Add sudoers.d/niver, among other things

mkosi.extra/etc/knot/knot.conf

@@ -1,23 +1,22 @@
-# Configuration export (Knot DNS 3.1.7)
-
 server:
-  version: "Knot"
-  nsid: "Niver"
-  rundir: "/run/knot"
-  user: "knot:knot"
-  listen: [ "::@42053", "0.0.0.0@42053" ]
+    version: "Knot"
+    nsid: "Niver"
+    rundir: "/run/knot"
+    user: "knot:knot"
+    listen: [ "::1@42053", "127.0.0.1@42053" ]
 
 log:
   - target: "/var/log/knot/knot.log"
     any: "debug"
 
 database:
-  storage: "/var/lib/knot"
+    storage: "/var/lib/knot"
 
 policy:
   - id: "niver"
     algorithm: "ed25519"
     nsec3: "on"
+    nsec3-iterations: 10
 
 template:
   - id: "niver"

mkosi.extra/etc/nginx/default-server.conf

@@ -4,7 +4,6 @@ server {
 
 	ssl_certificate /etc/ssl/certs/niver.crt;
 	ssl_certificate_key /etc/ssl/private/niver.key;
-	#ssl_stapling off;
 
 	root /srv/php/errors;
 	try_files index.php index.html $uri $uri/;

mkosi.extra/etc/nginx/http.conf

@@ -2,7 +2,9 @@ server {
 	listen [::1]:42080 default_server;
 	listen 127.0.0.1:42080 default_server;
 
-	return 403; # Don't allow unsecure HTTP requests
+	location / {
+		return 403; # Don't allow unsecure HTTP requests
+	}
 
 	# Display an explanation page
 	error_page 403 @http403;
@@ -14,4 +16,8 @@ server {
 		fastcgi_pass unix:/run/php-fpm/errors.sock;
 		include inc/fastcgi.conf;
 	}
+
+	location /.well-known/acme-challenge {
+		alias /srv/acme/;
+	}
 }

mkosi.extra/etc/nginx/sites/niver.test.conf

@@ -13,14 +13,6 @@ server {
 	more_set_headers "Referrer-Policy : same-origin";
 	more_set_headers "Content-Security-Policy : default-src 'none'; style-src 'self'; frame-ancestors 'none'; form-action 'self';";
 
-	location ~ ^/iquane/(db|less|lessphp|inc|niver.log) {
-		return 403;
-	}
-
-	location ~ \.inc.php$ {
-		return 403;
-	}
-
 	location ~ \.php$ {
 		fastcgi_split_path_info ^(.+\.php)(/.+)$;
 		fastcgi_pass unix:/run/php-fpm/niver.sock;

mkosi.extra/etc/php/php-fpm.conf

@@ -0,0 +1,3 @@
+[global]
+
+include = /etc/php/php-fpm.d/*.conf

mkosi.extra/etc/php/php-fpm.d/errors.conf

@@ -16,8 +16,8 @@ pm.max_spare_servers = 3
 
 access.log = /var/log/php/$pool-access.log
 
-;chroot = /srv/php/errors
-chdir = /srv/php/errors
+;chroot = /srv/php/$pool
+chdir = /srv/php/$pool
 
 catch_workers_output = yes
 decorate_workers_output = yes

mkosi.extra/etc/ssh/sshd_config

@@ -6,8 +6,8 @@ UsePAM yes
 # Network
 
 AddressFamily any
-ListenAddress [::]
-ListenAddress 0.0.0.0
+ListenAddress [::1]
+ListenAddress 127.0.0.1
 Port 42022
 
 # Cryptography

mkosi.extra/etc/sudoers.d/niver

@@ -0,0 +1 @@
+php-niver ALL= NOPASSWD: /usr/bin/systemctl reload nginx,/usr/bin/systemctl reload tor@niver

mkosi.extra/usr/lib/tmpfiles.d/php-fpm.conf

@@ -0,0 +1 @@
+d /run/php-fpm 755 nginx nginx

mkosi.postinst

@@ -1,7 +1,72 @@
 #!/usr/bin/bash
-
 source /etc/os-release
 
+# Create system users
+useradd -U -r -s /usr/sbin/nologin nginx
+useradd -U -r -s /usr/sbin/nologin php-niver
+useradd -U -r -s /usr/sbin/nologin php-errors
+useradd -U -r -s /usr/sbin/nologin sftpgo
+
+# Set proper permissions
+
+chmod 770 /var/lib/knot
+chmod -R g+w /var/lib/knot/confdb
+usermod -aG knot php-niver
+
+chown -R knot:knot /var/log/knot
+chmod -R 700 /var/log/knot
+
+chown -R php-niver:knot /srv/ns
+chmod -R 770 /srv/ns
+
+chown -R php-niver:php-niver /etc/nginx/ht
+
+chown -R sftpgo:sftpgo /etc/sftpgo
+chmod -R u=rwX,g=,o= /etc/sftpgo
+
+chown -R sftpgo:php-niver /srv/ht
+chmod -R u=rwX,g=rwX,o=rX /srv/ht
+
+chmod 555 /srv/php
+
+chown -R php-errors:nginx /srv/php/errors
+chmod -R 550 /srv/php/errors
+
+chown -R php-niver:nginx /srv/php/niver
+chmod -R u=rX,g=rX,o=X /srv/php/niver
+chmod -R 750 /srv/php/niver/public/css/
+chmod -R 700 /srv/php/niver/db
+chmod -R 600 /srv/php/niver/niver.log
+chown sftpgo:sftpgo /srv/php/niver/sftpgo-auth.php
+chmod -R u=rx,g=rx,o= /srv/php/niver/sftpgo-auth.php
+chown sftpgo:sftpgo /srv/php/niver/auth.log
+chmod -R u=rw,g=rw,o= /srv/php/niver/auth.log
+
+# Load configuration in Knot database
+systemctl stop knot
+sudo -u knot knotc conf-import /etc/knot/knot.conf
+systemctl start knot
+
+export PHP_INI=/etc/php/php.ini
+
+if [[ $ID = "debian" ]]; then
+	rm /etc/php/7.4/fpm/php-fpm.conf
+	ln -s /etc/php/php-fpm.conf /etc/php/7.4/fpm/php-fpm.conf
+	ln -s /etc/php/php-fpm.d/ /etc/php/7.4/fpm/pool.d
+
+	export PHP_INI=/etc/php/7.4/fpm/php.ini
+fi
+
+# Configure PHP-FPM properly
+
+cat >> $PHP_INI << EOF
+expose_php = Off
+display_errors = On
+extension = pdo_sqlite
+EOF
+
+systemctl enable sftpgo
+
 if [[ $ID = "arch" ]]; then
 	systemctl enable sshd
 	systemctl enable knot

mkosi.prepare

@@ -1,43 +1,16 @@
 #!/usr/bin/bash
+source /etc/os-release
 
 # Clean configuration directories (will be filled with mkosi.extra/)
 rm -r /etc/nginx/*
 rm -r /etc/ssh/*
-source /etc/os-release
 if [[ $ID = "debian" ]]; then
-	rm -r /etc/php/7.4/fpm/pool.d/*
+	rm -r /etc/php/7.4/fpm/pool.d
+	rm /usr/lib/tmpfiles.d/php7.4-fpm.conf
+fi
+if [[ $ID = "arch" ]]; then
+	rm /etc/php/php-fpm.d/*
 fi
-
-# Create system users
-useradd -U -r -s /usr/sbin/nologin nginx
-useradd -U -r -s /usr/sbin/nologin php-niver
-useradd -U -r -s /usr/sbin/nologin php-errors
-useradd -U -r -s /usr/sbin/nologin sftpgo
-
-# Set proper permissions
-
-chown -R knot:knot /var/log/knot
-chmod -R 700 /var/log/knot
-
-chown -R knot:php-niver /srv/ns
-chmod -R 770 /srv/ns
-
-chown -R php-niver:nginx /srv/ht
-chmod -R 740 /srv/ht
-
-chown -R php-niver:nginx /srv/php/niver/public/css/
-chmod -R 750 /srv/php/niver/public/css/
-
-chown -R php-niver:php-niver /srv/php/niver/db
-chmod -R 700 /srv/php/niver/db
-
-chown -R php-niver:php-niver /srv/php/niver/niver.log
-chmod -R 600 /srv/php/niver/niver.log
-
-# Load configuration in Knot database
-systemctl stop knot
-sudo -u knot knotc conf-import /etc/knot/knot.conf
-systemctl start knot
 
 # Generate default self-signed TLS key pair
 openssl req -subj '/' -new -newkey RSA:3072 -days 3650 -nodes -x509 -keyout /etc/ssl/private/niver.key -out /etc/ssl/certs/niver.crt
@@ -45,7 +18,3 @@ openssl req -subj '/' -new -newkey RSA:3072 -days 3650 -nodes -x509 -keyout /etc
 # Generate SSH server key pair
 ssh-keygen -f /etc/ssh/ed25519 -t ed25519 -N ""
 ssh-keygen -lvf /etc/ssh/ed25519 > /etc/ssh/ed25519.fp
-
-# Configure PHP-FPM properly
-echo "display_errors = On" >> /etc/php/php.ini
-echo "extension = pdo_sqlite" >> /etc/php/php.ini

mkosi.skeleton/etc/sftpgo/sftpgo.json

@@ -0,0 +1,291 @@
+{
+	"common": {
+		"idle_timeout": 15,
+		"upload_mode": 0,
+		"actions": {
+			"execute_on": [],
+			"execute_sync": [],
+			"hook": ""
+		},
+		"setstat_mode": 0,
+		"temp_path": "",
+		"proxy_protocol": 0,
+		"proxy_allowed": [],
+		"startup_hook": "",
+		"post_connect_hook": "",
+		"post_disconnect_hook": "",
+		"data_retention_hook": "",
+		"max_total_connections": 0,
+		"max_per_host_connections": 20,
+		"defender": {
+			"enabled": false,
+			"driver": "memory",
+			"ban_time": 30,
+			"ban_time_increment": 50,
+			"threshold": 15,
+			"score_invalid": 2,
+			"score_valid": 1,
+			"score_limit_exceeded": 3,
+			"observation_time": 30,
+			"entries_soft_limit": 100,
+			"entries_hard_limit": 150,
+			"safelist_file": "",
+			"blocklist_file": ""
+		},
+		"rate_limiters": [
+			{
+				"average": 0,
+				"period": 1000,
+				"burst": 1,
+				"type": 2,
+				"protocols": [
+					"SSH",
+					"FTP",
+					"DAV",
+					"HTTP"
+				],
+				"allow_list": [],
+				"generate_defender_events": false,
+				"entries_soft_limit": 100,
+				"entries_hard_limit": 150
+			}
+		]
+	},
+	"sftpd": {
+		"bindings": [
+			{
+				"port": 2022,
+				"address": "",
+				"apply_proxy_config": true
+			}
+		],
+		"max_auth_tries": 0,
+		"banner": "",
+		"host_keys": [],
+		"kex_algorithms": [],
+		"ciphers": [],
+		"macs": [],
+		"trusted_user_ca_keys": [],
+		"login_banner_file": "",
+		"enabled_ssh_commands": [
+			"md5sum",
+			"sha1sum",
+			"cd",
+			"pwd",
+			"scp"
+		],
+		"keyboard_interactive_authentication": false,
+		"keyboard_interactive_auth_hook": "",
+		"password_authentication": true,
+		"folder_prefix": ""
+	},
+	"ftpd": {
+		"bindings": [
+			{
+				"port": 0,
+				"address": "",
+				"apply_proxy_config": true,
+				"tls_mode": 0,
+				"force_passive_ip": "",
+				"passive_ip_overrides": [],
+				"client_auth_type": 0,
+				"tls_cipher_suites": [],
+				"passive_connections_security": 0,
+				"active_connections_security": 0,
+				"debug": false
+			}
+		],
+		"banner": "",
+		"banner_file": "",
+		"active_transfers_port_non_20": true,
+		"passive_port_range": {
+			"start": 50000,
+			"end": 50100
+		},
+		"disable_active_mode": false,
+		"enable_site": false,
+		"hash_support": 0,
+		"combine_support": 0,
+		"certificate_file": "",
+		"certificate_key_file": "",
+		"ca_certificates": [],
+		"ca_revocation_lists": []
+	},
+	"webdavd": {
+		"bindings": [
+			{
+				"port": 0,
+				"address": "",
+				"enable_https": false,
+				"client_auth_type": 0,
+				"tls_cipher_suites": [],
+				"prefix": "",
+				"proxy_allowed": []
+			}
+		],
+		"certificate_file": "",
+		"certificate_key_file": "",
+		"ca_certificates": [],
+		"ca_revocation_lists": [],
+		"cors": {
+			"enabled": false,
+			"allowed_origins": [],
+			"allowed_methods": [],
+			"allowed_headers": [],
+			"exposed_headers": [],
+			"allow_credentials": false,
+			"max_age": 0
+		},
+		"cache": {
+			"users": {
+				"expiration_time": 0,
+				"max_size": 50
+			},
+			"mime_types": {
+				"enabled": true,
+				"max_size": 1000
+			}
+		}
+	},
+	"data_provider": {
+		"driver": "sqlite",
+		"name": "sftpgo.db",
+		"host": "",
+		"port": 0,
+		"username": "",
+		"password": "",
+		"sslmode": 0,
+		"connection_string": "",
+		"sql_tables_prefix": "",
+		"track_quota": 2,
+		"delayed_quota_update": 0,
+		"pool_size": 0,
+		"users_base_dir": "/srv/ht",
+		"actions": {
+			"execute_on": [],
+			"execute_for": [],
+			"hook": ""
+		},
+		"external_auth_hook": "/srv/php/niver/sftpgo-auth.php",
+		"external_auth_scope": 0,
+		"credentials_path": "credentials",
+		"prefer_database_credentials": false,
+		"pre_login_hook": "",
+		"post_login_hook": "",
+		"post_login_scope": 0,
+		"check_password_hook": "",
+		"check_password_scope": 0,
+		"password_hashing": {
+			"bcrypt_options": {
+				"cost": 10
+			},
+			"argon2_options": {
+				"memory": 65536,
+				"iterations": 1,
+				"parallelism": 2
+			},
+			"algo": "bcrypt"
+		},
+		"password_validation": {
+			"admins": {
+				"min_entropy": 0
+			},
+			"users": {
+				"min_entropy": 0
+			}
+		},
+		"password_caching": true,
+		"update_mode": 0,
+		"skip_natural_keys_validation": false,
+		"create_default_admin": false,
+		"is_shared": 0
+	},
+	"httpd": {
+		"bindings": [
+			{
+				"port": 0,
+				"address": "",
+				"enable_web_admin": true,
+				"enable_web_client": true,
+				"enable_https": false,
+				"client_auth_type": 0,
+				"tls_cipher_suites": [],
+				"proxy_allowed": [],
+				"hide_login_url": 0,
+				"render_openapi": true,
+				"web_client_integrations": []
+			}
+		],
+		"templates_path": "templates",
+		"static_files_path": "static",
+		"openapi_path": "openapi",
+		"backups_path": "backups",
+		"web_root": "",
+		"certificate_file": "",
+		"certificate_key_file": "",
+		"ca_certificates": [],
+		"ca_revocation_lists": [],
+		"signing_passphrase": "",
+		"max_upload_file_size": 1048576000,
+		"cors": {
+			"enabled": false,
+			"allowed_origins": [],
+			"allowed_methods": [],
+			"allowed_headers": [],
+			"exposed_headers": [],
+			"allow_credentials": false,
+			"max_age": 0
+		},
+		"setup": {
+			"installation_code": "",
+			"installation_code_hint": "Installation code"
+		}
+	},
+	"telemetry": {
+		"bind_port": 0,
+		"bind_address": "127.0.0.1",
+		"enable_profiler": false,
+		"auth_user_file": "",
+		"certificate_file": "",
+		"certificate_key_file": "",
+		"tls_cipher_suites": []
+	},
+	"http": {
+		"timeout": 20,
+		"retry_wait_min": 2,
+		"retry_wait_max": 30,
+		"retry_max": 3,
+		"ca_certificates": [],
+		"certificates": [],
+		"skip_tls_verify": false,
+		"headers": []
+	},
+	"kms": {
+		"secrets": {
+			"url": "",
+			"master_key": "",
+			"master_key_path": ""
+		}
+	},
+	"mfa": {
+		"totp": [
+			{
+				"name": "Default",
+				"issuer": "SFTPGo",
+				"algo": "sha1"
+			}
+		]
+	},
+	"smtp": {
+		"host": "",
+		"port": 25,
+		"from": "",
+		"user": "",
+		"password": "",
+		"auth_type": 0,
+		"encryption": 0,
+		"domain": "",
+		"templates_path": "templates"
+	},
+	"plugins": []
+}

mkosi.skeleton/etc/systemd/system/php-fpm.service.d/override.conf

@@ -0,0 +1,2 @@
+[Service]
+ReadWritePaths=/etc/nginx/ht

mkosi.skeleton/srv/php/niver

@@ -1 +1 @@
-Subproject commit 9a2eb0a18e6f5d464af6d130c291dc916a5d73c9
+Subproject commit af99877e51e938dfdebf83e0febc7b055c2ce03f

mkosi.skeleton/usr/local/share/niver/nginx/dns.template

@@ -2,7 +2,7 @@ server {
 	listen [::]:{{HTTPS_PORT}} ssl http2;
 	listen 0.0.0.0:{{HTTPS_PORT}} ssl http2;
 	server_name {{DOMAIN}};
-	root {{HT_PATH}}/{{USERNAME}}/ht/{{DIR}};
+	root {{HT_PATH}}/{{USERNAME}}/{{DIR}};
 
 	ssl_certificate /etc/ssl/certs/niver.crt;
 	ssl_certificate_key /etc/ssl/private/niver.key;

mkosi.skeleton/usr/local/share/niver/nginx/onion.template

@@ -1,7 +1,7 @@
 server {
 	listen [::1]:{{INTERNAL_ONION_HTTP_PORT}};
 	server_name {{DOMAIN}};
-	root {{HT_PATH}}/{{USERNAME}}/ht/{{DIR}};
+	root {{HT_PATH}}/{{USERNAME}}/{{DIR}};
 
 	location / {
 		try_files $uri $uri.html $uri/ =404;