Add sudoers.d/niver, among other things
This commit is contained in:
parent
35acb4920e
commit
37426f3fc1
|
@ -1,23 +1,22 @@
|
|||
# Configuration export (Knot DNS 3.1.7)
|
||||
|
||||
server:
|
||||
version: "Knot"
|
||||
nsid: "Niver"
|
||||
rundir: "/run/knot"
|
||||
user: "knot:knot"
|
||||
listen: [ "::@42053", "0.0.0.0@42053" ]
|
||||
version: "Knot"
|
||||
nsid: "Niver"
|
||||
rundir: "/run/knot"
|
||||
user: "knot:knot"
|
||||
listen: [ "::1@42053", "127.0.0.1@42053" ]
|
||||
|
||||
log:
|
||||
- target: "/var/log/knot/knot.log"
|
||||
any: "debug"
|
||||
|
||||
database:
|
||||
storage: "/var/lib/knot"
|
||||
storage: "/var/lib/knot"
|
||||
|
||||
policy:
|
||||
- id: "niver"
|
||||
algorithm: "ed25519"
|
||||
nsec3: "on"
|
||||
nsec3-iterations: 10
|
||||
|
||||
template:
|
||||
- id: "niver"
|
||||
|
|
|
@ -4,7 +4,6 @@ server {
|
|||
|
||||
ssl_certificate /etc/ssl/certs/niver.crt;
|
||||
ssl_certificate_key /etc/ssl/private/niver.key;
|
||||
#ssl_stapling off;
|
||||
|
||||
root /srv/php/errors;
|
||||
try_files index.php index.html $uri $uri/;
|
||||
|
|
|
@ -2,7 +2,9 @@ server {
|
|||
listen [::1]:42080 default_server;
|
||||
listen 127.0.0.1:42080 default_server;
|
||||
|
||||
return 403; # Don't allow unsecure HTTP requests
|
||||
location / {
|
||||
return 403; # Don't allow unsecure HTTP requests
|
||||
}
|
||||
|
||||
# Display an explanation page
|
||||
error_page 403 @http403;
|
||||
|
@ -14,4 +16,8 @@ server {
|
|||
fastcgi_pass unix:/run/php-fpm/errors.sock;
|
||||
include inc/fastcgi.conf;
|
||||
}
|
||||
|
||||
location /.well-known/acme-challenge {
|
||||
alias /srv/acme/;
|
||||
}
|
||||
}
|
||||
|
|
|
@ -13,14 +13,6 @@ server {
|
|||
more_set_headers "Referrer-Policy : same-origin";
|
||||
more_set_headers "Content-Security-Policy : default-src 'none'; style-src 'self'; frame-ancestors 'none'; form-action 'self';";
|
||||
|
||||
location ~ ^/iquane/(db|less|lessphp|inc|niver.log) {
|
||||
return 403;
|
||||
}
|
||||
|
||||
location ~ \.inc.php$ {
|
||||
return 403;
|
||||
}
|
||||
|
||||
location ~ \.php$ {
|
||||
fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
||||
fastcgi_pass unix:/run/php-fpm/niver.sock;
|
||||
|
|
|
@ -0,0 +1,3 @@
|
|||
[global]
|
||||
|
||||
include = /etc/php/php-fpm.d/*.conf
|
|
@ -16,8 +16,8 @@ pm.max_spare_servers = 3
|
|||
|
||||
access.log = /var/log/php/$pool-access.log
|
||||
|
||||
;chroot = /srv/php/errors
|
||||
chdir = /srv/php/errors
|
||||
;chroot = /srv/php/$pool
|
||||
chdir = /srv/php/$pool
|
||||
|
||||
catch_workers_output = yes
|
||||
decorate_workers_output = yes
|
||||
|
|
|
@ -6,8 +6,8 @@ UsePAM yes
|
|||
# Network
|
||||
|
||||
AddressFamily any
|
||||
ListenAddress [::]
|
||||
ListenAddress 0.0.0.0
|
||||
ListenAddress [::1]
|
||||
ListenAddress 127.0.0.1
|
||||
Port 42022
|
||||
|
||||
# Cryptography
|
||||
|
|
|
@ -0,0 +1 @@
|
|||
php-niver ALL= NOPASSWD: /usr/bin/systemctl reload nginx,/usr/bin/systemctl reload tor@niver
|
|
@ -0,0 +1 @@
|
|||
d /run/php-fpm 755 nginx nginx
|
|
@ -1,7 +1,72 @@
|
|||
#!/usr/bin/bash
|
||||
|
||||
source /etc/os-release
|
||||
|
||||
# Create system users
|
||||
useradd -U -r -s /usr/sbin/nologin nginx
|
||||
useradd -U -r -s /usr/sbin/nologin php-niver
|
||||
useradd -U -r -s /usr/sbin/nologin php-errors
|
||||
useradd -U -r -s /usr/sbin/nologin sftpgo
|
||||
|
||||
# Set proper permissions
|
||||
|
||||
chmod 770 /var/lib/knot
|
||||
chmod -R g+w /var/lib/knot/confdb
|
||||
usermod -aG knot php-niver
|
||||
|
||||
chown -R knot:knot /var/log/knot
|
||||
chmod -R 700 /var/log/knot
|
||||
|
||||
chown -R php-niver:knot /srv/ns
|
||||
chmod -R 770 /srv/ns
|
||||
|
||||
chown -R php-niver:php-niver /etc/nginx/ht
|
||||
|
||||
chown -R sftpgo:sftpgo /etc/sftpgo
|
||||
chmod -R u=rwX,g=,o= /etc/sftpgo
|
||||
|
||||
chown -R sftpgo:php-niver /srv/ht
|
||||
chmod -R u=rwX,g=rwX,o=rX /srv/ht
|
||||
|
||||
chmod 555 /srv/php
|
||||
|
||||
chown -R php-errors:nginx /srv/php/errors
|
||||
chmod -R 550 /srv/php/errors
|
||||
|
||||
chown -R php-niver:nginx /srv/php/niver
|
||||
chmod -R u=rX,g=rX,o=X /srv/php/niver
|
||||
chmod -R 750 /srv/php/niver/public/css/
|
||||
chmod -R 700 /srv/php/niver/db
|
||||
chmod -R 600 /srv/php/niver/niver.log
|
||||
chown sftpgo:sftpgo /srv/php/niver/sftpgo-auth.php
|
||||
chmod -R u=rx,g=rx,o= /srv/php/niver/sftpgo-auth.php
|
||||
chown sftpgo:sftpgo /srv/php/niver/auth.log
|
||||
chmod -R u=rw,g=rw,o= /srv/php/niver/auth.log
|
||||
|
||||
# Load configuration in Knot database
|
||||
systemctl stop knot
|
||||
sudo -u knot knotc conf-import /etc/knot/knot.conf
|
||||
systemctl start knot
|
||||
|
||||
export PHP_INI=/etc/php/php.ini
|
||||
|
||||
if [[ $ID = "debian" ]]; then
|
||||
rm /etc/php/7.4/fpm/php-fpm.conf
|
||||
ln -s /etc/php/php-fpm.conf /etc/php/7.4/fpm/php-fpm.conf
|
||||
ln -s /etc/php/php-fpm.d/ /etc/php/7.4/fpm/pool.d
|
||||
|
||||
export PHP_INI=/etc/php/7.4/fpm/php.ini
|
||||
fi
|
||||
|
||||
# Configure PHP-FPM properly
|
||||
|
||||
cat >> $PHP_INI << EOF
|
||||
expose_php = Off
|
||||
display_errors = On
|
||||
extension = pdo_sqlite
|
||||
EOF
|
||||
|
||||
systemctl enable sftpgo
|
||||
|
||||
if [[ $ID = "arch" ]]; then
|
||||
systemctl enable sshd
|
||||
systemctl enable knot
|
||||
|
|
|
@ -1,43 +1,16 @@
|
|||
#!/usr/bin/bash
|
||||
source /etc/os-release
|
||||
|
||||
# Clean configuration directories (will be filled with mkosi.extra/)
|
||||
rm -r /etc/nginx/*
|
||||
rm -r /etc/ssh/*
|
||||
source /etc/os-release
|
||||
if [[ $ID = "debian" ]]; then
|
||||
rm -r /etc/php/7.4/fpm/pool.d/*
|
||||
rm -r /etc/php/7.4/fpm/pool.d
|
||||
rm /usr/lib/tmpfiles.d/php7.4-fpm.conf
|
||||
fi
|
||||
if [[ $ID = "arch" ]]; then
|
||||
rm /etc/php/php-fpm.d/*
|
||||
fi
|
||||
|
||||
# Create system users
|
||||
useradd -U -r -s /usr/sbin/nologin nginx
|
||||
useradd -U -r -s /usr/sbin/nologin php-niver
|
||||
useradd -U -r -s /usr/sbin/nologin php-errors
|
||||
useradd -U -r -s /usr/sbin/nologin sftpgo
|
||||
|
||||
# Set proper permissions
|
||||
|
||||
chown -R knot:knot /var/log/knot
|
||||
chmod -R 700 /var/log/knot
|
||||
|
||||
chown -R knot:php-niver /srv/ns
|
||||
chmod -R 770 /srv/ns
|
||||
|
||||
chown -R php-niver:nginx /srv/ht
|
||||
chmod -R 740 /srv/ht
|
||||
|
||||
chown -R php-niver:nginx /srv/php/niver/public/css/
|
||||
chmod -R 750 /srv/php/niver/public/css/
|
||||
|
||||
chown -R php-niver:php-niver /srv/php/niver/db
|
||||
chmod -R 700 /srv/php/niver/db
|
||||
|
||||
chown -R php-niver:php-niver /srv/php/niver/niver.log
|
||||
chmod -R 600 /srv/php/niver/niver.log
|
||||
|
||||
# Load configuration in Knot database
|
||||
systemctl stop knot
|
||||
sudo -u knot knotc conf-import /etc/knot/knot.conf
|
||||
systemctl start knot
|
||||
|
||||
# Generate default self-signed TLS key pair
|
||||
openssl req -subj '/' -new -newkey RSA:3072 -days 3650 -nodes -x509 -keyout /etc/ssl/private/niver.key -out /etc/ssl/certs/niver.crt
|
||||
|
@ -45,7 +18,3 @@ openssl req -subj '/' -new -newkey RSA:3072 -days 3650 -nodes -x509 -keyout /etc
|
|||
# Generate SSH server key pair
|
||||
ssh-keygen -f /etc/ssh/ed25519 -t ed25519 -N ""
|
||||
ssh-keygen -lvf /etc/ssh/ed25519 > /etc/ssh/ed25519.fp
|
||||
|
||||
# Configure PHP-FPM properly
|
||||
echo "display_errors = On" >> /etc/php/php.ini
|
||||
echo "extension = pdo_sqlite" >> /etc/php/php.ini
|
||||
|
|
|
@ -0,0 +1,291 @@
|
|||
{
|
||||
"common": {
|
||||
"idle_timeout": 15,
|
||||
"upload_mode": 0,
|
||||
"actions": {
|
||||
"execute_on": [],
|
||||
"execute_sync": [],
|
||||
"hook": ""
|
||||
},
|
||||
"setstat_mode": 0,
|
||||
"temp_path": "",
|
||||
"proxy_protocol": 0,
|
||||
"proxy_allowed": [],
|
||||
"startup_hook": "",
|
||||
"post_connect_hook": "",
|
||||
"post_disconnect_hook": "",
|
||||
"data_retention_hook": "",
|
||||
"max_total_connections": 0,
|
||||
"max_per_host_connections": 20,
|
||||
"defender": {
|
||||
"enabled": false,
|
||||
"driver": "memory",
|
||||
"ban_time": 30,
|
||||
"ban_time_increment": 50,
|
||||
"threshold": 15,
|
||||
"score_invalid": 2,
|
||||
"score_valid": 1,
|
||||
"score_limit_exceeded": 3,
|
||||
"observation_time": 30,
|
||||
"entries_soft_limit": 100,
|
||||
"entries_hard_limit": 150,
|
||||
"safelist_file": "",
|
||||
"blocklist_file": ""
|
||||
},
|
||||
"rate_limiters": [
|
||||
{
|
||||
"average": 0,
|
||||
"period": 1000,
|
||||
"burst": 1,
|
||||
"type": 2,
|
||||
"protocols": [
|
||||
"SSH",
|
||||
"FTP",
|
||||
"DAV",
|
||||
"HTTP"
|
||||
],
|
||||
"allow_list": [],
|
||||
"generate_defender_events": false,
|
||||
"entries_soft_limit": 100,
|
||||
"entries_hard_limit": 150
|
||||
}
|
||||
]
|
||||
},
|
||||
"sftpd": {
|
||||
"bindings": [
|
||||
{
|
||||
"port": 2022,
|
||||
"address": "",
|
||||
"apply_proxy_config": true
|
||||
}
|
||||
],
|
||||
"max_auth_tries": 0,
|
||||
"banner": "",
|
||||
"host_keys": [],
|
||||
"kex_algorithms": [],
|
||||
"ciphers": [],
|
||||
"macs": [],
|
||||
"trusted_user_ca_keys": [],
|
||||
"login_banner_file": "",
|
||||
"enabled_ssh_commands": [
|
||||
"md5sum",
|
||||
"sha1sum",
|
||||
"cd",
|
||||
"pwd",
|
||||
"scp"
|
||||
],
|
||||
"keyboard_interactive_authentication": false,
|
||||
"keyboard_interactive_auth_hook": "",
|
||||
"password_authentication": true,
|
||||
"folder_prefix": ""
|
||||
},
|
||||
"ftpd": {
|
||||
"bindings": [
|
||||
{
|
||||
"port": 0,
|
||||
"address": "",
|
||||
"apply_proxy_config": true,
|
||||
"tls_mode": 0,
|
||||
"force_passive_ip": "",
|
||||
"passive_ip_overrides": [],
|
||||
"client_auth_type": 0,
|
||||
"tls_cipher_suites": [],
|
||||
"passive_connections_security": 0,
|
||||
"active_connections_security": 0,
|
||||
"debug": false
|
||||
}
|
||||
],
|
||||
"banner": "",
|
||||
"banner_file": "",
|
||||
"active_transfers_port_non_20": true,
|
||||
"passive_port_range": {
|
||||
"start": 50000,
|
||||
"end": 50100
|
||||
},
|
||||
"disable_active_mode": false,
|
||||
"enable_site": false,
|
||||
"hash_support": 0,
|
||||
"combine_support": 0,
|
||||
"certificate_file": "",
|
||||
"certificate_key_file": "",
|
||||
"ca_certificates": [],
|
||||
"ca_revocation_lists": []
|
||||
},
|
||||
"webdavd": {
|
||||
"bindings": [
|
||||
{
|
||||
"port": 0,
|
||||
"address": "",
|
||||
"enable_https": false,
|
||||
"client_auth_type": 0,
|
||||
"tls_cipher_suites": [],
|
||||
"prefix": "",
|
||||
"proxy_allowed": []
|
||||
}
|
||||
],
|
||||
"certificate_file": "",
|
||||
"certificate_key_file": "",
|
||||
"ca_certificates": [],
|
||||
"ca_revocation_lists": [],
|
||||
"cors": {
|
||||
"enabled": false,
|
||||
"allowed_origins": [],
|
||||
"allowed_methods": [],
|
||||
"allowed_headers": [],
|
||||
"exposed_headers": [],
|
||||
"allow_credentials": false,
|
||||
"max_age": 0
|
||||
},
|
||||
"cache": {
|
||||
"users": {
|
||||
"expiration_time": 0,
|
||||
"max_size": 50
|
||||
},
|
||||
"mime_types": {
|
||||
"enabled": true,
|
||||
"max_size": 1000
|
||||
}
|
||||
}
|
||||
},
|
||||
"data_provider": {
|
||||
"driver": "sqlite",
|
||||
"name": "sftpgo.db",
|
||||
"host": "",
|
||||
"port": 0,
|
||||
"username": "",
|
||||
"password": "",
|
||||
"sslmode": 0,
|
||||
"connection_string": "",
|
||||
"sql_tables_prefix": "",
|
||||
"track_quota": 2,
|
||||
"delayed_quota_update": 0,
|
||||
"pool_size": 0,
|
||||
"users_base_dir": "/srv/ht",
|
||||
"actions": {
|
||||
"execute_on": [],
|
||||
"execute_for": [],
|
||||
"hook": ""
|
||||
},
|
||||
"external_auth_hook": "/srv/php/niver/sftpgo-auth.php",
|
||||
"external_auth_scope": 0,
|
||||
"credentials_path": "credentials",
|
||||
"prefer_database_credentials": false,
|
||||
"pre_login_hook": "",
|
||||
"post_login_hook": "",
|
||||
"post_login_scope": 0,
|
||||
"check_password_hook": "",
|
||||
"check_password_scope": 0,
|
||||
"password_hashing": {
|
||||
"bcrypt_options": {
|
||||
"cost": 10
|
||||
},
|
||||
"argon2_options": {
|
||||
"memory": 65536,
|
||||
"iterations": 1,
|
||||
"parallelism": 2
|
||||
},
|
||||
"algo": "bcrypt"
|
||||
},
|
||||
"password_validation": {
|
||||
"admins": {
|
||||
"min_entropy": 0
|
||||
},
|
||||
"users": {
|
||||
"min_entropy": 0
|
||||
}
|
||||
},
|
||||
"password_caching": true,
|
||||
"update_mode": 0,
|
||||
"skip_natural_keys_validation": false,
|
||||
"create_default_admin": false,
|
||||
"is_shared": 0
|
||||
},
|
||||
"httpd": {
|
||||
"bindings": [
|
||||
{
|
||||
"port": 0,
|
||||
"address": "",
|
||||
"enable_web_admin": true,
|
||||
"enable_web_client": true,
|
||||
"enable_https": false,
|
||||
"client_auth_type": 0,
|
||||
"tls_cipher_suites": [],
|
||||
"proxy_allowed": [],
|
||||
"hide_login_url": 0,
|
||||
"render_openapi": true,
|
||||
"web_client_integrations": []
|
||||
}
|
||||
],
|
||||
"templates_path": "templates",
|
||||
"static_files_path": "static",
|
||||
"openapi_path": "openapi",
|
||||
"backups_path": "backups",
|
||||
"web_root": "",
|
||||
"certificate_file": "",
|
||||
"certificate_key_file": "",
|
||||
"ca_certificates": [],
|
||||
"ca_revocation_lists": [],
|
||||
"signing_passphrase": "",
|
||||
"max_upload_file_size": 1048576000,
|
||||
"cors": {
|
||||
"enabled": false,
|
||||
"allowed_origins": [],
|
||||
"allowed_methods": [],
|
||||
"allowed_headers": [],
|
||||
"exposed_headers": [],
|
||||
"allow_credentials": false,
|
||||
"max_age": 0
|
||||
},
|
||||
"setup": {
|
||||
"installation_code": "",
|
||||
"installation_code_hint": "Installation code"
|
||||
}
|
||||
},
|
||||
"telemetry": {
|
||||
"bind_port": 0,
|
||||
"bind_address": "127.0.0.1",
|
||||
"enable_profiler": false,
|
||||
"auth_user_file": "",
|
||||
"certificate_file": "",
|
||||
"certificate_key_file": "",
|
||||
"tls_cipher_suites": []
|
||||
},
|
||||
"http": {
|
||||
"timeout": 20,
|
||||
"retry_wait_min": 2,
|
||||
"retry_wait_max": 30,
|
||||
"retry_max": 3,
|
||||
"ca_certificates": [],
|
||||
"certificates": [],
|
||||
"skip_tls_verify": false,
|
||||
"headers": []
|
||||
},
|
||||
"kms": {
|
||||
"secrets": {
|
||||
"url": "",
|
||||
"master_key": "",
|
||||
"master_key_path": ""
|
||||
}
|
||||
},
|
||||
"mfa": {
|
||||
"totp": [
|
||||
{
|
||||
"name": "Default",
|
||||
"issuer": "SFTPGo",
|
||||
"algo": "sha1"
|
||||
}
|
||||
]
|
||||
},
|
||||
"smtp": {
|
||||
"host": "",
|
||||
"port": 25,
|
||||
"from": "",
|
||||
"user": "",
|
||||
"password": "",
|
||||
"auth_type": 0,
|
||||
"encryption": 0,
|
||||
"domain": "",
|
||||
"templates_path": "templates"
|
||||
},
|
||||
"plugins": []
|
||||
}
|
|
@ -0,0 +1,2 @@
|
|||
[Service]
|
||||
ReadWritePaths=/etc/nginx/ht
|
|
@ -1 +1 @@
|
|||
Subproject commit 9a2eb0a18e6f5d464af6d130c291dc916a5d73c9
|
||||
Subproject commit af99877e51e938dfdebf83e0febc7b055c2ce03f
|
|
@ -2,7 +2,7 @@ server {
|
|||
listen [::]:{{HTTPS_PORT}} ssl http2;
|
||||
listen 0.0.0.0:{{HTTPS_PORT}} ssl http2;
|
||||
server_name {{DOMAIN}};
|
||||
root {{HT_PATH}}/{{USERNAME}}/ht/{{DIR}};
|
||||
root {{HT_PATH}}/{{USERNAME}}/{{DIR}};
|
||||
|
||||
ssl_certificate /etc/ssl/certs/niver.crt;
|
||||
ssl_certificate_key /etc/ssl/private/niver.key;
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
server {
|
||||
listen [::1]:{{INTERNAL_ONION_HTTP_PORT}};
|
||||
server_name {{DOMAIN}};
|
||||
root {{HT_PATH}}/{{USERNAME}}/ht/{{DIR}};
|
||||
root {{HT_PATH}}/{{USERNAME}}/{{DIR}};
|
||||
|
||||
location / {
|
||||
try_files $uri $uri.html $uri/ =404;
|
||||
|
|
Loading…
Reference in New Issue