martin 2025-01-14 10:10:15 +01:00
commit 56fba3b5d9
61 changed files with 6012 additions and 0 deletions

README.md Normal file

@ -0,0 +1,2 @@
# admin


@ -0,0 +1,93 @@
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 768;
# multi_accept on;
}
http {
##
# Basic Settings
##
client_max_body_size 128M;
proxy_max_temp_file_size 0;
proxy_buffering off;
server_names_hash_bucket_size 256;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
#mail {
# # See sample authentication script at:
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
# # auth_http localhost/auth.php;
# # pop3_capabilities "TOP" "USER";
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
# server {
# listen localhost:110;
# protocol pop3;
# proxy on;
# }
#
# server {
# listen localhost:143;
# protocol imap;
# proxy on;
# }
#}
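Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;` in the SSL Settings block keeps TLS 1.0 and 1.1 enabled at the http level, while `snippets/ssl-params.conf` added in this same commit restricts to `ssl_protocols TLSv1.2 TLSv1.3;`; the two should agree, and the http-level value is what every vhost under sites-enabled inherits unless the included Certbot `options-ssl-nginx.conf` overrides it, which I cannot see from here. The trailing comment `# Dropping SSLv3, ref: POODLE` no longer describes what the line does. `server_tokens off;` is left commented, so error pages and the `Server` header carry the nginx version. I'd change the two lines to `ssl_protocols TLSv1.2 TLSv1.3;` and `server_tokens off;`.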


@ -0,0 +1,110 @@
server{
server_name smartinspace.ai;
proxy_set_header X-Forwarded-For $remote_addr;
location / {
root /var/www/html;
index index.html;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/smartinspace.ai/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/smartinspace.ai/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
server_name file.smartinspace.ai;
proxy_set_header X-Forwarded-For $remote_addr;
location / {
proxy_pass https://svnasolvo.ddns.net:44300/;
proxy_intercept_errors on;
error_page 404 502 503 504 = @fallback;
}
location @fallback {
root /var/www/html;
index maintenance.html;
}
location /seafdav {
proxy_pass https://svnasolvo.ddns.net:44300/seafdav;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 1200s;
client_max_body_size 0;
access_log /var/log/nginx/seafdav.access.log;
error_log /var/log/nginx/seafdav.error.log;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/file.smartinspace.ai/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/file.smartinspace.ai/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = file.smartinspace.ai) {
return 301 https://$host$request_uri;
} # managed by Certbot
server_name file.smartinspace.ai;
listen 80;
return 404; # managed by Certbot
}
server {
server_name git.smartinspace.ai;
proxy_set_header X-Forwarded-For $remote_addr;
location / {
proxy_pass https://svnasolvo.ddns.net:30000/;
proxy_intercept_errors on;
error_page 404 502 503 504 = @fallback;
}
location @fallback {
root /var/www/html;
index maintenance.html;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/git.smartinspace.ai/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/git.smartinspace.ai/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = git.smartinspace.ai) {
return 301 https://$host$request_uri;
} # managed by Certbot
server_name git.smartinspace.ai;
listen 80;
return 404; # managed by Certbot
}
server {
server_name dev.smartinspace.ai;
proxy_set_header X-Forwarded-For $remote_addr;
location / {
proxy_pass https://svnasolvo.ddns.net:8080/;
proxy_intercept_errors on;
error_page 404 502 503 504 = @fallback;
}
location @fallback {
root /var/www/html;
index maintenance.html;
}
listen 443 ssl; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/dev.smartinspace.ai/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/dev.smartinspace.ai/privkey.pem; # managed by Certbot
}
server {
if ($host = dev.smartinspace.ai) {
return 301 https://$host$request_uri;
} # managed by Certbot
server_name dev.smartinspace.ai;
listen 80;
return 404; # managed by Certbot
}
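Review bot: The `proxy_pass https://svnasolvo.ddns.net:...` targets in the file, git and dev server blocks reach the upstream over TLS without `proxy_ssl_verify on`, and nginx's default is off, so the upstream certificate is never validated even though the name is resolved through a public dynamic-DNS zone; add `proxy_ssl_verify on;`, `proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;` and `proxy_ssl_server_name on;` next to each `proxy_pass` (or once at http level). The first server block for `smartinspace.ai` has no port-80 companion, unlike the other three hosts, so plain-HTTP requests for it fall through to whichever default server nginx picks. In the file server, `location /` sends the upstream `$proxy_host` as `Host` (the default) while `/seafdav` sets `Host $host`; if the difference is intentional it deserves a comment.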


@ -0,0 +1,127 @@
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
Include /etc/ssh/sshd_config.d/*.conf
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
PubkeyAuthentication yes
# Expect .ssh/authorized_keys2 to be disregarded by default in future.
AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin yes
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
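Review bot: `UsePAM no` in the first Authentication block and `UsePAM yes` further down conflict, and sshd keeps the first value it reads for a keyword, so the `UsePAM yes` placed under the PAM explanation is dead and PAM account/session processing is off; remove one of them so the file says what it means (the duplicated `PasswordAuthentication no` and `ChallengeResponseAuthentication no` are harmless but deserve the same clean-up). Because `Include /etc/ssh/sshd_config.d/*.conf` sits at the top, any drop-in there that sets `PasswordAuthentication yes` wins over the `no` in this file by the same first-value rule; worth checking that directory on the host, which I cannot see from here. `X11Forwarding yes` is enabled on what the rest of the commit shows to be a reverse-proxy host; unless someone actually forwards X11 sessions, `X11Forwarding no` is the safer setting.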


@ -0,0 +1,63 @@
server {
listen 80;
server_name bernie;
client_max_body_size 48M;
client_body_buffer_size 128k;
client_header_buffer_size 5120k;
large_client_header_buffers 32 5120k;
#only works in nginx+
#set_cookie_flag HttpOnly Secure;
#proxy_cookie_path / "/; secure; HTTPOnly; SameSite=strict";
# proxy_set_header X-Real-IP $remote_addr;
set_real_ip_from 192.168.178.41;
error_page 501 502 503 504 /maintenance.html;
location /maintenance.html {
root /home/django/;
}
location = /favicon.ico {
access_log off; log_not_found off;
}
location /media {
#autoindex on;
alias /home/django/leagues/data/media;
}
location /static/ {
root /home/django/;
}
location / {
include proxy_params;
proxy_pass http://unix:/run/gunicorn.sock;
# proxy_set_header X-Real-IP $remote_addr;
#proxy_set_header Host $http_host;
#proxy_set_header REMOTE_ADDR $remote_addr;
#proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#proxy_headers_hash_max_size 512;
#proxy_headers_hash_bucket_size 128;
#proxy_read_timeout 3600;
#proxy_intercept_errors on;
}
#location ^~ /.well-known {
#root /home/django/leagues/;
#allow all;
#}
#location = /_csp {
# access_log /var/log/nginx/csp.log CSP;
# proxy_pass http://127.0.0.1/_csp_response;
#}
# FOR CSP
include snippets/ssl-params.conf;
}
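Review bot: `client_header_buffer_size 5120k;` together with `large_client_header_buffers 32 5120k;` allows roughly 160 MB of header buffers per connection, so a few clients sending oversized headers can exhaust memory; unless the Django app really receives multi-megabyte headers, the nginx defaults (`1k` and `4 8k`) or a modest increase are enough, and the gunicorn unit in this same commit removes its own header limits, so nothing downstream caps it either. `include snippets/ssl-params.conf;` is pulled into a server that only has `listen 80;`, so the snippet's `ssl_*` directives are inert here while its `add_header` lines are sent over plain HTTP; the include belongs in a 443 server block, or the intent needs a comment. `location /media` without a trailing slash also matches `/media-anything` and aliases it to a sibling of `data/media`; `location /media/ { alias /home/django/leagues/data/media/; }` keeps the mapping one-to-one.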


@ -0,0 +1,52 @@
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1d;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Disable preloading HSTS for now. You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
# add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block" always;
add_header Content-Security-Policy "
object-src 'none';
base-uri 'none';
require-trusted-types-for 'script';
report-uri https://optimization.ligalytics.com/_csp;
script-src 'strict-dynamic' 'self' 'unsafe-inline' 'nonce-secret321' https://*.googleapis.com https://*.gstatic.com *.google.com https://*.ggpht.com *.googleusercontent.com blob:;
img-src 'self' https://*.googleapis.com https://*.gstatic.com *.google.com *.googleusercontent.com data:;
frame-src *.google.com;
connect-src 'self' https://*.googleapis.com *.google.com https://*.gstatic.com data: blob:;
font-src https://fonts.gstatic.com;
style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;
worker-src blob:;
";
set $SCRIPT "script-src 'strict-dynamic' 'nonce-rAnd0m123' 'unsafe-inline'";
set $SCRIPT "${SCRIPT} https://www.a.com";
set $SCRIPT "${SCRIPT} https://b.com";
set $STYLE "style-src 'self'";
set $STYLE "${STYLE} https://a.com";
set $IMG "img-src 'self' data:";
set $IMG "${IMG} https://a.com";
set $IMG "${IMG} https://www.b.com";
set $FONT "font-src 'self' data:";
set $FONT "${FONT} https://a.com";
set $DEFAULT "default-src 'self'";
set $CONNECT "connect-src 'self'";
set $CONNECT "${CONNECT} https://www.a.com";
set $CONNECT "${CONNECT} https://www.b.com";
set $FRAME "frame-src 'self'";
set $FRAME "${FRAME} https://a.com";
set $FRAME "${FRAME} https://b.com";
add_header Content-Security-Policy "${SCRIPT}; ${STYLE}; ${IMG}; ${FONT}; ${DEFAULT}; ${CONNECT}; ${FRAME}";
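Review bot: Both CSP headers carry a fixed nonce written into the config (`'nonce-secret321'` in the first policy, `'nonce-rAnd0m123'` in `$SCRIPT`), and a nonce that never changes gives no protection, since `'strict-dynamic'` will trust any script tag carrying that constant and the constant is visible in every response. Generate it per request, e.g. `set $csp_nonce $request_id;` and `'nonce-$csp_nonce'` in the header value, with the application echoing the same value into its script tags. The snippet also emits two `Content-Security-Policy` headers (the multi-line one and the `${SCRIPT}; …` one assembled with `set`), and browsers enforce both, so the effective policy is their intersection; the second still lists `https://www.a.com` and `https://b.com` placeholders, so it reads as an unfinished template and should be removed or completed. Note too that `add_header` directives are dropped in any location that declares its own `add_header`, so this snippet's headers silently disappear there.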


@ -0,0 +1,34 @@
# my global config
global:
scrape_interval: 15s # Set the scrape interval to every 15 seconds. Default is every 1 minute.
evaluation_interval: 15s # Evaluate rules every 15 seconds. The default is every 1 minute.
# scrape_timeout is set to the global default (10s).
# Alertmanager configuration
alerting:
alertmanagers:
- static_configs:
- targets:
# - alertmanager:9093
# Load rules once and periodically evaluate them according to the global 'evaluation_interval'.
rule_files:
# - "first_rules.yml"
# - "second_rules.yml"
# A scrape configuration containing exactly one endpoint to scrape:
# Here it's Prometheus itself.
scrape_configs:
# The job name is added as a label `job=<job_name>` to any timeseries scraped from this config.
- job_name: "prometheus"
# metrics_path defaults to '/metrics'
# scheme defaults to 'http'.
static_configs:
- targets: ["localhost:9090"]
- job_name: "node"
static_configs:
- targets: ["localhost:9100"]


@ -0,0 +1,24 @@
[Unit]
Description=gunicorn daemon
Requires=gunicorn.socket
After=network.target
[Service]
User=django
Group=django
WorkingDirectory=/home/django/leagues
ExecStart=/home/django/leagues/venv/bin/gunicorn \
--bind unix:/run/gunicorn.sock \
--log-level debug \
--limit-request-line 0 \
--limit-request-field_size 0 \
--graceful-timeout 1200 \
--capture-output \
--timeout 1200 \
--workers 3 \
leagues.wsgi:application
[Install]
WantedBy=multi-user.target
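Review bot: `--limit-request-line 0` and `--limit-request-field_size 0` remove gunicorn's request-line and header-field size limits entirely (gunicorn documents 0 as unlimited), so the only cap on header size is whatever nginx allows, and the nginx vhost in this commit raises that to 5120k buffers, leaving the workers to buffer arbitrarily large headers from any client. Unless a specific client needs more than the defaults (4094 and 8190 bytes), drop the two flags or set explicit values. `--log-level debug` in a permanent unit keeps per-request debug output in the journal; `info` is the usual production setting. The unit also has no `Restart=on-failure` and none of the common hardening keys (`PrivateTmp=`, `ProtectSystem=`), which the prometheus unit in the same commit lacks as well.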


@ -0,0 +1,25 @@
[Unit]
Description=Prometheus
Wants=network-online.target
After=network-online.target
[Service]
User=prometheus
Group=prometheus
Type=simple
ExecStart=/usr/local/bin/prometheus \
--config.file /etc/prometheus/prometheus.yml \
--storage.tsdb.path /var/lib/prometheus/ \
--web.console.templates=/etc/prometheus/consoles \
--web.console.libraries=/etc/prometheus/console_libraries
[Install]
WantedBy=multi-user.target
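Review bot: The `ExecStart` line passes no `--web.listen-address`, so Prometheus binds its unauthenticated HTTP API and UI to `0.0.0.0:9090` by default; nothing else in this commit proxies or firewalls that port, and `prometheus.yml` scrapes it as `localhost:9090`, so `--web.listen-address=127.0.0.1:9090` matches the visible use without losing anything. The unit also lacks `Restart=on-failure`, which matters for a long-running collector.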


@ -0,0 +1,4 @@
cd /var/www/leagues
venv/bin/python manage.py dbbackup
rsync -a data/computation /db_backup/computation
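Review bot: `cd /var/www/leagues` is unchecked, so if the directory is missing or the cron user cannot enter it, `venv/bin/python manage.py dbbackup` and `rsync -a data/computation …` run from whatever the working directory was; use `cd /var/www/leagues || exit 1`, and give the file a `#!/bin/bash` line plus `set -e`, since it has no shebang. `rsync -a data/computation /db_backup/computation` copies the directory itself into the destination, producing `/db_backup/computation/computation`; if a mirror is intended the source needs a trailing slash, `rsync -a data/computation/ /db_backup/computation/`.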


@ -0,0 +1,5 @@
#!/bin/bash
echo "$(date)" >> /var/log/iftop/$(date +%F)_iftop.log
/usr/sbin/iftop -PptBbNn -s 28795 -o destination >> /var/log/iftop/$(date +%F)_iftop.log


@ -0,0 +1,5 @@
#!/bin/bash
#/usr/sbin/logwatch --detail high --range yesterday --format html --filename /var/log/logwatch/$(date -d "yesterday" +%F)_logwatch.html
/usr/sbin/logwatch --detail high --range yesterday --format html --mailto m.dahmen@asolvo.de
/usr/sbin/logwatch --detail high --range yesterday --format html --mailto m.dahmen@asolvo.de --filename /var/log/logwatch/$(date -d "yesterday" +%F)_logwatch.html
chmod 644 /var/log/logwatch/$(date -d "yesterday" +%F)_logwatch.html
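Review bot: The second and third lines both invoke logwatch with `--mailto m.dahmen@asolvo.de` for the same range, so the report is generated twice and, unless `--filename` suppresses mailing, delivered twice; keeping only the line that writes the file (and mailing from that one) avoids the duplicate work. `chmod 644` then makes a high-detail digest of the system logs world-readable under `/var/log/logwatch`; `chmod 640` with a suitable group is the usual choice for log digests. `$(date -d "yesterday" +%F)` is evaluated three times; computing it once into a variable removes the chance of the file name differing if the run straddles midnight.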


@ -0,0 +1,24 @@
#!/bin/bash
#file1="/var/log/logwatch/$(ls -1r /var/log/logwatch/ | head -1)"
#file2="/var/log/iftop/$(ls -1r /var/log/iftop/ | head -1)"
#file3="/var/log/vnstat/$(ls -1r /var/log/vnstat/ | head -1)"
file1="/var/log/logwatch/$(date -d "yesterday" +%F)_logwatch.html"
file2="/var/log/iftop/$(date -d "yesterday" +%F)_iftop.log"
file3="/var/log/vnstat/$(date -d "yesterday" +%F)_vnstat.json"
file4="/var/log/ipfm/$(date -d "yesterday" +%F)_ipfm.log"
mkdir /var/log/nettraf/tmp
cp $file1 /var/log/nettraf/tmp
cp $file2 /var/log/nettraf/tmp
cp $file3 /var/log/nettraf/tmp
cp $file4 /var/log/nettraf/tmp
cd /var/log/nettraf/tmp
tar -czvf /var/log/nettraf/$(date +%Y_%m_%d_%H_%M)_summary.tar.gz -P *
cd /var/log/nettraf
rm -rf tmp
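Review bot: `mkdir /var/log/nettraf/tmp` and both `cd` lines are unchecked, so if the directory already exists, is unwritable, or the first `cd` fails, `tar … *` archives whatever the current directory holds and the final `rm -rf tmp` removes `tmp` relative to wherever the script happens to be rather than under `/var/log/nettraf`. A `set -euo pipefail` header, `mktemp -d` with a cleanup trap, and quoted `$file1`…`$file4` make the script fail closed instead. `-P` on `tar` has no effect on the relative `*` members and can be dropped. A rewrite that keeps the same archive name:
```shell
#!/bin/bash
set -euo pipefail
# … unchanged: file1..file4 definitions …
tmp="$(mktemp -d /var/log/nettraf/tmp.XXXXXX)"
trap 'rm -rf "$tmp"' EXIT
cp "$file1" "$file2" "$file3" "$file4" "$tmp"/
tar -czvf "/var/log/nettraf/$(date +%Y_%m_%d_%H_%M)_summary.tar.gz" -C "$tmp" .
```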


@ -0,0 +1,3 @@
#!/bin/bash
/usr/bin/vnstat --json >> /var/log/vnstat/$(date +%F)_vnstat.json
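Review bot: `>>` appends a complete JSON document to `/var/log/vnstat/<date>_vnstat.json` on every run, so if the job fires more than once a day the file holds several concatenated documents and is no longer valid JSON for whatever consumes the archived copy. If one snapshot per day is the intent, `>` is the right operator; otherwise a timestamp in the file name keeps each run separate.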


@ -0,0 +1,890 @@
#
# WARNING: heavily refactored in 0.9.0 release. Please review and
# customize settings for your setup.
#
# Changes: in most of the cases you should not modify this
# file, but provide customizations in jail.local file,
# or separate .conf files under jail.d/ directory, e.g.:
#
# HOW TO ACTIVATE JAILS:
#
# YOU SHOULD NOT MODIFY THIS FILE.
#
# It will probably be overwritten or improved in a distribution update.
#
# Provide customizations in a jail.local file or a jail.d/customisation.local.
# For example to change the default bantime for all jails and to enable the
# ssh-iptables jail the following (uncommented) would appear in the .local file.
# See man 5 jail.conf for details.
#
# [DEFAULT]
# bantime = 1h
#
# [sshd]
# enabled = true
#
# See jail.conf(5) man page for more information
# Comments: use '#' for comment lines and ';' (following a space) for inline comments
[INCLUDES]
#before = paths-distro.conf
before = paths-debian.conf
# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.
[DEFAULT]
#
# MISCELLANEOUS OPTIONS
#
# "ignorself" specifies whether the local resp. own IP addresses should be ignored
# (default is true). Fail2ban will not ban a host which matches such addresses.
#ignorself = true
# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
# will not ban a host which matches an address in this list. Several addresses
# can be defined using space (and/or comma) separator.
#ignoreip = 127.0.0.1/8 ::1
# External command that will take an tagged arguments to ignore, e.g. <ip>,
# and return true if the IP is to be ignored. False otherwise.
#
# ignorecommand = /path/to/command <ip>
ignorecommand =
# "bantime" is the number of seconds that a host is banned.
bantime = 30m
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 10m
# "maxretry" is the number of failures before a host get banned.
maxretry = 2
# "backend" specifies the backend used to get files modification.
# Available options are "pyinotify", "gamin", "polling", "systemd" and "auto".
# This option can be overridden in each jail as well.
#
# pyinotify: requires pyinotify (a file alteration monitor) to be installed.
# If pyinotify is not installed, Fail2ban will use auto.
# gamin: requires Gamin (a file alteration monitor) to be installed.
# If Gamin is not installed, Fail2ban will use auto.
# polling: uses a polling algorithm which does not require external libraries.
# systemd: uses systemd python library to access the systemd journal.
# Specifying "logpath" is not valid for this backend.
# See "journalmatch" in the jails associated filter config
# auto: will try to use the following backends, in order:
# pyinotify, gamin, polling.
#
# Note: if systemd backend is chosen as the default but you enable a jail
# for which logs are present only in its own log files, specify some other
# backend for that jail (e.g. polling) and provide empty value for
# journalmatch. See https://github.com/fail2ban/fail2ban/issues/959#issuecomment-74901200
backend = auto
# "usedns" specifies if jails should trust hostnames in logs,
# warn when DNS lookups are performed, or ignore all hostnames in logs
#
# yes: if a hostname is encountered, a DNS lookup will be performed.
# warn: if a hostname is encountered, a DNS lookup will be performed,
# but it will be logged as a warning.
# no: if a hostname is encountered, will not be used for banning,
# but it will be logged as info.
# raw: use raw value (no hostname), allow use it for no-host filters/actions (example user)
usedns = warn
# "logencoding" specifies the encoding of the log files handled by the jail
# This is used to decode the lines from the log file.
# Typical examples: "ascii", "utf-8"
#
# auto: will use the system locale setting
logencoding = auto
# "enabled" enables the jails.
# By default all jails are disabled, and it should stay this way.
# Enable only relevant to your setup jails in your .local or jail.d/*.conf
#
# true: jail will be enabled and log files will get monitored for changes
# false: jail is not enabled
enabled = false
# "mode" defines the mode of the filter (see corresponding filter implementation for more info).
mode = normal
# "filter" defines the filter to use by the jail.
# By default jails have names matching their filter name
#
filter = %(__name__)s[mode=%(mode)s]
#
# ACTIONS
#
# Some options used for actions
# Destination email address used solely for the interpolations in
# jail.{conf,local,d/*} configuration files.
destemail = root@localhost
# Sender email address used solely for some actions
sender = root@<fq-hostname>
# E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the
# mailing. Change mta configuration parameter to mail if you want to
# revert to conventional 'mail'.
mta = sendmail
# Default protocol
protocol = tcp
# Specify chain where jumps would need to be added in ban-actions expecting parameter chain
chain = <known/chain>
# Ports to be banned
# Usually should be overridden in a particular jail
port = 0:65535
# Format of user-agent https://tools.ietf.org/html/rfc7231#section-5.5.3
fail2ban_agent = Fail2Ban/%(fail2ban_version)s
#
# Action shortcuts. To be used to define action parameter
# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overridden globally or per
# section within jail.local file
banaction = iptables-multiport
banaction_allports = iptables-allports
# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
%(mta)s-whois[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
%(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
# See the IMPORTANT note in action.d/xarf-login-attack for when to use this action
#
# ban & send a xarf e-mail to abuse contact of IP address and include relevant log lines
# to the destemail.
action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"]
# ban IP on CloudFlare & send an e-mail with whois report and relevant log lines
# to the destemail.
action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
%(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
# Report block via blocklist.de fail2ban reporting service API
#
# See the IMPORTANT note in action.d/blocklist_de.conf for when to use this action.
# Specify expected parameters in file action.d/blocklist_de.local or if the interpolation
# `action_blocklist_de` used for the action, set value of `blocklist_de_apikey`
# in your `jail.local` globally (section [DEFAULT]) or per specific jail section (resp. in
# corresponding jail.d/my-jail.local file).
#
action_blocklist_de = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"]
# Report ban via badips.com, and use as blacklist
#
# See BadIPsAction docstring in config/action.d/badips.py for
# documentation for this action.
#
# NOTE: This action relies on banaction being present on start and therefore
# should be last action defined for a jail.
#
action_badips = badips.py[category="%(__name__)s", banaction="%(banaction)s", agent="%(fail2ban_agent)s"]
#
# Report ban via badips.com (uses action.d/badips.conf for reporting only)
#
action_badips_report = badips[category="%(__name__)s", agent="%(fail2ban_agent)s"]
# Report ban via abuseipdb.com.
#
# See action.d/abuseipdb.conf for usage example and details.
#
action_abuseipdb = abuseipdb
# Choose default action. To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_)s
#
# JAILS
#
#
# SSH servers
#
[sshd]
# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
#mode = normal
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
[dropbear]
port = ssh
logpath = %(dropbear_log)s
backend = %(dropbear_backend)s
[selinux-ssh]
port = ssh
logpath = %(auditd_log)s
#
# HTTP servers
#
[apache-auth]
port = http,https
logpath = %(apache_error_log)s
[apache-badbots]
# Ban hosts which agent identifies spammer robots crawling the web
# for email addresses. The mail outputs are buffered.
port = http,https
logpath = %(apache_access_log)s
bantime = 48h
maxretry = 1
[apache-noscript]
port = http,https
logpath = %(apache_error_log)s
[apache-overflows]
port = http,https
logpath = %(apache_error_log)s
maxretry = 2
[apache-nohome]
port = http,https
logpath = %(apache_error_log)s
maxretry = 2
[apache-botsearch]
port = http,https
logpath = %(apache_error_log)s
maxretry = 2
[apache-fakegooglebot]
port = http,https
logpath = %(apache_access_log)s
maxretry = 1
ignorecommand = %(ignorecommands_dir)s/apache-fakegooglebot <ip>
[apache-modsecurity]
port = http,https
logpath = %(apache_error_log)s
maxretry = 2
[apache-shellshock]
port = http,https
logpath = %(apache_error_log)s
maxretry = 1
[openhab-auth]
filter = openhab
action = iptables-allports[name=NoAuthFailures]
logpath = /opt/openhab/logs/request.log
[nginx-http-auth]
port = http,https
logpath = %(nginx_error_log)s
# To use 'nginx-limit-req' jail you should have `ngx_http_limit_req_module`
# and define `limit_req` and `limit_req_zone` as described in nginx documentation
# http://nginx.org/en/docs/http/ngx_http_limit_req_module.html
# or for example see in 'config/filter.d/nginx-limit-req.conf'
[nginx-limit-req]
port = http,https
logpath = %(nginx_error_log)s
[nginx-botsearch]
port = http,https
logpath = %(nginx_error_log)s
maxretry = 2
# Ban attackers that try to use PHP's URL-fopen() functionality
# through GET/POST variables. - Experimental, with more than a year
# of usage in production environments.
[php-url-fopen]
port = http,https
logpath = %(nginx_access_log)s
%(apache_access_log)s
[suhosin]
port = http,https
logpath = %(suhosin_log)s
[lighttpd-auth]
# Same as above for Apache's mod_auth
# It catches wrong authentifications
port = http,https
logpath = %(lighttpd_error_log)s
#
# Webmail and groupware servers
#
[roundcube-auth]
port = http,https
logpath = %(roundcube_errors_log)s
# Use following line in your jail.local if roundcube logs to journal.
#backend = %(syslog_backend)s
[openwebmail]
port = http,https
logpath = /var/log/openwebmail.log
[horde]
port = http,https
logpath = /var/log/horde/horde.log
[groupoffice]
port = http,https
logpath = /home/groupoffice/log/info.log
[sogo-auth]
# Monitor SOGo groupware server
# without proxy this would be:
# port = 20000
port = http,https
logpath = /var/log/sogo/sogo.log
[tine20]
logpath = /var/log/tine20/tine20.log
port = http,https
#
# Web Applications
#
#
[drupal-auth]
port = http,https
logpath = %(syslog_daemon)s
backend = %(syslog_backend)s
[guacamole]
port = http,https
logpath = /var/log/tomcat*/catalina.out
[monit]
#Ban clients brute-forcing the monit gui login
port = 2812
logpath = /var/log/monit
[webmin-auth]
port = 10000
logpath = %(syslog_authpriv)s
backend = %(syslog_backend)s
[froxlor-auth]
port = http,https
logpath = %(syslog_authpriv)s
backend = %(syslog_backend)s
#
# HTTP Proxy servers
#
#
[squid]
port = 80,443,3128,8080
logpath = /var/log/squid/access.log
[3proxy]
port = 3128
logpath = /var/log/3proxy.log
#
# FTP servers
#
[proftpd]
port = ftp,ftp-data,ftps,ftps-data
logpath = %(proftpd_log)s
backend = %(proftpd_backend)s
[pure-ftpd]
port = ftp,ftp-data,ftps,ftps-data
logpath = %(pureftpd_log)s
backend = %(pureftpd_backend)s
[gssftpd]
port = ftp,ftp-data,ftps,ftps-data
logpath = %(syslog_daemon)s
backend = %(syslog_backend)s
[wuftpd]
port = ftp,ftp-data,ftps,ftps-data
logpath = %(wuftpd_log)s
backend = %(wuftpd_backend)s
[vsftpd]
# or overwrite it in jails.local to be
# logpath = %(syslog_authpriv)s
# if you want to rely on PAM failed login attempts
# vsftpd's failregex should match both of those formats
port = ftp,ftp-data,ftps,ftps-data
logpath = %(vsftpd_log)s
#
# Mail servers
#
# ASSP SMTP Proxy Jail
[assp]
port = smtp,465,submission
logpath = /root/path/to/assp/logs/maillog.txt
[courier-smtp]
port = smtp,465,submission
logpath = %(syslog_mail)s
backend = %(syslog_backend)s
[postfix]
# To use another modes set filter parameter "mode" in jail.local:
mode = more
port = smtp,465,submission
logpath = %(postfix_log)s
backend = %(postfix_backend)s
[postfix-rbl]
filter = postfix[mode=rbl]
port = smtp,465,submission
logpath = %(postfix_log)s
backend = %(postfix_backend)s
maxretry = 1
[sendmail-auth]
port = submission,465,smtp
logpath = %(syslog_mail)s
backend = %(syslog_backend)s
[sendmail-reject]
# To use more aggressive modes set filter parameter "mode" in jail.local:
# normal (default), extra or aggressive
# See "tests/files/logs/sendmail-reject" or "filter.d/sendmail-reject.conf" for usage example and details.
#mode = normal
port = smtp,465,submission
logpath = %(syslog_mail)s
backend = %(syslog_backend)s
[qmail-rbl]
filter = qmail
port = smtp,465,submission
logpath = /service/qmail/log/main/current
# dovecot defaults to logging to the mail syslog facility
# but can be set by syslog_facility in the dovecot configuration.
[dovecot]
port = pop3,pop3s,imap,imaps,submission,465,sieve
logpath = %(dovecot_log)s
backend = %(dovecot_backend)s
[sieve]
port = smtp,465,submission
logpath = %(dovecot_log)s
backend = %(dovecot_backend)s
[solid-pop3d]
port = pop3,pop3s
logpath = %(solidpop3d_log)s
[exim]
# see filter.d/exim.conf for further modes supported from filter:
#mode = normal
port = smtp,465,submission
logpath = %(exim_main_log)s
[exim-spam]
port = smtp,465,submission
logpath = %(exim_main_log)s
[kerio]
port = imap,smtp,imaps,465
logpath = /opt/kerio/mailserver/store/logs/security.log
#
# Mail servers authenticators: might be used for smtp,ftp,imap servers, so
# all relevant ports get banned
#
[courier-auth]
port = smtp,465,submission,imap,imaps,pop3,pop3s
logpath = %(syslog_mail)s
backend = %(syslog_backend)s
[postfix-sasl]
filter = postfix[mode=auth]
port = smtp,465,submission,imap,imaps,pop3,pop3s
# You might consider monitoring /var/log/mail.warn instead if you are
# running postfix since it would provide the same log lines at the
# "warn" level but overall at the smaller filesize.
logpath = %(postfix_log)s
backend = %(postfix_backend)s
[perdition]
port = imap,imaps,pop3,pop3s
logpath = %(syslog_mail)s
backend = %(syslog_backend)s
[squirrelmail]
port = smtp,465,submission,imap,imap2,imaps,pop3,pop3s,http,https,socks
logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log
[cyrus-imap]
port = imap,imaps
logpath = %(syslog_mail)s
backend = %(syslog_backend)s
[uwimap-auth]
port = imap,imaps
logpath = %(syslog_mail)s
backend = %(syslog_backend)s
#
#
# DNS servers
#
# !!! WARNING !!!
# Since UDP is connection-less protocol, spoofing of IP and imitation
# of illegal actions is way too simple. Thus enabling of this filter
# might provide an easy way for implementing a DoS against a chosen
# victim. See
# http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
# Please DO NOT USE this jail unless you know what you are doing.
#
# IMPORTANT: see filter.d/named-refused for instructions to enable logging
# This jail blocks UDP traffic for DNS requests.
# [named-refused-udp]
#
# filter = named-refused
# port = domain,953
# protocol = udp
# logpath = /var/log/named/security.log
# IMPORTANT: see filter.d/named-refused for instructions to enable logging
# This jail blocks TCP traffic for DNS requests.
[named-refused]
port = domain,953
logpath = /var/log/named/security.log
[nsd]
port = 53
action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
%(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
logpath = /var/log/nsd.log
#
# Miscellaneous
#
[asterisk]
port = 5060,5061
action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
%(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
%(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
logpath = /var/log/asterisk/messages
maxretry = 10
[freeswitch]
port = 5060,5061
action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
%(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
%(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
logpath = /var/log/freeswitch.log
maxretry = 10
# To log wrong MySQL access attempts add to /etc/my.cnf in [mysqld] or
# equivalent section:
# log-warning = 2
#
# for syslog (daemon facility)
# [mysqld_safe]
# syslog
#
# for own logfile
# [mysqld]
# log-error=/var/log/mysqld.log
[mysqld-auth]
port = 3306
logpath = %(mysql_log)s
backend = %(mysql_backend)s
# Log wrong MongoDB auth (for details see filter 'filter.d/mongodb-auth.conf')
[mongodb-auth]
# change port when running with "--shardsvr" or "--configsvr" runtime operation
port = 27017
logpath = /var/log/mongodb/mongodb.log
# Jail for more extended banning of persistent abusers
# !!! WARNINGS !!!
# 1. Make sure that your loglevel specified in fail2ban.conf/.local
# is not at DEBUG level -- which might then cause fail2ban to fall into
# an infinite loop constantly feeding itself with non-informative lines
# 2. Increase dbpurgeage defined in fail2ban.conf to e.g. 648000 (7.5 days)
# to maintain entries for failed logins for sufficient amount of time
[recidive]
logpath = /var/log/fail2ban.log
banaction = %(banaction_allports)s
bantime = 1w
findtime = 1d
# Generic filter for PAM. Has to be used with action which bans all
# ports such as iptables-allports, shorewall
[pam-generic]
# pam-generic filter can be customized to monitor specific subset of 'tty's
banaction = %(banaction_allports)s
logpath = %(syslog_authpriv)s
backend = %(syslog_backend)s
[xinetd-fail]
banaction = iptables-multiport-log
logpath = %(syslog_daemon)s
backend = %(syslog_backend)s
maxretry = 2
# stunnel - need to set port for this
[stunnel]
logpath = /var/log/stunnel4/stunnel.log
[ejabberd-auth]
port = 5222
logpath = /var/log/ejabberd/ejabberd.log
[counter-strike]
logpath = /opt/cstrike/logs/L[0-9]*.log
# Firewall: http://www.cstrike-planet.com/faq/6
tcpport = 27030,27031,27032,27033,27034,27035,27036,27037,27038,27039
udpport = 1200,27000,27001,27002,27003,27004,27005,27006,27007,27008,27009,27010,27011,27012,27013,27014,27015
action = %(banaction)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
%(banaction)s[name=%(__name__)s-udp, port="%(udpport)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
# consider low maxretry and a long bantime
# nobody except your own Nagios server should ever probe nrpe
[nagios]
logpath = %(syslog_daemon)s ; nrpe.cfg may define a different log_facility
backend = %(syslog_backend)s
maxretry = 1
[oracleims]
# see "oracleims" filter file for configuration requirement for Oracle IMS v6 and above
logpath = /opt/sun/comms/messaging64/log/mail.log_current
banaction = %(banaction_allports)s
[directadmin]
logpath = /var/log/directadmin/login.log
port = 2222
[portsentry]
logpath = /var/lib/portsentry/portsentry.history
maxretry = 1
[pass2allow-ftp]
# this pass2allow example allows FTP traffic after successful HTTP authentication
port = ftp,ftp-data,ftps,ftps-data
# knocking_url variable must be overridden to some secret value in jail.local
knocking_url = /knocking/
filter = apache-pass[knocking_url="%(knocking_url)s"]
# access log of the website with HTTP auth
logpath = %(apache_access_log)s
blocktype = RETURN
returntype = DROP
action = %(action_)s[blocktype=%(blocktype)s, returntype=%(returntype)s]
bantime = 1h
maxretry = 1
findtime = 1
[murmur]
# AKA mumble-server
port = 64738
action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol=tcp, chain="%(chain)s", actname=%(banaction)s-tcp]
%(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol=udp, chain="%(chain)s", actname=%(banaction)s-udp]
logpath = /var/log/mumble-server/mumble-server.log
[screensharingd]
# For Mac OS Screen Sharing Service (VNC)
logpath = /var/log/system.log
logencoding = utf-8
[haproxy-http-auth]
# HAProxy by default doesn't log to file you'll need to set it up to forward
# logs to a syslog server which would then write them to disk.
# See "haproxy-http-auth" filter for a brief cautionary note when setting
# maxretry and findtime.
logpath = /var/log/haproxy.log
[slapd]
port = ldap,ldaps
logpath = /var/log/slapd.log
[domino-smtp]
port = smtp,ssmtp
logpath = /home/domino01/data/IBM_TECHNICAL_SUPPORT/console.log
[phpmyadmin-syslog]
port = http,https
logpath = %(syslog_authpriv)s
backend = %(syslog_backend)s
[zoneminder]
# Zoneminder HTTP/HTTPS web interface auth
# Logs auth failures to apache2 error log
port = http,https
logpath = %(apache_error_log)s


@ -0,0 +1,84 @@
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 768;
# multi_accept on;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
#mail {
# # See sample authentication script at:
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
# # auth_http localhost/auth.php;
# # pop3_capabilities "TOP" "USER";
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
# server {
# listen localhost:110;
# protocol pop3;
# proxy on;
# }
#
# server {
# listen localhost:143;
# protocol imap;
# proxy on;
# }
#}
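Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` under SSL Settings still enables TLS 1.0 and 1.1, and because this is the http-level default it applies to every server block that does not include snippets/ssl-params.conf (the team and club vhosts later in this commit carry no such include). Change it to `ssl_protocols TLSv1.2 TLSv1.3;` so the baseline matches the snippet rather than relying on each vhost to override it. `# server_tokens off;` is left commented out, so the server version is advertised on every response and error page; uncommenting it costs nothing. A `ssl_ciphers` line at this level would also give the non-snippet vhosts an explicit cipher policy instead of the build default.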


@ -0,0 +1,77 @@
# server {
# listen 44333 ssl default_server;
# listen [::]:44333 ssl default_server;
# fastcgi_buffers 16 32k;
# fastcgi_buffer_size 64k;
# client_max_body_size 48M;
# client_body_buffer_size 128k;
# client_header_buffer_size 5120k;
# large_client_header_buffers 32 5120k;
# proxy_max_temp_file_size 0;
# proxy_buffering off;
# proxy_read_timeout 300;
# proxy_send_timeout 300;
# proxy_connect_timeout 300;
# fastcgi_read_timeout 300;
# fastcgi_send_timeout 300;
# fastcgi_connect_timeout 300;
# #only works in nginx+
# #set_cookie_flag HttpOnly Secure;
# proxy_cookie_path / "/; secure; HTTPOnly; SameSite=strict";
# proxy_set_header X-Real-IP $remote_addr;
# server_name stage.ligalytics.com;
# error_page 501 502 503 504 /maintenance.html;
# location /maintenance.html {
# root /var/www/html;
# }
# location = /favicon.ico {
# access_log off; log_not_found off;
# }
# location /media {
# #autoindex on;
# alias /home/django/dev/data/media/;
# }
# location /static/ {
# root /home/django/;
# }
# location / {
# proxy_set_header Host $http_host;
# proxy_pass http://unix:/home/django/dev/leagues.sock;
# proxy_set_header REMOTE_ADDR $remote_addr;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_read_timeout 3600;
# proxy_intercept_errors on;
# }
# location ^~ /.well-known {
# root /home/django/dev;
# allow all;
# }
# include snippets/ssl-ligalytics.conf;
# include snippets/ssl-params.conf;
# }


@ -0,0 +1,92 @@
server {
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
fastcgi_buffers 16 32k;
fastcgi_buffer_size 64k;
client_max_body_size 48M;
client_body_buffer_size 128k;
client_header_buffer_size 5120k;
large_client_header_buffers 32 5120k;
proxy_max_temp_file_size 0;
proxy_buffering off;
proxy_read_timeout 300;
proxy_send_timeout 300;
proxy_connect_timeout 300;
fastcgi_read_timeout 300;
fastcgi_send_timeout 300;
fastcgi_connect_timeout 300;
#only works in nginx+
#set_cookie_flag HttpOnly Secure;
proxy_cookie_path / "/; secure; HTTPOnly; SameSite=strict";
proxy_set_header X-Real-IP $remote_addr;
server_name stage.ligalytics.com;
error_page 501 502 503 504 /maintenance.html;
location /maintenance.html {
root /var/www/html;
}
location = /favicon.ico {
access_log off; log_not_found off;
}
location /media {
#autoindex on;
alias /home/django/prod/data/media;
}
location /static/ {
root /home/django/;
}
location / {
proxy_set_header Host $http_host;
proxy_pass http://unix:/home/django/prod/leagues.sock;
proxy_set_header REMOTE_ADDR $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_read_timeout 3600;
proxy_intercept_errors on;
}
location ^~ /.well-known {
root /home/django/prod;
allow all;
}
location = /_csp {
access_log /var/log/nginx/csp.log CSP;
proxy_pass http://127.0.0.1/_csp_response;
}
include snippets/ssl-ligalytics.conf;
include snippets/ssl-params.conf;
}
server {
listen 81;
location /metrics {
stub_status on;
}
}
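Review bot: The second server block (`listen 81;` with `stub_status on;`) has no address binding and no access control, so the status page is readable by anyone who can reach port 81. Bind it to loopback with `listen 127.0.0.1:81;` or add `allow 127.0.0.1; deny all;` inside `location /metrics`. Separately, `access_log /var/log/nginx/csp.log CSP;` in `location = /_csp` names a `log_format CSP` that the nginx.conf added earlier in this commit does not define; unless it lives in conf.d, `nginx -t` will reject the configuration. `client_header_buffer_size 5120k;` with `large_client_header_buffers 32 5120k;` permits roughly 160 MB of header buffers per connection, which is a memory-exhaustion exposure worth sizing to the actual need.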


@ -0,0 +1,23 @@
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1d;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Disable preloading HSTS for now. You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
# add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block" always;
add_header Content-Security-Policy "frame-ancestors none; object-src 'none'; form-action 'self'; base-uri 'self'; report-uri https://optimization.ligalytics.com/_csp;";
#add_header Content-Security-Policy "default-src 'self'; script-src 'self'; img-src 'self' data:; style-src 'self' https://fonts.googleapis.com https://fonts.gstatic.com; 'unsafe-inline'; font-src 'self' data:; frame-src 'self'; connect-src 'self' https://apis.google.com; object-src 'none'; frame-ancestors none; ";
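Review bot: In the active Content-Security-Policy line, `frame-ancestors none` is unquoted; the keyword form is `'none'`, and an unquoted `none` is parsed as a host-source named "none", which browsers flag as a policy error rather than an explicit deny. Change it to `frame-ancestors 'none';`. The `X-Frame-Options` and `X-Content-Type-Options` add_header lines lack `always` while the X-XSS-Protection line has it, so the first two are omitted on 4xx/5xx responses; append `always` to both. Note that nginx does not inherit add_header into a location that sets its own add_header, so the `location = /robots.txt` blocks in the vhosts that include this snippet send none of these headers — harmless for robots.txt, but a caveat for any future location-level add_header.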


@ -0,0 +1,138 @@
# $OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
PubkeyAuthentication yes
# Expect .ssh/authorized_keys2 to be disregarded by default in future.
AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
# override default of no subsystems
#Subsystem sftp /usr/lib/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
PasswordAuthentication yes
#Subsystem sftp internal-sftp
#Match user dumpy
#ForceCommand internal-sftp
#ChrootDirectory /home/dumpy
subsystem sftp internal-sftp
Match User dumpy
ChrootDirectory %h
AllowTCPForwarding no
X11Forwarding no
ForceCommand internal-sftp
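Review bot: `PasswordAuthentication yes` near the end of the global section explicitly enables password logins for every account, while the only visible reason for it is the `dumpy` SFTP user in the Match block below. Prefer `PasswordAuthentication no` globally and, if that user genuinely needs a password, put `PasswordAuthentication yes` inside `Match User dumpy`; `X11Forwarding yes` at global level can likewise be `no` unless an interactive user needs it. In the Match block, `ChrootDirectory %h` requires the home directory and every path component above it to be root-owned and not group/world-writable, otherwise sshd refuses the session with a bad-ownership error — confirm that the home directory meets this, or chroot to a root-owned parent and give the user a writable subdirectory inside it.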


@ -0,0 +1,52 @@
; ==================================
; celery worker supervisor example
; ==================================
; the name of your supervisord program
[program:celery]
; Set full path to celery program if using virtualenv
command=/var/www/leagues/venv/bin/celery worker -A leagues --loglevel=INFO
; The directory to your Django project
directory=/var/www/leagues/
; If supervisord is run as the root user, switch users to this UNIX user account
; before doing any processing.
user=root
; Supervisor will start as many instances of this program as named by numprocs
numprocs=1
; Put process stdout output in this file
stdout_logfile=/var/log/celery/celery.log
; Put process stderr output in this file
stderr_logfile=/var/log/celery/celery_error.log
; If true, this program will start automatically when supervisord is started
autostart=true
; May be one of false, unexpected, or true. If false, the process will never
; be autorestarted. If unexpected, the process will be restart when the program
; exits with an exit code that is not one of the exit codes associated with this
; process configuration (see exitcodes). If true, the process will be
; unconditionally restarted when it exits, without regard to its exit code.
autorestart=true
; The total number of seconds which the program needs to stay running after
; a startup to consider the start successful.
startsecs=10
; Need to wait for currently executing tasks to finish at shutdown.
; Increase this if you have very long running tasks.
stopwaitsecs = 600
; When resorting to send SIGKILL to the program to terminate it
; send SIGKILL to its whole process group instead,
; taking care of its children as well.
killasgroup=true
; if your broker is supervised, set its priority higher
; so it starts first
priority=998
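Review bot: `user=root` runs the celery worker as root, so any task that handles untrusted data does so with full privileges, and recent celery versions refuse to start as root when pickle is an accepted serializer. Run it as the application account (`user=www-data` or a dedicated celery user that owns /var/www/leagues) and make /var/log/celery writable by that account. The flower and gunicorn programs added later in this commit have the same `user=root` setting.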


@ -0,0 +1,52 @@
; ==================================
; celery flower supervisor example
; ==================================
; the name of your supervisord program
[program:flower]
; Set full path to celery program if using virtualenv
command=/var/www/leagues/venv/bin/celery flower -A leagues --loglevel=INFO --url_prefix=flower --basic_auth=4w3s0m3usr:4w3s0m3pwd
; The directory to your Django projeict
directory=/var/www/leagues/
; If supervisord is run as the root user, switch users to this UNIX user account
; before doing any processing.
user=root
; Supervisor will start as many instances of this program as named by numprocs
numprocs=1
; Put process stdout output in this file
stdout_logfile=/var/log/celery/flower.log
; Put process stderr output in this file
stderr_logfile=/var/log/celery/flower_error.log
; If true, this program will start automatically when supervisord is started
autostart=true
; May be one of false, unexpected, or true. If false, the process will never
; be autorestarted. If unexpected, the process will be restart when the program
; exits with an exit code that is not one of the exit codes associated with this
; process configuration (see exitcodes). If true, the process will be
; unconditionally restarted when it exits, without regard to its exit code.
autorestart=true
; The total number of seconds which the program needs to stay running after
; a startup to consider the start successful.
startsecs=10
; Need to wait for currently executing tasks to finish at shutdown.
; Increase this if you have very long running tasks.
stopwaitsecs = 600
; When resorting to send SIGKILL to the program to terminate it
; send SIGKILL to its whole process group instead,
; taking care of its children as well.
killasgroup=true
; if your broker is supervised, set its priority higher
; so it starts first
priority=998
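Review bot: The `--basic_auth=user:password` pair on the `command=` line is a live credential committed in clear text, and it is the only gate on the flower UI that the optimization.ligalytics.com vhost later in this commit exposes under /flower/. Treat it as compromised and rotate it, then keep it out of version control: flower reads its options from `FLOWER_`-prefixed environment variables, so the value can be supplied through supervisor's `environment=` key from a root-only file outside the repository. `user=root` has the same concern raised on the celery program.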


@ -0,0 +1,14 @@
[program:gunicorn]
directory=/var/www/leagues/
command=/var/www/leagues/venv/bin/gunicorn --log-level=debug --limit-request-line 0 --limit-request-field_size 0 --graceful-timeout 1200 --timeout 1200 --workers 3 --bind unix:/var/www/leagues/leagues.sock leagues.wsgi:application
autostart=true
autorestart=true
#stderr_logfile=/var/log/gunicorn/gunicorn.out.log
#stdout_logfile=/var/log/gunicorn/gunicorn.err.log
stderr_logfile=/var/log/gunicorn/gunicorn.verbose.log
stdout_logfile=/var/log/gunicorn/gunicorn.verbose.log
user=root
group=www-data
environment=LANG=en_US.UTF-8,LC_ALL=en_US.UTF-8
[group:guni]
programs:gunicorn
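Review bot: `--limit-request-line 0 --limit-request-field_size 0` on the `command=` line removes gunicorn's bounds on request-line and header size entirely, so a client can make each worker allocate arbitrarily large headers; combined with the 5120k nginx header buffers elsewhere in this commit this is a memory-exhaustion exposure. Restore finite limits sized to the real need (gunicorn's defaults are 4094 and 8190) and drop `--log-level=debug` for production. `programs:gunicorn` in `[group:guni]` only works because ConfigParser accepts `:` as a delimiter — write `programs=gunicorn` like the rest of the file. The bind path `unix:/var/www/leagues/leagues.sock` also differs from the `/home/django/prod/leagues.sock` the stage vhost proxies to; if those run on the same host, one of them is wrong.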


@ -0,0 +1,28 @@
; supervisor config file
[unix_http_server]
file=/var/run/supervisor.sock ; (the path to the socket file)
chmod=0700 ; sockef file mode (default 0700)
[supervisord]
logfile=/var/log/supervisor/supervisord.log ; (main log file;default $CWD/supervisord.log)
pidfile=/var/run/supervisord.pid ; (supervisord pidfile;default supervisord.pid)
childlogdir=/var/log/supervisor ; ('AUTO' child log dir, default $TEMP)
; the below section must remain in the config file for RPC
; (supervisorctl/web interface) to work, additional interfaces may be
; added by defining them in separate rpcinterface: sections
[rpcinterface:supervisor]
supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface
[supervisorctl]
serverurl=unix:///var/run/supervisor.sock ; use a unix:// URL for a unix socket
; The [include] section can just contain the "files" setting. This
; setting can list multiple files (separated by whitespace or
; newlines). It can also contain wildcards. The filenames are
; interpreted as relative to this file. Included files *cannot*
; include files themselves.
[include]
files = /etc/supervisor/conf.d/*.conf


@ -0,0 +1,35 @@
server {
server_name accounting.asolvo.de;
location = /robots.txt {
add_header Content-Type text/plain;
return 200 "User-agent: *\nDisallow: /\n";
}
#SSL configuration
listen 443 ssl http2;
listen [::]:443 ssl http2;
#include snippets/letsencrypt.conf;
include snippets/ssl-params.conf;
proxy_set_header X-Forwarded-For $remote_addr;
fastcgi_buffers 16 32k;
fastcgi_buffer_size 64k;
client_max_body_size 48M;
client_body_buffer_size 128k;
client_header_buffer_size 5120k;
large_client_header_buffers 32 5120k;
proxy_max_temp_file_size 0;
proxy_buffering off;
#only works in nginx+
#set_cookie_flag HttpOnly Secure;
#proxy_cookie_path / "/; secure; HTTPOnly; SameSite=strict";
location / {
proxy_pass http://localhost:5000;
proxy_intercept_errors on;
error_page 404 502 503 504 = @fallback;
}
location @fallback {
root /var/www/html;
index maintenance.html;
}
ssl_certificate /etc/letsencrypt/live/accounting.asolvo.de/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/accounting.asolvo.de/privkey.pem; # managed by Certbot
}
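Review bot: In `location = /robots.txt`, `return 200` sends the body with `default_type` (application/octet-stream in the nginx.conf from this commit) and `add_header Content-Type text/plain;` then appends a second Content-Type header, so clients receive two conflicting values. Use `default_type text/plain;` inside that location instead of add_header; the same pattern appears in the optimization, cloud, git, monitor and port-80 vhosts in this commit. Separately, `proxy_pass http://localhost:5000;` forwards no Host header, so the backend sees `Host: localhost:5000`; add `proxy_set_header Host $host;` if the application builds absolute URLs or validates the host.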


@ -0,0 +1,94 @@
server {
# server_name compute.asolvo.de;
server_name optimization.ligalytics.com;
location = /robots.txt {
add_header Content-Type text/plain;
return 200 "User-agent: *\nDisallow: /\n";
}
#SSL configuration
listen 443 ssl http2;
listen [::]:443 ssl http2;
include snippets/ssl-params.conf;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Real-IP $remote_addr;
fastcgi_buffers 16 32k;
fastcgi_buffer_size 64k;
client_max_body_size 48M;
client_body_buffer_size 128k;
client_header_buffer_size 5120k;
large_client_header_buffers 32 5120k;
proxy_max_temp_file_size 0;
proxy_buffering off;
location / {
proxy_pass http://bernie/;
proxy_set_header HOST optimization.ligalytics.com;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Real-IP $remote_addr;
proxy_intercept_errors on;
proxy_connect_timeout 5;
proxy_read_timeout 240;
error_page 404 502 503 504 = @fallback;
}
location /flower/ {
#rewrite ^/flower/(.*)$ /$1 break;
proxy_pass http://bernie:5555;
proxy_set_header Host $host;
proxy_redirect off;
}
location @fallback {
root /var/www/html;
index maintenance.html;
}
ssl_certificate /etc/letsencrypt/live/optimization.ligalytics.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/optimization.ligalytics.com/privkey.pem; # managed by Certbot
}
server {
server_name team.ligalytics.com;
listen 443;
#rewrite ^/singleteam(.*)$ $1 last;
location = /robots.txt {
add_header Content-Type text/plain;
return 200 "User-agent: *\nDisallow: /\n";
}
error_page 400 401 402 403 404 500 501 502 503 504 /maintenance.html;
location /maintenance.html {
root /var/www/html;
}
location / {
proxy_pass http://bernie/;
#rewrite ^/singleteam(.*)$ $1 break;
proxy_intercept_errors on;
proxy_set_header Host team.ligalytics.com;
proxy_set_header X-Real-IP $remote_addr;
proxy_connect_timeout 5;
proxy_read_timeout 240;
#root /var/www/html;
#index maintenance.html;
}
ssl_certificate /etc/letsencrypt/live/team.ligalytics.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/team.ligalytics.com/privkey.pem; # managed by Certbot
}
server {
server_name club.ligalytics.com;
error_page 400 401 402 403 404 500 501 502 503 504 /maintenance.html;
location /maintenance.html {
root /var/www/html;
}
listen 443;
location / {
proxy_pass http://bernie/;
proxy_intercept_errors on;
proxy_set_header HOST club.ligalytics.com;
proxy_set_header X-Real-IP $remote_addr;
proxy_connect_timeout 5;
proxy_read_timeout 240;
#root /var/www/html;
#index maintenance.html;
}
ssl_certificate /etc/letsencrypt/live/club.ligalytics.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/club.ligalytics.com/privkey.pem; # managed by Certbot
}
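Review bot: The team.ligalytics.com and club.ligalytics.com server blocks use `listen 443;` without `ssl`/`http2`, have no `[::]:443` listener, and do not include snippets/ssl-params.conf, so they inherit the http-level `ssl_protocols TLSv1 TLSv1.1 TLSv1.2` and default ciphers from nginx.conf, and IPv6 requests for those names land on whichever server is default for [::]:443. Give both blocks the same three lines as the first: `listen 443 ssl http2;`, `listen [::]:443 ssl http2;`, `include snippets/ssl-params.conf;`. The `error_page 400 401 402 403 404 500 ...` lists in those two blocks, together with `proxy_intercept_errors on`, also replace backend 401/403 responses with the maintenance page, hiding authentication failures from users — consider limiting the list to 5xx.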


@ -0,0 +1,65 @@
server {
server_name cloud.asolvo.de;
location = /robots.txt {
add_header Content-Type text/plain;
return 200 "User-agent: *\nDisallow: /\n";
}
#SSL configuration
listen 443 ssl http2;
listen [::]:443 ssl http2;
#include snippets/letsencrypt.conf;
include snippets/ssl-params.conf;
proxy_set_header X-Forwarded-For $remote_addr;
fastcgi_buffers 16 32k;
fastcgi_buffer_size 64k;
client_max_body_size 48M;
client_body_buffer_size 128k;
client_header_buffer_size 5120k;
large_client_header_buffers 32 5120k;
proxy_max_temp_file_size 0;
proxy_buffering off;
#only works in nginx+
#set_cookie_flag HttpOnly Secure;
#proxy_cookie_path / "/; secure; HTTPOnly; SameSite=strict";
location / {
proxy_pass http://127.0.0.1:8000;
proxy_set_header host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
proxy_read_timeout 1200s;
#Used for view/edit office file via Office Online Server
client_max_body_size 0;
access_log /var/log/nginx/seahub.access.log;
error_log /var/log/nginx/seahub.error.log;
}
location /seafhttp {
rewrite ^/seafhttp(.*)$ $1 break;
proxy_pass http://127.0.0.1:8082;
client_max_body_size 0;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
proxy_connect_timeout 36000s;
proxy_read_timeout 36000s;
proxy_send_timeout 36000s;
send_timeout 36000s;
}
location /media {
root /home/seafile/seafile-server-latest/seahub;
}
#location /flower/ {
# proxy_pass http://192.168.178.21:5555;
#}
#location / {
# proxy_pass https://meemaw/;
# proxy_intercept_errors on;
# error_page 404 502 503 504 = @fallback;
#}
location @fallback {
root /var/www/html;
index maintenance.html;
}
ssl_certificate /etc/letsencrypt/live/cloud.asolvo.de/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/cloud.asolvo.de/privkey.pem; # managed by Certbot
}
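Review bot: TLS terminates here and both `proxy_pass` targets receive plain HTTP with no scheme header, so the seahub backend cannot tell it was reached over HTTPS; add `proxy_set_header X-Forwarded-Proto https;` in `location /` and `location /seafhttp` (Seafile's reverse-proxy documentation includes it) so redirects and cookie attributes are generated for https. `proxy_set_header host $host;` works because header names are case-insensitive, but `Host` is the conventional spelling. `client_max_body_size 0;` in both locations is unbounded upload size, which is intended for Seafile but also voids the 48M server-level limit for those paths — worth a comment saying so.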


@ -0,0 +1,32 @@
server {
server_name git.asolvo.de;
location = /robots.txt {
add_header Content-Type text/plain;
return 200 "User-agent: *\nDisallow: /\n";
}
#SSL configuration
listen 443 ssl http2;
listen [::]:443 ssl http2;
include snippets/ssl-params.conf;
proxy_set_header X-Forwarded-For $remote_addr;
fastcgi_buffers 16 32k;
fastcgi_buffer_size 64k;
client_max_body_size 48M;
client_body_buffer_size 128k;
client_header_buffer_size 5120k;
large_client_header_buffers 32 5120k;
proxy_max_temp_file_size 0;
proxy_buffering off;
proxy_set_header X-Forwarded-For $remote_addr;
location / {
proxy_pass http://127.0.0.1:3000/;
proxy_intercept_errors on;
error_page 404 502 503 504 = @fallback;
}
location @fallback {
root /var/www/html;
index maintenance.html;
}
ssl_certificate /etc/letsencrypt/live/git.asolvo.de/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/git.asolvo.de/privkey.pem; # managed by Certbot
}
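Review bot: `proxy_set_header X-Forwarded-For $remote_addr;` appears twice at server level (once before the buffer settings and again after `proxy_buffering off;`), so the header is sent twice to the backend; drop one. No Host header is set, so the service on 127.0.0.1:3000 sees `Host: 127.0.0.1:3000`; add `proxy_set_header Host $host;` so it can validate and build URLs for git.asolvo.de. `client_max_body_size 48M;` also caps HTTP pushes, which deserves a comment if the limit is intentional.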


@ -0,0 +1,28 @@
server {
server_name monitor.asolvo.de;
location = /robots.txt {
add_header Content-Type text/plain;
return 200 "User-agent: *\nDisallow: /\n";
}
#SSL configuration
listen 443 ssl http2;
listen [::]:443 ssl http2;
include snippets/ssl-params.conf;
#proxy_set_header X-Forwarded-For $remote_addr;
fastcgi_buffers 16 32k;
fastcgi_buffer_size 64k;
client_max_body_size 48M;
client_body_buffer_size 128k;
client_header_buffer_size 5120k;
large_client_header_buffers 32 5120k;
proxy_max_temp_file_size 0;
proxy_buffering off;
#proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $http_host;
location / {
proxy_pass http://localhost:3030/;
}
ssl_certificate /etc/letsencrypt/live/monitor.asolvo.de/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/monitor.asolvo.de/privkey.pem; # managed by Certbot
}
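Review bot: Both `proxy_set_header X-Forwarded-For` lines are commented out and no `X-Real-IP` is set, so the application on localhost:3030 records 127.0.0.1 as the client for every request and loses the source address for its own access logs and any per-client limiting. Add `proxy_set_header X-Real-IP $remote_addr;` and `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` in `location /`; `Host $http_host` is already forwarded, so only those two are missing.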


@ -0,0 +1,11 @@
server {
listen 80;
rewrite ^ https://$http_host$request_uri? permanent; # force redirect http to https
server_tokens off;
location = /robots.txt {
add_header Content-Type text/plain;
return 200 "User-agent: *\nDisallow: /\n";
}
}
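Review bot: `rewrite ^ https://$http_host$request_uri? permanent;` redirects to whatever Host header the client sent, and with no `server_name` this block is the catch-all for port 80, so it will issue a 301 to any host a request names — a Host-header based open redirect. Add an explicit `server_name` list and use `return 301 https://$host$request_uri;` (or `$server_name` when a single canonical name is wanted). Because a server-level rewrite runs before location matching, `location = /robots.txt` is never reached; if robots.txt should be served over plain HTTP, move the redirect into `location / { return 301 https://$host$request_uri; }`. `server_tokens off;` here only affects this block — the http-level setting in nginx.conf remains commented out.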


@ -0,0 +1,112 @@
# server {
# server_name team.ligalytics.com;
# listen 443;
# #rewrite ^/singleteam(.*)$ $1 last;
# location = /robots.txt {
# add_header Content-Type text/plain;
# return 200 "User-agent: *\nDisallow: /\n";
# }
# error_page 400 401 402 403 404 500 501 502 503 504 /maintenance.html;
# location /maintenance.html {
# root /var/www/html;
# }
# location / {
# proxy_pass https://meemaw/;
# #rewrite ^/singleteam(.*)$ $1 break;
# proxy_intercept_errors on;
# proxy_set_header Host team.ligalytics.com;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_connect_timeout 5;
# proxy_read_timeout 240;
# #root /var/www/html;
# #index maintenance.html;
# }
# ssl_certificate /etc/letsencrypt/live/team.ligalytics.com/fullchain.pem; # managed by Certbot
# ssl_certificate_key /etc/letsencrypt/live/team.ligalytics.com/privkey.pem; # managed by Certbot
# }
# server {
# server_name club.ligalytics.com;
# error_page 400 401 402 403 404 500 501 502 503 504 /maintenance.html;
# location /maintenance.html {
# root /var/www/html;
# }
# listen 443;
# location / {
# proxy_pass https://meemaw/;
# proxy_intercept_errors on;
# proxy_set_header HOST club.ligalytics.com;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_connect_timeout 5;
# proxy_read_timeout 240;
# #root /var/www/html;
# #index maintenance.html;
# }
# ssl_certificate /etc/letsencrypt/live/club.ligalytics.com/fullchain.pem; # managed by Certbot
# ssl_certificate_key /etc/letsencrypt/live/club.ligalytics.com/privkey.pem; # managed by Certbot
# }
# server {
# server_name stage.ligalytics.com;
# error_page 402 403 501 502 503 504 /maintenance.html;
# location /maintenance.html {
# root /var/www/html;
# }
# location = /robots.txt {
# add_header Content-Type text/plain;
# return 200 "User-agent: *\nDisallow: /\n";
# }
# #SSL configuration
# listen 443 ssl http2 default_server;
# listen [::]:443 ssl http2 default_server;
# include snippets/letsencrypt.conf;
# include snippets/ssl-params.conf;
# proxy_set_header X-Forwarded-For $remote_addr;
# proxy_set_header X-Real-IP $remote_addr;
# fastcgi_buffers 16 32k;
# fastcgi_buffer_size 64k;
# client_max_body_size 48M;
# client_body_buffer_size 128k;
# client_header_buffer_size 5120k;
# large_client_header_buffers 32 5120k;
# proxy_max_temp_file_size 0;
# proxy_buffering off;
# proxy_read_timeout 300;
# proxy_send_timeout 300;
# proxy_connect_timeout 300;
# fastcgi_read_timeout 300;
# fastcgi_send_timeout 300;
# fastcgi_connect_timeout 300;
# error_page 402 403 501 502 503 504 = @fallback;
# #only works in nginx+
# #set_cookie_flag HttpOnly Secure;
# #proxy_cookie_path / "/; secure; HTTPOnly; SameSite=strict";
# location / {
# proxy_pass https://meemaw/;
# proxy_set_header HOST stage.ligalytics.com;
# proxy_set_header X-Forwarded-For $remote_addr;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_intercept_errors on;
# proxy_connect_timeout 5;
# proxy_read_timeout 240;
# #root /var/www/html;
# #index maintenance.html;
# }
# location /flower/ {
# #rewrite ^/flower/(.*)$ /$1 break;
# proxy_pass http://192.168.178.21:5555;
# proxy_set_header Host $host;
# proxy_redirect off;
# }
# location @fallback {
# root /var/www/html;
# index /var/www/html/maintenance.html;
# }
# ssl_certificate /etc/letsencrypt/live/stage.ligalytics.com/fullchain.pem; # managed by Certbot
# ssl_certificate_key /etc/letsencrypt/live/stage.ligalytics.com/privkey.pem; # managed by Certbot
# }


@ -0,0 +1,76 @@
server {
server_name stage.ligalytics.com;
error_page 400 401 402 403 404 500 501 502 503 504 /maintenance.html;
location /maintenance.html {
root /var/www/html;
}
location = /robots.txt {
add_header Content-Type text/plain;
return 200 "User-agent: *\nDisallow: /\n";
}
#SSL configuration
listen 443 ssl http2;
listen [::]:443 ssl http2;
#include snippets/letsencrypt.conf;
#include snippets/ssl-params.conf;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Real-IP $remote_addr;
fastcgi_buffers 16 32k;
fastcgi_buffer_size 64k;
client_max_body_size 48M;
client_body_buffer_size 128k;
client_header_buffer_size 5120k;
large_client_header_buffers 32 5120k;
proxy_read_timeout 300;
proxy_send_timeout 300;
proxy_connect_timeout 300;
fastcgi_read_timeout 300;
fastcgi_send_timeout 300;
fastcgi_connect_timeout 300;
proxy_max_temp_file_size 0;
proxy_buffering off;
#only works in nginx+
#set_cookie_flag HttpOnly Secure;
#proxy_cookie_path / "/; secure; HTTPOnly; SameSite=strict";
location / {
proxy_pass http://bernie:8000;
#proxy_intercept_errors on;
#error_page 404 502 503 504 = @fallback;
#root /var/www/html;
#index maintenance.html;
}
location @fallback {
root /var/www/html;
index maintenance.html;
}
ssl_certificate /etc/letsencrypt/live/stage.ligalytics.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/stage.ligalytics.com/privkey.pem; # managed by Certbot
}
# server {
# server_name api.ligalytics.com;
# listen 443;
# #rewrite ^/singleteam(.*)$ $1 last;
# location = /robots.txt {
# add_header Content-Type text/plain;
# return 200 "User-agent: *\nDisallow: /\n";
# }
# error_page 400 401 402 403 404 500 501 502 503 504 /maintenance.html;
# location /maintenance.html {
# root /var/www/html;
# }
# location / {
# proxy_pass https://meemaw:44333/;
# #rewrite ^/singleteam(.*)$ $1 break;
# proxy_intercept_errors on;
# proxy_set_header Host api.ligalytics.com;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_connect_timeout 5;
# proxy_read_timeout 240;
# #root /var/www/html;
# #index maintenance.html;
# }
# ssl_certificate /etc/letsencrypt/live/api.ligalytics.com/fullchain.pem; # managed by Certbot
# ssl_certificate_key /etc/letsencrypt/live/api.ligalytics.com/privkey.pem; # managed by Certbot
# }
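Review bot: With `#include snippets/ssl-params.conf;` commented out, the `listen 443 ssl http2` server takes its ssl_protocols, ciphers and security headers from the http block of whichever nginx.conf is deployed with it, and one nginx.conf copy in this commit still lists `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;`, so this host probably accepts TLS 1.0/1.1 and sends no HSTS or X-Frame-Options. If the include was disabled to work around something, a comment saying why would help; otherwise re-enable it or set `ssl_protocols TLSv1.2 TLSv1.3;` in this server. Separately, `client_header_buffer_size 5120k` together with `large_client_header_buffers 32 5120k` lets one connection reserve on the order of 160 MB of header buffers, which is far beyond any legitimate request and is worth a comment or a smaller value. The `location /` block proxies to `http://bernie:8000` without a `proxy_set_header Host`, so the backend sees `bernie:8000` as the Host header rather than `stage.ligalytics.com`.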


@ -0,0 +1,20 @@
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Disable preloading HSTS for now. You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
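Review bot: The three `add_header` lines at the end of this snippet are inherited only by a server or location that defines no `add_header` of its own, so a location that adds a single header (for example a `location = /robots.txt` with `add_header Content-Type text/plain;`, as used elsewhere in this commit) silently loses HSTS, X-Frame-Options and X-Content-Type-Options for that response. A comment such as `# NOTE: add_header is not merged across levels; any location with its own add_header must repeat these three` would save the next reader a surprise, or the snippet can be included again inside such locations. `resolver 8.8.8.8 8.8.4.4` sends the OCSP-stapling lookups to a public resolver over plain DNS; a local resolver is the usual choice here, and the reason for the public one deserves a comment.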


@ -0,0 +1,12 @@
[General]
SERVICE_URL = https://cloud.asolvo.de
[Database]
ENGINE = mysql
HOST = 127.0.0.1
PORT = 3306
USER = seafile
PASSWD = 4w3s0m3pwd
DB = ccnet-db
CONNECTION_CHARSET = utf8
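Review bot: `PASSWD = 4w3s0m3pwd` in the [Database] section commits a live database credential to the repository; the same value appears in the `[database]` section of the seafile.conf hunk and in the Django `DATABASES` dict of the seahub settings hunk that follow, and the raspbi4 copies later in this commit add a second password (`seafile+123`) plus two Django `SECRET_KEY` values. Anything pushed once should be treated as disclosed: rotate the MySQL passwords and regenerate the SECRET_KEYs, then keep these files out of the repo or commit them with placeholders and load the real values from a local, ignored copy. With MySQL bound to 127.0.0.1 the database password is exposed only to the host, but the Django `SECRET_KEY` signs seahub's session cookies and reset tokens, so its disclosure undermines authentication directly.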


@ -0,0 +1,17 @@
import os
daemon = True
workers = 5
# default localhost:8000
bind = "127.0.0.1:8000"
# Pid
pids_dir = '/home/seafile/pids'
pidfile = os.path.join(pids_dir, 'seahub.pid')
# for file upload, we need a longer timeout value (default is only 30s, too short)
timeout = 1200
limit_request_line = 8190


@ -0,0 +1,6 @@
[WEBDAV]
enabled = false
port = 8080
fastcgi = false
share_name = /


@ -0,0 +1,13 @@
[fileserver]
host = 127.0.0.1
port = 8082
[database]
type = mysql
host = 127.0.0.1
port = 3306
user = seafile
password = 4w3s0m3pwd
db_name = seafile-db
connection_charset = utf8


@ -0,0 +1,22 @@
# -*- coding: utf-8 -*-
SECRET_KEY = "b'h#cff-ei%$8+zlpxf-*fu)tg4i4^j1c=+144@hl%d5ff8t!*c*'"
#SERVE_STATIC = False
SITE_ROOT="/"
LOGIN_URL="/accounts/login/"
FILE_SERVER_ROOT="https://cloud.asolvo.de/seafhttp"
#MEDIA_URL = "/seafmedia/"
#COMPRESS_URL = MEDIA_URL
#STATIC_URL = MEDIA_URL + "assets/"
DATABASES = {
'default': {
'ENGINE': 'django.db.backends.mysql',
'NAME': 'seahub-db',
'USER': 'seafile',
'PASSWORD': '4w3s0m3pwd',
'HOST': '127.0.0.1',
'PORT': '3306'
}
}
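Review bot: The `SECRET_KEY` literal is `"b'h#cff-…'"`, i.e. the `repr()` of a bytes object pasted inside a str, so the key Django actually uses begins with `b'` and ends with `'`; it still functions as a key, but it shows the value came from a generator printing bytes, and since it is now in version control it should be regenerated as a plain string anyway. The commented `#SERVE_STATIC`, `#MEDIA_URL`, `#COMPRESS_URL` and `#STATIC_URL` lines would benefit from a one-line comment on why they are disabled, since `/media` is served by nginx in this commit.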


@ -0,0 +1,98 @@
# dav_svn.conf - Subversion/Apache configuration
#
#GLOBAL FLAGS
#SVNCompressionLevel 9
#SVNAllowBulkUpdates prefer
#LimitRequestBody 0
<Location /svn/E-On>
DAV svn
SVNPATH /home/pi/repos/E-On
AuthType Basic
AuthName "E-On"
AuthUserFile /home/pi/repos/E-On/conf/dav_svn.passwd
Require valid-user
SSLRequireSSL
</Location>
<Location /svn/Sasol>
DAV svn
SVNPATH /home/pi/repos/Sasol
AuthType Basic
AuthName "Sasol"
AuthUserFile /home/pi/repos/Sasol/conf/dav_svn.passwd
Require valid-user
SSLRequireSSL
</Location>
<Location /svn/DFL>
DAV svn
SVNPATH /home/pi/repos/DFL
AuthType Basic
AuthName "DFL"
AuthUserFile /home/pi/repos/DFL/conf/dav_svn.passwd
Require valid-user
SSLRequireSSL
</Location>
<Location /svn/uefa>
DAV svn
SVNPATH /home/pi/repos/uefa
AuthType Basic
AuthName "UEFA"
AuthUserFile /home/pi/repos/uefa/conf/dav_svn.passwd
Require valid-user
SSLRequireSSL
</Location>
<Location /svn/BBL>
DAV svn
SVNPATH /home/pi/repos/BBL
AuthType Basic
AuthName "BBL"
AuthUserFile /home/pi/repos/BBL/conf/dav_svn.passwd
Require valid-user
SSLRequireSSL
</Location>
<Location /svn/CHL>
DAV svn
SVNPATH /home/pi/repos/CHL
AuthType Basic
AuthName "CHL"
AuthUserFile /home/pi/repos/CHL/conf/dav_svn.passwd
Require valid-user
SSLRequireSSL
</Location>
<Location /svn/DFLdeploy>
DAV svn
SVNPATH /home/pi/repos/DFLdeploy
AuthType Basic
AuthName DFL-Deploy
AuthUserFile /home/pi/repos/DFLdeploy/conf/dav_svn.passwd
Require valid-user
SSLRequireSSL
</Location>
<Location /svn/leagues>
DAV svn
SVNPATH /home/pi/repos/leagues
AuthType Basic
AuthName Leagues
AuthUserFile /home/pi/repos/leagues/conf/dav_svn.passwd
Require valid-user
SSLRequireSSL
</Location>
<Location /svn/bigstar>
DAV svn
SVNPATH /home/pi/repos/bigstar
AuthType Basic
AuthName BigStar
AuthUserFile /home/pi/repos/bigstar/conf/dav_svn.passwd
Require valid-user
SSLRequireSSL
</Location>
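Review bot: Nine near-identical `<Location>` blocks differ only in the repository name, which makes drift easy to miss; the `AuthName` values already vary in quoting (`"DFL"` vs `DFL-Deploy`). Since every repository lives under `/home/pi/repos/<name>`, a single `<Location /svn>` with `SVNParentPath /home/pi/repos` and an `AuthzSVNAccessFile` would express per-repository access in one place, at the cost of merging the per-repo `AuthUserFile` files into one. `Require valid-user` gives every listed user full read and write access to that repository, which may be the intent but is worth a comment. `SSLRequireSSL` is the only thing keeping Basic credentials off port 80 here, because the `*:80` VirtualHost in this commit serves content directly instead of redirecting to HTTPS.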


@ -0,0 +1,87 @@
<IfModule mod_ssl.c>
<VirtualHost *:443>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com
#ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
#TimeOUt 12000
#KeepAlive On
#MaxKeepAliveRequests 100
#KeepAliveTimeout 15
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
SSLProxyEngine On
ProxyPreserveHost On
ProxyPass /svn/ !
ProxyPass / https://raspbi4/
ProxyPassReverse / https://raspbi4/
ServerName svnasolvo.ddns.net
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/svnasolvo.ddns.net/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/svnasolvo.ddns.net/privkey.pem
</VirtualHost>
</IfModule>
<IfModule mod_ssl.c>
<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
</VirtualHost>
</IfModule>
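Review bot: The `<VirtualHost *:80>` block at the end is wrapped in `<IfModule mod_ssl.c>`, so the plain-HTTP site only exists when mod_ssl is loaded, and it serves `/var/www/html` directly rather than redirecting to the :443 site; a `Redirect permanent / https://svnasolvo.ddns.net/` in that block would keep every client on TLS. In the :443 block, `SSLProxyEngine On` with `ProxyPass / https://raspbi4/` proxies over TLS without any `SSLProxyVerify` or `SSLProxyCheckPeerName` setting, so Apache's default of not verifying the upstream certificate applies; that is acceptable on a trusted LAN but deserves a comment saying so. The `ServerName svnasolvo.ddns.net` line sits after the proxy directives; moving it next to the `#ServerName www.example.com` comment it replaces would make the block easier to read.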


@ -0,0 +1,91 @@
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 768;
# multi_accept on;
}
http {
##
# Basic Settings
##
client_max_body_size 128M;
proxy_max_temp_file_size 0;
proxy_buffering off;
server_names_hash_bucket_size 256;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
#mail {
# # See sample authentication script at:
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
# # auth_http localhost/auth.php;
# # pop3_capabilities "TOP" "USER";
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
# server {
# listen localhost:110;
# protocol pop3;
# proxy on;
# }
#
# server {
# listen localhost:143;
# protocol imap;
# proxy on;
# }
#}
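Review bot: The http-level `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` becomes the policy for every `listen ... ssl` server deployed with this file that does not override it, and at least two server blocks in this commit (the stage host with its ssl-params include commented out, and the `listen 3000 ssl` block) don't; TLS 1.0 and 1.1 are deprecated by RFC 8996, so `ssl_protocols TLSv1.2 TLSv1.3;` here is the safer default. `# server_tokens off;` is still commented out, so the nginx version goes out in the Server header and on error pages; enabling it costs nothing. `proxy_buffering off` and `client_max_body_size 128M` at http level apply to every proxied vhost, which may be intended for uploads but is worth a comment since it changes the behaviour of the buffered-proxy default.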


@ -0,0 +1,4 @@
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;


@ -0,0 +1,78 @@
server {
#listen 80;
server_name smartinspace.ai; # managed by Certbot
#SSL configuration
listen 443 ssl http2 ;
listen [::]:443 ssl http2 ;
include snippets/letsencrypt.conf;
include snippets/ssl-params.conf;
proxy_set_header X-Forwarded-For $remote_addr;
location / {
proxy_pass http://127.0.0.1:8000;
proxy_set_header host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
proxy_read_timeout 1200s;
#Used for view/edit office file via Office Online Server
client_max_body_size 0;
access_log /var/log/nginx/seahub.access.log;
error_log /var/log/nginx/seahub.error.log;
}
location /seafhttp {
rewrite ^/seafhttp(.*)$ $1 break;
proxy_pass http://127.0.0.1:8082;
client_max_body_size 0;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_connect_timeout 36000s;
proxy_read_timeout 36000s;
proxy_send_timeout 36000s;
send_timeout 36000s;
}
location /seafdav {
proxy_pass http://127.0.0.1:8080/seafdav;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 1200s;
client_max_body_size 0;
access_log /var/log/nginx/seafdav.access.log;
error_log /var/log/nginx/seafdav.error.log;
}
location /media {
root /home/seafile/seafile-server-latest/seahub;
}
ssl_certificate /etc/letsencrypt/live/smartinspace.ai/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/smartinspace.ai/privkey.pem; # managed by Certbot
}
server {
listen 3000 ssl;
listen [::]:3000 ssl;
ssl_certificate /etc/letsencrypt/live/smartinspace.ai/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/smartinspace.ai/privkey.pem; # managed by Certbot
location / {
proxy_pass http://127.0.0.1:30000/;
}
}
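Review bot: The second `server` block (`listen 3000 ssl`) sets only the certificate paths: it inherits ssl_protocols and ciphers from the http block rather than including `snippets/ssl-params.conf` as the first block does, and its `proxy_pass http://127.0.0.1:30000/` sends no Host, X-Real-IP or X-Forwarded-* headers, so the backend sees `127.0.0.1:30000` as its host. Adding the same two includes and the four `proxy_set_header` lines from the proxy snippet in this commit would make the two blocks consistent. In the first block, `proxy_set_header host $host;` works because header names are case-insensitive, but it is the only lowercase one in the commit; `Host` would match the rest. The `location /seafhttp` block also forwards no Host header, unlike the `/seafdav` one next to it.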


@ -0,0 +1,13 @@
# regex to split $uri to $fastcgi_script_name and $fastcgi_path
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
# Check that the PHP script exists before passing it
try_files $fastcgi_script_name =404;
# Bypass the fact that try_files resets $fastcgi_path_info
# see: http://trac.nginx.org/nginx/ticket/321
set $path_info $fastcgi_path_info;
fastcgi_param PATH_INFO $path_info;
fastcgi_index index.php;
include fastcgi.conf;


@ -0,0 +1,2 @@
ssl_certificate /etc/letsencrypt/live/smartinspace.ai/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/smartinspace.ai/privkey.pem; # managed by Certbot


@ -0,0 +1,5 @@
# Self signed certificates generated by the ssl-cert package
# Don't use them in a production server!
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;


@ -0,0 +1,19 @@
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Disable preloading HSTS for now. You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
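Review bot: This copy of the ssl-params snippet still allows `TLSv1 TLSv1.1` on its first line, while the other copy earlier in this commit was already tightened to `ssl_protocols TLSv1.2 TLSv1.3;`, so the two hosts present different TLS policies under the same snippet name. TLS 1.0 and 1.1 are deprecated by RFC 8996; aligning this file on `ssl_protocols TLSv1.2 TLSv1.3;` would make the two copies identical and avoid the surprise that `include snippets/ssl-params.conf` means different things per host. The HSTS header here carries `includeSubdomains`, so every subdomain of a host that includes this snippet must be reachable over HTTPS before browsers cache it for the two-year `max-age`.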

243
raspbi3/etc/samba/smb.conf Normal file

@ -0,0 +1,243 @@
#
# Sample configuration file for the Samba suite for Debian GNU/Linux.
#
#
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options most of which
# are not shown in this example
#
# Some options that are often worth tuning have been included as
# commented-out examples in this file.
# - When such options are commented with ";", the proposed setting
# differs from the default Samba behaviour
# - When commented with "#", the proposed setting is the default
# behaviour of Samba but the option is considered important
# enough to be mentioned here
#
# NOTE: Whenever you modify this file you should run the command
# "testparm" to check that you have not made any basic syntactic
# errors.
#======================= Global Settings =======================
[global]
## Browsing/Identification ###
# Change this to the workgroup/NT-domain name your Samba server will part of
workgroup = WORKGROUP
#### Networking ####
# The specific set of interfaces / networks to bind to
# This can be either the interface name or an IP address/netmask;
# interface names are normally preferred
; interfaces = 127.0.0.0/8 eth0
# Only bind to the named interfaces and/or networks; you must use the
# 'interfaces' option above to use this.
# It is recommended that you enable this feature if your Samba machine is
# not protected by a firewall or is a firewall itself. However, this
# option cannot handle dynamic or non-broadcast interfaces correctly.
; bind interfaces only = yes
#### Debugging/Accounting ####
# This tells Samba to use a separate log file for each machine
# that connects
log file = /var/log/samba/log.%m
# Cap the size of the individual log files (in KiB).
max log size = 1000
# We want Samba to only log to /var/log/samba/log.{smbd,nmbd}.
# Append syslog@1 if you want important messages to be sent to syslog too.
logging = file
# Do something sensible when Samba crashes: mail the admin a backtrace
panic action = /usr/share/samba/panic-action %d
####### Authentication #######
# Server role. Defines in which mode Samba will operate. Possible
# values are "standalone server", "member server", "classic primary
# domain controller", "classic backup domain controller", "active
# directory domain controller".
#
# Most people will want "standalone server" or "member server".
# Running as "active directory domain controller" will require first
# running "samba-tool domain provision" to wipe databases and create a
# new domain.
server role = standalone server
obey pam restrictions = yes
# This boolean parameter controls whether Samba attempts to sync the Unix
# password with the SMB password when the encrypted SMB password in the
# passdb is changed.
unix password sync = yes
# For Unix password sync to work on a Debian GNU/Linux system, the following
# parameters must be set (thanks to Ian Kahan <<kahan@informatik.tu-muenchen.de> for
# sending the correct chat script for the passwd program in Debian Sarge).
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
# This boolean controls whether PAM will be used for password changes
# when requested by an SMB client instead of the program listed in
# 'passwd program'. The default is 'no'.
pam password change = yes
# This option controls how unsuccessful authentication attempts are mapped
# to anonymous connections
map to guest = bad user
########## Domains ###########
#
# The following settings only takes effect if 'server role = primary
# classic domain controller', 'server role = backup domain controller'
# or 'domain logons' is set
#
# It specifies the location of the user's
# profile directory from the client point of view) The following
# required a [profiles] share to be setup on the samba server (see
# below)
; logon path = \\%N\profiles\%U
# Another common choice is storing the profile in the user's home directory
# (this is Samba's default)
# logon path = \\%N\%U\profile
# The following setting only takes effect if 'domain logons' is set
# It specifies the location of a user's home directory (from the client
# point of view)
; logon drive = H:
# logon home = \\%N\%U
# The following setting only takes effect if 'domain logons' is set
# It specifies the script to run during logon. The script must be stored
# in the [netlogon] share
# NOTE: Must be store in 'DOS' file format convention
; logon script = logon.cmd
# This allows Unix users to be created on the domain controller via the SAMR
# RPC pipe. The example command creates a user account with a disabled Unix
# password; please adapt to your needs
; add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u
# This allows machine accounts to be created on the domain controller via the
# SAMR RPC pipe.
# The following assumes a "machines" group exists on the system
; add machine script = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u
# This allows Unix groups to be created on the domain controller via the SAMR
# RPC pipe.
; add group script = /usr/sbin/addgroup --force-badname %g
############ Misc ############
# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting
; include = /home/samba/etc/smb.conf.%m
# Some defaults for winbind (make sure you're not using the ranges
# for something else.)
; idmap config * : backend = tdb
; idmap config * : range = 3000-7999
; idmap config YOURDOMAINHERE : backend = tdb
; idmap config YOURDOMAINHERE : range = 100000-999999
; template shell = /bin/bash
# Setup usershare options to enable non-root users to share folders
# with the net usershare command.
# Maximum number of usershare. 0 means that usershare is disabled.
# usershare max shares = 100
# Allow users who've been granted usershare privileges to create
# public shares, not just authenticated ones
usershare allow guests = yes
#======================= Share Definitions =======================
[homes]
comment = Home Directories
browseable = no
# By default, the home directories are exported read-only. Change the
# next parameter to 'no' if you want to be able to write to them.
read only = yes
# File creation mask is set to 0700 for security reasons. If you want to
# create files with group=rw permissions, set next parameter to 0775.
create mask = 0700
# Directory creation mask is set to 0700 for security reasons. If you want to
# create dirs. with group=rw permissions, set next parameter to 0775.
directory mask = 0700
# By default, \\server\username shares can be connected to by anyone
# with access to the samba server.
# The following parameter makes sure that only "username" can connect
# to \\server\username
# This might need tweaking when using external authentication schemes
valid users = %S
# Un-comment the following and create the netlogon directory for Domain Logons
# (you need to configure Samba to act as a domain controller too.)
;[netlogon]
; comment = Network Logon Service
; path = /home/samba/netlogon
; guest ok = yes
; read only = yes
# Un-comment the following and create the profiles directory to store
# users profiles (see the "logon path" option above)
# (you need to configure Samba to act as a domain controller too.)
# The path below should be writable by all users so that their
# profile directory may be created the first time they log on
;[profiles]
; comment = Users profiles
; path = /home/samba/profiles
; guest ok = no
; browseable = no
; create mask = 0600
; directory mask = 0700
[printers]
comment = All Printers
browseable = no
path = /var/spool/samba
printable = yes
guest ok = no
read only = yes
create mask = 0700
# Windows clients look for this share name as a source of downloadable
# printer drivers
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
browseable = yes
read only = yes
guest ok = no
# Uncomment to allow remote administration of Windows print drivers.
# You may need to replace 'lpadmin' with the name of the group your
# admin users are members of.
# Please note that you also need to set appropriate Unix permissions
# to the drivers directory for these users to have write rights in it
; write list = root, @lpadmin
[smb]
comment = raspbi4
public = yes
writeable = yes
browsable = yes
path = /media/part-ntfs/
create mask = 0777
directory mask = 0777
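Review bot: The `[smb]` share at the end is anonymous and writable: `public = yes` combined with `map to guest = bad user` in [global] maps any failed login to guest, which then gets `writeable = yes` on `/media/part-ntfs/` with `create mask = 0777`, and nothing restricts which interfaces smbd binds to since `interfaces` and `bind interfaces only` are left at the commented defaults. If this is meant as an open LAN share, say so in the `comment`, bind to the LAN interface, and consider `read only = yes` with a `write list`; if not, drop `public = yes` and add `valid users`. `comment = raspbi4` on a file under `raspbi3/` looks copied from the other host and should name the machine it is actually on.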


@ -0,0 +1,68 @@
[Unit]
Description=Gitea (Git with a cup of tea)
After=syslog.target
After=network.target
###
# Don't forget to add the database service requirements
###
#
#Requires=mysql.service
#Requires=mariadb.service
#Requires=postgresql.service
#Requires=memcached.service
#Requires=redis.service
#
###
# If using socket activation for main http/s
###
#
#After=gitea.main.socket
#Requires=gitea.main.socket
#
###
# (You can also provide gitea an http fallback and/or ssh socket too)
#
# An example of /etc/systemd/system/gitea.main.socket
###
##
## [Unit]
## Description=Gitea Web Socket
## PartOf=gitea.service
##
## [Socket]
## Service=gitea.service
## ListenStream=<some_port>
## NoDelay=true
##
## [Install]
## WantedBy=sockets.target
##
###
[Service]
# Modify these two values and uncomment them if you have
# repos with lots of files and get an HTTP error 500 because
# of that
###
#LimitMEMLOCK=infinity
#LimitNOFILE=65535
RestartSec=2s
Type=simple
User=git
Group=git
WorkingDirectory=/var/lib/gitea/
# If using Unix socket: tells systemd to create the /run/gitea folder, which will contain the gitea.sock file
# (manually creating /run/gitea doesn't work, because it would not persist across reboots)
#RuntimeDirectory=gitea
ExecStart=/usr/local/bin/gitea web --config /etc/gitea/app.ini
Restart=always
Environment=USER=git HOME=/home/git GITEA_WORK_DIR=/var/lib/gitea
# If you want to bind Gitea to a port below 1024, uncomment
# the two values below, or use socket activation to pass Gitea its ports as above
###
#CapabilityBoundingSet=CAP_NET_BIND_SERVICE
#AmbientCapabilities=CAP_NET_BIND_SERVICE
###
[Install]
WantedBy=multi-user.target
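Review bot: The unit keeps upstream's commented `#Requires=mysql.service` family of lines but enables none of them, so gitea can start before its database is up and depends on `Restart=always`/`RestartSec=2s` to recover; whichever database this host uses should get matching `After=` and `Wants=` entries. The service runs as `git` but without the sandboxing directives upstream's template ships (`ProtectSystem=full`, `PrivateDevices=yes`, `PrivateTmp=yes`, `NoNewPrivileges=true`), which are low-risk for a web service confined to `/var/lib/gitea`. `#LimitNOFILE=65535` is better enabled before the first "too many open files" incident than after it.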


@ -0,0 +1,10 @@
[Unit]
Description=No-Ip Dynamic DNS Update Service
After=network.target
[Service]
Type=forking
ExecStart=/usr/local/bin/noip2
[Install]
WantedBy=multi-user.target
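Review bot: No `User=` is set, so `/usr/local/bin/noip2` runs as root for the lifetime of the service just to send DNS updates; a dedicated user plus `ProtectSystem=strict` and `PrivateTmp=yes` would limit what a compromised updater can reach, with the caveat that noip2's config file would need to be readable by that user. `Type=forking` without `PIDFile=` leaves systemd guessing the main PID; if the binary offers a foreground mode, `Type=simple` is the more robust choice.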


@ -0,0 +1,14 @@
[Unit]
Description=Seafile
#add mysql.service or postgresql.service depending on your database to the line below
After=network.target mysql.service
[Service]
Type=forking
ExecStart=/home/seafile/seafile-server-latest/seafile.sh start
ExecStop=/home/seafile/seafile-server-latest/seafile.sh stop
User=seafile
Group=seafile
[Install]
WantedBy=multi-user.target
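Review bot: `After=network.target mysql.service` only orders the unit; without `Wants=mysql.service` (or `Requires=`) seafile.sh can start while MySQL is not running, and the comment above that line even tells the reader to pick a database service without mentioning this. The seahub unit that follows has the same shape, `After=network.target seafile.service` with no `Requires=seafile.service`; `BindsTo=seafile.service` there would also stop seahub when seafile stops. Both units are `Type=forking` without `PIDFile=`, which works with these start scripts but makes `systemctl status` rely on PID guessing.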


@ -0,0 +1,14 @@
[Unit]
Description=Seafile hub
After=network.target seafile.service
[Service]
Type=forking
#change start to start-fastcgi if you want to run fastcgi
ExecStart=/home/seafile/seafile-server-latest/seahub.sh start
ExecStop=/home/seafile/seafile-server-latest/seahub.sh stop
User=seafile
Group=seafile
[Install]
WantedBy=multi-user.target

3
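--- a/raspbi3/scripts/getdump.sh
+++ b/raspbi3/scripts/getdump.sh
@@ -0,0 +1,3 @@
+host="martin@optimization.ligalytics.com"
+file=`ssh $host 'ls -1r /db_backup | head -1'`
+scp $host:/db_backup/$file /media/part-ntfs/Work/ligalytics/db_dump/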
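Review bot: The script has no shebang and no error handling, so when the `ssh` on the second line fails `file` is empty and the last line runs `scp $host:/db_backup/ …`, which tries to copy the directory itself; `$file` is also unquoted, so a backup name containing spaces breaks the copy. Choosing the newest dump with `ls -1r | head -1` relies on names sorting by date, which holds for timestamped files but deserves a comment. The getlog.sh script that follows has the same structure and would take the same fix. A minimal version with a shebang, `set -eu`, quoted expansions and an explicit empty check:
```shell
#!/bin/sh
set -eu
host="martin@optimization.ligalytics.com"
# newest entry by name; assumes dumps are timestamp-named so lexical order is date order
file=$(ssh "$host" 'ls -1r /db_backup | head -1')
[ -n "$file" ] || { echo "no dump found on $host" >&2; exit 1; }
scp "$host:/db_backup/$file" /media/part-ntfs/Work/ligalytics/db_dump/
```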

24
raspbi3/scripts/getlog.sh Executable file

@ -0,0 +1,24 @@
host="martin@optimization.ligalytics.com"
#LOGWATCH
#file=`ssh -i keyfile $host 'ls -1r /var/log/logwatch/ | head -1'`
#echo copying latest logfile for logwatch... $file
#scp -i keyfile $host:/var/log/logwatch/$file .
#IFTOP
#file=`ssh -i keyfile $host 'ls -1r /var/log/iftop/ | head -1'`
#echo copying latest logfile for iftop ... $file
#scp -i keyfile $host:/var/log/iftop/$file .
#Summary
file=`ssh $host 'ls -1r /var/log/nettraf/ | head -1'`
#echo copying latest network summary ... $file
scp $host:/var/log/nettraf/$file /media/part-ntfs/Work/ligalytics/logs/


@ -0,0 +1,18 @@
[General]
USER_NAME = SmartInServer
ID = 878b66071f5ba78dbaf323cd481cb61118a92321
NAME = SmartInServer
SERVICE_URL = https://smartinspace.ai:44300
[Client]
PORT = 13419
[Database]
ENGINE = mysql
HOST = 127.0.0.1
PORT = 3306
USER = seafile
PASSWD = seafile+123
DB = ccnet-db
CONNECTION_CHARSET = utf8


@ -0,0 +1,17 @@
import os
daemon = True
workers = 5
# default localhost:8000
bind = "127.0.0.1:8000"
# Pid
pids_dir = '/home/seafile/pids'
pidfile = os.path.join(pids_dir, 'seahub.pid')
# for file upload, we need a longer timeout value (default is only 30s, too short)
timeout = 1200
limit_request_line = 8190


@ -0,0 +1,6 @@
[WEBDAV]
enabled = true
port = 8080
fastcgi = false
share_name = /seafdav


@ -0,0 +1,12 @@
[fileserver]
port = 8082
[database]
type = mysql
host = 127.0.0.1
port = 3306
user = seafile
password = seafile+123
db_name = seafile-db
connection_charset = utf8


@ -0,0 +1,17 @@
# -*- coding: utf-8 -*-
SECRET_KEY = "$&@+j^qy!((+ml4pvnwl+uui6tvil2-6=10ihwso=6pee6mwec"
DATABASES = {
'default': {
'ENGINE': 'django.db.backends.mysql',
'NAME': 'seahub-db',
'USER': 'seafile',
'PASSWORD': 'seafile+123',
'HOST': '127.0.0.1',
'PORT': '3306'
}
}
SERVER_ROOT = 'https://smartinspace.ai:44300'
FILE_SERVER_ROOT = 'https://smartinspace.ai:44300/seafhttp'

2390
raspbi4/gitlab/gitlab.rb Normal file



@ -0,0 +1,215 @@
server {
server_name smartinspace.tech;
proxy_set_header X-Forwarded-For $remote_addr;
location / {
root /var/www/html;
index index.html;
proxy_intercept_errors on;
error_page 404 502 503 504 = @fallback;
}
location @fallback {
root /var/www/html;
index maintenance.html;
}
location = /_csp {
access_log /var/log/nginx/csp.log CSP;
proxy_pass http://127.0.0.1/_csp_response;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/smartinspace.tech/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/smartinspace.tech/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
include snippets/ssl-params.conf;
}
server {
if ($host = smartinspace.tech) {
return 301 https://$host$request_uri;
} # managed by Certbot
server_name smartinspace.tech;
listen 80;
return 404; # managed by Certbot
location /_csp_response {
access_log off;
return 204;
}
}
#server{
# server_name nemo.smartinspace.tech;
# proxy_set_header X-Forwarded-For $remote_addr;
# location / {
# root /var/www/html;
# index nemo.html;
# proxy_intercept_errors on;
# error_page 404 502 503 504 = @fallback;
# auth_basic "Restricted Content";
# auth_basic_user_file /etc/nginx/.htpasswd;
# }
#
# location @fallback {
# root /var/www/html;
# index maintenance.html;
# }
# listen 443 ssl; # managed by Certbot
# ssl_certificate /etc/letsencrypt/live/nemo.smartinspace.tech/fullchain.pem; # managed by Certbot
# ssl_certificate_key /etc/letsencrypt/live/nemo.smartinspace.tech/privkey.pem; # managed by Certbot
# include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
#
#
#
#}
#server{
# if ($host = nemo.smartinspace.tech) {
# return 301 https://$host$request_uri;
# } # managed by Certbot
# server_name nemo.smartinspace.tech;
# listen 80;
# return 404; # managed by Certbot
#}
server {
server_name file.smartinspace.tech;
#proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $host:$server_port;
location / {
proxy_pass http://svnasolvo.ddns.net:8100/;
proxy_intercept_errors on;
error_page 404 502 503 504 = @fallback;
}
location @fallback {
root /var/www/html;
index maintenance.html;
}
location /seafhttp {
rewrite ^/seafhttp(.*)$ $1 break;
proxy_pass http://svnasolvo.ddns.net:18082;
client_max_body_size 0;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_connect_timeout 36000s;
proxy_read_timeout 36000s;
proxy_send_timeout 36000s;
send_timeout 36000s;
access_log /var/log/nginx/seafhttp.access.log;
error_log /var/log/nginx/seafhttp.error.log;
}
#location /media {
# root /home/seafile/seafile-server-latest/seahub;
#}
location /seafdav {
proxy_pass https://svnasolvo.ddns.net:44300/seafdav;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 1200s;
client_max_body_size 0;
access_log /var/log/nginx/seafdav.access.log;
error_log /var/log/nginx/seafdav.error.log;
}
client_max_body_size 0;
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/file.smartinspace.tech/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/file.smartinspace.tech/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
server_name git.smartinspace.tech;
proxy_set_header X-Forwarded-For $remote_addr;
location / {
proxy_pass http://svnasolvo.ddns.net:30000/;
proxy_intercept_errors on;
error_page 404 502 503 504 = @fallback;
}
location @fallback {
root /var/www/html;
index maintenance.html;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/git.smartinspace.tech/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/git.smartinspace.tech/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
#server {
# server_name dev.smartinspace.ai;
# proxy_set_header X-Forwarded-For $remote_addr;
# location / {
# #proxy_pass https://svnasolvo.ddns.net:/;
# proxy_pass https://svnasolvo.ddns.net;
# proxy_intercept_errors on;
# error_page 404 502 503 504 = @fallback;
# }
# location @fallback {
# root /var/www/html;
# index maintenance.html;
# }
# listen 443 ssl; # managed by Certbot
# ssl_certificate /etc/letsencrypt/live/dev.smartinspace.ai/fullchain.pem; # managed by Certbot
# ssl_certificate_key /etc/letsencrypt/live/dev.smartinspace.ai/privkey.pem; # managed by Certbot
# include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
#}
#server {
# if ($host = dev.smartinspace.ai) {
# return 301 https://$host$request_uri;
# } # managed by Certbot
# server_name dev.smartinspace.ai;
# listen 80;
# return 404; # managed by Certbot
#}
server {
server_name goats.smartinspace.tech;
proxy_set_header X-Forwarded-For $remote_addr;
location / {
proxy_pass http://localhost:5000;
proxy_intercept_errors on;
error_page 404 502 503 504 = @fallback;
}
location @fallback {
root /var/www/html;
index maintenance.html;
}
listen 443;
ssl_certificate /etc/letsencrypt/live/goats.smartinspace.tech/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/goats.smartinspace.tech/privkey.pem; # managed by Certbot
}
server {
if ($host = goats.smartinspace.tech) {
return 301 https://$host$request_uri;
} # managed by Certbot
server_name goats.smartinspace.tech;
listen 80;
return 404; # managed by Certbot
}