author | Silvino Silva <silvino@bk.ru> | 2020-02-07 03:41:45 +0000 |
---|---|---|
committer | Silvino Silva <silvino@bk.ru> | 2020-02-15 00:56:46 +0000 |
commit | a947a31ede27fdf995e0a63e766fcd68eb491426 (patch) | |
tree | 74c749814fc91a22148b637b90507c78c56e02c8 | |
parent | ac7c572733282e49801b16531d841682e3ab1b5a (diff) | |
download | doc-a947a31ede27fdf995e0a63e766fcd68eb491426.tar.gz |
System configuration update
43 files changed, 2338 insertions, 1354 deletions
diff --git a/core/apparmor.html b/core/apparmor.html index 65ee7c3..22b5183 100644 --- a/core/apparmor.html +++ b/core/apparmor.html 
@@ -1,202 +1,248 @@ <!DOCTYPE html> <html dir="ltr" lang="en"> <head> - <meta charset='utf-8'> - <title>2.6.1. AppArmor</title> + <meta charset='utf-8'> + <title>2.6.1. AppArmor</title> </head> <body> - <a href="index.html">Core OS Index</a> + <a href="index.html">Core OS Index</a> - <h1>2.6.1. AppArmor</h1> + <h1>2.6.1. AppArmor</h1> - <p>Check <a href="linux.html#configure">kernel configuration</a> or - use the provided with <a href="reboot.html#linux">linux-gnu</a> port - to support apparmor. <a href="https://gitlab.com/apparmor/apparmor/wikis/home">AppArmor</a> enforce rules on applications based - on security policies. User space tools are provided by apparmor port - and its dependencies, install them;</p> + <p>Check <a href="linux.html#configure">kernel configuration</a> or + use the provided with <a href="reboot.html#linux">linux-gnu</a> port + to support apparmor. <a href="https://gitlab.com/apparmor/apparmor/wikis/home">AppArmor</a> enforce rules on applications based + on security policies.</p> - <pre> - $ sudo prt-get depinst apparmor - </pre> - <p>Enable apparmor on linux by command line, create /etc/default/grub;</p> + <h2 id="install">2.6.1.1 Install</h2> - <pre> - GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT apparmor=1 security=apparmor" - </pre> + <p>User space tools are provided by apparmor port + and its dependencies, install them;</p> - <p>Add SecurityFS to /etc/fstab;</p> + <pre> + $ sudo prt-get depinst apparmor + </pre> - <pre> - none /sys/kernel/security securityfs defaults 0 0 - </pre> + <p>Enable apparmor on linux by command line, create /etc/default/grub;</p> - <p>Check status;</p> + <pre> + GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT apparmor=1 security=apparmor" + </pre> - <pre> - # apparmor_status - </pre> + <p>Add SecurityFS to /etc/fstab;</p> - <p>Utilities;</p> + <pre> + none /sys/kernel/security securityfs defaults 0 0 + </pre> - <pre> - aa-audit aa-disable aa-genprof aa-status - aa-autodep aa-easyprof 
aa-logprof aa-unconfined - aa-cleanprof aa-enabled aa-mergeprof - aa-complain aa-enforce aa-notify - aa-decode aa-exec aa-remove-unknown - </pre> + <p>Check status;</p> - <h2 id="profiles">Profiles</h2> + <pre> + # apparmor_status + </pre> - <p>Profiles are located at /etc/apparmor.d/ and - /usr/share/apparmor/extra-profiles contain profiles - that require testing;</p> - - <pre> - # cp -r /usr/share/apparmor/extra-profiles/* /etc/apparmor.d/ - # sudo rm /etc/apparmor.d/README - # bash /etc/rc.d/apparmor restart - </pre> - - <p>Profiles are parsed using - apparmor_parser;</p> - - <pre> - Usage: apparmor_parser [options] [profile] - - Options: - -------- - -a, --add Add apparmor definitions [default] - -r, --replace Replace apparmor definitions - -R, --remove Remove apparmor definitions - -C, --Complain Force the profile into complain mode - -B, --binary Input is precompiled profile - -N, --names Dump names of profiles in input. - -S, --stdout Dump compiled profile to stdout - -o n, --ofile n Write output to file n - -b n, --base n Set base dir and cwd - -I n, --Include n Add n to the search path - -f n, --subdomainfs n Set location of apparmor filesystem - -m n, --match-string n Use only features n - -M n, --features-file n Use only features in file n - -n n, --namespace n Set Namespace for the profile - -X, --readimpliesX Map profile read permissions to mr - -k, --show-cache Report cache hit/miss details - -K, --skip-cache Do not attempt to load or save cached profiles - -T, --skip-read-cache Do not attempt to load cached profiles - -W, --write-cache Save cached profile (force with -T) - --skip-bad-cache Don't clear cache if out of sync - --purge-cache Clear cache regardless of its state - --debug-cache Debug cache file checks - -L, --cache-loc n Set the location of the profile cache - -q, --quiet Don't emit warnings - -v, --verbose Show profile names as they load - -Q, --skip-kernel-load Do everything except loading into kernel - -V, --version Display version info 
and exit - -d [n], --debug Debug apparmor definitions OR [n] - -p, --preprocess Dump preprocessed profile - -D [n], --dump Dump internal info for debugging - -O [n], --Optimize Control dfa optimizations - -h [cmd], --help[=cmd] Display this text or info about cmd - -j n, --jobs n Set the number of compile threads - --max-jobs n Hard cap on --jobs. Default 8*cpus - --abort-on-error Abort processing of profiles on first error - --skip-bad-cache-rebuild Do not try rebuilding the cache if it is rejected by the kernel - --warn n Enable warnings (see --help=warn) - </pre> - - <h3 id="auto_profiles">Create profile with audit</h3> - - <p>Tools use log as a source to build profiles, it is - necessary to disable log rate limit;</p> - - <pre> - # sysctl -w kernel.printk_ratelimit=0 - </pre> - - <p>Start aa-genprof;</p> - - <pre> - $ sudo aa-genprof /usr/bin/lynx - </pre> - - <p>Execute application with all common application options - and parts. After initial automatic configuration enable profile in - complain mode. 
Use aa-logprof when rules need to be adapted.</p> - - <pre> - # aa-logprof -f /var/log/kernel - </pre> - - <p>Once profile rules become well defined enable profile in - enforce mode with aa-enforce;</p> - - <p>Monitor logs with aa-notify;</p> - - <pre> - # aa-notify --file=/var/log/kernel -u username -l - </pre> - - <p>And keep adjusting the rules with logprof;</p> - - <pre> - # aa-logprof -f /var/log/kernel - </pre> - - - <h3 id="man_profiles">Create profile manually</h3> - - <p>To create a new profile, let's say for lynx, - first find where the application is;</p> - - <pre> - $ whereis lynx - lynx: /usr/bin/lynx /usr/etc/lynx.lss /usr/etc/lynx.cfg /usr/etc/lynx.cfg~ /usr/share/man/man1/lynx.1.gz - </pre> - - <p>Now create a file with path to executable in - /etc/apparmor.d;</p> - - <pre> - # vim /etc/apparmor.d/usr.bin.lynx - </pre> - - <p>Create basic profile template;</p> - - <pre> - #include <tunables/global> - - profile lynx /usr/bin/lynx { - #include <abstractions/base> - } - </pre> - - <h3>Seed up profile loading</h3> - - <p>Every time apparmor loads a profile in text it needs - to compile into binary format, this takes some time if - there is many profiles to load at boot time. To optimize - edit /etc/apparmor/parser.conf;</p> - - <pre> - ## Turn creating/updating of the cache on by default - write-cache - </pre> - - <p>To change default location add;</p> + <p>Utilities;</p> + + <pre> + aa-audit aa-disable aa-genprof aa-status + aa-autodep aa-easyprof aa-logprof aa-unconfined + aa-cleanprof aa-enabled aa-mergeprof + aa-complain aa-enforce aa-notify + aa-decode aa-exec aa-remove-unknown + </pre> - <pre> - chache-loc=/var/cache/apparmor - </pre> + <h2 id="configure">6.2.1.2 Configure</h2> - <a href="index.html">Core OS Index</a> - <p>This is part of the Tribu System Documentation. - Copyright (C) 2020 - Tribu Team. 
- See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a> - for copying conditions.</p> + <p>Profiles are located at /etc/apparmor.d/ and + /usr/share/apparmor/extra-profiles contain profiles + that require testing;</p> + + <pre> + # cp -r /usr/share/apparmor/extra-profiles/* /etc/apparmor.d/ + # sudo rm /etc/apparmor.d/README + # bash /etc/rc.d/apparmor restart + </pre> + + <h2 id="profiles">6.2.1.3 Profiles</h2> + + <p>Profiles are parsed using + apparmor_parser;</p> + + <pre> + Usage: apparmor_parser [options] [profile] + + Options: + -------- + -a, --add Add apparmor definitions [default] + -r, --replace Replace apparmor definitions + -R, --remove Remove apparmor definitions + -C, --Complain Force the profile into complain mode + -B, --binary Input is precompiled profile + -N, --names Dump names of profiles in input. + -S, --stdout Dump compiled profile to stdout + -o n, --ofile n Write output to file n + -b n, --base n Set base dir and cwd + -I n, --Include n Add n to the search path + -f n, --subdomainfs n Set location of apparmor filesystem + -m n, --match-string n Use only features n + -M n, --features-file n Use only features in file n + -n n, --namespace n Set Namespace for the profile + -X, --readimpliesX Map profile read permissions to mr + -k, --show-cache Report cache hit/miss details + -K, --skip-cache Do not attempt to load or save cached profiles + -T, --skip-read-cache Do not attempt to load cached profiles + -W, --write-cache Save cached profile (force with -T) + --skip-bad-cache Don't clear cache if out of sync + --purge-cache Clear cache regardless of its state + --debug-cache Debug cache file checks + -L, --cache-loc n Set the location of the profile cache + -q, --quiet Don't emit warnings + -v, --verbose Show profile names as they load + -Q, --skip-kernel-load Do everything except loading into kernel + -V, --version Display version info and exit + -d [n], --debug Debug apparmor definitions OR [n] + -p, 
--preprocess Dump preprocessed profile + -D [n], --dump Dump internal info for debugging + -O [n], --Optimize Control dfa optimizations + -h [cmd], --help[=cmd] Display this text or info about cmd + -j n, --jobs n Set the number of compile threads + --max-jobs n Hard cap on --jobs. Default 8*cpus + --abort-on-error Abort processing of profiles on first error + --skip-bad-cache-rebuild Do not try rebuilding the cache if it is rejected by the kernel + --warn n Enable warnings (see --help=warn) + </pre> + + <h2 id="audit">2.6.1.4 Profile with audit</h2> + + <p>Tools use log as a source to build profiles, it is + necessary to disable log rate limit;</p> + + <pre> + # sysctl -w kernel.printk_ratelimit=0 + </pre> + + <p>Start aa-genprof;</p> + + <pre> + $ sudo aa-genprof /usr/bin/lynx + </pre> + + <p>Execute application with all common application options + and parts. After initial automatic configuration enable profile in + complain mode.</p> + + <pre> + $ sudo aa-complain lynx + </pre> + + <p>Use aa-logprof when rules need to be adapted.</p> + + <pre> + # aa-logprof -f /var/log/kernel + </pre> + + <p>Reload profile with the new settings;</p> + + <pre> + # apparmor_parser -r lynx + </pre> + + <p>Once profile rules become well defined enable profile in + enforce mode with aa-enforce;</p> + + <p>Monitor logs with aa-notify;</p> + + <pre> + # aa-notify --file=/var/log/kernel -u username -l + </pre> + + <p>And keep adjusting the rules with logprof;</p> + + <pre> + # aa-logprof -f /var/log/kernel + </pre> + + <h2 id="edit">2.6.1.5 Edit profiles</h2> + + <h3>File Globing</h3> + + <dl> + <dt>/dir/file</dt><dd>match a specific file</dd> + <dt>/dir/*</dt><dd>match any files in a directory (including dot files)</dd> + <dt>/dir/a*</dt><dd>match any file in a directory starting with 'a'</dd> + <dt>/dir/*.png</dt><dd>match any file in a directory ending with '.png'</dd> + <dt>/dir/[^.]*</dt><dd>match any file in a directory except dot files</dd> + <dt>/dir/</dt><dd>match a 
directory</dd> + <dt>/dir/*/</dt><dd>match any directory within /dir/</dd> + <dt>/dir/a*/</dt><dd>match any directory within /dir/ starting with a</dd> + <dt>/dir/*a/</dt><dd>match any directory within /dir/ ending with a</dd> + <dt>/dir/**</dt><dd>match any file or directory in or below /dir/</dd> + <dt>/dir/**/</dt><dd>match any directory in or below /dir/</dd> + <dt>/dir/**[^/]</dt><dd>match any file in or below /dir/</dd> + <dt>/dir{,1,2}/**</dt><dd> - match any file or directory in or below /dir/, /dir1/, and /dir2/</dd> + </dl> + + <h3>File Permissions</h3> + + <dl> + <dt>r</dt><dd>read</dd> + <dt>w</dt><dd>write</dd> + <dt>a</dt><dd>append (implied by w)</dd> + <dt>m</dt><dd>memory map executable</dd> + <dt>k</dt><dd>lock (requires r or w, AppArmor 2.1 and later)</dd> + <dt>l</dt><dd>link</dd> + + <dt>x</dt><dd>execute</dd> + </dl> + + <dl> + <dt>ux</dt><dd>Execute unconfined (preserve environment) -- WARNING: should only be used in very special cases</dd> + <dt>Ux</dt><dd>Execute unconfined (scrub the environment)</dd> + <dt>px</dt><dd>Execute under a specific profile (preserve the environment) -- WARNING: should only be used in special cases</dd> + <dt>Px</dt><dd>Execute under a specific profile (scrub the environment)</dd> + <dt>pix</dt><dd>as px but fallback to inheriting the current profile if the target profile is not found</dd> + <dt>Pix</dt><dd>as Px but fallback to inheriting the current profile if the target profile is not found</dd> + <dt>pux</dt><dd>as px but fallback to executing unconfined if the target profile is not found</dd> + <dt>Pux</dt><dd>as Px but fallback to executing unconfined if the target profile is not found</dd> + <dt>ix<dt><dd>Execute and inherit the current profile</dd> + <dt>cx<dt><dd>Execute and transition to a child profile (preserve the environment)</dd> + <dt>Cx<dt><dd>Execute and transition to a child profile (scrub the environment)</dd> + <dt>cix<dt><dd>as cx but fallback to inheriting the current profile if the target 
profile is not found</dd> + <dt>Cix<dt><dd>as Cx but fallback to inheriting the current profile if the target profile is not found</dd> + <dt>cux<dt><dd>as cx but fallback to executing unconfined if the target profile is not found</dd> + <dt>Cux<dt><dd>as Cx but fallback to executing unconfined if the target profile is not found</dd> + </dl> + + <p>The owner keyword can be used as a qualifier making permission conditional on owning the file (process fsuid == file's uid).</p> + + <p>Read <a href="https://gitlab.com/apparmor/apparmor/-/wikis/QuickProfileLanguage">Profile Language</a> for more information.</p> + + <h2 id="speedup">2.6.1.6 Speedup startup</h2> + + <p>Every time apparmor loads a profile in text it needs + to compile into binary format, this takes some time if + there is many profiles to load at boot time. To optimize + edit /etc/apparmor/parser.conf;</p> + + <pre> + ## Turn creating/updating of the cache on by default + write-cache + </pre> + + <p>To change default location add;</p> + + <pre> + chache-loc=/var/cache/apparmor + </pre> + + <a href="index.html">Core OS Index</a> + <p>This is part of the Tribu System Documentation. + Copyright (C) 2020 + Tribu Team. + See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a> + for copying conditions.</p> </body> </html> diff --git a/core/conf/dracut.conf b/core/conf/dracut.conf new file mode 100644 index 0000000..eda69fd --- /dev/null +++ b/core/conf/dracut.conf 
@@ -0,0 +1,19 @@ +# PUT YOUR CONFIG IN separate files +# in /etc/dracut.conf.d named "<name>.conf" + +# Equivalent to -H +hostonly="no" + +# Mount / and /usr read-only by default. +ro_mnt="yes" + +# Equivalent to -m "module module module" +dracutmodules+="dash kernel-modules rootfs-block udev-rules usrmount base fs-lib shutdown" + +# Equivalent to -a "module" +add_dracutmodules+="caps debug crypt lvm" + +# Equivalent to -o "module" +omit_dracutmodules+="systemd systemd-bootchart systemd-networkd systemd-initrd" + +# SEE man dracut.conf(5) for options diff --git a/core/conf/fstab b/core/conf/fstab index 99fead9..23dd98c 100644 --- a/core/conf/fstab +++ b/core/conf/fstab @@ -25,6 +25,7 @@ none /sys/kernel/security securityfs defau devpts /dev/pts devpts noexec,nosuid,gid=tty,mode=0620 0 0 shm /dev/shm tmpfs defaults 0 0 tmp /tmp tmpfs defaults,noatime,nosuid,nodev,noexec,size=128M 0 0 + UUID=3b408790-65e1-4638-9591-7ba61f266913 /boot ext4 defaults,ro,noatime 0 2 UUID=962D-0DE1 /boot/efi vfat ro,noauto,umask=0077 0 2 UUID=f2336a56-fbe6-444c-bdbf-f0e6c209c237 /var ext4 defaults,nodev,noexec,nosuid,errors=remount-ro 0 2 diff --git a/core/conf/pkgmk.conf b/core/conf/pkgmk.conf index 643abcc..3ae582d 100644 --- a/core/conf/pkgmk.conf +++ b/core/conf/pkgmk.conf 
@@ -12,18 +12,14 @@ export MAKEFLAGS="-j $JOBS" # ccache settings #export PATH="/usr/lib/ccache/:$PATH" #export CCACHE_DIR="/usr/ports/ccache" -#export CCACHE_COMPILERCHECK="%compiler% -dumpversion; crux" - -# compile using ccache and distcc #export CCACHE_PREFIX="distcc" -#export DISTCC_HOSTS="localhost/4 c11/2" +#export CCACHE_COMPILERCHECK="%compiler% -dumpversion; crux" ## compile using distcc without ccache -#export PATH="/usr/lib/distcc/:$PATH" -#export DISTCC_HOSTS="localhost/4,lzo,cpp xborg/4,lzo,cpp" -#export PUMP_BUILD=yes +##export PATH="/usr/lib/distcc/:$PATH" # distcc settings +#export DISTCC_HOSTS="localhost/4,lzo,cpp xborg/4,lzo,cpp" #export JOBS=$(/usr/bin/distcc -j 2> /dev/null) #export DISTCC_DIR="/usr/ports/distcc" #export MAKEFLAGS="-j ${JOBS}" diff --git a/core/conf/prt-get.conf b/core/conf/prt-get.conf index 8e88333..d248d24 100644 --- a/core/conf/prt-get.conf +++ b/core/conf/prt-get.conf @@ -4,18 +4,31 @@ # note: the order matters: the package found first is used prtdir /usr/ports/core +prtdir /usr/ports/ports prtdir /usr/ports/opt prtdir /usr/ports/xorg +prtdir /usr/ports/contrib +prtdir /usr/ports/mate +#prtdir /usr/ports/kde5 +#prtdir /usr/ports/romster +#prtdir /usr/ports/tb +#prtdir /usr/ports/timcowchip +#prtdir /usr/ports/6c37 +#prtdir /usr/ports/nilp +#prtdir /usr/ports/nullspoon +#prtdir /usr/ports/dbrooke +#prtdir /usr/ports/pitillo + +# 6c37 team provides a collection with freetype-iu, fontconfig-iu +# and cairo-iu ports. +# the following line enables the user maintained contrib collection +# prtdir /usr/ports/6c37-dropin +# prtdir /usr/ports/6c37 + # the following line enables the multilib compat-32 collection #prtdir /usr/ports/compat-32 -# the following line enables the user maintained contrib collection -prtdir /usr/ports/contrib -prtdir /usr/ports/ports -prtdir /usr/ports/mate -prtdir /usr/ports/kde5 - ### use mypackage form local directory # prtdir /home/packages/build:mypackage 
@@ -23,7 +36,7 @@ prtdir /usr/ports/kde5 writelog enabled # (enabled|disabled) logmode overwrite # (append|overwrite) rmlog_on_success yes # (no|yes) -logfile /usr/ports/pkgbuild/%n.log +logfile /usr/ports/pkgbuild/%n-%v-%r.log # path, %p=path to port dir, %n=port name # %v=version, %r=release @@ -34,7 +47,7 @@ logfile /usr/ports/pkgbuild/%n.log readme verbose # (verbose|compact|disabled) ### prefer higher versions in sysup / diff -preferhigher yes # (yes|no) +preferhigher yes # (yes|no) ### use regexp search # useregex no # (yes|no) @@ -43,10 +56,11 @@ preferhigher yes # (yes|no) ### --install-scripts option runscripts yes # (no|yes) + ### EXPERT SECTION ### ### alternative commands -makecommand sudo -H -u pkgmk fakeroot pkgmk +makecommand sudo -H -u pkgmk -g pkgmk fakeroot pkgmk addcommand sudo pkgadd removecommand sudo pkgrm runscriptcommand sudo sh diff --git a/core/conf/skel/.bashrc b/core/conf/skel/.bashrc index 55d1c78..f562e3c 100644 --- a/core/conf/skel/.bashrc +++ b/core/conf/skel/.bashrc @@ -55,9 +55,9 @@ gloga () { alias tmux="tmux -2" # Virtual Crux machine -alias c1.ank="ssh c1.ank -t tmux a" -alias c2.ank="ssh c2.ank -t tmux a" -alias c9.ank="ssh c9.ank -t tmux a" +alias c1.ank="ssh c1 -t tmux a" +alias c2.ank="ssh c2 -t tmux a" +alias c9.ank="ssh c9 -t tmux a" alias pkg_mirror="pkg_bin -f /usr/ports/mirror_bin_db" alias pkg_update="pkg_bin -r /usr/ports/mirror_bin_db" diff --git a/core/conf/skel/.profile b/core/conf/skel/.profile index 1c8aa8b..7e15d10 100644 --- a/core/conf/skel/.profile +++ b/core/conf/skel/.profile @@ -11,7 +11,8 @@ function start_agent { echo succeeded chmod 600 "${SSH_ENV}" . "${SSH_ENV}" > /dev/null - /usr/bin/ssh-add; + # KEY_NAME with default key to load + /usr/bin/ssh-add ~/.ssh/KEY_NAME; } # Source SSH settings, if applicable diff --git a/core/conf/sysctl.conf b/core/conf/sysctl.conf index 3cc54d1..2a8723b 100644 --- a/core/conf/sysctl.conf +++ b/core/conf/sysctl.conf 
@@ -34,6 +34,8 @@ kernel.kptr_restrict = 2 # net.core.bpf_jit_enable = 0 +# harden all code +net.core.bpf_jit_harden = 2 # Increase Linux auto tuning TCP buffer limits # min, default, and max number of bytes to use @@ -54,13 +56,13 @@ net.ipv6.conf.default.disable_ipv6 = 1 net.ipv6.conf.lo.disable_ipv6 = 1 # Tuen IPv6 -#net.ipv6.conf.default.router_solicitations = 0 -#net.ipv6.conf.default.accept_ra_rtr_pref = 0 -#net.ipv6.conf.default.accept_ra_pinfo = 0 -#net.ipv6.conf.default.accept_ra_defrtr = 0 -#net.ipv6.conf.default.autoconf = 0 -#net.ipv6.conf.default.dad_transmits = 0 -#net.ipv6.conf.default.max_addresses = 0 +net.ipv6.conf.default.router_solicitations = 0 +net.ipv6.conf.default.accept_ra_rtr_pref = 0 +net.ipv6.conf.default.accept_ra_pinfo = 0 +net.ipv6.conf.default.accept_ra_defrtr = 0 +net.ipv6.conf.default.autoconf = 0 +net.ipv6.conf.default.dad_transmits = 0 +net.ipv6.conf.default.max_addresses = 0 # Avoid a smurf attack, ping scanning net.ipv4.icmp_echo_ignore_broadcasts = 1 @@ -140,4 +142,3 @@ net.ipv4.tcp_keepalive_time = 1800 net.ipv4.tcp_synack_retries = 3 # End of file - diff --git a/core/index.html b/core/index.html index 639ffda..5a914fd 100644 --- a/core/index.html +++ b/core/index.html 
@@ -1,164 +1,173 @@ <!DOCTYPE html> <html dir="ltr" lang="en"> <head> - <meta charset='utf-8'> - <title>Core OS</title> + <meta charset='utf-8'> + <title>Core OS</title> </head> <body> - <a href="../index.html">Documentation Index</a> - - <h1>Core OS</h1> - - <p>Core OS covers installation and configuration of - basic functionality of Crux 3.5 Gnu\Linux operating system. - This documentation try's to follow Crux HandBook installation - method diverges, for example, by only installing and - documenting gpt and grub2.<p> - - <p>Read <a href="https://crux.nu/Main/Handbook3-5">Crux HandBook</a>, - you can ask for help on freenode #crux. Check <a href="scripts/">scripts</a> - folder the install process is automated and <a href="ports/">ports</a> - for extra ports used during the installation.</p> - - <h2>1. Install Crux 3.5 Gnu/Linux</h2> - - <ul> - <li><a href="install.html">1.1. Install Crux 3.5</a> - <ul> - <li><a href="install.html#step1">1.1.1. Download</a></li> - <li><a href="install.html#step2">1.1.2. Prepare target</a></li> - <li><a href="install.html#step3">1.1.3. Prepare install</a></li> - <li><a href="install.html#step4">1.1.4. Install</a></li> - <li><a href="install.html#step5">1.1.5. Install extra packages</a></li> - <li><a href="install.html#step6">1.1.6. Install extra ports</a></li> - <li><a href="install.html#step7">1.1.7. DNS Resolver</a></li> - <li><a href="install.html#step8">1.1.8. Install Handbook</a></li> - <li><a href="install.html#step9">1.1.9. Install Skeletons</a></li> - </ul> - </li> - - <li><a href ="configure.html">1.2. Configure</a> - <ul> - <li><a href="configure.html#hostname">1.2.1. Set hostname and hosts</a></li> - <li><a href="configure.html#time">1.2.2. Set timezone</a></li> - <li><a href="configure.html#locale">1.2.3. Set lacale</a></li> - <li><a href="configure.html#user">1.2.4. Users</a></li> - <li><a href="configure.html#fstab">1.2.5. File system table</a></li> - <li><a href="configure.html#rcconf">1.2.6. 
Initialization scripts</a></li> - </ul> - </li> - <li><a href="reboot.html">1.3. Boot</a> - <ul> - <li><a href="reboot.html#linux">1.3.1. Kernel</a></li> - <li><a href="reboot.html#dracut">1.3.2. Dracut</a></li> - <li><a href="reboot.html#grub">1.3.3. Grub</a></li> - <li><a href="reboot.html#recover">1.3.4. Recover</a></li> - <li><a href="reboot.html#checkup">1.3.5. Checkup</a></li> - </ul> - </li> - - <li><a href="ports.html">1.4. Ports</a> - <ul> - <li><a href="ports.html#filesystem">1.4.1. Ports layout</a></li> - <li><a href="ports.html#fakeroot">1.4.2. Build as user</a></li> - <li><a href="ports.html#pkgmk">1.4.3. Configure pkgmk</a></li> - <li><a href="ports.html#prtget">1.4.4. Configure prt-get</a></li> - <li><a href="ports.html#distcc">1.4.5. Ccache and distcc</a></li> - </ul> - </li> - - - </ul> - - <h2>2. System Administration</h2> - - <ul> - - <li><a href="linux.html">2.1. Linux Kernel</a> - <ul> - <li><a href="linux.html#download">2.1.1. Download</a></li> - - <li><a href="linux.html#configure">2.1.2. Configure</a> - <ul> - <li><a href="linux.html#general">2.1.2.1. General Setup</a></li> - <li><a href="linux.html#mod">2.1.2.2, Enable loadable module support</a></li> - <li><a href="linux.html#block">2.1.2.3. Enable the block layer</a></li> - <li><a href="linux.html#proc">2.1.2.4. Processor type and features</a></li> - <li><a href="linux.html#acpi">2.1.2.5 Power management and ACPI options</a></li> - <li><a href="linux.html#bus">2.1.2.6. Bus options (PCI etc.)</a></li> - <li><a href="linux.html#exec">2.1.2.7. Executable file formats / Emulations</a></li> - <li><a href="linux.html#net">2.1.2.8. Networking support</a></li> - <li><a href="linux.html#drivers">2.1.2.9. Device Drivers</a></li> - <li><a href="linux.html#firm">2.1.2.10. Firmware Drivers</a></li> - <li><a href="linux.html#fs">2.1.2.11. File systems</a></li> - <li><a href="linux.html#hack">2.1.2.12. Kernel hacking</a></li> - <li><a href="linux.html#sec">2.1.2.13. 
Security options</a></li> - <li><a href="linux.html#crypt">2.1.2.14. Cryptographic API</a></li> - <li><a href="linux.html#virt">2.1.2.15. Virtualization</a></li> - <li><a href="linux.html#lib">2.1.2.16. Library routines</a></li> - </ul> - - </li> - <li><a href="linux.html#build">2.1.3. Build</a></li> - <li><a href="linux.html#install">2.1.5. Install</a></li> - <li><a href="linux.html#remove">2.1.6. Remove</a></li> - </ul> - </li> - <li><a href="network.html">2.2. Network</a> - <ul> - <li><a href="network.html#resolv">2.2.1. Resolver</a></li> - <li><a href="network.html#static">2.2.2. Static ip</a></li> - <li><a href="network.html#iptables">2.2.3. Iptables</a></li> - <li><a href="network.html#wpa">2.2.4. Wpa and dhcpd</a></li> - <li><a href="network.html#nm">2.2.5. NetworkManager</a></li> - </ul> - </li> - <li><a href="package.html">2.3. Package Management</a> - <ul> - <li><a href="package.html#sysup">2.3.1. Update system</a></li> - <li><a href="package.html#depinst">2.3.2. Install ports and dependencies</a></li> - <li><a href="package.html#ports">2.3.3. Ports collections</a></li> - <li><a href="package.html#info">2.3.3. Show port information</a></li> - <li><a href="package.html#depends">2.3.4. Show port dependencies</a></li> - <li><a href="package.html#printf">2.3.5. Print information</a></li> - </ul> - </li> - <li><a href="tty-terminal.html">2.4. Terminals and shells</a> - <ul> - <li><a href="dash.html">2.4.1. Dash</a></li> - <li><a href="bash.html">2.4.2. Bash</a></li> - <li><a href="tmux.html">2.4.3. Tmux</a></li> - </ul> - </li> - <li><a href="exim.html">2.5. Exim</a> - <ul> - <li><a href="exim.html#conf">2.5.1. Exim configuration</a></li> - <li><a href="exim.html#cert">2.5.2. Certificates</a></li> - <li><a href="exim.html#alias">2.5.3. Aliases</a></li> - <li><a href="exim.html#smarthost">2.5.4. Smarthost</a></li> - <li><a href="exim.html#fetchmail">2.5.5. Fetchmail</a></li> - </ul> - </li> - <li><a href="hardening.html">2.6. 
Hardening</a> - <ul> - <li><a href="apparmor.html">2.6.1. AppArmor</a></li> - <li><a href="sysctl.html">2.6.2. Sysctl</a></li> - <li><a href="toolchain.html">2.6.3. Toolchain</a></li> - <li><a href="samhain.html">2.6.4. Samhain</a></li> - </ul> - </li> - - </ul> - - <a href="../index.html">Documentation Index</a> - - <p> - This is part of the Tribu System Documentation. - Copyright (C) 2020 - Tribu Team. - See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a> - for copying conditions.</p> + <a href="../index.html">Documentation Index</a> + + <h1>Core OS</h1> + + <p>Core OS covers installation and configuration of + basic functionality of Crux 3.5 Gnu\Linux operating system. + This documentation try's to follow Crux HandBook installation + method diverges, for example, by only installing and + documenting gpt and grub2.<p> + + <p>Read <a href="https://crux.nu/Main/Handbook3-5">Crux HandBook</a>, + you can ask for help on freenode #crux. Check <a href="scripts/">scripts</a> + folder the install process is automated and <a href="ports/">ports</a> + for extra ports used during the installation.</p> + + <h2>1. Install Crux 3.5 Gnu/Linux</h2> + + <ul> + <li><a href="install.html">1.1. Install Crux 3.5</a> + <ul> + <li><a href="install.html#step1">1.1.1. Download</a></li> + <li><a href="install.html#step2">1.1.2. Prepare target</a></li> + <li><a href="install.html#step3">1.1.3. Prepare install</a></li> + <li><a href="install.html#step4">1.1.4. Install</a></li> + <li><a href="install.html#step5">1.1.5. Install extra packages</a></li> + <li><a href="install.html#step6">1.1.6. Install extra ports</a></li> + <li><a href="install.html#step7">1.1.7. DNS Resolver</a></li> + <li><a href="install.html#step8">1.1.8. Install Handbook</a></li> + <li><a href="install.html#step9">1.1.9. Install Skeletons</a></li> + </ul> + </li> + + <li><a href ="configure.html">1.2. Configure</a> + <ul> + <li><a href="configure.html#hostname">1.2.1. 
Set hostname and hosts</a></li> + <li><a href="configure.html#time">1.2.2. Set timezone</a></li> + <li><a href="configure.html#locale">1.2.3. Set lacale</a></li> + <li><a href="configure.html#user">1.2.4. Users</a></li> + <li><a href="configure.html#fstab">1.2.5. File system table</a></li> + <li><a href="configure.html#rcconf">1.2.6. Initialization scripts</a></li> + </ul> + </li> + <li><a href="reboot.html">1.3. Boot</a> + <ul> + <li><a href="reboot.html#linux">1.3.1. Kernel</a></li> + <li><a href="reboot.html#dracut">1.3.2. Dracut</a></li> + <li><a href="reboot.html#grub">1.3.3. Grub</a></li> + <li><a href="reboot.html#recover">1.3.4. Recover</a></li> + <li><a href="reboot.html#checkup">1.3.5. Checkup</a></li> + </ul> + </li> + + <li><a href="ports.html">1.4. Ports</a> + <ul> + <li><a href="ports.html#filesystem">1.4.1. Ports layout</a></li> + <li><a href="ports.html#fakeroot">1.4.2. Build as user</a></li> + <li><a href="ports.html#pkgmk">1.4.3. Configure pkgmk</a></li> + <li><a href="ports.html#prtget">1.4.4. Configure prt-get</a></li> + <li><a href="ports.html#distcc">1.4.5. Ccache and distcc</a></li> + </ul> + </li> + + + </ul> + + <h2>2. System Administration</h2> + + <ul> + + <li><a href="linux.html">2.1. Linux Kernel</a> + <ul> + <li><a href="linux.html#download">2.1.1. Download</a></li> + + <li><a href="linux.html#configure">2.1.2. Configure</a> + <ul> + <li><a href="linux.html#general">2.1.2.1. General Setup</a></li> + <li><a href="linux.html#mod">2.1.2.2, Enable loadable module support</a></li> + <li><a href="linux.html#block">2.1.2.3. Enable the block layer</a></li> + <li><a href="linux.html#proc">2.1.2.4. Processor type and features</a></li> + <li><a href="linux.html#acpi">2.1.2.5 Power management and ACPI options</a></li> + <li><a href="linux.html#bus">2.1.2.6. Bus options (PCI etc.)</a></li> + <li><a href="linux.html#exec">2.1.2.7. Executable file formats / Emulations</a></li> + <li><a href="linux.html#net">2.1.2.8. 
Networking support</a></li> + <li><a href="linux.html#drivers">2.1.2.9. Device Drivers</a></li> + <li><a href="linux.html#firm">2.1.2.10. Firmware Drivers</a></li> + <li><a href="linux.html#fs">2.1.2.11. File systems</a></li> + <li><a href="linux.html#hack">2.1.2.12. Kernel hacking</a></li> + <li><a href="linux.html#sec">2.1.2.13. Security options</a></li> + <li><a href="linux.html#crypt">2.1.2.14. Cryptographic API</a></li> + <li><a href="linux.html#virt">2.1.2.15. Virtualization</a></li> + <li><a href="linux.html#lib">2.1.2.16. Library routines</a></li> + </ul> + + </li> + <li><a href="linux.html#build">2.1.3. Build</a></li> + <li><a href="linux.html#install">2.1.5. Install</a></li> + <li><a href="linux.html#remove">2.1.6. Remove</a></li> + </ul> + </li> + <li><a href="network.html">2.2. Network</a> + <ul> + <li><a href="network.html#resolv">2.2.1. Resolver</a></li> + <li><a href="network.html#static">2.2.2. Static ip</a></li> + <li><a href="network.html#iptables">2.2.3. Iptables</a></li> + <li><a href="network.html#wpa">2.2.4. Wpa and dhcpd</a></li> + <li><a href="network.html#nm">2.2.5. NetworkManager</a></li> + </ul> + </li> + <li><a href="package.html">2.3. Package Management</a> + <ul> + <li><a href="package.html#sysup">2.3.1. Update system</a></li> + <li><a href="package.html#depinst">2.3.2. Install ports and dependencies</a></li> + <li><a href="package.html#ports">2.3.3. Ports collections</a></li> + <li><a href="package.html#info">2.3.3. Show port information</a></li> + <li><a href="package.html#depends">2.3.4. Show port dependencies</a></li> + <li><a href="package.html#printf">2.3.5. Print information</a></li> + </ul> + </li> + <li><a href="tty-terminal.html">2.4. Terminals and shells</a> + <ul> + <li><a href="dash.html">2.4.1. Dash</a></li> + <li><a href="bash.html">2.4.2. Bash</a></li> + <li><a href="tmux.html">2.4.3. Tmux</a></li> + </ul> + </li> + <li><a href="exim.html">2.5. Exim</a> + <ul> + <li><a href="exim.html#conf">2.5.1. 
Exim configuration</a></li> + <li><a href="exim.html#cert">2.5.2. Certificates</a></li> + <li><a href="exim.html#alias">2.5.3. Aliases</a></li> + <li><a href="exim.html#smarthost">2.5.4. Smarthost</a></li> + <li><a href="exim.html#fetchmail">2.5.5. Fetchmail</a></li> + </ul> + </li> + <li><a href="hardening.html">2.6. Hardening</a> + <ul> + <li><a href="apparmor.html">2.6.1. AppArmor</a> + <ul> + <li><a href="apparmor#install">2.6.1.1 Install</h2></li> + <li><a href="apparmor#configure">6.2.1.2 Configure</h2></li> + <li><a href="apparmor#profiles">6.2.1.3 Profiles</h2></li> + <li><a href="apparmor#audit">2.6.1.4 Profile with audit</h2></li> + <li><a href="apparmor#edit">2.6.1.5 Edit profiles</h2></li> + <li><a href="apparmor#speedup">2.6.1.6 Speedup startup</h2></li> + </ul> + </li> + <li><a href="sysctl.html">2.6.2. Sysctl</a></li> + <li><a href="toolchain.html">2.6.3. Toolchain</a></li> + <li><a href="samhain.html">2.6.4. Samhain</a></li> + </ul> + </li> + + </ul> + + <a href="../index.html">Documentation Index</a> + + <p> + This is part of the Tribu System Documentation. + Copyright (C) 2020 + Tribu Team. + See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a> + for copying conditions.</p> </body> </html> diff --git a/index.html b/index.html index d566ccf..56b3b40 100644 --- a/index.html +++ b/index.html @@ -38,7 +38,7 @@ <p>Version;</p> <pre> - rev 0.6.0 + rev 0.6.2 </pre> <a href="links.html">Links</a> contains relevant diff --git a/tools/conf/etc/dnsmasq.conf b/tools/conf/etc/dnsmasq.conf index c7dd4cd..b6267fa 100644 --- a/tools/conf/etc/dnsmasq.conf +++ b/tools/conf/etc/dnsmasq.conf @@ -69,7 +69,7 @@ no-poll # Add other name servers here, with domain specs if they are for # non-public domains. #server=/localnet/192.168.0.1 -#server=127.0.0.1#40 +#server=10.0.0.4#40 #server=213.73.91.35 #server=37.235.1.174 #server=84.200.69.80 
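Review bot: the six new AppArmor sub-entries in the core/index.html hunk are broken in three ways. The hrefs `apparmor#install`, `apparmor#configure` and so on drop the `.html` suffix every other entry in this list uses, so they point at a non-existent `apparmor` path; each `<a>` is closed with `</h2>` instead of `</a>`, leaving six unclosed anchors inside the `<ul>`; and the numbering jumps to `6.2.1.2 Configure` and `6.2.1.3 Profiles` under a parent numbered 2.6.1. Suggest `<li><a href="apparmor.html#configure">2.6.1.2 Configure</a></li>` and the same shape for the other five.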
@@ -89,7 +89,6 @@ local=/ank/ # The example below send any host in double-click.net to a local # web-server. address=/tribu.semdestino.org/10.0.0.4 -#address=/tribu.semdestino.org/192.168.1.5 #host-record=tribu.semdestino.org,10.0.0.4 #host-record=tribu.semdestino.org,192.168.1.67 @@ -128,9 +127,9 @@ interface=wlp7s0 #except-interface=wlp7s0 #except-interface=enp8s0 -# Or which to listen on by address (remember to include 127.0.0.1 if +# Or which to listen on by address (remember to include 10.0.0.4 if # you use this.) -#listen-address=127.0.0.1 +#listen-address=10.0.0.4 #listen-address=10.0.0.254 #listen-address=192.168.1.33 @@ -178,11 +177,17 @@ dhcp-option=15,ank # Same idea, but range rather then subnet #domain=reserved.thekelleys.org.uk,192.68.3.100,192.168.3.200 -#address=/.akamai.net/127.0.0.1 -address=/.firefox.com/127.0.0.1 -#address=/.google.com/127.0.0.1 -address=/.stripe.com/127.0.0.1 -address=/.mozilla.com/127.0.0.1 +address=/.akamai.net/10.0.0.4 +address=/.akamaitechnologies.com/10.0.0.4 +address=/.firefox.com/10.0.0.4 +#address=/.google.com/10.0.0.4 +address=/.stripe.com/10.0.0.4 +address=/.mozilla.com/10.0.0.4 +address=/.amazonaws.com/10.0.0.4 +address=/.amazontrust.com/10.0.0.4 +address=/.1e100.net/10.0.0.4 +address=/.1e100.net/10.0.0.4 +address=/.ank.sec-t4net-srv/10.0.0.4 # Uncomment this to enable the integrated DHCP server, you need # to supply the range of addresses available for lease and optionally diff --git a/tools/conf/etc/logrotate.conf b/tools/conf/etc/logrotate.conf index 896b779..636dffb 100644 --- a/tools/conf/etc/logrotate.conf +++ b/tools/conf/etc/logrotate.conf @@ -9,13 +9,10 @@ rotate 4 create # uncomment this if you want your log files compressed -compress +#compress olddir /var/log/old - -notifempty - -maxsize 5M +maxsize 1M # some packages can drop log rotation information into # this directory 
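Review bot: in the dnsmasq blocklist hunk the sinkhole target moves from 127.0.0.1 to 10.0.0.4, which is the address the nginx `default_server` in this same commit listens on, so every lookup of `.akamai.net`, `.amazonaws.com`, `.mozilla.com` and the rest now terminates on the public TLS listener and shows up as certificate errors on clients and noise in the `nginx_vhost` logs; `0.0.0.0` (or keeping 127.0.0.1) is the usual sinkhole. `address=/.1e100.net/10.0.0.4` is also listed twice. In the first logrotate.conf hunk the global `compress` is commented out, `notifempty` removed and `maxsize` cut to 1M; that is fine where each entry sets its own options, but `/var/log/wtmp` and `/var/log/btmp` further down set none, so with `rotate 1` and no compression `btmp` keeps a single month of failed-login history.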
@@ -23,111 +20,297 @@ include /etc/logrotate.d # few generic files to rotate /var/log/wtmp { + monthly create 0644 root root - rotate 5 + rotate 1 } /var/log/btmp { + monthly create 0600 root root - rotate 5 + rotate 1 } # system-specific logs may be also be configured here. -/var/log/faillog { - maxsize 5M +/var/log/auth { + missingok + notifempty + compress + delaycompress + sharedscripts + postrotate + /etc/init.d/syslog-ng reload + endscript } -/var/log/lastlog { - maxsize 5M +/var/log/sudo { + missingok + notifempty + compress + delaycompress + sharedscripts + postrotate + /etc/init.d/syslog-ng reload + endscript } -/var/log/auth { - create 0644 root root - rotate 5 - sharedscripts +/var/log/cron { + missingok + notifempty + compress + delaycompress + sharedscripts + postrotate + /etc/init.d/syslog-ng reload + endscript +} + +/var/log/daemon { + rotate 7 + missingok + notifempty + compress + delaycompress + sharedscripts + postrotate + /etc/init.d/syslog-ng reload + endscript +} + +/var/log/debug { + missingok + notifempty + compress + delaycompress + sharedscripts + postrotate + /etc/init.d/syslog-ng reload + endscript +} + +/var/log/error { + missingok + notifempty + compress + delaycompress + sharedscripts + postrotate + /etc/init.d/syslog-ng reload + endscript +} + +/var/log/iptables { + # uncomment this if you want your log files compressed + delaycompress + compress postrotate - if [ -f /var/run/syslog-ng.pid ]; then \ - kill -HUP `cat /var/run/syslog-ng.pid`; \ - fi; + /etc/rc.d/syslog-ng reload >/dev/null endscript } -/var/log/cron { - create 0644 root root - rotate 5 - sharedscripts +/var/log/kernel { + missingok + notifempty + compress + delaycompress + sharedscripts + postrotate + /etc/init.d/syslog-ng reload + endscript +} + +/var/log/lpr { + missingok + notifempty + compress + delaycompress + sharedscripts + postrotate + /etc/init.d/syslog-ng reload + endscript +} + +/var/log/mail.err { + missingok + notifempty + compress + delaycompress + 
sharedscripts + postrotate + /etc/init.d/syslog-ng reload + endscript +} + +/var/log/mail.info { + missingok + notifempty + compress + delaycompress + sharedscripts + postrotate + /etc/init.d/syslog-ng reload + endscript +} + +/var/log/mail { + missingok + notifempty + compress + delaycompress + sharedscripts + postrotate + /etc/init.d/syslog-ng reload + endscript +} + +/var/log/mail.warn { + missingok + notifempty + compress + delaycompress + sharedscripts + postrotate + /etc/init.d/syslog-ng reload + endscript +} + +/var/log/messages { + missingok + notifempty + compress + delaycompress + sharedscripts + postrotate + /etc/init.d/syslog-ng reload + endscript +} + + +/var/log/user { + missingok + notifempty + compress + delaycompress + sharedscripts + postrotate + /etc/init.d/syslog-ng reload + endscript +} + +/var/log/uucp { + missingok + notifempty + compress + delaycompress + sharedscripts + postrotate + /etc/init.d/syslog-ng reload + endscript +} + +/var/log/syslog-ng { + rotate 7 + daily + compress + delaycompress + sharedscripts + postrotate + /etc/init.d/syslog-ng reload + endscript +} + +/var/log/dnsmasq { + # uncomment this if you want your log files compressed + delaycompress + compress postrotate - if [ -f /var/run/syslog-ng.pid ]; then \ - kill -HUP `cat /var/run/syslog-ng.pid`; \ - fi; + /etc/rc.d/syslog-ng reload >/dev/null endscript } -/var/log/debug { +/var/log/pgsql { + # create new (empty) log files after rotating old ones create 0644 root root - rotate 5 - sharedscripts + # uncomment this if you want your log files compressed + delaycompress + compress + notifempty + maxsize 5M postrotate - if [ -f /var/run/syslog-ng.pid ]; then \ - kill -HUP `cat /var/run/syslog-ng.pid`; \ - fi; + /etc/rc.d/syslog-ng reload >/dev/null endscript } -/var/log/kernel { - rotate 5 - create 0644 root root - sharedscripts +/var/log/git-daemon { + # uncomment this if you want your log files compressed + delaycompress + compress postrotate - if [ -f 
/var/run/syslog-ng.pid ]; then \ - kill -HUP `cat /var/run/syslog-ng.pid`; \ - fi; + /etc/rc.d/syslog-ng reload >/dev/null endscript } -/var/log/daemon { +/var/log/gitolite { + # uncomment this if you want your log files compressed + delaycompress + compress + postrotate + /etc/rc.d/syslog-ng reload >/dev/null + endscript +} + +/var/log/php-fpm { + # uncomment this if you want your log files compressed + delaycompress compress - rotate 5 - create 644 root root - sharedscripts postrotate - if [ -f /var/run/syslog-ng.pid ]; then \ - kill -HUP `cat /var/run/syslog-ng.pid`; \ - fi; + /etc/rc.d/syslog-ng reload >/dev/null endscript +} +/var/log/php { + # uncomment this if you want your log files compressed + delaycompress + compress + postrotate + /etc/rc.d/syslog-ng reload >/dev/null + endscript } -/var/log/messages { - rotate 5 - create 0644 root root - sharedscripts +/var/log/nginx_access { + # uncomment this if you want your log files compressed + delaycompress + compress postrotate - if [ -f /var/run/syslog-ng.pid ]; then \ - kill -HUP `cat /var/run/syslog-ng.pid`; \ - fi; + /etc/rc.d/syslog-ng reload >/dev/null endscript } -/var/log/mail { - create 0644 root root - rotate 5 - sharedscripts +/var/log/nginx_error { + # uncomment this if you want your log files compressed + delaycompress + compress postrotate - if [ -f /var/run/syslog-ng.pid ]; then \ - kill -HUP `cat /var/run/syslog-ng.pid`; \ - fi; + /etc/rc.d/syslog-ng reload >/dev/null endscript } -/var/log/user { - create 0644 root root - rotate 5 - sharedscripts +/var/log/nginx/tribu_error.log { + # uncomment this if you want your log files compressed + delaycompress + compress + olddir /var/log/old/nginx postrotate - if [ -f /var/run/syslog-ng.pid ]; then \ - kill -HUP `cat /var/run/syslog-ng.pid`; \ - fi; + /etc/rc.d/syslog-ng reload >/dev/null endscript } +/var/log/nginx/tribu_access.log { + # uncomment this if you want your log files compressed + delaycompress + compress + olddir /var/log/old/nginx + 
postrotate + /etc/rc.d/syslog-ng reload >/dev/null + endscript +} diff --git a/tools/conf/etc/logrotate.d/dnsmasq b/tools/conf/etc/logrotate.d/dnsmasq deleted file mode 100644 index 3151ddc..0000000 --- a/tools/conf/etc/logrotate.d/dnsmasq +++ /dev/null @@ -1,11 +0,0 @@ -/var/log/dnsmasq { - weekly - create 0644 root root - rotate 5 - sharedscripts - postrotate - if [ -f /var/run/syslog-ng.pid ]; then \ - kill -HUP `cat /var/run/syslog-ng.pid`; \ - fi; - endscript -} diff --git a/tools/conf/etc/logrotate.d/gitolite b/tools/conf/etc/logrotate.d/gitolite deleted file mode 100644 index 547d6b6..0000000 --- a/tools/conf/etc/logrotate.d/gitolite +++ /dev/null @@ -1,12 +0,0 @@ -/var/log/gitolite { - rotate 5 - monthly - create 0644 root root - sharedscripts - postrotate - if [ -f /var/run/syslog-ng.pid ]; then \ - kill -HUP `cat /var/run/syslog-ng.pid`; \ - fi; - endscript - -} diff --git a/tools/conf/etc/logrotate.d/letsencrypt b/tools/conf/etc/logrotate.d/letsencrypt new file mode 100644 index 0000000..ce73ebc --- /dev/null +++ b/tools/conf/etc/logrotate.d/letsencrypt @@ -0,0 +1,7 @@ +/var/log/letsencrypt/*.log { + # uncomment this if you want your log files compressed + delaycompress + compress + olddir /var/log/old/letsencrypt + notifempty +} diff --git a/tools/conf/etc/logrotate.d/nginx b/tools/conf/etc/logrotate.d/nginx deleted file mode 100644 index ae05445..0000000 --- a/tools/conf/etc/logrotate.d/nginx +++ /dev/null @@ -1,23 +0,0 @@ -/var/log/nginx/access.log { - weekly - create 0664 root www - rotate 5 - sharedscripts - postrotate - if [ -f /var/run/syslog-ng.pid ]; then \ - kill -HUP `cat /var/run/syslog-ng.pid`; \ - fi; - endscript -} - -/var/log/nginx/error.log { - weekly - create 0644 root root - rotate 5 - sharedscripts - postrotate - if [ -f /var/run/syslog-ng.pid ]; then \ - kill -HUP `cat /var/run/syslog-ng.pid`; \ - fi; - endscript -} 
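Review bot: the postrotate hooks in the large logrotate.conf hunk are split between two init layouts: `/etc/init.d/syslog-ng reload` for auth, sudo, cron, daemon, kernel, mail and the rest, but `/etc/rc.d/syslog-ng reload >/dev/null` for iptables, dnsmasq, pgsql, git-daemon, gitolite, php, php-fpm and the nginx files. rc.conf in this commit uses the CRUX `SERVICES=(...)` layout, i.e. `/etc/rc.d`, so the `/etc/init.d` variants fail and syslog-ng keeps writing into the renamed file until something else restarts it. Use `/etc/rc.d/syslog-ng reload` everywhere, ideally in one shared stanza. Two destinations that syslog-ng.conf writes have no rotation entry anywhere after the logrotate.d deletions: `/var/log/sshd` (`d_sshd`) and the new `/var/log/nginx/vhost_access` and `vhost_error` (`d_nginx_vhost`, `d_nginx_vhost_err`), while the entries that were added cover `/var/log/nginx/tribu_access.log` and `tribu_error.log`, which nothing in the new nginx configuration writes.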
diff --git a/tools/conf/etc/logrotate.d/php-fpm b/tools/conf/etc/logrotate.d/php-fpm deleted file mode 100644 index c778658..0000000 --- a/tools/conf/etc/logrotate.d/php-fpm +++ /dev/null @@ -1,5 +0,0 @@ -/var/log/php-fpm.log { - rotate 5 - monthly - create 0644 root root -} diff --git a/tools/conf/etc/logrotate.d/postgres b/tools/conf/etc/logrotate.d/postgres deleted file mode 100644 index fc59aad..0000000 --- a/tools/conf/etc/logrotate.d/postgres +++ /dev/null @@ -1,17 +0,0 @@ -/var/log/pgsql { - weekly - compress - delaycompress - rotate 10 - notifempty - create 660 postgres postgres - sharedscripts - postrotate - if [ -f /var/run/syslog-ng.pid ]; then \ - kill -HUP `cat /var/run/syslog-ng.pid`; \ - fi; - endscript - -} - - diff --git a/tools/conf/etc/logrotate.d/postgresql b/tools/conf/etc/logrotate.d/postgresql new file mode 100644 index 0000000..8c16bfa --- /dev/null +++ b/tools/conf/etc/logrotate.d/postgresql @@ -0,0 +1,10 @@ +# this log is only used by postgresql at startup +# before start using syslog so there is no need +# to reload syslog-ng or syslog-ng +/var/log/postgresql { + # uncomment this if you want your log files compressed + delaycompress + compress + notifempty + create 664 postgres postgres +} diff --git a/tools/conf/etc/nginx/nginx.conf b/tools/conf/etc/nginx/nginx.conf index 8fca293..1339275 100644 --- a/tools/conf/etc/nginx/nginx.conf +++ b/tools/conf/etc/nginx/nginx.conf 
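Review bot: `create 664 postgres postgres` in the new logrotate.d/postgresql makes the startup log group-writable; `640` is enough for a file only the postgres process appends to, and it matches the `perm(0640)` that the syslog-ng options in this commit apply to every other log. Minor: the header comment reads "no need to reload syslog-ng or syslog-ng".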
@@ -6,36 +6,36 @@ user www; worker_processes auto; -error_log /var/log/nginx/error.log; +error_log syslog:server=unix:/dev/log debug; pid /var/run/nginx.pid; - events { worker_connections 1024; } - http { include mime.types; default_type application/octet-stream; - #log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - # '$status $body_bytes_sent "$http_referer" ' - # '"$http_user_agent" "$http_x_forwarded_for"'; - - access_log /var/log/nginx/access.log; - error_log /var/log/nginx/error.log; + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; sendfile on; #tcp_nopush on; - client_max_body_size 8M; - keepalive_timeout 65; - client_body_timeout 12; - client_header_timeout 12; - send_timeout 65; + # Allow attach iso to wiki + #client_max_body_size 8M; + client_max_body_size 30M; + #keepalive_timeout 65; + keepalive_timeout 120; + #client_body_timeout 12; + client_body_timeout 24; + #client_header_timeout 12; + client_header_timeout 24; + send_timeout 65; gzip on; gzip_vary on; 
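Review bot: `error_log syslog:server=unix:/dev/log debug;` at the top of nginx.conf turns on debug-level error logging for every vhost in production; on a `--with-debug` build that is per-connection detail streamed into syslog, and on any build the level here should be `warn` or `error`, raised to `debug` only on the one vhost being diagnosed. The same hunk removes the http-level `access_log`, and the 8080 vhosts added later in this commit keep their `access_log` lines commented out, so they inherit nginx's built-in default (`logs/access.log combined` under the compile-time prefix) instead of syslog; add `access_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx,nohostname main;` to the `http` block so the `log_format main` defined just above is actually used. Doubling `client_header_timeout` and `client_body_timeout` to 24s and `keepalive_timeout` to 120s for the 30M wiki uploads widens the window a slow client can hold a worker connection; scope `client_max_body_size 30M` to the wiki `location` and leave the global timeouts as they were.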
@@ -45,88 +45,6 @@ http { # gzip_http_version 1.1; gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; - - include /etc/nginx/conf.d/*.conf; include /etc/nginx/sites-enabled/*.conf; - - #server { - # listen 80; - # server_name localhost; - # - # #charset koi8-r; - # - # location / { - # root html; - # index index.html index.htm; - # } - # - # error_page 404 /404.html; - # - # # redirect server error pages to the static page /50x.html - # # - # error_page 500 502 503 504 /50x.html; - # location = /50x.html { - # root html; - # } - # - # # proxy the PHP scripts to Apache listening on 127.0.0.1:80 - # # - # #location ~ \.php$ { - # # proxy_pass http://127.0.0.1; - # #} - # - # # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 - # # - # #location ~ \.php$ { - # # root html; - # # fastcgi_pass 127.0.0.1:9000; - # # fastcgi_index index.php; - # # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name; - # # include fastcgi_params; - # #} - # - # # deny access to .htaccess files, if Apache's document root - # # concurs with nginx's one - # # - # #location ~ /\.ht { - # # deny all; - # #} - #} - - - # another virtual host using mix of IP-, name-, and port-based configuration - # - #server { - # listen 8000; - # listen somename:8080; - # server_name somename alias another.alias; - - # location / { - # root html; - # index index.html index.htm; - # } - #} - - - # HTTPS server - # - #server { - # listen 443 ssl; - # server_name localhost; - - # ssl_certificate cert.pem; - # ssl_certificate_key cert.key; - - # ssl_session_cache shared:SSL:1m; - # ssl_session_timeout 5m; - - # ssl_ciphers HIGH:!aNULL:!MD5; - # ssl_prefer_server_ciphers on; - - # location / { - # root html; - # index index.html index.htm; - # } - #} - } +# End of file diff --git a/tools/conf/etc/nginx/sites-enabled/default.conf b/tools/conf/etc/nginx/sites-enabled/default.conf index c35b0cd..fb9fb8e 100644 
--- a/tools/conf/etc/nginx/sites-enabled/default.conf +++ b/tools/conf/etc/nginx/sites-enabled/default.conf @@ -1,15 +1,13 @@ server { + server_name tribu.semdestino.org; -#listen 443 ssl http2; - listen 443 ssl; + listen 80 default_server; + listen 443 ssl default_server; -# listen 80; - server_name machine.example; + ssl_certificate /etc/letsencrypt/live/tribu.semdestino.org/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/tribu.semdestino.org/privkey.pem; + ssl_trusted_certificate /etc/letsencrypt/live/tribu.semdestino.org/chain.pem; -# listen [::]:443 ssl http2; - ssl_certificate /etc/letsencrypt/live/machine.example/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/machine.example/privkey.pem; - ssl_trusted_certificate /etc/letsencrypt/live/machine.example/chain.pem; ssl_session_timeout 1d; ssl_session_cache shared:SSL:50m; ssl_session_tickets off; 
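Review bot: `listen 80 default_server;` and `listen 443 ssl default_server;` in the same `server` block means every path proxied below (git, forum, email, shop, task) is served over plaintext HTTP as well as TLS with no redirect, so the `ssl_session_tickets off` and OCSP stapling hardening is bypassed by a client that simply uses http://. Split port 80 into its own `server` that serves `/.well-known` for ACME and returns `301 https://$host$request_uri;` for everything else, and keep only the 443 listener on this block.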
@@ -20,84 +18,62 @@ server { ssl_stapling on; ssl_stapling_verify on; - access_log /var/log/nginx/access.log; - error_log /var/log/nginx/error.log; + access_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_vhost,nohostname main; + error_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_vhost_err,nohostname debug; - - root /srv/www; - - location /ports/distfiles { - alias /usr/ports/distfiles; - } - - location /ports/packages { - alias /usr/ports/distfiles; - } + root /etc/html/; location /doc { alias /srv/www/doc; index index.html; } - location /git/static { -# static files (png/css) served from /usr/share/gitweb/static - alias /srv/www/gitweb/static; - expires 30d; + location /pub { + proxy_pass http://wiki.c2.ank:8080; + } + + location /wiki { + proxy_pass http://wiki.c2.ank:8080; } location /git { - alias /srv/www/gitweb; - index gitweb.cgi; - fastcgi_split_path_info ^/git()(/?.+)$; - fastcgi_param GITWEB_CONFIG /etc/gitweb.conf; - fastcgi_param DOCUMENT_ROOT /srv/www/gitweb; - fastcgi_param SCRIPT_NAME /gitweb.cgi$fastcgi_path_info; - - include fastcgi_params; - fastcgi_pass unix:/var/run/fcgiwrap.sock; + proxy_pass http://git.c2.ank:8080; + } + + location /forum { + proxy_pass http://forum.c2.ank:8080; } location /task { - index index.php; - alias /srv/www/flyspray; - try_files $uri $uri/ index.php$is_args$args; + proxy_pass http://task.c2.ank:8080; } - location ~ ^/task(.+\.php)$ { ### This location block was the solution - alias /srv/www/flyspray; - fastcgi_split_path_info ^(.+\.php)(/.+)$; - fastcgi_index index.php; - try_files $uri /index.php =404; - include /etc/nginx/fastcgi_params; - fastcgi_param SCRIPT_FILENAME $document_root$1; -# fastcgi_pass unix:/var/run/php5-fpm.sock; - fastcgi_pass 127.0.0.1:9000; + location /shop { + proxy_pass http://shop.c2.ank:8080; } - location / { - alias /srv/www/pmwiki/; - index pmwiki.php; - try_files $uri $uri/ /pmwiki.php$is_args$args; + location /email { + proxy_pass http://email.c2.ank:8080; } -# 
ACME challenge - location ^~ /.well-known { - allow all; - alias /srv/www/pmwiki/pub/cert/.well-known/; - default_type "text/plain"; - try_files $uri =404; + location /mirror { + proxy_pass http://c1.ank; } + location /awstats { + proxy_pass http://awstats.c2.ank:8080; + } + + location /stats { + proxy_pass http://stats.c2.ank:8080; + } - location ~ \.php$ { - alias /srv/www/pmwiki; - index pmwiki.php; - fastcgi_split_path_info ^(.+\.php)(/.+)$; - fastcgi_index pmwiki.php; - try_files $uri /pmwiki.php =404; - include /etc/nginx/fastcgi_params; - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; -# fastcgi_pass unix:/var/run/php5-fpm.sock; - fastcgi_pass 127.0.0.1:9000; + # ACME challenge + location ^~ /.well-known { + proxy_pass http://wiki.c2.ank; + } + + location / { + proxy_pass http://frontpage.c2.ank; } } diff --git a/tools/conf/etc/nginx/sites-enabled/email.c2.ank.conf b/tools/conf/etc/nginx/sites-enabled/email.c2.ank.conf new file mode 100644 index 0000000..3ae544c --- /dev/null +++ b/tools/conf/etc/nginx/sites-enabled/email.c2.ank.conf 
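Review bot: `proxy_pass http://wiki.c2.ank;` for `/.well-known` and `proxy_pass http://frontpage.c2.ank;` for `/` omit the `:8080` every other backend gets, and the `wiki.c2.ank` server added in this commit listens only on 8080; if those names resolve to this host, the request lands back on this `default_server` on port 80 and recurses until nginx gives up, which also breaks certificate renewal. None of the `proxy_pass` locations set `proxy_set_header Host $host;`, `X-Real-IP $remote_addr;`, `X-Forwarded-For $proxy_add_x_forwarded_for;` or `X-Forwarded-Proto $scheme;`, so the backends see `Host: wiki.c2.ank`, log 10.0.0.4 as every client, and cannot tell an HTTPS request from an HTTP one, which matters for the PHP applications generating absolute URLs and for any rate limiting or auditing done behind the proxy. `root /etc/html/;` is also an unusual document root to hand the `www` worker; the old `/srv/www` matches the rest of the vhosts.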
@@ -0,0 +1,61 @@ +server { + listen 8080; + server_name email.c2.ank; + +#access_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_git,nohostname main; +#error_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_git_err,nohostname debug; +#access_log /var/log/nginx/roundcube_access.log; +#error_log /var/log/nginx/roundcube_error.log; + + + + location /email { + alias /srv/www/email; + index index.php; + autoindex off; + } + +# Favicon + location ~ ^/email/favicon.ico$ { + root /srv/www/email/skins/classic/images; + log_not_found off; + access_log off; + expires max; + } +# Robots file + location ~ ^/email/robots.txt { + allow all; + log_not_found off; + access_log off; + } +# Deny Protected directories + location ~ ^/email/(config|temp|logs)/ { + deny all; + } + location ~ ^/email/(README|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ { + deny all; + } + location ~ ^/email/(bin|SQL)/ { + deny all; + } +# Hide .md files + location ~ ^/email/(.+\.md)$ { + deny all; + } +# Hide all dot files + location ~ ^/email/\. { + deny all; + access_log off; + log_not_found off; + } + + location ~ /email/.*\.php { + alias /srv/www/email; + fastcgi_split_path_info ^(.+\.php)(/.+)$; + fastcgi_index index.php; + try_files $uri /index.php =404; + include /etc/nginx/fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_pass 127.0.0.1:9000; + } +} diff --git a/tools/conf/etc/nginx/sites-enabled/forum.c2.ank.conf b/tools/conf/etc/nginx/sites-enabled/forum.c2.ank.conf new file mode 100644 index 0000000..2ed362a --- /dev/null +++ b/tools/conf/etc/nginx/sites-enabled/forum.c2.ank.conf 
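Review bot: the PHP handler in email.c2.ank.conf sets `fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;` inside a regex location that uses `alias /srv/www/email;`. With `alias`, `$document_root` is the alias value while `$fastcgi_script_name` still carries the full `/email/...` URI, so PHP-FPM is handed `/srv/www/email/email/index.php` and every page fails. Use the capture pattern the forum and task vhosts use, `location ~ ^/email(.+\.php)$` with `fastcgi_param SCRIPT_FILENAME $document_root$1;`, and anchor the regex with `$` so a name like `foo.php.bak` is not routed to FastCGI. `try_files $uri /index.php =404;` also sends any unknown `.php` path to the front page before `=404` can apply; `try_files $uri =404;` is the usual guard. The deny rules for config, temp, logs, bin, SQL and dotfiles are correctly placed before the PHP handler, since the first matching regex location wins.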
@@ -0,0 +1,26 @@ +server { + listen 8080; + server_name forum.c2.ank; + + #access_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_forum,nohostname main; + #error_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_forum_err,nohostname debug; + + root /srv/www/; + + location /forum { + index index.php; + alias /srv/www/forum; + try_files $uri $uri/ index.php$is_args$args; + } + + location ~ ^/forum(.+\.php)$ { ### This location block was the solution + alias /srv/www/forum; + fastcgi_split_path_info ^(.+\.php)(/.+)$; + fastcgi_index index.php; + try_files $uri /index.php =404; + include /etc/nginx/fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$1; +# fastcgi_pass unix:/var/run/php5-fpm.sock; + fastcgi_pass 127.0.0.1:9000; + } +} diff --git a/tools/conf/etc/nginx/sites-enabled/git.c2.ank.conf b/tools/conf/etc/nginx/sites-enabled/git.c2.ank.conf new file mode 100644 index 0000000..56e6412 --- /dev/null +++ b/tools/conf/etc/nginx/sites-enabled/git.c2.ank.conf @@ -0,0 +1,28 @@ +server { + listen 8080; + server_name git.c2.ank; + + #access_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_git,nohostname main; + #error_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_git_err,nohostname debug; + + #access_log /var/log/nginx/git main; + #error_log /var/log/nginx/git_error debug; + + root /srv/www/; + + location /git/static { + # static files (png/css) served from /usr/share/gitweb/static + alias /srv/www/gitweb/static; + } + + location /git { + alias /srv/www/gitweb; + index gitweb.cgi; + fastcgi_split_path_info ^/git()(/?.+)$; + fastcgi_param GITWEB_CONFIG /etc/gitweb.conf; + fastcgi_param DOCUMENT_ROOT /srv/www/gitweb; + fastcgi_param SCRIPT_NAME /gitweb.cgi$fastcgi_path_info; + include fastcgi_params; + fastcgi_pass unix:/var/run/fcgiwrap.sock; + } +} diff --git a/tools/conf/etc/nginx/sites-enabled/git.localhost.conf b/tools/conf/etc/nginx/sites-enabled/git.localhost.conf deleted file mode 100644 index 910df66..0000000 
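Review bot: in forum.c2.ank.conf the fallback in `try_files $uri $uri/ index.php$is_args$args;` is a relative URI; the internal redirect needs an absolute one, `/forum/index.php$is_args$args`. The vhost also executes any `*.php` under `/srv/www/forum` via `location ~ ^/forum(.+\.php)$` with none of the deny rules the email vhost gets for its config, temp, logs and dotfile paths; add equivalents for the forum software's config and attachment directories before this goes live. The `### This location block was the solution` comment is debugging residue. In git.c2.ank.conf the `root /srv/www/;` is unused since both locations use `alias`, and dropping `expires 30d;` from `/git/static` is harmless.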
--- a/tools/conf/etc/nginx/sites-enabled/git.localhost.conf +++ /dev/null @@ -1,25 +0,0 @@ -server { - listen 443 ssl; - - server_name git.localhost git.machine.example git.machine.example.org; - - root /srv/www/gitweb; - - location /static/ { - # static files (png/css) served from /usr/share/gitweb/static - root /usr/share/gitweb ; - expires 30d; - } - - location / { - index gitweb.cgi - fastcgi_param GITWEB_CONFIG /etc/gitweb.conf; - fastcgi_param DOCUMENT_ROOT /srv/www/gitweb/; - fastcgi_param SCRIPT_NAME /gitweb.cgi$fastcgi_path_info; - fastcgi_split_path_info ^()(/?.+)$; - - include fastcgi_params; - fastcgi_pass unix:/var/run/fcgiwrap.sock; - } - -} diff --git a/tools/conf/etc/nginx/sites-enabled/shop.c2.ank.conf b/tools/conf/etc/nginx/sites-enabled/shop.c2.ank.conf new file mode 100644 index 0000000..3a0aea1 --- /dev/null +++ b/tools/conf/etc/nginx/sites-enabled/shop.c2.ank.conf 
@@ -0,0 +1,84 @@ +server { + listen 8080; + server_name shop.c2.ank; + + + location ~ ^/shop/admin { + alias /srv/www/shop/upload/admin; + index index.php; + + location ~ ^/shop/admin/config.php { + deny all; + } + + location ~ \.php$ { + include /etc/nginx/fastcgi_params; + fastcgi_param SCRIPT_FILENAME $request_filename$1; + fastcgi_pass 127.0.0.1:9000; + } + } + + location ^~ /shop { + alias /srv/www/shop/upload; + index index.php; + #try_files $uri $uri/ index.php$is_args$args; + #try_files index.php @opencart; + + location ~ ^/shop/upload/image/data { + autoindex on; + } + + location ~ ^/shop/config.php { + deny all; + } + + + location ~ ^/shop/admin/config.php { + deny all; + } + +# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac). +# + location ~ ^/shop/\. { + deny all; + access_log off; + log_not_found off; + } + location ~ ^/shop/\.(jpg|jpeg|png|gif|css|js|ico)$ { + expires max; + log_not_found off; + } + + location ~ \.php$ { + include /etc/nginx/fastcgi_params; + fastcgi_param SCRIPT_FILENAME $request_filename$1; + fastcgi_pass 127.0.0.1:9000; + #fastcgi_split_path_info ^(.+\.php)(/.+)$; + #fastcgi_split_path_info ^(.+\.php)(.*)$; + #fastcgi_index index.php; + #try_files $uri /index.php =404; + # fastcgi_pass unix:/var/run/php5-fpm.sock; + } + + } + + +location @tribushop { + rewrite ^/shop/(.+)$ /shop/index.php?_route_=$1 last; + } + + location /shop/engine { + deny all; + } + + location ~ ^/shop/library { + deny all; + } + + # Make sure files with the following extensions do not + # get loaded by nginx because nginx would display the + # source code, and these files can contain PASSWORDS! + location ~ ^/shop/\.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|.*ini|theme|tpl(\.php)?|xtmpl)$|^(\..*|Entries.*|Repository|Root|Tag|Template)$|\.php_ { + deny all; + } +} 
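Review bot: the sensitive-file deny rules at the end of shop.c2.ank.conf do not match what they intend. `location ~ ^/shop/\.(engine|inc|info|install|...|.*sql|.*ini|...)$|^(\..*|Entries.*|Repository|Root|Tag|Template)$|\.php_` is the stock extension blocklist with `^/shop/` prepended, so the first alternative matches only a literal dot right after `/shop/` (`/shop/.sql`, never `/shop/install/opencart.sql`), and the second alternative can never match a URI that starts with `/`. Drop the prefix and nest it under the `/shop` block: `location ~ \.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|.*ini|theme|tpl(\.php)?|xtmpl)$|\.php_ { deny all; }`. The same misplaced anchor breaks `^/shop/\.` (dotfiles under `/shop/admin/` are still served) and `^/shop/\.(jpg|jpeg|png|gif|css|js|ico)$` (never matches a real image). `fastcgi_param SCRIPT_FILENAME $request_filename$1;` appends `$1` from `location ~ \.php$`, which has no capture group, so it is always empty; `$request_filename` alone is what is meant. `location @tribushop` is defined but unreferenced because both `try_files` lines are commented out, so pretty `/shop/some/route` URLs will 404.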
diff --git a/tools/conf/etc/nginx/sites-enabled/task.c2.ank.conf b/tools/conf/etc/nginx/sites-enabled/task.c2.ank.conf new file mode 100644 index 0000000..2d62e96 --- /dev/null +++ b/tools/conf/etc/nginx/sites-enabled/task.c2.ank.conf @@ -0,0 +1,21 @@ +server { + listen 8080; + server_name task.c2.ank; + + location /task { + index index.php; + alias /srv/www/task; + try_files $uri $uri/ index.php$is_args$args; + } + + location ~ ^/task(.+\.php)$ { ### This location block was the solution + alias /srv/www/task; + fastcgi_split_path_info ^(.+\.php)(/.+)$; + fastcgi_index index.php; + try_files $uri /index.php =404; + include /etc/nginx/fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$1; +# fastcgi_pass unix:/var/run/php5-fpm.sock; + fastcgi_pass 127.0.0.1:9000; + } +} diff --git a/tools/conf/etc/nginx/sites-enabled/wiki.c2.ank.conf b/tools/conf/etc/nginx/sites-enabled/wiki.c2.ank.conf new file mode 100644 index 0000000..1504fa1 --- /dev/null +++ b/tools/conf/etc/nginx/sites-enabled/wiki.c2.ank.conf 
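Review bot: task.c2.ank.conf has the same relative fallback as the forum vhost, `try_files $uri $uri/ index.php$is_args$args;`, which should be `/task/index.php$is_args$args`, and the same unrestricted `^/task(.+\.php)$` handler with no deny rules for the application's config or attachment directories. Mirror the deny blocks from email.c2.ank.conf here too, and drop the `### This location block was the solution` comment.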
@@ -0,0 +1,43 @@ +server { + listen 8080; + server_name wiki.c2.ank; + + #access_log syslog:server=unix:/dev/log,facility=daemon,tag=vh_tribu,nohostname main; + #error_log syslog:server=unix:/dev/log,facility=daemon,tag=vh_tribu_err,nohostname debug; + + #access_log /var/log/nginx/wiki main; + #error_log /var/log/nginx/wiki_error debug; + + root /srv/www/; + + location /pub { + alias /srv/www/wiki/pub; + } + # ACME challenge + location ^~ /.well-known { + allow all; + alias /srv/www/wiki/pub/cert/.well-known/; + default_type "text/plain"; + try_files $uri =404; + } + + location @pmwiki { + rewrite ^/wiki/(.*) /wiki/pmwiki.php?n=$1; + } + + location /wiki { + index pmwiki.php; + try_files $uri $uri/ @pmwiki; + } + + location ~ ^\/wiki(.+\.php)$ { + index pmwiki.php; + fastcgi_split_path_info ^(.+\.php)(/.+)$; + fastcgi_index pmwiki.php; + try_files $uri /pmwiki.php =404; + include /etc/nginx/fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; +# fastcgi_pass unix:/var/run/php5-fpm.sock; + fastcgi_pass 127.0.0.1:9000; + } +} diff --git a/tools/conf/etc/rc.conf b/tools/conf/etc/rc.conf index 2dbf272..192ef3e 100644 --- a/tools/conf/etc/rc.conf +++ b/tools/conf/etc/rc.conf @@ -5,8 +5,8 @@ FONT=default KEYMAP=dvorak TIMEZONE="Europe/Lisbon" -HOSTNAME=machine -SYSLOG=sysklogd -SERVICES=(lo iptables wlan blan crond) +HOSTNAME=c2 +SYSLOG=syslog-ng +SERVICES=(apparmor lo net iptables sshd ntpd postgresql exim dovecot git-daemon php-fpm fcgiwrap nginx crond) # End of file diff --git a/tools/conf/etc/ssh/sshd_config b/tools/conf/etc/ssh/sshd_config index 6fd955a..495d183 100644 --- a/tools/conf/etc/ssh/sshd_config +++ b/tools/conf/etc/ssh/sshd_config @@ -1,4 +1,4 @@ -# $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $ +# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. 
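Review bot: in wiki.c2.ank.conf the PHP location's `try_files $uri /pmwiki.php =404;` resolves `/pmwiki.php` against `root /srv/www/`, i.e. `/srv/www/pmwiki.php`, which is not where the wiki lives (`/srv/www/wiki/pmwiki.php`, per the `@pmwiki` rewrite), so the fallback is dead code and `try_files $uri =404;` states what actually happens. The `/.well-known` alias into `/srv/www/wiki/pub/cert/` is fine, but it is only reachable once the front proxy addresses this vhost on `:8080`. In rc.conf, listing `apparmor` first in `SERVICES` so profiles are loaded before `sshd`, `php-fpm` and `nginx` start is the correct order.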
@@ -16,12 +16,7 @@ AddressFamily inet #ListenAddress 0.0.0.0 #ListenAddress :: - -# The default requires explicit activation of protocol 1 -Protocol 2 - #HostKey /etc/ssh/ssh_host_rsa_key -#HostKey /etc/ssh/ssh_host_dsa_key #HostKey /etc/ssh/ssh_host_ecdsa_key #HostKey /etc/ssh/ssh_host_ed25519_key @@ -29,8 +24,8 @@ Protocol 2 #RekeyLimit default none # Logging -#SyslogFacility AUTH -#LogLevel INFO +SyslogFacility AUTH +LogLevel INFO # Authentication: @@ -40,10 +35,11 @@ PermitRootLogin no #StrictModes yes MaxAuthTries 3 #MaxSessions 10 -MaxSessions 3 PubkeyAuthentication yes +AllowGroups admin users gitolite sshproxy + # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 # but this is overridden so installations will only check .ssh/authorized_keys AuthorizedKeysFile .ssh/authorized_keys @@ -90,7 +86,6 @@ ChallengeResponseAuthentication no # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. #UsePAM no -#UsePAM no #AllowAgentForwarding yes #AllowTcpForwarding yes @@ -102,8 +97,6 @@ ChallengeResponseAuthentication no #PrintMotd yes #PrintLastLog yes #TCPKeepAlive yes -#UseLogin no -#UsePrivilegeSeparation sandbox #PermitUserEnvironment no #Compression delayed #ClientAliveInterval 0 @@ -116,11 +109,25 @@ ChallengeResponseAuthentication no #VersionAddendum none # no default banner path -Banner /etc/issue +#Banner none # override default of no subsystems Subsystem sftp /usr/lib/ssh/sftp-server +Match Group gitolite + AllowAgentForwarding no + AllowTcpForwarding no + +Match Group sshproxy + AllowAgentForwarding no + PermitTTY no + PermitOpen 10.0.0.4:443 + PermitOpen 10.0.0.4:9418 + PermitOpen tribu.semdestino.org:443 + PermitOpen tribu.semdestino.org:9418 + ForceCommand echo 'This account can only be used for web proxy' + + # Example of overriding settings on a per-user basis #Match User anoncvs # X11Forwarding no 
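Review bot: the `Match Group sshproxy` block restricts only local and dynamic forwarding. `PermitOpen` governs the destinations of `-L`/`-D` forwards; remote forwarding (`ssh -R`) stays enabled, so a proxy account can still open a listener on the server and, with `GatewayPorts`, expose it. Add `AllowTcpForwarding local` to the block (or `PermitListen none` on OpenSSH 7.8 and later). `AllowGroups admin users gitolite sshproxy` admits every account in the default `users` group, which is broader than the `PermitRootLogin no` and `MaxAuthTries 3` around it suggest; drop `users` unless every member is meant to have shell access. Removing `MaxSessions 3` silently reverts to the default of 10 multiplexed sessions per connection, and replacing `Banner /etc/issue` with the commented default removes the pre-auth notice; state in the commit message if both are intended.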
diff --git a/tools/conf/etc/syslog-ng.conf b/tools/conf/etc/syslog-ng.conf index 16c1ddb..b6aa817 100644 --- a/tools/conf/etc/syslog-ng.conf +++ b/tools/conf/etc/syslog-ng.conf 
@@ -1,127 +1,223 @@ -@version: 3.17 +@version: 3.25 +@include "scl.conf" + +# Syslog-ng configuration file, compatible with default Debian syslogd +# installation. + +# First, set some global options. +options { chain_hostnames(off); flush_lines(0); use_dns(no); use_fqdn(no); + owner("root"); group("adm"); perm(0640); stats_freq(0); + bad_hostname("^gconfd$"); +}; + +######################## +# Sources +######################## +# This is the default behavior of sysklogd package +# Logs may come from unix stream, but not from another machine. # -# /etc/syslog-ng: syslog-ng(8) configration file -# based on a gentoo template added custom changes for crux +source s_src { + system(); + internal(); +}; -# on busy systems you may have to adjus flush_lines and suppress() to avoid -# heavy disc i/o -# to change default permissions/owner/group for newly created files add -# options like this: owner(root); group(sys); perm(0644); - -options { chain_hostnames(off); flush_lines(0); stats_freq(0); create_dirs(on); }; - -#source where to read log -source src { unix-stream("/dev/log"); internal(); }; -source kernsrc { file("/proc/kmsg"); }; - -#define templates -template t_debug { template("$DATE fac $FACILITY lvl $LEVEL prg $PROGRAM: $MSG\n"); }; - -#define destinations -destination authlog { file("/var/log/auth" suppress(5)); }; -destination sudo { file("/var/log/sudo" suppress(5)); }; -destination cron { file("/var/log/cron" suppress(5)); }; -destination kern { file("/var/log/kernel" suppress(5)); }; -destination mail { file("/var/log/mail" suppress(5)); }; - -destination mailinfo { file("/var/log/mail.info" suppress(5)); }; -destination mailwarn { file("/var/log/mail.warn" suppress(5)); }; -destination mailerr { file("/var/log/mail.err" suppress(5)); }; +# If you wish to get logs from remote machine you should uncomment +# this and comment the above source line. 
+# +#source s_net { tcp(ip(127.0.0.1) port(1000)); }; -#destination newscrit { file("/var/log/news/news.crit" suppress(5)); }; -#destination newserr { file("/var/log/news/news.err" suppress(5)); }; -#destination newsnotice { file("/var/log/news/news.notice" suppress(5)); }; +######################## +# Destinations +######################## +# First some standard logfile +# +destination d_auth { file("/var/log/auth"); }; +destination d_sudo { file("/var/log/sudo" ); }; +destination d_cron { file("/var/log/cron"); }; +destination d_daemon { file("/var/log/daemon"); }; +destination d_kern { file("/var/log/kernel"); }; +destination d_lpr { file("/var/log/lpr"); }; +destination d_mail { file("/var/log/mail"); }; +destination d_syslog { file("/var/log/syslog-ng"); }; +destination d_user { file("/var/log/user"); }; +destination d_uucp { file("/var/log/uucp"); }; + +# This files are the log come from the mail subsystem. +# +destination d_mailinfo { file("/var/log/mail.info"); }; +destination d_mailwarn { file("/var/log/mail.warn"); }; +destination d_mailerr { file("/var/log/mail.err"); }; -destination debug { file("/var/log/debug" template(t_debug) suppress(5)); }; -destination messages { file("/var/log/messages" suppress(5)); }; -destination errors { file("/var/log/error" suppress(5)); }; -destination console { usertty("root"); }; -destination console_all { file("/dev/tty12" suppress(5)); }; -destination xconsole { pipe("/dev/xconsole" suppress(5)); }; +# Logging for INN news system +# +destination d_newscrit { file("/var/log/news/news.crit"); }; +destination d_newserr { file("/var/log/news/news.err"); }; +destination d_newsnotice { file("/var/log/news/news.notice"); }; -############################################# -# custom destinations +# Some 'catch-all' logfiles. 
# +destination d_debug { file("/var/log/debug"); }; +destination d_error { file("/var/log/error"); }; +destination d_messages { file("/var/log/messages"); }; -destination d_shorewall_warn { file ("/var/log/shorewall/warn.log"); }; -destination d_shorewall_info { file ("/var/log/shorewall/info.log"); }; +# Custom destinations +destination d_shorewall_warn { file ("/var/log/shorewall/warn"); }; +destination d_shorewall_info { file ("/var/log/shorewall/info"); }; destination d_dnsmasq { file("/var/log/dnsmasq"); }; destination d_postgres { file("/var/log/pgsql"); }; +destination d_mysql { file("/var/log/pgsql"); }; destination d_iptables { file("/var/log/iptables"); }; destination d_sshd { file("/var/log/sshd"); }; destination d_gitolite { file("/var/log/gitolite"); }; -destination d_nginx_access { file("/var/log/nginx/access.log" owner(root) group(www) perm(0644)); }; -destination d_nginx_error { file("/var/log/nginx/error.log"); }; +destination d_git-daemon { file("/var/log/git-daemon"); }; +destination d_nginx_access { file("/var/log/nginx_access"); }; +destination d_nginx_error { file("/var/log/nginx_error"); }; +destination d_php_fpm { file("/var/log/php-fpm"); }; +destination d_php { file("/var/log/php"); }; +destination d_nginx_vhost { file("/var/log/nginx/vhost_access"); }; +destination d_nginx_vhost_err { file("/var/log/nginx/vhost_error"); }; + +# The root's console. +# +destination d_console { usertty("root"); }; + +# Virtual console. +# +#destination d_console_all { file(`tty10`); }; +destination console { usertty("root"); }; +destination d_console_all { file("/dev/tty12" suppress(5)); }; +destination xconsole { pipe("/dev/xconsole" suppress(5)); }; + + + +# The named pipe /dev/xconsole is for the nsole' utility. To use it, +# you must invoke nsole' with the -file' option: +# +# $ xconsole -file /dev/xconsole [...] 
+# +destination d_xconsole { pipe("/dev/xconsole"); }; +# Send the messages to an other host +# +#destination d_net { tcp("127.0.0.1" port(1000) log_fifo_size(1000)); }; -#create filters -filter f_authpriv { facility(auth, authpriv); }; -filter f_cron { facility(cron); }; -filter f_kern { facility(kern); }; -filter f_mail { facility(mail); }; -#filter f_debug { not facility(auth, authpriv, mail) and not program(sudo); }; -filter f_debug { not facility(mail) and not program(sudo); }; -filter f_messages { level(info..warn) - and not facility(auth, authpriv, mail) and not program(sudo); }; -filter f_sudo { program(sudo); }; -filter f_errors { level(err..emerg); }; +# Debian only +destination d_ppp { file("/var/log/ppp"); }; -filter f_emergency { level(emerg); }; +######################## +# Filters +######################## +# Here's come the filter options. With this rules, we can set which +# message go where. +filter f_dbg { level(debug); }; filter f_info { level(info); }; filter f_notice { level(notice); }; filter f_warn { level(warn); }; -filter f_crit { level(crit); }; filter f_err { level(err); }; +filter f_crit { level(crit .. emerg); }; + +filter f_debug { level(debug) and not facility(auth, authpriv, news, mail); }; +filter f_error { level(err .. 
emerg) ; }; +filter f_messages { level(info,notice,warn) + and not facility(auth,authpriv,cron,daemon,mail,news,local0); }; + +filter f_auth { facility(auth, authpriv) and not filter(f_debug); }; +filter f_sudo { facility(auth, authpriv) and program("^sudo$"); }; +filter f_cron { facility(cron) and not filter(f_debug);}; +filter f_daemon { facility(daemon, local0) + and not filter(f_debug) + and not program("^php$") + and not program("^nginx_vhost$") + and not program("^nginx_vhost_err$");}; +filter f_kern { facility(kern) and not filter(f_debug); }; +filter f_lpr { facility(lpr) and not filter(f_debug); }; +filter f_local { facility(local0, local1, local3, local4, local5, + local6, local7) and not filter(f_debug); }; +filter f_mail { facility(mail) and not filter(f_debug); }; +filter f_news { facility(news) and not filter(f_debug); }; +filter f_syslog3 { program("^syslog-ng$");}; +filter f_user { facility(user) and not filter(f_debug); }; +filter f_uucp { facility(uucp) and not filter(f_debug); }; + +filter f_cnews { level(notice, err, crit) and facility(news); }; +filter f_cother { level(debug, info, notice, warn) or facility(daemon, mail); }; + +filter f_ppp { facility(local2) and not filter(f_debug); }; +filter f_console { level(warn .. 
emerg); }; -############################################# # custom filters -# -filter f_dnsmasq { program("dnsmasq"); }; -filter f_postgres { facility(local0); }; -filter f_sshd { facility(local1); }; + +filter f_dnsmasq { program("^dnsmasq$"); }; +filter f_postgres { facility(local0) and program("^postgresql$"); }; +filter f_sshd { facility(auth) and program("^sshd$"); }; filter f_iptables { facility(kern) and match("iptables" value("MESSAGE")) }; filter f_shorewall_warn { level (warn) and match ("Shorewall" value("MESSAGE")); }; filter f_shorewall_info {level (info) and match ("Shorewall" value("MESSAGE")); }; -filter f_gitolite { program("gitolite"); }; -filter f_nginx_access { match("nginx_access:" value("MESSAGE")); }; -filter f_nginx_error { match("nginx_error:" value("MESSAGE")); }; - -# examples for text-matching (beware of performance issues) -#filter f_failed { match("failed"); }; -#filter f_denied { match("denied"); }; - -#connect filter and destination -log { source(src); filter(f_authpriv); destination(authlog); }; -log { source(src); filter(f_sudo); destination(sudo); }; -log { source(src); filter(f_cron); destination(cron); }; -log { source(kernsrc); filter(f_kern); destination(kern); }; -log { source(src); filter(f_mail); destination(mail); }; -log { source(src); filter(f_mail); filter(f_info); destination(mailinfo); }; -log { source(src); filter(f_mail); filter(f_warn); destination(mailwarn); }; -log { source(src); filter(f_mail); filter(f_err); destination(mailerr); }; - -#log { source(src); filter(f_debug); destination(debug); }; -log { source(src); filter(f_messages); destination(messages); }; -log { source(src); filter(f_errors); destination(errors); }; -log { source(src); filter(f_emergency); destination(console); }; - -#default log -#log { source(src); destination(console_all); }; - -############################################# -# custom -# - -log { source (kernsrc); filter (f_iptables); destination (d_iptables);}; -log { source (kernsrc); 
filter (f_shorewall_warn); destination (d_shorewall_warn);}; -log { source (kernsrc); filter (f_shorewall_info); destination (d_shorewall_info);}; -log { source(src); filter(f_dnsmasq); destination(d_dnsmasq);}; -log { source(src); filter(f_postgres); destination(d_postgres);}; -log { source(src); filter(f_sshd); destination(d_sshd);}; -log { source(src); filter(f_gitolite); destination(d_gitolite);}; -log { source(src); filter(f_nginx_error); destination(d_nginx_error);}; -log { source(src); filter(f_nginx_access); destination(d_nginx_access);}; +filter f_gitolite { program("^gitolite$"); }; +filter f_git-daemon { program("^git-daemon$"); }; +filter f_nginx_error { facility(daemon) and program("^nginx$"); }; +filter f_nginx_vhost { facility(daemon) and program("^nginx_vhost$");}; +filter f_nginx_vhost_err { facility(daemon) and program("^nginx_vhost_err$");}; +filter f_php_fpm { facility(daemon) and program("^php-fpm$");}; +filter f_php { facility(daemon) and program("^php$");}; + +# custom logs +log { source(s_src); filter(f_php_fpm); destination(d_php_fpm); }; +log { source(s_src); filter(f_php); destination(d_php); }; +log { source(s_src); filter(f_nginx_vhost); destination(d_nginx_vhost); }; +log { source(s_src); filter(f_nginx_vhost_err); destination(d_nginx_vhost_err); }; +log { source(s_src); filter(f_sshd); destination(d_sshd);}; +log { source (s_src); filter (f_iptables); destination (d_iptables);}; +log { source (s_src); filter (f_shorewall_warn); destination (d_shorewall_warn);}; +log { source (s_src); filter (f_shorewall_info); destination (d_shorewall_info);}; +log { source(s_src); filter(f_dnsmasq); destination(d_dnsmasq);}; +log { source(s_src); filter(f_postgres); destination(d_postgres);}; +log { source(s_src); filter(f_gitolite); destination(d_gitolite);}; +log { source(s_src); filter(f_git-daemon); destination(d_git-daemon);}; +log { source(s_src); filter(f_nginx_error); destination(d_nginx_error);}; + +######################## +# Log paths 
+######################## +log { source(s_src); filter(f_auth); destination(d_auth); }; +log { source(s_src); filter(f_sudo); destination(d_sudo); }; +log { source(s_src); filter(f_cron); destination(d_cron); }; +log { source(s_src); filter(f_daemon); destination(d_daemon); }; +log { source(s_src); filter(f_kern); destination(d_kern); }; +log { source(s_src); filter(f_lpr); destination(d_lpr); }; +log { source(s_src); filter(f_user); destination(d_user); }; +log { source(s_src); filter(f_uucp); destination(d_uucp); }; + +log { source(s_src); filter(f_mail); destination(d_mail); }; +log { source(s_src); filter(f_mail); filter(f_info); destination(d_mailinfo); }; +log { source(s_src); filter(f_mail); filter(f_warn); destination(d_mailwarn); }; +log { source(s_src); filter(f_mail); filter(f_err); destination(d_mailerr); }; + +log { source(s_src); filter(f_news); filter(f_crit); destination(d_newscrit); }; +log { source(s_src); filter(f_news); filter(f_err); destination(d_newserr); }; +log { source(s_src); filter(f_news); filter(f_notice); destination(d_newsnotice); }; +#log { source(s_src); filter(f_cnews); destination(d_console_all); }; +#log { source(s_src); filter(f_cother); destination(d_console_all); }; + +#log { source(s_src); filter(f_ppp); destination(d_ppp); }; + +log { source(s_src); filter(f_debug); destination(d_debug); }; +log { source(s_src); filter(f_error); destination(d_error); }; +log { source(s_src); filter(f_messages); destination(d_messages); }; +log { source(s_src); filter(f_syslog3); destination(d_syslog); }; +log { source(s_src); filter(f_console); destination(d_console_all); + destination(d_xconsole); }; +log { source(s_src); filter(f_crit); destination(d_console); }; +# +# +# All messages send to a remote site +# +#log { source(s_src); destination(d_net); }; +### +# Include all config files in /etc/syslog-ng/conf.d/ +### +@include "/etc/syslog-ng/conf.d/*.conf" 
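Review bot: three of the new definitions in this syslog-ng hunk are wrong or dead, and the options line drops something the destinations still rely on. First, `destination d_mysql { file("/var/log/pgsql"); };` points the MySQL destination at the PostgreSQL log file; it should be its own file (and there is no f_mysql filter or log path using it, so as written it is also unreferenced). Second, `filter f_postgres { facility(local0) and program("^postgresql$"); };` can never match: the postgresql.conf hunk further down in this same commit keeps `syslog_ident = 'postgres'`, so the program name on the wire is "postgres", and that hunk also turns `log_destination = 'syslog'` into a comment, so PostgreSQL stops sending to syslog at all and /var/log/pgsql stays empty. Third, the old `options { ... create_dirs(on); }` was replaced by a Debian-style options block without create_dirs, yet d_shorewall_warn/info, d_newscrit/err/notice and d_nginx_vhost/_err write under /var/log/shorewall/, /var/log/news/ and /var/log/nginx/; syslog-ng will fail to open those files on a host where the directories do not already exist, so either restore create_dirs(on) (ideally with dir_owner/dir_group/dir_perm matching the 0640/adm policy) or create the directories in the port's post-install. Smaller points: `console` and `d_console` are both usertty("root") and `xconsole` and `d_xconsole` both pipe to /dev/xconsole, but only the d_ prefixed ones are used in a log path, so the unprefixed pair can go; and the new `owner("root"); group("adm"); perm(0640);` is the right default for log files, but "adm" is a Debian convention, so confirm the group exists on this CRUX host before syslog-ng starts with it.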
diff --git a/tools/conf/srv/gitolite/.gitolite.rc b/tools/conf/srv/gitolite/.gitolite.rc index fa18e4e..d2c80b7 100644 --- a/tools/conf/srv/gitolite/.gitolite.rc +++ b/tools/conf/srv/gitolite/.gitolite.rc @@ -28,7 +28,7 @@ # logging options # 1. leave this section as is for 'normal' gitolite logging (default) # 2. uncomment this line to log ONLY to syslog: - # LOG_DEST => 'syslog', + LOG_DEST => 'syslog', # 3. uncomment this line to log to syslog and the normal gitolite log: # LOG_DEST => 'syslog,normal', # 4. prefixing "repo-log," to any of the above will **also** log just the diff --git a/tools/conf/srv/gitolite/deploy-web-doc b/tools/conf/srv/gitolite/deploy-web-doc index ae8e2db..b836515 100755 --- a/tools/conf/srv/gitolite/deploy-web-doc +++ b/tools/conf/srv/gitolite/deploy-web-doc @@ -2,7 +2,7 @@ ###################################################################### # # Put this file in your gitolite-admin; -# ~/gitolite-admin/local/hooks/repo-specific/deploy-web-doc +# ~/gitolite-admin/local/hooks/repo-specific/hook-deploy-web # # set host to empty to create package for each push # or set remote host to create package based on last deployed push diff --git a/tools/conf/srv/gitolite/deploy-web.sh b/tools/conf/srv/gitolite/deploy-web.sh index 01e92ac..86d2026 100644 --- a/tools/conf/srv/gitolite/deploy-web.sh +++ b/tools/conf/srv/gitolite/deploy-web.sh @@ -3,7 +3,7 @@ pkg_path=$1 www_root="/srv/www" -www_user="nginx" +www_user="www" www_group="www" pkg_file="${pkg_path}/project" diff --git a/tools/conf/srv/gitolite/gitolite.conf b/tools/conf/srv/gitolite/gitolite.conf index 3de7ba5..2685d90 100644 --- a/tools/conf/srv/gitolite/gitolite.conf +++ b/tools/conf/srv/gitolite/gitolite.conf 
@@ -1,80 +1,73 @@ -@guests = gitweb -@interns = silvino -@dev = silvino -@teamleads = silvino -@staff = @interns @dev @teamleads +@guests = bob +@interns = bob +@dev = bob alice +@teamleads = druid bob +@staff = @interns @dev + repo @secret - = @guests option deny-rules = 1 repo @floss - RW+ = @dev @staff + RW+ = @staff R = @all repo @project RW+ = @teamleads - - master = @dev - - refs/tags/v[0-9] = @dev - RW+ develop/ = @dev - RW+ feature/ = @dev - RW+ hot-fix/ = @dev - RW = @dev - R = @interns + - master = @staff @guests + - refs/tags/ = @staff @guests + RW+ develop/ = @staff + RW+ feature/ = @staff + RW+ hot-fix/ = @staff + RW = @staff + R = @all repo @mirror + R = @all RW+ release/ = @teamleads RW+ develop/ = @dev RW+ feature/ = @dev RW+ hot-fix/ = @dev - R = @all + option upstream.nice = 120 repo gitolite-admin RW+ = gitolite -repo doc machine-ports pmwiki assistant - config gitweb.owner = "Tribu Team" - config gitweb.category = "machine" - -repo linux-pck - config gitweb.owner = "Tribu Team" - config gitweb.category = "mirrors" +repo mate + config gitweb.description = "Mate ports" -repo opt core contrib - config gitweb.owner = "crux" - config gitweb.category = "crux" +repo kde5 + config gitweb.description = "Kde5 ports" -repo doc - config gitweb.description = "documentation" - option hook.post-receive = deploy-web-doc - -repo machine-ports - config gitweb.description = "ports" +repo xorg + config gitweb.description = "Xorg ports" -repo pmwiki - config gitweb.description = "wiki" - option hook.post-receive = deploy-web-doc +repo contrib + config gitweb.description = "Contrib ports" -repo assistant - config gitweb.owner = "Tribu Team" - config gitweb.description = "open assistant" +repo opt + config gitweb.description = "Opt ports" repo core - config gitweb.description = "crux core collection" + config gitweb.description = "Core ports" -repo opt - config gitweb.description = "crux opt collection" +repo doc + config gitweb.description = "System doc." 
+ option hook.post-receive = deploy-web-doc -repo contrib - config gitweb.description = "crux contrib collection" +repo ports + config gitweb.description = "Extra ports." + option hook.post-receive = deploy-web-doc -repo linux-pck - config gitweb.description = "PCK or Parabola Community Kernel are multiple patches, pf-kernel and zen-kernel for Linux-libre kernel" - option upstream.url = git://git.parabola.nu/pck.git - option upstream.nice = 120 +repo doc + config gitweb.owner = "Team" + config gitweb.category = "Repositories" +repo core opt contrib ports xorg iso mate kde5 + config gitweb.owner = "Team" + config gitweb.category = "Host Ports" -@secret = gitolite-admin -@project = doc machine-ports pmwiki assistant -@project = core opt contrib -@mirror = linux-pck +@secret = gitolite-admin +@project = doc +@project = core opt contrib ports xorg iso mate kde5 webdata diff --git a/tools/conf/srv/pgsql/data/pg_hba.conf b/tools/conf/srv/pgsql/data/pg_hba.conf index af37ab4..f60af44 100644 --- a/tools/conf/srv/pgsql/data/pg_hba.conf +++ b/tools/conf/srv/pgsql/data/pg_hba.conf 
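Review bot: in the gitolite.conf hunk above, `option hook.post-receive = deploy-web-doc` (on both `repo doc` and `repo ports`) still names the hook file `deploy-web-doc`, while the deploy-web-doc hunk earlier in this patch changes its install path comment to `~/gitolite-admin/local/hooks/repo-specific/hook-deploy-web`. Gitolite resolves the option value as a file name inside that directory, so one of the two must be renamed or the post-receive hook will simply not be attached to those repos. Two more things in this hunk: the `@mirror = linux-pck` definition is removed together with `option upstream.url`, but the `repo @mirror` stanza (now `R = @all` plus `option upstream.nice = 120`) is kept, so it refers to a group that is no longer defined anywhere and is dead configuration; and `repo doc` is now declared twice (once with the description and hook, once with owner/category), which gitolite merges but which reads better as a single stanza.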
@@ -81,20 +81,14 @@ # TYPE DATABASE USER ADDRESS METHOD # "local" is for Unix domain socket connections only -#local all all trust +local all postgres scram-sha-256 +#local all postgres trust # IPv4 local connections: -#host all all 127.0.0.1/32 trust +host all postgres 127.0.0.1/32 scram-sha-256 # IPv6 local connections: -#host all all ::1/128 trust +host all postgres ::1/128 scram-sha-256 # Allow replication connections from localhost, by a user with the # replication privilege. -#local replication all trust -#host replication all 127.0.0.1/32 trust -#host replication all ::1/128 trust - -# TYPE DATABASE USER ADDRESS METHOD -local postgres postgres trust -host postgres postgres 127.0.0.1/32 trust -host db_flyspray flyspray 127.0.0.1/32 md5 -host all all 127.0.0.1/32 scram-sha-256 -host all all 0.0.0.0/0 reject +local replication postgres scram-sha-256 +host replication postgres 127.0.0.1/32 scram-sha-256 +host replication postgres ::1/128 scram-sha-256 diff --git a/tools/conf/srv/pgsql/data/postgresql.conf b/tools/conf/srv/pgsql/data/postgresql.conf index e25ab49..4497df9 100644 --- a/tools/conf/srv/pgsql/data/postgresql.conf +++ b/tools/conf/srv/pgsql/data/postgresql.conf @@ -73,7 +73,7 @@ max_connections = 100 # (change requires restart) #bonjour_name = '' # defaults to the computer name # (change requires restart) -# - TCP Keepalives - +# - TCP settings - # see "man 7 tcp" for details #tcp_keepalives_idle = 0 # TCP_KEEPIDLE, in seconds; 
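Review bot: the pg_hba.conf hunk above collapses every rule onto the `postgres` superuser and drops the per-application role line (`host db_flyspray flyspray 127.0.0.1/32 md5`) and the generic `host all all 127.0.0.1/32 scram-sha-256`, so the only way an application on this host can authenticate now is as the database superuser. That inverts least privilege: keep a line per application role (the flyspray line, upgraded from md5 to scram-sha-256, is the obvious candidate) and keep the superuser off the TCP rules entirely. For the Unix socket, `local all postgres peer` ties the DB superuser to the OS `postgres` account and avoids having a superuser password at all, which is stronger than `local all postgres scram-sha-256`. The three replication rules should likewise name a role that has only the REPLICATION attribute rather than `postgres`. Dropping `host all all 0.0.0.0/0 reject` is harmless in itself, since an address that matches no line is rejected anyway, but the explicit line documented the intent and cost nothing to keep.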
@@ -82,12 +82,14 @@ max_connections = 100 # (change requires restart) # 0 selects the system default #tcp_keepalives_count = 0 # TCP_KEEPCNT; # 0 selects the system default +#tcp_user_timeout = 0 # TCP_USER_TIMEOUT, in milliseconds; + # 0 selects the system default # - Authentication - #authentication_timeout = 1min # 1s-600s #password_encryption = md5 # md5 or scram-sha-256 -password_encryption = scram-sha-256 # md5 or scram-sha-256 +password_encryption = scram-sha-256 # md5 or scram-sha-256 #db_user_namespace = off # GSSAPI using Kerberos @@ -107,6 +109,8 @@ ssl_key_file = '/etc/ssl/keys/pg.key' #ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers #ssl_prefer_server_ciphers = on #ssl_ecdh_curve = 'prime256v1' +#ssl_min_protocol_version = 'TLSv1' +#ssl_max_protocol_version = '' #ssl_dh_params_file = '' #ssl_passphrase_command = '' #ssl_passphrase_command_supports_reload = off @@ -131,13 +135,18 @@ shared_buffers = 128MB # min 128kB #maintenance_work_mem = 64MB # min 1MB #autovacuum_work_mem = -1 # min 1MB, or -1 to use maintenance_work_mem #max_stack_depth = 2MB # min 100kB +#shared_memory_type = mmap # the default is the first option + # supported by the operating system: + # mmap + # sysv + # windows + # (change requires restart) dynamic_shared_memory_type = posix # the default is the first option # supported by the operating system: # posix # sysv # windows # mmap - # use none to disable dynamic shared memory # (change requires restart) # - Disk - @@ -152,7 +161,7 @@ dynamic_shared_memory_type = posix # the default is the first option # - Cost-Based Vacuum Delay - -#vacuum_cost_delay = 0 # 0-100 milliseconds +#vacuum_cost_delay = 0 # 0-100 milliseconds (0 disables) #vacuum_cost_page_hit = 1 # 0-10000 credits #vacuum_cost_page_miss = 10 # 0-10000 credits #vacuum_cost_page_dirty = 20 # 0-10000 credits 
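Review bot: in the @@ -107 hunk above, `#ssl_min_protocol_version = 'TLSv1'` is added as a commented default, and since this server already ships its own `ssl_key_file = '/etc/ssl/keys/pg.key'` it should set the floor explicitly to `ssl_min_protocol_version = 'TLSv1.2'` instead of inheriting TLS 1.0. The adjacent context line `#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL'` is also still the upstream default, which admits MEDIUM and 3DES suites; this commit is the natural place to pin it to a HIGH-only list alongside the protocol floor. The `password_encryption = scram-sha-256` change in the @@ -82 hunk is whitespace only and the setting itself is correct.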
@@ -203,6 +212,8 @@ dynamic_shared_memory_type = posix # the default is the first option #wal_compression = off # enable compression of full-page writes #wal_log_hints = off # also do full page writes of non-critical updates # (change requires restart) +#wal_init_zero = on # zero-fill new WAL files +#wal_recycle = on # recycle WAL files #wal_buffers = -1 # min 32kB, -1 sets based on shared_buffers # (change requires restart) #wal_writer_delay = 200ms # 1-10000 milliseconds 
@@ -231,6 +242,42 @@ min_wal_size = 80MB #archive_timeout = 0 # force a logfile segment switch after this # number of seconds; 0 disables +# - Archive Recovery - + +# These are only used in recovery mode. + +#restore_command = '' # command to use to restore an archived logfile segment + # placeholders: %p = path of file to restore + # %f = file name only + # e.g. 'cp /mnt/server/archivedir/%f %p' + # (change requires restart) +#archive_cleanup_command = '' # command to execute at every restartpoint +#recovery_end_command = '' # command to execute at completion of recovery + +# - Recovery Target - + +# Set these only when performing a targeted recovery. + +#recovery_target = '' # 'immediate' to end recovery as soon as a + # consistent state is reached + # (change requires restart) +#recovery_target_name = '' # the named restore point to which recovery will proceed + # (change requires restart) +#recovery_target_time = '' # the time stamp up to which recovery will proceed + # (change requires restart) +#recovery_target_xid = '' # the transaction ID up to which recovery will proceed + # (change requires restart) +#recovery_target_lsn = '' # the WAL LSN up to which recovery will proceed + # (change requires restart) +#recovery_target_inclusive = on # Specifies whether to stop: + # just after the specified recovery target (on) + # just before the recovery target (off) + # (change requires restart) +#recovery_target_timeline = 'latest' # 'current', 'latest', or timeline ID + # (change requires restart) +#recovery_target_action = 'pause' # 'pause', 'promote', 'shutdown' + # (change requires restart) + #------------------------------------------------------------------------------ # REPLICATION 
@@ -264,6 +311,11 @@ min_wal_size = 80MB # These settings are ignored on a master server. +#primary_conninfo = '' # connection string to sending server + # (change requires restart) +#primary_slot_name = '' # replication slot on sending server + # (change requires restart) +#promote_trigger_file = '' # file name whose presence ends recovery #hot_standby = on # "off" disallows queries during recovery # (change requires restart) #max_standby_archive_delay = 30s # max delay before canceling queries @@ -281,6 +333,7 @@ min_wal_size = 80MB # in milliseconds; 0 disables #wal_retrieve_retry_interval = 5s # time to wait before retrying to # retrieve WAL after a failed attempt +#recovery_min_apply_delay = 0 # minimum delay for applying changes during recovery # - Subscribers - @@ -356,7 +409,10 @@ min_wal_size = 80MB #join_collapse_limit = 8 # 1 disables collapsing of explicit # JOIN clauses #force_parallel_mode = off -#jit = off # allow JIT compilation +#jit = on # allow JIT compilation +jit = off # allow JIT compilation +#plan_cache_mode = auto # auto, force_generic_plan or + # force_custom_plan #------------------------------------------------------------------------------ @@ -365,9 +421,8 @@ min_wal_size = 80MB # - Where to Log - -#log_destination = 'stderr' # Valid values are combinations of -#log_destination = 'stderr,syslog' # Multiple are valide -log_destination = 'syslog' +#log_destination = 'stderr' +#log_destination = 'syslog' # Valid values are combinations of # stderr, csvlog, syslog, and eventlog, # depending on platform. csvlog # requires logging_collector to be on. @@ -400,7 +455,6 @@ log_destination = 'syslog' # 0 disables. # These are relevant when logging to syslog: -#syslog_facility = 'LOCAL0' syslog_facility = 'LOCAL0' syslog_ident = 'postgres' #syslog_sequence_numbers = on 
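Review bot: the @@ -365 hunk above replaces the active `log_destination = 'syslog'` with two commented lines, so PostgreSQL falls back to the built-in default of `stderr`, yet the next hunk keeps `syslog_facility = 'LOCAL0'` and `syslog_ident = 'postgres'`, which are now unused, and the syslog-ng hunk earlier in this patch still routes `facility(local0)` for postgres into /var/log/pgsql. If dropping syslog is intentional, `logging_collector = on` (not touched by this patch) is required for stderr output to reach a file at all under the rc script, and the orphaned syslog lines on both sides should be removed; if it is not intentional, restore `log_destination = 'syslog'`. Note also that the now-commented line reads `#log_destination = 'syslog' # Valid values are combinations of`, so the explanatory comment that used to follow `#log_destination = 'stderr'` is attached to the wrong line.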
@@ -412,17 +466,6 @@ syslog_ident = 'postgres' # - When to Log - -#client_min_messages = notice # values in order of decreasing detail: - # debug5 - # debug4 - # debug3 - # debug2 - # debug1 - # log - # notice - # warning - # error - #log_min_messages = warning # values in order of decreasing detail: # debug5 # debug4 @@ -456,6 +499,9 @@ syslog_ident = 'postgres' # statements running at least this number # of milliseconds +#log_transaction_sample_rate = 0.0 # Fraction of transactions whose statements + # are logged regardless of their duration. 1.0 logs all + # statements from all transactions, 0.0 never logs. # - What to Log - @@ -464,12 +510,15 @@ syslog_ident = 'postgres' #debug_print_plan = off #debug_pretty_print = on #log_checkpoints = off +#log_connections = off log_connections = on +#log_disconnections = off log_disconnections = on -log_duration = on +#log_duration = off #log_error_verbosity = default # terse, default, or verbose messages +#log_hostname = off log_hostname = on -#log_line_prefix = '%m [%p] ' # special values: +log_line_prefix = 'd=$d u=% %m [%p] ' # special values: # %a = application name # %u = user name # %d = database name @@ -492,11 +541,12 @@ log_hostname = on # e.g. '<%u%%%d> ' #log_lock_waits = off # log lock waits >= deadlock_timeout #log_statement = 'none' # none, ddl, mod, all +log_statement = 'mod' # none, ddl, mod, all #log_replication_commands = off #log_temp_files = -1 # log temporary files equal or larger # than the specified size in kilobytes; # -1 disables, 0 logs all temp files -log_timezone = 'Portugal' +log_timezone = 'Europe/Lisbon' #------------------------------------------------------------------------------ # PROCESS TITLE 
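Review bot: `log_line_prefix = 'd=$d u=% %m [%p] '` in the @@ -464 hunk above is malformed: PostgreSQL prefix escapes start with `%`, so `$d` is emitted literally, and the bare `% ` is an unknown escape that the server silently drops, so every line starts with the text "d=$d u=" followed directly by the timestamp. The intended prefix is something like `log_line_prefix = '%m [%p] %q%u@%d %h '`, which gives timestamp, pid, user, database and remote host (the `%q` keeps background processes from emitting empty user/db fields). Two caveats on the other settings in this hunk: `log_statement = 'mod'` includes DDL, so `CREATE ROLE ... PASSWORD '...'` and `ALTER ROLE` statements are written to the log with the cleartext password, which makes the file permissions on the log matter (the 0640/adm policy in the syslog-ng hunk only applies while PostgreSQL still logs through syslog, which this patch switches off); and `log_hostname = on` combined with `log_connections = on` does a reverse DNS lookup on every connection, which is fine for the loopback-only pg_hba.conf in this commit but worth knowing if remote hosts are ever allowed.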
@@ -553,7 +603,7 @@ log_timezone = 'Portugal' #autovacuum_multixact_freeze_max_age = 400000000 # maximum multixact age # before forced vacuum # (change requires restart) -#autovacuum_vacuum_cost_delay = 20ms # default vacuum cost delay for +#autovacuum_vacuum_cost_delay = 2ms # default vacuum cost delay for # autovacuum, in milliseconds; # -1 means use vacuum_cost_delay #autovacuum_vacuum_cost_limit = -1 # default vacuum cost limit for @@ -567,11 +617,22 @@ log_timezone = 'Portugal' # - Statement Behavior - +#client_min_messages = notice # values in order of decreasing detail: + # debug5 + # debug4 + # debug3 + # debug2 + # debug1 + # log + # notice + # warning + # error #search_path = '"$user", public' # schema names #row_security = on #default_tablespace = '' # a tablespace name, '' uses the default #temp_tablespaces = '' # a list of tablespace names, '' uses # only default tablespace +#default_table_access_method = 'heap' #check_function_bodies = on #default_transaction_isolation = 'read committed' #default_transaction_read_only = off @@ -597,7 +658,7 @@ log_timezone = 'Portugal' datestyle = 'iso, mdy' #intervalstyle = 'postgres' -timezone = 'Portugal' +timezone = 'Europe/Lisbon' #timezone_abbreviations = 'Default' # Select the set of available time zone # abbreviations. Currently, there are # Default @@ -605,7 +666,8 @@ timezone = 'Portugal' # India # You can create your own file in # share/timezonesets/. -#extra_float_digits = 0 # min -15, max 3 +#extra_float_digits = 1 # min -15, max 3; any value >0 actually + # selects precise output mode #client_encoding = sql_ascii # actually, defaults to database # encoding @@ -654,7 +716,6 @@ default_text_search_config = 'pg_catalog.english' #array_nulls = on #backslash_quote = safe_encoding # on, off, or safe_encoding -#default_with_oids = off #escape_string_warning = on #lo_compat_privileges = off #operator_precedence_warning = off 
@@ -673,6 +734,9 @@ default_text_search_config = 'pg_catalog.english' #exit_on_error = off # terminate session on any error? #restart_after_crash = on # reinitialize after backend crash? +#data_sync_retry = off # retry or panic on failure to fsync + # data? + # (change requires restart) #------------------------------------------------------------------------------ @@ -680,12 +744,13 @@ default_text_search_config = 'pg_catalog.english' #------------------------------------------------------------------------------ # These options allow settings to be loaded from files other than the -# default postgresql.conf. +# default postgresql.conf. Note that these are directives, not variable +# assignments, so they can usefully be given more than once. -#include_dir = 'conf.d' # include files ending in '.conf' from - # directory 'conf.d' -#include_if_exists = 'exists.conf' # include file only if it exists -#include = 'special.conf' # include file +#include_dir = '...' # include files ending in '.conf' from + # a directory, e.g., 'conf.d' +#include_if_exists = '...' # include file only if it exists +#include = '...' # include file #------------------------------------------------------------------------------ diff --git a/tools/gitolite.html b/tools/gitolite.html index 23460e9..ea07129 100644 --- a/tools/gitolite.html +++ b/tools/gitolite.html @@ -769,7 +769,7 @@ </pre> <p>Add this to default or main - <a href="nginx.html#virtual-host">nginx virtual host</a>;</p> + <a href="nginx.html#virtual-server">nginx virtual server</a>;</p> <pre> location /git/gitweb.cgi { diff --git a/tools/index.html b/tools/index.html index d8c0690..2724a6f 100644 --- a/tools/index.html +++ b/tools/index.html 
@@ -1,181 +1,209 @@ <!DOCTYPE html> <html dir="ltr" lang="en"> <head> - <meta charset='utf-8'> - <title>Tools</title> + <meta charset='utf-8'> + <title>Tools</title> </head> <body> - <a href="../index.html">Documentation Index</a> - <h1>Tools</h1> + <a href="../index.html">Documentation Index</a> + <h1>Tools</h1> - <p>Selection of system tools that extends core documentation.<p> + <p>Selection of system tools that extends core documentation.<p> - <h2>System Tools</h2> + <h2>System Tools</h2> - <ul> - <li><a href="tar.html">Tar</a> - <ul> - <li><a href="tar.html#tarbkup">1. Create Backup</a></li> - <li><a href="tar.html#tarview">2. View content of tar</a></li> - <li><a href="tar.html#tarextract">3. Extract content from tar</a></li> - <li><a href="tar.html#taradd">4. Add content to tar</a></li> - <li><a href="tar.html#tarrm">5. Remove content from tar</a></li> - </ul> - </li> - <li><a href="vim.html">Vim</a> - <ul> - <li><a href="vim.html#vimrc">1. Vim RC</a></li> - <li><a href="vim.html#color">2. Color schemes</a></li> - <li><a href="vim.html#split">3. Split and tab</a></li> - <li><a href="vim.html#filebrowser">4. File browser</a></li> - <li><a href="vim.html#block">5. Editing files</a></li> - <li><a href="vim.html#ctags">6. Tags</a></li> - <li><a href="vim.html#spellcheck">7. Spellcheck</a></li> - <li><a href="vim.html#plugin">8. Plugins</a></li> - <li><a href="vim.html#vimdiff">9. Vimdiff</a></li> - </ul> - </li> - <li><a href="gnupg.html">Gpg</a> - <ul> - <li><a href="gnupg.html#install">1. Install</a></li> - <li><a href="gnupg.html#genkey">2. Generate keys</a></li> - <li><a href="gnupg.html#keys">3. Key Management</a></li> - <li><a href="gnupg.html#keyex">4. Export and import keys</a></li> - <li><a href="gnupg.html#cryptsign">5. Encrypt, decrypt and signing</a></li> - </ul> - </li> - <li><a href="mutt.html">Mutt</a> - <ul> - <li><a href="mutt.html#install">1. Install</a></li> - <li><a href="mutt.html#conf">2. 
Configure</a> - <ul> - <li><a href="mutt.html#system">2.1. System Email</a></li> - <li><a href="mutt.html#external">2.2. External Email</a></li> - </ul> - </li> - <li><a href="mutt.html#usemutt">3. Using Mutt</a> - <ul> - <li><a href="mutt.html#tagmail">3.1. Tag Email</a></li> - <li><a href="mutt.html#alias">3.2. Address alias</a></li> - <li><a href="mutt.html#gpgkeys">3.3. GPG Keys</a></li> - </ul> - </li> - </ul> - </li> - <li><a href="lynx.html">Lynx</a></li> - <li><a href="irssi.html">Irssi</a></li> - <li><a href="x.html">X</a></li> - </ul> + <ul> + <li><a href="tar.html">Tar</a> + <ul> + <li><a href="tar.html#tarbkup">1. Create Backup</a></li> + <li><a href="tar.html#tarview">2. View content of tar</a></li> + <li><a href="tar.html#tarextract">3. Extract content from tar</a></li> + <li><a href="tar.html#taradd">4. Add content to tar</a></li> + <li><a href="tar.html#tarrm">5. Remove content from tar</a></li> + </ul> + </li> + <li><a href="vim.html">Vim</a> + <ul> + <li><a href="vim.html#vimrc">1. Vim RC</a></li> + <li><a href="vim.html#color">2. Color schemes</a></li> + <li><a href="vim.html#split">3. Split and tab</a></li> + <li><a href="vim.html#filebrowser">4. File browser</a></li> + <li><a href="vim.html#block">5. Editing files</a></li> + <li><a href="vim.html#ctags">6. Tags</a></li> + <li><a href="vim.html#spellcheck">7. Spellcheck</a></li> + <li><a href="vim.html#plugin">8. Plugins</a></li> + <li><a href="vim.html#vimdiff">9. Vimdiff</a></li> + </ul> + </li> + <li><a href="gnupg.html">Gpg</a> + <ul> + <li><a href="gnupg.html#install">1. Install</a></li> + <li><a href="gnupg.html#genkey">2. Generate keys</a></li> + <li><a href="gnupg.html#keys">3. Key Management</a></li> + <li><a href="gnupg.html#keyex">4. Export and import keys</a></li> + <li><a href="gnupg.html#cryptsign">5. Encrypt, decrypt and signing</a></li> + </ul> + </li> + <li><a href="mutt.html">Mutt</a> + <ul> + <li><a href="mutt.html#install">1. Install</a></li> + <li><a href="mutt.html#conf">2. 
Configure</a> + <ul> + <li><a href="mutt.html#system">2.1. System Email</a></li> + <li><a href="mutt.html#external">2.2. External Email</a></li> + </ul> + </li> + <li><a href="mutt.html#usemutt">3. Using Mutt</a> + <ul> + <li><a href="mutt.html#tagmail">3.1. Tag Email</a></li> + <li><a href="mutt.html#alias">3.2. Address alias</a></li> + <li><a href="mutt.html#gpgkeys">3.3. GPG Keys</a></li> + </ul> + </li> + </ul> + </li> + <li><a href="lynx.html">Lynx</a></li> + <li><a href="irssi.html">Irssi</a></li> + <li><a href="x.html">X</a></li> + </ul> - <h2>System Administration</h2> + <h2>System Administration</h2> - <ul> - <li><a href="network.html">Network Tools</a> - <ul> - <li><a href="dnsmasq.html">Dnscrypt and Dnsmasq</a></li> - <li><a href="tcpdump.html">Tcpdump</a></li> - <li><a href="nmap.html">Nmap</a></li> - <li><a href="wireless.html">Wireless</a></li> - </ul> - </li> - <li><a href="storage.html">Storage</a> - <ul> - <li><a href="storage.html#fsck">1. Maintenance</a></li> - <li><a href="storage.html#mv">2. Moving data</a></li> - <li><a href="storage.html#resize">2. Resize</a></li> - </ul> - </li> - <li><a href="lvm.html">LVM</a> - <ul> - <li><a href="lvm.html#lvmpart">1. LVM partition</a></li> - <li><a href="lvm.html#pv">2. Create physical volume</a></li> - <li><a href="lvm.html#vg">3. Create volume group</a></li> - <li><a href="lvm.html#lv">4. Create logical volume</a></li> - <li><a href="lvm.html#fsck">5. 
Maintenance</a></li> - </ul> - </li> - <li><a href="syslog-ng.html">Syslog-ng</a> - <ul> - <li><a href="syslog-ng.html#install">Install syslog-ng</a></li> - <li><a href="syslog-ng.html#configure">Configure syslog-ng</a></li> - <li><a href="logrotate.html">Logrotate</a></li> - <li><a href="logwatch.html">Logwatch</a> - <ul> - <li><a href="logwatch.html#conf">Configure Logwatch</a></li> - <li><a href="logwatch.html#cron">Set cron task</a></li> - </ul> - </li> + <ul> + <li><a href="network.html">Network Tools</a> + <ul> + <li><a href="dnsmasq.html">Dnscrypt and Dnsmasq</a></li> + <li><a href="tcpdump.html">Tcpdump</a></li> + <li><a href="nmap.html">Nmap</a></li> + <li><a href="wireless.html">Wireless</a></li> + </ul> + </li> + <li><a href="storage.html">Storage</a> + <ul> + <li><a href="storage.html#fsck">1. Maintenance</a></li> + <li><a href="storage.html#mv">2. Moving data</a></li> + <li><a href="storage.html#resize">2. Resize</a></li> + </ul> + </li> + <li><a href="lvm.html">LVM</a> + <ul> + <li><a href="lvm.html#lvmpart">1. LVM partition</a></li> + <li><a href="lvm.html#pv">2. Create physical volume</a></li> + <li><a href="lvm.html#vg">3. Create volume group</a></li> + <li><a href="lvm.html#lv">4. Create logical volume</a></li> + <li><a href="lvm.html#fsck">5. 
Maintenance</a></li> + </ul> + </li> + <li><a href="syslog-ng.html">Syslog-ng</a> + <ul> + <li><a href="syslog-ng.html#install">Install syslog-ng</a></li> + <li><a href="syslog-ng.html#configure">Configure syslog-ng</a></li> + <li><a href="logrotate.html">Logrotate</a></li> + <li><a href="logwatch.html">Logwatch</a> + <ul> + <li><a href="logwatch.html#conf">Configure Logwatch</a></li> + <li><a href="logwatch.html#cron">Set cron task</a></li> + </ul> + </li> - </ul> - </li> - <li><a href="fail2ban.html">Fail2Ban</a> - <ul> - <li><a href="fail2ban.html#conf">Configure Fail2ban</a></li> - </ul> - </li> + </ul> + </li> + <li><a href="fail2ban.html">Fail2Ban</a> + <ul> + <li><a href="fail2ban.html#conf">Configure Fail2ban</a></li> + </ul> + </li> - </ul> + </ul> - <h2>Network Services</h2> - <ul> - <li><a href="qemu.html">Qemu</a> - <ul> - <li><a href="qemu.html#kern">1. Host system</a></li> - <li><a href="qemu.html#disk">2. Disk images</a></li> - <li><a href="qemu.html#net">3. Network</a></li> - <li><a href="qemu.html#guest">4. Guest system</a></li> - </ul> - </li> - <li> - <a href="openssh.html">OpenSSH</a> - <ul> - <li><a href="openssh.html#sshd">1. Server</a></li> - <li><a href="openssh.html#ssh">2. Client</a></li> - <li><a href="openssh.html#reverse">3. Reverse connection</a></li> - </ul> - </li> - <li><a href="nginx.html">Nginx</a> - <ul> - <li><a href="nginx.html#install">1. Install Nginx</a></li> - <li><a href="nginx.html#certs">2. Certificates</a></li> - <li><a href="nginx.html#nginxconf">3. Nginx configuration</a></li> - <li><a href="nginx.html#server">4. Server with PHP</a></li> - <li><a href="nginx.html#userdir">5. User directory</a></li> - <li><a href="nginx.html#logs">6. Logs</a></li> - </ul> - </li> - <li><a href="gitolite.html">Gitolite</a> - <ul> - <li><a href="gitolite.html#install">1. Install Gitolite</a></li> - <li><a href="gitolite.html#config">2. Configure gitolite</a></li> - <li><a href="gitolite.html#admin">3. 
Gitolite administration</a></li> - <li><a href="gitolite.html#hooks">4. Gitolite hooks</a></li> - <li><a href="gitolite.html#gitweb">5. Gitweb</a></li> - <li><a href="gitolite.html#git-daemon">6. Git-daemon</a></li> - </ul> - </li> - <li><a href="postgresql.html">Postgresql</a> - <ul> - <li><a href="postgresql.html#install">1. Install Postgresql</a></li> - <li><a href="postgresql.html#config">2. Configure server</a></li> - <li><a href="postgresql.html#createuser">3. Create user</a></li> - <li><a href="postgresql.html#createdb">4. Create database</a></li> - <li><a href="postgresql.html#dropdb">5. Drop database</a></li> - <li><a href="postgresql.html#dropuser">6. Drop user</a></li> - <li><a href="postgresql.html#psql">7. Psql</a></li> - <li><a href="postgresql.html#backup">8. Backup and restore</a></li> - </ul> - </li> - </ul> + <h2>Network Services</h2> + <ul> + <li><a href="qemu.html">Qemu</a> + <ul> + <li><a href="qemu.html#kern">1. Host system</a></li> + <li><a href="qemu.html#disk">2. Disk images</a></li> + <li><a href="qemu.html#net">3. Network</a></li> + <li><a href="qemu.html#guest">4. Guest system</a></li> + </ul> + </li> + <li> + <a href="openssh.html">OpenSSH</a> + <ul> + <li><a href="openssh.html#sshd">1. Server</a></li> + <li><a href="openssh.html#ssh">2. Client</a></li> + <li><a href="openssh.html#reverse">3. Reverse connection</a></li> + </ul> + </li> + <li><a href="nginx.html">Nginx</a> + <ul> + <li><a href="nginx.html#install">1. Install Nginx</a></li> + <li><a href="nginx.html#certs">2. Certificates</a></li> + <li><a href="nginx.html#nginxconf">3. Nginx configuration</a></li> + <li><a href="nginx.html#server">4. Virtual servers</a></li> + <li><a href="nginx.html#userdir">5. User directory</a></li> + <li><a href="nginx.html#logs">6. Logs</a></li> + </ul> + </li> + <li><a href="gitolite.html">Gitolite</a> + <ul> + <li><a href="gitolite.html#install">1. Install Gitolite</a></li> + <li><a href="gitolite.html#config">2. 
Configure gitolite</a></li> + <li><a href="gitolite.html#admin">3. Gitolite administration</a></li> + <li><a href="gitolite.html#hooks">4. Gitolite hooks</a></li> + <li><a href="gitolite.html#gitweb">5. Gitweb</a></li> + <li><a href="gitolite.html#git-daemon">6. Git-daemon</a></li> + </ul> + </li> + <li><a href="postgresql.html">Postgresql</a> + <ul> + <li><a href="postgresql.html#install">1. Install Postgresql</a> + <ul> + <li><a href="postgresql.html#syslog-ng">1.1. Configure syslog-ng</a></li> + <li><a href="postgresql.html#gencert">1.2. Certificates</a></li> + </ul> + </li> + <li><a href="postgresql.html#server">2. Configure Server</a> + <ul> + <li><a href="postgresql.html#init">2.1. Init script</a></li> + <li><a href="postgresql.html#config">2.2. Configure postgresql.conf</a></li> + <li><a href="postgresql.html#pass">2.3. Super user password</a></li> + <li><a href="postgresql.html#pg_hba">2.4. Configure pg_hba.conf</a></li> + </ul> + </li> + <li><a href="postgresql.html#users">3. Manage users</a> + <ul> + <li><a href="postgresql.html#createuser">3.1. Create user - create role</a></li> + <li><a href="postgresql.html#dropuser">3.2. Remove user - drop role</a></li> + <li><a href="postgresql.html#userpass">3.3. Change password</a></li> + <li><a href="postgresql.html#listuser">3.4. List users - roles</a></li> + </ul> + </li> + <li><a href="postgresql.html#databases">4. Manage databases</a> + <ul> + <li><a href="postgresql.html#createdb">4.1. Create database</a></li> + <li><a href="postgresql.html#dropdb">4.2. Drop database</a></li> + <li><a href="postgresql.html#listdb">4.3. List databases</a></li> + <li><a href="postgresql.html#backup">4.4. Dump and restore</a></li> + </ul> + </li> + <li><a href="postgresql.html#psql">5. Psql</a> + <ul> + <li><a href="postgresql.html#psqldb">5.2. Create Database</a></li> + <li><a href="postgresql.html#droptables">5.3. 
Drop All Tables</a></li> + </ul> + </li> + </ul> + </li> + </ul> - <a href="../index.html">Documentation Index</a> + <a href="../index.html">Documentation Index</a> - <p> - This is part of the Tribu System Documentation. - Copyright (C) 2020 - Tribu Team. - See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a> - for copying conditions.</p> + <p> + This is part of the Tribu System Documentation. + Copyright (C) 2020 + Tribu Team. + See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a> + for copying conditions.</p> </body> </html> diff --git a/tools/logrotate.html b/tools/logrotate.html index d9047c4..fc07169 100644 --- a/tools/logrotate.html +++ b/tools/logrotate.html @@ -5,6 +5,8 @@ <title>1. Logrotate</title> </head> <body> + <a href="index.html">Tools Index</a> + <h1 id="logrotate">1. Logrotate</h1> <p><a href="https://fedorahosted.org/logrotate/">Logrotate</a> @@ -32,23 +34,24 @@ seems to be standard anyway). </pre> + <p>This is just an example configuration, review to match <a href="syslog-ng.html">syslog-ng</a> and other tools that write logs</p> + <pre> # see "man logrotate" for details # rotate log files weekly weekly - # keep 5 weeks worth of backlogs - rotate 5 + # keep 4 weeks worth of backlogs + rotate 4 # create new (empty) log files after rotating old ones create # uncomment this if you want your log files compressed - compress + #compress olddir /var/log/old - - notifempty + maxsize 1M # some packages can drop log rotation information into # this directory 
@@ -56,107 +59,310 @@ # few generic files to rotate /var/log/wtmp { - weekly + monthly create 0644 root root - rotate 5 + rotate 1 } /var/log/btmp { - weekly + monthly create 0600 root root - rotate 5 + rotate 1 } # system-specific logs may be also be configured here. - /var/log/faillog { - maxsize 5M + /var/log/auth { + missingok + notifempty + compress + delaycompress + sharedscripts + postrotate + /etc/init.d/syslog-ng reload + endscript } - /var/log/lastlog { - maxsize 5M + /var/log/sudo { + missingok + notifempty + compress + delaycompress + sharedscripts + postrotate + /etc/init.d/syslog-ng reload + endscript } - /var/log/auth { - weekly - create 0644 root root - rotate 5 - sharedscripts + /var/log/cron { + missingok + notifempty + compress + delaycompress + sharedscripts + postrotate + /etc/init.d/syslog-ng reload + endscript + } + + /var/log/daemon { + rotate 7 + missingok + notifempty + compress + delaycompress + sharedscripts + postrotate + /etc/init.d/syslog-ng reload + endscript + } + + /var/log/debug { + missingok + notifempty + compress + delaycompress + sharedscripts + postrotate + /etc/init.d/syslog-ng reload + endscript + } + + /var/log/error { + missingok + notifempty + compress + delaycompress + sharedscripts + postrotate + /etc/init.d/syslog-ng reload + endscript + } + + /var/log/iptables { + # uncomment this if you want your log files compressed + delaycompress + compress postrotate - if [ -f /var/run/syslog-ng.pid ]; then \ - kill -HUP `cat /var/run/syslog-ng.pid`; \ - fi; + /etc/rc.d/syslog-ng reload >/dev/null endscript } - /var/log/cron { - weekly - create 0644 root root - rotate 5 - sharedscripts + /var/log/kernel { + missingok + notifempty + compress + delaycompress + sharedscripts + postrotate + /etc/init.d/syslog-ng reload + endscript + } + + /var/log/lpr { + missingok + notifempty + compress + delaycompress + sharedscripts + postrotate + /etc/init.d/syslog-ng reload + endscript + } + + /var/log/mail.err { + missingok + notifempty + 
compress + delaycompress + sharedscripts + postrotate + /etc/init.d/syslog-ng reload + endscript + } + + /var/log/mail.info { + missingok + notifempty + compress + delaycompress + sharedscripts + postrotate + /etc/init.d/syslog-ng reload + endscript + } + + /var/log/mail { + missingok + notifempty + compress + delaycompress + sharedscripts + postrotate + /etc/init.d/syslog-ng reload + endscript + } + + /var/log/mail.warn { + missingok + notifempty + compress + delaycompress + sharedscripts + postrotate + /etc/init.d/syslog-ng reload + endscript + } + + /var/log/messages { + missingok + notifempty + compress + delaycompress + sharedscripts + postrotate + /etc/init.d/syslog-ng reload + endscript + } + + + /var/log/user { + missingok + notifempty + compress + delaycompress + sharedscripts + postrotate + /etc/init.d/syslog-ng reload + endscript + } + + /var/log/uucp { + missingok + notifempty + compress + delaycompress + sharedscripts + postrotate + /etc/init.d/syslog-ng reload + endscript + } + + /var/log/syslog-ng { + rotate 7 + daily + compress + delaycompress + sharedscripts + postrotate + /etc/init.d/syslog-ng reload + endscript + } + + /var/log/dnsmasq { + # uncomment this if you want your log files compressed + delaycompress + compress postrotate - if [ -f /var/run/syslog-ng.pid ]; then \ - kill -HUP `cat /var/run/syslog-ng.pid`; \ - fi; + /etc/rc.d/syslog-ng reload >/dev/null endscript } - /var/log/debug { - weekly + /var/log/pgsql { + # create new (empty) log files after rotating old ones create 0644 root root - rotate 5 - sharedscripts + # uncomment this if you want your log files compressed + delaycompress + compress + notifempty + maxsize 5M postrotate - if [ -f /var/run/syslog-ng.pid ]; then \ - kill -HUP `cat /var/run/syslog-ng.pid`; \ - fi; + /etc/rc.d/syslog-ng reload >/dev/null endscript } - /var/log/kernel { - rotate 5 - monthly - create 0644 root root - sharedscripts + /var/log/git-daemon { + # uncomment this if you want your log files compressed + 
delaycompress + compress postrotate - if [ -f /var/run/syslog-ng.pid ]; then \ - kill -HUP `cat /var/run/syslog-ng.pid`; \ - fi; + /etc/rc.d/syslog-ng reload >/dev/null endscript } - /var/log/messages { - rotate 5 - weekly - create 0644 root root - sharedscripts + /var/log/gitolite { + # uncomment this if you want your log files compressed + delaycompress + compress postrotate - if [ -f /var/run/syslog-ng.pid ]; then \ - kill -HUP `cat /var/run/syslog-ng.pid`; \ - fi; + /etc/rc.d/syslog-ng reload >/dev/null endscript } - /var/log/mail { - weekly - create 0644 root root - rotate 5 - sharedscripts + /var/log/php-fpm { + # uncomment this if you want your log files compressed + delaycompress + compress + postrotate + /etc/rc.d/syslog-ng reload >/dev/null + endscript + } + + /var/log/php { + # uncomment this if you want your log files compressed + delaycompress + compress + postrotate + /etc/rc.d/syslog-ng reload >/dev/null + endscript + } + + /var/log/nginx_access { + # uncomment this if you want your log files compressed + delaycompress + compress + postrotate + /etc/rc.d/syslog-ng reload >/dev/null + endscript + } + + /var/log/nginx_error { + # uncomment this if you want your log files compressed + delaycompress + compress + postrotate + /etc/rc.d/syslog-ng reload >/dev/null + endscript + } + + /var/log/nginx/tribu_error.log { + # uncomment this if you want your log files compressed + delaycompress + compress + olddir /var/log/old/nginx + postrotate + /etc/rc.d/syslog-ng reload >/dev/null + endscript + } + + /var/log/nginx/tribu_access.log { + # uncomment this if you want your log files compressed + delaycompress + compress + olddir /var/log/old/nginx postrotate - if [ -f /var/run/syslog-ng.pid ]; then \ - kill -HUP `cat /var/run/syslog-ng.pid`; \ - fi; + /etc/rc.d/syslog-ng reload >/dev/null endscript } </pre> - <p>You can force logrotate to test configuration;</p> + <p>To force logrotate to test configuration;</p> <pre> # logrotate -f /etc/logrotate.conf </pre> 
<p>This is part of the Tribu System Documentation. -Copyright (C) 2020 +Copyright (C) 2020 Tribu Team. See the file <a href="fdl-1.3-standalone.html">Gnu Free Documentation License</a> for copying conditions.</p> diff --git a/tools/nginx.html b/tools/nginx.html index 0420e70..21abb90 100644 --- a/tools/nginx.html +++ b/tools/nginx.html @@ -155,9 +155,7 @@ <h2 id="nginxconf">3. Nginx Configuration</h2> - <p>Read <a href="http://wiki.nginx.org/Pitfalls">nginx pitfalls</a>, - for more information about optimization - <a href="https://www.digitalocean.com/community/tutorials/how-to-optimize-nginx-configuration">digitalocean</a>, + <p>This is the "main" nginx configuration not the servers, the way this configuration is setup nginx will load virtual servers configuration files with extension .conf from /etc/nginx/sites-enabled/.</p> <p>Number of worker_processes must be equal or less than the number of available cpu cores. This is set to auto.</p> @@ -186,11 +184,10 @@ user www; worker_processes auto; - error_log /var/log/nginx/error.log; + error_log syslog:server=unix:/dev/log debug; pid /var/run/nginx.pid; - events { worker_connections 1024; } @@ -199,9 +196,9 @@ include mime.types; default_type application/octet-stream; - #log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - # '$status $body_bytes_sent "$http_referer" ' - # '"$http_user_agent" "$http_x_forwarded_for"'; + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; sendfile on; #tcp_nopush on; @@ -216,13 +213,8 @@ #client_header_timeout 12; client_header_timeout 24; - #client_max_body_size 10000M; - #keepalive_timeout 10000; - #client_body_timeout 10000; - #client_header_timeout 10000; send_timeout 65; - gzip on; gzip_vary on; #gzip_proxied any; 
@@ -234,14 +226,19 @@ include /etc/nginx/conf.d/*.conf; include /etc/nginx/sites-enabled/*.conf; - } # End of file </pre> - <h2 id="server">4. Server with PHP</h2> - <p>To debug configurations check logs and;</p> + <h2 id="server">4. Virtual servers</h2> + + <p>Read <a href="http://wiki.nginx.org/Pitfalls">nginx pitfalls</a> and + <a href="https://www.digitalocean.com/community/tutorials/how-to-optimize-nginx-configuration">configuration optimization</a>.<p> + + <p>This setup uses default virtual server as a proxy, this allows to have a clean configuration file and delegate application specific settings to other servers. Other virtual servers can run on same machine or other machines, allowing greater compartmentalization.</p> + + <p>When testing or debugging configurations is useful to run nginx with following option;</p> <pre> nginx -V 
@@ -270,31 +267,19 @@ /etc/php/conf.d/pdo_pgsql.ini </pre> - <h3 id="virtual-host">4.2. Setup Virtual Host</h3> - - <p>Server (virtual host) with pmwiki and flyspray, check - <a href="conf/etc/nginx/sites/">/etc/nginx/sites</a> - for more examples. Install pmwiki and flyspray;</p> - - <pre> - $ sudo prt-get depinst pmwiki flyspray - </pre> + <h3 id="default-server">4.2. Setup default server</h3> - <p> This server is configured in a way that - root serves pmwiki and /tasks serves flyspray. In order to - flyspray to link correctly change index is needed. Create /etc/nginx/sites-enabled/machine.example.org.conf;</p> + <p>Default server that acts as a proxy except for /doc, with ssl certificates (serves port 443 and 80). Each location is proxy ed to correspondent virtual server.</p> <pre> server { + listen 80 default_server; + server_name tribu.semdestino.org; - listen 443 ssl; - listen 80; - server_name machine.example.org; - - # listen [::]:443 ssl http2; - ssl_certificate /etc/letsencrypt/live/machine.example.org/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/machine.example.org/privkey.pem; - ssl_trusted_certificate /etc/letsencrypt/live/machine.example.org/chain.pem; + listen 443 ssl default_server; + ssl_certificate /etc/letsencrypt/live/tribu.semdestino.org/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/tribu.semdestino.org/privkey.pem; + ssl_trusted_certificate /etc/letsencrypt/live/tribu.semdestino.org/chain.pem; ssl_session_timeout 1d; ssl_session_cache shared:SSL:50m; 
@@ -306,112 +291,109 @@ ssl_stapling on; ssl_stapling_verify on; - access_log /var/log/nginx/example_access.log; - error_log /var/log/nginx/example_error.log; - - root /srv/www/; + access_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_vhost,nohostname main; + error_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_vhost_err,nohostname debug; - location /mirror { - #alias /usr/ports/releases; - proxy_pass http://10.0.0.3:80/; - } - - location /builder { - rewrite ^/blog(.*) /$1 break; - proxy_pass http://10.0.0.3:80; - } + root /etc/html/; location /doc { alias /srv/www/doc; index index.html; } - location /git/static { - # static files (png/css) served from /usr/share/gitweb/static - alias /srv/www/gitweb/static; + location /pub { + proxy_pass http://wiki.c2.ank:8080; + } + + location /wiki { + proxy_pass http://wiki.c2.ank:8080; } location /git { - alias /srv/www/gitweb; - index gitweb.cgi; - fastcgi_split_path_info ^/git()(/?.+)$; - fastcgi_param GITWEB_CONFIG /etc/gitweb.conf; - fastcgi_param DOCUMENT_ROOT /srv/www/gitweb; - fastcgi_param SCRIPT_NAME /gitweb.cgi$fastcgi_path_info; - - include fastcgi_params; - fastcgi_pass unix:/var/run/fcgiwrap.sock; + proxy_pass http://git.c2.ank:8080; } - location /chat { - index index.php; - alias /srv/www/chat; - try_files $uri $uri/ index.php$is_args$args; + location /forum { + proxy_pass http://forum.c2.ank:8080; } - location ~ ^/chat(.+\.php)$ { ### This location block was the solution - alias /srv/www/chat; - fastcgi_split_path_info ^(.+\.php)(/.+)$; - fastcgi_index index.php; - try_files $uri /index.php =404; - include /etc/nginx/fastcgi_params; - fastcgi_param SCRIPT_FILENAME $document_root$1; - # fastcgi_pass unix:/var/run/php5-fpm.sock; - fastcgi_pass 127.0.0.1:9000; + location /task { + proxy_pass http://task.c2.ank:8080; } + location /shop { + proxy_pass http://shop.c2.ank:8080; + } - location /task { - index index.php; - alias /srv/www/flyspray; - try_files $uri $uri/ index.php$is_args$args; + 
location /email { + proxy_pass http://email.c2.ank:8080; } - location ~ ^/task(.+\.php)$ { ### This location block was the solution - alias /srv/www/flyspray; - fastcgi_split_path_info ^(.+\.php)(/.+)$; - fastcgi_index index.php; - try_files $uri /index.php =404; - include /etc/nginx/fastcgi_params; - fastcgi_param SCRIPT_FILENAME $document_root$1; - # fastcgi_pass unix:/var/run/php5-fpm.sock; - fastcgi_pass 127.0.0.1:9000; + location /mirror { + proxy_pass http://c1.ank; } - location /pub { - alias /srv/www/pmwiki/pub; + # ACME challenge + location ^~ /.well-known { + proxy_pass http://wiki.c2.ank; } - location /wiki { - alias /srv/www/pmwiki/; - index pmwiki.php; - try_files $uri $uri/ /pmwiki.php$is_args$args; + + location / { + proxy_pass http://frontpage.c2.ank; } - location ~ ^/wiki(.+\.php)$ { - alias /srv/www/pmwiki; - index pmwiki.php; - fastcgi_split_path_info ^(.+\.php)(/.+)$; - fastcgi_index pmwiki.php; - try_files $uri /pmwiki.php =404; - include /etc/nginx/fastcgi_params; - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - # fastcgi_pass unix:/var/run/php5-fpm.sock; - fastcgi_pass 127.0.0.1:9000; + } + </pre> + + <h3 id="virtual-server">4.3. Setup virtual server</h3> + + <p>Example of pmwiki virtual server, check <a href="conf/etc/nginx/sites-enabled/">/etc/nginx/sites-enabled</a> for the rest of examples mentioned <a href="#default-server">default server</a>. 
If wiki server is running on same machine add following to /etc/hosts;</p> + + <pre> + 127.0.0.1 wiki.c2.ank + </pre> + + <p>Edit /etc/nginx/sites-enabled/wiki.c2.ank.conf;</p> + + <pre> + server { + listen 8080; + server_name wiki.c2.ank; + + access_log syslog:server=unix:/dev/log,facility=daemon,tag=vh_wiki,nohostname main; + error_log syslog:server=unix:/dev/log,facility=daemon,tag=vh_wiki_err,nohostname debug; + + root /srv/www/; + + location /pub { + alias /srv/www/wiki/pub; } # ACME challenge location ^~ /.well-known { allow all; - alias /srv/www/pmwiki/pub/cert/.well-known/; + alias /srv/www/wiki/pub/cert/.well-known/; default_type "text/plain"; try_files $uri =404; } - location / { - alias /srv/www/frontpage/; - index index.html; - try_files $uri $uri/ /index.html$is_args$args; + location @pmwiki { + rewrite ^/wiki/(.*) /wiki/pmwiki.php?n=$1; + } + + location /wiki { + index pmwiki.php; + try_files $uri $uri/ @pmwiki; } + location ~ ^\/wiki(.+\.php)$ { + index pmwiki.php; + fastcgi_split_path_info ^(.+\.php)(/.+)$; + fastcgi_index pmwiki.php; + try_files $uri /pmwiki.php =404; + include /etc/nginx/fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_pass 127.0.0.1:9000; + } } </pre> @@ -452,12 +434,11 @@ <h2 id="logs">6. Logs</h2> <pre> - $ sudo grep "login" /var/log/nginx/access.log - $ sudo grep "etc/passwd" /var/log/nginx/access.log - $ sudo egrep -i "denied|error|warn" /var/log/nginx/error.log + $ sudo grep "login" /var/log/nginx/vhost_access + $ sudo grep "etc/passwd" /var/log/nginx/vhost_access + $ sudo egrep -i "denied|error|warn" /var/log/nginx_error </pre> - <a href="index.html">Tools Index</a> <p>This is part of the Tribu System Documentation. diff --git a/tools/postgresql.html b/tools/postgresql.html index 1fb48c7..141d6c2 100644 --- a/tools/postgresql.html +++ b/tools/postgresql.html 
@@ -26,32 +26,38 @@ # sudo -u postgres initdb -D /srv/pgsql/data </pre> - <h2 id="config">2. Configure Server</h2> + <h3 id="syslog-ng">1.1. Configure syslog-ng</h3> - <h3>2.1. Init script</h3> - - <p>Change <a href="conf/etc/rc.d/postgresql">/etc/rc.d/postgresql</a>;</p> + <p><a href="syslog-ng.html">Configure syslog-ng</a> first, configuration example contains rules for postgresql as is configured in this document.</p> <pre> - # - # /etc/rc.d/postgresql: start, stop or restart PostgreSQL server postmaster - # + destination d_postgres { file("/var/log/pgsql"); }; + filter f_postgres { facility(local0) and program("postgresql)"; }; + log { source(s_src); filter(f_postgres); destination(d_postgres);}; - PG_DATA=/srv/pgsql/data + filter f_messages { level(info,notice,warn) + and not facility(auth,authpriv,cron,daemon,mail,news,local0); }; - case "$1" in - start|stop|status|restart|reload) - sudo -u postgres pg_ctl -D "$PG_DATA" -l /var/log/postgresql "$1" - ;; - *) - echo "usage: $0 start|stop|restart|reload|status" - ;; - esac + filter f_daemon { facility(daemon, local0) + and not filter(f_debug) + and not program("vh_tribu") + and not program("vh_tribu_error");}; + </pre> - # End of file + <p>Create /etc/logrotate.d/postgres;</p> + + <pre> + /var/log/pgsql { + weekly + compress + delaycompress + rotate 10 + notifempty + create 660 postgres postgres + } </pre> - <h3>2.2. Certificates</h3> + <h3 id="gencert">1.2. Certificates</h3> <pre> $ sudo openssl genrsa -des3 -out /etc/ssl/keys/pg.key 2048 
@@ -115,209 +121,231 @@ $ sudo chmod 644 /etc/ssl/certs/pg.cert </pre> - <h3>2.3. Super user password</h3> + <h2 id="server">2. Configure Server</h2> - <p>Create password for super user;</p> + <h3 id="init">2.1. Init script</h3> + + <p>Change <a href="conf/etc/rc.d/postgresql">/etc/rc.d/postgresql</a>;</p> <pre> - # su postgres - $ psql -U postgres + # + # /etc/rc.d/postgresql: start, stop or restart PostgreSQL server postmaster + # + + PG_DATA=/srv/pgsql/data + + case "$1" in + start|stop|status|restart|reload) + sudo -u postgres pg_ctl -D "$PG_DATA" -l /var/log/postgresql "$1" + ;; + *) + echo "usage: $0 start|stop|restart|reload|status" + ;; + esac + + # End of file </pre> - <h3>2.4. Configure postgresql.conf</h3> + <h3 id="config">2.2. Configure postgresql.conf</h3> <p>Edit <a href="conf/srv/pgsql/data/postgresql.conf">/srv/pgsql/data/postgresql.conf</a>;</p> <pre> - # - Security and Authentication - - - #authentication_timeout = 1min # 1s-600s ssl = on # (change requires restart) - #ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers - # (change requires restart) - #ssl_prefer_server_ciphers = on # (change requires restart) - #ssl_ecdh_curve = 'prime256v1' # (change requires restart) ssl_cert_file = '/etc/ssl/certs/pg.crt' # (change requires restart) ssl_key_file = '/etc/ssl/keys/pg.key' # (change requires restart) - #ssl_ca_file = '' # (change requires restart) - #ssl_crl_file = '' # (change requires restart) password_encryption = scram-sha-256 + jit = off + log_destination = 'syslog' + syslog_facility = 'LOCAL0' + log_connections = on + log_disconnections = on + log_duration = on + log_hostname = on + log_line_prefix = 'd=$d u=% %m [%p] ' # special values: </pre> - <h3>2.5. Configure pg_hba.conf</h3> + <h3 id="pass">2.3. 
Super user password</h3> - <p>Edit - <a href="conf/srv/pgsql/data/pg_hba.conf">/srv/pgsql/data/pg_hba.conf</a>; - </p> + <p>Create password for the super user postgres, login to postgresql;</p> <pre> - # TYPE DATABASE USER ADDRESS METHOD - local postgres all trust - host postgres all 127.0.0.1/32 trust - host all all 127.0.0.1/32 scram-sha-256 - host all all 0.0.0.0/0 reject + $ sudo -u postgres psql -U postgres </pre> - <p>Start server and alter postgres password</p> + <p>Create password for postgres user;</p> <pre> - # /etc/rc.d/postgresql start - </pre> - - <pre> - postgres=# alter user postgres with password 'new_password'; + postgres=# \password + Enter new password: + Enter it again: + postgres=# </pre> - <h3 id="syslog">2.6. Configure syslog-ng</h3> + <p>Configure pg_hba.conf in the next step to enforce authentication.</p> - <p><a href="syslog-ng.html">Configure Syslog-ng</a>, check <a href="http://michael.otacoo.com/postgresql-2/postgres-settings-simple-syslog-configuration-with-syslog-ng/">Michael at otacoo</a> article. Example;</p> + <h3 id="pg_hba">2.4. 
Configure pg_hba.conf</h3> - <p>Edit /pgsql/data/<a href="../conf/srv/pgsql/data/postgresql.conf">postgresql.conf</a>;</p> + <p>Edit + <a href="conf/srv/pgsql/data/pg_hba.conf">/srv/pgsql/data/pg_hba.conf</a>; + </p> <pre> - log_destination = 'syslog' # Can specify multiple destinations - syslog_facility='LOCAL0' - syslog_ident='postgres' - log_connections = on - log_disconnections = on - log_duration = on - </pre> - - <p>Create /etc/logrotate.d/postgres;</p> + # TYPE DATABASE USER ADDRESS METHOD - <pre> - /var/log/pgsql { - weekly - compress - delaycompress - rotate 10 - notifempty - create 660 postgres postgres - } + # "local" is for Unix domain socket connections only + local all postgres scram-sha-256 + #local all postgres trust + # IPv4 local connections: + host all postgres 127.0.0.1/32 scram-sha-256 + # IPv6 local connections: + host all postgres ::1/128 scram-sha-256 + # Allow replication connections from localhost, by a user with the + # replication privilege. + local replication postgres scram-sha-256 + host replication postgres 127.0.0.1/32 scram-sha-256 + host replication postgres ::1/128 scram-sha-256 </pre> + <p>Restart server to enforce authentication from now on;</p> <pre> - destination postgres { file("/var/log/pgsql"); }; - filter f_postgres { facility(local0); }; - log { source(s_log); filter(f_postgres); destination(postgres); }; + # /etc/rc.d/postgresql start </pre> + <h2 id="users">3. Manage users</h2> - <h2 id="createuser">3. Create User</h2> + <h3 id="createuser">3.1. Create user - create role</h3> <p>Create a new user with createuser command;</p> <pre> $ sudo -u postgres createuser --pwprompt --encrypted \ - --no-createrole --no-createdb user_example + --no-createrole --no-createdb user_name Enter password for new user: Enter it again: </pre> - <h2 id="createdb">4. Create Database</h2> + <h3 id="dropuser">3.2. 
Remove user - drop role</h3> - <p>Create a new database for new user with createdb command;</p> + <p>Deleting user with dropuser command;</p> <pre> - $ sudo -u postgres createdb --template=template0 --encoding=UTF8 \ - --owner=user_example db_example + sudo -u postgres dropuser user_name </pre> - <h2 id="dropdb">5. Drop Database</h2> + <h3 id="userpass">3.3. Change password</h3> - <p>Deleting database with dropdb command;</p> + <p>Update password of a user;</p> <pre> - sudo -u postgres dropdb db_example + $ sudo -u postgres psql </pre> - <h2 id="dropuser">6. Drop User</h2> + <pre> + postgres=#\password user_name; + </pre> - <p>Deleting user with dropuser command;</p> + <p>This will set password using hash / encryption method selected on postgresql.conf</p> + + <h3 id="listuser">3.4. List users - roles</h3> + + <pre> + $ sudo -u postgres psql + </pre> <pre> - sudo -u postgres dropuser user_example + postgres=# \dg </pre> - <h2 id="psql">7. Psql</h2> + <h2 id="databases">4. Manage databases</h2> - <p>Lets check with psql, login with user postgres;</p> + <h3 id="createdb">4.1. Create database</h3> + + <p>Create a new database named db_name for user_name with createdb command;</p> <pre> - $ sudo -u postgres psql + $ sudo -u postgres createdb --template=template0 --encoding=UTF8 \ + --owner=user_name db_name </pre> - <p>First show help;</p> + <h3 id="dropdb">4.2. Drop database</h3> + + <p>Deleting database with dropdb command;</p> <pre> - postgres=# \? + sudo -u postgres dropdb db_name </pre> - <h3 id="listdb">7.1. List Databases and Roles</h3> + <h3 id="listdb">4.3. List databases</h3> <p>List roles then list databases;</p> <pre> - postgres=# \dg postgres=# \l </pre> - <p>Connect to a datase;</p> + <h3 id="backup">4.4. 
Dump and restore</h3> + + <p>Dump all databases</p> <pre> - postgres=# \c db_example + $ pg_dumpall -U postgres | gzip > cluster_dump.gz </pre> - <p>List tables;</p> + <p>Restore dumpfile of all databases;</p> <pre> - postgres=# \dt + $ gzip -c cluster_dump.gz | psql -U postgres </pre> - <h3 id="psqldb">7.2. Create Database</h3> + <p>Restore a database;</p> <pre> - postgres=# create database db_example_ext owner user_example encoding 'UTF-8' template template0; + $ cat db_name_dump | psql -U user_name -d db_name </pre> - <h3 id="droptables">7.3. Drop All Tables</h3> + <h2 id="psql">5. Psql</h2> - <p>This example assumes that all tables, - are in public schema. First revoke previously granted privileges from one or more roles;</p> + <p>Lets check with psql, login with user postgres;</p> <pre> - postgres=# revoke ALL PRIVILEGES on db_example from user_example; + $ sudo -u postgres psql </pre> - <p>Drop all tables on public schema and recreate public schema;</p> + <p>First show help;</p> <pre> - postgres=# \c db_example - db_example=# drop schema public cascade; - db_example=# create schema public; + postgres=# \? </pre> - <h3 id="userpass">7.4. Change user password</h3> + <p>Connect to a db_name as user_name;</p> - <p>Update password of a user;</p> + <pre> + postgres=# \c db_name user_name + </pre> + + <h3 id="psqldb">5.2. Create Database</h3> <pre> - postgres=# ALTER USER user_example WITH ENCRYPTED PASSWORD 'password'; + postgres=# create database db_name owner user_name encoding 'UTF-8' template template0; </pre> - <h2 id="backup">8. Backup and restore</h3> + <h3 id="droptables">5.3. Drop All Tables</h3> - <h3>8.1. Dump databases</h3> + <p>This example assumes that all tables, + are in public schema. First revoke previously granted privileges from one or more roles;</p> <pre> - $ pg_dumpall -U postgres | gzip > cluster_dump.gz + postgres=# revoke ALL PRIVILEGES on db_name from user_name; </pre> - <h3>8.2. 
Restore</h3> + <p>Drop all tables on public schema and recreate public schema;</p> <pre> - $ gzip -c cluster_dump.gz | psql -U postgres + postgres=# \c db_name + db_name=# drop schema public cascade; + db_name=# create schema public; </pre> <a href="index.html">Tools Index</a> diff --git a/tools/syslog-ng.html b/tools/syslog-ng.html index 324a020..70dc994 100644 --- a/tools/syslog-ng.html +++ b/tools/syslog-ng.html 
@@ -52,6 +52,236 @@ # End of file </pre> + <p>Edit <a href="conf/etc/syslog-ng.conf">/etc/syslog-ng.conf</a> with your logging preferences;</p> + + <pre> + @version: 3.25 + @include "scl.conf" + + # Syslog-ng configuration file, compatible with default Debian syslogd + # installation. + + # First, set some global options. + options { chain_hostnames(off); flush_lines(0); use_dns(no); use_fqdn(no); + owner("root"); group("adm"); perm(0640); stats_freq(0); + bad_hostname("^gconfd$"); + }; + + ######################## + # Sources + ######################## + # This is the default behavior of sysklogd package + # Logs may come from unix stream, but not from another machine. + # + source s_src { + system(); + internal(); + }; + + # If you wish to get logs from remote machine you should uncomment + # this and comment the above source line. + # + #source s_net { tcp(ip(127.0.0.1) port(1000)); }; + + ######################## + # Destinations + ######################## + # First some standard logfile + # + destination d_auth { file("/var/log/auth"); }; + destination d_sudo { file("/var/log/sudo" ); }; + destination d_cron { file("/var/log/cron"); }; + destination d_daemon { file("/var/log/daemon"); }; + destination d_kern { file("/var/log/kernel"); }; + destination d_lpr { file("/var/log/lpr"); }; + destination d_mail { file("/var/log/mail"); }; + destination d_syslog { file("/var/log/syslog-ng"); }; + destination d_user { file("/var/log/user"); }; + destination d_uucp { file("/var/log/uucp"); }; + + # This files are the log come from the mail subsystem. 
+ # + destination d_mailinfo { file("/var/log/mail.info"); }; + destination d_mailwarn { file("/var/log/mail.warn"); }; + destination d_mailerr { file("/var/log/mail.err"); }; + + # Logging for INN news system + # + destination d_newscrit { file("/var/log/news/news.crit"); }; + destination d_newserr { file("/var/log/news/news.err"); }; + destination d_newsnotice { file("/var/log/news/news.notice"); }; + + # Some 'catch-all' logfiles. + # + destination d_debug { file("/var/log/debug"); }; + destination d_error { file("/var/log/error"); }; + destination d_messages { file("/var/log/messages"); }; + + # Custom destinations + destination d_shorewall_warn { file ("/var/log/shorewall/warn"); }; + destination d_shorewall_info { file ("/var/log/shorewall/info"); }; + destination d_dnsmasq { file("/var/log/dnsmasq"); }; + destination d_postgres { file("/var/log/pgsql"); }; + destination d_mysql { file("/var/log/pgsql"); }; + destination d_iptables { file("/var/log/iptables"); }; + destination d_sshd { file("/var/log/sshd"); }; + destination d_gitolite { file("/var/log/gitolite"); }; + destination d_git-daemon { file("/var/log/git-daemon"); }; + destination d_nginx_access { file("/var/log/nginx_access"); }; + destination d_nginx_error { file("/var/log/nginx_error"); }; + destination d_php_fpm { file("/var/log/php-fpm"); }; + destination d_php { file("/var/log/php"); }; + destination d_nginx_vhost { file("/var/log/nginx/vhost_access"); }; + destination d_nginx_vhost_err { file("/var/log/nginx/vhost_error"); }; + + # The root's console. + # + destination d_console { usertty("root"); }; + + # Virtual console. + # + #destination d_console_all { file(`tty10`); }; + destination console { usertty("root"); }; + destination d_console_all { file("/dev/tty12" suppress(5)); }; + destination xconsole { pipe("/dev/xconsole" suppress(5)); }; + + + + # The named pipe /dev/xconsole is for the nsole' utility. 
To use it, + # you must invoke nsole' with the -file' option: + # + # $ xconsole -file /dev/xconsole [...] + # + destination d_xconsole { pipe("/dev/xconsole"); }; + + # Send the messages to an other host + # + #destination d_net { tcp("127.0.0.1" port(1000) log_fifo_size(1000)); }; + + # Debian only + destination d_ppp { file("/var/log/ppp"); }; + + ######################## + # Filters + ######################## + # Here's come the filter options. With this rules, we can set which + # message go where. + + filter f_dbg { level(debug); }; + filter f_info { level(info); }; + filter f_notice { level(notice); }; + filter f_warn { level(warn); }; + filter f_err { level(err); }; + filter f_crit { level(crit .. emerg); }; + + filter f_debug { level(debug) and not facility(auth, authpriv, news, mail); }; + filter f_error { level(err .. emerg) ; }; + filter f_messages { level(info,notice,warn) + and not facility(auth,authpriv,cron,daemon,mail,news,local0); }; + + filter f_auth { facility(auth, authpriv) and not filter(f_debug); }; + filter f_sudo { facility(auth, authpriv) and program("^sudo$"); }; + filter f_cron { facility(cron) and not filter(f_debug);}; + filter f_daemon { facility(daemon, local0) + and not filter(f_debug) + and not program("^php$") + and not program("^nginx_vhost$") + and not program("^nginx_vhost_err$");}; + filter f_kern { facility(kern) and not filter(f_debug); }; + filter f_lpr { facility(lpr) and not filter(f_debug); }; + filter f_local { facility(local0, local1, local3, local4, local5, + local6, local7) and not filter(f_debug); }; + filter f_mail { facility(mail) and not filter(f_debug); }; + filter f_news { facility(news) and not filter(f_debug); }; + filter f_syslog3 { program("^syslog-ng$");}; + filter f_user { facility(user) and not filter(f_debug); }; + filter f_uucp { facility(uucp) and not filter(f_debug); }; + + filter f_cnews { level(notice, err, crit) and facility(news); }; + filter f_cother { level(debug, info, notice, warn) or 
facility(daemon, mail); }; + + filter f_ppp { facility(local2) and not filter(f_debug); }; + filter f_console { level(warn .. emerg); }; + + # custom filters + + filter f_dnsmasq { program("^dnsmasq$"); }; + filter f_postgres { facility(local0) and program("^postgresql$"); }; + filter f_sshd { facility(auth) and program("^sshd$"); }; + + filter f_iptables { facility(kern) and match("iptables" value("MESSAGE")) }; + filter f_shorewall_warn { level (warn) and match ("Shorewall" value("MESSAGE")); }; + filter f_shorewall_info {level (info) and match ("Shorewall" value("MESSAGE")); }; + filter f_gitolite { program("^gitolite$"); }; + filter f_git-daemon { program("^git-daemon$"); }; + filter f_nginx_error { facility(daemon) and program("^nginx$"); }; + filter f_nginx_vhost { facility(daemon) and program("^nginx_vhost$");}; + filter f_nginx_vhost_err { facility(daemon) and program("^nginx_vhost_err$");}; + filter f_php_fpm { facility(daemon) and program("^php-fpm$");}; + filter f_php { facility(daemon) and program("^php$");}; + + # custom logs + log { source(s_src); filter(f_php_fpm); destination(d_php_fpm); }; + log { source(s_src); filter(f_php); destination(d_php); }; + log { source(s_src); filter(f_nginx_vhost); destination(d_nginx_vhost); }; + log { source(s_src); filter(f_nginx_vhost_err); destination(d_nginx_vhost_err); }; + log { source(s_src); filter(f_sshd); destination(d_sshd);}; + log { source (s_src); filter (f_iptables); destination (d_iptables);}; + log { source (s_src); filter (f_shorewall_warn); destination (d_shorewall_warn);}; + log { source (s_src); filter (f_shorewall_info); destination (d_shorewall_info);}; + log { source(s_src); filter(f_dnsmasq); destination(d_dnsmasq);}; + log { source(s_src); filter(f_postgres); destination(d_postgres);}; + log { source(s_src); filter(f_gitolite); destination(d_gitolite);}; + log { source(s_src); filter(f_git-daemon); destination(d_git-daemon);}; + log { source(s_src); filter(f_nginx_error); 
destination(d_nginx_error);}; + + ######################## + # Log paths + ######################## + log { source(s_src); filter(f_auth); destination(d_auth); }; + log { source(s_src); filter(f_sudo); destination(d_sudo); }; + log { source(s_src); filter(f_cron); destination(d_cron); }; + log { source(s_src); filter(f_daemon); destination(d_daemon); }; + log { source(s_src); filter(f_kern); destination(d_kern); }; + log { source(s_src); filter(f_lpr); destination(d_lpr); }; + log { source(s_src); filter(f_user); destination(d_user); }; + log { source(s_src); filter(f_uucp); destination(d_uucp); }; + + log { source(s_src); filter(f_mail); destination(d_mail); }; + log { source(s_src); filter(f_mail); filter(f_info); destination(d_mailinfo); }; + log { source(s_src); filter(f_mail); filter(f_warn); destination(d_mailwarn); }; + log { source(s_src); filter(f_mail); filter(f_err); destination(d_mailerr); }; + + log { source(s_src); filter(f_news); filter(f_crit); destination(d_newscrit); }; + log { source(s_src); filter(f_news); filter(f_err); destination(d_newserr); }; + log { source(s_src); filter(f_news); filter(f_notice); destination(d_newsnotice); }; + #log { source(s_src); filter(f_cnews); destination(d_console_all); }; + #log { source(s_src); filter(f_cother); destination(d_console_all); }; + + #log { source(s_src); filter(f_ppp); destination(d_ppp); }; + + log { source(s_src); filter(f_debug); destination(d_debug); }; + log { source(s_src); filter(f_error); destination(d_error); }; + log { source(s_src); filter(f_messages); destination(d_messages); }; + log { source(s_src); filter(f_syslog3); destination(d_syslog); }; + log { source(s_src); filter(f_console); destination(d_console_all); + destination(d_xconsole); }; + log { source(s_src); filter(f_crit); destination(d_console); }; + + # + # + # All messages send to a remote site + # + #log { source(s_src); destination(d_net); }; + + ### + # Include all config files in /etc/syslog-ng/conf.d/ + ### + @include 
"/etc/syslog-ng/conf.d/*.conf" + </pre> + + <p>Restart daemon;</p> + <pre> $ sudo sh /etc/rc.d/syslog-ng start $ sudo sh /etc/rc.d/sysklogd stop |
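Review bot: the restore command in 4.4, `$ gzip -c cluster_dump.gz | psql -U postgres`, recompresses the dump instead of decompressing it; it should read `gunzip -c cluster_dump.gz | psql -U postgres` (or `zcat`). Further in this hunk: the new pg_hba.conf only carries entries for the postgres role, so the later `postgres=# \c db_name user_name` (section 5) and any client connecting as user_name will be refused with a "no pg_hba.conf entry" error until a `local`/`host` line for that role (or for `all` users) is added; the prose says "Restart server" but the command is `/etc/rc.d/postgresql start`, which does not restart a running instance; the pg_hba.conf link changed from `../conf/...` to `conf/...`, which looks like a broken relative path; 4.3 still says "List roles then list databases" although `\dg` was moved to 3.4; `\password user_name;` does not need the trailing semicolon on a psql meta-command; and the Psql section numbering jumps from 5. to 5.2. The `log_destination = 'syslog'` / `syslog_ident='postgres'` block and the logrotate stanza removed here are what the syslog-ng page's `f_postgres` filter relies on, so say where they moved to or readers lose the end-to-end logging setup.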
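Review bot: `destination d_mysql { file("/var/log/pgsql"); };` points the MySQL destination at the PostgreSQL log file; no log statement uses it yet, but it should be `/var/log/mysql` or dropped. Also in this hunk: `filter f_iptables { facility(kern) and match("iptables" value("MESSAGE")) };` lacks the semicolon before the closing brace that every other filter definition has, so syslog-ng will reject the file on start; `filter f_postgres` matches `program("^postgresql$")` while the postgresql.conf block removed in the other file set `syslog_ident='postgres'`, so the two have to agree or nothing reaches /var/log/pgsql; `d_console`/`console` and `d_xconsole`/`xconsole` define the same destinations twice and only one of each pair is referenced; the identifiers `d_git-daemon` and `f_git-daemon` contain a hyphen, unlike every other name here, and should be checked against the syslog-ng identifier grammar; and because `f_daemon` includes `facility(local0)`, everything PostgreSQL sends on local0 is also written to /var/log/daemon, which may not be intended. The `owner("root"); group("adm"); perm(0640)` defaults and the commented-out `s_net`/`d_net` remote transport are a sound local-only baseline.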