Move important scripts and configs to /install

This commit is contained in:
Miraty 2023-02-07 19:52:54 +01:00
parent 26529e4c91
commit 216f747033
93 changed files with 209 additions and 204 deletions

6
.gitignore vendored

@ -1,6 +1,4 @@
/mkosi.cache/*
!/mkosi.cache/.gitkeep
/mkosi.passphrase
/mkosi.passwd
/mkosi.skeleton/root/.ssh/authorized_keys
/mkosi.skeleton/usr/local/bin/sftpgo
/root/.ssh/authorized_keys
/usr/local/bin/sftpgo

1
etc/apt/sources.list Normal file

@ -0,0 +1 @@
deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bookworm main
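Review bot: The new sources.list carries only the `bookworm main` suite, while the three-line bullseye list it replaces also pointed at a `debian-security` suite, so an image built from this file will never receive security updates through apt. Add the matching line once the suite exists for the release you target, e.g. `deb tor+http://5ajw6aqf3ep7sijnscdzw77t7xq4xjpsy335yb2wiwgouo7yfxtjlmid.onion/debian-security bookworm-security main`; if bookworm is deliberately tracked as testing here, say so in a comment so the omission is not read as an oversight. Plain `http` over the onion transport is acceptable because apt verifies the Release signatures, but that reasoning is worth a one-line comment too.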


@ -0,0 +1,3 @@
d /run/servnest 0555 root root - -
d /run/knot 0755 knot knot - -
d /run/php-fpm 0755 nginx nginx - -

24
install/install.sh Normal file

@ -0,0 +1,24 @@
# Set users and groups names
export sftpgo='sftpgo'
export servnest='servnest'
export knot='knot'
export nginx='nginx'
export tor='tor'
if [[ $OS = "debian" ]]; then
export tor='debian-tor'
fi
# Create system users and groups
useradd -U -r -s $(which nologin) $nginx
useradd -U -r -s $(which nologin) $servnest
useradd -U -r -s $(which nologin) $sftpgo
# Execute installation steps
source /install/sudo.sh
source /install/tor.sh
source /install/knot.sh
source /install/servnest.sh
source /install/php.sh
source /install/nginx.sh
source /install/sftpgo.sh
source /install/permissions.sh
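Review bot: Nothing stops on failure in install.sh: there is no `set -e`, so a failed `useradd` or a failed sourced step (for instance `knotc conf-import` in knot.sh) leaves the remaining steps running against a half-configured root, and `permissions.sh` at the end then silently fixes ownership on whatever happens to exist. Since this file is sourced by the postinst and none of the sourced siblings set options of their own, put `set -euo pipefail` at its top so the image build aborts on the first failure. Quote the shell lookup and use the builtin as well: `useradd -U -r -s "$(command -v nologin)" "$nginx"`, because a missing `nologin` currently collapses the `-s` argument. A leading `# Sourced by mkosi.postinst; expects $OS to be set` comment would document the one input this file depends on.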


@ -6,7 +6,7 @@ server:
listen: [ "::1@42053", "127.0.0.1@42053" ]
log:
- target: "/var/log/knot/knot.log"
- target: "syslog"
any: "debug"
database:
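Review bot: `any: "debug"` now goes to syslog, so every Knot subsystem logs at debug level into the system journal on a public server; `info` (or `warning`) is the usual production level, with debug reserved for troubleshooting. The switch also leaves `/var/log/knot` unused, yet `install/permissions.sh` in this same commit still chowns and chmods that directory; either drop those two lines or note in a comment that the directory is kept for an optional file target.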

5
install/knot.sh Normal file

@ -0,0 +1,5 @@
#!/usr/bin/bash
# Load configuration in Knot database
sudo -u $knot mkdir -p /var/lib/knot/confdb/
sudo -u $knot knotc conf-import /install/knot.conf

7
install/nginx.sh Normal file

@ -0,0 +1,7 @@
#!/usr/bin/bash
# Generate default self-signed TLS key pair
openssl req -subj '/' -new -newkey RSA:3072 -days 3650 -nodes -x509 -keyout /etc/ssl/private/servnest.key -out /etc/ssl/certs/servnest.crt
rm -r /etc/nginx/*
cp -r /install/nginx/* /etc/nginx/
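Review bot: The self-signed placeholder written by the `openssl req` line has an empty subject and no `subjectAltName`, and the key file's mode is left to OpenSSL rather than being pinned. The comment in the ServNest server block says a public deployment replaces the pair, so the thing to guard is that the key never ends up world-readable: follow the `openssl` line with `chmod 0600 /etc/ssl/private/servnest.key` (recent OpenSSL releases create `-keyout` files 0600, older ones honoured only the umask). If the placeholder is meant to be usable for local testing, add `-addext 'subjectAltName=DNS:servnest.test'`, since browsers ignore the CN and reject certificates without a SAN.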


@ -0,0 +1,9 @@
# Required by PHP-FPM
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
# Required by ServNest
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param SERVER_NAME $server_name;
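Review bot: The trimmed parameter list no longer passes `QUERY_STRING`, `REMOTE_ADDR`, `SCRIPT_NAME` or `SERVER_PROTOCOL`, and the two `# Required by` comments do not say whether that is deliberate, so the next maintainer cannot tell whether an empty `$_GET` or a client address invisible to PHP is a bug or a privacy choice. Presumably the router reconstructs what it needs from `REQUEST_URI` and the address is withheld on purpose (the nginx log map in this commit also avoids logging cookie-bearing requests), but please state it: `# Deliberately omitted: QUERY_STRING (router parses REQUEST_URI) and REMOTE_ADDR (client addresses are not exposed to PHP)`. If `$_GET` is used anywhere in the PHP code, `fastcgi_param QUERY_STRING $query_string;` has to come back.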


@ -0,0 +1,3 @@
# This configuration file is included by dedicated Onion sites created by ServNest
include inc/ht.conf;


@ -0,0 +1,4 @@
# This configuration file is included by dedicated DNS and TLS sites created by ServNest
include inc/ht.conf;
include inc/tls.conf;


@ -1,8 +1,7 @@
more_set_headers "Content-Security-Policy : default-src 'none'; style-src 'self' 'unsafe-inline' data:; img-src 'self' data:; font-src 'self' data:; media-src 'self' data:; frame-ancestors 'none'; form-action 'none';";
location / {
index index.html index.md index.gmi;
try_files $uri $uri/ =404;
try_files $uri $uri/index.html $uri/index.md $uri/index.gmi =404;
}
include inc/errors.conf;
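Review bot: The new `try_files` line serves `index.md` and `index.gmi` out of a tree that SFTP users write to (`/srv/servnest/ht` is group-writable by `sftpgo` in `install/permissions.sh`), and nginx sends `.gmi` with `default_type` unless `mime.types` maps it, which is usually `application/octet-stream` — fine for a download, surprising for a landing page. The `Content-Security-Policy` line just above is worth a second look at the same time: the header name is written as `Content-Security-Policy :` with a space before the colon, and if headers-more does not trim it the browser receives an unknown header and the policy never applies; `curl -sI` against a test site confirms either way, and dropping the space costs nothing. Unless it is already set globally in `nginx.conf`, a `more_set_headers "X-Content-Type-Options: nosniff";` next to the CSP stops browsers from sniffing uploaded text into HTML.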


@ -27,8 +27,8 @@ http {
# Logging
map $http_cookie $loggable {
"" 0;
default 1;
"" 0;
default 1;
}
log_format servnest '|$time_local| [$remote_addr]@$server_name {$ssl_protocol $ssl_cipher} $status $body_bytes_sent "$request" "$http_user_agent"';
error_log /var/log/nginx/error.log notice;


@ -1,3 +1,5 @@
# This server block is reached only if no other server block can match, and displays some explanations
server {
listen [::1]:42443 ssl http2 default_server;
listen 127.0.0.1:42443 ssl http2 default_server;


@ -1,3 +1,5 @@
# This server block should listen on port 80 to warn users they tried to make an unsecure connection
server {
listen [::1]:42080 default_server;
listen 127.0.0.1:42080 default_server;


@ -1,3 +1,5 @@
# This server block is the publicly exposed ServNest control interface
server {
listen [::1]:42443 ssl http2;
listen 127.0.0.1:42443 ssl http2;
@ -10,6 +12,7 @@ server {
more_set_headers "Content-Security-Policy : default-src 'none'; style-src 'self'; frame-ancestors 'none'; form-action 'self';";
# Main ServNest interface
location / {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/run/php-fpm/servnest.sock;
@ -17,6 +20,7 @@ server {
try_files /router.php =500;
}
# The router doesn't manage CSS files
location /css {
alias /srv/servnest/core/css;
}
@ -25,6 +29,7 @@ server {
alias /srv/servnest/docs;
}
# For a public server, these should point to a Let's Encrypt-trusted key pair
ssl_certificate /etc/ssl/certs/servnest.crt;
ssl_certificate_key /etc/ssl/private/servnest.key;
}


@ -1,5 +1,7 @@
# This server block and the PHP script it maps make ServNest authentication available to the SFTPGo external authenticator
server {
listen [::1]:8055;
listen [::1]:8055; # It's meant to stay a private IP
root /srv/servnest/core;
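Review bot: The comment added on the `listen [::1]:8055;` line says the address is meant to stay private, but loopback is the only control: any local process, including the PHP pool and the `sftpgo` user, can reach this plaintext endpoint without credentials, so it doubles as a local password-check oracle if the mapped script validates ServNest credentials (the file's first comment suggests it does; the PHP side is not in this diff). If SFTPGo is the only intended caller, have the hook send a shared secret in a header that the script checks, or at least put a `limit_req` zone on this block. The comment itself would be clearer as `# Loopback only: SFTPGo's external-auth hook calls http://[::1]:8055; never bind this on a public address`.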


@ -1,3 +1,5 @@
# Maps subdomain to filesystem subpath
server {
listen [::1]:42443 ssl http2;
listen 127.0.0.1:42443 ssl http2;


@ -1,3 +1,5 @@
# Maps HTTP subpath to filesystem subpath
server {
listen [::1]:42443 ssl http2;
listen 127.0.0.1:42443 ssl http2;

35
install/permissions.sh Normal file

@ -0,0 +1,35 @@
#!/usr/bin/bash
# We need servnest to be allowed to configure Knot
usermod -aG $knot $servnest # Add user servnest to group knot
chown -R $knot: /var/lib/knot/confdb
chmod -R u=rwX,g=rwX,o= /var/lib/knot/confdb
chown -R $knot: /var/log/knot
chmod -R u=rwX,g=,o= /var/log/knot
chown -R $servnest:$knot /srv/servnest/ns
chmod -R u=rwX,g=rwX,o= /srv/servnest/ns
chown -R $servnest:$knot /srv/servnest/reg
chmod -R u=rwX,g=rwX,o= /srv/servnest/reg
chown -R $servnest:$nginx /srv/servnest/nginx /srv/servnest/subpath /srv/servnest/subdomain
chmod -R u=rwX,g=rX,o= /srv/servnest/nginx /srv/servnest/subpath /srv/servnest/subdomain
usermod -aG $sftpgo $servnest
chown -R $nginx:$sftpgo /srv/servnest/ht
chmod -R u=rX,g=rwX,o= /srv/servnest/ht
chown -R $sftpgo: /etc/sftpgo
chmod -R u=rX,g=rX,o= /etc/sftpgo
chmod u=r,g=,o= /etc/sftpgo/ed25519
chown -R $servnest:$tor /srv/servnest/tor-config
chmod -R u=rwX,g=rX,o= /srv/servnest/tor-config
chown -R $tor: /srv/servnest/tor-keys
chmod -R u=rwX,g=,o= /srv/servnest/tor-keys
chown -R $servnest:$nginx /srv/servnest/core /srv/servnest/errors
chmod -R u=rX,g=rX,o= /srv/servnest/core /srv/servnest/errors
chown -R $servnest: /srv/servnest/core/db
chmod -R u=rwX,g=,o= /srv/servnest/core/db
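Review bot: The web user ends up with direct write access to Knot's configuration database: `usermod -aG $knot $servnest` plus `chmod -R u=rwX,g=rwX,o= /var/lib/knot/confdb` lets a compromised PHP process rewrite the whole Knot configuration (remotes, ACLs, zone file paths) with whatever `knotd` can then do, not merely add zones. If the application only needs to create and remove zones, driving `knotc conf-begin`/`conf-set`/`conf-commit` over the control socket through a narrow sudoers rule is a smaller grant than group-write on the database files; if direct access is a deliberate trade-off, say so in the comment on the first line. Separately, every `chown` expands unquoted environment variables with no guard, so running this script outside `install.sh` turns `chown -R $tor: …` into `chown -R : …` and carries on past the error; add `set -eu` and `: "${knot:?}" "${servnest:?}" "${nginx:?}" "${sftpgo:?}" "${tor:?}"` at the top. The `usermod -aG $sftpgo $servnest` line also deserves a comment, since together with `g=rwX` on `/srv/servnest/ht` it gives PHP write access to every SFTP user's files, presumably to create their home directories.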


@ -1,3 +1,5 @@
; https://www.php.net/manual/install.fpm.configuration.php
[servnest]
user = $pool

14
install/php.ini Normal file

@ -0,0 +1,14 @@
extension = pdo
extension = pdo_sqlite
extension = sodium
extension = gettext
expose_php = Off
zend_extension = opcache
opcache.jit_buffer_size = 32M
output_buffering = 4096
short_open_tag = Off
; Set this to Off for a public setup
display_errors = On
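Review bot: `display_errors = On` ships an insecure default behind a comment asking operators to flip it; a forgotten edit leaks file paths, SQL and stack traces to anonymous visitors of the control interface. Invert it so the shipped image is safe and a developer has to opt in: `display_errors = Off` with `log_errors = On` (errors still reach the FPM log if the pool keeps `catch_workers_output = yes` as the previous pool file had), and change the comment to `; Set display_errors = On only on a development image`. Because `install/php.sh` deletes the distribution's php.ini, every directive not listed here falls back to PHP's compiled-in defaults rather than php.ini-production values, which is worth stating at the top of this file so nobody assumes the Debian defaults still apply.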

18
install/php.sh Normal file

@ -0,0 +1,18 @@
#!/usr/bin/bash
rm -r /etc/php/*
cp /install/php-fpm.conf /etc/php/
export PHP_INI=/etc/php/php.ini
if [[ $OS = "debian" ]]; then
mkdir -p /etc/php/8.2/fpm/
mv /etc/php/php-fpm.conf /etc/php/8.2/fpm/
export PHP_INI=/etc/php/8.2/fpm/php.ini
fi
cp /install/php.ini $PHP_INI
# For systemd
mkdir /etc/systemd/system/php-fpm.service.d
cp /install/php-fpm.service.override.conf /etc/systemd/system/php-fpm.service.d/
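Review bot: The Debian branch hard-codes `/etc/php/8.2/fpm/`, and with no `set -e` a different PHP version makes the `mkdir -p`/`mv` pair succeed in populating a directory php-fpm never reads while `rm -r /etc/php/*` has already deleted the directory it does read, so the build passes and php-fpm fails at boot. Derive the path once, e.g. `phpver=$(php -r 'echo PHP_MAJOR_VERSION.".".PHP_MINOR_VERSION;')` and `export PHP_INI=/etc/php/$phpver/fpm/php.ini`, and exit if `php` itself is missing. The `rm -r /etc/php/*` also discards Debian's `conf.d/` extension snippets, which is presumably why `install/php.ini` lists extensions explicitly; a comment on the `rm` line saying so would keep the two files in step.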

9
install/servnest.sh Normal file

@ -0,0 +1,9 @@
#!/usr/bin/bash
# Create database
sqlite3 /srv/servnest/core/db/servnest.db < /srv/servnest/core/db/schema.sql
sqlite3 /srv/servnest/core/db/servnest.db <<< "UPDATE params SET value = '$(openssl rand -hex 16)' WHERE name = 'username_salt';"
# Create translation Machine Objects files
msgfmt /srv/servnest/core/locales/fr/C/LC_MESSAGES/messages.po -o /srv/servnest/core/locales/fr/C/LC_MESSAGES/messages.mo
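Review bot: The `username_salt` update on the second `sqlite3` line never checks that `openssl rand` produced anything: without `set -e`/`pipefail`, a missing or failing `openssl` expands to an empty string and the database is committed with `username_salt = ''`, which the application would then use as a real salt. Generate it into a variable and assert its length before running the UPDATE, e.g. `salt=$(openssl rand -hex 16)` followed by `[[ ${#salt} -eq 32 ]] || { echo 'salt generation failed' >&2; exit 1; }`; since the value is hex it is safe to interpolate into the SQL, which deserves a comment because it reads as string-built SQL. If `schema.sql` uses plain `CREATE TABLE`, re-running the installer also fails the import but still rewrites the salt of a populated database, so guard the pair with `[[ ! -e /srv/servnest/core/db/servnest.db ]]` or accept that in a comment.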

21
install/sftpgo.sh Normal file

@ -0,0 +1,21 @@
#!/usr/bin/bash
chmod +x /usr/local/bin/sftpgo
mkdir /etc/sftpgo
# Generate SFTPGo key pair
ssh-keygen -f /etc/sftpgo/ed25519 -t ed25519 -N "" -C ""
# Generate fingerprints
fp=($(ssh-keygen -l -f /etc/sftpgo/ed25519))
echo ${fp[1]} > /etc/sftpgo/ed25519.fp
ssh-keygen -lv -f /etc/sftpgo/ed25519 | tail -n +2 > /etc/sftpgo/ed25519.asciiart
# Generate SSHFP record
echo ht.servnest.test. 86400 SSHFP 4 2 $(cut -d ' ' -f 2 /etc/sftpgo/ed25519.pub | base64 -d | sha256sum | cut -d ' ' -f 1) >> /srv/servnest/reg/servnest.test.zone
cp /install/sftpgo.toml /etc/sftpgo/
touch /etc/sftpgo/banner.txt
# For systemd
cp /install/sftpgo.service /etc/systemd/system/
systemctl enable sftpgo
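Review bot: The SSHFP line is appended to the zone file unconditionally, and nothing in its pipeline is checked: if `ssh-keygen` above failed, `cut`/`base64 -d`/`sha256sum` still yield the SHA-256 of empty input, a syntactically valid but wrong `SSHFP 4 2` record lands in `servnest.test.zone`, and a second run appends a duplicate. Add `set -euo pipefail` after the shebang and compute the digest into a variable with a length check (`[[ ${#digest} -eq 64 ]]`) before the `echo … >>`. The owner name `ht.servnest.test.` and TTL are hard-coded while `mkosi.conf` sets `Hostname = servnest.test`; a comment saying the record must match the zone the SFTP host is published under will help whoever renames the image.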

3
install/sudo.sh Normal file

@ -0,0 +1,3 @@
#!/usr/bin/bash
cp /install/sudoers /etc/sudoers.d/servnest
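Review bot: `cp /install/sudoers /etc/sudoers.d/servnest` gives the drop-in the source file's mode minus umask, not the root-owned 0440 sudo expects, and depending on the sudo version a 0644 drop-in is either ignored with a warning or makes every `sudo` call fail — in both cases ServNest's `sudo -u` calls to Knot and Tor break at runtime rather than at build time. Use `install -o root -g root -m 0440 /install/sudoers /etc/sudoers.d/servnest` and then `visudo -cf /etc/sudoers.d/servnest || exit 1` so a syntax error fails the image build; since `install/tor.sh` later rewrites the file with `sed -i`, repeat the `visudo -cf` check there.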

14
install/tor.sh Normal file

@ -0,0 +1,14 @@
rm -r /etc/tor/*
cp /install/torrc /etc/tor/
mkdir /etc/systemd/system/tor.service.d
cp /install/tor.service.override.conf /etc/systemd/system/tor.service.d/
if [[ $OS = "debian" ]]; then
mv /etc/systemd/system/tor.service.d/ /etc/systemd/system/tor@default.service.d/
sed -i 's/User tor/User debian-tor/' /etc/tor/torrc
sed -i 's/reload tor/reload tor@default/' /etc/sudoers.d/servnest
sed -i 's/ALL=(tor)/ALL=(debian-tor)/' /etc/sudoers.d/servnest
sed -i 's/systemctl reload tor"/systemctl reload tor@default"/' /srv/servnest/core/config.ini
sed -i 's/tor_user = "tor"/tor_user = "debian-tor"/' /srv/servnest/core/config.ini
fi
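Review bot: The Debian branch rewrites `/etc/sudoers.d/servnest` and `config.ini` with `sed -i` substitutions that silently do nothing when a pattern no longer matches, so a small edit to the sudoers template or to `config.ini` leaves the image granting `sudo` to a nonexistent `tor` user and the app reloading the wrong unit, with no error at build time. Since `install.sh` already exports `$tor` with the right name per distribution, render the user name from that variable instead of patching literals afterwards (a `sed "s/@TOR_USER@/$tor/"` over a template, or `envsubst`), and follow each remaining `sed -i` with a `grep -q` on the expected result. This file also has no shebang and no `set -e`, unlike its siblings; for a sourced file a leading `# Sourced from install.sh; expects $OS and $tor` comment is the minimum.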


@ -2,7 +2,4 @@ User tor
SocksPort 0
DataDirectory /var/lib/tor
HiddenServiceNonAnonymousMode 1
HiddenServiceSingleHopMode 1
%include /srv/servnest/tor-config/*
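Review bot: `%include /srv/servnest/tor-config/*` hands Tor every directive in files the `servnest` user owns and writes (`chown -R $servnest:$tor /srv/servnest/tor-config` in `install/permissions.sh`), and Tor does not restrict what an included file may set, so a compromised web process can add any torrc option Tor accepts — including ones that make Tor write files or spawn helpers as the `tor` user, such as `ClientTransportPlugin … exec` — rather than only `HiddenServiceDir`/`HiddenServicePort` lines. If the app only needs to create onion services, doing it over the control port with `ADD_ONION` (a `ControlSocket` group-restricted to `servnest`, cookie authentication) avoids giving it configuration-write access; if `%include` is kept, document that trust boundary in a comment above the line.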


@ -6,6 +6,9 @@ Format = directory
Hostname = servnest.test
[Content]
RemoveFiles = /.git,/.gitignore,/mkosi.*,/*.md
Cache = ../mkosi.cache/
ExtraTree = ./
BasePackages = yes
WithDocs = yes
WithNetwork = yes
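Review bot: `RemoveFiles = /.git,/.gitignore,/mkosi.*,/*.md` matches only the repository root, so the `.git` gitfiles of the two submodules added in this commit (`srv/servnest/core`, `srv/servnest/docs`) and `.gitmodules` ship in the image, and so does `/install` with the sudoers template and the Knot, PHP and nginx configuration after they have been copied into place. Extend the list, e.g. `RemoveFiles = /.git,/.gitignore,/.gitmodules,/mkosi.*,/*.md,/srv/servnest/*/.git`, and add `/install` only if your mkosi version applies the removal after the postinst script has run; if it runs earlier, have the postinst `rm -r /install` as its last step instead. With `ExtraTree = ./` copying the whole checkout, anything else in the tree that should not ship needs the same treatment.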


@ -1,3 +0,0 @@
deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bullseye main
deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bullseye-backports main
deb tor+http://5ajw6aqf3ep7sijnscdzw77t7xq4xjpsy335yb2wiwgouo7yfxtjlmid.onion/debian-security bullseye-security main


@ -1,26 +0,0 @@
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param REQUEST_SCHEME $scheme;
fastcgi_param HTTPS $https if_not_empty;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;


@ -1 +0,0 @@
include inc/ht.conf;


@ -1,2 +0,0 @@
include inc/ht.conf;
include inc/tls.conf;


@ -1,3 +0,0 @@
[global]
include = /etc/php/php-fpm.d/*.conf


@ -1,24 +0,0 @@
[servnest]
user = $pool
group = knot
listen = /run/php-fpm/$pool.sock
listen.owner = nginx
listen.group = nginx
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
access.log = /var/log/php/$pool-access.log
catch_workers_output = yes
decorate_workers_output = yes
clear_env = yes
security.limit_extensions = .php


@ -1 +0,0 @@
d /run/php-fpm 755 nginx nginx


@ -1,93 +1,14 @@
#!/usr/bin/bash
source /etc/os-release
export OS=$ID
# Create system users
useradd -U -r -s /usr/sbin/nologin nginx
useradd -U -r -s /usr/sbin/nologin servnest
useradd -U -r -s /usr/sbin/nologin sftpgo
# Generate OpenSSH server key pair
ssh-keygen -f /etc/ssh/ed25519 -t ed25519 -N ""
ssh-keygen -lvf /etc/ssh/ed25519 > /etc/ssh/ed25519.fp
# Set proper permissions
source /install/install.sh
chown -R knot:knot /var/lib/knot/confdb
chmod -R u=rwX,g=rwX,o= /var/lib/knot/confdb
usermod -aG knot servnest
chown -R knot:knot /var/log/knot
chmod -R u=rwX,g=,o= /var/log/knot
chown -R servnest:knot /srv/servnest/ns
chmod -R u=rwX,g=rwX,o= /srv/servnest/ns
chown -R servnest:knot /srv/servnest/reg
chmod -R u=rwX,g=rwX,o= /srv/servnest/reg
chown -R servnest:nginx /srv/servnest/nginx /srv/servnest/subpath /srv/servnest/subdomain
chmod -R u=rwX,g=rX,o= /srv/servnest/nginx /srv/servnest/subpath /srv/servnest/subdomain
chown -R sftpgo:sftpgo /etc/sftpgo
chmod -R u=rX,g=rX,o=rX /etc/sftpgo
chmod u=r,g=,o= /etc/sftpgo/ed25519
chown -R servnest:sftpgo /srv/servnest/ht
chmod -R u=rwX,g=rwX,o=rX /srv/servnest/ht
if [[ $ID = "debian" ]]; then
chown -R servnest:debian-tor /srv/servnest/tor-config
chown -R debian-tor:debian-tor /srv/servnest/tor-keys
else
chown -R servnest:tor /srv/servnest/tor-config
chown -R tor:tor /srv/servnest/tor-keys
fi
chmod -R u=rwX,g=rX,o= /srv/servnest/tor-config
chmod -R u=rwX,g=,o= /srv/servnest/tor-keys
chown -R servnest:nginx /srv/servnest/core /srv/servnest/errors
chmod -R u=rX,g=rX,o= /srv/servnest/core /srv/servnest/errors
chown -R servnest:servnest /srv/servnest/core/db
chmod -R u=rwX,g=,o= /srv/servnest/core/db
# Load configuration in Knot database
sudo -u knot knotc conf-import /etc/knot/knot.conf
# PHP paths unification across distributions
export PHP_INI=/etc/php/php.ini
if [[ $ID = "debian" ]]; then
rm /etc/php/8.2/fpm/php-fpm.conf
ln -s /etc/php/php-fpm.conf /etc/php/8.2/fpm/php-fpm.conf
ln -s /etc/php/php-fpm.d/ /etc/php/8.2/fpm/pool.d
export PHP_INI=/etc/php/8.2/fpm/php.ini
fi
# Configure PHP-FPM properly
cat >> $PHP_INI << EOF
expose_php = Off
display_errors = On
extension = pdo_sqlite
extension = sodium
extension = gettext
zend_extension = opcache
opcache.jit_buffer_size = 32M
EOF
# Configure Tor
if [[ $ID = "debian" ]]; then
mv /etc/systemd/system/tor.service.d/ /etc/systemd/system/tor@default.service.d/
sed -i 's/User tor/User debian-tor/' /etc/tor/torrc
sed -i 's/reload tor/reload tor@default/' /etc/sudoers.d/servnest
sed -i 's/ALL=(tor)/ALL=(debian-tor)/' /etc/sudoers.d/servnest
sed -i 's/systemctl reload tor"/systemctl reload tor@default"/' /srv/servnest/core/config.ini
sed -i 's/tor_user = "tor"/tor_user = "debian-tor"/' /srv/servnest/core/config.ini
fi
# Start SystemD services at startup
systemctl enable sftpgo
if [[ $ID = "arch" ]]; then
if [[ $OS = "arch" ]]; then
systemctl enable sshd
systemctl enable knot
systemctl enable nginx
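Review bot: `export OS=$ID` together with the `[[ $OS = "debian" ]]` / `[[ $OS = "arch" ]]` tests here and in the sourced installers means any other distribution (including Debian derivatives, where `ID=ubuntu` and `ID_LIKE=debian`) silently takes the non-Debian branches: the Tor user stays `tor`, PHP paths are wrong and no service is enabled, yet the build succeeds. Fail fast right after the export: `[[ $OS == debian || $OS == arch ]] || { echo "unsupported OS: $OS" >&2; exit 1; }`, mapping `${ID_LIKE:-}` first if derivatives are meant to work. Because `install.sh` is sourced rather than executed so that its `export`s reach this shell, a one-line comment above `source /install/install.sh` saying so would stop someone "fixing" it into a plain invocation.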


@ -1,40 +0,0 @@
#!/usr/bin/bash
source /etc/os-release
chmod +x /usr/local/bin/sftpgo
# Clear configuration (will be filled with mkosi.extra/)
rm -r /etc/nginx/*
rm -r /etc/ssh/*
rm /etc/tor/torrc
if [[ $ID = "debian" ]]; then
rm -r /etc/php/8.2/fpm/pool.d
rm /usr/lib/tmpfiles.d/php8.2-fpm.conf
fi
if [[ $ID = "arch" ]]; then
rm /etc/php/php-fpm.d/*
fi
# Generate default self-signed TLS key pair
openssl req -subj '/' -new -newkey RSA:3072 -days 3650 -nodes -x509 -keyout /etc/ssl/private/servnest.key -out /etc/ssl/certs/servnest.crt
# Generate OpenSSH server key pair
ssh-keygen -f /etc/ssh/ed25519 -t ed25519 -N ""
ssh-keygen -lvf /etc/ssh/ed25519 > /etc/ssh/ed25519.fp
# Generate SFTPGo key pair
ssh-keygen -f /etc/sftpgo/ed25519 -t ed25519 -N "" -C ""
# Generate fingerprints
fp=($(ssh-keygen -l -f /etc/sftpgo/ed25519))
echo ${fp[1]} > /etc/sftpgo/ed25519.fp
ssh-keygen -lv -f /etc/sftpgo/ed25519 | tail -n +2 > /etc/sftpgo/ed25519.asciiart
# Generate SSHFP record
echo ht.servnest.test. 86400 SSHFP 4 2 $(cut -d ' ' -f 2 /etc/sftpgo/ed25519.pub | base64 -d | sha256sum | cut -d ' ' -f 1) >> /srv/servnest/reg/servnest.test.zone
# Create database
sqlite3 /srv/servnest/core/db/servnest.db < /srv/servnest/core/db/schema.sql
sqlite3 /srv/servnest/core/db/servnest.db <<< "UPDATE params SET value = '$(openssl rand -hex 16)' WHERE name = 'username_salt';"
# Create translation Machine Objects files
msgfmt /srv/servnest/core/locales/fr/C/LC_MESSAGES/messages.po -o /srv/servnest/core/locales/fr/C/LC_MESSAGES/messages.mo


@ -1,3 +0,0 @@
d /run/servnest 0555 root root - -
d /run/knot 0755 knot knot - -
d /var/lib/knot 0770 knot knot - -

6
mkosi.skeleton/root/sftpgo.sh → root/sftpgo.sh Executable file → Normal file

@ -1,12 +1,12 @@
#!/usr/bin/bash
source /etc/os-release
export GO=/usr/bin/go
if [[ $ID = "debian" ]]; then
if [[ $OS = "debian" ]]; then
export GO=/usr/lib/go-1.19/bin/go
fi
git clone https://github.com/drakkan/sftpgo /root/sftpgo-src
cd /root/sftpgo-src
git checkout v2.4.0
git checkout $(git tag | tail -n 1)
$GO build -o /usr/local/bin/sftpgo
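Review bot: `git checkout $(git tag | tail -n 1)` replaces the pinned `v2.4.0` with whatever sorts last in `git tag`'s plain lexical order, which is neither the newest release (`v2.10.0` sorts before `v2.4.0`) nor reproducible, and nothing verifies what gets built, so a compromised or force-pushed tag upstream goes straight into `/usr/local/bin/sftpgo`, a network-facing service binary. Pin the tag and the commit it resolved to when you chose it, and refuse to build on a mismatch; `git tag --sort=-v:refname | head -n1` is the right query if "latest" is really wanted, but it still needs the verification step. The file also loses its executable bit in this commit (`Executable file → Normal file`); if anything invokes it directly rather than via `bash`, that will fail.
```shell
# Pin the release and the commit it pointed at when the pin was chosen; refuse to build anything else
sftpgo_version=v2.4.0
sftpgo_commit='<full commit id of the pinned tag>'
git -c advice.detachedHead=false checkout "refs/tags/$sftpgo_version"
[[ "$(git rev-parse HEAD)" == "$sftpgo_commit" ]] || { echo "sftpgo tag $sftpgo_version does not match pinned commit" >&2; exit 1; }
# … unchanged: $GO build …
```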

1
srv/servnest/core Submodule

@ -0,0 +1 @@
Subproject commit ac6d311ada4cbc0557d1c56bd61d81a543d7f767

1
srv/servnest/docs Submodule

@ -0,0 +1 @@
Subproject commit fbe714909c09701253c3f7e6254a2fab42b35161


@ -0,0 +1 @@