Compare commits
	
		
			3 Commits
		
	
	
		
			b8fbc07a97
			...
			8c00ed86d5
		
	
	| Author | SHA1 | Date | |
|---|---|---|---|
| 8c00ed86d5 | |||
| 6a48bb7506 | |||
| 7f34b60582 | 
| @ -4,24 +4,23 @@ | ||||
| gen_nginx_acme_conf(){ | ||||
|     domain=$1 | ||||
|     alt_domain=$2 | ||||
|     nginx_run=`rcctl check nginx` | ||||
|     nginx_conf_file="/etc/nginx/sites-enabled/$domain" | ||||
|     [ ! -f $nginx_conf_file ] || rm $nginx_conf_file; | ||||
|      | ||||
|     if [ "$nginx_run" == "nginx(ok)" ]; then | ||||
|         cat > test/$domain <<EOF | ||||
|     mkdir /var/www/htdocs/$domain | ||||
|     rcctl check nginx | ||||
|     if [ $? == 0 ]; then | ||||
|         cat > $nginx_conf_file <<EOF | ||||
| server { | ||||
|     listen 80; | ||||
|     server_name $alt_domain $domain; | ||||
| 
 | ||||
|     include snippets/acme-challenge.conf; | ||||
| 
 | ||||
|     root /htdocs; | ||||
| 
 | ||||
|     root /htdocs/$domain; | ||||
| } | ||||
| EOF | ||||
| 
 | ||||
| #        rcctl restart nginx | ||||
|         rcctl reload nginx | ||||
|     else | ||||
|         echo "Service NGINX not runnig" | ||||
|         echo "Service NGINX not running" | ||||
|         exit 1 | ||||
|     fi | ||||
| 
 | ||||
| @ -30,8 +29,12 @@ EOF | ||||
| gen_acme_client_conf(){ | ||||
|     domain=$1 | ||||
|     alt_domain=$2 | ||||
|     acme_conf_file="my_configuration/ssl/$domain-acme-client.conf" | ||||
|     # If the file exist, do nothing | ||||
|     [ ! -f $acme_conf_file ] || echo "Domain already configured !"; exit 1; | ||||
| 
 | ||||
|     if [ "$alt_domain" == "" ]; then | ||||
|         cat >> my_configuration/ssl/$domain-acme-client.conf <<EOF | ||||
|         cat >> $acme_conf_file <<EOF | ||||
| 
 | ||||
| domain $domain { | ||||
|         domain key "/etc/ssl/private/$domain.key" | ||||
| @ -41,7 +44,7 @@ domain $domain { | ||||
| 
 | ||||
| EOF | ||||
|     else | ||||
|         cat >> my_configuration/ssl/$domain-acme-client.conf <<EOF | ||||
|         cat >> $acme_conf_file <<EOF | ||||
| 
 | ||||
| domain $domain { | ||||
|         alternative names { $alt_domain } | ||||
| @ -55,40 +58,39 @@ EOF | ||||
| 
 | ||||
| } | ||||
| 
 | ||||
| add_acme_domain_to_conf(){ | ||||
|     domain=$1 | ||||
|     egrep "domain $domain" -A5 /etc/acme-client.conf > /tmp/acme-client.conf | ||||
|     cp -v /etc/acme-client.conf /etc/acme-client.conf.old | ||||
|     cp -v /tmp/acme-client.conf /etc/acme-client.conf | ||||
| } | ||||
| 
 | ||||
| install_utils(){ | ||||
|     cp -v utils/renew_https_certificate /usr/local/bin/renew_https_certificate | ||||
|     chmod u+x /usr/local/bin/renew_https_certificate | ||||
| } | ||||
| 
 | ||||
| get_certificate(){ | ||||
| get_certificate() | ||||
| { | ||||
|     domain=$1 | ||||
| 
 | ||||
|     /usr/local/bin/renew_https_certificate $domain | ||||
| } | ||||
| 
 | ||||
| usage(){ | ||||
| usage() | ||||
| { | ||||
|     print "This program ask 3 arguments : \n" | ||||
|     print "First is email with domain name the second is list of alternatives domains with \" \"  \n" | ||||
|     print "the last arguments is for share the ssl cert with xmpp daemon add xmpp at the end or not" | ||||
|     print "\t $0 domain.tld \"a.domain.tld b.domain.tld c.domain.tld\"" | ||||
| 
 | ||||
| } | ||||
| 
 | ||||
| 
 | ||||
| 
 | ||||
| if [ -z $1 ]; | ||||
| then | ||||
|     usage | ||||
|     exit 3; | ||||
| fi | ||||
| 
 | ||||
| if [ -e /etc/acme-client.conf ]; then | ||||
|     echo ok | ||||
| else | ||||
|     echo nok | ||||
| fi | ||||
| 
 | ||||
| 
 | ||||
| domain=$1 | ||||
| alt_domain=$2 | ||||
| 
 | ||||
|  | ||||
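Review bot: In gen_acme_client_conf the new guard `[ ! -f $acme_conf_file ] || echo "Domain already configured !"; exit 1;` exits unconditionally, because the `;` ends the `||` list and `exit 1` runs whether or not the file exists, so the function can never reach either heredoc. Group the two commands: `[ ! -f "$acme_conf_file" ] || { echo "Domain already configured !"; exit 1; }`. In the same section, gen_nginx_acme_conf now runs `mkdir /var/www/htdocs/$domain` with `$domain` taken straight from `$1` and tests `if [ $? == 0 ]` after `rcctl check nginx`; quoting `"$domain"` and writing `if rcctl check nginx; then` avoids word-splitting on the argument and the non-POSIX `==` inside `[`.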
| @ -2,7 +2,7 @@ | ||||
| 
 | ||||
| . ./myserver.conf | ||||
| 
 | ||||
| install_package(){ | ||||
| install_firewall_packages(){ | ||||
|     pkg_add ssh_guard curl | ||||
|     useradd -s /sbin/nologin -d /var/empty _pfbadhost | ||||
|     ftp https://geoghegan.ca/pub/pf-badhost/0.5/pf-badhost.sh | ||||
| @ -32,60 +32,36 @@ EOF | ||||
| 
 | ||||
| 
 | ||||
| set_basic_configuration(){ | ||||
|     cat > my_configuration/pf.conf <<EOF | ||||
| #Filtres badhosts et sshguard | ||||
| table <pfbadhost> persist file "/etc/pf-badhost.txt" | ||||
| table <sshguard> persist | ||||
| 
 | ||||
| ## Table pour les batards de bruteforceurs | ||||
| table <bruteforce> persist | ||||
| 
 | ||||
| 
 | ||||
| set block-policy drop                  # bloque silencieusement | ||||
| set skip on lo                         # En local on s'en fou on surveille rien | ||||
| set limit table-entries 400000 | ||||
| set limit states 100000 | ||||
| 
 | ||||
| 
 | ||||
| 
 | ||||
| ## Traitement des paquets ## | ||||
| # Paquets partiels on vire | ||||
| match all scrub (max-mss 1440 no-df random-id reassemble tcp) | ||||
| antispoof quick for egress         # Protection vol d'ip | ||||
| antispoof quick for lo0            # Protection vol d'ip | ||||
| 
 | ||||
| # Port build user does not need network | ||||
| block return out log proto {tcp udp} user _pbuild | ||||
| 
 | ||||
| # On bloque tout par défault | ||||
| block | ||||
| 
 | ||||
| block quick on egress from <pfbadhost> | ||||
| block in from <sshguard> | ||||
| block log quick from <bruteforce> label "brutes" | ||||
| 
 | ||||
| pass out on egress proto { tcp udp icmp ipv6-icmp } modulate state | ||||
| 
 | ||||
| EOF | ||||
| 
 | ||||
|     cp -v default_configruation/pf.conf my_configuration/pf.conf | ||||
| } | ||||
| 
 | ||||
| set_open_service(){ | ||||
|     cat >> my_configuration/pf.conf <<EOF | ||||
| #déclaration des variables | ||||
| web_ports = "{ http https }" | ||||
| 
 | ||||
| #On évite les bruteforces | ||||
| pass in quick on egress proto { tcp, udp } from <whitelist> to port $web_ports | ||||
| pass in on egress proto tcp to port $web_ports flags S/SA keep state \ | ||||
|                                 (max-src-conn 100, max-src-conn-rate 15/5, \ | ||||
|                                  overload <http_abusive_hosts> flush) | ||||
| 
 | ||||
| EOF | ||||
| 
 | ||||
|     if [ "$SERVICE_MAIL" == "yes" ]; then | ||||
|         echo "mail_ports = \"{ smtp submission imap }\"" >> default_configuration/pf.conf | ||||
|     fi | ||||
|     cat >> my_configuration/pf.conf | ||||
|     EOF | ||||
|      | ||||
|     if [ "$SERVICE_XMPP" == "yes" ]; then | ||||
|     [ "$SERVICE_MAIL" == "yes" ] && | ||||
|         echo "mail_ports = \"{ smtp submission imap }\"" >> default_configuration/pf.conf | ||||
| 
 | ||||
|     [ "$SERVICE_XMPP" == "yes" ] && | ||||
|         echo "xmmp_ports = \"{ 5222 5269 }\"" >> default_configuration/pf.conf | ||||
|     fi | ||||
| 
 | ||||
|     echo "ssh_port = \"$SSH_PORT\"" >> default_configuration/pf.conf | ||||
| 
 | ||||
|     [ "$SERVICE_TURN" == "yes" ] && | ||||
| 	echo "turn_port = \"TURN_PORT\"" >> default_configuration/pf.conf | ||||
|      | ||||
|     cat >> my_configuration/pf.conf <<EOF | ||||
| 
 | ||||
| ## Anti bruteforce | ||||
| @ -95,13 +71,14 @@ EOF | ||||
| pass in on egress proto tcp to port \$ssh_port modulate state \\ | ||||
|   (max-src-conn 5, max-src-conn-rate 15/5, overload <bruteforce> flush global) | ||||
| 
 | ||||
| #web | ||||
| pass in on egress proto tcp to port \$web_ports modulate state \\ | ||||
|     (max-src-conn 60, max-src-conn-rate 60/1, overload <bruteforce> flush global) | ||||
| pass in quick on egress proto { tcp, udp } from <whitelist> to port $web_ports | ||||
| pass in on egress proto tcp to port $web_ports flags S/SA keep state \ | ||||
|      	   	  	   (max-src-conn 100, max-src-conn-rate 15/5, \ | ||||
| 			   overload <http_abusive_hosts> flush)			     | ||||
| 
 | ||||
| EOF | ||||
| 
 | ||||
|     if [ "$SERVICE_MAIL" == "yes" ]; then | ||||
|     [ "$SERVICE_MAIL" == "yes" ] && | ||||
|         cat >> my_configuration/pf.conf <<EOF | ||||
| # mails | ||||
| ## antispam | ||||
| @ -110,19 +87,27 @@ pass in on egress proto tcp to port \$mail_ports modulate state \\ | ||||
| pass out log on egress proto tcp to any port smtp | ||||
| 
 | ||||
| EOF | ||||
|     fi | ||||
| 
 | ||||
|     if [ "$SERVICE_XMPP" == "yes" ]; then | ||||
|     [ "$SERVICE_XMPP" == "yes" ] && | ||||
|         cat >> my_configuration/pf.conf <<EOF | ||||
| # XMPP | ||||
| pass in on egress proto tcp to port \$xmpp_ports modulate state \\ | ||||
|   (max-src-conn 15, max-src-conn-rate 15/5, overload <bruteforce> flush global) | ||||
| EOF | ||||
|     fi | ||||
| 
 | ||||
| 
 | ||||
|     [ "$SERVICE_TURN" == "yes" ] && | ||||
| 	cat >> my_configuration/pf.conf <<EOF | ||||
| pass in on egress proto tcp to port $turn_port modulate state \ | ||||
|   (max-src-conn 20, max-src-conn-rate 30/1, overload <bruteforce> flush global) | ||||
| 
 | ||||
| pass in on egress proto udp to port $turn_port  | ||||
| 
 | ||||
| EOF | ||||
| 
 | ||||
| } | ||||
| 
 | ||||
| install_pf_and_enable(){ | ||||
| install_conf_and_enable(){ | ||||
|     pfctl -nf my_configuration/pf.conf | ||||
|     if [ $? == 0 ]; then | ||||
|         cp -v /etc/pf.conf /etc/pf.old | ||||
| @ -134,5 +119,14 @@ install_pf_and_enable(){ | ||||
| 
 | ||||
| } | ||||
| 
 | ||||
| set_basic_configuration | ||||
| set_open_service | ||||
| if [ "$1" == "gen-config-only" ]; | ||||
| then | ||||
|     set_basic_configuration | ||||
|     set_open_service | ||||
| elif [ "$1" == "install" ]; | ||||
| then | ||||
|     install_firewall_packages | ||||
|     set_basic_configuration | ||||
|     set_open_service | ||||
|     install_conf_and_enable | ||||
| fi | ||||
|  | ||||
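Review bot: The TURN rules added to set_open_service never yield a usable pf macro: `echo "turn_port = \"TURN_PORT\""` is missing the `$` before `TURN_PORT`, so the literal string is written, and in the last hunk the line `pass in on egress proto tcp to port $turn_port modulate state \` is unescaped, unlike the `\$ssh_port ... \\` lines above it, so the shell expands `$turn_port` to an empty string and swallows the continuation before pf ever sees the rule. Escape them as the other rules do, `pass in on egress proto tcp to port \$turn_port modulate state \\` and `pass in on egress proto udp to port \$turn_port`, and fix the echo to `\"$TURN_PORT\"`. In set_basic_configuration the new `cp -v default_configruation/pf.conf my_configuration/pf.conf` misspells the directory used everywhere else (`default_configuration`), so the base ruleset is never copied. Note also that the macro echoes append to `default_configuration/pf.conf` while the rule heredocs append to `my_configuration/pf.conf`; if that split is intentional it deserves a comment, otherwise `pfctl -nf` in install_conf_and_enable will reject the undefined macros.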
| @ -5,176 +5,21 @@ | ||||
| 
 | ||||
| install_mails_services_pkg() | ||||
| { | ||||
|     pkg_add dovecot dovecot-pigeonhole opensmtpd-filter-rspamd \ | ||||
|     pkg_add dovecot dovecot-pigeonhole opensmtpd-filter-rspamd redis-6.2.12\ | ||||
|             opensmtpd-extras-6.7.1v0 opensmtpd-filter-dkimsign-0.5 rspamd-3.2  | ||||
| } | ||||
| 
 | ||||
| gen_mails_service_configuration() | ||||
| { | ||||
| 
 | ||||
|     #Generate opensmtpd configuration | ||||
|     cat > my_configuration/mail/smtpd.conf <<EOF | ||||
| # See smtpd.conf(5) for more information. | ||||
| 
 | ||||
| 
 | ||||
| # To accept external mail, replace with: listen on all | ||||
| # | ||||
| 
 | ||||
| # les Certificats | ||||
| pki "cert_mail" cert "/etc/ssl/$DOMAIN.crt" | ||||
| pki "cert_mail" key "/etc/ssl/private/$DOMAIN.key" | ||||
| 
 | ||||
| table aliases file:/etc/mail/aliases | ||||
| table passwd file:/etc/mail/passwd | ||||
| table virtuals file:/etc/mail/virtuals | ||||
| 
 | ||||
| filter "rspamd" proc-exec "filter-rspamd" | ||||
| filter "dkimsign" proc-exec "filter-dkimsign -d $DOMAIN -s dkim -k /etc/mail/dkim/$DOMAIN-private.key" user _dkimsign group _dkimsign | ||||
| 
 | ||||
| # Activation du check du reverse DNS | ||||
| #filter check_rdns phase connect match !rdns disconnect "550 no rDNS available" | ||||
| #filter check_fcrdns phase connect match !fcrdns disconnect "550 no FCrDNS available" | ||||
| 
 | ||||
| # To accept external mail, replace with: listen on all | ||||
| 
 | ||||
| 
 | ||||
| listen on all tls pki "cert_mail" hostname "$DOMAIN" filter  rspamd | ||||
| listen on all port submission tls-require pki "cert_mail" auth <passwd> filter dkimsign | ||||
| 
 | ||||
| action "local_mail" mbox alias <aliases> | ||||
| action "domain_mail" maildir "/var/vmail/$DOMAIN/%{dest.user:lowercase}" virtual <virtuals> | ||||
| action "outbound" relay | ||||
| 
 | ||||
| 
 | ||||
| # Uncomment the following to accept external mail for domain "example.org" | ||||
| match from any for domain "$DOMAIN" action "domain_mail" | ||||
| match from local for local action "local_mail" | ||||
| 
 | ||||
| match auth from any for any action "outbound" | ||||
| 
 | ||||
| EOF | ||||
| 
 | ||||
|     #Generate spamd configuration | ||||
|     cat > my_configuration/mail/spamd.conf <<EOF | ||||
| 
 | ||||
| all:\ | ||||
|         :nixspam: | ||||
| 
 | ||||
| # Nixspam recent sources list. | ||||
| # Mirrored from http://www.heise.de/ix/nixspam | ||||
| nixspam:\ | ||||
|         :black:\ | ||||
|         :msg="Your address %A is in the nixspam list\n\ | ||||
|         See http://www.heise.de/ix/nixspam/dnsbl_en/ for details":\ | ||||
|         :method=https:\ | ||||
|         :file=www.openbsd.org/spamd/nixspam.gz | ||||
| 
 | ||||
| # An example of a list containing addresses which should not talk to spamd. | ||||
| # | ||||
| #override:\ | ||||
| #       :white:\ | ||||
| #       :method=file:\ | ||||
| #       :file=/var/db/override.txt: | ||||
| 
 | ||||
| EOF | ||||
| 
 | ||||
|     ## Generate Dovecot configuration | ||||
|     cat > my_configuration/dovecot/local.conf <<EOF | ||||
| listen = * | ||||
| protocols = imap | ||||
| first_valid_uid = 1000 | ||||
| first_valid_gid = 1000 | ||||
| mail_location = maildir:/var/vmail/%d/%n | ||||
| mail_plugin_dir = /usr/local/lib/dovecot | ||||
| disable_plaintext_auth = yes | ||||
| 
 | ||||
| managesieve_notify_capability = mailto | ||||
| managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex  imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext imapsieve vnd.dovecot.imapsieve | ||||
| 
 | ||||
| mbox_write_locks = fcntl | ||||
| mmap_disable = yes | ||||
| namespace inbox { | ||||
|   inbox = yes | ||||
|   location = | ||||
|   mailbox Archive { | ||||
|   auto = subscribe | ||||
|   special_use = \Archive | ||||
|   } | ||||
|   mailbox Drafts { | ||||
|   auto = subscribe | ||||
|   special_use = \Drafts | ||||
|   } | ||||
|   mailbox Junk { | ||||
|   auto = subscribe | ||||
|   special_use = \Junk | ||||
|   } | ||||
|   mailbox Sent { | ||||
|   auto = subscribe | ||||
|   special_use = \Sent | ||||
|   } | ||||
|   mailbox Trash { | ||||
|   auto = subscribe | ||||
|   special_use = \Trash | ||||
|   } | ||||
|   prefix = | ||||
|     cp -v default_configuration/opensmtpd/smtpd.conf.example my_configuration/opensmtpd/smtpd.conf | ||||
|     sed -i "s/__DOMAIN__/$DOMAIN/g" my_configuration/opensmtpd/smtpd.conf | ||||
|     cp -v default_configuration/opensmtpd/spamd.conf.example my_configuration/opensmtpd/spamd.conf | ||||
|     cp -v default_configuration/dovecot/dovecot.conf.example my_configuration/dovecot/dovecot.conf | ||||
|     cp -v default_configuration/dovecot/local.conf.example my_configuration/dovecot/dovecot.conf | ||||
| } | ||||
| 
 | ||||
| service auth { | ||||
|     user = $default_internal_user | ||||
|     group = _maildaemons | ||||
| } | ||||
| 
 | ||||
| passdb { | ||||
|   args = scheme=blf-crypt /etc/mail/passwd | ||||
|   driver = passwd-file | ||||
| } | ||||
| 
 | ||||
| plugin { | ||||
|   imapsieve_mailbox1_before = file:/usr/local/lib/dovecot/sieve/report-spam.sieve | ||||
|   imapsieve_mailbox1_causes = COPY | ||||
|   imapsieve_mailbox1_name = Junk | ||||
|   imapsieve_mailbox2_before = file:/usr/local/lib/dovecot/sieve/report-ham.sieve | ||||
|   imapsieve_mailbox2_causes = COPY | ||||
|   imapsieve_mailbox2_from = Junk | ||||
|   imapsieve_mailbox2_name = * | ||||
|   sieve = file:~/sieve;active=~/.dovecot.sieve | ||||
|   sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment | ||||
|   sieve_pipe_bin_dir = /usr/local/lib/dovecot/sieve | ||||
|   sieve_plugins = sieve_imapsieve sieve_extprograms | ||||
| } | ||||
| 
 | ||||
| 
 | ||||
| protocols = imap sieve | ||||
| service imap-login { | ||||
|   inet_listener imap { | ||||
|   port = 143 | ||||
|   } | ||||
| } | ||||
| 
 | ||||
| ssl = required | ||||
| 
 | ||||
| ssl_min_protocol = TLSv1.2 | ||||
| ssl_cipher_list = EECDH+AESGCM | ||||
| ssl_prefer_server_ciphers = yes | ||||
| #ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH | ||||
| 
 | ||||
| ssl_cert = </etc/ssl/$DOMAIN.crt | ||||
| ssl_key = </etc/ssl/private/$DOMAIN.key | ||||
| 
 | ||||
| userdb { | ||||
|     driver = static | ||||
|     args = uid=vmail gid=vmail home=/var/vmail/%d/%n/ | ||||
| } | ||||
| 
 | ||||
| protocol imap { | ||||
|   mail_plugins = " imap_sieve" | ||||
| } | ||||
| 
 | ||||
| EOF | ||||
| 
 | ||||
| } | ||||
| 
 | ||||
| gen_dkim_keys(){ | ||||
| gen_dkim_keys() | ||||
| { | ||||
|     # Generate dkim key | ||||
|     openssl genrsa -out my_configuration/mail/$DOMAIN-private.key 2048 | ||||
|     openssl rsa -in my_configuration/mail/$DOMAIN-private.key -pubout | \ | ||||
| @ -237,11 +82,12 @@ EOF | ||||
| 
 | ||||
| install_mails_services_configuration() | ||||
| { | ||||
|     cp my_configuration/mail/smtpd.conf /etc/mail/smtpd.conf | ||||
|     cp my_configuration/dovecot/local.conf /etc/dovecot/local.conf | ||||
|     cp -v my_configuration/mail/smtpd.conf /etc/mail/smtpd.conf | ||||
|     cp -v my_configuration/dovecot/dovecot.conf /etc/dovecot/ | ||||
|     cp -v my_configuration/dovecot/local.conf /etc/dovecot/local.conf | ||||
|     mkdir /etc/mail/dkim/ | ||||
|     cp my_configuration/mail/$DOMAIN-private.key /etc/mail/dkim/ | ||||
|     cp my_configuration/mail/$DOMAIN-public.key /etc/mail/dkim/ | ||||
|     cp -v my_configuration/mail/$DOMAIN-private.key /etc/mail/dkim/ | ||||
|     cp -v my_configuration/mail/$DOMAIN-public.key /etc/mail/dkim/ | ||||
|     chown -R _dkimsign /etc/mail/dkim/ | ||||
|     touch /etc/mail/virtuals | ||||
|     touch /etc/mail/passwd | ||||
| @ -259,7 +105,7 @@ make_system_mails_services_requirements() | ||||
|     usermod -G _maildaemons _dovecot | ||||
|     usermod -G _maildaemons _smtpd | ||||
| 
 | ||||
|     cp /etc/login.conf /etc/login.conf.old | ||||
|     cp /etc/login.conf /etc/login.conf.orig | ||||
|     cat >> /etc/login.conf <<EOF | ||||
| dovecot:\ | ||||
|     :openfiles-cur=1024:\ | ||||
| @ -269,15 +115,23 @@ EOF | ||||
| 
 | ||||
| } | ||||
| 
 | ||||
| mkdir my_configuration/mail | ||||
| mkdir my_configuration/dovecot | ||||
| make_directory_configuration() | ||||
| { | ||||
|     mkdir my_configuration/mail | ||||
|     mkdir my_configuration/dovecot | ||||
| } | ||||
| 
 | ||||
| install_mails_services_pkg | ||||
| gen_mails_service_configuration | ||||
| gen_dkim_keys | ||||
| gen_mails_service_utils | ||||
| install_mails_services_configuration | ||||
| make_system_mails_services_requirements | ||||
| rcctl enable redis | ||||
| rcctl start redis | ||||
| restart_mails_service | ||||
| if [ "$1" == "gen-config-only" ]; | ||||
| then | ||||
|     gen_mails_service_configuration | ||||
|     gen_dkim_keys | ||||
| elif [ "$1" == "install" ]; | ||||
| then | ||||
|     install_mails_services_pkg | ||||
|     gen_mails_service_configuration | ||||
|     gen_dkim_keys | ||||
|     install_mails_services_configuration | ||||
|     make_system_mails_services_requirements | ||||
|     rcctl enable redis | ||||
|     rcctl start redis | ||||
|     restart_mails_service | ||||
|  | ||||
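Review bot: The new dispatch at the bottom of the file opens `if [ "$1" == "gen-config-only" ]` / `elif [ "$1" == "install" ]` but no `fi` appears in the hunk, whose header (`+115,23`) ends at `restart_mails_service`; unless the file continues past this hunk the script fails to parse, so add `fi` after the last call. In gen_mails_service_configuration the last two `cp -v` lines both write `my_configuration/dovecot/dovecot.conf`, so `local.conf.example` overwrites `dovecot.conf` and the `my_configuration/dovecot/local.conf` that install_mails_services_configuration later copies never exists; the second target should be `my_configuration/dovecot/local.conf`. `sed -i "s/__DOMAIN__/$DOMAIN/g"` is applied to smtpd.conf only, while the copied Dovecot local.conf still names one fixed domain's certificate paths, so the same substitution (with a `__DOMAIN__` placeholder in that example) is needed there. Finally, make_directory_configuration is defined but called from neither branch, and `my_configuration/opensmtpd` is created nowhere visible, so the `cp -v` targets may not exist when the script runs.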
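--- /dev/null
+++ b/default_configuration/dovecot/dovecot.conf.example
@@ -0,0 +1,101 @@
+## Dovecot configuration file
+
+# If you're in a hurry, see http://wiki2.dovecot.org/QuickConfiguration
+
+# "doveconf -n" command gives a clean output of the changed settings. Use it
+# instead of copy&pasting files when posting to the Dovecot mailing list.
+
+# '#' character and everything after it is treated as comments. Extra spaces
+# and tabs are ignored. If you want to use either of these explicitly, put the
+# value inside quotes, eg.: key = "# char and trailing whitespace  "
+
+# Most (but not all) settings can be overridden by different protocols and/or
+# source/destination IPs by placing the settings inside sections, for example:
+# protocol imap { }, local 127.0.0.1 { }, remote 10.0.0.0/8 { }
+
+# Default values are shown for each setting, it's not required to uncomment
+# those. These are exceptions to this though: No sections (e.g. namespace {})
+# or plugin settings are added by default, they're listed only as examples.
+# Paths are also just examples with the real defaults being based on configure
+# options. The paths listed here are for configure --prefix=/usr
+# --sysconfdir=/etc --localstatedir=/var
+
+# Protocols we want to be serving.
+protocols = imap 
+
+# A comma separated list of IPs or hosts where to listen in for connections. 
+# "*" listens in all IPv4 interfaces, "::" listens in all IPv6 interfaces.
+# If you want to specify non-default ports or anything more complex,
+# edit conf.d/master.conf.
+listen = *, ::
+
+# Base directory where to store runtime data.
+#base_dir = /var/dovecot/
+
+# Name of this instance. In multi-instance setup doveadm and other commands
+# can use -i <instance_name> to select which instance is used (an alternative
+# to -c <config_path>). The instance name is also added to Dovecot processes
+# in ps output.
+#instance_name = dovecot
+
+# Greeting message for clients.
+#login_greeting = Dovecot ready.
+
+# Space separated list of trusted network ranges. Connections from these
+# IPs are allowed to override their IP addresses and ports (for logging and
+# for authentication checks). disable_plaintext_auth is also ignored for
+# these networks. Typically you'd specify your IMAP proxy servers here.
+#login_trusted_networks =
+
+# Space separated list of login access check sockets (e.g. tcpwrap)
+#login_access_sockets = 
+
+# With proxy_maybe=yes if proxy destination matches any of these IPs, don't do
+# proxying. This isn't necessary normally, but may be useful if the destination
+# IP is e.g. a load balancer's IP.
+#auth_proxy_self =
+
+# Show more verbose process titles (in ps). Currently shows user name and
+# IP address. Useful for seeing who are actually using the IMAP processes
+# (eg. shared mailboxes or if same uid is used for multiple accounts).
+#verbose_proctitle = no
+
+# Should all processes be killed when Dovecot master process shuts down.
+# Setting this to "no" means that Dovecot can be upgraded without
+# forcing existing client connections to close (although that could also be
+# a problem if the upgrade is e.g. because of a security fix).
+#shutdown_clients = yes
+
+# If non-zero, run mail commands via this many connections to doveadm server,
+# instead of running them directly in the same process.
+#doveadm_worker_count = 0
+# UNIX socket or host:port used for connecting to doveadm server
+#doveadm_socket_path = doveadm-server
+
+# Space separated list of environment variables that are preserved on Dovecot
+# startup and passed down to all of its child processes. You can also give
+# key=value pairs to always set specific settings.
+#import_environment = TZ
+
+##
+## Dictionary server settings
+##
+
+# Dictionary can be used to store key=value lists. This is used by several
+# plugins. The dictionary can be accessed either directly or though a
+# dictionary server. The following dict block maps dictionary names to URIs
+# when the server is used. These can then be referenced using URIs in format
+# "proxy::<name>".
+
+dict {
+  #quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
+}
+
+# Most of the actual configuration gets included below. The filenames are
+# first sorted by their ASCII value and parsed in that order. The 00-prefixes
+# in filenames are intended to make it easier to understand the ordering.
+#!include conf.d/*.conf
+
+# A config file can also tried to be included without giving an error if
+# it's not found:
+!include_try local.conf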
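--- /dev/null
+++ b/default_configuration/dovecot/local.conf.example
@@ -0,0 +1,89 @@
+listen = *
+protocols = imap
+first_valid_uid = 1000
+first_valid_gid = 1000
+mail_location = maildir:/var/vmail/%d/%n
+mail_plugin_dir = /usr/local/lib/dovecot
+disable_plaintext_auth = yes
+
+managesieve_notify_capability = mailto
+managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex  imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext imapsieve vnd.dovecot.imapsieve
+
+mbox_write_locks = fcntl
+mmap_disable = yes
+namespace inbox {
+  inbox = yes
+  location =
+  mailbox Archive {
+  auto = subscribe
+  special_use = \Archive
+  }
+  mailbox Drafts {
+  auto = subscribe
+  special_use = \Drafts
+  }
+  mailbox Junk {
+  auto = subscribe
+  special_use = \Junk
+  }
+  mailbox Sent {
+  auto = subscribe
+  special_use = \Sent
+  }
+  mailbox Trash {
+  auto = subscribe
+  special_use = \Trash
+  }
+  prefix =
+}
+
+service auth {
+    user = $default_internal_user
+    group = _maildaemons
+}
+
+passdb {
+  args = scheme=blf-crypt /etc/mail/passwd
+  driver = passwd-file
+}
+
+plugin {
+  imapsieve_mailbox1_before = file:/usr/local/lib/dovecot/sieve/report-spam.sieve
+  imapsieve_mailbox1_causes = COPY
+  imapsieve_mailbox1_name = Junk
+  imapsieve_mailbox2_before = file:/usr/local/lib/dovecot/sieve/report-ham.sieve
+  imapsieve_mailbox2_causes = COPY
+  imapsieve_mailbox2_from = Junk
+  imapsieve_mailbox2_name = *
+  sieve = file:~/sieve;active=~/.dovecot.sieve
+  sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment
+  sieve_pipe_bin_dir = /usr/local/lib/dovecot/sieve
+  sieve_plugins = sieve_imapsieve sieve_extprograms
+}
+
+
+protocols = imap sieve
+service imap-login {
+  inet_listener imap {
+  port = 143
+  }
+}
+
+ssl = required
+
+ssl_min_protocol = TLSv1.2
+ssl_cipher_list = EECDH+AESGCM
+ssl_prefer_server_ciphers = yes
+#ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
+
+ssl_cert = </etc/ssl/kitoy.me.crt
+ssl_key = </etc/ssl/private/kitoy.me.key
+
+userdb {
+    driver = static
+    args = uid=vmail gid=vmail home=/var/vmail/%d/%n/ 
+}
+
+protocol imap {
+  mail_plugins = " imap_sieve"
+}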
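--- /dev/null
+++ b/default_configuration/nginx/nginx.conf.example
@@ -0,0 +1,52 @@
+
+user www;
+worker_processes auto;
+pid /var/www/run/nginx.pid;
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+        worker_connections 768;
+        # multi_accept on;
+}
+
+http {
+
+        ##
+        # Basic Settings
+        ##
+
+        sendfile on;
+        tcp_nopush on;
+        tcp_nodelay on;
+        keepalive_timeout 65;
+        types_hash_max_size 2048;
+        # server_tokens off;
+
+        include /etc/nginx/mime.types;
+        default_type application/octet-stream;
+
+        ##
+        # SSL Settings
+        ##
+
+        ssl_protocols TLSv1.2; # Dropping SSLv3, ref: POODLE
+        ssl_prefer_server_ciphers on;
+
+        ##
+        # Logging Settings
+        ##
+
+        access_log /var/www/logs/nginx/access.log;
+        error_log /var/www/logs/nginx/error.log;
+
+        ##
+        # Gzip Settings
+        ##
+
+        gzip on;
+         ##
+        # Virtual Host Configs
+        ##
+
+        include /etc/nginx/sites-enabled/*;
+}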
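Review bot: `# server_tokens off;` is left commented in the http block, so nginx advertises its version in the Server header and on error pages; enabling it (`server_tokens off;`) is the usual hardening default for a template meant to be copied as-is. `ssl_protocols TLSv1.2;` excludes TLS 1.3 entirely; if the target nginx supports it, `ssl_protocols TLSv1.2 TLSv1.3;` keeps the intent of the POODLE comment without pinning clients to the older protocol. The `include /etc/nginx/modules-enabled/*.conf;` line looks like a Debian layout; confirm it matches the package this repository targets, since the rest of the file uses `/var/www/...` paths.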
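--- /dev/null
+++ b/default_configuration/nginx/site-available/example
@@ -0,0 +1,39 @@
+server {
+        listen 80;
+        server_name __DOMAIN__;
+
+        #Ajout pour les certificats letsencrypt
+        include snippets/acme-challenge.conf;
+
+        return 301 https://$http_host$request_uri;
+
+        root /html/$DOMAIN;
+
+}
+
+server {
+    listen 443 ssl http2;
+    server_name __DOMAIN__;
+
+
+    ssl_certificate         /etc/ssl/__DOMAIN__.crt;
+    ssl_certificate_key     /etc/ssl/private/__DOMAIN__.key;
+
+   #Ajout d'une configuration ssl securise
+   include snippets/secure-ssl.conf;
+
+    # Speeds things up a little bit when resuming a session
+    # ssl_session_timeout 5m;
+    # ssl_session_cache shared:SSL:5m;
+
+        # Ajout pour le certificat letsencrypt
+        include snippets/acme-challenge.conf;
+
+        # Ajout pour securiser les headers
+        include snippets/secure-headers.conf;
+}
+
+    # Path to the root of your installation
+   root /html/$DOMAIN;
+
+}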
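Review bot: The second `server` block is closed by the `}` right after `include snippets/secure-headers.conf;`, which leaves `root /html/$DOMAIN;` and a final `}` at top level, where `nginx -t` rejects the file; move the `root` directive inside the block and delete the stray brace. `$DOMAIN` in both `root /html/$DOMAIN;` lines is read by nginx as an (undefined) variable, whereas the rest of the template uses the `__DOMAIN__` placeholder that the install script substitutes, so it should be `root /html/__DOMAIN__;`. In the port-80 block the server-level `return 301 https://$http_host$request_uri;` is evaluated before any location from `snippets/acme-challenge.conf` is matched, so ACME HTTP-01 probes would be redirected too; writing it as `location / { return 301 https://$http_host$request_uri; }` keeps the challenge location reachable, assuming the snippet defines one.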
								default_configuration/opensmtpd/smtpd.conf.example
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
							| @ -0,0 +1,31 @@ | ||||
| # See smtpd.conf(5) for more information. | ||||
| # To accept external mail, replace with: listen on all | ||||
| # | ||||
| # Les certificats | ||||
| 
 | ||||
| pki "cert_mail" cert "/etc/ssl/__DOMAIN__.crt" | ||||
| pki "cert_mail" key "/etc/ssl/private/__DOMAIN__.key" | ||||
| 
 | ||||
| table aliases file:/etc/mail/aliases | ||||
| table passwd file:/etc/mail/passwd | ||||
| table virtuals file:/etc/mail/virtuals | ||||
| 
 | ||||
| filter "rspamd" proc-exec "filter-rspamd" | ||||
| filter "dkimsign" proc-exec "filter-dkimsign -d __DOMAIN__ -s dkim -k /etc/mail/dkim/__DOMAIN__-private.key" user _dkimsign group _dkimsign | ||||
| 
 | ||||
| # Activation du check du reverse DNS | ||||
| #filter check_rdns phase connect match !rdns disconnect "550 no rDNS available" | ||||
| #filter check_fcrdns phase connect match !fcrdns disconnect "550 no FCrDNS available" | ||||
| 
 | ||||
| listen on all tls pki "cert_mail" hostname "__DOMAIN__" filter  rspamd | ||||
| listen on all port submission tls-require pki "cert_mail" auth <passwd> filter dkimsign | ||||
| 
 | ||||
| action "local_mail" mbox alias <aliases> | ||||
| action "domain_mail" maildir "/var/vmail/__DOMAIN__/%{dest.user:lowercase}" virtual <virtuals> | ||||
| action "outbound" relay | ||||
| 
 | ||||
| 
 | ||||
| match from any for domain "__DOMAIN__" action "domain_mail" | ||||
| match from local for local action "local_mail" | ||||
| 
 | ||||
| match auth from any for any action "outbound" | ||||
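Review bot: Locally generated mail addressed outside `__DOMAIN__` matches none of the three rules at the end of the new file (inbound for the domain, local-to-local, authenticated relay), so smtpd will reject it as unmatched; if cron or application notifications from this host are expected to leave it, add `match from local for any action "outbound"` next to the local_mail rule. Such mail would also not pass through dkimsign, which is attached only to the submission listener, so it would presumably go out unsigned unless the filter is attached to that path as well. The `passwd` table and the DKIM private key are plain files under /etc/mail; a comment on the expected owner and mode of `/etc/mail/passwd` and `/etc/mail/dkim/__DOMAIN__-private.key` would help whoever installs this template.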
							
								
								
									
										37
									
								
								default_configuration/opensmtpd/smtpd.conf.example~
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
							| @ -0,0 +1,37 @@ | ||||
| # See smtpd.conf(5) for more information. | ||||
| 
 | ||||
| 
 | ||||
| # To accept external mail, replace with: listen on all | ||||
| # | ||||
| 
 | ||||
| # les Certificats | ||||
| pki "cert_mail" cert "/etc/ssl/__DOMAIN__.crt" | ||||
| pki "cert_mail" key "/etc/ssl/private/__DOMAIN__.key" | ||||
| 
 | ||||
| table aliases file:/etc/mail/aliases | ||||
| table passwd file:/etc/mail/passwd | ||||
| table virtuals file:/etc/mail/virtuals | ||||
| 
 | ||||
| filter "rspamd" proc-exec "filter-rspamd" | ||||
| filter "dkimsign" proc-exec "filter-dkimsign -d $DOMAIN -s dkim -k /etc/mail/dkim/__DOMAIN__-private.key" user _dkimsign group _dkimsign | ||||
| 
 | ||||
| # Activation du check du reverse DNS | ||||
| #filter check_rdns phase connect match !rdns disconnect "550 no rDNS available" | ||||
| #filter check_fcrdns phase connect match !fcrdns disconnect "550 no FCrDNS available" | ||||
| 
 | ||||
| # To accept external mail, replace with: listen on all | ||||
| 
 | ||||
| 
 | ||||
| listen on all tls pki "cert_mail" hostname "__DOMAIN__" filter  rspamd | ||||
| listen on all port submission tls-require pki "cert_mail" auth <passwd> filter dkimsign | ||||
| 
 | ||||
| action "local_mail" mbox alias <aliases> | ||||
| action "domain_mail" maildir "/var/vmail/__DOMAIN__/%{dest.user:lowercase}" virtual <virtuals> | ||||
| action "outbound" relay | ||||
| 
 | ||||
| 
 | ||||
| # Uncomment the following to accept external mail for domain "example.org" | ||||
| match from any for domain "__DOMAIN__" action "domain_mail" | ||||
| match from local for local action "local_mail" | ||||
| 
 | ||||
| match auth from any for any action "outbound" | ||||
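Review bot: `smtpd.conf.example~` is an editor backup of the file added just above and should not be committed; drop it from the commit and add `*~` to `.gitignore` so it does not come back. It also still carries the older `-d $DOMAIN` form on the dkimsign filter line, which the `sed "s/__DOMAIN__/$DOMAIN/g"` used by the install scripts would leave untouched, so anyone copying from the wrong file ends up with a literal `$DOMAIN` as the signing domain.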
							
								
								
									
										19
									
								
								default_configuration/opensmtpd/spamd.conf.example
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
							| @ -0,0 +1,19 @@ | ||||
| all:\ | ||||
|         :nixspam: | ||||
| 
 | ||||
| # Nixspam recent sources list. | ||||
| # Mirrored from http://www.heise.de/ix/nixspam | ||||
| nixspam:\ | ||||
|         :black:\ | ||||
|         :msg="Your address %A is in the nixspam list\n\ | ||||
|         See http://www.heise.de/ix/nixspam/dnsbl_en/ for details":\ | ||||
|         :method=https:\ | ||||
|         :file=www.openbsd.org/spamd/nixspam.gz | ||||
| 
 | ||||
| # An example of a list containing addresses which should not talk to spamd. | ||||
| # | ||||
| #override:\ | ||||
| #       :white:\ | ||||
| #       :method=file:\ | ||||
| #       :file=/var/db/override.txt: | ||||
| 
 | ||||
| @ -1,10 +1,12 @@ | ||||
| 
 | ||||
| #Filtres badhosts et sshguard | ||||
| table <pfbadhost> persist file "/etc/pf-badhost.txt" | ||||
| table <sshguard> persist | ||||
| table <whitelist> persist | ||||
| 
 | ||||
| ## Table pour les batards de bruteforceurs | ||||
| table <bruteforce> persist | ||||
| 
 | ||||
| table <http_abusive_hosts> persist | ||||
| 
 | ||||
| set block-policy drop                  # bloque silencieusement | ||||
| set skip on lo                         # En local on s'en fou on surveille rien | ||||
| @ -30,30 +32,3 @@ block in from <sshguard> | ||||
| block log quick from <bruteforce> label "brutes" | ||||
| 
 | ||||
| pass out on egress proto { tcp udp icmp ipv6-icmp } modulate state | ||||
| 
 | ||||
| #déclaration des variables | ||||
| web_ports = "{ http https }" | ||||
| mail_ports = "{ smtp submission imap }" | ||||
| xmpp_ports = "{ 5222 5269 }" | ||||
| ssh_port = "42420" | ||||
| 
 | ||||
| ## Anti bruteforce | ||||
| ### SSH | ||||
| #### Limite à 5 connexions simultanne par IP source | ||||
| #### Limite à 15 tentatives de connexion toutes les 5 minutes | ||||
| pass in on egress proto tcp to port $ssh_port  modulate state \ | ||||
|   (max-src-conn 5, max-src-conn-rate 15/5, overload <bruteforce> flush global) | ||||
| 
 | ||||
| #web | ||||
| pass in on egress proto tcp to port $web_ports modulate state \ | ||||
|     (max-src-conn 60, max-src-conn-rate 60/1, overload <bruteforce> flush global) | ||||
| 
 | ||||
| # mails | ||||
| ## antispam | ||||
| pass in on egress proto tcp to port  $mail_ports modulate state \ | ||||
|   (max-src-conn-rate 20/5, overload <bruteforce> flush global) | ||||
| pass out log on egress proto tcp to any port smtp | ||||
| 
 | ||||
| # XMPP | ||||
| pass in on egress proto tcp to port $xmpp_ports modulate state \ | ||||
|   (max-src-conn 15, max-src-conn-rate 15/5, overload <bruteforce> flush global) | ||||
|  | ||||
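Review bot: The `overload <bruteforce>` clauses removed in the second hunk were the only visible rules that populate `<bruteforce>`, so `block log quick from <bruteforce> label "brutes"` at the top of that hunk is now inert unless the rate-limited pass rules for ssh, web, mail and xmpp were moved elsewhere in the file (the rest of pf.conf is outside the hunk). If they were moved, the `overload <bruteforce> flush global` part should travel with them; if they were simply dropped, those ports have lost both their pass rules and their connection-rate limits. In the first hunk `table <http_abusive_hosts> persist` (and possibly `<whitelist>`, depending on which lines are new) is declared but nothing in either hunk references it; a persist table that no block or pass rule consumes is dead weight, and if it is meant to be fed from web logs a matching `block in quick from <http_abusive_hosts>` belongs next to the other block rules.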
| @ -15,10 +15,10 @@ listen.owner = www | ||||
| listen.group = www | ||||
| listen.mode = 0660 | ||||
| pm = dynamic | ||||
| pm.max_children = 5 | ||||
| pm.start_servers = 2 | ||||
| pm.max_children = 10 | ||||
| pm.start_servers = 4 | ||||
| pm.min_spare_servers = 1 | ||||
| pm.max_spare_servers = 3 | ||||
| pm.max_spare_servers = 6 | ||||
| chroot = /var/www | ||||
| env[HOSTNAME] = $HOSTNAME | ||||
| env[PATH] = /usr/local/bin:/usr/bin:/bin | ||||
|  | ||||
| @ -1,15 +1,11 @@ | ||||
| #!/bin/ksh | ||||
| 
 | ||||
| daemon="/usr/local/bin/python3" | ||||
| daemon_flags="wsgi.py" | ||||
| daemon="/usr/local/bin/python3 wsgi.py" | ||||
| daemon_execdir="/home/pywallter/pywallter" | ||||
| daemon_user="pywallter" | ||||
| location="/home/pywallter/pywallter" | ||||
| 
 | ||||
| . /etc/rc.d/rc.subr | ||||
| 
 | ||||
| rc_start() { | ||||
|         ${rcexec} "cd ${location}; ${daemon} ${daemon_flags}" | ||||
| } | ||||
| 
 | ||||
| rc_bg=YES | ||||
| rc_cmd $1 | ||||
|  | ||||
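Review bot: Folding the script name into `daemon="/usr/local/bin/python3 wsgi.py"` turns `daemon` into a command line rather than an executable path; rc.subr presumably builds the default start command and process pattern from `${daemon}` and `${daemon_flags}`, so the previous split (`daemon="/usr/local/bin/python3"`, `daemon_flags="wsgi.py"`) together with the new `daemon_execdir` expresses the same thing without relying on word-splitting of `daemon`, and keeps `daemon_flags` overridable from rc.conf.local. With the `rc_start` override gone, `location` (if that line survived the hunk) is no longer read by anything and can be dropped.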
| @ -5,24 +5,24 @@ | ||||
| 
 | ||||
| install_package_nextcloud() | ||||
| { | ||||
|     pkg_add php-bz2-8.0.26 php-curl-8.0.26 php-gd-8.0.26 php-gmp-8.0.26 \ | ||||
|             php-intl-8.0.26 php-pdo_pgsql-8.0.26 php-zip-8.0.26 \ | ||||
|     pkg_add php-bz2-8.1.18 php-curl-8.1.18 php-gd-8.1.18 php-gmp-8.1.18 \ | ||||
|             php-intl-8.1.18 php-pdo_pgsql-8.1.18 php-zip-8.1.18 \ | ||||
|             pecl80-imagick-3.7.0p1 pecl80-redis-5.3.7p0 \ | ||||
|             nextcloud-24.0.5 | ||||
|             nextcloud-25.0.6 | ||||
| } | ||||
| 
 | ||||
| enable_nextlcoud_php_modules(){ | ||||
|     #enable modules | ||||
|     ln -s /etc/php-8.0.sample/gd.ini /etc/php-8.0/gd.ini | ||||
|     ln -s /etc/php-8.0.sample/imagick.ini /etc/php-8.0/imagick.ini | ||||
|     ln -s /etc/php-8.0.sample/opcache.ini /etc/php-8.0/opcache.ini | ||||
|     ln -s /etc/php-8.0.sample/curl.ini /etc/php-8.0/curl.ini | ||||
|     ln -s /etc/php-8.0.sample/gmp.ini /etc/php-8.0/gmp.ini | ||||
|     ln -s /etc/php-8.0.sample/intl.ini /etc/php-8.0/intl.ini | ||||
|     ln -s /etc/php-8.0.sample/redis.ini /etc/php-8.0/redis.ini | ||||
|     ln -s /etc/php-8.0.sample/bz2.ini /etc/php-8.0/bz2.ini | ||||
|     ln -s /etc/php-8.0.sample/zip.ini /etc/php-8.0/zip.ini | ||||
|     ln -s /etc/php-8.0.sample/pdo_pgsql.ini /etc/php-8.0/pdo_pgsql.ini | ||||
|     ln -s /etc/php-8.1.sample/gd.ini /etc/php-8.1/gd.ini | ||||
|     ln -s /etc/php-8.1.sample/imagick.ini /etc/php-8.1/imagick.ini | ||||
|     ln -s /etc/php-8.1.sample/opcache.ini /etc/php-8.1/opcache.ini | ||||
|     ln -s /etc/php-8.1.sample/curl.ini /etc/php-8.1/curl.ini | ||||
|     ln -s /etc/php-8.1.sample/gmp.ini /etc/php-8.1/gmp.ini | ||||
|     ln -s /etc/php-8.1.sample/intl.ini /etc/php-8.1/intl.ini | ||||
|     ln -s /etc/php-8.1.sample/redis.ini /etc/php-8.1/redis.ini | ||||
|     ln -s /etc/php-8.1.sample/bz2.ini /etc/php-8.1/bz2.ini | ||||
|     ln -s /etc/php-8.1.sample/zip.ini /etc/php-8.1/zip.ini | ||||
|     ln -s /etc/php-8.1.sample/pdo_pgsql.ini /etc/php-8.1/pdo_pgsql.ini | ||||
|     restart_php_service | ||||
| } | ||||
| 
 | ||||
| @ -34,8 +34,8 @@ configure_nginx_service(){ | ||||
| create_nextcloud_db(){ | ||||
|     psql template1 postgres -c "CREATE USER $nextcloud_db_user WITH PASSWORD '$nextcloud_db_pass' CREATEDB ;" | ||||
|     psql template1 postgres -c "CREATE DATABASE $nextcloud_db_name TEMPLATE template1 ENCODING 'UTF8' ;" | ||||
|     psql template1 postgres -c "GRANT ALL PRIVILEGES ON DATABASE $nextcloud_db_name TO $nextcloud_db_user ;" | ||||
|     psql template1 postgres -c "GRANT ALL PRIVILEGES ON SCHEMA public TO $nextcloud_db_user ;" | ||||
|     psql template1 postgres -c "GRANT ALL PRIVILEGES ON DATABASE $nextcloud_db_name TO $nextcloud_db_user;" | ||||
|     psql template1 postgres -c "ALTER DATABASE $nextcloud_db_name OWNER TO nextcloud_db_user;" | ||||
| } | ||||
| 
 | ||||
| 
 | ||||
| @ -79,14 +79,23 @@ install_nextcloud(){ | ||||
|          /var/cron/tabs/root | ||||
| 
 | ||||
| } | ||||
| 
 | ||||
| 
 | ||||
| mkdir my_configuration/nextcloud | ||||
| check_services_for_nextlcoud | ||||
| install_package_nextcloud | ||||
| enable_nextlcoud_php_modules | ||||
| configure_nginx_service | ||||
| create_nextcloud_db | ||||
| install_configuration_files_nextcloud | ||||
| install_nextcloud | ||||
| restart_webserver_service | ||||
| 
 | ||||
| if [ "$1" == "gen-config-only" ]; | ||||
| then | ||||
|     check_services_for_nextcloud | ||||
|     configure_nginx_service     | ||||
| elif [ "$1" == "install" ]; | ||||
| then | ||||
|     check_services_for_nextcloud | ||||
|     configure_nginx_service | ||||
|     install_package_nextcloud | ||||
|     enable_nextlcoud_php_modules | ||||
|     create_nextcloud_db | ||||
|     install_configuration_files_nextcloud | ||||
|     install_nextcloud | ||||
|     restart_webserver_service | ||||
| fi | ||||
| 
 | ||||
| 
 | ||||
| 
 | ||||
|  | ||||
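Review bot: The new `ALTER DATABASE $nextcloud_db_name OWNER TO nextcloud_db_user;` in create_nextcloud_db is missing the `$` on the role name, so it hands ownership to a literal role called nextcloud_db_user and fails; it should read `psql template1 postgres -c "ALTER DATABASE $nextcloud_db_name OWNER TO $nextcloud_db_user;"`. The dispatch block at the end calls `check_services_for_nextcloud`, while the old call site used `check_services_for_nextlcoud` and the sibling `enable_nextlcoud_php_modules` keeps its misspelling; unless the definition (outside the hunk) was renamed in the same commit, that call now hits an undefined function. Every psql call also passes the SQL, including `$nextcloud_db_pass`, on the command line, where it is visible in the process list for the duration of the CREATE USER statement; feeding the statements to psql on stdin via a heredoc avoids that.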
| @ -10,61 +10,8 @@ install_nginx_package() | ||||
| 
 | ||||
| gen_nginx_configuration() | ||||
| { | ||||
|     cat > my_configuration/nginx/nginx.conf <<EOF | ||||
| user www; | ||||
| worker_processes auto; | ||||
| pid /var/www/run/nginx.pid; | ||||
| include /etc/nginx/modules-enabled/*.conf; | ||||
| 
 | ||||
| events { | ||||
|         worker_connections 768; | ||||
|         # multi_accept on; | ||||
| } | ||||
| 
 | ||||
| http { | ||||
| 
 | ||||
|         ## | ||||
|         # Basic Settings | ||||
|         ## | ||||
| 
 | ||||
|         sendfile on; | ||||
|         tcp_nopush on; | ||||
|         tcp_nodelay on; | ||||
|         keepalive_timeout 65; | ||||
|         types_hash_max_size 2048; | ||||
|         # server_tokens off; | ||||
| 
 | ||||
|         include /etc/nginx/mime.types; | ||||
|         default_type application/octet-stream; | ||||
| 
 | ||||
|         ## | ||||
|         # SSL Settings | ||||
|         ## | ||||
| 
 | ||||
|         ssl_protocols TLSv1.2; # Dropping SSLv3, ref: POODLE | ||||
|         ssl_prefer_server_ciphers on; | ||||
| 
 | ||||
|         ## | ||||
|         # Logging Settings | ||||
|         ## | ||||
| 
 | ||||
|         access_log /var/www/logsnginx/access.log; | ||||
|         error_log /var/www/logs/nginx/error.log; | ||||
| 
 | ||||
|         ## | ||||
|         # Gzip Settings | ||||
|         ## | ||||
| 
 | ||||
|         gzip on; | ||||
|          ## | ||||
|         # Virtual Host Configs | ||||
|         ## | ||||
| 
 | ||||
|         include /etc/nginx/sites-enabled/*; | ||||
| } | ||||
| EOF | ||||
| 
 | ||||
|     openssl dhparam -out default_configuration/nginx/dhparam.pem 2048 | ||||
|     cp -v default_configuration/nginx/nginx.conf.example my_configuration/nginx/nginx.conf | ||||
|     openssl dhparam -out my_configuration/nginx/dhparam.pem 2048 | ||||
| 
 | ||||
| } | ||||
| 
 | ||||
| @ -72,57 +19,18 @@ EOF | ||||
| 
 | ||||
| make_default_homepage() | ||||
| { | ||||
|     cat > my_configuration/nginx/site-available/$DOMAIN <<EOF | ||||
| server { | ||||
|         listen 80; | ||||
|         server_name $DOMAIN; | ||||
| 
 | ||||
|         #Ajout pour les certificats letsencrypt | ||||
|         include snippets/acme-challenge.conf; | ||||
| 
 | ||||
|         return 301 https://$http_host$request_uri; | ||||
| 
 | ||||
|         root /html/$DOMAIN; | ||||
| 
 | ||||
| } | ||||
| 
 | ||||
| server { | ||||
|     listen 443 ssl http2; | ||||
|     server_name $DOMAIN; | ||||
| 
 | ||||
| 
 | ||||
|     ssl_certificate         /etc/ssl/$DOMAIN.crt; | ||||
|     ssl_certificate_key     /etc/ssl/private/$DOMAIN.key; | ||||
| 
 | ||||
|    #Ajout d'une configuration ssl securise | ||||
|    include snippets/secure-ssl.conf; | ||||
| 
 | ||||
|     # Speeds things up a little bit when resuming a session | ||||
|     # ssl_session_timeout 5m; | ||||
|     # ssl_session_cache shared:SSL:5m; | ||||
| 
 | ||||
|         # Ajout pour le certificat letsencrypt | ||||
|         include snippets/acme-challenge.conf; | ||||
| 
 | ||||
|         # Ajout pour securiser les headers | ||||
|         include snippets/secure-headers.conf; | ||||
| } | ||||
| 
 | ||||
|     # Path to the root of your installation | ||||
|    root /html/$DOMAIN; | ||||
| 
 | ||||
| } | ||||
| EOF | ||||
| 
 | ||||
|     cp -v default_configuration/nginx/site-avalaible/example \ | ||||
|        my_configuration/nginx/site-available/$DOMAIN | ||||
|     sed -i "s/__DOMAIN__/$DOMAIN/g" my_configuration/nginx/site-available/$DOMAIN | ||||
| } | ||||
| 
 | ||||
| install_nginx_configuration(){ | ||||
|     mkdir /etc/nginx/sites-enabled/ | ||||
|     mkdir /etc/nginx/sites-available/ | ||||
|     mkdir /etc/nginx/snippets/ | ||||
|     cp my_configuration/nginx/nginx.conf /etc/nginx/nginx.conf | ||||
|     cp my_configuration/nginx/dhparam.pem /etc/nginx/dhparam.pem | ||||
|     cp my_configuration/nginx/snippets/* /etc/nginx/snippets/ | ||||
|     mkdir -v /etc/nginx/sites-enabled/ | ||||
|     mkdir -v /etc/nginx/sites-available/ | ||||
|     mkdir -v /etc/nginx/snippets/ | ||||
|     cp -v my_configuration/nginx/nginx.conf /etc/nginx/nginx.conf | ||||
|     cp -v my_configuration/nginx/dhparam.pem /etc/nginx/dhparam.pem | ||||
|     cp -v my_configuration/nginx/snippets/* /etc/nginx/snippets/ | ||||
| } | ||||
| 
 | ||||
| install_chroot_env() | ||||
| @ -130,23 +38,21 @@ install_chroot_env() | ||||
|     mkdir /var/www/etc/ssl/ | ||||
|     install -m 444 -o root -g bin /etc/resolv.conf /var/www/etc/ | ||||
|     install -m 444 -o root -g bin /etc/ssl/cert.pem /etc/ssl/openssl.cnf /var/www/etc/ssl/ | ||||
| 
 | ||||
| } | ||||
| 
 | ||||
| add_logs_to_newssyslog(){ | ||||
|     cp -v /etc/newsyslog.conf /etc/newsyslog.conf.old | ||||
|     egrep -v "nginx" /etc/newsyslog.conf > /tmp/newsyslog.conf | ||||
|     egrep -v "nginx|httpd" /etc/newsyslog.conf > /tmp/newsyslog.conf | ||||
|     cat >> /tmp/newsyslog.conf <<EOF | ||||
| /var/www/logs/access.log                644  2     *    \$W0   Z /var/www/run/nginx.pid SIGUSR1 | ||||
| /var/www/logs/error.log                 644  2     250  *     Z /var/www/run/nginx.pid SIGUSR1 | ||||
| 
 | ||||
| EOF | ||||
|     mv /tmp/newsyslog.conf /etc/newsyslog.conf | ||||
| } | ||||
| 
 | ||||
| mkdir my_configuration/nginx/ | ||||
| install_nginx_package | ||||
| #install_nginx_package | ||||
| gen_nginx_configuration | ||||
| install_chroot_env | ||||
| install_nginx_configuration | ||||
| restart_webserver_service | ||||
| #install_chroot_env | ||||
| #install_nginx_configuration | ||||
| #restart_webserver_service | ||||
|  | ||||
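Review bot: make_default_homepage copies from `default_configuration/nginx/site-avalaible/example`, but the template added in this compare lives at `default_configuration/nginx/site-available/example`, so the cp fails and the following sed runs on a missing file; fix the spelling to `site-available`. That template still contains `root /html/$DOMAIN;` in both server blocks, which `s/__DOMAIN__/$DOMAIN/g` does not touch, so nginx will most likely reject the result as an unknown variable, and its second server block closes with `}` before the `# Path to the root of your installation` comment, leaving the final `root` outside any block followed by a stray brace; the template should use `__DOMAIN__` consistently and close the block once, after `root`. A `$DOMAIN` containing `/` or `&` would also need escaping before being used as a sed replacement. The bottom of the script now just comments out the install steps instead of adopting the `gen-config-only`/`install` dispatch on `$1` that the sibling scripts gained, which leaves this script with no way to run the install path.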
| @ -2,42 +2,11 @@ | ||||
| 
 | ||||
| install_php_package() | ||||
| { | ||||
|     pkg_add php-8.0.26 | ||||
|     pkg_add php-8.1.18 | ||||
| } | ||||
| 
 | ||||
| gen_php_configuration(){ | ||||
|     cat > my_configuration/php/php-fpm.conf <<EOF | ||||
| ;;;;;;;;;;;;;;;;;;;;; | ||||
| ; FPM Configuration ; | ||||
| ;;;;;;;;;;;;;;;;;;;;; | ||||
| [global] | ||||
| error_log = log/php-fpm.log | ||||
| ;;;;;;;;;;;;;;;;;;;; | ||||
| ; Pool Definitions ; | ||||
| ;;;;;;;;;;;;;;;;;;;; | ||||
| include=/etc/php-fpm.d/*.conf | ||||
| [www] | ||||
| user = www | ||||
| group = www | ||||
| listen = /var/www/run/php-fpm.sock | ||||
| listen.owner = www | ||||
| listen.group = www | ||||
| listen.mode = 0660 | ||||
| pm = dynamic | ||||
| pm.max_children = 5 | ||||
| pm.start_servers = 2 | ||||
| pm.min_spare_servers = 1 | ||||
| pm.max_spare_servers = 3 | ||||
| chroot = /var/www | ||||
| env[HOSTNAME] = \$HOSTNAME | ||||
| env[PATH] = /usr/local/bin:/usr/bin:/bin | ||||
| env[TMP] = /tmp | ||||
| env[TMPDIR] = /tmp | ||||
| env[TEMP] = /tmp | ||||
| 
 | ||||
| 
 | ||||
| EOF | ||||
| 
 | ||||
|     cp -v default_configuration/php/php-fpm.conf my_configuration/php/php-fpm.conf  | ||||
| } | ||||
| 
 | ||||
| install_configurations_files() | ||||
| @ -53,7 +22,13 @@ start_php_service() | ||||
| } | ||||
| 
 | ||||
| mkdir my_configuration/php/ | ||||
| install_php_package | ||||
| gen_php_configuration | ||||
| install_configurations_files | ||||
| start_php_service | ||||
| if [ "$1" == "gen-config-only" ]; | ||||
| then | ||||
|     gen_php_configuration | ||||
| elif [ "$1" == "install" ]; | ||||
| then | ||||
|     install_php_package | ||||
|     gen_php_configuration | ||||
|     install_configurations_files | ||||
|     start_php_service | ||||
| fi | ||||
|  | ||||
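Review bot: The `if`/`elif` dispatch on `$1` at the end has no fallback, so running the script with no argument or a misspelt one exits 0 having done nothing; add `else echo "usage: $0 gen-config-only|install" >&2; exit 1` before the `fi`. The same applies to the dispatch blocks added to the nextcloud, postgresql and pywallter scripts in this compare. The `cp -v default_configuration/php/php-fpm.conf my_configuration/php/php-fpm.conf ` line carries trailing whitespace.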
| @ -2,46 +2,41 @@ | ||||
| 
 | ||||
| install_postresql_packages() | ||||
| { | ||||
|     pkg_add postgresql-client-14.5 postgresql-server-14.5 | ||||
|     pkg_add postgresql-client-15.2 postgresql-server-15.2 | ||||
| } | ||||
| 
 | ||||
| configure_postgresql_service() | ||||
| { | ||||
|     cat > my_configuration/postgresql/pg_hba.conf <<EOF | ||||
| # TYPE  DATABASE        USER            ADDRESS                 METHOD | ||||
|     cp -v default_configuration/postgresql/pg_hba.conf my_configuration/postgresql/pg_hba.conf     | ||||
| } | ||||
| 
 | ||||
| local   all     postgres        trust | ||||
| # "local" is for Unix domain socket connections only | ||||
| #local   all             all                                     md5 | ||||
| # IPv4 local connections: | ||||
| host    all             all             127.0.0.1/32            md5 | ||||
| 
 | ||||
| 
 | ||||
| # IPv6 local connections: | ||||
| host    all             all             ::1/128                 md5 | ||||
| # Allow replication connections from localhost, by a user with the | ||||
| # replication privilege. | ||||
| local   replication     all                                     md5 | ||||
| host    replication     all             127.0.0.1/32            md5 | ||||
| host    replication     all             ::1/128                 md5 | ||||
| 
 | ||||
| EOF | ||||
| make_data_directory() | ||||
| { | ||||
|     su -m _postgresql -c "mkdir /var/postgresql/data" | ||||
|     echo $postgresql_root_password > /tmp/passwordpsql.txt | ||||
|     su -m _postgresql -c "initdb -D /var/postgresql/data -U postgres -A md5 -E UTF8 --pwfile=/tmp/passwordpsql.txt" | ||||
|     [ ! -d "/var/postgresql/data" ] || mv /var/postgresql/data /var/postgresql/data.old | ||||
|     su -m _postgresql -c "initdb -D /var/postgresql/data -U postgres -A scram-sha-256 -E UTF8 --pwfile=/tmp/passwordpsql.txt" | ||||
|     rm /tmp/passwordpsql.txt  | ||||
| } | ||||
| 
 | ||||
| install_postgresql_configurations_files(){ | ||||
| install_postgresql_configurations_files() | ||||
| { | ||||
|     cp -v my_configuration/postgresql/pg_hba.conf /var/postgresql/data/pg_hba.conf | ||||
| } | ||||
| 
 | ||||
| start_postgresql_service(){ | ||||
| start_postgresql_service() | ||||
| { | ||||
|     rcctl start postgresql | ||||
| } | ||||
| 
 | ||||
| mkdir my_configuration/postgresql/ | ||||
| #install_postresql_packages | ||||
| configure_postgresql_service | ||||
| install_postgresql_configurations_files | ||||
| start_postgresql_service | ||||
| 
 | ||||
| if [ "$1" == "gen-config-only" ]; | ||||
| then | ||||
|     configure_postgresql_service | ||||
| elif [ "$1" == "install" ]; | ||||
| then | ||||
|     install_postresql_packages | ||||
|     configure_postgresql_service | ||||
|     install_postgresql_configurations_files | ||||
|     start_postgresql_service | ||||
| fi | ||||
|  | ||||
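Review bot: make_data_directory writes `$postgresql_root_password` to `/tmp/passwordpsql.txt` with the caller's default umask, so the superuser password sits readable to other local users in a shared directory until the `rm`, and stays there if initdb fails in between; create it with `umask 077` (or `install -m 600`) in a location only `_postgresql` can read, quote the variable, and remove it from a trap so failure paths clean up too. The `[ ! -d "/var/postgresql/data" ] || mv ...` guard runs after the `mkdir`, so on a fresh host it moves the just-created empty directory aside, and on a second run `mv` drops the live cluster inside an existing `data.old` instead of replacing it; put the guard first, drop the `mkdir` (initdb creates the directory itself), and refuse to run or use a unique backup name when `data.old` already exists. With `-A scram-sha-256` the stored verifiers change, so the pg_hba.conf now copied from default_configuration (outside the hunk) should use `scram-sha-256` rather than the `md5` method the old heredoc used for the same entries, so that policy and verifier match.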
| @ -28,11 +28,22 @@ DOSSIER_APP = "./users/" | ||||
| DATABASE = "./base.db" | ||||
| EXT_IMG= {'.jpg', '.JPG', '.png', '.PNG', '.gif', '.GIF', '.bmp', '.BMP', '.jpeg', '.JPEG' } | ||||
| SIGNIN_ENABLE = True | ||||
| XMPP_SERVER = True | ||||
| MAIL_SERVER = True | ||||
| SETUID='doas' | ||||
| EOF | ||||
| 
 | ||||
|     if [ SERVICE_MAIL = "yes" ]; | ||||
|        then | ||||
| 	   echo "MAIL_SERVER = True" >> my_configuration/pywallter/config.py | ||||
|        else | ||||
| 	   echo "MAIL_SERVER = False" >> my_configuration/pywallter/config.py | ||||
|     fi | ||||
| 
 | ||||
|     if [ SERVICE_XMPP = "yes" ]; | ||||
|     then | ||||
| 	echo "XMPP_SERVER = True" >> my_configuration/pywallter/config.py | ||||
|     else | ||||
| 	echo "XMPP_SERVER = False" >> myconfiguration/pywallter/config.py | ||||
|     fi | ||||
| } | ||||
| 
 | ||||
| 
 | ||||
| @ -58,7 +69,15 @@ EOF | ||||
| } | ||||
| 
 | ||||
| mkdir my_configuration/pywallter/ | ||||
| gen_pywallter_configuration_app | ||||
| gen_nginx_pywallter_app | ||||
| install_pywallter_app | ||||
| install_pywallter_configuration_files | ||||
| 
 | ||||
| if [ "$1" == "gen-config-only" ]; | ||||
| then | ||||
|     gen_pywallter_configuration_app | ||||
|     gen_nginx_pywallter_app | ||||
| elif [ "$1" == "install" ]; | ||||
| then | ||||
|     gen_pywallter_configuration_app | ||||
|     gen_nginx_pywallter_app | ||||
|     install_pywallter_app | ||||
|     install_pywallter_configuration_files | ||||
| fi | ||||
|  | ||||
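Review bot: Both new tests compare a literal string rather than a variable — `[ SERVICE_MAIL = "yes" ]` and `[ SERVICE_XMPP = "yes" ]` are always false — so the generated config.py always gets `MAIL_SERVER = False` and `XMPP_SERVER = False`; they should read `if [ "$SERVICE_MAIL" = "yes" ];` and `if [ "$SERVICE_XMPP" = "yes" ];`. The else branch of the XMPP test also writes to `myconfiguration/pywallter/config.py` (missing underscore), a directory the script never creates, so that branch fails outright; it should be `my_configuration/pywallter/config.py` like the other three echoes. The dispatch at the end has no fallback for an unknown `$1`, as in the other install scripts in this compare.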
| @ -13,11 +13,11 @@ install_prosody_package(){ | ||||
| 
 | ||||
| gen_prosody_configuration(){ | ||||
| 
 | ||||
|     cp -v default_configuration/xmpp/prosody.cfg.lua.example default_configuration/xmpp/prosody.cfg.lua | ||||
|     sed -i "s/__DOMAIN__/$DOMAIN/g" default_configuration/xmpp/prosody.cfg.lua | ||||
|     cp -v default_configuration/xmpp/virtualHosts/example.com.conf default_configuration/xmpp/virtualHosts/$DOMAIN.conf | ||||
|     sed -i "s/__DOMAIN__/$DOMAIN/g" default_configuration/xmpp/virtualHosts/$DOMAIN.conf | ||||
|     sed -i "s/__xmpp_passphrase_for_filesuploads__/$xmpp_passphrase_for_filesuploads/g" default_configuration/xmpp/virtualHosts/$DOMAIN.conf | ||||
|     cp -v default_configuration/xmpp/prosody.cfg.lua.example my_configuration/xmpp/prosody.cfg.lua | ||||
|     sed -i "s/__DOMAIN__/$DOMAIN/g" my_configuration/xmpp/prosody.cfg.lua | ||||
|     cp -v default_configuration/xmpp/virtualHosts/example.com.conf my_configuration/xmpp/virtualHosts/$DOMAIN.conf | ||||
|     sed -i "s/__DOMAIN__/$DOMAIN/g" my_configuration/xmpp/virtualHosts/$DOMAIN.conf | ||||
|     sed -i "s/__xmpp_passphrase_for_filesuploads__/$xmpp_passphrase_for_filesuploads/g" my_configuration/xmpp/virtualHosts/$DOMAIN.conf | ||||
| 
 | ||||
| 
 | ||||
| } | ||||
| @ -28,7 +28,6 @@ install_xmpp_certs_ssl(){ | ||||
|     install -o _prosody -g _prosody my_configuration/xmpp/dh-2048.pem /etc/prosody/certs/dh-2048.pem | ||||
|     install -o _prosody -g _prosody /etc/ssl/private/"$DOMAIN".key /etc/prosody/certs/"$DOMAIN".key; | ||||
|     install -o _prosody -g _prosody /etc/ssl/"$DOMAIN".crt /etc/prosody/certs/"$DOMAIN".crt; | ||||
| 
 | ||||
| } | ||||
| 
 | ||||
| install_prosody_modules(){ | ||||
| @ -45,7 +44,6 @@ install_prosody_modules(){ | ||||
| 
 | ||||
| 
 | ||||
| gen_nginx_configuration_files_upload(){ | ||||
| 
 | ||||
|     cp -v default_configuration/xmpp/nginx.conf.sample my_configuration/xmpp/upload.$DOMAIN | ||||
|     cp -v default_configuration/xmpp/share.php.sample my_configuration/xmpp/share.php | ||||
|     sed -i "s/__DOMAIN__/$DOMAIN/g" my_configuration/xmpp/upload.$DOMAIN | ||||
| @ -82,6 +80,7 @@ install_xmpp_configurations_files(){ | ||||
| 
 | ||||
| 
 | ||||
| mkdir my_configuration/xmpp | ||||
| 
 | ||||
| if [ "$1" == "gen-config-only" ]; | ||||
| then | ||||
|     gen_prosody_configuration | ||||
| @ -97,3 +96,11 @@ then | ||||
|     rcctl enable prosody | ||||
|     rcctl start prosody | ||||
| fi | ||||
| 
 | ||||
| if [ "$1" == "gen-config-only" ]; | ||||
| then | ||||
|     #code | ||||
| elif [ "$1" == "install" ]; | ||||
| then | ||||
|     #Code | ||||
| fi | ||||
|  | ||||
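Review bot: The trailing `if [ "$1" == "gen-config-only" ]; then #code elif ... then #Code fi` block is a syntax error — a `then` list must contain at least one command and a comment does not count — so the whole script fails to parse and neither the existing dispatch above it nor any function runs. It duplicates the `gen-config-only`/`install` block that already ends in `fi` just before it, so delete it rather than fill it in. In gen_prosody_configuration, `$xmpp_passphrase_for_filesuploads` is interpolated raw into a sed expression, so a passphrase containing `/`, `&` or `\` either breaks the command or lands mangled in the virtual host file, and the secret is exposed on the sed command line; escape it first, or do the substitution with a tool that reads the value from the environment.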
| @ -1,5 +1,5 @@ | ||||
| 
 | ||||
| ## Par défault le domain est le nom d'hote de la machine maisil est possible de le personnaliser | ||||
| ## Par défault le domain est le nom d'hote de la machine mais il est possible de le personnaliser | ||||
| ## comme l'exemple ce-dessous | ||||
| # DOMAIN="example.com" | ||||
| DOMAIN=`hostname` | ||||
|  | ||||