authorCharlie Root <root@jozanofastora.xyz>2022-04-27 14:02:54 +0000
committerCharlie Root <root@jozanofastora.xyz>2022-04-27 14:02:54 +0000
commit96d51c38abc47fc5ea5dee0949f5fc0323b31026 (patch)
tree15c5266908f61ed9a7e1e621f83ff65c431eee46
First commit
-rw-r--r--etc/rc.conf21
-rw-r--r--root/.cshrc49
-rw-r--r--usr/local/etc/nginx/nginx.conf192
-rw-r--r--usr/local/etc/pf.conf60
4 files changed, 322 insertions, 0 deletions
diff --git a/etc/rc.conf b/etc/rc.conf
new file mode 100644
index 0000000..8c8846a
--- /dev/null
+++ b/etc/rc.conf
@@ -0,0 +1,21 @@
+hostname="jozanofastora.xyz"
+sshd_enable="YES"
+ntpd_enable="YES"
+static_routes="linklocal"
+ifconfig_vtnet0="DHCP"
+ifconfig_vtnet0_ipv6="inet6 accept_rtadv"
+ipv6_activate_all_interfaces="YES"
+rtsold_enable="YES"
+rtsold_flags="-aF"
+nginx_enable="YES"
+uwsgi_enable="YES"
+cron_flags="-m ''"
+gmid_enable="YES"
+pf_enable="NO"
+pf_rules="/usr/local/etc/pf.conf"
+plog_enable="NO"
+pflog_logfile="/var/log/pflog"
+obspamd_enable="NO"
+obspamd_flags="-v"
+obspamlogd_enable="NO"
+dovecot_enable="NO"
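Review bot: `plog_enable="NO"` in the rc.conf hunk is not an rc(8) knob; the pflog service is controlled by `pflog_enable`, so the line is inert and flipping it to YES later would do nothing even though `pflog_logfile` is set. Suggest `pflog_enable="NO"`. Separately, `pf_enable="NO"` means the pf.conf committed alongside is never loaded, so sshd, nginx and the mail daemons enabled here run without a packet filter; if that is deliberate, a one-line comment such as `# pf intentionally off until the ruleset is validated` would spare the next reader the question.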
diff --git a/root/.cshrc b/root/.cshrc
new file mode 100644
index 0000000..f4436db
--- /dev/null
+++ b/root/.cshrc
@@ -0,0 +1,49 @@
+# $FreeBSD: releng/12.1/bin/csh/dot.cshrc 338374 2018-08-29 16:59:19Z brd $
+#
+# .cshrc - csh resource script, read at beginning of execution by each shell
+#
+# see also csh(1), environ(7).
+# more examples available at /usr/share/examples/csh/
+#
+
+alias h history 25
+alias j jobs -l
+alias la ls -aF
+alias lf ls -FA
+alias ll ls -lAF
+alias ls ls -lhG
+alias tree tree -C
+alias c clear
+alias vim nvim
+alias diff colordiff -c
+alias confgit git --git-dir=/usr/local/git/jozan/jozanofastora-conf.git --work-tree=/
+
+# A righteous umask
+umask 22
+
+set path = (/sbin /bin /usr/sbin /usr/bin /usr/local/sbin /usr/local/bin $HOME/bin)
+
+setenv EDITOR vi
+setenv PAGER less
+setenv BLOCKSIZE K
+
+if ($?prompt) then
+ # An interactive shell -- set some stuff up
+ set prompt = "%N@%m:%~ %# "
+ set promptchars = "%#"
+
+ set filec
+ set history = 1000
+ set savehist = (1000 merge)
+ set autolist = ambiguous
+ # Use history to aid expansion
+ set autoexpand
+ set autorehash
+ set mail = (/var/mail/$USER)
+ if ( $?tcsh ) then
+ bindkey "^W" backward-delete-word
+ bindkey -k up history-search-backward
+ bindkey -k down history-search-forward
+ bindkey -v
+ endif
+endif
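Review bot: `alias confgit git --git-dir=... --work-tree=/` makes the whole filesystem the work tree, so a `confgit add -A` or even `confgit status` walks / and can stage files that should never land in a configuration repository, such as the Let's Encrypt private keys that nginx.conf in this same commit points at. Setting `status.showUntrackedFiles no` on that repository and listing key and credential paths in its `info/exclude` keeps the alias safe to use. A short comment above the alias, e.g. `# only add explicitly named paths; work tree is /`, would make the intended usage clear.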
diff --git a/usr/local/etc/nginx/nginx.conf b/usr/local/etc/nginx/nginx.conf
new file mode 100644
index 0000000..2cfd861
--- /dev/null
+++ b/usr/local/etc/nginx/nginx.conf
@@ -0,0 +1,192 @@
+worker_processes 1;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ include mime.types;
+ default_type application/octet-stream;
+ sendfile on;
+ keepalive_timeout 65;
+ gzip on;
+ gzip_vary on;
+ gzip_min_length 1024;
+ gzip_proxied expired no-cache no-store private auth;
+
+ server{
+ server_name jozanofastora.xyz;
+ root /usr/local/www/jozan;
+ index index.html;
+ location / {
+ try_files $uri $uri/ =404;
+ }
+ location ~ /\.ht {
+ deny all;
+ }
+ error_page 403 /403.html;
+ location = /403.html {
+ root /usr/local/www/jozan/err;
+ }
+ error_page 404 /404.html;
+ location = /404.html {
+ root /usr/local/www/jozan/err;
+ }
+ error_page 500 502 503 504 /50x.html;
+ location = /50x.html {
+ root /usr/local/www/nginx-dist;
+ }
+
+
+ listen 443 ssl; # managed by Certbot
+ ssl_certificate /usr/local/etc/letsencrypt/live/jozanofastora.xyz-0001/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /usr/local/etc/letsencrypt/live/jozanofastora.xyz-0001/privkey.pem; # managed by Certbot
+ include /usr/local/etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+ ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+
+}
+
+ server{
+ server_name gitjoe.xyz git.jozanofastora.xyz;
+ root /usr/local/www/gitjoe;
+ index index.html;
+ location / {
+ try_files $uri $uri/ =404;
+ }
+ location ~ /\.ht {
+ deny all;
+ }
+ error_page 403 /403.html;
+ location = /403.html {
+ root /usr/local/www/gitjoe/err;
+ }
+ error_page 404 /404.html;
+ location = /404.html {
+ root /usr/local/www/gitjoe/err;
+ }
+ error_page 500 502 503 504 /50x.html;
+ location = /50x.html {
+ root /usr/local/www/nginx-dist;
+ }
+
+
+ listen 443 ssl; # managed by Certbot
+ ssl_certificate /usr/local/etc/letsencrypt/live/jozanofastora.xyz-0001/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /usr/local/etc/letsencrypt/live/jozanofastora.xyz-0001/privkey.pem; # managed by Certbot
+ include /usr/local/etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+ ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+
+
+}
+
+ server {
+ listen 80;
+ server_name cgit.gitjoe.xyz;
+ root /usr/local/www/cgit;
+
+ # Serve static files with nginx
+ location ~* ^.+(cgit.(css|png)|favicon.ico|robots.txt) {
+ root /usr/share/webapps/cgit;
+ expires 30d;
+ }
+ location / {
+ try_files $uri @cgit;
+ }
+ location @cgit {
+ gzip off;
+ include uwsgi_params;
+ uwsgi_modifier1 9;
+ uwsgi_pass unix:/var/run/uwsgi/cgit.sock;
+ }
+ }
+
+ server {
+ server_name fossil.jozanofastora.xyz;
+ index index.html;
+ root /usr/local/www/fossiljoe;
+
+ # Bypass Fossil for the static documentation generated from
+ # our source code by Doxygen, so it merges into the embedded
+ # doc URL hierarchy at Fossil’s $ROOT/doc without requiring that
+ # these generated files actually be stored in the repo. This
+ # also lets us set aggressive caching on these docs, since
+ # they rarely change.
+ location /code/doc/html {
+ root /usr/local/www/fossiljoe;
+
+ location ~* \.(html|ico|css|js|gif|jpg|png)$ {
+ expires 7d;
+ add_header Vary Accept-Encoding;
+ access_log off;
+ }
+ }
+ # Redirect everything else to the Fossil instance
+ location /code {
+ include scgi_params;
+ scgi_param SCRIPT_NAME "/code";
+ scgi_pass 127.0.0.1:12345;
+ }
+
+
+ listen 443 ssl; # managed by Certbot
+ ssl_certificate /usr/local/etc/letsencrypt/live/jozanofastora.xyz-0001/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /usr/local/etc/letsencrypt/live/jozanofastora.xyz-0001/privkey.pem; # managed by Certbot
+ include /usr/local/etc/letsencrypt/options-ssl-nginx.conf; # managed by Ce/srvrtbot
+ ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem; # managed by Cert/srvbot
+
+ }
+
+
+server{
+ if ($host = git.jozanofastora.xyz) {
+ return 301 https://gitjoe.xyz$request_uri;
+ } # managed by Certbot
+
+ if ($host = www.gitjoe.xyz) {
+ return 301 https://gitjoe.xyz$request_uri;
+ } # managed by Certbot
+
+ if ($host = gitjoe.xyz) {
+ return 301 https://$host$request_uri;
+ } # managed by Certbot
+
+
+ server_name gitjoe.xyz;
+ listen 80;
+ return 404; # managed by Certbot
+
+
+
+
+}
+
+server{
+ if ($host = www.jozanofastora.xyz) {
+ return 301 https://jozanofastora.xyz$request_uri;
+ } # managed by Certbot
+
+ if ($host = jozanofastora.xyz) {
+ return 301 https://$host$request_uri;
+ } # managed by Certbot
+
+
+ server_name jozanofastora.xyz;
+ listen 80;
+ return 404; # managed by Certbot
+
+
+}
+
+server {
+ if ($host = fossil.jozanofastora.xyz) {
+ return 301 https://$host$request_uri;
+ } # managed by Certbot
+
+
+ server_name fossil.jozanofastora.xyz;
+ listen 80;
+ return 404; # managed by Certbot
+
+
+}
+}
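Review bot: The port-80 redirect blocks at the end of the hunk test hosts that their own `server_name` never receives: the block with `server_name gitjoe.xyz;` checks `$host = git.jozanofastora.xyz` and `www.gitjoe.xyz`, and the block with `server_name jozanofastora.xyz;` checks `www.jozanofastora.xyz`, but nginx routes those Host values to the default port-80 server (no `default_server` is declared, so that appears to be the cgit block), never to these `if`s. Changing them to `server_name gitjoe.xyz www.gitjoe.xyz git.jozanofastora.xyz;` and `server_name jozanofastora.xyz www.jozanofastora.xyz;` makes the redirects reachable. Related: cgit.gitjoe.xyz is the only vhost served plaintext-only (`listen 80;` with no TLS block), so everything exchanged with it crosses the wire unencrypted and unauthenticated while every other site is behind Certbot TLS. The markers `# managed by Ce/srvrtbot` and `# managed by Cert/srvbot` in the fossil server look mistyped; Certbot identifies its own lines by the exact `# managed by Certbot` text, so those two lines may no longer be updated or rolled back by it.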
diff --git a/usr/local/etc/pf.conf b/usr/local/etc/pf.conf
new file mode 100644
index 0000000..1838656
--- /dev/null
+++ b/usr/local/etc/pf.conf
@@ -0,0 +1,60 @@
+## Set public interface ##
+ext_if="vtnet0"
+
+## set and drop IP ranges on the public interface ##
+martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
+ 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
+ 0.0.0.0/8, 240.0.0.0/4 }"
+
+table <spamd> persist
+table <spamd-allow> persist
+
+# Allowed webmail services
+table <webmail> persist file "/usr/local/etc/pf.webmail.ip.conf"
+
+## Skip loop back interface - Skip all PF processing on interface ##
+set skip on lo
+
+## Sets the interface for which PF should gather statistics such as bytes in/out and packets passed/blocked ##
+set loginterface $ext_if
+
+# Deal with attacks based on incorrect handling of packet fragments
+scrub in all
+
+
+# Pass spamd allow list
+pass quick log on $ext_if inet proto tcp from <spamd-allow> to $ext_if port smtp \
+ -> 127.0.0.1 port 25
+# Pass webmail servers
+rdr pass quick log on $ext_if inet proto tcp from <gmail> to $ext_if port smtp \
+ -> 127.0.0.1 port 25
+# pass submission messages.
+pass quick log on $ext_if inet proto tcp from any to $ext_if port submission modulate state
+# Pass unknown mail to spamd
+rdr pass log on $ext_if inet proto tcp from {!<spamd-allow> <spamd>} to $ext_if port smtp \
+ -> 127.0.0.1 port 8025
+
+## Blocking spoofed packets
+antispoof quick for $ext_if
+
+## Set default policy ##
+block return in log all
+block out all
+
+# Drop all Non-Routable Addresses
+block drop in quick on $ext_if from $martians to any
+block drop out quick on $ext_if from any to $martians
+
+pass in inet proto tcp to $ext_if port ssh
+
+# Allow Ping-Pong stuff. Be a good sysadmin
+pass inet proto icmp icmp-type echoreq
+
+# Open up imap/pop3 support
+pass quick on $ext_if proto tcp from any to any port {imap, imaps, pop3, pop3s} modulate state
+
+
+# Allow outgoing traffic
+pass out on $ext_if proto tcp from any to any modulate state
+pass out on $ext_if proto udp from any to any keep state
+pass quick on $ext_if from any to any port http
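Review bot: As written the ruleset is unlikely to load: the `pass` rule for `<spamd-allow>` carries a `-> 127.0.0.1 port 25` redirect that only `rdr` accepts, the filter rules for `<spamd-allow>` and submission precede the `rdr pass` to port 8025 although this pf syntax requires translation rules ahead of filter rules, and the final `port http` rule has no `proto tcp`, which pfctl should reject. `pfctl -nf /usr/local/etc/pf.conf` would surface all three before the firewall is ever enabled. The webmail rule reads `from <gmail>` while the table defined above is `<webmail>`, so the allow list loaded from pf.webmail.ip.conf is never consulted; `rdr pass quick log on $ext_if inet proto tcp from <webmail> to $ext_if port smtp \` fixes that. Only `port http` is opened, yet the nginx.conf in this commit listens on 443, so enabling pf as-is would block every TLS site; `pass in quick on $ext_if inet proto tcp to $ext_if port { http, https }` covers both.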