creme 2019-10-14 22:08:03 +00:00
commit ff71b8fb76
154 changed files with 4484 additions and 0 deletions

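--- /dev/null
+++ b/Makefile
@@ -0,0 +1,117 @@
+BASENAME ?= envs
+PREFIX ?= /usr/local
+BINDIR ?= $(PREFIX)/bin
+YELLOW = $$(tput setaf 226)
+GREEN = $$(tput setaf 46)
+RED = $$(tput setaf 196)
+RESET = $$(tput sgr0)
+install:
+@make bin etc cron fail2ban initd letsencrypt nginx ssh sysctl systemd motd znc
+uninstall:
+@make clean
+clean:
+@printf "$(YELLOW)--- clean -----------------------------------------------\n$(RESET)"
+stow -t "$(BINDIR)" -D bin
+stow -t /etc/cron.d -D -d etc cron.d
+@rm -fv /etc/inetd.conf /etc/inputrc /etc/nanorc /etc/sudoers
+@rm -fv /etc/fail2ban/jail.d/envs.conf
+@rm -fv /etc/init.d/S41firewall
+@rm -fv /etc/letsencrypt/renewal-hooks/deploy/envs.sh
+stow -t /etc/nginx -D -d etc nginx
+@rm -fv /etc/ssh/ssh_config /etc/ssh/sshd_config
+stow -t /etc/sysctl.d -D -d etc sysctl.d
+stow -t /etc/systemd/system -D -d etc/systemd system
+stow -t /etc/update-motd.d -D -d etc update-motd.d
+@rm -fv /srv/znc/add_znc_user.sh /srv/znc/newuser.conf.template
+bin:
+@printf "$(GREEN)--- bin ------------------------------------------------\n$(RESET)"
+stow -t "$(BINDIR)" bin
+etc:
+@printf "$(GREEN)--- etc ------------------------------------------------\n$(RESET)"
+@install -m 644 etc/etc/inetd.conf /etc
+@install -m 644 etc/etc/inputrc /etc
+@install -m 644 etc/etc/nanorc /etc
+@install -m 644 etc/etc/sudoers /etc
+cron:
+@printf "$(GREEN)--- cron -----------------------------------------------\n$(RESET)"
+stow -t /etc/cron.d -d etc cron.d
+fail2ban:
+@printf "$(GREEN)--- letsencrypt ----------------------------------------\n$(RESET)"
+@install -m 755 etc/fail2ban/jail.d/envs.conf /etc/fail2ban/jail.d/
+initd:
+@printf "$(GREEN)--- init.d ---------------------------------------------\n$(RESET)"
+@install -m 755 etc/init.d/S41firewall /etc/init.d/
+letsencrypt:
+@printf "$(GREEN)--- letsencrypt ----------------------------------------\n$(RESET)"
+@install -m 755 etc/letsencrypt/renewal-hooks/deploy/envs.sh /etc/letsencrypt/renewal-hooks/deploy/
+nginx:
+@printf "$(GREEN)--- nginx ----------------------------------------------\n$(RESET)"
+@rm -rf /etc/nginx/conf.d /etc/nginx/modules-available
+stow -t /etc/nginx -d etc nginx
+@mkdir /etc/nginx/conf.d /etc/nginx/modules-available
+ssh:
+@printf "$(GREEN)--- ssh ------------------------------------------------\n$(RESET)"
+@install -m 644 etc/ssh/ssh_config /etc/ssh/
+@install -m 644 etc/ssh/sshd_config /etc/ssh/
+sysctl:
+@printf "$(GREEN)--- sysctl.d -------------------------------------------\n$(RESET)"
+stow -t /etc/sysctl.d -d etc sysctl.d
+systemd:
+@printf "$(GREEN)--- systemd --------------------------------------------\n$(RESET)"
+stow -t /etc/systemd/system -d etc/systemd system
+motd:
+@printf "$(GREEN)--- motd -----------------------------------------------\n$(RESET)"
+stow -t /etc/update-motd.d -d etc update-motd.d
+znc:
+@printf "$(GREEN)--- znc ------------------------------------------------\n$(RESET)"
+@install -m 755 srv/znc/add_znc_user.sh /srv/znc
+@install -m 644 srv/znc/newuser.conf.template /srv/znc
+@chown znc:znc /srv/znc/add_znc_user.sh /srv/znc/newuser.conf.template
+nuke:
+@printf "$(RED)--- nuking existing files ---------------------------------\n$(RESET)"
+@rm -fv "$(BINDIR)"/conntrack.sh "$(BINDIR)"/envs_conntracks.sh
+@rm -fv "$(BINDIR)"/envs_* "$(BINDIR)"/envs_user_manage "$(BINDIR)"/welcome-email.tmpl "$(BINDIR)"/welcome-readme.tmpl
+@rm -fv "$(BINDIR)"/byobu-info "$(BINDIR)"/chat "$(BINDIR)"/dcss "$(BINDIR)"/hole "$(BINDIR)"/idiff "$(BINDIR)"/motd \
+"$(BINDIR)"/online-users "$(BINDIR)"/webirc
+@rm -fv /etc/cron.d/conntrack /etc/cron.d/envs_* /etc/cron.d/backup \
+/etc/cron.d/botany /etc/cron.d/certbot /etc/cron.d/update-blacklist /etc/cron.d/update-blacklist_fail2ban
+@rm -fv /etc/fail2ban/jail.d/envs.conf
+@rm -fv /etc/init.d/S41firewall
+@rm -fv /etc/letsencrypt/renewal-hooks/deploy/envs.sh
+@rm -rfv /etc/nginx/*
+@rm -fv /etc/ssh/ssh_config /etc/ssh/sshd_config
+@rm -fv /etc/sysctl.d/10-kernel-hardening.conf /etc/sysctl.d/30-lxc-inotify.conf \
+/etc/sysctl.d/fs.conf /etc/sysctl.d/net.conf /etc/sysctl.d/panic.conf /etc/sysctl.d/protect-links.conf
+@rm -fv /etc/systemd/system/bbj.service /etc/systemd/system/gopherproxy.service \
+/etc/systemd/system/ifconfigme.service /etc/systemd/system/thelounge.service /etc/systemd/system/znc.service
+@rm -fv /etc/update-motd.d/*
+@rm -fv /srv/znc/add_znc_user.sh /srv/znc/newuser.conf.template
+.PHONY: install clean uninstall nuke bin etc cron fail2ban initd letsencrypt nginx ssh sysctl systemd motd znc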
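Review bot: `@install -m 644 etc/etc/sudoers /etc` in the `etc` target installs sudoers world-readable, and sudo in its default configuration rejects a sudoers file whose mode is not 0440 ("should be 0440 ... no valid sudoers sources found"), so running this target disables sudo on the host until the mode is fixed by hand. Install it as `install -m 440 -o root -g root etc/etc/sudoers /etc` and validate first with `visudo -cf etc/etc/sudoers`; the `ssh` target deserves the same guard, `sshd -t -f etc/ssh/sshd_config`, before it overwrites the live /etc/ssh/sshd_config and a typo locks everyone out. `@install -m 755 etc/fail2ban/jail.d/envs.conf` makes a configuration file executable (and its banner says "letsencrypt"); `-m 644` is the right mode. `install` and `uninstall` recurse with a bare `@make`, which drops `-n`, the jobserver and command-line variables such as `PREFIX`; use `$(MAKE)`.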

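--- /dev/null
+++ b/README.md
@@ -0,0 +1 @@
+# envs.net - ops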

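--- /dev/null
+++ b/bin/av98
@@ -0,0 +1,3 @@
+#!/bin/sh
+python3 /opt/services/AV-98/av98.py "$@"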

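--- /dev/null
+++ b/bin/byobu-info
@@ -0,0 +1,15 @@
+#!/usr/bin/env sh
+/usr/local/bin/motd
+/usr/bin/figlet -f smslant welcome!
+printf "you're in a byobu session\n"
+printf "if you're familiar with tmux, continue as normal, but with ctrl-a instead of ctrl-b\n"
+printf "if you don't want to this happen by default when you log in, run byobu-disable.\n"
+printf 'press shift-f1 for a full list of keybinds\n'
+printf 'man byobu for more info\n\n'
+printf 'f2 creates a new tab\n'
+printf 'f3 and f4 move you between tabs\n'
+printf 'f6 disconnects and leaves everything running\n'
+printf 'shift-f12 disable/enable byobu f-key bindings\n'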

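--- /dev/null
+++ b/bin/chat
@@ -0,0 +1,3 @@
+#!/bin/sh
+weechat "$@"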

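--- /dev/null
+++ b/bin/conntrack.sh
@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+[[ "$EUID" -ne 0 ]] && printf 'Please run as root!\n' && exit 1
+f="/var/log/conntrack.log"
+d="$(date)"
+n1="$(/sbin/sysctl -a 2>&1 | grep -i 'net.netfilter.nf_conntrack_max')"
+n2="$(/sbin/sysctl -a 2>&1 | grep -i 'net.nf_conntrack_max')"
+c="$(/sbin/sysctl net.netfilter.nf_conntrack_count)"
+echo "conntrack: $d: $n1, $n2, $c" >> $f
+#
+exit 0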
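Review bot: The record written by `echo "conntrack: $d: $n1, $n2, $c" >> $f` embeds `$(date)` in its locale-dependent default layout, and bin/envs_conntracks.sh in this same commit reads that line positionally (`awk '{print $17}'`), so a different locale, a timezone abbreviation of another width, or a change in sysctl's output shifts the field and silently corrupts the sum. Writing a fixed-width timestamp, `d="$(date +%FT%T%z)"`, and the bare values, `n1="$(/sbin/sysctl -n net.netfilter.nf_conntrack_max)"`, gives downstream readers a stable format; the current `sysctl -a 2>&1 | grep` also walks every key twice and folds permission errors from stderr into the grep input. Quote the target, `>> "$f"`, for consistency with the rest of the script.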

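--- /dev/null
+++ b/bin/dcss
@@ -0,0 +1,11 @@
+#!/bin/sh
+set -e
+SOURCEKEY="https://crawl.tildeverse.org/dcss.key"
+MYKEY="${HOME}/.ssh/dcss.key"
+if [ ! -f "$MYKEY" ]; then
+mkdir -p "${HOME}/.ssh"
+curl -s "$SOURCEKEY" > "$MYKEY"
+chmod 600 "$MYKEY"
+fi
+ssh -i "$MYKEY" dcss@crawl.tildeverse.org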
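Review bot: `curl -s "$SOURCEKEY" > "$MYKEY"` stores whatever the server answers as the SSH key, including an HTML error page, because without `-f` curl exits 0 on an HTTP 4xx/5xx and `set -e` never fires; the `-f` check exists once (`[ ! -f "$MYKEY" ]`), so a bad download is then cached forever. The file is also created with the caller's default umask (commonly 0644) and only narrowed afterwards by the `chmod 600`. `(umask 077; curl -fsS "$SOURCEKEY" > "$MYKEY")` fixes both in one line. The key is a shared credential published for a public game server, so its exposure is by design, but note that the host key of crawl.tildeverse.org is not pinned here and the first connection is trust-on-first-use.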

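--- /dev/null
+++ b/bin/envs_conntracks.sh
@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+[[ "$EUID" -ne 0 ]] && printf 'Please run as root!\n' && exit 1
+log_file='/var/log/envs_conntrack.log'
+c_local="$(tail -1 /var/log/conntrack.log | awk '{print $17}')"
+lxc_c=( $(for i in $(lxc-ls --active -1); do tail -1 /var/lib/lxc/"$i"/rootfs/var/log/conntrack.log | awk '{print $15}' ; done) )
+lxc_sum="$(echo $(printf %d+ ${lxc_c[@]})0 | bc)"
+c_sum="$((c_local + lxc_sum))"
+echo "conntrack: $c_sum" >> "$log_file"
+exit 0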
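Review bot: The `lxc_c=( $(for i in ...; do tail -1 /var/lib/lxc/"$i"/rootfs/var/log/conntrack.log ...` line runs as root on the host and opens a path inside each container's rootfs, so a container that replaces that file (or a directory above it) with a symlink can make the host read any host file; only field 15 reaches `printf %d`, which rejects non-numeric input, so what leaks is bounded, but the container still chooses the number that enters the total. Reading the value inside the container's own namespace, `lxc-attach -n "$i" -- tail -1 /var/log/conntrack.log`, and validating it before the `bc` expression, `[[ $v =~ ^[0-9]+$ ]] || continue`, closes both points; the unquoted `$(...)` array assignment also word-splits and glob-expands the output. The field indexes `$17` and `$15` depend on the `$(date)` layout that bin/conntrack.sh writes, which is not fixed.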

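--- /dev/null
+++ b/bin/envs_gemini_genpage.sh
@@ -0,0 +1,58 @@
+#!/usr/bin/env bash
+#
+# envs.net - generate index.gmi
+# - this script is called by /etc/cron.d/envs_gemini
+#
+[[ "$EUID" -ne 0 ]] && printf 'Please run as root!\n' && exit 1
+###
+userlist() {
+mapfile -t users < <(jq -Mr '.data.users|keys[]' /var/www/envs.net/users_info.json)
+for USERNAME in "${users[@]}"; do
+if [ -f /home/"$USERNAME"/public_gemini/index.gmi ]; then
+[[ ! -L /var/gemini/\~"$USERNAME" ]] && ln -s /home/"$USERNAME"/public_gemini /var/gemini/\~"$USERNAME"
+printf '=> gemini://envs.net/~%s/ ~%s\n' "$USERNAME" "$USERNAME"
+else
+[[ -L /var/gemini/\~"$USERNAME" ]] && unlink /var/gemini/\~"$USERNAME"
+fi
+done
+}
+#
+# INDEX.GMI
+#
+cat << EOM >> /tmp/index.gmi_tmp
+welcome on envs.net - gemini
+$(figlet -f smslant envs.net)
+environments
+envs.net is a minimalist, non-commercial
+shared unix system and will always be free to use.
+we are linux lovers, sysadmins, programmer and users who like build
+webpages, write blogs, chat online, play cool console games and so much
+more. you wish to join with an small user space?
+join the team today!
+=> https://envs.net/signup/ signup for a envs.net account (html)
+visit us in gopher and html lands for more info.
+=> https://envs.net website (html)
+=> gopher://envs.net gophermap (gopher)
+here is a list of our esteemed users:
+if you are not appearing on this list, create your index.gmi in ~/public_gemini
+$(userlist)
+EOM
+mv /tmp/index.gmi_tmp /var/gemini/index.gmi
+#
+exit 0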
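Review bot: `cat << EOM >> /tmp/index.gmi_tmp` appends to a fixed, predictable path in /tmp as root: a leftover file from an interrupted run is prepended to the next index, and unless fs.protected_symlinks is active (the sysctl files listed elsewhere in this commit suggest it may be, but that is not visible here) a pre-planted symlink redirects the write. Use a private temporary file and truncate it, `tmp="$(mktemp)"`, `cat << EOM > "$tmp"`, then `chmod 644 "$tmp" && mv "$tmp" /var/gemini/index.gmi` — the chmod matters because mktemp creates 0600 and `mv` keeps that mode, which would leave the served index unreadable to the gemini daemon. Note that the user names come from users_info.json, which bin/envs_user_updated.sh builds from user-supplied text, so `userlist` should treat them as untrusted path components.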

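--- /dev/null
+++ b/bin/envs_mysql.sh
@@ -0,0 +1,45 @@
+#!/usr/bin/env bash
+CMD="$1"
+DB="$2"
+BACKUP_DIR="/home/$USER/backup"
+print_usage() {
+printf 'envs.net | mysql backup & restore\n\n'
+printf 'Usage: %s\n\t backup\t\t\t - backup your default user database (%s)\n' "$(basename "$0")" "$USER"
+printf '\t backup <db_name>\t - backup database\n'
+printf '\t restore\t\t - restore your latest user database\n'
+printf '\t restore <db_name>\t - restore database\n'
+}
+backup() {
+[[ -z "$DB" ]] && DB="$USER"
+test ! -d "$BACKUP_DIR" && mkdir -p "$BACKUP_DIR" && chmod 700 "$BACKUP_DIR"
+mysqldump -u "$USER" "$DB" -p | gzip -c > "$BACKUP_DIR"/db_"$(date +%F.%H%M%S)".sql.gz
+find "$BACKUP_DIR"/db_*.gz -maxdepth 1 -type f -mtime +7 -delete
+}
+restore() {
+if [[ -z "$DB" ]]; then
+latest=''; for f in "$BACKUP_DIR"/db_*.gz; do [[ "$f" -nt "$latest" ]] && latest="$f"; done
+[[ -z "$latest" ]] && printf 'no restore file found in %s!\n' "$BACKUP_DIR" && exit 0
+DB="$latest"
+gunzip < "$DB" | mysql -u "$USER" "$USER" -p
+else
+gunzip < "$BACKUP_DIR"/"$DB" | mysql -u "$USER" "$DB" -p
+fi
+}
+[[ $# -lt 1 ]] && print_usage && exit 1
+case "$CMD" in
+backup*) backup;;
+restore*) restore;;
+*) print_usage;;
+esac
+#
+exit 0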
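Review bot: In `backup`, `mysqldump -u "$USER" "$DB" -p | gzip -c > "$BACKUP_DIR"/db_...sql.gz` produces an archive even when mysqldump fails (wrong password, missing database), because the pipeline's status is gzip's and nothing checks it; the near-empty `.sql.gz` then becomes the "latest" file that `restore` picks, while the following `find ... -mtime +7 -delete` keeps pruning the last good backups. Add `set -o pipefail` at the top, capture the target path in a variable, and follow the dump with `|| { rm -f "$out"; exit 1; }` so the prune never runs after a failed dump. Separately, `restore <db_name>` uses `$DB` both as a file name under `$BACKUP_DIR` (`gunzip < "$BACKUP_DIR"/"$DB"`) and as the database handed to `mysql`, which cannot both be correct for one argument; the usage text should state which is meant and the other should be derived or asked for.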

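--- /dev/null
+++ b/bin/envs_stats.sh
@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+[[ "$EUID" -ne 0 ]] && printf 'Please run as root!\n' && exit 1
+test ! -f /var/www/envs.net/stats/ && mkdir -p /var/www/envs.net/stats/
+{
+zcat /var/log/nginx/other_vhosts_access.*.gz
+cat /var/log/nginx/other_vhosts_access.log.1
+cat /var/log/nginx/other_vhosts_access.log
+} | awk '$8=$1$8' | goaccess -a \
+-o /var/www/envs.net/stats/index.html \
+--ignore-panel=HOSTS \
+--ignore-panel=KEYPHRASES \
+--log-format=VCOMBINED -
+exit 0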
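Review bot: `test ! -f /var/www/envs.net/stats/ && mkdir -p ...` tests for a regular file, which a directory never is, so the guard is always true and the `mkdir -p` runs every time; it is harmless only because of `-p`, but the intent is `-d`. Since the script runs as root and the directory is served by nginx, create it with an explicit mode and owner once, `install -d -m 755 -o root -g www-data /var/www/envs.net/stats`, which replaces both the test and the mkdir. The `cat` of `other_vhosts_access.log.1` fails noisily on a host where that rotation does not exist yet; `cat ... 2>/dev/null || true` (or a `-f` guard) keeps the report running on a fresh install.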

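--- /dev/null
+++ b/bin/envs_sysinfo.sh
@@ -0,0 +1,330 @@
+#!/usr/bin/env bash
+#
+# envs.net - generate sysinfo.json and sysinfo.php
+# - this script is called by /etc/cron.d/envs_sysinfo
+#
+WWW_PATH='/var/www/envs.net'
+DOMAIN='envs.net'
+[[ "$EUID" -ne 0 ]] && printf 'Please run as root!\n' && exit 1
+###
+# define packages by category for sysinfo.php Page
+services=(0x0 bbj cryptpad getwtxt gitea gophernicus jetforce mariadb-server nginx openssh-server privatebin searx termbin tt-rss thelounge znc)
+readarray -t sorted_services < <(printf '%s\n' "${services[@]}" | sort)
+shells=(bash csh dash elvish fish ksh mksh sash tcsh xonsh yash zsh)
+readarray -t sorted_shells < <(printf '%s\n' "${shells[@]}" | sort)
+editors=(emacs micro nano neovim vim)
+readarray -t sorted_editors < <(printf '%s\n' "${editors[@]}" | sort)
+inet_clients=(alpine av98 bombadillo curl irssi lynx neomutt mutt mosh openssh-client pb toot weechat wget vf1)
+readarray -t sorted_inet_clients < <(printf '%s\n' "${inet_clients[@]}" | sort)
+coding_pkg=(cargo clang clisp clojure crystal default-jdk default-jre elixir erlang flex
+g++ gcc gcl gdc gforth ghc go golang guile-2.2 inform lua5.1 lua5.2 lua5.3 mono-complete
+nasm nodejs octave perl php picolisp ponyc python python2.7 python3 racket ruby rustc scala tcl yasm)
+readarray -t sorted_coding_pkg < <(printf '%s\n' "${coding_pkg[@]}" | sort)
+coding_tools=(ack bison build-essential clisp cl-launch cvs devscripts ecl gawk git gron initscripts jq latex-mk latexmk
+make mawk mercurial rake ripgrep sbcl shellcheck subversion texlive-full virtualenv yarn)
+readarray -t sorted_coding_tools < <(printf '%s\n' "${coding_tools[@]}" | sort)
+misc=(aria2 bc busybox burrow byobu clinte gfu goaccess hugo jekyll mariadb-client mathomatic mathtex mkdocs
+pandoc pelican screen sqlite3 tmux todotxt-cli twtxt zola)
+readarray -t sorted_misc < <(printf '%s\n' "${misc[@]}" | sort)
+###
+custom_pkg_desc() {
+local pkg="$1"
+case "$pkg" in
+# packages
+av98) pkg_desc='AV-98 - Command line gemini client. High speed, low drag.';;
+bombadillo) pkg_desc='Bombadillo is a modern Gopher & Gemini client for the terminal';;
+burrow) pkg_desc='a helper for building and managing a gopher hole';;
+clinte) pkg_desc='a community notices system';;
+crystal) pkg_desc='Compiler for the Crystal language';;
+gfu) pkg_desc='A utility for formatting gophermaps';;
+go) pkg_desc='tool for managing Go source code';;
+goaccess) pkg_desc='fast web log analyzer and interactive viewer';;
+micro) pkg_desc='a new modern terminal-based text editor';;
+pb) pkg_desc='a helper utility for using 0x0 pastebin services';;
+twtxt) pkg_desc='Decentralised, minimalist microblogging service for hackers';;
+vf1) pkg_desc='VF-1 - Command line gopher client. High speed, low drag.';;
+zola) pkg_desc='single-binary static site generator written in rust';;
+esac
+}
+#
+# SYSINFO.JSON
+#
+JSON_FILE="$WWW_PATH/sysinfo.json"
+TMP_JSON='/tmp/sysinfo.json_tmp'
+print_pkg_version() {
+local pkg_version
+for pkg in $(dpkg-query -f '${binary:Package}\n' -W); do
+pkg_version="$(dpkg-query -f '${Version}\n' -W "$pkg")"
+printf '\t\t\t"%s": "%s",\n' "$pkg" "$pkg_version"
+done
+}
+cat<<EOM > "$TMP_JSON"
+{
+"timestamp": "$(date +'%s')",
+"data": {
+"info": {
+"name": "envs",
+"description": "envs.net is a minimalist, non-commercial shared unix system and will always be free to use.",
+"located": "germany",
+"maintainer": "Sven Kinne (~creme) - creme@envs.net",
+"website": "https://$DOMAIN",
+"signup_url": "https://$DOMAIN/signup/",
+"gopher": "gopher://envs.net/",
+"email": "hostmaster@$DOMAIN",
+"admin_email": "sudoers@$DOMAIN",
+"user_count": $(find /home -mindepth 1 -maxdepth 1 | wc -l)
+},
+"system": {
+"os": "$(lsb_release -sd)",
+"uptime": "$(cat /proc/uptime)",
+"uname": "$(uname -a)",
+"board": "$(hostnamectl status | awk '/Chassis/ {print $2}')",
+"cpuinfo": "$(awk '/system type|model name/{gsub(/^.*:[ ]*/,"");print $0;exit}' /proc/cpuinfo)",
+"cpucount": "$(grep -c ^processor /proc/cpuinfo)"
+},
+"services": {
+"0x0": {
+"desc": "the null pointer - file hosting and url shortener",
+"version": "-",
+"url": "https://envs.sh/"
+},
+"bbj": {
+"desc": "Bulletin Butter & Jelly: An HTTP bulletin board server for small communities",
+"version": "-",
+"url": "https://bbj.envs.net/"
+},
+"cryptpad": {
+"desc": "collaborative real time editing",
+"version": "$(curl -s https://pad."$DOMAIN"/api/config | awk '/ver=/ {print $2}' | sed -e 's/"ver=//' -e '$ s/"$//')",
+"url": "https://pad.envs.net/"
+},
+"getwtxt": {
+"desc": "a twtxt registry service",
+"version": "$(curl -s https://twtxt."$DOMAIN"/api/plain/version | sed 's/getwtxt v//')",
+"url": "https://twtxt.envs.net/"
+},
+"gitea": {
+"desc": "a painless self-hosted git service written in go",
+"version": "$(lxc-attach -n gitea -- bash -c "gitea --version | awk '{print \$3}'")",
+"url": "https://git.envs.net/"
+},
+"gophernicus": {
+"desc": "a modern full-featured (and hopefully) secure gopher daemon",
+"version": "$(/usr/sbin/gophernicus -v | sed 's/Gophernicus\///' | awk '{print $1}')",
+"url": "gopher://envs.net/"
+},
+"jetforce": {
+"desc": "an tcp server for the gemini protocol",
+"version": "$(/usr/local/bin/jetforce -V | awk '{printf $2}')",
+"url": "gemini://envs.net/"
+},
+"privatebin": {
+"desc": "a pastebin service",
+"version": "$(lxc-attach -n pb -- bash -c "awk '/Current version:/ {print \$3}' /var/www/PrivateBin/README.md | sed '$ s/*$//'")",
+"url": "https://pb.envs.net/"
+},
+"searx": {
+"desc": "privacy-respecting metasearch engine",
+"version": "$(curl -s https://searx."$DOMAIN"/config | jq -Mr .version)",
+"url": "https://searx.envs.net/"
+},
+"termbin": {
+"desc": "a command line pastebin",
+"version": "-",
+"url": "https://tb.envs.net/"
+},
+"thelounge": {
+"desc": "a self-hosted web irc client",
+"version": "$(sudo -u thelounge /srv/thelounge/.yarn/bin/thelounge -v | sed 's/v//')",
+"url": "https://webirc.envs.net/"
+},
+"tt-rss": {
+"desc": "tiny tiny rss - web-based news feed (rss/atom) aggregator",
+"version": "$(lxc-attach -n rss -- bash -c "dpkg -s tt-rss | awk '/Version:/ {print \$2}' | head -n1")",
+"url": "https://rss.envs.net/"
+},
+"znc": {
+"desc": "advanced modular irc bouncer",
+"version": "$(dpkg -s znc | awk '/Version:/ {print $2}' | head -n1)",
+"url": "https://znc.envs.net/"
+}
+},
+"packages": {
+"av98": "$(/usr/local/bin/av98 --version | awk '{print $2}')",
+"bombadillo": "$(/usr/local/bin/bombadillo -v | sed 's/Bombadillo v//')",
+"burrow": "$(/usr/local/bin/burrow -v | sed 's/v//')",
+"clinte": "$(/usr/local/bin/clinte -V | awk '{print $2}')",
+"gfu": "$(/usr/local/bin/gfu -v | sed '/version/s/.*version \([^ ][^ ]*\)[ ]*.*/\1/')",
+"go": "$(sed 's/go//' /usr/local/go/VERSION)",
+"goaccess": "$(/usr/bin/goaccess -V | head -1 | sed -e 's/GoAccess - //' -e '$ s/.$//')",
+"micro": "$(/usr/local/bin/micro -version | head -n1 | awk '{print $2}')",
+"pb": "$(/usr/local/bin/pb -v)",
+"twtxt": "$(/usr/local/bin/twtxt --version | awk '{printf $3}')",
+"vf1": "$(/usr/local/bin/vf1 --version | awk '{print $2}')",
+"zola": "$(/usr/local/bin/zola -V | awk '{print $2}')",
+$(print_pkg_version)
+EOM
+# remove trailing ',' on last line
+sed -i '$ s/,$//' "$TMP_JSON"
+cat<<EOM >> "$TMP_JSON"
+}
+}
+}
+EOM
+mv "$TMP_JSON" "$JSON_FILE"
+chown root:www-data "$JSON_FILE"
+#
+# SYSINFO.PHP
+#
+print_pkg_info() {
+local pkg="$1"
+local pkg_version
+pkg_version="$(jq -Mr '.data.packages."'"$pkg"'"|select (.!=null)' "$JSON_FILE")"
+[[ "$pkg_version" = '' ]] && pkg_version='n.a.'
+local pkg_desc
+custom_pkg_desc "$pkg"
+[[ "$pkg_desc" = '' ]] && pkg_desc="$(apt-cache show "$pkg" | awk '/Description-en/ {print substr($0, index($0,$3))}' | head -1)"
+[[ "$pkg_desc" = '' ]] && pkg_desc="$(apt-cache search ^"$pkg"$ | awk '{print substr($0, index($0,$3))}')"
+[[ "$pkg_desc" = '' ]] && pkg_desc='n.a.'
+# remove description-en string
+pkg_desc="${pkg_desc//Description-en: /}"
+# replace double qoutes with single qoute
+pkg_desc="${pkg_desc//\"/\'}"
+# string to lowercase
+pkg_desc="${pkg_desc,,}"
+printf '\t<tr> <td>%s</td> <td>%s</td> <td>%s</td> </tr>\n' "$pkg" "$pkg_version" "$pkg_desc"
+}
+print_pkg_info_services() {
+local pkg="$1"
+local pkg_desc
+pkg_desc="$(jq -Mr '.data.services."'"$pkg"'".desc|select (.!=null)' "$JSON_FILE")"
+local pkg_version
+pkg_version="$(jq -Mr '.data.services."'"$pkg"'".version|select (.!=null)' "$JSON_FILE")"
+local s_url
+s_url="$(jq -Mr '.data.services."'"$pkg"'".url|select (.!=null)' "$JSON_FILE")"
+printf '\t<tr> <td><a href="%s" target="_blank">%s</a></td> <td>%s</td> <td>%s</td> </tr>\n' "$s_url" "$pkg" "$pkg_version" "$pkg_desc"
+}
+print_category() {
+local category="$1"
+shift
+local arr=("$@")
+if [ "$category" = 'services' ]; then
+printf '<details open=""><summary class="menu" id="%s"><strong>&#35; %s</strong></summary>\n' "$category" "${category//_/ }"
+else
+printf '<details><summary class="menu" id="%s"><strong>&#35; %s</strong></summary>\n' "$category" "${category//_/ }"
+fi
+printf '<table id="table_pkg">\n'
+printf '<tr> <th width="140px">Package</th> <th width="280px">Version</th> <th>Description</th></tr>\n'
+if [ "$category" = 'services' ]; then
+for pkg in "${arr[@]}"; do
+# check service is in json
+s_in_j="$(jq -Mr '.data.services."'"$pkg"'"|select (.!=null)' "$JSON_FILE")"
+if [ -n "$s_in_j" ]; then
+print_pkg_info_services "$pkg"
+else
+print_pkg_info "$pkg"
+fi
+done
+else
+for pkg in "${arr[@]}"; do print_pkg_info "$pkg"; done
+fi
+printf '</table></details>\n'
+}
+cat<<EOM > /tmp/sysinfo.php_tmp
+<?php
+// do not touch
+// this files is generated by /usr/local/bin/envs_sysinfo.sh
+\$title = "$DOMAIN | sysinfo";
+\$desc = "$DOMAIN | sysinfo";
+include 'header.php';
+?>
+<body id="body" class="dark-mode">
+<div>
+<div class="button_back">
+<pre class="clean"><strong><a href="/">&lt; back</a></strong></pre>
+</div>
+<div id="main">
+<div class="block">
+<pre>
+<h1><em>sysinfo</em></h1>
+<em>full data source: <a href="/sysinfo.json">https://$DOMAIN/sysinfo.json</a></em>
+<em>webserver stats: <a href="/stats/">https://$DOMAIN/stats/</a></em>
+<em>server admin: <a href="/~creme/">&#126;creme</a></em>
+</pre>
+</div>
+<pre>
+this is a static list of the package informations. it updates once per day.
+<strong>&#35; can i get [package] installed?</strong>
+probably! send an email with your suggestion to <a href="mailto:sudoers@$DOMAIN">sudoers@$DOMAIN</a>.
+$(print_category 'services' "${sorted_services[@]}")
+$(print_category 'shells' "${sorted_shells[@]}")
+$(print_category 'editors' "${sorted_editors[@]}")
+$(print_category 'online_browser_and_clients' "${sorted_inet_clients[@]}")
+$(print_category 'coding_packages' "${sorted_coding_pkg[@]}")
+$(print_category 'coding_tools' "${sorted_coding_tools[@]}")
+$(print_category 'misc' "${sorted_misc[@]}")
+</pre>
+</div>
+<?php include 'footer.php'; ?>
+EOM
+mv /tmp/sysinfo.php_tmp "$WWW_PATH"/sysinfo.php
+chown root:www-data "$WWW_PATH"/sysinfo.php
+#
+exit 0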
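Review bot: The version strings spliced into the JSON heredoc at lines such as `"version": "$(curl -s https://pad."$DOMAIN"/api/config | ...)"` and the `lxc-attach -n gitea ...` / `lxc-attach -n pb ...` lines come from other services and containers and are written without any escaping, so a `"` or `\` in one response (or an error page from a service that is down) breaks sysinfo.json for every consumer — the jq lookups in print_pkg_info then degrade to 'n.a.' — and print_pkg_info_services later prints the same values raw into the HTML table. Encoding each value with `jq -Rn --arg v "$v" '$v'`, or assembling the document with jq instead of a heredoc, removes that fragility; the HTML side needs at least `&`, `<`, `>` and `"` replaced. `TMP_JSON='/tmp/sysinfo.json_tmp'` and `/tmp/sysinfo.php_tmp` are fixed names written by root; `mktemp` avoids the predictable path, bearing in mind that it creates 0600 and the result must still be readable by www-data after the `mv`. The loop in print_pkg_version spawns one dpkg-query per installed package; a single `dpkg-query -W -f '\t\t\t"${binary:Package}": "${Version}",\n'` emits the same lines.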

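--- /dev/null
+++ b/bin/envs_toot
@@ -0,0 +1,11 @@
+#!/usr/bin/env sh
+printf 'toot as envs.net\n\n'
+if [ -n "$1" ] && [ -z "$2" ]; then
+sudo -u services /usr/bin/toot post "$1"
+else
+printf 'usage: envs_toot "your message"\n'
+fi
+exit 0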
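Review bot: `sudo -u services /usr/bin/toot post "$1"` hands the message to toot as its next argument, so a message beginning with `-` is parsed as an option rather than text (toot has options that name files to attach, which would then be read as the `services` user); this matters if a sudoers rule exposes this wrapper to ordinary users, which is not visible here. If toot's CLI honours the POSIX `--` separator, `toot post -- "$1"` pins the argument as the message; otherwise reject leading dashes with `case "$1" in -*) printf 'message may not start with -\n'; exit 1;; esac`. The usage branch also exits 0, so callers cannot tell a rejected call from a successful one; `exit 1` there is conventional.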

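--- /dev/null
+++ b/bin/envs_user_manage
@@ -0,0 +1,175 @@
+#!/usr/bin/env bash
+domain='envs.net'
+short_dom="$(echo $domain | awk -F. '{printf $1}')"
+cmd="$1"
+user="$2"
+mailTo="$3"
+ssh_pubkey="$4"
+newpw=$(pwgen -s 12 1)
+pwcrypt=$(perl -e "print crypt('${newpw}', 'sa');")
+# mail header
+head_mime='MIME-Version: 1.0'
+head_type='Content-type: text/plain; charset=utf-8'
+head_def="$head_mime\r\n$head_type"
+###
+add_user_db() {
+mysql -u root << EOF
+CREATE DATABASE $user;
+GRANT ALL PRIVILEGES ON $USER.* TO '$user'@'localhost' IDENTIFIED BY '$newpw';
+FLUSH PRIVILEGES;
+EOF
+}
+del_user_db() {
+mysqldump -u root "$user" > /tmp/"$user".sql
+mv /tmp/"$user".sql /root/mysql_dumps/"$user".sql
+mysql -u root << EOF
+DROP DATABASE $user;
+FLUSH PRIVILEGES;
+EOF
+}
+add_user() {
+useradd -m -g 9999 -s /bin/bash -p "$pwcrypt" "$user"
+# set user quota
+echo "$user hard nproc 200" | tee /etc/security/limits.d/"$user" >/dev/null 2>&1
+setquota -u "$user" 1024M 1536M 0 0 /
+# set mail aliases
+echo "$user: $user@$domain" | tee -a /etc/aliases >/dev/null 2>&1
+echo "$user: $user@$domain" | tee -a /etc/email-addresses >/dev/null 2>&1
+# systemd service
+chown -R "$user":"$short_dom" /home/"$user"/.config/systemd/user/
+# set users ssh pub key
+if [ -n "$ssh_pubkey" ]; then
+echo "$ssh_pubkey" | tee /home/"$user"/.ssh/authorized_keys
+else
+nano /home/"$user"/.ssh/authorized_keys
+fi
+chmod 700 /home/"$user"/.ssh/
+chmod 644 /home/"$user"/.ssh/authorized_keys
+chown -R "$user":"$short_dom" /home/"$user"/.ssh
+# setup database
+add_user_db
+# setup email mailbox
+lxc-attach -n mail -- bash -c "/usr/local/bin/coreapi action accounts create \
+-p username=$user@$domain -p role=SimpleUsers -p language=en \
+-p password=$newpw -p secondary_email=$mailTo >/dev/null 2>&1 "
+sleep 3
+# send readme mail
+readme_sub="Subject: Welcome ~$user | please readme!"
+readme_mail="$head_def\r\nTo: $user@$domain\r\nFrom: sudoers@$domain\r\n$readme_sub"
+echo -e "$readme_mail\r\n$(cat /usr/local/bin/welcome-readme.tmpl)" | sendmail "$user"@"$domain"
+# send welcome mail
+wel_sub="Subject: Welcome to $domain | ~$user"
+wel_mail="$head_def\r\nTo: $mailTo\r\nCC: $user@$domain\r\nFrom: hosting@$domain\r\n$wel_sub"
+sleep 1 && echo -e "$wel_mail\r\n$(sed -e s/_username_/"$user"/g -e s/_password_/"$newpw"/ /usr/local/bin/welcome-email.tmpl)" \
+| sendmail "$user"@"$domain" "$mailTo"
+# subscribing to mailing list
+sleep 1 && echo -e "$head_def\r\nTo: team-join@$domain\r\nFrom: $user@$domain\r\nSubject: subscribe\r\n" \
+| sudo -u "$user" sendmail team-join@"$domain"
+# setup mutt
+echo -e "$(sed -e s/_username_/"$user"/g -e s/_password_/"$newpw"/ /home/"$user"/.muttrc)" > /home/"$user"/.muttrc
+chmod go-r /home/"$user"/.muttrc
+printf '\n~%s\n' "$user" > /home/"$user"/.mutt/signature
+# setup znc account
+sudo -u znc pkill -SIGUSR1 znc && pkill znc
+sudo -u znc /srv/znc/add_znc_user.sh "$user"
+systemctl start znc
+# setup weechat
+sed -i s/_username_/"$user"/g /home/"$user"/.weechat/irc.conf
+# cleanup /etc/skel/ git stuff from user home
+rm -rf /home/"$user"/.git /home/"$user"/README.md
+# envs user update (userlist, recently updates and users_info.json)
+/usr/local/bin/envs_user_updated.sh
+# announcing new user on mastodon
+sudo -u services toot post "welcome new user ~$user"
+}
+del_user() {
+# unsubscribe mailing list
+# ??
+echo -e "$head_def\r\nTo: team-leave@$domain\r\nFrom: $user@$domain\r\nSubject: leave\r\n" | sudo -u "$user" sendmail team-leave@"$domain"
+# remove user
+deluser --remove-home "$user"
+# unset user quota
+rm /etc/security/limits.d/"$user"
+# unset mail aliases
+sed -i /"$user"/d /etc/aliases
+sed -i /"$user"/d /etc/email-addresses
+# remove email mailbox
+# get userid from lxc-attach
+mail_userid=$(lxc-attach -n mail -- bash -c "/usr/local/bin/coreapi action accounts list -p search=$user@$domain | jq '.[] | .pk'")
+lxc-attach -n mail -- bash -c "/usr/local/bin/coreapi action accounts delete -p id=$mail_userid"
+# remove database
+del_user_db
+# unlink gemini
+[[ -L /var/gemini/\~"$user" ]] && unlink /var/gemini/\~"$user"
+# remove znc account
+printf '\n!!! ADMIN: please remove %s also from lists.%s and znc.%s !!!\n\n' "$user" "$domain" "$domain"
+}
+[[ "$EUID" -ne 0 ]] && printf 'Please run as root!\n' && exit 1
+case "$cmd" in
+add) [[ $# -lt 3 ]] && printf 'not enough args\n' && exit 1
+if ! id -u "$user" >/dev/null 2>&1; then
+printf '\nAdd User %s to %s\n' "$user" "$domain"
+printf 'mail to: %s\n\n' "$mailTo"
+add_user
+else
+printf 'User already exists!\n'
+fi
+;;
+del) [[ $# -lt 2 ]] && printf 'not enough args\n' && exit 1
+if id -u "$user" >/dev/null 2>&1; then
+printf '\nDelete User %s from %s?\n' "$user" "$domain"
+select yn in "Yes" "No"; do
+case $yn in
+Yes ) del_user ; break ;;
+No ) break ;;
+esac ; done
+else
+printf 'User not exists!\n'
+fi
+;;
+*) printf '%s | User Account Setup\n\n' "$domain"
+printf 'Usage: %s\n Add a User:\n' "$(basename "$0")"
+printf '\t%s add "username" "email" "ssh-pubkey"\n' "$(basename "$0")"
+printf ' Delete a User:\n'
+printf '\t%s del "username"\n' "$(basename "$0")"
+;;
+esac
+#
+exit 0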
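Review bot: `GRANT ALL PRIVILEGES ON $USER.* TO '$user'@'localhost'` in add_user_db uses `$USER` (the account running the script, root here) where `$user` (the new account) is meant, so the grant targets the wrong database and the user created one line above has no rights on the database created for them; it should read `GRANT ALL PRIVILEGES ON $user.* TO '$user'@'localhost' IDENTIFIED BY '$newpw';`. The password hash on `pwcrypt=$(perl -e "print crypt('${newpw}', 'sa');")` uses a fixed two-character salt, which selects traditional DES crypt (8-character limit, identical salt for every account); `pwcrypt=$(openssl passwd -6 "$newpw")` before the `useradd -p`, or `printf '%s:%s\n' "$user" "$newpw" | chpasswd` after it, yields a modern hash. In del_user, `sed -i /"$user"/d /etc/aliases` deletes every line that merely contains the name (removing `al` also drops `alice`'s alias); anchor it, `sed -i "/^$user: /d" /etc/aliases`, and the same for /etc/email-addresses. `mysqldump -u root "$user" > /tmp/"$user".sql` writes the dump into world-readable /tmp with the default umask before the `mv`; dump straight into /root/mysql_dumps instead. The `lxc-attach -n mail -- bash -c "... -p password=$newpw -p secondary_email=$mailTo ..."` line puts the new password on a command line visible in `ps` inside the container and interpolates the admin-supplied address into a shell string unquoted.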

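--- /dev/null
+++ b/bin/envs_user_updated.sh
@@ -0,0 +1,233 @@
+#!/usr/bin/env bash
+#
+# envs.net - generate user_updates.php and users_info.json
+# - this script is called by /etc/cron.d/envs_sysinfo
+#
+WWW_PATH='/var/www/envs.net'
+DOMAIN="envs.net"
+[[ "$EUID" -ne 0 ]] && printf 'Please run as root!\n' && exit 1
+#
+# user_updates.php
+#
+LIST="$(stat --format=%Z\ %n /home/*/public_html/* | grep -v updated | grep -v your_index_template.php | grep -v cgi-bin | sort -r)"
+echo "$LIST" | perl /usr/local/bin/envs_user_updated_genpage.pl > /tmp/user_updates.php_tmp
+mv /tmp/user_updates.php_tmp "$WWW_PATH"/user_updates.php
+chown root:www-data "$WWW_PATH"/user_updates.php
+#
+# users_info.json
+#
+TMP_JSON='/tmp/users_info.json_tmp'
+cat << EOM > "$TMP_JSON"
+{
+"timestamp": "$(date +'%s')",
+"data": {
+"info": {
+"name": "envs",
+"description": "envs.net is a minimalist, non-commercial shared unix system and will always be free to use.",
+"located": "germany",
+"maintainer": "Sven Kinne (~creme) - creme@envs.net",
+"website": "https://$DOMAIN",
+"signup_url": "https://$DOMAIN/signup/",
+"gopher": "gopher://envs.net/",
+"email": "hostmaster@$DOMAIN",
+"admin_email": "sudoers@$DOMAIN",
+"user_count": $(find /home -mindepth 1 -maxdepth 1 | wc -l)
+},
+"users": {
+EOM
+# user header
+for USERNAME in /home/*
+do
+USER_HOME="$USERNAME"
+USERNAME="${USERNAME/\/home\//}"
+INFO_FILE="$USER_HOME/.envs"
+cat << EOM >> "$TMP_JSON"
+"$USERNAME": {
+"home": "$USER_HOME",
+"email": "$USERNAME@$DOMAIN",
+EOM
+# desc
+if [[ -f "$INFO_FILE" ]]; then
+desc="$(sed -n '/^desc=/{s#^.*=##;p}' "$INFO_FILE")"
+if [[ -z "$desc" ]] || [[ "$desc" == 'a short describtion or message' ]]; then
+cat << EOM >> "$TMP_JSON"
+"desc": "",
+EOM
+else
+cat << EOM >> "$TMP_JSON"
+"desc": "$desc",
+EOM
+fi
+else
+cat << EOM >> "$TMP_JSON"
+"desc": "",
+EOM
+fi
+# website
+if [[ -f "$USER_HOME"/public_html/index.php ]] || [[ "$(test -f "$USER_HOME"/public_html/index.*htm*; echo $?)" -eq 0 ]]; then
+cat << EOM >> "$TMP_JSON"
+"website": "https://$DOMAIN/~$USERNAME/",
+EOM
+else
+cat << EOM >> "$TMP_JSON"
+"website": "",
+EOM
+fi
+# gopher
+if [ -f "$USER_HOME"/public_gopher/gophermap ]; then
+cat << EOM >> "$TMP_JSON"
+"gopher": "gopher://$DOMAIN/1/~$USERNAME/",
+"gopherproxy": "https://gopher.$DOMAIN/$DOMAIN/1/~$USERNAME/",
+EOM
+else
+cat << EOM >> "$TMP_JSON"
+"gopher": "",
+"gopherproxy": "",
+EOM
+fi
+# gemini
+if [ -f "$USER_HOME"/public_gemini/index.gmi ]; then
+cat << EOM >> "$TMP_JSON"
+"gemini": "gemini://$DOMAIN/~$USERNAME/",
+EOM
+fi
+# blog
+if [[ "$(find "$USER_HOME"/public_html/blog/ -maxdepth 1 2>/dev/null | wc -l)" -ge 3 ]]; then
+cat << EOM >> "$TMP_JSON"
+"blog": "https://$DOMAIN/~$USERNAME/blog/",
+EOM
+else
+cat << EOM >> "$TMP_JSON"
+"blog": "",
+EOM
+fi
+# twtwt
+if [[ -f "$USER_HOME"/public_html/twtxt.txt ]]; then
+cat << EOM >> "$TMP_JSON"
+"twtxt": "https://$DOMAIN/~$USERNAME/twtxt.txt",
+EOM
+else
+cat << EOM >> "$TMP_JSON"
+"twtxt": "",
+EOM
+fi
+# user custom infos from .envs file (max. 10 entrys)
+if [[ -f "$INFO_FILE" ]]; then
+count_entry='0' # use to limit entrys
+count_field_entry='0' # use to separat array line by line
+unset field_exists; declare -a field_exists=() # contains field names to limit entrys
+unset field_is_array; declare -a field_is_array=() # contains array fields to printf correct json entrys
+unset line_to_set; declare -A line_to_set # contains user info lines
+# check 'INFO_FILE' and add entrys to 'line_to_set' array
+while read -r LINE ; do
+if [[ -n "$LINE" ]] && ! [[ "$LINE" = '#'* ]] && ! [[ "$LINE" = 'desc='* ]]; then
+user_field="${LINE//=*/}"
+user_value="${LINE//*=/}"
+if ! [[ ":${field_exists[*]}:" =~ $user_field ]]; then
+# entry will be a single line
+count_entry="$(( "$count_entry" + 1 ))"; [[ "$count_entry" -le '10' ]] || continue
+field_exists+=( "$user_field" )
+line_to_set["$user_field","$count_field_entry"]+="$user_value"
+else
+# entry will be a array
+if ! [[ ":${field_is_array[*]}:" =~ $user_field ]]; then
+field_is_array+=( "$user_field" )
+fi
+count_field_entry="$(( "$count_field_entry" +1 ))"
+line_to_set["$user_field","$count_field_entry"]+="$user_value"
+fi
+fi
+done <<< "$(tac "$INFO_FILE")" # read file from buttom
+# add users custom entrys from line_to_set (single lines before arrays)
+#
+# single line entrys
+for field in "${!line_to_set[@]}"; do
+field_name="${field//,*/}"
+if ! [[ ":${field_is_array[*]}:" =~ $field_name ]]; then
+cat << EOM >> "$TMP_JSON"
+"$field_name": "${line_to_set[$field]}",
+EOM
+fi
+done
+#
+# array line entrys
+field_in_progress=''
+for field in "${!line_to_set[@]}"; do
+field_name="${field//,*/}"
+field_count="${field//*,/}"
+if [[ ":${field_is_array[*]}:" =~ $field_name ]]; then
+# begin of user def. array
+if ! [[ "$field_in_progress" = "$field_name" ]]; then
+field_in_progress="$field_name"
+cat << EOM >> "$TMP_JSON"
+"$field_name": [
+"${line_to_set[$field]}",
+EOM
+else
+# continue user def. array
+if ! [[ "$field_count" -eq '0' ]]; then
+cat << EOM >> "$TMP_JSON"
+"${line_to_set[$field]}",
+EOM
+# end of user def. array
+else
+unset field_in_progress
+cat << EOM >> "$TMP_JSON"
+"${line_to_set[$field]}"
+],
+EOM
+fi
+fi
+fi
+done
+fi
+# ssh
+cat << EOM >> "$TMP_JSON"
+"ssh-pubkey": [
+EOM
+while read -r LINE ; do
+[[ "$LINE" == 'ssh'* ]] && printf '\t\r\t\r\t\r\t\r\t"%s",\n' "$LINE" >> "$TMP_JSON"
+done < "$USER_HOME"/.ssh/authorized_keys
+# remove trailing ',' for the last pubkey
+sed -i '$ s/,$//' "$TMP_JSON"
+# close user ssh pubkey array ']' and user part. '},'
+cat << EOM >> "$TMP_JSON"
+]
+},
+EOM
+# EOF
+done
+# remove trailing ',' on last user entry
+sed -i '$ s/,$//' "$TMP_JSON"
+cat << EOM >> "$TMP_JSON"
+}
+}
+}
+EOM
+mv "$TMP_JSON" "$WWW_PATH"/users_info.json
+chown root:www-data "$WWW_PATH"/users_info.json
+#
+exit 0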
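Review bot: Every value read from a user's own `~/.envs` — `desc` and each `user_field`/`user_value` pair — is written into the heredocs unescaped (`"desc": "$desc",`, `"$field_name": "${line_to_set[$field]}",`), so any user can put a `"` in that file and break users_info.json for every consumer, or close their own object and inject further keys, including user names that envs_gemini_genpage.sh later uses as path components for `ln -s` under /var/gemini. Encode each value with jq before use, `json_str() { jq -Rn --arg v "$1" '$v'; }` and then `"desc": $(json_str "$desc"),`, and restrict field names to a safe pattern, `[[ $user_field =~ ^[A-Za-z0-9_]+$ ]] || continue`; the `=~` tests on `":${field_exists[*]}:"` also treat the user-supplied field name as a regex and match substrings. `/tmp/user_updates.php_tmp` and `TMP_JSON='/tmp/users_info.json_tmp'` are fixed names written by root; `mktemp` avoids the predictable path (its 0600 result must be made readable for www-data before the `mv`). The `while read -r LINE` over `"$USER_HOME"/.ssh/authorized_keys` runs as root on a user-owned path; a missing file aborts that user's entry mid-object, so guard it with `[[ -f ... ]]`.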


@ -0,0 +1,50 @@
#!/usr/bin/perl
#
# source from pgadey (ctrl-c.club)
# url: https://github.com/pgadey/bin/blob/master/ctrl-c.club
#
print "<?php
// do not touch
// this files is generated by /usr/local/bin/envs_user_updated.sh
\$title = \"envs.net | recently user updates\";
\$desc = \"envs.net | recently user updates\";
include 'header.php';
?>
<body id=\"body\" class=\"dark-mode\">
<div>
<div class=\"button_back\">
<pre class=\"clean\"><strong><a href=\"/\">&lt; back</a></strong></pre>
</div>
<div id=\"main\">
<div class=\"block\">
<pre>
<h1><em>recently user updates</em></h1>
</pre>
</div>
<pre>
this is a static list of the pages modified in <code>/home/*/public_html/*</code>. it updates every hour.
<ul>\n";
while (<>) {
chomp;
($date, $index) = split(/ /, $_);
$date = `date --date="\@$date" +'%F %H:%M:%S'`;
$author = $index;
$file = $index;
$author =~ s%/home/(\w+)/public_html/(\S+)%$1%;
$file =~ s%/home/(\w+)/public_html/(\S+)%$2%;
print "<li><a href=\"https://envs.net/\~$author/\">\~$author</a> (<a href=\"https://envs.net/\~$author/$file\">$file</a>) at $date</li>\n";
};
print "</ul>
</pre>
</div>
<?php include 'footer.php'; ?>";
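Review bot: `$author` and `$file` (lines 985–987) are derived from paths under `/home/*/public_html/` and printed straight into HTML text and `href` attributes, so a file name containing `<`, `"` or `&` lands in the page unescaped — a stored cross-site-scripting risk on a host where users name their own files. `$date` is likewise passed to a shell through backticks on line 982 with no check that it is numeric, and `split(/ /, $_)` on line 981 truncates any path that contains a space; where the input lines come from is outside this file, so I can't confirm the format is guaranteed. The rewrite below adds a minimal HTML escape, a numeric guard before the shell call, and a split limit; `use strict; use warnings;` are also absent from the script.
```perl
# minimal HTML escaping; file and directory names are chosen by users
sub html_escape {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    return $s;
}
# … unchanged: print of the page header …
while (<>) {
    chomp;
    ($date, $index) = split(/ /, $_, 2);   # limit 2: keep paths that contain spaces intact
    next unless $date =~ /^\d+$/;          # only a numeric epoch may reach the shell below
    $date = `date --date="\@$date" +'%F %H:%M:%S'`;
    # … unchanged: $author / $file derivation …
    my $h_author = html_escape($author);
    my $h_file   = html_escape($file);
    print "<li><a href=\"https://envs.net/\~$h_author/\">\~$h_author</a> (<a href=\"https://envs.net/\~$h_author/$h_file\">$h_file</a>) at $date</li>\n";
}
```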

3
bin/hole Executable file

@ -0,0 +1,3 @@
#!/bin/sh
lynx gopher://localhost "$@"

74
bin/idiff Executable file

@ -0,0 +1,74 @@
#!/bin/sh
# Color diff output, for human consumption
# License: LGPLv2
# Author:
# http://www.pixelbeat.org/
# Notes:
# If 2 parameters are passed, then they are passed to
# the `diff -Naru` command first. Otherwise the parameters
# (or stdin) are assumed to be diff format and are colourised.
#
# VIM can be useful for viewing diffs also:
# diff -Naru a b | vim -R -
# vim -R a-b.diff
# Changes:
# V0.1, 12 Feb 2008, Initial release
# V0.2, 18 Feb 2008, Use tput rather than hardcoding escape sequences.
# V0.3, 24 Apr 2008, Support Mac OS X
# V0.4, 30 Apr 2008, P@draigBrady.com
# Use $PAGER if set
# Manfred Schwarb <manfred99@gmx.ch>
# Support `diff -c` format fully.
# Pointed out issues with less -EF options.
# Suggested to use the less -S option.
# V0.5, 18 Jun 2009, P@draigBrady.com
# Delineate each file level item with highlight.
# Simplify expressions by using '&' in replacement.
# Use 't' after all matches for consistency and speed.
# less -K reportedly not available on older Mac OS X
less -K -Ff /dev/null 2>/dev/null && CTRL_C_EXITS="-K"
RED=1; GREEN=2; BLUE=4; BRIGHT='1;'
tputc() {
bright=$1; colour=$2
[ "$bright" ] && tput bold
tput setaf $colour
}
DEL="`tputc $BRIGHT $RED`"
ADD="`tputc $BRIGHT $GREEN`"
CHG="`tputc $BRIGHT $BLUE`"
FIL="`tput smso`" #highlight file level items
RST="`tput sgr0`"
if [ "$#" -eq "2" ]; then
diff -Naru "$@"
else
cat "$@"
fi |
sed "
s/^\*\{3\}.*\*\{4\}/$CHG&$RST/;t
s/^-\{3\}.*-\{4\}/$CHG&$RST/;t
s/^@.*/$CHG&$RST/;t
s/^[0-9].*/$CHG&$RST/;t
s/^!.*/$CHG&$RST/;t
s/^-.*/$DEL&$RST/;t
s/^<.*/$DEL&$RST/;t
s/^\*.*/$ADD&$RST/;t
s/^\+.*/$ADD&$RST/;t
s/^>.*/$ADD&$RST/;t
s/^Only in.*/$FIL&$RST/;t
s/^Index: .*/$FIL&$RST/;t
s/^diff .*/$FIL&$RST/;t
" |
${PAGER:-less -QRS $CTRL_C_EXITS}
# could use less -EFX also, but for large files or lots of scrolling, this
# is a lot more obtrusive on the terminal as the [de]init codes not used.

3
bin/motd Executable file

@ -0,0 +1,3 @@
#!/bin/sh
cat /var/run/motd.dynamic

3
bin/online-users Executable file

@ -0,0 +1,3 @@
#!/bin/sh
users | tr ' ' \\n | uniq | wc -l

7
bin/webirc Executable file

@ -0,0 +1,7 @@
#!/bin/bash
printf 'setting up your thelounge account\n\n'
THELOUNGE_HOME=/srv/thelounge sudo -u thelounge /srv/thelounge/.yarn/bin/thelounge add "$USER"
printf '\nyou can now log in to https://irc.envs.net as %s with the password you just created.\n' "$USER"
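Review bot: `"$USER"` on lines 1094–1095 is an environment variable inherited from the caller's shell, not the authenticated identity, so the thelounge account name is not tied to whoever actually ran the script; derive it from the real uid instead, `user="$(id -un)"` and then `thelounge add "$user"`. The sudoers rule that permits this call (the `THELOUNGE` alias in etc/etc/sudoers) accepts any argument after `add`, so this script is the only place the name can be checked. Separately, `Defaults env_reset` in that sudoers file most likely strips the `THELOUNGE_HOME=/srv/thelounge` prefix before `thelounge` runs unless it is listed in `env_keep` — worth confirming that the binary still finds its home directory.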

38
bin/welcome-email.tmpl Normal file

@ -0,0 +1,38 @@
hello ~_username_,
welcome to envs.net!
your account has been established and you can ssh or mosh
into envs.net with the ssh key you supplied on registration.
your password is "_password_".
please change it when you log in for the first time with ssh.
also you need to change the password on https://mail.envs.net !
the password is used for imap/smtp auth(mail) and mysql. NOT shell login,
which is set to only use ssh key authentication.
your mail password will also used for znc.envs.net (imap-auth).
the best way you can help envs.net is by working
to support a great system culture. build cool programs and
share them with others; and help others; be a
good example for others and have fun!
your ~/public_www directory is served at:
https://envs.net/~_username_ , https://envs.net/u/_username_
https://_username_.envs.net and https://_username_.envs.sh/.
your mysql database is also has been provisioned. information below should
be used to connect to it:
database name: _username_
database user: _username_
password: (see your password above)
of course you can also use sqlite databases.
check out our help page at https://envs.net/help for more informations.
we seeing you! :)
envs.net ~creme

33
bin/welcome-readme.tmpl Normal file

@ -0,0 +1,33 @@
hello,
welcome to envs.net!
you made it! we've set you up with a 'byobu' session with the
following default tabs:
- weechat for irc
- mutt for email
- a shell
if you're reading this, you're in the mutt pane. have a look
at the status bar at the bottom. the current windows are shown
in the bottom left, with several system status symbols on the right.
some of the most important keybinds are:
- f2: open a new window/tab
- f3/f4: prev/next windows
- f6: disconnect from you byobu session
- shift-f12 disable/enable byobu f-key bindings
press shift-f1 to see a more complete list of keybinds,
but these will get you wherever you need to go.
if you need help, switch to the first window and ask in irc.
also, if you know what you're doing and would rather use a different
terminal multiplexer, run byobu-disable to prevent it from launching on login.
we look forward to seeing you around! welcome to the envs.net!
envs ~ admins

7
etc/cron.d/backup Normal file

@ -0,0 +1,7 @@
#
# BACKUP Server every day
#
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root
13 1,13 * * * root /root/backup-server.sh >/dev/null 2>&1
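Review bot: The job on line 1167 discards both stdout and stderr with `>/dev/null 2>&1`, so a failing nightly backup produces neither cron mail nor a log entry; the same pattern is used in the other cron.d files in this commit (botany, conntrack, envs_gemini, envs_stats, envs_sysinfo, envs_user_updated, ipset-blacklist, ipset-fail2ban), and for the backup and blacklist jobs in particular a silent failure is the condition most worth noticing. Keep stderr (drop the `2>&1`) so cron mails failures, or redirect to a log file instead, e.g. `>>/var/log/backup-server.log 2>&1` (example path — pick the one this host uses). `/root` on `PATH` (line 1166) looks unnecessary since the script is invoked by absolute path.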

4
etc/cron.d/botany Normal file

@ -0,0 +1,4 @@
SHELL=/bin/sh
PATH=/usr/bin:/opt/services
0 0 * * 0 services python /opt/services/botany/clear_weekly_users.py >/dev/null 2>&1

17
etc/cron.d/certbot Normal file

@ -0,0 +1,17 @@
# /etc/cron.d/certbot: crontab entries for the certbot package
#
# Upstream recommends attempting renewal twice a day
#
# Eventually, this will be an opportunity to validate certificates
# haven't been revoked, etc. Renewal will only occur if expiration
# is within 30 days.
#
# Important Note! This cronjob will NOT be executed if you are
# running systemd as your init system. If you are running systemd,
# the cronjob.timer function takes precedence over this cronjob. For
# more details, see the systemd.timer manpage, or use systemctl show
# certbot.timer.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew --deploy-hook /etc/letsencrypt/renewal-hooks/deploy/envs.sh --renew-hook "systemctl reload nginx"

4
etc/cron.d/conntrack Normal file

@ -0,0 +1,4 @@
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
0-59/1 * * * * root /usr/local/bin/conntrack.sh && /usr/local/bin/envs_conntracks.sh >/dev/null 2>&1

7
etc/cron.d/envs_gemini Normal file

@ -0,0 +1,7 @@
#
# generate envs gemini - index.gem (once per hour)
#
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
0 * * * * root /usr/local/bin/envs_gemini_genpage.sh >/dev/null 2>&1

7
etc/cron.d/envs_stats Normal file

@ -0,0 +1,7 @@
#
# generate envs stats.html (once per hour)
#
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
0 * * * * root /usr/local/bin/envs_stats.sh >/dev/null 2>&1

7
etc/cron.d/envs_sysinfo Normal file

@ -0,0 +1,7 @@
#
# generate sysinfo.json and sysinfo.php every day
#
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
0 0 * * * root /usr/local/bin/envs_sysinfo.sh >/dev/null 2>&1


@ -0,0 +1,8 @@
#
# generate user_updates.php , users_info.json
# (once per hour)
#
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
0 * * * * root /usr/local/bin/envs_user_updated.sh >/dev/null 2>&1


@ -0,0 +1,4 @@
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
33 23 * * * root /usr/local/sbin/update-blacklist.sh /etc/ipset-blacklist/ipset-blacklist.conf >/dev/null 2>/dev/null&


@ -0,0 +1,6 @@
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
0-59/30 * * * * root /usr/local/sbin/ipset-fail2ban.sh /etc/ipset-fail2ban/ipset-fail2ban.conf >/dev/null 2>/dev/null&
# clear list once per week
0 0 * * 0 root /usr/local/sbin/ipset-fail2ban.sh /etc/ipset-fail2ban/ipset-fail2ban.conf -c >/dev/null 2>&1

43
etc/etc/inetd.conf Normal file

@ -0,0 +1,43 @@
# /etc/inetd.conf: see inetd(8) for further informations.
#
# Internet superserver configuration database
#
#
# Lines starting with "#:LABEL:" or "#<off>#" should not
# be changed unless you know what you are doing!
#
# If you want to disable an entry so it isn't touched during
# package updates just comment it out with a single '#' character.
#
# Packages should modify this file by using update-inetd(8)
#
# <service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
#
#:INTERNAL: Internal services
#discard stream tcp nowait root internal
#discard dgram udp wait root internal
#daytime stream tcp nowait root internal
#time stream tcp nowait root internal
#:STANDARD: These are standard services.
#:BSD: Shell, login, exec and talk are BSD protocols.
talk dgram udp wait nobody.tty /usr/sbin/tcpd in.talkd
ntalk dgram udp wait nobody.tty /usr/sbin/tcpd in.ntalkd
#:MAIL: Mail, news and uucp services.
#:INFO: Info services
finger stream tcp nowait efingerd /usr/sbin/tcpd /usr/sbin/efingerd -fi
ident stream tcp nowait identd /usr/sbin/ident2 ident2 -i -n
#:BOOT: TFTP service is provided primarily for booting. Most sites
# run this only on machines acting as "boot servers."
#:RPC: RPC based services
#:HAM-RADIO: amateur-radio services
#:OTHER: Other services
#gopher stream tcp nowait nobody /usr/sbin/gophernicus gophernicus -h envs.net -nv -o UTF-8
gopher stream tcp nowait nobody /usr/sbin/gophernicus gophernicus -h envs.net -nv -r /var/gopher/envs.net -o UTF-8
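Review bot: `ident` on line 1304 is launched directly as `/usr/sbin/ident2`, while `talk`, `ntalk` and `finger` on lines 1299–1303 go through `/usr/sbin/tcpd`, so hosts.allow/hosts.deny controls apply to the latter but not to ident; for consistency the line should read `ident stream tcp nowait identd /usr/sbin/tcpd /usr/sbin/ident2 -i -n`. Both ident and finger disclose local account names to any remote peer, which on a shared host is a deliberate trade-off — a one-line comment saying so, and what the `-n` and `-fi` flags are intended to restrict, would help the next maintainer. The commented-out gopher line on 1310 duplicates the active one on 1311 and can be dropped.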

67
etc/etc/inputrc Normal file

@ -0,0 +1,67 @@
# /etc/inputrc - global inputrc for libreadline
# See readline(3readline) and `info rluserman' for more information.
# Be 8 bit clean.
set input-meta on
set output-meta on
# To allow the use of 8bit-characters like the german umlauts, uncomment
# the line below. However this makes the meta key not work as a meta key,
# which is annoying to those which don't need to type in 8-bit characters.
# set convert-meta off
# try to enable the application keypad when it is called. Some systems
# need this to enable the arrow keys.
# set enable-keypad on
# see /usr/share/doc/bash/inputrc.arrows for other codes of arrow keys
# do not bell on tab-completion
set bell-style none
# set bell-style visible
# some defaults / modifications for the emacs mode
$if mode=emacs
# allow the use of the Home/End keys
"\e[1~": beginning-of-line
"\e[4~": end-of-line
# allow the use of the Delete/Insert keys
"\e[3~": delete-char
"\e[2~": quoted-insert
# mappings for "page up" and "page down" to step to the beginning/end
# of the history
# "\e[5~": beginning-of-history
# "\e[6~": end-of-history
# alternate mappings for "page up" and "page down" to search the history
"\e[5~": history-search-backward
"\e[6~": history-search-forward
# mappings for Ctrl-left-arrow and Ctrl-right-arrow for word moving
"\e[1;5C": forward-word
"\e[1;5D": backward-word
"\e[5C": forward-word
"\e[5D": backward-word
"\e\e[C": forward-word
"\e\e[D": backward-word
$if term=rxvt
"\e[7~": beginning-of-line
"\e[8~": end-of-line
"\eOc": forward-word
"\eOd": backward-word
$endif
# for non RH/Debian xterm, can't hurt for RH/Debian xterm
# "\eOH": beginning-of-line
# "\eOF": end-of-line
# for freebsd console
# "\e[H": beginning-of-line
# "\e[F": end-of-line
$endif

272
etc/etc/nanorc Normal file

@ -0,0 +1,272 @@
## Sample initialization file for GNU nano.
##
## Please note that you must have configured nano with --enable-nanorc
## for this file to be read! Also note that this file should not be in
## DOS or Mac format, and that characters specially interpreted by the
## shell should not be escaped here.
##
## To make sure an option is disabled, use "unset <option>".
##
## For the options that take parameters, the default value is given.
## Other options are unset by default.
##
## Quotes inside string parameters don't have to be escaped with
## backslashes. The last double quote in the string will be treated as
## its end. For example, for the "brackets" option, ""')>]}" will match
## ", ', ), >, ], and }.
## Make the 'nextword' function (Ctrl+Right) stop at word ends
## instead of at beginnings.
# set afterends
## When soft line wrapping is enabled, make it wrap lines at blanks
## (tabs and spaces) instead of always at the edge of the screen.
# set atblanks
## Automatically indent a newly created line to the same number of
## tabs and/or spaces as the preceding line -- or as the next line
## if the preceding line is the beginning of a paragraph.
# set autoindent
## Back up files to the current filename plus a tilde.
# set backup
## The directory to put unique backup files in.
# set backupdir ""
## Use bold text instead of reverse video text.
# set boldtext
## The characters treated as closing brackets when justifying paragraphs.
## This may not include any blank characters. Only closing punctuation,
## optionally followed by these closing brackets, can end sentences.
# set brackets ""')>]}"
## Do case-sensitive searches by default.
# set casesensitive
## Constantly display the cursor position in the status bar. Note that
## this overrides "quickblank".
# set constantshow
## Use cut-from-cursor-to-end-of-line by default.
# set cutfromcursor
## (The old form, 'cut', is deprecated.)
## Set the line length for wrapping text and justifying paragraphs.
## If the value is 0 or less, the wrapping point will be the screen
## width less this number.
# set fill -8
## Remember the used search/replace strings for the next session.
set historylog
## Display line numbers to the left of the text.
# set linenumbers
## Enable vim-style lock-files. This is just to let a vim user know you
## are editing a file [s]he is trying to edit and vice versa. There are
## no plans to implement vim-style undo state in these files.
set locking
## The opening and closing brackets that can be found by bracket
## searches. They cannot contain blank characters. The former set must
## come before the latter set, and both must be in the same order.
# set matchbrackets "(<[{)>]}"
## Use the blank line below the title bar as extra editing space.
# set morespace
## Enable mouse support, if available for your system. When enabled,
## mouse clicks can be used to place the cursor, set the mark (with a
## double click), and execute shortcuts. The mouse will work in the X
## Window System, and on the console when gpm is running.
# set mouse
## Switch on multiple file buffers (inserting a file will put it into
## a separate buffer).
# set multibuffer
## Don't convert files from DOS/Mac format.
# set noconvert
## Don't display the helpful shortcut lists at the bottom of the screen.
# set nohelp
## Don't automatically add a newline when a file does not end with one.
# set nonewlines
## Don't pause between warnings at startup. Which means that only the
## last one will be readable (when there are multiple ones).
# set nopauses
## Don't wrap text at all.
set nowrap
## Set operating directory. nano will not read or write files outside
## this directory and its subdirectories. Also, the current directory
## is changed to here, so any files are inserted from this dir. A blank
## string means the operating-directory feature is turned off.
# set operatingdir ""
## Remember the cursor position in each file for the next editing session.
# set positionlog
## Preserve the XON and XOFF keys (^Q and ^S).
# set preserve
## The characters treated as closing punctuation when justifying
## paragraphs. They cannot contain blank characters. Only closing
## punctuation, optionally followed by closing brackets, can end
## sentences.
# set punct "!.?"
## Do quick status-bar blanking. Status-bar messages will disappear after
## 1 keystroke instead of 26. Note that "constantshow" overrides this.
# set quickblank
## The email-quote string, used to justify email-quoted paragraphs.
## This is an extended regular expression. The default is:
# set quotestr "^([ ]*([#:>|}]|//))+"
## Fix Backspace/Delete confusion problem.
# set rebinddelete
## Fix numeric keypad key confusion problem.
# set rebindkeypad
## Do extended regular expression searches by default.
# set regexp
## Put the cursor on the highlighted item in the file browser;
## useful for people who use a braille display.
# set showcursor
## Make the Home key smarter. When Home is pressed anywhere but at the
## very beginning of non-whitespace characters on a line, the cursor
## will jump to that beginning (either forwards or backwards). If the
## cursor is already at that position, it will jump to the true
## beginning of the line.
# set smarthome
## Use smooth scrolling as the default.
# set smooth
## Enable soft line wrapping (AKA full-line display).
# set softwrap
## Use this spelling checker instead of the internal one. This option
## does not have a default value.
# set speller "aspell -x -c"
## Allow nano to be suspended.
set suspend
## Use this tab size instead of the default; it must be greater than 0.
set tabsize 4
## Convert typed tabs to spaces.
# set tabstospaces
## Save automatically on exit; don't prompt.
# set tempfile
## Snip whitespace at the end of lines when justifying or hard-wrapping.
# set trimblanks
## (The old form, 'justifytrim', is deprecated.)
## Disallow file modification. Why would you want this in an rcfile? ;)
# set view
## The two single-column characters used to display the first characters
## of tabs and spaces. 187 in ISO 8859-1 (0000BB in Unicode) and 183 in
## ISO-8859-1 (0000B7 in Unicode) seem to be good values for these.
## The default when in a UTF-8 locale:
# set whitespace "»·"
## The default otherwise:
# set whitespace ">."
## Detect word boundaries differently by treating punctuation
## characters as parts of words.
# set wordbounds
## The characters (besides alphanumeric ones) that should be considered
## as parts of words. This option does not have a default value. When
## set, it overrides option 'set wordbounds'.
# set wordchars "<_>."
## Paint the interface elements of nano. These are examples;
## by default there are no colors, except for errorcolor.
# set titlecolor brightwhite,blue
# set statuscolor brightwhite,green
# set errorcolor brightwhite,red
# set selectedcolor brightwhite,magenta
# set numbercolor cyan
# set keycolor cyan
# set functioncolor green
## In root's .nanorc you might want to use:
# set titlecolor brightwhite,magenta
# set statuscolor brightwhite,magenta
# set errorcolor brightwhite,red
# set selectedcolor brightwhite,cyan
# set numbercolor magenta
# set keycolor brightmagenta
# set functioncolor magenta
## Setup of syntax coloring.
##
## Format:
##
## syntax "short description" ["filename regex" ...]
##
## The "none" syntax is reserved; specifying it on the command line is
## the same as not having a syntax at all. The "default" syntax is
## special: it takes no filename regexes, and applies to files that
## don't match any other syntax's filename regexes.
##
## color foreground,background "regex" ["regex"...]
## or
## icolor foreground,background "regex" ["regex"...]
##
## "color" will do case-sensitive matches, while "icolor" will do
## case-insensitive matches.
##
## Valid colors: white, black, red, blue, green, yellow, magenta, cyan.
## For foreground colors, you may use the prefix "bright" to get a
## stronger highlight.
##
## To use multi-line regexes, use the start="regex" end="regex"
## [start="regex" end="regex"...] format.
##
## If your system supports transparency, not specifying a background
## color will use a transparent color. If you don't want this, be sure
## to set the background color to black or white.
##
## All regexes should be extended regular expressions.
##
## If you wish, you may put your syntax definitions in separate files.
## You can make use of such files as follows:
##
## include "/path/to/syntax_file.nanorc"
##
## Unless otherwise noted, the name of the syntax file (without the
## ".nanorc" extension) should be the same as the "short description"
## name inside that file. These names are kept fairly short to make
## them easier to remember and faster to type using nano's -Y option.
##
## To include all existing syntax definitions, you can do:
include "/usr/share/nano/*.nanorc"
## Key bindings.
## See nanorc(5) (section REBINDING KEYS) for more details on this.
##
## The following two functions are not bound to any key by default.
## You may wish to choose other keys than the ones suggested here.
# bind M-B cutwordleft main
# bind M-N cutwordright main
## Set this if your Backspace key sends Del most of the time.
# bind Del backspace all

33
etc/etc/sudoers Normal file

@ -0,0 +1,33 @@
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
# Host alias specification
# User alias specification
# Cmnd alias specification
Cmnd_Alias THELOUNGE=/srv/thelounge/.yarn/bin/thelounge add *
Cmnd_Alias TOOT=/usr/bin/toot post *
# User privilege specification
root ALL=(ALL:ALL) ALL
services ALL=(ALL:ALL) NOPASSWD:ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
%envs ALL=(thelounge) NOPASSWD: THELOUNGE
%envs ALL=(services) NOPASSWD: TOOT
# See sudoers(5) for more information on "#include" directives:
#includedir /etc/sudoers.d
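Review bot: `services ALL=(ALL:ALL) NOPASSWD:ALL` on line 1618 gives the service account passwordless root for any command, while line 1622 lets every member of `%envs` run `/usr/bin/toot post *` as `services`; in sudoers a `*` in a command argument also matches whitespace, so any option string after `post` is accepted. The effective boundary between an ordinary user and root is therefore whatever `toot` does with arbitrary arguments, which this file cannot control. Replace line 1618 with a `Cmnd_Alias` listing the specific commands the account needs (as already done for `THELOUNGE` and `TOOT`), and if posting must accept free text, point the `TOOT` alias at a small wrapper that takes the message as its only argument rather than at `toot` itself. The `THELOUNGE` alias has the same wildcard shape but runs as `thelounge`, a much smaller blast radius.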


@ -0,0 +1,40 @@
#
# Fail2ban config
#
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1/8
# External command that will take an tagged arguments to ignore, e.g. <ip>,
# and return true if the IP is to be ignored. False otherwise.
#
# ignorecommand = /path/to/command <ip>
ignorecommand =
# "bantime" is the number of seconds that a host is banned. (1day)
bantime = 3600
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600
# "maxretry" is the number of failures before a host get banned.
maxretry = 5
#
# enabled modules
#
# ssh enabled by default config
#[sshd]
#enabled = true
[pam-generic]
enabled = true
[nginx-http-auth]
enabled = true
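Review bot: The comment on line 1642 says `(1day)` but `bantime = 3600` is one hour; one of the two is wrong, so either change the value or correct the comment to `# "bantime" is the number of seconds that a host is banned. (1 hour)`. The sshd jail is only mentioned in a commented-out block on lines 1653–1654, relying on the distribution's default (`defaults-debian.conf` or equivalent) to enable it — verify that is actually the case on this host, since otherwise ssh login failures are not covered by any jail here. A short comment on why `pam-generic` and `nginx-http-auth` were chosen would make the intent clearer than the copied upstream boilerplate above them.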

398
etc/init.d/S41firewall Executable file

@ -0,0 +1,398 @@
#!/usr/bin/env bash
### BEGIN INIT INFO
# Provides: S41firewall
# Required-Start: network.target
# Required-Stop:
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: set basic firewall
# Description: set basic firewall
### END INIT INFO
# TODO
# - do more secure and optimize
# - change to nftables
#
DEF_IF='enp2s0'
IPT='/usr/sbin/iptables'
# Logging options.
#------------------------------------------------------------------------------
LOG="LOG --log-level debug --log-tcp-sequence --log-tcp-options"
LOG="$LOG --log-ip-options"
# Defaults for rate limiting
#------------------------------------------------------------------------------
RLIMIT="-m limit --limit 3/s --limit-burst 30"
if [ "$1" = "start" ]; then
# Default policies.
#------------------------------------------------------------------------------
# Drop everything by default.
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
# Set the nat/mangle/raw tables' chains to ACCEPT
$IPT -w -t nat -P PREROUTING ACCEPT
$IPT -w -t nat -P OUTPUT ACCEPT
$IPT -w -t nat -P POSTROUTING ACCEPT
$IPT -w -t mangle -P PREROUTING ACCEPT
$IPT -w -t mangle -P INPUT ACCEPT
$IPT -w -t mangle -P FORWARD ACCEPT
$IPT -w -t mangle -P OUTPUT ACCEPT
$IPT -w -t mangle -P POSTROUTING ACCEPT
# Cleanup.
#------------------------------------------------------------------------------
# Delete all
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F
# Delete all
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X
# Zero all packets and counters.
$IPT -Z
$IPT -t nat -Z
$IPT -t mangle -Z
# Custom user-defined chains.
#------------------------------------------------------------------------------
# LOG packets, then ACCEPT.
$IPT -w -N ACCEPTLOG
$IPT -w -A ACCEPTLOG -j "$LOG" "$RLIMIT" --log-prefix "ACCEPT "
$IPT -w -A ACCEPTLOG -j ACCEPT
# LOG packets, then DROP.
$IPT -w -N DROPLOG
$IPT -w -A DROPLOG -j "$LOG" "$RLIMIT" --log-prefix "DROP "
$IPT -w -A DROPLOG -j DROP
# LOG packets, then REJECT.
# TCP packets are rejected with a TCP reset.
$IPT -w -N REJECTLOG
$IPT -w -A REJECTLOG -j "$LOG" "$RLIMIT" --log-prefix "REJECT "
$IPT -w -A REJECTLOG -p tcp -j REJECT --reject-with tcp-reset
$IPT -w -A REJECTLOG -j REJECT
# Only allows RELATED ICMP types
# (destination-unreachable, time-exceeded, and parameter-problem).
# TODO: Rate-limit this traffic?
# TODO: Allow fragmentation-needed?
# TODO: Test.
$IPT -w -N RELATED_ICMP
$IPT -w -A RELATED_ICMP -p icmp --icmp-type destination-unreachable -j ACCEPT
$IPT -w -A RELATED_ICMP -p icmp --icmp-type time-exceeded -j ACCEPT
$IPT -w -A RELATED_ICMP -p icmp --icmp-type parameter-problem -j ACCEPT
$IPT -w -A RELATED_ICMP -p icmp --icmp-type fragmentation-needed -j ACCEPT
#$IPT -w -A RELATED_ICMP -p icmp --icmp-type source-quench -j ACCEPT
$IPT -w -A RELATED_ICMP -j DROPLOG
# Make It Even Harder To Multi-PING
$IPT -w -A INPUT -p icmp -m limit --limit 1/s --limit-burst 2 -j ACCEPT
$IPT -w -A OUTPUT -p icmp -j ACCEPT
# Only allow the minimally required/recommended parts of ICMP. Block the rest.
#------------------------------------------------------------------------------
# Allow all ESTABLISHED ICMP traffic.
$IPT -w -A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT "$RLIMIT"
$IPT -w -A OUTPUT -p icmp -m state --state ESTABLISHED -j ACCEPT "$RLIMIT"
# Allow some parts of the RELATED ICMP traffic, block the rest.
$IPT -w -A INPUT -p icmp -m state --state RELATED -j RELATED_ICMP "$RLIMIT"
$IPT -w -A OUTPUT -p icmp -m state --state RELATED -j RELATED_ICMP "$RLIMIT"
# Allow incoming ICMP echo requests (ping), but only rate-limited.
$IPT -w -A INPUT -p icmp --icmp-type echo-request -j ACCEPT "$RLIMIT"
# Allow outgoing ICMP echo requests (ping), but only rate-limited.
$IPT -w -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT "$RLIMIT"
# Drop any other ICMP traffic.
$IPT -w -A INPUT -p icmp -j DROPLOG
$IPT -w -A OUTPUT -p icmp -j DROPLOG
$IPT -w -A FORWARD -p icmp -j DROPLOG
# Selectively allow certain special types of traffic.
#------------------------------------------------------------------------------
# Allow loopback interface to do anything.
$IPT -w -A INPUT -i lo -j ACCEPT
$IPT -w -A OUTPUT -o lo -j ACCEPT
# Allow incoming connections related to existing allowed connections.
$IPT -w -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow outgoing connections EXCEPT invalid
$IPT -w -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# FORWARD RULES
#------------------------------------------------------------------------------
$IPT -w -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
#
# ENVS.NET - 89.163.145.170 (default wan_ip)
#
# lxcbr0 - 192.168.1.0/24
$IPT -w -t nat -A POSTROUTING -d 192.168.1.0/24 -s 192.168.1.1 -j SNAT --to 192.168.1.1
# dns
$IPT -w -t nat -A PREROUTING -i "$DEF_IF" -d 89.163.145.170 -p udp --dport 53 -j DNAT --to-destination 192.168.1.2:53
$IPT -w -A FORWARD -p udp -d 192.168.1.2 --dport 53 -j ACCEPT
$IPT -w -t nat -A PREROUTING -i "$DEF_IF" -d 89.163.145.170 -p tcp --dport 53 -j DNAT --to-destination 192.168.1.2:53
$IPT -w -A FORWARD -p tcp -d 192.168.1.2 --dport 53 -j ACCEPT
$IPT -w -t nat -A POSTROUTING ! -d 192.168.1.0/24 -s 192.168.1.2 -j SNAT --to 89.163.145.170
#
# MAIL ()
# => apache2 proxy (http/https)
# SMTP
$IPT -w -t nat -A PREROUTING -i "$DEF_IF" -d 5.199.136.28 -p tcp --dport 25 -j DNAT --to-destination 192.168.1.3:25
$IPT -w -t nat -A PREROUTING -i "$DEF_IF" -d 89.163.145.170 -p tcp --dport 25 -j DNAT --to-destination 192.168.1.3:25
$IPT -w -A FORWARD -p tcp -d 192.168.1.3 --dport 25 -j ACCEPT
# SMTPs
$IPT -w -t nat -A PREROUTING -i "$DEF_IF" -d 5.199.136.28 -p tcp --dport 587 -j DNAT --to-destination 192.168.1.3:587
$IPT -w -t nat -A PREROUTING -i "$DEF_IF" -d 89.163.145.170 -p tcp --dport 587 -j DNAT --to-destination 192.168.1.3:587
$IPT -w -A FORWARD -p tcp -d 192.168.1.3 --dport 587 -j ACCEPT
# Sieve
$IPT -w -t nat -A PREROUTING -i "$DEF_IF" -d 5.199.136.28 -p tcp --dport 4190 -j DNAT --to-destination 192.168.1.3:4190
$IPT -w -t nat -A PREROUTING -i "$DEF_IF" -d 89.163.145.170 -p tcp --dport 4190 -j DNAT --to-destination 192.168.1.3:4190
$IPT -w -A FORWARD -p tcp -d 192.168.1.3 --dport 4190 -j ACCEPT
# IMAP
$IPT -w -t nat -A PREROUTING -i "$DEF_IF" -d 5.199.136.28 -p tcp --dport 143 -j DNAT --to-destination 192.168.1.3:143
$IPT -w -t nat -A PREROUTING -i "$DEF_IF" -d 89.163.145.170 -p tcp --dport 143 -j DNAT --to-destination 192.168.1.3:143
$IPT -w -A FORWARD -p tcp -d 192.168.1.3 --dport 143 -j ACCEPT
# IMAPs
$IPT -w -t nat -A PREROUTING -i "$DEF_IF" -d 5.199.136.28 -p tcp --dport 993 -j DNAT --to-destination 192.168.1.3:993
$IPT -w -t nat -A PREROUTING -i "$DEF_IF" -d 89.163.145.170 -p tcp --dport 993 -j DNAT --to-destination 192.168.1.3:993
$IPT -w -A FORWARD -p tcp -d 192.168.1.3 --dport 993 -j ACCEPT
# POP
$IPT -w -t nat -A PREROUTING -i "$DEF_IF" -d 5.199.136.28 -p tcp --dport 110 -j DNAT --to-destination 192.168.1.3:110
$IPT -w -t nat -A PREROUTING -i "$DEF_IF" -d 89.163.145.170 -p tcp --dport 110 -j DNAT --to-destination 192.168.1.3:110
$IPT -w -A FORWARD -p tcp -d 192.168.1.3 --dport 110 -j ACCEPT
# POPs
$IPT -w -t nat -A PREROUTING -i "$DEF_IF" -d 5.199.136.28 -p tcp --dport 995 -j DNAT --to-destination 192.168.1.3:995
$IPT -w -t nat -A PREROUTING -i "$DEF_IF" -d 89.163.145.170 -p tcp --dport 995 -j DNAT --to-destination 192.168.1.3:995
$IPT -w -A FORWARD -p tcp -d 192.168.1.3 --dport 995 -j ACCEPT
#
$IPT -w -t nat -A POSTROUTING -d 192.168.1.4 -s 192.168.1.3 -j SNAT --to 192.168.1.3
$IPT -w -t nat -A POSTROUTING ! -d 192.168.1.0/24 -s 192.168.1.3 -j SNAT --to 5.199.136.28
# mail-lists
# => apache2 proxy (http/https)
$IPT -w -t nat -A POSTROUTING ! -d 192.168.1.0/24 -s 192.168.1.4 -j SNAT --to 5.199.136.29
# gitea
# => apache2 proxy (http/https)
$IPT -w -t nat -A PREROUTING -i "$DEF_IF" -d 5.199.130.141 -p tcp --dport 22 -j DNAT --to-destination 192.168.1.10:22
$IPT -w -A FORWARD -p tcp -d 192.168.1.10 --dport 22 -j ACCEPT
$IPT -w -t nat -A POSTROUTING ! -d 192.168.1.0/24 -s 192.168.1.10 -j SNAT --to 5.199.130.141
# searx
# => apache2 proxy (http/https)
$IPT -w -t nat -A POSTROUTING ! -d 192.168.1.0/24 -s 192.168.1.11 -j SNAT --to 89.163.145.170
# cryptpad
# => apache2 proxy (http/https)
$IPT -w -t nat -A POSTROUTING ! -d 192.168.1.0/24 -s 192.168.1.12 -j SNAT --to 89.163.145.170
# 0x0
# => apache2 proxy (http/https)
$IPT -w -t nat -A PREROUTING -i "$DEF_IF" -d 89.163.145.170 -p tcp --dport 9999 -j DNAT --to-destination 192.168.1.15:9999
$IPT -w -A FORWARD -p tcp -d 192.168.1.15 --dport 9999 -j ACCEPT
$IPT -w -t nat -A POSTROUTING ! -d 192.168.1.0/24 -s 192.168.1.15 -j SNAT --to 89.163.145.170
# rss
# => apache2 proxy (http/https)
$IPT -w -t nat -A POSTROUTING ! -d 192.168.1.0/24 -s 192.168.1.16 -j SNAT --to 89.163.145.170
# pb
# => apache2 proxy (http/https)
$IPT -w -t nat -A POSTROUTING ! -d 192.168.1.0/24 -s 192.168.1.17 -j SNAT --to 89.163.145.170
# MASQUERADE.
#------------------------------------------------------------------------------
#dont SNAT locally generated packets target for local
$IPT -w -t nat -A POSTROUTING -o lo -j ACCEPT
# snat all lxc traffic to freifunk network
# this allows to access the freifunk network from other lxc container
# all container must setup a routing entry to lxc.vpn1
#iptables -t nat -A POSTROUTING -o tbb+ -s 192.168.1.0/24 -j SNAT --to-source 10.200.1.1
#iptables -I FORWARD -i "$DEF_IF" -o tbb+ -j ACCEPT
# wen using lxc, masq all traffic which goes via "$DEF_IF" (like DNS,vpn)
# iptables -t nat -o "$DEF_IF" -A POSTROUTING -j MASQUERADE
# Selectively allow certain outbound connections, block the rest.
#------------------------------------------------------------------------------
# dns
$IPT -w -A OUTPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
$IPT -w -A OUTPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT
# openvpn
$IPT -w -A OUTPUT -m state --state NEW -p tcp --dport 1194 -j ACCEPT
$IPT -w -A OUTPUT -m state --state NEW -p udp --dport 1194 -j ACCEPT
# http
$IPT -w -A OUTPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
# https
$IPT -w -A OUTPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
# smtp
$IPT -w -A OUTPUT -m state --state NEW -p tcp --dport 25 -j ACCEPT
# smtps
$IPT -w -A OUTPUT -m state --state NEW -p tcp --dport 465 -j ACCEPT
# syslog
$IPT -w -A OUTPUT -m state --state NEW -p udp --dport 514 -j ACCEPT
# "submission" (RFC 2476)
$IPT -w -A OUTPUT -m state --state NEW -p tcp --dport 587 -j ACCEPT
# pop3s
$IPT -w -A OUTPUT -m state --state NEW -p tcp --dport 995 -j ACCEPT
# ssh
$IPT -w -A OUTPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
# ftp
$IPT -w -A OUTPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT
# ntp
$IPT -w -A OUTPUT -m state --state NEW -p udp --dport 123 -j ACCEPT
# whois
$IPT -w -A OUTPUT -m state --state NEW -p tcp --dport 43 -j ACCEPT
# csv
$IPT -w -A OUTPUT -m state --state NEW -p tcp --dport 2401 -j ACCEPT
# mysql
$IPT -w -A OUTPUT -m state --state NEW -p tcp --dport 3306 -j ACCEPT
# svn
$IPT -w -A OUTPUT -m state --state NEW -p tcp --dport 3690 -j ACCEPT
# Selectively allow certain inbound connections, block the rest.
#------------------------------------------------------------------------------
# dns
$IPT -w -A INPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
$IPT -w -A INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT
# finger
$IPT -w -A INPUT -m state --state NEW -p tcp --dport 79 -j ACCEPT
# ident
$IPT -w -A INPUT -m state --state NEW -p tcp --dport 113 -j ACCEPT
# gopher
$IPT -w -A INPUT -m state --state NEW -p tcp --dport 70 -j ACCEPT
# http/https
$IPT -w -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
$IPT -w -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
# gemini
$IPT -w -A INPUT -m state --state NEW -p tcp --dport 1965 -j ACCEPT
# ssh
$IPT -w -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
$IPT -w -A INPUT -m state --state NEW -p tcp --dport 2222 -j ACCEPT
$IPT -w -A INPUT -m state --state NEW -p tcp --dport 2223 -j ACCEPT
# mosh
$IPT -w -A INPUT -m state --state NEW -p udp --dport 60001:61000 -j ACCEPT
# znc
$IPT -w -A INPUT -m state --state NEW -p tcp --dport 6667 -j ACCEPT
$IPT -w -A INPUT -m state --state NEW -p tcp --dport 6697 -j ACCEPT
# Miscellaneous.
#------------------------------------------------------------------------------
# Explicitly drop invalid incoming traffic
$IPT -w -A INPUT -m state --state INVALID -j DROP
# Drop invalid outgoing traffic, too.
$IPT -w -A OUTPUT -m state --state INVALID -j DROP
# If we would use NAT, INVALID packets would pass - BLOCK them anyways
$IPT -w -A FORWARD -m state --state INVALID -j DROP
# Explicitly log and reject everything else.
#------------------------------------------------------------------------------
# Enable blacklists
ipset restore < /etc/ipset-blacklist/ip-blacklist.restore
ipset restore < /etc/ipset-fail2ban/ipset-fail2ban.restore
$IPT -I INPUT 1 -m set --match-set blacklist_default src -j DROP
$IPT -I INPUT 2 -m set --match-set blacklist_fail2ban src -j DROP
$IPT -I FORWARD 1 -m set --match-set blacklist_default src -j DROP
$IPT -I FORWARD 2 -m set --match-set blacklist_fail2ban src -j DROP
# Use REJECT instead of REJECTLOG if you don't need/want logging.
$IPT -w -A INPUT -j REJECT
$IPT -w -A FORWARD -j REJECT
$IPT -w -A OUTPUT -j ACCEPT
fi
if [ "$1" = "stop" ]; then
$IPT -t mangle -F PREROUTING
$IPT -t mangle -F OUTPUT
$IPT -t nat -F PREROUTING
$IPT -t nat -F POSTROUTING
$IPT -t nat -F OUTPUT
$IPT -F INPUT
$IPT -F FORWARD
$IPT -F OUTPUT
fi
if [ "$1" = "restart" ]; then
$0 stop
sleep 1
$0 start
fi
if [ "$1" = "status" ]; then
echo "iptables -vnL ..."
$IPT -vnL --line-numbers
echo "iptables -vnL -t nat ..."
$IPT -vnL -t nat --line-numbers
echo "iptables -vnL -t mangle ..."
$IPT -vnL -t mangle --line-numbers
fi
# Exit gracefully.
#------------------------------------------------------------------------------
exit 0


@ -0,0 +1,36 @@
#!/bin/sh
set -e
for domain in $RENEWED_DOMAINS; do
case $domain in
envs.net)
daemon_cert_root=/opt/lxc_ssl/envs.net
umask 077
cat "$RENEWED_LINEAGE/privkey.pem" > "$daemon_cert_root/privkey.pem"
cat "$RENEWED_LINEAGE/chain.pem" > "$daemon_cert_root/chain.pem"
cat "$RENEWED_LINEAGE/fullchain.pem" > "$daemon_cert_root/fullchain.pem"
cat /etc/ssl/certs/envs_dhparam.pem > "$daemon_cert_root/envs_dhparam.pem"
;;
envs.sh)
daemon_cert_root=/opt/lxc_ssl/envs.sh
umask 077
cat "$RENEWED_LINEAGE/privkey.pem" > "$daemon_cert_root/privkey.pem"
cat "$RENEWED_LINEAGE/chain.pem" > "$daemon_cert_root/chain.pem"
cat "$RENEWED_LINEAGE/fullchain.pem" > "$daemon_cert_root/fullchain.pem"
cat /etc/ssl/certs/envs_dhparam.pem > "$daemon_cert_root/envs_dhparam.pem"
;;
znc.envs.net)
daemon_cert_root=/srv/znc/.znc
umask 077
cat "$RENEWED_LINEAGE/privkey.pem" > "$daemon_cert_root/znc.pem"
cat "$RENEWED_LINEAGE/fullchain.pem" >> "$daemon_cert_root/znc.pem"
cat /etc/ssl/certs/envs_dhparam.pem >> "$daemon_cert_root/znc.pem"
chown znc "$daemon_cert_root/znc.pem"
chmod 600 "$daemon_cert_root/znc.pem"
;;
esac
done
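Review bot: The `envs.net)` and `envs.sh)` arms are identical apart from the target directory and can be folded into one, `envs.net|envs.sh) daemon_cert_root=/opt/lxc_ssl/$domain`, which keeps the two copies from drifting. Each `cat > file` truncates the live key or chain before rewriting it, so a consumer that reads the file during the copy can see an empty or partial PEM; writing to `$daemon_cert_root/privkey.pem.tmp` and `mv`-ing it into place would close that window, though it would also reset ownership and mode, so the in-place write may be deliberate for the lxc paths and deserves a comment either way. Nothing creates `$daemon_cert_root`, so with `set -e` a missing directory aborts the hook at the first redirect; `mkdir -p "$daemon_cert_root"` before the copies makes that explicit. The hook also never signals znc or the containers to reload, so the renewed certificate is presumably only picked up on their next restart — a comment at the top of the file stating that expectation would save the next operator a debugging session.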

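--- a/etc/nginx/fastcgi.conf
+++ b/etc/nginx/fastcgi.conf
@@ -0,0 +1,25 @@
+fastcgi_param QUERY_STRING $query_string;
+fastcgi_param REQUEST_METHOD $request_method;
+fastcgi_param CONTENT_TYPE $content_type;
+fastcgi_param CONTENT_LENGTH $content_length;
+fastcgi_param SCRIPT_NAME $fastcgi_script_name;
+fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+fastcgi_param REQUEST_URI $request_uri;
+fastcgi_param DOCUMENT_URI $document_uri;
+fastcgi_param DOCUMENT_ROOT $document_root;
+fastcgi_param SERVER_PROTOCOL $server_protocol;
+fastcgi_param REQUEST_SCHEME $scheme;
+fastcgi_param HTTPS $https if_not_empty;
+fastcgi_param GATEWAY_INTERFACE CGI/1.1;
+fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
+fastcgi_param REMOTE_ADDR $remote_addr;
+fastcgi_param REMOTE_PORT $remote_port;
+fastcgi_param SERVER_ADDR $server_addr;
+fastcgi_param SERVER_PORT $server_port;
+fastcgi_param SERVER_NAME $server_name;
+# PHP only, required if PHP was built with --enable-force-cgi-redirect
+fastcgi_param REDIRECT_STATUS 200;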
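--- a/etc/nginx/fastcgi_params
+++ b/etc/nginx/fastcgi_params
@@ -0,0 +1,25 @@
+fastcgi_param QUERY_STRING $query_string;
+fastcgi_param REQUEST_METHOD $request_method;
+fastcgi_param CONTENT_TYPE $content_type;
+fastcgi_param CONTENT_LENGTH $content_length;
+fastcgi_param SCRIPT_NAME $fastcgi_script_name;
+fastcgi_param SCRIPT_FILENAME $request_filename;
+fastcgi_param REQUEST_URI $request_uri;
+fastcgi_param DOCUMENT_URI $document_uri;
+fastcgi_param DOCUMENT_ROOT $document_root;
+fastcgi_param SERVER_PROTOCOL $server_protocol;
+fastcgi_param REQUEST_SCHEME $scheme;
+fastcgi_param HTTPS $https if_not_empty;
+fastcgi_param GATEWAY_INTERFACE CGI/1.1;
+fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
+fastcgi_param REMOTE_ADDR $remote_addr;
+fastcgi_param REMOTE_PORT $remote_port;
+fastcgi_param SERVER_ADDR $server_addr;
+fastcgi_param SERVER_PORT $server_port;
+fastcgi_param SERVER_NAME $server_name;
+# PHP only, required if PHP was built with --enable-force-cgi-redirect
+fastcgi_param REDIRECT_STATUS 200;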
109
etc/nginx/koi-utf Normal file

@ -0,0 +1,109 @@
# This map is not a full koi8-r <> utf8 map: it does not contain
# box-drawing and some other characters. Besides this map contains
# several koi8-u and Byelorussian letters which are not in koi8-r.
# If you need a full and standard map, use contrib/unicode2nginx/koi-utf
# map instead.
charset_map koi8-r utf-8 {
80 E282AC ; # euro
95 E280A2 ; # bullet
9A C2A0 ; # &nbsp;
9E C2B7 ; # &middot;
A3 D191 ; # small yo
A4 D194 ; # small Ukrainian ye
A6 D196 ; # small Ukrainian i
A7 D197 ; # small Ukrainian yi
AD D291 ; # small Ukrainian soft g
AE D19E ; # small Byelorussian short u
B0 C2B0 ; # &deg;
B3 D081 ; # capital YO
B4 D084 ; # capital Ukrainian YE
B6 D086 ; # capital Ukrainian I
B7 D087 ; # capital Ukrainian YI
B9 E28496 ; # numero sign
BD D290 ; # capital Ukrainian soft G
BE D18E ; # capital Byelorussian short U
BF C2A9 ; # (C)
C0 D18E ; # small yu
C1 D0B0 ; # small a
C2 D0B1 ; # small b
C3 D186 ; # small ts
C4 D0B4 ; # small d
C5 D0B5 ; # small ye
C6 D184 ; # small f
C7 D0B3 ; # small g
C8 D185 ; # small kh
C9 D0B8 ; # small i
CA D0B9 ; # small j
CB D0BA ; # small k
CC D0BB ; # small l
CD D0BC ; # small m
CE D0BD ; # small n
CF D0BE ; # small o
D0 D0BF ; # small p
D1 D18F ; # small ya
D2 D180 ; # small r
D3 D181 ; # small s
D4 D182 ; # small t
D5 D183 ; # small u
D6 D0B6 ; # small zh
D7 D0B2 ; # small v
D8 D18C ; # small soft sign
D9 D18B ; # small y
DA D0B7 ; # small z
DB D188 ; # small sh
DC D18D ; # small e
DD D189 ; # small shch
DE D187 ; # small ch
DF D18A ; # small hard sign
E0 D0AE ; # capital YU
E1 D090 ; # capital A
E2 D091 ; # capital B
E3 D0A6 ; # capital TS
E4 D094 ; # capital D
E5 D095 ; # capital YE
E6 D0A4 ; # capital F
E7 D093 ; # capital G
E8 D0A5 ; # capital KH
E9 D098 ; # capital I
EA D099 ; # capital J
EB D09A ; # capital K
EC D09B ; # capital L
ED D09C ; # capital M
EE D09D ; # capital N
EF D09E ; # capital O
F0 D09F ; # capital P
F1 D0AF ; # capital YA
F2 D0A0 ; # capital R
F3 D0A1 ; # capital S
F4 D0A2 ; # capital T
F5 D0A3 ; # capital U
F6 D096 ; # capital ZH
F7 D092 ; # capital V
F8 D0AC ; # capital soft sign
F9 D0AB ; # capital Y
FA D097 ; # capital Z
FB D0A8 ; # capital SH
FC D0AD ; # capital E
FD D0A9 ; # capital SHCH
FE D0A7 ; # capital CH
FF D0AA ; # capital hard sign
}

103
etc/nginx/koi-win Normal file

@ -0,0 +1,103 @@
charset_map koi8-r windows-1251 {
80 88 ; # euro
95 95 ; # bullet
9A A0 ; # &nbsp;
9E B7 ; # &middot;
A3 B8 ; # small yo
A4 BA ; # small Ukrainian ye
A6 B3 ; # small Ukrainian i
A7 BF ; # small Ukrainian yi
AD B4 ; # small Ukrainian soft g
AE A2 ; # small Byelorussian short u
B0 B0 ; # &deg;
B3 A8 ; # capital YO
B4 AA ; # capital Ukrainian YE
B6 B2 ; # capital Ukrainian I
B7 AF ; # capital Ukrainian YI
B9 B9 ; # numero sign
BD A5 ; # capital Ukrainian soft G
BE A1 ; # capital Byelorussian short U
BF A9 ; # (C)
C0 FE ; # small yu
C1 E0 ; # small a
C2 E1 ; # small b
C3 F6 ; # small ts
C4 E4 ; # small d
C5 E5 ; # small ye
C6 F4 ; # small f
C7 E3 ; # small g
C8 F5 ; # small kh
C9 E8 ; # small i
CA E9 ; # small j
CB EA ; # small k
CC EB ; # small l
CD EC ; # small m
CE ED ; # small n
CF EE ; # small o
D0 EF ; # small p
D1 FF ; # small ya
D2 F0 ; # small r
D3 F1 ; # small s
D4 F2 ; # small t
D5 F3 ; # small u
D6 E6 ; # small zh
D7 E2 ; # small v
D8 FC ; # small soft sign
D9 FB ; # small y
DA E7 ; # small z
DB F8 ; # small sh
DC FD ; # small e
DD F9 ; # small shch
DE F7 ; # small ch
DF FA ; # small hard sign
E0 DE ; # capital YU
E1 C0 ; # capital A
E2 C1 ; # capital B
E3 D6 ; # capital TS
E4 C4 ; # capital D
E5 C5 ; # capital YE
E6 D4 ; # capital F
E7 C3 ; # capital G
E8 D5 ; # capital KH
E9 C8 ; # capital I
EA C9 ; # capital J
EB CA ; # capital K
EC CB ; # capital L
ED CC ; # capital M
EE CD ; # capital N
EF CE ; # capital O
F0 CF ; # capital P
F1 DF ; # capital YA
F2 D0 ; # capital R
F3 D1 ; # capital S
F4 D2 ; # capital T
F5 D3 ; # capital U
F6 C6 ; # capital ZH
F7 C2 ; # capital V
F8 DC ; # capital soft sign
F9 DB ; # capital Y
FA C7 ; # capital Z
FB D8 ; # capital SH
FC DD ; # capital E
FD D9 ; # capital SHCH
FE D7 ; # capital CH
FF DA ; # capital hard sign
}

89
etc/nginx/mime.types Normal file

@ -0,0 +1,89 @@
types {
text/html html htm shtml;
text/css css;
text/xml xml;
image/gif gif;
image/jpeg jpeg jpg;
application/javascript js;
application/atom+xml atom;
application/rss+xml rss;
text/mathml mml;
text/plain txt;
text/vnd.sun.j2me.app-descriptor jad;
text/vnd.wap.wml wml;
text/x-component htc;
image/png png;
image/tiff tif tiff;
image/vnd.wap.wbmp wbmp;
image/x-icon ico;
image/x-jng jng;
image/x-ms-bmp bmp;
image/svg+xml svg svgz;
image/webp webp;
application/font-woff woff;
application/java-archive jar war ear;
application/json json;
application/mac-binhex40 hqx;
application/msword doc;
application/pdf pdf;
application/postscript ps eps ai;
application/rtf rtf;
application/vnd.apple.mpegurl m3u8;
application/vnd.ms-excel xls;
application/vnd.ms-fontobject eot;
application/vnd.ms-powerpoint ppt;
application/vnd.wap.wmlc wmlc;
application/vnd.google-earth.kml+xml kml;
application/vnd.google-earth.kmz kmz;
application/x-7z-compressed 7z;
application/x-cocoa cco;
application/x-java-archive-diff jardiff;
application/x-java-jnlp-file jnlp;
application/x-makeself run;
application/x-perl pl pm;
application/x-pilot prc pdb;
application/x-rar-compressed rar;
application/x-redhat-package-manager rpm;
application/x-sea sea;
application/x-shockwave-flash swf;
application/x-stuffit sit;
application/x-tcl tcl tk;
application/x-x509-ca-cert der pem crt;
application/x-xpinstall xpi;
application/xhtml+xml xhtml;
application/xspf+xml xspf;
application/zip zip;
application/octet-stream bin exe dll;
application/octet-stream deb;
application/octet-stream dmg;
application/octet-stream iso img;
application/octet-stream msi msp msm;
application/vnd.openxmlformats-officedocument.wordprocessingml.document docx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx;
application/vnd.openxmlformats-officedocument.presentationml.presentation pptx;
audio/midi mid midi kar;
audio/mpeg mp3;
audio/ogg ogg;
audio/x-m4a m4a;
audio/x-realaudio ra;
video/3gpp 3gpp 3gp;
video/mp2t ts;
video/mp4 mp4;
video/mpeg mpeg mpg;
video/quicktime mov;
video/webm webm;
video/x-flv flv;
video/x-m4v m4v;
video/x-mng mng;
video/x-ms-asf asx asf;
video/x-ms-wmv wmv;
video/x-msvideo avi;
}


@ -0,0 +1 @@
/usr/share/nginx/modules-available/mod-http-ndk.conf


@ -0,0 +1 @@
/usr/share/nginx/modules-available/mod-http-auth-pam.conf


@ -0,0 +1 @@
/usr/share/nginx/modules-available/mod-http-cache-purge.conf


@ -0,0 +1 @@
/usr/share/nginx/modules-available/mod-http-dav-ext.conf


@ -0,0 +1 @@
/usr/share/nginx/modules-available/mod-http-echo.conf


@ -0,0 +1 @@
/usr/share/nginx/modules-available/mod-http-fancyindex.conf


@ -0,0 +1 @@
/usr/share/nginx/modules-available/mod-http-geoip.conf


@ -0,0 +1 @@
/usr/share/nginx/modules-available/mod-http-headers-more-filter.conf


@ -0,0 +1 @@
/usr/share/nginx/modules-available/mod-http-image-filter.conf


@ -0,0 +1 @@
/usr/share/nginx/modules-available/mod-http-lua.conf


@ -0,0 +1 @@
/usr/share/nginx/modules-available/mod-http-perl.conf


@ -0,0 +1 @@
/usr/share/nginx/modules-available/mod-http-subs-filter.conf


@ -0,0 +1 @@
/usr/share/nginx/modules-available/mod-http-uploadprogress.conf


@ -0,0 +1 @@
/usr/share/nginx/modules-available/mod-http-upstream-fair.conf


@ -0,0 +1 @@
/usr/share/nginx/modules-available/mod-http-xslt-filter.conf


@ -0,0 +1 @@
/usr/share/nginx/modules-available/mod-mail.conf


@ -0,0 +1 @@
/usr/share/nginx/modules-available/mod-nchan.conf


@ -0,0 +1 @@
/usr/share/nginx/modules-available/mod-stream.conf

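--- a/etc/nginx/nginx.conf
+++ b/etc/nginx/nginx.conf
@@ -0,0 +1,164 @@
+user www-data;
+worker_processes auto;
+worker_rlimit_nofile 100000;
+pid /run/nginx.pid;
+include /etc/nginx/modules-enabled/*.conf;
+error_log /var/log/nginx/error.log crit;
+events {
+worker_connections 4000;
+use epoll;
+multi_accept on;
+}
+http {
+##
+# Basic Settings
+##
+client_max_body_size 32M;
+open_file_cache max=100000 inactive=20s;
+open_file_cache_valid 30s;
+open_file_cache_min_uses 2;
+open_file_cache_errors on;
+types_hash_max_size 2048;
+variables_hash_max_size 2048;
+variables_hash_bucket_size 128;
+sendfile on;
+tcp_nopush on;
+tcp_nodelay on;
+# server_tokens off;
+# server_names_hash_bucket_size 64;
+# server_name_in_redirect off;
+# allow the server to close connection on non responding client, this will free up memory
+reset_timedout_connection on;
+# request timed out -- default 60
+client_body_timeout 10;
+client_header_timeout 10;
+# if client stop responding, free up memory -- default 60
+send_timeout 10;
+# server will close connection after this time -- default 75
+keepalive_timeout 30;
+include /etc/nginx/mime.types;
+default_type application/octet-stream;
+##
+# SSL Settings
+##
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
+ssl_prefer_server_ciphers on;
+##
+# Logging Settings
+##
+#access_log /var/log/nginx/access.log;
+#error_log /var/log/nginx/error.log crit;
+# borrowed from Apache
+# (Could use $host instead of $server_name to log vhost aliases separately)
+log_format vhost_combined '$server_name $remote_addr - $remote_user [$time_local] '
+'"$request" $status $body_bytes_sent '
+'"$http_referer" "$http_user_agent"';
+log_format vcombined '$host:$server_port '
+'$remote_addr - $remote_user [$time_local] '
+'"$request" $status $body_bytes_sent '
+'"$http_referer" "$http_user_agent"';
+# Define an access log for VirtualHosts that don't define their own logfile
+access_log /var/log/nginx/other_vhosts_access.log vcombined;
+##
+# Gzip Settings
+##
+gzip on;
+gzip_min_length 10240;
+gzip_comp_level 1;
+gzip_vary on;
+gzip_disable "msie6";
+gzip_proxied expired no-cache no-store private auth;
+gzip_types
+# text/html is always compressed by HttpGzipModule
+text/css
+text/javascript
+text/xml
+text/plain
+text/x-component
+application/javascript
+application/x-javascript
+application/json
+application/xml
+application/rss+xml
+application/atom+xml
+font/truetype
+font/opentype
+application/vnd.ms-fontobject
+image/svg+xml;
+# gzip_proxied any;
+# gzip_comp_level 6;
+# gzip_buffers 16 8k;
+# gzip_http_version 1.1;
+# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+##
+# DDOS Defense
+##
+# limit the number of connections per single IP
+# limit_conn_zone $binary_remote_addr zone=conn_limit_def:10m;
+# limit_conn_zone $binary_remote_addr zone=conn_limit_mid:32m;
+# limit_conn_zone $binary_remote_addr zone=conn_limit_high:64m;
+# limit the number of requests for a given session
+# limit_req_zone $binary_remote_addr zone=req_limit_def:64m rate=10r/s;
+# limit_req_zone $binary_remote_addr zone=req_limit_mid:128m rate=20r/s;
+# limit_req_zone $binary_remote_addr zone=req_limit_high:512m rate=30r/s;
+# if the request body size is more than the buffer size, then the entire (or partial)
+# request body is written into a temporary file
+client_body_buffer_size 128k;
+# maximum number and size of buffers for large headers to read from client request
+large_client_header_buffers 4 256k;
+##
+# Virtual Host Configs
+##
+include /etc/nginx/conf.d/*.conf;
+include /etc/nginx/sites-enabled/*;
+}
+#mail {
+# # See sample authentication script at:
+# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
+#
+# # auth_http localhost/auth.php;
+# # pop3_capabilities "TOP" "USER";
+# # imap_capabilities "IMAP4rev1" "UIDPLUS";
+#
+# server {
+# listen localhost:110;
+# protocol pop3;
+# proxy on;
+# }
+#
+# server {
+# listen localhost:143;
+# protocol imap;
+# proxy on;
+# }
+#}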
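Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` still enables TLS 1.0 and 1.1, both deprecated; unless `snippets/ssl.conf` (included by every site but not in this commit's visible files) overrides it, the global default should be `ssl_protocols TLSv1.2 TLSv1.3;` (drop `TLSv1.3` if the installed nginx/OpenSSL predates it). `server_tokens off;` is commented out, so every response and error page reports the exact nginx version. `error_log /var/log/nginx/error.log crit;` discards everything below crit, which hides upstream connection failures and rejected requests that an operator or fail2ban jail would normally act on; `error` is the usual level. `large_client_header_buffers 4 256k;` lets a single connection pin up to 1 MB of header buffers, far above the `4 8k` default; if a specific application needs it, a comment naming that application would justify the value, otherwise the default is safer under a flood of large-header requests.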
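--- a/etc/nginx/proxy_params
+++ b/etc/nginx/proxy_params
@@ -0,0 +1,12 @@
+proxy_set_header Host $http_host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+port_in_redirect off;
+proxy_redirect off;
+proxy_connect_timeout 300;
+#proxy_buffering off;
+#proxy_buffer_size 128k;
+#proxy_buffers 100 128k;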
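Review bot: `proxy_connect_timeout 300;` is five times the nginx default and far above the 10 s client timeouts set in nginx.conf, so a stalled upstream holds a worker connection for five minutes per request; `proxy_connect_timeout 10;` (or simply the default) is consistent with the rest of the configuration, and a comment should name the upstream if one genuinely needs a longer connect window. `X-Forwarded-For $proxy_add_x_forwarded_for` appends `$remote_addr` to whatever the client already sent, so a backend that uses the header for access decisions or logging must read the last element, not the first; a comment above that line stating this, `# XFF is client-controlled except for the last hop appended here`, would help application maintainers behind this proxy.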
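--- a/etc/nginx/scgi_params
+++ b/etc/nginx/scgi_params
@@ -0,0 +1,17 @@
+scgi_param REQUEST_METHOD $request_method;
+scgi_param REQUEST_URI $request_uri;
+scgi_param QUERY_STRING $query_string;
+scgi_param CONTENT_TYPE $content_type;
+scgi_param DOCUMENT_URI $document_uri;
+scgi_param DOCUMENT_ROOT $document_root;
+scgi_param SCGI 1;
+scgi_param SERVER_PROTOCOL $server_protocol;
+scgi_param REQUEST_SCHEME $scheme;
+scgi_param HTTPS $https if_not_empty;
+scgi_param REMOTE_ADDR $remote_addr;
+scgi_param REMOTE_PORT $remote_port;
+scgi_param SERVER_PORT $server_port;
+scgi_param SERVER_NAME $server_name;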

@ -0,0 +1,31 @@
server {
include snippets/listen_local.conf;
include snippets/listen.conf;
# include snippets/ddos_def.conf;
server_name auth.envs.net;
return 307 https://$host$request_uri;
}
server {
include snippets/listen_local_ssl.conf;
include snippets/listen_ssl.conf;
# include snippets/ddos_def.conf;
server_name auth.envs.net;
include snippets/ssl.conf;
include ssl/envs_net_wild.conf;
include snippets/local_ssl_header.conf;
error_log /var/log/nginx/envs.net-error.log;
root /var/www/auth.envs.net/;
location / {
index index.php index.html;
}
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
}
}


@ -0,0 +1,34 @@
### BBJ.ENVS.NET - local ###
server {
include snippets/listen_local.conf;
include snippets/listen.conf;
# include snippets/ddos_def.conf;
server_name bbj.envs.net forum.envs.net;
return 307 https://$host$request_uri;
}
server {
include snippets/listen_local_ssl.conf;
include snippets/listen_ssl.conf;
# include snippets/ddos_def.conf;
server_name bbj.envs.net forum.envs.net;
include snippets/ssl.conf;
include ssl/envs_net_wild.conf;
include snippets/local_ssl_header.conf;
error_log /var/log/nginx/bbj.envs.net-error.log crit;
root /var/www/bbj.envs.net/;
location / {
index index.php index.html index.shtml index.htm;
}
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
}
include snippets/favicon;
}


@ -0,0 +1,91 @@
##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# https://www.nginx.com/resources/wiki/start/
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
# https://wiki.debian.org/Nginx/DirectoryStructure
#
# In most cases, administrators will remove this file from sites-enabled/ and
# leave it as reference inside of sites-available where it will continue to be
# updated by the nginx packaging team.
#
# This file will automatically load configuration files provided by other
# applications, such as Drupal or Wordpress. These applications will be made
# available underneath a path with that package name, such as /drupal8.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##
# Default server configuration
#
server {
listen 80 default_server;
listen [::]:80 default_server;
# SSL configuration
#
# listen 443 ssl default_server;
# listen [::]:443 ssl default_server;
#
# Note: You should disable gzip for SSL traffic.
# See: https://bugs.debian.org/773332
#
# Read up on ssl_ciphers to ensure a secure configuration.
# See: https://bugs.debian.org/765782
#
# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
#
# include snippets/snakeoil.conf;
root /var/www/html;
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;
server_name _;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
}
# pass PHP scripts to FastCGI server
#
#location ~ \.php$ {
# include snippets/fastcgi-php.conf;
#
# # With php-fpm (or other unix sockets):
# fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
# # With php-cgi (or other tcp sockets):
# fastcgi_pass 127.0.0.1:9000;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}
# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
# listen 80;
# listen [::]:80;
#
# server_name example.com;
#
# root /var/www/example.com;
# index index.html;
#
# location / {
# try_files $uri $uri/ =404;
# }
#}


@ -0,0 +1,98 @@
### ENVS.NET - local ###
server {
# listen 80 default_server;
include snippets/listen_local.conf;
include snippets/listen.conf;
# include snippets/ddos_def.conf;
server_name envs.net www.envs.net _;
error_log /var/log/nginx/envs.net-error.log crit;
location / {
return 307 https://$host$request_uri;
}
location /.well-known/acme-challenge/ {
alias /var/lib/letsencrypt/.well-known/acme-challenge/;
}
}
server {
# listen 443 ssl http2 default_server;
include snippets/listen_local_ssl.conf;
include snippets/listen_ssl.conf;
# include snippets/ddos_def.conf;
server_name envs.net www.envs.net _;
include snippets/ssl.conf;
include ssl/envs_net_wild.conf;
include snippets/local_ssl_header.conf;
add_header X-Frame-Options "ALLOW-FROM https://envs.sh/";
error_log /var/log/nginx/envs.net-error.log crit;
include snippets/error_pages;
root /var/www/envs.net/;
index index.php index.html;
rewrite ^([^.\?]*[^/])$ $1/ permanent;
location / {
add_header Access-Control-Allow-Origin *;
try_files $uri.html $uri $uri/ @extensionless-php;
}
location @extensionless-php {
rewrite ^(.*)/$ $1.php last;
}
location /cgi-bin {
gzip off;
include fastcgi_params;
fastcgi_pass unix:/var/run/fcgiwrap.socket;
}
# users
location ~ ^/(~|u/)(?<user>[\w-]+)(?<user_uri>/.*)?$ {
alias /home/$user/public_html$user_uri;
index index.html index.php;
fancyindex on;
fancyindex_exact_size off;
add_header X-Frame-Options SAMEORIGIN;
location ~ [^/]\.php(/|$) {
include snippets/php_common;
}
location ~ (\.cgi|\.py|\.sh|\.pl|\.lua|\/cgi-bin)$ {
gzip off;
include fastcgi_params;
fastcgi_pass unix:/var/run/fcgiwrap.socket;
fastcgi_param SCRIPT_FILENAME /home/$user/public_html$request_filename;
}
}
location ~* /\.(eot|ttf|woff|woff2)$ {
add_header Access-Control-Allow-Origin *;
expires 365d;
}
location ~* /\.(jpg|jpeg|png|gif|ico|css|js)$ {
add_header Access-Control-Allow-Origin *;
expires 365d;
}
location ~* /\.(pdf)$ {
expires 30d;
}
location ~ /(\.ht|\.git)$ {
deny all;
}
# include php and ssi
include snippets/php.conf;
ssi on;
}

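Review bot: `location / { add_header Access-Control-Allow-Origin *; ... }` and the two static-asset locations below it set their own `add_header`, and nginx only inherits `add_header` from the enclosing level when a location sets none, so responses from those locations lose the server-level `X-Frame-Options` and whatever `snippets/local_ssl_header.conf` adds. `X-Frame-Options "ALLOW-FROM ..."` is also ignored by Chromium and WebKit, so framing is unrestricted there regardless; `add_header Content-Security-Policy "frame-ancestors 'self' https://envs.sh";` is the supported form, and putting the header set in one snippet included by every location that calls `add_header` keeps the inheritance rule from silently dropping it. `location ~ /(\.ht|\.git)$ { deny all; }` only matches URIs that end in `.ht` or `.git`, so `/.git/config` or `/.htpasswd` are still served; `location ~ /\.(ht|git) { deny all; }` covers the directory and its contents, and it must appear before the `^/(~|u/)` regex location if it is meant to protect user home pages too, because regex locations are tried in file order. In the per-user CGI block, `fastcgi_param SCRIPT_FILENAME /home/$user/public_html$request_filename;` looks doubled — under `alias`, `$request_filename` should already be the full on-disk path — so `$request_filename` alone is probably what is intended; please confirm with a real request before changing it.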

@ -0,0 +1,55 @@
### ENVS.SH - lxc - nullpointer ###
server {
include snippets/listen.conf;
# include snippets/ddos_def.conf;
server_name envs.sh 0x0.envs.sh null.envs.sh;
location / {
return 307 https://$host$request_uri;
}
location /.well-known/acme-challenge/ {
alias /var/lib/letsencrypt/.well-known/acme-challenge/;
}
}
server {
include snippets/listen_ssl.conf;
# include snippets/ddos_def.conf;
server_name envs.sh 0x0.envs.sh null.envs.sh;
include snippets/ssl.conf;
include ssl/envs_sh_wild.conf;
client_max_body_size 512M;
error_log /var/log/nginx/envs.sh-error.log crit;
location / {
include proxy_params;
proxy_ssl_name $http_host;
proxy_ssl_server_name on;
proxy_pass https://envs.sh;
}
include snippets/favicon;
}
# 0x0.envs.net
server {
include snippets/listen.conf;
# include snippets/ddos_def.conf;
server_name 0x0.envs.net null.envs.net;
return 307 https://envs.sh$request_uri;
}
server {
include snippets/listen_ssl.conf;
# include snippets/ddos_def.conf;
server_name 0x0.envs.net null.envs.net;
return 307 https://envs.sh$request_uri;
include snippets/ssl.conf;
include ssl/envs_net_wild.conf;
}

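Review bot: `proxy_pass https://envs.sh;` forwards to the same name this server answers for, so the upstream must resolve on this host to the container address (via /etc/hosts or split DNS) and not to the public address, otherwise the request loops straight back into this server; a comment above the line naming the expected resolution target, `# resolves to the lxc container via /etc/hosts, not the public IP`, documents that dependency, and an explicit container address in `proxy_pass` would remove it. The same pattern is used in the git.envs.net, lists.envs.net, mail.envs.net and pad.envs.net sites. None of these set `proxy_ssl_verify on;` with a `proxy_ssl_trusted_certificate`, so the container's certificate is never checked by the host; on a private lxc bridge that is a defensible trade-off, but it should be stated in a comment so nobody reads `proxy_ssl_server_name on` as end-to-end verification.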

@ -0,0 +1,27 @@
### GIT.ENVS.NET - lxc ###
server {
listen 5.199.130.141:80;
# include snippets/ddos_mid.conf;
server_name git.envs.net gitea.envs.net;
return 307 https://$host$request_uri;
}
# SSL
server {
listen 5.199.130.141:443 ssl http2;
# include snippets/ddos_mid.conf;
server_name git.envs.net gitea.envs.net;
include snippets/ssl.conf;
include ssl/envs_net_wild.conf;
error_log /var/log/nginx/git.envs.net-error.log crit;
location / {
include proxy_params;
proxy_ssl_name $http_host;
proxy_ssl_server_name on;
proxy_pass https://git.envs.net;
}
}


@ -0,0 +1,29 @@
### GOPHER.ENVS.NET - local ###
server {
include snippets/listen_local.conf;
include snippets/listen.conf;
# include snippets/ddos_def.conf;
server_name gopher.envs.net gopherproxy.envs.net;
return 307 https://$server_name$request_uri;
}
server {
include snippets/listen_local_ssl.conf;
include snippets/listen_ssl.conf;
# include snippets/ddos_def.conf;
server_name gopher.envs.net gopherproxy.envs.net;
include snippets/ssl.conf;
include ssl/envs_net_wild.conf;
include snippets/local_ssl_header.conf;
error_log /var/log/nginx/gopher.envs.net-error.log crit;
location / {
include proxy_params;
proxy_pass http://127.0.0.1:8993;
}
include snippets/favicon;
}


@ -0,0 +1,27 @@
### HELP.ENVS.NET - local ###
server {
include snippets/listen_local.conf;
include snippets/listen.conf;
# include snippets/ddos_def.conf;
server_name help.envs.net;
return 307 https://$host$request_uri;
}
server {
include snippets/listen_local_ssl.conf;
include snippets/listen_ssl.conf;
# include snippets/ddos_def.conf;
server_name help.envs.net;
include snippets/ssl.conf;
include ssl/envs_net_wild.conf;
include snippets/local_ssl_header.conf;
error_log /var/log/nginx/help.envs.net-error.log crit;
root /var/www/docs/help/site/;
location / {
index index.html;
}
}


@ -0,0 +1,32 @@
### IP.ENVS.NET - local ###
server {
include snippets/listen_local.conf;
include snippets/listen.conf;
# include snippets/ddos_def.conf;
server_name ip.envs.net whois.envs.net ifconfig.envs.net ifconf.envs.net ping.envs.net checkip.envs.net ipconfig.envs.net ipconf.envs.net;
error_log /var/log/nginx/ip.envs.net-error.log crit;
location / {
include proxy_params;
proxy_pass http://127.0.0.1:8080;
}
}
server {
include snippets/listen_local_ssl.conf;
include snippets/listen_ssl.conf;
# include snippets/ddos_def.conf;
server_name ip.envs.net whois.envs.net ifconfig.envs.net ifconf.envs.net ping.envs.net checkip.envs.net ipconfig.envs.net ipconf.envs.net;
include snippets/ssl.conf;
include ssl/envs_net_wild.conf;
include snippets/local_ssl_header.conf;
error_log /var/log/nginx/ip.envs.net-error.log crit;
location / {
include proxy_params;
proxy_pass http://127.0.0.1:8080;
}
}


@ -0,0 +1,32 @@
### IP.ENVS.SH - local ###
server {
include snippets/listen_local.conf;
include snippets/listen.conf;
# include snippets/ddos_def.conf;
server_name ip.envs.sh whois.envs.sh;
error_log /var/log/nginx/ip.envs.net-error.log crit;
location / {
include proxy_params;
proxy_pass http://127.0.0.1:8080;
}
}
server {
include snippets/listen_local_ssl.conf;
include snippets/listen_ssl.conf;
# include snippets/ddos_mid.conf;
server_name ip.envs.sh whois.envs.sh;
include snippets/ssl.conf;
include ssl/envs_sh_wild.conf;
include snippets/local_ssl_header.conf;
error_log /var/log/nginx/ip.envs.net-error.log crit;
location / {
include proxy_params;
proxy_pass http://127.0.0.1:8080;
}
}


@ -0,0 +1,27 @@
### LISTS.ENVS.NET - lxc ###
server {
listen 5.199.136.29:80;
# include snippets/ddos_def.conf;
server_name lists.envs.net;
return 307 https://$host$request_uri;
}
# SSL
server {
listen 5.199.136.29:443 ssl http2;
# include snippets/ddos_def.conf;
server_name lists.envs.net;
include snippets/ssl.conf;
include ssl/envs_net_wild.conf;
error_log /var/log/nginx/lists.envs.net-error.log crit;
location / {
include proxy_params;
proxy_ssl_name $http_host;
proxy_ssl_server_name on;
proxy_pass https://lists.envs.net;
}
}


@ -0,0 +1,58 @@
### MAIL.ENVS.NET - lxc ###
server {
listen 5.199.136.28:80;
# include snippets/ddos_mid.conf;
server_name mail.envs.net webmail.envs.net autodiscover.envs.net smtp.envs.net imap.envs.net;
include /etc/nginx/proxy_params;
location / {
return 307 https://$host$request_uri;
}
location /.well-known/acme-challenge/ {
include proxy_params;
proxy_pass http://mail.envs.net/.well-known/acme-challenge/;
}
}
# automx
server {
listen 5.199.136.28:80;
# include snippets/ddos_mid.conf;
server_name autoconfig.envs.net;
include /etc/nginx/proxy_params;
location / {
include proxy_params;
proxy_pass http://autoconfig.envs.net/;
}
location /.well-known/acme-challenge/ {
include proxy_params;
proxy_pass http://mail.envs.net/.well-known/acme-challenge/;
}
}
server {
listen 5.199.136.28:443 ssl http2;
# include snippets/ddos_mid.conf;
server_name mail.envs.net webmail.envs.net autodiscover.envs.net;
ssl_certificate /var/lib/lxc/mail/rootfs/etc/letsencrypt/live/mail.envs.net/fullchain.pem;
ssl_certificate_key /var/lib/lxc/mail/rootfs/etc/letsencrypt/live/mail.envs.net/privkey.pem;
ssl_dhparam /var/lib/lxc/mail/rootfs/etc/nginx/dhparam.pem;
ssl_trusted_certificate /var/lib/lxc/mail/rootfs/etc/letsencrypt/live/mail.envs.net/chain.pem;
include snippets/ssl.conf;
error_log /var/log/nginx/mail.envs.net-error.log crit;
location / {
include proxy_params;
proxy_ssl_name $http_host;
proxy_ssl_server_name on;
proxy_pass https://mail.envs.net;
}
}
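Review bot: The two `/.well-known/acme-challenge/` locations proxy to `http://mail.envs.net/...` while this very server answers for mail.envs.net on 5.199.136.28:80, so they only work if mail.envs.net resolves on the host to the container's address (presumably via /etc/hosts or the LXC resolver) rather than to the public IP; otherwise the request loops back into this block. A comment next to the first `proxy_pass` would make that dependency explicit: `# mail.envs.net must resolve to the container on this host, not to 5.199.136.28, or this loops`. The SSL server reads its certificate and private key out of `/var/lib/lxc/mail/rootfs/...`, which means the host's nginx workers need read access to the container's key material and a renewal inside the container will not reload this nginx unless the deploy hook installed by the Makefile's `letsencrypt` target covers it — worth a comment stating which hook does that. The server-level `include /etc/nginx/proxy_params;` in both plain-HTTP server blocks is redundant with the `include proxy_params;` inside each location and can be dropped.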


@ -0,0 +1,30 @@
### PAD.ENVS.NET - lxc ###
server {
include snippets/listen.conf;
# include snippets/ddos_high.conf;
server_name pad.envs.net;
return 307 https://$host$request_uri;
}
# SSL
server {
include snippets/listen_ssl.conf;
# include snippets/ddos_high.conf;
server_name pad.envs.net;
include snippets/ssl.conf;
include ssl/envs_net_wild.conf;
error_log /var/log/nginx/pad.envs.net-error.log crit;
location / {
include proxy_params;
proxy_ssl_name $http_host;
proxy_ssl_server_name on;
proxy_pass https://pad.envs.net;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
}
}
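Review bot: The `location /` in the SSL server sets the `Upgrade`/`Connection` headers for WebSocket but never sets `proxy_http_version 1.1;`, so nginx speaks HTTP/1.0 to the upstream and the upgrade cannot complete (the WEBIRC section gets this right). Add `proxy_http_version 1.1;` before the two `proxy_set_header` lines. The hard-coded `Connection "Upgrade"` is also sent on ordinary requests; the `$connection_upgrade` map declared in the <USER>.ENVS.NET section exists for exactly this (`proxy_set_header Connection $connection_upgrade;`), provided that file is always enabled alongside this one.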


@ -0,0 +1,27 @@
### PB.ENVS.NET - lxc ###
server {
include snippets/listen.conf;
# include snippets/ddos_mid.conf;
server_name pb.envs.net pastebin.envs.net;
return 307 https://$host$request_uri;
}
# SSL
server {
include snippets/listen_ssl.conf;
# include snippets/ddos_mid.conf;
server_name pb.envs.net pastebin.envs.net;
include snippets/ssl.conf;
include ssl/envs_net_wild.conf;
error_log /var/log/nginx/pb.envs.net-error.log crit;
location / {
include proxy_params;
proxy_ssl_name $http_host;
proxy_ssl_server_name on;
proxy_pass https://pb.envs.net;
}
}


@ -0,0 +1,27 @@
### RSS.ENVS.NET - lxc ###
server {
include snippets/listen.conf;
# include snippets/ddos_high.conf;
server_name rss.envs.net;
return 307 https://$host$request_uri;
}
# SSL
server {
include snippets/listen_ssl.conf;
# include snippets/ddos_high.conf;
server_name rss.envs.net;
include snippets/ssl.conf;
include ssl/envs_net_wild.conf;
error_log /var/log/nginx/rss.envs.net-error.log crit;
location / {
include proxy_params;
proxy_ssl_name $http_host;
proxy_ssl_server_name on;
proxy_pass https://rss.envs.net;
}
}


@ -0,0 +1,27 @@
### SEARX.ENVS.NET - lxc ###
server {
include snippets/listen.conf;
# include snippets/ddos_mid.conf;
server_name searx.envs.net search.envs.net;
return 307 https://$host$request_uri;
}
# SSL
server {
include snippets/listen_ssl.conf;
# include snippets/ddos_mid.conf;
server_name searx.envs.net search.envs.net;
include snippets/ssl.conf;
include ssl/envs_net_wild.conf;
error_log /var/log/nginx/searx.envs.net-error.log crit;
location / {
include proxy_params;
proxy_ssl_name $http_host;
proxy_ssl_server_name on;
proxy_pass https://searx.envs.net;
}
}


@ -0,0 +1,27 @@
### STATS.ENVS.NET - local ###
server {
include snippets/listen_local.conf;
include snippets/listen.conf;
# include snippets/ddos_def.conf;
server_name stats.envs.net;
return 307 https://$host$request_uri;
}
server {
include snippets/listen_local_ssl.conf;
include snippets/listen_ssl.conf;
# include snippets/ddos_def.conf;
server_name stats.envs.net;
include snippets/ssl.conf;
include ssl/envs_net_wild.conf;
include snippets/local_ssl_header.conf;
error_log /var/log/nginx/stats.envs.net-error.log crit;
root /var/www/envs.net/;
location / {
index stats.html;
}
}
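Review bot: `root /var/www/envs.net/;` with `index stats.html` in `location /` serves the whole `/var/www/envs.net/` tree under stats.envs.net, not just the stats page; anything placed there for the main site (backups, dotfiles, generated data) becomes reachable on this hostname as well. If only the stats page is meant to be public, point `root` at a dedicated directory, or use `location = / { try_files /stats.html =404; }` and answer 404 for everything else. The TTBP section has the same shape with `root` set to the ttbp `public_html` directory, which is presumably intentional there.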


@ -0,0 +1,31 @@
### TB.ENVS.NET - lxc ###
server {
include snippets/listen.conf;
# include snippets/ddos_def.conf;
server_name tb.envs.net termbin.envs.net;
return 307 https://$host$request_uri;
}
# SSL
server {
include snippets/listen_ssl.conf;
# include snippets/ddos_def.conf;
server_name tb.envs.net termbin.envs.net;
error_log /var/log/nginx/tb.envs.net-error.log crit;
include snippets/ssl.conf;
include ssl/envs_net_wild.conf;
client_max_body_size 256M;
location / {
include proxy_params;
proxy_ssl_name $http_host;
proxy_ssl_server_name on;
proxy_pass https://tb.envs.net;
}
include snippets/favicon;
}


@ -0,0 +1,27 @@
### TTBP.ENVS.NET - local ###
server {
include snippets/listen_local.conf;
include snippets/listen.conf;
# include snippets/ddos_def.conf;
server_name ttbp.envs.net;
return 307 https://$host$request_uri;
}
server {
include snippets/listen_local_ssl.conf;
include snippets/listen_ssl.conf;
# include snippets/ddos_def.conf;
server_name ttbp.envs.net;
include snippets/ssl.conf;
include ssl/envs_net_wild.conf;
include snippets/local_ssl_header.conf;
error_log /var/log/nginx/ttbp.envs.net-error.log crit;
root /var/global/ttbp/public_html/;
location / {
index index.html;
}
}


@ -0,0 +1,30 @@
### TWTXT.ENVS.NET - local ###
server {
include snippets/listen_local.conf;
include snippets/listen.conf;
# include snippets/ddos_mid.conf;
server_name twtxt.envs.net;
return 307 https://$server_name$request_uri;
}
server {
include snippets/listen_local_ssl.conf;
include snippets/listen_ssl.conf;
# include snippets/ddos_mid.conf;
server_name twtxt.envs.net;
include snippets/ssl.conf;
include ssl/envs_net_wild.conf;
include snippets/local_ssl_header.conf;
error_log /var/log/nginx/twtxt.envs.net-error.log crit;
location / {
include proxy_params;
proxy_pass http://127.0.0.1:9001;
}
include snippets/favicon;
}


@ -0,0 +1,31 @@
### <USER>.ENVS.NET - local ###
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
limit_req_zone $binary_remote_addr zone=weechat:10m rate=10r/m;
server {
include snippets/listen_local.conf;
include snippets/listen.conf;
# include snippets/ddos_def.conf;
server_name ~^(.*)\.envs\.net;
return 307 https://$1.envs.net$request_uri;
}
server {
include snippets/listen_local_ssl.conf;
include snippets/listen_ssl.conf;
# include snippets/ddos_def.conf;
server_name ~^(?<user>[^.]+)\.envs\.net;
include snippets/ssl.conf;
include ssl/envs_net_wild.conf;
include snippets/local_ssl_header.conf;
error_log /var/log/nginx/envs.net-error.log crit;
include snippets/user.envs.conf;
}
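Review bot: The plain-HTTP server matches `~^(.*)\.envs\.net` and redirects to `https://$1.envs.net$request_uri`, while the SSL server only matches a single label `(?<user>[^.]+)`; a request for `a.b.envs.net` is therefore redirected to a name that neither the SSL block nor the wildcard certificate covers, and neither regex is anchored at the end of the name. Use the same anchored pattern in both blocks, `server_name ~^(?<user>[^.]+)\.envs\.net$;`, and redirect with `return 307 https://$user.envs.net$request_uri;`. The <USER>.ENVS.SH section has the same pair of regexes and the same `map $http_upgrade $connection_upgrade` declaration; one shared snippet in http context would avoid declaring the map twice. `limit_req_zone … zone=weechat` is declared here but not referenced in this file; if it is consumed inside `snippets/user.envs.conf`, a comment saying so would save the next reader a search.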


@ -0,0 +1,29 @@
### <USER>.ENVS.SH - local ###
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server {
include snippets/listen_local.conf;
include snippets/listen.conf;
# include snippets/ddos_def.conf;
server_name ~^(.*)\.envs\.sh;
return 307 https://$1.envs.sh$request_uri;
}
server {
include snippets/listen_local_ssl.conf;
include snippets/listen_ssl.conf;
# include snippets/ddos_def.conf;
server_name ~^(?<user>[^.]+)\.envs\.sh;
include snippets/ssl.conf;
include ssl/envs_sh_wild.conf;
include snippets/local_ssl_header.conf;
error_log /var/log/nginx/envs.net-error.log crit;
include snippets/user.envs.conf;
}


@ -0,0 +1,32 @@
### WEBIRC.ENVS.NET - local ###
server {
include snippets/listen_local.conf;
include snippets/listen.conf;
# include snippets/ddos_def.conf;
server_name lounge.envs.net webirc.envs.net;
return 307 https://webirc.envs.net$request_uri;
}
server {
include snippets/listen_local_ssl.conf;
include snippets/listen_ssl.conf;
# include snippets/ddos_def.conf;
server_name lounge.envs.net webirc.envs.net;
include snippets/ssl.conf;
include ssl/envs_net_wild.conf;
include snippets/local_ssl_header.conf;
error_log /var/log/nginx/webirc.envs.net-error.log crit;
location / {
include proxy_params;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
add_header 'Access-Control-Allow-Origin' "$http_origin" always;
proxy_pass http://127.0.0.1:9000;
}
}
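Review bot: `add_header 'Access-Control-Allow-Origin' "$http_origin" always;` in `location /` reflects whatever Origin the client sends, which is equivalent to `*` but also works for credentialed requests, so any site can have the browser call this endpoint with the user's cookies and read the response. If cross-origin access is really needed, restrict it to an allowlist built with a `map` in http context and emit the header only on a match (nginx omits `add_header` when the value is empty); if it is only for the lounge's own pages, the header can go entirely, since same-origin requests do not need CORS. Note that `always` also attaches the header to error responses.
```nginx
# http context (e.g. a snippet included before this vhost)
map $http_origin $cors_origin {
    default                   "";
    "https://webirc.envs.net" $http_origin;
    "https://lounge.envs.net" $http_origin;
}
# … unchanged: plain-HTTP redirect server and SSL server head …
        add_header 'Access-Control-Allow-Origin' $cors_origin always;
```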


@ -0,0 +1,40 @@
### ZNC.ENVS.NET - local ###
server {
include snippets/listen_local.conf;
include snippets/listen.conf;
# include snippets/ddos_def.conf;
server_name znc.envs.net bouncer.envs.net;
location / {
return 307 https://$host$request_uri;
}
location /.well-known/acme-challenge/ {
alias /var/lib/letsencrypt/.well-known/acme-challenge/;
}
}
# SSL
server {
include snippets/listen_local_ssl.conf;
include snippets/listen_ssl.conf;
# include snippets/ddos_def.conf;
server_name znc.envs.net bouncer.envs.net;
ssl_certificate /etc/letsencrypt/live/znc.envs.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/znc.envs.net/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/znc.envs.net/chain.pem;
ssl_dhparam /etc/ssl/certs/envs_dhparam.pem;
include snippets/ssl.conf;
include snippets/local_ssl_header.conf;
error_log /var/log/nginx/znc.envs.net-error.log crit;
location / {
include proxy_params;
proxy_ssl_name $http_host;
proxy_ssl_server_name on;
proxy_pass https://znc.envs.net:6667;
}
}
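Review bot: `proxy_pass https://znc.envs.net:6667;` sends the web UI to a port conventionally associated with plaintext IRC, and nothing in this file says that ZNC's listener there is TLS and serves HTTP; a reader or a later firewall rule can easily mistake it. A one-line comment above the `proxy_pass` would settle it: `# ZNC listener on 6667 is TLS and serves the web UI; keep in sync with the ZNC config`. This vhost also uses its own Let's Encrypt certificate and a host-local ACME alias rather than the wildcard cert used by the other sections — presumably deliberate, but a comment on the `ssl_certificate` line stating why would help.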


@ -0,0 +1 @@
/etc/nginx/sites-available/bbj.envs.net.conf


@ -0,0 +1 @@
/etc/nginx/sites-available/envs.net.conf


@ -0,0 +1 @@
/etc/nginx/sites-available/envs.sh.conf


@ -0,0 +1 @@
/etc/nginx/sites-available/git.envs.net.conf


@ -0,0 +1 @@
/etc/nginx/sites-available/gopher.envs.net.conf


@ -0,0 +1 @@
/etc/nginx/sites-available/help.envs.net.conf


@ -0,0 +1 @@
/etc/nginx/sites-available/ip.envs.net.conf


@ -0,0 +1 @@
/etc/nginx/sites-available/ip.envs.sh.conf


@ -0,0 +1 @@
/etc/nginx/sites-available/lists.envs.net.conf


@ -0,0 +1 @@
/etc/nginx/sites-available/mail.envs.net.conf
