Use default Tor instead of instances
This commit is contained in:
parent
1a771c5c4c
commit
8d42174d35
|
@ -1 +1,2 @@
|
||||||
php-niver ALL= NOPASSWD: /usr/bin/systemctl reload nginx,/usr/bin/systemctl reload tor,/usr/bin/systemctl reload tor@niver,/usr/bin/chgrp ^sftpgo /srv/ht/[a-z]{1,128}$,/usr/bin/cat ^/var/lib/tor-instances/niver/keys/[a-z]{1,128}/hostname$
|
php-niver ALL= NOPASSWD: /usr/bin/systemctl reload nginx,/usr/bin/systemctl reload tor,/usr/bin/chgrp ^sftpgo /srv/ht/[a-z]{1,128}$
|
||||||
|
php-niver ALL=(tor) NOPASSWD: /usr/bin/cat ^/var/lib/tor/keys/[a-z]{1,128}/hostname$
|
||||||
|
|
|
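Review bot: The `ALL=(tor)` runas on the new second line and the `reload tor` unit name on the first are the Arch values, and nothing in this file records that the Debian branch of the setup script later rewrites them in place with sed; someone auditing sudoers on a Debian host would otherwise look for a `tor` user and unit that the rewritten file no longer references. A comment at the top of the file would make the contract visible: `# Unit/user names are Arch defaults; the Debian setup step rewrites them to tor@default / debian-tor`. The `^…$` argument patterns are sudoers regular expressions, which need sudo 1.9.10 or newer, and that requirement is worth stating in the same comment, since on an older sudo the file fails to parse and none of its rules apply.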
@ -29,13 +29,11 @@ chown -R php-niver:sftpgo /srv/ht
|
||||||
chmod -R u=rwX,g=rwX,o=rX /srv/ht
|
chmod -R u=rwX,g=rwX,o=rX /srv/ht
|
||||||
|
|
||||||
if [[ $ID = "debian" ]]; then
|
if [[ $ID = "debian" ]]; then
|
||||||
chown -R php-niver:_tor-niver /etc/tor/instances/niver
|
chown -R php-niver:debian-tor /etc/tor
|
||||||
chown -R _tor-niver:_tor-niver /var/lib/tor-instances/niver
|
|
||||||
else
|
else
|
||||||
chown -R php-niver:tor /etc/tor/instances/niver
|
chown -R php-niver:tor /etc/tor
|
||||||
chown -R tor:tor /var/lib/tor-instances/niver
|
|
||||||
fi
|
fi
|
||||||
chmod -R u=rwX,g=rX,o= /etc/tor/instances/niver
|
chmod -R u=rwX,g=rX,o= /etc/tor
|
||||||
|
|
||||||
chmod u=rX,g=rX,o=rX /srv/php
|
chmod u=rX,g=rX,o=rX /srv/php
|
||||||
|
|
||||||
|
@ -44,7 +42,7 @@ chmod -R u=rX,g=rX,o= /srv/php/errors
|
||||||
|
|
||||||
chown -R php-niver:nginx /srv/php/niver
|
chown -R php-niver:nginx /srv/php/niver
|
||||||
chmod -R u=rX,g=rX,o=X /srv/php/niver
|
chmod -R u=rX,g=rX,o=X /srv/php/niver
|
||||||
chmod -R u=rwX,g=,o= /srv/php/niver/db /srv/php/niver/niver.log
|
chmod -R u=rwX,g=,o= /srv/php/niver/db
|
||||||
|
|
||||||
# Load configuration in Knot database
|
# Load configuration in Knot database
|
||||||
sudo -u knot knotc conf-import /etc/knot/knot.conf
|
sudo -u knot knotc conf-import /etc/knot/knot.conf
|
||||||
|
@ -69,22 +67,14 @@ display_errors = On
|
||||||
extension = pdo_sqlite
|
extension = pdo_sqlite
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
# Configure Tor properly
|
# Configure Tor
|
||||||
|
|
||||||
if [[ $ID = "debian" ]]; then
|
if [[ $ID = "debian" ]]; then
|
||||||
cat >> /etc/tor/instances/niver/torrc << EOF
|
sed -i 's/User tor/User debian-tor/' /etc/tor/torrc
|
||||||
User _tor-niver
|
sed -i 's/reload tor/reload tor@default/' /etc/sudoers.d/niver
|
||||||
DataDirectory /var/lib/tor-instances/niver
|
sed -i 's/ALL=(tor)/ALL=(debian-tor)/' /etc/sudoers.d/niver
|
||||||
EOF
|
sed -i 's/tor_service = "tor"/tor_service = "tor@default"/' /srv/php/niver/config.ini
|
||||||
fi
|
sed -i 's/tor_user = "tor"/tor_user = "debian-tor"/' /srv/php/niver/config.ini
|
||||||
|
|
||||||
if [[ $ID = "arch" ]]; then
|
|
||||||
ln -s /etc/tor/instances/niver/torrc /etc/tor/torrc
|
|
||||||
|
|
||||||
cat >> /etc/tor/instances/niver/torrc << EOF
|
|
||||||
User tor
|
|
||||||
DataDirectory /var/lib/tor
|
|
||||||
EOF
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Start SystemD services at startup
|
# Start SystemD services at startup
|
||||||
|
|
|
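Review bot: `chown -R php-niver:debian-tor /etc/tor` in the first hunk (and `chown -R php-niver:tor /etc/tor` in its else branch, matched by the `ReadWritePaths=/etc/tor` drop-in elsewhere in this commit) makes the php-niver account owner of the whole Tor configuration directory, including `/etc/tor/torrc`, where the previous version only handed it `/etc/tor/instances/niver`. If php-niver is the PHP-FPM user, as its name suggests, a compromised web application can now rewrite the daemon's main configuration rather than one instance's, which is a wider grant than the `cat`-only sudoers rule in this commit aims for; if the application only writes to a sub-path, ownership should be limited to that path, otherwise the widening deserves a comment explaining why. In the third hunk the two `sed -i` edits of `/etc/sudoers.d/niver` are unchecked: sed exits 0 when the pattern is absent, and a malformed sudoers.d file can make sudo refuse to run any rule, so add `visudo -cf /etc/sudoers.d/niver || exit 1` after them; the same applies to the two edits of `/srv/php/niver/config.ini`, which should at least be grepped for the expected result.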
@ -13,11 +13,6 @@ if [[ $ID = "arch" ]]; then
|
||||||
rm /etc/php/php-fpm.d/*
|
rm /etc/php/php-fpm.d/*
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Create dedicated Tor instance
|
|
||||||
if [[ $ID = "debian" ]]; then
|
|
||||||
tor-instance-create niver
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Generate default self-signed TLS key pair
|
# Generate default self-signed TLS key pair
|
||||||
openssl req -subj '/' -new -newkey RSA:3072 -days 3650 -nodes -x509 -keyout /etc/ssl/private/niver.key -out /etc/ssl/certs/niver.crt
|
openssl req -subj '/' -new -newkey RSA:3072 -days 3650 -nodes -x509 -keyout /etc/ssl/private/niver.key -out /etc/ssl/certs/niver.crt
|
||||||
|
|
||||||
|
|
|
@ -1,3 +1,3 @@
|
||||||
[Service]
|
[Service]
|
||||||
ReadWritePaths=/etc/nginx/ht
|
ReadWritePaths=/etc/nginx/ht
|
||||||
ReadWritePaths=/etc/tor/instances/niver
|
ReadWritePaths=/etc/tor
|
||||||
|
|
|
@ -1,4 +1,3 @@
|
||||||
[Service]
|
[Service]
|
||||||
ReadWritePaths=/var/lib/tor-instances/niver/
|
|
||||||
# To allow reloading service on Arch Linux
|
# To allow reloading service on Arch Linux
|
||||||
CapabilityBoundingSet=CAP_KILL
|
CapabilityBoundingSet=CAP_KILL
|
||||||
|
|