Split permissions outside of dedicated file
parent
44d62a49b1
commit
4151c456d4
|
@ -7,7 +7,7 @@ server:
|
|||
listen: [ "2001:db8::1@42053", "203.0.113.1@42053" ]
|
||||
|
||||
log:
|
||||
- target: "/var/log/knot/knot.log"
|
||||
- target: "syslog"
|
||||
any: "debug"
|
||||
|
||||
database:
|
||||
|
@ -53,4 +53,3 @@ zone:
|
|||
- domain: "test.servnest.test."
|
||||
template: "servnest"
|
||||
storage: "/srv/servnest/reg"
|
||||
|
||||
|
|
|
@ -7,7 +7,7 @@ server:
|
|||
listen: [ "2001:db8::2@53", "203.0.113.2@53" ]
|
||||
|
||||
log:
|
||||
- target: "/var/log/knot/knot.log"
|
||||
- target: "syslog"
|
||||
any: "debug"
|
||||
|
||||
database:
|
||||
|
@ -34,4 +34,3 @@ zone:
|
|||
master: "primary"
|
||||
catalog-role: interpret
|
||||
catalog-template: "servnest"
|
||||
|
||||
|
|
|
@ -0,0 +1,3 @@
|
|||
mkdir /srv/servnest/acme
|
||||
chown $nginx: /srv/servnest/acme
|
||||
chmod u=rX,g=,o= /srv/servnest/acme
|
|
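Review bot: The new directory is readable only by its owner (`chmod u=rX,g=,o= /srv/servnest/acme`), yet the challenge files written into it come from certbot running as root (the sudoers rule passes `--webroot-path /srv/servnest/acme`), so nginx can serve them only if root's umask leaves those files readable by others — a stricter umask would silently break HTTP-01 validation. That dependency is worth stating on the `mkdir` line, e.g. `# HTTP-01 webroot for certbot (see sudoers); nginx must be able to read the challenge files root writes here`. The file this hunk belongs to is not named on the page.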
@ -21,4 +21,4 @@ source /install/servnest.sh
|
|||
source /install/php.sh
|
||||
source /install/nginx.sh
|
||||
source /install/sftpgo.sh
|
||||
source /install/permissions.sh
|
||||
source /install/certbot.sh
|
||||
|
|
|
@ -1,5 +1,19 @@
|
|||
#!/usr/bin/bash
|
||||
|
||||
# Load configuration in Knot database
|
||||
sudo -u $knot mkdir -p /var/lib/knot/confdb/
|
||||
|
||||
# Load configuration in Knot database
|
||||
sudo -u $knot knotc conf-import /install/knot.conf
|
||||
|
||||
# We need servnest to be allowed to configure Knot
|
||||
usermod -aG $knot $servnest # Add user $servnest to group $knot
|
||||
chown -R $knot: /var/lib/knot/confdb
|
||||
chmod -R u=rwX,g=rwX,o= /var/lib/knot/confdb
|
||||
|
||||
mkdir -p /srv/servnest/reg
|
||||
chown -R $servnest:$knot /srv/servnest/reg
|
||||
chmod -R u=rwX,g=rwX,o= /srv/servnest/reg
|
||||
|
||||
mkdir /srv/servnest/ns
|
||||
chown -R $servnest:$knot /srv/servnest/ns
|
||||
chmod -R u=rwX,g=rwX,o= /srv/servnest/ns
|
||||
|
|
|
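Review bot: The `/var/log/knot` ownership and mode that the deleted permissions.sh applied (`chown -R $knot: /var/log/knot` and `chmod -R u=rwX,g=,o= /var/log/knot`) do not reappear in this hunk, even though knot.conf logs to `/var/log/knot/knot.log`; unless they moved to a part of knot.sh outside the hunk, the split drops them. The comment `# Load configuration in Knot database` also appears above both `sudo -u $knot mkdir -p /var/lib/knot/confdb/` and `sudo -u $knot knotc conf-import /install/knot.conf`; the first occurrence should describe its own line, e.g. `# Create the Knot configuration database directory`. The new file is 19 lines in this hunk; if knot.sh continues beyond that, the log-directory step may live there.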
@ -5,3 +5,7 @@ openssl req -subj '/' -new -newkey RSA:3072 -days 3650 -nodes -x509 -keyout /etc
|
|||
|
||||
rm -r /etc/nginx/*
|
||||
cp -r /install/nginx/* /etc/nginx/
|
||||
|
||||
mkdir /srv/servnest/nginx /srv/servnest/subpath /srv/servnest/subdomain
|
||||
chown $servnest:$nginx /srv/servnest/nginx /srv/servnest/subpath /srv/servnest/subdomain
|
||||
chmod u=rwX,g=rX,o= /srv/servnest/nginx /srv/servnest/subpath /srv/servnest/subdomain
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
load_module "/usr/lib/nginx/modules/ngx_http_headers_more_filter_module.so";
|
||||
worker_processes auto;
|
||||
user nginx nginx;
|
||||
pcre_jit on;
|
||||
|
||||
events {
|
||||
worker_connections 1024;
|
||||
|
|
|
@ -1,35 +0,0 @@
|
|||
#!/usr/bin/bash
|
||||
|
||||
# We need servnest to be allowed to configure Knot
|
||||
usermod -aG $knot $servnest # Add user servnest to group knot
|
||||
chown -R $knot: /var/lib/knot/confdb
|
||||
chmod -R u=rwX,g=rwX,o= /var/lib/knot/confdb
|
||||
|
||||
chown -R $knot: /var/log/knot
|
||||
chmod -R u=rwX,g=,o= /var/log/knot
|
||||
|
||||
chown -R $servnest:$knot /srv/servnest/ns
|
||||
chmod -R u=rwX,g=rwX,o= /srv/servnest/ns
|
||||
chown -R $servnest:$knot /srv/servnest/reg
|
||||
chmod -R u=rwX,g=rwX,o= /srv/servnest/reg
|
||||
|
||||
chown -R $servnest:$nginx /srv/servnest/nginx /srv/servnest/subpath /srv/servnest/subdomain
|
||||
chmod -R u=rwX,g=rX,o= /srv/servnest/nginx /srv/servnest/subpath /srv/servnest/subdomain
|
||||
|
||||
usermod -aG $sftpgo $servnest
|
||||
chown -R $nginx:$sftpgo /srv/servnest/ht
|
||||
chmod -R u=rX,g=rwX,o= /srv/servnest/ht
|
||||
|
||||
chown -R $sftpgo: /etc/sftpgo
|
||||
chmod -R u=rX,g=rX,o= /etc/sftpgo
|
||||
chmod u=r,g=,o= /etc/sftpgo/ed25519
|
||||
|
||||
chown -R $servnest:$tor /srv/servnest/tor-config
|
||||
chmod -R u=rwX,g=rX,o= /srv/servnest/tor-config
|
||||
chown -R $tor: /srv/servnest/tor-keys
|
||||
chmod -R u=rwX,g=,o= /srv/servnest/tor-keys
|
||||
|
||||
chown -R $servnest:$nginx /srv/servnest/core /srv/servnest/errors
|
||||
chmod -R u=rX,g=rX,o= /srv/servnest/core /srv/servnest/errors
|
||||
chown -R $servnest: /srv/servnest/core/db
|
||||
chmod -R u=rwX,g=,o= /srv/servnest/core/db
|
|
@ -2,13 +2,13 @@
|
|||
|
||||
[servnest]
|
||||
|
||||
user = $pool
|
||||
user = servnest
|
||||
group = knot
|
||||
|
||||
listen = /run/php-fpm/$pool.sock
|
||||
|
||||
listen = /run/php-fpm/servnest.sock
|
||||
listen.owner = nginx
|
||||
listen.group = nginx
|
||||
listen.mode = 0600
|
||||
|
||||
pm = dynamic
|
||||
pm.max_children = 5
|
||||
|
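Review bot: `group = knot` makes every file the pool creates group-owned by knot by default, while the directories prepared for other services are group `nginx` (`/srv/servnest/nginx`, `/srv/servnest/subpath`, `/srv/servnest/subdomain`) or `$tor` (`/srv/servnest/tor-config`) with `g=rX`; if the application writes files there, those readers depend on the other-bits left by the pool's umask, which nothing in the commit sets. Setting the setgid bit on those directories (`chmod g+s`) would make new files inherit the directory's group and keep the `o=` on the directories meaningful; either way a comment on this line would help, e.g. `; primary group knot so files written under /srv/servnest/reg and /srv/servnest/ns are readable by Knot`. The socket lines (`listen.owner = nginx`, `listen.group = nginx`, `listen.mode = 0600`) correctly limit the socket to the nginx worker user.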
@ -16,7 +16,7 @@ pm.start_servers = 2
|
|||
pm.min_spare_servers = 1
|
||||
pm.max_spare_servers = 3
|
||||
|
||||
access.log = /var/log/php/$pool-access.log
|
||||
access.log = /var/log/php/servnest-access.log
|
||||
|
||||
catch_workers_output = yes
|
||||
decorate_workers_output = yes
|
||||
|
|
|
@ -6,9 +6,3 @@ extension = gettext
|
|||
expose_php = Off
|
||||
zend_extension = opcache
|
||||
opcache.jit_buffer_size = 32M
|
||||
|
||||
output_buffering = 4096
|
||||
short_open_tag = Off
|
||||
|
||||
; Set this to Off for a public setup
|
||||
display_errors = On
|
||||
|
|
|
@ -11,7 +11,7 @@ if [[ $OS = "debian" ]]; then
|
|||
export PHP_INI=/etc/php/8.2/fpm/php.ini
|
||||
fi
|
||||
|
||||
cp /install/php.ini $PHP_INI
|
||||
cat /install/php.ini >> $PHP_INI
|
||||
|
||||
# For systemd
|
||||
mkdir /etc/systemd/system/php-fpm.service.d
|
||||
|
|
|
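Review bot: `cat /install/php.ini >> $PHP_INI` is not idempotent and fuses the first appended line onto the distro file's last line if that file lacks a trailing newline; `{ echo; cat /install/php.ini; } >> "$PHP_INI"` avoids the fusing, and a `grep -q` for a sentinel comment before appending avoids duplicates on a re-run. PHP keeps the last value of a repeated directive, so the appended overrides do take effect, but everything not listed in /install/php.ini now falls back to the distro defaults — a comment stating that intent would help, e.g. `# Append overrides; distro php.ini defaults apply to anything not listed`. `$PHP_INI` should also be quoted on this line.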
@ -7,3 +7,8 @@ sqlite3 /srv/servnest/core/db/servnest.db <<< "UPDATE params SET value = '$(open
|
|||
|
||||
# Create translation Machine Objects files
|
||||
msgfmt /srv/servnest/core/locales/fr/C/LC_MESSAGES/messages.po -o /srv/servnest/core/locales/fr/C/LC_MESSAGES/messages.mo
|
||||
|
||||
chown -R $servnest:$nginx /srv/servnest/core
|
||||
chmod -R u=rX,g=rX,o= /srv/servnest/core
|
||||
chown -R $servnest: /srv/servnest/core/db
|
||||
chmod -R u=rwX,g=,o= /srv/servnest/core/db
|
||||
|
|
|
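Review bot: The ownership block added at the end of the hunk is undocumented; state the intent so it survives later edits, e.g. `# Code tree read-only for the app user (nginx reads via group); only core/db is writable, and nginx gets no access to it`. Ordering matters here: `chmod -R u=rX,g=rX,o= /srv/servnest/core` runs after the `sqlite3` update and `msgfmt` have written into the tree, so the generated `messages.mo` and the database are covered — a comment noting that would stop someone moving the block up. Note that `u=rX` still lets the owning user chmod files back, so it guards against accidental writes rather than forming a hard boundary.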
@ -1,7 +1,5 @@
|
|||
#!/usr/bin/bash
|
||||
|
||||
chmod +x /usr/local/bin/sftpgo
|
||||
|
||||
mkdir /etc/sftpgo
|
||||
|
||||
# Generate SFTPGo key pair
|
||||
|
@ -16,6 +14,16 @@ echo ht.servnest.test. 86400 SSHFP 4 2 $(cut -d ' ' -f 2 /etc/sftpgo/ed25519.pub
|
|||
cp /install/sftpgo.toml /etc/sftpgo/
|
||||
touch /etc/sftpgo/banner.txt
|
||||
|
||||
usermod -aG $sftpgo $servnest # Add user servnest to group sftpgo
|
||||
|
||||
chown -R $sftpgo: /etc/sftpgo
|
||||
chmod -R u=rX,g=rX,o= /etc/sftpgo
|
||||
chmod u=r,g=,o= /etc/sftpgo/ed25519
|
||||
|
||||
mkdir /srv/servnest/ht
|
||||
chown -R $nginx:$sftpgo /srv/servnest/ht
|
||||
chmod -R u=rX,g=rwX,o= /srv/servnest/ht
|
||||
|
||||
# For systemd
|
||||
cp /install/sftpgo.service /etc/systemd/system/
|
||||
systemctl enable sftpgo
|
||||
|
|
|
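Review bot: `chown -R $nginx:$sftpgo /srv/servnest/ht` and `chmod -R u=rX,g=rwX,o= /srv/servnest/ht` run directly after `mkdir /srv/servnest/ht`, so `-R` does nothing on first install but, if the script is re-run on an existing tree, would reset the per-site directories under `ht` that the sudoers `chgrp` rule maintains; the non-recursive form nginx.sh uses (`chmod u=rX,g=rwX,o= /srv/servnest/ht`) is the safer match. The same applies to `/srv/servnest/reg` and `/srv/servnest/ns` in knot.sh and to `tor-config`/`tor-keys` in tor.sh. Since `usermod -aG $sftpgo $servnest` precedes `chmod -R u=rX,g=rX,o= /etc/sftpgo`, the servnest user can read everything in `/etc/sftpgo` including `sftpgo.toml`; confirm that is intended and add a comment on the `usermod` line saying what servnest needs from that group.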
@ -3,7 +3,7 @@ servnest ALL=(root) NOPASSWD: /usr/bin/systemctl reload tor
|
|||
servnest ALL=(root) NOPASSWD: /usr/bin/chgrp ^sftpgo /srv/servnest/ht/[0-9a-f]{64} --no-dereference$
|
||||
servnest ALL=(root) NOPASSWD: /usr/bin/certbot ^certonly( --test-cert)? --key-type rsa --rsa-key-size 3072 --webroot --webroot-path /srv/servnest/acme --domain ([a-z0-9_-]{1,63}\.){1,126}[a-z0-9]{1,63}$
|
||||
servnest ALL=(root) NOPASSWD: /usr/bin/certbot ^delete --quiet --cert-name ([a-z0-9_-]{1,63}\.){1,126}[a-z0-9]{1,63}$
|
||||
servnest ALL=(sftpgo) NOPASSWD: /usr/bin/rm ^--recursive /srv/servnest/ht/[0-9a-f]{64}$
|
||||
servnest ALL=(tor) NOPASSWD: /usr/bin/cat ^/srv/servnest/tor-keys/[0-9a-f]{64}/[a-zA-Z0-9_-]{1,64}/hostname$
|
||||
servnest ALL=(tor) NOPASSWD: /usr/bin/mkdir ^--mode=0700 /srv/servnest/tor-keys/[0-9a-f]{64}$
|
||||
servnest ALL=(tor) NOPASSWD: /usr/bin/rm ^--recursive /srv/servnest/tor-keys/[0-9a-f]{64}(/[a-zA-Z0-9_-]{1,64})?$
|
||||
servnest ALL=(sftpgo) NOPASSWD: /usr/bin/rm ^--recursive /srv/servnest/ht/[0-9a-f]{64}$
|
||||
|
|
|
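Review bot: In the new certbot rules the label pattern `[a-z0-9_-]{1,63}` permits a label that begins with `-`, so the `--domain` and `--cert-name` values may start with a hyphen; whether certbot's parser would then read the value as an option is not settled by the rule itself, and tightening the first character removes the question: `([a-z0-9][a-z0-9_-]{0,62}\.){1,126}[a-z0-9]{1,63}$` in both rules. The `delete --quiet --cert-name` rule matches every certbot lineage on the host, not only those servnest issued, so if the host itself relies on certbot this lets the web user remove its certificate — if that is accepted, say so in a comment on the line. The `(sftpgo) NOPASSWD: /usr/bin/rm` rule appears twice in the hunk, presumably the old and new position of a moved line.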
@ -1,6 +1,15 @@
|
|||
rm -r /etc/tor/*
|
||||
cp /install/torrc /etc/tor/
|
||||
|
||||
mkdir /srv/servnest/tor-config
|
||||
chown -R $servnest:$tor /srv/servnest/tor-config
|
||||
chmod -R u=rwX,g=rX,o= /srv/servnest/tor-config
|
||||
|
||||
mkdir /srv/servnest/tor-keys
|
||||
chown -R $tor: /srv/servnest/tor-keys
|
||||
chmod -R u=rwX,g=,o= /srv/servnest/tor-keys
|
||||
|
||||
# For systemd
|
||||
mkdir /etc/systemd/system/tor.service.d
|
||||
cp /install/tor.service.override.conf /etc/systemd/system/tor.service.d/
|
||||
|
||||
|
|
|
@ -13,7 +13,7 @@ Packages =
|
|||
python3-certbot-nginx
|
||||
knot-dnsutils
|
||||
php-sqlite3
|
||||
golang-1.18
|
||||
golang-1.19
|
||||
openssh-server
|
||||
iputils-ping
|
||||
gettext
|
||||
|
|
|
@ -8,6 +8,9 @@ ssh-keygen -lvf /etc/ssh/ed25519 > /etc/ssh/ed25519.fp
|
|||
|
||||
source /install/install.sh
|
||||
|
||||
chown $sftpgo: /usr/local/bin/sftpgo
|
||||
chmod u=rx,g=,o= /usr/local/bin/sftpgo
|
||||
|
||||
if [[ $OS = "arch" ]]; then
|
||||
systemctl enable sshd
|
||||
systemctl enable knot
|
||||
|
|
|
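Review bot: `chown $sftpgo: /usr/local/bin/sftpgo` makes the service account the owner of its own executable, and an owner can always `chmod` the file writable again, so the following `u=rx` is not a real barrier: a compromised process running as `$sftpgo` could replace the binary it runs from. Keeping the file root-owned and granting execute through the group is the usual arrangement: `chown root:$sftpgo /usr/local/bin/sftpgo` and `chmod u=rwx,g=rx,o= /usr/local/bin/sftpgo`. The same reasoning applies to the `/etc/sftpgo` tree, which sftpgo.sh hands to `$sftpgo:` with `u=rX`, presumably the account the service runs as.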
@ -6,7 +6,10 @@ if [[ $OS = "debian" ]]; then
|
|||
export GO=/usr/lib/go-1.19/bin/go
|
||||
fi
|
||||
|
||||
git clone https://github.com/drakkan/sftpgo /root/sftpgo-src
|
||||
cd /root/sftpgo-src
|
||||
git clone https://github.com/drakkan/sftpgo sftpgo-src
|
||||
cd sftpgo-src
|
||||
git checkout $(git tag | tail -n 1)
|
||||
$GO build -o /usr/local/bin/sftpgo
|
||||
cp -r openapi ./internal/bundle/openapi
|
||||
cp -r templates ./internal/bundle/templates
|
||||
cp -r static ./internal/bundle/static
|
||||
$GO build -tags nogcs,nos3,noazblob,nobolt,nomysql,nopgsql,nosqlite,noportable,nometrics,bundle -o /usr/local/bin/sftpgo
|
||||
|
|
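Review bot: `cd sftpgo-src` is unguarded, so if the clone fails the `cp -r` and `$GO build` lines run in the caller's working directory, which is now also where the relative clone path lands; `cd sftpgo-src || exit 1` (or `set -e` in the sourcing script, which is not visible here) closes that. The build then compiles whatever `git checkout $(git tag | tail -n 1)` selects from an unverified clone — `git tag` is sorted lexically, not by version, and nothing pins a reviewed tag or commit; recording the expected tag in a variable and checking it out explicitly would make the installed sftpgo reproducible and reviewable. A one-line comment above the final `$GO build` naming why the bundle tags and the three `cp -r` lines are needed would help the next maintainer.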