From 98ae91447d2f29640094398068cca1a884f46d9b Mon Sep 17 00:00:00 2001
From: Silvino Silva
Date: Tue, 27 Sep 2016 23:12:55 +0100
Subject: tool ningx revision, added install scripts
---
tools/conf/etc/nginx/nginx.conf | 150 ++++++++++++++++++++++++++++++++
tools/conf/etc/nginx/sites/default.conf | 82 +++++++++++++++++
tools/conf/etc/nginx/sites/drupal.conf | 129 +++++++++++++++++++++++++++
tools/conf/etc/nginx/sites/laravel.conf | 28 ++++++
4 files changed, 389 insertions(+)
create mode 100644 tools/conf/etc/nginx/nginx.conf
create mode 100644 tools/conf/etc/nginx/sites/default.conf
create mode 100644 tools/conf/etc/nginx/sites/drupal.conf
create mode 100644 tools/conf/etc/nginx/sites/laravel.conf
(limited to 'tools/conf')
diff --git a/tools/conf/etc/nginx/nginx.conf b/tools/conf/etc/nginx/nginx.conf
new file mode 100644
index 0000000..088a798
--- /dev/null
+++ b/tools/conf/etc/nginx/nginx.conf
@@ -0,0 +1,150 @@ +# +# /etc/nginx/nginx.conf - nginx server configuration +# + + +user nginx; +worker_processes auto; + +error_log /var/log/nginx/error.log; + +pid /var/run/nginx.pid; + + +events { + worker_connections 1024; +} + + +http { + include mime.types; + default_type application/octet-stream; + + ## + # SSL Settings + ## + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE + ssl_prefer_server_ciphers on; + + # ssl on; + ssl_certificate /etc/ssl/certs/nginx.crt; + ssl_certificate_key /etc/ssl/keys/nginx.key; + + #log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + # '$status $body_bytes_sent "$http_referer" ' + # '"$http_user_agent" "$http_x_forwarded_for"'; + + access_log /var/log/nginx/access.log; + error_log /var/log/nginx/error.log + + sendfile on; + #tcp_nopush on; + + keepalive_timeout 65; + client_body_timeout 12; + client_header_timeout 12; + send_timeout 65; + + + gzip on; + gzip_vary on; + #gzip_proxied any; + gzip_comp_level 9; + # gzip_buffers 16 8k; + # gzip_http_version 1.1; + gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; + + + ## + # Virtual Host Configs + ## + server { + listen 80 default_server; + server_name _; + return 301 https://$host$request_uri; + } + + include /etc/nginx/conf.d/*.conf; + include /etc/nginx/sites-enabled/*.conf; + + #server { + # listen 80; + # server_name localhost; + # + # #charset koi8-r; + # + # location / { + # root html; + # index index.html index.htm; + # } + # + # error_page 404 /404.html; + # + # # redirect server error pages to the static page /50x.html + # # + # error_page 500 502 503 504 /50x.html; + # location = /50x.html { + # root html; + # } + # + # # proxy the PHP scripts to Apache listening on 127.0.0.1:80 + # # + # #location ~ \.php$ { + # # proxy_pass http://127.0.0.1; + # #} + # + # # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 + # # + # #location ~ 
\.php$ { + # # root html; + # # fastcgi_pass 127.0.0.1:9000; + # # fastcgi_index index.php; + # # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name; + # # include fastcgi_params; + # #} + # + # # deny access to .htaccess files, if Apache's document root + # # concurs with nginx's one + # # + # #location ~ /\.ht { + # # deny all; + # #} + #} + + + # another virtual host using mix of IP-, name-, and port-based configuration + # + #server { + # listen 8000; + # listen somename:8080; + # server_name somename alias another.alias; + + # location / { + # root html; + # index index.html index.htm; + # } + #} + + + # HTTPS server + # + #server { + # listen 443 ssl; + # server_name localhost; + + # ssl_certificate cert.pem; + # ssl_certificate_key cert.key; + + # ssl_session_cache shared:SSL:1m; + # ssl_session_timeout 5m; + + # ssl_ciphers HIGH:!aNULL:!MD5; + # ssl_prefer_server_ciphers on; + + # location / { + # root html; + # index index.html index.htm; + # } + #} + +} diff --git a/tools/conf/etc/nginx/sites/default.conf b/tools/conf/etc/nginx/sites/default.conf new file mode 100644 index 0000000..95be0b7 --- /dev/null +++ b/tools/conf/etc/nginx/sites/default.conf 
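Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` in the http block still offers TLS 1.0 and 1.1, and no `ssl_ciphers` or `ssl_session_cache` is set, so every `listen 443 ssl` server added later inherits these as its only TLS settings; the POODLE comment already justifies dropping SSLv3, and the same reasoning favours `ssl_protocols TLSv1.2;` together with an explicit `ssl_ciphers` list. `gzip on;` at http level also compresses the TLS virtual hosts' responses, and compressing dynamic pages that echo request data next to session secrets is the precondition for the BREACH class of attacks; nginx compresses text/html whenever gzip is on even though `gzip_types` omits it, so either disable gzip inside the PHP server blocks or accept that only static asset types should be compressed there. The nginx.conf hunk is the whole file, so both settings apply to sites/default.conf, sites/drupal.conf and sites/laravel.conf below.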
@@ -0,0 +1,82 @@ + +server { + listen 80; + server_name localhost; + +#charset koi8-r; + + location / { + root html; + index index.html index.htm; + } + + error_page 404 /404.html; + + # redirect server error pages to the static page /50x.html + # + error_page 500 502 503 504 /50x.html; + location = /50x.html { + root html; + } + +# proxy the PHP scripts to Apache listening on 127.0.0.1:80 +# +#location ~ \.php$ { +# proxy_pass http://127.0.0.1; +#} + +# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 +# +#location ~ \.php$ { +# root html; +# fastcgi_pass 127.0.0.1:9000; +# fastcgi_index index.php; +# fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name; +# include fastcgi_params; +#} + +# deny access to .htaccess files, if Apache's document root +# concurs with nginx's one +# +#location ~ /\.ht { +# deny all; +#} +} + + +# another virtual host using mix of IP-, name-, and port-based configuration +# +#server { +# listen 8000; +# listen somename:8080; +# server_name somename alias another.alias; + +# location / { +# root html; +# index index.html index.htm; +# } +#} + + +# HTTPS server +# +#server { +# listen 443 ssl; +# server_name localhost; + +# ssl_certificate cert.pem; +# ssl_certificate_key cert.key; + +# ssl_session_cache shared:SSL:1m; +# ssl_session_timeout 5m; + +# ssl_ciphers HIGH:!aNULL:!MD5; +# ssl_prefer_server_ciphers on; + +# location / { +# root html; +# index index.html index.htm; +# } +#} + + diff --git a/tools/conf/etc/nginx/sites/drupal.conf b/tools/conf/etc/nginx/sites/drupal.conf new file mode 100644 index 0000000..39b096a --- /dev/null +++ b/tools/conf/etc/nginx/sites/drupal.conf 
@@ -0,0 +1,129 @@ +server { + + listen 192.168.1.254:443 ssl; + listen 10.0.0.254:443 ssl; + + server_name core.privat-network.net; + + root /srv/www/drupal; ## <-- Your only path reference. + + # Enable compression, this will help if you have for instance advagg¿? module + # by serving Gzip versions of the files. + gzip_static on; + + location ~ ^/stats/(.*)$ { + alias /srv/www/stats/$1; + autoindex on; + } + + location /sysdoc { + alias /srv/www/sysdoc; + autoindex on; + } + + location /ports { + alias /var/ports/ports; + autoindex on; + } + + location /distfiles { + alias /var/ports/distfiles; + autoindex on; + } + + + location /packages { + root /var/ports/packages; + autoindex off; + } + + + location = /favicon.ico { + log_not_found off; + access_log off; + } + + location = /robots.txt { + allow all; + log_not_found off; + } + + # This matters if you use drush prior to 5.x + # After 5.x backups are stored outside the Drupal install. + #location = /backup { + # deny all; + #} + + # Very rarely should these ever be accessed outside of your lan + location ~* \.(txt|log)$ { + allow 192.168.0.0/16; + deny all; + } + + location ~ \..*/.*\.php$ { + return 403; + } + + # No no for private + location ~ ^/sites/.*/private/ { + return 403; + } + + # Block access to "hidden" files and directories whose names begin with a + # period. This includes directories used by version control systems such + # as Subversion or Git to store control files. + location ~ (^|/)\. { + return 403; + } + + location / { + # This is cool because no php is touched for static content + try_files $uri @rewrite; + } + + location ~* /update.php*/.*$ { + # You have 2 options here + # For D7 and above: + # Clean URLs are handled in drupal_environment_initialize(). 
+ rewrite ^ /update.php; + # For Drupal 6 and bwlow: + # Some modules enforce no slash (/) at the end of the URL + # Else this rewrite block wouldn't be needed (GlobalRedirect) + #rewrite ^/(.*)$ /index.php?q=$1; + } + + location @rewrite { + # You have 2 options here + # For D7 and above: + # Clean URLs are handled in drupal_environment_initialize(). + rewrite ^ /index.php; + # For Drupal 6 and bwlow: + # Some modules enforce no slash (/) at the end of the URL + # Else this rewrite block wouldn't be needed (GlobalRedirect) + #rewrite ^/(.*)$ /index.php?q=$1; + } + + location ~ \.php$ { + fastcgi_split_path_info ^(.+\.php)(/.+)$; + #NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME $request_filename; + fastcgi_intercept_errors on; + #fastcgi_pass unix:/tmp/phpfpm.sock; + fastcgi_pass 127.0.0.1:9000; + } + + # Fighting with Styles? This little gem is amazing. + # This is for D6 + #location ~ ^/sites/.*/files/imagecache/ { + # This is for D7 and D8 + location ~ ^/sites/.*/files/styles/ { + try_files $uri @rewrite; + } + + location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ { + expires max; + #log_not_found off; + } + +} diff --git a/tools/conf/etc/nginx/sites/laravel.conf b/tools/conf/etc/nginx/sites/laravel.conf new file mode 100644 index 0000000..f648f17 --- /dev/null +++ b/tools/conf/etc/nginx/sites/laravel.conf 
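Review bot: `location /sysdoc { alias /srv/www/sysdoc; ... }` (and the `/ports` and `/distfiles` blocks next to it) pair a prefix location without a trailing slash with an `alias` without one, so any request path that merely begins with `/sysdoc` is mapped onto `/srv/www/sysdoc` followed by the rest of the path, which for a path such as `/sysdoc../` lands in the parent directory; the fix is to give both sides the slash, `location /sysdoc/ { alias /srv/www/sysdoc/; ... }`. The `/packages` block uses `root /var/ports/packages;` rather than `alias`, so `/packages/x` resolves to `/var/ports/packages/packages/x`, which looks like a copy-paste slip given the sibling blocks. In `location ~ \.php$` the script path is passed as `fastcgi_param SCRIPT_FILENAME $request_filename;` with no `try_files $uri =404;` guard, so the protection rests entirely on the `cgi.fix_pathinfo = 0` that the comment asks for in php.ini; adding `try_files $uri =404;` as the first line of that block keeps the check on the nginx side as well. The same slash-less `/sysdoc` alias appears in sites/laravel.conf below.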
@@ -0,0 +1,28 @@
+server {
+ listen 443 ssl;
+ # listen [::]:443 ssl;
+
+ root /srv/www/atom/public;
+ server_name core.privat-network.net;
+
+ location /sysdoc {
+ alias /srv/www/sysdoc;
+ index index.html;
+ autoindex on;
+ }
+
+ index index.php;
+ location / {
+ try_files $uri $uri/ /index.php$is_args$args;
+ }
+
+ location ~ \.php$ {
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ fastcgi_index index.php;
+ # try_files $uri /index.php =404;
+ include /etc/nginx/fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ # fastcgi_pass unix:/var/run/php5-fpm.sock;
+ fastcgi_pass 127.0.0.1:9000;
+ }
+}
-- cgit 1.4.1-2-gfad0
From 84221a7bb9bcdac6a3c162e77c2191a1c44bf574 Mon Sep 17 00:00:00 2001
From: Silvino Silva
Date: Tue, 27 Sep 2016 23:20:02 +0100
Subject: nginx configuration fix
---
tools/conf/etc/nginx/nginx.conf | 2 +-
tools/nginx.html | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
(limited to 'tools/conf')
diff --git a/tools/conf/etc/nginx/nginx.conf b/tools/conf/etc/nginx/nginx.conf
index 088a798..20f53e0 100644
--- a/tools/conf/etc/nginx/nginx.conf
+++ b/tools/conf/etc/nginx/nginx.conf
@@ -35,7 +35,7 @@ http {
 # '"$http_user_agent" "$http_x_forwarded_for"';
 access_log /var/log/nginx/access.log;
- error_log /var/log/nginx/error.log
+ error_log /var/log/nginx/error.log;
 sendfile on;
 #tcp_nopush on;
diff --git a/tools/nginx.html b/tools/nginx.html
index 01c5515..5a43a4c 100644
--- a/tools/nginx.html
+++ b/tools/nginx.html
@@ -172,7 +172,7 @@
 # '"$http_user_agent" "$http_x_forwarded_for"';
 access_log /var/log/nginx/access.log;
- error_log /var/log/nginx/error.log
+ error_log /var/log/nginx/error.log;
 sendfile on;
 #tcp_nopush on;
-- cgit 1.4.1-2-gfad0
From 70951b1c23510043c6f321281ff3b80096fc4502 Mon Sep 17 00:00:00 2001
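Review bot: `# try_files $uri /index.php =404;` is commented out inside `location ~ \.php$`, so a request for a `.php` path that does not exist on disk is still handed to php-fpm with `SCRIPT_FILENAME $document_root$fastcgi_script_name`; re-enable a guard as the first line of the block, `try_files $uri =404;`, so only scripts that exist are passed on. This server block and sites-enabled/mantisbt.conf (in the third commit on this page) both declare `listen 443 ssl;` with `server_name core.privat-network.net;`, and only one server can own that name on port 443; this file lives under `sites/`, which nginx.conf does not include, so it may be meant as a template, but a header comment saying so would spare the next reader the conflict warning. The `/sysdoc` block has the same slash-less `location` + `alias` pairing as drupal.conf and should become `location /sysdoc/ { alias /srv/www/sysdoc/; ... }`; the commented-out `try_files` line is also present in mantisbt.conf.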
From: Silvino Silva
Date: Wed, 28 Sep 2016 01:46:45 +0100
Subject: nginx revision with mantisbt
---
tools/conf/etc/nginx/conf.d/10-default.conf | 8 ++++++++
tools/conf/etc/nginx/nginx.conf | 9 ---------
tools/conf/etc/nginx/sites-enabled/mantisbt.conf | 23 +++++++++++++++++++++++
3 files changed, 31 insertions(+), 9 deletions(-)
create mode 100644 tools/conf/etc/nginx/conf.d/10-default.conf
create mode 100644 tools/conf/etc/nginx/sites-enabled/mantisbt.conf
(limited to 'tools/conf')
diff --git a/tools/conf/etc/nginx/conf.d/10-default.conf b/tools/conf/etc/nginx/conf.d/10-default.conf
new file mode 100644
index 0000000..97ee31b
--- /dev/null
+++ b/tools/conf/etc/nginx/conf.d/10-default.conf
@@ -0,0 +1,8 @@
+##
+# Virtual Host Redirection 80 to 443
+##
+server {
+ listen 80 default_server;
+ server_name _;
+ return 301 https://$host$request_uri;
+}
diff --git a/tools/conf/etc/nginx/nginx.conf b/tools/conf/etc/nginx/nginx.conf
index 20f53e0..ddbdee6 100644
--- a/tools/conf/etc/nginx/nginx.conf
+++ b/tools/conf/etc/nginx/nginx.conf
@@ -55,15 +55,6 @@ http {
 gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
- ##
- # Virtual Host Configs
- ##
- server {
- listen 80 default_server;
- server_name _;
- return 301 https://$host$request_uri;
- }
-
 include /etc/nginx/conf.d/*.conf;
 include /etc/nginx/sites-enabled/*.conf;
diff --git a/tools/conf/etc/nginx/sites-enabled/mantisbt.conf b/tools/conf/etc/nginx/sites-enabled/mantisbt.conf
new file mode 100644
index 0000000..597983f
--- /dev/null
+++ b/tools/conf/etc/nginx/sites-enabled/mantisbt.conf
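Review bot: `return 301 https://$host$request_uri;` in the new catch-all server builds the redirect target from `$host`, which is taken from the client's Host header when one is present, so the default server sends clients to whatever host name they name rather than only to this site; with `server_name _;` there is no fixed name to substitute. A more defensive shape keeps this block as a plain `return 444;` catch-all for unknown names and performs the redirect only in a server block that lists the real names, using `return 301 https://$server_name$request_uri;`. The nginx.conf hunk below only relocates this same block, so behaviour is unchanged by the move; the point is about the rule itself.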
@@ -0,0 +1,23 @@
+server {
+ listen 443 ssl;
+ # listen [::]:443 ssl;
+
+ root /srv/www/mantisbt;
+ server_name core.privat-network.net;
+
+ index index.php;
+
+ location / {
+ try_files $uri $uri/ /index.php$is_args$args;
+ }
+
+ location ~ \.php$ {
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ fastcgi_index index.php;
+ # try_files $uri /index.php =404;
+ include /etc/nginx/fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ # fastcgi_pass unix:/var/run/php5-fpm.sock;
+ fastcgi_pass 127.0.0.1:9000;
+ }
+}
-- cgit 1.4.1-2-gfad0
From 2f30196609c9ef1c7e0b03fc0f6a7a60c0c5526e Mon Sep 17 00:00:00 2001
From: Silvino Silva
Date: Sun, 25 Sep 2016 01:03:53 +0100
Subject: network revision
---
core/conf/rc.d/iptables | 50 +++++-
core/conf/rc.d/net | 2 -
core/network.html | 33 +++-
tools/conf/etc/dnsmasq.conf | 22 ++-
tools/conf/etc/rc.d/blan | 63 +++++++
tools/index.html | 38 ++---
tools/network.html | 46 +++++
tools/qemu.html | 70 ++++----
tools/scripts/iptables.sh | 337 ------------------------------------
tools/scripts/system-iptables.sh | 361 +++++++++++++++++++++++++++++++++++++++
tools/scripts/system-qemu.sh | 15 ++
11 files changed, 628 insertions(+), 409 deletions(-)
create mode 100755 tools/conf/etc/rc.d/blan
create mode 100644 tools/network.html
delete mode 100644 tools/scripts/iptables.sh
create mode 100644 tools/scripts/system-iptables.sh
create mode 100644 tools/scripts/system-qemu.sh
(limited to 'tools/conf')
diff --git a/core/conf/rc.d/iptables b/core/conf/rc.d/iptables
index 2d77722..3f29928 100644
--- a/core/conf/rc.d/iptables
+++ b/core/conf/rc.d/iptables
@@ -1,12 +1,12 @@
 #!/bin/sh
 #
-# /etc/rc.d/iptables: load/unload iptable rules
+# /etc/rc.d/iptables: load/unload iptable rules
 #
 case $1 in
 start)
 echo "Starting IPv4 firewall filter table..."
- /usr/sbin/iptables-restore < /etc/iptables/rules.v4
+ /usr/sbin/iptables-restore < /etc/iptables/rules.v4
 ;;
 stop)
 echo "Stopping firewall and deny everyone..."
@@ -21,16 +21,60 @@ stop) iptables -t security -F iptables -t security -X - /usr/sbin/iptables -P INPUT DROP /usr/sbin/iptables -P FORWARD DROP /usr/sbin/iptables -P OUTPUT DROP + + # Unlimited on local + /usr/sbin/iptables -A INPUT -i lo -j ACCEPT + /usr/sbin/iptables -A OUTPUT -o lo -j ACCEPT + + # log everything else and drop + /usr/sbin/iptables -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: " + /usr/sbin/iptables -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: " + /usr/sbin/iptables -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: " + + ;; +open) + echo "Outgoing Open firewall and deny everyone..." + iptables -F + iptables -X + iptables -t nat -F + iptables -t nat -X + iptables -t mangle -F + iptables -t mangle -X + iptables -t raw -F + iptables -t raw -X + iptables -t security -F + iptables -t security -X + + /usr/sbin/iptables -P INPUT DROP + /usr/sbin/iptables -P FORWARD DROP + /usr/sbin/iptables -P OUTPUT ACCEPT + + # Unlimited on local + /usr/sbin/iptables -A INPUT -i lo -j ACCEPT + /usr/sbin/iptables -A OUTPUT -o lo -j ACCEPT + + # Accept passive + /usr/sbin/iptables -A INPUT -p tcp --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT + + /usr/sbin/iptables -A INPUT -p udp --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT + + + # log everything else and drop + /usr/sbin/iptables -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: " + #/usr/sbin/iptables -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: " + /usr/sbin/iptables -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: " + ;; + restart) $0 stop $0 start ;; *) + echo "usage: $0 [start|stop|restart]" ;; esac diff --git a/core/conf/rc.d/net b/core/conf/rc.d/net index 2b94af0..d46583b 100755 --- a/core/conf/rc.d/net +++ b/core/conf/rc.d/net 
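Review bot: The usage line added at the bottom, `echo "usage: $0 [start|stop|restart]"`, does not list the new `open)` case; it should read `echo "usage: $0 [start|stop|open|restart]"`. In `open)` the two `--state ESTABLISHED,RELATED` accepts are limited to `-p tcp --dport 1024:` and `-p udp --dport 1024:`, so RELATED ICMP (destination-unreachable, fragmentation-needed) and replies to connections opened from a source port below 1024 fall through to the LOG rule and are dropped; a single `/usr/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT` admits reply traffic for connections this host initiated without opening any listening port. The `stop)` case this hunk continues begins outside the hunk; both `stop` and `open` set `-P INPUT DROP` and flush every table first, so `restart` passes through a full lockdown before `start` restores the saved rules, which is fine but worth a comment. The mix of bare `iptables` for flushing and `/usr/sbin/iptables` for policies within one case would read more easily with one form throughout.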
@@ -31,8 +31,6 @@ case $1 in /usr/bin/pkill -F /var/run/dhcpcd-${DEV}.pid else - # /sbin/ip route del default - /sbin/ip route flush dev ${DEV} /sbin/ip link set ${DEV} down /sbin/ip addr flush dev ${DEV} fi diff --git a/core/network.html b/core/network.html index 39fc9c2..ce4643b 100644 --- a/core/network.html +++ b/core/network.html @@ -23,9 +23,9 @@ connection to router and add as default gateway. -

If is first boot after install configure iptables and - one of above described scripts then proceed to upgrade your - system.

+

If is first boot after install configure iptables and + one of above described scripts then proceed to upgrade your + system.

2.1.1. Resolver

@@ -113,8 +113,16 @@ configure nat and filtering;

+<<<<<<< HEAD
         # mkdir /etc/iptables
         # cp c9-doc/core/scripts/iptables.sh /etc/iptables/
+=======
+        DEV=tap0
+        ADDR=10.0.0.1
+        NET=10.0.0.0
+        MASK=24
+        GW=10.0.0.1
+>>>>>>> core network revision
         

Adjust iptables to your needs, then;

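Review bot: `<<<<<<< HEAD`, `=======` and `>>>>>>> core network revision` are unresolved merge-conflict markers committed into core/network.html in this hunk and again in the next one (`@@ -129,9 +137,22 @@`), so readers see both the `cp c9-doc/core/scripts/iptables.sh` instructions and the `DEV=tap0` bridge commands with the markers in between. Each conflict should be resolved by keeping the intended text and deleting the three marker lines; the bridge commands duplicated here already live in tools/network.html and /etc/rc.d/blan elsewhere in this commit, which suggests the HEAD side is what this section meant to keep, but that is an inference from the surrounding text.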
@@ -129,9 +137,22 @@ let drop when you call stop.

+<<<<<<< HEAD
         # cp c9-doc/core/conf/rc.d/iptables /etc/rc.d/
         # vim /etc/rc.d/iptables
         # chmod +x /etc/rc.d/iptables
+=======
+        # ip link add name ${DEV} type bridge
+        # ip link set dev ${DEV} up
+
+        # ip addr add ${ADDR}/${MASK} dev ${DEV} broadcast 10.0.0.255
+        # ip addr add 0.0.0.0/${MASK} dev ${DEV} broadcast +
+
+        # ip tuntap add ${TAP} mode tap group kvm
+        # ip link set dev ${TAP} up
+
+        # ip link set dev ${TAP} master ${DEV}
+>>>>>>> core network revision
         

Re-configure your rc.conf and add iptables before (w)lan is up;

@@ -187,10 +208,10 @@

Use /etc/rc.d/wlan - init script to auto load wpa configuration and dhcp + init script to auto load wpa configuration and dhcp client.

-

2.1.4.2. Wpa Cli

+

2.1.4.2. Wpa Cli

         # wpa_cli
@@ -345,7 +366,7 @@
         

Change to act as a router (default of conf/sysctl.conf);

-    	# Act as a router, necessary for Access Point
+        # Act as a router, necessary for Access Point
         net.ipv4.ip_forward = 1
         net.ipv4.conf.all.send_redirects = 1
         net.ipv4.conf.default.send_redirects = 1
diff --git a/tools/conf/etc/dnsmasq.conf b/tools/conf/etc/dnsmasq.conf
index 35d75c8..f09b6a6 100644
--- a/tools/conf/etc/dnsmasq.conf
+++ b/tools/conf/etc/dnsmasq.conf
@@ -8,6 +8,7 @@
 # (53). Setting this to zero completely disables DNS function,
 # leaving only DHCP and/or TFTP.
 #port=5353
+port=53
 
 # The following two options make you a better netizen, since they
 # tell dnsmasq to filter out queries which the public DNS cannot
@@ -74,7 +75,7 @@ server=127.0.0.1#40
 
 # Add local-only domains here, queries in these domains are answered
 # from /etc/hosts or DHCP only.
-#local=/localnet/
+local=/core/
 
 # Add domains which you want to force to an IP address here.
 # The example below send any host in double-click.net to a local
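Review bot: `local=/core/` declares the local-only zone as `core`, while the later hunk (`@@ -145,7 +150,7 @@`) sets `domain=core.privat-network.net` alongside `expand-hosts`, so simple names are expanded to `host.core.privat-network.net`, which the `local=` rule does not cover; lookups for such names that are not in /etc/hosts or the lease table are then forwarded to the upstream `server=127.0.0.1#40` instead of being answered locally. If one internal zone is intended, `local=/core.privat-network.net/` matches the `domain=` setting. This is inferred from the two settings alone; if `core` is a deliberate short suffix, a comment saying so would keep the next reader from "fixing" it.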
@@ -106,16 +107,20 @@ server=127.0.0.1#40
 # specified interfaces (and the loopback) give the name of the
 # interface (eg eth0) here.
 # Repeat the line for more than one interface.
-#interface=
+interface=lo
+interface=br0
+
 # Or you can specify which interface _not_ to listen on
-#except-interface=
+except-interface=wlp7s0
 # Or which to listen on by address (remember to include 127.0.0.1 if
 # you use this.)
-#listen-address=
+listen-address=127.0.0.1
+#listen-address=10.0.0.1
 # If you want dnsmasq to provide only DNS service on an interface,
 # configure it as shown above, and then use the following line to
 # disable DHCP and TFTP on it.
-#no-dhcp-interface=
+no-dhcp-interface=lo
+no-dhcp-interface=wlp7s0
 
 # On systems which support it, dnsmasq binds the wildcard address,
 # even when it is listening on only some interfaces. It then discards
@@ -124,7 +129,7 @@ server=127.0.0.1#40
 # want dnsmasq to really bind only the interfaces it is listening on,
 # uncomment this option. About the only time you may need this is when
 # running another nameserver on the same machine.
-#bind-interfaces
+bind-interfaces
 
 # If you don't want dnsmasq to read /etc/hosts, uncomment the
 # following line.
@@ -136,7 +141,7 @@ addn-hosts=/etc/hosts.dnsmasq
 
 # Set this (and domain: see below) if you want to have a domain
 # automatically added to simple names in a hosts-file.
-#expand-hosts
+expand-hosts
 
 # Set the domain for dnsmasq. this is optional, but if it is set, it
 # does the following things.
@@ -145,7 +150,7 @@ addn-hosts=/etc/hosts.dnsmasq
 # 2) Sets the "domain" DHCP option thereby potentially setting the
 #    domain of all systems configured by DHCP
 # 3) Provides the domain part for "expand-hosts"
-#domain=thekelleys.org.uk
+domain=core.privat-network.net
 
 # Set a different domain for a particular subnet
 #domain=wireless.thekelleys.org.uk,192.168.2.0/24
@@ -159,6 +164,7 @@ addn-hosts=/etc/hosts.dnsmasq
 # repeat this for each network on which you want to supply DHCP
 # service.
 #dhcp-range=192.168.0.50,192.168.0.150,12h
+dhcp-range=br0,10.0.0.5,10.0.0.50,12h
 
 # This is an example of a DHCP range where the netmask is given. This
 # is needed for networks we reach the dnsmasq DHCP server via a relay
diff --git a/tools/conf/etc/rc.d/blan b/tools/conf/etc/rc.d/blan
new file mode 100755
index 0000000..f75d272
--- /dev/null
+++ b/tools/conf/etc/rc.d/blan
@@ -0,0 +1,63 @@
+#!/bin/sh
+#
+# /etc/rc.d/net: start/stop network interface
+#
+
+DEV="br0"
+PHY="enp8s0"
+
+ADDR=10.0.0.1
+NET=10.0.0.0
+MASK=24
+GTW=10.0.0.1
+NTAPS=$((`/usr/bin/nproc`-1))
+
+case $1 in
+	start)
+                /sbin/ip link add name ${DEV} type bridge
+                /sbin/ip link set dev ${DEV} up
+
+                /bin/sleep 0.2s
+                /sbin/ip route flush dev ${PHY}
+                /sbin/ip addr flush dev ${PHY}
+                /sbin/ip link set dev ${PHY} master ${DEV}
+
+                /sbin/ip addr add ${ADDR}/${MASK} dev ${DEV} broadcast +
+
+                for i in `/usr/bin/seq $NTAPS`
+                do
+                    TAP="tap$i"
+                    echo $TAP
+                    /sbin/ip tuntap add ${TAP} mode tap group kvm
+                    /sbin/ip link set ${TAP} up
+                    /bin/sleep 0.2s
+                    #brctl addif $switch $1
+                    /sbin/ip link set ${TAP} master ${DEV}
+                done
+
+		exit 0
+		;;
+	stop)
+
+                for i in `/usr/bin/seq $NTAPS`
+                do
+                    TAP="tap$i"
+		    /sbin/ip link del ${TAP}
+                    echo $TAP
+                done
+
+       		/sbin/ip link set dev ${DEV} down
+		/sbin/ip route flush dev ${DEV}
+		/sbin/ip link del ${DEV}
+		exit 0
+		;;
+	restart)
+		$0 stop
+		$0 start
+		;;
+	*)
+		echo "Usage: $0 [start|stop|restart]"
+		;;
+esac
+
+# End of file
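Review bot: The header comment `# /etc/rc.d/net: start/stop network interface` names a different script; this file is /etc/rc.d/blan and builds a bridge plus tap devices, so `# /etc/rc.d/blan: start/stop bridge and kvm tap interfaces` would match what follows. `NET` and `GTW` are assigned and never used, `start)` flushes the routes and address of `${PHY}` and `stop)` removes the bridge without restoring them, so after `stop` the host is left with no address on `enp8s0` until `start` runs again, and none of the `ip` calls are checked, so a failed `ip link add name ${DEV} type bridge` still leads to the physical interface being flushed and the taps being attached to a missing master. The `echo $TAP` lines in both cases look like leftover debugging output, the indentation mixes tabs and spaces between `start)` and `stop)`, and `$(/usr/bin/nproc)` is the modern form of the backtick substitution used for `NTAPS`.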
diff --git a/tools/index.html b/tools/index.html
index bf317e1..407d212 100644
--- a/tools/index.html
+++ b/tools/index.html
@@ -68,12 +68,12 @@
         

System Administration

    -
  • Network +
  • Network Tools
  • Storage @@ -120,29 +120,29 @@
  • OpenSSH
  • Gitolite
  • Postgresql
  • Nginx diff --git a/tools/network.html b/tools/network.html new file mode 100644 index 0000000..5e4a481 --- /dev/null +++ b/tools/network.html @@ -0,0 +1,46 @@ + + + + + Network Tools + + + + Tools Index + +

    Network Tools

    + +

    Bridges

    + +

    See /etc/rc.d/blan on + how to create interfaces at startup or as source to do it + in automatic way;

    + +
    +        DEV="br0"
    +        PHY="enp8s0"
    +        
    + +
    +        # ip link add name ${DEV} type bridge
    +        # ip link set dev ${DEV} up
    +        
    +
    +        # ip route flush dev ${PHY}
    +        # ip addr flush dev ${PHY}
    +        # ip link set dev ${PHY} master ${DEV}
    +        
    + +
    +        # ip addr add ${ADDR}/${MASK} dev ${DEV} broadcast +
    +        
    + + Tools Index +

    This is part of the c9 Manual. + Copyright (C) 2016 + c9 team. + See the file Gnu Free Documentation License + for copying conditions.

    + + + diff --git a/tools/qemu.html b/tools/qemu.html index ce1b66d..8c53ce7 100644 --- a/tools/qemu.html +++ b/tools/qemu.html @@ -97,45 +97,53 @@
    The VDE networking backend.
    - -

    2.1. Tap interfaces

    -
             KERNEL=="tun", GROUP="kvm", MODE="0660", OPTIONS+="static_node=net/tun"
             
    -

    Automatic creation of tap interface with - correct permissions set for user and group, - you can set only user or group;

    -
    -        # tunctl -u username -g kvm -t tap0
    -        
    +

    2.1. Public Bridge

    -

    Set permissions to existing tap interface;

    +

    Create bridge, create new + tap and add it to bridge;

    -        # tunctl -u username -t tap0
    +        # DEV="br0"
    +        # TAP="tap5"
             
    - -

    Manual creation of tap interface;

    +
    +        # ip tuntap add ${TAP} mode tap group kvm
    +        # ip link set ${TAP} up
    +        
    -        # ip tuntap add name tap0 mode tap
    -        # chmod 0666 /dev/tap0
    -        # chown root:username /dev/tap0
    +        # ip link set ${TAP} master ${DEV}
             
    +

    See scripts/system-qemu.sh, + as template. Run virtual machine that uses above tap device;

    +
    -        # ip addr add 10.0.2.1/24 dev tap0
    -        # ip link set dev tap0 up
    -        # ip link show
    +        $ ISO=~/crux-3.2.iso
    +        $ IMG=~/crux-img.qcow2
    +
    +        $ qemu-system-x86_64 \
    +            -enable-kvm \
    +            -m 1024 \
    +            -boot d \
    +            -cdrom ${ISO} \
    +            -hda ${IMG} \
    +            -net nic,model=virtio -net tap,ifname=${TAP},script=no,downscript=no
             
    +

    2.2. Routing

    + +

    Create interface with correct permissions set for kvm group.

    +
             # sysctl -w net.ipv4.ip_forward=1
    -        # iptables -t nat -A POSTROUTING -s 10.0.2.0/24 -o eth0 -j MASQUERADE
    +        # iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
             

    Guest System

    @@ -143,22 +151,16 @@

    Start qemu with 512 of ram, mydisk.img as disk and boot from iso

    -        $ qemu-system-x86_64 \
    -        -enable-kvm \
    -        -m 512 \
    -        -boot d -cdrom image.iso \
    -        -hda mydisk.img
    -        
    + $ ISO=~/crux-3.2.iso + $ IMG=~/crux-img.qcow2 -

    Start qemu with 1024 of ram, network configured using tap0 - interface device no host and boot from crux.qcow2;

    - -
             $ qemu-system-x86_64 \
    -        -enable-kvm \
    -        -m 1024 \
    -        -hda c9/local/crux.qcow2 \
    -        -net nic,model=virtio -net tap,ifname=tap0,script=no,downscript=no
    +            -enable-kvm \
    +            -m 1024 \
    +            -boot d \
    +            -cdrom ${ISO} \
    +            -hda ${IMG} \
    +            -net nic,model=virtio -net tap,ifname=${TAP},script=no,downscript=no
             
    Tools Index diff --git a/tools/scripts/iptables.sh b/tools/scripts/iptables.sh deleted file mode 100644 index 3215633..0000000 --- a/tools/scripts/iptables.sh +++ /dev/null 
@@ -1,337 +0,0 @@ -#!/bin/sh - -# -# XXXXXXXXXXXXXXXXX -# XXXX Network XXXX -# XXXXXXXXXXXXXXXXX -# + -# | -# v -# +-------------+ +------------------+ -# |table: filter| <---+ | table: nat | -# |chain: INPUT | | | chain: PREROUTING| -# +-----+-------+ | +--------+---------+ -# | | | -# v | v -# [local process] | **************** +--------------+ -# | +---------+ Routing decision +------> |table: filter | -# v **************** |chain: FORWARD| -# **************** +------+-------+ -# Routing decision | -# **************** | -# | | -# v **************** | -# +-------------+ +------> Routing decision <---------------+ -# |table: nat | | **************** -# |chain: OUTPUT| | + -# +-----+-------+ | | -# | | v -# v | +-------------------+ -# +--------------+ | | table: nat | -# |table: filter | +----+ | chain: POSTROUTING| -# |chain: OUTPUT | +--------+----------+ -# +--------------+ | -# v -# XXXXXXXXXXXXXXXXX -# XXXX Network XXXX -# XXXXXXXXXXXXXXXXX -# -# iptables [-t table] {-A|-C|-D} chain rule-specification -# -# iptables [-t table] {-A|-C|-D} chain rule-specification -# -# iptables [-t table] -I chain [rulenum] rule-specification -# -# iptables [-t table] -R chain rulenum rule-specification -# -# iptables [-t table] -D chain rulenum -# -# iptables [-t table] -S [chain [rulenum]] -# -# iptables [-t table] {-F|-L|-Z} [chain [rulenum]] [options...] -# -# iptables [-t table] -N chain -# -# iptables [-t table] -X [chain] -# -# iptables [-t table] -P chain target -# -# iptables [-t table] -E old-chain-name new-chain-name -# -# rule-specification = [matches...] [target] -# -# match = -m matchname [per-match-options] -# -# -# Targets -# -# can be a user defined chain -# -# ACCEPT - accepts the packet -# DROP - drop the packet on the floor -# QUEUE - packet will be stent to queue -# RETURN - stop traversing this chain and -# resume ate the next rule in the -# previeus (calling) chain. 
-# -# if packet reach the end of the chain or -# a target RETURN, default policy for that -# chain is applayed. -# -# Target Extensions -# -# AUDIT -# CHECKSUM -# CLASSIFY -# DNAT -# DSCP -# LOG -# Torn on kernel logging, will print some -# some information on all matching packets. -# Log data can be read with dmesg or syslogd. -# This is a non-terminating target and a rule -# should be created with matching criteria. -# -# --log-level level -# Level of logging (numeric or see sys- -# log.conf(5) -# -# --log-prefix prefix -# Prefix log messages with specified prefix -# up to 29 chars log -# -# --log-uid -# Log the userid of the process with gener- -# ated the packet -# NFLOG -# This target pass the packet to loaded logging -# backend to log the packet. One or more userspace -# processes may subscribe to the group to receive -# the packets. -# -# ULOG -# This target provides userspace logging of maching -# packets. One or more userspace processes may then -# then subscribe to various multicast groups and -# then receive the packets. -# -# -# Commands -# -# -A, --append chain rule-specification -# -C, --check chain rule-specification -# -D, --delete chain rule-specification -# -D, --delete chain rulenum -# -I, --insert chain [rulenum] rule-specification -# -R, --replace chain rulenum rule-specification -# -L, --list [chain] -# -P, --policy chain target -# -# Parameters -# -# -p, --protocol protocol -# tcp, udp, udplite, icmp, esp, ah, sctp, all -# -s, --source address[/mask][,...] -# -d, --destination address[/mask][,...] -# -j, --jump target -# -g, --goto chain -# -i, --in-interface name -# -o, --out-interface name -# -f, --fragment -# -m, --match options module-name -# iptables can use extended packet matching -# modules. 
-# -c, --set-counters packets bytes - -IPT="/usr/sbin/iptables" -SPAMLIST="blockedip" -SPAMDROPMSG="BLOCKED IP DROP" -PUB_IF="wlp7s0" -DHCP_SERV="192.168.1.254" -#PUB_IP="192.168.1.65" -#PRIV_IF="wlp3s0" - -modprobe ip_conntrack -modprobe ip_conntrack_ftp - -echo "Stopping ipv4 firewall and deny everyone..." - -iptables -F -iptables -X -iptables -t nat -F -iptables -t nat -X -iptables -t mangle -F -iptables -t mangle -X -iptables -t raw -F -iptables -t raw -X -iptables -t security -F -iptables -t security -X - - -echo "Starting ipv4 firewall filter table..." - -# Set Default Rules -iptables -P INPUT DROP -iptables -P FORWARD DROP -iptables -P OUTPUT DROP - -# Unlimited on local -$IPT -A INPUT -i lo -j ACCEPT -$IPT -A OUTPUT -o lo -j ACCEPT - -# Block sync -$IPT -A INPUT -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 7 --log-prefix "iptables: drop sync: " -$IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP - -# Block Fragments -$IPT -A INPUT -f -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop frag: " -$IPT -A INPUT -f -j DROP - -# Block bad stuff -$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP -$IPT -A INPUT -p tcp --tcp-flags ALL ALL -j DROP - -$IPT -A INPUT -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop null: " -$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP # NULL packets - -$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop syn rst syn rst: " -$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP - -$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop xmas: " -$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #XMAS - -$IPT -A INPUT -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 
--log-prefix "iptables: drop fin scan: " -$IPT -A INPUT -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans - -$IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP - -##### Add your AP rules below ###### - -#echo 1 > /proc/sys/net/ipv4/ip_forward -#$IPT -t nat -A POSTROUTING -o ${PUB_IF} -j SNAT --to ${PUB_IP} -#$IPT -A FORWARD -i ${PRIV_IF} -o ${PUB_IF} -j ACCEPT -#$IPT -A FORWARD -i ${PUB_IF} -o ${PRIV_IF} -j ACCEPT - -#$IPT -A INPUT -i ${PRIV_IF} -j ACCEPT -#$IPT -A OUTPUT -o ${PRIV_IF} -j ACCEPT - -##### Server rules below ###### - -#echo "Allow ICMP" -#$IPT -A INPUT -i ${PUB_IF} -p icmp --icmp-type 0 -s 192.168.0.0/16 -j ACCEPT -#$IPT -A OUTPUT -o ${PUB_IF} -p icmp --icmp-type 0 -d 192.168.0.0/16 -j ACCEPT -#$IPT -A INPUT -i ${PUB_IF} -p icmp --icmp-type 8 -s 192.168.0.0/16 -j ACCEPT -#$IPT -A OUTPUT -o ${PUB_IF} -p icmp --icmp-type 8 -d 192.168.0.0/16 -j ACCEPT - -#echo "Allow DNS Server" -#$IPT -A INPUT -i ${PUB_IF} -p udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -s 192.168.0.0/16 -j ACCEPT -#$IPT -A OUTPUT -o ${PUB_IF} -p udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -d 192.168.0.0/16 -j ACCEPT - -#echo "Allow HTTP and HTTPS server" -#$IPT -A INPUT -i ${PUB_IF} -p tcp --dport 443 -m state --state NEW,ESTABLISHED -s 192.168.0.0/16 -j ACCEPT -#$IPT -A INPUT -i ${PUB_IF} -p tcp --dport 80 -m state --state NEW,ESTABLISHED -s 192.168.0.0/16 -j ACCEPT -#$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 80 -m state --state NEW,ESTABLISHED -s 192.168.0.0/16 -j ACCEPT -#$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 443 -m state --state NEW,ESTABLISHED -s 192.168.0.0/16 -j ACCEPT - -#echo "Allow ssh server" -#$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT -#$IPT -A INPUT -i ${PUB_IF} -p tcp --dport 22 -m state --state ESTABLISHED -j ACCEPT -#$IPT -A INPUT -i ${PUB_IF} -p tcp --dport 22 -m state --state NEW -m limit --limit 3/min --limit-burst 3 -j ACCEPT - -##### Add your rules below 
###### - -echo "Allow DNS Client" - -#$IPT -A INPUT -i ${PUB_IF} -p udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -#$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -#$IPT -A OUTPUT -o ${PUB_IF} -p udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT -#$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT - -echo "Allow Whois Client" - -$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 43 -m state --state ESTABLISHED -j ACCEPT -$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 43 -m state --state NEW,ESTABLISHED -j ACCEPT - -echo "Allow HTTP Client" - -$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT - -$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -$IPT -A INPUT -i ${PUB_IF} -p udp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT -$IPT -A OUTPUT -o ${PUB_IF} -p udp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT - - -echo "Allow Rsync Client" -$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT -$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 873 -m state --state ESTABLISHED -j ACCEPT - -echo "Allow POP3S Client" -$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT -$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 995 -m state --state ESTABLISHED -j ACCEPT - -echo "Allow SMTPS Client" -$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT -$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 465 -m state --state ESTABLISHED -j ACCEPT - -echo 
"Allow NTP Client" -$IPT -A OUTPUT -o ${PUB_IF} -p udp --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT -$IPT -A INPUT -i ${PUB_IF} -p udp --sport 123 -m state --state ESTABLISHED -j ACCEPT - -$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT -$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT - -echo "Allow IRC Client" -$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 6667 -m state --state NEW -j ACCEPT - -echo "Allow Active FTP Client" -$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 20 -m state --state ESTABLISHED -j ACCEPT -$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 20 -m state --state NEW,ESTABLISHED -j ACCEPT - -echo "Allow Git" -$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 9418 -m state --state NEW -j ACCEPT - -echo "Allow ssh client" -$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT -$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT - -#echo "Allow Passive Connections" -$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 1024:65535 --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT -$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT - - -# echo "Allow FairCoin" -# $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 46392 -m state --state NEW,ESTABLISHED -j ACCEPT -# $IPT -A INPUT -i ${PUB_IF} -p tcp --sport 46392 -m state --state ESTABLISHED -j ACCEPT -# -# echo "Allow Dashcoin" -# $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 29080 -m state --state NEW,ESTABLISHED -j ACCEPT -# $IPT -A INPUT -i ${PUB_IF} -p tcp --sport 29080 -m state --state ESTABLISHED -j ACCEPT -# -# echo "Allow warzone2100" -# $IPT -A INPUT -i ${PUB_IF} -p tcp --dport 2100 -s 192.168.0.0/16 -j ACCEPT -# $IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 2100 -j ACCEPT -# $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 2100 -j ACCEPT -# $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 9990 -j ACCEPT -# 
-# echo "Allow wesnoth" -# $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 15000 -m state --state NEW -j ACCEPT -# $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 14998 -m state --state NEW -j ACCEPT - -##### END your rules ############ -# Less log of known traffic - -# RIP protocol -$IPT -A INPUT -i ${PUB_IF} -p udp --sport 520 --dport 520 -s 192.168.0.0/16 -j DROP - -# DHCP -$IPT -A OUTPUT -o ${PUB_IF} -p udp --sport 68 --dport 67 -d $DHCP_SERV -j ACCEPT -$IPT -A INPUT -i ${PUB_IF} -p udp --sport 68 --dport 67 -s $DHCP_SERV -j ACCEPT - -# log everything else and drop -$IPT -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: " -$IPT -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: " -$IPT -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: " - -exit 0 diff --git a/tools/scripts/system-iptables.sh b/tools/scripts/system-iptables.sh new file mode 100644 index 0000000..4ec3b79 --- /dev/null +++ b/tools/scripts/system-iptables.sh 
@@ -0,0 +1,361 @@ +#!/bin/sh + +# +# XXXXXXXXXXXXXXXXX +# XXXX Network XXXX +# XXXXXXXXXXXXXXXXX +# + +# | +# v +# +-------------+ +------------------+ +# |table: filter| <---+ | table: nat | +# |chain: INPUT | | | chain: PREROUTING| +# +-----+-------+ | +--------+---------+ +# | | | +# v | v +# [local process] | **************** +--------------+ +# | +---------+ Routing decision +------> |table: filter | +# v **************** |chain: FORWARD| +# **************** +------+-------+ +# Routing decision | +# **************** | +# | | +# v **************** | +# +-------------+ +------> Routing decision <---------------+ +# |table: nat | | **************** +# |chain: OUTPUT| | + +# +-----+-------+ | | +# | | v +# v | +-------------------+ +# +--------------+ | | table: nat | +# |table: filter | +----+ | chain: POSTROUTING| +# |chain: OUTPUT | +--------+----------+ +# +--------------+ | +# v +# XXXXXXXXXXXXXXXXX +# XXXX Network XXXX +# XXXXXXXXXXXXXXXXX +# +# iptables [-t table] {-A|-C|-D} chain rule-specification +# +# iptables [-t table] {-A|-C|-D} chain rule-specification +# +# iptables [-t table] -I chain [rulenum] rule-specification +# +# iptables [-t table] -R chain rulenum rule-specification +# +# iptables [-t table] -D chain rulenum +# +# iptables [-t table] -S [chain [rulenum]] +# +# iptables [-t table] {-F|-L|-Z} [chain [rulenum]] [options...] +# +# iptables [-t table] -N chain +# +# iptables [-t table] -X [chain] +# +# iptables [-t table] -P chain target +# +# iptables [-t table] -E old-chain-name new-chain-name +# +# rule-specification = [matches...] [target] +# +# match = -m matchname [per-match-options] +# +# +# Targets +# +# can be a user defined chain +# +# ACCEPT - accepts the packet +# DROP - drop the packet on the floor +# QUEUE - packet will be stent to queue +# RETURN - stop traversing this chain and +# resume ate the next rule in the +# previeus (calling) chain. 
+# +# if packet reach the end of the chain or +# a target RETURN, default policy for that +# chain is applayed. +# +# Target Extensions +# +# AUDIT +# CHECKSUM +# CLASSIFY +# DNAT +# DSCP +# LOG +# Torn on kernel logging, will print some +# some information on all matching packets. +# Log data can be read with dmesg or syslogd. +# This is a non-terminating target and a rule +# should be created with matching criteria. +# +# --log-level level +# Level of logging (numeric or see sys- +# log.conf(5) +# +# --log-prefix prefix +# Prefix log messages with specified prefix +# up to 29 chars log +# +# --log-uid +# Log the userid of the process with gener- +# ated the packet +# NFLOG +# This target pass the packet to loaded logging +# backend to log the packet. One or more userspace +# processes may subscribe to the group to receive +# the packets. +# +# ULOG +# This target provides userspace logging of maching +# packets. One or more userspace processes may then +# then subscribe to various multicast groups and +# then receive the packets. +# +# +# Commands +# +# -A, --append chain rule-specification +# -C, --check chain rule-specification +# -D, --delete chain rule-specification +# -D, --delete chain rulenum +# -I, --insert chain [rulenum] rule-specification +# -R, --replace chain rulenum rule-specification +# -L, --list [chain] +# -P, --policy chain target +# +# Parameters +# +# -p, --protocol protocol +# tcp, udp, udplite, icmp, esp, ah, sctp, all +# -s, --source address[/mask][,...] +# -d, --destination address[/mask][,...] +# -j, --jump target +# -g, --goto chain +# -i, --in-interface name +# -o, --out-interface name +# -f, --fragment +# -m, --match options module-name +# iptables can use extended packet matching +# modules. 
+# -c, --set-counters packets bytes
+
+IPT="/usr/sbin/iptables"
+SPAMLIST="blockedip"
+SPAMDROPMSG="BLOCKED IP DROP"
+
+PUB_IF="wlp7s0"
+#PRIV_IF="wlp3s0"
+
+BRIDGE="br0"
+BNET=10.0.0.0
+BMSK=24
+
+DHCP_IP="192.168.1.254"
+PUB_IP=$(ip addr show dev ${PUB_IF} | grep 'state UP' -A2 | tail -n1 | awk '{print $2}' | cut -f1 -d'/')
+
+modprobe ip_conntrack
+modprobe ip_conntrack_ftp
+
+echo "Stopping ipv4 firewall and deny everyone..."
+
+iptables -F
+iptables -X
+iptables -t nat -F
+iptables -t nat -X
+iptables -t mangle -F
+iptables -t mangle -X
+iptables -t raw -F
+iptables -t raw -X
+iptables -t security -F
+iptables -t security -X
+
+
+echo "Starting ipv4 firewall filter table..."
+
+# Set Default Rules
+iptables -P INPUT DROP
+iptables -P FORWARD DROP
+iptables -P OUTPUT DROP
+
+
+# Unlimited on local
+$IPT -A INPUT -i lo -j ACCEPT
+$IPT -A OUTPUT -o lo -j ACCEPT
+
+$IPT -A INPUT -i $BRIDGE -j ACCEPT
+$IPT -A OUTPUT -o $BRIDGE -j ACCEPT
+
+# Block sync
+$IPT -A INPUT -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 7 --log-prefix "iptables: drop sync: "
+$IPT -A INPUT -p tcp ! 
--syn -m state --state NEW -j DROP
+
+# Block Fragments
+$IPT -A INPUT -f -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop frag: "
+$IPT -A INPUT -f -j DROP
+
+# Block bad stuff
+$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
+$IPT -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
+
+$IPT -A INPUT -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop null: "
+$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP # NULL packets
+
+$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop syn rst syn rst: "
+$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
+
+$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop xmas: "
+$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #XMAS
+
+$IPT -A INPUT -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop fin scan: "
+$IPT -A INPUT -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans
+
+$IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
+
+##### Add your virtual rules below ######
+
+#echo 1 > /proc/sys/net/ipv4/ip_forward
+#$IPT -t nat -A POSTROUTING -o ${PUB_IF} -j SNAT --to ${PUB_IP}
+##$IPT -t nat -A POSTROUTING -s 10.0.2.0/24 -o ${PUB_IF} -j MASQUERADE
+#$IPT -A FORWARD -i ${TAP_IF} -o ${PUB_IF} -j ACCEPT
+#$IPT -A FORWARD -i ${PUB_IF} -o ${TAP_IF} -j ACCEPT
+#
+#$IPT -A INPUT -i ${TAP_IF} -j ACCEPT
+#$IPT -A OUTPUT -o ${TAP_IF} -j ACCEPT
+
+##### Add your AP rules below ######
+
+#echo 1 > /proc/sys/net/ipv4/ip_forward
+#$IPT -t nat -A POSTROUTING -o ${PUB_IF} -j SNAT --to ${PUB_IP}
+#$IPT -A FORWARD -i ${PRIV_IF} -o ${PUB_IF} -j ACCEPT
+#$IPT -A FORWARD -i ${PUB_IF} -o ${PRIV_IF} -j ACCEPT
+
+#$IPT -A INPUT -i ${PRIV_IF} -j ACCEPT
+#$IPT -A OUTPUT -o ${PRIV_IF} -j 
ACCEPT
+
+##### Server rules below ######
+
+#echo "Allow ICMP"
+#$IPT -A INPUT -i ${PUB_IF} -p icmp --icmp-type 0 -s 192.168.0.0/16 -j ACCEPT
+#$IPT -A OUTPUT -o ${PUB_IF} -p icmp --icmp-type 0 -d 192.168.0.0/16 -j ACCEPT
+#$IPT -A INPUT -i ${PUB_IF} -p icmp --icmp-type 8 -s 192.168.0.0/16 -j ACCEPT
+#$IPT -A OUTPUT -o ${PUB_IF} -p icmp --icmp-type 8 -d 192.168.0.0/16 -j ACCEPT
+
+#echo "Allow DNS Server"
+#$IPT -A INPUT -i ${PUB_IF} -p udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -s 192.168.0.0/16 -j ACCEPT
+#$IPT -A OUTPUT -o ${PUB_IF} -p udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -d 192.168.0.0/16 -j ACCEPT
+
+#echo "Allow HTTP and HTTPS server"
+#$IPT -A INPUT -i ${PUB_IF} -p tcp --dport 443 -m state --state NEW,ESTABLISHED -s 192.168.0.0/16 -j ACCEPT
+#$IPT -A INPUT -i ${PUB_IF} -p tcp --dport 80 -m state --state NEW,ESTABLISHED -s 192.168.0.0/16 -j ACCEPT
+#$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 80 -m state --state NEW,ESTABLISHED -s 192.168.0.0/16 -j ACCEPT
+#$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 443 -m state --state NEW,ESTABLISHED -s 192.168.0.0/16 -j ACCEPT
+
+#echo "Allow ssh server"
+#$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
+#$IPT -A INPUT -i ${PUB_IF} -p tcp --dport 22 -m state --state ESTABLISHED -j ACCEPT
+#$IPT -A INPUT -i ${PUB_IF} -p tcp --dport 22 -m state --state NEW -m limit --limit 3/min --limit-burst 3 -j ACCEPT
+
+##### Add your rules below ######
+
+echo "Allow DNS Client"
+
+$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+$IPT -A INPUT -i ${PUB_IF} -p udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+
+$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 53 -m state --state NEW -j LOG --log-level 7 --log-prefix "iptables: DNS TCP: "
+$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
+
+$IPT -A OUTPUT 
-o ${PUB_IF} -p udp --sport 1024:65535 --dport 53 -m state --state NEW -j ACCEPT -j LOG --log-level 7 --log-prefix "iptables: DNS UDP: "
+$IPT -A OUTPUT -o ${PUB_IF} -p udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
+
+echo "Allow Whois Client"
+
+$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 43 -m state --state ESTABLISHED -j ACCEPT
+$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 43 -m state --state NEW,ESTABLISHED -j ACCEPT
+
+echo "Allow HTTP Client"
+
+$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
+
+$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+$IPT -A INPUT -i ${PUB_IF} -p udp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
+$IPT -A OUTPUT -o ${PUB_IF} -p udp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
+
+
+echo "Allow Rsync Client"
+$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT
+$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 873 -m state --state ESTABLISHED -j ACCEPT
+
+echo "Allow POP3S Client"
+$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT
+$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 995 -m state --state ESTABLISHED -j ACCEPT
+
+echo "Allow SMTPS Client"
+$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT
+$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 465 -m state --state ESTABLISHED -j ACCEPT
+
+echo "Allow NTP Client"
+$IPT -A OUTPUT -o ${PUB_IF} -p udp --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
+$IPT -A INPUT -i ${PUB_IF} -p udp --sport 123 -m state --state ESTABLISHED -j ACCEPT
+
+$IPT -A INPUT -i ${PUB_IF} 
-p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
+$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
+
+echo "Allow IRC Client"
+$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 6667 -m state --state NEW -j ACCEPT
+
+echo "Allow Active FTP Client"
+$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 20 -m state --state ESTABLISHED -j ACCEPT
+$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 20 -m state --state NEW,ESTABLISHED -j ACCEPT
+
+echo "Allow Git"
+$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 9418 -m state --state NEW -j ACCEPT
+
+echo "Allow ssh client"
+$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
+$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
+
+#echo "Allow Passive Connections"
+$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 1024:65535 --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
+$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+# echo "Allow FairCoin"
+# $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 46392 -m state --state NEW,ESTABLISHED -j ACCEPT
+# $IPT -A INPUT -i ${PUB_IF} -p tcp --sport 46392 -m state --state ESTABLISHED -j ACCEPT
+#
+# echo "Allow Dashcoin"
+# $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 29080 -m state --state NEW,ESTABLISHED -j ACCEPT
+# $IPT -A INPUT -i ${PUB_IF} -p tcp --sport 29080 -m state --state ESTABLISHED -j ACCEPT
+#
+# echo "Allow warzone2100"
+# $IPT -A INPUT -i ${PUB_IF} -p tcp --dport 2100 -s 192.168.0.0/16 -j ACCEPT
+# $IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 2100 -j ACCEPT
+# $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 2100 -j ACCEPT
+# $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 9990 -j ACCEPT
+#
+# echo "Allow wesnoth"
+# $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 15000 -m state --state NEW -j ACCEPT
+# $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 14998 -m state --state NEW -j ACCEPT
+
+##### END your rules ############ 
+# Less log of known traffic
+
+# RIP protocol
+$IPT -A INPUT -i ${PUB_IF} -p udp --sport 520 --dport 520 -s 192.168.0.0/16 -j DROP
+
+# DHCP
+$IPT -A OUTPUT -o ${PUB_IF} -p udp --sport 68 --dport 67 -d $DHCP_IP -j ACCEPT
+$IPT -A INPUT -i ${PUB_IF} -p udp --sport 68 --dport 67 -s $DHCP_IP -j ACCEPT
+
+# log everything else and drop
+$IPT -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: "
+$IPT -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: "
+$IPT -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: "
+
+exit 0
diff --git a/tools/scripts/system-qemu.sh b/tools/scripts/system-qemu.sh
new file mode 100644
index 0000000..8c68e70
--- /dev/null
+++ b/tools/scripts/system-qemu.sh
@@ -0,0 +1,15 @@
+#!/bin/sh
+ISO=~/crux-3.2.iso
+IMG=~/crux-img.qcow2
+
+TAP=$1
+
+echo "TAP: $TAP"
+
+qemu-system-x86_64 \
+ -enable-kvm \
+ -m 1024 \
+ -boot d \
+ -cdrom ${ISO} \
+ -hda ${IMG} \
+ -net nic,model=virtio -net tap,ifname=${TAP},script=no,downscript=no
-- cgit 1.4.1-2-gfad0
From 81d7c7820c25cdca723bbe7c13a3657174904b70 Mon Sep 17 00:00:00 2001
From: Silvino Silva
Date: Thu, 29 Sep 2016 05:21:34 +0100
Subject: postgresql revision
---
 tools/conf/etc/rc.d/postgresql | 16 ++++
 tools/conf/srv/pgsql/data/pg_hba.conf | 96 ++++++++++++++++++++
 tools/postgresql.html | 165 ++++++++++++++++------------------
 tools/scripts/install-postgres.sh | 16 ++++
 4 files changed, 203 insertions(+), 90 deletions(-)
 create mode 100755 tools/conf/etc/rc.d/postgresql
 create mode 100644 tools/conf/srv/pgsql/data/pg_hba.conf
 create mode 100644 tools/scripts/install-postgres.sh
(limited to 'tools/conf')
diff --git a/tools/conf/etc/rc.d/postgresql b/tools/conf/etc/rc.d/postgresql
new file mode 100755
index 0000000..5f0762a
--- /dev/null
+++ b/tools/conf/etc/rc.d/postgresql
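Review bot: The UDP DNS logging rule in the "Allow DNS Client" section carries two jump targets, `-j ACCEPT -j LOG --log-level 7 --log-prefix "iptables: DNS UDP: "`; iptables rejects a rule with more than one `-j`, so that line fails and no UDP DNS log rule is installed, whereas the parallel TCP line just above uses only `-j LOG`. Dropping the stray `-j ACCEPT` so the line reads `$IPT -A OUTPUT -o ${PUB_IF} -p udp --sport 1024:65535 --dport 53 -m state --state NEW -j LOG --log-level 7 --log-prefix "iptables: DNS UDP: "` matches the TCP rule and the ACCEPT that follows it. Because the script has no `set -e` and never checks an iptables exit status, a rejected rule shows up only as stderr noise while the ruleset is silently left partially applied; `set -e` after the shebang, or a small wrapper that exits when `$IPT` returns non-zero, would make such a failure visible at load time. The DHCP INPUT rule also keeps the client-to-server port pair from the old script (`--sport 68 --dport 67 -s $DHCP_IP`), so server replies, which travel from port 67 to port 68, are not matched by it and fall through to the final LOG rule and the DROP policy — presumably `--sport 67 --dport 68` was intended there.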
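Review bot: `TAP=$1` is used without a check, so running the script with no argument produces `-net tap,ifname=,...` and qemu is handed an empty interface name; a guard such as `[ -n "$TAP" ] || { echo "usage: $0 <tap-ifname>" >&2; exit 1; }` right after the assignment gives a clear failure instead. The value is also interpolated unquoted into the `-net` option, so a name containing whitespace would be split into separate arguments; writing `"${TAP}"` keeps it as one token. ISO and IMG are hard-coded paths under the caller's home with no existence check; qemu will report a missing file, but a `[ -r "$ISO" ]` / `[ -r "$IMG" ]` guard fails earlier and more legibly.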
@@ -0,0 +1,16 @@
+#
+# /etc/rc.d/postgresql: start, stop or restart PostgreSQL server postmaster
+#
+
+PG_DATA=/srv/pgsql/data
+
+case "$1" in
+ start|stop|status|restart|reload)
+ sudo -u postgres pg_ctl -D "$PG_DATA" -l /var/log/postgresql "$1"
+ ;;
+ *)
+ echo "usage: $0 start|stop|restart|reload|status"
+ ;;
+esac
+
+# End of file
diff --git a/tools/conf/srv/pgsql/data/pg_hba.conf b/tools/conf/srv/pgsql/data/pg_hba.conf
new file mode 100644
index 0000000..34587d4
--- /dev/null
+++ b/tools/conf/srv/pgsql/data/pg_hba.conf
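Review bot: The `*)` branch prints the usage text and then falls out of the `case` with exit status 0, so an rc framework or operator passing a bad verb sees success; the branch should read `echo "usage: $0 start|stop|restart|reload|status" >&2` followed by `exit 1`. The header comment says "start, stop or restart" while the script also accepts `status` and `reload`; `# /etc/rc.d/postgresql: start, stop, restart, reload or query status of the PostgreSQL postmaster` would describe it accurately. `-l /var/log/postgresql` names a log file that the postgres user must be able to open, or pg_ctl start refuses to run; this commit also adds install-postgres.sh (not in view), so presumably that creates it with the right owner — worth confirming. Using `sudo -u postgres` from an rc script depends on sudo being installed and permitting root to run it without a tty; `su postgres -c` is the usual choice when that is not guaranteed.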
@@ -0,0 +1,96 @@ +# PostgreSQL Client Authentication Configuration File +# =================================================== +# +# Refer to the "Client Authentication" section in the PostgreSQL +# documentation for a complete description of this file. A short +# synopsis follows. +# +# This file controls: which hosts are allowed to connect, how clients +# are authenticated, which PostgreSQL user names they can use, which +# databases they can access. Records take one of these forms: +# +# local DATABASE USER METHOD [OPTIONS] +# host DATABASE USER ADDRESS METHOD [OPTIONS] +# hostssl DATABASE USER ADDRESS METHOD [OPTIONS] +# hostnossl DATABASE USER ADDRESS METHOD [OPTIONS] +# +# (The uppercase items must be replaced by actual values.) +# +# The first field is the connection type: "local" is a Unix-domain +# socket, "host" is either a plain or SSL-encrypted TCP/IP socket, +# "hostssl" is an SSL-encrypted TCP/IP socket, and "hostnossl" is a +# plain TCP/IP socket. +# +# DATABASE can be "all", "sameuser", "samerole", "replication", a +# database name, or a comma-separated list thereof. The "all" +# keyword does not match "replication". Access to replication +# must be enabled in a separate record (see example below). +# +# USER can be "all", a user name, a group name prefixed with "+", or a +# comma-separated list thereof. In both the DATABASE and USER fields +# you can also write a file name prefixed with "@" to include names +# from a separate file. +# +# ADDRESS specifies the set of hosts the record matches. It can be a +# host name, or it is made up of an IP address and a CIDR mask that is +# an integer (between 0 and 32 (IPv4) or 128 (IPv6) inclusive) that +# specifies the number of significant bits in the mask. A host name +# that starts with a dot (.) matches a suffix of the actual host name. +# Alternatively, you can write an IP address and netmask in separate +# columns to specify the set of hosts. 
Instead of a CIDR-address, you +# can write "samehost" to match any of the server's own IP addresses, +# or "samenet" to match any address in any subnet that the server is +# directly connected to. +# +# METHOD can be "trust", "reject", "md5", "password", "gss", "sspi", +# "ident", "peer", "pam", "ldap", "radius" or "cert". Note that +# "password" sends passwords in clear text; "md5" is preferred since +# it sends encrypted passwords. +# +# OPTIONS are a set of options for the authentication in the format +# NAME=VALUE. The available options depend on the different +# authentication methods -- refer to the "Client Authentication" +# section in the documentation for a list of which options are +# available for which authentication methods. +# +# Database and user names containing spaces, commas, quotes and other +# special characters must be quoted. Quoting one of the keywords +# "all", "sameuser", "samerole" or "replication" makes the name lose +# its special character, and just match a database or username with +# that name. +# +# This file is read on server startup and when the postmaster receives +# a SIGHUP signal. If you edit the file on a running system, you have +# to SIGHUP the postmaster for the changes to take effect. You can +# use "pg_ctl reload" to do that. + +# Put your actual configuration here +# ---------------------------------- +# +# If you want to allow non-local connections, you need to add more +# "host" records. In that case you will also need to make PostgreSQL +# listen on a non-local interface via the listen_addresses +# configuration parameter, or via the -i or -h command line switches. + +# CAUTION: Configuring the system for local "trust" authentication +# allows any local user to connect as any PostgreSQL user, including +# the database superuser. If you do not trust all your local users, +# use another authentication method. 
+ + +# TYPE DATABASE USER ADDRESS METHOD + +# "local" is for Unix domain socket connections only +#local all all trust +local all postgres ident +# IPv4 local connections: +#host all all 127.0.0.1/32 trust +hostssl all all 127.0.0.1/32 md5 + +# IPv6 local connections: +#host all all ::1/128 trust +# Allow replication connections from localhost, by a user with the +# replication privilege. +#local replication postgres trust +#host replication postgres 127.0.0.1/32 trust +#host replication postgres ::1/128 trust diff --git a/tools/postgresql.html b/tools/postgresql.html index e160ae2..b8790e2 100644 --- a/tools/postgresql.html +++ b/tools/postgresql.html @@ -11,53 +11,22 @@
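Review bot: The only active TCP record is `hostssl all all 127.0.0.1/32 md5`, and `hostssl` records match only when the server was started with `ssl = on`; this commit ships no postgresql.conf, so on a stock install a loopback password login is refused with a "no pg_hba.conf entry" error rather than falling back to a plain `host` record. Either add a comment above the record stating the `ssl = on` prerequisite or keep a `host all all 127.0.0.1/32 md5` line alongside it until SSL is configured. `local all postgres ident` on a Unix socket is handled as `peer`, so only the OS user `postgres` can use the socket, which fits the `sudo -u postgres` usage elsewhere in the commit; a short comment saying that is intentional would save the next reader a lookup.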

    Postgresql

    -

    1.1. Install Postgresql

    +

    1. Install Postgresql

    -
    -        $ prt-get depinst postgresql
    -        
    - -

    Mount Point;

    - -
    -        # mkdir -p /srv/pgsql
    -        # mount /srv/pgsql
    -        
    - -

    Create user;

    - -
    -        # useradd -U -m -d /srv/pgsql -s /bin/false postgres
    -        useradd: warning: the home directory already exists.
    -        Not copying any file from skel directory into it.
    -        
    +

    Install postgresql;

    -        # passwd -l postgres
    -        passwd: password expiry information changed.
    -        # touch /var/log/pgsql
    -        # chown -R postgres:postgres /srv/pgsql /var/log/pgsql
    -        # ldconfig /user/lib/postgresql
    -		
    - - $ sudo -u postgres mkdir -p /srv/pgsql/data - # sudo -u postgres touch /srv/pgsql/.psql_history + $ prt-get depinst postgresql
-

Create /etc/logrotate.d/postgres;

-
-        /var/log/pgsql {
-            weekly
-            compress
-            delaycompress
-            rotate 10
-            notifempty
-            create 660 postgres postgres
-        }
+        # mkdir /srv/pgsql/
+        # touch /var/log/postgresql
+        # chown postgres:postgres /srv/pgsql /var/log/postgresql
+        # sudo -u postgres initdb -D /srv/pgsql/data
         
-

Edit /etc/rc.d/postgresql;

+

Change /etc/rc.d/postgresql;

         #
@@ -65,25 +34,20 @@
         #
 
         PG_DATA=/srv/pgsql/data
-        PG_HOME=/srv/pgsql
 
         case "$1" in
-        start|stop|status|restart|reload)
-                (cd $PG_HOME && sudo -u postgres pg_ctl -D "$PG_DATA" -l /var/log/pgsql "$1")
-        ;;
-        *)
-        echo "usage: $0 start|stop|restart|reload|status"
-        ;;
+            start|stop|status|restart|reload)
+                sudo -u postgres pg_ctl -D "$PG_DATA" -l /var/log/postgresql "$1"
+                ;;
+            *)
+                echo "usage: $0 start|stop|restart|reload|status"
+                ;;
         esac
 
         # End of file
         
-

1.2. Configure Server

- -
-        # sudo -u postgres initdb -D /srv/pgsql/data
-        
+

2. Configure Server

Create password for super user;

@@ -92,17 +56,9 @@ $ psql -U postgres
-

Edit /pgsql/data/postgresql.conf;

- -
-        log_destination = 'syslog' # Can specify multiple destinations
-        syslog_facility='LOCAL0'
-        syslog_ident='postgres'
-        log_connections = on
-        password_encryption=on
-        
- -

Edit /srv/pgsql/data/pg_hba.conf;

+

Edit + /srv/pgsql/data/pg_hba.conf; +

         # TYPE  DATABASE        USER            ADDRESS                 METHOD
@@ -121,62 +77,89 @@
         #host    replication     postgres        ::1/128                 trust
         
+

Start server and alter postgres password

+ +
+        # /etc/rc.d/postgresql start
+        
+ +
+        postgres=# alter user postgres with password 'new_password';
+        
+ +

2.1. Configure syslog-ng

+

Configure Syslog-ng, check Michael at otacoo article. Example;

+

Edit /pgsql/data/postgresql.conf;

+
-        destination postgres { file("/var/log/pgsql"); };
-        filter f_postgres { facility(local0); };
-        log { source(s_log); filter(f_postgres); destination(postgres); };
+        log_destination = 'syslog' # Can specify multiple destinations
+        syslog_facility='LOCAL0'
+        syslog_ident='postgres'
+        log_connections = on
+        password_encryption=on
         
-

Start server and alter postgres password

+ +

Create /etc/logrotate.d/postgres;

-        # /etc/rc.d/postgresql start
+        /var/log/pgsql {
+            weekly
+            compress
+            delaycompress
+            rotate 10
+            notifempty
+            create 660 postgres postgres
+        }
         
+
-        postgres=# alter user postgres with password 'new_password';
+        destination postgres { file("/var/log/pgsql"); };
+        filter f_postgres { facility(local0); };
+        log { source(s_log); filter(f_postgres); destination(postgres); };
         
-

1.3. Create User

+ +

3. Create User

Create a new user with createuser command;

         $ sudo -u postgres createuser --pwprompt --encrypted \
-        --no-createrole --no-createdb laravel_user
+        --no-createrole --no-createdb flyspray
         Enter password for new user:
         Enter it again:
         
-

1.4. Create Database

+

4. Create Database

Create a new database for new user with createdb command;

         $ sudo -u postgres createdb --template=template0 --encoding=UTF8 \
-        --owner=laravel_user laravel_db
+        --owner=flyspray db_flyspray
         
-

1.5. Drop Database

+

5. Drop Database

Deleting database with dropdb command;

-        sudo -u postgres dropdb laravel_db
+        sudo -u postgres dropdb db_flyspray
         
-

1.6. Drop User

+

6. Drop User

Deleting user with dropuser command;

-        sudo -u postgres dropuser laravel_user
+        sudo -u postgres dropuser flyspray
         
- -

1.7. Psql

+

7. Psql

Lets check with psql, login with user postgres;

@@ -190,7 +173,7 @@ postgres=# \? -

Psql - List Databases and Roles

+

7.1. List Databases and Roles

List roles then list databases;

@@ -199,39 +182,43 @@ postgres=# \l -

Psql - Create Database

+

7.2. Create Database

-        postgres=# create database laravel_db_ext owner laravel_user encoding 'UTF-8' template template0;
+        postgres=# create database db_flyspray_ext owner flyspray encoding 'UTF-8' template template0;
         
-

Psql - Drop Tables

+

7.3. Drop Tables

This example assumes that all tables, are in public schema. First connect to database and list tables;

-        postgres=# \c laravel_db
+        postgres=# revoke SELECT on db_flyspray from flyspray;
+        
+ +
+        postgres=# \c db_flyspray
         postgres=# \dt
         

Drop all tables on public schema and recreate public schema;

-        laravel_db=# drop schema public cascade;
-        laravel_db=# create schema public;
+        db_flyspray=# drop schema public cascade;
+        db_flyspray=# create schema public;
         
-

Backup

+

7.4. Backup

Backup Database

-

Restore

+

7.5. Restore

-        $ psql laravel_db < database_dump
+        $ psql db_flyspray < database_dump
         
Tools Index @@ -242,7 +229,5 @@ See the file Gnu Free Documentation License for copying conditions.

- - diff --git a/tools/scripts/install-postgres.sh b/tools/scripts/install-postgres.sh new file mode 100644 index 0000000..06666e0 --- /dev/null +++ b/tools/scripts/install-postgres.sh @@ -0,0 +1,16 @@ +#!/bin/sh + +. `dirname $0`/config-install.sh + +prt-get depinst postgresql + +cp -R $CONF_DIR/etc/rc.d/postgresql /etc/rc.d/ + +mkdir /srv/pgsql/ +touch /var/log/postgresql +chown postgres:postgres /srv/pgsql /var/log/postgresql + +sudo -u postgres initdb -D /srv/pgsql/data + +cp $CONF_DIR/srv/pgsql/data/pg_hba.conf /srv/pgsql/data/ +chown postgres:postgres /srv/pgsql/data/pg_hba.conf -- cgit 1.4.1-2-gfad0 From ac808f10c9011249da393284b4bc92903d604972 Mon Sep 17 00:00:00 2001 From: Silvino Silva Date: Mon, 3 Oct 2016 22:37:04 +0100 Subject: nginx documentation and configuration review --- tools/conf/etc/nginx/sites-enabled/default.conf | 49 ++++++++ tools/conf/etc/nginx/sites-enabled/mantisbt.conf | 23 ---- tools/conf/etc/nginx/sites/default.conf | 136 ++++++++++------------- tools/conf/etc/nginx/sites/drupal.conf | 8 +- tools/conf/etc/nginx/sites/flyspray.conf | 40 +++++++ tools/conf/etc/nginx/sites/laravel.conf | 10 +- tools/nginx.html | 90 +++++++++------ 7 files changed, 214 insertions(+), 142 deletions(-) create mode 100644 tools/conf/etc/nginx/sites-enabled/default.conf delete mode 100644 tools/conf/etc/nginx/sites-enabled/mantisbt.conf create mode 100644 tools/conf/etc/nginx/sites/flyspray.conf (limited to 'tools/conf') diff --git a/tools/conf/etc/nginx/sites-enabled/default.conf b/tools/conf/etc/nginx/sites-enabled/default.conf new file mode 100644 index 0000000..4e01b88 --- /dev/null +++ b/tools/conf/etc/nginx/sites-enabled/default.conf 
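Review bot: The script has no `set -e`, so when `initdb` fails (for example because `/srv/pgsql/data` already exists from an earlier run) it still copies pg_hba.conf over whatever is there and exits 0. Add `set -eu` after the shebang, and quote the expansions — `. "$(dirname "$0")/config-install.sh"`, `cp -R "$CONF_DIR/etc/rc.d/postgresql" /etc/rc.d/` — so a CONF_DIR containing spaces does not word-split. The script relies on config-install.sh defining `CONF_DIR`, which is not visible here; `set -u` at least makes that assumption fail loudly instead of copying from `/etc/...` relative to the root.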
@@ -0,0 +1,49 @@
+
+server {
+ listen 443 ssl;
+ # listen [::]:443 ssl;
+
+ server_name c9.core;
+
+ root /srv/www/default;
+
+ location /distfiles {
+ alias /usr/ports/distfiles;
+ }
+
+
+ location /bug {
+ index index.php;
+ alias /srv/www/default/flyspray;
+ try_files $uri $uri/ index.php$is_args$args;
+ }
+
+ location ~ ^/bug(.+\.php)$ { ### This location block was the solution
+ alias /srv/www/default/flyspray;
+
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ fastcgi_index index.php;
+ try_files $uri /index.php =404;
+ include /etc/nginx/fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $document_root$1;
+ # fastcgi_pass unix:/var/run/php5-fpm.sock;
+ fastcgi_pass 127.0.0.1:9000;
+ }
+
+ location / {
+ alias /srv/www/default/pmwiki/;
+ index pmwiki.php
+ try_files $uri $uri/ /pmwiki.php$is_args$args;
+ }
+
+ location ~ \.php$ {
+ alias /srv/www/default/pmwiki;
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ fastcgi_index pmwiki.php;
+ try_files $uri /pmwiki.php =404;
+ include /etc/nginx/fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ # fastcgi_pass unix:/var/run/php5-fpm.sock;
+ fastcgi_pass 127.0.0.1:9000;
+ }
+}
diff --git a/tools/conf/etc/nginx/sites-enabled/mantisbt.conf b/tools/conf/etc/nginx/sites-enabled/mantisbt.conf
deleted file mode 100644
index 597983f..0000000
--- a/tools/conf/etc/nginx/sites-enabled/mantisbt.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-server {
- listen 443 ssl;
- # listen [::]:443 ssl;
-
- root /srv/www/mantisbt;
- server_name core.privat-network.net;
-
- index index.php;
-
- location / {
- try_files $uri $uri/ /index.php$is_args$args;
- }
-
- location ~ \.php$ {
- fastcgi_split_path_info ^(.+\.php)(/.+)$;
- fastcgi_index index.php;
- # try_files $uri /index.php =404;
- include /etc/nginx/fastcgi_params;
- fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
- # fastcgi_pass unix:/var/run/php5-fpm.sock;
- fastcgi_pass 127.0.0.1:9000;
- }
-}
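Review bot: `index pmwiki.php` in `location /` has no terminating semicolon, so nginx parses it together with the next line as a single `index` directive with five arguments (`pmwiki.php try_files $uri $uri/ /pmwiki.php$is_args$args`); the file passes `nginx -t`, but the try_files fallback to `/pmwiki.php` is never installed. It should read `index pmwiki.php;` — the same line is repeated in tools/conf/etc/nginx/sites/default.conf in this commit and in the example copied into tools/nginx.html. In `location /bug` the try_files fallback `index.php$is_args$args` lacks a leading slash, unlike `/pmwiki.php$is_args$args` in the root location; an internal redirect to a URI without a leading slash cannot match the `/bug` prefix location, so `/bug/index.php$is_args$args` is presumably what was meant. The `### This location block was the solution` comment reads as a scratch note; replace it with what the `(.+\.php)` capture is for or drop it.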
diff --git a/tools/conf/etc/nginx/sites/default.conf b/tools/conf/etc/nginx/sites/default.conf index 95be0b7..1c71c44 100644 --- a/tools/conf/etc/nginx/sites/default.conf +++ b/tools/conf/etc/nginx/sites/default.conf 
@@ -1,82 +1,60 @@ server { - listen 80; - server_name localhost; - -#charset koi8-r; - - location / { - root html; - index index.html index.htm; - } - - error_page 404 /404.html; - - # redirect server error pages to the static page /50x.html - # - error_page 500 502 503 504 /50x.html; - location = /50x.html { - root html; - } - -# proxy the PHP scripts to Apache listening on 127.0.0.1:80 -# -#location ~ \.php$ { -# proxy_pass http://127.0.0.1; -#} - -# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 -# -#location ~ \.php$ { -# root html; -# fastcgi_pass 127.0.0.1:9000; -# fastcgi_index index.php; -# fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name; -# include fastcgi_params; -#} - -# deny access to .htaccess files, if Apache's document root -# concurs with nginx's one -# -#location ~ /\.ht { -# deny all; -#} + listen 443 ssl; + # listen [::]:443 ssl; + + server_name c9.core; + + root /srv/www/default; + + location /ports { + alias /var/ports/ports; + autoindex on; + } + + location /distfiles { + alias /var/ports/distfiles; + autoindex on; + } + + location /packages { + root /var/ports/packages; + autoindex off; + } + + + location /bug { + index index.php; + alias /srv/www/default/flyspray; + try_files $uri $uri/ index.php$is_args$args; + } + + location ~ ^/bug(.+\.php)$ { ### This location block was the solution + alias /srv/www/default/flyspray; + + fastcgi_split_path_info ^(.+\.php)(/.+)$; + fastcgi_index index.php; + try_files $uri /index.php =404; + include /etc/nginx/fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$1; + # fastcgi_pass unix:/var/run/php5-fpm.sock; + fastcgi_pass 127.0.0.1:9000; + } + + location / { + alias /srv/www/default/pmwiki/; + index pmwiki.php + try_files $uri $uri/ /pmwiki.php$is_args$args; + } + + location ~ \.php$ { + alias /srv/www/default/pmwiki; + fastcgi_split_path_info ^(.+\.php)(/.+)$; + fastcgi_index pmwiki.php; + try_files $uri /pmwiki.php =404; + include /etc/nginx/fastcgi_params; + 
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + # fastcgi_pass unix:/var/run/php5-fpm.sock; + fastcgi_pass 127.0.0.1:9000; + } } - - -# another virtual host using mix of IP-, name-, and port-based configuration -# -#server { -# listen 8000; -# listen somename:8080; -# server_name somename alias another.alias; - -# location / { -# root html; -# index index.html index.htm; -# } -#} - - -# HTTPS server -# -#server { -# listen 443 ssl; -# server_name localhost; - -# ssl_certificate cert.pem; -# ssl_certificate_key cert.key; - -# ssl_session_cache shared:SSL:1m; -# ssl_session_timeout 5m; - -# ssl_ciphers HIGH:!aNULL:!MD5; -# ssl_prefer_server_ciphers on; - -# location / { -# root html; -# index index.html index.htm; -# } -#} - - diff --git a/tools/conf/etc/nginx/sites/drupal.conf b/tools/conf/etc/nginx/sites/drupal.conf index 39b096a..0407a6a 100644 --- a/tools/conf/etc/nginx/sites/drupal.conf +++ b/tools/conf/etc/nginx/sites/drupal.conf @@ -3,9 +3,9 @@ server { listen 192.168.1.254:443 ssl; listen 10.0.0.254:443 ssl; - server_name core.privat-network.net; + server_name c9.core - root /srv/www/drupal; ## <-- Your only path reference. + root /srv/www/default/drupal; ## <-- Your only path reference. # Enable compression, this will help if you have for instance advagg¿? module # by serving Gzip versions of the files. @@ -16,8 +16,8 @@ server { autoindex on; } - location /sysdoc { - alias /srv/www/sysdoc; + location /doc { + alias /srv/www/c9-doc; autoindex on; } diff --git a/tools/conf/etc/nginx/sites/flyspray.conf b/tools/conf/etc/nginx/sites/flyspray.conf new file mode 100644 index 0000000..80b5530 --- /dev/null +++ b/tools/conf/etc/nginx/sites/flyspray.conf 
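Review bot: `location /packages` uses `root /var/ports/packages` while its siblings `/ports` and `/distfiles` use `alias`; with `root` the location prefix is appended to the path, so a request for `/packages/foo` resolves to `/var/ports/packages/packages/foo`. If `/var/ports/packages` is the directory meant to be served, `alias /var/ports/packages;` matches the two blocks above it. The identical `/packages` block appears in tools/conf/etc/nginx/sites/flyspray.conf in this commit.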
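Review bot: The replacement `server_name c9.core` in tools/conf/etc/nginx/sites/drupal.conf dropped the semicolon that `server_name core.privat-network.net;` had, so nginx reads on into the next statement and sees `server_name c9.core root /srv/www/default/drupal;` as one directive with three names; nginx should refuse a name containing `/`, and even if it did not, `root` would be silently absorbed into the name list and the vhost would serve from the compiled-in default. Restore `server_name c9.core;`. The same replacement in tools/conf/etc/nginx/sites/laravel.conf has the same omission, where the next token is `location /c9-doc {`, which the parser rejects as an unterminated directive. Both enclosing server blocks begin before and end after their hunks.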
@@ -0,0 +1,40 @@ + +server { + listen 443 ssl; + # listen [::]:443 ssl; + + server_name c9.core; + + root /srv/www/default/flyspray; + index index.php; + + location /ports { + alias /var/ports/ports; + autoindex on; + } + + location /distfiles { + alias /var/ports/distfiles; + autoindex on; + } + + location /packages { + root /var/ports/packages; + autoindex off; + } + + + location / { + try_files $uri $uri/ index.php$is_args$args; + } + + location ~ \.php$ { + fastcgi_split_path_info ^(.+\.php)(/.+)$; + fastcgi_index index.php; + try_files $uri /index.php =404; + include /etc/nginx/fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + # fastcgi_pass unix:/var/run/php5-fpm.sock; + fastcgi_pass 127.0.0.1:9000; + } +} diff --git a/tools/conf/etc/nginx/sites/laravel.conf b/tools/conf/etc/nginx/sites/laravel.conf index f648f17..e563a3e 100644 --- a/tools/conf/etc/nginx/sites/laravel.conf +++ b/tools/conf/etc/nginx/sites/laravel.conf @@ -2,21 +2,21 @@ server { listen 443 ssl; # listen [::]:443 ssl; - root /srv/www/atom/public; - server_name core.privat-network.net; + root /srv/www/default/laravel/public; + server_name c9.core - location /sysdoc { - alias /srv/www/sysdoc; + location /c9-doc { + alias /srv/www/c9-doc; index index.html; autoindex on; } - index index.php; location / { try_files $uri $uri/ /index.php$is_args$args; } location ~ \.php$ { + index index.php; fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_index index.php; # try_files $uri /index.php =404; diff --git a/tools/nginx.html b/tools/nginx.html index 3daf8d5..0ded2b6 100644 --- a/tools/nginx.html +++ b/tools/nginx.html @@ -150,7 +150,7 @@ 1024 -
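Review bot: In tools/conf/etc/nginx/sites/laravel.conf, `index index.php;` was moved from server scope into `location ~ \.php$`, where it has no effect: `index` is consulted for requests ending in `/`, which that regex never matches, while `location /` — whose `$uri/` branch in `try_files` is the one that needs it — is now left with nginx's default `index.html`. Keep `index index.php;` at server scope or inside `location /`. The `server_name c9.core` line in the same hunk also lacks its semicolon. The enclosing server block starts before and ends after the hunk.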

Example of http block with ssl configured;

+

Example of http block with ssl configured;

         #
@@ -228,14 +228,10 @@
 
 
         

4. Server with PHP

- -

Check /etc/nginx/sites - for more examples.

-

To debug configurations check logs and;

-        
+        nginx -V
         

4.1. Setup PHP

@@ -263,51 +259,83 @@

4.2. Setup Virtual Host

-

Server (virtual host) with Laravel, - /etc/nginx/sites/laravel.conf;

+

Server (virtual host) with pmwiki and flyspray, check + /etc/nginx/sites + for more examples. Install pmwiki and flyspray;

+ +
+        $ sudo prt-get depinst pmwiki flyspray
+        
+ +

This server is configured in a way that + root serves pmwiki and /tasks serves flyspray. In order to + flyspray to link correctly change index is needed;

         server {
             listen 443 ssl;
-            listen [::]:443 ssl;
+            # listen [::]:443 ssl;
 
-            root /srv/www/atom/public;
-            server_name core.privat-network.net;
-            index index.html index.htm index.php;
+            server_name c9.core;
 
-            charset utf-8;
+            root /srv/www/default;
 
-            location / {
-                try_files $uri $uri/ /index.php$is_args$args;
+            location /distfiles {
+                alias /usr/ports/distfiles;
             }
 
-            location = /favicon.ico { access_log off; log_not_found off; }
-            location = /robots.txt  { access_log off; log_not_found off; }
-
-            access_log off;
-            error_log  /var/log/nginx/core.privat-network.net-error.log error;
 
-            sendfile off;
+            location /tasks {
+                index index.php;
+                alias /srv/www/default/flyspray;
+                try_files $uri $uri/ index.php$is_args$args;
+            }
 
-            client_max_body_size 100m;
+            location ~  ^/tasks(.+\.php)$ {
+                alias /srv/www/default/flyspray;
 
-            location ~ \.php$ {
                 fastcgi_split_path_info ^(.+\.php)(/.+)$;
-                fastcgi_pass 127.0.0.1:9000;
                 fastcgi_index index.php;
-                include fastcgi_params;
-                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-                fastcgi_intercept_errors off;
-                fastcgi_buffer_size 16k;
-                fastcgi_buffers 4 16k;
+                try_files $uri /index.php =404;
+                include /etc/nginx/fastcgi_params;
+                fastcgi_param SCRIPT_FILENAME $document_root$1;
+                # fastcgi_pass unix:/var/run/php5-fpm.sock;
+                fastcgi_pass 127.0.0.1:9000;
+            }
+
+            location / {
+                alias /srv/www/default/pmwiki/;
+                index pmwiki.php
+                try_files $uri $uri/ /pmwiki.php$is_args$args;
             }
 
-            location ~ /\.ht {
-                deny all;
+            location ~ \.php$ {
+                alias /srv/www/default/pmwiki;
+                fastcgi_split_path_info ^(.+\.php)(/.+)$;
+                fastcgi_index pmwiki.php;
+                try_files $uri /pmwiki.php =404;
+                include /etc/nginx/fastcgi_params;
+                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+                # fastcgi_pass unix:/var/run/php5-fpm.sock;
+                fastcgi_pass 127.0.0.1:9000;
             }
         }
         
+

Change /srv/www/default/flyspray/index.php to;

+ +
+        <?php
+        /*
+           This is the main script that everything else is included
+           in.  Mostly what it does is check the user permissions
+           to see what they have access to.
+        */
+        define('IN_FS', true);
+        $_SERVER['SCRIPT_NAME'] = "/bug/index.php";
+        require_once(dirname(__FILE__).'/header.php');
+        
+

5. User Directory

Nginx Wiki UserDir

-- cgit 1.4.1-2-gfad0 From d1416890bb0624c6f496010433c32ad7c1621b40 Mon Sep 17 00:00:00 2001 From: Silvino Silva Date: Mon, 3 Oct 2016 18:54:20 +0100 Subject: tools postgresql configuration files revision --- tools/conf/srv/pgsql/data/pg_hba.conf | 4 +- tools/conf/srv/pgsql/data/postgresql.conf | 623 ++++++++++++++++++++++++++++++ tools/postgresql.html | 5 +- 3 files changed, 628 insertions(+), 4 deletions(-) create mode 100644 tools/conf/srv/pgsql/data/postgresql.conf (limited to 'tools/conf') diff --git a/tools/conf/srv/pgsql/data/pg_hba.conf b/tools/conf/srv/pgsql/data/pg_hba.conf index 34587d4..55ce3f3 100644 --- a/tools/conf/srv/pgsql/data/pg_hba.conf +++ b/tools/conf/srv/pgsql/data/pg_hba.conf @@ -84,8 +84,8 @@ #local all all trust local all postgres ident # IPv4 local connections: -#host all all 127.0.0.1/32 trust -hostssl all all 127.0.0.1/32 md5 +host all all 127.0.0.1/32 trust +#hostssl all all 192.168.0.0/32 md5 # IPv6 local connections: #host all all ::1/128 trust diff --git a/tools/conf/srv/pgsql/data/postgresql.conf b/tools/conf/srv/pgsql/data/postgresql.conf new file mode 100644 index 0000000..df3525c --- /dev/null +++ b/tools/conf/srv/pgsql/data/postgresql.conf 
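Review bot: Replacing `hostssl all all 127.0.0.1/32 md5` with `host all all 127.0.0.1/32 trust` lets any local process that can open a TCP connection to the server port log in as any role, including the `postgres` superuser, with no password and no TLS; the password set with `alter user postgres with password` in tools/postgresql.html then protects nothing on this host. If the goal is only to drop the SSL requirement, `host all all 127.0.0.1/32 md5` keeps password authentication on loopback. The commented `#hostssl all all 192.168.0.0/32 md5` carries a /32 mask, which matches the single address 192.168.0.0 rather than the subnet; `/16` is presumably intended if that line is ever enabled.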
@@ -0,0 +1,623 @@ +# ----------------------------- +# PostgreSQL configuration file +# ----------------------------- +# +# This file consists of lines of the form: +# +# name = value +# +# (The "=" is optional.) Whitespace may be used. Comments are introduced with +# "#" anywhere on a line. The complete list of parameter names and allowed +# values can be found in the PostgreSQL documentation. +# +# The commented-out settings shown in this file represent the default values. +# Re-commenting a setting is NOT sufficient to revert it to the default value; +# you need to reload the server. +# +# This file is read on server startup and when the server receives a SIGHUP +# signal. If you edit the file on a running system, you have to SIGHUP the +# server for the changes to take effect, or use "pg_ctl reload". Some +# parameters, which are marked below, require a server shutdown and restart to +# take effect. +# +# Any parameter can also be given as a command-line option to the server, e.g., +# "postgres -c log_connections=on". Some parameters can be changed at run time +# with the "SET" SQL command. +# +# Memory units: kB = kilobytes Time units: ms = milliseconds +# MB = megabytes s = seconds +# GB = gigabytes min = minutes +# TB = terabytes h = hours +# d = days + + +#------------------------------------------------------------------------------ +# FILE LOCATIONS +#------------------------------------------------------------------------------ + +# The default values of these variables are driven from the -D command-line +# option or PGDATA environment variable, represented here as ConfigDir. + +#data_directory = 'ConfigDir' # use data in another directory + # (change requires restart) +#hba_file = 'ConfigDir/pg_hba.conf' # host-based authentication file + # (change requires restart) +#ident_file = 'ConfigDir/pg_ident.conf' # ident configuration file + # (change requires restart) + +# If external_pid_file is not explicitly set, no extra PID file is written. 
+#external_pid_file = '' # write an extra PID file + # (change requires restart) + + +#------------------------------------------------------------------------------ +# CONNECTIONS AND AUTHENTICATION +#------------------------------------------------------------------------------ + +# - Connection Settings - + +#listen_addresses = 'localhost' # what IP address(es) to listen on; + # comma-separated list of addresses; + # defaults to 'localhost'; use '*' for all + # (change requires restart) +#port = 5432 # (change requires restart) +max_connections = 100 # (change requires restart) +#superuser_reserved_connections = 3 # (change requires restart) +#unix_socket_directories = '/tmp' # comma-separated list of directories + # (change requires restart) +#unix_socket_group = '' # (change requires restart) +#unix_socket_permissions = 0777 # begin with 0 to use octal notation + # (change requires restart) +#bonjour = off # advertise server via Bonjour + # (change requires restart) +#bonjour_name = '' # defaults to the computer name + # (change requires restart) + +# - Security and Authentication - + +#authentication_timeout = 1min # 1s-600s +ssl = on # (change requires restart) +#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers + # (change requires restart) +#ssl_prefer_server_ciphers = on # (change requires restart) +#ssl_ecdh_curve = 'prime256v1' # (change requires restart) +ssl_cert_file = '/etc/ssl/certs/pg.crt' # (change requires restart) +ssl_key_file = '/etc/ssl/keys/pg.key' # (change requires restart) +#ssl_ca_file = '' # (change requires restart) +#ssl_crl_file = '' # (change requires restart) +password_encryption = on +#db_user_namespace = off +#row_security = on + +# GSSAPI using Kerberos +#krb_server_keyfile = '' +#krb_caseins_users = off + +# - TCP Keepalives - +# see "man 7 tcp" for details + +#tcp_keepalives_idle = 0 # TCP_KEEPIDLE, in seconds; + # 0 selects the system default +#tcp_keepalives_interval = 0 # TCP_KEEPINTVL, in seconds; + # 0 
selects the system default +#tcp_keepalives_count = 0 # TCP_KEEPCNT; + # 0 selects the system default + + +#------------------------------------------------------------------------------ +# RESOURCE USAGE (except WAL) +#------------------------------------------------------------------------------ + +# - Memory - + +shared_buffers = 128MB # min 128kB + # (change requires restart) +#huge_pages = try # on, off, or try + # (change requires restart) +#temp_buffers = 8MB # min 800kB +#max_prepared_transactions = 0 # zero disables the feature + # (change requires restart) +# Caution: it is not advisable to set max_prepared_transactions nonzero unless +# you actively intend to use prepared transactions. +#work_mem = 4MB # min 64kB +#maintenance_work_mem = 64MB # min 1MB +#autovacuum_work_mem = -1 # min 1MB, or -1 to use maintenance_work_mem +#max_stack_depth = 2MB # min 100kB +dynamic_shared_memory_type = sysv # the default is the first option + # supported by the operating system: + # posix + # sysv + # windows + # mmap + # use none to disable dynamic shared memory + +# - Disk - + +#temp_file_limit = -1 # limits per-session temp file space + # in kB, or -1 for no limit + +# - Kernel Resource Usage - + +#max_files_per_process = 1000 # min 25 + # (change requires restart) +#shared_preload_libraries = '' # (change requires restart) + +# - Cost-Based Vacuum Delay - + +#vacuum_cost_delay = 0 # 0-100 milliseconds +#vacuum_cost_page_hit = 1 # 0-10000 credits +#vacuum_cost_page_miss = 10 # 0-10000 credits +#vacuum_cost_page_dirty = 20 # 0-10000 credits +#vacuum_cost_limit = 200 # 1-10000 credits + +# - Background Writer - + +#bgwriter_delay = 200ms # 10-10000ms between rounds +#bgwriter_lru_maxpages = 100 # 0-1000 max buffers written/round +#bgwriter_lru_multiplier = 2.0 # 0-10.0 multipler on buffers scanned/round + +# - Asynchronous Behavior - + +#effective_io_concurrency = 1 # 1-1000; 0 disables prefetching +#max_worker_processes = 8 + + 
+#------------------------------------------------------------------------------ +# WRITE AHEAD LOG +#------------------------------------------------------------------------------ + +# - Settings - + +#wal_level = minimal # minimal, archive, hot_standby, or logical + # (change requires restart) +#fsync = on # turns forced synchronization on or off +#synchronous_commit = on # synchronization level; + # off, local, remote_write, or on +#wal_sync_method = fsync # the default is the first option + # supported by the operating system: + # open_datasync + # fdatasync (default on Linux) + # fsync + # fsync_writethrough + # open_sync +#full_page_writes = on # recover from partial page writes +#wal_compression = off # enable compression of full-page writes +#wal_log_hints = off # also do full page writes of non-critical updates + # (change requires restart) +#wal_buffers = -1 # min 32kB, -1 sets based on shared_buffers + # (change requires restart) +#wal_writer_delay = 200ms # 1-10000 milliseconds + +#commit_delay = 0 # range 0-100000, in microseconds +#commit_siblings = 5 # range 1-1000 + +# - Checkpoints - + +#checkpoint_timeout = 5min # range 30s-1h +#max_wal_size = 1GB +#min_wal_size = 80MB +#checkpoint_completion_target = 0.5 # checkpoint target duration, 0.0 - 1.0 +#checkpoint_warning = 30s # 0 disables + +# - Archiving - + +#archive_mode = off # enables archiving; off, on, or always + # (change requires restart) +#archive_command = '' # command to use to archive a logfile segment + # placeholders: %p = path of file to archive + # %f = file name only + # e.g. 'test ! 
-f /mnt/server/archivedir/%f && cp %p /mnt/server/archivedir/%f' +#archive_timeout = 0 # force a logfile segment switch after this + # number of seconds; 0 disables + + +#------------------------------------------------------------------------------ +# REPLICATION +#------------------------------------------------------------------------------ + +# - Sending Server(s) - + +# Set these on the master and on any standby that will send replication data. + +#max_wal_senders = 0 # max number of walsender processes + # (change requires restart) +#wal_keep_segments = 0 # in logfile segments, 16MB each; 0 disables +#wal_sender_timeout = 60s # in milliseconds; 0 disables + +#max_replication_slots = 0 # max number of replication slots + # (change requires restart) +#track_commit_timestamp = off # collect timestamp of transaction commit + # (change requires restart) + +# - Master Server - + +# These settings are ignored on a standby server. + +#synchronous_standby_names = '' # standby servers that provide sync rep + # comma-separated list of application_name + # from standby(s); '*' = all +#vacuum_defer_cleanup_age = 0 # number of xacts by which cleanup is delayed + +# - Standby Servers - + +# These settings are ignored on a master server. 
+ +#hot_standby = off # "on" allows queries during recovery + # (change requires restart) +#max_standby_archive_delay = 30s # max delay before canceling queries + # when reading WAL from archive; + # -1 allows indefinite delay +#max_standby_streaming_delay = 30s # max delay before canceling queries + # when reading streaming WAL; + # -1 allows indefinite delay +#wal_receiver_status_interval = 10s # send replies at least this often + # 0 disables +#hot_standby_feedback = off # send info from standby to prevent + # query conflicts +#wal_receiver_timeout = 60s # time that receiver waits for + # communication from master + # in milliseconds; 0 disables +#wal_retrieve_retry_interval = 5s # time to wait before retrying to + # retrieve WAL after a failed attempt + + +#------------------------------------------------------------------------------ +# QUERY TUNING +#------------------------------------------------------------------------------ + +# - Planner Method Configuration - + +#enable_bitmapscan = on +#enable_hashagg = on +#enable_hashjoin = on +#enable_indexscan = on +#enable_indexonlyscan = on +#enable_material = on +#enable_mergejoin = on +#enable_nestloop = on +#enable_seqscan = on +#enable_sort = on +#enable_tidscan = on + +# - Planner Cost Constants - + +#seq_page_cost = 1.0 # measured on an arbitrary scale +#random_page_cost = 4.0 # same scale as above +#cpu_tuple_cost = 0.01 # same scale as above +#cpu_index_tuple_cost = 0.005 # same scale as above +#cpu_operator_cost = 0.0025 # same scale as above +#effective_cache_size = 4GB + +# - Genetic Query Optimizer - + +#geqo = on +#geqo_threshold = 12 +#geqo_effort = 5 # range 1-10 +#geqo_pool_size = 0 # selects default based on effort +#geqo_generations = 0 # selects default based on effort +#geqo_selection_bias = 2.0 # range 1.5-2.0 +#geqo_seed = 0.0 # range 0.0-1.0 + +# - Other Planner Options - + +#default_statistics_target = 100 # range 1-10000 +#constraint_exclusion = partition # on, off, or partition 
+#cursor_tuple_fraction = 0.1 # range 0.0-1.0 +#from_collapse_limit = 8 +#join_collapse_limit = 8 # 1 disables collapsing of explicit + # JOIN clauses + + +#------------------------------------------------------------------------------ +# ERROR REPORTING AND LOGGING +#------------------------------------------------------------------------------ + +# - Where to Log - + +#log_destination = 'stderr' # Valid values are combinations of + # stderr, csvlog, syslog, and eventlog, + # depending on platform. csvlog + # requires logging_collector to be on. + +# This is used when logging to stderr: +#logging_collector = off # Enable capturing of stderr and csvlog + # into log files. Required to be on for + # csvlogs. + # (change requires restart) + +# These are only used if logging_collector is on: +#log_directory = 'pg_log' # directory where log files are written, + # can be absolute or relative to PGDATA +#log_filename = 'postgresql-%Y-%m-%d_%H%M%S.log' # log file name pattern, + # can include strftime() escapes +#log_file_mode = 0600 # creation mode for log files, + # begin with 0 to use octal notation +#log_truncate_on_rotation = off # If on, an existing log file with the + # same name as the new log file will be + # truncated rather than appended to. + # But such truncation only occurs on + # time-driven rotation, not on restarts + # or size-driven rotation. Default is + # off, meaning append to existing files + # in all cases. +#log_rotation_age = 1d # Automatic rotation of logfiles will + # happen after that time. 0 disables. +#log_rotation_size = 10MB # Automatic rotation of logfiles will + # happen after that much log output. + # 0 disables. 
+ +# These are relevant when logging to syslog: +#syslog_facility = 'LOCAL0' +#syslog_ident = 'postgres' + +# This is only relevant when logging to eventlog (win32): +#event_source = 'PostgreSQL' + +# - When to Log - + +#client_min_messages = notice # values in order of decreasing detail: + # debug5 + # debug4 + # debug3 + # debug2 + # debug1 + # log + # notice + # warning + # error + +#log_min_messages = warning # values in order of decreasing detail: + # debug5 + # debug4 + # debug3 + # debug2 + # debug1 + # info + # notice + # warning + # error + # log + # fatal + # panic + +#log_min_error_statement = error # values in order of decreasing detail: + # debug5 + # debug4 + # debug3 + # debug2 + # debug1 + # info + # notice + # warning + # error + # log + # fatal + # panic (effectively off) + +#log_min_duration_statement = -1 # -1 is disabled, 0 logs all statements + # and their durations, > 0 logs only + # statements running at least this number + # of milliseconds + + +# - What to Log - + +#debug_print_parse = off +#debug_print_rewritten = off +#debug_print_plan = off +#debug_pretty_print = on +#log_checkpoints = off +#log_connections = off +#log_disconnections = off +#log_duration = off +#log_error_verbosity = default # terse, default, or verbose messages +#log_hostname = off +#log_line_prefix = '' # special values: + # %a = application name + # %u = user name + # %d = database name + # %r = remote host and port + # %h = remote host + # %p = process ID + # %t = timestamp without milliseconds + # %m = timestamp with milliseconds + # %i = command tag + # %e = SQL state + # %c = session ID + # %l = session line number + # %s = session start timestamp + # %v = virtual transaction ID + # %x = transaction ID (0 if none) + # %q = stop here in non-session + # processes + # %% = '%' + # e.g. 
'<%u%%%d> ' +#log_lock_waits = off # log lock waits >= deadlock_timeout +#log_statement = 'none' # none, ddl, mod, all +#log_replication_commands = off +#log_temp_files = -1 # log temporary files equal or larger + # than the specified size in kilobytes; + # -1 disables, 0 logs all temp files +log_timezone = 'Portugal' + + +# - Process Title - + +#cluster_name = '' # added to process titles if nonempty + # (change requires restart) +#update_process_title = on + + +#------------------------------------------------------------------------------ +# RUNTIME STATISTICS +#------------------------------------------------------------------------------ + +# - Query/Index Statistics Collector - + +#track_activities = on +#track_counts = on +#track_io_timing = off +#track_functions = none # none, pl, all +#track_activity_query_size = 1024 # (change requires restart) +#stats_temp_directory = 'pg_stat_tmp' + + +# - Statistics Monitoring - + +#log_parser_stats = off +#log_planner_stats = off +#log_executor_stats = off +#log_statement_stats = off + + +#------------------------------------------------------------------------------ +# AUTOVACUUM PARAMETERS +#------------------------------------------------------------------------------ + +#autovacuum = on # Enable autovacuum subprocess? 'on' + # requires track_counts to also be on. +#log_autovacuum_min_duration = -1 # -1 disables, 0 logs all actions and + # their durations, > 0 logs only + # actions running at least this number + # of milliseconds. 
+#autovacuum_max_workers = 3 # max number of autovacuum subprocesses + # (change requires restart) +#autovacuum_naptime = 1min # time between autovacuum runs +#autovacuum_vacuum_threshold = 50 # min number of row updates before + # vacuum +#autovacuum_analyze_threshold = 50 # min number of row updates before + # analyze +#autovacuum_vacuum_scale_factor = 0.2 # fraction of table size before vacuum +#autovacuum_analyze_scale_factor = 0.1 # fraction of table size before analyze +#autovacuum_freeze_max_age = 200000000 # maximum XID age before forced vacuum + # (change requires restart) +#autovacuum_multixact_freeze_max_age = 400000000 # maximum multixact age + # before forced vacuum + # (change requires restart) +#autovacuum_vacuum_cost_delay = 20ms # default vacuum cost delay for + # autovacuum, in milliseconds; + # -1 means use vacuum_cost_delay +#autovacuum_vacuum_cost_limit = -1 # default vacuum cost limit for + # autovacuum, -1 means use + # vacuum_cost_limit + + +#------------------------------------------------------------------------------ +# CLIENT CONNECTION DEFAULTS +#------------------------------------------------------------------------------ + +# - Statement Behavior - + +#search_path = '"$user", public' # schema names +#default_tablespace = '' # a tablespace name, '' uses the default +#temp_tablespaces = '' # a list of tablespace names, '' uses + # only default tablespace +#check_function_bodies = on +#default_transaction_isolation = 'read committed' +#default_transaction_read_only = off +#default_transaction_deferrable = off +#session_replication_role = 'origin' +#statement_timeout = 0 # in milliseconds, 0 is disabled +#lock_timeout = 0 # in milliseconds, 0 is disabled +#vacuum_freeze_min_age = 50000000 +#vacuum_freeze_table_age = 150000000 +#vacuum_multixact_freeze_min_age = 5000000 +#vacuum_multixact_freeze_table_age = 150000000 +#bytea_output = 'hex' # hex, escape +#xmlbinary = 'base64' +#xmloption = 'content' +#gin_fuzzy_search_limit = 0 
+#gin_pending_list_limit = 4MB + +# - Locale and Formatting - + +datestyle = 'iso, mdy' +#intervalstyle = 'postgres' +timezone = 'Portugal' +#timezone_abbreviations = 'Default' # Select the set of available time zone + # abbreviations. Currently, there are + # Default + # Australia (historical usage) + # India + # You can create your own file in + # share/timezonesets/. +#extra_float_digits = 0 # min -15, max 3 +#client_encoding = sql_ascii # actually, defaults to database + # encoding + +# These settings are initialized by initdb, but they can be changed. +lc_messages = 'C' # locale for system error message + # strings +lc_monetary = 'C' # locale for monetary formatting +lc_numeric = 'C' # locale for number formatting +lc_time = 'C' # locale for time formatting + +# default configuration for text search +default_text_search_config = 'pg_catalog.english' + +# - Other Defaults - + +#dynamic_library_path = '$libdir' +#local_preload_libraries = '' +#session_preload_libraries = '' + + +#------------------------------------------------------------------------------ +# LOCK MANAGEMENT +#------------------------------------------------------------------------------ + +#deadlock_timeout = 1s +#max_locks_per_transaction = 64 # min 10 + # (change requires restart) +#max_pred_locks_per_transaction = 64 # min 10 + # (change requires restart) + + +#------------------------------------------------------------------------------ +# VERSION/PLATFORM COMPATIBILITY +#------------------------------------------------------------------------------ + +# - Previous PostgreSQL Versions - + +#array_nulls = on +#backslash_quote = safe_encoding # on, off, or safe_encoding +#default_with_oids = off +#escape_string_warning = on +#lo_compat_privileges = off +#operator_precedence_warning = off +#quote_all_identifiers = off +#sql_inheritance = on +#standard_conforming_strings = on +#synchronize_seqscans = on + +# - Other Platforms and Clients - + +#transform_null_equals = off + + 
+#------------------------------------------------------------------------------ +# ERROR HANDLING +#------------------------------------------------------------------------------ + +#exit_on_error = off # terminate session on any error? +#restart_after_crash = on # reinitialize after backend crash? + + +#------------------------------------------------------------------------------ +# CONFIG FILE INCLUDES +#------------------------------------------------------------------------------ + +# These options allow settings to be loaded from files other than the +# default postgresql.conf. + +#include_dir = 'conf.d' # include files ending in '.conf' from + # directory 'conf.d' +#include_if_exists = 'exists.conf' # include file only if it exists +#include = 'special.conf' # include file + + +#------------------------------------------------------------------------------ +# CUSTOMIZED OPTIONS +#------------------------------------------------------------------------------ + +# Add settings for extensions here diff --git a/tools/postgresql.html b/tools/postgresql.html index ca31a4d..0399ec6 100644 --- a/tools/postgresql.html +++ b/tools/postgresql.html @@ -138,7 +138,7 @@ #ssl_prefer_server_ciphers = on # (change requires restart) #ssl_ecdh_curve = 'prime256v1' # (change requires restart) ssl_cert_file = '/etc/ssl/certs/pg.crt' # (change requires restart) - ssl_key_file = '/etc/ssl/keys/pg.key' # (change requires restart) + ssl_key_file = '/etc/ssl/keys/pg.key' # (change requires restart) #ssl_ca_file = '' # (change requires restart) #ssl_crl_file = '' # (change requires restart) password_encryption = on @@ -157,7 +157,8 @@ #local all all trust local all postgres ident # IPv4 local connections: - hostssl all all 127.0.0.1/32 md5 + host all all 127.0.0.1/32 trust + #hostssl all all 192.168.0.0/32 md5 # IPv6 local connections: #host all all ::1/128 trust # Allow replication connections from localhost, by a user with the -- cgit 1.4.1-2-gfad0
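Review bot: `ssl_key_file = '/etc/ssl/keys/pg.key'` carries no note about file ownership or mode, and the server refuses to start when the private key is group- or world-readable, so a comment such as `# key must be owned by the server user and not group/world readable` next to the directive would save a failed restart; the install script that places the key is not in this diff, so I cannot confirm it sets the mode. Since `ssl = on` is enabled but `ssl_ciphers` is left at the file's default `'HIGH:MEDIUM:+3DES:!aNULL'`, MEDIUM and 3DES suites remain negotiable; setting a tighter list explicitly, e.g. `ssl_ciphers = 'HIGH:!aNULL:!MD5:!3DES'`, is the usual hardening step. `timezone = 'Portugal'` and `log_timezone = 'Portugal'` use a legacy tz-database alias; the canonical name is `Europe/Lisbon`, which is what the abbreviation set and future tzdata updates are keyed on.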