolver 80.67.169.12 80.67.169.40 valid=300s;
resolver_timeout 10s;
# Speeds things up a little bit when resuming a session
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:5m;
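Review bot: `ssl_stapling_verify on;` needs the issuer chain configured via `ssl_trusted_certificate` for verification to succeed; without it nginx logs an OCSP verification failure and does not staple, so add `ssl_trusted_certificate /etc/ssl/<chain-file>;` (placeholder path) to each vhost that includes this snippet. `ssl_session_tickets` is left at its default (on) with no key rotation configured; consider `ssl_session_tickets off;` if forward secrecy across nginx restarts matters. The two `resolver` addresses are public DNS servers queried from inside nginx's chroot for OCSP lookups; a comment stating that choice would help the next reader.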


@ -0,0 +1,59 @@
#Filtres badhosts et sshguard
table <pfbadhost> persist file "/etc/pf-badhost.txt"
table <sshguard> persist
## Table pour les batards de bruteforceurs
table <bruteforce> persist
set block-policy drop # bloque silencieusement
set skip on lo # En local on s'en fou on surveille rien
set limit table-entries 400000
set limit states 100000
## Traitement des paquets ##
# Paquets partiels on vire
match all scrub (max-mss 1440 no-df random-id reassemble tcp)
antispoof quick for egress # Protection vol d'ip
antispoof quick for lo0 # Protection vol d'ip
# Port build user does not need network
block return out log proto {tcp udp} user _pbuild
# On bloque tout par défault
block
block quick on egress from <pfbadhost>
block in from <sshguard>
block log quick from <bruteforce> label "brutes"
pass out on egress proto { tcp udp icmp ipv6-icmp } modulate state
#déclaration des variables
web_ports = "{ http https }"
mail_ports = "{ smtp submission imap }"
xmpp_ports = "{ 5222 5269 }"
ssh_port = "42420"
## Anti bruteforce
### SSH
#### Limite à 5 connexions simultanne par IP source
#### Limite à 15 tentatives de connexion toutes les 5 minutes
pass in on egress proto tcp to port $ssh_port modulate state \
(max-src-conn 5, max-src-conn-rate 15/5, overload <bruteforce> flush global)
#web
pass in on egress proto tcp to port $web_ports modulate state \
(max-src-conn 60, max-src-conn-rate 60/1, overload <bruteforce> flush global)
# mails
## antispam
pass in on egress proto tcp to port $mail_ports modulate state \
(max-src-conn-rate 20/5, overload <bruteforce> flush global)
pass out log on egress proto tcp to any port smtp
# XMPP
pass in on egress proto tcp to port $xmpp_ports modulate state \
(max-src-conn 15, max-src-conn-rate 15/5, overload <bruteforce> flush global)
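Review bot: With `block` as the default and only `pass out ... modulate state` for egress, no rule admits inbound ICMP/ICMPv6, so if the host has IPv6 connectivity unsolicited neighbor solicitations and router advertisements are dropped and IPv6 will not work reliably; if that applies, a rule such as `pass in inet6 proto icmp6 all icmp6-type { neighbrsol neighbradv routeradv }` is needed, and inbound `echoreq` is usually wanted too. `antispoof quick for lo0` appears redundant given `set skip on lo`, which already exempts loopback from filtering. The non-`quick` `block in from <sshguard>` issue is covered on the configure_firewall.sh note.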


@ -0,0 +1,4 @@
upstream php-handler {
server unix:/run/php-fpm.sock;
}


@ -0,0 +1,189 @@
[PHP]
;;;;;;;;;;;;;;;;;;;
; Quick Reference ;
;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;
; Language Options ;
;;;;;;;;;;;;;;;;;;;;
engine = On
short_open_tag = Off
precision = 14
output_buffering = 4096
zlib.output_compression = Off
implicit_flush = Off
unserialize_callback_func =
serialize_precision = -1
disable_functions =
disable_classes =
zend.enable_gc = On
zend.exception_ignore_args = On
zend.exception_string_param_max_len = 0
;;;;;;;;;;;;;;;;;
; Miscellaneous ;
;;;;;;;;;;;;;;;;;
expose_php = Off
;;;;;;;;;;;;;;;;;;;
; Resource Limits ;
;;;;;;;;;;;;;;;;;;;
max_execution_time = 30
max_input_time = 60
memory_limit = 2048M
error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
display_errors = Off
display_startup_errors = Off
log_errors = On
log_errors_max_len = 1024
ignore_repeated_errors = Off
ignore_repeated_source = Off
report_memleaks = On
;;;;;;;;;;;;;;;;;
; Data Handling ;
;;;;;;;;;;;;;;;;;
variables_order = "GPCS"
request_order = "GP"
register_argc_argv = Off
auto_globals_jit = On
post_max_size = 8M
auto_prepend_file =
auto_append_file =
default_mimetype = "text/html"
default_charset = "UTF-8"
;;;;;;;;;;;;;;;;;;;;;;;;;
; Paths and Directories ;
;;;;;;;;;;;;;;;;;;;;;;;;;
; UNIX: "/path1:/path2"
include_path = ".:/pear/lib:/var/www/pear/lib"
doc_root =
user_dir =
extension_dir = "/usr/local/lib/php-8.0/modules"
enable_dl = Off
;;;;;;;;;;;;;;;;
; File Uploads ;
;;;;;;;;;;;;;;;;
file_uploads = On
upload_max_filesize = 2048M
max_file_uploads = 20
;;;;;;;;;;;;;;;;;;
; Fopen wrappers ;
;;;;;;;;;;;;;;;;;;
allow_url_fopen = Off
allow_url_include = Off
default_socket_timeout = 60
;;;;;;;;;;;;;;;;;;;
; Module Settings ;
;;;;;;;;;;;;;;;;;;;
[CLI Server]
; Whether the CLI web server uses ANSI color coding in its terminal output.
cli_server.color = On
[Date]
; Defines the default timezone used by the date functions
; http://php.net/date.timezone
date.timezone = UTC
[mail function]
SMTP = localhost
; http://php.net/smtp-port
smtp_port = 25
mail.add_x_header = Off
[ODBC]
odbc.allow_persistent = On
odbc.check_persistent = On
odbc.max_persistent = -1
odbc.max_links = -1
odbc.defaultlrl = 4096
odbc.defaultbinmode = 1
[PostgreSQL]
; Allow or prevent persistent links.
; http://php.net/pgsql.allow-persistent
pgsql.allow_persistent = On
; Detect broken persistent links always with pg_pconnect().
; Auto reset feature requires a little overheads.
; http://php.net/pgsql.auto-reset-persistent
pgsql.auto_reset_persistent = Off
; Maximum number of persistent links. -1 means no limit.
; http://php.net/pgsql.max-persistent
pgsql.max_persistent = -1
; Maximum number of links (persistent+non persistent). -1 means no limit.
; http://php.net/pgsql.max-links
pgsql.max_links = -1
; Ignore PostgreSQL backends Notice message or not.
; Notice message logging require a little overheads.
; http://php.net/pgsql.ignore-notice
pgsql.ignore_notice = 0
; Log PostgreSQL backends Notice message or not.
; Unless pgsql.ignore_notice=0, module cannot log notice message.
; http://php.net/pgsql.log-notice
pgsql.log_notice = 0
[bcmath]
; Number of decimal digits for all bcmath functions.
; http://php.net/bcmath.scale
bcmath.scale = 0
[Session]
; Handler used to store/retrieve data.
; http://php.net/session.save-handler
session.save_handler = files
session.use_cookies = 1
session.use_only_cookies = 1
session.name = PHPSESSID
session.auto_start = 0
session.cookie_lifetime = 0
session.cookie_path = /
session.cookie_domain =
session.cookie_httponly =
session.cookie_samesite =
session.serialize_handler = php
session.gc_probability = 1
session.gc_divisor = 1000
session.gc_maxlifetime = 1440
session.referer_check =
session.cache_limiter = nocache
session.cache_expire = 180
session.use_trans_sid = 0
session.sid_length = 26
session.trans_sid_tags = "a=href,area=href,frame=src,form="
session.sid_bits_per_character = 5
[Assertion]
zend.assertions = -1
[Tidy]
tidy.clean_output = Off
[soap]
soap.wsdl_cache_enabled=1
soap.wsdl_cache_dir="/tmp"
soap.wsdl_cache_ttl=86400
soap.wsdl_cache_limit = 5
[ldap]
; Sets the maximum number of open links or -1 for unlimited.
ldap.max_links = -1
[opcache]
; Determines if Zend OPCache is enabled
opcache.enable=1
opcache.enable_cli=1
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=10000
opcache.memory_consumption=128
opcache.save_comments=1
opcache.revalidate_freq=1
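Review bot: `post_max_size = 8M` is smaller than `upload_max_filesize = 2048M`; PHP caps the whole request body at post_max_size before upload_max_filesize is considered, so any upload above 8 MB is discarded. Raise `post_max_size` to at least the upload limit and keep both at or below the nginx `client_max_body_size` used in this commit. `session.cookie_httponly =` and `session.cookie_samesite =` are left empty, which disables both protections for the session cookie; set `session.cookie_httponly = 1`, `session.cookie_samesite = Lax` and `session.cookie_secure = 1`, since every vhost here redirects to HTTPS. `memory_limit = 2048M` together with `pm.max_children = 5` in the php-fpm pool allows up to 10 GB of PHP heap; confirm the host has that headroom or lower one of them.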


@ -0,0 +1,29 @@
;;;;;;;;;;;;;;;;;;;;;
; FPM Configuration ;
;;;;;;;;;;;;;;;;;;;;;
[global]
error_log = log/php-fpm.log
;;;;;;;;;;;;;;;;;;;;
; Pool Definitions ;
;;;;;;;;;;;;;;;;;;;;
include=/etc/php-fpm.d/*.conf
[www]
user = www
group = www
listen = /var/www/run/php-fpm.sock
listen.owner = www
listen.group = www
listen.mode = 0660
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
chroot = /var/www
env[HOSTNAME] = $HOSTNAME
env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp
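Review bot: `listen = /var/www/run/php-fpm.sock` only matches the `server unix:/run/php-fpm.sock` upstream in this commit if nginx itself runs chrooted in /var/www; that coupling is invisible from either file, so a comment such as `; nginx is chrooted to /var/www and sees this socket as /run/php-fpm.sock` would save the next reader a hunt. With `chroot = /var/www` the pool also cannot read the system resolver or CA bundle unless copies are provisioned inside the chroot; nothing in this commit appears to do that, so applications making outbound TLS connections will fail until it is added.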


@ -0,0 +1,18 @@
# TYPE DATABASE USER ADDRESS METHOD
local all postgres trust
# "local" is for Unix domain socket connections only
#local all all md5
# IPv4 local connections:
host all all 127.0.0.1/32 scram-sha-256
# IPv6 local connections:
host all all ::1/128 scram-sha-256
# Allow replication connections from localhost, by a user with the
# replication privilege.
local replication all scram-sha-256
host replication all 127.0.0.1/32 scram-sha-256
host replication all ::1/128 scram-sha-256
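Review bot: `local all postgres trust` lets any local account that can reach the Unix socket connect as the `postgres` superuser without authentication; since every other line already uses `scram-sha-256`, this one should be `local all postgres peer` so only the OS `postgres` user (or an explicit map) gets in. `local replication all scram-sha-256` allows any role with the REPLICATION privilege to stream the whole cluster over the socket; restricting it to the dedicated replication role name, if one exists, narrows that.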


@ -0,0 +1,47 @@
server {
listen 80;
server_name __pywallter_domain__;
#Ajout pour les certificats letsencrypt
include snippets/acme-challenge.conf;
return 301 https://$http_host$request_uri;
root /html/;
}
server {
listen 443 ssl http2;
server_name __pywallter_domain__;
ssl_certificate /etc/ssl/__pywallter_domain__.crt;
ssl_certificate_key /etc/ssl/private/__pywallter_domain__.key;
#Ajout d'une configuration ssl securise
include snippets/secure-ssl.conf;
# Speeds things up a little bit when resuming a session
# ssl_session_timeout 5m;
# ssl_session_cache shared:SSL:5m;
# Ajout pour le certificat letsencrypt
include snippets/acme-challenge.conf;
# Ajout pour securiser les headers
include snippets/secure-headers.conf;
client_max_body_size 100M;
location / {
proxy_pass http://127.0.0.1:8000/;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Prefix /;
}
# Path to the root of your installation
root /html/;
}
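Review bot: The proxy block forwards the `X-Forwarded-*` headers but not `Host`, so the backend on 127.0.0.1:8000 sees `Host: 127.0.0.1:8000` unless it explicitly reads `X-Forwarded-Host`; add `proxy_set_header Host $host;` so host checks and generated absolute URLs work. `client_max_body_size 100M;` and the commented-out session directives are fine, but the commented lines duplicate what `snippets/secure-ssl.conf` already sets and could be removed.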


@ -0,0 +1,16 @@
#!/bin/ksh
daemon="/usr/local/bin/python3"
daemon_flags="wsgi.py"
daemon_user="pywallter"
location="/home/pywallter/pywallter"
. /etc/rc.d/rc.subr
rc_start() {
${rcexec} "cd ${location}; ${daemon} ${daemon_flags}"
}
rc_bg=YES
rc_cmd $1
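Review bot: `daemon_flags="wsgi.py"` is a path relative to `${location}` and only works because `rc_start` runs `cd ${location}` first; a comment such as `# daemon_flags is resolved relative to $location (see rc_start)` makes that dependency explicit. The command run is a bare `python3 wsgi.py`, which suggests the application's built-in development server is what faces nginx; if so, consider a production WSGI server, since the dev server is single-threaded and not hardened for exposure behind a reverse proxy.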


@ -0,0 +1,59 @@
server {
listen 80;
listen [::]:80;
server_name upload.__XMPP_DOMAIN__ ;
include snippets/acme-challenge.conf;
return 301 https://$http_host$request_uri;
access_log /var/log/upload.__DOMAIN__-access.log;
error_log /var/log/upload.__DOMAIN__-error.log;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name upload.__DOMAIN__;
ssl_certificate /etc/ssl/upload.__DOMAIN__.crt;
ssl_certificate_key /etc/ssl/private/upload.__DOMAIN__.key;
root /xmpp-upload/;
include snippets/secure-ssl.conf;
include snippets/secure-headers.conf;
#custom headers
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' 'HEAD, GET, PUT, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'Authorization';
add_header 'Access-Control-Allow-Credentials' 'true';
add_header x-robots-tag "noindex, follow";
client_max_body_size 105M; # Choose a value a bit higher than the max upload configured in XMPP server
# add_header Strict-Transport-Security " max-age=63072000; includeSubDomains; preload";
include snippets/acme-challenge.conf;
location ~ \.php(?:$|/) {
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
set $path_info $fastcgi_path_info;
try_files $fastcgi_script_name =404;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $path_info;
fastcgi_param HTTPS on;
fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice
fastcgi_param front_controller_active true; # Enable pretty urls
fastcgi_pass php-handler;
fastcgi_intercept_errors on;
fastcgi_request_buffering off;
}
access_log /var/log/upload.__DOMAIN__-access.log;
error_log /var/log/upload.__DOMAIN__-error.log;
}
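Review bot: `Access-Control-Allow-Origin '*'` together with `Access-Control-Allow-Credentials 'true'` is rejected by browsers for credentialed requests, because the CORS spec requires an explicit origin when credentials are allowed; the `Authorization`-header uploads this vhost exists for will therefore fail preflight, so either drop the credentials header or echo a specific allowed origin. The port-80 server uses `upload.__XMPP_DOMAIN__` while every other line uses `upload.__DOMAIN__`, so a single substitution will miss it. The `.php` location with `front_controller_active` is copied from the Nextcloud config and looks out of place for a static upload root; confirm the upload component actually runs PHP here, otherwise the block exposes a PHP handler for no reason.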


@ -0,0 +1,132 @@
---------- Server-wide settings ----------
-- Settings in this section apply to the whole server and are the default settings
-- for any virtual hosts
-- This is a (by default, empty) list of accounts that are admins
-- for the server. Note that you must create the accounts separately
-- (see https://prosody.im/doc/creating_accounts for info)
-- Example: admins = { "user1@example.com", "user2@example.net" }
admins = { "admin@__DOMAIN__" }
-- Drop privileges
prosody_user = "_prosody"
prosody_group = "_prosody"
-- Enable POSIX-only options
pidfile = "/var/prosody/prosody.pid"
-- Enable use of libevent for better performance under high load
-- For more information see: https://prosody.im/doc/libevent
--use_libevent = true
-- Prosody will always look in its source directory for modules, but
-- this option allows you to specify additional locations where Prosody
-- will look for modules first. For community modules, see https://modules.prosody.im/
plugin_paths = { "/var/prosody/plugins" }
-- This is the list of modules Prosody will load on startup.
-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
modules_enabled = {
-- Generally required
"roster"; -- Allow users to have a roster. Recommended ;)
"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
"tls"; -- Add support for secure TLS on c2s/s2s connections
"dialback"; -- s2s dialback support
"disco"; -- Service discovery
-- Not essential, but recommended
"carbons"; -- Keep multiple clients in sync
"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
"bidi";
"private"; -- Private XML storage (for room bookmarks, etc.)
"blocklist"; -- Allow users to block communications with other users
"vcard4"; -- User profiles (stored in PEP)
--"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
"limits"; -- Enable bandwidth limiting for XMPP connections
"smacks";
-- Nice to have
"version"; -- Replies to server version requests
"uptime"; -- Report how long server has been running
"time"; -- Let others know the time here on this server
"ping"; -- Replies to XMPP pings with pongs
-- "register"; -- Allow users to register on this server using a client and change passwords
"mam"; -- Store messages in an archive and allow users to access it
"csi_simple"; -- Simple Mobile optimizations
-- HTTP modules
"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
"websocket"; -- XMPP over WebSockets
"http_files"; -- Serve static files from a directory over HTTP
-- Other specific functionality
"groups"; -- Shared roster support
"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
-- cloud notify
"cloud_notify";
"cloud_notify_extensions";
}
modules_disabled = {
}
allow_registration = false
-- Force clients to use encrypted connections? This option will
-- prevent clients from authenticating unless they are using encryption.
c2s_require_encryption = true
-- Force servers to use encrypted connections? This option will
-- prevent servers from authenticating unless they are using encryption.
s2s_require_encryption = true
-- Force certificate authentication for server-to-server connections?
s2s_secure_auth = false
-- Enable rate limits for incoming client and server connections
limits = {
c2s = {
rate = "100kb/s";
};
s2sin = {
rate = "300kb/s";
};
}
-- Select the authentication backend to use. The 'internal' providers
-- use Prosody's configured data storage to store the authentication data.
authentication = "internal_hashed"
-- Archiving configuration
archive_expires_after = "1w" -- Remove archived messages after 1 week
-- You can also configure messages to be stored in-memory only. For more
-- archiving options, see https://prosody.im/doc/modules/mod_mam
-- Logging configuration
-- For advanced logging see https://prosody.im/doc/logging
log = {
info = "/var/prosody/prosody.log"; -- Change 'info' to 'debug' for verbose logging
error = "/var/prosody/prosody.err";
}
-- Location of directory to find certificates in (relative to main config file):
certificates = "/var/prosody/"
-- WebSocket configuration (mod_websocket)
consider_websocket_secure = true
------ Components ------
-- You can specify components to add hosts that provide special services,
-- like multi-user conferences, and transports.
include "virtualHosts/*.conf"
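Review bot: `s2s_secure_auth = false` next to `s2s_require_encryption = true` means remote servers must use TLS but their certificates are never verified, so with `"dialback"` enabled any party that controls a domain's DNS can federate as that domain; this is a common trade-off for a small server, but it should be a deliberate one. Consider `s2s_secure_auth = true` and list the few peers with unverifiable certificates in `s2s_insecure_domains = { }` instead. `consider_websocket_secure = true` is only safe while the HTTP listeners are bound to localhost behind the TLS-terminating nginx (that binding is set in the virtual host file, not here); a comment such as `-- only valid while http_interfaces is localhost behind the TLS proxy` would stop this line being copied into a config where that no longer holds. `"http_files"` is enabled without an `http_files_dir` in this file; if the web client does not need it, dropping the module removes one more HTTP surface.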


@ -0,0 +1,141 @@
<?php
/*
PHP script to handle file uploads and downloads for Prosody's mod_http_upload_external
Tested with Apache 2.2+ and PHP 5.3+
** Why this script?
This script only allows uploads that have been authorized by mod_http_upload_external. It
attempts to make the upload/download as safe as possible, considering that there are *many*
security concerns involved with allowing arbitrary file upload/download on a web server.
With that said, I do not consider myself a PHP developer, and at the time of writing, this
code has had no external review. Use it at your own risk. I make no claims that this code
is secure.
** How to use?
Drop this file somewhere it will be served by your web server. Edit the config options below.
In Prosody set:
http_upload_external_base_url = "https://your.example.com/path/to/share.php/"
http_upload_external_secret = "this is your secret string"
** License
(C) 2016 Matthew Wild <mwild1@gmail.com>
Permission is hereby granted, free of charge, to any person obtaining a copy of this software
and associated documentation files (the "Software"), to deal in the Software without restriction,
including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense,
and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so,
subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial
portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
*/
/*\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\*/
/* CONFIGURATION OPTIONS */
/*\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\*/
/* Change this to a directory that is writable by your web server, but is outside your web root */
$CONFIG_STORE_DIR = '/xmpp-upload/__DOMAIN__/upload';
/* This must be the same as 'http_upload_external_secret' that you set in Prosody's config file */
$CONFIG_SECRET = "__xmpp_passphrase_for_filesuploads__" ;
/* For people who need options to tweak that they don't understand... here you are */
$CONFIG_CHUNK_SIZE = 4096;
/*\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\*/
/* END OF CONFIGURATION */
/*\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\*/
/* Do not edit below this line unless you know what you are doing (spoiler: nobody does) */
$upload_file_name = substr($_SERVER['PHP_SELF'], strlen($_SERVER['SCRIPT_NAME'])+1);
$store_file_name = $CONFIG_STORE_DIR . '/store-' . hash('sha256', $upload_file_name);
$request_method = $_SERVER['REQUEST_METHOD'];
/* Set CORS headers */
header('Access-Control-Allow-Methods: GET, PUT, OPTIONS');
header('Access-Control-Allow-Headers: Content-Type');
header('Access-Control-Max-Age: 7200');
header('Access-Control-Allow-Origin: *');
if(array_key_exists('v', $_GET) === TRUE && $request_method === 'PUT') {
$upload_file_size = $_SERVER['CONTENT_LENGTH'];
$upload_token = $_GET['v'];
$calculated_token = hash_hmac('sha256', "$upload_file_name $upload_file_size", $CONFIG_SECRET);
if(function_exists('hash_equals')) {
if(hash_equals($calculated_token, $upload_token) !== TRUE) {
error_log("Token mismatch: calculated $calculated_token got $upload_token");
header('HTTP/1.0 403 Forbidden');
exit;
}
}
else {
if($upload_token !== $calculated_token) {
error_log("Token mismatch: calculated $calculated_token got $upload_token");
header('HTTP/1.0 403 Forbidden');
exit;
}
}
/* Open a file for writing */
$store_file = fopen($store_file_name, 'x');
if($store_file === FALSE) {
header('HTTP/1.0 409 Conflict');
exit;
}
/* PUT data comes in on the stdin stream */
$incoming_data = fopen('php://input', 'r');
/* Read the data a chunk at a time and write to the file */
while ($data = fread($incoming_data, $CONFIG_CHUNK_SIZE)) {
fwrite($store_file, $data);
}
/* Close the streams */
fclose($incoming_data);
fclose($store_file);
// https://xmpp.org/extensions/xep-0363.html#upload
// A HTTP status Code of 201 means that the server is now ready to serve the file via the provided GET URL.
header('HTTP/1.0 201 Created');
exit;
} else if($request_method === 'GET' || $request_method === 'HEAD') {
// Send file (using X-Sendfile would be nice here...)
if(file_exists($store_file_name)) {
header('Content-Disposition: attachment');
header('Content-Type: application/octet-stream');
header('Content-Length: '.filesize($store_file_name));
header("Content-Security-Policy: \"default-src 'none'\"");
header("X-Content-Security-Policy: \"default-src 'none'\"");
header("X-WebKit-CSP: \"default-src 'none'\"");
if($request_method !== 'HEAD') {
readfile($store_file_name);
}
} else {
header('HTTP/1.0 404 Not Found');
}
} else if($request_method === 'OPTIONS') {
} else {
header('HTTP/1.0 400 Bad Request');
}
exit;
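Review bot: `$CONFIG_STORE_DIR = '/xmpp-upload/__DOMAIN__/upload'` sits under the `root /xmpp-upload/` of the upload vhost added in this same commit, although the comment directly above it asks for a directory outside the web root; a `GET /__DOMAIN__/upload/store-<sha256>` would then presumably be served by nginx as a static file (only `\.php` requests are routed to FastCGI in that vhost), bypassing the `Content-Disposition: attachment` and `Content-Security-Policy` headers this script sets for downloads of user-supplied content. Move the store outside `/xmpp-upload/`, or deny that path in nginx, so every download passes through this script. The rest of the file is upstream Prosody code whose `PUT` path binds file name and size into the HMAC token, so the local concerns are the store location and replacing the `$CONFIG_SECRET` placeholder with a long random value that matches `http_upload_external_secret`.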


@ -0,0 +1,100 @@
VirtualHost "__DOMAIN__"
enable = true
ssl = {
key = "/etc/prosody/certs/__DOMAIN__.key";
certificate = "/etc/prosody/certs/__DOMAIN__.crt";
-- Configuration Avancée
protocol = "tlsv1_2+";
dhparam = "/etc/prosody/certs/dh-2048.pem";
ciphers = "HIGH+kEECDH:!RSA:!SRP:!PSK:!3DES:!aNULL";
options = { cipher_server_preference = true, no_compression = true, cipher_server_preference = true };
}
archive_expires_after = "15d";
-- Discovery items
disco_items = {
{ "muc.__DOMAIN__" },
{ "pubsub.__DOMAIN__" },
{ "upload.__DOMAIN__" },
};
contact_info = {
abuse = { "mailto:abuse@__DOMAIN__", "xmpp:admin@__DOMAIN__" };
admin = { "mailto:root@$__DOMAIN__", "xmpp:admin@__DOMAIN__" };
};
-- BOSH configuration (mod_bosh)
consider_bosh_secure = true
cross_domain_bosh = true
bosh_ports = {
{
port = 5280;
path = "http-bind";
},
{
port = 5281;
path = "http-bind";
ssl = {
certificate = "/etc/prosody/certs/__DOMAIN__.crt";
key = "/etc/prosody/certs/__DOMAIN__.key";
}
}
}
http_ports = { 5280 }
http_interfaces = { "localhost" }
https_ports = { 5281 }
https_interfaces = { "localhost" }
https_ssl = {
certificate = "/etc/prosody/certs/__DOMAIN__.crt";
key = "/etc/prosody/certs/__DOMAIN__.key";
}
------ Components ------
-- You can specify components to add hosts that provide special services,
-- like multi-user conferences, and transports.
--Component "proxy.__DOMAIN__" "proxy65"
-- proxy65_address = ""
-- proxy65_acl = { "" }
Component "muc.__DOMAIN__" "muc"
name = "__DOMAIN__ Chatrooms"
modules_enabled = {
"muc_mam";
"muc_limits";
"muc_log";
"vcard_muc";
}
muc_log_by_default = true
muc_log_presences = false
log_all_rooms = false
muc_log_expires_after = "1w"
muc_log_cleanup_interval = 4 * 60 * 60
muc_event_rate = 0.5
muc_burst_factor = 10
room_default_config = {
logging = true,
persistent = true
};
---Set up a PubSub server
Component "pubsub.__DOMAIN__" "pubsub"
name = "__DOMAIN__ Publish/Subscribe"
unrestricted_node_creation = true -- Anyone can create a PubSub node (from any server)
---Set up a HTTP Upload service
Component "upload.__DOMAIN__" "http_upload_external"
name = "__DOMAIN__ Sharing Service"
http_upload_external_base_url = "https://upload.__DOMAIN__/share.php/"
http_upload_external_secret = "__xmpp_passphrase_for_filesuploads__"
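Review bot: `admin = { "mailto:root@$__DOMAIN__", ... }` has a stray `$` before the placeholder, so after substitution the advertised admin contact becomes `root@$domain.tld`; it should read `"mailto:root@__DOMAIN__"` like the abuse entry above it. `unrestricted_node_creation = true` on the pubsub component lets any user on any federated server create nodes on this host, which is a storage and abuse exposure; unless remote node creation is needed, remove the line so that only the host admins can create nodes. `cross_domain_bosh = true` accepts BOSH requests from every web origin; if only a known web client uses it, replace `true` with a list of that client's actual origins. The `options` table also repeats `cipher_server_preference = true`, which is harmless but should be deduplicated.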

17
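--- a/install_dolibarr.sh
+++ b/install_dolibarr.sh
@@ -0,0 +1,17 @@
+#!/bin/sh
+. ./myserver.conf
+configure_nginx_service(){
+cp default_configuration/dolibarr/nginx.conf.sample my_configuration/dolibarr/nginx.conf
+sed -i "s/__dolibarr_domain__/$dolibarr_domain/g" my_configuration/dolibarr/nginx.conf
+}
+install_configuration_files_dolibarr(){
+cp my_configuration/nextcloud/nginx.conf /etc/nginx/sites-available/$dolibarr_domain
+ln -s /etc/nginx/sites-available/$dolibarr_domain /etc/nginx/sites-enabled/$dolibarr_domain
+}
+configure_nginx_service
+install_configuration_files_dolibarr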
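Review bot: `install_configuration_files_dolibarr` copies `my_configuration/nextcloud/nginx.conf` into `/etc/nginx/sites-available/$dolibarr_domain`, so the Dolibarr vhost rendered by `configure_nginx_service` just above is never installed and the Nextcloud server block is published under the Dolibarr domain; the line should read `cp my_configuration/dolibarr/nginx.conf /etc/nginx/sites-available/$dolibarr_domain`. The script also sources `./myserver.conf` without checking that `dolibarr_domain` is set, and with an empty value both the `cp` and the `ln -s` target the `sites-available` directory itself; add `: "${dolibarr_domain:?dolibarr_domain must be set in myserver.conf}"` after the source line. Quoting the expansions as `"$dolibarr_domain"` would also keep a malformed value from being word-split into extra arguments.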

92
install_nextcloud.sh Executable file

@ -0,0 +1,92 @@
#!/bin/sh
. ./utils.sh
. ./myserver.conf
install_package_nextcloud()
{
pkg_add php-bz2-8.0.26 php-curl-8.0.26 php-gd-8.0.26 php-gmp-8.0.26 \
php-intl-8.0.26 php-pdo_pgsql-8.0.26 php-zip-8.0.26 \
pecl80-imagick-3.7.0p1 pecl80-redis-5.3.7p0 \
nextcloud-24.0.5
}
enable_nextlcoud_php_modules(){
#enable modules
ln -s /etc/php-8.0.sample/gd.ini /etc/php-8.0/gd.ini
ln -s /etc/php-8.0.sample/imagick.ini /etc/php-8.0/imagick.ini
ln -s /etc/php-8.0.sample/opcache.ini /etc/php-8.0/opcache.ini
ln -s /etc/php-8.0.sample/curl.ini /etc/php-8.0/curl.ini
ln -s /etc/php-8.0.sample/gmp.ini /etc/php-8.0/gmp.ini
ln -s /etc/php-8.0.sample/intl.ini /etc/php-8.0/intl.ini
ln -s /etc/php-8.0.sample/redis.ini /etc/php-8.0/redis.ini
ln -s /etc/php-8.0.sample/bz2.ini /etc/php-8.0/bz2.ini
ln -s /etc/php-8.0.sample/zip.ini /etc/php-8.0/zip.ini
ln -s /etc/php-8.0.sample/pdo_pgsql.ini /etc/php-8.0/pdo_pgsql.ini
restart_php_service
}
configure_nginx_service(){
cp default_configuration/nextcloud/nginx.conf.sample my_configuration/nextcloud/nginx.conf
sed -i "s/__nextcloud_domain__/$nextcloud_domain/g" my_configuration/nextcloud/nginx.conf
}
create_nextcloud_db(){
psql template1 postgres -c "CREATE USER $nextcloud_db_user WITH PASSWORD '$nextcloud_db_pass' CREATEDB ;"
psql template1 postgres -c "CREATE DATABASE $nextcloud_db_name TEMPLATE template1 ENCODING 'UTF8' ;"
psql template1 postgres -c "GRANT ALL PRIVILEGES ON DATABASE $nextcloud_db_name TO $nextcloud_db_user ;"
psql template1 postgres -c "GRANT ALL PRIVILEGES ON SCHEMA public TO $nextcloud_db_user ;"
}
install_configuration_files_nextcloud(){
cp my_configuration/nextcloud/nginx.conf /etc/nginx/sites-available/$nextcloud_domain
ln -s /etc/nginx/sites-available/$nextcloud_domain /etc/nginx/sites-enabled/$nextcloud_domain
}
check_services_for_nextlcoud()
{
check_webserver_service
check_redis_service
check_php_service
check_postgresql_service
}
install_nextcloud(){
cp -v my_configuration/nextcloud/custom.config.php /var/www/nextcloud/config/
cd /var/www/nextcloud
touch config/CAN_INSTALL