init
ff71b8fb76
@ -0,0 +1,117 @@
|
|||
BASENAME ?= envs
|
||||
|
||||
PREFIX ?= /usr/local
|
||||
BINDIR ?= $(PREFIX)/bin
|
||||
|
||||
|
||||
YELLOW = $$(tput setaf 226)
|
||||
GREEN = $$(tput setaf 46)
|
||||
RED = $$(tput setaf 196)
|
||||
RESET = $$(tput sgr0)
|
||||
|
||||
|
||||
install:
|
||||
@make bin etc cron fail2ban initd letsencrypt nginx ssh sysctl systemd motd znc
|
||||
|
||||
uninstall:
|
||||
@make clean
|
||||
clean:
|
||||
@printf "$(YELLOW)--- clean -----------------------------------------------\n$(RESET)"
|
||||
stow -t "$(BINDIR)" -D bin
|
||||
|
||||
stow -t /etc/cron.d -D -d etc cron.d
|
||||
@rm -fv /etc/inetd.conf /etc/inputrc /etc/nanorc /etc/sudoers
|
||||
@rm -fv /etc/fail2ban/jail.d/envs.conf
|
||||
@rm -fv /etc/init.d/S41firewall
|
||||
@rm -fv /etc/letsencrypt/renewal-hooks/deploy/envs.sh
|
||||
stow -t /etc/nginx -D -d etc nginx
|
||||
@rm -fv /etc/ssh/ssh_config /etc/ssh/sshd_config
|
||||
stow -t /etc/sysctl.d -D -d etc sysctl.d
|
||||
stow -t /etc/systemd/system -D -d etc/systemd system
|
||||
stow -t /etc/update-motd.d -D -d etc update-motd.d
|
||||
|
||||
@rm -fv /srv/znc/add_znc_user.sh /srv/znc/newuser.conf.template
|
||||
|
||||
|
||||
bin:
|
||||
@printf "$(GREEN)--- bin ------------------------------------------------\n$(RESET)"
|
||||
stow -t "$(BINDIR)" bin
|
||||
|
||||
etc:
|
||||
@printf "$(GREEN)--- etc ------------------------------------------------\n$(RESET)"
|
||||
@install -m 644 etc/etc/inetd.conf /etc
|
||||
@install -m 644 etc/etc/inputrc /etc
|
||||
@install -m 644 etc/etc/nanorc /etc
|
||||
@install -m 644 etc/etc/sudoers /etc
|
||||
|
||||
cron:
|
||||
@printf "$(GREEN)--- cron -----------------------------------------------\n$(RESET)"
|
||||
stow -t /etc/cron.d -d etc cron.d
|
||||
|
||||
fail2ban:
|
||||
@printf "$(GREEN)--- letsencrypt ----------------------------------------\n$(RESET)"
|
||||
@install -m 755 etc/fail2ban/jail.d/envs.conf /etc/fail2ban/jail.d/
|
||||
|
||||
initd:
|
||||
@printf "$(GREEN)--- init.d ---------------------------------------------\n$(RESET)"
|
||||
@install -m 755 etc/init.d/S41firewall /etc/init.d/
|
||||
|
||||
letsencrypt:
|
||||
@printf "$(GREEN)--- letsencrypt ----------------------------------------\n$(RESET)"
|
||||
@install -m 755 etc/letsencrypt/renewal-hooks/deploy/envs.sh /etc/letsencrypt/renewal-hooks/deploy/
|
||||
|
||||
nginx:
|
||||
@printf "$(GREEN)--- nginx ----------------------------------------------\n$(RESET)"
|
||||
@rm -rf /etc/nginx/conf.d /etc/nginx/modules-available
|
||||
stow -t /etc/nginx -d etc nginx
|
||||
@mkdir /etc/nginx/conf.d /etc/nginx/modules-available
|
||||
|
||||
ssh:
|
||||
@printf "$(GREEN)--- ssh ------------------------------------------------\n$(RESET)"
|
||||
@install -m 644 etc/ssh/ssh_config /etc/ssh/
|
||||
@install -m 644 etc/ssh/sshd_config /etc/ssh/
|
||||
|
||||
sysctl:
|
||||
@printf "$(GREEN)--- sysctl.d -------------------------------------------\n$(RESET)"
|
||||
stow -t /etc/sysctl.d -d etc sysctl.d
|
||||
|
||||
systemd:
|
||||
@printf "$(GREEN)--- systemd --------------------------------------------\n$(RESET)"
|
||||
stow -t /etc/systemd/system -d etc/systemd system
|
||||
|
||||
motd:
|
||||
@printf "$(GREEN)--- motd -----------------------------------------------\n$(RESET)"
|
||||
stow -t /etc/update-motd.d -d etc update-motd.d
|
||||
|
||||
znc:
|
||||
@printf "$(GREEN)--- znc ------------------------------------------------\n$(RESET)"
|
||||
@install -m 755 srv/znc/add_znc_user.sh /srv/znc
|
||||
@install -m 644 srv/znc/newuser.conf.template /srv/znc
|
||||
@chown znc:znc /srv/znc/add_znc_user.sh /srv/znc/newuser.conf.template
|
||||
|
||||
|
||||
nuke:
|
||||
@printf "$(RED)--- nuking existing files ---------------------------------\n$(RESET)"
|
||||
@rm -fv "$(BINDIR)"/conntrack.sh "$(BINDIR)"/envs_conntracks.sh
|
||||
@rm -fv "$(BINDIR)"/envs_* "$(BINDIR)"/envs_user_manage "$(BINDIR)"/welcome-email.tmpl "$(BINDIR)"/welcome-readme.tmpl
|
||||
@rm -fv "$(BINDIR)"/byobu-info "$(BINDIR)"/chat "$(BINDIR)"/dcss "$(BINDIR)"/hole "$(BINDIR)"/idiff "$(BINDIR)"/motd \
|
||||
"$(BINDIR)"/online-users "$(BINDIR)"/webirc
|
||||
|
||||
@rm -fv /etc/cron.d/conntrack /etc/cron.d/envs_* /etc/cron.d/backup \
|
||||
/etc/cron.d/botany /etc/cron.d/certbot /etc/cron.d/update-blacklist /etc/cron.d/update-blacklist_fail2ban
|
||||
|
||||
@rm -fv /etc/fail2ban/jail.d/envs.conf
|
||||
@rm -fv /etc/init.d/S41firewall
|
||||
@rm -fv /etc/letsencrypt/renewal-hooks/deploy/envs.sh
|
||||
@rm -rfv /etc/nginx/*
|
||||
@rm -fv /etc/ssh/ssh_config /etc/ssh/sshd_config
|
||||
@rm -fv /etc/sysctl.d/10-kernel-hardening.conf /etc/sysctl.d/30-lxc-inotify.conf \
|
||||
/etc/sysctl.d/fs.conf /etc/sysctl.d/net.conf /etc/sysctl.d/panic.conf /etc/sysctl.d/protect-links.conf
|
||||
@rm -fv /etc/systemd/system/bbj.service /etc/systemd/system/gopherproxy.service \
|
||||
/etc/systemd/system/ifconfigme.service /etc/systemd/system/thelounge.service /etc/systemd/system/znc.service
|
||||
@rm -fv /etc/update-motd.d/*
|
||||
|
||||
@rm -fv /srv/znc/add_znc_user.sh /srv/znc/newuser.conf.template
|
||||
|
||||
|
||||
.PHONY: install clean uninstall nuke bin etc cron fail2ban initd letsencrypt nginx ssh sysctl systemd motd znc
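Review bot: `@install -m 644 etc/etc/sudoers /etc` in the `etc` target installs `/etc/sudoers` world-readable; sudo by default refuses a sudoers file that is not mode 0440 (`sudoers is mode 0644, should be 0440`), so this target locks everyone out of sudo on the host until the mode is corrected, and a syntax error in the shipped file does the same — use `@install -m 440 etc/etc/sudoers /etc` and run `visudo -cf etc/etc/sudoers` as a prerequisite step. The `fail2ban` target prints the `letsencrypt` banner (copy-paste at `@printf "$(GREEN)--- letsencrypt …"`) and installs a jail config with `-m 755`; `-m 644` matches the other config files it ships. The recursive calls in `install` and `uninstall` should be `$(MAKE)` rather than `@make` so `-n` and other flags propagate. `BASENAME ?= envs` is not referenced anywhere in this file.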
|
|
@ -0,0 +1,3 @@
|
|||
#!/bin/sh
|
||||
|
||||
python3 /opt/services/AV-98/av98.py "$@"
|
|
@ -0,0 +1,15 @@
|
|||
#!/usr/bin/env sh
|
||||
|
||||
/usr/local/bin/motd
|
||||
|
||||
/usr/bin/figlet -f smslant welcome!
|
||||
|
||||
printf "you're in a byobu session\n"
|
||||
printf "if you're familiar with tmux, continue as normal, but with ctrl-a instead of ctrl-b\n"
|
||||
printf "if you don't want to this happen by default when you log in, run byobu-disable.\n"
|
||||
printf 'press shift-f1 for a full list of keybinds\n'
|
||||
printf 'man byobu for more info\n\n'
|
||||
printf 'f2 creates a new tab\n'
|
||||
printf 'f3 and f4 move you between tabs\n'
|
||||
printf 'f6 disconnects and leaves everything running\n'
|
||||
printf 'shift-f12 disable/enable byobu f-key bindings\n'
|
|
@ -0,0 +1,15 @@
|
|||
#!/usr/bin/env bash
|
||||
|
||||
[[ "$EUID" -ne 0 ]] && printf 'Please run as root!\n' && exit 1
|
||||
|
||||
f="/var/log/conntrack.log"
|
||||
|
||||
d="$(date)"
|
||||
n1="$(/sbin/sysctl -a 2>&1 | grep -i 'net.netfilter.nf_conntrack_max')"
|
||||
n2="$(/sbin/sysctl -a 2>&1 | grep -i 'net.nf_conntrack_max')"
|
||||
c="$(/sbin/sysctl net.netfilter.nf_conntrack_count)"
|
||||
|
||||
echo "conntrack: $d: $n1, $n2, $c" >> $f
|
||||
|
||||
#
|
||||
exit 0
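Review bot: `echo "conntrack: $d: $n1, $n2, $c" >> $f` leaves `$f` unquoted while every other path in the script is quoted; write `>> "$f"`. The two `/sbin/sysctl -a 2>&1 | grep -i …` pipelines dump the whole sysctl tree and match with an unescaped `.`; querying the keys directly, `n1="$(/sbin/sysctl net.netfilter.nf_conntrack_max 2>&1)"`, is cheaper and exact. The sibling `envs_conntracks.sh` in this commit reads `/var/log/conntrack.log` by field position (`awk '{print $17}'`), so this line's layout is a contract worth stating: `# line layout is parsed positionally by envs_conntracks.sh; do not reorder fields`.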
|
|
@ -0,0 +1,11 @@
|
|||
#!/bin/sh
|
||||
set -e
|
||||
|
||||
SOURCEKEY="https://crawl.tildeverse.org/dcss.key"
|
||||
MYKEY="${HOME}/.ssh/dcss.key"
|
||||
if [ ! -f "$MYKEY" ]; then
|
||||
mkdir -p "${HOME}/.ssh"
|
||||
curl -s "$SOURCEKEY" > "$MYKEY"
|
||||
chmod 600 "$MYKEY"
|
||||
fi
|
||||
ssh -i "$MYKEY" dcss@crawl.tildeverse.org
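Review bot: `curl -s "$SOURCEKEY" > "$MYKEY"` has no `-f`, so an HTTP error body is saved as the key and, since `set -e` only sees curl's exit status, the script proceeds to `chmod 600` and `ssh` with it; use `curl -sSf "$SOURCEKEY" -o "$MYKEY"`. The file is created under the default umask and only tightened afterwards, so it is briefly readable by others; put `umask 077` before the download or write to a `mktemp` file and `mv` it into place. Because the guard is `[ ! -f "$MYKEY" ]`, a truncated or failed download is never retried on the next run — a further reason to write atomically.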
|
|
@ -0,0 +1,15 @@
|
|||
#!/usr/bin/env bash
|
||||
|
||||
[[ "$EUID" -ne 0 ]] && printf 'Please run as root!\n' && exit 1
|
||||
|
||||
log_file='/var/log/envs_conntrack.log'
|
||||
|
||||
c_local="$(tail -1 /var/log/conntrack.log | awk '{print $17}')"
|
||||
|
||||
lxc_c=( $(for i in $(lxc-ls --active -1); do tail -1 /var/lib/lxc/"$i"/rootfs/var/log/conntrack.log | awk '{print $15}' ; done) )
|
||||
lxc_sum="$(echo $(printf %d+ ${lxc_c[@]})0 | bc)"
|
||||
|
||||
c_sum="$((c_local + lxc_sum))"
|
||||
echo "conntrack: $c_sum" >> "$log_file"
|
||||
|
||||
exit 0
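Review bot: `c_local` and the per-container values are taken by field position (`awk '{print $17}'` on the host log, `$15` inside containers) without saying why the positions differ, so any change to the writer's line format silently skews the sum; a comment such as `# $17 (host) / $15 (container) = numeric nf_conntrack_count in the 'conntrack: …' line; field offsets differ by the extra *_max fields — confirm against conntrack.sh` would make the coupling explicit. `lxc_c=( $(…) )` plus the `printf %d+ … | bc` pipeline can be replaced by bash arithmetic, `lxc_sum=0; for n in "${lxc_c[@]}"; do lxc_sum=$((lxc_sum + n)); done`. As written, a non-numeric field in any container log makes `bc` fail and `lxc_sum` empty, and `$((c_local + lxc_sum))` then aborts the script with an arithmetic syntax error before anything is logged.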
|
|
@ -0,0 +1,58 @@
|
|||
#!/usr/bin/env bash
|
||||
#
|
||||
# envs.net - generate index.gmi
|
||||
# - this script is called by /etc/cron.d/envs_gemini
|
||||
#
|
||||
|
||||
[[ "$EUID" -ne 0 ]] && printf 'Please run as root!\n' && exit 1
|
||||
|
||||
###
|
||||
|
||||
userlist() {
|
||||
mapfile -t users < <(jq -Mr '.data.users|keys[]' /var/www/envs.net/users_info.json)
|
||||
for USERNAME in "${users[@]}"; do
|
||||
if [ -f /home/"$USERNAME"/public_gemini/index.gmi ]; then
|
||||
[[ ! -L /var/gemini/\~"$USERNAME" ]] && ln -s /home/"$USERNAME"/public_gemini /var/gemini/\~"$USERNAME"
|
||||
printf '=> gemini://envs.net/~%s/ ~%s\n' "$USERNAME" "$USERNAME"
|
||||
else
|
||||
[[ -L /var/gemini/\~"$USERNAME" ]] && unlink /var/gemini/\~"$USERNAME"
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
#
|
||||
# INDEX.GMI
|
||||
#
|
||||
cat << EOM >> /tmp/index.gmi_tmp
|
||||
welcome on envs.net - gemini
|
||||
$(figlet -f smslant envs.net)
|
||||
environments
|
||||
|
||||
|
||||
envs.net is a minimalist, non-commercial
|
||||
shared unix system and will always be free to use.
|
||||
|
||||
we are linux lovers, sysadmins, programmer and users who like build
|
||||
webpages, write blogs, chat online, play cool console games and so much
|
||||
more. you wish to join with an small user space?
|
||||
|
||||
join the team today!
|
||||
=> https://envs.net/signup/ signup for a envs.net account (html)
|
||||
|
||||
visit us in gopher and html lands for more info.
|
||||
=> https://envs.net website (html)
|
||||
=> gopher://envs.net gophermap (gopher)
|
||||
|
||||
|
||||
here is a list of our esteemed users:
|
||||
if you are not appearing on this list, create your index.gmi in ~/public_gemini
|
||||
|
||||
$(userlist)
|
||||
|
||||
EOM
|
||||
|
||||
|
||||
mv /tmp/index.gmi_tmp /var/gemini/index.gmi
|
||||
|
||||
#
|
||||
exit 0
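Review bot: `cat << EOM >> /tmp/index.gmi_tmp` appends to a fixed, predictable path in world-writable `/tmp` while running as root: a leftover file from an interrupted run is republished with its stale content in front, and a pre-existing entry at that name decides where the write lands. Use `tmp="$(mktemp)"`, write with `>` instead of `>>`, and `mv "$tmp" /var/gemini/index.gmi` at the end; note that `mktemp` creates the file 0600 and `mv` keeps that mode, so add a `chmod 644 "$tmp"` (or whatever the gemini server's user needs) before the move, since the current `>>` gets the umask default. `userlist` also creates and removes `/var/gemini/~$USERNAME` symlinks as a side effect of generating the list; a one-line comment on the function would help: `# side effect: keeps /var/gemini/~<user> symlinks in sync with users' public_gemini dirs`.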
|
|
@ -0,0 +1,45 @@
|
|||
#!/usr/bin/env bash
|
||||
|
||||
CMD="$1"
|
||||
DB="$2"
|
||||
BACKUP_DIR="/home/$USER/backup"
|
||||
|
||||
print_usage() {
|
||||
printf 'envs.net | mysql backup & restore\n\n'
|
||||
printf 'Usage: %s\n\t backup\t\t\t - backup your default user database (%s)\n' "$(basename "$0")" "$USER"
|
||||
printf '\t backup <db_name>\t - backup database\n'
|
||||
printf '\t restore\t\t - restore your latest user database\n'
|
||||
printf '\t restore <db_name>\t - restore database\n'
|
||||
}
|
||||
|
||||
backup() {
|
||||
[[ -z "$DB" ]] && DB="$USER"
|
||||
test ! -d "$BACKUP_DIR" && mkdir -p "$BACKUP_DIR" && chmod 700 "$BACKUP_DIR"
|
||||
|
||||
mysqldump -u "$USER" "$DB" -p | gzip -c > "$BACKUP_DIR"/db_"$(date +%F.%H%M%S)".sql.gz
|
||||
find "$BACKUP_DIR"/db_*.gz -maxdepth 1 -type f -mtime +7 -delete
|
||||
}
|
||||
|
||||
restore() {
|
||||
if [[ -z "$DB" ]]; then
|
||||
latest=''; for f in "$BACKUP_DIR"/db_*.gz; do [[ "$f" -nt "$latest" ]] && latest="$f"; done
|
||||
[[ -z "$latest" ]] && printf 'no restore file found in %s!\n' "$BACKUP_DIR" && exit 0
|
||||
DB="$latest"
|
||||
gunzip < "$DB" | mysql -u "$USER" "$USER" -p
|
||||
else
|
||||
gunzip < "$BACKUP_DIR"/"$DB" | mysql -u "$USER" "$DB" -p
|
||||
fi
|
||||
}
|
||||
|
||||
[[ $# -lt 1 ]] && print_usage && exit 1
|
||||
|
||||
case "$CMD" in
|
||||
backup*) backup;;
|
||||
|
||||
restore*) restore;;
|
||||
|
||||
*) print_usage;;
|
||||
esac
|
||||
|
||||
#
|
||||
exit 0
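Review bot: In `backup`, `mysqldump -u "$USER" "$DB" -p | gzip -c > "$BACKUP_DIR"/db_….sql.gz` runs without `set -o pipefail`, so a failed dump (wrong password, unknown database) still leaves a fresh near-empty `.gz`, and the following `find … -mtime +7 -delete` keeps pruning the good ones; add `set -o pipefail` at the top and chain the prune on success, `… > "$out" && find …`. In `restore`, the `else` branch uses `$DB` both as the file name (`"$BACKUP_DIR"/"$DB"`) and as the target database, while `print_usage` and `backup` call it `<db_name>`; decide which it is and document it in the usage text. `[[ -z "$latest" ]] && printf 'no restore file found …' && exit 0` reports success for a restore that did nothing; `exit 1` is what a caller or cron job needs.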
|
|
@ -0,0 +1,17 @@
|
|||
#!/usr/bin/env bash
|
||||
|
||||
[[ "$EUID" -ne 0 ]] && printf 'Please run as root!\n' && exit 1
|
||||
|
||||
test ! -f /var/www/envs.net/stats/ && mkdir -p /var/www/envs.net/stats/
|
||||
|
||||
{
|
||||
zcat /var/log/nginx/other_vhosts_access.*.gz
|
||||
cat /var/log/nginx/other_vhosts_access.log.1
|
||||
cat /var/log/nginx/other_vhosts_access.log
|
||||
} | awk '$8=$1$8' | goaccess -a \
|
||||
-o /var/www/envs.net/stats/index.html \
|
||||
--ignore-panel=HOSTS \
|
||||
--ignore-panel=KEYPHRASES \
|
||||
--log-format=VCOMBINED -
|
||||
|
||||
exit 0
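Review bot: `test ! -f /var/www/envs.net/stats/ && mkdir -p …` tests a directory with `-f`, which is always false for a directory, so the guard never short-circuits and `mkdir -p` runs every time; use `test ! -d` (or just `mkdir -p`, which is idempotent on its own). With no rotated archives present, `zcat /var/log/nginx/other_vhosts_access.*.gz` receives the literal pattern and prints an error into the pipeline's stderr — harmless for goaccess but noisy in cron mail; `shopt -s nullglob` or `2>/dev/null` on that line quiets it. The `awk '$8=$1$8'` rewrite appears to prefix the request field with the vhost column and deserves a comment, since it is what makes `--log-format=VCOMBINED` report per-vhost paths: `# prepend vhost ($1) to the request path ($8) so paths stay distinct per vhost — confirm field numbers against the log format`.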
|
|
@ -0,0 +1,330 @@
|
|||
#!/usr/bin/env bash
|
||||
#
|
||||
# envs.net - generate sysinfo.json and sysinfo.php
|
||||
# - this script is called by /etc/cron.d/envs_sysinfo
|
||||
#
|
||||
WWW_PATH='/var/www/envs.net'
|
||||
DOMAIN='envs.net'
|
||||
|
||||
[[ "$EUID" -ne 0 ]] && printf 'Please run as root!\n' && exit 1
|
||||
|
||||
###
|
||||
|
||||
# define packages by category for sysinfo.php Page
|
||||
services=(0x0 bbj cryptpad getwtxt gitea gophernicus jetforce mariadb-server nginx openssh-server privatebin searx termbin tt-rss thelounge znc)
|
||||
readarray -t sorted_services < <(printf '%s\n' "${services[@]}" | sort)
|
||||
|
||||
|
||||
shells=(bash csh dash elvish fish ksh mksh sash tcsh xonsh yash zsh)
|
||||
readarray -t sorted_shells < <(printf '%s\n' "${shells[@]}" | sort)
|
||||
|
||||
|
||||
editors=(emacs micro nano neovim vim)
|
||||
readarray -t sorted_editors < <(printf '%s\n' "${editors[@]}" | sort)
|
||||
|
||||
|
||||
inet_clients=(alpine av98 bombadillo curl irssi lynx neomutt mutt mosh openssh-client pb toot weechat wget vf1)
|
||||
readarray -t sorted_inet_clients < <(printf '%s\n' "${inet_clients[@]}" | sort)
|
||||
|
||||
|
||||
coding_pkg=(cargo clang clisp clojure crystal default-jdk default-jre elixir erlang flex
|
||||
g++ gcc gcl gdc gforth ghc go golang guile-2.2 inform lua5.1 lua5.2 lua5.3 mono-complete
|
||||
nasm nodejs octave perl php picolisp ponyc python python2.7 python3 racket ruby rustc scala tcl yasm)
|
||||
readarray -t sorted_coding_pkg < <(printf '%s\n' "${coding_pkg[@]}" | sort)
|
||||
|
||||
|
||||
coding_tools=(ack bison build-essential clisp cl-launch cvs devscripts ecl gawk git gron initscripts jq latex-mk latexmk
|
||||
make mawk mercurial rake ripgrep sbcl shellcheck subversion texlive-full virtualenv yarn)
|
||||
readarray -t sorted_coding_tools < <(printf '%s\n' "${coding_tools[@]}" | sort)
|
||||
|
||||
|
||||
misc=(aria2 bc busybox burrow byobu clinte gfu goaccess hugo jekyll mariadb-client mathomatic mathtex mkdocs
|
||||
pandoc pelican screen sqlite3 tmux todotxt-cli twtxt zola)
|
||||
readarray -t sorted_misc < <(printf '%s\n' "${misc[@]}" | sort)
|
||||
|
||||
###
|
||||
|
||||
custom_pkg_desc() {
|
||||
local pkg="$1"
|
||||
case "$pkg" in
|
||||
# packages
|
||||
av98) pkg_desc='AV-98 - Command line gemini client. High speed, low drag.';;
|
||||
bombadillo) pkg_desc='Bombadillo is a modern Gopher & Gemini client for the terminal';;
|
||||
burrow) pkg_desc='a helper for building and managing a gopher hole';;
|
||||
clinte) pkg_desc='a community notices system';;
|
||||
crystal) pkg_desc='Compiler for the Crystal language';;
|
||||
gfu) pkg_desc='A utility for formatting gophermaps';;
|
||||
go) pkg_desc='tool for managing Go source code';;
|
||||
goaccess) pkg_desc='fast web log analyzer and interactive viewer';;
|
||||
micro) pkg_desc='a new modern terminal-based text editor';;
|
||||
pb) pkg_desc='a helper utility for using 0x0 pastebin services';;
|
||||
twtxt) pkg_desc='Decentralised, minimalist microblogging service for hackers';;
|
||||
vf1) pkg_desc='VF-1 - Command line gopher client. High speed, low drag.';;
|
||||
zola) pkg_desc='single-binary static site generator written in rust';;
|
||||
esac
|
||||
}
|
||||
|
||||
|
||||
#
|
||||
# SYSINFO.JSON
|
||||
#
|
||||
JSON_FILE="$WWW_PATH/sysinfo.json"
|
||||
TMP_JSON='/tmp/sysinfo.json_tmp'
|
||||
|
||||
print_pkg_version() {
|
||||
local pkg_version
|
||||
for pkg in $(dpkg-query -f '${binary:Package}\n' -W); do
|
||||
pkg_version="$(dpkg-query -f '${Version}\n' -W "$pkg")"
|
||||
|
||||
printf '\t\t\t"%s": "%s",\n' "$pkg" "$pkg_version"
|
||||
done
|
||||
}
|
||||
|
||||
|
||||
cat<<EOM > "$TMP_JSON"
|
||||
{
|
||||
"timestamp": "$(date +'%s')",
|
||||
"data": {
|
||||
"info": {
|
||||
"name": "envs",
|
||||
"description": "envs.net is a minimalist, non-commercial shared unix system and will always be free to use.",
|
||||
"located": "germany",
|
||||
"maintainer": "Sven Kinne (~creme) - creme@envs.net",
|
||||
"website": "https://$DOMAIN",
|
||||
"signup_url": "https://$DOMAIN/signup/",
|
||||
"gopher": "gopher://envs.net/",
|
||||
"email": "hostmaster@$DOMAIN",
|
||||
"admin_email": "sudoers@$DOMAIN",
|
||||
"user_count": $(find /home -mindepth 1 -maxdepth 1 | wc -l)
|
||||
},
|
||||
"system": {
|
||||
"os": "$(lsb_release -sd)",
|
||||
"uptime": "$(cat /proc/uptime)",
|
||||
"uname": "$(uname -a)",
|
||||
"board": "$(hostnamectl status | awk '/Chassis/ {print $2}')",
|
||||
"cpuinfo": "$(awk '/system type|model name/{gsub(/^.*:[ ]*/,"");print $0;exit}' /proc/cpuinfo)",
|
||||
"cpucount": "$(grep -c ^processor /proc/cpuinfo)"
|
||||
},
|
||||
"services": {
|
||||
"0x0": {
|
||||
"desc": "the null pointer - file hosting and url shortener",
|
||||
"version": "-",
|
||||
"url": "https://envs.sh/"
|
||||
},
|
||||
"bbj": {
|
||||
"desc": "Bulletin Butter & Jelly: An HTTP bulletin board server for small communities",
|
||||
"version": "-",
|
||||
"url": "https://bbj.envs.net/"
|
||||
},
|
||||
"cryptpad": {
|
||||
"desc": "collaborative real time editing",
|
||||
"version": "$(curl -s https://pad."$DOMAIN"/api/config | awk '/ver=/ {print $2}' | sed -e 's/"ver=//' -e '$ s/"$//')",
|
||||
"url": "https://pad.envs.net/"
|
||||
},
|
||||
"getwtxt": {
|
||||
"desc": "a twtxt registry service",
|
||||
"version": "$(curl -s https://twtxt."$DOMAIN"/api/plain/version | sed 's/getwtxt v//')",
|
||||
"url": "https://twtxt.envs.net/"
|
||||
},
|
||||
"gitea": {
|
||||
"desc": "a painless self-hosted git service written in go",
|
||||
"version": "$(lxc-attach -n gitea -- bash -c "gitea --version | awk '{print \$3}'")",
|
||||
"url": "https://git.envs.net/"
|
||||
},
|
||||
"gophernicus": {
|
||||
"desc": "a modern full-featured (and hopefully) secure gopher daemon",
|
||||
"version": "$(/usr/sbin/gophernicus -v | sed 's/Gophernicus\///' | awk '{print $1}')",
|
||||
"url": "gopher://envs.net/"
|
||||
},
|
||||
"jetforce": {
|
||||
"desc": "an tcp server for the gemini protocol",
|
||||
"version": "$(/usr/local/bin/jetforce -V | awk '{printf $2}')",
|
||||
"url": "gemini://envs.net/"
|
||||
},
|
||||
"privatebin": {
|
||||
"desc": "a pastebin service",
|
||||
"version": "$(lxc-attach -n pb -- bash -c "awk '/Current version:/ {print \$3}' /var/www/PrivateBin/README.md | sed '$ s/*$//'")",
|
||||
"url": "https://pb.envs.net/"
|
||||
},
|
||||
"searx": {
|
||||
"desc": "privacy-respecting metasearch engine",
|
||||
"version": "$(curl -s https://searx."$DOMAIN"/config | jq -Mr .version)",
|
||||
"url": "https://searx.envs.net/"
|
||||
},
|
||||
"termbin": {
|
||||
"desc": "a command line pastebin",
|
||||
"version": "-",
|
||||
"url": "https://tb.envs.net/"
|
||||
},
|
||||
"thelounge": {
|
||||
"desc": "a self-hosted web irc client",
|
||||
"version": "$(sudo -u thelounge /srv/thelounge/.yarn/bin/thelounge -v | sed 's/v//')",
|
||||
"url": "https://webirc.envs.net/"
|
||||
},
|
||||
"tt-rss": {
|
||||
"desc": "tiny tiny rss - web-based news feed (rss/atom) aggregator",
|
||||
"version": "$(lxc-attach -n rss -- bash -c "dpkg -s tt-rss | awk '/Version:/ {print \$2}' | head -n1")",
|
||||
"url": "https://rss.envs.net/"
|
||||
},
|
||||
"znc": {
|
||||
"desc": "advanced modular irc bouncer",
|
||||
"version": "$(dpkg -s znc | awk '/Version:/ {print $2}' | head -n1)",
|
||||
"url": "https://znc.envs.net/"
|
||||
}
|
||||
},
|
||||
"packages": {
|
||||
"av98": "$(/usr/local/bin/av98 --version | awk '{print $2}')",
|
||||
"bombadillo": "$(/usr/local/bin/bombadillo -v | sed 's/Bombadillo v//')",
|
||||
"burrow": "$(/usr/local/bin/burrow -v | sed 's/v//')",
|
||||
"clinte": "$(/usr/local/bin/clinte -V | awk '{print $2}')",
|
||||
"gfu": "$(/usr/local/bin/gfu -v | sed '/version/s/.*version \([^ ][^ ]*\)[ ]*.*/\1/')",
|
||||
"go": "$(sed 's/go//' /usr/local/go/VERSION)",
|
||||
"goaccess": "$(/usr/bin/goaccess -V | head -1 | sed -e 's/GoAccess - //' -e '$ s/.$//')",
|
||||
"micro": "$(/usr/local/bin/micro -version | head -n1 | awk '{print $2}')",
|
||||
"pb": "$(/usr/local/bin/pb -v)",
|
||||
"twtxt": "$(/usr/local/bin/twtxt --version | awk '{printf $3}')",
|
||||
"vf1": "$(/usr/local/bin/vf1 --version | awk '{print $2}')",
|
||||
"zola": "$(/usr/local/bin/zola -V | awk '{print $2}')",
|
||||
$(print_pkg_version)
|
||||
EOM
|
||||
# remove trailing ',' on last line
|
||||
sed -i '$ s/,$//' "$TMP_JSON"
|
||||
|
||||
cat<<EOM >> "$TMP_JSON"
|
||||
}
|
||||
}
|
||||
}
|
||||
EOM
|
||||
|
||||
mv "$TMP_JSON" "$JSON_FILE"
|
||||
chown root:www-data "$JSON_FILE"
|
||||
|
||||
|
||||
#
|
||||
# SYSINFO.PHP
|
||||
#
|
||||
print_pkg_info() {
|
||||
local pkg="$1"
|
||||
|
||||
local pkg_version
|
||||
pkg_version="$(jq -Mr '.data.packages."'"$pkg"'"|select (.!=null)' "$JSON_FILE")"
|
||||
[[ "$pkg_version" = '' ]] && pkg_version='n.a.'
|
||||
|
||||
local pkg_desc
|
||||
custom_pkg_desc "$pkg"
|
||||
[[ "$pkg_desc" = '' ]] && pkg_desc="$(apt-cache show "$pkg" | awk '/Description-en/ {print substr($0, index($0,$3))}' | head -1)"
|
||||
[[ "$pkg_desc" = '' ]] && pkg_desc="$(apt-cache search ^"$pkg"$ | awk '{print substr($0, index($0,$3))}')"
|
||||
[[ "$pkg_desc" = '' ]] && pkg_desc='n.a.'
|
||||
# remove description-en string
|
||||
pkg_desc="${pkg_desc//Description-en: /}"
|
||||
# replace double qoutes with single qoute
|
||||
pkg_desc="${pkg_desc//\"/\'}"
|
||||
# string to lowercase
|
||||
pkg_desc="${pkg_desc,,}"
|
||||
|
||||
printf '\t<tr> <td>%s</td> <td>%s</td> <td>%s</td> </tr>\n' "$pkg" "$pkg_version" "$pkg_desc"
|
||||
}
|
||||
|
||||
print_pkg_info_services() {
|
||||
local pkg="$1"
|
||||
|
||||
local pkg_desc
|
||||
pkg_desc="$(jq -Mr '.data.services."'"$pkg"'".desc|select (.!=null)' "$JSON_FILE")"
|
||||
|
||||
local pkg_version
|
||||
pkg_version="$(jq -Mr '.data.services."'"$pkg"'".version|select (.!=null)' "$JSON_FILE")"
|
||||
|
||||
local s_url
|
||||
s_url="$(jq -Mr '.data.services."'"$pkg"'".url|select (.!=null)' "$JSON_FILE")"
|
||||
|
||||
printf '\t<tr> <td><a href="%s" target="_blank">%s</a></td> <td>%s</td> <td>%s</td> </tr>\n' "$s_url" "$pkg" "$pkg_version" "$pkg_desc"
|
||||
}
|
||||
|
||||
print_category() {
|
||||
local category="$1"
|
||||
shift
|
||||
local arr=("$@")
|
||||
|
||||
if [ "$category" = 'services' ]; then
|
||||
printf '<details open=""><summary class="menu" id="%s"><strong># %s</strong></summary>\n' "$category" "${category//_/ }"
|
||||
else
|
||||
printf '<details><summary class="menu" id="%s"><strong># %s</strong></summary>\n' "$category" "${category//_/ }"
|
||||
fi
|
||||
|
||||
printf '<table id="table_pkg">\n'
|
||||
printf '<tr> <th width="140px">Package</th> <th width="280px">Version</th> <th>Description</th></tr>\n'
|
||||
|
||||
if [ "$category" = 'services' ]; then
|
||||
for pkg in "${arr[@]}"; do
|
||||
# check service is in json
|
||||
s_in_j="$(jq -Mr '.data.services."'"$pkg"'"|select (.!=null)' "$JSON_FILE")"
|
||||
|
||||
if [ -n "$s_in_j" ]; then
|
||||
print_pkg_info_services "$pkg"
|
||||
else
|
||||
print_pkg_info "$pkg"
|
||||
fi
|
||||
done
|
||||
else
|
||||
for pkg in "${arr[@]}"; do print_pkg_info "$pkg"; done
|
||||
fi
|
||||
|
||||
printf '</table></details>\n'
|
||||
}
|
||||
|
||||
|
||||
cat<<EOM > /tmp/sysinfo.php_tmp
|
||||
<?php
|
||||
// do not touch
|
||||
// this files is generated by /usr/local/bin/envs_sysinfo.sh
|
||||
\$title = "$DOMAIN | sysinfo";
|
||||
\$desc = "$DOMAIN | sysinfo";
|
||||
|
||||
include 'header.php';
|
||||
?>
|
||||
|
||||
<body id="body" class="dark-mode">
|
||||
<div>
|
||||
|
||||
<div class="button_back">
|
||||
<pre class="clean"><strong><a href="/">< back</a></strong></pre>
|
||||
</div>
|
||||
|
||||
<div id="main">
|
||||
<div class="block">
|
||||
<pre>
|
||||
<h1><em>sysinfo</em></h1>
|
||||
|
||||
<em>full data source: <a href="/sysinfo.json">https://$DOMAIN/sysinfo.json</a></em>
|
||||
<em>webserver stats: <a href="/stats/">https://$DOMAIN/stats/</a></em>
|
||||
|
||||
<em>server admin: <a href="/~creme/">~creme</a></em>
|
||||
</pre>
|
||||
</div>
|
||||
|
||||
<pre>
|
||||
this is a static list of the package informations. it updates once per day.
|
||||
|
||||
<strong># can i get [package] installed?</strong>
|
||||
probably! send an email with your suggestion to <a href="mailto:sudoers@$DOMAIN">sudoers@$DOMAIN</a>.
|
||||
|
||||
$(print_category 'services' "${sorted_services[@]}")
|
||||
$(print_category 'shells' "${sorted_shells[@]}")
|
||||
$(print_category 'editors' "${sorted_editors[@]}")
|
||||
$(print_category 'online_browser_and_clients' "${sorted_inet_clients[@]}")
|
||||
$(print_category 'coding_packages' "${sorted_coding_pkg[@]}")
|
||||
$(print_category 'coding_tools' "${sorted_coding_tools[@]}")
|
||||
$(print_category 'misc' "${sorted_misc[@]}")
|
||||
</pre>
|
||||
</div>
|
||||
|
||||
<?php include 'footer.php'; ?>
|
||||
|
||||
EOM
|
||||
|
||||
mv /tmp/sysinfo.php_tmp "$WWW_PATH"/sysinfo.php
|
||||
chown root:www-data "$WWW_PATH"/sysinfo.php
|
||||
|
||||
|
||||
#
|
||||
exit 0
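Review bot: Every value interpolated into the heredoc at `cat<<EOM > "$TMP_JSON"` — `lsb_release -sd`, `uname -a`, the `curl`/`lxc-attach` version strings, and the `dpkg-query` output — is placed between quotes with no JSON escaping, so a `"` or `\` in any of them produces an unparsable `sysinfo.json` that the later `jq` calls in `print_pkg_info` and `print_pkg_info_services` then fail on; pass each through `jq -Rs .` (or build the document with `jq -n --arg`). `print_pkg_version` runs `dpkg-query` once per installed package; a single call does the same, `dpkg-query -W -f '\t\t\t"${binary:Package}": "${Version}",\n'`. The `curl -s` calls carry no `--max-time` or `-f`, so an unreachable service stalls this cron job or stores an error body as a version. The fixed `/tmp/sysinfo.json_tmp` and `/tmp/sysinfo.php_tmp` paths written as root should come from `mktemp`, and `pkg_desc` taken from `apt-cache` is inserted into the HTML table in `print_pkg_info` without escaping `<` and `&`.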
|
|
@ -0,0 +1,11 @@
|
|||
#!/usr/bin/env sh
|
||||
|
||||
printf 'toot as envs.net\n\n'
|
||||
|
||||
if [ -n "$1" ] && [ -z "$2" ]; then
|
||||
sudo -u services /usr/bin/toot post "$1"
|
||||
else
|
||||
printf 'usage: envs_toot "your message"\n'
|
||||
fi
|
||||
|
||||
exit 0
|
|
@ -0,0 +1,175 @@
|
|||
#!/usr/bin/env bash
|
||||
|
||||
domain='envs.net'
|
||||
short_dom="$(echo $domain | awk -F. '{printf $1}')"
|
||||
|
||||
|
||||
cmd="$1"
|
||||
user="$2"
|
||||
mailTo="$3"
|
||||
ssh_pubkey="$4"
|
||||
|
||||
newpw=$(pwgen -s 12 1)
|
||||
pwcrypt=$(perl -e "print crypt('${newpw}', 'sa');")
|
||||
|
||||
# mail header
|
||||
head_mime='MIME-Version: 1.0'
|
||||
head_type='Content-type: text/plain; charset=utf-8'
|
||||
head_def="$head_mime\r\n$head_type"
|
||||
|
||||
###
|
||||
|
||||
add_user_db() {
|
||||
mysql -u root << EOF
|
||||
CREATE DATABASE $user;
|
||||
GRANT ALL PRIVILEGES ON $USER.* TO '$user'@'localhost' IDENTIFIED BY '$newpw';
|
||||
FLUSH PRIVILEGES;
|
||||
EOF
|
||||
}
|
||||
|
||||
del_user_db() {
|
||||
mysqldump -u root "$user" > /tmp/"$user".sql
|
||||
mv /tmp/"$user".sql /root/mysql_dumps/"$user".sql
|
||||
|
||||
mysql -u root << EOF
|
||||
DROP DATABASE $user;
|
||||
FLUSH PRIVILEGES;
|
||||
EOF
|
||||
}
|
||||
|
||||
|
||||
add_user() {
|
||||
useradd -m -g 9999 -s /bin/bash -p "$pwcrypt" "$user"
|
||||
|
||||
# set user quota
|
||||
echo "$user hard nproc 200" | tee /etc/security/limits.d/"$user" >/dev/null 2>&1
|
||||
setquota -u "$user" 1024M 1536M 0 0 /
|
||||
|
||||
# set mail aliases
|
||||
echo "$user: $user@$domain" | tee -a /etc/aliases >/dev/null 2>&1
|
||||
echo "$user: $user@$domain" | tee -a /etc/email-addresses >/dev/null 2>&1
|
||||
|
||||
# systemd service
|
||||
chown -R "$user":"$short_dom" /home/"$user"/.config/systemd/user/
|
||||
|
||||
# set users ssh pub key
|
||||
if [ -n "$ssh_pubkey" ]; then
|
||||
echo "$ssh_pubkey" | tee /home/"$user"/.ssh/authorized_keys
|
||||
else
|
||||
nano /home/"$user"/.ssh/authorized_keys
|
||||
fi
|
||||
chmod 700 /home/"$user"/.ssh/
|
||||
chmod 644 /home/"$user"/.ssh/authorized_keys
|
||||
chown -R "$user":"$short_dom" /home/"$user"/.ssh
|
||||
|
||||
# setup database
|
||||
add_user_db
|
||||
|
||||
# setup email mailbox
|
||||
lxc-attach -n mail -- bash -c "/usr/local/bin/coreapi action accounts create \
|
||||
-p username=$user@$domain -p role=SimpleUsers -p language=en \
|
||||
-p password=$newpw -p secondary_email=$mailTo >/dev/null 2>&1 "
|
||||
|
||||
sleep 3
|
||||
|
||||
# send readme mail
|
||||
readme_sub="Subject: Welcome ~$user | please readme!"
|
||||
readme_mail="$head_def\r\nTo: $user@$domain\r\nFrom: sudoers@$domain\r\n$readme_sub"
|
||||
|
||||
echo -e "$readme_mail\r\n$(cat /usr/local/bin/welcome-readme.tmpl)" | sendmail "$user"@"$domain"
|
||||
|
||||
# send welcome mail
|
||||
wel_sub="Subject: Welcome to $domain | ~$user"
|
||||
wel_mail="$head_def\r\nTo: $mailTo\r\nCC: $user@$domain\r\nFrom: hosting@$domain\r\n$wel_sub"
|
||||
|
||||
sleep 1 && echo -e "$wel_mail\r\n$(sed -e s/_username_/"$user"/g -e s/_password_/"$newpw"/ /usr/local/bin/welcome-email.tmpl)" \
|
||||
| sendmail "$user"@"$domain" "$mailTo"
|
||||
|
||||
# subscribing to mailing list
|
||||
sleep 1 && echo -e "$head_def\r\nTo: team-join@$domain\r\nFrom: $user@$domain\r\nSubject: subscribe\r\n" \
|
||||
| sudo -u "$user" sendmail team-join@"$domain"
|
||||
|
||||
# setup mutt
|
||||
echo -e "$(sed -e s/_username_/"$user"/g -e s/_password_/"$newpw"/ /home/"$user"/.muttrc)" > /home/"$user"/.muttrc
|
||||
chmod go-r /home/"$user"/.muttrc
|
||||
printf '\n~%s\n' "$user" > /home/"$user"/.mutt/signature
|
||||
|
||||
# setup znc account
|
||||
sudo -u znc pkill -SIGUSR1 znc && pkill znc
|
||||
sudo -u znc /srv/znc/add_znc_user.sh "$user"
|
||||
systemctl start znc
|
||||
|
||||
# setup weechat
|
||||
sed -i s/_username_/"$user"/g /home/"$user"/.weechat/irc.conf
|
||||
|
||||
# cleanup /etc/skel/ git stuff from user home
|
||||
rm -rf /home/"$user"/.git /home/"$user"/README.md
|
||||
|
||||
# envs user update (userlist, recently updates and users_info.json)
|
||||
/usr/local/bin/envs_user_updated.sh
|
||||
|
||||
# announcing new user on mastodon
|
||||
sudo -u services toot post "welcome new user ~$user"
|
||||
}
|
||||
|
||||
|
||||
del_user() {
|
||||
# unsubscribe mailing list
|
||||
# ??
|
||||
echo -e "$head_def\r\nTo: team-leave@$domain\r\nFrom: $user@$domain\r\nSubject: leave\r\n" | sudo -u "$user" sendmail team-leave@"$domain"
|
||||
# remove user
|
||||
deluser --remove-home "$user"
|
||||
# unset user quota
|
||||
rm /etc/security/limits.d/"$user"
|
||||
# unset mail aliases
|
||||
sed -i /"$user"/d /etc/aliases
|
||||
sed -i /"$user"/d /etc/email-addresses
|
||||
# remove email mailbox
|
||||
# get userid from lxc-attach
|
||||
mail_userid=$(lxc-attach -n mail -- bash -c "/usr/local/bin/coreapi action accounts list -p search=$user@$domain | jq '.[] | .pk'")
|
||||
lxc-attach -n mail -- bash -c "/usr/local/bin/coreapi action accounts delete -p id=$mail_userid"
|
||||
# remove database
|
||||
del_user_db
|
||||
# unlink gemini
|
||||
[[ -L /var/gemini/\~"$user" ]] && unlink /var/gemini/\~"$user"
|
||||
# remove znc account
|
||||
printf '\n!!! ADMIN: please remove %s also from lists.%s and znc.%s !!!\n\n' "$user" "$domain" "$domain"
|
||||
}
|
||||
|
||||
|
||||
[[ "$EUID" -ne 0 ]] && printf 'Please run as root!\n' && exit 1
|
||||
|
||||
case "$cmd" in
|
||||
add) [[ $# -lt 3 ]] && printf 'not enough args\n' && exit 1
|
||||
if ! id -u "$user" >/dev/null 2>&1; then
|
||||
printf '\nAdd User %s to %s\n' "$user" "$domain"
|
||||
printf 'mail to: %s\n\n' "$mailTo"
|
||||
add_user
|
||||
else
|
||||
printf 'User already exists!\n'
|
||||
fi
|
||||
;;
|
||||
|
||||
del) [[ $# -lt 2 ]] && printf 'not enough args\n' && exit 1
|
||||
if id -u "$user" >/dev/null 2>&1; then
|
||||
printf '\nDelete User %s from %s?\n' "$user" "$domain"
|
||||
select yn in "Yes" "No"; do
|
||||
case $yn in
|
||||
Yes ) del_user ; break ;;
|
||||
No ) break ;;
|
||||
esac ; done
|
||||
else
|
||||
printf 'User not exists!\n'
|
||||
fi
|
||||
;;
|
||||
|
||||
*) printf '%s | User Account Setup\n\n' "$domain"
|
||||
printf 'Usage: %s\n Add a User:\n' "$(basename "$0")"
|
||||
printf '\t%s add "username" "email" "ssh-pubkey"\n' "$(basename "$0")"
|
||||
printf ' Delete a User:\n'
|
||||
printf '\t%s del "username"\n' "$(basename "$0")"
|
||||
;;
|
||||
esac
|
||||
|
||||
#
|
||||
exit 0
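Review bot: In `add_user_db` the grant reads `GRANT ALL PRIVILEGES ON $USER.* TO '$user'@'localhost'` — `$USER` is the invoking admin's login (root, given the EUID check), not the new account held in `$user`, so the new user receives privileges on the wrong database and none on the one `CREATE DATABASE $user` just made; change it to `ON $user.*`. The password hash comes from `perl -e "print crypt('${newpw}', 'sa');"`, traditional DES crypt with a fixed two-character salt, which uses only the first eight characters of the 12-character `pwgen` output and hashes equal passwords identically; use `openssl passwd -6 "$newpw"` or pass the clear password to `chpasswd`. `sed -i /"$user"/d /etc/aliases` and its `/etc/email-addresses` twin delete every line that contains the username as a substring, which for short names removes other users' aliases; anchor to the format written in `add_user`, `sed -i "/^$user: /d" /etc/aliases`. `add_user` also passes `$newpw` on the `lxc-attach … coreapi` command line, where it is visible in the container's process list for the duration of the call — noted as a risk rather than a fix, since `coreapi`'s alternative input options are not visible here.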
|
|
@ -0,0 +1,233 @@
|
|||
#!/usr/bin/env bash
|
||||
#
|
||||
# envs.net - generate user_updates.php and users_info.json
|
||||
# - this script is called by /etc/cron.d/envs_sysinfo
|
||||
#
|
||||
WWW_PATH='/var/www/envs.net'
|
||||
DOMAIN="envs.net"
|
||||
|
||||
|
||||
[[ "$EUID" -ne 0 ]] && printf 'Please run as root!\n' && exit 1
|
||||
|
||||
#
|
||||
# user_updates.php
|
||||
#
|
||||
|
||||
LIST="$(stat --format=%Z\ %n /home/*/public_html/* | grep -v updated | grep -v your_index_template.php | grep -v cgi-bin | sort -r)"
|
||||
echo "$LIST" | perl /usr/local/bin/envs_user_updated_genpage.pl > /tmp/user_updates.php_tmp
|
||||
|
||||
mv /tmp/user_updates.php_tmp "$WWW_PATH"/user_updates.php
|
||||
chown root:www-data "$WWW_PATH"/user_updates.php
|
||||
|
||||
|
||||
#
|
||||
# users_info.json
|
||||
#
|
||||
TMP_JSON='/tmp/users_info.json_tmp'
|
||||
|
||||
cat << EOM > "$TMP_JSON"
|
||||
{
|
||||
"timestamp": "$(date +'%s')",
|
||||
"data": {
|
||||
"info": {
|
||||
"name": "envs",
|
||||
"description": "envs.net is a minimalist, non-commercial shared unix system and will always be free to use.",
|
||||
"located": "germany",
|
||||
"maintainer": "Sven Kinne (~creme) - creme@envs.net",
|
||||
"website": "https://$DOMAIN",
|
||||
"signup_url": "https://$DOMAIN/signup/",
|
||||
"gopher": "gopher://envs.net/",
|
||||
"email": "hostmaster@$DOMAIN",
|
||||
"admin_email": "sudoers@$DOMAIN",
|
||||
"user_count": $(find /home -mindepth 1 -maxdepth 1 | wc -l)
|
||||
},
|
||||
"users": {
|
||||
EOM
|
||||
# user header
|
||||
for USERNAME in /home/*
|
||||
do
|
||||
USER_HOME="$USERNAME"
|
||||
USERNAME="${USERNAME/\/home\//}"
|
||||
INFO_FILE="$USER_HOME/.envs"
|
||||
|
||||
cat << EOM >> "$TMP_JSON"
|
||||
"$USERNAME": {
|
||||
"home": "$USER_HOME",
|
||||
"email": "$USERNAME@$DOMAIN",
|
||||
EOM
|
||||
# desc
|
||||
if [[ -f "$INFO_FILE" ]]; then
|
||||
desc="$(sed -n '/^desc=/{s#^.*=##;p}' "$INFO_FILE")"
|
||||
|
||||
if [[ -z "$desc" ]] || [[ "$desc" == 'a short describtion or message' ]]; then
|
||||
cat << EOM >> "$TMP_JSON"
|
||||
"desc": "",
|
||||
EOM
|
||||
else
|
||||
cat << EOM >> "$TMP_JSON"
|
||||
"desc": "$desc",
|
||||
EOM
|
||||
fi
|
||||
else
|
||||
cat << EOM >> "$TMP_JSON"
|
||||
"desc": "",
|
||||
EOM
|
||||
fi
|
||||
# website
|
||||
if [[ -f "$USER_HOME"/public_html/index.php ]] || [[ "$(test -f "$USER_HOME"/public_html/index.*htm*; echo $?)" -eq 0 ]]; then
|
||||
cat << EOM >> "$TMP_JSON"
|
||||
"website": "https://$DOMAIN/~$USERNAME/",
|
||||
EOM
|
||||
else
|
||||
cat << EOM >> "$TMP_JSON"
|
||||
"website": "",
|
||||
EOM
|
||||
fi
|
||||
# gopher
|
||||
if [ -f "$USER_HOME"/public_gopher/gophermap ]; then
|
||||
cat << EOM >> "$TMP_JSON"
|
||||
"gopher": "gopher://$DOMAIN/1/~$USERNAME/",
|
||||
"gopherproxy": "https://gopher.$DOMAIN/$DOMAIN/1/~$USERNAME/",
|
||||
EOM
|
||||
else
|
||||
cat << EOM >> "$TMP_JSON"
|
||||
"gopher": "",
|
||||
"gopherproxy": "",
|
||||
EOM
|
||||
fi
|
||||
# gemini
|
||||
if [ -f "$USER_HOME"/public_gemini/index.gmi ]; then
|
||||
cat << EOM >> "$TMP_JSON"
|
||||
"gemini": "gemini://$DOMAIN/~$USERNAME/",
|
||||
EOM
|
||||
fi
|
||||
# blog
|
||||
if [[ "$(find "$USER_HOME"/public_html/blog/ -maxdepth 1 2>/dev/null | wc -l)" -ge 3 ]]; then
|
||||
cat << EOM >> "$TMP_JSON"
|
||||
"blog": "https://$DOMAIN/~$USERNAME/blog/",
|
||||
EOM
|
||||
else
|
||||
cat << EOM >> "$TMP_JSON"
|
||||
"blog": "",
|
||||
EOM
|
||||
fi
|
||||
# twtwt
|
||||
if [[ -f "$USER_HOME"/public_html/twtxt.txt ]]; then
|
||||
cat << EOM >> "$TMP_JSON"
|
||||
"twtxt": "https://$DOMAIN/~$USERNAME/twtxt.txt",
|
||||
EOM
|
||||
else
|
||||
cat << EOM >> "$TMP_JSON"
|
||||
"twtxt": "",
|
||||
EOM
|
||||
fi
|
||||
# user custom infos from .envs file (max. 10 entrys)
|
||||
if [[ -f "$INFO_FILE" ]]; then
|
||||
count_entry='0' # use to limit entrys
|
||||
count_field_entry='0' # use to separat array line by line
|
||||
|
||||
unset field_exists; declare -a field_exists=() # contains field names to limit entrys
|
||||
unset field_is_array; declare -a field_is_array=() # contains array fields to printf correct json entrys
|
||||
unset line_to_set; declare -A line_to_set # contains user info lines
|
||||
|
||||
# check 'INFO_FILE' and add entrys to 'line_to_set' array
|
||||
while read -r LINE ; do
|
||||
if [[ -n "$LINE" ]] && ! [[ "$LINE" = '#'* ]] && ! [[ "$LINE" = 'desc='* ]]; then
|
||||
user_field="${LINE//=*/}"
|
||||
user_value="${LINE//*=/}"
|
||||
|
||||
if ! [[ ":${field_exists[*]}:" =~ $user_field ]]; then
|
||||
# entry will be a single line
|
||||
count_entry="$(( "$count_entry" + 1 ))"; [[ "$count_entry" -le '10' ]] || continue
|
||||
field_exists+=( "$user_field" )
|
||||
line_to_set["$user_field","$count_field_entry"]+="$user_value"
|
||||
else
|
||||
# entry will be a array
|
||||
if ! [[ ":${field_is_array[*]}:" =~ $user_field ]]; then
|
||||
field_is_array+=( "$user_field" )
|
||||
fi
|
||||
count_field_entry="$(( "$count_field_entry" +1 ))"
|
||||
line_to_set["$user_field","$count_field_entry"]+="$user_value"
|
||||
fi
|
||||
fi
|
||||
done <<< "$(tac "$INFO_FILE")" # read file from buttom
|
||||
|
||||
# add users custom entrys from line_to_set (single lines before arrays)
|
||||
#
|
||||
# single line entrys
|
||||
for field in "${!line_to_set[@]}"; do
|
||||
field_name="${field//,*/}"
|
||||
|
||||
if ! [[ ":${field_is_array[*]}:" =~ $field_name ]]; then
|
||||
cat << EOM >> "$TMP_JSON"
|
||||
"$field_name": "${line_to_set[$field]}",
|
||||
EOM
|
||||
fi
|
||||
done
|
||||
#
|
||||
# array line entrys
|
||||
field_in_progress=''
|
||||
|
||||
for field in "${!line_to_set[@]}"; do
|
||||
field_name="${field//,*/}"
|
||||
field_count="${field//*,/}"
|
||||
|
||||
if [[ ":${field_is_array[*]}:" =~ $field_name ]]; then
|
||||
# begin of user def. array
|
||||
if ! [[ "$field_in_progress" = "$field_name" ]]; then
|
||||
field_in_progress="$field_name"
|
||||
|
||||
cat << EOM >> "$TMP_JSON"
|
||||
"$field_name": [
|
||||
"${line_to_set[$field]}",
|
||||
EOM
|
||||
else
|
||||
# continue user def. array
|
||||
if ! [[ "$field_count" -eq '0' ]]; then
|
||||
cat << EOM >> "$TMP_JSON"
|
||||
"${line_to_set[$field]}",
|
||||
EOM
|
||||
# end of user def. array
|
||||
else
|
||||
unset field_in_progress
|
||||
cat << EOM >> "$TMP_JSON"
|
||||
"${line_to_set[$field]}"
|
||||
],
|
||||
EOM
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
done
|
||||
fi
|
||||
# ssh
|
||||
cat << EOM >> "$TMP_JSON"
|
||||
"ssh-pubkey": [
|
||||
EOM
|
||||
while read -r LINE ; do
|
||||
[[ "$LINE" == 'ssh'* ]] && printf '\t\r\t\r\t\r\t\r\t"%s",\n' "$LINE" >> "$TMP_JSON"
|
||||
done < "$USER_HOME"/.ssh/authorized_keys
|
||||
# remove trailing ',' for the last pubkey
|
||||
sed -i '$ s/,$//' "$TMP_JSON"
|
||||
|
||||
# close user ssh pubkey array ']' and user part. '},'
|
||||
cat << EOM >> "$TMP_JSON"
|
||||
]
|
||||
},
|
||||
EOM
|
||||
# EOF
|
||||
done
|
||||
# remove trailing ',' on last user entry
|
||||
sed -i '$ s/,$//' "$TMP_JSON"
|
||||
|
||||
cat << EOM >> "$TMP_JSON"
|
||||
}
|
||||
}
|
||||
}
|
||||
EOM
|
||||
|
||||
|
||||
mv "$TMP_JSON" "$WWW_PATH"/users_info.json
|
||||
chown root:www-data "$WWW_PATH"/users_info.json
|
||||
|
||||
#
|
||||
exit 0
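Review bot: Strings taken from the user-owned `.envs` file (`$desc` in the `"desc": "$desc",` heredoc, and every `$field_name`/`${line_to_set[$field]}` pair in the single-line and array heredocs) are interpolated into `users_info.json` with no JSON escaping, so a `"` or `\` in one user's description breaks the published document for every consumer, and a crafted field name can add or override keys in that user's object. Encode each string instead of pasting it into a heredoc, e.g. `desc_json="$(printf '%s' "$desc" | jq -Rs .)"` followed by `"desc": $desc_json,` (python3's `json.dumps` works equally), and apply the same to the authorized_keys lines, whose comment field may also contain quotes. `[[ -f "$INFO_FILE" ]]` follows symlinks and this script runs as root, so a `.envs` that is a symlink to a root-only file gets its `desc=` line published; reject links with `[[ -f "$INFO_FILE" && ! -L "$INFO_FILE" ]]`. The fixed names `/tmp/user_updates.php_tmp` and `/tmp/users_info.json_tmp` are written by root in a world-writable directory; allocate them with `mktemp` (ideally under `$WWW_PATH` so the final `mv` stays atomic) and `mv -f` to the target.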
|
|
@ -0,0 +1,50 @@
|
|||
#!/usr/bin/perl
|
||||
#
|
||||
# source from pgadey (ctrl-c.club)
|
||||
# url: https://github.com/pgadey/bin/blob/master/ctrl-c.club
|
||||
#
|
||||
|
||||
print "<?php
|
||||
// do not touch
|
||||
// this files is generated by /usr/local/bin/envs_user_updated.sh
|
||||
|
||||
\$title = \"envs.net | recently user updates\";
|
||||
\$desc = \"envs.net | recently user updates\";
|
||||
|
||||
include 'header.php';
|
||||
?>
|
||||
|
||||
<body id=\"body\" class=\"dark-mode\">
|
||||
<div>
|
||||
|
||||
<div class=\"button_back\">
|
||||
<pre class=\"clean\"><strong><a href=\"/\">< back</a></strong></pre>
|
||||
</div>
|
||||
|
||||
<div id=\"main\">
|
||||
<div class=\"block\">
|
||||
<pre>
|
||||
<h1><em>recently user updates</em></h1>
|
||||
</pre>
|
||||
</div>
|
||||
|
||||
<pre>
|
||||
this is a static list of the pages modified in <code>/home/*/public_html/*</code>. it updates every hour.
|
||||
<ul>\n";
|
||||
|
||||
while (<>) {
|
||||
chomp;
|
||||
($date, $index) = split(/ /, $_);
|
||||
$date = `date --date="\@$date" +'%F %H:%M:%S'`;
|
||||
$author = $index;
|
||||
$file = $index;
|
||||
$author =~ s%/home/(\w+)/public_html/(\S+)%$1%;
|
||||
$file =~ s%/home/(\w+)/public_html/(\S+)%$2%;
|
||||
print "<li><a href=\"https://envs.net/\~$author/\">\~$author</a> (<a href=\"https://envs.net/\~$author/$file\">$file</a>) at $date</li>\n";
|
||||
};
|
||||
|
||||
print "</ul>
|
||||
</pre>
|
||||
</div>
|
||||
|
||||
<?php include 'footer.php'; ?>";
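Review bot: `$file` and `$author` go into the `<li>` markup in the loop's `print` without HTML escaping, and `$file` is a filename the user chose under `/home/*/public_html/`, so a name containing `<`, `>` or `"` becomes markup on the site-wide user_updates.php page and also breaks the `href`. Escape the text before printing (`$file =~ s/&/&amp;/g; $file =~ s/</&lt;/g; $file =~ s/"/&quot;/g;`, or `HTML::Entities::encode_entities` if it is installed) and URL-encode the value used in the link separately. `split(/ /, $_)` also cuts `$index` at the first space, so a filename with spaces yields a wrong author/file pair; `split(/ /, $_, 2)` keeps the rest of the line intact. `use strict; use warnings;` would have flagged the undeclared globals and the trailing newline that `date` leaves in `$date`.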
|
|
@ -0,0 +1,74 @@
|
|||
#!/bin/sh
|
||||
|
||||
# Color diff output, for human consumption
|
||||
|
||||
# License: LGPLv2
|
||||
# Author:
|
||||
# http://www.pixelbeat.org/
|
||||
# Notes:
|
||||
# If 2 parameters are passed, then they are passed to
|
||||
# the `diff -Naru` command first. Otherwise the parameters
|
||||
# (or stdin) are assumed to be diff format and are colourised.
|
||||
#
|
||||
# VIM can be useful for viewing diffs also:
|
||||
# diff -Naru a b | vim -R -
|
||||
# vim -R a-b.diff
|
||||
# Changes:
|
||||
# V0.1, 12 Feb 2008, Initial release
|
||||
# V0.2, 18 Feb 2008, Use tput rather than hardcoding escape sequences.
|
||||
# V0.3, 24 Apr 2008, Support Mac OS X
|
||||
# V0.4, 30 Apr 2008, P@draigBrady.com
|
||||
# Use $PAGER if set
|
||||
# Manfred Schwarb <manfred99@gmx.ch>
|
||||
# Support `diff -c` format fully.
|
||||
# Pointed out issues with less -EF options.
|
||||
# Suggested to use the less -S option.
|
||||
# V0.5, 18 Jun 2009, P@draigBrady.com
|
||||
# Delineate each file level item with highlight.
|
||||
# Simplify expressions by using '&' in replacement.
|
||||
# Use 't' after all matches for consistency and speed.
|
||||
|
||||
# less -K reportedly not available on older Mac OS X
|
||||
less -K -Ff /dev/null 2>/dev/null && CTRL_C_EXITS="-K"
|
||||
|
||||
RED=1; GREEN=2; BLUE=4; BRIGHT='1;'
|
||||
|
||||
tputc() {
|
||||
bright=$1; colour=$2
|
||||
[ "$bright" ] && tput bold
|
||||
tput setaf $colour
|
||||
}
|
||||
|
||||
DEL="`tputc $BRIGHT $RED`"
|
||||
ADD="`tputc $BRIGHT $GREEN`"
|
||||
CHG="`tputc $BRIGHT $BLUE`"
|
||||
FIL="`tput smso`" #highlight file level items
|
||||
RST="`tput sgr0`"
|
||||
|
||||
if [ "$#" -eq "2" ]; then
|
||||
diff -Naru "$@"
|
||||
else
|
||||
cat "$@"
|
||||
fi |
|
||||
sed "
|
||||
s/^\*\{3\}.*\*\{4\}/$CHG&$RST/;t
|
||||
s/^-\{3\}.*-\{4\}/$CHG&$RST/;t
|
||||
s/^@.*/$CHG&$RST/;t
|
||||
s/^[0-9].*/$CHG&$RST/;t
|
||||
s/^!.*/$CHG&$RST/;t
|
||||
|
||||
s/^-.*/$DEL&$RST/;t
|
||||
s/^<.*/$DEL&$RST/;t
|
||||
|
||||
s/^\*.*/$ADD&$RST/;t
|
||||
s/^\+.*/$ADD&$RST/;t
|
||||
s/^>.*/$ADD&$RST/;t
|
||||
|
||||
s/^Only in.*/$FIL&$RST/;t
|
||||
s/^Index: .*/$FIL&$RST/;t
|
||||
s/^diff .*/$FIL&$RST/;t
|
||||
" |
|
||||
${PAGER:-less -QRS $CTRL_C_EXITS}
|
||||
|
||||
# could use less -EFX also, but for large files or lots of scrolling, this
|
||||
# is a lot more obtrusive on the terminal as the [de]init codes not used.
|
|
@ -0,0 +1,3 @@
|
|||
#!/bin/sh
|
||||
|
||||
users | tr ' ' \\n | uniq | wc -l
|
|
@ -0,0 +1,7 @@
|
|||
#!/bin/bash
|
||||
|
||||
printf 'setting up your thelounge account\n\n'
|
||||
|
||||
THELOUNGE_HOME=/srv/thelounge sudo -u thelounge /srv/thelounge/.yarn/bin/thelounge add "$USER"
|
||||
|
||||
printf '\nyou can now log in to https://irc.envs.net as %s with the password you just created.\n' "$USER"
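Review bot: The account name passed to `thelounge add` comes from `$USER`, an environment variable the caller can set to anything before running the script, so the sudo rule ends up creating or resetting whatever account name is supplied rather than the caller's own. Use `"$(id -un)"` here, but since the `thelounge add *` rule in the accompanying sudoers file accepts any argument regardless of what this script passes, the name should really be derived on the privileged side by a fixed wrapper that the sudoers entry points at. `THELOUNGE_HOME=/srv/thelounge` is set in the caller's environment before `sudo`, and the `Defaults env_reset` in that sudoers file drops it unless it is listed in `env_keep`, so it most likely never reaches thelounge — worth confirming, and if it is needed, set it inside the wrapper instead.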
|
|
@ -0,0 +1,38 @@
|
|||
hello ~_username_,
|
||||
|
||||
welcome to envs.net!
|
||||
|
||||
your account has been established and you can ssh or mosh
|
||||
into envs.net with the ssh key you supplied on registration.
|
||||
|
||||
your password is "_password_".
|
||||
please change it when you log in for the first time with ssh.
|
||||
also you need to change the password on https://mail.envs.net !
|
||||
the password is used for imap/smtp auth(mail) and mysql. NOT shell login,
|
||||
which is set to only use ssh key authentication.
|
||||
your mail password will also used for znc.envs.net (imap-auth).
|
||||
|
||||
the best way you can help envs.net is by working
|
||||
to support a great system culture. build cool programs and
|
||||
share them with others; and help others; be a
|
||||
good example for others and have fun!
|
||||
|
||||
your ~/public_www directory is served at:
|
||||
https://envs.net/~_username_ , https://envs.net/u/_username_
|
||||
https://_username_.envs.net and https://_username_.envs.sh/.
|
||||
|
||||
your mysql database is also has been provisioned. information below should
|
||||
be used to connect to it:
|
||||
|
||||
database name: _username_
|
||||
database user: _username_
|
||||
password: (see your password above)
|
||||
|
||||
of course you can also use sqlite databases.
|
||||
|
||||
|
||||
check out our help page at https://envs.net/help for more informations.
|
||||
|
||||
we seeing you! :)
|
||||
|
||||
envs.net ~creme
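Review bot: The mail tells new users their site lives in `~/public_www`, but the scripts in this commit scan and link `~/public_html` (the `stat … /home/*/public_html/*` listing and the `public_html/index.php` check in envs_user_updated.sh), so a user following the text places their pages where nothing serves them; change the line to `your ~/public_html directory is served at:`. The template also embeds the mail/mysql password in clear text, where it persists in the recipient's mailbox and any relay logs; a short-lived initial password that must be changed on first login would limit that exposure. Minor wording: `we seeing you! :)` and `your mysql database is also has been provisioned` read as typos.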
|
|
@ -0,0 +1,33 @@
|
|||
hello,
|
||||
|
||||
welcome to envs.net!
|
||||
|
||||
you made it! we've set you up with a 'byobu' session with the
|
||||
following default tabs:
|
||||
|
||||
- weechat for irc
|
||||
- mutt for email
|
||||
- a shell
|
||||
|
||||
if you're reading this, you're in the mutt pane. have a look
|
||||
at the status bar at the bottom. the current windows are shown
|
||||
in the bottom left, with several system status symbols on the right.
|
||||
|
||||
some of the most important keybinds are:
|
||||
|
||||
- f2: open a new window/tab
|
||||
- f3/f4: prev/next windows
|
||||
- f6: disconnect from you byobu session
|
||||
- shift-f12 disable/enable byobu f-key bindings
|
||||
|
||||
press shift-f1 to see a more complete list of keybinds,
|
||||
but these will get you wherever you need to go.
|
||||
|
||||
if you need help, switch to the first window and ask in irc.
|
||||
|
||||
also, if you know what you're doing and would rather use a different
|
||||
terminal multiplexer, run byobu-disable to prevent it from launching on login.
|
||||
|
||||
we look forward to seeing you around! welcome to the envs.net!
|
||||
|
||||
envs ~ admins
|
|
@ -0,0 +1,7 @@
|
|||
#
|
||||
# BACKUP Server every day
|
||||
#
|
||||
SHELL=/bin/sh
|
||||
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root
|
||||
|
||||
13 1,13 * * * root /root/backup-server.sh >/dev/null 2>&1
|
|
@ -0,0 +1,4 @@
|
|||
SHELL=/bin/sh
|
||||
PATH=/usr/bin:/opt/services
|
||||
|
||||
0 0 * * 0 services python /opt/services/botany/clear_weekly_users.py >/dev/null 2>&1
|
|
@ -0,0 +1,17 @@
|
|||
# /etc/cron.d/certbot: crontab entries for the certbot package
|
||||
#
|
||||
# Upstream recommends attempting renewal twice a day
|
||||
#
|
||||
# Eventually, this will be an opportunity to validate certificates
|
||||
# haven't been revoked, etc. Renewal will only occur if expiration
|
||||
# is within 30 days.
|
||||
#
|
||||
# Important Note! This cronjob will NOT be executed if you are
|
||||
# running systemd as your init system. If you are running systemd,
|
||||
# the cronjob.timer function takes precedence over this cronjob. For
|
||||
# more details, see the systemd.timer manpage, or use systemctl show
|
||||
# certbot.timer.
|
||||
SHELL=/bin/sh
|
||||
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
|
||||
|
||||
0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew --deploy-hook /etc/letsencrypt/renewal-hooks/deploy/envs.sh --renew-hook "systemctl reload nginx"
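Review bot: The added `--renew-hook "systemctl reload nginx"` only runs when this cron line runs, and the line's own guard (`\! -d /run/systemd/system`) disables it on systemd hosts, where `certbot.timer` invokes `certbot -q renew` without these arguments — so on such a host nginx is never reloaded after a renewal. certbot already executes everything in `/etc/letsencrypt/renewal-hooks/deploy/` (where this commit installs `envs.sh`) on both code paths, so the `--deploy-hook` argument is redundant and the nginx reload belongs in that script or a sibling file in the same directory. `--renew-hook` is the older spelling of `--deploy-hook`; whether certbot honours both when given together depends on the version in use and is worth confirming rather than relying on.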
|
|
@ -0,0 +1,4 @@
|
|||
SHELL=/bin/sh
|
||||
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
|
||||
|
||||
0-59/1 * * * * root /usr/local/bin/conntrack.sh && /usr/local/bin/envs_conntracks.sh >/dev/null 2>&1
|
|
@ -0,0 +1,7 @@
|
|||
#
|
||||
# generate envs gemini - index.gem (once per hour)
|
||||
#
|
||||
SHELL=/bin/sh
|
||||
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
|
||||
|
||||
0 * * * * root /usr/local/bin/envs_gemini_genpage.sh >/dev/null 2>&1
|
|
@ -0,0 +1,7 @@
|
|||
#
|
||||
# generate envs stats.html (once per hour)
|
||||
#
|
||||
SHELL=/bin/sh
|
||||
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
|
||||
|
||||
0 * * * * root /usr/local/bin/envs_stats.sh >/dev/null 2>&1
|
|
@ -0,0 +1,7 @@
|
|||
#
|
||||
# generate sysinfo.json and sysinfo.php every day
|
||||
#
|
||||
SHELL=/bin/sh
|
||||
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
|
||||
|
||||
0 0 * * * root /usr/local/bin/envs_sysinfo.sh >/dev/null 2>&1
|
|
@ -0,0 +1,8 @@
|
|||
#
|
||||
# generate user_updates.php , users_info.json
|
||||
# (once per hour)
|
||||
#
|
||||
SHELL=/bin/sh
|
||||
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
|
||||
|
||||
0 * * * * root /usr/local/bin/envs_user_updated.sh >/dev/null 2>&1
|
|
@ -0,0 +1,4 @@
|
|||
SHELL=/bin/sh
|
||||
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
|
||||
|
||||
33 23 * * * root /usr/local/sbin/update-blacklist.sh /etc/ipset-blacklist/ipset-blacklist.conf >/dev/null 2>/dev/null&
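Review bot: The trailing `&` backgrounds the job inside the shell cron spawned, so cron sees an immediate successful exit and, combined with `>/dev/null 2>/dev/null`, a failing blocklist refresh is never reported; the same pattern is on the half-hourly ipset-fail2ban line in the next file. cron already runs each job asynchronously, so drop the `&` and keep stderr visible (`>/dev/null` alone, or `2>&1 | logger -t update-blacklist`) so a failed firewall update reaches root's mail or the journal. `2>/dev/null` after `>/dev/null` is equivalent to `2>&1` here and could be written that way for consistency with the other cron entries in this commit.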
|
|
@ -0,0 +1,6 @@
|
|||
SHELL=/bin/sh
|
||||
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
|
||||
|
||||
0-59/30 * * * * root /usr/local/sbin/ipset-fail2ban.sh /etc/ipset-fail2ban/ipset-fail2ban.conf >/dev/null 2>/dev/null&
|
||||
# clear list once per week
|
||||
0 0 * * 0 root /usr/local/sbin/ipset-fail2ban.sh /etc/ipset-fail2ban/ipset-fail2ban.conf -c >/dev/null 2>&1
|
|
@ -0,0 +1,43 @@
|
|||
# /etc/inetd.conf: see inetd(8) for further informations.
|
||||
#
|
||||
# Internet superserver configuration database
|
||||
#
|
||||
#
|
||||
# Lines starting with "#:LABEL:" or "#<off>#" should not
|
||||
# be changed unless you know what you are doing!
|
||||
#
|
||||
# If you want to disable an entry so it isn't touched during
|
||||
# package updates just comment it out with a single '#' character.
|
||||
#
|
||||
# Packages should modify this file by using update-inetd(8)
|
||||
#
|
||||
# <service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
|
||||
#
|
||||
#:INTERNAL: Internal services
|
||||
#discard stream tcp nowait root internal
|
||||
#discard dgram udp wait root internal
|
||||
#daytime stream tcp nowait root internal
|
||||
#time stream tcp nowait root internal
|
||||
|
||||
#:STANDARD: These are standard services.
|
||||
|
||||
#:BSD: Shell, login, exec and talk are BSD protocols.
|
||||
talk dgram udp wait nobody.tty /usr/sbin/tcpd in.talkd
|
||||
ntalk dgram udp wait nobody.tty /usr/sbin/tcpd in.ntalkd
|
||||
|
||||
#:MAIL: Mail, news and uucp services.
|
||||
|
||||
#:INFO: Info services
|
||||
finger stream tcp nowait efingerd /usr/sbin/tcpd /usr/sbin/efingerd -fi
|
||||
ident stream tcp nowait identd /usr/sbin/ident2 ident2 -i -n
|
||||
|
||||
#:BOOT: TFTP service is provided primarily for booting. Most sites
|
||||
# run this only on machines acting as "boot servers."
|
||||
|
||||
#:RPC: RPC based services
|
||||
|
||||
#:HAM-RADIO: amateur-radio services
|
||||
|
||||
#:OTHER: Other services
|
||||
#gopher stream tcp nowait nobody /usr/sbin/gophernicus gophernicus -h envs.net -nv -o UTF-8
|
||||
gopher stream tcp nowait nobody /usr/sbin/gophernicus gophernicus -h envs.net -nv -r /var/gopher/envs.net -o UTF-8
|
|
@ -0,0 +1,67 @@
|
|||
# /etc/inputrc - global inputrc for libreadline
|
||||
# See readline(3readline) and `info rluserman' for more information.
|
||||
|
||||
# Be 8 bit clean.
|
||||
set input-meta on
|
||||
set output-meta on
|
||||
|
||||
# To allow the use of 8bit-characters like the german umlauts, uncomment
|
||||
# the line below. However this makes the meta key not work as a meta key,
|
||||
# which is annoying to those which don't need to type in 8-bit characters.
|
||||
|
||||
# set convert-meta off
|
||||
|
||||
# try to enable the application keypad when it is called. Some systems
|
||||
# need this to enable the arrow keys.
|
||||
# set enable-keypad on
|
||||
|
||||
# see /usr/share/doc/bash/inputrc.arrows for other codes of arrow keys
|
||||
|
||||
# do not bell on tab-completion
|
||||
set bell-style none
|
||||
# set bell-style visible
|
||||
|
||||
# some defaults / modifications for the emacs mode
|
||||
$if mode=emacs
|
||||
|
||||
# allow the use of the Home/End keys
|
||||
"\e[1~": beginning-of-line
|
||||
"\e[4~": end-of-line
|
||||
|
||||
# allow the use of the Delete/Insert keys
|
||||
"\e[3~": delete-char
|
||||
"\e[2~": quoted-insert
|
||||
|
||||
# mappings for "page up" and "page down" to step to the beginning/end
|
||||
# of the history
|
||||
# "\e[5~": beginning-of-history
|
||||
# "\e[6~": end-of-history
|
||||
|
||||
# alternate mappings for "page up" and "page down" to search the history
|
||||
"\e[5~": history-search-backward
|
||||
"\e[6~": history-search-forward
|
||||
|
||||
# mappings for Ctrl-left-arrow and Ctrl-right-arrow for word moving
|
||||
"\e[1;5C": forward-word
|
||||
"\e[1;5D": backward-word
|
||||
"\e[5C": forward-word
|
||||
"\e[5D": backward-word
|
||||
"\e\e[C": forward-word
|
||||
"\e\e[D": backward-word
|
||||
|
||||
$if term=rxvt
|
||||
"\e[7~": beginning-of-line
|
||||
"\e[8~": end-of-line
|
||||
"\eOc": forward-word
|
||||
"\eOd": backward-word
|
||||
$endif
|
||||
|
||||
# for non RH/Debian xterm, can't hurt for RH/Debian xterm
|
||||
# "\eOH": beginning-of-line
|
||||
# "\eOF": end-of-line
|
||||
|
||||
# for freebsd console
|
||||
# "\e[H": beginning-of-line
|
||||
# "\e[F": end-of-line
|
||||
|
||||
$endif
|
|
@ -0,0 +1,272 @@
|
|||
## Sample initialization file for GNU nano.
|
||||
##
|
||||
## Please note that you must have configured nano with --enable-nanorc
|
||||
## for this file to be read! Also note that this file should not be in
|
||||
## DOS or Mac format, and that characters specially interpreted by the
|
||||
## shell should not be escaped here.
|
||||
##
|
||||
## To make sure an option is disabled, use "unset <option>".
|
||||
##
|
||||
## For the options that take parameters, the default value is given.
|
||||
## Other options are unset by default.
|
||||
##
|
||||
## Quotes inside string parameters don't have to be escaped with
|
||||
## backslashes. The last double quote in the string will be treated as
|
||||
## its end. For example, for the "brackets" option, ""')>]}" will match
|
||||
## ", ', ), >, ], and }.
|
||||
|
||||
## Make the 'nextword' function (Ctrl+Right) stop at word ends
|
||||
## instead of at beginnings.
|
||||
# set afterends
|
||||
|
||||
## When soft line wrapping is enabled, make it wrap lines at blanks
|
||||
## (tabs and spaces) instead of always at the edge of the screen.
|
||||
# set atblanks
|
||||
|
||||
## Automatically indent a newly created line to the same number of
|
||||
## tabs and/or spaces as the preceding line -- or as the next line
|
||||
## if the preceding line is the beginning of a paragraph.
|
||||
# set autoindent
|
||||
|
||||
## Back up files to the current filename plus a tilde.
|
||||
# set backup
|
||||
|
||||
## The directory to put unique backup files in.
|
||||
# set backupdir ""
|
||||
|
||||
## Use bold text instead of reverse video text.
|
||||
# set boldtext
|
||||
|
||||
## The characters treated as closing brackets when justifying paragraphs.
|
||||
## This may not include any blank characters. Only closing punctuation,
|
||||
## optionally followed by these closing brackets, can end sentences.
|
||||
# set brackets ""')>]}"
|
||||
|
||||
## Do case-sensitive searches by default.
|
||||
# set casesensitive
|
||||
|
||||
## Constantly display the cursor position in the status bar. Note that
|
||||
## this overrides "quickblank".
|
||||
# set constantshow
|
||||
|
||||
## Use cut-from-cursor-to-end-of-line by default.
|
||||
# set cutfromcursor
|
||||
## (The old form, 'cut', is deprecated.)
|
||||
|
||||
## Set the line length for wrapping text and justifying paragraphs.
|
||||
## If the value is 0 or less, the wrapping point will be the screen
|
||||
## width less this number.
|
||||
# set fill -8
|
||||
|
||||
## Remember the used search/replace strings for the next session.
|
||||
set historylog
|
||||
|
||||
## Display line numbers to the left of the text.
|
||||
# set linenumbers
|
||||
|
||||
## Enable vim-style lock-files. This is just to let a vim user know you
|
||||
## are editing a file [s]he is trying to edit and vice versa. There are
|
||||
## no plans to implement vim-style undo state in these files.
|
||||
set locking
|
||||
|
||||
## The opening and closing brackets that can be found by bracket
|
||||
## searches. They cannot contain blank characters. The former set must
|
||||
## come before the latter set, and both must be in the same order.
|
||||
# set matchbrackets "(<[{)>]}"
|
||||
|
||||
## Use the blank line below the title bar as extra editing space.
|
||||
# set morespace
|
||||
|
||||
## Enable mouse support, if available for your system. When enabled,
|
||||
## mouse clicks can be used to place the cursor, set the mark (with a
|
||||
## double click), and execute shortcuts. The mouse will work in the X
|
||||
## Window System, and on the console when gpm is running.
|
||||
# set mouse
|
||||
|
||||
## Switch on multiple file buffers (inserting a file will put it into
|
||||
## a separate buffer).
|
||||
# set multibuffer
|
||||
|
||||
## Don't convert files from DOS/Mac format.
|
||||
# set noconvert
|
||||
|
||||
## Don't display the helpful shortcut lists at the bottom of the screen.
|
||||
# set nohelp
|
||||
|
||||
## Don't automatically add a newline when a file does not end with one.
|
||||
# set nonewlines
|
||||
|
||||
## Don't pause between warnings at startup. Which means that only the
|
||||
## last one will be readable (when there are multiple ones).
|
||||
# set nopauses
|
||||
|
||||
## Don't wrap text at all.
|
||||
set nowrap
|
||||
|
||||
## Set operating directory. nano will not read or write files outside
|
||||
## this directory and its subdirectories. Also, the current directory
|
||||
## is changed to here, so any files are inserted from this dir. A blank
|
||||
## string means the operating-directory feature is turned off.
|
||||
# set operatingdir ""
|
||||
|
||||
## Remember the cursor position in each file for the next editing session.
|
||||
# set positionlog
|
||||
|
||||
## Preserve the XON and XOFF keys (^Q and ^S).
|
||||
# set preserve
|
||||
|
||||
## The characters treated as closing punctuation when justifying
|
||||
## paragraphs. They cannot contain blank characters. Only closing
|
||||
## punctuation, optionally followed by closing brackets, can end
|
||||
## sentences.
|
||||
# set punct "!.?"
|
||||
|
||||
## Do quick status-bar blanking. Status-bar messages will disappear after
|
||||
## 1 keystroke instead of 26. Note that "constantshow" overrides this.
|
||||
# set quickblank
|
||||
|
||||
## The email-quote string, used to justify email-quoted paragraphs.
|
||||
## This is an extended regular expression. The default is:
|
||||
# set quotestr "^([ ]*([#:>|}]|//))+"
|
||||
|
||||
## Fix Backspace/Delete confusion problem.
|
||||
# set rebinddelete
|
||||
|
||||
## Fix numeric keypad key confusion problem.
|
||||
# set rebindkeypad
|
||||
|
||||
## Do extended regular expression searches by default.
|
||||
# set regexp
|
||||
|
||||
## Put the cursor on the highlighted item in the file browser;
|
||||
## useful for people who use a braille display.
|
||||
# set showcursor
|
||||
|
||||
## Make the Home key smarter. When Home is pressed anywhere but at the
|
||||
## very beginning of non-whitespace characters on a line, the cursor
|
||||
## will jump to that beginning (either forwards or backwards). If the
|
||||
## cursor is already at that position, it will jump to the true
|
||||
## beginning of the line.
|
||||
# set smarthome
|
||||
|
||||
## Use smooth scrolling as the default.
|
||||
# set smooth
|
||||
|
||||
## Enable soft line wrapping (AKA full-line display).
|
||||
# set softwrap
|
||||
|
||||
## Use this spelling checker instead of the internal one. This option
|
||||
## does not have a default value.
|
||||
# set speller "aspell -x -c"
|
||||
|
||||
## Allow nano to be suspended.
|
||||
set suspend
|
||||
|
||||
## Use this tab size instead of the default; it must be greater than 0.
|
||||
set tabsize 4
|
||||
|
||||
## Convert typed tabs to spaces.
|
||||
# set tabstospaces
|
||||
|
||||
## Save automatically on exit; don't prompt.
|
||||
# set tempfile
|
||||
|
||||
## Snip whitespace at the end of lines when justifying or hard-wrapping.
|
||||
# set trimblanks
|
||||
## (The old form, 'justifytrim', is deprecated.)
|
||||
|
||||
## Disallow file modification. Why would you want this in an rcfile? ;)
|
||||
# set view
|
||||
|
||||
## The two single-column characters used to display the first characters
|
||||
## of tabs and spaces. 187 in ISO 8859-1 (0000BB in Unicode) and 183 in
|
||||
## ISO-8859-1 (0000B7 in Unicode) seem to be good values for these.
|
||||
## The default when in a UTF-8 locale:
|
||||
# set whitespace "»·"
|
||||
## The default otherwise:
|
||||
# set whitespace ">."
|
||||
|
||||
## Detect word boundaries differently by treating punctuation
|
||||
## characters as parts of words.
|
||||
# set wordbounds
|
||||
|
||||
## The characters (besides alphanumeric ones) that should be considered
|
||||
## as parts of words. This option does not have a default value. When
|
||||
## set, it overrides option 'set wordbounds'.
|
||||
# set wordchars "<_>."
|
||||
|
||||
|
||||
## Paint the interface elements of nano. These are examples;
|
||||
## by default there are no colors, except for errorcolor.
|
||||
# set titlecolor brightwhite,blue
|
||||
# set statuscolor brightwhite,green
|
||||
# set errorcolor brightwhite,red
|
||||
# set selectedcolor brightwhite,magenta
|
||||
# set numbercolor cyan
|
||||
# set keycolor cyan
|
||||
# set functioncolor green
|
||||
## In root's .nanorc you might want to use:
|
||||
# set titlecolor brightwhite,magenta
|
||||
# set statuscolor brightwhite,magenta
|
||||
# set errorcolor brightwhite,red
|
||||
# set selectedcolor brightwhite,cyan
|
||||
# set numbercolor magenta
|
||||
# set keycolor brightmagenta
|
||||
# set functioncolor magenta
|
||||
|
||||
|
||||
## Setup of syntax coloring.
|
||||
##
|
||||
## Format:
|
||||
##
|
||||
## syntax "short description" ["filename regex" ...]
|
||||
##
|
||||
## The "none" syntax is reserved; specifying it on the command line is
|
||||
## the same as not having a syntax at all. The "default" syntax is
|
||||
## special: it takes no filename regexes, and applies to files that
|
||||
## don't match any other syntax's filename regexes.
|
||||
##
|
||||
## color foreground,background "regex" ["regex"...]
|
||||
## or
|
||||
## icolor foreground,background "regex" ["regex"...]
|
||||
##
|
||||
## "color" will do case-sensitive matches, while "icolor" will do
|
||||
## case-insensitive matches.
|
||||
##
|
||||
## Valid colors: white, black, red, blue, green, yellow, magenta, cyan.
|
||||
## For foreground colors, you may use the prefix "bright" to get a
|
||||
## stronger highlight.
|
||||
##
|
||||
## To use multi-line regexes, use the start="regex" end="regex"
|
||||
## [start="regex" end="regex"...] format.
|
||||
##
|
||||
## If your system supports transparency, not specifying a background
|
||||
## color will use a transparent color. If you don't want this, be sure
|
||||
## to set the background color to black or white.
|
||||
##
|
||||
## All regexes should be extended regular expressions.
|
||||
##
|
||||
## If you wish, you may put your syntax definitions in separate files.
|
||||
## You can make use of such files as follows:
|
||||
##
|
||||
## include "/path/to/syntax_file.nanorc"
|
||||
##
|
||||
## Unless otherwise noted, the name of the syntax file (without the
|
||||
## ".nanorc" extension) should be the same as the "short description"
|
||||
## name inside that file. These names are kept fairly short to make
|
||||
## them easier to remember and faster to type using nano's -Y option.
|
||||
##
|
||||
## To include all existing syntax definitions, you can do:
|
||||
include "/usr/share/nano/*.nanorc"
|
||||
|
||||
|
||||
## Key bindings.
|
||||
## See nanorc(5) (section REBINDING KEYS) for more details on this.
|
||||
##
|
||||
## The following two functions are not bound to any key by default.
|
||||
## You may wish to choose other keys than the ones suggested here.
|
||||
# bind M-B cutwordleft main
|
||||
# bind M-N cutwordright main
|
||||
|
||||
## Set this if your Backspace key sends Del most of the time.
|
||||
# bind Del backspace all
|
|
@ -0,0 +1,33 @@
|
|||
#
|
||||
# This file MUST be edited with the 'visudo' command as root.
|
||||
#
|
||||
# Please consider adding local content in /etc/sudoers.d/ instead of
|
||||
# directly modifying this file.
|
||||
#
|
||||
# See the man page for details on how to write a sudoers file.
|
||||
#
|
||||
Defaults env_reset
|
||||
Defaults mail_badpass
|
||||
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
|
||||
|
||||
# Host alias specification
|
||||
|
||||
# User alias specification
|
||||
|
||||
# Cmnd alias specification
|
||||
Cmnd_Alias THELOUNGE=/srv/thelounge/.yarn/bin/thelounge add *
|
||||
Cmnd_Alias TOOT=/usr/bin/toot post *
|
||||
|
||||
# User privilege specification
|
||||
root ALL=(ALL:ALL) ALL
|
||||
services ALL=(ALL:ALL) NOPASSWD:ALL
|
||||
|
||||
# Allow members of group sudo to execute any command
|
||||
%sudo ALL=(ALL:ALL) ALL
|
||||
|
||||
%envs ALL=(thelounge) NOPASSWD: THELOUNGE
|
||||
%envs ALL=(services) NOPASSWD: TOOT
|
||||
|
||||
# See sudoers(5) for more information on "#include" directives:
|
||||
|
||||
#includedir /etc/sudoers.d
|
|
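Review bot: `services ALL=(ALL:ALL) NOPASSWD:ALL` gives the services account unrestricted, passwordless root, so a compromise of any daemon running as that user is a full host compromise; if the account only needs a few commands, bind it to a `Cmnd_Alias` the way THELOUNGE and TOOT are. Both Cmnd_Alias entries end in a bare `*`, which in sudoers matches any argument string including whitespace, so `thelounge add *` and `toot post *` also accept arbitrary extra options to those programs — fine only if every option of those two commands is harmless when run as thelounge and services respectively. Consider adding `Defaults use_pty` and `Defaults log_output` so that what is executed through these rules is recorded.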
@ -0,0 +1,40 @@
|
|||
#
|
||||
# Fail2ban config
|
||||
#
|
||||
|
||||
[DEFAULT]
|
||||
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
|
||||
# ban a host which matches an address in this list. Several addresses can be
|
||||
# defined using space separator.
|
||||
ignoreip = 127.0.0.1/8
|
||||
|
||||
# External command that will take an tagged arguments to ignore, e.g. <ip>,
|
||||
# and return true if the IP is to be ignored. False otherwise.
|
||||
#
|
||||
# ignorecommand = /path/to/command <ip>
|
||||
ignorecommand =
|
||||
|
||||
# "bantime" is the number of seconds that a host is banned. (1day)
|
||||
bantime = 3600
|
||||
|
||||
# A host is banned if it has generated "maxretry" during the last "findtime"
|
||||
# seconds.
|
||||
findtime = 600
|
||||
|
||||
# "maxretry" is the number of failures before a host get banned.
|
||||
maxretry = 5
|
||||
|
||||
#
|
||||
# enabled modules
|
||||
#
|
||||
|
||||
# ssh enabled by default config
|
||||
#[sshd]
|
||||
#enabled = true
|
||||
|
||||
[pam-generic]
|
||||
enabled = true
|
||||
|
||||
[nginx-http-auth]
|
||||
enabled = true
|
||||
|
|
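Review bot: The comment above `bantime = 3600` says `(1day)` but 3600 seconds is one hour, so either the comment or the value is wrong and the next reader cannot tell which. If one hour is intended, change the comment to `# "bantime" is the number of seconds that a host is banned. (1 hour)`; if a day is intended, set `bantime = 86400`. The `[sshd]` jail is left commented out on the assumption that the distribution defaults enable it (Debian's `defaults-debian.conf` does, other distributions may not), so an explicit `[sshd]` / `enabled = true` here would make this file self-contained.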
@ -0,0 +1,398 @@
|
|||
#!/usr/bin/env bash
|
||||
### BEGIN INIT INFO
|
||||
# Provides: S41firewall
|
||||
# Required-Start: network.target
|
||||
# Required-Stop:
|
||||
# Default-Start: 2 3 4 5
|
||||
# Default-Stop: 0 1 6
|
||||
# Short-Description: set basic firewall
|
||||
# Description: set basic firewall
|
||||
### END INIT INFO
|
||||
|
||||
# TODO
|
||||
# - do more secure and optimize
|
||||
# - change to nftables
|
||||
#
|
||||
|
||||
DEF_IF='enp2s0'
|
||||
IPT='/usr/sbin/iptables'
|
||||
|
||||
# Logging options.
|
||||
#------------------------------------------------------------------------------
|
||||
LOG="LOG --log-level debug --log-tcp-sequence --log-tcp-options"
|
||||
LOG="$LOG --log-ip-options"
|
||||
|
||||
# Defaults for rate limiting
|
||||
#------------------------------------------------------------------------------
|
||||
RLIMIT="-m limit --limit 3/s --limit-burst 30"
|
||||
|
||||
|
||||
if [ "$1" = "start" ]; then
|
||||
|
||||
# Default policies.
|
||||
#------------------------------------------------------------------------------
|
||||
|
||||
# Drop everything by default.
|
||||
$IPT -P INPUT DROP
|
||||
$IPT -P FORWARD DROP
|
||||
$IPT -P OUTPUT ACCEPT
|
||||
|
||||
# Set the nat/mangle/raw tables' chains to ACCEPT
|
||||
$IPT -w -t nat -P PREROUTING ACCEPT
|
||||
$IPT -w -t nat -P OUTPUT ACCEPT
|
||||
$IPT -w -t nat -P POSTROUTING ACCEPT
|
||||
|
||||
$IPT -w -t mangle -P PREROUTING ACCEPT
|
||||
$IPT -w -t mangle -P INPUT ACCEPT
|
||||
$IPT -w -t mangle -P FORWARD ACCEPT
|
||||
$IPT -w -t mangle -P OUTPUT ACCEPT
|
||||
$IPT -w -t mangle -P POSTROUTING ACCEPT
|
||||
|
||||
# Cleanup.
|
||||
#------------------------------------------------------------------------------
|
||||
|
||||
# Delete all
|
||||
$IPT -F
|
||||
$IPT -t nat -F
|
||||
$IPT -t mangle -F
|
||||
|
||||
# Delete all
|
||||
$IPT -X
|
||||
$IPT -t nat -X
|
||||
$IPT -t mangle -X
|
||||
|
||||
# Zero all packets and counters.
|
||||
$IPT -Z
|
||||
$IPT -t nat -Z
|
||||
$IPT -t mangle -Z
|
||||
|
||||
# Custom user-defined chains.
|
||||
#------------------------------------------------------------------------------
|
||||
|
||||
# LOG packets, then ACCEPT.
|
||||
$IPT -w -N ACCEPTLOG
|
||||
$IPT -w -A ACCEPTLOG -j "$LOG" "$RLIMIT" --log-prefix "ACCEPT "
|
||||
$IPT -w -A ACCEPTLOG -j ACCEPT
|
||||
|
||||
# LOG packets, then DROP.
|
||||
$IPT -w -N DROPLOG
|
||||
$IPT -w -A DROPLOG -j "$LOG" "$RLIMIT" --log-prefix "DROP "
|
||||
$IPT -w -A DROPLOG -j DROP
|
||||
|
||||
# LOG packets, then REJECT.
|
||||
# TCP packets are rejected with a TCP reset.
|
||||
$IPT -w -N REJECTLOG
|
||||
$IPT -w -A REJECTLOG -j "$LOG" "$RLIMIT" --log-prefix "REJECT "
|
||||
$IPT -w -A REJECTLOG -p tcp -j REJECT --reject-with tcp-reset
|
||||
$IPT -w -A REJECTLOG -j REJECT
|
||||
|
||||
# Only allows RELATED ICMP types
|
||||
# (destination-unreachable, time-exceeded, and parameter-problem).
|
||||
# TODO: Rate-limit this traffic?
|
||||
# TODO: Allow fragmentation-needed?
|
||||
# TODO: Test.
|
||||
$IPT -w -N RELATED_ICMP
|
||||
$IPT -w -A RELATED_ICMP -p icmp --icmp-type destination-unreachable -j ACCEPT
|
||||
$IPT -w -A RELATED_ICMP -p icmp --icmp-type time-exceeded -j ACCEPT
|
||||
$IPT -w -A RELATED_ICMP -p icmp --icmp-type parameter-problem -j ACCEPT
|
||||
$IPT -w -A RELATED_ICMP -p icmp --icmp-type fragmentation-needed -j ACCEPT
|
||||
#$IPT -w -A RELATED_ICMP -p icmp --icmp-type source-quench -j ACCEPT
|
||||
$IPT -w -A RELATED_ICMP -j DROPLOG
|
||||
|
||||
# Make It Even Harder To Multi-PING
|
||||
$IPT -w -A INPUT -p icmp -m limit --limit 1/s --limit-burst 2 -j ACCEPT
|
||||
$IPT -w -A OUTPUT -p icmp -j ACCEPT
|
||||
|
||||
# Only allow the minimally required/recommended parts of ICMP. Block the rest.
|
||||
#------------------------------------------------------------------------------
|
||||
|
||||
# Allow all ESTABLISHED ICMP traffic.
|
||||
$IPT -w -A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT "$RLIMIT"
|
||||
$IPT -w -A OUTPUT -p icmp -m state --state ESTABLISHED -j ACCEPT "$RLIMIT"
|
||||
|
||||
# Allow some parts of the RELATED ICMP traffic, block the rest.
|
||||
$IPT -w -A INPUT -p icmp -m state --state RELATED -j RELATED_ICMP "$RLIMIT"
|
||||
$IPT -w -A OUTPUT -p icmp -m state --state RELATED -j RELATED_ICMP "$RLIMIT"
|
||||
|
||||
# Allow incoming ICMP echo requests (ping), but only rate-limited.
|
||||
$IPT -w -A INPUT -p icmp --icmp-type echo-request -j ACCEPT "$RLIMIT"
|
||||
|
||||
# Allow outgoing ICMP echo requests (ping), but only rate-limited.
|
||||
$IPT -w -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT "$RLIMIT"
|
||||
|
||||
# Drop any other ICMP traffic.
|
||||
$IPT -w -A INPUT -p icmp -j DROPLOG
|
||||
$IPT -w -A OUTPUT -p icmp -j DROPLOG
|
||||
$IPT -w -A FORWARD -p icmp -j DROPLOG
|
||||
|
||||
# Selectively allow certain special types of traffic.
|
||||
#------------------------------------------------------------------------------
|
||||
|
||||
# Allow loopback interface to do anything.
|
||||
$IPT -w -A INPUT -i lo -j ACCEPT
|
||||
$IPT -w -A OUTPUT -o lo -j ACCEPT
|
||||
|
||||
# Allow incoming connections related to existing allowed connections.
|
||||
$IPT -w -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
|
||||
# Allow outgoing connections EXCEPT invalid
|
||||
$IPT -w -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
|
||||
# FORWARD RULES
|
||||
#------------------------------------------------------------------------------
|
||||
|
||||
$IPT -w -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
|
||||
|
||||
#
|
||||
# ENVS.NET - 89.163.145.170 (default wan_ip)
|
||||
#
|
||||
# lxcbr0 - 192.168.1.0/24
|
||||
$IPT -w -t nat -A POSTROUTING -d 192.168.1.0/24 -s 192.168.1.1 -j SNAT --to 192.168.1.1
|
||||
|
||||
# dns
|
||||
$IPT -w -t nat -A PREROUTING -i "$DEF_IF" -d 89.163.145.170 -p udp --dport 53 -j DNAT --to-destination 192.168.1.2:53
|
||||
$IPT -w -A FORWARD -p udp -d 192.168.1.2 --dport 53 -j ACCEPT
|
||||
$IPT -w -t nat -A PREROUTING -i "$DEF_IF" -d 89.163.145.170 -p tcp --dport 53 -j DNAT --to-destination 192.168.1.2:53
|
||||
$IPT -w -A FORWARD -p tcp -d 192.168.1.2 --dport 53 -j ACCEPT
|
||||
$IPT -w -t nat -A POSTROUTING ! -d 192.168.1.0/24 -s 192.168.1.2 -j SNAT --to 89.163.145.170
|
||||
|
||||
#
|
||||
# MAIL ()
|
||||
# => apache2 proxy (http/https)
|
||||
# SMTP
|
||||
$IPT -w -t nat -A PREROUTING -i "$DEF_IF" -d 5.199.136.28 -p tcp --dport 25 -j DNAT --to-destination 192.168.1.3:25
|
||||
$IPT -w -t nat -A PREROUTING -i "$DEF_IF" -d 89.163.145.170 -p tcp --dport 25 -j DNAT --to-destination 192.168.1.3:25
|
||||
$IPT -w -A FORWARD -p tcp -d 192.168.1.3 --dport 25 -j ACCEPT
|
||||
# SMTPs
|
||||
$IPT -w -t nat -A PREROUTING -i "$DEF_IF" -d 5.199.136.28 -p tcp --dport 587 -j DNAT --to-destination 192.168.1.3:587
|
||||
$IPT -w -t nat -A PREROUTING -i "$DEF_IF" -d 89.163.145.170 -p tcp --dport 587 -j DNAT --to-destination 192.168.1.3:587
|
||||
$IPT -w -A FORWARD -p tcp -d 192.168.1.3 --dport 587 -j ACCEPT
|
||||
# Sieve
|
||||
$IPT -w -t nat -A PREROUTING -i "$DEF_IF" -d 5.199.136.28 -p tcp --dport 4190 -j DNAT --to-destination 192.168.1.3:4190
|
||||
$IPT -w -t nat -A PREROUTING -i "$DEF_IF" -d 89.163.145.170 -p tcp --dport 4190 -j DNAT --to-destination 192.168.1.3:4190
|
||||
$IPT -w -A FORWARD -p tcp -d 192.168.1.3 --dport 4190 -j ACCEPT
|
||||
# IMAP
|
||||
$IPT -w -t nat -A PREROUTING -i "$DEF_IF" -d 5.199.136.28 -p tcp --dport 143 -j DNAT --to-destination 192.168.1.3:143
|
||||
$IPT -w -t nat -A PREROUTING -i "$DEF_IF" -d 89.163.145.170 -p tcp --dport 143 -j DNAT --to-destination 192.168.1.3:143
|
||||
$IPT -w -A FORWARD -p tcp -d 192.168.1.3 --dport 143 -j ACCEPT
|
||||
# IMAPs
|
||||
$IPT -w -t nat -A PREROUTING -i "$DEF_IF" -d 5.199.136.28 -p tcp --dport 993 -j DNAT --to-destination 192.168.1.3:993
|
||||
$IPT -w -t nat -A PREROUTING -i "$DEF_IF" -d 89.163.145.170 -p tcp --dport 993 -j DNAT --to-destination 192.168.1.3:993
|
||||
$IPT -w -A FORWARD -p tcp -d 192.168.1.3 --dport 993 -j ACCEPT
|
||||
# POP
|
||||
$IPT -w -t nat -A PREROUTING -i "$DEF_IF" -d 5.199.136.28 -p tcp --dport 110 -j DNAT --to-destination 192.168.1.3:110
|
||||
$IPT -w -t nat -A PREROUTING -i "$DEF_IF" -d 89.163.145.170 -p tcp --dport 110 -j DNAT --to-destination 192.168.1.3:110
|
||||
$IPT -w -A FORWARD -p tcp -d 192.168.1.3 --dport 110 -j ACCEPT
|
||||
# POPs
|
||||
$IPT -w -t nat -A PREROUTING -i "$DEF_IF" -d 5.199.136.28 -p tcp --dport 995 -j DNAT --to-destination 192.168.1.3:995
|
||||
$IPT -w -t nat -A PREROUTING -i "$DEF_IF" -d 89.163.145.170 -p tcp --dport 995 -j DNAT --to-destination 192.168.1.3:995
|
||||
$IPT -w -A FORWARD -p tcp -d 192.168.1.3 --dport 995 -j ACCEPT
|
||||
#
|
||||
$IPT -w -t nat -A POSTROUTING -d 192.168.1.4 -s 192.168.1.3 -j SNAT --to 192.168.1.3
|
||||
$IPT -w -t nat -A POSTROUTING ! -d 192.168.1.0/24 -s 192.168.1.3 -j SNAT --to 5.199.136.28
|
||||
|
||||
# mail-lists
|
||||
# => apache2 proxy (http/https)
|
||||
$IPT -w -t nat -A POSTROUTING ! -d 192.168.1.0/24 -s 192.168.1.4 -j SNAT --to 5.199.136.29
|
||||
|
||||
# gitea
|
||||
# => apache2 proxy (http/https)
|
||||
$IPT -w -t nat -A PREROUTING -i "$DEF_IF" -d 5.199.130.141 -p tcp --dport 22 -j DNAT --to-destination 192.168.1.10:22
|
||||
$IPT -w -A FORWARD -p tcp -d 192.168.1.10 --dport 22 -j ACCEPT
|
||||
$IPT -w -t nat -A POSTROUTING ! -d 192.168.1.0/24 -s 192.168.1.10 -j SNAT --to 5.199.130.141
|
||||
|
||||
# searx
|
||||
# => apache2 proxy (http/https)
|
||||
$IPT -w -t nat -A POSTROUTING ! -d 192.168.1.0/24 -s 192.168.1.11 -j SNAT --to 89.163.145.170
|
||||
|
||||
# cryptpad
|
||||
# => apache2 proxy (http/https)
|
||||
$IPT -w -t nat -A POSTROUTING ! -d 192.168.1.0/24 -s 192.168.1.12 -j SNAT --to 89.163.145.170
|
||||
|
||||
# 0x0
|
||||
# => apache2 proxy (http/https)
|
||||
$IPT -w -t nat -A PREROUTING -i "$DEF_IF" -d 89.163.145.170 -p tcp --dport 9999 -j DNAT --to-destination 192.168.1.15:9999
|
||||
$IPT -w -A FORWARD -p tcp -d 192.168.1.15 --dport 9999 -j ACCEPT
|
||||
$IPT -w -t nat -A POSTROUTING ! -d 192.168.1.0/24 -s 192.168.1.15 -j SNAT --to 89.163.145.170
|
||||
|
||||
# rss
|
||||
# => apache2 proxy (http/https)
|
||||
$IPT -w -t nat -A POSTROUTING ! -d 192.168.1.0/24 -s 192.168.1.16 -j SNAT --to 89.163.145.170
|
||||
|
||||
# pb
|
||||
# => apache2 proxy (http/https)
|
||||
$IPT -w -t nat -A POSTROUTING ! -d 192.168.1.0/24 -s 192.168.1.17 -j SNAT --to 89.163.145.170
|
||||
|
||||
|
||||
# MASQUERADE.
|
||||
#------------------------------------------------------------------------------
|
||||
|
||||
#dont SNAT locally generated packets target for local
|
||||
$IPT -w -t nat -A POSTROUTING -o lo -j ACCEPT
|
||||
|
||||
# snat all lxc traffic to freifunk network
|
||||
# this allows to access the freifunk network from other lxc container
|
||||
# all container must setup a routing entry to lxc.vpn1
|
||||
#iptables -t nat -A POSTROUTING -o tbb+ -s 192.168.1.0/24 -j SNAT --to-source 10.200.1.1
|
||||
#iptables -I FORWARD -i "$DEF_IF" -o tbb+ -j ACCEPT
|
||||
|
||||
# wen using lxc, masq all traffic which goes via "$DEF_IF" (like DNS,vpn)
|
||||
# iptables -t nat -o "$DEF_IF" -A POSTROUTING -j MASQUERADE
|
||||
|
||||
# Selectively allow certain outbound connections, block the rest.
|
||||
#------------------------------------------------------------------------------
|
||||
|
||||
# dns
|
||||
$IPT -w -A OUTPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
|
||||
$IPT -w -A OUTPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT
|
||||
|
||||
# openvpn
|
||||
$IPT -w -A OUTPUT -m state --state NEW -p tcp --dport 1194 -j ACCEPT
|
||||
$IPT -w -A OUTPUT -m state --state NEW -p udp --dport 1194 -j ACCEPT
|
||||
|
||||
# http
|
||||
$IPT -w -A OUTPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
|
||||
|
||||
# https
|
||||
$IPT -w -A OUTPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
|
||||
|
||||
# smtp
|
||||
$IPT -w -A OUTPUT -m state --state NEW -p tcp --dport 25 -j ACCEPT
|
||||
|
||||
# smtps
|
||||
$IPT -w -A OUTPUT -m state --state NEW -p tcp --dport 465 -j ACCEPT
|
||||
|
||||
# syslog
|
||||
$IPT -w -A OUTPUT -m state --state NEW -p udp --dport 514 -j ACCEPT
|
||||
|
||||
# "submission" (RFC 2476)
|
||||
$IPT -w -A OUTPUT -m state --state NEW -p tcp --dport 587 -j ACCEPT
|
||||
|
||||
# pop3s
|
||||
$IPT -w -A OUTPUT -m state --state NEW -p tcp --dport 995 -j ACCEPT
|
||||
|
||||
# ssh
|
||||
$IPT -w -A OUTPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
|
||||
|
||||
# ftp
|
||||
$IPT -w -A OUTPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT
|
||||
|
||||
# ntp
|
||||
$IPT -w -A OUTPUT -m state --state NEW -p udp --dport 123 -j ACCEPT
|
||||
|
||||
# whois
|
||||
$IPT -w -A OUTPUT -m state --state NEW -p tcp --dport 43 -j ACCEPT
|
||||
|
||||
# csv
|
||||
$IPT -w -A OUTPUT -m state --state NEW -p tcp --dport 2401 -j ACCEPT
|
||||
|
||||
# mysql
|
||||
$IPT -w -A OUTPUT -m state --state NEW -p tcp --dport 3306 -j ACCEPT
|
||||
|
||||
# svn
|
||||
$IPT -w -A OUTPUT -m state --state NEW -p tcp --dport 3690 -j ACCEPT
|
||||
|
||||
|
||||
|
||||
# Selectively allow certain inbound connections, block the rest.
|
||||
#------------------------------------------------------------------------------
|
||||
|
||||
# dns
|
||||
$IPT -w -A INPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
|
||||
$IPT -w -A INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT
|
||||
|
||||
# finger
|
||||
$IPT -w -A INPUT -m state --state NEW -p tcp --dport 79 -j ACCEPT
|
||||
|
||||
# ident
|
||||
$IPT -w -A INPUT -m state --state NEW -p tcp --dport 113 -j ACCEPT
|
||||
|
||||
# gopher
|
||||
$IPT -w -A INPUT -m state --state NEW -p tcp --dport 70 -j ACCEPT
|
||||
|
||||
# http/https
|
||||
$IPT -w -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
|
||||
$IPT -w -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
|
||||
|
||||
# gemini
|
||||
$IPT -w -A INPUT -m state --state NEW -p tcp --dport 1965 -j ACCEPT
|
||||
|
||||
# ssh
|
||||
$IPT -w -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
|
||||
$IPT -w -A INPUT -m state --state NEW -p tcp --dport 2222 -j ACCEPT
|
||||
$IPT -w -A INPUT -m state --state NEW -p tcp --dport 2223 -j ACCEPT
|
||||
|
||||
# mosh
|
||||
$IPT -w -A INPUT -m state --state NEW -p udp --dport 60001:61000 -j ACCEPT
|
||||
|
||||
# znc
|
||||
$IPT -w -A INPUT -m state --state NEW -p tcp --dport 6667 -j ACCEPT
|
||||
$IPT -w -A INPUT -m state --state NEW -p tcp --dport 6697 -j ACCEPT
|
||||
|
||||
|
||||
# Miscellaneous.
|
||||
#------------------------------------------------------------------------------
|
||||
|
||||
# Explicitly drop invalid incoming traffic
|
||||
$IPT -w -A INPUT -m state --state INVALID -j DROP
|
||||
|
||||
# Drop invalid outgoing traffic, too.
|
||||
$IPT -w -A OUTPUT -m state --state INVALID -j DROP
|
||||
|
||||
# If we would use NAT, INVALID packets would pass - BLOCK them anyways
|
||||
$IPT -w -A FORWARD -m state --state INVALID -j DROP
|
||||
|
||||
# Explicitly log and reject everything else.
|
||||
#------------------------------------------------------------------------------
|
||||
|
||||
# Enable blacklists
|
||||
ipset restore < /etc/ipset-blacklist/ip-blacklist.restore
|
||||
ipset restore < /etc/ipset-fail2ban/ipset-fail2ban.restore
|
||||
|
||||
$IPT -I INPUT 1 -m set --match-set blacklist_default src -j DROP
|
||||
$IPT -I INPUT 2 -m set --match-set blacklist_fail2ban src -j DROP
|
||||
|
||||
$IPT -I FORWARD 1 -m set --match-set blacklist_default src -j DROP
|
||||
$IPT -I FORWARD 2 -m set --match-set blacklist_fail2ban src -j DROP
|
||||
|
||||
|
||||
# Use REJECT instead of REJECTLOG if you don't need/want logging.
|
||||
$IPT -w -A INPUT -j REJECT
|
||||
$IPT -w -A FORWARD -j REJECT
|
||||
$IPT -w -A OUTPUT -j ACCEPT
|
||||
fi
|
||||
|
||||
if [ "$1" = "stop" ]; then
|
||||
|
||||
$IPT -t mangle -F PREROUTING
|
||||
$IPT -t mangle -F OUTPUT
|
||||
$IPT -t nat -F PREROUTING
|
||||
$IPT -t nat -F POSTROUTING
|
||||
$IPT -t nat -F OUTPUT
|
||||
$IPT -F INPUT
|
||||
$IPT -F FORWARD
|
||||
$IPT -F OUTPUT
|
||||
|
||||
fi
|
||||
|
||||
if [ "$1" = "restart" ]; then
|
||||
|
||||
$0 stop
|
||||
sleep 1
|
||||
$0 start
|
||||
fi
|
||||
|
||||
if [ "$1" = "status" ]; then
|
||||
|
||||
echo "iptables -vnL ..."
|
||||
$IPT -vnL --line-numbers
|
||||
echo "iptables -vnL -t nat ..."
|
||||
$IPT -vnL -t nat --line-numbers
|
||||
echo "iptables -vnL -t mangle ..."
|
||||
$IPT -vnL -t mangle --line-numbers
|
||||
fi
|
||||
|
||||
# Exit gracefully.
|
||||
#------------------------------------------------------------------------------
|
||||
|
||||
exit 0
|
|
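Review bot: `"$LOG"` and `"$RLIMIT"` are double-quoted in the ACCEPTLOG/DROPLOG/REJECTLOG log rules and in the ESTABLISHED/RELATED/echo-request ICMP rules, so each variable is passed as a single argument and iptables rejects the rule (there is no target named `LOG --log-level debug ...`); because the script has no `set -e`, the errors scroll past and the LOG chains are silently left without their logging rule while the ICMP rate limits are never installed. Expand them unquoted, e.g. `$IPT -w -A ACCEPTLOG $RLIMIT -j $LOG --log-prefix "ACCEPT "`, or hold the option lists in bash arrays. The block headed "Selectively allow certain outbound connections, block the rest" is contradicted by `-P OUTPUT ACCEPT` and the closing `$IPT -w -A OUTPUT -j ACCEPT`, so the outbound allow-list has no effect; either remove it or finish with `$IPT -w -A OUTPUT -j REJECTLOG`. The `stop` branch flushes the chains but leaves the INPUT and FORWARD policies at DROP, so `stop` cuts off all inbound traffic including ssh; reset the policies to ACCEPT there if that is not the intent.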
@ -0,0 +1,36 @@
|
|||
#!/bin/sh
|
||||
|
||||
set -e
|
||||
|
||||
for domain in $RENEWED_DOMAINS; do
|
||||
case $domain in
|
||||
envs.net)
|
||||
daemon_cert_root=/opt/lxc_ssl/envs.net
|
||||
umask 077
|
||||
cat "$RENEWED_LINEAGE/privkey.pem" > "$daemon_cert_root/privkey.pem"
|
||||
cat "$RENEWED_LINEAGE/chain.pem" > "$daemon_cert_root/chain.pem"
|
||||
cat "$RENEWED_LINEAGE/fullchain.pem" > "$daemon_cert_root/fullchain.pem"
|
||||
cat /etc/ssl/certs/envs_dhparam.pem > "$daemon_cert_root/envs_dhparam.pem"
|
||||
;;
|
||||
|
||||
envs.sh)
|
||||
daemon_cert_root=/opt/lxc_ssl/envs.sh
|
||||
umask 077
|
||||
cat "$RENEWED_LINEAGE/privkey.pem" > "$daemon_cert_root/privkey.pem"
|
||||
cat "$RENEWED_LINEAGE/chain.pem" > "$daemon_cert_root/chain.pem"
|
||||
cat "$RENEWED_LINEAGE/fullchain.pem" > "$daemon_cert_root/fullchain.pem"
|
||||
cat /etc/ssl/certs/envs_dhparam.pem > "$daemon_cert_root/envs_dhparam.pem"
|
||||
;;
|
||||
|
||||
znc.envs.net)
|
||||
daemon_cert_root=/srv/znc/.znc
|
||||
umask 077
|
||||
cat "$RENEWED_LINEAGE/privkey.pem" > "$daemon_cert_root/znc.pem"
|
||||
cat "$RENEWED_LINEAGE/fullchain.pem" >> "$daemon_cert_root/znc.pem"
|
||||
cat /etc/ssl/certs/envs_dhparam.pem >> "$daemon_cert_root/znc.pem"
|
||||
chown znc "$daemon_cert_root/znc.pem"
|
||||
chmod 600 "$daemon_cert_root/znc.pem"
|
||||
;;
|
||||
|
||||
esac
|
||||
done
|
|
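Review bot: Each `cat ... > "$daemon_cert_root/..."` truncates the live key or certificate file in place before writing it, so a service reading at that moment sees an empty or partial file and an interrupted run leaves a truncated key behind. Write to a temporary name beside the target and rename, e.g. `cat "$RENEWED_LINEAGE/privkey.pem" > "$daemon_cert_root/privkey.pem.tmp" && mv -f "$daemon_cert_root/privkey.pem.tmp" "$daemon_cert_root/privkey.pem"`, which also keeps the 0600 mode from `umask 077` on the new file. The envs.net and envs.sh branches are identical apart from the directory and could be a single `envs.net|envs.sh)` case with `daemon_cert_root=/opt/lxc_ssl/$domain`. Nothing here reloads the consumers of the new files (znc in particular), so unless another hook does that, the daemons keep serving the old certificate until restarted.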
@ -0,0 +1,25 @@
|
|||
fastcgi_param QUERY_STRING $query_string;
|
||||
fastcgi_param REQUEST_METHOD $request_method;
|
||||
fastcgi_param CONTENT_TYPE $content_type;
|
||||
fastcgi_param CONTENT_LENGTH $content_length;
|
||||
|
||||
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
|
||||
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
||||
fastcgi_param REQUEST_URI $request_uri;
|
||||
fastcgi_param DOCUMENT_URI $document_uri;
|
||||
fastcgi_param DOCUMENT_ROOT $document_root;
|
||||
fastcgi_param SERVER_PROTOCOL $server_protocol;
|
||||
fastcgi_param REQUEST_SCHEME $scheme;
|
||||
fastcgi_param HTTPS $https if_not_empty;
|
||||
|
||||
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
|
||||
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
|
||||
|
||||
fastcgi_param REMOTE_ADDR $remote_addr;
|
||||
fastcgi_param REMOTE_PORT $remote_port;
|
||||
fastcgi_param SERVER_ADDR $server_addr;
|
||||
fastcgi_param SERVER_PORT $server_port;
|
||||
fastcgi_param SERVER_NAME $server_name;
|
||||
|
||||
# PHP only, required if PHP was built with --enable-force-cgi-redirect
|
||||
fastcgi_param REDIRECT_STATUS 200;
|
|
@ -0,0 +1,25 @@
|
|||
fastcgi_param QUERY_STRING $query_string;
|
||||
fastcgi_param REQUEST_METHOD $request_method;
|
||||
fastcgi_param CONTENT_TYPE $content_type;
|
||||
fastcgi_param CONTENT_LENGTH $content_length;
|
||||
|
||||
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
|
||||
fastcgi_param SCRIPT_FILENAME $request_filename;
|
||||
fastcgi_param REQUEST_URI $request_uri;
|
||||
fastcgi_param DOCUMENT_URI $document_uri;
|
||||
fastcgi_param DOCUMENT_ROOT $document_root;
|
||||
fastcgi_param SERVER_PROTOCOL $server_protocol;
|
||||
fastcgi_param REQUEST_SCHEME $scheme;
|
||||
fastcgi_param HTTPS $https if_not_empty;
|
||||
|
||||
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
|
||||
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
|
||||
|
||||
fastcgi_param REMOTE_ADDR $remote_addr;
|
||||
fastcgi_param REMOTE_PORT $remote_port;
|
||||
fastcgi_param SERVER_ADDR $server_addr;
|
||||
fastcgi_param SERVER_PORT $server_port;
|
||||
fastcgi_param SERVER_NAME $server_name;
|
||||
|
||||
# PHP only, required if PHP was built with --enable-force-cgi-redirect
|
||||
fastcgi_param REDIRECT_STATUS 200;
|
|
@ -0,0 +1,109 @@
|
|||
|
||||
# This map is not a full koi8-r <> utf8 map: it does not contain
|
||||
# box-drawing and some other characters. Besides this map contains
|
||||
# several koi8-u and Byelorussian letters which are not in koi8-r.
|
||||
# If you need a full and standard map, use contrib/unicode2nginx/koi-utf
|
||||
# map instead.
|
||||
|
||||
charset_map koi8-r utf-8 {
|
||||
|
||||
80 E282AC ; # euro
|
||||
|
||||
95 E280A2 ; # bullet
|
||||
|
||||
9A C2A0 ; #
|
||||
|
||||
9E C2B7 ; # ·
|
||||
|
||||
A3 D191 ; # small yo
|
||||
A4 D194 ; # small Ukrainian ye
|
||||
|
||||
A6 D196 ; # small Ukrainian i
|
||||
A7 D197 ; # small Ukrainian yi
|
||||
|
||||
AD D291 ; # small Ukrainian soft g
|
||||
AE D19E ; # small Byelorussian short u
|
||||
|
||||
B0 C2B0 ; # °
|
||||
|
||||
B3 D081 ; # capital YO
|
||||
B4 D084 ; # capital Ukrainian YE
|
||||
|
||||
B6 D086 ; # capital Ukrainian I
|
||||
B7 D087 ; # capital Ukrainian YI
|
||||
|
||||
B9 E28496 ; # numero sign
|
||||
|
||||
BD D290 ; # capital Ukrainian soft G
|
||||
BE D18E ; # capital Byelorussian short U
|
||||
|
||||
BF C2A9 ; # (C)
|
||||
|
||||
C0 D18E ; # small yu
|
||||
C1 D0B0 ; # small a
|
||||
C2 D0B1 ; # small b
|
||||
C3 D186 ; # small ts
|
||||
C4 D0B4 ; # small d
|
||||
C5 D0B5 ; # small ye
|
||||
C6 D184 ; # small f
|
||||
C7 D0B3 ; # small g
|
||||
C8 D185 ; # small kh
|
||||
C9 D0B8 ; # small i
|
||||
CA D0B9 ; # small j
|
||||
CB D0BA ; # small k
|
||||
CC D0BB ; # small l
|
||||
CD D0BC ; # small m
|
||||
CE D0BD ; # small n
|
||||
CF D0BE ; # small o
|
||||
|
||||
D0 D0BF ; # small p
|
||||
D1 D18F ; # small ya
|
||||
D2 D180 ; # small r
|
||||
D3 D181 ; # small s
|
||||
D4 D182 ; # small t
|
||||
D5 D183 ; # small u
|
||||
D6 D0B6 ; # small zh
|
||||
D7 D0B2 ; # small v
|
||||
D8 D18C ; # small soft sign
|
||||
D9 D18B ; # small y
|
||||
DA D0B7 ; # small z
|
||||
DB D188 ; # small sh
|
||||
DC D18D ; # small e
|
||||
DD D189 ; # small shch
|
||||
DE D187 ; # small ch
|
||||
DF D18A ; # small hard sign
|
||||
|
||||
E0 D0AE ; # capital YU
|
||||
E1 D090 ; # capital A
|
||||
E2 D091 ; # capital B
|
||||
E3 D0A6 ; # capital TS
|
||||
E4 D094 ; # capital D
|
||||
E5 D095 ; # capital YE
|
||||
E6 D0A4 ; # capital F
|
||||
E7 D093 ; # capital G
|
||||
E8 D0A5 ; # capital KH
|
||||
E9 D098 ; # capital I
|
||||
EA D099 ; # capital J
|
||||
EB D09A ; # capital K
|
||||
EC D09B ; # capital L
|
||||
ED D09C ; # capital M
|
||||
EE D09D ; # capital N
|
||||
EF D09E ; # capital O
|
||||
|
||||
F0 D09F ; # capital P
|
||||
F1 D0AF ; # capital YA
|
||||
F2 D0A0 ; # capital R
|
||||
F3 D0A1 ; # capital S
|
||||
F4 D0A2 ; # capital T
|
||||
F5 D0A3 ; # capital U
|
||||
F6 D096 ; # capital ZH
|
||||
F7 D092 ; # capital V
|
||||
F8 D0AC ; # capital soft sign
|
||||
F9 D0AB ; # capital Y
|
||||
FA D097 ; # capital Z
|
||||
FB D0A8 ; # capital SH
|
||||
FC D0AD ; # capital E
|
||||
FD D0A9 ; # capital SHCH
|
||||
FE D0A7 ; # capital CH
|
||||
FF D0AA ; # capital hard sign
|
||||
}
|
|
@ -0,0 +1,103 @@
|
|||
|
||||
charset_map koi8-r windows-1251 {
|
||||
|
||||
80 88 ; # euro
|
||||
|
||||
95 95 ; # bullet
|
||||
|
||||
9A A0 ; #
|
||||
|
||||
9E B7 ; # ·
|
||||
|
||||
A3 B8 ; # small yo
|
||||
A4 BA ; # small Ukrainian ye
|
||||
|
||||
A6 B3 ; # small Ukrainian i
|
||||
A7 BF ; # small Ukrainian yi
|
||||
|
||||
AD B4 ; # small Ukrainian soft g
|
||||
AE A2 ; # small Byelorussian short u
|
||||
|
||||
B0 B0 ; # °
|
||||
|
||||
B3 A8 ; # capital YO
|
||||
B4 AA ; # capital Ukrainian YE
|
||||
|
||||
B6 B2 ; # capital Ukrainian I
|
||||
B7 AF ; # capital Ukrainian YI
|
||||
|
||||
B9 B9 ; # numero sign
|
||||
|
||||
BD A5 ; # capital Ukrainian soft G
|
||||
BE A1 ; # capital Byelorussian short U
|
||||
|
||||
BF A9 ; # (C)
|
||||
|
||||
C0 FE ; # small yu
|
||||
C1 E0 ; # small a
|
||||
C2 E1 ; # small b
|
||||
C3 F6 ; # small ts
|
||||
C4 E4 ; # small d
|
||||
C5 E5 ; # small ye
|
||||
C6 F4 ; # small f
|
||||
C7 E3 ; # small g
|
||||
C8 F5 ; # small kh
|
||||
C9 E8 ; # small i
|
||||
CA E9 ; # small j
|
||||
CB EA ; # small k
|
||||
CC EB ; # small l
|
||||
CD EC ; # small m
|
||||
CE ED ; # small n
|
||||
CF EE ; # small o
|
||||
|
||||
D0 EF ; # small p
|
||||
D1 FF ; # small ya
|
||||
D2 F0 ; # small r
|
||||
D3 F1 ; # small s
|
||||
D4 F2 ; # small t
|
||||
D5 F3 ; # small u
|
||||
D6 E6 ; # small zh
|
||||
D7 E2 ; # small v
|
||||
D8 FC ; # small soft sign
|
||||
D9 FB ; # small y
|
||||
DA E7 ; # small z
|
||||
DB F8 ; # small sh
|
||||
DC FD ; # small e
|
||||
DD F9 ; # small shch
|
||||
DE F7 ; # small ch
|
||||
DF FA ; # small hard sign
|
||||
|
||||
E0 DE ; # capital YU
|
||||
E1 C0 ; # capital A
|
||||
E2 C1 ; # capital B
|
||||
E3 D6 ; # capital TS
|
||||
E4 C4 ; # capital D
|
||||
E5 C5 ; # capital YE
|
||||
E6 D4 ; # capital F
|
||||
E7 C3 ; # capital G
|
||||
E8 D5 ; # capital KH
|
||||
E9 C8 ; # capital I
|
||||
EA C9 ; # capital J
|
||||
EB CA ; # capital K
|
||||
EC CB ; # capital L
|
||||
ED CC ; # capital M
|
||||
EE CD ; # capital N
|
||||
EF CE ; # capital O
|
||||
|
||||
F0 CF ; # capital P
|
||||
F1 DF ; # capital YA
|
||||
F2 D0 ; # capital R
|
||||
F3 D1 ; # capital S
|
||||
F4 D2 ; # capital T
|
||||
F5 D3 ; # capital U
|
||||
F6 C6 ; # capital ZH
|
||||
F7 C2 ; # capital V
|
||||
F8 DC ; # capital soft sign
|
||||
F9 DB ; # capital Y
|
||||
FA C7 ; # capital Z
|
||||
FB D8 ; # capital SH
|
||||
FC DD ; # capital E
|
||||
FD D9 ; # capital SHCH
|
||||
FE D7 ; # capital CH
|
||||
FF DA ; # capital hard sign
|
||||
}
|
|
@ -0,0 +1,89 @@
|
|||
|
||||
types {
|
||||
text/html html htm shtml;
|
||||
text/css css;
|
||||
text/xml xml;
|
||||
image/gif gif;
|
||||
image/jpeg jpeg jpg;
|
||||
application/javascript js;
|
||||
application/atom+xml atom;
|
||||
application/rss+xml rss;
|
||||
|
||||
text/mathml mml;
|
||||
text/plain txt;
|
||||
text/vnd.sun.j2me.app-descriptor jad;
|
||||
text/vnd.wap.wml wml;
|
||||
text/x-component htc;
|
||||
|
||||
image/png png;
|
||||
image/tiff tif tiff;
|
||||
image/vnd.wap.wbmp wbmp;
|
||||
image/x-icon ico;
|
||||
image/x-jng jng;
|
||||
image/x-ms-bmp bmp;
|
||||
image/svg+xml svg svgz;
|
||||
image/webp webp;
|
||||
|
||||
application/font-woff woff;
|
||||
application/java-archive jar war ear;
|
||||
application/json json;
|
||||
application/mac-binhex40 hqx;
|
||||
application/msword doc;
|
||||
application/pdf pdf;
|
||||
application/postscript ps eps ai;
|
||||
application/rtf rtf;
|
||||
application/vnd.apple.mpegurl m3u8;
|
||||
application/vnd.ms-excel xls;
|
||||
application/vnd.ms-fontobject eot;
|
||||
application/vnd.ms-powerpoint ppt;
|
||||
application/vnd.wap.wmlc wmlc;
|
||||
application/vnd.google-earth.kml+xml kml;
|
||||
application/vnd.google-earth.kmz kmz;
|
||||
application/x-7z-compressed 7z;
|
||||
application/x-cocoa cco;
|
||||
application/x-java-archive-diff jardiff;
|
||||
application/x-java-jnlp-file jnlp;
|
||||
application/x-makeself run;
|
||||
application/x-perl pl pm;
|
||||
application/x-pilot prc pdb;
|
||||
application/x-rar-compressed rar;
|
||||
application/x-redhat-package-manager rpm;
|
||||
application/x-sea sea;
|
||||
application/x-shockwave-flash swf;
|
||||
application/x-stuffit sit;
|
||||
application/x-tcl tcl tk;
|
||||
application/x-x509-ca-cert der pem crt;
|
||||
application/x-xpinstall xpi;
|
||||
application/xhtml+xml xhtml;
|
||||
application/xspf+xml xspf;
|
||||
application/zip zip;
|
||||
|
||||
application/octet-stream bin exe dll;
|
||||
application/octet-stream deb;
|
||||
application/octet-stream dmg;
|
||||
application/octet-stream iso img;
|
||||
application/octet-stream msi msp msm;
|
||||
|
||||
application/vnd.openxmlformats-officedocument.wordprocessingml.document docx;
|
||||
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx;
|
||||
application/vnd.openxmlformats-officedocument.presentationml.presentation pptx;
|
||||
|
||||
audio/midi mid midi kar;
|
||||
audio/mpeg mp3;
|
||||
audio/ogg ogg;
|
||||
audio/x-m4a m4a;
|
||||
audio/x-realaudio ra;
|
||||
|
||||
video/3gpp 3gpp 3gp;
|
||||
video/mp2t ts;
|
||||
video/mp4 mp4;
|
||||
video/mpeg mpeg mpg;
|
||||
video/quicktime mov;
|
||||
video/webm webm;
|
||||
video/x-flv flv;
|
||||
video/x-m4v m4v;
|
||||
video/x-mng mng;
|
||||
video/x-ms-asf asx asf;
|
||||
video/x-ms-wmv wmv;
|
||||
video/x-msvideo avi;
|
||||
}
|
|
@ -0,0 +1 @@
|
|||
/usr/share/nginx/modules-available/mod-http-ndk.conf
|
|
@ -0,0 +1 @@
|
|||
/usr/share/nginx/modules-available/mod-http-auth-pam.conf
|
|
@ -0,0 +1 @@
|
|||
/usr/share/nginx/modules-available/mod-http-cache-purge.conf
|
|
@ -0,0 +1 @@
|
|||
/usr/share/nginx/modules-available/mod-http-dav-ext.conf
|
|
@ -0,0 +1 @@
|
|||
/usr/share/nginx/modules-available/mod-http-echo.conf
|
|
@ -0,0 +1 @@
|
|||
/usr/share/nginx/modules-available/mod-http-fancyindex.conf
|
|
@ -0,0 +1 @@
|
|||
/usr/share/nginx/modules-available/mod-http-geoip.conf
|
|
@ -0,0 +1 @@
|
|||
/usr/share/nginx/modules-available/mod-http-headers-more-filter.conf
|
|
@ -0,0 +1 @@
|
|||
/usr/share/nginx/modules-available/mod-http-image-filter.conf
|
|
@ -0,0 +1 @@
|
|||
/usr/share/nginx/modules-available/mod-http-lua.conf
|
|
@ -0,0 +1 @@
|
|||
/usr/share/nginx/modules-available/mod-http-perl.conf
|
|
@ -0,0 +1 @@
|
|||
/usr/share/nginx/modules-available/mod-http-subs-filter.conf
|
|
@ -0,0 +1 @@
|
|||
/usr/share/nginx/modules-available/mod-http-uploadprogress.conf
|
|
@ -0,0 +1 @@
|
|||
/usr/share/nginx/modules-available/mod-http-upstream-fair.conf
|
|
@ -0,0 +1 @@
|
|||
/usr/share/nginx/modules-available/mod-http-xslt-filter.conf
|
|
@ -0,0 +1 @@
|
|||
/usr/share/nginx/modules-available/mod-mail.conf
|
|
@ -0,0 +1 @@
|
|||
/usr/share/nginx/modules-available/mod-nchan.conf
|
|
@ -0,0 +1 @@
|
|||
/usr/share/nginx/modules-available/mod-stream.conf
|
|
@ -0,0 +1,164 @@
|
|||
user www-data;
|
||||
worker_processes auto;
|
||||
worker_rlimit_nofile 100000;
|
||||
pid /run/nginx.pid;
|
||||
include /etc/nginx/modules-enabled/*.conf;
|
||||
|
||||
error_log /var/log/nginx/error.log crit;
|
||||
|
||||
events {
|
||||
worker_connections 4000;
|
||||
use epoll;
|
||||
multi_accept on;
|
||||
}
|
||||
|
||||
http {
|
||||
##
|
||||
# Basic Settings
|
||||
##
|
||||
client_max_body_size 32M;
|
||||
|
||||
open_file_cache max=100000 inactive=20s;
|
||||
open_file_cache_valid 30s;
|
||||
open_file_cache_min_uses 2;
|
||||
open_file_cache_errors on;
|
||||
|
||||
types_hash_max_size 2048;
|
||||
variables_hash_max_size 2048;
|
||||
variables_hash_bucket_size 128;
|
||||
|
||||
sendfile on;
|
||||
tcp_nopush on;
|
||||
tcp_nodelay on;
|
||||
|
||||
# server_tokens off;
|
||||
|
||||
# server_names_hash_bucket_size 64;
|
||||
# server_name_in_redirect off;
|
||||
|
||||
# allow the server to close connection on non responding client, this will free up memory
|
||||
reset_timedout_connection on;
|
||||
|
||||
# request timed out -- default 60
|
||||
client_body_timeout 10;
|
||||
client_header_timeout 10;
|
||||
|
||||
# if client stop responding, free up memory -- default 60
|
||||
send_timeout 10;
|
||||
|
||||
# server will close connection after this time -- default 75
|
||||
keepalive_timeout 30;
|
||||
|
||||
include /etc/nginx/mime.types;
|
||||
default_type application/octet-stream;
|
||||
|
||||
##
|
||||
# SSL Settings
|
||||
##
|
||||
|
||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
|
||||
ssl_prefer_server_ciphers on;
|
||||
|
||||
##
|
||||
# Logging Settings
|
||||
##
|
||||
|
||||
#access_log /var/log/nginx/access.log;
|
||||
#error_log /var/log/nginx/error.log crit;
|
||||
|
||||
# borrowed from Apache
|
||||
# (Could use $host instead of $server_name to log vhost aliases separately)
|
||||
log_format vhost_combined '$server_name $remote_addr - $remote_user [$time_local] '
|
||||
'"$request" $status $body_bytes_sent '
|
||||
'"$http_referer" "$http_user_agent"';
|
||||
|
||||
log_format vcombined '$host:$server_port '
|
||||
'$remote_addr - $remote_user [$time_local] '
|
||||
'"$request" $status $body_bytes_sent '
|
||||
'"$http_referer" "$http_user_agent"';
|
||||
|
||||
# Define an access log for VirtualHosts that don't define their own logfile
|
||||
access_log /var/log/nginx/other_vhosts_access.log vcombined;
|
||||
|
||||
##
|
||||
# Gzip Settings
|
||||
##
|
||||
|
||||
gzip on;
|
||||
gzip_min_length 10240;
|
||||
gzip_comp_level 1;
|
||||
gzip_vary on;
|
||||
gzip_disable "msie6";
|
||||
gzip_proxied expired no-cache no-store private auth;
|
||||
gzip_types
|
||||
# text/html is always compressed by HttpGzipModule
|
||||
text/css
|
||||
text/javascript
|
||||
text/xml
|
||||
text/plain
|
||||
text/x-component
|
||||
application/javascript
|
||||
application/x-javascript
|
||||
application/json
|
||||
application/xml
|
||||
application/rss+xml
|
||||
application/atom+xml
|
||||
font/truetype
|
||||
font/opentype
|
||||
application/vnd.ms-fontobject
|
||||
image/svg+xml;
|
||||
|
||||
# gzip_proxied any;
|
||||
# gzip_comp_level 6;
|
||||
# gzip_buffers 16 8k;
|
||||
# gzip_http_version 1.1;
|
||||
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
|
||||
|
||||
##
|
||||
# DDOS Defense
|
||||
##
|
||||
# limit the number of connections per single IP
|
||||
# limit_conn_zone $binary_remote_addr zone=conn_limit_def:10m;
|
||||
# limit_conn_zone $binary_remote_addr zone=conn_limit_mid:32m;
|
||||
# limit_conn_zone $binary_remote_addr zone=conn_limit_high:64m;
|
||||
|
||||
# limit the number of requests for a given session
|
||||
# limit_req_zone $binary_remote_addr zone=req_limit_def:64m rate=10r/s;
|
||||
# limit_req_zone $binary_remote_addr zone=req_limit_mid:128m rate=20r/s;
|
||||
# limit_req_zone $binary_remote_addr zone=req_limit_high:512m rate=30r/s;
|
||||
|
||||
# if the request body size is more than the buffer size, then the entire (or partial)
|
||||
# request body is written into a temporary file
|
||||
client_body_buffer_size 128k;
|
||||
|
||||
# maximum number and size of buffers for large headers to read from client request
|
||||
large_client_header_buffers 4 256k;
|
||||
|
||||
##
|
||||
# Virtual Host Configs
|
||||
##
|
||||
|
||||
include /etc/nginx/conf.d/*.conf;
|
||||
include /etc/nginx/sites-enabled/*;
|
||||
}
|
||||
|
||||
#mail {
|
||||
# # See sample authentication script at:
|
||||
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
|
||||
#
|
||||
# # auth_http localhost/auth.php;
|
||||
# # pop3_capabilities "TOP" "USER";
|
||||
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
|
||||
#
|
||||
# server {
|
||||
# listen localhost:110;
|
||||
# protocol pop3;
|
||||
# proxy on;
|
||||
# }
|
||||
#
|
||||
# server {
|
||||
# listen localhost:143;
|
||||
# protocol imap;
|
||||
# proxy on;
|
||||
# }
|
||||
#}
|
|
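Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` at the http level still enables TLS 1.0 and 1.1, which are deprecated (RFC 8996) and fail most compliance scans; unless `snippets/ssl.conf` (not in this commit) overrides it in every server block, the default should be `ssl_protocols TLSv1.2 TLSv1.3;`. `# server_tokens off;` is left commented, so the nginx version is disclosed in the Server header and on error pages. `error_log /var/log/nginx/error.log crit;` discards everything below crit, including the error-level messages that `limit_req` rejections and `deny` rules emit, which leaves nothing for fail2ban or incident triage to work with; `error` or `warn` is the usual level. `large_client_header_buffers 4 256k;` lets a single request hold up to 1 MB of header buffers, which is generous for a public edge and deserves a comment explaining why.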
@ -0,0 +1,12 @@
|
|||
proxy_set_header Host $http_host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
|
||||
port_in_redirect off;
|
||||
proxy_redirect off;
|
||||
proxy_connect_timeout 300;
|
||||
|
||||
#proxy_buffering off;
|
||||
#proxy_buffer_size 128k;
|
||||
#proxy_buffers 100 128k;
|
|
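Review bot: `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` appends to whatever X-Forwarded-For the client already sent, so upstream services that read the first address in that header for logging, rate limiting or fail2ban can be fed a client-chosen value; upstreams should rely on the `X-Real-IP` set two lines above, or only on the last hop of the chain. `proxy_connect_timeout 300;` keeps a worker waiting five minutes for a backend TCP connect, far above the 10 s client timeouts in nginx.conf, so a dead backend becomes expensive; `proxy_connect_timeout 10;` is more typical. The commented `#proxy_buffer*` lines are dead configuration and should be removed or explained.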
@ -0,0 +1,17 @@
|
|||
|
||||
scgi_param REQUEST_METHOD $request_method;
|
||||
scgi_param REQUEST_URI $request_uri;
|
||||
scgi_param QUERY_STRING $query_string;
|
||||
scgi_param CONTENT_TYPE $content_type;
|
||||
|
||||
scgi_param DOCUMENT_URI $document_uri;
|
||||
scgi_param DOCUMENT_ROOT $document_root;
|
||||
scgi_param SCGI 1;
|
||||
scgi_param SERVER_PROTOCOL $server_protocol;
|
||||
scgi_param REQUEST_SCHEME $scheme;
|
||||
scgi_param HTTPS $https if_not_empty;
|
||||
|
||||
scgi_param REMOTE_ADDR $remote_addr;
|
||||
scgi_param REMOTE_PORT $remote_port;
|
||||
scgi_param SERVER_PORT $server_port;
|
||||
scgi_param SERVER_NAME $server_name;
|
|
@ -0,0 +1,31 @@
|
|||
server {
|
||||
include snippets/listen_local.conf;
|
||||
include snippets/listen.conf;
|
||||
# include snippets/ddos_def.conf;
|
||||
server_name auth.envs.net;
|
||||
|
||||
return 307 https://$host$request_uri;
|
||||
}
|
||||
|
||||
server {
|
||||
include snippets/listen_local_ssl.conf;
|
||||
include snippets/listen_ssl.conf;
|
||||
# include snippets/ddos_def.conf;
|
||||
server_name auth.envs.net;
|
||||
|
||||
include snippets/ssl.conf;
|
||||
include ssl/envs_net_wild.conf;
|
||||
include snippets/local_ssl_header.conf;
|
||||
|
||||
error_log /var/log/nginx/envs.net-error.log;
|
||||
|
||||
root /var/www/auth.envs.net/;
|
||||
location / {
|
||||
index index.php index.html;
|
||||
}
|
||||
|
||||
location ~ \.php$ {
|
||||
include snippets/fastcgi-php.conf;
|
||||
fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
|
||||
}
|
||||
}
|
|
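Review bot: Both server blocks leave `# include snippets/ddos_def.conf;` commented out, and nginx.conf ships its `limit_req_zone` definitions commented as well, so this authentication vhost has no per-IP request limiting at the edge; an auth endpoint is the one place where a small `limit_req` zone is worth enabling, with rejections left at error level so they reach the log. `error_log /var/log/nginx/envs.net-error.log;` has no level and shares the envs.net log file, unlike every other vhost in this commit; give it its own file and an explicit level so auth failures can be triaged separately. `fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;` hard-codes the PHP minor version here and again in bbj.envs.net.conf; a version-neutral socket symlink or a shared snippet avoids an outage on the next PHP upgrade.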
@ -0,0 +1,34 @@
|
|||
### BBJ.ENVS.NET - local ###
|
||||
server {
|
||||
include snippets/listen_local.conf;
|
||||
include snippets/listen.conf;
|
||||
# include snippets/ddos_def.conf;
|
||||
server_name bbj.envs.net forum.envs.net;
|
||||
|
||||
return 307 https://$host$request_uri;
|
||||
}
|
||||
|
||||
server {
|
||||
include snippets/listen_local_ssl.conf;
|
||||
include snippets/listen_ssl.conf;
|
||||
# include snippets/ddos_def.conf;
|
||||
server_name bbj.envs.net forum.envs.net;
|
||||
|
||||
include snippets/ssl.conf;
|
||||
include ssl/envs_net_wild.conf;
|
||||
include snippets/local_ssl_header.conf;
|
||||
|
||||
error_log /var/log/nginx/bbj.envs.net-error.log crit;
|
||||
|
||||
root /var/www/bbj.envs.net/;
|
||||
location / {
|
||||
index index.php index.html index.shtml index.htm;
|
||||
}
|
||||
|
||||
location ~ \.php$ {
|
||||
include snippets/fastcgi-php.conf;
|
||||
fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
|
||||
}
|
||||
|
||||
include snippets/favicon;
|
||||
}
|
|
@ -0,0 +1,91 @@
|
|||
##
|
||||
# You should look at the following URL's in order to grasp a solid understanding
|
||||
# of Nginx configuration files in order to fully unleash the power of Nginx.
|
||||
# https://www.nginx.com/resources/wiki/start/
|
||||
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
|
||||
# https://wiki.debian.org/Nginx/DirectoryStructure
|
||||
#
|
||||
# In most cases, administrators will remove this file from sites-enabled/ and
|
||||
# leave it as reference inside of sites-available where it will continue to be
|
||||
# updated by the nginx packaging team.
|
||||
#
|
||||
# This file will automatically load configuration files provided by other
|
||||
# applications, such as Drupal or Wordpress. These applications will be made
|
||||
# available underneath a path with that package name, such as /drupal8.
|
||||
#
|
||||
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
|
||||
##
|
||||
|
||||
# Default server configuration
|
||||
#
|
||||
server {
|
||||
listen 80 default_server;
|
||||
listen [::]:80 default_server;
|
||||
|
||||
# SSL configuration
|
||||
#
|
||||
# listen 443 ssl default_server;
|
||||
# listen [::]:443 ssl default_server;
|
||||
#
|
||||
# Note: You should disable gzip for SSL traffic.
|
||||
# See: https://bugs.debian.org/773332
|
||||
#
|
||||
# Read up on ssl_ciphers to ensure a secure configuration.
|
||||
# See: https://bugs.debian.org/765782
|
||||
#
|
||||
# Self signed certs generated by the ssl-cert package
|
||||
# Don't use them in a production server!
|
||||
#
|
||||
# include snippets/snakeoil.conf;
|
||||
|
||||
root /var/www/html;
|
||||
|
||||
# Add index.php to the list if you are using PHP
|
||||
index index.html index.htm index.nginx-debian.html;
|
||||
|
||||
server_name _;
|
||||
|
||||
location / {
|
||||
# First attempt to serve request as file, then
|
||||
# as directory, then fall back to displaying a 404.
|
||||
try_files $uri $uri/ =404;
|
||||
}
|
||||
|
||||
# pass PHP scripts to FastCGI server
|
||||
#
|
||||
#location ~ \.php$ {
|
||||
# include snippets/fastcgi-php.conf;
|
||||
#
|
||||
# # With php-fpm (or other unix sockets):
|
||||
# fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
|
||||
# # With php-cgi (or other tcp sockets):
|
||||
# fastcgi_pass 127.0.0.1:9000;
|
||||
#}
|
||||
|
||||
# deny access to .htaccess files, if Apache's document root
|
||||
# concurs with nginx's one
|
||||
#
|
||||
#location ~ /\.ht {
|
||||
# deny all;
|
||||
#}
|
||||
}
|
||||
|
||||
|
||||
# Virtual Host configuration for example.com
|
||||
#
|
||||
# You can move that to a different file under sites-available/ and symlink that
|
||||
# to sites-enabled/ to enable it.
|
||||
#
|
||||
#server {
|
||||
# listen 80;
|
||||
# listen [::]:80;
|
||||
#
|
||||
# server_name example.com;
|
||||
#
|
||||
# root /var/www/example.com;
|
||||
# index index.html;
|
||||
#
|
||||
# location / {
|
||||
# try_files $uri $uri/ =404;
|
||||
# }
|
||||
#}
|
|
@ -0,0 +1,98 @@
|
|||
### ENVS.NET - local ###
|
||||
server {
|
||||
# listen 80 default_server;
|
||||
include snippets/listen_local.conf;
|
||||
include snippets/listen.conf;
|
||||
# include snippets/ddos_def.conf;
|
||||
server_name envs.net www.envs.net _;
|
||||
|
||||
error_log /var/log/nginx/envs.net-error.log crit;
|
||||
|
||||
location / {
|
||||
return 307 https://$host$request_uri;
|
||||
}
|
||||
|
||||
location /.well-known/acme-challenge/ {
|
||||
alias /var/lib/letsencrypt/.well-known/acme-challenge/;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
# listen 443 ssl http2 default_server;
|
||||
include snippets/listen_local_ssl.conf;
|
||||
include snippets/listen_ssl.conf;
|
||||
# include snippets/ddos_def.conf;
|
||||
server_name envs.net www.envs.net _;
|
||||
|
||||
include snippets/ssl.conf;
|
||||
include ssl/envs_net_wild.conf;
|
||||
include snippets/local_ssl_header.conf;
|
||||
add_header X-Frame-Options "ALLOW-FROM https://envs.sh/";
|
||||
|
||||
error_log /var/log/nginx/envs.net-error.log crit;
|
||||
|
||||
include snippets/error_pages;
|
||||
|
||||
root /var/www/envs.net/;
|
||||
index index.php index.html;
|
||||
|
||||
rewrite ^([^.\?]*[^/])$ $1/ permanent;
|
||||
|
||||
location / {
|
||||
add_header Access-Control-Allow-Origin *;
|
||||
try_files $uri.html $uri $uri/ @extensionless-php;
|
||||
}
|
||||
location @extensionless-php {
|
||||
rewrite ^(.*)/$ $1.php last;
|
||||
}
|
||||
|
||||
location /cgi-bin {
|
||||
gzip off;
|
||||
include fastcgi_params;
|
||||
fastcgi_pass unix:/var/run/fcgiwrap.socket;
|
||||
}
|
||||
|
||||
# users
|
||||
location ~ ^/(~|u/)(?<user>[\w-]+)(?<user_uri>/.*)?$ {
|
||||
alias /home/$user/public_html$user_uri;
|
||||
index index.html index.php;
|
||||
|
||||
fancyindex on;
|
||||
fancyindex_exact_size off;
|
||||
add_header X-Frame-Options SAMEORIGIN;
|
||||
|
||||
location ~ [^/]\.php(/|$) {
|
||||
include snippets/php_common;
|
||||
}
|
||||
|
||||
location ~ (\.cgi|\.py|\.sh|\.pl|\.lua|\/cgi-bin)$ {
|
||||
gzip off;
|
||||
include fastcgi_params;
|
||||
fastcgi_pass unix:/var/run/fcgiwrap.socket;
|
||||
fastcgi_param SCRIPT_FILENAME /home/$user/public_html$request_filename;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
location ~* /\.(eot|ttf|woff|woff2)$ {
|
||||
add_header Access-Control-Allow-Origin *;
|
||||
expires 365d;
|
||||
}
|
||||
|
||||
location ~* /\.(jpg|jpeg|png|gif|ico|css|js)$ {
|
||||
add_header Access-Control-Allow-Origin *;
|
||||
expires 365d;
|
||||
}
|
||||
|
||||
location ~* /\.(pdf)$ {
|
||||
expires 30d;
|
||||
}
|
||||
|
||||
location ~ /(\.ht|\.git)$ {
|
||||
deny all;
|
||||
}
|
||||
|
||||
# include php and ssi
|
||||
include snippets/php.conf;
|
||||
ssi on;
|
||||
}
|
|
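Review bot: `location ~ /(\.ht|\.git)$ { deny all; }` is anchored with `$`, so it only blocks URIs that end in `.ht` or `.git`; `/.git/config`, `/.git/HEAD` and `/.htpasswd` are not matched and are served from `/var/www/envs.net/` as static files, which is exactly the repository and credential exposure the rule exists to prevent. Drop the anchor, `location ~ /\.(ht|git) { deny all; }`, and place it above the `~ ^/(~|u/)` user location, because regex locations match in order and the user block currently wins for `/~user/.git/...`. Separately, the `add_header` lines inside `location /`, the user location and the asset locations replace all inherited headers for those responses, so the server-level `X-Frame-Options` and whatever `snippets/local_ssl_header.conf` sets (presumably HSTS) are not sent on most of this site; either repeat them per location or include the snippet in each. `X-Frame-Options "ALLOW-FROM ..."` is also ignored by Chromium and WebKit; `Content-Security-Policy "frame-ancestors https://envs.sh"` is the supported form. The asset locations `~* /\.(eot|ttf|woff|woff2)$`, `~* /\.(jpg|...)$` and `~* /\.(pdf)$` require a `/` directly before the dot, so they match only files literally named `.css`, `.pdf` and so on and the `expires` and CORS headers never apply to real assets; `~* \.(jpg|jpeg|png|gif|ico|css|js)$` looks like what was intended.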
@ -0,0 +1,55 @@
|
|||
### ENVS.SH - lxc - nullpointer ###
|
||||
server {
|
||||
include snippets/listen.conf;
|
||||
# include snippets/ddos_def.conf;
|
||||
server_name envs.sh 0x0.envs.sh null.envs.sh;
|
||||
|
||||
location / {
|
||||
return 307 https://$host$request_uri;
|
||||
}
|
||||
|
||||
location /.well-known/acme-challenge/ {
|
||||
alias /var/lib/letsencrypt/.well-known/acme-challenge/;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
include snippets/listen_ssl.conf;
|
||||
# include snippets/ddos_def.conf;
|
||||
server_name envs.sh 0x0.envs.sh null.envs.sh;
|
||||
|
||||
include snippets/ssl.conf;
|
||||
include ssl/envs_sh_wild.conf;
|
||||
|
||||
client_max_body_size 512M;
|
||||
|
||||
error_log /var/log/nginx/envs.sh-error.log crit;
|
||||
|
||||
location / {
|
||||
include proxy_params;
|
||||
proxy_ssl_name $http_host;
|
||||
proxy_ssl_server_name on;
|
||||
proxy_pass https://envs.sh;
|
||||
}
|
||||
|
||||
include snippets/favicon;
|
||||
}
|
||||
|
||||
|
||||
# 0x0.envs.net
|
||||
server {
|
||||
include snippets/listen.conf;
|
||||
# include snippets/ddos_def.conf;
|
||||
server_name 0x0.envs.net null.envs.net;
|
||||
|
||||
return 307 https://envs.sh$request_uri;
|
||||
}
|
||||
server {
|
||||
include snippets/listen_ssl.conf;
|
||||
# include snippets/ddos_def.conf;
|
||||
server_name 0x0.envs.net null.envs.net;
|
||||
return 307 https://envs.sh$request_uri;
|
||||
|
||||
include snippets/ssl.conf;
|
||||
include ssl/envs_net_wild.conf;
|
||||
}
|
|
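Review bot: `proxy_pass https://envs.sh;` in the HTTPS `location /` targets the same name this server answers for, so it only works if the host resolves envs.sh to the lxc container rather than to the public address; otherwise the request loops back into nginx itself, and a comment such as `# envs.sh must resolve to the container address on this host, not the public IP` would record that assumption. The backend TLS connection is not verified anywhere in this commit (`proxy_ssl_verify` defaults to off), and the same pattern is repeated in git.envs.net, lists.envs.net, mail.envs.net, pad.envs.net, pb.envs.net, rss.envs.net, searx.envs.net, tb.envs.net and znc.envs.net; on an internal bridge that is a contained risk, but `proxy_ssl_verify on;` with `proxy_ssl_trusted_certificate` pointing at the container's chain makes a redirected or compromised backend detectable rather than silent. In the 0x0.envs.net HTTPS block the `return 307 ...` is placed before the ssl includes, which works but reads as if the includes were unreachable; moving the return after them matches the other files.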
@ -0,0 +1,27 @@
|
|||
### GIT.ENVS.NET - lxc ###
|
||||
server {
|
||||
listen 5.199.130.141:80;
|
||||
# include snippets/ddos_mid.conf;
|
||||
server_name git.envs.net gitea.envs.net;
|
||||
|
||||
return 307 https://$host$request_uri;
|
||||
}
|
||||
|
||||
# SSL
|
||||
server {
|
||||
listen 5.199.130.141:443 ssl http2;
|
||||
# include snippets/ddos_mid.conf;
|
||||
server_name git.envs.net gitea.envs.net;
|
||||
|
||||
include snippets/ssl.conf;
|
||||
include ssl/envs_net_wild.conf;
|
||||
|
||||
error_log /var/log/nginx/git.envs.net-error.log crit;
|
||||
|
||||
location / {
|
||||
include proxy_params;
|
||||
proxy_ssl_name $http_host;
|
||||
proxy_ssl_server_name on;
|
||||
proxy_pass https://git.envs.net;
|
||||
}
|
||||
}
|
|
@ -0,0 +1,29 @@
|
|||
### GOPHER.ENVS.NET - local ###
|
||||
server {
|
||||
include snippets/listen_local.conf;
|
||||
include snippets/listen.conf;
|
||||
# include snippets/ddos_def.conf;
|
||||
server_name gopher.envs.net gopherproxy.envs.net;
|
||||
|
||||
return 307 https://$server_name$request_uri;
|
||||
}
|
||||
|
||||
server {
|
||||
include snippets/listen_local_ssl.conf;
|
||||
include snippets/listen_ssl.conf;
|
||||
# include snippets/ddos_def.conf;
|
||||
server_name gopher.envs.net gopherproxy.envs.net;
|
||||
|
||||
include snippets/ssl.conf;
|
||||
include ssl/envs_net_wild.conf;
|
||||
include snippets/local_ssl_header.conf;
|
||||
|
||||
error_log /var/log/nginx/gopher.envs.net-error.log crit;
|
||||
|
||||
location / {
|
||||
include proxy_params;
|
||||
proxy_pass http://127.0.0.1:8993;
|
||||
}
|
||||
|
||||
include snippets/favicon;
|
||||
}
|
|
@ -0,0 +1,27 @@
|
|||
### HELP.ENVS.NET - local ###
|
||||
server {
|
||||
include snippets/listen_local.conf;
|
||||
include snippets/listen.conf;
|
||||
# include snippets/ddos_def.conf;
|
||||
server_name help.envs.net;
|
||||
|
||||
return 307 https://$host$request_uri;
|
||||
}
|
||||
|
||||
server {
|
||||
include snippets/listen_local_ssl.conf;
|
||||
include snippets/listen_ssl.conf;
|
||||
# include snippets/ddos_def.conf;
|
||||
server_name help.envs.net;
|
||||
|
||||
include snippets/ssl.conf;
|
||||
include ssl/envs_net_wild.conf;
|
||||
include snippets/local_ssl_header.conf;
|
||||
|
||||
error_log /var/log/nginx/help.envs.net-error.log crit;
|
||||
|
||||
root /var/www/docs/help/site/;
|
||||
location / {
|
||||
index index.html;
|
||||
}
|
||||
}
|
|
@ -0,0 +1,32 @@
|
|||
### IP.ENVS.NET - local ###
|
||||
server {
|
||||
include snippets/listen_local.conf;
|
||||
include snippets/listen.conf;
|
||||
# include snippets/ddos_def.conf;
|
||||
server_name ip.envs.net whois.envs.net ifconfig.envs.net ifconf.envs.net ping.envs.net checkip.envs.net ipconfig.envs.net ipconf.envs.net;
|
||||
|
||||
error_log /var/log/nginx/ip.envs.net-error.log crit;
|
||||
|
||||
location / {
|
||||
include proxy_params;
|
||||
proxy_pass http://127.0.0.1:8080;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
include snippets/listen_local_ssl.conf;
|
||||
include snippets/listen_ssl.conf;
|
||||
# include snippets/ddos_def.conf;
|
||||
server_name ip.envs.net whois.envs.net ifconfig.envs.net ifconf.envs.net ping.envs.net checkip.envs.net ipconfig.envs.net ipconf.envs.net;
|
||||
|
||||
include snippets/ssl.conf;
|
||||
include ssl/envs_net_wild.conf;
|
||||
include snippets/local_ssl_header.conf;
|
||||
|
||||
error_log /var/log/nginx/ip.envs.net-error.log crit;
|
||||
|
||||
location / {
|
||||
include proxy_params;
|
||||
proxy_pass http://127.0.0.1:8080;
|
||||
}
|
||||
}
|
|
@ -0,0 +1,32 @@
|
|||
### IP.ENVS.SH - local ###
|
||||
server {
|
||||
include snippets/listen_local.conf;
|
||||
include snippets/listen.conf;
|
||||
# include snippets/ddos_def.conf;
|
||||
server_name ip.envs.sh whois.envs.sh;
|
||||
|
||||
error_log /var/log/nginx/ip.envs.net-error.log crit;
|
||||
|
||||
location / {
|
||||
include proxy_params;
|
||||
proxy_pass http://127.0.0.1:8080;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
include snippets/listen_local_ssl.conf;
|
||||
include snippets/listen_ssl.conf;
|
||||
# include snippets/ddos_mid.conf;
|
||||
server_name ip.envs.sh whois.envs.sh;
|
||||
|
||||
include snippets/ssl.conf;
|
||||
include ssl/envs_sh_wild.conf;
|
||||
include snippets/local_ssl_header.conf;
|
||||
|
||||
error_log /var/log/nginx/ip.envs.net-error.log crit;
|
||||
|
||||
location / {
|
||||
include proxy_params;
|
||||
proxy_pass http://127.0.0.1:8080;
|
||||
}
|
||||
}
|
|
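Review bot: Both `error_log` lines in this vhost write to `/var/log/nginx/ip.envs.net-error.log`, the ip.envs.net file, while `server_name` is `ip.envs.sh whois.envs.sh`; that looks like a copy-paste remnant and merges two hosts' errors into one file, so `error_log /var/log/nginx/ip.envs.sh-error.log crit;` is expected in both blocks. The commented rate-limit include is `ddos_def.conf` in the HTTP block but `ddos_mid.conf` in the HTTPS block, so whichever tier is intended, the two should agree before either is enabled.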
@ -0,0 +1,27 @@
|
|||
### LISTS.ENVS.NET - lxc ###
|
||||
server {
|
||||
listen 5.199.136.29:80;
|
||||
# include snippets/ddos_def.conf;
|
||||
server_name lists.envs.net;
|
||||
|
||||
return 307 https://$host$request_uri;
|
||||
}
|
||||
|
||||
# SSL
|
||||
server {
|
||||
listen 5.199.136.29:443 ssl http2;
|
||||
# include snippets/ddos_def.conf;
|
||||
server_name lists.envs.net;
|
||||
|
||||
include snippets/ssl.conf;
|
||||
include ssl/envs_net_wild.conf;
|
||||
|
||||
error_log /var/log/nginx/lists.envs.net-error.log crit;
|
||||
|
||||
location / {
|
||||
include proxy_params;
|
||||
proxy_ssl_name $http_host;
|
||||
proxy_ssl_server_name on;
|
||||
proxy_pass https://lists.envs.net;
|
||||
}
|
||||
}
|
|
@ -0,0 +1,58 @@
|
|||
### MAIL.ENVS.NET - lxc ###
|
||||
server {
|
||||
listen 5.199.136.28:80;
|
||||
# include snippets/ddos_mid.conf;
|
||||
server_name mail.envs.net webmail.envs.net autodiscover.envs.net smtp.envs.net imap.envs.net;
|
||||
|
||||
include /etc/nginx/proxy_params;
|
||||
|
||||
location / {
|
||||
return 307 https://$host$request_uri;
|
||||
}
|
||||
|
||||
location /.well-known/acme-challenge/ {
|
||||
include proxy_params;
|
||||
proxy_pass http://mail.envs.net/.well-known/acme-challenge/;
|
||||
}
|
||||
}
|
||||
|
||||
# automx
|
||||
server {
|
||||
listen 5.199.136.28:80;
|
||||
# include snippets/ddos_mid.conf;
|
||||
server_name autoconfig.envs.net;
|
||||
|
||||
include /etc/nginx/proxy_params;
|
||||
|
||||
location / {
|
||||
include proxy_params;
|
||||
proxy_pass http://autoconfig.envs.net/;
|
||||
}
|
||||
|
||||
location /.well-known/acme-challenge/ {
|
||||
include proxy_params;
|
||||
proxy_pass http://mail.envs.net/.well-known/acme-challenge/;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
listen 5.199.136.28:443 ssl http2;
|
||||
# include snippets/ddos_mid.conf;
|
||||
server_name mail.envs.net webmail.envs.net autodiscover.envs.net;
|
||||
|
||||
ssl_certificate /var/lib/lxc/mail/rootfs/etc/letsencrypt/live/mail.envs.net/fullchain.pem;
|
||||
ssl_certificate_key /var/lib/lxc/mail/rootfs/etc/letsencrypt/live/mail.envs.net/privkey.pem;
|
||||
ssl_dhparam /var/lib/lxc/mail/rootfs/etc/nginx/dhparam.pem;
|
||||
ssl_trusted_certificate /var/lib/lxc/mail/rootfs/etc/letsencrypt/live/mail.envs.net/chain.pem;
|
||||
|
||||
include snippets/ssl.conf;
|
||||
|
||||
error_log /var/log/nginx/mail.envs.net-error.log crit;
|
||||
|
||||
location / {
|
||||
include proxy_params;
|
||||
proxy_ssl_name $http_host;
|
||||
proxy_ssl_server_name on;
|
||||
proxy_pass https://mail.envs.net;
|
||||
}
|
||||
}
|
|
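Review bot: The HTTPS block reads its certificate and, more importantly, `ssl_certificate_key /var/lib/lxc/mail/rootfs/etc/letsencrypt/live/mail.envs.net/privkey.pem;` straight out of the container's root filesystem, so the host nginx depends on the container's renewal cycle and on that path staying readable; nothing in this commit reloads the host nginx when certbot inside the container renews, so the host keeps serving the old certificate until someone reloads it by hand. A renewal hook in the container that signals the host, or terminating TLS only inside the container, removes that coupling. `smtp.envs.net` and `imap.envs.net` appear in the HTTP `server_name` and are redirected to https, but no HTTPS block lists them, so those names land on whichever server is default for 5.199.136.28:443 with a certificate that may not cover them. The `include /etc/nginx/proxy_params;` at server level in the two HTTP blocks is redundant with the per-location includes and can be dropped.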
@ -0,0 +1,30 @@
|
|||
### PAD.ENVS.NET - lxc ###
|
||||
server {
|
||||
include snippets/listen.conf;
|
||||
# include snippets/ddos_high.conf;
|
||||
server_name pad.envs.net;
|
||||
|
||||
return 307 https://$host$request_uri;
|
||||
}
|
||||
|
||||
# SSL
|
||||
server {
|
||||
include snippets/listen_ssl.conf;
|
||||
# include snippets/ddos_high.conf;
|
||||
server_name pad.envs.net;
|
||||
|
||||
include snippets/ssl.conf;
|
||||
include ssl/envs_net_wild.conf;
|
||||
|
||||
error_log /var/log/nginx/pad.envs.net-error.log crit;
|
||||
|
||||
location / {
|
||||
include proxy_params;
|
||||
proxy_ssl_name $http_host;
|
||||
proxy_ssl_server_name on;
|
||||
proxy_pass https://pad.envs.net;
|
||||
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "Upgrade";
|
||||
}
|
||||
}
|
|
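Review bot: The WebSocket upgrade in `location /` sets `proxy_set_header Upgrade $http_upgrade;` and `Connection "Upgrade"` but never sets `proxy_http_version 1.1;`, so nginx talks HTTP/1.0 to the backend and the upgrade cannot complete; webirc.envs.net.conf in this same commit shows the complete form. `Connection "Upgrade"` is also sent unconditionally, which turns ordinary requests into broken upgrade attempts on strict backends; `proxy_set_header Connection $connection_upgrade;` using the map that user.envs.net.conf defines is the conditional form, provided that map is loaded whenever this file is.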
@ -0,0 +1,27 @@
|
|||
### PB.ENVS.NET - lxc ###
|
||||
server {
|
||||
include snippets/listen.conf;
|
||||
# include snippets/ddos_mid.conf;
|
||||
server_name pb.envs.net pastebin.envs.net;
|
||||
|
||||
return 307 https://$host$request_uri;
|
||||
}
|
||||
|
||||
# SSL
|
||||
server {
|
||||
include snippets/listen_ssl.conf;
|
||||
# include snippets/ddos_mid.conf;
|
||||
server_name pb.envs.net pastebin.envs.net;
|
||||
|
||||
include snippets/ssl.conf;
|
||||
include ssl/envs_net_wild.conf;
|
||||
|
||||
error_log /var/log/nginx/pb.envs.net-error.log crit;
|
||||
|
||||
location / {
|
||||
include proxy_params;
|
||||
proxy_ssl_name $http_host;
|
||||
proxy_ssl_server_name on;
|
||||
proxy_pass https://pb.envs.net;
|
||||
}
|
||||
}
|
|
@ -0,0 +1,27 @@
|
|||
### RSS.ENVS.NET - lxc ###
|
||||
server {
|
||||
include snippets/listen.conf;
|
||||
# include snippets/ddos_high.conf;
|
||||
server_name rss.envs.net;
|
||||
|
||||
return 307 https://$host$request_uri;
|
||||
}
|
||||
|
||||
# SSL
|
||||
server {
|
||||
include snippets/listen_ssl.conf;
|
||||
# include snippets/ddos_high.conf;
|
||||
server_name rss.envs.net;
|
||||
|
||||
include snippets/ssl.conf;
|
||||
include ssl/envs_net_wild.conf;
|
||||
|
||||
error_log /var/log/nginx/rss.envs.net-error.log crit;
|
||||
|
||||
location / {
|
||||
include proxy_params;
|
||||
proxy_ssl_name $http_host;
|
||||
proxy_ssl_server_name on;
|
||||
proxy_pass https://rss.envs.net;
|
||||
}
|
||||
}
|
|
@ -0,0 +1,27 @@
|
|||
### SEARX.ENVS.NET - lxc ###
|
||||
server {
|
||||
include snippets/listen.conf;
|
||||
# include snippets/ddos_mid.conf;
|
||||
server_name searx.envs.net search.envs.net;
|
||||
|
||||
return 307 https://$host$request_uri;
|
||||
}
|
||||
|
||||
# SSL
|
||||
server {
|
||||
include snippets/listen_ssl.conf;
|
||||
# include snippets/ddos_mid.conf;
|
||||
server_name searx.envs.net search.envs.net;
|
||||
|
||||
include snippets/ssl.conf;
|
||||
include ssl/envs_net_wild.conf;
|
||||
|
||||
error_log /var/log/nginx/searx.envs.net-error.log crit;
|
||||
|
||||
location / {
|
||||
include proxy_params;
|
||||
proxy_ssl_name $http_host;
|
||||
proxy_ssl_server_name on;
|
||||
proxy_pass https://searx.envs.net;
|
||||
}
|
||||
}
|
|
@ -0,0 +1,27 @@
|
|||
### STATS.ENVS.NET - local ###
|
||||
server {
|
||||
include snippets/listen_local.conf;
|
||||
include snippets/listen.conf;
|
||||
# include snippets/ddos_def.conf;
|
||||
server_name stats.envs.net;
|
||||
|
||||
return 307 https://$host$request_uri;
|
||||
}
|
||||
|
||||
server {
|
||||
include snippets/listen_local_ssl.conf;
|
||||
include snippets/listen_ssl.conf;
|
||||
# include snippets/ddos_def.conf;
|
||||
server_name stats.envs.net;
|
||||
|
||||
include snippets/ssl.conf;
|
||||
include ssl/envs_net_wild.conf;
|
||||
include snippets/local_ssl_header.conf;
|
||||
|
||||
error_log /var/log/nginx/stats.envs.net-error.log crit;
|
||||
|
||||
root /var/www/envs.net/;
|
||||
location / {
|
||||
index stats.html;
|
||||
}
|
||||
}
|
|
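Review bot: `root /var/www/envs.net/;` reuses the main site's document root with only `index stats.html;` on top and no PHP handler, so any file under that root, presumably including the `index.php` that envs.net.conf serves, is returned verbatim (as `application/octet-stream`, per the `default_type` in nginx.conf) when requested through stats.envs.net; that discloses whatever the PHP sources contain. Point `root` at a directory holding only the stats page, or add `location ~ \.php$ { deny all; }` so PHP sources cannot be fetched through this host.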
@ -0,0 +1,31 @@
|
|||
### TB.ENVS.NET - lxc ###
|
||||
server {
|
||||
include snippets/listen.conf;
|
||||
# include snippets/ddos_def.conf;
|
||||
server_name tb.envs.net termbin.envs.net;
|
||||
|
||||
return 307 https://$host$request_uri;
|
||||
}
|
||||
|
||||
# SSL
|
||||
server {
|
||||
include snippets/listen_ssl.conf;
|
||||
# include snippets/ddos_def.conf;
|
||||
server_name tb.envs.net termbin.envs.net;
|
||||
|
||||
error_log /var/log/nginx/tb.envs.net-error.log crit;
|
||||
|
||||
include snippets/ssl.conf;
|
||||
include ssl/envs_net_wild.conf;
|
||||
|
||||
client_max_body_size 256M;
|
||||
|
||||
location / {
|
||||
include proxy_params;
|
||||
proxy_ssl_name $http_host;
|
||||
proxy_ssl_server_name on;
|
||||
proxy_pass https://tb.envs.net;
|
||||
}
|
||||
|
||||
include snippets/favicon;
|
||||
}
|
|
@ -0,0 +1,27 @@
|
|||
### TTBP.ENVS.NET - local ###
|
||||
server {
|
||||
include snippets/listen_local.conf;
|
||||
include snippets/listen.conf;
|
||||
# include snippets/ddos_def.conf;
|
||||
server_name ttbp.envs.net;
|
||||
|
||||
return 307 https://$host$request_uri;
|
||||
}
|
||||
|
||||
server {
|
||||
include snippets/listen_local_ssl.conf;
|
||||
include snippets/listen_ssl.conf;
|
||||
# include snippets/ddos_def.conf;
|
||||
server_name ttbp.envs.net;
|
||||
|
||||
include snippets/ssl.conf;
|
||||
include ssl/envs_net_wild.conf;
|
||||
include snippets/local_ssl_header.conf;
|
||||
|
||||
error_log /var/log/nginx/ttbp.envs.net-error.log crit;
|
||||
|
||||
root /var/global/ttbp/public_html/;
|
||||
location / {
|
||||
index index.html;
|
||||
}
|
||||
}
|
|
@ -0,0 +1,30 @@
|
|||
### TWTXT.ENVS.NET - local ###
|
||||
server {
|
||||
include snippets/listen_local.conf;
|
||||
include snippets/listen.conf;
|
||||
# include snippets/ddos_mid.conf;
|
||||
server_name twtxt.envs.net;
|
||||
|
||||
return 307 https://$server_name$request_uri;
|
||||
}
|
||||
|
||||
server {
|
||||
include snippets/listen_local_ssl.conf;
|
||||
include snippets/listen_ssl.conf;
|
||||
# include snippets/ddos_mid.conf;
|
||||
server_name twtxt.envs.net;
|
||||
|
||||
include snippets/ssl.conf;
|
||||
include ssl/envs_net_wild.conf;
|
||||
|
||||
include snippets/local_ssl_header.conf;
|
||||
|
||||
error_log /var/log/nginx/twtxt.envs.net-error.log crit;
|
||||
|
||||
location / {
|
||||
include proxy_params;
|
||||
proxy_pass http://127.0.0.1:9001;
|
||||
}
|
||||
|
||||
include snippets/favicon;
|
||||
}
|
|
@ -0,0 +1,31 @@
|
|||
### <USER>.ENVS.NET - local ###
|
||||
map $http_upgrade $connection_upgrade {
|
||||
default upgrade;
|
||||
'' close;
|
||||
}
|
||||
|
||||
limit_req_zone $binary_remote_addr zone=weechat:10m rate=10r/m;
|
||||
|
||||
server {
|
||||
include snippets/listen_local.conf;
|
||||
include snippets/listen.conf;
|
||||
# include snippets/ddos_def.conf;
|
||||
server_name ~^(.*)\.envs\.net;
|
||||
|
||||
return 307 https://$1.envs.net$request_uri;
|
||||
}
|
||||
|
||||
server {
|
||||
include snippets/listen_local_ssl.conf;
|
||||
include snippets/listen_ssl.conf;
|
||||
# include snippets/ddos_def.conf;
|
||||
server_name ~^(?<user>[^.]+)\.envs\.net;
|
||||
|
||||
include snippets/ssl.conf;
|
||||
include ssl/envs_net_wild.conf;
|
||||
include snippets/local_ssl_header.conf;
|
||||
|
||||
error_log /var/log/nginx/envs.net-error.log crit;
|
||||
|
||||
include snippets/user.envs.conf;
|
||||
}
|
|
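Review bot: The HTTPS `server_name ~^(?<user>[^.]+)\.envs\.net;` captures `$user` from the Host header with `[^.]+`, which admits any character except a dot, while the equivalent capture in envs.net.conf's user location uses `[\w-]+`; if `snippets/user.envs.conf` (not in this commit) builds a filesystem path from `$user`, the pattern should be tightened to `server_name ~^(?<user>[\w-]+)\.envs\.net;` so that a crafted Host header is limited to user-name characters. The same applies to user.envs.sh.conf. The plain-HTTP block redirects with `return 307 https://$1.envs.net$request_uri;` where `$1` comes from `(.*)`, so a multi-label name such as a.b.envs.net is redirected to an HTTPS name no server block here matches; using the same single-label capture in both blocks keeps them consistent. `limit_req_zone ... zone=weechat:10m rate=10r/m;` is declared here but not consumed in either block; if user.envs.conf uses it, a comment saying so would help.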
@ -0,0 +1,29 @@
|
|||
### <USER>.ENVS.SH - local ###
|
||||
map $http_upgrade $connection_upgrade {
|
||||
default upgrade;
|
||||
'' close;
|
||||
}
|
||||
|
||||
server {
|
||||
include snippets/listen_local.conf;
|
||||
include snippets/listen.conf;
|
||||
# include snippets/ddos_def.conf;
|
||||
server_name ~^(.*)\.envs\.sh;
|
||||
|
||||
return 307 https://$1.envs.sh$request_uri;
|
||||
}
|
||||
|
||||
server {
|
||||
include snippets/listen_local_ssl.conf;
|
||||
include snippets/listen_ssl.conf;
|
||||
# include snippets/ddos_def.conf;
|
||||
server_name ~^(?<user>[^.]+)\.envs\.sh;
|
||||
|
||||
include snippets/ssl.conf;
|
||||
include ssl/envs_sh_wild.conf;
|
||||
include snippets/local_ssl_header.conf;
|
||||
|
||||
error_log /var/log/nginx/envs.net-error.log crit;
|
||||
|
||||
include snippets/user.envs.conf;
|
||||
}
|
|
@ -0,0 +1,32 @@
|
|||
### WEBIRC.ENVS.NET - local ###
|
||||
server {
|
||||
include snippets/listen_local.conf;
|
||||
include snippets/listen.conf;
|
||||
# include snippets/ddos_def.conf;
|
||||
server_name lounge.envs.net webirc.envs.net;
|
||||
return 307 https://webirc.envs.net$request_uri;
|
||||
}
|
||||
|
||||
server {
|
||||
include snippets/listen_local_ssl.conf;
|
||||
include snippets/listen_ssl.conf;
|
||||
# include snippets/ddos_def.conf;
|
||||
server_name lounge.envs.net webirc.envs.net;
|
||||
|
||||
include snippets/ssl.conf;
|
||||
include ssl/envs_net_wild.conf;
|
||||
include snippets/local_ssl_header.conf;
|
||||
|
||||
error_log /var/log/nginx/webirc.envs.net-error.log crit;
|
||||
|
||||
location / {
|
||||
include proxy_params;
|
||||
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "Upgrade";
|
||||
|
||||
add_header 'Access-Control-Allow-Origin' "$http_origin" always;
|
||||
proxy_pass http://127.0.0.1:9000;
|
||||
}
|
||||
}
|
|
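Review bot: `add_header 'Access-Control-Allow-Origin' "$http_origin" always;` reflects whatever Origin the client sends, which is equivalent to allowing every origin; if the IRC client's HTTP endpoints ever carry cookies, an allow-list (a `map $http_origin` to a variable that is empty for unknown origins) is the safe form. Because this `add_header` sits inside `location /`, it also replaces the headers inherited from `snippets/local_ssl_header.conf` for every proxied response, so whatever that snippet sets is absent on this host unless it is included here too. `proxy_set_header Connection "Upgrade";` is unconditional; `$connection_upgrade` from the map in user.envs.net.conf is the conditional form.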
@ -0,0 +1,40 @@
|
|||
### ZNC.ENVS.NET - local ###
|
||||
server {
|
||||
include snippets/listen_local.conf;
|
||||
include snippets/listen.conf;
|
||||
# include snippets/ddos_def.conf;
|
||||
server_name znc.envs.net bouncer.envs.net;
|
||||
|
||||
location / {
|
||||
return 307 https://$host$request_uri;
|
||||
}
|
||||
|
||||
location /.well-known/acme-challenge/ {
|
||||
alias /var/lib/letsencrypt/.well-known/acme-challenge/;
|
||||
}
|
||||
}
|
||||
|
||||
# SSL
|
||||
server {
|
||||
include snippets/listen_local_ssl.conf;
|
||||
include snippets/listen_ssl.conf;
|
||||
# include snippets/ddos_def.conf;
|
||||
server_name znc.envs.net bouncer.envs.net;
|
||||
|
||||
ssl_certificate /etc/letsencrypt/live/znc.envs.net/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/znc.envs.net/privkey.pem;
|
||||
ssl_trusted_certificate /etc/letsencrypt/live/znc.envs.net/chain.pem;
|
||||
ssl_dhparam /etc/ssl/certs/envs_dhparam.pem;
|
||||
|
||||
include snippets/ssl.conf;
|
||||
include snippets/local_ssl_header.conf;
|
||||
|
||||
error_log /var/log/nginx/znc.envs.net-error.log crit;
|
||||
|
||||
location / {
|
||||
include proxy_params;
|
||||
proxy_ssl_name $http_host;
|
||||
proxy_ssl_server_name on;
|
||||
proxy_pass https://znc.envs.net:6667;
|
||||
}
|
||||
}
|
|
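Review bot: `proxy_pass https://znc.envs.net:6667;` opens a TLS connection to the backend, but `proxy_ssl_verify` is left at its default of off, so the upstream certificate is never checked, and `proxy_ssl_name $http_host` sets the SNI from the client-supplied Host header instead of a fixed name. Adding `proxy_ssl_name znc.envs.net;`, `proxy_ssl_verify on;` and `proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;` (Debian-style CA bundle path; adjust for the target distribution) makes nginx actually authenticate the backend it hands the client's traffic to. If ZNC runs on this same host, as the "local" file header suggests but nothing here confirms, pointing proxy_pass at a loopback address and dropping the TLS hop would be simpler still; note also that nginx resolves the `znc.envs.net` name only once at startup.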
@ -0,0 +1 @@
|
|||
/etc/nginx/sites-available/bbj.envs.net.conf
|
|
@ -0,0 +1 @@
|
|||
/etc/nginx/sites-available/envs.net.conf
|
|
@ -0,0 +1 @@
|
|||
/etc/nginx/sites-available/envs.sh.conf
|
|
@ -0,0 +1 @@
|
|||
/etc/nginx/sites-available/git.envs.net.conf
|
|
@ -0,0 +1 @@
|
|||
/etc/nginx/sites-available/gopher.envs.net.conf
|
|
@ -0,0 +1 @@
|
|||
/etc/nginx/sites-available/help.envs.net.conf
|
|
@ -0,0 +1 @@
|
|||
/etc/nginx/sites-available/ip.envs.net.conf
|
|
@ -0,0 +1 @@
|
|||
/etc/nginx/sites-available/ip.envs.sh.conf
|
|
@ -0,0 +1 @@
|
|||
/etc/nginx/sites-available/lists.envs.net.conf
|
|
@ -0,0 +1 @@
|
|||
/etc/nginx/sites-available/mail.envs.net.conf
|