From 9fc6d455cb2adb194ba272726a7112ace717f415 Mon Sep 17 00:00:00 2001
From: Marc Beninca
Date: Mon, 9 Sep 2019 09:08:21 +0200
Subject: [PATCH] =?UTF-8?q?=E2=88=92personal?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 docs/index.rst | 8 -
 docs/personal/dns.rst | 44 --
 docs/personal/openssh-server/index.rst | 41 --
 docs/personal/server/certificate.rst | 128 ----
 docs/personal/server/dispatch.rst | 732 ------------------------------
 docs/personal/server/index.rst | 7 -
 6 files changed, 960 deletions(-)
 delete mode 100644 docs/personal/dns.rst
 delete mode 100644 docs/personal/openssh-server/index.rst
 delete mode 100644 docs/personal/server/certificate.rst
 delete mode 100644 docs/personal/server/dispatch.rst
 delete mode 100644 docs/personal/server/index.rst

diff --git a/docs/index.rst b/docs/index.rst
index cc12c93..c03a97a 100644
--- a/docs/index.rst
+++ b/docs/index.rst
@@ -54,14 +54,6 @@ RTFD
 public/windows/index
 public/xorriso/index
-.. toctree::
- :caption: Personal
- :maxdepth: 2
-
- personal/dns
- personal/openssh-server/index
- personal/server/index
-
 .. toctree::
 :caption: Dispatch
diff --git a/docs/personal/dns.rst b/docs/personal/dns.rst
deleted file mode 100644
index b4f6a88..0000000
--- a/docs/personal/dns.rst
+++ /dev/null
@@ -1,44 +0,0 @@
-DNS
-===
-
-::
-
- $TTL 3600
- @ IN SOA dns200.anycast.me. tech.ovh.net. (
- 2019082700 ; Serial
- 86400 ; Refresh
- 3600 ; Retry
- 3600000 ; Expire
- 300 ) ; Negative Cache TTL
-
- @ IN NS dns200.anycast.me.
- @ IN NS ns200.anycast.me.
-
- ; mailbox.org
-
- c9e8c75cec08cbff50e7c33108bd12d30b862813.rwx.work. IN TXT a9a1e94fbc4aa297df829145c8c48e298fea5bb9
-
- rwx.work. IN MX 10 mxext1.mailbox.org.
- rwx.work. IN MX 10 mxext2.mailbox.org.
- rwx.work. IN MX 20 mxext3.mailbox.org.
-
- IN TXT "v=spf1 include:mailbox.org"
-
- ; acme-challenge
-
- rwx.work. CAA 128 issue "letsencrypt.org"
- rwx.work. CAA 128 issuewild "letsencrypt.org"
-
- _acme-challenge.rwx.work. 60 IN TXT WD4jQ2O8P3KJwirPHyyzXizlgS2RmfkV88nqzEZY8Go
- _acme-challenge.rwx.work. 60 IN TXT LLbjKm7UTSFRrdVFOeL7UQn8arZthF2RSxqTLxGnaHY
-
- ; domain.tld
-
- * IN CNAME rwx.work.
-
- @ IN A 192.99.14.98
- @ IN AAAA 2607:5300:60:3f62::1
-
- ; google.com
-
- rwx.work. IN TXT google-site-verification=GOZKfz4ZacW9oEJpI8MVn24nFHGkZchd80iWphZsaFM
diff --git a/docs/personal/openssh-server/index.rst b/docs/personal/openssh-server/index.rst
deleted file mode 100644
index 83d4ec8..0000000
--- a/docs/personal/openssh-server/index.rst
+++ /dev/null
@@ -1,41 +0,0 @@
-openssh-server
-==============
-
-::
-
- LogLevel INFO
- StrictModes yes
- Subsystem sftp internal-sftp
-
- AllowTcpForwarding yes
- Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
- Compression no
- MaxStartups 10:30:50
- PermitTunnel no
- Port 22
- TCPKeepAlive yes
- ClientAliveInterval 30
- X11Forwarding no
-
- AuthorizedKeysFile .ssh/authorized_keys
- ChallengeResponseAuthentication no
- FingerprintHash sha256
- HostbasedAuthentication no
- IgnoreRhosts yes
- HostKey /etc/ssh/ssh_host_ed25519_key
- HostKeyAlgorithms ssh-ed25519
- KexAlgorithms curve25519-sha256@libssh.org
- LoginGraceTime 60
- MACs hmac-sha2-512-etm@openssh.com
- PasswordAuthentication no
- PermitEmptyPasswords no
- PermitRootLogin prohibit-password
- PubkeyAuthentication yes
- UseDNS no
- UsePAM yes
-
- DebianBanner no
- PrintLastLog yes
- PrintMotd yes
- Banner none
- VersionAddendum none
diff --git a/docs/personal/server/certificate.rst b/docs/personal/server/certificate.rst
deleted file mode 100644
index 3bdbb58..0000000
--- a/docs/personal/server/certificate.rst
+++ /dev/null
@@ -1,128 +0,0 @@
-Certificate
-===========
-
-Request
--------
-
-.. code:: shell
-
- echo -n "\
- FR
- Gironde
- Bordeaux
- Marc Beninca
- .
- rwx.work
- tls@rwx.work
- .
- .
- " \
- | \
- openssl \
- req \
- -new \
- -utf8 \
- -key "rwx.work.key" \
- -out "rwx.work.csr" \
- -addext "subjectAltName=DNS:*.rwx.work"
-
-::
-
- -----BEGIN CERTIFICATE REQUEST-----
- MIIE5zCCAs8CAQAwejELMAkGA1UEBhMCRlIxEDAOBgNVBAgMB0dpcm9uZGUxETAP
- BgNVBAcMCEJvcmRlYXV4MRUwEwYDVQQKDAxNYXJjIEJlbmluY2ExETAPBgNVBAMM
- CHJ3eC53b3JrMRwwGgYJKoZIhvcNAQkBFg1tYXJjQHJ3eC53b3JrMIICIjANBgkq
- hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAzFVnxoVca/cMv9HoOwOF6oYUiwXIuS8N
- QAWc9mqZowcIL0SEmC/kP+T2DMHR673Z9fCe2EXfG/Yfo/GRHB1zgUgjSKFWSCHA
- whk+72fnukX0XtJ+DXywMbPMSkSu6ppJlQvLxn59ya0bbhmZZnTGmK3GoVoyoMid
- sjLguNRRxSSuNiMbvN4alFxWztHhPfifS95DVAx2do8qaYFrIOIxZBne0KkzYKBo
- N/HH+HKaptYNgVtUvEYYQgW8zlUMd6i70HrVpNUMRlGpixB2jgEasgjrj4ICG/Gn
- rdw5mRtJ/a8lKx0l5YOzWik/6kSYK+2vffILxmn3NxCuE4UOgN+DK3Dke7+kHX53
- sLrwV5OMoqtln0ZJIprWWwlV58iTkNz12/tpcyV7NW3rQ448HqZTzXmsTu3t3hsK
- Y3HUuuGplLPp/P/fgNQMb4e58OTivs3JmA96MYcJ8hwmnpUQzbC5xjApHd5cD+mP
- 3DEejwxLqQMpaielJ7dqWGywuxxbqHZ1rl5tHKDcD8sTfcryEM6IErlWGWEn6lZP
- lLREx7xa/g0cSVKSlnEpENDdwcs7cDgKEtRbZL+xxU9epNUsyxE0mm2YO8HFctGS
- lAlctOlxEXe/YdRJuonJ5tGqut9YzSCASF+OOmnyb0oYRLZz2/b8TsgD07TGALWO
- dsuHLBPvlD0CAwEAAaAoMCYGCSqGSIb3DQEJDjEZMBcwFQYDVR0RBA4wDIIKKi5y
- d3gud29yazANBgkqhkiG9w0BAQsFAAOCAgEAqkilUJUv66UEoNnvw1GHh8eTE9vc
- iae22pj+VScil1R8nesWiNP3FuDDYcMkBG2SAfiDnG4Ua9cmm3YeiTf0kkdAafnq
- oWM0YG7FM3b5TA9d+RUV2p5UIOZt1RLprcg/6TZv12lz5XCPYF+3YUqREzozTmZd
- lEnFtBns+QnsC6vMlEtEDqvUWhSYHFmJF4LoFH7u3A6Bsl5ge0bNrzl/LXj6/7Lt
- /4XQu1daWGvc5lrOhSzB+K7kiA5tYWjNCC4BFhufj8KBblzg4rNqRBTzU6BjzHfW
- R4X4C7fEmqQ0rDtdTYmhJRUwRV3dI2SpRnnXiQehAeUHj2ZUpvU0VmAymGXmM/2u
- o+dINwRbi5g4SNMDgiXu90zfYbhdH0YDFIClYCJyfedE0tYxLI+qLFjVnVRE0HO/
- vlFQluLN9UKd5AcWTCKMLqdDUi75oaSo2dZxQhDz3Dm1oxlormBK/vECjtTgmsKL
- VZeilFwLyvDaaM9zJf6d7mADrwD/LVuS4Hb6vhcdjMxqK1ULErBdhAnk8lyf9Po+
- iuo9FGfA/3I3iRZS8CntJbPQ+kIljJFkgoWR8tGZ2odrSjvjvdFS0UsRjRSa0FsV
- cj6qi6keDP8TdXGd4fs+o0bfjAbbRkvwksBYIW/1nVWm4pFCnHWArrPHbLmqlmig
- RD9FQO+ig4qr5yo=
- -----END CERTIFICATE REQUEST-----
-
-Certificate
------------
-
-::
-
- -----BEGIN CERTIFICATE-----
- MIIGVDCCBTygAwIBAgISA1bXuFYa3VXO0psSAItXFGijMA0GCSqGSIb3DQEBCwUA
- MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
- ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xOTA4MjcxODM1MTdaFw0x
- OTExMjUxODM1MTdaMBMxETAPBgNVBAMTCHJ3eC53b3JrMIICIjANBgkqhkiG9w0B
- AQEFAAOCAg8AMIICCgKCAgEAzFVnxoVca/cMv9HoOwOF6oYUiwXIuS8NQAWc9mqZ
- owcIL0SEmC/kP+T2DMHR673Z9fCe2EXfG/Yfo/GRHB1zgUgjSKFWSCHAwhk+72fn
- ukX0XtJ+DXywMbPMSkSu6ppJlQvLxn59ya0bbhmZZnTGmK3GoVoyoMidsjLguNRR
- xSSuNiMbvN4alFxWztHhPfifS95DVAx2do8qaYFrIOIxZBne0KkzYKBoN/HH+HKa
- ptYNgVtUvEYYQgW8zlUMd6i70HrVpNUMRlGpixB2jgEasgjrj4ICG/Gnrdw5mRtJ
- /a8lKx0l5YOzWik/6kSYK+2vffILxmn3NxCuE4UOgN+DK3Dke7+kHX53sLrwV5OM
- oqtln0ZJIprWWwlV58iTkNz12/tpcyV7NW3rQ448HqZTzXmsTu3t3hsKY3HUuuGp
- lLPp/P/fgNQMb4e58OTivs3JmA96MYcJ8hwmnpUQzbC5xjApHd5cD+mP3DEejwxL
- qQMpaielJ7dqWGywuxxbqHZ1rl5tHKDcD8sTfcryEM6IErlWGWEn6lZPlLREx7xa
- /g0cSVKSlnEpENDdwcs7cDgKEtRbZL+xxU9epNUsyxE0mm2YO8HFctGSlAlctOlx
- EXe/YdRJuonJ5tGqut9YzSCASF+OOmnyb0oYRLZz2/b8TsgD07TGALWOdsuHLBPv
- lD0CAwEAAaOCAmkwggJlMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEF
- BQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUfVa3O25izrKy
- ggUlotk52GBMZmswHwYDVR0jBBgwFoAUqEpqYwR93brm0Tm3pkVl7/Oo7KEwbwYI
- KwYBBQUHAQEEYzBhMC4GCCsGAQUFBzABhiJodHRwOi8vb2NzcC5pbnQteDMubGV0
- c2VuY3J5cHQub3JnMC8GCCsGAQUFBzAChiNodHRwOi8vY2VydC5pbnQteDMubGV0
- c2VuY3J5cHQub3JnLzAfBgNVHREEGDAWggoqLnJ3eC53b3Jrgghyd3gud29yazBM
- BgNVHSAERTBDMAgGBmeBDAECATA3BgsrBgEEAYLfEwEBATAoMCYGCCsGAQUFBwIB
- FhpodHRwOi8vY3BzLmxldHNlbmNyeXB0Lm9yZzCCAQQGCisGAQQB1nkCBAIEgfUE
- gfIA8AB1AHR+2oMxrTMQkSGcziVPQnDCv/1eQiAIxjc1eeYQe8xWAAABbNSTR3MA
- AAQDAEYwRAIgB44ARVYKCw+5gJkbE9cP5Mu0hu5fUIBW5RMZBPsI3zoCIEEJ+WT3
- hxOrzjbpulpk0GOPXmLnRUpHI3WxCFjcZLOtAHcAY/Lbzeg7zCzPC3KEJ1drM6SN
- YXePvXWmOLHHaFRL2I0AAAFs1JNJggAABAMASDBGAiEAiBpinu+8BLqMJsGd9GUi
- 8eIHFeDEKWlt8JR6JRxwByECIQDvpMAYEpNvt6r2+kfh9m4DwI0Hs7ZMCDjBjn/l
- MGPVsTANBgkqhkiG9w0BAQsFAAOCAQEAQHzWsPPMxClzKt1UF9qyrREzjH2hAg2/
- VDiQyAmkBnmJusnd4x/MJsO94qEfxZMS5yQOTSnDVoKoYyTr/nGLlHb6mt6P4ro7
- iIUdtypOt0M4NkJUR5q5ic9GILZ9eUXveSYdc8k22ll5Oqepwv1ewAMEDsmmyqo3
- X1WVifSGQDnatwesy9oxI/V+aWaxMedX0swbDVi3QPqndNyC2SsElvfiman6zRTJ
- 53bqiAXkeWpC3mp9r0krrjR85rvXBN6TT2RyFOLqM8pTuFnsbYXL+14jlmANCNWj
- veTL3PTpKOI8XXIZFbP56rfTnAnmb0pwxLJcgha//he/Y1m9aRHxNA==
- -----END CERTIFICATE-----
- -----BEGIN CERTIFICATE-----
- MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
- MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
- DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow
- SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT
- GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC
- AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF
- q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8
- SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0
- Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA
- a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj
- /PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T
- AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG
- CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv
- bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k
- c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw
- VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC
- ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz
- MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu
- Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF
- AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo
- uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/
- wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu
- X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG
- PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6
- KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
- -----END CERTIFICATE-----
diff --git a/docs/personal/server/dispatch.rst b/docs/personal/server/dispatch.rst
deleted file mode 100644
index edebb96..0000000
--- a/docs/personal/server/dispatch.rst
+++ /dev/null
@@ -1,732 +0,0 @@
-To dispatch
-===========
-
-Hardware
--------
-
-=== ================================
-BHS KS-12
-CPU Intel Xeon W3530 4c/8t @ 2.8 GHz
-RAM 32 GB DDR3 ECC @ 1333 MHz
-HDD 2 × 2 TB
-MAC 00:25:90:7b:d4:38
-WAN 100 Mbps
-=== ================================
-
-Network
-------
-
-+-----+---------+-------------------------------+
-| IP4 | address | 192.99.14.98 /24 |
-| +---------+-------------------------------+
-| | gateway | 192.99.14.254 |
-+-----+---------+-------------------------------+
-| IP6 | address | 2607:5300:60:3f62::1 |
-| +---------+-------------------------------+
-| | gateway | 2607:5300:60:3fff:ff:ff:ff:ff |
-+-----+---------+-------------------------------+
-
-Rescue
------ 
-
-.. code:: shell
-
- ssh-keygen -R rwx.work
- ssh-keygen -R 192.99.14.98
- scp /home/user/.ssh/id_ecdsa.pub root@rwx.work:/root/.ssh/authorized_keys
- scp /etc/bash.bashrc root@rwx.work:/etc/
-
-Partitions
----------
-
-.. code:: shell
-
- parted
-
- select /dev/sda
- mktable gpt
- mkpart boot 1 2
- mkpart raid 2 2000399
- toggle 1 bios_grub
-
- select /dev/sdb
- mktable gpt
- mkpart boot 1 2
- mkpart raid 2 2000399
- toggle 1 bios_grub
-
- q
-
-.. code:: shell
-
- mdadm --create /dev/md0 \
- --level 0 --raid-devices 2 /dev/sd[ab]2
-
-.. code:: shell
-
- parted /dev/md0
-
- mktable gpt
- mkpart data 1 3966966
- mkpart swap 3966966 4000523
-
- q
-
-.. code:: shell
-
- mkswap --label swap \
- -U d8ee4260-4652-7192-7bb3-ebbadeb835a7 \
- /dev/md0p2
- mkfs.ext4 -L data \
- -U 46527192-7bb3-ebba-deb8-35a7e8606808 \
- /dev/md0p1
-
-Boot
----
-
-.. warning:: no ESP boot available!
-
-Prepare a grub.cfg
-
-.. code:: shell
-
- insmod biosdisk
- insmod part_gpt
- insmod mdraid1x
- insmod ext2
- insmod search
- insmod squash4
- insmod loopback
- insmod linux
-
- search --set data --fs-uuid 46527192-7bb3-ebba-deb8-35a7e8606808
- lmp=/fs/up
- sfs=filesystem.squashfs
-
- loopback loop (${data})${lmp}/${sfs}
-
- linux (loop)/vmlinuz \
- boot=live \
- elevator=deadline \
- ip=frommedia \
- live-media-path=${lmp} \
- toram=${sfs}
-
- initrd (loop)/initrd.img
-
- boot
-
-.. code:: shell
-
- grub-mkstandalone \
- --verbose \
- --compress xz \
- --format i386-pc \
- --output core.img \
- --themes "" \
- boot/grub/grub.cfg=grub.cfg \
- --fonts "" \
- --locales "" \
- --install-modules "\
- biosdisk \
- part_gpt \
- mdraid1x \
- ext2 \
- search \
- squash4 \
- loopback \
- linux \
- "
-
-.. todo:: move to public grub
-
-.. code:: shell
-
- grub-mkstandalone \
- --verbose \
- --compress xz \
- --format x86_64-efi \
- --output bootx64.efi \
- --themes "" \
- boot/grub/grub.cfg=grub.cfg
-
-.. code:: shell
-
- scp core.img root@rwx.work:
- cp /usr/lib/grub/i386-pc/boot.img . \
- /usr/lib/grub/i386-pc/grub-bios-setup \
- --directory . /dev/sda
- /usr/lib/grub/i386-pc/grub-bios-setup \
- --directory . /dev/sdb
-
-* debootstrap
-* apt
-* user account and home directory
-* fstab /d
-* systemd
-* linux-image
-* tops
-* hardware
-* completion
-* network
-* interfaces
-* iputils-ping
-* basics
-* openssh-server fixes (sshd user, /run/sshd)
-* live-boot
-* root
-* inception
-* bridge
-* grub-pc-bin
-* apparmor
-* unbound
-* tree
-* net.ipv4.ip_forward=1
-* net.ipv6.conf.all.forwarding=1
-* nftables
-* nginx-extras
-* root/user authorized_keys
-* curl
-* swap,swappiness
-* enable nftables.service
-* enable lxc.service
-* sources.list file:/
-* syslog-ng
-* ssh on port 80
-* domain certificate private key
-* domain certificate bundle
-* /etc/ssl/openssl.cnf tls 1.3 suites
-* nginx configuration
-* nginx in container
-* nginx host sites
-* python3-sphinx-rtd-theme
-* uwsgi
-* uwsgi-plugin-python3
-* sudo
-* file
-* fcgiwrap
-* gitweb
-
-* /etc/bash.bashrc
-* /etc/fstab (/d)
-* /etc/locale.gen
-* locale-gen
-* /etc/resolv.conf
-* /etc/apt/apt.conf
-* /etc/apt/sources.list
-* apt update
-* apt upgrade
-* live-boot
-* update-initramfs ← update-initramfs.orig
-* openssh-server
-* parted
-* squashfs-tools
-* tree
-* apt clean
-* /etc/ssh/sshd_config
-* mkdir /root/.ssh
-* echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICZAs76kQJ0/Et2NGzhxurK2wE0VhYsG9wl85iCmR9xH" > /root/.ssh/authorized_keys
-* lxc
-* /etc/network/interfaces.d/setup
-
-.. warning:: inet6 dhcp hangs!
-
-::
-
- auto lo
- iface lo inet loopback
- iface lo inet6 loopback
-
- auto br0
- iface br0 inet static
- address 10.0.0.254/24
- bridge_fd 0
- bridge_maxwait 0
- bridge_ports enp1s0
- bridge_stp on
- iface br0 inet static
- address 192.99.14.98/24
- gateway 192.99.14.254
- iface br0 inet6 static
- address 2607:5300:60:3f62::1/64
- gateway 2607:5300:60:3fff:ff:ff:ff:ff
-
-.. warning::
-
- reboot from container doesn't reload config file
-
-/var/lib/lxc/config
-
-::
-
- lxc.include = /usr/share/lxc/config/common.conf
- lxc.mount.entry = /d/mirrors/apt-mirror/debian deb none bind,create=dir,ro 0 0
- lxc.start.auto = 1
- lxc.net.0.type = veth
- lxc.net.0.flags = up
- lxc.net.0.link = br0
-
-/var/lib/lxc/name/config
-
-::
-
- lxc.include = /var/lib/lxc/config
- lxc.mount.entry = /d/d/buster d none bind,create=dir,rw 0 0
- lxc.rootfs.path = dir:/var/lib/lxc/buster
- lxc.net.0.veth.pair = buster
- lxc.net.0.ipv4.address = 10.0.0.1/24
- lxc.net.0.ipv4.gateway = 10.0.0.254
-
-/etc/nftables.conf
-
-::
-
- #! /usr/sbin/nft --file
-
- flush ruleset
-
- table inet filter {
- chain input {
- type filter hook input priority 0; policy accept;
- iifname "lo" accept
- ip protocol icmp accept
- ip6 nexthdr icmp accept
- tcp dport ssh accept
- tcp dport domain accept
- tcp dport http accept
- tcp dport https accept
- }
- chain forward {
- type filter hook forward priority 0; policy accept;
- }
- chain output {
- type filter hook output priority 0; policy accept;
- }
- }
-
- table ip nat {
- chain prerouting {
- type nat hook prerouting priority 0; policy accept;
- tcp dport 65001 dnat to 10.0.0.1:ssh
- }
- chain postrouting {
- type nat hook postrouting priority 0; policy accept;
- masquerade
- }
- }
-
-Security
--------
-
-* /etc/sudoers
-
-.. todo:: all directives
-
-::
-
- user ALL=NOPASSWD: /bin/systemctl restart uwsgi
-
-Web
---
-
-Configuration
-^^^^^^^^^^^^^
-
-* /etc/nginx/nginx.conf
-
-::
-
- load_module modules/ngx_http_fancyindex_module.so;
- load_module modules/ngx_http_headers_more_filter_module.so;
-
- pid /run/nginx.pid;
- user user;
- worker_processes auto;
-
- events {
- multi_accept off;
- worker_connections 512;
- }
-
- http {
-
- # General
-
- keepalive_timeout 60;
- sendfile on;
- server_tokens off;
- tcp_nopush on;
- tcp_nodelay on;
- types_hash_max_size 2048;
-
- # Names
-
- server_name_in_redirect off;
- server_names_hash_bucket_size 128;
-
- # File types
-
- include mime.types;
- default_type application/octet-stream;
-
- # Security
-
- ssl_buffer_size 8k;
- ssl_ciphers "ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384";
- ssl_ecdh_curve "X448:X25519:P-521";
- ssl_prefer_server_ciphers on;
- ssl_protocols TLSv1.3 TLSv1.2;
- ssl_session_cache shared:ssl_session_cache:16m;
- ssl_session_tickets off;
- ssl_session_timeout 15m;
-
- # Log
-
- access_log /var/log/nginx/access.log;
- error_log /var/log/nginx/error.log;
-
- # Compression
-
- gzip off;
-
- # Misc
-
- client_max_body_size 16m;
- index index.html;
-
- # Proxy
-
- proxy_pass_request_body on;
- proxy_pass_request_headers on;
- proxy_redirect off;
-
- # Headers
-
- more_clear_headers Server;
-
- # Includes
-
- include sites-enabled/*;
-
- }
-
-.. warning:: almost 1 minute to start the service
-
-::
-
- ssl_stapling on;
- ssl_stapling_verify on;
-
-Security
-^^^^^^^^
-
-* /etc/nginx/https.conf
-
-::
-
- listen 443 ssl http2;
- listen [::]:443 ssl http2;
-
- error_page 496 =496 @error; # Certificate Required
- error_page 497 =497 @error; # HTTP Request Sent to HTTPS Port
- error_page
- 403 # Forbidden
- 404 # Not Found
- @error;
-
- add_header Expect-CT "enforce,max-age=0" always;
- add_header Referrer-Policy "no-referrer-when-downgrade" always;
- add_header Strict-Transport-Security "max-age=31557600;includeSubDomains;preload" always;
- add_header X-Content-Type-Options "nosniff" always;
- add_header X-Frame-Options "DENY" always;
- set $fp "";
- set $fp "${fp}accelerometer 'none';";
- set $fp "${fp}ambient-light-sensor 'none';";
- set $fp "${fp}animations 'self';";
- set $fp "${fp}autoplay 'none';";
- set $fp "${fp}camera 'none';";
- set $fp "${fp}document-domain 'none';";
- set $fp "${fp}document-write 'none';";
- set $fp "${fp}encrypted-media 'none';";
- set $fp "${fp}fullscreen *;";
- set $fp "${fp}geolocation 'none';";
- set $fp "${fp}gyroscope 'none';";
- set $fp "${fp}legacy-image-formats 'none';";
- set $fp "${fp}magnetometer 'none';";
- set $fp "${fp}microphone 'none';";
- set $fp "${fp}midi 'none';";
- set $fp "${fp}payment 'self';";
- set $fp "${fp}picture-in-picture 'none';";
- set $fp "${fp}speaker 'self';";
- set $fp "${fp}sync-xhr 'none';";
- set $fp "${fp}unsized-media 'none';";
- set $fp "${fp}usb 'none';";
- set $fp "${fp}vertical-scroll 'self';";
- set $fp "${fp}vr 'none';";
- add_header Feature-Policy "${fp}" always;
-
-.. todo:: find policy not blocking sphinx search
-
-::
-
- add_header Content-Security-Policy "default-src 'self'" always;
-
-* /etc/nginx/fcgi.conf
-
-::
-
- fastcgi_param SERVER_PORT ${server_port};
-
- fastcgi_param QUERY_STRING ${query_string};
-
- fastcgi_param REQUEST_METHOD ${request_method};
- fastcgi_param CONTENT_TYPE ${content_type};
- fastcgi_param CONTENT_LENGTH ${content_length};
-
-* /etc/nginx/uwsgi.conf
-
-::
-
- uwsgi_param client_address ${remote_addr};
- uwsgi_param client_port ${remote_port};
- uwsgi_param client_ciphers ${ssl_ciphers};
- uwsgi_param client_curves ${ssl_curves};
-
- uwsgi_param session_reused ${ssl_session_reused};
- uwsgi_param session_id ${ssl_session_id};
- uwsgi_param session_cipher ${ssl_cipher};
- uwsgi_param session_protocol ${ssl_protocol};
-
- uwsgi_param server_protocol ${server_protocol};
- uwsgi_param server_address ${server_addr};
- uwsgi_param server_port ${server_port};
-
- uwsgi_param request_scheme ${scheme};
- uwsgi_param request_host ${host};
- uwsgi_param request_document ${document_uri};
- uwsgi_param request_query ${query_string};
- uwsgi_param request_method ${request_method};
-
- uwsgi_param content_type ${content_type};
- uwsgi_param content_length ${content_length};
-
- uwsgi_param client_verify ${ssl_client_verify};
- uwsgi_param client_issuer ${ssl_client_i_dn};
- uwsgi_param client_subject ${ssl_client_s_dn};
- uwsgi_param client_start ${ssl_client_v_start};
- uwsgi_param client_remain ${ssl_client_v_remain};
- uwsgi_param client_end ${ssl_client_v_end};
-
-Apps
-^^^^
-
-* /lib/systemd/system/fcgiwrap.socket
-
-::
-
- [Unit]
- Description=fcgiwrap socket
-
- [Socket]
- SocketMode=0600
- SocketUser=user
- SocketGroup=user
- ListenStream=/run/fcgiwrap.socket
-
- [Install]
- WantedBy=sockets.target
-
-* /etc/gitweb.conf
-
-::
-
- $projectroot = "/d/projects/rwx.work";
- $git_temp = "/tmp";
-
-* /etc/uwsgi/apps-enabled/root.ini
-
-.. code:: ini
-
- [uwsgi]
- chown-socket = user
- uid = user
- gid = user
- chdir = /d/projects/rwx.work/root
- plugins = python3
- module = __init__
- callable = app
- threads = 2
-
-Sites
-^^^^^
-
-* "/etc/nginx/sites-enabled/0 http"
-
-::
-
- server {
- listen 80 default_server;
- listen [::]:80 default_server;
- server_name _;
- return 301 https://${host}${request_uri};
- }
-
-* "/etc/nginx/sites-enabled/1 rwx.work"
-
-::
-
- server {
- include rwx.work.conf;
- include uwsgi.conf;
- server_name .rwx.work;
- location / {
- uwsgi_pass unix:/run/uwsgi/app/root/socket;
- }
- }
-
- server {
- include rwx.work.conf;
- server_name deb.rwx.work;
- root /d/mirrors/apt-mirror/debian;
- fancyindex on;
- }
-
- server {
- include rwx.work.conf;
- server_name git.rwx.work;
- location ~ ^.*/(info/refs|git-upload-pack)$ {
- include fcgi.conf;
- fastcgi_param SCRIPT_FILENAME /usr/lib/git-core/git-http-backend;
- fastcgi_param PATH_INFO ${uri};
- fastcgi_param GIT_PROJECT_ROOT /d/projects/rwx.work;
- fastcgi_param GIT_HTTP_EXPORT_ALL "";
- fastcgi_pass unix:/run/fcgiwrap.socket;
- }
- location /static/ {
- root /usr/share/gitweb;
- }
- location / {
- include fcgi.conf;
- fastcgi_param SCRIPT_FILENAME /usr/share/gitweb/gitweb.cgi;
- fastcgi_pass unix:/run/fcgiwrap.socket;
- }
- }
-
- server {
- include rwx.work.conf;
- server_name docs.rwx.work;
- root /d/projects/rwx.work/docs/out/docs;
- }
-
- server {
- include rwx.work.conf;
- server_name sites.rwx.work;
- root /d/projects/rwx.work/sites/out/sites;
- }
-
- server {
- include rwx.work.conf;
- server_name todo.rwx.work;
- root /d/projects/rwx.work/todo/out/todo;
- }
-
-* "/etc/nginx/sites-enabled/2 marc-beninca.fr"
-
-::
-
- server {
- include marc-beninca.fr.conf;
- include uwsgi.conf;
- server_name .marc-beninca.fr;
- location / {
- uwsgi_pass unix:/run/uwsgi/app/root/socket;
- }
- }
-
- server {
- include marc-beninca.fr.conf;
- server_name cnam.marc-beninca.fr;
- root /d/projects/marc-beninca.fr/cnam/out/cnam;
- }
-
- server {
- include marc-beninca.fr.conf;
- server_name docs.marc-beninca.fr;
- root /d/projects/marc-beninca.fr/docs/out/docs;
- }
-
- server {
- include marc-beninca.fr.conf;
- server_name sites.marc-beninca.fr;
- root /d/projects/marc-beninca.fr/sites/out/sites;
- }
-
- server {
- include marc-beninca.fr.conf;
- server_name todo.marc-beninca.fr;
- root /d/projects/marc-beninca.fr/todo/out/todo;
- }
-
-* "/etc/nginx/sites-enabled/3 tilde.link"
-
-::
-
- server {
- include tilde.link.conf;
- include uwsgi.conf;
- server_name .tilde.link;
- location / {
- uwsgi_pass unix:/run/uwsgi/app/root/socket;
- }
- }
-
- server {
- include tilde.link.conf;
- server_name docs.tilde.link;
- root /d/projects/tilde.link/docs/out/docs;
- }
-
-Certificate and errors
-^^^^^^^^^^^^^^^^^^^^^^
-
-* /etc/nginx/rwx.work.conf
-
-::
-
- include https.conf;
- ssl_certificate rwx.work.crt;
- ssl_certificate_key rwx.work.key;
- location @error {
- return https://rwx.work/error/${status};
- }
-
-* /etc/nginx/marc-beninca.fr.conf
-
-::
-
- include https.conf;
- ssl_certificate marc-beninca.fr.crt;
- ssl_certificate_key marc-beninca.fr.key;
- location @error {
- return https://marc-beninca.fr/error/${status};
- }
-
-* /etc/nginx/tilde.link.conf
-
-::
-
- include https.conf;
- ssl_certificate tilde.link.crt;
- ssl_certificate_key tilde.link.key;
- location @error {
- return https://tilde.link/error/${status};
- }
-
-* /etc/nginx/rwx.work.key
-* /etc/nginx/rwx.work.crt
-
-* /etc/nginx/marc-beninca.fr.key
-* /etc/nginx/marc-beninca.fr.crt
-
-* /etc/nginx/tilde.link.key
-* /etc/nginx/tilde.link.crt
diff --git a/docs/personal/server/index.rst b/docs/personal/server/index.rst
deleted file mode 100644
index 98d86c2..0000000
--- a/docs/personal/server/index.rst
+++ /dev/null
@@ -1,7 +0,0 @@
-Server
-======
-
-.. toctree::
-
- certificate
- dispatch