diff --git a/mkosi.extra/etc/knot/knot.conf b/mkosi.extra/etc/knot/knot.conf index 43531b9..06ab0a8 100644 --- a/mkosi.extra/etc/knot/knot.conf +++ b/mkosi.extra/etc/knot/knot.conf @@ -1,23 +1,22 @@ -# Configuration export (Knot DNS 3.1.7) - server: - version: "Knot" - nsid: "Niver" - rundir: "/run/knot" - user: "knot:knot" - listen: [ "::@42053", "0.0.0.0@42053" ] + version: "Knot" + nsid: "Niver" + rundir: "/run/knot" + user: "knot:knot" + listen: [ "::1@42053", "127.0.0.1@42053" ] log: - target: "/var/log/knot/knot.log" any: "debug" database: - storage: "/var/lib/knot" + storage: "/var/lib/knot" policy: - id: "niver" algorithm: "ed25519" nsec3: "on" + nsec3-iterations: 10 template: - id: "niver" diff --git a/mkosi.extra/etc/nginx/default-server.conf b/mkosi.extra/etc/nginx/default-server.conf index a7fc89f..c8cb50d 100644 --- a/mkosi.extra/etc/nginx/default-server.conf +++ b/mkosi.extra/etc/nginx/default-server.conf @@ -4,7 +4,6 @@ server { ssl_certificate /etc/ssl/certs/niver.crt; ssl_certificate_key /etc/ssl/private/niver.key; - #ssl_stapling off; root /srv/php/errors; try_files index.php index.html $uri $uri/; diff --git a/mkosi.extra/etc/nginx/http.conf b/mkosi.extra/etc/nginx/http.conf index 2730937..cfe29c3 100644 --- a/mkosi.extra/etc/nginx/http.conf +++ b/mkosi.extra/etc/nginx/http.conf @@ -2,7 +2,9 @@ server { listen [::1]:42080 default_server; listen 127.0.0.1:42080 default_server; - return 403; # Don't allow unsecure HTTP requests + location / { + return 403; # Don't allow unsecure HTTP requests + } # Display an explanation page error_page 403 @http403; @@ -14,4 +16,8 @@ server { fastcgi_pass unix:/run/php-fpm/errors.sock; include inc/fastcgi.conf; } + + location /.well-known/acme-challenge { + alias /srv/acme/; + } } diff --git a/mkosi.extra/etc/nginx/sites/niver.test.conf b/mkosi.extra/etc/nginx/sites/niver.test.conf index 3e8fcc0..f1c7199 100644 --- a/mkosi.extra/etc/nginx/sites/niver.test.conf +++ b/mkosi.extra/etc/nginx/sites/niver.test.conf 
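Review bot: The new `nsec3-iterations: 10` in the `niver` policy adds signing and validation cost without a security benefit; RFC 9276 (BCP 236) recommends zero additional iterations and an empty salt, so `nsec3-iterations: 0`, together with `nsec3-salt-length: 0` if the policy is being revised anyway, is the value to set. The `listen` change to `::1@42053` and `127.0.0.1@42053` leaves Knot reachable only over loopback, so something outside this diff must forward port 53 to it; a comment on that line naming the forwarder would save the next reader a search. The surrounding hunk also re-indents the `server` and `database` keys, which cannot be checked here because whitespace was collapsed in this rendering.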
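Review bot: In the second http.conf hunk, `location /.well-known/acme-challenge` has no trailing slash while `alias /srv/acme/;` does, so the prefix also matches request paths that continue with characters other than `/`, and the remainder is appended to `/srv/acme/` unchanged — the nginx alias off-by-slash misconfiguration, which can map requests to files outside the alias directory. Use matching slashes: `location /.well-known/acme-challenge/ { alias /srv/acme/; }`. A one-line comment such as `# HTTP-01 challenge files written by the ACME client` above the block would also explain why this is the only path the plain-HTTP server answers with something other than 403.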
@@ -13,14 +13,6 @@ server { more_set_headers "Referrer-Policy : same-origin"; more_set_headers "Content-Security-Policy : default-src 'none'; style-src 'self'; frame-ancestors 'none'; form-action 'self';"; - location ~ ^/iquane/(db|less|lessphp|inc|niver.log) { - return 403; - } - - location ~ \.inc.php$ { - return 403; - } - location ~ \.php$ { fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_pass unix:/run/php-fpm/niver.sock; diff --git a/mkosi.skeleton/etc/pacman.d/mirrorlist b/mkosi.extra/etc/pacman.d/mirrorlist similarity index 100% rename from mkosi.skeleton/etc/pacman.d/mirrorlist rename to mkosi.extra/etc/pacman.d/mirrorlist diff --git a/mkosi.extra/etc/php/php-fpm.conf b/mkosi.extra/etc/php/php-fpm.conf new file mode 100644 index 0000000..4c16665 --- /dev/null +++ b/mkosi.extra/etc/php/php-fpm.conf @@ -0,0 +1,3 @@ +[global] + +include = /etc/php/php-fpm.d/*.conf diff --git a/mkosi.extra/etc/php/php-fpm.d/errors.conf b/mkosi.extra/etc/php/php-fpm.d/errors.conf index b4db645..af32ccd 100644 --- a/mkosi.extra/etc/php/php-fpm.d/errors.conf +++ b/mkosi.extra/etc/php/php-fpm.d/errors.conf @@ -16,8 +16,8 @@ pm.max_spare_servers = 3 access.log = /var/log/php/$pool-access.log -;chroot = /srv/php/errors -chdir = /srv/php/errors +;chroot = /srv/php/$pool +chdir = /srv/php/$pool catch_workers_output = yes decorate_workers_output = yes diff --git a/mkosi.skeleton/etc/resolv.conf b/mkosi.extra/etc/resolv.conf similarity index 100% rename from mkosi.skeleton/etc/resolv.conf rename to mkosi.extra/etc/resolv.conf diff --git a/mkosi.extra/etc/ssh/sshd_config b/mkosi.extra/etc/ssh/sshd_config index 80438ae..6407b29 100644 --- a/mkosi.extra/etc/ssh/sshd_config +++ b/mkosi.extra/etc/ssh/sshd_config @@ -6,8 +6,8 @@ UsePAM yes # Network AddressFamily any -ListenAddress [::] -ListenAddress 0.0.0.0 +ListenAddress [::1] +ListenAddress 127.0.0.1 Port 42022 # Cryptography 
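Review bot: With the two deny locations removed, `/iquane/(db|less|lessphp|inc|niver.log)` and `*.inc.php` are no longer refused by nginx, and `*.inc.php` files now match `location ~ \.php$` and are handed to PHP-FPM if they still exist in the submodule at this revision. The `db` directory and `niver.log` are now protected only by the `700`/`600` modes set in mkosi.postinst, which holds as long as the worker runs as the `nginx` user (those modes exclude the `nginx` group), but nothing in this diff shows where the include files went. If they moved out of the document root, a short comment on `location ~ \.php$` saying so would explain why the guard went away; otherwise keep a `location ~ \.inc\.php$ { return 403; }` (the original pattern also left the dot before `inc` unescaped). The server block continues outside the hunk on both sides.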
diff --git a/mkosi.extra/etc/sudoers.d/niver b/mkosi.extra/etc/sudoers.d/niver
new file mode 100644
index 0000000..02452ff
--- /dev/null
+++ b/mkosi.extra/etc/sudoers.d/niver
@@ -0,0 +1 @@
+php-niver ALL= NOPASSWD: /usr/bin/systemctl reload nginx,/usr/bin/systemctl reload tor@niver
diff --git a/mkosi.extra/usr/lib/tmpfiles.d/php-fpm.conf b/mkosi.extra/usr/lib/tmpfiles.d/php-fpm.conf
new file mode 100644
index 0000000..4d0e3ec
--- /dev/null
+++ b/mkosi.extra/usr/lib/tmpfiles.d/php-fpm.conf
@@ -0,0 +1 @@
+d /run/php-fpm 755 nginx nginx
diff --git a/mkosi.postinst b/mkosi.postinst
index 8bb18fa..9b1c32f 100755
--- a/mkosi.postinst
+++ b/mkosi.postinst
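Review bot: Nothing in the diff sets this file's mode to 0440 — git records it as 100644 and mkosi.postinst does not chmod it — and sudo refuses or skips sudoers.d fragments whose owner or mode it does not accept (the exact message and behaviour vary by version), so the two `NOPASSWD` entries may never take effect; add `chmod 0440 /etc/sudoers.d/niver` to the postinst or fix the mode in the build tree. The rule itself is the right shape: two fixed command lines with no wildcards. Since the same `php-niver` user owns `/etc/nginx/ht` per mkosi.postinst, a compromise of that PHP pool can write whatever nginx includes from there and then reload it, so a comment on this line such as `# lets the vhost generator apply config it writes under /etc/nginx/ht` would record that trade-off.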
@@ -1,7 +1,72 @@ #!/usr/bin/bash - source /etc/os-release +# Create system users +useradd -U -r -s /usr/sbin/nologin nginx +useradd -U -r -s /usr/sbin/nologin php-niver +useradd -U -r -s /usr/sbin/nologin php-errors +useradd -U -r -s /usr/sbin/nologin sftpgo + +# Set proper permissions + +chmod 770 /var/lib/knot +chmod -R g+w /var/lib/knot/confdb +usermod -aG knot php-niver + +chown -R knot:knot /var/log/knot +chmod -R 700 /var/log/knot + +chown -R php-niver:knot /srv/ns +chmod -R 770 /srv/ns + +chown -R php-niver:php-niver /etc/nginx/ht + +chown -R sftpgo:sftpgo /etc/sftpgo +chmod -R u=rwX,g=,o= /etc/sftpgo + +chown -R sftpgo:php-niver /srv/ht +chmod -R u=rwX,g=rwX,o=rX /srv/ht + +chmod 555 /srv/php + +chown -R php-errors:nginx /srv/php/errors +chmod -R 550 /srv/php/errors + +chown -R php-niver:nginx /srv/php/niver +chmod -R u=rX,g=rX,o=X /srv/php/niver +chmod -R 750 /srv/php/niver/public/css/ +chmod -R 700 /srv/php/niver/db +chmod -R 600 /srv/php/niver/niver.log +chown sftpgo:sftpgo /srv/php/niver/sftpgo-auth.php +chmod -R u=rx,g=rx,o= /srv/php/niver/sftpgo-auth.php +chown sftpgo:sftpgo /srv/php/niver/auth.log +chmod -R u=rw,g=rw,o= /srv/php/niver/auth.log + +# Load configuration in Knot database +systemctl stop knot +sudo -u knot knotc conf-import /etc/knot/knot.conf +systemctl start knot + +export PHP_INI=/etc/php/php.ini + +if [[ $ID = "debian" ]]; then + rm /etc/php/7.4/fpm/php-fpm.conf + ln -s /etc/php/php-fpm.conf /etc/php/7.4/fpm/php-fpm.conf + ln -s /etc/php/php-fpm.d/ /etc/php/7.4/fpm/pool.d + + export PHP_INI=/etc/php/7.4/fpm/php.ini +fi + +# Configure PHP-FPM properly + +cat >> $PHP_INI << EOF +expose_php = Off +display_errors = On +extension = pdo_sqlite +EOF + +systemctl enable sftpgo + if [[ $ID = "arch" ]]; then systemctl enable sshd systemctl enable knot diff --git a/mkosi.prepare b/mkosi.prepare index 1303282..e0aa849 100755 --- a/mkosi.prepare +++ b/mkosi.prepare 
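Review bot: The `cat >> $PHP_INI` block sets `display_errors = On`, which sends PHP errors (file paths, stack traces, query fragments) to HTTP clients; unless this image is only for local testing it should be `display_errors = Off` with `log_errors = On` so errors go to the pool's log instead. The script has no `set -e`, so a failing `useradd`, `chown` or `knotc conf-import` is ignored and the image is still produced; `set -euo pipefail` after the shebang makes such failures fatal. `sftpgo-auth.php` is the external auth hook sftpgo executes (per sftpgo.json in this commit), and `chown sftpgo:sftpgo` makes the executing account its owner, able to rewrite its own authentication logic; `chown root:sftpgo` with `chmod u=rwx,g=rx,o=` keeps it executable without that. Note also that `usermod -aG knot php-niver` together with `chmod -R g+w /var/lib/knot/confdb` and the `php-niver:knot` 770 ownership of `/srv/ns` gives the web pool user direct write access to the name server's configuration database, which looks intentional but deserves a comment saying so. The function-less script continues outside the hunk.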
@@ -1,43 +1,16 @@ #!/usr/bin/bash +source /etc/os-release # Clean configuration directories (will be filled with mkosi.extra/) rm -r /etc/nginx/* rm -r /etc/ssh/* -source /etc/os-release if [[ $ID = "debian" ]]; then - rm -r /etc/php/7.4/fpm/pool.d/* + rm -r /etc/php/7.4/fpm/pool.d + rm /usr/lib/tmpfiles.d/php7.4-fpm.conf +fi +if [[ $ID = "arch" ]]; then + rm /etc/php/php-fpm.d/* fi - -# Create system users -useradd -U -r -s /usr/sbin/nologin nginx -useradd -U -r -s /usr/sbin/nologin php-niver -useradd -U -r -s /usr/sbin/nologin php-errors -useradd -U -r -s /usr/sbin/nologin sftpgo - -# Set proper permissions - -chown -R knot:knot /var/log/knot -chmod -R 700 /var/log/knot - -chown -R knot:php-niver /srv/ns -chmod -R 770 /srv/ns - -chown -R php-niver:nginx /srv/ht -chmod -R 740 /srv/ht - -chown -R php-niver:nginx /srv/php/niver/public/css/ -chmod -R 750 /srv/php/niver/public/css/ - -chown -R php-niver:php-niver /srv/php/niver/db -chmod -R 700 /srv/php/niver/db - -chown -R php-niver:php-niver /srv/php/niver/niver.log -chmod -R 600 /srv/php/niver/niver.log - -# Load configuration in Knot database -systemctl stop knot -sudo -u knot knotc conf-import /etc/knot/knot.conf -systemctl start knot # Generate default self-signed TLS key pair openssl req -subj '/' -new -newkey RSA:3072 -days 3650 -nodes -x509 -keyout /etc/ssl/private/niver.key -out /etc/ssl/certs/niver.crt @@ -45,7 +18,3 @@ openssl req -subj '/' -new -newkey RSA:3072 -days 3650 -nodes -x509 -keyout /etc # Generate SSH server key pair ssh-keygen -f /etc/ssh/ed25519 -t ed25519 -N "" ssh-keygen -lvf /etc/ssh/ed25519 > /etc/ssh/ed25519.fp - -# Configure PHP-FPM properly -echo "display_errors = On" >> /etc/php/php.ini -echo "extension = pdo_sqlite" >> /etc/php/php.ini diff --git a/mkosi.skeleton/etc/sftpgo/sftpgo.json b/mkosi.skeleton/etc/sftpgo/sftpgo.json new file mode 100644 index 0000000..b816341 --- /dev/null +++ b/mkosi.skeleton/etc/sftpgo/sftpgo.json 
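Review bot: The new `rm -r /etc/php/7.4/fpm/pool.d`, `rm /usr/lib/tmpfiles.d/php7.4-fpm.conf` and `rm /etc/php/php-fpm.d/*` lines only make sense together with files added elsewhere in this commit (the `php-fpm.d` pool directory symlinked as `pool.d` in mkosi.postinst and `tmpfiles.d/php-fpm.conf`), and nothing here says so; a comment such as `# Distro PHP-FPM pool dir and tmpfiles entry are replaced by mkosi.extra/ (see mkosi.postinst)` above the Debian branch would make the coupling visible. As with the postinst, the script has no `set -e`, so a failed `rm` (for example an empty `/etc/php/php-fpm.d/`) is silently ignored while a later unexpected path is still deleted.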
@@ -0,0 +1,291 @@ +{ + "common": { + "idle_timeout": 15, + "upload_mode": 0, + "actions": { + "execute_on": [], + "execute_sync": [], + "hook": "" + }, + "setstat_mode": 0, + "temp_path": "", + "proxy_protocol": 0, + "proxy_allowed": [], + "startup_hook": "", + "post_connect_hook": "", + "post_disconnect_hook": "", + "data_retention_hook": "", + "max_total_connections": 0, + "max_per_host_connections": 20, + "defender": { + "enabled": false, + "driver": "memory", + "ban_time": 30, + "ban_time_increment": 50, + "threshold": 15, + "score_invalid": 2, + "score_valid": 1, + "score_limit_exceeded": 3, + "observation_time": 30, + "entries_soft_limit": 100, + "entries_hard_limit": 150, + "safelist_file": "", + "blocklist_file": "" + }, + "rate_limiters": [ + { + "average": 0, + "period": 1000, + "burst": 1, + "type": 2, + "protocols": [ + "SSH", + "FTP", + "DAV", + "HTTP" + ], + "allow_list": [], + "generate_defender_events": false, + "entries_soft_limit": 100, + "entries_hard_limit": 150 + } + ] + }, + "sftpd": { + "bindings": [ + { + "port": 2022, + "address": "", + "apply_proxy_config": true + } + ], + "max_auth_tries": 0, + "banner": "", + "host_keys": [], + "kex_algorithms": [], + "ciphers": [], + "macs": [], + "trusted_user_ca_keys": [], + "login_banner_file": "", + "enabled_ssh_commands": [ + "md5sum", + "sha1sum", + "cd", + "pwd", + "scp" + ], + "keyboard_interactive_authentication": false, + "keyboard_interactive_auth_hook": "", + "password_authentication": true, + "folder_prefix": "" + }, + "ftpd": { + "bindings": [ + { + "port": 0, + "address": "", + "apply_proxy_config": true, + "tls_mode": 0, + "force_passive_ip": "", + "passive_ip_overrides": [], + "client_auth_type": 0, + "tls_cipher_suites": [], + "passive_connections_security": 0, + "active_connections_security": 0, + "debug": false + } + ], + "banner": "", + "banner_file": "", + "active_transfers_port_non_20": true, + "passive_port_range": { + "start": 50000, + "end": 50100 + }, + "disable_active_mode": 
false, + "enable_site": false, + "hash_support": 0, + "combine_support": 0, + "certificate_file": "", + "certificate_key_file": "", + "ca_certificates": [], + "ca_revocation_lists": [] + }, + "webdavd": { + "bindings": [ + { + "port": 0, + "address": "", + "enable_https": false, + "client_auth_type": 0, + "tls_cipher_suites": [], + "prefix": "", + "proxy_allowed": [] + } + ], + "certificate_file": "", + "certificate_key_file": "", + "ca_certificates": [], + "ca_revocation_lists": [], + "cors": { + "enabled": false, + "allowed_origins": [], + "allowed_methods": [], + "allowed_headers": [], + "exposed_headers": [], + "allow_credentials": false, + "max_age": 0 + }, + "cache": { + "users": { + "expiration_time": 0, + "max_size": 50 + }, + "mime_types": { + "enabled": true, + "max_size": 1000 + } + } + }, + "data_provider": { + "driver": "sqlite", + "name": "sftpgo.db", + "host": "", + "port": 0, + "username": "", + "password": "", + "sslmode": 0, + "connection_string": "", + "sql_tables_prefix": "", + "track_quota": 2, + "delayed_quota_update": 0, + "pool_size": 0, + "users_base_dir": "/srv/ht", + "actions": { + "execute_on": [], + "execute_for": [], + "hook": "" + }, + "external_auth_hook": "/srv/php/niver/sftpgo-auth.php", + "external_auth_scope": 0, + "credentials_path": "credentials", + "prefer_database_credentials": false, + "pre_login_hook": "", + "post_login_hook": "", + "post_login_scope": 0, + "check_password_hook": "", + "check_password_scope": 0, + "password_hashing": { + "bcrypt_options": { + "cost": 10 + }, + "argon2_options": { + "memory": 65536, + "iterations": 1, + "parallelism": 2 + }, + "algo": "bcrypt" + }, + "password_validation": { + "admins": { + "min_entropy": 0 + }, + "users": { + "min_entropy": 0 + } + }, + "password_caching": true, + "update_mode": 0, + "skip_natural_keys_validation": false, + "create_default_admin": false, + "is_shared": 0 + }, + "httpd": { + "bindings": [ + { + "port": 0, + "address": "", + "enable_web_admin": true, + 
"enable_web_client": true, + "enable_https": false, + "client_auth_type": 0, + "tls_cipher_suites": [], + "proxy_allowed": [], + "hide_login_url": 0, + "render_openapi": true, + "web_client_integrations": [] + } + ], + "templates_path": "templates", + "static_files_path": "static", + "openapi_path": "openapi", + "backups_path": "backups", + "web_root": "", + "certificate_file": "", + "certificate_key_file": "", + "ca_certificates": [], + "ca_revocation_lists": [], + "signing_passphrase": "", + "max_upload_file_size": 1048576000, + "cors": { + "enabled": false, + "allowed_origins": [], + "allowed_methods": [], + "allowed_headers": [], + "exposed_headers": [], + "allow_credentials": false, + "max_age": 0 + }, + "setup": { + "installation_code": "", + "installation_code_hint": "Installation code" + } + }, + "telemetry": { + "bind_port": 0, + "bind_address": "127.0.0.1", + "enable_profiler": false, + "auth_user_file": "", + "certificate_file": "", + "certificate_key_file": "", + "tls_cipher_suites": [] + }, + "http": { + "timeout": 20, + "retry_wait_min": 2, + "retry_wait_max": 30, + "retry_max": 3, + "ca_certificates": [], + "certificates": [], + "skip_tls_verify": false, + "headers": [] + }, + "kms": { + "secrets": { + "url": "", + "master_key": "", + "master_key_path": "" + } + }, + "mfa": { + "totp": [ + { + "name": "Default", + "issuer": "SFTPGo", + "algo": "sha1" + } + ] + }, + "smtp": { + "host": "", + "port": 25, + "from": "", + "user": "", + "password": "", + "auth_type": 0, + "encryption": 0, + "domain": "", + "templates_path": "templates" + }, + "plugins": [] +} diff --git a/mkosi.skeleton/etc/systemd/system/php-fpm.service.d/override.conf b/mkosi.skeleton/etc/systemd/system/php-fpm.service.d/override.conf new file mode 100644 index 0000000..3841dd7 --- /dev/null +++ b/mkosi.skeleton/etc/systemd/system/php-fpm.service.d/override.conf @@ -0,0 +1,2 @@ +[Service] +ReadWritePaths=/etc/nginx/ht 
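Review bot: `defender.enabled` is `false`, the single `rate_limiters` entry has `"average": 0` (disabled) and `max_auth_tries` is `0` (SFTPGo then applies its default of 6 per connection), while the sftpd binding on port 2022 has `"address": ""`, i.e. every interface — unlike sshd and knot, which this commit moves to loopback — so password authentication through the external hook is reachable from the network with no brute-force throttling. Set `"enabled": true` under `defender` (the memory driver is fine for a single host) and give the rate limiter a non-zero `average`, or bind the SFTP listener to the addresses actually meant to serve it. `host_keys` is `[]`, so the host keys are generated wherever the service first starts; if that happens during the image build, every instance of the image shares them, which is worth a comment next to the binding stating which is expected.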
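Review bot: `ReadWritePaths=/etc/nginx/ht` only carves a writable exception out of a `ProtectSystem=` sandbox and is a no-op unless the distribution's php-fpm unit sets `ProtectSystem=full` or `strict` (the Arch and Debian units do, as far as I know), so a comment such as `# php-fpm ships with ProtectSystem=full; the niver pool writes generated vhosts here` would record why this drop-in exists. The same directory is chowned to `php-niver` in mkosi.postinst, so the write access is gated by both DAC and the sandbox, which is the right layering.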
diff --git a/mkosi.skeleton/srv/php/niver b/mkosi.skeleton/srv/php/niver index 9a2eb0a..af99877 160000 --- a/mkosi.skeleton/srv/php/niver +++ b/mkosi.skeleton/srv/php/niver @@ -1 +1 @@ -Subproject commit 9a2eb0a18e6f5d464af6d130c291dc916a5d73c9 +Subproject commit af99877e51e938dfdebf83e0febc7b055c2ce03f diff --git a/mkosi.skeleton/usr/local/share/niver/nginx/dns.template b/mkosi.skeleton/usr/local/share/niver/nginx/dns.template index 03e9a4d..f429a91 100644 --- a/mkosi.skeleton/usr/local/share/niver/nginx/dns.template +++ b/mkosi.skeleton/usr/local/share/niver/nginx/dns.template @@ -2,7 +2,7 @@ server { listen [::]:{{HTTPS_PORT}} ssl http2; listen 0.0.0.0:{{HTTPS_PORT}} ssl http2; server_name {{DOMAIN}}; - root {{HT_PATH}}/{{USERNAME}}/ht/{{DIR}}; + root {{HT_PATH}}/{{USERNAME}}/{{DIR}}; ssl_certificate /etc/ssl/certs/niver.crt; ssl_certificate_key /etc/ssl/private/niver.key; diff --git a/mkosi.skeleton/usr/local/share/niver/nginx/onion.template b/mkosi.skeleton/usr/local/share/niver/nginx/onion.template index 98bdf03..5307d2b 100644 --- a/mkosi.skeleton/usr/local/share/niver/nginx/onion.template +++ b/mkosi.skeleton/usr/local/share/niver/nginx/onion.template @@ -1,7 +1,7 @@ server { listen [::1]:{{INTERNAL_ONION_HTTP_PORT}}; server_name {{DOMAIN}}; - root {{HT_PATH}}/{{USERNAME}}/ht/{{DIR}}; + root {{HT_PATH}}/{{USERNAME}}/{{DIR}}; location / { try_files $uri $uri.html $uri/ =404;
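Review bot: `root {{HT_PATH}}/{{USERNAME}}/{{DIR}};` in dns.template (and the same line in onion.template) now places `{{DIR}}` directly under the user's directory, and nothing in this diff shows where `{{DIR}}`, `{{USERNAME}}` and `{{DOMAIN}}` are validated before substitution; since the rendered text is loaded as nginx configuration and reloaded via the `php-niver` sudo rule, a value containing `;`, `}`, whitespace or a `..` component would alter the server block or escape the user's tree rather than just change the path. The generator (presumably in the niver submodule, outside this diff) should restrict these to single path components drawn from a conservative character set, and a comment on the template such as `# USERNAME and DIR must be single validated path components; DOMAIN a validated hostname` would make that contract visible. Both server blocks continue outside their hunks.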