Move everything in /srv/niver

.gitignore

@@ -3,3 +3,4 @@
 /mkosi.passphrase
 /mkosi.passwd
 /mkosi.skeleton/root/.ssh/authorized_keys
+/mkosi.skeleton/usr/local/bin/sftpgo

mkosi.default

@@ -17,7 +17,6 @@ Packages =
 	nginx
 	php-fpm
 	knot
-	cargo
 	sudo
 	git
 	sqlite3

mkosi.extra/etc/knot/knot.conf

@@ -19,8 +19,8 @@ policy:
     nsec3-iterations: 10
 
 template:
-  - id: "niver"
-    storage: "/srv/ns"
+  - id: "niver-ns"
+    storage: "/srv/niver/ns"
     file: "%s.zone"
     zonefile-load: "difference"
     dnssec-signing: "on"
@@ -28,4 +28,9 @@ template:
 
 zone:
   - domain: "niver.test."
-    template: "niver"
+    storage: "/srv/niver/reg"
+    file: "%s.zone"
+    zonefile-load: "difference"
+    dnssec-signing: "on"
+    dnssec-policy: "niver"
+

mkosi.extra/etc/nginx/inc/errors.conf

@@ -3,7 +3,7 @@ recursive_error_pages on;
 # 403 Forbidden
 error_page 403 @403;
 location @403 {
-	root /srv/php/errors;
+	root /srv/niver/errors;
 	try_files /403.html =500;
 }
 
@@ -13,11 +13,11 @@ location @local404 {
 	try_files /404.html /404.md /404.gmi @niver404;
 }
 location @niver404 {
-	root /srv/php/errors;
+	root /srv/niver/errors;
 	try_files /404.php =500;
 	index /404.php;
 	fastcgi_split_path_info ^(.+\.php)(/.+)$;
-	fastcgi_pass unix:/run/php-fpm/errors.sock;
+	fastcgi_pass unix:/run/php-fpm/niver.sock;
 	include inc/fastcgi.conf;
 	fastcgi_index /404.php;
 }
@@ -25,48 +25,48 @@ location @niver404 {
 # 405 Method Not Allowed
 error_page 405 @405;
 location @405 {
-	root /srv/php/errors;
+	root /srv/niver/errors;
 	try_files /405.html =500;
 }
 
 # 410 Gone
 error_page 410 @410;
 location @410 {
-	root /srv/php/errors;
+	root /srv/niver/errors;
 	try_files /410.html =500;
 }
 
 # 418 I'm a teapot
 error_page 418 @418;
 location @418 {
-	root /srv/php/errors;
+	root /srv/niver/errors;
 	try_files /418.html =500;
 }
 
 # 500 Internal Server Error
 error_page 500 @500;
 location @500 {
-	root /srv/php/errors;
+	root /srv/niver/errors;
 	try_files /500.html =500;
 }
 
 # 502 Bad Gateway
 error_page 502 @502;
 location @502 {
-	root /srv/php/errors;
+	root /srv/niver/errors;
 	try_files /502.html =500;
 }
 
 # 503 Service Unavailable
 error_page 503 @503;
 location @503 {
-	root /srv/php/errors;
+	root /srv/niver/errors;
 	try_files /503.html =500;
 }
 
 # 504 Gateway Timeout
 error_page 504 @504;
 location @504 {
-	root /srv/php/errors;
+	root /srv/niver/errors;
 	try_files /504.html =500;
 }

mkosi.extra/etc/nginx/nginx.conf

@@ -49,7 +49,5 @@ http {
 
 	# Include other configuration
 	include sites/*.conf;
-	include ht/*.conf;
-	include default-server.conf;
-	include http.conf;
+	include /srv/niver/nginx/*.conf;
 }

mkosi.extra/etc/nginx/sites/default-server.conf

@@ -5,16 +5,16 @@ server {
 	ssl_certificate /etc/ssl/certs/niver.crt;
 	ssl_certificate_key /etc/ssl/private/niver.key;
 
-	root /srv/php/errors;
+	root /srv/niver/php/errors;
 	try_files index.php index.html $uri $uri/;
 	index index.php index.html;
 
 	location / {
-		root /srv/php/errors;
+		root /srv/niver/php/errors;
 		try_files /index.php =500;
 		index index.php;
 		fastcgi_split_path_info ^(.+\.php)(/.+)$;
-		fastcgi_pass unix:/run/php-fpm/errors.sock;
+		fastcgi_pass unix:/run/php-fpm/niver.sock;
 		include /etc/nginx/inc/fastcgi.conf;
 	}
 

mkosi.extra/etc/nginx/sites/http.conf

@@ -9,7 +9,7 @@ server {
 	# Display an explanation page
 	error_page 403 @http403;
 	location @http403 {
-		root /srv/php/errors;
+		root /srv/niver/php/errors;
 		try_files /http.php =500;
 		index http.php;
 		fastcgi_split_path_info ^(.+\.php)(/.+)$;
@@ -18,6 +18,6 @@ server {
 	}
 
 	location /.well-known/acme-challenge {
-		alias /srv/acme/;
+		alias /srv/niver/acme/;
 	}
 }

mkosi.extra/etc/nginx/sites/niver.test.conf

@@ -3,7 +3,7 @@ server {
 	listen 127.0.0.1:42443 ssl http2;
 	server_name niver.test;
 
-	root /srv/php/niver/public;
+	root /srv/niver/core/public;
 	index index.php index.html index.htm;
 	try_files $uri $uri/ @extensionless-php;
 

mkosi.extra/etc/nginx/sites/sftpgo-auth.conf

@@ -1,12 +1,12 @@
 server {
 	listen [::1]:8055;
 
-	root /srv/php/niver/;
+	root /srv/niver/core;
 
 	include inc/errors.conf;
 
 	location / {
-		try_files /sftpgo-auth.php =404;
+		try_files /sftpgo-auth.php =500;
 		fastcgi_split_path_info ^(.+\.php)(/.+)$;
 		fastcgi_pass unix:/run/php-fpm/niver.sock;
 		include inc/fastcgi.conf;

mkosi.extra/etc/php/php-fpm.d/errors.conf

@@ -1,27 +0,0 @@
-[errors]
-
-user = php-$pool
-group = php-$pool
-
-listen = /run/php-fpm/$pool.sock
-
-listen.owner = nginx
-listen.group = nginx
-
-pm = dynamic
-pm.max_children = 5
-pm.start_servers = 2
-pm.min_spare_servers = 1
-pm.max_spare_servers = 3
-
-access.log = /var/log/php/$pool-access.log
-
-;chroot = /srv/php/$pool
-chdir = /srv/php/$pool
-
-catch_workers_output = yes
-decorate_workers_output = yes
-
-clear_env = yes
-
-security.limit_extensions = .php

mkosi.extra/etc/php/php-fpm.d/niver.conf

@@ -1,6 +1,6 @@
 [niver]
 
-user = php-$pool
+user = $pool
 group = knot
 
 listen = /run/php-fpm/$pool.sock
@@ -16,8 +16,6 @@ pm.max_spare_servers = 3
 
 access.log = /var/log/php/$pool-access.log
 
-chdir = /srv/php/$pool
-
 catch_workers_output = yes
 decorate_workers_output = yes
 

mkosi.extra/etc/sudoers.d/niver

@@ -1,2 +1,2 @@
-php-niver ALL= NOPASSWD: /usr/bin/systemctl reload nginx,/usr/bin/systemctl reload tor,/usr/bin/chgrp ^sftpgo /srv/ht/[a-z]{1,128} --no-dereference$
-php-niver ALL=(tor) NOPASSWD: /usr/bin/cat ^/var/lib/tor/keys/[a-z]{1,128}/hostname$,/usr/bin/rm ^--recursive /var/lib/tor/keys/[a-z]{1,128}$
+niver ALL= NOPASSWD: /usr/bin/systemctl reload nginx,/usr/bin/systemctl reload tor,/usr/bin/chgrp ^sftpgo /srv/niver/ht/[^[:punct:][:space:][:cntrl:]]{1,128} --no-dereference$
+niver ALL=(tor) NOPASSWD: /usr/bin/cat ^/srv/niver/tor-keys/[^[:punct:][:space:][:cntrl:]]{1,128}/[^[:punct:][:space:][:cntrl:]]{1,128}/hostname$,/usr/bin/mkdir ^--mode=0700 /srv/niver/tor-keys/[^[:punct:][:space:][:cntrl:]]{1,128}$,/usr/bin/rm ^--recursive /srv/niver/tor-keys/[^[:punct:][:space:][:cntrl:]]{1,128}(/[^[:punct:][:space:][:cntrl:]]{1,128})?$

mkosi.extra/etc/tor/torrc

@@ -1,3 +1,8 @@
 User tor
 SocksPort 0
 DataDirectory /var/lib/tor
+
+HiddenServiceNonAnonymousMode 1
+HiddenServiceSingleHopMode 1
+
+%include /srv/niver/tor-config/*

mkosi.postinst

@@ -3,46 +3,47 @@ source /etc/os-release
 
 # Create system users
 useradd -U -r -s /usr/sbin/nologin nginx
-useradd -U -r -s /usr/sbin/nologin php-niver
-useradd -U -r -s /usr/sbin/nologin php-errors
+useradd -U -r -s /usr/sbin/nologin niver
 useradd -U -r -s /usr/sbin/nologin sftpgo
 
 # Set proper permissions
 
 chown -R knot:knot /var/lib/knot/confdb
 chmod -R u=rwX,g=rwX,o= /var/lib/knot/confdb
-usermod -aG knot php-niver
+usermod -aG knot niver
 
 chown -R knot:knot /var/log/knot
-chmod -R 700 /var/log/knot
+chmod -R u=rwX,g=,o= /var/log/knot
 
-chown -R php-niver:knot /srv/ns
-chmod -R 770 /srv/ns
+chown -R niver:knot /srv/niver/ns
+chmod -R u=rwX,g=rwX,o= /srv/niver/ns
+chown -R niver:knot /srv/niver/reg
+chmod -R u=rwX,g=rwX,o= /srv/niver/reg
 
-chown -R php-niver:php-niver /etc/nginx/ht
+chown -R niver:nginx /srv/niver/nginx
+chmod -R u=rwX,g=rX,o= /srv/niver/nginx
 
 chown -R sftpgo:sftpgo /etc/sftpgo
 chmod -R u=rX,g=rX,o=rX /etc/sftpgo
 chmod u=r,g=,o= /etc/sftpgo/ed25519
 
-chown -R php-niver:sftpgo /srv/ht
-chmod -R u=rwX,g=rwX,o=rX /srv/ht
+chown -R niver:sftpgo /srv/niver/ht
+chmod -R u=rwX,g=rwX,o=rX /srv/niver/ht
 
 if [[ $ID = "debian" ]]; then
-	chown -R php-niver:debian-tor /etc/tor
+	chown -R niver:debian-tor /srv/niver/tor-config
+	chown -R debian-tor:debian-tor /srv/niver/tor-keys
 else
-	chown -R php-niver:tor /etc/tor
+	chown -R niver:tor /srv/niver/tor-config
+	chown -R tor:tor /srv/niver/tor-keys
 fi
-chmod -R u=rwX,g=rX,o= /etc/tor
+chmod -R u=rwX,g=rX,o= /srv/niver/tor-config
+chmod -R u=rwX,g=,o= /srv/niver/tor-keys
 
-chmod u=rX,g=rX,o=rX /srv/php
-
-chown -R php-errors:nginx /srv/php/errors
-chmod -R u=rX,g=rX,o= /srv/php/errors
-
-chown -R php-niver:nginx /srv/php/niver
-chmod -R u=rX,g=rX,o=X /srv/php/niver
-chmod -R u=rwX,g=,o= /srv/php/niver/db
+chown -R niver:nginx /srv/niver/core /srv/niver/errors
+chmod -R u=rX,g=rX,o= /srv/niver/core /srv/niver/errors
+chown -R niver:niver /srv/niver/core/db
+chmod -R u=rwX,g=,o= /srv/niver/core/db
 
 # Load configuration in Knot database
 sudo -u knot knotc conf-import /etc/knot/knot.conf
@@ -73,8 +74,8 @@ if [[ $ID = "debian" ]]; then
 	sed -i 's/User tor/User debian-tor/' /etc/tor/torrc
 	sed -i 's/reload tor/reload tor@default/' /etc/sudoers.d/niver
 	sed -i 's/ALL=(tor)/ALL=(debian-tor)/' /etc/sudoers.d/niver
-	sed -i 's/tor_service = "tor"/tor_service = "tor@default"/' /srv/php/niver/config.ini
-	sed -i 's/tor_user = "tor"/tor_user = "debian-tor"/' /srv/php/niver/config.ini
+	sed -i 's/tor_service = "tor"/tor_service = "tor@default"/' /srv/niver/core/config.ini
+	sed -i 's/tor_user = "tor"/tor_user = "debian-tor"/' /srv/niver/core/config.ini
 fi
 
 # Start SystemD services at startup

mkosi.prepare

@@ -27,7 +27,7 @@ fp=($(ssh-keygen -l -f /etc/sftpgo/ed25519))
 echo ${fp[1]} > /etc/sftpgo/ed25519.fp
 ssh-keygen -lv -f /etc/sftpgo/ed25519 | tail -n +2 > /etc/sftpgo/ed25519.asciiart
 # Generate SSHFP record
-echo ht.niver.test. 86400 SSHFP 4 2 $(cut -d ' ' -f 2 /etc/sftpgo/ed25519.pub | base64 -d | sha256sum | cut -d ' ' -f 1) >> /srv/ns/niver.test.zone
+echo ht.niver.test. 86400 SSHFP 4 2 $(cut -d ' ' -f 2 /etc/sftpgo/ed25519.pub | base64 -d | sha256sum | cut -d ' ' -f 1) >> /srv/niver/reg/niver.test.zone
 
 # Create database
-sqlite3 /srv/php/niver/db/niver.db < /srv/php/niver/db/source.sql
+sqlite3 /srv/niver/core/db/niver.db < /srv/niver/core/db/source.sql

mkosi.skeleton/etc/sftpgo/sftpgo.toml

@@ -32,9 +32,10 @@ address = "127.0.0.1"
 
 [data_provider]
 driver = "memory"
-users_base_dir = "/srv/ht"
+users_base_dir = "/srv/niver/ht"
 external_auth_hook = "http://[::1]:8055/sftpgo-auth.php"
 external_auth_scope = 1
+naming_rules = 1
 
 [[httpd.bindings]]
 port = 0

mkosi.skeleton/etc/systemd/system/php-fpm.service.d/override.conf

@@ -1,3 +1,2 @@
 [Service]
-ReadWritePaths=/etc/nginx/ht
-ReadWritePaths=/etc/tor
+ReadWritePaths=/srv/niver

mkosi.skeleton/etc/systemd/system/tor.service.d/override.conf

@@ -1,3 +1,4 @@
 [Service]
+ReadWritePaths=/srv/niver/tor-keys
 # To allow reloading service on Arch Linux
 CapabilityBoundingSet=CAP_KILL

mkosi.skeleton/root/sftpgo.sh

@@ -8,5 +8,5 @@ fi
 
 git clone https://github.com/drakkan/sftpgo /root/sftpgo-src
 cd /root/sftpgo-src
-git checkout v2.2.3
-$GO build -tags nogcs,nos3,noazblob,nobolt,nomysql,nopgsql,noportable,nometrics -o /usr/local/bin/sftpgo
+git checkout v2.3.1
+$GO build -tags nometrics,noazblob,nogcs,nos3,nobolt,nomysql,nopgsql,nosqlite,noportable -o /usr/local/bin/sftpgo

mkosi.skeleton/srv/niver/core

@@ -0,0 +1 @@
+Subproject commit 9fa902f768167ce693cc4bbf15f6e15ab28bf5a3

mkosi.skeleton/srv/niver/reg/niver.test.zone

@@ -4,5 +4,5 @@ niver.test.     10800 A    127.0.0.1
 niver.test.     10800 AAAA ::1
 ns1.niver.test. 10800 A    127.0.0.1
 ns1.niver.test. 10800 AAAA ::1
-ht.niver.test. 10800 A    127.0.0.1
-ht.niver.test. 10800 AAAA ::1
+ht.niver.test.  10800 A    127.0.0.1
+ht.niver.test.  10800 AAAA ::1