diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..0e7df7e
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+my_configuration/*
diff --git a/add_domain_with_acme.sh b/add_domain_with_acme.sh
new file mode 100755
index 0000000..542c337
--- /dev/null
+++ b/add_domain_with_acme.sh
@@ -0,0 +1,95 @@ +#!/bin/sh + + +gen_nginx_acme_conf(){ + domain=$1 + alt_domain=$2 + nginx_run=`rcctl check nginx` + + if [ "$nginx_run" == "nginx(ok)" ]; then + cat > test/$domain <> my_configuration/ssl/$domain-acme-client.conf <> my_configuration/ssl/$domain-acme-client.conf < /tmp/doas.conf + cat >> /tmp/doas.conf < /var/cron/tabs/_pfbadhost < my_configuration/pf.conf < persist file "/etc/pf-badhost.txt" +table persist + +## Table pour les batards de bruteforceurs +table persist + + +set block-policy drop # bloque silencieusement +set skip on lo # En local on s'en fou on surveille rien +set limit table-entries 400000 +set limit states 100000 + + + +## Traitement des paquets ## +# Paquets partiels on vire +match all scrub (max-mss 1440 no-df random-id reassemble tcp) +antispoof quick for egress # Protection vol d'ip +antispoof quick for lo0 # Protection vol d'ip + +# Port build user does not need network +block return out log proto {tcp udp} user _pbuild + +# On bloque tout par défault +block + +block quick on egress from +block in from +block log quick from label "brutes" + +pass out on egress proto { tcp udp icmp ipv6-icmp } modulate state + +EOF + +} + +set_open_service(){ + cat >> my_configuration/pf.conf <> default_configuration/pf.conf + fi + + if [ "$SERVICE_XMPP" == "yes" ]; then + echo "xmmp_ports = \"{ 5222 5269 }\"" >> default_configuration/pf.conf + fi + + echo "ssh_port = \"$SSH_PORT\"" >> default_configuration/pf.conf + + cat >> my_configuration/pf.conf < flush global) + +#web +pass in on egress proto tcp to port \$web_ports modulate state \\ + (max-src-conn 60, max-src-conn-rate 60/1, overload flush global) + +EOF + + if [ "$SERVICE_MAIL" == "yes" ]; then + cat >> my_configuration/pf.conf < flush global) +pass out log on egress proto tcp to any port smtp + +EOF + fi + + if [ "$SERVICE_XMPP" == "yes" ]; then + cat >> my_configuration/pf.conf < flush global) +EOF + fi + +} + +install_pf_and_enable(){ + pfctl -nf my_configuration/pf.conf + if [ $? 
== 0 ]; then + cp -v /etc/pf.conf /etc/pf.old + cp -v my_configuration/pf.conf /etc/pf.conf + pfctl -f /etc/pf.conf + else + echo "Il y a un problème dans la configuration du firewall" + fi + +} + +set_basic_configuration +set_open_service diff --git a/configure_mail_service.sh b/configure_mail_service.sh new file mode 100755 index 0000000..2d13e02 --- /dev/null +++ b/configure_mail_service.sh @@ -0,0 +1,283 @@ +#!/bin/sh + +. ./myserver.conf +. ./utils.sh + +install_mails_services_pkg() +{ + pkg_add dovecot dovecot-pigeonhole opensmtpd-filter-rspamd \ + opensmtpd-extras-6.7.1v0 opensmtpd-filter-dkimsign-0.5 rspamd-3.2 +} + +gen_mails_service_configuration() +{ + + #Generate opensmtpd configuration + cat > my_configuration/mail/smtpd.conf < filter dkimsign + +action "local_mail" mbox alias +action "domain_mail" maildir "/var/vmail/$DOMAIN/%{dest.user:lowercase}" virtual +action "outbound" relay + + +# Uncomment the following to accept external mail for domain "example.org" +match from any for domain "$DOMAIN" action "domain_mail" +match from local for local action "local_mail" + +match auth from any for any action "outbound" + +EOF + + #Generate spamd configuration + cat > my_configuration/mail/spamd.conf < my_configuration/dovecot/local.conf < default_configuration/mail/$DOMAIN-public.key + +} + +install_dovecot_service_antispam() +{ + # Add antispam utils for Dovecot + cd /usr/local/lib/dovecot/sieve + + cat > report-ham.sieve < report-spam.sieve < sa-learn-ham.sh< sa-learn-spam.sh<> /etc/login.conf < ((php_sapi_name() == 'cli') ? '/var/www' : '') . '/nextcloud/data', +); diff --git a/default_configuration/nextcloud/nginx.conf.sample b/default_configuration/nextcloud/nginx.conf.sample new file mode 100644 index 0000000..2b5a866 --- /dev/null +++ b/default_configuration/nextcloud/nginx.conf.sample 
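Review bot: In `set_open_service` the pf macros are appended to the wrong file: `echo "ssh_port = \"$SSH_PORT\"" >> default_configuration/pf.conf` (and the two redirects before it in the `SERVICE_MAIL`/`SERVICE_XMPP` branches) write into `default_configuration/pf.conf`, while the rules that reference those macros are appended with `cat >> my_configuration/pf.conf` and `install_pf_and_enable` validates and loads only `my_configuration/pf.conf`, so `pfctl -nf` will reject the ruleset for undefined macros. The macro is also misspelled `xmmp_ports` where `default_configuration/pf.conf` uses `xmpp_ports`. Point all three `echo` lines at `my_configuration/pf.conf` and fix the spelling. The heredoc bodies are missing from this rendering so the generated rule text itself could not be checked; separately, `> /tmp/doas.conf` is a fixed, predictable path written by a privileged script, where `mktemp` is the safer pattern.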
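Review bot: `cd /usr/local/lib/dovecot/sieve` in `install_dovecot_service_antispam` is unchecked, so if that directory does not exist the following `cat > report-ham.sieve`, `cat > report-spam.sieve`, `cat > sa-learn-ham.sh` and `cat > sa-learn-spam.sh` land in whatever the caller's working directory is; make it `cd /usr/local/lib/dovecot/sieve || exit 1`. `pkg_add dovecot dovecot-pigeonhole opensmtpd-filter-rspamd opensmtpd-extras-6.7.1v0 opensmtpd-filter-dkimsign-0.5 rspamd-3.2` pins package versions that exist in a single release's package set, and with `#!/bin/sh`, no `set -e` and no status check the script continues past a failed `pkg_add` into the configuration steps; a comment naming the targeted OpenBSD release, or dropping the version suffixes plus `|| exit 1`, would make the failure explicit. The heredoc bodies of this hunk are not visible in this rendering, so the generated smtpd, rspamd and dovecot configuration could not be reviewed.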
@@ -0,0 +1,153 @@
+
+server {
+ listen 80;
+ server_name __nextcloud_domain__;
+
+ include snippets/acme-challenge.conf;
+
+ return 301 https://$http_host$request_uri;
+
+ root /htdocs/;
+
+}
+
+server {
+ listen 443 ssl http2;
+ server_name __nextcloud_domain__;
+
+
+ ssl_certificate /etc/ssl/__nextcloud_domain__.crt;
+ ssl_certificate_key /etc/ssl/private/__nextcloud_domain__.key;
+
+ include snippets/secure-ssl.conf;
+
+ include snippets/acme-challenge.conf;
+ # set max upload size
+ client_max_body_size 4096M;
+ fastcgi_buffers 64 4K;
+
+ # Enable gzip but do not remove ETag headers
+ gzip on;
+ gzip_vary on;
+ gzip_comp_level 4;
+ gzip_min_length 256;
+ gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
+ gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+
+ add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
+ add_header X-Frame-Options "SAMEORIGIN" "always";
+ # Pagespeed is not supported by Nextcloud, so if your server is built
+ # with the `ngx_pagespeed` module, uncomment this line to disable it.
+ # pagespeed off;
+ add_header X-Content-Type-Options "nosniff";
+ # HTTP response headers borrowed from Nextcloud `.htaccess`
+ add_header Referrer-Policy "no-referrer" always;
+ add_header X-Download-Options "noopen" always;
+ add_header X-Permitted-Cross-Domain-Policies "none" always;
+ add_header X-Robots-Tag "none" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+
+
+
+ # Remove X-Powered-By, which is an information leak
+ fastcgi_hide_header X-Powered-By;
+
+
+# Specify how to handle directories -- specifying `/index.php$request_uri`
+ # here as the fallback means that Nginx always exhibits the desired behaviour
+ # when a client requests a path that corresponds to a directory that exists
+ # on the server. In particular, if that directory contains an index.php file,
+ # that file is correctly served; if it doesn't, then the request is passed to
+ # the front-end controller. This consistent behaviour means that we don't need
+ # to specify custom rules for certain paths (e.g. images and other assets,
+ # `/updater`, `/ocm-provider`, `/ocs-provider`), and thus
+ # `try_files $uri $uri/ /index.php$request_uri`
+ # always provides the desired behaviour.
+ index index.php index.html /index.php$request_uri;
+
+
+
+
+# Rule borrowed from `.htaccess` to handle Microsoft DAV clients
+ location = / {
+ if ( $http_user_agent ~ ^DavClnt ) {
+ return 302 /remote.php/webdav/$is_args$args;
+ }
+ }
+
+ location = /robots.txt {
+ allow all;
+ log_not_found off;
+ access_log off;
+ }
+
+ # Make a regex exception for `/.well-known` so that clients can still
+ # access it despite the existence of the regex rule
+ # `location ~ /(\.|autotest|...)` which would otherwise handle requests
+ # for `/.well-known`.
+
+
+
+location ^~ /.well-known {
+ # The rules in this block are an adaptation of the rules
+ # in `.htaccess` that concern `/.well-known`.
+ location = /.well-known/carddav { return 301 /remote.php/dav/; }
+ location = /.well-known/caldav { return 301 /remote.php/dav/; }
+
+
+ # Let Nextcloud's API for `/.well-known` URIs handle all other
+ # requests by passing them to the front-end controller.
+ return 301 /index.php$request_uri;
+}
+ # Rules borrowed from `.htaccess` to hide certain paths from clients
+ location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; }
+ location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; }
+
+ # Ensure this block, which passes PHP files to the PHP process, is above the blocks
+ # which handle static assets (as seen below). If this block is not declared first,
+ # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
+ # to the URI, resulting in a HTTP 500 error response.
+ location ~ \.php(?:$|/) {
+ fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+ set $path_info $fastcgi_path_info;
+
+ try_files $fastcgi_script_name =404;
+
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_param PATH_INFO $path_info;
+ fastcgi_param HTTPS on;
+
+ fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice
+ fastcgi_param front_controller_active true; # Enable pretty urls
+ fastcgi_pass php-handler;
+
+ fastcgi_intercept_errors on;
+ fastcgi_request_buffering off;
+ }
+
+ location ~ \.(?:css|js|svg|gif)$ {
+ try_files $uri /index.php$request_uri;
+ expires 6M; # Cache-Control policy borrowed from `.htaccess`
+ access_log off; # Optional: Don't log access to assets
+ }
+
+ location ~ \.woff2?$ {
+ try_files $uri /index.php$request_uri;
+ expires 7d; # Cache-Control policy borrowed from `.htaccess`
+ access_log off; # Optional: Don't log access to assets
+ }
+
+ # Rule borrowed from `.htaccess`
+ location /remote {
+ return 301 /remote.php$request_uri;
+ }
+
+ location / {
+ try_files $uri $uri/ /index.php$request_uri;
+ }
+
+
+ root 
/nextcloud;
+}
+
diff --git a/default_configuration/nginx/snippets/acme-challenge.conf b/default_configuration/nginx/snippets/acme-challenge.conf
new file mode 100644
index 0000000..2b1df8a
--- /dev/null
+++ b/default_configuration/nginx/snippets/acme-challenge.conf
@@ -0,0 +1,5 @@
+location ^~ /.well-known/acme-challenge/ {
+ rewrite ^/.well-known/acme-challenge/(.*) /$1 break;
+ default_type "text/plain";
+ root /acme;
+}
diff --git a/default_configuration/nginx/snippets/secure-headers.conf b/default_configuration/nginx/snippets/secure-headers.conf
new file mode 100644
index 0000000..5bf09bf
--- /dev/null
+++ b/default_configuration/nginx/snippets/secure-headers.conf
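Review bot: In the port-80 `server` block the server-level `return 301 https://$http_host$request_uri;` is executed in nginx's server rewrite phase, before any location is matched, so the `location ^~ /.well-known/acme-challenge/` brought in by the `include snippets/acme-challenge.conf;` just above it can never be reached over plain HTTP; `default_configuration/pywallter/nginx.conf.sample` and `default_configuration/xmpp/nginx.conf.sample` have the same layout. ACME validators that follow the redirect and tolerate whatever certificate the 443 block presents will still be served by that block's copy of the snippet, but first issuance then rests on validator behaviour rather than on this configuration; moving the redirect into `location / { return 301 https://$http_host$request_uri; }` keeps the challenge path reachable on port 80. Also `Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;"` asks for `preload` with a six-month max-age, while the preload list requires at least one year (`max-age=31536000`, which `snippets/secure-headers.conf` already uses), and carries a stray trailing `;` inside the value; either drop `preload` or raise the max-age, and remove the trailing separator.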
@@ -0,0 +1,35 @@
+# Ajout HSTS header
+# Appliquer une durée de plus d'une semaine pour obtenir A+ sur ssl-labs
+add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; # duration=365days
+# add_header Strict-Transport-Security "max-age=0; includeSubDomains"; # Désactive HSTS
+
+
+# Ajoute gzip mais n'enleve pas les ETag headers
+gzip on;
+gzip_vary on;
+gzip_comp_level 4;
+gzip_min_length 256;
+gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
+gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+
+
+
+
+
+# Pagespeed is not supported by Nextcloud, so if your server is built
+# with the ngx_pagespeed module, uncomment this line to disable it.
+# pagespeed off;
+
+add_header Referrer-Policy "no-referrer" always;
+add_header X-Content-Type-Options "nosniff";
+add_header X-Download-Options "noopen" always;
+add_header X-Frame-Options "SAMEORIGIN";
+add_header X-Permitted-Cross-Domain-Policies "none" always;
+add_header X-Robots-Tag "none" always;
+add_header X-XSS-Protection "1; mode=block" always;
+add_header Content-Security-Policy "upgrade-insecure-requests";
+add_header Content-Security-Policy-Report-Only " default-src https: data: 'unsafe-inline' 'unsafe-eval'";
+
+
+# Remove X-Powered-By, which is an information leak
+fastcgi_hide_header X-Powered-By;
diff --git a/default_configuration/nginx/snippets/secure-ssl.conf b/default_configuration/nginx/snippets/secure-ssl.conf
new file mode 100644
index 0000000..e292ebe
--- /dev/null
+++ b/default_configuration/nginx/snippets/secure-ssl.conf
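Review bot: `add_header X-Content-Type-Options "nosniff";` and `add_header X-Frame-Options "SAMEORIGIN";` lack the `always` flag that every neighbouring `add_header` line carries, so nginx omits those two headers on error responses (without `always`, `add_header` applies only to 200, 201, 204, 206, 301, 302, 303, 304, 307 and 308); change them to `add_header X-Content-Type-Options "nosniff" always;` and `add_header X-Frame-Options "SAMEORIGIN" always;`. A header comment on the snippet is also worth adding, noting that nginx inherits `add_header` into a nested `location` only if that location declares no `add_header` of its own, so any vhost that adds a header inside a `location` silently loses this whole set there; the vhosts in this commit add their extra headers at `server` level, where they merge, so none is affected today.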
@@ -0,0 +1,21 @@
+ssl_dhparam /etc/nginx/dhparam.pem;
+ssl_protocols TLSv1.2 TLSv1.3; # Score=100
+
+# ssl ciphers list
+ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 +SHA !aNULL !eNULL !LOW !kECDH !DSS !MD5 !RC4 !EXP !PSK !SRP !CAMELLIA !SEED'; # Score=90 (recommended because more compatible)
+# ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL; # Score=100
+
+# to ensure that the best possible cipher is always included over the weaker ones, chosen from the above order
+ssl_prefer_server_ciphers on;
+
+
+# OCSP stapling
+ssl_stapling on; # allow Nginx to send OCSP results during the connection process
+ssl_stapling_verify on;
+resolver 80.67.169.12 80.67.169.40 valid=300s;
+resolver_timeout 10s;
+
+# Speeds things up a little bit when resuming a session
+ssl_session_timeout 5m;
+ssl_session_cache shared:SSL:5m;
+
diff --git a/default_configuration/pf.conf b/default_configuration/pf.conf
new file mode 100644
index 0000000..39a2288
--- /dev/null
+++ b/default_configuration/pf.conf
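Review bot: The OCSP stapling block resolves responder names through two hard-coded third-party recursive resolvers (`resolver 80.67.169.12 80.67.169.40 valid=300s;`) over plain DNS, so certificate-status fetches for every vhost that includes this snippet depend on an external party and are visible along that path; a comment recording why these were chosen is needed, and a local caching resolver (`resolver 127.0.0.1 valid=300s;`) is the usual choice on a host that already runs one. `ssl_stapling_verify on;` also needs the issuer chain available for verification — nginx documents `ssl_trusted_certificate` for this — and neither the snippet nor the including vhosts set it, so stapling may be silently skipped with only a warning in the error log; worth a comment and a post-deploy check with `openssl s_client -status`. Lastly, the cipher string's `+SHA` keeps SHA-1 HMAC CBC suites enabled on TLS 1.2, which only the `# Score=90` remark hints at; a comment such as `# +SHA kept deliberately for client compatibility; remove to drop CBC/SHA-1 suites` would make the trade-off explicit to the next maintainer.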
@@ -0,0 +1,59 @@
+#Filtres badhosts et sshguard
+table persist file "/etc/pf-badhost.txt"
+table persist
+
+## Table pour les batards de bruteforceurs
+table persist
+
+
+set block-policy drop # bloque silencieusement
+set skip on lo # En local on s'en fou on surveille rien
+set limit table-entries 400000
+set limit states 100000
+
+
+
+## Traitement des paquets ##
+# Paquets partiels on vire
+match all scrub (max-mss 1440 no-df random-id reassemble tcp)
+antispoof quick for egress # Protection vol d'ip
+antispoof quick for lo0 # Protection vol d'ip
+
+# Port build user does not need network
+block return out log proto {tcp udp} user _pbuild
+
+# On bloque tout par défault
+block
+
+block quick on egress from
+block in from
+block log quick from label "brutes"
+
+pass out on egress proto { tcp udp icmp ipv6-icmp } modulate state
+
+#déclaration des variables
+web_ports = "{ http https }"
+mail_ports = "{ smtp submission imap }"
+xmpp_ports = "{ 5222 5269 }"
+ssh_port = "42420"
+
+## Anti bruteforce
+### SSH
+#### Limite à 5 connexions simultanne par IP source
+#### Limite à 15 tentatives de connexion toutes les 5 minutes
+pass in on egress proto tcp to port $ssh_port modulate state \
+ (max-src-conn 5, max-src-conn-rate 15/5, overload flush global)
+
+#web
+pass in on egress proto tcp to port $web_ports modulate state \
+ (max-src-conn 60, max-src-conn-rate 60/1, overload flush global)
+
+# mails
+## antispam
+pass in on egress proto tcp to port $mail_ports modulate state \
+ (max-src-conn-rate 20/5, overload flush global)
+pass out log on egress proto tcp to any port smtp
+
+# XMPP
+pass in on egress proto tcp to port $xmpp_ports modulate state \
+ (max-src-conn 15, max-src-conn-rate 15/5, overload flush global)
diff --git a/default_configuration/php/nginx-php-enabled.conf b/default_configuration/php/nginx-php-enabled.conf
new file mode 100644
index 0000000..da06933
--- /dev/null
+++ b/default_configuration/php/nginx-php-enabled.conf
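Review bot: The second table rule, `block in from` (the `<table>` names between angle brackets are lost in this rendering), has no `quick`, and pf applies the last matching rule, so the later `pass in on egress proto tcp to port $ssh_port ...`, `$web_ports`, `$mail_ports` and `$xmpp_ports` rules match after it and let hosts in that table straight through to every exposed service. The bad-host rule on the line above (`block quick on egress from`) and the brute-force rule below (`block log quick from ... label "brutes"`) both use `quick`, so the consistent fix is `block in quick from <TABLE-NAME>` with the table this line was written for. A one-line comment above the three block rules stating that `quick` is what makes them win over the later `pass in` rules would stop the omission from recurring.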
@@ -0,0 +1,4 @@
+
+upstream php-handler {
+ server unix:/run/php-fpm.sock;
+}
diff --git a/default_configuration/php/php-8.0.ini b/default_configuration/php/php-8.0.ini
new file mode 100644
index 0000000..b1a2414
--- /dev/null
+++ b/default_configuration/php/php-8.0.ini
@@ -0,0 +1,189 @@
+[PHP]
+;;;;;;;;;;;;;;;;;;;
+; Quick Reference ;
+;;;;;;;;;;;;;;;;;;;
+;;;;;;;;;;;;;;;;;;;;
+; Language Options ;
+;;;;;;;;;;;;;;;;;;;;
+engine = On
+short_open_tag = Off
+precision = 14
+output_buffering = 4096
+zlib.output_compression = Off
+implicit_flush = Off
+unserialize_callback_func =
+serialize_precision = -1
+disable_functions =
+disable_classes =
+zend.enable_gc = On
+zend.exception_ignore_args = On
+zend.exception_string_param_max_len = 0
+
+;;;;;;;;;;;;;;;;;
+; Miscellaneous ;
+;;;;;;;;;;;;;;;;;
+expose_php = Off
+;;;;;;;;;;;;;;;;;;;
+; Resource Limits ;
+;;;;;;;;;;;;;;;;;;;
+
+max_execution_time = 30
+max_input_time = 60
+memory_limit = 2048M
+error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
+display_errors = Off
+display_startup_errors = Off
+log_errors = On
+log_errors_max_len = 1024
+ignore_repeated_errors = Off
+ignore_repeated_source = Off
+report_memleaks = On
+;;;;;;;;;;;;;;;;;
+; Data Handling ;
+;;;;;;;;;;;;;;;;;
+
+variables_order = "GPCS"
+request_order = "GP"
+register_argc_argv = Off
+auto_globals_jit = On
+post_max_size = 8M
+auto_prepend_file =
+auto_append_file =
+default_mimetype = "text/html"
+default_charset = "UTF-8"
+;;;;;;;;;;;;;;;;;;;;;;;;;
+; Paths and Directories ;
+;;;;;;;;;;;;;;;;;;;;;;;;;
+; UNIX: "/path1:/path2"
+include_path = ".:/pear/lib:/var/www/pear/lib"
+doc_root =
+user_dir =
+extension_dir = "/usr/local/lib/php-8.0/modules"
+enable_dl = Off
+
+;;;;;;;;;;;;;;;;
+; File Uploads ;
+;;;;;;;;;;;;;;;;
+file_uploads = On
+upload_max_filesize = 2048M
+max_file_uploads = 20
+
+;;;;;;;;;;;;;;;;;;
+; Fopen wrappers ;
+;;;;;;;;;;;;;;;;;;
+allow_url_fopen = Off
+allow_url_include = Off
+default_socket_timeout = 60
+
+;;;;;;;;;;;;;;;;;;;
+; Module Settings ;
+;;;;;;;;;;;;;;;;;;;
+
+[CLI Server]
+; Whether the CLI web server uses ANSI color coding in its terminal output.
+cli_server.color = On
+
+[Date]
+; Defines the default timezone used by the date functions
+; http://php.net/date.timezone
+date.timezone = UTC
+
+[mail function]
+SMTP = localhost
+; http://php.net/smtp-port
+smtp_port = 25
+mail.add_x_header = Off
+
+[ODBC]
+odbc.allow_persistent = On
+odbc.check_persistent = On
+odbc.max_persistent = -1
+odbc.max_links = -1
+odbc.defaultlrl = 4096
+odbc.defaultbinmode = 1
+
+[PostgreSQL]
+; Allow or prevent persistent links.
+; http://php.net/pgsql.allow-persistent
+pgsql.allow_persistent = On
+
+; Detect broken persistent links always with pg_pconnect().
+; Auto reset feature requires a little overheads.
+; http://php.net/pgsql.auto-reset-persistent
+pgsql.auto_reset_persistent = Off
+
+; Maximum number of persistent links. -1 means no limit.
+; http://php.net/pgsql.max-persistent
+pgsql.max_persistent = -1
+
+; Maximum number of links (persistent+non persistent). -1 means no limit.
+; http://php.net/pgsql.max-links
+pgsql.max_links = -1
+
+; Ignore PostgreSQL backends Notice message or not.
+; Notice message logging require a little overheads.
+; http://php.net/pgsql.ignore-notice
+pgsql.ignore_notice = 0
+
+; Log PostgreSQL backends Notice message or not.
+; Unless pgsql.ignore_notice=0, module cannot log notice message.
+; http://php.net/pgsql.log-notice
+pgsql.log_notice = 0
+
+[bcmath]
+; Number of decimal digits for all bcmath functions.
+; http://php.net/bcmath.scale
+bcmath.scale = 0
+
+[Session]
+; Handler used to store/retrieve data.
+; http://php.net/session.save-handler
+session.save_handler = files
+session.use_cookies = 1
+session.use_only_cookies = 1
+session.name = PHPSESSID
+session.auto_start = 0
+session.cookie_lifetime = 0
+session.cookie_path = /
+session.cookie_domain =
+session.cookie_httponly =
+session.cookie_samesite =
+session.serialize_handler = php
+session.gc_probability = 1
+session.gc_divisor = 1000
+session.gc_maxlifetime = 1440
+session.referer_check =
+session.cache_limiter = nocache
+session.cache_expire = 180
+session.use_trans_sid = 0
+session.sid_length = 26
+session.trans_sid_tags = "a=href,area=href,frame=src,form="
+session.sid_bits_per_character = 5
+
+[Assertion]
+zend.assertions = -1
+
+[Tidy]
+tidy.clean_output = Off
+
+[soap]
+soap.wsdl_cache_enabled=1
+soap.wsdl_cache_dir="/tmp"
+soap.wsdl_cache_ttl=86400
+soap.wsdl_cache_limit = 5
+
+[ldap]
+; Sets the maximum number of open links or -1 for unlimited.
+ldap.max_links = -1
+
+[opcache]
+; Determines if Zend OPCache is enabled
+opcache.enable=1
+opcache.enable_cli=1
+opcache.interned_strings_buffer=8
+opcache.max_accelerated_files=10000
+opcache.memory_consumption=128
+opcache.save_comments=1
+opcache.revalidate_freq=1
+
+
diff --git a/default_configuration/php/php-fpm.conf b/default_configuration/php/php-fpm.conf
new file mode 100644
index 0000000..836c106
--- /dev/null
+++ b/default_configuration/php/php-fpm.conf
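Review bot: `post_max_size = 8M` caps the entire request body at 8 MB while `upload_max_filesize = 2048M` and the Nextcloud vhost's `client_max_body_size 4096M` are sized for multi-gigabyte uploads, so any upload above 8 MB is discarded before PHP ever sees the file; raise it to at least the upload limit, `post_max_size = 2048M`. `session.cookie_httponly =` is left empty, which PHP treats as off, in a file otherwise tuned for a single web application; `session.cookie_httponly = 1` is the hardened value and presumably costs nothing here since Nextcloud sets its own cookie flags — confirm against the application before flipping it. `allow_url_fopen = Off` is a deliberate hardening choice but Nextcloud's own setup checks are understood to expect it enabled; a comment such as `; disabled on purpose: re-enable if the app store / federation checks complain` would record the intent either way.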
@@ -0,0 +1,29 @@
+;;;;;;;;;;;;;;;;;;;;;
+; FPM Configuration ;
+;;;;;;;;;;;;;;;;;;;;;
+[global]
+error_log = log/php-fpm.log
+;;;;;;;;;;;;;;;;;;;;
+; Pool Definitions ;
+;;;;;;;;;;;;;;;;;;;;
+include=/etc/php-fpm.d/*.conf
+[www]
+user = www
+group = www
+listen = /var/www/run/php-fpm.sock
+listen.owner = www
+listen.group = www
+listen.mode = 0660
+pm = dynamic
+pm.max_children = 5
+pm.start_servers = 2
+pm.min_spare_servers = 1
+pm.max_spare_servers = 3
+chroot = /var/www
+env[HOSTNAME] = $HOSTNAME
+env[PATH] = /usr/local/bin:/usr/bin:/bin
+env[TMP] = /tmp
+env[TMPDIR] = /tmp
+env[TEMP] = /tmp
+
+
diff --git a/default_configuration/postgresql/pg_hba.conf b/default_configuration/postgresql/pg_hba.conf
new file mode 100644
index 0000000..4496afe
--- /dev/null
+++ b/default_configuration/postgresql/pg_hba.conf
@@ -0,0 +1,18 @@
+# TYPE DATABASE USER ADDRESS METHOD
+
+
+local all postgres trust
+# "local" is for Unix domain socket connections only
+#local all all md5
+# IPv4 local connections:
+host all all 127.0.0.1/32 scram-sha-256
+
+
+# IPv6 local connections:
+host all all ::1/128 scram-sha-256
+# Allow replication connections from localhost, by a user with the
+# replication privilege.
+local replication all scram-sha-256
+host replication all 127.0.0.1/32 scram-sha-256
+host replication all ::1/128 scram-sha-256
+
diff --git a/default_configuration/pywallter/nginx.conf.sample b/default_configuration/pywallter/nginx.conf.sample
new file mode 100644
index 0000000..21554be
--- /dev/null
+++ b/default_configuration/pywallter/nginx.conf.sample
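Review bot: `local all postgres trust` lets any local OS account open a superuser session over the Unix socket with no credential check at all, because `trust` authenticates unconditionally; on a host that also runs the `www`, `_prosody` and mail service accounts this is a direct local escalation into the database. Use `local all postgres peer` so only the OS account matching the database role (or one mapped via `map=`) can use it, and keep `scram-sha-256` for the other rules as the file already does. The rest of the file is consistent: every `host` rule is restricted to loopback.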
@@ -0,0 +1,47 @@
+server {
+ listen 80;
+ server_name __pywallter_domain__;
+
+ #Ajout pour les certificats letsencrypt
+ include snippets/acme-challenge.conf;
+
+ return 301 https://$http_host$request_uri;
+
+ root /html/;
+
+}
+
+server {
+ listen 443 ssl http2;
+ server_name __pywallter_domain__;
+
+
+ ssl_certificate /etc/ssl/__pywallter_domain__.crt;
+ ssl_certificate_key /etc/ssl/private/__pywallter_domain__.key;
+
+ #Ajout d'une configuration ssl securise
+ include snippets/secure-ssl.conf;
+
+ # Speeds things up a little bit when resuming a session
+ # ssl_session_timeout 5m;
+ # ssl_session_cache shared:SSL:5m;
+
+ # Ajout pour le certificat letsencrypt
+ include snippets/acme-challenge.conf;
+
+ # Ajout pour securiser les headers
+ include snippets/secure-headers.conf;
+ client_max_body_size 100M;
+
+ location / {
+ proxy_pass http://127.0.0.1:8000/;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Forwarded-Prefix /;
+ }
+
+ # Path to the root of your installation
+ root /html/;
+
+}
diff --git a/default_configuration/pywallter/pywallter.rc b/default_configuration/pywallter/pywallter.rc
new file mode 100755
index 0000000..cd19aed
--- /dev/null
+++ b/default_configuration/pywallter/pywallter.rc
@@ -0,0 +1,16 @@
+#!/bin/ksh
+
+daemon="/usr/local/bin/python3"
+daemon_flags="wsgi.py"
+daemon_user="pywallter"
+location="/home/pywallter/pywallter"
+
+. /etc/rc.d/rc.subr
+
+rc_start() {
+ ${rcexec} "cd ${location}; ${daemon} ${daemon_flags}"
+}
+
+rc_bg=YES
+rc_cmd $1
+
diff --git a/default_configuration/xmpp/nginx.conf.sample b/default_configuration/xmpp/nginx.conf.sample
new file mode 100644
index 0000000..8319ac1
--- /dev/null
+++ b/default_configuration/xmpp/nginx.conf.sample
@@ -0,0 +1,59 @@
+server {
+ listen 80;
+ listen [::]:80;
+ server_name upload.__XMPP_DOMAIN__ ;
+
+ include snippets/acme-challenge.conf;
+
+ return 301 https://$http_host$request_uri;
+
+ access_log /var/log/upload.__DOMAIN__-access.log;
+ error_log /var/log/upload.__DOMAIN__-error.log;
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name upload.__DOMAIN__;
+
+ ssl_certificate /etc/ssl/upload.__DOMAIN__.crt;
+ ssl_certificate_key /etc/ssl/private/upload.__DOMAIN__.key;
+ root /xmpp-upload/;
+
+ include snippets/secure-ssl.conf;
+
+ include snippets/secure-headers.conf;
+ #custom headers
+ add_header 'Access-Control-Allow-Origin' '*';
+ add_header 'Access-Control-Allow-Methods' 'HEAD, GET, PUT, OPTIONS';
+ add_header 'Access-Control-Allow-Headers' 'Authorization';
+ add_header 'Access-Control-Allow-Credentials' 'true';
+ add_header x-robots-tag "noindex, follow";
+ client_max_body_size 105M; # Choose a value a bit higher than the max upload configured in XMPP server
+
+# add_header Strict-Transport-Security " max-age=63072000; includeSubDomains; preload";
+
+
+ include snippets/acme-challenge.conf;
+ location ~ \.php(?:$|/) {
+ fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+ set $path_info $fastcgi_path_info;
+
+ try_files $fastcgi_script_name =404;
+
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_param PATH_INFO $path_info;
+ fastcgi_param HTTPS on;
+
+ fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice
+ fastcgi_param front_controller_active true; # Enable pretty urls
+ fastcgi_pass php-handler;
+
+ fastcgi_intercept_errors on;
+ fastcgi_request_buffering off;
+ }
+
+ access_log /var/log/upload.__DOMAIN__-access.log;
+ error_log /var/log/upload.__DOMAIN__-error.log;
+}
diff --git a/default_configuration/xmpp/prosody.cfg.lua.example b/default_configuration/xmpp/prosody.cfg.lua.example
new file mode 100644
index 0000000..e46e5fd
--- /dev/null
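Review bot: The port-80 block uses `server_name upload.__XMPP_DOMAIN__ ;` while the 443 block and all four log paths use `upload.__DOMAIN__`, so whichever placeholder the templating step substitutes, the other is left literal and one of the two vhosts never matches a real hostname; settle on `server_name upload.__DOMAIN__;` (also dropping the stray space before `;`). `add_header 'Access-Control-Allow-Origin' '*';` combined with `add_header 'Access-Control-Allow-Credentials' 'true';` is a pairing browsers reject — a wildcard origin is not honoured when credentials are allowed — so either echo a specific origin or remove the credentials header. The `location ~ \.php(?:$|/)` block also carries `fastcgi_param modHeadersAvailable true;` and `fastcgi_param front_controller_active true;`, Nextcloud-specific parameters that the visible part of `share.php.sample` never reads; harmless, but a comment or their removal would stop them being mistaken for something the upload script depends on.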
+++ b/default_configuration/xmpp/prosody.cfg.lua.example 
@@ -0,0 +1,132 @@
+---------- Server-wide settings ----------
+-- Settings in this section apply to the whole server and are the default settings
+-- for any virtual hosts
+
+-- This is a (by default, empty) list of accounts that are admins
+-- for the server. Note that you must create the accounts separately
+-- (see https://prosody.im/doc/creating_accounts for info)
+-- Example: admins = { "user1@example.com", "user2@example.net" }
+admins = { "admin@__DOMAIN__" }
+
+-- Drop privileges
+prosody_user = "_prosody"
+prosody_group = "_prosody"
+
+-- Enable POSIX-only options
+pidfile = "/var/prosody/prosody.pid"
+
+-- Enable use of libevent for better performance under high load
+-- For more information see: https://prosody.im/doc/libevent
+--use_libevent = true
+
+-- Prosody will always look in its source directory for modules, but
+-- this option allows you to specify additional locations where Prosody
+-- will look for modules first. For community modules, see https://modules.prosody.im/
+plugin_paths = { "/var/prosody/plugins" }
+
+-- This is the list of modules Prosody will load on startup.
+-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
+-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
+modules_enabled = {
+
+ -- Generally required
+ "roster"; -- Allow users to have a roster. Recommended ;)
+ "saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+ "tls"; -- Add support for secure TLS on c2s/s2s connections
+ "dialback"; -- s2s dialback support
+ "disco"; -- Service discovery
+
+ -- Not essential, but recommended
+ "carbons"; -- Keep multiple clients in sync
+ "pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
+ "bidi";
+ "private"; -- Private XML storage (for room bookmarks, etc.)
+ "blocklist"; -- Allow users to block communications with other users
+ "vcard4"; -- User profiles (stored in PEP)
+ --"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
+ "limits"; -- Enable bandwidth limiting for XMPP connections
+ "smacks";
+ -- Nice to have
+ "version"; -- Replies to server version requests
+ "uptime"; -- Report how long server has been running
+ "time"; -- Let others know the time here on this server
+ "ping"; -- Replies to XMPP pings with pongs
+ -- "register"; -- Allow users to register on this server using a client and change passwords
+ "mam"; -- Store messages in an archive and allow users to access it
+ "csi_simple"; -- Simple Mobile optimizations
+
+ -- HTTP modules
+ "bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
+ "websocket"; -- XMPP over WebSockets
+ "http_files"; -- Serve static files from a directory over HTTP
+
+ -- Other specific functionality
+ "groups"; -- Shared roster support
+ "proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
+
+ -- cloud notify
+ "cloud_notify";
+ "cloud_notify_extensions";
+}
+
+
+modules_disabled = {
+}
+
+allow_registration = false
+
+-- Force clients to use encrypted connections? This option will
+-- prevent clients from authenticating unless they are using encryption.
+
+c2s_require_encryption = true
+
+-- Force servers to use encrypted connections? This option will
+-- prevent servers from authenticating unless they are using encryption.
+
+s2s_require_encryption = true
+
+-- Force certificate authentication for server-to-server connections?
+
+s2s_secure_auth = false
+
+-- Enable rate limits for incoming client and server connections
+
+limits = {
+ c2s = {
+ rate = "100kb/s";
+ };
+ s2sin = {
+ rate = "300kb/s";
+ };
+}
+
+-- Select the authentication backend to use. The 'internal' providers
+-- use Prosody's configured data storage to store the authentication data.
+
+authentication = "internal_hashed"
+
+-- Archiving configuration
+archive_expires_after = "1w" -- Remove archived messages after 1 week
+
+-- You can also configure messages to be stored in-memory only. For more
+-- archiving options, see https://prosody.im/doc/modules/mod_mam
+
+-- Logging configuration
+-- For advanced logging see https://prosody.im/doc/logging
+log = {
+ info = "/var/prosody/prosody.log"; -- Change 'info' to 'debug' for verbose logging
+ error = "/var/prosody/prosody.err";
+}
+
+-- Location of directory to find certificates in (relative to main config file):
+certificates = "/var/prosody/"
+
+
+-- WebSocket configuration (mod_websocket)
+consider_websocket_secure = true
+
+
+------ Components ------
+-- You can specify components to add hosts that provide special services,
+-- like multi-user conferences, and transports.
+include "virtualHosts/*.conf"
diff --git a/default_configuration/xmpp/share.php.sample b/default_configuration/xmpp/share.php.sample
new file mode 100644
index 0000000..ca759bb
--- /dev/null
+++ b/default_configuration/xmpp/share.php.sample
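Review bot: `consider_websocket_secure = true` makes Prosody treat every WebSocket connection as already encrypted, which is only correct when `mod_websocket` is reachable solely through a TLS-terminating reverse proxy; nothing in the example states that assumption and the nginx sample in this commit proxies only the PHP upload path, so add `-- only valid behind a TLS-terminating proxy; set to false if the HTTP port is reachable directly` above it. `s2s_secure_auth = false` together with `s2s_require_encryption = true` yields encrypted but unauthenticated server-to-server links, a deliberate interoperability choice that the preceding comment leaves as a question (`-- Force certificate authentication for server-to-server connections?`); replace it with a statement of the trade-off, e.g. `-- disabled for interoperability with servers lacking valid certificates; s2s is encrypted but peer identity is not verified`. `"http_files"` is enabled with no `http_files_dir` in the visible example, so what it serves and why it is needed is unclear; either document the intended directory or disable the module.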
@@ -0,0 +1,141 @@
+
+
+ Permission is hereby granted, free of charge, to any person obtaining a copy of this software
+ and associated documentation files (the "Software"), to deal in the Software without restriction,
+ including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so,
+ subject to the following conditions:
+
+ The above copyright notice and this permission notice shall be included in all copies or substantial
+ portions of the Software.
+
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+ NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
+ DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+*/
+
+/*\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\*/
+/* CONFIGURATION OPTIONS */
+/*\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\*/
+
+/* Change this to a directory that is writable by your web server, but is outside your web root */
+$CONFIG_STORE_DIR = '/xmpp-upload/__DOMAIN__/upload';
+
+/* This must be the same as 'http_upload_external_secret' that you set in Prosody's config file */
+$CONFIG_SECRET = "__xmpp_passphrase_for_filesuploads__" ;
+
+/* For people who need options to tweak that they don't understand... here you are */
+$CONFIG_CHUNK_SIZE = 4096;
+
+/*\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\*/
+/* END OF CONFIGURATION */
+/*\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\*/
+
+/* Do not edit below this line unless you know what you are doing (spoiler: nobody does) */
+
+$upload_file_name = substr($_SERVER['PHP_SELF'], strlen($_SERVER['SCRIPT_NAME'])+1);
+$store_file_name = $CONFIG_STORE_DIR . '/store-' . hash('sha256', $upload_file_name);
+
+$request_method = $_SERVER['REQUEST_METHOD'];
+
+/* Set CORS headers */
+header('Access-Control-Allow-Methods: GET, PUT, OPTIONS');
+header('Access-Control-Allow-Headers: Content-Type');
+header('Access-Control-Max-Age: 7200');
+header('Access-Control-Allow-Origin: *');
+
+if(array_key_exists('v', $_GET) === TRUE && $request_method === 'PUT') {
+ $upload_file_size = $_SERVER['CONTENT_LENGTH'];
+ $upload_token = $_GET['v'];
+
+ $calculated_token = hash_hmac('sha256', "$upload_file_name $upload_file_size", $CONFIG_SECRET);
+ if(function_exists('hash_equals')) {
+ if(hash_equals($calculated_token, $upload_token) !== TRUE) {
+ error_log("Token mismatch: calculated $calculated_token got $upload_token");
+ header('HTTP/1.0 403 Forbidden');
+ exit;
+ }
+ }
+ else {
+ if($upload_token !== $calculated_token) {
+ error_log("Token mismatch: calculated $calculated_token got $upload_token");
+ header('HTTP/1.0 403 Forbidden');
+ exit;
+ }
+ }
+ /* Open a file for writing */
+ $store_file = fopen($store_file_name, 'x');
+
+ if($store_file === FALSE) {
+ header('HTTP/1.0 409 Conflict');
+ exit;
+ }
+
+ /* PUT data comes in on the stdin stream */
+ $incoming_data = fopen('php://input', 'r');
+
+ /* Read the data a chunk at a time and write to the file */
+ while ($data = fread($incoming_data, $CONFIG_CHUNK_SIZE)) {
+ fwrite($store_file, $data);
+ }
+
+ /* Close the streams */
+ fclose($incoming_data);
+ fclose($store_file);
+
+ // https://xmpp.org/extensions/xep-0363.html#upload
+ // A HTTP status Code of 201 means that the server is now ready to serve the file via the provided GET URL.
+ header('HTTP/1.0 201 Created');
+ exit;
+} else if($request_method === 'GET' || $request_method === 'HEAD') {
+ // Send file (using X-Sendfile would be nice here...)
+ if(file_exists($store_file_name)) {
+ header('Content-Disposition: attachment');
+ header('Content-Type: application/octet-stream');
+ header('Content-Length: '.filesize($store_file_name));
+ header("Content-Security-Policy: \"default-src 'none'\"");
+ header("X-Content-Security-Policy: \"default-src 'none'\"");
+ header("X-WebKit-CSP: \"default-src 'none'\"");
+ if($request_method !== 'HEAD') {
+ readfile($store_file_name);
+ }
+ } else {
+ header('HTTP/1.0 404 Not Found');
+ }
+} else if($request_method === 'OPTIONS') {
+} else {
+ header('HTTP/1.0 400 Bad Request');
+}
+
+exit;
diff --git a/default_configuration/xmpp/virtualHosts/example.com.conf b/default_configuration/xmpp/virtualHosts/example.com.conf
new file mode 100644
index 0000000..16424f4
--- /dev/null
+++ b/default_configuration/xmpp/virtualHosts/example.com.conf
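Review bot: Both `error_log("Token mismatch: calculated $calculated_token got $upload_token")` calls in the PUT branch write the valid calculated token into the web server's error log, so anyone who can read that log learns a token that authorises a PUT for that filename and size while no file of that name has been stored yet; log only the failure and the name, `error_log("Token mismatch for $upload_file_name");`. The fallback branch compares with `$upload_token !== $calculated_token`, which is not constant-time, though it is only reached where hash_equals() does not exist. `$_SERVER['CONTENT_LENGTH']` is read without an isset() check, so a PUT that omits Content-Length raises a notice and computes the HMAC over an empty size instead of being answered with a 400.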
@@ -0,0 +1,100 @@
+VirtualHost "__DOMAIN__"
+ enable = true
+
+
+ ssl = {
+ key = "/etc/prosody/certs/__DOMAIN__.key";
+ certificate = "/etc/prosody/certs/__DOMAIN__.crt";
+ -- Configuration Avancée
+ protocol = "tlsv1_2+";
+ dhparam = "/etc/prosody/certs/dh-2048.pem";
+ ciphers = "HIGH+kEECDH:!RSA:!SRP:!PSK:!3DES:!aNULL";
+ options = { cipher_server_preference = true, no_compression = true, cipher_server_preference = true };
+
+}
+archive_expires_after = "15d";
+
+ -- Discovery items
+ disco_items = {
+ { "muc.__DOMAIN__" },
+ { "pubsub.__DOMAIN__" },
+ { "upload.__DOMAIN__" },
+ };
+
+ contact_info = {
+ abuse = { "mailto:abuse@__DOMAIN__", "xmpp:admin@__DOMAIN__" };
+ admin = { "mailto:root@$__DOMAIN__", "xmpp:admin@__DOMAIN__" };
+ };
+
+-- BOSH configuration (mod_bosh)
+consider_bosh_secure = true
+cross_domain_bosh = true
+
+bosh_ports = {
+ {
+ port = 5280;
+ path = "http-bind";
+ },
+ {
+ port = 5281;
+ path = "http-bind";
+ ssl = {
+ certificate = "/etc/prosody/certs/__DOMAIN__.crt";
+ key = "/etc/prosody/certs/__DOMAIN__.key";
+ }
+ }
+ }
+ http_ports = { 5280 }
+ http_interfaces = { "localhost" }
+
+ https_ports = { 5281 }
+ https_interfaces = { "localhost" }
+
+ https_ssl = {
+ certificate = "/etc/prosody/certs/__DOMAIN__.crt";
+ key = "/etc/prosody/certs/__DOMAIN__.key";
+ }
+
+
+
+------ Components ------
+-- You can specify components to add hosts that provide special services,
+-- like multi-user conferences, and transports.
+
+--Component "proxy.__DOMAIN__" "proxy65"
+-- proxy65_address = ""
+-- proxy65_acl = { "" }
+
+Component "muc.__DOMAIN__" "muc"
+ name = "__DOMAIN__ Chatrooms"
+
+ modules_enabled = {
+ "muc_mam";
+ "muc_limits";
+ "muc_log";
+ "vcard_muc";
+ }
+
+ muc_log_by_default = true
+ muc_log_presences = false
+ log_all_rooms = false
+ muc_log_expires_after = "1w"
+ muc_log_cleanup_interval = 4 * 60 * 60
+
+ muc_event_rate = 0.5
+ muc_burst_factor = 10
+ room_default_config = {
+ logging = true,
+ persistent = true
+};
+
+
+---Set up a PubSub server
+Component "pubsub.__DOMAIN__" "pubsub"
+ name = "__DOMAIN__ Publish/Subscribe"
+ unrestricted_node_creation = true -- Anyone can create a PubSub node (from any server)
+---Set up a HTTP Upload service
+Component "upload.__DOMAIN__" "http_upload_external"
+ name = "__DOMAIN__ Sharing Service"
+ http_upload_external_base_url = "https://upload.__DOMAIN__/share.php/"
+ http_upload_external_secret = "__xmpp_passphrase_for_filesuploads__"
diff --git a/install_dolibarr.sh b/install_dolibarr.sh
new file mode 100755
index 0000000..fb4e773
--- /dev/null
+++ b/install_dolibarr.sh
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+. ./myserver.conf
+
+configure_nginx_service(){
+ cp default_configuration/dolibarr/nginx.conf.sample my_configuration/dolibarr/nginx.conf
+ sed -i "s/__dolibarr_domain__/$dolibarr_domain/g" my_configuration/dolibarr/nginx.conf
+}
+
+install_configuration_files_dolibarr(){
+ cp my_configuration/nextcloud/nginx.conf /etc/nginx/sites-available/$dolibarr_domain
+ ln -s /etc/nginx/sites-available/$dolibarr_domain /etc/nginx/sites-enabled/$dolibarr_domain
+
+}
+
+configure_nginx_service
+install_configuration_files_dolibarr
diff --git a/install_nextcloud.sh b/install_nextcloud.sh
new file mode 100755
index 0000000..6f88a8c
--- /dev/null
+++ b/install_nextcloud.sh
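Review bot: `admin = { "mailto:root@$__DOMAIN__", "xmpp:admin@__DOMAIN__" };` in contact_info carries a stray `$` in front of the placeholder, so once `__DOMAIN__` is substituted the advertised admin contact becomes `mailto:root@$example.com`; it should read `"mailto:root@__DOMAIN__"` like the abuse entry. In the ssl `options` table `cipher_server_preference = true` appears twice, which is harmless but reads as a leftover. `unrestricted_node_creation = true` on the pubsub component lets any user of any federated server create nodes, as the trailing comment says; if that is intended it deserves a sentence in the project README, otherwise dropping the line leaves node creation under the component's default restrictions (I believe admin-only).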
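Review bot: `install_configuration_files_dolibarr` copies `my_configuration/nextcloud/nginx.conf` into `/etc/nginx/sites-available/$dolibarr_domain`, but `configure_nginx_service` just above wrote the Dolibarr site to `my_configuration/dolibarr/nginx.conf`, so the Nextcloud vhost is installed under the Dolibarr name; the line should read `cp my_configuration/dolibarr/nginx.conf /etc/nginx/sites-available/$dolibarr_domain`. The script also never creates `my_configuration/dolibarr` (the Nextcloud installer does `mkdir my_configuration/nextcloud` before copying), so on a fresh checkout the first cp fails and, with no `set -e`, the remaining steps still run against a missing file. Quoting `"$dolibarr_domain"` in the cp, ln and sed lines keeps a value with spaces or sed metacharacters from being split or changing the substitution.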
@@ -0,0 +1,92 @@
+#!/bin/sh
+
+. ./utils.sh
+. ./myserver.conf
+
+install_package_nextcloud()
+{
+ pkg_add php-bz2-8.0.26 php-curl-8.0.26 php-gd-8.0.26 php-gmp-8.0.26 \
+ php-intl-8.0.26 php-pdo_pgsql-8.0.26 php-zip-8.0.26 \
+ pecl80-imagick-3.7.0p1 pecl80-redis-5.3.7p0 \
+ nextcloud-24.0.5
+}
+
+enable_nextlcoud_php_modules(){
+ #enable modules
+ ln -s /etc/php-8.0.sample/gd.ini /etc/php-8.0/gd.ini
+ ln -s /etc/php-8.0.sample/imagick.ini /etc/php-8.0/imagick.ini
+ ln -s /etc/php-8.0.sample/opcache.ini /etc/php-8.0/opcache.ini
+ ln -s /etc/php-8.0.sample/curl.ini /etc/php-8.0/curl.ini
+ ln -s /etc/php-8.0.sample/gmp.ini /etc/php-8.0/gmp.ini
+ ln -s /etc/php-8.0.sample/intl.ini /etc/php-8.0/intl.ini
+ ln -s /etc/php-8.0.sample/redis.ini /etc/php-8.0/redis.ini
+ ln -s /etc/php-8.0.sample/bz2.ini /etc/php-8.0/bz2.ini
+ ln -s /etc/php-8.0.sample/zip.ini /etc/php-8.0/zip.ini
+ ln -s /etc/php-8.0.sample/pdo_pgsql.ini /etc/php-8.0/pdo_pgsql.ini
+ restart_php_service
+}
+
+configure_nginx_service(){
+ cp default_configuration/nextcloud/nginx.conf.sample my_configuration/nextcloud/nginx.conf
+ sed -i "s/__nextcloud_domain__/$nextcloud_domain/g" my_configuration/nextcloud/nginx.conf
+}
+
+create_nextcloud_db(){
+ psql template1 postgres -c "CREATE USER $nextcloud_db_user WITH PASSWORD '$nextcloud_db_pass' CREATEDB ;"
+ psql template1 postgres -c "CREATE DATABASE $nextcloud_db_name TEMPLATE template1 ENCODING 'UTF8' ;"
+ psql template1 postgres -c "GRANT ALL PRIVILEGES ON DATABASE $nextcloud_db_name TO $nextcloud_db_user ;"
+ psql template1 postgres -c "GRANT ALL PRIVILEGES ON SCHEMA public TO $nextcloud_db_user ;"
+}
+
+
+install_configuration_files_nextcloud(){
+ cp my_configuration/nextcloud/nginx.conf /etc/nginx/sites-available/$nextcloud_domain
+ ln -s /etc/nginx/sites-available/$nextcloud_domain /etc/nginx/sites-enabled/$nextcloud_domain
+
+}
+
+check_services_for_nextlcoud()
+{
+ check_webserver_service
+ check_redis_service
+ check_php_service
+ check_postgresql_service
+}
+
+install_nextcloud(){
+ cp -v my_configuration/nextcloud/custom.config.php /var/www/nextcloud/config/
+ cd /var/www/nextcloud
+ touch config/CAN_INSTALL
+ rm config/config.php
+ su -m www -c "./occ maintenance:install --database pgsql \
+ --database-name $nextcloud_db_name --database-host localhost --database-user $nextcloud_db_user\
+ --database-pass $nextcloud_db_pass --admin-user $nextcloud_admin --admin-pass $nextcloud_admin_password"
+ su -m www -c "./occ config:system:set datadirectory --value=/nextcloud/data"
+ su -m www -c "./occ config:system:set overwrite.cli.url --value=https://$nextcloud_domain"
+ su -m www -c "./occ config:system:set trusted_domains 0 --value=$nextcloud_domain"
+ su -m www -c "./occ config:system:set default_phone_region --value=fr"
+ su -m www -c "./occ config:system:set mail_from_address --value=nextcloud"
+ su -m www -c "./occ config:system:set mail_smtpmode --value=smtp"
+ su -m www -c "./occ config:system:set mail_sendmailmode --value=smtp"
+ su -m www -c "./occ config:system:set mail_domain --value=$DOMAIN"
+ su -m www -c "./occ config:system:set mail_smtphost --value=$DOMAIN"
+ su -m www -c "./occ config:system:set mail_smtpport --value=25"
+ su -m www -c "./occ config:system:set memcache.local --value='\\OC\\Memcache\\Redis'"
+ su -m www -c "./occ config:system:set memcache.locking --value='\\OC\\Memcache\\Redis'"
+ su -m www -c "./occ config:system:set redis host --value=127.0.0.1"
+ su -m www -c "./occ config:system:set redis port --value=6379"
+ echo '*/5 * * * * su -m www -c "/usr/local/bin/php-8.0 -f /var/www/nextcloud/cron.php"' >> \
+ /var/cron/tabs/root
+
+}
+
+
+mkdir my_configuration/nextcloud
+check_services_for_nextlcoud
+install_package_nextcloud
+enable_nextlcoud_php_modules
+configure_nginx_service
+create_nextcloud_db
+install_configuration_files_nextcloud
+install_nextcloud
+restart_webserver_service
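Review bot: `create_nextcloud_db` splices `$nextcloud_db_pass` straight into the SQL text in `psql template1 postgres -c "CREATE USER $nextcloud_db_user WITH PASSWORD '$nextcloud_db_pass' CREATEDB ;"`, so a password containing a single quote breaks the statement or changes its meaning, and the whole command line, password included, can be visible to other local users through ps while it runs. Passing the values as psql variables on stdin avoids both: `psql -v u="$nextcloud_db_user" -v p="$nextcloud_db_pass" template1 postgres <<'EOF'` followed by `CREATE USER :"u" WITH PASSWORD :'p' CREATEDB;` and `EOF`. The same argv exposure applies to the `--database-pass` and `--admin-pass` values handed to `su -m www -c "./occ maintenance:install ..."` in `install_nextcloud`. `cd /var/www/nextcloud` there is unchecked, and the `rm config/config.php` that follows would run in whatever the current directory is if the cd fails; `cd /var/www/nextcloud || exit 1` closes that.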
diff --git a/install_nginx_service.sh b/install_nginx_service.sh new file mode 100755 index 0000000..95f3732 --- /dev/null +++ b/install_nginx_service.sh @@ -0,0 +1,152 @@ +#!/bin/sh + +. ./myserver.conf +. ./utils.sh + +install_nginx_package() +{ + pkg_add nginx-1.22.0p0 nginx-headers-more-1.22.0 nginx-stream-1.22.0 +} + +gen_nginx_configuration() +{ + cat > my_configuration/nginx/nginx.conf < my_configuration/nginx/site-available/$DOMAIN < /tmp/newsyslog.conf + cat >> /tmp/newsyslog.conf < my_configuration/php/php-fpm.conf < my_configuration/postgresql/pg_hba.conf < /tmp/passwordpsql.txt + su -m _postgresql -c "initdb -D /var/postgresql/data -U postgres -A md5 -E UTF8 --pwfile=/tmp/passwordpsql.txt" + rm /tmp/passwordpsql.txt +} + +install_postgresql_configurations_files(){ + cp -v my_configuration/postgresql/pg_hba.conf /var/postgresql/data/pg_hba.conf +} + +start_postgresql_service(){ + rcctl start postgresql +} + +mkdir my_configuration/postgresql/ +#install_postresql_packages +configure_postgresql_service +install_postgresql_configurations_files +start_postgresql_service diff --git a/install_pywallter.sh b/install_pywallter.sh new file mode 100755 index 0000000..66c0165 --- /dev/null +++ b/install_pywallter.sh 
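Review bot: The PostgreSQL initialisation (presumably inside `configure_postgresql_service`, which the call list at the bottom names) writes the superuser password to the fixed path `/tmp/passwordpsql.txt` and then runs `initdb ... --pwfile=/tmp/passwordpsql.txt` as `_postgresql`; a predictable name in the shared /tmp can be pre-created or symlinked by another local user, and the file's mode while it exists depends on the caller's umask. Create it with `mktemp`, restrict it and hand it to the service user, e.g. `pwfile=$(mktemp) || exit 1`, `chown _postgresql "$pwfile"; chmod 600 "$pwfile"`, then use `"$pwfile"` in both the `--pwfile=` argument and the `rm`. The heredoc bodies and several file headers in this stretch of the diff are missing from the page text, so the nginx, newsyslog, php-fpm and pg_hba sections could not be reviewed and the enclosing function boundaries are inferred.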
@@ -0,0 +1,64 @@ +#!/bin/sh + +. ./myserver.conf + +install_pywallter_pkg(){ + pkg_add py3-werkzeug py3-jinja2 py3-Pillow py3-wtforms py3-flask-wtf py3-flask \ + py3-bcrypt py3-markdown py3-gevent py3-zopeinterface py3-pip + pip install flask-bcrypt +} + +install_pywallter_app(){ + orig_path=`pwd` + useradd -s /sbin/nologin -d /home/pywallter -m pywallter; + cd /home/pywallter; + su -m pywallter -c "git clone https://kitoy.me/git/kitoy/pywallter" + cp -v ./pywallter/scripts/set_mail_alias /usr/local/bin/ + cp -v ./pywallter/scripts/set_mail_passwd /usr/local/bin/ + + touch /etc/mail/reserved + cd $orig_path +} + +gen_pywallter_configuration_app(){ + cat > my_configuration/pywallter/config.py < /tmp/doas.conf + cat >> /tmp/doas.conf < /tmp/newsyslog.conf + echo '/var/prosody/prosody.log _prosody:_prosody 640 2 * $W0 Z /var/prosody/prosody.pid SIGUSR1' >> /tmp/newsyslog.conf + echo '/var/prosody/prosody.err _prosody:_prosody 640 2 250 * Z /var/proosody/prosody.pid SIGUSR1' >> /tmp/newsyslog.conf + mv /tmp/newsyslog.conf /etc/newsyslog.conf +} + +install_nginx_configuration_files_upload(){ + + mkdir -p /var/www/xmpp-upload/$DOMAIN/upload + chown -R www:daemon /var/www/xmpp-upload/ + cp my_configuration/xmpp/upload.$DOMAIN /etc/nginx/sites-available/ + ln -s /etc/nginx/sites-available/upload.$DOMAIN /etc/nginx/sites-enabled/upload.$DOMAIN + cp my_configuration/xmpp/share.php /var/www/xmpp-upload/ + +} + +install_xmpp_configurations_files(){ + + cp -v my_configuration/xmpp/prosody.cfg.lua /etc/prosody/prosody.cfg.lua + mkdir /etc/prosody/virtualHosts + cp -v my_configuration/xmpp/virtualHosts/$DOMAIN.conf /etc/prosody/virtualHosts/$DOMAIN.conf + +} + + +mkdir my_configuration/xmpp +if [ "$1" == "gen-config-only" ]; +then + gen_prosody_configuration + gen_nginx_configuration_files_upload +elif [ "$1" == "install" ]; +then + gen_prosody_configuration + gen_nginx_configuration_files_upload + install_prosody_package + install_prosody_modules + 
install_xmpp_configurations_files + install_xmpp_certs_ssl + rcctl enable prosody + rcctl start prosody +fi diff --git a/make_self_signed_cert.sh b/make_self_signed_cert.sh new file mode 100755 index 0000000..5f95608 --- /dev/null +++ b/make_self_signed_cert.sh @@ -0,0 +1,90 @@ +#!/bin/sh + +gen_cert_self_signed() + +{ + domain=$1 + + openssl req -x509 \ + -sha256 -days 3560 \ + -nodes \ + -newkey rsa:4096 \ + -subj "/CN=$domain/C=FR/L=myserver" \ + -keyout $domain.rootCA.key -out $domain.rootCA.crt + + cat > $domain.csr.conf < $domain.cert.conf <
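Review bot: The newsyslog entry for `prosody.err` names the pid file as `/var/proosody/prosody.pid` (note `proosody`), while the `prosody.log` entry just above uses `/var/prosody/prosody.pid`; after rotating the error log newsyslog will not be able to signal the daemon, so that line should read `/var/prosody/prosody.pid` too. In `install_pywallter_app` the helpers copied into `/usr/local/bin/` (`set_mail_alias`, `set_mail_passwd`) come from a `git clone https://kitoy.me/git/kitoy/pywallter` run at install time with no pinned revision or checksum, and `pip install flask-bcrypt` is unpinned as well, so what later runs with those helpers' privileges is whatever the remote serves that day; pin a commit (`git -C pywallter checkout <PINNED_COMMIT>`) or vendor the two scripts in this repository. The doas.conf and config.py heredoc bodies are missing from the page text, and the file header of the prosody install script that follows `install_pywallter.sh` is lost, so those parts and the exact function boundaries could not be reviewed.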