diff options
16 files changed, 220 insertions, 310 deletions
diff --git a/etc/rc.conf b/etc/rc.conf index 507adae..c96e4a5 100644 --- a/etc/rc.conf +++ b/etc/rc.conf @@ -1,6 +1,9 @@ -hostname="joe" +hostname="alcatraz" +clear_tmp_enable="YES" +tmpmfs="YES" +tmpsize="256m" sshd_enable="YES" -ntpd_enable="YES" +ntpd_enable="NO" static_routes="linklocal" devmatch_blacklist="virtio_random.ko" sendmail_enable="NONE" @@ -8,19 +11,20 @@ sendmail_submit_enable="NONE" sendmail_msp_queue_enable="NONE" sendmail_outbound_enable="NONE" ifconfig_vtnet0="DHCP -rxcsum -tso" -nginx_enable="YES" -fcgiwrap_enable="YES" -fcgiwrap_user="www" -fcgiwrap_group="www" -fcgiwrap_socket_owner="www" -fcgiwrap_socket_group="www" +#nginx_enable="NO" +#fcgiwrap_enable="NO" +#fcgiwrap_user="www" +#fcgiwrap_group="www" +#fcgiwrap_socket_owner="www" +#fcgiwrap_socket_group="www" cron_flags="-m ''" -gmid_enable="YES" -pf_enable="NO" -pf_rules="/usr/local/etc/pf.conf" -plog_enable="NO" -pflog_logfile="/var/log/pflog" -obspamd_enable="NO" -obspamd_flags="-v" -obspamlogd_enable="NO" -dovecot_enable="NO" +jail_enable="YES" +gateway_enable="YES" +static_routes="net1" +route_net1="-net 10.0.0.0/24 95.179.223.82" +kld_list="if_bridge if_tap if_epair" +cloned_interfaces="bridge0" +ifconfig_bridge0="inet 10.0.0.254/24" +#cloned_interfaces="bridge0 epair0" +#ifconfig_bridge0="addm vtnet0 addm epair0a up" +#ifconfig_epair0a="up" diff --git a/root/.cshrc b/root/.cshrc index b1c5b5b..fc22012 100644 --- a/root/.cshrc +++ b/root/.cshrc @@ -15,8 +15,8 @@ alias ls ls -lhG alias tree tree -C alias c clear alias vim nvim -alias diff colordiff -c -alias confgit git --git-dir=/usr/local/git/jozan/joe-conf.git --work-tree=/ +alias confgit git --git-dir=/var/jail/git/var/git/jozan/joe-conf.git --work-tree=/ +alias jx jexec # A righteous umask umask 22 diff --git a/usr/local/etc/gmid.conf b/usr/local/etc/gmid.conf deleted file mode 100644 index cf7b293..0000000 --- a/usr/local/etc/gmid.conf +++ /dev/null @@ -1,24 +0,0 @@ -# drop privileges -user "_gmid" - -# it's a good idea to enable chroot, but -# beware that can make CGI scripting harder -#chroot "/var/gemini" - -# An example of a server block: -server "jozanofastora.xyz" { - # set the directory to serve; it's relative to the - # chroot (if enabled) - root "/usr/local/gemini" - - # Set self-signed TLS cert and key. It's better to keep - # the keys outside the chroot. - # - # You should generate them manually, for example: - # openssl req -x509 -newkey rsa:4096 -nodes \ - # -out /usr/local/etc/ssl/gmid/localhost.crt \ - # -keyout /usr/local/etc/ssl/gmid/localhost.key \ - # -subj "/CN=localhost" - cert "/usr/local/etc/letsencrypt/live/jozanofastora.xyz/cert.pem" - key "/usr/local/etc/letsencrypt/live/jozanofastora.xyz/privkey.pem" -} diff --git a/usr/local/etc/nginx/nginx.conf b/usr/local/etc/nginx/nginx.conf deleted file mode 100644 index 3febbf9..0000000 --- a/usr/local/etc/nginx/nginx.conf +++ /dev/null @@ -1,202 +0,0 @@ -worker_processes 1; - -events { - worker_connections 1024; -} - -http { - include mime.types; - default_type application/octet-stream; - sendfile on; - keepalive_timeout 65; - gzip on; - gzip_vary on; - gzip_min_length 1k; - gzip_proxied expired no-cache no-store private auth; - gzip_buffers 4 16k; - gzip_http_version 1.1; - gzip_comp_level 2; - gzip_types text/plain application/x-javascript application/javascript text/css application/xml application/json; - - map $sent_http_content_type $expires { - default off; - text/css 15m; - application/javascript 15m; - ~image/ 15m; - } - - server{ - server_name jozanofastora.xyz; - root /usr/local/www/jozan; - index index.html; - expires $expires; - - location / { - try_files $uri $uri/ =404; - } - location ~ /\.ht { - deny all; - } - location ~ \.cgi$ { - include fastcgi_params; - fastcgi_param SCRIPT_FILENAME $document_root/asm-example.cgi; - fastcgi_param PATH_INFO $uri; - fastcgi_param HTTP_HOST $server_name; - fastcgi_pass unix:/var/run/fcgiwrap/fcgiwrap.sock; - } - error_page 403 /403.html; - location = /403.html { - root /usr/local/www/jozan/err; - } - error_page 404 /404.html; - location = /404.html { - root /usr/local/www/jozan/err; - } - error_page 500 502 503 504 /50x.html; - location = /50x.html { - root /usr/local/www/nginx-dist; - } - - listen 443 ssl; - ssl_certificate /usr/local/etc/letsencrypt/live/jozanofastora.xyz/fullchain.pem; - ssl_certificate_key /usr/local/etc/letsencrypt/live/jozanofastora.xyz/privkey.pem; -} - - server { - server_name gitjoe.xyz; - root /usr/local/www/gitjoe; - try_files $uri @cgit; - index cgit.cgi; - - location @cgit { - include fastcgi_params; - fastcgi_param SCRIPT_FILENAME $document_root/cgit.cgi; - fastcgi_param PATH_INFO $uri; - fastcgi_param QUERY_STRING $args; - fastcgi_param HTTP_HOST $server_name; - fastcgi_param CGIT_CONFIG /usr/local/etc/cgitrc; - fastcgi_pass unix:/var/run/fcgiwrap/fcgiwrap.sock; - - gzip off; - rewrite ^/([^/]+/.*)?$ /cgit.cgi?url=$1 break; - } - error_page 500 502 503 504 /50x.html; - location = /50x.html { - root /usr/local/www/nginx-dist; - } - - listen 443 ssl; - ssl_certificate /usr/local/etc/letsencrypt/live/gitjoe.xyz/fullchain.pem; - ssl_certificate_key /usr/local/etc/letsencrypt/live/gitjoe.xyz/privkey.pem; -} - server{ - server_name watchoom.gitjoe.xyz; - root /usr/local/www/watchoom; - index index.html; - expires $expires; - - location / { - try_files $uri $uri/ =404; - } - location ~ /\.ht { - deny all; - } - error_page 500 502 503 504 /50x.html; - location = /50x.html { - root /usr/local/www/nginx-dist; - } - - listen 443 ssl; - ssl_certificate /usr/local/etc/letsencrypt/live/gitjoe.xyz/fullchain.pem; - ssl_certificate_key /usr/local/etc/letsencrypt/live/gitjoe.xyz/privkey.pem; -} - - server { - server_name fossil.jozanofastora.xyz; - index index.html; - root /usr/local/www/fossiljoe; - - # Bypass Fossil for the static documentation generated from - # our source code by Doxygen, so it merges into the embedded - # doc URL hierarchy at Fossil’s $ROOT/doc without requiring that - # these generated files actually be stored in the repo. This - # also lets us set aggressive caching on these docs, since - # they rarely change. - location /code/doc/html { - root /usr/local/www/fossiljoe; - - location ~* \.(html|ico|css|js|gif|jpg|png)$ { - expires 7d; - add_header Vary Accept-Encoding; - access_log off; - } - } - # Redirect everything else to the Fossil instance - location /code { - include scgi_params; - scgi_param SCRIPT_NAME "/code"; - scgi_pass 127.0.0.1:12345; - } -} - -server{ - if ($host = gitjoe.xyz) { - return 301 https://$host?p=about; - } - - server_name gitjoe.xyz; - listen 80; - return 404; -} - -server{ - if ($host = jozanofastora.xyz) { - return 301 https://$host$request_uri; - } - - server_name jozanofastora.xyz; - listen 80; - return 404; -} - -server{ - if ($host = watchoom.gitjoe.xyz) { - return 301 https://$host$request_uri; - } - - server_name watchoom.gitjoe.xyz; - listen 80; - return 404; -} - -#server { -# if ($host = fossil.jozanofastora.xyz) { -# return 301 https://$host$request_uri; -# } -# -# server_name fossil.jozanofastora.xyz; -# listen 80; -# return 404; -#} - -server { - server_name www.jozanofastora.xyz; - listen 80; - listen 443 ssl; - rewrite ^/(.*) http://jozanofastora.xyz/$1 permanent; - ssl_certificate /usr/local/etc/letsencrypt/live/jozanofastora.xyz/fullchain.pem; - ssl_certificate_key /usr/local/etc/letsencrypt/live/jozanofastora.xyz/privkey.pem; - return 404; -} - -server { - - server_name www.gitjoe.xyz git.jozanofastora.xyz; - listen 80; - listen 443 ssl; - rewrite ^/(.*) http://gitjoe.xyz/?p=about permanent; - ssl_certificate /usr/local/etc/letsencrypt/live/gitjoe.xyz/fullchain.pem; - ssl_certificate_key /usr/local/etc/letsencrypt/live/gitjoe.xyz/privkey.pem; - return 404; -} -} diff --git a/usr/local/etc/pf.conf b/usr/local/etc/pf.conf deleted file mode 100644 index c514fe8..0000000 --- a/usr/local/etc/pf.conf +++ /dev/null @@ -1,60 +0,0 @@ -## Set public interface ## -ext_if="vtnet0" - -## set and drop IP ranges on the public interface ## -martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \ - 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \ - 0.0.0.0/8, 240.0.0.0/4 }" - -table <spamd> persist -table <spamd-allow> persist - -# Allowed webmail services -#table <webmail> persist file "/usr/local/etc/pf.webmail.ip.conf" - -## Skip loop back interface - Skip all PF processing on interface ## -set skip on lo - -## Sets the interface for which PF should gather statistics such as bytes in/out and packets passed/blocked ## -set loginterface $ext_if - -# Deal with attacks based on incorrect handling of packet fragments -scrub in all - - -# Pass spamd allow list -rdr pass log on $ext_if inet proto tcp from <spamd-allow> to $ext_if port smtp \ - -> 127.0.0.1 port 25 -# Pass webmail servers -rdr pass log on $ext_if inet proto tcp from <gmail> to $ext_if port smtp \ - -> 127.0.0.1 port 25 -# pass submission messages. -pass quick log on $ext_if inet proto tcp from any to $ext_if port submission modulate state -# Pass unknown mail to spamd -rdr pass log on $ext_if inet proto tcp from {!<spamd-allow> <spamd>} to $ext_if port smtp \ - -> 127.0.0.1 port 8025 - -## Blocking spoofed packets -antispoof quick for $ext_if - -## Set default policy ## -block return in log all -block out all - -# Drop all Non-Routable Addresses -block drop in quick on $ext_if from $martians to any -block drop out quick on $ext_if from any to $martians - -pass in inet proto tcp to $ext_if port ssh - -# Allow Ping-Pong stuff. Be a good sysadmin -pass inet proto icmp icmp-type echoreq - -# Open up imap/pop3 support -pass quick on $ext_if proto tcp from any to any port {imap, imaps, pop3, pop3s} modulate state - - -# Allow outgoing traffic -pass out on $ext_if proto tcp from any to any modulate state -pass out on $ext_if proto udp from any to any keep state -#pass quick on $ext_if from any to any port http diff --git a/var/jail/git/etc/rc.conf b/var/jail/git/etc/rc.conf new file mode 100644 index 0000000..30dad04 --- /dev/null +++ b/var/jail/git/etc/rc.conf @@ -0,0 +1,8 @@ +# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable +dumpdev="NO" +cron_flags="-m ''" +sendmail_enable="NONE" +sendmail_submit_enable="NONE" +sendmail_msp_queue_enable="NONE" +sendmail_outbound_enable="NONE" +sshd_enable="YES" diff --git a/var/jail/i2p/etc/rc.conf b/var/jail/i2p/etc/rc.conf new file mode 100644 index 0000000..ffd49a6 --- /dev/null +++ b/var/jail/i2p/etc/rc.conf @@ -0,0 +1,8 @@ +# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable +dumpdev="NO" +cron_flags="-m ''" +sendmail_enable="NONE" +sendmail_submit_enable="NONE" +sendmail_msp_queue_enable="NONE" +sendmail_outbound_enable="NONE" +i2pd_enable="YES" diff --git a/var/jail/nextcloud/etc/rc.conf b/var/jail/nextcloud/etc/rc.conf new file mode 100644 index 0000000..2307f03 --- /dev/null +++ b/var/jail/nextcloud/etc/rc.conf @@ -0,0 +1,8 @@ +sshd_enable="NO" +# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable +dumpdev="NO" +cron_flags="-m ''" +sendmail_enable="NONE" +sendmail_submit_enable="NONE" +sendmail_msp_queue_enable="NONE" +sendmail_outbound_enable="NONE" diff --git a/var/jail/wireguard/etc/rc.conf b/var/jail/wireguard/etc/rc.conf new file mode 100644 index 0000000..48ffe2d --- /dev/null +++ b/var/jail/wireguard/etc/rc.conf @@ -0,0 +1,11 @@ +# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable +dumpdev="NO" +cron_flags="-m ''" +sendmail_enable="NONE" +sendmail_submit_enable="NONE" +sendmail_msp_queue_enable="NONE" +sendmail_outbound_enable="NONE" +wireguard_enable="NO" +wireguard_interfaces="wg0" +gateway_enable="YES" +pf_enable="YES" diff --git a/var/jail/www/etc/rc.conf b/var/jail/www/etc/rc.conf new file mode 100644 index 0000000..682f65a --- /dev/null +++ b/var/jail/www/etc/rc.conf @@ -0,0 +1,13 @@ +# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable +dumpdev="NO" +cron_flags="-m ''" +sendmail_enable="NONE" +sendmail_submit_enable="NONE" +sendmail_msp_queue_enable="NONE" +sendmail_outbound_enable="NONE" +nginx_enable="YES" +fcgiwrap_enable="YES" +fcgiwrap_user="www" +fcgiwrap_group="www" +fcgiwrap_socket_owner="www" +fcgiwrap_socket_group="www" diff --git a/usr/local/etc/cgitrc b/var/jail/www/usr/local/etc/cgitrc index b123224..cb8da04 100644 --- a/usr/local/etc/cgitrc +++ b/var/jail/www/usr/local/etc/cgitrc @@ -14,8 +14,8 @@ virtual-root=/ root-title=GitJoe root-desc=where the good code belongs -root-readme=/usr/local/www/gitjoe/about.html -footer=/usr/local/www/gitjoe/footer.html +root-readme=/var/www/gitjoe/about.html +footer=/var/www/gitjoe/footer.html clone-url=git://gitjoe.xyz/$CGIT_REPO_URL @@ -48,7 +48,7 @@ cache-size=0 about-filter=/usr/local/lib/cgit/filters/about-formatting-edited.sh source-filter=/usr/local/lib/cgit/filters/syntax-highlighting-edited.sh -snapshots=tar.gz tar.bz2 tar.xz zip +snapshots=tar.zst tar.gz tar.bz2 tar.xz zip max-stats=year readme=:README.md @@ -80,4 +80,4 @@ readme=:install.txt readme=:INSTALL readme=:install -scan-path=/usr/local/git +scan-path=/var/mnt/git diff --git a/var/jail/www/usr/local/etc/nginx/nginx.conf b/var/jail/www/usr/local/etc/nginx/nginx.conf new file mode 100644 index 0000000..869ff4d --- /dev/null +++ b/var/jail/www/usr/local/etc/nginx/nginx.conf @@ -0,0 +1,144 @@ +worker_processes 1; + +events { + worker_connections 1024; +} + +http { + include mime.types; + default_type application/octet-stream; + sendfile on; + keepalive_timeout 65; + gzip on; + gzip_vary on; + gzip_min_length 1k; + gzip_proxied expired no-cache no-store private auth; + gzip_buffers 4 16k; + gzip_http_version 1.1; + gzip_comp_level 2; + gzip_types text/plain application/x-javascript application/javascript text/css application/xml application/json; + + map $sent_http_content_type $expires { + default off; + text/css 15m; + application/javascript 15m; + ~image/ 15m; + } + +# JOZAN + + server{ + server_name jozan.org; + root /var/www/joe; + index index.html; + expires $expires; + + location / { + try_files $uri $uri/ =404; + } + location ~ /\.ht { + deny all; + } + location ~ \.cgi$ { + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root/asm-example.cgi; + fastcgi_param PATH_INFO $uri; + fastcgi_param HTTP_HOST $server_name; + fastcgi_pass unix:/var/run/fcgiwrap/fcgiwrap.sock; + } + error_page 403 /403.html; + location = /403.html { + root /var/www/joe/err; + } + error_page 404 /404.html; + location = /404.html { + root /var/www/joe/err; + } + error_page 500 502 503 504 /50x.html; + location = /50x.html { + root /usr/local/www/nginx-dist; + } + + listen 443 ssl; # managed by Certbot + ssl_certificate /usr/local/etc/letsencrypt/live/jozan.org/fullchain.pem; # managed by Certbot + ssl_certificate_key /usr/local/etc/letsencrypt/live/jozan.org/privkey.pem; # managed by Certbot + include /usr/local/etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot + ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot + + +} + +# GITJOE + + server { + server_name gitjoe.xyz; + root /var/www/gitjoe; + try_files $uri @cgit; + index cgit.cgi; + + location @cgit { + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root/cgit.cgi; + fastcgi_param PATH_INFO $uri; + fastcgi_param QUERY_STRING $args; + fastcgi_param HTTP_HOST $server_name; + fastcgi_param CGIT_CONFIG /usr/local/etc/cgitrc; + fastcgi_pass unix:/var/run/fcgiwrap/fcgiwrap.sock; + + gzip off; + rewrite ^/([^/]+/.*)?$ /cgit.cgi?url=$1 break; + } + error_page 500 502 503 504 /50x.html; + location = /50x.html { + root /usr/local/www/nginx-dist; + } + + listen 443 ssl; + + ssl_certificate /usr/local/etc/letsencrypt/live/jozan.org/fullchain.pem; # managed by Certbot + ssl_certificate_key /usr/local/etc/letsencrypt/live/jozan.org/privkey.pem; # managed by Certbot +} + +# REDIRECT 80 to 443 + +server{ + if ($host = jozan.org) { + return 301 https://$host$request_uri; + } + + + if ($host = www.jozanofastora.xyz) { + return 301 https://$host$request_uri; + } # managed by Certbot + + + if ($host = jozanofastora.xyz) { + return 301 https://$host$request_uri; + } # managed by Certbot + + + if ($host = www.jozan.org) { + return 301 https://$host$request_uri; + } # managed by Certbot + + if ($host = gitjoe.xyz) { + return 301 https://$host$request_uri; + } # managed by Certbot + + server_name jozan.org www.jozan.org jozanofastora.xyz www.jozanofastora.xyz gitjoe.xyz; + listen 80; + return 404; +} + +# REDIRECT 443 to JOZAN 443 + +server{ + listen 443 ssl; + server_name www.jozan.org jozanofastora.xyz www.jozanofastora.xyz; + return 301 $scheme://jozan.org$request_uri; + ssl_certificate /usr/local/etc/letsencrypt/live/jozan.org/fullchain.pem; # managed by Certbot + ssl_certificate_key /usr/local/etc/letsencrypt/live/jozan.org/privkey.pem; # managed by Certbot + include /usr/local/etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot + ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot +} +} diff --git a/usr/local/lib/cgit/filters/about-formatting-edited.sh b/var/jail/www/usr/local/lib/cgit/filters/about-formatting-edited.sh index cf1140e..cf1140e 100755 --- a/usr/local/lib/cgit/filters/about-formatting-edited.sh +++ b/var/jail/www/usr/local/lib/cgit/filters/about-formatting-edited.sh diff --git a/usr/local/lib/cgit/filters/html-converters/md2html b/var/jail/www/usr/local/lib/cgit/filters/html-converters/md2html index 7d97b1e..a4a43ff 100755 --- a/usr/local/lib/cgit/filters/html-converters/md2html +++ b/var/jail/www/usr/local/lib/cgit/filters/html-converters/md2html @@ -1,4 +1,4 @@ -#!/usr/local/bin/python3.8 +#!/usr/local/bin/python3.9 import markdown import sys import io diff --git a/usr/local/lib/cgit/filters/html-converters/org2html b/var/jail/www/usr/local/lib/cgit/filters/html-converters/org2html index e9c3b44..e9c3b44 100755 --- a/usr/local/lib/cgit/filters/html-converters/org2html +++ b/var/jail/www/usr/local/lib/cgit/filters/html-converters/org2html diff --git a/usr/local/lib/cgit/filters/syntax-highlighting-edited.sh b/var/jail/www/usr/local/lib/cgit/filters/syntax-highlighting-edited.sh index 3de95fa..3de95fa 100755 --- a/usr/local/lib/cgit/filters/syntax-highlighting-edited.sh +++ b/var/jail/www/usr/local/lib/cgit/filters/syntax-highlighting-edited.sh |