Split permissions outside of dedicated file

2023-03-28 00:09:41 +02:00 · 2023-03-28 00:09:41 +02:00 · 4151c456d4
parent 44d62a49b1
commit 4151c456d4
27 changed files with 66 additions and 59 deletions
--- a/etc/knot/knot-primary.conf
+++ b/etc/knot/knot-primary.conf
@ -7,7 +7,7 @@ server:
    listen: [ "2001:db8::1@42053", "203.0.113.1@42053" ]

 log:
-  - target: "/var/log/knot/knot.log"
+  - target: "syslog"
    any: "debug"

 database:
@ -53,4 +53,3 @@ zone:
  - domain: "test.servnest.test."
    template: "servnest"
    storage: "/srv/servnest/reg"
-
--- a/etc/knot/knot-secondary.conf
+++ b/etc/knot/knot-secondary.conf
@ -7,7 +7,7 @@ server:
    listen: [ "2001:db8::2@53", "203.0.113.2@53" ]

 log:
-  - target: "/var/log/knot/knot.log"
+  - target: "syslog"
    any: "debug"

 database:
@ -34,4 +34,3 @@ zone:
    master: "primary"
    catalog-role: interpret
    catalog-template: "servnest"
-
--- a/install/certbot.sh
+++ b/install/certbot.sh
@ -0,0 +1,3 @@
+mkdir /srv/servnest/acme
+chown $nginx: /srv/servnest/acme
+chmod u=rX,g=,o= /srv/servnest/acme
--- a/install/install.sh
+++ b/install/install.sh
@ -21,4 +21,4 @@ source /install/servnest.sh
 source /install/php.sh
 source /install/nginx.sh
 source /install/sftpgo.sh
-source /install/permissions.sh
+source /install/certbot.sh
--- a/install/knot.sh
+++ b/install/knot.sh
@ -1,5 +1,19 @@
 #!/usr/bin/bash

-# Load configuration in Knot database
 sudo -u $knot mkdir -p /var/lib/knot/confdb/
+
+# Load configuration in Knot database
 sudo -u $knot knotc conf-import /install/knot.conf
+
+# We need servnest to be allowed to configure Knot
+usermod -aG $knot $servnest # Add user $servnest to group $knot
+chown -R $knot: /var/lib/knot/confdb
+chmod -R u=rwX,g=rwX,o= /var/lib/knot/confdb
+
+mkdir -p /srv/servnest/reg
+chown -R $servnest:$knot /srv/servnest/reg
+chmod -R u=rwX,g=rwX,o= /srv/servnest/reg
+
+mkdir /srv/servnest/ns
+chown -R $servnest:$knot /srv/servnest/ns
+chmod -R u=rwX,g=rwX,o= /srv/servnest/ns
--- a/install/nginx.sh
+++ b/install/nginx.sh
@ -5,3 +5,7 @@ openssl req -subj '/' -new -newkey RSA:3072 -days 3650 -nodes -x509 -keyout /etc

 rm -r /etc/nginx/*
 cp -r /install/nginx/* /etc/nginx/
+
+mkdir /srv/servnest/nginx /srv/servnest/subpath /srv/servnest/subdomain
+chown $servnest:$nginx /srv/servnest/nginx /srv/servnest/subpath /srv/servnest/subdomain
+chmod u=rwX,g=rX,o= /srv/servnest/nginx /srv/servnest/subpath /srv/servnest/subdomain
--- a/install/nginx/nginx.conf
+++ b/install/nginx/nginx.conf
@ -1,6 +1,7 @@
 load_module "/usr/lib/nginx/modules/ngx_http_headers_more_filter_module.so";
 worker_processes auto;
 user nginx nginx;
+pcre_jit on;

 events {
 	worker_connections 1024;
--- a/install/permissions.sh
+++ b/install/permissions.sh
@ -1,35 +0,0 @@
-#!/usr/bin/bash
-
-# We need servnest to be allowed to configure Knot
-usermod -aG $knot $servnest # Add user servnest to group knot
-chown -R $knot: /var/lib/knot/confdb
-chmod -R u=rwX,g=rwX,o= /var/lib/knot/confdb
-
-chown -R $knot: /var/log/knot
-chmod -R u=rwX,g=,o= /var/log/knot
-
-chown -R $servnest:$knot /srv/servnest/ns
-chmod -R u=rwX,g=rwX,o= /srv/servnest/ns
-chown -R $servnest:$knot /srv/servnest/reg
-chmod -R u=rwX,g=rwX,o= /srv/servnest/reg
-
-chown -R $servnest:$nginx /srv/servnest/nginx /srv/servnest/subpath /srv/servnest/subdomain
-chmod -R u=rwX,g=rX,o= /srv/servnest/nginx /srv/servnest/subpath /srv/servnest/subdomain
-
-usermod -aG $sftpgo $servnest
-chown -R $nginx:$sftpgo /srv/servnest/ht
-chmod -R u=rX,g=rwX,o= /srv/servnest/ht
-
-chown -R $sftpgo: /etc/sftpgo
-chmod -R u=rX,g=rX,o= /etc/sftpgo
-chmod u=r,g=,o= /etc/sftpgo/ed25519
-
-chown -R $servnest:$tor /srv/servnest/tor-config
-chmod -R u=rwX,g=rX,o= /srv/servnest/tor-config
-chown -R $tor: /srv/servnest/tor-keys
-chmod -R u=rwX,g=,o= /srv/servnest/tor-keys
-
-chown -R $servnest:$nginx /srv/servnest/core /srv/servnest/errors
-chmod -R u=rX,g=rX,o= /srv/servnest/core /srv/servnest/errors
-chown -R $servnest: /srv/servnest/core/db
-chmod -R u=rwX,g=,o= /srv/servnest/core/db
--- a/install/php-fpm.conf
+++ b/install/php-fpm.conf
@ -2,13 +2,13 @@

 [servnest]

-user = $pool
+user = servnest
 group = knot

-listen = /run/php-fpm/$pool.sock
-
+listen = /run/php-fpm/servnest.sock
 listen.owner = nginx
 listen.group = nginx
+listen.mode = 0600

 pm = dynamic
 pm.max_children = 5
@ -16,7 +16,7 @@ pm.start_servers = 2
 pm.min_spare_servers = 1
 pm.max_spare_servers = 3

-access.log = /var/log/php/$pool-access.log
+access.log = /var/log/php/servnest-access.log

 catch_workers_output = yes
 decorate_workers_output = yes
--- a/install/php.ini
+++ b/install/php.ini
@ -6,9 +6,3 @@ extension = gettext
 expose_php = Off
 zend_extension = opcache
 opcache.jit_buffer_size = 32M
-
-output_buffering = 4096
-short_open_tag = Off
-
-; Set this to Off for a public setup
-display_errors = On
--- a/install/php.sh
+++ b/install/php.sh
@ -11,7 +11,7 @@ if [[ $OS = "debian" ]]; then
 	export PHP_INI=/etc/php/8.2/fpm/php.ini
 fi

-cp /install/php.ini $PHP_INI
+cat /install/php.ini >> $PHP_INI

 # For systemd
 mkdir /etc/systemd/system/php-fpm.service.d
--- a/install/servnest.sh
+++ b/install/servnest.sh
@ -7,3 +7,8 @@ sqlite3 /srv/servnest/core/db/servnest.db <<< "UPDATE params SET value = '$(open

 # Create translation Machine Objects files
 msgfmt /srv/servnest/core/locales/fr/C/LC_MESSAGES/messages.po -o /srv/servnest/core/locales/fr/C/LC_MESSAGES/messages.mo
+
+chown -R $servnest:$nginx /srv/servnest/core
+chmod -R u=rX,g=rX,o= /srv/servnest/core
+chown -R $servnest: /srv/servnest/core/db
+chmod -R u=rwX,g=,o= /srv/servnest/core/db
--- a/install/sftpgo.sh
+++ b/install/sftpgo.sh
@ -1,7 +1,5 @@
 #!/usr/bin/bash

-chmod +x /usr/local/bin/sftpgo
-
 mkdir /etc/sftpgo

 # Generate SFTPGo key pair
@ -16,6 +14,16 @@ echo ht.servnest.test. 86400 SSHFP 4 2 $(cut -d ' ' -f 2 /etc/sftpgo/ed25519.pub
 cp /install/sftpgo.toml /etc/sftpgo/
 touch /etc/sftpgo/banner.txt

+usermod -aG $sftpgo $servnest # Add user servnest to group sftpgo
+
+chown -R $sftpgo: /etc/sftpgo
+chmod -R u=rX,g=rX,o= /etc/sftpgo
+chmod u=r,g=,o= /etc/sftpgo/ed25519
+
+mkdir /srv/servnest/ht
+chown -R $nginx:$sftpgo /srv/servnest/ht
+chmod -R u=rX,g=rwX,o= /srv/servnest/ht
+
 # For systemd
 cp /install/sftpgo.service /etc/systemd/system/
 systemctl enable sftpgo
--- a/install/sudoers
+++ b/install/sudoers
@ -3,7 +3,7 @@ servnest ALL=(root)   NOPASSWD: /usr/bin/systemctl  reload tor
 servnest ALL=(root)   NOPASSWD: /usr/bin/chgrp     ^sftpgo /srv/servnest/ht/[0-9a-f]{64} --no-dereference$
 servnest ALL=(root)   NOPASSWD: /usr/bin/certbot   ^certonly( --test-cert)? --key-type rsa --rsa-key-size 3072 --webroot --webroot-path /srv/servnest/acme --domain ([a-z0-9_-]{1,63}\.){1,126}[a-z0-9]{1,63}$
 servnest ALL=(root)   NOPASSWD: /usr/bin/certbot   ^delete --quiet --cert-name ([a-z0-9_-]{1,63}\.){1,126}[a-z0-9]{1,63}$
-servnest ALL=(sftpgo) NOPASSWD: /usr/bin/rm        ^--recursive /srv/servnest/ht/[0-9a-f]{64}$
 servnest ALL=(tor)    NOPASSWD: /usr/bin/cat       ^/srv/servnest/tor-keys/[0-9a-f]{64}/[a-zA-Z0-9_-]{1,64}/hostname$
 servnest ALL=(tor)    NOPASSWD: /usr/bin/mkdir     ^--mode=0700 /srv/servnest/tor-keys/[0-9a-f]{64}$
 servnest ALL=(tor)    NOPASSWD: /usr/bin/rm        ^--recursive /srv/servnest/tor-keys/[0-9a-f]{64}(/[a-zA-Z0-9_-]{1,64})?$
+servnest ALL=(sftpgo) NOPASSWD: /usr/bin/rm        ^--recursive /srv/servnest/ht/[0-9a-f]{64}$
--- a/install/tor.sh
+++ b/install/tor.sh
@ -1,6 +1,15 @@
 rm -r /etc/tor/*
 cp /install/torrc /etc/tor/

+mkdir /srv/servnest/tor-config
+chown -R $servnest:$tor /srv/servnest/tor-config
+chmod -R u=rwX,g=rX,o= /srv/servnest/tor-config
+
+mkdir /srv/servnest/tor-keys
+chown -R $tor: /srv/servnest/tor-keys
+chmod -R u=rwX,g=,o= /srv/servnest/tor-keys
+
+# For systemd
 mkdir /etc/systemd/system/tor.service.d
 cp /install/tor.service.override.conf /etc/systemd/system/tor.service.d/

--- a/mkosi.default.d/debian/mkosi.default
+++ b/mkosi.default.d/debian/mkosi.default
@ -13,7 +13,7 @@ Packages =
 	python3-certbot-nginx
 	knot-dnsutils
 	php-sqlite3
-	golang-1.18
+	golang-1.19
 	openssh-server
 	iputils-ping
 	gettext
--- a/mkosi.postinst
+++ b/mkosi.postinst
@ -8,6 +8,9 @@ ssh-keygen -lvf /etc/ssh/ed25519 > /etc/ssh/ed25519.fp

 source /install/install.sh

+chown $sftpgo: /usr/local/bin/sftpgo
+chmod u=rx,g=,o= /usr/local/bin/sftpgo
+
 if [[ $OS = "arch" ]]; then
 	systemctl enable sshd
 	systemctl enable knot
--- a/root/sftpgo.sh
+++ b/root/sftpgo.sh
@ -6,7 +6,10 @@ if [[ $OS = "debian" ]]; then
 	export GO=/usr/lib/go-1.19/bin/go
 fi

-git clone https://github.com/drakkan/sftpgo /root/sftpgo-src
-cd /root/sftpgo-src
+git clone https://github.com/drakkan/sftpgo sftpgo-src
+cd sftpgo-src
 git checkout $(git tag | tail -n 1)
-$GO build -o /usr/local/bin/sftpgo
+cp -r openapi ./internal/bundle/openapi
+cp -r templates ./internal/bundle/templates
+cp -r static ./internal/bundle/static
+$GO build -tags nogcs,nos3,noazblob,nobolt,nomysql,nopgsql,nosqlite,noportable,nometrics,bundle -o /usr/local/bin/sftpgo
--- a/srv/servnest/acme/.gitkeep
+++ b/srv/servnest/acme/.gitkeep
--- a/srv/servnest/ht/.gitkeep
+++ b/srv/servnest/ht/.gitkeep
--- a/srv/servnest/nginx/.gitkeep
+++ b/srv/servnest/nginx/.gitkeep
--- a/srv/servnest/ns/.gitkeep
+++ b/srv/servnest/ns/.gitkeep
--- a/srv/servnest/subdomain/.gitkeep
+++ b/srv/servnest/subdomain/.gitkeep
--- a/srv/servnest/subpath/.gitkeep
+++ b/srv/servnest/subpath/.gitkeep
--- a/srv/servnest/tor-config/.gitkeep
+++ b/srv/servnest/tor-config/.gitkeep
--- a/srv/servnest/tor-keys/.gitkeep
+++ b/srv/servnest/tor-keys/.gitkeep
--- a/var/log/knot/.gitkeep
+++ b/var/log/knot/.gitkeep