Old Arch Linux system

2021-08-29 17:39:12 +02:00 · 2021-08-29 17:39:12 +02:00 · d0e18be3d1
commit d0e18be3d1
32 changed files with 1836 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -0,0 +1,3 @@
+# Niver configuration
+
+This repository contains configuration files required by Niver or it's dependencies.
--- a/arch/about.md
+++ b/arch/about.md
@ -0,0 +1,37 @@
+# Niver
+
+## Features
+
+### Web interface
+
+* Login/register using a pseudo/password set
+* Pages are lower than 10 KiB
+* No JavaScript, no images, and CSS are optionnal
+* Dark and light themes
+* Free service running libre software
+
+### Hypertext
+
+* SFTP access
+* HTTP and Gemini
+* IPv4 and IPv6
+* TLS 1.2 & 1.3
+* DNS and Onion v3 (through Tor) access
+* HTTP/1.1 and HTTP/2
+* Let's Encrypt certificates for HTTP
+* All HTTP security headers
+
+### Nameserver
+
+* DNSSEC (with NSEC3)
+* NS, A, AAAA, TXT, and CAA records
+
+### Registry
+
+* Glue record
+* DNSSEC delegation with any modern cypher
+
+## Missing features
+
+* No internationalized domain name support (you can only use a small subset of ASCII in your domain name)
+* No BIND-style plaintext configuration (you need to fill a form for every record you add or remove)
--- a/arch/gemini.md
+++ b/arch/gemini.md
@ -0,0 +1,2 @@
+To generate a key/certificate pair with ed25519 expiring in 10 years
+`openssl req -subj '/CN=domain' -new -newkey ED25519 -days 3650 -nodes -x509 -keyout domain.key -out domain.crt`
--- a/arch/gmnisrv.md
+++ b/arch/gmnisrv.md
@ -0,0 +1,53 @@
+# gmnisrv installation
+
+```
+# pacman -S make git pkgconf openssl scdoc
+$ git clone https://git.sr.ht/~sircmpwn/gmnisrv # Download gmnisrv sources
+$ mkdir gmnisrv/build
+$ cd gmnisrv/build
+$ ../configure --prefix=/usr # Check gmnisrv dependencies and setup files needed for building
+$ make # Build gmnisrv
+# make install # Install gmnisrv binary and manpages on the system
+# useradd -U -r -s /usr/bin/nologin gmnisrv # Add the gmnisrv system user and group
+# vim /etc/systemd/system/gmnisrv.service
+```
+
+```
+[Unit]
+Description=A Gemini server
+After=network.target
+Wants=network.target
+
+[Service]
+Type=simple
+ExecStart=/usr/local/bin/gmnisrv
+ExecStop=
+#Restart=on-failure
+User=gmnisrv
+Group=gmnisrv
+WorkingDirectory=/srv/ht
+
+[Install]
+WantedBy=multi-user.target
+```
+```
+# systemctl daemon-reload
+# mkdir -p /srv/gemini/niver.atope.art
+# echo "This is a testing Gemini capsule" > /srv/gemini/niver.atope.art/index.gmi
+# mkdir /var/local/gmnisrv
+# chmod -R 700 /var/local/gmnisrv
+# chown -R gmnisrv:gmnisrv /var/local/gmnisrv
+# vim /usr/local/etc/gmnisrv.ini
+```
+
+```
+# Space-separated list of hosts
+listen=0.0.0.0:1965 [::]:1965
+
+[:tls]
+# Path to store certificates on disk
+store=/var/local/gmnisrv
+
+[niver.atope.art]
+root=/srv/gemini/niver.atope.art
+```
--- a/arch/installation.md
+++ b/arch/installation.md
@ -0,0 +1,30 @@
+# Niver system installation
+
+Niver will use and need specific configuration for
+
+* Knot DNS
+* OpenSSH
+* Nginx
+* Tor
+* Gmnisrv
+* PHP-FPM
+
+To do root-level actions, Niver will also use a privileged binary, written in Rust, called Maniver.
+
+Niver has been deployed on the following distributions :
+
+* Debian 10, using Nginx 1.14.2 and OpenSSH 7.9p1, and latest available version of Tor, Knot and gmnisrv using their official release channel.
+* Arch Linux
+
+To provide all features:
+
+`# pacman -S tor knot openssh sudo nginx nginx-mod-headers-more certbot certbot-nginx php-fpm php-sqlite`
+
+Some tools you might find usefull to manage a server:
+
+`# pacman -S vnstat htop nload ufw vim man-db curl screen`
+
+[Gemini](gemini.md)
+[Maniver](maniver.md)
+[OpenSSH](openssh.md)
+[Nginx](nginx.md)
--- a/arch/knot.md
+++ b/arch/knot.md
@ -0,0 +1,8 @@
+# Knot setup
+
+```
+# systemctl stop knot
+# sudo -u knot knotc conf-import /usr/local/share/niver/knot.conf
+# systemctl restart knot
+# systemctl enable knot
+```
--- a/arch/maniver.md
+++ b/arch/maniver.md
@ -0,0 +1,23 @@
+# Maniver
+
+## Installation
+
+```
+# pacman -S rustup git
+$ rustup default stable
+$ git clone https://code.antopie.org/miraty/maniver-dev
+$ cd maniver-dev
+$ cargo build --release
+# cp ./target/release/maniver /usr/local/bin/
+```
+
+## Update
+
+```
+$ rustup update
+$ cd maniver-dev
+$ cargo update
+$ git pull
+$ cargo build --release
+# cp ./target/release/maniver /usr/local/bin/
+```
--- a/arch/nginx.md
+++ b/arch/nginx.md
@ -0,0 +1,7 @@
+# Nginx configuration setup
+
+Use the configuration provided.
+
+Niver require the module *Headers More*.
+
+On Arch Linux, install it with `pacman -Syu nginx-mod-headers-more`.
--- a/arch/niver-php.md
+++ b/arch/niver-php.md
@ -0,0 +1,30 @@
+
+# Niver-PHP setup
+
+Use pools configurations provided along this documentation.
+
+To hide PHP presence, set in php.ini:
+`expose_php = Off`
+
+```
+# useradd -U -r -s /usr/bin/nologin php-niver
+# useradd -U -r -s /usr/bin/nologin php-errors
+```
+
+## Permission to manage system things as root
+
+Once you've [set up Maniver](maniver.md):
+```
+# EDITOR=vim visudo
+php-niver ALL=(root) NOPASSWD: /usr/local/bin/maniver
+```
+
+## Permission to manage Knot
+
+To add knot as an additional group for user php-niver: `# usermod -aG knot php-niver`
+
+New method:
+```
+# chmod -R 770 /var/lib/knot
+# chown -R php-niver:knot /var/lib/knot
+```
--- a/arch/openssh.md
+++ b/arch/openssh.md
@ -0,0 +1,33 @@
+### SFTP setup
+
+```
+# groupadd ht
+# echo "Ce compte n'est accessible qu'en SFTP, pas en SSH.
+This account is only available over SFTP, not over SSH." > /etc/nologin.txt
+# ssh-keygen -q -N "" -t ed25519 -f /etc/ssh/keys/ed25519
+# ssh-keygen -q -N "" -t rsa -b 3072 -f /etc/ssh/keys/rsa-3072
+# awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.safe
+# mv /etc/ssh/moduli.safe /etc/ssh/moduli
+```
+
+To get the ASCII art and SHA-256 fingerprints:
+```
+# ssh-keygen -vlf /etc/ssh/keys/ed25519.pub
+# ssh-keygen -vlf /etc/ssh/keys/rsa-3072.pub
+```
+
+To generate SSHFP records:
+```
+# ssh-keygen -r sftp.niver.4.niv.re -f /etc/ssh/ed25519.pub
+# ssh-keygen -r sftp.niver.4.niv.re -f /etc/ssh/rsa-3072.pub
+```
+Don't use the first record, which is SHA-1, use the second, which is SHA-256.
+`SSHFP <pkey-algorithm> <hash-algorithm> <fingerprint>`
+For `pkey-algorithm`:
+* `1` means RSA
+* `2` means DSA (must not be used)
+* `3` means ECDSA (should not be used)
+* `4` means Ed25519
+For `hash-algorithm`:
+* `1` means SHA-1 (must not be used)
+* `2` means SHA-256
--- a/arch/quota.md
+++ b/arch/quota.md
@ -0,0 +1,16 @@
+# Quota setup
+
+```
+# pacman -S quota-tool
+# dd if=/dev/zero of=/srv/ht.img count=4194304 # count is the size in octet
+# mkfs.ext4 /srv/ht.img
+# mkdir /srv/ht
+# mount /srv/ht.img /srv/ht
+```
+
+```
+# quotacheck -gcum /
+# quotaon -v /
+```
+
+UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx	/         	ext4      	rw,relatime,usrquota,grpquota	0 1
--- a/install.md
+++ b/install.md
@ -0,0 +1,144 @@
+# Niver setup on Debian 11 (bullseye)
+
+```
+# apt install tor knot openssh-server sudo nginx certbot python3-certbot-nginx php7.4-fpm php-sqlite3 quota
+```
+
+## Create system users
+
+```
+# useradd -U -r -s /usr/sbin/nologin <username>
+```
+
+## Twins
+
+```
+$ wget https://golang.org/dl/go1.16.7.linux-amd64.tar.gz -o go.tar.gz
+$ tar -xf go.tar.gz
+$ go/bin/go get code.rocketnine.space/tslocum/twins
+$ cp go/bin/twins /usr/local/bin/
+```
+
+## maniver
+
+Installation
+```
+# apt install gcc git
+$ git clone https://code.antopie.org/Niver/maniver && cd maniver
+$ curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
+$ cargo build --release
+# cp target/release/maniver /usr/local/bin/
+# chown root:php-niver /usr/local/bin/maniver
+# chmod 750 /usr/local/bin/maniver
+```
+
+Update
+```
+$ git fetch
+$ rustup update
+$ cargo update
+$ cargo build --release
+# cp target/release/maniver /usr/local/bin/
+```
+
+## gmnisrv
+
+```
+# apt install git make pkg-config libssl-dev scdoc
+$ git clone https://git.sr.ht/~sircmpwn/gmnisrv # Download gmnisrv sources
+$ mkdir gmnisrv/build
+$ cd gmnisrv/build
+$ ../configure --prefix=/usr # Check gmnisrv dependencies and setup files needed for building
+$ make # Build gmnisrv
+# make install # Install gmnisrv binary and manpages on the system
+# useradd -U -r -s /usr/sbin/nologin gmnisrv # Add the gmnisrv system user and group
+# vim /etc/systemd/system/gmnisrv.service
+```
+
+```
+[Unit]
+Description=Gmnisrv, a Gemini server
+After=network.target
+Wants=network.target
+
+[Service]
+Type=simple
+ExecStart=/usr/local/bin/gmnisrv
+Restart=always
+User=gmnisrv
+Group=gmnisrv
+WorkingDirectory=/srv/ht
+
+[Install]
+WantedBy=multi-user.target
+```
+```
+# systemctl daemon-reload
+# mkdir -p /srv/gmi/niver.4.niv.re
+# echo "This is a testing Gemini capsule" > /srv/gmi/niver.4.niv.re/index.gmi
+# mkdir /var/lib/gemini
+# chmod -R 700 /var/lib/gemini
+# chown -R gmnisrv:gmnisrv /var/lib/gemini
+# vim /etc/gmnisrv.ini
+```
+
+```
+# Space-separated list of hosts
+listen=0.0.0.0:1965 [::]:1965
+
+[:tls]
+# Path to store certificates on disk
+store=/var/lib/gemini
+
+[niver.4.niv.re]
+root=/srv/gmi/niver.4.niv.re
+```
+
+
+## SFTP
+
+```
+# groupadd ht
+```
+
+## Quota
+
+```
+# quotacheck -cm /
+# vim /etc/fstab
+```
+
+UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx / ext4 usrquota,grpquota,errors=remount-ro 0 1
+
+## Knot DNS
+
+```
+# sudo -u knot knotc conf-init
+# sudo -u knot knotc conf-import <path to default niver knot conf>
+```
+
+## Nginx
+
+Generate a self-signed certificate for default Nginx site.
+```
+# openssl req -subj '/' -new -newkey RSA:3072 -days 3650 -nodes -x509 -keyout /etc/ssl/private/niver.key -out /etc/ssl/certs/niver.crt
+```
+
+## Niver-PHP
+
+```
+# chown -R root:root /usr/local/share/niver
+# chmod -R u=rwX,go=rX /usr/local/share/niver
+# mkdir /etc/nginx/ht
+# chown -R php-niver:php-niver /etc/nginx/ht
+# chmod -R 775 /etc/nginx/ht
+```
+
+Increase `session.gc_maxlifetime` in /etc/php/7.4/fpm/php.ini to avoid sessions being cleared too soon.
+
+## Tor
+
+This command only exist on Debian
+```
+# tor-instance-create niver
+```
--- a/knot.conf
+++ b/knot.conf
@ -0,0 +1,27 @@
+server:
+    rundir: "/run/knot"
+    user: "knot:knot"
+    listen: [ "0.0.0.0@53", "::@53" ]
+
+log:
+  - target: "/var/log/knot.log"
+    any: "debug"
+
+database:
+    storage: "/var/lib/knot"
+
+policy:
+  - id: "niver"
+    algorithm: "ed25519"
+    nsec3: "on"
+
+template:
+  - id: "niver"
+    storage: "/var/lib/knot/zones"
+    file: "%s.zone"
+    dnssec-signing: "on"
+    dnssec-policy: "niver"
+
+zone:
+  - domain: "niv.re."
+    template: "niver"
--- a/nginx/dhparam
+++ b/nginx/dhparam
@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
+-----END DH PARAMETERS-----
--- a/nginx/inc/errors.conf
+++ b/nginx/inc/errors.conf
@ -0,0 +1,71 @@
+recursive_error_pages on;
+return 404;
+# 403 Forbidden
+error_page 403 @403;
+location @403 {
+    root /srv/http/errors;
+    try_files /403.html =500;
+}
+
+# 404 Not Found
+error_page 404 @local404;
+location @local404 {
+    try_files /404.html /404.md /404.gmi @niver404;
+}
+location @niver404 {
+    root /srv/http/errors;
+    try_files /404.php =500;
+    index 404.php;
+    fastcgi_split_path_info ^(.+\.php)(/.+)$;
+    fastcgi_pass unix:/var/run/php-fpm/errors.sock;
+    include inc/fastcgi.conf;
+}
+
+# 405 Method Not Allowed
+error_page 405 @405;
+location @405 {
+    root /srv/http/errors;
+    try_files /405.html =500;
+}
+
+# 410 Gone
+error_page 410 @410;
+location @410 {
+    root /srv/http/errors;
+    try_files /410.html =500;
+}
+
+# 418 I'm a teapot
+error_page 418 @418;
+location @418 {
+    root /srv/http/errors;
+    try_files /418.html =500;
+}
+
+# 500 Internal Server Error
+error_page 500 @500;
+location @500 {
+    root /srv/http/errors;
+    try_files /500.html =500;
+}
+
+# 502 Bad Gateway
+error_page 502 @502;
+location @502 {
+    root /srv/http/errors;
+    try_files /502.html =500;
+}
+
+# 503 Service Unavailable
+error_page 503 @503;
+location @503 {
+    root /srv/http/errors;
+    try_files /503.html =500;
+}
+
+# 504 Gateway Timeout
+error_page 504 @504;
+location @504 {
+    root /srv/http/errors;
+    try_files /504.html =500;
+}
--- a/nginx/inc/fastcgi.conf
+++ b/nginx/inc/fastcgi.conf
@ -0,0 +1,26 @@
+
+fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;
+fastcgi_param  QUERY_STRING       $query_string;
+fastcgi_param  REQUEST_METHOD     $request_method;
+fastcgi_param  CONTENT_TYPE       $content_type;
+fastcgi_param  CONTENT_LENGTH     $content_length;
+
+fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
+fastcgi_param  REQUEST_URI        $request_uri;
+fastcgi_param  DOCUMENT_URI       $document_uri;
+fastcgi_param  DOCUMENT_ROOT      $document_root;
+fastcgi_param  SERVER_PROTOCOL    $server_protocol;
+fastcgi_param  REQUEST_SCHEME     $scheme;
+fastcgi_param  HTTPS              $https if_not_empty;
+
+fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
+fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;
+
+fastcgi_param  REMOTE_ADDR        $remote_addr;
+fastcgi_param  REMOTE_PORT        $remote_port;
+fastcgi_param  SERVER_ADDR        $server_addr;
+fastcgi_param  SERVER_PORT        $server_port;
+fastcgi_param  SERVER_NAME        $server_name;
+
+# PHP only, required if PHP was built with --enable-force-cgi-redirect
+fastcgi_param  REDIRECT_STATUS    200;
--- a/nginx/inc/intermediate.conf
+++ b/nginx/inc/intermediate.conf
@ -0,0 +1,5 @@
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ssl_dhparam /etc/nginx/dhparam;
+
+include inc/security.conf;
--- a/nginx/inc/modern.conf
+++ b/nginx/inc/modern.conf
@ -0,0 +1,3 @@
+ssl_protocols TLSv1.3;
+
+include inc/security.conf;
--- a/nginx/inc/niver-csp.conf
+++ b/nginx/inc/niver-csp.conf
@ -0,0 +1 @@
+more_set_headers "Content-Security-Policy : default-src 'self'; object-src 'none';"; 
--- a/nginx/inc/security.conf
+++ b/nginx/inc/security.conf
@ -0,0 +1,24 @@
+more_set_headers "X-Content-Type-Options : nosniff";
+more_set_headers "X-XSS-Protection : 1; mode=block";
+more_set_headers "X-Download-Options : noopen";
+more_set_headers "X-Permitted-Cross-Domain-Policies : none";
+more_set_headers "X-Frame-Options : DENY";
+more_set_headers "Referrer-Policy : no-referrer";
+more_set_headers "Strict-Transport-Security : max-age=94608000; includeSubDomains; preload";
+#more_set_headers "Server : nginx Niver";
+
+more_clear_headers Server;
+
+ssl_session_timeout 1d;
+ssl_session_cache shared:SSL:50m;
+ssl_session_tickets off;
+ssl_prefer_server_ciphers off;
+ssl_stapling on;
+ssl_stapling_verify on;
+
+ssl_certificate /etc/letsencrypt/live/niver.atope.art/fullchain.pem;
+ssl_certificate_key /etc/letsencrypt/live/niver.atope.art/privkey.pem;
+
+autoindex off;
+
+gzip off;
--- a/nginx/mimetypes/full.conf
+++ b/nginx/mimetypes/full.conf
--- a/nginx/mimetypes/strict.conf
+++ b/nginx/mimetypes/strict.conf
@ -0,0 +1,39 @@
+types {
+    text/plain            txt;
+    text/gemini           gmi;
+    text/markdown         md;
+    text/html             html;
+    text/css              css;
+    text/xml              xml;
+    text/csv              csv;
+    text/javascript       js;
+
+    application/xhtml+xml xhtml;
+    application/atom+xml  atom;
+    application/rss+xml   rss;
+
+    application/json      json;
+    application/gzip      gz;
+    application/zip       zip;
+    application/epub+zip  epub;
+    application/pdf       pdf;
+    
+    font/woff             woff;
+    font/woff2            woff2;
+    
+    image/png             png;
+    image/tiff            tif tiff;
+    image/gif             gif;
+    image/jpeg            jpeg jpg;
+    image/svg+xml         svg svgz;
+    image/webp            webp;
+
+    audio/mpeg            mp3;
+    audio/ogg             ogg oga opus spx;
+    audio/webm            weba;
+    audio/flac            flac;
+
+    video/webm            webm;
+    video/mp4             mp4;
+    video/ogg             ogv;
+}
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@ -0,0 +1,27 @@
+load_module "/usr/lib/nginx/modules/ngx_http_headers_more_filter_module.so";
+worker_processes auto;
+
+events {}
+http {
+    include       mimetypes/strict.conf;
+    default_type  application/octet-stream;
+
+    #types_hash_bucket_size 128; # Default: 64
+    #types_hash_max_size 1024; # Default: 1024
+
+    sendfile        on;
+    #tcp_nopush     on;
+    
+    gzip_static on;
+
+    include sites/*.conf;
+    include inc/security.conf;
+
+    server_tokens off;
+    
+    #map $http_accept_language $lang {
+    #    default en;
+    #    ~en en;
+    #    ~fr fr;
+    #}
+}
--- a/nginx/sites/niver.atope.art.conf
+++ b/nginx/sites/niver.atope.art.conf
@ -0,0 +1,31 @@
+server {
+    listen 443 ssl http2 default_server;
+    listen [::]:443 ssl http2 default_server;
+    server_name niver.atope.art;
+
+    root /srv/http/niver;
+    index index.php index.html index.htm;
+    try_files $uri $uri/ @extensionless-php; # $uri.html 
+    index index.php;
+
+    include inc/modern.conf;
+    include inc/errors.conf;
+
+    error_log /var/log/nginx/niver.atope.art-error.log;
+    access_log /var/log/nginx/niver.atope.art-access.log;
+
+    more_set_headers "Content-Security-Policy : default-src 'none'; style-src 'self';";
+
+    location ~ \.php$ {
+        fastcgi_split_path_info ^(.+\.php)(/.+)$;
+        fastcgi_pass unix:/var/run/php-fpm/niver.sock;
+        #fastcgi_index index.php;
+        include inc/fastcgi.conf;
+        try_files $uri =404;
+    }
+
+    location @extensionless-php {
+        rewrite ^(.*)$ $1.php last;
+    }
+    
+}
--- a/php-fpm/errors.conf
+++ b/php-fpm/errors.conf
@ -0,0 +1,27 @@
+[errors]
+
+user = php-$pool
+group = php-$pool
+
+listen = /run/php-fpm/$pool.sock
+
+listen.owner = http
+listen.group = http
+
+pm = dynamic
+pm.max_children = 5
+pm.start_servers = 2
+pm.min_spare_servers = 1
+pm.max_spare_servers = 3
+
+access.log = /var/log/php/$pool-access.log
+
+chdir = /srv/http/$pool
+;chroot = /srv/http/$pool
+
+catch_workers_output = yes
+decorate_workers_output = yes
+
+clear_env = yes
+
+security.limit_extensions = .php
--- a/php-fpm/niver.conf
+++ b/php-fpm/niver.conf
@ -0,0 +1,26 @@
+[niver]
+
+user = php-$pool
+group = knot
+
+listen = /run/php-fpm/$pool.sock
+
+listen.owner = http
+listen.group = http
+
+pm = dynamic
+pm.max_children = 5
+pm.start_servers = 2
+pm.min_spare_servers = 1
+pm.max_spare_servers = 3
+
+access.log = /var/log/php/$pool-access.log
+
+chdir = /srv/http/$pool
+
+catch_workers_output = yes
+decorate_workers_output = yes
+
+clear_env = yes
+
+security.limit_extensions = .php
--- a/share/banner.txt
+++ b/share/banner.txt
@ -0,0 +1 @@
+SFTP Access for Niver users
--- a/share/knot.template
+++ b/share/knot.template
@ -0,0 +1,2 @@
+DOMAIN 3600 SOA ns1.atope.art. hostmaster.antopie.org. 1 21600 7200 3628800 3600
+DOMAIN 86400 NS ns1.atope.art.
--- a/share/nginx/dns.template
+++ b/share/nginx/dns.template
@ -0,0 +1,27 @@
+server {
+    listen 80;
+    listen [::]:80;
+    server_name DOMAIN;
+    return 301 https://DOMAIN$request_uri;
+}
+
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+    server_name DOMAIN;
+    root /srv/hyper/USER/hyper/DIR;
+
+    ssl_certificate /etc/letsencrypt/live/host.atope.art/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/host.atope.art/privkey.pem;
+
+    access_log /var/log/nginx/DOMAIN-access.log;
+    error_log /var/log/nginx/DOMAIN-error.log;
+
+    include /etc/nginx/inc/intermediate.conf.inc;
+
+    default_type text/plain;
+
+    location / {
+        try_files $uri $uri.html $uri/ =404;
+    }
+}
--- a/share/nginx/onion.template
+++ b/share/nginx/onion.template
@ -0,0 +1,9 @@
+server {
+    listen [::1]:80;
+    server_name DOMAIN;
+    root /srv/hyper/USER/hyper/DIR;
+
+    location / {
+        try_files $uri $uri.html $uri/ =404;
+    }
+}
--- a/share/skel/about.txt
+++ b/share/skel/about.txt
@ -0,0 +1,5 @@
+Ceci est le dossier personnel des utilisataires de Niver.
+Vous pouvez téléverser votre site dans un sous-dossier d'ht/.
+
+This is the personnal directory for Niver users.
+You can upload your site into a subdirectory of ht/.
--- a/88
+++ b/88
@ -0,0 +1,88 @@
+# Potiron
+
+LogLevel INFO # The possible values are: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.
+#VersionAddendum Niver
+AllowGroups root ht
+Subsystem sftp /usr/lib/ssh/sftp-server
+
+## Network
+
+AddressFamily any
+ListenAddress 0.0.0.0
+ListenAddress ::
+Port 22
+
+## Cryptography
+
+HostKey /etc/ssh/keys/ed25519
+HostKey /etc/ssh/keys/rsa-3072
+
+Ciphers chacha20-poly1305@openssh.com,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr
+HostKeyAlgorithms ssh-ed25519,rsa-sha2-256,rsa-sha2-512
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
+MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
+
+## Sessions
+
+PermitRootLogin prohibit-password
+StrictModes yes
+MaxAuthTries 6
+MaxSessions 1
+MaxStartups 3:20:200
+LoginGraceTime 3m
+PrintMotd yes
+
+## Disable everything
+
+PermitTTY no
+PermitTunnel no
+
+AllowTcpForwarding no
+X11Forwarding no
+AllowAgentForwarding no
+AllowStreamLocalForwarding no
+DisableForwarding yes # Disables all forwarding features, including X11, ssh-agent(1), TCP and StreamLocal.
+
+PermitUserRC no
+PermitUserEnvironment no
+IgnoreRhosts yes
+AuthorizedKeysFile none
+
+AuthenticationMethods none
+PubkeyAuthentication no
+PasswordAuthentication no
+KbdInteractiveAuthentication no
+PermitEmptyPasswords no
+ChallengeResponseAuthentication no
+
+UsePAM no
+
+## Enable usefull features
+
+### Administrator access
+Match Group root
+
+    #### Authentication
+    PubkeyAuthentication yes
+    AuthenticationMethods publickey
+    AuthorizedKeysFile .ssh/authorized_keys
+
+    #### Allow the use of a terminal
+    PermitTTY yes
+
+### SFTP access
+Match Group ht
+
+    #### Authentication
+    PasswordAuthentication yes
+    AuthenticationMethods password
+    #AuthorizedKeysFile keys
+
+    #### Chroot to the home directory
+    ChrootDirectory %h # %h is home directory, %u is username
+
+    #### Only SFTP can be used
+    ForceCommand internal-sftp
+
+    #### Print a message before login
+    Banner /usr/local/share/niver/banner.txt
				`@ -0,0 +1 @@`
				`more_set_headers "Content-Security-Policy : default-src 'self'; object-src 'none';";`