diff options
| author | Silvino Silva <silvino@bk.ru> | 2020-02-07 03:41:45 +0000 |
|---|---|---|
| committer | Silvino Silva <silvino@bk.ru> | 2020-02-15 00:56:46 +0000 |
| commit | a947a31ede27fdf995e0a63e766fcd68eb491426 (patch) | |
| tree | 74c749814fc91a22148b637b90507c78c56e02c8 /tools/conf | |
| parent | ac7c572733282e49801b16531d841682e3ab1b5a (diff) | |
| download | doc-a947a31ede27fdf995e0a63e766fcd68eb491426.tar.gz | |
System configuration update
Diffstat (limited to 'tools/conf')
27 files changed, 966 insertions, 542 deletions
diff --git a/tools/conf/etc/dnsmasq.conf b/tools/conf/etc/dnsmasq.conf index c7dd4cd..b6267fa 100644 --- a/tools/conf/etc/dnsmasq.conf +++ b/tools/conf/etc/dnsmasq.conf @@ -69,7 +69,7 @@ no-poll # Add other name servers here, with domain specs if they are for # non-public domains. #server=/localnet/192.168.0.1 -#server=127.0.0.1#40 +#server=10.0.0.4#40 #server=213.73.91.35 #server=37.235.1.174 #server=84.200.69.80 @@ -89,7 +89,6 @@ local=/ank/ # The example below send any host in double-click.net to a local # web-server. address=/tribu.semdestino.org/10.0.0.4 -#address=/tribu.semdestino.org/192.168.1.5 #host-record=tribu.semdestino.org,10.0.0.4 #host-record=tribu.semdestino.org,192.168.1.67 @@ -128,9 +127,9 @@ interface=wlp7s0 #except-interface=wlp7s0 #except-interface=enp8s0 -# Or which to listen on by address (remember to include 127.0.0.1 if +# Or which to listen on by address (remember to include 10.0.0.4 if # you use this.) -#listen-address=127.0.0.1 +#listen-address=10.0.0.4 #listen-address=10.0.0.254 #listen-address=192.168.1.33 @@ -178,11 +177,17 @@ dhcp-option=15,ank # Same idea, but range rather then subnet #domain=reserved.thekelleys.org.uk,192.68.3.100,192.168.3.200 -#address=/.akamai.net/127.0.0.1 -address=/.firefox.com/127.0.0.1 -#address=/.google.com/127.0.0.1 -address=/.stripe.com/127.0.0.1 -address=/.mozilla.com/127.0.0.1 +address=/.akamai.net/10.0.0.4 +address=/.akamaitechnologies.com/10.0.0.4 +address=/.firefox.com/10.0.0.4 +#address=/.google.com/10.0.0.4 +address=/.stripe.com/10.0.0.4 +address=/.mozilla.com/10.0.0.4 +address=/.amazonaws.com/10.0.0.4 +address=/.amazontrust.com/10.0.0.4 +address=/.1e100.net/10.0.0.4 +address=/.1e100.net/10.0.0.4 +address=/.ank.sec-t4net-srv/10.0.0.4 # Uncomment this to enable the integrated DHCP server, you need # to supply the range of addresses available for lease and optionally diff --git a/tools/conf/etc/logrotate.conf b/tools/conf/etc/logrotate.conf index 896b779..636dffb 100644 --- a/tools/conf/etc/logrotate.conf +++ b/tools/conf/etc/logrotate.conf @@ -9,13 +9,10 @@ rotate 4 create # uncomment this if you want your log files compressed -compress +#compress olddir /var/log/old - -notifempty - -maxsize 5M +maxsize 1M # some packages can drop log rotation information into # this directory @@ -23,111 +20,297 @@ include /etc/logrotate.d # few generic files to rotate /var/log/wtmp { + monthly create 0644 root root - rotate 5 + rotate 1 } /var/log/btmp { + monthly create 0600 root root - rotate 5 + rotate 1 } # system-specific logs may be also be configured here. -/var/log/faillog { - maxsize 5M +/var/log/auth { + missingok + notifempty + compress + delaycompress + sharedscripts + postrotate + /etc/init.d/syslog-ng reload + endscript } -/var/log/lastlog { - maxsize 5M +/var/log/sudo { + missingok + notifempty + compress + delaycompress + sharedscripts + postrotate + /etc/init.d/syslog-ng reload + endscript } -/var/log/auth { - create 0644 root root - rotate 5 - sharedscripts +/var/log/cron { + missingok + notifempty + compress + delaycompress + sharedscripts + postrotate + /etc/init.d/syslog-ng reload + endscript +} + +/var/log/daemon { + rotate 7 + missingok + notifempty + compress + delaycompress + sharedscripts + postrotate + /etc/init.d/syslog-ng reload + endscript +} + +/var/log/debug { + missingok + notifempty + compress + delaycompress + sharedscripts + postrotate + /etc/init.d/syslog-ng reload + endscript +} + +/var/log/error { + missingok + notifempty + compress + delaycompress + sharedscripts + postrotate + /etc/init.d/syslog-ng reload + endscript +} + +/var/log/iptables { + # uncomment this if you want your log files compressed + delaycompress + compress postrotate - if [ -f /var/run/syslog-ng.pid ]; then \ - kill -HUP `cat /var/run/syslog-ng.pid`; \ - fi; + /etc/rc.d/syslog-ng reload >/dev/null endscript } -/var/log/cron { - create 0644 root root - rotate 5 - sharedscripts +/var/log/kernel { + missingok + notifempty + compress + delaycompress + sharedscripts + postrotate + /etc/init.d/syslog-ng reload + endscript +} + +/var/log/lpr { + missingok + notifempty + compress + delaycompress + sharedscripts + postrotate + /etc/init.d/syslog-ng reload + endscript +} + +/var/log/mail.err { + missingok + notifempty + compress + delaycompress + sharedscripts + postrotate + /etc/init.d/syslog-ng reload + endscript +} + +/var/log/mail.info { + missingok + notifempty + compress + delaycompress + sharedscripts + postrotate + /etc/init.d/syslog-ng reload + endscript +} + +/var/log/mail { + missingok + notifempty + compress + delaycompress + sharedscripts + postrotate + /etc/init.d/syslog-ng reload + endscript +} + +/var/log/mail.warn { + missingok + notifempty + compress + delaycompress + sharedscripts + postrotate + /etc/init.d/syslog-ng reload + endscript +} + +/var/log/messages { + missingok + notifempty + compress + delaycompress + sharedscripts + postrotate + /etc/init.d/syslog-ng reload + endscript +} + + +/var/log/user { + missingok + notifempty + compress + delaycompress + sharedscripts + postrotate + /etc/init.d/syslog-ng reload + endscript +} + +/var/log/uucp { + missingok + notifempty + compress + delaycompress + sharedscripts + postrotate + /etc/init.d/syslog-ng reload + endscript +} + +/var/log/syslog-ng { + rotate 7 + daily + compress + delaycompress + sharedscripts + postrotate + /etc/init.d/syslog-ng reload + endscript +} + +/var/log/dnsmasq { + # uncomment this if you want your log files compressed + delaycompress + compress postrotate - if [ -f /var/run/syslog-ng.pid ]; then \ - kill -HUP `cat /var/run/syslog-ng.pid`; \ - fi; + /etc/rc.d/syslog-ng reload >/dev/null endscript } -/var/log/debug { +/var/log/pgsql { + # create new (empty) log files after rotating old ones create 0644 root root - rotate 5 - sharedscripts + # uncomment this if you want your log files compressed + delaycompress + compress + notifempty + maxsize 5M postrotate - if [ -f /var/run/syslog-ng.pid ]; then \ - kill -HUP `cat /var/run/syslog-ng.pid`; \ - fi; + /etc/rc.d/syslog-ng reload >/dev/null endscript } -/var/log/kernel { - rotate 5 - create 0644 root root - sharedscripts +/var/log/git-daemon { + # uncomment this if you want your log files compressed + delaycompress + compress postrotate - if [ -f /var/run/syslog-ng.pid ]; then \ - kill -HUP `cat /var/run/syslog-ng.pid`; \ - fi; + /etc/rc.d/syslog-ng reload >/dev/null endscript } -/var/log/daemon { +/var/log/gitolite { + # uncomment this if you want your log files compressed + delaycompress + compress + postrotate + /etc/rc.d/syslog-ng reload >/dev/null + endscript +} + +/var/log/php-fpm { + # uncomment this if you want your log files compressed + delaycompress compress - rotate 5 - create 644 root root - sharedscripts postrotate - if [ -f /var/run/syslog-ng.pid ]; then \ - kill -HUP `cat /var/run/syslog-ng.pid`; \ - fi; + /etc/rc.d/syslog-ng reload >/dev/null endscript +} +/var/log/php { + # uncomment this if you want your log files compressed + delaycompress + compress + postrotate + /etc/rc.d/syslog-ng reload >/dev/null + endscript } -/var/log/messages { - rotate 5 - create 0644 root root - sharedscripts +/var/log/nginx_access { + # uncomment this if you want your log files compressed + delaycompress + compress postrotate - if [ -f /var/run/syslog-ng.pid ]; then \ - kill -HUP `cat /var/run/syslog-ng.pid`; \ - fi; + /etc/rc.d/syslog-ng reload >/dev/null endscript } -/var/log/mail { - create 0644 root root - rotate 5 - sharedscripts +/var/log/nginx_error { + # uncomment this if you want your log files compressed + delaycompress + compress postrotate - if [ -f /var/run/syslog-ng.pid ]; then \ - kill -HUP `cat /var/run/syslog-ng.pid`; \ - fi; + /etc/rc.d/syslog-ng reload >/dev/null endscript } -/var/log/user { - create 0644 root root - rotate 5 - sharedscripts +/var/log/nginx/tribu_error.log { + # uncomment this if you want your log files compressed + delaycompress + compress + olddir /var/log/old/nginx postrotate - if [ -f /var/run/syslog-ng.pid ]; then \ - kill -HUP `cat /var/run/syslog-ng.pid`; \ - fi; + /etc/rc.d/syslog-ng reload >/dev/null endscript } +/var/log/nginx/tribu_access.log { + # uncomment this if you want your log files compressed + delaycompress + compress + olddir /var/log/old/nginx + postrotate + /etc/rc.d/syslog-ng reload >/dev/null + endscript +} diff --git a/tools/conf/etc/logrotate.d/dnsmasq b/tools/conf/etc/logrotate.d/dnsmasq deleted file mode 100644 index 3151ddc..0000000 --- a/tools/conf/etc/logrotate.d/dnsmasq +++ /dev/null @@ -1,11 +0,0 @@ -/var/log/dnsmasq { - weekly - create 0644 root root - rotate 5 - sharedscripts - postrotate - if [ -f /var/run/syslog-ng.pid ]; then \ - kill -HUP `cat /var/run/syslog-ng.pid`; \ - fi; - endscript -} diff --git a/tools/conf/etc/logrotate.d/gitolite b/tools/conf/etc/logrotate.d/gitolite deleted file mode 100644 index 547d6b6..0000000 --- a/tools/conf/etc/logrotate.d/gitolite +++ /dev/null @@ -1,12 +0,0 @@ -/var/log/gitolite { - rotate 5 - monthly - create 0644 root root - sharedscripts - postrotate - if [ -f /var/run/syslog-ng.pid ]; then \ - kill -HUP `cat /var/run/syslog-ng.pid`; \ - fi; - endscript - -} diff --git a/tools/conf/etc/logrotate.d/letsencrypt b/tools/conf/etc/logrotate.d/letsencrypt new file mode 100644 index 0000000..ce73ebc --- /dev/null +++ b/tools/conf/etc/logrotate.d/letsencrypt @@ -0,0 +1,7 @@ +/var/log/letsencrypt/*.log { + # uncomment this if you want your log files compressed + delaycompress + compress + olddir /var/log/old/letsencrypt + notifempty +} diff --git a/tools/conf/etc/logrotate.d/nginx b/tools/conf/etc/logrotate.d/nginx deleted file mode 100644 index ae05445..0000000 --- a/tools/conf/etc/logrotate.d/nginx +++ /dev/null @@ -1,23 +0,0 @@ -/var/log/nginx/access.log { - weekly - create 0664 root www - rotate 5 - sharedscripts - postrotate - if [ -f /var/run/syslog-ng.pid ]; then \ - kill -HUP `cat /var/run/syslog-ng.pid`; \ - fi; - endscript -} - -/var/log/nginx/error.log { - weekly - create 0644 root root - rotate 5 - sharedscripts - postrotate - if [ -f /var/run/syslog-ng.pid ]; then \ - kill -HUP `cat /var/run/syslog-ng.pid`; \ - fi; - endscript -} diff --git a/tools/conf/etc/logrotate.d/php-fpm b/tools/conf/etc/logrotate.d/php-fpm deleted file mode 100644 index c778658..0000000 --- a/tools/conf/etc/logrotate.d/php-fpm +++ /dev/null @@ -1,5 +0,0 @@ -/var/log/php-fpm.log { - rotate 5 - monthly - create 0644 root root -} diff --git a/tools/conf/etc/logrotate.d/postgres b/tools/conf/etc/logrotate.d/postgres deleted file mode 100644 index fc59aad..0000000 --- a/tools/conf/etc/logrotate.d/postgres +++ /dev/null @@ -1,17 +0,0 @@ -/var/log/pgsql { - weekly - compress - delaycompress - rotate 10 - notifempty - create 660 postgres postgres - sharedscripts - postrotate - if [ -f /var/run/syslog-ng.pid ]; then \ - kill -HUP `cat /var/run/syslog-ng.pid`; \ - fi; - endscript - -} - - diff --git a/tools/conf/etc/logrotate.d/postgresql b/tools/conf/etc/logrotate.d/postgresql new file mode 100644 index 0000000..8c16bfa --- /dev/null +++ b/tools/conf/etc/logrotate.d/postgresql @@ -0,0 +1,10 @@ +# this log is only used by postgresql at startup +# before start using syslog so there is no need +# to reload syslog-ng or syslog-ng +/var/log/postgresql { + # uncomment this if you want your log files compressed + delaycompress + compress + notifempty + create 664 postgres postgres +} diff --git a/tools/conf/etc/nginx/nginx.conf b/tools/conf/etc/nginx/nginx.conf index 8fca293..1339275 100644 --- a/tools/conf/etc/nginx/nginx.conf +++ b/tools/conf/etc/nginx/nginx.conf @@ -6,36 +6,36 @@ user www; worker_processes auto; -error_log /var/log/nginx/error.log; +error_log syslog:server=unix:/dev/log debug; pid /var/run/nginx.pid; - events { worker_connections 1024; } - http { include mime.types; default_type application/octet-stream; - #log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - # '$status $body_bytes_sent "$http_referer" ' - # '"$http_user_agent" "$http_x_forwarded_for"'; - - access_log /var/log/nginx/access.log; - error_log /var/log/nginx/error.log; + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; sendfile on; #tcp_nopush on; - client_max_body_size 8M; - keepalive_timeout 65; - client_body_timeout 12; - client_header_timeout 12; - send_timeout 65; + # Allow attach iso to wiki + #client_max_body_size 8M; + client_max_body_size 30M; + #keepalive_timeout 65; + keepalive_timeout 120; + #client_body_timeout 12; + client_body_timeout 24; + #client_header_timeout 12; + client_header_timeout 24; + send_timeout 65; gzip on; gzip_vary on; @@ -45,88 +45,6 @@ http { # gzip_http_version 1.1; gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; - - include /etc/nginx/conf.d/*.conf; include /etc/nginx/sites-enabled/*.conf; - - #server { - # listen 80; - # server_name localhost; - # - # #charset koi8-r; - # - # location / { - # root html; - # index index.html index.htm; - # } - # - # error_page 404 /404.html; - # - # # redirect server error pages to the static page /50x.html - # # - # error_page 500 502 503 504 /50x.html; - # location = /50x.html { - # root html; - # } - # - # # proxy the PHP scripts to Apache listening on 127.0.0.1:80 - # # - # #location ~ \.php$ { - # # proxy_pass http://127.0.0.1; - # #} - # - # # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 - # # - # #location ~ \.php$ { - # # root html; - # # fastcgi_pass 127.0.0.1:9000; - # # fastcgi_index index.php; - # # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name; - # # include fastcgi_params; - # #} - # - # # deny access to .htaccess files, if Apache's document root - # # concurs with nginx's one - # # - # #location ~ /\.ht { - # # deny all; - # #} - #} - - - # another virtual host using mix of IP-, name-, and port-based configuration - # - #server { - # listen 8000; - # listen somename:8080; - # server_name somename alias another.alias; - - # location / { - # root html; - # index index.html index.htm; - # } - #} - - - # HTTPS server - # - #server { - # listen 443 ssl; - # server_name localhost; - - # ssl_certificate cert.pem; - # ssl_certificate_key cert.key; - - # ssl_session_cache shared:SSL:1m; - # ssl_session_timeout 5m; - - # ssl_ciphers HIGH:!aNULL:!MD5; - # ssl_prefer_server_ciphers on; - - # location / { - # root html; - # index index.html index.htm; - # } - #} - } +# End of file diff --git a/tools/conf/etc/nginx/sites-enabled/default.conf b/tools/conf/etc/nginx/sites-enabled/default.conf index c35b0cd..fb9fb8e 100644 --- a/tools/conf/etc/nginx/sites-enabled/default.conf +++ b/tools/conf/etc/nginx/sites-enabled/default.conf @@ -1,15 +1,13 @@ server { + server_name tribu.semdestino.org; -#listen 443 ssl http2; - listen 443 ssl; + listen 80 default_server; + listen 443 ssl default_server; -# listen 80; - server_name machine.example; + ssl_certificate /etc/letsencrypt/live/tribu.semdestino.org/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/tribu.semdestino.org/privkey.pem; + ssl_trusted_certificate /etc/letsencrypt/live/tribu.semdestino.org/chain.pem; -# listen [::]:443 ssl http2; - ssl_certificate /etc/letsencrypt/live/machine.example/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/machine.example/privkey.pem; - ssl_trusted_certificate /etc/letsencrypt/live/machine.example/chain.pem; ssl_session_timeout 1d; ssl_session_cache shared:SSL:50m; ssl_session_tickets off; @@ -20,84 +18,62 @@ server { ssl_stapling on; ssl_stapling_verify on; - access_log /var/log/nginx/access.log; - error_log /var/log/nginx/error.log; + access_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_vhost,nohostname main; + error_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_vhost_err,nohostname debug; - - root /srv/www; - - location /ports/distfiles { - alias /usr/ports/distfiles; - } - - location /ports/packages { - alias /usr/ports/distfiles; - } + root /etc/html/; location /doc { alias /srv/www/doc; index index.html; } - location /git/static { -# static files (png/css) served from /usr/share/gitweb/static - alias /srv/www/gitweb/static; - expires 30d; + location /pub { + proxy_pass http://wiki.c2.ank:8080; + } + + location /wiki { + proxy_pass http://wiki.c2.ank:8080; } location /git { - alias /srv/www/gitweb; - index gitweb.cgi; - fastcgi_split_path_info ^/git()(/?.+)$; - fastcgi_param GITWEB_CONFIG /etc/gitweb.conf; - fastcgi_param DOCUMENT_ROOT /srv/www/gitweb; - fastcgi_param SCRIPT_NAME /gitweb.cgi$fastcgi_path_info; - - include fastcgi_params; - fastcgi_pass unix:/var/run/fcgiwrap.sock; + proxy_pass http://git.c2.ank:8080; + } + + location /forum { + proxy_pass http://forum.c2.ank:8080; } location /task { - index index.php; - alias /srv/www/flyspray; - try_files $uri $uri/ index.php$is_args$args; + proxy_pass http://task.c2.ank:8080; } - location ~ ^/task(.+\.php)$ { ### This location block was the solution - alias /srv/www/flyspray; - fastcgi_split_path_info ^(.+\.php)(/.+)$; - fastcgi_index index.php; - try_files $uri /index.php =404; - include /etc/nginx/fastcgi_params; - fastcgi_param SCRIPT_FILENAME $document_root$1; -# fastcgi_pass unix:/var/run/php5-fpm.sock; - fastcgi_pass 127.0.0.1:9000; + location /shop { + proxy_pass http://shop.c2.ank:8080; } - location / { - alias /srv/www/pmwiki/; - index pmwiki.php; - try_files $uri $uri/ /pmwiki.php$is_args$args; + location /email { + proxy_pass http://email.c2.ank:8080; } -# ACME challenge - location ^~ /.well-known { - allow all; - alias /srv/www/pmwiki/pub/cert/.well-known/; - default_type "text/plain"; - try_files $uri =404; + location /mirror { + proxy_pass http://c1.ank; } + location /awstats { + proxy_pass http://awstats.c2.ank:8080; + } + + location /stats { + proxy_pass http://stats.c2.ank:8080; + } - location ~ \.php$ { - alias /srv/www/pmwiki; - index pmwiki.php; - fastcgi_split_path_info ^(.+\.php)(/.+)$; - fastcgi_index pmwiki.php; - try_files $uri /pmwiki.php =404; - include /etc/nginx/fastcgi_params; - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; -# fastcgi_pass unix:/var/run/php5-fpm.sock; - fastcgi_pass 127.0.0.1:9000; + # ACME challenge + location ^~ /.well-known { + proxy_pass http://wiki.c2.ank; + } + + location / { + proxy_pass http://frontpage.c2.ank; } } diff --git a/tools/conf/etc/nginx/sites-enabled/email.c2.ank.conf b/tools/conf/etc/nginx/sites-enabled/email.c2.ank.conf new file mode 100644 index 0000000..3ae544c --- /dev/null +++ b/tools/conf/etc/nginx/sites-enabled/email.c2.ank.conf @@ -0,0 +1,61 @@ +server { + listen 8080; + server_name email.c2.ank; + +#access_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_git,nohostname main; +#error_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_git_err,nohostname debug; +#access_log /var/log/nginx/roundcube_access.log; +#error_log /var/log/nginx/roundcube_error.log; + + + + location /email { + alias /srv/www/email; + index index.php; + autoindex off; + } + +# Favicon + location ~ ^/email/favicon.ico$ { + root /srv/www/email/skins/classic/images; + log_not_found off; + access_log off; + expires max; + } +# Robots file + location ~ ^/email/robots.txt { + allow all; + log_not_found off; + access_log off; + } +# Deny Protected directories + location ~ ^/email/(config|temp|logs)/ { + deny all; + } + location ~ ^/email/(README|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ { + deny all; + } + location ~ ^/email/(bin|SQL)/ { + deny all; + } +# Hide .md files + location ~ ^/email/(.+\.md)$ { + deny all; + } +# Hide all dot files + location ~ ^/email/\. { + deny all; + access_log off; + log_not_found off; + } + + location ~ /email/.*\.php { + alias /srv/www/email; + fastcgi_split_path_info ^(.+\.php)(/.+)$; + fastcgi_index index.php; + try_files $uri /index.php =404; + include /etc/nginx/fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_pass 127.0.0.1:9000; + } +} diff --git a/tools/conf/etc/nginx/sites-enabled/forum.c2.ank.conf b/tools/conf/etc/nginx/sites-enabled/forum.c2.ank.conf new file mode 100644 index 0000000..2ed362a --- /dev/null +++ b/tools/conf/etc/nginx/sites-enabled/forum.c2.ank.conf @@ -0,0 +1,26 @@ +server { + listen 8080; + server_name forum.c2.ank; + + #access_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_forum,nohostname main; + #error_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_forum_err,nohostname debug; + + root /srv/www/; + + location /forum { + index index.php; + alias /srv/www/forum; + try_files $uri $uri/ index.php$is_args$args; + } + + location ~ ^/forum(.+\.php)$ { ### This location block was the solution + alias /srv/www/forum; + fastcgi_split_path_info ^(.+\.php)(/.+)$; + fastcgi_index index.php; + try_files $uri /index.php =404; + include /etc/nginx/fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$1; +# fastcgi_pass unix:/var/run/php5-fpm.sock; + fastcgi_pass 127.0.0.1:9000; + } +} diff --git a/tools/conf/etc/nginx/sites-enabled/git.c2.ank.conf b/tools/conf/etc/nginx/sites-enabled/git.c2.ank.conf new file mode 100644 index 0000000..56e6412 --- /dev/null +++ b/tools/conf/etc/nginx/sites-enabled/git.c2.ank.conf @@ -0,0 +1,28 @@ +server { + listen 8080; + server_name git.c2.ank; + + #access_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_git,nohostname main; + #error_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_git_err,nohostname debug; + + #access_log /var/log/nginx/git main; + #error_log /var/log/nginx/git_error debug; + + root /srv/www/; + + location /git/static { + # static files (png/css) served from /usr/share/gitweb/static + alias /srv/www/gitweb/static; + } + + location /git { + alias /srv/www/gitweb; + index gitweb.cgi; + fastcgi_split_path_info ^/git()(/?.+)$; + fastcgi_param GITWEB_CONFIG /etc/gitweb.conf; + fastcgi_param DOCUMENT_ROOT /srv/www/gitweb; + fastcgi_param SCRIPT_NAME /gitweb.cgi$fastcgi_path_info; + include fastcgi_params; + fastcgi_pass unix:/var/run/fcgiwrap.sock; + } +} diff --git a/tools/conf/etc/nginx/sites-enabled/git.localhost.conf b/tools/conf/etc/nginx/sites-enabled/git.localhost.conf deleted file mode 100644 index 910df66..0000000 --- a/tools/conf/etc/nginx/sites-enabled/git.localhost.conf +++ /dev/null @@ -1,25 +0,0 @@ -server { - listen 443 ssl; - - server_name git.localhost git.machine.example git.machine.example.org; - - root /srv/www/gitweb; - - location /static/ { - # static files (png/css) served from /usr/share/gitweb/static - root /usr/share/gitweb ; - expires 30d; - } - - location / { - index gitweb.cgi - fastcgi_param GITWEB_CONFIG /etc/gitweb.conf; - fastcgi_param DOCUMENT_ROOT /srv/www/gitweb/; - fastcgi_param SCRIPT_NAME /gitweb.cgi$fastcgi_path_info; - fastcgi_split_path_info ^()(/?.+)$; - - include fastcgi_params; - fastcgi_pass unix:/var/run/fcgiwrap.sock; - } - -} diff --git a/tools/conf/etc/nginx/sites-enabled/shop.c2.ank.conf b/tools/conf/etc/nginx/sites-enabled/shop.c2.ank.conf new file mode 100644 index 0000000..3a0aea1 --- /dev/null +++ b/tools/conf/etc/nginx/sites-enabled/shop.c2.ank.conf @@ -0,0 +1,84 @@ +server { + listen 8080; + server_name shop.c2.ank; + + + location ~ ^/shop/admin { + alias /srv/www/shop/upload/admin; + index index.php; + + location ~ ^/shop/admin/config.php { + deny all; + } + + location ~ \.php$ { + include /etc/nginx/fastcgi_params; + fastcgi_param SCRIPT_FILENAME $request_filename$1; + fastcgi_pass 127.0.0.1:9000; + } + } + + location ^~ /shop { + alias /srv/www/shop/upload; + index index.php; + #try_files $uri $uri/ index.php$is_args$args; + #try_files index.php @opencart; + + location ~ ^/shop/upload/image/data { + autoindex on; + } + + location ~ ^/shop/config.php { + deny all; + } + + + location ~ ^/shop/admin/config.php { + deny all; + } + +# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac). +# + location ~ ^/shop/\. { + deny all; + access_log off; + log_not_found off; + } + location ~ ^/shop/\.(jpg|jpeg|png|gif|css|js|ico)$ { + expires max; + log_not_found off; + } + + location ~ \.php$ { + include /etc/nginx/fastcgi_params; + fastcgi_param SCRIPT_FILENAME $request_filename$1; + fastcgi_pass 127.0.0.1:9000; + #fastcgi_split_path_info ^(.+\.php)(/.+)$; + #fastcgi_split_path_info ^(.+\.php)(.*)$; + #fastcgi_index index.php; + #try_files $uri /index.php =404; + # fastcgi_pass unix:/var/run/php5-fpm.sock; + } + + } + + +location @tribushop { + rewrite ^/shop/(.+)$ /shop/index.php?_route_=$1 last; + } + + location /shop/engine { + deny all; + } + + location ~ ^/shop/library { + deny all; + } + + # Make sure files with the following extensions do not + # get loaded by nginx because nginx would display the + # source code, and these files can contain PASSWORDS! + location ~ ^/shop/\.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|.*ini|theme|tpl(\.php)?|xtmpl)$|^(\..*|Entries.*|Repository|Root|Tag|Template)$|\.php_ { + deny all; + } +} diff --git a/tools/conf/etc/nginx/sites-enabled/task.c2.ank.conf b/tools/conf/etc/nginx/sites-enabled/task.c2.ank.conf new file mode 100644 index 0000000..2d62e96 --- /dev/null +++ b/tools/conf/etc/nginx/sites-enabled/task.c2.ank.conf @@ -0,0 +1,21 @@ +server { + listen 8080; + server_name task.c2.ank; + + location /task { + index index.php; + alias /srv/www/task; + try_files $uri $uri/ index.php$is_args$args; + } + + location ~ ^/task(.+\.php)$ { ### This location block was the solution + alias /srv/www/task; + fastcgi_split_path_info ^(.+\.php)(/.+)$; + fastcgi_index index.php; + try_files $uri /index.php =404; + include /etc/nginx/fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$1; +# fastcgi_pass unix:/var/run/php5-fpm.sock; + fastcgi_pass 127.0.0.1:9000; + } +} diff --git a/tools/conf/etc/nginx/sites-enabled/wiki.c2.ank.conf b/tools/conf/etc/nginx/sites-enabled/wiki.c2.ank.conf new file mode 100644 index 0000000..1504fa1 --- /dev/null +++ b/tools/conf/etc/nginx/sites-enabled/wiki.c2.ank.conf @@ -0,0 +1,43 @@ +server { + listen 8080; + server_name wiki.c2.ank; + + #access_log syslog:server=unix:/dev/log,facility=daemon,tag=vh_tribu,nohostname main; + #error_log syslog:server=unix:/dev/log,facility=daemon,tag=vh_tribu_err,nohostname debug; + + #access_log /var/log/nginx/wiki main; + #error_log /var/log/nginx/wiki_error debug; + + root /srv/www/; + + location /pub { + alias /srv/www/wiki/pub; + } + # ACME challenge + location ^~ /.well-known { + allow all; + alias /srv/www/wiki/pub/cert/.well-known/; + default_type "text/plain"; + try_files $uri =404; + } + + location @pmwiki { + rewrite ^/wiki/(.*) /wiki/pmwiki.php?n=$1; + } + + location /wiki { + index pmwiki.php; + try_files $uri $uri/ @pmwiki; + } + + location ~ ^\/wiki(.+\.php)$ { + index pmwiki.php; + fastcgi_split_path_info ^(.+\.php)(/.+)$; + fastcgi_index pmwiki.php; + try_files $uri /pmwiki.php =404; + include /etc/nginx/fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; +# fastcgi_pass unix:/var/run/php5-fpm.sock; + fastcgi_pass 127.0.0.1:9000; + } +} diff --git a/tools/conf/etc/rc.conf b/tools/conf/etc/rc.conf index 2dbf272..192ef3e 100644 --- a/tools/conf/etc/rc.conf +++ b/tools/conf/etc/rc.conf @@ -5,8 +5,8 @@ FONT=default KEYMAP=dvorak TIMEZONE="Europe/Lisbon" -HOSTNAME=machine -SYSLOG=sysklogd -SERVICES=(lo iptables wlan blan crond) +HOSTNAME=c2 +SYSLOG=syslog-ng +SERVICES=(apparmor lo net iptables sshd ntpd postgresql exim dovecot git-daemon php-fpm fcgiwrap nginx crond) # End of file diff --git a/tools/conf/etc/ssh/sshd_config b/tools/conf/etc/ssh/sshd_config index 6fd955a..495d183 100644 --- a/tools/conf/etc/ssh/sshd_config +++ b/tools/conf/etc/ssh/sshd_config @@ -1,4 +1,4 @@ -# $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $ +# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. @@ -16,12 +16,7 @@ AddressFamily inet #ListenAddress 0.0.0.0 #ListenAddress :: - -# The default requires explicit activation of protocol 1 -Protocol 2 - #HostKey /etc/ssh/ssh_host_rsa_key -#HostKey /etc/ssh/ssh_host_dsa_key #HostKey /etc/ssh/ssh_host_ecdsa_key #HostKey /etc/ssh/ssh_host_ed25519_key @@ -29,8 +24,8 @@ Protocol 2 #RekeyLimit default none # Logging -#SyslogFacility AUTH -#LogLevel INFO +SyslogFacility AUTH +LogLevel INFO # Authentication: @@ -40,10 +35,11 @@ PermitRootLogin no #StrictModes yes MaxAuthTries 3 #MaxSessions 10 -MaxSessions 3 PubkeyAuthentication yes +AllowGroups admin users gitolite sshproxy + # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 # but this is overridden so installations will only check .ssh/authorized_keys AuthorizedKeysFile .ssh/authorized_keys @@ -90,7 +86,6 @@ ChallengeResponseAuthentication no # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. #UsePAM no -#UsePAM no #AllowAgentForwarding yes #AllowTcpForwarding yes @@ -102,8 +97,6 @@ ChallengeResponseAuthentication no #PrintMotd yes #PrintLastLog yes #TCPKeepAlive yes -#UseLogin no -#UsePrivilegeSeparation sandbox #PermitUserEnvironment no #Compression delayed #ClientAliveInterval 0 @@ -116,11 +109,25 @@ ChallengeResponseAuthentication no #VersionAddendum none # no default banner path -Banner /etc/issue +#Banner none # override default of no subsystems Subsystem sftp /usr/lib/ssh/sftp-server +Match Group gitolite + AllowAgentForwarding no + AllowTcpForwarding no + +Match Group sshproxy + AllowAgentForwarding no + PermitTTY no + PermitOpen 10.0.0.4:443 + PermitOpen 10.0.0.4:9418 + PermitOpen tribu.semdestino.org:443 + PermitOpen tribu.semdestino.org:9418 + ForceCommand echo 'This account can only be used for web proxy' + + # Example of overriding settings on a per-user basis #Match User anoncvs # X11Forwarding no diff --git a/tools/conf/etc/syslog-ng.conf b/tools/conf/etc/syslog-ng.conf index 16c1ddb..b6aa817 100644 --- a/tools/conf/etc/syslog-ng.conf +++ b/tools/conf/etc/syslog-ng.conf @@ -1,127 +1,223 @@ -@version: 3.17 +@version: 3.25 +@include "scl.conf" + +# Syslog-ng configuration file, compatible with default Debian syslogd +# installation. + +# First, set some global options. +options { chain_hostnames(off); flush_lines(0); use_dns(no); use_fqdn(no); + owner("root"); group("adm"); perm(0640); stats_freq(0); + bad_hostname("^gconfd$"); +}; + +######################## +# Sources +######################## +# This is the default behavior of sysklogd package +# Logs may come from unix stream, but not from another machine. # -# /etc/syslog-ng: syslog-ng(8) configration file -# based on a gentoo template added custom changes for crux +source s_src { + system(); + internal(); +}; -# on busy systems you may have to adjus flush_lines and suppress() to avoid -# heavy disc i/o -# to change default permissions/owner/group for newly created files add -# options like this: owner(root); group(sys); perm(0644); - -options { chain_hostnames(off); flush_lines(0); stats_freq(0); create_dirs(on); }; - -#source where to read log -source src { unix-stream("/dev/log"); internal(); }; -source kernsrc { file("/proc/kmsg"); }; - -#define templates -template t_debug { template("$DATE fac $FACILITY lvl $LEVEL prg $PROGRAM: $MSG\n"); }; - -#define destinations -destination authlog { file("/var/log/auth" suppress(5)); }; -destination sudo { file("/var/log/sudo" suppress(5)); }; -destination cron { file("/var/log/cron" suppress(5)); }; -destination kern { file("/var/log/kernel" suppress(5)); }; -destination mail { file("/var/log/mail" suppress(5)); }; - -destination mailinfo { file("/var/log/mail.info" suppress(5)); }; -destination mailwarn { file("/var/log/mail.warn" suppress(5)); }; -destination mailerr { file("/var/log/mail.err" suppress(5)); }; +# If you wish to get logs from remote machine you should uncomment +# this and comment the above source line. +# +#source s_net { tcp(ip(127.0.0.1) port(1000)); }; -#destination newscrit { file("/var/log/news/news.crit" suppress(5)); }; -#destination newserr { file("/var/log/news/news.err" suppress(5)); }; -#destination newsnotice { file("/var/log/news/news.notice" suppress(5)); }; +######################## +# Destinations +######################## +# First some standard logfile +# +destination d_auth { file("/var/log/auth"); }; +destination d_sudo { file("/var/log/sudo" ); }; +destination d_cron { file("/var/log/cron"); }; +destination d_daemon { file("/var/log/daemon"); }; +destination d_kern { file("/var/log/kernel"); }; +destination d_lpr { file("/var/log/lpr"); }; +destination d_mail { file("/var/log/mail"); }; +destination d_syslog { file("/var/log/syslog-ng"); }; +destination d_user { file("/var/log/user"); }; +destination d_uucp { file("/var/log/uucp"); }; + +# This files are the log come from the mail subsystem. +# +destination d_mailinfo { file("/var/log/mail.info"); }; +destination d_mailwarn { file("/var/log/mail.warn"); }; +destination d_mailerr { file("/var/log/mail.err"); }; -destination debug { file("/var/log/debug" template(t_debug) suppress(5)); }; -destination messages { file("/var/log/messages" suppress(5)); }; -destination errors { file("/var/log/error" suppress(5)); }; -destination console { usertty("root"); }; -destination console_all { file("/dev/tty12" suppress(5)); }; -destination xconsole { pipe("/dev/xconsole" suppress(5)); }; +# Logging for INN news system +# +destination d_newscrit { file("/var/log/news/news.crit"); }; +destination d_newserr { file("/var/log/news/news.err"); }; +destination d_newsnotice { file("/var/log/news/news.notice"); }; -############################################# -# custom destinations +# Some 'catch-all' logfiles. # +destination d_debug { file("/var/log/debug"); }; +destination d_error { file("/var/log/error"); }; +destination d_messages { file("/var/log/messages"); }; -destination d_shorewall_warn { file ("/var/log/shorewall/warn.log"); }; -destination d_shorewall_info { file ("/var/log/shorewall/info.log"); }; +# Custom destinations +destination d_shorewall_warn { file ("/var/log/shorewall/warn"); }; +destination d_shorewall_info { file ("/var/log/shorewall/info"); }; destination d_dnsmasq { file("/var/log/dnsmasq"); }; destination d_postgres { file("/var/log/pgsql"); }; +destination d_mysql { file("/var/log/pgsql"); }; destination d_iptables { file("/var/log/iptables"); }; destination d_sshd { file("/var/log/sshd"); }; destination d_gitolite { file("/var/log/gitolite"); }; -destination d_nginx_access { file("/var/log/nginx/access.log" owner(root) group(www) perm(0644)); }; -destination d_nginx_error { file("/var/log/nginx/error.log"); }; +destination d_git-daemon { file("/var/log/git-daemon"); }; +destination d_nginx_access { file("/var/log/nginx_access"); }; +destination d_nginx_error { file("/var/log/nginx_error"); }; +destination d_php_fpm { file("/var/log/php-fpm"); }; +destination d_php { file("/var/log/php"); }; +destination d_nginx_vhost { file("/var/log/nginx/vhost_access"); }; +destination d_nginx_vhost_err { file("/var/log/nginx/vhost_error"); }; + +# The root's console. +# +destination d_console { usertty("root"); }; + +# Virtual console. +# +#destination d_console_all { file(`tty10`); }; +destination console { usertty("root"); }; +destination d_console_all { file("/dev/tty12" suppress(5)); }; +destination xconsole { pipe("/dev/xconsole" suppress(5)); }; + + + +# The named pipe /dev/xconsole is for the nsole' utility. To use it, +# you must invoke nsole' with the -file' option: +# +# $ xconsole -file /dev/xconsole [...] +# +destination d_xconsole { pipe("/dev/xconsole"); }; +# Send the messages to an other host +# +#destination d_net { tcp("127.0.0.1" port(1000) log_fifo_size(1000)); }; -#create filters -filter f_authpriv { facility(auth, authpriv); }; -filter f_cron { facility(cron); }; -filter f_kern { facility(kern); }; -filter f_mail { facility(mail); }; -#filter f_debug { not facility(auth, authpriv, mail) and not program(sudo); }; -filter f_debug { not facility(mail) and not program(sudo); }; -filter f_messages { level(info..warn) - and not facility(auth, authpriv, mail) and not program(sudo); }; -filter f_sudo { program(sudo); }; -filter f_errors { level(err..emerg); }; +# Debian only +destination d_ppp { file("/var/log/ppp"); }; -filter f_emergency { level(emerg); }; +######################## +# Filters +######################## +# Here's come the filter options. With this rules, we can set which +# message go where. +filter f_dbg { level(debug); }; filter f_info { level(info); }; filter f_notice { level(notice); }; filter f_warn { level(warn); }; -filter f_crit { level(crit); }; filter f_err { level(err); }; +filter f_crit { level(crit .. emerg); }; + +filter f_debug { level(debug) and not facility(auth, authpriv, news, mail); }; +filter f_error { level(err .. emerg) ; }; +filter f_messages { level(info,notice,warn) + and not facility(auth,authpriv,cron,daemon,mail,news,local0); }; + +filter f_auth { facility(auth, authpriv) and not filter(f_debug); }; +filter f_sudo { facility(auth, authpriv) and program("^sudo$"); }; +filter f_cron { facility(cron) and not filter(f_debug);}; +filter f_daemon { facility(daemon, local0) + and not filter(f_debug) + and not program("^php$") + and not program("^nginx_vhost$") + and not program("^nginx_vhost_err$");}; +filter f_kern { facility(kern) and not filter(f_debug); }; +filter f_lpr { facility(lpr) and not filter(f_debug); }; +filter f_local { facility(local0, local1, local3, local4, local5, + local6, local7) and not filter(f_debug); }; +filter f_mail { facility(mail) and not filter(f_debug); }; +filter f_news { facility(news) and not filter(f_debug); }; +filter f_syslog3 { program("^syslog-ng$");}; +filter f_user { facility(user) and not filter(f_debug); }; +filter f_uucp { facility(uucp) and not filter(f_debug); }; + +filter f_cnews { level(notice, err, crit) and facility(news); }; +filter f_cother { level(debug, info, notice, warn) or facility(daemon, mail); }; + +filter f_ppp { facility(local2) and not filter(f_debug); }; +filter f_console { level(warn .. emerg); }; -############################################# # custom filters -# -filter f_dnsmasq { program("dnsmasq"); }; -filter f_postgres { facility(local0); }; -filter f_sshd { facility(local1); }; + +filter f_dnsmasq { program("^dnsmasq$"); }; +filter f_postgres { facility(local0) and program("^postgresql$"); }; +filter f_sshd { facility(auth) and program("^sshd$"); }; filter f_iptables { facility(kern) and match("iptables" value("MESSAGE")) }; filter f_shorewall_warn { level (warn) and match ("Shorewall" value("MESSAGE")); }; filter f_shorewall_info {level (info) and match ("Shorewall" value("MESSAGE")); }; -filter f_gitolite { program("gitolite"); }; -filter f_nginx_access { match("nginx_access:" value("MESSAGE")); }; -filter f_nginx_error { match("nginx_error:" value("MESSAGE")); }; - -# examples for text-matching (beware of performance issues) -#filter f_failed { match("failed"); }; -#filter f_denied { match("denied"); }; - -#connect filter and destination -log { source(src); filter(f_authpriv); destination(authlog); }; -log { source(src); filter(f_sudo); destination(sudo); }; -log { source(src); filter(f_cron); destination(cron); }; -log { source(kernsrc); filter(f_kern); destination(kern); }; -log { source(src); filter(f_mail); destination(mail); }; -log { source(src); filter(f_mail); filter(f_info); destination(mailinfo); }; -log { source(src); filter(f_mail); filter(f_warn); destination(mailwarn); }; -log { source(src); filter(f_mail); filter(f_err); destination(mailerr); }; - -#log { source(src); filter(f_debug); destination(debug); }; -log { source(src); filter(f_messages); destination(messages); }; -log { source(src); filter(f_errors); destination(errors); }; -log { source(src); filter(f_emergency); destination(console); }; - -#default log -#log { source(src); destination(console_all); }; - -############################################# -# custom -# - -log { source (kernsrc); filter (f_iptables); destination (d_iptables);}; -log { source (kernsrc); filter (f_shorewall_warn); destination (d_shorewall_warn);}; -log { source (kernsrc); filter (f_shorewall_info); destination (d_shorewall_info);}; -log { source(src); filter(f_dnsmasq); destination(d_dnsmasq);}; -log { source(src); filter(f_postgres); destination(d_postgres);}; -log { source(src); filter(f_sshd); destination(d_sshd);}; -log { source(src); filter(f_gitolite); destination(d_gitolite);}; -log { source(src); filter(f_nginx_error); destination(d_nginx_error);}; -log { source(src); filter(f_nginx_access); destination(d_nginx_access);}; +filter f_gitolite { program("^gitolite$"); }; +filter f_git-daemon { program("^git-daemon$"); }; +filter f_nginx_error { facility(daemon) and program("^nginx$"); }; +filter f_nginx_vhost { facility(daemon) and program("^nginx_vhost$");}; +filter f_nginx_vhost_err { facility(daemon) and program("^nginx_vhost_err$");}; +filter f_php_fpm { facility(daemon) and program("^php-fpm$");}; +filter f_php { facility(daemon) and program("^php$");}; + +# custom logs +log { source(s_src); filter(f_php_fpm); destination(d_php_fpm); }; +log { source(s_src); filter(f_php); destination(d_php); }; +log { source(s_src); filter(f_nginx_vhost); destination(d_nginx_vhost); }; +log { source(s_src); filter(f_nginx_vhost_err); destination(d_nginx_vhost_err); }; +log { source(s_src); filter(f_sshd); destination(d_sshd);}; +log { source (s_src); filter (f_iptables); destination (d_iptables);}; +log { source (s_src); filter (f_shorewall_warn); destination (d_shorewall_warn);}; +log { source (s_src); filter (f_shorewall_info); destination (d_shorewall_info);}; +log { source(s_src); filter(f_dnsmasq); destination(d_dnsmasq);}; +log { source(s_src); filter(f_postgres); destination(d_postgres);}; +log { source(s_src); filter(f_gitolite); destination(d_gitolite);}; +log { source(s_src); filter(f_git-daemon); destination(d_git-daemon);}; +log { source(s_src); filter(f_nginx_error); destination(d_nginx_error);}; + +######################## +# Log paths +######################## +log { source(s_src); filter(f_auth); destination(d_auth); }; +log { source(s_src); filter(f_sudo); destination(d_sudo); }; +log { source(s_src); filter(f_cron); destination(d_cron); }; +log { source(s_src); filter(f_daemon); destination(d_daemon); }; +log { source(s_src); filter(f_kern); destination(d_kern); }; +log { source(s_src); filter(f_lpr); destination(d_lpr); }; +log { source(s_src); filter(f_user); destination(d_user); }; +log { source(s_src); filter(f_uucp); destination(d_uucp); }; + +log { source(s_src); filter(f_mail); destination(d_mail); }; +log { source(s_src); filter(f_mail); filter(f_info); destination(d_mailinfo); }; +log { source(s_src); filter(f_mail); filter(f_warn); destination(d_mailwarn); }; +log { source(s_src); filter(f_mail); filter(f_err); destination(d_mailerr); }; + +log { source(s_src); filter(f_news); filter(f_crit); destination(d_newscrit); }; +log { source(s_src); filter(f_news); filter(f_err); destination(d_newserr); }; +log { source(s_src); filter(f_news); filter(f_notice); destination(d_newsnotice); }; +#log { source(s_src); filter(f_cnews); destination(d_console_all); }; +#log { source(s_src); filter(f_cother); destination(d_console_all); }; + +#log { source(s_src); filter(f_ppp); destination(d_ppp); }; + +log { source(s_src); filter(f_debug); destination(d_debug); }; +log { source(s_src); filter(f_error); destination(d_error); }; +log { source(s_src); filter(f_messages); destination(d_messages); }; +log { source(s_src); filter(f_syslog3); destination(d_syslog); }; +log { source(s_src); filter(f_console); destination(d_console_all); + destination(d_xconsole); }; +log { source(s_src); filter(f_crit); destination(d_console); }; +# +# +# All messages send to a remote site +# +#log { source(s_src); destination(d_net); }; +### +# Include all config files in /etc/syslog-ng/conf.d/ +### +@include "/etc/syslog-ng/conf.d/*.conf" diff --git a/tools/conf/srv/gitolite/.gitolite.rc b/tools/conf/srv/gitolite/.gitolite.rc index fa18e4e..d2c80b7 100644 --- a/tools/conf/srv/gitolite/.gitolite.rc +++ b/tools/conf/srv/gitolite/.gitolite.rc @@ -28,7 +28,7 @@ # logging options # 1. leave this section as is for 'normal' gitolite logging (default) # 2. uncomment this line to log ONLY to syslog: - # LOG_DEST => 'syslog', + LOG_DEST => 'syslog', # 3. uncomment this line to log to syslog and the normal gitolite log: # LOG_DEST => 'syslog,normal', # 4. prefixing "repo-log," to any of the above will **also** log just the diff --git a/tools/conf/srv/gitolite/deploy-web-doc b/tools/conf/srv/gitolite/deploy-web-doc index ae8e2db..b836515 100755 --- a/tools/conf/srv/gitolite/deploy-web-doc +++ b/tools/conf/srv/gitolite/deploy-web-doc @@ -2,7 +2,7 @@ ###################################################################### # # Put this file in your gitolite-admin; -# ~/gitolite-admin/local/hooks/repo-specific/deploy-web-doc +# ~/gitolite-admin/local/hooks/repo-specific/hook-deploy-web # # set host to empty to create package for each push # or set remote host to create package based on last deployed push diff --git a/tools/conf/srv/gitolite/deploy-web.sh b/tools/conf/srv/gitolite/deploy-web.sh index 01e92ac..86d2026 100644 --- a/tools/conf/srv/gitolite/deploy-web.sh +++ b/tools/conf/srv/gitolite/deploy-web.sh @@ -3,7 +3,7 @@ pkg_path=$1 www_root="/srv/www" -www_user="nginx" +www_user="www" www_group="www" pkg_file="${pkg_path}/project" diff --git a/tools/conf/srv/gitolite/gitolite.conf b/tools/conf/srv/gitolite/gitolite.conf index 3de7ba5..2685d90 100644 --- a/tools/conf/srv/gitolite/gitolite.conf +++ b/tools/conf/srv/gitolite/gitolite.conf @@ -1,80 +1,73 @@ -@guests = gitweb -@interns = silvino -@dev = silvino -@teamleads = silvino -@staff = @interns @dev @teamleads +@guests = bob +@interns = bob +@dev = bob alice +@teamleads = druid bob +@staff = @interns @dev + repo @secret - = @guests option deny-rules = 1 repo @floss - RW+ = @dev @staff + RW+ = @staff R = @all repo @project RW+ = @teamleads - - master = @dev - - refs/tags/v[0-9] = @dev - RW+ develop/ = @dev - RW+ feature/ = @dev - RW+ hot-fix/ = @dev - RW = @dev - R = @interns + - master = @staff @guests + - refs/tags/ = @staff @guests + RW+ develop/ = @staff + RW+ feature/ = @staff + RW+ hot-fix/ = @staff + RW = @staff + R = @all repo @mirror + R = @all RW+ release/ = @teamleads RW+ develop/ = @dev RW+ feature/ = @dev RW+ hot-fix/ = @dev - R = @all + option upstream.nice = 120 repo gitolite-admin RW+ = gitolite -repo doc machine-ports pmwiki assistant - config gitweb.owner = "Tribu Team" - config gitweb.category = "machine" - -repo linux-pck - config gitweb.owner = "Tribu Team" - config gitweb.category = "mirrors" +repo mate + config gitweb.description = "Mate ports" -repo opt core contrib - config gitweb.owner = "crux" - config gitweb.category = "crux" +repo kde5 + config gitweb.description = "Kde5 ports" -repo doc - config gitweb.description = "documentation" - option hook.post-receive = deploy-web-doc - -repo machine-ports - config gitweb.description = "ports" +repo xorg + config gitweb.description = "Xorg ports" -repo pmwiki - config gitweb.description = "wiki" - option hook.post-receive = deploy-web-doc +repo contrib + config gitweb.description = "Contrib ports" -repo assistant - config gitweb.owner = "Tribu Team" - config gitweb.description = "open assistant" +repo opt + config gitweb.description = "Opt ports" repo core - config gitweb.description = "crux core collection" + config gitweb.description = "Core ports" -repo opt - config gitweb.description = "crux opt collection" +repo doc + config gitweb.description = "System doc." + option hook.post-receive = deploy-web-doc -repo contrib - config gitweb.description = "crux contrib collection" +repo ports + config gitweb.description = "Extra ports." + option hook.post-receive = deploy-web-doc -repo linux-pck - config gitweb.description = "PCK or Parabola Community Kernel are multiple patches, pf-kernel and zen-kernel for Linux-libre kernel" - option upstream.url = git://git.parabola.nu/pck.git - option upstream.nice = 120 +repo doc + config gitweb.owner = "Team" + config gitweb.category = "Repositories" +repo core opt contrib ports xorg iso mate kde5 + config gitweb.owner = "Team" + config gitweb.category = "Host Ports" -@secret = gitolite-admin -@project = doc machine-ports pmwiki assistant -@project = core opt contrib -@mirror = linux-pck +@secret = gitolite-admin +@project = doc +@project = core opt contrib ports xorg iso mate kde5 webdata diff --git a/tools/conf/srv/pgsql/data/pg_hba.conf b/tools/conf/srv/pgsql/data/pg_hba.conf index af37ab4..f60af44 100644 --- a/tools/conf/srv/pgsql/data/pg_hba.conf +++ b/tools/conf/srv/pgsql/data/pg_hba.conf @@ -81,20 +81,14 @@ # TYPE DATABASE USER ADDRESS METHOD # "local" is for Unix domain socket connections only -#local all all trust +local all postgres scram-sha-256 +#local all postgres trust # IPv4 local connections: -#host all all 127.0.0.1/32 trust +host all postgres 127.0.0.1/32 scram-sha-256 # IPv6 local connections: -#host all all ::1/128 trust +host all postgres ::1/128 scram-sha-256 # Allow replication connections from localhost, by a user with the # replication privilege. -#local replication all trust -#host replication all 127.0.0.1/32 trust -#host replication all ::1/128 trust - -# TYPE DATABASE USER ADDRESS METHOD -local postgres postgres trust -host postgres postgres 127.0.0.1/32 trust -host db_flyspray flyspray 127.0.0.1/32 md5 -host all all 127.0.0.1/32 scram-sha-256 -host all all 0.0.0.0/0 reject +local replication postgres scram-sha-256 +host replication postgres 127.0.0.1/32 scram-sha-256 +host replication postgres ::1/128 scram-sha-256 diff --git a/tools/conf/srv/pgsql/data/postgresql.conf b/tools/conf/srv/pgsql/data/postgresql.conf index e25ab49..4497df9 100644 --- a/tools/conf/srv/pgsql/data/postgresql.conf +++ b/tools/conf/srv/pgsql/data/postgresql.conf @@ -73,7 +73,7 @@ max_connections = 100 # (change requires restart) #bonjour_name = '' # defaults to the computer name # (change requires restart) -# - TCP Keepalives - +# - TCP settings - # see "man 7 tcp" for details #tcp_keepalives_idle = 0 # TCP_KEEPIDLE, in seconds; @@ -82,12 +82,14 @@ max_connections = 100 # (change requires restart) # 0 selects the system default #tcp_keepalives_count = 0 # TCP_KEEPCNT; # 0 selects the system default +#tcp_user_timeout = 0 # TCP_USER_TIMEOUT, in milliseconds; + # 0 selects the system default # - Authentication - #authentication_timeout = 1min # 1s-600s #password_encryption = md5 # md5 or scram-sha-256 -password_encryption = scram-sha-256 # md5 or scram-sha-256 +password_encryption = scram-sha-256 # md5 or scram-sha-256 #db_user_namespace = off # GSSAPI using Kerberos @@ -107,6 +109,8 @@ ssl_key_file = '/etc/ssl/keys/pg.key' #ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers #ssl_prefer_server_ciphers = on #ssl_ecdh_curve = 'prime256v1' +#ssl_min_protocol_version = 'TLSv1' +#ssl_max_protocol_version = '' #ssl_dh_params_file = '' #ssl_passphrase_command = '' #ssl_passphrase_command_supports_reload = off @@ -131,13 +135,18 @@ shared_buffers = 128MB # min 128kB #maintenance_work_mem = 64MB # min 1MB #autovacuum_work_mem = -1 # min 1MB, or -1 to use maintenance_work_mem #max_stack_depth = 2MB # min 100kB +#shared_memory_type = mmap # the default is the first option + # supported by the operating system: + # mmap + # sysv + # windows + # (change requires restart) dynamic_shared_memory_type = posix # the default is the first option # supported by the operating system: # posix # sysv # windows # mmap - # use none to disable dynamic shared memory # (change requires restart) # - Disk - @@ -152,7 +161,7 @@ dynamic_shared_memory_type = posix # the default is the first option # - Cost-Based Vacuum Delay - -#vacuum_cost_delay = 0 # 0-100 milliseconds +#vacuum_cost_delay = 0 # 0-100 milliseconds (0 disables) #vacuum_cost_page_hit = 1 # 0-10000 credits #vacuum_cost_page_miss = 10 # 0-10000 credits #vacuum_cost_page_dirty = 20 # 0-10000 credits @@ -203,6 +212,8 @@ dynamic_shared_memory_type = posix # the default is the first option #wal_compression = off # enable compression of full-page writes #wal_log_hints = off # also do full page writes of non-critical updates # (change requires restart) +#wal_init_zero = on # zero-fill new WAL files +#wal_recycle = on # recycle WAL files #wal_buffers = -1 # min 32kB, -1 sets based on shared_buffers # (change requires restart) #wal_writer_delay = 200ms # 1-10000 milliseconds @@ -231,6 +242,42 @@ min_wal_size = 80MB #archive_timeout = 0 # force a logfile segment switch after this # number of seconds; 0 disables +# - Archive Recovery - + +# These are only used in recovery mode. + +#restore_command = '' # command to use to restore an archived logfile segment + # placeholders: %p = path of file to restore + # %f = file name only + # e.g. 'cp /mnt/server/archivedir/%f %p' + # (change requires restart) +#archive_cleanup_command = '' # command to execute at every restartpoint +#recovery_end_command = '' # command to execute at completion of recovery + +# - Recovery Target - + +# Set these only when performing a targeted recovery. + +#recovery_target = '' # 'immediate' to end recovery as soon as a + # consistent state is reached + # (change requires restart) +#recovery_target_name = '' # the named restore point to which recovery will proceed + # (change requires restart) +#recovery_target_time = '' # the time stamp up to which recovery will proceed + # (change requires restart) +#recovery_target_xid = '' # the transaction ID up to which recovery will proceed + # (change requires restart) +#recovery_target_lsn = '' # the WAL LSN up to which recovery will proceed + # (change requires restart) +#recovery_target_inclusive = on # Specifies whether to stop: + # just after the specified recovery target (on) + # just before the recovery target (off) + # (change requires restart) +#recovery_target_timeline = 'latest' # 'current', 'latest', or timeline ID + # (change requires restart) +#recovery_target_action = 'pause' # 'pause', 'promote', 'shutdown' + # (change requires restart) + #------------------------------------------------------------------------------ # REPLICATION @@ -264,6 +311,11 @@ min_wal_size = 80MB # These settings are ignored on a master server. +#primary_conninfo = '' # connection string to sending server + # (change requires restart) +#primary_slot_name = '' # replication slot on sending server + # (change requires restart) +#promote_trigger_file = '' # file name whose presence ends recovery #hot_standby = on # "off" disallows queries during recovery # (change requires restart) #max_standby_archive_delay = 30s # max delay before canceling queries @@ -281,6 +333,7 @@ min_wal_size = 80MB # in milliseconds; 0 disables #wal_retrieve_retry_interval = 5s # time to wait before retrying to # retrieve WAL after a failed attempt +#recovery_min_apply_delay = 0 # minimum delay for applying changes during recovery # - Subscribers - @@ -356,7 +409,10 @@ min_wal_size = 80MB #join_collapse_limit = 8 # 1 disables collapsing of explicit # JOIN clauses #force_parallel_mode = off -#jit = off # allow JIT compilation +#jit = on # allow JIT compilation +jit = off # allow JIT compilation +#plan_cache_mode = auto # auto, force_generic_plan or + # force_custom_plan #------------------------------------------------------------------------------ @@ -365,9 +421,8 @@ min_wal_size = 80MB # - Where to Log - -#log_destination = 'stderr' # Valid values are combinations of -#log_destination = 'stderr,syslog' # Multiple are valide -log_destination = 'syslog' +#log_destination = 'stderr' +#log_destination = 'syslog' # Valid values are combinations of # stderr, csvlog, syslog, and eventlog, # depending on platform. csvlog # requires logging_collector to be on. @@ -400,7 +455,6 @@ log_destination = 'syslog' # 0 disables. # These are relevant when logging to syslog: -#syslog_facility = 'LOCAL0' syslog_facility = 'LOCAL0' syslog_ident = 'postgres' #syslog_sequence_numbers = on @@ -412,17 +466,6 @@ syslog_ident = 'postgres' # - When to Log - -#client_min_messages = notice # values in order of decreasing detail: - # debug5 - # debug4 - # debug3 - # debug2 - # debug1 - # log - # notice - # warning - # error - #log_min_messages = warning # values in order of decreasing detail: # debug5 # debug4 @@ -456,6 +499,9 @@ syslog_ident = 'postgres' # statements running at least this number # of milliseconds +#log_transaction_sample_rate = 0.0 # Fraction of transactions whose statements + # are logged regardless of their duration. 1.0 logs all + # statements from all transactions, 0.0 never logs. # - What to Log - @@ -464,12 +510,15 @@ syslog_ident = 'postgres' #debug_print_plan = off #debug_pretty_print = on #log_checkpoints = off +#log_connections = off log_connections = on +#log_disconnections = off log_disconnections = on -log_duration = on +#log_duration = off #log_error_verbosity = default # terse, default, or verbose messages +#log_hostname = off log_hostname = on -#log_line_prefix = '%m [%p] ' # special values: +log_line_prefix = 'd=$d u=% %m [%p] ' # special values: # %a = application name # %u = user name # %d = database name @@ -492,11 +541,12 @@ log_hostname = on # e.g. '<%u%%%d> ' #log_lock_waits = off # log lock waits >= deadlock_timeout #log_statement = 'none' # none, ddl, mod, all +log_statement = 'mod' # none, ddl, mod, all #log_replication_commands = off #log_temp_files = -1 # log temporary files equal or larger # than the specified size in kilobytes; # -1 disables, 0 logs all temp files -log_timezone = 'Portugal' +log_timezone = 'Europe/Lisbon' #------------------------------------------------------------------------------ # PROCESS TITLE @@ -553,7 +603,7 @@ log_timezone = 'Portugal' #autovacuum_multixact_freeze_max_age = 400000000 # maximum multixact age # before forced vacuum # (change requires restart) -#autovacuum_vacuum_cost_delay = 20ms # default vacuum cost delay for +#autovacuum_vacuum_cost_delay = 2ms # default vacuum cost delay for # autovacuum, in milliseconds; # -1 means use vacuum_cost_delay #autovacuum_vacuum_cost_limit = -1 # default vacuum cost limit for @@ -567,11 +617,22 @@ log_timezone = 'Portugal' # - Statement Behavior - +#client_min_messages = notice # values in order of decreasing detail: + # debug5 + # debug4 + # debug3 + # debug2 + # debug1 + # log + # notice + # warning + # error #search_path = '"$user", public' # schema names #row_security = on #default_tablespace = '' # a tablespace name, '' uses the default #temp_tablespaces = '' # a list of tablespace names, '' uses # only default tablespace +#default_table_access_method = 'heap' #check_function_bodies = on #default_transaction_isolation = 'read committed' #default_transaction_read_only = off @@ -597,7 +658,7 @@ log_timezone = 'Portugal' datestyle = 'iso, mdy' #intervalstyle = 'postgres' -timezone = 'Portugal' +timezone = 'Europe/Lisbon' #timezone_abbreviations = 'Default' # Select the set of available time zone # abbreviations. Currently, there are # Default @@ -605,7 +666,8 @@ timezone = 'Portugal' # India # You can create your own file in # share/timezonesets/. -#extra_float_digits = 0 # min -15, max 3 +#extra_float_digits = 1 # min -15, max 3; any value >0 actually + # selects precise output mode #client_encoding = sql_ascii # actually, defaults to database # encoding @@ -654,7 +716,6 @@ default_text_search_config = 'pg_catalog.english' #array_nulls = on #backslash_quote = safe_encoding # on, off, or safe_encoding -#default_with_oids = off #escape_string_warning = on #lo_compat_privileges = off #operator_precedence_warning = off @@ -673,6 +734,9 @@ default_text_search_config = 'pg_catalog.english' #exit_on_error = off # terminate session on any error? #restart_after_crash = on # reinitialize after backend crash? +#data_sync_retry = off # retry or panic on failure to fsync + # data? + # (change requires restart) #------------------------------------------------------------------------------ @@ -680,12 +744,13 @@ default_text_search_config = 'pg_catalog.english' #------------------------------------------------------------------------------ # These options allow settings to be loaded from files other than the -# default postgresql.conf. +# default postgresql.conf. Note that these are directives, not variable +# assignments, so they can usefully be given more than once. -#include_dir = 'conf.d' # include files ending in '.conf' from - # directory 'conf.d' -#include_if_exists = 'exists.conf' # include file only if it exists -#include = 'special.conf' # include file +#include_dir = '...' # include files ending in '.conf' from + # a directory, e.g., 'conf.d' +#include_if_exists = '...' # include file only if it exists +#include = '...' # include file #------------------------------------------------------------------------------ |