Old Arch Linux system
commit d0e18be3d1
@ -0,0 +1,3 @@
# Niver configuration

This repository contains configuration files required by Niver or it's dependencies.
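
Review bot: typo in the one-line description, `it's dependencies` should be `its dependencies`.
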
@ -0,0 +1,37 @@
# Niver

## Features

### Web interface

* Login/register using a pseudo/password set
* Pages are lower than 10 KiB
* No JavaScript, no images, and CSS are optionnal
* Dark and light themes
* Free service running libre software

### Hypertext

* SFTP access
* HTTP and Gemini
* IPv4 and IPv6
* TLS 1.2 & 1.3
* DNS and Onion v3 (through Tor) access
* HTTP/1.1 and HTTP/2
* Let's Encrypt certificates for HTTP
* All HTTP security headers

### Nameserver

* DNSSEC (with NSEC3)
* NS, A, AAAA, TXT, and CAA records

### Registry

* Glue record
* DNSSEC delegation with any modern cypher

## Missing features

* No internationalized domain name support (you can only use a small subset of ASCII in your domain name)
* No BIND-style plaintext configuration (you need to fill a form for every record you add or remove)
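
Review bot: `All HTTP security headers` is too vague for a security claim; list the headers the `security.conf` in this commit actually sets (Content-Security-Policy, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Strict-Transport-Security, ...) or drop `All`. `TLS 1.2 & 1.3` only holds for the user sites: the Niver front end itself includes `modern.conf`, which is `ssl_protocols TLSv1.3;` only, so say which applies where. Spelling: `optionnal` → `optional`, `cypher` → `cipher`; `Pages are lower than 10 KiB` reads better as `smaller than 10 KiB`.
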
@ -0,0 +1,2 @@
To generate a key/certificate pair with ed25519 expiring in 10 years
`openssl req -subj '/CN=domain' -new -newkey ED25519 -days 3650 -nodes -x509 -keyout domain.key -out domain.crt`
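
Review bot: an Ed25519 certificate is not accepted by browsers or public CAs, so this pair is only usable in self-signed, trust-on-first-use contexts such as Gemini; say so, and say where it is meant to be installed, because the gmnisrv setup later in this commit gives the server its own `[:tls] store=` directory in which it generates certificates itself. `/CN=domain` is a placeholder and should be marked as one; `-nodes` leaves the private key unencrypted on disk, which is expected for a daemon key but deserves a `chmod 600 domain.key` right after the command.
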
@ -0,0 +1,53 @@
# gmnisrv installation

```
# pacman -S make git pkgconf openssl scdoc
$ git clone https://git.sr.ht/~sircmpwn/gmnisrv # Download gmnisrv sources
$ mkdir gmnisrv/build
$ cd gmnisrv/build
$ ../configure --prefix=/usr # Check gmnisrv dependencies and setup files needed for building
$ make # Build gmnisrv
# make install # Install gmnisrv binary and manpages on the system
# useradd -U -r -s /usr/bin/nologin gmnisrv # Add the gmnisrv system user and group
# vim /etc/systemd/system/gmnisrv.service
```

```
[Unit]
Description=A Gemini server
After=network.target
Wants=network.target

[Service]
Type=simple
ExecStart=/usr/local/bin/gmnisrv
ExecStop=
#Restart=on-failure
User=gmnisrv
Group=gmnisrv
WorkingDirectory=/srv/ht

[Install]
WantedBy=multi-user.target
```
```
# systemctl daemon-reload
# mkdir -p /srv/gemini/niver.atope.art
# echo "This is a testing Gemini capsule" > /srv/gemini/niver.atope.art/index.gmi
# mkdir /var/local/gmnisrv
# chmod -R 700 /var/local/gmnisrv
# chown -R gmnisrv:gmnisrv /var/local/gmnisrv
# vim /usr/local/etc/gmnisrv.ini
```

```
# Space-separated list of hosts
listen=0.0.0.0:1965 [::]:1965

[:tls]
# Path to store certificates on disk
store=/var/local/gmnisrv

[niver.atope.art]
root=/srv/gemini/niver.atope.art
```
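
Review bot: the install prefix and the paths used afterwards disagree. `../configure --prefix=/usr` makes `make install` place the binary in `/usr/bin/gmnisrv`, but the unit has `ExecStart=/usr/local/bin/gmnisrv`, so the service will fail to start; and this page edits `/usr/local/etc/gmnisrv.ini` while the Debian page in the same commit, with the same `--prefix=/usr`, edits `/etc/gmnisrv.ini`, so at least one of the two config paths is wrong. Either drop `--prefix=/usr` or fix the two paths, in both pages. In the unit, the empty `ExecStop=` is a no-op and can go, `Restart=on-failure` is commented out while the Debian unit uses `Restart=always`, and `WorkingDirectory=/srv/ht` is the SFTP users' tree rather than the capsule root, so point it at `/srv/gemini` or omit it. Since the daemon already runs as a dedicated user, this is also the place to add systemd hardening (`NoNewPrivileges=yes`, `ProtectSystem=strict`, `ProtectHome=yes`, `PrivateTmp=yes`, `ReadWritePaths=/var/local/gmnisrv`), which costs nothing for a static file server.
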
@ -0,0 +1,30 @@
# Niver system installation

Niver will use and need specific configuration for

* Knot DNS
* OpenSSH
* Nginx
* Tor
* Gmnisrv
* PHP-FPM

To do root-level actions, Niver will also use a privileged binary, written in Rust, called Maniver.

Niver has been deployed on the following distributions :

* Debian 10, using Nginx 1.14.2 and OpenSSH 7.9p1, and latest available version of Tor, Knot and gmnisrv using their official release channel.
* Arch Linux

To provide all features:

`# pacman -S tor knot openssh sudo nginx nginx-mod-headers-more certbot certbot-nginx php-fpm php-sqlite`

Some tools you might find usefull to manage a server:

`# pacman -S vnstat htop nload ufw vim man-db curl screen`

[Gemini](gemini.md)
[Maniver](maniver.md)
[OpenSSH](openssh.md)
[Nginx](nginx.md)
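
Review bot: the sentence on Maniver is the one privilege boundary of the whole design (an unprivileged PHP pool calling a root binary through `sudo`), yet `sudo` appears in the package list without explanation; say here that it is installed only for that rule, and link the sudoers line from the Niver-PHP page. The Debian 10 bullet pins Nginx 1.14.2 and OpenSSH 7.9p1 while a Debian 11 guide is added in the same commit; mark Debian 10 as historical or update it. Minor: `usefull` → `useful`, and `distributions :` has a stray space before the colon.
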
@ -0,0 +1,8 @@
# Knot setup

```
# systemctl stop knot
# sudo -u knot knotc conf-import /usr/local/share/niver/knot.conf
# systemctl restart knot
# systemctl enable knot
```
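
Review bot: `knotc conf-import` replaces the entire configuration database, so an operator who already has zones in Knot loses them; state that before the command. Stopping the daemon first is correct (the import refuses to run against a live server). `/usr/local/share/niver/knot.conf` is referenced only here; the Debian page uses `<path to default niver knot conf>`, so point both at the same path. Note also that the imported `knot.conf` in this commit logs at `debug` level to `/var/log/knot.log`; see the comment on that file.
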
@ -0,0 +1,23 @@
# Maniver

## Installation

```
# pacman -S rustup git
$ rustup default stable
$ git clone https://code.antopie.org/miraty/maniver-dev
$ cd maniver-dev
$ cargo build --release
# cp ./target/release/maniver /usr/local/bin/
```

## Update

```
$ rustup update
$ cd maniver-dev
$ cargo update
$ git pull
$ cargo build --release
# cp ./target/release/maniver /usr/local/bin/
```
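
Review bot: in Update, `cargo update` runs before `git pull`, so Cargo.lock is first rewritten to the newest crate versions the registry offers and then merged with whatever upstream pinned; for a binary that is executed as root through sudo this throws away the supply-chain pin the lockfile exists to provide. Suggest `git pull` first, then `cargo build --release --locked`, and run `cargo update` only as a deliberate step. The Arch install also copies the binary with default permissions, whereas the Debian page in this commit adds `chown root:php-niver` and `chmod 750` so only the intended user can execute it; do the same here, and mention that the two pages clone different repositories (`miraty/maniver-dev` here, `Niver/maniver` on the Debian page).
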
@ -0,0 +1,7 @@
# Nginx configuration setup

Use the configuration provided.

Niver require the module *Headers More*.

On Arch Linux, install it with `pacman -Syu nginx-mod-headers-more`.
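
Review bot: `Niver require` → `Niver requires`. `pacman -Syu <pkg>` performs a full system upgrade as a side effect; `pacman -S nginx-mod-headers-more` matches the other install lines, and the module is already in the package list on the system installation page, so this line can simply refer to it.
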
@ -0,0 +1,30 @@

# Niver-PHP setup

Use pools configurations provided along this documentation.

To hide PHP presence, set in php.ini:
`expose_php = Off`

```
# useradd -U -r -s /usr/bin/nologin php-niver
# useradd -U -r -s /usr/bin/nologin php-errors
```

## Permission to manage system things as root

Once you've [set up Maniver](maniver.md):
```
# EDITOR=vim visudo
php-niver ALL=(root) NOPASSWD: /usr/local/bin/maniver
```

## Permission to manage Knot

To add knot as an additional group for user php-niver: `# usermod -aG knot php-niver`

New method:
```
# chmod -R 770 /var/lib/knot
# chown -R php-niver:knot /var/lib/knot
```
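
Review bot: the `New method` hands the web application's user ownership of all of `/var/lib/knot` (`chown -R php-niver:knot`, mode 770). With the `knot.conf` in this commit that directory is also the Knot `database` storage, which holds the DNSSEC keystore next to the zones, so a code-execution bug in the PHP front end yields the zone-signing keys of every hosted zone. Limit the grant to `/var/lib/knot/zones` (the template's `storage`), or route zone writes through Maniver like the other root actions, and keep the keystore `knot:knot` 700. The sudoers rule `php-niver ALL=(root) NOPASSWD: /usr/local/bin/maniver` allows any arguments, so it is exactly as safe as Maniver's own argument validation; state that requirement next to it. `pools configurations` → `pool configurations`.
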
@ -0,0 +1,33 @@
### SFTP setup

```
# groupadd ht
# echo "Ce compte n'est accessible qu'en SFTP, pas en SSH.
This account is only available over SFTP, not over SSH." > /etc/nologin.txt
# ssh-keygen -q -N "" -t ed25519 -f /etc/ssh/keys/ed25519
# ssh-keygen -q -N "" -t rsa -b 3072 -f /etc/ssh/keys/rsa-3072
# awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.safe
# mv /etc/ssh/moduli.safe /etc/ssh/moduli
```

To get the ASCII art and SHA-256 fingerprints:
```
# ssh-keygen -vlf /etc/ssh/keys/ed25519.pub
# ssh-keygen -vlf /etc/ssh/keys/rsa-3072.pub
```

To generate SSHFP records:
```
# ssh-keygen -r sftp.niver.4.niv.re -f /etc/ssh/ed25519.pub
# ssh-keygen -r sftp.niver.4.niv.re -f /etc/ssh/rsa-3072.pub
```
Don't use the first record, which is SHA-1, use the second, which is SHA-256.
`SSHFP <pkey-algorithm> <hash-algorithm> <fingerprint>`
For `pkey-algorithm`:
* `1` means RSA
* `2` means DSA (must not be used)
* `3` means ECDSA (should not be used)
* `4` means Ed25519
For `hash-algorithm`:
* `1` means SHA-1 (must not be used)
* `2` means SHA-256
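
Review bot: path mismatch in the SSHFP commands: the keys are generated under `/etc/ssh/keys/`, but `ssh-keygen -r` is pointed at `/etc/ssh/ed25519.pub` and `/etc/ssh/rsa-3072.pub`, which do not exist. `ssh-keygen -f /etc/ssh/keys/...` also does not create the `keys` directory, so add `mkdir -m 700 /etc/ssh/keys` before the two key generations. The moduli filter (`$5 >= 3071`) is sound in itself, but the `sshd_config` in this commit offers only `curve25519-sha256` and the fixed `group16`/`group18` exchanges, so no `diffie-hellman-group-exchange-*` method ever reads `/etc/ssh/moduli`; either drop the two moduli lines or say they only matter if group exchange is enabled. The advice to publish only the SHA-256 SSHFP records is correct; SSHFP is only trusted by clients when the zone is DNSSEC-signed and `VerifyHostKeyDNS` is set, which is worth one sentence.
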
@ -0,0 +1,16 @@
# Quota setup

```
# pacman -S quota-tool
# dd if=/dev/zero of=/srv/ht.img count=4194304 # count is the size in octet
# mkfs.ext4 /srv/ht.img
# mkdir /srv/ht
# mount /srv/ht.img /srv/ht
```

```
# quotacheck -gcum /
# quotaon -v /
```

UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx / ext4 rw,relatime,usrquota,grpquota 0 1
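
Review bot: `dd ... count=4194304` without `bs=` writes 4194304 blocks of 512 bytes, i.e. 2 GiB, so the comment `count is the size in octet` is wrong; use `bs=1M count=2048` (or `fallocate -l 2G /srv/ht.img`, which is instantaneous) and state the intended size. The quota commands and the fstab line target `/`, but the user data lives on the image mounted at `/srv/ht`; quotas have to be enabled on that mount (`quotacheck -cug /srv/ht`, `quotaon /srv/ht`, plus an fstab entry for `/srv/ht.img` with `loop,usrquota,grpquota`), otherwise the SFTP users are unlimited and the image only caps their total. The Arch package is `quota-tools`, not `quota-tool`.
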
@ -0,0 +1,144 @@
# Niver setup on Debian 11 (bullseye)

```
# apt install tor knot openssh-server sudo nginx certbot python3-certbot-nginx php7.4-fpm php-sqlite3 quota
```

## Create system users

```
# useradd -U -r -s /usr/sbin/nologin <username>
```

## Twins

```
$ wget https://golang.org/dl/go1.16.7.linux-amd64.tar.gz -o go.tar.gz
$ tar -xf go.tar.gz
$ go/bin/go get code.rocketnine.space/tslocum/twins
$ cp go/bin/twins /usr/local/bin/
```

## maniver

Installation
```
# apt install gcc git
$ git clone https://code.antopie.org/Niver/maniver && cd maniver
$ curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
$ cargo build --release
# cp target/release/maniver /usr/local/bin/
# chown root:php-niver /usr/local/bin/maniver
# chmod 750 /usr/local/bin/maniver
```

Update
```
$ git fetch
$ rustup update
$ cargo update
$ cargo build --release
# cp target/release/maniver /usr/local/bin/
```

## gmnisrv

```
# apt install git make pkg-config libssl-dev scdoc
$ git clone https://git.sr.ht/~sircmpwn/gmnisrv # Download gmnisrv sources
$ mkdir gmnisrv/build
$ cd gmnisrv/build
$ ../configure --prefix=/usr # Check gmnisrv dependencies and setup files needed for building
$ make # Build gmnisrv
# make install # Install gmnisrv binary and manpages on the system
# useradd -U -r -s /usr/sbin/nologin gmnisrv # Add the gmnisrv system user and group
# vim /etc/systemd/system/gmnisrv.service
```

```
[Unit]
Description=Gmnisrv, a Gemini server
After=network.target
Wants=network.target

[Service]
Type=simple
ExecStart=/usr/local/bin/gmnisrv
Restart=always
User=gmnisrv
Group=gmnisrv
WorkingDirectory=/srv/ht

[Install]
WantedBy=multi-user.target
```
```
# systemctl daemon-reload
# mkdir -p /srv/gmi/niver.4.niv.re
# echo "This is a testing Gemini capsule" > /srv/gmi/niver.4.niv.re/index.gmi
# mkdir /var/lib/gemini
# chmod -R 700 /var/lib/gemini
# chown -R gmnisrv:gmnisrv /var/lib/gemini
# vim /etc/gmnisrv.ini
```

```
# Space-separated list of hosts
listen=0.0.0.0:1965 [::]:1965

[:tls]
# Path to store certificates on disk
store=/var/lib/gemini

[niver.4.niv.re]
root=/srv/gmi/niver.4.niv.re
```


## SFTP

```
# groupadd ht
```

## Quota

```
# quotacheck -cm /
# vim /etc/fstab
```

UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx / ext4 usrquota,grpquota,errors=remount-ro 0 1

## Knot DNS

```
# sudo -u knot knotc conf-init
# sudo -u knot knotc conf-import <path to default niver knot conf>
```

## Nginx

Generate a self-signed certificate for default Nginx site.
```
# openssl req -subj '/' -new -newkey RSA:3072 -days 3650 -nodes -x509 -keyout /etc/ssl/private/niver.key -out /etc/ssl/certs/niver.crt
```

## Niver-PHP

```
# chown -R root:root /usr/local/share/niver
# chmod -R u=rwX,go=rX /usr/local/share/niver
# mkdir /etc/nginx/ht
# chown -R php-niver:php-niver /etc/nginx/ht
# chmod -R 775 /etc/nginx/ht
```

Increase `session.gc_maxlifetime` in /etc/php/7.4/fpm/php.ini to avoid sessions being cleared too soon.

## Tor

This command only exist on Debian
```
# tor-instance-create niver
```
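
Review bot: several commands do not do what the surrounding text implies. In Twins, `wget ... -o go.tar.gz` writes the *log* to go.tar.gz (`-O` saves the download), nothing checks the SHA-256 that golang.org publishes next to the tarball, and `go get` builds whatever the module path resolves to at that moment with no pinned version; in maniver, `curl ... | sh` pipes the rustup installer straight into a shell on the host that will later run the result as root through sudo (download, inspect, then run), and the Update block's `git fetch` never updates the working tree (`git pull` does) while `cargo update` discards the lockfile pin, as noted on the Arch Maniver page. In Niver-PHP, `/etc/nginx/ht` is made writable by `php-niver` (owner, mode 775); if that directory is where Niver drops the per-domain server blocks generated from the `hyper.conf` template and Nginx includes it, then every file the PHP user can write is parsed by the root master process as Nginx configuration (arbitrary `root`/`alias` paths, any header), so keep the directory root-owned and let Maniver write into it, or at least use 755 with a dedicated group. Minor: `This command only exist` → `only exists`; the gmnisrv `--prefix=/usr` vs `ExecStart=/usr/local/bin/gmnisrv` mismatch from the Arch page recurs here; and `/usr/sbin/nologin` is the correct Debian path, unlike the Arch pages' `/usr/bin/nologin`, so the two `useradd` lines should not be copied between distributions.
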
@ -0,0 +1,27 @@
server:
rundir: "/run/knot"
user: "knot:knot"
listen: [ "0.0.0.0@53", "::@53" ]

log:
- target: "/var/log/knot.log"
any: "debug"

database:
storage: "/var/lib/knot"

policy:
- id: "niver"
algorithm: "ed25519"
nsec3: "on"

template:
- id: "niver"
storage: "/var/lib/knot/zones"
file: "%s.zone"
dnssec-signing: "on"
dnssec-policy: "niver"

zone:
- domain: "niv.re."
template: "niver"
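
Review bot: `any: "debug"` logs every module at debug level to `/var/log/knot.log`; on an authoritative server that also signs zones this is very verbose and records query details that are not needed in production, so use `info` here and raise it only while debugging, and make sure the file is rotated. `database.storage: /var/lib/knot` places the DNSSEC keystore in the same tree that the Niver-PHP page chowns to `php-niver` with mode 770; see the comment there. `algorithm: ed25519` with `nsec3: on` is a good default, but the README's `DNSSEC delegation with any modern cypher` promise concerns what the registry accepts in DS records, which this policy does not govern; keep the two claims separate in the docs.
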
@ -0,0 +1,8 @@
-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
-----END DH PARAMETERS-----
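
Review bot: these are the RFC 7919 `ffdhe2048` parameters, which is the right choice: a well-known, audited 2048-bit group is needed because `intermediate.conf` in this commit still offers `DHE-RSA-*` suites, and publishing the group is not a weakness (it is what TLS 1.3 clients negotiate by name anyway). Add a one-line comment in the Nginx page saying that this file is the `/etc/nginx/dhparam` referenced by `ssl_dhparam`, since the commit does not show the filename.
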
@ -0,0 +1,71 @@
recursive_error_pages on;
return 404;
# 403 Forbidden
error_page 403 @403;
location @403 {
root /srv/http/errors;
try_files /403.html =500;
}

# 404 Not Found
error_page 404 @local404;
location @local404 {
try_files /404.html /404.md /404.gmi @niver404;
}
location @niver404 {
root /srv/http/errors;
try_files /404.php =500;
index 404.php;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php-fpm/errors.sock;
include inc/fastcgi.conf;
}

# 405 Method Not Allowed
error_page 405 @405;
location @405 {
root /srv/http/errors;
try_files /405.html =500;
}

# 410 Gone
error_page 410 @410;
location @410 {
root /srv/http/errors;
try_files /410.html =500;
}

# 418 I'm a teapot
error_page 418 @418;
location @418 {
root /srv/http/errors;
try_files /418.html =500;
}

# 500 Internal Server Error
error_page 500 @500;
location @500 {
root /srv/http/errors;
try_files /500.html =500;
}

# 502 Bad Gateway
error_page 502 @502;
location @502 {
root /srv/http/errors;
try_files /502.html =500;
}

# 503 Service Unavailable
error_page 503 @503;
location @503 {
root /srv/http/errors;
try_files /503.html =500;
}

# 504 Gateway Timeout
error_page 504 @504;
location @504 {
root /srv/http/errors;
try_files /504.html =500;
}
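
Review bot: `return 404;` on line 2 is a server-context rewrite-phase directive; when this file is included at server level, as `sites/niver.conf` in this commit does, it executes before location matching for every request, so the whole site answers 404 (rendered through `@local404`). If the intent is a catch-all for paths that match no location, use `location / { return 404; }` or rely on the `=404` in `try_files`; please confirm against a running instance. Second, with `recursive_error_pages on`, the `=500` fallback inside `@500` re-enters `error_page 500 @500` whenever `500.html` is missing; Nginx aborts the cycle at its internal-redirect limit, but each error becomes a loop, so put `recursive_error_pages off;` inside `@500` or give it a `return 500;` fallback. Third, `@niver404` passes the request to the `errors` pool with `root /srv/http/errors` fixed; that is what keeps the FastCGI path from ever leaving the errors directory, so keep `root` and `try_files /404.php` together if the block is ever refactored.
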
@ -0,0 +1,26 @@

fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;

fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param REQUEST_SCHEME $scheme;
fastcgi_param HTTPS $https if_not_empty;

fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;

fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;

# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;
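
Review bot: the callers (`sites/niver.conf` and `@niver404` in `errors.conf`) run `fastcgi_split_path_info`, but this file never passes `PATH_INFO $fastcgi_path_info`, so the split is a no-op and `SCRIPT_FILENAME` is built from `$fastcgi_script_name` alone. That is actually the safe combination (together with `try_files $uri =404` in the PHP location and `security.limit_extensions = .php` in the pools, a `cgi.fix_pathinfo` trick cannot make PHP execute an uploaded non-.php file), so either remove the `fastcgi_split_path_info` lines or add a comment saying PATH_INFO is deliberately not forwarded. `SERVER_SOFTWARE nginx/$nginx_version` only reaches PHP, not the client, given `server_tokens off` and `more_clear_headers Server` elsewhere in the commit, so it is harmless.
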
@ -0,0 +1,5 @@
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_dhparam /etc/nginx/dhparam;

include inc/security.conf;
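
Review bot: this is the Mozilla "intermediate" cipher list, and with `ssl_prefer_server_ciphers off` in `security.conf` the client's preference wins, which is what that profile intends; say so in a comment so nobody "fixes" it later. The two `DHE-RSA-*` suites are the only reason `ssl_dhparam` is needed; if no client without ECDHE support has to be served, dropping them also removes the 2048-bit DH handshake cost and the dhparam file.
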
@ -0,0 +1,3 @@
ssl_protocols TLSv1.3;

include inc/security.conf;
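
Review bot: `TLSv1.3` only for the Niver front end (this file is what `sites/niver.conf` includes) contradicts the README in the same commit, which advertises `TLS 1.2 & 1.3`, and excludes any client whose TLS stack predates TLS 1.3; either document the front end as TLS 1.3-only or include `intermediate.conf` there as the user sites do.
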
@ -0,0 +1 @@
more_set_headers "Content-Security-Policy : default-src 'self'; object-src 'none';";
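
Review bot: `default-src 'self'; object-src 'none'` is a reasonable baseline, but it is missing `base-uri 'none'`, `form-action 'self'` and `frame-ancestors 'none'` (the last duplicates `X-Frame-Options: DENY` for CSP-aware browsers); without them an injected `<base>` or a retargeted form is not blocked. Note also that `sites/niver.conf` sets its own, stricter CSP with `more_set_headers`, so state which include is meant for which server block.
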
@ -0,0 +1,24 @@
more_set_headers "X-Content-Type-Options : nosniff";
more_set_headers "X-XSS-Protection : 1; mode=block";
more_set_headers "X-Download-Options : noopen";
more_set_headers "X-Permitted-Cross-Domain-Policies : none";
more_set_headers "X-Frame-Options : DENY";
more_set_headers "Referrer-Policy : no-referrer";
more_set_headers "Strict-Transport-Security : max-age=94608000; includeSubDomains; preload";
#more_set_headers "Server : nginx Niver";

more_clear_headers Server;

ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_prefer_server_ciphers off;
ssl_stapling on;
ssl_stapling_verify on;

ssl_certificate /etc/letsencrypt/live/niver.atope.art/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/niver.atope.art/privkey.pem;

autoindex off;

gzip off;
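
Review bot: `ssl_stapling on` needs a `resolver` directive to look up the OCSP responder host, and `nginx.conf` in this commit sets none, so Nginx will log `no resolver defined to resolve ...` and never staple; add `resolver` (a local unbound/knot-resolver, given the privacy posture of the project). `Strict-Transport-Security ... includeSubDomains; preload` is inherited by every server block because `nginx.conf` includes this file in the `http` context, which includes the users' own domains from `hyper.conf`; `preload` is a one-way commitment the operator would be making on their behalf, so keep HSTS with `preload` in the niver.atope.art block only and leave it out of the shared include. `X-XSS-Protection: 1; mode=block` is deprecated and introduced side channels in the browsers that implemented it; set it to `0` or drop it, the CSP does the work. `gzip off` is the right BREACH mitigation for the dynamic pages. Finally, every `more_set_headers` line has a space before the colon (`"X-Frame-Options : DENY"`); verify with `curl -sI` that headers-more trims it, otherwise clients receive a malformed header name and ignore the whole header.
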
File diff suppressed because it is too large

@ -0,0 +1,39 @@
types {
text/plain txt;
text/gemini gmi;
text/markdown md;
text/html html;
text/css css;
text/xml xml;
text/csv csv;
text/javascript js;

application/xhtml+xml xhtml;
application/atom+xml atom;
application/rss+xml rss;

application/json json;
application/gzip gz;
application/zip zip;
application/epub+zip epub;
application/pdf pdf;

font/woff woff;
font/woff2 woff2;

image/png png;
image/tiff tif tiff;
image/gif gif;
image/jpeg jpeg jpg;
image/svg+xml svg svgz;
image/webp webp;

audio/mpeg mp3;
audio/ogg ogg oga opus spx;
audio/webm weba;
audio/flac flac;

video/webm webm;
video/mp4 mp4;
video/ogg ogv;
}
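
Review bot: `text/html html` omits `htm`, while `sites/niver.conf` lists `index.htm` as an index file, so such a file would be served as `application/octet-stream` (or `text/plain` on the user sites); add `htm` or drop it from `index`. `image/svg+xml svg svgz` is only correct if `.svgz` is sent with `Content-Encoding: gzip`, which nothing here adds (`gzip_static` only serves `.gz` siblings of an existing file), so browsers receive raw gzip bytes; drop `svgz` or add a location that sets the encoding. Since this map is the only thing deciding whether a user upload in the SFTP tree is rendered as active content, keep it as strict as it is and note that `html`, `xhtml` and `svg` are the extensions that can carry script; the `X-Content-Type-Options: nosniff` header in `security.conf` is what stops browsers from promoting anything else.
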
@ -0,0 +1,27 @@
load_module "/usr/lib/nginx/modules/ngx_http_headers_more_filter_module.so";
worker_processes auto;

events {}
http {
include mimetypes/strict.conf;
default_type application/octet-stream;

#types_hash_bucket_size 128; # Default: 64
#types_hash_max_size 1024; # Default: 1024

sendfile on;
#tcp_nopush on;

gzip_static on;

include sites/*.conf;
include inc/security.conf;

server_tokens off;

#map $http_accept_language $lang {
# default en;
# ~en en;
# ~fr fr;
#}
}
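
Review bot: `include inc/security.conf` in the `http` context makes its `ssl_certificate` for niver.atope.art, the HSTS `preload` header, `autoindex off` and `gzip off` the default for every server block, including the user domains from `hyper.conf`, which then override only the certificate; the HSTS scope problem is raised on `security.conf`, and the http-level `ssl_certificate` is redundant with the per-site includes, so consider splitting the file into header settings (shared) and TLS settings (per site). No `resolver` is defined here although `ssl_stapling on` is set in the include. `events {}` leaves `worker_connections` at its default of 512, which is fine for this size of deployment but worth a comment. `gzip off` together with `gzip_static on` is the right BREACH-safe combination: static pre-compressed files only, no compression of dynamic PHP responses.
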
@ -0,0 +1,31 @@
server {
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
server_name niver.atope.art;

root /srv/http/ni
index index.php index.html index.htm;
try_files $uri $uri/ @extensionless-php; # $uri.html
index index.php;

include inc/modern.conf;
include inc/errors.conf;

error_log /var/log/nginx/niver.atope.art-error.log;
access_log /var/log/nginx/niver.atope.art-access.log;

more_set_headers "Content-Security-Policy : default-src 'none'; style-src 'self';";

location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php-fpm/niver.sock;
#fastcgi_index index.php;
include inc/fastcgi.conf;
try_files $uri =404;
}

location @extensionless-php {
rewrite ^(.*)$ $1.php last;
}

}
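
Review bot: `index` is set twice (`index index.php index.html index.htm;` and then `index index.php;`); the second one wins and silently drops the HTML index files, so delete one. `include inc/errors.conf` at server level pulls in that file's top-level `return 404;` (see the comment there), which would make every request on this vhost a 404. The CSP `default-src 'none'; style-src 'self'` matches the README's no-JavaScript/no-images claim; add `base-uri 'none'; form-action 'self'; frame-ancestors 'none'` so the login form cannot be retargeted if an injection is ever found. `try_files $uri =404` inside `location ~ \.php$` is the important line: together with `security.limit_extensions` in the pool it prevents PHP from executing anything that is not an existing `.php` file, so keep it even though it sits after `fastcgi_pass`. There is no `listen 80` block for niver.atope.art, unlike `hyper.conf`, so plain-HTTP visitors are never redirected to HTTPS.
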
@ -0,0 +1,27 @@
[errors]

user = php-$pool
group = php-$pool

listen = /run/php-fpm/$pool.sock

listen.owner = http
listen.group = http

pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3

access.log = /var/log/php/$pool-access.log

chdir = /srv/http/$pool
;chroot = /srv/http/$pool

catch_workers_output = yes
decorate_workers_output = yes

clear_env = yes

security.limit_extensions = .php
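
Review bot: `listen.owner`/`listen.group = http` is the Arch Nginx user; on the Debian 11 setup added in this commit Nginx runs as `www-data`, so these pools need a per-distribution value or the Debian page must say to edit them. `chroot` is left commented out and only `chdir` is set, so nothing but the Unix user boundary (`php-errors` vs `php-niver`) keeps the error-page pool away from the Niver application's files; either enable the chroot, set `php_admin_value[open_basedir]` for the pool, or state explicitly that the separate users are the isolation boundary. `clear_env = yes`, `catch_workers_output` and `security.limit_extensions = .php` are the right defaults.
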
@ -0,0 +1,26 @@
[niver]

user = php-$pool
group = knot

listen = /run/php-fpm/$pool.sock

listen.owner = http
listen.group = http

pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3

access.log = /var/log/php/$pool-access.log

chdir = /srv/http/$pool

catch_workers_output = yes
decorate_workers_output = yes

clear_env = yes

security.limit_extensions = .php
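
Review bot: `group = knot` runs the whole Niver front end with Knot's group, and together with the `chmod -R 770 /var/lib/knot` from the Niver-PHP page that gives PHP write access to all of Knot's state, including the DNSSEC keystore; see that comment, and prefer a narrower grant on the zones directory only. `clear_env = yes` is correct but it also empties `PATH`, so any `exec()` of Maniver from PHP must use absolute paths (`/usr/bin/sudo /usr/local/bin/maniver ...`), and the sudoers rule only matches when the command path is exactly `/usr/local/bin/maniver`; that is worth a sentence in the docs. Same `listen.owner = http` Debian mismatch as the errors pool.
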
@ -0,0 +1 @@
SFTP Access for Niver users
@ -0,0 +1,2 @@
DOMAIN 3600 SOA ns1.atope.art. hostmaster.antopie.org. 1 21600 7200 3628800 3600
DOMAIN 86400 NS ns1.atope.art.
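
Review bot: the template delegates every zone to a single nameserver, `ns1.atope.art.`; RFC 2182 recommends at least two on separate networks, and with one host every hosted domain, including the zone that carries `ns1` itself, goes dark together. The serial starts at `1` on every new zone; since the web application rewrites the zone file rather than using dynamic updates, say how the serial is bumped on each change (Knot's `serial-policy` for signed zones, or the application incrementing it), otherwise a future secondary will never transfer. The SOA refresh/retry/expire values (21600/7200/3628800) are sane; note that without a second NS they have no effect yet.
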
@ -0,0 +1,27 @@
server {
listen 80;
listen [::]:80;
server_name DOMAIN;
return 301 https://DOMAIN$request_uri;
}

server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name DOMAIN;
root /srv/hyper/USER/hyper/DIR;

ssl_certificate /etc/letsencrypt/live/host.atope.art/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/host.atope.art/privkey.pem;

access_log /var/log/nginx/DOMAIN-access.log;
error_log /var/log/nginx/DOMAIN-error.log;

include /etc/nginx/inc/intermediate.conf.inc;

default_type text/plain;

location / {
try_files $uri $uri.html $uri/ =404;
}
}
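
Review bot: the document root is written over SFTP by the site owner, and `internal-sftp` lets users create symlinks, so a user can link any file the Nginx worker can read (`/etc/passwd`, another user's site, the niver.atope.art sources) into their tree and publish it; add `disable_symlinks if_not_owner from=$document_root;` here and in the onion template. `ssl_certificate /etc/letsencrypt/live/host.atope.art/...` is shared by every user domain, so the handshake for DOMAIN only succeeds once DOMAIN has been added as a SAN to that single certificate; document the certbot expansion step and what happens to the `return 301` redirect before issuance. `root /srv/hyper/USER/hyper/DIR` does not match the home-directory notice in this commit, which tells users to upload into `ht/`. `default_type text/plain` together with the strict type map is a good choice for unknown uploads.
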
@ -0,0 +1,9 @@
server {
listen [::1]:80;
server_name DOMAIN;
root /srv/hyper/USER/hyper/DIR;

location / {
try_files $uri $uri.html $uri/ =404;
}
}
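
Review bot: this onion vhost serves the same user tree as the TLS template but without its `default_type text/plain`, so unknown extensions fall back to `application/octet-stream`, and it has the same symlink exposure raised on `hyper.conf`; put the shared `root`, `default_type`, `disable_symlinks` and `location /` in one include used by both. `listen [::1]:80` assumes `HiddenServicePort 80 [::1]:80` in the torrc of the `niver` Tor instance created on the Debian page, which this commit does not show; reference it, and consider sending `Onion-Location` from the clearnet block so Tor Browser users are offered the onion address.
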
@ -0,0 +1,5 @@
Ceci est le dossier personnel des utilisataires de Niver.
Vous pouvez téléverser votre site dans un sous-dossier d'ht/.

This is the personnal directory for Niver users.
You can upload your site into a subdirectory of ht/.
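
Review bot: spelling: `utilisataires` → `utilisateurs`, `personnal` → `personal`. The notice tells users to upload into a subdirectory of `ht/`, while the Nginx templates in this commit serve `/srv/hyper/USER/hyper/DIR`; align the directory name (`ht` vs `hyper`) so the instructions match what is actually published. Uploading into a subdirectory is also what the `ChrootDirectory %h` in `sshd_config` forces (the home itself must be root-owned and not writable by the user), so one line saying "you cannot write directly into your home directory" would spare support questions.
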
@ -0,0 +1,88 @@
# Potiron

LogLevel INFO # The possible values are: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.
#VersionAddendum Niver
AllowGroups root ht
Subsystem sftp /usr/lib/ssh/sftp-server

## Network

AddressFamily any
ListenAddress 0.0.0.0
ListenAddress ::
Port 22

## Cryptography

HostKey /etc/ssh/keys/ed25519
HostKey /etc/ssh/keys/rsa-3072

Ciphers chacha20-poly1305@openssh.com,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr
HostKeyAlgorithms ssh-ed25519,rsa-sha2-256,rsa-sha2-512
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com

## Sessions

PermitRootLogin prohibit-password
StrictModes yes
MaxAuthTries 6
MaxSessions 1
MaxStartups 3:20:200
LoginGraceTime 3m
PrintMotd yes

## Disable everything

PermitTTY no
PermitTunnel no

AllowTcpForwarding no
X11Forwarding no
AllowAgentForwarding no
AllowStreamLocalForwarding no
DisableForwarding yes # Disables all forwarding features, including X11, ssh-agent(1), TCP and StreamLocal.

PermitUserRC no
PermitUserEnvironment no
IgnoreRhosts yes
AuthorizedKeysFile none

AuthenticationMethods none
PubkeyAuthentication no
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no

UsePAM no

## Enable usefull features

### Administrator access
Match Group root

#### Authentication
PubkeyAuthentication yes
AuthenticationMethods publickey
AuthorizedKeysFile .ssh/authorized_keys

#### Allow the use of a terminal
PermitTTY yes

### SFTP access
Match Group ht

#### Authentication
PasswordAuthentication yes
AuthenticationMethods password
#AuthorizedKeysFile keys

#### Chroot to the home directory
ChrootDirectory %h # %h is home directory, %u is username

#### Only SFTP can be used
ForceCommand internal-sftp

#### Print a message before login
Banner /usr/local/share/niver/banner.txt
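
Review bot: `sshd` does not accept trailing `#` comments on directive lines, so `LogLevel INFO # ...`, `DisableForwarding yes # ...` and `ChrootDirectory %h # ...` are rejected with `garbage at end of line` and the daemon will not start; move those comments onto their own lines and run `sshd -t` before deploying. `ChrootDirectory %h` requires every home directory to be owned by root and not group- or world-writable, which is exactly why users can only write into a subdirectory; add the `chown root:root` / `chmod 755` step to the SFTP page so the account creation in Niver gets it right. The `ht` group authenticates by password (`AuthenticationMethods password`) with `UsePAM no`, so apart from `MaxAuthTries 6` per connection and `MaxStartups 3:20:200` nothing throttles online guessing (no faillock, no account expiry); pair this with fail2ban or sshguard, or promote the commented `AuthorizedKeysFile keys` to a real option. The deny-by-default block (`AuthenticationMethods none`, `AuthorizedKeysFile none`, all methods off) is a sound pattern that the two `Match` blocks then re-open; give it a comment saying so, and confirm with `sshd -T` that your OpenSSH version accepts `AuthenticationMethods none` as a global value. With `AllowGroups root ht` plus `Match Group root` and `PermitRootLogin prohibit-password`, key-based root login is enabled; say whether that is intended or whether an admin account with sudo is preferred. Minor: `usefull` → `useful`, and `Subsystem sftp /usr/lib/ssh/sftp-server` is shadowed for `ht` users by `ForceCommand internal-sftp`, which is fine but worth a comment.
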