
Initial commit

main
Miraty 4 months ago
commit
35acb4920e
  1. 4
      .gitignore
  2. 28
      mkosi.default
  3. 15
      mkosi.default.d/arch/mkosi.default
  4. 17
      mkosi.default.d/debian/mkosi.default
  5. 32
      mkosi.extra/etc/knot/knot.conf
  6. 26
      mkosi.extra/etc/nginx/default-server.conf
  7. 17
      mkosi.extra/etc/nginx/http.conf
  8. 72
      mkosi.extra/etc/nginx/inc/errors.conf
  9. 26
      mkosi.extra/etc/nginx/inc/fastcgi.conf
  10. 11
      mkosi.extra/etc/nginx/inc/ffdhe3072.pem
  11. 13
      mkosi.extra/etc/nginx/inc/ffdhe4096.pem
  12. 1003
      mkosi.extra/etc/nginx/inc/nginx-types.conf
  13. 5
      mkosi.extra/etc/nginx/inc/niver.conf
  14. 16
      mkosi.extra/etc/nginx/inc/security.conf
  15. 5
      mkosi.extra/etc/nginx/inc/tls-inter.conf
  16. 6
      mkosi.extra/etc/nginx/inc/tls-laxist.conf
  17. 4
      mkosi.extra/etc/nginx/inc/tls-strict.conf
  18. 4
      mkosi.extra/etc/nginx/inc/tls.conf
  19. 84
      mkosi.extra/etc/nginx/inc/types.conf
  20. 42
      mkosi.extra/etc/nginx/nginx.conf
  21. 38
      mkosi.extra/etc/nginx/sites/niver.test.conf
  22. 27
      mkosi.extra/etc/php/php-fpm.d/errors.conf
  23. 26
      mkosi.extra/etc/php/php-fpm.d/niver.conf
  24. 61
      mkosi.extra/etc/ssh/sshd_config
  25. 3
      mkosi.nspawn
  26. 10
      mkosi.postinst
  27. 51
      mkosi.prepare
  28. 3
      mkosi.skeleton/etc/apt/sources.list
  29. 3
      mkosi.skeleton/etc/pacman.d/mirrorlist
  30. 1
      mkosi.skeleton/etc/resolv.conf
  31. 6
      mkosi.skeleton/etc/systemd/resolved.conf.d/fdn.conf
  32. 27
      mkosi.skeleton/etc/systemd/system/sftpgo.service
  33. 5
      mkosi.skeleton/root/build-maniver.sh
  34. 8
      mkosi.skeleton/root/build-sftpgo.sh
  35. 1
      mkosi.skeleton/root/maniver
  36. 6
      mkosi.skeleton/srv/ns/niver.test.zone
  37. 15
      mkosi.skeleton/srv/php/errors/400.html
  38. 15
      mkosi.skeleton/srv/php/errors/403.html
  39. 19
      mkosi.skeleton/srv/php/errors/404.en.html
  40. 19
      mkosi.skeleton/srv/php/errors/404.fr.html
  41. 20
      mkosi.skeleton/srv/php/errors/404.php
  42. 15
      mkosi.skeleton/srv/php/errors/405.html
  43. 15
      mkosi.skeleton/srv/php/errors/410.html
  44. 15
      mkosi.skeleton/srv/php/errors/418.html
  45. 19
      mkosi.skeleton/srv/php/errors/500.html
  46. 19
      mkosi.skeleton/srv/php/errors/502.html
  47. 19
      mkosi.skeleton/srv/php/errors/503.html
  48. 19
      mkosi.skeleton/srv/php/errors/504.html
  49. 11
      mkosi.skeleton/srv/php/errors/default-domain.en.html
  50. 11
      mkosi.skeleton/srv/php/errors/default-ip.en.html
  51. 23
      mkosi.skeleton/srv/php/errors/http.html
  52. 45
      mkosi.skeleton/srv/php/errors/http.php
  53. 8
      mkosi.skeleton/srv/php/errors/index.php
  54. 1
      mkosi.skeleton/srv/php/niver
  55. BIN
      mkosi.skeleton/usr/local/bin/maniver
  56. BIN
      mkosi.skeleton/usr/local/bin/sftpgo
  57. 2
      mkosi.skeleton/usr/local/share/niver/knot.template
  58. 15
      mkosi.skeleton/usr/local/share/niver/nginx/dns.template
  59. 9
      mkosi.skeleton/usr/local/share/niver/nginx/onion.template

4
.gitignore

@ -0,0 +1,4 @@
/mkosi.cache/
/mkosi.passphrase
/mkosi.passwd
/mkosi.skeleton/root/.ssh/authorized_keys

28
mkosi.default

@ -0,0 +1,28 @@
[Validation]
Autologin = yes
[Output]
Format = directory
[Content]
BasePackages = yes
WithDocs = yes
WithNetwork = yes
Packages =
tor
torsocks
openssl
certbot
nginx
php-fpm
knot
cargo
sudo
git
man-db
curl
lsof
tree
vim
htop
ncdu
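Review bot: `Autologin = yes` under `[Validation]` gives an unauthenticated root shell on the console of the built image, which is convenient for testing the `directory` output locally but should not survive into an image that is deployed; a one-line comment such as `# Development convenience: automatic root login on the console — drop for deployed images` would make the choice explicit. The `[Content]` package list also ships build and debugging tools (`cargo`, `git`, `vim`, `htop`, `ncdu`) in the runtime image; if `cargo` and `git` are only needed to build maniver and sftpgo, mkosi's `BuildPackages=` keeps them out of the deployed surface.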

15
mkosi.default.d/arch/mkosi.default

@ -0,0 +1,15 @@
[Distribution]
Distribution = arch
[Output]
Output = /var/lib/machines/niver-arch
[Content]
Packages =
nginx-mod-headers-more
certbot-nginx
php-sqlite
openssh
iputils

17
mkosi.default.d/debian/mkosi.default

@ -0,0 +1,17 @@
[Distribution]
Distribution = debian
Release = bullseye
Mirror = https://deb.debian.org/debian
[Output]
Output = /var/lib/machines/niver-debian
[Content]
Packages =
apt-transport-tor
libnginx-mod-http-headers-more-filter
python3-certbot-nginx
knot-dnsutils
php-sqlite3
openssh-server
iputils-ping

32
mkosi.extra/etc/knot/knot.conf

@ -0,0 +1,32 @@
# Configuration export (Knot DNS 3.1.7)
server:
version: "Knot"
nsid: "Niver"
rundir: "/run/knot"
user: "knot:knot"
listen: [ "::@42053", "0.0.0.0@42053" ]
log:
- target: "/var/log/knot/knot.log"
any: "debug"
database:
storage: "/var/lib/knot"
policy:
- id: "niver"
algorithm: "ed25519"
nsec3: "on"
template:
- id: "niver"
storage: "/srv/ns"
file: "%s.zone"
zonefile-load: "difference"
dnssec-signing: "on"
dnssec-policy: "niver"
zone:
- domain: "niver.test."
template: "niver"
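Review bot: `any: "debug"` in the `log:` section logs every category at debug level, which on a deployed server writes query-level detail to `/var/log/knot/knot.log` and grows fast; `info` is sufficient for operations and `debug` can be switched on while diagnosing. The listener binds `::@42053` and `0.0.0.0@42053`, i.e. all interfaces, unlike the nginx servers in this commit which are loopback-only, so a comment saying that 42053 is meant to be reachable from outside would help the next reader. The `dnssec-policy` sets only `algorithm` and `nsec3`, so key lifetimes and rollover timing fall back to Knot's defaults — worth a comment if that is intended.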

26
mkosi.extra/etc/nginx/default-server.conf

@ -0,0 +1,26 @@
server {
listen [::1]:42443 ssl http2 default_server;
listen 127.0.0.1:42443 ssl http2 default_server;
ssl_certificate /etc/ssl/certs/niver.crt;
ssl_certificate_key /etc/ssl/private/niver.key;
#ssl_stapling off;
root /srv/php/errors;
try_files index.php index.html $uri $uri/;
index index.php index.html;
location / {
root /srv/php/errors;
try_files /index.php =500;
index index.php;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/run/php-fpm/errors.sock;
include /etc/nginx/inc/fastcgi.conf;
}
include /etc/nginx/inc/tls.conf;
include /etc/nginx/inc/errors.conf;
more_set_headers "Content-Security-Policy : default-src 'none'; frame-ancestors 'none';";
}
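Review bot: The server-level `try_files index.php index.html $uri $uri/;` and `index index.php index.html;` are never reached, because `location /` matches every request and carries its own `root`, `try_files` and `index`; dropping the two server-level lines (or replacing them with a comment) removes the ambiguity about which fallback applies. The block uses the absolute include `/etc/nginx/inc/fastcgi.conf` while `http.conf` and `sites/niver.test.conf` use the relative `inc/fastcgi.conf`; picking one form keeps the configuration easier to grep. A short header comment stating that this is the catch-all for unknown `Host` values on the TLS port (hence the error-page root and the `default-src 'none'` CSP) would explain why it differs from the site files.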

17
mkosi.extra/etc/nginx/http.conf

@ -0,0 +1,17 @@
server {
listen [::1]:42080 default_server;
listen 127.0.0.1:42080 default_server;
return 403; # Don't allow unsecure HTTP requests
# Display an explanation page
error_page 403 @http403;
location @http403 {
root /srv/php/errors;
try_files /http.php =500;
index http.php;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/run/php-fpm/errors.sock;
include inc/fastcgi.conf;
}
}

72
mkosi.extra/etc/nginx/inc/errors.conf

@ -0,0 +1,72 @@
recursive_error_pages on;
# 403 Forbidden
error_page 403 @403;
location @403 {
root /srv/php/errors;
try_files /403.html =500;
}
# 404 Not Found
error_page 404 @local404;
location @local404 {
try_files /404.html /404.md /404.gmi @niver404;
}
location @niver404 {
root /srv/php/errors;
try_files /404.php =500;
index /404.php;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/run/php-fpm/errors.sock;
include inc/fastcgi.conf;
fastcgi_index /404.php;
}
# 405 Method Not Allowed
error_page 405 @405;
location @405 {
root /srv/php/errors;
try_files /405.html =500;
}
# 410 Gone
error_page 410 @410;
location @410 {
root /srv/php/errors;
try_files /410.html =500;
}
# 418 I'm a teapot
error_page 418 @418;
location @418 {
root /srv/php/errors;
try_files /418.html =500;
}
# 500 Internal Server Error
error_page 500 @500;
location @500 {
root /srv/php/errors;
try_files /500.html =500;
}
# 502 Bad Gateway
error_page 502 @502;
location @502 {
root /srv/php/errors;
try_files /502.html =500;
}
# 503 Service Unavailable
error_page 503 @503;
location @503 {
root /srv/php/errors;
try_files /503.html =500;
}
# 504 Gateway Timeout
error_page 504 @504;
location @504 {
root /srv/php/errors;
try_files /504.html =500;
}
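Review bot: `400.html` is shipped in `mkosi.skeleton/srv/php/errors/` but this file defines no `error_page 400`, so malformed requests still get nginx's built-in page; adding `error_page 400 @400;` with a `location @400 { root /srv/php/errors; try_files /400.html =500; }` block mirrors the other handlers. Every handler falls back with `=500` while `recursive_error_pages on` is set, so as far as I can tell a missing `/500.html` makes `@500` re-enter itself until nginx's internal redirect limit aborts the request; a `=404` fallback inside `@500`, or a comment recording the dependency on the skeleton files, avoids that edge. `index /404.php;` and `fastcgi_index /404.php;` in `@niver404` are redundant once `try_files /404.php =500;` has fixed the URI.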

26
mkosi.extra/etc/nginx/inc/fastcgi.conf

@ -0,0 +1,26 @@
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param REQUEST_SCHEME $scheme;
fastcgi_param HTTPS $https if_not_empty;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;
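Review bot: This file never passes `PATH_INFO`, yet `default-server.conf`, `http.conf`, `inc/errors.conf` and `sites/niver.test.conf` all run `fastcgi_split_path_info ^(.+\.php)(/.+)$;` before including it, so the `$fastcgi_path_info` they compute is discarded. Either add `fastcgi_param PATH_INFO $fastcgi_path_info;` here — keeping `try_files $uri =404;` and php-fpm's `security.limit_extensions = .php` as the guard that a `/x.php/y` URI only reaches the interpreter for an existing script — or remove the `fastcgi_split_path_info` lines from the callers and note in a comment that path-info style URLs are intentionally unsupported. The file appears to be the stock `fastcgi_params` plus `REQUEST_SCHEME`/`HTTPS`; saying so in a header comment makes future diffs against upstream easy.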

11
mkosi.extra/etc/nginx/inc/ffdhe3072.pem

@ -0,0 +1,11 @@
-----BEGIN DH PARAMETERS-----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-----END DH PARAMETERS-----

13
mkosi.extra/etc/nginx/inc/ffdhe4096.pem

@ -0,0 +1,13 @@
-----BEGIN DH PARAMETERS-----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-----END DH PARAMETERS-----

1003
mkosi.extra/etc/nginx/inc/nginx-types.conf

File diff suppressed because it is too large

5
mkosi.extra/etc/nginx/inc/niver.conf

@ -0,0 +1,5 @@
more_set_headers "Content-Security-Policy : default-src 'self'; object-src 'none'; frame-ancestors 'none'; form-action 'none';";
default_type text/plain;
include inc/tls.conf;

16
mkosi.extra/etc/nginx/inc/security.conf

@ -0,0 +1,16 @@
more_set_headers "X-Content-Type-Options : nosniff";
#more_set_headers "X-XSS-Protection : 1; mode=block";
#more_set_headers "X-Download-Options : noopen";
#more_set_headers "X-Permitted-Cross-Domain-Policies : none";
#more_set_headers "X-Frame-Options : DENY";
more_set_headers "Referrer-Policy : no-referrer";
more_set_headers "Strict-Transport-Security : max-age=94608000; includeSubDomains; preload";
more_clear_headers Server;
ssl_prefer_server_ciphers off;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_early_data off;
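Review bot: `Strict-Transport-Security : max-age=94608000; includeSubDomains; preload` is emitted by every server that includes `inc/tls.conf`, including the per-user vhosts generated from `nginx/dns.template`, so each hosted domain and all its subdomains are pinned to HTTPS for three years and declared preload-eligible; if users can bring their own domains, either document that this is intended or use a shorter `max-age` without `preload` for hosted domains. The commented-out `X-Frame-Options`, `X-XSS-Protection`, `X-Download-Options` and `X-Permitted-Cross-Domain-Policies` lines would read better as one comment saying they are superseded by the `frame-ancestors` directive in the site CSP headers, rather than dead directives. `ssl_session_tickets off` with a one-day shared session cache is a reasonable trade-off; a comment on why tickets are off (presumably no long-lived ticket key baked into the image) would help.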

5
mkosi.extra/etc/nginx/inc/tls-inter.conf

@ -0,0 +1,5 @@
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384;
ssl_ecdh_curve X25519:X448;
include inc/security.conf;

6
mkosi.extra/etc/nginx/inc/tls-laxist.conf

@ -0,0 +1,6 @@
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-CCM8:DHE-RSA-AES256-CCM8:DHE-RSA-AES128-CCM:DHE-RSA-AES256-CCM;
ssl_ecdh_curve X25519:X448:secp521r1:secp384r1:prime256v1;
ssl_dhparam inc/ffdhe3072.pem;
include inc/security.conf;

4
mkosi.extra/etc/nginx/inc/tls-strict.conf

@ -0,0 +1,4 @@
ssl_protocols TLSv1.3;
ssl_ecdh_curve X25519:X448;
include inc/security.conf;

4
mkosi.extra/etc/nginx/inc/tls.conf

@ -0,0 +1,4 @@
ssl_protocols TLSv1.3;
ssl_ecdh_curve X25519:X448;
include inc/security.conf;
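Review bot: `inc/tls.conf` is identical to `inc/tls-strict.conf`, and neither `tls-inter.conf`, `tls-laxist.conf`, `tls-strict.conf` nor `inc/niver.conf` is included by any file in this commit — the site files and templates all include `inc/tls.conf` directly. Either make `tls.conf` a one-line `include inc/tls-strict.conf;` so the profile in use is named, or document in a comment that the three profiles are selectable alternatives for maniver. Note that `tls-inter.conf` and `tls-laxist.conf` list only `ECDHE-RSA-*`/`DHE-RSA-*` suites, which fits the RSA key generated in `mkosi.prepare` but would leave TLS 1.2 clients with no usable suite if an ECDSA certificate were later installed.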

84
mkosi.extra/etc/nginx/inc/types.conf

@ -0,0 +1,84 @@
types {
text/plain txt;
application/octet-stream bin;
# Hypertext
text/gemini gmi;
text/markdown md;
text/html html;
# Misc
text/css css;
text/javascript js;
text/csv csv;
text/calendar ics ifb;
text/vtt vtt;
text/dns zone soa;
application/mbox mbox;
application/x-bittorrent torrent;
# Compressed
application/gzip gz;
application/zip zip;
application/epub+zip epub;
application/pdf pdf;
# JSON
application/json json;
application/ld+json jsonld;
application/manifest+json webmanifest;
# XML
application/xml xml;
application/xhtml+xml xhtml;
application/atom+xml atom;
application/atomcat+xml atomcat;
application/atomsvc+xml atomsvc;
application/rss+xml rss;
application/mathml+xml mml;
application/emotionml+xml emotionml;
# OpenDocument
application/vnd.oasis.opendocument.chart odc;
application/vnd.oasis.opendocument.chart-template otc;
application/vnd.oasis.opendocument.database odb;
application/vnd.oasis.opendocument.formula odf;
application/vnd.oasis.opendocument.formula-template otf;
application/vnd.oasis.opendocument.graphics odg;
application/vnd.oasis.opendocument.graphics-template otg;
application/vnd.oasis.opendocument.image odi;
application/vnd.oasis.opendocument.image-template oti;
application/vnd.oasis.opendocument.presentation odp;
application/vnd.oasis.opendocument.presentation-template otp;
application/vnd.oasis.opendocument.spreadsheet ods;
application/vnd.oasis.opendocument.spreadsheet-template ots;
application/vnd.oasis.opendocument.text odt;
application/vnd.oasis.opendocument.text-master odm;
application/vnd.oasis.opendocument.text-template ott;
application/vnd.oasis.opendocument.text-web oth;
# Font
font/woff woff;
font/woff2 woff2;
# Image
image/png png;
image/gif gif;
image/jpeg jpeg jpg;
image/svg+xml svg svgz;
image/webp webp;
image/avif avif;
image/openraster ora;
# Audio
audio/opus opus;
audio/ogg ogg oga spx;
audio/mpeg mp3;
audio/webm weba;
audio/flac flac;
# Video
video/ogg ogv;
video/webm webm;
video/mp4 mp4;
}

42
mkosi.extra/etc/nginx/nginx.conf

@ -0,0 +1,42 @@
load_module "/usr/lib/nginx/modules/ngx_http_headers_more_filter_module.so";
worker_processes auto;
user nginx nginx;
events {
worker_connections 1024;
}
http {
types_hash_bucket_size 128; # Default: 64
types_hash_max_size 1024; # Default: 1024
server_names_hash_bucket_size 128;
# Performance optimisation
sendfile on;
tcp_nopush on;
# Correct Content-Type header
charset utf-8;
default_type text/plain;
include inc/types.conf;
# Serve file.gz instead of file if available
gzip_static on;
# Logging
log_format niver '|$time_local| [$remote_addr]@$server_name {$ssl_protocol $ssl_cipher} "$request" $status $body_bytes_sent "$http_user_agent"';
access_log /var/log/nginx/access.log niver;
error_log /var/log/nginx/error.log notice;
# Possible security threats
server_tokens off;
etag off;
autoindex off;
gzip off;
# Include other configuration
include sites/*.conf;
include ht/*.conf;
include default-server.conf;
include http.conf;
}
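Review bot: The `# Possible security threats` group would benefit from saying why each directive is off, since the reasons are not obvious from the names: `gzip off;` avoids compressing responses that mix secrets with client-influenced input (precompressed static files are still served by `gzip_static on`), `etag off;` stops exposing a validator derived from the file's modification time and size, and `autoindex off;` is already the default. `include ht/*.conf;` references a directory that nothing in this commit creates; a comment stating that maniver populates it from `nginx/dns.template` and `nginx/onion.template` makes the dependency explicit. Since every server in the static config files binds `127.0.0.1`/`[::1]`, the `$remote_addr` field of the `niver` log format will always be loopback for those unless a proxy header is consulted, which is worth noting next to `log_format`.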

38
mkosi.extra/etc/nginx/sites/niver.test.conf

@ -0,0 +1,38 @@
server {
listen [::1]:42443 ssl http2;
listen 127.0.0.1:42443 ssl http2;
server_name niver.test;
root /srv/php/niver/public;
index index.php index.html index.htm;
try_files $uri $uri/ @extensionless-php;
include inc/tls.conf;
include inc/errors.conf;
more_set_headers "Referrer-Policy : same-origin";
more_set_headers "Content-Security-Policy : default-src 'none'; style-src 'self'; frame-ancestors 'none'; form-action 'self';";
location ~ ^/iquane/(db|less|lessphp|inc|niver.log) {
return 403;
}
location ~ \.inc.php$ {
return 403;
}
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/run/php-fpm/niver.sock;
#fastcgi_index index.php;
include inc/fastcgi.conf;
try_files $uri =404;
}
location @extensionless-php {
rewrite ^(.*)$ $1.php last;
}
ssl_certificate /etc/ssl/certs/niver.crt;
ssl_certificate_key /etc/ssl/private/niver.key;
}
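Review bot: The regex locations `~ \.inc.php$` and `~ ^/iquane/(db|less|lessphp|inc|niver.log)` leave the dot before `php` and the one in `niver.log` unescaped, so they match any character; `location ~ \.inc\.php$` and `(db|less|lessphp|inc|niver\.log)` state the intent exactly. The denies work because nginx takes the first matching regex location in file order, so keeping these two blocks above `location ~ \.php$` is load-bearing and deserves a comment. The `ssl_certificate`/`ssl_certificate_key` lines duplicate `default-server.conf` and `nginx/dns.template`; moving them into a shared include keeps the certificate path in one place.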

27
mkosi.extra/etc/php/php-fpm.d/errors.conf

@ -0,0 +1,27 @@
[errors]
user = php-$pool
group = php-$pool
listen = /run/php-fpm/$pool.sock
listen.owner = nginx
listen.group = nginx
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
access.log = /var/log/php/$pool-access.log
;chroot = /srv/php/errors
chdir = /srv/php/errors
catch_workers_output = yes
decorate_workers_output = yes
clear_env = yes
security.limit_extensions = .php
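Review bot: `access.log = /var/log/php/$pool-access.log` (also in `niver.conf`) points at a directory that neither `mkosi.prepare` nor the skeleton creates; unless the distribution packages provide `/var/log/php`, php-fpm will refuse to start the pool when it cannot open the log. Creating the directory in `mkosi.prepare` with ownership that lets `php-errors` and `php-niver` write to it, or dropping the per-pool access log in favour of the nginx log, fixes that. The commented `;chroot = /srv/php/errors` deserves a note on why it is disabled, or removal.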

26
mkosi.extra/etc/php/php-fpm.d/niver.conf

@ -0,0 +1,26 @@
[niver]
user = php-$pool
group = knot
listen = /run/php-fpm/$pool.sock
listen.owner = nginx
listen.group = nginx
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
access.log = /var/log/php/$pool-access.log
chdir = /srv/php/$pool
catch_workers_output = yes
decorate_workers_output = yes
clear_env = yes
security.limit_extensions = .php
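Review bot: `group = knot` makes every PHP worker of this pool a member of the `knot` group — presumably so the application can reach Knot's control socket under `/run/knot` — and it is the only line besides the path where this pool differs from `errors.conf`, so the reason should be recorded, e.g. `; group knot: needed to talk to knotc via its control socket — confirm this is the minimal access required`. Access to the zone directory alone does not need it: `mkosi.prepare` already sets `/srv/ns` to `knot:php-niver` mode 770, which the pool's own user covers.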

61
mkosi.extra/etc/ssh/sshd_config

@ -0,0 +1,61 @@
LogLevel INFO
AllowUsers root
Subsystem sftp internal-sftp
UsePAM yes
# Network
AddressFamily any
ListenAddress [::]
ListenAddress 0.0.0.0
Port 42022
# Cryptography
HostKey /etc/ssh/ed25519
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
HostKeyAlgorithms ssh-ed25519
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
# Sessions
PermitRootLogin prohibit-password
StrictModes yes
MaxAuthTries 6
MaxSessions 1
MaxStartups 3:20:200
LoginGraceTime 3m
PrintMotd yes
# Disable everything
PermitTTY no
PermitTunnel no
AllowTcpForwarding no
X11Forwarding no
AllowAgentForwarding no
AllowStreamLocalForwarding no
DisableForwarding yes # Disables all forwarding features, including X11, ssh-agent(1), TCP and StreamLocal.
PermitUserRC no
PermitUserEnvironment no
IgnoreRhosts yes
AuthorizedKeysFile none
AuthenticationMethods none
PubkeyAuthentication no
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
# Enable what is necessary
Match User root
PermitTTY yes
PubkeyAuthentication yes
AuthenticationMethods publickey
AuthorizedKeysFile .ssh/authorized_keys
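Review bot: `ChallengeResponseAuthentication no` duplicates `KbdInteractiveAuthentication no` two lines above — it is the deprecated alias of the same option and recent OpenSSH releases warn about it, so keeping one of the two avoids the warning. The global `AuthenticationMethods none` together with `AllowUsers root` and the `Match User root` block that re-enables `publickey` is a deliberate deny-by-default layout, but it reads like a typo without a comment; suggest `# Deny every method by default; root is re-enabled below with public keys only` above the `# Disable everything` group. `LoginGraceTime 3m` is longer than OpenSSH's default and, combined with `MaxStartups 3:20:200`, keeps unauthenticated connections open longer than needed.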

3
mkosi.nspawn

@ -0,0 +1,3 @@
[Network]
Private=no
VirtualEthernet=no

10
mkosi.postinst

@ -0,0 +1,10 @@
#!/usr/bin/bash
source /etc/os-release
if [[ $ID = "arch" ]]; then
systemctl enable sshd
systemctl enable knot
systemctl enable nginx
systemctl enable php-fpm
fi
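Review bot: The script has no `set -e`, so a failed `systemctl enable` leaves the image without the service while the build still succeeds; `set -euo pipefail` after the shebang makes that fatal. Only the `arch` branch enables units, presumably because Debian packages enable their units on installation; a comment saying so would stop the next reader from adding a Debian branch. `sftpgo.service` from `mkosi.skeleton` is not enabled on either distribution here, which may be intentional but is worth stating.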

51
mkosi.prepare

@ -0,0 +1,51 @@
#!/usr/bin/bash
# Clean configuration directories (will be filled with mkosi.extra/)
rm -r /etc/nginx/*
rm -r /etc/ssh/*
source /etc/os-release
if [[ $ID = "debian" ]]; then
rm -r /etc/php/7.4/fpm/pool.d/*
fi
# Create system users
useradd -U -r -s /usr/sbin/nologin nginx
useradd -U -r -s /usr/sbin/nologin php-niver
useradd -U -r -s /usr/sbin/nologin php-errors
useradd -U -r -s /usr/sbin/nologin sftpgo
# Set proper permissions
chown -R knot:knot /var/log/knot
chmod -R 700 /var/log/knot
chown -R knot:php-niver /srv/ns
chmod -R 770 /srv/ns
chown -R php-niver:nginx /srv/ht
chmod -R 740 /srv/ht
chown -R php-niver:nginx /srv/php/niver/public/css/
chmod -R 750 /srv/php/niver/public/css/
chown -R php-niver:php-niver /srv/php/niver/db
chmod -R 700 /srv/php/niver/db
chown -R php-niver:php-niver /srv/php/niver/niver.log
chmod -R 600 /srv/php/niver/niver.log
# Load configuration in Knot database
systemctl stop knot
sudo -u knot knotc conf-import /etc/knot/knot.conf
systemctl start knot
# Generate default self-signed TLS key pair
openssl req -subj '/' -new -newkey RSA:3072 -days 3650 -nodes -x509 -keyout /etc/ssl/private/niver.key -out /etc/ssl/certs/niver.crt
# Generate SSH server key pair
ssh-keygen -f /etc/ssh/ed25519 -t ed25519 -N ""
ssh-keygen -lvf /etc/ssh/ed25519 > /etc/ssh/ed25519.fp
# Configure PHP-FPM properly
echo "display_errors = On" >> /etc/php/php.ini
echo "extension = pdo_sqlite" >> /etc/php/php.ini
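Review bot: `chmod -R 740 /srv/ht` strips the execute bit for group from every directory under `/srv/ht`, so the `nginx` group set by the `chown` above can list but not traverse them, and the sites generated from `nginx/dns.template` with a root under that tree (presumably) cannot serve files; `chmod -R u=rwX,g=rX,o= /srv/ht` gives directories 750 and files 640, matching what the `css/` line below already does. `echo "display_errors = On" >> /etc/php/php.ini` exposes PHP error messages, including file paths, to clients of a deployed image, and `/etc/php/php.ini` is the Arch path — on Debian the php-fpm ini lives under `/etc/php/7.4/fpm/`, which the script already knows from its `pool.d` branch, so on Debian both `echo` lines create an unused file. The script also runs without `set -e`, so a failed `useradd`, `knotc conf-import` or key generation does not stop the build.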

3
mkosi.skeleton/etc/apt/sources.list

@ -0,0 +1,3 @@
deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bullseye main
deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bullseye-backports main
deb tor+http://5ajw6aqf3ep7sijnscdzw77t7xq4xjpsy335yb2wiwgouo7yfxtjlmid.onion/debian-security bullseye-security main

3
mkosi.skeleton/etc/pacman.d/mirrorlist

@ -0,0 +1,3 @@
Server = https://mirror.ibakerserver.pt/Arch/$repo/os/$arch
Server = https://arch.juline.tech/$repo/os/$arch
Server = https://mirror.theo546.fr/archlinux/$repo/os/$arch

1
mkosi.skeleton/etc/resolv.conf

@ -0,0 +1 @@
nameserver 127.0.0.53

6
mkosi.skeleton/etc/systemd/resolved.conf.d/fdn.conf

@ -0,0 +1,6 @@
[Resolve]
# https://www.fdn.fr/actions/dns/
DNS=2001:910:800::40 2001:910:800::12 80.67.169.40 80.67.169.12
FallbackDNS=
DNSSEC=yes
Cache=yes
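Review bot: `DNSSEC=yes` is systemd-resolved's strict mode: if the resolvers listed in `DNS=` ever stop returning DNSSEC data, lookups fail rather than degrade, which is a sound choice for a DNS host but should be stated in a comment. The skeleton's `resolv.conf` points at `127.0.0.53`, the resolved stub, yet `mkosi.postinst` enables only `sshd`, `knot`, `nginx` and `php-fpm`; Arch does not enable `systemd-resolved` by default and as far as I know Debian bullseye does not either, so name resolution in the image likely has no listener and `systemctl enable systemd-resolved` belongs in `mkosi.postinst`.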

27
mkosi.skeleton/etc/systemd/system/sftpgo.service

@ -0,0 +1,27 @@
[Unit]
Description=SFTPGo Server
After=network.target
[Service]
User=sftpgo
Group=sftpgo
Type=simple
WorkingDirectory=/etc/sftpgo
Environment=SFTPGO_CONFIG_DIR=/etc/sftpgo/
Environment=SFTPGO_LOG_FILE_PATH=
EnvironmentFile=-/etc/sftpgo/sftpgo.env
ExecStart=/usr/local/bin/sftpgo serve
ExecReload=/bin/kill -s HUP $MAINPID
LimitNOFILE=8192
KillMode=mixed
PrivateTmp=true
Restart=always
RestartSec=10s
NoNewPrivileges=yes
PrivateDevices=yes
DevicePolicy=closed
ProtectSystem=true
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
[Install]
WantedBy=multi-user.target
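Review bot: `ProtectSystem=true` only mounts `/usr` and `/boot` read-only; since the service reads its configuration from `/etc/sftpgo`, `ProtectSystem=full` (which adds `/etc`) or `strict` with an explicit `ReadWritePaths=` for the data directory is the tighter choice. The unit also lacks `ProtectHome=`, `ProtectKernelTunables=yes`, `ProtectControlGroups=yes` and `SystemCallArchitectures=native`, which are cheap for a userspace network daemon — with the caveat that `ProtectHome` must stay off if user data lives under `/home` rather than `/srv`. `WorkingDirectory=/etc/sftpgo` and the `EnvironmentFile` under it are created nowhere in this commit, so the unit will fail to start until maniver or an operator provides them; a comment in the unit would save debugging time.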

5
mkosi.skeleton/root/build-maniver.sh

@ -0,0 +1,5 @@
#!/usr/bin/bash
cd /root/maniver
cargo build --release
cp /root/maniver/target/release/maniver /usr/local/bin/maniver
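Review bot: `cd /root/maniver` is unchecked, so if the submodule checkout is missing `cargo build --release` runs in whatever the current directory is and `cp` then copies a stale or wrong binary; `set -e` after the shebang, or `cd /root/maniver || exit 1`, makes the failure visible. The committed `mkosi.skeleton/usr/local/bin/maniver` binary is what actually lands in the image, so a comment here that it must be rebuilt from the pinned submodule commit whenever the submodule is bumped would keep the two from drifting apart.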

8
mkosi.skeleton/root/build-sftpgo.sh

@ -0,0 +1,8 @@
#!/usr/bin/bash
git clone https://github.com/drakkan/sftpgo /root/sftpgo-src
cd /root/sftpgo-src
git checkout v2.2.2
apt update
apt install -y golang-1.18
/usr/lib/go-1.18/bin/go build -tags nogcs,nos3,noazblob,nobolt,nomysql,nopgsql,noportable,nometrics -o /usr/local/bin/sftpgo
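Review bot: `git checkout v2.2.2` resolves a mutable tag with no verification, and because the script has no `set -e`, a failed clone or checkout still runs `go build` on whatever is in the tree; pin the exact commit (`git checkout <FULL_COMMIT_SHA_OF_v2.2.2>` — placeholder, take it from the upstream tag) or verify the tag signature, and add `set -euo pipefail`. As with maniver, the prebuilt `mkosi.skeleton/usr/local/bin/sftpgo` is what ships, so recording the source commit and the binary's hash next to the script lets a reviewer confirm they match. `apt install -y golang-1.18` makes this script Debian-only, unlike the rest of the repo which branches on `$ID`.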

1
mkosi.skeleton/root/maniver

@ -0,0 +1 @@
Subproject commit 2ad9fe6f3d7d3fc44cc03ef569d82dd601b51664

6
mkosi.skeleton/srv/ns/niver.test.zone

@ -0,0 +1,6 @@
niver.test. 10800 SOA ns1.niver.test. admin.niver.test. 0 21600 7200 3628800 3600
niver.test. 86400 NS ns1.niver.test.
niver.test. 10800 A 127.0.0.1
niver.test. 10800 AAAA ::1
ns1.niver.test. 10800 A 127.0.0.1
ns1.niver.test. 10800 AAAA ::1

15
mkosi.skeleton/srv/php/errors/400.html

@ -0,0 +1,15 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>Bad request · HTTP 400</title>
</head>
<body>
<h1>Bad request</h1>
<p>
The request is malformed.
</p>
<small><code>HTTP 400</code></small>
</body>
</html>

15
mkosi.skeleton/srv/php/errors/403.html

@ -0,0 +1,15 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>Access forbidden · HTTP 403</title>
</head>
<body>
<h1>Access forbidden</h1>
<p>
The server refused to process the request for security reasons.
</p>
<small><code>HTTP 403</code></small>
</body>
</html>

19
mkosi.skeleton/srv/php/errors/404.en.html

@ -0,0 +1,19 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>File not found · HTTP 404</title>
</head>
<body>
<h1>File not found</h1>
<p>
The server did not find anything at the requested address.
</p>
<ul>
<li>The file may have been moved or deleted.</li>
<li>Perhaps the address was mistyped.</li>
</ul>
<small><code>HTTP 404</code></small>
</body>
</html>

19
mkosi.skeleton/srv/php/errors/404.fr.html

@ -0,0 +1,19 @@
<!DOCTYPE html>
<html lang="fr">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>Fichier introuvable · HTTP 404</title>
</head>
<body>
<h1>Fichier introuvable</h1>
<p>
Le serveur n'a rien trouvé à l'adresse demandée.
</p>
<ul>
<li>Le fichier a put être déplacé ou supprimé.</li>
<li>L'adresse a peut-être été mal saisie.</li>
</ul>
<small><code>HTTP 404</code></small>
</body>
</html>
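Review bot: Typo in the first list item: `Le fichier a put être déplacé ou supprimé.` should read `Le fichier a pu être déplacé ou supprimé.`. The rest of the page mirrors `404.en.html` line for line.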

20
mkosi.skeleton/srv/php/errors/404.php

@ -0,0 +1,20 @@
<?php
if (isset($_SERVER['HTTP_ACCEPT_LANGUAGE'])) {
$clientLocales = $_SERVER['HTTP_ACCEPT_LANGUAGE'];
$clientLocales = preg_replace("#[A-Z0-9]|q=|;|-|\.#", "", $clientLocales);
$clientLocales = explode(',', $clientLocales);
$availableLocales = array('en', 'fr');
foreach ($clientLocales as $clientLocale) {
if (in_array($clientLocale, $availableLocales)) {
$locale = $clientLocale;
break;
}
}
}
if (isset($locale) AND $locale == "fr")
echo file_get_contents("404.fr.html");
else
echo file_get_contents("404.en.html");
?>
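Review bot: The `preg_replace("#[A-Z0-9]|q=|;|-|\.#", "", ...)` pass deletes upper-case letters instead of lower-casing them, so a client sending an upper-case tag such as `FR` yields an empty string and falls through to English, and it does not trim the optional whitespace after commas, so `en, fr` becomes `["en", " fr"]`. Parsing each entry on its own — split on `,` with surrounding whitespace, drop the `;q=` part, lower-case, keep the primary subtag — handles both and is shorter; a rewrite is sketched below. The same block is copied verbatim into `http.php`, so a small shared include under `/srv/php/errors` would keep the two in sync.
```php
<?php
$availableLocales = array('en', 'fr');
$locale = 'en';
if (isset($_SERVER['HTTP_ACCEPT_LANGUAGE'])) {
    foreach (preg_split('/\s*,\s*/', $_SERVER['HTTP_ACCEPT_LANGUAGE']) as $tag) {
        // primary subtag only, case-insensitive: "fr-CH;q=0.8" -> "fr"
        $tag = strtolower(substr(explode(';', $tag, 2)[0], 0, 2));
        if (in_array($tag, $availableLocales, true)) {
            $locale = $tag;
            break;
        }
    }
}
echo file_get_contents("404." . $locale . ".html");
```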

15
mkosi.skeleton/srv/php/errors/405.html

@ -0,0 +1,15 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>Method Not Allowed · HTTP 405</title>
</head>
<body>
<h1>Method Not Allowed</h1>
<p>
The request method is not supported for this resource.
</p>
<small><code>HTTP 405</code></small>
</body>
</html>

15
mkosi.skeleton/srv/php/errors/410.html

@ -0,0 +1,15 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>Gone · HTTP 410</title>
</head>
<body>
<h1>Gone</h1>
<p>
The requested resource is not available anymore.
</p>
<small><code>HTTP 410</code></small>
</body>
</html>

15
mkosi.skeleton/srv/php/errors/418.html

@ -0,0 +1,15 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>I'm a teapot · HTTP 418</title>
</head>
<body>
<h1>I'm a teapot</h1>
<p>
Your coffee cannot be brewed because this server is a teapot.
</p>
<small><code>HTTP 418</code></small>
</body>
</html>

19
mkosi.skeleton/srv/php/errors/500.html

@ -0,0 +1,19 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>Server error · HTTP 500</title>
</head>
<body>
<h1>Server error</h1>
<p>
The server encountered an error and is unable to satisfy your request.
</p>
<ul>
<li>This error is probably temporary.</li>
<li>If it isn't, you can try to contact an administrator.</li>
</ul>
<small><code>HTTP 500</code></small>
</body>
</html>

19
mkosi.skeleton/srv/php/errors/502.html

@ -0,0 +1,19 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>Bad gateway · HTTP 502</title>
</head>
<body>
<h1>Bad gateway</h1>
<p>
The backend server encountered an error and is unable to satisfy your request.
</p>
<ul>
<li>This error is probably temporary.</li>
<li>If it isn't, you can try to contact an administrator.</li>
</ul>
<small><code>HTTP 502</code></small>
</body>
</html>

19
mkosi.skeleton/srv/php/errors/503.html

@ -0,0 +1,19 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>Service unavailable · HTTP 503</title>
</head>
<body>
<h1>Service unavailable</h1>
<p>
The server cannot handle the request, because it is overloaded or down for maintenance.
</p>
<ul>
<li>This error is probably temporary.</li>
<li>If it isn't, you can try to contact an administrator.</li>
</ul>
<small><code>HTTP 503</code></small>
</body>
</html>

19
mkosi.skeleton/srv/php/errors/504.html

@ -0,0 +1,19 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>Gateway timeout · HTTP 504</title>
</head>
<body>
<h1>Gateway timeout</h1>
<p>
The backend server did not send a timely response.
</p>
<ul>
<li>This error is probably temporary.</li>
<li>If it isn't, you can try to contact an administrator.</li>
</ul>
<small><code>HTTP 504</code></small>
</body>
</html>

11
mkosi.skeleton/srv/php/errors/default-domain.en.html

@ -0,0 +1,11 @@
<!DOCTYPE HTML>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Broken site</title>
</head>
<body>
<h1>Broken site</h1>
The site you're trying to reach is misconfigured. This domain seems to be pointing to this server, but this server is not aware of a site using this domain.
</body>
</html>

11
mkosi.skeleton/srv/php/errors/default-ip.en.html

@ -0,0 +1,11 @@
<!DOCTYPE HTML>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Nothing here</title>
</head>
<body>
<h1>Nothing here</h1>
You reached Niver's default site using IP address. There's nothing for you here.
</body>
</html>

23
mkosi.skeleton/srv/php/errors/http.html

@ -0,0 +1,23 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>Not available over unsecure HTTP</title>
</head>
<body>
<h1>Not available over unsecure HTTP</h1>
<p>
This server does not accept unsecure HTTP requests. Use HTTPS instead.
</p>
<details open="">
<summary>What happened?</summary>
You made a request to the server using the unsecure HTTP protocol (<code>http://</code>). For privacy and security reasons, the server does not accept this, as unsecure HTTP connections can be watched and modified by any device on the way.
</details>
<details>
<summary>How to solve this?</summary>
You can tell your browser to use HTTPS by prefixing the URL with <code>https://</code>.
</details>
<small><code>HTTP 400</code></small>
</body>
</html>
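Review bot: The footer reads `HTTP 400`, but `http.conf` answers plain-HTTP requests with `return 403;` and `http.php` — the file that location actually serves via `try_files /http.php =500;` — says `HTTP 403`; change the footer to `<small><code>HTTP 403</code></small>` or drop this file, since nothing in this commit references `http.html`.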

45
mkosi.skeleton/srv/php/errors/http.php

@ -0,0 +1,45 @@
<?php
if (isset($_SERVER['HTTP_ACCEPT_LANGUAGE'])) {
$clientLocales = $_SERVER['HTTP_ACCEPT_LANGUAGE'];
$clientLocales = preg_replace("#[A-Z0-9]|q=|;|-|\.#", "", $clientLocales);
$clientLocales = explode(',', $clientLocales);
$availableLocales = array('en', 'fr');
foreach ($clientLocales as $clientLocale) {
if (in_array($clientLocale, $availableLocales)) {
$locale = $clientLocale;
break;
}
}
}
if (isset($locale) AND $locale == "fr") {
# echo file_get_contents("404.fr.html");
#else { ?>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>Not available over unsecure HTTP</title>
</head>
<body>
<h1>Not available over unsecure HTTP</h1>
<p>
This server does not accept unsecure HTTP requests. <a href="<?php echo htmlspecialchars($_SERVER['QUERY_STRING']);
?>">Use HTTPS</a> instead.
</p>
<details open="">
<summary>What happened?</summary>
You made a request to the server using the unsecure HTTP protocol (<code>http://</code>). For privacy and security reasons, the server does not accept this, as unsecure HTTP connections can be watched and modified by any device on the way.
</details>
<details>
<summary>How to solve this?</summary>
You can tell your browser to use HTTPS by prefixing the URL with <code>https://</code>.
</details>
<small><code>HTTP 403</code></small>
</body>
</html>
<?php } ?>
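Review bot: The HTML body only renders inside `if (isset($locale) AND $locale == "fr") {` … `<?php } ?>`, so every client that does not advertise French gets an empty 403 body from `http.conf`; the `# echo file_get_contents(...)` / `#else {` comments show this was meant to mirror `404.php` but the non-French branch was never written, and since the page text is English only the simplest fix is to delete the `if` line and the closing `<?php } ?>`. The `Use HTTPS` link takes its target from `$_SERVER['QUERY_STRING']`, i.e. whatever followed `?` in the request rather than the page the visitor asked for; build it from the request instead, `<a href="https://<?php echo htmlspecialchars($_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'], ENT_QUOTES); ?>">`, keeping `htmlspecialchars` because both values are client-supplied — and mind that `HTTP_HOST` carries the plain-HTTP port when one was used, which this commit does not show how to map to the TLS port.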

8
mkosi.skeleton/srv/php/errors/index.php

@ -0,0 +1,8 @@
<?php
if (filter_var(str_replace(array("[", "]"), "", $_SERVER['HTTP_HOST']), FILTER_VALIDATE_IP))
echo file_get_contents("default-ip.en.html");
else
echo file_get_contents("default-domain.en.html");
?>
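Review bot: `$_SERVER['HTTP_HOST']` keeps the port, so with the non-default listener `127.0.0.1:42443` the bracket-stripped value (`127.0.0.1:42443`, or `::1:42443` for IPv6) never passes `FILTER_VALIDATE_IP`, and visitors using an IP address get the "Broken site" page instead of "Nothing here"; strip the port before validating, e.g. `$host = $_SERVER['HTTP_HOST'] ?? '';` then `$host = preg_match('/^\[([^\]]+)\]/', $host, $m) ? $m[1] : preg_replace('/:\d+$/', '', $host);` and pass `$host` to `filter_var`. The `?? ''` also avoids an undefined-index warning on a request without a `Host` header, which matters because `mkosi.prepare` turns `display_errors` on. Whether the port is present depends on what sits in front of nginx, which this commit does not show.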

1
mkosi.skeleton/srv/php/niver

@ -0,0 +1 @@
Subproject commit 9a2eb0a18e6f5d464af6d130c291dc916a5d73c9

BIN
mkosi.skeleton/usr/local/bin/maniver

Binary file not shown.

BIN
mkosi.skeleton/usr/local/bin/sftpgo

Binary file not shown.

2
mkosi.skeleton/usr/local/share/niver/knot.template

@ -0,0 +1,2 @@
DOMAIN 3600 SOA ns1.niver.test. admin.niver.test. 1 21600 7200 3628800 3600
DOMAIN 86400 NS ns1.niver.test.

15
mkosi.skeleton/usr/local/share/niver/nginx/dns.template

@ -0,0 +1,15 @@
server {
listen [::]:{{HTTPS_PORT}} ssl http2;
listen 0.0.0.0:{{HTTPS_PORT}} ssl http2;
server_name {{DOMAIN}};
root {{HT_PATH}}/{{USERNAME}}/ht/{{DIR}};
ssl_certificate /etc/ssl/certs/niver.crt;
ssl_certificate_key /etc/ssl/private/niver.key;
include inc/tls.conf;
location / {
try_files $uri $uri.html $uri/ =404;
}
}
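Review bot: `{{DOMAIN}}`, `{{USERNAME}}` and `{{DIR}}` are substituted straight into `server_name` and `root` with no quoting, so whatever fills the template (maniver, not in this commit) must reject values containing `;`, `{`, `}`, whitespace, `..` or newlines, otherwise a user-chosen domain or directory name becomes nginx configuration; a comment at the top of the template stating the allowed character set (hostname labels for `DOMAIN`, a single path component for `DIR`) makes that contract visible, and the same applies to `nginx/onion.template`. This template listens on `[::]`/`0.0.0.0:{{HTTPS_PORT}}` while every server under `mkosi.extra/etc/nginx` binds loopback only; if the difference is intended, say so next to the `listen` lines. Generated vhosts also do not include `inc/errors.conf`, so hosted sites get nginx's built-in error pages, and they all present the shared self-signed `niver.crt` until a per-domain certificate is installed.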

9
mkosi.skeleton/usr/local/share/niver/nginx/onion.template

@ -0,0 +1,9 @@
server {
listen [::1]:{{INTERNAL_ONION_HTTP_PORT}};
server_name {{DOMAIN}};
root {{HT_PATH}}/{{USERNAME}}/ht/{{DIR}};
location / {
try_files $uri $uri.html $uri/ =404;
}
}