diff --git a/Makefile b/Makefile
index b1e478a..47a1c88 100644
--- a/Makefile
+++ b/Makefile
@@ -43,6 +43,7 @@ bin:
 etc:
 	@printf "$(GREEN)--- etc ------------------------------------------------\n$(RESET)"
+	@install -m 644 etc/etc/hosts /etc
 	@install -m 644 etc/etc/inetd.conf /etc
 	@install -m 644 etc/etc/inputrc /etc
 	@install -m 644 etc/etc/nanorc /etc
diff --git a/etc/etc/hosts b/etc/etc/hosts
new file mode 100644
index 0000000..bc48f00
--- /dev/null
+++ b/etc/etc/hosts
@@ -0,0 +1,37 @@
+# DO NOT TOUCH IT HERE SEE GIT REPO 'envs/ops'
+
+# !!! DO NOT SET ALIAS ENVS.NET TO localhost # mail problem !!!
+127.0.0.1 localhost
+127.0.0.1 core.envs.net bbj.envs.net gopher.envs.net help.envs.net ip.envs.net ip.envs.sh stats.envs.net ttbp.envs.net twtxt.envs.net webirc.envs.net znc.envs.net
+
+89.163.145.170 envs.net core core.envs.net ve423.venus.dedi.server-hosting.expert ve423
+5.199.136.30 ssh.envs.net
+
+# The following lines are desirable for IPv6 capable hosts
+::1 localhost ip6-localhost ip6-loopback
+ff02::1 ip6-allnodes
+ff02::2 ip6-allrouters
+
+#
+# ENVS.NET - LXC
+#
+
+192.168.1.2 ns1.envs.net ns1 dns
+192.168.1.3 mail.envs.net mail
+192.168.1.4 lists.envs.net lists
+192.168.1.5 ldap.envs.net ldap ldap1
+192.168.1.6 moni.envs.net moni prometheus.envs.net prometheus grafana.envs.net grafana
+
+192.168.1.10 git.envs.net gitea
+192.168.1.11 searx.envs.net searx
+192.168.1.12 cryptpad pad.envs.net pad cryptpad
+192.168.1.13 drone.envs.net drone
+192.168.1.14 matrix.envs.net matrix riot.envs.net riot dimension.envs.net dimension
+
+192.168.1.15 envs.sh 0x0.envs.net null.envs.net 0x0 null
+192.168.1.15 tb.envs.net tb termbin.envs.net termbin
+192.168.1.16 rss.envs.net rss
+192.168.1.17 pb.envs.net pb pastebin.envs.net pastbin
+192.168.1.18 pleroma.envs.net pleroma social halcyon.envs.net halcyon
+192.168.1.19 jitsi.envs.net jitsi
+
diff --git a/etc/etc/inetd.conf b/etc/etc/inetd.conf
index f76ea6c..be7bf14 100644
--- a/etc/etc/inetd.conf
+++ b/etc/etc/inetd.conf
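Review bot: `core.envs.net` is listed both on the `127.0.0.1` line and on the `89.163.145.170` line of the new hosts file; the resolver takes the first match, so on this host `core.envs.net` resolves to loopback and the public mapping on the later line is dead for that name. If the loopback alias is intended (the comment above warns about `envs.net` itself), drop `core.envs.net` from the `89.163.145.170` line or add a comment saying why both exist. Minor: `cryptpad` appears twice on the `192.168.1.12` line, and `pastbin` on the `192.168.1.17` line looks like a typo for `pastebin`, which would leave that alias unresolvable.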
@@ -1,3 +1,5 @@
+# DO NOT TOUCH IT HERE SEE GIT REPO 'envs/ops'
+
 # /etc/inetd.conf: see inetd(8) for further informations.
 #
 # Internet superserver configuration database
diff --git a/etc/etc/inputrc b/etc/etc/inputrc
index 1ebf533..ffe271b 100644
--- a/etc/etc/inputrc
+++ b/etc/etc/inputrc
@@ -1,3 +1,5 @@
+# DO NOT TOUCH IT HERE SEE GIT REPO 'envs/ops'
+
 # /etc/inputrc - global inputrc for libreadline
 # See readline(3readline) and `info rluserman' for more information.
 
diff --git a/etc/etc/sudoers b/etc/etc/sudoers
index 1b20a69..b31b0e3 100644
--- a/etc/etc/sudoers
+++ b/etc/etc/sudoers
@@ -1,3 +1,4 @@
+# DO NOT TOUCH IT HERE SEE GIT REPO 'envs/ops'
 #
 # This file MUST be edited with the 'visudo' command as root.
 #
diff --git a/etc/init.d/S41firewall b/etc/init.d/S41firewall
index f8015c3..48857d8 100755
--- a/etc/init.d/S41firewall
+++ b/etc/init.d/S41firewall
@@ -197,6 +197,13 @@ if [ "$1" = "start" ]; then
 $IPT -w -t nat -A POSTROUTING -d 192.168.1.3 -s 192.168.1.4 -j SNAT --to 5.199.136.29
 $IPT -w -t nat -A POSTROUTING ! -d 192.168.1.0/24 -s 192.168.1.4 -j SNAT --to 5.199.136.29
 
+# ldap
+$IPT -w -t nat -A POSTROUTING ! -d 192.168.1.0/24 -s 192.168.1.5 -j SNAT --to 89.163.145.170
+
+# monitor (prometheus and grafana)
+# => apache2 proxy (http/https)
+$IPT -w -t nat -A POSTROUTING ! -d 192.168.1.0/24 -s 192.168.1.6 -j SNAT --to 89.163.145.170
+
 # gitea
 # => apache2 proxy (http/https)
 $IPT -w -t nat -A PREROUTING -d 5.199.130.141 -p tcp --dport 22 -j DNAT --to-destination 192.168.1.10:22
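Review bot: The `# => apache2 proxy (http/https)` comment above the new 192.168.1.6 SNAT rule looks copied from the gitea block below it; in this same commit the grafana and prometheus vhosts are served by the host nginx (`proxy_pass https://grafana.envs.net`), so the comment points at the wrong proxy. Suggest `# => nginx proxy (http/https), see sites-available/grafana.envs.net.conf and prometheus.envs.net.conf`. Both new POSTROUTING rules give the ldap and moni containers unrestricted outbound SNAT; if ldap only needs fixed peers, a destination-scoped rule like the 192.168.1.4 -> 192.168.1.3 one above would be tighter, but the hunk does not show what it needs. The enclosing `if [ "$1" = "start" ]` block starts and ends outside the hunk.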
@@ -224,7 +231,11 @@ if [ "$1" = "start" ]; then
 #
 $IPT -w -t nat -A PREROUTING -d 89.163.145.170 -p tcp --dport 8448 -j DNAT --to-destination 192.168.1.14:8448
 $IPT -w -A FORWARD -p tcp -d 192.168.1.14 --dport 8448 -j ACCEPT
-#
+# coturn
+$IPT -w -t nat -A PREROUTING -d 89.163.145.170 -p udp --dport 3478 -j DNAT --to-destination 192.168.1.14:3478
+$IPT -w -A FORWARD -p udp -d 192.168.1.14 --dport 3478 -j ACCEPT
+$IPT -w -t nat -A PREROUTING -d 89.163.145.170 -p tcp --dport 3478 -j DNAT --to-destination 192.168.1.14:3478
+$IPT -w -A FORWARD -p tcp -d 192.168.1.14 --dport 3478 -j ACCEPT
 $IPT -w -t nat -A PREROUTING -d 89.163.145.170 -p udp --dport 5349 -j DNAT --to-destination 192.168.1.14:5349
 $IPT -w -A FORWARD -p udp -d 192.168.1.14 --dport 5349 -j ACCEPT
 $IPT -w -t nat -A PREROUTING -d 89.163.145.170 -p tcp --dport 5349 -j DNAT --to-destination 192.168.1.14:5349
@@ -346,6 +357,9 @@ if [ "$1" = "start" ]; then
 $IPT -w -A INPUT -m state --state NEW -d 192.168.1.1 -p udp --dport 53 -j ACCEPT
 $IPT -w -A INPUT -m state --state NEW -d 192.168.1.1 -p tcp --dport 53 -j ACCEPT
 
+# prometheus node
+$IPT -w -A INPUT -m state --state NEW -d 192.168.1.1 -s 192.168.1.6 -p tcp --dport 9100 -j ACCEPT
+
+
 # finger
 $IPT -w -A INPUT -m state --state NEW -d 89.163.145.170 -p tcp --dport 79 -j ACCEPT
diff --git a/etc/letsencrypt/renewal-hooks/deploy/envs.sh b/etc/letsencrypt/renewal-hooks/deploy/envs.sh
index fdc5cee..0087aad 100755
--- a/etc/letsencrypt/renewal-hooks/deploy/envs.sh
+++ b/etc/letsencrypt/renewal-hooks/deploy/envs.sh
@@ -1,4 +1,5 @@
 #!/bin/sh
+# DO NOT TOUCH IT HERE SEE GIT REPO 'envs/ops'
 
 set -e
 
@@ -24,6 +25,9 @@ for domain in $RENEWED_DOMAINS; do
 # pleroma
 lxc-attach -n pleroma -- bash -c "systemctl reload nginx"
 
+# monitor
+lxc-attach -n moni -- bash -c "systemctl reload nginx"
+
+
 # mail
 # has a own letencrypt cert in container!
 ##lxc-attach -n mail -- bash -c "systemctl reload nginx postfix dovecot"
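Review bot: The new coturn block forwards only the TURN listening ports 3478 (udp and tcp) to 192.168.1.14, next to the existing 5349 rules; coturn also needs its relay port range (`min-port`/`max-port` in turnserver.conf) reachable from outside for relayed media, and no rule for that range appears in this hunk. If the relay range is handled elsewhere in the script, a comment here such as `# relay port range: see <section> below` would keep the next reader from re-adding it; if not, the relay range is the missing piece. The enclosing `if [ "$1" = "start" ]` block starts and ends outside the hunk.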
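Review bot: The new `lxc-attach -n moni -- bash -c "systemctl reload nginx"` runs under the `set -e` at the top of this hook, so if the moni container is stopped when certbot fires, the hook aborts at this line and every reload that follows it in the loop is skipped while the renewed certificate is already on disk. The existing lines have the same property, but this one adds another point of failure; consider `lxc-attach -n moni -- bash -c "systemctl reload nginx" || echo "moni: nginx reload failed" >&2` or a running-state check before attaching. The `for domain in $RENEWED_DOMAINS` loop starts and ends outside the hunk.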
diff --git a/etc/nginx/sites-available/envs.net.conf b/etc/nginx/sites-available/envs.net.conf
index 73acd9c..80389bd 100644
--- a/etc/nginx/sites-available/envs.net.conf
+++ b/etc/nginx/sites-available/envs.net.conf
@@ -61,19 +61,19 @@ server {
 # matrix
 location /.well-known/matrix/ {
-add_header Access-Control-Allow-Origin *;
+add_header Access-Control-Allow-Origin "*";
 add_header Content-Type application/json;
 return 200 '{"m.server": "envs.net:8448", "m.homeserver": {"base_url": "https://matrix.envs.net"}}';
 }
 
 location /.well-known/matrix/support {
-add_header Access-Control-Allow-Origin *;
+add_header Access-Control-Allow-Origin "*";
 add_header Content-Type application/json;
 return 200 '{"admins": [{"matrix_id": "@creme:envs.net", "email_address": "hostmaster@envs.net", "role": "admin"}]}';
 }
 
 location /.well-known/matrix/integrations {
-add_header Access-Control-Allow-Origin *;
+add_header Access-Control-Allow-Origin "*";
 add_header Content-Type application/json;
 return 200 '{"m.integrations": {"managers": [{"api_url": "https://dimension.envs.net/api/v1/scalar", "ui_url": "https://dimension.envs.net/riot"}]}}';
 }
diff --git a/etc/nginx/sites-available/grafana.envs.net.conf b/etc/nginx/sites-available/grafana.envs.net.conf
new file mode 100644
index 0000000..dd46469
--- /dev/null
+++ b/etc/nginx/sites-available/grafana.envs.net.conf
@@ -0,0 +1,27 @@
+### GRAFANA.ENVS.NET - lxc ###
+server {
+include snippets/listen.conf;
+# include snippets/ddos_mid.conf;
+server_name grafana.envs.net;
+
+return 307 https://$host$request_uri;
+}
+
+# SSL
+server {
+include snippets/listen_ssl.conf;
+# include snippets/ddos_mid.conf;
+server_name grafana.envs.net;
+
+include snippets/ssl.conf;
+include ssl/envs_net_wild.conf;
+
+error_log /var/log/nginx/grafana.envs.net-error.log crit;
+
+location / {
+include proxy_params;
+proxy_ssl_name $http_host;
+proxy_ssl_server_name on;
+proxy_pass https://grafana.envs.net;
+}
+}
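Review bot: `proxy_pass https://grafana.envs.net;` in the new vhost only reaches the container because the /etc/hosts added in this commit maps `grafana.envs.net` to 192.168.1.6 on the host; with DNS alone the name most likely resolves to this host's public address and nginx would proxy to itself. That dependency deserves a comment next to the `proxy_pass`, e.g. `# grafana.envs.net -> 192.168.1.6 (moni container) via /etc/hosts`, or an explicit upstream address so the vhost does not depend on the hosts file being installed first. `# include snippets/ddos_mid.conf;` is commented out in both server blocks; if leaving the rate limit off the Grafana login page is deliberate, a word on why would help. The same points apply to prometheus.envs.net.conf.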
diff --git a/etc/nginx/sites-available/matrix.envs.net.conf b/etc/nginx/sites-available/matrix.envs.net.conf
index 47724be..0600b6e 100644
--- a/etc/nginx/sites-available/matrix.envs.net.conf
+++ b/etc/nginx/sites-available/matrix.envs.net.conf
@@ -18,6 +18,8 @@ server {
 error_log /var/log/nginx/matrix.envs.net-error.log crit;
 
+client_max_body_size 100M;
+
+
 location / {
 include proxy_params;
 proxy_ssl_name $http_host;
diff --git a/etc/nginx/sites-available/pad.envs.net.conf b/etc/nginx/sites-available/pad.envs.net.conf
index cfc69cd..c30e8c9 100644
--- a/etc/nginx/sites-available/pad.envs.net.conf
+++ b/etc/nginx/sites-available/pad.envs.net.conf
@@ -18,6 +18,8 @@ server {
 error_log /var/log/nginx/pad.envs.net-error.log crit;
 
+client_max_body_size 100M;
+
+
 location / {
 include proxy_params;
 proxy_ssl_name $http_host;
@@ -52,4 +54,4 @@ server {
 location / {
 return 301 https://pad.envs.net/;
 }
-}
\ No newline at end of file
+}
diff --git a/etc/nginx/sites-available/pleroma.envs.net.conf b/etc/nginx/sites-available/pleroma.envs.net.conf
index 70dc0d4..8a707f6 100644
--- a/etc/nginx/sites-available/pleroma.envs.net.conf
+++ b/etc/nginx/sites-available/pleroma.envs.net.conf
@@ -18,6 +18,8 @@ server {
 error_log /var/log/nginx/pleroma.envs.net-error.log crit;
 
+client_max_body_size 64M;
+
+
 location / {
 include proxy_params;
 proxy_ssl_name $http_host;
diff --git a/etc/nginx/sites-available/prometheus.envs.net.conf b/etc/nginx/sites-available/prometheus.envs.net.conf
new file mode 100644
index 0000000..06bacb1
--- /dev/null
+++ b/etc/nginx/sites-available/prometheus.envs.net.conf
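Review bot: `client_max_body_size 100M;` here only raises the limit on the edge nginx; the request is proxied on to the container (`proxy_pass` in the `location /` below), so the container-side nginx limit and the application's own upload limit (for Synapse, `max_upload_size` in homeserver.yaml) must be at least as large or clients still get a 413 from upstream. A comment tying the value to the inner limit, e.g. `# keep in sync with max_upload_size in the matrix container`, would stop the two from drifting apart. The same applies to the pad.envs.net.conf (100M) and pleroma.envs.net.conf (64M) hunks. The `server` block starts and ends outside the hunk.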
@@ -0,0 +1,27 @@
+### PROMETHEUS.ENVS.NET - lxc ###
+server {
+include snippets/listen.conf;
+# include snippets/ddos_mid.conf;
+server_name prometheus.envs.net;
+
+return 307 https://$host$request_uri;
+}
+
+# SSL
+server {
+include snippets/listen_ssl.conf;
+# include snippets/ddos_mid.conf;
+server_name prometheus.envs.net;
+
+include snippets/ssl.conf;
+include ssl/envs_net_wild.conf;
+
+error_log /var/log/nginx/prometheus.envs.net-error.log crit;
+
+location / {
+include proxy_params;
+proxy_ssl_name $http_host;
+proxy_ssl_server_name on;
+proxy_pass https://prometheus.envs.net;
+}
+}
diff --git a/etc/nginx/sites-enabled/grafana.envs.net.conf b/etc/nginx/sites-enabled/grafana.envs.net.conf
new file mode 120000
index 0000000..087cba2
--- /dev/null
+++ b/etc/nginx/sites-enabled/grafana.envs.net.conf
@@ -0,0 +1 @@
+/etc/nginx/sites-available/grafana.envs.net.conf
\ No newline at end of file
diff --git a/etc/nginx/sites-enabled/prometheus.envs.net.conf b/etc/nginx/sites-enabled/prometheus.envs.net.conf
new file mode 120000
index 0000000..7cbf1be
--- /dev/null
+++ b/etc/nginx/sites-enabled/prometheus.envs.net.conf
@@ -0,0 +1 @@
+/etc/nginx/sites-available/prometheus.envs.net.conf
\ No newline at end of file
diff --git a/var/tilde/admins b/var/tilde/admins
index fa56131..6997cdf 160000
--- a/var/tilde/admins
+++ b/var/tilde/admins
@@ -1 +1 @@
-Subproject commit fa5613116baba05beead0186ea045287b8b01b1e
+Subproject commit 6997cdf8606bfc7a608a025eb883adef4dcefab5
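Review bot: The new `location /` proxies prometheus.envs.net to the container with no `auth_basic`, no `allow`/`deny` list and no client-certificate requirement, and the Prometheus web UI and HTTP API have no built-in authentication, so unless the container side enforces it (not visible here) the targets, metrics and any enabled admin or lifecycle endpoints become reachable from the internet. If the UI is meant to be public, say so in a comment; otherwise add `auth_basic`/`auth_basic_user_file` or an `allow`/`deny` block inside the location and confirm `--web.enable-admin-api` and `--web.enable-lifecycle` are off in the container. As in grafana.envs.net.conf, `proxy_pass https://prometheus.envs.net;` relies on the /etc/hosts mapping to 192.168.1.6 added in this commit and could use a comment saying so.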