diff --git a/etc/knot/knot-primary.conf b/etc/knot/knot-primary.conf
index fbe4709..bf8e7e9 100644
--- a/etc/knot/knot-primary.conf
+++ b/etc/knot/knot-primary.conf
@@ -7,7 +7,7 @@ server:
 listen: [ "2001:db8::1@42053", "203.0.113.1@42053" ]
 log:
- - target: "/var/log/knot/knot.log"
+ - target: "syslog"
 any: "debug"
 database:
@@ -53,4 +53,3 @@ zone:
 - domain: "test.servnest.test."
 template: "servnest"
 storage: "/srv/servnest/reg"
-
diff --git a/etc/knot/knot-secondary.conf b/etc/knot/knot-secondary.conf
index be5cd7e..bbcfdc8 100644
--- a/etc/knot/knot-secondary.conf
+++ b/etc/knot/knot-secondary.conf
@@ -7,7 +7,7 @@ server:
 listen: [ "2001:db8::2@53", "203.0.113.2@53" ]
 log:
- - target: "/var/log/knot/knot.log"
+ - target: "syslog"
 any: "debug"
 database:
@@ -34,4 +34,3 @@ zone:
 master: "primary"
 catalog-role: interpret
 catalog-template: "servnest"
-
diff --git a/install/certbot.sh b/install/certbot.sh
new file mode 100644
index 0000000..d422344
--- /dev/null
+++ b/install/certbot.sh
@@ -0,0 +1,3 @@
+mkdir /srv/servnest/acme
+chown $nginx: /srv/servnest/acme
+chmod u=rX,g=,o= /srv/servnest/acme
diff --git a/install/install.sh b/install/install.sh
index 1f0536a..2ef7a8e 100644
--- a/install/install.sh
+++ b/install/install.sh
@@ -21,4 +21,4 @@ source /install/servnest.sh
 source /install/php.sh
 source /install/nginx.sh
 source /install/sftpgo.sh
-source /install/permissions.sh
+source /install/certbot.sh
diff --git a/install/knot.sh b/install/knot.sh
index 9a217ee..659c925 100644
--- a/install/knot.sh
+++ b/install/knot.sh
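Review bot: The `any: "debug"` level under `log:` is kept while the target moves to `syslog`, so every Knot log category now goes to syslog at debug verbosity on both the primary and the secondary (same hunk in etc/knot/knot-secondary.conf). If that level is only meant for the test deployment, a comment above the `any:` line such as `# debug is for the test setup; use "info" or "warning" on a public instance` would record the intent. Dropping the file target is consistent with the rest of the commit, which also removes the var/log/knot/.gitkeep and the chown of /var/log/knot in the deleted permissions.sh.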
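Review bot: `chown $nginx: /srv/servnest/acme` relies on `$nginx` being set by whatever sources this file; if it is empty the command degrades to `chown :`, which changes nothing and does not fail, so the directory silently stays root-owned. Writing it as `chown "${nginx:?}": /srv/servnest/acme` makes a missing variable abort the build instead. The `u=rX,g=,o=` mode gives nginx read-only access, which presumably matches the sudoers rule that lets certbot (as root) write the challenge files under `--webroot-path /srv/servnest/acme`; a one-line comment stating that certbot, not nginx, writes here would make the read-only mode self-explanatory. Also note `mkdir` is used here without `-p` while install/knot.sh uses `mkdir -p` for /srv/servnest/reg.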
@@ -1,5 +1,19 @@
 #!/usr/bin/bash
-# Load configuration in Knot database
 sudo -u $knot mkdir -p /var/lib/knot/confdb/
+
+# Load configuration in Knot database
 sudo -u $knot knotc conf-import /install/knot.conf
+
+# We need servnest to be allowed to configure Knot
+usermod -aG $knot $servnest # Add user $servnest to group $knot
+chown -R $knot: /var/lib/knot/confdb
+chmod -R u=rwX,g=rwX,o= /var/lib/knot/confdb
+
+mkdir -p /srv/servnest/reg
+chown -R $servnest:$knot /srv/servnest/reg
+chmod -R u=rwX,g=rwX,o= /srv/servnest/reg
+
+mkdir /srv/servnest/ns
+chown -R $servnest:$knot /srv/servnest/ns
+chmod -R u=rwX,g=rwX,o= /srv/servnest/ns
diff --git a/install/nginx.sh b/install/nginx.sh
index 2114a2c..2cb2748 100644
--- a/install/nginx.sh
+++ b/install/nginx.sh
@@ -5,3 +5,7 @@ openssl req -subj '/' -new -newkey RSA:3072 -days 3650 -nodes -x509 -keyout /etc
 rm -r /etc/nginx/*
 cp -r /install/nginx/* /etc/nginx/
+
+mkdir /srv/servnest/nginx /srv/servnest/subpath /srv/servnest/subdomain
+chown $servnest:$nginx /srv/servnest/nginx /srv/servnest/subpath /srv/servnest/subdomain
+chmod u=rwX,g=rX,o= /srv/servnest/nginx /srv/servnest/subpath /srv/servnest/subdomain
diff --git a/install/nginx/nginx.conf b/install/nginx/nginx.conf
index 6764949..4b85a78 100644
--- a/install/nginx/nginx.conf
+++ b/install/nginx/nginx.conf
@@ -1,6 +1,7 @@
 load_module "/usr/lib/nginx/modules/ngx_http_headers_more_filter_module.so";
 worker_processes auto;
 user nginx nginx;
+pcre_jit on;
 events {
 worker_connections 1024;
diff --git a/install/permissions.sh b/install/permissions.sh
deleted file mode 100644
index 283ceb6..0000000
--- a/install/permissions.sh
+++ /dev/null
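Review bot: `chmod -R u=rwX,g=rwX,o= /var/lib/knot/confdb` combined with `usermod -aG $knot $servnest` gives the `servnest` account write access to Knot's configuration database itself, not just to the zone directories under /srv/servnest; install/php-fpm.conf in this same commit runs the PHP pool as `user = servnest` with `group = knot`, so every PHP worker carries that access. That is the stated intent (`# We need servnest to be allowed to configure Knot`), but the comment should spell out the consequence — a compromised PHP worker can rewrite the DNS server's configuration — so the trust boundary is visible to the next reader; whether write access to the confdb is actually needed or whether the control socket alone would do, I cannot tell from this hunk. Two smaller points: `mkdir -p /srv/servnest/reg` versus `mkdir /srv/servnest/ns` should use the same form, and `$knot`/`$servnest` are unquoted and unchecked, so an unset variable makes `chown -R :` a silent no-op.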
@@ -1,35 +0,0 @@
-#!/usr/bin/bash
-
-# We need servnest to be allowed to configure Knot
-usermod -aG $knot $servnest # Add user servnest to group knot
-chown -R $knot: /var/lib/knot/confdb
-chmod -R u=rwX,g=rwX,o= /var/lib/knot/confdb
-
-chown -R $knot: /var/log/knot
-chmod -R u=rwX,g=,o= /var/log/knot
-
-chown -R $servnest:$knot /srv/servnest/ns
-chmod -R u=rwX,g=rwX,o= /srv/servnest/ns
-chown -R $servnest:$knot /srv/servnest/reg
-chmod -R u=rwX,g=rwX,o= /srv/servnest/reg
-
-chown -R $servnest:$nginx /srv/servnest/nginx /srv/servnest/subpath /srv/servnest/subdomain
-chmod -R u=rwX,g=rX,o= /srv/servnest/nginx /srv/servnest/subpath /srv/servnest/subdomain
-
-usermod -aG $sftpgo $servnest
-chown -R $nginx:$sftpgo /srv/servnest/ht
-chmod -R u=rX,g=rwX,o= /srv/servnest/ht
-
-chown -R $sftpgo: /etc/sftpgo
-chmod -R u=rX,g=rX,o= /etc/sftpgo
-chmod u=r,g=,o= /etc/sftpgo/ed25519
-
-chown -R $servnest:$tor /srv/servnest/tor-config
-chmod -R u=rwX,g=rX,o= /srv/servnest/tor-config
-chown -R $tor: /srv/servnest/tor-keys
-chmod -R u=rwX,g=,o= /srv/servnest/tor-keys
-
-chown -R $servnest:$nginx /srv/servnest/core /srv/servnest/errors
-chmod -R u=rX,g=rX,o= /srv/servnest/core /srv/servnest/errors
-chown -R $servnest: /srv/servnest/core/db
-chmod -R u=rwX,g=,o= /srv/servnest/core/db
diff --git a/install/php-fpm.conf b/install/php-fpm.conf
index f4412f8..4e33eae 100644
--- a/install/php-fpm.conf
+++ b/install/php-fpm.conf
@@ -2,13 +2,13 @@
 [servnest]
-user = $pool
+user = servnest
 group = knot
-listen = /run/php-fpm/$pool.sock
-
+listen = /run/php-fpm/servnest.sock
 listen.owner = nginx
 listen.group = nginx
+listen.mode = 0600
 pm = dynamic
 pm.max_children = 5
@@ -16,7 +16,7 @@ pm.start_servers = 2
 pm.min_spare_servers = 1
 pm.max_spare_servers = 3
-access.log = /var/log/php/$pool-access.log
+access.log = /var/log/php/servnest-access.log
 catch_workers_output = yes
 decorate_workers_output = yes
diff --git a/install/php.ini b/install/php.ini
index 81d5615..d413c3c 100644
--- a/install/php.ini
+++ b/install/php.ini
@@ -6,9 +6,3 @@ extension = gettext
 expose_php = Off
 zend_extension = opcache
 opcache.jit_buffer_size = 32M
-
-output_buffering = 4096
-short_open_tag = Off
-
-; Set this to Off for a public setup
-display_errors = On
diff --git a/install/php.sh b/install/php.sh
index 10c0ac4..486c6e2 100644
--- a/install/php.sh
+++ b/install/php.sh
@@ -11,7 +11,7 @@ if [[ $OS = "debian" ]]; then
 export PHP_INI=/etc/php/8.2/fpm/php.ini
 fi
-cp /install/php.ini $PHP_INI
+cat /install/php.ini >> $PHP_INI
 # For systemd
 mkdir /etc/systemd/system/php-fpm.service.d
diff --git a/install/servnest.sh b/install/servnest.sh
index f1ea8ff..aa09434 100644
--- a/install/servnest.sh
+++ b/install/servnest.sh
@@ -7,3 +7,8 @@ sqlite3 /srv/servnest/core/db/servnest.db <<< "UPDATE params SET value = '$(open
 # Create translation Machine Objects files
 msgfmt /srv/servnest/core/locales/fr/C/LC_MESSAGES/messages.po -o /srv/servnest/core/locales/fr/C/LC_MESSAGES/messages.mo
+
+chown -R $servnest:$nginx /srv/servnest/core
+chmod -R u=rX,g=rX,o= /srv/servnest/core
+chown -R $servnest: /srv/servnest/core/db
+chmod -R u=rwX,g=,o= /srv/servnest/core/db
diff --git a/install/sftpgo.sh b/install/sftpgo.sh
index 5071a05..408b378 100644
--- a/install/sftpgo.sh
+++ b/install/sftpgo.sh
@@ -1,7 +1,5 @@
 #!/usr/bin/bash
-chmod +x /usr/local/bin/sftpgo
-
 mkdir /etc/sftpgo
 # Generate SFTPGo key pair
@@ -16,6 +14,16 @@ echo ht.servnest.test. 86400 SSHFP 4 2 $(cut -d ' ' -f 2 /etc/sftpgo/ed25519.pub
 cp /install/sftpgo.toml /etc/sftpgo/
 touch /etc/sftpgo/banner.txt
+usermod -aG $sftpgo $servnest # Add user servnest to group sftpgo
+
+chown -R $sftpgo: /etc/sftpgo
+chmod -R u=rX,g=rX,o= /etc/sftpgo
+chmod u=r,g=,o= /etc/sftpgo/ed25519
+
+mkdir /srv/servnest/ht
+chown -R $nginx:$sftpgo /srv/servnest/ht
+chmod -R u=rX,g=rwX,o= /srv/servnest/ht
+
 # For systemd
 cp /install/sftpgo.service /etc/systemd/system/
 systemctl enable sftpgo
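Review bot: Removing `display_errors = On` (and its `; Set this to Off for a public setup` note) at the same time as install/php.sh switches from `cp` to `cat /install/php.ini >> $PHP_INI` means display_errors now takes whatever the distribution's php.ini sets, and nothing in this file says so; as far as I know PHP keeps the last occurrence of a duplicated directive, so the lines that remain here do override the distro values, but every key not listed silently inherits the distro default. A header comment such as `; Appended to the distribution php.ini by install/php.sh; directives not set here (display_errors among them) keep the distro default` would tell the next reader where the effective value comes from and why the explicit setting disappeared.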
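Review bot: `cat /install/php.ini >> $PHP_INI` appends on every run, so executing the installer twice duplicates the whole block, and `$PHP_INI` is unquoted. For a one-shot image build this is harmless, but guarding the append on a marker comment placed at the top of /install/php.ini (e.g. `grep -qF '<marker comment>' "$PHP_INI" || cat /install/php.ini >> "$PHP_INI"`) keeps the step idempotent and quotes the path. The enclosing `if [[ $OS = "debian" ]]` block starts before this hunk.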
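Review bot: The deleted install/permissions.sh applied `chown -R $servnest:$nginx` and `chmod -R u=rX,g=rX,o=` to both `/srv/servnest/core` and `/srv/servnest/errors`, but the lines added here cover only `/srv/servnest/core`, so `/srv/servnest/errors` now keeps whatever ownership and mode the image copy gave it. Unless that directory was dropped on purpose, the two lines should read `chown -R $servnest:$nginx /srv/servnest/core /srv/servnest/errors` and `chmod -R u=rX,g=rX,o= /srv/servnest/core /srv/servnest/errors`. The `sqlite3 ... <<< "UPDATE params ..."` line in the hunk header is cut off, so I cannot see whether anything before the chown still needs write access to /srv/servnest/core outside core/db.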
diff --git a/install/sudoers b/install/sudoers
index 5af1e96..eb04b8a 100644
--- a/install/sudoers
+++ b/install/sudoers
@@ -3,7 +3,7 @@ servnest ALL=(root) NOPASSWD: /usr/bin/systemctl reload tor
 servnest ALL=(root) NOPASSWD: /usr/bin/chgrp ^sftpgo /srv/servnest/ht/[0-9a-f]{64} --no-dereference$
 servnest ALL=(root) NOPASSWD: /usr/bin/certbot ^certonly( --test-cert)? --key-type rsa --rsa-key-size 3072 --webroot --webroot-path /srv/servnest/acme --domain ([a-z0-9_-]{1,63}\.){1,126}[a-z0-9]{1,63}$
 servnest ALL=(root) NOPASSWD: /usr/bin/certbot ^delete --quiet --cert-name ([a-z0-9_-]{1,63}\.){1,126}[a-z0-9]{1,63}$
-servnest ALL=(sftpgo) NOPASSWD: /usr/bin/rm ^--recursive /srv/servnest/ht/[0-9a-f]{64}$
 servnest ALL=(tor) NOPASSWD: /usr/bin/cat ^/srv/servnest/tor-keys/[0-9a-f]{64}/[a-zA-Z0-9_-]{1,64}/hostname$
 servnest ALL=(tor) NOPASSWD: /usr/bin/mkdir ^--mode=0700 /srv/servnest/tor-keys/[0-9a-f]{64}$
 servnest ALL=(tor) NOPASSWD: /usr/bin/rm ^--recursive /srv/servnest/tor-keys/[0-9a-f]{64}(/[a-zA-Z0-9_-]{1,64})?$
+servnest ALL=(sftpgo) NOPASSWD: /usr/bin/rm ^--recursive /srv/servnest/ht/[0-9a-f]{64}$
diff --git a/install/tor.sh b/install/tor.sh
index bdee66a..4323953 100644
--- a/install/tor.sh
+++ b/install/tor.sh
@@ -1,6 +1,15 @@
 rm -r /etc/tor/*
 cp /install/torrc /etc/tor/
+mkdir /srv/servnest/tor-config
+chown -R $servnest:$tor /srv/servnest/tor-config
+chmod -R u=rwX,g=rX,o= /srv/servnest/tor-config
+
+mkdir /srv/servnest/tor-keys
+chown -R $tor: /srv/servnest/tor-keys
+chmod -R u=rwX,g=,o= /srv/servnest/tor-keys
+
+# For systemd
 mkdir /etc/systemd/system/tor.service.d
 cp /install/tor.service.override.conf /etc/systemd/system/tor.service.d/
diff --git a/mkosi.default.d/debian/mkosi.default b/mkosi.default.d/debian/mkosi.default
index 5bcbd9f..b6b2e89 100644
--- a/mkosi.default.d/debian/mkosi.default
+++ b/mkosi.default.d/debian/mkosi.default
@@ -13,7 +13,7 @@ Packages =
 python3-certbot-nginx
 knot-dnsutils
 php-sqlite3
- golang-1.18
+ golang-1.19
 openssh-server
 iputils-ping
 gettext
diff --git a/mkosi.postinst b/mkosi.postinst
index 26a4b22..5b64edb 100755
--- a/mkosi.postinst
+++ b/mkosi.postinst
@@ -8,6 +8,9 @@ ssh-keygen -lvf /etc/ssh/ed25519 > /etc/ssh/ed25519.fp
 source /install/install.sh
+chown $sftpgo: /usr/local/bin/sftpgo
+chmod u=rx,g=,o= /usr/local/bin/sftpgo
+
 if [[ $OS = "arch" ]]; then
 systemctl enable sshd
 systemctl enable knot
diff --git a/root/sftpgo.sh b/root/sftpgo.sh
index 0b38e3e..5a20279 100644
--- a/root/sftpgo.sh
+++ b/root/sftpgo.sh
@@ -6,7 +6,10 @@ if [[ $OS = "debian" ]]; then
 export GO=/usr/lib/go-1.19/bin/go
 fi
-git clone https://github.com/drakkan/sftpgo /root/sftpgo-src
-cd /root/sftpgo-src
+git clone https://github.com/drakkan/sftpgo sftpgo-src
+cd sftpgo-src
 git checkout $(git tag | tail -n 1)
-$GO build -o /usr/local/bin/sftpgo
+cp -r openapi ./internal/bundle/openapi
+cp -r templates ./internal/bundle/templates
+cp -r static ./internal/bundle/static
+$GO build -tags nogcs,nos3,noazblob,nobolt,nomysql,nopgsql,nosqlite,noportable,nometrics,bundle -o /usr/local/bin/sftpgo
diff --git a/srv/servnest/acme/.gitkeep b/srv/servnest/acme/.gitkeep
deleted file mode 100644
index e69de29..0000000
diff --git a/srv/servnest/ht/.gitkeep b/srv/servnest/ht/.gitkeep
deleted file mode 100644
index e69de29..0000000
diff --git a/srv/servnest/nginx/.gitkeep b/srv/servnest/nginx/.gitkeep
deleted file mode 100644
index e69de29..0000000
diff --git a/srv/servnest/ns/.gitkeep b/srv/servnest/ns/.gitkeep
deleted file mode 100644
index e69de29..0000000
diff --git a/srv/servnest/subdomain/.gitkeep b/srv/servnest/subdomain/.gitkeep
deleted file mode 100644
index e69de29..0000000
diff --git a/srv/servnest/subpath/.gitkeep b/srv/servnest/subpath/.gitkeep
deleted file mode 100644
index e69de29..0000000
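Review bot: `chown $sftpgo: /usr/local/bin/sftpgo` makes the service account the owner of the executable it runs as; the `u=rx` mode that follows does not prevent that, because a file's owner can always change its mode and rewrite the contents, so the restriction can be undone from inside the sftpgo process. The conventional least-privilege form keeps the binary root-owned and grants execute through the group: `chown root:$sftpgo /usr/local/bin/sftpgo` and `chmod u=rwx,g=rx,o= /usr/local/bin/sftpgo`. That also preserves the intent of the removed `chmod +x` in install/sftpgo.sh without giving the service write access to itself.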
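Review bot: The revision that gets built is still `$(git tag | tail -n 1)`, which is the lexically last tag (`git tag` sorts by name, so e.g. a 2.9 tag sorts after 2.10) and is neither pinned nor verified, so the image contains whatever the remote serves at build time; pinning an explicit tag or commit recorded in the script, `git checkout <pinned-tag-or-commit>`, makes the build reproducible and auditable, and if "newest release" is really what is wanted, `git tag --sort=version:refname | tail -n 1` at least orders by version. The clone target also changed from the absolute `/root/sftpgo-src` to the relative `sftpgo-src`, so the result now depends on the working directory of whoever runs root/sftpgo.sh — a comment stating the expected cwd, or restoring an absolute path, would avoid surprises. The new `-tags` list disables the bolt, mysql, pgsql and sqlite providers, so presumably sftpgo.toml has to select a provider that is still compiled in; worth confirming against that file.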
diff --git a/srv/servnest/tor-config/.gitkeep b/srv/servnest/tor-config/.gitkeep
deleted file mode 100644
index e69de29..0000000
diff --git a/srv/servnest/tor-keys/.gitkeep b/srv/servnest/tor-keys/.gitkeep
deleted file mode 100644
index e69de29..0000000
diff --git a/var/log/knot/.gitkeep b/var/log/knot/.gitkeep
deleted file mode 100644
index e69de29..0000000