update some internal server configs

2020-03-30 16:40:03 +00:00 · 2020-03-30 16:40:03 +00:00 · 33066ec28e
parent 6c3053eb53
commit 33066ec28e
16 changed files with 129 additions and 6 deletions
--- a/1
+++ b/1
@ -43,6 +43,7 @@ bin:

 etc:
 	@printf "$(GREEN)--- etc ------------------------------------------------\n$(RESET)"
+	@install -m 644 etc/etc/hosts /etc
 	@install -m 644 etc/etc/inetd.conf /etc
 	@install -m 644 etc/etc/inputrc /etc
 	@install -m 644 etc/etc/nanorc /etc
--- a/etc/etc/hosts
+++ b/etc/etc/hosts
@ -0,0 +1,37 @@
+# DO NOT TOUCH IT HERE SEE GIT REPO 'envs/ops'
+
+# !!! DO NOT SET ALIAS ENVS.NET TO localhost # mail problem !!!
+127.0.0.1		localhost
+127.0.0.1		core.envs.net bbj.envs.net gopher.envs.net help.envs.net ip.envs.net ip.envs.sh stats.envs.net ttbp.envs.net twtxt.envs.net webirc.envs.net znc.envs.net
+
+89.163.145.170	envs.net core core.envs.net ve423.venus.dedi.server-hosting.expert ve423
+5.199.136.30	ssh.envs.net
+
+# The following lines are desirable for IPv6 capable hosts
+::1     localhost ip6-localhost ip6-loopback
+ff02::1 ip6-allnodes
+ff02::2 ip6-allrouters
+
+#
+# ENVS.NET - LXC
+#
+
+192.168.1.2   ns1.envs.net ns1 dns
+192.168.1.3   mail.envs.net mail 
+192.168.1.4   lists.envs.net lists
+192.168.1.5   ldap.envs.net ldap ldap1
+192.168.1.6   moni.envs.net moni prometheus.envs.net prometheus grafana.envs.net grafana
+
+192.168.1.10  git.envs.net gitea
+192.168.1.11  searx.envs.net searx
+192.168.1.12  cryptpad pad.envs.net pad cryptpad
+192.168.1.13  drone.envs.net drone
+192.168.1.14  matrix.envs.net matrix riot.envs.net riot dimension.envs.net dimension
+
+192.168.1.15  envs.sh 0x0.envs.net null.envs.net 0x0 null
+192.168.1.15  tb.envs.net tb termbin.envs.net termbin
+192.168.1.16  rss.envs.net rss
+192.168.1.17  pb.envs.net pb pastebin.envs.net pastbin
+192.168.1.18  pleroma.envs.net pleroma social halcyon.envs.net halcyon
+192.168.1.19  jitsi.envs.net jitsi
+
--- a/etc/etc/inetd.conf
+++ b/etc/etc/inetd.conf
@ -1,3 +1,5 @@
+# DO NOT TOUCH IT HERE SEE GIT REPO 'envs/ops'
+
 # /etc/inetd.conf:  see inetd(8) for further informations.
 #
 # Internet superserver configuration database
--- a/etc/etc/inputrc
+++ b/etc/etc/inputrc
@ -1,3 +1,5 @@
+# DO NOT TOUCH IT HERE SEE GIT REPO 'envs/ops'
+
 # /etc/inputrc - global inputrc for libreadline
 # See readline(3readline) and `info rluserman' for more information.

--- a/etc/etc/sudoers
+++ b/etc/etc/sudoers
@ -1,3 +1,4 @@
+# DO NOT TOUCH IT HERE SEE GIT REPO 'envs/ops'
 #
 # This file MUST be edited with the 'visudo' command as root.
 #
--- a/etc/init.d/S41firewall
+++ b/etc/init.d/S41firewall
@ -197,6 +197,13 @@ if [ "$1" = "start" ]; then
 	$IPT -w -t nat -A POSTROUTING -d 192.168.1.3 -s 192.168.1.4 -j SNAT --to 5.199.136.29
 	$IPT -w -t nat -A POSTROUTING ! -d 192.168.1.0/24 -s 192.168.1.4 -j SNAT --to 5.199.136.29

+	# ldap
+	$IPT -w -t nat -A POSTROUTING ! -d 192.168.1.0/24 -s 192.168.1.5 -j SNAT --to 89.163.145.170
+
+	# monitor (prometheus and grafana)
+	# => apache2 proxy (http/https)
+	$IPT -w -t nat -A POSTROUTING ! -d 192.168.1.0/24 -s 192.168.1.6 -j SNAT --to 89.163.145.170
+
 	# gitea
 	# => apache2 proxy (http/https)
 	$IPT -w -t nat -A PREROUTING -d 5.199.130.141 -p tcp --dport 22 -j DNAT --to-destination 192.168.1.10:22
@ -224,7 +231,11 @@ if [ "$1" = "start" ]; then
 	#
 	$IPT -w -t nat -A PREROUTING -d 89.163.145.170 -p tcp --dport 8448 -j DNAT --to-destination 192.168.1.14:8448
 	$IPT -w -A FORWARD -p tcp -d 192.168.1.14 --dport 8448 -j ACCEPT
-	#
+	# coturn
+	$IPT -w -t nat -A PREROUTING -d 89.163.145.170 -p udp --dport 3478 -j DNAT --to-destination 192.168.1.14:3478
+	$IPT -w -A FORWARD -p udp -d 192.168.1.14 --dport 3478 -j ACCEPT
+	$IPT -w -t nat -A PREROUTING -d 89.163.145.170 -p tcp --dport 3478 -j DNAT --to-destination 192.168.1.14:3478
+	$IPT -w -A FORWARD -p tcp -d 192.168.1.14 --dport 3478 -j ACCEPT
 	$IPT -w -t nat -A PREROUTING -d 89.163.145.170 -p udp --dport 5349 -j DNAT --to-destination 192.168.1.14:5349
 	$IPT -w -A FORWARD -p udp -d 192.168.1.14 --dport 5349 -j ACCEPT
 	$IPT -w -t nat -A PREROUTING -d 89.163.145.170 -p tcp --dport 5349 -j DNAT --to-destination 192.168.1.14:5349
@ -346,6 +357,9 @@ if [ "$1" = "start" ]; then
 	$IPT -w -A INPUT -m state --state NEW -d 192.168.1.1 -p udp --dport 53 -j ACCEPT
 	$IPT -w -A INPUT -m state --state NEW -d 192.168.1.1 -p tcp --dport 53 -j ACCEPT

+	# prometheus node
+	$IPT -w -A INPUT -m state --state NEW -d 192.168.1.1 -s 192.168.1.6 -p tcp --dport 9100 -j ACCEPT
+
 	# finger
 	$IPT -w -A INPUT -m state --state NEW -d 89.163.145.170 -p tcp --dport 79 -j ACCEPT

--- a/etc/letsencrypt/renewal-hooks/deploy/envs.sh
+++ b/etc/letsencrypt/renewal-hooks/deploy/envs.sh
@ -1,4 +1,5 @@
 #!/bin/sh
+# DO NOT TOUCH IT HERE SEE GIT REPO 'envs/ops'

 set -e

@ -24,6 +25,9 @@ for domain in $RENEWED_DOMAINS; do
 			# pleroma
 			lxc-attach -n pleroma -- bash -c "systemctl reload nginx"

+			# monitor
+			lxc-attach -n moni -- bash -c "systemctl reload nginx"
+
 			# mail
 			# has a own letencrypt cert in container!
 			##lxc-attach -n mail -- bash -c "systemctl reload nginx postfix dovecot"
--- a/etc/nginx/sites-available/envs.net.conf
+++ b/etc/nginx/sites-available/envs.net.conf
@ -61,19 +61,19 @@ server {

 	# matrix
 	location /.well-known/matrix/ {
-		add_header Access-Control-Allow-Origin *;
+		add_header Access-Control-Allow-Origin "*";
 		add_header Content-Type application/json;
 		return 200 '{"m.server": "envs.net:8448", "m.homeserver": {"base_url": "https://matrix.envs.net"}}';
 	}

 	location /.well-known/matrix/support {
-		add_header Access-Control-Allow-Origin *;
+		add_header Access-Control-Allow-Origin "*";
 		add_header Content-Type application/json;
 		return 200 '{"admins": [{"matrix_id": "@creme:envs.net", "email_address": "hostmaster@envs.net", "role": "admin"}]}';
 	}

 	location /.well-known/matrix/integrations {
-		add_header Access-Control-Allow-Origin *;
+		add_header Access-Control-Allow-Origin "*";
 		add_header Content-Type application/json;
 		return 200 '{"m.integrations": {"managers": [{"api_url": "https://dimension.envs.net/api/v1/scalar", "ui_url": "https://dimension.envs.net/riot"}]}}';
 	}
--- a/etc/nginx/sites-available/grafana.envs.net.conf
+++ b/etc/nginx/sites-available/grafana.envs.net.conf
@ -0,0 +1,27 @@
+### GRAFANA.ENVS.NET - lxc ###
+server {
+	include snippets/listen.conf;
+#	include snippets/ddos_mid.conf;
+	server_name grafana.envs.net;
+
+	return 307 https://$host$request_uri;
+}
+
+# SSL
+server {
+	include snippets/listen_ssl.conf;
+#	include snippets/ddos_mid.conf;
+	server_name grafana.envs.net;
+
+	include snippets/ssl.conf;
+	include ssl/envs_net_wild.conf;
+
+	error_log /var/log/nginx/grafana.envs.net-error.log crit;
+
+	location / {
+		include proxy_params;
+		proxy_ssl_name $http_host;
+		proxy_ssl_server_name on;
+		proxy_pass https://grafana.envs.net;
+	}
+}
--- a/etc/nginx/sites-available/matrix.envs.net.conf
+++ b/etc/nginx/sites-available/matrix.envs.net.conf
@ -18,6 +18,8 @@ server {

 	error_log /var/log/nginx/matrix.envs.net-error.log crit;

+	client_max_body_size 100M;
+
 	location / {
 		include proxy_params;
 		proxy_ssl_name $http_host;
--- a/etc/nginx/sites-available/pad.envs.net.conf
+++ b/etc/nginx/sites-available/pad.envs.net.conf
@ -18,6 +18,8 @@ server {

 	error_log /var/log/nginx/pad.envs.net-error.log crit;

+	client_max_body_size 100M;
+
 	location / {
 		include proxy_params;
 		proxy_ssl_name $http_host;
@ -52,4 +54,4 @@ server {
 	location / {
 		return 301 https://pad.envs.net/;
 	}
-}
+}
--- a/etc/nginx/sites-available/pleroma.envs.net.conf
+++ b/etc/nginx/sites-available/pleroma.envs.net.conf
@ -18,6 +18,8 @@ server {

 	error_log /var/log/nginx/pleroma.envs.net-error.log crit;

+	client_max_body_size 64M;
+
 	location / {
 		include proxy_params;
 		proxy_ssl_name $http_host;
--- a/etc/nginx/sites-available/prometheus.envs.net.conf
+++ b/etc/nginx/sites-available/prometheus.envs.net.conf
@ -0,0 +1,27 @@
+### PROMETHEUS.ENVS.NET - lxc ###
+server {
+	include snippets/listen.conf;
+#	include snippets/ddos_mid.conf;
+	server_name prometheus.envs.net;
+
+	return 307 https://$host$request_uri;
+}
+
+# SSL
+server {
+	include snippets/listen_ssl.conf;
+#	include snippets/ddos_mid.conf;
+	server_name prometheus.envs.net;
+
+	include snippets/ssl.conf;
+	include ssl/envs_net_wild.conf;
+
+	error_log /var/log/nginx/prometheus.envs.net-error.log crit;
+
+	location / {
+		include proxy_params;
+		proxy_ssl_name $http_host;
+		proxy_ssl_server_name on;
+		proxy_pass https://prometheus.envs.net;
+	}
+}
--- a/etc/nginx/sites-enabled/grafana.envs.net.conf
+++ b/etc/nginx/sites-enabled/grafana.envs.net.conf
@ -0,0 +1 @@
+/etc/nginx/sites-available/grafana.envs.net.conf
--- a/etc/nginx/sites-enabled/prometheus.envs.net.conf
+++ b/etc/nginx/sites-enabled/prometheus.envs.net.conf
@ -0,0 +1 @@
+/etc/nginx/sites-available/prometheus.envs.net.conf
--- a/var/tilde/admins
+++ b/var/tilde/admins
@ -1 +1 @@
-Subproject commit fa5613116baba05beead0186ea045287b8b01b1e
+Subproject commit 6997cdf8606bfc7a608a025eb883adef4dcefab5
				`@ -0,0 +1 @@`
				`/etc/nginx/sites-available/grafana.envs.net.conf`
				`@ -0,0 +1 @@`
				`/etc/nginx/sites-available/prometheus.envs.net.conf`