Niver > ServNest
This commit is contained in:
parent
9a0f47d8d9
commit
0bcf4dbbb5
14
README.md
14
README.md
|
@ -1,19 +1,19 @@
|
|||
# Niver system images generator
|
||||
# ServNest system images generator
|
||||
|
||||
This is the sources to build system images of Niver using mkosi. You can then use them with systemd-nspawn.
|
||||
This is the sources to build system images of ServNest using mkosi. You can then use them with systemd-nspawn.
|
||||
|
||||
## Usage
|
||||
|
||||
This generator allows to build images for both Arch Linux and Debian Testing, you can replace `<sysid>` by either `arch` or `debian` in the following examples. Note that mkosi may require tools that are not available on your distribution.
|
||||
|
||||
You can generate a new image in `/var/lib/machines/niver-<sysid>` by running `mkosi --force -d <sysid>` from this directory (`--force` will erase an already existing image).
|
||||
You can generate a new image in `/var/lib/machines/servnest-<sysid>` by running `mkosi --force -d <sysid>` from this directory (`--force` will erase an already existing image).
|
||||
|
||||
You will need to copy `mkosi.nspawn` into `/etc/systemd/nspawn/niver-<sysid>.nspawn` to allow the container to use network without restrictions.
|
||||
You will need to copy `mkosi.nspawn` into `/etc/systemd/nspawn/servnest-<sysid>.nspawn` to allow the container to use network without restrictions.
|
||||
|
||||
You can then boot the container:
|
||||
```
|
||||
machinectl start niver-<sysid>
|
||||
machinectl shell niver-<sysid>
|
||||
machinectl start servnest-<sysid>
|
||||
machinectl shell servnest-<sysid>
|
||||
```
|
||||
|
||||
The full explanation of the structure in this repository can be found on the mkosi manpage. Here is a summary of what mkosi will do in this repository:
|
||||
|
@ -27,4 +27,4 @@ The full explanation of the structure in this repository can be found on the mko
|
|||
|
||||
## License
|
||||
|
||||
Niver system images generator is ethical libre software: you can use, redistribute or modify it under the terms of the CNPL-NAv7+ as found in LICENSE.md or at <https://git.pixie.town/thufie/npl-builder>.
|
||||
ServNest system images generator is ethical libre software: you can use, redistribute or modify it under the terms of the CNPL-NAv7+ as found in LICENSE.md or at <https://git.pixie.town/thufie/npl-builder>.
|
||||
|
|
|
@ -3,7 +3,7 @@ Autologin = yes
|
|||
|
||||
[Output]
|
||||
Format = directory
|
||||
Hostname = niver.test
|
||||
Hostname = servnest.test
|
||||
|
||||
[Content]
|
||||
BasePackages = yes
|
||||
|
|
|
@ -4,7 +4,7 @@ Distribution = arch
|
|||
|
||||
|
||||
[Output]
|
||||
Output = /var/lib/machines/niver-arch
|
||||
Output = /var/lib/machines/servnest-arch
|
||||
|
||||
[Content]
|
||||
Packages =
|
||||
|
|
|
@ -4,7 +4,7 @@ Release = testing
|
|||
Mirror = https://deb.debian.org/debian
|
||||
|
||||
[Output]
|
||||
Output = /var/lib/machines/niver-debian
|
||||
Output = /var/lib/machines/servnest-debian
|
||||
|
||||
[Content]
|
||||
Packages =
|
||||
|
@ -16,3 +16,4 @@ Packages =
|
|||
golang-1.18
|
||||
openssh-server
|
||||
iputils-ping
|
||||
gettext
|
||||
|
|
|
@ -24,30 +24,33 @@ remote:
|
|||
key: "primary-to-secondary."
|
||||
|
||||
policy:
|
||||
- id: "niver"
|
||||
- id: "servnest"
|
||||
algorithm: "ed25519"
|
||||
nsec3: "on"
|
||||
nsec3-iterations: 10
|
||||
|
||||
template:
|
||||
- id: "niver"
|
||||
storage: "/srv/niver/ns"
|
||||
- id: "servnest"
|
||||
storage: "/srv/servnest/ns"
|
||||
file: "%s.zone"
|
||||
zonefile-load: "whole"
|
||||
journal-content: "all"
|
||||
dnssec-signing: "on"
|
||||
dnssec-policy: "niver"
|
||||
dnssec-policy: "servnest"
|
||||
catalog-role: "member"
|
||||
catalog-zone: "niver.test.invalid."
|
||||
catalog-zone: "servnest.test.invalid."
|
||||
|
||||
zone:
|
||||
- domain: "niver.test.invalid."
|
||||
- domain: "servnest.test.invalid."
|
||||
notify: "secondary"
|
||||
zonefile-load: "whole"
|
||||
journal-content: "all"
|
||||
catalog-role: "generate"
|
||||
|
||||
- domain: "niver.test."
|
||||
template: "niver"
|
||||
storage: "/srv/niver/reg"
|
||||
- domain: "servnest.test."
|
||||
template: "servnest"
|
||||
storage: "/srv/servnest/reg"
|
||||
- domain: "test.servnest.test."
|
||||
template: "servnest"
|
||||
storage: "/srv/servnest/reg"
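Review bot: The new `test.servnest.test.` zone entry inherits `dnssec-signing: "on"` from the `servnest` template, but the `servnest.test` zone file added later in this commit (`@ -0,0 +1,9 @@`) delegates it with an NS record only and no DS, so unless DS publication is handled outside this diff (for example the policy's `ds-push` or a manual insert) validating resolvers treat the child as unsigned and its signatures buy nothing. If a validated chain is wanted, add the DS to the parent zone file or configure `ds-push` on the policy; if the child is meant to stay unsigned, give it its own template without `dnssec-signing`. The same zone entry is added in the second knot configuration hunk (`@ -13,21 +13,24 @@ database:`), so the same remark applies there.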
|
||||
|
||||
|
|
|
@ -24,14 +24,14 @@ remote:
|
|||
key: "primary-to-secondary."
|
||||
|
||||
template:
|
||||
- id: "niver"
|
||||
- id: "servnest"
|
||||
storage: "/var/lib/knot"
|
||||
file: "%s.zone"
|
||||
master: "primary"
|
||||
|
||||
zone:
|
||||
- domain: "niver.test.invalid."
|
||||
- domain: "servnest.test.invalid."
|
||||
master: "primary"
|
||||
catalog-role: interpret
|
||||
catalog-template: "niver"
|
||||
catalog-template: "servnest"
|
||||
|
||||
|
|
|
@ -13,21 +13,24 @@ database:
|
|||
storage: "/var/lib/knot"
|
||||
|
||||
policy:
|
||||
- id: "niver"
|
||||
- id: "servnest"
|
||||
algorithm: "ed25519"
|
||||
nsec3: "on"
|
||||
nsec3-iterations: 10
|
||||
|
||||
template:
|
||||
- id: "niver"
|
||||
storage: "/srv/niver/ns"
|
||||
- id: "servnest"
|
||||
storage: "/srv/servnest/ns"
|
||||
file: "%s.zone"
|
||||
zonefile-load: "whole"
|
||||
journal-content: "all"
|
||||
dnssec-signing: "on"
|
||||
dnssec-policy: "niver"
|
||||
dnssec-policy: "servnest"
|
||||
|
||||
zone:
|
||||
- domain: "niver.test."
|
||||
template: "niver"
|
||||
storage: "/srv/niver/reg"
|
||||
- domain: "servnest.test."
|
||||
template: "servnest"
|
||||
storage: "/srv/servnest/reg"
|
||||
- domain: "test.servnest.test."
|
||||
template: "servnest"
|
||||
storage: "/srv/servnest/reg"
|
||||
|
|
|
@ -3,21 +3,21 @@ recursive_error_pages on;
|
|||
# 403 Forbidden
|
||||
error_page 403 @403;
|
||||
location @403 {
|
||||
root /srv/niver/errors;
|
||||
root /srv/servnest/errors;
|
||||
try_files /403.html =500;
|
||||
}
|
||||
|
||||
# 404 Not Found
|
||||
error_page 404 @local404;
|
||||
location @local404 {
|
||||
try_files /404.html /404.md /404.gmi @niver404;
|
||||
try_files /404.html /404.md /404.gmi @servnest404;
|
||||
}
|
||||
location @niver404 {
|
||||
root /srv/niver/errors;
|
||||
location @servnest404 {
|
||||
root /srv/servnest/errors;
|
||||
try_files /404.php =500;
|
||||
index /404.php;
|
||||
fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
||||
fastcgi_pass unix:/run/php-fpm/niver.sock;
|
||||
fastcgi_pass unix:/run/php-fpm/servnest.sock;
|
||||
include inc/fastcgi.conf;
|
||||
fastcgi_index /404.php;
|
||||
}
|
||||
|
@ -25,48 +25,48 @@ location @niver404 {
|
|||
# 405 Method Not Allowed
|
||||
error_page 405 @405;
|
||||
location @405 {
|
||||
root /srv/niver/errors;
|
||||
root /srv/servnest/errors;
|
||||
try_files /405.html =500;
|
||||
}
|
||||
|
||||
# 410 Gone
|
||||
error_page 410 @410;
|
||||
location @410 {
|
||||
root /srv/niver/errors;
|
||||
root /srv/servnest/errors;
|
||||
try_files /410.html =500;
|
||||
}
|
||||
|
||||
# 418 I'm a teapot
|
||||
error_page 418 @418;
|
||||
location @418 {
|
||||
root /srv/niver/errors;
|
||||
root /srv/servnest/errors;
|
||||
try_files /418.html =500;
|
||||
}
|
||||
|
||||
# 500 Internal Server Error
|
||||
error_page 500 @500;
|
||||
location @500 {
|
||||
root /srv/niver/errors;
|
||||
root /srv/servnest/errors;
|
||||
try_files /500.html =500;
|
||||
}
|
||||
|
||||
# 502 Bad Gateway
|
||||
error_page 502 @502;
|
||||
location @502 {
|
||||
root /srv/niver/errors;
|
||||
root /srv/servnest/errors;
|
||||
try_files /502.html =500;
|
||||
}
|
||||
|
||||
# 503 Service Unavailable
|
||||
error_page 503 @503;
|
||||
location @503 {
|
||||
root /srv/niver/errors;
|
||||
root /srv/servnest/errors;
|
||||
try_files /503.html =500;
|
||||
}
|
||||
|
||||
# 504 Gateway Timeout
|
||||
error_page 504 @504;
|
||||
location @504 {
|
||||
root /srv/niver/errors;
|
||||
root /srv/servnest/errors;
|
||||
try_files /504.html =500;
|
||||
}
|
||||
|
|
|
@ -30,9 +30,9 @@ http {
|
|||
"" 0;
|
||||
default 1;
|
||||
}
|
||||
log_format niver '|$time_local| [$remote_addr]@$server_name {$ssl_protocol $ssl_cipher} $status $body_bytes_sent "$request" "$http_user_agent"';
|
||||
log_format servnest '|$time_local| [$remote_addr]@$server_name {$ssl_protocol $ssl_cipher} $status $body_bytes_sent "$request" "$http_user_agent"';
|
||||
error_log /var/log/nginx/error.log notice;
|
||||
access_log /var/log/nginx/access.log niver if=$loggable;
|
||||
access_log /var/log/nginx/access.log servnest if=$loggable;
|
||||
|
||||
# Disable useless/dangerous features
|
||||
etag off;
|
||||
|
@ -56,9 +56,9 @@ http {
|
|||
# OCSP Stapling
|
||||
#ssl_stapling on;
|
||||
#ssl_stapling_verify on;
|
||||
#ssl_trusted_certificate /etc/letsencrypt/live/niver.test/chain.pem;
|
||||
#ssl_trusted_certificate /etc/letsencrypt/live/servnest.test/chain.pem;
|
||||
|
||||
# Include other configuration
|
||||
include sites/*.conf;
|
||||
include /srv/niver/nginx/*.conf;
|
||||
include /srv/servnest/nginx/*.conf;
|
||||
}
|
||||
|
|
|
@ -2,21 +2,21 @@ server {
|
|||
listen [::1]:42443 ssl http2 default_server;
|
||||
listen 127.0.0.1:42443 ssl http2 default_server;
|
||||
|
||||
ssl_certificate /etc/ssl/certs/niver.crt;
|
||||
ssl_certificate_key /etc/ssl/private/niver.key;
|
||||
ssl_certificate /etc/ssl/certs/servnest.crt;
|
||||
ssl_certificate_key /etc/ssl/private/servnest.key;
|
||||
|
||||
ssl_stapling off;
|
||||
|
||||
root /srv/niver/errors;
|
||||
root /srv/servnest/errors;
|
||||
try_files index.php index.html $uri $uri/;
|
||||
index index.php index.html;
|
||||
|
||||
location / {
|
||||
root /srv/niver/errors;
|
||||
root /srv/servnest/errors;
|
||||
try_files /index.php =500;
|
||||
index index.php;
|
||||
fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
||||
fastcgi_pass unix:/run/php-fpm/niver.sock;
|
||||
fastcgi_pass unix:/run/php-fpm/servnest.sock;
|
||||
include /etc/nginx/inc/fastcgi.conf;
|
||||
}
|
||||
|
||||
|
|
|
@ -9,15 +9,15 @@ server {
|
|||
# Display an explanation page
|
||||
error_page 403 @http403;
|
||||
location @http403 {
|
||||
root /srv/niver/errors;
|
||||
root /srv/servnest/errors;
|
||||
try_files /http.php =500;
|
||||
index http.php;
|
||||
fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
||||
fastcgi_pass unix:/run/php-fpm/niver.sock;
|
||||
fastcgi_pass unix:/run/php-fpm/servnest.sock;
|
||||
include inc/fastcgi.conf;
|
||||
}
|
||||
|
||||
location /.well-known/acme-challenge {
|
||||
root /srv/niver/acme/;
|
||||
root /srv/servnest/acme/;
|
||||
}
|
||||
}
|
||||
|
|
|
@ -1,9 +1,9 @@
|
|||
server {
|
||||
listen [::1]:42443 ssl http2;
|
||||
listen 127.0.0.1:42443 ssl http2;
|
||||
server_name niver.test;
|
||||
server_name servnest.test;
|
||||
|
||||
root /srv/niver/core;
|
||||
root /srv/servnest/core;
|
||||
|
||||
include inc/tls.conf;
|
||||
include inc/errors.conf;
|
||||
|
@ -12,19 +12,19 @@ server {
|
|||
|
||||
location / {
|
||||
fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
||||
fastcgi_pass unix:/run/php-fpm/niver.sock;
|
||||
fastcgi_pass unix:/run/php-fpm/servnest.sock;
|
||||
include inc/fastcgi.conf;
|
||||
try_files /router.php =500;
|
||||
}
|
||||
|
||||
location /css {
|
||||
alias /srv/niver/core/css;
|
||||
alias /srv/servnest/core/css;
|
||||
}
|
||||
|
||||
location /docs {
|
||||
alias /srv/niver/docs;
|
||||
alias /srv/servnest/docs;
|
||||
}
|
||||
|
||||
ssl_certificate /etc/ssl/certs/niver.crt;
|
||||
ssl_certificate_key /etc/ssl/private/niver.key;
|
||||
ssl_certificate /etc/ssl/certs/servnest.crt;
|
||||
ssl_certificate_key /etc/ssl/private/servnest.key;
|
||||
}
|
||||
|
|
|
@ -0,0 +1,30 @@
|
|||
server {
|
||||
listen [::1]:42443 ssl http2;
|
||||
listen 127.0.0.1:42443 ssl http2;
|
||||
server_name servnest.test;
|
||||
|
||||
root /srv/servnest/core;
|
||||
|
||||
include inc/tls.conf;
|
||||
include inc/errors.conf;
|
||||
|
||||
more_set_headers "Content-Security-Policy : default-src 'none'; style-src 'self'; frame-ancestors 'none'; form-action 'self';";
|
||||
|
||||
location / {
|
||||
fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
||||
fastcgi_pass unix:/run/php-fpm/servnest.sock;
|
||||
include inc/fastcgi.conf;
|
||||
try_files /router.php =500;
|
||||
}
|
||||
|
||||
location /css {
|
||||
alias /srv/servnest/core/css;
|
||||
}
|
||||
|
||||
location /docs {
|
||||
alias /srv/servnest/docs;
|
||||
}
|
||||
|
||||
ssl_certificate /etc/ssl/certs/servnest.crt;
|
||||
ssl_certificate_key /etc/ssl/private/servnest.key;
|
||||
}
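Review bot: The new `more_set_headers` line spells the header name as `Content-Security-Policy :` with a space before the colon; I cannot confirm from here whether headers-more trims that space from the name, and if it does not, browsers see an unknown header and the policy is silently ignored. Drop the space, `more_set_headers "Content-Security-Policy: default-src 'none'; style-src 'self'; frame-ancestors 'none'; form-action 'self';";`, and verify the emitted header name with a response-header check. Since `default-src` does not govern `base-uri`, consider adding `base-uri 'none'` to the same policy.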
|
|
@ -1,14 +1,14 @@
|
|||
server {
|
||||
listen [::1]:8055;
|
||||
|
||||
root /srv/niver/core;
|
||||
root /srv/servnest/core;
|
||||
|
||||
include inc/errors.conf;
|
||||
|
||||
location / {
|
||||
try_files /sftpgo-auth.php =500;
|
||||
fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
||||
fastcgi_pass unix:/run/php-fpm/niver.sock;
|
||||
fastcgi_pass unix:/run/php-fpm/servnest.sock;
|
||||
include inc/fastcgi.conf;
|
||||
}
|
||||
}
|
||||
|
|
|
@ -1,12 +1,12 @@
|
|||
server {
|
||||
listen [::1]:42443 ssl http2;
|
||||
listen 127.0.0.1:42443 ssl http2;
|
||||
server_name "~^(?<subdomain>[a-z0-9]{1,32})\.ht\.niver\.test$";
|
||||
server_name "~^(?<subdomain>[a-z0-9]{1,32})\.ht\.servnest\.test$";
|
||||
|
||||
include inc/ht-tls.conf;
|
||||
|
||||
ssl_certificate /etc/ssl/certs/niver.crt;
|
||||
ssl_certificate_key /etc/ssl/private/niver.key;
|
||||
ssl_certificate /etc/ssl/certs/servnest.crt;
|
||||
ssl_certificate_key /etc/ssl/private/servnest.key;
|
||||
|
||||
root /srv/niver/subdomain/${subdomain}/;
|
||||
root /srv/servnest/subdomain/${subdomain}/;
|
||||
}
|
||||
|
|
|
@ -1,12 +1,12 @@
|
|||
server {
|
||||
listen [::1]:42443 ssl http2;
|
||||
listen 127.0.0.1:42443 ssl http2;
|
||||
server_name ht.niver.test;
|
||||
server_name ht.servnest.test;
|
||||
|
||||
include inc/ht-tls.conf;
|
||||
|
||||
ssl_certificate /etc/ssl/certs/niver.crt;
|
||||
ssl_certificate_key /etc/ssl/private/niver.key;
|
||||
ssl_certificate /etc/ssl/certs/servnest.crt;
|
||||
ssl_certificate_key /etc/ssl/private/servnest.key;
|
||||
|
||||
root /srv/niver/subpath/;
|
||||
root /srv/servnest/subpath/;
|
||||
}
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
[niver]
|
||||
[servnest]
|
||||
|
||||
user = $pool
|
||||
group = knot
|
||||
|
|
|
@ -0,0 +1,24 @@
|
|||
[servnest]
|
||||
|
||||
user = $pool
|
||||
group = knot
|
||||
|
||||
listen = /run/php-fpm/$pool.sock
|
||||
|
||||
listen.owner = nginx
|
||||
listen.group = nginx
|
||||
|
||||
pm = dynamic
|
||||
pm.max_children = 5
|
||||
pm.start_servers = 2
|
||||
pm.min_spare_servers = 1
|
||||
pm.max_spare_servers = 3
|
||||
|
||||
access.log = /var/log/php/$pool-access.log
|
||||
|
||||
catch_workers_output = yes
|
||||
decorate_workers_output = yes
|
||||
|
||||
clear_env = yes
|
||||
|
||||
security.limit_extensions = .php
|
|
@ -1,9 +0,0 @@
|
|||
niver ALL=(root) NOPASSWD: /usr/bin/systemctl reload nginx
|
||||
niver ALL=(root) NOPASSWD: /usr/bin/systemctl reload tor
|
||||
niver ALL=(root) NOPASSWD: /usr/bin/chgrp ^sftpgo /srv/niver/ht/[0-9a-f]{64} --no-dereference$
|
||||
niver ALL=(root) NOPASSWD: /usr/bin/certbot ^certonly( --test-cert)? --key-type rsa --rsa-key-size 3072 --webroot --webroot-path /srv/niver/acme --domain ([a-z0-9_-]{1,63}\.){1,126}[a-z0-9]{1,63}$
|
||||
niver ALL=(root) NOPASSWD: /usr/bin/certbot ^delete --quiet --cert-name ([a-z0-9_-]{1,63}\.){1,126}[a-z0-9]{1,63}$
|
||||
niver ALL=(sftpgo) NOPASSWD: /usr/bin/rm ^--recursive /srv/niver/ht/[0-9a-f]{64}$
|
||||
niver ALL=(tor) NOPASSWD: /usr/bin/cat ^/srv/niver/tor-keys/[0-9a-f]{64}/[a-zA-Z0-9_-]{1,64}/hostname$
|
||||
niver ALL=(tor) NOPASSWD: /usr/bin/mkdir ^--mode=0700 /srv/niver/tor-keys/[0-9a-f]{64}$
|
||||
niver ALL=(tor) NOPASSWD: /usr/bin/rm ^--recursive /srv/niver/tor-keys/[0-9a-f]{64}(/[a-zA-Z0-9_-]{1,64})?$
|
|
@ -0,0 +1,9 @@
|
|||
servnest ALL=(root) NOPASSWD: /usr/bin/systemctl reload nginx
|
||||
servnest ALL=(root) NOPASSWD: /usr/bin/systemctl reload tor
|
||||
servnest ALL=(root) NOPASSWD: /usr/bin/chgrp ^sftpgo /srv/servnest/ht/[0-9a-f]{64} --no-dereference$
|
||||
servnest ALL=(root) NOPASSWD: /usr/bin/certbot ^certonly( --test-cert)? --key-type rsa --rsa-key-size 3072 --webroot --webroot-path /srv/servnest/acme --domain ([a-z0-9_-]{1,63}\.){1,126}[a-z0-9]{1,63}$
|
||||
servnest ALL=(root) NOPASSWD: /usr/bin/certbot ^delete --quiet --cert-name ([a-z0-9_-]{1,63}\.){1,126}[a-z0-9]{1,63}$
|
||||
servnest ALL=(sftpgo) NOPASSWD: /usr/bin/rm ^--recursive /srv/servnest/ht/[0-9a-f]{64}$
|
||||
servnest ALL=(tor) NOPASSWD: /usr/bin/cat ^/srv/servnest/tor-keys/[0-9a-f]{64}/[a-zA-Z0-9_-]{1,64}/hostname$
|
||||
servnest ALL=(tor) NOPASSWD: /usr/bin/mkdir ^--mode=0700 /srv/servnest/tor-keys/[0-9a-f]{64}$
|
||||
servnest ALL=(tor) NOPASSWD: /usr/bin/rm ^--recursive /srv/servnest/tor-keys/[0-9a-f]{64}(/[a-zA-Z0-9_-]{1,64})?$
|
|
@ -5,4 +5,4 @@ DataDirectory /var/lib/tor
|
|||
HiddenServiceNonAnonymousMode 1
|
||||
HiddenServiceSingleHopMode 1
|
||||
|
||||
%include /srv/niver/tor-config/*
|
||||
%include /srv/servnest/tor-config/*
|
||||
|
|
|
@ -3,47 +3,47 @@ source /etc/os-release
|
|||
|
||||
# Create system users
|
||||
useradd -U -r -s /usr/sbin/nologin nginx
|
||||
useradd -U -r -s /usr/sbin/nologin niver
|
||||
useradd -U -r -s /usr/sbin/nologin servnest
|
||||
useradd -U -r -s /usr/sbin/nologin sftpgo
|
||||
|
||||
# Set proper permissions
|
||||
|
||||
chown -R knot:knot /var/lib/knot/confdb
|
||||
chmod -R u=rwX,g=rwX,o= /var/lib/knot/confdb
|
||||
usermod -aG knot niver
|
||||
usermod -aG knot servnest
|
||||
|
||||
chown -R knot:knot /var/log/knot
|
||||
chmod -R u=rwX,g=,o= /var/log/knot
|
||||
|
||||
chown -R niver:knot /srv/niver/ns
|
||||
chmod -R u=rwX,g=rwX,o= /srv/niver/ns
|
||||
chown -R niver:knot /srv/niver/reg
|
||||
chmod -R u=rwX,g=rwX,o= /srv/niver/reg
|
||||
chown -R servnest:knot /srv/servnest/ns
|
||||
chmod -R u=rwX,g=rwX,o= /srv/servnest/ns
|
||||
chown -R servnest:knot /srv/servnest/reg
|
||||
chmod -R u=rwX,g=rwX,o= /srv/servnest/reg
|
||||
|
||||
chown -R niver:nginx /srv/niver/nginx /srv/niver/subpath /srv/niver/subdomain
|
||||
chmod -R u=rwX,g=rX,o= /srv/niver/nginx /srv/niver/subpath /srv/niver/subdomain
|
||||
chown -R servnest:nginx /srv/servnest/nginx /srv/servnest/subpath /srv/servnest/subdomain
|
||||
chmod -R u=rwX,g=rX,o= /srv/servnest/nginx /srv/servnest/subpath /srv/servnest/subdomain
|
||||
|
||||
chown -R sftpgo:sftpgo /etc/sftpgo
|
||||
chmod -R u=rX,g=rX,o=rX /etc/sftpgo
|
||||
chmod u=r,g=,o= /etc/sftpgo/ed25519
|
||||
|
||||
chown -R niver:sftpgo /srv/niver/ht
|
||||
chmod -R u=rwX,g=rwX,o=rX /srv/niver/ht
|
||||
chown -R servnest:sftpgo /srv/servnest/ht
|
||||
chmod -R u=rwX,g=rwX,o=rX /srv/servnest/ht
|
||||
|
||||
if [[ $ID = "debian" ]]; then
|
||||
chown -R niver:debian-tor /srv/niver/tor-config
|
||||
chown -R debian-tor:debian-tor /srv/niver/tor-keys
|
||||
chown -R servnest:debian-tor /srv/servnest/tor-config
|
||||
chown -R debian-tor:debian-tor /srv/servnest/tor-keys
|
||||
else
|
||||
chown -R niver:tor /srv/niver/tor-config
|
||||
chown -R tor:tor /srv/niver/tor-keys
|
||||
chown -R servnest:tor /srv/servnest/tor-config
|
||||
chown -R tor:tor /srv/servnest/tor-keys
|
||||
fi
|
||||
chmod -R u=rwX,g=rX,o= /srv/niver/tor-config
|
||||
chmod -R u=rwX,g=,o= /srv/niver/tor-keys
|
||||
chmod -R u=rwX,g=rX,o= /srv/servnest/tor-config
|
||||
chmod -R u=rwX,g=,o= /srv/servnest/tor-keys
|
||||
|
||||
chown -R niver:nginx /srv/niver/core /srv/niver/errors
|
||||
chmod -R u=rX,g=rX,o= /srv/niver/core /srv/niver/errors
|
||||
chown -R niver:niver /srv/niver/core/db
|
||||
chmod -R u=rwX,g=,o= /srv/niver/core/db
|
||||
chown -R servnest:nginx /srv/servnest/core /srv/servnest/errors
|
||||
chmod -R u=rX,g=rX,o= /srv/servnest/core /srv/servnest/errors
|
||||
chown -R servnest:servnest /srv/servnest/core/db
|
||||
chmod -R u=rwX,g=,o= /srv/servnest/core/db
|
||||
|
||||
# Load configuration in Knot database
|
||||
sudo -u knot knotc conf-import /etc/knot/knot.conf
|
||||
|
@ -53,11 +53,11 @@ sudo -u knot knotc conf-import /etc/knot/knot.conf
|
|||
export PHP_INI=/etc/php/php.ini
|
||||
|
||||
if [[ $ID = "debian" ]]; then
|
||||
rm /etc/php/8.1/fpm/php-fpm.conf
|
||||
ln -s /etc/php/php-fpm.conf /etc/php/8.1/fpm/php-fpm.conf
|
||||
ln -s /etc/php/php-fpm.d/ /etc/php/8.1/fpm/pool.d
|
||||
rm /etc/php/8.2/fpm/php-fpm.conf
|
||||
ln -s /etc/php/php-fpm.conf /etc/php/8.2/fpm/php-fpm.conf
|
||||
ln -s /etc/php/php-fpm.d/ /etc/php/8.2/fpm/pool.d
|
||||
|
||||
export PHP_INI=/etc/php/8.1/fpm/php.ini
|
||||
export PHP_INI=/etc/php/8.2/fpm/php.ini
|
||||
fi
|
||||
|
||||
# Configure PHP-FPM properly
|
||||
|
@ -67,6 +67,7 @@ expose_php = Off
|
|||
display_errors = On
|
||||
extension = pdo_sqlite
|
||||
extension = sodium
|
||||
extension = gettext
|
||||
zend_extension = opcache
|
||||
opcache.jit_buffer_size = 32M
|
||||
EOF
|
||||
|
@ -75,10 +76,10 @@ EOF
|
|||
|
||||
if [[ $ID = "debian" ]]; then
|
||||
sed -i 's/User tor/User debian-tor/' /etc/tor/torrc
|
||||
sed -i 's/reload tor/reload tor@default/' /etc/sudoers.d/niver
|
||||
sed -i 's/ALL=(tor)/ALL=(debian-tor)/' /etc/sudoers.d/niver
|
||||
sed -i 's/tor_service = "tor"/tor_service = "tor@default"/' /srv/niver/core/config.ini
|
||||
sed -i 's/tor_user = "tor"/tor_user = "debian-tor"/' /srv/niver/core/config.ini
|
||||
sed -i 's/reload tor/reload tor@default/' /etc/sudoers.d/servnest
|
||||
sed -i 's/ALL=(tor)/ALL=(debian-tor)/' /etc/sudoers.d/servnest
|
||||
sed -i 's/tor_service = "tor"/tor_service = "tor@default"/' /srv/servnest/core/config.ini
|
||||
sed -i 's/tor_user = "tor"/tor_user = "debian-tor"/' /srv/servnest/core/config.ini
|
||||
fi
|
||||
|
||||
# Start SystemD services at startup
|
||||
|
|
|
@ -8,15 +8,15 @@ rm -r /etc/nginx/*
|
|||
rm -r /etc/ssh/*
|
||||
rm /etc/tor/torrc
|
||||
if [[ $ID = "debian" ]]; then
|
||||
rm -r /etc/php/8.1/fpm/pool.d
|
||||
rm /usr/lib/tmpfiles.d/php8.1-fpm.conf
|
||||
rm -r /etc/php/8.2/fpm/pool.d
|
||||
rm /usr/lib/tmpfiles.d/php8.2-fpm.conf
|
||||
fi
|
||||
if [[ $ID = "arch" ]]; then
|
||||
rm /etc/php/php-fpm.d/*
|
||||
fi
|
||||
|
||||
# Generate default self-signed TLS key pair
|
||||
openssl req -subj '/' -new -newkey RSA:3072 -days 3650 -nodes -x509 -keyout /etc/ssl/private/niver.key -out /etc/ssl/certs/niver.crt
|
||||
openssl req -subj '/' -new -newkey RSA:3072 -days 3650 -nodes -x509 -keyout /etc/ssl/private/servnest.key -out /etc/ssl/certs/servnest.crt
|
||||
|
||||
# Generate OpenSSH server key pair
|
||||
ssh-keygen -f /etc/ssh/ed25519 -t ed25519 -N ""
|
||||
|
@ -29,7 +29,12 @@ fp=($(ssh-keygen -l -f /etc/sftpgo/ed25519))
|
|||
echo ${fp[1]} > /etc/sftpgo/ed25519.fp
|
||||
ssh-keygen -lv -f /etc/sftpgo/ed25519 | tail -n +2 > /etc/sftpgo/ed25519.asciiart
|
||||
# Generate SSHFP record
|
||||
echo ht.niver.test. 86400 SSHFP 4 2 $(cut -d ' ' -f 2 /etc/sftpgo/ed25519.pub | base64 -d | sha256sum | cut -d ' ' -f 1) >> /srv/niver/reg/niver.test.zone
|
||||
echo ht.servnest.test. 86400 SSHFP 4 2 $(cut -d ' ' -f 2 /etc/sftpgo/ed25519.pub | base64 -d | sha256sum | cut -d ' ' -f 1) >> /srv/servnest/reg/servnest.test.zone
|
||||
|
||||
# Create database
|
||||
sqlite3 /srv/niver/core/db/niver.db < /srv/niver/core/db/schema.sql
|
||||
sqlite3 /srv/servnest/core/db/servnest.db < /srv/servnest/core/db/schema.sql
|
||||
|
||||
sqlite3 /srv/servnest/core/db/servnest.db <<< "UPDATE params SET value = '$(openssl rand -hex 16)' WHERE name = 'username_salt';"
|
||||
|
||||
# Create translation Machine Objects files
|
||||
msgfmt /srv/servnest/core/locales/fr/C/LC_MESSAGES/messages.po -o /srv/servnest/core/locales/fr/C/LC_MESSAGES/messages.mo
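Review bot: The `username_salt` written by the new `sqlite3 ... UPDATE params` line is generated while the image is built, so every container instantiated from one built image (or from a published image) shares the same salt. If the salt is meant to be unique per deployment, generate it on first boot instead (a oneshot unit guarded by a marker file) or record the assumption above the line: `# Salt is fixed at image build time; rebuild with mkosi --force to get a fresh one.` The new `msgfmt` call needs gettext, which the Debian package hunk adds; the Arch package list hunk is truncated on this page, so I cannot confirm it is available there.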
|
||||
|
|
|
@ -1,2 +1,2 @@
|
|||
::1 niver.test
|
||||
127.0.0.1 niver.test
|
||||
::1 servnest.test
|
||||
127.0.0.1 servnest.test
|
||||
|
|
|
@ -1 +0,0 @@
|
|||
Niver
|
|
@ -32,7 +32,7 @@ address = "127.0.0.1"
|
|||
|
||||
[data_provider]
|
||||
driver = "memory"
|
||||
users_base_dir = "/srv/niver/ht"
|
||||
users_base_dir = "/srv/servnest/ht"
|
||||
external_auth_hook = "http://[::1]:8055/sftpgo-auth.php"
|
||||
external_auth_scope = 1
|
||||
naming_rules = 1
|
||||
|
|
|
@ -1,2 +1,2 @@
|
|||
[Service]
|
||||
ReadWritePaths=/srv/niver
|
||||
ReadWritePaths=/srv/servnest
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
[Service]
|
||||
ReadWritePaths=/srv/niver/tor-keys
|
||||
ReadWritePaths=/srv/servnest/tor-keys
|
||||
# To allow reloading service on Arch Linux
|
||||
CapabilityBoundingSet=CAP_KILL
|
||||
|
|
|
@ -1,8 +0,0 @@
|
|||
niver.test. 10800 SOA ns1.niver.test. admin.niver.test. 0 21600 7200 3628800 3600
|
||||
niver.test. 86400 NS ns1.niver.test.
|
||||
niver.test. 10800 A 127.0.0.1
|
||||
niver.test. 10800 AAAA ::1
|
||||
ns1.niver.test. 10800 A 127.0.0.1
|
||||
ns1.niver.test. 10800 AAAA ::1
|
||||
ht.niver.test. 10800 A 127.0.0.1
|
||||
ht.niver.test. 10800 AAAA ::1
|
|
@ -0,0 +1 @@
|
|||
Subproject commit 3b97b3cc2f249b4f71b2fa4580fb4df25f47ed9e
|
|
@ -0,0 +1 @@
|
|||
Subproject commit fbe714909c09701253c3f7e6254a2fab42b35161
|
|
@ -8,7 +8,7 @@
|
|||
<body>
|
||||
<h1>Nothing here</h1>
|
||||
<p>
|
||||
You reached Niver's default site using IP address. There's nothing for you here.
|
||||
You reached the default site of this server using IP address. There's nothing for you here.
|
||||
</p>
|
||||
<small>HTTP <code>404</code></small>
|
||||
</body>
|
|
@ -0,0 +1,9 @@
|
|||
servnest.test. 10800 SOA ns1.servnest.test. admin.servnest.test. 0 21600 7200 3628800 3600
|
||||
servnest.test. 86400 NS ns1.servnest.test.
|
||||
servnest.test. 10800 A 127.0.0.1
|
||||
servnest.test. 10800 AAAA ::1
|
||||
test.servnest.test. 86400 NS ns1.servnest.test.
|
||||
ns1.servnest.test. 10800 A 127.0.0.1
|
||||
ns1.servnest.test. 10800 AAAA ::1
|
||||
ht.servnest.test. 10800 A 127.0.0.1
|
||||
ht.servnest.test. 10800 AAAA ::1
|
|
@ -0,0 +1,4 @@
|
|||
test.servnest.test. 10800 SOA ns1.servnest.test. admin.servnest.test. 0 21600 7200 3628800 3600
|
||||
test.servnest.test. 86400 NS ns1.servnest.test.
|
||||
test.servnest.test. 10800 A 127.0.0.1
|
||||
test.servnest.test. 10800 AAAA ::1
|