
Move everything in /srv/niver

Miraty 2 months ago
parent
commit
ed0d3cc36c
  1. 1
      .gitignore
  2. 1
      mkosi.default
  3. 11
      mkosi.extra/etc/knot/knot.conf
  4. 20
      mkosi.extra/etc/nginx/inc/errors.conf
  5. 4
      mkosi.extra/etc/nginx/nginx.conf
  6. 6
      mkosi.extra/etc/nginx/sites/default-server.conf
  7. 4
      mkosi.extra/etc/nginx/sites/http.conf
  8. 2
      mkosi.extra/etc/nginx/sites/niver.test.conf
  9. 4
      mkosi.extra/etc/nginx/sites/sftpgo-auth.conf
  10. 27
      mkosi.extra/etc/php/php-fpm.d/errors.conf
  11. 4
      mkosi.extra/etc/php/php-fpm.d/niver.conf
  12. 4
      mkosi.extra/etc/sudoers.d/niver
  13. 5
      mkosi.extra/etc/tor/torrc
  14. 45
      mkosi.postinst
  15. 4
      mkosi.prepare
  16. 3
      mkosi.skeleton/etc/sftpgo/sftpgo.toml
  17. 3
      mkosi.skeleton/etc/systemd/system/php-fpm.service.d/override.conf
  18. 1
      mkosi.skeleton/etc/systemd/system/tor.service.d/override.conf
  19. 4
      mkosi.skeleton/root/sftpgo.sh
  20. 0
      mkosi.skeleton/srv/niver/acme/.gitkeep
  21. 1
      mkosi.skeleton/srv/niver/core
  22. 0
      mkosi.skeleton/srv/niver/errors/400.html
  23. 0
      mkosi.skeleton/srv/niver/errors/403.html
  24. 0
      mkosi.skeleton/srv/niver/errors/404.en.html
  25. 0
      mkosi.skeleton/srv/niver/errors/404.fr.html
  26. 0
      mkosi.skeleton/srv/niver/errors/404.php
  27. 0
      mkosi.skeleton/srv/niver/errors/405.html
  28. 0
      mkosi.skeleton/srv/niver/errors/410.html
  29. 0
      mkosi.skeleton/srv/niver/errors/418.html
  30. 0
      mkosi.skeleton/srv/niver/errors/500.html
  31. 0
      mkosi.skeleton/srv/niver/errors/502.html
  32. 0
      mkosi.skeleton/srv/niver/errors/503.html
  33. 0
      mkosi.skeleton/srv/niver/errors/504.html
  34. 0
      mkosi.skeleton/srv/niver/errors/default-domain.en.html
  35. 0
      mkosi.skeleton/srv/niver/errors/default-ip.en.html
  36. 0
      mkosi.skeleton/srv/niver/errors/http.html
  37. 0
      mkosi.skeleton/srv/niver/errors/http.php
  38. 0
      mkosi.skeleton/srv/niver/errors/index.php
  39. 0
      mkosi.skeleton/srv/niver/ht/.gitkeep
  40. 0
      mkosi.skeleton/srv/niver/nginx/.gitkeep
  41. 0
      mkosi.skeleton/srv/niver/ns/.gitkeep
  42. 4
      mkosi.skeleton/srv/niver/reg/niver.test.zone
  43. 0
      mkosi.skeleton/srv/niver/tor-config/.gitkeep
  44. 0
      mkosi.skeleton/srv/niver/tor-keys/.gitkeep
  45. BIN
      mkosi.skeleton/usr/local/bin/sftpgo

1
.gitignore

@ -3,3 +3,4 @@
/mkosi.passphrase
/mkosi.passwd
/mkosi.skeleton/root/.ssh/authorized_keys
/mkosi.skeleton/usr/local/bin/sftpgo

1
mkosi.default

@ -17,7 +17,6 @@ Packages =
nginx
php-fpm
knot
cargo
sudo
git
sqlite3

11
mkosi.extra/etc/knot/knot.conf

@ -19,8 +19,8 @@ policy:
nsec3-iterations: 10
template:
- id: "niver"
storage: "/srv/ns"
- id: "niver-ns"
storage: "/srv/niver/ns"
file: "%s.zone"
zonefile-load: "difference"
dnssec-signing: "on"
@ -28,4 +28,9 @@ template:
zone:
- domain: "niver.test."
template: "niver"
storage: "/srv/niver/reg"
file: "%s.zone"
zonefile-load: "difference"
dnssec-signing: "on"
dnssec-policy: "niver"

20
mkosi.extra/etc/nginx/inc/errors.conf

@ -3,7 +3,7 @@ recursive_error_pages on;
# 403 Forbidden
error_page 403 @403;
location @403 {
root /srv/php/errors;
root /srv/niver/errors;
try_files /403.html =500;
}
@ -13,11 +13,11 @@ location @local404 {
try_files /404.html /404.md /404.gmi @niver404;
}
location @niver404 {
root /srv/php/errors;
root /srv/niver/errors;
try_files /404.php =500;
index /404.php;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/run/php-fpm/errors.sock;
fastcgi_pass unix:/run/php-fpm/niver.sock;
include inc/fastcgi.conf;
fastcgi_index /404.php;
}
@ -25,48 +25,48 @@ location @niver404 {
# 405 Method Not Allowed
error_page 405 @405;
location @405 {
root /srv/php/errors;
root /srv/niver/errors;
try_files /405.html =500;
}
# 410 Gone
error_page 410 @410;
location @410 {
root /srv/php/errors;
root /srv/niver/errors;
try_files /410.html =500;
}
# 418 I'm a teapot
error_page 418 @418;
location @418 {
root /srv/php/errors;
root /srv/niver/errors;
try_files /418.html =500;
}
# 500 Internal Server Error
error_page 500 @500;
location @500 {
root /srv/php/errors;
root /srv/niver/errors;
try_files /500.html =500;
}
# 502 Bad Gateway
error_page 502 @502;
location @502 {
root /srv/php/errors;
root /srv/niver/errors;
try_files /502.html =500;
}
# 503 Service Unavailable
error_page 503 @503;
location @503 {
root /srv/php/errors;
root /srv/niver/errors;
try_files /503.html =500;
}
# 504 Gateway Timeout
error_page 504 @504;
location @504 {
root /srv/php/errors;
root /srv/niver/errors;
try_files /504.html =500;
}

4
mkosi.extra/etc/nginx/nginx.conf

@ -49,7 +49,5 @@ http {
# Include other configuration
include sites/*.conf;
include ht/*.conf;
include default-server.conf;
include http.conf;
include /srv/niver/nginx/*.conf;
}

6
mkosi.extra/etc/nginx/default-server.conf → mkosi.extra/etc/nginx/sites/default-server.conf

@ -5,16 +5,16 @@ server {
ssl_certificate /etc/ssl/certs/niver.crt;
ssl_certificate_key /etc/ssl/private/niver.key;
root /srv/php/errors;
root /srv/niver/php/errors;
try_files index.php index.html $uri $uri/;
index index.php index.html;
location / {
root /srv/php/errors;
root /srv/niver/php/errors;
try_files /index.php =500;
index index.php;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/run/php-fpm/errors.sock;
fastcgi_pass unix:/run/php-fpm/niver.sock;
include /etc/nginx/inc/fastcgi.conf;
}
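Review bot: Both `root /srv/niver/php/errors;` lines point at a directory this commit does not create: the error pages were moved to `mkosi.skeleton/srv/niver/errors`, postinst chowns `/srv/niver/errors`, and `inc/errors.conf` uses that path, so `try_files /index.php =500` in `location /` will always fall through to 500 for any request that reaches the catch-all server. Change both lines to `root /srv/niver/errors;`. The opening of the server block, including its listen directives, is outside the hunk.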

4
mkosi.extra/etc/nginx/http.conf → mkosi.extra/etc/nginx/sites/http.conf

@ -9,7 +9,7 @@ server {
# Display an explanation page
error_page 403 @http403;
location @http403 {
root /srv/php/errors;
root /srv/niver/php/errors;
try_files /http.php =500;
index http.php;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
@ -18,6 +18,6 @@ server {
}
location /.well-known/acme-challenge {
alias /srv/acme/;
alias /srv/niver/acme/;
}
}
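Review bot: `root /srv/niver/php/errors;` in `@http403` does not match the new location of the error pages (`/srv/niver/errors`, as used by `inc/errors.conf` and chown'd in postinst), so the plain-HTTP explanation page will return 500 instead of running `http.php`; use `root /srv/niver/errors;`. Separately, the `alias /srv/niver/acme/;` target exists only as an empty skeleton directory and postinst sets no owner or mode on it, so whichever process is meant to drop ACME challenges there still needs that arranged — worth a comment such as `# challenge files are written by the ACME client; owner/mode set in postinst` once it is. The server block starts before this hunk.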

2
mkosi.extra/etc/nginx/sites/niver.test.conf

@ -3,7 +3,7 @@ server {
listen 127.0.0.1:42443 ssl http2;
server_name niver.test;
root /srv/php/niver/public;
root /srv/niver/core/public;
index index.php index.html index.htm;
try_files $uri $uri/ @extensionless-php;

4
mkosi.extra/etc/nginx/sites/sftpgo-auth.conf

@ -1,12 +1,12 @@
server {
listen [::1]:8055;
root /srv/php/niver/;
root /srv/niver/core;
include inc/errors.conf;
location / {
try_files /sftpgo-auth.php =404;
try_files /sftpgo-auth.php =500;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/run/php-fpm/niver.sock;
include inc/fastcgi.conf;
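Review bot: The `try_files /sftpgo-auth.php =500;` handler answers every request path on `[::1]:8055` and the server block adds no client authentication, so any local process can submit username/password pairs to the hook and use the response as a credential oracle for SFTP accounts (what the script returns on success or failure is outside this diff). Loopback-only is a reasonable trust boundary for a single-purpose image, but it should be stated, e.g. `# Loopback-only auth hook for sftpgo: any local process can reach it` above `listen`, and a `limit_req` on this location would at least slow local brute forcing. A shared secret in the hook URL checked by the script would close the oracle, but only once `/etc/sftpgo` stops being world-readable (postinst gives it `o=rX`). The location block continues past the end of the hunk.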

27
mkosi.extra/etc/php/php-fpm.d/errors.conf

@ -1,27 +0,0 @@
[errors]
user = php-$pool
group = php-$pool
listen = /run/php-fpm/$pool.sock
listen.owner = nginx
listen.group = nginx
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
access.log = /var/log/php/$pool-access.log
;chroot = /srv/php/$pool
chdir = /srv/php/$pool
catch_workers_output = yes
decorate_workers_output = yes
clear_env = yes
security.limit_extensions = .php

4
mkosi.extra/etc/php/php-fpm.d/niver.conf

@ -1,6 +1,6 @@
[niver]
user = php-$pool
user = $pool
group = knot
listen = /run/php-fpm/$pool.sock
@ -16,8 +16,6 @@ pm.max_spare_servers = 3
access.log = /var/log/php/$pool-access.log
chdir = /srv/php/$pool
catch_workers_output = yes
decorate_workers_output = yes
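Review bot: The removed `chdir = /srv/php/$pool` line has no visible replacement pointing at the new tree, so unless it is re-added outside this hunk the workers keep FPM's default working directory; add `chdir = /srv/niver/core`. The errors pool deleted in this commit carried `clear_env = yes` and `security.limit_extensions = .php`; the tail of this pool file is outside the hunk, so confirm the `niver` pool has both, since it now also executes the error-page scripts. Note that `user = $pool` ties the worker account to the section name, which is fine but means renaming the section silently changes which account runs the workers.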

4
mkosi.extra/etc/sudoers.d/niver

@ -1,2 +1,2 @@
php-niver ALL= NOPASSWD: /usr/bin/systemctl reload nginx,/usr/bin/systemctl reload tor,/usr/bin/chgrp ^sftpgo /srv/ht/[a-z]{1,128} --no-dereference$
php-niver ALL=(tor) NOPASSWD: /usr/bin/cat ^/var/lib/tor/keys/[a-z]{1,128}/hostname$,/usr/bin/rm ^--recursive /var/lib/tor/keys/[a-z]{1,128}$
niver ALL= NOPASSWD: /usr/bin/systemctl reload nginx,/usr/bin/systemctl reload tor,/usr/bin/chgrp ^sftpgo /srv/niver/ht/[^[:punct:][:space:][:cntrl:]]{1,128} --no-dereference$
niver ALL=(tor) NOPASSWD: /usr/bin/cat ^/srv/niver/tor-keys/[^[:punct:][:space:][:cntrl:]]{1,128}/[^[:punct:][:space:][:cntrl:]]{1,128}/hostname$,/usr/bin/mkdir ^--mode=0700 /srv/niver/tor-keys/[^[:punct:][:space:][:cntrl:]]{1,128}$,/usr/bin/rm ^--recursive /srv/niver/tor-keys/[^[:punct:][:space:][:cntrl:]]{1,128}(/[^[:punct:][:space:][:cntrl:]]{1,128})?$
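Review bot: The `systemctl reload nginx` grant on the first new line, together with `niver` owning `/srv/niver/nginx` and `nginx.conf` including `/srv/niver/nginx/*.conf`, lets the PHP user feed arbitrary configuration to a master process that runs as root; directives such as `error_log` or `access_log` open their targets with root privileges at reload, so a compromise of the web application likely extends to root-level file writes (which directives nginx accepts in that include context is not shown here). Prefer a root-owned wrapper that regenerates the include directory from a template, rejects directives outside an allowlist, runs `nginx -t` and only then reloads, and grant `niver` that wrapper instead of `systemctl` directly. The widened argument class `[^[:punct:][:space:][:cntrl:]]{1,128}` still excludes `/` and `.`, so the path arguments cannot traverse, but it now admits digits and non-ASCII letters where `[a-z]` did not — document that this is intended, e.g. `# one path component: no punctuation, whitespace or control chars, hence no "." or "/"`.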

5
mkosi.extra/etc/tor/torrc

@ -1,3 +1,8 @@
User tor
SocksPort 0
DataDirectory /var/lib/tor
HiddenServiceNonAnonymousMode 1
HiddenServiceSingleHopMode 1
%include /srv/niver/tor-config/*
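Review bot: The new `HiddenServiceNonAnonymousMode 1` / `HiddenServiceSingleHopMode 1` lines apply to every onion service the daemon hosts and should carry a comment, because they give up the server-side anonymity that users of a .onion address usually assume; suggested: `# Single-hop, non-anonymous onion services: the host's IP is not hidden from clients or relays. Chosen for performance, not location privacy.`. The `%include /srv/niver/tor-config/*` line pulls fragments from a directory postinst makes writable by `niver`, and sudoers lets that user reload tor, so the PHP user effectively controls the whole daemon configuration (it could add `ControlPort`, `SocksPort` or `HiddenServicePort` entries aimed at other loopback services); if that is more than intended, generate the fragments from a template that only emits `HiddenServiceDir`/`HiddenServicePort` into a root-owned directory and include that instead.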

45
mkosi.postinst

@ -3,46 +3,47 @@ source /etc/os-release
# Create system users
useradd -U -r -s /usr/sbin/nologin nginx
useradd -U -r -s /usr/sbin/nologin php-niver
useradd -U -r -s /usr/sbin/nologin php-errors
useradd -U -r -s /usr/sbin/nologin niver
useradd -U -r -s /usr/sbin/nologin sftpgo
# Set proper permissions
chown -R knot:knot /var/lib/knot/confdb
chmod -R u=rwX,g=rwX,o= /var/lib/knot/confdb
usermod -aG knot php-niver
usermod -aG knot niver
chown -R knot:knot /var/log/knot
chmod -R 700 /var/log/knot
chmod -R u=rwX,g=,o= /var/log/knot
chown -R php-niver:knot /srv/ns
chmod -R 770 /srv/ns
chown -R niver:knot /srv/niver/ns
chmod -R u=rwX,g=rwX,o= /srv/niver/ns
chown -R niver:knot /srv/niver/reg
chmod -R u=rwX,g=rwX,o= /srv/niver/reg
chown -R php-niver:php-niver /etc/nginx/ht
chown -R niver:nginx /srv/niver/nginx
chmod -R u=rwX,g=rX,o= /srv/niver/nginx
chown -R sftpgo:sftpgo /etc/sftpgo
chmod -R u=rX,g=rX,o=rX /etc/sftpgo
chmod u=r,g=,o= /etc/sftpgo/ed25519
chown -R php-niver:sftpgo /srv/ht
chmod -R u=rwX,g=rwX,o=rX /srv/ht
chown -R niver:sftpgo /srv/niver/ht
chmod -R u=rwX,g=rwX,o=rX /srv/niver/ht
if [[ $ID = "debian" ]]; then
chown -R php-niver:debian-tor /etc/tor
chown -R niver:debian-tor /srv/niver/tor-config
chown -R debian-tor:debian-tor /srv/niver/tor-keys
else
chown -R php-niver:tor /etc/tor
chown -R niver:tor /srv/niver/tor-config
chown -R tor:tor /srv/niver/tor-keys
fi
chmod -R u=rwX,g=rX,o= /etc/tor
chmod -R u=rwX,g=rX,o= /srv/niver/tor-config
chmod -R u=rwX,g=,o= /srv/niver/tor-keys
chmod u=rX,g=rX,o=rX /srv/php
chown -R php-errors:nginx /srv/php/errors
chmod -R u=rX,g=rX,o= /srv/php/errors
chown -R php-niver:nginx /srv/php/niver
chmod -R u=rX,g=rX,o=X /srv/php/niver
chmod -R u=rwX,g=,o= /srv/php/niver/db
chown -R niver:nginx /srv/niver/core /srv/niver/errors
chmod -R u=rX,g=rX,o= /srv/niver/core /srv/niver/errors
chown -R niver:niver /srv/niver/core/db
chmod -R u=rwX,g=,o= /srv/niver/core/db
# Load configuration in Knot database
sudo -u knot knotc conf-import /etc/knot/knot.conf
@ -73,8 +74,8 @@ if [[ $ID = "debian" ]]; then
sed -i 's/User tor/User debian-tor/' /etc/tor/torrc
sed -i 's/reload tor/reload tor@default/' /etc/sudoers.d/niver
sed -i 's/ALL=(tor)/ALL=(debian-tor)/' /etc/sudoers.d/niver
sed -i 's/tor_service = "tor"/tor_service = "tor@default"/' /srv/php/niver/config.ini
sed -i 's/tor_user = "tor"/tor_user = "debian-tor"/' /srv/php/niver/config.ini
sed -i 's/tor_service = "tor"/tor_service = "tor@default"/' /srv/niver/core/config.ini
sed -i 's/tor_user = "tor"/tor_user = "debian-tor"/' /srv/niver/core/config.ini
fi
# Start SystemD services at startup
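Review bot: `chown -R niver:nginx /srv/niver/core /srv/niver/errors` gives the PHP-FPM worker account (`user = $pool`, i.e. `niver`) ownership of its own source tree, so the `u=rX` mode on the next line is only advisory — an attacker executing PHP as `niver` can `chmod` and rewrite the scripts for persistence, and the unit's `ReadWritePaths=/srv/niver` does not stand in the way. Make root the owner and grant read through the group instead, e.g. `chown -R root:niver /srv/niver/core /srv/niver/errors`, `chmod -R u=rwX,g=rX,o= /srv/niver/core /srv/niver/errors`, and `setfacl -R -m g:nginx:rX /srv/niver/core/public /srv/niver/errors` where nginx must read static files, keeping only `core/db` (already handled) owned by `niver`. The `o=rX` on `/srv/niver/ht` also lets any local account read every hosted site's files; if nginx is the only reader besides sftpgo, an ACL for `nginx` is tighter than world-read. This hunk is the middle of the script; the service enablement that follows is outside it.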

4
mkosi.prepare

@ -27,7 +27,7 @@ fp=($(ssh-keygen -l -f /etc/sftpgo/ed25519))
echo ${fp[1]} > /etc/sftpgo/ed25519.fp
ssh-keygen -lv -f /etc/sftpgo/ed25519 | tail -n +2 > /etc/sftpgo/ed25519.asciiart
# Generate SSHFP record
echo ht.niver.test. 86400 SSHFP 4 2 $(cut -d ' ' -f 2 /etc/sftpgo/ed25519.pub | base64 -d | sha256sum | cut -d ' ' -f 1) >> /srv/ns/niver.test.zone
echo ht.niver.test. 86400 SSHFP 4 2 $(cut -d ' ' -f 2 /etc/sftpgo/ed25519.pub | base64 -d | sha256sum | cut -d ' ' -f 1) >> /srv/niver/reg/niver.test.zone
# Create database
sqlite3 /srv/php/niver/db/niver.db < /srv/php/niver/db/source.sql
sqlite3 /srv/niver/core/db/niver.db < /srv/niver/core/db/source.sql

3
mkosi.skeleton/etc/sftpgo/sftpgo.toml

@ -32,9 +32,10 @@ address = "127.0.0.1"
[data_provider]
driver = "memory"
users_base_dir = "/srv/ht"
users_base_dir = "/srv/niver/ht"
external_auth_hook = "http://[::1]:8055/sftpgo-auth.php"
external_auth_scope = 1
naming_rules = 1
[[httpd.bindings]]
port = 0

3
mkosi.skeleton/etc/systemd/system/php-fpm.service.d/override.conf

@ -1,3 +1,2 @@
[Service]
ReadWritePaths=/etc/nginx/ht
ReadWritePaths=/etc/tor
ReadWritePaths=/srv/niver
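Review bot: `ReadWritePaths=/srv/niver` is much broader than the two paths it replaces: from the unit's point of view the whole tree becomes writable, including `/srv/niver/core` (the application source) and `/srv/niver/errors`, so the mount namespace no longer protects the code even if DAC is later tightened (this only matters if the unit sets `ProtectSystem=` or `ReadOnlyPaths=`, which is outside this file). List the directories the app actually writes instead: `ReadWritePaths=/srv/niver/ht /srv/niver/nginx /srv/niver/ns /srv/niver/reg /srv/niver/tor-config /srv/niver/core/db`, adding `/srv/niver/acme` only if the app itself handles challenges.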

1
mkosi.skeleton/etc/systemd/system/tor.service.d/override.conf

@ -1,3 +1,4 @@
[Service]
ReadWritePaths=/srv/niver/tor-keys
# To allow reloading service on Arch Linux
CapabilityBoundingSet=CAP_KILL

4
mkosi.skeleton/root/sftpgo.sh

@ -8,5 +8,5 @@ fi
git clone https://github.com/drakkan/sftpgo /root/sftpgo-src
cd /root/sftpgo-src
git checkout v2.2.3
$GO build -tags nogcs,nos3,noazblob,nobolt,nomysql,nopgsql,noportable,nometrics -o /usr/local/bin/sftpgo
git checkout v2.3.1
$GO build -tags nometrics,noazblob,nogcs,nos3,nobolt,nomysql,nopgsql,nosqlite,noportable -o /usr/local/bin/sftpgo
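Review bot: `git checkout v2.3.1` pins the build to a mutable tag on a third-party GitHub repository with no signature or hash check, so the binary installed to `/usr/local/bin/sftpgo` — the network-facing SFTP front end — depends on that tag never being moved. Pin the commit instead: record `git rev-parse v2.3.1^{commit}` once and check out that hash, and run `git verify-tag v2.3.1` first if upstream signs its tags. The diffstat also shows a prebuilt `mkosi.skeleton/usr/local/bin/sftpgo` (`Binary file not shown`) while `.gitignore` now lists that path; if the binary is meant to stay tracked, add a comment here stating that this script is its only sanctioned producer, e.g. `# Produces mkosi.skeleton/usr/local/bin/sftpgo; rebuild from source rather than committing a binary`.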

0
mkosi.extra/etc/nginx/ht/.gitkeep → mkosi.skeleton/srv/niver/acme/.gitkeep

1
mkosi.skeleton/srv/niver/core

@ -0,0 +1 @@
Subproject commit 9fa902f768167ce693cc4bbf15f6e15ab28bf5a3

0
mkosi.skeleton/srv/php/errors/400.html → mkosi.skeleton/srv/niver/errors/400.html

0
mkosi.skeleton/srv/php/errors/403.html → mkosi.skeleton/srv/niver/errors/403.html

0
mkosi.skeleton/srv/php/errors/404.en.html → mkosi.skeleton/srv/niver/errors/404.en.html

0
mkosi.skeleton/srv/php/errors/404.fr.html → mkosi.skeleton/srv/niver/errors/404.fr.html

0
mkosi.skeleton/srv/php/errors/404.php → mkosi.skeleton/srv/niver/errors/404.php

0
mkosi.skeleton/srv/php/errors/405.html → mkosi.skeleton/srv/niver/errors/405.html

0
mkosi.skeleton/srv/php/errors/410.html → mkosi.skeleton/srv/niver/errors/410.html

0
mkosi.skeleton/srv/php/errors/418.html → mkosi.skeleton/srv/niver/errors/418.html

0
mkosi.skeleton/srv/php/errors/500.html → mkosi.skeleton/srv/niver/errors/500.html

0
mkosi.skeleton/srv/php/errors/502.html → mkosi.skeleton/srv/niver/errors/502.html

0
mkosi.skeleton/srv/php/errors/503.html → mkosi.skeleton/srv/niver/errors/503.html

0
mkosi.skeleton/srv/php/errors/504.html → mkosi.skeleton/srv/niver/errors/504.html

0
mkosi.skeleton/srv/php/errors/default-domain.en.html → mkosi.skeleton/srv/niver/errors/default-domain.en.html

0
mkosi.skeleton/srv/php/errors/default-ip.en.html → mkosi.skeleton/srv/niver/errors/default-ip.en.html

0
mkosi.skeleton/srv/php/errors/http.html → mkosi.skeleton/srv/niver/errors/http.html

0
mkosi.skeleton/srv/php/errors/http.php → mkosi.skeleton/srv/niver/errors/http.php

0
mkosi.skeleton/srv/php/errors/index.php → mkosi.skeleton/srv/niver/errors/index.php

0
mkosi.skeleton/srv/acme/.gitkeep → mkosi.skeleton/srv/niver/ht/.gitkeep

0
mkosi.skeleton/srv/ht/.gitkeep → mkosi.skeleton/srv/niver/nginx/.gitkeep

0
mkosi.skeleton/srv/niver/ns/.gitkeep

4
mkosi.skeleton/srv/ns/niver.test.zone → mkosi.skeleton/srv/niver/reg/niver.test.zone

@ -4,5 +4,5 @@ niver.test. 10800 A 127.0.0.1
niver.test. 10800 AAAA ::1
ns1.niver.test. 10800 A 127.0.0.1
ns1.niver.test. 10800 AAAA ::1
ht.niver.test. 10800 A 127.0.0.1
ht.niver.test. 10800 AAAA ::1
ht.niver.test. 10800 A 127.0.0.1
ht.niver.test. 10800 AAAA ::1

0
mkosi.skeleton/srv/niver/tor-config/.gitkeep

0
mkosi.skeleton/srv/niver/tor-keys/.gitkeep

BIN
mkosi.skeleton/usr/local/bin/sftpgo

Binary file not shown.