diff --git a/config/knot.conf b/config/knot.conf
deleted file mode 100755
index 69abfbd..0000000
--- a/config/knot.conf
+++ /dev/null
@@ -1,27 +0,0 @@
-server:
- rundir: "/run/knot"
- user: "knot:knot"
- listen: [ "0.0.0.0@53", "::@53" ]
-
-log:
- - target: "/var/log/knot.log"
- any: "debug"
-
-database:
- storage: "/var/lib/knot"
-
-policy:
- - id: "niver"
- algorithm: "ed25519"
- nsec3: "on"
-
-template:
- - id: "niver"
- storage: "/var/lib/knot/zones"
- file: "%s.zone"
- dnssec-signing: "on"
- dnssec-policy: "niver"
-
-zone:
- - domain: "niv.re."
- template: "niver"
diff --git a/config/knot/primary.conf b/config/knot/primary.conf
new file mode 100644
index 0000000..ae16bc8
--- /dev/null
+++ b/config/knot/primary.conf
@@ -0,0 +1,48 @@
+server:
+ version: "Knot DNS"
+ nsid: "Potiron"
+ rundir: "/run/knot"
+ user: "knot:knot"
+ listen: [ "2a01:e0a:15c:2e40:acab:3:3:3@53", "0.0.0.0@53" ]
+
+log:
+ - target: "/var/log/knot.log"
+ any: "debug"
+
+database:
+ storage: "/var/lib/knot"
+
+key:
+ - id: "potironframboise."
+ algorithm: "hmac-sha512"
+ secret: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+
+remote:
+ - id: "Framboise"
+ address: [ "2a0b:cbc0:1103:2::106f@53", "45.13.104.169@53" ]
+ key: "potironframboise."
+
+acl:
+ - id: "FramboiseTrans"
+ address: [ "2a0b:cbc0:1103:2::106f", "45.13.104.169" ]
+ key: "potironframboise."
+ action: "transfer"
+
+policy:
+ - id: "niver"
+ algorithm: "ed25519"
+ nsec3: "on"
+
+template:
+ - id: "niver"
+ storage: "/var/lib/knot/zones"
+ file: "%s.zone"
+ notify: "Framboise"
+ acl: "FramboiseTrans"
+ zonefile-load: "difference"
+ dnssec-signing: "on"
+ dnssec-policy: "niver"
+
+zone:
+ - domain: "niv.re."
+ template: "niver"
diff --git a/config/knot/secondary.conf b/config/knot/secondary.conf
new file mode 100644
index 0000000..e2d0fd6
--- /dev/null
+++ b/config/knot/secondary.conf
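Review bot: The TSIG `secret:` in the new `key:` block is a run of `x` placeholders and nothing in the hunk says how the real value is provisioned; an hmac-sha512 key should be 64 random bytes produced with `keymgr -t potironframboise. hmac-sha512` and kept out of the repository (an `include:` of a root-only file), otherwise a copy of this config ships a guessable transfer key. `log: any: "debug"` on an Internet-facing authoritative server is far more verbose than needed and will grow `/var/log/knot.log` quickly; `info` is the usual production level. `zonefile-load: "difference"` next to `dnssec-signing: "on"` also deserves a comment: if the web application edits the zone file without raising the SOA serial, Knot refuses the load under `difference`, and `difference-no-serial` is the documented option for externally edited, Knot-signed zones — worth confirming against the deployed Knot version.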
@@ -0,0 +1,40 @@
+server:
+ version: "Knot DNS"
+ nsid: "Framboise"
+ rundir: "/run/knot"
+ user: "knot:knot"
+ listen: [ "2a0b:cbc0:1103:2::106f@53", "0.0.0.0@53" ]
+
+log:
+ - target: "/var/log/knot.log"
+ any: "debug"
+
+database:
+ storage: "/var/lib/knot"
+
+key:
+ - id: "potironframboise."
+ algorithm: "hmac-sha512"
+ secret: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+
+remote:
+ - id: "Potiron"
+ address: [ "2a01:e0a:15c:2e40:acab:3:3:3@53", "82.66.61.19@53" ]
+ key: "potironframboise."
+
+acl:
+ - id: "PotironNotif"
+ address: [ "2a01:e0a:15c:2e40:acab:3:3:3", "82.66.61.19" ]
+ key: "potironframboise."
+ action: "notify"
+
+template:
+ - id: "niver"
+ storage: "/var/lib/knot/zones"
+ file: "%s.zone"
+ master: "Potiron"
+ acl: "PotironNotif"
+
+zone:
+ - domain: "niv.re."
+ template: "niver"
diff --git a/config/nginx/default-server.conf b/config/nginx/default-server.conf
new file mode 100644
index 0000000..8590608
--- /dev/null
+++ b/config/nginx/default-server.conf
@@ -0,0 +1,29 @@
+server {
+ listen 443 ssl http2 default_server;
+ listen [::]:443 ssl http2 default_server;
+
+ ssl_certificate /etc/ssl/certs/niver.crt;
+ ssl_certificate_key /etc/ssl/private/niver.key;
+ ssl_stapling off;
+
+ root /var/www/errors;
+ try_files index.php index.html $uri $uri/;
+ index index.php index.html;
+
+ location / {
+ root /var/www/errors;
+ try_files /index.php =500;
+ index index.php;
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ fastcgi_pass unix:/var/run/php/errors.sock;
+ include /etc/nginx/inc/fastcgi.conf;
+ }
+
+ include /etc/nginx/inc/tls.conf;
+ include /etc/nginx/inc/errors.conf;
+
+ error_log /var/log/nginx/default-server-error.log info;
+ access_log /var/log/nginx/default-server-access.log;
+
+ more_set_headers "Content-Security-Policy : default-src 'none'; frame-ancestors 'none';";
+}
diff --git a/config/nginx/dhparam b/config/nginx/dhparam
deleted file mode 100755
index 088f967..0000000
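Review bot: The catch-all server declared on the new `listen 443 ssl http2 default_server` lines hands every request for an unknown or absent SNI name to php-fpm (`location /` with `try_files /index.php =500` and `fastcgi_pass unix:/var/run/php/errors.sock`), so hostname-less scans and mistyped vhosts still execute PHP. A catch-all should do as little as possible: serve a static page, or on nginx 1.19.4 and later refuse the handshake without presenting a certificate with `ssl_reject_handshake on;`, which also removes the need for the `niver.crt` pair here. The server-level `try_files index.php index.html $uri $uri/;` is dead configuration because `location /` redefines `try_files` and matches every URI; drop it so the intent stays clear. `ssl_stapling off;` duplicates the commented-out stapling lines in `inc/security.conf`; one place should own that decision, with a comment on why stapling is disabled for this certificate.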
--- a/config/nginx/dhparam +++ /dev/null @@ -1,8 +0,0 @@ ------BEGIN DH PARAMETERS----- -MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz -+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a -87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7 -YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi -7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD -ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg== ------END DH PARAMETERS----- \ No newline at end of file diff --git a/config/nginx/http.conf b/config/nginx/http.conf new file mode 100644 index 0000000..33ae2cc --- /dev/null +++ b/config/nginx/http.conf @@ -0,0 +1,20 @@ +server { + listen 80 default_server; + listen [::]:80 default_server; + + return 400; # Don't allow unsecure HTTP requests + + # Display an explanation page + error_page 400 @http400; + location @http400 { + root /var/www/errors; + try_files /http.php =500; + index http.php; + fastcgi_split_path_info ^(.+\.php)(/.+)$; + fastcgi_pass unix:/var/run/php/errors.sock; + include inc/fastcgi.conf; + } + + error_log /var/log/nginx/http-error.log info; + access_log /var/log/nginx/http-access.log; +} diff --git a/config/nginx/inc/errors.conf b/config/nginx/inc/errors.conf old mode 100755 new mode 100644 index 91e1893..1dc8dd9 --- a/config/nginx/inc/errors.conf +++ b/config/nginx/inc/errors.conf @@ -1,9 +1,9 @@ recursive_error_pages on; -return 404; + # 403 Forbidden error_page 403 @403; location @403 { - root /srv/http/errors; + root /var/www/errors; try_files /403.html =500; } 
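Review bot: The plaintext listener in the new `server { listen 80 default_server; ... }` refuses requests with `return 400` but then renders the explanation through php-fpm (`fastcgi_pass unix:/var/run/php/errors.sock` inside `location @http400`), so every unauthenticated request on port 80 still reaches PHP; a static file via `try_files /http.html =500;` keeps the unencrypted surface to nginx alone. `400 Bad Request` also tells clients their request was malformed, whereas `426 Upgrade Required` is the status defined for "use TLS" if a redirect is deliberately avoided. The `include inc/fastcgi.conf;` here is relative while `default-server.conf` in the same commit uses the absolute `/etc/nginx/inc/fastcgi.conf`; both resolve to the same file only when nginx's prefix is `/etc/nginx`, so pick one form.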
@@ -13,59 +13,60 @@ location @local404 { try_files /404.html /404.md /404.gmi @niver404; } location @niver404 { - root /srv/http/errors; + root /var/www/errors; try_files /404.php =500; - index 404.php; + index /404.php; fastcgi_split_path_info ^(.+\.php)(/.+)$; - fastcgi_pass unix:/var/run/php-fpm/errors.sock; + fastcgi_pass unix:/var/run/php/errors.sock; include inc/fastcgi.conf; + fastcgi_index /404.php; } # 405 Method Not Allowed error_page 405 @405; location @405 { - root /srv/http/errors; + root /var/www/errors; try_files /405.html =500; } # 410 Gone error_page 410 @410; location @410 { - root /srv/http/errors; + root /var/www/errors; try_files /410.html =500; } # 418 I'm a teapot error_page 418 @418; location @418 { - root /srv/http/errors; + root /var/www/errors; try_files /418.html =500; } # 500 Internal Server Error error_page 500 @500; location @500 { - root /srv/http/errors; + root /var/www/errors; try_files /500.html =500; } # 502 Bad Gateway error_page 502 @502; location @502 { - root /srv/http/errors; + root /var/www/errors; try_files /502.html =500; } # 503 Service Unavailable error_page 503 @503; location @503 { - root /srv/http/errors; + root /var/www/errors; try_files /503.html =500; } # 504 Gateway Timeout error_page 504 @504; location @504 { - root /srv/http/errors; + root /var/www/errors; try_files /504.html =500; } diff --git a/config/nginx/inc/fastcgi.conf b/config/nginx/inc/fastcgi.conf old mode 100755 new mode 100644 diff --git a/config/nginx/inc/ffdhe3072.pem b/config/nginx/inc/ffdhe3072.pem new file mode 100644 index 0000000..fb31ccd --- /dev/null +++ b/config/nginx/inc/ffdhe3072.pem 
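Review bot: `index /404.php;` and the added `fastcgi_index /404.php;` in `location @niver404` never take effect: `try_files /404.php =500;` sets the URI to `/404.php` before the FastCGI pass, so `$fastcgi_script_name` is already complete, and if `fastcgi_index` ever did apply its leading slash would produce a `SCRIPT_FILENAME` ending in `//404.php`. Keep the location as `try_files` plus `fastcgi_pass`/`include inc/fastcgi.conf` and drop the two index lines, or write `fastcgi_index 404.php;` if it is meant as a guard. The hunk's first context lines belong to `location @local404`, whose opening brace is above the hunk.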
@@ -0,0 +1,11 @@ +-----BEGIN DH PARAMETERS----- +MIIBiAKCAYEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz ++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a +87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7 +YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi +7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD +ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3 +7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32 +nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZsYu +N///////////AgEC +-----END DH PARAMETERS----- diff --git a/config/nginx/inc/ffdhe4096.pem b/config/nginx/inc/ffdhe4096.pem new file mode 100644 index 0000000..3cf0fcb --- /dev/null +++ b/config/nginx/inc/ffdhe4096.pem @@ -0,0 +1,13 @@ +-----BEGIN DH PARAMETERS----- +MIICCAKCAgEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz ++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a +87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7 +YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi +7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD +ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3 +7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32 +nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZp4e +8W5vUsMWTfT7eTDp5OWIV7asfV9C1p9tGHdjzx1VA0AEh/VbpX4xzHpxNciG77Qx +iu1qHgEtnmgyqQdgCpGBMMRtx3j5ca0AOAkpmaMzy4t6Gh25PXFAADwqTs6p+Y0K +zAqCkc3OyX3Pjsm1Wn+IpGtNtahR9EGC4caKAH5eZV9q//////////8CAQI= +-----END DH PARAMETERS----- diff --git a/config/nginx/inc/intermediate.conf b/config/nginx/inc/intermediate.conf deleted file mode 100755 index 28cff96..0000000 --- a/config/nginx/inc/intermediate.conf +++ /dev/null 
@@ -1,5 +0,0 @@ -ssl_protocols TLSv1.2 TLSv1.3; -ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; -ssl_dhparam /etc/nginx/dhparam; - -include inc/security.conf; diff --git a/config/nginx/inc/niver-csp.conf b/config/nginx/inc/niver-csp.conf old mode 100755 new mode 100644 diff --git a/config/nginx/inc/security.conf b/config/nginx/inc/security.conf old mode 100755 new mode 100644 index f4e4e5d..5d7ef92 --- a/config/nginx/inc/security.conf +++ b/config/nginx/inc/security.conf @@ -3,22 +3,17 @@ more_set_headers "X-XSS-Protection : 1; mode=block"; more_set_headers "X-Download-Options : noopen"; more_set_headers "X-Permitted-Cross-Domain-Policies : none"; more_set_headers "X-Frame-Options : DENY"; -more_set_headers "Referrer-Policy : no-referrer"; +more_set_headers "Referrer-Policy : same-origin"; # no-referrer more_set_headers "Strict-Transport-Security : max-age=94608000; includeSubDomains; preload"; #more_set_headers "Server : nginx Niver"; more_clear_headers Server; +ssl_prefer_server_ciphers off; + ssl_session_timeout 1d; ssl_session_cache shared:SSL:50m; ssl_session_tickets off; -ssl_prefer_server_ciphers off; -ssl_stapling on; -ssl_stapling_verify on; -ssl_certificate /etc/letsencrypt/live/niver.atope.art/fullchain.pem; -ssl_certificate_key /etc/letsencrypt/live/niver.atope.art/privkey.pem; - -autoindex off; - -gzip off; +#ssl_stapling on; +#ssl_stapling_verify on; diff --git a/config/nginx/inc/tls.conf b/config/nginx/inc/tls.conf new file mode 100644 index 0000000..c8345b0 --- /dev/null +++ b/config/nginx/inc/tls.conf 
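Review bot: OCSP stapling is now off everywhere — `#ssl_stapling on;` and `#ssl_stapling_verify on;` replace the active lines here and `default-server.conf` sets `ssl_stapling off;` — which is a regression for the Let's Encrypt sites: clients that check revocation must now contact the CA's responder themselves, leaking the visited hostname and adding a round trip. If the lines were disabled because the catch-all's `niver.crt` (presumably self-signed) has no OCSP URL, scope that to the catch-all and keep stapling in this shared include, with a comment such as `# stapling stays on for the Let's Encrypt sites; the default server's cert has no OCSP responder`. The `Referrer-Policy` change from `no-referrer` to `same-origin` is a deliberate relaxation, so the `# no-referrer` tail comment should say why it was loosened rather than only record the old value. The `X-XSS-Protection : 1; mode=block` context line above is a deprecated header that can itself enable cross-site leaks in older engines; `0` is the current recommendation.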
@@ -0,0 +1,8 @@
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384;#:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+
+ssl_ecdh_curve X25519:X448;
+
+#ssl_dhparam /etc/nginx/inc/ffdhe3072.pem;
+
+include inc/security.conf;
diff --git a/config/nginx/inc/modern.conf b/config/nginx/inc/tls1.3.conf
old mode 100755
new mode 100644
similarity index 100%
rename from config/nginx/inc/modern.conf
rename to config/nginx/inc/tls1.3.conf
diff --git a/config/nginx/mimetypes/full.conf b/config/nginx/mimetypes/full.conf
old mode 100755
new mode 100644
index d5b5a36..0f72525
--- a/config/nginx/mimetypes/full.conf
+++ b/config/nginx/mimetypes/full.conf
@@ -1,3 +1,4 @@
+default_type application/octet-stream;
 types {
 application/A2L a2l;
 application/AML aml;
diff --git a/config/nginx/mimetypes/strict.conf b/config/nginx/mimetypes/strict.conf
old mode 100755
new mode 100644
index a3ee994..aad6169
--- a/config/nginx/mimetypes/strict.conf
+++ b/config/nginx/mimetypes/strict.conf
@@ -1,3 +1,4 @@
+default_type text/plain;
 types {
 text/plain txt;
 text/gemini gmi;
diff --git a/config/nginx/nginx.conf b/config/nginx/nginx.conf
old mode 100755
new mode 100644
index fd192a4..473c287
--- a/config/nginx/nginx.conf
+++ b/config/nginx/nginx.conf
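Review bot: The TLS 1.3 names at the head of `ssl_ciphers` (`TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384`) are not honoured through that directive on an OpenSSL build: `ssl_ciphers` maps to `SSL_CTX_set_cipher_list`, which ignores TLS 1.3 suite names, so the 1.3 suites keep OpenSSL's default order and only the three `ECDHE-RSA-*` entries take effect, for TLS 1.2. If the 1.3 order matters, set it with `ssl_conf_command Ciphersuites TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384;` (nginx 1.19.4+) and keep `ssl_ciphers` to the 1.2 list. `ssl_ecdh_curve X25519:X448;` drops P-256 from the group list, and with OpenSSL that list also constrains which EC certificate the server may use on TLS 1.2, so an ECDSA/P-256 Let's Encrypt certificate would stop handshaking on 1.2 — harmless while the certificates are RSA (the 1.2 list is `ECDHE-RSA` only), but worth a comment: `# RSA certs only: an X25519/X448-only group list rejects a P-256 ECDSA cert on TLS 1.2`. The DHE suites and `#ssl_dhparam` are commented out while the RFC 7919 `ffdhe*.pem` files are added in the same commit; either enable one pair or leave the unused files out.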
@@ -1,24 +1,34 @@ load_module "/usr/lib/nginx/modules/ngx_http_headers_more_filter_module.so"; worker_processes auto; +user www-data www-data; events {} http { - include mimetypes/strict.conf; - default_type application/octet-stream; + include mimetypes/strict.conf; - #types_hash_bucket_size 128; # Default: 64 - #types_hash_max_size 1024; # Default: 1024 + types_hash_bucket_size 128; # Default: 64 + types_hash_max_size 1024; # Default: 1024 + server_names_hash_bucket_size 128; - sendfile on; + #sendfile on; #tcp_nopush on; gzip_static on; + log_format tls '$remote_addr $ssl_protocol $ssl_cipher [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"'; + + include http.conf; + include default-server.conf; include sites/*.conf; - include inc/security.conf; + include ht/*.conf; server_tokens off; + autoindex off; + + gzip off; + + #map $http_accept_language $lang { # default en; # ~en en; diff --git a/config/nginx/sites/freebox.conf.dis b/config/nginx/sites/freebox.conf.dis new file mode 100644 index 0000000..9d7d6e1 --- /dev/null +++ b/config/nginx/sites/freebox.conf.dis 
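Review bot: Removing `include inc/security.conf;` from `http {}` (it is now reached only through `inc/tls.conf`) means any server block that does not include `inc/tls.conf` serves without `Strict-Transport-Security`, `X-Frame-Options` or the other `more_set_headers` lines, and the new `include ht/*.conf;` is exactly the place where that include is most likely to be missing. Only the `ssl_session_*` and `ssl_prefer_server_ciphers` settings needed to move; the header directives are valid at `http` level, so consider splitting `inc/security.conf` into a header-only part included here and an `ssl`-only part included from `inc/tls.conf`. A comment on the `include ht/*.conf;` line stating who may write to that directory would also help, since an nginx include is root-equivalent for the worker configuration.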
@@ -0,0 +1,48 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name mafreebox.freebox.fr;
+
+ #root /var/www/niver;
+ #index index.php index.html index.htm;
+ #try_files $uri $uri/ @extensionless-php; # $uri.html
+
+ include inc/tls.conf;
+ include inc/errors.conf;
+
+ error_log /var/log/nginx/freebox-error.log info;
+ access_log /var/log/nginx/freebox-access.log;
+
+ #more_set_headers "Content-Security-Policy : default-src 'none'; style-src 'self'; frame-ancestors 'none';";
+
+ #location ~ ^/motrig/(db|less|lessphp|inc|niver.log) {
+ # return 403;
+ #}
+ location / {
+ allow 2a0b:cbc0:1103:2::106f;
+ allow 192.168.1.9;
+ deny all;
+ proxy_pass https://mafreebox.freebox.fr;
+ proxy_ssl_verify off;
+ }
+
+ #location ~ \.inc.php$ {
+ # return 403;
+ # }
+
+ #location ~ \.php$ {
+ # fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ # fastcgi_pass unix:/var/run/php/niver.sock;
+ # #fastcgi_index index.php;
+ # include inc/fastcgi.conf;
+ # try_files $uri =404;
+ #}
+
+ #location @extensionless-php {
+ # rewrite ^(.*)$ $1.php last;
+ #}
+
+ ssl_certificate /etc/letsencrypt/live/niver.4.niv.re/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/niver.4.niv.re/privkey.pem;
+}
+
diff --git a/config/nginx/sites/niver.4.niv.re.conf b/config/nginx/sites/niver.4.niv.re.conf
new file mode 100644
index 0000000..92d4c2a
--- /dev/null
+++ b/config/nginx/sites/niver.4.niv.re.conf
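Review bot: `proxy_ssl_verify off;` in `location /` makes nginx accept any certificate from whatever answers for `mafreebox.freebox.fr`, so the only protection in front of the router's administration interface is the two-address `allow` list. Even for a disabled `.dis` file that will be copied back later, prefer `proxy_ssl_verify on; proxy_ssl_trusted_certificate /etc/ssl/certs/freebox-ca.pem; proxy_ssl_name mafreebox.freebox.fr;` with the vendor CA (path to be confirmed). The block also presents the `niver.4.niv.re` certificate for `server_name mafreebox.freebox.fr`, so every client sees a hostname mismatch; a comment should say whether that is accepted or the certificate needs that name. Because `.dis` is not matched by `include sites/*.conf;`, a one-line header comment stating that the file is intentionally disabled and why would save the next reader a search.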
@@ -0,0 +1,47 @@
+#server {
+# listen 80;
+# listen [::]:80;
+# server_name niver.4.niv.re;
+# return 301 https://niver.4.niv.re$request_uri;
+#}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name niver.4.niv.re;
+
+ root /var/www/niver;
+ index index.php index.html index.htm;
+ try_files $uri $uri/ @extensionless-php;
+
+ include inc/tls.conf;
+ include inc/errors.conf;
+
+ error_log /var/log/nginx/niver.4.niv.re-error.log info;
+ access_log /var/log/nginx/niver.4.niv.re-access.log tls;
+
+ more_set_headers "Content-Security-Policy : default-src 'none'; style-src 'self'; frame-ancestors 'none';";
+
+ location ~ ^/motrig/(db|less|lessphp|inc|niver.log) {
+ return 403;
+ }
+
+ location ~ \.inc.php$ {
+ return 403;
+ }
+
+ location ~ \.php$ {
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ fastcgi_pass unix:/var/run/php/niver.sock;
+ #fastcgi_index index.php;
+ include inc/fastcgi.conf;
+ try_files $uri =404;
+ }
+
+ location @extensionless-php {
+ rewrite ^(.*)$ $1.php last;
+ }
+
+ ssl_certificate /etc/letsencrypt/live/niver.4.niv.re/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/niver.4.niv.re/privkey.pem;
+}
diff --git a/config/nginx/sites/niver.atope.art.conf b/config/nginx/sites/niver.atope.art.conf
deleted file mode 100755
index cd0bfbc..0000000
--- a/config/nginx/sites/niver.atope.art.conf
+++ /dev/null
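Review bot: The two deny-list regexes are looser than they read: `location ~ ^/motrig/(db|less|lessphp|inc|niver.log)` has an unescaped `.` and no terminating `(/|$)`, so `niver.log` also matches `niverXlog` and the whole rule blocks unrelated names such as `/motrig/dbx`, and `location ~ \.inc.php$` matches `.incXphp` too. Write them as `location ~ ^/motrig/(db|less|lessphp|inc|niver\.log)(/|$)` and `location ~ \.inc\.php$`, and keep the `.inc.php` rule ahead of `\.php$` as it is now, since the first matching regex wins. The CSP set by `more_set_headers` is strict on sources but has no `form-action` or `base-uri`; for a PHP application that accepts form input, `default-src 'none'; style-src 'self'; frame-ancestors 'none'; form-action 'self'; base-uri 'none'` closes those two sinks. The `try_files $uri =404;` inside `location ~ \.php$` is what prevents the path-info trick of executing uploads as PHP; a one-line comment saying so would stop someone from removing it as redundant.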
@@ -1,31 +0,0 @@ -server { - listen 443 ssl http2 default_server; - listen [::]:443 ssl http2 default_server; - server_name niver.atope.art; - - root /srv/http/niver; - index index.php index.html index.htm; - try_files $uri $uri/ @extensionless-php; # $uri.html - index index.php; - - include inc/modern.conf; - include inc/errors.conf; - - error_log /var/log/nginx/niver.atope.art-error.log; - access_log /var/log/nginx/niver.atope.art-access.log; - - more_set_headers "Content-Security-Policy : default-src 'none'; style-src 'self';"; - - location ~ \.php$ { - fastcgi_split_path_info ^(.+\.php)(/.+)$; - fastcgi_pass unix:/var/run/php-fpm/niver.sock; - #fastcgi_index index.php; - include inc/fastcgi.conf; - try_files $uri =404; - } - - location @extensionless-php { - rewrite ^(.*)$ $1.php last; - } - -} diff --git a/config/php-fpm/errors.conf b/config/php-fpm/errors.conf old mode 100755 new mode 100644 index 4dffa9c..af5bacb --- a/config/php-fpm/errors.conf +++ b/config/php-fpm/errors.conf @@ -3,10 +3,10 @@ user = php-$pool group = php-$pool -listen = /run/php-fpm/$pool.sock +listen = /run/php/$pool.sock -listen.owner = http -listen.group = http +listen.owner = www-data +listen.group = www-data pm = dynamic pm.max_children = 5 @@ -16,8 +16,8 @@ pm.max_spare_servers = 3 access.log = /var/log/php/$pool-access.log -chdir = /srv/http/$pool -;chroot = /srv/http/$pool +;chroot = /var/www/errors +chdir = /var/www/errors catch_workers_output = yes decorate_workers_output = yes diff --git a/config/php-fpm/niver.conf b/config/php-fpm/niver.conf old mode 100755 new mode 100644 index 818fc01..90ab31b --- a/config/php-fpm/niver.conf +++ b/config/php-fpm/niver.conf @@ -3,10 +3,10 @@ user = php-$pool group = knot -listen = /run/php-fpm/$pool.sock +listen = /run/php/$pool.sock -listen.owner = http -listen.group = http +listen.owner = www-data +listen.group = www-data pm = dynamic pm.max_children = 5 
@@ -16,7 +16,7 @@ pm.max_spare_servers = 3 access.log = /var/log/php/$pool-access.log -chdir = /srv/http/$pool +chdir = /var/www/$pool catch_workers_output = yes decorate_workers_output = yes diff --git a/config/share/banner.txt b/config/share/banner.txt old mode 100755 new mode 100644 diff --git a/config/share/knot.template b/config/share/knot.template old mode 100755 new mode 100644 index bfe6d1f..32464d0 --- a/config/share/knot.template +++ b/config/share/knot.template @@ -1,2 +1,3 @@ -DOMAIN 3600 SOA ns1.atope.art. hostmaster.antopie.org. 1 21600 7200 3628800 3600 -DOMAIN 86400 NS ns1.atope.art. +DOMAIN 3600 SOA potiron.niver.4.niv.re. hostmaster.antopie.org. 1 21600 7200 3628800 3600 +DOMAIN 86400 NS potiron.niver.4.niv.re. +DOMAIN 86400 NS framboise.niver.4.niv.re. diff --git a/config/share/nginx/dns.template b/config/share/nginx/dns.template old mode 100755 new mode 100644 index b446b93..8d27399 --- a/config/share/nginx/dns.template +++ b/config/share/nginx/dns.template @@ -1,23 +1,16 @@ -server { - listen 80; - listen [::]:80; - server_name DOMAIN; - return 301 https://DOMAIN$request_uri; -} - server { listen 443 ssl http2; listen [::]:443 ssl http2; server_name DOMAIN; - root /srv/hyper/USER/hyper/DIR; + root /srv/ht/USER/ht/DIR; - ssl_certificate /etc/letsencrypt/live/host.atope.art/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/host.atope.art/privkey.pem; + ssl_certificate /etc/ssl/certs/niver.crt; + ssl_certificate_key /etc/ssl/private/niver.key; access_log /var/log/nginx/DOMAIN-access.log; error_log /var/log/nginx/DOMAIN-error.log; - include /etc/nginx/inc/intermediate.conf.inc; + include inc/tls.conf; default_type text/plain; diff --git a/config/share/nginx/onion.template b/config/share/nginx/onion.template old mode 100755 new mode 100644 index 854f7b7..874b78b --- a/config/share/nginx/onion.template +++ b/config/share/nginx/onion.template 
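Review bot: The per-domain template now serves every customer `DOMAIN` with the single `ssl_certificate /etc/ssl/certs/niver.crt;` / `ssl_certificate_key /etc/ssl/private/niver.key;` pair instead of a Let's Encrypt chain, so unless `niver.crt` lists each DOMAIN as a SAN (it is also the catch-all's certificate in `default-server.conf`) browsers will reject these sites with a hostname mismatch; a comment should state how certificates for customer domains are obtained, or the template should keep a per-domain `/etc/letsencrypt/live/` path. The `DOMAIN`, `USER` and `DIR` placeholders land inside `server_name`, `root` and the log paths, so whatever renders this template into `ht/*.conf` must restrict them to hostname characters, because a `;`, `{` or whitespace in a customer-chosen value becomes nginx configuration. The hunk ends at `default_type text/plain;` and the server block continues below it.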
@@ -1,7 +1,12 @@ server { listen [::1]:80; server_name DOMAIN; - root /srv/hyper/USER/hyper/DIR; + root /srv/ht/USER/ht/DIR; + + include inc/errors.conf; + + access_log off; + error_log off; location / { try_files $uri $uri.html $uri/ =404; diff --git a/config/share/skel/about.txt b/config/share/skel/about.txt old mode 100755 new mode 100644 index 821f18a..707f4e6 --- a/config/share/skel/about.txt +++ b/config/share/skel/about.txt @@ -1,5 +1,5 @@ -Ceci est le dossier personnel des utilisataires de Niver. +Ceci est l'espace dédié à vos sites. Vous pouvez téléverser votre site dans un sous-dossier d'ht/. -This is the personnal directory for Niver users. +This is the space dedicated to your sites. You can upload your site into a subdirectory of ht/. diff --git a/config/sshd_config b/config/sshd_config index f4b2e6d..55afa6b 100755 --- a/config/sshd_config +++ b/config/sshd_config @@ -3,7 +3,8 @@ LogLevel INFO # The possible values are: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. #VersionAddendum Niver AllowGroups root ht -Subsystem sftp /usr/lib/ssh/sftp-server +Subsystem sftp internal-sftp +#Subsystem sftp sftp-server ## Network @@ -14,8 +15,8 @@ Port 22 ## Cryptography -HostKey /etc/ssh/keys/ed25519 -HostKey /etc/ssh/keys/rsa-3072 +HostKey /etc/ssh/ed25519 +HostKey /etc/ssh/rsa-3072 Ciphers chacha20-poly1305@openssh.com,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr HostKeyAlgorithms ssh-ed25519,rsa-sha2-256,rsa-sha2-512 @@ -32,6 +33,8 @@ MaxStartups 3:20:200 LoginGraceTime 3m PrintMotd yes +UsePAM yes + ## Disable everything PermitTTY no @@ -55,8 +58,6 @@ KbdInteractiveAuthentication no PermitEmptyPasswords no ChallengeResponseAuthentication no -UsePAM no - ## Enable usefull features ### Administrator access
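Review bot: `error_log off;` added to the onion server block does not disable logging: unlike `access_log`, `error_log` has no `off` keyword, so nginx opens a file literally named `off` relative to its prefix (for example `/etc/nginx/off`) and writes the hidden service's errors there, defeating the purpose of the `access_log off;` line above it. Use `error_log /dev/null crit;` instead, or leave the directive out so errors go to the global log at the default level. The hunk ends inside the `server {}` block, whose `location /` continues below.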
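Review bot: `UsePAM yes` (the old `UsePAM no` is removed further down) makes PAM's auth stack reachable through keyboard-interactive, so this file is only as safe as the `KbdInteractiveAuthentication no` and `ChallengeResponseAuthentication no` context lines staying in place. Add a comment beside it such as `# PAM only for account/session checks (nsswitch, limits, lastlog); keyboard-interactive stays off so PAM cannot prompt for passwords`. `Subsystem sftp internal-sftp` is the right choice if the `ht` group is jailed with a `ChrootDirectory` Match block, which is outside these hunks — confirm it exists, since `AllowGroups root ht` otherwise gives those accounts an unjailed SFTP view of the filesystem.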