From ac7c572733282e49801b16531d841682e3ab1b5a Mon Sep 17 00:00:00 2001
From: Silvino Silva This is part of the Hive System Documentation.
- Copyright (C) 2019
- Hive Team.
+ This is part of the Tribu System Documentation.
+ Copyright (C) 2020
+ Tribu Team.
See the file Gnu Free Documentation License
for copying conditions. Check kernel configuration or
- use the provided with linux-gnu port
- to support apparmor. AppArmor enforce rules on applications based
- on security policies. User space tools are provided by apparmor port
- and its dependencies, install them; Check kernel configuration or
+ use the provided with linux-gnu port
+ to support apparmor. AppArmor enforce rules on applications based
+ on security policies. Enable apparmor on linux by command line, create /etc/default/grub; User space tools are provided by apparmor port
+ and its dependencies, install them; Add SecurityFS to /etc/fstab; Enable apparmor on linux by command line, create /etc/default/grub; Check status; Add SecurityFS to /etc/fstab; Utilities; Check status; Profiles are located at /etc/apparmor.d/ and
- /usr/share/apparmor/extra-profiles contain profiles
- that require testing; Profiles are parsed using
- apparmor_parser; Tools use log as a source to build profiles, it is
- necessary to disable log rate limit; Start aa-genprof; Execute application with all common application options
- and parts. After initial automatic configuration enable profile in
- complain mode. Use aa-logprof when rules need to be adapted. Once profile rules become well defined enable profile in
- enforce mode with aa-enforce; Monitor logs with aa-notify; And keep adjusting the rules with logprof; To create a new profile, let's say for lynx,
- first find where the application is; Now create a file with path to executable in
- /etc/apparmor.d; Create basic profile template; Every time apparmor loads a profile in text it needs
- to compile into binary format, this takes some time if
- there is many profiles to load at boot time. To optimize
- edit /etc/apparmor/parser.conf; To change default location add; Utilities; This is part of the Tribu System Documentation.
- Copyright (C) 2020
- Tribu Team.
- See the file Gnu Free Documentation License
- for copying conditions. Profiles are located at /etc/apparmor.d/ and
+ /usr/share/apparmor/extra-profiles contain profiles
+ that require testing; Profiles are parsed using
+ apparmor_parser; Tools use log as a source to build profiles, it is
+ necessary to disable log rate limit; Start aa-genprof; Execute application with all common application options
+ and parts. After initial automatic configuration enable profile in
+ complain mode. Use aa-logprof when rules need to be adapted. Reload profile with the new settings; Once profile rules become well defined enable profile in
+ enforce mode with aa-enforce; Monitor logs with aa-notify; And keep adjusting the rules with logprof; The owner keyword can be used as a qualifier making permission conditional on owning the file (process fsuid == file's uid). Read Profile Language for more information. Every time apparmor loads a profile in text it needs
+ to compile into binary format, this takes some time if
+ there is many profiles to load at boot time. To optimize
+ edit /etc/apparmor/parser.conf; To change default location add; This is part of the Tribu System Documentation.
+ Copyright (C) 2020
+ Tribu Team.
+ See the file Gnu Free Documentation License
+ for copying conditions. Core OS covers installation and configuration of
- basic functionality of Crux 3.5 Gnu\Linux operating system.
- This documentation try's to follow Crux HandBook installation
- method diverges, for example, by only installing and
- documenting gpt and grub2.
-
- Read Crux HandBook,
- you can ask for help on freenode #crux. Check scripts
- folder the install process is automated and ports
- for extra ports used during the installation.
- This is part of the Tribu System Documentation.
- Copyright (C) 2020
- Tribu Team.
- See the file Gnu Free Documentation License
- for copying conditions. Core OS covers installation and configuration of
+ basic functionality of Crux 3.5 Gnu\Linux operating system.
+ This documentation try's to follow Crux HandBook installation
+ method diverges, for example, by only installing and
+ documenting gpt and grub2.
+
+ Read Crux HandBook,
+ you can ask for help on freenode #crux. Check scripts
+ folder the install process is automated and ports
+ for extra ports used during the installation.
+ This is part of the Tribu System Documentation.
+ Copyright (C) 2020
+ Tribu Team.
+ See the file Gnu Free Documentation License
+ for copying conditions. Version; Add this to default or main
- nginx virtual host;2.6.1. AppArmor
+ 2.6.1. AppArmor
-
- $ sudo prt-get depinst apparmor
-
- 2.6.1.1 Install
-
- GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT apparmor=1 security=apparmor"
-
+
+ $ sudo prt-get depinst apparmor
+
-
- none /sys/kernel/security securityfs defaults 0 0
-
+
+ GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT apparmor=1 security=apparmor"
+
-
- # apparmor_status
-
+
+ none /sys/kernel/security securityfs defaults 0 0
+
-
- aa-audit aa-disable aa-genprof aa-status
- aa-autodep aa-easyprof aa-logprof aa-unconfined
- aa-cleanprof aa-enabled aa-mergeprof
- aa-complain aa-enforce aa-notify
- aa-decode aa-exec aa-remove-unknown
-
+ Profiles
+
+ # apparmor_status
+
-
- # cp -r /usr/share/apparmor/extra-profiles/* /etc/apparmor.d/
- # sudo rm /etc/apparmor.d/README
- # bash /etc/rc.d/apparmor restart
-
-
-
- Usage: apparmor_parser [options] [profile]
-
- Options:
- --------
- -a, --add Add apparmor definitions [default]
- -r, --replace Replace apparmor definitions
- -R, --remove Remove apparmor definitions
- -C, --Complain Force the profile into complain mode
- -B, --binary Input is precompiled profile
- -N, --names Dump names of profiles in input.
- -S, --stdout Dump compiled profile to stdout
- -o n, --ofile n Write output to file n
- -b n, --base n Set base dir and cwd
- -I n, --Include n Add n to the search path
- -f n, --subdomainfs n Set location of apparmor filesystem
- -m n, --match-string n Use only features n
- -M n, --features-file n Use only features in file n
- -n n, --namespace n Set Namespace for the profile
- -X, --readimpliesX Map profile read permissions to mr
- -k, --show-cache Report cache hit/miss details
- -K, --skip-cache Do not attempt to load or save cached profiles
- -T, --skip-read-cache Do not attempt to load cached profiles
- -W, --write-cache Save cached profile (force with -T)
- --skip-bad-cache Don't clear cache if out of sync
- --purge-cache Clear cache regardless of its state
- --debug-cache Debug cache file checks
- -L, --cache-loc n Set the location of the profile cache
- -q, --quiet Don't emit warnings
- -v, --verbose Show profile names as they load
- -Q, --skip-kernel-load Do everything except loading into kernel
- -V, --version Display version info and exit
- -d [n], --debug Debug apparmor definitions OR [n]
- -p, --preprocess Dump preprocessed profile
- -D [n], --dump Dump internal info for debugging
- -O [n], --Optimize Control dfa optimizations
- -h [cmd], --help[=cmd] Display this text or info about cmd
- -j n, --jobs n Set the number of compile threads
- --max-jobs n Hard cap on --jobs. Default 8*cpus
- --abort-on-error Abort processing of profiles on first error
- --skip-bad-cache-rebuild Do not try rebuilding the cache if it is rejected by the kernel
- --warn n Enable warnings (see --help=warn)
-
-
- Create profile with audit
-
-
- # sysctl -w kernel.printk_ratelimit=0
-
-
-
- $ sudo aa-genprof /usr/bin/lynx
-
-
-
- # aa-logprof -f /var/log/kernel
-
-
-
- # aa-notify --file=/var/log/kernel -u username -l
-
-
-
- # aa-logprof -f /var/log/kernel
-
-
-
- Create profile manually
-
-
- $ whereis lynx
- lynx: /usr/bin/lynx /usr/etc/lynx.lss /usr/etc/lynx.cfg /usr/etc/lynx.cfg~ /usr/share/man/man1/lynx.1.gz
-
-
-
- # vim /etc/apparmor.d/usr.bin.lynx
-
-
-
- #include <tunables/global>
-
- profile lynx /usr/bin/lynx {
- #include <abstractions/base>
- }
-
-
- Seed up profile loading
-
-
- ## Turn creating/updating of the cache on by default
- write-cache
-
-
-
+ aa-audit aa-disable aa-genprof aa-status
+ aa-autodep aa-easyprof aa-logprof aa-unconfined
+ aa-cleanprof aa-enabled aa-mergeprof
+ aa-complain aa-enforce aa-notify
+ aa-decode aa-exec aa-remove-unknown
+
-
- chache-loc=/var/cache/apparmor
-
+ 6.2.1.2 Configure
- Core OS Index
-
+ # cp -r /usr/share/apparmor/extra-profiles/* /etc/apparmor.d/
+ # sudo rm /etc/apparmor.d/README
+ # bash /etc/rc.d/apparmor restart
+
+
+ 6.2.1.3 Profiles
+
+
+ Usage: apparmor_parser [options] [profile]
+
+ Options:
+ --------
+ -a, --add Add apparmor definitions [default]
+ -r, --replace Replace apparmor definitions
+ -R, --remove Remove apparmor definitions
+ -C, --Complain Force the profile into complain mode
+ -B, --binary Input is precompiled profile
+ -N, --names Dump names of profiles in input.
+ -S, --stdout Dump compiled profile to stdout
+ -o n, --ofile n Write output to file n
+ -b n, --base n Set base dir and cwd
+ -I n, --Include n Add n to the search path
+ -f n, --subdomainfs n Set location of apparmor filesystem
+ -m n, --match-string n Use only features n
+ -M n, --features-file n Use only features in file n
+ -n n, --namespace n Set Namespace for the profile
+ -X, --readimpliesX Map profile read permissions to mr
+ -k, --show-cache Report cache hit/miss details
+ -K, --skip-cache Do not attempt to load or save cached profiles
+ -T, --skip-read-cache Do not attempt to load cached profiles
+ -W, --write-cache Save cached profile (force with -T)
+ --skip-bad-cache Don't clear cache if out of sync
+ --purge-cache Clear cache regardless of its state
+ --debug-cache Debug cache file checks
+ -L, --cache-loc n Set the location of the profile cache
+ -q, --quiet Don't emit warnings
+ -v, --verbose Show profile names as they load
+ -Q, --skip-kernel-load Do everything except loading into kernel
+ -V, --version Display version info and exit
+ -d [n], --debug Debug apparmor definitions OR [n]
+ -p, --preprocess Dump preprocessed profile
+ -D [n], --dump Dump internal info for debugging
+ -O [n], --Optimize Control dfa optimizations
+ -h [cmd], --help[=cmd] Display this text or info about cmd
+ -j n, --jobs n Set the number of compile threads
+ --max-jobs n Hard cap on --jobs. Default 8*cpus
+ --abort-on-error Abort processing of profiles on first error
+ --skip-bad-cache-rebuild Do not try rebuilding the cache if it is rejected by the kernel
+ --warn n Enable warnings (see --help=warn)
+
+
+ 2.6.1.4 Profile with audit
+
+
+ # sysctl -w kernel.printk_ratelimit=0
+
+
+
+ $ sudo aa-genprof /usr/bin/lynx
+
+
+
+ $ sudo aa-complain lynx
+
+
+
+ # aa-logprof -f /var/log/kernel
+
+
+
+ # apparmor_parser -r lynx
+
+
+
+ # aa-notify --file=/var/log/kernel -u username -l
+
+
+
+ # aa-logprof -f /var/log/kernel
+
+
+ 2.6.1.5 Edit profiles
+
+ File Globing
+
+
+
+
+ File Permissions
+
+
+
+
+
+
+
+ 2.6.1.6 Speedup startup
+
+
+ ## Turn creating/updating of the cache on by default
+ write-cache
+
+
+
+ chache-loc=/var/cache/apparmor
+
+
+ Core OS Index
+ Core OS
-
- 1. Install Crux 3.5 Gnu/Linux
-
-
-
-
- 2. System Administration
-
-
-
-
-
- Documentation Index
-
-
-
-
-
-
-
-
- Core OS
+
+ 1. Install Crux 3.5 Gnu/Linux
+
+
+
+
+ 2. System Administration
+
+
+
+
+
+ Documentation Index
+
+
+
+
+
+
+
+
+
- rev 0.6.0
+ rev 0.6.2
Links contains relevant
diff --git a/tools/conf/etc/dnsmasq.conf b/tools/conf/etc/dnsmasq.conf
index c7dd4cd..b6267fa 100644
--- a/tools/conf/etc/dnsmasq.conf
+++ b/tools/conf/etc/dnsmasq.conf
@@ -69,7 +69,7 @@ no-poll
# Add other name servers here, with domain specs if they are for
# non-public domains.
#server=/localnet/192.168.0.1
-#server=127.0.0.1#40
+#server=10.0.0.4#40
#server=213.73.91.35
#server=37.235.1.174
#server=84.200.69.80
@@ -89,7 +89,6 @@ local=/ank/
# The example below send any host in double-click.net to a local
# web-server.
address=/tribu.semdestino.org/10.0.0.4
-#address=/tribu.semdestino.org/192.168.1.5
#host-record=tribu.semdestino.org,10.0.0.4
#host-record=tribu.semdestino.org,192.168.1.67
@@ -128,9 +127,9 @@ interface=wlp7s0
#except-interface=wlp7s0
#except-interface=enp8s0
-# Or which to listen on by address (remember to include 127.0.0.1 if
+# Or which to listen on by address (remember to include 10.0.0.4 if
# you use this.)
-#listen-address=127.0.0.1
+#listen-address=10.0.0.4
#listen-address=10.0.0.254
#listen-address=192.168.1.33
@@ -178,11 +177,17 @@ dhcp-option=15,ank
# Same idea, but range rather then subnet
#domain=reserved.thekelleys.org.uk,192.68.3.100,192.168.3.200
-#address=/.akamai.net/127.0.0.1
-address=/.firefox.com/127.0.0.1
-#address=/.google.com/127.0.0.1
-address=/.stripe.com/127.0.0.1
-address=/.mozilla.com/127.0.0.1
+address=/.akamai.net/10.0.0.4
+address=/.akamaitechnologies.com/10.0.0.4
+address=/.firefox.com/10.0.0.4
+#address=/.google.com/10.0.0.4
+address=/.stripe.com/10.0.0.4
+address=/.mozilla.com/10.0.0.4
+address=/.amazonaws.com/10.0.0.4
+address=/.amazontrust.com/10.0.0.4
+address=/.1e100.net/10.0.0.4
+address=/.1e100.net/10.0.0.4
+address=/.ank.sec-t4net-srv/10.0.0.4
# Uncomment this to enable the integrated DHCP server, you need
# to supply the range of addresses available for lease and optionally
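Review bot: `address=/.1e100.net/10.0.0.4` is listed twice in the new block; drop one of the two lines. The new wildcard entries also widen the sinkhole to `.amazontrust.com`, which hosts OCSP and CRL endpoints for Amazon-issued certificates, and to `.akamai.net`/`.akamaitechnologies.com`/`.amazonaws.com`, CDN and hosting domains that unrelated clients of this resolver depend on; a 10.0.0.4 answer for those names shows up as revocation-check and download failures that are hard to trace back to dnsmasq. A one-line comment naming the purpose of the block (ad/telemetry blocking versus local mirroring) would make the intent reviewable, and the CA domain should come out unless the redirect is deliberate; running with `log-queries` during rollout shows what the list actually catches.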
diff --git a/tools/conf/etc/logrotate.conf b/tools/conf/etc/logrotate.conf
index 896b779..636dffb 100644
--- a/tools/conf/etc/logrotate.conf
+++ b/tools/conf/etc/logrotate.conf
@@ -9,13 +9,10 @@ rotate 4
create
# uncomment this if you want your log files compressed
-compress
+#compress
olddir /var/log/old
-
-notifempty
-
-maxsize 5M
+maxsize 1M
# some packages can drop log rotation information into
# this directory
@@ -23,111 +20,297 @@ include /etc/logrotate.d
# few generic files to rotate
/var/log/wtmp {
+ monthly
create 0644 root root
- rotate 5
+ rotate 1
}
/var/log/btmp {
+ monthly
create 0600 root root
- rotate 5
+ rotate 1
}
# system-specific logs may be also be configured here.
-/var/log/faillog {
- maxsize 5M
+/var/log/auth {
+ missingok
+ notifempty
+ compress
+ delaycompress
+ sharedscripts
+ postrotate
+ /etc/init.d/syslog-ng reload
+ endscript
}
-/var/log/lastlog {
- maxsize 5M
+/var/log/sudo {
+ missingok
+ notifempty
+ compress
+ delaycompress
+ sharedscripts
+ postrotate
+ /etc/init.d/syslog-ng reload
+ endscript
}
-/var/log/auth {
- create 0644 root root
- rotate 5
- sharedscripts
+/var/log/cron {
+ missingok
+ notifempty
+ compress
+ delaycompress
+ sharedscripts
+ postrotate
+ /etc/init.d/syslog-ng reload
+ endscript
+}
+
+/var/log/daemon {
+ rotate 7
+ missingok
+ notifempty
+ compress
+ delaycompress
+ sharedscripts
+ postrotate
+ /etc/init.d/syslog-ng reload
+ endscript
+}
+
+/var/log/debug {
+ missingok
+ notifempty
+ compress
+ delaycompress
+ sharedscripts
+ postrotate
+ /etc/init.d/syslog-ng reload
+ endscript
+}
+
+/var/log/error {
+ missingok
+ notifempty
+ compress
+ delaycompress
+ sharedscripts
+ postrotate
+ /etc/init.d/syslog-ng reload
+ endscript
+}
+
+/var/log/iptables {
+ # uncomment this if you want your log files compressed
+ delaycompress
+ compress
postrotate
- if [ -f /var/run/syslog-ng.pid ]; then \
- kill -HUP `cat /var/run/syslog-ng.pid`; \
- fi;
+ /etc/rc.d/syslog-ng reload >/dev/null
endscript
}
-/var/log/cron {
- create 0644 root root
- rotate 5
- sharedscripts
+/var/log/kernel {
+ missingok
+ notifempty
+ compress
+ delaycompress
+ sharedscripts
+ postrotate
+ /etc/init.d/syslog-ng reload
+ endscript
+}
+
+/var/log/lpr {
+ missingok
+ notifempty
+ compress
+ delaycompress
+ sharedscripts
+ postrotate
+ /etc/init.d/syslog-ng reload
+ endscript
+}
+
+/var/log/mail.err {
+ missingok
+ notifempty
+ compress
+ delaycompress
+ sharedscripts
+ postrotate
+ /etc/init.d/syslog-ng reload
+ endscript
+}
+
+/var/log/mail.info {
+ missingok
+ notifempty
+ compress
+ delaycompress
+ sharedscripts
+ postrotate
+ /etc/init.d/syslog-ng reload
+ endscript
+}
+
+/var/log/mail {
+ missingok
+ notifempty
+ compress
+ delaycompress
+ sharedscripts
+ postrotate
+ /etc/init.d/syslog-ng reload
+ endscript
+}
+
+/var/log/mail.warn {
+ missingok
+ notifempty
+ compress
+ delaycompress
+ sharedscripts
+ postrotate
+ /etc/init.d/syslog-ng reload
+ endscript
+}
+
+/var/log/messages {
+ missingok
+ notifempty
+ compress
+ delaycompress
+ sharedscripts
+ postrotate
+ /etc/init.d/syslog-ng reload
+ endscript
+}
+
+
+/var/log/user {
+ missingok
+ notifempty
+ compress
+ delaycompress
+ sharedscripts
+ postrotate
+ /etc/init.d/syslog-ng reload
+ endscript
+}
+
+/var/log/uucp {
+ missingok
+ notifempty
+ compress
+ delaycompress
+ sharedscripts
+ postrotate
+ /etc/init.d/syslog-ng reload
+ endscript
+}
+
+/var/log/syslog-ng {
+ rotate 7
+ daily
+ compress
+ delaycompress
+ sharedscripts
+ postrotate
+ /etc/init.d/syslog-ng reload
+ endscript
+}
+
+/var/log/dnsmasq {
+ # uncomment this if you want your log files compressed
+ delaycompress
+ compress
postrotate
- if [ -f /var/run/syslog-ng.pid ]; then \
- kill -HUP `cat /var/run/syslog-ng.pid`; \
- fi;
+ /etc/rc.d/syslog-ng reload >/dev/null
endscript
}
-/var/log/debug {
+/var/log/pgsql {
+ # create new (empty) log files after rotating old ones
create 0644 root root
- rotate 5
- sharedscripts
+ # uncomment this if you want your log files compressed
+ delaycompress
+ compress
+ notifempty
+ maxsize 5M
postrotate
- if [ -f /var/run/syslog-ng.pid ]; then \
- kill -HUP `cat /var/run/syslog-ng.pid`; \
- fi;
+ /etc/rc.d/syslog-ng reload >/dev/null
endscript
}
-/var/log/kernel {
- rotate 5
- create 0644 root root
- sharedscripts
+/var/log/git-daemon {
+ # uncomment this if you want your log files compressed
+ delaycompress
+ compress
postrotate
- if [ -f /var/run/syslog-ng.pid ]; then \
- kill -HUP `cat /var/run/syslog-ng.pid`; \
- fi;
+ /etc/rc.d/syslog-ng reload >/dev/null
endscript
}
-/var/log/daemon {
+/var/log/gitolite {
+ # uncomment this if you want your log files compressed
+ delaycompress
+ compress
+ postrotate
+ /etc/rc.d/syslog-ng reload >/dev/null
+ endscript
+}
+
+/var/log/php-fpm {
+ # uncomment this if you want your log files compressed
+ delaycompress
compress
- rotate 5
- create 644 root root
- sharedscripts
postrotate
- if [ -f /var/run/syslog-ng.pid ]; then \
- kill -HUP `cat /var/run/syslog-ng.pid`; \
- fi;
+ /etc/rc.d/syslog-ng reload >/dev/null
endscript
+}
+/var/log/php {
+ # uncomment this if you want your log files compressed
+ delaycompress
+ compress
+ postrotate
+ /etc/rc.d/syslog-ng reload >/dev/null
+ endscript
}
-/var/log/messages {
- rotate 5
- create 0644 root root
- sharedscripts
+/var/log/nginx_access {
+ # uncomment this if you want your log files compressed
+ delaycompress
+ compress
postrotate
- if [ -f /var/run/syslog-ng.pid ]; then \
- kill -HUP `cat /var/run/syslog-ng.pid`; \
- fi;
+ /etc/rc.d/syslog-ng reload >/dev/null
endscript
}
-/var/log/mail {
- create 0644 root root
- rotate 5
- sharedscripts
+/var/log/nginx_error {
+ # uncomment this if you want your log files compressed
+ delaycompress
+ compress
postrotate
- if [ -f /var/run/syslog-ng.pid ]; then \
- kill -HUP `cat /var/run/syslog-ng.pid`; \
- fi;
+ /etc/rc.d/syslog-ng reload >/dev/null
endscript
}
-/var/log/user {
- create 0644 root root
- rotate 5
- sharedscripts
+/var/log/nginx/tribu_error.log {
+ # uncomment this if you want your log files compressed
+ delaycompress
+ compress
+ olddir /var/log/old/nginx
postrotate
- if [ -f /var/run/syslog-ng.pid ]; then \
- kill -HUP `cat /var/run/syslog-ng.pid`; \
- fi;
+ /etc/rc.d/syslog-ng reload >/dev/null
endscript
}
+/var/log/nginx/tribu_access.log {
+ # uncomment this if you want your log files compressed
+ delaycompress
+ compress
+ olddir /var/log/old/nginx
+ postrotate
+ /etc/rc.d/syslog-ng reload >/dev/null
+ endscript
+}
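Review bot: the postrotate scripts in this hunk call two different init paths — `/etc/init.d/syslog-ng reload` in the auth, sudo, cron, daemon, debug, error, kernel, lpr, mail*, messages, user, uucp and syslog-ng entries, and `/etc/rc.d/syslog-ng reload >/dev/null` in the iptables, dnsmasq, pgsql, git-daemon, gitolite, php-fpm, php and nginx_* entries. Elsewhere on this page the system's init scripts live under /etc/rc.d (`bash /etc/rc.d/apparmor restart`), so the /etc/init.d form is probably a path that does not exist on the target host; when it fails the file has already been renamed, syslog-ng keeps writing to the rotated file through its open descriptor, and /var/log/auth and /var/log/sudo — the entries an incident responder reads first — stop filling in the expected location. Use one form throughout: `/etc/rc.d/syslog-ng reload >/dev/null`. A doubled blank line sits between the messages and user entries, and `sharedscripts` on single-file entries is a no-op that can be dropped.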
diff --git a/tools/conf/etc/logrotate.d/dnsmasq b/tools/conf/etc/logrotate.d/dnsmasq
deleted file mode 100644
index 3151ddc..0000000
--- a/tools/conf/etc/logrotate.d/dnsmasq
+++ /dev/null
@@ -1,11 +0,0 @@
-/var/log/dnsmasq {
- weekly
- create 0644 root root
- rotate 5
- sharedscripts
- postrotate
- if [ -f /var/run/syslog-ng.pid ]; then \
- kill -HUP `cat /var/run/syslog-ng.pid`; \
- fi;
- endscript
-}
diff --git a/tools/conf/etc/logrotate.d/gitolite b/tools/conf/etc/logrotate.d/gitolite
deleted file mode 100644
index 547d6b6..0000000
--- a/tools/conf/etc/logrotate.d/gitolite
+++ /dev/null
@@ -1,12 +0,0 @@
-/var/log/gitolite {
- rotate 5
- monthly
- create 0644 root root
- sharedscripts
- postrotate
- if [ -f /var/run/syslog-ng.pid ]; then \
- kill -HUP `cat /var/run/syslog-ng.pid`; \
- fi;
- endscript
-
-}
diff --git a/tools/conf/etc/logrotate.d/letsencrypt b/tools/conf/etc/logrotate.d/letsencrypt
new file mode 100644
index 0000000..ce73ebc
--- /dev/null
+++ b/tools/conf/etc/logrotate.d/letsencrypt
@@ -0,0 +1,7 @@
+/var/log/letsencrypt/*.log {
+ # uncomment this if you want your log files compressed
+ delaycompress
+ compress
+ olddir /var/log/old/letsencrypt
+ notifempty
+}
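Review bot: the new entry has no `missingok`, so on a host where certbot has not written anything yet the glob `/var/log/letsencrypt/*.log` matches nothing and logrotate reports an error for it on every run; likewise `olddir /var/log/old/letsencrypt` has to exist before the first rotation (logrotate skips the entry otherwise) and nothing on the page creates it. Add `missingok`, and either create the directory in the install scripts or add `createolddir 0755 root root` next to the `olddir` line.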
diff --git a/tools/conf/etc/logrotate.d/nginx b/tools/conf/etc/logrotate.d/nginx
deleted file mode 100644
index ae05445..0000000
--- a/tools/conf/etc/logrotate.d/nginx
+++ /dev/null
@@ -1,23 +0,0 @@
-/var/log/nginx/access.log {
- weekly
- create 0664 root www
- rotate 5
- sharedscripts
- postrotate
- if [ -f /var/run/syslog-ng.pid ]; then \
- kill -HUP `cat /var/run/syslog-ng.pid`; \
- fi;
- endscript
-}
-
-/var/log/nginx/error.log {
- weekly
- create 0644 root root
- rotate 5
- sharedscripts
- postrotate
- if [ -f /var/run/syslog-ng.pid ]; then \
- kill -HUP `cat /var/run/syslog-ng.pid`; \
- fi;
- endscript
-}
diff --git a/tools/conf/etc/logrotate.d/php-fpm b/tools/conf/etc/logrotate.d/php-fpm
deleted file mode 100644
index c778658..0000000
--- a/tools/conf/etc/logrotate.d/php-fpm
+++ /dev/null
@@ -1,5 +0,0 @@
-/var/log/php-fpm.log {
- rotate 5
- monthly
- create 0644 root root
-}
diff --git a/tools/conf/etc/logrotate.d/postgres b/tools/conf/etc/logrotate.d/postgres
deleted file mode 100644
index fc59aad..0000000
--- a/tools/conf/etc/logrotate.d/postgres
+++ /dev/null
@@ -1,17 +0,0 @@
-/var/log/pgsql {
- weekly
- compress
- delaycompress
- rotate 10
- notifempty
- create 660 postgres postgres
- sharedscripts
- postrotate
- if [ -f /var/run/syslog-ng.pid ]; then \
- kill -HUP `cat /var/run/syslog-ng.pid`; \
- fi;
- endscript
-
-}
-
-
diff --git a/tools/conf/etc/logrotate.d/postgresql b/tools/conf/etc/logrotate.d/postgresql
new file mode 100644
index 0000000..8c16bfa
--- /dev/null
+++ b/tools/conf/etc/logrotate.d/postgresql
@@ -0,0 +1,10 @@
+# this log is only used by postgresql at startup
+# before start using syslog so there is no need
+# to reload syslog-ng or syslog-ng
+/var/log/postgresql {
+ # uncomment this if you want your log files compressed
+ delaycompress
+ compress
+ notifempty
+ create 664 postgres postgres
+}
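Review bot: `create 664 postgres postgres` makes the freshly created startup log group-writable; nothing on the page shows a second writer in the `postgres` group, so `create 640 postgres postgres` is the tighter default and still lets the group read it. The header comment repeats itself (`to reload syslog-ng or syslog-ng`); `# to reload syslog-ng after rotation` says what is meant. `missingok` is also worth adding, since the file only exists on hosts where PostgreSQL has started at least once.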
diff --git a/tools/conf/etc/nginx/nginx.conf b/tools/conf/etc/nginx/nginx.conf
index 8fca293..1339275 100644
--- a/tools/conf/etc/nginx/nginx.conf
+++ b/tools/conf/etc/nginx/nginx.conf
@@ -6,36 +6,36 @@
user www;
worker_processes auto;
-error_log /var/log/nginx/error.log;
+error_log syslog:server=unix:/dev/log debug;
pid /var/run/nginx.pid;
-
events {
worker_connections 1024;
}
-
http {
include mime.types;
default_type application/octet-stream;
- #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
- # '$status $body_bytes_sent "$http_referer" '
- # '"$http_user_agent" "$http_x_forwarded_for"';
-
- access_log /var/log/nginx/access.log;
- error_log /var/log/nginx/error.log;
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
sendfile on;
#tcp_nopush on;
- client_max_body_size 8M;
- keepalive_timeout 65;
- client_body_timeout 12;
- client_header_timeout 12;
- send_timeout 65;
+ # Allow attach iso to wiki
+ #client_max_body_size 8M;
+ client_max_body_size 30M;
+ #keepalive_timeout 65;
+ keepalive_timeout 120;
+ #client_body_timeout 12;
+ client_body_timeout 24;
+ #client_header_timeout 12;
+ client_header_timeout 24;
+ send_timeout 65;
gzip on;
gzip_vary on;
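Review bot: `error_log syslog:server=unix:/dev/log debug;` at the main level selects the most verbose level nginx has; on a `--with-debug` build it streams every connection's internals, request headers included, into syslog and through the new /var/log/daemon rotation, and on a build without `--with-debug` the word buys nothing over `info`. `warn` (or `error`) is the usual production setting: `error_log syslog:server=unix:/dev/log warn;`. The same `debug` level reappears on the vhost `error_log` in sites-enabled/default.conf.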
@@ -45,88 +45,6 @@ http {
# gzip_http_version 1.1;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
-
- include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*.conf;
-
- #server {
- # listen 80;
- # server_name localhost;
- #
- # #charset koi8-r;
- #
- # location / {
- # root html;
- # index index.html index.htm;
- # }
- #
- # error_page 404 /404.html;
- #
- # # redirect server error pages to the static page /50x.html
- # #
- # error_page 500 502 503 504 /50x.html;
- # location = /50x.html {
- # root html;
- # }
- #
- # # proxy the PHP scripts to Apache listening on 127.0.0.1:80
- # #
- # #location ~ \.php$ {
- # # proxy_pass http://127.0.0.1;
- # #}
- #
- # # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
- # #
- # #location ~ \.php$ {
- # # root html;
- # # fastcgi_pass 127.0.0.1:9000;
- # # fastcgi_index index.php;
- # # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
- # # include fastcgi_params;
- # #}
- #
- # # deny access to .htaccess files, if Apache's document root
- # # concurs with nginx's one
- # #
- # #location ~ /\.ht {
- # # deny all;
- # #}
- #}
-
-
- # another virtual host using mix of IP-, name-, and port-based configuration
- #
- #server {
- # listen 8000;
- # listen somename:8080;
- # server_name somename alias another.alias;
-
- # location / {
- # root html;
- # index index.html index.htm;
- # }
- #}
-
-
- # HTTPS server
- #
- #server {
- # listen 443 ssl;
- # server_name localhost;
-
- # ssl_certificate cert.pem;
- # ssl_certificate_key cert.key;
-
- # ssl_session_cache shared:SSL:1m;
- # ssl_session_timeout 5m;
-
- # ssl_ciphers HIGH:!aNULL:!MD5;
- # ssl_prefer_server_ciphers on;
-
- # location / {
- # root html;
- # index index.html index.htm;
- # }
- #}
-
}
+# End of file
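Review bot: `include /etc/nginx/conf.d/*.conf;` disappears from the http block along with the commented sample servers, which is a functional change hidden among comment deletions: any snippet still living in /etc/nginx/conf.d stops being loaded, and nginx reports nothing because an include glob that matches no file is not an error. If conf.d is being retired deliberately, a one-line comment next to the remaining include, `# only sites-enabled is loaded; /etc/nginx/conf.d is no longer read`, records the decision; otherwise the include belongs back.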
diff --git a/tools/conf/etc/nginx/sites-enabled/default.conf b/tools/conf/etc/nginx/sites-enabled/default.conf
index c35b0cd..fb9fb8e 100644
--- a/tools/conf/etc/nginx/sites-enabled/default.conf
+++ b/tools/conf/etc/nginx/sites-enabled/default.conf
@@ -1,15 +1,13 @@
server {
+ server_name tribu.semdestino.org;
-#listen 443 ssl http2;
- listen 443 ssl;
+ listen 80 default_server;
+ listen 443 ssl default_server;
-# listen 80;
- server_name machine.example;
+ ssl_certificate /etc/letsencrypt/live/tribu.semdestino.org/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/tribu.semdestino.org/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/tribu.semdestino.org/chain.pem;
-# listen [::]:443 ssl http2;
- ssl_certificate /etc/letsencrypt/live/machine.example/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/machine.example/privkey.pem;
- ssl_trusted_certificate /etc/letsencrypt/live/machine.example/chain.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
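Review bot: `listen 80 default_server;` and `listen 443 ssl default_server;` sit in the same server block with no redirect, so every proxied application below (webmail under /email, the forum, the task tracker) also answers on plain HTTP and accepts login forms and session cookies over it. Split the plain-HTTP listener into its own server that serves only the ACME path and redirects everything else; the 443 server keeps its directives as they are. The server block continues past this hunk, and an `add_header Strict-Transport-Security "max-age=31536000" always;` on the 443 side would keep returning clients on TLS.
```nginx
server {
    listen 80 default_server;
    server_name tribu.semdestino.org;
    # ACME challenge stays on HTTP; everything else moves to TLS.
    location ^~ /.well-known {
        proxy_pass http://wiki.c2.ank;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    server_name tribu.semdestino.org;
    listen 443 ssl default_server;
    # … unchanged: ssl_certificate, ssl_certificate_key, ssl_trusted_certificate, session settings …
```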
@@ -20,84 +18,62 @@ server {
ssl_stapling on;
ssl_stapling_verify on;
- access_log /var/log/nginx/access.log;
- error_log /var/log/nginx/error.log;
+ access_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_vhost,nohostname main;
+ error_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_vhost_err,nohostname debug;
-
- root /srv/www;
-
- location /ports/distfiles {
- alias /usr/ports/distfiles;
- }
-
- location /ports/packages {
- alias /usr/ports/distfiles;
- }
+ root /etc/html/;
location /doc {
alias /srv/www/doc;
index index.html;
}
- location /git/static {
-# static files (png/css) served from /usr/share/gitweb/static
- alias /srv/www/gitweb/static;
- expires 30d;
+ location /pub {
+ proxy_pass http://wiki.c2.ank:8080;
+ }
+
+ location /wiki {
+ proxy_pass http://wiki.c2.ank:8080;
}
location /git {
- alias /srv/www/gitweb;
- index gitweb.cgi;
- fastcgi_split_path_info ^/git()(/?.+)$;
- fastcgi_param GITWEB_CONFIG /etc/gitweb.conf;
- fastcgi_param DOCUMENT_ROOT /srv/www/gitweb;
- fastcgi_param SCRIPT_NAME /gitweb.cgi$fastcgi_path_info;
-
- include fastcgi_params;
- fastcgi_pass unix:/var/run/fcgiwrap.sock;
+ proxy_pass http://git.c2.ank:8080;
+ }
+
+ location /forum {
+ proxy_pass http://forum.c2.ank:8080;
}
location /task {
- index index.php;
- alias /srv/www/flyspray;
- try_files $uri $uri/ index.php$is_args$args;
+ proxy_pass http://task.c2.ank:8080;
}
- location ~ ^/task(.+\.php)$ { ### This location block was the solution
- alias /srv/www/flyspray;
- fastcgi_split_path_info ^(.+\.php)(/.+)$;
- fastcgi_index index.php;
- try_files $uri /index.php =404;
- include /etc/nginx/fastcgi_params;
- fastcgi_param SCRIPT_FILENAME $document_root$1;
-# fastcgi_pass unix:/var/run/php5-fpm.sock;
- fastcgi_pass 127.0.0.1:9000;
+ location /shop {
+ proxy_pass http://shop.c2.ank:8080;
}
- location / {
- alias /srv/www/pmwiki/;
- index pmwiki.php;
- try_files $uri $uri/ /pmwiki.php$is_args$args;
+ location /email {
+ proxy_pass http://email.c2.ank:8080;
}
-# ACME challenge
- location ^~ /.well-known {
- allow all;
- alias /srv/www/pmwiki/pub/cert/.well-known/;
- default_type "text/plain";
- try_files $uri =404;
+ location /mirror {
+ proxy_pass http://c1.ank;
}
+ location /awstats {
+ proxy_pass http://awstats.c2.ank:8080;
+ }
+
+ location /stats {
+ proxy_pass http://stats.c2.ank:8080;
+ }
- location ~ \.php$ {
- alias /srv/www/pmwiki;
- index pmwiki.php;
- fastcgi_split_path_info ^(.+\.php)(/.+)$;
- fastcgi_index pmwiki.php;
- try_files $uri /pmwiki.php =404;
- include /etc/nginx/fastcgi_params;
- fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-# fastcgi_pass unix:/var/run/php5-fpm.sock;
- fastcgi_pass 127.0.0.1:9000;
+ # ACME challenge
+ location ^~ /.well-known {
+ proxy_pass http://wiki.c2.ank;
+ }
+
+ location / {
+ proxy_pass http://frontpage.c2.ank;
}
}
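Review bot: none of the new `proxy_pass` locations set forwarding headers, so each back-end sees `Host` as its own `*.c2.ank:8080` name, the front end's address as the client, and no sign that the original request was HTTPS. Back-end access logs and any per-IP throttling they do will therefore record the proxy instead of the real client, which matters for incident response, and applications that build absolute URLs from Host and scheme may emit `http://wiki.c2.ank:8080/...` links. Setting the headers once at server level, right after the `error_log` line, covers every location in this block that defines none of its own (`proxy_set_header` is inherited only when a location sets none). The enclosing `server {` opens in the previous hunk.
```nginx
    error_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_vhost_err,nohostname debug;
    # Forwarded by every proxy_pass location below that sets no proxy_set_header of its own.
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    # … unchanged: root, location /doc and the proxy_pass locations …
```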
diff --git a/tools/conf/etc/nginx/sites-enabled/email.c2.ank.conf b/tools/conf/etc/nginx/sites-enabled/email.c2.ank.conf
new file mode 100644
index 0000000..3ae544c
--- /dev/null
+++ b/tools/conf/etc/nginx/sites-enabled/email.c2.ank.conf
@@ -0,0 +1,61 @@
+server {
+ listen 8080;
+ server_name email.c2.ank;
+
+#access_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_git,nohostname main;
+#error_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_git_err,nohostname debug;
+#access_log /var/log/nginx/roundcube_access.log;
+#error_log /var/log/nginx/roundcube_error.log;
+
+
+
+ location /email {
+ alias /srv/www/email;
+ index index.php;
+ autoindex off;
+ }
+
+# Favicon
+ location ~ ^/email/favicon.ico$ {
+ root /srv/www/email/skins/classic/images;
+ log_not_found off;
+ access_log off;
+ expires max;
+ }
+# Robots file
+ location ~ ^/email/robots.txt {
+ allow all;
+ log_not_found off;
+ access_log off;
+ }
+# Deny Protected directories
+ location ~ ^/email/(config|temp|logs)/ {
+ deny all;
+ }
+ location ~ ^/email/(README|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ {
+ deny all;
+ }
+ location ~ ^/email/(bin|SQL)/ {
+ deny all;
+ }
+# Hide .md files
+ location ~ ^/email/(.+\.md)$ {
+ deny all;
+ }
+# Hide all dot files
+ location ~ ^/email/\. {
+ deny all;
+ access_log off;
+ log_not_found off;
+ }
+
+ location ~ /email/.*\.php {
+ alias /srv/www/email;
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ fastcgi_index index.php;
+ try_files $uri /index.php =404;
+ include /etc/nginx/fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_pass 127.0.0.1:9000;
+ }
+}
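Review bot: `fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;` in the `location ~ /email/.*\.php` block most likely resolves to `/srv/www/email/email/index.php`, because `$document_root` is the alias value and `$fastcgi_script_name` still carries the `/email` prefix; forum.c2.ank.conf avoids this by capturing the script path (`location ~ ^/forum(.+\.php)$` with `fastcgi_param SCRIPT_FILENAME $document_root$1;`), and the same pattern belongs here. The favicon block has the same shape problem: `root /srv/www/email/skins/classic/images;` is appended to the full URI, so `/email/favicon.ico` is looked up at `.../images/email/favicon.ico`; `alias /srv/www/email/skins/classic/images/favicon.ico;` is what is meant. Separately, `listen 8080;` (also in forum.c2.ank.conf and git.c2.ank.conf) binds every interface, so these PHP and CGI back-ends are reachable directly, without the TLS front end, unless the host firewall blocks 8080; binding to the internal address, `listen <backend-address>:8080;`, removes the dependency on the firewall.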
diff --git a/tools/conf/etc/nginx/sites-enabled/forum.c2.ank.conf b/tools/conf/etc/nginx/sites-enabled/forum.c2.ank.conf
new file mode 100644
index 0000000..2ed362a
--- /dev/null
+++ b/tools/conf/etc/nginx/sites-enabled/forum.c2.ank.conf
@@ -0,0 +1,26 @@
+server {
+ listen 8080;
+ server_name forum.c2.ank;
+
+ #access_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_forum,nohostname main;
+ #error_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_forum_err,nohostname debug;
+
+ root /srv/www/;
+
+ location /forum {
+ index index.php;
+ alias /srv/www/forum;
+ try_files $uri $uri/ index.php$is_args$args;
+ }
+
+ location ~ ^/forum(.+\.php)$ { ### This location block was the solution
+ alias /srv/www/forum;
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ fastcgi_index index.php;
+ try_files $uri /index.php =404;
+ include /etc/nginx/fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $document_root$1;
+# fastcgi_pass unix:/var/run/php5-fpm.sock;
+ fastcgi_pass 127.0.0.1:9000;
+ }
+}
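Review bot: `root /srv/www/;` at server level, with no `location /`, means every URI outside `/forum` on this host is served as a static file straight out of `/srv/www/` — and `/srv/www/` is the parent of every other application tree in this commit (`/srv/www/email`, `/srv/www/shop/upload`, `/srv/www/task`, `/srv/www/wiki`, `/srv/www/gitweb`). A request such as `http://forum.c2.ank:8080/email/config/config.inc.php` is therefore answered with the file's bytes: none of the email vhost's deny rules apply here, and `~ ^/forum(.+\.php)$` only routes PHP under `/forum`, so other apps' `.php` files come back as source (exact names depend on what is deployed). Either `root /srv/www/forum;` is not an option because of the alias mapping, so add `location / { return 404; }`, and a `location ~ /\. { deny all; }` for `.git`/`.htaccess` under `/forum` while at it.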
diff --git a/tools/conf/etc/nginx/sites-enabled/git.c2.ank.conf b/tools/conf/etc/nginx/sites-enabled/git.c2.ank.conf
new file mode 100644
index 0000000..56e6412
--- /dev/null
+++ b/tools/conf/etc/nginx/sites-enabled/git.c2.ank.conf
@@ -0,0 +1,28 @@
+server {
+ listen 8080;
+ server_name git.c2.ank;
+
+ #access_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_git,nohostname main;
+ #error_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_git_err,nohostname debug;
+
+ #access_log /var/log/nginx/git main;
+ #error_log /var/log/nginx/git_error debug;
+
+ root /srv/www/;
+
+ location /git/static {
+ # static files (png/css) served from /usr/share/gitweb/static
+ alias /srv/www/gitweb/static;
+ }
+
+ location /git {
+ alias /srv/www/gitweb;
+ index gitweb.cgi;
+ fastcgi_split_path_info ^/git()(/?.+)$;
+ fastcgi_param GITWEB_CONFIG /etc/gitweb.conf;
+ fastcgi_param DOCUMENT_ROOT /srv/www/gitweb;
+ fastcgi_param SCRIPT_NAME /gitweb.cgi$fastcgi_path_info;
+ include fastcgi_params;
+ fastcgi_pass unix:/var/run/fcgiwrap.sock;
+ }
+}
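Review bot: `root /srv/www/;` with no `location /` leaves every sibling application directory under `/srv/www/` (email, shop/upload, task, wiki, forum per the other vhosts) downloadable as static files on this host, including `.php` sources since nothing here sends PHP to FastCGI; add `location / { return 404; }` or narrow the root. Separately, the `/git` location never sets `SCRIPT_FILENAME`: the split `^/git()(/?.+)$` leaves `$fastcgi_script_name` empty, so fcgiwrap executes whatever the included `fastcgi_params` supplies for `SCRIPT_FILENAME` (if anything) rather than gitweb — pin it with `fastcgi_param SCRIPT_FILENAME /srv/www/gitweb/gitweb.cgi;`. The deleted `git.localhost.conf` had the same omission, so this is inherited rather than new, but the new file is the one that will be live. The comment on `/git/static` still says `/usr/share/gitweb/static` while the alias points at `/srv/www/gitweb/static`; update one or the other.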
diff --git a/tools/conf/etc/nginx/sites-enabled/git.localhost.conf b/tools/conf/etc/nginx/sites-enabled/git.localhost.conf
deleted file mode 100644
index 910df66..0000000
--- a/tools/conf/etc/nginx/sites-enabled/git.localhost.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-server {
- listen 443 ssl;
-
- server_name git.localhost git.machine.example git.machine.example.org;
-
- root /srv/www/gitweb;
-
- location /static/ {
- # static files (png/css) served from /usr/share/gitweb/static
- root /usr/share/gitweb ;
- expires 30d;
- }
-
- location / {
- index gitweb.cgi
- fastcgi_param GITWEB_CONFIG /etc/gitweb.conf;
- fastcgi_param DOCUMENT_ROOT /srv/www/gitweb/;
- fastcgi_param SCRIPT_NAME /gitweb.cgi$fastcgi_path_info;
- fastcgi_split_path_info ^()(/?.+)$;
-
- include fastcgi_params;
- fastcgi_pass unix:/var/run/fcgiwrap.sock;
- }
-
-}
diff --git a/tools/conf/etc/nginx/sites-enabled/shop.c2.ank.conf b/tools/conf/etc/nginx/sites-enabled/shop.c2.ank.conf
new file mode 100644
index 0000000..3a0aea1
--- /dev/null
+++ b/tools/conf/etc/nginx/sites-enabled/shop.c2.ank.conf
@@ -0,0 +1,84 @@
+server {
+ listen 8080;
+ server_name shop.c2.ank;
+
+
+ location ~ ^/shop/admin {
+ alias /srv/www/shop/upload/admin;
+ index index.php;
+
+ location ~ ^/shop/admin/config.php {
+ deny all;
+ }
+
+ location ~ \.php$ {
+ include /etc/nginx/fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $request_filename$1;
+ fastcgi_pass 127.0.0.1:9000;
+ }
+ }
+
+ location ^~ /shop {
+ alias /srv/www/shop/upload;
+ index index.php;
+ #try_files $uri $uri/ index.php$is_args$args;
+ #try_files index.php @opencart;
+
+ location ~ ^/shop/upload/image/data {
+ autoindex on;
+ }
+
+ location ~ ^/shop/config.php {
+ deny all;
+ }
+
+
+ location ~ ^/shop/admin/config.php {
+ deny all;
+ }
+
+# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
+#
+ location ~ ^/shop/\. {
+ deny all;
+ access_log off;
+ log_not_found off;
+ }
+ location ~ ^/shop/\.(jpg|jpeg|png|gif|css|js|ico)$ {
+ expires max;
+ log_not_found off;
+ }
+
+ location ~ \.php$ {
+ include /etc/nginx/fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $request_filename$1;
+ fastcgi_pass 127.0.0.1:9000;
+ #fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ #fastcgi_split_path_info ^(.+\.php)(.*)$;
+ #fastcgi_index index.php;
+ #try_files $uri /index.php =404;
+ # fastcgi_pass unix:/var/run/php5-fpm.sock;
+ }
+
+ }
+
+
+location @tribushop {
+ rewrite ^/shop/(.+)$ /shop/index.php?_route_=$1 last;
+ }
+
+ location /shop/engine {
+ deny all;
+ }
+
+ location ~ ^/shop/library {
+ deny all;
+ }
+
+ # Make sure files with the following extensions do not
+ # get loaded by nginx because nginx would display the
+ # source code, and these files can contain PASSWORDS!
+ location ~ ^/shop/\.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|.*ini|theme|tpl(\.php)?|xtmpl)$|^(\..*|Entries.*|Repository|Root|Tag|Template)$|\.php_ {
+ deny all;
+ }
+}
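Review bot: The `location ^~ /shop` prefix stops nginx from consulting any top-level regex location for `/shop/…` URIs, so `location ~ ^/shop/admin`, `location ~ ^/shop/library` and the closing "these files can contain PASSWORDS" deny are never evaluated — every `.inc`, `.sql`, `.ini`, `.tpl` file under `/srv/www/shop/upload` is served as plain static content by the `^~` block (only `location /shop/engine` survives, because it is a longer prefix). The closing pattern is also wrong on its own: `^/shop/\.(inc|…)$` matches only a file literally named `/shop/.inc`, and `^(\..*|Entries.*|…)$` can never match a URI that starts with `/shop/`; the same slip makes `^/shop/\.(jpg|…)$` match nothing. Move the deny rules inside the `^~ /shop` block ahead of the nested `\.php$` handler and match the extension anywhere in the path, as below. Both PHP handlers also pass `SCRIPT_FILENAME $request_filename$1`, but `\.php$` defines no capture, so `$1` appears to be empty — worth confirming what php-fpm actually receives.
```nginx
    location ^~ /shop {
        alias /srv/www/shop/upload;
        # … unchanged: index, config.php denies, dot-file deny, static-asset rule …

        # Must live inside the ^~ block: ^~ prevents nginx from consulting
        # top-level regex locations for /shop/... URIs.
        location ~ /shop/library/ {
            deny all;
        }
        location ~* \.(engine|inc|info|install|make|module|profile|test|po|sh|sql|ini|theme|tpl(\.php)?|xtmpl)$|\.php_ {
            deny all;
        }

        location ~ \.php$ {
            # … unchanged: fastcgi handler …
        }
    }
```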
diff --git a/tools/conf/etc/nginx/sites-enabled/task.c2.ank.conf b/tools/conf/etc/nginx/sites-enabled/task.c2.ank.conf
new file mode 100644
index 0000000..2d62e96
--- /dev/null
+++ b/tools/conf/etc/nginx/sites-enabled/task.c2.ank.conf
@@ -0,0 +1,21 @@
+server {
+ listen 8080;
+ server_name task.c2.ank;
+
+ location /task {
+ index index.php;
+ alias /srv/www/task;
+ try_files $uri $uri/ index.php$is_args$args;
+ }
+
+ location ~ ^/task(.+\.php)$ { ### This location block was the solution
+ alias /srv/www/task;
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ fastcgi_index index.php;
+ try_files $uri /index.php =404;
+ include /etc/nginx/fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $document_root$1;
+# fastcgi_pass unix:/var/run/php5-fpm.sock;
+ fastcgi_pass 127.0.0.1:9000;
+ }
+}
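Review bot: Nothing in this vhost denies hidden files or non-PHP source under `/task`, so `/task/.git/config`, a `.env`, or a `*.sql`/`*.ini` dump would be served verbatim from `/srv/www/task` if present — the email and shop vhosts in the same commit at least attempt this. Add `location ~ /\. { deny all; access_log off; log_not_found off; }` ahead of the PHP handler. The `try_files $uri /index.php =404` in the `.php` location also falls back to `index.php` for any non-existent `*.php` URI rather than refusing it; `try_files $uri =404;` is the usual choice unless the application relies on that rewrite.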
diff --git a/tools/conf/etc/nginx/sites-enabled/wiki.c2.ank.conf b/tools/conf/etc/nginx/sites-enabled/wiki.c2.ank.conf
new file mode 100644
index 0000000..1504fa1
--- /dev/null
+++ b/tools/conf/etc/nginx/sites-enabled/wiki.c2.ank.conf
@@ -0,0 +1,43 @@
+server {
+ listen 8080;
+ server_name wiki.c2.ank;
+
+ #access_log syslog:server=unix:/dev/log,facility=daemon,tag=vh_tribu,nohostname main;
+ #error_log syslog:server=unix:/dev/log,facility=daemon,tag=vh_tribu_err,nohostname debug;
+
+ #access_log /var/log/nginx/wiki main;
+ #error_log /var/log/nginx/wiki_error debug;
+
+ root /srv/www/;
+
+ location /pub {
+ alias /srv/www/wiki/pub;
+ }
+ # ACME challenge
+ location ^~ /.well-known {
+ allow all;
+ alias /srv/www/wiki/pub/cert/.well-known/;
+ default_type "text/plain";
+ try_files $uri =404;
+ }
+
+ location @pmwiki {
+ rewrite ^/wiki/(.*) /wiki/pmwiki.php?n=$1;
+ }
+
+ location /wiki {
+ index pmwiki.php;
+ try_files $uri $uri/ @pmwiki;
+ }
+
+ location ~ ^\/wiki(.+\.php)$ {
+ index pmwiki.php;
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ fastcgi_index pmwiki.php;
+ try_files $uri /pmwiki.php =404;
+ include /etc/nginx/fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+# fastcgi_pass unix:/var/run/php5-fpm.sock;
+ fastcgi_pass 127.0.0.1:9000;
+ }
+}
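Review bot: `root /srv/www/;` plus the absence of a `location /` serves the whole `/srv/www/` tree as static content on this host, so `/email/…`, `/shop/upload/…`, `/task/…`, `/forum/…` and `/gitweb/…` (the sibling vhosts' directories) become downloadable, and because the PHP handler is limited to `^\/wiki(.+\.php)$` their `.php` files are returned as source. Since `/wiki` is resolved through `root` without an alias, the fix that keeps `/pub`, `/.well-known` and `/wiki` working is `location / { return 404; }`. A `location ~ /\. { deny all; }` is also missing, so `/wiki/.git/` or `.htaccess` files in the pmwiki tree are served if present; the `^~ /.well-known` prefix is unaffected by such a regex.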
diff --git a/tools/conf/etc/rc.conf b/tools/conf/etc/rc.conf
index 2dbf272..192ef3e 100644
--- a/tools/conf/etc/rc.conf
+++ b/tools/conf/etc/rc.conf
@@ -5,8 +5,8 @@
FONT=default
KEYMAP=dvorak
TIMEZONE="Europe/Lisbon"
-HOSTNAME=machine
-SYSLOG=sysklogd
-SERVICES=(lo iptables wlan blan crond)
+HOSTNAME=c2
+SYSLOG=syslog-ng
+SERVICES=(apparmor lo net iptables sshd ntpd postgresql exim dovecot git-daemon php-fpm fcgiwrap nginx crond)
# End of file
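Review bot: `SERVICES=(apparmor lo net iptables …)` starts `net` before `iptables`, whereas the previous line (`lo iptables wlan blan`) loaded the firewall before any interface came up, so interfaces are now briefly reachable under the kernel's default ACCEPT policy before the ruleset applies. Nothing in this list is listening yet during that window, so the exposure is small, but unless the iptables script needs a configured interface (hostname resolution, reading interface addresses) the safer order is `SERVICES=(apparmor lo iptables net sshd ntpd …)`.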
diff --git a/tools/conf/etc/ssh/sshd_config b/tools/conf/etc/ssh/sshd_config
index 6fd955a..495d183 100644
--- a/tools/conf/etc/ssh/sshd_config
+++ b/tools/conf/etc/ssh/sshd_config
@@ -1,4 +1,4 @@
-# $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $
+# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
@@ -16,12 +16,7 @@ AddressFamily inet
#ListenAddress 0.0.0.0
#ListenAddress ::
-
-# The default requires explicit activation of protocol 1
-Protocol 2
-
#HostKey /etc/ssh/ssh_host_rsa_key
-#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
@@ -29,8 +24,8 @@ Protocol 2
#RekeyLimit default none
# Logging
-#SyslogFacility AUTH
-#LogLevel INFO
+SyslogFacility AUTH
+LogLevel INFO
# Authentication:
@@ -40,10 +35,11 @@ PermitRootLogin no
#StrictModes yes
MaxAuthTries 3
#MaxSessions 10
-MaxSessions 3
PubkeyAuthentication yes
+AllowGroups admin users gitolite sshproxy
+
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
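Review bot: `AllowGroups admin users gitolite sshproxy` includes `users`, which on most distributions is the default supplementary or primary group of every ordinary account, so the allow-list likely admits everyone except system accounts rather than restricting access; name the specific groups or a dedicated `ssh-users` group instead. The same hunk removes `MaxSessions 3`, silently reverting to the default of 10 multiplexed sessions per connection — if that is deliberate, a one-line comment such as `# MaxSessions left at default: gitolite hooks open several sessions per push` would save the next reader from re-adding it.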
@@ -90,7 +86,6 @@ ChallengeResponseAuthentication no
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
-#UsePAM no
#AllowAgentForwarding yes
#AllowTcpForwarding yes
@@ -102,8 +97,6 @@ ChallengeResponseAuthentication no
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
-#UseLogin no
-#UsePrivilegeSeparation sandbox
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
@@ -116,11 +109,25 @@ ChallengeResponseAuthentication no
#VersionAddendum none
# no default banner path
-Banner /etc/issue
+#Banner none
# override default of no subsystems
Subsystem sftp /usr/lib/ssh/sftp-server
+Match Group gitolite
+ AllowAgentForwarding no
+ AllowTcpForwarding no
+
+Match Group sshproxy
+ AllowAgentForwarding no
+ PermitTTY no
+ PermitOpen 10.0.0.4:443
+ PermitOpen 10.0.0.4:9418
+ PermitOpen tribu.semdestino.org:443
+ PermitOpen tribu.semdestino.org:9418
+ ForceCommand echo 'This account can only be used for web proxy'
+
+
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
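Review bot: The `sshproxy` match restricts TCP destinations with `PermitOpen` but leaves the other forwarding channels at their defaults: remote forwarding (`-R`, not covered by `PermitOpen`), Unix-socket forwarding (`AllowStreamLocalForwarding`, to which `PermitOpen` does not apply), tunnels and X11. `ForceCommand` denies a shell, but an `ssh -N` client never opens a session, so those channels stay usable for the life of the connection. Add `AllowTcpForwarding local`, `AllowStreamLocalForwarding no`, `PermitTunnel no` and `X11Forwarding no` to the sshproxy block, and the last two to the gitolite block as well.
```conf
Match Group sshproxy
    AllowAgentForwarding no
    AllowTcpForwarding local
    AllowStreamLocalForwarding no
    PermitTunnel no
    X11Forwarding no
    PermitTTY no
    # … unchanged: PermitOpen lines and ForceCommand …
```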
diff --git a/tools/conf/etc/syslog-ng.conf b/tools/conf/etc/syslog-ng.conf
index 16c1ddb..b6aa817 100644
--- a/tools/conf/etc/syslog-ng.conf
+++ b/tools/conf/etc/syslog-ng.conf
@@ -1,127 +1,223 @@
-@version: 3.17
+@version: 3.25
+@include "scl.conf"
+
+# Syslog-ng configuration file, compatible with default Debian syslogd
+# installation.
+
+# First, set some global options.
+options { chain_hostnames(off); flush_lines(0); use_dns(no); use_fqdn(no);
+ owner("root"); group("adm"); perm(0640); stats_freq(0);
+ bad_hostname("^gconfd$");
+};
+
+########################
+# Sources
+########################
+# This is the default behavior of sysklogd package
+# Logs may come from unix stream, but not from another machine.
#
-# /etc/syslog-ng: syslog-ng(8) configration file
-# based on a gentoo template added custom changes for crux
+source s_src {
+ system();
+ internal();
+};
-# on busy systems you may have to adjus flush_lines and suppress() to avoid
-# heavy disc i/o
-# to change default permissions/owner/group for newly created files add
-# options like this: owner(root); group(sys); perm(0644);
-
-options { chain_hostnames(off); flush_lines(0); stats_freq(0); create_dirs(on); };
-
-#source where to read log
-source src { unix-stream("/dev/log"); internal(); };
-source kernsrc { file("/proc/kmsg"); };
-
-#define templates
-template t_debug { template("$DATE fac $FACILITY lvl $LEVEL prg $PROGRAM: $MSG\n"); };
-
-#define destinations
-destination authlog { file("/var/log/auth" suppress(5)); };
-destination sudo { file("/var/log/sudo" suppress(5)); };
-destination cron { file("/var/log/cron" suppress(5)); };
-destination kern { file("/var/log/kernel" suppress(5)); };
-destination mail { file("/var/log/mail" suppress(5)); };
-
-destination mailinfo { file("/var/log/mail.info" suppress(5)); };
-destination mailwarn { file("/var/log/mail.warn" suppress(5)); };
-destination mailerr { file("/var/log/mail.err" suppress(5)); };
+# If you wish to get logs from remote machine you should uncomment
+# this and comment the above source line.
+#
+#source s_net { tcp(ip(127.0.0.1) port(1000)); };
-#destination newscrit { file("/var/log/news/news.crit" suppress(5)); };
-#destination newserr { file("/var/log/news/news.err" suppress(5)); };
-#destination newsnotice { file("/var/log/news/news.notice" suppress(5)); };
+########################
+# Destinations
+########################
+# First some standard logfile
+#
+destination d_auth { file("/var/log/auth"); };
+destination d_sudo { file("/var/log/sudo" ); };
+destination d_cron { file("/var/log/cron"); };
+destination d_daemon { file("/var/log/daemon"); };
+destination d_kern { file("/var/log/kernel"); };
+destination d_lpr { file("/var/log/lpr"); };
+destination d_mail { file("/var/log/mail"); };
+destination d_syslog { file("/var/log/syslog-ng"); };
+destination d_user { file("/var/log/user"); };
+destination d_uucp { file("/var/log/uucp"); };
+
+# This files are the log come from the mail subsystem.
+#
+destination d_mailinfo { file("/var/log/mail.info"); };
+destination d_mailwarn { file("/var/log/mail.warn"); };
+destination d_mailerr { file("/var/log/mail.err"); };
-destination debug { file("/var/log/debug" template(t_debug) suppress(5)); };
-destination messages { file("/var/log/messages" suppress(5)); };
-destination errors { file("/var/log/error" suppress(5)); };
-destination console { usertty("root"); };
-destination console_all { file("/dev/tty12" suppress(5)); };
-destination xconsole { pipe("/dev/xconsole" suppress(5)); };
+# Logging for INN news system
+#
+destination d_newscrit { file("/var/log/news/news.crit"); };
+destination d_newserr { file("/var/log/news/news.err"); };
+destination d_newsnotice { file("/var/log/news/news.notice"); };
-#############################################
-# custom destinations
+# Some 'catch-all' logfiles.
#
+destination d_debug { file("/var/log/debug"); };
+destination d_error { file("/var/log/error"); };
+destination d_messages { file("/var/log/messages"); };
-destination d_shorewall_warn { file ("/var/log/shorewall/warn.log"); };
-destination d_shorewall_info { file ("/var/log/shorewall/info.log"); };
+# Custom destinations
+destination d_shorewall_warn { file ("/var/log/shorewall/warn"); };
+destination d_shorewall_info { file ("/var/log/shorewall/info"); };
destination d_dnsmasq { file("/var/log/dnsmasq"); };
destination d_postgres { file("/var/log/pgsql"); };
+destination d_mysql { file("/var/log/pgsql"); };
destination d_iptables { file("/var/log/iptables"); };
destination d_sshd { file("/var/log/sshd"); };
destination d_gitolite { file("/var/log/gitolite"); };
-destination d_nginx_access { file("/var/log/nginx/access.log" owner(root) group(www) perm(0644)); };
-destination d_nginx_error { file("/var/log/nginx/error.log"); };
+destination d_git-daemon { file("/var/log/git-daemon"); };
+destination d_nginx_access { file("/var/log/nginx_access"); };
+destination d_nginx_error { file("/var/log/nginx_error"); };
+destination d_php_fpm { file("/var/log/php-fpm"); };
+destination d_php { file("/var/log/php"); };
+destination d_nginx_vhost { file("/var/log/nginx/vhost_access"); };
+destination d_nginx_vhost_err { file("/var/log/nginx/vhost_error"); };
+
+# The root's console.
+#
+destination d_console { usertty("root"); };
+
+# Virtual console.
+#
+#destination d_console_all { file(`tty10`); };
+destination console { usertty("root"); };
+destination d_console_all { file("/dev/tty12" suppress(5)); };
+destination xconsole { pipe("/dev/xconsole" suppress(5)); };
+
+
+
+# The named pipe /dev/xconsole is for the nsole' utility. To use it,
+# you must invoke nsole' with the -file' option:
+#
+# $ xconsole -file /dev/xconsole [...]
+#
+destination d_xconsole { pipe("/dev/xconsole"); };
+# Send the messages to an other host
+#
+#destination d_net { tcp("127.0.0.1" port(1000) log_fifo_size(1000)); };
-#create filters
-filter f_authpriv { facility(auth, authpriv); };
-filter f_cron { facility(cron); };
-filter f_kern { facility(kern); };
-filter f_mail { facility(mail); };
-#filter f_debug { not facility(auth, authpriv, mail) and not program(sudo); };
-filter f_debug { not facility(mail) and not program(sudo); };
-filter f_messages { level(info..warn)
- and not facility(auth, authpriv, mail) and not program(sudo); };
-filter f_sudo { program(sudo); };
-filter f_errors { level(err..emerg); };
+# Debian only
+destination d_ppp { file("/var/log/ppp"); };
-filter f_emergency { level(emerg); };
+########################
+# Filters
+########################
+# Here's come the filter options. With this rules, we can set which
+# message go where.
+filter f_dbg { level(debug); };
filter f_info { level(info); };
filter f_notice { level(notice); };
filter f_warn { level(warn); };
-filter f_crit { level(crit); };
filter f_err { level(err); };
+filter f_crit { level(crit .. emerg); };
+
+filter f_debug { level(debug) and not facility(auth, authpriv, news, mail); };
+filter f_error { level(err .. emerg) ; };
+filter f_messages { level(info,notice,warn)
+ and not facility(auth,authpriv,cron,daemon,mail,news,local0); };
+
+filter f_auth { facility(auth, authpriv) and not filter(f_debug); };
+filter f_sudo { facility(auth, authpriv) and program("^sudo$"); };
+filter f_cron { facility(cron) and not filter(f_debug);};
+filter f_daemon { facility(daemon, local0)
+ and not filter(f_debug)
+ and not program("^php$")
+ and not program("^nginx_vhost$")
+ and not program("^nginx_vhost_err$");};
+filter f_kern { facility(kern) and not filter(f_debug); };
+filter f_lpr { facility(lpr) and not filter(f_debug); };
+filter f_local { facility(local0, local1, local3, local4, local5,
+ local6, local7) and not filter(f_debug); };
+filter f_mail { facility(mail) and not filter(f_debug); };
+filter f_news { facility(news) and not filter(f_debug); };
+filter f_syslog3 { program("^syslog-ng$");};
+filter f_user { facility(user) and not filter(f_debug); };
+filter f_uucp { facility(uucp) and not filter(f_debug); };
+
+filter f_cnews { level(notice, err, crit) and facility(news); };
+filter f_cother { level(debug, info, notice, warn) or facility(daemon, mail); };
+
+filter f_ppp { facility(local2) and not filter(f_debug); };
+filter f_console { level(warn .. emerg); };
-#############################################
# custom filters
-#
-filter f_dnsmasq { program("dnsmasq"); };
-filter f_postgres { facility(local0); };
-filter f_sshd { facility(local1); };
+
+filter f_dnsmasq { program("^dnsmasq$"); };
+filter f_postgres { facility(local0) and program("^postgresql$"); };
+filter f_sshd { facility(auth) and program("^sshd$"); };
filter f_iptables { facility(kern) and match("iptables" value("MESSAGE")) };
filter f_shorewall_warn { level (warn) and match ("Shorewall" value("MESSAGE")); };
filter f_shorewall_info {level (info) and match ("Shorewall" value("MESSAGE")); };
-filter f_gitolite { program("gitolite"); };
-filter f_nginx_access { match("nginx_access:" value("MESSAGE")); };
-filter f_nginx_error { match("nginx_error:" value("MESSAGE")); };
-
-# examples for text-matching (beware of performance issues)
-#filter f_failed { match("failed"); };
-#filter f_denied { match("denied"); };
-
-#connect filter and destination
-log { source(src); filter(f_authpriv); destination(authlog); };
-log { source(src); filter(f_sudo); destination(sudo); };
-log { source(src); filter(f_cron); destination(cron); };
-log { source(kernsrc); filter(f_kern); destination(kern); };
-log { source(src); filter(f_mail); destination(mail); };
-log { source(src); filter(f_mail); filter(f_info); destination(mailinfo); };
-log { source(src); filter(f_mail); filter(f_warn); destination(mailwarn); };
-log { source(src); filter(f_mail); filter(f_err); destination(mailerr); };
-
-#log { source(src); filter(f_debug); destination(debug); };
-log { source(src); filter(f_messages); destination(messages); };
-log { source(src); filter(f_errors); destination(errors); };
-log { source(src); filter(f_emergency); destination(console); };
-
-#default log
-#log { source(src); destination(console_all); };
-
-#############################################
-# custom
-#
-
-log { source (kernsrc); filter (f_iptables); destination (d_iptables);};
-log { source (kernsrc); filter (f_shorewall_warn); destination (d_shorewall_warn);};
-log { source (kernsrc); filter (f_shorewall_info); destination (d_shorewall_info);};
-log { source(src); filter(f_dnsmasq); destination(d_dnsmasq);};
-log { source(src); filter(f_postgres); destination(d_postgres);};
-log { source(src); filter(f_sshd); destination(d_sshd);};
-log { source(src); filter(f_gitolite); destination(d_gitolite);};
-log { source(src); filter(f_nginx_error); destination(d_nginx_error);};
-log { source(src); filter(f_nginx_access); destination(d_nginx_access);};
+filter f_gitolite { program("^gitolite$"); };
+filter f_git-daemon { program("^git-daemon$"); };
+filter f_nginx_error { facility(daemon) and program("^nginx$"); };
+filter f_nginx_vhost { facility(daemon) and program("^nginx_vhost$");};
+filter f_nginx_vhost_err { facility(daemon) and program("^nginx_vhost_err$");};
+filter f_php_fpm { facility(daemon) and program("^php-fpm$");};
+filter f_php { facility(daemon) and program("^php$");};
+
+# custom logs
+log { source(s_src); filter(f_php_fpm); destination(d_php_fpm); };
+log { source(s_src); filter(f_php); destination(d_php); };
+log { source(s_src); filter(f_nginx_vhost); destination(d_nginx_vhost); };
+log { source(s_src); filter(f_nginx_vhost_err); destination(d_nginx_vhost_err); };
+log { source(s_src); filter(f_sshd); destination(d_sshd);};
+log { source (s_src); filter (f_iptables); destination (d_iptables);};
+log { source (s_src); filter (f_shorewall_warn); destination (d_shorewall_warn);};
+log { source (s_src); filter (f_shorewall_info); destination (d_shorewall_info);};
+log { source(s_src); filter(f_dnsmasq); destination(d_dnsmasq);};
+log { source(s_src); filter(f_postgres); destination(d_postgres);};
+log { source(s_src); filter(f_gitolite); destination(d_gitolite);};
+log { source(s_src); filter(f_git-daemon); destination(d_git-daemon);};
+log { source(s_src); filter(f_nginx_error); destination(d_nginx_error);};
+
+########################
+# Log paths
+########################
+log { source(s_src); filter(f_auth); destination(d_auth); };
+log { source(s_src); filter(f_sudo); destination(d_sudo); };
+log { source(s_src); filter(f_cron); destination(d_cron); };
+log { source(s_src); filter(f_daemon); destination(d_daemon); };
+log { source(s_src); filter(f_kern); destination(d_kern); };
+log { source(s_src); filter(f_lpr); destination(d_lpr); };
+log { source(s_src); filter(f_user); destination(d_user); };
+log { source(s_src); filter(f_uucp); destination(d_uucp); };
+
+log { source(s_src); filter(f_mail); destination(d_mail); };
+log { source(s_src); filter(f_mail); filter(f_info); destination(d_mailinfo); };
+log { source(s_src); filter(f_mail); filter(f_warn); destination(d_mailwarn); };
+log { source(s_src); filter(f_mail); filter(f_err); destination(d_mailerr); };
+
+log { source(s_src); filter(f_news); filter(f_crit); destination(d_newscrit); };
+log { source(s_src); filter(f_news); filter(f_err); destination(d_newserr); };
+log { source(s_src); filter(f_news); filter(f_notice); destination(d_newsnotice); };
+#log { source(s_src); filter(f_cnews); destination(d_console_all); };
+#log { source(s_src); filter(f_cother); destination(d_console_all); };
+
+#log { source(s_src); filter(f_ppp); destination(d_ppp); };
+
+log { source(s_src); filter(f_debug); destination(d_debug); };
+log { source(s_src); filter(f_error); destination(d_error); };
+log { source(s_src); filter(f_messages); destination(d_messages); };
+log { source(s_src); filter(f_syslog3); destination(d_syslog); };
+log { source(s_src); filter(f_console); destination(d_console_all);
+ destination(d_xconsole); };
+log { source(s_src); filter(f_crit); destination(d_console); };
+#
+#
+# All messages send to a remote site
+#
+#log { source(s_src); destination(d_net); };
+###
+# Include all config files in /etc/syslog-ng/conf.d/
+###
+@include "/etc/syslog-ng/conf.d/*.conf"
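Review bot: `destination d_mysql { file("/var/log/pgsql"); };` points the MySQL destination at the PostgreSQL log file — a copy-paste slip — and no `f_mysql` filter or `log {}` statement references it, so it is dead as written; either drop it or give it `/var/log/mysql` plus a matching filter and log path. `destination console`, `d_console_all` and `xconsole` duplicate what `d_console` and `d_xconsole` already define (only `d_console_all` and `d_xconsole` are used by the `f_console` path), and `d_ppp`/`f_ppp` are commented out; the leftovers from the old file can go. The global `owner("root"); group("adm"); perm(0640);` is the right default, but note it also governs `/var/log/nginx_access`, which the previous config created `0644 group(www)` — anything reading it as `www` will now fail, which is presumably intended.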
diff --git a/tools/conf/srv/gitolite/.gitolite.rc b/tools/conf/srv/gitolite/.gitolite.rc
index fa18e4e..d2c80b7 100644
--- a/tools/conf/srv/gitolite/.gitolite.rc
+++ b/tools/conf/srv/gitolite/.gitolite.rc
@@ -28,7 +28,7 @@
# logging options
# 1. leave this section as is for 'normal' gitolite logging (default)
# 2. uncomment this line to log ONLY to syslog:
- # LOG_DEST => 'syslog',
+ LOG_DEST => 'syslog',
# 3. uncomment this line to log to syslog and the normal gitolite log:
# LOG_DEST => 'syslog,normal',
# 4. prefixing "repo-log," to any of the above will **also** log just the
diff --git a/tools/conf/srv/gitolite/deploy-web-doc b/tools/conf/srv/gitolite/deploy-web-doc
index ae8e2db..b836515 100755
--- a/tools/conf/srv/gitolite/deploy-web-doc
+++ b/tools/conf/srv/gitolite/deploy-web-doc
@@ -2,7 +2,7 @@
######################################################################
#
# Put this file in your gitolite-admin;
-# ~/gitolite-admin/local/hooks/repo-specific/deploy-web-doc
+# ~/gitolite-admin/local/hooks/repo-specific/hook-deploy-web
#
# set host to empty to create package for each push
# or set remote host to create package based on last deployed push
diff --git a/tools/conf/srv/gitolite/deploy-web.sh b/tools/conf/srv/gitolite/deploy-web.sh
index 01e92ac..86d2026 100644
--- a/tools/conf/srv/gitolite/deploy-web.sh
+++ b/tools/conf/srv/gitolite/deploy-web.sh
@@ -3,7 +3,7 @@
pkg_path=$1
www_root="/srv/www"
-www_user="nginx"
+www_user="www"
www_group="www"
pkg_file="${pkg_path}/project"
diff --git a/tools/conf/srv/gitolite/gitolite.conf b/tools/conf/srv/gitolite/gitolite.conf
index 3de7ba5..2685d90 100644
--- a/tools/conf/srv/gitolite/gitolite.conf
+++ b/tools/conf/srv/gitolite/gitolite.conf
@@ -1,80 +1,73 @@
-@guests = gitweb
-@interns = silvino
-@dev = silvino
-@teamleads = silvino
-@staff = @interns @dev @teamleads
+@guests = bob
+@interns = bob
+@dev = bob alice
+@teamleads = druid bob
+@staff = @interns @dev
+
repo @secret
- = @guests
option deny-rules = 1
repo @floss
- RW+ = @dev @staff
+ RW+ = @staff
R = @all
repo @project
RW+ = @teamleads
- - master = @dev
- - refs/tags/v[0-9] = @dev
- RW+ develop/ = @dev
- RW+ feature/ = @dev
- RW+ hot-fix/ = @dev
- RW = @dev
- R = @interns
+ - master = @staff @guests
+ - refs/tags/ = @staff @guests
+ RW+ develop/ = @staff
+ RW+ feature/ = @staff
+ RW+ hot-fix/ = @staff
+ RW = @staff
+ R = @all
repo @mirror
+ R = @all
RW+ release/ = @teamleads
RW+ develop/ = @dev
RW+ feature/ = @dev
RW+ hot-fix/ = @dev
- R = @all
+ option upstream.nice = 120
repo gitolite-admin
RW+ = gitolite
-repo doc machine-ports pmwiki assistant
- config gitweb.owner = "Tribu Team"
- config gitweb.category = "machine"
-
-repo linux-pck
- config gitweb.owner = "Tribu Team"
- config gitweb.category = "mirrors"
+repo mate
+ config gitweb.description = "Mate ports"
-repo opt core contrib
- config gitweb.owner = "crux"
- config gitweb.category = "crux"
+repo kde5
+ config gitweb.description = "Kde5 ports"
-repo doc
- config gitweb.description = "documentation"
- option hook.post-receive = deploy-web-doc
-
-repo machine-ports
- config gitweb.description = "ports"
+repo xorg
+ config gitweb.description = "Xorg ports"
-repo pmwiki
- config gitweb.description = "wiki"
- option hook.post-receive = deploy-web-doc
+repo contrib
+ config gitweb.description = "Contrib ports"
-repo assistant
- config gitweb.owner = "Tribu Team"
- config gitweb.description = "open assistant"
+repo opt
+ config gitweb.description = "Opt ports"
repo core
- config gitweb.description = "crux core collection"
+ config gitweb.description = "Core ports"
-repo opt
- config gitweb.description = "crux opt collection"
+repo doc
+ config gitweb.description = "System doc."
+ option hook.post-receive = deploy-web-doc
-repo contrib
- config gitweb.description = "crux contrib collection"
+repo ports
+ config gitweb.description = "Extra ports."
+ option hook.post-receive = deploy-web-doc
-repo linux-pck
- config gitweb.description = "PCK or Parabola Community Kernel are multiple patches, pf-kernel and zen-kernel for Linux-libre kernel"
- option upstream.url = git://git.parabola.nu/pck.git
- option upstream.nice = 120
+repo doc
+ config gitweb.owner = "Team"
+ config gitweb.category = "Repositories"
+repo core opt contrib ports xorg iso mate kde5
+ config gitweb.owner = "Team"
+ config gitweb.category = "Host Ports"
-@secret = gitolite-admin
-@project = doc machine-ports pmwiki assistant
-@project = core opt contrib
-@mirror = linux-pck
+@secret = gitolite-admin
+@project = doc
+@project = core opt contrib ports xorg iso mate kde5 webdata
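Review bot: `repo @project` now grants `R = @all` where the old rule was `R = @interns`, so every key in the keydir — `@guests` (bob) included — can clone `doc`, `core`, `opt`, `contrib`, `ports`, `xorg`, `iso`, `mate`, `kde5` and `webdata`; check whether this gitolite version also folds the `gitweb`/`daemon` pseudo-users into `@all`, because rc.conf in this commit now starts `git-daemon` and that would publish the repositories unauthenticated on 9418. If the widening is intentional, `R = @staff @guests` keeps the grant explicit. Separately, `repo @mirror` still carries rules and `option upstream.nice = 120`, but `@mirror = linux-pck` was removed and nothing redefines the group in the visible file, so the block applies to no repository (or fails the compile, depending on how gitolite treats an undefined group), and `upstream.nice` without `upstream.url` does nothing in any case.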
diff --git a/tools/conf/srv/pgsql/data/pg_hba.conf b/tools/conf/srv/pgsql/data/pg_hba.conf
index af37ab4..f60af44 100644
--- a/tools/conf/srv/pgsql/data/pg_hba.conf
+++ b/tools/conf/srv/pgsql/data/pg_hba.conf
@@ -81,20 +81,14 @@
# TYPE DATABASE USER ADDRESS METHOD
# "local" is for Unix domain socket connections only
-#local all all trust
+local all postgres scram-sha-256
+#local all postgres trust
# IPv4 local connections:
-#host all all 127.0.0.1/32 trust
+host all postgres 127.0.0.1/32 scram-sha-256
# IPv6 local connections:
-#host all all ::1/128 trust
+host all postgres ::1/128 scram-sha-256
# Allow replication connections from localhost, by a user with the
# replication privilege.
-#local replication all trust
-#host replication all 127.0.0.1/32 trust
-#host replication all ::1/128 trust
-
-# TYPE DATABASE USER ADDRESS METHOD
-local postgres postgres trust
-host postgres postgres 127.0.0.1/32 trust
-host db_flyspray flyspray 127.0.0.1/32 md5
-host all all 127.0.0.1/32 scram-sha-256
-host all all 0.0.0.0/0 reject
+local replication postgres scram-sha-256
+host replication postgres 127.0.0.1/32 scram-sha-256
+host replication postgres ::1/128 scram-sha-256
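Review bot: Every remaining rule names the `postgres` superuser only (`local all postgres`, `host all postgres 127.0.0.1/32`, `host all postgres ::1/128`), while the per-application entry `host db_flyspray flyspray 127.0.0.1/32 md5` and the generic `host all all 127.0.0.1/32 scram-sha-256` were dropped — so any PHP application in this commit that uses PostgreSQL can only connect by authenticating as the superuser, which puts a superuser password into each web app's config. Keep one line per application role, e.g. `host db_flyspray flyspray 127.0.0.1/32 scram-sha-256`, and restrict the superuser to `local all postgres peer` so a leaked password is not usable over TCP at all. Losing `host all all 0.0.0.0/0 reject` is harmless (pg_hba rejects anything unmatched), but an explicit trailing reject documents the intent for the next reader.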
diff --git a/tools/conf/srv/pgsql/data/postgresql.conf b/tools/conf/srv/pgsql/data/postgresql.conf
index e25ab49..4497df9 100644
--- a/tools/conf/srv/pgsql/data/postgresql.conf
+++ b/tools/conf/srv/pgsql/data/postgresql.conf
@@ -73,7 +73,7 @@ max_connections = 100 # (change requires restart)
#bonjour_name = '' # defaults to the computer name
# (change requires restart)
-# - TCP Keepalives -
+# - TCP settings -
# see "man 7 tcp" for details
#tcp_keepalives_idle = 0 # TCP_KEEPIDLE, in seconds;
@@ -82,12 +82,14 @@ max_connections = 100 # (change requires restart)
# 0 selects the system default
#tcp_keepalives_count = 0 # TCP_KEEPCNT;
# 0 selects the system default
+#tcp_user_timeout = 0 # TCP_USER_TIMEOUT, in milliseconds;
+ # 0 selects the system default
# - Authentication -
#authentication_timeout = 1min # 1s-600s
#password_encryption = md5 # md5 or scram-sha-256
-password_encryption = scram-sha-256 # md5 or scram-sha-256
+password_encryption = scram-sha-256 # md5 or scram-sha-256
#db_user_namespace = off
# GSSAPI using Kerberos
@@ -107,6 +109,8 @@ ssl_key_file = '/etc/ssl/keys/pg.key'
#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers
#ssl_prefer_server_ciphers = on
#ssl_ecdh_curve = 'prime256v1'
+#ssl_min_protocol_version = 'TLSv1'
+#ssl_max_protocol_version = ''
#ssl_dh_params_file = ''
#ssl_passphrase_command = ''
#ssl_passphrase_command_supports_reload = off
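Review bot: `#ssl_min_protocol_version = 'TLSv1'` is left at the upstream default even though TLS is enabled on this server (`ssl_key_file` is set just above the hunk), so clients may still negotiate TLS 1.0/1.1; set `ssl_min_protocol_version = 'TLSv1.2'` explicitly. `#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL'` likewise keeps MEDIUM-strength suites and 3DES available by default; consider `ssl_ciphers = 'HIGH:!aNULL:!3DES'` with `ssl_prefer_server_ciphers = on` uncommented, provided the connecting libpq clients are recent enough.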
@@ -131,13 +135,18 @@ shared_buffers = 128MB # min 128kB
#maintenance_work_mem = 64MB # min 1MB
#autovacuum_work_mem = -1 # min 1MB, or -1 to use maintenance_work_mem
#max_stack_depth = 2MB # min 100kB
+#shared_memory_type = mmap # the default is the first option
+ # supported by the operating system:
+ # mmap
+ # sysv
+ # windows
+ # (change requires restart)
dynamic_shared_memory_type = posix # the default is the first option
# supported by the operating system:
# posix
# sysv
# windows
# mmap
- # use none to disable dynamic shared memory
# (change requires restart)
# - Disk -
@@ -152,7 +161,7 @@ dynamic_shared_memory_type = posix # the default is the first option
# - Cost-Based Vacuum Delay -
-#vacuum_cost_delay = 0 # 0-100 milliseconds
+#vacuum_cost_delay = 0 # 0-100 milliseconds (0 disables)
#vacuum_cost_page_hit = 1 # 0-10000 credits
#vacuum_cost_page_miss = 10 # 0-10000 credits
#vacuum_cost_page_dirty = 20 # 0-10000 credits
@@ -203,6 +212,8 @@ dynamic_shared_memory_type = posix # the default is the first option
#wal_compression = off # enable compression of full-page writes
#wal_log_hints = off # also do full page writes of non-critical updates
# (change requires restart)
+#wal_init_zero = on # zero-fill new WAL files
+#wal_recycle = on # recycle WAL files
#wal_buffers = -1 # min 32kB, -1 sets based on shared_buffers
# (change requires restart)
#wal_writer_delay = 200ms # 1-10000 milliseconds
@@ -231,6 +242,42 @@ min_wal_size = 80MB
#archive_timeout = 0 # force a logfile segment switch after this
# number of seconds; 0 disables
+# - Archive Recovery -
+
+# These are only used in recovery mode.
+
+#restore_command = '' # command to use to restore an archived logfile segment
+ # placeholders: %p = path of file to restore
+ # %f = file name only
+ # e.g. 'cp /mnt/server/archivedir/%f %p'
+ # (change requires restart)
+#archive_cleanup_command = '' # command to execute at every restartpoint
+#recovery_end_command = '' # command to execute at completion of recovery
+
+# - Recovery Target -
+
+# Set these only when performing a targeted recovery.
+
+#recovery_target = '' # 'immediate' to end recovery as soon as a
+ # consistent state is reached
+ # (change requires restart)
+#recovery_target_name = '' # the named restore point to which recovery will proceed
+ # (change requires restart)
+#recovery_target_time = '' # the time stamp up to which recovery will proceed
+ # (change requires restart)
+#recovery_target_xid = '' # the transaction ID up to which recovery will proceed
+ # (change requires restart)
+#recovery_target_lsn = '' # the WAL LSN up to which recovery will proceed
+ # (change requires restart)
+#recovery_target_inclusive = on # Specifies whether to stop:
+ # just after the specified recovery target (on)
+ # just before the recovery target (off)
+ # (change requires restart)
+#recovery_target_timeline = 'latest' # 'current', 'latest', or timeline ID
+ # (change requires restart)
+#recovery_target_action = 'pause' # 'pause', 'promote', 'shutdown'
+ # (change requires restart)
+
#------------------------------------------------------------------------------
# REPLICATION
@@ -264,6 +311,11 @@ min_wal_size = 80MB
# These settings are ignored on a master server.
+#primary_conninfo = '' # connection string to sending server
+ # (change requires restart)
+#primary_slot_name = '' # replication slot on sending server
+ # (change requires restart)
+#promote_trigger_file = '' # file name whose presence ends recovery
#hot_standby = on # "off" disallows queries during recovery
# (change requires restart)
#max_standby_archive_delay = 30s # max delay before canceling queries
@@ -281,6 +333,7 @@ min_wal_size = 80MB
# in milliseconds; 0 disables
#wal_retrieve_retry_interval = 5s # time to wait before retrying to
# retrieve WAL after a failed attempt
+#recovery_min_apply_delay = 0 # minimum delay for applying changes during recovery
# - Subscribers -
@@ -356,7 +409,10 @@ min_wal_size = 80MB
#join_collapse_limit = 8 # 1 disables collapsing of explicit
# JOIN clauses
#force_parallel_mode = off
-#jit = off # allow JIT compilation
+#jit = on # allow JIT compilation
+jit = off # allow JIT compilation
+#plan_cache_mode = auto # auto, force_generic_plan or
+ # force_custom_plan
#------------------------------------------------------------------------------
@@ -365,9 +421,8 @@ min_wal_size = 80MB
# - Where to Log -
-#log_destination = 'stderr' # Valid values are combinations of
-#log_destination = 'stderr,syslog' # Multiple are valide
-log_destination = 'syslog'
+#log_destination = 'stderr'
+#log_destination = 'syslog' # Valid values are combinations of
# stderr, csvlog, syslog, and eventlog,
# depending on platform. csvlog
# requires logging_collector to be on.
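Review bot: Removing the active `log_destination = 'syslog'` line while both replacements stay commented (`#log_destination = 'stderr'`, `#log_destination = 'syslog'`) means the server falls back to the built-in default, stderr, unless the setting is given elsewhere in the file; the `syslog_facility = 'LOCAL0'` and `syslog_ident = 'postgres'` lines that remain active in the next hunk then have no effect. If syslog is still the intended destination, restore `log_destination = 'syslog'` as an uncommented line. The logrotate rules added later in this commit appear to assume syslog-ng is receiving these logs, so the two files should agree.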
@@ -400,7 +455,6 @@ log_destination = 'syslog'
# 0 disables.
# These are relevant when logging to syslog:
-#syslog_facility = 'LOCAL0'
syslog_facility = 'LOCAL0'
syslog_ident = 'postgres'
#syslog_sequence_numbers = on
@@ -412,17 +466,6 @@ syslog_ident = 'postgres'
# - When to Log -
-#client_min_messages = notice # values in order of decreasing detail:
- # debug5
- # debug4
- # debug3
- # debug2
- # debug1
- # log
- # notice
- # warning
- # error
-
#log_min_messages = warning # values in order of decreasing detail:
# debug5
# debug4
@@ -456,6 +499,9 @@ syslog_ident = 'postgres'
# statements running at least this number
# of milliseconds
+#log_transaction_sample_rate = 0.0 # Fraction of transactions whose statements
+ # are logged regardless of their duration. 1.0 logs all
+ # statements from all transactions, 0.0 never logs.
# - What to Log -
@@ -464,12 +510,15 @@ syslog_ident = 'postgres'
#debug_print_plan = off
#debug_pretty_print = on
#log_checkpoints = off
+#log_connections = off
log_connections = on
+#log_disconnections = off
log_disconnections = on
-log_duration = on
+#log_duration = off
#log_error_verbosity = default # terse, default, or verbose messages
+#log_hostname = off
log_hostname = on
-#log_line_prefix = '%m [%p] ' # special values:
+log_line_prefix = 'd=$d u=% %m [%p] ' # special values:
# %a = application name
# %u = user name
# %d = database name
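Review bot: The new `log_line_prefix = 'd=$d u=% %m [%p] '` does not use the escapes listed directly below it (`%u = user name`, `%d = database name`): `$d` is emitted literally and the bare `% ` is not a recognised escape, so neither the database nor the user ever appears in the prefix. It should read `log_line_prefix = 'd=%d u=%u %m [%p] '`. Separately, `log_hostname = on` enabled in the same hunk adds a reverse DNS lookup per connection, which is worth a comment since it can slow connection setup. The list of prefix escapes continues outside the hunk.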
@@ -492,11 +541,12 @@ log_hostname = on
# e.g. '<%u%%%d> '
#log_lock_waits = off # log lock waits >= deadlock_timeout
#log_statement = 'none' # none, ddl, mod, all
+log_statement = 'mod' # none, ddl, mod, all
#log_replication_commands = off
#log_temp_files = -1 # log temporary files equal or larger
# than the specified size in kilobytes;
# -1 disables, 0 logs all temp files
-log_timezone = 'Portugal'
+log_timezone = 'Europe/Lisbon'
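Review bot: `log_statement = 'mod'` logs the full text of every DDL and data-modifying statement, including literal values in INSERT/UPDATE and the password given in CREATE/ALTER ROLE ... PASSWORD, so the log now holds application data and credentials in plain text. The doc should say so and make sure the log destination and its rotated copies are readable only by the database and log users; `log_statement = 'ddl'` is the narrower choice if the intent is to audit schema changes. A comment such as `# 'mod' records statement text verbatim, including literals and role passwords` next to the line would make the trade-off visible.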
#------------------------------------------------------------------------------
# PROCESS TITLE
@@ -553,7 +603,7 @@ log_timezone = 'Portugal'
#autovacuum_multixact_freeze_max_age = 400000000 # maximum multixact age
# before forced vacuum
# (change requires restart)
-#autovacuum_vacuum_cost_delay = 20ms # default vacuum cost delay for
+#autovacuum_vacuum_cost_delay = 2ms # default vacuum cost delay for
# autovacuum, in milliseconds;
# -1 means use vacuum_cost_delay
#autovacuum_vacuum_cost_limit = -1 # default vacuum cost limit for
@@ -567,11 +617,22 @@ log_timezone = 'Portugal'
# - Statement Behavior -
+#client_min_messages = notice # values in order of decreasing detail:
+ # debug5
+ # debug4
+ # debug3
+ # debug2
+ # debug1
+ # log
+ # notice
+ # warning
+ # error
#search_path = '"$user", public' # schema names
#row_security = on
#default_tablespace = '' # a tablespace name, '' uses the default
#temp_tablespaces = '' # a list of tablespace names, '' uses
# only default tablespace
+#default_table_access_method = 'heap'
#check_function_bodies = on
#default_transaction_isolation = 'read committed'
#default_transaction_read_only = off
@@ -597,7 +658,7 @@ log_timezone = 'Portugal'
datestyle = 'iso, mdy'
#intervalstyle = 'postgres'
-timezone = 'Portugal'
+timezone = 'Europe/Lisbon'
#timezone_abbreviations = 'Default' # Select the set of available time zone
# abbreviations. Currently, there are
# Default
@@ -605,7 +666,8 @@ timezone = 'Portugal'
# India
# You can create your own file in
# share/timezonesets/.
-#extra_float_digits = 0 # min -15, max 3
+#extra_float_digits = 1 # min -15, max 3; any value >0 actually
+ # selects precise output mode
#client_encoding = sql_ascii # actually, defaults to database
# encoding
@@ -654,7 +716,6 @@ default_text_search_config = 'pg_catalog.english'
#array_nulls = on
#backslash_quote = safe_encoding # on, off, or safe_encoding
-#default_with_oids = off
#escape_string_warning = on
#lo_compat_privileges = off
#operator_precedence_warning = off
@@ -673,6 +734,9 @@ default_text_search_config = 'pg_catalog.english'
#exit_on_error = off # terminate session on any error?
#restart_after_crash = on # reinitialize after backend crash?
+#data_sync_retry = off # retry or panic on failure to fsync
+ # data?
+ # (change requires restart)
#------------------------------------------------------------------------------
@@ -680,12 +744,13 @@ default_text_search_config = 'pg_catalog.english'
#------------------------------------------------------------------------------
# These options allow settings to be loaded from files other than the
-# default postgresql.conf.
+# default postgresql.conf. Note that these are directives, not variable
+# assignments, so they can usefully be given more than once.
-#include_dir = 'conf.d' # include files ending in '.conf' from
- # directory 'conf.d'
-#include_if_exists = 'exists.conf' # include file only if it exists
-#include = 'special.conf' # include file
+#include_dir = '...' # include files ending in '.conf' from
+ # a directory, e.g., 'conf.d'
+#include_if_exists = '...' # include file only if it exists
+#include = '...' # include file
#------------------------------------------------------------------------------
diff --git a/tools/gitolite.html b/tools/gitolite.html
index 23460e9..ea07129 100644
--- a/tools/gitolite.html
+++ b/tools/gitolite.html
@@ -769,7 +769,7 @@
location /git/gitweb.cgi {
diff --git a/tools/index.html b/tools/index.html
index d8c0690..2724a6f 100644
--- a/tools/index.html
+++ b/tools/index.html
@@ -1,181 +1,209 @@ - -Tools + +Tools - Documentation Index -Tools
+ Documentation Index +Tools
-Selection of system tools that extends core documentation.
+
Selection of system tools that extends core documentation.
-
System Tools
+System Tools
-
- This is part of the Tribu System Documentation. - Copyright (C) 2020 - Tribu Team. - See the file Gnu Free Documentation License - for copying conditions.
++ This is part of the Tribu System Documentation. + Copyright (C) 2020 + Tribu Team. + See the file Gnu Free Documentation License + for copying conditions.
diff --git a/tools/logrotate.html b/tools/logrotate.html
index d9047c4..fc07169 100644
--- a/tools/logrotate.html
+++ b/tools/logrotate.html
@@ -5,6 +5,8 @@Logrotate
@@ -32,23 +34,24 @@ seems to be standard anyway). +
This is just an example configuration, review to match syslog-ng and other tools that write logs
+# see "man logrotate" for details # rotate log files weekly weekly - # keep 5 weeks worth of backlogs - rotate 5 + # keep 4 weeks worth of backlogs + rotate 4 # create new (empty) log files after rotating old ones create # uncomment this if you want your log files compressed - compress + #compress olddir /var/log/old - - notifempty + maxsize 1M # some packages can drop log rotation information into # this directory 
@@ -56,107 +59,310 @@ # few generic files to rotate /var/log/wtmp { - weekly + monthly create 0644 root root - rotate 5 + rotate 1 } /var/log/btmp { - weekly + monthly create 0600 root root - rotate 5 + rotate 1 } # system-specific logs may be also be configured here. - /var/log/faillog { - maxsize 5M + /var/log/auth { + missingok + notifempty + compress + delaycompress + sharedscripts + postrotate + /etc/init.d/syslog-ng reload + endscript } - /var/log/lastlog { - maxsize 5M + /var/log/sudo { + missingok + notifempty + compress + delaycompress + sharedscripts + postrotate + /etc/init.d/syslog-ng reload + endscript } - /var/log/auth { - weekly - create 0644 root root - rotate 5 - sharedscripts + /var/log/cron { + missingok + notifempty + compress + delaycompress + sharedscripts + postrotate + /etc/init.d/syslog-ng reload + endscript + } + + /var/log/daemon { + rotate 7 + missingok + notifempty + compress + delaycompress + sharedscripts + postrotate + /etc/init.d/syslog-ng reload + endscript + } + + /var/log/debug { + missingok + notifempty + compress + delaycompress + sharedscripts + postrotate + /etc/init.d/syslog-ng reload + endscript + } + + /var/log/error { + missingok + notifempty + compress + delaycompress + sharedscripts + postrotate + /etc/init.d/syslog-ng reload + endscript + } + + /var/log/iptables { + # uncomment this if you want your log files compressed + delaycompress + compress postrotate - if [ -f /var/run/syslog-ng.pid ]; then \ - kill -HUP `cat /var/run/syslog-ng.pid`; \ - fi; + /etc/rc.d/syslog-ng reload >/dev/null endscript } - /var/log/cron { - weekly - create 0644 root root - rotate 5 - sharedscripts + /var/log/kernel { + missingok + notifempty + compress + delaycompress + sharedscripts + postrotate + /etc/init.d/syslog-ng reload + endscript + } + + /var/log/lpr { + missingok + notifempty + compress + delaycompress + sharedscripts + postrotate + /etc/init.d/syslog-ng reload + endscript + } + + /var/log/mail.err { + missingok + notifempty + 
compress + delaycompress + sharedscripts + postrotate + /etc/init.d/syslog-ng reload + endscript + } + + /var/log/mail.info { + missingok + notifempty + compress + delaycompress + sharedscripts + postrotate + /etc/init.d/syslog-ng reload + endscript + } + + /var/log/mail { + missingok + notifempty + compress + delaycompress + sharedscripts + postrotate + /etc/init.d/syslog-ng reload + endscript + } + + /var/log/mail.warn { + missingok + notifempty + compress + delaycompress + sharedscripts + postrotate + /etc/init.d/syslog-ng reload + endscript + } + + /var/log/messages { + missingok + notifempty + compress + delaycompress + sharedscripts + postrotate + /etc/init.d/syslog-ng reload + endscript + } + + + /var/log/user { + missingok + notifempty + compress + delaycompress + sharedscripts + postrotate + /etc/init.d/syslog-ng reload + endscript + } + + /var/log/uucp { + missingok + notifempty + compress + delaycompress + sharedscripts + postrotate + /etc/init.d/syslog-ng reload + endscript + } + + /var/log/syslog-ng { + rotate 7 + daily + compress + delaycompress + sharedscripts + postrotate + /etc/init.d/syslog-ng reload + endscript + } + + /var/log/dnsmasq { + # uncomment this if you want your log files compressed + delaycompress + compress postrotate - if [ -f /var/run/syslog-ng.pid ]; then \ - kill -HUP `cat /var/run/syslog-ng.pid`; \ - fi; + /etc/rc.d/syslog-ng reload >/dev/null endscript } - /var/log/debug { - weekly + /var/log/pgsql { + # create new (empty) log files after rotating old ones create 0644 root root - rotate 5 - sharedscripts + # uncomment this if you want your log files compressed + delaycompress + compress + notifempty + maxsize 5M postrotate - if [ -f /var/run/syslog-ng.pid ]; then \ - kill -HUP `cat /var/run/syslog-ng.pid`; \ - fi; + /etc/rc.d/syslog-ng reload >/dev/null endscript } - /var/log/kernel { - rotate 5 - monthly - create 0644 root root - sharedscripts + /var/log/git-daemon { + # uncomment this if you want your log files compressed + 
delaycompress + compress postrotate - if [ -f /var/run/syslog-ng.pid ]; then \ - kill -HUP `cat /var/run/syslog-ng.pid`; \ - fi; + /etc/rc.d/syslog-ng reload >/dev/null endscript } - /var/log/messages { - rotate 5 - weekly - create 0644 root root - sharedscripts + /var/log/gitolite { + # uncomment this if you want your log files compressed + delaycompress + compress postrotate - if [ -f /var/run/syslog-ng.pid ]; then \ - kill -HUP `cat /var/run/syslog-ng.pid`; \ - fi; + /etc/rc.d/syslog-ng reload >/dev/null endscript } - /var/log/mail { - weekly - create 0644 root root - rotate 5 - sharedscripts + /var/log/php-fpm { + # uncomment this if you want your log files compressed + delaycompress + compress + postrotate + /etc/rc.d/syslog-ng reload >/dev/null + endscript + } + + /var/log/php { + # uncomment this if you want your log files compressed + delaycompress + compress + postrotate + /etc/rc.d/syslog-ng reload >/dev/null + endscript + } + + /var/log/nginx_access { + # uncomment this if you want your log files compressed + delaycompress + compress + postrotate + /etc/rc.d/syslog-ng reload >/dev/null + endscript + } + + /var/log/nginx_error { + # uncomment this if you want your log files compressed + delaycompress + compress + postrotate + /etc/rc.d/syslog-ng reload >/dev/null + endscript + } + + /var/log/nginx/tribu_error.log { + # uncomment this if you want your log files compressed + delaycompress + compress + olddir /var/log/old/nginx + postrotate + /etc/rc.d/syslog-ng reload >/dev/null + endscript + } + + /var/log/nginx/tribu_access.log { + # uncomment this if you want your log files compressed + delaycompress + compress + olddir /var/log/old/nginx postrotate - if [ -f /var/run/syslog-ng.pid ]; then \ - kill -HUP `cat /var/run/syslog-ng.pid`; \ - fi; + /etc/rc.d/syslog-ng reload >/dev/null endscript }-
You can force logrotate to test configuration;
+To force logrotate to test configuration;
# logrotate -f /etc/logrotate.conf
This is part of the Tribu System Documentation. -Copyright (C) 2020 +Copyright (C) 2020 Tribu Team. See the file Gnu Free Documentation License for copying conditions.
diff --git a/tools/nginx.html b/tools/nginx.html
index 0420e70..21abb90 100644
--- a/tools/nginx.html
+++ b/tools/nginx.html
@@ -155,9 +155,7 @@Read nginx pitfalls, - for more information about optimization - digitalocean, +
This is the "main" nginx configuration not the servers, the way this configuration is setup nginx will load virtual servers configuration files with extension .conf from /etc/nginx/sites-enabled/.
Number of worker_processes must be equal or less than the number of available cpu cores. This is set to auto.
@@ -186,11 +184,10 @@ user www; worker_processes auto; - error_log /var/log/nginx/error.log; + error_log syslog:server=unix:/dev/log debug; pid /var/run/nginx.pid; - events { worker_connections 1024; }
@@ -199,9 +196,9 @@ include mime.types; default_type application/octet-stream; - #log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - # '$status $body_bytes_sent "$http_referer" ' - # '"$http_user_agent" "$http_x_forwarded_for"'; + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; sendfile on; #tcp_nopush on;
@@ -216,13 +213,8 @@ #client_header_timeout 12; client_header_timeout 24; - #client_max_body_size 10000M; - #keepalive_timeout 10000; - #client_body_timeout 10000; - #client_header_timeout 10000; send_timeout 65; - gzip on; gzip_vary on; #gzip_proxied any;
@@ -234,14 +226,19 @@ include /etc/nginx/conf.d/*.conf; include /etc/nginx/sites-enabled/*.conf; - } # End of file -To debug configurations check logs and;
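Review bot: `error_log syslog:server=unix:/dev/log debug;` in the `@@ -186` hunk sets the global error log to the most verbose level, which (on a build with debug support) records per-request and upstream internals for every request and can flood syslog on a production proxy. `error_log syslog:server=unix:/dev/log warn;` is the usual baseline, with `debug` raised only while troubleshooting; the doc could add `# raise to debug only temporarily` beside it. The same `debug` level is repeated in the virtual-host `error_log` in the `@@ -306` hunk below.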
+Read nginx pitfalls and + configuration optimization.
+ +
This setup uses default virtual server as a proxy, this allows to have a clean configuration file and delegate application specific settings to other servers. Other virtual servers can run on same machine or other machines, allowing greater compartmentalization.
+ +When testing or debugging configurations is useful to run nginx with following option;
nginx -V
@@ -270,31 +267,19 @@ /etc/php/conf.d/pdo_pgsql.ini-
Server (virtual host) with pmwiki and flyspray, check - /etc/nginx/sites - for more examples. Install pmwiki and flyspray;
- -- $ sudo prt-get depinst pmwiki flyspray -+
This server is configured in a way that - root serves pmwiki and /tasks serves flyspray. In order to - flyspray to link correctly change index is needed. Create /etc/nginx/sites-enabled/machine.example.org.conf;
+Default server that acts as a proxy except for /doc, with ssl certificates (serves port 443 and 80). Each location is proxy ed to correspondent virtual server.
server { + listen 80 default_server; + server_name tribu.semdestino.org; - listen 443 ssl; - listen 80; - server_name machine.example.org; - - # listen [::]:443 ssl http2; - ssl_certificate /etc/letsencrypt/live/machine.example.org/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/machine.example.org/privkey.pem; - ssl_trusted_certificate /etc/letsencrypt/live/machine.example.org/chain.pem; + listen 443 ssl default_server; + ssl_certificate /etc/letsencrypt/live/tribu.semdestino.org/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/tribu.semdestino.org/privkey.pem; + ssl_trusted_certificate /etc/letsencrypt/live/tribu.semdestino.org/chain.pem; ssl_session_timeout 1d; ssl_session_cache shared:SSL:50m; 
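Review bot: `listen 80 default_server;` and `listen 443 ssl default_server;` sit in the same server block, so every proxied location in this vhost is also served over plaintext HTTP unless a redirect exists elsewhere in the configuration. The usual layout is a separate `server` on port 80 that answers only the ACME challenge path and otherwise does `return 301 https://$host$request_uri;`, leaving the TLS-only block for the proxied applications. The server block continues outside the hunk, and the ACME location appears in the next hunk, so it would need to move with the port-80 server.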
@@ -306,112 +291,109 @@ ssl_stapling on; ssl_stapling_verify on; - access_log /var/log/nginx/example_access.log; - error_log /var/log/nginx/example_error.log; - - root /srv/www/; + access_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_vhost,nohostname main; + error_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_vhost_err,nohostname debug; - location /mirror { - #alias /usr/ports/releases; - proxy_pass http://10.0.0.3:80/; - } - - location /builder { - rewrite ^/blog(.*) /$1 break; - proxy_pass http://10.0.0.3:80; - } + root /etc/html/; location /doc { alias /srv/www/doc; index index.html; } - location /git/static { - # static files (png/css) served from /usr/share/gitweb/static - alias /srv/www/gitweb/static; + location /pub { + proxy_pass http://wiki.c2.ank:8080; + } + + location /wiki { + proxy_pass http://wiki.c2.ank:8080; } location /git { - alias /srv/www/gitweb; - index gitweb.cgi; - fastcgi_split_path_info ^/git()(/?.+)$; - fastcgi_param GITWEB_CONFIG /etc/gitweb.conf; - fastcgi_param DOCUMENT_ROOT /srv/www/gitweb; - fastcgi_param SCRIPT_NAME /gitweb.cgi$fastcgi_path_info; - - include fastcgi_params; - fastcgi_pass unix:/var/run/fcgiwrap.sock; + proxy_pass http://git.c2.ank:8080; } - location /chat { - index index.php; - alias /srv/www/chat; - try_files $uri $uri/ index.php$is_args$args; + location /forum { + proxy_pass http://forum.c2.ank:8080; } - location ~ ^/chat(.+\.php)$ { ### This location block was the solution - alias /srv/www/chat; - fastcgi_split_path_info ^(.+\.php)(/.+)$; - fastcgi_index index.php; - try_files $uri /index.php =404; - include /etc/nginx/fastcgi_params; - fastcgi_param SCRIPT_FILENAME $document_root$1; - # fastcgi_pass unix:/var/run/php5-fpm.sock; - fastcgi_pass 127.0.0.1:9000; + location /task { + proxy_pass http://task.c2.ank:8080; } + location /shop { + proxy_pass http://shop.c2.ank:8080; + } - location /task { - index index.php; - alias /srv/www/flyspray; - try_files $uri $uri/ index.php$is_args$args; + 
location /email { + proxy_pass http://email.c2.ank:8080; } - location ~ ^/task(.+\.php)$ { ### This location block was the solution - alias /srv/www/flyspray; - fastcgi_split_path_info ^(.+\.php)(/.+)$; - fastcgi_index index.php; - try_files $uri /index.php =404; - include /etc/nginx/fastcgi_params; - fastcgi_param SCRIPT_FILENAME $document_root$1; - # fastcgi_pass unix:/var/run/php5-fpm.sock; - fastcgi_pass 127.0.0.1:9000; + location /mirror { + proxy_pass http://c1.ank; } - location /pub { - alias /srv/www/pmwiki/pub; + # ACME challenge + location ^~ /.well-known { + proxy_pass http://wiki.c2.ank; } - location /wiki { - alias /srv/www/pmwiki/; - index pmwiki.php; - try_files $uri $uri/ /pmwiki.php$is_args$args; + + location / { + proxy_pass http://frontpage.c2.ank; } - location ~ ^/wiki(.+\.php)$ { - alias /srv/www/pmwiki; - index pmwiki.php; - fastcgi_split_path_info ^(.+\.php)(/.+)$; - fastcgi_index pmwiki.php; - try_files $uri /pmwiki.php =404; - include /etc/nginx/fastcgi_params; - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - # fastcgi_pass unix:/var/run/php5-fpm.sock; - fastcgi_pass 127.0.0.1:9000; + } ++ +
Example of pmwiki virtual server, check /etc/nginx/sites-enabled for the rest of examples mentioned default server. If wiki server is running on same machine add following to /etc/hosts;
+ ++ 127.0.0.1 wiki.c2.ank ++ +
Edit /etc/nginx/sites-enabled/wiki.c2.ank.conf;
+ ++ server { + listen 8080; + server_name wiki.c2.ank; + + access_log syslog:server=unix:/dev/log,facility=daemon,tag=vh_wiki,nohostname main; + error_log syslog:server=unix:/dev/log,facility=daemon,tag=vh_wiki_err,nohostname debug; + + root /srv/www/; + + location /pub { + alias /srv/www/wiki/pub; } # ACME challenge location ^~ /.well-known { allow all; - alias /srv/www/pmwiki/pub/cert/.well-known/; + alias /srv/www/wiki/pub/cert/.well-known/; default_type "text/plain"; try_files $uri =404; } - location / { - alias /srv/www/frontpage/; - index index.html; - try_files $uri $uri/ /index.html$is_args$args; + location @pmwiki { + rewrite ^/wiki/(.*) /wiki/pmwiki.php?n=$1; + } + + location /wiki { + index pmwiki.php; + try_files $uri $uri/ @pmwiki; } + location ~ ^\/wiki(.+\.php)$ { + index pmwiki.php; + fastcgi_split_path_info ^(.+\.php)(/.+)$; + fastcgi_index pmwiki.php; + try_files $uri /pmwiki.php =404; + include /etc/nginx/fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_pass 127.0.0.1:9000; + } }@@ -452,12 +434,11 @@
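Review bot: `location ^~ /.well-known { proxy_pass http://wiki.c2.ank; }` forwards ACME challenges to port 80 on wiki.c2.ank, while the wiki vhost added further down in this hunk listens on 8080 and the /etc/hosts line maps wiki.c2.ank to 127.0.0.1, so the challenge would presumably be proxied back to this same default server; the line should likely read `proxy_pass http://wiki.c2.ank:8080;` as the /pub and /wiki locations do. `root /etc/html/;` also looks out of place beside the other /srv/www paths, and every backend is reached over plain HTTP, which is acceptable only while those hosts stay on loopback or an isolated network. The default server block opens in the previous hunk.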
- $ sudo grep "login" /var/log/nginx/access.log - $ sudo grep "etc/passwd" /var/log/nginx/access.log - $ sudo egrep -i "denied|error|warn" /var/log/nginx/error.log + $ sudo grep "login" /var/log/nginx/vhost_access + $ sudo grep "etc/passwd" /var/log/nginx/vhost_access + $ sudo egrep -i "denied|error|warn" /var/log/nginx_error- Tools Index
This is part of the Tribu System Documentation. diff --git a/tools/postgresql.html b/tools/postgresql.html index 1fb48c7..141d6c2 100644 --- a/tools/postgresql.html +++ b/tools/postgresql.html @@ -26,32 +26,38 @@ # sudo -u postgres initdb -D /srv/pgsql/data -
Change /etc/rc.d/postgresql;
+Configure syslog-ng first, configuration example contains rules for postgresql as is configured in this document.
- # - # /etc/rc.d/postgresql: start, stop or restart PostgreSQL server postmaster - # + destination d_postgres { file("/var/log/pgsql"); }; + filter f_postgres { facility(local0) and program("postgresql)"; }; + log { source(s_src); filter(f_postgres); destination(d_postgres);}; - PG_DATA=/srv/pgsql/data + filter f_messages { level(info,notice,warn) + and not facility(auth,authpriv,cron,daemon,mail,news,local0); }; - case "$1" in - start|stop|status|restart|reload) - sudo -u postgres pg_ctl -D "$PG_DATA" -l /var/log/postgresql "$1" - ;; - *) - echo "usage: $0 start|stop|restart|reload|status" - ;; - esac + filter f_daemon { facility(daemon, local0) + and not filter(f_debug) + and not program("vh_tribu") + and not program("vh_tribu_error");}; +- # End of file +
Create /etc/logrotate.d/postgres;
+ ++ /var/log/pgsql { + weekly + compress + delaycompress + rotate 10 + notifempty + create 660 postgres postgres + }-
$ sudo openssl genrsa -des3 -out /etc/ssl/keys/pg.key 2048 @@ -115,209 +121,231 @@ $ sudo chmod 644 /etc/ssl/certs/pg.cert-
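Review bot: The syslog-ng snippet added to the PostgreSQL page has a misplaced quote in `filter f_postgres { facility(local0) and program("postgresql)"; };`, which leaves the parenthesis unbalanced; the tools/syslog-ng.html version in this same commit, `filter f_postgres { facility(local0) and program("^postgresql$"); };`, is the form to copy. Its f_daemon filter excludes `program("vh_tribu")` and `program("vh_tribu_error")`, whereas the nginx vhost in this commit tags its logs `nginx_vhost` / `nginx_vhost_err` and the syslog-ng.html filter excludes those names, so the two pages appear to have drifted; keeping the rules in syslog-ng.html only and linking to them from here avoids the mismatch.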
Create password for super user;
+Change /etc/rc.d/postgresql;
- # su postgres - $ psql -U postgres + # + # /etc/rc.d/postgresql: start, stop or restart PostgreSQL server postmaster + # + + PG_DATA=/srv/pgsql/data + + case "$1" in + start|stop|status|restart|reload) + sudo -u postgres pg_ctl -D "$PG_DATA" -l /var/log/postgresql "$1" + ;; + *) + echo "usage: $0 start|stop|restart|reload|status" + ;; + esac + + # End of file-
Edit /srv/pgsql/data/postgresql.conf;
- # - Security and Authentication - - - #authentication_timeout = 1min # 1s-600s ssl = on # (change requires restart) - #ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers - # (change requires restart) - #ssl_prefer_server_ciphers = on # (change requires restart) - #ssl_ecdh_curve = 'prime256v1' # (change requires restart) ssl_cert_file = '/etc/ssl/certs/pg.crt' # (change requires restart) ssl_key_file = '/etc/ssl/keys/pg.key' # (change requires restart) - #ssl_ca_file = '' # (change requires restart) - #ssl_crl_file = '' # (change requires restart) password_encryption = scram-sha-256 + jit = off + log_destination = 'syslog' + syslog_facility = 'LOCAL0' + log_connections = on + log_disconnections = on + log_duration = on + log_hostname = on + log_line_prefix = 'd=$d u=% %m [%p] ' # special values:-
Edit - /srv/pgsql/data/pg_hba.conf; -
+Create password for the super user postgres, login to postgresql;
- # TYPE DATABASE USER ADDRESS METHOD - local postgres all trust - host postgres all 127.0.0.1/32 trust - host all all 127.0.0.1/32 scram-sha-256 - host all all 0.0.0.0/0 reject + $ sudo -u postgres psql -U postgres-
Start server and alter postgres password
+Create password for postgres user;
- # /etc/rc.d/postgresql start -- -
- postgres=# alter user postgres with password 'new_password'; + postgres=# \password + Enter new password: + Enter it again: + postgres=#-
Configure pg_hba.conf in the next step to enforce authentication.
-Configure Syslog-ng, check Michael at otacoo article. Example;
+Edit /pgsql/data/postgresql.conf;
+Edit + /srv/pgsql/data/pg_hba.conf; +
- log_destination = 'syslog' # Can specify multiple destinations - syslog_facility='LOCAL0' - syslog_ident='postgres' - log_connections = on - log_disconnections = on - log_duration = on -- -
Create /etc/logrotate.d/postgres;
+ # TYPE DATABASE USER ADDRESS METHOD -- /var/log/pgsql { - weekly - compress - delaycompress - rotate 10 - notifempty - create 660 postgres postgres - } + # "local" is for Unix domain socket connections only + local all postgres scram-sha-256 + #local all postgres trust + # IPv4 local connections: + host all postgres 127.0.0.1/32 scram-sha-256 + # IPv6 local connections: + host all postgres ::1/128 scram-sha-256 + # Allow replication connections from localhost, by a user with the + # replication privilege. + local replication postgres scram-sha-256 + host replication postgres 127.0.0.1/32 scram-sha-256 + host replication postgres ::1/128 scram-sha-256+
Restart server to enforce authentication from now on;
- destination postgres { file("/var/log/pgsql"); }; - filter f_postgres { facility(local0); }; - log { source(s_log); filter(f_postgres); destination(postgres); }; + # /etc/rc.d/postgresql start+
Create a new user with createuser command;
$ sudo -u postgres createuser --pwprompt --encrypted \ - --no-createrole --no-createdb user_example + --no-createrole --no-createdb user_name Enter password for new user: Enter it again:-
Create a new database for new user with createdb command;
+Deleting user with dropuser command;
- $ sudo -u postgres createdb --template=template0 --encoding=UTF8 \ - --owner=user_example db_example + sudo -u postgres dropuser user_name-
Deleting database with dropdb command;
+Update password of a user;
- sudo -u postgres dropdb db_example + $ sudo -u postgres psql-
+ postgres=#\password user_name; +-
Deleting user with dropuser command;
+This will set password using hash / encryption method selected on postgresql.conf
+ ++ $ sudo -u postgres psql +
- sudo -u postgres dropuser user_example + postgres=# \dg-
Lets check with psql, login with user postgres;
+Create a new database named db_name for user_name with createdb command;
- $ sudo -u postgres psql + $ sudo -u postgres createdb --template=template0 --encoding=UTF8 \ + --owner=user_name db_name-
First show help;
+Deleting database with dropdb command;
- postgres=# \? + sudo -u postgres dropdb db_name-
List roles then list databases;
- postgres=# \dg postgres=# \l-
Connect to a datase;
+Dump all databases
- postgres=# \c db_example + $ pg_dumpall -U postgres | gzip > cluster_dump.gz-
List tables;
+Restore dumpfile of all databases;
- postgres=# \dt + $ gzip -c cluster_dump.gz | psql -U postgres-
Restore a database;
- postgres=# create database db_example_ext owner user_example encoding 'UTF-8' template template0; + $ cat db_name_dump | psql -U user_name -d db_name-
This example assumes that all tables, - are in public schema. First revoke previously granted privileges from one or more roles;
+Lets check with psql, login with user postgres;
- postgres=# revoke ALL PRIVILEGES on db_example from user_example; + $ sudo -u postgres psql-
Drop all tables on public schema and recreate public schema;
+First show help;
- postgres=# \c db_example - db_example=# drop schema public cascade; - db_example=# create schema public; + postgres=# \?-
Connect to a db_name as user_name;
-Update password of a user;
++ postgres=# \c db_name user_name ++ +
- postgres=# ALTER USER user_example WITH ENCRYPTED PASSWORD 'password'; + postgres=# create database db_name owner user_name encoding 'UTF-8' template template0;-
This example assumes that all tables, + are in public schema. First revoke previously granted privileges from one or more roles;
- $ pg_dumpall -U postgres | gzip > cluster_dump.gz + postgres=# revoke ALL PRIVILEGES on db_name from user_name;-
Drop all tables on public schema and recreate public schema;
- $ gzip -c cluster_dump.gz | psql -U postgres + postgres=# \c db_name + db_name=# drop schema public cascade; + db_name=# create schema public;Tools Index diff --git a/tools/syslog-ng.html b/tools/syslog-ng.html index 324a020..70dc994 100644 --- a/tools/syslog-ng.html +++ b/tools/syslog-ng.html @@ -52,6 +52,236 @@ # End of file +
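Review bot: The new `log_line_prefix = 'd=$d u=% %m [%p] '` in the postgresql.conf snippet uses placeholders PostgreSQL does not define; database and user are `%d` and `%u`, so it should read `log_line_prefix = 'd=%d u=%u %m [%p] '`. The same snippet drops the old `syslog_ident='postgres'` line, and PostgreSQL's default ident is `postgres`, so the `program("^postgresql$")` filter added in tools/syslog-ng.html would presumably never match and these messages would land in /var/log/daemon via f_daemon; either set `syslog_ident = 'postgresql'` or match `^postgres$`. The new pg_hba.conf lists only the `postgres` role, so the later `\c db_name user_name` and `psql -U user_name -d db_name` steps cannot authenticate as written; entries such as `local all all scram-sha-256` and `host all all 127.0.0.1/32 scram-sha-256` keep the scram requirement while admitting application roles. The restore command `gzip -c cluster_dump.gz | psql -U postgres` compresses rather than decompresses and needs `gzip -dc cluster_dump.gz | psql -U postgres`.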
Edit /etc/syslog-ng.conf with your logging preferences;
+ ++ @version: 3.25 + @include "scl.conf" + + # Syslog-ng configuration file, compatible with default Debian syslogd + # installation. + + # First, set some global options. + options { chain_hostnames(off); flush_lines(0); use_dns(no); use_fqdn(no); + owner("root"); group("adm"); perm(0640); stats_freq(0); + bad_hostname("^gconfd$"); + }; + + ######################## + # Sources + ######################## + # This is the default behavior of sysklogd package + # Logs may come from unix stream, but not from another machine. + # + source s_src { + system(); + internal(); + }; + + # If you wish to get logs from remote machine you should uncomment + # this and comment the above source line. + # + #source s_net { tcp(ip(127.0.0.1) port(1000)); }; + + ######################## + # Destinations + ######################## + # First some standard logfile + # + destination d_auth { file("/var/log/auth"); }; + destination d_sudo { file("/var/log/sudo" ); }; + destination d_cron { file("/var/log/cron"); }; + destination d_daemon { file("/var/log/daemon"); }; + destination d_kern { file("/var/log/kernel"); }; + destination d_lpr { file("/var/log/lpr"); }; + destination d_mail { file("/var/log/mail"); }; + destination d_syslog { file("/var/log/syslog-ng"); }; + destination d_user { file("/var/log/user"); }; + destination d_uucp { file("/var/log/uucp"); }; + + # This files are the log come from the mail subsystem. + # + destination d_mailinfo { file("/var/log/mail.info"); }; + destination d_mailwarn { file("/var/log/mail.warn"); }; + destination d_mailerr { file("/var/log/mail.err"); }; + + # Logging for INN news system + # + destination d_newscrit { file("/var/log/news/news.crit"); }; + destination d_newserr { file("/var/log/news/news.err"); }; + destination d_newsnotice { file("/var/log/news/news.notice"); }; + + # Some 'catch-all' logfiles. 
+ # + destination d_debug { file("/var/log/debug"); }; + destination d_error { file("/var/log/error"); }; + destination d_messages { file("/var/log/messages"); }; + + # Custom destinations + destination d_shorewall_warn { file ("/var/log/shorewall/warn"); }; + destination d_shorewall_info { file ("/var/log/shorewall/info"); }; + destination d_dnsmasq { file("/var/log/dnsmasq"); }; + destination d_postgres { file("/var/log/pgsql"); }; + destination d_mysql { file("/var/log/pgsql"); }; + destination d_iptables { file("/var/log/iptables"); }; + destination d_sshd { file("/var/log/sshd"); }; + destination d_gitolite { file("/var/log/gitolite"); }; + destination d_git-daemon { file("/var/log/git-daemon"); }; + destination d_nginx_access { file("/var/log/nginx_access"); }; + destination d_nginx_error { file("/var/log/nginx_error"); }; + destination d_php_fpm { file("/var/log/php-fpm"); }; + destination d_php { file("/var/log/php"); }; + destination d_nginx_vhost { file("/var/log/nginx/vhost_access"); }; + destination d_nginx_vhost_err { file("/var/log/nginx/vhost_error"); }; + + # The root's console. + # + destination d_console { usertty("root"); }; + + # Virtual console. + # + #destination d_console_all { file(`tty10`); }; + destination console { usertty("root"); }; + destination d_console_all { file("/dev/tty12" suppress(5)); }; + destination xconsole { pipe("/dev/xconsole" suppress(5)); }; + + + + # The named pipe /dev/xconsole is for the nsole' utility. To use it, + # you must invoke nsole' with the -file' option: + # + # $ xconsole -file /dev/xconsole [...] + # + destination d_xconsole { pipe("/dev/xconsole"); }; + + # Send the messages to an other host + # + #destination d_net { tcp("127.0.0.1" port(1000) log_fifo_size(1000)); }; + + # Debian only + destination d_ppp { file("/var/log/ppp"); }; + + ######################## + # Filters + ######################## + # Here's come the filter options. With this rules, we can set which + # message go where. 
+ + filter f_dbg { level(debug); }; + filter f_info { level(info); }; + filter f_notice { level(notice); }; + filter f_warn { level(warn); }; + filter f_err { level(err); }; + filter f_crit { level(crit .. emerg); }; + + filter f_debug { level(debug) and not facility(auth, authpriv, news, mail); }; + filter f_error { level(err .. emerg) ; }; + filter f_messages { level(info,notice,warn) + and not facility(auth,authpriv,cron,daemon,mail,news,local0); }; + + filter f_auth { facility(auth, authpriv) and not filter(f_debug); }; + filter f_sudo { facility(auth, authpriv) and program("^sudo$"); }; + filter f_cron { facility(cron) and not filter(f_debug);}; + filter f_daemon { facility(daemon, local0) + and not filter(f_debug) + and not program("^php$") + and not program("^nginx_vhost$") + and not program("^nginx_vhost_err$");}; + filter f_kern { facility(kern) and not filter(f_debug); }; + filter f_lpr { facility(lpr) and not filter(f_debug); }; + filter f_local { facility(local0, local1, local3, local4, local5, + local6, local7) and not filter(f_debug); }; + filter f_mail { facility(mail) and not filter(f_debug); }; + filter f_news { facility(news) and not filter(f_debug); }; + filter f_syslog3 { program("^syslog-ng$");}; + filter f_user { facility(user) and not filter(f_debug); }; + filter f_uucp { facility(uucp) and not filter(f_debug); }; + + filter f_cnews { level(notice, err, crit) and facility(news); }; + filter f_cother { level(debug, info, notice, warn) or facility(daemon, mail); }; + + filter f_ppp { facility(local2) and not filter(f_debug); }; + filter f_console { level(warn .. 
emerg); }; + + # custom filters + + filter f_dnsmasq { program("^dnsmasq$"); }; + filter f_postgres { facility(local0) and program("^postgresql$"); }; + filter f_sshd { facility(auth) and program("^sshd$"); }; + + filter f_iptables { facility(kern) and match("iptables" value("MESSAGE")) }; + filter f_shorewall_warn { level (warn) and match ("Shorewall" value("MESSAGE")); }; + filter f_shorewall_info {level (info) and match ("Shorewall" value("MESSAGE")); }; + filter f_gitolite { program("^gitolite$"); }; + filter f_git-daemon { program("^git-daemon$"); }; + filter f_nginx_error { facility(daemon) and program("^nginx$"); }; + filter f_nginx_vhost { facility(daemon) and program("^nginx_vhost$");}; + filter f_nginx_vhost_err { facility(daemon) and program("^nginx_vhost_err$");}; + filter f_php_fpm { facility(daemon) and program("^php-fpm$");}; + filter f_php { facility(daemon) and program("^php$");}; + + # custom logs + log { source(s_src); filter(f_php_fpm); destination(d_php_fpm); }; + log { source(s_src); filter(f_php); destination(d_php); }; + log { source(s_src); filter(f_nginx_vhost); destination(d_nginx_vhost); }; + log { source(s_src); filter(f_nginx_vhost_err); destination(d_nginx_vhost_err); }; + log { source(s_src); filter(f_sshd); destination(d_sshd);}; + log { source (s_src); filter (f_iptables); destination (d_iptables);}; + log { source (s_src); filter (f_shorewall_warn); destination (d_shorewall_warn);}; + log { source (s_src); filter (f_shorewall_info); destination (d_shorewall_info);}; + log { source(s_src); filter(f_dnsmasq); destination(d_dnsmasq);}; + log { source(s_src); filter(f_postgres); destination(d_postgres);}; + log { source(s_src); filter(f_gitolite); destination(d_gitolite);}; + log { source(s_src); filter(f_git-daemon); destination(d_git-daemon);}; + log { source(s_src); filter(f_nginx_error); destination(d_nginx_error);}; + + ######################## + # Log paths + ######################## + log { source(s_src); filter(f_auth); 
destination(d_auth); }; + log { source(s_src); filter(f_sudo); destination(d_sudo); }; + log { source(s_src); filter(f_cron); destination(d_cron); }; + log { source(s_src); filter(f_daemon); destination(d_daemon); }; + log { source(s_src); filter(f_kern); destination(d_kern); }; + log { source(s_src); filter(f_lpr); destination(d_lpr); }; + log { source(s_src); filter(f_user); destination(d_user); }; + log { source(s_src); filter(f_uucp); destination(d_uucp); }; + + log { source(s_src); filter(f_mail); destination(d_mail); }; + log { source(s_src); filter(f_mail); filter(f_info); destination(d_mailinfo); }; + log { source(s_src); filter(f_mail); filter(f_warn); destination(d_mailwarn); }; + log { source(s_src); filter(f_mail); filter(f_err); destination(d_mailerr); }; + + log { source(s_src); filter(f_news); filter(f_crit); destination(d_newscrit); }; + log { source(s_src); filter(f_news); filter(f_err); destination(d_newserr); }; + log { source(s_src); filter(f_news); filter(f_notice); destination(d_newsnotice); }; + #log { source(s_src); filter(f_cnews); destination(d_console_all); }; + #log { source(s_src); filter(f_cother); destination(d_console_all); }; + + #log { source(s_src); filter(f_ppp); destination(d_ppp); }; + + log { source(s_src); filter(f_debug); destination(d_debug); }; + log { source(s_src); filter(f_error); destination(d_error); }; + log { source(s_src); filter(f_messages); destination(d_messages); }; + log { source(s_src); filter(f_syslog3); destination(d_syslog); }; + log { source(s_src); filter(f_console); destination(d_console_all); + destination(d_xconsole); }; + log { source(s_src); filter(f_crit); destination(d_console); }; + + # + # + # All messages send to a remote site + # + #log { source(s_src); destination(d_net); }; + + ### + # Include all config files in /etc/syslog-ng/conf.d/ + ### + @include "/etc/syslog-ng/conf.d/*.conf" ++ +
Restart daemon;
+$ sudo sh /etc/rc.d/syslog-ng start $ sudo sh /etc/rc.d/sysklogd stop -- cgit 1.4.1-2-gfad0
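Review bot: `destination d_mysql { file("/var/log/pgsql"); };` sends MySQL messages into the PostgreSQL log file, which looks like a copy-paste slip even though no log path references d_mysql yet; `file("/var/log/mysql")` is presumably intended. `filter f_iptables { facility(kern) and match("iptables" value("MESSAGE")) };` lacks the semicolon that terminates every other filter expression in the file and is likely to fail parsing, so it should read `filter f_iptables { facility(kern) and match("iptables" value("MESSAGE")); };`. `d_nginx_vhost` and `d_nginx_vhost_err` write under /var/log/nginx/ while every other destination is a flat file in /var/log, and syslog-ng does not create missing directories unless `create_dirs(yes)` is set, so that directory must exist. `destination console` and `destination xconsole` are defined but never referenced, alongside the used `d_console` and `d_xconsole`.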