| -rw-r--r-- | etc/acme-client.conf | 25 | ||||
| -rw-r--r-- | etc/daily.local | 17 | ||||
| -rw-r--r-- | etc/doas.conf | 1 | ||||
| -rw-r--r-- | etc/dovecot/dovecot-sql.conf.ext | 5 | ||||
| -rw-r--r-- | etc/dovecot/dovecot.conf | 138 | ||||
| -rw-r--r-- | etc/gotosocial.yaml | 580 | ||||
| -rw-r--r-- | etc/httpd.conf | 207 | ||||
| -rw-r--r-- | etc/mail/aliases | 7 | ||||
| -rw-r--r-- | etc/mail/smtpd.conf | 21 | ||||
| -rw-r--r-- | etc/my.cnf | 10 | ||||
| -rw-r--r-- | etc/mygate | 2 | ||||
| -rw-r--r-- | etc/myname | 1 | ||||
| -rw-r--r-- | etc/pf.conf | 56 | ||||
| -rw-r--r-- | etc/php-fpm.conf | 20 | ||||
| -rw-r--r-- | etc/postfix/main.cf | 125 | ||||
| -rw-r--r-- | etc/postfix/master.cf | 49 | ||||
| -rw-r--r-- | etc/rc.conf.local | 7 | ||||
| -rw-r--r-- | etc/rc.local | 26 | ||||
| -rw-r--r-- | etc/relayd.conf | 60 | ||||
| -rw-r--r-- | etc/sqlgrey/clients_fqdn_whitelist.local | 4 | ||||
| -rw-r--r-- | etc/sqlgrey/sqlgrey.conf | 14 | ||||
| -rw-r--r-- | etc/ssh/sshd_config | 11 |
22 files changed, 1386 insertions, 0 deletions
diff --git a/etc/acme-client.conf b/etc/acme-client.conf
new file mode 100644
index 0000000..2fceff4
--- /dev/null
+++ b/etc/acme-client.conf
@@ -0,0 +1,25 @@
+authority letsencrypt {
+ api url "https://acme-v02.api.letsencrypt.org/directory"
+ account key "/etc/acme/letsencrypt-privkey.pem"
+}
+
+authority letsencrypt-staging {
+ api url "https://acme-staging.api.letsencrypt.org/directory"
+ account key "/etc/acme/letsencrypt-staging-privkey.pem"
+}
+
+domain rockgeeks.net {
+ alternative names { www.rockgeeks.net mail.rockgeeks.net src.rockgeeks.net todo.rockgeeks.net magpie.rockgeeks.net shrike.rockgeeks.net }
+ domain key "/etc/ssl/private/rockgeeks.net.key"
+ domain certificate "/etc/ssl/rockgeeks.net.crt"
+ domain full chain certificate "/etc/ssl/rockgeeks.net.fullchain.pem"
+ sign with letsencrypt
+}
+
+domain annetronics.com {
+ alternative names { www.annetronics.com mail.annetronics.com }
+ domain key "/etc/ssl/private/annetronics.com.key"
+ domain certificate "/etc/ssl/annetronics.com.crt"
+ domain full chain certificate "/etc/ssl/annetronics.com.fullchain.pem"
+ sign with letsencrypt
+}
diff --git a/etc/daily.local b/etc/daily.local
new file mode 100644
index 0000000..3613dae
--- /dev/null
+++ b/etc/daily.local
@@ -0,0 +1,17 @@
+# -*- sh -*-
+
+next_part acme-client
+
+if acme-client -v rockgeeks.net || acme-client -v annetronics.com; then
+ rcctl reload httpd
+ rcctl reload dovecot
+ rcctl reload postfix
+fi
+
+next_part syspatch
+
+syspatch -c
+
+next_part dump-status
+
+dump -W
diff --git a/etc/doas.conf b/etc/doas.conf
new file mode 100644
index 0000000..2222cbf
--- /dev/null
+++ b/etc/doas.conf
@@ -0,0 +1 @@
+permit nopass dumper as root cmd /sbin/dump
diff --git a/etc/dovecot/dovecot-sql.conf.ext b/etc/dovecot/dovecot-sql.conf.ext
new file mode 100644
index 0000000..3d8dbd6
--- /dev/null
+++ b/etc/dovecot/dovecot-sql.conf.ext
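Review bot: The `letsencrypt-staging` authority block is declared but no `domain` block in this file signs with it, so a reader cannot tell whether it is dead configuration or kept deliberately for dry runs. A one-line comment above it would settle that, e.g. `# unused by default; point a domain's "sign with" here to test renewals against the staging CA`. If it is not intended for use, dropping it keeps the file to what the daily job actually exercises.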
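Review bot: The `||` on the `if` line short-circuits, so on any day that `acme-client -v rockgeeks.net` exits 0 (certificate renewed) the `annetronics.com` run is skipped entirely, and on the other days the reloads only fire when the second domain renews; each domain should be attempted every day and the reloads triggered if either succeeded. The reload list is also missing relayd: etc/httpd.conf in this commit has httpd listening on 127.0.0.1 port 4443 with the comment "https via relayd", so relayd is presumably the daemon presenting the renewed certificate to clients and will keep serving the old one until it is reloaded (etc/relayd.conf is in the diffstat but not visible here). Whether `rcctl reload` makes each of these daemons re-read its certificate files is not shown in this hunk and is worth confirming per daemon.
```sh
next_part acme-client

renewed=0
acme-client -v rockgeeks.net && renewed=1
acme-client -v annetronics.com && renewed=1
if [ "$renewed" -eq 1 ]; then
	rcctl reload httpd
	rcctl reload dovecot
	rcctl reload postfix
	rcctl reload relayd   # terminates TLS for these names per etc/httpd.conf; confirm
fi

# … unchanged: syspatch and dump-status parts …
```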
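Review bot: `permit nopass dumper as root cmd /sbin/dump` carries no `args` clause, so the `dumper` account may run dump as root with any arguments, which amounts to root-level read access to every local filesystem plus a free choice of output path via `-f`; that is a much larger grant than "take the nightly backup" and should be an explicit decision in the threat model for that account (how it authenticates, who can reach it). If the backup job always uses the same invocation, pin it with an `args` clause, e.g. `permit nopass dumper as root cmd /sbin/dump args -0au -f /backup/root.dump /dev/rsd0a` (constructed example, substitute the real arguments from the backup script), so a compromise of `dumper` cannot be widened beyond that one command line.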
@@ -0,0 +1,5 @@
+driver = mysql
+connect = host=localhost dbname=mail user=postfix password=<PASSWORD GOES HERE>
+default_pass_scheme = PLAIN
+password_query = SELECT email as user, password FROM users WHERE email = '%u'
+user_query = SELECT id as uid, id as gid, home, concat('*:storage=', quota, 'M') AS quota_rule FROM users WHERE email = '%u'
diff --git a/etc/dovecot/dovecot.conf b/etc/dovecot/dovecot.conf
new file mode 100644
index 0000000..b8c2421
--- /dev/null
+++ b/etc/dovecot/dovecot.conf
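Review bot: `default_pass_scheme = PLAIN` means the `password` column selected by `password_query` holds every mailbox password in clear text, so any read of the `mail` database (SQL injection elsewhere, a leaked dump, a stray backup copy) exposes all user credentials. This is forced by `auth_mechanisms = plain login digest-md5 cram-md5 apop` in etc/dovecot/dovecot.conf in this commit: cram-md5, digest-md5 and apop can only be verified when the plaintext is retrievable. Clients that authenticate over TLS need only `plain login`; dropping the other three allows the column to hold a salted hash instead, `default_pass_scheme = SHA512-CRYPT`, with existing rows re-hashed at next login or via a one-off migration. The literal `<PASSWORD GOES HERE>` is a reasonable template marker, but the deployed file carries the DB credential and should not be group- or world-readable.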
@@ -0,0 +1,138 @@
+## Dovecot configuration file
+
+dict {
+}
+
+auth_mechanisms = plain login digest-md5 cram-md5 apop
+log_path = syslog
+syslog_facility = mail
+mail_location = maildir:/var/mailserv/mail/%d/%n
+base_dir = /var/dovecot/
+first_valid_uid = 1000
+mmap_disable = yes
+
+passdb {
+ args = /etc/dovecot/dovecot-sql.conf.ext
+ driver = sql
+}
+
+plugin {
+ antispam_mail_notspam = --ham
+ antispam_mail_sendmail = /usr/local/bin/sa-learn
+ antispam_mail_sendmail_args = --username=%u
+ antispam_mail_spam = --spam
+ antispam_mail_tmpdir = /tmp
+ antispam_signature = X-Spam-Flag
+ antispam_signature_missing = move
+ antispam_spam = SPAM;Spam;spam;Junk;junk
+ antispam_trash = trash;Trash;Deleted Items; Deleted Messages
+ quota = maildir
+ quota_rule = *:storage=5G
+ quota_rule2 = Trash:storage=+100M
+ quota_warning = storage=95%% /usr/local/bin/quota-warning.sh 95
+ quota_warning2 = storage=80%% /usr/local/bin/quota-warning.sh 80
+ sieve = ~/.dovecot.sieve
+ sieve_dir = ~/sieve
+}
+
+protocols = imap sieve pop3 lmtp
+
+service auth {
+ unix_listener /var/run/dovecot-auth-master {
+ group = _dovecot
+ mode = 0666
+ user = _dovecot
+ }
+
+ unix_listener /var/spool/postfix/private/auth {
+ group = _postfix
+ mode = 0660
+ user = _postfix
+ }
+}
+
+service imap-login {
+ service_count = 1
+}
+service pop3-login {
+ service_count = 1
+}
+
+ssl_cert=</etc/ssl/rockgeeks.net.fullchain.pem
+ssl_key =</etc/ssl/private/rockgeeks.net.key
+
+userdb {
+ driver = sql
+ args = /etc/dovecot/dovecot-sql.conf.ext
+}
+
+protocol imap {
+ imap_client_workarounds = delay-newmail
+ mail_plugins = quota imap_quota
+}
+
+protocol pop3 {
+ mail_plugins = quota
+ pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
+ pop3_uidl_format = %08Xv%08Xu
+}
+
+protocol lda {
+ auth_socket_path = /var/run/dovecot-auth-master
+ mail_plugins = $mail_plugins sieve
+ sendmail_path = /usr/sbin/sendmail
+}
+
+protocol lmtp {
+ mail_plugins = $mail_plugins sieve
+ postmaster_address = jon@rockgeeks.net
+}
+
+default_login_user = _dovenull
+default_internal_user = _dovecot
+
+service managesieve-login {
+ inet_listener sieve {
+ port = 4190
+ }
+
+ inet_listener sieve_deprecated {
+ port = 2000
+ }
+}
+
+service lmtp {
+ unix_listener /var/spool/postfix/private/dovecot-lmtp {
+ group = _postfix
+ mode = 0600
+ user = _postfix
+ }
+}
+
+service managesieve {
+}
+
+protocol sieve {
+}
+
+imap_capability = +SPECIAL-USE
+
+namespace inbox {
+ inbox=yes
+ mailbox Drafts {
+ auto = subscribe
+ special_use = \Drafts
+ }
+ mailbox Sent {
+ auto = subscribe
+ special_use = \Sent
+ }
+ mailbox Spam {
+ auto = subscribe
+ special_use = \Junk
+ }
+ mailbox Trash {
+ auto = subscribe
+ special_use = \Trash
+ }
+}
diff --git a/etc/gotosocial.yaml b/etc/gotosocial.yaml
new file mode 100644
index 0000000..39d7e33
--- /dev/null
+++ b/etc/gotosocial.yaml
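Review bot: `unix_listener /var/run/dovecot-auth-master` is created with `mode = 0666`, so every local account on the host can connect to the master auth socket and run userdb lookups (home directory, uid/gid, quota) for any address in the `users` table, while the postfix listener directly below it is correctly limited to `mode = 0660` with an owning group. The wide mode is presumably there because `protocol lda` in this hunk points `auth_socket_path` at the same socket and the LDA runs as the delivery user; if so, the narrower fix is `mode = 0660` with `group` set to the group the LDA is invoked under, rather than world access. A short comment on the listener stating who needs it, e.g. `# 0660: dovecot-lda (protocol lda below) must reach this socket for userdb lookups`, would keep the next editor from "fixing" it in either direction.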
@@ -0,0 +1,580 @@ +# GoToSocial +# Copyright (C) 2021-2022 GoToSocial Authors admin@gotosocial.org + +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. + +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +########################### +##### GENERAL CONFIG ###### +########################### + +# String. Log level to use throughout the application. Must be lower-case. +# Options: ["trace","debug","info","warn","error","fatal"] +# Default: "info" +log-level: "info" + +# Bool. Log database queries when log-level is set to debug or trace. +# This setting produces verbose logs, so it's better to only enable it +# when you're trying to track an issue down. +# Options: [true, false] +# Default: false +log-db-queries: false + +# String. Application name to use internally. +# Examples: ["My Application","gotosocial"] +# Default: "gotosocial" +application-name: "gotosocial" + +# String. Hostname that this server will be reachable at. Defaults to localhost for local testing, +# but you should *definitely* change this when running for real, or your server won't work at all. +# DO NOT change this after your server has already run once, or you will break things! +# Examples: ["gts.example.org","some.server.com"] +# Default: "localhost" +host: "magpie.rockgeeks.net" + +# String. Domain to use when federating profiles. 
This is useful when you want your server to be at +# eg., "gts.example.org", but you want the domain on accounts to be "example.org" because it looks better +# or is just shorter/easier to remember. +# To make this setting work properly, you need to redirect requests at "example.org/.well-known/webfinger" +# to "gts.example.org/.well-known/webfinger" so that GtS can handle them properly. +# You should also redirect requests at "example.org/.well-known/nodeinfo" in the same way. +# An empty string (ie., not set) means that the same value as 'host' will be used. +# DO NOT change this after your server has already run once, or you will break things! +# Examples: ["example.org","server.com"] +# Default: "" +account-domain: "rockgeeks.net" + +# String. Protocol to use for the server. Only change to http for local testing! +# This should be the protocol part of the URI that your server is actually reachable on. So even if you're +# running GoToSocial behind a reverse proxy that handles SSL certificates for you, instead of using built-in +# letsencrypt, it should still be https. +# Options: ["http","https"] +# Default: "https" +protocol: "https" + +# String. Address to bind the GoToSocial server to. +# This can be an IPv4 address or an IPv6 address (surrounded in square brackets), or a hostname. +# Default value will bind to all interfaces. +# You probably won't need to change this unless you're setting GoToSocial up in some fancy way or +# you have specific networking requirements. +# Examples: ["0.0.0.0", "172.128.0.16", "localhost", "[::]", "[2001:db8::fed1]"] +# Default: "0.0.0.0" +#bind-address: "0.0.0.0" +bind-address: "127.0.0.1" + +# Int. Listen port for the GoToSocial webserver + API. If you're running behind a reverse proxy and/or in a docker, +# container, just set this to whatever you like (or leave the default), and make sure it's forwarded properly. 
+# If you are running with built-in letsencrypt enabled, and running GoToSocial directly on a host machine, you will +# probably want to set this to 443 (standard https port), unless you have other services already using that port. +# This *MUST NOT* be the same as the letsencrypt port specified below, unless letsencrypt is turned off. +# Examples: [443, 6666, 8080] +# Default: 8080 +#port: 4443 +port: 4444 + +# Array of string. CIDRs or IP addresses of proxies that should be trusted when determining real client IP from behind a reverse proxy. +# If you're running inside a Docker container behind Traefik or Nginx, for example, add the subnet of your docker network, +# or the gateway of the docker network, and/or the address of the reverse proxy (if it's not running on the host network). +# Example: ["127.0.0.1/32", "172.20.0.1"] +# Default: ["127.0.0.1/32"] (localhost) +trusted-proxies: + - "127.0.0.1/32" + +############################ +##### DATABASE CONFIG ###### +############################ + +# Config pertaining to the Gotosocial database connection + +# String. Database type. +# Options: ["postgres","sqlite"] +# Default: "postgres" +db-type: "sqlite" + +# String. Database address or parameters. +# +# For Postgres, this should be the address or socket at which the database can be reached. +# +# For Sqlite, this should be the path to your sqlite database file. Eg., /opt/gotosocial/sqlite.db. +# If the file doesn't exist at the specified path, it will be created. +# If just a filename is provided (no directory) then the database will be created in the same directory +# as the GoToSocial binary. +# If address is set to :memory: then an in-memory database will be used (no file). +# WARNING: :memory: should NOT BE USED except for testing purposes. +# +# Examples: ["localhost","my.db.host","127.0.0.1","192.111.39.110",":memory:", "sqlite.db"] +# Default: "" +db-address: "/var/gotosocial/db/sqlite.db" + +# Int. Port for database connection. 
+# Examples: [5432, 1234, 6969] +# Default: 5432 +db-port: 5432 + +# String. Username for the database connection. +# Examples: ["mydbuser","postgres","gotosocial"] +# Default: "" +db-user: "" + +# String. Password to use for the database connection +# Examples: ["password123","verysafepassword","postgres"] +# Default: "" +db-password: "" + +# String. Name of the database to use within the provided database type. +# Examples: ["mydb","postgres","gotosocial"] +# Default: "gotosocial" +db-database: "gotosocial" + +# String. Disable, enable, or require SSL/TLS connection to the database. +# If "disable" then no TLS connection will be attempted. +# If "enable" then TLS will be tried, but the database certificate won't be checked (for self-signed certs). +# If "require" then TLS will be required to make a connection, and a valid certificate must be presented. +# Options: ["disable", "enable", "require"] +# Default: "disable" +db-tls-mode: "disable" + +# String. Path to a CA certificate on the host machine for db certificate validation. +# If this is left empty, just the host certificates will be used. +# If filled in, the certificate will be loaded and added to host certificates. +# Examples: ["/path/to/some/cert.crt"] +# Default: "" +db-tls-ca-cert: "" + +###################### +##### WEB CONFIG ##### +###################### + +# Config pertaining to templating and serving of web pages/email notifications and the like + +# String. Directory from which gotosocial will attempt to load html templates (.tmpl files). +# Examples: ["/some/absolute/path/", "./relative/path/", "../../some/weird/path/"] +# Default: "./web/template/" +web-template-base-dir: "./web/template/" + +# String. Directory from which gotosocial will attempt to serve static web assets (images, scripts). 
+# Examples: ["/some/absolute/path/", "./relative/path/", "../../some/weird/path/"] +# Default: "./web/assets/" +web-asset-base-dir: "./web/assets/" + +########################### +##### INSTANCE CONFIG ##### +########################### + +# Config pertaining to instance federation settings, pages to hide/expose, etc. + +# Bool. Allow unauthenticated users to make queries to /api/v1/instance/peers?filter=open in order +# to see a list of instances that this instance 'peers' with. Even if set to 'false', then authenticated +# users (members of the instance) will still be able to query the endpoint. +# Options: [true, false] +# Default: false +instance-expose-peers: false + +# Bool. Allow unauthenticated users to make queries to /api/v1/instance/peers?filter=suspended in order +# to see a list of instances that this instance blocks/suspends. This will also allow unauthenticated +# users to see the list through the web UI. Even if set to 'false', then authenticated users (members +# of the instance) will still be able to query the endpoint. +# Options: [true, false] +# Default: false +instance-expose-suspended: false + +# Bool. This flag tweaks whether GoToSocial will deliver ActivityPub messages +# to the shared inbox of a recipient, if one is available, instead of delivering +# each message to each actor who should receive a message individually. +# +# Shared inbox delivery can significantly reduce network load when delivering +# to multiple recipients share an inbox (eg., on large Mastodon instances). +# +# See: https://www.w3.org/TR/activitypub/#shared-inbox-delivery +# +# Options: [true, false] +# Default: true +instance-deliver-to-shared-inboxes: true + +########################### +##### ACCOUNTS CONFIG ##### +########################### + +# Config pertaining to creation and maintenance of accounts on the server, as well as defaults for new accounts. + +# Bool. Do we want people to be able to just submit sign up requests, or do we want invite only? 
+# Options: [true, false] +# Default: true +accounts-registration-open: false + +# Bool. Do sign up requests require approval from an admin/moderator before an account can sign in/use the server? +# Options: [true, false] +# Default: true +accounts-approval-required: true + +# Bool. Are sign up requests required to submit a reason for the request (eg., an explanation of why they want to join the instance)? +# Options: [true, false] +# Default: true +accounts-reason-required: true + +# Bool. Allow accounts on this instance to set custom CSS for their profile pages and statuses. +# Enabling this setting will allow accounts to upload custom CSS via the /user settings page, +# which will then be rendered on the web view of the account's profile and statuses. +# +# For instances with public sign ups, it is **HIGHLY RECOMMENDED** to leave this setting on 'false', +# since setting it to true allows malicious accounts to make their profile pages misleading, unusable +# or even dangerous to visitors. In other words, you should only enable this setting if you trust +# the users on your instance not to produce harmful CSS. +# +# Regardless of what this value is set to, any uploaded CSS will not be federated to other instances, +# it will only be shown on profiles and statuses on *this* instance. +# +# Options: [true, false] +# Default: false +accounts-allow-custom-css: false + +######################## +##### MEDIA CONFIG ##### +######################## + +# Config pertaining to media uploads (videos, image, image descriptions, emoji). + +# Int. Maximum allowed image upload size in bytes. +# Examples: [2097152, 10485760] +# Default: 10485760 -- aka 10MB +media-image-max-size: 2097152 + +# Int. Maximum allowed video upload size in bytes. +# Examples: [2097152, 10485760] +# Default: 41943040 -- aka 40MB +media-video-max-size: 10485760 + +# Int. Minimum amount of characters required as an image or video description. 
+# Examples: [500, 1000, 1500] +# Default: 0 (not required) +media-description-min-chars: 0 + +# Int. Maximum amount of characters permitted in an image or video description. +# Examples: [500, 1000, 1500] +# Default: 500 +media-description-max-chars: 500 + +# Int. Number of days to cache media from remote instances before they are removed from the cache. +# A job will run every day at midnight to clean up any remote media older than the given amount of days. +# +# When remote media is removed from the cache, it is deleted from storage but the database entries for the media +# are kept so that it can be fetched again if requested by a user. +# +# If this is set to 0, then media from remote instances will be cached indefinitely. +# Examples: [30, 60, 7, 0] +# Default: 30 +media-remote-cache-days: 30 + +# Int. Max size in bytes of emojis uploaded to this instance via the admin API. +# The default is the same as the Mastodon size limit for emojis (50kb), which allows +# for good interoperability. Raising this limit may cause issues with federation +# of your emojis to other instances, so beware. +# Examples: [51200, 102400] +# Default: 51200 +media-emoji-local-max-size: 51200 + +# Int. Max size in bytes of emojis to download from other instances. +# By default this is 100kb, or twice the size of the default for media-emoji-local-max-size. +# This strikes a good balance between decent interoperability with instances that have +# higher emoji size limits, and not taking up too much space in storage. +# Examples: [51200, 102400] +# Default: 51200 +media-emoji-remote-max-size: 102400 + +########################## +##### STORAGE CONFIG ##### +########################## + +# Config pertaining to storage of user-created uploads (videos, images, etc). + +# String. Type of storage backend to use. +# Examples: ["local", "s3"] +# Default: "local" (storage on local disk) +storage-backend: "local" + +# String. Directory to use as a base path for storing files. 
+# Make sure whatever user/group gotosocial is running as has permission to access +# this directory, and create new subdirectories and files within it. +# Only required when running with the local storage backend. +# Examples: ["/home/gotosocial/storage", "/opt/gotosocial/datastorage"] +# Default: "/gotosocial/storage" +storage-local-base-path: "/var/gotosocial/storage" + +# String. API endpoint of the S3 compatible service. +# Only required when running with the s3 storage backend. +# Examples: ["minio:9000", "s3.nl-ams.scw.cloud", "s3.us-west-002.backblazeb2.com"] +# Default: "" +storage-s3-endpoint: "" + +# String. Access key part of the S3 credentials. +# Consider setting this value using environment variables to avoid leaking it via the config file +# Only required when running with the s3 storage backend. +# Examples: ["AKIAJSIE27KKMHXI3BJQ","miniouser"] +# Default: "" +storage-s3-access-key: "" +# String. Secret key part of the S3 credentials. +# Consider setting this value using environment variables to avoid leaking it via the config file +# Only required when running with the s3 storage backend. +# Examples: ["5bEYu26084qjSFyclM/f2pz4gviSfoOg+mFwBH39","miniopassword"] +# Default: "" +storage-s3-secret-key: "" +# String. Name of the storage bucket. +# +# If you have already encoded your bucket name in the storage-s3-endpoint, this +# value will be used as a directory containing your data. +# +# The bucket must exist prior to starting GoToSocial +# +# Only required when running with the s3 storage backend. +# Examples: ["gts","cool-instance"] +# Default: "" +storage-s3-bucket: "" + +########################### +##### STATUSES CONFIG ##### +########################### + +# Config pertaining to the creation of statuses/posts, and permitted limits. + +# Int. Maximum amount of characters permitted for a new status. +# Note that going way higher than the default might break federation. 
+# Examples: [140, 500, 5000] +# Default: 5000 +statuses-max-chars: 5000 + +# Int. Maximum amount of characters allowed in the CW/subject header of a status. +# Note that going way higher than the default might break federation. +# Examples: [100, 200] +# Default: 100 +statuses-cw-max-chars: 100 + +# Int. Maximum amount of options to permit when creating a new poll. +# Note that going way higher than the default might break federation. +# Examples: [4, 6, 10] +# Default: 6 +statuses-poll-max-options: 6 + +# Int. Maximum amount of characters to permit per poll option when creating a new poll. +# Note that going way higher than the default might break federation. +# Examples: [50, 100, 150] +# Default: 50 +statuses-poll-option-max-chars: 50 + +# Int. Maximum amount of media files that can be attached to a new status. +# Note that going way higher than the default might break federation. +# Examples: [4, 6, 10] +# Default: 6 +statuses-media-max-files: 6 + +#################################### +##### HTTPS CERTIFICATE CONFIG ##### +#################################### + +# Config pertaining to using already-existing certificates for HTTPS + +# Bool. Enable use of an already-provisioned HTTPS certificate +# Options: [true, false] +# Default: false +https-local-certificate-enabled: false + +# String. Full path to private key file. +# This takes precedence over letsencrypt auto-provisioned certificates. +# Examples: ["/etc/ssl/private/server.key", "/var/gotosocial/storage/certs/private/server.key"] +# Default: "" +#https-key-path: "/var/gotosocial/storage/certs/private/magpie.rockgeeks.net.key" +https-key-path: "" + +# String. Full path to certificate with full chain. +# This takes precedence over letsencrypt auto-provisioned certificates. 
+# Examples: ["/etc/ssl/private/server.key", "/var/gotosocial/storage/certs/private/server.key"] +# Default: "" +#https-certificate-path: "/var/gotosocial/storage/certs/magpie.rockgeeks.net.fullchain.pem" +https-certificate-path: "" + +############################## +##### LETSENCRYPT CONFIG ##### +############################## + +# Config pertaining to the automatic acquisition and use of LetsEncrypt HTTPS certificates. + +# Bool. Whether or not letsencrypt should be enabled for the server. +# If false, the rest of the settings here will be ignored. +# If you serve GoToSocial behind a reverse proxy like nginx or traefik, leave this turned off. +# If you don't, then turn it on so that you can use https. +# Options: [true, false] +# Default: false +letsencrypt-enabled: false + +# Int. Port to listen for letsencrypt certificate challenges on. +# If letsencrypt is enabled, this port must be reachable or you won't be able to obtain certs. +# If letsencrypt is disabled, this port will not be used. +# This *must not* be the same as the webserver/API port specified above. +# Examples: [80, 8000, 1312] +# Default: 80 +letsencrypt-port: 80 + +# String. Directory in which to store LetsEncrypt certificates. +# It is a good move to make this a sub-path within your storage directory, as it makes +# backup easier, but you might wish to move them elsewhere if they're also accessed by other services. +# In any case, make sure GoToSocial has permissions to write to / read from this directory. +# Examples: ["/home/gotosocial/storage/certs", "/acmecerts"] +# Default: "/gotosocial/storage/certs" +letsencrypt-cert-dir: "/var/gotosocial/storage/certs" + +# String. Email address to use when registering LetsEncrypt certs. +# Most likely, this will be the email address of the instance administrator. +# LetsEncrypt will send notifications about expiring certificates etc to this address. 
+# Examples: ["admin@example.org"] +# Default: "" +letsencrypt-email-address: "" + +####################### +##### OIDC CONFIG ##### +####################### + +# Config for authentication with an external OIDC provider (Dex, Google, Auth0, etc). + +# Bool. Enable authentication with external OIDC provider. If set to true, then +# the other OIDC options must be set as well. If this is set to false, then the standard +# internal oauth flow will be used, where users sign in to GtS with username/password. +# Options: [true, false] +# Default: false +oidc-enabled: false + +# String. Name of the oidc idp (identity provider). This will be shown to users when +# they log in. +# Examples: ["Google", "Dex", "Auth0"] +# Default: "" +oidc-idp-name: "" + +# Bool. Skip the normal verification flow of tokens returned from the OIDC provider, ie., +# don't check the expiry or signature. This should only be used in debugging or testing, +# never ever in a production environment as it's extremely unsafe! +# Options: [true, false] +# Default: false +oidc-skip-verification: false + +# String. The OIDC issuer URI. This is where GtS will redirect users to for login. +# Typically this will look like a standard web URL. +# Examples: ["https://auth.example.org", "https://example.org/auth"] +# Default: "" +oidc-issuer: "" + +# String. The ID for this client as registered with the OIDC provider. +# Examples: ["some-client-id", "fda3772a-ad35-41c9-9a59-f1943ad18f54"] +# Default: "" +oidc-client-id: "" + +# String. The secret for this client as registered with the OIDC provider. +# Examples: ["super-secret-business", "79379cf5-8057-426d-bb83-af504d98a7b0"] +# Default: "" +oidc-client-secret: "" + +# Array of string. Scopes to request from the OIDC provider. The returned values will be used to +# populate users created in GtS as a result of the authentication flow. 'openid' and 'email' are required. +# 'profile' is used to extract a username for the newly created user. 
+# 'groups' is optional and can be used to determine if a user is an admin (if they're in the group 'admin' or 'admins'). +# Examples: See eg., https://auth0.com/docs/scopes/openid-connect-scopes +# Default: ["openid", "email", "profile", "groups"] +oidc-scopes: + - "openid" + - "email" + - "profile" + - "groups" + +####################### +##### SMTP CONFIG ##### +####################### + +# Config for sending emails via an smtp server. See https://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol + +# String. The hostname of the smtp server you want to use. +# If this is not set, smtp will not be used to send emails, and you can ignore the other settings. +# Examples: ["mail.example.org", "localhost"] +# Default: "" +smtp-host: "" + +# Int. Port to use to connect to the smtp server. +# Examples: [] +# Default: 0 +smtp-port: 0 + +# String. Username to use when authenticating with the smtp server. +# This should have been provided to you by your smtp host. +# This is often, but not always, an email address. +# Examples: ["maillord@example.org"] +# Default: "" +smtp-username: "" + +# String. Password to use when authenticating with the smtp server. +# This should have been provided to you by your smtp host. +# Examples: ["1234", "password"] +# Default: "" +smtp-password: "" + +# String. 'From' address for sent emails. +# Examples: ["mail@example.org"] +# Default: "" +smtp-from: "" + +######################### +##### SYSLOG CONFIG ##### +######################### + +# Config for additional syslog log hooks. See https://en.wikipedia.org/wiki/Syslog, +# and https://github.com/sirupsen/logrus/tree/master/hooks/syslog. +# +# These settings are useful when one wants to daemonize GoToSocial and send logs +# to a specific place, either a local location or a syslog server. Most users will +# not need to touch these settings. + +# Bool. Enable the syslog logging hook. Logs will be mirrored to the configured destination. 
+# Options: [true, false] +# Default: false +syslog-enabled: true + +# String. Protocol to use when directing logs to syslog. Leave empty to connect to local syslog. +# Options: ["udp", "tcp", ""] +# Default: "tcp" +syslog-protocol: "" + +# String. Address:port to send syslog logs to. Leave empty to connect to local syslog. +# Default: "localhost:514" +syslog-address: "" + +############################# +##### ADVANCED SETTINGS ##### +############################# + +# Advanced settings pertaining to http timeouts, security, cookies, and more. +# +# ONLY ADJUST THESE SETTINGS IF YOU KNOW WHAT YOU ARE DOING! +# +# Most users will not need to (and should not) touch these settings, since +# they are set to sensible defaults, and may break if they are changed. +# +# Nevertheless, they are provided for the sake of allowing server admins to +# tweak their instance for performance or security reasons. + +# String. Value of the SameSite attribute of cookies set by GoToSocial. +# Defaults to 'lax' to ensure that the OIDC flow does not break, which is +# fine in most cases. If you want to harden your instance against CSRF attacks +# and don't mind if some login-related things might break, you can set this +# to 'strict' instead. +# +# For an overview of what this does, see: +# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite +# +# Options: ["lax", "strict"] +# Default: "lax" +advanced-cookies-samesite: "lax" diff --git a/etc/httpd.conf b/etc/httpd.conf new file mode 100644 index 0000000..d3cf7ae --- /dev/null +++ b/etc/httpd.conf 
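Review bot: `web-template-base-dir: "./web/template/"` and `web-asset-base-dir: "./web/assets/"` are left at the relative defaults, so the daemon only finds its templates and assets when started from the directory that contains them, whereas every other path in this file (`db-address`, `storage-local-base-path`, `letsencrypt-cert-dir`) is absolute under `/var/gotosocial`. Absolute paths would make startup independent of the working directory chosen by whatever launches it (etc/rc.local is in this commit but not visible here). The rest is consistent with the layout the other files describe: `bind-address: "127.0.0.1"` with `trusted-proxies: ["127.0.0.1/32"]` matches a local relayd in front, and `host`/`account-domain` match the webfinger and nodeinfo redirects in etc/httpd.conf, which this file's own comment on `account-domain` requires.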
@@ -0,0 +1,207 @@
+types {
+include "/usr/share/misc/mime.types"
+}
+
+server "rockgeeks.net" {
+listen on * port 80
+
+alias "www.rockgeeks.net"
+
+location "/.well-known/acme-challenge/*" {
+root "/acme"
+request strip 2
+}
+
+location "/.well-known/webfinger" {
+block return 302 "https://magpie.rockgeeks.net/.well-known/webfinger"
+}
+
+location "/.well-known/nodeinfo" {
+block return 302 "https://magpie.rockgeeks.net/.well-known/nodeinfo"
+}
+
+# wp blog is https-only
+location "/soc" {
+block return 302 "https://$HTTP_HOST$REQUEST_URI"
+}
+location "/soc/*" {
+block return 302 "https://$HTTP_HOST$REQUEST_URI"
+}
+
+location "/plss" {
+root "/plss"
+fastcgi socket "/run/slowcgi.sock"
+}
+
+location * {
+root "/rockgeeks.net"
+}
+}
+
+server "rockgeeks.net" {
+listen on 127.0.0.1 port 4443 # https via relayd
+
+location "/.well-known/acme-challenge/*" {
+root "/acme"
+request strip 2
+}
+
+location "/.well-known/webfinger" {
+block return 302 "https://magpie.rockgeeks.net/.well-known/webfinger"
+}
+
+location "/.well-known/nodeinfo" {
+block return 302 "https://magpie.rockgeeks.net/.well-known/nodeinfo"
+}
+
+# wp blog
+location "/soc/*.php*" {
+root "/wordpress"
+request strip 1
+fastcgi socket "/run/php-fpm.sock"
+}
+location "/soc/*" {
+root "/wordpress"
+directory index index.php
+request strip 1
+}
+location "/soc" {
+block return 302 "https://$HTTP_HOST/soc/"
+}
+
+# rest of site can be served over https, too
+location * {
+root "/rockgeeks.net"
+}
+}
+
+server "magpie.rockgeeks.net" {
+listen on * port 80
+
+location "/.well-known/acme-challenge/*" {
+root "/acme"
+request strip 2
+}
+
+location "*" {
+block return 302 "https://$HTTP_HOST$REQUEST_URI"
+}
+}
+
+server "mail.rockgeeks.net" {
+listen on 127.0.0.1 port 4443 # https via relayd
+
+root "/roundcubemail"
+
+location "/config*" { block return 404 }
+location "/logs*" { block return 404 }
+location "/temp*" { block return 404 }
+
+ location "/*.php*" {
+fastcgi socket "/run/php-fpm.sock"
+}
+
+location "*" {
+directory index index.php
+}
+}
+
+server "src.rockgeeks.net" {
+listen on * port 80
+
+location "/.well-known/acme-challenge/*" {
+root "/acme"
+request strip 2
+}
+
+location * {
+block return 302 "https://$HTTP_HOST$REQUEST_URI"
+}
+}
+
+server "src.rockgeeks.net" {
+listen on 127.0.0.1 port 4443 # https via relayd
+
+location "/.well-known/acme-challenge/*" {
+root "/acme"
+request strip 2
+}
+
+location "/cgit.*" {
+root "/cgit"
+no fastcgi
+}
+
+location "/*" {
+root "/cgi-bin/cgit.cgi"
+fastcgi socket "/run/slowcgi.sock"
+}
+}
+
+server "todo.rockgeeks.net" {
+listen on * port 80
+
+location "/.well-known/acme-challenge/*" {
+root "/acme"
+request strip 2
+}
+
+location * {
+block return 302 "https://$HTTP_HOST$REQUEST_URI"
+}
+}
+
+server "todo.rockgeeks.net" {
+listen on 127.0.0.1 port 4443 # https via relayd
+
+location "/.well-known/acme-challenge/*" {
+root "/acme"
+request strip 2
+}
+
+# Whitelist only
+location "*.cgi" {
+root "/bugzilla"
+fastcgi socket "/run/slowcgi.sock"
+}
+location "*.css" { root "/bugzilla" }
+location "*.gif" { root "/bugzilla" }
+location "*.ico" { root "/bugzilla" }
+location "*.js" { root "/bugzilla" }
+location "*.png" { root "/bugzilla" }
+location "/robots.txt" { root "/bugzilla" }
+location "/" {
+root "/bugzilla"
+directory index index.cgi
+request rewrite "/index.cgi"
+}
+
+location "/*" {
+block return 404
+}
+}
+
+server "annetronics.com" {
+listen on * port 80
+alias "*.annetronics.com"
+location "/.well-known/acme-challenge/*" {
+root "/acme"
+request strip 2
+}
+location * {
+block return 302 "https://annetronics.com$REQUEST_URI"
+}
+}
+
+server "annetronics.com" {
+listen on 127.0.0.1 port 4443 # https via relayd
+alias "*.annetronics.com"
+
+location "/.well-known/acme-challenge/*" {
+root "/acme"
+request strip 2
+}
+location * {
+root "/annetronics.com"
+ }
+}
diff --git a/etc/mail/aliases b/etc/mail/aliases
new file mode 100644
index 0000000..0c32841
--- /dev/null
+++ b/etc/mail/aliases
@@ -0,0 +1,7 @@
+
+.... add the below in ....
+
+# Well-known aliases -- these should be filled in!
+root: jon@rockgeeks.net
+manager: root
+dumper: root
diff --git a/etc/mail/smtpd.conf b/etc/mail/smtpd.conf
new file mode 100644
index 0000000..fcf92fe
--- /dev/null
+++ b/etc/mail/smtpd.conf
@@ -0,0 +1,21 @@
+# $OpenBSD: smtpd.conf,v 1.14 2019/11/26 20:14:38 gilles Exp $
+
+# This is the smtpd server system-wide configuration file.
+# See smtpd.conf(5) for more information.
+
+table aliases file:/etc/mail/aliases
+
+listen on socket
+
+# To accept external mail, replace with: listen on all
+#
+listen on lo0
+
+action "local_mail" mbox alias <aliases>
+action "outbound" relay
+
+# Uncomment the following to accept external mail for domain "example.org"
+#
+# match from any for domain "example.org" action "local_mail"
+match from local for local action "local_mail"
+match from local for any action "outbound"
diff --git a/etc/my.cnf b/etc/my.cnf
new file mode 100644
index 0000000..d65bff0
--- /dev/null
+++ b/etc/my.cnf
@@ -0,0 +1,10 @@
+[client-server]
+socket=/var/www/var/run/mysql/mysql.sock
+
+[client]
+user=root
+password=<PASSWORD GOES HERE>
+
+# The MariaDB server
+[mysqld]
+bind-address=127.0.0.1
diff --git a/etc/mygate b/etc/mygate
new file mode 100644
index 0000000..ffb53a7
--- /dev/null
+++ b/etc/mygate
@@ -0,0 +1,2 @@
+104.225.1.1
+2607:fc50:0:15::1
diff --git a/etc/myname b/etc/myname
new file mode 100644
index 0000000..2405628
--- /dev/null
+++ b/etc/myname
@@ -0,0 +1 @@
+shrike.rockgeeks.net
diff --git a/etc/pf.conf b/etc/pf.conf
new file mode 100644
index 0000000..b1c7b08
--- /dev/null
+++ b/etc/pf.conf
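Review bot: The port-80 `server "rockgeeks.net"` is the first listener on `*:80`, and httpd (as I recall) falls back to the first matching listener when no server name matches the Host header, so a request with an arbitrary Host lands here and the `/soc` redirects echo it back through `$HTTP_HOST`, giving a Host-header open redirect; the `annetronics.com` block already pins a literal name, so do the same with `block return 302 "https://rockgeeks.net$REQUEST_URI"` (the `magpie`, `src`, `todo` redirects only match their own names, but pinning them costs nothing). On `mail.rockgeeks.net` the 404 blocks cover `config`, `logs` and `temp`, but Roundcube's `installer/`, `bin/` and `SQL/` trees, if this install still carries them, are served as static files by the catch-all and should get the same `block return 404`. The `todo` whitelist `location "*.cgi"` executes any `.cgi` anywhere under `/bugzilla`, not only the top-level scripts, so if `contrib/` or other helper scripts live in that tree they are reachable too.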
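Review bot: The `[client]` section stores the MariaDB `root` password in `/etc/my.cnf`, which every `mysql`/`mysqldump` run by any local user reads, so unless the file is mode 0600 it hands DB root to anyone with a shell on the box (and the placeholder shows the real value is meant to live here). Move `user=root` and `password=` into `/root/.my.cnf` with `chmod 600`, leaving only `[client-server]` and `[mysqld]` in the world-readable file; `bind-address=127.0.0.1` plus the socket under the httpd chroot is fine as is. A one-line comment above `[client]` saying "root-only; keep this file 0600" would at least record the requirement.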
@@ -0,0 +1,56 @@
+# See pf.conf(5) and /etc/examples/pf.conf
+
+ext_if = "vio0"
+
+set skip on lo
+
+block return # block stateless traffic
+pass # establish keep-state
+
+# By default, do not permit remote connections to X11
+block return in on ! lo0 proto tcp to port 6000:6010
+
+# Port build user does not need network
+block return out log proto {tcp udp} user _pbuild
+
+block in log
+
+pass out quick
+
+# Brute force prevention
+# See http://home.nuug.no/~peter/pf/en/bruteforce.html
+
+# External-facing services. SSH is handled separately.
+tcp_services = "{ smtp www pop3 imap auth https smtps submission pop3s imaps git }"
+
+table <brutessh> persist
+block quick from <brutessh>
+
+table <bruteforce> persist
+block quick from <bruteforce>
+
+# SSH
+pass quick proto tcp from any to any port ssh \
+flags S/SA keep state \
+(max-src-conn 15, max-src-conn-rate 10/3, \
+overload <brutessh> flush global)
+
+# Rate and connection limits on the services we allow
+pass inet proto tcp from any to any port $tcp_services \
+flags S/SA keep state \
+(max-src-conn 100, max-src-conn-rate 120/5, \
+overload <bruteforce> flush global)
+
+# Restrict ICMP types
+pass in inet proto icmp from any to any icmp-type { echoreq echorep timex unreach }
+pass in inet6 proto icmp6 from any to any icmp6-type { echoreq echorep unreach }
+
+# Firewall memcached (per instructions 2017-11-22)
+block on $ext_if proto tcp to ($ext_if) port 11211
+
+# Table for abusive hosts to block
+table <badhosts> persist file "/etc/per-host-blocklist"
+block on vio0 from <badhosts> to any
+
+# Additional per-host rules (for chronic abusers)
+#include "/etc/pf/per-host-rules.conf"
diff --git a/etc/php-fpm.conf b/etc/php-fpm.conf
new file mode 100644
index 0000000..10d8b5e
--- /dev/null
+++ b/etc/php-fpm.conf
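Review bot: `block on vio0 from <badhosts> to any` at the end is not `quick`, so it only wins by last-match against the non-quick `$tcp_services` rule; the SSH rule above it is `pass quick`, which means a host listed in `<badhosts>` (i.e. in `/etc/per-host-blocklist`) can still reach port 22. Move the `<badhosts>` table and rule up next to `<brutessh>`/`<bruteforce>` and write it as `block quick on $ext_if from <badhosts>`, the same ordering those two tables already rely on. Separately, `pass inet proto tcp from any to any port $tcp_services` is IPv4-only while `block in log` drops everything else, so IPv6 clients cannot reach 443/25/993 even though the host has an IPv6 gateway and relayd listens on `::`; drop the `inet` keyword if that is unintended. `tcp_services` also opens plaintext `pop3`, `imap` and `auth` (113); if Dovecot refuses cleartext logins these are just noise, otherwise they are worth trimming.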
@@ -0,0 +1,20 @@
+;;;;;;;;;;;;;;;;;;;;;
+; FPM Configuration ;
+;;;;;;;;;;;;;;;;;;;;;
+
+[global]
+include=/etc/php-fpm.d/*.conf
+
+[www]
+user = www
+group = www
+listen = /var/www/run/php-fpm.sock
+listen.owner = www
+listen.group = www
+listen.mode = 0660
+pm = dynamic
+pm.max_children = 5
+pm.start_servers = 2
+pm.min_spare_servers = 1
+pm.max_spare_servers = 3
+chroot = /var/www
diff --git a/etc/postfix/main.cf b/etc/postfix/main.cf
new file mode 100644
index 0000000..9348678
--- /dev/null
+++ b/etc/postfix/main.cf
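Review bot: The pool runs as `user = www` / `group = www`, the same account httpd runs under and the owner of the `0660` socket, so a PHP compromise (WordPress and Roundcube both execute through this one pool) gets write access to everything `www` can write inside the chroot — and if the doc roots are `www`-writable for WordPress self-updates, that is every site httpd serves. Run the pool as a dedicated account (`user = _php`, `group = _php`) and keep `listen.group = www` so only httpd can talk to the socket; separate pools for WordPress and Roundcube would also stop one app from reading the other's config. Nothing here sets `php_admin_value[open_basedir]` or `php_admin_value[disable_functions]`; if they are not in `/etc/php-fpm.d/*.conf`, add them per pool.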
@@ -0,0 +1,125 @@
+# Global Postfix configuration file.
+
+compatibility_level = 3.6
+queue_directory = /var/spool/postfix
+command_directory = /usr/local/sbin
+daemon_directory = /usr/local/libexec/postfix
+data_directory = /var/postfix
+
+mail_owner = _postfix
+inet_protocols = all
+
+unknown_local_recipient_reject_code = 450
+
+mynetworks = 127.0.0.0/8, 104.225.1.6/32, rockgeeks.net
+
+debug_peer_level = 2
+debug_peer_list = 127.0.0.1
+debugger_command =
+PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
+ddd $daemon_directory/$process_name $process_id & sleep 5
+
+sendmail_path = /usr/local/sbin/sendmail
+newaliases_path = /usr/local/sbin/newaliases
+mailq_path = /usr/local/sbin/mailq
+
+setgid_group = _postdrop
+
+html_directory = /usr/local/share/doc/postfix/html
+manpage_directory = /usr/local/man
+sample_directory = /etc/postfix
+readme_directory = /usr/local/share/doc/postfix/readme
+meta_directory = /etc/postfix
+shlib_directory = no
+
+smtpd_use_tls = yes
+smtpd_tls_auth_only = yes
+smtp_tls_cert_file = /etc/ssl/rockgeeks.net.fullchain.pem
+smtp_tls_key_file = /etc/ssl/private/rockgeeks.net.key
+smtpd_tls_cert_file = /etc/ssl/rockgeeks.net.fullchain.pem
+smtpd_tls_key_file = /etc/ssl/private/rockgeeks.net.key
+
+smtp_tls_security_level = may
+smtpd_tls_security_level = may
+smtpd_tls_received_header = yes
+
+smtp_tls_session_cache_database = btree:/var/postfix/smtpd_tls_session_cache
+tls_random_source = dev:/dev/urandom
+
+virtual_alias_domains =
+virtual_alias_maps =
+proxy:mysql:/etc/postfix/sql/forwardings.cf
+proxy:mysql:/etc/postfix/sql/email2email.cf
+
+virtual_mailbox_domains = proxy:mysql:/etc/postfix/sql/domains.cf
+virtual_mailbox_maps = proxy:mysql:/etc/postfix/sql/mailboxes.cf
+virtual_uid_maps = proxy:mysql:/etc/postfix/sql/user.cf
+virtual_gid_maps = proxy:mysql:/etc/postfix/sql/group.cf
+virtual_minimum_uid = 1000
+virtual_transport = lmtp:unix:private/dovecot-lmtp
+
+dovecot_destination_recipient_limit = 1
+spamassassin_destination_recipient_limit = 1 +transport_maps = proxy:mysql:/etc/postfix/sql/routing.cf +relay_domains = proxy:mysql:/etc/postfix/sql/routing.cf +recipient_delimiter = + + +proxy_read_maps = + proxy:mysql:/etc/postfix/sql/routing.cf + proxy:mysql:/etc/postfix/sql/domains.cf + proxy:mysql:/etc/postfix/sql/mailboxes.cf + proxy:mysql:/etc/postfix/sql/user.cf + proxy:mysql:/etc/postfix/sql/group.cf + proxy:mysql:/etc/postfix/sql/forwardings.cf + proxy:mysql:/etc/postfix/sql/email2email.cf + proxy:unix:passwd.byname + unix:passwd.byname + +smtpd_sasl_type = dovecot +smtpd_sasl_path = private/auth +smtpd_sasl_auth_enable = yes +smtpd_sasl_security_options = noanonymous +smtpd_sasl_local_domain = + +smtpd_delay_reject = yes +smtpd_helo_required = yes +smtpd_recipient_restrictions = + permit_mynetworks + permit_sasl_authenticated + permit_auth_destination + reject_unauth_destination + reject_unknown_recipient_domain + reject_non_fqdn_recipient + +smtpd_relay_restrictions = + permit_mynetworks + permit_sasl_authenticated + permit_auth_destination + reject_unauth_destination + reject_non_fqdn_recipient + reject_unknown_recipient_domain + +smtpd_client_restrictions = + permit_mynetworks + permit_sasl_authenticated + reject_unauth_destination + check_policy_service inet:127.0.0.1:2501 + reject_rbl_client zen.spamhaus.org + reject_rbl_client bl.spamcop.net + reject_unknown_client_hostname + +smtpd_sender_restrictions = + reject_unknown_sender_domain + reject_non_fqdn_sender + +smtpd_data_restrictions = reject_unauth_pipelining + +message_size_limit = 27962027 +milter_default_action = tempfail +milter_connect_macros = j {daemon_name} v _ +milter_header_checks = pcre:/etc/postfix/milter_header_checks +header_checks = pcre:/etc/postfix/header_checks.pcre + +# Disabled -- clamd takes too much memory. XXX 2021-03-14: revisit? +#smtpd_milters = +# unix:/tmp/clamav-milter.sock 
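Review bot: `smtpd_sasl_auth_enable = yes` in main.cf switches AUTH on for every smtpd instance, including the port-25 `smtp` service, so the public MX port becomes a password-guessing target for every Dovecot account; master.cf already enables SASL explicitly on `smtps` and `submission`, so set `smtpd_sasl_auth_enable = no` here and let those `-o` overrides carry it. `debug_peer_list = 127.0.0.1` with `debug_peer_level = 2` logs every loopback session verbosely, and webmail submits via loopback, so AUTH exchanges may end up in the mail log — drop both lines unless actively debugging. In `smtpd_client_restrictions` the `check_policy_service inet:127.0.0.1:2501` greylist call runs before the `reject_rbl_client` lookups, so blacklisted hosts get greylisted and retried instead of being rejected on first contact; put the RBL checks ahead of it. `reject_unknown_client_hostname` rejects any client whose forward and reverse DNS disagree, which drops a fair amount of legitimate mail; `reject_unknown_reverse_client_hostname` is the usual compromise.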
diff --git a/etc/postfix/master.cf b/etc/postfix/master.cf
new file mode 100644
index 0000000..652c8d8
--- /dev/null
+++ b/etc/postfix/master.cf
@@ -0,0 +1,49 @@
+# Postfix master process configuration file.
+
+#smtp inet n - y - - smtpd -o content_filter=spamassassin
+smtp inet n - y - - smtpd
+smtps inet n - y - - smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
+submission inet n - y - - smtpd -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
+
+#smtps inet n - n - - smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes -o smtpd_milters=unix:/tmp/clamav-milter.sock
+#submission inet n - n - - smtpd -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes -o smtpd_milters=unix:/tmp/clamav-milter.sock
+
+pickup unix n - y 60 1 pickup
+cleanup unix n - y - 0 cleanup
+qmgr unix n - y 300 1 qmgr
+tlsmgr unix - - y 1000? 1 tlsmgr
+rewrite unix - - y - - trivial-rewrite
+bounce unix - - y - 0 bounce
+defer unix - - y - 0 bounce
+trace unix - - y - 0 bounce
+verify unix - - y - 1 verify
+flush unix n - y 1000? 0 flush
+proxymap unix - - n - - proxymap
+proxywrite unix - - n - 1 proxymap
+smtp unix - - y - - smtp
+relay unix - - y - - smtp
+ -o syslog_name=postfix/$service_name
+# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
+showq unix n - y - - showq
+error unix - - y - - error
+retry unix - - y - - error
+discard unix - - y - - discard
+local unix - n n - - local
+virtual unix - n n - - virtual
+lmtp unix - - y - - lmtp
+anvil unix - - y - 1 anvil
+scache unix - - y - 1 scache
+postlog unix-dgram n - n - 1 postlogd
+
+maildrop unix - n n - - pipe
+ flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
+bsmtp unix - n n - - pipe
+ flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
+# Dovecot2 LDA
+dovecot unix - n n - - pipe
+ flags=DRhu user=_dovecot:_dovecot argv=/usr/local/libexec/dovecot/dovecot-lda -f ${sender} -d ${user}@${nexthop} -m ${extension}
+
+spamassassin
+ unix - n n - - pipe
+ flags=Rqhu user=_dovecot:_dovecot argv=/usr/local/bin/spamc -x -u ${user} -e /usr/local/libexec/dovecot/deliver -a ${recipient} -d ${user}@${domain} -f ${sender}
+
diff --git a/etc/rc.conf.local b/etc/rc.conf.local
new file mode 100644
index 0000000..f714521
--- /dev/null
+++ b/etc/rc.conf.local
@@ -0,0 +1,7 @@
+gitdaemon_flags=--base-path=/var/www
+httpd_flags=
+pkg_scripts=php74_fpm postfix spamassassin dovecot mysqld sqlgrey gitdaemon gotosocial
+relayd_flags=
+slowcgi_flags=
+smtpd_flags=NO
+spamd_flags=
diff --git a/etc/rc.local b/etc/rc.local
new file mode 100644
index 0000000..8333c36
--- /dev/null
+++ b/etc/rc.local
@@ -0,0 +1,26 @@
+#
+
+## Copy programs and dependencies into the /var/www chroot
+perl /var/www/chroot.pl
+
+# Prepare chroot /dev for git and bugzilla
+mkdir -p /var/www/dev
+mount_mfs -s 64k swap /var/www/dev/
+mknod -m 666 /var/www/dev/null c 2 2
+mknod /var/www/dev/urandom c 45 0
+ln -s urandom /var/www/dev/urandom
+
+# Run ldconfig so we can load runtime stuff
+cp /sbin/ldconfig /var/www/tmp/ldconfig
+chroot /var/www /tmp/ldconfig /usr/lib /usr/local/lib
+rm /var/www/tmp/ldconfig
+
+# checksetup.pl calls getgrnam($webservergroup) so we need this entry
+if ! grep -q www /var/www/etc/group ; then
+grep www /etc/group >> /var/www/etc/group
+fi
+
+# Local Variables:
+# mode: sh
+# sh-shell: ksh
+# End:
diff --git a/etc/relayd.conf b/etc/relayd.conf
new file mode 100644
index 0000000..5cf4b47
--- /dev/null
+++ b/etc/relayd.conf
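Review bot: The `submission` line uses `-o smtpd_enforce_tls=yes`, the pre-2.3 knob; if I read postconf(5) right, once `smtpd_tls_security_level` is set (main.cf sets it to `may`) the legacy `smtpd_use_tls`/`smtpd_enforce_tls` values are ignored, so submission ends up opportunistic rather than mandatory TLS and credentials are protected only because `smtpd_tls_auth_only = yes` happens to be set. Replace it with `-o smtpd_tls_security_level=encrypt`, and add `-o smtpd_client_restrictions=permit_sasl_authenticated,reject` to both `submission` and `smtps` so those ports can never become relays through a main.cf restriction mistake. The `bsmtp` entry with `user=foo` and the `maildrop` entry with `user=vmail` look like sample leftovers for accounts this setup does not define; removing them avoids a confusing failure if a transport map ever routes to them.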
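Review bot: `ln -s urandom /var/www/dev/urandom` names the node that `mknod` created on the previous line as both target and link, so the symlink is self-referential and `ln` will fail with "File exists" on every boot; the intent was almost certainly `ln -s urandom /var/www/dev/random`, which is how (I believe) MAKEDEV lays out `/dev` on OpenBSD. `mknod /var/www/dev/urandom c 45 0` also takes its mode from the boot-time umask — give it an explicit `-m 644` like the `null` node so chrooted readers do not depend on that. Copying `ldconfig` into `/var/www/tmp` and then running it as root via `chroot` is a small race if `/var/www/tmp` is writable by `www` (PHP sessions typically live there); stage it in a root-owned, non-writable directory such as `/var/www/sbin` instead. Finally, `grep www /etc/group` matches any group whose name or member list contains "www", not only the `www` group; `grep '^www:' /etc/group` is what the comment describes.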
@@ -0,0 +1,60 @@
+#
+# Relay https traffic:
+#
+# magpie.rockgeeks.net -> localhost:4444 (http:gotosocial)
+# * -> localhost:4443 (http:httpd)
+#
+
+log connection
+
+ext_addr="0.0.0.0"
+ext_addr6="::"
+tls_port="443"
+httpd_port="4443"
+gotosocial_port="4444"
+
+table <gotosocial> { 127.0.0.1 }
+table <httpd> { 127.0.0.1 }
+
+http protocol https {
+return error
+
+http websockets
+
+tls keypair "relayd-rockgeeks.net"
+tls keypair "relayd-annetronics.com"
+
+match request header set "X-Forwarded-For" value "$REMOTE_ADDR"
+match request header set "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
+match request header set "X-Forwarded-Proto" value "https"
+match request header set "Connection" value "close"
+
+match request header set "Connection" value "upgrade"
+pass request quick header "Host" value "magpie.rockgeeks.net" forward to <gotosocial>
+
+pass request quick header "Host" value "rockgeeks.net" forward to <httpd>
+pass request quick header "Host" value "mail.rockgeeks.net" forward to <httpd>
+pass request quick header "Host" value "src.rockgeeks.net" forward to <httpd>
+pass request quick header "Host" value "todo.rockgeeks.net" forward to <httpd>
+pass request quick header "Host" value "www.rockgeeks.net" forward to <httpd>
+pass request quick header "Host" value "annetronics.com" forward to <httpd>
+pass request quick header "Host" value "mail.annetronics.com" forward to <httpd>
+pass request quick header "Host" value "www.annetronics.com" forward to <httpd>
+
+block
+#pass request forward to <httpd>
+}
+
+relay https {
+listen on $ext_addr port $tls_port tls
+protocol https
+forward to <gotosocial> port $gotosocial_port
+forward to <httpd> port $httpd_port
+}
+
+relay https6 {
+listen on $ext_addr6 port $tls_port tls
+protocol https
+forward to <gotosocial> port $gotosocial_port
+forward to <httpd> port $httpd_port
+}
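Review bot: relayd terminates TLS for every site here but sets no response headers, so nothing tells browsers to stay on HTTPS even though httpd redirects all of port 80 there; add `match response header set "Strict-Transport-Security" value "max-age=31536000"` (and `match response header set "X-Content-Type-Options" value "nosniff"`) to the protocol once the redirects have been live for a while. The second `match request header set "Connection" value "upgrade"` unconditionally overrides the `"close"` set three lines earlier for every request to every backend, which looks unintended; if websocket traffic to gotosocial still works without it under `http websockets`, drop it. Using `set` rather than `append` for `X-Forwarded-For` is right, since it discards any client-supplied value before the backends see it. Because relayd, not httpd, holds the `relayd-rockgeeks.net` / `relayd-annetronics.com` keypairs, whatever renews the certificates must also `rcctl reload relayd` (and write under those names), or port 443 keeps serving the old chain after renewal.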
diff --git a/etc/sqlgrey/clients_fqdn_whitelist.local b/etc/sqlgrey/clients_fqdn_whitelist.local
new file mode 100644
index 0000000..8b695ee
--- /dev/null
+++ b/etc/sqlgrey/clients_fqdn_whitelist.local
@@ -0,0 +1,4 @@
+# 2022-08-20 Fine Homebuilding "forgot password"
+subscriptionconfirmation.com
+# 2022-09-12 Sends from IP without hostname
+att-mail.com
diff --git a/etc/sqlgrey/sqlgrey.conf b/etc/sqlgrey/sqlgrey.conf
new file mode 100644
index 0000000..eb73182
--- /dev/null
+++ b/etc/sqlgrey/sqlgrey.conf
@@ -0,0 +1,14 @@
+#########################
+## SQLgrey config file ##
+#########################
+
+user = _sqlgrey
+group = _sqlgrey
+
+db_type = mysql
+db_name = sqlgrey
+db_host = localhost
+db_port = default
+db_user = sqlgrey
+db_pass = <PASSWORD GOES HERE>
+db_dsn = DBI:mysql:database=sqlgrey;host=localhost;mysql_socket=/var/www/var/run/mysql/mysql.sock
diff --git a/etc/ssh/sshd_config b/etc/ssh/sshd_config
new file mode 100644
index 0000000..38a006f
--- /dev/null
+++ b/etc/ssh/sshd_config
@@ -0,0 +1,11 @@
+....
+
+PermitRootLogin no
+PubkeyAuthentication yes
+PasswordAuthentication no
+
+Match User git
+X11Forwarding no
+AllowTcpForwarding no
+PermitTTY no
+ChrootDirectory /var/www |
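Review bot: `db_pass` is stored in this file and `user = _sqlgrey` means the daemon reads it after dropping privileges, so it has to be readable by `_sqlgrey` and nobody else — `chown root:_sqlgrey /etc/sqlgrey/sqlgrey.conf && chmod 640 /etc/sqlgrey/sqlgrey.conf` — otherwise any local user inherits the greylist database credentials. A one-line comment above `db_pass`, e.g. `# contains a secret: keep this file 0640 root:_sqlgrey`, would record that requirement next to the value, since nothing else in the tree does.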
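Review bot: The `Match User git` block chroots the account and disables TTY and forwarding but has no `ForceCommand`, so `ssh git@host <cmd>` can still run any binary present in the `/var/www` chroot — which rc.local deliberately fills with working tools — rather than only the git transport; add `ForceCommand git-shell -c "$SSH_ORIGINAL_COMMAND"` (git-shell and its dependencies must exist inside the chroot) and `AllowAgentForwarding no`. sshd also requires the ChrootDirectory itself to be root-owned and not group- or world-writable, which `/var/www` satisfies only as long as nobody relaxes its mode for the web stack; worth a comment on the `ChrootDirectory` line. The visible lines set `PasswordAuthentication no`, but the elided `....` section does not show `KbdInteractiveAuthentication no`; on OpenBSD keyboard-interactive falls back to the system password via bsd_auth, so without that line password logins still work — confirm it is set.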
