rwx.work/rtfd
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

−personal

Browse source
This commit is contained in:
Marc Beninca 2019-09-09 09:08:21 +02:00
parent 57d19de7f3
commit 9fc6d455cb
6 changed files with 0 additions and 960 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
docs/index.rst
View file

@ -54,14 +54,6 @@ RTFD
public/windows/index public/windows/index
public/xorriso/index public/xorriso/index
.. toctree::
:caption: Personal
:maxdepth: 2
personal/dns
personal/openssh-server/index
personal/server/index
.. toctree:: .. toctree::
:caption: Dispatch :caption: Dispatch

44
docs/personal/dns.rst
View file

@ -1,44 +0,0 @@
DNS
===
::
$TTL 3600
@ IN SOA dns200.anycast.me. tech.ovh.net. (
2019082700 ; Serial
86400 ; Refresh
3600 ; Retry
3600000 ; Expire
300 ) ; Negative Cache TTL
@ IN NS dns200.anycast.me.
@ IN NS ns200.anycast.me.
; mailbox.org
c9e8c75cec08cbff50e7c33108bd12d30b862813.rwx.work. IN TXT a9a1e94fbc4aa297df829145c8c48e298fea5bb9
rwx.work. IN MX 10 mxext1.mailbox.org.
rwx.work. IN MX 10 mxext2.mailbox.org.
rwx.work. IN MX 20 mxext3.mailbox.org.
IN TXT "v=spf1 include:mailbox.org"
; acme-challenge
rwx.work. CAA 128 issue "letsencrypt.org"
rwx.work. CAA 128 issuewild "letsencrypt.org"
_acme-challenge.rwx.work. 60 IN TXT WD4jQ2O8P3KJwirPHyyzXizlgS2RmfkV88nqzEZY8Go
_acme-challenge.rwx.work. 60 IN TXT LLbjKm7UTSFRrdVFOeL7UQn8arZthF2RSxqTLxGnaHY
; domain.tld
* IN CNAME rwx.work.
@ IN A 192.99.14.98
@ IN AAAA 2607:5300:60:3f62::1
; google.com
rwx.work. IN TXT google-site-verification=GOZKfz4ZacW9oEJpI8MVn24nFHGkZchd80iWphZsaFM

41
docs/personal/openssh-server/index.rst
View file

@ -1,41 +0,0 @@
openssh-server
==============
::
LogLevel INFO
StrictModes yes
Subsystem sftp internal-sftp
AllowTcpForwarding yes
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
Compression no
MaxStartups 10:30:50
PermitTunnel no
Port 22
TCPKeepAlive yes
ClientAliveInterval 30
X11Forwarding no
AuthorizedKeysFile .ssh/authorized_keys
ChallengeResponseAuthentication no
FingerprintHash sha256
HostbasedAuthentication no
IgnoreRhosts yes
HostKey /etc/ssh/ssh_host_ed25519_key
HostKeyAlgorithms ssh-ed25519
KexAlgorithms curve25519-sha256@libssh.org
LoginGraceTime 60
MACs hmac-sha2-512-etm@openssh.com
PasswordAuthentication no
PermitEmptyPasswords no
PermitRootLogin prohibit-password
PubkeyAuthentication yes
UseDNS no
UsePAM yes
DebianBanner no
PrintLastLog yes
PrintMotd yes
Banner none
VersionAddendum none

128
docs/personal/server/certificate.rst
View file

@ -1,128 +0,0 @@
Certificate
===========
Request
-------
.. code:: shell
echo -n "\
FR
Gironde
Bordeaux
Marc Beninca
.
rwx.work
tls@rwx.work
.
.
" \
| \
openssl \
req \
-new \
-utf8 \
-key "rwx.work.key" \
-out "rwx.work.csr" \
-addext "subjectAltName=DNS:*.rwx.work"
::
-----BEGIN CERTIFICATE REQUEST-----
MIIE5zCCAs8CAQAwejELMAkGA1UEBhMCRlIxEDAOBgNVBAgMB0dpcm9uZGUxETAP
BgNVBAcMCEJvcmRlYXV4MRUwEwYDVQQKDAxNYXJjIEJlbmluY2ExETAPBgNVBAMM
CHJ3eC53b3JrMRwwGgYJKoZIhvcNAQkBFg1tYXJjQHJ3eC53b3JrMIICIjANBgkq
hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAzFVnxoVca/cMv9HoOwOF6oYUiwXIuS8N
QAWc9mqZowcIL0SEmC/kP+T2DMHR673Z9fCe2EXfG/Yfo/GRHB1zgUgjSKFWSCHA
whk+72fnukX0XtJ+DXywMbPMSkSu6ppJlQvLxn59ya0bbhmZZnTGmK3GoVoyoMid
sjLguNRRxSSuNiMbvN4alFxWztHhPfifS95DVAx2do8qaYFrIOIxZBne0KkzYKBo
N/HH+HKaptYNgVtUvEYYQgW8zlUMd6i70HrVpNUMRlGpixB2jgEasgjrj4ICG/Gn
rdw5mRtJ/a8lKx0l5YOzWik/6kSYK+2vffILxmn3NxCuE4UOgN+DK3Dke7+kHX53
sLrwV5OMoqtln0ZJIprWWwlV58iTkNz12/tpcyV7NW3rQ448HqZTzXmsTu3t3hsK
Y3HUuuGplLPp/P/fgNQMb4e58OTivs3JmA96MYcJ8hwmnpUQzbC5xjApHd5cD+mP
3DEejwxLqQMpaielJ7dqWGywuxxbqHZ1rl5tHKDcD8sTfcryEM6IErlWGWEn6lZP
lLREx7xa/g0cSVKSlnEpENDdwcs7cDgKEtRbZL+xxU9epNUsyxE0mm2YO8HFctGS
lAlctOlxEXe/YdRJuonJ5tGqut9YzSCASF+OOmnyb0oYRLZz2/b8TsgD07TGALWO
dsuHLBPvlD0CAwEAAaAoMCYGCSqGSIb3DQEJDjEZMBcwFQYDVR0RBA4wDIIKKi5y
d3gud29yazANBgkqhkiG9w0BAQsFAAOCAgEAqkilUJUv66UEoNnvw1GHh8eTE9vc
iae22pj+VScil1R8nesWiNP3FuDDYcMkBG2SAfiDnG4Ua9cmm3YeiTf0kkdAafnq
oWM0YG7FM3b5TA9d+RUV2p5UIOZt1RLprcg/6TZv12lz5XCPYF+3YUqREzozTmZd
lEnFtBns+QnsC6vMlEtEDqvUWhSYHFmJF4LoFH7u3A6Bsl5ge0bNrzl/LXj6/7Lt
/4XQu1daWGvc5lrOhSzB+K7kiA5tYWjNCC4BFhufj8KBblzg4rNqRBTzU6BjzHfW
R4X4C7fEmqQ0rDtdTYmhJRUwRV3dI2SpRnnXiQehAeUHj2ZUpvU0VmAymGXmM/2u
o+dINwRbi5g4SNMDgiXu90zfYbhdH0YDFIClYCJyfedE0tYxLI+qLFjVnVRE0HO/
vlFQluLN9UKd5AcWTCKMLqdDUi75oaSo2dZxQhDz3Dm1oxlormBK/vECjtTgmsKL
VZeilFwLyvDaaM9zJf6d7mADrwD/LVuS4Hb6vhcdjMxqK1ULErBdhAnk8lyf9Po+
iuo9FGfA/3I3iRZS8CntJbPQ+kIljJFkgoWR8tGZ2odrSjvjvdFS0UsRjRSa0FsV
cj6qi6keDP8TdXGd4fs+o0bfjAbbRkvwksBYIW/1nVWm4pFCnHWArrPHbLmqlmig
RD9FQO+ig4qr5yo=
-----END CERTIFICATE REQUEST-----
Certificate
-----------
::
-----BEGIN CERTIFICATE-----
MIIGVDCCBTygAwIBAgISA1bXuFYa3VXO0psSAItXFGijMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xOTA4MjcxODM1MTdaFw0x
OTExMjUxODM1MTdaMBMxETAPBgNVBAMTCHJ3eC53b3JrMIICIjANBgkqhkiG9w0B
AQEFAAOCAg8AMIICCgKCAgEAzFVnxoVca/cMv9HoOwOF6oYUiwXIuS8NQAWc9mqZ
owcIL0SEmC/kP+T2DMHR673Z9fCe2EXfG/Yfo/GRHB1zgUgjSKFWSCHAwhk+72fn
ukX0XtJ+DXywMbPMSkSu6ppJlQvLxn59ya0bbhmZZnTGmK3GoVoyoMidsjLguNRR
xSSuNiMbvN4alFxWztHhPfifS95DVAx2do8qaYFrIOIxZBne0KkzYKBoN/HH+HKa
ptYNgVtUvEYYQgW8zlUMd6i70HrVpNUMRlGpixB2jgEasgjrj4ICG/Gnrdw5mRtJ
/a8lKx0l5YOzWik/6kSYK+2vffILxmn3NxCuE4UOgN+DK3Dke7+kHX53sLrwV5OM
oqtln0ZJIprWWwlV58iTkNz12/tpcyV7NW3rQ448HqZTzXmsTu3t3hsKY3HUuuGp
lLPp/P/fgNQMb4e58OTivs3JmA96MYcJ8hwmnpUQzbC5xjApHd5cD+mP3DEejwxL
qQMpaielJ7dqWGywuxxbqHZ1rl5tHKDcD8sTfcryEM6IErlWGWEn6lZPlLREx7xa
/g0cSVKSlnEpENDdwcs7cDgKEtRbZL+xxU9epNUsyxE0mm2YO8HFctGSlAlctOlx
EXe/YdRJuonJ5tGqut9YzSCASF+OOmnyb0oYRLZz2/b8TsgD07TGALWOdsuHLBPv
lD0CAwEAAaOCAmkwggJlMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEF
BQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUfVa3O25izrKy
ggUlotk52GBMZmswHwYDVR0jBBgwFoAUqEpqYwR93brm0Tm3pkVl7/Oo7KEwbwYI
KwYBBQUHAQEEYzBhMC4GCCsGAQUFBzABhiJodHRwOi8vb2NzcC5pbnQteDMubGV0
c2VuY3J5cHQub3JnMC8GCCsGAQUFBzAChiNodHRwOi8vY2VydC5pbnQteDMubGV0
c2VuY3J5cHQub3JnLzAfBgNVHREEGDAWggoqLnJ3eC53b3Jrgghyd3gud29yazBM
BgNVHSAERTBDMAgGBmeBDAECATA3BgsrBgEEAYLfEwEBATAoMCYGCCsGAQUFBwIB
FhpodHRwOi8vY3BzLmxldHNlbmNyeXB0Lm9yZzCCAQQGCisGAQQB1nkCBAIEgfUE
gfIA8AB1AHR+2oMxrTMQkSGcziVPQnDCv/1eQiAIxjc1eeYQe8xWAAABbNSTR3MA
AAQDAEYwRAIgB44ARVYKCw+5gJkbE9cP5Mu0hu5fUIBW5RMZBPsI3zoCIEEJ+WT3
hxOrzjbpulpk0GOPXmLnRUpHI3WxCFjcZLOtAHcAY/Lbzeg7zCzPC3KEJ1drM6SN
YXePvXWmOLHHaFRL2I0AAAFs1JNJggAABAMASDBGAiEAiBpinu+8BLqMJsGd9GUi
8eIHFeDEKWlt8JR6JRxwByECIQDvpMAYEpNvt6r2+kfh9m4DwI0Hs7ZMCDjBjn/l
MGPVsTANBgkqhkiG9w0BAQsFAAOCAQEAQHzWsPPMxClzKt1UF9qyrREzjH2hAg2/
VDiQyAmkBnmJusnd4x/MJsO94qEfxZMS5yQOTSnDVoKoYyTr/nGLlHb6mt6P4ro7
iIUdtypOt0M4NkJUR5q5ic9GILZ9eUXveSYdc8k22ll5Oqepwv1ewAMEDsmmyqo3
X1WVifSGQDnatwesy9oxI/V+aWaxMedX0swbDVi3QPqndNyC2SsElvfiman6zRTJ
53bqiAXkeWpC3mp9r0krrjR85rvXBN6TT2RyFOLqM8pTuFnsbYXL+14jlmANCNWj
veTL3PTpKOI8XXIZFbP56rfTnAnmb0pwxLJcgha//he/Y1m9aRHxNA==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow
SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT
GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF
q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8
SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0
Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA
a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj
/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T
AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG
CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv
bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k
c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw
VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC
ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz
MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu
Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF
AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo
uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/
wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu
X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG
PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6
KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
-----END CERTIFICATE-----

732
docs/personal/server/dispatch.rst
View file

@ -1,732 +0,0 @@
To dispatch
===========
Hardware
--------
=== ================================
BHS KS-12
CPU Intel Xeon W3530 4c/8t @ 2.8 GHz
RAM 32 GB DDR3 ECC @ 1333 MHz
HDD 2 × 2 TB
MAC 00:25:90:7b:d4:38
WAN 100 Mbps
=== ================================
Network
-------
+-----+---------+-------------------------------+
| IP4 | address | 192.99.14.98 /24 |
| +---------+-------------------------------+
| | gateway | 192.99.14.254 |
+-----+---------+-------------------------------+
| IP6 | address | 2607:5300:60:3f62::1 |
| +---------+-------------------------------+
| | gateway | 2607:5300:60:3fff:ff:ff:ff:ff |
+-----+---------+-------------------------------+
Rescue
------
.. code:: shell
ssh-keygen -R rwx.work
ssh-keygen -R 192.99.14.98
scp /home/user/.ssh/id_ecdsa.pub root@rwx.work:/root/.ssh/authorized_keys
scp /etc/bash.bashrc root@rwx.work:/etc/
Partitions
----------
.. code:: shell
parted
select /dev/sda
mktable gpt
mkpart boot 1 2
mkpart raid 2 2000399
toggle 1 bios_grub
select /dev/sdb
mktable gpt
mkpart boot 1 2
mkpart raid 2 2000399
toggle 1 bios_grub
q
.. code:: shell
mdadm --create /dev/md0 \
--level 0 --raid-devices 2 /dev/sd[ab]2
.. code:: shell
parted /dev/md0
mktable gpt
mkpart data 1 3966966
mkpart swap 3966966 4000523
q
.. code:: shell
mkswap --label swap \
-U d8ee4260-4652-7192-7bb3-ebbadeb835a7 \
/dev/md0p2
mkfs.ext4 -L data \
-U 46527192-7bb3-ebba-deb8-35a7e8606808 \
/dev/md0p1
Boot
----
.. warning:: no ESP boot available!
Prepare a grub.cfg
.. code:: shell
insmod biosdisk
insmod part_gpt
insmod mdraid1x
insmod ext2
insmod search
insmod squash4
insmod loopback
insmod linux
search --set data --fs-uuid 46527192-7bb3-ebba-deb8-35a7e8606808
lmp=/fs/up
sfs=filesystem.squashfs
loopback loop (${data})${lmp}/${sfs}
linux (loop)/vmlinuz \
boot=live \
elevator=deadline \
ip=frommedia \
live-media-path=${lmp} \
toram=${sfs}
initrd (loop)/initrd.img
boot
.. code:: shell
grub-mkstandalone \
--verbose \
--compress xz \
--format i386-pc \
--output core.img \
--themes "" \
boot/grub/grub.cfg=grub.cfg \
--fonts "" \
--locales "" \
--install-modules "\
biosdisk \
part_gpt \
mdraid1x \
ext2 \
search \
squash4 \
loopback \
linux \
"
.. todo:: move to public grub
.. code:: shell
grub-mkstandalone \
--verbose \
--compress xz \
--format x86_64-efi \
--output bootx64.efi \
--themes "" \
boot/grub/grub.cfg=grub.cfg
.. code:: shell
scp core.img root@rwx.work:
cp /usr/lib/grub/i386-pc/boot.img . \
/usr/lib/grub/i386-pc/grub-bios-setup \
--directory . /dev/sda
/usr/lib/grub/i386-pc/grub-bios-setup \
--directory . /dev/sdb
* debootstrap
* apt
* user account and home directory
* fstab /d
* systemd
* linux-image
* tops
* hardware
* completion
* network
* interfaces
* iputils-ping
* basics
* openssh-server fixes (sshd user, /run/sshd)
* live-boot
* root
* inception
* bridge
* grub-pc-bin
* apparmor
* unbound
* tree
* net.ipv4.ip_forward=1
* net.ipv6.conf.all.forwarding=1
* nftables
* nginx-extras
* root/user authorized_keys
* curl
* swap,swappiness
* enable nftables.service
* enable lxc.service
* sources.list file:/
* syslog-ng
* ssh on port 80
* domain certificate private key
* domain certificate bundle
* /etc/ssl/openssl.cnf tls 1.3 suites
* nginx configuration
* nginx in container
* nginx host sites
* python3-sphinx-rtd-theme
* uwsgi
* uwsgi-plugin-python3
* sudo
* file
* fcgiwrap
* gitweb
* /etc/bash.bashrc
* /etc/fstab (/d)
* /etc/locale.gen
* locale-gen
* /etc/resolv.conf
* /etc/apt/apt.conf
* /etc/apt/sources.list
* apt update
* apt upgrade
* live-boot
* update-initramfs ← update-initramfs.orig
* openssh-server
* parted
* squashfs-tools
* tree
* apt clean
* /etc/ssh/sshd_config
* mkdir /root/.ssh
* echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICZAs76kQJ0/Et2NGzhxurK2wE0VhYsG9wl85iCmR9xH" > /root/.ssh/authorized_keys
* lxc
* /etc/network/interfaces.d/setup
.. warning:: inet6 dhcp hangs!
::
auto lo
iface lo inet loopback
iface lo inet6 loopback
auto br0
iface br0 inet static
address 10.0.0.254/24
bridge_fd 0
bridge_maxwait 0
bridge_ports enp1s0
bridge_stp on
iface br0 inet static
address 192.99.14.98/24
gateway 192.99.14.254
iface br0 inet6 static
address 2607:5300:60:3f62::1/64
gateway 2607:5300:60:3fff:ff:ff:ff:ff
.. warning::
reboot from container doesn't reload config file
/var/lib/lxc/config
::
lxc.include = /usr/share/lxc/config/common.conf
lxc.mount.entry = /d/mirrors/apt-mirror/debian deb none bind,create=dir,ro 0 0
lxc.start.auto = 1
lxc.net.0.type = veth
lxc.net.0.flags = up
lxc.net.0.link = br0
/var/lib/lxc/name/config
::
lxc.include = /var/lib/lxc/config
lxc.mount.entry = /d/d/buster d none bind,create=dir,rw 0 0
lxc.rootfs.path = dir:/var/lib/lxc/buster
lxc.net.0.veth.pair = buster
lxc.net.0.ipv4.address = 10.0.0.1/24
lxc.net.0.ipv4.gateway = 10.0.0.254
/etc/nftables.conf
::
#! /usr/sbin/nft --file
flush ruleset
table inet filter {
chain input {
type filter hook input priority 0; policy accept;
iifname "lo" accept
ip protocol icmp accept
ip6 nexthdr icmp accept
tcp dport ssh accept
tcp dport domain accept
tcp dport http accept
tcp dport https accept
}
chain forward {
type filter hook forward priority 0; policy accept;
}
chain output {
type filter hook output priority 0; policy accept;
}
}
table ip nat {
chain prerouting {
type nat hook prerouting priority 0; policy accept;
tcp dport 65001 dnat to 10.0.0.1:ssh
}
chain postrouting {
type nat hook postrouting priority 0; policy accept;
masquerade
}
}
Security
--------
* /etc/sudoers
.. todo:: all directives
::
user ALL=NOPASSWD: /bin/systemctl restart uwsgi
Web
---
Configuration
^^^^^^^^^^^^^
* /etc/nginx/nginx.conf
::
load_module modules/ngx_http_fancyindex_module.so;
load_module modules/ngx_http_headers_more_filter_module.so;
pid /run/nginx.pid;
user user;
worker_processes auto;
events {
multi_accept off;
worker_connections 512;
}
http {
# General
keepalive_timeout 60;
sendfile on;
server_tokens off;
tcp_nopush on;
tcp_nodelay on;
types_hash_max_size 2048;
# Names
server_name_in_redirect off;
server_names_hash_bucket_size 128;
# File types
include mime.types;
default_type application/octet-stream;
# Security
ssl_buffer_size 8k;
ssl_ciphers "ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384";
ssl_ecdh_curve "X448:X25519:P-521";
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.3 TLSv1.2;
ssl_session_cache shared:ssl_session_cache:16m;
ssl_session_tickets off;
ssl_session_timeout 15m;
# Log
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
# Compression
gzip off;
# Misc
client_max_body_size 16m;
index index.html;
# Proxy
proxy_pass_request_body on;
proxy_pass_request_headers on;
proxy_redirect off;
# Headers
more_clear_headers Server;
# Includes
include sites-enabled/*;
}
.. warning:: almost 1 minute to start the service
::
ssl_stapling on;
ssl_stapling_verify on;
Security
^^^^^^^^
* /etc/nginx/https.conf
::
listen 443 ssl http2;
listen [::]:443 ssl http2;
error_page 496 =496 @error; # Certificate Required
error_page 497 =497 @error; # HTTP Request Sent to HTTPS Port
error_page
403 # Forbidden
404 # Not Found
@error;
add_header Expect-CT "enforce,max-age=0" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
add_header Strict-Transport-Security "max-age=31557600;includeSubDomains;preload" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "DENY" always;
set $fp "";
set $fp "${fp}accelerometer 'none';";
set $fp "${fp}ambient-light-sensor 'none';";
set $fp "${fp}animations 'self';";
set $fp "${fp}autoplay 'none';";
set $fp "${fp}camera 'none';";
set $fp "${fp}document-domain 'none';";
set $fp "${fp}document-write 'none';";
set $fp "${fp}encrypted-media 'none';";
set $fp "${fp}fullscreen *;";
set $fp "${fp}geolocation 'none';";
set $fp "${fp}gyroscope 'none';";
set $fp "${fp}legacy-image-formats 'none';";
set $fp "${fp}magnetometer 'none';";
set $fp "${fp}microphone 'none';";
set $fp "${fp}midi 'none';";
set $fp "${fp}payment 'self';";
set $fp "${fp}picture-in-picture 'none';";
set $fp "${fp}speaker 'self';";
set $fp "${fp}sync-xhr 'none';";
set $fp "${fp}unsized-media 'none';";
set $fp "${fp}usb 'none';";
set $fp "${fp}vertical-scroll 'self';";
set $fp "${fp}vr 'none';";
add_header Feature-Policy "${fp}" always;
.. todo:: find policy not blocking sphinx search
::
add_header Content-Security-Policy "default-src 'self'" always;
* /etc/nginx/fcgi.conf
::
fastcgi_param SERVER_PORT ${server_port};
fastcgi_param QUERY_STRING ${query_string};
fastcgi_param REQUEST_METHOD ${request_method};
fastcgi_param CONTENT_TYPE ${content_type};
fastcgi_param CONTENT_LENGTH ${content_length};
* /etc/nginx/uwsgi.conf
::
uwsgi_param client_address ${remote_addr};
uwsgi_param client_port ${remote_port};
uwsgi_param client_ciphers ${ssl_ciphers};
uwsgi_param client_curves ${ssl_curves};
uwsgi_param session_reused ${ssl_session_reused};
uwsgi_param session_id ${ssl_session_id};
uwsgi_param session_cipher ${ssl_cipher};
uwsgi_param session_protocol ${ssl_protocol};
uwsgi_param server_protocol ${server_protocol};
uwsgi_param server_address ${server_addr};
uwsgi_param server_port ${server_port};
uwsgi_param request_scheme ${scheme};
uwsgi_param request_host ${host};
uwsgi_param request_document ${document_uri};
uwsgi_param request_query ${query_string};
uwsgi_param request_method ${request_method};
uwsgi_param content_type ${content_type};
uwsgi_param content_length ${content_length};
uwsgi_param client_verify ${ssl_client_verify};
uwsgi_param client_issuer ${ssl_client_i_dn};
uwsgi_param client_subject ${ssl_client_s_dn};
uwsgi_param client_start ${ssl_client_v_start};
uwsgi_param client_remain ${ssl_client_v_remain};
uwsgi_param client_end ${ssl_client_v_end};
Apps
^^^^
* /lib/systemd/system/fcgiwrap.socket
::
[Unit]
Description=fcgiwrap socket
[Socket]
SocketMode=0600
SocketUser=user
SocketGroup=user
ListenStream=/run/fcgiwrap.socket
[Install]
WantedBy=sockets.target
* /etc/gitweb.conf
::
$projectroot = "/d/projects/rwx.work";
$git_temp = "/tmp";
* /etc/uwsgi/apps-enabled/root.ini
.. code:: ini
[uwsgi]
chown-socket = user
uid = user
gid = user
chdir = /d/projects/rwx.work/root
plugins = python3
module = __init__
callable = app
threads = 2
Sites
^^^^^
* "/etc/nginx/sites-enabled/0 http"
::
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
return 301 https://${host}${request_uri};
}
* "/etc/nginx/sites-enabled/1 rwx.work"
::
server {
include rwx.work.conf;
include uwsgi.conf;
server_name .rwx.work;
location / {
uwsgi_pass unix:/run/uwsgi/app/root/socket;
}
}
server {
include rwx.work.conf;
server_name deb.rwx.work;
root /d/mirrors/apt-mirror/debian;
fancyindex on;
}
server {
include rwx.work.conf;
server_name git.rwx.work;
location ~ ^.*/(info/refs|git-upload-pack)$ {
include fcgi.conf;
fastcgi_param SCRIPT_FILENAME /usr/lib/git-core/git-http-backend;
fastcgi_param PATH_INFO ${uri};
fastcgi_param GIT_PROJECT_ROOT /d/projects/rwx.work;
fastcgi_param GIT_HTTP_EXPORT_ALL "";
fastcgi_pass unix:/run/fcgiwrap.socket;
}
location /static/ {
root /usr/share/gitweb;
}
location / {
include fcgi.conf;
fastcgi_param SCRIPT_FILENAME /usr/share/gitweb/gitweb.cgi;
fastcgi_pass unix:/run/fcgiwrap.socket;
}
}
server {
include rwx.work.conf;
server_name docs.rwx.work;
root /d/projects/rwx.work/docs/out/docs;
}
server {
include rwx.work.conf;
server_name sites.rwx.work;
root /d/projects/rwx.work/sites/out/sites;
}
server {
include rwx.work.conf;
server_name todo.rwx.work;
root /d/projects/rwx.work/todo/out/todo;
}
* "/etc/nginx/sites-enabled/2 marc-beninca.fr"
::
server {
include marc-beninca.fr.conf;
include uwsgi.conf;
server_name .marc-beninca.fr;
location / {
uwsgi_pass unix:/run/uwsgi/app/root/socket;
}
}
server {
include marc-beninca.fr.conf;
server_name cnam.marc-beninca.fr;
root /d/projects/marc-beninca.fr/cnam/out/cnam;
}
server {
include marc-beninca.fr.conf;
server_name docs.marc-beninca.fr;
root /d/projects/marc-beninca.fr/docs/out/docs;
}
server {
include marc-beninca.fr.conf;
server_name sites.marc-beninca.fr;
root /d/projects/marc-beninca.fr/sites/out/sites;
}
server {
include marc-beninca.fr.conf;
server_name todo.marc-beninca.fr;
root /d/projects/marc-beninca.fr/todo/out/todo;
}
* "/etc/nginx/sites-enabled/3 tilde.link"
::
server {
include tilde.link.conf;
include uwsgi.conf;
server_name .tilde.link;
location / {
uwsgi_pass unix:/run/uwsgi/app/root/socket;
}
}
server {
include tilde.link.conf;
server_name docs.tilde.link;
root /d/projects/tilde.link/docs/out/docs;
}
Certificate and errors
^^^^^^^^^^^^^^^^^^^^^^
* /etc/nginx/rwx.work.conf
::
include https.conf;
ssl_certificate rwx.work.crt;
ssl_certificate_key rwx.work.key;
location @error {
return https://rwx.work/error/${status};
}
* /etc/nginx/marc-beninca.fr.conf
::
include https.conf;
ssl_certificate marc-beninca.fr.crt;
ssl_certificate_key marc-beninca.fr.key;
location @error {
return https://marc-beninca.fr/error/${status};
}
* /etc/nginx/tilde.link.conf
::
include https.conf;
ssl_certificate tilde.link.crt;
ssl_certificate_key tilde.link.key;
location @error {
return https://tilde.link/error/${status};
}
* /etc/nginx/rwx.work.key
* /etc/nginx/rwx.work.crt
* /etc/nginx/marc-beninca.fr.key
* /etc/nginx/marc-beninca.fr.crt
* /etc/nginx/tilde.link.key
* /etc/nginx/tilde.link.crt

7
docs/personal/server/index.rst
View file

@ -1,7 +0,0 @@
Server
======
.. toctree::
certificate
dispatch